733 files changed, 0 insertions, 407520 deletions

diff --git a/security/nss/lib/Makefile b/security/nss/lib/Makefile
deleted file mode 100644
index 0d3bf410d..000000000
--- a/security/nss/lib/Makefile
+++ /dev/null
@@ -1,95 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-ifeq ($(OS_TARGET), WINCE)
-DIRS := $(filter-out fortcrypt,$(DIRS))
-endif
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-ifdef MOZILLA_SECURITY_BUILD
-FILES=$(shell ls -d $(CORE_DEPTH)/../../ns/security/lib/crypto/*)
-
-export::
-	if test -d $(CORE_DEPTH)/../../ns/security/lib/crypto; then \
-	    $(NSINSTALL) -D crypto; \
-	    for file in $(FILES) ; do \
-		if test -f $$file; then \
-		    $(INSTALL) -m 444 $$file crypto; \
-		fi; \
-	    done;  \
-	    $(INSTALL) -m 444 freebl/sha_fast.c crypto; \
-	    $(INSTALL) -m 444 freebl/sha_fast.h crypto; \
-	fi
-endif
diff --git a/security/nss/lib/asn1/Makefile b/security/nss/lib/asn1/Makefile
deleted file mode 100644
index 2d25c00f2..000000000
--- a/security/nss/lib/asn1/Makefile
+++ /dev/null
@@ -1,44 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
-
-include manifest.mn
-include $(CORE_DEPTH)/coreconf/config.mk
-include config.mk
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-export:: private_export
diff --git a/security/nss/lib/asn1/asn1.c b/security/nss/lib/asn1/asn1.c
deleted file mode 100644
index fda5bd71a..000000000
--- a/security/nss/lib/asn1/asn1.c
+++ /dev/null
@@ -1,1730 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * asn1.c
- *
- * At this point in time, this file contains the NSS wrappers for
- * the old "SEC" ASN.1 encoder/decoder stuff.
- */
-
-#ifndef ASN1M_H
-#include "asn1m.h"
-#endif /* ASN1M_H */
-
-#include "plarena.h"
-#include "secasn1.h"
-
-/*
- * The pointer-tracking stuff
- */
-
-#ifdef DEBUG
-extern const NSSError NSS_ERROR_INTERNAL_ERROR;
-
-static nssPointerTracker decoder_pointer_tracker;
-
-static PRStatus
-decoder_add_pointer
-(
-  const nssASN1Decoder *decoder
-)
-{
-  PRStatus rv;
-
-  rv = nssPointerTracker_initialize(&decoder_pointer_tracker);
-  if( PR_SUCCESS != rv ) {
-    return rv;
-  }
-
-  rv = nssPointerTracker_add(&decoder_pointer_tracker, decoder);
-  if( PR_SUCCESS != rv ) {
-    NSSError e = NSS_GetError();
-    if( NSS_ERROR_NO_MEMORY != e ) {
-      nss_SetError(NSS_ERROR_INTERNAL_ERROR);
-    }
-
-    return rv;
-  }
-
-  return PR_SUCCESS;
-}
-
-static PRStatus
-decoder_remove_pointer
-(
-  const nssASN1Decoder *decoder
-)
-{
-  PRStatus rv;
-
-  rv = nssPointerTracker_remove(&decoder_pointer_tracker, decoder);
-  if( PR_SUCCESS != rv ) {
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
-  }
-
-  return rv;
-}
-
-/*
- * nssASN1Decoder_verify
- *
- * This routine is only available in debug builds.
- *
- * If the specified pointer is a valid pointer to an nssASN1Decoder
- * object, this routine will return PR_SUCCESS.  Otherwise, it will 
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ASN1DECODER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1Decoder_verify
-(
-  nssASN1Decoder *decoder
-)
-{
-  PRStatus rv;
-
-  rv = nssPointerTracker_initialize(&decoder_pointer_tracker);
-  if( PR_SUCCESS != rv ) {
-    return PR_FAILURE;
-  }
-
-  rv = nssPointerTracker_verify(&decoder_pointer_tracker, decoder);
-  if( PR_SUCCESS != rv ) {
-    nss_SetError(NSS_ERROR_INVALID_ASN1DECODER);
-    return PR_FAILURE;
-  }
-
-  return PR_SUCCESS;
-}
-
-static nssPointerTracker encoder_pointer_tracker;
-
-static PRStatus
-encoder_add_pointer
-(
-  const nssASN1Encoder *encoder
-)
-{
-  PRStatus rv;
-
-  rv = nssPointerTracker_initialize(&encoder_pointer_tracker);
-  if( PR_SUCCESS != rv ) {
-    return rv;
-  }
-
-  rv = nssPointerTracker_add(&encoder_pointer_tracker, encoder);
-  if( PR_SUCCESS != rv ) {
-    NSSError e = NSS_GetError();
-    if( NSS_ERROR_NO_MEMORY != e ) {
-      nss_SetError(NSS_ERROR_INTERNAL_ERROR);
-    }
-
-    return rv;
-  }
-
-  return PR_SUCCESS;
-}
-
-static PRStatus
-encoder_remove_pointer
-(
-  const nssASN1Encoder *encoder
-)
-{
-  PRStatus rv;
-
-  rv = nssPointerTracker_remove(&encoder_pointer_tracker, encoder);
-  if( PR_SUCCESS != rv ) {
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
-  }
-
-  return rv;
-}
-
-/*
- * nssASN1Encoder_verify
- *
- * This routine is only available in debug builds.
- *
- * If the specified pointer is a valid pointer to an nssASN1Encoder
- * object, this routine will return PR_SUCCESS.  Otherwise, it will 
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ASN1ENCODER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1Encoder_verify
-(
-  nssASN1Encoder *encoder
-)
-{
-  PRStatus rv;
-
-  rv = nssPointerTracker_initialize(&encoder_pointer_tracker);
-  if( PR_SUCCESS != rv ) {
-    return PR_FAILURE;
-  }
-
-  rv = nssPointerTracker_verify(&encoder_pointer_tracker, encoder);
-  if( PR_SUCCESS != rv ) {
-    nss_SetError(NSS_ERROR_INVALID_ASN1ENCODER);
-    return PR_FAILURE;
-  }
-
-  return PR_SUCCESS;
-}
-#endif /* DEBUG */
-
-/*
- * nssASN1Decoder_Create
- *
- * This routine creates an ASN.1 Decoder, which will use the specified
- * template to decode a datastream into the specified destination
- * structure.  If the optional arena argument is non-NULL, blah blah 
- * blah.  XXX fgmr Should we include an nssASN1EncodingType argument, 
- * as a hint?  Or is each encoding distinctive?  This routine may 
- * return NULL upon error, in which case an error will have been 
- * placed upon the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_INVALID_POINTER
- *  ...
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an ASN.1 Decoder upon success.
- */
-
-NSS_IMPLEMENT nssASN1Decoder *
-nssASN1Decoder_Create
-(
-  NSSArena *arenaOpt,
-  void *destination,
-  const nssASN1Template template[]
-)
-{
-  SEC_ASN1DecoderContext *rv;
-  PLArenaPool *hack = (PLArenaPool *)arenaOpt;
-
-#ifdef DEBUG
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (nssASN1Decoder *)NULL;
-    }
-  }
-
-  /* 
-   * May destination be NULL?  I'd think so, since one might
-   * have only a filter proc.  But if not, check the pointer here.
-   */
-
-  if( (nssASN1Template *)NULL == template ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return (nssASN1Decoder *)NULL;
-  }
-#endif /* DEBUG */
-
-  rv = SEC_ASN1DecoderStart(hack, destination, template);
-  if( (SEC_ASN1DecoderContext *)NULL == rv ) {
-    nss_SetError(PORT_GetError()); /* also evil */
-    return (nssASN1Decoder *)NULL;
-  }
-
-#ifdef DEBUG
-  if( PR_SUCCESS != decoder_add_pointer(rv) ) {
-    (void)SEC_ASN1DecoderFinish(rv);
-    return (nssASN1Decoder *)NULL;
-  }
-#endif /* DEBUG */
-
-  return (nssASN1Decoder *)rv;
-}
-
-/*
- * nssASN1Decoder_Update
- *
- * This routine feeds data to the decoder.  In the event of an error, 
- * it will place an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_INVALID_POINTER
- *  NSS_ERROR_INVALID_ASN1DECODER
- *  NSS_ERROR_INVALID_BER
- *  ...
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success.
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1Decoder_Update
-(
-  nssASN1Decoder *decoder,
-  const void *data,
-  PRUint32 amount
-)
-{
-  SECStatus rv;
-
-#ifdef DEBUG
-  if( PR_SUCCESS != nssASN1Decoder_verify(decoder) ) {
-    return PR_FAILURE;
-  }
-
-  if( (void *)NULL == data ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return PR_FAILURE;
-  }
-#endif /* DEBUG */
-
-  rv = SEC_ASN1DecoderUpdate((SEC_ASN1DecoderContext *)decoder, 
-                             (const char *)data,
-                             (unsigned long)amount);
-  if( SECSuccess != rv ) {
-    nss_SetError(PORT_GetError()); /* ugly */
-    return PR_FAILURE;
-  }
-
-  return PR_SUCCESS;
-}
-
-/*
- * nssASN1Decoder_Finish
- *
- * This routine finishes the decoding and destroys the decoder.
- * In the event of an error, it will place an error on the error
- * stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ASN1DECODER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1Decoder_Finish
-(
-  nssASN1Decoder *decoder
-)
-{
-  PRStatus rv = PR_SUCCESS;
-  SECStatus srv;
-
-#ifdef DEBUG
-  if( PR_SUCCESS != nssASN1Decoder_verify(decoder) ) {
-    return PR_FAILURE;
-  }
-#endif /* DEBUG */
-
-  srv = SEC_ASN1DecoderFinish((SEC_ASN1DecoderContext *)decoder);
-
-  if( SECSuccess != srv ) {
-    nss_SetError(PORT_GetError()); /* ugly */
-    rv = PR_FAILURE;
-  }
-
-#ifdef DEBUG
-  {
-    PRStatus rv2 = decoder_remove_pointer(decoder);
-    if( PR_SUCCESS == rv ) {
-      rv = rv2;
-    }
-  }
-#endif /* DEBUG */
-
-  return rv;
-}
-
-/*
- * nssASN1Decoder_SetFilter
- *
- * This routine registers a callback filter routine with the decoder,
- * which will be called blah blah blah.  The specified argument will
- * be passed as-is to the filter routine.  The routine pointer may
- * be NULL, in which case no filter callback will be called.  If the
- * noStore boolean is PR_TRUE, then decoded fields will not be stored
- * in the destination structure specified when the decoder was 
- * created.  This routine returns a PRStatus value; in the event of
- * an error, it will place an error on the error stack and return
- * PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ASN1DECODER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1Decoder_SetFilter
-(
-  nssASN1Decoder *decoder,
-  nssASN1DecoderFilterFunction *callback,
-  void *argument,
-  PRBool noStore
-)
-{
-#ifdef DEBUG
-  if( PR_SUCCESS != nssASN1Decoder_verify(decoder) ) {
-    return PR_FAILURE;
-  }
-#endif /* DEBUG */
-
-  if( (nssASN1DecoderFilterFunction *)NULL == callback ) {
-     SEC_ASN1DecoderClearFilterProc((SEC_ASN1DecoderContext *)decoder);
-  } else {
-     SEC_ASN1DecoderSetFilterProc((SEC_ASN1DecoderContext *)decoder,
-                                  (SEC_ASN1WriteProc)callback,
-                                  argument, noStore);
-  }
-
-  /* No error returns defined for those routines */
-
-  return PR_SUCCESS;
-}
-
-/*
- * nssASN1Decoder_GetFilter
- *
- * If the optional pCallbackOpt argument to this routine is non-null,
- * then the pointer to any callback function established for this
- * decoder with nssASN1Decoder_SetFilter will be stored at the 
- * location indicated by it.  If the optional pArgumentOpt
- * pointer is non-null, the filter's closure argument will be stored
- * there.  If the optional pNoStoreOpt pointer is non-null, the
- * noStore value specified when setting the filter will be stored
- * there.  This routine returns a PRStatus value; in the event of
- * an error it will place an error on the error stack and return
- * PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ASN1DECODER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-extern const NSSError NSS_ERROR_INTERNAL_ERROR;
-
-NSS_IMPLEMENT PRStatus
-nssASN1Decoder_GetFilter
-(
-  nssASN1Decoder *decoder,
-  nssASN1DecoderFilterFunction **pCallbackOpt,
-  void **pArgumentOpt,
-  PRBool *pNoStoreOpt
-)
-{
-#ifdef DEBUG
-  if( PR_SUCCESS != nssASN1Decoder_verify(decoder) ) {
-    return PR_FAILURE;
-  }
-#endif /* DEBUG */
-
-  if( (nssASN1DecoderFilterFunction **)NULL != pCallbackOpt ) {
-    *pCallbackOpt = (nssASN1DecoderFilterFunction *)NULL;
-  }
-
-  if( (void **)NULL != pArgumentOpt ) {
-    *pArgumentOpt = (void *)NULL;
-  }
-
-  if( (PRBool *)NULL != pNoStoreOpt ) {
-    *pNoStoreOpt = PR_FALSE;
-  }
-
-  /* Error because it's unimplemented */
-  nss_SetError(NSS_ERROR_INTERNAL_ERROR);
-  return PR_FAILURE;
-}
-
-/*
- * nssASN1Decoder_SetNotify
- *
- * This routine registers a callback notify routine with the decoder,
- * which will be called whenever.. The specified argument will be
- * passed as-is to the notify routine.  The routine pointer may be
- * NULL, in which case no notify routine will be called.  This routine
- * returns a PRStatus value; in the event of an error it will place
- * an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ASN1DECODER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1Decoder_SetNotify
-(
-  nssASN1Decoder *decoder,
-  nssASN1NotifyFunction *callback,
-  void *argument
-)
-{
-#ifdef DEBUG
-  if( PR_SUCCESS != nssASN1Decoder_verify(decoder) ) {
-    return PR_FAILURE;
-  }
-#endif /* DEBUG */
-
-  if( (nssASN1NotifyFunction *)NULL == callback ) {
-    SEC_ASN1DecoderClearNotifyProc((SEC_ASN1DecoderContext *)decoder);
-  } else {
-    SEC_ASN1DecoderSetNotifyProc((SEC_ASN1DecoderContext *)decoder,
-                                 (SEC_ASN1NotifyProc)callback,
-                                 argument);
-  }
-
-  /* No error returns defined for those routines */
-
-  return PR_SUCCESS;
-}
-
-/*
- * nssASN1Decoder_GetNotify
- *
- * If the optional pCallbackOpt argument to this routine is non-null,
- * then the pointer to any callback function established for this
- * decoder with nssASN1Decoder_SetNotify will be stored at the 
- * location indicated by it.  If the optional pArgumentOpt pointer is
- * non-null, the filter's closure argument will be stored there.
- * This routine returns a PRStatus value; in the event of an error it
- * will place an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ASN1DECODER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1Decoder_GetNotify
-(
-  nssASN1Decoder *decoder,
-  nssASN1NotifyFunction **pCallbackOpt,
-  void **pArgumentOpt
-)
-{
-#ifdef DEBUG
-  if( PR_SUCCESS != nssASN1Decoder_verify(decoder) ) {
-    return PR_FAILURE;
-  }
-#endif /* DEBUG */
-
-  if( (nssASN1NotifyFunction **)NULL != pCallbackOpt ) {
-    *pCallbackOpt = (nssASN1NotifyFunction *)NULL;
-  }
-
-  if( (void **)NULL != pArgumentOpt ) {
-    *pArgumentOpt = (void *)NULL;
-  }
-
-  /* Error because it's unimplemented */
-  nss_SetError(NSS_ERROR_INTERNAL_ERROR);
-  return PR_FAILURE;
-}
-
-/*
- * nssASN1_Decode
- *
- * This routine will decode the specified data into the specified
- * destination structure, as specified by the specified template.
- * This routine returns a PRStatus value; in the event of an error
- * it will place an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_INVALID_POINTER
- *  NSS_ERROR_INVALID_BER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1_Decode
-(
-  NSSArena *arenaOpt,
-  void *destination,
-  const nssASN1Template template[],
-  const void *berData,
-  PRUint32 amount
-)
-{
-  PRStatus rv;
-  nssASN1Decoder *decoder;
-
-  /* This call will do our pointer-checking for us! */
-  decoder = nssASN1Decoder_Create(arenaOpt, destination, template);
-  if( (nssASN1Decoder *)NULL == decoder ) {
-    return PR_FAILURE;
-  }
-
-  rv = nssASN1Decoder_Update(decoder, berData, amount);
-  if( PR_SUCCESS != nssASN1Decoder_Finish(decoder) ) {
-    rv = PR_FAILURE;
-  }
-
-  return rv;
-}
-
-/*
- * nssASN1_DecodeBER
- *
- * This routine will decode the data in the specified NSSBER
- * into the destination structure, as specified by the template.
- * This routine returns a PRStatus value; in the event of an error
- * it will place an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_INVALID_POINTER
- *  NSS_ERROR_INVALID_NSSBER
- *  NSS_ERROR_INVALID_BER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1_DecodeBER
-(
-  NSSArena *arenaOpt,
-  void *destination,
-  const nssASN1Template template[],
-  const NSSBER *data
-)
-{
-  return nssASN1_Decode(arenaOpt, destination, template, 
-                        data->data, data->size);
-}
-
-/*
- * nssASN1Encoder_Create
- *
- * This routine creates an ASN.1 Encoder, blah blah blah.  This 
- * may return NULL upon error, in which case an error will have been
- * placed on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_INVALID_POINTER
- *  ...
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an ASN.1 Encoder upon success
- */
-
-NSS_IMPLEMENT nssASN1Encoder *
-nssASN1Encoder_Create
-(
-  const void *source,
-  const nssASN1Template template[],
-  NSSASN1EncodingType encoding,
-  nssASN1EncoderWriteFunction *sink,
-  void *argument
-)
-{
-  SEC_ASN1EncoderContext *rv;
-
-#ifdef DEBUG
-  if( (void *)NULL == source ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return (nssASN1Encoder *)NULL;
-  }
-
-  if( (nssASN1Template *)NULL == template ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return (nssASN1Encoder *)NULL;
-  }
-
-  if( (nssASN1EncoderWriteFunction *)NULL == sink ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return (nssASN1Encoder *)NULL;
-  }
-#endif /* DEBUG */
-
-  switch( encoding ) {
-  case NSSASN1BER:
-  case NSSASN1DER:
-    break;
-  case NSSASN1CER:
-  case NSSASN1LWER:
-  case NSSASN1PER:
-  case NSSASN1UnknownEncoding:
-  default:
-    nss_SetError(NSS_ERROR_ENCODING_NOT_SUPPORTED);
-    return (nssASN1Encoder *)NULL;
-  }
-
-  rv = SEC_ASN1EncoderStart((void *)source, template, 
-                            (SEC_ASN1WriteProc)sink, argument);
-  if( (SEC_ASN1EncoderContext *)NULL == rv ) {
-    nss_SetError(PORT_GetError()); /* ugly */
-    return (nssASN1Encoder *)NULL;
-  }
-
-  if( NSSASN1DER == encoding ) {
-    sec_ASN1EncoderSetDER(rv);
-  }
-
-#ifdef DEBUG
-  if( PR_SUCCESS != encoder_add_pointer(rv) ) {
-    (void)SEC_ASN1EncoderFinish(rv);
-    return (nssASN1Encoder *)NULL;
-  }
-#endif /* DEBUG */
-
-  return (nssASN1Encoder *)rv;
-}
-
-/*
- * nssASN1Encoder_Update
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ASN1ENCODER
- *  NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1Encoder_Update
-(
-  nssASN1Encoder *encoder,
-  const void *data,
-  PRUint32 length
-)
-{
-  SECStatus rv;
-
-#ifdef DEBUG
-  if( PR_SUCCESS != nssASN1Encoder_verify(encoder) ) {
-    return PR_FAILURE;
-  }
-
-  /*
-   * Can data legitimately be NULL?  If not, verify..
-   */
-#endif /* DEBUG */
-
-  rv = SEC_ASN1EncoderUpdate((SEC_ASN1EncoderContext *)encoder,
-                             (const char *)data, 
-                             (unsigned long)length);
-  if( SECSuccess != rv ) {
-    nss_SetError(PORT_GetError()); /* ugly */
-    return PR_FAILURE;
-  }
-
-  return PR_SUCCESS;
-}
-
-/*
- * nssASN1Encoder_Finish
- *
- * Destructor.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ASN1ENCODER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1Encoder_Finish
-(
-  nssASN1Encoder *encoder
-)
-{
-  PRStatus rv;
-
-#ifdef DEBUG
-  if( PR_SUCCESS != nssASN1Encoder_verify(encoder) ) {
-    return PR_FAILURE;
-  }
-#endif /* DEBUG */
-
-  SEC_ASN1EncoderFinish((SEC_ASN1EncoderContext *)encoder);
-  rv = PR_SUCCESS; /* no error return defined for that call */
-
-#ifdef DEBUG
-  {
-    PRStatus rv2 = encoder_remove_pointer(encoder);
-    if( PR_SUCCESS == rv ) {
-      rv = rv2;
-    }
-  }
-#endif /* DEBUG */
-
-  return rv;
-}
-
-/*
- * nssASN1Encoder_SetNotify
- *
- * This routine registers a callback notify routine with the encoder,
- * which will be called whenever.. The specified argument will be
- * passed as-is to the notify routine.  The routine pointer may be
- * NULL, in which case no notify routine will be called.  This routine
- * returns a PRStatus value; in the event of an error it will place
- * an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ASN1DECODER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1Encoder_SetNotify
-(
-  nssASN1Encoder *encoder,
-  nssASN1NotifyFunction *callback,
-  void *argument
-)
-{
-#ifdef DEBUG
-  if( PR_SUCCESS != nssASN1Encoder_verify(encoder) ) {
-    return PR_FAILURE;
-  }
-#endif /* DEBUG */
-
-  if( (nssASN1NotifyFunction *)NULL == callback ) {
-    SEC_ASN1EncoderClearNotifyProc((SEC_ASN1EncoderContext *)encoder);
-  } else {
-    SEC_ASN1EncoderSetNotifyProc((SEC_ASN1EncoderContext *)encoder,
-                                 (SEC_ASN1NotifyProc)callback,
-                                 argument);
-  }
-
-  /* no error return defined for those routines */
-
-  return PR_SUCCESS;
-}
-
-/*
- * nssASN1Encoder_GetNotify
- *
- * If the optional pCallbackOpt argument to this routine is non-null,
- * then the pointer to any callback function established for this
- * decoder with nssASN1Encoder_SetNotify will be stored at the 
- * location indicated by it.  If the optional pArgumentOpt pointer is
- * non-null, the filter's closure argument will be stored there.
- * This routine returns a PRStatus value; in the event of an error it
- * will place an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ASN1ENCODER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1Encoder_GetNotify
-(
-  nssASN1Encoder *encoder,
-  nssASN1NotifyFunction **pCallbackOpt,
-  void **pArgumentOpt
-)
-{
-#ifdef DEBUG
-  if( PR_SUCCESS != nssASN1Encoder_verify(encoder) ) {
-    return PR_FAILURE;
-  }
-#endif /* DEBUG */
-
-  if( (nssASN1NotifyFunction **)NULL != pCallbackOpt ) {
-    *pCallbackOpt = (nssASN1NotifyFunction *)NULL;
-  }
-
-  if( (void **)NULL != pArgumentOpt ) {
-    *pArgumentOpt = (void *)NULL;
-  }
-
-  /* Error because it's unimplemented */
-  nss_SetError(NSS_ERROR_INTERNAL_ERROR);
-  return PR_FAILURE;
-}
-
-/*
- * nssASN1Encoder_SetStreaming
- *
- * 
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ASN1ENCODER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1Encoder_SetStreaming
-(
-  nssASN1Encoder *encoder,
-  PRBool streaming
-)
-{
-  SEC_ASN1EncoderContext *cx = (SEC_ASN1EncoderContext *)encoder;
-
-#ifdef DEBUG
-  if( PR_SUCCESS != nssASN1Encoder_verify(encoder) ) {
-    return PR_FAILURE;
-  }
-#endif /* DEBUG */
-
-  if( streaming ) {
-    SEC_ASN1EncoderSetStreaming(cx);
-  } else {
-    SEC_ASN1EncoderClearStreaming(cx);
-  }
-
-  /* no error return defined for those routines */
-
-  return PR_SUCCESS;
-}
-
-/*
- * nssASN1Encoder_GetStreaming
- *
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ASN1ENCODER
- *  NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1Encoder_GetStreaming
-(
-  nssASN1Encoder *encoder,
-  PRBool *pStreaming
-)
-{
-#ifdef DEBUG
-  if( PR_SUCCESS != nssASN1Encoder_verify(encoder) ) {
-    return PR_FAILURE;
-  }
-#endif /* DEBUG */
-
-  if( (PRBool *)NULL != pStreaming ) {
-    *pStreaming = PR_FALSE;
-  }
-
-  /* Error because it's unimplemented */
-  nss_SetError(NSS_ERROR_INTERNAL_ERROR);
-  return PR_FAILURE;
-}
-
-/*
- * nssASN1Encoder_SetTakeFromBuffer
- *
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ASN1ENCODER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1Encoder_SetTakeFromBuffer
-(
-  nssASN1Encoder *encoder,
-  PRBool takeFromBuffer
-)
-{
-  SEC_ASN1EncoderContext *cx = (SEC_ASN1EncoderContext *)encoder;
-
-#ifdef DEBUG
-  if( PR_SUCCESS != nssASN1Encoder_verify(encoder) ) {
-    return PR_FAILURE;
-  }
-#endif /* DEBUG */
-
-  if( takeFromBuffer ) {
-    SEC_ASN1EncoderSetTakeFromBuf(cx);
-  } else {
-    SEC_ASN1EncoderClearTakeFromBuf(cx);
-  }
-
-  /* no error return defined for those routines */
-
-  return PR_SUCCESS;
-}
-
-/*
- * nssASN1Encoder_GetTakeFromBuffer
- *
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ASN1ENCODER
- *  NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1Encoder_GetTakeFromBuffer
-(
-  nssASN1Encoder *encoder,
-  PRBool *pTakeFromBuffer
-)
-{
-#ifdef DEBUG
-  if( PR_SUCCESS != nssASN1Encoder_verify(encoder) ) {
-    return PR_FAILURE;
-  }
-#endif /* DEBUG */
-
-  if( (PRBool *)NULL != pTakeFromBuffer ) {
-    *pTakeFromBuffer = PR_FALSE;
-  }
-
-  /* Error because it's unimplemented */
-  nss_SetError(NSS_ERROR_INTERNAL_ERROR);
-  return PR_FAILURE;
-}
-
-/*
- * nssASN1_Encode
- *
- * 
- * The error may be one of the following values:
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_INVALID_POINTER
- *  NSS_ERROR_ENCODING_NOT_SUPPORTED
- *  ...
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1_Encode
-(
-  const void *source,
-  const nssASN1Template template[],
-  NSSASN1EncodingType encoding,
-  nssASN1EncoderWriteFunction *sink,
-  void *argument
-)
-{
-  PRStatus rv;
-  nssASN1Encoder *encoder;
-
-  encoder = nssASN1Encoder_Create(source, template, encoding, sink, argument);
-  if( (nssASN1Encoder *)NULL == encoder ) {
-    return PR_FAILURE;
-  }
-
-  rv = nssASN1Encoder_Update(encoder, (const void *)NULL, 0);
-  if( PR_SUCCESS != nssASN1Encoder_Finish(encoder) ) {
-    rv = PR_FAILURE;
-  }
-
-  return rv;
-}
-
-/*
- * nssasn1_encode_item_count
- *
- * This is a helper function for nssASN1_EncodeItem.  It just counts
- * up the space required for an encoding.
- */
-
-static void
-nssasn1_encode_item_count
-(
-  void *arg,
-  const char *buf,
-  unsigned long len,
-  int depth,
-  nssASN1EncodingPart data_kind
-)
-{
-  unsigned long *count;
-
-  count = (unsigned long*)arg;
-  PR_ASSERT (count != NULL);
-
-  *count += len;
-}
-
-/*
- * nssasn1_encode_item_store
- *
- * This is a helper function for nssASN1_EncodeItem.  It appends the
- * new data onto the destination item.
- */
-
-static void
-nssasn1_encode_item_store
-(
-  void *arg,
-  const char *buf,
-  unsigned long len,
-  int depth,
-  nssASN1EncodingPart data_kind
-)
-{
-  NSSItem *dest;
-
-  dest = (NSSItem*)arg;
-  PR_ASSERT (dest != NULL);
-
-  memcpy((unsigned char *)dest->data + dest->size, buf, len);
-  dest->size += len;
-}
-
-/*
- * nssASN1_EncodeItem
- *
- * There must be a better name.  If the optional arena argument is
- * non-null, it'll be used for the space.  If the optional rvOpt is
- * non-null, it'll be the return value-- if it is null, a new one
- * will be allocated.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_INVALID_POINTER
- *  NSS_ERROR_ENCODING_NOT_SUPPORTED
- *
- * Return value:
- *  NULL upon error
- *  A valid pointer to an NSSDER upon success
- */
-
-NSS_IMPLEMENT NSSDER *
-nssASN1_EncodeItem
-(
-  NSSArena *arenaOpt,
-  NSSDER *rvOpt,
-  const void *source,
-  const nssASN1Template template[],
-  NSSASN1EncodingType encoding
-)
-{
-  NSSDER *rv;
-  PRUint32 len = 0;
-  PRStatus status;
-
-#ifdef DEBUG
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSDER *)NULL;
-    }
-  }
-
-  if( (void *)NULL == source ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return (NSSDER *)NULL;
-  }
-
-  if( (nssASN1Template *)NULL == template ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return (NSSDER *)NULL;
-  }
-#endif /* DEBUG */
-
-  status = nssASN1_Encode(source, template, encoding, 
-                          (nssASN1EncoderWriteFunction *)nssasn1_encode_item_count, 
-                          &len);
-  if( PR_SUCCESS != status ) {
-    return (NSSDER *)NULL;
-  }
-
-  if( (NSSDER *)NULL == rvOpt ) {
-    rv = nss_ZNEW(arenaOpt, NSSDER);
-    if( (NSSDER *)NULL == rv ) {
-      return (NSSDER *)NULL;
-    }
-  } else {
-    rv = rvOpt;
-  }
-
-  rv->size = len;
-  rv->data = nss_ZAlloc(arenaOpt, len);
-  if( (void *)NULL == rv->data ) {
-    if( (NSSDER *)NULL == rvOpt ) {
-      nss_ZFreeIf(rv);
-    }
-    return (NSSDER *)NULL;
-  }
-
-  rv->size = 0; /* for nssasn1_encode_item_store */
-
-  status = nssASN1_Encode(source, template, encoding,
-                          (nssASN1EncoderWriteFunction *)nssasn1_encode_item_store, 
-                          rv);
-  if( PR_SUCCESS != status ) {
-    nss_ZFreeIf(rv->data);
-    if( (NSSDER *)NULL == rvOpt ) {
-      nss_ZFreeIf(rv);
-    }
-    return (NSSDER *)NULL;
-  }
-
-  PR_ASSERT(rv->size == len);
-
-  return rv;
-}
-
-/*
- * nssASN1_CreatePRUint32FromBER
- *
- */
-
-NSS_IMPLEMENT PRStatus
-nssASN1_CreatePRUint32FromBER
-(
-  NSSBER *encoded,
-  PRUint32 *pResult
-)
-{
-  nss_SetError(NSS_ERROR_INTERNAL_ERROR);
-  return PR_FALSE;
-}
-
-/*
- * nssASN1_GetDERFromPRUint32
- *
- */
-
-NSS_EXTERN NSSDER *
-nssASN1_GetDERFromPRUint32
-(
-  NSSArena *arenaOpt,
-  NSSDER *rvOpt,
-  PRUint32 value
-)
-{
-  NSSDER *rv;
-  PLArenaPool *hack = (PLArenaPool *)arenaOpt;
-  SECItem *item;
-
-#ifdef DEBUG
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSDER *)NULL;
-    }
-  }
-#endif /* DEBUG */
-
-  if( (NSSDER *)NULL == rvOpt ) {
-    rv = nss_ZNEW(arenaOpt, NSSDER);
-    if( (NSSDER *)NULL == rv ) {
-      return (NSSDER *)NULL;
-    }
-  } else {
-    rv = rvOpt;
-  }
-
-  item = SEC_ASN1EncodeUnsignedInteger(hack, (SECItem *)rv, value);
-  if( (SECItem *)NULL == item ) {
-    if( (NSSDER *)NULL == rvOpt ) {
-      (void)nss_ZFreeIf(rv);
-    }
-
-    nss_SetError(PORT_GetError()); /* ugly */
-    return (NSSDER *)NULL;
-  }
-
-  /* 
-   * I happen to know that these things look alike.. but I'm only
-   * doing it for these "temporary" wrappers.  This is an evil thing.
-   */
-  return (NSSDER *)item;
-}
-
-/*himom*/
-NSS_IMPLEMENT PRStatus
-nssASN1_CreatePRInt32FromBER
-(
-  NSSBER *encoded,
-  PRInt32 *pResult
-)
-{
-  nss_SetError(NSS_ERROR_INTERNAL_ERROR);
-  return PR_FALSE;
-}
-
-/*
- * nssASN1_GetDERFromPRInt32
- *
- */
-
-NSS_IMPLEMENT NSSDER *
-nssASN1_GetDERFromPRInt32
-(
-  NSSArena *arenaOpt,
-  NSSDER *rvOpt,
-  PRInt32 value
-)
-{
-  NSSDER *rv;
-  PLArenaPool *hack = (PLArenaPool *)arenaOpt;
-  SECItem *item;
-
-#ifdef DEBUG
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSDER *)NULL;
-    }
-  }
-#endif /* DEBUG */
-
-  if( (NSSDER *)NULL == rvOpt ) {
-    rv = nss_ZNEW(arenaOpt, NSSDER);
-    if( (NSSDER *)NULL == rv ) {
-      return (NSSDER *)NULL;
-    }
-  } else {
-    rv = rvOpt;
-  }
-
-  item = SEC_ASN1EncodeInteger(hack, (SECItem *)rv, value);
-  if( (SECItem *)NULL == item ) {
-    if( (NSSDER *)NULL == rvOpt ) {
-      (void)nss_ZFreeIf(rv);
-    }
-
-    nss_SetError(PORT_GetError()); /* ugly */
-    return (NSSDER *)NULL;
-  }
-
-  /* 
-   * I happen to know that these things look alike.. but I'm only
-   * doing it for these "temporary" wrappers.  This is an evil thing.
-   */
-  return (NSSDER *)item;
-}
-
-/*
- * Generic Templates
- * One for each of the simple types, plus a special one for ANY, plus:
- *	- a pointer to each one of those
- *	- a set of each one of those
- *
- * Note that these are alphabetical (case insensitive); please add new
- * ones in the appropriate place.
- */
-
-const nssASN1Template *nssASN1Template_Any =                             (nssASN1Template *)SEC_AnyTemplate;
-const nssASN1Template *nssASN1Template_BitString =                       (nssASN1Template *)SEC_BitStringTemplate;
-const nssASN1Template *nssASN1Template_BMPString =                       (nssASN1Template *)SEC_BMPStringTemplate;
-const nssASN1Template *nssASN1Template_Boolean =                         (nssASN1Template *)SEC_BooleanTemplate;
-const nssASN1Template *nssASN1Template_Enumerated =                      (nssASN1Template *)SEC_EnumeratedTemplate;
-const nssASN1Template *nssASN1Template_GeneralizedTime =                 (nssASN1Template *)SEC_GeneralizedTimeTemplate;
-const nssASN1Template *nssASN1Template_IA5String =                       (nssASN1Template *)SEC_IA5StringTemplate;
-const nssASN1Template *nssASN1Template_Integer =                         (nssASN1Template *)SEC_IntegerTemplate;
-const nssASN1Template *nssASN1Template_Null =                            (nssASN1Template *)SEC_NullTemplate;
-const nssASN1Template *nssASN1Template_ObjectID =                        (nssASN1Template *)SEC_ObjectIDTemplate;
-const nssASN1Template *nssASN1Template_OctetString =                     (nssASN1Template *)SEC_OctetStringTemplate;
-const nssASN1Template *nssASN1Template_PrintableString =                 (nssASN1Template *)SEC_PrintableStringTemplate;
-const nssASN1Template *nssASN1Template_T61String =                       (nssASN1Template *)SEC_T61StringTemplate;
-const nssASN1Template *nssASN1Template_UniversalString =                 (nssASN1Template *)SEC_UniversalStringTemplate;
-const nssASN1Template *nssASN1Template_UTCTime =                         (nssASN1Template *)SEC_UTCTimeTemplate;
-const nssASN1Template *nssASN1Template_UTF8String =                      (nssASN1Template *)SEC_UTF8StringTemplate;
-const nssASN1Template *nssASN1Template_VisibleString =                   (nssASN1Template *)SEC_VisibleStringTemplate;
-
-const nssASN1Template *nssASN1Template_PointerToAny =                    (nssASN1Template *)SEC_PointerToAnyTemplate;
-const nssASN1Template *nssASN1Template_PointerToBitString =              (nssASN1Template *)SEC_PointerToBitStringTemplate;
-const nssASN1Template *nssASN1Template_PointerToBMPString =              (nssASN1Template *)SEC_PointerToBMPStringTemplate;
-const nssASN1Template *nssASN1Template_PointerToBoolean =                (nssASN1Template *)SEC_PointerToBooleanTemplate;
-const nssASN1Template *nssASN1Template_PointerToEnumerated =             (nssASN1Template *)SEC_PointerToEnumeratedTemplate;
-const nssASN1Template *nssASN1Template_PointerToGeneralizedTime =        (nssASN1Template *)SEC_PointerToGeneralizedTimeTemplate;
-const nssASN1Template *nssASN1Template_PointerToIA5String =              (nssASN1Template *)SEC_PointerToIA5StringTemplate;
-const nssASN1Template *nssASN1Template_PointerToInteger =                (nssASN1Template *)SEC_PointerToIntegerTemplate;
-const nssASN1Template *nssASN1Template_PointerToNull =                   (nssASN1Template *)SEC_PointerToNullTemplate;
-const nssASN1Template *nssASN1Template_PointerToObjectID =               (nssASN1Template *)SEC_PointerToObjectIDTemplate;
-const nssASN1Template *nssASN1Template_PointerToOctetString =            (nssASN1Template *)SEC_PointerToOctetStringTemplate;
-const nssASN1Template *nssASN1Template_PointerToPrintableString =        (nssASN1Template *)SEC_PointerToPrintableStringTemplate;
-const nssASN1Template *nssASN1Template_PointerToT61String =              (nssASN1Template *)SEC_PointerToT61StringTemplate;
-const nssASN1Template *nssASN1Template_PointerToUniversalString =        (nssASN1Template *)SEC_PointerToUniversalStringTemplate;
-const nssASN1Template *nssASN1Template_PointerToUTCTime =                (nssASN1Template *)SEC_PointerToUTCTimeTemplate;
-const nssASN1Template *nssASN1Template_PointerToUTF8String =             (nssASN1Template *)SEC_PointerToUTF8StringTemplate;
-const nssASN1Template *nssASN1Template_PointerToVisibleString =          (nssASN1Template *)SEC_PointerToVisibleStringTemplate;
-
-const nssASN1Template *nssASN1Template_SetOfAny =                        (nssASN1Template *)SEC_SetOfAnyTemplate;
-const nssASN1Template *nssASN1Template_SetOfBitString =                  (nssASN1Template *)SEC_SetOfBitStringTemplate;
-const nssASN1Template *nssASN1Template_SetOfBMPString =                  (nssASN1Template *)SEC_SetOfBMPStringTemplate;
-const nssASN1Template *nssASN1Template_SetOfBoolean =                    (nssASN1Template *)SEC_SetOfBooleanTemplate;
-const nssASN1Template *nssASN1Template_SetOfEnumerated =                 (nssASN1Template *)SEC_SetOfEnumeratedTemplate;
-const nssASN1Template *nssASN1Template_SetOfGeneralizedTime =            (nssASN1Template *)SEC_SetOfGeneralizedTimeTemplate;
-const nssASN1Template *nssASN1Template_SetOfIA5String =                  (nssASN1Template *)SEC_SetOfIA5StringTemplate;
-const nssASN1Template *nssASN1Template_SetOfInteger =                    (nssASN1Template *)SEC_SetOfIntegerTemplate;
-const nssASN1Template *nssASN1Template_SetOfNull =                       (nssASN1Template *)SEC_SetOfNullTemplate;
-const nssASN1Template *nssASN1Template_SetOfObjectID =                   (nssASN1Template *)SEC_SetOfObjectIDTemplate;
-const nssASN1Template *nssASN1Template_SetOfOctetString =                (nssASN1Template *)SEC_SetOfOctetStringTemplate;
-const nssASN1Template *nssASN1Template_SetOfPrintableString =            (nssASN1Template *)SEC_SetOfPrintableStringTemplate;
-const nssASN1Template *nssASN1Template_SetOfT61String =                  (nssASN1Template *)SEC_SetOfT61StringTemplate;
-const nssASN1Template *nssASN1Template_SetOfUniversalString =            (nssASN1Template *)SEC_SetOfUniversalStringTemplate;
-const nssASN1Template *nssASN1Template_SetOfUTCTime =                    (nssASN1Template *)SEC_SetOfUTCTimeTemplate;
-const nssASN1Template *nssASN1Template_SetOfUTF8String =                 (nssASN1Template *)SEC_SetOfUTF8StringTemplate;
-const nssASN1Template *nssASN1Template_SetOfVisibleString =              (nssASN1Template *)SEC_SetOfVisibleStringTemplate;
-
-/*
- *
- */
-
-NSS_IMPLEMENT NSSUTF8 *
-nssUTF8_CreateFromBER
-(
-  NSSArena *arenaOpt,
-  nssStringType type,
-  NSSBER *berData
-)
-{
-  NSSUTF8 *rv = NULL;
-  PRUint8 tag;
-  NSSArena *a;
-  NSSItem in;
-  NSSItem out;
-  PRStatus st;
-  const nssASN1Template *templ;
-
-#ifdef NSSDEBUG
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSUTF8 *)NULL;
-    }
-  }
-
-  if( (NSSBER *)NULL == berData ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return (NSSUTF8 *)NULL;
-  }
-
-  if( (void *)NULL == berData->data ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return (NSSUTF8 *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  a = NSSArena_Create();
-  if( (NSSArena *)NULL == a ) {
-    return (NSSUTF8 *)NULL;
-  }
-
-  in = *berData;
-
-  /*
-   * By the way, at first I succumbed to the temptation to make
-   * this an incestuous nested switch statement.  Count yourself
-   * lucky I cleaned it up.
-   */
-
-  switch( type ) {
-  case nssStringType_DirectoryString:
-    /*
-     * draft-ietf-pkix-ipki-part1-11 says in part:
-     *
-     * DirectoryString { INTEGER:maxSize } ::= CHOICE {
-     *   teletexString           TeletexString (SIZE (1..maxSize)),
-     *   printableString         PrintableString (SIZE (1..maxSize)),
-     *   universalString         UniversalString (SIZE (1..maxSize)),
-     *   bmpString               BMPString (SIZE(1..maxSize)),
-     *   utf8String              UTF8String (SIZE(1..maxSize))
-     *                       }
-     *
-     * The tags are:
-     *  TeletexString       UNIVERSAL 20
-     *  PrintableString     UNIVERSAL 19
-     *  UniversalString     UNIVERSAL 28
-     *  BMPString           UNIVERSAL 30
-     *  UTF8String          UNIVERSAL 12
-     *
-     * "UNIVERSAL" tags have bits 8 and 7 zero, bit 6 is zero for
-     * primitive encodings, and if the tag value is less than 30,
-     * the tag value is directly encoded in bits 5 through 1.
-     */
-    in.data = (void *)&(((PRUint8 *)berData->data)[1]);
-    in.size = berData->size-1;
-    
-    tag = *(PRUint8 *)berData->data;
-    switch( tag & nssASN1_TAGNUM_MASK ) {
-    case 20:
-      /*
-       * XXX fgmr-- we have to accept Latin-1 for Teletex; (see
-       * below) but is T61 a suitable value for "Latin-1"?
-       */
-      templ = nssASN1Template_T61String;
-      type = nssStringType_TeletexString;
-      break;
-    case 19:
-      templ = nssASN1Template_PrintableString;
-      type = nssStringType_PrintableString;
-      break;
-    case 28:
-      templ = nssASN1Template_UniversalString;
-      type = nssStringType_UniversalString;
-      break;
-    case 30:
-      templ = nssASN1Template_BMPString;
-      type = nssStringType_BMPString;
-      break;
-    case 12:
-      templ = nssASN1Template_UTF8String;
-      type = nssStringType_UTF8String;
-      break;
-    default:
-      nss_SetError(NSS_ERROR_INVALID_POINTER); /* "pointer"? */
-      (void)NSSArena_Destroy(a);
-      return (NSSUTF8 *)NULL;
-    }
-
-    break;
-
-  case nssStringType_TeletexString:
-    /*
-     * XXX fgmr-- we have to accept Latin-1 for Teletex; (see
-     * below) but is T61 a suitable value for "Latin-1"?
-     */
-    templ = nssASN1Template_T61String;
-    break;
-   
-  case nssStringType_PrintableString:
-    templ = nssASN1Template_PrintableString;
-    break;
-
-  case nssStringType_UniversalString:
-    templ = nssASN1Template_UniversalString;
-    break;
-
-  case nssStringType_BMPString:
-    templ = nssASN1Template_BMPString;
-    break;
-
-  case nssStringType_UTF8String:
-    templ = nssASN1Template_UTF8String;
-    break;
-
-  case nssStringType_PHGString:
-    templ = nssASN1Template_IA5String;
-    break;
-
-  default:
-    nss_SetError(NSS_ERROR_UNSUPPORTED_TYPE);
-    (void)NSSArena_Destroy(a);
-    return (NSSUTF8 *)NULL;
-  }
-    
-  st = nssASN1_DecodeBER(a, &out, templ, &in);
-  
-  if( PR_SUCCESS == st ) {
-    rv = nssUTF8_Create(arenaOpt, type, out.data, out.size);
-  }
-  (void)NSSArena_Destroy(a);
-  
-  return rv;
-}
-
-NSS_EXTERN NSSDER *
-nssUTF8_GetDEREncoding
-(
-  NSSArena *arenaOpt,
-  nssStringType type,
-  const NSSUTF8 *string
-)
-{
-  NSSDER *rv = (NSSDER *)NULL;
-  NSSItem str;
-  NSSDER *der;
-  const nssASN1Template *templ;
-  NSSArena *a;
-
-#ifdef NSSDEBUG
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSDER *)NULL;
-    }
-  }
-
-  if( (const NSSUTF8 *)NULL == string ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return (NSSDER *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  str.data = (void *)string;
-  str.size = nssUTF8_Size(string, (PRStatus *)NULL);
-  if( 0 == str.size ) {
-    return (NSSDER *)NULL;
-  }
-
-  a = NSSArena_Create();
-  if( (NSSArena *)NULL == a ) {
-    return (NSSDER *)NULL;
-  }
-
-  switch( type ) {
-  case nssStringType_DirectoryString:
-    {
-      NSSDER *utf;
-      PRUint8 *c;
-
-      utf = nssASN1_EncodeItem(a, (NSSDER *)NULL, &str, 
-                               nssASN1Template_UTF8String,
-                               NSSASN1DER);
-      if( (NSSDER *)NULL == utf ) {
-        (void)NSSArena_Destroy(a);
-        return (NSSDER *)NULL;
-      }
-
-      rv = nss_ZNEW(arenaOpt, NSSDER);
-      if( (NSSDER *)NULL == rv ) {
-        (void)NSSArena_Destroy(a);
-        return (NSSDER *)NULL;
-      }
-
-      rv->size = utf->size + 1;
-      rv->data = nss_ZAlloc(arenaOpt, rv->size);
-      if( (void *)NULL == rv->data ) {
-        (void)nss_ZFreeIf(rv);
-        (void)NSSArena_Destroy(a);
-        return (NSSDER *)NULL;
-      }
-      
-      c = (PRUint8 *)rv->data;
-      (void)nsslibc_memcpy(&c[1], utf->data, utf->size);
-      *c = 12; /* UNIVERSAL primitive encoding tag for UTF8String */
-
-      (void)NSSArena_Destroy(a);
-      return rv;
-    }
-  case nssStringType_TeletexString:
-    /*
-     * XXX fgmr-- we have to accept Latin-1 for Teletex; (see
-     * below) but is T61 a suitable value for "Latin-1"?
-     */
-    templ = nssASN1Template_T61String;
-    break;
-  case nssStringType_PrintableString:
-    templ = nssASN1Template_PrintableString;
-    break;
-
-  case nssStringType_UniversalString:
-    templ = nssASN1Template_UniversalString;
-    break;
-
-  case nssStringType_BMPString:
-    templ = nssASN1Template_BMPString;
-    break;
-
-  case nssStringType_UTF8String:
-    templ = nssASN1Template_UTF8String;
-    break;
-
-  case nssStringType_PHGString:
-    templ = nssASN1Template_IA5String;
-    break;
-
-  default:
-    nss_SetError(NSS_ERROR_UNSUPPORTED_TYPE);
-    (void)NSSArena_Destroy(a);
-    return (NSSDER *)NULL;
-  }
-
-  der = nssUTF8_GetDEREncoding(a, type, string);
-  if( (NSSItem *)NULL == der ) {
-    (void)NSSArena_Destroy(a);
-    return (NSSDER *)NULL;
-  }
-
-  rv = nssASN1_EncodeItem(arenaOpt, (NSSDER *)NULL, der, templ, NSSASN1DER);
-  if( (NSSDER *)NULL == rv ) {
-    (void)NSSArena_Destroy(a);
-    return (NSSDER *)NULL;
-  }
-
-  (void)NSSArena_Destroy(a);
-  return rv;
-}
diff --git a/security/nss/lib/asn1/asn1.h b/security/nss/lib/asn1/asn1.h
deleted file mode 100644
index eecc54120..000000000
--- a/security/nss/lib/asn1/asn1.h
+++ /dev/null
@@ -1,882 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef ASN1_H
-#define ASN1_H
-
-#ifdef DEBUG
-static const char ASN1_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * asn1.h
- *
- * This file contains the ASN.1 encoder/decoder routines available
- * internally within NSS.  It's not clear right now if this file
- * will be folded into base.h or something, I just needed to get this
- * going.  At the moment, most of these routines wrap the old SEC_ASN1
- * calls.
- */
-
-#ifndef ASN1T_H
-#include "asn1t.h"
-#endif /* ASN1T_H */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-PR_BEGIN_EXTERN_C
-
-/*
- * nssASN1Decoder
- *
- * ... description here ...
- *
- *  nssASN1Decoder_Create (Factory/Constructor)
- *  nssASN1Decoder_Update
- *  nssASN1Decoder_Finish (Destructor)
- *  nssASN1Decoder_SetFilter
- *  nssASN1Decoder_GetFilter
- *  nssASN1Decoder_SetNotify
- *  nssASN1Decoder_GetNotify
- *
- * Debug builds only:
- *
- *  nssASN1Decoder_verify
- *
- * Related functions that aren't type methods:
- *
- *  nssASN1_Decode
- *  nssASN1_DecodeBER
- */
-
-/*
- * nssASN1Decoder_Create
- *
- * This routine creates an ASN.1 Decoder, which will use the specified
- * template to decode a datastream into the specified destination
- * structure.  If the optional arena argument is non-NULL, blah blah 
- * blah.  XXX fgmr Should we include an nssASN1EncodingType argument, 
- * as a hint?  Or is each encoding distinctive?  This routine may 
- * return NULL upon error, in which case an error will have been 
- * placed upon the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_INVALID_POINTER
- *  ...
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an ASN.1 Decoder upon success.
- */
-
-NSS_EXTERN nssASN1Decoder *
-nssASN1Decoder_Create
-(
-  NSSArena *arenaOpt,
-  void *destination,
-  const nssASN1Template template[]
-);
-
-extern const NSSError NSS_ERROR_NO_MEMORY;
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-
-/*
- * nssASN1Decoder_Update
- *
- * This routine feeds data to the decoder.  In the event of an error, 
- * it will place an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_INVALID_POINTER
- *  NSS_ERROR_INVALID_ASN1DECODER
- *  NSS_ERROR_INVALID_BER
- *  ...
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success.
- */
-
-NSS_EXTERN PRStatus
-nssASN1Decoder_Update
-(
-  nssASN1Decoder *decoder,
-  const void *data,
-  PRUint32 amount
-);
-
-extern const NSSError NSS_ERROR_NO_MEMORY;
-extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
-extern const NSSError NSS_ERROR_INVALID_BER;
-
-/*
- * nssASN1Decoder_Finish
- *
- * This routine finishes the decoding and destroys the decoder.
- * In the event of an error, it will place an error on the error
- * stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ASN1DECODER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1Decoder_Finish
-(
-  nssASN1Decoder *decoder
-);
-
-extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
-
-/*
- * nssASN1Decoder_SetFilter
- *
- * This routine registers a callback filter routine with the decoder,
- * which will be called blah blah blah.  The specified argument will
- * be passed as-is to the filter routine.  The routine pointer may
- * be NULL, in which case no filter callback will be called.  If the
- * noStore boolean is PR_TRUE, then decoded fields will not be stored
- * in the destination structure specified when the decoder was 
- * created.  This routine returns a PRStatus value; in the event of
- * an error, it will place an error on the error stack and return
- * PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ASN1DECODER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1Decoder_SetFilter
-(
-  nssASN1Decoder *decoder,
-  nssASN1DecoderFilterFunction *callback,
-  void *argument,
-  PRBool noStore
-);
-
-extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
-
-/*
- * nssASN1Decoder_GetFilter
- *
- * If the optional pCallbackOpt argument to this routine is non-null,
- * then the pointer to any callback function established for this
- * decoder with nssASN1Decoder_SetFilter will be stored at the 
- * location indicated by it.  If the optional pArgumentOpt
- * pointer is non-null, the filter's closure argument will be stored
- * there.  If the optional pNoStoreOpt pointer is non-null, the
- * noStore value specified when setting the filter will be stored
- * there.  This routine returns a PRStatus value; in the event of
- * an error it will place an error on the error stack and return
- * PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ASN1DECODER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1Decoder_GetFilter
-(
-  nssASN1Decoder *decoder,
-  nssASN1DecoderFilterFunction **pCallbackOpt,
-  void **pArgumentOpt,
-  PRBool *pNoStoreOpt
-);
-
-extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
-
-/*
- * nssASN1Decoder_SetNotify
- *
- * This routine registers a callback notify routine with the decoder,
- * which will be called whenever.. The specified argument will be
- * passed as-is to the notify routine.  The routine pointer may be
- * NULL, in which case no notify routine will be called.  This routine
- * returns a PRStatus value; in the event of an error it will place
- * an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ASN1DECODER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1Decoder_SetNotify
-(
-  nssASN1Decoder *decoder,
-  nssASN1NotifyFunction *callback,
-  void *argument
-);
-
-extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
-
-/*
- * nssASN1Decoder_GetNotify
- *
- * If the optional pCallbackOpt argument to this routine is non-null,
- * then the pointer to any callback function established for this
- * decoder with nssASN1Decoder_SetNotify will be stored at the 
- * location indicated by it.  If the optional pArgumentOpt pointer is
- * non-null, the filter's closure argument will be stored there.
- * This routine returns a PRStatus value; in the event of an error it
- * will place an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ASN1DECODER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1Decoder_GetNotify
-(
-  nssASN1Decoder *decoder,
-  nssASN1NotifyFunction **pCallbackOpt,
-  void **pArgumentOpt
-);
-
-extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
-
-/*
- * nssASN1Decoder_verify
- *
- * This routine is only available in debug builds.
- *
- * If the specified pointer is a valid pointer to an nssASN1Decoder
- * object, this routine will return PR_SUCCESS.  Otherwise, it will 
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ASN1DECODER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-#ifdef DEBUG
-NSS_EXTERN PRStatus
-nssASN1Decoder_verify
-(
-  nssASN1Decoder *decoder
-);
-
-extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
-#endif /* DEBUG */
-
-/*
- * nssASN1_Decode
- *
- * This routine will decode the specified data into the specified
- * destination structure, as specified by the specified template.
- * This routine returns a PRStatus value; in the event of an error
- * it will place an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_INVALID_POINTER
- *  NSS_ERROR_INVALID_BER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1_Decode
-(
-  NSSArena *arenaOpt,
-  void *destination,
-  const nssASN1Template template[],
-  const void *berData,
-  PRUint32 amount
-);
-
-extern const NSSError NSS_ERROR_NO_MEMORY;
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-extern const NSSError NSS_ERROR_INVALID_BER;
-
-/*
- * nssASN1_DecodeBER
- *
- * This routine will decode the data in the specified NSSBER
- * into the destination structure, as specified by the template.
- * This routine returns a PRStatus value; in the event of an error
- * it will place an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_INVALID_POINTER
- *  NSS_ERROR_INVALID_NSSBER
- *  NSS_ERROR_INVALID_BER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1_DecodeBER
-(
-  NSSArena *arenaOpt,
-  void *destination,
-  const nssASN1Template template[],
-  const NSSBER *data
-);
-
-extern const NSSError NSS_ERROR_NO_MEMORY;
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-extern const NSSError NSS_ERROR_INVALID_BER;
-
-/*
- * nssASN1Encoder
- *
- * ... description here ...
- *
- *  nssASN1Encoder_Create (Factory/Constructor)
- *  nssASN1Encoder_Update
- *  nssASN1Encoder_Finish (Destructor)
- *  nssASN1Encoder_SetNotify
- *  nssASN1Encoder_GetNotify
- *  nssASN1Encoder_SetStreaming
- *  nssASN1Encoder_GetStreaming
- *  nssASN1Encoder_SetTakeFromBuffer
- *  nssASN1Encoder_GetTakeFromBuffer
- *
- * Debug builds only:
- *
- *  nssASN1Encoder_verify
- *
- * Related functions that aren't type methods:
- *
- *  nssASN1_Encode
- *  nssASN1_EncodeItem
- */
-
-/*
- * nssASN1Encoder_Create
- *
- * This routine creates an ASN.1 Encoder, blah blah blah.  This 
- * may return NULL upon error, in which case an error will have been
- * placed on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_INVALID_POINTER
- *  NSS_ERROR_ENCODING_NOT_SUPPORTED
- *  ...
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an ASN.1 Encoder upon success
- */
-
-NSS_EXTERN nssASN1Encoder *
-nssASN1Encoder_Create
-(
-  const void *source,
-  const nssASN1Template template[],
-  NSSASN1EncodingType encoding,
-  nssASN1EncoderWriteFunction *sink,
-  void *argument
-);
-
-extern const NSSError NSS_ERROR_NO_MEMORY;
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-extern const NSSError NSS_ERROR_ENCODING_NOT_SUPPORTED;
-
-/*
- * nssASN1Encoder_Update
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ASN1ENCODER
- *  NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1Encoder_Update
-(
-  nssASN1Encoder *encoder,
-  const void *data,
-  PRUint32 length
-);
-
-extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-
-/*
- * nssASN1Encoder_Finish
- *
- * Destructor.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ASN1ENCODER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1Encoder_Finish
-(
-  nssASN1Encoder *encoder
-);
-
-extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
-
-/*
- * nssASN1Encoder_SetNotify
- *
- * This routine registers a callback notify routine with the encoder,
- * which will be called whenever.. The specified argument will be
- * passed as-is to the notify routine.  The routine pointer may be
- * NULL, in which case no notify routine will be called.  This routine
- * returns a PRStatus value; in the event of an error it will place
- * an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ASN1DECODER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1Encoder_SetNotify
-(
-  nssASN1Encoder *encoder,
-  nssASN1NotifyFunction *callback,
-  void *argument
-);
-
-extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
-
-/*
- * nssASN1Encoder_GetNotify
- *
- * If the optional pCallbackOpt argument to this routine is non-null,
- * then the pointer to any callback function established for this
- * decoder with nssASN1Encoder_SetNotify will be stored at the 
- * location indicated by it.  If the optional pArgumentOpt pointer is
- * non-null, the filter's closure argument will be stored there.
- * This routine returns a PRStatus value; in the event of an error it
- * will place an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ASN1ENCODER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1Encoder_GetNotify
-(
-  nssASN1Encoder *encoder,
-  nssASN1NotifyFunction **pCallbackOpt,
-  void **pArgumentOpt
-);
-
-extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
-
-/*
- * nssASN1Encoder_SetStreaming
- *
- * 
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ASN1ENCODER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1Encoder_SetStreaming
-(
-  nssASN1Encoder *encoder,
-  PRBool streaming
-);
-
-extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
-
-/*
- * nssASN1Encoder_GetStreaming
- *
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ASN1ENCODER
- *  NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1Encoder_GetStreaming
-(
-  nssASN1Encoder *encoder,
-  PRBool *pStreaming
-);
-
-extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-
-/*
- * nssASN1Encoder_SetTakeFromBuffer
- *
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ASN1ENCODER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1Encoder_SetTakeFromBuffer
-(
-  nssASN1Encoder *encoder,
-  PRBool takeFromBuffer
-);
-
-extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
-
-/*
- * nssASN1Encoder_GetTakeFromBuffer
- *
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ASN1ENCODER
- *  NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1Encoder_GetTakeFromBuffer
-(
-  nssASN1Encoder *encoder,
-  PRBool *pTakeFromBuffer
-);
-
-extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-
-/*
- * nssASN1Encoder_verify
- *
- * This routine is only available in debug builds.
- *
- * If the specified pointer is a valid pointer to an nssASN1Encoder
- * object, this routine will return PR_SUCCESS.  Otherwise, it will 
- * put an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ASN1ENCODER
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-#ifdef DEBUG
-NSS_EXTERN PRStatus
-nssASN1Encoder_verify
-(
-  nssASN1Encoder *encoder
-);
-
-extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
-#endif /* DEBUG */
-
-/*
- * nssASN1_Encode
- *
- * 
- * The error may be one of the following values:
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_INVALID_POINTER
- *  NSS_ERROR_ENCODING_NOT_SUPPORTED
- *  ...
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssASN1_Encode
-(
-  const void *source,
-  const nssASN1Template template[],
-  NSSASN1EncodingType encoding,
-  nssASN1EncoderWriteFunction *sink,
-  void *argument
-);
-
-extern const NSSError NSS_ERROR_NO_MEMORY;
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-extern const NSSError NSS_ERROR_ENCODING_NOT_SUPPORTED;
-
-/*
- * nssASN1_EncodeItem
- *
- * There must be a better name.  If the optional arena argument is
- * non-null, it'll be used for the space.  If the optional rvOpt is
- * non-null, it'll be the return value-- if it is null, a new one
- * will be allocated.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_INVALID_POINTER
- *  NSS_ERROR_ENCODING_NOT_SUPPORTED
- *
- * Return value:
- *  NULL upon error
- *  A valid pointer to an NSSDER upon success
- */
-
-NSS_EXTERN NSSDER *
-nssASN1_EncodeItem
-(
-  NSSArena *arenaOpt,
-  NSSDER *rvOpt,
-  const void *source,
-  const nssASN1Template template[],
-  NSSASN1EncodingType encoding
-);
-
-extern const NSSError NSS_ERROR_NO_MEMORY;
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-extern const NSSError NSS_ERROR_ENCODING_NOT_SUPPORTED;
-
-/*
- * Other basic types' encoding and decoding helper functions:
- *
- *  nssASN1_CreatePRUint32FromBER
- *  nssASN1_GetDERFromPRUint32
- *  nssASN1_CreatePRInt32FromBER
- *  nssASN1_GetDERFromPRInt32
- * ..etc..
- */
-
-/*
- * nssASN1_CreatePRUint32FromBER
- *
- */
-
-NSS_EXTERN PRStatus
-nssASN1_CreatePRUint32FromBER
-(
-  NSSBER *encoded,
-  PRUint32 *pResult
-);
-
-/*
- * nssASN1_GetDERFromPRUint32
- *
- */
-
-NSS_EXTERN NSSDER *
-nssASN1_GetDERFromPRUint32
-(
-  NSSArena *arenaOpt,
-  NSSDER *rvOpt,
-  PRUint32 value
-);
-
-/*
- * nssASN1_CreatePRInt32FromBER
- *
- */
-
-NSS_EXTERN PRStatus
-nssASN1_CreatePRInt32FromBER
-(
-  NSSBER *encoded,
-  PRInt32 *pResult
-);
-
-/*
- * nssASN1_GetDERFromPRInt32
- *
- */
-
-NSS_EXTERN NSSDER *
-nssASN1_GetDERFromPRInt32
-(
-  NSSArena *arenaOpt,
-  NSSDER *rvOpt,
-  PRInt32 value
-);
-
-/*
- * Builtin templates
- */
-
-/*
- * Generic Templates
- * One for each of the simple types, plus a special one for ANY, plus:
- *	- a pointer to each one of those
- *	- a set of each one of those
- *
- * Note that these are alphabetical (case insensitive); please add new
- * ones in the appropriate place.
- */
-
-extern const nssASN1Template *nssASN1Template_Any;
-extern const nssASN1Template *nssASN1Template_BitString;
-extern const nssASN1Template *nssASN1Template_BMPString;
-extern const nssASN1Template *nssASN1Template_Boolean;
-extern const nssASN1Template *nssASN1Template_Enumerated;
-extern const nssASN1Template *nssASN1Template_GeneralizedTime;
-extern const nssASN1Template *nssASN1Template_IA5String;
-extern const nssASN1Template *nssASN1Template_Integer;
-extern const nssASN1Template *nssASN1Template_Null;
-extern const nssASN1Template *nssASN1Template_ObjectID;
-extern const nssASN1Template *nssASN1Template_OctetString;
-extern const nssASN1Template *nssASN1Template_PrintableString;
-extern const nssASN1Template *nssASN1Template_T61String;
-extern const nssASN1Template *nssASN1Template_UniversalString;
-extern const nssASN1Template *nssASN1Template_UTCTime;
-extern const nssASN1Template *nssASN1Template_UTF8String;
-extern const nssASN1Template *nssASN1Template_VisibleString;
-
-extern const nssASN1Template *nssASN1Template_PointerToAny;
-extern const nssASN1Template *nssASN1Template_PointerToBitString;
-extern const nssASN1Template *nssASN1Template_PointerToBMPString;
-extern const nssASN1Template *nssASN1Template_PointerToBoolean;
-extern const nssASN1Template *nssASN1Template_PointerToEnumerated;
-extern const nssASN1Template *nssASN1Template_PointerToGeneralizedTime;
-extern const nssASN1Template *nssASN1Template_PointerToIA5String;
-extern const nssASN1Template *nssASN1Template_PointerToInteger;
-extern const nssASN1Template *nssASN1Template_PointerToNull;
-extern const nssASN1Template *nssASN1Template_PointerToObjectID;
-extern const nssASN1Template *nssASN1Template_PointerToOctetString;
-extern const nssASN1Template *nssASN1Template_PointerToPrintableString;
-extern const nssASN1Template *nssASN1Template_PointerToT61String;
-extern const nssASN1Template *nssASN1Template_PointerToUniversalString;
-extern const nssASN1Template *nssASN1Template_PointerToUTCTime;
-extern const nssASN1Template *nssASN1Template_PointerToUTF8String;
-extern const nssASN1Template *nssASN1Template_PointerToVisibleString;
-
-extern const nssASN1Template *nssASN1Template_SetOfAny;
-extern const nssASN1Template *nssASN1Template_SetOfBitString;
-extern const nssASN1Template *nssASN1Template_SetOfBMPString;
-extern const nssASN1Template *nssASN1Template_SetOfBoolean;
-extern const nssASN1Template *nssASN1Template_SetOfEnumerated;
-extern const nssASN1Template *nssASN1Template_SetOfGeneralizedTime;
-extern const nssASN1Template *nssASN1Template_SetOfIA5String;
-extern const nssASN1Template *nssASN1Template_SetOfInteger;
-extern const nssASN1Template *nssASN1Template_SetOfNull;
-extern const nssASN1Template *nssASN1Template_SetOfObjectID;
-extern const nssASN1Template *nssASN1Template_SetOfOctetString;
-extern const nssASN1Template *nssASN1Template_SetOfPrintableString;
-extern const nssASN1Template *nssASN1Template_SetOfT61String;
-extern const nssASN1Template *nssASN1Template_SetOfUniversalString;
-extern const nssASN1Template *nssASN1Template_SetOfUTCTime;
-extern const nssASN1Template *nssASN1Template_SetOfUTF8String;
-extern const nssASN1Template *nssASN1Template_SetOfVisibleString;
-
-/*
- *
- */
-
-NSS_EXTERN NSSUTF8 *
-nssUTF8_CreateFromBER
-(
-  NSSArena *arenaOpt,
-  nssStringType type,
-  NSSBER *berData
-);
-
-NSS_EXTERN NSSDER *
-nssUTF8_GetDEREncoding
-(
-  NSSArena *arenaOpt,
-  /* Should have an NSSDER *rvOpt */
-  nssStringType type,
-  const NSSUTF8 *string
-);
-
-PR_END_EXTERN_C
-
-#endif /* ASN1_H */
diff --git a/security/nss/lib/asn1/asn1m.h b/security/nss/lib/asn1/asn1m.h
deleted file mode 100644
index 957591d88..000000000
--- a/security/nss/lib/asn1/asn1m.h
+++ /dev/null
@@ -1,83 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef ASN1M_H
-#define ASN1M_H
-
-#ifdef DEBUG
-static const char ASN1M_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * asn1m.h
- *
- * This file contains the ASN.1 encoder/decoder routines available
- * only within the ASN.1 module itself.
- */
-
-#ifndef ASN1_H
-#include "asn1.h"
-#endif /* ASN1_H */
-
-PR_BEGIN_EXTERN_C
-
-/*
- * nssasn1_number_length
- *
- */
-
-NSS_EXTERN PRUint32
-nssasn1_length_length
-(
-  PRUint32 number
-);
-
-/*
- * nssasn1_get_subtemplate
- *
- */
-
-NSS_EXTERN const nssASN1Template *
-nssasn1_get_subtemplate
-(
-  const nssASN1Template template[],
-  void *thing,
-  PRBool encoding
-);
-
-PR_END_EXTERN_C
-
-#endif /* ASN1M_H */
diff --git a/security/nss/lib/asn1/asn1t.h b/security/nss/lib/asn1/asn1t.h
deleted file mode 100644
index d7d8d6585..000000000
--- a/security/nss/lib/asn1/asn1t.h
+++ /dev/null
@@ -1,169 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef ASN1T_H
-#define ASN1T_H
-
-#ifdef DEBUG
-static const char ASN1T_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * asn1t.h
- *
- * This file contains the ASN.1 encoder/decoder types available 
- * internally within NSS.  It's not clear right now if this file
- * will be folded into baset.h or something, I just needed to
- * get this going.  At the moment, these types are wrappers for
- * the old types.
- */
-
-#ifndef BASET_H
-#include "baset.h"
-#endif /* BASET_H */
-
-#ifndef NSSASN1T_H
-#include "nssasn1t.h"
-#endif /* NSSASN1T_H */
-
-#include "seccomon.h"
-#include "secasn1t.h"
-
-PR_BEGIN_EXTERN_C
-
-/*
- * XXX fgmr
- *
- * This sort of bites.  Let's keep an eye on this, to make sure
- * we aren't stuck with it forever.
- */
-
-struct nssASN1ItemStr {
-  PRUint32 reserved;
-  PRUint8 *data;
-  PRUint32 size;
-};
-
-typedef struct nssASN1ItemStr nssASN1Item;
-
-/*
- * I'm not documenting these here, since this'll require another
- * pass anyway.
- */
-
-typedef SEC_ASN1Template nssASN1Template;
-
-#define nssASN1_TAG_MASK               SEC_ASN1_TAG_MASK
-
-#define nssASN1_TAGNUM_MASK            SEC_ASN1_TAGNUM_MASK
-#define nssASN1_BOOLEAN                SEC_ASN1_BOOLEAN
-#define nssASN1_INTEGER                SEC_ASN1_INTEGER
-#define nssASN1_BIT_STRING             SEC_ASN1_BIT_STRING
-#define nssASN1_OCTET_STRING           SEC_ASN1_OCTET_STRING
-#define nssASN1_NULL                   SEC_ASN1_NULL
-#define nssASN1_OBJECT_ID              SEC_ASN1_OBJECT_ID
-#define nssASN1_OBJECT_DESCRIPTOR      SEC_ASN1_OBJECT_DESCRIPTOR
-/* External type and instance-of type   0x08 */
-#define nssASN1_REAL                   SEC_ASN1_REAL
-#define nssASN1_ENUMERATED             SEC_ASN1_ENUMERATED
-#define nssASN1_EMBEDDED_PDV           SEC_ASN1_EMBEDDED_PDV
-#define nssASN1_UTF8_STRING            SEC_ASN1_UTF8_STRING
-#define nssASN1_SEQUENCE               SEC_ASN1_SEQUENCE
-#define nssASN1_SET                    SEC_ASN1_SET
-#define nssASN1_NUMERIC_STRING         SEC_ASN1_NUMERIC_STRING
-#define nssASN1_PRINTABLE_STRING       SEC_ASN1_PRINTABLE_STRING
-#define nssASN1_T61_STRING             SEC_ASN1_T61_STRING
-#define nssASN1_TELETEX_STRING         nssASN1_T61_STRING
-#define nssASN1_VIDEOTEX_STRING        SEC_ASN1_VIDEOTEX_STRING
-#define nssASN1_IA5_STRING             SEC_ASN1_IA5_STRING
-#define nssASN1_UTC_TIME               SEC_ASN1_UTC_TIME
-#define nssASN1_GENERALIZED_TIME       SEC_ASN1_GENERALIZED_TIME
-#define nssASN1_GRAPHIC_STRING         SEC_ASN1_GRAPHIC_STRING
-#define nssASN1_VISIBLE_STRING         SEC_ASN1_VISIBLE_STRING
-#define nssASN1_GENERAL_STRING         SEC_ASN1_GENERAL_STRING
-#define nssASN1_UNIVERSAL_STRING       SEC_ASN1_UNIVERSAL_STRING
-/*                                      0x1d */
-#define nssASN1_BMP_STRING             SEC_ASN1_BMP_STRING
-#define nssASN1_HIGH_TAG_NUMBER        SEC_ASN1_HIGH_TAG_NUMBER
-
-#define nssASN1_METHOD_MASK            SEC_ASN1_METHOD_MASK
-#define nssASN1_PRIMITIVE              SEC_ASN1_PRIMITIVE
-#define nssASN1_CONSTRUCTED            SEC_ASN1_CONSTRUCTED
-                                                                
-#define nssASN1_CLASS_MASK             SEC_ASN1_CLASS_MASK
-#define nssASN1_UNIVERSAL              SEC_ASN1_UNIVERSAL
-#define nssASN1_APPLICATION            SEC_ASN1_APPLICATION
-#define nssASN1_CONTEXT_SPECIFIC       SEC_ASN1_CONTEXT_SPECIFIC
-#define nssASN1_PRIVATE                SEC_ASN1_PRIVATE
-
-#define nssASN1_OPTIONAL               SEC_ASN1_OPTIONAL 
-#define nssASN1_EXPLICIT               SEC_ASN1_EXPLICIT 
-#define nssASN1_ANY                    SEC_ASN1_ANY      
-#define nssASN1_INLINE                 SEC_ASN1_INLINE   
-#define nssASN1_POINTER                SEC_ASN1_POINTER  
-#define nssASN1_GROUP                  SEC_ASN1_GROUP    
-#define nssASN1_DYNAMIC                SEC_ASN1_DYNAMIC  
-#define nssASN1_SKIP                   SEC_ASN1_SKIP     
-#define nssASN1_INNER                  SEC_ASN1_INNER    
-#define nssASN1_SAVE                   SEC_ASN1_SAVE     
-#define nssASN1_MAY_STREAM             SEC_ASN1_MAY_STREAM
-#define nssASN1_SKIP_REST              SEC_ASN1_SKIP_REST
-#define nssASN1_CHOICE                 SEC_ASN1_CHOICE
-
-#define nssASN1_SEQUENCE_OF            SEC_ASN1_SEQUENCE_OF 
-#define nssASN1_SET_OF                 SEC_ASN1_SET_OF      
-#define nssASN1_ANY_CONTENTS           SEC_ASN1_ANY_CONTENTS
-
-typedef SEC_ASN1TemplateChooserPtr nssASN1ChooseTemplateFunction;
-
-typedef SEC_ASN1DecoderContext nssASN1Decoder;
-typedef SEC_ASN1EncoderContext nssASN1Encoder;
-
-typedef enum {
-  nssASN1EncodingPartIdentifier    = SEC_ASN1_Identifier,
-  nssASN1EncodingPartLength        = SEC_ASN1_Length,
-  nssASN1EncodingPartContents      = SEC_ASN1_Contents,
-  nssASN1EncodingPartEndOfContents = SEC_ASN1_EndOfContents
-} nssASN1EncodingPart;
-
-typedef SEC_ASN1NotifyProc nssASN1NotifyFunction;
-
-typedef SEC_ASN1WriteProc nssASN1EncoderWriteFunction;
-typedef SEC_ASN1WriteProc nssASN1DecoderFilterFunction;
-
-PR_END_EXTERN_C
-
-#endif /* ASN1T_H */
diff --git a/security/nss/lib/asn1/config.mk b/security/nss/lib/asn1/config.mk
deleted file mode 100644
index f4e5b965b..000000000
--- a/security/nss/lib/asn1/config.mk
+++ /dev/null
@@ -1,52 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
-
-ifdef BUILD_IDG
-DEFINES += -DNSSDEBUG
-endif
-
-#
-#  Override TARGETS variable so that only static libraries
-#  are specifed as dependencies within rules.mk.
-#
-
-TARGETS        = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PROGRAM        =
-
diff --git a/security/nss/lib/asn1/manifest.mn b/security/nss/lib/asn1/manifest.mn
deleted file mode 100644
index 382a5baa3..000000000
--- a/security/nss/lib/asn1/manifest.mn
+++ /dev/null
@@ -1,59 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
-
-CORE_DEPTH = ../../..
-
-PRIVATE_EXPORTS = \
-	asn1t.h		  \
-	asn1m.h		  \
-	asn1.h		  \
-	nssasn1t.h	  \
-	$(NULL)
-
-EXPORTS =	   \
-	$(NULL)
-
-MODULE = nss
-
-CSRCS =		   \
-	asn1.c	   \
-	$(NULL)
-
-REQUIRES = nspr
-
-LIBRARY_NAME = asn1
diff --git a/security/nss/lib/asn1/nssasn1t.h b/security/nss/lib/asn1/nssasn1t.h
deleted file mode 100644
index 6df1f24a0..000000000
--- a/security/nss/lib/asn1/nssasn1t.h
+++ /dev/null
@@ -1,70 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef NSSASN1T_H
-#define NSSASN1T_H
-
-#ifdef DEBUG
-static const char NSSASN1T_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * nssasn1t.h
- *
- * This file contains the public types related to our ASN.1 encoder 
- * and decoder.
- */
-
-PR_BEGIN_EXTERN_C
-
-/*
- * NSSASN1EncodingType
- *
- * This type enumerates specific types of ASN.1 encodings.
- */
-
-typedef enum {
-  NSSASN1BER,               /* Basic Encoding Rules */
-  NSSASN1CER,               /* Canonical Encoding Rules */
-  NSSASN1DER,               /* Distinguished Encoding Rules */
-  NSSASN1LWER,              /* LightWeight Encoding Rules */
-  NSSASN1PER,               /* Packed Encoding Rules */
-  NSSASN1UnknownEncoding = -1
-} NSSASN1EncodingType;
-
-PR_END_EXTERN_C
-
-#endif /* NSSASN1T_H */
diff --git a/security/nss/lib/base/Makefile b/security/nss/lib/base/Makefile
deleted file mode 100644
index 2d25c00f2..000000000
--- a/security/nss/lib/base/Makefile
+++ /dev/null
@@ -1,44 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
-
-include manifest.mn
-include $(CORE_DEPTH)/coreconf/config.mk
-include config.mk
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-export:: private_export
diff --git a/security/nss/lib/base/arena.c b/security/nss/lib/base/arena.c
deleted file mode 100644
index 61fb07147..000000000
--- a/security/nss/lib/base/arena.c
+++ /dev/null
@@ -1,1145 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * arena.c
- *
- * This contains the implementation of NSS's thread-safe arenas.
- */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-#ifdef ARENA_THREADMARK
-#include "prthread.h"
-#endif /* ARENA_THREADMARK */
-
-#include "prlock.h"
-#include "plarena.h"
-
-#include <string.h>
-
-/*
- * NSSArena
- *
- * This is based on NSPR's arena code, but it is threadsafe.
- *
- * The public methods relating to this type are:
- *
- *  NSSArena_Create  -- constructor
- *  NSSArena_Destroy
- *
- * The nonpublic methods relating to this type are:
- *
- *  nssArena_Create  -- constructor
- *  nssArena_Destroy
- *  nssArena_Mark
- *  nssArena_Release
- *  nssArena_Unmark
- * 
- *  nss_ZAlloc
- *  nss_ZFreeIf
- *  nss_ZRealloc
- *
- * In debug builds, the following calls are available:
- *
- *  nssArena_verifyPointer
- *  nssArena_registerDestructor
- *  nssArena_deregisterDestructor
- */
-
-struct NSSArenaStr {
-  PLArenaPool pool;
-  PRLock *lock;
-#ifdef ARENA_THREADMARK
-  PRThread *marking_thread;
-  nssArenaMark *first_mark;
-  nssArenaMark *last_mark;
-#endif /* ARENA_THREADMARK */
-#ifdef ARENA_DESTRUCTOR_LIST
-  struct arena_destructor_node *first_destructor;
-  struct arena_destructor_node *last_destructor;
-#endif /* ARENA_DESTRUCTOR_LIST */
-};
-
-/*
- * nssArenaMark
- *
- * This type is used to mark the current state of an NSSArena.
- */
-
-struct nssArenaMarkStr {
-  PRUint32 magic;
-  void *mark;
-#ifdef ARENA_THREADMARK
-  nssArenaMark *next;
-#endif /* ARENA_THREADMARK */
-#ifdef ARENA_DESTRUCTOR_LIST
-  struct arena_destructor_node *next_destructor;
-  struct arena_destructor_node *prev_destructor;
-#endif /* ARENA_DESTRUCTOR_LIST */
-};
-
-#define MARK_MAGIC 0x4d41524b /* "MARK" how original */
-
-/*
- * But first, the pointer-tracking code
- */
-#ifdef DEBUG
-extern const NSSError NSS_ERROR_INTERNAL_ERROR;
-
-static nssPointerTracker arena_pointer_tracker;
-
-static PRStatus
-arena_add_pointer
-(
-  const NSSArena *arena
-)
-{
-  PRStatus rv;
-
-  rv = nssPointerTracker_initialize(&arena_pointer_tracker);
-  if( PR_SUCCESS != rv ) {
-    return rv;
-  }
-
-  rv = nssPointerTracker_add(&arena_pointer_tracker, arena);
-  if( PR_SUCCESS != rv ) {
-    NSSError e = NSS_GetError();
-    if( NSS_ERROR_NO_MEMORY != e ) {
-      nss_SetError(NSS_ERROR_INTERNAL_ERROR);
-    }
-
-    return rv;
-  }
-
-  return PR_SUCCESS;
-}
-
-static PRStatus
-arena_remove_pointer
-(
-  const NSSArena *arena
-)
-{
-  PRStatus rv;
-
-  rv = nssPointerTracker_remove(&arena_pointer_tracker, arena);
-  if( PR_SUCCESS != rv ) {
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
-  }
-
-  return rv;
-}
-
-/*
- * nssArena_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSArena object,
- * this routine will return PR_SUCCESS.  Otherwise, it will put an
- * error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- *  PR_SUCCESS if the pointer is valid
- *  PR_FAILURE if it isn't
- */
-
-NSS_IMPLEMENT PRStatus
-nssArena_verifyPointer
-(
-  const NSSArena *arena
-)
-{
-  PRStatus rv;
-
-  rv = nssPointerTracker_initialize(&arena_pointer_tracker);
-  if( PR_SUCCESS != rv ) {
-    /*
-     * This is a little disingenious.  We have to initialize the
-     * tracker, because someone could "legitimately" try to verify
-     * an arena pointer before one is ever created.  And this step
-     * might fail, due to lack of memory.  But the only way that
-     * this step can fail is if it's doing the call_once stuff,
-     * (later calls just no-op).  And if it didn't no-op, there
-     * aren't any valid arenas.. so the argument certainly isn't one.
-     */
-    nss_SetError(NSS_ERROR_INVALID_ARENA);
-    return PR_FAILURE;
-  }
-
-  rv = nssPointerTracker_verify(&arena_pointer_tracker, arena);
-  if( PR_SUCCESS != rv ) {
-    nss_SetError(NSS_ERROR_INVALID_ARENA);
-    return PR_FAILURE;
-  }
-
-  return PR_SUCCESS;
-}
-#endif /* DEBUG */
-
-#ifdef ARENA_DESTRUCTOR_LIST
-
-struct arena_destructor_node {
-  struct arena_destructor_node *next;
-  struct arena_destructor_node *prev;
-  void (*destructor)(void *argument);
-  void *arg;
-};
-
-/*
- * nssArena_registerDestructor
- *
- * This routine stores a pointer to a callback and an arbitrary
- * pointer-sized argument in the arena, at the current point in
- * the mark stack.  If the arena is destroyed, or an "earlier"
- * mark is released, then this destructor will be called at that
- * time.  Note that the destructor will be called with the arena
- * locked, which means the destructor may free memory in that
- * arena, but it may not allocate or cause to be allocated any
- * memory.  This callback facility was included to support our
- * debug-version pointer-tracker feature; overuse runs counter to
- * the the original intent of arenas.  This routine returns a 
- * PRStatus value; if successful, it will return PR_SUCCESS.  If 
- * unsuccessful, it will set an error on the error stack and 
- * return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  PR_SUCCESS
- *  PR_FAILURE
- */
-
-NSS_IMPLEMENT PRStatus
-nssArena_registerDestructor
-(
-  NSSArena *arena,
-  void (*destructor)(void *argument),
-  void *arg
-)
-{
-  struct arena_destructor_node *it;
-
-#ifdef NSSDEBUG
-  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
-    return PR_FAILURE;
-  }
-#endif /* NSSDEBUG */
-  
-  it = nss_ZNEW(arena, struct arena_destructor_node);
-  if( (struct arena_destructor_node *)NULL == it ) {
-    return PR_FAILURE;
-  }
-
-  it->prev = arena->last_destructor;
-  arena->last_destructor->next = it;
-  arena->last_destructor = it;
-  it->destructor = destructor;
-  it->arg = arg;
-
-  if( (nssArenaMark *)NULL != arena->last_mark ) {
-    arena->last_mark->prev_destructor = it->prev;
-    arena->last_mark->next_destructor = it->next;
-  }
-
-  return PR_SUCCESS;
-}
-
-NSS_IMPLEMENT PRStatus
-nssArena_deregisterDestructor
-(
-  NSSArena *arena,
-  void (*destructor)(void *argument),
-  void *arg
-)
-{
-  struct arena_destructor_node *it;
-
-#ifdef NSSDEBUG
-  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
-    return PR_FAILURE;
-  }
-#endif /* NSSDEBUG */
-
-  for( it = arena->first_destructor; it; it = it->next ) {
-    if( (it->destructor == destructor) && (it->arg == arg) ) {
-      break;
-    }
-  }
-
-  if( (struct arena_destructor_node *)NULL == it ) {
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-  }
-
-  if( it == arena->first_destructor ) {
-    arena->first_destructor = it->next;
-  }
-
-  if( it == arena->last_destructor ) {
-    arena->last_destructor = it->prev;
-  }
-
-  if( (struct arena_destructor_node *)NULL != it->prev ) {
-    it->prev->next = it->next;
-  }
-
-  if( (struct arena_destructor_node *)NULL != it->next ) {
-    it->next->prev = it->prev;
-  }
-
-  {
-    nssArenaMark *m;
-    for( m = arena->first_mark; m; m = m->next ) {
-      if( m->next_destructor == it ) {
-        m->next_destructor = it->next;
-      }
-      if( m->prev_destructor == it ) {
-        m->prev_destructor = it->prev;
-      }
-    }
-  }
-
-  nss_ZFreeIf(it);
-  return PR_SUCCESS;
-}
-
-static void
-nss_arena_call_destructor_chain
-(
-  struct arena_destructor_node *it
-)
-{
-  for( ; it ; it = it->next ) {
-    (*(it->destructor))(it->arg);
-  }
-}
-
-#endif /* ARENA_DESTRUCTOR_LIST */
-
-/*
- * NSSArena_Create
- *
- * This routine creates a new memory arena.  This routine may return
- * NULL upon error, in which case it will have created an error stack.
- *
- * The top-level error may be one of the following values:
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSArena upon success
- */
-
-NSS_IMPLEMENT NSSArena *
-NSSArena_Create
-(
-  void
-)
-{
-  nss_ClearErrorStack();
-  return nssArena_Create();
-}
-
-/*
- * nssArena_Create
- *
- * This routine creates a new memory arena.  This routine may return
- * NULL upon error, in which case it will have set an error on the 
- * error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSArena upon success
- */
-
-NSS_IMPLEMENT NSSArena *
-nssArena_Create
-(
-  void
-)
-{
-  NSSArena *rv = (NSSArena *)NULL;
-
-  rv = nss_ZNEW((NSSArena *)NULL, NSSArena);
-  if( (NSSArena *)NULL == rv ) {
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-    return (NSSArena *)NULL;
-  }
-
-  rv->lock = PR_NewLock();
-  if( (PRLock *)NULL == rv->lock ) {
-    (void)nss_ZFreeIf(rv);
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-    return (NSSArena *)NULL;
-  }
-
-  /*
-   * Arena sizes.  The current security code has 229 occurrences of
-   * PORT_NewArena.  The default chunksizes specified break down as
-   *
-   *  Size    Mult.   Specified as
-   *   512       1    512
-   *  1024       7    1024
-   *  2048       5    2048
-   *  2048       5    CRMF_DEFAULT_ARENA_SIZE
-   *  2048     190    DER_DEFAULT_CHUNKSIZE
-   *  2048      20    SEC_ASN1_DEFAULT_ARENA_SIZE
-   *  4096       1    4096
-   *
-   * Obviously this "default chunksize" flexibility isn't very 
-   * useful to us, so I'll just pick 2048.
-   */
-
-  PL_InitArenaPool(&rv->pool, "NSS", 2048, sizeof(double));
-
-#ifdef DEBUG
-  {
-    PRStatus st;
-    st = arena_add_pointer(rv);
-    if( PR_SUCCESS != st ) {
-      PL_FinishArenaPool(&rv->pool);
-      PR_DestroyLock(rv->lock);
-      (void)nss_ZFreeIf(rv);
-      return (NSSArena *)NULL;
-    }
-  }
-#endif /* DEBUG */
-
-  return rv;
-}
-
-/*
- * NSSArena_Destroy
- *
- * This routine will destroy the specified arena, freeing all memory
- * allocated from it.  This routine returns a PRStatus value; if 
- * successful, it will return PR_SUCCESS.  If unsuccessful, it will
- * create an error stack and return PR_FAILURE.
- *
- * The top-level error may be one of the following values:
- *  NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- *  PR_SUCCESS upon success
- *  PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-NSSArena_Destroy
-(
-  NSSArena *arena
-)
-{
-  nss_ClearErrorStack();
-
-#ifdef DEBUG
-  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
-    return PR_FAILURE;
-  }
-#endif /* DEBUG */
-
-  return nssArena_Destroy(arena);
-}
-
-/*
- * nssArena_Destroy
- *
- * This routine will destroy the specified arena, freeing all memory
- * allocated from it.  This routine returns a PRStatus value; if 
- * successful, it will return PR_SUCCESS.  If unsuccessful, it will
- * set an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- *  PR_SUCCESS
- *  PR_FAILURE
- */
-
-NSS_IMPLEMENT PRStatus
-nssArena_Destroy
-(
-  NSSArena *arena
-)
-{
-  PRLock *lock;
-
-#ifdef NSSDEBUG
-  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
-    return PR_FAILURE;
-  }
-#endif /* NSSDEBUG */
-
-  PR_Lock(arena->lock);
-  if( (PRLock *)NULL == arena->lock ) {
-    /* Just got destroyed */
-    nss_SetError(NSS_ERROR_INVALID_ARENA);
-    return PR_FAILURE;
-  }
-  
-#ifdef DEBUG
-  if( PR_SUCCESS != arena_remove_pointer(arena) ) {
-    return PR_FAILURE;
-  }
-#endif /* DEBUG */
-
-#ifdef ARENA_DESTRUCTOR_LIST
-  /* Note that the arena is locked at this time */
-  nss_arena_call_destructor_chain(arena->first_destructor);
-#endif /* ARENA_DESTRUCTOR_LIST */
-
-  PL_FinishArenaPool(&arena->pool);
-  lock = arena->lock;
-  arena->lock = (PRLock *)NULL;
-  PR_Unlock(lock);
-  PR_DestroyLock(lock);
-  (void)nss_ZFreeIf(arena);
-  return PR_SUCCESS;
-}
-
-static void *nss_zalloc_arena_locked(NSSArena *arena, PRUint32 size);
-
-/*
- * nssArena_Mark
- *
- * This routine "marks" the current state of an arena.  Space
- * allocated after the arena has been marked can be freed by
- * releasing the arena back to the mark with nssArena_Release,
- * or committed by calling nssArena_Unmark.  When successful, 
- * this routine returns a valid nssArenaMark pointer.  This 
- * routine may return NULL upon error, in which case it will 
- * have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
- *
- * Return value:
- *  NULL upon failure
- *  An nssArenaMark pointer upon success
- */
-
-NSS_IMPLEMENT nssArenaMark *
-nssArena_Mark
-(
-  NSSArena *arena
-)
-{
-  nssArenaMark *rv;
-  void *p;
-
-#ifdef NSSDEBUG
-  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
-    return (nssArenaMark *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  PR_Lock(arena->lock);
-  if( (PRLock *)NULL == arena->lock ) {
-    /* Just got destroyed */
-    nss_SetError(NSS_ERROR_INVALID_ARENA);
-    return (nssArenaMark *)NULL;
-  }
-
-#ifdef ARENA_THREADMARK
-  if( (PRThread *)NULL == arena->marking_thread ) {
-    /* Unmarked.  Store our thread ID */
-    arena->marking_thread = PR_GetCurrentThread();
-    /* This call never fails. */
-  } else {
-    /* Marked.  Verify it's the current thread */
-    if( PR_GetCurrentThread() != arena->marking_thread ) {
-      PR_Unlock(arena->lock);
-      nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
-      return (nssArenaMark *)NULL;
-    }
-  }
-#endif /* ARENA_THREADMARK */
-
-  p = PL_ARENA_MARK(&arena->pool);
-  /* No error possible */
-
-  /* Do this after the mark */
-  rv = (nssArenaMark *)nss_zalloc_arena_locked(arena, sizeof(nssArenaMark));
-  if( (nssArenaMark *)NULL == rv ) {
-    PR_Unlock(arena->lock);
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-    return (nssArenaMark *)NULL;
-  }
-
-#ifdef ARENA_THREADMARK
-  if ( (nssArenaMark *)NULL == arena->first_mark) {
-    arena->first_mark = rv;
-    arena->last_mark = rv;
-  } else {
-    arena->last_mark->next = rv;
-    arena->last_mark = rv;
-  }
-#endif /* ARENA_THREADMARK */
-
-  rv->mark = p;
-  rv->magic = MARK_MAGIC;
-
-#ifdef ARENA_DESTRUCTOR_LIST
-  rv->prev_destructor = arena->last_destructor;
-#endif /* ARENA_DESTRUCTOR_LIST */
-
-  PR_Unlock(arena->lock);
-
-  return rv;
-}
-
-/*
- * nss_arena_unmark_release
- *
- * This static routine implements the routines nssArena_Release
- * ans nssArena_Unmark, which are almost identical.
- */
-
-static PRStatus
-nss_arena_unmark_release
-(
-  NSSArena *arena,
-  nssArenaMark *arenaMark,
-  PRBool release
-)
-{
-  void *inner_mark;
-
-#ifdef NSSDEBUG
-  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
-    return PR_FAILURE;
-  }
-#endif /* NSSDEBUG */
-
-  if( MARK_MAGIC != arenaMark->magic ) {
-    nss_SetError(NSS_ERROR_INVALID_ARENA_MARK);
-    return PR_FAILURE;
-  }
-
-  PR_Lock(arena->lock);
-  if( (PRLock *)NULL == arena->lock ) {
-    /* Just got destroyed */
-    nss_SetError(NSS_ERROR_INVALID_ARENA);
-    return PR_FAILURE;
-  }
-
-#ifdef ARENA_THREADMARK
-  if( (PRThread *)NULL != arena->marking_thread ) {
-    if( PR_GetCurrentThread() != arena->marking_thread ) {
-      PR_Unlock(arena->lock);
-      nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
-      return PR_FAILURE;
-    }
-  }
-#endif /* ARENA_THREADMARK */
-
-  if( MARK_MAGIC != arenaMark->magic ) {
-    /* Just got released */
-    PR_Unlock(arena->lock);
-    nss_SetError(NSS_ERROR_INVALID_ARENA_MARK);
-    return PR_FAILURE;
-  }
-
-  arenaMark->magic = 0;
-  inner_mark = arenaMark->mark;
-
-#ifdef ARENA_THREADMARK
-  {
-    nssArenaMark **pMark = &arena->first_mark;
-    nssArenaMark *rest;
-    nssArenaMark *last = (nssArenaMark *)NULL;
-
-    /* Find this mark */
-    while( *pMark != arenaMark ) {
-      last = *pMark;
-      pMark = &(*pMark)->next;
-    }
-
-    /* Remember the pointer, then zero it */
-    rest = (*pMark)->next;
-    *pMark = (nssArenaMark *)NULL;
-
-    arena->last_mark = last;
-
-    /* Invalidate any later marks being implicitly released */
-    for( ; (nssArenaMark *)NULL != rest; rest = rest->next ) {
-      rest->magic = 0;
-    }
-
-    /* If we just got rid of the first mark, clear the thread ID */
-    if( (nssArenaMark *)NULL == arena->first_mark ) {
-      arena->marking_thread = (PRThread *)NULL;
-    }
-  }
-#endif /* ARENA_THREADMARK */
-
-  if( release ) {
-#ifdef ARENA_DESTRUCTOR_LIST
-    if( (struct arena_destructor_node *)NULL != arenaMark->prev_destructor ) {
-      arenaMark->prev_destructor->next = (struct arena_destructor_node *)NULL;
-    }
-    arena->last_destructor = arenaMark->prev_destructor;
-
-    /* Note that the arena is locked at this time */
-    nss_arena_call_destructor_chain(arenaMark->next_destructor);
-#endif /* ARENA_DESTRUCTOR_LIST */
-
-    PR_ARENA_RELEASE(&arena->pool, inner_mark);
-    /* No error return */
-  }
-
-  PR_Unlock(arena->lock);
-  return PR_SUCCESS;
-}
-
-/*
- * nssArena_Release
- *
- * This routine invalidates and releases all memory allocated from
- * the specified arena after the point at which the specified mark
- * was obtained.  This routine returns a PRStatus value; if successful,
- * it will return PR_SUCCESS.  If unsuccessful, it will set an error
- * on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_INVALID_ARENA_MARK
- *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
- *
- * Return value:
- *  PR_SUCCESS
- *  PR_FAILURE
- */
-
-NSS_IMPLEMENT PRStatus
-nssArena_Release
-(
-  NSSArena *arena,
-  nssArenaMark *arenaMark
-)
-{
-  return nss_arena_unmark_release(arena, arenaMark, PR_TRUE);
-}
-
-/*
- * nssArena_Unmark
- *
- * This routine "commits" the indicated mark and any marks after
- * it, making them unreleasable.  Note that any earlier marks can
- * still be released, and such a release will invalidate these
- * later unmarked regions.  If an arena is to be safely shared by
- * more than one thread, all marks must be either released or
- * unmarked.  This routine returns a PRStatus value; if successful,
- * it will return PR_SUCCESS.  If unsuccessful, it will set an error
- * on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_INVALID_ARENA_MARK
- *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
- *
- * Return value:
- *  PR_SUCCESS
- *  PR_FAILURE
- */
-
-NSS_IMPLEMENT PRStatus
-nssArena_Unmark
-(
-  NSSArena *arena,
-  nssArenaMark *arenaMark
-)
-{
-  return nss_arena_unmark_release(arena, arenaMark, PR_FALSE);
-}
-
-/*
- * We prefix this header to all allocated blocks.  It is a multiple
- * of the alignment size.  Note that this usage of a header may make
- * purify spew bogus warnings about "potentially leaked blocks" of
- * memory; if that gets too annoying we can add in a pointer to the
- * header in the header itself.  There's not a lot of safety here;
- * maybe we should add a magic value?
- */
-struct pointer_header {
-  NSSArena *arena;
-  PRUint32 size;
-};
-
-static void *
-nss_zalloc_arena_locked
-(
-  NSSArena *arena,
-  PRUint32 size
-)
-{
-  void *p;
-  void *rv;
-  struct pointer_header *h;
-  PRUint32 my_size = size + sizeof(struct pointer_header);
-  PR_ARENA_ALLOCATE(p, &arena->pool, my_size);
-  if( (void *)NULL == p ) {
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-    return (void *)NULL;
-  }
-  /* 
-   * Do this before we unlock.  This way if the user is using
-   * an arena in one thread while destroying it in another, he'll
-   * fault/FMR in his code, not ours.
-   */
-  h = (struct pointer_header *)p;
-  h->arena = arena;
-  h->size = size;
-  rv = (void *)((char *)h + sizeof(struct pointer_header));
-  (void)nsslibc_memset(rv, 0, size);
-  return rv;
-}
-
-/*
- * nss_ZAlloc
- *
- * This routine allocates and zeroes a section of memory of the 
- * size, and returns to the caller a pointer to that memory.  If
- * the optional arena argument is non-null, the memory will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap.  This routine may return NULL upon error, in
- * which case it will have set an error upon the error stack.  The
- * value specified for size may be zero; in which case a valid 
- * zero-length block of memory will be allocated.  This block may
- * be expanded by calling nss_ZRealloc.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
- *
- * Return value:
- *  NULL upon error
- *  A pointer to the new segment of zeroed memory
- */
-
-NSS_IMPLEMENT void *
-nss_ZAlloc
-(
-  NSSArena *arenaOpt,
-  PRUint32 size
-)
-{
-  struct pointer_header *h;
-  PRUint32 my_size = size + sizeof(struct pointer_header);
-
-  if( my_size < sizeof(struct pointer_header) ) {
-    /* Wrapped */
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-    return (void *)NULL;
-  }
-
-  if( (NSSArena *)NULL == arenaOpt ) {
-    /* Heap allocation, no locking required. */
-    h = (struct pointer_header *)PR_Calloc(1, my_size);
-    if( (struct pointer_header *)NULL == h ) {
-      nss_SetError(NSS_ERROR_NO_MEMORY);
-      return (void *)NULL;
-    }
-
-    h->arena = (NSSArena *)NULL;
-    h->size = size;
-    /* We used calloc: it's already zeroed */
-
-    return (void *)((char *)h + sizeof(struct pointer_header));
-  } else {
-    void *rv;
-    /* Arena allocation */
-#ifdef NSSDEBUG
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (void *)NULL;
-    }
-#endif /* NSSDEBUG */
-
-    PR_Lock(arenaOpt->lock);
-    if( (PRLock *)NULL == arenaOpt->lock ) {
-      /* Just got destroyed */
-      nss_SetError(NSS_ERROR_INVALID_ARENA);
-      return (void *)NULL;
-    }
-
-#ifdef ARENA_THREADMARK
-    if( (PRThread *)NULL != arenaOpt->marking_thread ) {
-      if( PR_GetCurrentThread() != arenaOpt->marking_thread ) {
-        nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
-        PR_Unlock(arenaOpt->lock);
-        return (void *)NULL;
-      }
-    }
-#endif /* ARENA_THREADMARK */
-
-    rv = nss_zalloc_arena_locked(arenaOpt, size);
-
-    PR_Unlock(arenaOpt->lock);
-    return rv;
-  }
-  /*NOTREACHED*/
-}
-
-/*
- * nss_ZFreeIf
- *
- * If the specified pointer is non-null, then the region of memory 
- * to which it points -- which must have been allocated with 
- * nss_ZAlloc -- will be zeroed and released.  This routine 
- * returns a PRStatus value; if successful, it will return PR_SUCCESS.
- * If unsuccessful, it will set an error on the error stack and return 
- * PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- *  PR_SUCCESS
- *  PR_FAILURE
- */
-
-NSS_IMPLEMENT PRStatus
-nss_ZFreeIf
-(
-  void *pointer
-)
-{
-  struct pointer_header *h;
-
-  if( (void *)NULL == pointer ) {
-    return PR_SUCCESS;
-  }
-
-  h = (struct pointer_header *)((char *)pointer
-    - sizeof(struct pointer_header));
-
-  /* Check any magic here */
-
-  if( (NSSArena *)NULL == h->arena ) {
-    /* Heap */
-    (void)nsslibc_memset(pointer, 0, h->size);
-    PR_Free(h);
-    return PR_SUCCESS;
-  } else {
-    /* Arena */
-#ifdef NSSDEBUG
-    if( PR_SUCCESS != nssArena_verifyPointer(h->arena) ) {
-      return PR_FAILURE;
-    }
-#endif /* NSSDEBUG */
-
-    PR_Lock(h->arena->lock);
-    if( (PRLock *)NULL == h->arena->lock ) {
-      /* Just got destroyed.. so this pointer is invalid */
-      nss_SetError(NSS_ERROR_INVALID_POINTER);
-      return PR_FAILURE;
-    }
-
-    (void)nsslibc_memset(pointer, 0, h->size);
-
-    /* No way to "free" it within an NSPR arena. */
-
-    PR_Unlock(h->arena->lock);
-    return PR_SUCCESS;
-  }
-  /*NOTREACHED*/
-}
-
-/*
- * nss_ZRealloc
- *
- * This routine reallocates a block of memory obtained by calling
- * nss_ZAlloc or nss_ZRealloc.  The portion of memory 
- * between the new and old sizes -- which is either being newly
- * obtained or released -- is in either case zeroed.  This routine 
- * may return NULL upon failure, in which case it will have placed 
- * an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_POINTER
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
- *
- * Return value:
- *  NULL upon error
- *  A pointer to the replacement segment of memory
- */
-
-NSS_EXTERN void *
-nss_ZRealloc
-(
-  void *pointer,
-  PRUint32 newSize
-)
-{
-  struct pointer_header *h, *new_h;
-  PRUint32 my_newSize = newSize + sizeof(struct pointer_header);
-  void *rv;
-
-  if( my_newSize < sizeof(struct pointer_header) ) {
-    /* Wrapped */
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-    return (void *)NULL;
-  }
-
-  if( (void *)NULL == pointer ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return (void *)NULL;
-  }
-
-  h = (struct pointer_header *)((char *)pointer
-    - sizeof(struct pointer_header));
-
-  /* Check any magic here */
-
-  if( newSize == h->size ) {
-    /* saves thrashing */
-    return pointer;
-  }
-
-  if( (NSSArena *)NULL == h->arena ) {
-    /* Heap */
-    new_h = (struct pointer_header *)PR_Calloc(1, my_newSize);
-    if( (struct pointer_header *)NULL == new_h ) {
-      nss_SetError(NSS_ERROR_NO_MEMORY);
-      return (void *)NULL;
-    }
-
-    new_h->arena = (NSSArena *)NULL;
-    new_h->size = newSize;
-    rv = (void *)((char *)new_h + sizeof(struct pointer_header));
-
-    if( newSize > h->size ) {
-      (void)nsslibc_memcpy(rv, pointer, h->size);
-      (void)nsslibc_memset(&((char *)rv)[ h->size ], 
-                           0, (newSize - h->size));
-    } else {
-      (void)nsslibc_memcpy(rv, pointer, newSize);
-    }
-
-    (void)nsslibc_memset(pointer, 0, h->size);
-    h->size = 0;
-    PR_Free(h);
-
-    return rv;
-  } else {
-    void *p;
-    /* Arena */
-#ifdef NSSDEBUG
-    if( PR_SUCCESS != nssArena_verifyPointer(h->arena) ) {
-      return (void *)NULL;
-    }
-#endif /* NSSDEBUG */
-
-    PR_Lock(h->arena->lock);
-    if( (PRLock *)NULL == h->arena->lock ) {
-      /* Just got destroyed.. so this pointer is invalid */
-      nss_SetError(NSS_ERROR_INVALID_POINTER);
-      return (void *)NULL;
-    }
-
-#ifdef ARENA_THREADMARK
-    if( (PRThread *)NULL != h->arena->marking_thread ) {
-      if( PR_GetCurrentThread() != h->arena->marking_thread ) {
-        PR_Unlock(h->arena->lock);
-        nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
-        return (void *)NULL;
-      }
-    }
-#endif /* ARENA_THREADMARK */
-
-    if( newSize < h->size ) {
-      /*
-       * We have no general way of returning memory to the arena
-       * (mark/release doesn't work because things may have been
-       * allocated after this object), so the memory is gone
-       * anyway.  We might as well just return the same pointer to
-       * the user, saying "yeah, uh-hunh, you can only use less of
-       * it now."  We'll zero the leftover part, of course.  And
-       * in fact we might as well *not* adjust h->size-- this way,
-       * if the user reallocs back up to something not greater than
-       * the original size, then voila, there's the memory!  This
-       * way a thrash big/small/big/small doesn't burn up the arena.
-       */
-      char *extra = &((char *)pointer)[ newSize ];
-      (void)nsslibc_memset(extra, 0, (h->size - newSize));
-      PR_Unlock(h->arena->lock);
-      return pointer;
-    }
-
-    PR_ARENA_ALLOCATE(p, &h->arena->pool, my_newSize);
-    if( (void *)NULL == p ) {
-      PR_Unlock(h->arena->lock);
-      nss_SetError(NSS_ERROR_NO_MEMORY);
-      return (void *)NULL;
-    }
-
-    new_h = (struct pointer_header *)p;
-    new_h->arena = h->arena;
-    new_h->size = newSize;
-    rv = (void *)((char *)new_h + sizeof(struct pointer_header));
-    if (rv != pointer) {
-	(void)nsslibc_memcpy(rv, pointer, h->size);
-	(void)nsslibc_memset(pointer, 0, h->size);
-    }
-    (void)nsslibc_memset(&((char *)rv)[ h->size ], 0, (newSize - h->size));
-    h->arena = (NSSArena *)NULL;
-    h->size = 0;
-    PR_Unlock(new_h->arena->lock);
-    return rv;
-  }
-  /*NOTREACHED*/
-}
diff --git a/security/nss/lib/base/base.h b/security/nss/lib/base/base.h
deleted file mode 100644
index e1896a1bb..000000000
--- a/security/nss/lib/base/base.h
+++ /dev/null
@@ -1,1448 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef BASE_H
-#define BASE_H
-
-#ifdef DEBUG
-static const char BASE_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * base.h
- *
- * This header file contains basic prototypes and preprocessor 
- * definitions used throughout nss but not available publicly.
- */
-
-#ifndef BASET_H
-#include "baset.h"
-#endif /* BASET_H */
-
-#ifndef NSSBASE_H
-#include "nssbase.h"
-#endif /* NSSBASE_H */
-
-#include "plhash.h"
-#include "prthread.h"
-
-PR_BEGIN_EXTERN_C
-
-/*
- * NSSArena
- *
- * The nonpublic methods relating to this type are:
- *
- *  nssArena_Create  -- constructor
- *  nssArena_Destroy
- *  nssArena_Mark
- *  nssArena_Release
- *  nssArena_Unmark
- *
- *  nss_ZAlloc
- *  nss_ZFreeIf
- *  nss_ZRealloc
- *
- * Additionally, there are some preprocessor macros:
- *
- *  nss_ZNEW
- *  nss_ZNEWARRAY
- *
- * In debug builds, the following calls are available:
- *
- *  nssArena_verifyPointer
- *  nssArena_registerDestructor
- *  nssArena_deregisterDestructor
- *
- * The following preprocessor macro is also always available:
- *
- *  nssArena_VERIFYPOINTER
- *
- * A constant PLHashAllocOps structure is available for users
- * of the NSPL PLHashTable routines.
- *
- *  nssArenaHashAllocOps
- */
-
-/*
- * nssArena_Create
- *
- * This routine creates a new memory arena.  This routine may return
- * NULL upon error, in which case it will have set an error on the 
- * error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSArena upon success
- */
-
-/*
- * XXX fgmr
- * Arenas can be named upon creation; this is mostly of use when
- * debugging.  Should we expose that here, allowing an optional
- * "const char *name" argument?  Should the public version of this
- * call (NSSArena_Create) have it too?
- */
-
-NSS_EXTERN NSSArena *
-nssArena_Create
-(
-  void
-);
-
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * nssArena_Destroy
- *
- * This routine will destroy the specified arena, freeing all memory
- * allocated from it.  This routine returns a PRStatus value; if 
- * successful, it will return PR_SUCCESS.  If unsuccessful, it will
- * set an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- *  PR_SUCCESS
- *  PR_FAILURE
- */
-
-NSS_EXTERN PRStatus
-nssArena_Destroy
-(
-  NSSArena *arena
-);
-
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-
-/*
- * nssArena_Mark
- *
- * This routine "marks" the current state of an arena.  Space
- * allocated after the arena has been marked can be freed by
- * releasing the arena back to the mark with nssArena_Release,
- * or committed by calling nssArena_Unmark.  When successful, 
- * this routine returns a valid nssArenaMark pointer.  This 
- * routine may return NULL upon error, in which case it will 
- * have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
- *
- * Return value:
- *  NULL upon failure
- *  An nssArenaMark pointer upon success
- */
-
-NSS_EXTERN nssArenaMark *
-nssArena_Mark
-(
-  NSSArena *arena
-);
-
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
-
-/*
- * nssArena_Release
- *
- * This routine invalidates and releases all memory allocated from
- * the specified arena after the point at which the specified mark
- * was obtained.  This routine returns a PRStatus value; if successful,
- * it will return PR_SUCCESS.  If unsuccessful, it will set an error
- * on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_INVALID_ARENA_MARK
- *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
- *
- * Return value:
- *  PR_SUCCESS
- *  PR_FAILURE
- */
-
-NSS_EXTERN PRStatus
-nssArena_Release
-(
-  NSSArena *arena,
-  nssArenaMark *arenaMark
-);
-
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-extern const NSSError NSS_ERROR_INVALID_ARENA_MARK;
-
-/*
- * nssArena_Unmark
- *
- * This routine "commits" the indicated mark and any marks after
- * it, making them unreleasable.  Note that any earlier marks can
- * still be released, and such a release will invalidate these
- * later unmarked regions.  If an arena is to be safely shared by
- * more than one thread, all marks must be either released or
- * unmarked.  This routine returns a PRStatus value; if successful,
- * it will return PR_SUCCESS.  If unsuccessful, it will set an error
- * on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_INVALID_ARENA_MARK
- *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
- *
- * Return value:
- *  PR_SUCCESS
- *  PR_FAILURE
- */
-
-NSS_EXTERN PRStatus
-nssArena_Unmark
-(
-  NSSArena *arena,
-  nssArenaMark *arenaMark
-);
-
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-extern const NSSError NSS_ERROR_INVALID_ARENA_MARK;
-extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
-
-#ifdef ARENA_DESTRUCTOR_LIST
-
-/*
- * nssArena_registerDestructor
- *
- * This routine stores a pointer to a callback and an arbitrary
- * pointer-sized argument in the arena, at the current point in
- * the mark stack.  If the arena is destroyed, or an "earlier"
- * mark is released, then this destructor will be called at that
- * time.  Note that the destructor will be called with the arena
- * locked, which means the destructor may free memory in that
- * arena, but it may not allocate or cause to be allocated any
- * memory.  This callback facility was included to support our
- * debug-version pointer-tracker feature; overuse runs counter to
- * the the original intent of arenas.  This routine returns a 
- * PRStatus value; if successful, it will return PR_SUCCESS.  If 
- * unsuccessful, it will set an error on the error stack and 
- * return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  PR_SUCCESS
- *  PR_FAILURE
- */
-
-NSS_EXTERN PRStatus
-nssArena_registerDestructor
-(
-  NSSArena *arena,
-  void (*destructor)(void *argument),
-  void *arg
-);
-
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * nssArena_deregisterDestructor
- *
- * This routine will remove the first destructor in the specified
- * arena which has the specified destructor and argument values.
- * The destructor will not be called.  This routine returns a
- * PRStatus value; if successful, it will return PR_SUCCESS.  If 
- * unsuccessful, it will set an error on the error stack and 
- * return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_NOT_FOUND
- *
- * Return value:
- *  PR_SUCCESS
- *  PR_FAILURE
- */
-
-NSS_EXTERN PRStatus
-nssArena_deregisterDestructor
-(
-  NSSArena *arena,
-  void (*destructor)(void *argument),
-  void *arg
-);
-
-extern const NSSError NSS_ERROR_INVALID_ITEM;
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-extern const NSSError NSS_ERROR_NOT_FOUND;
-
-#endif /* ARENA_DESTRUCTOR_LIST */
-
-/*
- * nss_ZAlloc
- *
- * This routine allocates and zeroes a section of memory of the 
- * size, and returns to the caller a pointer to that memory.  If
- * the optional arena argument is non-null, the memory will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap.  This routine may return NULL upon error, in
- * which case it will have set an error upon the error stack.  The
- * value specified for size may be zero; in which case a valid 
- * zero-length block of memory will be allocated.  This block may
- * be expanded by calling nss_ZRealloc.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
- *
- * Return value:
- *  NULL upon error
- *  A pointer to the new segment of zeroed memory
- */
-
-NSS_EXTERN void *
-nss_ZAlloc
-(
-  NSSArena *arenaOpt,
-  PRUint32 size
-);
-
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
-
-/*
- * nss_ZFreeIf
- *
- * If the specified pointer is non-null, then the region of memory 
- * to which it points -- which must have been allocated with 
- * nss_ZAlloc -- will be zeroed and released.  This routine 
- * returns a PRStatus value; if successful, it will return PR_SUCCESS.
- * If unsuccessful, it will set an error on the error stack and return 
- * PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- *  PR_SUCCESS
- *  PR_FAILURE
- */
-
-NSS_EXTERN PRStatus
-nss_ZFreeIf
-(
-  void *pointer
-);
-
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-
-/*
- * nss_ZRealloc
- *
- * This routine reallocates a block of memory obtained by calling
- * nss_ZAlloc or nss_ZRealloc.  The portion of memory 
- * between the new and old sizes -- which is either being newly
- * obtained or released -- is in either case zeroed.  This routine 
- * may return NULL upon failure, in which case it will have placed 
- * an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_POINTER
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
- *
- * Return value:
- *  NULL upon error
- *  A pointer to the replacement segment of memory
- */
-
-NSS_EXTERN void *
-nss_ZRealloc
-(
-  void *pointer,
-  PRUint32 newSize
-);
-
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
-
-/*
- * nss_ZNEW
- *
- * This preprocessor macro will allocate memory for a new object
- * of the specified type with nss_ZAlloc, and will cast the
- * return value appropriately.  If the optional arena argument is 
- * non-null, the memory will be obtained from that arena; otherwise, 
- * the memory will be obtained from the heap.  This routine may 
- * return NULL upon error, in which case it will have set an error 
- * upon the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to the new segment of zeroed memory
- */
-
-/* The following line exceeds 72 characters, but emacs screws up if I split it. */
-#define nss_ZNEW(arenaOpt, type) ((type *)nss_ZAlloc((arenaOpt), sizeof(type)))
-
-/*
- * nss_ZNEWARRAY
- *
- * This preprocessor macro will allocate memory for an array of
- * new objects, and will cast the return value appropriately.
- * If the optional arena argument is non-null, the memory will 
- * be obtained from that arena; otherwise, the memory will be 
- * obtained from the heap.  This routine may return NULL upon 
- * error, in which case it will have set an error upon the error 
- * stack.  The array size may be specified as zero.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to the new segment of zeroed memory
- */
-
-/* The following line exceeds 72 characters, but emacs screws up if I split it. */
-#define nss_ZNEWARRAY(arenaOpt, type, quantity) ((type *)nss_ZAlloc((arenaOpt), sizeof(type) * (quantity)))
-
-/*
- * nss_ZREALLOCARRAY
- *
- * This preprocessor macro will reallocate memory for an array of
- * new objects, and will cast the return value appropriately.
- * This routine may return NULL upon error, in which case it will 
- *  have set an error upon the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_POINTER
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
- *
- * Return value:
- *  NULL upon error
- *  A pointer to the replacement segment of memory
- */
-#define nss_ZREALLOCARRAY(p, type, quantity) ((type *)nss_ZRealloc((p), sizeof(type) * (quantity)))
-
-/*
- * nssArena_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSArena object,
- * this routine will return PR_SUCCESS.  Otherwise, it will put an
- * error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- *  PR_SUCCESS if the pointer is valid
- *  PR_FAILURE if it isn't
- */
-
-#ifdef DEBUG
-NSS_EXTERN PRStatus
-nssArena_verifyPointer
-(
-  const NSSArena *arena
-);
-
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-#endif /* DEBUG */
-
-/*
- * nssArena_VERIFYPOINTER
- *
- * This macro is always available.  In debug builds it will call
- * nssArena_verifyPointer; in non-debug builds, it will merely
- * check that the pointer is not null.  Note that in non-debug
- * builds it cannot place an error on the error stack.
- *
- * Return value:
- *  PR_SUCCESS if the pointer is valid
- *  PR_FAILURE if it isn't
- */
-
-#ifdef DEBUG
-#define nssArena_VERIFYPOINTER(p) nssArena_verifyPointer(p)
-#else /* DEBUG */
-/* The following line exceeds 72 characters, but emacs screws up if I split it. */
-#define nssArena_VERIFYPOINTER(p) (((NSSArena *)NULL == (p))?PR_FAILURE:PR_SUCCESS)
-#endif /* DEBUG */
-
-/*
- * nssArenaHashAllocOps
- *
- * This constant structure contains allocation callbacks designed for
- * use with the NSPL routine PL_NewHashTable.  For example:
- *
- *  NSSArena *hashTableArena = nssArena_Create();
- *  PLHashTable *t = PL_NewHashTable(n, hasher, key_compare, 
- *    value_compare, nssArenaHashAllocOps, hashTableArena);
- */
-
-NSS_EXTERN_DATA PLHashAllocOps nssArenaHashAllocOps;
-
-/*
- * The error stack
- *
- * The nonpublic methods relating to the error stack are:
- *
- *  nss_SetError
- *  nss_ClearErrorStack
- */
-
-/*
- * nss_SetError
- *
- * This routine places a new error code on the top of the calling 
- * thread's error stack.  Calling this routine wiht an error code
- * of zero will clear the error stack.
- */
-
-NSS_EXTERN void
-nss_SetError
-(
-  PRUint32 error
-);
-
-/*
- * nss_ClearErrorStack
- *
- * This routine clears the calling thread's error stack.
- */
-
-NSS_EXTERN void
-nss_ClearErrorStack
-(
-  void
-);
-
-/*
- * NSSItem
- *
- * nssItem_Create
- * nssItem_Duplicate
- * nssItem_Equal
- */
-
-NSS_EXTERN NSSItem *
-nssItem_Create
-(
-  NSSArena *arenaOpt,
-  NSSItem *rvOpt,
-  PRUint32 length,
-  const void *data
-);
-
-NSS_EXTERN void
-nssItem_Destroy
-(
-  NSSItem *item
-);
-
-NSS_EXTERN NSSItem *
-nssItem_Duplicate
-(
-  NSSItem *obj,
-  NSSArena *arenaOpt,
-  NSSItem *rvOpt
-);
-
-NSS_EXTERN PRBool
-nssItem_Equal
-(
-  const NSSItem *one,
-  const NSSItem *two,
-  PRStatus *statusOpt
-);
-
-/*
- * NSSUTF8
- *
- *  nssUTF8_CaseIgnoreMatch
- *  nssUTF8_Duplicate
- *  nssUTF8_Size
- *  nssUTF8_Length
- *  nssUTF8_CopyIntoFixedBuffer
- */
-
-/*
- * nssUTF8_CaseIgnoreMatch
- * 
- * Returns true if the two UTF8-encoded strings pointed to by the 
- * two specified NSSUTF8 pointers differ only in typcase.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- *  PR_TRUE if the strings match, ignoring case
- *  PR_FALSE if they don't
- *  PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssUTF8_CaseIgnoreMatch
-(
-  const NSSUTF8 *a,
-  const NSSUTF8 *b,
-  PRStatus *statusOpt
-);
-
-/*
- * nssUTF8_Duplicate
- *
- * This routine duplicates the UTF8-encoded string pointed to by the
- * specified NSSUTF8 pointer.  If the optional arenaOpt argument is
- * not null, the memory required will be obtained from that arena;
- * otherwise, the memory required will be obtained from the heap.
- * A pointer to the new string will be returned.  In case of error,
- * an error will be placed on the error stack and NULL will be 
- * returned.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_POINTER
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_NO_MEMORY
- */
-
-NSS_EXTERN NSSUTF8 *
-nssUTF8_Duplicate
-(
-  const NSSUTF8 *s,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssUTF8_PrintableMatch
- *
- * Returns true if the two Printable strings pointed to by the 
- * two specified NSSUTF8 pointers match when compared with the 
- * rules for Printable String (leading and trailing spaces are 
- * disregarded, extents of whitespace match irregardless of length, 
- * and case is not significant), then PR_TRUE will be returned.
- * Otherwise, PR_FALSE will be returned.  Upon failure, PR_FALSE
- * will be returned.  If the optional statusOpt argument is not
- * NULL, then PR_SUCCESS or PR_FAILURE will be stored in that
- * location.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- *  PR_TRUE if the strings match, ignoring case
- *  PR_FALSE if they don't
- *  PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nssUTF8_PrintableMatch
-(
-  const NSSUTF8 *a,
-  const NSSUTF8 *b,
-  PRStatus *statusOpt
-);
-
-/*
- * nssUTF8_Size
- *
- * This routine returns the length in bytes (including the terminating
- * null) of the UTF8-encoded string pointed to by the specified
- * NSSUTF8 pointer.  Zero is returned on error.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_POINTER
- *  NSS_ERROR_VALUE_TOO_LARGE
- *
- * Return value:
- *  nonzero size of the string
- *  0 on error
- */
-
-NSS_EXTERN PRUint32
-nssUTF8_Size
-(
-  const NSSUTF8 *s,
-  PRStatus *statusOpt
-);
-
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-extern const NSSError NSS_ERROR_VALUE_TOO_LARGE;
-
-/*
- * nssUTF8_Length
- *
- * This routine returns the length in characters (not including the
- * terminating null) of the UTF8-encoded string pointed to by the
- * specified NSSUTF8 pointer.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_POINTER
- *  NSS_ERROR_VALUE_TOO_LARGE
- *  NSS_ERROR_INVALID_STRING
- *
- * Return value:
- *  length of the string (which may be zero)
- *  0 on error
- */
-
-NSS_EXTERN PRUint32
-nssUTF8_Length
-(
-  const NSSUTF8 *s,
-  PRStatus *statusOpt
-);
-
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-extern const NSSError NSS_ERROR_VALUE_TOO_LARGE;
-extern const NSSError NSS_ERROR_INVALID_STRING;
-
-/*
- * nssUTF8_Create
- *
- * This routine creates a UTF8 string from a string in some other
- * format.  Some types of string may include embedded null characters,
- * so for them the length parameter must be used.  For string types
- * that are null-terminated, the length parameter is optional; if it
- * is zero, it will be ignored.  If the optional arena argument is
- * non-null, the memory used for the new string will be obtained from
- * that arena, otherwise it will be obtained from the heap.  This
- * routine may return NULL upon error, in which case it will have
- * placed an error on the error stack.
- *
- * The error may be one of the following:
- *  NSS_ERROR_INVALID_POINTER
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_UNSUPPORTED_TYPE
- *
- * Return value:
- *  NULL upon error
- *  A non-null pointer to a new UTF8 string otherwise
- */
-
-NSS_EXTERN NSSUTF8 *
-nssUTF8_Create
-(
-  NSSArena *arenaOpt,
-  nssStringType type,
-  const void *inputString,
-  PRUint32 size /* in bytes, not characters */
-);
-
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-extern const NSSError NSS_ERROR_UNSUPPORTED_TYPE;
-
-NSS_EXTERN NSSItem *
-nssUTF8_GetEncoding
-(
-  NSSArena *arenaOpt,
-  NSSItem *rvOpt,
-  nssStringType type,
-  NSSUTF8 *string
-);
-
-/*
- * nssUTF8_CopyIntoFixedBuffer
- *
- * This will copy a UTF8 string into a fixed-length buffer, making 
- * sure that the all characters are valid.  Any remaining space will
- * be padded with the specified ASCII character, typically either 
- * null or space.
- *
- * Blah, blah, blah.
- */
-
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-extern const NSSError NSS_ERROR_INVALID_ARGUMENT;
-
-NSS_EXTERN PRStatus
-nssUTF8_CopyIntoFixedBuffer
-(
-  NSSUTF8 *string,
-  char *buffer,
-  PRUint32 bufferSize,
-  char pad
-);
-
-/*
- * nssUTF8_Equal
- *
- */
-
-NSS_EXTERN PRBool
-nssUTF8_Equal
-(
-  const NSSUTF8 *a,
-  const NSSUTF8 *b,
-  PRStatus *statusOpt
-);
-
-/*
- * nssList
- *
- * The goal is to provide a simple, optionally threadsafe, linked list
- * class.  Since NSS did not seem to use the circularity of PRCList
- * much before, this provides a list that appears to be a linear,
- * NULL-terminated list.
- */
-
-/*
- * nssList_Create
- *
- * If threadsafe is true, the list will be locked during modifications
- * and traversals.
- */
-NSS_EXTERN nssList *
-nssList_Create
-(
-  NSSArena *arenaOpt,
-  PRBool threadSafe
-);
-
-/*
- * nssList_Destroy
- */
-NSS_EXTERN PRStatus
-nssList_Destroy
-(
-  nssList *list
-);
-
-NSS_EXTERN void
-nssList_Clear
-(
-  nssList *list, 
-  nssListElementDestructorFunc destructor
-);
-
-/*
- * nssList_SetCompareFunction
- *
- * By default, two list elements will be compared by comparing their
- * data pointers.  By setting this function, the user can control
- * how elements are compared.
- */
-NSS_EXTERN void
-nssList_SetCompareFunction
-(
-  nssList *list, 
-  nssListCompareFunc compareFunc
-);
-
-/*
- * nssList_SetSortFunction
- *
- * Sort function to use for an ordered list.
- */
-NSS_EXTERN void
-nssList_SetSortFunction
-(
-  nssList *list, 
-  nssListSortFunc sortFunc
-);
-
-/*
- * nssList_Add
- */
-NSS_EXTERN PRStatus
-nssList_Add
-(
-  nssList *list, 
-  void *data
-);
-
-/*
- * nssList_AddUnique
- *
- * This will use the compare function to see if the element is already
- * in the list.
- */
-NSS_EXTERN PRStatus
-nssList_AddUnique
-(
-  nssList *list, 
-  void *data
-);
-
-/*
- * nssList_Remove
- *
- * Uses the compare function to locate the element and remove it.
- */
-NSS_EXTERN PRStatus
-nssList_Remove(nssList *list, void *data);
-
-/*
- * nssList_Get
- *
- * Uses the compare function to locate an element.  Also serves as
- * nssList_Exists.
- */
-NSS_EXTERN void *
-nssList_Get
-(
-  nssList *list, 
-  void *data
-);
-
-/*
- * nssList_Count
- */
-NSS_EXTERN PRUint32
-nssList_Count
-(
-  nssList *list
-);
-
-/*
- * nssList_GetArray
- *
- * Fill rvArray, up to maxElements, with elements in the list.  The
- * array is NULL-terminated, so its allocated size must be maxElements + 1.
- */
-NSS_EXTERN PRStatus
-nssList_GetArray
-(
-  nssList *list, 
-  void **rvArray, 
-  PRUint32 maxElements
-);
-
-/*
- * nssList_CreateIterator
- *
- * Create an iterator for list traversal.
- */
-NSS_EXTERN nssListIterator *
-nssList_CreateIterator
-(
-  nssList *list
-);
-
-NSS_EXTERN nssList *
-nssList_Clone
-(
-  nssList *list
-);
-
-/*
- * nssListIterator_Destroy
- */
-NSS_EXTERN void
-nssListIterator_Destroy
-(
-  nssListIterator *iter
-);
-
-/*
- * nssListIterator_Start
- *
- * Begin a list iteration.  After this call, if the list is threadSafe,
- * the list is *locked*.
- */
-NSS_EXTERN void *
-nssListIterator_Start
-(
-  nssListIterator *iter
-);
-
-/*
- * nssListIterator_Next
- *
- * Continue a list iteration.
- */
-NSS_EXTERN void *
-nssListIterator_Next
-(
-  nssListIterator *iter
-);
-
-/*
- * nssListIterator_Finish
- *
- * Complete a list iteration.  This *must* be called in order for the
- * lock to be released.
- */
-NSS_EXTERN PRStatus
-nssListIterator_Finish
-(
-  nssListIterator *iter
-);
-
-/*
- * nssHash
- *
- *  nssHash_Create
- *  nssHash_Destroy
- *  nssHash_Add
- *  nssHash_Remove
- *  nssHash_Count
- *  nssHash_Exists
- *  nssHash_Lookup
- *  nssHash_Iterate
- */
-
-/*
- * nssHash_Create
- *
- */
-
-NSS_EXTERN nssHash *
-nssHash_Create
-(
-  NSSArena *arenaOpt,
-  PRUint32 numBuckets,
-  PLHashFunction keyHash,
-  PLHashComparator keyCompare,
-  PLHashComparator valueCompare
-);
-
-NSS_EXTERN nssHash *
-nssHash_CreatePointer
-(
-  NSSArena *arenaOpt,
-  PRUint32 numBuckets
-);
-
-NSS_EXTERN nssHash *
-nssHash_CreateString
-(
-  NSSArena *arenaOpt,
-  PRUint32 numBuckets
-);
-
-NSS_EXTERN nssHash *
-nssHash_CreateItem
-(
-  NSSArena *arenaOpt,
-  PRUint32 numBuckets
-);
-
-/*
- * nssHash_Destroy
- *
- */
-NSS_EXTERN void
-nssHash_Destroy
-(
-  nssHash *hash
-);
-
-/*
- * nssHash_Add
- *
- */
-
-extern const NSSError NSS_ERROR_HASH_COLLISION;
-
-NSS_EXTERN PRStatus
-nssHash_Add
-(
-  nssHash *hash,
-  const void *key,
-  const void *value
-);
-
-/*
- * nssHash_Remove
- *
- */
-NSS_EXTERN void
-nssHash_Remove
-(
-  nssHash *hash,
-  const void *it
-);
-
-/*
- * nssHash_Count
- *
- */
-NSS_EXTERN PRUint32
-nssHash_Count
-(
-  nssHash *hash
-);
-
-/*
- * nssHash_Exists
- *
- */
-NSS_EXTERN PRBool
-nssHash_Exists
-(
-  nssHash *hash,
-  const void *it
-);
-
-/*
- * nssHash_Lookup
- *
- */
-NSS_EXTERN void *
-nssHash_Lookup
-(
-  nssHash *hash,
-  const void *it
-);
-
-/*
- * nssHash_Iterate
- *
- */
-NSS_EXTERN void
-nssHash_Iterate
-(
-  nssHash *hash,
-  nssHashIterator fcn,
-  void *closure
-);
-
-
-/*
- * nssPointerTracker
- *
- * This type and these methods are only present in debug builds.
- * 
- * The nonpublic methods relating to this type are:
- *
- *  nssPointerTracker_initialize
- *  nssPointerTracker_finalize
- *  nssPointerTracker_add
- *  nssPointerTracker_remove
- *  nssPointerTracker_verify
- */
-
-/*
- * nssPointerTracker_initialize
- *
- * This method is only present in debug builds.
- * 
- * This routine initializes an nssPointerTracker object.  Note that
- * the object must have been declared *static* to guarantee that it
- * is in a zeroed state initially.  This routine is idempotent, and
- * may even be safely called by multiple threads simultaneously with 
- * the same argument.  This routine returns a PRStatus value; if 
- * successful, it will return PR_SUCCESS.  On failure it will set an 
- * error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  PR_SUCCESS
- *  PR_FAILURE
- */
-
-#ifdef DEBUG
-NSS_EXTERN PRStatus
-nssPointerTracker_initialize
-(
-  nssPointerTracker *tracker
-);
-
-extern const NSSError NSS_ERROR_NO_MEMORY;
-#endif /* DEBUG */
-
-/*
- * nssPointerTracker_finalize
- *
- * This method is only present in debug builds.
- * 
- * This routine returns the nssPointerTracker object to the pre-
- * initialized state, releasing all resources used by the object.
- * It will *NOT* destroy the objects being tracked by the pointer
- * (should any remain), and therefore cannot be used to "sweep up"
- * remaining objects.  This routine returns a PRStatus value; if
- * successful, it will return PR_SUCCES.  On failure it will set an
- * error on the error stack and return PR_FAILURE.  If any objects
- * remain in the tracker when it is finalized, that will be treated
- * as an error.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_TRACKER_NOT_EMPTY
- *
- * Return value:
- *  PR_SUCCESS
- *  PR_FAILURE
- */
-
-#ifdef DEBUG
-NSS_EXTERN PRStatus
-nssPointerTracker_finalize
-(
-  nssPointerTracker *tracker
-);
-
-extern const NSSError NSS_ERROR_TRACKER_NOT_EMPTY;
-#endif /* DEBUG */
-
-/*
- * nssPointerTracker_add
- *
- * This method is only present in debug builds.
- *
- * This routine adds the specified pointer to the nssPointerTracker
- * object.  It should be called in constructor objects to register
- * new valid objects.  The nssPointerTracker is threadsafe, but this
- * call is not idempotent.  This routine returns a PRStatus value;
- * if successful it will return PR_SUCCESS.  On failure it will set
- * an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_TRACKER_NOT_INITIALIZED
- *  NSS_ERROR_DUPLICATE_POINTER
- *
- * Return value:
- *  PR_SUCCESS
- *  PR_FAILURE
- */
-
-#ifdef DEBUG
-NSS_EXTERN PRStatus
-nssPointerTracker_add
-(
-  nssPointerTracker *tracker,
-  const void *pointer
-);
-
-extern const NSSError NSS_ERROR_NO_MEMORY;
-extern const NSSError NSS_ERROR_TRACKER_NOT_INITIALIZED;
-extern const NSSError NSS_ERROR_DUPLICATE_POINTER;
-#endif /* DEBUG */
-
-/*
- * nssPointerTracker_remove
- *
- * This method is only present in debug builds.
- *
- * This routine removes the specified pointer from the 
- * nssPointerTracker object.  It does not call any destructor for the
- * object; rather, this should be called from the object's destructor.
- * The nssPointerTracker is threadsafe, but this call is not 
- * idempotent.  This routine returns a PRStatus value; if successful 
- * it will return PR_SUCCESS.  On failure it will set an error on the 
- * error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_TRACKER_NOT_INITIALIZED
- *  NSS_ERROR_POINTER_NOT_REGISTERED
- *
- * Return value:
- *  PR_SUCCESS
- *  PR_FAILURE
- */
-
-#ifdef DEBUG
-NSS_EXTERN PRStatus
-nssPointerTracker_remove
-(
-  nssPointerTracker *tracker,
-  const void *pointer
-);
-
-extern const NSSError NSS_ERROR_TRACKER_NOT_INITIALIZED;
-extern const NSSError NSS_ERROR_POINTER_NOT_REGISTERED;
-#endif /* DEBUG */
-
-/*
- * nssPointerTracker_verify
- *
- * This method is only present in debug builds.
- *
- * This routine verifies that the specified pointer has been registered
- * with the nssPointerTracker object.  The nssPointerTracker object is
- * threadsafe, and this call may be safely called from multiple threads
- * simultaneously with the same arguments.  This routine returns a
- * PRStatus value; if the pointer is registered this will return 
- * PR_SUCCESS.  Otherwise it will set an error on the error stack and 
- * return PR_FAILURE.  Although the error is suitable for leaving on 
- * the stack, callers may wish to augment the information available by 
- * placing a more type-specific error on the stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_POINTER_NOT_REGISTERED
- *
- * Return value:
- *  PR_SUCCESS
- *  PR_FAILRUE
- */
-
-#ifdef DEBUG
-NSS_EXTERN PRStatus
-nssPointerTracker_verify
-(
-  nssPointerTracker *tracker,
-  const void *pointer
-);
-
-extern const NSSError NSS_ERROR_POINTER_NOT_REGISTERED;
-#endif /* DEBUG */
-
-/*
- * libc
- *
- * nsslibc_memcpy
- * nsslibc_memset
- * nsslibc_offsetof
- */
-
-/*
- * nsslibc_memcpy
- *
- * Errors:
- *  NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- *  NULL on error
- *  The destination pointer on success
- */
-
-NSS_EXTERN void *
-nsslibc_memcpy
-(
-  void *dest,
-  const void *source,
-  PRUint32 n
-);
-
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-
-/*
- * nsslibc_memset
- *
- * Errors:
- *  NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- *  NULL on error
- *  The destination pointer on success
- */
-
-NSS_EXTERN void *
-nsslibc_memset
-(
-  void *dest,
-  PRUint8 byte,
-  PRUint32 n
-);
-
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-
-/*
- * nsslibc_memequal
- *
- * Errors:
- *  NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- *  PR_TRUE if they match
- *  PR_FALSE if they don't
- *  PR_FALSE upon error
- */
-
-NSS_EXTERN PRBool
-nsslibc_memequal
-(
-  const void *a,
-  const void *b,
-  PRUint32 len,
-  PRStatus *statusOpt
-);
-
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-
-#define nsslibc_offsetof(str, memb) ((PRPtrdiff)(&(((str *)0)->memb)))
-
-/*
- * nss_NewThreadPrivateIndex
- * 
- */
-
-NSS_EXTERN PRStatus
-nss_NewThreadPrivateIndex
-(
-  PRUintn *ip,
-  PRThreadPrivateDTOR dtor
-);
-
-/*
- * nss_GetThreadPrivate
- *
- */
-
-NSS_EXTERN void *
-nss_GetThreadPrivate
-(
-  PRUintn i
-);
-
-/*
- * nss_SetThreadPrivate
- *
- */
-
-NSS_EXTERN void
-nss_SetThreadPrivate
-(
-  PRUintn i,
-  void *v
-);
-
-
-PR_END_EXTERN_C
-
-#endif /* BASE_H */
diff --git a/security/nss/lib/base/baset.h b/security/nss/lib/base/baset.h
deleted file mode 100644
index c6f146254..000000000
--- a/security/nss/lib/base/baset.h
+++ /dev/null
@@ -1,161 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef BASET_H
-#define BASET_H
-
-#ifdef DEBUG
-static const char BASET_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * baset.h
- *
- * This file contains definitions for the basic types used throughout
- * nss but not available publicly.
- */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-#include "plhash.h"
-
-PR_BEGIN_EXTERN_C
-
-/*
- * nssArenaMark
- *
- * This type is used to mark the current state of an NSSArena.
- */
-
-struct nssArenaMarkStr;
-typedef struct nssArenaMarkStr nssArenaMark;
-
-#ifdef DEBUG
-/*
- * ARENA_THREADMARK
- * 
- * Optionally, this arena implementation can be compiled with some
- * runtime checking enabled, which will catch the situation where
- * one thread "marks" the arena, another thread allocates memory,
- * and then the mark is released.  Usually this is a surprise to
- * the second thread, and this leads to weird runtime errors.
- * Define ARENA_THREADMARK to catch these cases; we define it for all
- * (internal and external) debug builds.
- */
-#define ARENA_THREADMARK
-
-/*
- * ARENA_DESTRUCTOR_LIST
- *
- * Unfortunately, our pointer-tracker facility, used in debug
- * builds to agressively fight invalid pointers, requries that
- * pointers be deregistered when objects are destroyed.  This
- * conflicts with the standard arena usage where "memory-only"
- * objects (that don't hold onto resources outside the arena)
- * can be allocated in an arena, and never destroyed other than
- * when the arena is destroyed.  Therefore we have added a
- * destructor-registratio facility to our arenas.  This was not
- * a simple decision, since we're getting ever-further away from
- * the original arena philosophy.  However, it was felt that
- * adding this in debug builds wouldn't be so bad; as it would
- * discourage them from being used for "serious" purposes.
- * This facility requires ARENA_THREADMARK to be defined.
- */
-#ifdef ARENA_THREADMARK
-#define ARENA_DESTRUCTOR_LIST
-#endif /* ARENA_THREADMARK */
-
-#endif /* DEBUG */
-
-typedef struct nssListStr nssList;
-typedef struct nssListIteratorStr nssListIterator;
-typedef PRBool (* nssListCompareFunc)(void *a, void *b);
-typedef PRIntn (* nssListSortFunc)(void *a, void *b);
-typedef void (* nssListElementDestructorFunc)(void *el);
-
-typedef struct nssHashStr nssHash;
-typedef void (PR_CALLBACK *nssHashIterator)(const void *key, 
-                                            void *value, 
-                                            void *arg);
-
-/*
- * nssPointerTracker
- *
- * This type is used in debug builds (both external and internal) to
- * track our object pointers.  Objects of this type must be statically
- * allocated, which means the structure size must be available to the
- * compiler.  Therefore we must expose the contents of this structure.
- * But please don't access elements directly; use the accessors.
- */
-
-#ifdef DEBUG
-struct nssPointerTrackerStr {
-  PRCallOnceType once;
-  PZLock *lock;
-  PLHashTable *table;
-};
-typedef struct nssPointerTrackerStr nssPointerTracker;
-#endif /* DEBUG */
-
-/*
- * nssStringType
- *
- * There are several types of strings in the real world.  We try to
- * use only UTF8 and avoid the rest, but that's not always possible.
- * So we have a couple converter routines to go to and from the other
- * string types.  We have to be able to specify those string types,
- * so we have this enumeration.
- */
-
-enum nssStringTypeEnum {
-  nssStringType_DirectoryString,
-  nssStringType_TeletexString, /* Not "teletext" with trailing 't' */
-  nssStringType_PrintableString,
-  nssStringType_UniversalString,
-  nssStringType_BMPString,
-  nssStringType_UTF8String,
-  nssStringType_PHGString,
-  nssStringType_GeneralString,
-
-  nssStringType_Unknown = -1
-};
-typedef enum nssStringTypeEnum nssStringType;
-
-PR_END_EXTERN_C
-
-#endif /* BASET_H */
diff --git a/security/nss/lib/base/config.mk b/security/nss/lib/base/config.mk
deleted file mode 100644
index f4e5b965b..000000000
--- a/security/nss/lib/base/config.mk
+++ /dev/null
@@ -1,52 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
-
-ifdef BUILD_IDG
-DEFINES += -DNSSDEBUG
-endif
-
-#
-#  Override TARGETS variable so that only static libraries
-#  are specifed as dependencies within rules.mk.
-#
-
-TARGETS        = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PROGRAM        =
-
diff --git a/security/nss/lib/base/error.c b/security/nss/lib/base/error.c
deleted file mode 100644
index 470b8e3da..000000000
--- a/security/nss/lib/base/error.c
+++ /dev/null
@@ -1,287 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * error.c
- *
- * This file contains the code implementing the per-thread error 
- * stacks upon which most NSS routines report their errors.
- */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-#include <string.h> /* for memmove */
-
-#define NSS_MAX_ERROR_STACK_COUNT 16 /* error codes */
-
-/*
- * The stack itself has a header, and a sequence of integers.
- * The header records the amount of space (as measured in stack
- * slots) already allocated for the stack, and the count of the
- * number of records currently being used.
- */
-
-struct stack_header_str {
-  PRUint16 space;
-  PRUint16 count;
-};
-
-struct error_stack_str {
-  struct stack_header_str header;
-  PRInt32 stack[1];
-};
-typedef struct error_stack_str error_stack;
-
-/*
- * error_stack_index
- *
- * Thread-private data must be indexed.  This is that index.
- * See PR_NewThreadPrivateIndex for more information.
- */
-
-static PRUintn error_stack_index;
-
-/*
- * call_once
- *
- * The thread-private index must be obtained (once!) at runtime.
- * This block is used for that one-time call.
- */
-
-static PRCallOnceType error_call_once;
-
-/*
- * error_once_function
- *
- * This is the once-called callback.
- */
-static PRStatus
-error_once_function ( void)
-{
-  return nss_NewThreadPrivateIndex(&error_stack_index,PR_Free);
-  /* return PR_NewThreadPrivateIndex(&error_stack_index, PR_Free); */
-}
-
-/*
- * error_get_my_stack
- *
- * This routine returns the calling thread's error stack, creating
- * it if necessary.  It may return NULL upon error, which implicitly
- * means that it ran out of memory.
- */
-
-static error_stack *
-error_get_my_stack ( void)
-{
-  PRStatus st;
-  error_stack *rv;
-  PRUintn new_size;
-  PRUint32 new_bytes;
-  error_stack *new_stack;
-
-  if( 0 == error_stack_index ) {
-    st = PR_CallOnce(&error_call_once, error_once_function);
-    if( PR_SUCCESS != st ) {
-      return (error_stack *)NULL;
-    }
-  }
-
-  rv = (error_stack *)nss_GetThreadPrivate(error_stack_index);
-  if( (error_stack *)NULL == rv ) {
-    /* Doesn't exist; create one */
-    new_size = 16;
-  } else if( rv->header.count == rv->header.space  &&
-             rv->header.count  < NSS_MAX_ERROR_STACK_COUNT ) {
-    /* Too small, expand it */
-    new_size = PR_MIN( rv->header.space * 2, NSS_MAX_ERROR_STACK_COUNT);
-  } else {
-    /* Okay, return it */
-    return rv;
-  }
-
-  new_bytes = (new_size * sizeof(PRInt32)) + sizeof(error_stack);
-  /* Use NSPR's calloc/realloc, not NSS's, to avoid loops! */
-  new_stack = PR_Calloc(1, new_bytes);
-  
-  if( (error_stack *)NULL != new_stack ) {
-    if( (error_stack *)NULL != rv ) {
-	(void)nsslibc_memcpy(new_stack,rv,rv->header.space);
-    }
-    new_stack->header.space = new_size;
-  }
-
-  /* Set the value, whether or not the allocation worked */
-  nss_SetThreadPrivate(error_stack_index, new_stack);
-  return new_stack;
-}
-
-/*
- * The error stack
- *
- * The public methods relating to the error stack are:
- *
- *  NSS_GetError
- *  NSS_GetErrorStack
- *
- * The nonpublic methods relating to the error stack are:
- *
- *  nss_SetError
- *  nss_ClearErrorStack
- *
- */
-
-/*
- * NSS_GetError
- *
- * This routine returns the highest-level (most general) error set
- * by the most recent NSS library routine called by the same thread
- * calling this routine.
- *
- * This routine cannot fail.  However, it may return zero, which
- * indicates that the previous NSS library call did not set an error.
- *
- * Return value:
- *  0 if no error has been set
- *  A nonzero error number
- */
-
-NSS_IMPLEMENT PRInt32
-NSS_GetError ( void)
-{
-  error_stack *es = error_get_my_stack();
-
-  if( (error_stack *)NULL == es ) {
-    return NSS_ERROR_NO_MEMORY; /* Good guess! */
-  }
-
-  if( 0 == es->header.count ) {
-    return 0;
-  }
-
-  return es->stack[ es->header.count-1 ];
-}
-
-/*
- * NSS_GetErrorStack
- *
- * This routine returns a pointer to an array of integers, containing
- * the entire sequence or "stack" of errors set by the most recent NSS
- * library routine called by the same thread calling this routine.
- * NOTE: the caller DOES NOT OWN the memory pointed to by the return
- * value.  The pointer will remain valid until the calling thread
- * calls another NSS routine.  The lowest-level (most specific) error 
- * is first in the array, and the highest-level is last.  The array is
- * zero-terminated.  This routine may return NULL upon error; this
- * indicates a low-memory situation.
- *
- * Return value:
- *  NULL upon error, which is an implied NSS_ERROR_NO_MEMORY
- *  A NON-caller-owned pointer to an array of integers
- */
-
-NSS_IMPLEMENT PRInt32 *
-NSS_GetErrorStack ( void)
-{
-  error_stack *es = error_get_my_stack();
-
-  if( (error_stack *)NULL == es ) {
-    return (PRInt32 *)NULL;
-  }
-
-  /* Make sure it's terminated */
-  es->stack[ es->header.count ] = 0;
-
-  return es->stack;
-}
-
-/*
- * nss_SetError
- *
- * This routine places a new error code on the top of the calling 
- * thread's error stack.  Calling this routine wiht an error code
- * of zero will clear the error stack.
- */
-
-NSS_IMPLEMENT void
-nss_SetError ( PRUint32 error)
-{
-  error_stack *es;
-
-  if( 0 == error ) {
-    nss_ClearErrorStack();
-    return;
-  }
-
-  es = error_get_my_stack();
-  if( (error_stack *)NULL == es ) {
-    /* Oh, well. */
-    return;
-  }
-
-  if (es->header.count < es->header.space) {
-    es->stack[ es->header.count++ ] = error;
-  } else {
-    memmove(es->stack, es->stack + 1, 
-		(es->header.space - 1) * (sizeof es->stack[0]));
-    es->stack[ es->header.space - 1 ] = error;
-  }
-  return;
-}
-
-/*
- * nss_ClearErrorStack
- *
- * This routine clears the calling thread's error stack.
- */
-
-NSS_IMPLEMENT void
-nss_ClearErrorStack ( void)
-{
-  error_stack *es = error_get_my_stack();
-  if( (error_stack *)NULL == es ) {
-    /* Oh, well. */
-    return;
-  }
-
-  es->header.count = 0;
-  es->stack[0] = 0;
-  return;
-}
diff --git a/security/nss/lib/base/errorval.c b/security/nss/lib/base/errorval.c
deleted file mode 100644
index fd8d91e65..000000000
--- a/security/nss/lib/base/errorval.c
+++ /dev/null
@@ -1,96 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * errorval.c
- *
- * This file contains the actual error constants used in NSS.
- */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-const NSSError NSS_ERROR_NO_ERROR                       =  0;
-const NSSError NSS_ERROR_INTERNAL_ERROR                 =  1;
-const NSSError NSS_ERROR_NO_MEMORY                      =  2;
-const NSSError NSS_ERROR_INVALID_POINTER                =  3;
-const NSSError NSS_ERROR_INVALID_ARENA                  =  4;
-const NSSError NSS_ERROR_INVALID_ARENA_MARK             =  5;
-const NSSError NSS_ERROR_DUPLICATE_POINTER              =  6;
-const NSSError NSS_ERROR_POINTER_NOT_REGISTERED         =  7;
-const NSSError NSS_ERROR_TRACKER_NOT_EMPTY              =  8;
-const NSSError NSS_ERROR_TRACKER_NOT_INITIALIZED        =  9;
-const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD = 10;
-const NSSError NSS_ERROR_VALUE_TOO_LARGE                = 11;
-const NSSError NSS_ERROR_UNSUPPORTED_TYPE               = 12;
-const NSSError NSS_ERROR_BUFFER_TOO_SHORT               = 13;
-const NSSError NSS_ERROR_INVALID_ATOB_CONTEXT           = 14;
-const NSSError NSS_ERROR_INVALID_BASE64                 = 15;
-const NSSError NSS_ERROR_INVALID_BTOA_CONTEXT           = 16;
-const NSSError NSS_ERROR_INVALID_ITEM                   = 17;
-const NSSError NSS_ERROR_INVALID_STRING                 = 18;
-const NSSError NSS_ERROR_INVALID_ASN1ENCODER            = 19;
-const NSSError NSS_ERROR_INVALID_ASN1DECODER            = 20;
-
-const NSSError NSS_ERROR_INVALID_BER                    = 21;
-const NSSError NSS_ERROR_INVALID_ATAV                   = 22;
-const NSSError NSS_ERROR_INVALID_ARGUMENT               = 23;
-const NSSError NSS_ERROR_INVALID_UTF8                   = 24;
-const NSSError NSS_ERROR_INVALID_NSSOID                 = 25;
-const NSSError NSS_ERROR_UNKNOWN_ATTRIBUTE              = 26;
-
-const NSSError NSS_ERROR_NOT_FOUND                      = 27;
-
-const NSSError NSS_ERROR_INVALID_PASSWORD               = 28;
-const NSSError NSS_ERROR_USER_CANCELED                  = 29;
-
-const NSSError NSS_ERROR_MAXIMUM_FOUND                  = 30;
-
-const NSSError NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND   = 31;
-
-const NSSError NSS_ERROR_CERTIFICATE_IN_CACHE           = 32;
-
-const NSSError NSS_ERROR_HASH_COLLISION                 = 33;
-const NSSError NSS_ERROR_DEVICE_ERROR                   = 34;
-const NSSError NSS_ERROR_INVALID_CERTIFICATE            = 35;
-const NSSError NSS_ERROR_BUSY                           = 36;
-const NSSError NSS_ERROR_ALREADY_INITIALIZED            = 37;
-
diff --git a/security/nss/lib/base/hash.c b/security/nss/lib/base/hash.c
deleted file mode 100644
index 5433a1039..000000000
--- a/security/nss/lib/base/hash.c
+++ /dev/null
@@ -1,407 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * hash.c
- *
- * This is merely a couple wrappers around NSPR's PLHashTable, using
- * the identity hash and arena-aware allocators.
- * This is a copy of ckfw/hash.c, with modifications to use NSS types
- * (not Cryptoki types).  Would like for this to be a single implementation,
- * but doesn't seem like it will work.
- */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-/*
- * nssHash
- *
- *  nssHash_Create
- *  nssHash_Destroy
- *  nssHash_Add
- *  nssHash_Remove
- *  nssHash_Count
- *  nssHash_Exists
- *  nssHash_Lookup
- *  nssHash_Iterate
- */
-
-struct nssHashStr {
-  NSSArena *arena;
-  PRBool i_alloced_arena;
-  PRLock *mutex;
-
-  /*
-   * The invariant that mutex protects is:
-   *   The count accurately reflects the hashtable state.
-   */
-
-  PLHashTable *plHashTable;
-  PRUint32 count;
-};
-
-static PLHashNumber
-nss_identity_hash
-(
-  const void *key
-)
-{
-  PRUint32 i = (PRUint32)key;
-  PR_ASSERT(sizeof(PLHashNumber) == sizeof(PRUint32));
-  return (PLHashNumber)i;
-}
-
-static PLHashNumber
-nss_item_hash
-(
-  const void *key
-)
-{
-  unsigned int i;
-  PLHashNumber h;
-  NSSItem *it = (NSSItem *)key;
-  h = 0;
-  for (i=0; i<it->size; i++)
-    h = (h >> 28) ^ (h << 4) ^ ((unsigned char *)it->data)[i];
-  return h;
-}
-
-static int
-nss_compare_items(const void *v1, const void *v2)
-{
-  PRStatus ignore;
-  return (int)nssItem_Equal((NSSItem *)v1, (NSSItem *)v2, &ignore);
-}
-
-/*
- * nssHash_create
- *
- */
-NSS_IMPLEMENT nssHash *
-nssHash_Create
-(
-  NSSArena *arenaOpt,
-  PRUint32 numBuckets,
-  PLHashFunction keyHash,
-  PLHashComparator keyCompare,
-  PLHashComparator valueCompare
-)
-{
-  nssHash *rv;
-  NSSArena *arena;
-  PRBool i_alloced;
-
-#ifdef NSSDEBUG
-  if( arenaOpt && PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return (nssHash *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  if (arenaOpt) {
-    arena = arenaOpt;
-    i_alloced = PR_FALSE;
-  } else {
-    arena = nssArena_Create();
-    i_alloced = PR_TRUE;
-  }
-
-  rv = nss_ZNEW(arena, nssHash);
-  if( (nssHash *)NULL == rv ) {
-    goto loser;
-  }
-
-  rv->mutex = PZ_NewLock(nssILockOther);
-  if( (PZLock *)NULL == rv->mutex ) {
-    goto loser;
-  }
-
-  rv->plHashTable = PL_NewHashTable(numBuckets, 
-                                    keyHash, keyCompare, valueCompare,
-                                    &nssArenaHashAllocOps, arena);
-  if( (PLHashTable *)NULL == rv->plHashTable ) {
-    (void)PZ_DestroyLock(rv->mutex);
-    goto loser;
-  }
-
-  rv->count = 0;
-  rv->arena = arena;
-  rv->i_alloced_arena = i_alloced;
-
-  return rv;
-loser:
-  (void)nss_ZFreeIf(rv);
-  return (nssHash *)NULL;
-}
-
-/*
- * nssHash_CreatePointer
- *
- */
-NSS_IMPLEMENT nssHash *
-nssHash_CreatePointer
-(
-  NSSArena *arenaOpt,
-  PRUint32 numBuckets
-)
-{
-  return nssHash_Create(arenaOpt, numBuckets, 
-                        nss_identity_hash, PL_CompareValues, PL_CompareValues);
-}
-
-/*
- * nssHash_CreateString
- *
- */
-NSS_IMPLEMENT nssHash *
-nssHash_CreateString
-(
-  NSSArena *arenaOpt,
-  PRUint32 numBuckets
-)
-{
-  return nssHash_Create(arenaOpt, numBuckets, 
-                        PL_HashString, PL_CompareStrings, PL_CompareStrings);
-}
-
-/*
- * nssHash_CreateItem
- *
- */
-NSS_IMPLEMENT nssHash *
-nssHash_CreateItem
-(
-  NSSArena *arenaOpt,
-  PRUint32 numBuckets
-)
-{
-  return nssHash_Create(arenaOpt, numBuckets, 
-                        nss_item_hash, nss_compare_items, PL_CompareValues);
-}
-
-/*
- * nssHash_Destroy
- *
- */
-NSS_IMPLEMENT void
-nssHash_Destroy
-(
-  nssHash *hash
-)
-{
-  (void)PZ_DestroyLock(hash->mutex);
-  PL_HashTableDestroy(hash->plHashTable);
-  if (hash->i_alloced_arena) {
-    nssArena_Destroy(hash->arena);
-  } else {
-    nss_ZFreeIf(hash);
-  }
-}
-
-/*
- * nssHash_Add
- *
- */
-NSS_IMPLEMENT PRStatus
-nssHash_Add
-(
-  nssHash *hash,
-  const void *key,
-  const void *value
-)
-{
-  PRStatus error = PR_FAILURE;
-  PLHashEntry *he;
-
-  PZ_Lock(hash->mutex);
-  
-  he = PL_HashTableAdd(hash->plHashTable, key, (void *)value);
-  if( (PLHashEntry *)NULL == he ) {
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-  } else if (he->value != value) {
-    nss_SetError(NSS_ERROR_HASH_COLLISION);
-  } else {
-    hash->count++;
-    error = PR_SUCCESS;
-  }
-
-  (void)PZ_Unlock(hash->mutex);
-
-  return error;
-}
-
-/*
- * nssHash_Remove
- *
- */
-NSS_IMPLEMENT void
-nssHash_Remove
-(
-  nssHash *hash,
-  const void *it
-)
-{
-  PRBool found;
-
-  PZ_Lock(hash->mutex);
-
-  found = PL_HashTableRemove(hash->plHashTable, it);
-  if( found ) {
-    hash->count--;
-  }
-
-  (void)PZ_Unlock(hash->mutex);
-  return;
-}
-
-/*
- * nssHash_Count
- *
- */
-NSS_IMPLEMENT PRUint32
-nssHash_Count
-(
-  nssHash *hash
-)
-{
-  PRUint32 count;
-
-  PZ_Lock(hash->mutex);
-
-  count = hash->count;
-
-  (void)PZ_Unlock(hash->mutex);
-
-  return count;
-}
-
-/*
- * nssHash_Exists
- *
- */
-NSS_IMPLEMENT PRBool
-nssHash_Exists
-(
-  nssHash *hash,
-  const void *it
-)
-{
-  void *value;
-
-  PZ_Lock(hash->mutex);
-
-  value = PL_HashTableLookup(hash->plHashTable, it);
-
-  (void)PZ_Unlock(hash->mutex);
-
-  if( (void *)NULL == value ) {
-    return PR_FALSE;
-  } else {
-    return PR_TRUE;
-  }
-}
-
-/*
- * nssHash_Lookup
- *
- */
-NSS_IMPLEMENT void *
-nssHash_Lookup
-(
-  nssHash *hash,
-  const void *it
-)
-{
-  void *rv;
-
-  PZ_Lock(hash->mutex);
-
-  rv = PL_HashTableLookup(hash->plHashTable, it);
-
-  (void)PZ_Unlock(hash->mutex);
-
-  return rv;
-}
-
-struct arg_str {
-  nssHashIterator fcn;
-  void *closure;
-};
-
-static PRIntn
-nss_hash_enumerator
-(
-  PLHashEntry *he,
-  PRIntn index,
-  void *arg
-)
-{
-  struct arg_str *as = (struct arg_str *)arg;
-  as->fcn(he->key, he->value, as->closure);
-  return HT_ENUMERATE_NEXT;
-}
-
-/*
- * nssHash_Iterate
- *
- * NOTE that the iteration function will be called with the hashtable locked.
- */
-NSS_IMPLEMENT void
-nssHash_Iterate
-(
-  nssHash *hash,
-  nssHashIterator fcn,
-  void *closure
-)
-{
-  struct arg_str as;
-  as.fcn = fcn;
-  as.closure = closure;
-
-  PZ_Lock(hash->mutex);
-
-  PL_HashTableEnumerateEntries(hash->plHashTable, nss_hash_enumerator, &as);
-
-  (void)PZ_Unlock(hash->mutex);
-
-  return;
-}
diff --git a/security/nss/lib/base/hashops.c b/security/nss/lib/base/hashops.c
deleted file mode 100644
index 1372ea63e..000000000
--- a/security/nss/lib/base/hashops.c
+++ /dev/null
@@ -1,120 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * hashops.c
- *
- * This file includes a set of PLHashAllocOps that use NSSArenas.
- */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-static void * PR_CALLBACK
-nss_arena_hash_alloc_table
-(
-  void *pool,
-  PRSize size
-)
-{
-  NSSArena *arena = (NSSArena *)NULL;
-
-#ifdef NSSDEBUG
-  if( (void *)NULL != arena ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
-      return (void *)NULL;
-    }
-  }
-#endif /* NSSDEBUG */
-
-  return nss_ZAlloc(arena, size);
-}
-
-static void PR_CALLBACK
-nss_arena_hash_free_table
-(
-  void *pool, 
-  void *item
-)
-{
-  (void)nss_ZFreeIf(item);
-}
-
-static PLHashEntry * PR_CALLBACK
-nss_arena_hash_alloc_entry
-(
-  void *pool,
-  const void *key
-)
-{
-  NSSArena *arena = NULL;
-
-#ifdef NSSDEBUG
-  if( (void *)NULL != arena ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
-      return (void *)NULL;
-    }
-  }
-#endif /* NSSDEBUG */
-
-  return nss_ZNEW(arena, PLHashEntry);
-}
-
-static void PR_CALLBACK
-nss_arena_hash_free_entry
-(
-  void *pool,
-  PLHashEntry *he,
-  PRUintn flag
-)
-{
-  if( HT_FREE_ENTRY == flag ) {
-    (void)nss_ZFreeIf(he);
-  }
-}
-
-NSS_IMPLEMENT_DATA PLHashAllocOps 
-nssArenaHashAllocOps = {
-  nss_arena_hash_alloc_table,
-  nss_arena_hash_free_table,
-  nss_arena_hash_alloc_entry,
-  nss_arena_hash_free_entry
-};
diff --git a/security/nss/lib/base/item.c b/security/nss/lib/base/item.c
deleted file mode 100644
index f624891f9..000000000
--- a/security/nss/lib/base/item.c
+++ /dev/null
@@ -1,244 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * item.c
- *
- * This contains some item-manipulation code.
- */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-/*
- * nssItem_Create
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
- *  NSS_ERROR_INVALID_POINTER
- *  
- * Return value:
- *  A pointer to an NSSItem upon success
- *  NULL upon failure
- */
-
-NSS_IMPLEMENT NSSItem *
-nssItem_Create
-(
-  NSSArena *arenaOpt,
-  NSSItem *rvOpt,
-  PRUint32 length,
-  const void *data
-)
-{
-  NSSItem *rv = (NSSItem *)NULL;
-
-#ifdef DEBUG
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSItem *)NULL;
-    }
-  }
-
-  if( (const void *)NULL == data ) {
-    if( length > 0 ) {
-      nss_SetError(NSS_ERROR_INVALID_POINTER);
-      return (NSSItem *)NULL;
-    }
-  }
-#endif /* DEBUG */
-
-  if( (NSSItem *)NULL == rvOpt ) {
-    rv = (NSSItem *)nss_ZNEW(arenaOpt, NSSItem);
-    if( (NSSItem *)NULL == rv ) {
-      goto loser;
-    }
-  } else {
-    rv = rvOpt;
-  }
-
-  rv->size = length;
-  rv->data = nss_ZAlloc(arenaOpt, length);
-  if( (void *)NULL == rv->data ) {
-    goto loser;
-  }
-
-  if( length > 0 ) {
-    (void)nsslibc_memcpy(rv->data, data, length);
-  }
-
-  return rv;
-
- loser:
-  if( rv != rvOpt ) {
-    nss_ZFreeIf(rv);
-  }
-
-  return (NSSItem *)NULL;
-}
-
-NSS_IMPLEMENT void
-nssItem_Destroy
-(
-  NSSItem *item
-)
-{
-  nss_ClearErrorStack();
-
-  nss_ZFreeIf(item->data);
-  nss_ZFreeIf(item);
-
-}
-
-/*
- * nssItem_Duplicate
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
- *  NSS_ERROR_INVALID_ITEM
- *  
- * Return value:
- *  A pointer to an NSSItem upon success
- *  NULL upon failure
- */
-
-NSS_IMPLEMENT NSSItem *
-nssItem_Duplicate
-(
-  NSSItem *obj,
-  NSSArena *arenaOpt,
-  NSSItem *rvOpt
-)
-{
-#ifdef DEBUG
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSItem *)NULL;
-    }
-  }
-
-  if( (NSSItem *)NULL == obj ) {
-    nss_SetError(NSS_ERROR_INVALID_ITEM);
-    return (NSSItem *)NULL;
-  }
-#endif /* DEBUG */
-
-  return nssItem_Create(arenaOpt, rvOpt, obj->size, obj->data);
-}
-
-#ifdef DEBUG
-/*
- * nssItem_verifyPointer
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- *  PR_SUCCESS upon success
- *  PR_FAILURE upon failure
- */
-
-NSS_IMPLEMENT PRStatus
-nssItem_verifyPointer
-(
-  const NSSItem *item
-)
-{
-  if( ((const NSSItem *)NULL == item) ||
-      (((void *)NULL == item->data) && (item->size > 0)) ) {
-    nss_SetError(NSS_ERROR_INVALID_ITEM);
-    return PR_FAILURE;
-  }
-
-  return PR_SUCCESS;
-}
-#endif /* DEBUG */
-
-/*
- * nssItem_Equal
- *
- * -- fgmr comments --
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ITEM
- *
- * Return value:
- *  PR_TRUE if the items are identical
- *  PR_FALSE if they aren't
- *  PR_FALSE upon error
- */
-
-NSS_IMPLEMENT PRBool
-nssItem_Equal
-(
-  const NSSItem *one,
-  const NSSItem *two,
-  PRStatus *statusOpt
-)
-{
-  if( (PRStatus *)NULL != statusOpt ) {
-    *statusOpt = PR_SUCCESS;
-  }
-
-  if( ((const NSSItem *)NULL == one) && ((const NSSItem *)NULL == two) ) {
-    return PR_TRUE;
-  }
-
-  if( ((const NSSItem *)NULL == one) || ((const NSSItem *)NULL == two) ) {
-    return PR_FALSE;
-  }
-
-  if( one->size != two->size ) {
-    return PR_FALSE;
-  }
-
-  return nsslibc_memequal(one->data, two->data, one->size, statusOpt);
-}
diff --git a/security/nss/lib/base/libc.c b/security/nss/lib/base/libc.c
deleted file mode 100644
index b37fe09cb..000000000
--- a/security/nss/lib/base/libc.c
+++ /dev/null
@@ -1,200 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * libc.c
- *
- * This file contains our wrappers/reimplementations for "standard" 
- * libc functions.  Things like "memcpy."  We add to this as we need 
- * it.  Oh, and let's keep it in alphabetical order, should it ever 
- * get large.  Most string/character stuff should be in utf8.c, not 
- * here.  This file (and maybe utf8.c) should be the only ones in
- * NSS to include files with angle brackets.
- */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-#include <string.h> /* memcpy, memset */
-
-/*
- * nsslibc_memcpy
- * nsslibc_memset
- * nsslibc_offsetof
- * nsslibc_memequal
- */
-
-/*
- * nsslibc_memcpy
- *
- * Errors:
- *  NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- *  NULL on error
- *  The destination pointer on success
- */
-
-NSS_IMPLEMENT void *
-nsslibc_memcpy
-(
-  void *dest,
-  const void *source,
-  PRUint32 n
-)
-{
-#ifdef NSSDEBUG
-  if( ((void *)NULL == dest) || ((const void *)NULL == source) ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return (void *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  return memcpy(dest, source, (size_t)n);
-}
-
-/*
- * nsslibc_memset
- *
- * Errors:
- *  NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- *  NULL on error
- *  The destination pointer on success
- */
-
-NSS_IMPLEMENT void *
-nsslibc_memset
-(
-  void *dest,
-  PRUint8 byte,
-  PRUint32 n
-)
-{
-#ifdef NSSDEBUG
-  if( ((void *)NULL == dest) ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return (void *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  return memset(dest, (int)byte, (size_t)n);
-}
-
-/*
- * nsslibc_memequal
- *
- * Errors:
- *  NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- *  PR_TRUE if they match
- *  PR_FALSE if they don't
- *  PR_FALSE upon error
- */
-
-NSS_IMPLEMENT PRBool
-nsslibc_memequal
-(
-  const void *a,
-  const void *b,
-  PRUint32 len,
-  PRStatus *statusOpt
-)
-{
-#ifdef NSSDEBUG
-  if( (((void *)NULL == a) || ((void *)NULL == b)) ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    if( (PRStatus *)NULL != statusOpt ) {
-      *statusOpt = PR_FAILURE;
-    }
-    return PR_FALSE;
-  }
-#endif /* NSSDEBUG */
-
-  if( (PRStatus *)NULL != statusOpt ) {
-    *statusOpt = PR_SUCCESS;
-  }
-
-  if( 0 == memcmp(a, b, len) ) {
-    return PR_TRUE;
-  } else {
-    return PR_FALSE;
-  }
-}
-
-/*
- * nsslibc_memcmp
- */
-
-NSS_IMPLEMENT PRInt32
-nsslibc_memcmp
-(
-  const void *a,
-  const void *b,
-  PRUint32 len,
-  PRStatus *statusOpt
-)
-{
-  int v;
-
-#ifdef NSSDEBUG
-  if( (((void *)NULL == a) || ((void *)NULL == b)) ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    if( (PRStatus *)NULL != statusOpt ) {
-      *statusOpt = PR_FAILURE;
-    }
-    return -2;
-  }
-#endif /* NSSDEBUG */
-
-  if( (PRStatus *)NULL != statusOpt ) {
-    *statusOpt = PR_SUCCESS;
-  }
-
-  v = memcmp(a, b, len);
-  return (PRInt32)v;
-}
-
-/*
- * offsetof is a preprocessor definition
- */
diff --git a/security/nss/lib/base/list.c b/security/nss/lib/base/list.c
deleted file mode 100644
index a60020cf2..000000000
--- a/security/nss/lib/base/list.c
+++ /dev/null
@@ -1,436 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * list.c
- *
- * This contains the implementation of NSS's thread-safe linked list.
- */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-struct nssListElementStr {
-    PRCList  link;
-    void    *data;
-};
-
-typedef struct nssListElementStr nssListElement;
-
-struct nssListStr {
-    NSSArena       *arena;
-    PZLock         *lock;
-    nssListElement *head;
-    PRUint32        count;
-    nssListCompareFunc compareFunc;
-    nssListSortFunc    sortFunc;
-    PRBool i_alloced_arena;
-};
-
-struct nssListIteratorStr {
-    PZLock *lock;
-    nssList *list;
-    nssListElement *current;
-};
-
-#define NSSLIST_LOCK_IF(list) \
-    if ((list)->lock) PZ_Lock((list)->lock)
-
-#define NSSLIST_UNLOCK_IF(list) \
-    if ((list)->lock) PZ_Unlock((list)->lock)
-
-static PRBool
-pointer_compare(void *a, void *b)
-{
-    return (PRBool)(a == b);
-}
-
-static nssListElement *
-nsslist_get_matching_element(nssList *list, void *data)
-{
-    PRCList *link;
-    nssListElement *node;
-    node = list->head;
-    if (!node) {
-	return NULL;
-    }
-    link = &node->link;
-    while (node) {
-	/* using a callback slows things down when it's just compare ... */
-	if (list->compareFunc(node->data, data)) {
-	    break;
-	}
-	link = &node->link;
-	if (link == PR_LIST_TAIL(&list->head->link)) {
-	    node = NULL;
-	    break;
-	}
-	node = (nssListElement *)PR_NEXT_LINK(&node->link);
-    }
-    return node;
-}
-
-NSS_IMPLEMENT nssList *
-nssList_Create
-(
-  NSSArena *arenaOpt,
-  PRBool threadSafe
-)
-{
-    NSSArena *arena;
-    nssList *list;
-    PRBool i_alloced;
-    if (arenaOpt) {
-	arena = arenaOpt;
-	i_alloced = PR_FALSE;
-    } else {
-	arena = nssArena_Create();
-	i_alloced = PR_TRUE;
-    }
-    if (!arena) {
-	return (nssList *)NULL;
-    }
-    list = nss_ZNEW(arena, nssList);
-    if (!list) {
-	if (!arenaOpt) {
-	    NSSArena_Destroy(arena);
-	}
-	return (nssList *)NULL;
-    }
-    if (threadSafe) {
-	list->lock = PZ_NewLock(nssILockOther);
-	if (!list->lock) {
-	    if (arenaOpt) {
-		nss_ZFreeIf(list);
-	    } else {
-		NSSArena_Destroy(arena);
-	    }
-	    return (nssList *)NULL;
-	}
-    }
-    list->arena = arena;
-    list->i_alloced_arena = i_alloced;
-    list->compareFunc = pointer_compare;
-    return list;
-}
-
-NSS_IMPLEMENT PRStatus
-nssList_Destroy(nssList *list)
-{
-    if (!list->i_alloced_arena) {
-	nssList_Clear(list, NULL);
-    }
-    if (list->lock) {
-	(void)PZ_DestroyLock(list->lock);
-    }
-    if (list->i_alloced_arena) {
-	NSSArena_Destroy(list->arena);
-	list = NULL;
-    }
-    nss_ZFreeIf(list);
-    return PR_SUCCESS;
-}
-
-NSS_IMPLEMENT void
-nssList_SetCompareFunction(nssList *list, nssListCompareFunc compareFunc)
-{
-    list->compareFunc = compareFunc;
-}
-
-NSS_IMPLEMENT void
-nssList_SetSortFunction(nssList *list, nssListSortFunc sortFunc)
-{
-    /* XXX if list already has elements, sort them */
-    list->sortFunc = sortFunc;
-}
-
-NSS_IMPLEMENT nssListCompareFunc
-nssList_GetCompareFunction(nssList *list)
-{
-    return list->compareFunc;
-}
-
-NSS_IMPLEMENT void
-nssList_Clear(nssList *list, nssListElementDestructorFunc destructor)
-{
-    PRCList *link;
-    nssListElement *node, *tmp;
-    NSSLIST_LOCK_IF(list);
-    node = list->head;
-    list->head = NULL;
-    while (node && list->count > 0) {
-	if (destructor) (*destructor)(node->data);
-	link = &node->link;
-	tmp = (nssListElement *)PR_NEXT_LINK(link);
-	PR_REMOVE_LINK(link);
-	nss_ZFreeIf(node);
-	node = tmp;
-	--list->count;
-    }
-    NSSLIST_UNLOCK_IF(list);
-}
-
-static PRStatus
-nsslist_add_element(nssList *list, void *data)
-{
-    nssListElement *node = nss_ZNEW(list->arena, nssListElement);
-    if (!node) {
-	return PR_FAILURE;
-    }
-    PR_INIT_CLIST(&node->link);
-    node->data = data;
-    if (list->head) {
-	if (list->sortFunc) {
-	    PRCList *link;
-	    nssListElement *currNode;
-	    currNode = list->head;
-	    /* insert in ordered list */
-	    while (currNode) {
-		link = &currNode->link;
-		if (list->sortFunc(data, currNode->data) <= 0) {
-		    /* new element goes before current node */
-		    PR_INSERT_BEFORE(&node->link, link);
-		    /* reset head if this is first */
-		    if (currNode == list->head) list->head = node;
-		    break;
-		}
-		if (link == PR_LIST_TAIL(&list->head->link)) {
-		    /* reached end of list, append */
-		    PR_INSERT_AFTER(&node->link, link);
-		    break;
-		}
-		currNode = (nssListElement *)PR_NEXT_LINK(&currNode->link);
-	    }
-	} else {
-	    /* not sorting */
-	    PR_APPEND_LINK(&node->link, &list->head->link);
-	}
-    } else {
-	list->head = node;
-    }
-    ++list->count;
-    return PR_SUCCESS;
-}
-
-NSS_IMPLEMENT PRStatus
-nssList_Add(nssList *list, void *data)
-{
-    PRStatus nssrv;
-    NSSLIST_LOCK_IF(list);
-    nssrv = nsslist_add_element(list, data);
-    NSSLIST_UNLOCK_IF(list);
-    return PR_SUCCESS;
-}
-
-NSS_IMPLEMENT PRStatus
-nssList_AddUnique(nssList *list, void *data)
-{
-    PRStatus nssrv;
-    nssListElement *node;
-    NSSLIST_LOCK_IF(list);
-    node = nsslist_get_matching_element(list, data);
-    if (node) {
-	/* already in, finish */
-	NSSLIST_UNLOCK_IF(list);
-	return PR_SUCCESS;
-    }
-    nssrv = nsslist_add_element(list, data);
-    NSSLIST_UNLOCK_IF(list);
-    return nssrv;
-}
-
-NSS_IMPLEMENT PRStatus
-nssList_Remove(nssList *list, void *data)
-{
-    nssListElement *node;
-    NSSLIST_LOCK_IF(list);
-    node = nsslist_get_matching_element(list, data);
-    if (node) {
-	if (node == list->head) {
-	    list->head = (nssListElement *)PR_NEXT_LINK(&node->link);
-	}
-	PR_REMOVE_LINK(&node->link);
-	nss_ZFreeIf(node);
-	if (--list->count == 0) {
-	    list->head = NULL;
-	}
-    }
-    NSSLIST_UNLOCK_IF(list);
-    return PR_SUCCESS;
-}
-
-NSS_IMPLEMENT void *
-nssList_Get(nssList *list, void *data)
-{
-    nssListElement *node;
-    NSSLIST_LOCK_IF(list);
-    node = nsslist_get_matching_element(list, data);
-    NSSLIST_UNLOCK_IF(list);
-    return (node) ? node->data : NULL;
-}
-
-NSS_IMPLEMENT PRUint32
-nssList_Count(nssList *list)
-{
-    return list->count;
-}
-
-NSS_IMPLEMENT PRStatus
-nssList_GetArray(nssList *list, void **rvArray, PRUint32 maxElements)
-{
-    nssListElement *node;
-    PRUint32 i = 0;
-    PR_ASSERT(maxElements > 0);
-    node = list->head;
-    if (!node) {
-	return PR_SUCCESS;
-    }
-    NSSLIST_LOCK_IF(list);
-    while (node) {
-	rvArray[i++] = node->data;
-	if (i == maxElements) break;
-	node = (nssListElement *)PR_NEXT_LINK(&node->link);
-	if (node == list->head) {
-	    break;
-	}
-    }
-    NSSLIST_UNLOCK_IF(list);
-    return PR_SUCCESS;
-}
-
-NSS_IMPLEMENT nssList *
-nssList_Clone(nssList *list)
-{
-    nssList *rvList;
-    nssListElement *node;
-    rvList = nssList_Create(NULL, (list->lock != NULL));
-    if (!rvList) {
-	return NULL;
-    }
-    NSSLIST_LOCK_IF(list);
-    if (list->count > 0) {
-	node = list->head;
-	while (PR_TRUE) {
-	    nssList_Add(rvList, node->data);
-	    node = (nssListElement *)PR_NEXT_LINK(&node->link);
-	    if (node == list->head) {
-		break;
-	    }
-	}
-    }
-    NSSLIST_UNLOCK_IF(list);
-    return rvList;
-}
-
-NSS_IMPLEMENT nssListIterator *
-nssList_CreateIterator(nssList *list)
-{
-    nssListIterator *rvIterator;
-    rvIterator = nss_ZNEW(NULL, nssListIterator);
-    if (!rvIterator) {
-	return NULL;
-    }
-    rvIterator->list = nssList_Clone(list);
-    if (!rvIterator->list) {
-	nss_ZFreeIf(rvIterator);
-	return NULL;
-    }
-    rvIterator->current = rvIterator->list->head;
-    if (list->lock) {
-	rvIterator->lock = PZ_NewLock(nssILockOther);
-	if (!rvIterator->lock) {
-	    nssList_Destroy(rvIterator->list);
-	    nss_ZFreeIf(rvIterator);
-	}
-    }
-    return rvIterator;
-}
-
-NSS_IMPLEMENT void
-nssListIterator_Destroy(nssListIterator *iter)
-{
-    if (iter->lock) {
-	(void)PZ_DestroyLock(iter->lock);
-    }
-    nssList_Destroy(iter->list);
-    nss_ZFreeIf(iter);
-}
-
-NSS_IMPLEMENT void *
-nssListIterator_Start(nssListIterator *iter)
-{
-    NSSLIST_LOCK_IF(iter);
-    if (iter->list->count == 0) {
-	return NULL;
-    }
-    iter->current = iter->list->head;
-    return iter->current->data;
-}
-
-NSS_IMPLEMENT void *
-nssListIterator_Next(nssListIterator *iter)
-{
-    nssListElement *node;
-    PRCList *link;
-    if (iter->list->count == 1 || iter->current == NULL) {
-	/* Reached the end of the list.  Don't change the state, force to
-	 * user to call nssList_Finish to clean up.
-	 */
-	return NULL;
-    }
-    node = (nssListElement *)PR_NEXT_LINK(&iter->current->link);
-    link = &node->link;
-    if (link == PR_LIST_TAIL(&iter->list->head->link)) {
-	/* Signal the end of the list. */
-	iter->current = NULL;
-	return node->data;
-    }
-    iter->current = node;
-    return node->data;
-}
-
-NSS_IMPLEMENT PRStatus
-nssListIterator_Finish(nssListIterator *iter)
-{
-    iter->current = iter->list->head;
-    return (iter->lock) ? PZ_Unlock(iter->lock) : PR_SUCCESS;
-}
-
diff --git a/security/nss/lib/base/manifest.mn b/security/nss/lib/base/manifest.mn
deleted file mode 100644
index dc787caa7..000000000
--- a/security/nss/lib/base/manifest.mn
+++ /dev/null
@@ -1,69 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
-
-CORE_DEPTH = ../../..
-
-PRIVATE_EXPORTS = \
-	baset.h		  \
-	base.h		  \
-	$(NULL)
-
-EXPORTS =	   \
-	nssbaset.h \
-	nssbase.h  \
-	$(NULL)
-
-MODULE = nss
-
-CSRCS =		   \
-	arena.c	   \
-	error.c	   \
-	errorval.c \
-	hashops.c  \
-	libc.c	   \
-	tracker.c  \
-	item.c     \
-	utf8.c	   \
-	list.c     \
-	hash.c     \
-	whatnspr.c \
-	$(NULL)
-
-REQUIRES = nspr
-
-LIBRARY_NAME = nssb
diff --git a/security/nss/lib/base/nssbase.h b/security/nss/lib/base/nssbase.h
deleted file mode 100644
index 09a154f76..000000000
--- a/security/nss/lib/base/nssbase.h
+++ /dev/null
@@ -1,170 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef NSSBASE_H
-#define NSSBASE_H
-
-#ifdef DEBUG
-static const char NSSBASE_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * nssbase.h
- *
- * This header file contains the prototypes of the basic public
- * NSS routines.
- */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-PR_BEGIN_EXTERN_C
-
-/*
- * NSSArena
- *
- * The public methods relating to this type are:
- *
- *  NSSArena_Create  -- constructor
- *  NSSArena_Destroy
- */
-
-/*
- * NSSArena_Create
- *
- * This routine creates a new memory arena.  This routine may return
- * NULL upon error, in which case it will have created an error stack.
- *
- * The top-level error may be one of the following values:
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSArena upon success
- */
-
-NSS_EXTERN NSSArena *
-NSSArena_Create
-(
-  void
-);
-
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * NSSArena_Destroy
- *
- * This routine will destroy the specified arena, freeing all memory
- * allocated from it.  This routine returns a PRStatus value; if 
- * successful, it will return PR_SUCCESS.  If unsuccessful, it will
- * create an error stack and return PR_FAILURE.
- *
- * The top-level error may be one of the following values:
- *  NSS_ERROR_INVALID_ARENA
- *
- * Return value:
- *  PR_SUCCESS upon success
- *  PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSArena_Destroy
-(
-  NSSArena *arena
-);
-
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-
-/*
- * The error stack
- *
- * The public methods relating to the error stack are:
- *
- *  NSS_GetError
- *  NSS_GetErrorStack
- */
-
-/*
- * NSS_GetError
- *
- * This routine returns the highest-level (most general) error set
- * by the most recent NSS library routine called by the same thread
- * calling this routine.
- *
- * This routine cannot fail.  It may return NSS_ERROR_NO_ERROR, which
- * indicates that the previous NSS library call did not set an error.
- *
- * Return value:
- *  0 if no error has been set
- *  A nonzero error number
- */
-
-NSS_EXTERN NSSError
-NSS_GetError
-(
-  void
-);
-
-extern const NSSError NSS_ERROR_NO_ERROR;
-
-/*
- * NSS_GetErrorStack
- *
- * This routine returns a pointer to an array of NSSError values, 
- * containingthe entire sequence or "stack" of errors set by the most 
- * recent NSS library routine called by the same thread calling this 
- * routine.  NOTE: the caller DOES NOT OWN the memory pointed to by 
- * the return value.  The pointer will remain valid until the calling 
- * thread calls another NSS routine.  The lowest-level (most specific) 
- * error is first in the array, and the highest-level is last.  The 
- * array is zero-terminated.  This routine may return NULL upon error; 
- * this indicates a low-memory situation.
- *
- * Return value:
- *  NULL upon error, which is an implied NSS_ERROR_NO_MEMORY
- *  A NON-caller-owned pointer to an array of NSSError values
- */
-
-NSS_EXTERN NSSError *
-NSS_GetErrorStack
-(
-  void
-);
-
-PR_END_EXTERN_C
-
-#endif /* NSSBASE_H */
diff --git a/security/nss/lib/base/nssbaset.h b/security/nss/lib/base/nssbaset.h
deleted file mode 100644
index be60c8335..000000000
--- a/security/nss/lib/base/nssbaset.h
+++ /dev/null
@@ -1,156 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef NSSBASET_H
-#define NSSBASET_H
-
-#ifdef DEBUG
-static const char NSSBASET_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * nssbaset.h
- *
- * This file contains the most low-level, fundamental public types.
- */
-
-#include "nspr.h"
-#include "nssilock.h"
-
-/*
- * NSS_EXTERN, NSS_IMPLEMENT, NSS_EXTERN_DATA, NSS_IMPLEMENT_DATA
- *
- * NSS has its own versions of these NSPR macros, in a form which
- * does not confuse ctags and other related utilities.  NSPR 
- * defines these macros to take the type as an argument, because
- * of a requirement to support win16 dlls.  We do not have that
- * requirement, so we can drop that restriction.
- */
-
-#define DUMMY	/* dummy */
-#define NSS_EXTERN         PR_EXTERN(DUMMY)
-#define NSS_IMPLEMENT      PR_IMPLEMENT(DUMMY)
-#define NSS_EXTERN_DATA    PR_EXTERN_DATA(DUMMY)
-#define NSS_IMPLEMENT_DATA PR_IMPLEMENT_DATA(DUMMY)
-
-PR_BEGIN_EXTERN_C
-
-/*
- * NSSError
- *
- * Calls to NSS routines may result in one or more errors being placed
- * on the calling thread's "error stack."  Every possible error that
- * may be returned from a function is declared where the function is 
- * prototyped.  All errors are of the following type.
- */
-
-typedef PRInt32 NSSError;
-
-/*
- * NSSArena
- *
- * Arenas are logical sets of heap memory, from which memory may be
- * allocated.  When an arena is destroyed, all memory allocated within
- * that arena is implicitly freed.  These arenas are thread-safe: 
- * an arena pointer may be used by multiple threads simultaneously.
- * However, as they are not backed by shared memory, they may only be
- * used within one process.
- */
-
-struct NSSArenaStr;
-typedef struct NSSArenaStr NSSArena;
-
-/*
- * NSSItem
- *
- * This is the basic type used to refer to an unconstrained datum of
- * arbitrary size.
- */
-
-struct NSSItemStr {
-  void *data;
-  PRUint32 size;
-};
-typedef struct NSSItemStr NSSItem;
-
-
-/*
- * NSSBER
- *
- * Data packed according to the Basic Encoding Rules of ASN.1.
- */
-
-typedef NSSItem NSSBER;
-
-/*
- * NSSDER
- *
- * Data packed according to the Distinguished Encoding Rules of ASN.1;
- * this form is also known as the Canonical Encoding Rules form (CER).
- */
-
-typedef NSSBER NSSDER;
-
-/*
- * NSSBitString
- *
- * Some ASN.1 types use "bit strings," which are passed around as
- * octet strings but whose length is counted in bits.  We use this
- * typedef of NSSItem to point out the occasions when the length
- * is counted in bits, not octets.
- */
-
-typedef NSSItem NSSBitString;
-
-/*
- * NSSUTF8
- *
- * Character strings encoded in UTF-8, as defined by RFC 2279.
- */
-
-typedef char NSSUTF8;
-
-/*
- * NSSASCII7
- *
- * Character strings guaranteed to be 7-bit ASCII.
- */
-
-typedef char NSSASCII7;
-
-PR_END_EXTERN_C
-
-#endif /* NSSBASET_H */
diff --git a/security/nss/lib/base/tracker.c b/security/nss/lib/base/tracker.c
deleted file mode 100644
index 4bd54bebc..000000000
--- a/security/nss/lib/base/tracker.c
+++ /dev/null
@@ -1,546 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * tracker.c
- * 
- * This file contains the code used by the pointer-tracking calls used
- * in the debug builds to catch bad pointers.  The entire contents are
- * only available in debug builds (both internal and external builds).
- */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-#ifdef DEBUG
-
-/*
- * call_once
- *
- * Unfortunately, NSPR's PR_CallOnce function doesn't accept a closure
- * variable.  So I have a static version here which does.  This code 
- * is based on NSPR's, and uses the NSPR function to initialize the
- * required lock.
- */
-
-/*
- * The is the "once block" that's passed to the "real" PR_CallOnce
- * function, to call the local initializer myOnceFunction once.
- */
-static PRCallOnceType myCallOnce;
-
-/*
- * This structure is used by the call_once function to make sure that
- * any "other" threads calling the call_once don't return too quickly,
- * before the initializer has finished.
- */
-static struct {
-  PZLock *ml;
-  PZCondVar *cv;
-} mod_init;
-
-/*
- * This is the initializer for the above mod_init structure.
- */
-static PRStatus
-myOnceFunction
-(
-  void
-)
-{
-  mod_init.ml = PZ_NewLock(nssILockOther);
-  if( (PZLock *)NULL == mod_init.ml ) {
-    return PR_FAILURE;
-  }
-
-  mod_init.cv = PZ_NewCondVar(mod_init.ml);
-  if( (PZCondVar *)NULL == mod_init.cv ) {
-    PZ_DestroyLock(mod_init.ml);
-    mod_init.ml = (PZLock *)NULL;
-    return PR_FAILURE;
-  }
-
-  return PR_SUCCESS;
-}
-
-/*
- * The nss call_once callback takes a closure argument.
- */
-typedef PRStatus (PR_CALLBACK *nssCallOnceFN)(void *arg);
-
-/*
- * NSS's call_once function.
- */
-static PRStatus
-call_once
-(
-  PRCallOnceType *once,
-  nssCallOnceFN func,
-  void *arg
-)
-{
-  PRStatus rv;
-
-  if( !myCallOnce.initialized ) {
-    rv = PR_CallOnce(&myCallOnce, myOnceFunction);
-    if( PR_SUCCESS != rv ) {
-      return rv;
-    }
-  }
-
-  if( !once->initialized ) {
-    if( 0 == PR_AtomicSet(&once->inProgress, 1) ) {
-      once->status = (*func)(arg);
-      PZ_Lock(mod_init.ml);
-      once->initialized = 1;
-      PZ_NotifyAllCondVar(mod_init.cv);
-      PZ_Unlock(mod_init.ml);
-    } else {
-      PZ_Lock(mod_init.ml);
-      while( !once->initialized ) {
-        PZ_WaitCondVar(mod_init.cv, PR_INTERVAL_NO_TIMEOUT);
-      }
-      PZ_Unlock(mod_init.ml);
-    }
-  }
-
-  return once->status;
-}
-
-/*
- * Now we actually get to my own "call once" payload function.
- * But wait, to create the hash, I need a hash function!
- */
-
-/*
- * identity_hash
- *
- * This static callback is a PLHashFunction as defined in plhash.h
- * It merely returns the value of the object pointer as its hash.
- * There are no possible errors.
- */
-
-static PLHashNumber PR_CALLBACK
-identity_hash
-(
-  const void *key
-)
-{
-  return (PLHashNumber)key;
-}
-
-/*
- * trackerOnceFunc
- *
- * This function is called once, using the nssCallOnce function above.
- * It creates a new pointer tracker object; initialising its hash
- * table and protective lock.
- */
-
-static PRStatus
-trackerOnceFunc
-(
-  void *arg
-)
-{
-  nssPointerTracker *tracker = (nssPointerTracker *)arg;
-
-  tracker->lock = PZ_NewLock(nssILockOther);
-  if( (PZLock *)NULL == tracker->lock ) {
-    return PR_FAILURE;
-  }
-
-  tracker->table = PL_NewHashTable(0, 
-                                   identity_hash, 
-                                   PL_CompareValues,
-                                   PL_CompareValues,
-                                   (PLHashAllocOps *)NULL, 
-                                   (void *)NULL);
-  if( (PLHashTable *)NULL == tracker->table ) {
-    PZ_DestroyLock(tracker->lock);
-    tracker->lock = (PZLock *)NULL;
-    return PR_FAILURE;
-  }
-
-  return PR_SUCCESS;
-}
-
-/*
- * nssPointerTracker_initialize
- *
- * This method is only present in debug builds.
- * 
- * This routine initializes an nssPointerTracker object.  Note that
- * the object must have been declared *static* to guarantee that it
- * is in a zeroed state initially.  This routine is idempotent, and
- * may even be safely called by multiple threads simultaneously with 
- * the same argument.  This routine returns a PRStatus value; if 
- * successful, it will return PR_SUCCESS.  On failure it will set an 
- * error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  PR_SUCCESS
- *  PR_FAILURE
- */
-
-NSS_IMPLEMENT PRStatus
-nssPointerTracker_initialize
-(
-  nssPointerTracker *tracker
-)
-{
-  PRStatus rv = call_once(&tracker->once, trackerOnceFunc, tracker);
-  if( PR_SUCCESS != rv ) {
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-  }
-
-  return rv;
-}
-
-#ifdef DONT_DESTROY_EMPTY_TABLES
-/* See same #ifdef below */
-/*
- * count_entries
- *
- * This static routine is a PLHashEnumerator, as defined in plhash.h.
- * It merely causes the enumeration function to count the number of
- * entries.
- */
-
-static PRIntn PR_CALLBACK
-count_entries
-(
-  PLHashEntry *he,
-  PRIntn index,
-  void *arg
-)
-{
-  return HT_ENUMERATE_NEXT;
-}
-#endif /* DONT_DESTROY_EMPTY_TABLES */
-
-/*
- * zero_once
- *
- * This is a guaranteed zeroed once block.  It's used to help clear
- * the tracker.
- */
-
-static const PRCallOnceType zero_once;
-
-/*
- * nssPointerTracker_finalize
- *
- * This method is only present in debug builds.
- * 
- * This routine returns the nssPointerTracker object to the pre-
- * initialized state, releasing all resources used by the object.
- * It will *NOT* destroy the objects being tracked by the pointer
- * (should any remain), and therefore cannot be used to "sweep up"
- * remaining objects.  This routine returns a PRStatus value; if
- * successful, it will return PR_SUCCES.  On failure it will set an
- * error on the error stack and return PR_FAILURE.  If any objects
- * remain in the tracker when it is finalized, that will be treated
- * as an error.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_POINTER
- *  NSS_ERROR_TRACKER_NOT_INITIALIZED
- *  NSS_ERROR_TRACKER_NOT_EMPTY
- *
- * Return value:
- *  PR_SUCCESS
- *  PR_FAILURE
- */
-
-NSS_IMPLEMENT PRStatus
-nssPointerTracker_finalize
-(
-  nssPointerTracker *tracker
-)
-{
-  PZLock *lock;
-
-  if( (nssPointerTracker *)NULL == tracker ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return PR_FAILURE;
-  }
-
-  if( (PZLock *)NULL == tracker->lock ) {
-    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
-    return PR_FAILURE;
-  }
-
-  lock = tracker->lock;
-  PZ_Lock(lock);
-
-  if( (PLHashTable *)NULL == tracker->table ) {
-    PZ_Unlock(lock);
-    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
-    return PR_FAILURE;
-  }
-
-#ifdef DONT_DESTROY_EMPTY_TABLES
-  /*
-   * I changed my mind; I think we don't want this after all.
-   * Comments?
-   */
-  count = PL_HashTableEnumerateEntries(tracker->table, 
-                                       count_entries,
-                                       (void *)NULL);
-
-  if( 0 != count ) {
-    PZ_Unlock(lock);
-    nss_SetError(NSS_ERROR_TRACKER_NOT_EMPTY);
-    return PR_FAILURE;
-  }
-#endif /* DONT_DESTROY_EMPTY_TABLES */
-
-  PL_HashTableDestroy(tracker->table);
-  /* memset(tracker, 0, sizeof(nssPointerTracker)); */
-  tracker->once = zero_once;
-  tracker->lock = (PZLock *)NULL;
-  tracker->table = (PLHashTable *)NULL;
-
-  PZ_Unlock(lock);
-  PZ_DestroyLock(lock);
-
-  return PR_SUCCESS;
-}
-
-/*
- * nssPointerTracker_add
- *
- * This method is only present in debug builds.
- *
- * This routine adds the specified pointer to the nssPointerTracker
- * object.  It should be called in constructor objects to register
- * new valid objects.  The nssPointerTracker is threadsafe, but this
- * call is not idempotent.  This routine returns a PRStatus value;
- * if successful it will return PR_SUCCESS.  On failure it will set
- * an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_POINTER
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_TRACKER_NOT_INITIALIZED
- *  NSS_ERROR_DUPLICATE_POINTER
- *
- * Return value:
- *  PR_SUCCESS
- *  PR_FAILURE
- */
-
-NSS_IMPLEMENT PRStatus
-nssPointerTracker_add
-(
-  nssPointerTracker *tracker,
-  const void *pointer
-)
-{
-  void *check;
-  PLHashEntry *entry;
-
-  if( (nssPointerTracker *)NULL == tracker ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return PR_FAILURE;
-  }
-
-  if( (PZLock *)NULL == tracker->lock ) {
-    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
-    return PR_FAILURE;
-  }
-
-  PZ_Lock(tracker->lock);
-
-  if( (PLHashTable *)NULL == tracker->table ) {
-    PZ_Unlock(tracker->lock);
-    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
-    return PR_FAILURE;
-  }
-
-  check = PL_HashTableLookup(tracker->table, pointer);
-  if( (void *)NULL != check ) {
-    PZ_Unlock(tracker->lock);
-    nss_SetError(NSS_ERROR_DUPLICATE_POINTER);
-    return PR_FAILURE;
-  }
-
-  entry = PL_HashTableAdd(tracker->table, pointer, (void *)pointer);
-
-  PZ_Unlock(tracker->lock);
-
-  if( (PLHashEntry *)NULL == entry ) {
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-    return PR_FAILURE;
-  }
-
-  return PR_SUCCESS;
-}
-  
-/*
- * nssPointerTracker_remove
- *
- * This method is only present in debug builds.
- *
- * This routine removes the specified pointer from the 
- * nssPointerTracker object.  It does not call any destructor for the
- * object; rather, this should be called from the object's destructor.
- * The nssPointerTracker is threadsafe, but this call is not 
- * idempotent.  This routine returns a PRStatus value; if successful 
- * it will return PR_SUCCESS.  On failure it will set an error on the 
- * error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_POINTER
- *  NSS_ERROR_TRACKER_NOT_INITIALIZED
- *  NSS_ERROR_POINTER_NOT_REGISTERED
- *
- * Return value:
- *  PR_SUCCESS
- *  PR_FAILURE
- */
-
-NSS_IMPLEMENT PRStatus
-nssPointerTracker_remove
-(
-  nssPointerTracker *tracker,
-  const void *pointer
-)
-{
-  PRBool registered;
-
-  if( (nssPointerTracker *)NULL == tracker ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return PR_FAILURE;
-  }
-
-  if( (PZLock *)NULL == tracker->lock ) {
-    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
-    return PR_FAILURE;
-  }
-
-  PZ_Lock(tracker->lock);
-
-  if( (PLHashTable *)NULL == tracker->table ) {
-    PZ_Unlock(tracker->lock);
-    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
-    return PR_FAILURE;
-  }
-
-  registered = PL_HashTableRemove(tracker->table, pointer);
-  PZ_Unlock(tracker->lock);
-
-  if( !registered ) {
-    nss_SetError(NSS_ERROR_POINTER_NOT_REGISTERED);
-    return PR_FAILURE;
-  }
-
-  return PR_SUCCESS;
-}
-
-/*
- * nssPointerTracker_verify
- *
- * This method is only present in debug builds.
- *
- * This routine verifies that the specified pointer has been registered
- * with the nssPointerTracker object.  The nssPointerTracker object is
- * threadsafe, and this call may be safely called from multiple threads
- * simultaneously with the same arguments.  This routine returns a
- * PRStatus value; if the pointer is registered this will return 
- * PR_SUCCESS.  Otherwise it will set an error on the error stack and 
- * return PR_FAILURE.  Although the error is suitable for leaving on 
- * the stack, callers may wish to augment the information available by 
- * placing a more type-specific error on the stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_POINTER
- *  NSS_ERROR_TRACKER_NOT_INITIALIZED
- *  NSS_ERROR_POINTER_NOT_REGISTERED
- *
- * Return value:
- *  PR_SUCCESS
- *  PR_FAILRUE
- */
-
-NSS_IMPLEMENT PRStatus
-nssPointerTracker_verify
-(
-  nssPointerTracker *tracker,
-  const void *pointer
-)
-{
-  void *check;
-
-  if( (nssPointerTracker *)NULL == tracker ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return PR_FAILURE;
-  }
-
-  if( (PZLock *)NULL == tracker->lock ) {
-    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
-    return PR_FAILURE;
-  }
-
-  PZ_Lock(tracker->lock);
-
-  if( (PLHashTable *)NULL == tracker->table ) {
-    PZ_Unlock(tracker->lock);
-    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
-    return PR_FAILURE;
-  }
-
-  check = PL_HashTableLookup(tracker->table, pointer);
-  PZ_Unlock(tracker->lock);
-
-  if( (void *)NULL == check ) {
-    nss_SetError(NSS_ERROR_POINTER_NOT_REGISTERED);
-    return PR_FAILURE;
-  }
-
-  return PR_SUCCESS;
-}
-
-#endif /* DEBUG */
diff --git a/security/nss/lib/base/utf8.c b/security/nss/lib/base/utf8.c
deleted file mode 100644
index 5360a2b14..000000000
--- a/security/nss/lib/base/utf8.c
+++ /dev/null
@@ -1,762 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * utf8.c
- *
- * This file contains some additional utility routines required for
- * handling UTF8 strings.
- */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-#include "plstr.h"
-
-/*
- * NOTES:
- *
- * There's an "is hex string" function in pki1/atav.c.  If we need
- * it in more places, pull that one out.
- */
-
-/*
- * nssUTF8_CaseIgnoreMatch
- * 
- * Returns true if the two UTF8-encoded strings pointed to by the 
- * two specified NSSUTF8 pointers differ only in typcase.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- *  PR_TRUE if the strings match, ignoring case
- *  PR_FALSE if they don't
- *  PR_FALSE upon error
- */
-
-NSS_IMPLEMENT PRBool
-nssUTF8_CaseIgnoreMatch
-(
-  const NSSUTF8 *a,
-  const NSSUTF8 *b,
-  PRStatus *statusOpt
-)
-{
-#ifdef NSSDEBUG
-  if( ((const NSSUTF8 *)NULL == a) ||
-      ((const NSSUTF8 *)NULL == b) ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    if( (PRStatus *)NULL != statusOpt ) {
-      *statusOpt = PR_FAILURE;
-    }
-    return PR_FALSE;
-  }
-#endif /* NSSDEBUG */
-
-  if( (PRStatus *)NULL != statusOpt ) {
-    *statusOpt = PR_SUCCESS;
-  }
-
-  /*
-   * XXX fgmr
-   *
-   * This is, like, so wrong!
-   */
-  if( 0 == PL_strcasecmp((const char *)a, (const char *)b) ) {
-    return PR_TRUE;
-  } else {
-    return PR_FALSE;
-  }
-}
-
-/*
- * nssUTF8_PrintableMatch
- *
- * Returns true if the two Printable strings pointed to by the 
- * two specified NSSUTF8 pointers match when compared with the 
- * rules for Printable String (leading and trailing spaces are 
- * disregarded, extents of whitespace match irregardless of length, 
- * and case is not significant), then PR_TRUE will be returned.
- * Otherwise, PR_FALSE will be returned.  Upon failure, PR_FALSE
- * will be returned.  If the optional statusOpt argument is not
- * NULL, then PR_SUCCESS or PR_FAILURE will be stored in that
- * location.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_POINTER
- *
- * Return value:
- *  PR_TRUE if the strings match, ignoring case
- *  PR_FALSE if they don't
- *  PR_FALSE upon error
- */
-
-NSS_IMPLEMENT PRBool
-nssUTF8_PrintableMatch
-(
-  const NSSUTF8 *a,
-  const NSSUTF8 *b,
-  PRStatus *statusOpt
-)
-{
-  PRUint8 *c;
-  PRUint8 *d;
-
-#ifdef NSSDEBUG
-  if( ((const NSSUTF8 *)NULL == a) ||
-      ((const NSSUTF8 *)NULL == b) ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    if( (PRStatus *)NULL != statusOpt ) {
-      *statusOpt = PR_FAILURE;
-    }
-    return PR_FALSE;
-  }
-#endif /* NSSDEBUG */
-
-  if( (PRStatus *)NULL != statusOpt ) {
-    *statusOpt = PR_SUCCESS;
-  }
-
-  c = (PRUint8 *)a;
-  d = (PRUint8 *)b;
-
-  while( ' ' == *c ) {
-    c++;
-  }
-
-  while( ' ' == *d ) {
-    d++;
-  }
-
-  while( ('\0' != *c) && ('\0' != *d) ) {
-    PRUint8 e, f;
-
-    e = *c;
-    f = *d;
-    
-    if( ('a' <= e) && (e <= 'z') ) {
-      e -= ('a' - 'A');
-    }
-
-    if( ('a' <= f) && (f <= 'z') ) {
-      f -= ('a' - 'A');
-    }
-
-    if( e != f ) {
-      return PR_FALSE;
-    }
-
-    c++;
-    d++;
-
-    if( ' ' == *c ) {
-      while( ' ' == *c ) {
-        c++;
-      }
-      c--;
-    }
-
-    if( ' ' == *d ) {
-      while( ' ' == *d ) {
-        d++;
-      }
-      d--;
-    }
-  }
-
-  while( ' ' == *c ) {
-    c++;
-  }
-
-  while( ' ' == *d ) {
-    d++;
-  }
-
-  if( *c == *d ) {
-    /* And both '\0', btw */
-    return PR_TRUE;
-  } else {
-    return PR_FALSE;
-  }
-}
-
-/*
- * nssUTF8_Duplicate
- *
- * This routine duplicates the UTF8-encoded string pointed to by the
- * specified NSSUTF8 pointer.  If the optional arenaOpt argument is
- * not null, the memory required will be obtained from that arena;
- * otherwise, the memory required will be obtained from the heap.
- * A pointer to the new string will be returned.  In case of error,
- * an error will be placed on the error stack and NULL will be 
- * returned.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_POINTER
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_NO_MEMORY
- */
-
-NSS_IMPLEMENT NSSUTF8 *
-nssUTF8_Duplicate
-(
-  const NSSUTF8 *s,
-  NSSArena *arenaOpt
-)
-{
-  NSSUTF8 *rv;
-  PRUint32 len;
-
-#ifdef NSSDEBUG
-  if( (const NSSUTF8 *)NULL == s ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return (NSSUTF8 *)NULL;
-  }
-
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSUTF8 *)NULL;
-    }
-  }
-#endif /* NSSDEBUG */
-
-  len = PL_strlen((const char *)s);
-#ifdef PEDANTIC
-  if( '\0' != ((const char *)s)[ len ] ) {
-    /* must have wrapped, e.g., too big for PRUint32 */
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-    return (NSSUTF8 *)NULL;
-  }
-#endif /* PEDANTIC */
-  len++; /* zero termination */
-
-  rv = nss_ZAlloc(arenaOpt, len);
-  if( (void *)NULL == rv ) {
-    return (NSSUTF8 *)NULL;
-  }
-
-  (void)nsslibc_memcpy(rv, s, len);
-  return rv;
-}
-
-/*
- * nssUTF8_Size
- *
- * This routine returns the length in bytes (including the terminating
- * null) of the UTF8-encoded string pointed to by the specified
- * NSSUTF8 pointer.  Zero is returned on error.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_POINTER
- *  NSS_ERROR_VALUE_TOO_LARGE
- *
- * Return value:
- *  0 on error
- *  nonzero length of the string.
- */
-
-NSS_IMPLEMENT PRUint32
-nssUTF8_Size
-(
-  const NSSUTF8 *s,
-  PRStatus *statusOpt
-)
-{
-  PRUint32 sv;
-
-#ifdef NSSDEBUG
-  if( (const NSSUTF8 *)NULL == s ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    if( (PRStatus *)NULL != statusOpt ) {
-      *statusOpt = PR_FAILURE;
-    }
-    return 0;
-  }
-#endif /* NSSDEBUG */
-
-  sv = PL_strlen((const char *)s) + 1;
-#ifdef PEDANTIC
-  if( '\0' != ((const char *)s)[ sv-1 ] ) {
-    /* wrapped */
-    nss_SetError(NSS_ERROR_VALUE_TOO_LARGE);
-    if( (PRStatus *)NULL != statusOpt ) {
-      *statusOpt = PR_FAILURE;
-    }
-    return 0;
-  }
-#endif /* PEDANTIC */
-
-  if( (PRStatus *)NULL != statusOpt ) {
-    *statusOpt = PR_SUCCESS;
-  }
-
-  return sv;
-}
-
-/*
- * nssUTF8_Length
- *
- * This routine returns the length in characters (not including the
- * terminating null) of the UTF8-encoded string pointed to by the
- * specified NSSUTF8 pointer.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_POINTER
- *  NSS_ERROR_VALUE_TOO_LARGE
- *  NSS_ERROR_INVALID_STRING
- *
- * Return value:
- *  length of the string (which may be zero)
- *  0 on error
- */
-
-NSS_IMPLEMENT PRUint32
-nssUTF8_Length
-(
-  const NSSUTF8 *s,
-  PRStatus *statusOpt
-)
-{
-  PRUint32 l = 0;
-  const PRUint8 *c = (const PRUint8 *)s;
-
-#ifdef NSSDEBUG
-  if( (const NSSUTF8 *)NULL == s ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    goto loser;
-  }
-#endif /* NSSDEBUG */
-
-  /*
-   * From RFC 2044:
-   *
-   * UCS-4 range (hex.)           UTF-8 octet sequence (binary)
-   * 0000 0000-0000 007F   0xxxxxxx
-   * 0000 0080-0000 07FF   110xxxxx 10xxxxxx
-   * 0000 0800-0000 FFFF   1110xxxx 10xxxxxx 10xxxxxx
-   * 0001 0000-001F FFFF   11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
-   * 0020 0000-03FF FFFF   111110xx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx
-   * 0400 0000-7FFF FFFF   1111110x 10xxxxxx ... 10xxxxxx
-   */  
-
-  while( 0 != *c ) {
-    PRUint32 incr;
-    if( (*c & 0x80) == 0 ) {
-      incr = 1;
-    } else if( (*c & 0xE0) == 0xC0 ) {
-      incr = 2;
-    } else if( (*c & 0xF0) == 0xE0 ) {
-      incr = 3;
-    } else if( (*c & 0xF8) == 0xF0 ) {
-      incr = 4;
-    } else if( (*c & 0xFC) == 0xF8 ) {
-      incr = 5;
-    } else if( (*c & 0xFE) == 0xFC ) {
-      incr = 6;
-    } else {
-      nss_SetError(NSS_ERROR_INVALID_STRING);
-      goto loser;
-    }
-
-    l += incr;
-
-#ifdef PEDANTIC
-    if( l < incr ) {
-      /* Wrapped-- too big */
-      nss_SetError(NSS_ERROR_VALUE_TOO_LARGE);
-      goto loser;
-    }
-
-    {
-      PRUint8 *d;
-      for( d = &c[1]; d < &c[incr]; d++ ) {
-        if( (*d & 0xC0) != 0xF0 ) {
-          nss_SetError(NSS_ERROR_INVALID_STRING);
-          goto loser;
-        }
-      }
-    }
-#endif /* PEDANTIC */
-
-    c += incr;
-  }
-
-  if( (PRStatus *)NULL != statusOpt ) {
-    *statusOpt = PR_SUCCESS;
-  }
-
-  return l;
-
- loser:
-  if( (PRStatus *)NULL != statusOpt ) {
-    *statusOpt = PR_FAILURE;
-  }
-
-  return 0;
-}
-
-
-/*
- * nssUTF8_Create
- *
- * This routine creates a UTF8 string from a string in some other
- * format.  Some types of string may include embedded null characters,
- * so for them the length parameter must be used.  For string types
- * that are null-terminated, the length parameter is optional; if it
- * is zero, it will be ignored.  If the optional arena argument is
- * non-null, the memory used for the new string will be obtained from
- * that arena, otherwise it will be obtained from the heap.  This
- * routine may return NULL upon error, in which case it will have
- * placed an error on the error stack.
- *
- * The error may be one of the following:
- *  NSS_ERROR_INVALID_POINTER
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_UNSUPPORTED_TYPE
- *
- * Return value:
- *  NULL upon error
- *  A non-null pointer to a new UTF8 string otherwise
- */
-
-extern const NSSError NSS_ERROR_INTERNAL_ERROR; /* XXX fgmr */
-
-NSS_IMPLEMENT NSSUTF8 *
-nssUTF8_Create
-(
-  NSSArena *arenaOpt,
-  nssStringType type,
-  const void *inputString,
-  PRUint32 size /* in bytes, not characters */
-)
-{
-  NSSUTF8 *rv = NULL;
-
-#ifdef NSSDEBUG
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSUTF8 *)NULL;
-    }
-  }
-
-  if( (const void *)NULL == inputString ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return (NSSUTF8 *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  switch( type ) {
-  case nssStringType_DirectoryString:
-    /* This is a composite type requiring BER */
-    nss_SetError(NSS_ERROR_UNSUPPORTED_TYPE);
-    break;
-  case nssStringType_TeletexString:
-    /*
-     * draft-ietf-pkix-ipki-part1-11 says in part:
-     *
-     * In addition, many legacy implementations support names encoded 
-     * in the ISO 8859-1 character set (Latin1String) but tag them as 
-     * TeletexString.  The Latin1String includes characters used in 
-     * Western European countries which are not part of the 
-     * TeletexString charcter set.  Implementations that process 
-     * TeletexString SHOULD be prepared to handle the entire ISO 
-     * 8859-1 character set.[ISO 8859-1].
-     */
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
-    break;
-  case nssStringType_PrintableString:
-    /*
-     * PrintableString consists of A-Za-z0-9 ,()+,-./:=?
-     * This is a subset of ASCII, which is a subset of UTF8.
-     * So we can just duplicate the string over.
-     */
-
-    if( 0 == size ) {
-      rv = nssUTF8_Duplicate((const NSSUTF8 *)inputString, arenaOpt);
-    } else {
-      rv = nss_ZAlloc(arenaOpt, size+1);
-      if( (NSSUTF8 *)NULL == rv ) {
-        return (NSSUTF8 *)NULL;
-      }
-
-      (void)nsslibc_memcpy(rv, inputString, size);
-    }
-
-    break;
-  case nssStringType_UniversalString:
-    /* 4-byte unicode */
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
-    break;
-  case nssStringType_BMPString:
-    /* Base Multilingual Plane of Unicode */
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
-    break;
-  case nssStringType_UTF8String:
-    if( 0 == size ) {
-      rv = nssUTF8_Duplicate((const NSSUTF8 *)inputString, arenaOpt);
-    } else {
-      rv = nss_ZAlloc(arenaOpt, size+1);
-      if( (NSSUTF8 *)NULL == rv ) {
-        return (NSSUTF8 *)NULL;
-      }
-
-      (void)nsslibc_memcpy(rv, inputString, size);
-    }
-
-    break;
-  case nssStringType_PHGString:
-    /* 
-     * PHGString is an IA5String (with case-insensitive comparisons).
-     * IA5 is ~almost~ ascii; ascii has dollar-sign where IA5 has
-     * currency symbol.
-     */
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
-    break;
-  case nssStringType_GeneralString:
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
-    break;
-  default:
-    nss_SetError(NSS_ERROR_UNSUPPORTED_TYPE);
-    break;
-  }
-
-  return rv;
-}
-
-NSS_IMPLEMENT NSSItem *
-nssUTF8_GetEncoding
-(
-  NSSArena *arenaOpt,
-  NSSItem *rvOpt,
-  nssStringType type,
-  NSSUTF8 *string
-)
-{
-  NSSItem *rv = (NSSItem *)NULL;
-  PRStatus status = PR_SUCCESS;
-
-#ifdef NSSDEBUG
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSItem *)NULL;
-    }
-  }
-
-  if( (NSSUTF8 *)NULL == string ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return (NSSItem *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  switch( type ) {
-  case nssStringType_DirectoryString:
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
-    break;
-  case nssStringType_TeletexString:
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
-    break;
-  case nssStringType_PrintableString:
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
-    break;
-  case nssStringType_UniversalString:
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
-    break;
-  case nssStringType_BMPString:
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
-    break;
-  case nssStringType_UTF8String:
-    {
-      NSSUTF8 *dup = nssUTF8_Duplicate(string, arenaOpt);
-      if( (NSSUTF8 *)NULL == dup ) {
-        return (NSSItem *)NULL;
-      }
-
-      if( (NSSItem *)NULL == rvOpt ) {
-        rv = nss_ZNEW(arenaOpt, NSSItem);
-        if( (NSSItem *)NULL == rv ) {
-          (void)nss_ZFreeIf(dup);
-          return (NSSItem *)NULL;
-        }
-      } else {
-        rv = rvOpt;
-      }
-
-      rv->data = dup;
-      dup = (NSSUTF8 *)NULL;
-      rv->size = nssUTF8_Size(rv->data, &status);
-      if( (0 == rv->size) && (PR_SUCCESS != status) ) {
-        if( (NSSItem *)NULL == rvOpt ) {
-          (void)nss_ZFreeIf(rv);
-        }
-        return (NSSItem *)NULL;
-      }
-    }
-    break;
-  case nssStringType_PHGString:
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
-    break;
-  default:
-    nss_SetError(NSS_ERROR_UNSUPPORTED_TYPE);
-    break;
-  }
-
-  return rv;
-}
-
-/*
- * nssUTF8_CopyIntoFixedBuffer
- *
- * This will copy a UTF8 string into a fixed-length buffer, making 
- * sure that the all characters are valid.  Any remaining space will
- * be padded with the specified ASCII character, typically either 
- * null or space.
- *
- * Blah, blah, blah.
- */
-
-NSS_IMPLEMENT PRStatus
-nssUTF8_CopyIntoFixedBuffer
-(
-  NSSUTF8 *string,
-  char *buffer,
-  PRUint32 bufferSize,
-  char pad
-)
-{
-  PRUint32 stringSize = 0;
-
-#ifdef NSSDEBUG
-  if( (char *)NULL == buffer ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return PR_FALSE;
-  }
-
-  if( 0 == bufferSize ) {
-    nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
-    return PR_FALSE;
-  }
-
-  if( (pad & 0x80) != 0x00 ) {
-    nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
-    return PR_FALSE;
-  }
-#endif /* NSSDEBUG */
-
-  if( (NSSUTF8 *)NULL == string ) {
-    string = (NSSUTF8 *) "";
-  }
-
-  stringSize = nssUTF8_Size(string, (PRStatus *)NULL);
-  stringSize--; /* don't count the trailing null */
-  if( stringSize > bufferSize ) {
-    PRUint32 bs = bufferSize;
-    (void)nsslibc_memcpy(buffer, string, bufferSize);
-    
-    if( (            ((buffer[ bs-1 ] & 0x80) == 0x00)) ||
-        ((bs > 1) && ((buffer[ bs-2 ] & 0xE0) == 0xC0)) ||
-        ((bs > 2) && ((buffer[ bs-3 ] & 0xF0) == 0xE0)) ||
-        ((bs > 3) && ((buffer[ bs-4 ] & 0xF8) == 0xF0)) ||
-        ((bs > 4) && ((buffer[ bs-5 ] & 0xFC) == 0xF8)) ||
-        ((bs > 5) && ((buffer[ bs-6 ] & 0xFE) == 0xFC)) ) {
-      /* It fit exactly */
-      return PR_SUCCESS;
-    }
-
-    /* Too long.  We have to trim the last character */
-    for( /*bs*/; bs != 0; bs-- ) {
-      if( (buffer[bs-1] & 0xC0) != 0x80 ) {
-        buffer[bs-1] = pad;
-        break;
-      } else {
-        buffer[bs-1] = pad;
-      }
-    }      
-  } else {
-    (void)nsslibc_memset(buffer, pad, bufferSize);
-    (void)nsslibc_memcpy(buffer, string, stringSize);
-  }
-
-  return PR_SUCCESS;
-}
-
-/*
- * nssUTF8_Equal
- *
- */
-
-NSS_IMPLEMENT PRBool
-nssUTF8_Equal
-(
-  const NSSUTF8 *a,
-  const NSSUTF8 *b,
-  PRStatus *statusOpt
-)
-{
-  PRUint32 la, lb;
-
-#ifdef NSSDEBUG
-  if( ((const NSSUTF8 *)NULL == a) ||
-      ((const NSSUTF8 *)NULL == b) ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    if( (PRStatus *)NULL != statusOpt ) {
-      *statusOpt = PR_FAILURE;
-    }
-    return PR_FALSE;
-  }
-#endif /* NSSDEBUG */
-
-  la = nssUTF8_Size(a, statusOpt);
-  if( 0 == la ) {
-    return PR_FALSE;
-  }
-
-  lb = nssUTF8_Size(b, statusOpt);
-  if( 0 == lb ) {
-    return PR_FALSE;
-  }
-
-  if( la != lb ) {
-    return PR_FALSE;
-  }
-
-  return nsslibc_memequal(a, b, la, statusOpt);
-}
diff --git a/security/nss/lib/base/whatnspr.c b/security/nss/lib/base/whatnspr.c
deleted file mode 100644
index 25ddb0f07..000000000
--- a/security/nss/lib/base/whatnspr.c
+++ /dev/null
@@ -1,174 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-/*
- * This file isolates us from differences in NSPR versions.
- * We have to detect the library with which we're running at
- * runtime, and switch behaviours there.  This lets us do
- * stuff like load cryptoki modules in Communicator.
- *
- * Hey, it's the PORT layer all over again!
- */
-
-static int whatnspr = 0;
-
-static int
-set_whatnspr
-(
-  void
-)
-{
-  /*
-   * The only runtime difference I could find was the
-   * return value of PR_dtoa.  We can't just look for
-   * a symbol in NSPR >=2, because it'll always be
-   * found (because we compile against NSPR >=2).
-   * Maybe we could look for a symbol merely in NSPR 1?
-   *
-   */
-
-  char buffer[64];
-  int decpt = 0, sign = 0;
-  char *rve = (char *)0;
-  /* extern int PR_dtoa(double, int, int, int *, int *, char **, char *, int); */
-  int r = (int)PR_dtoa((double)1.0, 0, 5, &decpt, &sign, &rve, 
-                       buffer, sizeof(buffer));
-
-  switch( r ) {
-  case 0:
-  case -1:
-    whatnspr = 2;
-    /*
-     * If we needed to, *now* we could look up "libVersionPoint"
-     * and get more data there.. except all current NSPR's (up
-     * to NSPR 4.x at time of writing) still say 2 in their
-     * version structure.
-     */
-    break;
-  default:
-    whatnspr = 1;
-    break;
-  }
-
-  return whatnspr;
-}
-
-#define WHATNSPR (whatnspr ? whatnspr : set_whatnspr())
-
-NSS_IMPLEMENT PRStatus
-nss_NewThreadPrivateIndex
-(
-  PRUintn *ip,
-  PRThreadPrivateDTOR dtor
-)
-{
-  switch( WHATNSPR ) {
-  case 1:
-    {
-      PRLibrary *l = (PRLibrary *)0;
-      void *f = PR_FindSymbolAndLibrary("PR_NewThreadPrivateID", &l);
-      typedef PRInt32 (*ntpt)(void);
-      ntpt ntp = (ntpt) f;
-
-      PR_ASSERT((void *)0 != f);
-
-      *ip = ntp();
-      return PR_SUCCESS;
-    }
-  case 2:
-  default:
-    return PR_NewThreadPrivateIndex(ip, dtor);
-  }
-}
-
-NSS_IMPLEMENT void *
-nss_GetThreadPrivate
-(
-  PRUintn i
-)
-{
-  switch( WHATNSPR ) {
-  case 1:
-    {
-      PRLibrary *l = (PRLibrary *)0;
-      void *f = PR_FindSymbolAndLibrary("PR_GetThreadPrivate", &l);
-      typedef void *(*gtpt)(PRThread *, PRInt32);
-      gtpt gtp = (gtpt) f;
-
-      PR_ASSERT((void *)0 != f);
-
-      return gtp(PR_CurrentThread(), i);
-    }
-  case 2:
-  default:
-    return PR_GetThreadPrivate(i);
-  }
-}
-
-NSS_IMPLEMENT void
-nss_SetThreadPrivate
-(
-  PRUintn i,
-  void *v
-)
-{
-  switch( WHATNSPR ) {
-  case 1:
-    {
-      PRLibrary *l = (PRLibrary *)0;
-      void *f = PR_FindSymbolAndLibrary("PR_SetThreadPrivate", &l);
-      typedef PRStatus (*stpt)(PRThread *, PRInt32, void *);
-      stpt stp = (stpt) f;
-
-      PR_ASSERT((void *)0 != f);
-
-      (void)stp(PR_CurrentThread(), i, v);
-      return;
-    }
-  case 2:
-  default:
-    (void)PR_SetThreadPrivate(i, v);
-    return;
-  }
-}
diff --git a/security/nss/lib/certdb/.cvsignore b/security/nss/lib/certdb/.cvsignore
deleted file mode 100644
index ec60123e5..000000000
--- a/security/nss/lib/certdb/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-nscertinit.c
diff --git a/security/nss/lib/certdb/Makefile b/security/nss/lib/certdb/Makefile
deleted file mode 100644
index a41aa72c6..000000000
--- a/security/nss/lib/certdb/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include config.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-export:: private_export
-
diff --git a/security/nss/lib/certdb/alg1485.c b/security/nss/lib/certdb/alg1485.c
deleted file mode 100644
index 8b8527dd8..000000000
--- a/security/nss/lib/certdb/alg1485.c
+++ /dev/null
@@ -1,1219 +0,0 @@
-/* alg1485.c - implementation of RFCs 1485, 1779 and 2253.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "prprf.h"
-#include "cert.h"
-#include "xconst.h"
-#include "genname.h"
-#include "secitem.h"
-#include "secerr.h"
-
-/* for better RFC 2253 compliance. */
-#define NSS_STRICT_RFC_2253_VALUES_ONLY 1
-
-struct NameToKind {
-    const char * name;
-    unsigned int maxLen; /* max bytes in UTF8 encoded string value */
-    SECOidTag    kind;
-};
-
-/* Add new entries to this table, and maybe to function CERT_ParseRFC1485AVA */
-static const struct NameToKind name2kinds[] = {
-/* keywords given in RFC 2253 */
-    { "CN",                      64, SEC_OID_AVA_COMMON_NAME              },
-    { "L",                      128, SEC_OID_AVA_LOCALITY                 },
-    { "ST",                     128, SEC_OID_AVA_STATE_OR_PROVINCE        },
-    { "O",                       64, SEC_OID_AVA_ORGANIZATION_NAME        },
-    { "OU",                      64, SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME },
-    { "C",                        2, SEC_OID_AVA_COUNTRY_NAME             },
-    { "STREET",                 128, SEC_OID_AVA_STREET_ADDRESS           },
-    { "DC",                     128, SEC_OID_AVA_DC                       },
-    { "UID",                    256, SEC_OID_RFC1274_UID                  },
-
-#ifndef NSS_STRICT_RFC_2253_KEYWORDS_ONLY
-/* NSS legacy keywords */
-    { "dnQualifier",          32767, SEC_OID_AVA_DN_QUALIFIER             },
-    { "E",                      128, SEC_OID_PKCS9_EMAIL_ADDRESS          },
-    { "MAIL",                   256, SEC_OID_RFC1274_MAIL                 },
-
-#ifndef NSS_LEGACY_KEYWORDS_ONLY
-/* values from draft-ietf-ldapbis-user-schema-05 */
-    { "SN",                      64, SEC_OID_AVA_SURNAME                  },
-    { "serialNumber",            64, SEC_OID_AVA_SERIAL_NUMBER            },
-    { "title",                   64, SEC_OID_AVA_TITLE                    },
-    { "postalAddress",          128, SEC_OID_AVA_POSTAL_ADDRESS           },
-    { "postalCode",              40, SEC_OID_AVA_POSTAL_CODE              },
-    { "postOfficeBox",           40, SEC_OID_AVA_POST_OFFICE_BOX          },
-    { "givenName",               64, SEC_OID_AVA_GIVEN_NAME               },
-    { "initials",                64, SEC_OID_AVA_INITIALS                 },
-    { "generationQualifier",     64, SEC_OID_AVA_GENERATION_QUALIFIER     },
-    { "houseIdentifier",         64, SEC_OID_AVA_HOUSE_IDENTIFIER         },
-#if 0 /* removed.  Not yet in any IETF draft or RFC. */
-    { "pseudonym",               64, SEC_OID_AVA_PSEUDONYM                },
-#endif
-#endif
-#endif
-    { 0,                        256, SEC_OID_UNKNOWN                      }
-};
-
-#define C_DOUBLE_QUOTE '\042'
-
-#define C_BACKSLASH '\134'
-
-#define C_EQUAL '='
-
-#define OPTIONAL_SPACE(c) \
-    (((c) == ' ') || ((c) == '\r') || ((c) == '\n'))
-
-#define SPECIAL_CHAR(c)						\
-    (((c) == ',') || ((c) == '=') || ((c) == C_DOUBLE_QUOTE) ||	\
-     ((c) == '\r') || ((c) == '\n') || ((c) == '+') ||		\
-     ((c) == '<') || ((c) == '>') || ((c) == '#') ||		\
-     ((c) == ';') || ((c) == C_BACKSLASH))
-
-
-#define IS_PRINTABLE(c)						\
-    ((((c) >= 'a') && ((c) <= 'z')) ||				\
-     (((c) >= 'A') && ((c) <= 'Z')) ||				\
-     (((c) >= '0') && ((c) <= '9')) ||				\
-     ((c) == ' ') ||						\
-     ((c) == '\'') ||						\
-     ((c) == '\050') ||				/* ( */		\
-     ((c) == '\051') ||				/* ) */		\
-     (((c) >= '+') && ((c) <= '/')) ||		/* + , - . / */	\
-     ((c) == ':') ||						\
-     ((c) == '=') ||						\
-     ((c) == '?'))
-
-int
-cert_AVAOidTagToMaxLen(SECOidTag tag)
-{
-    const struct NameToKind *n2k = name2kinds;
-
-    while (n2k->kind != tag && n2k->kind != SEC_OID_UNKNOWN) {
-	++n2k;
-    }
-    return (n2k->kind != SEC_OID_UNKNOWN) ? n2k->maxLen : -1;
-}
-
-static PRBool
-IsPrintable(unsigned char *data, unsigned len)
-{
-    unsigned char ch, *end;
-
-    end = data + len;
-    while (data < end) {
-	ch = *data++;
-	if (!IS_PRINTABLE(ch)) {
-	    return PR_FALSE;
-	}
-    }
-    return PR_TRUE;
-}
-
-static PRBool
-Is7Bit(unsigned char *data, unsigned len)
-{
-    unsigned char ch, *end;
-
-    end = data + len;
-    while (data < end) {
-        ch = *data++;
-        if ((ch & 0x80)) {
-            return PR_FALSE;
-        }
-    }
-    return PR_TRUE;
-}
-
-static void
-skipSpace(char **pbp, char *endptr)
-{
-    char *bp = *pbp;
-    while (bp < endptr && OPTIONAL_SPACE(*bp)) {
-	bp++;
-    }
-    *pbp = bp;
-}
-
-static SECStatus
-scanTag(char **pbp, char *endptr, char *tagBuf, int tagBufSize)
-{
-    char *bp, *tagBufp;
-    int taglen;
-
-    PORT_Assert(tagBufSize > 0);
-    
-    /* skip optional leading space */
-    skipSpace(pbp, endptr);
-    if (*pbp == endptr) {
-	/* nothing left */
-	return SECFailure;
-    }
-    
-    /* fill tagBuf */
-    taglen = 0;
-    bp = *pbp;
-    tagBufp = tagBuf;
-    while (bp < endptr && !OPTIONAL_SPACE(*bp) && (*bp != C_EQUAL)) {
-	if (++taglen >= tagBufSize) {
-	    *pbp = bp;
-	    return SECFailure;
-	}
-	*tagBufp++ = *bp++;
-    }
-    /* null-terminate tagBuf -- guaranteed at least one space left */
-    *tagBufp++ = 0;
-    *pbp = bp;
-    
-    /* skip trailing spaces till we hit something - should be an equal sign */
-    skipSpace(pbp, endptr);
-    if (*pbp == endptr) {
-	/* nothing left */
-	return SECFailure;
-    }
-    if (**pbp != C_EQUAL) {
-	/* should be an equal sign */
-	return SECFailure;
-    }
-    /* skip over the equal sign */
-    (*pbp)++;
-    
-    return SECSuccess;
-}
-
-static SECStatus
-scanVal(char **pbp, char *endptr, char *valBuf, int valBufSize)  
-{
-    char *bp, *valBufp;
-    int vallen;
-    PRBool isQuoted;
-    
-    PORT_Assert(valBufSize > 0);
-    
-    /* skip optional leading space */
-    skipSpace(pbp, endptr);
-    if(*pbp == endptr) {
-	/* nothing left */
-	return SECFailure;
-    }
-    
-    bp = *pbp;
-    
-    /* quoted? */
-    if (*bp == C_DOUBLE_QUOTE) {
-	isQuoted = PR_TRUE;
-	/* skip over it */
-	bp++;
-    } else {
-	isQuoted = PR_FALSE;
-    }
-    
-    valBufp = valBuf;
-    vallen = 0;
-    while (bp < endptr) {
-	char c = *bp;
-	if (c == C_BACKSLASH) {
-	    /* escape character */
-	    bp++;
-	    if (bp >= endptr) {
-		/* escape charater must appear with paired char */
-		*pbp = bp;
-		return SECFailure;
-	    }
-	} else if (!isQuoted && SPECIAL_CHAR(c)) {
-	    /* unescaped special and not within quoted value */
-	    break;
-	} else if (c == C_DOUBLE_QUOTE) {
-	    /* reached unescaped double quote */
-	    break;
-	}
-	/* append character */
-        vallen++;
-	if (vallen >= valBufSize) {
-	    *pbp = bp;
-	    return SECFailure;
-	}
-	*valBufp++ = *bp++;
-    }
-    
-    /* stip trailing spaces from unquoted values */
-    if (!isQuoted) {
-	if (valBufp > valBuf) {
-	    valBufp--;
-	    while ((valBufp > valBuf) && OPTIONAL_SPACE(*valBufp)) {
-		valBufp--;
-	    }
-	    valBufp++;
-	}
-    }
-    
-    if (isQuoted) {
-	/* insist that we stopped on a double quote */
-	if (*bp != C_DOUBLE_QUOTE) {
-	    *pbp = bp;
-	    return SECFailure;
-	}
-	/* skip over the quote and skip optional space */
-	bp++;
-	skipSpace(&bp, endptr);
-    }
-    
-    *pbp = bp;
-    
-    if (valBufp == valBuf) {
-	/* empty value -- not allowed */
-	return SECFailure;
-    }
-    
-    /* null-terminate valBuf -- guaranteed at least one space left */
-    *valBufp++ = 0;
-    
-    return SECSuccess;
-}
-
-CERTAVA *
-CERT_ParseRFC1485AVA(PRArenaPool *arena, char **pbp, char *endptr,
-		    PRBool singleAVA) 
-{
-    CERTAVA *a;
-    const struct NameToKind *n2k;
-    int vt;
-    int valLen;
-    char *bp;
-
-    char tagBuf[32];
-    char valBuf[384];
-
-    if (scanTag(pbp, endptr, tagBuf, sizeof(tagBuf)) == SECFailure ||
-	scanVal(pbp, endptr, valBuf, sizeof(valBuf)) == SECFailure) {
-	PORT_SetError(SEC_ERROR_INVALID_AVA);
-	return 0;
-    }
-
-    /* insist that if we haven't finished we've stopped on a separator */
-    bp = *pbp;
-    if (bp < endptr) {
-	if (singleAVA || (*bp != ',' && *bp != ';')) {
-	    PORT_SetError(SEC_ERROR_INVALID_AVA);
-	    *pbp = bp;
-	    return 0;
-	}
-	/* ok, skip over separator */
-	bp++;
-    }
-    *pbp = bp;
-
-    for (n2k = name2kinds; n2k->name; n2k++) {
-	if (PORT_Strcasecmp(n2k->name, tagBuf) == 0) {
-	    valLen = PORT_Strlen(valBuf);
-	    if (n2k->kind == SEC_OID_AVA_COUNTRY_NAME) {
-		vt = SEC_ASN1_PRINTABLE_STRING;
-		if (valLen != 2) {
-		    PORT_SetError(SEC_ERROR_INVALID_AVA);
-		    return 0;
-		}
-		if (!IsPrintable((unsigned char*) valBuf, 2)) {
-		    PORT_SetError(SEC_ERROR_INVALID_AVA);
-		    return 0;
-		}
-	    } else if ((n2k->kind == SEC_OID_PKCS9_EMAIL_ADDRESS) ||
-		       (n2k->kind == SEC_OID_RFC1274_MAIL)) {
-		vt = SEC_ASN1_IA5_STRING;
-	    } else {
-		/* Hack -- for rationale see X.520 DirectoryString defn */
-		if (IsPrintable((unsigned char*)valBuf, valLen)) {
-		    vt = SEC_ASN1_PRINTABLE_STRING;
-                } else if (Is7Bit((unsigned char *)valBuf, valLen)) {
-                    vt = SEC_ASN1_T61_STRING;
-		} else {
-		    /* according to RFC3280, UTF8String is preferred encoding */
-		    vt = SEC_ASN1_UTF8_STRING;
-		}
-	    }
-	    a = CERT_CreateAVA(arena, n2k->kind, vt, (char *) valBuf);
-	    return a;
-	}
-    }
-    /* matched no kind -- invalid tag */
-    PORT_SetError(SEC_ERROR_INVALID_AVA);
-    return 0;
-}
-
-static CERTName *
-ParseRFC1485Name(char *buf, int len)
-{
-    SECStatus rv;
-    CERTName *name;
-    char *bp, *e;
-    CERTAVA *ava;
-    CERTRDN *rdn;
-
-    name = CERT_CreateName(NULL);
-    if (name == NULL) {
-	return NULL;
-    }
-    
-    e = buf + len;
-    bp = buf;
-    while (bp < e) {
-	ava = CERT_ParseRFC1485AVA(name->arena, &bp, e, PR_FALSE);
-	if (ava == 0) goto loser;
-	rdn = CERT_CreateRDN(name->arena, ava, 0);
-	if (rdn == 0) goto loser;
-	rv = CERT_AddRDN(name, rdn);
-	if (rv) goto loser;
-	skipSpace(&bp, e);
-    }
-
-    if (name->rdns[0] == 0) {
-	/* empty name -- illegal */
-	goto loser;
-    }
-
-    /* Reverse order of RDNS to comply with RFC */
-    {
-	CERTRDN **firstRdn;
-	CERTRDN **lastRdn;
-	CERTRDN *tmp;
-	
-	/* get first one */
-	firstRdn = name->rdns;
-	
-	/* find last one */
-	lastRdn = name->rdns;
-	while (*lastRdn) lastRdn++;
-	lastRdn--;
-	
-	/* reverse list */
-	for ( ; firstRdn < lastRdn; firstRdn++, lastRdn--) {
-	    tmp = *firstRdn;
-	    *firstRdn = *lastRdn;
-	    *lastRdn = tmp;
-	}
-    }
-    
-    /* return result */
-    return name;
-    
-  loser:
-    CERT_DestroyName(name);
-    return NULL;
-}
-
-CERTName *
-CERT_AsciiToName(char *string)
-{
-    CERTName *name;
-    name = ParseRFC1485Name(string, PORT_Strlen(string));
-    return name;
-}
-
-/************************************************************************/
-
-typedef struct stringBufStr {
-    char *buffer;
-    unsigned offset;
-    unsigned size;
-} stringBuf;
-
-#define DEFAULT_BUFFER_SIZE 200
-
-static SECStatus
-AppendStr(stringBuf *bufp, char *str)
-{
-    char *buf;
-    unsigned bufLen, bufSize, len;
-    int size = 0;
-
-    /* Figure out how much to grow buf by (add in the '\0') */
-    buf = bufp->buffer;
-    bufLen = bufp->offset;
-    len = PORT_Strlen(str);
-    bufSize = bufLen + len;
-    if (!buf) {
-	bufSize++;
-	size = PR_MAX(DEFAULT_BUFFER_SIZE,bufSize*2);
-	buf = (char *) PORT_Alloc(size);
-	bufp->size = size;
-    } else if (bufp->size < bufSize) {
-	size = bufSize*2;
-	buf =(char *) PORT_Realloc(buf,size);
-	bufp->size = size;
-    }
-    if (!buf) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return SECFailure;
-    }
-    bufp->buffer = buf;
-    bufp->offset = bufSize;
-
-    /* Concatenate str onto buf */
-    buf = buf + bufLen;
-    if (bufLen) buf--;			/* stomp on old '\0' */
-    PORT_Memcpy(buf, str, len+1);		/* put in new null */
-    return SECSuccess;
-}
-
-SECStatus
-CERT_RFC1485_EscapeAndQuote(char *dst, int dstlen, char *src, int srclen)
-{
-    int i, reqLen=0;
-    char *d = dst;
-    PRBool needsQuoting = PR_FALSE;
-    char lastC = 0;
-    
-    /* need to make an initial pass to determine if quoting is needed */
-    for (i = 0; i < srclen; i++) {
-	char c = src[i];
-	reqLen++;
-	if (!needsQuoting && (SPECIAL_CHAR(c) ||
-	    (OPTIONAL_SPACE(c) && OPTIONAL_SPACE(lastC)))) {
-	    /* entirety will need quoting */
-	    needsQuoting = PR_TRUE;
-	}
-	if (c == C_DOUBLE_QUOTE || c == C_BACKSLASH) {
-	    /* this char will need escaping */
-	    reqLen++;
-	}
-	lastC = c;
-    }
-    /* if it begins or ends in optional space it needs quoting */
-    if (!needsQuoting && srclen > 0 && 
-	(OPTIONAL_SPACE(src[srclen-1]) || OPTIONAL_SPACE(src[0]))) {
-	needsQuoting = PR_TRUE;
-    }
-    
-    if (needsQuoting) reqLen += 2;
-
-    /* space for terminal null */
-    reqLen++;
-    
-    if (reqLen > dstlen) {
-	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
-	return SECFailure;
-    }
-    
-    d = dst;
-    if (needsQuoting) *d++ = C_DOUBLE_QUOTE;
-    for (i = 0; i < srclen; i++) {
-	char c = src[i];
-	if (c == C_DOUBLE_QUOTE || c == C_BACKSLASH) {
-	    /* escape it */
-	    *d++ = C_BACKSLASH;
-	}
-	*d++ = c;
-    }
-    if (needsQuoting) *d++ = C_DOUBLE_QUOTE;
-    *d++ = 0;
-    return SECSuccess;
-}
-
-/* convert an OID to dotted-decimal representation */
-/* Returns a string that must be freed with PR_smprintf_free(), */
-char *
-CERT_GetOidString(const SECItem *oid)
-{
-    PRUint8 *end;
-    PRUint8 *d;
-    PRUint8 *e;
-    char *a         = NULL;
-    char *b;
-
-#define MAX_OID_LEN 1024 /* bytes */
-
-    if (oid->len > MAX_OID_LEN) {
-    	PORT_SetError(SEC_ERROR_INPUT_LEN);
-	return NULL;
-    }
-
-    /* d will point to the next sequence of bytes to decode */
-    d = (PRUint8 *)oid->data;
-    /* end points to one past the legitimate data */
-    end = &d[ oid->len ];
-
-    /*
-     * Check for our pseudo-encoded single-digit OIDs
-     */
-    if( (*d == 0x80) && (2 == oid->len) ) {
-	/* Funky encoding.  The second byte is the number */
-	a = PR_smprintf("%lu", (PRUint32)d[1]);
-	if( (char *)NULL == a ) {
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    return (char *)NULL;
-	}
-	return a;
-    }
-
-    for( ; d < end; d = &e[1] ) {
-    
-	for( e = d; e < end; e++ ) {
-	    if( 0 == (*e & 0x80) ) {
-		break;
-	    }
-	}
-    
-	if( ((e-d) > 4) || (((e-d) == 4) && (*d & 0x70)) ) {
-	    /* More than a 32-bit number */
-	} else {
-	    PRUint32 n = 0;
-      
-	    switch( e-d ) {
-	    case 4:
-		n |= ((PRUint32)(e[-4] & 0x0f)) << 28;
-	    case 3:
-		n |= ((PRUint32)(e[-3] & 0x7f)) << 21;
-	    case 2:
-		n |= ((PRUint32)(e[-2] & 0x7f)) << 14;
-	    case 1:
-		n |= ((PRUint32)(e[-1] & 0x7f)) <<  7;
-	    case 0:
-		n |= ((PRUint32)(e[-0] & 0x7f))      ;
-	    }
-      
-	    if( (char *)NULL == a ) {
-		/* This is the first number.. decompose it */
-		PRUint32 one = PR_MIN(n/40, 2); /* never > 2 */
-		PRUint32 two = n - one * 40;
-        
-		a = PR_smprintf("OID.%lu.%lu", one, two);
-		if( (char *)NULL == a ) {
-		    PORT_SetError(SEC_ERROR_NO_MEMORY);
-		    return (char *)NULL;
-		}
-	    } else {
-		b = PR_smprintf("%s.%lu", a, n);
-		if( (char *)NULL == b ) {
-		    PR_smprintf_free(a);
-		    PORT_SetError(SEC_ERROR_NO_MEMORY);
-		    return (char *)NULL;
-		}
-        
-		PR_smprintf_free(a);
-		a = b;
-	    }
-	}
-    }
-
-    return a;
-}
-
-/* convert DER-encoded hex to a string */
-static SECItem *
-get_hex_string(SECItem *data)
-{
-    SECItem *rv;
-    unsigned int i, j;
-    static const char hex[] = { "0123456789ABCDEF" };
-
-    /* '#' + 2 chars per octet + terminator */
-    rv = SECITEM_AllocItem(NULL, NULL, data->len*2 + 2);
-    if (!rv) {
-	return NULL;
-    }
-    rv->data[0] = '#';
-    rv->len = 1 + 2 * data->len;
-    for (i=0; i<data->len; i++) {
-	j = data->data[i];
-	rv->data[2*i+1] = hex[j >> 4];
-	rv->data[2*i+2] = hex[j & 15];
-    }
-    rv->data[rv->len] = 0;
-    return rv;
-}
-
-static SECStatus
-AppendAVA(stringBuf *bufp, CERTAVA *ava)
-{
-    const struct NameToKind *n2k = name2kinds;
-    const char *tagName;
-    unsigned len, maxLen;
-    int tag;
-    SECStatus rv;
-    SECItem *avaValue = NULL;
-    char *unknownTag = NULL;
-    PRBool hexValue = PR_FALSE;
-    char tmpBuf[384];
-
-    tag = CERT_GetAVATag(ava);
-    while (n2k->kind != tag && n2k->kind != SEC_OID_UNKNOWN) {
-        ++n2k;
-    }
-    if (n2k->kind != SEC_OID_UNKNOWN) {
-        tagName = n2k->name;
-    } else {
-	/* handle unknown attribute types per RFC 2253 */
-	tagName = unknownTag = CERT_GetOidString(&ava->type);
-	if (!tagName)
-	    return SECFailure;
-    }
-    maxLen = n2k->maxLen;
-
-#ifdef NSS_STRICT_RFC_2253_VALUES_ONLY
-    if (!unknownTag)
-#endif
-    avaValue = CERT_DecodeAVAValue(&ava->value);
-    if(!avaValue) {
-	/* the attribute value is not recognized, get the hex value */
-	avaValue = get_hex_string(&ava->value);
-	if(!avaValue) {
-	    if (unknownTag) PR_smprintf_free(unknownTag);
-	    return SECFailure;
-	}
-	hexValue = PR_TRUE;
-    }
-
-    /* Check value length */
-    if (avaValue->len > maxLen + 3) {  /* must be room for "..." */
-	/* avaValue is a UTF8 string, freshly allocated and returned to us 
-	** by CERT_DecodeAVAValue or get_hex_string just above, so we can
-	** modify it here.  See if we're in the middle of a multi-byte
-	** UTF8 character.
-	*/
-	while (((avaValue->data[maxLen] & 0xc0) == 0x80) && maxLen > 0) {
-	   maxLen--;
-	}
-	/* add elipsis to signify truncation. */
-	avaValue->data[maxLen++] = '.'; 
-	avaValue->data[maxLen++] = '.';
-	avaValue->data[maxLen++] = '.';
-	avaValue->data[maxLen]   = 0;
-	avaValue->len = maxLen;
-    }
-
-    len = PORT_Strlen(tagName);
-    if (len+1 > sizeof(tmpBuf)) {
-	if (unknownTag) PR_smprintf_free(unknownTag);
-	SECITEM_FreeItem(avaValue, PR_TRUE);
-	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
-	return SECFailure;
-    }
-    PORT_Memcpy(tmpBuf, tagName, len);
-    if (unknownTag) PR_smprintf_free(unknownTag);
-    tmpBuf[len++] = '=';
-    
-    /* escape and quote as necessary - don't quote hex strings */
-    if (hexValue) {
-        /* appent avaValue to tmpBuf */
-	if (avaValue->len + len + 1 > sizeof tmpBuf) {
-	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	    rv = SECFailure;
-    	} else {
-	    PORT_Strncpy(tmpBuf+len, (char *)avaValue->data, avaValue->len + 1);
-	    rv = SECSuccess;
-	}
-    } else 
-	rv = CERT_RFC1485_EscapeAndQuote(tmpBuf+len, sizeof(tmpBuf)-len, 
-		    		     (char *)avaValue->data, avaValue->len);
-    SECITEM_FreeItem(avaValue, PR_TRUE);
-    if (rv) return SECFailure;
-    
-    rv = AppendStr(bufp, tmpBuf);
-    return rv;
-}
-
-char *
-CERT_NameToAscii(CERTName *name)
-{
-    CERTRDN** rdns;
-    CERTRDN** lastRdn;
-    CERTRDN** rdn;
-    PRBool first = PR_TRUE;
-    stringBuf strBuf = { NULL, 0, 0 };
-    
-    rdns = name->rdns;
-    if (rdns == NULL) {
-	return NULL;
-    }
-    
-    /* find last RDN */
-    lastRdn = rdns;
-    while (*lastRdn) lastRdn++;
-    lastRdn--;
-    
-    /*
-     * Loop over name contents in _reverse_ RDN order appending to string
-     */
-    for (rdn = lastRdn; rdn >= rdns; rdn--) {
-	CERTAVA** avas = (*rdn)->avas;
-	CERTAVA* ava;
-	PRBool newRDN = PR_TRUE;
-
-	/* 
-	 * XXX Do we need to traverse the AVAs in reverse order, too?
-	 */
-	while (avas && (ava = *avas++) != NULL) {
-	    SECStatus rv;
-	    /* Put in comma or plus separator */
-	    if (!first) {
-		/* Use of spaces is deprecated in RFC 2253. */
-		rv = AppendStr(&strBuf, newRDN ? "," : "+");
-		if (rv) goto loser;
-	    } else {
-		first = PR_FALSE;
-	    }
-	    
-	    /* Add in tag type plus value into buf */
-	    rv = AppendAVA(&strBuf, ava);
-	    if (rv) goto loser;
-	    newRDN = PR_FALSE;
-	}
-    }
-    return strBuf.buffer;
-loser:
-    if (strBuf.buffer) {
-	PORT_Free(strBuf.buffer);
-    }
-    return NULL;
-}
-
-/*
- * Return the string representation of a DER encoded distinguished name
- * "dername" - The DER encoded name to convert
- */
-char *
-CERT_DerNameToAscii(SECItem *dername)
-{
-    int rv;
-    PRArenaPool *arena = NULL;
-    CERTName name;
-    char *retstr = NULL;
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    
-    if ( arena == NULL) {
-	goto loser;
-    }
-    
-    rv = SEC_QuickDERDecodeItem(arena, &name, CERT_NameTemplate, dername);
-    
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    retstr = CERT_NameToAscii(&name);
-
-loser:
-    if ( arena != NULL ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    
-    return(retstr);
-}
-
-/* RDNs are sorted from most general to most specific.
- * This code returns the FIRST one found, the most general one found.
- */
-static char *
-CERT_GetNameElement(PRArenaPool *arena, CERTName *name, int wantedTag)
-{
-    CERTRDN** rdns;
-    CERTRDN *rdn;
-    char *buf = 0;
-    
-    rdns = name->rdns;
-    while (rdns && (rdn = *rdns++) != 0) {
-	CERTAVA** avas = rdn->avas;
-	CERTAVA*  ava;
-	while (avas && (ava = *avas++) != 0) {
-	    int tag = CERT_GetAVATag(ava);
-	    if ( tag == wantedTag ) {
-		SECItem *decodeItem = CERT_DecodeAVAValue(&ava->value);
-		if(!decodeItem) {
-		    return NULL;
-		}
-		if (arena) {
-		    buf = (char *)PORT_ArenaZAlloc(arena,decodeItem->len + 1);
-		} else {
-		    buf = (char *)PORT_ZAlloc(decodeItem->len + 1);
-		}
-		if ( buf ) {
-		    PORT_Memcpy(buf, decodeItem->data, decodeItem->len);
-		    buf[decodeItem->len] = 0;
-		}
-		SECITEM_FreeItem(decodeItem, PR_TRUE);
-		goto done;
-	    }
-	}
-    }
-    
-  done:
-    return buf;
-}
-
-/* RDNs are sorted from most general to most specific.
- * This code returns the LAST one found, the most specific one found.
- * This is particularly appropriate for Common Name.  See RFC 2818.
- */
-static char *
-CERT_GetLastNameElement(PRArenaPool *arena, CERTName *name, int wantedTag)
-{
-    CERTRDN** rdns;
-    CERTRDN *rdn;
-    CERTAVA * lastAva = NULL;
-    char *buf = 0;
-    
-    rdns = name->rdns;
-    while (rdns && (rdn = *rdns++) != 0) {
-	CERTAVA** avas = rdn->avas;
-	CERTAVA*  ava;
-	while (avas && (ava = *avas++) != 0) {
-	    int tag = CERT_GetAVATag(ava);
-	    if ( tag == wantedTag ) {
-		lastAva = ava;
-	    }
-	}
-    }
-
-    if (lastAva) {
-	SECItem *decodeItem = CERT_DecodeAVAValue(&lastAva->value);
-	if(!decodeItem) {
-	    return NULL;
-	}
-	if (arena) {
-	    buf = (char *)PORT_ArenaZAlloc(arena,decodeItem->len + 1);
-	} else {
-	    buf = (char *)PORT_ZAlloc(decodeItem->len + 1);
-	}
-	if ( buf ) {
-	    PORT_Memcpy(buf, decodeItem->data, decodeItem->len);
-	    buf[decodeItem->len] = 0;
-	}
-	SECITEM_FreeItem(decodeItem, PR_TRUE);
-    }    
-    return buf;
-}
-
-char *
-CERT_GetCertificateEmailAddress(CERTCertificate *cert)
-{
-    char *rawEmailAddr = NULL;
-    SECItem subAltName;
-    SECStatus rv;
-    CERTGeneralName *nameList = NULL;
-    CERTGeneralName *current;
-    PRArenaPool *arena = NULL;
-    int i;
-    
-    subAltName.data = NULL;
-
-    rawEmailAddr = CERT_GetNameElement(cert->arena, &(cert->subject),
-						 SEC_OID_PKCS9_EMAIL_ADDRESS);
-    if ( rawEmailAddr == NULL ) {
-	rawEmailAddr = CERT_GetNameElement(cert->arena, &(cert->subject), 
-							SEC_OID_RFC1274_MAIL);
-    }
-    if ( rawEmailAddr == NULL) {
-
-	rv = CERT_FindCertExtension(cert,  SEC_OID_X509_SUBJECT_ALT_NAME, 
-								&subAltName);
-	if (rv != SECSuccess) {
-	    goto finish;
-	}
-	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-	if (!arena) {
-	    goto finish;
-	}
-	nameList = current = CERT_DecodeAltNameExtension(arena, &subAltName);
-	if (!nameList ) {
-	    goto finish;
-	}
-	if (nameList != NULL) {
-	    do {
-		if (current->type == certDirectoryName) {
-		    rawEmailAddr = CERT_GetNameElement(cert->arena,
-			&(current->name.directoryName), 
-					       SEC_OID_PKCS9_EMAIL_ADDRESS);
-		    if ( rawEmailAddr == NULL ) {
-			rawEmailAddr = CERT_GetNameElement(cert->arena,
-			  &(current->name.directoryName), SEC_OID_RFC1274_MAIL);
-		    }
-		} else if (current->type == certRFC822Name) {
-		    rawEmailAddr = (char*)PORT_ArenaZAlloc(cert->arena,
-						current->name.other.len + 1);
-		    if (!rawEmailAddr) {
-			goto finish;
-		    }
-		    PORT_Memcpy(rawEmailAddr, current->name.other.data, 
-				current->name.other.len);
-		    rawEmailAddr[current->name.other.len] = '\0';
-		}
-		if (rawEmailAddr) {
-		    break;
-		}
-		current = CERT_GetNextGeneralName(current);
-	    } while (current != nameList);
-	}
-    }
-    if (rawEmailAddr) {
-	for (i = 0; i <= (int) PORT_Strlen(rawEmailAddr); i++) {
-	    rawEmailAddr[i] = tolower(rawEmailAddr[i]);
-	}
-    } 
-
-finish:
-
-    /* Don't free nameList, it's part of the arena. */
-
-    if (arena) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-
-    if ( subAltName.data ) {
-	SECITEM_FreeItem(&subAltName, PR_FALSE);
-    }
-
-    return(rawEmailAddr);
-}
-
-static char *
-appendStringToBuf(char *dest, char *src, PRUint32 *pRemaining)
-{
-    PRUint32 len;
-    if (dest && src && src[0] && *pRemaining > (len = PL_strlen(src))) {
-	PRUint32 i;
-	for (i = 0; i < len; ++i)
-	    dest[i] = tolower(src[i]);
-	dest[len] = 0;
-	dest        += len + 1;
-	*pRemaining -= len + 1;
-    }
-    return dest;
-}
-
-static char *
-appendItemToBuf(char *dest, SECItem *src, PRUint32 *pRemaining)
-{
-    if (dest && src && src->data && src->len && src->data[0] && 
-        *pRemaining > src->len + 1 ) {
-	PRUint32 len = src->len;
-	PRUint32 i;
-	for (i = 0; i < len && src->data[i] ; ++i)
-	    dest[i] = tolower(src->data[i]);
-	dest[len] = 0;
-	dest        += len + 1;
-	*pRemaining -= len + 1;
-    }
-    return dest;
-}
-
-/* Returns a pointer to an environment-like string, a series of 
-** null-terminated strings, terminated by a zero-length string.
-** This function is intended to be internal to NSS.
-*/
-char *
-cert_GetCertificateEmailAddresses(CERTCertificate *cert)
-{
-    char *           rawEmailAddr = NULL;
-    char *           addrBuf      = NULL;
-    char *           pBuf         = NULL;
-    PRArenaPool *    tmpArena     = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    PRUint32         maxLen       = 0;
-    PRInt32          finalLen     = 0;
-    SECStatus        rv;
-    SECItem          subAltName;
-    
-    if (!tmpArena) 
-    	return addrBuf;
-
-    subAltName.data = NULL;
-    maxLen = cert->derCert.len;
-    PORT_Assert(maxLen);
-    if (!maxLen) 
-	maxLen = 2000;  /* a guess, should never happen */
-
-    pBuf = addrBuf = (char *)PORT_ArenaZAlloc(tmpArena, maxLen + 1);
-    if (!addrBuf) 
-    	goto loser;
-
-    rawEmailAddr = CERT_GetNameElement(tmpArena, &cert->subject,
-				       SEC_OID_PKCS9_EMAIL_ADDRESS);
-    pBuf = appendStringToBuf(pBuf, rawEmailAddr, &maxLen);
-
-    rawEmailAddr = CERT_GetNameElement(tmpArena, &cert->subject, 
-				       SEC_OID_RFC1274_MAIL);
-    pBuf = appendStringToBuf(pBuf, rawEmailAddr, &maxLen);
-
-    rv = CERT_FindCertExtension(cert,  SEC_OID_X509_SUBJECT_ALT_NAME, 
-				&subAltName);
-    if (rv == SECSuccess && subAltName.data) {
-	CERTGeneralName *nameList     = NULL;
-
-	if (!!(nameList = CERT_DecodeAltNameExtension(tmpArena, &subAltName))) {
-	    CERTGeneralName *current = nameList;
-	    do {
-		if (current->type == certDirectoryName) {
-		    rawEmailAddr = CERT_GetNameElement(tmpArena,
-			                       &current->name.directoryName, 
-					       SEC_OID_PKCS9_EMAIL_ADDRESS);
-		    pBuf = appendStringToBuf(pBuf, rawEmailAddr, &maxLen);
-
-		    rawEmailAddr = CERT_GetNameElement(tmpArena,
-					      &current->name.directoryName, 
-					      SEC_OID_RFC1274_MAIL);
-		    pBuf = appendStringToBuf(pBuf, rawEmailAddr, &maxLen);
-		} else if (current->type == certRFC822Name) {
-		    pBuf = appendItemToBuf(pBuf, &current->name.other, &maxLen);
-		}
-		current = CERT_GetNextGeneralName(current);
-	    } while (current != nameList);
-	}
-	SECITEM_FreeItem(&subAltName, PR_FALSE);
-	/* Don't free nameList, it's part of the tmpArena. */
-    }
-    /* now copy superstring to cert's arena */
-    finalLen = (pBuf - addrBuf) + 1;
-    pBuf = NULL;
-    if (finalLen > 1) {
-	pBuf = PORT_ArenaAlloc(cert->arena, finalLen);
-	if (pBuf) {
-	    PORT_Memcpy(pBuf, addrBuf, finalLen);
-	}
-    }
-loser:
-    if (tmpArena)
-	PORT_FreeArena(tmpArena, PR_FALSE);
-
-    return pBuf;
-}
-
-/* returns pointer to storage in cert's arena.  Storage remains valid
-** as long as cert's reference count doesn't go to zero.
-** Caller should strdup or otherwise copy.
-*/
-const char *	/* const so caller won't muck with it. */
-CERT_GetFirstEmailAddress(CERTCertificate * cert)
-{
-    if (cert && cert->emailAddr && cert->emailAddr[0])
-    	return (const char *)cert->emailAddr;
-    return NULL;
-}
-
-/* returns pointer to storage in cert's arena.  Storage remains valid
-** as long as cert's reference count doesn't go to zero.
-** Caller should strdup or otherwise copy.
-*/
-const char *	/* const so caller won't muck with it. */
-CERT_GetNextEmailAddress(CERTCertificate * cert, const char * prev)
-{
-    if (cert && prev && prev[0]) {
-    	PRUint32 len = PL_strlen(prev);
-	prev += len + 1;
-	if (prev && prev[0])
-	    return prev;
-    }
-    return NULL;
-}
-
-/* This is seriously bogus, now that certs store their email addresses in
-** subject Alternative Name extensions. 
-** Returns a string allocated by PORT_StrDup, which the caller must free.
-*/
-char *
-CERT_GetCertEmailAddress(CERTName *name)
-{
-    char *rawEmailAddr;
-    char *emailAddr;
-
-    
-    rawEmailAddr = CERT_GetNameElement(NULL, name, SEC_OID_PKCS9_EMAIL_ADDRESS);
-    if ( rawEmailAddr == NULL ) {
-	rawEmailAddr = CERT_GetNameElement(NULL, name, SEC_OID_RFC1274_MAIL);
-    }
-    emailAddr = CERT_FixupEmailAddr(rawEmailAddr);
-    if ( rawEmailAddr ) {
-	PORT_Free(rawEmailAddr);
-    }
-    return(emailAddr);
-}
-
-/* The return value must be freed with PORT_Free. */
-char *
-CERT_GetCommonName(CERTName *name)
-{
-    return(CERT_GetLastNameElement(NULL, name, SEC_OID_AVA_COMMON_NAME));
-}
-
-char *
-CERT_GetCountryName(CERTName *name)
-{
-    return(CERT_GetNameElement(NULL, name, SEC_OID_AVA_COUNTRY_NAME));
-}
-
-char *
-CERT_GetLocalityName(CERTName *name)
-{
-    return(CERT_GetNameElement(NULL, name, SEC_OID_AVA_LOCALITY));
-}
-
-char *
-CERT_GetStateName(CERTName *name)
-{
-    return(CERT_GetNameElement(NULL, name, SEC_OID_AVA_STATE_OR_PROVINCE));
-}
-
-char *
-CERT_GetOrgName(CERTName *name)
-{
-    return(CERT_GetNameElement(NULL, name, SEC_OID_AVA_ORGANIZATION_NAME));
-}
-
-char *
-CERT_GetDomainComponentName(CERTName *name)
-{
-    return(CERT_GetNameElement(NULL, name, SEC_OID_AVA_DC));
-}
-
-char *
-CERT_GetOrgUnitName(CERTName *name)
-{
-    return(CERT_GetNameElement(NULL, name, SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME));
-}
-
-char *
-CERT_GetDnQualifier(CERTName *name)
-{
-    return(CERT_GetNameElement(NULL, name, SEC_OID_AVA_DN_QUALIFIER));
-}
-
-char *
-CERT_GetCertUid(CERTName *name)
-{
-    return(CERT_GetNameElement(NULL, name, SEC_OID_RFC1274_UID));
-}
-
diff --git a/security/nss/lib/certdb/cert.h b/security/nss/lib/certdb/cert.h
deleted file mode 100644
index 9dfe8d775..000000000
--- a/security/nss/lib/certdb/cert.h
+++ /dev/null
@@ -1,1528 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * cert.h - public data structures and prototypes for the certificate library
- *
- * $Id$
- */
-
-#ifndef _CERT_H_
-#define _CERT_H_
-
-#include "plarena.h"
-#include "plhash.h"
-#include "prlong.h"
-#include "prlog.h"
-
-#include "seccomon.h"
-#include "secdert.h"
-#include "secoidt.h"
-#include "keyt.h"
-#include "certt.h"
-
-SEC_BEGIN_PROTOS
-   
-/****************************************************************************
- *
- * RFC1485 ascii to/from X.? RelativeDistinguishedName (aka CERTName)
- *
- ****************************************************************************/
-
-/*
-** Convert an ascii RFC1485 encoded name into its CERTName equivalent.
-*/
-extern CERTName *CERT_AsciiToName(char *string);
-
-/*
-** Convert an CERTName into its RFC1485 encoded equivalent.
-** Returns a string that must be freed with PORT_Free().
-*/
-extern char *CERT_NameToAscii(CERTName *name);
-
-extern CERTAVA *CERT_CopyAVA(PRArenaPool *arena, CERTAVA *src);
-
-/* convert an OID to dotted-decimal representation */
-/* Returns a string that must be freed with PR_smprintf_free(). */
-extern char * CERT_GetOidString(const SECItem *oid);
-
-/*
-** Examine an AVA and return the tag that refers to it. The AVA tags are
-** defined as SEC_OID_AVA*.
-*/
-extern SECOidTag CERT_GetAVATag(CERTAVA *ava);
-
-/*
-** Compare two AVA's, returning the difference between them.
-*/
-extern SECComparison CERT_CompareAVA(const CERTAVA *a, const CERTAVA *b);
-
-/*
-** Create an RDN (relative-distinguished-name). The argument list is a
-** NULL terminated list of AVA's.
-*/
-extern CERTRDN *CERT_CreateRDN(PRArenaPool *arena, CERTAVA *avas, ...);
-
-/*
-** Make a copy of "src" storing it in "dest".
-*/
-extern SECStatus CERT_CopyRDN(PRArenaPool *arena, CERTRDN *dest, CERTRDN *src);
-
-/*
-** Destory an RDN object.
-**	"rdn" the RDN to destroy
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void CERT_DestroyRDN(CERTRDN *rdn, PRBool freeit);
-
-/*
-** Add an AVA to an RDN.
-**	"rdn" the RDN to add to
-**	"ava" the AVA to add
-*/
-extern SECStatus CERT_AddAVA(PRArenaPool *arena, CERTRDN *rdn, CERTAVA *ava);
-
-/*
-** Compare two RDN's, returning the difference between them.
-*/
-extern SECComparison CERT_CompareRDN(CERTRDN *a, CERTRDN *b);
-
-/*
-** Create an X.500 style name using a NULL terminated list of RDN's.
-*/
-extern CERTName *CERT_CreateName(CERTRDN *rdn, ...);
-
-/*
-** Make a copy of "src" storing it in "dest". Memory is allocated in
-** "dest" for each of the appropriate sub objects. Memory is not freed in
-** "dest" before allocation is done (use CERT_DestroyName(dest, PR_FALSE) to
-** do that).
-*/
-extern SECStatus CERT_CopyName(PRArenaPool *arena, CERTName *dest, CERTName *src);
-
-/*
-** Destroy a Name object.
-**	"name" the CERTName to destroy
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void CERT_DestroyName(CERTName *name);
-
-/*
-** Add an RDN to a name.
-**	"name" the name to add the RDN to
-**	"rdn" the RDN to add to name
-*/
-extern SECStatus CERT_AddRDN(CERTName *name, CERTRDN *rdn);
-
-/*
-** Compare two names, returning the difference between them.
-*/
-extern SECComparison CERT_CompareName(CERTName *a, CERTName *b);
-
-/*
-** Convert a CERTName into something readable
-*/
-extern char *CERT_FormatName (CERTName *name);
-
-/*
-** Convert a der-encoded integer to a hex printable string form.
-** Perhaps this should be a SEC function but it's only used for certs.
-*/
-extern char *CERT_Hexify (SECItem *i, int do_colon);
-
-/******************************************************************************
- *
- * Certificate handling operations
- *
- *****************************************************************************/
-
-/*
-** Create a new validity object given two unix time values.
-**	"notBefore" the time before which the validity is not valid
-**	"notAfter" the time after which the validity is not valid
-*/
-extern CERTValidity *CERT_CreateValidity(int64 notBefore, int64 notAfter);
-
-/*
-** Destroy a validity object.
-**	"v" the validity to destroy
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void CERT_DestroyValidity(CERTValidity *v);
-
-/*
-** Copy the "src" object to "dest". Memory is allocated in "dest" for
-** each of the appropriate sub-objects. Memory in "dest" is not freed
-** before memory is allocated (use CERT_DestroyValidity(v, PR_FALSE) to do
-** that).
-*/
-extern SECStatus CERT_CopyValidity
-   (PRArenaPool *arena, CERTValidity *dest, CERTValidity *src);
-
-/*
-** The cert lib considers a cert or CRL valid if the "notBefore" time is
-** in the not-too-distant future, e.g. within the next 24 hours. This 
-** prevents freshly issued certificates from being considered invalid
-** because the local system's time zone is incorrectly set.  
-** The amount of "pending slop time" is adjustable by the application.
-** Units of SlopTime are seconds.  Default is 86400  (24 hours).
-** Negative SlopTime values are not allowed.
-*/
-PRInt32 CERT_GetSlopTime(void);
-
-SECStatus CERT_SetSlopTime(PRInt32 slop);
-
-/*
-** Create a new certificate object. The result must be wrapped with an
-** CERTSignedData to create a signed certificate.
-**	"serialNumber" the serial number
-**	"issuer" the name of the certificate issuer
-**	"validity" the validity period of the certificate
-**	"req" the certificate request that prompted the certificate issuance
-*/
-extern CERTCertificate *
-CERT_CreateCertificate (unsigned long serialNumber, CERTName *issuer,
-			CERTValidity *validity, CERTCertificateRequest *req);
-
-/*
-** Destroy a certificate object
-**	"cert" the certificate to destroy
-** NOTE: certificate's are reference counted. This call decrements the
-** reference count, and if the result is zero, then the object is destroyed
-** and optionally freed.
-*/
-extern void CERT_DestroyCertificate(CERTCertificate *cert);
-
-/*
-** Make a shallow copy of a certificate "c". Just increments the
-** reference count on "c".
-*/
-extern CERTCertificate *CERT_DupCertificate(CERTCertificate *c);
-
-/*
-** Create a new certificate request. This result must be wrapped with an
-** CERTSignedData to create a signed certificate request.
-**	"name" the subject name (who the certificate request is from)
-**	"spki" describes/defines the public key the certificate is for
-**	"attributes" if non-zero, some optional attribute data
-*/
-extern CERTCertificateRequest *
-CERT_CreateCertificateRequest (CERTName *name, CERTSubjectPublicKeyInfo *spki,
-			       SECItem **attributes);
-
-/*
-** Destroy a certificate-request object
-**	"r" the certificate-request to destroy
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void CERT_DestroyCertificateRequest(CERTCertificateRequest *r);
-
-/*
-** Start adding extensions to a certificate request.
-*/
-void *
-CERT_StartCertificateRequestAttributes(CERTCertificateRequest *req);
-
-/*
-** Reformat the certifcate extension list into a CertificateRequest
-** attribute list.
-*/
-SECStatus
-CERT_FinishCertificateRequestAttributes(CERTCertificateRequest *req);
-
-/*
-** Extract the Extension Requests from a DER CertRequest attribute list.
-*/
-SECStatus
-CERT_GetCertificateRequestExtensions(CERTCertificateRequest *req,
-                                     CERTCertExtension ***exts);
-
-/*
-** Extract a public key object from a certificate
-*/
-extern SECKEYPublicKey *CERT_ExtractPublicKey(CERTCertificate *cert);
-
-/*
- * used to get a public key with Key Material ID. Only used for fortezza V1
- * certificates.
- */
-extern SECKEYPublicKey *CERT_KMIDPublicKey(CERTCertificate *cert);
-
-
-/*
-** Retrieve the Key Type associated with the cert we're dealing with
-*/
-
-extern KeyType CERT_GetCertKeyType (CERTSubjectPublicKeyInfo *spki);
-
-/*
-** Initialize the certificate database.  This is called to create
-**  the initial list of certificates in the database.
-*/
-extern SECStatus CERT_InitCertDB(CERTCertDBHandle *handle);
-
-extern int CERT_GetDBContentVersion(CERTCertDBHandle *handle);
-
-/*
-** Default certificate database routines
-*/
-extern void CERT_SetDefaultCertDB(CERTCertDBHandle *handle);
-
-extern CERTCertDBHandle *CERT_GetDefaultCertDB(void);
-
-extern CERTCertList *CERT_GetCertChainFromCert(CERTCertificate *cert, 
-					       int64 time, 
-					       SECCertUsage usage);
-extern CERTCertificate *
-CERT_NewTempCertificate (CERTCertDBHandle *handle, SECItem *derCert,
-                         char *nickname, PRBool isperm, PRBool copyDER);
-
-
-/******************************************************************************
- *
- * X.500 Name handling operations
- *
- *****************************************************************************/
-
-/*
-** Create an AVA (attribute-value-assertion)
-**	"arena" the memory arena to alloc from
-**	"kind" is one of SEC_OID_AVA_*
-**	"valueType" is one of DER_PRINTABLE_STRING, DER_IA5_STRING, or
-**	   DER_T61_STRING
-**	"value" is the null terminated string containing the value
-*/
-extern CERTAVA *CERT_CreateAVA
-   (PRArenaPool *arena, SECOidTag kind, int valueType, char *value);
-
-/*
-** Extract the Distinguished Name from a DER encoded certificate
-**	"derCert" is the DER encoded certificate
-**	"derName" is the SECItem that the name is returned in
-*/
-extern SECStatus CERT_NameFromDERCert(SECItem *derCert, SECItem *derName);
-
-/*
-** Extract the Issuers Distinguished Name from a DER encoded certificate
-**	"derCert" is the DER encoded certificate
-**	"derName" is the SECItem that the name is returned in
-*/
-extern SECStatus CERT_IssuerNameFromDERCert(SECItem *derCert, 
-					    SECItem *derName);
-
-extern SECItem *
-CERT_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest,
-		       PRArenaPool *arena);
-
-extern CERTGeneralName *
-CERT_DecodeGeneralName(PRArenaPool *arena, SECItem *encodedName,
-		       CERTGeneralName  *genName);
-
-
-
-/*
-** Generate a database search key for a certificate, based on the
-** issuer and serial number.
-**	"arena" the memory arena to alloc from
-**	"derCert" the DER encoded certificate
-**	"key" the returned key
-*/
-extern SECStatus CERT_KeyFromDERCert(PRArenaPool *arena, SECItem *derCert, SECItem *key);
-
-extern SECStatus CERT_KeyFromIssuerAndSN(PRArenaPool *arena, SECItem *issuer,
-					 SECItem *sn, SECItem *key);
-
-extern SECStatus CERT_SerialNumberFromDERCert(SECItem *derCert, 
-						SECItem *derName);
-
-
-/*
-** Generate a database search key for a crl, based on the
-** issuer.
-**	"arena" the memory arena to alloc from
-**	"derCrl" the DER encoded crl
-**	"key" the returned key
-*/
-extern SECStatus CERT_KeyFromDERCrl(PRArenaPool *arena, SECItem *derCrl, SECItem *key);
-
-/*
-** Open the certificate database.  Use callback to get name of database.
-*/
-extern SECStatus CERT_OpenCertDB(CERTCertDBHandle *handle, PRBool readOnly,
-				 CERTDBNameFunc namecb, void *cbarg);
-
-/* Open the certificate database.  Use given filename for database. */
-extern SECStatus CERT_OpenCertDBFilename(CERTCertDBHandle *handle,
-					 char *certdbname, PRBool readOnly);
-
-/*
-** Open and initialize a cert database that is entirely in memory.  This
-** can be used when the permanent database can not be opened or created.
-*/
-extern SECStatus CERT_OpenVolatileCertDB(CERTCertDBHandle *handle);
-
-/*
-** Check the hostname to make sure that it matches the shexp that
-** is given in the common name of the certificate.
-*/
-extern SECStatus CERT_VerifyCertName(CERTCertificate *cert, const char *hostname);
-
-/*
-** Add a domain name to the list of names that the user has explicitly
-** allowed (despite cert name mismatches) for use with a server cert.
-*/
-extern SECStatus CERT_AddOKDomainName(CERTCertificate *cert, const char *hostname);
-
-/*
-** Decode a DER encoded certificate into an CERTCertificate structure
-**	"derSignedCert" is the DER encoded signed certificate
-**	"copyDER" is true if the DER should be copied, false if the
-**		existing copy should be referenced
-**	"nickname" is the nickname to use in the database.  If it is NULL
-**		then a temporary nickname is generated.
-*/
-extern CERTCertificate *
-CERT_DecodeDERCertificate (SECItem *derSignedCert, PRBool copyDER, char *nickname);
-/*
-** Decode a DER encoded CRL/KRL into an CERTSignedCrl structure
-**	"derSignedCrl" is the DER encoded signed crl/krl.
-**	"type" is this a CRL or KRL.
-*/
-#define SEC_CRL_TYPE	1
-#define SEC_KRL_TYPE	0
-
-extern CERTSignedCrl *
-CERT_DecodeDERCrl (PRArenaPool *arena, SECItem *derSignedCrl,int type);
-
-/*
- * same as CERT_DecodeDERCrl, plus allow options to be passed in
- */
-
-extern CERTSignedCrl *
-CERT_DecodeDERCrlWithFlags(PRArenaPool *narena, SECItem *derSignedCrl,
-                          int type, PRInt32 options);
-
-/* CRL options to pass */
-
-#define CRL_DECODE_DEFAULT_OPTIONS          0x00000000
-
-/* when CRL_DECODE_DONT_COPY_DER is set, the DER is not copied . The
-   application must then keep derSignedCrl until it destroys the
-   CRL . Ideally, it should allocate derSignedCrl in an arena
-   and pass that arena in as the first argument to
-   CERT_DecodeDERCrlWithFlags */
-
-#define CRL_DECODE_DONT_COPY_DER            0x00000001
-#define CRL_DECODE_SKIP_ENTRIES             0x00000002
-#define CRL_DECODE_KEEP_BAD_CRL             0x00000004
-#define CRL_DECODE_ADOPT_HEAP_DER           0x00000008
-
-/* complete the decoding of a partially decoded CRL, ie. decode the
-   entries. Note that entries is an optional field in a CRL, so the
-   "entries" pointer in CERTCrlStr may still be NULL even after
-   function returns SECSuccess */
-
-extern SECStatus CERT_CompleteCRLDecodeEntries(CERTSignedCrl* crl);
-
-/* Validate CRL then import it to the dbase.  If there is already a CRL with the
- * same CA in the dbase, it will be replaced if derCRL is more up to date.  
- * If the process successes, a CRL will be returned.  Otherwise, a NULL will 
- * be returned. The caller should call PORT_GetError() for the exactly error 
- * code.
- */
-extern CERTSignedCrl *
-CERT_ImportCRL (CERTCertDBHandle *handle, SECItem *derCRL, char *url, 
-						int type, void * wincx);
-
-extern void CERT_DestroyCrl (CERTSignedCrl *crl);
-
-/* this is a hint to flush the CRL cache. crlKey is the DER subject of
-   the issuer (CA). */
-void CERT_CRLCacheRefreshIssuer(CERTCertDBHandle* dbhandle, SECItem* crlKey);
-
-/* add the specified DER CRL object to the CRL cache. Doing so will allow
-   certificate verification functions (such as CERT_VerifyCertificate)
-   to automatically find and make use of this CRL object.
-   Once a CRL is added to the CRL cache, the application must hold on to
-   the object's memory, because the cache will reference it directly. The
-   application can only free the object after it calls CERT_UncacheCRL to
-   remove it from the CRL cache.
-*/
-SECStatus CERT_CacheCRL(CERTCertDBHandle* dbhandle, SECItem* newcrl);
-
-/* remove a previously added CRL object from the CRL cache. It is OK
-   for the application to free the memory after a successful removal
-*/
-SECStatus CERT_UncacheCRL(CERTCertDBHandle* dbhandle, SECItem* oldcrl);
-
-/*
-** Decode a certificate and put it into the temporary certificate database
-*/
-extern CERTCertificate *
-CERT_DecodeCertificate (SECItem *derCert, char *nickname,PRBool copyDER);
-
-/*
-** Find a certificate in the database
-**	"key" is the database key to look for
-*/
-extern CERTCertificate *CERT_FindCertByKey(CERTCertDBHandle *handle, SECItem *key);
-
-/*
-** Find a certificate in the database by name
-**	"name" is the distinguished name to look up
-*/
-extern CERTCertificate *
-CERT_FindCertByName (CERTCertDBHandle *handle, SECItem *name);
-
-/*
-** Find a certificate in the database by name
-**	"name" is the distinguished name to look up (in ascii)
-*/
-extern CERTCertificate *
-CERT_FindCertByNameString (CERTCertDBHandle *handle, char *name);
-
-/*
-** Find a certificate in the database by name and keyid
-**	"name" is the distinguished name to look up
-**	"keyID" is the value of the subjectKeyID to match
-*/
-extern CERTCertificate *
-CERT_FindCertByKeyID (CERTCertDBHandle *handle, SECItem *name, SECItem *keyID);
-
-/*
-** Generate a certificate key from the issuer and serialnumber, then look it
-** up in the database.  Return the cert if found.
-**	"issuerAndSN" is the issuer and serial number to look for
-*/
-extern CERTCertificate *
-CERT_FindCertByIssuerAndSN (CERTCertDBHandle *handle, CERTIssuerAndSN *issuerAndSN);
-
-/*
-** Find a certificate in the database by a subject key ID
-**	"subjKeyID" is the subject Key ID to look for
-*/
-extern CERTCertificate *
-CERT_FindCertBySubjectKeyID (CERTCertDBHandle *handle, SECItem *subjKeyID);
-
-/*
-** Find a certificate in the database by a nickname
-**	"nickname" is the ascii string nickname to look for
-*/
-extern CERTCertificate *
-CERT_FindCertByNickname (CERTCertDBHandle *handle, char *nickname);
-
-/*
-** Find a certificate in the database by a DER encoded certificate
-**	"derCert" is the DER encoded certificate
-*/
-extern CERTCertificate *
-CERT_FindCertByDERCert(CERTCertDBHandle *handle, SECItem *derCert);
-
-/*
-** Find a certificate in the database by a email address
-**	"emailAddr" is the email address to look up
-*/
-CERTCertificate *
-CERT_FindCertByEmailAddr(CERTCertDBHandle *handle, char *emailAddr);
-
-/*
-** Find a certificate in the database by a email address or nickname
-**	"name" is the email address or nickname to look up
-*/
-CERTCertificate *
-CERT_FindCertByNicknameOrEmailAddr(CERTCertDBHandle *handle, char *name);
-
-/*
-** Find a certificate in the database by a digest of a subject public key
-**	"spkDigest" is the digest to look up
-*/
-extern CERTCertificate *
-CERT_FindCertBySPKDigest(CERTCertDBHandle *handle, SECItem *spkDigest);
-
-/*
- * Find the issuer of a cert
- */
-CERTCertificate *
-CERT_FindCertIssuer(CERTCertificate *cert, int64 validTime, SECCertUsage usage);
-
-/*
-** Check the validity times of a certificate vs. time 't', allowing
-** some slop for broken clocks and stuff.
-**	"cert" is the certificate to be checked
-**	"t" is the time to check against
-**	"allowOverride" if true then check to see if the invalidity has
-**		been overridden by the user.
-*/
-extern SECCertTimeValidity CERT_CheckCertValidTimes(CERTCertificate *cert,
-						    PRTime t,
-						    PRBool allowOverride);
-
-/*
-** WARNING - this function is depricated, and will either go away or have
-**		a new API in the near future.
-**
-** Check the validity times of a certificate vs. the current time, allowing
-** some slop for broken clocks and stuff.
-**	"cert" is the certificate to be checked
-*/
-extern SECStatus CERT_CertTimesValid(CERTCertificate *cert);
-
-/*
-** Extract the validity times from a certificate
-**	"c" is the certificate
-**	"notBefore" is the start of the validity period
-**	"notAfter" is the end of the validity period
-*/
-extern SECStatus
-CERT_GetCertTimes (CERTCertificate *c, PRTime *notBefore, PRTime *notAfter);
-
-/*
-** Extract the issuer and serial number from a certificate
-*/
-extern CERTIssuerAndSN *CERT_GetCertIssuerAndSN(PRArenaPool *, 
-							CERTCertificate *);
-
-/*
-** verify the signature of a signed data object with a given certificate
-**	"sd" the signed data object to be verified
-**	"cert" the certificate to use to check the signature
-*/
-extern SECStatus CERT_VerifySignedData(CERTSignedData *sd,
-				       CERTCertificate *cert,
-				       int64 t,
-				       void *wincx);
-/*
-** verify the signature of a signed data object with the given DER publickey
-*/
-extern SECStatus
-CERT_VerifySignedDataWithPublicKeyInfo(CERTSignedData *sd,
-                                       CERTSubjectPublicKeyInfo *pubKeyInfo,
-                                       void *wincx);
-
-/*
-** verify the signature of a signed data object with a SECKEYPublicKey.
-*/
-extern SECStatus
-CERT_VerifySignedDataWithPublicKey(CERTSignedData *sd,
-                                   SECKEYPublicKey *pubKey, void *wincx);
-
-/*
-** NEW FUNCTIONS with new bit-field-FIELD SECCertificateUsage - please use
-** verify a certificate by checking validity times against a certain time,
-** that we trust the issuer, and that the signature on the certificate is
-** valid.
-**	"cert" the certificate to verify
-**	"checkSig" only check signatures if true
-*/
-extern SECStatus
-CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
-		PRBool checkSig, SECCertificateUsage requiredUsages,
-                int64 t, void *wincx, CERTVerifyLog *log,
-                SECCertificateUsage* returnedUsages);
-
-/* same as above, but uses current time */
-extern SECStatus
-CERT_VerifyCertificateNow(CERTCertDBHandle *handle, CERTCertificate *cert,
-		   PRBool checkSig, SECCertificateUsage requiredUsages,
-                   void *wincx, SECCertificateUsage* returnedUsages);
-
-/*
-** Verify that a CA cert can certify some (unspecified) leaf cert for a given
-** purpose. This is used by UI code to help identify where a chain may be
-** broken and why. This takes identical parameters to CERT_VerifyCert
-*/
-extern SECStatus
-CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
-		PRBool checkSig, SECCertUsage certUsage, int64 t,
-		void *wincx, CERTVerifyLog *log);
-
-/*
-** OLD OBSOLETE FUNCTIONS with enum SECCertUsage - DO NOT USE FOR NEW CODE
-** verify a certificate by checking validity times against a certain time,
-** that we trust the issuer, and that the signature on the certificate is
-** valid.
-**	"cert" the certificate to verify
-**	"checkSig" only check signatures if true
-*/
-extern SECStatus
-CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert,
-		PRBool checkSig, SECCertUsage certUsage, int64 t,
-		void *wincx, CERTVerifyLog *log);
-
-/* same as above, but uses current time */
-extern SECStatus
-CERT_VerifyCertNow(CERTCertDBHandle *handle, CERTCertificate *cert,
-		   PRBool checkSig, SECCertUsage certUsage, void *wincx);
-
-SECStatus
-CERT_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert,
-		     PRBool checkSig, SECCertUsage certUsage, int64 t,
-		     void *wincx, CERTVerifyLog *log);
-
-/*
-** Read a base64 ascii encoded DER certificate and convert it to our
-** internal format.
-**	"certstr" is a null-terminated string containing the certificate
-*/
-extern CERTCertificate *CERT_ConvertAndDecodeCertificate(char *certstr);
-
-/*
-** Read a certificate in some foreign format, and convert it to our
-** internal format.
-**	"certbuf" is the buffer containing the certificate
-**	"certlen" is the length of the buffer
-** NOTE - currently supports netscape base64 ascii encoded raw certs
-**  and netscape binary DER typed files.
-*/
-extern CERTCertificate *CERT_DecodeCertFromPackage(char *certbuf, int certlen);
-
-extern SECStatus
-CERT_ImportCAChain (SECItem *certs, int numcerts, SECCertUsage certUsage);
-
-extern SECStatus
-CERT_ImportCAChainTrusted(SECItem *certs, int numcerts, SECCertUsage certUsage);
-
-/*
-** Read a certificate chain in some foreign format, and pass it to a 
-** callback function.
-**	"certbuf" is the buffer containing the certificate
-**	"certlen" is the length of the buffer
-**	"f" is the callback function
-**	"arg" is the callback argument
-*/
-typedef SECStatus (PR_CALLBACK *CERTImportCertificateFunc)
-   (void *arg, SECItem **certs, int numcerts);
-
-extern SECStatus
-CERT_DecodeCertPackage(char *certbuf, int certlen, CERTImportCertificateFunc f,
-		       void *arg);
-
-/*
-** Pretty print a certificate in HTML
-**	"cert" is the certificate to print
-**	"showImages" controls whether or not to use about:security URLs
-**		for subject and issuer images.  This should only be true
-**		in the browser.
-*/
-extern char *CERT_HTMLCertInfo(CERTCertificate *cert, PRBool showImages,
-			       PRBool showIssuer);
-
-/* 
-** Returns the value of an AVA.  This was a formerly static 
-** function that has been exposed due to the need to decode
-** and convert unicode strings to UTF8.  
-**
-** XXX This function resides in certhtml.c, should it be
-** moved elsewhere?
-*/
-extern SECItem *CERT_DecodeAVAValue(const SECItem *derAVAValue);
-
-
-
-/*
-** extract various element strings from a distinguished name.
-**	"name" the distinguished name
-*/
-
-extern char *CERT_GetCertificateEmailAddress(CERTCertificate *cert);
-
-extern char *CERT_GetCertEmailAddress(CERTName *name);
-
-extern const char * CERT_GetFirstEmailAddress(CERTCertificate * cert);
-
-extern const char * CERT_GetNextEmailAddress(CERTCertificate * cert, 
-                                             const char * prev);
-
-/* The return value must be freed with PORT_Free. */
-extern char *CERT_GetCommonName(CERTName *name);
-
-extern char *CERT_GetCountryName(CERTName *name);
-
-extern char *CERT_GetLocalityName(CERTName *name);
-
-extern char *CERT_GetStateName(CERTName *name);
-
-extern char *CERT_GetOrgName(CERTName *name);
-
-extern char *CERT_GetOrgUnitName(CERTName *name);
-
-extern char *CERT_GetDomainComponentName(CERTName *name);
-
-extern char *CERT_GetCertUid(CERTName *name);
-
-/* manipulate the trust parameters of a certificate */
-
-extern SECStatus CERT_GetCertTrust(CERTCertificate *cert, CERTCertTrust *trust);
-
-extern SECStatus
-CERT_ChangeCertTrust (CERTCertDBHandle *handle, CERTCertificate *cert,
-		      CERTCertTrust *trust);
-
-extern SECStatus
-CERT_ChangeCertTrustByUsage(CERTCertDBHandle *certdb, CERTCertificate *cert,
-			    SECCertUsage usage);
-
-/*************************************************************************
- *
- * manipulate the extensions of a certificate
- *
- ************************************************************************/
-
-/*
-** Set up a cert for adding X509v3 extensions.  Returns an opaque handle
-** used by the next two routines.
-**	"cert" is the certificate we are adding extensions to
-*/
-extern void *CERT_StartCertExtensions(CERTCertificate *cert);
-
-/*
-** Add an extension to a certificate.
-**	"exthandle" is the handle returned by the previous function
-**	"idtag" is the integer tag for the OID that should ID this extension
-**	"value" is the value of the extension
-**	"critical" is the critical extension flag
-**	"copyData" is a flag indicating whether the value data should be
-**		copied.
-*/
-extern SECStatus CERT_AddExtension (void *exthandle, int idtag, 
-			SECItem *value, PRBool critical, PRBool copyData);
-
-extern SECStatus CERT_AddExtensionByOID (void *exthandle, SECItem *oid,
-			 SECItem *value, PRBool critical, PRBool copyData);
-
-extern SECStatus CERT_EncodeAndAddExtension
-   (void *exthandle, int idtag, void *value, PRBool critical,
-    const SEC_ASN1Template *atemplate);
-
-extern SECStatus CERT_EncodeAndAddBitStrExtension
-   (void *exthandle, int idtag, SECItem *value, PRBool critical);
-
-
-extern SECStatus
-CERT_EncodeAltNameExtension(PRArenaPool *arena,  CERTGeneralName  *value, SECItem *encodedValue);
-
-
-/*
-** Finish adding cert extensions.  Does final processing on extension
-** data, putting it in the right format, and freeing any temporary
-** storage.
-**	"exthandle" is the handle used to add extensions to a certificate
-*/
-extern SECStatus CERT_FinishExtensions(void *exthandle);
-
-/*
-** Merge an external list of extensions into a cert's extension list, adding one
-** only when its OID matches none of the cert's existing extensions. Call this
-** immediately before calling CERT_FinishExtensions().
-*/
-SECStatus
-CERT_MergeExtensions(void *exthandle, CERTCertExtension **exts);
-
-/* If the extension is found, return its criticality and value.
-** This allocate storage for the returning extension value.
-*/
-extern SECStatus CERT_GetExtenCriticality
-   (CERTCertExtension **extensions, int tag, PRBool *isCritical);
-
-extern void
-CERT_DestroyOidSequence(CERTOidSequence *oidSeq);
-
-/****************************************************************************
- *
- * DER encode and decode extension values
- *
- ****************************************************************************/
-
-/* Encode the value of the basicConstraint extension.
-**	arena - where to allocate memory for the encoded value.
-**	value - extension value to encode
-**	encodedValue - output encoded value
-*/
-extern SECStatus CERT_EncodeBasicConstraintValue
-   (PRArenaPool *arena, CERTBasicConstraints *value, SECItem *encodedValue);
-
-/*
-** Encode the value of the authorityKeyIdentifier extension.
-*/
-extern SECStatus CERT_EncodeAuthKeyID
-   (PRArenaPool *arena, CERTAuthKeyID *value, SECItem *encodedValue);
-
-/*
-** Encode the value of the crlDistributionPoints extension.
-*/
-extern SECStatus CERT_EncodeCRLDistributionPoints
-   (PRArenaPool *arena, CERTCrlDistributionPoints *value,SECItem *derValue);
-
-/*
-** Decodes a DER encoded basicConstaint extension value into a readable format
-**	value - decoded value
-**	encodedValue - value to decoded
-*/
-extern SECStatus CERT_DecodeBasicConstraintValue
-   (CERTBasicConstraints *value, SECItem *encodedValue);
-
-/* Decodes a DER encoded authorityKeyIdentifier extension value into a
-** readable format.
-**	arena - where to allocate memory for the decoded value
-**	encodedValue - value to be decoded
-**	Returns a CERTAuthKeyID structure which contains the decoded value
-*/
-extern CERTAuthKeyID *CERT_DecodeAuthKeyID 
-			(PRArenaPool *arena, SECItem *encodedValue);
-
-
-/* Decodes a DER encoded crlDistributionPoints extension value into a 
-** readable format.
-**	arena - where to allocate memory for the decoded value
-**	der - value to be decoded
-**	Returns a CERTCrlDistributionPoints structure which contains the 
-**          decoded value
-*/
-extern CERTCrlDistributionPoints * CERT_DecodeCRLDistributionPoints
-   (PRArenaPool *arena, SECItem *der);
-
-/* Extract certain name type from a generalName */
-extern void *CERT_GetGeneralNameByType
-   (CERTGeneralName *genNames, CERTGeneralNameType type, PRBool derFormat);
-
-
-extern CERTOidSequence *
-CERT_DecodeOidSequence(SECItem *seqItem);
-
-
-
-
-/****************************************************************************
- *
- * Find extension values of a certificate 
- *
- ***************************************************************************/
-
-extern SECStatus CERT_FindCertExtension
-   (CERTCertificate *cert, int tag, SECItem *value);
-
-extern SECStatus CERT_FindNSCertTypeExtension
-   (CERTCertificate *cert, SECItem *value);
-
-extern char * CERT_FindNSStringExtension (CERTCertificate *cert, int oidtag);
-
-extern SECStatus CERT_FindIssuerCertExtension
-   (CERTCertificate *cert, int tag, SECItem *value);
-
-extern SECStatus CERT_FindCertExtensionByOID
-   (CERTCertificate *cert, SECItem *oid, SECItem *value);
-
-extern char *CERT_FindCertURLExtension (CERTCertificate *cert, int tag, 
-								int catag);
-
-/* Returns the decoded value of the authKeyID extension.
-**   Note that this uses passed in the arena to allocate storage for the result
-*/
-extern CERTAuthKeyID * CERT_FindAuthKeyIDExten (PRArenaPool *arena,CERTCertificate *cert);
-
-/* Returns the decoded value of the basicConstraint extension.
- */
-extern SECStatus CERT_FindBasicConstraintExten
-   (CERTCertificate *cert, CERTBasicConstraints *value);
-
-/* Returns the decoded value of the crlDistributionPoints extension.
-**  Note that the arena in cert is used to allocate storage for the result
-*/
-extern CERTCrlDistributionPoints * CERT_FindCRLDistributionPoints
-   (CERTCertificate *cert);
-
-/* Returns value of the keyUsage extension.  This uses PR_Alloc to allocate 
-** buffer for the decoded value. The caller should free up the storage 
-** allocated in value->data.
-*/
-extern SECStatus CERT_FindKeyUsageExtension (CERTCertificate *cert, 
-							SECItem *value);
-
-/* Return the decoded value of the subjectKeyID extension. The caller should 
-** free up the storage allocated in retItem->data.
-*/
-extern SECStatus CERT_FindSubjectKeyIDExtension (CERTCertificate *cert, 
-							   SECItem *retItem);
-
-/*
-** If cert is a v3 certificate, and a critical keyUsage extension is included,
-** then check the usage against the extension value.  If a non-critical 
-** keyUsage extension is included, this will return SECSuccess without 
-** checking, since the extension is an advisory field, not a restriction.  
-** If cert is not a v3 certificate, this will return SECSuccess.
-**	cert - certificate
-**	usage - one of the x.509 v3 the Key Usage Extension flags
-*/
-extern SECStatus CERT_CheckCertUsage (CERTCertificate *cert, 
-							unsigned char usage);
-
-/****************************************************************************
- *
- *  CRL v2 Extensions supported routines
- *
- ****************************************************************************/
-
-extern SECStatus CERT_FindCRLExtensionByOID
-   (CERTCrl *crl, SECItem *oid, SECItem *value);
-
-extern SECStatus CERT_FindCRLExtension
-   (CERTCrl *crl, int tag, SECItem *value);
-
-extern SECStatus
-   CERT_FindInvalidDateExten (CERTCrl *crl, int64 *value);
-
-/*
-** Set up a crl for adding X509v3 extensions.  Returns an opaque handle
-** used by routines that take an exthandle (void*) argument .
-**	"crl" is the CRL we are adding extensions to
-*/
-extern void *CERT_StartCRLExtensions(CERTCrl *crl);
-
-/*
-** Set up a crl entry for adding X509v3 extensions.  Returns an opaque handle
-** used by routines that take an exthandle (void*) argument .
-**	"crl" is the crl we are adding certs entries to
-**      "entry" is the crl entry we are adding extensions to
-*/
-extern void *CERT_StartCRLEntryExtensions(CERTCrl *crl, CERTCrlEntry *entry);
-
-extern CERTCertNicknames *CERT_GetCertNicknames (CERTCertDBHandle *handle,
-						 int what, void *wincx);
-
-/*
-** Finds the crlNumber extension and decodes its value into 'value'
-*/
-extern SECStatus CERT_FindCRLNumberExten (CERTCrl *crl, CERTCrlNumber *value);
-
-extern void CERT_FreeNicknames(CERTCertNicknames *nicknames);
-
-extern PRBool CERT_CompareCerts(CERTCertificate *c1, CERTCertificate *c2);
-
-extern PRBool CERT_CompareCertsForRedirection(CERTCertificate *c1,
-							 CERTCertificate *c2);
-
-/*
-** Generate an array of the Distinguished Names that the given cert database
-** "trusts"
-*/
-extern CERTDistNames *CERT_GetSSLCACerts(CERTCertDBHandle *handle);
-
-extern void CERT_FreeDistNames(CERTDistNames *names);
-
-/*
-** Generate an array of Distinguished names from an array of nicknames
-*/
-extern CERTDistNames *CERT_DistNamesFromNicknames
-   (CERTCertDBHandle *handle, char **nicknames, int nnames);
-
-/*
-** Generate a certificate chain from a certificate.
-*/
-extern CERTCertificateList *
-CERT_CertChainFromCert(CERTCertificate *cert, SECCertUsage usage,
-		       PRBool includeRoot);
-
-extern CERTCertificateList *
-CERT_CertListFromCert(CERTCertificate *cert);
-
-extern CERTCertificateList *
-CERT_DupCertList(CERTCertificateList * oldList);
-
-extern void CERT_DestroyCertificateList(CERTCertificateList *list);
-
-/*
-** is cert a user cert? i.e. does it have CERTDB_USER trust,
-** i.e. a private key?
-*/
-PRBool CERT_IsUserCert(CERTCertificate* cert);
-
-/* is cert a newer than cert b? */
-PRBool CERT_IsNewer(CERTCertificate *certa, CERTCertificate *certb);
-
-/* currently a stub for address book */
-PRBool
-CERT_IsCertRevoked(CERTCertificate *cert);
-
-void
-CERT_DestroyCertArray(CERTCertificate **certs, unsigned int ncerts);
-
-/* convert an email address to lower case */
-char *CERT_FixupEmailAddr(char *emailAddr);
-
-/* decode string representation of trust flags into trust struct */
-SECStatus
-CERT_DecodeTrustString(CERTCertTrust *trust, char *trusts);
-
-/* encode trust struct into string representation of trust flags */
-char *
-CERT_EncodeTrustString(CERTCertTrust *trust);
-
-/* find the next or prev cert in a subject list */
-CERTCertificate *
-CERT_PrevSubjectCert(CERTCertificate *cert);
-CERTCertificate *
-CERT_NextSubjectCert(CERTCertificate *cert);
-
-/*
- * import a collection of certs into the temporary or permanent cert
- * database
- */
-SECStatus
-CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage,
-		 unsigned int ncerts, SECItem **derCerts,
-		 CERTCertificate ***retCerts, PRBool keepCerts,
-		 PRBool caOnly, char *nickname);
-
-SECStatus
-CERT_SaveImportedCert(CERTCertificate *cert, SECCertUsage usage,
-		      PRBool caOnly, char *nickname);
-
-char *
-CERT_MakeCANickname(CERTCertificate *cert);
-
-PRBool
-CERT_IsCACert(CERTCertificate *cert, unsigned int *rettype);
-
-PRBool
-CERT_IsCADERCert(SECItem *derCert, unsigned int *rettype);
-
-PRBool
-CERT_IsRootDERCert(SECItem *derCert);
-
-SECStatus
-CERT_SaveSMimeProfile(CERTCertificate *cert, SECItem *emailProfile,
-		      SECItem *profileTime);
-
-/*
- * find the smime symmetric capabilities profile for a given cert
- */
-SECItem *
-CERT_FindSMimeProfile(CERTCertificate *cert);
-
-SECStatus
-CERT_AddNewCerts(CERTCertDBHandle *handle);
-
-CERTPackageType
-CERT_CertPackageType(SECItem *package, SECItem *certitem);
-
-CERTCertificatePolicies *
-CERT_DecodeCertificatePoliciesExtension(SECItem *extnValue);
-
-void
-CERT_DestroyCertificatePoliciesExtension(CERTCertificatePolicies *policies);
-
-CERTUserNotice *
-CERT_DecodeUserNotice(SECItem *noticeItem);
-
-extern CERTGeneralName *
-CERT_DecodeAltNameExtension(PRArenaPool *arena, SECItem *EncodedAltName);
-
-extern CERTNameConstraints *
-CERT_DecodeNameConstraintsExtension(PRArenaPool *arena, 
-                                    SECItem *encodedConstraints);
-
-/* returns addr of a NULL termainated array of pointers to CERTAuthInfoAccess */
-extern CERTAuthInfoAccess **
-CERT_DecodeAuthInfoAccessExtension(PRArenaPool *arena,
-				   SECItem     *encodedExtension);
-
-extern CERTPrivKeyUsagePeriod *
-CERT_DecodePrivKeyUsagePeriodExtension(PLArenaPool *arena, SECItem *extnValue);
-
-extern CERTGeneralName *
-CERT_GetNextGeneralName(CERTGeneralName *current);
-
-extern CERTGeneralName *
-CERT_GetPrevGeneralName(CERTGeneralName *current);
-
-CERTNameConstraint *
-CERT_GetNextNameConstraint(CERTNameConstraint *current);
-
-CERTNameConstraint *
-CERT_GetPrevNameConstraint(CERTNameConstraint *current);
-
-void
-CERT_DestroyUserNotice(CERTUserNotice *userNotice);
-
-typedef char * (* CERTPolicyStringCallback)(char *org,
-					       unsigned long noticeNumber,
-					       void *arg);
-void
-CERT_SetCAPolicyStringCallback(CERTPolicyStringCallback cb, void *cbarg);
-
-char *
-CERT_GetCertCommentString(CERTCertificate *cert);
-
-PRBool
-CERT_GovtApprovedBitSet(CERTCertificate *cert);
-
-SECStatus
-CERT_AddPermNickname(CERTCertificate *cert, char *nickname);
-
-/*
- * Given a cert, find the cert with the same subject name that
- * has the given key usage.  If the given cert has the correct keyUsage, then
- * return it, otherwise search the list in order.
- */
-CERTCertificate *
-CERT_FindCertByUsage(CERTCertificate *basecert, unsigned int requiredKeyUsage);
-
-
-CERTCertList *
-CERT_MatchUserCert(CERTCertDBHandle *handle,
-		   SECCertUsage usage,
-		   int nCANames, char **caNames,
-		   void *proto_win);
-
-CERTCertList *
-CERT_NewCertList(void);
-
-void
-CERT_DestroyCertList(CERTCertList *certs);
-
-/* remove the node and free the cert */
-void
-CERT_RemoveCertListNode(CERTCertListNode *node);
-
-SECStatus
-CERT_AddCertToListTail(CERTCertList *certs, CERTCertificate *cert);
-
-SECStatus
-CERT_AddCertToListHead(CERTCertList *certs, CERTCertificate *cert);
-
-SECStatus
-CERT_AddCertToListTailWithData(CERTCertList *certs, CERTCertificate *cert,
-							 void *appData);
-
-SECStatus
-CERT_AddCertToListHeadWithData(CERTCertList *certs, CERTCertificate *cert,
-							 void *appData);
-
-typedef PRBool (* CERTSortCallback)(CERTCertificate *certa,
-				    CERTCertificate *certb,
-				    void *arg);
-SECStatus
-CERT_AddCertToListSorted(CERTCertList *certs, CERTCertificate *cert,
-			 CERTSortCallback f, void *arg);
-
-/* callback for CERT_AddCertToListSorted that sorts based on validity
- * period and a given time.
- */
-PRBool
-CERT_SortCBValidity(CERTCertificate *certa,
-		    CERTCertificate *certb,
-		    void *arg);
-
-SECStatus
-CERT_CheckForEvilCert(CERTCertificate *cert);
-
-CERTGeneralName *
-CERT_GetCertificateNames(CERTCertificate *cert, PRArenaPool *arena);
-
-
-SECStatus 
-CERT_EncodeSubjectKeyID(PRArenaPool *arena, char *value, int len, SECItem *encodedValue);
-
-char *
-CERT_GetNickName(CERTCertificate   *cert, CERTCertDBHandle *handle, PRArenaPool *nicknameArena);
-
-/*
- * Creates or adds to a list of all certs with a give subject name, sorted by
- * validity time, newest first.  Invalid certs are considered older than
- * valid certs. If validOnly is set, do not include invalid certs on list.
- */
-CERTCertList *
-CERT_CreateSubjectCertList(CERTCertList *certList, CERTCertDBHandle *handle,
-			   SECItem *name, int64 sorttime, PRBool validOnly);
-
-/*
- * Creates or adds to a list of all certs with a give nickname, sorted by
- * validity time, newest first.  Invalid certs are considered older than valid
- * certs. If validOnly is set, do not include invalid certs on list.
- */
-CERTCertList *
-CERT_CreateNicknameCertList(CERTCertList *certList, CERTCertDBHandle *handle,
-			    char *nickname, int64 sorttime, PRBool validOnly);
-
-/*
- * Creates or adds to a list of all certs with a give email addr, sorted by
- * validity time, newest first.  Invalid certs are considered older than valid
- * certs. If validOnly is set, do not include invalid certs on list.
- */
-CERTCertList *
-CERT_CreateEmailAddrCertList(CERTCertList *certList, CERTCertDBHandle *handle,
-			     char *emailAddr, int64 sorttime, PRBool validOnly);
-
-/*
- * remove certs from a list that don't have keyUsage and certType
- * that match the given usage.
- */
-SECStatus
-CERT_FilterCertListByUsage(CERTCertList *certList, SECCertUsage usage,
-			   PRBool ca);
-
-/*
- * check the key usage of a cert against a set of required values
- */
-SECStatus
-CERT_CheckKeyUsage(CERTCertificate *cert, unsigned int requiredUsage);
-
-/*
- * return required key usage and cert type based on cert usage
- */
-SECStatus
-CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage,
-				 PRBool ca,
-				 unsigned int *retKeyUsage,
-				 unsigned int *retCertType);
-/*
- * return required trust flags for various cert usages for CAs
- */
-SECStatus
-CERT_TrustFlagsForCACertUsage(SECCertUsage usage,
-			      unsigned int *retFlags,
-			      SECTrustType *retTrustType);
-
-/*
- * Find all user certificates that match the given criteria.
- * 
- *	"handle" - database to search
- *	"usage" - certificate usage to match
- *	"oneCertPerName" - if set then only return the "best" cert per
- *			name
- *	"validOnly" - only return certs that are curently valid
- *	"proto_win" - window handle passed to pkcs11
- */
-CERTCertList *
-CERT_FindUserCertsByUsage(CERTCertDBHandle *handle,
-			  SECCertUsage usage,
-			  PRBool oneCertPerName,
-			  PRBool validOnly,
-			  void *proto_win);
-
-/*
- * Find a user certificate that matchs the given criteria.
- * 
- *	"handle" - database to search
- *	"nickname" - nickname to match
- *	"usage" - certificate usage to match
- *	"validOnly" - only return certs that are curently valid
- *	"proto_win" - window handle passed to pkcs11
- */
-CERTCertificate *
-CERT_FindUserCertByUsage(CERTCertDBHandle *handle,
-			 char *nickname,
-			 SECCertUsage usage,
-			 PRBool validOnly,
-			 void *proto_win);
-
-/*
- * Filter a list of certificates, removing those certs that do not have
- * one of the named CA certs somewhere in their cert chain.
- *
- *	"certList" - the list of certificates to filter
- *	"nCANames" - number of CA names
- *	"caNames" - array of CA names in string(rfc 1485) form
- *	"usage" - what use the certs are for, this is used when
- *		selecting CA certs
- */
-SECStatus
-CERT_FilterCertListByCANames(CERTCertList *certList, int nCANames,
-			     char **caNames, SECCertUsage usage);
-
-/*
- * Filter a list of certificates, removing those certs that aren't user certs
- */
-SECStatus
-CERT_FilterCertListForUserCerts(CERTCertList *certList);
-
-/*
- * Collect the nicknames from all certs in a CertList.  If the cert is not
- * valid, append a string to that nickname.
- *
- * "certList" - the list of certificates
- * "expiredString" - the string to append to the nickname of any expired cert
- * "notYetGoodString" - the string to append to the nickname of any cert
- *		that is not yet valid
- */
-CERTCertNicknames *
-CERT_NicknameStringsFromCertList(CERTCertList *certList, char *expiredString,
-				 char *notYetGoodString);
-
-/*
- * Extract the nickname from a nickmake string that may have either
- * expiredString or notYetGoodString appended.
- *
- * Args:
- *	"namestring" - the string containing the nickname, and possibly
- *		one of the validity label strings
- *	"expiredString" - the expired validity label string
- *	"notYetGoodString" - the not yet good validity label string
- *
- * Returns the raw nickname
- */
-char *
-CERT_ExtractNicknameString(char *namestring, char *expiredString,
-			   char *notYetGoodString);
-
-/*
- * Given a certificate, return a string containing the nickname, and possibly
- * one of the validity strings, based on the current validity state of the
- * certificate.
- *
- * "arena" - arena to allocate returned string from.  If NULL, then heap
- *	is used.
- * "cert" - the cert to get nickname from
- * "expiredString" - the string to append to the nickname if the cert is
- *		expired.
- * "notYetGoodString" - the string to append to the nickname if the cert is
- *		not yet good.
- */
-char *
-CERT_GetCertNicknameWithValidity(PRArenaPool *arena, CERTCertificate *cert,
-				 char *expiredString, char *notYetGoodString);
-
-/*
- * Return the string representation of a DER encoded distinguished name
- * "dername" - The DER encoded name to convert
- */
-char *
-CERT_DerNameToAscii(SECItem *dername);
-
-/*
- * Supported usage values and types:
- *	certUsageSSLClient
- *	certUsageSSLServer
- *	certUsageSSLServerWithStepUp
- *	certUsageEmailSigner
- *	certUsageEmailRecipient
- *	certUsageObjectSigner
- */
-
-CERTCertificate *
-CERT_FindMatchingCert(CERTCertDBHandle *handle, SECItem *derName,
-		      CERTCertOwner owner, SECCertUsage usage,
-		      PRBool preferTrusted, int64 validTime, PRBool validOnly);
-
-/*
- * Acquire the global lock on the cert database.
- * This lock is currently used for the following operations:
- *	adding or deleting a cert to either the temp or perm databases
- *	converting a temp to perm or perm to temp
- *	changing(maybe just adding?) the trust of a cert
- *	adjusting the reference count of a cert
- */
-void
-CERT_LockDB(CERTCertDBHandle *handle);
-
-/*
- * Free the global cert database lock.
- */
-void
-CERT_UnlockDB(CERTCertDBHandle *handle);
-
-/*
- * Get the certificate status checking configuratino data for
- * the certificate database
- */
-CERTStatusConfig *
-CERT_GetStatusConfig(CERTCertDBHandle *handle);
-
-/*
- * Set the certificate status checking information for the
- * database.  The input structure becomes part of the certificate
- * database and will be freed by calling the 'Destroy' function in
- * the configuration object.
- */
-void
-CERT_SetStatusConfig(CERTCertDBHandle *handle, CERTStatusConfig *config);
-
-
-
-/*
- * Acquire the cert reference count lock
- * There is currently one global lock for all certs, but I'm putting a cert
- * arg here so that it will be easy to make it per-cert in the future if
- * that turns out to be necessary.
- */
-void
-CERT_LockCertRefCount(CERTCertificate *cert);
-
-/*
- * Free the cert reference count lock
- */
-void
-CERT_UnlockCertRefCount(CERTCertificate *cert);
-
-/*
- * Acquire the cert trust lock
- * There is currently one global lock for all certs, but I'm putting a cert
- * arg here so that it will be easy to make it per-cert in the future if
- * that turns out to be necessary.
- */
-void
-CERT_LockCertTrust(CERTCertificate *cert);
-
-/*
- * Free the cert trust lock
- */
-void
-CERT_UnlockCertTrust(CERTCertificate *cert);
-
-/*
- * Digest the cert's subject public key using the specified algorithm.
- * The necessary storage for the digest data is allocated.  If "fill" is
- * non-null, the data is put there, otherwise a SECItem is allocated.
- * Allocation from "arena" if it is non-null, heap otherwise.  Any problem
- * results in a NULL being returned (and an appropriate error set).
- */ 
-extern SECItem *
-CERT_SPKDigestValueForCert(PRArenaPool *arena, CERTCertificate *cert,
-			   SECOidTag digestAlg, SECItem *fill);
-
-/*
- * fill in nsCertType field of the cert based on the cert extension
- */
-extern SECStatus cert_GetCertType(CERTCertificate *cert);
-
-
-SECStatus CERT_CheckCRL(CERTCertificate* cert, CERTCertificate* issuer,
-                        SECItem* dp, int64 t, void* wincx);
-
-
-SEC_END_PROTOS
-
-#endif /* _CERT_H_ */
diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c
deleted file mode 100644
index 9c5c22f31..000000000
--- a/security/nss/lib/certdb/certdb.c
+++ /dev/null
@@ -1,2982 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *    Aaron Spangler <aaron@spangler.ods.org>
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Certificate handling code
- *
- * $Id$
- */
-
-#include "nssilock.h"
-#include "prmon.h"
-#include "prtime.h"
-#include "cert.h"
-#include "certi.h"
-#include "secder.h"
-#include "secoid.h"
-#include "secasn1.h"
-#include "genname.h"
-#include "keyhi.h"
-#include "secitem.h"
-#include "mcom_db.h"
-#include "certdb.h"
-#include "prprf.h"
-#include "sechash.h"
-#include "prlong.h"
-#include "certxutl.h"
-#include "portreg.h"
-#include "secerr.h"
-#include "sslerr.h"
-#include "nsslocks.h"
-#include "pk11func.h"
-#include "xconst.h"   /* for  CERT_DecodeAltNameExtension */
-
-#ifndef NSS_3_4_CODE
-#define NSS_3_4_CODE
-#endif /* NSS_3_4_CODE */
-#include "pki.h"
-#include "pki3hack.h"
-
-/*
- * Certificate database handling code
- */
-
-
-const SEC_ASN1Template CERT_CertExtensionTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTCertExtension) },
-    { SEC_ASN1_OBJECT_ID,
-	  offsetof(CERTCertExtension,id) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN,		/* XXX DER_DEFAULT */
-	  offsetof(CERTCertExtension,critical) },
-    { SEC_ASN1_OCTET_STRING,
-	  offsetof(CERTCertExtension,value) },
-    { 0, }
-};
-
-const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF, 0, CERT_CertExtensionTemplate }
-};
-
-const SEC_ASN1Template CERT_CertificateTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-      0, NULL, sizeof(CERTCertificate) },
-    { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | 
-	  SEC_ASN1_CONTEXT_SPECIFIC | 0, 		/* XXX DER_DEFAULT */ 
-	  offsetof(CERTCertificate,version),
-	  SEC_IntegerTemplate },
-    { SEC_ASN1_INTEGER,
-	  offsetof(CERTCertificate,serialNumber) },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTCertificate,signature),
-	  SECOID_AlgorithmIDTemplate },
-    { SEC_ASN1_SAVE, 
-	  offsetof(CERTCertificate,derIssuer) },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTCertificate,issuer),
-	  CERT_NameTemplate },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTCertificate,validity),
-	  CERT_ValidityTemplate },
-    { SEC_ASN1_SAVE,
-	  offsetof(CERTCertificate,derSubject) },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTCertificate,subject),
-	  CERT_NameTemplate },
-    { SEC_ASN1_SAVE,
-	  offsetof(CERTCertificate,derPublicKey) },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTCertificate,subjectPublicKeyInfo),
-	  CERT_SubjectPublicKeyInfoTemplate },
-    { SEC_ASN1_OPTIONAL |  SEC_ASN1_CONTEXT_SPECIFIC | 1,
-	  offsetof(CERTCertificate,issuerID),
-	  SEC_BitStringTemplate },
-    { SEC_ASN1_OPTIONAL |  SEC_ASN1_CONTEXT_SPECIFIC | 2,
-	  offsetof(CERTCertificate,subjectID),
-	  SEC_BitStringTemplate },
-    { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | 
-	  SEC_ASN1_CONTEXT_SPECIFIC | 3,
-	  offsetof(CERTCertificate,extensions),
-	  CERT_SequenceOfCertExtensionTemplate },
-    { 0 }
-};
-
-const SEC_ASN1Template SEC_SignedCertificateTemplate[] =
-{
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTCertificate) },
-    { SEC_ASN1_SAVE, 
-	  offsetof(CERTCertificate,signatureWrap.data) },
-    { SEC_ASN1_INLINE, 
-	  0, CERT_CertificateTemplate },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTCertificate,signatureWrap.signatureAlgorithm),
-	  SECOID_AlgorithmIDTemplate },
-    { SEC_ASN1_BIT_STRING,
-	  offsetof(CERTCertificate,signatureWrap.signature) },
-    { 0 }
-};
-
-/*
- * Find the subjectName in a DER encoded certificate
- */
-const SEC_ASN1Template SEC_CertSubjectTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(SECItem) },
-    { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | 
-	  SEC_ASN1_CONTEXT_SPECIFIC | 0,
-	  0, SEC_SkipTemplate },	/* version */
-    { SEC_ASN1_SKIP },		/* serial number */
-    { SEC_ASN1_SKIP },		/* signature algorithm */
-    { SEC_ASN1_SKIP },		/* issuer */
-    { SEC_ASN1_SKIP },		/* validity */
-    { SEC_ASN1_ANY, 0, NULL },		/* subject */
-    { SEC_ASN1_SKIP_REST },
-    { 0 }
-};
-
-/*
- * Find the issuerName in a DER encoded certificate
- */
-const SEC_ASN1Template SEC_CertIssuerTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(SECItem) },
-    { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | 
-	  SEC_ASN1_CONTEXT_SPECIFIC | 0,
-	  0, SEC_SkipTemplate },	/* version */
-    { SEC_ASN1_SKIP },		/* serial number */
-    { SEC_ASN1_SKIP },		/* signature algorithm */
-    { SEC_ASN1_ANY, 0, NULL },		/* issuer */
-    { SEC_ASN1_SKIP_REST },
-    { 0 }
-};
-/*
- * Find the subjectName in a DER encoded certificate
- */
-const SEC_ASN1Template SEC_CertSerialNumberTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(SECItem) },
-    { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | 
-	  SEC_ASN1_CONTEXT_SPECIFIC | 0,
-	  0, SEC_SkipTemplate },	/* version */
-    { SEC_ASN1_ANY, 0, NULL }, /* serial number */
-    { SEC_ASN1_SKIP_REST },
-    { 0 }
-};
-
-/*
- * Find the issuer and serialNumber in a DER encoded certificate.
- * This data is used as the database lookup key since its the unique
- * identifier of a certificate.
- */
-const SEC_ASN1Template CERT_CertKeyTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTCertKey) },
-    { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | 
-	  SEC_ASN1_CONTEXT_SPECIFIC | 0,
-	  0, SEC_SkipTemplate },	/* version */ 
-    { SEC_ASN1_INTEGER,
-	  offsetof(CERTCertKey,serialNumber) },
-    { SEC_ASN1_SKIP },		/* signature algorithm */
-    { SEC_ASN1_ANY,
-	  offsetof(CERTCertKey,derIssuer) },
-    { SEC_ASN1_SKIP_REST },
-    { 0 }
-};
-
-SEC_ASN1_CHOOSER_IMPLEMENT(CERT_CertificateTemplate)
-SEC_ASN1_CHOOSER_IMPLEMENT(SEC_SignedCertificateTemplate)
-SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SequenceOfCertExtensionTemplate)
-
-SECStatus
-CERT_KeyFromIssuerAndSN(PRArenaPool *arena, SECItem *issuer, SECItem *sn,
-			SECItem *key)
-{
-    key->len = sn->len + issuer->len;
-
-    if ((sn->data == NULL) || (issuer->data == NULL)) {
-	goto loser;
-    }
-    
-    key->data = (unsigned char*)PORT_ArenaAlloc(arena, key->len);
-    if ( !key->data ) {
-	goto loser;
-    }
-
-    /* copy the serialNumber */
-    PORT_Memcpy(key->data, sn->data, sn->len);
-
-    /* copy the issuer */
-    PORT_Memcpy(&key->data[sn->len], issuer->data, issuer->len);
-
-    return(SECSuccess);
-
-loser:
-    return(SECFailure);
-}
-
-
-/*
- * Extract the subject name from a DER certificate
- */
-SECStatus
-CERT_NameFromDERCert(SECItem *derCert, SECItem *derName)
-{
-    int rv;
-    PRArenaPool *arena;
-    CERTSignedData sd;
-    void *tmpptr;
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    
-    if ( ! arena ) {
-	return(SECFailure);
-    }
-   
-    PORT_Memset(&sd, 0, sizeof(CERTSignedData));
-    rv = SEC_QuickDERDecodeItem(arena, &sd, CERT_SignedDataTemplate, derCert);
-    
-    if ( rv ) {
-	goto loser;
-    }
-    
-    PORT_Memset(derName, 0, sizeof(SECItem));
-    rv = SEC_QuickDERDecodeItem(arena, derName, SEC_CertSubjectTemplate, &sd.data);
-
-    if ( rv ) {
-	goto loser;
-    }
-
-    tmpptr = derName->data;
-    derName->data = (unsigned char*)PORT_Alloc(derName->len);
-    if ( derName->data == NULL ) {
-	goto loser;
-    }
-    
-    PORT_Memcpy(derName->data, tmpptr, derName->len);
-    
-    PORT_FreeArena(arena, PR_FALSE);
-    return(SECSuccess);
-
-loser:
-    PORT_FreeArena(arena, PR_FALSE);
-    return(SECFailure);
-}
-
-SECStatus
-CERT_IssuerNameFromDERCert(SECItem *derCert, SECItem *derName)
-{
-    int rv;
-    PRArenaPool *arena;
-    CERTSignedData sd;
-    void *tmpptr;
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    
-    if ( ! arena ) {
-	return(SECFailure);
-    }
-   
-    PORT_Memset(&sd, 0, sizeof(CERTSignedData));
-    rv = SEC_QuickDERDecodeItem(arena, &sd, CERT_SignedDataTemplate, derCert);
-    
-    if ( rv ) {
-	goto loser;
-    }
-    
-    PORT_Memset(derName, 0, sizeof(SECItem));
-    rv = SEC_QuickDERDecodeItem(arena, derName, SEC_CertIssuerTemplate, &sd.data);
-
-    if ( rv ) {
-	goto loser;
-    }
-
-    tmpptr = derName->data;
-    derName->data = (unsigned char*)PORT_Alloc(derName->len);
-    if ( derName->data == NULL ) {
-	goto loser;
-    }
-    
-    PORT_Memcpy(derName->data, tmpptr, derName->len);
-    
-    PORT_FreeArena(arena, PR_FALSE);
-    return(SECSuccess);
-
-loser:
-    PORT_FreeArena(arena, PR_FALSE);
-    return(SECFailure);
-}
-
-SECStatus
-CERT_SerialNumberFromDERCert(SECItem *derCert, SECItem *derName)
-{
-    int rv;
-    PRArenaPool *arena;
-    CERTSignedData sd;
-    void *tmpptr;
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    
-    if ( ! arena ) {
-	return(SECFailure);
-    }
-   
-    PORT_Memset(&sd, 0, sizeof(CERTSignedData));
-    rv = SEC_QuickDERDecodeItem(arena, &sd, CERT_SignedDataTemplate, derCert);
-    
-    if ( rv ) {
-	goto loser;
-    }
-    
-    PORT_Memset(derName, 0, sizeof(SECItem));
-    rv = SEC_QuickDERDecodeItem(arena, derName, SEC_CertSerialNumberTemplate, &sd.data);
-
-    if ( rv ) {
-	goto loser;
-    }
-
-    tmpptr = derName->data;
-    derName->data = (unsigned char*)PORT_Alloc(derName->len);
-    if ( derName->data == NULL ) {
-	goto loser;
-    }
-    
-    PORT_Memcpy(derName->data, tmpptr, derName->len);
-    
-    PORT_FreeArena(arena, PR_FALSE);
-    return(SECSuccess);
-
-loser:
-    PORT_FreeArena(arena, PR_FALSE);
-    return(SECFailure);
-}
-
-/*
- * Generate a database key, based on serial number and issuer, from a
- * DER certificate.
- */
-SECStatus
-CERT_KeyFromDERCert(PRArenaPool *arena, SECItem *derCert, SECItem *key)
-{
-    int rv;
-    CERTSignedData sd;
-    CERTCertKey certkey;
-
-    PORT_Memset(&sd, 0, sizeof(CERTSignedData));
-    rv = SEC_ASN1DecodeItem(arena, &sd, CERT_SignedDataTemplate, derCert);
-    
-    if ( rv ) {
-	goto loser;
-    }
-    
-    PORT_Memset(&certkey, 0, sizeof(CERTCertKey));
-    rv = SEC_ASN1DecodeItem(arena, &certkey, CERT_CertKeyTemplate, &sd.data);
-
-    if ( rv ) {
-	goto loser;
-    }
-
-    return(CERT_KeyFromIssuerAndSN(arena, &certkey.derIssuer,
-				   &certkey.serialNumber, key));
-loser:
-    return(SECFailure);
-}
-
-/*
- * fill in keyUsage field of the cert based on the cert extension
- * if the extension is not critical, then we allow all uses
- */
-static SECStatus
-GetKeyUsage(CERTCertificate *cert)
-{
-    SECStatus rv;
-    SECItem tmpitem;
-    
-    rv = CERT_FindKeyUsageExtension(cert, &tmpitem);
-    if ( rv == SECSuccess ) {
-	/* remember the actual value of the extension */
-	cert->rawKeyUsage = tmpitem.data[0];
-	cert->keyUsagePresent = PR_TRUE;
-	cert->keyUsage = tmpitem.data[0];
-
-	PORT_Free(tmpitem.data);
-	tmpitem.data = NULL;
-	
-    } else {
-	/* if the extension is not present, then we allow all uses */
-	cert->keyUsage = KU_ALL;
-	cert->rawKeyUsage = KU_ALL;
-	cert->keyUsagePresent = PR_FALSE;
-    }
-
-    if ( CERT_GovtApprovedBitSet(cert) ) {
-	cert->keyUsage |= KU_NS_GOVT_APPROVED;
-	cert->rawKeyUsage |= KU_NS_GOVT_APPROVED;
-    }
-    
-    return(SECSuccess);
-}
-
-
-/*
- * determine if a fortezza V1 Cert is a CA or not.
- */
-static PRBool
-fortezzaIsCA( CERTCertificate *cert) {
-    PRBool isCA = PR_FALSE;
-    CERTSubjectPublicKeyInfo *spki = &cert->subjectPublicKeyInfo;
-    int tag;
-
-    tag = SECOID_GetAlgorithmTag(&spki->algorithm);
-    if ((tag == SEC_OID_MISSI_KEA_DSS_OLD) ||
-       (tag == SEC_OID_MISSI_KEA_DSS) ||
-       (tag == SEC_OID_MISSI_DSS_OLD) ||
-       (tag == SEC_OID_MISSI_DSS) ) {
-	SECItem rawkey;
-	unsigned char *rawptr;
-	unsigned char *end;
-	int len;
-
-	rawkey = spki->subjectPublicKey;
-	DER_ConvertBitString(&rawkey);
-	rawptr = rawkey.data;
-	end = rawkey.data + rawkey.len;
-
-	/* version */	
-	rawptr += sizeof(((SECKEYPublicKey*)0)->u.fortezza.KMID)+2;
-
-	/* clearance (the string up to the first byte with the hi-bit on */
-	while ((rawptr < end) && (*rawptr++ & 0x80));
-	if (rawptr >= end) { return PR_FALSE; }
-
-	/* KEAPrivilege (the string up to the first byte with the hi-bit on */
-	while ((rawptr < end) && (*rawptr++ & 0x80));
-	if (rawptr >= end) { return PR_FALSE; }
-
-	/* skip the key */
-	len = (*rawptr << 8) | rawptr[1];
-	rawptr += 2 + len;
-
-	/* shared key */
-	if (rawptr >= end) { return PR_FALSE; }
-	/* DSS Version is next */
-	rawptr += 2;
-
-	/* DSSPrivilege (the string up to the first byte with the hi-bit on */
-	if (*rawptr & 0x30) isCA = PR_TRUE;
-	
-   }
-   return isCA;
-}
-
-static SECStatus
-findOIDinOIDSeqByTagNum(CERTOidSequence *seq, SECOidTag tagnum)
-{
-    SECItem **oids;
-    SECItem *oid;
-    SECStatus rv = SECFailure;
-    
-    if (seq != NULL) {
-	oids = seq->oids;
-	while (oids != NULL && *oids != NULL) {
-	    oid = *oids;
-	    if (SECOID_FindOIDTag(oid) == tagnum) {
-		rv = SECSuccess;
-		break;
-	    }
-	    oids++;
-	}
-    }
-    return rv;
-}
-
-/*
- * fill in nsCertType field of the cert based on the cert extension
- */
-SECStatus
-cert_GetCertType(CERTCertificate *cert)
-{
-    SECStatus rv;
-    SECItem tmpitem;
-    SECItem encodedExtKeyUsage;
-    CERTOidSequence *extKeyUsage = NULL;
-    PRBool basicConstraintPresent = PR_FALSE;
-    CERTBasicConstraints basicConstraint;
-    unsigned int nsCertType = 0;
-
-    if (cert->nsCertType) {
-        /* once set, no need to recalculate */
-        return SECSuccess;
-    }
-
-    tmpitem.data = NULL;
-    CERT_FindNSCertTypeExtension(cert, &tmpitem);
-    encodedExtKeyUsage.data = NULL;
-    rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE, 
-				&encodedExtKeyUsage);
-    if (rv == SECSuccess) {
-	extKeyUsage = CERT_DecodeOidSequence(&encodedExtKeyUsage);
-    }
-    rv = CERT_FindBasicConstraintExten(cert, &basicConstraint);
-    if (rv == SECSuccess) {
-	basicConstraintPresent = PR_TRUE;
-    }
-    if (tmpitem.data != NULL || extKeyUsage != NULL) {
-	if (tmpitem.data == NULL) {
-	    nsCertType = 0;
-	} else {
-	    nsCertType = tmpitem.data[0];
-	}
-
-	/* free tmpitem data pointer to avoid memory leak */
-	PORT_Free(tmpitem.data);
-	tmpitem.data = NULL;
-	
-	/*
-	 * for this release, we will allow SSL certs with an email address
-	 * to be used for email
-	 */
-	if ( ( nsCertType & NS_CERT_TYPE_SSL_CLIENT ) &&
-	    cert->emailAddr && cert->emailAddr[0]) {
-	    nsCertType |= NS_CERT_TYPE_EMAIL;
-	}
-	/*
-	 * for this release, we will allow SSL intermediate CAs to be
-	 * email intermediate CAs too.
-	 */
-	if ( nsCertType & NS_CERT_TYPE_SSL_CA ) {
-	    nsCertType |= NS_CERT_TYPE_EMAIL_CA;
-	}
-	/*
-	 * allow a cert with the extended key usage of EMail Protect
-	 * to be used for email or as an email CA, if basic constraints
-	 * indicates that it is a CA.
-	 */
-	if (findOIDinOIDSeqByTagNum(extKeyUsage, 
-				    SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT) ==
-	    SECSuccess) {
-	    if (basicConstraintPresent == PR_TRUE &&
-		(basicConstraint.isCA)) {
-		nsCertType |= NS_CERT_TYPE_EMAIL_CA;
-	    } else {
-		nsCertType |= NS_CERT_TYPE_EMAIL;
-	    }
-	}
-	if (findOIDinOIDSeqByTagNum(extKeyUsage, 
-				    SEC_OID_EXT_KEY_USAGE_SERVER_AUTH) ==
-	    SECSuccess){
-	    if (basicConstraintPresent == PR_TRUE &&
-		(basicConstraint.isCA)) {
-		nsCertType |= NS_CERT_TYPE_SSL_CA;
-	    } else {
-		nsCertType |= NS_CERT_TYPE_SSL_SERVER;
-	    }
-	}
-	/* Treat certs with step-up OID as also having SSL server type. */
-	if (findOIDinOIDSeqByTagNum(extKeyUsage, 
-				    SEC_OID_NS_KEY_USAGE_GOVT_APPROVED) ==
-	    SECSuccess){
-	    if (basicConstraintPresent == PR_TRUE &&
-		(basicConstraint.isCA)) {
-		nsCertType |= NS_CERT_TYPE_SSL_CA;
-	    } else {
-		nsCertType |= NS_CERT_TYPE_SSL_SERVER;
-	    }
-	}
-	if (findOIDinOIDSeqByTagNum(extKeyUsage,
-				    SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH) ==
-	    SECSuccess){
-	    if (basicConstraintPresent == PR_TRUE &&
-		(basicConstraint.isCA)) {
-		nsCertType |= NS_CERT_TYPE_SSL_CA;
-	    } else {
-		nsCertType |= NS_CERT_TYPE_SSL_CLIENT;
-	    }
-	}
-	if (findOIDinOIDSeqByTagNum(extKeyUsage,
-				    SEC_OID_EXT_KEY_USAGE_CODE_SIGN) ==
-	    SECSuccess) {
-	    if (basicConstraintPresent == PR_TRUE &&
-		(basicConstraint.isCA)) {
-		nsCertType |= NS_CERT_TYPE_OBJECT_SIGNING_CA;
-	    } else {
-		nsCertType |= NS_CERT_TYPE_OBJECT_SIGNING;
-	    }
-	}
-	if (findOIDinOIDSeqByTagNum(extKeyUsage,
-				    SEC_OID_EXT_KEY_USAGE_TIME_STAMP) ==
-	    SECSuccess) {
-	    nsCertType |= EXT_KEY_USAGE_TIME_STAMP;
-	}
-	if (findOIDinOIDSeqByTagNum(extKeyUsage,
-				    SEC_OID_OCSP_RESPONDER) == 
-	    SECSuccess) {
-	    nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER;
-	}
-    } else {
-	/* if no extension, then allow any ssl or email (no ca or object
-	 * signing)
-	 */
-	nsCertType = NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER |
-	    NS_CERT_TYPE_EMAIL;
-
-	/* if the basic constraint extension says the cert is a CA, then
-	   allow SSL CA and EMAIL CA and Status Responder */
-	if ((basicConstraintPresent == PR_TRUE)
-	    && (basicConstraint.isCA)) {
-		nsCertType |= NS_CERT_TYPE_SSL_CA;
-		nsCertType |= NS_CERT_TYPE_EMAIL_CA;
-		nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER;
-	} else if (CERT_IsCACert(cert, NULL) == PR_TRUE) {
-		nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER;
-	}
-
-	/* if the cert is a fortezza CA cert, then allow SSL CA and EMAIL CA */
-	if (fortezzaIsCA(cert)) {
-		nsCertType |= NS_CERT_TYPE_SSL_CA;
-		nsCertType |= NS_CERT_TYPE_EMAIL_CA;
-	}
-    }
-
-    if (encodedExtKeyUsage.data != NULL) {
-	PORT_Free(encodedExtKeyUsage.data);
-    }
-    if (extKeyUsage != NULL) {
-	CERT_DestroyOidSequence(extKeyUsage);
-    }
-    /* Assert that it is safe to cast &cert->nsCertType to "PRInt32 *" */
-    PORT_Assert(sizeof(cert->nsCertType) == sizeof(PRInt32));
-    PR_AtomicSet((PRInt32 *)&cert->nsCertType, nsCertType);
-    return(SECSuccess);
-}
-
-/*
- * cert_GetKeyID() - extract or generate the subjectKeyID from a certificate
- */
-SECStatus
-cert_GetKeyID(CERTCertificate *cert)
-{
-    SECItem tmpitem;
-    SECStatus rv;
-    SECKEYPublicKey *key;
-    
-    cert->subjectKeyID.len = 0;
-
-    /* see of the cert has a key identifier extension */
-    rv = CERT_FindSubjectKeyIDExtension(cert, &tmpitem);
-    if ( rv == SECSuccess ) {
-	cert->subjectKeyID.data = (unsigned char*) PORT_ArenaAlloc(cert->arena, tmpitem.len);
-	if ( cert->subjectKeyID.data != NULL ) {
-	    PORT_Memcpy(cert->subjectKeyID.data, tmpitem.data, tmpitem.len);
-	    cert->subjectKeyID.len = tmpitem.len;
-	    cert->keyIDGenerated = PR_FALSE;
-	}
-	
-	PORT_Free(tmpitem.data);
-    }
-    
-    /* if the cert doesn't have a key identifier extension and the cert is
-     * a V1 fortezza certificate, use the cert's 8 byte KMID as the
-     * key identifier.  */
-    key = CERT_KMIDPublicKey(cert);
-
-    if (key != NULL) {
-	
-	if (key->keyType == fortezzaKey) {
-
-	    cert->subjectKeyID.data = (unsigned char *)PORT_ArenaAlloc(cert->arena, 8);
-	    if ( cert->subjectKeyID.data != NULL ) {
-		PORT_Memcpy(cert->subjectKeyID.data, key->u.fortezza.KMID, 8);
-		cert->subjectKeyID.len = 8;
-		cert->keyIDGenerated = PR_FALSE;
-	    }
-	}
-		
-	SECKEY_DestroyPublicKey(key);
-    }
-
-    /* if the cert doesn't have a key identifier extension, then generate one*/
-    if ( cert->subjectKeyID.len == 0 ) {
-	/*
-	 * pkix says that if the subjectKeyID is not present, then we should
-	 * use the SHA-1 hash of the DER-encoded publicKeyInfo from the cert
-	 */
-	cert->subjectKeyID.data = (unsigned char *)PORT_ArenaAlloc(cert->arena, SHA1_LENGTH);
-	if ( cert->subjectKeyID.data != NULL ) {
-	    rv = PK11_HashBuf(SEC_OID_SHA1,cert->subjectKeyID.data,
-			      cert->derPublicKey.data,
-			      cert->derPublicKey.len);
-	    if ( rv == SECSuccess ) {
-		cert->subjectKeyID.len = SHA1_LENGTH;
-	    }
-	}
-    }
-
-    if ( cert->subjectKeyID.len == 0 ) {
-	return(SECFailure);
-    }
-    return(SECSuccess);
-
-}
-
-static PRBool
-cert_IsRootCert(CERTCertificate *cert)
-{
-    SECStatus rv;
-    SECItem tmpitem;
-
-    /* cache the authKeyID extension, if present */
-    cert->authKeyID = CERT_FindAuthKeyIDExten(cert->arena, cert);
-
-    /* it MUST be self-issued to be a root */
-    if (cert->derIssuer.len == 0 ||
-        !SECITEM_ItemsAreEqual(&cert->derIssuer, &cert->derSubject))
-    {
-	return PR_FALSE;
-    }
-
-    /* check the authKeyID extension */
-    if (cert->authKeyID) {
-	/* authority key identifier is present */
-	if (cert->authKeyID->keyID.len > 0) {
-	    /* the keyIdentifier field is set, look for subjectKeyID */
-	    rv = CERT_FindSubjectKeyIDExtension(cert, &tmpitem);
-	    if (rv == SECSuccess) {
-		PRBool match;
-		/* also present, they MUST match for it to be a root */
-		match = SECITEM_ItemsAreEqual(&cert->authKeyID->keyID,
-		                              &tmpitem);
-		PORT_Free(tmpitem.data);
-		if (!match) return PR_FALSE; /* else fall through */
-	    } else {
-		/* the subject key ID is required when AKI is present */
-		return PR_FALSE;
-	    }
-	}
-	if (cert->authKeyID->authCertIssuer) {
-	    SECItem *caName;
-	    caName = (SECItem *)CERT_GetGeneralNameByType(
-	                                  cert->authKeyID->authCertIssuer,
-	                                  certDirectoryName, PR_TRUE);
-	    if (caName) {
-		if (!SECITEM_ItemsAreEqual(&cert->derIssuer, caName)) {
-		    return PR_FALSE;
-		} /* else fall through */
-	    } /* else ??? could not get general name as directory name? */
-	}
-	if (cert->authKeyID->authCertSerialNumber.len > 0) {
-	    if (!SECITEM_ItemsAreEqual(&cert->serialNumber,
-	                         &cert->authKeyID->authCertSerialNumber)) {
-		return PR_FALSE;
-	    } /* else fall through */
-	}
-	/* all of the AKI fields that were present passed the test */
-	return PR_TRUE;
-    }
-    /* else the AKI was not present, so this is a root */
-    return PR_TRUE;
-}
-
-/*
- * take a DER certificate and decode it into a certificate structure
- */
-CERTCertificate *
-CERT_DecodeDERCertificate(SECItem *derSignedCert, PRBool copyDER,
-			 char *nickname)
-{
-    CERTCertificate *cert;
-    PRArenaPool *arena;
-    void *data;
-    int rv;
-    int len;
-    char *tmpname;
-    
-    /* make a new arena */
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    
-    if ( !arena ) {
-	return 0;
-    }
-
-    /* allocate the certificate structure */
-    cert = (CERTCertificate *)PORT_ArenaZAlloc(arena, sizeof(CERTCertificate));
-    
-    if ( !cert ) {
-	goto loser;
-    }
-    
-    cert->arena = arena;
-    
-    if ( copyDER ) {
-	/* copy the DER data for the cert into this arena */
-	data = (void *)PORT_ArenaAlloc(arena, derSignedCert->len);
-	if ( !data ) {
-	    goto loser;
-	}
-	cert->derCert.data = (unsigned char *)data;
-	cert->derCert.len = derSignedCert->len;
-	PORT_Memcpy(data, derSignedCert->data, derSignedCert->len);
-    } else {
-	/* point to passed in DER data */
-	cert->derCert = *derSignedCert;
-    }
-
-    /* decode the certificate info */
-    rv = SEC_QuickDERDecodeItem(arena, cert, SEC_SignedCertificateTemplate,
-		    &cert->derCert);
-
-    if ( rv ) {
-	goto loser;
-    }
-
-    if (cert_HasUnknownCriticalExten (cert->extensions) == PR_TRUE) {
-	PORT_SetError(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION);
-	goto loser;
-    }
-
-    /* generate and save the database key for the cert */
-    rv = CERT_KeyFromIssuerAndSN(arena, &cert->derIssuer, &cert->serialNumber,
-			&cert->certKey);
-    if ( rv ) {
-	goto loser;
-    }
-
-    /* set the nickname */
-    if ( nickname == NULL ) {
-	cert->nickname = NULL;
-    } else {
-	/* copy and install the nickname */
-	len = PORT_Strlen(nickname) + 1;
-	cert->nickname = (char*)PORT_ArenaAlloc(arena, len);
-	if ( cert->nickname == NULL ) {
-	    goto loser;
-	}
-
-	PORT_Memcpy(cert->nickname, nickname, len);
-    }
-
-    /* set the email address */
-    cert->emailAddr = cert_GetCertificateEmailAddresses(cert);
-    
-    /* initialize the subjectKeyID */
-    rv = cert_GetKeyID(cert);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    /* initialize keyUsage */
-    rv = GetKeyUsage(cert);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    /* initialize the certType */
-    rv = cert_GetCertType(cert);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    /* determine if this is a root cert */
-    cert->isRoot = cert_IsRootCert(cert);
-
-    tmpname = CERT_NameToAscii(&cert->subject);
-    if ( tmpname != NULL ) {
-	cert->subjectName = PORT_ArenaStrdup(cert->arena, tmpname);
-	PORT_Free(tmpname);
-    }
-    
-    tmpname = CERT_NameToAscii(&cert->issuer);
-    if ( tmpname != NULL ) {
-	cert->issuerName = PORT_ArenaStrdup(cert->arena, tmpname);
-	PORT_Free(tmpname);
-    }
-    
-    cert->referenceCount = 1;
-    cert->slot = NULL;
-    cert->pkcs11ID = CK_INVALID_HANDLE;
-    cert->dbnickname = NULL;
-    
-    return(cert);
-    
-loser:
-
-    if ( arena ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    
-    return(0);
-}
-
-CERTCertificate *
-__CERT_DecodeDERCertificate(SECItem *derSignedCert, PRBool copyDER,
-			 char *nickname)
-{
-    return CERT_DecodeDERCertificate(derSignedCert, copyDER, nickname);
-}
-
-
-/*
-** Amount of time that a certifiate is allowed good before it is actually
-** good. This is used for pending certificates, ones that are about to be
-** valid. The slop is designed to allow for some variance in the clocks
-** of the machine checking the certificate.
-*/
-#define PENDING_SLOP (24L*60L*60L)		/* seconds per day */
-static PRInt32 pendingSlop = PENDING_SLOP;	/* seconds */
-
-PRInt32
-CERT_GetSlopTime(void)
-{
-    return pendingSlop;			/* seconds */
-}
-
-SECStatus
-CERT_SetSlopTime(PRInt32 slop)		/* seconds */
-{
-    if (slop < 0)
-	return SECFailure;
-    pendingSlop = slop;
-    return SECSuccess;
-}
-
-SECStatus
-CERT_GetCertTimes(CERTCertificate *c, PRTime *notBefore, PRTime *notAfter)
-{
-    SECStatus rv;
-
-    if (!c || !notBefore || !notAfter) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-    
-    /* convert DER not-before time */
-    rv = DER_DecodeTimeChoice(notBefore, &c->validity.notBefore);
-    if (rv) {
-	return(SECFailure);
-    }
-    
-    /* convert DER not-after time */
-    rv = DER_DecodeTimeChoice(notAfter, &c->validity.notAfter);
-    if (rv) {
-	return(SECFailure);
-    }
-
-    return(SECSuccess);
-}
-
-/*
- * Check the validity times of a certificate
- */
-SECCertTimeValidity
-CERT_CheckCertValidTimes(CERTCertificate *c, PRTime t, PRBool allowOverride)
-{
-    PRTime notBefore, notAfter, llPendingSlop, tmp1;
-    SECStatus rv;
-
-    if (!c) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return(secCertTimeUndetermined);
-    }
-    /* if cert is already marked OK, then don't bother to check */
-    if ( allowOverride && c->timeOK ) {
-	return(secCertTimeValid);
-    }
-
-    rv = CERT_GetCertTimes(c, &notBefore, &notAfter);
-    
-    if (rv) {
-	return(secCertTimeExpired); /*XXX is this the right thing to do here?*/
-    }
-    
-    LL_I2L(llPendingSlop, pendingSlop);
-    /* convert to micro seconds */
-    LL_UI2L(tmp1, PR_USEC_PER_SEC);
-    LL_MUL(llPendingSlop, llPendingSlop, tmp1);
-    LL_SUB(notBefore, notBefore, llPendingSlop);
-    if ( LL_CMP( t, <, notBefore ) ) {
-	PORT_SetError(SEC_ERROR_EXPIRED_CERTIFICATE);
-	return(secCertTimeNotValidYet);
-    }
-    if ( LL_CMP( t, >, notAfter) ) {
-	PORT_SetError(SEC_ERROR_EXPIRED_CERTIFICATE);
-	return(secCertTimeExpired);
-    }
-
-    return(secCertTimeValid);
-}
-
-SECStatus
-SEC_GetCrlTimes(CERTCrl *date, PRTime *notBefore, PRTime *notAfter)
-{
-    int rv;
-    
-    /* convert DER not-before time */
-    rv = DER_DecodeTimeChoice(notBefore, &date->lastUpdate);
-    if (rv) {
-	return(SECFailure);
-    }
-    
-    /* convert DER not-after time */
-    if (date->nextUpdate.data) {
-	rv = DER_DecodeTimeChoice(notAfter, &date->nextUpdate);
-	if (rv) {
-	    return(SECFailure);
-	}
-    }
-    else {
-	LL_I2L(*notAfter, 0L);
-    }
-    return(SECSuccess);
-}
-
-/* These routines should probably be combined with the cert
- * routines using an common extraction routine.
- */
-SECCertTimeValidity
-SEC_CheckCrlTimes(CERTCrl *crl, PRTime t) {
-    PRTime notBefore, notAfter, llPendingSlop, tmp1;
-    SECStatus rv;
-
-    rv = SEC_GetCrlTimes(crl, &notBefore, &notAfter);
-    
-    if (rv) {
-	return(secCertTimeExpired); 
-    }
-
-    LL_I2L(llPendingSlop, pendingSlop);
-    /* convert to micro seconds */
-    LL_I2L(tmp1, PR_USEC_PER_SEC);
-    LL_MUL(llPendingSlop, llPendingSlop, tmp1);
-    LL_SUB(notBefore, notBefore, llPendingSlop);
-    if ( LL_CMP( t, <, notBefore ) ) {
-	return(secCertTimeNotValidYet);
-    }
-
-    /* If next update is omitted and the test for notBefore passes, then
-       we assume that the crl is up to date.
-     */
-    if ( LL_IS_ZERO(notAfter) ) {
-	return(secCertTimeValid);
-    }
-
-    if ( LL_CMP( t, >, notAfter) ) {
-	return(secCertTimeExpired);
-    }
-
-    return(secCertTimeValid);
-}
-
-PRBool
-SEC_CrlIsNewer(CERTCrl *inNew, CERTCrl *old) {
-    PRTime newNotBefore, newNotAfter;
-    PRTime oldNotBefore, oldNotAfter;
-    SECStatus rv;
-
-    /* problems with the new CRL? reject it */
-    rv = SEC_GetCrlTimes(inNew, &newNotBefore, &newNotAfter);
-    if (rv) return PR_FALSE;
-
-    /* problems with the old CRL? replace it */
-    rv = SEC_GetCrlTimes(old, &oldNotBefore, &oldNotAfter);
-    if (rv) return PR_TRUE;
-
-    /* Question: what about the notAfter's? */
-    return ((PRBool)LL_CMP(oldNotBefore, <, newNotBefore));
-}
-   
-/*
- * return required key usage and cert type based on cert usage 
- */
-SECStatus
-CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage,
-				 PRBool ca,
-				 unsigned int *retKeyUsage,
-				 unsigned int *retCertType)
-{
-    unsigned int requiredKeyUsage = 0;
-    unsigned int requiredCertType = 0;
-    
-    if ( ca ) {
-	switch ( usage ) {
-	  case certUsageSSLServerWithStepUp:
-	    requiredKeyUsage = KU_NS_GOVT_APPROVED | KU_KEY_CERT_SIGN;
-	    requiredCertType = NS_CERT_TYPE_SSL_CA;
-	    break;
-	  case certUsageSSLClient:
-	    requiredKeyUsage = KU_KEY_CERT_SIGN;
-	    requiredCertType = NS_CERT_TYPE_SSL_CA;
-	    break;
-	  case certUsageSSLServer:
-	    requiredKeyUsage = KU_KEY_CERT_SIGN;
-	    requiredCertType = NS_CERT_TYPE_SSL_CA;
-	    break;
-	  case certUsageSSLCA:
-	    requiredKeyUsage = KU_KEY_CERT_SIGN;
-	    requiredCertType = NS_CERT_TYPE_SSL_CA;
-	    break;
-	  case certUsageEmailSigner:
-	    requiredKeyUsage = KU_KEY_CERT_SIGN;
-	    requiredCertType = NS_CERT_TYPE_EMAIL_CA;
-	    break;
-	  case certUsageEmailRecipient:
-	    requiredKeyUsage = KU_KEY_CERT_SIGN;
-	    requiredCertType = NS_CERT_TYPE_EMAIL_CA;
-	    break;
-	  case certUsageObjectSigner:
-	    requiredKeyUsage = KU_KEY_CERT_SIGN;
-	    requiredCertType = NS_CERT_TYPE_OBJECT_SIGNING_CA;
-	    break;
-	  case certUsageAnyCA:
-	  case certUsageVerifyCA:
-	  case certUsageStatusResponder:
-	    requiredKeyUsage = KU_KEY_CERT_SIGN;
-	    requiredCertType = NS_CERT_TYPE_OBJECT_SIGNING_CA |
-		NS_CERT_TYPE_EMAIL_CA |
-		    NS_CERT_TYPE_SSL_CA;
-	    break;
-	  default:
-	    PORT_Assert(0);
-	    goto loser;
-	}
-    } else {
-	switch ( usage ) {
-	  case certUsageSSLClient:
-	    requiredKeyUsage = KU_DIGITAL_SIGNATURE;
-	    requiredCertType = NS_CERT_TYPE_SSL_CLIENT;
-	    break;
-	  case certUsageSSLServer:
-	    requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT;
-	    requiredCertType = NS_CERT_TYPE_SSL_SERVER;
-	    break;
-	  case certUsageSSLServerWithStepUp:
-	    requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT |
-		KU_NS_GOVT_APPROVED;
-	    requiredCertType = NS_CERT_TYPE_SSL_SERVER;
-	    break;
-	  case certUsageSSLCA:
-	    requiredKeyUsage = KU_KEY_CERT_SIGN;
-	    requiredCertType = NS_CERT_TYPE_SSL_CA;
-	    break;
-	  case certUsageEmailSigner:
-	    requiredKeyUsage = KU_DIGITAL_SIGNATURE;
-	    requiredCertType = NS_CERT_TYPE_EMAIL;
-	    break;
-	  case certUsageEmailRecipient:
-	    requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT;
-	    requiredCertType = NS_CERT_TYPE_EMAIL;
-	    break;
-	  case certUsageObjectSigner:
-	    requiredKeyUsage = KU_DIGITAL_SIGNATURE;
-	    requiredCertType = NS_CERT_TYPE_OBJECT_SIGNING;
-	    break;
-	  case certUsageStatusResponder:
-	    requiredKeyUsage = KU_DIGITAL_SIGNATURE;
-	    requiredCertType = EXT_KEY_USAGE_STATUS_RESPONDER;
-	    break;
-	  default:
-	    PORT_Assert(0);
-	    goto loser;
-	}
-    }
-
-    if ( retKeyUsage != NULL ) {
-	*retKeyUsage = requiredKeyUsage;
-    }
-    if ( retCertType != NULL ) {
-	*retCertType = requiredCertType;
-    }
-
-    return(SECSuccess);
-loser:
-    return(SECFailure);
-}
-
-/*
- * check the key usage of a cert against a set of required values
- */
-SECStatus
-CERT_CheckKeyUsage(CERTCertificate *cert, unsigned int requiredUsage)
-{
-    unsigned int certKeyUsage;
-
-    if (!cert) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    /* choose between key agreement or key encipherment based on key
-     * type in cert
-     */
-    if ( requiredUsage & KU_KEY_AGREEMENT_OR_ENCIPHERMENT ) {
-	KeyType keyType = CERT_GetCertKeyType(&cert->subjectPublicKeyInfo);
-	/* turn off the special bit */
-	requiredUsage &= (~KU_KEY_AGREEMENT_OR_ENCIPHERMENT);
-
-	switch (keyType) {
-	case rsaKey:
-	    requiredUsage |= KU_KEY_ENCIPHERMENT;
-	    break;
-	case dsaKey:
-	    requiredUsage |= KU_DIGITAL_SIGNATURE;
-	    break;
-	case fortezzaKey:
-	case keaKey:
-	case dhKey:
-	    requiredUsage |= KU_KEY_AGREEMENT;
-	    break;
-	case ecKey:
-	    /* Accept either signature or agreement. */
-	    if (!(cert->keyUsage & (KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT)))
-		 goto loser;
-	    break;
-	default:
-	    goto loser;
-	}
-    }
-
-    certKeyUsage = cert->keyUsage;
-    if (certKeyUsage & KU_NON_REPUDIATION)
-        certKeyUsage |= KU_DIGITAL_SIGNATURE;
-    if ( (certKeyUsage & requiredUsage) == requiredUsage ) 
-    	return SECSuccess;
-
-loser:
-    PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
-    return SECFailure;
-}
-
-
-CERTCertificate *
-CERT_DupCertificate(CERTCertificate *c)
-{
-    if (c) {
-#ifdef NSS_CLASSIC
-	CERT_LockCertRefCount(c);
-	++c->referenceCount;
-	CERT_UnlockCertRefCount(c);
-#else
-	NSSCertificate *tmp = STAN_GetNSSCertificate(c);
-	nssCertificate_AddRef(tmp);
-#endif
-    }
-    return c;
-}
-
-/*
- * Allow use of default cert database, so that apps(such as mozilla) don't
- * have to pass the handle all over the place.
- */
-static CERTCertDBHandle *default_cert_db_handle = 0;
-
-void
-CERT_SetDefaultCertDB(CERTCertDBHandle *handle)
-{
-    default_cert_db_handle = handle;
-    
-    return;
-}
-
-CERTCertDBHandle *
-CERT_GetDefaultCertDB(void)
-{
-    return(default_cert_db_handle);
-}
-
-/* XXX this would probably be okay/better as an xp routine? */
-static void
-sec_lower_string(char *s)
-{
-    if ( s == NULL ) {
-	return;
-    }
-    
-    while ( *s ) {
-	*s = PORT_Tolower(*s);
-	s++;
-    }
-    
-    return;
-}
-
-/*
-** Add a domain name to the list of names that the user has explicitly
-** allowed (despite cert name mismatches) for use with a server cert.
-*/
-SECStatus
-CERT_AddOKDomainName(CERTCertificate *cert, const char *hn)
-{
-    CERTOKDomainName *domainOK;
-    int	       newNameLen;
-
-    if (!hn || !(newNameLen = strlen(hn))) {
-    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    domainOK = (CERTOKDomainName *)PORT_ArenaZAlloc(cert->arena, 
-				  (sizeof *domainOK) + newNameLen);
-    if (!domainOK) 
-    	return SECFailure;	/* error code is already set. */
-
-    PORT_Strcpy(domainOK->name, hn);
-    sec_lower_string(domainOK->name);
-
-    /* put at head of list. */
-    domainOK->next = cert->domainOK;
-    cert->domainOK = domainOK;
-    return SECSuccess;
-}
-
-/* returns SECSuccess if hn matches pattern cn,
-** returns SECFailure with SSL_ERROR_BAD_CERT_DOMAIN if no match,
-** returns SECFailure with some other error code if another error occurs.
-**
-** may modify cn, so caller must pass a modifiable copy.
-*/
-static SECStatus
-cert_TestHostName(char * cn, const char * hn)
-{
-    int regvalid = PORT_RegExpValid(cn);
-    if (regvalid != NON_SXP) {
-	SECStatus rv;
-	/* cn is a regular expression, try to match the shexp */
-	int match = PORT_RegExpCaseSearch(hn, cn);
-
-	if ( match == 0 ) {
-	    rv = SECSuccess;
-	} else {
-	    PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
-	    rv = SECFailure;
-	}
-	return rv;
-    } 
-    /* cn is not a regular expression */
-
-    /* compare entire hn with cert name */
-    if (PORT_Strcasecmp(hn, cn) == 0) {
-	return SECSuccess;
-    }
-	    
-    PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
-    return SECFailure;
-}
-
-
-SECStatus
-cert_VerifySubjectAltName(CERTCertificate *cert, const char *hn)
-{
-    PRArenaPool *     arena          = NULL;
-    CERTGeneralName * nameList       = NULL;
-    CERTGeneralName * current;
-    char *            cn;
-    int               cnBufLen;
-    unsigned int      hnLen;
-    int               DNSextCount    = 0;
-    int               IPextCount     = 0;
-    PRBool            isIPaddr;
-    SECStatus         rv             = SECFailure;
-    SECItem           subAltName;
-    PRNetAddr         netAddr;
-    char              cnbuf[128];
-
-    subAltName.data = NULL;
-    hnLen    = strlen(hn);
-    cn       = cnbuf;
-    cnBufLen = sizeof cnbuf;
-
-    rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, 
-				&subAltName);
-    if (rv != SECSuccess) {
-	goto finish;
-    }
-    isIPaddr = (PR_SUCCESS == PR_StringToNetAddr(hn, &netAddr));
-    rv = SECFailure;
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (!arena) 
-	goto finish;
-
-    nameList = current = CERT_DecodeAltNameExtension(arena, &subAltName);
-    if (!current)
-    	goto finish;
-
-    do {
-	switch (current->type) {
-	case certDNSName:
-	    if (!isIPaddr) {
-		/* DNS name current->name.other.data is not null terminated.
-		** so must copy it.  
-		*/
-		int cnLen = current->name.other.len;
-		if (cnLen + 1 > cnBufLen) {
-		    cnBufLen = cnLen + 1;
-		    cn = (char *)PORT_ArenaAlloc(arena, cnBufLen);
-		    if (!cn)
-			goto finish;
-		}
-		PORT_Memcpy(cn, current->name.other.data, cnLen);
-		cn[cnLen] = 0;
-		rv = cert_TestHostName(cn ,hn);
-		if (rv == SECSuccess)
-		    goto finish;
-	    }
-	    DNSextCount++;
-	    break;
-	case certIPAddress:
-	    if (isIPaddr) {
-		int match = 0;
-		PRIPv6Addr v6Addr;
-		if (current->name.other.len == 4 &&         /* IP v4 address */
-		    netAddr.inet.family == PR_AF_INET) {
-		    match = !memcmp(&netAddr.inet.ip, 
-		                    current->name.other.data, 4);
-		} else if (current->name.other.len == 16 && /* IP v6 address */
-		    netAddr.ipv6.family == PR_AF_INET6) {
-		    match = !memcmp(&netAddr.ipv6.ip,
-		                     current->name.other.data, 16);
-		} else if (current->name.other.len == 16 && /* IP v6 address */
-		    netAddr.inet.family == PR_AF_INET) {
-		    /* convert netAddr to ipv6, then compare. */
-		    /* ipv4 must be in Network Byte Order on input. */
-		    PR_ConvertIPv4AddrToIPv6(netAddr.inet.ip, &v6Addr);
-		    match = !memcmp(&v6Addr, current->name.other.data, 16);
-		} else if (current->name.other.len == 4 &&  /* IP v4 address */
-		    netAddr.inet.family == PR_AF_INET6) {
-		    /* convert netAddr to ipv6, then compare. */
-		    PRUint32 ipv4 = (current->name.other.data[0] << 24) |
-		                    (current->name.other.data[1] << 16) |
-				    (current->name.other.data[2] <<  8) |
-				     current->name.other.data[3];
-		    /* ipv4 must be in Network Byte Order on input. */
-		    PR_ConvertIPv4AddrToIPv6(PR_htonl(ipv4), &v6Addr);
-		    match = !memcmp(&netAddr.ipv6.ip, &v6Addr, 16);
-		} 
-		if (match) {
-		    rv = SECSuccess;
-		    goto finish;
-		}
-	    }
-	    IPextCount++;
-	    break;
-	default:
-	    break;
-	}
-	current = CERT_GetNextGeneralName(current);
-    } while (current != nameList);
-
-    if ((!isIPaddr && !DNSextCount) || (isIPaddr && !IPextCount)) {
-	/* no relevant value in the extension was found. */
-	PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND);
-    } else {
-	PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
-    }
-    rv = SECFailure;
-
-finish:
-
-    /* Don't free nameList, it's part of the arena. */
-    if (arena) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-
-    if (subAltName.data) {
-	SECITEM_FreeItem(&subAltName, PR_FALSE);
-    }
-
-    return rv;
-}
-
-
-/* Make sure that the name of the host we are connecting to matches the
- * name that is incoded in the common-name component of the certificate
- * that they are using.
- */
-SECStatus
-CERT_VerifyCertName(CERTCertificate *cert, const char *hn)
-{
-    char *    cn;
-    SECStatus rv;
-    CERTOKDomainName *domainOK;
-
-    if (!hn || !strlen(hn)) {
-    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    /* if the name is one that the user has already approved, it's OK. */
-    for (domainOK = cert->domainOK; domainOK; domainOK = domainOK->next) {
-	if (0 == PORT_Strcasecmp(hn, domainOK->name)) {
-	    return SECSuccess;
-    	}
-    }
-
-    /* Per RFC 2818, if the SubjectAltName extension is present, it must
-    ** be used as the cert's identity.
-    */
-    rv = cert_VerifySubjectAltName(cert, hn);
-    if (rv == SECSuccess || PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND)
-    	return rv;
-
-    /* try the cert extension first, then the common name */
-    cn = CERT_FindNSStringExtension(cert, SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME);
-    if ( !cn ) {
-	cn = CERT_GetCommonName(&cert->subject);
-    }
-    if ( cn ) {
-	rv = cert_TestHostName(cn, hn);
-	PORT_Free(cn);
-    } else 
-	PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
-    return rv;
-}
-
-PRBool
-CERT_CompareCerts(CERTCertificate *c1, CERTCertificate *c2)
-{
-    SECComparison comp;
-    
-    comp = SECITEM_CompareItem(&c1->derCert, &c2->derCert);
-    if ( comp == SECEqual ) { /* certs are the same */
-	return(PR_TRUE);
-    } else {
-	return(PR_FALSE);
-    }
-}
-
-static SECStatus
-StringsEqual(char *s1, char *s2) {
-    if ( ( s1 == NULL ) || ( s2 == NULL ) ) {
-	if ( s1 != s2 ) { /* only one is null */
-	    return(SECFailure);
-	}
-	return(SECSuccess); /* both are null */
-    }
-	
-    if ( PORT_Strcmp( s1, s2 ) != 0 ) {
-	return(SECFailure); /* not equal */
-    }
-
-    return(SECSuccess); /* strings are equal */
-}
-
-
-PRBool
-CERT_CompareCertsForRedirection(CERTCertificate *c1, CERTCertificate *c2)
-{
-    SECComparison comp;
-    char *c1str, *c2str;
-    SECStatus eq;
-    
-    comp = SECITEM_CompareItem(&c1->derCert, &c2->derCert);
-    if ( comp == SECEqual ) { /* certs are the same */
-	return(PR_TRUE);
-    }
-	
-    /* check if they are issued by the same CA */
-    comp = SECITEM_CompareItem(&c1->derIssuer, &c2->derIssuer);
-    if ( comp != SECEqual ) { /* different issuer */
-	return(PR_FALSE);
-    }
-
-    /* check country name */
-    c1str = CERT_GetCountryName(&c1->subject);
-    c2str = CERT_GetCountryName(&c2->subject);
-    eq = StringsEqual(c1str, c2str);
-    PORT_Free(c1str);
-    PORT_Free(c2str);
-    if ( eq != SECSuccess ) {
-	return(PR_FALSE);
-    }
-
-    /* check locality name */
-    c1str = CERT_GetLocalityName(&c1->subject);
-    c2str = CERT_GetLocalityName(&c2->subject);
-    eq = StringsEqual(c1str, c2str);
-    PORT_Free(c1str);
-    PORT_Free(c2str);
-    if ( eq != SECSuccess ) {
-	return(PR_FALSE);
-    }
-	
-    /* check state name */
-    c1str = CERT_GetStateName(&c1->subject);
-    c2str = CERT_GetStateName(&c2->subject);
-    eq = StringsEqual(c1str, c2str);
-    PORT_Free(c1str);
-    PORT_Free(c2str);
-    if ( eq != SECSuccess ) {
-	return(PR_FALSE);
-    }
-
-    /* check org name */
-    c1str = CERT_GetOrgName(&c1->subject);
-    c2str = CERT_GetOrgName(&c2->subject);
-    eq = StringsEqual(c1str, c2str);
-    PORT_Free(c1str);
-    PORT_Free(c2str);
-    if ( eq != SECSuccess ) {
-	return(PR_FALSE);
-    }
-
-#ifdef NOTDEF	
-    /* check orgUnit name */
-    /*
-     * We need to revisit this and decide which fields should be allowed to be
-     * different
-     */
-    c1str = CERT_GetOrgUnitName(&c1->subject);
-    c2str = CERT_GetOrgUnitName(&c2->subject);
-    eq = StringsEqual(c1str, c2str);
-    PORT_Free(c1str);
-    PORT_Free(c2str);
-    if ( eq != SECSuccess ) {
-	return(PR_FALSE);
-    }
-#endif
-
-    return(PR_TRUE); /* all fields but common name are the same */
-}
-
-
-/* CERT_CertChainFromCert and CERT_DestroyCertificateList moved
-   to certhigh.c */
-
-
-CERTIssuerAndSN *
-CERT_GetCertIssuerAndSN(PRArenaPool *arena, CERTCertificate *cert)
-{
-    CERTIssuerAndSN *result;
-    SECStatus rv;
-
-    if ( arena == NULL ) {
-	arena = cert->arena;
-    }
-    
-    result = (CERTIssuerAndSN*)PORT_ArenaZAlloc(arena, sizeof(*result));
-    if (result == NULL) {
-	PORT_SetError (SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    rv = SECITEM_CopyItem(arena, &result->derIssuer, &cert->derIssuer);
-    if (rv != SECSuccess)
-	return NULL;
-
-    rv = CERT_CopyName(arena, &result->issuer, &cert->issuer);
-    if (rv != SECSuccess)
-	return NULL;
-
-    rv = SECITEM_CopyItem(arena, &result->serialNumber, &cert->serialNumber);
-    if (rv != SECSuccess)
-	return NULL;
-
-    return result;
-}
-
-char *
-CERT_MakeCANickname(CERTCertificate *cert)
-{
-    char *firstname = NULL;
-    char *org = NULL;
-    char *nickname = NULL;
-    int count;
-    CERTCertificate *dummycert;
-    CERTCertDBHandle *handle;
-    
-    handle = cert->dbhandle;
-    
-    nickname = CERT_GetNickName(cert, handle, cert->arena);
-    if (nickname == NULL) {
-	firstname = CERT_GetCommonName(&cert->subject);
-	if ( firstname == NULL ) {
-	    firstname = CERT_GetOrgUnitName(&cert->subject);
-	}
-
-	org = CERT_GetOrgName(&cert->issuer);
-	if (org == NULL) {
-	    org = CERT_GetDomainComponentName(&cert->issuer);
-	    if (org == NULL) {
-		if (firstname) {
-		    org = firstname;
-		    firstname = NULL;
-		} else {
-		    org = PORT_Strdup("Unknown CA");
-		}
-	    }
-	}
-
-	/* can only fail if PORT_Strdup fails, in which case
-	 * we're having memory problems. */
-	if (org == NULL) {
-	    goto loser;
-	}
-
-    
-	count = 1;
-	while ( 1 ) {
-
-	    if ( firstname ) {
-		if ( count == 1 ) {
-		    nickname = PR_smprintf("%s - %s", firstname, org);
-		} else {
-		    nickname = PR_smprintf("%s - %s #%d", firstname, org, count);
-		}
-	    } else {
-		if ( count == 1 ) {
-		    nickname = PR_smprintf("%s", org);
-		} else {
-		    nickname = PR_smprintf("%s #%d", org, count);
-		}
-	    }
-	    if ( nickname == NULL ) {
-		goto loser;
-	    }
-
-	    /* look up the nickname to make sure it isn't in use already */
-	    dummycert = CERT_FindCertByNickname(handle, nickname);
-
-	    if ( dummycert == NULL ) {
-		goto done;
-	    }
-	
-	    /* found a cert, destroy it and loop */
-	    CERT_DestroyCertificate(dummycert);
-
-	    /* free the nickname */
-	    PORT_Free(nickname);
-
-	    count++;
-	}
-    }
-loser:
-    if ( nickname ) {
-	PORT_Free(nickname);
-    }
-
-    nickname = "";
-    
-done:
-    if ( firstname ) {
-	PORT_Free(firstname);
-    }
-    if ( org ) {
-	PORT_Free(org);
-    }
-    
-    return(nickname);
-}
-
-/* CERT_Import_CAChain moved to certhigh.c */
-
-void
-CERT_DestroyCrl (CERTSignedCrl *crl)
-{
-    SEC_DestroyCrl (crl);
-}
-
-
-
-/*
- * Does a cert belong to a CA?  We decide based on perm database trust
- * flags, Netscape Cert Type Extension, and KeyUsage Extension.
- */
-PRBool
-CERT_IsCACert(CERTCertificate *cert, unsigned int *rettype)
-{
-    CERTCertTrust *trust;
-    SECStatus rv;
-    unsigned int type;
-    PRBool ret;
-
-    ret = PR_FALSE;
-    type = 0;
-
-    if ( cert->trust && (cert->trust->sslFlags|cert->trust->emailFlags|
-				cert->trust->objectSigningFlags)) {
-	trust = cert->trust;
-	if ( ( ( trust->sslFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA ) ||
-	   ( ( trust->sslFlags & CERTDB_TRUSTED_CA ) == CERTDB_TRUSTED_CA ) ) {
-	    ret = PR_TRUE;
-	    type |= NS_CERT_TYPE_SSL_CA;
-	}
-	
-	if ( ( ( trust->emailFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA ) ||
-	  ( ( trust->emailFlags & CERTDB_TRUSTED_CA ) == CERTDB_TRUSTED_CA ) ) {
-	    ret = PR_TRUE;
-	    type |= NS_CERT_TYPE_EMAIL_CA;
-	}
-	
-	if ( ( ( trust->objectSigningFlags & CERTDB_VALID_CA ) 
-						== CERTDB_VALID_CA ) ||
-          ( ( trust->objectSigningFlags & CERTDB_TRUSTED_CA ) 
-						== CERTDB_TRUSTED_CA ) ) {
-	    ret = PR_TRUE;
-	    type |= NS_CERT_TYPE_OBJECT_SIGNING_CA;
-	}
-    } else {
-	if ( cert->nsCertType &
-	    ( NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA |
-	     NS_CERT_TYPE_OBJECT_SIGNING_CA ) ) {
-	    ret = PR_TRUE;
-	    type = (cert->nsCertType & NS_CERT_TYPE_CA);
-	} else {
-	    CERTBasicConstraints constraints;
-	    rv = CERT_FindBasicConstraintExten(cert, &constraints);
-	    if ( rv == SECSuccess ) {
-		if ( constraints.isCA ) {
-		    ret = PR_TRUE;
-		    type = (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA);
-		}
-	    } 
-	} 
-
-	/* finally check if it's a FORTEZZA V1 CA */
-	if (ret == PR_FALSE) {
-	    if (fortezzaIsCA(cert)) {
-		ret = PR_TRUE;
-		type = (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA);
-	    }
-	}
-    }
-
-    /* the isRoot flag trumps all */
-    if (cert->isRoot) {
-	ret = PR_TRUE;
-	/* set only these by default, same as above */
-	type = (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA);
-    }
-
-    if ( rettype != NULL ) {
-	*rettype = type;
-    }
-    
-    return(ret);
-}
-
-PRBool
-CERT_IsCADERCert(SECItem *derCert, unsigned int *type) {
-    CERTCertificate *cert;
-    PRBool isCA;
-
-    /* This is okay -- only looks at extensions */
-    cert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL);
-    if (cert == NULL) return PR_FALSE;
-
-    isCA = CERT_IsCACert(cert,type);
-    CERT_DestroyCertificate (cert);
-    return isCA;
-}
-
-PRBool
-CERT_IsRootDERCert(SECItem *derCert)
-{
-    CERTCertificate *cert;
-    PRBool isRoot;
-
-    /* This is okay -- only looks at extensions */
-    cert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL);
-    if (cert == NULL) return PR_FALSE;
-
-    isRoot = cert->isRoot;
-    CERT_DestroyCertificate (cert);
-    return isRoot;
-}
-
-CERTCompareValidityStatus
-CERT_CompareValidityTimes(CERTValidity* val_a, CERTValidity* val_b)
-{
-    PRTime notBeforeA, notBeforeB, notAfterA, notAfterB;
-
-    if (!val_a || !val_b)
-    {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return certValidityUndetermined;
-    }
-
-    if ( SECSuccess != DER_DecodeTimeChoice(&notBeforeA, &val_a->notBefore) ||
-         SECSuccess != DER_DecodeTimeChoice(&notBeforeB, &val_b->notBefore) ||
-         SECSuccess != DER_DecodeTimeChoice(&notAfterA, &val_a->notAfter) ||
-         SECSuccess != DER_DecodeTimeChoice(&notAfterB, &val_b->notAfter) ) {
-        return certValidityUndetermined;
-    }
-
-    /* sanity check */
-    if (LL_CMP(notBeforeA,>,notAfterA) || LL_CMP(notBeforeB,>,notAfterB)) {
-        PORT_SetError(SEC_ERROR_INVALID_TIME);
-        return certValidityUndetermined;
-    }
-
-    if (LL_CMP(notAfterA,!=,notAfterB)) {
-        /* one cert validity goes farther into the future, select it */
-        return LL_CMP(notAfterA,<,notAfterB) ?
-            certValidityChooseB : certValidityChooseA;
-    }
-    /* the two certs have the same expiration date */
-    PORT_Assert(LL_CMP(notAfterA, == , notAfterB));
-    /* do they also have the same start date ? */
-    if (LL_CMP(notBeforeA,==,notBeforeB)) {
-	return certValidityEqual;
-    }
-    /* choose cert with the later start date */
-    return LL_CMP(notBeforeA,<,notBeforeB) ?
-        certValidityChooseB : certValidityChooseA;
-}
-
-/*
- * is certa newer than certb?  If one is expired, pick the other one.
- */
-PRBool
-CERT_IsNewer(CERTCertificate *certa, CERTCertificate *certb)
-{
-    PRTime notBeforeA, notAfterA, notBeforeB, notAfterB, now;
-    SECStatus rv;
-    PRBool newerbefore, newerafter;
-    
-    rv = CERT_GetCertTimes(certa, &notBeforeA, &notAfterA);
-    if ( rv != SECSuccess ) {
-	return(PR_FALSE);
-    }
-    
-    rv = CERT_GetCertTimes(certb, &notBeforeB, &notAfterB);
-    if ( rv != SECSuccess ) {
-	return(PR_TRUE);
-    }
-
-    newerbefore = PR_FALSE;
-    if ( LL_CMP(notBeforeA, >, notBeforeB) ) {
-	newerbefore = PR_TRUE;
-    }
-
-    newerafter = PR_FALSE;
-    if ( LL_CMP(notAfterA, >, notAfterB) ) {
-	newerafter = PR_TRUE;
-    }
-    
-    if ( newerbefore && newerafter ) {
-	return(PR_TRUE);
-    }
-    
-    if ( ( !newerbefore ) && ( !newerafter ) ) {
-	return(PR_FALSE);
-    }
-
-    /* get current time */
-    now = PR_Now();
-
-    if ( newerbefore ) {
-	/* cert A was issued after cert B, but expires sooner */
-	/* if A is expired, then pick B */
-	if ( LL_CMP(notAfterA, <, now ) ) {
-	    return(PR_FALSE);
-	}
-	return(PR_TRUE);
-    } else {
-	/* cert B was issued after cert A, but expires sooner */
-	/* if B is expired, then pick A */
-	if ( LL_CMP(notAfterB, <, now ) ) {
-	    return(PR_TRUE);
-	}
-	return(PR_FALSE);
-    }
-}
-
-void
-CERT_DestroyCertArray(CERTCertificate **certs, unsigned int ncerts)
-{
-    unsigned int i;
-    
-    if ( certs ) {
-	for ( i = 0; i < ncerts; i++ ) {
-	    if ( certs[i] ) {
-		CERT_DestroyCertificate(certs[i]);
-	    }
-	}
-
-	PORT_Free(certs);
-    }
-    
-    return;
-}
-
-char *
-CERT_FixupEmailAddr(char *emailAddr)
-{
-    char *retaddr;
-    char *str;
-
-    if ( emailAddr == NULL ) {
-	return(NULL);
-    }
-    
-    /* copy the string */
-    str = retaddr = PORT_Strdup(emailAddr);
-    if ( str == NULL ) {
-	return(NULL);
-    }
-    
-    /* make it lower case */
-    while ( *str ) {
-	*str = tolower( *str );
-	str++;
-    }
-    
-    return(retaddr);
-}
-
-/*
- * NOTE - don't allow encode of govt-approved or invisible bits
- */
-SECStatus
-CERT_DecodeTrustString(CERTCertTrust *trust, char *trusts)
-{
-    unsigned int i;
-    unsigned int *pflags;
-    
-    if (!trust) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    trust->sslFlags = 0;
-    trust->emailFlags = 0;
-    trust->objectSigningFlags = 0;
-    if (!trusts) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    pflags = &trust->sslFlags;
-    
-    for (i=0; i < PORT_Strlen(trusts); i++) {
-	switch (trusts[i]) {
-	  case 'p':
-	      *pflags = *pflags | CERTDB_VALID_PEER;
-	      break;
-
-	  case 'P':
-	      *pflags = *pflags | CERTDB_TRUSTED | CERTDB_VALID_PEER;
-	      break;
-
-	  case 'w':
-	      *pflags = *pflags | CERTDB_SEND_WARN;
-	      break;
-
-	  case 'c':
-	      *pflags = *pflags | CERTDB_VALID_CA;
-	      break;
-
-	  case 'T':
-	      *pflags = *pflags | CERTDB_TRUSTED_CLIENT_CA | CERTDB_VALID_CA;
-	      break;
-
-	  case 'C' :
-	      *pflags = *pflags | CERTDB_TRUSTED_CA | CERTDB_VALID_CA;
-	      break;
-
-	  case 'u':
-	      *pflags = *pflags | CERTDB_USER;
-	      break;
-
-	  case 'i':
-	      *pflags = *pflags | CERTDB_INVISIBLE_CA;
-	      break;
-	  case 'g':
-	      *pflags = *pflags | CERTDB_GOVT_APPROVED_CA;
-	      break;
-
-	  case ',':
-	      if ( pflags == &trust->sslFlags ) {
-		  pflags = &trust->emailFlags;
-	      } else {
-		  pflags = &trust->objectSigningFlags;
-	      }
-	      break;
-	  default:
-	      return SECFailure;
-	}
-    }
-
-    return SECSuccess;
-}
-
-static void
-EncodeFlags(char *trusts, unsigned int flags)
-{
-    if (flags & CERTDB_VALID_CA)
-	if (!(flags & CERTDB_TRUSTED_CA) &&
-	    !(flags & CERTDB_TRUSTED_CLIENT_CA))
-	    PORT_Strcat(trusts, "c");
-    if (flags & CERTDB_VALID_PEER)
-	if (!(flags & CERTDB_TRUSTED))
-	    PORT_Strcat(trusts, "p");
-    if (flags & CERTDB_TRUSTED_CA)
-	PORT_Strcat(trusts, "C");
-    if (flags & CERTDB_TRUSTED_CLIENT_CA)
-	PORT_Strcat(trusts, "T");
-    if (flags & CERTDB_TRUSTED)
-	PORT_Strcat(trusts, "P");
-    if (flags & CERTDB_USER)
-	PORT_Strcat(trusts, "u");
-    if (flags & CERTDB_SEND_WARN)
-	PORT_Strcat(trusts, "w");
-    if (flags & CERTDB_INVISIBLE_CA)
-	PORT_Strcat(trusts, "I");
-    if (flags & CERTDB_GOVT_APPROVED_CA)
-	PORT_Strcat(trusts, "G");
-    return;
-}
-
-char *
-CERT_EncodeTrustString(CERTCertTrust *trust)
-{
-    char tmpTrustSSL[32];
-    char tmpTrustEmail[32];
-    char tmpTrustSigning[32];
-    char *retstr = NULL;
-
-    if ( trust ) {
-	tmpTrustSSL[0] = '\0';
-	tmpTrustEmail[0] = '\0';
-	tmpTrustSigning[0] = '\0';
-    
-	EncodeFlags(tmpTrustSSL, trust->sslFlags);
-	EncodeFlags(tmpTrustEmail, trust->emailFlags);
-	EncodeFlags(tmpTrustSigning, trust->objectSigningFlags);
-    
-	retstr = PR_smprintf("%s,%s,%s", tmpTrustSSL, tmpTrustEmail,
-			     tmpTrustSigning);
-    }
-    
-    return(retstr);
-}
-
-/* in 3.4, this will only set trust */
-SECStatus
-CERT_SaveImportedCert(CERTCertificate *cert, SECCertUsage usage,
-		      PRBool caOnly, char *nickname)
-{
-    SECStatus rv;
-    PRBool saveit;
-    CERTCertTrust trust;
-    PRBool isCA;
-    unsigned int certtype;
-    
-    isCA = CERT_IsCACert(cert, NULL);
-    if ( caOnly && ( !isCA ) ) {
-	return(SECSuccess);
-    }
-    /* In NSS 3.4, certs are given zero trust upon import.  However, this
-    * function needs to set up default CA trust (CERTDB_VALID_CA), or
-    * PKCS#12 imported certs will not show up correctly.  In the case of a
-    * CA cert with zero trust, continue with this function.  But if the cert
-    * does already have some trust bits, exit and do not change them.
-    */
-    if (isCA && cert->trust && 
-        (cert->trust->sslFlags |
-         cert->trust->emailFlags |
-         cert->trust->objectSigningFlags)) {
-	return(SECSuccess);
-    }
-
-    saveit = PR_TRUE;
-    
-    PORT_Memset((void *)&trust, 0, sizeof(trust));
-
-    certtype = cert->nsCertType;
-
-    /* if no CA bits in cert type, then set all CA bits */
-    if ( isCA && ( ! ( certtype & NS_CERT_TYPE_CA ) ) ) {
-	certtype |= NS_CERT_TYPE_CA;
-    }
-
-    /* if no app bits in cert type, then set all app bits */
-    if ( ( !isCA ) && ( ! ( certtype & NS_CERT_TYPE_APP ) ) ) {
-	certtype |= NS_CERT_TYPE_APP;
-    }
-
-    switch ( usage ) {
-      case certUsageEmailSigner:
-      case certUsageEmailRecipient:
-	if ( isCA ) {
-	    if ( certtype & NS_CERT_TYPE_EMAIL_CA ) {
-		trust.emailFlags = CERTDB_VALID_CA;
-	    }
-	} else {
-	    if ( !cert->emailAddr || !cert->emailAddr[0] ) {
-		saveit = PR_FALSE;
-	    }
-	    
-	    if ( certtype & NS_CERT_TYPE_EMAIL ) {
-		trust.emailFlags = CERTDB_VALID_PEER;
-		if ( ! ( cert->rawKeyUsage & KU_KEY_ENCIPHERMENT ) ) {
-		    /* don't save it if KeyEncipherment is not allowed */
-		    saveit = PR_FALSE;
-		}
-	    }
-	}
-	break;
-      case certUsageUserCertImport:
-	if ( isCA ) {
-	    if ( certtype & NS_CERT_TYPE_SSL_CA ) {
-		trust.sslFlags = CERTDB_VALID_CA;
-	    }
-	    
-	    if ( certtype & NS_CERT_TYPE_EMAIL_CA ) {
-		trust.emailFlags = CERTDB_VALID_CA;
-	    }
-	    
-	    if ( certtype & NS_CERT_TYPE_OBJECT_SIGNING_CA ) {
-		trust.objectSigningFlags = CERTDB_VALID_CA;
-	    }
-	    
-	} else {
-	    if ( certtype & NS_CERT_TYPE_SSL_CLIENT ) {
-		trust.sslFlags = CERTDB_VALID_PEER;
-	    }
-	    
-	    if ( certtype & NS_CERT_TYPE_EMAIL ) {
-		trust.emailFlags = CERTDB_VALID_PEER;
-	    }
-	    
-	    if ( certtype & NS_CERT_TYPE_OBJECT_SIGNING ) {
-		trust.objectSigningFlags = CERTDB_VALID_PEER;
-	    }
-	}
-	break;
-      case certUsageAnyCA:
-	trust.sslFlags = CERTDB_VALID_CA;
-	break;
-      case certUsageSSLCA:
-	trust.sslFlags = CERTDB_VALID_CA | 
-			CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA;
-	break;
-      default:	/* XXX added to quiet warnings; no other cases needed? */
-	break;
-    }
-
-    if ( saveit ) {
-	rv = CERT_ChangeCertTrust(cert->dbhandle, cert, &trust);
-	if ( rv != SECSuccess ) {
-	    goto loser;
-	}
-    }
-
-    rv = SECSuccess;
-    goto done;
-
-loser:
-    rv = SECFailure;
-done:
-
-    return(rv);
-}
-
-SECStatus
-CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage,
-		 unsigned int ncerts, SECItem **derCerts,
-		 CERTCertificate ***retCerts, PRBool keepCerts,
-		 PRBool caOnly, char *nickname)
-{
-    unsigned int i;
-    CERTCertificate **certs = NULL;
-    SECStatus rv;
-    unsigned int fcerts = 0;
-
-    if ( ncerts ) {
-	certs = PORT_ZNewArray(CERTCertificate*, ncerts);
-	if ( certs == NULL ) {
-	    return(SECFailure);
-	}
-    
-	/* decode all of the certs into the temporary DB */
-	for ( i = 0, fcerts= 0; i < ncerts; i++) {
-	    certs[fcerts] = CERT_NewTempCertificate(certdb,
-	                                            derCerts[i],
-	                                            NULL,
-	                                            PR_FALSE,
-	                                            PR_TRUE);
-	    if (certs[fcerts]) fcerts++;
-	}
-
-	if ( keepCerts ) {
-	    for ( i = 0; i < fcerts; i++ ) {
-                char* canickname = NULL;
-                PRBool freeNickname = PR_FALSE;
-
-		SECKEY_UpdateCertPQG(certs[i]);
-                
-                if ( CERT_IsCACert(certs[i], NULL) ) {
-                    canickname = CERT_MakeCANickname(certs[i]);
-                    if ( canickname != NULL ) {
-                        freeNickname = PR_TRUE;
-                    }
-                }
-
-		if(CERT_IsCACert(certs[i], NULL) && (fcerts > 1)) {
-		    /* if we are importing only a single cert and specifying
-		     * a nickname, we want to use that nickname if it a CA,
-		     * otherwise if there are more than one cert, we don't
-		     * know which cert it belongs to. But we still may try
-                     * the individual canickname from the cert itself.
-		     */
-		    rv = CERT_AddTempCertToPerm(certs[i], canickname, NULL);
-		} else {
-		    rv = CERT_AddTempCertToPerm(certs[i],
-                                                nickname?nickname:canickname, NULL);
-		}
-		if (rv == SECSuccess) {
-		    CERT_SaveImportedCert(certs[i], usage, caOnly, NULL);
-		}
-
-                if (PR_TRUE == freeNickname) {
-                    PORT_Free(canickname);
-                }
-		/* don't care if it fails - keep going */
-	    }
-	}
-    }
-
-    if ( retCerts ) {
-	*retCerts = certs;
-    } else {
-	if (certs) {
-	    CERT_DestroyCertArray(certs, fcerts);
-	}
-    }
-
-    return ((fcerts || !ncerts) ? SECSuccess : SECFailure);
-}
-
-/*
- * a real list of certificates - need to convert CERTCertificateList
- * stuff and ASN 1 encoder/decoder over to using this...
- */
-CERTCertList *
-CERT_NewCertList(void)
-{
-    PRArenaPool *arena = NULL;
-    CERTCertList *ret = NULL;
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( arena == NULL ) {
-	goto loser;
-    }
-    
-    ret = (CERTCertList *)PORT_ArenaZAlloc(arena, sizeof(CERTCertList));
-    if ( ret == NULL ) {
-	goto loser;
-    }
-    
-    ret->arena = arena;
-    
-    PR_INIT_CLIST(&ret->list);
-    
-    return(ret);
-
-loser:
-    if ( arena != NULL ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    
-    return(NULL);
-}
-
-void
-CERT_DestroyCertList(CERTCertList *certs)
-{
-    PRCList *node;
-
-    while( !PR_CLIST_IS_EMPTY(&certs->list) ) {
-	node = PR_LIST_HEAD(&certs->list);
-	CERT_DestroyCertificate(((CERTCertListNode *)node)->cert);
-	PR_REMOVE_LINK(node);
-    }
-    
-    PORT_FreeArena(certs->arena, PR_FALSE);
-    
-    return;
-}
-
-void
-CERT_RemoveCertListNode(CERTCertListNode *node)
-{
-    CERT_DestroyCertificate(node->cert);
-    PR_REMOVE_LINK(&node->links);
-    return;
-}
-
-
-SECStatus
-CERT_AddCertToListTailWithData(CERTCertList *certs, 
-				CERTCertificate *cert, void *appData)
-{
-    CERTCertListNode *node;
-    
-    node = (CERTCertListNode *)PORT_ArenaZAlloc(certs->arena,
-						sizeof(CERTCertListNode));
-    if ( node == NULL ) {
-	goto loser;
-    }
-    
-    PR_INSERT_BEFORE(&node->links, &certs->list);
-    /* certs->count++; */
-    node->cert = cert;
-    node->appData = appData;
-    return(SECSuccess);
-    
-loser:
-    return(SECFailure);
-}
-
-SECStatus
-CERT_AddCertToListTail(CERTCertList *certs, CERTCertificate *cert)
-{
-    return CERT_AddCertToListTailWithData(certs, cert, NULL);
-}
-
-SECStatus
-CERT_AddCertToListHeadWithData(CERTCertList *certs, 
-					CERTCertificate *cert, void *appData)
-{
-    CERTCertListNode *node;
-    CERTCertListNode *head;
-    
-    head = CERT_LIST_HEAD(certs);
-
-    if (head == NULL) return CERT_AddCertToListTail(certs,cert);
-
-    node = (CERTCertListNode *)PORT_ArenaZAlloc(certs->arena,
-						sizeof(CERTCertListNode));
-    if ( node == NULL ) {
-	goto loser;
-    }
-    
-    PR_INSERT_BEFORE(&node->links, &head->links);
-    /* certs->count++; */
-    node->cert = cert;
-    node->appData = appData;
-    return(SECSuccess);
-    
-loser:
-    return(SECFailure);
-}
-
-SECStatus
-CERT_AddCertToListHead(CERTCertList *certs, CERTCertificate *cert)
-{
-    return CERT_AddCertToListHeadWithData(certs, cert, NULL);
-}
-
-/*
- * Sort callback function to determine if cert a is newer than cert b.
- * Not valid certs are considered older than valid certs.
- */
-PRBool
-CERT_SortCBValidity(CERTCertificate *certa,
-		    CERTCertificate *certb,
-		    void *arg)
-{
-    PRTime sorttime;
-    PRTime notBeforeA, notAfterA, notBeforeB, notAfterB;
-    SECStatus rv;
-    PRBool newerbefore, newerafter;
-    PRBool aNotValid = PR_FALSE, bNotValid = PR_FALSE;
-
-    sorttime = *(PRTime *)arg;
-    
-    rv = CERT_GetCertTimes(certa, &notBeforeA, &notAfterA);
-    if ( rv != SECSuccess ) {
-	return(PR_FALSE);
-    }
-    
-    rv = CERT_GetCertTimes(certb, &notBeforeB, &notAfterB);
-    if ( rv != SECSuccess ) {
-	return(PR_TRUE);
-    }
-    newerbefore = PR_FALSE;
-    if ( LL_CMP(notBeforeA, >, notBeforeB) ) {
-	newerbefore = PR_TRUE;
-    }
-    newerafter = PR_FALSE;
-    if ( LL_CMP(notAfterA, >, notAfterB) ) {
-	newerafter = PR_TRUE;
-    }
-
-    /* check if A is valid at sorttime */
-    if ( CERT_CheckCertValidTimes(certa, sorttime, PR_FALSE)
-	!= secCertTimeValid ) {
-	aNotValid = PR_TRUE;
-    }
-
-    /* check if B is valid at sorttime */
-    if ( CERT_CheckCertValidTimes(certb, sorttime, PR_FALSE)
-	!= secCertTimeValid ) {
-	bNotValid = PR_TRUE;
-    }
-
-    /* a is valid, b is not */
-    if ( bNotValid && ( ! aNotValid ) ) {
-	return(PR_TRUE);
-    }
-
-    /* b is valid, a is not */
-    if ( aNotValid && ( ! bNotValid ) ) {
-	return(PR_FALSE);
-    }
-    
-    /* a and b are either valid or not valid */
-    if ( newerbefore && newerafter ) {
-	return(PR_TRUE);
-    }
-    
-    if ( ( !newerbefore ) && ( !newerafter ) ) {
-	return(PR_FALSE);
-    }
-
-    if ( newerbefore ) {
-	/* cert A was issued after cert B, but expires sooner */
-	return(PR_TRUE);
-    } else {
-	/* cert B was issued after cert A, but expires sooner */
-	return(PR_FALSE);
-    }
-}
-
-
-SECStatus
-CERT_AddCertToListSorted(CERTCertList *certs,
-			 CERTCertificate *cert,
-			 CERTSortCallback f,
-			 void *arg)
-{
-    CERTCertListNode *node;
-    CERTCertListNode *head;
-    PRBool ret;
-    
-    node = (CERTCertListNode *)PORT_ArenaZAlloc(certs->arena,
-						sizeof(CERTCertListNode));
-    if ( node == NULL ) {
-	goto loser;
-    }
-    
-    head = CERT_LIST_HEAD(certs);
-    
-    while ( !CERT_LIST_END(head, certs) ) {
-
-	/* if cert is already in the list, then don't add it again */
-	if ( cert == head->cert ) {
-	    /*XXX*/
-	    /* don't keep a reference */
-	    CERT_DestroyCertificate(cert);
-	    goto done;
-	}
-	
-	ret = (* f)(cert, head->cert, arg);
-	/* if sort function succeeds, then insert before current node */
-	if ( ret ) {
-	    PR_INSERT_BEFORE(&node->links, &head->links);
-	    goto done;
-	}
-
-	head = CERT_LIST_NEXT(head);
-    }
-    /* if we get to the end, then just insert it at the tail */
-    PR_INSERT_BEFORE(&node->links, &certs->list);
-
-done:    
-    /* certs->count++; */
-    node->cert = cert;
-    return(SECSuccess);
-    
-loser:
-    return(SECFailure);
-}
-
-/* This routine is here because pcertdb.c still has a call to it.
- * The SMIME profile code in pcertdb.c should be split into high (find
- * the email cert) and low (store the profile) code.  At that point, we
- * can move this to certhigh.c where it belongs.
- *
- * remove certs from a list that don't have keyUsage and certType
- * that match the given usage.
- */
-SECStatus
-CERT_FilterCertListByUsage(CERTCertList *certList, SECCertUsage usage,
-			   PRBool ca)
-{
-    unsigned int requiredKeyUsage;
-    unsigned int requiredCertType;
-    CERTCertListNode *node, *savenode;
-    SECStatus rv;
-    
-    if (certList == NULL) goto loser;
-
-    rv = CERT_KeyUsageAndTypeForCertUsage(usage, ca, &requiredKeyUsage,
-					  &requiredCertType);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    node = CERT_LIST_HEAD(certList);
-	
-    while ( !CERT_LIST_END(node, certList) ) {
-
-	PRBool bad = (PRBool)(!node->cert);
-
-	/* bad key usage ? */
-	if ( !bad && 
-	     CERT_CheckKeyUsage(node->cert, requiredKeyUsage) != SECSuccess ) {
-	    bad = PR_TRUE;
-	}
-	/* bad cert type ? */
-	if ( !bad ) {
-	    unsigned int certType = 0;
-	    if ( ca ) {
-		/* This function returns a more comprehensive cert type that
-		 * takes trust flags into consideration.  Should probably
-		 * fix the cert decoding code to do this.
-		 */
-		(void)CERT_IsCACert(node->cert, &certType);
-	    } else {
-		certType = node->cert->nsCertType;
-	    }
-	    if ( !( certType & requiredCertType ) ) {
-		bad = PR_TRUE;
-	    }
-	}
-
-	if ( bad ) {
-	    /* remove the node if it is bad */
-	    savenode = CERT_LIST_NEXT(node);
-	    CERT_RemoveCertListNode(node);
-	    node = savenode;
-	} else {
-	    node = CERT_LIST_NEXT(node);
-	}
-    }
-    return(SECSuccess);
-    
-loser:
-    return(SECFailure);
-}
-
-PRBool CERT_IsUserCert(CERTCertificate* cert)
-{
-    if ( cert->trust &&
-        ((cert->trust->sslFlags & CERTDB_USER ) ||
-         (cert->trust->emailFlags & CERTDB_USER ) ||
-         (cert->trust->objectSigningFlags & CERTDB_USER )) ) {
-        return PR_TRUE;
-    } else {
-        return PR_FALSE;
-    }
-}
-
-SECStatus
-CERT_FilterCertListForUserCerts(CERTCertList *certList)
-{
-    CERTCertListNode *node, *freenode;
-    CERTCertificate *cert;
-
-    if (!certList) {
-        return SECFailure;
-    }
-
-    node = CERT_LIST_HEAD(certList);
-    
-    while ( ! CERT_LIST_END(node, certList) ) {
-	cert = node->cert;
-	if ( PR_TRUE != CERT_IsUserCert(cert) ) {
-	    /* Not a User Cert, so remove this cert from the list */
-	    freenode = node;
-	    node = CERT_LIST_NEXT(node);
-	    CERT_RemoveCertListNode(freenode);
-	} else {
-	    /* Is a User cert, so leave it in the list */
-	    node = CERT_LIST_NEXT(node);
-	}
-    }
-
-    return(SECSuccess);
-}
-
-static PZLock *certRefCountLock = NULL;
-
-/*
- * Acquire the cert reference count lock
- * There is currently one global lock for all certs, but I'm putting a cert
- * arg here so that it will be easy to make it per-cert in the future if
- * that turns out to be necessary.
- */
-void
-CERT_LockCertRefCount(CERTCertificate *cert)
-{
-    if ( certRefCountLock == NULL ) {
-	nss_InitLock(&certRefCountLock, nssILockRefLock);
-	PORT_Assert(certRefCountLock != NULL);
-    }
-    
-    PZ_Lock(certRefCountLock);
-    return;
-}
-
-/*
- * Free the cert reference count lock
- */
-void
-CERT_UnlockCertRefCount(CERTCertificate *cert)
-{
-    PRStatus prstat;
-
-    PORT_Assert(certRefCountLock != NULL);
-    
-    prstat = PZ_Unlock(certRefCountLock);
-    
-    PORT_Assert(prstat == PR_SUCCESS);
-
-    return;
-}
-
-static PZLock *certTrustLock = NULL;
-
-/*
- * Acquire the cert trust lock
- * There is currently one global lock for all certs, but I'm putting a cert
- * arg here so that it will be easy to make it per-cert in the future if
- * that turns out to be necessary.
- */
-void
-CERT_LockCertTrust(CERTCertificate *cert)
-{
-    if ( certTrustLock == NULL ) {
-	nss_InitLock(&certTrustLock, nssILockCertDB);
-	PORT_Assert(certTrustLock != NULL);
-    }
-    
-    PZ_Lock(certTrustLock);
-    return;
-}
-
-/*
- * Free the cert trust lock
- */
-void
-CERT_UnlockCertTrust(CERTCertificate *cert)
-{
-    PRStatus prstat;
-
-    PORT_Assert(certTrustLock != NULL);
-    
-    prstat = PZ_Unlock(certTrustLock);
-    
-    PORT_Assert(prstat == PR_SUCCESS);
-
-    return;
-}
-
-
-/*
- * Get the StatusConfig data for this handle
- */
-CERTStatusConfig *
-CERT_GetStatusConfig(CERTCertDBHandle *handle)
-{
-  return handle->statusConfig;
-}
-
-/*
- * Set the StatusConfig data for this handle.  There
- * should not be another configuration set.
- */
-void
-CERT_SetStatusConfig(CERTCertDBHandle *handle, CERTStatusConfig *statusConfig)
-{
-  PORT_Assert(handle->statusConfig == NULL);
-  handle->statusConfig = statusConfig;
-}
-
-/*
- * Code for dealing with subjKeyID to cert mappings.
- */
-
-static PLHashTable *gSubjKeyIDHash = NULL;
-static PRLock      *gSubjKeyIDLock = NULL;
-
-static void *cert_AllocTable(void *pool, PRSize size)
-{
-    return PORT_Alloc(size);
-}
-
-static void cert_FreeTable(void *pool, void *item)
-{
-    PORT_Free(item);
-}
-
-static PLHashEntry* cert_AllocEntry(void *pool, const void *key)
-{
-    return PORT_New(PLHashEntry);
-}
-
-static void cert_FreeEntry(void *pool, PLHashEntry *he, PRUintn flag)
-{
-    SECITEM_FreeItem((SECItem*)(he->value), PR_TRUE);
-    if (flag == HT_FREE_ENTRY) {
-        SECITEM_FreeItem((SECItem*)(he->key), PR_TRUE);
-        PORT_Free(he);
-    }
-}
-
-static PLHashAllocOps cert_AllocOps = {
-    cert_AllocTable, cert_FreeTable, cert_AllocEntry, cert_FreeEntry
-};
-
-SECStatus
-cert_CreateSubjectKeyIDHashTable(void)
-{
-    gSubjKeyIDHash = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare,
-                                    SECITEM_HashCompare,
-                                    &cert_AllocOps, NULL);
-    if (!gSubjKeyIDHash) {
-        PORT_SetError(SEC_ERROR_NO_MEMORY);
-        return SECFailure;
-    }
-    gSubjKeyIDLock = PR_NewLock();
-    if (!gSubjKeyIDLock) {
-        PL_HashTableDestroy(gSubjKeyIDHash);
-        gSubjKeyIDHash = NULL;
-        PORT_SetError(SEC_ERROR_NO_MEMORY);
-        return SECFailure;
-    }
-    return SECSuccess;
-
-}
-
-SECStatus
-cert_AddSubjectKeyIDMapping(SECItem *subjKeyID, CERTCertificate *cert)
-{
-    SECItem *newKeyID, *oldVal, *newVal;
-    SECStatus rv = SECFailure;
-
-    if (!gSubjKeyIDLock) {
-	/* If one is created, then both are there.  So only check for one. */
-	return SECFailure;
-    }
-
-    newVal = SECITEM_DupItem(&cert->derCert);
-    if (!newVal) {
-        PORT_SetError(SEC_ERROR_NO_MEMORY);
-        goto done;
-    }
-    newKeyID = SECITEM_DupItem(subjKeyID);
-    if (!newKeyID) {
-        SECITEM_FreeItem(newVal, PR_TRUE);
-        PORT_SetError(SEC_ERROR_NO_MEMORY);
-        goto done;
-    }
-
-    PR_Lock(gSubjKeyIDLock);
-    /* The hash table implementation does not free up the memory 
-     * associated with the key of an already existing entry if we add a 
-     * duplicate, so we would wind up leaking the previously allocated 
-     * key if we don't remove before adding.
-     */
-    oldVal = (SECItem*)PL_HashTableLookup(gSubjKeyIDHash, subjKeyID);
-    if (oldVal) {
-        PL_HashTableRemove(gSubjKeyIDHash, subjKeyID);
-    }
-
-    rv = (PL_HashTableAdd(gSubjKeyIDHash, newKeyID, newVal)) ? SECSuccess :
-                                                               SECFailure;
-    PR_Unlock(gSubjKeyIDLock);
-done:
-    return rv;
-}
-
-SECStatus
-cert_RemoveSubjectKeyIDMapping(SECItem *subjKeyID)
-{
-    SECStatus rv;
-    if (!gSubjKeyIDLock)
-        return SECFailure;
-
-    PR_Lock(gSubjKeyIDLock);
-    rv = (PL_HashTableRemove(gSubjKeyIDHash, subjKeyID)) ? SECSuccess :
-                                                           SECFailure;
-    PR_Unlock(gSubjKeyIDLock);
-    return rv;
-}
-
-SECStatus
-cert_DestroySubjectKeyIDHashTable(void)
-{
-    if (gSubjKeyIDHash) {
-        PR_Lock(gSubjKeyIDLock);
-        PL_HashTableDestroy(gSubjKeyIDHash);
-        gSubjKeyIDHash = NULL;
-        PR_Unlock(gSubjKeyIDLock);
-        PR_DestroyLock(gSubjKeyIDLock);
-        gSubjKeyIDLock = NULL;
-    }
-    return SECSuccess;
-}
-
-SECItem*
-cert_FindDERCertBySubjectKeyID(SECItem *subjKeyID)
-{
-    SECItem   *val;
- 
-    if (!gSubjKeyIDLock)
-        return NULL;
-
-    PR_Lock(gSubjKeyIDLock);
-    val = (SECItem*)PL_HashTableLookup(gSubjKeyIDHash, subjKeyID);
-    if (val) {
-        val = SECITEM_DupItem(val);
-    }
-    PR_Unlock(gSubjKeyIDLock);
-    return val;
-}
-
-CERTCertificate*
-CERT_FindCertBySubjectKeyID(CERTCertDBHandle *handle, SECItem *subjKeyID)
-{
-    CERTCertificate *cert = NULL;
-    SECItem *derCert;
-
-    derCert = cert_FindDERCertBySubjectKeyID(subjKeyID);
-    if (derCert) {
-        cert = CERT_FindCertByDERCert(handle, derCert);
-        SECITEM_FreeItem(derCert, PR_TRUE);
-    }
-    return cert;
-}
diff --git a/security/nss/lib/certdb/certdb.h b/security/nss/lib/certdb/certdb.h
deleted file mode 100644
index f81fa93a7..000000000
--- a/security/nss/lib/certdb/certdb.h
+++ /dev/null
@@ -1,171 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef _CERTDB_H_
-#define _CERTDB_H_
-
-
-/* common flags for all types of certificates */
-#define CERTDB_VALID_PEER	(1<<0)
-#define CERTDB_TRUSTED		(1<<1)
-#define CERTDB_SEND_WARN	(1<<2)
-#define CERTDB_VALID_CA		(1<<3)
-#define CERTDB_TRUSTED_CA	(1<<4) /* trusted for issuing server certs */
-#define CERTDB_NS_TRUSTED_CA	(1<<5)
-#define CERTDB_USER		(1<<6)
-#define CERTDB_TRUSTED_CLIENT_CA (1<<7) /* trusted for issuing client certs */
-#define CERTDB_INVISIBLE_CA	(1<<8) /* don't show in UI */
-#define CERTDB_GOVT_APPROVED_CA	(1<<9) /* can do strong crypto in export ver */
-
-
-SEC_BEGIN_PROTOS
-
-CERTSignedCrl *
-SEC_FindCrlByKey(CERTCertDBHandle *handle, SECItem *crlKey, int type);
-
-CERTSignedCrl *
-SEC_FindCrlByName(CERTCertDBHandle *handle, SECItem *crlKey, int type);
-
-CERTSignedCrl *
-SEC_FindCrlByDERCert(CERTCertDBHandle *handle, SECItem *derCrl, int type);
-
-PRBool
-SEC_CertNicknameConflict(char *nickname, SECItem *derSubject,
-			 CERTCertDBHandle *handle);
-CERTSignedCrl *
-SEC_NewCrl(CERTCertDBHandle *handle, char *url, SECItem *derCrl, int type);
-
-SECStatus
-SEC_DeletePermCRL(CERTSignedCrl *crl);
-
-
-SECStatus
-SEC_LookupCrls(CERTCertDBHandle *handle, CERTCrlHeadNode **nodes, int type);
-
-SECStatus 
-SEC_DestroyCrl(CERTSignedCrl *crl);
-
-CERTSignedCrl* SEC_DupCrl(CERTSignedCrl* acrl);
-
-SECStatus
-CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname,
-		       CERTCertTrust *trust);
-
-SECStatus SEC_DeletePermCertificate(CERTCertificate *cert);
-
-PRBool
-SEC_CrlIsNewer(CERTCrl *inNew, CERTCrl *old);
-
-SECCertTimeValidity
-SEC_CheckCrlTimes(CERTCrl *crl, PRTime t);
-
-#ifdef notdef
-/*
-** Add a DER encoded certificate to the permanent database.
-**	"derCert" is the DER encoded certificate.
-**	"nickname" is the nickname to use for the cert
-**	"trust" is the trust parameters for the cert
-*/
-SECStatus SEC_AddPermCertificate(PCERTCertDBHandle *handle, SECItem *derCert,
-				char *nickname, PCERTCertTrust *trust);
-
-certDBEntryCert *
-SEC_FindPermCertByKey(PCERTCertDBHandle *handle, SECItem *certKey);
-
-certDBEntryCert
-*SEC_FindPermCertByName(PCERTCertDBHandle *handle, SECItem *name);
-
-SECStatus SEC_OpenPermCertDB(PCERTCertDBHandle *handle,
-			     PRBool readOnly,
-			     PCERTDBNameFunc namecb,
-			     void *cbarg);
-
-
-typedef SECStatus (PR_CALLBACK * PermCertCallback)(PCERTCertificate *cert,
-                                                   SECItem *k, void *pdata);
-/*
-** Traverse the entire permanent database, and pass the certs off to a
-** user supplied function.
-**	"certfunc" is the user function to call for each certificate
-**	"udata" is the user's data, which is passed through to "certfunc"
-*/
-SECStatus
-PCERT_TraversePermCerts(PCERTCertDBHandle *handle,
-		      PermCertCallback certfunc,
-		      void *udata );
-
-SECStatus
-SEC_AddTempNickname(PCERTCertDBHandle *handle, char *nickname, SECItem *certKey);
-
-SECStatus
-SEC_DeleteTempNickname(PCERTCertDBHandle *handle, char *nickname);
-
-
-PRBool
-SEC_CertDBKeyConflict(SECItem *derCert, PCERTCertDBHandle *handle);
-
-SECStatus
-SEC_GetCrlTimes(PCERTCrl *dates, PRTime *notBefore, PRTime *notAfter);
-
-PCERTSignedCrl *
-SEC_AddPermCrlToTemp(PCERTCertDBHandle *handle, certDBEntryRevocation *entry);
-
-SECStatus
-SEC_DeleteTempCrl(PCERTSignedCrl *crl);
-
-
-SECStatus
-SEC_CheckKRL(PCERTCertDBHandle *handle,SECKEYLowPublicKey *key,
-	     PCERTCertificate *rootCert, int64 t, void *wincx);
-
-SECStatus
-SEC_CheckCRL(PCERTCertDBHandle *handle,PCERTCertificate *cert,
-	     PCERTCertificate *caCert, int64 t, void *wincx);
-
-SECStatus
-SEC_CrlReplaceUrl(PCERTSignedCrl *crl,char *url);
-
-/* Compare two certificate validity structures and return which cert should be
-** preferred, based first on newer notAfter, then on newer notBefore.
-*/
-CERTCompareValidityStatus
-CERT_CompareValidityTimes(CERTValidity* val_a, CERTValidity* val_b);
-
-#endif
-
-SEC_END_PROTOS
-
-#endif /* _CERTDB_H_ */
diff --git a/security/nss/lib/certdb/certi.h b/security/nss/lib/certdb/certi.h
deleted file mode 100644
index 4a76191e8..000000000
--- a/security/nss/lib/certdb/certi.h
+++ /dev/null
@@ -1,247 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * certi.h - private data structures for the certificate library
- *
- * $Id$
- */
-#ifndef _CERTI_H_
-#define _CERTI_H_
-
-#include "certt.h"
-#include "nssrwlkt.h"
-
-/*
-#define GLOBAL_RWLOCK 1
-*/
-
-#define DPC_RWLOCK 1
-
-/* all definitions in this file are subject to change */
-
-typedef struct OpaqueCRLFieldsStr OpaqueCRLFields;
-typedef struct CRLEntryCacheStr CRLEntryCache;
-typedef struct CRLDPCacheStr CRLDPCache;
-typedef struct CRLIssuerCacheStr CRLIssuerCache;
-typedef struct CRLCacheStr CRLCache;
-typedef struct CachedCrlStr CachedCrl;
-
-struct OpaqueCRLFieldsStr {
-    PRBool partial;
-    PRBool decodingError;
-    PRBool badEntries;
-    PRBool badDER;
-    PRBool badExtensions;
-    PRBool heapDER;
-};
-
-typedef struct PreAllocatorStr PreAllocator;
-
-struct PreAllocatorStr
-{
-    PRSize len;
-    void* data;
-    PRSize used;
-    PRArenaPool* arena;
-    PRSize extra;
-};
-
-/*  CRL entry cache.
-    This is the same as an entry plus the next/prev pointers for the hash table
-*/
-
-struct CRLEntryCacheStr {
-    CERTCrlEntry entry;
-    CRLEntryCache *prev, *next;
-};
-
-#define CRL_CACHE_INVALID_CRLS              0x0001 /* this state will be set
-        if we have CRL objects with an invalid DER or signature. Can be
-        cleared if the invalid objects are deleted from the token */
-#define CRL_CACHE_LAST_FETCH_FAILED         0x0002 /* this state will be set
-        if the last CRL fetch encountered an error. Can be cleared if a
-        new fetch succeeds */
-
-#define CRL_CACHE_OUT_OF_MEMORY             0x0004 /* this state will be set
-        if we don't have enough memory to build the hash table of entries */
-
-typedef enum {
-    CRL_OriginToken = 0,    /* CRL came from PKCS#11 token */
-    CRL_OriginExplicit = 1  /* CRL was explicitly added to the cache, from RAM */
-} CRLOrigin;
-
-struct CachedCrlStr {
-    CERTSignedCrl* crl;
-    CRLOrigin origin;
-    /* hash table of entries. We use a PLHashTable and pre-allocate the
-       required amount of memory in one shot, so that our allocator can
-       simply pass offsets into it when hashing.
-
-       This won't work anymore when we support delta CRLs and iCRLs, because
-       the size of the hash table will vary over time. At that point, the best
-       solution will be to allocate large CRLEntry structures by modifying
-       the DER decoding template. The extra space would be for next/prev
-       pointers. This would allow entries from different CRLs to be mixed in
-       the same hash table.
-    */
-    PLHashTable* entries;
-    PreAllocator* prebuffer; /* big pre-allocated buffer mentioned above */
-    PRBool sigChecked; /* this CRL signature has already been checked */
-    PRBool sigValid; /* signature verification status .
-                     Only meaningful if checked is PR_TRUE . */
-};
-
-/*  CRL distribution point cache object
-    This is a cache of CRL entries for a given distribution point of an issuer
-    It is built from a collection of one full and 0 or more delta CRLs.
-*/
-
-struct CRLDPCacheStr {
-#ifdef DPC_RWLOCK
-    NSSRWLock* lock;
-#else
-    PRLock* lock;
-#endif
-    CERTCertificate* issuer;    /* cert issuer 
-                                   XXX there may be multiple issuer certs,
-                                       with different validity dates. Also
-                                       need to deal with SKID/AKID . See
-                                       bugzilla 217387, 233118 */
-    SECItem* subject;           /* DER of issuer subject */
-    SECItem* distributionPoint; /* DER of distribution point. This may be
-                                   NULL when distribution points aren't
-                                   in use (ie. the CA has a single CRL).
-                                   Currently not used. */
-
-    /* array of full CRLs matching this distribution point */
-    PRUint32 ncrls;              /* total number of CRLs in crls */
-    CachedCrl** crls;            /* array of all matching CRLs */
-    /* XCRL With iCRLs and multiple DPs, the CRL can be shared accross several
-       issuers. In the future, we'll need to globally recycle the CRL in a
-       separate list in order to avoid extra lookups, decodes, and copies */
-
-    /* pointers to good decoded CRLs used to build the cache */
-    CachedCrl* selected;    /* full CRL selected for use in the cache */
-#if 0
-    /* for future use */
-    PRInt32 numdeltas;      /* number of delta CRLs used for the cache */
-    CachedCrl** deltas;     /* delta CRLs used for the cache */
-#endif
-    /* cache invalidity bitflag */
-    PRUint16 invalid;       /* this state will be set if either
-             CRL_CACHE_INVALID_CRLS or CRL_CACHE_LAST_FETCH_FAILED is set.
-             In those cases, all certs are considered revoked as a
-             security precaution. The invalid state can only be cleared
-             during an update if all error states are cleared */
-    PRBool refresh;        /* manual refresh from tokens has been forced */
-    PRBool mustchoose;     /* trigger reselection algorithm, for case when
-                              RAM CRL objects are dropped from the cache */
-    PRTime lastfetch;      /* time a CRL token fetch was last performed */
-    PRTime lastcheck;      /* time CRL token objects were last checked for
-                              existence */
-};
-
-/*  CRL issuer cache object
-    This object tracks all the distribution point caches for a given issuer.
-    XCRL once we support multiple issuing distribution points, this object
-    will be a hash table. For now, it just holds the single CRL distribution
-    point cache structure.
-*/
-
-struct CRLIssuerCacheStr {
-    SECItem* subject;           /* DER of issuer subject */
-    CRLDPCache* dpp;
-#if 0
-    /* XCRL for future use.
-       We don't need to lock at the moment because we only have one DP,
-       which gets created at the same time as this object */
-    NSSRWLock* lock;
-    CRLDPCache** dps;
-    PLHashTable* distributionpoints;
-    CERTCertificate* issuer;
-#endif
-};
-
-/*  CRL revocation cache object
-    This object tracks all the issuer caches
-*/
-
-struct CRLCacheStr {
-#ifdef GLOBAL_RWLOCK
-    NSSRWLock* lock;
-#else
-    PRLock* lock;
-#endif
-    /* hash table of issuer to CRLIssuerCacheStr,
-       indexed by issuer DER subject */
-    PLHashTable* issuers;
-};
-
-SECStatus InitCRLCache(void);
-SECStatus ShutdownCRLCache(void);
-
-/* Returns a pointer to an environment-like string, a series of
-** null-terminated strings, terminated by a zero-length string.
-** This function is intended to be internal to NSS.
-*/
-extern char * cert_GetCertificateEmailAddresses(CERTCertificate *cert);
-
-/*
- * These functions are used to map subjectKeyID extension values to certs.
- */
-SECStatus
-cert_CreateSubjectKeyIDHashTable(void);
-
-SECStatus
-cert_AddSubjectKeyIDMapping(SECItem *subjKeyID, CERTCertificate *cert);
-
-/*
- * Call this function to remove an entry from the mapping table.
- */
-SECStatus
-cert_RemoveSubjectKeyIDMapping(SECItem *subjKeyID);
-
-SECStatus
-cert_DestroySubjectKeyIDHashTable(void);
-
-SECItem*
-cert_FindDERCertBySubjectKeyID(SECItem *subjKeyID);
-
-/* return maximum length of AVA value based on its type OID tag. */
-extern int cert_AVAOidTagToMaxLen(SECOidTag tag);
-
-#endif /* _CERTI_H_ */
-
diff --git a/security/nss/lib/certdb/certt.h b/security/nss/lib/certdb/certt.h
deleted file mode 100644
index 8567ebbe4..000000000
--- a/security/nss/lib/certdb/certt.h
+++ /dev/null
@@ -1,887 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * certt.h - public data structures for the certificate library
- *
- * $Id$
- */
-#ifndef _CERTT_H_
-#define _CERTT_H_
-
-#include "prclist.h"
-#include "pkcs11t.h"
-#include "seccomon.h"
-#include "secmodt.h"
-#include "secoidt.h"
-#include "plarena.h"
-#include "prcvar.h"
-#include "nssilock.h"
-#include "prio.h"
-#include "prmon.h"
-
-/* Stan data types */
-struct NSSCertificateStr;
-struct NSSTrustDomainStr;
-
-/* Non-opaque objects */
-typedef struct CERTAVAStr                        CERTAVA;
-typedef struct CERTAttributeStr                  CERTAttribute;
-typedef struct CERTAuthInfoAccessStr             CERTAuthInfoAccess;
-typedef struct CERTAuthKeyIDStr                  CERTAuthKeyID;
-typedef struct CERTBasicConstraintsStr           CERTBasicConstraints;
-#ifdef NSS_CLASSIC
-typedef struct CERTCertDBHandleStr               CERTCertDBHandle;
-#else
-typedef struct NSSTrustDomainStr                 CERTCertDBHandle;
-#endif
-typedef struct CERTCertExtensionStr              CERTCertExtension;
-typedef struct CERTCertKeyStr                    CERTCertKey;
-typedef struct CERTCertListStr                   CERTCertList;
-typedef struct CERTCertListNodeStr               CERTCertListNode;
-typedef struct CERTCertNicknamesStr              CERTCertNicknames;
-typedef struct CERTCertTrustStr                  CERTCertTrust;
-typedef struct CERTCertificateStr                CERTCertificate;
-typedef struct CERTCertificateListStr            CERTCertificateList;
-typedef struct CERTCertificateRequestStr         CERTCertificateRequest;
-typedef struct CERTCrlStr                        CERTCrl;
-typedef struct CERTCrlDistributionPointsStr      CERTCrlDistributionPoints; 
-typedef struct CERTCrlEntryStr                   CERTCrlEntry;
-typedef struct CERTCrlHeadNodeStr                CERTCrlHeadNode;
-typedef struct CERTCrlKeyStr                     CERTCrlKey;
-typedef struct CERTCrlNodeStr                    CERTCrlNode;
-typedef struct CERTDERCertsStr                   CERTDERCerts;
-typedef struct CERTDistNamesStr                  CERTDistNames;
-typedef struct CERTGeneralNameStr                CERTGeneralName;
-typedef struct CERTGeneralNameListStr            CERTGeneralNameList;
-typedef struct CERTIssuerAndSNStr                CERTIssuerAndSN;
-typedef struct CERTNameStr                       CERTName;
-typedef struct CERTNameConstraintStr             CERTNameConstraint;
-typedef struct CERTNameConstraintsStr            CERTNameConstraints;
-typedef struct CERTOKDomainNameStr               CERTOKDomainName;
-typedef struct CERTPrivKeyUsagePeriodStr         CERTPrivKeyUsagePeriod;
-typedef struct CERTPublicKeyAndChallengeStr      CERTPublicKeyAndChallenge;
-typedef struct CERTRDNStr                        CERTRDN;
-typedef struct CERTSignedCrlStr                  CERTSignedCrl;
-typedef struct CERTSignedDataStr                 CERTSignedData;
-typedef struct CERTStatusConfigStr               CERTStatusConfig;
-typedef struct CERTSubjectListStr                CERTSubjectList;
-typedef struct CERTSubjectNodeStr                CERTSubjectNode;
-typedef struct CERTSubjectPublicKeyInfoStr       CERTSubjectPublicKeyInfo;
-typedef struct CERTValidityStr                   CERTValidity;
-typedef struct CERTVerifyLogStr                  CERTVerifyLog;
-typedef struct CERTVerifyLogNodeStr              CERTVerifyLogNode;
-typedef struct CRLDistributionPointStr           CRLDistributionPoint;
-
-/* CRL extensions type */
-typedef unsigned long CERTCrlNumber;
-
-/*
-** An X.500 AVA object
-*/
-struct CERTAVAStr {
-    SECItem type;
-    SECItem value;
-};
-
-/*
-** An X.500 RDN object
-*/
-struct CERTRDNStr {
-    CERTAVA **avas;
-};
-
-/*
-** An X.500 name object
-*/
-struct CERTNameStr {
-    PRArenaPool *arena;
-    CERTRDN **rdns;
-};
-
-/*
-** An X.509 validity object
-*/
-struct CERTValidityStr {
-    PRArenaPool *arena;
-    SECItem notBefore;
-    SECItem notAfter;
-};
-
-/*
- * A serial number and issuer name, which is used as a database key
- */
-struct CERTCertKeyStr {
-    SECItem serialNumber;
-    SECItem derIssuer;
-};
-
-/*
-** A signed data object. Used to implement the "signed" macro used
-** in the X.500 specs.
-*/
-struct CERTSignedDataStr {
-    SECItem data;
-    SECAlgorithmID signatureAlgorithm;
-    SECItem signature;
-};
-
-/*
-** An X.509 subject-public-key-info object
-*/
-struct CERTSubjectPublicKeyInfoStr {
-    PRArenaPool *arena;
-    SECAlgorithmID algorithm;
-    SECItem subjectPublicKey;
-};
-
-struct CERTPublicKeyAndChallengeStr {
-    SECItem spki;
-    SECItem challenge;
-};
-
-struct CERTCertTrustStr {
-    unsigned int sslFlags;
-    unsigned int emailFlags;
-    unsigned int objectSigningFlags;
-};
-
-/*
- * defined the types of trust that exist
- */
-typedef enum SECTrustTypeEnum {
-    trustSSL = 0,
-    trustEmail = 1,
-    trustObjectSigning = 2,
-    trustTypeNone = 3
-} SECTrustType;
-
-#define SEC_GET_TRUST_FLAGS(trust,type) \
-        (((type)==trustSSL)?((trust)->sslFlags): \
-	 (((type)==trustEmail)?((trust)->emailFlags): \
-	  (((type)==trustObjectSigning)?((trust)->objectSigningFlags):0)))
-
-/*
-** An X.509.3 certificate extension
-*/
-struct CERTCertExtensionStr {
-    SECItem id;
-    SECItem critical;
-    SECItem value;
-};
-
-struct CERTSubjectNodeStr {
-    struct CERTSubjectNodeStr *next;
-    struct CERTSubjectNodeStr *prev;
-    SECItem certKey;
-    SECItem keyID;
-};
-
-struct CERTSubjectListStr {
-    PRArenaPool *arena;
-    int ncerts;
-    char *emailAddr;
-    CERTSubjectNode *head;
-    CERTSubjectNode *tail; /* do we need tail? */
-    void *entry;
-};
-
-/*
-** An X.509 certificate object (the unsigned form)
-*/
-struct CERTCertificateStr {
-    /* the arena is used to allocate any data structures that have the same
-     * lifetime as the cert.  This is all stuff that hangs off of the cert
-     * structure, and is all freed at the same time.  I is used when the
-     * cert is decoded, destroyed, and at some times when it changes
-     * state
-     */
-    PRArenaPool *arena;
-
-    /* The following fields are static after the cert has been decoded */
-    char *subjectName;
-    char *issuerName;
-    CERTSignedData signatureWrap;	/* XXX */
-    SECItem derCert;			/* original DER for the cert */
-    SECItem derIssuer;			/* DER for issuer name */
-    SECItem derSubject;			/* DER for subject name */
-    SECItem derPublicKey;		/* DER for the public key */
-    SECItem certKey;			/* database key for this cert */
-    SECItem version;
-    SECItem serialNumber;
-    SECAlgorithmID signature;
-    CERTName issuer;
-    CERTValidity validity;
-    CERTName subject;
-    CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
-    SECItem issuerID;
-    SECItem subjectID;
-    CERTCertExtension **extensions;
-    char *emailAddr;
-    CERTCertDBHandle *dbhandle;
-    SECItem subjectKeyID;	/* x509v3 subject key identifier */
-    PRBool keyIDGenerated;	/* was the keyid generated? */
-    unsigned int keyUsage;	/* what uses are allowed for this cert */
-    unsigned int rawKeyUsage;	/* value of the key usage extension */
-    PRBool keyUsagePresent;	/* was the key usage extension present */
-    PRUint32 nsCertType;	/* value of the ns cert type extension */
-				/* must be 32-bit for PR_AtomicSet */
-
-    /* these values can be set by the application to bypass certain checks
-     * or to keep the cert in memory for an entire session.
-     * XXX - need an api to set these
-     */
-    PRBool keepSession;			/* keep this cert for entire session*/
-    PRBool timeOK;			/* is the bad validity time ok? */
-    CERTOKDomainName *domainOK;		/* these domain names are ok */
-
-    /*
-     * these values can change when the cert changes state.  These state
-     * changes include transitions from temp to perm or vice-versa, and
-     * changes of trust flags
-     */
-    PRBool isperm;
-    PRBool istemp;
-    char *nickname;
-    char *dbnickname;
-    struct NSSCertificateStr *nssCertificate;	/* This is Stan stuff. */
-    CERTCertTrust *trust;
-
-    /* the reference count is modified whenever someone looks up, dups
-     * or destroys a certificate
-     */
-    int referenceCount;
-
-    /* The subject list is a list of all certs with the same subject name.
-     * It can be modified any time a cert is added or deleted from either
-     * the in-memory(temporary) or on-disk(permanent) database.
-     */
-    CERTSubjectList *subjectList;
-
-    /* these belong in the static section, but are here to maintain
-     * the structure's integrity
-     */
-    CERTAuthKeyID * authKeyID;  /* x509v3 authority key identifier */
-    PRBool isRoot;              /* cert is the end of a chain */
-
-    /* these fields are used by client GUI code to keep track of ssl sockets
-     * that are blocked waiting on GUI feedback related to this cert.
-     * XXX - these should be moved into some sort of application specific
-     *       data structure.  They are only used by the browser right now.
-     */
-    struct SECSocketNode *authsocketlist;
-    int series; /* was int authsocketcount; record the series of the pkcs11ID */
-
-    /* This is PKCS #11 stuff. */
-    PK11SlotInfo *slot;		/*if this cert came of a token, which is it*/
-    CK_OBJECT_HANDLE pkcs11ID;	/*and which object on that token is it */
-    PRBool ownSlot;		/*true if the cert owns the slot reference */
-};
-#define SEC_CERTIFICATE_VERSION_1		0	/* default created */
-#define SEC_CERTIFICATE_VERSION_2		1	/* v2 */
-#define SEC_CERTIFICATE_VERSION_3		2	/* v3 extensions */
-
-#define SEC_CRL_VERSION_1		0	/* default */
-#define SEC_CRL_VERSION_2		1	/* v2 extensions */
-
-/*
- * used to identify class of cert in mime stream code
- */
-#define SEC_CERT_CLASS_CA	1
-#define SEC_CERT_CLASS_SERVER	2
-#define SEC_CERT_CLASS_USER	3
-#define SEC_CERT_CLASS_EMAIL	4
-
-struct CERTDERCertsStr {
-    PRArenaPool *arena;
-    int numcerts;
-    SECItem *rawCerts;
-};
-
-/*
-** A PKCS ? Attribute
-** XXX this is duplicated through out the code, it *should* be moved
-** to a central location.  Where would be appropriate?
-*/
-struct CERTAttributeStr {
-    SECItem attrType;
-    SECItem **attrValue;
-};
-
-/*
-** A PKCS#10 certificate-request object (the unsigned form)
-*/
-struct CERTCertificateRequestStr {
-    PRArenaPool *arena;
-    SECItem version;
-    CERTName subject;
-    CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
-    CERTAttribute **attributes;
-};
-#define SEC_CERTIFICATE_REQUEST_VERSION		0	/* what we *create* */
-
-
-/*
-** A certificate list object.
-*/
-struct CERTCertificateListStr {
-    SECItem *certs;
-    int len;					/* number of certs */
-    PRArenaPool *arena;
-};
-
-struct CERTCertListNodeStr {
-    PRCList links;
-    CERTCertificate *cert;
-    void *appData;
-};
-
-struct CERTCertListStr {
-    PRCList list;
-    PRArenaPool *arena;
-};
-
-#define CERT_LIST_HEAD(l) ((CERTCertListNode *)PR_LIST_HEAD(&l->list))
-#define CERT_LIST_NEXT(n) ((CERTCertListNode *)n->links.next)
-#define CERT_LIST_END(n,l) (((void *)n) == ((void *)&l->list))
-#define CERT_LIST_EMPTY(l) CERT_LIST_END(CERT_LIST_HEAD(l), l)
-
-struct CERTCrlEntryStr {
-    SECItem serialNumber;
-    SECItem revocationDate;
-    CERTCertExtension **extensions;    
-};
-
-struct CERTCrlStr {
-    PRArenaPool *arena;
-    SECItem version;
-    SECAlgorithmID signatureAlg;
-    SECItem derName;
-    CERTName name;
-    SECItem lastUpdate;
-    SECItem nextUpdate;				/* optional for x.509 CRL  */
-    CERTCrlEntry **entries;
-    CERTCertExtension **extensions;    
-    /* can't add anything there for binary backwards compatibility reasons */
-};
-
-struct CERTCrlKeyStr {
-    SECItem derName;
-    SECItem dummy;			/* The decoder can not skip a primitive,
-					   this serves as a place holder for the
-					   decoder to finish its task only
-					*/
-};
-
-struct CERTSignedCrlStr {
-    PRArenaPool *arena;
-    CERTCrl crl;
-    void *reserved1;
-    PRBool reserved2;
-    PRBool isperm;
-    PRBool istemp;
-    int referenceCount;
-    CERTCertDBHandle *dbhandle;
-    CERTSignedData signatureWrap;	/* XXX */
-    char *url;
-    SECItem *derCrl;
-    PK11SlotInfo *slot;
-    CK_OBJECT_HANDLE pkcs11ID;
-    void* opaque; /* do not touch */
-};
-
-
-struct CERTCrlHeadNodeStr {
-    PRArenaPool *arena;
-    CERTCertDBHandle *dbhandle;
-    CERTCrlNode *first;
-    CERTCrlNode *last;
-};
-
-
-struct CERTCrlNodeStr {
-    CERTCrlNode *next;
-    int 	type;
-    CERTSignedCrl *crl;
-};
-
-
-/*
- * Array of X.500 Distinguished Names
- */
-struct CERTDistNamesStr {
-    PRArenaPool *arena;
-    int nnames;
-    SECItem  *names;
-    void *head; /* private */
-};
-
-
-#define NS_CERT_TYPE_SSL_CLIENT		(0x80)	/* bit 0 */
-#define NS_CERT_TYPE_SSL_SERVER		(0x40)  /* bit 1 */
-#define NS_CERT_TYPE_EMAIL		(0x20)  /* bit 2 */
-#define NS_CERT_TYPE_OBJECT_SIGNING	(0x10)  /* bit 3 */
-#define NS_CERT_TYPE_RESERVED		(0x08)  /* bit 4 */
-#define NS_CERT_TYPE_SSL_CA		(0x04)  /* bit 5 */
-#define NS_CERT_TYPE_EMAIL_CA		(0x02)  /* bit 6 */
-#define NS_CERT_TYPE_OBJECT_SIGNING_CA	(0x01)  /* bit 7 */
-
-#define EXT_KEY_USAGE_TIME_STAMP        (0x8000)
-#define EXT_KEY_USAGE_STATUS_RESPONDER	(0x4000)
-
-#define NS_CERT_TYPE_APP ( NS_CERT_TYPE_SSL_CLIENT | \
-			  NS_CERT_TYPE_SSL_SERVER | \
-			  NS_CERT_TYPE_EMAIL | \
-			  NS_CERT_TYPE_OBJECT_SIGNING )
-
-#define NS_CERT_TYPE_CA ( NS_CERT_TYPE_SSL_CA | \
-			 NS_CERT_TYPE_EMAIL_CA | \
-			 NS_CERT_TYPE_OBJECT_SIGNING_CA | \
-			 EXT_KEY_USAGE_STATUS_RESPONDER )
-typedef enum SECCertUsageEnum {
-    certUsageSSLClient = 0,
-    certUsageSSLServer = 1,
-    certUsageSSLServerWithStepUp = 2,
-    certUsageSSLCA = 3,
-    certUsageEmailSigner = 4,
-    certUsageEmailRecipient = 5,
-    certUsageObjectSigner = 6,
-    certUsageUserCertImport = 7,
-    certUsageVerifyCA = 8,
-    certUsageProtectedObjectSigner = 9,
-    certUsageStatusResponder = 10,
-    certUsageAnyCA = 11
-} SECCertUsage;
-
-typedef PRInt64 SECCertificateUsage;
-
-#define certificateUsageSSLClient              (0x0001)
-#define certificateUsageSSLServer              (0x0002)
-#define certificateUsageSSLServerWithStepUp    (0x0004)
-#define certificateUsageSSLCA                  (0x0008)
-#define certificateUsageEmailSigner            (0x0010)
-#define certificateUsageEmailRecipient         (0x0020)
-#define certificateUsageObjectSigner           (0x0040)
-#define certificateUsageUserCertImport         (0x0080)
-#define certificateUsageVerifyCA               (0x0100)
-#define certificateUsageProtectedObjectSigner  (0x0200)
-#define certificateUsageStatusResponder        (0x0400)
-#define certificateUsageAnyCA                  (0x0800)
-
-#define certificateUsageHighest certificateUsageAnyCA
-
-/*
- * Does the cert belong to the user, a peer, or a CA.
- */
-typedef enum CERTCertOwnerEnum {
-    certOwnerUser = 0,
-    certOwnerPeer = 1,
-    certOwnerCA = 2
-} CERTCertOwner;
-
-/*
- * This enum represents the state of validity times of a certificate
- */
-typedef enum SECCertTimeValidityEnum {
-    secCertTimeValid = 0,
-    secCertTimeExpired = 1,
-    secCertTimeNotValidYet = 2,
-    secCertTimeUndetermined = 3 /* validity could not be decoded from the
-                                   cert, most likely because it was NULL */
-} SECCertTimeValidity;
-
-/*
- * This is used as return status in functions that compare the validity
- * periods of two certificates A and B, currently only
- * CERT_CompareValidityTimes.
- */
-
-typedef enum CERTCompareValidityStatusEnum
-{
-    certValidityUndetermined = 0, /* the function is unable to select one cert 
-                                     over another */
-    certValidityChooseB = 1,      /* cert B should be preferred */
-    certValidityEqual = 2,        /* both certs have the same validity period */
-    certValidityChooseA = 3       /* cert A should be preferred */
-} CERTCompareValidityStatus;
-
-/*
- * Interface for getting certificate nickname strings out of the database
- */
-
-/* these are values for the what argument below */
-#define SEC_CERT_NICKNAMES_ALL		1
-#define SEC_CERT_NICKNAMES_USER		2
-#define SEC_CERT_NICKNAMES_SERVER	3
-#define SEC_CERT_NICKNAMES_CA		4
-
-struct CERTCertNicknamesStr {
-    PRArenaPool *arena;
-    void *head;
-    int numnicknames;
-    char **nicknames;
-    int what;
-    int totallen;
-};
-
-struct CERTIssuerAndSNStr {
-    SECItem derIssuer;
-    CERTName issuer;
-    SECItem serialNumber;
-};
-
-
-/* X.509 v3 Key Usage Extension flags */
-#define KU_DIGITAL_SIGNATURE		(0x80)	/* bit 0 */
-#define KU_NON_REPUDIATION		(0x40)  /* bit 1 */
-#define KU_KEY_ENCIPHERMENT		(0x20)  /* bit 2 */
-#define KU_DATA_ENCIPHERMENT		(0x10)  /* bit 3 */
-#define KU_KEY_AGREEMENT		(0x08)  /* bit 4 */
-#define KU_KEY_CERT_SIGN		(0x04)  /* bit 5 */
-#define KU_CRL_SIGN			(0x02)  /* bit 6 */
-#define KU_ALL				(KU_DIGITAL_SIGNATURE | \
-					 KU_NON_REPUDIATION | \
-					 KU_KEY_ENCIPHERMENT | \
-					 KU_DATA_ENCIPHERMENT | \
-					 KU_KEY_AGREEMENT | \
-					 KU_KEY_CERT_SIGN | \
-					 KU_CRL_SIGN)
-
-/* This value will not occur in certs.  It is used internally for the case
- * when the key type is not know ahead of time and either key agreement or
- * key encipherment are the correct value based on key type
- */
-#define KU_KEY_AGREEMENT_OR_ENCIPHERMENT (0x4000)
-
-/* internal bits that do not match bits in the x509v3 spec, but are used
- * for similar purposes
- */
-#define KU_NS_GOVT_APPROVED		(0x8000) /*don't make part of KU_ALL!*/
-/*
- * x.509 v3 Basic Constraints Extension
- * If isCA is false, the pathLenConstraint is ignored.
- * Otherwise, the following pathLenConstraint values will apply:
- *	< 0 - there is no limit to the certificate path
- *	0   - CA can issues end-entity certificates only
- *	> 0 - the number of certificates in the certificate path is
- *	      limited to this number
- */
-#define CERT_UNLIMITED_PATH_CONSTRAINT -2
-
-struct CERTBasicConstraintsStr {
-    PRBool isCA;			/* on if is CA */
-    int pathLenConstraint;		/* maximum number of certificates that can be
-					   in the cert path.  Only applies to a CA
-					   certificate; otherwise, it's ignored.
-					 */
-};
-
-/* Maximum length of a certificate chain */
-#define CERT_MAX_CERT_CHAIN 20
-
-/* x.509 v3 Reason Falgs, used in CRLDistributionPoint Extension */
-#define RF_UNUSED			(0x80)	/* bit 0 */
-#define RF_KEY_COMPROMISE		(0x40)  /* bit 1 */
-#define RF_CA_COMPROMISE		(0x20)  /* bit 2 */
-#define RF_AFFILIATION_CHANGED		(0x10)  /* bit 3 */
-#define RF_SUPERSEDED			(0x08)  /* bit 4 */
-#define RF_CESSATION_OF_OPERATION	(0x04)  /* bit 5 */
-#define RF_CERTIFICATE_HOLD		(0x02)  /* bit 6 */
-
-/* If we needed to extract the general name field, use this */
-/* General Name types */
-typedef enum CERTGeneralNameTypeEnum {
-    certOtherName = 1,
-    certRFC822Name = 2,
-    certDNSName = 3,
-    certX400Address = 4,
-    certDirectoryName = 5,
-    certEDIPartyName = 6,
-    certURI = 7,
-    certIPAddress = 8,
-    certRegisterID = 9
-} CERTGeneralNameType;
-
-
-typedef struct OtherNameStr {
-    SECItem          name;
-    SECItem          oid;
-}OtherName;
-
-
-
-struct CERTGeneralNameStr {
-    CERTGeneralNameType type;		/* name type */
-    union {
-	CERTName directoryName;         /* distinguish name */
-	OtherName  OthName;		/* Other Name */
-	SECItem other;                  /* the rest of the name forms */
-    }name;
-    SECItem derDirectoryName;		/* this is saved to simplify directory name
-					   comparison */
-    PRCList l;
-};
-
-struct CERTGeneralNameListStr {
-    PRArenaPool *arena;
-    CERTGeneralName *name;
-    int refCount;
-    int len;
-    PZLock *lock;
-};
-
-struct CERTNameConstraintStr {
-    CERTGeneralName  name;
-    SECItem          DERName;
-    SECItem          min;
-    SECItem          max;
-    PRCList          l;
-};
-
-
-struct CERTNameConstraintsStr {
-    CERTNameConstraint  *permited;
-    CERTNameConstraint  *excluded;
-    SECItem             **DERPermited;
-    SECItem             **DERExcluded;
-};
-
-
-/* Private Key Usage Period extension struct. */
-struct CERTPrivKeyUsagePeriodStr {
-    SECItem notBefore;
-    SECItem notAfter;
-    PRArenaPool *arena;
-};
-
-/* X.509 v3 Authority Key Identifier extension.  For the authority certificate
-   issuer field, we only support URI now.
- */
-struct CERTAuthKeyIDStr {
-    SECItem keyID;			/* unique key identifier */
-    CERTGeneralName *authCertIssuer;	/* CA's issuer name.  End with a NULL */
-    SECItem authCertSerialNumber;	/* CA's certificate serial number */
-    SECItem **DERAuthCertIssuer;	/* This holds the DER encoded format of
-					   the authCertIssuer field. It is used
-					   by the encoding engine. It should be
-					   used as a read only field by the caller.
-					*/
-};
-
-/* x.509 v3 CRL Distributeion Point */
-
-/*
- * defined the types of CRL Distribution points
- */
-typedef enum DistributionPointTypesEnum {
-    generalName = 1,			/* only support this for now */
-    relativeDistinguishedName = 2
-} DistributionPointTypes;
-
-struct CRLDistributionPointStr {
-    DistributionPointTypes distPointType;
-    union {
-	CERTGeneralName *fullName;
-	CERTRDN relativeName;
-    } distPoint;
-    SECItem reasons;
-    CERTGeneralName *crlIssuer;
-    
-    /* Reserved for internal use only*/
-    SECItem derDistPoint;
-    SECItem derRelativeName;
-    SECItem **derCrlIssuer;
-    SECItem **derFullName;
-    SECItem bitsmap;
-};
-
-struct CERTCrlDistributionPointsStr {
-    CRLDistributionPoint **distPoints;
-};
-
-/*
- * This structure is used to keep a log of errors when verifying
- * a cert chain.  This allows multiple errors to be reported all at
- * once.
- */
-struct CERTVerifyLogNodeStr {
-    CERTCertificate *cert;	/* what cert had the error */
-    long error;			/* what error was it? */
-    unsigned int depth;		/* how far up the chain are we */
-    void *arg;			/* error specific argument */
-    struct CERTVerifyLogNodeStr *next; /* next in the list */
-    struct CERTVerifyLogNodeStr *prev; /* next in the list */
-};
-
-
-struct CERTVerifyLogStr {
-    PRArenaPool *arena;
-    unsigned int count;
-    struct CERTVerifyLogNodeStr *head;
-    struct CERTVerifyLogNodeStr *tail;
-};
-
-
-struct CERTOKDomainNameStr {
-    CERTOKDomainName *next;
-    char              name[1]; /* actual length may be longer. */
-};
-
-
-typedef SECStatus (PR_CALLBACK *CERTStatusChecker) (CERTCertDBHandle *handle,
-						    CERTCertificate *cert,
-						    int64 time,
-						    void *pwArg);
-
-typedef SECStatus (PR_CALLBACK *CERTStatusDestroy) (CERTStatusConfig *handle);
-
-struct CERTStatusConfigStr {
-    CERTStatusChecker statusChecker;	/* NULL means no checking enabled */
-    CERTStatusDestroy statusDestroy;	/* enabled or no, will clean up */
-    void *statusContext;		/* cx specific to checking protocol */
-};
-
-struct CERTAuthInfoAccessStr {
-    SECItem method;
-    SECItem derLocation;
-    CERTGeneralName *location;		/* decoded location */
-};
-
-
-/* This is the typedef for the callback passed to CERT_OpenCertDB() */
-/* callback to return database name based on version number */
-typedef char * (*CERTDBNameFunc)(void *arg, int dbVersion);
-
-/*
- * types of cert packages that we can decode
- */
-typedef enum CERTPackageTypeEnum {
-    certPackageNone = 0,
-    certPackageCert = 1,
-    certPackagePKCS7 = 2,
-    certPackageNSCertSeq = 3,
-    certPackageNSCertWrap = 4
-} CERTPackageType;
-
-/*
- * these types are for the PKIX Certificate Policies extension
- */
-typedef struct {
-    SECOidTag oid;
-    SECItem qualifierID;
-    SECItem qualifierValue;
-} CERTPolicyQualifier;
-
-typedef struct {
-    SECOidTag oid;
-    SECItem policyID;
-    CERTPolicyQualifier **policyQualifiers;
-} CERTPolicyInfo;
-
-typedef struct {
-    PRArenaPool *arena;
-    CERTPolicyInfo **policyInfos;
-} CERTCertificatePolicies;
-
-typedef struct {
-    SECItem organization;
-    SECItem **noticeNumbers;
-} CERTNoticeReference;
-
-typedef struct {
-    PRArenaPool *arena;
-    CERTNoticeReference noticeReference;
-    SECItem derNoticeReference;
-    SECItem displayText;
-} CERTUserNotice;
-
-typedef struct {
-    PRArenaPool *arena;
-    SECItem **oids;
-} CERTOidSequence;
-
-
-/* XXX Lisa thinks the template declarations belong in cert.h, not here? */
-
-#include "secasn1t.h"	/* way down here because I expect template stuff to
-			 * move out of here anyway */
-
-SEC_BEGIN_PROTOS
-
-extern const SEC_ASN1Template CERT_CertificateRequestTemplate[];
-extern const SEC_ASN1Template CERT_CertificateTemplate[];
-extern const SEC_ASN1Template SEC_SignedCertificateTemplate[];
-extern const SEC_ASN1Template CERT_CertExtensionTemplate[];
-extern const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[];
-extern const SEC_ASN1Template SECKEY_PublicKeyTemplate[];
-extern const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[];
-extern const SEC_ASN1Template CERT_TimeChoiceTemplate[];
-extern const SEC_ASN1Template CERT_ValidityTemplate[];
-extern const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[];
-extern const SEC_ASN1Template SEC_CertSequenceTemplate[];
-
-extern const SEC_ASN1Template CERT_IssuerAndSNTemplate[];
-extern const SEC_ASN1Template CERT_NameTemplate[];
-extern const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[];
-extern const SEC_ASN1Template CERT_RDNTemplate[];
-extern const SEC_ASN1Template CERT_SignedDataTemplate[];
-extern const SEC_ASN1Template CERT_CrlTemplate[];
-extern const SEC_ASN1Template CERT_SignedCrlTemplate[];
-
-/*
-** XXX should the attribute stuff be centralized for all of ns/security?
-*/
-extern const SEC_ASN1Template CERT_AttributeTemplate[];
-extern const SEC_ASN1Template CERT_SetOfAttributeTemplate[];
-
-/* These functions simply return the address of the above-declared templates.
-** This is necessary for Windows DLLs.  Sigh.
-*/
-SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateRequestTemplate)
-SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateTemplate)
-SEC_ASN1_CHOOSER_DECLARE(CERT_CrlTemplate)
-SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate)
-SEC_ASN1_CHOOSER_DECLARE(CERT_NameTemplate)
-SEC_ASN1_CHOOSER_DECLARE(CERT_SequenceOfCertExtensionTemplate)
-SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate)
-SEC_ASN1_CHOOSER_DECLARE(CERT_SignedDataTemplate)
-SEC_ASN1_CHOOSER_DECLARE(CERT_SubjectPublicKeyInfoTemplate)
-SEC_ASN1_CHOOSER_DECLARE(SEC_SignedCertificateTemplate)
-SEC_ASN1_CHOOSER_DECLARE(CERT_SignedCrlTemplate)
-SEC_ASN1_CHOOSER_DECLARE(CERT_TimeChoiceTemplate)
-
-SEC_END_PROTOS
-
-#endif /* _CERTT_H_ */
diff --git a/security/nss/lib/certdb/certv3.c b/security/nss/lib/certdb/certv3.c
deleted file mode 100644
index 8a300d7b7..000000000
--- a/security/nss/lib/certdb/certv3.c
+++ /dev/null
@@ -1,400 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Code for dealing with X509.V3 extensions.
- *
- * $Id$
- */
-
-#include "cert.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "secder.h"
-#include "secasn1.h"
-#include "certxutl.h"
-#include "secerr.h"
-
-SECStatus
-CERT_FindCertExtensionByOID(CERTCertificate *cert, SECItem *oid,
-			    SECItem *value)
-{
-    return (cert_FindExtensionByOID (cert->extensions, oid, value));
-}
-    
-
-SECStatus
-CERT_FindCertExtension(CERTCertificate *cert, int tag, SECItem *value)
-{
-    return (cert_FindExtension (cert->extensions, tag, value));
-}
-
-static void
-SetExts(void *object, CERTCertExtension **exts)
-{
-    CERTCertificate *cert = (CERTCertificate *)object;
-
-    cert->extensions = exts;
-    DER_SetUInteger (cert->arena, &(cert->version), SEC_CERTIFICATE_VERSION_3);
-}
-
-void *
-CERT_StartCertExtensions(CERTCertificate *cert)
-{
-    return (cert_StartExtensions ((void *)cert, cert->arena, SetExts));
-}
-
-/* find the given extension in the certificate of the Issuer of 'cert' */
-SECStatus
-CERT_FindIssuerCertExtension(CERTCertificate *cert, int tag, SECItem *value)
-{
-    CERTCertificate *issuercert;
-    SECStatus rv;
-
-    issuercert = CERT_FindCertByName(cert->dbhandle, &cert->derIssuer);
-    if ( issuercert ) {
-	rv = cert_FindExtension(issuercert->extensions, tag, value);
-	CERT_DestroyCertificate(issuercert);
-    } else {
-	rv = SECFailure;
-    }
-    
-    return(rv);
-}
-
-/* find a URL extension in the cert or its CA
- * apply the base URL string if it exists
- */
-char *
-CERT_FindCertURLExtension(CERTCertificate *cert, int tag, int catag)
-{
-    SECStatus rv;
-    SECItem urlitem;
-    SECItem baseitem;
-    SECItem urlstringitem = {siBuffer,0};
-    SECItem basestringitem = {siBuffer,0};
-    PRArenaPool *arena = NULL;
-    PRBool hasbase;
-    char *urlstring;
-    char *str;
-    int len;
-    unsigned int i;
-    
-    urlstring = NULL;
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( ! arena ) {
-	goto loser;
-    }
-    
-    hasbase = PR_FALSE;
-    urlitem.data = NULL;
-    baseitem.data = NULL;
-    
-    rv = cert_FindExtension(cert->extensions, tag, &urlitem);
-    if ( rv == SECSuccess ) {
-	rv = cert_FindExtension(cert->extensions, SEC_OID_NS_CERT_EXT_BASE_URL,
-				   &baseitem);
-	if ( rv == SECSuccess ) {
-	    hasbase = PR_TRUE;
-	}
-	
-    } else if ( catag ) {
-	/* if the cert doesn't have the extensions, see if the issuer does */
-	rv = CERT_FindIssuerCertExtension(cert, catag, &urlitem);
-	if ( rv != SECSuccess ) {
-	    goto loser;
-	}	    
-	rv = CERT_FindIssuerCertExtension(cert, SEC_OID_NS_CERT_EXT_BASE_URL,
-					 &baseitem);
-	if ( rv == SECSuccess ) {
-	    hasbase = PR_TRUE;
-	}
-    } else {
-	goto loser;
-    }
-
-    rv = SEC_QuickDERDecodeItem(arena, &urlstringitem, SEC_IA5StringTemplate, 
-			    &urlitem);
-
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    if ( hasbase ) {
-	rv = SEC_QuickDERDecodeItem(arena, &basestringitem, SEC_IA5StringTemplate,
-				&baseitem);
-
-	if ( rv != SECSuccess ) {
-	    goto loser;
-	}
-    }
-    
-    len = urlstringitem.len + ( hasbase ? basestringitem.len : 0 ) + 1;
-    
-    str = urlstring = (char *)PORT_Alloc(len);
-    if ( urlstring == NULL ) {
-	goto loser;
-    }
-    
-    /* copy the URL base first */
-    if ( hasbase ) {
-
-	/* if the urlstring has a : in it, then we assume it is an absolute
-	 * URL, and will not get the base string pre-pended
-	 */
-	for ( i = 0; i < urlstringitem.len; i++ ) {
-	    if ( urlstringitem.data[i] == ':' ) {
-		goto nobase;
-	    }
-	}
-	
-	PORT_Memcpy(str, basestringitem.data, basestringitem.len);
-	str += basestringitem.len;
-	
-    }
-
-nobase:
-    /* copy the rest (or all) of the URL */
-    PORT_Memcpy(str, urlstringitem.data, urlstringitem.len);
-    str += urlstringitem.len;
-    
-    *str = '\0';
-    goto done;
-    
-loser:
-    if ( urlstring ) {
-	PORT_Free(urlstring);
-    }
-    
-    urlstring = NULL;
-done:
-    if ( arena ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    if ( baseitem.data ) {
-	PORT_Free(baseitem.data);
-    }
-    if ( urlitem.data ) {
-	PORT_Free(urlitem.data);
-    }
-
-    return(urlstring);
-}
-
-/*
- * get the value of the Netscape Certificate Type Extension
- */
-SECStatus
-CERT_FindNSCertTypeExtension(CERTCertificate *cert, SECItem *retItem)
-{
-
-    return (CERT_FindBitStringExtension
-	    (cert->extensions, SEC_OID_NS_CERT_EXT_CERT_TYPE, retItem));    
-}
-
-
-/*
- * get the value of a string type extension
- */
-char *
-CERT_FindNSStringExtension(CERTCertificate *cert, int oidtag)
-{
-    SECItem wrapperItem, tmpItem = {siBuffer,0};
-    SECStatus rv;
-    PRArenaPool *arena = NULL;
-    char *retstring = NULL;
-    
-    wrapperItem.data = NULL;
-    tmpItem.data = NULL;
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    
-    if ( ! arena ) {
-	goto loser;
-    }
-    
-    rv = cert_FindExtension(cert->extensions, oidtag,
-			       &wrapperItem);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    rv = SEC_QuickDERDecodeItem(arena, &tmpItem, SEC_IA5StringTemplate, 
-			    &wrapperItem);
-
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    retstring = (char *)PORT_Alloc(tmpItem.len + 1 );
-    if ( retstring == NULL ) {
-	goto loser;
-    }
-    
-    PORT_Memcpy(retstring, tmpItem.data, tmpItem.len);
-    retstring[tmpItem.len] = '\0';
-
-loser:
-    if ( arena ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    
-    if ( wrapperItem.data ) {
-	PORT_Free(wrapperItem.data);
-    }
-
-    return(retstring);
-}
-
-/*
- * get the value of the X.509 v3 Key Usage Extension
- */
-SECStatus
-CERT_FindKeyUsageExtension(CERTCertificate *cert, SECItem *retItem)
-{
-
-    return (CERT_FindBitStringExtension(cert->extensions,
-					SEC_OID_X509_KEY_USAGE, retItem));    
-}
-
-/*
- * get the value of the X.509 v3 Key Usage Extension
- */
-SECStatus
-CERT_FindSubjectKeyIDExtension(CERTCertificate *cert, SECItem *retItem)
-{
-
-    SECStatus rv;
-    SECItem encodedValue = {siBuffer, NULL, 0 };
-    SECItem decodedValue = {siBuffer, NULL, 0 };
-
-    rv = cert_FindExtension
-	 (cert->extensions, SEC_OID_X509_SUBJECT_KEY_ID, &encodedValue);
-    if (rv == SECSuccess) {
-	PLArenaPool * tmpArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-	if (tmpArena) {
-	    rv = SEC_QuickDERDecodeItem(tmpArena, &decodedValue, 
-	                                SEC_OctetStringTemplate, 
-					&encodedValue);
-	    if (rv == SECSuccess) {
-	        rv = SECITEM_CopyItem(NULL, retItem, &decodedValue);
-	    }
-	    PORT_FreeArena(tmpArena, PR_FALSE);
-	} else {
-	    rv = SECFailure;
-	}
-    }
-    SECITEM_FreeItem(&encodedValue, PR_FALSE);
-    return rv;
-}
-
-SECStatus
-CERT_FindBasicConstraintExten(CERTCertificate *cert,
-			      CERTBasicConstraints *value)
-{
-    SECItem encodedExtenValue;
-    SECStatus rv;
-
-    encodedExtenValue.data = NULL;
-    encodedExtenValue.len = 0;
-
-    rv = cert_FindExtension(cert->extensions, SEC_OID_X509_BASIC_CONSTRAINTS,
-			    &encodedExtenValue);
-    if ( rv != SECSuccess ) {
-	return (rv);
-    }
-
-    rv = CERT_DecodeBasicConstraintValue (value, &encodedExtenValue);
-    
-    /* free the raw extension data */
-    PORT_Free(encodedExtenValue.data);
-    encodedExtenValue.data = NULL;
-    
-    return(rv);
-}
-
-CERTAuthKeyID *
-CERT_FindAuthKeyIDExten (PRArenaPool *arena, CERTCertificate *cert)
-{
-    SECItem encodedExtenValue;
-    SECStatus rv;
-    CERTAuthKeyID *ret;
-    
-    encodedExtenValue.data = NULL;
-    encodedExtenValue.len = 0;
-
-    rv = cert_FindExtension(cert->extensions, SEC_OID_X509_AUTH_KEY_ID,
-			    &encodedExtenValue);
-    if ( rv != SECSuccess ) {
-	return (NULL);
-    }
-
-    ret = CERT_DecodeAuthKeyID (arena, &encodedExtenValue);
-
-    PORT_Free(encodedExtenValue.data);
-    encodedExtenValue.data = NULL;
-    
-    return(ret);
-}
-
-SECStatus
-CERT_CheckCertUsage(CERTCertificate *cert, unsigned char usage)
-{
-    SECItem keyUsage;
-    SECStatus rv;
-
-    /* There is no extension, v1 or v2 certificate */
-    if (cert->extensions == NULL) {
-	return (SECSuccess);
-    }
-    
-    keyUsage.data = NULL;
-
-    /* This code formerly ignored the Key Usage extension if it was
-    ** marked non-critical.  That was wrong.  Since we do understand it,
-    ** we are obligated to honor it, whether or not it is critical.
-    */
-    rv = CERT_FindKeyUsageExtension(cert, &keyUsage);
-    if (rv == SECFailure) {
-        rv = (PORT_GetError () == SEC_ERROR_EXTENSION_NOT_FOUND) ?
-	    SECSuccess : SECFailure;
-    } else if (!(keyUsage.data[0] & usage)) {
-	PORT_SetError (SEC_ERROR_CERT_USAGES_INVALID);
-	rv = SECFailure;
-    }
-    PORT_Free (keyUsage.data);
-    return (rv);
-}
diff --git a/security/nss/lib/certdb/certxutl.c b/security/nss/lib/certdb/certxutl.c
deleted file mode 100644
index edc8b45bb..000000000
--- a/security/nss/lib/certdb/certxutl.c
+++ /dev/null
@@ -1,529 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Certificate Extensions handling code
- *
- */
-
-#include "cert.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "secder.h"
-#include "secasn1.h"
-#include "certxutl.h"
-#include "secerr.h"
-
-#ifdef OLD
-#include "ocspti.h"	/* XXX a better extensions interface would not
-			 * require knowledge of data structures of callers */
-#endif
-
-static CERTCertExtension *
-GetExtension (CERTCertExtension **extensions, SECItem *oid)
-{
-    CERTCertExtension **exts;
-    CERTCertExtension *ext = NULL;
-    SECComparison comp;
-
-    exts = extensions;
-    
-    if (exts) {
-	while ( *exts ) {
-	    ext = *exts;
-	    comp = SECITEM_CompareItem(oid, &ext->id);
-	    if ( comp == SECEqual ) 
-		break;
-
-	    exts++;
-	}
-	return (*exts ? ext : NULL);
-    }
-    return (NULL);
-}
-
-SECStatus
-cert_FindExtensionByOID (CERTCertExtension **extensions, SECItem *oid, SECItem *value)
-{
-    CERTCertExtension *ext;
-    SECStatus rv = SECSuccess;
-    
-    ext = GetExtension (extensions, oid);
-    if (ext == NULL) {
-	PORT_SetError (SEC_ERROR_EXTENSION_NOT_FOUND);
-	return (SECFailure);
-    }
-    if (value)
-	rv = SECITEM_CopyItem(NULL, value, &ext->value);
-    return (rv);
-}
-    
-
-SECStatus
-CERT_GetExtenCriticality (CERTCertExtension **extensions, int tag, PRBool *isCritical)
-{
-    CERTCertExtension *ext;
-    SECOidData *oid;
-
-    if (!isCritical)
-	return (SECSuccess);
-    
-    /* find the extension in the extensions list */
-    oid = SECOID_FindOIDByTag((SECOidTag)tag);
-    if ( !oid ) {
-	return(SECFailure);
-    }
-    ext = GetExtension (extensions, &oid->oid);
-    if (ext == NULL) {
-	PORT_SetError (SEC_ERROR_EXTENSION_NOT_FOUND);
-	return (SECFailure);
-    }
-
-    /* If the criticality is omitted, then it is false by default.
-       ex->critical.data is NULL */
-    if (ext->critical.data == NULL)
-	*isCritical = PR_FALSE;
-    else
-	*isCritical = (ext->critical.data[0] == 0xff) ? PR_TRUE : PR_FALSE;
-    return (SECSuccess);    
-}
-
-SECStatus
-cert_FindExtension(CERTCertExtension **extensions, int tag, SECItem *value)
-{
-    SECOidData *oid;
-    
-    oid = SECOID_FindOIDByTag((SECOidTag)tag);
-    if ( !oid ) {
-	return(SECFailure);
-    }
-
-    return(cert_FindExtensionByOID(extensions, &oid->oid, value));
-}
-
-
-typedef struct _extNode {
-    struct _extNode *next;
-    CERTCertExtension *ext;
-} extNode;
-
-typedef struct {
-    void (*setExts)(void *object, CERTCertExtension **exts);
-    void *object;
-    PRArenaPool *ownerArena;
-    PRArenaPool *arena;
-    extNode *head;
-    int count;
-}extRec;
-
-/*
- * cert_StartExtensions
- *
- * NOTE: This interface changed significantly to remove knowledge
- *   about callers data structures (owner objects)
- */
-void *
-cert_StartExtensions(void *owner, PRArenaPool *ownerArena,
-   void (*setExts)(void *object, CERTCertExtension **exts))
-{
-    PRArenaPool *arena;
-    extRec *handle;
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( !arena ) {
-	return(0);
-    }
-
-    handle = (extRec *)PORT_ArenaAlloc(arena, sizeof(extRec));
-    if ( !handle ) {
-	PORT_FreeArena(arena, PR_FALSE);
-	return(0);
-    }
-
-    handle->object = owner;
-    handle->ownerArena = ownerArena;
-    handle->setExts = setExts;
-
-    handle->arena = arena;
-    handle->head = 0;
-    handle->count = 0;
-    
-    return(handle);
-}
-
-static unsigned char hextrue = 0xff;
-
-/*
- * Note - assumes that data pointed to by oid->data will not move
- */
-SECStatus
-CERT_AddExtensionByOID (void *exthandle, SECItem *oid, SECItem *value,
-			PRBool critical, PRBool copyData)
-{
-    CERTCertExtension *ext;
-    SECStatus rv;
-    extNode *node;
-    extRec *handle;
-    
-    handle = (extRec *)exthandle;
-
-    /* allocate space for extension and list node */
-    ext = (CERTCertExtension*)PORT_ArenaZAlloc(handle->ownerArena,
-                                               sizeof(CERTCertExtension));
-    if ( !ext ) {
-	return(SECFailure);
-    }
-
-    node = (extNode*)PORT_ArenaAlloc(handle->arena, sizeof(extNode));
-    if ( !node ) {
-	return(SECFailure);
-    }
-
-    /* add to list */
-    node->next = handle->head;
-    handle->head = node;
-   
-    /* point to ext struct */
-    node->ext = ext;
-    
-    /* the object ID of the extension */
-    ext->id = *oid;
-    
-    /* set critical field */
-    if ( critical ) {
-	ext->critical.data = (unsigned char*)&hextrue;
-	ext->critical.len = 1;
-    }
-
-    /* set the value */
-    if ( copyData ) {
-	rv = SECITEM_CopyItem(handle->ownerArena, &ext->value, value);
-	if ( rv ) {
-	    return(SECFailure);
-	}
-    } else {
-	ext->value = *value;
-    }
-    
-    handle->count++;
-    
-    return(SECSuccess);
-
-}
-
-SECStatus
-CERT_AddExtension(void *exthandle, int idtag, SECItem *value,
-		     PRBool critical, PRBool copyData)
-{
-    SECOidData *oid;
-    
-    oid = SECOID_FindOIDByTag((SECOidTag)idtag);
-    if ( !oid ) {
-	return(SECFailure);
-    }
-
-    return(CERT_AddExtensionByOID(exthandle, &oid->oid, value, critical, copyData));
-}
-
-SECStatus
-CERT_EncodeAndAddExtension(void *exthandle, int idtag, void *value,
-			   PRBool critical, const SEC_ASN1Template *atemplate)
-{
-    extRec *handle;
-    SECItem *encitem;
-
-    handle = (extRec *)exthandle;
-
-    encitem = SEC_ASN1EncodeItem(handle->ownerArena, NULL, value, atemplate);
-    if ( encitem == NULL ) {
-	return(SECFailure);
-    }
-
-    return CERT_AddExtension(exthandle, idtag, encitem, critical, PR_FALSE);
-}
-
-void
-PrepareBitStringForEncoding (SECItem *bitsmap, SECItem *value)
-{
-  unsigned char onebyte;
-  unsigned int i, len = 0;
-
-  /* to prevent warning on some platform at compile time */ 
-  onebyte = '\0';   
-  /* Get the position of the right-most turn-on bit */ 
-  for (i = 0; i < (value->len ) * 8; ++i) {
-      if (i % 8 == 0)
-	  onebyte = value->data[i/8];
-      if (onebyte & 0x80)
-	  len = i;            
-      onebyte <<= 1;
-      
-  }
-  bitsmap->data = value->data;
-  /* Add one here since we work with base 1 */ 
-  bitsmap->len = len + 1;
-}
-
-SECStatus
-CERT_EncodeAndAddBitStrExtension (void *exthandle, int idtag,
-				  SECItem *value, PRBool critical)
-{
-  SECItem bitsmap;
-  
-  PrepareBitStringForEncoding (&bitsmap, value);
-  return (CERT_EncodeAndAddExtension
-	  (exthandle, idtag, &bitsmap, critical, SEC_BitStringTemplate));
-}
-
-SECStatus
-CERT_FinishExtensions(void *exthandle)
-{
-    extRec *handle;
-    extNode *node;
-    CERTCertExtension **exts;
-    SECStatus rv = SECFailure;
-    
-    handle = (extRec *)exthandle;
-
-    /* allocate space for extensions array */
-    exts = PORT_ArenaNewArray(handle->ownerArena, CERTCertExtension *,
-			      handle->count + 1);
-    if (exts == NULL) {
-	goto loser;
-    }
-
-    /* put extensions in owner object and update its version number */
-
-#ifdef OLD
-    switch (handle->type) {
-      case CertificateExtensions:
-	handle->owner.cert->extensions = exts;
-	DER_SetUInteger (ownerArena, &(handle->owner.cert->version),
-			 SEC_CERTIFICATE_VERSION_3);
-	break;
-      case CrlExtensions:
-	handle->owner.crl->extensions = exts;
-	DER_SetUInteger (ownerArena, &(handle->owner.crl->version),
-			 SEC_CRL_VERSION_2);
-	break;
-      case OCSPRequestExtensions:
-	handle->owner.request->tbsRequest->requestExtensions = exts;
-	break;
-      case OCSPSingleRequestExtensions:
-	handle->owner.singleRequest->singleRequestExtensions = exts;	
-	break;
-      case OCSPResponseSingleExtensions:
-	handle->owner.singleResponse->singleExtensions = exts;	
-	break;
-    }
-#endif
-
-    handle->setExts(handle->object, exts);
-	
-    /* update the version number */
-
-    /* copy each extension pointer */
-    node = handle->head;
-    while ( node ) {
-	*exts = node->ext;
-	
-	node = node->next;
-	exts++;
-    }
-
-    /* terminate the array of extensions */
-    *exts = 0;
-
-    rv = SECSuccess;
-
-loser:
-    /* free working arena */
-    PORT_FreeArena(handle->arena, PR_FALSE);
-    return rv;
-}
-
-SECStatus
-CERT_MergeExtensions(void *exthandle, CERTCertExtension **extensions)
-{
-    CERTCertExtension *ext;
-    SECStatus rv = SECSuccess;
-    SECOidTag tag;
-    extNode *node;
-    extRec *handle = exthandle;
-    
-    if (!exthandle || !extensions) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-    while ((ext = *extensions++) != NULL) {
-        tag = SECOID_FindOIDTag(&ext->id);
-        for (node=handle->head; node != NULL; node=node->next) {
-            if (tag == 0) {
-                if (SECITEM_ItemsAreEqual(&ext->id, &node->ext->id))
-                    break;
-            }
-            else {
-                if (SECOID_FindOIDTag(&node->ext->id) == tag) {
-                    break;
-                }
-            }
-        }
-        if (node == NULL) {
-            PRBool critical = (ext->critical.len != 0 &&
-                            ext->critical.data[ext->critical.len - 1] != 0);
-            if (critical && tag == SEC_OID_UNKNOWN) {
-               PORT_SetError(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION);
-               rv = SECFailure;
-               break;
-            }
-            /* add to list */
-            rv = CERT_AddExtensionByOID (exthandle, &ext->id, &ext->value,
-                                         critical, PR_TRUE);
-            if (rv != SECSuccess)
-                break;
-        }
-    }
-    return rv;
-}
-
-/*
- * get the value of the Netscape Certificate Type Extension
- */
-SECStatus
-CERT_FindBitStringExtension (CERTCertExtension **extensions, int tag,
-			     SECItem *retItem)
-{
-    SECItem wrapperItem, tmpItem = {siBuffer,0};
-    SECStatus rv;
-    PRArenaPool *arena = NULL;
-    
-    wrapperItem.data = NULL;
-    tmpItem.data = NULL;
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    
-    if ( ! arena ) {
-	return(SECFailure);
-    }
-    
-    rv = cert_FindExtension(extensions, tag, &wrapperItem);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    rv = SEC_QuickDERDecodeItem(arena, &tmpItem, SEC_BitStringTemplate, 
-			    &wrapperItem);
-
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    retItem->data = (unsigned char *)PORT_Alloc( ( tmpItem.len + 7 ) >> 3 );
-    if ( retItem->data == NULL ) {
-	goto loser;
-    }
-    
-    PORT_Memcpy(retItem->data, tmpItem.data, ( tmpItem.len + 7 ) >> 3);
-    retItem->len = tmpItem.len;
-    
-    rv = SECSuccess;
-    goto done;
-    
-loser:
-    rv = SECFailure;
-
-done:
-    if ( arena ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    
-    if ( wrapperItem.data ) {
-	PORT_Free(wrapperItem.data);
-    }
-
-    return(rv);
-}
-
-PRBool
-cert_HasCriticalExtension (CERTCertExtension **extensions)
-{
-    CERTCertExtension **exts;
-    CERTCertExtension *ext = NULL;
-    PRBool hasCriticalExten = PR_FALSE;
-    
-    exts = extensions;
-    
-    if (exts) {
-	while ( *exts ) {
-	    ext = *exts;
-	    /* If the criticality is omitted, it's non-critical */
-	    if (ext->critical.data && ext->critical.data[0] == 0xff) {
-		hasCriticalExten = PR_TRUE;
-		break;
-	    }
-	    exts++;
-	}
-    }
-    return (hasCriticalExten);
-}
-
-PRBool
-cert_HasUnknownCriticalExten (CERTCertExtension **extensions)
-{
-    CERTCertExtension **exts;
-    CERTCertExtension *ext = NULL;
-    PRBool hasUnknownCriticalExten = PR_FALSE;
-    
-    exts = extensions;
-    
-    if (exts) {
-	while ( *exts ) {
-	    ext = *exts;
-	    /* If the criticality is omitted, it's non-critical.
-	       If an extension is critical, make sure that we know
-	       how to process the extension.
-             */
-	    if (ext->critical.data && ext->critical.data[0] == 0xff) {
-		if (SECOID_KnownCertExtenOID (&ext->id) == PR_FALSE) {
-		    hasUnknownCriticalExten = PR_TRUE;
-		    break;
-		}
-	    }
-	    exts++;
-	}
-    }
-    return (hasUnknownCriticalExten);
-}
diff --git a/security/nss/lib/certdb/certxutl.h b/security/nss/lib/certdb/certxutl.h
deleted file mode 100644
index 9f8a1596d..000000000
--- a/security/nss/lib/certdb/certxutl.h
+++ /dev/null
@@ -1,82 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * x.509 v3 certificate extension helper routines
- *
- */
-
-
-#ifndef _CERTXUTL_H_
-#define _CERTXUTL_H_
-
-#include "nspr.h"
-
-#ifdef OLD
-typedef enum {
-    CertificateExtensions,
-    CrlExtensions,
-    OCSPRequestExtensions,
-    OCSPSingleRequestExtensions,
-    OCSPResponseSingleExtensions
-} ExtensionsType;
-#endif
-
-extern PRBool
-cert_HasCriticalExtension (CERTCertExtension **extensions);
-
-extern SECStatus
-CERT_FindBitStringExtension (CERTCertExtension **extensions,
-			     int tag, SECItem *retItem);
-extern void *
-cert_StartExtensions (void *owner, PLArenaPool *arena,
-                      void (*setExts)(void *object, CERTCertExtension **exts));
-
-extern SECStatus
-cert_FindExtension (CERTCertExtension **extensions, int tag, SECItem *value);
-
-extern SECStatus
-cert_FindExtensionByOID (CERTCertExtension **extensions,
-			 SECItem *oid, SECItem *value);
-
-extern SECStatus
-cert_GetExtenCriticality (CERTCertExtension **extensions,
-			  int tag, PRBool *isCritical);
-
-extern PRBool
-cert_HasUnknownCriticalExten (CERTCertExtension **extensions);
-
-#endif
diff --git a/security/nss/lib/certdb/config.mk b/security/nss/lib/certdb/config.mk
deleted file mode 100644
index 665828c63..000000000
--- a/security/nss/lib/certdb/config.mk
+++ /dev/null
@@ -1,47 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#
-#  Override TARGETS variable so that only static libraries
-#  are specifed as dependencies within rules.mk.
-#
-
-TARGETS        = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PROGRAM        =
-
diff --git a/security/nss/lib/certdb/crl.c b/security/nss/lib/certdb/crl.c
deleted file mode 100644
index 7cd308c0a..000000000
--- a/security/nss/lib/certdb/crl.c
+++ /dev/null
@@ -1,3003 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Moved from secpkcs7.c
- *
- * $Id$
- */
- 
-#include "cert.h"
-#include "certi.h"
-#include "secder.h"
-#include "secasn1.h"
-#include "secoid.h"
-#include "certdb.h"
-#include "certxutl.h"
-#include "prtime.h"
-#include "secerr.h"
-#include "pk11func.h"
-#include "dev.h"
-#include "dev3hack.h"
-#include "nssbase.h"
-#if defined(DPC_RWLOCK) || defined(GLOBAL_RWLOCK)
-#include "nssrwlk.h"
-#endif
-#include "pk11priv.h"
-
-const SEC_ASN1Template SEC_CERTExtensionTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTCertExtension) },
-    { SEC_ASN1_OBJECT_ID,
-	  offsetof(CERTCertExtension,id) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN,		/* XXX DER_DEFAULT */
-	  offsetof(CERTCertExtension,critical), },
-    { SEC_ASN1_OCTET_STRING,
-	  offsetof(CERTCertExtension,value) },
-    { 0, }
-};
-
-static const SEC_ASN1Template SEC_CERTExtensionsTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF, 0,  SEC_CERTExtensionTemplate}
-};
-
-/*
- * XXX Also, these templates, especially the Krl/FORTEZZA ones, need to
- * be tested; Lisa did the obvious translation but they still should be
- * verified.
- */
-
-const SEC_ASN1Template CERT_IssuerAndSNTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTIssuerAndSN) },
-    { SEC_ASN1_SAVE,
-	  offsetof(CERTIssuerAndSN,derIssuer) },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTIssuerAndSN,issuer),
-	  CERT_NameTemplate },
-    { SEC_ASN1_INTEGER,
-	  offsetof(CERTIssuerAndSN,serialNumber) },
-    { 0 }
-};
-
-static const SEC_ASN1Template cert_KrlEntryTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTCrlEntry) },
-    { SEC_ASN1_OCTET_STRING,
-	  offsetof(CERTCrlEntry,serialNumber) },
-    { SEC_ASN1_UTC_TIME,
-	  offsetof(CERTCrlEntry,revocationDate) },
-    { 0 }
-};
-
-static const SEC_ASN1Template cert_KrlTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTCrl) },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTCrl,signatureAlg),
-	  SECOID_AlgorithmIDTemplate },
-    { SEC_ASN1_SAVE,
-	  offsetof(CERTCrl,derName) },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTCrl,name),
-	  CERT_NameTemplate },
-    { SEC_ASN1_UTC_TIME,
-	  offsetof(CERTCrl,lastUpdate) },
-    { SEC_ASN1_UTC_TIME,
-	  offsetof(CERTCrl,nextUpdate) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
-	  offsetof(CERTCrl,entries),
-	  cert_KrlEntryTemplate },
-    { 0 }
-};
-
-static const SEC_ASN1Template cert_SignedKrlTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTSignedCrl) },
-    { SEC_ASN1_SAVE,
-	  offsetof(CERTSignedCrl,signatureWrap.data) },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTSignedCrl,crl),
-	  cert_KrlTemplate },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTSignedCrl,signatureWrap.signatureAlgorithm),
-	  SECOID_AlgorithmIDTemplate },
-    { SEC_ASN1_BIT_STRING,
-	  offsetof(CERTSignedCrl,signatureWrap.signature) },
-    { 0 }
-};
-
-static const SEC_ASN1Template cert_CrlKeyTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTCrlKey) },
-    { SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, offsetof(CERTCrlKey,dummy) },
-    { SEC_ASN1_SKIP },
-    { SEC_ASN1_ANY, offsetof(CERTCrlKey,derName) },
-    { SEC_ASN1_SKIP_REST },
-    { 0 }
-};
-
-static const SEC_ASN1Template cert_CrlEntryTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTCrlEntry) },
-    { SEC_ASN1_INTEGER,
-	  offsetof(CERTCrlEntry,serialNumber) },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTCrlEntry,revocationDate), CERT_TimeChoiceTemplate },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
-	  offsetof(CERTCrlEntry, extensions),
-	  SEC_CERTExtensionTemplate},
-    { 0 }
-};
-
-const SEC_ASN1Template CERT_CrlTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTCrl) },
-    { SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, offsetof (CERTCrl, version) },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTCrl,signatureAlg),
-	  SECOID_AlgorithmIDTemplate },
-    { SEC_ASN1_SAVE,
-	  offsetof(CERTCrl,derName) },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTCrl,name),
-	  CERT_NameTemplate },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTCrl,lastUpdate), CERT_TimeChoiceTemplate },
-    { SEC_ASN1_INLINE | SEC_ASN1_OPTIONAL,
-	  offsetof(CERTCrl,nextUpdate), CERT_TimeChoiceTemplate },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
-	  offsetof(CERTCrl,entries),
-	  cert_CrlEntryTemplate },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
-	  SEC_ASN1_EXPLICIT | 0,
-	  offsetof(CERTCrl,extensions),
-	  SEC_CERTExtensionsTemplate},
-    { 0 }
-};
-
-const SEC_ASN1Template CERT_CrlTemplateNoEntries[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTCrl) },
-    { SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, offsetof (CERTCrl, version) },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTCrl,signatureAlg),
-	  SECOID_AlgorithmIDTemplate },
-    { SEC_ASN1_SAVE,
-	  offsetof(CERTCrl,derName) },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTCrl,name),
-	  CERT_NameTemplate },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTCrl,lastUpdate), CERT_TimeChoiceTemplate },
-    { SEC_ASN1_INLINE | SEC_ASN1_OPTIONAL,
-	  offsetof(CERTCrl,nextUpdate), CERT_TimeChoiceTemplate },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF |
-      SEC_ASN1_SKIP }, /* skip entries */
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
-	  SEC_ASN1_EXPLICIT | 0,
-	  offsetof(CERTCrl,extensions),
-	  SEC_CERTExtensionsTemplate },
-    { 0 }
-};
-
-const SEC_ASN1Template CERT_CrlTemplateEntriesOnly[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTCrl) },
-    { SEC_ASN1_SKIP | SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL },
-    { SEC_ASN1_SKIP },
-    { SEC_ASN1_SKIP },
-    { SEC_ASN1_SKIP | SEC_ASN1_INLINE,
-        offsetof(CERTCrl,lastUpdate), CERT_TimeChoiceTemplate },
-    { SEC_ASN1_SKIP | SEC_ASN1_INLINE | SEC_ASN1_OPTIONAL,
-        offsetof(CERTCrl,nextUpdate), CERT_TimeChoiceTemplate },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
-	  offsetof(CERTCrl,entries),
-	  cert_CrlEntryTemplate }, /* decode entries */
-    { SEC_ASN1_SKIP_REST },
-    { 0 }
-};
-
-const SEC_ASN1Template CERT_SignedCrlTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTSignedCrl) },
-    { SEC_ASN1_SAVE,
-	  offsetof(CERTSignedCrl,signatureWrap.data) },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTSignedCrl,crl),
-	  CERT_CrlTemplate },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTSignedCrl,signatureWrap.signatureAlgorithm),
-	  SECOID_AlgorithmIDTemplate },
-    { SEC_ASN1_BIT_STRING,
-	  offsetof(CERTSignedCrl,signatureWrap.signature) },
-    { 0 }
-};
-
-static const SEC_ASN1Template cert_SignedCrlTemplateNoEntries[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTSignedCrl) },
-    { SEC_ASN1_SAVE,
-	  offsetof(CERTSignedCrl,signatureWrap.data) },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTSignedCrl,crl),
-	  CERT_CrlTemplateNoEntries },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTSignedCrl,signatureWrap.signatureAlgorithm),
-	  SECOID_AlgorithmIDTemplate },
-    { SEC_ASN1_BIT_STRING,
-	  offsetof(CERTSignedCrl,signatureWrap.signature) },
-    { 0 }
-};
-
-const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[] = {
-    { SEC_ASN1_SET_OF, 0, CERT_SignedCrlTemplate },
-};
-
-/* get CRL version */
-int cert_get_crl_version(CERTCrl * crl)
-{
-    /* CRL version is defaulted to v1 */
-    int version = SEC_CRL_VERSION_1;
-    if (crl && crl->version.data != 0) {
-	version = (int)DER_GetUInteger (&crl->version);
-    }
-    return version;
-}
-
-
-/* check the entries in the CRL */
-SECStatus cert_check_crl_entries (CERTCrl *crl)
-{
-    CERTCrlEntry **entries;
-    CERTCrlEntry *entry;
-    PRBool hasCriticalExten = PR_FALSE;
-    SECStatus rv = SECSuccess;
-
-    if (!crl) {
-        return SECFailure;
-    }
-
-    if (crl->entries == NULL) {
-        /* CRLs with no entries are valid */
-        return (SECSuccess);
-    }
-
-    /* Look in the crl entry extensions.  If there is a critical extension,
-       then the crl version must be v2; otherwise, it should be v1.
-     */
-    entries = crl->entries;
-    while (*entries) {
-	entry = *entries;
-	if (entry->extensions) {
-	    /* If there is a critical extension in the entries, then the
-	       CRL must be of version 2.  If we already saw a critical extension,
-	       there is no need to check the version again.
-	    */
-            if (hasCriticalExten == PR_FALSE) {
-                hasCriticalExten = cert_HasCriticalExtension (entry->extensions);
-                if (hasCriticalExten) {
-                    if (cert_get_crl_version(crl) != SEC_CRL_VERSION_2) { 
-                        /* only CRL v2 critical extensions are supported */
-                        PORT_SetError(SEC_ERROR_CRL_V1_CRITICAL_EXTENSION);
-                        rv = SECFailure;
-                        break;
-                    }
-                }
-            }
-
-	    /* For each entry, make sure that it does not contain an unknown
-	       critical extension.  If it does, we must reject the CRL since
-	       we don't know how to process the extension.
-	    */
-	    if (cert_HasUnknownCriticalExten (entry->extensions) == PR_TRUE) {
-		PORT_SetError (SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION);
-		rv = SECFailure;
-		break;
-	    }
-	}
-	++entries;
-    }
-    return(rv);
-}
-
-/* Check the version of the CRL.  If there is a critical extension in the crl
-   or crl entry, then the version must be v2. Otherwise, it should be v1. If
-   the crl contains critical extension(s), then we must recognized the
-   extension's OID.
-   */
-SECStatus cert_check_crl_version (CERTCrl *crl)
-{
-    PRBool hasCriticalExten = PR_FALSE;
-    int version = cert_get_crl_version(crl);
-	
-    if (version > SEC_CRL_VERSION_2) {
-	PORT_SetError (SEC_ERROR_CRL_INVALID_VERSION);
-	return (SECFailure);
-    }
-
-    /* Check the crl extensions for a critial extension.  If one is found,
-       and the version is not v2, then we are done.
-     */
-    if (crl->extensions) {
-	hasCriticalExten = cert_HasCriticalExtension (crl->extensions);
-	if (hasCriticalExten) {
-            if (version != SEC_CRL_VERSION_2) {
-                /* only CRL v2 critical extensions are supported */
-                PORT_SetError(SEC_ERROR_CRL_V1_CRITICAL_EXTENSION);
-                return (SECFailure);
-            }
-	    /* make sure that there is no unknown critical extension */
-	    if (cert_HasUnknownCriticalExten (crl->extensions) == PR_TRUE) {
-		PORT_SetError (SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION);
-		return (SECFailure);
-	    }
-	}
-    }
-
-    return (SECSuccess);
-}
-
-/*
- * Generate a database key, based on the issuer name from a
- * DER crl.
- */
-SECStatus
-CERT_KeyFromDERCrl(PRArenaPool *arena, SECItem *derCrl, SECItem *key)
-{
-    SECStatus rv;
-    CERTSignedData sd;
-    CERTCrlKey crlkey;
-
-    PORT_Memset (&sd, 0, sizeof (sd));
-    rv = SEC_ASN1DecodeItem (arena, &sd, CERT_SignedDataTemplate, derCrl);
-    if (rv != SECSuccess) {
-	return rv;
-    }
-
-    PORT_Memset (&crlkey, 0, sizeof (crlkey));
-    rv = SEC_ASN1DecodeItem(arena, &crlkey, cert_CrlKeyTemplate, &sd.data);
-    if (rv != SECSuccess) {
-	return rv;
-    }
-
-    key->len =  crlkey.derName.len;
-    key->data = crlkey.derName.data;
-
-    return(SECSuccess);
-}
-
-#define GetOpaqueCRLFields(x) ((OpaqueCRLFields*)x->opaque)
-
-SECStatus CERT_CompleteCRLDecodeEntries(CERTSignedCrl* crl)
-{
-    SECStatus rv = SECSuccess;
-    SECItem* crldata = NULL;
-    OpaqueCRLFields* extended = NULL;
-
-    if ( (!crl) ||
-         (!(extended = (OpaqueCRLFields*) crl->opaque)) ||
-         (PR_TRUE == extended->decodingError) ) {
-        rv = SECFailure;
-    } else {
-        if (PR_FALSE == extended->partial) {
-            /* the CRL has already been fully decoded */
-            return SECSuccess;
-        }
-        if (PR_TRUE == extended->badEntries) {
-            /* the entries decoding already failed */
-            return SECFailure;
-        }
-        crldata = &crl->signatureWrap.data;
-        if (!crldata) {
-            rv = SECFailure;
-        }
-    }
-
-    if (SECSuccess == rv) {
-        rv = SEC_QuickDERDecodeItem(crl->arena,
-            &crl->crl,
-            CERT_CrlTemplateEntriesOnly,
-            crldata);
-        if (SECSuccess == rv) {
-            extended->partial = PR_FALSE; /* successful decode, avoid
-                decoding again */
-        } else {
-            extended->decodingError = PR_TRUE;
-            extended->badEntries = PR_TRUE;
-            /* cache the decoding failure. If it fails the first time,
-               it will fail again, which will grow the arena and leak
-               memory, so we want to avoid it */
-        }
-        rv = cert_check_crl_entries(&crl->crl);
-        if (rv != SECSuccess) {
-            extended->badExtensions = PR_TRUE;
-        }
-    }
-    return rv;
-}
-
-/*
- * take a DER CRL or KRL  and decode it into a CRL structure
- * allow reusing the input DER without making a copy
- */
-CERTSignedCrl *
-CERT_DecodeDERCrlWithFlags(PRArenaPool *narena, SECItem *derSignedCrl,
-                          int type, PRInt32 options)
-{
-    PRArenaPool *arena;
-    CERTSignedCrl *crl;
-    SECStatus rv;
-    OpaqueCRLFields* extended = NULL;
-    const SEC_ASN1Template* crlTemplate = CERT_SignedCrlTemplate;
-
-    if (!derSignedCrl ||
-        ( (options & CRL_DECODE_ADOPT_HEAP_DER) && /* adopting DER requires
-                                                      not copying it */
-          (!(options & CRL_DECODE_DONT_COPY_DER))
-        )
-       ) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return NULL;
-    }
-
-    /* make a new arena if needed */
-    if (narena == NULL) {
-    	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-	if ( !arena ) {
-	    return NULL;
-	}
-    } else {
-	arena = narena;
-    }
-
-    /* allocate the CRL structure */
-    crl = (CERTSignedCrl *)PORT_ArenaZAlloc(arena, sizeof(CERTSignedCrl));
-    if ( !crl ) {
-        PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    crl->arena = arena;
-
-    /* allocate opaque fields */
-    crl->opaque = (void*)PORT_ArenaZAlloc(arena, sizeof(OpaqueCRLFields));
-    if ( !crl->opaque ) {
-	goto loser;
-    }
-    extended = (OpaqueCRLFields*) crl->opaque;
-    if (options & CRL_DECODE_ADOPT_HEAP_DER) {
-        extended->heapDER = PR_TRUE;
-    }
-    if (options & CRL_DECODE_DONT_COPY_DER) {
-        crl->derCrl = derSignedCrl; /* DER is not copied . The application
-                                       must keep derSignedCrl until it
-                                       destroys the CRL */
-    } else {
-        crl->derCrl = (SECItem *)PORT_ArenaZAlloc(arena,sizeof(SECItem));
-        if (crl->derCrl == NULL) {
-            goto loser;
-        }
-        rv = SECITEM_CopyItem(arena, crl->derCrl, derSignedCrl);
-        if (rv != SECSuccess) {
-            goto loser;
-        }
-    }
-
-    /* Save the arena in the inner crl for CRL extensions support */
-    crl->crl.arena = arena;
-    if (options & CRL_DECODE_SKIP_ENTRIES) {
-        crlTemplate = cert_SignedCrlTemplateNoEntries;
-        extended->partial = PR_TRUE;
-    }
-
-    /* decode the CRL info */
-    switch (type) {
-    case SEC_CRL_TYPE:
-        rv = SEC_QuickDERDecodeItem(arena, crl, crlTemplate, crl->derCrl);
-        if (rv != SECSuccess) {
-            extended->badDER = PR_TRUE;
-            break;
-        }
-        /* check for critical extensions */
-        rv =  cert_check_crl_version (&crl->crl);
-        if (rv != SECSuccess) {
-            extended->badExtensions = PR_TRUE;
-            break;
-        }
-
-        if (PR_TRUE == extended->partial) {
-            /* partial decoding, don't verify entries */
-            break;
-        }
-
-        rv = cert_check_crl_entries(&crl->crl);
-        if (rv != SECSuccess) {
-            extended->badExtensions = PR_TRUE;
-        }
-
-        break;
-
-    case SEC_KRL_TYPE:
-	rv = SEC_QuickDERDecodeItem
-	     (arena, crl, cert_SignedKrlTemplate, derSignedCrl);
-	break;
-    default:
-	rv = SECFailure;
-	break;
-    }
-
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-
-    crl->referenceCount = 1;
-    
-    return(crl);
-    
-loser:
-    if (options & CRL_DECODE_KEEP_BAD_CRL) {
-        extended->decodingError = PR_TRUE;
-        crl->referenceCount = 1;
-        return(crl);
-    }
-
-    if ((narena == NULL) && arena ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    
-    return(0);
-}
-
-/*
- * take a DER CRL or KRL  and decode it into a CRL structure
- */
-CERTSignedCrl *
-CERT_DecodeDERCrl(PRArenaPool *narena, SECItem *derSignedCrl, int type)
-{
-    return CERT_DecodeDERCrlWithFlags(narena, derSignedCrl, type,
-                                      CRL_DECODE_DEFAULT_OPTIONS);
-}
-
-/*
- * Lookup a CRL in the databases. We mirror the same fast caching data base
- *  caching stuff used by certificates....?
- * return values :
- *
- * SECSuccess means we got a valid DER CRL (passed in "decoded"), or no CRL at
- * all
- *
- * SECFailure means we got a fatal error - most likely, we found a CRL,
- * and it failed decoding, or there was an out of memory error. Do NOT ignore
- * it and specifically do NOT treat it the same as having no CRL, as this
- * can compromise security !!! Ideally, you should treat this case as if you
- * received a "catch-all" CRL where all certs you were looking up are
- * considered to be revoked
- */
-static SECStatus
-SEC_FindCrlByKeyOnSlot(PK11SlotInfo *slot, SECItem *crlKey, int type,
-                       CERTSignedCrl** decoded, PRInt32 decodeoptions)
-{
-    SECStatus rv = SECSuccess;
-    CERTSignedCrl *crl = NULL;
-    SECItem *derCrl = NULL;
-    CK_OBJECT_HANDLE crlHandle = 0;
-    char *url = NULL;
-    int nsserror;
-
-    PORT_Assert(decoded);
-    if (!decoded) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    /* XXX it would be really useful to be able to fetch the CRL directly into
-       an arena. This would avoid a copy later on in the decode step */
-    PORT_SetError(0);
-    derCrl = PK11_FindCrlByName(&slot, &crlHandle, crlKey, type, &url);
-    if (derCrl == NULL) {
-	/* if we had a problem other than the CRL just didn't exist, return
-	 * a failure to the upper level */
-	nsserror = PORT_GetError();
-	if ((nsserror != 0) && (nsserror != SEC_ERROR_CRL_NOT_FOUND)) {
-	    rv = SECFailure;
-	}
-	goto loser;
-    }
-    PORT_Assert(crlHandle != CK_INVALID_HANDLE);
-    /* PK11_FindCrlByName obtained a slot reference. */
-    
-    if (!(decodeoptions & CRL_DECODE_DONT_COPY_DER) ) {
-        /* force adoption of the DER from the heap - this will cause it to be
-           automatically freed when SEC_DestroyCrl is invoked */
-        decodeoptions |= CRL_DECODE_ADOPT_HEAP_DER;
-    }
-    crl = CERT_DecodeDERCrlWithFlags(NULL, derCrl, type, decodeoptions);
-    if (crl) {
-        crl->slot = slot;
-        slot = NULL; /* adopt it */
-        crl->pkcs11ID = crlHandle;
-        if (url) {
-            crl->url = PORT_ArenaStrdup(crl->arena,url);
-        }
-    } else {
-        rv = SECFailure;
-    }
-    
-    if (url) {
-	PORT_Free(url);
-    }
-
-    if (slot) {
-	PK11_FreeSlot(slot);
-    }
-
-loser:
-    if (derCrl) {
-        /* destroy the DER if it was copied to the CRL */
-        if (crl && (!(decodeoptions & CRL_DECODE_DONT_COPY_DER)) ) {
-            SECITEM_FreeItem(derCrl, PR_TRUE);
-        }
-    }
-
-    *decoded = crl;
-
-    return rv;
-}
-
-SECStatus SEC_DestroyCrl(CERTSignedCrl *crl);
-
-CERTSignedCrl *
-crl_storeCRL (PK11SlotInfo *slot,char *url,
-                  CERTSignedCrl *newCrl, SECItem *derCrl, int type)
-{
-    CERTSignedCrl *oldCrl = NULL, *crl = NULL;
-    PRBool deleteOldCrl = PR_FALSE;
-    CK_OBJECT_HANDLE crlHandle = CK_INVALID_HANDLE;
-
-    PORT_Assert(newCrl);
-    PORT_Assert(derCrl);
-
-    /* we can't use the cache here because we must look in the same
-       token */
-    SEC_FindCrlByKeyOnSlot(slot, &newCrl->crl.derName, type,
-                                &oldCrl, CRL_DECODE_SKIP_ENTRIES);
-
-    /* if there is an old crl on the token, make sure the one we are
-       installing is newer. If not, exit out, otherwise delete the
-       old crl.
-     */
-    if (oldCrl != NULL) {
-	/* if it's already there, quietly continue */
-	if (SECITEM_CompareItem(newCrl->derCrl, oldCrl->derCrl) 
-						== SECEqual) {
-	    crl = newCrl;
-	    crl->slot = PK11_ReferenceSlot(slot);
-	    crl->pkcs11ID = oldCrl->pkcs11ID;
-	    goto done;
-	}
-        if (!SEC_CrlIsNewer(&newCrl->crl,&oldCrl->crl)) {
-
-            if (type == SEC_CRL_TYPE) {
-                PORT_SetError(SEC_ERROR_OLD_CRL);
-            } else {
-                PORT_SetError(SEC_ERROR_OLD_KRL);
-            }
-
-            goto done;
-        }
-
-        if ((SECITEM_CompareItem(&newCrl->crl.derName,
-                &oldCrl->crl.derName) != SECEqual) &&
-            (type == SEC_KRL_TYPE) ) {
-
-            PORT_SetError(SEC_ERROR_CKL_CONFLICT);
-            goto done;
-        }
-
-        /* if we have a url in the database, use that one */
-        if (oldCrl->url) {
-	    url = oldCrl->url;
-        }
-
-        /* really destroy this crl */
-        /* first drum it out of the permanment Data base */
-	deleteOldCrl = PR_TRUE;
-    }
-
-    /* invalidate CRL cache for this issuer */
-    CERT_CRLCacheRefreshIssuer(NULL, &newCrl->crl.derName);
-    /* Write the new entry into the data base */
-    crlHandle = PK11_PutCrl(slot, derCrl, &newCrl->crl.derName, url, type);
-    if (crlHandle != CK_INVALID_HANDLE) {
-	crl = newCrl;
-	crl->slot = PK11_ReferenceSlot(slot);
-	crl->pkcs11ID = crlHandle;
-	if (url) {
-	    crl->url = PORT_ArenaStrdup(crl->arena,url);
-	}
-    }
-
-done:
-    if (oldCrl) {
-	if (deleteOldCrl && crlHandle != CK_INVALID_HANDLE) {
-	    SEC_DeletePermCRL(oldCrl);
-	}
-	SEC_DestroyCrl(oldCrl);
-    }
-
-    return crl;
-}
-
-/*
- *
- * create a new CRL from DER material.
- *
- * The signature on this CRL must be checked before you
- * load it. ???
- */
-CERTSignedCrl *
-SEC_NewCrl(CERTCertDBHandle *handle, char *url, SECItem *derCrl, int type)
-{
-    CERTSignedCrl* retCrl = NULL;
-    PK11SlotInfo* slot = PK11_GetInternalKeySlot();
-    retCrl = PK11_ImportCRL(slot, derCrl, url, type, NULL,
-        CRL_IMPORT_BYPASS_CHECKS, NULL, CRL_DECODE_DEFAULT_OPTIONS);
-    PK11_FreeSlot(slot);
-
-    return retCrl;
-}
-    
-CERTSignedCrl *
-SEC_FindCrlByDERCert(CERTCertDBHandle *handle, SECItem *derCrl, int type)
-{
-    PRArenaPool *arena;
-    SECItem crlKey;
-    SECStatus rv;
-    CERTSignedCrl *crl = NULL;
-    
-    /* create a scratch arena */
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( arena == NULL ) {
-	return(NULL);
-    }
-    
-    /* extract the database key from the cert */
-    rv = CERT_KeyFromDERCrl(arena, derCrl, &crlKey);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    /* find the crl */
-    crl = SEC_FindCrlByName(handle, &crlKey, type);
-    
-loser:
-    PORT_FreeArena(arena, PR_FALSE);
-    return(crl);
-}
-
-CERTSignedCrl* SEC_DupCrl(CERTSignedCrl* acrl)
-{
-    if (acrl)
-    {
-        PR_AtomicIncrement(&acrl->referenceCount);
-        return acrl;
-    }
-    return NULL;
-}
-
-SECStatus
-SEC_DestroyCrl(CERTSignedCrl *crl)
-{
-    if (crl) {
-	if (PR_AtomicDecrement(&crl->referenceCount) < 1) {
-	    if (crl->slot) {
-		PK11_FreeSlot(crl->slot);
-	    }
-            if (GetOpaqueCRLFields(crl) &&
-                PR_TRUE == GetOpaqueCRLFields(crl)->heapDER) {
-                SECITEM_FreeItem(crl->derCrl, PR_TRUE);
-            }
-            if (crl->arena) {
-                PORT_FreeArena(crl->arena, PR_FALSE);
-            }
-	}
-        return SECSuccess;
-    } else {
-        return SECFailure;
-    }
-}
-
-SECStatus
-SEC_LookupCrls(CERTCertDBHandle *handle, CERTCrlHeadNode **nodes, int type)
-{
-    CERTCrlHeadNode *head;
-    PRArenaPool *arena = NULL;
-    SECStatus rv;
-
-    *nodes = NULL;
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( arena == NULL ) {
-	return SECFailure;
-    }
-
-    /* build a head structure */
-    head = (CERTCrlHeadNode *)PORT_ArenaAlloc(arena, sizeof(CERTCrlHeadNode));
-    head->arena = arena;
-    head->first = NULL;
-    head->last = NULL;
-    head->dbhandle = handle;
-
-    /* Look up the proper crl types */
-    *nodes = head;
-
-    rv = PK11_LookupCrls(head, type, NULL);
-    
-    if (rv != SECSuccess) {
-	if ( arena ) {
-	    PORT_FreeArena(arena, PR_FALSE);
-	    *nodes = NULL;
-	}
-    }
-
-    return rv;
-}
-
-/* These functions simply return the address of the above-declared templates.
-** This is necessary for Windows DLLs.  Sigh.
-*/
-SEC_ASN1_CHOOSER_IMPLEMENT(CERT_IssuerAndSNTemplate)
-SEC_ASN1_CHOOSER_IMPLEMENT(CERT_CrlTemplate)
-SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SignedCrlTemplate)
-SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SetOfSignedCrlTemplate)
-
-/* CRL cache code starts here */
-
-/* constructor */
-static SECStatus CachedCrl_Create(CachedCrl** returned, CERTSignedCrl* crl,
-                           CRLOrigin origin);
-/* destructor */
-static SECStatus CachedCrl_Destroy(CachedCrl* crl);
-
-/* create hash table of CRL entries */
-static SECStatus CachedCrl_Populate(CachedCrl* crlobject);
-
-/* empty the cache content */
-static SECStatus CachedCrl_Depopulate(CachedCrl* crl);
-
-/* are these CRLs the same, as far as the cache is concerned ?
-   Or are they the same token object, but with different DER ? */
-
-static SECStatus CachedCrl_Compare(CachedCrl* a, CachedCrl* b, PRBool* isDupe,
-                                PRBool* isUpdated);
-
-/* create a DPCache object */
-static SECStatus DPCache_Create(CRLDPCache** returned, CERTCertificate* issuer,
-                         SECItem* subject, SECItem* dp);
-
-/* destructor for CRL DPCache object */
-static SECStatus DPCache_Destroy(CRLDPCache* cache);
-
-/* add a new CRL object to the dynamic array of CRLs of the DPCache, and
-   returns the cached CRL object . Needs write access to DPCache. */
-static SECStatus DPCache_AddCRL(CRLDPCache* cache, CachedCrl* crl, PRBool* added);
-
-/* fetch the CRL for this DP from the PKCS#11 tokens */
-static SECStatus DPCache_FetchFromTokens(CRLDPCache* cache, PRTime vfdate, void* wincx);
-
-/* check if a particular SN is in the CRL cache and return its entry */
-static SECStatus DPCache_Lookup(CRLDPCache* cache, SECItem* sn, CERTCrlEntry** returned);
-
-/* update the content of the CRL cache, including fetching of CRLs, and
-   reprocessing with specified issuer and date */
-static SECStatus DPCache_GetUpToDate(CRLDPCache* cache, CERTCertificate* issuer,
-                         PRBool readlocked, PRTime vfdate, void* wincx);
-
-/* returns true if there are CRLs from PKCS#11 slots */
-static PRBool DPCache_HasTokenCRLs(CRLDPCache* cache);
-
-/* remove CRL at offset specified */
-static SECStatus DPCache_RemoveCRL(CRLDPCache* cache, PRUint32 offset);
-
-/* Pick best CRL to use . needs write access */
-static SECStatus DPCache_SelectCRL(CRLDPCache* cache);
-
-/* create an issuer cache object (per CA subject ) */
-static SECStatus IssuerCache_Create(CRLIssuerCache** returned,
-                             CERTCertificate* issuer,
-                             SECItem* subject, SECItem* dp);
-
-/* destructor for CRL IssuerCache object */
-SECStatus IssuerCache_Destroy(CRLIssuerCache* cache);
-
-/* add a DPCache to the issuer cache */
-static SECStatus IssuerCache_AddDP(CRLIssuerCache* cache, CERTCertificate* issuer,
-                            SECItem* subject, SECItem* dp, CRLDPCache** newdpc);
-
-/* get a particular DPCache object from an IssuerCache */
-static CRLDPCache* IssuerCache_GetDPCache(CRLIssuerCache* cache, SECItem* dp);
-
-/*
-** Pre-allocator hash allocator ops.
-*/
-
-/* allocate memory for hash table */
-static void * PR_CALLBACK
-PreAllocTable(void *pool, PRSize size)
-{
-    PreAllocator* alloc = (PreAllocator*)pool;
-    PORT_Assert(alloc);
-    if (!alloc)
-    {
-        /* no allocator, or buffer full */
-        return NULL;
-    }
-    if (size > (alloc->len - alloc->used))
-    {
-        /* initial buffer full, let's use the arena */
-        alloc->extra += size;
-        return PORT_ArenaAlloc(alloc->arena, size);
-    }
-    /* use the initial buffer */
-    alloc->used += size;
-    return (char*) alloc->data + alloc->used - size;
-}
-
-/* free hash table memory.
-   Individual PreAllocator elements cannot be freed, so this is a no-op. */
-static void PR_CALLBACK
-PreFreeTable(void *pool, void *item)
-{
-}
-
-/* allocate memory for hash table */
-static PLHashEntry * PR_CALLBACK
-PreAllocEntry(void *pool, const void *key)
-{
-    return PreAllocTable(pool, sizeof(PLHashEntry));
-}
-
-/* free hash table entry.
-   Individual PreAllocator elements cannot be freed, so this is a no-op. */
-static void PR_CALLBACK
-PreFreeEntry(void *pool, PLHashEntry *he, PRUintn flag)
-{
-}
-
-/* methods required for PL hash table functions */
-static PLHashAllocOps preAllocOps =
-{
-    PreAllocTable, PreFreeTable,
-    PreAllocEntry, PreFreeEntry
-};
-
-/* destructor for PreAllocator object */
-void PreAllocator_Destroy(PreAllocator* PreAllocator)
-{
-    if (!PreAllocator)
-    {
-        return;
-    }
-    if (PreAllocator->arena)
-    {
-        PORT_FreeArena(PreAllocator->arena, PR_TRUE);
-    }
-    if (PreAllocator->data)
-    {
-        PORT_Free(PreAllocator->data);
-    }
-    PORT_Free(PreAllocator);
-}
-
-/* constructor for PreAllocator object */
-PreAllocator* PreAllocator_Create(PRSize size)
-{
-    PreAllocator prebuffer;
-    PreAllocator* prepointer = NULL;
-    memset(&prebuffer, 0, sizeof(PreAllocator));
-    prebuffer.len = size;
-    prebuffer.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    PORT_Assert(prebuffer.arena);
-    if (!prebuffer.arena)
-    {
-        PreAllocator_Destroy(&prebuffer);
-        return NULL;
-    }
-    if (prebuffer.len)
-    {
-        prebuffer.data = PORT_Alloc(prebuffer.len);
-        if (!prebuffer.data)
-        {
-            PreAllocator_Destroy(&prebuffer);
-            return NULL;
-        }
-    }
-    else
-    {
-        prebuffer.data = NULL;
-    }
-    prepointer = (PreAllocator*)PORT_Alloc(sizeof(PreAllocator));
-    if (!prepointer)
-    {
-        PreAllocator_Destroy(&prebuffer);
-        return NULL;
-    }
-    *prepointer = prebuffer;
-    return prepointer;
-}
-
-/* global CRL cache object */
-static CRLCache crlcache = { NULL, NULL };
-
-/* initial state is off */
-static PRBool crlcache_initialized = PR_FALSE;
-
-PRTime CRLCache_Empty_TokenFetch_Interval = 60 * 1000000; /* how often
-    to query the tokens for CRL objects, in order to discover new objects, if
-    the cache does not contain any token CRLs . In microseconds */
-
-PRTime CRLCache_TokenRefetch_Interval = 600 * 1000000 ; /* how often
-    to query the tokens for CRL objects, in order to discover new objects, if
-    the cache already contains token CRLs In microseconds */
-
-PRTime CRLCache_ExistenceCheck_Interval = 60 * 1000000; /* how often to check
-    if a token CRL object still exists. In microseconds */
-
-/* this function is called at NSS initialization time */
-SECStatus InitCRLCache(void)
-{
-    if (PR_FALSE == crlcache_initialized)
-    {
-        PORT_Assert(NULL == crlcache.lock);
-        PORT_Assert(NULL == crlcache.issuers);
-        if (crlcache.lock || crlcache.issuers)
-        {
-            /* CRL cache already partially initialized */
-            PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-            return SECFailure;
-        }
-#ifdef GLOBAL_RWLOCK
-        crlcache.lock = NSSRWLock_New(NSS_RWLOCK_RANK_NONE, NULL);
-#else
-        crlcache.lock = PR_NewLock();
-#endif
-        if (!crlcache.lock)
-        {
-            return SECFailure;
-        }
-        crlcache.issuers = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare,
-                                  PL_CompareValues, NULL, NULL);
-        if (!crlcache.issuers)
-        {
-#ifdef GLOBAL_RWLOCK
-            NSSRWLock_Destroy(crlcache.lock);
-#else
-            PR_DestroyLock(crlcache.lock);
-#endif
-            crlcache.lock = NULL;
-            return SECFailure;
-        }
-        crlcache_initialized = PR_TRUE;
-        return SECSuccess;
-    }
-    else
-    {
-        PORT_Assert(crlcache.lock);
-        PORT_Assert(crlcache.issuers);
-        if ( (NULL == crlcache.lock) || (NULL == crlcache.issuers) )
-        {
-            /* CRL cache not fully initialized */
-            return SECFailure;
-        }
-        else
-        {
-            /* CRL cache already initialized */
-            return SECSuccess;
-        }
-    }
-}
-
-/* destructor for CRL DPCache object */
-static SECStatus DPCache_Destroy(CRLDPCache* cache)
-{
-    PRUint32 i = 0;
-    PORT_Assert(cache);
-    if (!cache)
-    {
-        PORT_Assert(0);
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-        return SECFailure;
-    }
-    if (cache->lock)
-    {
-#ifdef DPC_RWLOCK
-        NSSRWLock_Destroy(cache->lock);
-#else
-        PR_DestroyLock(cache->lock);
-#endif
-    }
-    else
-    {
-        PORT_Assert(0);
-        return SECFailure;
-    }
-    /* destroy all our CRL objects */
-    for (i=0;i<cache->ncrls;i++)
-    {
-        if (!cache->crls || !cache->crls[i] ||
-            SECSuccess != CachedCrl_Destroy(cache->crls[i]))
-        {
-            return SECFailure;
-        }
-    }
-    /* free the array of CRLs */
-    if (cache->crls)
-    {
-	PORT_Free(cache->crls);
-    }
-    /* destroy the cert */
-    if (cache->issuer)
-    {
-        CERT_DestroyCertificate(cache->issuer);
-    }
-    /* free the subject */
-    if (cache->subject)
-    {
-        SECITEM_FreeItem(cache->subject, PR_TRUE);
-    }
-    /* free the distribution points */
-    if (cache->distributionPoint)
-    {
-        SECITEM_FreeItem(cache->distributionPoint, PR_TRUE);
-    }
-    PORT_Free(cache);
-    return SECSuccess;
-}
-
-/* destructor for CRL IssuerCache object */
-SECStatus IssuerCache_Destroy(CRLIssuerCache* cache)
-{
-    PORT_Assert(cache);
-    if (!cache)
-    {
-        PORT_Assert(0);
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-        return SECFailure;
-    }
-#ifdef XCRL
-    if (cache->lock)
-    {
-        NSSRWLock_Destroy(cache->lock);
-    }
-    else
-    {
-        PORT_Assert(0);
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-        return SECFailure;
-    }
-    if (cache->issuer)
-    {
-        CERT_DestroyCertificate(cache->issuer);
-    }
-#endif
-    /* free the subject */
-    if (cache->subject)
-    {
-        SECITEM_FreeItem(cache->subject, PR_TRUE);
-    }
-    if (SECSuccess != DPCache_Destroy(cache->dpp))
-    {
-        PORT_Assert(0);
-        return SECFailure;
-    }
-    PORT_Free(cache);
-    return SECSuccess;
-}
-
-/* callback function used in hash table destructor */
-static PRIntn PR_CALLBACK FreeIssuer(PLHashEntry *he, PRIntn i, void *arg)
-{
-    CRLIssuerCache* issuer = NULL;
-    SECStatus* rv = (SECStatus*) arg;
-
-    PORT_Assert(he);
-    if (!he)
-    {
-        return HT_ENUMERATE_NEXT;
-    }
-    issuer = (CRLIssuerCache*) he->value;
-    PORT_Assert(issuer);
-    if (issuer)
-    {
-        if (SECSuccess != IssuerCache_Destroy(issuer))
-        {
-            PORT_Assert(rv);
-            if (rv)
-            {
-                *rv = SECFailure;
-            }
-            return HT_ENUMERATE_NEXT;
-        }
-    }
-    return HT_ENUMERATE_NEXT;
-}
-
-/* needs to be called at NSS shutdown time
-   This will destroy the global CRL cache, including 
-   - the hash table of issuer cache objects
-   - the issuer cache objects
-   - DPCache objects in issuer cache objects */
-SECStatus ShutdownCRLCache(void)
-{
-    SECStatus rv = SECSuccess;
-    if (PR_FALSE == crlcache_initialized &&
-        !crlcache.lock && !crlcache.issuers)
-    {
-        /* CRL cache has already been shut down */
-        return SECSuccess;
-    }
-    if (PR_TRUE == crlcache_initialized &&
-        (!crlcache.lock || !crlcache.issuers))
-    {
-        /* CRL cache has partially been shut down */
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-        return SECFailure;
-    }
-    /* empty the cache */
-    /* free the issuers */
-    PL_HashTableEnumerateEntries(crlcache.issuers, &FreeIssuer, &rv);
-    /* free the hash table of issuers */
-    PL_HashTableDestroy(crlcache.issuers);
-    crlcache.issuers = NULL;
-    /* free the global lock */
-#ifdef GLOBAL_RWLOCK
-    NSSRWLock_Destroy(crlcache.lock);
-#else
-    PR_DestroyLock(crlcache.lock);
-#endif
-    crlcache.lock = NULL;
-    crlcache_initialized = PR_FALSE;
-    return rv;
-}
-
-/* add a new CRL object to the dynamic array of CRLs of the DPCache, and
-   returns the cached CRL object . Needs write access to DPCache. */
-static SECStatus DPCache_AddCRL(CRLDPCache* cache, CachedCrl* newcrl,
-                                PRBool* added)
-{
-    CachedCrl** newcrls = NULL;
-    PRUint32 i = 0;
-    PORT_Assert(cache);
-    PORT_Assert(newcrl);
-    PORT_Assert(added);
-    if (!cache || !newcrl || !added)
-    {
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-        return SECFailure;
-    }
-
-    *added = PR_FALSE;
-    /* before adding a new CRL, check if it is a duplicate */
-    for (i=0;i<cache->ncrls;i++)
-    {
-        CachedCrl* existing = NULL;
-        SECStatus rv = SECSuccess;
-        PRBool dupe = PR_FALSE, updated = PR_FALSE;
-        if (!cache->crls)
-        {
-            PORT_Assert(0);
-            return SECFailure;
-        }
-        existing = cache->crls[i];
-        if (!existing)
-        {
-            PORT_Assert(0);
-            return SECFailure;
-        }
-        rv = CachedCrl_Compare(existing, newcrl, &dupe, &updated);
-        if (SECSuccess != rv)
-        {
-            PORT_Assert(0);
-            PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-            return SECFailure;
-        }
-        if (PR_TRUE == dupe)
-        {
-            /* dupe */
-            PORT_SetError(SEC_ERROR_CRL_ALREADY_EXISTS);
-            return SECSuccess;
-        }
-        if (PR_TRUE == updated)
-        {
-            /* this token CRL is in the same slot and has the same object ID,
-               but different content. We need to remove the old object */
-            if (SECSuccess != DPCache_RemoveCRL(cache, i))
-            {
-                PORT_Assert(0);
-                PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-                return PR_FALSE;
-            }
-        }
-    }
-
-    newcrls = (CachedCrl**)PORT_Realloc(cache->crls,
-        (cache->ncrls+1)*sizeof(CachedCrl*));
-    if (!newcrls)
-    {
-        return SECFailure;
-    }
-    cache->crls = newcrls;
-    cache->ncrls++;
-    cache->crls[cache->ncrls-1] = newcrl;
-    *added = PR_TRUE;
-    return SECSuccess;
-}
-
-/* remove CRL at offset specified */
-static SECStatus DPCache_RemoveCRL(CRLDPCache* cache, PRUint32 offset)
-{
-    CachedCrl* acrl = NULL;
-    PORT_Assert(cache);
-    if (!cache || (!cache->crls) || (!(offset<cache->ncrls)) )
-    {
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-        return SECFailure;
-    }
-    acrl = cache->crls[offset];
-    PORT_Assert(acrl);
-    if (!acrl)
-    {
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-        return SECFailure;
-    }
-    cache->crls[offset] = cache->crls[cache->ncrls-1];
-    cache->crls[cache->ncrls-1] = NULL;
-    cache->ncrls--;
-    if (cache->selected == acrl) {
-        cache->selected = NULL;
-    }
-    if (SECSuccess != CachedCrl_Destroy(acrl))
-    {
-        PORT_Assert(0);
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-        return SECFailure;
-    }
-    return SECSuccess;
-}
-
-/* check whether a CRL object stored in a PKCS#11 token still exists in
-   that token . This has to be efficient (the entire CRL value cannot be
-   transferred accross the token boundaries), so this is accomplished by
-   simply fetching the subject attribute and making sure it hasn't changed .
-   Note that technically, the CRL object could have been replaced with a new
-   PKCS#11 object of the same ID and subject (which actually happens in
-   softoken), but this function has no way of knowing that the object
-   value changed, since CKA_VALUE isn't checked. */
-static PRBool TokenCRLStillExists(CERTSignedCrl* crl)
-{
-    NSSItem newsubject;
-    SECItem subject;
-    CK_ULONG crl_class;
-    PRStatus status;
-    PK11SlotInfo* slot = NULL;
-    nssCryptokiObject instance;
-    NSSArena* arena;
-    PRBool xstatus = PR_TRUE;
-    SECItem* oldSubject = NULL;
-
-    PORT_Assert(crl);
-    if (!crl)
-    {
-        return PR_FALSE;
-    }
-    slot = crl->slot;
-    PORT_Assert(crl->slot);
-    if (!slot)
-    {
-        return PR_FALSE;
-    }
-    oldSubject = &crl->crl.derName;
-    PORT_Assert(oldSubject);
-    if (!oldSubject)
-    {
-        return PR_FALSE;
-    }
-
-    /* query subject and type attributes in order to determine if the
-       object has been deleted */
-
-    /* first, make an nssCryptokiObject */
-    instance.handle = crl->pkcs11ID;
-    PORT_Assert(instance.handle);
-    if (!instance.handle)
-    {
-        return PR_FALSE;
-    }
-    instance.token = PK11Slot_GetNSSToken(slot);
-    PORT_Assert(instance.token);
-    if (!instance.token)
-    {
-        return PR_FALSE;
-    }
-    instance.isTokenObject = PR_TRUE;
-    instance.label = NULL;
-
-    arena = NSSArena_Create();
-    PORT_Assert(arena);
-    if (!arena)
-    {
-        return PR_FALSE;
-    }
-
-    status = nssCryptokiCRL_GetAttributes(&instance,
-                                          NULL,  /* XXX sessionOpt */
-                                          arena,
-                                          NULL,
-                                          &newsubject,  /* subject */
-                                          &crl_class,   /* class */
-                                          NULL,
-                                          NULL);
-    if (PR_SUCCESS == status)
-    {
-        subject.data = newsubject.data;
-        subject.len = newsubject.size;
-        if (SECITEM_CompareItem(oldSubject, &subject) != SECEqual)
-        {
-            xstatus = PR_FALSE;
-        }
-        if (CKO_NETSCAPE_CRL != crl_class)
-        {
-            xstatus = PR_FALSE;
-        }
-    }
-    else
-    {
-        xstatus = PR_FALSE;
-    }
-    NSSArena_Destroy(arena);
-    return xstatus;
-}
-
-/* verify the signature of a CRL against its issuer at a given date */
-static SECStatus CERT_VerifyCRL(
-    CERTSignedCrl* crlobject,
-    CERTCertificate* issuer,
-    PRTime vfdate,
-    void* wincx)
-{
-    return CERT_VerifySignedData(&crlobject->signatureWrap,
-                                 issuer, vfdate, wincx);
-}
-
-/* verify a CRL and update cache state */
-static SECStatus CachedCrl_Verify(CRLDPCache* cache, CachedCrl* crlobject,
-                          PRTime vfdate, void* wincx)
-{
-    /*  Check if it is an invalid CRL
-        if we got a bad CRL, we want to cache it in order to avoid
-        subsequent fetches of this same identical bad CRL. We set
-        the cache to the invalid state to ensure that all certs
-        on this DP are considered revoked from now on. The cache
-        object will remain in this state until the bad CRL object
-        is removed from the token it was fetched from. If the cause
-        of the failure is that we didn't have the issuer cert to
-        verify the signature, this state can be cleared when
-        the issuer certificate becomes available if that causes the
-        signature to verify */
-
-    if (!cache || !crlobject)
-    {
-        PORT_Assert(0);
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-        return SECFailure;
-    }
-    if (PR_TRUE == GetOpaqueCRLFields(crlobject->crl)->decodingError)
-    {
-        crlobject->sigChecked = PR_TRUE; /* we can never verify a CRL
-            with bogus DER. Mark it checked so we won't try again */
-        PORT_SetError(SEC_ERROR_BAD_DER);
-        return SECSuccess;
-    }
-    else
-    {
-        SECStatus signstatus = SECFailure;
-        if (cache->issuer)
-        {
-            signstatus = CERT_VerifyCRL(crlobject->crl, cache->issuer, vfdate,
-                                        wincx);
-        }
-        if (SECSuccess != signstatus)
-        {
-            if (!cache->issuer)
-            {
-                /* we tried to verify without an issuer cert . This is
-                   because this CRL came through a call to SEC_FindCrlByName.
-                   So, we don't cache this verification failure. We'll try
-                   to verify the CRL again when a certificate from that issuer
-                   becomes available */
-            } else
-            {
-                crlobject->sigChecked = PR_TRUE;
-            }
-            PORT_SetError(SEC_ERROR_CRL_BAD_SIGNATURE);
-            return SECSuccess;
-        } else
-        {
-            crlobject->sigChecked = PR_TRUE;
-            crlobject->sigValid = PR_TRUE;
-        }
-    }
-    
-    return SECSuccess;
-}
-
-/* fetch the CRLs for this DP from the PKCS#11 tokens */
-static SECStatus DPCache_FetchFromTokens(CRLDPCache* cache, PRTime vfdate,
-                                         void* wincx)
-{
-    SECStatus rv = SECSuccess;
-    CERTCrlHeadNode head;
-    if (!cache)
-    {
-        PORT_Assert(0);
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-        return SECFailure;
-    }
-    /* first, initialize list */
-    memset(&head, 0, sizeof(head));
-    head.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    rv = pk11_RetrieveCrls(&head, cache->subject, wincx);
-
-    /* if this function fails, something very wrong happened, such as an out
-       of memory error during CRL decoding. We don't want to proceed and must
-       mark the cache object invalid */
-    if (SECFailure == rv)
-    {
-        /* fetch failed, add error bit */
-        cache->invalid |= CRL_CACHE_LAST_FETCH_FAILED;
-    } else
-    {
-        /* fetch was successful, clear this error bit */
-        cache->invalid &= (~CRL_CACHE_LAST_FETCH_FAILED);
-    }
-
-    /* add any CRLs found to our array */
-    if (SECSuccess == rv)
-    {
-        CERTCrlNode* crlNode = NULL;
-
-        for (crlNode = head.first; crlNode ; crlNode = crlNode->next)
-        {
-            CachedCrl* returned = NULL;
-            CERTSignedCrl* crlobject = crlNode->crl;
-            if (!crlobject)
-            {
-                PORT_Assert(0);
-                continue;
-            }
-            rv = CachedCrl_Create(&returned, crlobject, CRL_OriginToken);
-            if (SECSuccess == rv)
-            {
-                PRBool added = PR_FALSE;
-                rv = DPCache_AddCRL(cache, returned, &added);
-                if (PR_TRUE != added)
-                {
-                    rv = CachedCrl_Destroy(returned);
-                    returned = NULL;
-                }
-                else
-                {
-                    rv = CachedCrl_Verify(cache, returned, vfdate, wincx);
-                }
-            }
-            else
-            {
-                /* not enough memory to add the CRL to the cache. mark it
-                   invalid so we will try again . */
-                cache->invalid |= CRL_CACHE_LAST_FETCH_FAILED;
-            }
-            if (SECFailure == rv)
-            {
-                break;
-            }
-        }
-    }
-
-    if (head.arena)
-    {
-        CERTCrlNode* crlNode = NULL;
-        /* clean up the CRL list in case we got a partial one
-           during a failed fetch */
-        for (crlNode = head.first; crlNode ; crlNode = crlNode->next)
-        {
-            if (crlNode->crl)
-            {
-                SEC_DestroyCrl(crlNode->crl); /* free the CRL. Either it got
-                   added to the cache and the refcount got bumped, or not, and
-                   thus we need to free its RAM */
-            }
-        }
-        PORT_FreeArena(head.arena, PR_FALSE); /* destroy CRL list */
-    }
-
-    return rv;
-}
-
-/* check if a particular SN is in the CRL cache and return its entry */
-static SECStatus DPCache_Lookup(CRLDPCache* cache, SECItem* sn,
-                                CERTCrlEntry** returned)
-{
-    CERTCrlEntry* acrlEntry = NULL;
-    if (!cache || !sn || !returned)
-    {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        /* no cache or SN to look up, or no way to return entry */
-        return SECFailure;
-    }
-    if (0 != cache->invalid)
-    {
-        /* the cache contains a bad CRL, or there was a CRL fetching error.
-           consider all certs revoked as a security measure */
-        PORT_SetError(SEC_ERROR_CRL_INVALID);
-        return SECFailure;
-    }
-    if (!cache->selected)
-    {
-        /* no CRL means no entry to return, but this is OK */
-        *returned = NULL;
-        return SECSuccess;
-    }
-    PORT_Assert(cache->selected->entries);
-    if (!cache->selected->entries)
-    {
-        return SECFailure;
-    }
-    /* XXX should probably use CachedCrl accessor function here */
-    acrlEntry = PL_HashTableLookup(cache->selected->entries, (void*)sn);
-    if (acrlEntry)
-    {
-        *returned = acrlEntry;
-    }
-    return SECSuccess;
-}
-
-#if defined(DPC_RWLOCK)
-
-#define DPCache_LockWrite() \
-{ \
-    if (readlocked) \
-    { \
-        NSSRWLock_UnlockRead(cache->lock); \
-    } \
-    NSSRWLock_LockWrite(cache->lock); \
-}
-
-#define DPCache_UnlockWrite() \
-{ \
-    if (readlocked) \
-    { \
-        NSSRWLock_LockRead(cache->lock); \
-    } \
-    NSSRWLock_UnlockWrite(cache->lock); \
-}
-
-#else
-
-/* with a global lock, we are always locked for read before we need write
-   access, so do nothing */
-
-#define DPCache_LockWrite() \
-{ \
-}
-
-#define DPCache_UnlockWrite() \
-{ \
-}
-
-#endif
-
-/* update the content of the CRL cache, including fetching of CRLs, and
-   reprocessing with specified issuer and date . We are always holding
-   either the read or write lock on DPCache upon entry. */
-static SECStatus DPCache_GetUpToDate(CRLDPCache* cache, CERTCertificate*
-                                     issuer, PRBool readlocked, PRTime vfdate,
-                                     void* wincx)
-{
-    /* Update the CRLDPCache now. We don't cache token CRL lookup misses
-       yet, as we have no way of getting notified of new PKCS#11 object
-       creation that happens in a token  */
-    SECStatus rv = SECSuccess;
-    PRUint32 i = 0;
-    PRBool forcedrefresh = PR_FALSE;
-    PRBool dirty = PR_FALSE; /* whether something was changed in the
-                                cache state during this update cycle */
-    PRBool hastokenCRLs = PR_FALSE;
-    PRTime now = 0;
-    PRTime lastfetch = 0;
-
-    if (!cache)
-    {
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-        return SECFailure;
-    }
-
-    /* first, make sure we have obtained all the CRLs we need.
-       We do an expensive token fetch in the following cases :
-       1) cache is empty because no fetch was ever performed yet
-       2) cache is explicitly set to refresh state
-       3) cache is in invalid state because last fetch failed
-       4) cache contains no token CRLs, and it's been more than one minute
-          since the last fetch
-       5) cache contains token CRLs, and it's been more than 10 minutes since
-          the last fetch
-    */
-    forcedrefresh = cache->refresh;
-    lastfetch = cache->lastfetch;
-    if (PR_TRUE != forcedrefresh && 
-        (!(cache->invalid & CRL_CACHE_LAST_FETCH_FAILED)))
-    {
-        now = PR_Now();
-        hastokenCRLs = DPCache_HasTokenCRLs(cache);
-    }
-    if ( (0 == lastfetch) ||
-
-         (PR_TRUE == forcedrefresh) ||
-
-         (cache->invalid & CRL_CACHE_LAST_FETCH_FAILED) ||
-
-         ( (PR_FALSE == hastokenCRLs) &&
-           ( (now - cache->lastfetch > CRLCache_Empty_TokenFetch_Interval) ||
-             (now < cache->lastfetch)) ) ||
-
-         ( (PR_TRUE == hastokenCRLs) &&
-           ((now - cache->lastfetch > CRLCache_TokenRefetch_Interval) ||
-            (now < cache->lastfetch)) ) )
-    {
-        /* the cache needs to be refreshed, and/or we had zero CRL for this
-           DP. Try to get one from PKCS#11 tokens */
-        DPCache_LockWrite();
-        /* check if another thread updated before us, and skip update if so */
-        if (lastfetch == cache->lastfetch)
-        {
-            /* we are the first */
-            rv = DPCache_FetchFromTokens(cache, vfdate, wincx);
-            if (PR_TRUE == cache->refresh)
-            {
-                cache->refresh = PR_FALSE; /* clear refresh state */
-            }
-            dirty = PR_TRUE;
-            cache->lastfetch = PR_Now();
-        }
-        DPCache_UnlockWrite();
-    }
-
-    /* now, make sure we have no extraneous CRLs (deleted token objects)
-       we'll do this inexpensive existence check either
-       1) if there was a token object fetch
-       2) every minute */
-    if (( PR_TRUE != dirty) && (!now) )
-    {
-        now = PR_Now();
-    }
-    if ( (PR_TRUE == dirty) ||
-         ( (now - cache->lastcheck > CRLCache_ExistenceCheck_Interval) ||
-           (now < cache->lastcheck)) )
-    {
-        PRBool mustunlock = PR_FALSE;
-        PRTime lastcheck = cache->lastcheck;
-        /* check if all CRLs still exist */
-        for (i = 0; (i < cache->ncrls) ; i++)
-        {
-            CachedCrl* savcrl = cache->crls[i];
-            if ( (!savcrl) || (savcrl && CRL_OriginToken != savcrl->origin))
-            {
-                /* we only want to check token CRLs */
-                continue;
-            }
-            if ((PR_TRUE != TokenCRLStillExists(savcrl->crl)))
-            {
-                
-                /* this CRL is gone */
-                if (PR_TRUE != mustunlock)
-                {
-                    DPCache_LockWrite();
-                    mustunlock = PR_TRUE;
-                }
-                /* first, we need to check if another thread did an update
-                   before we did */
-                if (lastcheck == cache->lastcheck)
-                {
-                    /* the CRL is gone. And we are the one to do the update */
-                    DPCache_RemoveCRL(cache, i);
-                    dirty = PR_TRUE;
-                }
-                /* stay locked here intentionally so we do all the other
-                   updates in this thread for the remaining CRLs */
-            }
-        }
-        if (PR_TRUE == mustunlock)
-        {
-            cache->lastcheck = PR_Now();
-            DPCache_UnlockWrite();
-            mustunlock = PR_FALSE;
-        }
-    }
-
-    /* add issuer certificate if it was previously unavailable */
-    if (issuer && (NULL == cache->issuer) &&
-        (SECSuccess == CERT_CheckCertUsage(issuer, KU_CRL_SIGN)))
-    {
-        /* if we didn't have a valid issuer cert yet, but we do now. add it */
-        DPCache_LockWrite();
-        if (!cache->issuer)
-        {
-            dirty = PR_TRUE;
-            cache->issuer = CERT_DupCertificate(issuer);    
-        }
-        DPCache_UnlockWrite();
-    }
-
-    /* verify CRLs that couldn't be checked when inserted into the cache
-       because the issuer cert or a verification date was unavailable.
-       These are CRLs that were inserted into the cache through
-       SEC_FindCrlByName, or through manual insertion, rather than through a
-       certificate verification (CERT_CheckCRL) */
-
-    if (cache->issuer && vfdate )
-    {
-        PRBool mustunlock = PR_FALSE;
-        /* re-process all unverified CRLs */
-        for (i = 0; i < cache->ncrls ; i++)
-        {
-            CachedCrl* savcrl = cache->crls[i];
-            if (!savcrl)
-            {
-                continue;
-            }
-            if (PR_TRUE != savcrl->sigChecked)
-            {
-                if (PR_TRUE != mustunlock)
-                {
-                    DPCache_LockWrite();
-                    mustunlock = PR_TRUE;
-                }
-                /* first, we need to check if another thread updated
-                   it before we did, and abort if it has been modified since
-                   we acquired the lock. Make sure first that the CRL is still
-                   in the array at the same position */
-                if ( (i<cache->ncrls) && (savcrl == cache->crls[i]) &&
-                     (PR_TRUE != savcrl->sigChecked) )
-                {
-                    /* the CRL is still there, unverified. Do it */
-                    CachedCrl_Verify(cache, savcrl, vfdate, wincx);
-                    dirty = PR_TRUE;
-                }
-                /* stay locked here intentionally so we do all the other
-                   updates in this thread for the remaining CRLs */
-            }
-            if (PR_TRUE == mustunlock)
-            {
-                DPCache_UnlockWrite();
-                mustunlock = PR_FALSE;
-            }
-        }
-    }
-
-    if (dirty || cache->mustchoose)
-    {
-        /* changes to the content of the CRL cache necessitate examining all
-           CRLs for selection of the most appropriate one to cache */
-        DPCache_LockWrite();
-        DPCache_SelectCRL(cache);
-        cache->mustchoose = PR_FALSE;
-        DPCache_UnlockWrite();
-    }
-
-    return rv;
-}
-
-/* callback for qsort to sort by thisUpdate */
-static int SortCRLsByThisUpdate(const void* arg1, const void* arg2)
-{
-    PRTime timea, timeb;
-    SECStatus rv = SECSuccess;
-    CachedCrl* a, *b;
-
-    a = *(CachedCrl**) arg1;
-    b = *(CachedCrl**) arg2;
-
-    if (!a || !b)
-    {
-        PORT_Assert(0);
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-        rv = SECFailure;
-    }
-
-    if (SECSuccess == rv)
-    {
-        rv = DER_DecodeTimeChoice(&timea, &a->crl->crl.lastUpdate);
-    }                       
-    if (SECSuccess == rv)
-    {
-        rv = DER_DecodeTimeChoice(&timeb, &b->crl->crl.lastUpdate);
-    }
-    if (SECSuccess == rv)
-    {
-        if (timea > timeb)
-        {
-            return 1; /* a is better than b */
-        }
-        if (timea < timeb )
-        {
-            return -1; /* a is not as good as b */
-        }
-    }
-
-    /* if they are equal, or if all else fails, use pointer differences */
-    PORT_Assert(a != b); /* they should never be equal */
-    return a>b?1:-1;
-}
-
-/* callback for qsort to sort a set of disparate CRLs, some of which are
-   invalid DER or failed signature check.
-   
-   Validated CRLs are differentiated by thisUpdate .
-   Validated CRLs are preferred over non-validated CRLs .
-   Proper DER CRLs are preferred over non-DER data .
-*/
-static int SortImperfectCRLs(const void* arg1, const void* arg2)
-{
-    CachedCrl* a, *b;
-
-    a = *(CachedCrl**) arg1;
-    b = *(CachedCrl**) arg2;
-
-    if (!a || !b)
-    {
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-        PORT_Assert(0);
-    }
-    else
-    {
-        PRBool aDecoded = PR_FALSE, bDecoded = PR_FALSE;
-        if ( (PR_TRUE == a->sigValid) && (PR_TRUE == b->sigValid) )
-        {
-            /* both CRLs have been validated, choose the latest one */
-            return SortCRLsByThisUpdate(arg1, arg2);
-        }
-        if (PR_TRUE == a->sigValid)
-        {
-            return 1; /* a is greater than b */
-        }
-        if (PR_TRUE == b->sigValid)
-        {
-            return -1; /* a is not as good as b */
-        }
-        aDecoded = GetOpaqueCRLFields(a->crl)->decodingError;
-        bDecoded = GetOpaqueCRLFields(b->crl)->decodingError;
-        /* neither CRL had its signature check pass */
-        if ( (PR_FALSE == aDecoded) && (PR_FALSE == bDecoded) )
-        {
-            /* both CRLs are proper DER, choose the latest one */
-            return SortCRLsByThisUpdate(arg1, arg2);
-        }
-        if (PR_FALSE == aDecoded)
-        {
-            return 1; /* a is better than b */
-        }
-        if (PR_FALSE == bDecoded)
-        {
-            return -1; /* a is not as good as b */
-        }
-        /* both are invalid DER. sigh. */
-    }
-    /* if they are equal, or if all else fails, use pointer differences */
-    PORT_Assert(a != b); /* they should never be equal */
-    return a>b?1:-1;
-}
-
-
-/* Pick best CRL to use . needs write access */
-static SECStatus DPCache_SelectCRL(CRLDPCache* cache)
-{
-    PRUint32 i;
-    PRBool valid = PR_TRUE;
-    CachedCrl* selected = NULL;
-
-    PORT_Assert(cache);
-    if (!cache)
-    {
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-        return SECFailure;
-    }
-    /* if any invalid CRL is present, then the CRL cache is
-       considered invalid, for security reasons */
-    for (i = 0 ; i<cache->ncrls; i++)
-    {
-        if (!cache->crls[i] || !cache->crls[i]->sigChecked ||
-            !cache->crls[i]->sigValid)
-        {
-            valid = PR_FALSE;
-            break;
-        }
-    }
-    if (PR_TRUE == valid)
-    {
-        /* all CRLs are valid, clear this error */
-        cache->invalid &= (~CRL_CACHE_INVALID_CRLS);
-    } else
-    {
-        /* some CRLs are invalid, set this error */
-        cache->invalid |= CRL_CACHE_INVALID_CRLS;
-    }
-
-    if (cache->invalid)
-    {
-        /* cache is in an invalid state, so destroy it */
-        if (cache->selected)
-        {
-            if (SECSuccess != CachedCrl_Depopulate(cache->selected))
-            {
-                PORT_Assert(0);
-                return SECFailure;
-            }
-            cache->selected = NULL;
-        }
-        /* also sort the CRLs imperfectly */
-        qsort(cache->crls, cache->ncrls, sizeof(CachedCrl*),
-              SortImperfectCRLs);
-        return SECSuccess;
-    }
-    /* all CRLs are good, sort them by thisUpdate */
-    qsort(cache->crls, cache->ncrls, sizeof(CachedCrl*),
-          SortCRLsByThisUpdate);
-
-    if (cache->ncrls)
-    {
-        /* pick the newest CRL */
-        selected = cache->crls[cache->ncrls-1];
-    
-        /* and populate the cache */
-        if (SECSuccess != CachedCrl_Populate(selected))
-        {
-            return SECFailure;
-        }
-    }
-
-    /* free the old CRL cache, if it's for a different CRL */
-    if (cache->selected && cache->selected != selected)
-    {
-        if (SECSuccess != CachedCrl_Depopulate(cache->selected))
-        {
-            return SECFailure;
-        }
-    }
-
-    cache->selected = selected;
-
-    return SECSuccess;
-}
-
-/* initialize a DPCache object */
-static SECStatus DPCache_Create(CRLDPCache** returned, CERTCertificate* issuer,
-                         SECItem* subject, SECItem* dp)
-{
-    CRLDPCache* cache = NULL;
-    PORT_Assert(returned);
-    /* issuer and dp are allowed to be NULL */
-    if (!returned || !subject)
-    {
-        PORT_Assert(0);
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-        return SECFailure;
-    }
-    *returned = NULL;
-    cache = PORT_ZAlloc(sizeof(CRLDPCache));
-    PORT_Assert(cache);
-    if (!cache)
-    {
-        return SECFailure;
-    }
-#ifdef DPC_RWLOCK
-    cache->lock = NSSRWLock_New(NSS_RWLOCK_RANK_NONE, NULL);
-#else
-    cache->lock = PR_NewLock();
-#endif
-    if (!cache->lock)
-    {
-        return SECFailure;
-    }
-    if (issuer)
-    {
-        cache->issuer = CERT_DupCertificate(issuer);
-    }
-    cache->distributionPoint = SECITEM_DupItem(dp);
-    cache->subject = SECITEM_DupItem(subject);
-    cache->lastfetch = 0;
-    cache->lastcheck = 0;
-    *returned = cache;
-    return SECSuccess;
-}
-
-/* create an issuer cache object (per CA subject ) */
-static SECStatus IssuerCache_Create(CRLIssuerCache** returned,
-                             CERTCertificate* issuer,
-                             SECItem* subject, SECItem* dp)
-{
-    SECStatus rv = SECSuccess;
-    CRLIssuerCache* cache = NULL;
-    PORT_Assert(returned);
-    PORT_Assert(subject);
-    /* issuer and dp are allowed to be NULL */
-    if (!returned || !subject)
-    {
-        PORT_Assert(0);
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-        return SECFailure;
-    }
-    *returned = NULL;
-    cache = (CRLIssuerCache*) PORT_ZAlloc(sizeof(CRLIssuerCache));
-    if (!cache)
-    {
-        return SECFailure;
-    }
-    cache->subject = SECITEM_DupItem(subject);
-#ifdef XCRL
-    cache->lock = NSSRWLock_New(NSS_RWLOCK_RANK_NONE, NULL);
-    if (!cache->lock)
-    {
-        rv = SECFailure;
-    }
-    if (SECSuccess == rv && issuer)
-    {
-        cache->issuer = CERT_DupCertificate(issuer);
-        if (!cache->issuer)
-        {
-            rv = SECFailure;
-        }
-    }
-#endif
-    if (SECSuccess != rv)
-    {
-        PORT_Assert(SECSuccess == IssuerCache_Destroy(cache));
-        return SECFailure;
-    }
-    *returned = cache;
-    return SECSuccess;
-}
-
-/* add a DPCache to the issuer cache */
-static SECStatus IssuerCache_AddDP(CRLIssuerCache* cache,
-                                   CERTCertificate* issuer,
-                                   SECItem* subject, SECItem* dp,
-                                   CRLDPCache** newdpc)
-{
-    /* now create the required DP cache object */
-    if (!cache || !subject || !newdpc)
-    {
-        PORT_Assert(0);
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-        return SECFailure;
-    }
-    if (!dp)
-    {
-        /* default distribution point */
-        SECStatus rv = DPCache_Create(&cache->dpp, issuer, subject, NULL);
-        if (SECSuccess == rv)
-        {
-            *newdpc = cache->dpp;
-            return SECSuccess;
-        }
-    }
-    else
-    {
-        /* we should never hit this until we support multiple DPs */
-        PORT_Assert(dp);
-        /* XCRL allocate a new distribution point cache object, initialize it,
-           and add it to the hash table of DPs */
-    }
-    return SECFailure;
-}
-
-/* add an IssuerCache to the global hash table of issuers */
-static SECStatus CRLCache_AddIssuer(CRLIssuerCache* issuer)
-{    
-    PORT_Assert(issuer);
-    PORT_Assert(crlcache.issuers);
-    if (!issuer || !crlcache.issuers)
-    {
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-        return SECFailure;
-    }
-    if (NULL == PL_HashTableAdd(crlcache.issuers, (void*) issuer->subject,
-                                (void*) issuer))
-    {
-        return SECFailure;
-    }
-    return SECSuccess;
-}
-
-/* retrieve the issuer cache object for a given issuer subject */
-static SECStatus CRLCache_GetIssuerCache(CRLCache* cache, SECItem* subject,
-                                         CRLIssuerCache** returned)
-{
-    /* we need to look up the issuer in the hash table */
-    SECStatus rv = SECSuccess;
-    PORT_Assert(cache);
-    PORT_Assert(subject);
-    PORT_Assert(returned);
-    PORT_Assert(crlcache.issuers);
-    if (!cache || !subject || !returned || !crlcache.issuers)
-    {
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-        rv = SECFailure;
-    }
-
-    if (SECSuccess == rv)
-    {
-        *returned = (CRLIssuerCache*) PL_HashTableLookup(crlcache.issuers,
-                                                         (void*) subject);
-    }
-
-    return rv;
-}
-
-/* retrieve the full CRL object that best matches the content of a DPCache */
-static CERTSignedCrl* GetBestCRL(CRLDPCache* cache, PRBool entries)
-{
-    CachedCrl* acrl = NULL;
-
-    PORT_Assert(cache);
-    if (!cache)
-    {
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-        return NULL;
-    }
-
-    if (0 == cache->ncrls)
-    {
-        /* empty cache*/
-        return NULL;
-    }    
-
-    /* if we have a valid full CRL selected, return it */
-    if (cache->selected)
-    {
-        return SEC_DupCrl(cache->selected->crl);
-    }
-
-    /* otherwise, use latest valid DER CRL */
-    acrl = cache->crls[cache->ncrls-1];
-
-    if (acrl && (PR_FALSE == GetOpaqueCRLFields(acrl->crl)->decodingError) )
-    {
-        SECStatus rv = SECSuccess;
-        if (PR_TRUE == entries)
-        {
-            rv = CERT_CompleteCRLDecodeEntries(acrl->crl);
-        }
-        if (SECSuccess == rv)
-        {
-            return SEC_DupCrl(acrl->crl);
-        }
-    }
-
-    return NULL;
-}
-
-/* get a particular DPCache object from an IssuerCache */
-static CRLDPCache* IssuerCache_GetDPCache(CRLIssuerCache* cache, SECItem* dp)
-{
-    CRLDPCache* dpp = NULL;
-    PORT_Assert(cache);
-    /* XCRL for now we only support the "default" DP, ie. the
-       full CRL. So we can return the global one without locking. In
-       the future we will have a lock */
-    PORT_Assert(NULL == dp);
-    if (!cache || dp)
-    {
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-        return NULL;
-    }
-#ifdef XCRL
-    NSSRWLock_LockRead(cache->lock);
-#endif
-    dpp = cache->dpp;
-#ifdef XCRL
-    NSSRWLock_UnlockRead(cache->lock);
-#endif
-    return dpp;
-}
-
-/* get a DPCache object for the given issuer subject and dp
-   Automatically creates the cache object if it doesn't exist yet.
-   */
-static SECStatus AcquireDPCache(CERTCertificate* issuer, SECItem* subject,
-                                SECItem* dp, int64 t, void* wincx,
-                                CRLDPCache** dpcache, PRBool* writeLocked)
-{
-    SECStatus rv = SECSuccess;
-    CRLIssuerCache* issuercache = NULL;
-#ifdef GLOBAL_RWLOCK
-    PRBool globalwrite = PR_FALSE;
-#endif
-    PORT_Assert(crlcache.lock);
-    if (!crlcache.lock)
-    {
-        /* CRL cache is not initialized */
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-        return SECFailure;
-    }
-#ifdef GLOBAL_RWLOCK
-    NSSRWLock_LockRead(crlcache.lock);
-#else
-    PR_Lock(crlcache.lock);
-#endif
-    rv = CRLCache_GetIssuerCache(&crlcache, subject, &issuercache);
-    if (SECSuccess != rv)
-    {
-#ifdef GLOBAL_RWLOCK
-        NSSRWLock_UnlockRead(crlcache.lock);
-#else
-        PR_Unlock(crlcache.lock);
-#endif
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-        return SECFailure;
-    }
-    if (!issuercache)
-    {
-        /* there is no cache for this issuer yet. This means this is the
-           first time we look up a cert from that issuer, and we need to
-           create the cache. */
-        
-        rv = IssuerCache_Create(&issuercache, issuer, subject, dp);
-        if (SECSuccess == rv && !issuercache)
-        {
-            PORT_Assert(issuercache);
-            rv = SECFailure;
-        }
-
-        if (SECSuccess == rv)
-        {
-            /* This is the first time we look up a cert of this issuer.
-               Create the DPCache for this DP . */
-            rv = IssuerCache_AddDP(issuercache, issuer, subject, dp, dpcache);
-        }
-
-        if (SECSuccess == rv)
-        {
-            /* lock the DPCache for write to ensure the update happens in this
-               thread */
-            *writeLocked = PR_TRUE;
-#ifdef DPC_RWLOCK
-            NSSRWLock_LockWrite((*dpcache)->lock);
-#else
-            PR_Lock((*dpcache)->lock);
-#endif
-        }
-        
-        if (SECSuccess == rv)
-        {
-            /* now add the new issuer cache to the global hash table of
-               issuers */
-#ifdef GLOBAL_RWLOCK
-            CRLIssuerCache* existing = NULL;
-            NSSRWLock_UnlockRead(crlcache.lock);
-            /* when using a r/w lock for the global cache, check if the issuer
-               already exists before adding to the hash table */
-            NSSRWLock_LockWrite(crlcache.lock);
-            globalwrite = PR_TRUE;
-            rv = CRLCache_GetIssuerCache(&crlcache, subject, &existing);
-            if (!existing)
-            {
-#endif
-                rv = CRLCache_AddIssuer(issuercache);
-                if (SECSuccess != rv)
-                {
-                    /* failure */
-                    rv = SECFailure;
-                }
-#ifdef GLOBAL_RWLOCK
-            }
-            else
-            {
-                /* somebody else updated before we did */
-                IssuerCache_Destroy(issuercache); /* destroy the new object */
-                issuercache = existing; /* use the existing one */
-                *dpcache = IssuerCache_GetDPCache(issuercache, dp);
-            }
-#endif
-        }
-
-        /* now unlock the global cache. We only want to lock the issuer hash
-           table addition. Holding it longer would hurt scalability */
-#ifdef GLOBAL_RWLOCK
-        if (PR_TRUE == globalwrite)
-        {
-            NSSRWLock_UnlockWrite(crlcache.lock);
-            globalwrite = PR_FALSE;
-        }
-        else
-        {
-            NSSRWLock_UnlockRead(crlcache.lock);
-        }
-#else
-        PR_Unlock(crlcache.lock);
-#endif
-
-        /* if there was a failure adding an issuer cache object, destroy it */
-        if (SECSuccess != rv && issuercache)
-        {
-            if (PR_TRUE == *writeLocked)
-            {
-#ifdef DPC_RWLOCK
-                NSSRWLock_UnlockWrite((*dpcache)->lock);
-#else
-                PR_Unlock((*dpcache)->lock);
-#endif
-            }
-            IssuerCache_Destroy(issuercache);
-            issuercache = NULL;
-        }
-
-        if (SECSuccess != rv)
-        {
-            return SECFailure;
-        }
-    } else
-    {
-#ifdef GLOBAL_RWLOCK
-        NSSRWLock_UnlockRead(crlcache.lock);
-#else
-        PR_Unlock(crlcache.lock);
-#endif
-        *dpcache = IssuerCache_GetDPCache(issuercache, dp);
-    }
-    /* we now have a DPCache that we can use for lookups */
-    /* lock it for read, unless we already locked for write */
-    if (PR_FALSE == *writeLocked)
-    {
-#ifdef DPC_RWLOCK
-        NSSRWLock_LockRead((*dpcache)->lock);
-#else
-        PR_Lock((*dpcache)->lock);
-#endif
-    }
-    
-    if (SECSuccess == rv)
-    {
-        /* currently there is always one and only one DPCache per issuer */
-        PORT_Assert(*dpcache);
-        if (*dpcache)
-        {
-            /* make sure the DP cache is up to date before using it */
-            rv = DPCache_GetUpToDate(*dpcache, issuer, PR_FALSE == *writeLocked,
-                                     t, wincx);
-        }
-        else
-        {
-            rv = SECFailure;
-        }
-    }
-    return rv;
-}
-
-/* unlock access to the DPCache */
-static void ReleaseDPCache(CRLDPCache* dpcache, PRBool writeLocked)
-{
-    if (!dpcache)
-    {
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-        return;
-    }
-#ifdef DPC_RWLOCK
-    if (PR_TRUE == writeLocked)
-    {
-        NSSRWLock_UnlockWrite(dpcache->lock);
-    }
-    else
-    {
-        NSSRWLock_UnlockRead(dpcache->lock);
-    }
-#else
-    PR_Unlock(dpcache->lock);
-#endif
-}
-
-/* check CRL revocation status of given certificate and issuer */
-SECStatus
-CERT_CheckCRL(CERTCertificate* cert, CERTCertificate* issuer, SECItem* dp,
-              int64 t, void* wincx)
-{
-    PRBool lockedwrite = PR_FALSE;
-    SECStatus rv = SECSuccess;
-    CRLDPCache* dpcache = NULL;
-    if (!cert || !issuer)
-    {
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-        return SECFailure;
-    }
-
-    if (SECSuccess != CERT_CheckCertValidTimes(issuer, t, PR_FALSE))
-    {
-        /* we won't be able to check the CRL's signature if the issuer cert
-           is expired as of the time we are verifying. This may cause a valid
-           CRL to be cached as bad. short-circuit to avoid this case. */
-        PORT_SetError(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE);
-        return SECFailure;
-    }
-
-    rv = AcquireDPCache(issuer, &issuer->derSubject, dp, t, wincx, &dpcache,
-                        &lockedwrite);
-    
-    if (SECSuccess == rv)
-    {
-        /* now look up the certificate SN in the DP cache's CRL */
-        CERTCrlEntry* entry = NULL;
-        rv = DPCache_Lookup(dpcache, &cert->serialNumber, &entry);
-        if (SECSuccess == rv && entry)
-        {
-            /* check the time if we have one */
-            if (entry->revocationDate.data && entry->revocationDate.len)
-            {
-                int64 revocationDate = 0;
-                if (SECSuccess == DER_DecodeTimeChoice(&revocationDate,
-                                               &entry->revocationDate))
-                {
-                    /* we got a good revocation date, only consider the
-                       certificate revoked if the time we are inquiring about
-                       is past the revocation date */
-                    if (t>=revocationDate)
-                    {
-                        rv = SECFailure;
-                    }
-                } else {
-                    /* invalid revocation date, consider the certificate
-                       permanently revoked */
-                    rv = SECFailure;
-                }
-            } else {
-                /* no revocation date, certificate is permanently revoked */
-                rv = SECFailure;
-            }
-            if (SECFailure == rv)
-            {
-                PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
-            }
-        }
-    }
-
-    ReleaseDPCache(dpcache, lockedwrite);
-    return rv;
-}
-
-/* retrieve full CRL object that best matches the cache status */
-CERTSignedCrl *
-SEC_FindCrlByName(CERTCertDBHandle *handle, SECItem *crlKey, int type)
-{
-    CERTSignedCrl* acrl = NULL;
-    CRLDPCache* dpcache = NULL;
-    SECStatus rv = SECSuccess;
-    PRBool writeLocked = PR_FALSE;
-
-    if (!crlKey)
-    {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return NULL;
-    }
-
-    rv = AcquireDPCache(NULL, crlKey, NULL, 0, NULL, &dpcache, &writeLocked);
-    if (SECSuccess == rv)
-    {
-        acrl = GetBestCRL(dpcache, PR_TRUE); /* decode entries, because
-        SEC_FindCrlByName always returned fully decoded CRLs in the past */
-        ReleaseDPCache(dpcache, writeLocked);
-    }
-    return acrl;
-}
-
-/* invalidate the CRL cache for a given issuer, which forces a refetch of
-   CRL objects from PKCS#11 tokens */
-void CERT_CRLCacheRefreshIssuer(CERTCertDBHandle* dbhandle, SECItem* crlKey)
-{
-    CRLDPCache* cache = NULL;
-    SECStatus rv = SECSuccess;
-    PRBool writeLocked = PR_FALSE;
-    PRBool readlocked;
-
-    (void) dbhandle; /* silence compiler warnings */
-
-    /* XCRL we will need to refresh all the DPs of the issuer in the future,
-            not just the default one */
-    rv = AcquireDPCache(NULL, crlKey, NULL, 0, NULL, &cache, &writeLocked);
-    if (SECSuccess != rv)
-    {
-        return;
-    }
-    /* we need to invalidate the DPCache here */
-    readlocked = (writeLocked == PR_TRUE? PR_FALSE : PR_TRUE);
-    DPCache_LockWrite();
-    cache->refresh = PR_TRUE;
-    DPCache_UnlockWrite();
-    ReleaseDPCache(cache, writeLocked);
-    return;
-}
-
-/* add the specified RAM CRL object to the cache */
-SECStatus CERT_CacheCRL(CERTCertDBHandle* dbhandle, SECItem* newdercrl)
-{
-    CRLDPCache* cache = NULL;
-    SECStatus rv = SECSuccess;
-    PRBool writeLocked = PR_FALSE;
-    PRBool readlocked;
-    CachedCrl* returned = NULL;
-    PRBool added = PR_FALSE;
-    CERTSignedCrl* newcrl = NULL;
-    int realerror = 0;
-    
-    if (!dbhandle || !newdercrl)
-    {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    /* first decode the DER CRL to make sure it's OK */
-    newcrl = CERT_DecodeDERCrlWithFlags(NULL, newdercrl, SEC_CRL_TYPE,
-                                        CRL_DECODE_DONT_COPY_DER |
-                                        CRL_DECODE_SKIP_ENTRIES);
-
-    if (!newcrl)
-    {
-        return SECFailure;
-    }
-
-    rv = AcquireDPCache(NULL,
-                        &newcrl->crl.derName,
-                        NULL, 0, NULL, &cache, &writeLocked);
-    if (SECSuccess == rv)
-    {
-        readlocked = (writeLocked == PR_TRUE? PR_FALSE : PR_TRUE);
-    
-        rv = CachedCrl_Create(&returned, newcrl, CRL_OriginExplicit);
-        if (SECSuccess == rv && returned)
-        {
-            DPCache_LockWrite();
-            rv = DPCache_AddCRL(cache, returned, &added);
-            if (PR_TRUE != added)
-            {
-                realerror = PORT_GetError();
-                CachedCrl_Destroy(returned);
-                returned = NULL;
-            }
-            DPCache_UnlockWrite();
-        }
-    
-        ReleaseDPCache(cache, writeLocked);
-    
-        if (!added)
-        {
-            rv = SECFailure;
-        }
-    }
-    SEC_DestroyCrl(newcrl); /* free the CRL. Either it got added to the cache
-        and the refcount got bumped, or not, and thus we need to free its
-        RAM */
-    if (realerror)
-    {
-        PORT_SetError(realerror);
-    }
-    return rv;
-}
-
-/* remove the specified RAM CRL object from the cache */
-SECStatus CERT_UncacheCRL(CERTCertDBHandle* dbhandle, SECItem* olddercrl)
-{
-    CRLDPCache* cache = NULL;
-    SECStatus rv = SECSuccess;
-    PRBool writeLocked = PR_FALSE;
-    PRBool readlocked;
-    PRBool removed = PR_FALSE;
-    PRUint32 i;
-    CERTSignedCrl* oldcrl = NULL;
-    
-    if (!dbhandle || !olddercrl)
-    {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    /* first decode the DER CRL to make sure it's OK */
-    oldcrl = CERT_DecodeDERCrlWithFlags(NULL, olddercrl, SEC_CRL_TYPE,
-                                        CRL_DECODE_DONT_COPY_DER |
-                                        CRL_DECODE_SKIP_ENTRIES);
-
-    if (!oldcrl)
-    {
-        /* if this DER CRL can't decode, it can't be in the cache */
-        return SECFailure;
-    }
-
-    rv = AcquireDPCache(NULL,
-                        &oldcrl->crl.derName,
-                        NULL, 0, NULL, &cache, &writeLocked);
-    if (SECSuccess == rv)
-    {
-        CachedCrl* returned = NULL;
-
-        readlocked = (writeLocked == PR_TRUE? PR_FALSE : PR_TRUE);
-    
-        rv = CachedCrl_Create(&returned, oldcrl, CRL_OriginExplicit);
-        if (SECSuccess == rv && returned)
-        {
-            DPCache_LockWrite();
-            for (i=0;i<cache->ncrls;i++)
-            {
-                PRBool dupe = PR_FALSE, updated = PR_FALSE;
-                rv = CachedCrl_Compare(returned, cache->crls[i],
-                                                      &dupe, &updated);
-                if (SECSuccess != rv)
-                {
-                    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-                    break;
-                }
-                if (PR_TRUE == dupe)
-                {
-                    DPCache_RemoveCRL(cache, i); /* got a match */
-                    cache->mustchoose = PR_TRUE;
-                    removed = PR_TRUE;
-                    break;
-                }
-            }
-            
-            DPCache_UnlockWrite();
-        }
-
-        ReleaseDPCache(cache, writeLocked);
-
-        if (PR_TRUE != removed)
-        {
-            rv = SECFailure;
-        }
-    }
-    SEC_DestroyCrl(oldcrl); /* need to do this because object is refcounted */
-    if (PR_TRUE != removed)
-    {
-        PORT_SetError(SEC_ERROR_CRL_NOT_FOUND);
-    }
-    return rv;
-}
-
-static SECStatus CachedCrl_Create(CachedCrl** returned, CERTSignedCrl* crl,
-                                  CRLOrigin origin)
-{
-    CachedCrl* newcrl = NULL;
-    if (!returned)
-    {
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-        return SECFailure;
-    }
-    newcrl = PORT_ZAlloc(sizeof(CachedCrl));
-    if (!newcrl)
-    {
-        return SECFailure;
-    }
-    newcrl->crl = SEC_DupCrl(crl);
-    newcrl->origin = origin;
-    *returned = newcrl;
-    return SECSuccess;
-}
-
-/* empty the cache content */
-static SECStatus CachedCrl_Depopulate(CachedCrl* crl)
-{
-    if (!crl)
-    {
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-        return SECFailure;
-    }
-     /* destroy the hash table */
-    if (crl->entries)
-    {
-        PL_HashTableDestroy(crl->entries);
-        crl->entries = NULL;
-    }
-
-    /* free the pre buffer */
-    if (crl->prebuffer)
-    {
-        PreAllocator_Destroy(crl->prebuffer);
-        crl->prebuffer = NULL;
-    }
-    return SECSuccess;
-}
-
-static SECStatus CachedCrl_Destroy(CachedCrl* crl)
-{
-    if (!crl)
-    {
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-        return SECFailure;
-    }
-    CachedCrl_Depopulate(crl);
-    SEC_DestroyCrl(crl->crl);
-    PORT_Free(crl);
-    return SECSuccess;
-}
-
-/* create hash table of CRL entries */
-static SECStatus CachedCrl_Populate(CachedCrl* crlobject)
-{
-    SECStatus rv = SECFailure;
-    CERTCrlEntry** crlEntry = NULL;
-    PRUint32 numEntries = 0;
-
-    if (!crlobject)
-    {
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-        return SECFailure;
-    }
-    /* complete the entry decoding . XXX thread-safety of CRL object */
-    rv = CERT_CompleteCRLDecodeEntries(crlobject->crl);
-    if (SECSuccess != rv)
-    {
-        return SECFailure;
-    }
-
-    if (crlobject->entries && crlobject->prebuffer)
-    {
-        /* cache is already built */
-        return SECSuccess;
-    }
-
-    /* build the hash table from the full CRL */    
-    /* count CRL entries so we can pre-allocate space for hash table entries */
-    for (crlEntry = crlobject->crl->crl.entries; crlEntry && *crlEntry;
-         crlEntry++)
-    {
-        numEntries++;
-    }
-    crlobject->prebuffer = PreAllocator_Create(numEntries*sizeof(PLHashEntry));
-    PORT_Assert(crlobject->prebuffer);
-    if (!crlobject->prebuffer)
-    {
-        return SECFailure;
-    }
-    /* create a new hash table */
-    crlobject->entries = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare,
-                         PL_CompareValues, &preAllocOps, crlobject->prebuffer);
-    PORT_Assert(crlobject->entries);
-    if (!crlobject->entries)
-    {
-        return SECFailure;
-    }
-    /* add all serial numbers to the hash table */
-    for (crlEntry = crlobject->crl->crl.entries; crlEntry && *crlEntry;
-         crlEntry++)
-    {
-        PL_HashTableAdd(crlobject->entries, &(*crlEntry)->serialNumber,
-                        *crlEntry);
-    }
-
-    return SECSuccess;
-}
-
-/* returns true if there are CRLs from PKCS#11 slots */
-static PRBool DPCache_HasTokenCRLs(CRLDPCache* cache)
-{
-    PRBool answer = PR_FALSE;
-    PRUint32 i;
-    for (i=0;i<cache->ncrls;i++)
-    {
-        if (cache->crls[i] && (CRL_OriginToken == cache->crls[i]->origin) )
-        {
-            answer = PR_TRUE;
-            break;
-        }
-    }
-    return answer;
-}
-
-/* are these CRLs the same, as far as the cache is concerned ? */
-/* are these CRLs the same token object but with different DER ?
-   This can happen if the DER CRL got updated in the token, but the PKCS#11
-   object ID did not change. NSS softoken has the unfortunate property to
-   never change the object ID for CRL objects. */
-static SECStatus CachedCrl_Compare(CachedCrl* a, CachedCrl* b, PRBool* isDupe,
-                                PRBool* isUpdated)
-{
-    PORT_Assert(a);
-    PORT_Assert(b);
-    PORT_Assert(isDupe);
-    PORT_Assert(isUpdated);
-    if (!a || !b || !isDupe || !isUpdated || !a->crl || !b->crl)
-    {
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-        return SECFailure;
-    }
-
-    *isDupe = *isUpdated = PR_FALSE;
-
-    if (a == b)
-    {
-        /* dupe */
-        *isDupe = PR_TRUE;
-        *isUpdated = PR_FALSE;
-        return SECSuccess;
-    }
-    if (b->origin != a->origin)
-    {
-        /* CRLs of different origins are not considered dupes,
-           and can't be updated either */
-        return SECSuccess;
-    }
-    if (CRL_OriginToken == b->origin)
-    {
-        /* for token CRLs, slot and PKCS#11 object handle must match for CRL
-           to truly be a dupe */
-        if ( (b->crl->slot == a->crl->slot) &&
-             (b->crl->pkcs11ID == a->crl->pkcs11ID) )
-        {
-            /* ASN.1 DER needs to match for dupe check */
-            /* could optimize by just checking a few fields like thisUpdate */
-            if ( SECEqual == SECITEM_CompareItem(b->crl->derCrl,
-                                                 a->crl->derCrl) )
-            {
-                *isDupe = PR_TRUE;
-            }
-            else
-            {
-                *isUpdated = PR_TRUE;
-            }
-        }
-        return SECSuccess;
-    }
-    if (CRL_OriginExplicit == b->origin)
-    {
-        /* We need to make sure this is the same object that the user provided
-           to CERT_CacheCRL previously. That API takes a SECItem*, thus, we
-           just do a pointer comparison here.
-        */
-        if (b->crl->derCrl == a->crl->derCrl)
-        {
-            *isDupe = PR_TRUE;
-        }
-    }
-    return SECSuccess;
-}
-
-
-
diff --git a/security/nss/lib/certdb/genname.c b/security/nss/lib/certdb/genname.c
deleted file mode 100644
index a5ac86e75..000000000
--- a/security/nss/lib/certdb/genname.c
+++ /dev/null
@@ -1,1832 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "plarena.h"
-#include "seccomon.h"
-#include "secitem.h"
-#include "secoidt.h"
-#include "mcom_db.h"
-#include "secasn1.h"
-#include "secder.h"
-#include "certt.h"
-#include "cert.h"
-#include "xconst.h"
-#include "secerr.h"
-#include "secoid.h"
-#include "prprf.h"
-#include "genname.h"
-
-
-
-static const SEC_ASN1Template CERTNameConstraintTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTNameConstraint) },
-    { SEC_ASN1_ANY, offsetof(CERTNameConstraint, DERName) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 0, 
-          offsetof(CERTNameConstraint, min), SEC_IntegerTemplate }, 
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 1, 
-          offsetof(CERTNameConstraint, max), SEC_IntegerTemplate },
-    { 0, }
-};
-
-const SEC_ASN1Template CERT_NameConstraintSubtreeSubTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF, 0, SEC_AnyTemplate }
-};
-
-
-const SEC_ASN1Template CERT_NameConstraintSubtreePermitedTemplate[] = {
-    { SEC_ASN1_CONTEXT_SPECIFIC | 0, 0, CERT_NameConstraintSubtreeSubTemplate }
-};
-
-const SEC_ASN1Template CERT_NameConstraintSubtreeExcludedTemplate[] = {
-    { SEC_ASN1_CONTEXT_SPECIFIC | 1, 0, CERT_NameConstraintSubtreeSubTemplate }
-};
-
-
-static const SEC_ASN1Template CERTNameConstraintsTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTNameConstraints) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 0, 
-          offsetof(CERTNameConstraints, DERPermited), 
-	  CERT_NameConstraintSubtreeSubTemplate},
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 1, 
-          offsetof(CERTNameConstraints, DERExcluded), 
-	  CERT_NameConstraintSubtreeSubTemplate},
-    { 0, }
-};
-
-
-static const SEC_ASN1Template CERTOthNameTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(OtherName) },
-    { SEC_ASN1_OBJECT_ID, 
-	  offsetof(OtherName, oid) },
-    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 0,
-          offsetof(OtherName, name), SEC_AnyTemplate },
-    { 0, } 
-};
-
-static const SEC_ASN1Template CERTOtherNameTemplate[] = {
-    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 0 ,
-      offsetof(CERTGeneralName, name.OthName), CERTOthNameTemplate, 
-      sizeof(CERTGeneralName) }
-};
-
-static const SEC_ASN1Template CERTOtherName2Template[] = {
-    { SEC_ASN1_SEQUENCE | SEC_ASN1_CONTEXT_SPECIFIC | 0 ,
-      0, NULL, sizeof(CERTGeneralName) },
-    { SEC_ASN1_OBJECT_ID,
-	  offsetof(CERTGeneralName, name.OthName) + offsetof(OtherName, oid) },
-    { SEC_ASN1_ANY,
-	  offsetof(CERTGeneralName, name.OthName) + offsetof(OtherName, name) },
-    { 0, } 
-};
-
-static const SEC_ASN1Template CERT_RFC822NameTemplate[] = {
-    { SEC_ASN1_CONTEXT_SPECIFIC | 1 ,
-          offsetof(CERTGeneralName, name.other), SEC_IA5StringTemplate,
-          sizeof (CERTGeneralName)}
-};
-
-static const SEC_ASN1Template CERT_DNSNameTemplate[] = {
-    { SEC_ASN1_CONTEXT_SPECIFIC | 2 ,
-          offsetof(CERTGeneralName, name.other), SEC_IA5StringTemplate,
-          sizeof (CERTGeneralName)}
-};
-
-static const SEC_ASN1Template CERT_X400AddressTemplate[] = {
-    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 3,
-          offsetof(CERTGeneralName, name.other), SEC_AnyTemplate,
-          sizeof (CERTGeneralName)}
-};
-
-static const SEC_ASN1Template CERT_DirectoryNameTemplate[] = {
-    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 4,
-          offsetof(CERTGeneralName, derDirectoryName), SEC_AnyTemplate,
-          sizeof (CERTGeneralName)}
-};
-
-
-static const SEC_ASN1Template CERT_EDIPartyNameTemplate[] = {
-    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 5,
-          offsetof(CERTGeneralName, name.other), SEC_AnyTemplate,
-          sizeof (CERTGeneralName)}
-};
-
-static const SEC_ASN1Template CERT_URITemplate[] = {
-    { SEC_ASN1_CONTEXT_SPECIFIC | 6 ,
-          offsetof(CERTGeneralName, name.other), SEC_IA5StringTemplate,
-          sizeof (CERTGeneralName)}
-};
-
-static const SEC_ASN1Template CERT_IPAddressTemplate[] = {
-    { SEC_ASN1_CONTEXT_SPECIFIC | 7 ,
-          offsetof(CERTGeneralName, name.other), SEC_OctetStringTemplate,
-          sizeof (CERTGeneralName)}
-};
-
-static const SEC_ASN1Template CERT_RegisteredIDTemplate[] = {
-    { SEC_ASN1_CONTEXT_SPECIFIC | 8 ,
-          offsetof(CERTGeneralName, name.other), SEC_ObjectIDTemplate,
-          sizeof (CERTGeneralName)}
-};
-
-
-const SEC_ASN1Template CERT_GeneralNamesTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF, 0, SEC_AnyTemplate }
-};
-
-
-
-CERTGeneralName *
-cert_NewGeneralName(PLArenaPool *arena, CERTGeneralNameType type)
-{
-    CERTGeneralName *name = arena 
-                            ? PORT_ArenaZNew(arena, CERTGeneralName)
-	                    : PORT_ZNew(CERTGeneralName);
-    if (name) {
-	name->type = type;
-	name->l.prev = name->l.next = &name->l;
-    }
-    return name;
-}
-
-/* Copy content of one General Name to another.
-** Caller has allocated destination general name.
-** This function does not change the destinate's GeneralName's list linkage.
-*/
-SECStatus
-cert_CopyOneGeneralName(PRArenaPool      *arena, 
-		        CERTGeneralName  *dest, 
-		        CERTGeneralName  *src)
-{
-    SECStatus rv;
-
-    /* TODO: mark arena */
-    PORT_Assert(dest != NULL);
-    dest->type = src->type;
-
-    switch (src->type) {
-    case certDirectoryName: 
-	rv = SECITEM_CopyItem(arena, &dest->derDirectoryName, 
-				      &src->derDirectoryName);
-	if (rv == SECSuccess) 
-	    rv = CERT_CopyName(arena, &dest->name.directoryName, 
-				       &src->name.directoryName);
-	break;
-
-    case certOtherName: 
-	rv = SECITEM_CopyItem(arena, &dest->name.OthName.name, 
-				      &src->name.OthName.name);
-	if (rv == SECSuccess) 
-	    rv = SECITEM_CopyItem(arena, &dest->name.OthName.oid, 
-					  &src->name.OthName.oid);
-	break;
-
-    default: 
-	rv = SECITEM_CopyItem(arena, &dest->name.other, 
-				      &src->name.other);
-	break;
-
-    }
-    if (rv != SECSuccess) {
-	/* TODO: release back to mark */
-    } else {
-	/* TODO: unmark arena */
-    }
-    return rv;
-}
-
-
-void
-CERT_DestroyGeneralNameList(CERTGeneralNameList *list)
-{
-    PZLock *lock;
-
-    if (list != NULL) {
-	lock = list->lock;
-	PZ_Lock(lock);
-	if (--list->refCount <= 0 && list->arena != NULL) {
-	    PORT_FreeArena(list->arena, PR_FALSE);
-	    PZ_Unlock(lock);
-	    PZ_DestroyLock(lock);
-	} else {
-	    PZ_Unlock(lock);
-	}
-    }
-    return;
-}
-
-CERTGeneralNameList *
-CERT_CreateGeneralNameList(CERTGeneralName *name) {
-    PRArenaPool *arena;
-    CERTGeneralNameList *list = NULL;
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) {
-	goto done;
-    }
-    list = PORT_ArenaZNew(arena, CERTGeneralNameList);
-    if (!list)
-    	goto loser;
-    if (name != NULL) {
-	SECStatus rv;
-	list->name = cert_NewGeneralName(arena, (CERTGeneralNameType)0);
-	if (!list->name)
-	    goto loser;
-	rv = CERT_CopyGeneralName(arena, list->name, name);
-	if (rv != SECSuccess)
-	    goto loser;
-    }
-    list->lock = PZ_NewLock(nssILockList);
-    if (!list->lock)
-    	goto loser;
-    list->arena = arena;
-    list->refCount = 1;
-done:
-    return list;
-
-loser:
-    PORT_FreeArena(arena, PR_FALSE);
-    return NULL;
-}
-
-CERTGeneralName *
-CERT_GetNextGeneralName(CERTGeneralName *current)
-{
-    PRCList *next;
-    
-    next = current->l.next;
-    return (CERTGeneralName *) (((char *) next) - offsetof(CERTGeneralName, l));
-}
-
-CERTGeneralName *
-CERT_GetPrevGeneralName(CERTGeneralName *current)
-{
-    PRCList *prev;
-    prev = current->l.prev;
-    return (CERTGeneralName *) (((char *) prev) - offsetof(CERTGeneralName, l));
-}
-
-CERTNameConstraint *
-CERT_GetNextNameConstraint(CERTNameConstraint *current)
-{
-    PRCList *next;
-    
-    next = current->l.next;
-    return (CERTNameConstraint *) (((char *) next) - offsetof(CERTNameConstraint, l));
-}
-
-CERTNameConstraint *
-CERT_GetPrevNameConstraint(CERTNameConstraint *current)
-{
-    PRCList *prev;
-    prev = current->l.prev;
-    return (CERTNameConstraint *) (((char *) prev) - offsetof(CERTNameConstraint, l));
-}
-
-SECItem *
-CERT_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest, PRArenaPool *arena)
-{
-
-    const SEC_ASN1Template * template;
-
-    PORT_Assert(arena);
-    if (arena == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return NULL;
-    }
-    /* TODO: mark arena */
-    if (dest == NULL) {
-	dest = PORT_ArenaZNew(arena, SECItem);
-	if (!dest)
-	    goto loser;
-    }
-    if (genName->type == certDirectoryName) {
-	if (genName->derDirectoryName.data == NULL) {
-	    /* The field hasn't been encoded yet. */
-            SECItem * pre_dest =
-            SEC_ASN1EncodeItem (arena, &(genName->derDirectoryName),
-                                &(genName->name.directoryName),
-                                CERT_NameTemplate);
-            if (!pre_dest)
-                goto loser;
-	}
-	if (genName->derDirectoryName.data == NULL) {
-	    goto loser;
-	}
-    }
-    switch (genName->type) {
-    case certURI:           template = CERT_URITemplate;           break;
-    case certRFC822Name:    template = CERT_RFC822NameTemplate;    break;
-    case certDNSName:       template = CERT_DNSNameTemplate;       break;
-    case certIPAddress:     template = CERT_IPAddressTemplate;     break;
-    case certOtherName:     template = CERTOtherNameTemplate;      break;
-    case certRegisterID:    template = CERT_RegisteredIDTemplate;  break;
-         /* for this type, we expect the value is already encoded */
-    case certEDIPartyName:  template = CERT_EDIPartyNameTemplate;  break;
-	 /* for this type, we expect the value is already encoded */
-    case certX400Address:   template = CERT_X400AddressTemplate;   break;
-    case certDirectoryName: template = CERT_DirectoryNameTemplate; break;
-    default:
-	PORT_Assert(0); goto loser;
-    }
-    dest = SEC_ASN1EncodeItem(arena, dest, genName, template);
-    if (!dest) {
-	goto loser;
-    }
-    /* TODO: unmark arena */
-    return dest;
-loser:
-    /* TODO: release arena back to mark */
-    return NULL;
-}
-
-SECItem **
-cert_EncodeGeneralNames(PRArenaPool *arena, CERTGeneralName *names)
-{
-    CERTGeneralName  *current_name;
-    SECItem          **items = NULL;
-    int              count = 0;
-    int              i;
-    PRCList          *head;
-
-    PORT_Assert(arena);
-    /* TODO: mark arena */
-    current_name = names;
-    if (names != NULL) {
-	count = 1;
-    }
-    head = &(names->l);
-    while (current_name->l.next != head) {
-	current_name = CERT_GetNextGeneralName(current_name);
-	++count;
-    }
-    current_name = CERT_GetNextGeneralName(current_name);
-    items = PORT_ArenaNewArray(arena, SECItem *, count + 1);
-    if (items == NULL) {
-	goto loser;
-    }
-    for (i = 0; i < count; i++) {
-	items[i] = CERT_EncodeGeneralName(current_name, (SECItem *)NULL, arena);
-	if (items[i] == NULL) {
-	    goto loser;
-	}
-	current_name = CERT_GetNextGeneralName(current_name);
-    }
-    items[i] = NULL;
-    /* TODO: unmark arena */
-    return items;
-loser:
-    /* TODO: release arena to mark */
-    return NULL;
-}
-
-CERTGeneralName *
-CERT_DecodeGeneralName(PRArenaPool      *arena,
-		       SECItem          *encodedName,
-		       CERTGeneralName  *genName)
-{
-    const SEC_ASN1Template *         template;
-    CERTGeneralNameType              genNameType;
-    SECStatus                        rv = SECSuccess;
-
-    PORT_Assert(arena);
-    /* TODO: mark arena */
-    genNameType = (CERTGeneralNameType)((*(encodedName->data) & 0x0f) + 1);
-    if (genName == NULL) {
-	genName = cert_NewGeneralName(arena, genNameType);
-	if (!genName)
-	    goto loser;
-    } else {
-	genName->type = genNameType;
-	genName->l.prev = genName->l.next = &genName->l;
-    }
-    switch (genNameType) {
-    case certURI: 		template = CERT_URITemplate;           break;
-    case certRFC822Name: 	template = CERT_RFC822NameTemplate;    break;
-    case certDNSName: 		template = CERT_DNSNameTemplate;       break;
-    case certIPAddress: 	template = CERT_IPAddressTemplate;     break;
-    case certOtherName: 	template = CERTOtherNameTemplate;      break;
-    case certRegisterID: 	template = CERT_RegisteredIDTemplate;  break;
-    case certEDIPartyName: 	template = CERT_EDIPartyNameTemplate;  break;
-    case certX400Address: 	template = CERT_X400AddressTemplate;   break;
-    case certDirectoryName: 	template = CERT_DirectoryNameTemplate; break;
-    default: 
-        goto loser;
-    }
-    rv = SEC_ASN1DecodeItem(arena, genName, template, encodedName);
-    if (rv != SECSuccess) 
-	goto loser;
-    if (genNameType == certDirectoryName) {
-	rv = SEC_ASN1DecodeItem(arena, &(genName->name.directoryName), 
-				CERT_NameTemplate, 
-				&(genName->derDirectoryName));
-        if (rv != SECSuccess)
-	    goto loser;
-    }
-
-    /* TODO: unmark arena */
-    return genName;
-loser:
-    /* TODO: release arena to mark */
-    return NULL;
-}
-
-CERTGeneralName *
-cert_DecodeGeneralNames (PRArenaPool  *arena,
-			 SECItem      **encodedGenName)
-{
-    PRCList                           *head = NULL;
-    PRCList                           *tail = NULL;
-    CERTGeneralName                   *currentName = NULL;
-
-    PORT_Assert(arena);
-    if (!encodedGenName || !arena) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return NULL;
-    }
-    /* TODO: mark arena */
-    while (*encodedGenName != NULL) {
-	currentName = CERT_DecodeGeneralName(arena, *encodedGenName, NULL);
-	if (currentName == NULL)
-	    break;
-	if (head == NULL) {
-	    head = &(currentName->l);
-	    tail = head;
-	}
-	currentName->l.next = head;
-	currentName->l.prev = tail;
-	tail = head->prev = tail->next = &(currentName->l);
-	encodedGenName++;
-    }
-    if (currentName) {
-	/* TODO: unmark arena */
-	return CERT_GetNextGeneralName(currentName);
-    }
-    /* TODO: release arena to mark */
-    return NULL;
-}
-
-void
-CERT_DestroyGeneralName(CERTGeneralName *name)
-{
-    cert_DestroyGeneralNames(name);
-}
-
-SECStatus
-cert_DestroyGeneralNames(CERTGeneralName *name)
-{
-    CERTGeneralName    *first;
-    CERTGeneralName    *next = NULL;
-
-
-    first = name;
-    do {
-	next = CERT_GetNextGeneralName(name);
-	PORT_Free(name);
-	name = next;
-    } while (name != first);
-    return SECSuccess;
-}
-
-static SECItem *
-cert_EncodeNameConstraint(CERTNameConstraint  *constraint, 
-			 SECItem             *dest,
-			 PRArenaPool         *arena)
-{
-    PORT_Assert(arena);
-    if (dest == NULL) {
-	dest = PORT_ArenaZNew(arena, SECItem);
-	if (dest == NULL) {
-	    return NULL;
-	}
-    }
-    CERT_EncodeGeneralName(&(constraint->name), &(constraint->DERName), arena);
-    
-    dest = SEC_ASN1EncodeItem (arena, dest, constraint,
-			       CERTNameConstraintTemplate);
-    return dest;
-} 
-
-SECStatus 
-cert_EncodeNameConstraintSubTree(CERTNameConstraint  *constraints,
-			         PRArenaPool         *arena,
-				 SECItem             ***dest,
-				 PRBool              permited)
-{
-    CERTNameConstraint  *current_constraint = constraints;
-    SECItem             **items = NULL;
-    int                 count = 0;
-    int                 i;
-    PRCList             *head;
-
-    PORT_Assert(arena);
-    /* TODO: mark arena */
-    if (constraints != NULL) {
-	count = 1;
-    }
-    head = &constraints->l;
-    while (current_constraint->l.next != head) {
-	current_constraint = CERT_GetNextNameConstraint(current_constraint);
-	++count;
-    }
-    current_constraint = CERT_GetNextNameConstraint(current_constraint);
-    items = PORT_ArenaZNewArray(arena, SECItem *, count + 1);
-    if (items == NULL) {
-	goto loser;
-    }
-    for (i = 0; i < count; i++) {
-	items[i] = cert_EncodeNameConstraint(current_constraint, 
-					     (SECItem *) NULL, arena);
-	if (items[i] == NULL) {
-	    goto loser;
-	}
-	current_constraint = CERT_GetNextNameConstraint(current_constraint);
-    }
-    *dest = items;
-    if (*dest == NULL) {
-	goto loser;
-    }
-    /* TODO: unmark arena */
-    return SECSuccess;
-loser:
-    /* TODO: release arena to mark */
-    return SECFailure;
-}
-
-SECStatus 
-cert_EncodeNameConstraints(CERTNameConstraints  *constraints,
-			   PRArenaPool          *arena,
-			   SECItem              *dest)
-{
-    SECStatus    rv = SECSuccess;
-
-    PORT_Assert(arena);
-    /* TODO: mark arena */
-    if (constraints->permited != NULL) {
-	rv = cert_EncodeNameConstraintSubTree(constraints->permited, arena,
-					      &constraints->DERPermited, 
-					      PR_TRUE);
-	if (rv == SECFailure) {
-	    goto loser;
-	}
-    }
-    if (constraints->excluded != NULL) {
-	rv = cert_EncodeNameConstraintSubTree(constraints->excluded, arena,
-					      &constraints->DERExcluded, 
-					      PR_FALSE);
-	if (rv == SECFailure) {
-	    goto loser;
-	}
-    }
-    dest = SEC_ASN1EncodeItem(arena, dest, constraints, 
-			      CERTNameConstraintsTemplate);
-    if (dest == NULL) {
-	goto loser;
-    }
-    /* TODO: unmark arena */
-    return SECSuccess;
-loser:
-    /* TODO: release arena to mark */
-    return SECFailure;
-}
-
-
-CERTNameConstraint *
-cert_DecodeNameConstraint(PRArenaPool       *arena,
-			  SECItem           *encodedConstraint)
-{
-    CERTNameConstraint     *constraint;
-    SECStatus              rv = SECSuccess;
-    CERTGeneralName        *temp;
-
-    PORT_Assert(arena);
-    /* TODO: mark arena */
-    constraint = PORT_ArenaZNew(arena, CERTNameConstraint);
-    if (!constraint)
-    	goto loser;
-    rv = SEC_ASN1DecodeItem(arena, constraint, CERTNameConstraintTemplate, 
-                            encodedConstraint);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-    temp = CERT_DecodeGeneralName(arena, &(constraint->DERName), 
-                                         &(constraint->name));
-    if (temp != &(constraint->name)) {
-	goto loser;
-    }
-
-    /* ### sjlee: since the name constraint contains only one 
-     *            CERTGeneralName, the list within CERTGeneralName shouldn't 
-     *            point anywhere else.  Otherwise, bad things will happen.
-     */
-    constraint->name.l.prev = constraint->name.l.next = &(constraint->name.l);
-    /* TODO: unmark arena */
-    return constraint;
-loser:
-    /* TODO: release arena back to mark */
-    return NULL;
-}
-
-CERTNameConstraint *
-cert_DecodeNameConstraintSubTree(PRArenaPool   *arena,
-				 SECItem       **subTree,
-				 PRBool        permited)
-{
-    CERTNameConstraint   *current = NULL;
-    CERTNameConstraint   *first = NULL;
-    CERTNameConstraint   *last = NULL;
-    int                  i = 0;
-
-    PORT_Assert(arena);
-    /* TODO: mark arena */
-    while (subTree[i] != NULL) {
-	current = cert_DecodeNameConstraint(arena, subTree[i]);
-	if (current == NULL) {
-	    goto loser;
-	}
-	if (last == NULL) {
-	    first = last = current;
-	}
-	current->l.prev = &(last->l);
-	current->l.next = last->l.next;
-	last->l.next = &(current->l);
-	i++;
-    }
-    first->l.prev = &(current->l);
-    /* TODO: unmark arena */
-    return first;
-loser:
-    /* TODO: release arena back to mark */
-    return NULL;
-}
-
-CERTNameConstraints *
-cert_DecodeNameConstraints(PRArenaPool   *arena,
-			   SECItem       *encodedConstraints)
-{
-    CERTNameConstraints   *constraints;
-    SECStatus             rv;
-
-    PORT_Assert(arena);
-    PORT_Assert(encodedConstraints);
-    /* TODO: mark arena */
-    constraints = PORT_ArenaZNew(arena, CERTNameConstraints);
-    if (constraints == NULL) {
-	goto loser;
-    }
-    rv = SEC_ASN1DecodeItem(arena, constraints, CERTNameConstraintsTemplate, 
-			    encodedConstraints);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-    if (constraints->DERPermited != NULL && 
-        constraints->DERPermited[0] != NULL) {
-	constraints->permited = 
-	    cert_DecodeNameConstraintSubTree(arena, constraints->DERPermited,
-					     PR_TRUE);
-	if (constraints->permited == NULL) {
-	    goto loser;
-	}
-    }
-    if (constraints->DERExcluded != NULL && 
-        constraints->DERExcluded[0] != NULL) {
-	constraints->excluded = 
-	    cert_DecodeNameConstraintSubTree(arena, constraints->DERExcluded,
-					     PR_FALSE);
-	if (constraints->excluded == NULL) {
-	    goto loser;
-	}
-    }
-    /* TODO: unmark arena */
-    return constraints;
-loser:
-    /* TODO: release arena back to mark */
-    return NULL;
-}
-
-/* Copy a chain of one or more general names to a destination chain.
-** Caller has allocated at least the first destination GeneralName struct. 
-** Both source and destination chains are circular doubly-linked lists.
-** The first source struct is copied to the first destination struct.
-** If the source chain has more than one member, and the destination chain 
-** has only one member, then this function allocates new structs for all but 
-** the first copy from the arena and links them into the destination list.  
-** If the destination struct is part of a list with more than one member,
-** then this function traverses both the source and destination lists,
-** copying each source struct to the corresponding dest struct.
-** In that case, the destination list MUST contain at least as many 
-** structs as the source list or some dest entries will be overwritten.
-*/
-SECStatus
-CERT_CopyGeneralName(PRArenaPool      *arena, 
-		     CERTGeneralName  *dest, 
-		     CERTGeneralName  *src)
-{
-    SECStatus rv;
-    CERTGeneralName *destHead = dest;
-    CERTGeneralName *srcHead = src;
-
-    PORT_Assert(dest != NULL);
-    if (!dest) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-    /* TODO: mark arena */
-    do {
-	rv = cert_CopyOneGeneralName(arena, dest, src);
-	if (rv != SECSuccess)
-	    goto loser;
-	src = CERT_GetNextGeneralName(src);
-	/* if there is only one general name, we shouldn't do this */
-	if (src != srcHead) {
-	    if (dest->l.next == &destHead->l) {
-		CERTGeneralName *temp;
-		temp = cert_NewGeneralName(arena, (CERTGeneralNameType)0);
-		if (!temp) 
-		    goto loser;
-		temp->l.next = &destHead->l;
-		temp->l.prev = &dest->l;
-		destHead->l.prev = &temp->l;
-		dest->l.next = &temp->l;
-		dest = temp;
-	    } else {
-		dest = CERT_GetNextGeneralName(dest);
-	    }
-	}
-    } while (src != srcHead && rv == SECSuccess);
-    /* TODO: unmark arena */
-    return rv;
-loser:
-    /* TODO: release back to mark */
-    return SECFailure;
-}
-
-
-CERTGeneralNameList *
-CERT_DupGeneralNameList(CERTGeneralNameList *list)
-{
-    if (list != NULL) {
-	PZ_Lock(list->lock);
-	list->refCount++;
-	PZ_Unlock(list->lock);
-    }
-    return list;
-}
-
-CERTNameConstraint *
-CERT_CopyNameConstraint(PRArenaPool         *arena, 
-			CERTNameConstraint  *dest, 
-			CERTNameConstraint  *src)
-{
-    SECStatus  rv;
-    
-    /* TODO: mark arena */
-    if (dest == NULL) {
-	dest = PORT_ArenaZNew(arena, CERTNameConstraint);
-	if (!dest)
-	    goto loser;
-	/* mark that it is not linked */
-	dest->name.l.prev = dest->name.l.next = &(dest->name.l);
-    }
-    rv = CERT_CopyGeneralName(arena, &dest->name, &src->name);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-    rv = SECITEM_CopyItem(arena, &dest->DERName, &src->DERName);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-    rv = SECITEM_CopyItem(arena, &dest->min, &src->min);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-    rv = SECITEM_CopyItem(arena, &dest->max, &src->max);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-    dest->l.prev = dest->l.next = &dest->l;
-    /* TODO: unmark arena */
-    return dest;
-loser:
-    /* TODO: release arena to mark */
-    return NULL;
-}
-
-
-CERTGeneralName *
-cert_CombineNamesLists(CERTGeneralName *list1, CERTGeneralName *list2)
-{
-    PRCList *begin1;
-    PRCList *begin2;
-    PRCList *end1;
-    PRCList *end2;
-
-    if (list1 == NULL){
-	return list2;
-    } else if (list2 == NULL) {
-	return list1;
-    } else {
-	begin1 = &list1->l;
-	begin2 = &list2->l;
-	end1 = list1->l.prev;
-	end2 = list2->l.prev;
-	end1->next = begin2;
-	end2->next = begin1;
-	begin1->prev = end2;
-	begin2->prev = end1;
-	return list1;
-    }
-}
-
-
-CERTNameConstraint *
-cert_CombineConstraintsLists(CERTNameConstraint *list1, CERTNameConstraint *list2)
-{
-    PRCList *begin1;
-    PRCList *begin2;
-    PRCList *end1;
-    PRCList *end2;
-
-    if (list1 == NULL){
-	return list2;
-    } else if (list2 == NULL) {
-	return list1;
-    } else {
-	begin1 = &list1->l;
-	begin2 = &list2->l;
-	end1 = list1->l.prev;
-	end2 = list2->l.prev;
-	end1->next = begin2;
-	end2->next = begin1;
-	begin1->prev = end2;
-	begin2->prev = end1;
-	return list1;
-    }
-}
-
-
-CERTNameConstraint *
-CERT_AddNameConstraint(CERTNameConstraint *list, 
-		       CERTNameConstraint *constraint)
-{
-    PORT_Assert(constraint != NULL);
-    constraint->l.next = constraint->l.prev = &constraint->l;
-    list = cert_CombineConstraintsLists(list, constraint);
-    return list;
-}
-
-
-SECStatus
-CERT_GetNameConstraintByType (CERTNameConstraint *constraints,
-			      CERTGeneralNameType type, 
-			      CERTNameConstraint **returnList,
-			      PRArenaPool *arena)
-{
-    CERTNameConstraint *current;
-    
-    *returnList = NULL;
-    if (!constraints)
-	return SECSuccess;
-    /* TODO: mark arena */
-    current = constraints;
-    do {
-	PORT_Assert(current->name.type);
-	if (current->name.type == type) {
-	    CERTNameConstraint *temp;
-	    temp = CERT_CopyNameConstraint(arena, NULL, current);
-	    if (temp == NULL) 
-		goto loser;
-	    *returnList = CERT_AddNameConstraint(*returnList, temp);
-	}
-	current = CERT_GetNextNameConstraint(current);
-    } while (current != constraints);
-    /* TODO: unmark arena */
-    return SECSuccess;
-loser:
-    /* TODO: release arena back to mark */
-    return SECFailure;
-}
-
-void *
-CERT_GetGeneralNameByType (CERTGeneralName *genNames,
-			   CERTGeneralNameType type, PRBool derFormat)
-{
-    CERTGeneralName *current;
-    
-    if (!genNames)
-	return NULL;
-    current = genNames;
-
-    do {
-	if (current->type == type) {
-	    switch (type) {
-	    case certDNSName:
-	    case certEDIPartyName:
-	    case certIPAddress:
-	    case certRegisterID:
-	    case certRFC822Name:
-	    case certX400Address:
-	    case certURI: 
-		return (void *)&current->name.other;           /* SECItem * */
-
-	    case certOtherName: 
-		return (void *)&current->name.OthName;         /* OthName * */
-
-	    case certDirectoryName: 
-		return derFormat 
-		       ? (void *)&current->derDirectoryName    /* SECItem * */
-		       : (void *)&current->name.directoryName; /* CERTName * */
-	    }
-	    PORT_Assert(0); 
-	    return NULL;
-	}
-	current = CERT_GetNextGeneralName(current);
-    } while (current != genNames);
-    return NULL;
-}
-
-int
-CERT_GetNamesLength(CERTGeneralName *names)
-{
-    int              length = 0;
-    CERTGeneralName  *first;
-
-    first = names;
-    if (names != NULL) {
-	do {
-	    length++;
-	    names = CERT_GetNextGeneralName(names);
-	} while (names != first);
-    }
-    return length;
-}
-
-/* Creates new GeneralNames for any email addresses found in the 
-** input DN, and links them onto the list for the DN.
-*/
-SECStatus
-cert_ExtractDNEmailAddrs(CERTGeneralName *name, PLArenaPool *arena)
-{
-    CERTGeneralName  *nameList = NULL;
-    const CERTRDN    **nRDNs   = name->name.directoryName.rdns;
-    SECStatus        rv        = SECSuccess;
-
-    PORT_Assert(name->type == certDirectoryName);
-    if (name->type != certDirectoryName) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    /* TODO: mark arena */
-    while (nRDNs && *nRDNs) { /* loop over RDNs */
-	const CERTRDN *nRDN = *nRDNs++;
-	CERTAVA **nAVAs = nRDN->avas;
-	while (nAVAs && *nAVAs) { /* loop over AVAs */
-	    int tag;
-	    CERTAVA *nAVA = *nAVAs++;
-	    tag = CERT_GetAVATag(nAVA);
-	    if ( tag == SEC_OID_PKCS9_EMAIL_ADDRESS ||
-		 tag == SEC_OID_RFC1274_MAIL) { /* email AVA */
-		CERTGeneralName *newName = NULL;
-		SECItem *avaValue = CERT_DecodeAVAValue(&nAVA->value);
-		if (!avaValue)
-		    goto loser;
-		rv = SECFailure;
-                newName = cert_NewGeneralName(arena, certRFC822Name);
-		if (newName) {
-		   rv = SECITEM_CopyItem(arena, &newName->name.other, avaValue);
-		}
-		SECITEM_FreeItem(avaValue, PR_TRUE);
-		if (rv != SECSuccess)
-		    goto loser;
-		nameList = cert_CombineNamesLists(nameList, newName);
-	    } /* handle one email AVA */
-	} /* loop over AVAs */
-    } /* loop over RDNs */
-    /* combine new names with old one. */
-    name = cert_CombineNamesLists(name, nameList);
-    /* TODO: unmark arena */
-    return SECSuccess;
-
-loser:
-    /* TODO: release arena back to mark */
-    return SECFailure;
-}
-
-/* This function is called by CERT_VerifyCertChain to extract all
-** names from a cert in preparation for a name constraints test.
-*/
-CERTGeneralName *
-CERT_GetCertificateNames(CERTCertificate *cert, PRArenaPool *arena)
-{
-    CERTGeneralName  *DN;
-    CERTGeneralName  *altName         = NULL;
-    SECItem          altNameExtension = {siBuffer, NULL, 0 };
-    SECStatus        rv;
-
-    /* TODO: mark arena */
-    DN = cert_NewGeneralName(arena, certDirectoryName);
-    if (DN == NULL) {
-	goto loser;
-    }
-    rv = CERT_CopyName(arena, &DN->name.directoryName, &cert->subject);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-    rv = SECITEM_CopyItem(arena, &DN->derDirectoryName, &cert->derSubject);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-    /* Extract email addresses from DN, construct CERTGeneralName structs 
-    ** for them, add them to the name list 
-    */
-    rv = cert_ExtractDNEmailAddrs(DN, arena);
-    if (rv != SECSuccess)
-        goto loser;
-
-    /* Now extract any GeneralNames from the subject name names extension. */
-    rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, 
-				&altNameExtension);
-    if (rv == SECSuccess) {
-	altName = CERT_DecodeAltNameExtension(arena, &altNameExtension);
-	rv = altName ? SECSuccess : SECFailure;
-    }
-    if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND)
-	rv = SECSuccess;
-    if (altNameExtension.data)
-	SECITEM_FreeItem(&altNameExtension, PR_FALSE);
-    if (rv != SECSuccess)
-        goto loser;
-    DN = cert_CombineNamesLists(DN, altName);
-
-    /* TODO: unmark arena */
-    return DN;
-loser:
-    /* TODO: release arena to mark */
-    return NULL;
-}
-
-/* Returns SECSuccess if name matches constraint per RFC 3280 rules for 
-** URI name constraints.  SECFailure otherwise.
-** If the constraint begins with a dot, it is a domain name, otherwise
-** It is a host name.  Examples:
-**  Constraint            Name             Result
-** ------------      ---------------      --------
-**  foo.bar.com          foo.bar.com      matches
-**  foo.bar.com          FoO.bAr.CoM      matches
-**  foo.bar.com      www.foo.bar.com      no match
-**  foo.bar.com        nofoo.bar.com      no match
-** .foo.bar.com      www.foo.bar.com      matches
-** .foo.bar.com        nofoo.bar.com      no match
-** .foo.bar.com          foo.bar.com      no match
-** .foo.bar.com     www..foo.bar.com      no match
-*/
-static SECStatus
-compareURIN2C(const SECItem *name, const SECItem *constraint)
-{
-    int offset;
-    /* The spec is silent on intepreting zero-length constraints.
-    ** We interpret them as matching no URI names.
-    */
-    if (!constraint->len)
-        return SECFailure;
-    if (constraint->data[0] != '.') { 
-    	/* constraint is a host name. */
-    	if (name->len != constraint->len ||
-	    PL_strncasecmp(name->data, constraint->data, constraint->len))
-	    return SECFailure;
-    	return SECSuccess;
-    }
-    /* constraint is a domain name. */
-    if (name->len < constraint->len)
-        return SECFailure;
-    offset = name->len - constraint->len;
-    if (PL_strncasecmp(name->data + offset, constraint->data, constraint->len))
-        return SECFailure;
-    if (!offset || 
-        (name->data[offset - 1] == '.') + (constraint->data[0] == '.') == 1)
-	return SECSuccess;
-    return SECFailure;
-}
-
-/* for DNSname constraints, RFC 3280 says, (section 4.2.1.11, page 38)
-**
-** DNS name restrictions are expressed as foo.bar.com.  Any DNS name
-** that can be constructed by simply adding to the left hand side of the
-** name satisfies the name constraint.  For example, www.foo.bar.com
-** would satisfy the constraint but foo1.bar.com would not.
-**
-** But NIST's PKITS test suite requires that the constraint be treated
-** as a domain name, and requires that any name added to the left hand
-** side end in a dot ".".  Sensible, but not strictly following the RFC.
-**
-**  Constraint            Name            RFC 3280  NIST PKITS
-** ------------      ---------------      --------  ----------
-**  foo.bar.com          foo.bar.com      matches    matches
-**  foo.bar.com          FoO.bAr.CoM      matches    matches
-**  foo.bar.com      www.foo.bar.com      matches    matches
-**  foo.bar.com        nofoo.bar.com      MATCHES    NO MATCH
-** .foo.bar.com      www.foo.bar.com      matches    matches? disallowed?
-** .foo.bar.com          foo.bar.com      no match   no match
-** .foo.bar.com     www..foo.bar.com      matches    probably not 
-**
-** We will try to conform to NIST's PKITS tests, and the unstated 
-** rules they imply.
-*/
-static SECStatus
-compareDNSN2C(const SECItem *name, const SECItem *constraint)
-{
-    int offset;
-    /* The spec is silent on intepreting zero-length constraints.
-    ** We interpret them as matching all DNSnames.
-    */
-    if (!constraint->len)
-        return SECSuccess;
-    if (name->len < constraint->len)
-        return SECFailure;
-    offset = name->len - constraint->len;
-    if (PL_strncasecmp(name->data + offset, constraint->data, constraint->len))
-        return SECFailure;
-    if (!offset || 
-        (name->data[offset - 1] == '.') + (constraint->data[0] == '.') == 1)
-	return SECSuccess;
-    return SECFailure;
-}
-
-/* Returns SECSuccess if name matches constraint per RFC 3280 rules for
-** internet email addresses.  SECFailure otherwise.
-** If constraint contains a '@' then the two strings much match exactly.
-** Else if constraint starts with a '.'. then it must match the right-most
-** substring of the name, 
-** else constraint string must match entire name after the name's '@'.
-** Empty constraint string matches all names. All comparisons case insensitive.
-*/
-static SECStatus
-compareRFC822N2C(const SECItem *name, const SECItem *constraint)
-{
-    int offset;
-    if (!constraint->len)
-        return SECSuccess;
-    if (name->len < constraint->len)
-        return SECFailure;
-    if (constraint->len == 1 && constraint->data[0] == '.')
-        return SECSuccess;
-    for (offset = constraint->len - 1; offset >= 0; --offset) {
-    	if (constraint->data[offset] == '@') {
-	    return (name->len == constraint->len && 
-	        !PL_strncasecmp(name->data, constraint->data, constraint->len))
-		? SECSuccess : SECFailure;
-	}
-    }
-    offset = name->len - constraint->len;
-    if (PL_strncasecmp(name->data + offset, constraint->data, constraint->len))
-        return SECFailure;
-    if (constraint->data[0] == '.')
-        return SECSuccess;
-    if (offset > 0 && name->data[offset - 1] == '@')
-        return SECSuccess;
-    return SECFailure;
-}
-
-/* name contains either a 4 byte IPv4 address or a 16 byte IPv6 address.
-** constraint contains an address of the same length, and a subnet mask
-** of the same length.  Compare name's address to the constraint's 
-** address, subject to the mask.
-** Return SECSuccess if they match, SECFailure if they don't. 
-*/
-static SECStatus
-compareIPaddrN2C(const SECItem *name, const SECItem *constraint)
-{
-    int i;
-    if (name->len == 4 && constraint->len == 8) { /* ipv4 addr */
-        for (i = 0; i < 4; i++) {
-	    if ((name->data[i] ^ constraint->data[i]) & constraint->data[i+4])
-	        goto loser;
-	}
-	return SECSuccess;
-    }
-    if (name->len == 16 && constraint->len == 32) { /* ipv6 addr */
-        for (i = 0; i < 16; i++) {
-	    if ((name->data[i] ^ constraint->data[i]) & constraint->data[i+16])
-	        goto loser;
-	}
-	return SECSuccess;
-    }
-loser:
-    return SECFailure;
-}
-
-/* start with a SECItem that points to a URI.  Parse it lookingg for 
-** a hostname.  Modify item->data and item->len to define the hostname,
-** but do not modify and data at item->data.  
-** If anything goes wrong, the contents of *item are undefined.
-*/
-static SECStatus
-parseUriHostname(SECItem * item)
-{
-    int i;
-    PRBool found = PR_FALSE;
-    for (i = 0; (unsigned)(i+2) < item->len; ++i) {
-	if (item->data[i  ] == ':' &&
-	    item->data[i+1] == '/' &&
-	    item->data[i+2] == '/') {
-	    i += 3;
-	    item->data += i;
-	    item->len  -= i;
-	    found = PR_TRUE;
-	    break;
-	}
-    }
-    if (!found) 
-        return SECFailure;
-    /* now look for a '/', which is an upper bound in the end of the name */
-    for (i = 0; (unsigned)i < item->len; ++i) {
-	if (item->data[i] == '/') {
-	    item->len = i;
-	    break;
-	}
-    }
-    /* now look for a ':', which marks the end of the name */
-    for (i = item->len; --i >= 0; ) {
-        if (item->data[i] == ':') {
-	    item->len = i;
-	    break;
-	}
-    }
-    /* now look for an '@', which marks the beginning of the hostname */
-    for (i = 0; (unsigned)i < item->len; ++i) {
-	if (item->data[i] == '@') {
-	    ++i;
-	    item->data += i;
-	    item->len  -= i;
-	    break;
-	}
-    }
-    return item->len ? SECSuccess : SECFailure;
-}
-
-/* This function takes one name, and a list of constraints.
-** It searches the constraints looking for a match.
-** It returns SECSuccess if the name satisfies the constraints, i.e.,
-** if excluded, then the name does not match any constraint, 
-** if permitted, then the name matches at least one constraint.
-** It returns SECFailure if the name fails to satisfy the constraints,
-** or if some code fails (e.g. out of memory, or invalid constraint)
-*/
-static SECStatus
-cert_CompareNameWithConstraints(CERTGeneralName     *name, 
-				CERTNameConstraint  *constraints,
-				PRBool              excluded)
-{
-    SECStatus           rv     = SECSuccess;
-    SECStatus           matched = SECFailure;
-    CERTNameConstraint  *current;
-
-    PORT_Assert(constraints);  /* caller should not call with NULL */
-    if (!constraints) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    current = constraints;
-    do {
-	rv = SECSuccess;
-	matched = SECFailure;
-	PORT_Assert(name->type == current->name.type);
-	switch (name->type) {
-
-	case certDNSName:
-	    matched = compareDNSN2C(&name->name.other, 
-	                            &current->name.name.other);
-	    break;
-
-	case certRFC822Name:
-	    matched = compareRFC822N2C(&name->name.other, 
-	                               &current->name.name.other);
-	    break;
-
-	case certURI:
-	    {
-		/* make a modifiable copy of the URI SECItem. */
-		SECItem uri = name->name.other;
-		/* find the hostname in the URI */
-		rv = parseUriHostname(&uri);
-		if (rv == SECSuccess) {
-		    /* does our hostname meet the constraint? */
-		    matched = compareURIN2C(&uri, &current->name.name.other);
-		}
-	    }
-	    break;
-
-	case certDirectoryName:
-	    /* Determine if the constraint directory name is a "prefix"
-	    ** for the directory name being tested. 
-	    */
-	  {
-	    /* status defaults to SECEqual, so that a constraint with 
-	    ** no AVAs will be a wildcard, matching all directory names.
-	    */
-	    SECComparison   status = SECEqual;
-	    const CERTRDN **cRDNs = current->name.name.directoryName.rdns;  
-	    const CERTRDN **nRDNs = name->name.directoryName.rdns;
-	    while (cRDNs && *cRDNs && nRDNs && *nRDNs) { 
-		/* loop over name RDNs and constraint RDNs in lock step */
-		const CERTRDN *cRDN = *cRDNs++;
-		const CERTRDN *nRDN = *nRDNs++;
-		CERTAVA **cAVAs = cRDN->avas;
-		while (cAVAs && *cAVAs) { /* loop over constraint AVAs */
-		    CERTAVA *cAVA = *cAVAs++;
-		    CERTAVA **nAVAs = nRDN->avas;
-		    while (nAVAs && *nAVAs) { /* loop over name AVAs */
-			CERTAVA *nAVA = *nAVAs++;
-			status = CERT_CompareAVA(cAVA, nAVA);
-			if (status == SECEqual) 
-			    break;
-		    } /* loop over name AVAs */
-		    if (status != SECEqual) 
-			break;
-		} /* loop over constraint AVAs */
-		if (status != SECEqual) 
-		    break;
-	    } /* loop over name RDNs and constraint RDNs */
-	    matched = (status == SECEqual) ? SECSuccess : SECFailure;
-	    break;
-	  }
-
-	case certIPAddress:	/* type 8 */
-	    matched = compareIPaddrN2C(&name->name.other, 
-	                               &current->name.name.other);
-	    break;
-
-	/* NSS does not know how to compare these "Other" type names with 
-	** their respective constraints.  But it does know how to tell
-	** if the constraint applies to the type of name (by comparing
-	** the constraint OID to the name OID).  NSS makes no use of "Other"
-	** type names at all, so NSS errs on the side of leniency for these 
-	** types, provided that their OIDs match.  So, when an "Other"
-	** name constraint appears in an excluded subtree, it never causes
-	** a name to fail.  When an "Other" name constraint appears in a
-	** permitted subtree, AND the constraint's OID matches the name's
-	** OID, then name is treated as if it matches the constraint.
-	*/
-	case certOtherName:	/* type 1 */
-	    matched = (!excluded &&
-		       name->type == current->name.type &&
-		       SECITEM_ItemsAreEqual(&name->name.OthName.oid,
-					     &current->name.name.OthName.oid))
-		 ? SECSuccess : SECFailure;
-	    break;
-
-	/* NSS does not know how to compare these types of names with their
-	** respective constraints.  But NSS makes no use of these types of 
-	** names at all, so it errs on the side of leniency for these types.
-	** Constraints for these types of names never cause the name to 
-	** fail the constraints test.  NSS behaves as if the name matched
-	** for permitted constraints, and did not match for excluded ones.
-	*/
-	case certX400Address:	/* type 4 */
-	case certEDIPartyName:  /* type 6 */
-	case certRegisterID:	/* type 9 */
-	    matched = excluded ? SECFailure : SECSuccess;
-	    break;
-
-	default: /* non-standard types are not supported */
-	    rv = SECFailure;
-	    break;
-	}
-	if (matched == SECSuccess || rv != SECSuccess)
-	    break;
-	current = CERT_GetNextNameConstraint(current);
-    } while (current != constraints);
-    if (rv == SECSuccess) {
-        if (matched == SECSuccess) 
-	    rv = excluded ? SECFailure : SECSuccess;
-	else
-	    rv = excluded ? SECSuccess : SECFailure;
-	return rv;
-    }
-
-    return SECFailure;
-}
-
-/* Extract the name constraints extension from the CA cert.
-** Test each and every name in namesList against all the constraints
-** relevant to that type of name.
-** Returns NULL for success, all names are acceptable.
-** If some name is not acceptable, returns a pointer to the cert that
-** contained that name.
-*/
-SECStatus
-CERT_CompareNameSpace(CERTCertificate  *cert,
-		      CERTGeneralName  *namesList,
- 		      CERTCertificate **certsList,
- 		      PRArenaPool      *arena,
- 		      CERTCertificate **pBadCert)
-{
-    SECStatus            rv;
-    SECItem              constraintsExtension;
-    CERTNameConstraints  *constraints;
-    CERTGeneralName      *currentName;
-    int                  count = 0;
-    CERTNameConstraint  *matchingConstraints;
-    CERTCertificate      *badCert = NULL;
-    
-    constraintsExtension.data = NULL;
-    rv = CERT_FindCertExtension(cert, SEC_OID_X509_NAME_CONSTRAINTS, 
-                                &constraintsExtension);
-    if (rv != SECSuccess) {
-	if (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) {
-	    rv = SECSuccess;
-	} else {
-	    count = -1;
-	}
-	goto done;
-    }
-    /* TODO: mark arena */
-    constraints = cert_DecodeNameConstraints(arena, &constraintsExtension);
-    PORT_Free(constraintsExtension.data);
-    currentName = namesList;
-    if (constraints == NULL) { /* decode failed */
-	rv = SECFailure;
-    	count = -1;
-	goto done;
-    } 
-    do {
- 	if (constraints->excluded != NULL) {
- 	    rv = CERT_GetNameConstraintByType(constraints->excluded, 
-	                                      currentName->type, 
- 					      &matchingConstraints, arena);
- 	    if (rv == SECSuccess && matchingConstraints != NULL) {
- 		rv = cert_CompareNameWithConstraints(currentName, 
-		                                     matchingConstraints,
- 						     PR_TRUE);
- 	    }
-	    if (rv != SECSuccess) 
-		break;
- 	}
- 	if (constraints->permited != NULL) {
- 	    rv = CERT_GetNameConstraintByType(constraints->permited, 
-	                                      currentName->type, 
- 					      &matchingConstraints, arena);
-            if (rv == SECSuccess && matchingConstraints != NULL) {
- 		rv = cert_CompareNameWithConstraints(currentName, 
-		                                     matchingConstraints,
- 						     PR_FALSE);
- 	    }
-	    if (rv != SECSuccess) 
-		break;
- 	}
- 	currentName = CERT_GetNextGeneralName(currentName);
- 	count ++;
-    } while (currentName != namesList);
-done:
-    if (rv != SECSuccess) {
-	badCert = (count >= 0) ? certsList[count] : cert;
-    }
-    if (pBadCert)
-	*pBadCert = badCert;
-    /* TODO: release back to mark */
-    return rv;
-}
-
-/* Search the cert for an X509_SUBJECT_ALT_NAME extension.
-** ASN1 Decode it into a list of alternate names.
-** Search the list of alternate names for one with the NETSCAPE_NICKNAME OID.
-** ASN1 Decode that name.  Turn the result into a zString.  
-** Look for duplicate nickname already in the certdb. 
-** If one is found, create a nickname string that is not a duplicate.
-*/
-char *
-CERT_GetNickName(CERTCertificate   *cert,
- 		 CERTCertDBHandle  *handle,
-		 PRArenaPool      *nicknameArena)
-{ 
-    CERTGeneralName  *current;
-    CERTGeneralName  *names;
-    char             *nickname   = NULL;
-    char             *returnName = NULL;
-    char             *basename   = NULL;
-    PRArenaPool      *arena      = NULL;
-    CERTCertificate  *tmpcert;
-    SECStatus        rv;
-    int              count;
-    int              found = 0;
-    SECItem          altNameExtension;
-    SECItem          nick;
-
-    if (handle == NULL) {
-	handle = CERT_GetDefaultCertDB();
-    }
-    altNameExtension.data = NULL;
-    rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, 
-				&altNameExtension);
-    if (rv != SECSuccess) { 
-	goto loser; 
-    }
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) {
-	goto loser;
-    }
-    names = CERT_DecodeAltNameExtension(arena, &altNameExtension);
-    if (names == NULL) {
-	goto loser;
-    } 
-    current = names;
-    do {
-	if (current->type == certOtherName && 
-	    SECOID_FindOIDTag(&current->name.OthName.oid) == 
-	      SEC_OID_NETSCAPE_NICKNAME) {
-	    found = 1;
-	    break;
-	}
-	current = CERT_GetNextGeneralName(current);
-    } while (current != names);
-    if (!found)
-    	goto loser;
-
-    rv = SEC_ASN1DecodeItem(arena, &nick, SEC_IA5StringTemplate, 
-			    &current->name.OthName.name);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-
-    /* make a null terminated string out of nick, with room enough at
-    ** the end to add on a number of up to 21 digits in length, (a signed
-    ** 64-bit number in decimal) plus a space and a "#". 
-    */
-    nickname = (char*)PORT_ZAlloc(nick.len + 24);
-    if (!nickname) 
-	goto loser;
-    PORT_Strncpy(nickname, (char *)nick.data, nick.len);
-
-    /* Don't let this cert's nickname duplicate one already in the DB.
-    ** If it does, create a variant of the nickname that doesn't.
-    */
-    count = 0;
-    while ((tmpcert = CERT_FindCertByNickname(handle, nickname)) != NULL) {
-	CERT_DestroyCertificate(tmpcert);
-	if (!basename) {
-	    basename = PORT_Strdup(nickname);
-	    if (!basename)
-		goto loser;
-	}
-	count++;
-	sprintf(nickname, "%s #%d", basename, count);
-    }
-
-    /* success */
-    if (nicknameArena) {
-	returnName =  PORT_ArenaStrdup(nicknameArena, nickname);
-    } else {
-	returnName = nickname;
-	nickname = NULL;
-    }
-loser:
-    if (arena != NULL) 
-	PORT_FreeArena(arena, PR_FALSE);
-    if (nickname)
-	PORT_Free(nickname);
-    if (basename)
-	PORT_Free(basename);
-    if (altNameExtension.data)
-    	PORT_Free(altNameExtension.data);
-    return returnName;
-}
-
-#if 0
-/* not exported from shared libs, not used.  Turn on if we ever need it. */
-SECStatus
-CERT_CompareGeneralName(CERTGeneralName *a, CERTGeneralName *b)
-{
-    CERTGeneralName *currentA;
-    CERTGeneralName *currentB;
-    PRBool found;
-
-    currentA = a;
-    currentB = b;
-    if (a != NULL) {
-	do { 
-	    if (currentB == NULL) {
-		return SECFailure;
-	    }
-	    currentB = CERT_GetNextGeneralName(currentB);
-	    currentA = CERT_GetNextGeneralName(currentA);
-	} while (currentA != a);
-    }
-    if (currentB != b) {
-	return SECFailure;
-    }
-    currentA = a;
-    do {
-	currentB = b;
-	found = PR_FALSE;
-	do {
-	    if (currentB->type == currentA->type) {
-		switch (currentB->type) {
-		  case certDNSName:
-		  case certEDIPartyName:
-		  case certIPAddress:
-		  case certRegisterID:
-		  case certRFC822Name:
-		  case certX400Address:
-		  case certURI:
-		    if (SECITEM_CompareItem(&currentA->name.other,
-					    &currentB->name.other) 
-			== SECEqual) {
-			found = PR_TRUE;
-		    }
-		    break;
-		  case certOtherName:
-		    if (SECITEM_CompareItem(&currentA->name.OthName.oid,
-					    &currentB->name.OthName.oid) 
-			== SECEqual &&
-			SECITEM_CompareItem(&currentA->name.OthName.name,
-					    &currentB->name.OthName.name)
-			== SECEqual) {
-			found = PR_TRUE;
-		    }
-		    break;
-		  case certDirectoryName:
-		    if (CERT_CompareName(&currentA->name.directoryName,
-					 &currentB->name.directoryName)
-			== SECEqual) {
-			found = PR_TRUE;
-		    }
-		}
-		    
-	    }
-	    currentB = CERT_GetNextGeneralName(currentB);
-	} while (currentB != b && found != PR_TRUE);
-	if (found != PR_TRUE) {
-	    return SECFailure;
-	}
-	currentA = CERT_GetNextGeneralName(currentA);
-    } while (currentA != a);
-    return SECSuccess;
-}
-
-SECStatus
-CERT_CompareGeneralNameLists(CERTGeneralNameList *a, CERTGeneralNameList *b)
-{
-    SECStatus rv;
-
-    if (a == b) {
-	return SECSuccess;
-    }
-    if (a != NULL && b != NULL) {
-	PZ_Lock(a->lock);
-	PZ_Lock(b->lock);
-	rv = CERT_CompareGeneralName(a->name, b->name);
-	PZ_Unlock(a->lock);
-	PZ_Unlock(b->lock);
-    } else {
-	rv = SECFailure;
-    }
-    return rv;
-}
-#endif
-
-#if 0
-/* This function is not exported from NSS shared libraries, and is not
-** used inside of NSS.
-** XXX it doesn't check for failed allocations. :-(
-*/
-void *
-CERT_GetGeneralNameFromListByType(CERTGeneralNameList *list,
-				  CERTGeneralNameType type,
-				  PRArenaPool *arena)
-{
-    CERTName *name = NULL; 
-    SECItem *item = NULL;
-    OtherName *other = NULL;
-    OtherName *tmpOther = NULL;
-    void *data;
-
-    PZ_Lock(list->lock);
-    data = CERT_GetGeneralNameByType(list->name, type, PR_FALSE);
-    if (data != NULL) {
-	switch (type) {
-	  case certDNSName:
-	  case certEDIPartyName:
-	  case certIPAddress:
-	  case certRegisterID:
-	  case certRFC822Name:
-	  case certX400Address:
-	  case certURI:
-	    if (arena != NULL) {
-		item = PORT_ArenaNew(arena, SECItem);
-		if (item != NULL) {
-XXX		    SECITEM_CopyItem(arena, item, (SECItem *) data);
-		}
-	    } else { 
-		item = SECITEM_DupItem((SECItem *) data);
-	    }
-	    PZ_Unlock(list->lock);
-	    return item;
-	  case certOtherName:
-	    other = (OtherName *) data;
-	    if (arena != NULL) {
-		tmpOther = PORT_ArenaNew(arena, OtherName);
-	    } else {
-		tmpOther = PORT_New(OtherName);
-	    }
-	    if (tmpOther != NULL) {
-XXX		SECITEM_CopyItem(arena, &tmpOther->oid, &other->oid);
-XXX		SECITEM_CopyItem(arena, &tmpOther->name, &other->name);
-	    }
-	    PZ_Unlock(list->lock);
-	    return tmpOther;
-	  case certDirectoryName:
-	    if (arena) {
-		name = PORT_ArenaZNew(list->arena, CERTName);
-		if (name) {
-XXX		    CERT_CopyName(arena, name, (CERTName *) data);
-		}
-	    }
-	    PZ_Unlock(list->lock);
-	    return name;
-	}
-    }
-    PZ_Unlock(list->lock);
-    return NULL;
-}
-#endif
-
-#if 0
-/* This function is not exported from NSS shared libraries, and is not
-** used inside of NSS.
-** XXX it should NOT be a void function, since it does allocations
-** that can fail.
-*/
-void
-CERT_AddGeneralNameToList(CERTGeneralNameList *list, 
-			  CERTGeneralNameType type,
-			  void *data, SECItem *oid)
-{
-    CERTGeneralName *name;
-
-    if (list != NULL && data != NULL) {
-	PZ_Lock(list->lock);
-	name = cert_NewGeneralName(list->arena, type);
-	if (!name)
-	    goto done;
-	switch (type) {
-	  case certDNSName:
-	  case certEDIPartyName:
-	  case certIPAddress:
-	  case certRegisterID:
-	  case certRFC822Name:
-	  case certX400Address:
-	  case certURI:
-XXX	    SECITEM_CopyItem(list->arena, &name->name.other, (SECItem *)data);
-	    break;
-	  case certOtherName:
-XXX	    SECITEM_CopyItem(list->arena, &name->name.OthName.name,
-			     (SECItem *) data);
-XXX	    SECITEM_CopyItem(list->arena, &name->name.OthName.oid,
-			     oid);
-	    break;
-	  case certDirectoryName:
-XXX	    CERT_CopyName(list->arena, &name->name.directoryName,
-			  (CERTName *) data);
-	    break;
-	}
-	list->name = cert_CombineNamesLists(list->name, name);
-	list->len++;
-done:
-	PZ_Unlock(list->lock);
-    }
-    return;
-}
-#endif
diff --git a/security/nss/lib/certdb/genname.h b/security/nss/lib/certdb/genname.h
deleted file mode 100644
index 71507a2f2..000000000
--- a/security/nss/lib/certdb/genname.h
+++ /dev/null
@@ -1,138 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef _GENAME_H_
-#define _GENAME_H_
-
-#include "plarena.h"
-#include "seccomon.h"
-#include "secoidt.h"
-#include "secasn1.h"
-#include "secder.h"
-#include "certt.h"
-
-/************************************************************************/
-SEC_BEGIN_PROTOS
-
-extern const SEC_ASN1Template CERT_GeneralNamesTemplate[];
-
-extern SECItem **
-cert_EncodeGeneralNames(PRArenaPool *arena, CERTGeneralName *names);
-
-extern CERTGeneralName *
-cert_DecodeGeneralNames(PRArenaPool *arena, SECItem **encodedGenName);
-
-extern SECStatus
-cert_DestroyGeneralNames(CERTGeneralName *name);
-
-extern SECStatus 
-cert_EncodeNameConstraints(CERTNameConstraints *constraints, PRArenaPool *arena,
-			   SECItem *dest);
-
-extern CERTNameConstraints *
-cert_DecodeNameConstraints(PRArenaPool *arena, SECItem *encodedConstraints);
-
-extern CERTGeneralName *
-cert_CombineNamesLists(CERTGeneralName *list1, CERTGeneralName *list2);
-
-extern CERTNameConstraint *
-cert_CombineConstraintsLists(CERTNameConstraint *list1, CERTNameConstraint *list2);
-
-/*********************************************************************/
-/* A thread safe implementation of General Names                     */
-/*********************************************************************/
-
-/* Destroy a Single CERTGeneralName */
-void
-CERT_DestroyGeneralName(CERTGeneralName *name);
-
-SECStatus
-CERT_CompareGeneralName(CERTGeneralName *a, CERTGeneralName *b);
-
-SECStatus
-CERT_CopyGeneralName(PRArenaPool      *arena, 
-		     CERTGeneralName  *dest, 
-		     CERTGeneralName  *src);
-
-/* General Name Lists are a thread safe, reference counting layer to 
- * general names */
-
-/* Destroys a CERTGeneralNameList */
-void
-CERT_DestroyGeneralNameList(CERTGeneralNameList *list);
-
-/* Creates a CERTGeneralNameList */
-CERTGeneralNameList *
-CERT_CreateGeneralNameList(CERTGeneralName *name);
-
-/* Compares two CERTGeneralNameList */
-SECStatus
-CERT_CompareGeneralNameLists(CERTGeneralNameList *a, CERTGeneralNameList *b);
-
-/* returns a copy of the first name of the type requested */
-void *
-CERT_GetGeneralNameFromListByType(CERTGeneralNameList *list,
-				  CERTGeneralNameType type,
-				  PRArenaPool *arena);
-
-/* Adds a name to the tail of the list */
-void
-CERT_AddGeneralNameToList(CERTGeneralNameList *list, 
-			  CERTGeneralNameType type,
-			  void *data, SECItem *oid);
-
-/* returns a duplicate of the CERTGeneralNameList */
-CERTGeneralNameList *
-CERT_DupGeneralNameList(CERTGeneralNameList *list);
-
-/* returns the number of CERTGeneralName objects in the  doubly linked
-** list of which *names is a member.
-*/
-extern int
-CERT_GetNamesLength(CERTGeneralName *names);
-
-/************************************************************************/
-
-SECStatus
-CERT_CompareNameSpace(CERTCertificate  *cert,
-		      CERTGeneralName  *namesList,
- 		      CERTCertificate **certsList,
- 		      PRArenaPool      *arena,
- 		      CERTCertificate **pBadCert);
-
-SEC_END_PROTOS
-
-#endif
diff --git a/security/nss/lib/certdb/manifest.mn b/security/nss/lib/certdb/manifest.mn
deleted file mode 100644
index f56f13c3b..000000000
--- a/security/nss/lib/certdb/manifest.mn
+++ /dev/null
@@ -1,72 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-CORE_DEPTH = ../../..
-
-EXPORTS = \
-	cert.h \
-	certt.h \
-	certdb.h \
-	$(NULL)
-
-PRIVATE_EXPORTS = \
-	genname.h \
-	xconst.h \
-	certxutl.h \
-	certi.h \
-	$(NULL)
-
-MODULE = nss
-
-CSRCS = \
-	alg1485.c \
-	certdb.c \
-	certv3.c \
-	certxutl.c \
-	crl.c \
-	genname.c \
-	stanpcertdb.c \
-	polcyxtn.c \
-	secname.c \
-	xauthkid.c \
-	xbsconst.c \
-	xconst.c \
-	$(NULL)
-
-REQUIRES = dbm
-
-LIBRARY_NAME = certdb
-
diff --git a/security/nss/lib/certdb/polcyxtn.c b/security/nss/lib/certdb/polcyxtn.c
deleted file mode 100644
index 58b95b380..000000000
--- a/security/nss/lib/certdb/polcyxtn.c
+++ /dev/null
@@ -1,568 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Support for various policy related extensions
- *
- * $Id$
- */
-
-#include "seccomon.h"
-#include "secport.h"
-#include "secder.h"
-#include "cert.h"
-#include "secoid.h"
-#include "secasn1.h"
-#include "secerr.h"
-#include "nspr.h"
-
-const SEC_ASN1Template CERT_NoticeReferenceTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTNoticeReference) },
-/* NOTE: this should be a choice */
-    { SEC_ASN1_IA5_STRING,
-	  offsetof(CERTNoticeReference, organization) },
-    { SEC_ASN1_SEQUENCE_OF,
-	  offsetof(CERTNoticeReference, noticeNumbers),
-	  SEC_IntegerTemplate }, 
-    { 0 }
-};
-
-/* this template can not be encoded because of the option inline */
-const SEC_ASN1Template CERT_UserNoticeTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTUserNotice) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE | SEC_ASN1_CONSTRUCTED,
-	  offsetof(CERTUserNotice, derNoticeReference) }, 
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
-	  offsetof(CERTUserNotice, displayText) }, 
-    { 0 }
-};
-
-const SEC_ASN1Template CERT_PolicyQualifierTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTPolicyQualifier) },
-    { SEC_ASN1_OBJECT_ID,
-	  offsetof(CERTPolicyQualifier, qualifierID) },
-    { SEC_ASN1_ANY,
-	  offsetof(CERTPolicyQualifier, qualifierValue) },
-    { 0 }
-};
-
-const SEC_ASN1Template CERT_PolicyInfoTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTPolicyInfo) },
-    { SEC_ASN1_OBJECT_ID,
-	  offsetof(CERTPolicyInfo, policyID) },
-    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_OPTIONAL,
-	  offsetof(CERTPolicyInfo, policyQualifiers),
-	  CERT_PolicyQualifierTemplate },
-    { 0 }
-};
-
-const SEC_ASN1Template CERT_CertificatePoliciesTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF,
-	  offsetof(CERTCertificatePolicies, policyInfos),
-	  CERT_PolicyInfoTemplate, sizeof(CERTCertificatePolicies)  }
-};
-
-static void
-breakLines(char *string)
-{
-    char *tmpstr;
-    char *lastspace = NULL;
-    int curlen = 0;
-    int c;
-    
-    tmpstr = string;
-
-    while ( ( c = *tmpstr ) != '\0' ) {
-	switch ( c ) {
-	  case ' ':
-	    lastspace = tmpstr;
-	    break;
-	  case '\n':
-	    lastspace = NULL;
-	    curlen = 0;
-	    break;
-	}
-	
-	if ( ( curlen >= 55 ) && ( lastspace != NULL ) ) {
-	    *lastspace = '\n';
-	    curlen = ( tmpstr - lastspace );
-	    lastspace = NULL;
-	}
-	
-	curlen++;
-	tmpstr++;
-    }
-    
-    return;
-}
-
-CERTCertificatePolicies *
-CERT_DecodeCertificatePoliciesExtension(SECItem *extnValue)
-{
-    PRArenaPool *arena = NULL;
-    SECStatus rv;
-    CERTCertificatePolicies *policies;
-    CERTPolicyInfo **policyInfos, *policyInfo;
-    CERTPolicyQualifier **policyQualifiers, *policyQualifier;
-    SECItem newExtnValue;
-    
-    /* make a new arena */
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    
-    if ( !arena ) {
-	goto loser;
-    }
-
-    /* allocate the certifiate policies structure */
-    policies = (CERTCertificatePolicies *)
-	PORT_ArenaZAlloc(arena, sizeof(CERTCertificatePolicies));
-    
-    if ( policies == NULL ) {
-	goto loser;
-    }
-    
-    policies->arena = arena;
-
-    /* copy the DER into the arena, since Quick DER returns data that points
-       into the DER input, which may get freed by the caller */
-    rv = SECITEM_CopyItem(arena, &newExtnValue, extnValue);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    /* decode the policy info */
-    rv = SEC_QuickDERDecodeItem(arena, policies, CERT_CertificatePoliciesTemplate,
-			    &newExtnValue);
-
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    /* initialize the oid tags */
-    policyInfos = policies->policyInfos;
-    while (*policyInfos != NULL ) {
-	policyInfo = *policyInfos;
-	policyInfo->oid = SECOID_FindOIDTag(&policyInfo->policyID);
-	policyQualifiers = policyInfo->policyQualifiers;
-	while ( policyQualifiers != NULL && *policyQualifiers != NULL ) {
-	    policyQualifier = *policyQualifiers;
-	    policyQualifier->oid =
-		SECOID_FindOIDTag(&policyQualifier->qualifierID);
-	    policyQualifiers++;
-	}
-	policyInfos++;
-    }
-
-    return(policies);
-    
-loser:
-    if ( arena != NULL ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    
-    return(NULL);
-}
-
-void
-CERT_DestroyCertificatePoliciesExtension(CERTCertificatePolicies *policies)
-{
-    if ( policies != NULL ) {
-	PORT_FreeArena(policies->arena, PR_FALSE);
-    }
-    return;
-}
-
-
-CERTUserNotice *
-CERT_DecodeUserNotice(SECItem *noticeItem)
-{
-    PRArenaPool *arena = NULL;
-    SECStatus rv;
-    CERTUserNotice *userNotice;
-    SECItem newNoticeItem;
-    
-    /* make a new arena */
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    
-    if ( !arena ) {
-	goto loser;
-    }
-
-    /* allocate the userNotice structure */
-    userNotice = (CERTUserNotice *)PORT_ArenaZAlloc(arena,
-						    sizeof(CERTUserNotice));
-    
-    if ( userNotice == NULL ) {
-	goto loser;
-    }
-    
-    userNotice->arena = arena;
-
-    /* copy the DER into the arena, since Quick DER returns data that points
-       into the DER input, which may get freed by the caller */
-    rv = SECITEM_CopyItem(arena, &newNoticeItem, noticeItem);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    /* decode the user notice */
-    rv = SEC_QuickDERDecodeItem(arena, userNotice, CERT_UserNoticeTemplate, 
-			    &newNoticeItem);
-
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    if (userNotice->derNoticeReference.data != NULL) {
-	/* sigh, the asn1 parser stripped the sequence encoding, re add it
-	 * before we decode.
-	 */
-	SECItem tmpbuf;
-	int	newBytes;
-
-	newBytes = SEC_ASN1LengthLength(userNotice->derNoticeReference.len)+1;
-	tmpbuf.len = newBytes + userNotice->derNoticeReference.len;
-	tmpbuf.data = PORT_ArenaZAlloc(arena, tmpbuf.len);
-	if (tmpbuf.data == NULL) {
-	    goto loser;
-	}
-	tmpbuf.data[0] = SEC_ASN1_SEQUENCE | SEC_ASN1_CONSTRUCTED;
-	SEC_ASN1EncodeLength(&tmpbuf.data[1],userNotice->derNoticeReference.len);
-	PORT_Memcpy(&tmpbuf.data[newBytes],userNotice->derNoticeReference.data,
-				userNotice->derNoticeReference.len);
-
-	/* OK, no decode it */
-    	rv = SEC_QuickDERDecodeItem(arena, &userNotice->noticeReference, 
-	    CERT_NoticeReferenceTemplate, &tmpbuf);
-
-	PORT_Free(tmpbuf.data); tmpbuf.data = NULL;
-    	if ( rv != SECSuccess ) {
-	    goto loser;
-    	}
-    }
-
-    return(userNotice);
-    
-loser:
-    if ( arena != NULL ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    
-    return(NULL);
-}
-
-void
-CERT_DestroyUserNotice(CERTUserNotice *userNotice)
-{
-    if ( userNotice != NULL ) {
-	PORT_FreeArena(userNotice->arena, PR_FALSE);
-    }
-    return;
-}
-
-static CERTPolicyStringCallback policyStringCB = NULL;
-static void *policyStringCBArg = NULL;
-
-void
-CERT_SetCAPolicyStringCallback(CERTPolicyStringCallback cb, void *cbarg)
-{
-    policyStringCB = cb;
-    policyStringCBArg = cbarg;
-    return;
-}
-
-char *
-stringFromUserNotice(SECItem *noticeItem)
-{
-    SECItem *org;
-    unsigned int len, headerlen;
-    char *stringbuf;
-    CERTUserNotice *userNotice;
-    char *policystr;
-    char *retstr = NULL;
-    SECItem *displayText;
-    SECItem **noticeNumbers;
-    unsigned int strnum;
-    
-    /* decode the user notice */
-    userNotice = CERT_DecodeUserNotice(noticeItem);
-    if ( userNotice == NULL ) {
-	return(NULL);
-    }
-    
-    org = &userNotice->noticeReference.organization;
-    if ( (org->len != 0 ) && ( policyStringCB != NULL ) ) {
-	/* has a noticeReference */
-
-	/* extract the org string */
-	len = org->len;
-	stringbuf = (char*)PORT_Alloc(len + 1);
-	if ( stringbuf != NULL ) {
-	    PORT_Memcpy(stringbuf, org->data, len);
-	    stringbuf[len] = '\0';
-
-	    noticeNumbers = userNotice->noticeReference.noticeNumbers;
-	    while ( *noticeNumbers != NULL ) {
-		/* XXX - only one byte integers right now*/
-		strnum = (*noticeNumbers)->data[0];
-		policystr = (* policyStringCB)(stringbuf,
-					       strnum,
-					       policyStringCBArg);
-		if ( policystr != NULL ) {
-		    if ( retstr != NULL ) {
-			retstr = PR_sprintf_append(retstr, "\n%s", policystr);
-		    } else {
-			retstr = PR_sprintf_append(retstr, "%s", policystr);
-		    }
-
-		    PORT_Free(policystr);
-		}
-		
-		noticeNumbers++;
-	    }
-
-	    PORT_Free(stringbuf);
-	}
-    }
-
-    if ( retstr == NULL ) {
-	if ( userNotice->displayText.len != 0 ) {
-	    displayText = &userNotice->displayText;
-
-	    if ( displayText->len > 2 ) {
-		if ( displayText->data[0] == SEC_ASN1_VISIBLE_STRING ) {
-		    headerlen = 2;
-		    if ( displayText->data[1] & 0x80 ) {
-			/* multibyte length */
-			headerlen += ( displayText->data[1] & 0x7f );
-		    }
-
-		    len = displayText->len - headerlen;
-		    retstr = (char*)PORT_Alloc(len + 1);
-		    if ( retstr != NULL ) {
-			PORT_Memcpy(retstr, &displayText->data[headerlen],len);
-			retstr[len] = '\0';
-		    }
-		}
-	    }
-	}
-    }
-    
-    CERT_DestroyUserNotice(userNotice);
-    
-    return(retstr);
-}
-
-char *
-CERT_GetCertCommentString(CERTCertificate *cert)
-{
-    char *retstring = NULL;
-    SECStatus rv;
-    SECItem policyItem;
-    CERTCertificatePolicies *policies = NULL;
-    CERTPolicyInfo **policyInfos;
-    CERTPolicyQualifier **policyQualifiers, *qualifier;
-
-    policyItem.data = NULL;
-    
-    rv = CERT_FindCertExtension(cert, SEC_OID_X509_CERTIFICATE_POLICIES,
-				&policyItem);
-    if ( rv != SECSuccess ) {
-	goto nopolicy;
-    }
-
-    policies = CERT_DecodeCertificatePoliciesExtension(&policyItem);
-    if ( policies == NULL ) {
-	goto nopolicy;
-    }
-
-    policyInfos = policies->policyInfos;
-    /* search through policyInfos looking for the verisign policy */
-    while (*policyInfos != NULL ) {
-	if ( (*policyInfos)->oid == SEC_OID_VERISIGN_USER_NOTICES ) {
-	    policyQualifiers = (*policyInfos)->policyQualifiers;
-	    /* search through the policy qualifiers looking for user notice */
-	    while ( policyQualifiers != NULL && *policyQualifiers != NULL ) {
-		qualifier = *policyQualifiers;
-		if ( qualifier->oid == SEC_OID_PKIX_USER_NOTICE_QUALIFIER ) {
-		    retstring =
-			stringFromUserNotice(&qualifier->qualifierValue);
-		    break;
-		}
-
-		policyQualifiers++;
-	    }
-	    break;
-	}
-	policyInfos++;
-    }
-
-nopolicy:
-    if ( policyItem.data != NULL ) {
-	PORT_Free(policyItem.data);
-    }
-
-    if ( policies != NULL ) {
-	CERT_DestroyCertificatePoliciesExtension(policies);
-    }
-    
-    if ( retstring == NULL ) {
-	retstring = CERT_FindNSStringExtension(cert,
-					       SEC_OID_NS_CERT_EXT_COMMENT);
-    }
-    
-    if ( retstring != NULL ) {
-	breakLines(retstring);
-    }
-    
-    return(retstring);
-}
-
-
-const SEC_ASN1Template CERT_OidSeqTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF,
-	  offsetof(CERTOidSequence, oids),
-	  SEC_ObjectIDTemplate }
-};
-
-CERTOidSequence *
-CERT_DecodeOidSequence(SECItem *seqItem)
-{
-    PRArenaPool *arena = NULL;
-    SECStatus rv;
-    CERTOidSequence *oidSeq;
-    SECItem newSeqItem;
-    
-    /* make a new arena */
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    
-    if ( !arena ) {
-	goto loser;
-    }
-
-    /* allocate the userNotice structure */
-    oidSeq = (CERTOidSequence *)PORT_ArenaZAlloc(arena,
-						 sizeof(CERTOidSequence));
-    
-    if ( oidSeq == NULL ) {
-	goto loser;
-    }
-    
-    oidSeq->arena = arena;
-
-    /* copy the DER into the arena, since Quick DER returns data that points
-       into the DER input, which may get freed by the caller */
-    rv = SECITEM_CopyItem(arena, &newSeqItem, seqItem);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    /* decode the user notice */
-    rv = SEC_QuickDERDecodeItem(arena, oidSeq, CERT_OidSeqTemplate, &newSeqItem);
-
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    return(oidSeq);
-    
-loser:
-    return(NULL);
-}
-
-
-void
-CERT_DestroyOidSequence(CERTOidSequence *oidSeq)
-{
-    if ( oidSeq != NULL ) {
-	PORT_FreeArena(oidSeq->arena, PR_FALSE);
-    }
-    return;
-}
-
-PRBool
-CERT_GovtApprovedBitSet(CERTCertificate *cert)
-{
-    SECStatus rv;
-    SECItem extItem;
-    CERTOidSequence *oidSeq = NULL;
-    PRBool ret;
-    SECItem **oids;
-    SECItem *oid;
-    SECOidTag oidTag;
-    
-    extItem.data = NULL;
-    rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE, &extItem);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    oidSeq = CERT_DecodeOidSequence(&extItem);
-    if ( oidSeq == NULL ) {
-	goto loser;
-    }
-
-    oids = oidSeq->oids;
-    while ( oids != NULL && *oids != NULL ) {
-	oid = *oids;
-	
-	oidTag = SECOID_FindOIDTag(oid);
-	
-	if ( oidTag == SEC_OID_NS_KEY_USAGE_GOVT_APPROVED ) {
-	    goto success;
-	}
-	
-	oids++;
-    }
-
-loser:
-    ret = PR_FALSE;
-    goto done;
-success:
-    ret = PR_TRUE;
-done:
-    if ( oidSeq != NULL ) {
-	CERT_DestroyOidSequence(oidSeq);
-    }
-    if (extItem.data != NULL) {
-	PORT_Free(extItem.data);
-    }
-    return(ret);
-}
diff --git a/security/nss/lib/certdb/secname.c b/security/nss/lib/certdb/secname.c
deleted file mode 100644
index 99354a617..000000000
--- a/security/nss/lib/certdb/secname.c
+++ /dev/null
@@ -1,704 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   John Gardiner Myers <jgmyers@speakeasy.net>
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "cert.h"
-#include "secoid.h"
-#include "secder.h"	/* XXX remove this when remove the DERTemplates */
-#include "secasn1.h"
-#include "secitem.h"
-#include <stdarg.h>
-#include "secerr.h"
-#include "certi.h"
-
-static const SEC_ASN1Template cert_AVATemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTAVA) },
-    { SEC_ASN1_OBJECT_ID,
-	  offsetof(CERTAVA,type), },
-    { SEC_ASN1_ANY,
-	  offsetof(CERTAVA,value), },
-    { 0, }
-};
-
-const SEC_ASN1Template CERT_RDNTemplate[] = {
-    { SEC_ASN1_SET_OF,
-	  offsetof(CERTRDN,avas), cert_AVATemplate, sizeof(CERTRDN) }
-};
-
-
-static int
-CountArray(void **array)
-{
-    int count = 0;
-    if (array) {
-	while (*array++) {
-	    count++;
-	}
-    }
-    return count;
-}
-
-static void **
-AddToArray(PRArenaPool *arena, void **array, void *element)
-{
-    unsigned count;
-    void **ap;
-
-    /* Count up number of slots already in use in the array */
-    count = 0;
-    ap = array;
-    if (ap) {
-	while (*ap++) {
-	    count++;
-	}
-    }
-
-    if (array) {
-	array = (void**) PORT_ArenaGrow(arena, array,
-					(count + 1) * sizeof(void *),
-					(count + 2) * sizeof(void *));
-    } else {
-	array = (void**) PORT_ArenaAlloc(arena, (count + 2) * sizeof(void *));
-    }
-    if (array) {
-	array[count] = element;
-	array[count+1] = 0;
-    }
-    return array;
-}
-
-
-SECOidTag
-CERT_GetAVATag(CERTAVA *ava)
-{
-    SECOidData *oid;
-    if (!ava->type.data) return (SECOidTag)-1;
-
-    oid = SECOID_FindOID(&ava->type);
-    
-    if ( oid ) {
-	return(oid->offset);
-    }
-    return (SECOidTag)-1;
-}
-
-static SECStatus
-SetupAVAType(PRArenaPool *arena, SECOidTag type, SECItem *it, unsigned *maxLenp)
-{
-    unsigned char *oid;
-    unsigned oidLen;
-    unsigned char *cp;
-    int      maxLen;
-    SECOidData *oidrec;
-
-    oidrec = SECOID_FindOIDByTag(type);
-    if (oidrec == NULL)
-	return SECFailure;
-
-    oid = oidrec->oid.data;
-    oidLen = oidrec->oid.len;
-
-    maxLen = cert_AVAOidTagToMaxLen(type);
-    if (maxLen < 0) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    it->data = cp = (unsigned char*) PORT_ArenaAlloc(arena, oidLen);
-    if (cp == NULL) {
-	return SECFailure;
-    }
-    it->len = oidLen;
-    PORT_Memcpy(cp, oid, oidLen);
-    *maxLenp = (unsigned)maxLen;
-    return SECSuccess;
-}
-
-static SECStatus
-SetupAVAValue(PRArenaPool *arena, int valueType, char *value, SECItem *it,
-	      unsigned maxLen)
-{
-    unsigned valueLen, valueLenLen, total;
-    unsigned ucs4Len = 0, ucs4MaxLen;
-    unsigned char *cp, *ucs4Val;
-
-    switch (valueType) {
-      case SEC_ASN1_PRINTABLE_STRING:
-      case SEC_ASN1_IA5_STRING:
-      case SEC_ASN1_T61_STRING:
-      case SEC_ASN1_UTF8_STRING: /* no conversion required */
-	valueLen = PORT_Strlen(value);
-	break;
-      case SEC_ASN1_UNIVERSAL_STRING:
-	valueLen = PORT_Strlen(value);
-	ucs4MaxLen = valueLen * 6;
-	ucs4Val = (unsigned char *)PORT_ArenaZAlloc(arena, ucs4MaxLen);
-	if(!ucs4Val || !PORT_UCS4_UTF8Conversion(PR_TRUE, 
-	                                (unsigned char *)value, valueLen,
-					ucs4Val, ucs4MaxLen, &ucs4Len)) {
-	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	    return SECFailure;
-	}
-	value = (char *)ucs4Val;
-	valueLen = ucs4Len;
-    	maxLen *= 4;
-	break;
-      default:
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    if (valueLen > maxLen) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    } 
-
-    valueLenLen = DER_LengthLength(valueLen);
-    total = 1 + valueLenLen + valueLen;
-    it->data = cp = (unsigned char*) PORT_ArenaAlloc(arena, total);
-    if (!cp) {
-	return SECFailure;
-    }
-    it->len = total;
-    cp = (unsigned char*) DER_StoreHeader(cp, valueType, valueLen);
-    PORT_Memcpy(cp, value, valueLen);
-    return SECSuccess;
-}
-
-CERTAVA *
-CERT_CreateAVA(PRArenaPool *arena, SECOidTag kind, int valueType, char *value)
-{
-    CERTAVA *ava;
-    int rv;
-    unsigned maxLen;
-
-    ava = (CERTAVA*) PORT_ArenaZAlloc(arena, sizeof(CERTAVA));
-    if (ava) {
-	rv = SetupAVAType(arena, kind, &ava->type, &maxLen);
-	if (rv) {
-	    /* Illegal AVA type */
-	    return 0;
-	}
-	rv = SetupAVAValue(arena, valueType, value, &ava->value, maxLen);
-	if (rv) {
-	    /* Illegal value type */
-	    return 0;
-	}
-    }
-    return ava;
-}
-
-CERTAVA *
-CERT_CopyAVA(PRArenaPool *arena, CERTAVA *from)
-{
-    CERTAVA *ava;
-    int rv;
-
-    ava = (CERTAVA*) PORT_ArenaZAlloc(arena, sizeof(CERTAVA));
-    if (ava) {
-	rv = SECITEM_CopyItem(arena, &ava->type, &from->type);
-	if (rv) goto loser;
-	rv = SECITEM_CopyItem(arena, &ava->value, &from->value);
-	if (rv) goto loser;
-    }
-    return ava;
-
-  loser:
-    return 0;
-}
-
-/************************************************************************/
-/* XXX This template needs to go away in favor of the new SEC_ASN1 version. */
-static const SEC_ASN1Template cert_RDNTemplate[] = {
-    { SEC_ASN1_SET_OF,
-	  offsetof(CERTRDN,avas), cert_AVATemplate, sizeof(CERTRDN) }
-};
-
-
-CERTRDN *
-CERT_CreateRDN(PRArenaPool *arena, CERTAVA *ava0, ...)
-{
-    CERTAVA *ava;
-    CERTRDN *rdn;
-    va_list ap;
-    unsigned count;
-    CERTAVA **avap;
-
-    rdn = (CERTRDN*) PORT_ArenaAlloc(arena, sizeof(CERTRDN));
-    if (rdn) {
-	/* Count number of avas going into the rdn */
-	count = 0;
-	if (ava0) {
-	    count++;
-	    va_start(ap, ava0);
-	    while ((ava = va_arg(ap, CERTAVA*)) != 0) {
-		count++;
-	    }
-	    va_end(ap);
-	}
-
-	/* Now fill in the pointers */
-	rdn->avas = avap =
-	    (CERTAVA**) PORT_ArenaAlloc( arena, (count + 1)*sizeof(CERTAVA*));
-	if (!avap) {
-	    return 0;
-	}
-	if (ava0) {
-	    *avap++ = ava0;
-	    va_start(ap, ava0);
-	    while ((ava = va_arg(ap, CERTAVA*)) != 0) {
-		*avap++ = ava;
-	    }
-	    va_end(ap);
-	}
-	*avap++ = 0;
-    }
-    return rdn;
-}
-
-SECStatus
-CERT_AddAVA(PRArenaPool *arena, CERTRDN *rdn, CERTAVA *ava)
-{
-    rdn->avas = (CERTAVA**) AddToArray(arena, (void**) rdn->avas, ava);
-    return rdn->avas ? SECSuccess : SECFailure;
-}
-
-SECStatus
-CERT_CopyRDN(PRArenaPool *arena, CERTRDN *to, CERTRDN *from)
-{
-    CERTAVA **avas, *fava, *tava;
-    SECStatus rv = SECSuccess;
-
-    /* Copy each ava from from */
-    avas = from->avas;
-    if (avas) {
-	if (avas[0] == NULL) {
-	    rv = CERT_AddAVA(arena, to, NULL);
-	    return rv;
-	}
-	while ((fava = *avas++) != 0) {
-	    tava = CERT_CopyAVA(arena, fava);
-	    if (!tava) {
-	    	rv = SECFailure;
-		break;
-	    }
-	    rv = CERT_AddAVA(arena, to, tava);
-	    if (rv != SECSuccess) 
-	    	break;
-	}
-    }
-    return rv;
-}
-
-/************************************************************************/
-
-const SEC_ASN1Template CERT_NameTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF,
-	  offsetof(CERTName,rdns), CERT_RDNTemplate, sizeof(CERTName) }
-};
-
-SEC_ASN1_CHOOSER_IMPLEMENT(CERT_NameTemplate)
-
-CERTName *
-CERT_CreateName(CERTRDN *rdn0, ...)
-{
-    CERTRDN *rdn;
-    CERTName *name;
-    va_list ap;
-    unsigned count;
-    CERTRDN **rdnp;
-    PRArenaPool *arena;
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( !arena ) {
-	return(0);
-    }
-    
-    name = (CERTName*) PORT_ArenaAlloc(arena, sizeof(CERTName));
-    if (name) {
-	name->arena = arena;
-	
-	/* Count number of RDNs going into the Name */
-	if (!rdn0) {
-	    count = 0;
-	} else {
-	    count = 1;
-	    va_start(ap, rdn0);
-	    while ((rdn = va_arg(ap, CERTRDN*)) != 0) {
-		count++;
-	    }
-	    va_end(ap);
-	}
-
-	/* Allocate space (including space for terminal null ptr) */
-	name->rdns = rdnp =
-	    (CERTRDN**) PORT_ArenaAlloc(arena, (count + 1) * sizeof(CERTRDN*));
-	if (!name->rdns) {
-	    goto loser;
-	}
-
-	/* Now fill in the pointers */
-	if (count > 0) {
-	    *rdnp++ = rdn0;
-	    va_start(ap, rdn0);
-	    while ((rdn = va_arg(ap, CERTRDN*)) != 0) {
-		*rdnp++ = rdn;
-	    }
-	    va_end(ap);
-	}
-
-	/* null terminate the list */
-	*rdnp++ = 0;
-    }
-    return name;
-
-loser:
-    PORT_FreeArena(arena, PR_FALSE);
-    return(0);
-}
-
-void
-CERT_DestroyName(CERTName *name)
-{
-    if (name)
-    {
-        PRArenaPool *arena = name->arena;
-        name->rdns = NULL;
-	name->arena = NULL;
-	if (arena) PORT_FreeArena(arena, PR_FALSE);
-    }
-}
-
-SECStatus
-CERT_AddRDN(CERTName *name, CERTRDN *rdn)
-{
-    name->rdns = (CERTRDN**) AddToArray(name->arena, (void**) name->rdns, rdn);
-    return name->rdns ? SECSuccess : SECFailure;
-}
-
-SECStatus
-CERT_CopyName(PRArenaPool *arena, CERTName *to, CERTName *from)
-{
-    CERTRDN **rdns, *frdn, *trdn;
-    SECStatus rv = SECSuccess;
-
-    if (!to || !from) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    CERT_DestroyName(to);
-    to->arena = arena;
-
-    /* Copy each rdn from from */
-    rdns = from->rdns;
-    if (rdns) {
-    	if (rdns[0] == NULL) {
-	    rv = CERT_AddRDN(to, NULL);
-	    return rv;
-	}
-	while ((frdn = *rdns++) != NULL) {
-	    trdn = CERT_CreateRDN(arena, 0);
-	    if (!trdn) {
-		rv = SECFailure;
-		break;
-	    }
-	    rv = CERT_CopyRDN(arena, trdn, frdn);
-	    if (rv != SECSuccess) 
-	        break;
-	    rv = CERT_AddRDN(to, trdn);
-	    if (rv != SECSuccess) 
-	        break;
-	}
-    }
-    return rv;
-}
-
-/************************************************************************/
-
-static void
-canonicalize(SECItem * foo)
-{
-    int ch, lastch, len, src, dest;
-
-    /* strip trailing whitespace. */
-    len = foo->len;
-    while (len > 0 && ((ch = foo->data[len - 1]) == ' ' || 
-           ch == '\t' || ch == '\r' || ch == '\n')) {
-	len--;
-    }
-
-    src = 0;
-    /* strip leading whitespace. */
-    while (src < len && ((ch = foo->data[src]) == ' ' || 
-           ch == '\t' || ch == '\r' || ch == '\n')) {
-	src++;
-    }
-    dest = 0; lastch = ' ';
-    while (src < len) {
-        ch = foo->data[src++];
-	if (ch == ' ' || ch == '\t' || ch == '\r' || ch == '\n') {
-	    ch = ' ';
-	    if (ch == lastch)
-	        continue;
-	} else if (ch >= 'A' && ch <= 'Z') {
-	    ch |= 0x20;  /* downshift */
-	}
-	foo->data[dest++] = lastch = ch;
-    }
-    foo->len = dest;
-}
-
-/* SECItems a and b contain DER-encoded printable strings. */
-SECComparison
-CERT_CompareDERPrintableStrings(const SECItem *a, const SECItem *b)
-{
-    SECComparison rv = SECLessThan;
-    SECItem * aVal = CERT_DecodeAVAValue(a);
-    SECItem * bVal = CERT_DecodeAVAValue(b);
-
-    if (aVal && aVal->len && aVal->data &&
-	bVal && bVal->len && bVal->data) {
-	canonicalize(aVal);
-	canonicalize(bVal);
-	rv = SECITEM_CompareItem(aVal, bVal);
-    }
-    SECITEM_FreeItem(aVal, PR_TRUE);
-    SECITEM_FreeItem(bVal, PR_TRUE);
-    return rv;
-}
-
-SECComparison
-CERT_CompareAVA(const CERTAVA *a, const CERTAVA *b)
-{
-    SECComparison rv;
-
-    rv = SECITEM_CompareItem(&a->type, &b->type);
-    if (SECEqual != rv)
-	return rv;  /* Attribute types don't match. */
-    /* Let's be optimistic.  Maybe the values will just compare equal. */
-    rv = SECITEM_CompareItem(&a->value, &b->value);
-    if (SECEqual == rv)
-        return rv;  /* values compared exactly. */
-    if (a->value.len && a->value.data && b->value.len && b->value.data) {
-	/* Here, the values did not match.  
-	** If the values had different encodings, convert them to the same
-	** encoding and compare that way.
-	*/
-	if (a->value.data[0] != b->value.data[0]) {
-	    /* encodings differ.  Convert both to UTF-8 and compare. */
-	    SECItem * aVal = CERT_DecodeAVAValue(&a->value);
-	    SECItem * bVal = CERT_DecodeAVAValue(&b->value);
-	    if (aVal && aVal->len && aVal->data &&
-	        bVal && bVal->len && bVal->data) {
-		rv = SECITEM_CompareItem(aVal, bVal);
-	    }
-	    SECITEM_FreeItem(aVal, PR_TRUE);
-	    SECITEM_FreeItem(bVal, PR_TRUE);
-	} else if (a->value.data[0] == 0x13) { /* both are printable strings. */
-	    /* printable strings */
-	    rv = CERT_CompareDERPrintableStrings(&a->value, &b->value);
-	}
-    }
-    return rv;
-}
-
-SECComparison
-CERT_CompareRDN(CERTRDN *a, CERTRDN *b)
-{
-    CERTAVA **aavas, *aava;
-    CERTAVA **bavas, *bava;
-    int ac, bc;
-    SECComparison rv = SECEqual;
-
-    aavas = a->avas;
-    bavas = b->avas;
-
-    /*
-    ** Make sure array of ava's are the same length. If not, then we are
-    ** not equal
-    */
-    ac = CountArray((void**) aavas);
-    bc = CountArray((void**) bavas);
-    if (ac < bc) return SECLessThan;
-    if (ac > bc) return SECGreaterThan;
-
-    for (;;) {
-	aava = *aavas++;
-	bava = *bavas++;
-	if (!aava) {
-	    break;
-	}
-	rv = CERT_CompareAVA(aava, bava);
-	if (rv) return rv;
-    }
-    return rv;
-}
-
-SECComparison
-CERT_CompareName(CERTName *a, CERTName *b)
-{
-    CERTRDN **ardns, *ardn;
-    CERTRDN **brdns, *brdn;
-    int ac, bc;
-    SECComparison rv = SECEqual;
-
-    ardns = a->rdns;
-    brdns = b->rdns;
-
-    /*
-    ** Make sure array of rdn's are the same length. If not, then we are
-    ** not equal
-    */
-    ac = CountArray((void**) ardns);
-    bc = CountArray((void**) brdns);
-    if (ac < bc) return SECLessThan;
-    if (ac > bc) return SECGreaterThan;
-
-    for (;;) {
-	ardn = *ardns++;
-	brdn = *brdns++;
-	if (!ardn) {
-	    break;
-	}
-	rv = CERT_CompareRDN(ardn, brdn);
-	if (rv) return rv;
-    }
-    return rv;
-}
-
-/* Moved from certhtml.c */
-SECItem *
-CERT_DecodeAVAValue(const SECItem *derAVAValue)
-{
-          SECItem          *retItem; 
-    const SEC_ASN1Template *theTemplate       = NULL;
-          enum { conv_none, conv_ucs4, conv_ucs2, conv_iso88591 } convert = conv_none;
-          SECItem           avaValue          = {siBuffer, 0}; 
-          PLArenaPool      *newarena          = NULL;
-
-    if (!derAVAValue || !derAVAValue->len || !derAVAValue->data) {
-	return NULL;
-    }
-
-    switch(derAVAValue->data[0]) {
-	case SEC_ASN1_UNIVERSAL_STRING:
-	    convert = conv_ucs4;
-	    theTemplate = SEC_UniversalStringTemplate;
-	    break;
-	case SEC_ASN1_IA5_STRING:
-	    theTemplate = SEC_IA5StringTemplate;
-	    break;
-	case SEC_ASN1_PRINTABLE_STRING:
-	    theTemplate = SEC_PrintableStringTemplate;
-	    break;
-	case SEC_ASN1_T61_STRING:
-	    /*
-	     * Per common practice, we're not decoding actual T.61, but instead
-	     * treating T61-labeled strings as containing ISO-8859-1.
-	     */
-	    convert = conv_iso88591;
-	    theTemplate = SEC_T61StringTemplate;
-	    break;
-	case SEC_ASN1_BMP_STRING:
-	    convert = conv_ucs2;
-	    theTemplate = SEC_BMPStringTemplate;
-	    break;
-	case SEC_ASN1_UTF8_STRING:
-	    /* No conversion needed ! */
-	    theTemplate = SEC_UTF8StringTemplate;
-	    break;
-	default:
-	    return NULL;
-    }
-
-    PORT_Memset(&avaValue, 0, sizeof(SECItem));
-    newarena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (!newarena) {
-        return NULL;
-    }
-    if(SEC_QuickDERDecodeItem(newarena, &avaValue, theTemplate, derAVAValue) 
-				!= SECSuccess) {
-	PORT_FreeArena(newarena, PR_FALSE);
-	return NULL;
-    }
-
-    if (convert != conv_none) {
-	unsigned int   utf8ValLen = avaValue.len * 3;
-	unsigned char *utf8Val    = (unsigned char*)
-				    PORT_ArenaZAlloc(newarena, utf8ValLen);
-
-        switch (convert) {
-        case conv_ucs4:
-           if(avaValue.len % 4 != 0 ||
-              !PORT_UCS4_UTF8Conversion(PR_FALSE, avaValue.data, avaValue.len,
-					utf8Val, utf8ValLen, &utf8ValLen)) {
-                PORT_FreeArena(newarena, PR_FALSE);
-                PORT_SetError(SEC_ERROR_INVALID_AVA);
-		return NULL;
-	   }
-	   break;
-	case conv_ucs2:
-           if(avaValue.len % 2 != 0 ||
-              !PORT_UCS2_UTF8Conversion(PR_FALSE, avaValue.data, avaValue.len,
-					utf8Val, utf8ValLen, &utf8ValLen)) {
-                PORT_FreeArena(newarena, PR_FALSE);
-                PORT_SetError(SEC_ERROR_INVALID_AVA);
-		return NULL;
-	   }
-	   break;
-	case conv_iso88591:
-           if(!PORT_ISO88591_UTF8Conversion(avaValue.data, avaValue.len,
-					utf8Val, utf8ValLen, &utf8ValLen)) {
-                PORT_FreeArena(newarena, PR_FALSE);
-                PORT_SetError(SEC_ERROR_INVALID_AVA);
-		return NULL;
-	   }
-	   break;
-	case conv_none:
-	   PORT_Assert(0); /* not reached */
-	   break;
-	}
-	  
-	avaValue.data = utf8Val;
-	avaValue.len = utf8ValLen;
-    }
-
-    retItem = SECITEM_DupItem(&avaValue);
-    PORT_FreeArena(newarena, PR_FALSE);
-    return retItem;
-}
diff --git a/security/nss/lib/certdb/stanpcertdb.c b/security/nss/lib/certdb/stanpcertdb.c
deleted file mode 100644
index 18e35b299..000000000
--- a/security/nss/lib/certdb/stanpcertdb.c
+++ /dev/null
@@ -1,989 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "prtime.h"
-
-#include "cert.h"
-#include "mcom_db.h"
-#include "certdb.h"
-#include "secitem.h"
-#include "secder.h"
-
-/* Call to PK11_FreeSlot below */
-
-#include "secasn1.h"
-#include "secerr.h"
-#include "nssilock.h"
-#include "prmon.h"
-#include "nsslocks.h"
-#include "base64.h"
-#include "sechash.h"
-#include "plhash.h"
-#include "pk11func.h" /* sigh */
-
-#ifndef NSS_3_4_CODE
-#define NSS_3_4_CODE
-#endif /* NSS_3_4_CODE */
-#include "nsspki.h"
-#include "pki.h"
-#include "pkim.h"
-#include "pki3hack.h"
-#include "ckhelper.h"
-#include "base.h"
-#include "pkistore.h"
-#include "dev3hack.h"
-#include "dev.h"
-
-PRBool
-SEC_CertNicknameConflict(char *nickname, SECItem *derSubject,
-			 CERTCertDBHandle *handle)
-{
-    CERTCertificate *cert;
-    PRBool conflict = PR_FALSE;
-
-    cert=CERT_FindCertByNickname(handle, nickname);
-
-    if (!cert) {
-	return conflict;
-    }
-
-    conflict = !SECITEM_ItemsAreEqual(derSubject,&cert->derSubject);
-    CERT_DestroyCertificate(cert);
-    return conflict;
-}
-
-SECStatus
-SEC_DeletePermCertificate(CERTCertificate *cert)
-{
-    PRStatus nssrv;
-    NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
-    NSSCertificate *c = STAN_GetNSSCertificate(cert);
-
-    /* get rid of the token instances */
-    nssrv = NSSCertificate_DeleteStoredObject(c, NULL);
-
-    /* get rid of the cache entry */
-    nssTrustDomain_LockCertCache(td);
-    nssTrustDomain_RemoveCertFromCacheLOCKED(td, c);
-    nssTrustDomain_UnlockCertCache(td);
-
-    return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
-}
-
-SECStatus
-CERT_GetCertTrust(CERTCertificate *cert, CERTCertTrust *trust)
-{
-    SECStatus rv;
-    CERT_LockCertTrust(cert);
-    if ( cert->trust == NULL ) {
-	rv = SECFailure;
-    } else {
-	*trust = *cert->trust;
-	rv = SECSuccess;
-    }
-    CERT_UnlockCertTrust(cert);
-    return(rv);
-}
-
-#ifdef notdef
-static char *
-cert_parseNickname(char *nickname)
-{
-    char *cp;
-    for (cp=nickname; *cp && *cp != ':'; cp++);
-    if (*cp == ':') return cp+1;
-    return nickname;
-}
-#endif
-
-SECStatus
-CERT_ChangeCertTrust(CERTCertDBHandle *handle, CERTCertificate *cert,
-		    CERTCertTrust *trust)
-{
-    SECStatus rv = SECFailure;
-    PRStatus ret;
-
-    CERT_LockCertTrust(cert);
-    ret = STAN_ChangeCertTrust(cert, trust);
-    rv = (ret == PR_SUCCESS) ? SECSuccess : SECFailure;
-    CERT_UnlockCertTrust(cert);
-    return rv;
-}
-
-extern const NSSError NSS_ERROR_INVALID_CERTIFICATE;
-
-SECStatus
-__CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname,
-		       CERTCertTrust *trust)
-{
-    NSSUTF8 *stanNick;
-    PK11SlotInfo *slot;
-    NSSToken *internal;
-    NSSCryptoContext *context;
-    nssCryptokiObject *permInstance;
-    NSSCertificate *c = STAN_GetNSSCertificate(cert);
-    context = c->object.cryptoContext;
-    if (!context) {
-	PORT_SetError(SEC_ERROR_ADDING_CERT); 
-	return SECFailure; /* wasn't a temp cert */
-    }
-    stanNick = nssCertificate_GetNickname(c, NULL);
-    if (stanNick && nickname && strcmp(nickname, stanNick) != 0) {
-	/* take the new nickname */
-	cert->nickname = NULL;
-	stanNick = NULL;
-    }
-    if (!stanNick && nickname) {
-	stanNick = nssUTF8_Duplicate((NSSUTF8 *)nickname, c->object.arena);
-    }
-    /* Delete the temp instance */
-    nssCertificateStore_Lock(context->certStore);
-    nssCertificateStore_RemoveCertLOCKED(context->certStore, c);
-    nssCertificateStore_Unlock(context->certStore);
-    c->object.cryptoContext = NULL;
-    /* Import the perm instance onto the internal token */
-    slot = PK11_GetInternalKeySlot();
-    internal = PK11Slot_GetNSSToken(slot);
-    permInstance = nssToken_ImportCertificate(internal, NULL,
-                                              NSSCertificateType_PKIX,
-                                              &c->id,
-                                              stanNick,
-                                              &c->encoding,
-                                              &c->issuer,
-                                              &c->subject,
-                                              &c->serial,
-					      cert->emailAddr,
-                                              PR_TRUE);
-    PK11_FreeSlot(slot);
-    if (!permInstance) {
-	if (NSS_GetError() == NSS_ERROR_INVALID_CERTIFICATE) {
-	    PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
-	}
-	return SECFailure;
-    }
-    nssPKIObject_AddInstance(&c->object, permInstance);
-    nssTrustDomain_AddCertsToCache(STAN_GetDefaultTrustDomain(), &c, 1);
-    /* reset the CERTCertificate fields */
-    cert->nssCertificate = NULL;
-    cert = STAN_GetCERTCertificateOrRelease(c); /* should return same pointer */
-    if (!cert) {
-        return SECFailure;
-    }
-    cert->istemp = PR_FALSE;
-    cert->isperm = PR_TRUE;
-    if (!trust) {
-	return SECSuccess;
-    }
-    return (STAN_ChangeCertTrust(cert, trust) == PR_SUCCESS) ? 
-							SECSuccess: SECFailure;
-}
-
-SECStatus
-CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname,
-		       CERTCertTrust *trust)
-{
-    return __CERT_AddTempCertToPerm(cert, nickname, trust);
-}
-
-CERTCertificate *
-__CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert,
-			  char *nickname, PRBool isperm, PRBool copyDER)
-{
-    PRStatus nssrv;
-    NSSCertificate *c;
-    CERTCertificate *cc;
-    NSSCertificate *tempCert;
-    nssPKIObject *pkio;
-    NSSCryptoContext *gCC = STAN_GetDefaultCryptoContext();
-    NSSTrustDomain *gTD = STAN_GetDefaultTrustDomain();
-    if (!isperm) {
-	NSSDER encoding;
-	NSSITEM_FROM_SECITEM(&encoding, derCert);
-	/* First, see if it is already a temp cert */
-	c = NSSCryptoContext_FindCertificateByEncodedCertificate(gCC, 
-	                                                       &encoding);
-	if (!c) {
-	    /* Then, see if it is already a perm cert */
-	    c = NSSTrustDomain_FindCertificateByEncodedCertificate(handle, 
-	                                                           &encoding);
-	}
-	if (c) {
-	    /* actually, that search ends up going by issuer/serial,
-	     * so it is still possible to return a cert with the same
-	     * issuer/serial but a different encoding, and we're
-	     * going to reject that
-	     */
-	    if (!nssItem_Equal(&c->encoding, &encoding, NULL)) {
-		nssCertificate_Destroy(c);
-		PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
-		cc = NULL;
-	    } else {
-    		cc = STAN_GetCERTCertificateOrRelease(c);
-	    }
-	    return cc;
-	}
-    }
-    pkio = nssPKIObject_Create(NULL, NULL, gTD, gCC);
-    if (!pkio) {
-	return NULL;
-    }
-    c = nss_ZNEW(pkio->arena, NSSCertificate);
-    if (!c) {
-	nssPKIObject_Destroy(pkio);
-	return NULL;
-    }
-    c->object = *pkio;
-    if (copyDER) {
-	nssItem_Create(c->object.arena, &c->encoding, 
-	               derCert->len, derCert->data);
-    } else {
-	NSSITEM_FROM_SECITEM(&c->encoding, derCert);
-    }
-    /* Forces a decoding of the cert in order to obtain the parts used
-     * below
-     */
-    /* 'c' is not adopted here, if we fail loser frees what has been
-     * allocated so far for 'c' */
-    cc = STAN_GetCERTCertificate(c);
-    if (!cc) {
-        goto loser;
-    }
-    nssItem_Create(c->object.arena, 
-                   &c->issuer, cc->derIssuer.len, cc->derIssuer.data);
-    nssItem_Create(c->object.arena, 
-                   &c->subject, cc->derSubject.len, cc->derSubject.data);
-    if (PR_TRUE) {
-	/* CERTCertificate stores serial numbers decoded.  I need the DER
-	* here.  sigh.
-	*/
-	SECItem derSerial = { 0 };
-	CERT_SerialNumberFromDERCert(&cc->derCert, &derSerial);
-	if (!derSerial.data) goto loser;
-	nssItem_Create(c->object.arena, &c->serial, derSerial.len, derSerial.data);
-	PORT_Free(derSerial.data);
-    }
-    if (nickname) {
-	c->object.tempName = nssUTF8_Create(c->object.arena, 
-                                            nssStringType_UTF8String, 
-                                            (NSSUTF8 *)nickname, 
-                                            PORT_Strlen(nickname));
-    }
-    if (cc->emailAddr && cc->emailAddr[0]) {
-	c->email = nssUTF8_Create(c->object.arena, 
-	                          nssStringType_PrintableString, 
-	                          (NSSUTF8 *)cc->emailAddr, 
-	                          PORT_Strlen(cc->emailAddr));
-    }
-    /* this function cannot detect if the cert exists as a temp cert now, but
-     * didn't when CERT_NewTemp was first called.
-     */
-    nssrv = NSSCryptoContext_ImportCertificate(gCC, c);
-    if (nssrv != PR_SUCCESS) {
-	goto loser;
-    }
-    /* so find the entry in the temp store */
-    tempCert = NSSCryptoContext_FindCertificateByIssuerAndSerialNumber(gCC,
-                                                                   &c->issuer,
-                                                                   &c->serial);
-    /* destroy the copy */
-    NSSCertificate_Destroy(c);
-    if (tempCert) {
-	/* and use the "official" entry */
-	c = tempCert;
-    	cc = STAN_GetCERTCertificateOrRelease(c);
-        if (!cc) {
-            return NULL;
-        }
-    } else {
-	return NULL;
-    }
-    cc->istemp = PR_TRUE;
-    cc->isperm = PR_FALSE;
-    return cc;
-loser:
-    nssPKIObject_Destroy(&c->object);
-    return NULL;
-}
-
-CERTCertificate *
-CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert,
-			char *nickname, PRBool isperm, PRBool copyDER)
-{
-    return( __CERT_NewTempCertificate(handle, derCert, nickname,
-                                      isperm, copyDER) );
-}
-
-/* maybe all the wincx's should be some const for internal token login? */
-CERTCertificate *
-CERT_FindCertByIssuerAndSN(CERTCertDBHandle *handle, CERTIssuerAndSN *issuerAndSN)
-{
-    PK11SlotInfo *slot;
-    CERTCertificate *cert;
-
-    cert = PK11_FindCertByIssuerAndSN(&slot,issuerAndSN,NULL);
-    if (cert && slot) {
-        PK11_FreeSlot(slot);
-    }
-
-    return cert;
-}
-
-static NSSCertificate *
-get_best_temp_or_perm(NSSCertificate *ct, NSSCertificate *cp)
-{
-    NSSUsage usage;
-    NSSCertificate *arr[3];
-    if (!ct) {
-	return nssCertificate_AddRef(cp);
-    } else if (!cp) {
-	return nssCertificate_AddRef(ct);
-    }
-    arr[0] = ct;
-    arr[1] = cp;
-    arr[2] = NULL;
-    usage.anyUsage = PR_TRUE;
-    return nssCertificateArray_FindBestCertificate(arr, NULL, &usage, NULL);
-}
-
-CERTCertificate *
-CERT_FindCertByName(CERTCertDBHandle *handle, SECItem *name)
-{
-    NSSCertificate *cp, *ct, *c;
-    NSSDER subject;
-    NSSUsage usage;
-    NSSCryptoContext *cc;
-    NSSITEM_FROM_SECITEM(&subject, name);
-    usage.anyUsage = PR_TRUE;
-    cc = STAN_GetDefaultCryptoContext();
-    ct = NSSCryptoContext_FindBestCertificateBySubject(cc, &subject, 
-                                                       NULL, &usage, NULL);
-    cp = NSSTrustDomain_FindBestCertificateBySubject(handle, &subject, 
-                                                     NULL, &usage, NULL);
-    c = get_best_temp_or_perm(ct, cp);
-    if (ct) {
-	CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct));
-    }
-    if (cp) {
-	CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(cp));
-    }
-    return c ? STAN_GetCERTCertificateOrRelease(c) : NULL;
-}
-
-CERTCertificate *
-CERT_FindCertByKeyID(CERTCertDBHandle *handle, SECItem *name, SECItem *keyID)
-{
-    CERTCertList *list;
-    CERTCertificate *cert = NULL;
-    CERTCertListNode *node, *head;
-
-    list = CERT_CreateSubjectCertList(NULL,handle,name,0,PR_FALSE);
-    if (list == NULL) return NULL;
-
-    node = head = CERT_LIST_HEAD(list);
-    if (head) {
-	do {
-	    if (node->cert && 
-		SECITEM_ItemsAreEqual(&node->cert->subjectKeyID, keyID) ) {
-		cert = CERT_DupCertificate(node->cert);
-		goto done;
-	    }
-	    node = CERT_LIST_NEXT(node);
-	} while (node && head != node);
-    }
-    PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
-done:
-    if (list) {
-        CERT_DestroyCertList(list);
-    }
-    return cert;
-}
-
-CERTCertificate *
-CERT_FindCertByNickname(CERTCertDBHandle *handle, char *nickname)
-{
-    NSSCryptoContext *cc;
-    NSSCertificate *c, *ct;
-    CERTCertificate *cert;
-    NSSUsage usage;
-    usage.anyUsage = PR_TRUE;
-    cc = STAN_GetDefaultCryptoContext();
-    ct = NSSCryptoContext_FindBestCertificateByNickname(cc, nickname, 
-                                                       NULL, &usage, NULL);
-    cert = PK11_FindCertFromNickname(nickname, NULL);
-    c = NULL;
-    if (cert) {
-	c = get_best_temp_or_perm(ct, STAN_GetNSSCertificate(cert));
-	CERT_DestroyCertificate(cert);
-	if (ct) {
-	    CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct));
-	}
-    } else {
-	c = ct;
-    }
-    return c ? STAN_GetCERTCertificateOrRelease(c) : NULL;
-}
-
-CERTCertificate *
-CERT_FindCertByDERCert(CERTCertDBHandle *handle, SECItem *derCert)
-{
-    NSSCryptoContext *cc;
-    NSSCertificate *c;
-    NSSDER encoding;
-    NSSITEM_FROM_SECITEM(&encoding, derCert);
-    cc = STAN_GetDefaultCryptoContext();
-    c = NSSCryptoContext_FindCertificateByEncodedCertificate(cc, &encoding);
-    if (!c) {
-	c = NSSTrustDomain_FindCertificateByEncodedCertificate(handle, 
-	                                                       &encoding);
-	if (!c) return NULL;
-    }
-    return STAN_GetCERTCertificateOrRelease(c);
-}
-
-CERTCertificate *
-CERT_FindCertByNicknameOrEmailAddr(CERTCertDBHandle *handle, char *name)
-{
-    NSSCryptoContext *cc;
-    NSSCertificate *c, *ct;
-    CERTCertificate *cert;
-    NSSUsage usage;
-
-    if (NULL == name) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return NULL;
-    }
-    usage.anyUsage = PR_TRUE;
-    cc = STAN_GetDefaultCryptoContext();
-    ct = NSSCryptoContext_FindBestCertificateByNickname(cc, name, 
-                                                       NULL, &usage, NULL);
-    if (!ct && PORT_Strchr(name, '@') != NULL) {
-        char* lowercaseName = CERT_FixupEmailAddr(name);
-        if (lowercaseName) {
-	    ct = NSSCryptoContext_FindBestCertificateByEmail(cc, lowercaseName, 
-							    NULL, &usage, NULL);
-            PORT_Free(lowercaseName);
-        }
-    }
-    cert = PK11_FindCertFromNickname(name, NULL);
-    if (cert) {
-	c = get_best_temp_or_perm(ct, STAN_GetNSSCertificate(cert));
-	CERT_DestroyCertificate(cert);
-	if (ct) {
-	    CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct));
-	}
-    } else {
-	c = ct;
-    }
-    return c ? STAN_GetCERTCertificateOrRelease(c) : NULL;
-}
-
-static void 
-add_to_subject_list(CERTCertList *certList, CERTCertificate *cert,
-                    PRBool validOnly, int64 sorttime)
-{
-    SECStatus secrv;
-    if (!validOnly ||
-	CERT_CheckCertValidTimes(cert, sorttime, PR_FALSE) 
-	 == secCertTimeValid) {
-	    secrv = CERT_AddCertToListSorted(certList, cert, 
-	                                     CERT_SortCBValidity, 
-	                                     (void *)&sorttime);
-	    if (secrv != SECSuccess) {
-		CERT_DestroyCertificate(cert);
-	    }
-    } else {
-	CERT_DestroyCertificate(cert);
-    }
-}
-
-CERTCertList *
-CERT_CreateSubjectCertList(CERTCertList *certList, CERTCertDBHandle *handle,
-			   SECItem *name, int64 sorttime, PRBool validOnly)
-{
-    NSSCryptoContext *cc;
-    NSSCertificate **tSubjectCerts, **pSubjectCerts;
-    NSSCertificate **ci;
-    CERTCertificate *cert;
-    NSSDER subject;
-    PRBool myList = PR_FALSE;
-    cc = STAN_GetDefaultCryptoContext();
-    NSSITEM_FROM_SECITEM(&subject, name);
-    /* Collect both temp and perm certs for the subject */
-    tSubjectCerts = NSSCryptoContext_FindCertificatesBySubject(cc,
-                                                               &subject,
-                                                               NULL,
-                                                               0,
-                                                               NULL);
-    pSubjectCerts = NSSTrustDomain_FindCertificatesBySubject(handle,
-                                                             &subject,
-                                                             NULL,
-                                                             0,
-                                                             NULL);
-    if (!tSubjectCerts && !pSubjectCerts) {
-	return NULL;
-    }
-    if (certList == NULL) {
-	certList = CERT_NewCertList();
-	myList = PR_TRUE;
-	if (!certList) goto loser;
-    }
-    /* Iterate over the matching temp certs.  Add them to the list */
-    ci = tSubjectCerts;
-    while (ci && *ci) {
-	cert = STAN_GetCERTCertificateOrRelease(*ci);
-	/* *ci may be invalid at this point, don't reference it again */
-        if (cert) {
-	    /* NOTE: add_to_subject_list adopts the incoming cert. */
-	    add_to_subject_list(certList, cert, validOnly, sorttime);
-        }
-	ci++;
-    }
-    /* Iterate over the matching perm certs.  Add them to the list */
-    ci = pSubjectCerts;
-    while (ci && *ci) {
-	cert = STAN_GetCERTCertificateOrRelease(*ci);
-	/* *ci may be invalid at this point, don't reference it again */
-        if (cert) {
-	    /* NOTE: add_to_subject_list adopts the incoming cert. */
-	    add_to_subject_list(certList, cert, validOnly, sorttime);
-        }
-	ci++;
-    }
-    /* all the references have been adopted or freed at this point, just
-     * free the arrays now */
-    nss_ZFreeIf(tSubjectCerts);
-    nss_ZFreeIf(pSubjectCerts);
-    return certList;
-loser:
-    /* need to free the references in tSubjectCerts and pSubjectCerts! */
-    nssCertificateArray_Destroy(tSubjectCerts);
-    nssCertificateArray_Destroy(pSubjectCerts);
-    if (myList && certList != NULL) {
-	CERT_DestroyCertList(certList);
-    }
-    return NULL;
-}
-
-void
-CERT_DestroyCertificate(CERTCertificate *cert)
-{
-    if ( cert ) {
-	/* don't use STAN_GetNSSCertificate because we don't want to
-	 * go to the trouble of translating the CERTCertificate into
-	 * an NSSCertificate just to destroy it.  If it hasn't been done
-	 * yet, don't do it at all.
-	 */
-	NSSCertificate *tmp = cert->nssCertificate;
-	if (tmp) {
-	    /* delete the NSSCertificate */
-	    NSSCertificate_Destroy(tmp);
-	} else if (cert->arena) {
-	    PORT_FreeArena(cert->arena, PR_FALSE);
-	}
-    }
-    return;
-}
-
-#ifdef notdef
-SECStatus
-CERT_ChangeCertTrustByUsage(CERTCertDBHandle *certdb,
-			    CERTCertificate *cert, SECCertUsage usage)
-{
-    SECStatus rv;
-    CERTCertTrust trust;
-    CERTCertTrust tmptrust;
-    unsigned int certtype;
-    PRBool saveit;
-    
-    saveit = PR_TRUE;
-    
-    PORT_Memset((void *)&trust, 0, sizeof(trust));
-
-    certtype = cert->nsCertType;
-
-    /* if no app bits in cert type, then set all app bits */
-    if ( ! ( certtype & NS_CERT_TYPE_APP ) ) {
-	certtype |= NS_CERT_TYPE_APP;
-    }
-
-    switch ( usage ) {
-      case certUsageEmailSigner:
-      case certUsageEmailRecipient:
-	if ( certtype & NS_CERT_TYPE_EMAIL ) {
-	     trust.emailFlags = CERTDB_VALID_PEER;
-	     if ( ! ( cert->rawKeyUsage & KU_KEY_ENCIPHERMENT ) ) {
-		/* don't save it if KeyEncipherment is not allowed */
-		saveit = PR_FALSE;
-	    }
-	}
-	break;
-      case certUsageUserCertImport:
-	if ( certtype & NS_CERT_TYPE_EMAIL ) {
-	    trust.emailFlags = CERTDB_VALID_PEER;
-	}
-	/* VALID_USER is already set if the cert was imported, 
-	 * in the case that the cert was already in the database
-	 * through SMIME or other means, we should set the USER
-	 * flags, if they are not already set.
-	 */
-	if( cert->isperm ) {
-	    if ( certtype & NS_CERT_TYPE_SSL_CLIENT ) {
-		if( !(cert->trust->sslFlags & CERTDB_USER) ) {
-		    trust.sslFlags |= CERTDB_USER;
-		}
-	    }
-	    
-	    if ( certtype & NS_CERT_TYPE_EMAIL ) {
-		if( !(cert->trust->emailFlags & CERTDB_USER) ) {
-		    trust.emailFlags |= CERTDB_USER;
-		}
-	    }
-	    
-	    if ( certtype & NS_CERT_TYPE_OBJECT_SIGNING ) {
-		if( !(cert->trust->objectSigningFlags & CERTDB_USER) ) {
-		    trust.objectSigningFlags |= CERTDB_USER;
-		}
-	    }
-	}
-	break;
-      default:	/* XXX added to quiet warnings; no other cases needed? */
-	break;
-    }
-
-    if ( (trust.sslFlags | trust.emailFlags | trust.objectSigningFlags) == 0 ){
-	saveit = PR_FALSE;
-    }
-
-    if ( saveit && cert->isperm ) {
-	/* Cert already in the DB.  Just adjust flags */
-	tmptrust = *cert->trust;
-	tmptrust.sslFlags |= trust.sslFlags;
-	tmptrust.emailFlags |= trust.emailFlags;
-	tmptrust.objectSigningFlags |= trust.objectSigningFlags;
-	    
-	rv = CERT_ChangeCertTrust(cert->dbhandle, cert,
-				  &tmptrust);
-	if ( rv != SECSuccess ) {
-	    goto loser;
-	}
-    }
-
-    rv = SECSuccess;
-    goto done;
-
-loser:
-    rv = SECFailure;
-done:
-
-    return(rv);
-}
-#endif
-
-int
-CERT_GetDBContentVersion(CERTCertDBHandle *handle)
-{
-    /* should read the DB content version from the pkcs #11 device */
-    return 0;
-}
-
-SECStatus
-certdb_SaveSingleProfile(CERTCertificate *cert, const char *emailAddr, 
-				SECItem *emailProfile, SECItem *profileTime)
-{
-    int64 oldtime;
-    int64 newtime;
-    SECStatus rv = SECFailure;
-    PRBool saveit;
-    SECItem oldprof, oldproftime;
-    SECItem *oldProfile = NULL;
-    SECItem *oldProfileTime = NULL;
-    PK11SlotInfo *slot = NULL;
-    NSSCertificate *c;
-    NSSCryptoContext *cc;
-    nssSMIMEProfile *stanProfile = NULL;
-    PRBool freeOldProfile = PR_FALSE;
-
-    c = STAN_GetNSSCertificate(cert);
-    if (!c) return SECFailure;
-    cc = c->object.cryptoContext;
-    if (cc != NULL) {
-	stanProfile = nssCryptoContext_FindSMIMEProfileForCertificate(cc, c);
-	if (stanProfile) {
-	    PORT_Assert(stanProfile->profileData);
-	    SECITEM_FROM_NSSITEM(&oldprof, stanProfile->profileData);
-	    oldProfile = &oldprof;
-	    SECITEM_FROM_NSSITEM(&oldproftime, stanProfile->profileTime);
-	    oldProfileTime = &oldproftime;
-	}
-    } else {
-	oldProfile = PK11_FindSMimeProfile(&slot, (char *)emailAddr, 
-					&cert->derSubject, &oldProfileTime); 
-	freeOldProfile = PR_TRUE;
-    }
-
-    saveit = PR_FALSE;
-    
-    /* both profileTime and emailProfile have to exist or not exist */
-    if ( emailProfile == NULL ) {
-	profileTime = NULL;
-    } else if ( profileTime == NULL ) {
-	emailProfile = NULL;
-    }
-   
-    if ( oldProfileTime == NULL ) {
-	saveit = PR_TRUE;
-    } else {
-	/* there was already a profile for this email addr */
-	if ( profileTime ) {
-	    /* we have an old and new profile - save whichever is more recent*/
-	    if ( oldProfileTime->len == 0 ) {
-		/* always replace if old entry doesn't have a time */
-		oldtime = LL_MININT;
-	    } else {
-		rv = DER_UTCTimeToTime(&oldtime, oldProfileTime);
-		if ( rv != SECSuccess ) {
-		    goto loser;
-		}
-	    }
-	    
-	    rv = DER_UTCTimeToTime(&newtime, profileTime);
-	    if ( rv != SECSuccess ) {
-		goto loser;
-	    }
-	
-	    if ( LL_CMP(newtime, >, oldtime ) ) {
-		/* this is a newer profile, save it and cert */
-		saveit = PR_TRUE;
-	    }
-	} else {
-	    saveit = PR_TRUE;
-	}
-    }
-
-
-    if (saveit) {
-	if (cc) {
-	    if (stanProfile) {
-		/* stanProfile is already stored in the crypto context,
-		 * overwrite the data
-		 */
-		NSSArena *arena = stanProfile->object.arena;
-		stanProfile->profileTime = nssItem_Create(arena, 
-		                                          NULL,
-		                                          profileTime->len,
-		                                          profileTime->data);
-		stanProfile->profileData = nssItem_Create(arena, 
-		                                          NULL,
-		                                          emailProfile->len,
-		                                          emailProfile->data);
-	    } else if (profileTime && emailProfile) {
-		PRStatus nssrv;
-		NSSDER subject;
-		NSSItem profTime, profData;
-		NSSItem *pprofTime, *pprofData;
-		NSSITEM_FROM_SECITEM(&subject, &cert->derSubject);
-		if (profileTime) {
-		    NSSITEM_FROM_SECITEM(&profTime, profileTime);
-		    pprofTime = &profTime;
-		} else {
-		    pprofTime = NULL;
-		}
-		if (emailProfile) {
-		    NSSITEM_FROM_SECITEM(&profData, emailProfile);
-		    pprofData = &profData;
-		} else {
-		    pprofData = NULL;
-		}
-		stanProfile = nssSMIMEProfile_Create(c, pprofTime, pprofData);
-		if (!stanProfile) goto loser;
-		nssrv = nssCryptoContext_ImportSMIMEProfile(cc, stanProfile);
-		rv = (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
-	    }
-	} else {
-	    rv = PK11_SaveSMimeProfile(slot, (char *)emailAddr, 
-				&cert->derSubject, emailProfile, profileTime);
-	}
-    } else {
-	rv = SECSuccess;
-    }
-
-loser:
-    if (oldProfile && freeOldProfile) {
-    	SECITEM_FreeItem(oldProfile,PR_TRUE);
-    }
-    if (oldProfileTime && freeOldProfile) {
-    	SECITEM_FreeItem(oldProfileTime,PR_TRUE);
-    }
-    if (stanProfile) {
-	nssSMIMEProfile_Destroy(stanProfile);
-    }
-    if (slot) {
-	PK11_FreeSlot(slot);
-    }
-    
-    return(rv);
-}
-
-/*
- *
- * Manage S/MIME profiles
- *
- */
-
-SECStatus
-CERT_SaveSMimeProfile(CERTCertificate *cert, SECItem *emailProfile,
-		      SECItem *profileTime)
-{
-    const char *emailAddr;
-    SECStatus rv;
-
-    if (!cert) {
-        return SECFailure;
-    }
-
-    if (cert->slot &&  !PK11_IsInternal(cert->slot)) {
-        /* this cert comes from an external source, we need to add it
-        to the cert db before creating an S/MIME profile */
-        PK11SlotInfo* internalslot = PK11_GetInternalKeySlot();
-        if (!internalslot) {
-            return SECFailure;
-        }
-        rv = PK11_ImportCert(internalslot, cert,
-            CK_INVALID_HANDLE, NULL, PR_FALSE);
-
-        PK11_FreeSlot(internalslot);
-        if (rv != SECSuccess ) {
-            return SECFailure;
-        }
-    }
-
-    
-    for (emailAddr = CERT_GetFirstEmailAddress(cert); emailAddr != NULL;
-		emailAddr = CERT_GetNextEmailAddress(cert,emailAddr)) {
-	rv = certdb_SaveSingleProfile(cert,emailAddr,emailProfile,profileTime);
-	if (rv != SECSuccess) {
-	   return SECFailure;
-	}
-    }
-    return SECSuccess;
-
-}
-
-
-SECItem *
-CERT_FindSMimeProfile(CERTCertificate *cert)
-{
-    PK11SlotInfo *slot = NULL;
-    NSSCertificate *c;
-    NSSCryptoContext *cc;
-    SECItem *rvItem = NULL;
-
-    if (!cert || !cert->emailAddr || !cert->emailAddr[0]) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return NULL;
-    }
-    c = STAN_GetNSSCertificate(cert);
-    if (!c) return NULL;
-    cc = c->object.cryptoContext;
-    if (cc != NULL) {
-	nssSMIMEProfile *stanProfile;
-	stanProfile = nssCryptoContext_FindSMIMEProfileForCertificate(cc, c);
-	if (stanProfile) {
-	    rvItem = SECITEM_AllocItem(NULL, NULL, 
-	                               stanProfile->profileData->size);
-	    if (rvItem) {
-		rvItem->data = stanProfile->profileData->data;
-	    }
-	    nssSMIMEProfile_Destroy(stanProfile);
-	}
-	return rvItem;
-    }
-    rvItem =
-	PK11_FindSMimeProfile(&slot, cert->emailAddr, &cert->derSubject, NULL);
-    if (slot) {
-    	PK11_FreeSlot(slot);
-    }
-    return rvItem;
-}
-
-/*
- * depricated functions that are now just stubs.
- */
-/*
- * Close the database
- */
-void
-__CERT_ClosePermCertDB(CERTCertDBHandle *handle)
-{
-    PORT_Assert("CERT_ClosePermCertDB is Depricated" == NULL);
-    return;
-}
-
-SECStatus
-CERT_OpenCertDBFilename(CERTCertDBHandle *handle, char *certdbname,
-                        PRBool readOnly)
-{
-    PORT_Assert("CERT_OpenCertDBFilename is Depricated" == NULL);
-    return SECFailure;
-}
-
-SECItem *
-SECKEY_HashPassword(char *pw, SECItem *salt)
-{
-    PORT_Assert("SECKEY_HashPassword is Depricated" == NULL);
-    return NULL;
-}
-
-SECStatus
-__CERT_TraversePermCertsForSubject(CERTCertDBHandle *handle,
-                                 SECItem *derSubject,
-                                 void *cb, void *cbarg)
-{
-    PORT_Assert("CERT_TraversePermCertsForSubject is Depricated" == NULL);
-    return SECFailure;
-}
-
-
-SECStatus
-__CERT_TraversePermCertsForNickname(CERTCertDBHandle *handle, char *nickname,
-                                  void *cb, void *cbarg)
-{
-    PORT_Assert("CERT_TraversePermCertsForNickname is Depricated" == NULL);
-    return SECFailure;
-}
-
-
-
diff --git a/security/nss/lib/certdb/xauthkid.c b/security/nss/lib/certdb/xauthkid.c
deleted file mode 100644
index 8d9df2123..000000000
--- a/security/nss/lib/certdb/xauthkid.c
+++ /dev/null
@@ -1,158 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * X.509 v3 Subject Key Usage Extension 
- *
- */
-
-#include "prtypes.h"
-#include "mcom_db.h"
-#include "seccomon.h"
-#include "secdert.h"
-#include "secoidt.h"
-#include "secasn1t.h"
-#include "secasn1.h"
-#include "secport.h"
-#include "certt.h"  
-#include "genname.h"
-#include "secerr.h"
-
-   
-const SEC_ASN1Template CERTAuthKeyIDTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTAuthKeyID) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 0,
-	  offsetof(CERTAuthKeyID,keyID), SEC_OctetStringTemplate},
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC  | 1,
-          offsetof(CERTAuthKeyID, DERAuthCertIssuer), CERT_GeneralNamesTemplate},
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 2,
-	  offsetof(CERTAuthKeyID,authCertSerialNumber), SEC_IntegerTemplate},
-    { 0 }
-};
-
-
-
-SECStatus CERT_EncodeAuthKeyID (PRArenaPool *arena, CERTAuthKeyID *value, SECItem *encodedValue)
-{
-    SECStatus rv = SECFailure;
- 
-    PORT_Assert (value);
-    PORT_Assert (arena);
-    PORT_Assert (value->DERAuthCertIssuer == NULL);
-    PORT_Assert (encodedValue);
-
-    do {
-	
-	/* If both of the authCertIssuer and the serial number exist, encode
-	   the name first.  Otherwise, it is an error if one exist and the other
-	   is not.
-	 */
-	if (value->authCertIssuer) {
-	    if (!value->authCertSerialNumber.data) {
-		PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
-		break;
-	    }
-
-	    value->DERAuthCertIssuer = cert_EncodeGeneralNames
-		(arena, value->authCertIssuer);
-	    if (!value->DERAuthCertIssuer) {
-		PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
-		break;
-	    }
-	}
-	else if (value->authCertSerialNumber.data) {
-		PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
-		break;
-	}
-
-	if (SEC_ASN1EncodeItem (arena, encodedValue, value,
-				CERTAuthKeyIDTemplate) == NULL)
-	    break;
-	rv = SECSuccess;
-
-    } while (0);
-     return(rv);
-}
-
-CERTAuthKeyID *
-CERT_DecodeAuthKeyID (PRArenaPool *arena, SECItem *encodedValue)
-{
-    CERTAuthKeyID * value = NULL;
-    SECStatus       rv    = SECFailure;
-    void *          mark;
-    SECItem         newEncodedValue;
-
-    PORT_Assert (arena);
-   
-    do {
-	mark = PORT_ArenaMark (arena);
-        value = (CERTAuthKeyID*)PORT_ArenaZAlloc (arena, sizeof (*value));
-	value->DERAuthCertIssuer = NULL;
-	if (value == NULL)
-	    break;
-        /* copy the DER into the arena, since Quick DER returns data that points
-           into the DER input, which may get freed by the caller */
-        rv = SECITEM_CopyItem(arena, &newEncodedValue, encodedValue);
-        if ( rv != SECSuccess ) {
-	    break;
-        }
-
-        rv = SEC_QuickDERDecodeItem
-	     (arena, value, CERTAuthKeyIDTemplate, &newEncodedValue);
-	if (rv != SECSuccess)
-	    break;
-
-        value->authCertIssuer = cert_DecodeGeneralNames (arena, value->DERAuthCertIssuer);
-	if (value->authCertIssuer == NULL)
-	    break;
-	
-	/* what if the general name contains other format but not URI ?
-	   hl
-	 */
-	if ((value->authCertSerialNumber.data && !value->authCertIssuer) ||
-	    (!value->authCertSerialNumber.data && value->authCertIssuer)){
-	    PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
-	    break;
-	}
-    } while (0);
-
-    if (rv != SECSuccess) {
-	PORT_ArenaRelease (arena, mark);
-	return ((CERTAuthKeyID *)NULL);	    
-    } 
-    PORT_ArenaUnmark(arena, mark);
-    return (value);
-}
diff --git a/security/nss/lib/certdb/xbsconst.c b/security/nss/lib/certdb/xbsconst.c
deleted file mode 100644
index a6c08b371..000000000
--- a/security/nss/lib/certdb/xbsconst.c
+++ /dev/null
@@ -1,177 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * X.509 v3 Basic Constraints Extension 
- */
-
-#include "prtypes.h"
-#include "mcom_db.h"
-#include "seccomon.h"
-#include "secdert.h"
-#include "secoidt.h"
-#include "secasn1t.h"
-#include "secasn1.h"
-#include "certt.h"
-#include "secder.h"
-#include "prprf.h"
-#include "secerr.h"
-
-typedef struct EncodedContext{
-    SECItem isCA;
-    SECItem pathLenConstraint;
-    SECItem encodedValue;
-    PRArenaPool *arena;
-}EncodedContext;
-
-static const SEC_ASN1Template CERTBasicConstraintsTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(EncodedContext) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN,		/* XXX DER_DEFAULT */
-	  offsetof(EncodedContext,isCA)},
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER,
-	  offsetof(EncodedContext,pathLenConstraint) },
-    { 0, }
-};
-
-static unsigned char hexTrue = 0xff;
-static unsigned char hexFalse = 0x00;
-
-#define GEN_BREAK(status) rv = status; break;
-
-SECStatus CERT_EncodeBasicConstraintValue
-   (PRArenaPool *arena, CERTBasicConstraints *value, SECItem *encodedValue)
-{
-    EncodedContext encodeContext;
-    PRArenaPool *our_pool = NULL;   
-    SECStatus rv = SECSuccess;
-
-    do {
-	PORT_Memset (&encodeContext, 0, sizeof (encodeContext));
-	if (!value->isCA && value->pathLenConstraint >= 0) {
-	    PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
-	    GEN_BREAK (SECFailure);
-	}
-
-        encodeContext.arena = arena;
-	if (value->isCA == PR_TRUE) {
-	    encodeContext.isCA.data =  &hexTrue ;
-	    encodeContext.isCA.len = 1;
-	}
-
-	/* If the pathLenConstraint is less than 0, then it should be
-	 * omitted from the encoding.
-	 */
-	if (value->isCA && value->pathLenConstraint >= 0) {
-	    our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
-	    if (our_pool == NULL) {
-		PORT_SetError (SEC_ERROR_NO_MEMORY);
-		GEN_BREAK (SECFailure);
-	    }
-	    if (SEC_ASN1EncodeUnsignedInteger
-		(our_pool, &encodeContext.pathLenConstraint,
-		 (unsigned long)value->pathLenConstraint) == NULL) {
-		PORT_SetError (SEC_ERROR_NO_MEMORY);
-		GEN_BREAK (SECFailure);
-	    }
-	}
-	if (SEC_ASN1EncodeItem (arena, encodedValue, &encodeContext,
-				CERTBasicConstraintsTemplate) == NULL) {
-	    GEN_BREAK (SECFailure);
-	}
-    } while (0);
-    if (our_pool)
-	PORT_FreeArena (our_pool, PR_FALSE);
-    return(rv);
-
-}
-
-SECStatus CERT_DecodeBasicConstraintValue
-   (CERTBasicConstraints *value, SECItem *encodedValue)
-{
-    EncodedContext decodeContext;
-    PRArenaPool *our_pool;
-    SECStatus rv = SECSuccess;
-
-    do {
-	PORT_Memset (&decodeContext, 0, sizeof (decodeContext));
-	/* initialize the value just in case we got "0x30 00", or when the
-	   pathLenConstraint is omitted.
-         */
-	decodeContext.isCA.data =&hexFalse;
-	decodeContext.isCA.len = 1;
-	
-	our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
-	if (our_pool == NULL) {
-	    PORT_SetError (SEC_ERROR_NO_MEMORY);
-	    GEN_BREAK (SECFailure);
-	}
-
-        rv = SEC_QuickDERDecodeItem
-	     (our_pool, &decodeContext, CERTBasicConstraintsTemplate, encodedValue);
-	if (rv == SECFailure)
-	    break;
-	
-	value->isCA = decodeContext.isCA.data 
-	              ? (PRBool)(decodeContext.isCA.data[0] != 0)
-		      : PR_FALSE;
-	if (decodeContext.pathLenConstraint.data == NULL) {
-	    /* if the pathLenConstraint is not encoded, and the current setting
-	      is CA, then the pathLenConstraint should be set to a negative number
-	      for unlimited certificate path.
-	     */
-	    if (value->isCA)
-		value->pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT;
-	} else if (value->isCA) {
-	    long len = DER_GetInteger (&decodeContext.pathLenConstraint);
-	    if (len < 0 || len == LONG_MAX) {
-		PORT_SetError (SEC_ERROR_BAD_DER);
-		GEN_BREAK (SECFailure);
-	    }
-	    value->pathLenConstraint = len;
-	} else {
-	    /* here we get an error where the subject is not a CA, but
-	       the pathLenConstraint is set */
-	    PORT_SetError (SEC_ERROR_BAD_DER);
-	    GEN_BREAK (SECFailure);
-	    break;
-	}
-	 
-    } while (0);
-    PORT_FreeArena (our_pool, PR_FALSE);
-    return (rv);
-
-}
diff --git a/security/nss/lib/certdb/xconst.c b/security/nss/lib/certdb/xconst.c
deleted file mode 100644
index 94bc697ce..000000000
--- a/security/nss/lib/certdb/xconst.c
+++ /dev/null
@@ -1,298 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * X.509 Extension Encoding  
- */
-
-#include "prtypes.h"
-#include "mcom_db.h"
-#include "seccomon.h"
-#include "secdert.h"
-#include "secoidt.h"
-#include "secasn1t.h"
-#include "secasn1.h"
-#include "cert.h"
-#include "secder.h"
-#include "prprf.h"
-#include "xconst.h"
-#include "genname.h"
-#include "secasn1.h"
-#include "secerr.h"
-
-
-static const SEC_ASN1Template CERTSubjectKeyIDTemplate[] = {
-    { SEC_ASN1_OCTET_STRING }
-};
-
-
-static const SEC_ASN1Template CERTIA5TypeTemplate[] = {
-    { SEC_ASN1_IA5_STRING }
-};
-
-
-static const SEC_ASN1Template CERTPrivateKeyUsagePeriodTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-      0, NULL, sizeof(CERTPrivKeyUsagePeriod) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC  | 0,	
-	  offsetof(CERTPrivKeyUsagePeriod, notBefore), 
-	  SEC_GeneralizedTimeTemplate},
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC  | 1,
-	  offsetof(CERTPrivKeyUsagePeriod, notAfter), 
-	  SEC_GeneralizedTimeTemplate},
-    { 0, } 
-};
-
-
-const SEC_ASN1Template CERTAltNameTemplate[] = {
-    { SEC_ASN1_CONSTRUCTED, offsetof(CERTAltNameEncodedContext, encodedGenName), 
-      CERT_GeneralNamesTemplate}
-};
-
-const SEC_ASN1Template CERTAuthInfoAccessItemTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-      0, NULL, sizeof(CERTAuthInfoAccess) },
-    { SEC_ASN1_OBJECT_ID,
-      offsetof(CERTAuthInfoAccess, method) },
-    { SEC_ASN1_ANY,
-      offsetof(CERTAuthInfoAccess, derLocation) },
-    { 0, }
-};
-
-const SEC_ASN1Template CERTAuthInfoAccessTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF, 0, CERTAuthInfoAccessItemTemplate }
-};
-
-
-SECStatus 
-CERT_EncodeSubjectKeyID(PRArenaPool *arena, char *value, int len, SECItem *encodedValue)
-{
-    SECItem encodeContext;
-    SECStatus rv = SECSuccess;
-
-
-    PORT_Memset (&encodeContext, 0, sizeof (encodeContext));
-    
-    if (value != NULL) {
-	encodeContext.data = (unsigned char *)value;
-	encodeContext.len = len;
-    }
-    if (SEC_ASN1EncodeItem (arena, encodedValue, &encodeContext,
-			    CERTSubjectKeyIDTemplate) == NULL) {
-	rv = SECFailure;
-    }
-    
-    return(rv);
-}
-
-
-SECStatus
-CERT_EncodePrivateKeyUsagePeriod(PRArenaPool *arena, 
-                                CERTPrivKeyUsagePeriod *pkup, 
-				SECItem *encodedValue)
-{
-    SECStatus rv = SECSuccess;
-
-    if (SEC_ASN1EncodeItem (arena, encodedValue, pkup,
-			    CERTPrivateKeyUsagePeriodTemplate) == NULL) {
-	rv = SECFailure;
-    }
-    return(rv);
-}
-
-CERTPrivKeyUsagePeriod *
-CERT_DecodePrivKeyUsagePeriodExtension(PLArenaPool *arena, SECItem *extnValue)
-{
-    SECStatus rv;
-    CERTPrivKeyUsagePeriod *pPeriod;
-    SECItem newExtnValue;
-
-    /* allocate the certificate policies structure */
-    pPeriod = PORT_ArenaZNew(arena, CERTPrivKeyUsagePeriod);
-    if ( pPeriod == NULL ) {
-	goto loser;
-    }
-    
-    pPeriod->arena = arena;
-
-    /* copy the DER into the arena, since Quick DER returns data that points
-       into the DER input, which may get freed by the caller */
-    rv = SECITEM_CopyItem(arena, &newExtnValue, extnValue);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    rv = SEC_QuickDERDecodeItem(arena, pPeriod, 
-                                CERTPrivateKeyUsagePeriodTemplate,
-			        &newExtnValue);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    return pPeriod;
-    
-loser:
-    return NULL;
-}
-
-
-SECStatus 
-CERT_EncodeIA5TypeExtension(PRArenaPool *arena, char *value, SECItem *encodedValue)
-{
-    SECItem encodeContext;
-    SECStatus rv = SECSuccess;
-
-
-    PORT_Memset (&encodeContext, 0, sizeof (encodeContext));
-    
-    if (value != NULL) {
-	encodeContext.data = (unsigned char *)value;
-	encodeContext.len = strlen(value);
-    }
-    if (SEC_ASN1EncodeItem (arena, encodedValue, &encodeContext,
-			    CERTIA5TypeTemplate) == NULL) {
-	rv = SECFailure;
-    }
-    
-    return(rv);
-}
-
-SECStatus
-CERT_EncodeAltNameExtension(PRArenaPool *arena,  CERTGeneralName  *value, SECItem *encodedValue)
-{
-    SECItem                **encodedGenName;
-    SECStatus              rv = SECSuccess;
-
-    encodedGenName = cert_EncodeGeneralNames(arena, value);
-    if (SEC_ASN1EncodeItem (arena, encodedValue, &encodedGenName,
-			    CERT_GeneralNamesTemplate) == NULL) {
-	rv = SECFailure;
-    }
-
-    return rv;
-}
-
-CERTGeneralName *
-CERT_DecodeAltNameExtension(PRArenaPool *arena, SECItem *EncodedAltName)
-{
-    SECStatus              rv = SECSuccess;
-    CERTAltNameEncodedContext  encodedContext;
-
-    encodedContext.encodedGenName = NULL;
-    PORT_Memset(&encodedContext, 0, sizeof(CERTAltNameEncodedContext));
-    rv = SEC_ASN1DecodeItem (arena, &encodedContext, CERT_GeneralNamesTemplate,
-			     EncodedAltName);
-    if (rv == SECFailure) {
-	goto loser;
-    }
-    if (encodedContext.encodedGenName && encodedContext.encodedGenName[0])
-	return cert_DecodeGeneralNames(arena, encodedContext.encodedGenName);
-    /* Extension contained an empty GeneralNames sequence */
-    /* Treat as extension not found */
-    PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND);
-loser:
-    return NULL;
-}
-
-
-SECStatus
-CERT_EncodeNameConstraintsExtension(PRArenaPool          *arena, 
-				    CERTNameConstraints  *value,
-				    SECItem              *encodedValue)
-{
-    SECStatus     rv = SECSuccess;
-    
-    rv = cert_EncodeNameConstraints(value, arena, encodedValue);
-    return rv;
-}
-
-
-CERTNameConstraints *
-CERT_DecodeNameConstraintsExtension(PRArenaPool          *arena,
-				    SECItem              *encodedConstraints)
-{
-    return cert_DecodeNameConstraints(arena, encodedConstraints);
-}
-
-
-CERTAuthInfoAccess **
-CERT_DecodeAuthInfoAccessExtension(PRArenaPool *arena,
-				   SECItem     *encodedExtension)
-{
-    CERTAuthInfoAccess **info = NULL;
-    SECStatus rv;
-    int i;
-
-    rv = SEC_ASN1DecodeItem(arena, &info, CERTAuthInfoAccessTemplate, 
-			    encodedExtension);
-    if (rv != SECSuccess || info == NULL) {
-	return NULL;
-    }
-
-    for (i = 0; info[i] != NULL; i++) {
-	info[i]->location = CERT_DecodeGeneralName(arena,
-						   &(info[i]->derLocation),
-						   NULL);
-    }
-    return info;
-}
-
-SECStatus
-cert_EncodeAuthInfoAccessExtension(PRArenaPool *arena,
-				   CERTAuthInfoAccess **info,
-				   SECItem *dest)
-{
-    SECItem *dummy;
-    int i;
-
-    PORT_Assert(info != NULL);
-    PORT_Assert(dest != NULL);
-    if (info == NULL || dest == NULL) {
-	return SECFailure;
-    }
-
-    for (i = 0; info[i] != NULL; i++) {
-	if (CERT_EncodeGeneralName(info[i]->location, &(info[i]->derLocation),
-				   arena) == NULL)
-	    /* Note that this may leave some of the locations filled in. */
-	    return SECFailure;
-    }
-    dummy = SEC_ASN1EncodeItem(arena, dest, &info,
-			       CERTAuthInfoAccessTemplate);
-    if (dummy == NULL) {
-	return SECFailure;
-    }
-    return SECSuccess;
-}
diff --git a/security/nss/lib/certdb/xconst.h b/security/nss/lib/certdb/xconst.h
deleted file mode 100644
index f1b19358c..000000000
--- a/security/nss/lib/certdb/xconst.h
+++ /dev/null
@@ -1,72 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#ifndef _XCONST_H_
-#define _XCONST_H_
-
-#include "certt.h"
-
-typedef struct CERTAltNameEncodedContextStr {
-    SECItem **encodedGenName;
-} CERTAltNameEncodedContext;
-
-
-
-SEC_BEGIN_PROTOS
-
-extern SECStatus
-CERT_EncodePrivateKeyUsagePeriod(PRArenaPool *arena, 
-                                CERTPrivKeyUsagePeriod *pkup,
-				SECItem *encodedValue);
-
-extern SECStatus
-CERT_EncodeNameConstraintsExtension(PRArenaPool *arena, 
-                                    CERTNameConstraints  *value,
-			            SECItem *encodedValue);
-
-extern SECStatus 
-CERT_EncodeSubjectKeyID(PRArenaPool *arena, char *value, int len, 
-                        SECItem *encodedValue);
-
-extern SECStatus 
-CERT_EncodeIA5TypeExtension(PRArenaPool *arena, char *value, 
-                            SECItem *encodedValue);
-
-SECStatus
-cert_EncodeAuthInfoAccessExtension(PRArenaPool *arena,
-				   CERTAuthInfoAccess **info,
-				   SECItem *dest);
-SEC_END_PROTOS
-#endif
diff --git a/security/nss/lib/certhigh/Makefile b/security/nss/lib/certhigh/Makefile
deleted file mode 100644
index 7e0b30282..000000000
--- a/security/nss/lib/certhigh/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
--include config.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-export:: private_export
-
diff --git a/security/nss/lib/certhigh/certhigh.c b/security/nss/lib/certhigh/certhigh.c
deleted file mode 100644
index 2c0ffe7cb..000000000
--- a/security/nss/lib/certhigh/certhigh.c
+++ /dev/null
@@ -1,1204 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#include "nspr.h"
-#include "secerr.h"
-#include "secasn1.h"
-#include "seccomon.h"
-#include "pk11func.h"
-#include "certdb.h"
-#include "certt.h"
-#include "cert.h"
-#include "certxutl.h"
-
-#ifndef NSS_3_4_CODE
-#define NSS_3_4_CODE
-#endif
-#include "nsspki.h"
-#include "pki.h"
-#include "pkit.h"
-#include "pkitm.h"
-#include "pki3hack.h"
-
-
-PRBool
-CERT_MatchNickname(char *name1, char *name2) {
-    char *nickname1= NULL;
-    char *nickname2 = NULL;
-    char *token1;
-    char *token2;
-    char *token = NULL;
-    int len;
-
-    /* first deal with the straight comparison */
-    if (PORT_Strcmp(name1, name2) == 0) {
-	return PR_TRUE;
-    }
-    /* we need to handle the case where one name has an explicit token and the other
-     * doesn't */
-    token1 = PORT_Strchr(name1,':');
-    token2 = PORT_Strchr(name2,':');
-    if ((token1 && token2) || (!token1 && !token2)) {
-	/* either both token names are specified or neither are, not match */
-	return PR_FALSE;
-    }
-    if (token1) {
-	token=name1;
-	nickname1=token1;
-	nickname2=name2;
-    } else {
-	token=name2;
-	nickname1=token2;
-	nickname2=name1;
-    }
-    len = nickname1-token;
-    nickname1++;
-    if (PORT_Strcmp(nickname1,nickname2) != 0) {
-	return PR_FALSE;
-    }
-    /* compare the other token with the internal slot here */
-    return PR_TRUE;
-}
-
-/*
- * Find all user certificates that match the given criteria.
- * 
- *	"handle" - database to search
- *	"usage" - certificate usage to match
- *	"oneCertPerName" - if set then only return the "best" cert per
- *			name
- *	"validOnly" - only return certs that are curently valid
- *	"proto_win" - window handle passed to pkcs11
- */
-CERTCertList *
-CERT_FindUserCertsByUsage(CERTCertDBHandle *handle,
-			  SECCertUsage usage,
-			  PRBool oneCertPerName,
-			  PRBool validOnly,
-			  void *proto_win)
-{
-    CERTCertNicknames *nicknames = NULL;
-    char **nnptr;
-    int nn;
-    CERTCertificate *cert = NULL;
-    CERTCertList *certList = NULL;
-    SECStatus rv;
-    int64 time;
-    CERTCertListNode *node = NULL;
-    CERTCertListNode *freenode = NULL;
-    int n;
-    
-    time = PR_Now();
-    
-    nicknames = CERT_GetCertNicknames(handle, SEC_CERT_NICKNAMES_USER,
-				      proto_win);
-    
-    if ( ( nicknames == NULL ) || ( nicknames->numnicknames == 0 ) ) {
-	goto loser;
-    }
-
-    nnptr = nicknames->nicknames;
-    nn = nicknames->numnicknames;
-
-    while ( nn > 0 ) {
-	cert = NULL;
-	/* use the pk11 call so that we pick up any certs on tokens,
-	 * which may require login
-	 */
-	if ( proto_win != NULL ) {
-	    cert = PK11_FindCertFromNickname(*nnptr,proto_win);
-	}
-
-	/* Sigh, It turns out if the cert is already in the temp db, because
-	 * it's in the perm db, then the nickname lookup doesn't work.
-	 * since we already have the cert here, though, than we can just call
-	 * CERT_CreateSubjectCertList directly. For those cases where we didn't
-	 * find the cert in pkcs #11 (because we didn't have a password arg,
-	 * or because the nickname is for a peer, server, or CA cert, then we
-	 * go look the cert up.
-	 */
-	if (cert == NULL) { 
-	    cert = CERT_FindCertByNickname(handle,*nnptr);
-	}
-
-	if ( cert != NULL ) {
-	   /* collect certs for this nickname, sorting them into the list */
-	    certList = CERT_CreateSubjectCertList(certList, handle, 
-				&cert->derSubject, time, validOnly);
-
-	    CERT_FilterCertListForUserCerts(certList);
-	
-	    /* drop the extra reference */
-	    CERT_DestroyCertificate(cert);
-	}
-	
-	nnptr++;
-	nn--;
-    }
-
-    /* remove certs with incorrect usage */
-    rv = CERT_FilterCertListByUsage(certList, usage, PR_FALSE);
-
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    /* remove any extra certs for each name */
-    if ( oneCertPerName ) {
-	PRBool *flags;
-
-	nn = nicknames->numnicknames;
-	nnptr = nicknames->nicknames;
-	
-	flags = (PRBool *)PORT_ZAlloc(sizeof(PRBool) * nn);
-	if ( flags == NULL ) {
-	    goto loser;
-	}
-	
-	node = CERT_LIST_HEAD(certList);
-	
-	/* treverse all certs in the list */
-	while ( !CERT_LIST_END(node, certList) ) {
-
-	    /* find matching nickname index */
-	    for ( n = 0; n < nn; n++ ) {
-		if ( CERT_MatchNickname(nnptr[n], node->cert->nickname) ) {
-		    /* We found a match.  If this is the first one, then
-		     * set the flag and move on to the next cert.  If this
-		     * is not the first one then delete it from the list.
-		     */
-		    if ( flags[n] ) {
-			/* We have already seen a cert with this nickname,
-			 * so delete this one.
-			 */
-			freenode = node;
-			node = CERT_LIST_NEXT(node);
-			CERT_RemoveCertListNode(freenode);
-		    } else {
-			/* keep the first cert for each nickname, but set the
-			 * flag so we know to delete any others with the same
-			 * nickname.
-			 */
-			flags[n] = PR_TRUE;
-			node = CERT_LIST_NEXT(node);
-		    }
-		    break;
-		}
-	    }
-	    if ( n == nn ) {
-		/* if we get here it means that we didn't find a matching
-		 * nickname, which should not happen.
-		 */
-		PORT_Assert(0);
-		node = CERT_LIST_NEXT(node);
-	    }
-	}
-	PORT_Free(flags);
-    }
-
-    goto done;
-    
-loser:
-    if ( certList != NULL ) {
-	CERT_DestroyCertList(certList);
-	certList = NULL;
-    }
-
-done:
-    if ( nicknames != NULL ) {
-	CERT_FreeNicknames(nicknames);
-    }
-
-    return(certList);
-}
-
-/*
- * Find a user certificate that matchs the given criteria.
- * 
- *	"handle" - database to search
- *	"nickname" - nickname to match
- *	"usage" - certificate usage to match
- *	"validOnly" - only return certs that are curently valid
- *	"proto_win" - window handle passed to pkcs11
- */
-CERTCertificate *
-CERT_FindUserCertByUsage(CERTCertDBHandle *handle,
-			 char *nickname,
-			 SECCertUsage usage,
-			 PRBool validOnly,
-			 void *proto_win)
-{
-    CERTCertificate *cert = NULL;
-    CERTCertList *certList = NULL;
-    SECStatus rv;
-    int64 time;
-    
-    time = PR_Now();
-    
-    /* use the pk11 call so that we pick up any certs on tokens,
-     * which may require login
-     */
-    /* XXX - why is this restricted? */
-    if ( proto_win != NULL ) {
-	cert = PK11_FindCertFromNickname(nickname,proto_win);
-    }
-
-
-    /* sigh, There are still problems find smart cards from the temp
-     * db. This will get smart cards working again. The real fix
-     * is to make sure we can search the temp db by their token nickname.
-     */
-    if (cert == NULL) {
-	cert = CERT_FindCertByNickname(handle,nickname);
-    }
-
-    if ( cert != NULL ) {
- 	/* collect certs for this nickname, sorting them into the list */
-	certList = CERT_CreateSubjectCertList(certList, handle, 
-					&cert->derSubject, time, validOnly);
-
-	CERT_FilterCertListForUserCerts(certList);
-
-	/* drop the extra reference */
-	CERT_DestroyCertificate(cert);
-	cert = NULL;
-    }
-	
-    if ( certList == NULL ) {
-	goto loser;
-    }
-    
-    /* remove certs with incorrect usage */
-    rv = CERT_FilterCertListByUsage(certList, usage, PR_FALSE);
-
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    if ( ! CERT_LIST_END(CERT_LIST_HEAD(certList), certList) ) {
-	cert = CERT_DupCertificate(CERT_LIST_HEAD(certList)->cert);
-    }
-    
-loser:
-    if ( certList != NULL ) {
-	CERT_DestroyCertList(certList);
-    }
-
-    return(cert);
-}
-
-CERTCertList *
-CERT_MatchUserCert(CERTCertDBHandle *handle,
-		   SECCertUsage usage,
-		   int nCANames, char **caNames,
-		   void *proto_win)
-{
-    CERTCertList *certList = NULL;
-    SECStatus rv;
-
-    certList = CERT_FindUserCertsByUsage(handle, usage, PR_TRUE, PR_TRUE,
-					 proto_win);
-    if ( certList == NULL ) {
-	goto loser;
-    }
-    
-    rv = CERT_FilterCertListByCANames(certList, nCANames, caNames, usage);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    
-    goto done;
-    
-loser:
-    if ( certList != NULL ) {
-	CERT_DestroyCertList(certList);
-	certList = NULL;
-    }
-
-done:
-
-    return(certList);
-}
-
-
-typedef struct stringNode {
-    struct stringNode *next;
-    char *string;
-} stringNode;
-    
-static PRStatus
-CollectNicknames( NSSCertificate *c, void *data)
-{
-    CERTCertNicknames *names;
-    PRBool saveit = PR_FALSE;
-    stringNode *node;
-    int len;
-#ifdef notdef
-    NSSTrustDomain *td;
-    NSSTrust *trust;
-#endif
-    char *stanNickname;
-    char *nickname = NULL;
-    
-    names = (CERTCertNicknames *)data;
-
-    stanNickname = nssCertificate_GetNickname(c,NULL);
-    
-    if ( stanNickname ) {
-	if (names->what == SEC_CERT_NICKNAMES_USER) {
-	    saveit = NSSCertificate_IsPrivateKeyAvailable(c, NULL, NULL);
-	}
-#ifdef notdef
-	  else {
-	    td = NSSCertificate_GetTrustDomain(c);
-	    if (!td) {
-		return PR_SUCCESS;
-	    }
-	    trust = nssTrustDomain_FindTrustForCertificate(td,c);
-	
-	    switch(names->what) {
-	     case SEC_CERT_NICKNAMES_ALL:
-		if ((trust->sslFlags & (CERTDB_VALID_CA|CERTDB_VALID_PEER) ) ||
-		 (trust->emailFlags & (CERTDB_VALID_CA|CERTDB_VALID_PEER) ) ||
-		 (trust->objectSigningFlags & 
-					(CERTDB_VALID_CA|CERTDB_VALID_PEER))) {
-		    saveit = PR_TRUE;
-		}
-	    
-		break;
-	     case SEC_CERT_NICKNAMES_SERVER:
-		if ( trust->sslFlags & CERTDB_VALID_PEER ) {
-		    saveit = PR_TRUE;
-		}
-	    
-		break;
-	     case SEC_CERT_NICKNAMES_CA:
-		if (((trust->sslFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA)||
-		 ((trust->emailFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA) ||
-		 ((trust->objectSigningFlags & CERTDB_VALID_CA ) 
-							== CERTDB_VALID_CA)) {
-		    saveit = PR_TRUE;
-		}
-		break;
-	    }
-	}
-#endif
-    }
-
-    /* traverse the list of collected nicknames and make sure we don't make
-     * a duplicate
-     */
-    if ( saveit ) {
-	nickname = STAN_GetCERTCertificateName(NULL, c);
-	/* nickname can only be NULL here if we are having memory 
-	 * alloc problems */
-	if (nickname == NULL) {
-	    return PR_FAILURE;
-	}
-	node = (stringNode *)names->head;
-	while ( node != NULL ) {
-	    if ( PORT_Strcmp(nickname, node->string) == 0 ) { 
-		/* if the string matches, then don't save this one */
-		saveit = PR_FALSE;
-		break;
-	    }
-	    node = node->next;
-	}
-    }
-
-    if ( saveit ) {
-	
-	/* allocate the node */
-	node = (stringNode*)PORT_ArenaAlloc(names->arena, sizeof(stringNode));
-	if ( node == NULL ) {
-	    return(PR_FAILURE);
-	}
-
-	/* copy the string */
-	len = PORT_Strlen(nickname) + 1;
-	node->string = (char*)PORT_ArenaAlloc(names->arena, len);
-	if ( node->string == NULL ) {
-	    if (nickname) PORT_Free(nickname);
-	    return(PR_FAILURE);
-	}
-	PORT_Memcpy(node->string, nickname, len);
-
-	/* link it into the list */
-	node->next = (stringNode *)names->head;
-	names->head = (void *)node;
-
-	/* bump the count */
-	names->numnicknames++;
-    }
-    
-    if (nickname) PORT_Free(nickname);
-    return(PR_SUCCESS);
-}
-
-CERTCertNicknames *
-CERT_GetCertNicknames(CERTCertDBHandle *handle, int what, void *wincx)
-{
-    PRArenaPool *arena;
-    CERTCertNicknames *names;
-    int i;
-    stringNode *node;
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( arena == NULL ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return(NULL);
-    }
-    
-    names = (CERTCertNicknames *)PORT_ArenaAlloc(arena, sizeof(CERTCertNicknames));
-    if ( names == NULL ) {
-	goto loser;
-    }
-
-    names->arena = arena;
-    names->head = NULL;
-    names->numnicknames = 0;
-    names->nicknames = NULL;
-    names->what = what;
-    names->totallen = 0;
-
-    /* make sure we are logged in */
-    (void) pk11_TraverseAllSlots(NULL, NULL, wincx);
-   
-    NSSTrustDomain_TraverseCertificates(handle,
-					    CollectNicknames, (void *)names);
-    if ( names->numnicknames ) {
-	names->nicknames = (char**)PORT_ArenaAlloc(arena,
-					 names->numnicknames * sizeof(char *));
-
-	if ( names->nicknames == NULL ) {
-	    goto loser;
-	}
-    
-	node = (stringNode *)names->head;
-	
-	for ( i = 0; i < names->numnicknames; i++ ) {
-	    PORT_Assert(node != NULL);
-	    
-	    names->nicknames[i] = node->string;
-	    names->totallen += PORT_Strlen(node->string);
-	    node = node->next;
-	}
-
-	PORT_Assert(node == NULL);
-    }
-
-    return(names);
-    
-loser:
-    PORT_FreeArena(arena, PR_FALSE);
-    return(NULL);
-}
-
-void
-CERT_FreeNicknames(CERTCertNicknames *nicknames)
-{
-    PORT_FreeArena(nicknames->arena, PR_FALSE);
-    
-    return;
-}
-
-/* [ FROM pcertdb.c ] */
-
-typedef struct dnameNode {
-    struct dnameNode *next;
-    SECItem name;
-} dnameNode;
-
-void
-CERT_FreeDistNames(CERTDistNames *names)
-{
-    PORT_FreeArena(names->arena, PR_FALSE);
-    
-    return;
-}
-
-static SECStatus
-CollectDistNames( CERTCertificate *cert, SECItem *k, void *data)
-{
-    CERTDistNames *names;
-    PRBool saveit = PR_FALSE;
-    CERTCertTrust *trust;
-    dnameNode *node;
-    int len;
-    
-    names = (CERTDistNames *)data;
-    
-    if ( cert->trust ) {
-	trust = cert->trust;
-	
-	/* only collect names of CAs trusted for issuing SSL clients */
-	if (  trust->sslFlags &  CERTDB_TRUSTED_CLIENT_CA )  {
-	    saveit = PR_TRUE;
-	}
-    }
-
-    if ( saveit ) {
-	/* allocate the node */
-	node = (dnameNode*)PORT_ArenaAlloc(names->arena, sizeof(dnameNode));
-	if ( node == NULL ) {
-	    return(SECFailure);
-	}
-
-	/* copy the name */
-	node->name.len = len = cert->derSubject.len;
-	node->name.type = siBuffer;
-	node->name.data = (unsigned char*)PORT_ArenaAlloc(names->arena, len);
-	if ( node->name.data == NULL ) {
-	    return(SECFailure);
-	}
-	PORT_Memcpy(node->name.data, cert->derSubject.data, len);
-
-	/* link it into the list */
-	node->next = (dnameNode *)names->head;
-	names->head = (void *)node;
-
-	/* bump the count */
-	names->nnames++;
-    }
-    
-    return(SECSuccess);
-}
-
-/*
- * Return all of the CAs that are "trusted" for SSL.
- */
-CERTDistNames *
-CERT_GetSSLCACerts(CERTCertDBHandle *handle)
-{
-    PRArenaPool *arena;
-    CERTDistNames *names;
-    int i;
-    SECStatus rv;
-    dnameNode *node;
-    
-    /* allocate an arena to use */
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( arena == NULL ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return(NULL);
-    }
-    
-    /* allocate the header structure */
-    names = (CERTDistNames *)PORT_ArenaAlloc(arena, sizeof(CERTDistNames));
-    if ( names == NULL ) {
-	goto loser;
-    }
-
-    /* initialize the header struct */
-    names->arena = arena;
-    names->head = NULL;
-    names->nnames = 0;
-    names->names = NULL;
-    
-    /* collect the names from the database */
-    rv = PK11_TraverseSlotCerts(CollectDistNames, (void *)names, NULL);
-    if ( rv ) {
-	goto loser;
-    }
-
-    /* construct the array from the list */
-    if ( names->nnames ) {
-	names->names = (SECItem*)PORT_ArenaAlloc(arena, names->nnames * sizeof(SECItem));
-
-	if ( names->names == NULL ) {
-	    goto loser;
-	}
-    
-	node = (dnameNode *)names->head;
-	
-	for ( i = 0; i < names->nnames; i++ ) {
-	    PORT_Assert(node != NULL);
-	    
-	    names->names[i] = node->name;
-	    node = node->next;
-	}
-
-	PORT_Assert(node == NULL);
-    }
-
-    return(names);
-    
-loser:
-    PORT_FreeArena(arena, PR_FALSE);
-    return(NULL);
-}
-
-CERTDistNames *
-CERT_DistNamesFromNicknames(CERTCertDBHandle *handle, char **nicknames,
-			   int nnames)
-{
-    CERTDistNames *dnames = NULL;
-    PRArenaPool *arena;
-    int i, rv;
-    SECItem *names = NULL;
-    CERTCertificate *cert = NULL;
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) goto loser;
-    dnames = (CERTDistNames*)PORT_Alloc(sizeof(CERTDistNames));
-    if (dnames == NULL) goto loser;
-
-    dnames->arena = arena;
-    dnames->nnames = nnames;
-    dnames->names = names = (SECItem*)PORT_Alloc(nnames * sizeof(SECItem));
-    if (names == NULL) goto loser;
-    
-    for (i = 0; i < nnames; i++) {
-	cert = CERT_FindCertByNicknameOrEmailAddr(handle, nicknames[i]);
-	if (cert == NULL) goto loser;
-	rv = SECITEM_CopyItem(arena, &names[i], &cert->derSubject);
-	if (rv == SECFailure) goto loser;
-	CERT_DestroyCertificate(cert);
-    }
-    return dnames;
-    
-loser:
-    if (cert != NULL)
-	CERT_DestroyCertificate(cert);
-    if (arena != NULL)
-	PORT_FreeArena(arena, PR_FALSE);
-    return NULL;
-}
-
-/* [ from pcertdb.c - calls Ascii to Name ] */
-/*
- * Lookup a certificate in the database by name
- */
-CERTCertificate *
-CERT_FindCertByNameString(CERTCertDBHandle *handle, char *nameStr)
-{
-    CERTName *name;
-    SECItem *nameItem;
-    CERTCertificate *cert = NULL;
-    PRArenaPool *arena = NULL;
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    
-    if ( arena == NULL ) {
-	goto loser;
-    }
-    
-    name = CERT_AsciiToName(nameStr);
-    
-    if ( name ) {
-	nameItem = SEC_ASN1EncodeItem (arena, NULL, (void *)name,
-				       CERT_NameTemplate);
-	if ( nameItem == NULL ) {
-	    goto loser;
-	}
-
-	cert = CERT_FindCertByName(handle, nameItem);
-	CERT_DestroyName(name);
-    }
-
-loser:
-    if ( arena ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    
-    return(cert);
-}
-
-/* From certv3.c */
-
-CERTCrlDistributionPoints *
-CERT_FindCRLDistributionPoints (CERTCertificate *cert)
-{
-    SECItem encodedExtenValue;
-    SECStatus rv;
-    CERTCrlDistributionPoints *dps;
-
-    encodedExtenValue.data = NULL;
-    encodedExtenValue.len = 0;
-
-    rv = cert_FindExtension(cert->extensions, SEC_OID_X509_CRL_DIST_POINTS,
-			    &encodedExtenValue);
-    if ( rv != SECSuccess ) {
-	return (NULL);
-    }
-
-    dps = CERT_DecodeCRLDistributionPoints(cert->arena, &encodedExtenValue);
-
-    PORT_Free(encodedExtenValue.data);
-
-    return dps;
-}
-
-/* From crl.c */
-CERTSignedCrl * CERT_ImportCRL
-   (CERTCertDBHandle *handle, SECItem *derCRL, char *url, int type, void *wincx)
-{
-    CERTSignedCrl* retCrl = NULL;
-    PK11SlotInfo* slot = PK11_GetInternalKeySlot();
-    retCrl = PK11_ImportCRL(slot, derCRL, url, type, wincx,
-        CRL_IMPORT_DEFAULT_OPTIONS, NULL, CRL_DECODE_DEFAULT_OPTIONS);
-    PK11_FreeSlot(slot);
-
-    return retCrl;
-}
-
-/* From certdb.c */
-static SECStatus
-cert_ImportCAChain(SECItem *certs, int numcerts, SECCertUsage certUsage, PRBool trusted)
-{
-    SECStatus rv;
-    SECItem *derCert;
-    CERTCertificate *cert = NULL;
-    CERTCertificate *newcert = NULL;
-    CERTCertDBHandle *handle;
-    CERTCertTrust trust;
-    PRBool isca;
-    char *nickname;
-    unsigned int certtype;
-    
-    handle = CERT_GetDefaultCertDB();
-    
-    while (numcerts--) {
-	derCert = certs;
-	certs++;
-
-	/* decode my certificate */
-	/* This use is ok -- only looks at decoded parts, calls NewTemp later */
-	newcert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL);
-	if ( newcert == NULL ) {
-	    goto loser;
-	}
-
-	if (!trusted) {
-	    /* make sure that cert is valid */
-	    rv = CERT_CertTimesValid(newcert);
-	    if ( rv == SECFailure ) {
-		goto endloop;
-	    }
-	}
-
-	/* does it have the CA extension */
-	
-	/*
-	 * Make sure that if this is an intermediate CA in the chain that
-	 * it was given permission by its signer to be a CA.
-	 */
-	isca = CERT_IsCACert(newcert, &certtype);
-
-	if ( !isca ) {
-	    if (!trusted) {
-		goto endloop;
-	    }
-	    trust.sslFlags = CERTDB_VALID_CA;
-	    trust.emailFlags = CERTDB_VALID_CA;
-	    trust.objectSigningFlags = CERTDB_VALID_CA;
-	} else {
-	    /* SSL ca's must have the ssl bit set */
-	    if ( ( certUsage == certUsageSSLCA ) &&
-		(( certtype & NS_CERT_TYPE_SSL_CA ) != NS_CERT_TYPE_SSL_CA )) {
-		goto endloop;
-	    }
-
-	    /* it passed all of the tests, so lets add it to the database */
-	    /* mark it as a CA */
-	    PORT_Memset((void *)&trust, 0, sizeof(trust));
-	    switch ( certUsage ) {
-	      case certUsageSSLCA:
-		trust.sslFlags = CERTDB_VALID_CA;
-		break;
-	      case certUsageUserCertImport:
-		if ((certtype & NS_CERT_TYPE_SSL_CA) == NS_CERT_TYPE_SSL_CA) {
-		    trust.sslFlags = CERTDB_VALID_CA;
-		}
-		if ((certtype & NS_CERT_TYPE_EMAIL_CA) 
-						== NS_CERT_TYPE_EMAIL_CA ) {
-		    trust.emailFlags = CERTDB_VALID_CA;
-		}
-		if ( ( certtype & NS_CERT_TYPE_OBJECT_SIGNING_CA ) ==
-					NS_CERT_TYPE_OBJECT_SIGNING_CA ) {
-		     trust.objectSigningFlags = CERTDB_VALID_CA;
-		}
-		break;
-	      default:
-		PORT_Assert(0);
-		break;
-	    }
-	}
-	
-	cert = CERT_NewTempCertificate(handle, derCert, NULL, 
-							PR_FALSE, PR_FALSE);
-	if ( cert == NULL ) {
-	    goto loser;
-	}
-	
-	/* if the cert is temp, make it perm; otherwise we're done */
-	if (cert->istemp) {
-	    /* get a default nickname for it */
-	    nickname = CERT_MakeCANickname(cert);
-
-	    rv = CERT_AddTempCertToPerm(cert, nickname, &trust);
-
-	    /* free the nickname */
-	    if ( nickname ) {
-		PORT_Free(nickname);
-	    }
-	} else {
-	    rv = SECSuccess;
-	}
-
-	CERT_DestroyCertificate(cert);
-	cert = NULL;
-	
-	if ( rv != SECSuccess ) {
-	    goto loser;
-	}
-
-endloop:
-	if ( newcert ) {
-	    CERT_DestroyCertificate(newcert);
-	    newcert = NULL;
-	}
-	
-    }
-
-    rv = SECSuccess;
-    goto done;
-loser:
-    rv = SECFailure;
-done:
-    
-    if ( newcert ) {
-	CERT_DestroyCertificate(newcert);
-	newcert = NULL;
-    }
-    
-    if ( cert ) {
-	CERT_DestroyCertificate(cert);
-	cert = NULL;
-    }
-    
-    return(rv);
-}
-
-SECStatus
-CERT_ImportCAChain(SECItem *certs, int numcerts, SECCertUsage certUsage)
-{
-    return cert_ImportCAChain(certs, numcerts, certUsage, PR_FALSE);
-}
-
-SECStatus
-CERT_ImportCAChainTrusted(SECItem *certs, int numcerts, SECCertUsage certUsage) {
-    return cert_ImportCAChain(certs, numcerts, certUsage, PR_TRUE);
-}
-
-/* Moved from certdb.c */
-/*
-** CERT_CertChainFromCert
-**
-** Construct a CERTCertificateList consisting of the given certificate and all
-** of the issuer certs until we either get to a self-signed cert or can't find
-** an issuer.  Since we don't know how many certs are in the chain we have to
-** build a linked list first as we count them.
-*/
-
-typedef struct certNode {
-    struct certNode *next;
-    CERTCertificate *cert;
-} certNode;
-
-CERTCertificateList *
-CERT_CertChainFromCert(CERTCertificate *cert, SECCertUsage usage,
-		       PRBool includeRoot)
-{
-#ifdef NSS_CLASSIC
-    CERTCertificateList *chain = NULL;
-    CERTCertificate *c;
-    SECItem *p;
-    int rv, len = 0;
-    PRArenaPool *tmpArena, *arena;
-    certNode *head, *tail, *node;
-
-    /*
-     * Initialize stuff so we can goto loser.
-     */
-    head = NULL;
-    arena = NULL;
-
-    /* arena for linked list */
-    tmpArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (tmpArena == NULL) goto no_memory;
-
-    /* arena for SecCertificateList */
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) goto no_memory;
-
-    head = tail = (certNode*)PORT_ArenaZAlloc(tmpArena, sizeof(certNode));
-    if (head == NULL) goto no_memory;
-
-    /* put primary cert first in the linked list */
-    head->cert = c = CERT_DupCertificate(cert);
-    if (head->cert == NULL) goto loser;
-    len++;
-
-    /* add certs until we come to a self-signed one */
-    while(SECITEM_CompareItem(&c->derIssuer, &c->derSubject) != SECEqual) {
-	c = CERT_FindCertIssuer(tail->cert, PR_Now(), usage);
-	if (c == NULL) {
-	    /* no root is found, so make sure we don't attempt to delete one
-	     * below
-	     */
-	    includeRoot = PR_TRUE;
-	    break;
-	}
-	
-	tail->next = (certNode*)PORT_ArenaZAlloc(tmpArena, sizeof(certNode));
-	tail = tail->next;
-	if (tail == NULL) goto no_memory;
-	
-	tail->cert = c;
-	len++;
-    }
-
-    /* now build the CERTCertificateList */
-    chain = (CERTCertificateList *)PORT_ArenaAlloc(arena, sizeof(CERTCertificateList));
-    if (chain == NULL) goto no_memory;
-    chain->certs = (SECItem*)PORT_ArenaAlloc(arena, len * sizeof(SECItem));
-    if (chain->certs == NULL) goto no_memory;
-    
-    for(node = head, p = chain->certs; node; node = node->next, p++) {
-	rv = SECITEM_CopyItem(arena, p, &node->cert->derCert);
-	CERT_DestroyCertificate(node->cert);
-	node->cert = NULL;
-	if (rv < 0) goto loser;
-    }
-    if ( !includeRoot && len > 1) {
-	chain->len = len - 1;
-    } else {
-	chain->len = len;
-    }
-    
-    chain->arena = arena;
-
-    PORT_FreeArena(tmpArena, PR_FALSE);
-    
-    return chain;
-
-no_memory:
-    PORT_SetError(SEC_ERROR_NO_MEMORY);
-loser:
-    if (head != NULL) {
-	for (node = head; node; node = node->next) {
-	    if (node->cert != NULL)
-		CERT_DestroyCertificate(node->cert);
-	}
-    }
-
-    if (arena != NULL) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-
-    if (tmpArena != NULL) {
-	PORT_FreeArena(tmpArena, PR_FALSE);
-    }
-
-    return NULL;
-#else
-    CERTCertificateList *chain = NULL;
-    NSSCertificate **stanChain;
-    NSSCertificate *stanCert;
-    PRArenaPool *arena;
-    NSSUsage nssUsage;
-    int i, len;
-    NSSTrustDomain *td   = STAN_GetDefaultTrustDomain();
-    NSSCryptoContext *cc = STAN_GetDefaultCryptoContext();
-
-    stanCert = STAN_GetNSSCertificate(cert);
-    nssUsage.anyUsage = PR_FALSE;
-    nssUsage.nss3usage = usage;
-    nssUsage.nss3lookingForCA = PR_FALSE;
-    stanChain = NSSCertificate_BuildChain(stanCert, NULL, &nssUsage, NULL,
-					  NULL, 0, NULL, NULL, td, cc);
-    if (!stanChain) {
-	PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
-	return NULL;
-    }
-
-    len = 0;
-    stanCert = stanChain[0];
-    while (stanCert) {
-	stanCert = stanChain[++len];
-    }
-
-    arena = PORT_NewArena(4096);
-    if (arena == NULL) {
-	goto loser;
-    }
-
-    chain = (CERTCertificateList *)PORT_ArenaAlloc(arena, 
-                                                 sizeof(CERTCertificateList));
-    if (!chain) goto loser;
-    chain->certs = (SECItem*)PORT_ArenaAlloc(arena, len * sizeof(SECItem));
-    if (!chain->certs) goto loser;
-    i = 0;
-    stanCert = stanChain[i];
-    while (stanCert) {
-	SECItem derCert;
-	CERTCertificate *cCert = STAN_GetCERTCertificate(stanCert);
-	if (!cCert) {
-	    goto loser;
-	}
-	derCert.len = (unsigned int)stanCert->encoding.size;
-	derCert.data = (unsigned char *)stanCert->encoding.data;
-	derCert.type = siBuffer;
-	SECITEM_CopyItem(arena, &chain->certs[i], &derCert);
-	stanCert = stanChain[++i];
-	if (!stanCert && !cCert->isRoot) {
-	    /* reached the end of the chain, but the final cert is
-	     * not a root.  Don't discard it.
-	     */
-	    includeRoot = PR_TRUE;
-	}
-	CERT_DestroyCertificate(cCert);
-    }
-    if ( !includeRoot && len > 1) {
-	chain->len = len - 1;
-    } else {
-	chain->len = len;
-    }
-    
-    chain->arena = arena;
-    nss_ZFreeIf(stanChain);
-    return chain;
-loser:
-    i = 0;
-    stanCert = stanChain[i];
-    while (stanCert) {
-	CERTCertificate *cCert = STAN_GetCERTCertificate(stanCert);
-	if (cCert) {
-	    CERT_DestroyCertificate(cCert);
-	}
-	stanCert = stanChain[++i];
-    }
-    nss_ZFreeIf(stanChain);
-    if (arena) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    return NULL;
-#endif
-}
-
-/* Builds a CERTCertificateList holding just one DER-encoded cert, namely
-** the one for the cert passed as an argument.
-*/
-CERTCertificateList *
-CERT_CertListFromCert(CERTCertificate *cert)
-{
-    CERTCertificateList *chain = NULL;
-    int rv;
-    PRArenaPool *arena;
-
-    /* arena for SecCertificateList */
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) goto no_memory;
-
-    /* build the CERTCertificateList */
-    chain = (CERTCertificateList *)PORT_ArenaAlloc(arena, sizeof(CERTCertificateList));
-    if (chain == NULL) goto no_memory;
-    chain->certs = (SECItem*)PORT_ArenaAlloc(arena, 1 * sizeof(SECItem));
-    if (chain->certs == NULL) goto no_memory;
-    rv = SECITEM_CopyItem(arena, chain->certs, &(cert->derCert));
-    if (rv < 0) goto loser;
-    chain->len = 1;
-    chain->arena = arena;
-
-    return chain;
-
-no_memory:
-    PORT_SetError(SEC_ERROR_NO_MEMORY);
-loser:
-    if (arena != NULL) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    return NULL;
-}
-
-CERTCertificateList *
-CERT_DupCertList(CERTCertificateList * oldList)
-{
-    CERTCertificateList *newList = NULL;
-    PRArenaPool         *arena   = NULL;
-    SECItem             *newItem;
-    SECItem             *oldItem;
-    int                 len      = oldList->len;
-    int                 rv;
-
-    /* arena for SecCertificateList */
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) 
-	goto no_memory;
-
-    /* now build the CERTCertificateList */
-    newList = PORT_ArenaNew(arena, CERTCertificateList);
-    if (newList == NULL) 
-	goto no_memory;
-    newList->arena = arena;
-    newItem = (SECItem*)PORT_ArenaAlloc(arena, len * sizeof(SECItem));
-    if (newItem == NULL) 
-	goto no_memory;
-    newList->certs = newItem;
-    newList->len   = len;
-
-    for (oldItem = oldList->certs; len > 0; --len, ++newItem, ++oldItem) {
-	rv = SECITEM_CopyItem(arena, newItem, oldItem);
-	if (rv < 0) 
-	    goto loser;
-    }
-    return newList;
-
-no_memory:
-    PORT_SetError(SEC_ERROR_NO_MEMORY);
-loser:
-    if (arena != NULL) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    return NULL;
-}
-
-void
-CERT_DestroyCertificateList(CERTCertificateList *list)
-{
-    PORT_FreeArena(list->arena, PR_FALSE);
-}
-
diff --git a/security/nss/lib/certhigh/certhtml.c b/security/nss/lib/certhigh/certhtml.c
deleted file mode 100644
index 11ce4f6c8..000000000
--- a/security/nss/lib/certhigh/certhtml.c
+++ /dev/null
@@ -1,599 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * certhtml.c --- convert a cert to html
- *
- * $Id$
- */
-
-#include "seccomon.h"
-#include "secitem.h"
-#include "sechash.h"
-#include "cert.h"
-#include "keyhi.h"
-#include "secder.h"
-#include "prprf.h"
-#include "secport.h"
-#include "secasn1.h"
-#include "pk11func.h"
-
-static char *hex = "0123456789ABCDEF";
-
-/*
-** Convert a der-encoded integer to a hex printable string form
-*/
-char *CERT_Hexify (SECItem *i, int do_colon)
-{
-    unsigned char *cp, *end;
-    char *rv, *o;
-
-    if (!i->len) {
-	return PORT_Strdup("00");
-    }
-
-    rv = o = (char*) PORT_Alloc(i->len * 3);
-    if (!rv) return rv;
-
-    cp = i->data;
-    end = cp + i->len;
-    while (cp < end) {
-	unsigned char ch = *cp++;
-	*o++ = hex[(ch >> 4) & 0xf];
-	*o++ = hex[ch & 0xf];
-	if (cp != end) {
-	    if (do_colon) {
-		*o++ = ':';
-	    }
-	} 
-    }
-    *o = 0;           /* Null terminate the string */
-    return rv;
-}
-
-static char *
-gatherStrings(char **strings)
-{
-    char **strs;
-    int len;
-    char *ret;
-    char *s;
-
-    /* find total length of all strings */
-    strs = strings;
-    len = 0;
-    while ( *strs ) {
-	len += PORT_Strlen(*strs);
-	strs++;
-    }
-    
-    /* alloc enough memory for it */
-    ret = (char*)PORT_Alloc(len + 1);
-    if ( !ret ) {
-	return(ret);
-    }
-
-    s = ret;
-    
-    /* copy the strings */
-    strs = strings;
-    while ( *strs ) {
-	PORT_Strcpy(s, *strs);
-	s += PORT_Strlen(*strs);
-	strs++;
-    }
-
-    return( ret );
-}
-
-#define BREAK "<br>"
-#define BREAKLEN 4
-#define COMMA ", "
-#define COMMALEN 2
-
-#define MAX_OUS 20
-#define MAX_DC MAX_OUS
-
-
-char *CERT_FormatName (CERTName *name)
-{
-    CERTRDN** rdns;
-    CERTRDN * rdn;
-    CERTAVA** avas;
-    CERTAVA*  ava;
-    char *    buf	= 0;
-    char *    tmpbuf	= 0;
-    SECItem * cn	= 0;
-    SECItem * email	= 0;
-    SECItem * org	= 0;
-    SECItem * loc	= 0;
-    SECItem * state	= 0;
-    SECItem * country	= 0;
-    SECItem * dq     	= 0;
-
-    unsigned  len 	= 0;
-    int       tag;
-    int       i;
-    int       ou_count = 0;
-    int       dc_count = 0;
-    PRBool    first;
-    SECItem * orgunit[MAX_OUS];
-    SECItem * dc[MAX_DC];
-
-    /* Loop over name components and gather the interesting ones */
-    rdns = name->rdns;
-    while ((rdn = *rdns++) != 0) {
-	avas = rdn->avas;
-	while ((ava = *avas++) != 0) {
-	    tag = CERT_GetAVATag(ava);
-	    switch(tag) {
-	      case SEC_OID_AVA_COMMON_NAME:
-		cn = CERT_DecodeAVAValue(&ava->value);
-		len += cn->len;
-		break;
-	      case SEC_OID_AVA_COUNTRY_NAME:
-		country = CERT_DecodeAVAValue(&ava->value);
-		len += country->len;
-		break;
-	      case SEC_OID_AVA_LOCALITY:
-		loc = CERT_DecodeAVAValue(&ava->value);
-		len += loc->len;
-		break;
-	      case SEC_OID_AVA_STATE_OR_PROVINCE:
-		state = CERT_DecodeAVAValue(&ava->value);
-		len += state->len;
-		break;
-	      case SEC_OID_AVA_ORGANIZATION_NAME:
-		org = CERT_DecodeAVAValue(&ava->value);
-		len += org->len;
-		break;
-	      case SEC_OID_AVA_DN_QUALIFIER:
-		dq = CERT_DecodeAVAValue(&ava->value);
-		len += dq->len;
-		break;
-	      case SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME:
-		if (ou_count < MAX_OUS) {
-			orgunit[ou_count] = CERT_DecodeAVAValue(&ava->value);
-			len += orgunit[ou_count++]->len;
-		}
-		break;
-	      case SEC_OID_AVA_DC:
-		if (dc_count < MAX_DC) {
-			dc[dc_count] = CERT_DecodeAVAValue(&ava->value);
-			len += dc[dc_count++]->len;
-		}
-		break;
-	      case SEC_OID_PKCS9_EMAIL_ADDRESS:
-	      case SEC_OID_RFC1274_MAIL:
-		email = CERT_DecodeAVAValue(&ava->value);
-		len += email->len;
-		break;
-	      default:
-		break;
-	    }
-	}
-    }
-
-    /* XXX - add some for formatting */
-    len += 128;
-
-    /* allocate buffer */
-    buf = (char *)PORT_Alloc(len);
-    if ( !buf ) {
-	return(0);
-    }
-
-    tmpbuf = buf;
-    
-    if ( cn ) {
-	PORT_Memcpy(tmpbuf, cn->data, cn->len);
-	tmpbuf += cn->len;
-	PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
-	tmpbuf += BREAKLEN;
-	SECITEM_FreeItem(cn, PR_TRUE);
-    }
-    if ( email ) {
-	PORT_Memcpy(tmpbuf, email->data, email->len);
-	tmpbuf += ( email->len );
-	PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
-	tmpbuf += BREAKLEN;
-	SECITEM_FreeItem(email, PR_TRUE);
-    }
-    for (i=ou_count-1; i >= 0; i--) {
-	PORT_Memcpy(tmpbuf, orgunit[i]->data, orgunit[i]->len);
-	tmpbuf += ( orgunit[i]->len );
-	PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
-	tmpbuf += BREAKLEN;
-	SECITEM_FreeItem(orgunit[i], PR_TRUE);
-    }
-    if ( dq ) {
-	PORT_Memcpy(tmpbuf, dq->data, dq->len);
-	tmpbuf += ( dq->len );
-	PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
-	tmpbuf += BREAKLEN;
-	SECITEM_FreeItem(dq, PR_TRUE);
-    }
-    if ( org ) {
-	PORT_Memcpy(tmpbuf, org->data, org->len);
-	tmpbuf += ( org->len );
-	PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
-	tmpbuf += BREAKLEN;
-	SECITEM_FreeItem(org, PR_TRUE);
-    }
-    for (i=dc_count-1; i >= 0; i--) {
-	PORT_Memcpy(tmpbuf, dc[i]->data, dc[i]->len);
-	tmpbuf += ( dc[i]->len );
-	PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
-	tmpbuf += BREAKLEN;
-	SECITEM_FreeItem(dc[i], PR_TRUE);
-    }
-    first = PR_TRUE;
-    if ( loc ) {
-	PORT_Memcpy(tmpbuf, loc->data,  loc->len);
-	tmpbuf += ( loc->len );
-	first = PR_FALSE;
-	SECITEM_FreeItem(loc, PR_TRUE);
-    }
-    if ( state ) {
-	if ( !first ) {
-	    PORT_Memcpy(tmpbuf, COMMA, COMMALEN);
-	    tmpbuf += COMMALEN;
-	}
-	PORT_Memcpy(tmpbuf, state->data, state->len);
-	tmpbuf += ( state->len );
-	first = PR_FALSE;
-	SECITEM_FreeItem(state, PR_TRUE);
-    }
-    if ( country ) {
-	if ( !first ) {
-	    PORT_Memcpy(tmpbuf, COMMA, COMMALEN);
-	    tmpbuf += COMMALEN;
-	}
-	PORT_Memcpy(tmpbuf, country->data, country->len);
-	tmpbuf += ( country->len );
-	first = PR_FALSE;
-	SECITEM_FreeItem(country, PR_TRUE);
-    }
-    if ( !first ) {
-	PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
-	tmpbuf += BREAKLEN;
-    }
-
-    *tmpbuf = 0;
-
-    return(buf);
-}
-
-static char *sec_FortezzaClearance(SECItem *clearance) {
-    unsigned char clr = 0;
-
-    if (clearance->len > 0) { clr = clearance->data[0]; }
-
-    if (clr & 0x4) return "Top Secret";
-    if (clr & 0x8) return "Secret";
-    if (clr & 0x10) return "Confidential";
-    if (clr & 0x20) return "Sensitive";
-    if (clr & 0x40) return "Unclassified";
-    return "None";
-}
-
-static char *sec_FortezzaMessagePrivilege(SECItem *priv) {
-    unsigned char clr = 0;
-
-    if (priv->len > 0) { clr = (priv->data[0]) & 0x78; }
-
-    if (clr == 0x00) {
-	return "None";
-    } else {
-
-	return PR_smprintf("%s%s%s%s%s%s%s",
-
-	    clr&0x40?"Critical/Flash":"",
-	    (clr&0x40) && (clr&0x38) ? ", " : "" ,
-
-	    clr&0x20?"Immediate/Priority":"",
-	    (clr&0x20) && (clr&0x18) ? ", " : "" ,
-
-	    clr&0x10?"Routine/Deferred":"",
-	    (clr&0x10) && (clr&0x08) ? ", " : "" ,
-
-	    clr&0x08?"Rekey Agent":"");
-    }
-
-}
-					
-static char *sec_FortezzaCertPrivilege(SECItem *priv) {
-    unsigned char clr = 0;
-
-    if (priv->len > 0) { clr = priv->data[0]; }
-
-    return PR_smprintf("%s%s%s%s%s%s%s%s%s%s%s%s",
-	clr&0x40?"Organizational Releaser":"",
-	(clr&0x40) && (clr&0x3e) ? "," : "" ,
-	clr&0x20?"Policy Creation Authority":"",
-	(clr&0x20) && (clr&0x1e) ? "," : "" ,
-	clr&0x10?"Certificate Authority":"",
-	(clr&0x10) && (clr&0x0e) ? "," : "" ,
-	clr&0x08?"Local Managment Authority":"",
-	(clr&0x08) && (clr&0x06) ? "," : "" ,
-	clr&0x04?"Configuration Vector Authority":"",
-	(clr&0x04) && (clr&0x02) ? "," : "" ,
-	clr&0x02?"No Signature Capability":"",
-	clr&0x7e?"":"Signing Only"
-    );
-}
-
-static char *htmlcertstrings[] = {
-    "<table border=0 cellspacing=0 cellpadding=0><tr><td valign=top>"
-    "<font size=2><b>This Certificate belongs to:</b><br>"
-    "<table border=0 cellspacing=0 cellpadding=0><tr><td>",
-    0, /* image goes here */
-    0,
-    0,
-    "</td><td width=10> </td><td><font size=2>",
-    0, /* subject name goes here */
-    "</td></tr></table></font></td><td width=20> </td><td valign=top>"
-    "<font size=2><b>This Certificate was issued by:</b><br>"
-    "<table border=0 cellspacing=0 cellpadding=0><tr><td>",
-    0, /* image goes here */
-    0,
-    0,
-    "</td><td width=10> </td><td><font size=2>",
-    0, /* issuer name goes here */
-    "</td></tr></table></font></td></tr></table>"
-    "<b>Serial Number:</b> ",
-    0,
-    "<br><b>This Certificate is valid from ",
-    0, /* notBefore goes here */
-    " to ",
-    0, /* notAfter does here */
-    "</b><br><b>Clearance:</b>",
-    0,
-    "<br><b>DSS Privileges:</b>",
-    0,
-    "<br><b>KEA Privileges:</b>",
-    0,
-    "<br><b>KMID:</b>",
-    0,
-    "<br><b>Certificate Fingerprint:</b>"
-    "<table border=0 cellspacing=0 cellpadding=0><tr>"
-    "<td width=10> </td><td><font size=2>",
-    0, /* fingerprint goes here */
-    "</td></tr></table>",
-    0, /* comment header goes here */
-    0, /* comment goes here */
-    0, /* comment trailer goes here */
-    0
-};
-
-char *
-CERT_HTMLCertInfo(CERTCertificate *cert, PRBool showImages, PRBool showIssuer)
-{
-    SECStatus rv;
-    char *issuer, *subject, *serialNumber, *version;
-    char *notBefore, *notAfter;
-    char *ret;
-    char *nickname;
-    unsigned char fingerprint[16];   /* result of MD5, always 16 bytes */
-    char *fpstr;
-    SECItem fpitem;
-    char *commentstring = NULL;
-    SECKEYPublicKey *pubk;
-    char *DSSPriv;
-    char *KMID = NULL;
-    char *servername;
-    
-    if (!cert) {
-	return(0);
-    }
-
-    issuer = CERT_FormatName (&cert->issuer);
-    subject = CERT_FormatName (&cert->subject);
-    version = CERT_Hexify (&cert->version,1);
-    serialNumber = CERT_Hexify (&cert->serialNumber,1);
-    notBefore = DER_TimeChoiceDayToAscii(&cert->validity.notBefore);
-    notAfter = DER_TimeChoiceDayToAscii(&cert->validity.notAfter);
-    servername = CERT_FindNSStringExtension(cert,
-				   SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME);
-
-    nickname = cert->nickname;
-    if ( nickname == NULL ) {
-	showImages = PR_FALSE;
-    }
-
-    rv = CERT_FindCertExtension(cert, SEC_OID_NS_CERT_EXT_SUBJECT_LOGO,
-			       NULL);
-    
-    if ( rv || !showImages ) {
-	htmlcertstrings[1] = "";
-	htmlcertstrings[2] = "";
-	htmlcertstrings[3] = "";
-    } else {
-	htmlcertstrings[1] = "<img src=\"about:security?subject-logo=";
-	htmlcertstrings[2] = nickname;
-	htmlcertstrings[3] = "\">";
-    }
-
-    if ( servername ) {
-	char *tmpstr;
-	tmpstr = (char *)PORT_Alloc(PORT_Strlen(subject) +
-				    PORT_Strlen(servername) +
-				    sizeof("<br>") + 1);
-	if ( tmpstr ) {
-	    PORT_Strcpy(tmpstr, servername);
-	    PORT_Strcat(tmpstr, "<br>");
-	    PORT_Strcat(tmpstr, subject);
-	    PORT_Free(subject);
-	    subject = tmpstr;
-	}
-    }
-    
-    htmlcertstrings[5] = subject;
-
-    rv = CERT_FindCertExtension(cert, SEC_OID_NS_CERT_EXT_ISSUER_LOGO,
-			       NULL);
-    
-    if ( rv || !showImages ) {
-	htmlcertstrings[7] = "";
-	htmlcertstrings[8] = "";
-	htmlcertstrings[9] = "";
-    } else {
-	htmlcertstrings[7] = "<img src=\"about:security?issuer-logo=";
-	htmlcertstrings[8] = nickname;
-	htmlcertstrings[9] = "\">";
-    }
-
-    
-    if (showIssuer == PR_TRUE) {
-        htmlcertstrings[11] = issuer;
-    } else {
-	htmlcertstrings[11] = "";
-    }
-
-    htmlcertstrings[13] = serialNumber;
-    htmlcertstrings[15] = notBefore;
-    htmlcertstrings[17] = notAfter;
-
-    pubk = CERT_ExtractPublicKey(cert);
-    DSSPriv = NULL;
-    if (pubk && (pubk->keyType == fortezzaKey)) {
-	SECItem dummyitem;
-	htmlcertstrings[18] = "</b><br><b>Clearance:</b>";
-	htmlcertstrings[19] = sec_FortezzaClearance(
-					&pubk->u.fortezza.clearance);
-	htmlcertstrings[20] = "<br><b>DSS Privileges:</b>";
-	DSSPriv = sec_FortezzaCertPrivilege(
-					&pubk->u.fortezza.DSSpriviledge);
-	htmlcertstrings[21] = DSSPriv;
-	htmlcertstrings[22] = "<br><b>KEA Privileges:</b>";
-	htmlcertstrings[23] = sec_FortezzaMessagePrivilege(
-					&pubk->u.fortezza.KEApriviledge);
-	htmlcertstrings[24] = "<br><b>KMID:</b>";
-	dummyitem.data = &pubk->u.fortezza.KMID[0];
-	dummyitem.len = sizeof(pubk->u.fortezza.KMID);
-	KMID = CERT_Hexify (&dummyitem,0);
-	htmlcertstrings[25] = KMID;
-    } else {
-	/* clear out the headers in the non-fortezza cases */
-	htmlcertstrings[18] = "";
-	htmlcertstrings[19] = "";
-	htmlcertstrings[20] = "";
-	htmlcertstrings[21] = "";
-	htmlcertstrings[22] = "";
-	htmlcertstrings[23] = "";
-	htmlcertstrings[24] = "";
-	htmlcertstrings[25] = "</b>";
-    }
-
-    if (pubk) {
-      SECKEY_DestroyPublicKey(pubk);
-    }
-
-#define HTML_OFF 27
-    rv = PK11_HashBuf(SEC_OID_MD5, fingerprint, 
-    	              cert->derCert.data, cert->derCert.len);
-    
-    fpitem.data = fingerprint;
-    fpitem.len = sizeof(fingerprint);
-
-    fpstr = CERT_Hexify (&fpitem,1);
-    
-    htmlcertstrings[HTML_OFF] = fpstr;
-
-    commentstring = CERT_GetCertCommentString(cert);
-
-    if (commentstring == NULL) {
-	htmlcertstrings[HTML_OFF+2] = "";
-	htmlcertstrings[HTML_OFF+3] = "";
-	htmlcertstrings[HTML_OFF+4] = "";
-    } else {
-	htmlcertstrings[HTML_OFF+2] =
-	    "<b>Comment:</b>"
-	    "<table border=0 cellspacing=0 cellpadding=0><tr>"
-	    "<td width=10> </td><td><font size=3>"
-	    "<textarea name=foobar rows=4 cols=55 onfocus=\"this.blur()\">";
-	htmlcertstrings[HTML_OFF+3] = commentstring;
-	htmlcertstrings[HTML_OFF+4] = "</textarea></font></td></tr></table>";
-    }
-    
-    ret = gatherStrings(htmlcertstrings);
-    
-    if ( issuer ) {
-	PORT_Free(issuer);
-    }
-    
-    if ( subject ) {
-	PORT_Free(subject);
-    }
-    
-    if ( version ) {
-	PORT_Free(version);
-    }
-    
-    if ( serialNumber ) {
-	PORT_Free(serialNumber);
-    }
-    
-    if ( notBefore ) {
-	PORT_Free(notBefore);
-    }
-    
-    if ( notAfter ) {
-	PORT_Free(notAfter);
-    }
-    
-    if ( fpstr ) {
-	PORT_Free(fpstr);
-    }
-    if (DSSPriv) {
-	PORT_Free(DSSPriv);
-    }
-
-    if (KMID) {
-	PORT_Free(KMID);
-    }
-
-    if ( commentstring ) {
-	PORT_Free(commentstring);
-    }
-    
-    if ( servername ) {
-	PORT_Free(servername);
-    }
-    
-    return(ret);
-}
-
diff --git a/security/nss/lib/certhigh/certreq.c b/security/nss/lib/certhigh/certreq.c
deleted file mode 100644
index 148b71746..000000000
--- a/security/nss/lib/certhigh/certreq.c
+++ /dev/null
@@ -1,350 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "cert.h"
-#include "certt.h"
-#include "secder.h"
-#include "key.h"
-#include "secitem.h"
-#include "secasn1.h"
-#include "secerr.h"
-
-const SEC_ASN1Template CERT_AttributeTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	0, NULL, sizeof(CERTAttribute) },
-    { SEC_ASN1_OBJECT_ID, offsetof(CERTAttribute, attrType) },
-    { SEC_ASN1_SET_OF, offsetof(CERTAttribute, attrValue),
-	SEC_AnyTemplate },
-    { 0 }
-};
-
-const SEC_ASN1Template CERT_SetOfAttributeTemplate[] = {
-    { SEC_ASN1_SET_OF, 0, CERT_AttributeTemplate },
-};
-
-const SEC_ASN1Template CERT_CertificateRequestTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTCertificateRequest) },
-    { SEC_ASN1_INTEGER,
-	  offsetof(CERTCertificateRequest,version) },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTCertificateRequest,subject),
-	  CERT_NameTemplate },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTCertificateRequest,subjectPublicKeyInfo),
-	  CERT_SubjectPublicKeyInfoTemplate },
-    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
-	  offsetof(CERTCertificateRequest,attributes), 
-	  CERT_SetOfAttributeTemplate },
-    { 0 }
-};
-
-SEC_ASN1_CHOOSER_IMPLEMENT(CERT_CertificateRequestTemplate)
-
-CERTCertificate *
-CERT_CreateCertificate(unsigned long serialNumber,
-		      CERTName *issuer,
-		      CERTValidity *validity,
-		      CERTCertificateRequest *req)
-{
-    CERTCertificate *c;
-    int rv;
-    PRArenaPool *arena;
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    
-    if ( !arena ) {
-	return(0);
-    }
-
-    c = (CERTCertificate *)PORT_ArenaZAlloc(arena, sizeof(CERTCertificate));
-    
-    if (c) {
-	c->referenceCount = 1;
-	c->arena = arena;
-
-	/*
-	 * Default is a plain version 1.
-	 * If extensions are added, it will get changed as appropriate.
-	 */
-	rv = DER_SetUInteger(arena, &c->version, SEC_CERTIFICATE_VERSION_1);
-	if (rv) goto loser;
-
-	rv = DER_SetUInteger(arena, &c->serialNumber, serialNumber);
-	if (rv) goto loser;
-
-	rv = CERT_CopyName(arena, &c->issuer, issuer);
-	if (rv) goto loser;
-
-	rv = CERT_CopyValidity(arena, &c->validity, validity);
-	if (rv) goto loser;
-
-	rv = CERT_CopyName(arena, &c->subject, &req->subject);
-	if (rv) goto loser;
-	rv = SECKEY_CopySubjectPublicKeyInfo(arena, &c->subjectPublicKeyInfo,
-					  &req->subjectPublicKeyInfo);
-	if (rv) goto loser;
-    }
-    return c;
-
-  loser:
-    CERT_DestroyCertificate(c);
-    return 0;
-}
-
-/************************************************************************/
-/* It's clear from the comments that the original author of this 
- * function expected the template for certificate requests to treat
- * the attributes as a SET OF ANY.  This function expected to be 
- * passed an array of SECItems each of which contained an already encoded
- * Attribute.  But the cert request template does not treat the 
- * Attributes as a SET OF ANY, and AFAIK never has.  Instead the template
- * encodes attributes as a SET OF xxxxxxx.  That is, it expects to encode
- * each of the Attributes, not have them pre-encoded.  Consequently an 
- * array of SECItems containing encoded Attributes is of no value to this 
- * function.  But we cannot change the signature of this public function.
- * It must continue to take SECItems.
- *
- * I have recoded this function so that each SECItem contains an 
- * encoded cert extension.  The encoded cert extensions form the list for the
- * single attribute of the cert request. In this implementation there is at most
- * one attribute and it is always of type SEC_OID_PKCS9_EXTENSION_REQUEST.
- */
-
-CERTCertificateRequest *
-CERT_CreateCertificateRequest(CERTName *subject,
-			     CERTSubjectPublicKeyInfo *spki,
-			     SECItem **attributes)
-{
-    CERTCertificateRequest *certreq;
-    PRArenaPool *arena;
-    CERTAttribute * attribute;
-    SECOidData * oidData;
-    SECStatus rv;
-    int i = 0;
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( arena == NULL ) {
-	return NULL;
-    }
-    
-    certreq = PORT_ArenaZNew(arena, CERTCertificateRequest);
-    if (!certreq) {
-	PORT_FreeArena(arena, PR_FALSE);
-	return NULL;
-    }
-    /* below here it is safe to goto loser */
-
-    certreq->arena = arena;
-    
-    rv = DER_SetUInteger(arena, &certreq->version,
-			 SEC_CERTIFICATE_REQUEST_VERSION);
-    if (rv != SECSuccess)
-	goto loser;
-
-    rv = CERT_CopyName(arena, &certreq->subject, subject);
-    if (rv != SECSuccess)
-	goto loser;
-
-    rv = SECKEY_CopySubjectPublicKeyInfo(arena,
-				      &certreq->subjectPublicKeyInfo,
-				      spki);
-    if (rv != SECSuccess)
-	goto loser;
-
-    certreq->attributes = PORT_ArenaZNewArray(arena, CERTAttribute*, 2);
-    if(!certreq->attributes) 
-	goto loser;
-
-    /* Copy over attribute information */
-    if (!attributes || !attributes[0]) {
-	/*
-	 ** Invent empty attribute information. According to the
-	 ** pkcs#10 spec, attributes has this ASN.1 type:
-	 **
-	 ** attributes [0] IMPLICIT Attributes
-	 ** 
-	 ** Which means, we should create a NULL terminated list
-	 ** with the first entry being NULL;
-	 */
-	certreq->attributes[0] = NULL;
-	return certreq;
-    }	
-
-    /* allocate space for attributes */
-    attribute = PORT_ArenaZNew(arena, CERTAttribute);
-    if (!attribute) 
-	goto loser;
-
-    oidData = SECOID_FindOIDByTag( SEC_OID_PKCS9_EXTENSION_REQUEST );
-    PORT_Assert(oidData);
-    if (!oidData)
-	goto loser;
-    rv = SECITEM_CopyItem(arena, &attribute->attrType, &oidData->oid);
-    if (rv != SECSuccess)
-	goto loser;
-
-    for (i = 0; attributes[i] != NULL ; i++) 
-	;
-    attribute->attrValue = PORT_ArenaZNewArray(arena, SECItem *, i+1);
-    if (!attribute->attrValue) 
-	goto loser;
-
-    /* copy attributes */
-    for (i = 0; attributes[i]; i++) {
-	/*
-	** Attributes are a SetOf Attribute which implies
-	** lexigraphical ordering.  It is assumes that the
-	** attributes are passed in sorted.  If we need to
-	** add functionality to sort them, there is an
-	** example in the PKCS 7 code.
-	*/
-	attribute->attrValue[i] = SECITEM_ArenaDupItem(arena, attributes[i]);
-	if(!attribute->attrValue[i]) 
-	    goto loser;
-    }
-
-    certreq->attributes[0] = attribute;
-
-    return certreq;
-
-loser:
-    CERT_DestroyCertificateRequest(certreq);
-    return NULL;
-}
-
-void
-CERT_DestroyCertificateRequest(CERTCertificateRequest *req)
-{
-    if (req && req->arena) {
-	PORT_FreeArena(req->arena, PR_FALSE);
-    }
-    return;
-}
-
-static void
-setCRExt(void *o, CERTCertExtension **exts)
-{
-    ((CERTCertificateRequest *)o)->attributes = (struct CERTAttributeStr **)exts;
-}
-
-/*
-** Set up to start gathering cert extensions for a cert request.
-** The list is created as CertExtensions and converted to an
-** attribute list by CERT_FinishCRAttributes().
- */
-extern void *cert_StartExtensions(void *owner, PRArenaPool *ownerArena,
-                       void (*setExts)(void *object, CERTCertExtension **exts));
-void *
-CERT_StartCertificateRequestAttributes(CERTCertificateRequest *req)
-{
-    return (cert_StartExtensions ((void *)req, req->arena, setCRExt));
-}
-
-/*
-** At entry req->attributes actually contains an list of cert extensions--
-** req-attributes is overloaded until the list is DER encoded (the first
-** ...EncodeItem() below).
-** We turn this into an attribute list by encapsulating it
-** in a PKCS 10 Attribute structure
- */
-SECStatus
-CERT_FinishCertificateRequestAttributes(CERTCertificateRequest *req)
-{   SECItem *extlist;
-    SECOidData *oidrec;
-    CERTAttribute *attribute;
-   
-    if (!req || !req->arena) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-    if (req->attributes == NULL || req->attributes[0] == NULL)
-        return SECSuccess;
-
-    extlist = SEC_ASN1EncodeItem(req->arena, NULL, &req->attributes,
-                            SEC_ASN1_GET(CERT_SequenceOfCertExtensionTemplate));
-    if (extlist == NULL)
-        return(SECFailure);
-
-    oidrec = SECOID_FindOIDByTag(SEC_OID_PKCS9_EXTENSION_REQUEST);
-    if (oidrec == NULL)
-	return SECFailure;
-
-    /* now change the list of cert extensions into a list of attributes
-     */
-    req->attributes = PORT_ArenaZNewArray(req->arena, CERTAttribute*, 2);
-
-    attribute = PORT_ArenaZNew(req->arena, CERTAttribute);
-    
-    if (req->attributes == NULL || attribute == NULL ||
-        SECITEM_CopyItem(req->arena, &attribute->attrType, &oidrec->oid) != 0) {
-        PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return SECFailure;
-    }
-    attribute->attrValue = PORT_ArenaZNewArray(req->arena, SECItem*, 2);
-
-    if (attribute->attrValue == NULL)
-        return SECFailure;
-
-    attribute->attrValue[0] = extlist;
-    attribute->attrValue[1] = NULL;
-    req->attributes[0] = attribute;
-    req->attributes[1] = NULL;
-
-    return SECSuccess;
-}
-
-SECStatus
-CERT_GetCertificateRequestExtensions(CERTCertificateRequest *req,
-                                        CERTCertExtension ***exts)
-{
-    if (req == NULL || exts == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-    
-    if (req->attributes == NULL || *req->attributes == NULL)
-        return SECSuccess;
-    
-    if ((*req->attributes)->attrValue == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    return(SEC_ASN1DecodeItem(req->arena, exts, 
-            SEC_ASN1_GET(CERT_SequenceOfCertExtensionTemplate),
-            (*req->attributes)->attrValue[0]));
-}
diff --git a/security/nss/lib/certhigh/certvfy.c b/security/nss/lib/certhigh/certvfy.c
deleted file mode 100644
index 25d0eaf42..000000000
--- a/security/nss/lib/certhigh/certvfy.c
+++ /dev/null
@@ -1,2078 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#include "nspr.h"
-#include "secerr.h"
-#include "secport.h"
-#include "seccomon.h"
-#include "secoid.h"
-#include "sslerr.h"
-#include "genname.h"
-#include "keyhi.h"
-#include "cert.h"
-#include "certdb.h"
-#include "cryptohi.h"
-
-#ifndef NSS_3_4_CODE
-#define NSS_3_4_CODE
-#endif /* NSS_3_4_CODE */
-#include "nsspki.h"
-#include "pkitm.h"
-#include "pkim.h"
-#include "pki3hack.h"
-#include "base.h"
-
-#define PENDING_SLOP (24L*60L*60L)
-
-/*
- * WARNING - this function is depricated, and will go away in the near future.
- *	It has been superseded by CERT_CheckCertValidTimes().
- *
- * Check the validity times of a certificate
- */
-SECStatus
-CERT_CertTimesValid(CERTCertificate *c)
-{
-    int64 now, notBefore, notAfter, pendingSlop;
-    SECStatus rv;
-    
-    /* if cert is already marked OK, then don't bother to check */
-    if ( c->timeOK ) {
-	return(SECSuccess);
-    }
-    
-    /* get current time */
-    now = PR_Now();
-    rv = CERT_GetCertTimes(c, &notBefore, &notAfter);
-    
-    if (rv) {
-	return(SECFailure);
-    }
-    
-    LL_I2L(pendingSlop, PENDING_SLOP);
-    LL_SUB(notBefore, notBefore, pendingSlop);
-
-    if (LL_CMP(now, <, notBefore) || LL_CMP(now, >, notAfter)) {
-	PORT_SetError(SEC_ERROR_EXPIRED_CERTIFICATE);
-	return(SECFailure);
-    }
-
-    return(SECSuccess);
-}
-
-/*
- * verify the signature of a signed data object with the given DER publickey
- */
-SECStatus
-CERT_VerifySignedDataWithPublicKey(CERTSignedData *sd, 
-                                   SECKEYPublicKey *pubKey,
-		                   void *wincx)
-{
-    SECStatus        rv;
-    SECOidTag        algid;
-    SECItem          sig;
-
-    if ( !pubKey || !sd ) {
-	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
-	return SECFailure;
-    }
-
-    /* check the signature */
-    sig = sd->signature;
-    /* convert sig->len from bit counts to byte count. */
-    DER_ConvertBitString(&sig);
-
-    algid = SECOID_GetAlgorithmTag(&sd->signatureAlgorithm);
-    rv = VFY_VerifyData(sd->data.data, sd->data.len, pubKey, &sig,
-			algid, wincx);
-
-    return rv ? SECFailure : SECSuccess;
-}
-
-/*
- * verify the signature of a signed data object with the given DER publickey
- */
-SECStatus
-CERT_VerifySignedDataWithPublicKeyInfo(CERTSignedData *sd, 
-                                       CERTSubjectPublicKeyInfo *pubKeyInfo,
-		                       void *wincx)
-{
-    SECKEYPublicKey *pubKey;
-    SECStatus        rv		= SECFailure;
-
-    /* get cert's public key */
-    pubKey = SECKEY_ExtractPublicKey(pubKeyInfo);
-    if (pubKey) {
-	rv =  CERT_VerifySignedDataWithPublicKey(sd, pubKey, wincx);
-	SECKEY_DestroyPublicKey(pubKey);
-    }
-    return rv;
-}
-
-/*
- * verify the signature of a signed data object with the given certificate
- */
-SECStatus
-CERT_VerifySignedData(CERTSignedData *sd, CERTCertificate *cert,
-		      int64 t, void *wincx)
-{
-    SECKEYPublicKey *pubKey = 0;
-    SECStatus        rv     = SECFailure;
-    SECCertTimeValidity validity;
-
-    /* check the certificate's validity */
-    validity = CERT_CheckCertValidTimes(cert, t, PR_FALSE);
-    if ( validity != secCertTimeValid ) {
-	return rv;
-    }
-
-    /* get cert's public key */
-    pubKey = CERT_ExtractPublicKey(cert);
-    if (pubKey) {
-	rv =  CERT_VerifySignedDataWithPublicKey(sd, pubKey, wincx);
-	SECKEY_DestroyPublicKey(pubKey);
-    }
-    return rv;
-}
-
-
-/* Software FORTEZZA installation hack. The software fortezza installer does
- * not have access to the krl and cert.db file. Accept FORTEZZA Certs without
- * KRL's in this case. 
- */
-static int dont_use_krl = 0;
-/* not a public exposed function... */
-void sec_SetCheckKRLState(int value) { dont_use_krl = value; }
-
-SECStatus
-SEC_CheckKRL(CERTCertDBHandle *handle,SECKEYPublicKey *key,
-	     CERTCertificate *rootCert, int64 t, void * wincx)
-{
-    CERTSignedCrl *crl = NULL;
-    SECStatus rv = SECFailure;
-    SECStatus rv2;
-    CERTCrlEntry **crlEntry;
-    SECCertTimeValidity validity;
-    CERTCertificate *issuerCert = NULL;
-
-    if (dont_use_krl) return SECSuccess;
-
-    /* first look up the KRL */
-    crl = SEC_FindCrlByName(handle,&rootCert->derSubject, SEC_KRL_TYPE);
-    if (crl == NULL) {
-	PORT_SetError(SEC_ERROR_NO_KRL);
-	goto done;
-    }
-
-    /* get the issuing certificate */
-    issuerCert = CERT_FindCertByName(handle, &crl->crl.derName);
-    if (issuerCert == NULL) {
-        PORT_SetError(SEC_ERROR_KRL_BAD_SIGNATURE);
-        goto done;
-    }
-
-
-    /* now verify the KRL signature */
-    rv2 = CERT_VerifySignedData(&crl->signatureWrap, issuerCert, t, wincx);
-    if (rv2 != SECSuccess) {
-	PORT_SetError(SEC_ERROR_KRL_BAD_SIGNATURE);
-    	goto done;
-    }
-
-    /* Verify the date validity of the KRL */
-    validity = SEC_CheckCrlTimes(&crl->crl, t);
-    if (validity == secCertTimeExpired) {
-	PORT_SetError(SEC_ERROR_KRL_EXPIRED);
-	goto done;
-    }
-
-    /* now make sure the key in this cert is still valid */
-    if (key->keyType != fortezzaKey) {
-	PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
-	goto done; /* This should be an assert? */
-    }
-
-    /* now make sure the key is not on the revocation list */
-    for (crlEntry = crl->crl.entries; crlEntry && *crlEntry; crlEntry++) {
-	if (PORT_Memcmp((*crlEntry)->serialNumber.data,
-				key->u.fortezza.KMID,
-				    (*crlEntry)->serialNumber.len) == 0) {
-	    PORT_SetError(SEC_ERROR_REVOKED_KEY);
-	    goto done;
-	}
-    }
-    rv = SECSuccess;
-
-done:
-    if (issuerCert) CERT_DestroyCertificate(issuerCert);
-    if (crl) SEC_DestroyCrl(crl);
-    return rv;
-}
-
-SECStatus
-SEC_CheckCRL(CERTCertDBHandle *handle,CERTCertificate *cert,
-	     CERTCertificate *caCert, int64 t, void * wincx)
-{
-    return CERT_CheckCRL(cert, caCert, NULL, t, wincx);
-}
-
-/*
- * Find the issuer of a cert.  Use the authorityKeyID if it exists.
- */
-CERTCertificate *
-CERT_FindCertIssuer(CERTCertificate *cert, int64 validTime, SECCertUsage usage)
-{
-#ifdef NSS_CLASSIC
-    CERTAuthKeyID *   authorityKeyID = NULL;  
-    CERTCertificate * issuerCert     = NULL;
-    SECItem *         caName;
-    PRArenaPool       *tmpArena = NULL;
-
-    tmpArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    
-    if ( !tmpArena ) {
-	goto loser;
-    }
-    authorityKeyID = CERT_FindAuthKeyIDExten(tmpArena,cert);
-
-    if ( authorityKeyID != NULL ) {
-	/* has the authority key ID extension */
-	if ( authorityKeyID->keyID.data != NULL ) {
-	    /* extension contains a key ID, so lookup based on it */
-	    issuerCert = CERT_FindCertByKeyID(cert->dbhandle, &cert->derIssuer,
-					      &authorityKeyID->keyID);
-	    if ( issuerCert == NULL ) {
-		PORT_SetError (SEC_ERROR_UNKNOWN_ISSUER);
-		goto loser;
-	    }
-	    
-	} else if ( authorityKeyID->authCertIssuer != NULL ) {
-	    /* no key ID, so try issuer and serial number */
-	    caName = (SECItem*)CERT_GetGeneralNameByType(authorityKeyID->authCertIssuer,
-					       		 certDirectoryName, PR_TRUE);
-
-	    /*
-	     * caName is NULL when the authCertIssuer field is not
-	     * being used, or other name form is used instead.
-	     * If the directoryName format and serialNumber fields are
-	     * used, we use them to find the CA cert.
-	     * Note:
-	     *	By the time it gets here, we known for sure that if the
-	     *	authCertIssuer exists, then the authCertSerialNumber
-	     *	must also exists (CERT_DecodeAuthKeyID() ensures this).
-	     *	We don't need to check again. 
-	     */
-
-	    if (caName != NULL) {
-		CERTIssuerAndSN issuerSN;
-
-		issuerSN.derIssuer.data = caName->data;
-		issuerSN.derIssuer.len = caName->len;
-		issuerSN.serialNumber.data = 
-			authorityKeyID->authCertSerialNumber.data;
-		issuerSN.serialNumber.len = 
-			authorityKeyID->authCertSerialNumber.len;
-		issuerCert = CERT_FindCertByIssuerAndSN(cert->dbhandle,
-								&issuerSN);
-		if ( issuerCert == NULL ) {
-		    PORT_SetError (SEC_ERROR_UNKNOWN_ISSUER);
-		    goto loser;
-		}
-	    }
-	}
-    }
-    if ( issuerCert == NULL ) {
-	/* if there is not authorityKeyID, then try to find the issuer */
-	/* find a valid CA cert with correct usage */
-	issuerCert = CERT_FindMatchingCert(cert->dbhandle,
-					   &cert->derIssuer,
-					   certOwnerCA, usage, PR_TRUE,
-					   validTime, PR_TRUE);
-
-	/* if that fails, then fall back to grabbing any cert with right name*/
-	if ( issuerCert == NULL ) {
-	    issuerCert = CERT_FindCertByName(cert->dbhandle, &cert->derIssuer);
-	    if ( issuerCert == NULL ) {
-		PORT_SetError (SEC_ERROR_UNKNOWN_ISSUER);
-	    }
-	}
-    }
-
-loser:
-    if (tmpArena != NULL) {
-	PORT_FreeArena(tmpArena, PR_FALSE);
-	tmpArena = NULL;
-    }
-
-    return(issuerCert);
-#else
-    NSSCertificate *me;
-    NSSTime *nssTime;
-    NSSTrustDomain *td;
-    NSSCryptoContext *cc;
-    NSSCertificate *chain[3];
-    NSSUsage nssUsage;
-    PRStatus status;
-
-    me = STAN_GetNSSCertificate(cert);
-    if (!me) {
-        PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-    nssTime = NSSTime_SetPRTime(NULL, validTime);
-    nssUsage.anyUsage = PR_FALSE;
-    nssUsage.nss3usage = usage;
-    nssUsage.nss3lookingForCA = PR_TRUE;
-    memset(chain, 0, 3*sizeof(NSSCertificate *));
-    td   = STAN_GetDefaultTrustDomain();
-    cc = STAN_GetDefaultCryptoContext();
-    (void)NSSCertificate_BuildChain(me, nssTime, &nssUsage, NULL, 
-                                    chain, 2, NULL, &status, td, cc);
-    nss_ZFreeIf(nssTime);
-    if (status == PR_SUCCESS) {
-	/* if it's a root, the chain will only have one cert */
-	if (!chain[1]) {
-	    /* already has a reference from the call to BuildChain */
-	    return cert;
-	} else {
-	    CERT_DestroyCertificate(cert); /* the first cert in the chain */
-	    return STAN_GetCERTCertificate(chain[1]); /* return the 2nd */
-	}
-    } else {
-	if (chain[0]) {
-	    CERT_DestroyCertificate(cert);
-	}
-	PORT_SetError (SEC_ERROR_UNKNOWN_ISSUER);
-    }
-    return NULL;
-#endif
-}
-
-/*
- * return required trust flags for various cert usages for CAs
- */
-SECStatus
-CERT_TrustFlagsForCACertUsage(SECCertUsage usage,
-			      unsigned int *retFlags,
-			      SECTrustType *retTrustType)
-{
-    unsigned int requiredFlags;
-    SECTrustType trustType;
-
-    switch ( usage ) {
-      case certUsageSSLClient:
-	requiredFlags = CERTDB_TRUSTED_CLIENT_CA;
-	trustType = trustSSL;
-        break;
-      case certUsageSSLServer:
-      case certUsageSSLCA:
-	requiredFlags = CERTDB_TRUSTED_CA;
-	trustType = trustSSL;
-        break;
-      case certUsageSSLServerWithStepUp:
-	requiredFlags = CERTDB_TRUSTED_CA | CERTDB_GOVT_APPROVED_CA;
-	trustType = trustSSL;
-        break;
-      case certUsageEmailSigner:
-      case certUsageEmailRecipient:
-	requiredFlags = CERTDB_TRUSTED_CA;
-	trustType = trustEmail;
-	break;
-      case certUsageObjectSigner:
-	requiredFlags = CERTDB_TRUSTED_CA;
-	trustType = trustObjectSigning;
-	break;
-      case certUsageVerifyCA:
-      case certUsageAnyCA:
-      case certUsageStatusResponder:
-	requiredFlags = CERTDB_TRUSTED_CA;
-	trustType = trustTypeNone;
-	break;
-      default:
-	PORT_Assert(0);
-	goto loser;
-    }
-    if ( retFlags != NULL ) {
-	*retFlags = requiredFlags;
-    }
-    if ( retTrustType != NULL ) {
-	*retTrustType = trustType;
-    }
-    
-    return(SECSuccess);
-loser:
-    return(SECFailure);
-}
-
-
-
-
-
-static void
-AddToVerifyLog(CERTVerifyLog *log, CERTCertificate *cert, unsigned long error,
-	       unsigned int depth, void *arg)
-{
-    CERTVerifyLogNode *node, *tnode;
-
-    PORT_Assert(log != NULL);
-    
-    node = (CERTVerifyLogNode *)PORT_ArenaAlloc(log->arena,
-						sizeof(CERTVerifyLogNode));
-    if ( node != NULL ) {
-	node->cert = CERT_DupCertificate(cert);
-	node->error = error;
-	node->depth = depth;
-	node->arg = arg;
-	
-	if ( log->tail == NULL ) {
-	    /* empty list */
-	    log->head = log->tail = node;
-	    node->prev = NULL;
-	    node->next = NULL;
-	} else if ( depth >= log->tail->depth ) {
-	    /* add to tail */
-	    node->prev = log->tail;
-	    log->tail->next = node;
-	    log->tail = node;
-	    node->next = NULL;
-	} else if ( depth < log->head->depth ) {
-	    /* add at head */
-	    node->prev = NULL;
-	    node->next = log->head;
-	    log->head->prev = node;
-	    log->head = node;
-	} else {
-	    /* add in middle */
-	    tnode = log->tail;
-	    while ( tnode != NULL ) {
-		if ( depth >= tnode->depth ) {
-		    /* insert after tnode */
-		    node->prev = tnode;
-		    node->next = tnode->next;
-		    tnode->next->prev = node;
-		    tnode->next = node;
-		    break;
-		}
-
-		tnode = tnode->prev;
-	    }
-	}
-
-	log->count++;
-    }
-    return;
-}
-
-#define EXIT_IF_NOT_LOGGING(log) \
-    if ( log == NULL ) { \
-	goto loser; \
-    }
-
-#define LOG_ERROR_OR_EXIT(log,cert,depth,arg) \
-    if ( log != NULL ) { \
-	AddToVerifyLog(log, cert, PORT_GetError(), depth, (void *)arg); \
-    } else { \
-	goto loser; \
-    }
-
-#define LOG_ERROR(log,cert,depth,arg) \
-    if ( log != NULL ) { \
-	AddToVerifyLog(log, cert, PORT_GetError(), depth, (void *)arg); \
-    }
-
-
-typedef enum { cbd_None, cbd_User, cbd_CA } cbd_FortezzaType;
-
-static SECStatus
-cert_VerifyFortezzaV1Cert(CERTCertDBHandle *handle, CERTCertificate *cert,
-	cbd_FortezzaType *next_type, cbd_FortezzaType last_type,
-	int64 t, void *wincx)
-{
-    unsigned char priv = 0;
-    SECKEYPublicKey *key;
-    SECStatus rv;
-
-    *next_type = cbd_CA;
-
-    /* read the key */
-    key = CERT_ExtractPublicKey(cert);
-
-    /* Cant' get Key? fail. */
-    if (key == NULL) {
-    	PORT_SetError(SEC_ERROR_BAD_KEY);
-	return SECFailure;
-    }
-
-
-    /* if the issuer is not an old fortezza cert, we bail */
-    if (key->keyType != fortezzaKey) {
-    	SECKEY_DestroyPublicKey(key);
-	/* CA Cert not fortezza */
-    	PORT_SetError(SEC_ERROR_NOT_FORTEZZA_ISSUER);
-	return SECFailure;
-    }
-
-    /* get the privilege mask */
-    if (key->u.fortezza.DSSpriviledge.len > 0) {
-	priv = key->u.fortezza.DSSpriviledge.data[0];
-    }
-
-    /*
-     * make sure the CA's keys are OK
-     */
-            
-    rv = SEC_CheckKRL(handle, key, NULL, t, wincx);
-    SECKEY_DestroyPublicKey(key);
-    if (rv != SECSuccess) {
-	return rv;
-    }
-
-    switch (last_type) {
-      case cbd_User:
-	/* first check for subordination */
-	/*rv = FortezzaSubordinateCheck(cert,issuerCert);*/
-	rv = SECSuccess;
-
-	/* now check for issuer privilege */
-	if ((rv != SECSuccess) || ((priv & 0x10) == 0)) {
-	    /* bail */
-	    PORT_SetError (SEC_ERROR_CA_CERT_INVALID);
-	    return SECFailure;
-	}
-	break;
-      case cbd_CA:
-	if ((priv & 0x20) == 0) {
-	    /* bail */
-	    PORT_SetError (SEC_ERROR_CA_CERT_INVALID);
-	    return SECFailure;
-	}
-	break;
-      case cbd_None:
-	*next_type = (priv & 0x30) ? cbd_CA : cbd_User;
-	break;
-      default:
-	/* bail */ /* shouldn't ever happen */
-    	PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-
-static SECStatus
-cert_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert,
-		     PRBool checkSig, PRBool* sigerror,
-                     SECCertUsage certUsage, int64 t, void *wincx,
-                     CERTVerifyLog *log, PRBool* revoked)
-{
-    SECTrustType trustType;
-    CERTBasicConstraints basicConstraint;
-    CERTCertificate *issuerCert = NULL;
-    CERTCertificate *subjectCert = NULL;
-    CERTCertificate *badCert = NULL;
-    PRBool isca;
-    PRBool isFortezzaV1 = PR_FALSE;
-    SECStatus rv;
-    SECStatus rvFinal = SECSuccess;
-    int count;
-    int currentPathLen = 0;
-    int pathLengthLimit = CERT_UNLIMITED_PATH_CONSTRAINT;
-    int flags;
-    unsigned int caCertType;
-    unsigned int requiredCAKeyUsage;
-    unsigned int requiredFlags;
-    PRArenaPool *arena = NULL;
-    CERTGeneralName *namesList = NULL;
-    CERTCertificate **certsList      = NULL;
-    int certsListLen = 16;
-    int namesCount = 0;
-    PRBool subjectCertIsSelfIssued;
-
-    cbd_FortezzaType last_type = cbd_None;
-
-    if (revoked) {
-        *revoked = PR_FALSE;
-    }
-
-    if (CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_TRUE,
-					 &requiredCAKeyUsage,
-					 &caCertType)
-	!= SECSuccess ) {
-	PORT_Assert(0);
-	EXIT_IF_NOT_LOGGING(log);
-	requiredCAKeyUsage = 0;
-	caCertType = 0;
-    }
-
-    switch ( certUsage ) {
-      case certUsageSSLClient:
-      case certUsageSSLServer:
-      case certUsageSSLCA:
-      case certUsageSSLServerWithStepUp:
-      case certUsageEmailSigner:
-      case certUsageEmailRecipient:
-      case certUsageObjectSigner:
-      case certUsageVerifyCA:
-      case certUsageStatusResponder:
-	if ( CERT_TrustFlagsForCACertUsage(certUsage, &requiredFlags,
-					   &trustType) != SECSuccess ) {
-	    PORT_Assert(0);
-	    EXIT_IF_NOT_LOGGING(log);
-	    requiredFlags = 0;
-	    trustType = trustSSL;
-	}
-	break;
-      default:
-	PORT_Assert(0);
-	EXIT_IF_NOT_LOGGING(log);
-	requiredFlags = 0;
-	trustType = trustSSL;/* This used to be 0, but we need something
-			      * that matches the enumeration type.
-			      */
-	caCertType = 0;
-    }
-    
-    subjectCert = CERT_DupCertificate(cert);
-    if ( subjectCert == NULL ) {
-	goto loser;
-    }
-
-    /* determine if the cert is fortezza.
-     */
-    isFortezzaV1 = (PRBool)
-	(CERT_GetCertKeyType(&subjectCert->subjectPublicKeyInfo) 
-							== fortezzaKey);
-
-    if (isFortezzaV1) {
-	rv = cert_VerifyFortezzaV1Cert(handle, subjectCert, &last_type, 
-						cbd_None, t, wincx);
-	if (rv == SECFailure) {
-	    /**** PORT_SetError is already set by cert_VerifyFortezzaV1Cert **/
-	    LOG_ERROR_OR_EXIT(log,subjectCert,0,0);
-	}
-    }
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) {
-	goto loser;
-    }
-
-    certsList = PORT_ZNewArray(CERTCertificate *, certsListLen);
-    if (certsList == NULL)
-	goto loser;
-
-    /* RFC 3280 says that the name constraints will apply to the names
-    ** in the leaf (EE) cert, whether it is self issued or not, so
-    ** we pretend that it is not.
-    */
-    subjectCertIsSelfIssued = PR_FALSE;
-    for ( count = 0; count < CERT_MAX_CERT_CHAIN; count++ ) {
-	PRBool validCAOverride = PR_FALSE;
-
-	/* Construct a list of names for the current and all previous 
-	 * certifcates (except leaf (EE) certs, root CAs, and self-issued
-	 * intermediate CAs) to be verified against the name constraints 
-	 * extension of the issuer certificate. 
-	 */
-	if (subjectCertIsSelfIssued == PR_FALSE) {
-	    CERTGeneralName *subjectNameList;
-	    int subjectNameListLen;
-	    int i;
-	    subjectNameList    = CERT_GetCertificateNames(subjectCert, arena);
-	    subjectNameListLen = CERT_GetNamesLength(subjectNameList);
-	    if (certsListLen <= namesCount + subjectNameListLen) {
-		CERTCertificate **tmpCertsList;
-		certsListLen = (namesCount + subjectNameListLen) * 2;
-		tmpCertsList = 
-		    (CERTCertificate **)PORT_Realloc(certsList, 
-	                            certsListLen * sizeof(CERTCertificate *));
-		if (tmpCertsList == NULL) {
-		    goto loser;
-		}
-		certsList = tmpCertsList;
-	    }
-	    for (i = 0; i < subjectNameListLen; i++) {
-		certsList[namesCount + i] = subjectCert;
-	    }
-	    namesCount += subjectNameListLen;
-	    namesList = cert_CombineNamesLists(namesList, subjectNameList);
-	}
-	/* find the certificate of the issuer */
-	issuerCert = CERT_FindCertIssuer(subjectCert, t, certUsage);
-	if ( ! issuerCert ) {
-	    PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
-	    LOG_ERROR(log,subjectCert,count,0);
-	    goto loser;
-	}
-
-	/* verify the signature on the cert */
-	if ( checkSig ) {
-	    rv = CERT_VerifySignedData(&subjectCert->signatureWrap,
-				       issuerCert, t, wincx);
-    
-	    if ( rv != SECSuccess ) {
-                if (sigerror) {
-                    *sigerror = PR_TRUE;
-                }
-		if ( PORT_GetError() == SEC_ERROR_EXPIRED_CERTIFICATE ) {
-		    PORT_SetError(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE);
-		    LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
-		} else {
-		    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-		    LOG_ERROR_OR_EXIT(log,subjectCert,count,0);
-		}
-	    }
-	}
-
-	/*
-	 * XXX - fortezza may need error logging stuff added
-	 */
-	if (isFortezzaV1) {
-	    rv = cert_VerifyFortezzaV1Cert(handle, issuerCert, &last_type, 
-					last_type, t, wincx);
-	    if (rv == SECFailure) {
-		/**** PORT_SetError is already set by *
-		 * cert_VerifyFortezzaV1Cert **/
-		LOG_ERROR_OR_EXIT(log,subjectCert,0,0);
-	    }
-	}
-
-	/* If the basicConstraint extension is included in an immediate CA
-	 * certificate, make sure that the isCA flag is on.  If the
-	 * pathLenConstraint component exists, it must be greater than the
-	 * number of CA certificates we have seen so far.  If the extension
-	 * is omitted, we will assume that this is a CA certificate with
-	 * an unlimited pathLenConstraint (since it already passes the
-	 * netscape-cert-type extension checking).
-	 *
-	 * In the fortezza (V1) case, we've already checked the CA bits
-	 * in the key, so we're presumed to be a CA; however we really don't
-	 * want to bypass Basic constraint or netscape extension parsing.
-         * 
-         * In Fortezza V2, basicConstraint will be set for every CA,PCA,PAA
-	 */
-
-	rv = CERT_FindBasicConstraintExten(issuerCert, &basicConstraint);
-	if ( rv != SECSuccess ) {
-	    if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) {
-		LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
-	    } 
-	    pathLengthLimit = CERT_UNLIMITED_PATH_CONSTRAINT;
-	    /* no basic constraints found, if we're fortezza, CA bit is already
-	     * verified (isca = PR_TRUE). otherwise, we aren't (yet) a ca
-	     * isca = PR_FALSE */
-	    isca = isFortezzaV1;
-	} else  {
-	    if ( basicConstraint.isCA == PR_FALSE ) {
-		PORT_SetError (SEC_ERROR_CA_CERT_INVALID);
-		LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
-	    }
-	    pathLengthLimit = basicConstraint.pathLenConstraint;
-	    isca = PR_TRUE;
-	}    
-	/* make sure that the path len constraint is properly set.*/
-	if (pathLengthLimit >= 0 && currentPathLen > pathLengthLimit) {
-	    PORT_SetError (SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID);
-	    LOG_ERROR_OR_EXIT(log, issuerCert, count+1, pathLengthLimit);
-	}
-	
-	/* XXX - the error logging may need to go down into CRL stuff at some
-	 * point
-	 */
-	/* check revoked list (issuer) */
-        rv = SEC_CheckCRL(handle, subjectCert, issuerCert, t, wincx);
-        if (rv == SECFailure) {
-            if (revoked) {
-                *revoked = PR_TRUE;
-            }
-            LOG_ERROR_OR_EXIT(log,subjectCert,count,0);
-        } else if (rv == SECWouldBlock) {
-            /* We found something fishy, so we intend to issue an
-             * error to the user, but the user may wish to continue
-             * processing, in which case we better make sure nothing
-             * worse has happened... so keep cranking the loop */
-            rvFinal = SECFailure;
-            if (revoked) {
-                *revoked = PR_TRUE;
-            }
-            LOG_ERROR(log,subjectCert,count,0);
-        }
-
-	if ( issuerCert->trust ) {
-	    /* we have some trust info, but this does NOT imply that this
-	     * cert is actually trusted for any purpose.  The cert may be
-	     * explicitly UNtrusted.  We won't know until we examine the
-	     * trust bits.
-	     */
-	    if (certUsage == certUsageStatusResponder) {
-		/* XXX NSS has done this for years, but it seems incorrect. */
-		rv = rvFinal;
-		goto done;
-	    }
-
-	    /*
-	     * check the trust parms of the issuer
-	     */
-	    if ( certUsage == certUsageVerifyCA ) {
-		if ( subjectCert->nsCertType & NS_CERT_TYPE_EMAIL_CA ) {
-		    trustType = trustEmail;
-		} else if ( subjectCert->nsCertType & NS_CERT_TYPE_SSL_CA ) {
-		    trustType = trustSSL;
-		} else {
-		    trustType = trustObjectSigning;
-		}
-	    }
-	    
-	    flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
-	    
-	    if (flags & CERTDB_VALID_CA) {
-		if ( ( flags & requiredFlags ) == requiredFlags) {
-		    /* we found a trusted one, so return */
-		    rv = rvFinal; 
-		    goto done;
-		}
-		validCAOverride = PR_TRUE;
-	    }
-	}
-
-	if (!validCAOverride) {
-	    /*
-	     * Make sure that if this is an intermediate CA in the chain that
-	     * it was given permission by its signer to be a CA.
-	     */
-	    /*
-	     * if basicConstraints says it is a ca, then we check the
-	     * nsCertType.  If the nsCertType has any CA bits set, then
-	     * it must have the right one.
-	     */
-	    if (!isca || (issuerCert->nsCertType & NS_CERT_TYPE_CA)) {
-		isca = (issuerCert->nsCertType & caCertType) ? PR_TRUE : PR_FALSE;
-	    }
-	
-	    if (  !isca  ) {
-		PORT_SetError(SEC_ERROR_CA_CERT_INVALID);
-		LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
-	    }
-
-	    /* make sure key usage allows cert signing */
-	    if (CERT_CheckKeyUsage(issuerCert, requiredCAKeyUsage) != SECSuccess) {
-		PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
-		LOG_ERROR_OR_EXIT(log,issuerCert,count+1,requiredCAKeyUsage);
-	    }
-	}
-
-	/* make sure that the entire chain is within the name space of the 
-	** current issuer certificate.
-	*/
-	rv = CERT_CompareNameSpace(issuerCert, namesList, certsList, 
-	                           arena, &badCert);
-	if (rv != SECSuccess || badCert != NULL) {
-	    PORT_SetError(SEC_ERROR_CERT_NOT_IN_NAME_SPACE);
-            LOG_ERROR_OR_EXIT(log, badCert, count + 1, 0);
-	    goto loser;
-	}
-	/* make sure that the issuer is not self signed.  If it is, then
-	 * stop here to prevent looping.
-	 */
-	if (issuerCert->isRoot) {
-	    PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER);
-	    LOG_ERROR(log, issuerCert, count+1, 0);
-	    goto loser;
-	} 
-	/* The issuer cert will be the subject cert in the next loop.
-	 * A cert is self-issued if its subject and issuer are equal and
-	 * both are of non-zero length. 
-	 */
-	subjectCertIsSelfIssued = (PRBool)
-	    SECITEM_ItemsAreEqual(&issuerCert->derIssuer, 
-				  &issuerCert->derSubject) &&
-	    issuerCert->derSubject.len > 0;
-	if (subjectCertIsSelfIssued == PR_FALSE) {
-	    /* RFC 3280 says only non-self-issued intermediate CA certs 
-	     * count in path length.
-	     */
-	    ++currentPathLen;
-	}
-
-	CERT_DestroyCertificate(subjectCert);
-	subjectCert = issuerCert;
-	issuerCert = NULL;
-    }
-
-    PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
-    LOG_ERROR(log,subjectCert,count,0);
-loser:
-    rv = SECFailure;
-done:
-    if (certsList != NULL) {
-	PORT_Free(certsList);
-    }
-    if ( issuerCert ) {
-	CERT_DestroyCertificate(issuerCert);
-    }
-    
-    if ( subjectCert ) {
-	CERT_DestroyCertificate(subjectCert);
-    }
-
-    if ( arena != NULL ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    return rv;
-}
-
-SECStatus
-CERT_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert,
-		     PRBool checkSig, SECCertUsage certUsage, int64 t,
-		     void *wincx, CERTVerifyLog *log)
-{
-    return cert_VerifyCertChain(handle, cert, checkSig, NULL, certUsage, t,
-			 wincx, log, NULL);
-}
-
-/*
- * verify that a CA can sign a certificate with the requested usage.
- * XXX This function completely ignores cert path length constraints!
- */
-SECStatus
-CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
-		PRBool checkSig, SECCertUsage certUsage, int64 t,
-		void *wincx, CERTVerifyLog *log)
-{
-    SECTrustType trustType;
-    CERTBasicConstraints basicConstraint;
-    PRBool isca;
-    PRBool validCAOverride = PR_FALSE;
-    SECStatus rv;
-    SECComparison rvCompare;
-    SECStatus rvFinal = SECSuccess;
-    int flags;
-    unsigned int caCertType;
-    unsigned int requiredCAKeyUsage;
-    unsigned int requiredFlags;
-    CERTCertificate *issuerCert;
-
-
-    if (CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_TRUE,
-					 &requiredCAKeyUsage,
-					 &caCertType) != SECSuccess ) {
-	PORT_Assert(0);
-	EXIT_IF_NOT_LOGGING(log);
-	requiredCAKeyUsage = 0;
-	caCertType = 0;
-    }
-
-    switch ( certUsage ) {
-      case certUsageSSLClient:
-      case certUsageSSLServer:
-      case certUsageSSLCA:
-      case certUsageSSLServerWithStepUp:
-      case certUsageEmailSigner:
-      case certUsageEmailRecipient:
-      case certUsageObjectSigner:
-      case certUsageVerifyCA:
-      case certUsageStatusResponder:
-	if ( CERT_TrustFlagsForCACertUsage(certUsage, &requiredFlags,
-					   &trustType) != SECSuccess ) {
-	    PORT_Assert(0);
-	    EXIT_IF_NOT_LOGGING(log);
-	    requiredFlags = 0;
-	    trustType = trustSSL;
-	}
-	break;
-      default:
-	PORT_Assert(0);
-	EXIT_IF_NOT_LOGGING(log);
-	requiredFlags = 0;
-	trustType = trustSSL;/* This used to be 0, but we need something
-			      * that matches the enumeration type.
-			      */
-	caCertType = 0;
-    }
-    
-    /* If the basicConstraint extension is included in an intermmediate CA
-     * certificate, make sure that the isCA flag is on.  If the
-     * pathLenConstraint component exists, it must be greater than the
-     * number of CA certificates we have seen so far.  If the extension
-     * is omitted, we will assume that this is a CA certificate with
-     * an unlimited pathLenConstraint (since it already passes the
-     * netscape-cert-type extension checking).
-     *
-     * In the fortezza (V1) case, we've already checked the CA bits
-     * in the key, so we're presumed to be a CA; however we really don't
-     * want to bypass Basic constraint or netscape extension parsing.
-     * 
-     * In Fortezza V2, basicConstraint will be set for every CA,PCA,PAA
-     */
-
-    rv = CERT_FindBasicConstraintExten(cert, &basicConstraint);
-    if ( rv != SECSuccess ) {
-	if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) {
-	    LOG_ERROR_OR_EXIT(log,cert,0,0);
-	} 
-	/* no basic constraints found, if we're fortezza, CA bit is already
-	 * verified (isca = PR_TRUE). otherwise, we aren't (yet) a ca
-	 * isca = PR_FALSE */
-	isca = PR_FALSE;
-    } else  {
-	if ( basicConstraint.isCA == PR_FALSE ) {
-	    PORT_SetError (SEC_ERROR_CA_CERT_INVALID);
-	    LOG_ERROR_OR_EXIT(log,cert,0,0);
-	}
-
-	/* can't check path length if we don't know the previous path */
-	isca = PR_TRUE;
-    }
-	
-    if ( cert->trust ) {
-	/* we have some trust info, but this does NOT imply that this
-	 * cert is actually trusted for any purpose.  The cert may be
-	 * explicitly UNtrusted.  We won't know until we examine the
-	 * trust bits.
-	 */
-        if (certUsage == certUsageStatusResponder) {
-	    /* Check the special case of certUsageStatusResponder */
-            issuerCert = CERT_FindCertIssuer(cert, t, certUsage);
-            if (issuerCert) {
-                if (SEC_CheckCRL(handle, cert, issuerCert, t, wincx) 
-		    != SECSuccess) {
-                    PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
-                    CERT_DestroyCertificate(issuerCert);
-                    goto loser;
-                }
-                CERT_DestroyCertificate(issuerCert);
-            }
-	    /* XXX We have NOT determined that this cert is trusted.
-	     * For years, NSS has treated this as trusted, 
-	     * but it seems incorrect.
-	     */
-	    rv = rvFinal; 
-	    goto done;
-        }
-
-	/*
-	 * check the trust parms of the issuer
-	 */
-	flags = SEC_GET_TRUST_FLAGS(cert->trust, trustType);
-	    
-	if (flags & CERTDB_VALID_CA) {
-	    if ( ( flags & requiredFlags ) == requiredFlags) {
-		/* we found a trusted one, so return */
-		rv = rvFinal; 
-		goto done;
-	    }
-	    validCAOverride = PR_TRUE;
-	}
-    }
-    if (!validCAOverride) {
-	/*
-	 * Make sure that if this is an intermediate CA in the chain that
-	 * it was given permission by its signer to be a CA.
-	 */
-	/*
-	 * if basicConstraints says it is a ca, then we check the
-	 * nsCertType.  If the nsCertType has any CA bits set, then
-	 * it must have the right one.
-	 */
-	if (!isca || (cert->nsCertType & NS_CERT_TYPE_CA)) {
-	    isca = (cert->nsCertType & caCertType) ? PR_TRUE : PR_FALSE;
-	}
-	
-	if (!isca) {
-	    PORT_SetError(SEC_ERROR_CA_CERT_INVALID);
-	    LOG_ERROR_OR_EXIT(log,cert,0,0);
-	}
-	    
-	/* make sure key usage allows cert signing */
-	if (CERT_CheckKeyUsage(cert, requiredCAKeyUsage) != SECSuccess) {
-	    PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
-	    LOG_ERROR_OR_EXIT(log,cert,0,requiredCAKeyUsage);
-	}
-    }
-    /* make sure that the issuer is not self signed.  If it is, then
-     * stop here to prevent looping.
-     */
-    rvCompare = SECITEM_CompareItem(&cert->derSubject, &cert->derIssuer);
-    if (rvCompare == SECEqual) {
-	    PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER);
-	    LOG_ERROR(log, cert, 0, 0);
-	    goto loser;
-    }
-
-    return CERT_VerifyCertChain(handle, cert, checkSig, certUsage, t, 
-		     					wincx, log);
-loser:
-    rv = SECFailure;
-done:
-    return rv;
-}
-
-#define NEXT_USAGE() { \
-    i*=2; \
-    certUsage++; \
-    continue; \
-}
-
-#define VALID_USAGE() { \
-    NEXT_USAGE(); \
-}
-
-#define INVALID_USAGE() { \
-    if (returnedUsages) { \
-        *returnedUsages &= (~i); \
-    } \
-    if (PR_TRUE == requiredUsage) { \
-        valid = SECFailure; \
-    } \
-    NEXT_USAGE(); \
-}
-
-/*
- * verify a certificate by checking if it's valid and that we
- * trust the issuer.
- *
- * certificateUsage contains a bitfield of all cert usages that are
- * required for verification to succeed
- *
- * a bitfield of cert usages is returned in *returnedUsages
- * if requiredUsages is non-zero, the returned bitmap is only
- * for those required usages, otherwise it is for all usages
- *
- */
-SECStatus
-CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
-		PRBool checkSig, SECCertificateUsage requiredUsages, int64 t,
-		void *wincx, CERTVerifyLog *log, SECCertificateUsage* returnedUsages)
-{
-    SECStatus rv;
-    SECStatus valid;
-    unsigned int requiredKeyUsage;
-    unsigned int requiredCertType;
-    unsigned int flags;
-    unsigned int certType;
-    PRBool       allowOverride;
-    SECCertTimeValidity validity;
-    CERTStatusConfig *statusConfig;
-    PRInt32 i;
-    SECCertUsage certUsage = 0;
-    PRBool checkedOCSP = PR_FALSE;
-    PRBool checkAllUsages = PR_FALSE;
-    PRBool revoked = PR_FALSE;
-    PRBool sigerror = PR_FALSE;
-
-    if (!requiredUsages) {
-        /* there are no required usages, so the user probably wants to
-           get status for all usages */
-        checkAllUsages = PR_TRUE;
-    }
-
-    if (returnedUsages) {
-        *returnedUsages = 0;
-    } else {
-        /* we don't have a place to return status for all usages,
-           so we can skip checks for usages that aren't required */
-        checkAllUsages = PR_FALSE;
-    }
-    valid = SECSuccess ; /* start off assuming cert is valid */
-   
-#ifdef notdef 
-    /* check if this cert is in the Evil list */
-    rv = CERT_CheckForEvilCert(cert);
-    if ( rv != SECSuccess ) {
-	PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
-	LOG_ERROR(log,cert,0,0);
-	return SECFailure;
-    }
-#endif
-    
-    /* make sure that the cert is valid at time t */
-    allowOverride = (PRBool)((requiredUsages & certificateUsageSSLServer) ||
-                             (requiredUsages & certificateUsageSSLServerWithStepUp));
-    validity = CERT_CheckCertValidTimes(cert, t, allowOverride);
-    if ( validity != secCertTimeValid ) {
-        LOG_ERROR(log,cert,0,validity);
-	return SECFailure;
-    }
-
-    /* check key usage and netscape cert type */
-    cert_GetCertType(cert);
-    certType = cert->nsCertType;
-
-    for (i=1;i<=certificateUsageHighest && !(SECFailure == valid && !returnedUsages) ;) {
-        PRBool requiredUsage = (i & requiredUsages) ? PR_TRUE : PR_FALSE;
-        if (PR_FALSE == requiredUsage && PR_FALSE == checkAllUsages) {
-            NEXT_USAGE();
-        }
-        if (returnedUsages) {
-            *returnedUsages |= i; /* start off assuming this usage is valid */
-        }
-        switch ( certUsage ) {
-          case certUsageSSLClient:
-          case certUsageSSLServer:
-          case certUsageSSLServerWithStepUp:
-          case certUsageSSLCA:
-          case certUsageEmailSigner:
-          case certUsageEmailRecipient:
-          case certUsageObjectSigner:
-          case certUsageStatusResponder:
-            rv = CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_FALSE,
-                                                  &requiredKeyUsage,
-                                                  &requiredCertType);
-            if ( rv != SECSuccess ) {
-                PORT_Assert(0);
-                /* EXIT_IF_NOT_LOGGING(log); XXX ??? */
-                requiredKeyUsage = 0;
-                requiredCertType = 0;
-                INVALID_USAGE();
-            }
-            break;
-
-          case certUsageAnyCA:
-          case certUsageProtectedObjectSigner:
-          case certUsageUserCertImport:
-          case certUsageVerifyCA:
-              /* these usages cannot be verified */
-              NEXT_USAGE();
-
-          default:
-            PORT_Assert(0);
-            requiredKeyUsage = 0;
-            requiredCertType = 0;
-            INVALID_USAGE();
-        }
-        if ( CERT_CheckKeyUsage(cert, requiredKeyUsage) != SECSuccess ) {
-            if (PR_TRUE == requiredUsage) {
-                PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
-            }
-            LOG_ERROR(log,cert,0,requiredKeyUsage);
-            INVALID_USAGE();
-        }
-        if ( !( certType & requiredCertType ) ) {
-            if (PR_TRUE == requiredUsage) {
-                PORT_SetError(SEC_ERROR_INADEQUATE_CERT_TYPE);
-            }
-            LOG_ERROR(log,cert,0,requiredCertType);
-            INVALID_USAGE();
-        }
-
-        /* check trust flags to see if this cert is directly trusted */
-        if ( cert->trust ) { /* the cert is in the DB */
-            switch ( certUsage ) {
-              case certUsageSSLClient:
-              case certUsageSSLServer:
-                flags = cert->trust->sslFlags;
-
-                /* is the cert directly trusted or not trusted ? */
-                if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/
-                    if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
-                        VALID_USAGE();
-                    } else { /* don't trust this cert */
-                        if (PR_TRUE == requiredUsage) {
-                            PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
-                        }
-                        LOG_ERROR(log,cert,0,flags);
-                        INVALID_USAGE();
-                    }
-                }
-                break;
-              case certUsageSSLServerWithStepUp:
-                /* XXX - step up certs can't be directly trusted */
-                break;
-              case certUsageSSLCA:
-                break;
-              case certUsageEmailSigner:
-              case certUsageEmailRecipient:
-                flags = cert->trust->emailFlags;
-
-                /* is the cert directly trusted or not trusted ? */
-                if ( ( flags & ( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) ==
-                    ( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) {
-                    VALID_USAGE();
-                }
-                break;
-              case certUsageObjectSigner:
-                flags = cert->trust->objectSigningFlags;
-
-                /* is the cert directly trusted or not trusted ? */
-                if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/
-                    if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
-                        VALID_USAGE();
-                    } else { /* don't trust this cert */
-                        if (PR_TRUE == requiredUsage) {
-                            PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
-                        }
-                        LOG_ERROR(log,cert,0,flags);
-                        INVALID_USAGE();
-                    }
-                }
-                break;
-              case certUsageVerifyCA:
-              case certUsageStatusResponder:
-                flags = cert->trust->sslFlags;
-                /* is the cert directly trusted or not trusted ? */
-                if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
-                    ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
-                    VALID_USAGE();
-                }
-                flags = cert->trust->emailFlags;
-                /* is the cert directly trusted or not trusted ? */
-                if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
-                    ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
-                    VALID_USAGE();
-                }
-                flags = cert->trust->objectSigningFlags;
-                /* is the cert directly trusted or not trusted ? */
-                if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
-                    ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
-                    VALID_USAGE();
-                }
-                break;
-              case certUsageAnyCA:
-              case certUsageProtectedObjectSigner:
-              case certUsageUserCertImport:
-                /* XXX to make the compiler happy.  Should these be
-                 * explicitly handled?
-                 */
-                break;
-            }
-        }
-
-        if (PR_TRUE == revoked || PR_TRUE == sigerror) {
-            INVALID_USAGE();
-        }
-
-        rv = cert_VerifyCertChain(handle, cert,
-            checkSig, &sigerror,
-            certUsage, t, wincx, log,
-            &revoked);
-
-        if (rv != SECSuccess) {
-            /* EXIT_IF_NOT_LOGGING(log); XXX ???? */
-            INVALID_USAGE();
-        }
-
-        /*
-         * Check OCSP revocation status, but only if the cert we are checking
-         * is not a status reponder itself.  We only do this in the case
-         * where we checked the cert chain (above); explicit trust "wins"
-         * (avoids status checking, just as it avoids CRL checking) by
-         * bypassing this code.
-         */
-
-        if (PR_FALSE == checkedOCSP) {
-            checkedOCSP = PR_TRUE; /* only check OCSP once */
-            statusConfig = CERT_GetStatusConfig(handle);
-            if ( (! (requiredUsages & certificateUsageStatusResponder)) &&
-                statusConfig != NULL) {
-                if (statusConfig->statusChecker != NULL) {
-                    rv = (* statusConfig->statusChecker)(handle, cert,
-                                                                 t, wincx);
-                    if (rv != SECSuccess) {
-                        LOG_ERROR(log,cert,0,0);
-                        revoked = PR_TRUE;
-                        INVALID_USAGE();
-                    }
-                }
-            }
-        }
-
-        NEXT_USAGE();
-    }
-    
-    return(valid);
-}
-			
-/* obsolete, do not use for new code */
-SECStatus
-CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert,
-		PRBool checkSig, SECCertUsage certUsage, int64 t,
-		void *wincx, CERTVerifyLog *log)
-{
-    SECStatus rv;
-    unsigned int requiredKeyUsage;
-    unsigned int requiredCertType;
-    unsigned int flags;
-    unsigned int certType;
-    PRBool       allowOverride;
-    SECCertTimeValidity validity;
-    CERTStatusConfig *statusConfig;
-   
-#ifdef notdef 
-    /* check if this cert is in the Evil list */
-    rv = CERT_CheckForEvilCert(cert);
-    if ( rv != SECSuccess ) {
-	PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
-	LOG_ERROR_OR_EXIT(log,cert,0,0);
-    }
-#endif
-    
-    /* make sure that the cert is valid at time t */
-    allowOverride = (PRBool)((certUsage == certUsageSSLServer) ||
-                             (certUsage == certUsageSSLServerWithStepUp));
-    validity = CERT_CheckCertValidTimes(cert, t, allowOverride);
-    if ( validity != secCertTimeValid ) {
-	LOG_ERROR_OR_EXIT(log,cert,0,validity);
-    }
-
-    /* check key usage and netscape cert type */
-    cert_GetCertType(cert);
-    certType = cert->nsCertType;
-    switch ( certUsage ) {
-      case certUsageSSLClient:
-      case certUsageSSLServer:
-      case certUsageSSLServerWithStepUp:
-      case certUsageSSLCA:
-      case certUsageEmailSigner:
-      case certUsageEmailRecipient:
-      case certUsageObjectSigner:
-      case certUsageStatusResponder:
-	rv = CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_FALSE,
-					      &requiredKeyUsage,
-					      &requiredCertType);
-	if ( rv != SECSuccess ) {
-	    PORT_Assert(0);
-	    EXIT_IF_NOT_LOGGING(log);
-	    requiredKeyUsage = 0;
-	    requiredCertType = 0;
-	}
-	break;
-      case certUsageVerifyCA:
-	requiredKeyUsage = KU_KEY_CERT_SIGN;
-	requiredCertType = NS_CERT_TYPE_CA;
-	if ( ! ( certType & NS_CERT_TYPE_CA ) ) {
-	    certType |= NS_CERT_TYPE_CA;
-	}
-	break;
-      default:
-	PORT_Assert(0);
-	EXIT_IF_NOT_LOGGING(log);
-	requiredKeyUsage = 0;
-	requiredCertType = 0;
-    }
-    if ( CERT_CheckKeyUsage(cert, requiredKeyUsage) != SECSuccess ) {
-	PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
-	LOG_ERROR_OR_EXIT(log,cert,0,requiredKeyUsage);
-    }
-    if ( !( certType & requiredCertType ) ) {
-	PORT_SetError(SEC_ERROR_INADEQUATE_CERT_TYPE);
-	LOG_ERROR_OR_EXIT(log,cert,0,requiredCertType);
-    }
-
-    /* check trust flags to see if this cert is directly trusted */
-    if ( cert->trust ) { /* the cert is in the DB */
-	switch ( certUsage ) {
-	  case certUsageSSLClient:
-	  case certUsageSSLServer:
-	    flags = cert->trust->sslFlags;
-	    
-	    /* is the cert directly trusted or not trusted ? */
-	    if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/
-		if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
-		    goto winner;
-		} else { /* don't trust this cert */
-		    PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
-		    LOG_ERROR_OR_EXIT(log,cert,0,flags);
-		}
-	    }
-	    break;
-	  case certUsageSSLServerWithStepUp:
-	    /* XXX - step up certs can't be directly trusted */
-	    break;
-	  case certUsageSSLCA:
-	    break;
-	  case certUsageEmailSigner:
-	  case certUsageEmailRecipient:
-	    flags = cert->trust->emailFlags;
-	    
-	    /* is the cert directly trusted or not trusted ? */
-	    if ( ( flags & ( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) ==
-		( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) {
-		goto winner;
-	    }
-	    break;
-	  case certUsageObjectSigner:
-	    flags = cert->trust->objectSigningFlags;
-
-	    /* is the cert directly trusted or not trusted ? */
-	    if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/
-		if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
-		    goto winner;
-		} else { /* don't trust this cert */
-		    PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
-		    LOG_ERROR_OR_EXIT(log,cert,0,flags);
-		}
-	    }
-	    break;
-	  case certUsageVerifyCA:
-	  case certUsageStatusResponder:
-	    flags = cert->trust->sslFlags;
-	    /* is the cert directly trusted or not trusted ? */
-	    if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
-		( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
-		goto winner;
-	    }
-	    flags = cert->trust->emailFlags;
-	    /* is the cert directly trusted or not trusted ? */
-	    if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
-		( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
-		goto winner;
-	    }
-	    flags = cert->trust->objectSigningFlags;
-	    /* is the cert directly trusted or not trusted ? */
-	    if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
-		( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
-		goto winner;
-	    }
-	    break;
-	  case certUsageAnyCA:
-	  case certUsageProtectedObjectSigner:
-	  case certUsageUserCertImport:
-	    /* XXX to make the compiler happy.  Should these be
-	     * explicitly handled?
-	     */
-	    break;
-	}
-    }
-
-    rv = CERT_VerifyCertChain(handle, cert, checkSig, certUsage,
-			      t, wincx, log);
-    if (rv != SECSuccess) {
-	EXIT_IF_NOT_LOGGING(log);
-    }
-
-    /*
-     * Check revocation status, but only if the cert we are checking
-     * is not a status reponder itself.  We only do this in the case
-     * where we checked the cert chain (above); explicit trust "wins"
-     * (avoids status checking, just as it avoids CRL checking, which
-     * is all done inside VerifyCertChain) by bypassing this code.
-     */
-    statusConfig = CERT_GetStatusConfig(handle);
-    if (certUsage != certUsageStatusResponder && statusConfig != NULL) {
-	if (statusConfig->statusChecker != NULL) {
-	    rv = (* statusConfig->statusChecker)(handle, cert,
-							 t, wincx);
-	    if (rv != SECSuccess) {
-		LOG_ERROR_OR_EXIT(log,cert,0,0);
-	    }
-	}
-    }
-
-winner:
-    return(SECSuccess);
-
-loser:
-    rv = SECFailure;
-    
-    return(rv);
-}
-
-/*
- * verify a certificate by checking if its valid and that we
- * trust the issuer.  Verify time against now.
- */
-SECStatus
-CERT_VerifyCertificateNow(CERTCertDBHandle *handle, CERTCertificate *cert,
-		   PRBool checkSig, SECCertificateUsage requiredUsages,
-                   void *wincx, SECCertificateUsage* returnedUsages)
-{
-    return(CERT_VerifyCertificate(handle, cert, checkSig, 
-		   requiredUsages, PR_Now(), wincx, NULL, returnedUsages));
-}
-
-/* obsolete, do not use for new code */
-SECStatus
-CERT_VerifyCertNow(CERTCertDBHandle *handle, CERTCertificate *cert,
-		   PRBool checkSig, SECCertUsage certUsage, void *wincx)
-{
-    return(CERT_VerifyCert(handle, cert, checkSig, 
-		   certUsage, PR_Now(), wincx, NULL));
-}
-
-
-/* [ FROM pcertdb.c ] */
-/*
- * Supported usage values and types:
- *	certUsageSSLClient
- *	certUsageSSLServer
- *	certUsageSSLServerWithStepUp
- *	certUsageEmailSigner
- *	certUsageEmailRecipient
- *	certUsageObjectSigner
- */
-
-CERTCertificate *
-CERT_FindMatchingCert(CERTCertDBHandle *handle, SECItem *derName,
-		      CERTCertOwner owner, SECCertUsage usage,
-		      PRBool preferTrusted, int64 validTime, PRBool validOnly)
-{
-    CERTCertList *certList = NULL;
-    CERTCertificate *cert = NULL;
-    unsigned int requiredTrustFlags;
-    SECTrustType requiredTrustType;
-    unsigned int flags;
-    
-    PRBool lookingForCA = PR_FALSE;
-    SECStatus rv;
-    CERTCertListNode *node;
-    CERTCertificate *saveUntrustedCA = NULL;
-    
-    /* if preferTrusted is set, must be a CA cert */
-    PORT_Assert( ! ( preferTrusted && ( owner != certOwnerCA ) ) );
-    
-    if ( owner == certOwnerCA ) {
-	lookingForCA = PR_TRUE;
-	if ( preferTrusted ) {
-	    rv = CERT_TrustFlagsForCACertUsage(usage, &requiredTrustFlags,
-					       &requiredTrustType);
-	    if ( rv != SECSuccess ) {
-		goto loser;
-	    }
-	    requiredTrustFlags |= CERTDB_VALID_CA;
-	}
-    }
-
-    certList = CERT_CreateSubjectCertList(NULL, handle, derName, validTime,
-					  validOnly);
-    if ( certList != NULL ) {
-	rv = CERT_FilterCertListByUsage(certList, usage, lookingForCA);
-	if ( rv != SECSuccess ) {
-	    goto loser;
-	}
-	
-	node = CERT_LIST_HEAD(certList);
-	
-	while ( !CERT_LIST_END(node, certList) ) {
-	    cert = node->cert;
-
-	    /* looking for a trusted CA cert */
-	    if ( ( owner == certOwnerCA ) && preferTrusted &&
-		( requiredTrustType != trustTypeNone ) ) {
-
-		if ( cert->trust == NULL ) {
-		    flags = 0;
-		} else {
-		    flags = SEC_GET_TRUST_FLAGS(cert->trust, requiredTrustType);
-		}
-
-		if ( ( flags & requiredTrustFlags ) != requiredTrustFlags ) {
-		    /* cert is not trusted */
-		    /* if this is the first cert to get this far, then save
-		     * it, so we can use it if we can't find a trusted one
-		     */
-		    if ( saveUntrustedCA == NULL ) {
-			saveUntrustedCA = cert;
-		    }
-		    goto endloop;
-		}
-	    }
-	    /* if we got this far, then this cert meets all criteria */
-	    break;
-	    
-endloop:
-	    node = CERT_LIST_NEXT(node);
-	    cert = NULL;
-	}
-
-	/* use the saved one if we have it */
-	if ( cert == NULL ) {
-	    cert = saveUntrustedCA;
-	}
-
-	/* if we found one then bump the ref count before freeing the list */
-	if ( cert != NULL ) {
-	    /* bump the ref count */
-	    cert = CERT_DupCertificate(cert);
-	}
-	
-	CERT_DestroyCertList(certList);
-    }
-
-    return(cert);
-
-loser:
-    if ( certList != NULL ) {
-	CERT_DestroyCertList(certList);
-    }
-
-    return(NULL);
-}
-
-
-/* [ From certdb.c ] */
-/*
- * Filter a list of certificates, removing those certs that do not have
- * one of the named CA certs somewhere in their cert chain.
- *
- *	"certList" - the list of certificates to filter
- *	"nCANames" - number of CA names
- *	"caNames" - array of CA names in string(rfc 1485) form
- *	"usage" - what use the certs are for, this is used when
- *		selecting CA certs
- */
-SECStatus
-CERT_FilterCertListByCANames(CERTCertList *certList, int nCANames,
-			     char **caNames, SECCertUsage usage)
-{
-    CERTCertificate *issuerCert = NULL;
-    CERTCertificate *subjectCert;
-    CERTCertListNode *node, *freenode;
-    CERTCertificate *cert;
-    int n;
-    char **names;
-    PRBool found;
-    int64 time;
-    
-    if ( nCANames <= 0 ) {
-	return(SECSuccess);
-    }
-
-    time = PR_Now();
-    
-    node = CERT_LIST_HEAD(certList);
-    
-    while ( ! CERT_LIST_END(node, certList) ) {
-	cert = node->cert;
-	
-	subjectCert = CERT_DupCertificate(cert);
-
-	/* traverse the CA certs for this cert */
-	found = PR_FALSE;
-	while ( subjectCert != NULL ) {
-	    n = nCANames;
-	    names = caNames;
-	   
-            if (subjectCert->issuerName != NULL) { 
-	        while ( n > 0 ) {
-		    if ( PORT_Strcmp(*names, subjectCert->issuerName) == 0 ) {
-		        found = PR_TRUE;
-		        break;
-		    }
-
-		    n--;
-		    names++;
-                }
-	    }
-
-	    if ( found ) {
-		break;
-	    }
-	    
-	    issuerCert = CERT_FindCertIssuer(subjectCert, time, usage);
-	    if ( issuerCert == subjectCert ) {
-		CERT_DestroyCertificate(issuerCert);
-		issuerCert = NULL;
-		break;
-	    }
-	    CERT_DestroyCertificate(subjectCert);
-	    subjectCert = issuerCert;
-
-	}
-	CERT_DestroyCertificate(subjectCert);
-	if ( !found ) {
-	    /* CA was not found, so remove this cert from the list */
-	    freenode = node;
-	    node = CERT_LIST_NEXT(node);
-	    CERT_RemoveCertListNode(freenode);
-	} else {
-	    /* CA was found, so leave it in the list */
-	    node = CERT_LIST_NEXT(node);
-	}
-    }
-    
-    return(SECSuccess);
-}
-
-/*
- * Given a certificate, return a string containing the nickname, and possibly
- * one of the validity strings, based on the current validity state of the
- * certificate.
- *
- * "arena" - arena to allocate returned string from.  If NULL, then heap
- *	is used.
- * "cert" - the cert to get nickname from
- * "expiredString" - the string to append to the nickname if the cert is
- *		expired.
- * "notYetGoodString" - the string to append to the nickname if the cert is
- *		not yet good.
- */
-char *
-CERT_GetCertNicknameWithValidity(PRArenaPool *arena, CERTCertificate *cert,
-				 char *expiredString, char *notYetGoodString)
-{
-    SECCertTimeValidity validity;
-    char *nickname = NULL, *tmpstr = NULL;
-    
-    validity = CERT_CheckCertValidTimes(cert, PR_Now(), PR_FALSE);
-
-    /* if the cert is good, then just use the nickname directly */
-    if ( validity == secCertTimeValid ) {
-	if ( arena == NULL ) {
-	    nickname = PORT_Strdup(cert->nickname);
-	} else {
-	    nickname = PORT_ArenaStrdup(arena, cert->nickname);
-	}
-	
-	if ( nickname == NULL ) {
-	    goto loser;
-	}
-    } else {
-	    
-	/* if the cert is not valid, then tack one of the strings on the
-	 * end
-	 */
-	if ( validity == secCertTimeExpired ) {
-	    tmpstr = PR_smprintf("%s%s", cert->nickname,
-				 expiredString);
-	} else if ( validity == secCertTimeNotValidYet ) {
-	    /* not yet valid */
-	    tmpstr = PR_smprintf("%s%s", cert->nickname,
-				 notYetGoodString);
-        } else {
-            /* undetermined */
-	    tmpstr = PR_smprintf("%s",
-                        "(NULL) (Validity Unknown)");
-        }
-
-	if ( tmpstr == NULL ) {
-	    goto loser;
-	}
-
-	if ( arena ) {
-	    /* copy the string into the arena and free the malloc'd one */
-	    nickname = PORT_ArenaStrdup(arena, tmpstr);
-	    PORT_Free(tmpstr);
-	} else {
-	    nickname = tmpstr;
-	}
-	if ( nickname == NULL ) {
-	    goto loser;
-	}
-    }    
-    return(nickname);
-
-loser:
-    return(NULL);
-}
-
-/*
- * Collect the nicknames from all certs in a CertList.  If the cert is not
- * valid, append a string to that nickname.
- *
- * "certList" - the list of certificates
- * "expiredString" - the string to append to the nickname of any expired cert
- * "notYetGoodString" - the string to append to the nickname of any cert
- *		that is not yet valid
- */
-CERTCertNicknames *
-CERT_NicknameStringsFromCertList(CERTCertList *certList, char *expiredString,
-				 char *notYetGoodString)
-{
-    CERTCertNicknames *names;
-    PRArenaPool *arena;
-    CERTCertListNode *node;
-    char **nn;
-    
-    /* allocate an arena */
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( arena == NULL ) {
-	return(NULL);
-    }
-    
-    /* allocate the structure */
-    names = PORT_ArenaAlloc(arena, sizeof(CERTCertNicknames));
-    if ( names == NULL ) {
-	goto loser;
-    }
-
-    /* init the structure */
-    names->arena = arena;
-    names->head = NULL;
-    names->numnicknames = 0;
-    names->nicknames = NULL;
-    names->totallen = 0;
-
-    /* count the certs in the list */
-    node = CERT_LIST_HEAD(certList);
-    while ( ! CERT_LIST_END(node, certList) ) {
-	names->numnicknames++;
-	node = CERT_LIST_NEXT(node);
-    }
-    
-    /* allocate nicknames array */
-    names->nicknames = PORT_ArenaAlloc(arena,
-				       sizeof(char *) * names->numnicknames);
-    if ( names->nicknames == NULL ) {
-	goto loser;
-    }
-
-    /* just in case printf can't deal with null strings */
-    if (expiredString == NULL ) {
-	expiredString = "";
-    }
-
-    if ( notYetGoodString == NULL ) {
-	notYetGoodString = "";
-    }
-    
-    /* traverse the list of certs and collect the nicknames */
-    nn = names->nicknames;
-    node = CERT_LIST_HEAD(certList);
-    while ( ! CERT_LIST_END(node, certList) ) {
-	*nn = CERT_GetCertNicknameWithValidity(arena, node->cert,
-					       expiredString,
-					       notYetGoodString);
-	if ( *nn == NULL ) {
-	    goto loser;
-	}
-
-	names->totallen += PORT_Strlen(*nn);
-	
-	nn++;
-	node = CERT_LIST_NEXT(node);
-    }
-
-    return(names);
-
-loser:
-    PORT_FreeArena(arena, PR_FALSE);
-    return(NULL);
-}
-
-/*
- * Extract the nickname from a nickmake string that may have either
- * expiredString or notYetGoodString appended.
- *
- * Args:
- *	"namestring" - the string containing the nickname, and possibly
- *		one of the validity label strings
- *	"expiredString" - the expired validity label string
- *	"notYetGoodString" - the not yet good validity label string
- *
- * Returns the raw nickname
- */
-char *
-CERT_ExtractNicknameString(char *namestring, char *expiredString,
-			   char *notYetGoodString)
-{
-    int explen, nyglen, namelen;
-    int retlen;
-    char *retstr;
-    
-    namelen = PORT_Strlen(namestring);
-    explen = PORT_Strlen(expiredString);
-    nyglen = PORT_Strlen(notYetGoodString);
-    
-    if ( namelen > explen ) {
-	if ( PORT_Strcmp(expiredString, &namestring[namelen-explen]) == 0 ) {
-	    retlen = namelen - explen;
-	    retstr = (char *)PORT_Alloc(retlen+1);
-	    if ( retstr == NULL ) {
-		goto loser;
-	    }
-	    
-	    PORT_Memcpy(retstr, namestring, retlen);
-	    retstr[retlen] = '\0';
-	    goto done;
-	}
-    }
-
-    if ( namelen > nyglen ) {
-	if ( PORT_Strcmp(notYetGoodString, &namestring[namelen-nyglen]) == 0) {
-	    retlen = namelen - nyglen;
-	    retstr = (char *)PORT_Alloc(retlen+1);
-	    if ( retstr == NULL ) {
-		goto loser;
-	    }
-	    
-	    PORT_Memcpy(retstr, namestring, retlen);
-	    retstr[retlen] = '\0';
-	    goto done;
-	}
-    }
-
-    /* if name string is shorter than either invalid string, then it must
-     * be a raw nickname
-     */
-    retstr = PORT_Strdup(namestring);
-    
-done:
-    return(retstr);
-
-loser:
-    return(NULL);
-}
-
-CERTCertList *
-CERT_GetCertChainFromCert(CERTCertificate *cert, int64 time, SECCertUsage usage)
-{
-    CERTCertList *chain = NULL;
-
-    if (NULL == cert) {
-        return NULL;
-    }
-    
-    cert = CERT_DupCertificate(cert);
-    if (NULL == cert) {
-        PORT_SetError(SEC_ERROR_NO_MEMORY);
-        return NULL;
-    }
-
-    chain = CERT_NewCertList();
-    if (NULL == chain) {
-        PORT_SetError(SEC_ERROR_NO_MEMORY);
-        return NULL;
-    }
-
-    while (cert != NULL) {
-	if (SECSuccess != CERT_AddCertToListTail(chain, cert)) {
-            /* return partial chain */
-            PORT_SetError(SEC_ERROR_NO_MEMORY);
-            return chain;
-        }
-
-	if (SECITEM_CompareItem(&cert->derIssuer, &cert->derSubject)
-	    == SECEqual) {
-            /* return complete chain */
-	    return chain;
-	}
-
-	cert = CERT_FindCertIssuer(cert, time, usage);
-    }
-
-    /* return partial chain */
-    PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
-    return chain;
-}
diff --git a/security/nss/lib/certhigh/config.mk b/security/nss/lib/certhigh/config.mk
deleted file mode 100644
index 665828c63..000000000
--- a/security/nss/lib/certhigh/config.mk
+++ /dev/null
@@ -1,47 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#
-#  Override TARGETS variable so that only static libraries
-#  are specifed as dependencies within rules.mk.
-#
-
-TARGETS        = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PROGRAM        =
-
diff --git a/security/nss/lib/certhigh/crlv2.c b/security/nss/lib/certhigh/crlv2.c
deleted file mode 100644
index b6d8c9182..000000000
--- a/security/nss/lib/certhigh/crlv2.c
+++ /dev/null
@@ -1,141 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Code for dealing with x.509 v3 crl and crl entries extensions.
- *
- * $Id$
- */
-
-#include "cert.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "secoidt.h"
-#include "secder.h"
-#include "secasn1.h"
-#include "certxutl.h"
-
-SECStatus
-CERT_FindCRLExtensionByOID(CERTCrl *crl, SECItem *oid, SECItem *value)
-{
-    return (cert_FindExtensionByOID (crl->extensions, oid, value));
-}
-    
-
-SECStatus
-CERT_FindCRLExtension(CERTCrl *crl, int tag, SECItem *value)
-{
-    return (cert_FindExtension (crl->extensions, tag, value));
-}
-
-
-/* Callback to set extensions and adjust verison */
-static void
-SetCrlExts(void *object, CERTCertExtension **exts)
-{
-    CERTCrl *crl = (CERTCrl *)object;
-
-    crl->extensions = exts;
-    DER_SetUInteger (crl->arena, &crl->version, SEC_CRL_VERSION_2);
-}
-
-void *
-CERT_StartCRLExtensions(CERTCrl *crl)
-{
-    return (cert_StartExtensions ((void *)crl, crl->arena, SetCrlExts));
-}
-
-static void
-SetCrlEntryExts(void *object, CERTCertExtension **exts)
-{
-    CERTCrlEntry *crlEntry = (CERTCrlEntry *)object;
-
-    crlEntry->extensions = exts;
-}
-
-void *
-CERT_StartCRLEntryExtensions(CERTCrl *crl, CERTCrlEntry *entry)
-{
-    return (cert_StartExtensions (entry, crl->arena, SetCrlEntryExts));
-}
-
-SECStatus CERT_FindCRLNumberExten (CERTCrl *crl, CERTCrlNumber *value)
-{
-    SECItem encodedExtenValue;
-    SECStatus rv;
-
-    encodedExtenValue.data = NULL;
-    encodedExtenValue.len = 0;
-
-    rv = cert_FindExtension
-	 (crl->extensions, SEC_OID_X509_CRL_NUMBER, &encodedExtenValue);
-    if ( rv != SECSuccess )
-	return (rv);
-
-    rv = SEC_ASN1DecodeItem (NULL, value, SEC_IntegerTemplate,
-			     &encodedExtenValue);
-    PORT_Free (encodedExtenValue.data);
-    return (rv);
-}
-
-SECStatus CERT_FindCRLReasonExten (CERTCrl *crl, SECItem *value)
-{
-    return (CERT_FindBitStringExtension
-	    (crl->extensions, SEC_OID_X509_REASON_CODE, value));    
-}
-
-SECStatus CERT_FindInvalidDateExten (CERTCrl *crl, int64 *value)
-{
-    SECItem encodedExtenValue;
-    SECItem decodedExtenValue = {siBuffer,0};
-    SECStatus rv;
-
-    encodedExtenValue.data = decodedExtenValue.data = NULL;
-    encodedExtenValue.len = decodedExtenValue.len = 0;
-
-    rv = cert_FindExtension
-	 (crl->extensions, SEC_OID_X509_INVALID_DATE, &encodedExtenValue);
-    if ( rv != SECSuccess )
-	return (rv);
-
-    rv = SEC_ASN1DecodeItem (NULL, &decodedExtenValue,
-			     SEC_GeneralizedTimeTemplate, &encodedExtenValue);
-    if (rv == SECSuccess)
-	rv = DER_GeneralizedTimeToTime(value, &encodedExtenValue);
-    PORT_Free (decodedExtenValue.data);
-    PORT_Free (encodedExtenValue.data);
-    return (rv);
-}
diff --git a/security/nss/lib/certhigh/manifest.mn b/security/nss/lib/certhigh/manifest.mn
deleted file mode 100644
index bd8de3771..000000000
--- a/security/nss/lib/certhigh/manifest.mn
+++ /dev/null
@@ -1,63 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-CORE_DEPTH = ../../..
-
-EXPORTS = \
-	ocsp.h \
-	ocspt.h \
-	$(NULL)
-
-PRIVATE_EXPORTS = \
-	ocspti.h \
-	$(NULL)
-
-MODULE = nss
-
-CSRCS = \
-	certhtml.c \
-	certreq.c \
-	crlv2.c \
-	ocsp.c \
-	certhigh.c \
-    certvfy.c \
-    xcrldist.c \
-	$(NULL)
-
-REQUIRES = dbm
-
-LIBRARY_NAME = certhi
-
diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c
deleted file mode 100644
index 9eda390b4..000000000
--- a/security/nss/lib/certhigh/ocsp.c
+++ /dev/null
@@ -1,3998 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Implementation of OCSP services, for both client and server.
- * (XXX, really, mostly just for client right now, but intended to do both.)
- *
- * $Id$
- */
-
-#include "prerror.h"
-#include "prprf.h"
-#include "plarena.h"
-#include "prnetdb.h"
-
-#include "seccomon.h"
-#include "secitem.h"
-#include "secoidt.h"
-#include "secasn1.h"
-#include "secder.h"
-#include "cert.h"
-#include "xconst.h"
-#include "secerr.h"
-#include "secoid.h"
-#include "hasht.h"
-#include "sechash.h"
-#include "secasn1.h"
-#include "keyhi.h"
-#include "cryptohi.h"
-#include "ocsp.h"
-#include "ocspti.h"
-#include "genname.h"
-#include "certxutl.h"
-#include "pk11func.h"	/* for PK11_HashBuf */
-#include <stdarg.h>
-
-
-/*
- * The following structure is only used internally.  It is allocated when
- * someone turns on OCSP checking, and hangs off of the status-configuration
- * structure in the certdb structure.  We use it to keep configuration
- * information specific to OCSP checking.
- */
-typedef struct ocspCheckingContextStr {
-    PRBool useDefaultResponder;
-    char *defaultResponderURI;
-    char *defaultResponderNickname;
-    CERTCertificate *defaultResponderCert;
-} ocspCheckingContext;
-
-
-/*
- * Forward declarations of sub-types, so I can lay out the types in the
- * same order as the ASN.1 is laid out in the OCSP spec itself.
- *
- * These are in alphabetical order (case-insensitive); please keep it that way!
- */
-extern const SEC_ASN1Template ocsp_CertIDTemplate[];
-extern const SEC_ASN1Template ocsp_PointerToSignatureTemplate[];
-extern const SEC_ASN1Template ocsp_PointerToResponseBytesTemplate[];
-extern const SEC_ASN1Template ocsp_ResponseDataTemplate[];
-extern const SEC_ASN1Template ocsp_RevokedInfoTemplate[];
-extern const SEC_ASN1Template ocsp_SingleRequestTemplate[];
-extern const SEC_ASN1Template ocsp_SingleResponseTemplate[];
-extern const SEC_ASN1Template ocsp_TBSRequestTemplate[];
-
-
-/*
- * Request-related templates...
- */
-
-/*
- * OCSPRequest	::=	SEQUENCE {
- *	tbsRequest		TBSRequest,
- *	optionalSignature	[0] EXPLICIT Signature OPTIONAL }
- */
-static const SEC_ASN1Template ocsp_OCSPRequestTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	0, NULL, sizeof(CERTOCSPRequest) },
-    { SEC_ASN1_POINTER,
-	offsetof(CERTOCSPRequest, tbsRequest),
-	ocsp_TBSRequestTemplate },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
-      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
-	offsetof(CERTOCSPRequest, optionalSignature),
-	ocsp_PointerToSignatureTemplate },
-    { 0 }
-};
-
-/*
- * TBSRequest	::=	SEQUENCE {
- *	version			[0] EXPLICIT Version DEFAULT v1,
- *	requestorName		[1] EXPLICIT GeneralName OPTIONAL,
- *	requestList		SEQUENCE OF Request,
- *	requestExtensions	[2] EXPLICIT Extensions OPTIONAL }
- *
- * Version	::=	INTEGER { v1(0) }
- *
- * Note: this should be static but the AIX compiler doesn't like it (because it
- * was forward-declared above); it is not meant to be exported, but this
- * is the only way it will compile.
- */
-const SEC_ASN1Template ocsp_TBSRequestTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	0, NULL, sizeof(ocspTBSRequest) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |		/* XXX DER_DEFAULT */
-      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
-	offsetof(ocspTBSRequest, version),
-	SEC_IntegerTemplate },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
-      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
-	offsetof(ocspTBSRequest, derRequestorName),
-	SEC_PointerToAnyTemplate },
-    { SEC_ASN1_SEQUENCE_OF,
-	offsetof(ocspTBSRequest, requestList),
-	ocsp_SingleRequestTemplate },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
-      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2,
-	offsetof(ocspTBSRequest, requestExtensions),
-	CERT_SequenceOfCertExtensionTemplate },
-    { 0 }
-};
-
-/*
- * Signature	::=	SEQUENCE {
- *	signatureAlgorithm	AlgorithmIdentifier,
- *	signature		BIT STRING,
- *	certs			[0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
- */
-static const SEC_ASN1Template ocsp_SignatureTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	0, NULL, sizeof(ocspSignature) },
-    { SEC_ASN1_INLINE,
-	offsetof(ocspSignature, signatureAlgorithm),
-	SECOID_AlgorithmIDTemplate },
-    { SEC_ASN1_BIT_STRING,
-	offsetof(ocspSignature, signature) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
-      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
-	offsetof(ocspSignature, derCerts), 
-	SEC_SequenceOfAnyTemplate },
-    { 0 }
-};
-
-/*
- * This template is just an extra level to use in an explicitly-tagged
- * reference to a Signature.
- *
- * Note: this should be static but the AIX compiler doesn't like it (because it
- * was forward-declared above); it is not meant to be exported, but this
- * is the only way it will compile.
- */
-const SEC_ASN1Template ocsp_PointerToSignatureTemplate[] = {
-    { SEC_ASN1_POINTER, 0, ocsp_SignatureTemplate }
-};
-
-/*
- * Request	::=	SEQUENCE {
- *	reqCert			CertID,
- *	singleRequestExtensions	[0] EXPLICIT Extensions OPTIONAL }
- *
- * Note: this should be static but the AIX compiler doesn't like it (because it
- * was forward-declared above); it is not meant to be exported, but this
- * is the only way it will compile.
- */
-const SEC_ASN1Template ocsp_SingleRequestTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 
-	0, NULL, sizeof(ocspSingleRequest) },
-    { SEC_ASN1_POINTER,
-	offsetof(ocspSingleRequest, reqCert),
-	ocsp_CertIDTemplate },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
-      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
-	offsetof(ocspSingleRequest, singleRequestExtensions),
-	CERT_SequenceOfCertExtensionTemplate },
-    { 0 }
-};
-
-
-/*
- * This data structure and template (CertID) is used by both OCSP
- * requests and responses.  It is the only one that is shared.
- *
- * CertID	::=	SEQUENCE {
- *	hashAlgorithm		AlgorithmIdentifier,
- *	issuerNameHash		OCTET STRING,	-- Hash of Issuer DN
- *	issuerKeyHash		OCTET STRING,	-- Hash of Issuer public key
- *	serialNumber		CertificateSerialNumber }
- *
- * CertificateSerialNumber ::=	INTEGER
- *
- * Note: this should be static but the AIX compiler doesn't like it (because it
- * was forward-declared above); it is not meant to be exported, but this
- * is the only way it will compile.
- */
-const SEC_ASN1Template ocsp_CertIDTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 
-	0, NULL, sizeof(CERTOCSPCertID) },
-    { SEC_ASN1_INLINE,
-	offsetof(CERTOCSPCertID, hashAlgorithm),
-	SECOID_AlgorithmIDTemplate },
-    { SEC_ASN1_OCTET_STRING,
-	offsetof(CERTOCSPCertID, issuerNameHash) },
-    { SEC_ASN1_OCTET_STRING,
-	offsetof(CERTOCSPCertID, issuerKeyHash) },
-    { SEC_ASN1_INTEGER, 
-	offsetof(CERTOCSPCertID, serialNumber) },
-    { 0 }
-};
-
-
-/*
- * Response-related templates...
- */
-
-/*
- * OCSPResponse	::=	SEQUENCE {
- *	responseStatus		OCSPResponseStatus,
- *	responseBytes		[0] EXPLICIT ResponseBytes OPTIONAL }
- */
-static const SEC_ASN1Template ocsp_OCSPResponseTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 
-	0, NULL, sizeof(CERTOCSPResponse) },
-    { SEC_ASN1_ENUMERATED, 
-	offsetof(CERTOCSPResponse, responseStatus) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
-      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
-	offsetof(CERTOCSPResponse, responseBytes),
-	ocsp_PointerToResponseBytesTemplate },
-    { 0 }
-};
-
-/*
- * ResponseBytes	::=	SEQUENCE {
- *	responseType		OBJECT IDENTIFIER,
- *	response		OCTET STRING }
- */
-static const SEC_ASN1Template ocsp_ResponseBytesTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	0, NULL, sizeof(ocspResponseBytes) },
-    { SEC_ASN1_OBJECT_ID,
-	offsetof(ocspResponseBytes, responseType) },
-    { SEC_ASN1_OCTET_STRING,
-	offsetof(ocspResponseBytes, response) },
-    { 0 }
-};
-
-/*
- * This template is just an extra level to use in an explicitly-tagged
- * reference to a ResponseBytes.
- *
- * Note: this should be static but the AIX compiler doesn't like it (because it
- * was forward-declared above); it is not meant to be exported, but this
- * is the only way it will compile.
- */
-const SEC_ASN1Template ocsp_PointerToResponseBytesTemplate[] = {
-    { SEC_ASN1_POINTER, 0, ocsp_ResponseBytesTemplate }
-};
-
-/*
- * BasicOCSPResponse	::=	SEQUENCE {
- *	tbsResponseData		ResponseData,
- *	signatureAlgorithm	AlgorithmIdentifier,
- *	signature		BIT STRING,
- *	certs			[0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
- */
-static const SEC_ASN1Template ocsp_BasicOCSPResponseTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	0, NULL, sizeof(ocspBasicOCSPResponse) },
-    { SEC_ASN1_POINTER,
-	offsetof(ocspBasicOCSPResponse, tbsResponseData),
-	ocsp_ResponseDataTemplate },
-    { SEC_ASN1_INLINE,
-	offsetof(ocspBasicOCSPResponse, responseSignature.signatureAlgorithm),
-	SECOID_AlgorithmIDTemplate },
-    { SEC_ASN1_BIT_STRING,
-	offsetof(ocspBasicOCSPResponse, responseSignature.signature) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
-      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
-	offsetof(ocspBasicOCSPResponse, responseSignature.derCerts),
-	SEC_SequenceOfAnyTemplate },
-    { 0 }
-};
-
-/*
- * ResponseData	::=	SEQUENCE {
- *	version			[0] EXPLICIT Version DEFAULT v1,
- *	responderID		ResponderID,
- *	producedAt		GeneralizedTime,
- *	responses		SEQUENCE OF SingleResponse,
- *	responseExtensions	[1] EXPLICIT Extensions OPTIONAL }
- *
- * Note: this should be static but the AIX compiler doesn't like it (because it
- * was forward-declared above); it is not meant to be exported, but this
- * is the only way it will compile.
- */
-const SEC_ASN1Template ocsp_ResponseDataTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	0, NULL, sizeof(ocspResponseData) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |		/* XXX DER_DEFAULT */
-      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
-	offsetof(ocspResponseData, version),
-	SEC_IntegerTemplate },
-    { SEC_ASN1_ANY,
-	offsetof(ocspResponseData, derResponderID) },
-    { SEC_ASN1_GENERALIZED_TIME,
-	offsetof(ocspResponseData, producedAt) },
-    { SEC_ASN1_SEQUENCE_OF,
-	offsetof(ocspResponseData, responses),
-	ocsp_SingleResponseTemplate },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
-      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
-	offsetof(ocspResponseData, responseExtensions),
-	CERT_SequenceOfCertExtensionTemplate },
-    { 0 }
-};
-
-/*
- * ResponderID	::=	CHOICE {
- *	byName			[1] EXPLICIT Name,
- *	byKey			[2] EXPLICIT KeyHash }
- *
- * KeyHash ::=	OCTET STRING -- SHA-1 hash of responder's public key
- * (excluding the tag and length fields)
- *
- * XXX Because the ASN.1 encoder and decoder currently do not provide
- * a way to automatically handle a CHOICE, we need to do it in two
- * steps, looking at the type tag and feeding the exact choice back
- * to the ASN.1 code.  Hopefully that will change someday and this
- * can all be simplified down into a single template.  Anyway, for
- * now we list each choice as its own template:
- */
-static const SEC_ASN1Template ocsp_ResponderIDByNameTemplate[] = {
-    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
-	offsetof(ocspResponderID, responderIDValue.name),
-	CERT_NameTemplate }
-};
-static const SEC_ASN1Template ocsp_ResponderIDByKeyTemplate[] = {
-    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2,
-	offsetof(ocspResponderID, responderIDValue.keyHash),
-	SEC_OctetStringTemplate }
-};
-static const SEC_ASN1Template ocsp_ResponderIDOtherTemplate[] = {
-    { SEC_ASN1_ANY,
-	offsetof(ocspResponderID, responderIDValue.other) }
-};
-
-/*
- * SingleResponse	::=	SEQUENCE {
- *	certID			CertID,
- *	certStatus		CertStatus,
- *	thisUpdate		GeneralizedTime,
- *	nextUpdate		[0] EXPLICIT GeneralizedTime OPTIONAL,
- *	singleExtensions	[1] EXPLICIT Extensions OPTIONAL }
- *
- * Note: this should be static but the AIX compiler doesn't like it (because it
- * was forward-declared above); it is not meant to be exported, but this
- * is the only way it will compile.
- */
-const SEC_ASN1Template ocsp_SingleResponseTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	0, NULL, sizeof(CERTOCSPSingleResponse) },
-    { SEC_ASN1_POINTER,
-	offsetof(CERTOCSPSingleResponse, certID),
-	ocsp_CertIDTemplate },
-    { SEC_ASN1_ANY,
-	offsetof(CERTOCSPSingleResponse, derCertStatus) },
-    { SEC_ASN1_GENERALIZED_TIME,
-	offsetof(CERTOCSPSingleResponse, thisUpdate) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
-      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
-	offsetof(CERTOCSPSingleResponse, nextUpdate),
-	SEC_PointerToGeneralizedTimeTemplate },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
-      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
-	offsetof(CERTOCSPSingleResponse, singleExtensions),
-	CERT_SequenceOfCertExtensionTemplate },
-    { 0 }
-};
-
-/*
- * CertStatus	::=	CHOICE {
- *	good			[0] IMPLICIT NULL,
- *	revoked			[1] IMPLICIT RevokedInfo,
- *	unknown			[2] IMPLICIT UnknownInfo }
- *
- * Because the ASN.1 encoder and decoder currently do not provide
- * a way to automatically handle a CHOICE, we need to do it in two
- * steps, looking at the type tag and feeding the exact choice back
- * to the ASN.1 code.  Hopefully that will change someday and this
- * can all be simplified down into a single template.  Anyway, for
- * now we list each choice as its own template:
- */
-static const SEC_ASN1Template ocsp_CertStatusGoodTemplate[] = {
-    { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | 0,
-	offsetof(ocspCertStatus, certStatusInfo.goodInfo),
-	SEC_NullTemplate }
-};
-static const SEC_ASN1Template ocsp_CertStatusRevokedTemplate[] = {
-    { SEC_ASN1_POINTER | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, 
-	offsetof(ocspCertStatus, certStatusInfo.revokedInfo),
-	ocsp_RevokedInfoTemplate }
-};
-static const SEC_ASN1Template ocsp_CertStatusUnknownTemplate[] = {
-    { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | 2,
-	offsetof(ocspCertStatus, certStatusInfo.unknownInfo),
-	SEC_NullTemplate }
-};
-static const SEC_ASN1Template ocsp_CertStatusOtherTemplate[] = {
-    { SEC_ASN1_POINTER,
-	offsetof(ocspCertStatus, certStatusInfo.otherInfo),
-	SEC_AnyTemplate }
-};
-
-/*
- * RevokedInfo	::=	SEQUENCE {
- *	revocationTime		GeneralizedTime,
- *	revocationReason	[0] EXPLICIT CRLReason OPTIONAL }
- *
- * Note: this should be static but the AIX compiler doesn't like it (because it
- * was forward-declared above); it is not meant to be exported, but this
- * is the only way it will compile.
- */
-const SEC_ASN1Template ocsp_RevokedInfoTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	0, NULL, sizeof(ocspRevokedInfo) },
-    { SEC_ASN1_GENERALIZED_TIME,
-	offsetof(ocspRevokedInfo, revocationTime) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
-      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
-	offsetof(ocspRevokedInfo, revocationReason), 
-	SEC_PointerToEnumeratedTemplate },
-    { 0 }
-};
-
-
-/*
- * OCSP-specific extension templates:
- */
-
-/*
- * ServiceLocator	::=	SEQUENCE {
- *	issuer			Name,
- *	locator			AuthorityInfoAccessSyntax OPTIONAL }
- */
-static const SEC_ASN1Template ocsp_ServiceLocatorTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	0, NULL, sizeof(ocspServiceLocator) },
-    { SEC_ASN1_POINTER,
-	offsetof(ocspServiceLocator, issuer),
-	CERT_NameTemplate },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
-	offsetof(ocspServiceLocator, locator) },
-    { 0 }
-};
-
-
-/*
- * REQUEST SUPPORT FUNCTIONS (encode/create/decode/destroy):
- */
-
-/* 
- * FUNCTION: CERT_EncodeOCSPRequest
- *   DER encodes an OCSP Request, possibly adding a signature as well.
- *   XXX Signing is not yet supported, however; see comments in code.
- * INPUTS: 
- *   PRArenaPool *arena
- *     The return value is allocated from here.
- *     If a NULL is passed in, allocation is done from the heap instead.
- *   CERTOCSPRequest *request
- *     The request to be encoded.
- *   void *pwArg
- *     Pointer to argument for password prompting, if needed.  (Definitely
- *     not needed if not signing.)
- * RETURN:
- *   Returns a NULL on error and a pointer to the SECItem with the
- *   encoded value otherwise.  Any error is likely to be low-level
- *   (e.g. no memory).
- */
-SECItem *
-CERT_EncodeOCSPRequest(PRArenaPool *arena, CERTOCSPRequest *request, 
-		       void *pwArg)
-{
-    ocspTBSRequest *tbsRequest;
-    SECStatus rv;
-
-    /* XXX All of these should generate errors if they fail. */
-    PORT_Assert(request);
-    PORT_Assert(request->tbsRequest);
-
-    tbsRequest = request->tbsRequest;
-
-    if (request->tbsRequest->extensionHandle != NULL) {
-	rv = CERT_FinishExtensions(request->tbsRequest->extensionHandle);
-	request->tbsRequest->extensionHandle = NULL;
-	if (rv != SECSuccess)
-	    return NULL;
-    }
-
-    /*
-     * XXX When signed requests are supported and request->optionalSignature
-     * is not NULL:
-     *  - need to encode tbsRequest->requestorName
-     *  - need to encode tbsRequest
-     *  - need to sign that encoded result (using cert in sig), filling in the
-     *    request->optionalSignature structure with the result, the signing
-     *    algorithm and (perhaps?) the cert (and its chain?) in derCerts
-     */
-
-    return SEC_ASN1EncodeItem(arena, NULL, request, ocsp_OCSPRequestTemplate);
-}
-
-
-/*
- * FUNCTION: CERT_DecodeOCSPRequest
- *   Decode a DER encoded OCSP Request.
- * INPUTS:
- *   SECItem *src
- *     Pointer to a SECItem holding DER encoded OCSP Request.
- * RETURN:
- *   Returns a pointer to a CERTOCSPRequest containing the decoded request.
- *   On error, returns NULL.  Most likely error is trouble decoding
- *   (SEC_ERROR_OCSP_MALFORMED_REQUEST), or low-level problem (no memory).
- */
-CERTOCSPRequest *
-CERT_DecodeOCSPRequest(SECItem *src)
-{
-    PRArenaPool *arena = NULL;
-    SECStatus rv = SECFailure;
-    CERTOCSPRequest *dest = NULL;
-    int i;
-    SECItem newSrc;
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) {
-	goto loser;
-    }
-    dest = (CERTOCSPRequest *) PORT_ArenaZAlloc(arena, 
-						sizeof(CERTOCSPRequest));
-    if (dest == NULL) {
-	goto loser;
-    }
-    dest->arena = arena;
-
-    /* copy the DER into the arena, since Quick DER returns data that points
-       into the DER input, which may get freed by the caller */
-    rv = SECITEM_CopyItem(arena, &newSrc, src);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    rv = SEC_QuickDERDecodeItem(arena, dest, ocsp_OCSPRequestTemplate, &newSrc);
-    if (rv != SECSuccess) {
-	if (PORT_GetError() == SEC_ERROR_BAD_DER)
-	    PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST);
-	goto loser;
-    }
-
-    /*
-     * XXX I would like to find a way to get rid of the necessity
-     * of doing this copying of the arena pointer.
-     */
-    for (i = 0; dest->tbsRequest->requestList[i] != NULL; i++) {
-	dest->tbsRequest->requestList[i]->arena = arena;
-    }
-
-    return dest;
-
-loser:
-    if (arena != NULL) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    return NULL;
-}
-
-SECStatus
-CERT_DestroyOCSPCertID(CERTOCSPCertID* certID)
-{
-    if (certID->poolp) {
-	PORT_FreeArena(certID->poolp, PR_FALSE);
-	return SECSuccess;
-    }
-    return SECFailure;
-}
-
-
-/*
- * Create and fill-in a CertID.  This function fills in the hash values
- * (issuerNameHash and issuerKeyHash), and is hardwired to use SHA1.
- * Someday it might need to be more flexible about hash algorithm, but
- * for now we have no intention/need to create anything else.
- *
- * Error causes a null to be returned; most likely cause is trouble
- * finding the certificate issuer (SEC_ERROR_UNKNOWN_ISSUER).
- * Other errors are low-level problems (no memory, bad database, etc.).
- */
-static CERTOCSPCertID *
-ocsp_CreateCertID(PRArenaPool *arena, CERTCertificate *cert, int64 time)
-{
-    CERTOCSPCertID *certID;
-    CERTCertificate *issuerCert = NULL;
-    SECItem *tempItem = NULL;
-    void *mark = PORT_ArenaMark(arena);
-    SECStatus rv;
-
-    PORT_Assert(arena != NULL);
-
-    certID = PORT_ArenaZNew(arena, CERTOCSPCertID);
-    if (certID == NULL) {
-	goto loser;
-    }
-
-    rv = SECOID_SetAlgorithmID(arena, &certID->hashAlgorithm, SEC_OID_SHA1,
-			       NULL);
-    if (rv != SECSuccess) {
-	goto loser; 
-    }
-
-    issuerCert = CERT_FindCertIssuer(cert, time, certUsageAnyCA);
-    if (issuerCert == NULL) {
-	goto loser;
-    }
-
-    tempItem = SEC_ASN1EncodeItem(NULL, NULL, &issuerCert->subject,
-				  CERT_NameTemplate);
-    if (tempItem == NULL) {
-	goto loser;
-    }
-
-    if (SECITEM_AllocItem(arena, &(certID->issuerNameHash),
-			  SHA1_LENGTH) == NULL) {
-	goto loser;
-    }
-    rv = PK11_HashBuf(SEC_OID_SHA1, certID->issuerNameHash.data,
-		      tempItem->data, tempItem->len);
-    if (rv != SECSuccess) {
-	goto loser; 
-    }
-    certID->issuerSHA1NameHash.data = certID->issuerNameHash.data;
-    certID->issuerSHA1NameHash.len = certID->issuerNameHash.len;
-    /* cache the other two hash algorithms as well */
-    if (SECITEM_AllocItem(arena, &(certID->issuerMD5NameHash),
-			  MD5_LENGTH) == NULL) {
-	goto loser;
-    }
-    rv = PK11_HashBuf(SEC_OID_MD5, certID->issuerMD5NameHash.data,
-		      tempItem->data, tempItem->len);
-    if (rv != SECSuccess) {
-	goto loser; 
-    }
-    if (SECITEM_AllocItem(arena, &(certID->issuerMD2NameHash),
-			  MD2_LENGTH) == NULL) {
-	goto loser;
-    }
-    rv = PK11_HashBuf(SEC_OID_MD2, certID->issuerMD2NameHash.data,
-		      tempItem->data, tempItem->len);
-    if (rv != SECSuccess) {
-	goto loser; 
-    }
-
-    SECITEM_FreeItem(tempItem, PR_TRUE);
-    tempItem = NULL;
-
-    if (CERT_SPKDigestValueForCert(arena, issuerCert, SEC_OID_SHA1,
-				   &(certID->issuerKeyHash)) == NULL) {
-	goto loser;
-    }
-    certID->issuerSHA1KeyHash.data = certID->issuerKeyHash.data;
-    certID->issuerSHA1KeyHash.len = certID->issuerKeyHash.len;
-    /* cache the other two hash algorithms as well */
-    if (CERT_SPKDigestValueForCert(arena, issuerCert, SEC_OID_MD5,
-				   &(certID->issuerMD5KeyHash)) == NULL) {
-	goto loser;
-    }
-    if (CERT_SPKDigestValueForCert(arena, issuerCert, SEC_OID_MD2,
-				   &(certID->issuerMD2KeyHash)) == NULL) {
-	goto loser;
-    }
-
-
-    /* now we are done with issuerCert */
-    CERT_DestroyCertificate(issuerCert);
-    issuerCert = NULL;
-
-    rv = SECITEM_CopyItem(arena, &certID->serialNumber, &cert->serialNumber);
-    if (rv != SECSuccess) {
-	goto loser; 
-    }
-
-    PORT_ArenaUnmark(arena, mark);
-    return certID;
-
-loser:
-    if (issuerCert != NULL) {
-	CERT_DestroyCertificate(issuerCert);
-    }
-    if (tempItem != NULL) {
-	SECITEM_FreeItem(tempItem, PR_TRUE);
-    }
-    PORT_ArenaRelease(arena, mark);
-    return NULL;
-}
-
-CERTOCSPCertID*
-CERT_CreateOCSPCertID(CERTCertificate *cert, int64 time)
-{
-    PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    CERTOCSPCertID *certID;
-    PORT_Assert(arena != NULL);
-    if (!arena)
-	return NULL;
-    
-    certID = ocsp_CreateCertID(arena, cert, time);
-    if (!certID) {
-	PORT_FreeArena(arena, PR_FALSE);
-	return NULL;
-    }
-    certID->poolp = arena;
-    return certID;
-}
-
-
-
-/*
- * Callback to set Extensions in request object
- */
-void SetSingleReqExts(void *object, CERTCertExtension **exts)
-{
-  ocspSingleRequest *singleRequest =
-    (ocspSingleRequest *)object;
-
-  singleRequest->singleRequestExtensions = exts;
-}
-
-/*
- * Add the Service Locator extension to the singleRequestExtensions
- * for the given singleRequest.
- *
- * All errors are internal or low-level problems (e.g. no memory).
- */
-static SECStatus
-ocsp_AddServiceLocatorExtension(ocspSingleRequest *singleRequest,
-				CERTCertificate *cert)
-{
-    ocspServiceLocator *serviceLocator = NULL;
-    void *extensionHandle = NULL;
-    SECStatus rv = SECFailure;
-
-    serviceLocator = PORT_ZNew(ocspServiceLocator);
-    if (serviceLocator == NULL)
-	goto loser;
-
-    /*
-     * Normally it would be a bad idea to do a direct reference like
-     * this rather than allocate and copy the name *or* at least dup
-     * a reference of the cert.  But all we need is to be able to read
-     * the issuer name during the encoding we are about to do, so a
-     * copy is just a waste of time.
-     */
-    serviceLocator->issuer = &cert->issuer;
-
-    rv = CERT_FindCertExtension(cert, SEC_OID_X509_AUTH_INFO_ACCESS,
-				&serviceLocator->locator);
-    if (rv != SECSuccess) {
-	if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND)
-	    goto loser;
-    }
-
-    /* prepare for following loser gotos */
-    rv = SECFailure;
-
-    extensionHandle = cert_StartExtensions(singleRequest,
-                       singleRequest->arena, SetSingleReqExts);
-    if (extensionHandle == NULL)
-	goto loser;
-
-    rv = CERT_EncodeAndAddExtension(extensionHandle,
-				    SEC_OID_PKIX_OCSP_SERVICE_LOCATOR,
-				    serviceLocator, PR_FALSE,
-				    ocsp_ServiceLocatorTemplate);
-
-loser:
-    if (extensionHandle != NULL) {
-	/*
-	 * Either way we have to finish out the extension context (so it gets
-	 * freed).  But careful not to override any already-set bad status.
-	 */
-	SECStatus tmprv = CERT_FinishExtensions(extensionHandle);
-	if (rv == SECSuccess)
-	    rv = tmprv;
-    }
-
-    /*
-     * Finally, free the serviceLocator structure itself and we are done.
-     */
-    if (serviceLocator != NULL) {
-	if (serviceLocator->locator.data != NULL)
-	    SECITEM_FreeItem(&serviceLocator->locator, PR_FALSE);
-	PORT_Free(serviceLocator);
-    }
-
-    return rv;
-}
-
-/*
- * Creates an array of ocspSingleRequest based on a list of certs.
- * Note that the code which later compares the request list with the
- * response expects this array to be in the exact same order as the
- * certs are found in the list.  It would be harder to change that
- * order than preserve it, but since the requirement is not obvious,
- * it deserves to be mentioned.
- *
- * Any problem causes a null return and error set:
- *	SEC_ERROR_UNKNOWN_ISSUER
- * Other errors are low-level problems (no memory, bad database, etc.).
- */
-static ocspSingleRequest **
-ocsp_CreateSingleRequestList(PRArenaPool *arena, CERTCertList *certList,
-			     int64 time, PRBool includeLocator)
-{
-    ocspSingleRequest **requestList = NULL;
-    CERTCertListNode *node;
-    int i, count;
-    void *mark = PORT_ArenaMark(arena);
- 
-    node = CERT_LIST_HEAD(certList);
-    for (count = 0; !CERT_LIST_END(node, certList); count++) {
-	node = CERT_LIST_NEXT(node);
-    }
-
-    if (count == 0)
-	goto loser;
-
-    requestList = PORT_ArenaNewArray(arena, ocspSingleRequest *, count + 1);
-    if (requestList == NULL)
-	goto loser;
-
-    node = CERT_LIST_HEAD(certList);
-    for (i = 0; !CERT_LIST_END(node, certList); i++) {
-        requestList[i] = PORT_ArenaZNew(arena, ocspSingleRequest);
-	if (requestList[i] == NULL)
-	    goto loser;
-
-	requestList[i]->arena = arena;
-	requestList[i]->reqCert = ocsp_CreateCertID(arena, node->cert, time);
-	if (requestList[i]->reqCert == NULL)
-	    goto loser;
-
-	if (includeLocator == PR_TRUE) {
-	    SECStatus rv;
-
-	    rv = ocsp_AddServiceLocatorExtension(requestList[i], node->cert);
-	    if (rv != SECSuccess)
-		goto loser;
-	}
-
-	node = CERT_LIST_NEXT(node);
-    }
-
-    PORT_Assert(i == count);
-
-    PORT_ArenaUnmark(arena, mark);
-    requestList[i] = NULL;
-    return requestList;
-
-loser:
-    PORT_ArenaRelease(arena, mark);
-    return NULL;
-}
-
-
-/*
- * FUNCTION: CERT_CreateOCSPRequest
- *   Creates a CERTOCSPRequest, requesting the status of the certs in 
- *   the given list.
- * INPUTS:
- *   CERTCertList *certList
- *     A list of certs for which status will be requested.
- *     Note that all of these certificates should have the same issuer,
- *     or it's expected the response will be signed by a trusted responder.
- *     If the certs need to be broken up into multiple requests, that
- *     must be handled by the caller (and thus by having multiple calls
- *     to this routine), who knows about where the request(s) are being
- *     sent and whether there are any trusted responders in place.
- *   int64 time
- *     Indicates the time for which the certificate status is to be 
- *     determined -- this may be used in the search for the cert's issuer
- *     but has no effect on the request itself.
- *   PRBool addServiceLocator
- *     If true, the Service Locator extension should be added to the
- *     single request(s) for each cert.
- *   CERTCertificate *signerCert
- *     If non-NULL, means sign the request using this cert.  Otherwise,
- *     do not sign.
- *     XXX note that request signing is not yet supported; see comment in code
- * RETURN:
- *   A pointer to a CERTOCSPRequest structure containing an OCSP request
- *   for the cert list.  On error, null is returned, with an error set
- *   indicating the reason.  This is likely SEC_ERROR_UNKNOWN_ISSUER.
- *   (The issuer is needed to create a request for the certificate.)
- *   Other errors are low-level problems (no memory, bad database, etc.).
- */
-CERTOCSPRequest *
-CERT_CreateOCSPRequest(CERTCertList *certList, int64 time, 
-		       PRBool addServiceLocator,
-		       CERTCertificate *signerCert)
-{
-    PRArenaPool *arena = NULL;
-    CERTOCSPRequest *request = NULL;
-    ocspTBSRequest *tbsRequest = NULL;
-
-    /*
-     * XXX This should set an error, but since it is only temporary and
-     * since PSM will not initially provide a way to turn on signing of
-     * requests anyway, I figure we can just skip defining an error that
-     * will be obsolete in the next release.  When we are prepared to
-     * put signing of requests back in, this entire check will go away,
-     * and later in this function we will need to allocate a signature
-     * structure for the request, fill in the "derCerts" field in it,
-     * save the signerCert there, as well as fill in the "requestorName"
-     * field of the tbsRequest.
-     */
-    if (signerCert != NULL) {
-	return NULL;
-    }
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) {
-	goto loser;
-    }
-
-    request = PORT_ArenaZNew(arena, CERTOCSPRequest);
-    if (request == NULL) {
-	goto loser;
-    }
-    request->arena = arena;
-
-    tbsRequest = PORT_ArenaZNew(arena, ocspTBSRequest);
-    if (tbsRequest == NULL) {
-	goto loser;
-    }
-    request->tbsRequest = tbsRequest;
-
-    /* version 1 is the default, so we need not fill in a version number */
-
-    /*
-     * Now create the list of single requests, one for each cert.
-     */
-    tbsRequest->requestList = ocsp_CreateSingleRequestList(arena, certList,
-							   time,
-							   addServiceLocator);
-    if (tbsRequest->requestList == NULL) {
-	goto loser;
-    }
-    return request;
-
-loser:
-    if (arena != NULL) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    return NULL;
-}
-
-
-/*
- * FUNCTION: CERT_AddOCSPAcceptableResponses
- *   Add the AcceptableResponses extension to an OCSP Request.
- * INPUTS:
- *   CERTOCSPRequest *request
- *     The request to which the extension should be added.
- *   ...
- *     A list (of one or more) of SECOidTag -- each of the response types
- *     to be added.  The last OID *must* be SEC_OID_PKIX_OCSP_BASIC_RESPONSE.
- *     (This marks the end of the list, and it must be specified because a
- *     client conforming to the OCSP standard is required to handle the basic
- *     response type.)  The OIDs are not checked in any way.
- * RETURN:
- *   SECSuccess if the extension is added; SECFailure if anything goes wrong.
- *   All errors are internal or low-level problems (e.g. no memory).
- */
-
-void SetRequestExts(void *object, CERTCertExtension **exts)
-{
-  CERTOCSPRequest *request = (CERTOCSPRequest *)object;
-
-  request->tbsRequest->requestExtensions = exts;
-}
-
-SECStatus
-CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request,
-				SECOidTag responseType0, ...)
-{
-    void *extHandle;
-    va_list ap;
-    int i, count;
-    SECOidTag responseType;
-    SECOidData *responseOid;
-    SECItem **acceptableResponses = NULL;
-    SECStatus rv = SECFailure;
-
-    extHandle = request->tbsRequest->extensionHandle;
-    if (extHandle == NULL) {
-	extHandle = cert_StartExtensions(request, request->arena, SetRequestExts);
-	if (extHandle == NULL)
-	    goto loser;
-    }
-
-    /* Count number of OIDS going into the extension value. */
-    count = 1;
-    if (responseType0 != SEC_OID_PKIX_OCSP_BASIC_RESPONSE) {
-	va_start(ap, responseType0);
-	do {
-	    count++;
-	    responseType = va_arg(ap, SECOidTag);
-	} while (responseType != SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
-	va_end(ap);
-    }
-
-    acceptableResponses = PORT_NewArray(SECItem *, count + 1);
-    if (acceptableResponses == NULL)
-	goto loser;
-
-    i = 0;
-    responseOid = SECOID_FindOIDByTag(responseType0);
-    acceptableResponses[i++] = &(responseOid->oid);
-    if (count > 1) {
-	va_start(ap, responseType0);
-	for ( ; i < count; i++) {
-	    responseType = va_arg(ap, SECOidTag);
-	    responseOid = SECOID_FindOIDByTag(responseType);
-	    acceptableResponses[i] = &(responseOid->oid);
-	}
-	va_end(ap);
-    }
-    acceptableResponses[i] = NULL;
-
-    rv = CERT_EncodeAndAddExtension(extHandle, SEC_OID_PKIX_OCSP_RESPONSE,
-				    &acceptableResponses, PR_FALSE,
-				    SEC_SequenceOfObjectIDTemplate);
-    if (rv != SECSuccess)
-	goto loser;
-
-    PORT_Free(acceptableResponses);
-    if (request->tbsRequest->extensionHandle == NULL)
-	request->tbsRequest->extensionHandle = extHandle;
-    return SECSuccess;
-
-loser:
-    if (acceptableResponses != NULL)
-	PORT_Free(acceptableResponses);
-    if (extHandle != NULL)
-	(void) CERT_FinishExtensions(extHandle);
-    return rv;
-}
-
-
-/*
- * FUNCTION: CERT_DestroyOCSPRequest
- *   Frees an OCSP Request structure.
- * INPUTS:
- *   CERTOCSPRequest *request
- *     Pointer to CERTOCSPRequest to be freed.
- * RETURN:
- *   No return value; no errors.
- */
-void
-CERT_DestroyOCSPRequest(CERTOCSPRequest *request)
-{
-    if (request == NULL)
-	return;
-
-    if (request->tbsRequest != NULL) {
-	if (request->tbsRequest->requestorName != NULL)
-	    CERT_DestroyGeneralNameList(request->tbsRequest->requestorName);
-	if (request->tbsRequest->extensionHandle != NULL)
-	    (void) CERT_FinishExtensions(request->tbsRequest->extensionHandle);
-    }
-
-    if (request->optionalSignature != NULL) {
-	if (request->optionalSignature->cert != NULL)
-	    CERT_DestroyCertificate(request->optionalSignature->cert);
-
-	/*
-	 * XXX Need to free derCerts?  Or do they come out of arena?
-	 * (Currently we never fill in derCerts, which is why the
-	 * answer is not obvious.  Once we do, add any necessary code
-	 * here and remove this comment.)
-	 */
-    }
-
-    /*
-     * We should actually never have a request without an arena,
-     * but check just in case.  (If there isn't one, there is not
-     * much we can do about it...)
-     */
-    PORT_Assert(request->arena != NULL);
-    if (request->arena != NULL)
-	PORT_FreeArena(request->arena, PR_FALSE);
-}
-
-
-/*
- * RESPONSE SUPPORT FUNCTIONS (encode/create/decode/destroy):
- */
-
-/*
- * Helper function for encoding or decoding a ResponderID -- based on the
- * given type, return the associated template for that choice.
- */
-static const SEC_ASN1Template *
-ocsp_ResponderIDTemplateByType(ocspResponderIDType responderIDType)
-{
-    const SEC_ASN1Template *responderIDTemplate;
-
-    switch (responderIDType) {
-	case ocspResponderID_byName:
-	    responderIDTemplate = ocsp_ResponderIDByNameTemplate;
-	    break;
-	case ocspResponderID_byKey:
-	    responderIDTemplate = ocsp_ResponderIDByKeyTemplate;
-	    break;
-	case ocspResponderID_other:
-	default:
-	    PORT_Assert(responderIDType == ocspResponderID_other);
-	    responderIDTemplate = ocsp_ResponderIDOtherTemplate;
-	    break;
-    }
-
-    return responderIDTemplate;
-}
-
-/*
- * Helper function for encoding or decoding a CertStatus -- based on the
- * given type, return the associated template for that choice.
- */
-static const SEC_ASN1Template *
-ocsp_CertStatusTemplateByType(ocspCertStatusType certStatusType)
-{
-    const SEC_ASN1Template *certStatusTemplate;
-
-    switch (certStatusType) {
-	case ocspCertStatus_good:
-	    certStatusTemplate = ocsp_CertStatusGoodTemplate;
-	    break;
-	case ocspCertStatus_revoked:
-	    certStatusTemplate = ocsp_CertStatusRevokedTemplate;
-	    break;
-	case ocspCertStatus_unknown:
-	    certStatusTemplate = ocsp_CertStatusUnknownTemplate;
-	    break;
-	case ocspCertStatus_other:
-	default:
-	    PORT_Assert(certStatusType == ocspCertStatus_other);
-	    certStatusTemplate = ocsp_CertStatusOtherTemplate;
-	    break;
-    }
-
-    return certStatusTemplate;
-}
-
-/*
- * Helper function for decoding a certStatus -- turn the actual DER tag
- * into our local translation.
- */
-static ocspCertStatusType
-ocsp_CertStatusTypeByTag(int derTag)
-{
-    ocspCertStatusType certStatusType;
-
-    switch (derTag) {
-	case 0:
-	    certStatusType = ocspCertStatus_good;
-	    break;
-	case 1:
-	    certStatusType = ocspCertStatus_revoked;
-	    break;
-	case 2:
-	    certStatusType = ocspCertStatus_unknown;
-	    break;
-	default:
-	    certStatusType = ocspCertStatus_other;
-	    break;
-    }
-
-    return certStatusType;
-}
-
-/*
- * Helper function for decoding SingleResponses -- they each contain
- * a status which is encoded as CHOICE, which needs to be decoded "by hand".
- *
- * Note -- on error, this routine does not release the memory it may
- * have allocated; it expects its caller to do that.
- */
-static SECStatus
-ocsp_FinishDecodingSingleResponses(PRArenaPool *arena,
-				   CERTOCSPSingleResponse **responses)
-{
-    ocspCertStatus *certStatus;
-    ocspCertStatusType certStatusType;
-    const SEC_ASN1Template *certStatusTemplate;
-    int derTag;
-    int i;
-    SECStatus rv = SECFailure;
-
-    if (responses == NULL)			/* nothing to do */
-	return SECSuccess;
-
-    for (i = 0; responses[i] != NULL; i++) {
-	/*
-	 * The following assert points out internal errors (problems in
-	 * the template definitions or in the ASN.1 decoder itself, etc.).
-	 */
-	PORT_Assert(responses[i]->derCertStatus.data != NULL);
-
-	derTag = responses[i]->derCertStatus.data[0] & SEC_ASN1_TAGNUM_MASK;
-	certStatusType = ocsp_CertStatusTypeByTag(derTag);
-	certStatusTemplate = ocsp_CertStatusTemplateByType(certStatusType);
-
-	certStatus = PORT_ArenaZAlloc(arena, sizeof(ocspCertStatus));
-	if (certStatus == NULL) {
-	    goto loser;
-	}
-	rv = SEC_ASN1DecodeItem(arena, certStatus, certStatusTemplate,
-				&responses[i]->derCertStatus);
-	if (rv != SECSuccess) {
-	    if (PORT_GetError() == SEC_ERROR_BAD_DER)
-		PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
-	    goto loser;
-	}
-
-	certStatus->certStatusType = certStatusType;
-	responses[i]->certStatus = certStatus;
-    }
-
-    return SECSuccess;
-
-loser:
-    return rv;
-}
-
-/*
- * Helper function for decoding a responderID -- turn the actual DER tag
- * into our local translation.
- */
-static ocspResponderIDType
-ocsp_ResponderIDTypeByTag(int derTag)
-{
-    ocspResponderIDType responderIDType;
-
-    switch (derTag) {
-	case 1:
-	    responderIDType = ocspResponderID_byName;
-	    break;
-	case 2:
-	    responderIDType = ocspResponderID_byKey;
-	    break;
-	default:
-	    responderIDType = ocspResponderID_other;
-	    break;
-    }
-
-    return responderIDType;
-}
-
-/*
- * Decode "src" as a BasicOCSPResponse, returning the result.
- */
-static ocspBasicOCSPResponse *
-ocsp_DecodeBasicOCSPResponse(PRArenaPool *arena, SECItem *src)
-{
-    void *mark;
-    ocspBasicOCSPResponse *basicResponse;
-    ocspResponseData *responseData;
-    ocspResponderID *responderID;
-    ocspResponderIDType responderIDType;
-    const SEC_ASN1Template *responderIDTemplate;
-    int derTag;
-    SECStatus rv;
-    SECItem newsrc;
-
-    mark = PORT_ArenaMark(arena);
-
-    basicResponse = PORT_ArenaZAlloc(arena, sizeof(ocspBasicOCSPResponse));
-    if (basicResponse == NULL) {
-	goto loser;
-    }
-
-    /* copy the DER into the arena, since Quick DER returns data that points
-       into the DER input, which may get freed by the caller */
-    rv = SECITEM_CopyItem(arena, &newsrc, src);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    rv = SEC_QuickDERDecodeItem(arena, basicResponse,
-			    ocsp_BasicOCSPResponseTemplate, &newsrc);
-    if (rv != SECSuccess) {
-	if (PORT_GetError() == SEC_ERROR_BAD_DER)
-	    PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
-	goto loser;
-    }
-
-    responseData = basicResponse->tbsResponseData;
-
-    /*
-     * The following asserts point out internal errors (problems in
-     * the template definitions or in the ASN.1 decoder itself, etc.).
-     */
-    PORT_Assert(responseData != NULL);
-    PORT_Assert(responseData->derResponderID.data != NULL);
-
-    /*
-     * XXX Because responderID is a CHOICE, which is not currently handled
-     * by our ASN.1 decoder, we have to decode it "by hand".
-     */
-    derTag = responseData->derResponderID.data[0] & SEC_ASN1_TAGNUM_MASK;
-    responderIDType = ocsp_ResponderIDTypeByTag(derTag);
-    responderIDTemplate = ocsp_ResponderIDTemplateByType(responderIDType);
-
-    responderID = PORT_ArenaZAlloc(arena, sizeof(ocspResponderID));
-    if (responderID == NULL) {
-	goto loser;
-    }
-
-    rv = SEC_QuickDERDecodeItem(arena, responderID, responderIDTemplate,
-			    &responseData->derResponderID);
-    if (rv != SECSuccess) {
-	if (PORT_GetError() == SEC_ERROR_BAD_DER)
-	    PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
-	goto loser;
-    }
-
-    responderID->responderIDType = responderIDType;
-    responseData->responderID = responderID;
-
-    /*
-     * XXX Each SingleResponse also contains a CHOICE, which has to be
-     * fixed up by hand.
-     */
-    rv = ocsp_FinishDecodingSingleResponses(arena, responseData->responses);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-
-    PORT_ArenaUnmark(arena, mark);
-    return basicResponse;
-
-loser:
-    PORT_ArenaRelease(arena, mark);
-    return NULL;
-}
-
-
-/*
- * Decode the responseBytes based on the responseType found in "rbytes",
- * leaving the resulting translated/decoded information in there as well.
- */
-static SECStatus
-ocsp_DecodeResponseBytes(PRArenaPool *arena, ocspResponseBytes *rbytes)
-{
-    PORT_Assert(rbytes != NULL);		/* internal error, really */
-    if (rbytes == NULL)
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);	/* XXX set better error? */
-
-    rbytes->responseTypeTag = SECOID_FindOIDTag(&rbytes->responseType);
-    switch (rbytes->responseTypeTag) {
-	case SEC_OID_PKIX_OCSP_BASIC_RESPONSE:
-	    {
-		ocspBasicOCSPResponse *basicResponse;
-
-		basicResponse = ocsp_DecodeBasicOCSPResponse(arena,
-							     &rbytes->response);
-		if (basicResponse == NULL)
-		    return SECFailure;
-
-		rbytes->decodedResponse.basic = basicResponse;
-	    }
-	    break;
-
-	/*
-	 * Add new/future response types here.
-	 */
-
-	default:
-	    PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE);
-	    return SECFailure;
-    }
-
-    return SECSuccess;
-}
-
-
-/*
- * FUNCTION: CERT_DecodeOCSPResponse
- *   Decode a DER encoded OCSP Response.
- * INPUTS:
- *   SECItem *src
- *     Pointer to a SECItem holding DER encoded OCSP Response.
- * RETURN:
- *   Returns a pointer to a CERTOCSPResponse (the decoded OCSP Response);
- *   the caller is responsible for destroying it.  Or NULL if error (either
- *   response could not be decoded (SEC_ERROR_OCSP_MALFORMED_RESPONSE),
- *   it was of an unexpected type (SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE),
- *   or a low-level or internal error occurred).
- */
-CERTOCSPResponse *
-CERT_DecodeOCSPResponse(SECItem *src)
-{
-    PRArenaPool *arena = NULL;
-    CERTOCSPResponse *response = NULL;
-    SECStatus rv = SECFailure;
-    ocspResponseStatus sv;
-    SECItem newSrc;
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) {
-	goto loser;
-    }
-    response = (CERTOCSPResponse *) PORT_ArenaZAlloc(arena,
-						     sizeof(CERTOCSPResponse));
-    if (response == NULL) {
-	goto loser;
-    }
-    response->arena = arena;
-
-    /* copy the DER into the arena, since Quick DER returns data that points
-       into the DER input, which may get freed by the caller */
-    rv = SECITEM_CopyItem(arena, &newSrc, src);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    rv = SEC_QuickDERDecodeItem(arena, response, ocsp_OCSPResponseTemplate, &newSrc);
-    if (rv != SECSuccess) {
-	if (PORT_GetError() == SEC_ERROR_BAD_DER)
-	    PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
-	goto loser;
-    }
-
-    sv = (ocspResponseStatus) DER_GetInteger(&response->responseStatus);
-    response->statusValue = sv;
-    if (sv != ocspResponse_successful) {
-	/*
-	 * If the response status is anything but successful, then we
-	 * are all done with decoding; the status is all there is.
-	 */
-	return response;
-    }
-
-    /*
-     * A successful response contains much more information, still encoded.
-     * Now we need to decode that.
-     */
-    rv = ocsp_DecodeResponseBytes(arena, response->responseBytes);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-
-    return response;
-
-loser:
-    if (arena != NULL) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    return NULL;
-}
-
-/*
- * The way an OCSPResponse is defined, there are many levels to descend
- * before getting to the actual response information.  And along the way
- * we need to check that the response *type* is recognizable, which for
- * now means that it is a BasicOCSPResponse, because that is the only
- * type currently defined.  Rather than force all routines to perform
- * a bunch of sanity checking every time they want to work on a response,
- * this function isolates that and gives back the interesting part.
- * Note that no copying is done, this just returns a pointer into the
- * substructure of the response which is passed in.
- *
- * XXX This routine only works when a valid response structure is passed
- * into it; this is checked with many assertions.  Assuming the response
- * was creating by decoding, it wouldn't make it this far without being
- * okay.  That is a sufficient assumption since the entire OCSP interface
- * is only used internally.  When this interface is officially exported,
- * each assertion below will need to be followed-up with setting an error
- * and returning (null).
- */
-static ocspResponseData *
-ocsp_GetResponseData(CERTOCSPResponse *response)
-{
-    ocspBasicOCSPResponse *basic;
-    ocspResponseData *responseData;
-
-    PORT_Assert(response != NULL);
-
-    PORT_Assert(response->responseBytes != NULL);
-
-    PORT_Assert(response->responseBytes->responseTypeTag
-		== SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
-
-    basic = response->responseBytes->decodedResponse.basic;
-    PORT_Assert(basic != NULL);
-
-    responseData = basic->tbsResponseData;
-    PORT_Assert(responseData != NULL);
-
-    return responseData;
-}
-
-/*
- * Much like the routine above, except it returns the response signature.
- * Again, no copy is done.
- */
-static ocspSignature *
-ocsp_GetResponseSignature(CERTOCSPResponse *response)
-{
-    ocspBasicOCSPResponse *basic;
-
-    PORT_Assert(response != NULL);
-    if (NULL == response->responseBytes) {
-        return NULL;
-    }
-    PORT_Assert(response->responseBytes != NULL);
-    PORT_Assert(response->responseBytes->responseTypeTag
-		== SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
-
-    basic = response->responseBytes->decodedResponse.basic;
-    PORT_Assert(basic != NULL);
-
-    return &(basic->responseSignature);
-}
-
-
-/*
- * FUNCTION: CERT_DestroyOCSPResponse
- *   Frees an OCSP Response structure.
- * INPUTS:
- *   CERTOCSPResponse *request
- *     Pointer to CERTOCSPResponse to be freed.
- * RETURN:
- *   No return value; no errors.
- */
-void
-CERT_DestroyOCSPResponse(CERTOCSPResponse *response)
-{
-    if (response != NULL) {
-	ocspSignature *signature = ocsp_GetResponseSignature(response);
-	if (signature && signature->cert != NULL)
-	    CERT_DestroyCertificate(signature->cert);
-
-	/*
-	 * We should actually never have a response without an arena,
-	 * but check just in case.  (If there isn't one, there is not
-	 * much we can do about it...)
-	 */
-	PORT_Assert(response->arena != NULL);
-	if (response->arena != NULL) {
-	    PORT_FreeArena(response->arena, PR_FALSE);
-	}
-    }
-}
-
-
-/*
- * OVERALL OCSP CLIENT SUPPORT (make and send a request, verify a response):
- */
-
-
-/*
- * Pick apart a URL, saving the important things in the passed-in pointers.
- *
- * We expect to find "http://<hostname>[:<port>]/[path]", though we will
- * tolerate that final slash character missing, as well as beginning and
- * trailing whitespace, and any-case-characters for "http".  All of that
- * tolerance is what complicates this routine.  What we want is just to
- * pick out the hostname, the port, and the path.
- *
- * On a successful return, the caller will need to free the output pieces
- * of hostname and path, which are copies of the values found in the url.
- */
-static SECStatus
-ocsp_ParseURL(char *url, char **pHostname, PRUint16 *pPort, char **pPath)
-{
-    unsigned short port = 80;		/* default, in case not in url */
-    char *hostname = NULL;
-    char *path = NULL;
-    char *save;
-    char c;
-    int len;
-
-    if (url == NULL)
-	goto loser;
-
-    /*
-     * Skip beginning whitespace.
-     */
-    c = *url;
-    while ((c == ' ' || c == '\t') && c != '\0') {
-	url++;
-	c = *url;
-    }
-    if (c == '\0')
-	goto loser;
-
-    /*
-     * Confirm, then skip, protocol.  (Since we only know how to do http,
-     * that is all we will accept).
-     */
-    if (PORT_Strncasecmp(url, "http://", 7) != 0)
-	goto loser;
-    url += 7;
-
-    /*
-     * Whatever comes next is the hostname (or host IP address).  We just
-     * save it aside and then search for its end so we can determine its
-     * length and copy it.
-     *
-     * XXX Note that because we treat a ':' as a terminator character
-     * (and below, we expect that to mean there is a port specification
-     * immediately following), we will not handle IPv6 addresses.  That is
-     * apparently an acceptable limitation, for the time being.  Some day,
-     * when there is a clear way to specify a URL with an IPv6 address that
-     * can be parsed unambiguously, this code should be made to do that.
-     */
-    save = url;
-    c = *url;
-    while (c != '/' && c != ':' && c != '\0' && c != ' ' && c != '\t') {
-	url++;
-	c = *url;
-    }
-    len = url - save;
-    hostname = PORT_Alloc(len + 1);
-    if (hostname == NULL)
-	goto loser;
-    PORT_Memcpy(hostname, save, len);
-    hostname[len] = '\0';
-
-    /*
-     * Now we figure out if there was a port specified or not.
-     * If so, we need to parse it (as a number) and skip it.
-     */
-    if (c == ':') {
-	url++;
-	port = (unsigned short) PORT_Atoi(url);
-	c = *url;
-	while (c != '/' && c != '\0' && c != ' ' && c != '\t') {
-	    if (c < '0' || c > '9')
-		goto loser;
-	    url++;
-	    c = *url;
-	}
-    }
-
-    /*
-     * Last thing to find is a path.  There *should* be a slash,
-     * if nothing else -- but if there is not we provide one.
-     */
-    if (c == '/') {
-	save = url;
-	while (c != '\0' && c != ' ' && c != '\t') {
-	    url++;
-	    c = *url;
-	}
-	len = url - save;
-	path = PORT_Alloc(len + 1);
-	if (path == NULL)
-	    goto loser;
-	PORT_Memcpy(path, save, len);
-	path[len] = '\0';
-    } else {
-	path = PORT_Strdup("/");
-    }
-
-    *pHostname = hostname;
-    *pPort = port;
-    *pPath = path;
-    return SECSuccess;
-
-loser:
-    if (hostname != NULL)
-	PORT_Free(hostname);
-    if (path != NULL)
-	PORT_Free(path);
-    PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
-    return SECFailure;
-}
-
-/*
- * Open a socket to the specified host on the specified port, and return it.
- * The host is either a hostname or an IP address.
- */
-static PRFileDesc *
-ocsp_ConnectToHost(const char *host, PRUint16 port)
-{
-    PRFileDesc *sock = NULL;
-    PRIntervalTime timeout;
-    PRNetAddr addr;
-    char *netdbbuf = NULL;
-
-    sock = PR_NewTCPSocket();
-    if (sock == NULL)
-	goto loser;
-
-    /* XXX Some day need a way to set (and get?) the following value */
-    timeout = PR_SecondsToInterval(30);
-
-    /*
-     * If the following converts an IP address string in "dot notation"
-     * into a PRNetAddr.  If it fails, we assume that is because we do not
-     * have such an address, but instead a host *name*.  In that case we
-     * then lookup the host by name.  Using the NSPR function this way
-     * means we do not have to have our own logic for distinguishing a
-     * valid numerical IP address from a hostname.
-     */
-    if (PR_StringToNetAddr(host, &addr) != PR_SUCCESS) {
-	PRIntn hostIndex;
-	PRHostEnt hostEntry;
-
-	netdbbuf = PORT_Alloc(PR_NETDB_BUF_SIZE);
-	if (netdbbuf == NULL)
-	    goto loser;
-
-	if (PR_GetHostByName(host, netdbbuf, PR_NETDB_BUF_SIZE,
-			     &hostEntry) != PR_SUCCESS)
-	    goto loser;
-
-	hostIndex = 0;
-	do {
-	    hostIndex = PR_EnumerateHostEnt(hostIndex, &hostEntry, port, &addr);
-	    if (hostIndex <= 0)
-		goto loser;
-	} while (PR_Connect(sock, &addr, timeout) != PR_SUCCESS);
-
-	PORT_Free(netdbbuf);
-    } else {
-	/*
-	 * First put the port into the address, then connect.
-	 */
-	if (PR_InitializeNetAddr(PR_IpAddrNull, port, &addr) != PR_SUCCESS)
-	    goto loser;
-	if (PR_Connect(sock, &addr, timeout) != PR_SUCCESS)
-	    goto loser;
-    }
-
-    return sock;
-
-loser:
-    if (sock != NULL)
-	PR_Close(sock);
-    if (netdbbuf != NULL)
-	PORT_Free(netdbbuf);
-    return NULL;
-}
-
-/*
- * Sends an encoded OCSP request to the server identified by "location",
- * and returns the socket on which it was sent (so can listen for the reply).
- * "location" is expected to be a valid URL -- an error parsing it produces
- * SEC_ERROR_CERT_BAD_ACCESS_LOCATION.  Other errors are likely problems
- * connecting to it, or writing to it, or allocating memory, and the low-level
- * errors appropriate to the problem will be set.
- */
-static PRFileDesc *
-ocsp_SendEncodedRequest(char *location, SECItem *encodedRequest)
-{
-    char *hostname = NULL;
-    char *path = NULL;
-    PRUint16 port;
-    SECStatus rv;
-    PRFileDesc *sock = NULL;
-    PRFileDesc *returnSock = NULL;
-    char *header = NULL;
-
-    /*
-     * Take apart the location, getting the hostname, port, and path.
-     */
-    rv = ocsp_ParseURL(location, &hostname, &port, &path);
-    if (rv != SECSuccess)
-	goto loser;
-
-    PORT_Assert(hostname != NULL);
-    PORT_Assert(path != NULL);
-
-    sock = ocsp_ConnectToHost(hostname, port);
-    if (sock == NULL)
-	goto loser;
-
-    header = PR_smprintf("POST %s HTTP/1.0\r\n"
-			 "Host: %s:%d\r\n"
-			 "Content-Type: application/ocsp-request\r\n"
-			 "Content-Length: %u\r\n\r\n",
-			 path, hostname, port, encodedRequest->len);
-    if (header == NULL)
-	goto loser;
-
-    /*
-     * The NSPR documentation promises that if it can, it will write the full
-     * amount; this will not return a partial value expecting us to loop.
-     */
-    if (PR_Write(sock, header, (PRInt32) PORT_Strlen(header)) < 0)
-	goto loser;
-
-    if (PR_Write(sock, encodedRequest->data,
-		 (PRInt32) encodedRequest->len) < 0)
-	goto loser;
-
-    returnSock = sock;
-    sock = NULL;
-
-loser:
-    if (header != NULL)
-	PORT_Free(header);
-    if (sock != NULL)
-	PR_Close(sock);
-    if (path != NULL)
-	PORT_Free(path);
-    if (hostname != NULL)
-	PORT_Free(hostname);
-
-    return returnSock;
-}
-
-/*
- * Read from "fd" into "buf" -- expect/attempt to read a given number of bytes
- * Obviously, stop if hit end-of-stream. Timeout is passed in.
- */
-
-static int
-ocsp_read(PRFileDesc *fd, char *buf, int toread, PRIntervalTime timeout)
-{
-    int total = 0;
-
-    while (total < toread)
-    {
-        PRInt32 got;
-
-        got = PR_Recv(fd, buf + total, (PRInt32) (toread - total), 0, timeout);
-        if (got < 0)
-        {
-            if (0 == total)
-            {
-                total = -1; /* report the error if we didn't read anything yet */
-            }
-            break;
-        }
-        else
-        if (got == 0)
-        {			/* EOS */
-            break;
-        }
-
-        total += got;
-    }
-
-    return total;
-}
-
-#define OCSP_BUFSIZE 1024
-
-#define AbortHttpDecode(error) \
-{ \
-        if (inBuffer) \
-            PORT_Free(inBuffer); \
-        PORT_SetError(error); \
-        return NULL; \
-}
-
-
-/*
- * Reads on the given socket and returns an encoded response when received.
- * Properly formatted HTTP/1.0 response headers are expected to be read
- * from the socket, preceding a binary-encoded OCSP response.  Problems
- * with parsing cause the error SEC_ERROR_OCSP_BAD_HTTP_RESPONSE to be
- * set; any other problems are likely low-level i/o or memory allocation
- * errors.
- */
-static SECItem *
-ocsp_GetEncodedResponse(PRArenaPool *arena, PRFileDesc *sock)
-{
-    /* first read HTTP status line and headers */
-
-    char* inBuffer = NULL;
-    PRInt32 offset = 0;
-    PRInt32 inBufsize = 0;
-    const PRInt32 bufSizeIncrement = OCSP_BUFSIZE; /* 1 KB at a time */
-    const PRInt32 maxBufSize = 8 * bufSizeIncrement ; /* 8 KB max */
-    const char* CRLF = "\r\n";
-    const PRInt32 CRLFlen = strlen(CRLF);
-    const char* headerEndMark = "\r\n\r\n";
-    const PRInt32 markLen = strlen(headerEndMark);
-    const PRIntervalTime ocsptimeout =
-        PR_SecondsToInterval(30); /* hardcoded to 30s for now */
-    char* headerEnd = NULL;
-    PRBool EOS = PR_FALSE;
-    const char* httpprotocol = "HTTP/";
-    const PRInt32 httplen = strlen(httpprotocol);
-    const char* httpcode = NULL;
-    const char* contenttype = NULL;
-    PRInt32 contentlength = 0;
-    PRInt32 bytesRead = 0;
-    char* statusLineEnd = NULL;
-    char* space = NULL;
-    char* nextHeader = NULL;
-    SECItem* result = NULL;
-
-    /* read up to at least the end of the HTTP headers */
-    do
-    {
-        inBufsize += bufSizeIncrement;
-        inBuffer = PORT_Realloc(inBuffer, inBufsize+1);
-        if (NULL == inBuffer)
-        {
-            AbortHttpDecode(SEC_ERROR_NO_MEMORY);
-        }
-        bytesRead = ocsp_read(sock, inBuffer + offset, bufSizeIncrement,
-            ocsptimeout);
-        if (bytesRead > 0)
-        {
-            PRInt32 searchOffset = (offset - markLen) >0 ? offset-markLen : 0;
-            offset += bytesRead;
-            *(inBuffer + offset) = '\0'; /* NULL termination */
-            headerEnd = strstr((const char*)inBuffer + searchOffset, headerEndMark);
-            if (bytesRead < bufSizeIncrement)
-            {
-                /* we read less data than requested, therefore we are at
-                   EOS or there was a read error */
-                EOS = PR_TRUE;
-            }
-        }
-        else
-        {
-            /* recv error or EOS */
-            EOS = PR_TRUE;
-        }
-    } while ( (!headerEnd) && (PR_FALSE == EOS) &&
-              (inBufsize < maxBufSize) );
-
-    if (!headerEnd)
-    {
-        AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
-    }
-
-    /* parse the HTTP status line  */
-    statusLineEnd = strstr((const char*)inBuffer, CRLF);
-    if (!statusLineEnd)
-    {
-        AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
-    }
-    *statusLineEnd = '\0';
-
-    /* check for HTTP/ response */
-    space = strchr((const char*)inBuffer, ' ');
-    if (!space || PORT_Strncasecmp((const char*)inBuffer, httpprotocol, httplen) != 0 )
-    {
-        AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
-    }
-
-    /* check the HTTP status code of 200 */
-    httpcode = space +1;
-    space = strchr(httpcode, ' ');
-    if (!space)
-    {
-        AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
-    }
-    *space = 0;
-    if (0 != strcmp(httpcode, "200"))
-    {
-        AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
-    }
-
-    /* parse the HTTP headers in the buffer . We only care about
-       content-type and content-length
-    */
-
-    nextHeader = statusLineEnd + CRLFlen;
-    *headerEnd = '\0'; /* terminate */
-    do
-    {
-        char* thisHeaderEnd = NULL;
-        char* value = NULL;
-        char* colon = strchr(nextHeader, ':');
-        
-        if (!colon)
-        {
-            AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
-        }
-
-        *colon = '\0';
-        value = colon + 1;
-
-        /* jpierre - note : the following code will only handle the basic form
-           of HTTP/1.0 response headers, of the form "name: value" . Headers
-           split among multiple lines are not supported. This is not common
-           and should not be an issue, but it could become one in the
-           future */
-
-        if (*value != ' ')
-        {
-            AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
-        }
-
-        value++;
-        thisHeaderEnd  = strstr(value, CRLF);
-        if (thisHeaderEnd )
-        {
-            *thisHeaderEnd  = '\0';
-        }
-
-        if (0 == PORT_Strcasecmp(nextHeader, "content-type"))
-        {
-            contenttype = value;
-        }
-        else
-        if (0 == PORT_Strcasecmp(nextHeader, "content-length"))
-        {
-            contentlength = atoi(value);
-        }
-
-        if (thisHeaderEnd )
-        {
-            nextHeader = thisHeaderEnd + CRLFlen;
-        }
-        else
-        {
-            nextHeader = NULL;
-        }
-
-    } while (nextHeader && (nextHeader < (headerEnd + CRLFlen) ) );
-
-    /* check content-type */
-    if (!contenttype ||
-        (0 != PORT_Strcasecmp(contenttype, "application/ocsp-response")) )
-    {
-        AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
-    }
-
-    /* read the body of the OCSP response */
-    offset = offset - (PRInt32) (headerEnd - (const char*)inBuffer) - markLen;
-    if (offset)
-    {
-        /* move all data to the beginning of the buffer */
-        PORT_Memmove(inBuffer, headerEnd + markLen, offset);
-    }
-
-    /* resize buffer to only what's needed to hold the current response */
-    inBufsize = (1 + (offset-1) / bufSizeIncrement ) * bufSizeIncrement ;
-
-    while ( (PR_FALSE == EOS) &&
-            ( (contentlength == 0) || (offset < contentlength) ) &&
-            (inBufsize < maxBufSize)
-            )
-    {
-        /* we still need to receive more body data */
-        inBufsize += bufSizeIncrement;
-        inBuffer = PORT_Realloc(inBuffer, inBufsize+1);
-        if (NULL == inBuffer)
-        {
-            AbortHttpDecode(SEC_ERROR_NO_MEMORY);
-        }
-        bytesRead = ocsp_read(sock, inBuffer + offset, bufSizeIncrement,
-                              ocsptimeout);
-        if (bytesRead > 0)
-        {
-            offset += bytesRead;
-            if (bytesRead < bufSizeIncrement)
-            {
-                /* we read less data than requested, therefore we are at
-                   EOS or there was a read error */
-                EOS = PR_TRUE;
-            }
-        }
-        else
-        {
-            /* recv error or EOS */
-            EOS = PR_TRUE;
-        }
-    }
-
-    if (0 == offset)
-    {
-        AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
-    }
-
-    /*
-     * Now allocate the item to hold the data.
-     */
-    result = SECITEM_AllocItem(arena, NULL, offset);
-    if (NULL == result)
-    {
-        AbortHttpDecode(SEC_ERROR_NO_MEMORY);
-    }
-
-    /*
-     * And copy the data left in the buffer.
-    */
-    PORT_Memcpy(result->data, inBuffer, offset);
-
-    /* and free the temporary buffer */
-    PORT_Free(inBuffer);
-    return result;
-}
-
-
-/*
- * FUNCTION: CERT_GetEncodedOCSPResponse
- *   Creates and sends a request to an OCSP responder, then reads and
- *   returns the (encoded) response.
- * INPUTS:
- *   PRArenaPool *arena
- *     Pointer to arena from which return value will be allocated.
- *     If NULL, result will be allocated from the heap (and thus should
- *     be freed via SECITEM_FreeItem).
- *   CERTCertList *certList
- *     A list of certs for which status will be requested.
- *     Note that all of these certificates should have the same issuer,
- *     or it's expected the response will be signed by a trusted responder.
- *     If the certs need to be broken up into multiple requests, that
- *     must be handled by the caller (and thus by having multiple calls
- *     to this routine), who knows about where the request(s) are being
- *     sent and whether there are any trusted responders in place.
- *   char *location
- *     The location of the OCSP responder (a URL).
- *   int64 time
- *     Indicates the time for which the certificate status is to be 
- *     determined -- this may be used in the search for the cert's issuer
- *     but has no other bearing on the operation.
- *   PRBool addServiceLocator
- *     If true, the Service Locator extension should be added to the
- *     single request(s) for each cert.
- *   CERTCertificate *signerCert
- *     If non-NULL, means sign the request using this cert.  Otherwise,
- *     do not sign.
- *   void *pwArg
- *     Pointer to argument for password prompting, if needed.  (Definitely
- *     not needed if not signing.)
- * OUTPUTS:
- *   CERTOCSPRequest **pRequest
- *     Pointer in which to store the OCSP request created for the given
- *     list of certificates.  It is only filled in if the entire operation
- *     is successful and the pointer is not null -- and in that case the
- *     caller is then reponsible for destroying it.
- * RETURN:
- *   Returns a pointer to the SECItem holding the response.
- *   On error, returns null with error set describing the reason:
- *	SEC_ERROR_UNKNOWN_ISSUER
- *	SEC_ERROR_CERT_BAD_ACCESS_LOCATION
- *	SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
- *   Other errors are low-level problems (no memory, bad database, etc.).
- */
-SECItem *
-CERT_GetEncodedOCSPResponse(PRArenaPool *arena, CERTCertList *certList,
-			    char *location, int64 time,
-			    PRBool addServiceLocator,
-			    CERTCertificate *signerCert, void *pwArg,
-			    CERTOCSPRequest **pRequest)
-{
-    CERTOCSPRequest *request = NULL;
-    SECItem *encodedRequest = NULL;
-    SECItem *encodedResponse = NULL;
-    PRFileDesc *sock = NULL;
-    SECStatus rv;
-
-    request = CERT_CreateOCSPRequest(certList, time, addServiceLocator,
-				     signerCert);
-    if (request == NULL)
-	goto loser;
-
-    rv = CERT_AddOCSPAcceptableResponses(request,
-					 SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
-    if (rv != SECSuccess)
-	goto loser;
-
-    encodedRequest = CERT_EncodeOCSPRequest(NULL, request, pwArg);
-    if (encodedRequest == NULL)
-	goto loser;
-
-    sock = ocsp_SendEncodedRequest(location, encodedRequest);
-    if (sock == NULL)
-	goto loser;
-
-    encodedResponse = ocsp_GetEncodedResponse(arena, sock);
-    if (encodedResponse != NULL && pRequest != NULL) {
-	*pRequest = request;
-	request = NULL;			/* avoid destroying below */
-    }
-
-loser:
-    if (request != NULL)
-	CERT_DestroyOCSPRequest(request);
-    if (encodedRequest != NULL)
-	SECITEM_FreeItem(encodedRequest, PR_TRUE);
-    if (sock != NULL)
-	PR_Close(sock);
-
-    return encodedResponse;
-}
-
-
-/* Checks a certificate for the key usage extension of OCSP signer. */
-static PRBool
-ocsp_CertIsOCSPSigner(CERTCertificate *cert)
-{
-    SECStatus rv;
-    SECItem extItem;
-    SECItem **oids;
-    SECItem *oid;
-    SECOidTag oidTag;
-    PRBool retval;
-    CERTOidSequence *oidSeq = NULL;
-
-
-    extItem.data = NULL;
-    rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE, &extItem);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    oidSeq = CERT_DecodeOidSequence(&extItem);
-    if ( oidSeq == NULL ) {
-	goto loser;
-    }
-
-    oids = oidSeq->oids;
-    while ( *oids != NULL ) {
-	oid = *oids;
-	
-	oidTag = SECOID_FindOIDTag(oid);
-	
-	if ( oidTag == SEC_OID_OCSP_RESPONDER ) {
-	    goto success;
-	}
-	
-	oids++;
-    }
-
-loser:
-    retval = PR_FALSE;
-    goto done;
-success:
-    retval = PR_TRUE;
-done:
-    if ( extItem.data != NULL ) {
-	PORT_Free(extItem.data);
-    }
-    if ( oidSeq != NULL ) {
-	CERT_DestroyOidSequence(oidSeq);
-    }
-    
-    return(retval);
-}
-
-
-#ifdef LATER	/*
-		 * XXX This function is not currently used, but will
-		 * be needed later when we do revocation checking of
-		 * the responder certificate.  Of course, it may need
-		 * revising then, if the cert extension interface has
-		 * changed.  (Hopefully it will!)
-		 */
-
-/* Checks a certificate to see if it has the OCSP no check extension. */
-static PRBool
-ocsp_CertHasNoCheckExtension(CERTCertificate *cert)
-{
-    SECStatus rv;
-    
-    rv = CERT_FindCertExtension(cert, SEC_OID_PKIX_OCSP_NO_CHECK, 
-				NULL);
-    if (rv == SECSuccess) {
-	return PR_TRUE;
-    }
-    return PR_FALSE;
-}
-#endif	/* LATER */
-
-static PRBool
-ocsp_matchcert(SECItem *certIndex,CERTCertificate *testCert)
-{
-    SECItem item;
-    unsigned char buf[HASH_LENGTH_MAX];
-
-    item.data = buf;
-    item.len = SHA1_LENGTH;
-
-    if (CERT_SPKDigestValueForCert(NULL,testCert,SEC_OID_SHA1, &item) == NULL) {
-	return PR_FALSE;
-    }
-    if  (SECITEM_ItemsAreEqual(certIndex,&item)) {
-	return PR_TRUE;
-    }
-    if (CERT_SPKDigestValueForCert(NULL,testCert,SEC_OID_MD5, &item) == NULL) {
-	return PR_FALSE;
-    }
-    if  (SECITEM_ItemsAreEqual(certIndex,&item)) {
-	return PR_TRUE;
-    }
-    if (CERT_SPKDigestValueForCert(NULL,testCert,SEC_OID_MD2, &item) == NULL) {
-	return PR_FALSE;
-    }
-    if  (SECITEM_ItemsAreEqual(certIndex,&item)) {
-	return PR_TRUE;
-    }
-
-    return PR_FALSE;
-}
-
-static CERTCertificate *
-ocsp_CertGetDefaultResponder(CERTCertDBHandle *handle,CERTOCSPCertID *certID);
-
-/*
- * Check the signature on some OCSP data.  This is a helper function that
- * can be used to check either a request or a response.  The result is
- * saved in the signature structure itself for future reference (to avoid
- * repeating the expensive verification operation), as well as returned.
- * In addition to checking the signature, the certificate (and its chain)
- * are also checked for validity (at the specified time) and usage.
- *
- * The type of cert lookup to be performed is specified by "lookupByName":
- * if true, then "certIndex" is actually a CERTName; otherwise it is a
- * SECItem which contains a key hash.
- *
- * If the signature verifies okay, and the argument "pSignerCert" is not
- * null, that parameter will be filled-in with a pointer to the signer's
- * certificate.  The caller is then responsible for destroying the cert.
- *
- * A return of SECSuccess means the verification succeeded.  If not,
- * an error will be set with the reason.  Most likely are:
- *	SEC_ERROR_UNKNOWN_SIGNER - signer's cert could not be found
- *	SEC_ERROR_BAD_SIGNATURE - the signature did not verify
- * Other errors are any of the many possible failures in cert verification
- * (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
- * verifying the signer's cert, or low-level problems (no memory, etc.)
- */
-static SECStatus
-ocsp_CheckSignature(ocspSignature *signature, void *tbs,
-		    const SEC_ASN1Template *encodeTemplate,
-		    CERTCertDBHandle *handle, SECCertUsage certUsage,
-		    int64 checkTime, PRBool lookupByName, void *certIndex,
-		    void *pwArg, CERTCertificate **pSignerCert,
-		    CERTCertificate *issuer)
-{
-    SECItem rawSignature;
-    SECItem *encodedTBS = NULL;
-    CERTCertificate *responder = NULL;
-    CERTCertificate *signerCert = NULL;
-    SECKEYPublicKey *signerKey = NULL;
-    CERTCertificate **certs = NULL;
-    SECStatus rv = SECFailure;
-    int certCount;
-    int i;
-
-    /*
-     * If this signature has already gone through verification, just
-     * return the cached result.
-     */
-    if (signature->wasChecked) {
-	if (signature->status == SECSuccess) {
-	    if (pSignerCert != NULL)
-		*pSignerCert = CERT_DupCertificate(signature->cert);
-	} else {
-	    PORT_SetError(signature->failureReason);
-	}
-	return signature->status;
-    }
-
-    /*
-     * If the signature contains some certificates as well, temporarily
-     * import them in case they are needed for verification.
-     *
-     * Note that the result of this is that each cert in "certs" needs
-     * to be destroyed.
-     */
-    certCount = 0;
-    if (signature->derCerts != NULL) {
-	for (; signature->derCerts[certCount] != NULL; certCount++) {
-	    /* just counting */
-	    /*IMPORT CERT TO SPKI TABLE */
-	}
-    }
-    rv = CERT_ImportCerts(handle, certUsage, certCount,
-			  signature->derCerts, &certs,
-			  PR_FALSE, PR_FALSE, NULL);
-    if (rv != SECSuccess)
-	goto finish;
-
-    /*
-     * Now look up the certificate that did the signing.
-     * The signer can be specified either by name or by key hash.
-     */
-    if (lookupByName) {
-	SECItem *encodedName;
-
-	encodedName = SEC_ASN1EncodeItem(NULL, NULL, certIndex,
-					 CERT_NameTemplate);
-	if (encodedName == NULL)
-	    goto finish;
-
-	signerCert = CERT_FindCertByName(handle, encodedName);
-	SECITEM_FreeItem(encodedName, PR_TRUE);
-    } else {
-	/*
-	 * The signer is either 1) a known issuer CA we passed in,
-	 * 2) the default OCSP responder, or 3) an intermediate CA
-	 * passed in the cert list to use. Figure out which it is.
-	 */
-	responder = ocsp_CertGetDefaultResponder(handle,NULL);
-	if (responder && ocsp_matchcert(certIndex,responder)) {
-	    signerCert = CERT_DupCertificate(responder);
-	} else if (issuer && ocsp_matchcert(certIndex,issuer)) {
-	    signerCert = CERT_DupCertificate(issuer);
-	} 
-	for (i=0; (signerCert == NULL) && (i < certCount); i++) {
-	    if (ocsp_matchcert(certIndex,certs[i])) {
-		signerCert = CERT_DupCertificate(certs[i]);
-	    }
-	}
-    }
-
-    if (signerCert == NULL) {
-	rv = SECFailure;
-	if (PORT_GetError() == SEC_ERROR_UNKNOWN_CERT) {
-	    /* Make the error a little more specific. */
-	    PORT_SetError(SEC_ERROR_UNKNOWN_SIGNER);
-	}
-	goto finish;
-    }
-
-    /*
-     * We could mark this true at the top of this function, or always
-     * below at "finish", but if the problem was just that we could not
-     * find the signer's cert, leave that as if the signature hasn't
-     * been checked in case a subsequent call might have better luck.
-     */
-    signature->wasChecked = PR_TRUE;
-
-    /*
-     * Just because we have a cert does not mean it is any good; check
-     * it for validity, trust and usage.
-     */
-    rv = CERT_VerifyCert(handle, signerCert, PR_TRUE, certUsage, checkTime,
-			 pwArg, NULL);
-    if (rv != SECSuccess) {
-        PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT);
-	goto finish;
-    }
-
-    /*
-     * Now get the public key from the signer's certificate; we need
-     * it to perform the verification.
-     */
-    signerKey = CERT_ExtractPublicKey(signerCert);
-    if (signerKey == NULL)
-	goto finish;
-
-    /*
-     * Prepare the data to be verified; it needs to be DER encoded first.
-     */
-    encodedTBS = SEC_ASN1EncodeItem(NULL, NULL, tbs, encodeTemplate);
-    if (encodedTBS == NULL)
-	goto finish;
-
-    /*
-     * We copy the signature data *pointer* and length, so that we can
-     * modify the length without damaging the original copy.  This is a
-     * simple copy, not a dup, so no destroy/free is necessary.
-     */
-    rawSignature = signature->signature;
-    /*
-     * The raw signature is a bit string, but we need to represent its
-     * length in bytes, because that is what the verify function expects.
-     */
-    DER_ConvertBitString(&rawSignature);
-
-    rv = VFY_VerifyData(encodedTBS->data, encodedTBS->len, signerKey,
-			&rawSignature,
-			SECOID_GetAlgorithmTag(&signature->signatureAlgorithm),
-			pwArg);
-
-finish:
-    if (signature->wasChecked)
-	signature->status = rv;
-
-    if (rv != SECSuccess) {
-	signature->failureReason = PORT_GetError();
-	if (signerCert != NULL)
-	    CERT_DestroyCertificate(signerCert);
-    } else {
-	/*
-	 * Save signer's certificate in signature.
-	 */
-	signature->cert = signerCert;
-	if (pSignerCert != NULL) {
-	    /*
-	     * Pass pointer to signer's certificate back to our caller,
-	     * who is also now responsible for destroying it.
-	     */
-	    *pSignerCert = CERT_DupCertificate(signerCert);
-	}
-    }
-
-    if (encodedTBS != NULL)
-	SECITEM_FreeItem(encodedTBS, PR_TRUE);
-
-    if (signerKey != NULL)
-	SECKEY_DestroyPublicKey(signerKey);
-
-    if (certs != NULL)
-	CERT_DestroyCertArray(certs, certCount);
-	/* Free CERTS from SPKDigest Table */
-
-    return rv;
-}
-
-
-/*
- * FUNCTION: CERT_VerifyOCSPResponseSignature
- *   Check the signature on an OCSP Response.  Will also perform a
- *   verification of the signer's certificate.  Note, however, that a
- *   successful verification does not make any statement about the
- *   signer's *authority* to provide status for the certificate(s),
- *   that must be checked individually for each certificate.
- * INPUTS:
- *   CERTOCSPResponse *response
- *     Pointer to response structure with signature to be checked.
- *   CERTCertDBHandle *handle
- *     Pointer to CERTCertDBHandle for certificate DB to use for verification.
- *   void *pwArg
- *     Pointer to argument for password prompting, if needed.
- * OUTPUTS:
- *   CERTCertificate **pSignerCert
- *     Pointer in which to store signer's certificate; only filled-in if
- *     non-null.
- * RETURN:
- *   Returns SECSuccess when signature is valid, anything else means invalid.
- *   Possible errors set:
- *	SEC_ERROR_OCSP_MALFORMED_RESPONSE - unknown type of ResponderID
- *	SEC_ERROR_INVALID_TIME - bad format of "ProducedAt" time
- *	SEC_ERROR_UNKNOWN_SIGNER - signer's cert could not be found
- *	SEC_ERROR_BAD_SIGNATURE - the signature did not verify
- *   Other errors are any of the many possible failures in cert verification
- *   (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
- *   verifying the signer's cert, or low-level problems (no memory, etc.)
- */
-SECStatus
-CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,	
-				 CERTCertDBHandle *handle, void *pwArg,
-				 CERTCertificate **pSignerCert,
-				 CERTCertificate *issuer)
-{
-    ocspResponseData *tbsData;		/* this is what is signed */
-    PRBool byName;
-    void *certIndex;
-    int64 producedAt;
-    SECStatus rv;
-
-    tbsData = ocsp_GetResponseData(response);
-
-    PORT_Assert(tbsData->responderID != NULL);
-    switch (tbsData->responderID->responderIDType) {
-      case ocspResponderID_byName:
-	byName = PR_TRUE;
-	certIndex = &tbsData->responderID->responderIDValue.name;
-	break;
-      case ocspResponderID_byKey:
-	byName = PR_FALSE;
-	certIndex = &tbsData->responderID->responderIDValue.keyHash;
-	break;
-      case ocspResponderID_other:
-      default:
-	PORT_Assert(0);
-	PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
-	return SECFailure;
-    }
-
-    /*
-     * ocsp_CheckSignature will also verify the signer certificate; we
-     * need to tell it *when* that certificate must be valid -- for our
-     * purposes we expect it to be valid when the response was signed.
-     * The value of "producedAt" is the signing time.
-     */
-    rv = DER_GeneralizedTimeToTime(&producedAt, &tbsData->producedAt);
-    if (rv != SECSuccess)
-	return rv;
-
-    return ocsp_CheckSignature(ocsp_GetResponseSignature(response),
-			       tbsData, ocsp_ResponseDataTemplate,
-			       handle, certUsageStatusResponder, producedAt,
-			       byName, certIndex, pwArg, pSignerCert, issuer);
-}
-
-/*
- * See if two certIDs match.  This can be easy or difficult, depending
- * on whether the same hash algorithm was used.
- */
-static PRBool
-ocsp_CertIDsMatch(CERTCertDBHandle *handle,
-		  CERTOCSPCertID *certID1, CERTOCSPCertID *certID2)
-{
-    PRBool match = PR_FALSE;
-    SECItem *foundHash = NULL;
-    SECOidTag hashAlg;
-    SECItem *keyHash = NULL;
-    SECItem *nameHash = NULL;
-
-    /*
-     * In order to match, they must have the same issuer and the same
-     * serial number.
-     *
-     * We just compare the easier things first.
-     */
-    if (SECITEM_CompareItem(&certID1->serialNumber,
-			    &certID2->serialNumber) != SECEqual) {
-	goto done;
-    }
-
-    if (SECOID_CompareAlgorithmID(&certID1->hashAlgorithm,
-				  &certID2->hashAlgorithm) == SECEqual) {
-	/*
-	 * If the hash algorithms match then we can do a simple compare
-	 * of the hash values themselves.
-	 */
-	if ((SECITEM_CompareItem(&certID1->issuerNameHash,
-				 &certID2->issuerNameHash) == SECEqual)
-	    && (SECITEM_CompareItem(&certID1->issuerKeyHash,
-				    &certID2->issuerKeyHash) == SECEqual)) {
-	    match = PR_TRUE;
-	}
-	goto done;
-    }
-
-    hashAlg = SECOID_FindOIDTag(&certID2->hashAlgorithm.algorithm);
-    switch (hashAlg) {
-    case SEC_OID_SHA1:
-	keyHash = &certID1->issuerSHA1KeyHash;
-	nameHash = &certID1->issuerSHA1NameHash;
-	break;
-    case SEC_OID_MD5:
-	keyHash = &certID1->issuerMD5KeyHash;
-	nameHash = &certID1->issuerMD5NameHash;
-	break;
-    case SEC_OID_MD2:
-	keyHash = &certID1->issuerMD2KeyHash;
-	nameHash = &certID1->issuerMD2NameHash;
-	break;
-    default:
-	foundHash = NULL;
-	break;
-    }
-
-    if (foundHash == NULL) {
-	goto done;
-    }
-    PORT_Assert(keyHash && nameHash);
-
-    if ((SECITEM_CompareItem(nameHash, &certID2->issuerNameHash) == SECEqual)
-      && (SECITEM_CompareItem(keyHash, &certID2->issuerKeyHash) == SECEqual)) {
-	match = PR_TRUE;
-    }
-
-done:
-    return match;
-}
-
-/*
- * Find the single response for the cert specified by certID.
- * No copying is done; this just returns a pointer to the appropriate
- * response within responses, if it is found (and null otherwise).
- * This is fine, of course, since this function is internal-use only.
- */
-static CERTOCSPSingleResponse *
-ocsp_GetSingleResponseForCertID(CERTOCSPSingleResponse **responses,
-				CERTCertDBHandle *handle,
-				CERTOCSPCertID *certID)
-{
-    CERTOCSPSingleResponse *single;
-    int i;
-
-    if (responses == NULL)
-	return NULL;
-
-    for (i = 0; responses[i] != NULL; i++) {
-	single = responses[i];
-	if (ocsp_CertIDsMatch(handle, certID, single->certID) == PR_TRUE) {
-	    return single;
-	}
-    }
-
-    /*
-     * The OCSP server should have included a response even if it knew
-     * nothing about the certificate in question.  Since it did not,
-     * this will make it look as if it had.
-     * 
-     * XXX Should we make this a separate error to notice the server's
-     * bad behavior?
-     */
-    PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_CERT);
-    return NULL;
-}
-
-static ocspCheckingContext *
-ocsp_GetCheckingContext(CERTCertDBHandle *handle)
-{
-    CERTStatusConfig *statusConfig;
-    ocspCheckingContext *ocspcx = NULL;
-
-    statusConfig = CERT_GetStatusConfig(handle);
-    if (statusConfig != NULL) {
-	ocspcx = statusConfig->statusContext;
-
-	/*
-	 * This is actually an internal error, because we should never
-	 * have a good statusConfig without a good statusContext, too.
-	 * For lack of anything better, though, we just assert and use
-	 * the same error as if there were no statusConfig (set below).
-	 */
-	PORT_Assert(ocspcx != NULL);
-    }
-
-    if (ocspcx == NULL)
-	PORT_SetError(SEC_ERROR_OCSP_NOT_ENABLED);
-
-    return ocspcx;
-}
-/*
- * Return true if the given signerCert is the default responder for
- * the given certID.  If not, or if any error, return false.
- */
-static CERTCertificate *
-ocsp_CertGetDefaultResponder(CERTCertDBHandle *handle,CERTOCSPCertID *certID)
-{
-    ocspCheckingContext *ocspcx;
-
-    ocspcx = ocsp_GetCheckingContext(handle);
-    if (ocspcx == NULL)
-	goto loser;
-
-   /*
-    * Right now we have only one default responder.  It applies to
-    * all certs when it is used, so the check is simple and certID
-    * has no bearing on the answer.  Someday in the future we may
-    * allow configuration of different responders for different
-    * issuers, and then we would have to use the issuer specified
-    * in certID to determine if signerCert is the right one.
-    */
-    if (ocspcx->useDefaultResponder) {
-	PORT_Assert(ocspcx->defaultResponderCert != NULL);
-	return ocspcx->defaultResponderCert;
-    }
-
-loser:
-    return NULL;
-}
-
-/*
- * Return true if the given signerCert is the default responder for
- * the given certID.  If not, or if any error, return false.
- */
-static PRBool
-ocsp_CertIsDefaultResponderForCertID(CERTCertDBHandle *handle,
-				     CERTCertificate *signerCert,
-				     CERTOCSPCertID *certID)
-{
-    CERTCertificate *defaultResponderCert;
-
-    defaultResponderCert = ocsp_CertGetDefaultResponder(handle, certID);
-    return (PRBool) (defaultResponderCert == signerCert);
-}
-
-/*
- * Check that the given signer certificate is authorized to sign status
- * information for the given certID.  Return true if it is, false if not
- * (or if there is any error along the way).  If false is returned because
- * the signer is not authorized, the following error will be set:
- *	SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
- * Other errors are low-level problems (no memory, bad database, etc.).
- *
- * There are three ways to be authorized.  In the order in which we check,
- * using the terms used in the OCSP spec, the signer must be one of:
- *  1.  A "trusted responder" -- it matches a local configuration
- *      of OCSP signing authority for the certificate in question.
- *  2.  The CA who issued the certificate in question.
- *  3.  A "CA designated responder", aka an "authorized responder" -- it
- *      must be represented by a special cert issued by the CA who issued
- *      the certificate in question.
- */
-static PRBool
-ocsp_AuthorizedResponderForCertID(CERTCertDBHandle *handle,
-				  CERTCertificate *signerCert,
-				  CERTOCSPCertID *certID,
-				  int64 thisUpdate)
-{
-    CERTCertificate *issuerCert = NULL;
-    SECItem *issuerKeyHash = NULL;
-    SECOidTag hashAlg;
-    PRBool okay = PR_FALSE;
-
-    /*
-     * Check first for a trusted responder, which overrides everything else.
-     */
-    if (ocsp_CertIsDefaultResponderForCertID(handle, signerCert, certID))
-	return PR_TRUE;
-
-    /*
-     * In the other two cases, we need to do an issuer comparison.
-     * How we do it depends on whether the signer certificate has the
-     * special extension (for a designated responder) or not.
-     */
-
-    if (ocsp_CertIsOCSPSigner(signerCert)) {
-	/*
-	 * The signer is a designated responder.  Its issuer must match
-	 * the issuer of the cert being checked.
-	 */
-	issuerCert = CERT_FindCertIssuer(signerCert, thisUpdate,
-					 certUsageAnyCA);
-	if (issuerCert == NULL) {
-	    /*
-	     * We could leave the SEC_ERROR_UNKNOWN_ISSUER error alone,
-	     * but the following will give slightly more information.
-	     * Once we have an error stack, things will be much better.
-	     */
-	    PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE);
-	    goto loser;
-	}
-    } else {
-	/*
-	 * The signer must *be* the issuer of the cert being checked.
-	 */
-	issuerCert = signerCert;
-    }
-
-    hashAlg = SECOID_FindOIDTag(&certID->hashAlgorithm.algorithm);
-    issuerKeyHash = CERT_SPKDigestValueForCert(NULL, issuerCert, hashAlg, NULL);
-    if (issuerKeyHash == NULL)
-	goto loser;
-
-    if (SECITEM_CompareItem(issuerKeyHash,
-			    &certID->issuerKeyHash) != SECEqual) {
-	PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE);
-	goto loser;
-    }
-
-    okay = PR_TRUE;
-
-loser:
-    if (issuerKeyHash != NULL)
-	SECITEM_FreeItem(issuerKeyHash, PR_TRUE);
-
-    if (issuerCert != NULL && issuerCert != signerCert)
-	CERT_DestroyCertificate(issuerCert);
-
-    return okay;
-}
-
-/*
- * We need to check that a responder gives us "recent" information.
- * Since a responder can pre-package responses, we need to pick an amount
- * of time that is acceptable to us, and reject any response that is
- * older than that.
- *
- * XXX This *should* be based on some configuration parameter, so that
- * different usages could specify exactly what constitutes "sufficiently
- * recent".  But that is not going to happen right away.  For now, we
- * want something from within the last 24 hours.  This macro defines that
- * number in seconds.
- */
-#define OCSP_ALLOWABLE_LAPSE_SECONDS	(24L * 60L * 60L)
-
-static PRBool
-ocsp_TimeIsRecent(int64 checkTime)
-{
-    int64 now = PR_Now();
-    int64 lapse, tmp;
-
-    LL_I2L(lapse, OCSP_ALLOWABLE_LAPSE_SECONDS);
-    LL_I2L(tmp, PR_USEC_PER_SEC);
-    LL_MUL(lapse, lapse, tmp);		/* allowable lapse in microseconds */
-
-    LL_ADD(checkTime, checkTime, lapse);
-    if (LL_CMP(now, >, checkTime))
-	return PR_FALSE;
-
-    return PR_TRUE;
-}
-
-#define OCSP_SLOP (5L*60L) /* OCSP responses are allowed to be 5 minutes
-                              in the future by default */
-
-static PRUint32 ocspsloptime = OCSP_SLOP;	/* seconds */
-
-/*
- * Check that this single response is okay.  A return of SECSuccess means:
- *   1. The signer (represented by "signerCert") is authorized to give status
- *	for the cert represented by the individual response in "single".
- *   2. The value of thisUpdate is earlier than now.
- *   3. The value of producedAt is later than or the same as thisUpdate.
- *   4. If nextUpdate is given:
- *	- The value of nextUpdate is later than now.
- *	- The value of producedAt is earlier than nextUpdate.
- *	Else if no nextUpdate:
- *	- The value of thisUpdate is fairly recent.
- *	- The value of producedAt is fairly recent.
- *	However we do not need to perform an explicit check for this last
- *	constraint because it is already guaranteed by checking that
- *	producedAt is later than thisUpdate and thisUpdate is recent.
- * Oh, and any responder is "authorized" to say that a cert is unknown to it.
- *
- * If any of those checks fail, SECFailure is returned and an error is set:
- *	SEC_ERROR_OCSP_FUTURE_RESPONSE
- *	SEC_ERROR_OCSP_OLD_RESPONSE
- *	SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
- * Other errors are low-level problems (no memory, bad database, etc.).
- */ 
-static SECStatus
-ocsp_VerifySingleResponse(CERTOCSPSingleResponse *single,
-			  CERTCertDBHandle *handle,
-			  CERTCertificate *signerCert,
-			  int64 producedAt)
-{
-    CERTOCSPCertID *certID = single->certID;
-    int64 now, thisUpdate, nextUpdate, tmstamp, tmp;
-    SECStatus rv;
-
-    /*
-     * If all the responder said was that the given cert was unknown to it,
-     * that is a valid response.  Not very interesting to us, of course,
-     * but all this function is concerned with is validity of the response,
-     * not the status of the cert.
-     */
-    PORT_Assert(single->certStatus != NULL);
-    if (single->certStatus->certStatusType == ocspCertStatus_unknown)
-	return SECSuccess;
-
-    /*
-     * We need to extract "thisUpdate" for use below and to pass along
-     * to AuthorizedResponderForCertID in case it needs it for doing an
-     * issuer look-up.
-     */
-    rv = DER_GeneralizedTimeToTime(&thisUpdate, &single->thisUpdate);
-    if (rv != SECSuccess)
-	return rv;
-
-    /*
-     * First confirm that signerCert is authorized to give this status.
-     */
-    if (ocsp_AuthorizedResponderForCertID(handle, signerCert, certID,
-					  thisUpdate) != PR_TRUE)
-	return SECFailure;
-
-    /*
-     * Now check the time stuff, as described above.
-     */
-    now = PR_Now();
-    /* allow slop time for future response */
-    LL_UI2L(tmstamp, ocspsloptime); /* get slop time in seconds */
-    LL_UI2L(tmp, PR_USEC_PER_SEC);
-    LL_MUL(tmp, tmstamp, tmp); /* convert the slop time to PRTime */
-    LL_ADD(tmstamp, tmp, now); /* add current time to it */
-
-    if (LL_CMP(thisUpdate, >, tmstamp) || LL_CMP(producedAt, <, thisUpdate)) {
-	PORT_SetError(SEC_ERROR_OCSP_FUTURE_RESPONSE);
-	return SECFailure;
-    }
-    if (single->nextUpdate != NULL) {
-	rv = DER_GeneralizedTimeToTime(&nextUpdate, single->nextUpdate);
-	if (rv != SECSuccess)
-	    return rv;
-
-	LL_ADD(tmp, tmp, nextUpdate);
-	if (LL_CMP(tmp, <, now) || LL_CMP(producedAt, >, nextUpdate)) {
-	    PORT_SetError(SEC_ERROR_OCSP_OLD_RESPONSE);
-	    return SECFailure;
-	}
-    } else if (ocsp_TimeIsRecent(thisUpdate) != PR_TRUE) {
-	PORT_SetError(SEC_ERROR_OCSP_OLD_RESPONSE);
-	return SECFailure;
-    }
-
-    return SECSuccess;
-}
-
-
-/*
- * FUNCTION: CERT_GetOCSPAuthorityInfoAccessLocation
- *   Get the value of the URI of the OCSP responder for the given cert.
- *   This is found in the (optional) Authority Information Access extension
- *   in the cert.
- * INPUTS:
- *   CERTCertificate *cert
- *     The certificate being examined.
- * RETURN:
- *   char *
- *     A copy of the URI for the OCSP method, if found.  If either the
- *     extension is not present or it does not contain an entry for OCSP,
- *     SEC_ERROR_EXTENSION_NOT_FOUND will be set and a NULL returned.
- *     Any other error will also result in a NULL being returned.
- *     
- *     This result should be freed (via PORT_Free) when no longer in use.
- */
-char *
-CERT_GetOCSPAuthorityInfoAccessLocation(CERTCertificate *cert)
-{
-    CERTGeneralName *locname = NULL;
-    SECItem *location = NULL;
-    SECItem *encodedAuthInfoAccess = NULL;
-    CERTAuthInfoAccess **authInfoAccess = NULL;
-    char *locURI = NULL;
-    PRArenaPool *arena = NULL;
-    SECStatus rv;
-    int i;
-
-    /*
-     * Allocate this one from the heap because it will get filled in
-     * by CERT_FindCertExtension which will also allocate from the heap,
-     * and we can free the entire thing on our way out.
-     */
-    encodedAuthInfoAccess = SECITEM_AllocItem(NULL, NULL, 0);
-    if (encodedAuthInfoAccess == NULL)
-	goto loser;
-
-    rv = CERT_FindCertExtension(cert, SEC_OID_X509_AUTH_INFO_ACCESS,
-				encodedAuthInfoAccess);
-    if (rv == SECFailure)
-	goto loser;
-
-    /*
-     * The rest of the things allocated in the routine will come out of
-     * this arena, which is temporary just for us to decode and get at the
-     * AIA extension.  The whole thing will be destroyed on our way out,
-     * after we have copied the location string (url) itself (if found).
-     */
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL)
-	goto loser;
-
-    authInfoAccess = CERT_DecodeAuthInfoAccessExtension(arena,
-							encodedAuthInfoAccess);
-    if (authInfoAccess == NULL)
-	goto loser;
-
-    for (i = 0; authInfoAccess[i] != NULL; i++) {
-	if (SECOID_FindOIDTag(&authInfoAccess[i]->method) == SEC_OID_PKIX_OCSP)
-	    locname = authInfoAccess[i]->location;
-    }
-
-    /*
-     * If we found an AIA extension, but it did not include an OCSP method,
-     * that should look to our caller as if we did not find the extension
-     * at all, because it is only an OCSP method that we care about.
-     * So set the same error that would be set if the AIA extension was
-     * not there at all.
-     */
-    if (locname == NULL) {
-	PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND);
-	goto loser;
-    }
-
-    /*
-     * The following is just a pointer back into locname (i.e. not a copy);
-     * thus it should not be freed.
-     */
-    location = CERT_GetGeneralNameByType(locname, certURI, PR_FALSE);
-    if (location == NULL) {
-	/*
-	 * XXX Appears that CERT_GetGeneralNameByType does not set an
-	 * error if there is no name by that type.  For lack of anything
-	 * better, act as if the extension was not found.  In the future
-	 * this should probably be something more like the extension was
-	 * badly formed.
-	 */
-	PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND);
-	goto loser;
-    }
-
-    /*
-     * That location is really a string, but it has a specified length
-     * without a null-terminator.  We need a real string that does have
-     * a null-terminator, and we need a copy of it anyway to return to
-     * our caller -- so allocate and copy.
-     */
-    locURI = PORT_Alloc(location->len + 1);
-    if (locURI == NULL) {
-	goto loser;
-    }
-    PORT_Memcpy(locURI, location->data, location->len);
-    locURI[location->len] = '\0';
-
-loser:
-    if (arena != NULL)
-	PORT_FreeArena(arena, PR_FALSE);
-
-    if (encodedAuthInfoAccess != NULL)
-	SECITEM_FreeItem(encodedAuthInfoAccess, PR_TRUE);
-
-    return locURI;
-}
-
-
-/*
- * Figure out where we should go to find out the status of the given cert
- * via OCSP.  If a default responder is set up, that is our answer.
- * If not, see if the certificate has an Authority Information Access (AIA)
- * extension for OCSP, and return the value of that.  Otherwise return NULL.
- * We also let our caller know whether or not the responder chosen was
- * a default responder or not through the output variable isDefault;
- * its value has no meaning unless a good (non-null) value is returned
- * for the location.
- *
- * The result needs to be freed (PORT_Free) when no longer in use.
- */
-static char *
-ocsp_GetResponderLocation(CERTCertDBHandle *handle, CERTCertificate *cert,
-			  PRBool *isDefault)
-{
-    ocspCheckingContext *ocspcx;
-
-    ocspcx = ocsp_GetCheckingContext(handle);
-    if (ocspcx != NULL && ocspcx->useDefaultResponder) {
-	/*
-	 * A default responder wins out, if specified.
-	 * XXX Someday this may be a more complicated determination based
-	 * on the cert's issuer.  (That is, we could have different default
-	 * responders configured for different issuers.)
-	 */
-	PORT_Assert(ocspcx->defaultResponderURI != NULL);
-	*isDefault = PR_TRUE;
-	return (PORT_Strdup(ocspcx->defaultResponderURI));
-    }
-
-    /*
-     * No default responder set up, so go see if we can find an AIA
-     * extension that has a value for OCSP, and get the url from that.
-     */
-    *isDefault = PR_FALSE;
-    return CERT_GetOCSPAuthorityInfoAccessLocation(cert);
-}
-
-/*
- * Return SECSuccess if the cert was revoked *after* "time",
- * SECFailure otherwise.
- */
-static SECStatus
-ocsp_CertRevokedAfter(ocspRevokedInfo *revokedInfo, int64 time)
-{
-    int64 revokedTime;
-    SECStatus rv;
-
-    rv = DER_GeneralizedTimeToTime(&revokedTime, &revokedInfo->revocationTime);
-    if (rv != SECSuccess)
-	return rv;
-
-    /*
-     * Set the error even if we will return success; someone might care.
-     */
-    PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
-
-    if (LL_CMP(revokedTime, >, time))
-	return SECSuccess;
-
-    return SECFailure;
-}
-
-/*
- * See if the cert represented in the single response had a good status
- * at the specified time.
- */
-static SECStatus
-ocsp_CertHasGoodStatus(CERTOCSPSingleResponse *single, int64 time)
-{
-    ocspCertStatus *status;
-    SECStatus rv;
-
-    status = single->certStatus;
-
-    switch (status->certStatusType) {
-      case ocspCertStatus_good:
-	rv = SECSuccess;
-	break;
-      case ocspCertStatus_revoked:
-	rv = ocsp_CertRevokedAfter(status->certStatusInfo.revokedInfo, time);
-	break;
-      case ocspCertStatus_unknown:
-	PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_CERT);
-	rv = SECFailure;
-	break;
-      case ocspCertStatus_other:
-      default:
-	PORT_Assert(0);
-	PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
-	rv = SECFailure;
-	break;
-    }
-
-    return rv;
-}
-
-
-/*
- * FUNCTION: CERT_CheckOCSPStatus
- *   Checks the status of a certificate via OCSP.  Will only check status for
- *   a certificate that has an AIA (Authority Information Access) extension
- *   for OCSP *or* when a "default responder" is specified and enabled.
- *   (If no AIA extension for OCSP and no default responder in place, the
- *   cert is considered to have a good status and SECSuccess is returned.)
- * INPUTS:
- *   CERTCertDBHandle *handle
- *     certificate DB of the cert that is being checked
- *   CERTCertificate *cert
- *     the certificate being checked
- *   XXX in the long term also need a boolean parameter that specifies
- *	whether to check the cert chain, as well; for now we check only
- *	the leaf (the specified certificate)
- *   int64 time
- *     time for which status is to be determined
- *   void *pwArg
- *     argument for password prompting, if needed
- * RETURN:
- *   Returns SECSuccess if an approved OCSP responder "knows" the cert
- *   *and* returns a non-revoked status for it; SECFailure otherwise,
- *   with an error set describing the reason:
- *
- *	SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
- *	SEC_ERROR_OCSP_FUTURE_RESPONSE
- *	SEC_ERROR_OCSP_MALFORMED_REQUEST
- *	SEC_ERROR_OCSP_MALFORMED_RESPONSE
- *	SEC_ERROR_OCSP_OLD_RESPONSE
- *	SEC_ERROR_OCSP_REQUEST_NEEDS_SIG
- *	SEC_ERROR_OCSP_SERVER_ERROR
- *	SEC_ERROR_OCSP_TRY_SERVER_LATER
- *	SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST
- *	SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
- *	SEC_ERROR_OCSP_UNKNOWN_CERT
- *	SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS
- *	SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE
- *
- *	SEC_ERROR_BAD_SIGNATURE
- *	SEC_ERROR_CERT_BAD_ACCESS_LOCATION
- *	SEC_ERROR_INVALID_TIME
- *	SEC_ERROR_REVOKED_CERTIFICATE
- *	SEC_ERROR_UNKNOWN_ISSUER
- *	SEC_ERROR_UNKNOWN_SIGNER
- *
- *   Other errors are any of the many possible failures in cert verification
- *   (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
- *   verifying the signer's cert, or low-level problems (error allocating
- *   memory, error performing ASN.1 decoding, etc.).
- */    
-SECStatus 
-CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
-		     int64 time, void *pwArg)
-{
-    char *location = NULL;
-    PRBool locationIsDefault;
-    CERTCertList *certList = NULL;
-    SECItem *encodedResponse = NULL;
-    CERTOCSPRequest *request = NULL;
-    CERTOCSPResponse *response = NULL;
-    CERTCertificate *signerCert = NULL;
-    CERTCertificate *issuerCert = NULL;
-    CERTOCSPCertID *certID;
-    SECStatus rv = SECFailure;
-
-
-    /*
-     * The first thing we need to do is find the location of the responder.
-     * This will be the value of the default responder (if enabled), else
-     * it will come out of the AIA extension in the cert (if present).
-     * If we have no such location, then this cert does not "deserve" to
-     * be checked -- that is, we consider it a success and just return.
-     * The way we tell that is by looking at the error number to see if
-     * the problem was no AIA extension was found; any other error was
-     * a true failure that we unfortunately have to treat as an overall
-     * failure here.
-     */
-    location = ocsp_GetResponderLocation(handle, cert, &locationIsDefault);
-    if (location == NULL) {
-	if (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND)
-	    return SECSuccess;
-	else
-	    return SECFailure;
-    }
-
-    /*
-     * For now, create a cert-list of one.
-     * XXX In the fullness of time, we will want/need to handle a
-     * certificate chain.  This will be done either when a new parameter
-     * tells us to, or some configuration variable tells us to.  In any
-     * case, handling it is complicated because we may need to send as
-     * many requests (and receive as many responses) as we have certs
-     * in the chain.  If we are going to talk to a default responder,
-     * and we only support one default responder, we can put all of the
-     * certs together into one request.  Otherwise, we must break them up
-     * into multiple requests.  (Even if all of the requests will go to
-     * the same location, the signature on each response will be different,
-     * because each issuer is different.  Carefully read the OCSP spec
-     * if you do not understand this.)
-     */
-
-    certList = CERT_NewCertList();
-    if (certList == NULL)
-	goto loser;
-
-    /* dup it because freeing the list will destroy the cert, too */
-    cert = CERT_DupCertificate(cert);
-    if (cert == NULL)
-	goto loser;
-
-    if (CERT_AddCertToListTail(certList, cert) != SECSuccess) {
-	CERT_DestroyCertificate(cert);
-	goto loser;
-    }
-
-    /*
-     * XXX If/when signing of requests is supported, that second NULL
-     * should be changed to be the signer certificate.  Not sure if that
-     * should be passed into this function or retrieved via some operation
-     * on the handle/context.
-     */
-    encodedResponse = CERT_GetEncodedOCSPResponse(NULL, certList, location,
-						  time, locationIsDefault,
-						  NULL, pwArg, &request);
-    if (encodedResponse == NULL) {
-	goto loser;
-    }
-
-    response = CERT_DecodeOCSPResponse(encodedResponse);
-    if (response == NULL) {
-	goto loser;
-    }
-
-    /*
-     * Okay, we at least have a response that *looks* like a response!
-     * Now see if the overall response status value is good or not.
-     * If not, we set an error and give up.  (It means that either the
-     * server had a problem, or it didn't like something about our
-     * request.  Either way there is nothing to do but give up.)
-     * Otherwise, we continue to find the actual per-cert status
-     * in the response.
-     */
-    if (CERT_GetOCSPResponseStatus(response) != SECSuccess) {
-	goto loser;
-    }
-
-    /*
-     * If we've made it this far, we expect a response with a good signature.
-     * So, check for that.
-     */
-    issuerCert = CERT_FindCertIssuer(cert, time, certUsageAnyCA);
-    rv = CERT_VerifyOCSPResponseSignature(response, handle, pwArg, &signerCert,
-			issuerCert);
-    if (rv != SECSuccess)
-	goto loser;
-
-    PORT_Assert(signerCert != NULL);	/* internal consistency check */
-    /* XXX probably should set error, return failure if signerCert is null */
-
-
-    /*
-     * Again, we are only doing one request for one cert.
-     * XXX When we handle cert chains, the following code will obviously
-     * have to be modified, in coordation with the code above that will
-     * have to determine how to make multiple requests, etc.  It will need
-     * to loop, and for each certID in the request, find the matching
-     * single response and check the status specified by it.
-     *
-     * We are helped here in that we know that the requests are made with
-     * the request list in the same order as the order of the certs we hand
-     * to it.  This is why I can directly access the first member of the
-     * single request array for the one cert I care about.
-     */
-
-    certID = request->tbsRequest->requestList[0]->reqCert;
-    rv = CERT_GetOCSPStatusForCertID(handle, response, certID, 
-                                     signerCert, time);
-loser:
-    if (issuerCert != NULL)
-	CERT_DestroyCertificate(issuerCert);
-    if (signerCert != NULL)
-	CERT_DestroyCertificate(signerCert);
-    if (response != NULL)
-	CERT_DestroyOCSPResponse(response);
-    if (request != NULL)
-	CERT_DestroyOCSPRequest(request);
-    if (encodedResponse != NULL)
-	SECITEM_FreeItem(encodedResponse, PR_TRUE);
-    if (certList != NULL)
-	CERT_DestroyCertList(certList);
-    if (location != NULL)
-	PORT_Free(location);
-    return rv;
-}
-
-SECStatus
-CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle, 
-                            CERTOCSPResponse *response, 
-                            CERTOCSPCertID   *certID,
-                            CERTCertificate  *signerCert,
-                            int64             time)
-{
-    SECStatus rv;
-    ocspResponseData *responseData;
-    int64 producedAt;
-    CERTOCSPSingleResponse *single;
-
-    /*
-     * The ResponseData part is the real guts of the response.
-     */
-    responseData = ocsp_GetResponseData(response);
-    if (responseData == NULL) {
-	rv = SECFailure;
-	goto loser;
-    }
-
-    /*
-     * There is one producedAt time for the entire response (and a separate
-     * thisUpdate time for each individual single response).  We need to
-     * compare them, so get the overall time to pass into the check of each
-     * single response.
-     */
-    rv = DER_GeneralizedTimeToTime(&producedAt, &responseData->producedAt);
-    if (rv != SECSuccess)
-	goto loser;
-
-    single = ocsp_GetSingleResponseForCertID(responseData->responses,
-					     handle, certID);
-    if (single == NULL) {
-	rv = SECFailure;
-	goto loser;
-    }
-
-    rv = ocsp_VerifySingleResponse(single, handle, signerCert, producedAt);
-    if (rv != SECSuccess)
-	goto loser;
-
-    /*
-     * Okay, the last step is to check whether the status says revoked,
-     * and if so how that compares to the time value passed into this routine.
-     */
-
-    rv = ocsp_CertHasGoodStatus(single, time);
-loser:
-    return rv;
-}
-
-
-/*
- * Disable status checking and destroy related structures/data.
- */
-static SECStatus
-ocsp_DestroyStatusChecking(CERTStatusConfig *statusConfig)
-{
-    ocspCheckingContext *statusContext;
-
-    /*
-     * Disable OCSP checking
-     */
-    statusConfig->statusChecker = NULL;
-
-    statusContext = statusConfig->statusContext;
-    PORT_Assert(statusContext != NULL);
-    if (statusContext == NULL)
-	return SECFailure;
-
-    if (statusContext->defaultResponderURI != NULL)
-	PORT_Free(statusContext->defaultResponderURI);
-    if (statusContext->defaultResponderNickname != NULL)
-	PORT_Free(statusContext->defaultResponderNickname);
-
-    PORT_Free(statusContext);
-    statusConfig->statusContext = NULL;
-
-    PORT_Free(statusConfig);
-
-    return SECSuccess;
-}
-
-
-/*
- * FUNCTION: CERT_DisableOCSPChecking
- *   Turns off OCSP checking for the given certificate database.
- *   This routine disables OCSP checking.  Though it will return
- *   SECFailure if OCSP checking is not enabled, it is "safe" to
- *   call it that way and just ignore the return value, if it is
- *   easier to just call it than to "remember" whether it is enabled.
- * INPUTS:
- *   CERTCertDBHandle *handle
- *     Certificate database for which OCSP checking will be disabled.
- * RETURN:
- *   Returns SECFailure if an error occurred (usually means that OCSP
- *   checking was not enabled or status contexts were not initialized --
- *   error set will be SEC_ERROR_OCSP_NOT_ENABLED); SECSuccess otherwise.
- */
-SECStatus
-CERT_DisableOCSPChecking(CERTCertDBHandle *handle)
-{
-    CERTStatusConfig *statusConfig;
-    ocspCheckingContext *statusContext;
-
-    if (handle == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    statusConfig = CERT_GetStatusConfig(handle);
-    statusContext = ocsp_GetCheckingContext(handle);
-    if (statusContext == NULL)
-	return SECFailure;
-
-    if (statusConfig->statusChecker != CERT_CheckOCSPStatus) {
-	/*
-	 * Status configuration is present, but either not currently
-	 * enabled or not for OCSP.
-	 */
-	PORT_SetError(SEC_ERROR_OCSP_NOT_ENABLED);
-	return SECFailure;
-    }
-
-    /*
-     * This is how we disable status checking.  Everything else remains
-     * in place in case we are enabled again.
-     */
-    statusConfig->statusChecker = NULL;
-
-    return SECSuccess;
-}
-
-/*
- * Allocate and initialize the informational structures for status checking.
- * This is done when some configuration of OCSP is being done or when OCSP
- * checking is being turned on, whichever comes first.
- */
-static SECStatus
-ocsp_InitStatusChecking(CERTCertDBHandle *handle)
-{
-    CERTStatusConfig *statusConfig = NULL;
-    ocspCheckingContext *statusContext = NULL;
-
-    PORT_Assert(CERT_GetStatusConfig(handle) == NULL);
-    if (CERT_GetStatusConfig(handle) != NULL) {
-	/* XXX or call statusConfig->statusDestroy and continue? */
-	return SECFailure;
-    }
-
-    statusConfig = PORT_ZNew(CERTStatusConfig);
-    if (statusConfig == NULL)
-	goto loser;
-
-    statusContext = PORT_ZNew(ocspCheckingContext);
-    if (statusContext == NULL)
-	goto loser;
-
-    statusConfig->statusDestroy = ocsp_DestroyStatusChecking;
-    statusConfig->statusContext = statusContext;
-
-    CERT_SetStatusConfig(handle, statusConfig);
-
-    return SECSuccess;
-
-loser:
-    if (statusContext != NULL)
-	PORT_Free(statusContext);
-    if (statusConfig != NULL)
-	PORT_Free(statusConfig);
-    return SECFailure;
-}
-
-
-/*
- * FUNCTION: CERT_EnableOCSPChecking
- *   Turns on OCSP checking for the given certificate database.
- * INPUTS:
- *   CERTCertDBHandle *handle
- *     Certificate database for which OCSP checking will be enabled.
- * RETURN:
- *   Returns SECFailure if an error occurred (likely only problem
- *   allocating memory); SECSuccess otherwise.
- */
-SECStatus
-CERT_EnableOCSPChecking(CERTCertDBHandle *handle)
-{
-    CERTStatusConfig *statusConfig;
-    
-    SECStatus rv;
-
-    if (handle == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    statusConfig = CERT_GetStatusConfig(handle);
-    if (statusConfig == NULL) {
-	rv = ocsp_InitStatusChecking(handle);
-	if (rv != SECSuccess)
-	    return rv;
-
-	/* Get newly established value */
-	statusConfig = CERT_GetStatusConfig(handle);
-	PORT_Assert(statusConfig != NULL);
-    }
-
-    /*
-     * Setting the checker function is what really enables the checking
-     * when each cert verification is done.
-     */
-    statusConfig->statusChecker = CERT_CheckOCSPStatus;
-
-    return SECSuccess;
-}
-
-
-/*
- * FUNCTION: CERT_SetOCSPDefaultResponder
- *   Specify the location and cert of the default responder.
- *   If OCSP checking is already enabled *and* use of a default responder
- *   is also already enabled, all OCSP checking from now on will go directly
- *   to the specified responder.  If OCSP checking is not enabled, or if
- *   it is but use of a default responder is not enabled, the information
- *   will be recorded and take effect whenever both are enabled.
- * INPUTS:
- *   CERTCertDBHandle *handle
- *     Cert database on which OCSP checking should use the default responder.
- *   char *url
- *     The location of the default responder (e.g. "http://foo.com:80/ocsp")
- *     Note that the location will not be tested until the first attempt
- *     to send a request there.
- *   char *name
- *     The nickname of the cert to trust (expected) to sign the OCSP responses.
- *     If the corresponding cert cannot be found, SECFailure is returned.
- * RETURN:
- *   Returns SECFailure if an error occurred; SECSuccess otherwise.
- *   The most likely error is that the cert for "name" could not be found
- *   (probably SEC_ERROR_UNKNOWN_CERT).  Other errors are low-level (no memory,
- *   bad database, etc.).
- */
-SECStatus
-CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
-			     const char *url, const char *name)
-{
-    CERTCertificate *cert;
-    ocspCheckingContext *statusContext;
-    char *url_copy = NULL;
-    char *name_copy = NULL;
-    SECStatus rv;
-
-    if (handle == NULL || url == NULL || name == NULL) {
-	/*
-	 * XXX When interface is exported, probably want better errors;
-	 * perhaps different one for each parameter.
-	 */
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    /*
-     * Find the certificate for the specified nickname.  Do this first
-     * because it seems the most likely to fail.
-     *
-     * XXX Shouldn't need that cast if the FindCertByNickname interface
-     * used const to convey that it does not modify the name.  Maybe someday.
-     */
-    cert = CERT_FindCertByNickname(handle, (char *) name);
-    if (cert == NULL) {
-      /*
-       * look for the cert on an external token.
-       */
-      cert = PK11_FindCertFromNickname((char *)name, NULL);
-    }
-    if (cert == NULL)
-	return SECFailure;
-
-    /*
-     * Make a copy of the url and nickname.
-     */
-    url_copy = PORT_Strdup(url);
-    name_copy = PORT_Strdup(name);
-    if (url_copy == NULL || name_copy == NULL) {
-	rv = SECFailure;
-	goto loser;
-    }
-
-    statusContext = ocsp_GetCheckingContext(handle);
-
-    /*
-     * Allocate and init the context if it doesn't already exist.
-     */
-    if (statusContext == NULL) {
-	rv = ocsp_InitStatusChecking(handle);
-	if (rv != SECSuccess)
-	    goto loser;
-
-	statusContext = ocsp_GetCheckingContext(handle);
-	PORT_Assert(statusContext != NULL);	/* extreme paranoia */
-    }
-
-    /*
-     * Note -- we do not touch the status context until after all of
-     * the steps which could cause errors.  If something goes wrong,
-     * we want to leave things as they were.
-     */
-
-    /*
-     * Get rid of old url and name if there.
-     */
-    if (statusContext->defaultResponderNickname != NULL)
-	PORT_Free(statusContext->defaultResponderNickname);
-    if (statusContext->defaultResponderURI != NULL)
-	PORT_Free(statusContext->defaultResponderURI);
-
-    /*
-     * And replace them with the new ones.
-     */
-    statusContext->defaultResponderURI = url_copy;
-    statusContext->defaultResponderNickname = name_copy;
-
-    /*
-     * If there was already a cert in place, get rid of it and replace it.
-     * Otherwise, we are not currently enabled, so we don't want to save it;
-     * it will get re-found and set whenever use of a default responder is
-     * enabled.
-     */
-    if (statusContext->defaultResponderCert != NULL) {
-	CERT_DestroyCertificate(statusContext->defaultResponderCert);
-	statusContext->defaultResponderCert = cert;
-    } else {
-	PORT_Assert(statusContext->useDefaultResponder == PR_FALSE);
-	CERT_DestroyCertificate(cert);
-    }
-
-    return SECSuccess;
-
-loser:
-    CERT_DestroyCertificate(cert);
-    if (url_copy != NULL)
-	PORT_Free(url_copy);
-    if (name_copy != NULL)
-	PORT_Free(name_copy);
-    return rv;
-}
-
-
-/*
- * FUNCTION: CERT_EnableOCSPDefaultResponder
- *   Turns on use of a default responder when OCSP checking.
- *   If OCSP checking is already enabled, this will make subsequent checks
- *   go directly to the default responder.  (The location of the responder
- *   and the nickname of the responder cert must already be specified.)
- *   If OCSP checking is not enabled, this will be recorded and take effect
- *   whenever it is enabled.
- * INPUTS:
- *   CERTCertDBHandle *handle
- *     Cert database on which OCSP checking should use the default responder.
- * RETURN:
- *   Returns SECFailure if an error occurred; SECSuccess otherwise.
- *   No errors are especially likely unless the caller did not previously
- *   perform a successful call to SetOCSPDefaultResponder (in which case
- *   the error set will be SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER).
- */
-SECStatus
-CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle)
-{
-    ocspCheckingContext *statusContext;
-    CERTCertificate *cert;
-
-    if (handle == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    statusContext = ocsp_GetCheckingContext(handle);
-
-    if (statusContext == NULL) {
-	/*
-	 * Strictly speaking, the error already set is "correct",
-	 * but cover over it with one more helpful in this context.
-	 */
-	PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER);
-	return SECFailure;
-    }
-
-    if (statusContext->defaultResponderURI == NULL) {
-	PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER);
-	return SECFailure;
-    }
-
-    if (statusContext->defaultResponderNickname == NULL) {
-	PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER);
-	return SECFailure;
-    }
-
-    /*
-     * Find the cert for the nickname.
-     */
-    cert = CERT_FindCertByNickname(handle,
-				   statusContext->defaultResponderNickname);
-    if (cert == NULL) {
-        cert = PK11_FindCertFromNickname(statusContext->defaultResponderNickname,
-                                         NULL);
-    }
-    /*
-     * We should never have trouble finding the cert, because its
-     * existence should have been proven by SetOCSPDefaultResponder.
-     */
-    PORT_Assert(cert != NULL);
-    if (cert == NULL)
-	return SECFailure;
-
-    /*
-     * And hang onto it.
-     */
-    statusContext->defaultResponderCert = cert;
-
-    /*
-     * Finally, record the fact that we now have a default responder enabled.
-     */
-    statusContext->useDefaultResponder = PR_TRUE;
-    return SECSuccess;
-}
-
-
-/*
- * FUNCTION: CERT_DisableOCSPDefaultResponder
- *   Turns off use of a default responder when OCSP checking.
- *   (Does nothing if use of a default responder is not enabled.)
- * INPUTS:
- *   CERTCertDBHandle *handle
- *     Cert database on which OCSP checking should stop using a default
- *     responder.
- * RETURN:
- *   Returns SECFailure if an error occurred; SECSuccess otherwise.
- *   Errors very unlikely (like random memory corruption...).
- */
-SECStatus
-CERT_DisableOCSPDefaultResponder(CERTCertDBHandle *handle)
-{
-    CERTStatusConfig *statusConfig;
-    ocspCheckingContext *statusContext;
-
-    if (handle == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    statusConfig = CERT_GetStatusConfig(handle);
-    if (statusConfig == NULL)
-	return SECSuccess;
-
-    statusContext = ocsp_GetCheckingContext(handle);
-    PORT_Assert(statusContext != NULL);
-    if (statusContext == NULL)
-	return SECFailure;
-
-    if (statusContext->defaultResponderCert != NULL) {
-	CERT_DestroyCertificate(statusContext->defaultResponderCert);
-	statusContext->defaultResponderCert = NULL;
-    }
-
-    /*
-     * Finally, record the fact.
-     */
-    statusContext->useDefaultResponder = PR_FALSE;
-    return SECSuccess;
-}
-
-/*
- * Digest the cert's subject public key using the specified algorithm.
- * The necessary storage for the digest data is allocated.  If "fill" is
- * non-null, the data is put there, otherwise a SECItem is allocated.
- * Allocation from "arena" if it is non-null, heap otherwise.  Any problem
- * results in a NULL being returned (and an appropriate error set).
- */
-SECItem *
-CERT_SPKDigestValueForCert(PRArenaPool *arena, CERTCertificate *cert,
-                           SECOidTag digestAlg, SECItem *fill)
-{
-    const SECHashObject *digestObject;
-    void *digestContext;
-    SECItem *result = NULL;
-    void *mark = NULL;
-    SECItem spk;
-
-    if ( arena != NULL ) {
-        mark = PORT_ArenaMark(arena);
-    }
-
-    digestObject = HASH_GetHashObjectByOidTag(digestAlg);
-    if ( digestObject == NULL ) {
-        goto loser;
-    }
-
-    if ((fill == NULL) || (fill->data == NULL)) {
-	result = SECITEM_AllocItem(arena, fill, digestObject->length);
-	if ( result == NULL ) {
-	   goto loser;
-	}
-	fill = result;
-    }
-
-    /*
-     * Copy just the length and data pointer (nothing needs to be freed)
-     * of the subject public key so we can convert the length from bits
-     * to bytes, which is what the digest function expects.
-     */
-    spk = cert->subjectPublicKeyInfo.subjectPublicKey;
-    DER_ConvertBitString(&spk);
-
-    /*
-     * Now digest the value, using the specified algorithm.
-     */
-    digestContext = digestObject->create();
-    if ( digestContext == NULL ) {
-        goto loser;
-    }
-    digestObject->begin(digestContext);
-    digestObject->update(digestContext, spk.data, spk.len);
-    digestObject->end(digestContext, fill->data, &(fill->len), fill->len);
-    digestObject->destroy(digestContext, PR_TRUE);
-
-    if ( arena != NULL ) {
-        PORT_ArenaUnmark(arena, mark);
-    }
-    return(fill);
-
-loser:
-    if ( arena != NULL ) {
-        PORT_ArenaRelease(arena, mark);
-    } else {
-        if ( result != NULL ) {
-            SECITEM_FreeItem(result, (fill == NULL) ? PR_TRUE : PR_FALSE);
-        }
-    }
-    return(NULL);
-}
-
-SECStatus
-CERT_GetOCSPResponseStatus(CERTOCSPResponse *response)
-{
-    PORT_Assert(response);
-    if (response->statusValue == ocspResponse_successful)
-	return SECSuccess;
-
-    switch (response->statusValue) {
-      case ocspResponse_malformedRequest:
-	PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST);
-	break;
-      case ocspResponse_internalError:
-	PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR);
-	break;
-      case ocspResponse_tryLater:
-	PORT_SetError(SEC_ERROR_OCSP_TRY_SERVER_LATER);
-	break;
-      case ocspResponse_sigRequired:
-	/* XXX We *should* retry with a signature, if possible. */
-	PORT_SetError(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG);
-	break;
-      case ocspResponse_unauthorized:
-	PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST);
-	break;
-      case ocspResponse_other:
-      case ocspResponse_unused:
-      default:
-	PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS);
-	break;
-    }
-    return SECFailure;
-}
diff --git a/security/nss/lib/certhigh/ocsp.h b/security/nss/lib/certhigh/ocsp.h
deleted file mode 100644
index c188f6780..000000000
--- a/security/nss/lib/certhigh/ocsp.h
+++ /dev/null
@@ -1,537 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Interface to the OCSP implementation.
- *
- * $Id$
- */
-
-#ifndef _OCSP_H_
-#define _OCSP_H_
-
-
-#include "plarena.h"
-#include "seccomon.h"
-#include "secoidt.h"
-#include "keyt.h"
-#include "certt.h"
-#include "ocspt.h"
-
-
-/************************************************************************/
-SEC_BEGIN_PROTOS
-
-/*
- * FUNCTION: CERT_EnableOCSPChecking
- *   Turns on OCSP checking for the given certificate database.
- * INPUTS:
- *   CERTCertDBHandle *handle
- *     Certificate database for which OCSP checking will be enabled.
- * RETURN:
- *   Returns SECFailure if an error occurred (likely only problem
- *   allocating memory); SECSuccess otherwise.
- */
-extern SECStatus
-CERT_EnableOCSPChecking(CERTCertDBHandle *handle);
-
-/*
- * FUNCTION: CERT_DisableOCSPChecking
- *   Turns off OCSP checking for the given certificate database.
- *   This routine disables OCSP checking.  Though it will return
- *   SECFailure if OCSP checking is not enabled, it is "safe" to
- *   call it that way and just ignore the return value, if it is
- *   easier to just call it than to "remember" whether it is enabled.
- * INPUTS:
- *   CERTCertDBHandle *handle
- *     Certificate database for which OCSP checking will be disabled.
- * RETURN:
- *   Returns SECFailure if an error occurred (usually means that OCSP
- *   checking was not enabled or status contexts were not initialized --
- *   error set will be SEC_ERROR_OCSP_NOT_ENABLED); SECSuccess otherwise.
- */
-extern SECStatus
-CERT_DisableOCSPChecking(CERTCertDBHandle *handle);
-
-/*
- * FUNCTION: CERT_SetOCSPDefaultResponder
- *   Specify the location and cert of the default responder.
- *   If OCSP checking is already enabled *and* use of a default responder
- *   is also already enabled, all OCSP checking from now on will go directly
- *   to the specified responder.  If OCSP checking is not enabled, or if
- *   it is but use of a default responder is not enabled, the information
- *   will be recorded and take effect whenever both are enabled.
- * INPUTS:
- *   CERTCertDBHandle *handle
- *     Cert database on which OCSP checking should use the default responder.
- *   char *url
- *     The location of the default responder (e.g. "http://foo.com:80/ocsp")
- *     Note that the location will not be tested until the first attempt
- *     to send a request there.
- *   char *name
- *     The nickname of the cert to trust (expected) to sign the OCSP responses.
- *     If the corresponding cert cannot be found, SECFailure is returned.
- * RETURN:
- *   Returns SECFailure if an error occurred; SECSuccess otherwise.
- *   The most likely error is that the cert for "name" could not be found
- *   (probably SEC_ERROR_UNKNOWN_CERT).  Other errors are low-level (no memory,
- *   bad database, etc.).
- */
-extern SECStatus
-CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
-			     const char *url, const char *name);
-
-/*
- * FUNCTION: CERT_EnableOCSPDefaultResponder
- *   Turns on use of a default responder when OCSP checking.
- *   If OCSP checking is already enabled, this will make subsequent checks
- *   go directly to the default responder.  (The location of the responder
- *   and the nickname of the responder cert must already be specified.)
- *   If OCSP checking is not enabled, this will be recorded and take effect
- *   whenever it is enabled.
- * INPUTS:
- *   CERTCertDBHandle *handle
- *     Cert database on which OCSP checking should use the default responder.
- * RETURN:
- *   Returns SECFailure if an error occurred; SECSuccess otherwise.
- *   No errors are especially likely unless the caller did not previously
- *   perform a successful call to SetOCSPDefaultResponder (in which case
- *   the error set will be SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER).
- */
-extern SECStatus
-CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle);
-
-/*
- * FUNCTION: CERT_DisableOCSPDefaultResponder
- *   Turns off use of a default responder when OCSP checking.
- *   (Does nothing if use of a default responder is not enabled.)
- * INPUTS:
- *   CERTCertDBHandle *handle
- *     Cert database on which OCSP checking should stop using a default
- *     responder.
- * RETURN:
- *   Returns SECFailure if an error occurred; SECSuccess otherwise.
- *   Errors very unlikely (like random memory corruption...).
- */
-extern SECStatus
-CERT_DisableOCSPDefaultResponder(CERTCertDBHandle *handle);
-
-/*
- * -------------------------------------------------------
- * The Functions above are those expected to be used by a client
- * providing OCSP status checking along with every cert verification.
- * The functions below are for OCSP testing, debugging, or clients
- * or servers performing more specialized OCSP tasks.
- * -------------------------------------------------------
- */
-
-/*
- * FUNCTION: CERT_CreateOCSPRequest
- *   Creates a CERTOCSPRequest, requesting the status of the certs in 
- *   the given list.
- * INPUTS:
- *   CERTCertList *certList
- *     A list of certs for which status will be requested.
- *     Note that all of these certificates should have the same issuer,
- *     or it's expected the response will be signed by a trusted responder.
- *     If the certs need to be broken up into multiple requests, that
- *     must be handled by the caller (and thus by having multiple calls
- *     to this routine), who knows about where the request(s) are being
- *     sent and whether there are any trusted responders in place.
- *   int64 time
- *     Indicates the time for which the certificate status is to be 
- *     determined -- this may be used in the search for the cert's issuer
- *     but has no effect on the request itself.
- *   PRBool addServiceLocator
- *     If true, the Service Locator extension should be added to the
- *     single request(s) for each cert.
- *   CERTCertificate *signerCert
- *     If non-NULL, means sign the request using this cert.  Otherwise,
- *     do not sign.
- *     XXX note that request signing is not yet supported; see comment in code
- * RETURN:
- *   A pointer to a CERTOCSPRequest structure containing an OCSP request
- *   for the cert list.  On error, null is returned, with an error set
- *   indicating the reason.  This is likely SEC_ERROR_UNKNOWN_ISSUER.
- *   (The issuer is needed to create a request for the certificate.)
- *   Other errors are low-level problems (no memory, bad database, etc.).
- */
-extern CERTOCSPRequest *
-CERT_CreateOCSPRequest(CERTCertList *certList, int64 time, 
-		       PRBool addServiceLocator,
-		       CERTCertificate *signerCert);
-
-/*
- * FUNCTION: CERT_AddOCSPAcceptableResponses
- *   Add the AcceptableResponses extension to an OCSP Request.
- * INPUTS:
- *   CERTOCSPRequest *request
- *     The request to which the extension should be added.
- *   SECOidTag responseType0, ...
- *     A list (of one or more) of SECOidTag -- each of the response types
- *     to be added.  The last OID *must* be SEC_OID_PKIX_OCSP_BASIC_RESPONSE.
- *     (This marks the end of the list, and it must be specified because a
- *     client conforming to the OCSP standard is required to handle the basic
- *     response type.)  The OIDs are not checked in any way.
- * RETURN:
- *   SECSuccess if the extension is added; SECFailure if anything goes wrong.
- *   All errors are internal or low-level problems (e.g. no memory).
- */
-extern SECStatus
-CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request,
-				SECOidTag responseType0, ...);
-
-/* 
- * FUNCTION: CERT_EncodeOCSPRequest
- *   DER encodes an OCSP Request, possibly adding a signature as well.
- *   XXX Signing is not yet supported, however; see comments in code.
- * INPUTS: 
- *   PRArenaPool *arena
- *     The return value is allocated from here.
- *     If a NULL is passed in, allocation is done from the heap instead.
- *   CERTOCSPRequest *request
- *     The request to be encoded.
- *   void *pwArg
- *     Pointer to argument for password prompting, if needed.  (Definitely
- *     not needed if not signing.)
- * RETURN:
- *   Returns a NULL on error and a pointer to the SECItem with the
- *   encoded value otherwise.  Any error is likely to be low-level
- *   (e.g. no memory).
- */
-extern SECItem *
-CERT_EncodeOCSPRequest(PRArenaPool *arena, CERTOCSPRequest *request, 
-		       void *pwArg);
-
-/*
- * FUNCTION: CERT_DecodeOCSPRequest
- *   Decode a DER encoded OCSP Request.
- * INPUTS:
- *   SECItem *src
- *     Pointer to a SECItem holding DER encoded OCSP Request.
- * RETURN:
- *   Returns a pointer to a CERTOCSPRequest containing the decoded request.
- *   On error, returns NULL.  Most likely error is trouble decoding
- *   (SEC_ERROR_OCSP_MALFORMED_REQUEST), or low-level problem (no memory).
- */
-extern CERTOCSPRequest *
-CERT_DecodeOCSPRequest(SECItem *src);
-
-/*
- * FUNCTION: CERT_DestroyOCSPRequest
- *   Frees an OCSP Request structure.
- * INPUTS:
- *   CERTOCSPRequest *request
- *     Pointer to CERTOCSPRequest to be freed.
- * RETURN:
- *   No return value; no errors.
- */
-extern void
-CERT_DestroyOCSPRequest(CERTOCSPRequest *request);
-
-/*
- * FUNCTION: CERT_DecodeOCSPResponse
- *   Decode a DER encoded OCSP Response.
- * INPUTS:
- *   SECItem *src
- *     Pointer to a SECItem holding DER encoded OCSP Response.
- * RETURN:
- *   Returns a pointer to a CERTOCSPResponse (the decoded OCSP Response);
- *   the caller is responsible for destroying it.  Or NULL if error (either
- *   response could not be decoded (SEC_ERROR_OCSP_MALFORMED_RESPONSE),
- *   it was of an unexpected type (SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE),
- *   or a low-level or internal error occurred).
- */
-extern CERTOCSPResponse *
-CERT_DecodeOCSPResponse(SECItem *src);
-
-/*
- * FUNCTION: CERT_DestroyOCSPResponse
- *   Frees an OCSP Response structure.
- * INPUTS:
- *   CERTOCSPResponse *request
- *     Pointer to CERTOCSPResponse to be freed.
- * RETURN:
- *   No return value; no errors.
- */
-extern void
-CERT_DestroyOCSPResponse(CERTOCSPResponse *response);
-
-/*
- * FUNCTION: CERT_GetEncodedOCSPResponse
- *   Creates and sends a request to an OCSP responder, then reads and
- *   returns the (encoded) response.
- * INPUTS:
- *   PRArenaPool *arena
- *     Pointer to arena from which return value will be allocated.
- *     If NULL, result will be allocated from the heap (and thus should
- *     be freed via SECITEM_FreeItem).
- *   CERTCertList *certList
- *     A list of certs for which status will be requested.
- *     Note that all of these certificates should have the same issuer,
- *     or it's expected the response will be signed by a trusted responder.
- *     If the certs need to be broken up into multiple requests, that
- *     must be handled by the caller (and thus by having multiple calls
- *     to this routine), who knows about where the request(s) are being
- *     sent and whether there are any trusted responders in place.
- *   char *location
- *     The location of the OCSP responder (a URL).
- *   int64 time
- *     Indicates the time for which the certificate status is to be 
- *     determined -- this may be used in the search for the cert's issuer
- *     but has no other bearing on the operation.
- *   PRBool addServiceLocator
- *     If true, the Service Locator extension should be added to the
- *     single request(s) for each cert.
- *   CERTCertificate *signerCert
- *     If non-NULL, means sign the request using this cert.  Otherwise,
- *     do not sign.
- *   void *pwArg
- *     Pointer to argument for password prompting, if needed.  (Definitely
- *     not needed if not signing.)
- * OUTPUTS:
- *   CERTOCSPRequest **pRequest
- *     Pointer in which to store the OCSP request created for the given
- *     list of certificates.  It is only filled in if the entire operation
- *     is successful and the pointer is not null -- and in that case the
- *     caller is then reponsible for destroying it.
- * RETURN:
- *   Returns a pointer to the SECItem holding the response.
- *   On error, returns null with error set describing the reason:
- *	SEC_ERROR_UNKNOWN_ISSUER
- *	SEC_ERROR_CERT_BAD_ACCESS_LOCATION
- *	SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
- *   Other errors are low-level problems (no memory, bad database, etc.).
- */
-extern SECItem *
-CERT_GetEncodedOCSPResponse(PRArenaPool *arena, CERTCertList *certList,
-			    char *location, int64 time,
-			    PRBool addServiceLocator,
-			    CERTCertificate *signerCert, void *pwArg,
-			    CERTOCSPRequest **pRequest);
-
-/*
- * FUNCTION: CERT_VerifyOCSPResponseSignature
- *   Check the signature on an OCSP Response.  Will also perform a
- *   verification of the signer's certificate.  Note, however, that a
- *   successful verification does not make any statement about the
- *   signer's *authority* to provide status for the certificate(s),
- *   that must be checked individually for each certificate.
- * INPUTS:
- *   CERTOCSPResponse *response
- *     Pointer to response structure with signature to be checked.
- *   CERTCertDBHandle *handle
- *     Pointer to CERTCertDBHandle for certificate DB to use for verification.
- *   void *pwArg
- *     Pointer to argument for password prompting, if needed.
- *   CERTCertificate *issuerCert
- *     Issuer of the certificate that generated the OCSP request.
- * OUTPUTS:
- *   CERTCertificate **pSignerCert
- *     Pointer in which to store signer's certificate; only filled-in if
- *     non-null.
- * RETURN:
- *   Returns SECSuccess when signature is valid, anything else means invalid.
- *   Possible errors set:
- *	SEC_ERROR_OCSP_MALFORMED_RESPONSE - unknown type of ResponderID
- *	SEC_ERROR_INVALID_TIME - bad format of "ProducedAt" time
- *	SEC_ERROR_UNKNOWN_SIGNER - signer's cert could not be found
- *	SEC_ERROR_BAD_SIGNATURE - the signature did not verify
- *   Other errors are any of the many possible failures in cert verification
- *   (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
- *   verifying the signer's cert, or low-level problems (no memory, etc.)
- */
-extern SECStatus
-CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,	
-				 CERTCertDBHandle *handle, void *pwArg,
-				 CERTCertificate **pSignerCert,
-				 CERTCertificate *issuerCert);
-
-/*
- * FUNCTION: CERT_GetOCSPAuthorityInfoAccessLocation
- *   Get the value of the URI of the OCSP responder for the given cert.
- *   This is found in the (optional) Authority Information Access extension
- *   in the cert.
- * INPUTS:
- *   CERTCertificate *cert
- *     The certificate being examined.
- * RETURN:
- *   char *
- *     A copy of the URI for the OCSP method, if found.  If either the
- *     extension is not present or it does not contain an entry for OCSP,
- *     SEC_ERROR_EXTENSION_NOT_FOUND will be set and a NULL returned.
- *     Any other error will also result in a NULL being returned.
- *     
- *     This result should be freed (via PORT_Free) when no longer in use.
- */
-extern char *
-CERT_GetOCSPAuthorityInfoAccessLocation(CERTCertificate *cert);
-
-/*
- * FUNCTION: CERT_CheckOCSPStatus
- *   Checks the status of a certificate via OCSP.  Will only check status for
- *   a certificate that has an AIA (Authority Information Access) extension
- *   for OCSP *or* when a "default responder" is specified and enabled.
- *   (If no AIA extension for OCSP and no default responder in place, the
- *   cert is considered to have a good status and SECSuccess is returned.)
- * INPUTS:
- *   CERTCertDBHandle *handle
- *     certificate DB of the cert that is being checked
- *   CERTCertificate *cert
- *     the certificate being checked
- *   XXX in the long term also need a boolean parameter that specifies
- *	whether to check the cert chain, as well; for now we check only
- *	the leaf (the specified certificate)
- *   int64 time
- *     time for which status is to be determined
- *   void *pwArg
- *     argument for password prompting, if needed
- * RETURN:
- *   Returns SECSuccess if an approved OCSP responder "knows" the cert
- *   *and* returns a non-revoked status for it; SECFailure otherwise,
- *   with an error set describing the reason:
- *
- *	SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
- *	SEC_ERROR_OCSP_FUTURE_RESPONSE
- *	SEC_ERROR_OCSP_MALFORMED_REQUEST
- *	SEC_ERROR_OCSP_MALFORMED_RESPONSE
- *	SEC_ERROR_OCSP_OLD_RESPONSE
- *	SEC_ERROR_OCSP_REQUEST_NEEDS_SIG
- *	SEC_ERROR_OCSP_SERVER_ERROR
- *	SEC_ERROR_OCSP_TRY_SERVER_LATER
- *	SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST
- *	SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
- *	SEC_ERROR_OCSP_UNKNOWN_CERT
- *	SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS
- *	SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE
- *
- *	SEC_ERROR_BAD_SIGNATURE
- *	SEC_ERROR_CERT_BAD_ACCESS_LOCATION
- *	SEC_ERROR_INVALID_TIME
- *	SEC_ERROR_REVOKED_CERTIFICATE
- *	SEC_ERROR_UNKNOWN_ISSUER
- *	SEC_ERROR_UNKNOWN_SIGNER
- *
- *   Other errors are any of the many possible failures in cert verification
- *   (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
- *   verifying the signer's cert, or low-level problems (error allocating
- *   memory, error performing ASN.1 decoding, etc.).
- */    
-extern SECStatus 
-CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
-		     int64 time, void *pwArg);
-/*
- * FUNCTION: CERT_GetOCSPStatusForCertID
- *  Returns the OCSP status contained in the passed in paramter response
- *  that corresponds to the certID passed in.
- * INPUTS:
- *  CERTCertDBHandle *handle
- *    certificate DB of the cert that is being checked
- *  CERTOCSPResponse *response
- *    the OCSP response we want to retrieve status from.
- *  CERTOCSPCertID *certID
- *    the ID we want to look for from the response.
- *  CERTCertificate *signerCert
- *    the certificate that was used to sign the OCSP response.
- *    must be obtained via a call to CERT_VerifyOCSPResponseSignature.
- *  int64 time
- *    The time at which we're checking the status for.
- *  RETURN:
- *    Return values are the same as those for CERT_CheckOCSPStatus
- */
-extern SECStatus
-CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle, 
-			    CERTOCSPResponse *response,
-			    CERTOCSPCertID   *certID,
-			    CERTCertificate  *signerCert,
-                            int64             time);
-
-/*
- * FUNCTION CERT_GetOCSPResponseStatus
- *   Returns the response status for the response passed.
- * INPUTS:
- *   CERTOCSPResponse *response
- *     The response to query for status
- *  RETURN:
- *    Returns SECSuccess if the response has a successful status value.
- *    Otherwise it returns SECFailure and sets one of the following error
- *    codes via PORT_SetError
- *        SEC_ERROR_OCSP_MALFORMED_REQUEST
- *        SEC_ERROR_OCSP_SERVER_ERROR
- *        SEC_ERROR_OCSP_TRY_SERVER_LATER
- *        SEC_ERROR_OCSP_REQUEST_NEEDS_SIG
- *        SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST
- *        SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS
- */
-extern SECStatus
-CERT_GetOCSPResponseStatus(CERTOCSPResponse *response);
-
-/*
- * FUNCTION CERT_CreateOCSPCertID
- *  Returns the OCSP certID for the certificate passed in.
- * INPUTS:
- *  CERTCertificate *cert
- *    The certificate for which to create the certID for.
- *  int64 time
- *    The time at which the id is requested for.  This is used
- *    to determine the appropriate issuer for the cert since
- *    the issuing CA may be an older expired certificate.
- *  RETURN:
- *    A new copy of a CERTOCSPCertID*.  The memory for this certID
- *    should be freed by calling CERT_DestroyOCSPCertID when the 
- *    certID is no longer necessary.
- */
-extern CERTOCSPCertID*
-CERT_CreateOCSPCertID(CERTCertificate *cert, int64 time);
-
-/*
- * FUNCTION: CERT_DestroyOCSPCertID
- *  Frees the memory associated with the certID passed in.
- * INPUTS:
- *  CERTOCSPCertID* certID
- *    The certID that the caller no longer needs and wants to 
- *    free the associated memory.
- * RETURN:
- *  SECSuccess if freeing the memory was successful.  Returns
- *  SECFailure if the memory passed in was not allocated with
- *  a call to CERT_CreateOCSPCertID.
- */
-extern SECStatus
-CERT_DestroyOCSPCertID(CERTOCSPCertID* certID);
-/************************************************************************/
-SEC_END_PROTOS
-
-#endif /* _OCSP_H_ */
diff --git a/security/nss/lib/certhigh/ocspt.h b/security/nss/lib/certhigh/ocspt.h
deleted file mode 100644
index 5171d9cdb..000000000
--- a/security/nss/lib/certhigh/ocspt.h
+++ /dev/null
@@ -1,62 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Public header for exported OCSP types.
- *
- * $Id$
- */
-
-#ifndef _OCSPT_H_
-#define _OCSPT_H_
-
-/*
- * The following are all opaque types.  If someone needs to get at
- * a field within, then we need to fix the API.  Try very hard not
- * make the type available to them.
- */
-typedef struct CERTOCSPRequestStr CERTOCSPRequest;
-typedef struct CERTOCSPResponseStr CERTOCSPResponse;
-
-/*
- * XXX I think only those first two above should need to be exported,
- * but until I know for certain I am leaving the rest of these here, too.
- */
-typedef struct CERTOCSPCertIDStr CERTOCSPCertID;
-typedef struct CERTOCSPCertStatusStr CERTOCSPCertStatus;
-typedef struct CERTOCSPSingleResponseStr CERTOCSPSingleResponse;
-
-#endif /* _OCSPT_H_ */
diff --git a/security/nss/lib/certhigh/ocspti.h b/security/nss/lib/certhigh/ocspti.h
deleted file mode 100644
index 7148c140a..000000000
--- a/security/nss/lib/certhigh/ocspti.h
+++ /dev/null
@@ -1,408 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Private header defining OCSP types.
- *
- * $Id$
- */
-
-#ifndef _OCSPTI_H_
-#define _OCSPTI_H_
-
-#include "ocspt.h"
-
-#include "certt.h"
-#include "plarena.h"
-#include "seccomon.h"
-#include "secoidt.h"
-
-
-/*
- * Some notes about naming conventions...
- *
- * The public data types all start with "CERTOCSP" (e.g. CERTOCSPRequest).
- * (Even the public types are opaque, however.  Only their names are
- * "exported".)
- *
- * Internal-only data types drop the "CERT" prefix and use only the
- * lower-case "ocsp" (e.g. ocspTBSRequest), for brevity sake.
- *
- * In either case, the base/suffix of the type name usually matches the
- * name as defined in the OCSP specification.  The exceptions to this are:
- *  - When there is overlap between the "OCSP" or "ocsp" prefix and
- *    the name used in the standard.  That is, you cannot strip off the
- *    "CERTOCSP" or "ocsp" prefix and necessarily get the name of the
- *    type as it is defined in the standard; the "real" name will be
- *    *either* "OCSPSuffix" or just "Suffix".
- *  - When the name in the standard was a little too generic.  (e.g. The
- *    standard defines "Request" but we call it a "SingleRequest".)
- *    In this case a comment above the type definition calls attention
- *    to the difference.
- *
- * The definitions laid out in this header file are intended to follow
- * the same order as the definitions in the OCSP specification itself.
- * With the OCSP standard in hand, you should be able to move through
- * this file and follow along.  To future modifiers of this file: please
- * try to keep it that way.  The only exceptions are the few cases where
- * we need to define a type before it is referenced (e.g. enumerations),
- * whereas in the OCSP specification these are usually defined the other
- * way around (reference before definition).
- */
-
-
-/*
- * Forward-declarations of internal-only data structures.
- *
- * These are in alphabetical order (case-insensitive); please keep it that way!
- */
-typedef struct ocspBasicOCSPResponseStr ocspBasicOCSPResponse;
-typedef struct ocspCertStatusStr ocspCertStatus;
-typedef struct ocspResponderIDStr ocspResponderID;
-typedef struct ocspResponseBytesStr ocspResponseBytes;
-typedef struct ocspResponseDataStr ocspResponseData;
-typedef struct ocspRevokedInfoStr ocspRevokedInfo;
-typedef struct ocspServiceLocatorStr ocspServiceLocator;
-typedef struct ocspSignatureStr ocspSignature;
-typedef struct ocspSingleRequestStr ocspSingleRequest;
-typedef struct ocspSingleResponseStr ocspSingleResponse;
-typedef struct ocspTBSRequestStr ocspTBSRequest;
-
-
-/*
- * An OCSPRequest; this is what is sent (encoded) to an OCSP responder.
- */
-struct CERTOCSPRequestStr {
-    PRArenaPool *arena;			/* local; not part of encoding */
-    ocspTBSRequest *tbsRequest;
-    ocspSignature *optionalSignature;
-};
-
-/*
- * A TBSRequest; when an OCSPRequest is signed, the encoding of this
- * is what the signature is actually applied to.  ("TBS" == To Be Signed)
- * Whether signed or not, however, this structure will be present, and
- * is the "meat" of the OCSPRequest.
- *
- * Note that the "requestorName" field cannot be encoded/decoded in the
- * same pass as the entire request -- it needs to be handled with a special
- * call to convert to/from our internal form of a GeneralName.  Thus the
- * "derRequestorName" field, which is the actual DER-encoded bytes.
- *
- * The "extensionHandle" field is used on creation only; it holds
- * in-progress extensions as they are optionally added to the request.
- */
-struct ocspTBSRequestStr {
-    SECItem version;			/* an INTEGER */
-    SECItem *derRequestorName;		/* encoded GeneralName; see above */
-    CERTGeneralNameList *requestorName;	/* local; not part of encoding */
-    ocspSingleRequest **requestList;
-    CERTCertExtension **requestExtensions;
-    void *extensionHandle;		/* local; not part of encoding */
-};
-
-/*
- * This is the actual signature information for an OCSPRequest (applied to
- * the TBSRequest structure) or for a BasicOCSPResponse (applied to a
- * ResponseData structure).
- *
- * Note that the "signature" field itself is a BIT STRING; operations on
- * it need to keep that in mind, converting the length to bytes as needed
- * and back again afterward (so that the length is usually expressing bits).
- *
- * The "cert" field is the signer's certificate.  In the case of a received
- * signature, it will be filled in when the signature is verified.  In the
- * case of a created signature, it is filled in on creation and will be the
- * cert used to create the signature when the signing-and-encoding occurs,
- * as well as the cert (and its chain) to fill in derCerts if requested.
- *
- * The extra fields cache information about the signature after we have
- * attempted a verification.  "wasChecked", if true, means the signature
- * has been checked against the appropriate data and thus that "status"
- * contains the result of that verification.  If "status" is not SECSuccess,
- * "failureReason" is a copy of the error code that was set at the time;
- * presumably it tells why the signature verification failed.
- */
-struct ocspSignatureStr {
-    SECAlgorithmID signatureAlgorithm;
-    SECItem signature;			/* a BIT STRING */
-    SECItem **derCerts;			/* a SEQUENCE OF Certificate */
-    CERTCertificate *cert;		/* local; not part of encoding */
-    PRBool wasChecked;			/* local; not part of encoding */
-    SECStatus status;			/* local; not part of encoding */
-    int failureReason;			/* local; not part of encoding */
-};
-
-/*
- * An OCSPRequest contains a SEQUENCE OF these, one for each certificate
- * whose status is being checked.
- *
- * Note that in the OCSP specification this is just called "Request",
- * but since that seemed confusing (vs. an OCSPRequest) and to be more
- * consistent with the parallel type "SingleResponse", I called it a
- * "SingleRequest".
- * 
- * XXX figure out how to get rid of that arena -- there must be a way
- */
-struct ocspSingleRequestStr {
-    PRArenaPool *arena;			/* just a copy of the response arena,
-					 * needed here for extension handling
-					 * routines, on creation only */
-    CERTOCSPCertID *reqCert;
-    CERTCertExtension **singleRequestExtensions;
-};
-
-/*
- * A CertID is the means of identifying a certificate, used both in requests
- * and in responses.
- *
- * When in a SingleRequest it specifies the certificate to be checked.
- * When in a SingleResponse it is the cert whose status is being given.
- */
-struct CERTOCSPCertIDStr {
-    SECAlgorithmID hashAlgorithm;
-    SECItem issuerNameHash;		/* an OCTET STRING */
-    SECItem issuerKeyHash;		/* an OCTET STRING */
-    SECItem serialNumber;		/* an INTEGER */
-    SECItem issuerSHA1NameHash;		/* keep other hashes around when */
-    SECItem issuerMD5NameHash;              /* we have them */
-    SECItem issuerMD2NameHash;
-    SECItem issuerSHA1KeyHash;		/* keep other hashes around when */
-    SECItem issuerMD5KeyHash;              /* we have them */
-    SECItem issuerMD2KeyHash;
-    PRArenaPool *poolp;
-};
-
-/*
- * This describes the value of the responseStatus field in an OCSPResponse.
- * The corresponding ASN.1 definition is:
- *
- * OCSPResponseStatus	::=	ENUMERATED {
- *	successful		(0),	--Response has valid confirmations
- *	malformedRequest	(1),	--Illegal confirmation request
- *	internalError		(2),	--Internal error in issuer
- *	tryLater		(3),	--Try again later
- *					--(4) is not used
- *	sigRequired		(5),	--Must sign the request
- *	unauthorized		(6),	--Request unauthorized
- * }
- */
-typedef enum {
-    ocspResponse_successful = 0,
-    ocspResponse_malformedRequest = 1,
-    ocspResponse_internalError = 2,
-    ocspResponse_tryLater = 3,
-    ocspResponse_unused = 4,
-    ocspResponse_sigRequired = 5,
-    ocspResponse_unauthorized = 6,
-    ocspResponse_other			/* unknown/unrecognized value */
-} ocspResponseStatus;
-
-/*
- * An OCSPResponse is what is sent (encoded) by an OCSP responder.
- *
- * The field "responseStatus" is the ASN.1 encoded value; the field
- * "statusValue" is simply that same value translated into our local
- * type ocspResponseStatus.
- */
-struct CERTOCSPResponseStr {
-    PRArenaPool *arena;			/* local; not part of encoding */
-    SECItem responseStatus;		/* an ENUMERATED, see above */
-    ocspResponseStatus statusValue;	/* local; not part of encoding */
-    ocspResponseBytes *responseBytes;	/* only when status is successful */
-};
-
-/*
- * A ResponseBytes (despite appearances) is what contains the meat
- * of a successful response -- but still in encoded form.  The type
- * given as "responseType" tells you how to decode the string.
- *
- * We look at the OID and translate it into our local OID representation
- * "responseTypeTag", and use that value to tell us how to decode the
- * actual response itself.  For now the only kind of OCSP response we
- * know about is a BasicOCSPResponse.  However, the intention in the
- * OCSP specification is to allow for other response types, so we are
- * building in that flexibility from the start and thus put a pointer
- * to that data structure inside of a union.  Whenever OCSP adds more
- * response types, just add them to the union.
- */
-struct ocspResponseBytesStr {
-    SECItem responseType;		/* an OBJECT IDENTIFIER */
-    SECOidTag responseTypeTag;		/* local; not part of encoding */
-    SECItem response;			/* an OCTET STRING */
-    union {
-	ocspBasicOCSPResponse *basic;	/* when type is id-pkix-ocsp-basic */
-    } decodedResponse;			/* local; not part of encoding */
-};
-
-/*
- * A BasicOCSPResponse -- when the responseType in a ResponseBytes is
- * id-pkix-ocsp-basic, the "response" OCTET STRING above is the DER
- * encoding of one of these.
- *
- * Note that in the OCSP specification, the signature fields are not
- * part of a separate sub-structure.  But since they are the same fields
- * as we define for the signature in a request, it made sense to share
- * the C data structure here and in some shared code to operate on them.
- */
-struct ocspBasicOCSPResponseStr {
-    ocspResponseData *tbsResponseData;	/* "tbs" == To Be Signed */
-    ocspSignature responseSignature;
-};
-
-/*
- * A ResponseData is the part of a BasicOCSPResponse that is signed
- * (after it is DER encoded).  It contains the real details of the response
- * (a per-certificate status).
- */
-struct ocspResponseDataStr {
-    SECItem version;			/* an INTEGER */
-    SECItem derResponderID;
-    ocspResponderID *responderID;	/* local; not part of encoding */
-    SECItem producedAt;			/* a GeneralizedTime */
-    CERTOCSPSingleResponse **responses;
-    CERTCertExtension **responseExtensions;
-};
-
-/*
- * A ResponderID identifies the responder -- or more correctly, the
- * signer of the response.  The ASN.1 definition of a ResponderID is:
- *
- * ResponderID	::=	CHOICE {
- *	byName			[1] EXPLICIT Name,
- *	byKey			[2] EXPLICIT KeyHash }
- *
- * Because it is CHOICE, the type of identification used and the
- * identification itself are actually encoded together.  To represent
- * this same information internally, we explicitly define a type and
- * save it, along with the value, into a data structure.
- */
-
-typedef enum {
-    ocspResponderID_byName,
-    ocspResponderID_byKey,
-    ocspResponderID_other		/* unknown kind of responderID */
-} ocspResponderIDType;
-
-struct ocspResponderIDStr {
-    ocspResponderIDType responderIDType;/* local; not part of encoding */
-    union {
-	CERTName name;			/* when ocspResponderID_byName */
-	SECItem keyHash;		/* when ocspResponderID_byKey */
-	SECItem other;			/* when ocspResponderID_other */
-    } responderIDValue;
-};
-
-/*
- * The ResponseData in a BasicOCSPResponse contains a SEQUENCE OF
- * SingleResponse -- one for each certificate whose status is being supplied.
- * 
- * XXX figure out how to get rid of that arena -- there must be a way
- */
-struct CERTOCSPSingleResponseStr {
-    PRArenaPool *arena;			/* just a copy of the response arena,
-					 * needed here for extension handling
-					 * routines, on creation only */
-    CERTOCSPCertID *certID;
-    SECItem derCertStatus;
-    ocspCertStatus *certStatus;		/* local; not part of encoding */
-    SECItem thisUpdate;			/* a GeneralizedTime */
-    SECItem *nextUpdate;		/* a GeneralizedTime */
-    CERTCertExtension **singleExtensions;
-};
-
-/*
- * A CertStatus is the actual per-certificate status.  Its ASN.1 definition:
- *
- * CertStatus	::=	CHOICE {
- *	good			[0] IMPLICIT NULL,
- *	revoked			[1] IMPLICIT RevokedInfo,
- *	unknown			[2] IMPLICIT UnknownInfo }
- *
- * (where for now UnknownInfo is defined to be NULL but in the
- * future may be replaced with an enumeration).
- *
- * Because it is CHOICE, the status value and its associated information
- * (if any) are actually encoded together.  To represent this same
- * information internally, we explicitly define a type and save it,
- * along with the value, into a data structure.
- */
-
-typedef enum {
-    ocspCertStatus_good,		/* cert is not revoked */
-    ocspCertStatus_revoked,		/* cert is revoked */
-    ocspCertStatus_unknown,		/* cert was unknown to the responder */
-    ocspCertStatus_other		/* status was not an expected value */
-} ocspCertStatusType;
-
-/*
- * This is the actual per-certificate status.
- *
- * The "goodInfo" and "unknownInfo" items are only place-holders for a NULL.
- * (Though someday OCSP may replace UnknownInfo with an enumeration that
- * gives more detailed information.)
- */
-struct ocspCertStatusStr {
-    ocspCertStatusType certStatusType;	/* local; not part of encoding */
-    union {
-	SECItem *goodInfo;		/* when ocspCertStatus_good */
-	ocspRevokedInfo *revokedInfo;	/* when ocspCertStatus_revoked */
-	SECItem *unknownInfo;		/* when ocspCertStatus_unknown */
-	SECItem *otherInfo;		/* when ocspCertStatus_other */
-    } certStatusInfo; 
-};
-
-/*
- * A RevokedInfo gives information about a revoked certificate -- when it
- * was revoked and why.
- */
-struct ocspRevokedInfoStr {
-    SECItem revocationTime;		/* a GeneralizedTime */
-    SECItem *revocationReason;		/* a CRLReason; ignored for now */
-};
-
-/*
- * ServiceLocator can be included as one of the singleRequestExtensions.
- * When added, it specifies the (name of the) issuer of the cert being
- * checked, and optionally the value of the AuthorityInfoAccess extension
- * if the cert has one.
- */
-struct ocspServiceLocatorStr {
-    CERTName *issuer;
-    SECItem locator;	/* DER encoded authInfoAccess extension from cert */
-};
-
-#endif /* _OCSPTI_H_ */
diff --git a/security/nss/lib/certhigh/xcrldist.c b/security/nss/lib/certhigh/xcrldist.c
deleted file mode 100644
index 07b226856..000000000
--- a/security/nss/lib/certhigh/xcrldist.c
+++ /dev/null
@@ -1,233 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Code for dealing with x.509 v3 CRL Distribution Point extension.
- */
-#include "genname.h"
-#include "certt.h"
-#include "secerr.h"
-
-extern void PrepareBitStringForEncoding (SECItem *bitMap, SECItem *value);
-
-static const SEC_ASN1Template FullNameTemplate[] = {
-    {SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 0,
-	offsetof (CRLDistributionPoint,derFullName), CERT_GeneralNamesTemplate}
-};
-
-static const SEC_ASN1Template RelativeNameTemplate[] = {
-    {SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 1, 
-	offsetof (CRLDistributionPoint,distPoint.relativeName), CERT_RDNTemplate}
-};
-	 
-static const SEC_ASN1Template CRLDistributionPointTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRLDistributionPoint) },
-	{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC |
-	    SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 0,
-	    offsetof(CRLDistributionPoint,derDistPoint), SEC_AnyTemplate},
-	{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 1,
-	    offsetof(CRLDistributionPoint,bitsmap), SEC_BitStringTemplate},
-	{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC |
-	    SEC_ASN1_CONSTRUCTED | 2,
-	    offsetof(CRLDistributionPoint, derCrlIssuer), CERT_GeneralNamesTemplate},
-    { 0 }
-};
-
-const SEC_ASN1Template CERTCRLDistributionPointsTemplate[] = {
-    {SEC_ASN1_SEQUENCE_OF, 0, CRLDistributionPointTemplate}
-};
-
-SECStatus
-CERT_EncodeCRLDistributionPoints (PRArenaPool *arena, CERTCrlDistributionPoints *value,
-				  SECItem *derValue)
-{
-    CRLDistributionPoint **pointList, *point;
-    PRArenaPool *ourPool = NULL;
-    SECStatus rv = SECSuccess;
-
-    PORT_Assert (derValue);
-    PORT_Assert (value && value->distPoints);
-
-    do {
-	ourPool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
-	if (ourPool == NULL) {
-	    rv = SECFailure;
-	    break;
-	}    
-	
-	pointList = value->distPoints;
-	while (*pointList) {
-	    point = *pointList;
-	    point->derFullName = NULL;
-	    point->derDistPoint.data = NULL;
-
-	    if (point->distPointType == generalName) {
-		point->derFullName = cert_EncodeGeneralNames
-		    (ourPool, point->distPoint.fullName);
-		
-		if (point->derFullName) {
-		    rv = (SEC_ASN1EncodeItem (ourPool, &point->derDistPoint,
-			  point, FullNameTemplate) == NULL) ? SECFailure : SECSuccess;
-		} else {
-		    rv = SECFailure;
-		}
-	    }
-	    else if (point->distPointType == relativeDistinguishedName) {
-		if (SEC_ASN1EncodeItem
-		     (ourPool, &point->derDistPoint, 
-		      point, RelativeNameTemplate) == NULL) 
-		    rv = SECFailure;
-	    }
-	    /* distributionPointName is omitted */
-	    else if (point->distPointType != 0) {
-		PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
-		rv = SECFailure;
-	    }
-	    if (rv != SECSuccess)
-		break;
-
-	    if (point->reasons.data)
-		PrepareBitStringForEncoding (&point->bitsmap, &point->reasons);
-
-	    if (point->crlIssuer) {
-		point->derCrlIssuer = cert_EncodeGeneralNames
-		    (ourPool, point->crlIssuer);
-		if (!point->crlIssuer)
-		    break;
-	    }
-	    
-	    ++pointList;
-	}
-	if (rv != SECSuccess)
-	    break;
-	if (SEC_ASN1EncodeItem
-	     (arena, derValue, value, CERTCRLDistributionPointsTemplate) == NULL) {
-	    rv = SECFailure;
-	    break;
-	}
-    } while (0);
-    PORT_FreeArena (ourPool, PR_FALSE);
-    return (rv);
-}
-
-CERTCrlDistributionPoints *
-CERT_DecodeCRLDistributionPoints (PRArenaPool *arena, SECItem *encodedValue)
-{
-   CERTCrlDistributionPoints *value = NULL;    
-   CRLDistributionPoint **pointList, *point;    
-   SECStatus rv;
-   SECItem newEncodedValue;
-
-   PORT_Assert (arena);
-   do {
-	value = (CERTCrlDistributionPoints*)PORT_ArenaZAlloc (arena, sizeof (*value));
-	if (value == NULL) {
-	    rv = SECFailure;
-	    break;
-	}
-
-        /* copy the DER into the arena, since Quick DER returns data that points
-           into the DER input, which may get freed by the caller */
-        rv = SECITEM_CopyItem(arena, &newEncodedValue, encodedValue);
-        if ( rv != SECSuccess ) {
-	    break;
-        }
-
-	rv = SEC_QuickDERDecodeItem
-	     (arena, &value->distPoints, CERTCRLDistributionPointsTemplate,
-	      &newEncodedValue);
-	if (rv != SECSuccess)
-	    break;
-
-	pointList = value->distPoints;
-	while (*pointList) {
-	    point = *pointList;
-
-	    /* get the data if the distributionPointName is not omitted */
-	    if (point->derDistPoint.data != NULL) {
-		point->distPointType = (DistributionPointTypes)
-					((point->derDistPoint.data[0] & 0x1f) +1);
-		if (point->distPointType == generalName) {
-		    SECItem innerDER;
-		
-		    innerDER.data = NULL;
-		    rv = SEC_QuickDERDecodeItem
-			 (arena, point, FullNameTemplate, &(point->derDistPoint));
-		    if (rv != SECSuccess)
-			break;
-		    point->distPoint.fullName = cert_DecodeGeneralNames
-			(arena, point->derFullName);
-
-		    if (!point->distPoint.fullName)
-			break;
-		}
-		else if ( relativeDistinguishedName) {
-		    rv = SEC_QuickDERDecodeItem
-			 (arena, point, RelativeNameTemplate, &(point->derDistPoint));
-		    if (rv != SECSuccess)
-			break;
-		}
-		else {
-		    PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
-		    break;
-		}
-	    }
-
-	    /* Get the reason code if it's not omitted in the encoding */
-	    if (point->bitsmap.data != NULL) {
-		point->reasons.data = (unsigned char*) PORT_ArenaAlloc
-				      (arena, (point->bitsmap.len + 7) >> 3);
-		if (!point->reasons.data) {
-		    rv = SECFailure;
-		    break;
-		}
-		PORT_Memcpy (point->reasons.data, point->bitsmap.data,
-			     point->reasons.len = ((point->bitsmap.len + 7) >> 3));
-	    }
-
-	    /* Get the crl issuer name if it's not omitted in the encoding */
-	    if (point->derCrlIssuer != NULL) {
-		point->crlIssuer = cert_DecodeGeneralNames
-		    (arena, point->derCrlIssuer);
-
-		if (!point->crlIssuer)
-		    break;
-	    }
-	    ++pointList;
-	}
-   } while (0);
-   return (rv == SECSuccess ? value : NULL);
-}
diff --git a/security/nss/lib/ckfw/Makefile b/security/nss/lib/ckfw/Makefile
deleted file mode 100644
index 126256ab4..000000000
--- a/security/nss/lib/ckfw/Makefile
+++ /dev/null
@@ -1,58 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
-
-include manifest.mn
-include $(CORE_DEPTH)/coreconf/config.mk
-include config.mk
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-# This'll need some help from a build person.
-
-# The generated files are checked in, and differ from what ckapi.perl
-# will produce.  ckapi.perl is currently newer than the targets, so
-# these rules are invoked, causing the wrong files to be generated.
-# Turning off to fix builds.
-#
-# nssckepv.h: ck.api ckapi.perl
-# nssckft.h: ck.api ckapi.perl
-# nssckg.h: ck.api ckapi.perl
-# nssck.api: ck.api ckapi.perl
-# 	perl ckapi.perl ck.api
-
-export:: private_export
-
diff --git a/security/nss/lib/ckfw/builtins/Makefile b/security/nss/lib/ckfw/builtins/Makefile
deleted file mode 100644
index d1410119c..000000000
--- a/security/nss/lib/ckfw/builtins/Makefile
+++ /dev/null
@@ -1,102 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
-
-include manifest.mn
-include $(CORE_DEPTH)/coreconf/config.mk
-include config.mk
-
-EXTRA_LIBS = \
-	$(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
-	$(NULL)
-
-# can't do this in manifest.mn because OS_TARGET isn't defined there.
-ifeq (,$(filter-out WIN%,$(OS_TARGET)))
-
-ifdef NS_USE_GCC
-EXTRA_LIBS += \
-	-L$(NSPR_LIB_DIR) \
-	-lplc4 \
-	-lplds4 \
-	-lnspr4 \
-	$(NULL)
-else 
-EXTRA_SHARED_LIBS += \
-        $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
-        $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
-        $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
-        $(NULL)
-endif # NS_USE_GCC
-else
-
-EXTRA_LIBS += \
-	-L$(NSPR_LIB_DIR) \
-	-lplc4 \
-	-lplds4 \
-	-lnspr4 \
-	$(NULL)
-endif
-
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-# Generate certdata.c.
-generate:
-	perl certdata.perl < certdata.txt
-
-# This'll need some help from a build person.
-
-
-ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.1)
-DSO_LDOPTS              = -bM:SRE -bh:4 -bnoentry
-EXTRA_DSO_LDOPTS        = -lc
-MKSHLIB                 = xlC $(DSO_LDOPTS)
-
-$(SHARED_LIBRARY): $(OBJS)
-	@$(MAKE_OBJDIR)
-	rm -f $@
-	$(MKSHLIB) -o $@ $(OBJS) $(EXTRA_LIBS) $(EXTRA_DSO_LDOPTS)
-	chmod +x $@
-
-endif
-
-ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.2)
-LD      += -G
-endif 
-
-
diff --git a/security/nss/lib/ckfw/builtins/README b/security/nss/lib/ckfw/builtins/README
deleted file mode 100644
index 9b110e61d..000000000
--- a/security/nss/lib/ckfw/builtins/README
+++ /dev/null
@@ -1,48 +0,0 @@
-This README file explains how to add a builtin root CA certificate to NSS
-or remove a builtin root CA certificate from NSS.
-
-The builtin root CA certificates in NSS are stored in the nssckbi PKCS #11
-module. The sources to the nssckbi module are in this directory.
-
-I. Adding a Builtin Root CA Certificate
-
-You need to use the addbuiltin command-line tool to add a root CA certificate
-to the nssckbi module. In the procedure described below, we assume that the
-new root CA certificate is distributed in DER format in the file newroot.der.
-
-1. Add the directory where the addbuiltin executable resides to your PATH
-environment variable. Then, add the directory where the NSPR and NSS shared
-libraries (DLLs) reside to the platform-specific environment variable that
-specifies your shared library search path: LD_LIBRARY_PATH (most Unix
-variants), SHLIB_PATH (32-bit HP-UX), LIBPATH (AIX), or PATH (Windows).
-
-2. Copy newroot.der to this directory.
-
-3. In this directory, run addbuiltin to add the new root certificate. The
-argument to the -n option should be replaced by the nickname of the root
-certificate. Then run "gmake generate".
-
-    % addbuiltin -n "Nickname of the Root Certificate" -t C,C,C < newroot.der >> certdata.txt
-    % gmake generate
-
-4. Edit nssckbi.h to bump the version of the module.
-
-5. Run gmake in this directory to build the nssckbi module.
-
-6. After you verify that the new nssckbi module is correct, check in
-certdata.txt, certdata.c, and nssckbi.h.
-
-II. Removing a Builtin Root CA Certificate
-
-1. Change directory to this directory.
-
-2. Edit certdata.txt and remove the root CA certificate.
-
-3. Run "gmake generate".
-
-4. Edit nssckbi.h to bump the version of the module.
-
-5. Run gmake in this directory to build the nssckbi module.
-
-6. After you verify that the new nssckbi module is correct, check in
-certdata.txt, certdata.c, and nssckbi.h.
diff --git a/security/nss/lib/ckfw/builtins/anchor.c b/security/nss/lib/ckfw/builtins/anchor.c
deleted file mode 100644
index fc294f8f7..000000000
--- a/security/nss/lib/ckfw/builtins/anchor.c
+++ /dev/null
@@ -1,53 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * builtins/anchor.c
- *
- * This file "anchors" the actual cryptoki entry points in this module's
- * shared library, which is required for dynamic loading.  See the 
- * comments in nssck.api for more information.
- */
-
-#include "builtins.h"
-
-#define MODULE_NAME builtins
-#define INSTANCE_NAME (NSSCKMDInstance *)&nss_builtins_mdInstance
-#include "nssck.api"
diff --git a/security/nss/lib/ckfw/builtins/bfind.c b/security/nss/lib/ckfw/builtins/bfind.c
deleted file mode 100644
index 90ddb2e70..000000000
--- a/security/nss/lib/ckfw/builtins/bfind.c
+++ /dev/null
@@ -1,286 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#ifndef BUILTINS_H
-#include "builtins.h"
-#endif /* BUILTINS_H */
-
-/*
- * builtins/find.c
- *
- * This file implements the NSSCKMDFindObjects object for the
- * "builtin objects" cryptoki module.
- */
-
-struct builtinsFOStr {
-  NSSArena *arena;
-  CK_ULONG n;
-  CK_ULONG i;
-  builtinsInternalObject **objs;
-};
-
-static void
-builtins_mdFindObjects_Final
-(
-  NSSCKMDFindObjects *mdFindObjects,
-  NSSCKFWFindObjects *fwFindObjects,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  struct builtinsFOStr *fo = (struct builtinsFOStr *)mdFindObjects->etc;
-  NSSArena *arena = fo->arena;
-
-  nss_ZFreeIf(fo->objs);
-  nss_ZFreeIf(fo);
-  nss_ZFreeIf(mdFindObjects);
-  if ((NSSArena *)NULL != arena) {
-    NSSArena_Destroy(arena);
-  }
-
-  return;
-}
-
-static NSSCKMDObject *
-builtins_mdFindObjects_Next
-(
-  NSSCKMDFindObjects *mdFindObjects,
-  NSSCKFWFindObjects *fwFindObjects,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  NSSArena *arena,
-  CK_RV *pError
-)
-{
-  struct builtinsFOStr *fo = (struct builtinsFOStr *)mdFindObjects->etc;
-  builtinsInternalObject *io;
-
-  if( fo->i == fo->n ) {
-    *pError = CKR_OK;
-    return (NSSCKMDObject *)NULL;
-  }
-
-  io = fo->objs[ fo->i ];
-  fo->i++;
-
-  return nss_builtins_CreateMDObject(arena, io, pError);
-}
-
-static int
-builtins_derUnwrapInt(unsigned char *src, int size, unsigned char **dest) {
-    unsigned char *start = src;
-    int len = 0;
-
-    if (*src ++ != 2) {
-	return 0;
-    }
-    len = *src++;
-    if (len & 0x80) {
-	int count = len & 0x7f;
-	len =0;
-
-	if (count+2 > size) {
-	    return 0;
-	}
-	while (count-- > 0) {
-	    len = (len << 8) | *src++;
-	}
-    }
-    if (len + (src-start) != size) {
-	return 0;
-    }
-    *dest = src;
-    return len;
-}
-
-static CK_BBOOL
-builtins_attrmatch
-(
-  CK_ATTRIBUTE_PTR a,
-  const NSSItem *b
-)
-{
-  PRBool prb;
-
-  if( a->ulValueLen != b->size ) {
-    /* match a decoded serial number */
-    if ((a->type == CKA_SERIAL_NUMBER) && (a->ulValueLen < b->size)) {
-	int len;
-	unsigned char *data;
-
-	len = builtins_derUnwrapInt(b->data,b->size,&data);
-	if ((len == a->ulValueLen) && 
-		nsslibc_memequal(a->pValue, data, len, (PRStatus *)NULL)) {
-	    return CK_TRUE;
-	}
-    }
-    return CK_FALSE;
-  }
-
-  prb = nsslibc_memequal(a->pValue, b->data, b->size, (PRStatus *)NULL);
-
-  if( PR_TRUE == prb ) {
-    return CK_TRUE;
-  } else {
-    return CK_FALSE;
-  }
-}
-
-
-static CK_BBOOL
-builtins_match
-(
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  builtinsInternalObject *o
-)
-{
-  CK_ULONG i;
-
-  for( i = 0; i < ulAttributeCount; i++ ) {
-    CK_ULONG j;
-
-    for( j = 0; j < o->n; j++ ) {
-      if( o->types[j] == pTemplate[i].type ) {
-        if( CK_FALSE == builtins_attrmatch(&pTemplate[i], &o->items[j]) ) {
-          return CK_FALSE;
-        } else {
-          break;
-        }
-      }
-    }
-
-    if( j == o->n ) {
-      /* Loop ran to the end: no matching attribute */
-      return CK_FALSE;
-    }
-  }
-
-  /* Every attribute passed */
-  return CK_TRUE;
-}
-
-NSS_IMPLEMENT NSSCKMDFindObjects *
-nss_builtins_FindObjectsInit
-(
-  NSSCKFWSession *fwSession,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_RV *pError
-)
-{
-  /* This could be made more efficient.  I'm rather rushed. */
-  NSSArena *arena;
-  NSSCKMDFindObjects *rv = (NSSCKMDFindObjects *)NULL;
-  struct builtinsFOStr *fo = (struct builtinsFOStr *)NULL;
-  builtinsInternalObject **temp = (builtinsInternalObject **)NULL;
-  PRUint32 i;
-
-  arena = NSSArena_Create();
-  if( (NSSArena *)NULL == arena ) {
-    goto loser;
-  }
-
-  rv = nss_ZNEW(arena, NSSCKMDFindObjects);
-  if( (NSSCKMDFindObjects *)NULL == rv ) {
-    *pError = CKR_HOST_MEMORY;
-    goto loser;
-  }
-
-  fo = nss_ZNEW(arena, struct builtinsFOStr);
-  if( (struct builtinsFOStr *)NULL == fo ) {
-    *pError = CKR_HOST_MEMORY;
-    goto loser;
-  }
-
-  fo->arena = arena;
-  /* fo->n and fo->i are already zero */
-
-  rv->etc = (void *)fo;
-  rv->Final = builtins_mdFindObjects_Final;
-  rv->Next = builtins_mdFindObjects_Next;
-  rv->null = (void *)NULL;
-
-  temp = nss_ZNEWARRAY((NSSArena *)NULL, builtinsInternalObject *, 
-                       nss_builtins_nObjects);
-  if( (builtinsInternalObject **)NULL == temp ) {
-    *pError = CKR_HOST_MEMORY;
-    goto loser;
-  }
-
-  for( i = 0; i < nss_builtins_nObjects; i++ ) {
-    builtinsInternalObject *o = (builtinsInternalObject *)&nss_builtins_data[i];
-
-    if( CK_TRUE == builtins_match(pTemplate, ulAttributeCount, o) ) {
-      temp[ fo->n ] = o;
-      fo->n++;
-    }
-  }
-
-  fo->objs = nss_ZNEWARRAY(arena, builtinsInternalObject *, fo->n);
-  if( (builtinsInternalObject **)NULL == fo->objs ) {
-    *pError = CKR_HOST_MEMORY;
-    goto loser;
-  }
-
-  (void)nsslibc_memcpy(fo->objs, temp, sizeof(builtinsInternalObject *) * fo->n);
-  nss_ZFreeIf(temp);
-  temp = (builtinsInternalObject **)NULL;
-
-  return rv;
-
- loser:
-  nss_ZFreeIf(temp);
-  nss_ZFreeIf(fo);
-  nss_ZFreeIf(rv);
-  if ((NSSArena *)NULL != arena) {
-     NSSArena_Destroy(arena);
-  }
-  return (NSSCKMDFindObjects *)NULL;
-}
-
diff --git a/security/nss/lib/ckfw/builtins/binst.c b/security/nss/lib/ckfw/builtins/binst.c
deleted file mode 100644
index 2df0777a0..000000000
--- a/security/nss/lib/ckfw/builtins/binst.c
+++ /dev/null
@@ -1,133 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#include "builtins.h"
-
-/*
- * builtins/instance.c
- *
- * This file implements the NSSCKMDInstance object for the 
- * "builtin objects" cryptoki module.
- */
-
-/*
- * NSSCKMDInstance methods
- */
-
-static CK_ULONG
-builtins_mdInstance_GetNSlots
-(
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  return (CK_ULONG)1;
-}
-
-static CK_VERSION
-builtins_mdInstance_GetCryptokiVersion
-(
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  return nss_builtins_CryptokiVersion;
-}
-
-static NSSUTF8 *
-builtins_mdInstance_GetManufacturerID
-(
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  return (NSSUTF8 *)nss_builtins_ManufacturerID;
-}
-
-static NSSUTF8 *
-builtins_mdInstance_GetLibraryDescription
-(
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  return (NSSUTF8 *)nss_builtins_LibraryDescription;
-}
-
-static CK_VERSION
-builtins_mdInstance_GetLibraryVersion
-(
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  return nss_builtins_LibraryVersion;
-}
-
-static CK_RV
-builtins_mdInstance_GetSlots
-(
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  NSSCKMDSlot *slots[]
-)
-{
-  slots[0] = (NSSCKMDSlot *)&nss_builtins_mdSlot;
-  return CKR_OK;
-}
-
-NSS_IMPLEMENT_DATA const NSSCKMDInstance
-nss_builtins_mdInstance = {
-  (void *)NULL, /* etc */
-  NULL, /* Initialize */
-  NULL, /* Finalize */
-  builtins_mdInstance_GetNSlots,
-  builtins_mdInstance_GetCryptokiVersion,
-  builtins_mdInstance_GetManufacturerID,
-  builtins_mdInstance_GetLibraryDescription,
-  builtins_mdInstance_GetLibraryVersion,
-  NULL, /* ModuleHandlesSessionObjects -- defaults to false */
-  builtins_mdInstance_GetSlots,
-  NULL, /* WaitForSlotEvent */
-  (void *)NULL /* null terminator */
-};
diff --git a/security/nss/lib/ckfw/builtins/bobject.c b/security/nss/lib/ckfw/builtins/bobject.c
deleted file mode 100644
index a42df1a64..000000000
--- a/security/nss/lib/ckfw/builtins/bobject.c
+++ /dev/null
@@ -1,258 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#include "builtins.h"
-
-/*
- * builtins/object.c
- *
- * This file implements the NSSCKMDObject object for the
- * "builtin objects" cryptoki module.
- */
-
-/*
- * Finalize - unneeded
- * Destroy - CKR_SESSION_READ_ONLY
- * IsTokenObject - CK_TRUE
- * GetAttributeCount
- * GetAttributeTypes
- * GetAttributeSize
- * GetAttribute
- * SetAttribute - unneeded
- * GetObjectSize
- */
-
-static CK_RV
-builtins_mdObject_Destroy
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  return CKR_SESSION_READ_ONLY;
-}
-
-static CK_BBOOL
-builtins_mdObject_IsTokenObject
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  return CK_TRUE;
-}
-
-static CK_ULONG
-builtins_mdObject_GetAttributeCount
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  builtinsInternalObject *io = (builtinsInternalObject *)mdObject->etc;
-  return io->n;
-}
-
-static CK_RV
-builtins_mdObject_GetAttributeTypes
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_ATTRIBUTE_TYPE_PTR typeArray,
-  CK_ULONG ulCount
-)
-{
-  builtinsInternalObject *io = (builtinsInternalObject *)mdObject->etc;
-  CK_ULONG i;
-
-  if( io->n != ulCount ) {
-    return CKR_BUFFER_TOO_SMALL;
-  }
-
-  for( i = 0; i < io->n; i++ ) {
-    typeArray[i] = io->types[i];
-  }
-
-  return CKR_OK;
-}
-
-static CK_ULONG
-builtins_mdObject_GetAttributeSize
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_ATTRIBUTE_TYPE attribute,
-  CK_RV *pError
-)
-{
-  builtinsInternalObject *io = (builtinsInternalObject *)mdObject->etc;
-  CK_ULONG i;
-
-  for( i = 0; i < io->n; i++ ) {
-    if( attribute == io->types[i] ) {
-      return (CK_ULONG)(io->items[i].size);
-    }
-  }
-
-  *pError = CKR_ATTRIBUTE_TYPE_INVALID;
-  return 0;
-}
-
-static NSSCKFWItem
-builtins_mdObject_GetAttribute
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_ATTRIBUTE_TYPE attribute,
-  CK_RV *pError
-)
-{
-  NSSCKFWItem mdItem;
-  builtinsInternalObject *io = (builtinsInternalObject *)mdObject->etc;
-  CK_ULONG i;
-
-  mdItem.needsFreeing = PR_FALSE;
-  mdItem.item = (NSSItem*) NULL;
-
-  for( i = 0; i < io->n; i++ ) {
-    if( attribute == io->types[i] ) {
-      mdItem.item = (NSSItem*) &io->items[i];
-      return mdItem;
-    }
-  }
-
-  *pError = CKR_ATTRIBUTE_TYPE_INVALID;
-  return mdItem;
-}
-
-static CK_ULONG
-builtins_mdObject_GetObjectSize
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  builtinsInternalObject *io = (builtinsInternalObject *)mdObject->etc;
-  CK_ULONG i;
-  CK_ULONG rv = sizeof(CK_ULONG);
-
-  for( i = 0; i < io->n; i++ ) {
-    rv += sizeof(CK_ATTRIBUTE_TYPE) + sizeof(NSSItem) + io->items[i].size;
-  }
-
-  return rv;
-}
-
-static const NSSCKMDObject
-builtins_prototype_mdObject = {
-  (void *)NULL, /* etc */
-  NULL, /* Finalize */
-  builtins_mdObject_Destroy,
-  builtins_mdObject_IsTokenObject,
-  builtins_mdObject_GetAttributeCount,
-  builtins_mdObject_GetAttributeTypes,
-  builtins_mdObject_GetAttributeSize,
-  builtins_mdObject_GetAttribute,
-  NULL, /* FreeAttribute */
-  NULL, /* SetAttribute */
-  builtins_mdObject_GetObjectSize,
-  (void *)NULL /* null terminator */
-};
-
-NSS_IMPLEMENT NSSCKMDObject *
-nss_builtins_CreateMDObject
-(
-  NSSArena *arena,
-  builtinsInternalObject *io,
-  CK_RV *pError
-)
-{
-  if ( (void*)NULL == io->mdObject.etc) {
-    (void) nsslibc_memcpy(&io->mdObject,&builtins_prototype_mdObject,
-					sizeof(builtins_prototype_mdObject));
-    io->mdObject.etc = (void *)io;
-  }
-
-  return &io->mdObject;
-}
diff --git a/security/nss/lib/ckfw/builtins/bsession.c b/security/nss/lib/ckfw/builtins/bsession.c
deleted file mode 100644
index 14f4e4bbd..000000000
--- a/security/nss/lib/ckfw/builtins/bsession.c
+++ /dev/null
@@ -1,111 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#include "builtins.h"
-
-/*
- * builtins/session.c
- *
- * This file implements the NSSCKMDSession object for the 
- * "builtin objects" cryptoki module.
- */
-
-static NSSCKMDFindObjects *
-builtins_mdSession_FindObjectsInit
-(
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_RV *pError
-)
-{
-  return nss_builtins_FindObjectsInit(fwSession, pTemplate, ulAttributeCount, pError);
-}
-
-NSS_IMPLEMENT NSSCKMDSession *
-nss_builtins_CreateSession
-(
-  NSSCKFWSession *fwSession,
-  CK_RV *pError
-)
-{
-  NSSArena *arena;
-  NSSCKMDSession *rv;
-
-  arena = NSSCKFWSession_GetArena(fwSession, pError);
-  if( (NSSArena *)NULL == arena ) {
-    return (NSSCKMDSession *)NULL;
-  }
-
-  rv = nss_ZNEW(arena, NSSCKMDSession);
-  if( (NSSCKMDSession *)NULL == rv ) {
-    *pError = CKR_HOST_MEMORY;
-    return (NSSCKMDSession *)NULL;
-  }
-
-  /* 
-   * rv was zeroed when allocated, so we only 
-   * need to set the non-zero members.
-   */
-
-  rv->etc = (void *)fwSession;
-  /* rv->Close */
-  /* rv->GetDeviceError */
-  /* rv->Login */
-  /* rv->Logout */
-  /* rv->InitPIN */
-  /* rv->SetPIN */
-  /* rv->GetOperationStateLen */
-  /* rv->GetOperationState */
-  /* rv->SetOperationState */
-  /* rv->CreateObject */
-  /* rv->CopyObject */
-  rv->FindObjectsInit = builtins_mdSession_FindObjectsInit;
-  /* rv->SeedRandom */
-  /* rv->GetRandom */
-  /* rv->null */
-
-  return rv;
-}
diff --git a/security/nss/lib/ckfw/builtins/bslot.c b/security/nss/lib/ckfw/builtins/bslot.c
deleted file mode 100644
index ebf951d48..000000000
--- a/security/nss/lib/ckfw/builtins/bslot.c
+++ /dev/null
@@ -1,127 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#include "builtins.h"
-
-/*
- * builtins/slot.c
- *
- * This file implements the NSSCKMDSlot object for the
- * "builtin objects" cryptoki module.
- */
-
-static NSSUTF8 *
-builtins_mdSlot_GetSlotDescription
-(
-  NSSCKMDSlot *mdSlot,
-  NSSCKFWSlot *fwSlot,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  return (NSSUTF8 *)nss_builtins_SlotDescription;
-}
-
-static NSSUTF8 *
-builtins_mdSlot_GetManufacturerID
-(
-  NSSCKMDSlot *mdSlot,
-  NSSCKFWSlot *fwSlot,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  return (NSSUTF8 *)nss_builtins_ManufacturerID;
-}
-
-static CK_VERSION
-builtins_mdSlot_GetHardwareVersion
-(
-  NSSCKMDSlot *mdSlot,
-  NSSCKFWSlot *fwSlot,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  return nss_builtins_HardwareVersion;
-}
-
-static CK_VERSION
-builtins_mdSlot_GetFirmwareVersion
-(
-  NSSCKMDSlot *mdSlot,
-  NSSCKFWSlot *fwSlot,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  return nss_builtins_FirmwareVersion;
-}
-
-static NSSCKMDToken *
-builtins_mdSlot_GetToken
-(
-  NSSCKMDSlot *mdSlot,
-  NSSCKFWSlot *fwSlot,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  return (NSSCKMDToken *)&nss_builtins_mdToken;
-}
-
-NSS_IMPLEMENT_DATA const NSSCKMDSlot
-nss_builtins_mdSlot = {
-  (void *)NULL, /* etc */
-  NULL, /* Initialize */
-  NULL, /* Destroy */
-  builtins_mdSlot_GetSlotDescription,
-  builtins_mdSlot_GetManufacturerID,
-  NULL, /* GetTokenPresent -- defaults to true */
-  NULL, /* GetRemovableDevice -- defaults to false */
-  NULL, /* GetHardwareSlot -- defaults to false */
-  builtins_mdSlot_GetHardwareVersion,
-  builtins_mdSlot_GetFirmwareVersion,
-  builtins_mdSlot_GetToken,
-  (void *)NULL /* null terminator */
-};
diff --git a/security/nss/lib/ckfw/builtins/btoken.c b/security/nss/lib/ckfw/builtins/btoken.c
deleted file mode 100644
index 7808161d9..000000000
--- a/security/nss/lib/ckfw/builtins/btoken.c
+++ /dev/null
@@ -1,187 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#include "builtins.h"
-
-/*
- * builtins/token.c
- *
- * This file implements the NSSCKMDToken object for the
- * "builtin objects" cryptoki module.
- */
-
-static NSSUTF8 *
-builtins_mdToken_GetLabel
-(
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  return (NSSUTF8 *)nss_builtins_TokenLabel;
-}
-
-static NSSUTF8 *
-builtins_mdToken_GetManufacturerID
-(
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  return (NSSUTF8 *)nss_builtins_ManufacturerID;
-}
-
-static NSSUTF8 *
-builtins_mdToken_GetModel
-(
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  return (NSSUTF8 *)nss_builtins_TokenModel;
-}
-
-static NSSUTF8 *
-builtins_mdToken_GetSerialNumber
-(
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  return (NSSUTF8 *)nss_builtins_TokenSerialNumber;
-}
-
-static CK_BBOOL
-builtins_mdToken_GetIsWriteProtected
-(
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  return CK_TRUE;
-}
-
-static CK_VERSION
-builtins_mdToken_GetHardwareVersion
-(
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  return nss_builtins_HardwareVersion;
-}
-
-static CK_VERSION
-builtins_mdToken_GetFirmwareVersion
-(
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  return nss_builtins_FirmwareVersion;
-}
-
-static NSSCKMDSession *
-builtins_mdToken_OpenSession
-(
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  NSSCKFWSession *fwSession,
-  CK_BBOOL rw,
-  CK_RV *pError
-)
-{
-  return nss_builtins_CreateSession(fwSession, pError);
-}
-
-NSS_IMPLEMENT_DATA const NSSCKMDToken
-nss_builtins_mdToken = {
-  (void *)NULL, /* etc */
-  NULL, /* Setup */
-  NULL, /* Invalidate */
-  NULL, /* InitToken -- default errs */
-  builtins_mdToken_GetLabel,
-  builtins_mdToken_GetManufacturerID,
-  builtins_mdToken_GetModel,
-  builtins_mdToken_GetSerialNumber,
-  NULL, /* GetHasRNG -- default is false */
-  builtins_mdToken_GetIsWriteProtected,
-  NULL, /* GetLoginRequired -- default is false */
-  NULL, /* GetUserPinInitialized -- default is false */
-  NULL, /* GetRestoreKeyNotNeeded -- irrelevant */
-  NULL, /* GetHasClockOnToken -- default is false */
-  NULL, /* GetHasProtectedAuthenticationPath -- default is false */
-  NULL, /* GetSupportsDualCryptoOperations -- default is false */
-  NULL, /* GetMaxSessionCount -- default is CK_UNAVAILABLE_INFORMATION */
-  NULL, /* GetMaxRwSessionCount -- default is CK_UNAVAILABLE_INFORMATION */
-  NULL, /* GetMaxPinLen -- irrelevant */
-  NULL, /* GetMinPinLen -- irrelevant */
-  NULL, /* GetTotalPublicMemory -- default is CK_UNAVAILABLE_INFORMATION */
-  NULL, /* GetFreePublicMemory -- default is CK_UNAVAILABLE_INFORMATION */
-  NULL, /* GetTotalPrivateMemory -- default is CK_UNAVAILABLE_INFORMATION */
-  NULL, /* GetFreePrivateMemory -- default is CK_UNAVAILABLE_INFORMATION */
-  builtins_mdToken_GetHardwareVersion,
-  builtins_mdToken_GetFirmwareVersion,
-  NULL, /* GetUTCTime -- no clock */
-  builtins_mdToken_OpenSession,
-  NULL, /* GetMechanismCount -- default is zero */
-  NULL, /* GetMechanismTypes -- irrelevant */
-  NULL, /* GetMechanism -- irrelevant */
-  (void *)NULL /* null terminator */
-};
diff --git a/security/nss/lib/ckfw/builtins/builtins.h b/security/nss/lib/ckfw/builtins/builtins.h
deleted file mode 100644
index a3937ac9f..000000000
--- a/security/nss/lib/ckfw/builtins/builtins.h
+++ /dev/null
@@ -1,107 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char BUILTINS_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#include "nssckmdt.h"
-#include "nssckfw.h"
-
-/*
- * I'm including this for access to the arena functions.
- * Looks like we should publish that API.
- */
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-/*
- * This is where the Netscape extensions live, at least for now.
- */
-#ifndef CKT_H
-#include "ckt.h"
-#endif /* CKT_H */
-
-struct builtinsInternalObjectStr {
-  CK_ULONG n;
-  const CK_ATTRIBUTE_TYPE *types;
-  const NSSItem *items;
-  NSSCKMDObject mdObject;
-};
-typedef struct builtinsInternalObjectStr builtinsInternalObject;
-
-NSS_EXTERN_DATA builtinsInternalObject nss_builtins_data[];
-NSS_EXTERN_DATA const PRUint32               nss_builtins_nObjects;
-
-NSS_EXTERN_DATA const CK_VERSION   nss_builtins_CryptokiVersion;
-NSS_EXTERN_DATA const NSSUTF8 *    nss_builtins_ManufacturerID;
-NSS_EXTERN_DATA const NSSUTF8 *    nss_builtins_LibraryDescription;
-NSS_EXTERN_DATA const CK_VERSION   nss_builtins_LibraryVersion;
-NSS_EXTERN_DATA const NSSUTF8 *    nss_builtins_SlotDescription;
-NSS_EXTERN_DATA const CK_VERSION   nss_builtins_HardwareVersion;
-NSS_EXTERN_DATA const CK_VERSION   nss_builtins_FirmwareVersion;
-NSS_EXTERN_DATA const NSSUTF8 *    nss_builtins_TokenLabel;
-NSS_EXTERN_DATA const NSSUTF8 *    nss_builtins_TokenModel;
-NSS_EXTERN_DATA const NSSUTF8 *    nss_builtins_TokenSerialNumber;
-
-NSS_EXTERN_DATA const NSSCKMDInstance nss_builtins_mdInstance;
-NSS_EXTERN_DATA const NSSCKMDSlot     nss_builtins_mdSlot;
-NSS_EXTERN_DATA const NSSCKMDToken    nss_builtins_mdToken;
-
-NSS_EXTERN NSSCKMDSession *
-nss_builtins_CreateSession
-(
-  NSSCKFWSession *fwSession,
-  CK_RV *pError
-);
-
-NSS_EXTERN NSSCKMDFindObjects *
-nss_builtins_FindObjectsInit
-(
-  NSSCKFWSession *fwSession,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_RV *pError
-);
-
-NSS_EXTERN NSSCKMDObject *
-nss_builtins_CreateMDObject
-(
-  NSSArena *arena,
-  builtinsInternalObject *io,
-  CK_RV *pError
-);
diff --git a/security/nss/lib/ckfw/builtins/certdata.c b/security/nss/lib/ckfw/builtins/certdata.c
deleted file mode 100644
index ca3d68970..000000000
--- a/security/nss/lib/ckfw/builtins/certdata.c
+++ /dev/null
@@ -1,12872 +0,0 @@
-/* THIS IS A GENERATED FILE */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$""; @(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#ifndef BUILTINS_H
-#include "builtins.h"
-#endif /* BUILTINS_H */
-
-static const CK_TRUST ckt_netscape_valid = CKT_NETSCAPE_VALID;
-static const CK_OBJECT_CLASS cko_certificate = CKO_CERTIFICATE;
-static const CK_TRUST ckt_netscape_trusted_delegator = CKT_NETSCAPE_TRUSTED_DELEGATOR;
-static const CK_OBJECT_CLASS cko_netscape_trust = CKO_NETSCAPE_TRUST;
-static const CK_BBOOL ck_true = CK_TRUE;
-static const CK_OBJECT_CLASS cko_data = CKO_DATA;
-static const CK_CERTIFICATE_TYPE ckc_x_509 = CKC_X_509;
-static const CK_BBOOL ck_false = CK_FALSE;
-static const CK_OBJECT_CLASS cko_netscape_builtin_root_list = CKO_NETSCAPE_BUILTIN_ROOT_LIST;
-#ifdef DEBUG
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_0 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_APPLICATION,  CKA_VALUE
-};
-#endif /* DEBUG */
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_1 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_2 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_3 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_4 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_5 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_6 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_7 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_8 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_9 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_10 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_11 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_12 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_13 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_14 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_15 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_16 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_17 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_18 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_19 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_20 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_21 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_22 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_23 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_24 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_25 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_26 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_27 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_28 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_29 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_30 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_31 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_32 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_33 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_34 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_35 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_36 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_37 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_38 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_39 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_40 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_41 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_42 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_43 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_44 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_45 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_46 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_47 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_48 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_49 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_50 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_51 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_52 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_53 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_54 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_55 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_56 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_57 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_58 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_59 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_60 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_61 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_62 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_63 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_64 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_65 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_66 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_67 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_68 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_69 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_70 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_71 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_72 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_73 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_74 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_75 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_76 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_77 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_78 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_79 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_80 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_81 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_82 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_83 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_84 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_85 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_86 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_87 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_88 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_89 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_90 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_91 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_92 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_93 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_94 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_95 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_96 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_97 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_98 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_99 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_100 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_101 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_102 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_103 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_104 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_105 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_106 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_107 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_108 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_109 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_110 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_111 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_112 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_113 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_114 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_115 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_116 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_117 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_118 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_119 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_120 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_121 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_122 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_123 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_124 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_125 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_126 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_127 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_128 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_129 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_130 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_131 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_132 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_133 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_134 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_135 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_136 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_137 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_138 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_139 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_140 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_141 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_142 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_143 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_144 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_145 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_146 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_147 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_148 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_149 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_150 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_151 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_152 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_153 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_154 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_155 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_156 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_157 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_158 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_159 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_160 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_161 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_162 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_163 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_164 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_165 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_166 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_167 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_168 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_169 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_170 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_171 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_172 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_173 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_174 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_175 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_176 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_177 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_178 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_179 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_180 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_181 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_182 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_183 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_184 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_185 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_186 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_187 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_188 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
-};
-static const CK_ATTRIBUTE_TYPE nss_builtins_types_189 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
-};
-#ifdef DEBUG
-static const NSSItem nss_builtins_items_0 [] = {
-  { (void *)&cko_data, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"CVS ID", (PRUint32)7 },
-  { (void *)"NSS", (PRUint32)4 },
-  { (void *)"@(#) $RCSfile$ $Revision$ $Date$""; @(#) $RCSfile$ $Revision$ $Date$", (PRUint32)160 }
-};
-#endif /* DEBUG */
-static const NSSItem nss_builtins_items_1 [] = {
-  { (void *)&cko_netscape_builtin_root_list, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Mozilla Builtin Roots", (PRUint32)22 }
-};
-static const NSSItem nss_builtins_items_2 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign/RSA Secure Server CA", (PRUint32)30 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\040\060\036\006\003\125\004\012\023\027\122\123\101\040\104\141"
-"\164\141\040\123\145\143\165\162\151\164\171\054\040\111\156\143"
-"\056\061\056\060\054\006\003\125\004\013\023\045\123\145\143\165"
-"\162\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146"
-"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171"
-, (PRUint32)97 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\040\060\036\006\003\125\004\012\023\027\122\123\101\040\104\141"
-"\164\141\040\123\145\143\165\162\151\164\171\054\040\111\156\143"
-"\056\061\056\060\054\006\003\125\004\013\023\045\123\145\143\165"
-"\162\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146"
-"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171"
-, (PRUint32)97 },
-  { (void *)"\002\020\002\255\146\176\116\105\376\136\127\157\074\230\031\136"
-"\335\300"
-, (PRUint32)18 },
-  { (void *)"\060\202\002\064\060\202\001\241\002\020\002\255\146\176\116\105"
-"\376\136\127\157\074\230\031\136\335\300\060\015\006\011\052\206"
-"\110\206\367\015\001\001\002\005\000\060\137\061\013\060\011\006"
-"\003\125\004\006\023\002\125\123\061\040\060\036\006\003\125\004"
-"\012\023\027\122\123\101\040\104\141\164\141\040\123\145\143\165"
-"\162\151\164\171\054\040\111\156\143\056\061\056\060\054\006\003"
-"\125\004\013\023\045\123\145\143\165\162\145\040\123\145\162\166"
-"\145\162\040\103\145\162\164\151\146\151\143\141\164\151\157\156"
-"\040\101\165\164\150\157\162\151\164\171\060\036\027\015\071\064"
-"\061\061\060\071\060\060\060\060\060\060\132\027\015\061\060\060"
-"\061\060\067\062\063\065\071\065\071\132\060\137\061\013\060\011"
-"\006\003\125\004\006\023\002\125\123\061\040\060\036\006\003\125"
-"\004\012\023\027\122\123\101\040\104\141\164\141\040\123\145\143"
-"\165\162\151\164\171\054\040\111\156\143\056\061\056\060\054\006"
-"\003\125\004\013\023\045\123\145\143\165\162\145\040\123\145\162"
-"\166\145\162\040\103\145\162\164\151\146\151\143\141\164\151\157"
-"\156\040\101\165\164\150\157\162\151\164\171\060\201\233\060\015"
-"\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\211"
-"\000\060\201\205\002\176\000\222\316\172\301\256\203\076\132\252"
-"\211\203\127\254\045\001\166\014\255\256\216\054\067\316\353\065"
-"\170\144\124\003\345\204\100\121\311\277\217\010\342\212\202\010"
-"\322\026\206\067\125\351\261\041\002\255\166\150\201\232\005\242"
-"\113\311\113\045\146\042\126\154\210\007\217\367\201\131\155\204"
-"\007\145\160\023\161\166\076\233\167\114\343\120\211\126\230\110"
-"\271\035\247\051\032\023\056\112\021\131\234\036\025\325\111\124"
-"\054\163\072\151\202\261\227\071\234\155\160\147\110\345\335\055"
-"\326\310\036\173\002\003\001\000\001\060\015\006\011\052\206\110"
-"\206\367\015\001\001\002\005\000\003\176\000\145\335\176\341\262"
-"\354\260\342\072\340\354\161\106\232\031\021\270\323\307\240\264"
-"\003\100\046\002\076\011\234\341\022\263\321\132\366\067\245\267"
-"\141\003\266\133\026\151\073\306\104\010\014\210\123\014\153\227"
-"\111\307\076\065\334\154\271\273\252\337\134\273\072\057\223\140"
-"\266\251\113\115\362\040\367\315\137\177\144\173\216\334\000\134"
-"\327\372\167\312\071\026\131\157\016\352\323\265\203\177\115\115"
-"\102\126\166\264\311\137\004\370\070\370\353\322\137\165\137\315"
-"\173\374\345\216\200\174\374\120"
-, (PRUint32)568 }
-};
-static const NSSItem nss_builtins_items_3 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign/RSA Secure Server CA", (PRUint32)30 },
-  { (void *)"\104\143\305\061\327\314\301\000\147\224\141\053\266\126\323\277"
-"\202\127\204\157"
-, (PRUint32)20 },
-  { (void *)"\164\173\202\003\103\360\000\236\153\263\354\107\277\205\245\223"
-, (PRUint32)16 },
-  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\040\060\036\006\003\125\004\012\023\027\122\123\101\040\104\141"
-"\164\141\040\123\145\143\165\162\151\164\171\054\040\111\156\143"
-"\056\061\056\060\054\006\003\125\004\013\023\045\123\145\143\165"
-"\162\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146"
-"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171"
-, (PRUint32)97 },
-  { (void *)"\002\020\002\255\146\176\116\105\376\136\127\157\074\230\031\136"
-"\335\300"
-, (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_4 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"GTE CyberTrust Root CA", (PRUint32)23 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\105\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157"
-"\162\160\157\162\141\164\151\157\156\061\034\060\032\006\003\125"
-"\004\003\023\023\107\124\105\040\103\171\142\145\162\124\162\165"
-"\163\164\040\122\157\157\164"
-, (PRUint32)71 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\105\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157"
-"\162\160\157\162\141\164\151\157\156\061\034\060\032\006\003\125"
-"\004\003\023\023\107\124\105\040\103\171\142\145\162\124\162\165"
-"\163\164\040\122\157\157\164"
-, (PRUint32)71 },
-  { (void *)"\002\002\001\243"
-, (PRUint32)4 },
-  { (void *)"\060\202\001\372\060\202\001\143\002\002\001\243\060\015\006\011"
-"\052\206\110\206\367\015\001\001\004\005\000\060\105\061\013\060"
-"\011\006\003\125\004\006\023\002\125\123\061\030\060\026\006\003"
-"\125\004\012\023\017\107\124\105\040\103\157\162\160\157\162\141"
-"\164\151\157\156\061\034\060\032\006\003\125\004\003\023\023\107"
-"\124\105\040\103\171\142\145\162\124\162\165\163\164\040\122\157"
-"\157\164\060\036\027\015\071\066\060\062\062\063\062\063\060\061"
-"\060\060\132\027\015\060\066\060\062\062\063\062\063\065\071\060"
-"\060\132\060\105\061\013\060\011\006\003\125\004\006\023\002\125"
-"\123\061\030\060\026\006\003\125\004\012\023\017\107\124\105\040"
-"\103\157\162\160\157\162\141\164\151\157\156\061\034\060\032\006"
-"\003\125\004\003\023\023\107\124\105\040\103\171\142\145\162\124"
-"\162\165\163\164\040\122\157\157\164\060\201\237\060\015\006\011"
-"\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060"
-"\201\211\002\201\201\000\270\346\117\272\333\230\174\161\174\257"
-"\104\267\323\017\106\331\144\345\223\301\102\216\307\272\111\215"
-"\065\055\172\347\213\275\345\005\061\131\306\261\057\012\014\373"
-"\237\247\077\242\011\146\204\126\036\067\051\033\207\351\176\014"
-"\312\232\237\245\177\365\025\224\243\325\242\106\202\330\150\114"
-"\321\067\025\006\150\257\275\370\260\263\360\051\365\225\132\011"
-"\026\141\167\012\042\045\324\117\105\252\307\275\345\226\337\371"
-"\324\250\216\102\314\044\300\036\221\047\112\265\155\006\200\143"
-"\071\304\242\136\070\003\002\003\001\000\001\060\015\006\011\052"
-"\206\110\206\367\015\001\001\004\005\000\003\201\201\000\022\263"
-"\165\306\137\035\341\141\125\200\000\324\201\113\173\061\017\043"
-"\143\347\075\363\003\371\364\066\250\273\331\343\245\227\115\352"
-"\053\051\340\326\152\163\201\346\300\211\243\323\361\340\245\245"
-"\042\067\232\143\302\110\040\264\333\162\343\310\366\331\174\276"
-"\261\257\123\332\024\264\041\270\326\325\226\343\376\116\014\131"
-"\142\266\232\112\371\102\335\214\157\201\251\161\377\364\012\162"
-"\155\155\104\016\235\363\164\164\250\325\064\111\351\136\236\351"
-"\264\172\341\345\132\037\204\060\234\323\237\245\045\330"
-, (PRUint32)510 }
-};
-static const NSSItem nss_builtins_items_5 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"GTE CyberTrust Root CA", (PRUint32)23 },
-  { (void *)"\220\336\336\236\114\116\237\157\330\206\027\127\235\323\221\274"
-"\145\246\211\144"
-, (PRUint32)20 },
-  { (void *)"\304\327\360\262\243\305\175\141\147\360\004\315\103\323\272\130"
-, (PRUint32)16 },
-  { (void *)"\060\105\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157"
-"\162\160\157\162\141\164\151\157\156\061\034\060\032\006\003\125"
-"\004\003\023\023\107\124\105\040\103\171\142\145\162\124\162\165"
-"\163\164\040\122\157\157\164"
-, (PRUint32)71 },
-  { (void *)"\002\002\001\243"
-, (PRUint32)4 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_6 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"GTE CyberTrust Global Root", (PRUint32)27 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157"
-"\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125"
-"\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165"
-"\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156"
-"\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105"
-"\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142"
-"\141\154\040\122\157\157\164"
-, (PRUint32)119 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157"
-"\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125"
-"\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165"
-"\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156"
-"\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105"
-"\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142"
-"\141\154\040\122\157\157\164"
-, (PRUint32)119 },
-  { (void *)"\002\002\001\245"
-, (PRUint32)4 },
-  { (void *)"\060\202\002\132\060\202\001\303\002\002\001\245\060\015\006\011"
-"\052\206\110\206\367\015\001\001\004\005\000\060\165\061\013\060"
-"\011\006\003\125\004\006\023\002\125\123\061\030\060\026\006\003"
-"\125\004\012\023\017\107\124\105\040\103\157\162\160\157\162\141"
-"\164\151\157\156\061\047\060\045\006\003\125\004\013\023\036\107"
-"\124\105\040\103\171\142\145\162\124\162\165\163\164\040\123\157"
-"\154\165\164\151\157\156\163\054\040\111\156\143\056\061\043\060"
-"\041\006\003\125\004\003\023\032\107\124\105\040\103\171\142\145"
-"\162\124\162\165\163\164\040\107\154\157\142\141\154\040\122\157"
-"\157\164\060\036\027\015\071\070\060\070\061\063\060\060\062\071"
-"\060\060\132\027\015\061\070\060\070\061\063\062\063\065\071\060"
-"\060\132\060\165\061\013\060\011\006\003\125\004\006\023\002\125"
-"\123\061\030\060\026\006\003\125\004\012\023\017\107\124\105\040"
-"\103\157\162\160\157\162\141\164\151\157\156\061\047\060\045\006"
-"\003\125\004\013\023\036\107\124\105\040\103\171\142\145\162\124"
-"\162\165\163\164\040\123\157\154\165\164\151\157\156\163\054\040"
-"\111\156\143\056\061\043\060\041\006\003\125\004\003\023\032\107"
-"\124\105\040\103\171\142\145\162\124\162\165\163\164\040\107\154"
-"\157\142\141\154\040\122\157\157\164\060\201\237\060\015\006\011"
-"\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060"
-"\201\211\002\201\201\000\225\017\240\266\360\120\234\350\172\307"
-"\210\315\335\027\016\056\260\224\320\033\075\016\366\224\300\212"
-"\224\307\006\310\220\227\310\270\144\032\172\176\154\074\123\341"
-"\067\050\163\140\177\262\227\123\007\237\123\371\155\130\224\322"
-"\257\215\155\210\147\200\346\355\262\225\317\162\061\312\245\034"
-"\162\272\134\002\347\144\102\347\371\251\054\326\072\015\254\215"
-"\102\252\044\001\071\346\234\077\001\205\127\015\130\207\105\370"
-"\323\205\252\223\151\046\205\160\110\200\077\022\025\307\171\264"
-"\037\005\057\073\142\231\002\003\001\000\001\060\015\006\011\052"
-"\206\110\206\367\015\001\001\004\005\000\003\201\201\000\155\353"
-"\033\011\351\136\331\121\333\147\042\141\244\052\074\110\167\343"
-"\240\174\246\336\163\242\024\003\205\075\373\253\016\060\305\203"
-"\026\063\201\023\010\236\173\064\116\337\100\310\164\327\271\175"
-"\334\364\166\125\175\233\143\124\030\351\360\352\363\134\261\331"
-"\213\102\036\271\300\225\116\272\372\325\342\174\365\150\141\277"
-"\216\354\005\227\137\133\260\327\243\205\064\304\044\247\015\017"
-"\225\223\357\313\224\330\236\037\235\134\205\155\307\252\256\117"
-"\037\042\265\315\225\255\272\247\314\371\253\013\172\177"
-, (PRUint32)606 }
-};
-static const NSSItem nss_builtins_items_7 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"GTE CyberTrust Global Root", (PRUint32)27 },
-  { (void *)"\227\201\171\120\330\034\226\160\314\064\330\011\317\171\104\061"
-"\066\176\364\164"
-, (PRUint32)20 },
-  { (void *)"\312\075\323\150\361\003\134\320\062\372\270\053\131\350\132\333"
-, (PRUint32)16 },
-  { (void *)"\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157"
-"\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125"
-"\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165"
-"\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156"
-"\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105"
-"\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142"
-"\141\154\040\122\157\157\164"
-, (PRUint32)119 },
-  { (void *)"\002\002\001\245"
-, (PRUint32)4 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_8 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Thawte Personal Basic CA", (PRUint32)25 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\313\061\013\060\011\006\003\125\004\006\023\002\132\101"
-"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
-"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
-"\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006"
-"\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156"
-"\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013"
-"\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
-"\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157"
-"\156\061\041\060\037\006\003\125\004\003\023\030\124\150\141\167"
-"\164\145\040\120\145\162\163\157\156\141\154\040\102\141\163\151"
-"\143\040\103\101\061\050\060\046\006\011\052\206\110\206\367\015"
-"\001\011\001\026\031\160\145\162\163\157\156\141\154\055\142\141"
-"\163\151\143\100\164\150\141\167\164\145\056\143\157\155"
-, (PRUint32)206 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\313\061\013\060\011\006\003\125\004\006\023\002\132\101"
-"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
-"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
-"\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006"
-"\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156"
-"\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013"
-"\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
-"\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157"
-"\156\061\041\060\037\006\003\125\004\003\023\030\124\150\141\167"
-"\164\145\040\120\145\162\163\157\156\141\154\040\102\141\163\151"
-"\143\040\103\101\061\050\060\046\006\011\052\206\110\206\367\015"
-"\001\011\001\026\031\160\145\162\163\157\156\141\154\055\142\141"
-"\163\151\143\100\164\150\141\167\164\145\056\143\157\155"
-, (PRUint32)206 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)"\060\202\003\041\060\202\002\212\240\003\002\001\002\002\001\000"
-"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060"
-"\201\313\061\013\060\011\006\003\125\004\006\023\002\132\101\061"
-"\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145\162"
-"\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007\023"
-"\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006\003"
-"\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156\163"
-"\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013\023"
-"\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040\123"
-"\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157\156"
-"\061\041\060\037\006\003\125\004\003\023\030\124\150\141\167\164"
-"\145\040\120\145\162\163\157\156\141\154\040\102\141\163\151\143"
-"\040\103\101\061\050\060\046\006\011\052\206\110\206\367\015\001"
-"\011\001\026\031\160\145\162\163\157\156\141\154\055\142\141\163"
-"\151\143\100\164\150\141\167\164\145\056\143\157\155\060\036\027"
-"\015\071\066\060\061\060\061\060\060\060\060\060\060\132\027\015"
-"\062\060\061\062\063\061\062\063\065\071\065\071\132\060\201\313"
-"\061\013\060\011\006\003\125\004\006\023\002\132\101\061\025\060"
-"\023\006\003\125\004\010\023\014\127\145\163\164\145\162\156\040"
-"\103\141\160\145\061\022\060\020\006\003\125\004\007\023\011\103"
-"\141\160\145\040\124\157\167\156\061\032\060\030\006\003\125\004"
-"\012\023\021\124\150\141\167\164\145\040\103\157\156\163\165\154"
-"\164\151\156\147\061\050\060\046\006\003\125\004\013\023\037\103"
-"\145\162\164\151\146\151\143\141\164\151\157\156\040\123\145\162"
-"\166\151\143\145\163\040\104\151\166\151\163\151\157\156\061\041"
-"\060\037\006\003\125\004\003\023\030\124\150\141\167\164\145\040"
-"\120\145\162\163\157\156\141\154\040\102\141\163\151\143\040\103"
-"\101\061\050\060\046\006\011\052\206\110\206\367\015\001\011\001"
-"\026\031\160\145\162\163\157\156\141\154\055\142\141\163\151\143"
-"\100\164\150\141\167\164\145\056\143\157\155\060\201\237\060\015"
-"\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215"
-"\000\060\201\211\002\201\201\000\274\274\223\123\155\300\120\117"
-"\202\025\346\110\224\065\246\132\276\157\102\372\017\107\356\167"
-"\165\162\335\215\111\233\226\127\240\170\324\312\077\121\263\151"
-"\013\221\166\027\042\007\227\152\304\121\223\113\340\215\357\067"
-"\225\241\014\115\332\064\220\035\027\211\227\340\065\070\127\112"
-"\300\364\010\160\351\074\104\173\120\176\141\232\220\343\043\323"
-"\210\021\106\047\365\013\007\016\273\335\321\177\040\012\210\271"
-"\126\013\056\034\200\332\361\343\236\051\357\024\275\012\104\373"
-"\033\133\030\321\277\043\223\041\002\003\001\000\001\243\023\060"
-"\021\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001"
-"\001\377\060\015\006\011\052\206\110\206\367\015\001\001\004\005"
-"\000\003\201\201\000\055\342\231\153\260\075\172\211\327\131\242"
-"\224\001\037\053\335\022\113\123\302\255\177\252\247\000\134\221"
-"\100\127\045\112\070\252\204\160\271\331\200\017\245\173\134\373"
-"\163\306\275\327\212\141\134\003\343\055\047\250\027\340\204\205"
-"\102\334\136\233\306\267\262\155\273\164\257\344\077\313\247\267"
-"\260\340\135\276\170\203\045\224\322\333\201\017\171\007\155\117"
-"\364\071\025\132\122\001\173\336\062\326\115\070\366\022\134\006"
-"\120\337\005\133\275\024\113\241\337\051\272\073\101\215\367\143"
-"\126\241\337\042\261"
-, (PRUint32)805 }
-};
-static const NSSItem nss_builtins_items_9 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Thawte Personal Basic CA", (PRUint32)25 },
-  { (void *)"\100\347\214\035\122\075\034\331\225\117\254\032\032\263\275\074"
-"\272\241\133\374"
-, (PRUint32)20 },
-  { (void *)"\346\013\322\311\312\055\210\333\032\161\016\113\170\353\002\101"
-, (PRUint32)16 },
-  { (void *)"\060\201\313\061\013\060\011\006\003\125\004\006\023\002\132\101"
-"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
-"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
-"\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006"
-"\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156"
-"\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013"
-"\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
-"\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157"
-"\156\061\041\060\037\006\003\125\004\003\023\030\124\150\141\167"
-"\164\145\040\120\145\162\163\157\156\141\154\040\102\141\163\151"
-"\143\040\103\101\061\050\060\046\006\011\052\206\110\206\367\015"
-"\001\011\001\026\031\160\145\162\163\157\156\141\154\055\142\141"
-"\163\151\143\100\164\150\141\167\164\145\056\143\157\155"
-, (PRUint32)206 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_10 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Thawte Personal Premium CA", (PRUint32)27 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\317\061\013\060\011\006\003\125\004\006\023\002\132\101"
-"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
-"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
-"\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006"
-"\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156"
-"\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013"
-"\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
-"\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157"
-"\156\061\043\060\041\006\003\125\004\003\023\032\124\150\141\167"
-"\164\145\040\120\145\162\163\157\156\141\154\040\120\162\145\155"
-"\151\165\155\040\103\101\061\052\060\050\006\011\052\206\110\206"
-"\367\015\001\011\001\026\033\160\145\162\163\157\156\141\154\055"
-"\160\162\145\155\151\165\155\100\164\150\141\167\164\145\056\143"
-"\157\155"
-, (PRUint32)210 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\317\061\013\060\011\006\003\125\004\006\023\002\132\101"
-"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
-"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
-"\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006"
-"\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156"
-"\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013"
-"\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
-"\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157"
-"\156\061\043\060\041\006\003\125\004\003\023\032\124\150\141\167"
-"\164\145\040\120\145\162\163\157\156\141\154\040\120\162\145\155"
-"\151\165\155\040\103\101\061\052\060\050\006\011\052\206\110\206"
-"\367\015\001\011\001\026\033\160\145\162\163\157\156\141\154\055"
-"\160\162\145\155\151\165\155\100\164\150\141\167\164\145\056\143"
-"\157\155"
-, (PRUint32)210 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)"\060\202\003\051\060\202\002\222\240\003\002\001\002\002\001\000"
-"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060"
-"\201\317\061\013\060\011\006\003\125\004\006\023\002\132\101\061"
-"\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145\162"
-"\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007\023"
-"\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006\003"
-"\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156\163"
-"\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013\023"
-"\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040\123"
-"\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157\156"
-"\061\043\060\041\006\003\125\004\003\023\032\124\150\141\167\164"
-"\145\040\120\145\162\163\157\156\141\154\040\120\162\145\155\151"
-"\165\155\040\103\101\061\052\060\050\006\011\052\206\110\206\367"
-"\015\001\011\001\026\033\160\145\162\163\157\156\141\154\055\160"
-"\162\145\155\151\165\155\100\164\150\141\167\164\145\056\143\157"
-"\155\060\036\027\015\071\066\060\061\060\061\060\060\060\060\060"
-"\060\132\027\015\062\060\061\062\063\061\062\063\065\071\065\071"
-"\132\060\201\317\061\013\060\011\006\003\125\004\006\023\002\132"
-"\101\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164"
-"\145\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004"
-"\007\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030"
-"\006\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157"
-"\156\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004"
-"\013\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156"
-"\040\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151"
-"\157\156\061\043\060\041\006\003\125\004\003\023\032\124\150\141"
-"\167\164\145\040\120\145\162\163\157\156\141\154\040\120\162\145"
-"\155\151\165\155\040\103\101\061\052\060\050\006\011\052\206\110"
-"\206\367\015\001\011\001\026\033\160\145\162\163\157\156\141\154"
-"\055\160\162\145\155\151\165\155\100\164\150\141\167\164\145\056"
-"\143\157\155\060\201\237\060\015\006\011\052\206\110\206\367\015"
-"\001\001\001\005\000\003\201\215\000\060\201\211\002\201\201\000"
-"\311\146\331\370\007\104\317\271\214\056\360\241\357\023\105\154"
-"\005\337\336\047\026\121\066\101\021\154\154\073\355\376\020\175"
-"\022\236\345\233\102\232\376\140\061\303\146\267\163\072\110\256"
-"\116\320\062\067\224\210\265\015\266\331\363\362\104\331\325\210"
-"\022\335\166\115\362\032\374\157\043\036\172\361\330\230\105\116"
-"\007\020\357\026\102\320\103\165\155\112\336\342\252\311\061\377"
-"\037\000\160\174\146\317\020\045\010\272\372\356\000\351\106\003"
-"\146\047\021\025\073\252\133\362\230\335\066\102\262\332\210\165"
-"\002\003\001\000\001\243\023\060\021\060\017\006\003\125\035\023"
-"\001\001\377\004\005\060\003\001\001\377\060\015\006\011\052\206"
-"\110\206\367\015\001\001\004\005\000\003\201\201\000\151\066\211"
-"\367\064\052\063\162\057\155\073\324\042\262\270\157\232\305\066"
-"\146\016\033\074\241\261\165\132\346\375\065\323\370\250\362\007"
-"\157\205\147\216\336\053\271\342\027\260\072\240\360\016\242\000"
-"\232\337\363\024\025\156\273\310\205\132\230\200\371\377\276\164"
-"\035\075\363\376\060\045\321\067\064\147\372\245\161\171\060\141"
-"\051\162\300\340\054\114\373\126\344\072\250\157\345\062\131\122"
-"\333\165\050\120\131\014\370\013\031\344\254\331\257\226\215\057"
-"\120\333\007\303\352\037\253\063\340\365\053\061\211"
-, (PRUint32)813 }
-};
-static const NSSItem nss_builtins_items_11 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Thawte Personal Premium CA", (PRUint32)27 },
-  { (void *)"\066\206\065\143\375\121\050\307\276\246\360\005\317\351\264\066"
-"\150\010\154\316"
-, (PRUint32)20 },
-  { (void *)"\072\262\336\042\232\040\223\111\371\355\310\322\212\347\150\015"
-, (PRUint32)16 },
-  { (void *)"\060\201\317\061\013\060\011\006\003\125\004\006\023\002\132\101"
-"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
-"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
-"\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006"
-"\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156"
-"\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013"
-"\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
-"\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157"
-"\156\061\043\060\041\006\003\125\004\003\023\032\124\150\141\167"
-"\164\145\040\120\145\162\163\157\156\141\154\040\120\162\145\155"
-"\151\165\155\040\103\101\061\052\060\050\006\011\052\206\110\206"
-"\367\015\001\011\001\026\033\160\145\162\163\157\156\141\154\055"
-"\160\162\145\155\151\165\155\100\164\150\141\167\164\145\056\143"
-"\157\155"
-, (PRUint32)210 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_12 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Thawte Personal Freemail CA", (PRUint32)28 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\321\061\013\060\011\006\003\125\004\006\023\002\132\101"
-"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
-"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
-"\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006"
-"\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156"
-"\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013"
-"\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
-"\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157"
-"\156\061\044\060\042\006\003\125\004\003\023\033\124\150\141\167"
-"\164\145\040\120\145\162\163\157\156\141\154\040\106\162\145\145"
-"\155\141\151\154\040\103\101\061\053\060\051\006\011\052\206\110"
-"\206\367\015\001\011\001\026\034\160\145\162\163\157\156\141\154"
-"\055\146\162\145\145\155\141\151\154\100\164\150\141\167\164\145"
-"\056\143\157\155"
-, (PRUint32)212 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\321\061\013\060\011\006\003\125\004\006\023\002\132\101"
-"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
-"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
-"\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006"
-"\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156"
-"\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013"
-"\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
-"\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157"
-"\156\061\044\060\042\006\003\125\004\003\023\033\124\150\141\167"
-"\164\145\040\120\145\162\163\157\156\141\154\040\106\162\145\145"
-"\155\141\151\154\040\103\101\061\053\060\051\006\011\052\206\110"
-"\206\367\015\001\011\001\026\034\160\145\162\163\157\156\141\154"
-"\055\146\162\145\145\155\141\151\154\100\164\150\141\167\164\145"
-"\056\143\157\155"
-, (PRUint32)212 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)"\060\202\003\055\060\202\002\226\240\003\002\001\002\002\001\000"
-"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060"
-"\201\321\061\013\060\011\006\003\125\004\006\023\002\132\101\061"
-"\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145\162"
-"\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007\023"
-"\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006\003"
-"\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156\163"
-"\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013\023"
-"\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040\123"
-"\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157\156"
-"\061\044\060\042\006\003\125\004\003\023\033\124\150\141\167\164"
-"\145\040\120\145\162\163\157\156\141\154\040\106\162\145\145\155"
-"\141\151\154\040\103\101\061\053\060\051\006\011\052\206\110\206"
-"\367\015\001\011\001\026\034\160\145\162\163\157\156\141\154\055"
-"\146\162\145\145\155\141\151\154\100\164\150\141\167\164\145\056"
-"\143\157\155\060\036\027\015\071\066\060\061\060\061\060\060\060"
-"\060\060\060\132\027\015\062\060\061\062\063\061\062\063\065\071"
-"\065\071\132\060\201\321\061\013\060\011\006\003\125\004\006\023"
-"\002\132\101\061\025\060\023\006\003\125\004\010\023\014\127\145"
-"\163\164\145\162\156\040\103\141\160\145\061\022\060\020\006\003"
-"\125\004\007\023\011\103\141\160\145\040\124\157\167\156\061\032"
-"\060\030\006\003\125\004\012\023\021\124\150\141\167\164\145\040"
-"\103\157\156\163\165\154\164\151\156\147\061\050\060\046\006\003"
-"\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151"
-"\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151"
-"\163\151\157\156\061\044\060\042\006\003\125\004\003\023\033\124"
-"\150\141\167\164\145\040\120\145\162\163\157\156\141\154\040\106"
-"\162\145\145\155\141\151\154\040\103\101\061\053\060\051\006\011"
-"\052\206\110\206\367\015\001\011\001\026\034\160\145\162\163\157"
-"\156\141\154\055\146\162\145\145\155\141\151\154\100\164\150\141"
-"\167\164\145\056\143\157\155\060\201\237\060\015\006\011\052\206"
-"\110\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211"
-"\002\201\201\000\324\151\327\324\260\224\144\133\161\351\107\330"
-"\014\121\266\352\162\221\260\204\136\175\055\015\217\173\022\337"
-"\205\045\165\050\164\072\102\054\143\047\237\225\173\113\357\176"
-"\031\207\035\206\352\243\335\271\316\226\144\032\302\024\156\104"
-"\254\174\346\217\350\115\017\161\037\100\070\246\000\243\207\170"
-"\366\371\224\206\136\255\352\300\136\166\353\331\024\243\135\156"
-"\172\174\014\245\113\125\177\006\031\051\177\236\232\046\325\152"
-"\273\070\044\010\152\230\307\261\332\243\230\221\375\171\333\345"
-"\132\304\034\271\002\003\001\000\001\243\023\060\021\060\017\006"
-"\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\015"
-"\006\011\052\206\110\206\367\015\001\001\004\005\000\003\201\201"
-"\000\307\354\222\176\116\370\365\226\245\147\142\052\244\360\115"
-"\021\140\320\157\215\140\130\141\254\046\273\122\065\134\010\317"
-"\060\373\250\112\226\212\037\142\102\043\214\027\017\364\272\144"
-"\234\027\254\107\051\337\235\230\136\322\154\140\161\134\242\254"
-"\334\171\343\347\156\000\107\037\265\015\050\350\002\235\344\232"
-"\375\023\364\246\331\174\261\370\334\137\043\046\011\221\200\163"
-"\320\024\033\336\103\251\203\045\362\346\234\057\025\312\376\246"
-"\253\212\007\165\213\014\335\121\204\153\344\370\321\316\167\242"
-"\201"
-, (PRUint32)817 }
-};
-static const NSSItem nss_builtins_items_13 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Thawte Personal Freemail CA", (PRUint32)28 },
-  { (void *)"\040\231\000\266\075\225\127\050\024\014\321\066\042\330\306\207"
-"\244\353\000\205"
-, (PRUint32)20 },
-  { (void *)"\036\164\303\206\074\014\065\305\076\302\177\357\074\252\074\331"
-, (PRUint32)16 },
-  { (void *)"\060\201\321\061\013\060\011\006\003\125\004\006\023\002\132\101"
-"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
-"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
-"\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006"
-"\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156"
-"\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013"
-"\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
-"\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157"
-"\156\061\044\060\042\006\003\125\004\003\023\033\124\150\141\167"
-"\164\145\040\120\145\162\163\157\156\141\154\040\106\162\145\145"
-"\155\141\151\154\040\103\101\061\053\060\051\006\011\052\206\110"
-"\206\367\015\001\011\001\026\034\160\145\162\163\157\156\141\154"
-"\055\146\162\145\145\155\141\151\154\100\164\150\141\167\164\145"
-"\056\143\157\155"
-, (PRUint32)212 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_14 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Thawte Server CA", (PRUint32)17 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\304\061\013\060\011\006\003\125\004\006\023\002\132\101"
-"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
-"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
-"\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006"
-"\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156"
-"\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003"
-"\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151"
-"\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151"
-"\163\151\157\156\061\031\060\027\006\003\125\004\003\023\020\124"
-"\150\141\167\164\145\040\123\145\162\166\145\162\040\103\101\061"
-"\046\060\044\006\011\052\206\110\206\367\015\001\011\001\026\027"
-"\163\145\162\166\145\162\055\143\145\162\164\163\100\164\150\141"
-"\167\164\145\056\143\157\155"
-, (PRUint32)199 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\304\061\013\060\011\006\003\125\004\006\023\002\132\101"
-"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
-"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
-"\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006"
-"\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156"
-"\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003"
-"\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151"
-"\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151"
-"\163\151\157\156\061\031\060\027\006\003\125\004\003\023\020\124"
-"\150\141\167\164\145\040\123\145\162\166\145\162\040\103\101\061"
-"\046\060\044\006\011\052\206\110\206\367\015\001\011\001\026\027"
-"\163\145\162\166\145\162\055\143\145\162\164\163\100\164\150\141"
-"\167\164\145\056\143\157\155"
-, (PRUint32)199 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)"\060\202\003\023\060\202\002\174\240\003\002\001\002\002\001\001"
-"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060"
-"\201\304\061\013\060\011\006\003\125\004\006\023\002\132\101\061"
-"\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145\162"
-"\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007\023"
-"\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006\003"
-"\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156\163"
-"\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003\125"
-"\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151\157"
-"\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151\163"
-"\151\157\156\061\031\060\027\006\003\125\004\003\023\020\124\150"
-"\141\167\164\145\040\123\145\162\166\145\162\040\103\101\061\046"
-"\060\044\006\011\052\206\110\206\367\015\001\011\001\026\027\163"
-"\145\162\166\145\162\055\143\145\162\164\163\100\164\150\141\167"
-"\164\145\056\143\157\155\060\036\027\015\071\066\060\070\060\061"
-"\060\060\060\060\060\060\132\027\015\062\060\061\062\063\061\062"
-"\063\065\071\065\071\132\060\201\304\061\013\060\011\006\003\125"
-"\004\006\023\002\132\101\061\025\060\023\006\003\125\004\010\023"
-"\014\127\145\163\164\145\162\156\040\103\141\160\145\061\022\060"
-"\020\006\003\125\004\007\023\011\103\141\160\145\040\124\157\167"
-"\156\061\035\060\033\006\003\125\004\012\023\024\124\150\141\167"
-"\164\145\040\103\157\156\163\165\154\164\151\156\147\040\143\143"
-"\061\050\060\046\006\003\125\004\013\023\037\103\145\162\164\151"
-"\146\151\143\141\164\151\157\156\040\123\145\162\166\151\143\145"
-"\163\040\104\151\166\151\163\151\157\156\061\031\060\027\006\003"
-"\125\004\003\023\020\124\150\141\167\164\145\040\123\145\162\166"
-"\145\162\040\103\101\061\046\060\044\006\011\052\206\110\206\367"
-"\015\001\011\001\026\027\163\145\162\166\145\162\055\143\145\162"
-"\164\163\100\164\150\141\167\164\145\056\143\157\155\060\201\237"
-"\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003"
-"\201\215\000\060\201\211\002\201\201\000\323\244\120\156\310\377"
-"\126\153\346\317\135\266\352\014\150\165\107\242\252\302\332\204"
-"\045\374\250\364\107\121\332\205\265\040\164\224\206\036\017\165"
-"\311\351\010\141\365\006\155\060\156\025\031\002\351\122\300\142"
-"\333\115\231\236\342\152\014\104\070\315\376\276\343\144\011\160"
-"\305\376\261\153\051\266\057\111\310\073\324\047\004\045\020\227"
-"\057\347\220\155\300\050\102\231\327\114\103\336\303\365\041\155"
-"\124\237\135\303\130\341\300\344\331\133\260\270\334\264\173\337"
-"\066\072\302\265\146\042\022\326\207\015\002\003\001\000\001\243"
-"\023\060\021\060\017\006\003\125\035\023\001\001\377\004\005\060"
-"\003\001\001\377\060\015\006\011\052\206\110\206\367\015\001\001"
-"\004\005\000\003\201\201\000\007\372\114\151\134\373\225\314\106"
-"\356\205\203\115\041\060\216\312\331\250\157\111\032\346\332\121"
-"\343\140\160\154\204\141\021\241\032\310\110\076\131\103\175\117"
-"\225\075\241\213\267\013\142\230\172\165\212\335\210\116\116\236"
-"\100\333\250\314\062\164\271\157\015\306\343\263\104\013\331\212"
-"\157\232\051\233\231\030\050\073\321\343\100\050\232\132\074\325"
-"\265\347\040\033\213\312\244\253\215\351\121\331\342\114\054\131"
-"\251\332\271\262\165\033\366\102\362\357\307\362\030\371\211\274"
-"\243\377\212\043\056\160\107"
-, (PRUint32)791 }
-};
-static const NSSItem nss_builtins_items_15 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Thawte Server CA", (PRUint32)17 },
-  { (void *)"\043\345\224\224\121\225\362\101\110\003\264\325\144\322\243\243"
-"\365\330\213\214"
-, (PRUint32)20 },
-  { (void *)"\305\160\304\242\355\123\170\014\310\020\123\201\144\313\320\035"
-, (PRUint32)16 },
-  { (void *)"\060\201\304\061\013\060\011\006\003\125\004\006\023\002\132\101"
-"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
-"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
-"\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006"
-"\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156"
-"\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003"
-"\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151"
-"\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151"
-"\163\151\157\156\061\031\060\027\006\003\125\004\003\023\020\124"
-"\150\141\167\164\145\040\123\145\162\166\145\162\040\103\101\061"
-"\046\060\044\006\011\052\206\110\206\367\015\001\011\001\026\027"
-"\163\145\162\166\145\162\055\143\145\162\164\163\100\164\150\141"
-"\167\164\145\056\143\157\155"
-, (PRUint32)199 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_16 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Thawte Premium Server CA", (PRUint32)25 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101"
-"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
-"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
-"\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006"
-"\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156"
-"\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003"
-"\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151"
-"\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151"
-"\163\151\157\156\061\041\060\037\006\003\125\004\003\023\030\124"
-"\150\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145"
-"\162\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110"
-"\206\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055"
-"\163\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157"
-"\155"
-, (PRUint32)209 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101"
-"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
-"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
-"\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006"
-"\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156"
-"\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003"
-"\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151"
-"\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151"
-"\163\151\157\156\061\041\060\037\006\003\125\004\003\023\030\124"
-"\150\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145"
-"\162\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110"
-"\206\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055"
-"\163\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157"
-"\155"
-, (PRUint32)209 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)"\060\202\003\047\060\202\002\220\240\003\002\001\002\002\001\001"
-"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060"
-"\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101\061"
-"\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145\162"
-"\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007\023"
-"\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006\003"
-"\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156\163"
-"\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003\125"
-"\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151\157"
-"\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151\163"
-"\151\157\156\061\041\060\037\006\003\125\004\003\023\030\124\150"
-"\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145\162"
-"\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110\206"
-"\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055\163"
-"\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157\155"
-"\060\036\027\015\071\066\060\070\060\061\060\060\060\060\060\060"
-"\132\027\015\062\060\061\062\063\061\062\063\065\071\065\071\132"
-"\060\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101"
-"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
-"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
-"\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006"
-"\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156"
-"\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003"
-"\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151"
-"\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151"
-"\163\151\157\156\061\041\060\037\006\003\125\004\003\023\030\124"
-"\150\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145"
-"\162\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110"
-"\206\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055"
-"\163\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157"
-"\155\060\201\237\060\015\006\011\052\206\110\206\367\015\001\001"
-"\001\005\000\003\201\215\000\060\201\211\002\201\201\000\322\066"
-"\066\152\213\327\302\133\236\332\201\101\142\217\070\356\111\004"
-"\125\326\320\357\034\033\225\026\107\357\030\110\065\072\122\364"
-"\053\152\006\217\073\057\352\126\343\257\206\215\236\027\367\236"
-"\264\145\165\002\115\357\313\011\242\041\121\330\233\320\147\320"
-"\272\015\222\006\024\163\324\223\313\227\052\000\234\134\116\014"
-"\274\372\025\122\374\362\104\156\332\021\112\156\010\237\057\055"
-"\343\371\252\072\206\163\266\106\123\130\310\211\005\275\203\021"
-"\270\163\077\252\007\215\364\102\115\347\100\235\034\067\002\003"
-"\001\000\001\243\023\060\021\060\017\006\003\125\035\023\001\001"
-"\377\004\005\060\003\001\001\377\060\015\006\011\052\206\110\206"
-"\367\015\001\001\004\005\000\003\201\201\000\046\110\054\026\302"
-"\130\372\350\026\164\014\252\252\137\124\077\362\327\311\170\140"
-"\136\136\156\067\143\042\167\066\176\262\027\304\064\271\365\010"
-"\205\374\311\001\070\377\115\276\362\026\102\103\347\273\132\106"
-"\373\301\306\021\037\361\112\260\050\106\311\303\304\102\175\274"
-"\372\253\131\156\325\267\121\210\021\343\244\205\031\153\202\114"
-"\244\014\022\255\351\244\256\077\361\303\111\145\232\214\305\310"
-"\076\045\267\224\231\273\222\062\161\007\360\206\136\355\120\047"
-"\246\015\246\043\371\273\313\246\007\024\102"
-, (PRUint32)811 }
-};
-static const NSSItem nss_builtins_items_17 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Thawte Premium Server CA", (PRUint32)25 },
-  { (void *)"\142\177\215\170\047\145\143\231\322\175\177\220\104\311\376\263"
-"\363\076\372\232"
-, (PRUint32)20 },
-  { (void *)"\006\237\151\171\026\146\220\002\033\214\214\242\303\007\157\072"
-, (PRUint32)16 },
-  { (void *)"\060\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101"
-"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
-"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
-"\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006"
-"\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156"
-"\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003"
-"\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151"
-"\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151"
-"\163\151\157\156\061\041\060\037\006\003\125\004\003\023\030\124"
-"\150\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145"
-"\162\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110"
-"\206\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055"
-"\163\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157"
-"\155"
-, (PRUint32)209 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_18 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Equifax Secure CA", (PRUint32)18 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141"
-"\170\061\055\060\053\006\003\125\004\013\023\044\105\161\165\151"
-"\146\141\170\040\123\145\143\165\162\145\040\103\145\162\164\151"
-"\146\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171"
-, (PRUint32)80 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141"
-"\170\061\055\060\053\006\003\125\004\013\023\044\105\161\165\151"
-"\146\141\170\040\123\145\143\165\162\145\040\103\145\162\164\151"
-"\146\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171"
-, (PRUint32)80 },
-  { (void *)"\002\004\065\336\364\317"
-, (PRUint32)6 },
-  { (void *)"\060\202\003\040\060\202\002\211\240\003\002\001\002\002\004\065"
-"\336\364\317\060\015\006\011\052\206\110\206\367\015\001\001\005"
-"\005\000\060\116\061\013\060\011\006\003\125\004\006\023\002\125"
-"\123\061\020\060\016\006\003\125\004\012\023\007\105\161\165\151"
-"\146\141\170\061\055\060\053\006\003\125\004\013\023\044\105\161"
-"\165\151\146\141\170\040\123\145\143\165\162\145\040\103\145\162"
-"\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151"
-"\164\171\060\036\027\015\071\070\060\070\062\062\061\066\064\061"
-"\065\061\132\027\015\061\070\060\070\062\062\061\066\064\061\065"
-"\061\132\060\116\061\013\060\011\006\003\125\004\006\023\002\125"
-"\123\061\020\060\016\006\003\125\004\012\023\007\105\161\165\151"
-"\146\141\170\061\055\060\053\006\003\125\004\013\023\044\105\161"
-"\165\151\146\141\170\040\123\145\143\165\162\145\040\103\145\162"
-"\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151"
-"\164\171\060\201\237\060\015\006\011\052\206\110\206\367\015\001"
-"\001\001\005\000\003\201\215\000\060\201\211\002\201\201\000\301"
-"\135\261\130\147\010\142\356\240\232\055\037\010\155\221\024\150"
-"\230\012\036\376\332\004\157\023\204\142\041\303\321\174\316\237"
-"\005\340\270\001\360\116\064\354\342\212\225\004\144\254\361\153"
-"\123\137\005\263\313\147\200\277\102\002\216\376\335\001\011\354"
-"\341\000\024\117\374\373\360\014\335\103\272\133\053\341\037\200"
-"\160\231\025\127\223\026\361\017\227\152\267\302\150\043\034\314"
-"\115\131\060\254\121\036\073\257\053\326\356\143\105\173\305\331"
-"\137\120\322\343\120\017\072\210\347\277\024\375\340\307\271\002"
-"\003\001\000\001\243\202\001\011\060\202\001\005\060\160\006\003"
-"\125\035\037\004\151\060\147\060\145\240\143\240\141\244\137\060"
-"\135\061\013\060\011\006\003\125\004\006\023\002\125\123\061\020"
-"\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141\170"
-"\061\055\060\053\006\003\125\004\013\023\044\105\161\165\151\146"
-"\141\170\040\123\145\143\165\162\145\040\103\145\162\164\151\146"
-"\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171\061"
-"\015\060\013\006\003\125\004\003\023\004\103\122\114\061\060\032"
-"\006\003\125\035\020\004\023\060\021\201\017\062\060\061\070\060"
-"\070\062\062\061\066\064\061\065\061\132\060\013\006\003\125\035"
-"\017\004\004\003\002\001\006\060\037\006\003\125\035\043\004\030"
-"\060\026\200\024\110\346\150\371\053\322\262\225\327\107\330\043"
-"\040\020\117\063\230\220\237\324\060\035\006\003\125\035\016\004"
-"\026\004\024\110\346\150\371\053\322\262\225\327\107\330\043\040"
-"\020\117\063\230\220\237\324\060\014\006\003\125\035\023\004\005"
-"\060\003\001\001\377\060\032\006\011\052\206\110\206\366\175\007"
-"\101\000\004\015\060\013\033\005\126\063\056\060\143\003\002\006"
-"\300\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000"
-"\003\201\201\000\130\316\051\352\374\367\336\265\316\002\271\027"
-"\265\205\321\271\343\340\225\314\045\061\015\000\246\222\156\177"
-"\266\222\143\236\120\225\321\232\157\344\021\336\143\205\156\230"
-"\356\250\377\132\310\323\125\262\146\161\127\336\300\041\353\075"
-"\052\247\043\111\001\004\206\102\173\374\356\177\242\026\122\265"
-"\147\147\323\100\333\073\046\130\262\050\167\075\256\024\167\141"
-"\326\372\052\146\047\240\015\372\247\163\134\352\160\361\224\041"
-"\145\104\137\372\374\357\051\150\251\242\207\171\357\171\357\117"
-"\254\007\167\070"
-, (PRUint32)804 }
-};
-static const NSSItem nss_builtins_items_19 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Equifax Secure CA", (PRUint32)18 },
-  { (void *)"\322\062\011\255\043\323\024\043\041\164\344\015\177\235\142\023"
-"\227\206\143\072"
-, (PRUint32)20 },
-  { (void *)"\147\313\235\300\023\044\212\202\233\262\027\036\321\033\354\324"
-, (PRUint32)16 },
-  { (void *)"\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141"
-"\170\061\055\060\053\006\003\125\004\013\023\044\105\161\165\151"
-"\146\141\170\040\123\145\143\165\162\145\040\103\145\162\164\151"
-"\146\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171"
-, (PRUint32)80 },
-  { (void *)"\002\004\065\336\364\317"
-, (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_20 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"ABAecom (sub., Am. Bankers Assn.) Root CA", (PRUint32)42 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\211\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\013\060\011\006\003\125\004\010\023\002\104\103\061\023\060"
-"\021\006\003\125\004\007\023\012\127\141\163\150\151\156\147\164"
-"\157\156\061\027\060\025\006\003\125\004\012\023\016\101\102\101"
-"\056\105\103\117\115\054\040\111\116\103\056\061\031\060\027\006"
-"\003\125\004\003\023\020\101\102\101\056\105\103\117\115\040\122"
-"\157\157\164\040\103\101\061\044\060\042\006\011\052\206\110\206"
-"\367\015\001\011\001\026\025\141\144\155\151\156\100\144\151\147"
-"\163\151\147\164\162\165\163\164\056\143\157\155"
-, (PRUint32)140 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\211\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\013\060\011\006\003\125\004\010\023\002\104\103\061\023\060"
-"\021\006\003\125\004\007\023\012\127\141\163\150\151\156\147\164"
-"\157\156\061\027\060\025\006\003\125\004\012\023\016\101\102\101"
-"\056\105\103\117\115\054\040\111\116\103\056\061\031\060\027\006"
-"\003\125\004\003\023\020\101\102\101\056\105\103\117\115\040\122"
-"\157\157\164\040\103\101\061\044\060\042\006\011\052\206\110\206"
-"\367\015\001\011\001\026\025\141\144\155\151\156\100\144\151\147"
-"\163\151\147\164\162\165\163\164\056\143\157\155"
-, (PRUint32)140 },
-  { (void *)"\002\021\000\320\036\100\220\000\000\106\122\000\000\000\001\000"
-"\000\000\004"
-, (PRUint32)19 },
-  { (void *)"\060\202\003\265\060\202\002\235\240\003\002\001\002\002\021\000"
-"\320\036\100\220\000\000\106\122\000\000\000\001\000\000\000\004"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
-"\201\211\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\013\060\011\006\003\125\004\010\023\002\104\103\061\023\060\021"
-"\006\003\125\004\007\023\012\127\141\163\150\151\156\147\164\157"
-"\156\061\027\060\025\006\003\125\004\012\023\016\101\102\101\056"
-"\105\103\117\115\054\040\111\116\103\056\061\031\060\027\006\003"
-"\125\004\003\023\020\101\102\101\056\105\103\117\115\040\122\157"
-"\157\164\040\103\101\061\044\060\042\006\011\052\206\110\206\367"
-"\015\001\011\001\026\025\141\144\155\151\156\100\144\151\147\163"
-"\151\147\164\162\165\163\164\056\143\157\155\060\036\027\015\071"
-"\071\060\067\061\062\061\067\063\063\065\063\132\027\015\060\071"
-"\060\067\060\071\061\067\063\063\065\063\132\060\201\211\061\013"
-"\060\011\006\003\125\004\006\023\002\125\123\061\013\060\011\006"
-"\003\125\004\010\023\002\104\103\061\023\060\021\006\003\125\004"
-"\007\023\012\127\141\163\150\151\156\147\164\157\156\061\027\060"
-"\025\006\003\125\004\012\023\016\101\102\101\056\105\103\117\115"
-"\054\040\111\116\103\056\061\031\060\027\006\003\125\004\003\023"
-"\020\101\102\101\056\105\103\117\115\040\122\157\157\164\040\103"
-"\101\061\044\060\042\006\011\052\206\110\206\367\015\001\011\001"
-"\026\025\141\144\155\151\156\100\144\151\147\163\151\147\164\162"
-"\165\163\164\056\143\157\155\060\202\001\042\060\015\006\011\052"
-"\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000\060"
-"\202\001\012\002\202\001\001\000\261\323\021\340\171\125\103\007"
-"\010\114\313\005\102\000\342\015\203\106\075\344\223\272\266\006"
-"\323\015\131\275\076\301\316\103\147\001\212\041\250\357\274\314"
-"\320\242\314\260\125\226\123\204\146\005\000\332\104\111\200\330"
-"\124\012\245\045\206\224\355\143\126\377\160\154\243\241\031\322"
-"\170\276\150\052\104\136\057\317\314\030\136\107\274\072\261\106"
-"\075\036\360\271\054\064\137\214\174\114\010\051\235\100\125\353"
-"\074\175\203\336\265\360\367\212\203\016\241\114\264\072\245\263"
-"\137\132\042\227\354\031\233\301\005\150\375\346\267\251\221\224"
-"\054\344\170\110\044\032\045\031\072\353\225\234\071\012\212\317"
-"\102\262\360\034\325\137\373\153\355\150\126\173\071\054\162\070"
-"\260\356\223\251\323\173\167\074\353\161\003\251\070\112\026\154"
-"\211\052\312\332\063\023\171\302\125\214\355\234\273\362\313\133"
-"\020\370\056\141\065\306\051\114\052\320\052\143\321\145\131\264"
-"\370\315\371\364\000\204\266\127\102\205\235\062\250\371\052\124"
-"\373\377\170\101\274\275\161\050\364\273\220\274\377\226\064\004"
-"\343\105\236\241\106\050\100\201\002\003\001\000\001\243\026\060"
-"\024\060\022\006\003\125\035\023\001\001\377\004\010\060\006\001"
-"\001\377\002\001\010\060\015\006\011\052\206\110\206\367\015\001"
-"\001\005\005\000\003\202\001\001\000\004\157\045\206\344\346\226"
-"\047\264\331\102\300\320\311\000\261\177\124\076\207\262\155\044"
-"\251\057\012\176\375\244\104\260\370\124\007\275\033\235\235\312"
-"\173\120\044\173\021\133\111\243\246\277\022\164\325\211\267\267"
-"\057\230\144\045\024\267\141\351\177\140\200\153\323\144\350\253"
-"\275\032\326\121\372\300\264\135\167\032\177\144\010\136\171\306"
-"\005\114\361\172\335\115\175\316\346\110\173\124\322\141\222\201"
-"\326\033\326\000\360\016\236\050\167\240\115\210\307\042\166\031"
-"\303\307\236\033\246\167\170\370\137\233\126\321\360\362\027\254"
-"\216\235\131\346\037\376\127\266\331\136\341\135\237\105\354\141"
-"\150\031\101\341\262\040\046\376\132\060\166\044\377\100\162\074"
-"\171\237\174\042\110\253\106\315\333\263\206\054\217\277\005\101"
-"\323\301\343\024\343\101\027\046\320\174\247\161\114\031\350\112"
-"\017\162\130\061\175\354\140\172\243\042\050\275\031\044\140\077"
-"\073\207\163\300\153\344\313\256\267\253\045\103\262\125\055\173"
-"\253\006\016\165\135\064\345\135\163\155\236\262\165\100\245\131"
-"\311\117\061\161\210\331\210\177\124"
-, (PRUint32)953 }
-};
-static const NSSItem nss_builtins_items_21 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"ABAecom (sub., Am. Bankers Assn.) Root CA", (PRUint32)42 },
-  { (void *)"\172\164\101\017\260\315\134\227\052\066\113\161\277\003\035\210"
-"\246\121\016\236"
-, (PRUint32)20 },
-  { (void *)"\101\270\007\367\250\321\011\356\264\232\216\160\115\374\033\170"
-, (PRUint32)16 },
-  { (void *)"\060\201\211\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\013\060\011\006\003\125\004\010\023\002\104\103\061\023\060"
-"\021\006\003\125\004\007\023\012\127\141\163\150\151\156\147\164"
-"\157\156\061\027\060\025\006\003\125\004\012\023\016\101\102\101"
-"\056\105\103\117\115\054\040\111\116\103\056\061\031\060\027\006"
-"\003\125\004\003\023\020\101\102\101\056\105\103\117\115\040\122"
-"\157\157\164\040\103\101\061\044\060\042\006\011\052\206\110\206"
-"\367\015\001\011\001\026\025\141\144\155\151\156\100\144\151\147"
-"\163\151\147\164\162\165\163\164\056\143\157\155"
-, (PRUint32)140 },
-  { (void *)"\002\021\000\320\036\100\220\000\000\106\122\000\000\000\001\000"
-"\000\000\004"
-, (PRUint32)19 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_22 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Digital Signature Trust Co. Global CA 1", (PRUint32)40 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\106\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141"
-"\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163"
-"\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010"
-"\104\123\124\103\101\040\105\061"
-, (PRUint32)72 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\106\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141"
-"\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163"
-"\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010"
-"\104\123\124\103\101\040\105\061"
-, (PRUint32)72 },
-  { (void *)"\002\004\066\160\025\226"
-, (PRUint32)6 },
-  { (void *)"\060\202\003\051\060\202\002\222\240\003\002\001\002\002\004\066"
-"\160\025\226\060\015\006\011\052\206\110\206\367\015\001\001\005"
-"\005\000\060\106\061\013\060\011\006\003\125\004\006\023\002\125"
-"\123\061\044\060\042\006\003\125\004\012\023\033\104\151\147\151"
-"\164\141\154\040\123\151\147\156\141\164\165\162\145\040\124\162"
-"\165\163\164\040\103\157\056\061\021\060\017\006\003\125\004\013"
-"\023\010\104\123\124\103\101\040\105\061\060\036\027\015\071\070"
-"\061\062\061\060\061\070\061\060\062\063\132\027\015\061\070\061"
-"\062\061\060\061\070\064\060\062\063\132\060\106\061\013\060\011"
-"\006\003\125\004\006\023\002\125\123\061\044\060\042\006\003\125"
-"\004\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156"
-"\141\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061"
-"\021\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040"
-"\105\061\060\201\235\060\015\006\011\052\206\110\206\367\015\001"
-"\001\001\005\000\003\201\213\000\060\201\207\002\201\201\000\240"
-"\154\201\251\317\064\036\044\335\376\206\050\314\336\203\057\371"
-"\136\324\102\322\350\164\140\146\023\230\006\034\251\121\022\151"
-"\157\061\125\271\111\162\000\010\176\323\245\142\104\067\044\231"
-"\217\331\203\110\217\231\155\225\023\273\103\073\056\111\116\210"
-"\067\301\273\130\177\376\341\275\370\273\141\315\363\107\300\231"
-"\246\361\363\221\350\170\174\000\313\141\311\104\047\161\151\125"
-"\112\176\111\115\355\242\243\276\002\114\000\312\002\250\356\001"
-"\002\061\144\017\122\055\023\164\166\066\265\172\264\055\161\002"
-"\001\003\243\202\001\044\060\202\001\040\060\021\006\011\140\206"
-"\110\001\206\370\102\001\001\004\004\003\002\000\007\060\150\006"
-"\003\125\035\037\004\141\060\137\060\135\240\133\240\131\244\127"
-"\060\125\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141"
-"\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163"
-"\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010"
-"\104\123\124\103\101\040\105\061\061\015\060\013\006\003\125\004"
-"\003\023\004\103\122\114\061\060\053\006\003\125\035\020\004\044"
-"\060\042\200\017\061\071\071\070\061\062\061\060\061\070\061\060"
-"\062\063\132\201\017\062\060\061\070\061\062\061\060\061\070\061"
-"\060\062\063\132\060\013\006\003\125\035\017\004\004\003\002\001"
-"\006\060\037\006\003\125\035\043\004\030\060\026\200\024\152\171"
-"\176\221\151\106\030\023\012\002\167\245\131\133\140\230\045\016"
-"\242\370\060\035\006\003\125\035\016\004\026\004\024\152\171\176"
-"\221\151\106\030\023\012\002\167\245\131\133\140\230\045\016\242"
-"\370\060\014\006\003\125\035\023\004\005\060\003\001\001\377\060"
-"\031\006\011\052\206\110\206\366\175\007\101\000\004\014\060\012"
-"\033\004\126\064\056\060\003\002\004\220\060\015\006\011\052\206"
-"\110\206\367\015\001\001\005\005\000\003\201\201\000\042\022\330"
-"\172\035\334\201\006\266\011\145\262\207\310\037\136\264\057\351"
-"\304\036\362\074\301\273\004\220\021\112\203\116\176\223\271\115"
-"\102\307\222\046\240\134\064\232\070\162\370\375\153\026\076\040"
-"\356\202\213\061\052\223\066\205\043\210\212\074\003\150\323\311"
-"\011\017\115\374\154\244\332\050\162\223\016\211\200\260\175\376"
-"\200\157\145\155\030\063\227\213\302\153\211\356\140\075\310\233"
-"\357\177\053\062\142\163\223\313\074\343\173\342\166\170\105\274"
-"\241\223\004\273\206\237\072\133\103\172\303\212\145"
-, (PRUint32)813 }
-};
-static const NSSItem nss_builtins_items_23 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Digital Signature Trust Co. Global CA 1", (PRUint32)40 },
-  { (void *)"\201\226\213\072\357\034\334\160\365\372\062\151\302\222\243\143"
-"\133\321\043\323"
-, (PRUint32)20 },
-  { (void *)"\045\172\272\203\056\266\242\013\332\376\365\002\017\010\327\255"
-, (PRUint32)16 },
-  { (void *)"\060\106\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141"
-"\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163"
-"\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010"
-"\104\123\124\103\101\040\105\061"
-, (PRUint32)72 },
-  { (void *)"\002\004\066\160\025\226"
-, (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_24 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Digital Signature Trust Co. Global CA 3", (PRUint32)40 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\106\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141"
-"\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163"
-"\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010"
-"\104\123\124\103\101\040\105\062"
-, (PRUint32)72 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\106\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141"
-"\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163"
-"\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010"
-"\104\123\124\103\101\040\105\062"
-, (PRUint32)72 },
-  { (void *)"\002\004\066\156\323\316"
-, (PRUint32)6 },
-  { (void *)"\060\202\003\051\060\202\002\222\240\003\002\001\002\002\004\066"
-"\156\323\316\060\015\006\011\052\206\110\206\367\015\001\001\005"
-"\005\000\060\106\061\013\060\011\006\003\125\004\006\023\002\125"
-"\123\061\044\060\042\006\003\125\004\012\023\033\104\151\147\151"
-"\164\141\154\040\123\151\147\156\141\164\165\162\145\040\124\162"
-"\165\163\164\040\103\157\056\061\021\060\017\006\003\125\004\013"
-"\023\010\104\123\124\103\101\040\105\062\060\036\027\015\071\070"
-"\061\062\060\071\061\071\061\067\062\066\132\027\015\061\070\061"
-"\062\060\071\061\071\064\067\062\066\132\060\106\061\013\060\011"
-"\006\003\125\004\006\023\002\125\123\061\044\060\042\006\003\125"
-"\004\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156"
-"\141\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061"
-"\021\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040"
-"\105\062\060\201\235\060\015\006\011\052\206\110\206\367\015\001"
-"\001\001\005\000\003\201\213\000\060\201\207\002\201\201\000\277"
-"\223\217\027\222\357\063\023\030\353\020\177\116\026\277\377\006"
-"\217\052\205\274\136\371\044\246\044\210\266\003\267\301\303\137"
-"\003\133\321\157\256\176\102\352\146\043\270\143\203\126\373\050"
-"\055\341\070\213\264\356\250\001\341\316\034\266\210\052\042\106"
-"\205\373\237\247\160\251\107\024\077\316\336\145\360\250\161\367"
-"\117\046\154\214\274\306\265\357\336\111\047\377\110\052\175\350"
-"\115\003\314\307\262\122\306\027\061\023\073\265\115\333\310\304"
-"\366\303\017\044\052\332\014\235\347\221\133\200\315\224\235\002"
-"\001\003\243\202\001\044\060\202\001\040\060\021\006\011\140\206"
-"\110\001\206\370\102\001\001\004\004\003\002\000\007\060\150\006"
-"\003\125\035\037\004\141\060\137\060\135\240\133\240\131\244\127"
-"\060\125\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141"
-"\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163"
-"\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010"
-"\104\123\124\103\101\040\105\062\061\015\060\013\006\003\125\004"
-"\003\023\004\103\122\114\061\060\053\006\003\125\035\020\004\044"
-"\060\042\200\017\061\071\071\070\061\062\060\071\061\071\061\067"
-"\062\066\132\201\017\062\060\061\070\061\062\060\071\061\071\061"
-"\067\062\066\132\060\013\006\003\125\035\017\004\004\003\002\001"
-"\006\060\037\006\003\125\035\043\004\030\060\026\200\024\036\202"
-"\115\050\145\200\074\311\101\156\254\065\056\132\313\336\356\370"
-"\071\133\060\035\006\003\125\035\016\004\026\004\024\036\202\115"
-"\050\145\200\074\311\101\156\254\065\056\132\313\336\356\370\071"
-"\133\060\014\006\003\125\035\023\004\005\060\003\001\001\377\060"
-"\031\006\011\052\206\110\206\366\175\007\101\000\004\014\060\012"
-"\033\004\126\064\056\060\003\002\004\220\060\015\006\011\052\206"
-"\110\206\367\015\001\001\005\005\000\003\201\201\000\107\215\203"
-"\255\142\362\333\260\236\105\042\005\271\242\326\003\016\070\162"
-"\347\236\374\173\346\223\266\232\245\242\224\310\064\035\221\321"
-"\305\327\364\012\045\017\075\170\201\236\017\261\147\304\220\114"
-"\143\335\136\247\342\272\237\365\367\115\245\061\173\234\051\055"
-"\114\376\144\076\354\266\123\376\352\233\355\202\333\164\165\113"
-"\007\171\156\036\330\031\203\163\336\365\076\320\265\336\347\113"
-"\150\175\103\056\052\040\341\176\240\170\104\236\010\365\230\371"
-"\307\177\033\033\326\006\040\002\130\241\303\242\003"
-, (PRUint32)813 }
-};
-static const NSSItem nss_builtins_items_25 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Digital Signature Trust Co. Global CA 3", (PRUint32)40 },
-  { (void *)"\253\110\363\063\333\004\253\271\300\162\332\133\014\301\320\127"
-"\360\066\233\106"
-, (PRUint32)20 },
-  { (void *)"\223\302\216\021\173\324\363\003\031\275\050\165\023\112\105\112"
-, (PRUint32)16 },
-  { (void *)"\060\106\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141"
-"\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163"
-"\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010"
-"\104\123\124\103\101\040\105\062"
-, (PRUint32)72 },
-  { (void *)"\002\004\066\156\323\316"
-, (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_26 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Digital Signature Trust Co. Global CA 2", (PRUint32)40 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\251\061\013\060\011\006\003\125\004\006\023\002\165\163"
-"\061\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061"
-"\027\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114"
-"\141\153\145\040\103\151\164\171\061\044\060\042\006\003\125\004"
-"\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156\141"
-"\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061\021"
-"\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040\130"
-"\061\061\026\060\024\006\003\125\004\003\023\015\104\123\124\040"
-"\122\157\157\164\103\101\040\130\061\061\041\060\037\006\011\052"
-"\206\110\206\367\015\001\011\001\026\022\143\141\100\144\151\147"
-"\163\151\147\164\162\165\163\164\056\143\157\155"
-, (PRUint32)172 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\251\061\013\060\011\006\003\125\004\006\023\002\165\163"
-"\061\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061"
-"\027\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114"
-"\141\153\145\040\103\151\164\171\061\044\060\042\006\003\125\004"
-"\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156\141"
-"\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061\021"
-"\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040\130"
-"\061\061\026\060\024\006\003\125\004\003\023\015\104\123\124\040"
-"\122\157\157\164\103\101\040\130\061\061\041\060\037\006\011\052"
-"\206\110\206\367\015\001\011\001\026\022\143\141\100\144\151\147"
-"\163\151\147\164\162\165\163\164\056\143\157\155"
-, (PRUint32)172 },
-  { (void *)"\002\021\000\320\036\100\213\000\000\002\174\000\000\000\002\000"
-"\000\000\001"
-, (PRUint32)19 },
-  { (void *)"\060\202\003\330\060\202\002\300\002\021\000\320\036\100\213\000"
-"\000\002\174\000\000\000\002\000\000\000\001\060\015\006\011\052"
-"\206\110\206\367\015\001\001\005\005\000\060\201\251\061\013\060"
-"\011\006\003\125\004\006\023\002\165\163\061\015\060\013\006\003"
-"\125\004\010\023\004\125\164\141\150\061\027\060\025\006\003\125"
-"\004\007\023\016\123\141\154\164\040\114\141\153\145\040\103\151"
-"\164\171\061\044\060\042\006\003\125\004\012\023\033\104\151\147"
-"\151\164\141\154\040\123\151\147\156\141\164\165\162\145\040\124"
-"\162\165\163\164\040\103\157\056\061\021\060\017\006\003\125\004"
-"\013\023\010\104\123\124\103\101\040\130\061\061\026\060\024\006"
-"\003\125\004\003\023\015\104\123\124\040\122\157\157\164\103\101"
-"\040\130\061\061\041\060\037\006\011\052\206\110\206\367\015\001"
-"\011\001\026\022\143\141\100\144\151\147\163\151\147\164\162\165"
-"\163\164\056\143\157\155\060\036\027\015\071\070\061\062\060\061"
-"\061\070\061\070\065\065\132\027\015\060\070\061\061\062\070\061"
-"\070\061\070\065\065\132\060\201\251\061\013\060\011\006\003\125"
-"\004\006\023\002\165\163\061\015\060\013\006\003\125\004\010\023"
-"\004\125\164\141\150\061\027\060\025\006\003\125\004\007\023\016"
-"\123\141\154\164\040\114\141\153\145\040\103\151\164\171\061\044"
-"\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141\154"
-"\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163\164"
-"\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010\104"
-"\123\124\103\101\040\130\061\061\026\060\024\006\003\125\004\003"
-"\023\015\104\123\124\040\122\157\157\164\103\101\040\130\061\061"
-"\041\060\037\006\011\052\206\110\206\367\015\001\011\001\026\022"
-"\143\141\100\144\151\147\163\151\147\164\162\165\163\164\056\143"
-"\157\155\060\202\001\042\060\015\006\011\052\206\110\206\367\015"
-"\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202"
-"\001\001\000\322\306\046\266\347\245\075\301\304\150\325\120\157"
-"\123\305\157\111\023\011\270\257\054\110\215\024\152\243\027\137"
-"\132\371\323\056\165\057\330\050\142\321\223\057\374\115\324\253"
-"\207\345\010\307\231\347\222\077\165\275\353\045\264\025\301\233"
-"\031\075\322\104\215\327\164\040\155\067\002\217\151\223\133\212"
-"\304\031\235\364\262\016\374\026\154\271\261\005\222\203\321\205"
-"\054\140\224\076\105\125\240\331\253\010\041\346\140\350\073\164"
-"\362\231\120\121\150\320\003\055\261\200\276\243\330\122\260\104"
-"\315\103\112\160\216\130\205\225\341\116\054\326\055\101\157\326"
-"\204\347\310\230\104\312\107\333\054\044\245\151\046\317\153\270"
-"\047\142\303\364\311\172\222\043\355\023\147\202\256\105\056\105"
-"\345\176\162\077\205\235\224\142\020\346\074\221\241\255\167\000"
-"\340\025\354\363\204\200\162\172\216\156\140\227\307\044\131\020"
-"\064\203\133\341\245\244\151\266\127\065\034\170\131\306\323\057"
-"\072\163\147\356\224\312\004\023\005\142\006\160\043\263\364\174"
-"\356\105\331\144\013\133\111\252\244\103\316\046\304\104\022\154"
-"\270\335\171\002\003\001\000\001\060\015\006\011\052\206\110\206"
-"\367\015\001\001\005\005\000\003\202\001\001\000\242\067\262\077"
-"\151\373\327\206\171\124\111\061\225\063\053\363\321\011\024\111"
-"\142\140\206\245\260\021\342\120\302\035\006\127\076\055\350\063"
-"\144\276\233\252\255\137\033\115\324\231\225\242\213\232\311\142"
-"\162\265\151\352\331\130\253\065\355\025\242\103\326\266\274\007"
-"\171\145\144\163\175\327\171\312\173\325\132\121\306\341\123\004"
-"\226\215\070\317\243\027\254\071\161\153\001\303\213\123\074\143"
-"\351\356\171\300\344\276\222\062\144\172\263\037\227\224\142\275"
-"\352\262\040\025\225\373\227\362\170\057\143\066\100\070\343\106"
-"\017\035\335\254\225\312\347\113\220\173\261\113\251\324\305\353"
-"\232\332\252\325\243\224\024\106\215\055\037\363\072\326\223\072"
-"\366\076\171\374\350\346\260\165\355\356\075\311\160\307\135\252"
-"\201\113\106\045\034\307\154\025\343\225\116\017\252\062\067\224"
-"\012\027\044\222\023\204\130\322\143\157\053\367\346\133\142\013"
-"\023\027\260\015\122\114\376\376\157\134\342\221\156\035\375\244"
-"\142\327\150\372\216\172\117\322\010\332\223\334\360\222\021\172"
-"\320\334\162\223\014\163\223\142\205\150\320\364"
-, (PRUint32)988 }
-};
-static const NSSItem nss_builtins_items_27 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Digital Signature Trust Co. Global CA 2", (PRUint32)40 },
-  { (void *)"\267\057\377\222\322\316\103\336\012\215\114\124\214\120\067\046"
-"\250\036\053\223"
-, (PRUint32)20 },
-  { (void *)"\154\311\247\156\107\361\014\343\123\073\170\114\115\302\152\305"
-, (PRUint32)16 },
-  { (void *)"\060\201\251\061\013\060\011\006\003\125\004\006\023\002\165\163"
-"\061\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061"
-"\027\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114"
-"\141\153\145\040\103\151\164\171\061\044\060\042\006\003\125\004"
-"\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156\141"
-"\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061\021"
-"\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040\130"
-"\061\061\026\060\024\006\003\125\004\003\023\015\104\123\124\040"
-"\122\157\157\164\103\101\040\130\061\061\041\060\037\006\011\052"
-"\206\110\206\367\015\001\011\001\026\022\143\141\100\144\151\147"
-"\163\151\147\164\162\165\163\164\056\143\157\155"
-, (PRUint32)172 },
-  { (void *)"\002\021\000\320\036\100\213\000\000\002\174\000\000\000\002\000"
-"\000\000\001"
-, (PRUint32)19 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_28 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Digital Signature Trust Co. Global CA 4", (PRUint32)40 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\251\061\013\060\011\006\003\125\004\006\023\002\165\163"
-"\061\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061"
-"\027\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114"
-"\141\153\145\040\103\151\164\171\061\044\060\042\006\003\125\004"
-"\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156\141"
-"\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061\021"
-"\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040\130"
-"\062\061\026\060\024\006\003\125\004\003\023\015\104\123\124\040"
-"\122\157\157\164\103\101\040\130\062\061\041\060\037\006\011\052"
-"\206\110\206\367\015\001\011\001\026\022\143\141\100\144\151\147"
-"\163\151\147\164\162\165\163\164\056\143\157\155"
-, (PRUint32)172 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\251\061\013\060\011\006\003\125\004\006\023\002\165\163"
-"\061\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061"
-"\027\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114"
-"\141\153\145\040\103\151\164\171\061\044\060\042\006\003\125\004"
-"\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156\141"
-"\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061\021"
-"\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040\130"
-"\062\061\026\060\024\006\003\125\004\003\023\015\104\123\124\040"
-"\122\157\157\164\103\101\040\130\062\061\041\060\037\006\011\052"
-"\206\110\206\367\015\001\011\001\026\022\143\141\100\144\151\147"
-"\163\151\147\164\162\165\163\164\056\143\157\155"
-, (PRUint32)172 },
-  { (void *)"\002\021\000\320\036\100\213\000\000\167\155\000\000\000\001\000"
-"\000\000\004"
-, (PRUint32)19 },
-  { (void *)"\060\202\003\330\060\202\002\300\002\021\000\320\036\100\213\000"
-"\000\167\155\000\000\000\001\000\000\000\004\060\015\006\011\052"
-"\206\110\206\367\015\001\001\005\005\000\060\201\251\061\013\060"
-"\011\006\003\125\004\006\023\002\165\163\061\015\060\013\006\003"
-"\125\004\010\023\004\125\164\141\150\061\027\060\025\006\003\125"
-"\004\007\023\016\123\141\154\164\040\114\141\153\145\040\103\151"
-"\164\171\061\044\060\042\006\003\125\004\012\023\033\104\151\147"
-"\151\164\141\154\040\123\151\147\156\141\164\165\162\145\040\124"
-"\162\165\163\164\040\103\157\056\061\021\060\017\006\003\125\004"
-"\013\023\010\104\123\124\103\101\040\130\062\061\026\060\024\006"
-"\003\125\004\003\023\015\104\123\124\040\122\157\157\164\103\101"
-"\040\130\062\061\041\060\037\006\011\052\206\110\206\367\015\001"
-"\011\001\026\022\143\141\100\144\151\147\163\151\147\164\162\165"
-"\163\164\056\143\157\155\060\036\027\015\071\070\061\061\063\060"
-"\062\062\064\066\061\066\132\027\015\060\070\061\061\062\067\062"
-"\062\064\066\061\066\132\060\201\251\061\013\060\011\006\003\125"
-"\004\006\023\002\165\163\061\015\060\013\006\003\125\004\010\023"
-"\004\125\164\141\150\061\027\060\025\006\003\125\004\007\023\016"
-"\123\141\154\164\040\114\141\153\145\040\103\151\164\171\061\044"
-"\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141\154"
-"\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163\164"
-"\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010\104"
-"\123\124\103\101\040\130\062\061\026\060\024\006\003\125\004\003"
-"\023\015\104\123\124\040\122\157\157\164\103\101\040\130\062\061"
-"\041\060\037\006\011\052\206\110\206\367\015\001\011\001\026\022"
-"\143\141\100\144\151\147\163\151\147\164\162\165\163\164\056\143"
-"\157\155\060\202\001\042\060\015\006\011\052\206\110\206\367\015"
-"\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202"
-"\001\001\000\334\165\360\214\300\165\226\232\300\142\037\046\367"
-"\304\341\232\352\340\126\163\133\231\315\001\104\250\010\266\325"
-"\247\332\032\004\030\071\222\112\170\243\201\302\365\167\172\120"
-"\264\160\377\232\253\306\307\312\156\203\117\102\230\373\046\013"
-"\332\334\155\326\251\231\125\122\147\351\050\003\222\334\345\260"
-"\005\232\017\025\371\153\131\162\126\362\372\071\374\252\150\356"
-"\017\037\020\203\057\374\235\372\027\226\335\202\343\346\105\175"
-"\300\113\200\104\037\355\054\340\204\375\221\134\222\124\151\045"
-"\345\142\151\334\345\356\000\122\275\063\013\255\165\002\205\247"
-"\144\120\055\305\031\031\060\300\046\333\311\323\375\056\231\255"
-"\131\265\013\115\324\101\256\205\110\103\131\334\267\250\342\242"
-"\336\303\217\327\270\241\142\246\150\120\122\344\317\061\247\224"
-"\205\332\237\106\062\027\126\345\362\353\146\075\022\377\103\333"
-"\230\357\167\317\313\201\215\064\261\306\120\112\046\321\344\076"
-"\101\120\257\154\256\042\064\056\325\153\156\203\272\171\270\166"
-"\145\110\332\011\051\144\143\042\271\373\107\166\205\214\206\104"
-"\313\011\333\002\003\001\000\001\060\015\006\011\052\206\110\206"
-"\367\015\001\001\005\005\000\003\202\001\001\000\265\066\016\135"
-"\341\141\050\132\021\145\300\077\203\003\171\115\276\050\246\013"
-"\007\002\122\205\315\370\221\320\020\154\265\152\040\133\034\220"
-"\331\060\074\306\110\236\212\136\144\371\241\161\167\357\004\047"
-"\037\007\353\344\046\367\163\164\311\104\030\032\146\323\340\103"
-"\257\221\073\321\313\054\330\164\124\072\034\115\312\324\150\315"
-"\043\174\035\020\236\105\351\366\000\156\246\315\031\377\117\054"
-"\051\217\127\115\304\167\222\276\340\114\011\373\135\104\206\146"
-"\041\250\271\062\242\126\325\351\214\203\174\131\077\304\361\013"
-"\347\235\354\236\275\234\030\016\076\302\071\171\050\267\003\015"
-"\010\313\306\347\331\001\067\120\020\354\314\141\026\100\324\257"
-"\061\164\173\374\077\061\247\320\107\163\063\071\033\314\116\152"
-"\327\111\203\021\006\376\353\202\130\063\062\114\360\126\254\036"
-"\234\057\126\232\173\301\112\034\245\375\125\066\316\374\226\115"
-"\364\260\360\354\267\154\202\355\057\061\231\102\114\251\262\015"
-"\270\025\135\361\337\272\311\265\112\324\144\230\263\046\251\060"
-"\310\375\246\354\253\226\041\255\177\302\170\266"
-, (PRUint32)988 }
-};
-static const NSSItem nss_builtins_items_29 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Digital Signature Trust Co. Global CA 4", (PRUint32)40 },
-  { (void *)"\147\353\063\173\150\114\353\016\302\260\166\012\264\210\047\214"
-"\335\225\227\335"
-, (PRUint32)20 },
-  { (void *)"\315\073\075\142\133\011\270\011\066\207\236\022\057\161\144\272"
-, (PRUint32)16 },
-  { (void *)"\060\201\251\061\013\060\011\006\003\125\004\006\023\002\165\163"
-"\061\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061"
-"\027\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114"
-"\141\153\145\040\103\151\164\171\061\044\060\042\006\003\125\004"
-"\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156\141"
-"\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061\021"
-"\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040\130"
-"\062\061\026\060\024\006\003\125\004\003\023\015\104\123\124\040"
-"\122\157\157\164\103\101\040\130\062\061\041\060\037\006\011\052"
-"\206\110\206\367\015\001\011\001\026\022\143\141\100\144\151\147"
-"\163\151\147\164\162\165\163\164\056\143\157\155"
-, (PRUint32)172 },
-  { (void *)"\002\021\000\320\036\100\213\000\000\167\155\000\000\000\001\000"
-"\000\000\004"
-, (PRUint32)19 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_30 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Class 1 Public Primary Certification Authority", (PRUint32)56 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151"
-"\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004"
-"\013\023\056\103\154\141\163\163\040\061\040\120\165\142\154\151"
-"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
-"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171"
-, (PRUint32)97 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151"
-"\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004"
-"\013\023\056\103\154\141\163\163\040\061\040\120\165\142\154\151"
-"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
-"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171"
-, (PRUint32)97 },
-  { (void *)"\002\021\000\315\272\177\126\360\337\344\274\124\376\042\254\263"
-"\162\252\125"
-, (PRUint32)19 },
-  { (void *)"\060\202\002\075\060\202\001\246\002\021\000\315\272\177\126\360"
-"\337\344\274\124\376\042\254\263\162\252\125\060\015\006\011\052"
-"\206\110\206\367\015\001\001\002\005\000\060\137\061\013\060\011"
-"\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125"
-"\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156"
-"\143\056\061\067\060\065\006\003\125\004\013\023\056\103\154\141"
-"\163\163\040\061\040\120\165\142\154\151\143\040\120\162\151\155"
-"\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157"
-"\156\040\101\165\164\150\157\162\151\164\171\060\036\027\015\071"
-"\066\060\061\062\071\060\060\060\060\060\060\132\027\015\062\070"
-"\060\070\060\061\062\063\065\071\065\071\132\060\137\061\013\060"
-"\011\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003"
-"\125\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111"
-"\156\143\056\061\067\060\065\006\003\125\004\013\023\056\103\154"
-"\141\163\163\040\061\040\120\165\142\154\151\143\040\120\162\151"
-"\155\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151"
-"\157\156\040\101\165\164\150\157\162\151\164\171\060\201\237\060"
-"\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201"
-"\215\000\060\201\211\002\201\201\000\345\031\277\155\243\126\141"
-"\055\231\110\161\366\147\336\271\215\353\267\236\206\200\012\221"
-"\016\372\070\045\257\106\210\202\345\163\250\240\233\044\135\015"
-"\037\314\145\156\014\260\320\126\204\030\207\232\006\233\020\241"
-"\163\337\264\130\071\153\156\301\366\025\325\250\250\077\252\022"
-"\006\215\061\254\177\260\064\327\217\064\147\210\011\315\024\021"
-"\342\116\105\126\151\037\170\002\200\332\334\107\221\051\273\066"
-"\311\143\134\305\340\327\055\207\173\241\267\062\260\173\060\272"
-"\052\057\061\252\356\243\147\332\333\002\003\001\000\001\060\015"
-"\006\011\052\206\110\206\367\015\001\001\002\005\000\003\201\201"
-"\000\114\077\270\213\306\150\337\356\103\063\016\135\351\246\313"
-"\007\204\115\172\063\377\222\033\364\066\255\330\225\042\066\150"
-"\021\154\174\102\314\363\234\056\304\007\077\024\260\017\117\377"
-"\220\222\166\371\342\274\112\351\217\315\240\200\012\367\305\051"
-"\361\202\042\135\270\261\335\201\043\243\173\045\025\106\060\171"
-"\026\370\352\005\113\224\177\035\302\034\310\343\267\364\020\100"
-"\074\023\303\137\037\123\350\110\344\206\264\173\241\065\260\173"
-"\045\272\270\323\216\253\077\070\235\000\064\000\230\363\321\161"
-"\224"
-, (PRUint32)577 }
-};
-static const NSSItem nss_builtins_items_31 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Class 1 Public Primary Certification Authority", (PRUint32)56 },
-  { (void *)"\220\256\242\151\205\377\024\200\114\103\111\122\354\351\140\204"
-"\167\257\125\157"
-, (PRUint32)20 },
-  { (void *)"\227\140\350\127\137\323\120\107\345\103\014\224\066\212\260\142"
-, (PRUint32)16 },
-  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151"
-"\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004"
-"\013\023\056\103\154\141\163\163\040\061\040\120\165\142\154\151"
-"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
-"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171"
-, (PRUint32)97 },
-  { (void *)"\002\021\000\315\272\177\126\360\337\344\274\124\376\042\254\263"
-"\162\252\125"
-, (PRUint32)19 },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_32 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Class 2 Public Primary Certification Authority", (PRUint32)56 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151"
-"\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004"
-"\013\023\056\103\154\141\163\163\040\062\040\120\165\142\154\151"
-"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
-"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171"
-, (PRUint32)97 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151"
-"\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004"
-"\013\023\056\103\154\141\163\163\040\062\040\120\165\142\154\151"
-"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
-"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171"
-, (PRUint32)97 },
-  { (void *)"\002\020\055\033\374\112\027\215\243\221\353\347\377\365\213\105"
-"\276\013"
-, (PRUint32)18 },
-  { (void *)"\060\202\002\074\060\202\001\245\002\020\055\033\374\112\027\215"
-"\243\221\353\347\377\365\213\105\276\013\060\015\006\011\052\206"
-"\110\206\367\015\001\001\002\005\000\060\137\061\013\060\011\006"
-"\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125\004"
-"\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156\143"
-"\056\061\067\060\065\006\003\125\004\013\023\056\103\154\141\163"
-"\163\040\062\040\120\165\142\154\151\143\040\120\162\151\155\141"
-"\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157\156"
-"\040\101\165\164\150\157\162\151\164\171\060\036\027\015\071\066"
-"\060\061\062\071\060\060\060\060\060\060\132\027\015\062\070\060"
-"\070\060\061\062\063\065\071\065\071\132\060\137\061\013\060\011"
-"\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125"
-"\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156"
-"\143\056\061\067\060\065\006\003\125\004\013\023\056\103\154\141"
-"\163\163\040\062\040\120\165\142\154\151\143\040\120\162\151\155"
-"\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157"
-"\156\040\101\165\164\150\157\162\151\164\171\060\201\237\060\015"
-"\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215"
-"\000\060\201\211\002\201\201\000\266\132\213\243\015\152\043\203"
-"\200\153\317\071\207\364\041\023\063\006\114\045\242\355\125\022"
-"\227\305\247\200\271\372\203\301\040\240\372\057\025\015\174\241"
-"\140\153\176\171\054\372\006\017\072\256\366\033\157\261\322\377"
-"\057\050\122\137\203\175\113\304\172\267\370\146\037\200\124\374"
-"\267\302\216\131\112\024\127\106\321\232\223\276\101\221\003\273"
-"\025\200\223\134\353\347\314\010\154\077\076\263\112\374\377\113"
-"\154\043\325\120\202\046\104\031\216\043\303\161\352\031\044\107"
-"\004\236\165\277\310\246\000\037\002\003\001\000\001\060\015\006"
-"\011\052\206\110\206\367\015\001\001\002\005\000\003\201\201\000"
-"\212\033\053\372\071\301\164\327\136\330\031\144\242\130\112\055"
-"\067\340\063\107\017\254\355\367\252\333\036\344\213\006\134\140"
-"\047\312\105\122\316\026\357\077\006\144\347\224\150\174\140\063"
-"\025\021\151\257\235\142\215\243\003\124\153\246\276\345\356\005"
-"\030\140\004\277\102\200\375\320\250\250\036\001\073\367\243\134"
-"\257\243\334\346\046\200\043\074\270\104\164\367\012\256\111\213"
-"\141\170\314\044\277\210\212\247\016\352\163\031\101\375\115\003"
-"\360\210\321\345\170\215\245\052\117\366\227\015\027\167\312\330"
-, (PRUint32)576 }
-};
-static const NSSItem nss_builtins_items_33 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Class 2 Public Primary Certification Authority", (PRUint32)56 },
-  { (void *)"\147\202\252\340\355\356\342\032\130\071\323\300\315\024\150\012"
-"\117\140\024\052"
-, (PRUint32)20 },
-  { (void *)"\263\234\045\261\303\056\062\123\200\025\060\235\115\002\167\076"
-, (PRUint32)16 },
-  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151"
-"\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004"
-"\013\023\056\103\154\141\163\163\040\062\040\120\165\142\154\151"
-"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
-"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171"
-, (PRUint32)97 },
-  { (void *)"\002\020\055\033\374\112\027\215\243\221\353\347\377\365\213\105"
-"\276\013"
-, (PRUint32)18 },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_34 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Class 3 Public Primary Certification Authority", (PRUint32)56 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151"
-"\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004"
-"\013\023\056\103\154\141\163\163\040\063\040\120\165\142\154\151"
-"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
-"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171"
-, (PRUint32)97 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151"
-"\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004"
-"\013\023\056\103\154\141\163\163\040\063\040\120\165\142\154\151"
-"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
-"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171"
-, (PRUint32)97 },
-  { (void *)"\002\020\160\272\344\035\020\331\051\064\266\070\312\173\003\314"
-"\272\277"
-, (PRUint32)18 },
-  { (void *)"\060\202\002\074\060\202\001\245\002\020\160\272\344\035\020\331"
-"\051\064\266\070\312\173\003\314\272\277\060\015\006\011\052\206"
-"\110\206\367\015\001\001\002\005\000\060\137\061\013\060\011\006"
-"\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125\004"
-"\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156\143"
-"\056\061\067\060\065\006\003\125\004\013\023\056\103\154\141\163"
-"\163\040\063\040\120\165\142\154\151\143\040\120\162\151\155\141"
-"\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157\156"
-"\040\101\165\164\150\157\162\151\164\171\060\036\027\015\071\066"
-"\060\061\062\071\060\060\060\060\060\060\132\027\015\062\070\060"
-"\070\060\061\062\063\065\071\065\071\132\060\137\061\013\060\011"
-"\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125"
-"\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156"
-"\143\056\061\067\060\065\006\003\125\004\013\023\056\103\154\141"
-"\163\163\040\063\040\120\165\142\154\151\143\040\120\162\151\155"
-"\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157"
-"\156\040\101\165\164\150\157\162\151\164\171\060\201\237\060\015"
-"\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215"
-"\000\060\201\211\002\201\201\000\311\134\131\236\362\033\212\001"
-"\024\264\020\337\004\100\333\343\127\257\152\105\100\217\204\014"
-"\013\321\063\331\331\021\317\356\002\130\037\045\367\052\250\104"
-"\005\252\354\003\037\170\177\236\223\271\232\000\252\043\175\326"
-"\254\205\242\143\105\307\162\047\314\364\114\306\165\161\322\071"
-"\357\117\102\360\165\337\012\220\306\216\040\157\230\017\370\254"
-"\043\137\160\051\066\244\311\206\347\261\232\040\313\123\245\205"
-"\347\075\276\175\232\376\044\105\063\334\166\025\355\017\242\161"
-"\144\114\145\056\201\150\105\247\002\003\001\000\001\060\015\006"
-"\011\052\206\110\206\367\015\001\001\002\005\000\003\201\201\000"
-"\273\114\022\053\317\054\046\000\117\024\023\335\246\373\374\012"
-"\021\204\214\363\050\034\147\222\057\174\266\305\372\337\360\350"
-"\225\274\035\217\154\054\250\121\314\163\330\244\300\123\360\116"
-"\326\046\300\166\001\127\201\222\136\041\361\321\261\377\347\320"
-"\041\130\315\151\027\343\104\034\234\031\104\071\211\134\334\234"
-"\000\017\126\215\002\231\355\242\220\105\114\344\273\020\244\075"
-"\360\062\003\016\361\316\370\350\311\121\214\346\142\237\346\237"
-"\300\175\267\162\234\311\066\072\153\237\116\250\377\144\015\144"
-, (PRUint32)576 }
-};
-static const NSSItem nss_builtins_items_35 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Class 3 Public Primary Certification Authority", (PRUint32)56 },
-  { (void *)"\164\054\061\222\346\007\344\044\353\105\111\124\053\341\273\305"
-"\076\141\164\342"
-, (PRUint32)20 },
-  { (void *)"\020\374\143\135\366\046\076\015\363\045\276\137\171\315\147\147"
-, (PRUint32)16 },
-  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151"
-"\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004"
-"\013\023\056\103\154\141\163\163\040\063\040\120\165\142\154\151"
-"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
-"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171"
-, (PRUint32)97 },
-  { (void *)"\002\020\160\272\344\035\020\331\051\064\266\070\312\173\003\314"
-"\272\277"
-, (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_36 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Class 1 Public Primary Certification Authority - G2", (PRUint32)61 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125"
-"\004\013\023\063\103\154\141\163\163\040\061\040\120\165\142\154"
-"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
-"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
-"\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013"
-"\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040"
-"\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
-"\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
-"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
-"\167\157\162\153"
-, (PRUint32)196 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125"
-"\004\013\023\063\103\154\141\163\163\040\061\040\120\165\142\154"
-"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
-"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
-"\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013"
-"\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040"
-"\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
-"\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
-"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
-"\167\157\162\153"
-, (PRUint32)196 },
-  { (void *)"\002\020\114\307\352\252\230\076\161\323\223\020\370\075\072\211"
-"\221\222"
-, (PRUint32)18 },
-  { (void *)"\060\202\003\002\060\202\002\153\002\020\114\307\352\252\230\076"
-"\161\323\223\020\370\075\072\211\221\222\060\015\006\011\052\206"
-"\110\206\367\015\001\001\005\005\000\060\201\301\061\013\060\011"
-"\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125"
-"\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156"
-"\143\056\061\074\060\072\006\003\125\004\013\023\063\103\154\141"
-"\163\163\040\061\040\120\165\142\154\151\143\040\120\162\151\155"
-"\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157"
-"\156\040\101\165\164\150\157\162\151\164\171\040\055\040\107\062"
-"\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040\061"
-"\071\071\070\040\126\145\162\151\123\151\147\156\054\040\111\156"
-"\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162\151"
-"\172\145\144\040\165\163\145\040\157\156\154\171\061\037\060\035"
-"\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040"
-"\124\162\165\163\164\040\116\145\164\167\157\162\153\060\036\027"
-"\015\071\070\060\065\061\070\060\060\060\060\060\060\132\027\015"
-"\062\070\060\070\060\061\062\063\065\071\065\071\132\060\201\301"
-"\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027\060"
-"\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147\156"
-"\054\040\111\156\143\056\061\074\060\072\006\003\125\004\013\023"
-"\063\103\154\141\163\163\040\061\040\120\165\142\154\151\143\040"
-"\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143"
-"\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040"
-"\055\040\107\062\061\072\060\070\006\003\125\004\013\023\061\050"
-"\143\051\040\061\071\071\070\040\126\145\162\151\123\151\147\156"
-"\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165\164"
-"\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171"
-"\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151\123"
-"\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157\162"
-"\153\060\201\237\060\015\006\011\052\206\110\206\367\015\001\001"
-"\001\005\000\003\201\215\000\060\201\211\002\201\201\000\252\320"
-"\272\276\026\055\270\203\324\312\322\017\274\166\061\312\224\330"
-"\035\223\214\126\002\274\331\157\032\157\122\066\156\165\126\012"
-"\125\323\337\103\207\041\021\145\212\176\217\275\041\336\153\062"
-"\077\033\204\064\225\005\235\101\065\353\222\353\226\335\252\131"
-"\077\001\123\155\231\117\355\345\342\052\132\220\301\271\304\246"
-"\025\317\310\105\353\246\135\216\234\076\360\144\044\166\245\315"
-"\253\032\157\266\330\173\121\141\156\246\177\207\310\342\267\345"
-"\064\334\101\210\352\011\100\276\163\222\075\153\347\165\002\003"
-"\001\000\001\060\015\006\011\052\206\110\206\367\015\001\001\005"
-"\005\000\003\201\201\000\251\117\303\015\307\147\276\054\313\331"
-"\250\315\055\165\347\176\025\236\073\162\353\176\353\134\055\011"
-"\207\326\153\155\140\174\345\256\305\220\043\014\134\112\320\257"
-"\261\135\363\307\266\012\333\340\025\223\015\335\003\274\307\166"
-"\212\265\335\117\303\233\023\165\270\001\300\346\311\133\153\245"
-"\270\211\334\254\244\335\162\355\116\241\367\117\274\006\323\352"
-"\310\144\164\173\302\225\101\234\145\163\130\361\220\232\074\152"
-"\261\230\311\304\207\274\317\105\155\105\342\156\042\077\376\274"
-"\017\061\134\350\362\331"
-, (PRUint32)774 }
-};
-static const NSSItem nss_builtins_items_37 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Class 1 Public Primary Certification Authority - G2", (PRUint32)61 },
-  { (void *)"\047\076\341\044\127\375\304\371\014\125\350\053\126\026\177\142"
-"\365\062\345\107"
-, (PRUint32)20 },
-  { (void *)"\333\043\075\371\151\372\113\271\225\200\104\163\136\175\101\203"
-, (PRUint32)16 },
-  { (void *)"\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125"
-"\004\013\023\063\103\154\141\163\163\040\061\040\120\165\142\154"
-"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
-"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
-"\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013"
-"\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040"
-"\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
-"\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
-"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
-"\167\157\162\153"
-, (PRUint32)196 },
-  { (void *)"\002\020\114\307\352\252\230\076\161\323\223\020\370\075\072\211"
-"\221\222"
-, (PRUint32)18 },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_38 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Class 2 Public Primary Certification Authority - G2", (PRUint32)61 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125"
-"\004\013\023\063\103\154\141\163\163\040\062\040\120\165\142\154"
-"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
-"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
-"\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013"
-"\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040"
-"\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
-"\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
-"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
-"\167\157\162\153"
-, (PRUint32)196 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125"
-"\004\013\023\063\103\154\141\163\163\040\062\040\120\165\142\154"
-"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
-"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
-"\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013"
-"\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040"
-"\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
-"\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
-"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
-"\167\157\162\153"
-, (PRUint32)196 },
-  { (void *)"\002\021\000\271\057\140\314\210\237\241\172\106\011\270\133\160"
-"\154\212\257"
-, (PRUint32)19 },
-  { (void *)"\060\202\003\003\060\202\002\154\002\021\000\271\057\140\314\210"
-"\237\241\172\106\011\270\133\160\154\212\257\060\015\006\011\052"
-"\206\110\206\367\015\001\001\005\005\000\060\201\301\061\013\060"
-"\011\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003"
-"\125\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111"
-"\156\143\056\061\074\060\072\006\003\125\004\013\023\063\103\154"
-"\141\163\163\040\062\040\120\165\142\154\151\143\040\120\162\151"
-"\155\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151"
-"\157\156\040\101\165\164\150\157\162\151\164\171\040\055\040\107"
-"\062\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040"
-"\061\071\071\070\040\126\145\162\151\123\151\147\156\054\040\111"
-"\156\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162"
-"\151\172\145\144\040\165\163\145\040\157\156\154\171\061\037\060"
-"\035\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156"
-"\040\124\162\165\163\164\040\116\145\164\167\157\162\153\060\036"
-"\027\015\071\070\060\065\061\070\060\060\060\060\060\060\132\027"
-"\015\062\070\060\070\060\061\062\063\065\071\065\071\132\060\201"
-"\301\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027"
-"\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147"
-"\156\054\040\111\156\143\056\061\074\060\072\006\003\125\004\013"
-"\023\063\103\154\141\163\163\040\062\040\120\165\142\154\151\143"
-"\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151"
-"\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171"
-"\040\055\040\107\062\061\072\060\070\006\003\125\004\013\023\061"
-"\050\143\051\040\061\071\071\070\040\126\145\162\151\123\151\147"
-"\156\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165"
-"\164\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154"
-"\171\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151"
-"\123\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157"
-"\162\153\060\201\237\060\015\006\011\052\206\110\206\367\015\001"
-"\001\001\005\000\003\201\215\000\060\201\211\002\201\201\000\247"
-"\210\001\041\164\054\347\032\003\360\230\341\227\074\017\041\010"
-"\361\234\333\227\351\232\374\302\004\006\023\276\137\122\310\314"
-"\036\054\022\126\054\270\001\151\054\314\231\037\255\260\226\256"
-"\171\004\362\023\071\301\173\230\272\010\054\350\302\204\023\054"
-"\252\151\351\011\364\307\251\002\244\102\302\043\117\112\330\360"
-"\016\242\373\061\154\311\346\157\231\047\007\365\346\364\114\170"
-"\236\155\353\106\206\372\271\206\311\124\362\262\304\257\324\106"
-"\034\132\311\025\060\377\015\154\365\055\016\155\316\177\167\002"
-"\003\001\000\001\060\015\006\011\052\206\110\206\367\015\001\001"
-"\005\005\000\003\201\201\000\162\056\371\177\321\361\161\373\304"
-"\236\366\305\136\121\212\100\230\270\150\370\233\034\203\330\342"
-"\235\275\377\355\241\346\146\352\057\011\364\312\327\352\245\053"
-"\225\366\044\140\206\115\104\056\203\245\304\055\240\323\256\170"
-"\151\157\162\332\154\256\010\360\143\222\067\346\273\304\060\027"
-"\255\167\314\111\065\252\317\330\217\321\276\267\030\226\107\163"
-"\152\124\042\064\144\055\266\026\233\131\133\264\121\131\072\263"
-"\013\024\364\022\337\147\240\364\255\062\144\136\261\106\162\047"
-"\214\022\173\305\104\264\256"
-, (PRUint32)775 }
-};
-static const NSSItem nss_builtins_items_39 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Class 2 Public Primary Certification Authority - G2", (PRUint32)61 },
-  { (void *)"\263\352\304\107\166\311\310\034\352\362\235\225\266\314\240\010"
-"\033\147\354\235"
-, (PRUint32)20 },
-  { (void *)"\055\273\345\045\323\321\145\202\072\267\016\372\346\353\342\341"
-, (PRUint32)16 },
-  { (void *)"\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125"
-"\004\013\023\063\103\154\141\163\163\040\062\040\120\165\142\154"
-"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
-"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
-"\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013"
-"\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040"
-"\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
-"\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
-"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
-"\167\157\162\153"
-, (PRUint32)196 },
-  { (void *)"\002\021\000\271\057\140\314\210\237\241\172\106\011\270\133\160"
-"\154\212\257"
-, (PRUint32)19 },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_40 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Class 3 Public Primary Certification Authority - G2", (PRUint32)61 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125"
-"\004\013\023\063\103\154\141\163\163\040\063\040\120\165\142\154"
-"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
-"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
-"\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013"
-"\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040"
-"\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
-"\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
-"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
-"\167\157\162\153"
-, (PRUint32)196 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125"
-"\004\013\023\063\103\154\141\163\163\040\063\040\120\165\142\154"
-"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
-"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
-"\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013"
-"\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040"
-"\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
-"\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
-"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
-"\167\157\162\153"
-, (PRUint32)196 },
-  { (void *)"\002\020\175\331\376\007\317\250\036\267\020\171\147\373\247\211"
-"\064\306"
-, (PRUint32)18 },
-  { (void *)"\060\202\003\002\060\202\002\153\002\020\175\331\376\007\317\250"
-"\036\267\020\171\147\373\247\211\064\306\060\015\006\011\052\206"
-"\110\206\367\015\001\001\005\005\000\060\201\301\061\013\060\011"
-"\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125"
-"\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156"
-"\143\056\061\074\060\072\006\003\125\004\013\023\063\103\154\141"
-"\163\163\040\063\040\120\165\142\154\151\143\040\120\162\151\155"
-"\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157"
-"\156\040\101\165\164\150\157\162\151\164\171\040\055\040\107\062"
-"\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040\061"
-"\071\071\070\040\126\145\162\151\123\151\147\156\054\040\111\156"
-"\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162\151"
-"\172\145\144\040\165\163\145\040\157\156\154\171\061\037\060\035"
-"\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040"
-"\124\162\165\163\164\040\116\145\164\167\157\162\153\060\036\027"
-"\015\071\070\060\065\061\070\060\060\060\060\060\060\132\027\015"
-"\062\070\060\070\060\061\062\063\065\071\065\071\132\060\201\301"
-"\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027\060"
-"\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147\156"
-"\054\040\111\156\143\056\061\074\060\072\006\003\125\004\013\023"
-"\063\103\154\141\163\163\040\063\040\120\165\142\154\151\143\040"
-"\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143"
-"\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040"
-"\055\040\107\062\061\072\060\070\006\003\125\004\013\023\061\050"
-"\143\051\040\061\071\071\070\040\126\145\162\151\123\151\147\156"
-"\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165\164"
-"\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171"
-"\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151\123"
-"\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157\162"
-"\153\060\201\237\060\015\006\011\052\206\110\206\367\015\001\001"
-"\001\005\000\003\201\215\000\060\201\211\002\201\201\000\314\136"
-"\321\021\135\134\151\320\253\323\271\152\114\231\037\131\230\060"
-"\216\026\205\040\106\155\107\077\324\205\040\204\341\155\263\370"
-"\244\355\014\361\027\017\073\371\247\371\045\327\301\317\204\143"
-"\362\174\143\317\242\107\362\306\133\063\216\144\100\004\150\301"
-"\200\271\144\034\105\167\307\330\156\365\225\051\074\120\350\064"
-"\327\170\037\250\272\155\103\221\225\217\105\127\136\176\305\373"
-"\312\244\004\353\352\227\067\124\060\157\273\001\107\062\063\315"
-"\334\127\233\144\151\141\370\233\035\034\211\117\134\147\002\003"
-"\001\000\001\060\015\006\011\052\206\110\206\367\015\001\001\005"
-"\005\000\003\201\201\000\121\115\315\276\134\313\230\031\234\025"
-"\262\001\071\170\056\115\017\147\160\160\231\306\020\132\224\244"
-"\123\115\124\155\053\257\015\135\100\213\144\323\327\356\336\126"
-"\141\222\137\246\304\035\020\141\066\323\054\047\074\350\051\011"
-"\271\021\144\164\314\265\163\237\034\110\251\274\141\001\356\342"
-"\027\246\014\343\100\010\073\016\347\353\104\163\052\232\361\151"
-"\222\357\161\024\303\071\254\161\247\221\011\157\344\161\006\263"
-"\272\131\127\046\171\000\366\370\015\242\063\060\050\324\252\130"
-"\240\235\235\151\221\375"
-, (PRUint32)774 }
-};
-static const NSSItem nss_builtins_items_41 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Class 3 Public Primary Certification Authority - G2", (PRUint32)61 },
-  { (void *)"\205\067\034\246\345\120\024\075\316\050\003\107\033\336\072\011"
-"\350\370\167\017"
-, (PRUint32)20 },
-  { (void *)"\242\063\233\114\164\170\163\324\154\347\301\363\215\313\134\351"
-, (PRUint32)16 },
-  { (void *)"\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125"
-"\004\013\023\063\103\154\141\163\163\040\063\040\120\165\142\154"
-"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
-"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
-"\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013"
-"\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040"
-"\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
-"\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
-"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
-"\167\157\162\153"
-, (PRUint32)196 },
-  { (void *)"\002\020\175\331\376\007\317\250\036\267\020\171\147\373\247\211"
-"\064\306"
-, (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_42 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Class 4 Public Primary Certification Authority - G2", (PRUint32)61 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125"
-"\004\013\023\063\103\154\141\163\163\040\064\040\120\165\142\154"
-"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
-"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
-"\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013"
-"\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040"
-"\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
-"\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
-"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
-"\167\157\162\153"
-, (PRUint32)196 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125"
-"\004\013\023\063\103\154\141\163\163\040\064\040\120\165\142\154"
-"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
-"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
-"\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013"
-"\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040"
-"\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
-"\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
-"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
-"\167\157\162\153"
-, (PRUint32)196 },
-  { (void *)"\002\020\062\210\216\232\322\365\353\023\107\370\177\304\040\067"
-"\045\370"
-, (PRUint32)18 },
-  { (void *)"\060\202\003\002\060\202\002\153\002\020\062\210\216\232\322\365"
-"\353\023\107\370\177\304\040\067\045\370\060\015\006\011\052\206"
-"\110\206\367\015\001\001\005\005\000\060\201\301\061\013\060\011"
-"\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125"
-"\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156"
-"\143\056\061\074\060\072\006\003\125\004\013\023\063\103\154\141"
-"\163\163\040\064\040\120\165\142\154\151\143\040\120\162\151\155"
-"\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157"
-"\156\040\101\165\164\150\157\162\151\164\171\040\055\040\107\062"
-"\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040\061"
-"\071\071\070\040\126\145\162\151\123\151\147\156\054\040\111\156"
-"\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162\151"
-"\172\145\144\040\165\163\145\040\157\156\154\171\061\037\060\035"
-"\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040"
-"\124\162\165\163\164\040\116\145\164\167\157\162\153\060\036\027"
-"\015\071\070\060\065\061\070\060\060\060\060\060\060\132\027\015"
-"\062\070\060\070\060\061\062\063\065\071\065\071\132\060\201\301"
-"\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027\060"
-"\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147\156"
-"\054\040\111\156\143\056\061\074\060\072\006\003\125\004\013\023"
-"\063\103\154\141\163\163\040\064\040\120\165\142\154\151\143\040"
-"\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143"
-"\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040"
-"\055\040\107\062\061\072\060\070\006\003\125\004\013\023\061\050"
-"\143\051\040\061\071\071\070\040\126\145\162\151\123\151\147\156"
-"\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165\164"
-"\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171"
-"\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151\123"
-"\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157\162"
-"\153\060\201\237\060\015\006\011\052\206\110\206\367\015\001\001"
-"\001\005\000\003\201\215\000\060\201\211\002\201\201\000\272\360"
-"\344\317\371\304\256\205\124\271\007\127\371\217\305\177\150\021"
-"\370\304\027\260\104\334\343\060\163\325\052\142\052\270\320\314"
-"\034\355\050\133\176\275\152\334\263\221\044\312\101\142\074\374"
-"\002\001\277\034\026\061\224\005\227\166\156\242\255\275\141\027"
-"\154\116\060\206\360\121\067\052\120\307\250\142\201\334\133\112"
-"\252\301\240\264\156\353\057\345\127\305\261\053\100\160\333\132"
-"\115\241\216\037\275\003\037\330\003\324\217\114\231\161\274\342"
-"\202\314\130\350\230\072\206\323\206\070\363\000\051\037\002\003"
-"\001\000\001\060\015\006\011\052\206\110\206\367\015\001\001\005"
-"\005\000\003\201\201\000\205\214\022\301\247\271\120\025\172\313"
-"\076\254\270\103\212\334\252\335\024\272\211\201\176\001\074\043"
-"\161\041\210\057\202\334\143\372\002\105\254\105\131\327\052\130"
-"\104\133\267\237\201\073\222\150\075\342\067\044\365\173\154\217"
-"\166\065\226\011\250\131\235\271\316\043\253\164\326\203\375\062"
-"\163\047\330\151\076\103\164\366\256\305\211\232\347\123\174\351"
-"\173\366\113\363\301\145\203\336\215\212\234\074\210\215\071\131"
-"\374\252\077\042\215\241\301\146\120\201\162\114\355\042\144\117"
-"\117\312\200\221\266\051"
-, (PRUint32)774 }
-};
-static const NSSItem nss_builtins_items_43 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Class 4 Public Primary Certification Authority - G2", (PRUint32)61 },
-  { (void *)"\013\167\276\273\313\172\242\107\005\336\314\017\275\152\002\374"
-"\172\275\233\122"
-, (PRUint32)20 },
-  { (void *)"\046\155\054\031\230\266\160\150\070\120\124\031\354\220\064\140"
-, (PRUint32)16 },
-  { (void *)"\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125"
-"\004\013\023\063\103\154\141\163\163\040\064\040\120\165\142\154"
-"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
-"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
-"\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013"
-"\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040"
-"\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
-"\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
-"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
-"\167\157\162\153"
-, (PRUint32)196 },
-  { (void *)"\002\020\062\210\216\232\322\365\353\023\107\370\177\304\040\067"
-"\045\370"
-, (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_44 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"GlobalSign Root CA", (PRUint32)19 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\127\061\013\060\011\006\003\125\004\006\023\002\102\105\061"
-"\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154"
-"\123\151\147\156\040\156\166\055\163\141\061\020\060\016\006\003"
-"\125\004\013\023\007\122\157\157\164\040\103\101\061\033\060\031"
-"\006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147"
-"\156\040\122\157\157\164\040\103\101"
-, (PRUint32)89 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\127\061\013\060\011\006\003\125\004\006\023\002\102\105\061"
-"\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154"
-"\123\151\147\156\040\156\166\055\163\141\061\020\060\016\006\003"
-"\125\004\013\023\007\122\157\157\164\040\103\101\061\033\060\031"
-"\006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147"
-"\156\040\122\157\157\164\040\103\101"
-, (PRUint32)89 },
-  { (void *)"\002\013\002\000\000\000\000\000\326\170\267\224\005"
-, (PRUint32)13 },
-  { (void *)"\060\202\003\165\060\202\002\135\240\003\002\001\002\002\013\002"
-"\000\000\000\000\000\326\170\267\224\005\060\015\006\011\052\206"
-"\110\206\367\015\001\001\004\005\000\060\127\061\013\060\011\006"
-"\003\125\004\006\023\002\102\105\061\031\060\027\006\003\125\004"
-"\012\023\020\107\154\157\142\141\154\123\151\147\156\040\156\166"
-"\055\163\141\061\020\060\016\006\003\125\004\013\023\007\122\157"
-"\157\164\040\103\101\061\033\060\031\006\003\125\004\003\023\022"
-"\107\154\157\142\141\154\123\151\147\156\040\122\157\157\164\040"
-"\103\101\060\036\027\015\071\070\060\071\060\061\061\062\060\060"
-"\060\060\132\027\015\061\064\060\061\062\070\061\062\060\060\060"
-"\060\132\060\127\061\013\060\011\006\003\125\004\006\023\002\102"
-"\105\061\031\060\027\006\003\125\004\012\023\020\107\154\157\142"
-"\141\154\123\151\147\156\040\156\166\055\163\141\061\020\060\016"
-"\006\003\125\004\013\023\007\122\157\157\164\040\103\101\061\033"
-"\060\031\006\003\125\004\003\023\022\107\154\157\142\141\154\123"
-"\151\147\156\040\122\157\157\164\040\103\101\060\202\001\042\060"
-"\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202"
-"\001\017\000\060\202\001\012\002\202\001\001\000\332\016\346\231"
-"\215\316\243\343\117\212\176\373\361\213\203\045\153\352\110\037"
-"\361\052\260\271\225\021\004\275\360\143\321\342\147\146\317\034"
-"\335\317\033\110\053\356\215\211\216\232\257\051\200\145\253\351"
-"\307\055\022\313\253\034\114\160\007\241\075\012\060\315\025\215"
-"\117\370\335\324\214\120\025\034\357\120\356\304\056\367\374\351"
-"\122\362\221\175\340\155\325\065\060\216\136\103\163\362\101\351"
-"\325\152\343\262\211\072\126\071\070\157\006\074\210\151\133\052"
-"\115\305\247\124\270\154\211\314\233\371\074\312\345\375\211\365"
-"\022\074\222\170\226\326\334\164\156\223\104\141\321\215\307\106"
-"\262\165\016\206\350\031\212\325\155\154\325\170\026\225\242\351"
-"\310\012\070\353\362\044\023\117\163\124\223\023\205\072\033\274"
-"\036\064\265\213\005\214\271\167\213\261\333\037\040\221\253\011"
-"\123\156\220\316\173\067\164\271\160\107\221\042\121\143\026\171"
-"\256\261\256\101\046\010\310\031\053\321\106\252\110\326\144\052"
-"\327\203\064\377\054\052\301\154\031\103\112\007\205\347\323\174"
-"\366\041\150\357\352\362\122\237\177\223\220\317\002\003\001\000"
-"\001\243\102\060\100\060\016\006\003\125\035\017\001\001\377\004"
-"\004\003\002\000\006\060\035\006\003\125\035\016\004\026\004\024"
-"\140\173\146\032\105\015\227\312\211\120\057\175\004\315\064\250"
-"\377\374\375\113\060\017\006\003\125\035\023\001\001\377\004\005"
-"\060\003\001\001\377\060\015\006\011\052\206\110\206\367\015\001"
-"\001\004\005\000\003\202\001\001\000\256\252\237\374\267\322\313"
-"\037\137\071\051\050\030\236\064\311\154\117\157\032\360\144\242"
-"\160\112\117\023\206\233\140\050\236\350\201\111\230\175\012\273"
-"\345\260\235\075\066\333\217\005\121\377\011\061\052\037\335\211"
-"\167\236\017\056\154\225\004\355\206\313\264\000\077\204\002\115"
-"\200\152\052\055\170\013\256\157\053\242\203\104\203\037\315\120"
-"\202\114\044\257\275\367\245\264\310\132\017\364\347\107\136\111"
-"\216\067\226\376\232\210\005\072\331\300\333\051\207\346\031\226"
-"\107\247\072\246\214\213\074\167\376\106\143\247\123\332\041\321"
-"\254\176\111\242\113\346\303\147\131\057\263\212\016\273\054\275"
-"\251\252\102\174\065\301\330\177\325\247\061\072\116\143\103\071"
-"\257\010\260\141\064\214\323\230\251\103\064\366\017\207\051\073"
-"\235\302\126\130\230\167\303\367\033\254\366\235\370\076\252\247"
-"\124\105\360\365\371\325\061\145\376\153\130\234\161\263\036\327"
-"\122\352\062\027\374\100\140\035\311\171\044\262\366\154\375\250"
-"\146\016\202\335\230\313\332\302\104\117\056\240\173\362\367\153"
-"\054\166\021\204\106\212\170\243\343"
-, (PRUint32)889 }
-};
-static const NSSItem nss_builtins_items_45 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"GlobalSign Root CA", (PRUint32)19 },
-  { (void *)"\057\027\077\175\351\226\147\257\245\172\370\012\242\321\261\057"
-"\254\203\003\070"
-, (PRUint32)20 },
-  { (void *)"\253\277\352\343\153\051\246\314\246\170\065\231\357\255\053\200"
-, (PRUint32)16 },
-  { (void *)"\060\127\061\013\060\011\006\003\125\004\006\023\002\102\105\061"
-"\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154"
-"\123\151\147\156\040\156\166\055\163\141\061\020\060\016\006\003"
-"\125\004\013\023\007\122\157\157\164\040\103\101\061\033\060\031"
-"\006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147"
-"\156\040\122\157\157\164\040\103\101"
-, (PRUint32)89 },
-  { (void *)"\002\013\002\000\000\000\000\000\326\170\267\224\005"
-, (PRUint32)13 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_46 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"ValiCert Class 1 VA", (PRUint32)20 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141"
-"\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157"
-"\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125"
-"\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156"
-"\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154"
-"\151\103\145\162\164\040\103\154\141\163\163\040\061\040\120\157"
-"\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040"
-"\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125"
-"\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166"
-"\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036"
-"\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146"
-"\157\100\166\141\154\151\143\145\162\164\056\143\157\155"
-, (PRUint32)190 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141"
-"\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157"
-"\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125"
-"\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156"
-"\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154"
-"\151\103\145\162\164\040\103\154\141\163\163\040\061\040\120\157"
-"\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040"
-"\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125"
-"\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166"
-"\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036"
-"\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146"
-"\157\100\166\141\154\151\143\145\162\164\056\143\157\155"
-, (PRUint32)190 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)"\060\202\002\347\060\202\002\120\002\001\001\060\015\006\011\052"
-"\206\110\206\367\015\001\001\005\005\000\060\201\273\061\044\060"
-"\042\006\003\125\004\007\023\033\126\141\154\151\103\145\162\164"
-"\040\126\141\154\151\144\141\164\151\157\156\040\116\145\164\167"
-"\157\162\153\061\027\060\025\006\003\125\004\012\023\016\126\141"
-"\154\151\103\145\162\164\054\040\111\156\143\056\061\065\060\063"
-"\006\003\125\004\013\023\054\126\141\154\151\103\145\162\164\040"
-"\103\154\141\163\163\040\061\040\120\157\154\151\143\171\040\126"
-"\141\154\151\144\141\164\151\157\156\040\101\165\164\150\157\162"
-"\151\164\171\061\041\060\037\006\003\125\004\003\023\030\150\164"
-"\164\160\072\057\057\167\167\167\056\166\141\154\151\143\145\162"
-"\164\056\143\157\155\057\061\040\060\036\006\011\052\206\110\206"
-"\367\015\001\011\001\026\021\151\156\146\157\100\166\141\154\151"
-"\143\145\162\164\056\143\157\155\060\036\027\015\071\071\060\066"
-"\062\065\062\062\062\063\064\070\132\027\015\061\071\060\066\062"
-"\065\062\062\062\063\064\070\132\060\201\273\061\044\060\042\006"
-"\003\125\004\007\023\033\126\141\154\151\103\145\162\164\040\126"
-"\141\154\151\144\141\164\151\157\156\040\116\145\164\167\157\162"
-"\153\061\027\060\025\006\003\125\004\012\023\016\126\141\154\151"
-"\103\145\162\164\054\040\111\156\143\056\061\065\060\063\006\003"
-"\125\004\013\023\054\126\141\154\151\103\145\162\164\040\103\154"
-"\141\163\163\040\061\040\120\157\154\151\143\171\040\126\141\154"
-"\151\144\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171\061\041\060\037\006\003\125\004\003\023\030\150\164\164\160"
-"\072\057\057\167\167\167\056\166\141\154\151\143\145\162\164\056"
-"\143\157\155\057\061\040\060\036\006\011\052\206\110\206\367\015"
-"\001\011\001\026\021\151\156\146\157\100\166\141\154\151\143\145"
-"\162\164\056\143\157\155\060\201\237\060\015\006\011\052\206\110"
-"\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002"
-"\201\201\000\330\131\202\172\211\270\226\272\246\057\150\157\130"
-"\056\247\124\034\006\156\364\352\215\110\274\061\224\027\360\363"
-"\116\274\262\270\065\222\166\260\320\245\245\001\327\000\003\022"
-"\042\031\010\370\377\021\043\233\316\007\365\277\151\032\046\376"
-"\116\351\321\177\235\054\100\035\131\150\156\246\370\130\260\235"
-"\032\217\323\077\361\334\031\006\201\250\016\340\072\335\310\123"
-"\105\011\006\346\017\160\303\372\100\246\016\342\126\005\017\030"
-"\115\374\040\202\321\163\125\164\215\166\162\240\035\235\035\300"
-"\335\077\161\002\003\001\000\001\060\015\006\011\052\206\110\206"
-"\367\015\001\001\005\005\000\003\201\201\000\120\150\075\111\364"
-"\054\034\006\224\337\225\140\177\226\173\027\376\117\161\255\144"
-"\310\335\167\322\357\131\125\350\077\350\216\005\052\041\362\007"
-"\322\265\247\122\376\234\261\266\342\133\167\027\100\352\162\326"
-"\043\313\050\201\062\303\000\171\030\354\131\027\211\311\306\152"
-"\036\161\311\375\267\164\245\045\105\151\305\110\253\031\341\105"
-"\212\045\153\031\356\345\273\022\365\177\367\246\215\121\303\360"
-"\235\164\267\251\076\240\245\377\266\111\003\023\332\042\314\355"
-"\161\202\053\231\317\072\267\365\055\162\310"
-, (PRUint32)747 }
-};
-static const NSSItem nss_builtins_items_47 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"ValiCert Class 1 VA", (PRUint32)20 },
-  { (void *)"\345\337\164\074\266\001\304\233\230\103\334\253\214\350\152\201"
-"\020\237\344\216"
-, (PRUint32)20 },
-  { (void *)"\145\130\253\025\255\127\154\036\250\247\265\151\254\277\377\353"
-, (PRUint32)16 },
-  { (void *)"\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141"
-"\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157"
-"\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125"
-"\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156"
-"\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154"
-"\151\103\145\162\164\040\103\154\141\163\163\040\061\040\120\157"
-"\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040"
-"\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125"
-"\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166"
-"\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036"
-"\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146"
-"\157\100\166\141\154\151\143\145\162\164\056\143\157\155"
-, (PRUint32)190 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_48 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"ValiCert Class 2 VA", (PRUint32)20 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141"
-"\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157"
-"\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125"
-"\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156"
-"\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154"
-"\151\103\145\162\164\040\103\154\141\163\163\040\062\040\120\157"
-"\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040"
-"\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125"
-"\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166"
-"\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036"
-"\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146"
-"\157\100\166\141\154\151\143\145\162\164\056\143\157\155"
-, (PRUint32)190 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141"
-"\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157"
-"\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125"
-"\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156"
-"\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154"
-"\151\103\145\162\164\040\103\154\141\163\163\040\062\040\120\157"
-"\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040"
-"\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125"
-"\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166"
-"\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036"
-"\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146"
-"\157\100\166\141\154\151\143\145\162\164\056\143\157\155"
-, (PRUint32)190 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)"\060\202\002\347\060\202\002\120\002\001\001\060\015\006\011\052"
-"\206\110\206\367\015\001\001\005\005\000\060\201\273\061\044\060"
-"\042\006\003\125\004\007\023\033\126\141\154\151\103\145\162\164"
-"\040\126\141\154\151\144\141\164\151\157\156\040\116\145\164\167"
-"\157\162\153\061\027\060\025\006\003\125\004\012\023\016\126\141"
-"\154\151\103\145\162\164\054\040\111\156\143\056\061\065\060\063"
-"\006\003\125\004\013\023\054\126\141\154\151\103\145\162\164\040"
-"\103\154\141\163\163\040\062\040\120\157\154\151\143\171\040\126"
-"\141\154\151\144\141\164\151\157\156\040\101\165\164\150\157\162"
-"\151\164\171\061\041\060\037\006\003\125\004\003\023\030\150\164"
-"\164\160\072\057\057\167\167\167\056\166\141\154\151\143\145\162"
-"\164\056\143\157\155\057\061\040\060\036\006\011\052\206\110\206"
-"\367\015\001\011\001\026\021\151\156\146\157\100\166\141\154\151"
-"\143\145\162\164\056\143\157\155\060\036\027\015\071\071\060\066"
-"\062\066\060\060\061\071\065\064\132\027\015\061\071\060\066\062"
-"\066\060\060\061\071\065\064\132\060\201\273\061\044\060\042\006"
-"\003\125\004\007\023\033\126\141\154\151\103\145\162\164\040\126"
-"\141\154\151\144\141\164\151\157\156\040\116\145\164\167\157\162"
-"\153\061\027\060\025\006\003\125\004\012\023\016\126\141\154\151"
-"\103\145\162\164\054\040\111\156\143\056\061\065\060\063\006\003"
-"\125\004\013\023\054\126\141\154\151\103\145\162\164\040\103\154"
-"\141\163\163\040\062\040\120\157\154\151\143\171\040\126\141\154"
-"\151\144\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171\061\041\060\037\006\003\125\004\003\023\030\150\164\164\160"
-"\072\057\057\167\167\167\056\166\141\154\151\143\145\162\164\056"
-"\143\157\155\057\061\040\060\036\006\011\052\206\110\206\367\015"
-"\001\011\001\026\021\151\156\146\157\100\166\141\154\151\143\145"
-"\162\164\056\143\157\155\060\201\237\060\015\006\011\052\206\110"
-"\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002"
-"\201\201\000\316\072\161\312\345\253\310\131\222\125\327\253\330"
-"\164\016\371\356\331\366\125\107\131\145\107\016\005\125\334\353"
-"\230\066\074\134\123\135\323\060\317\070\354\275\101\211\355\045"
-"\102\011\044\153\012\136\263\174\335\122\055\114\346\324\326\175"
-"\132\131\251\145\324\111\023\055\044\115\034\120\157\265\301\205"
-"\124\073\376\161\344\323\134\102\371\200\340\221\032\012\133\071"
-"\066\147\363\077\125\174\033\077\264\137\144\163\064\343\264\022"
-"\277\207\144\370\332\022\377\067\047\301\263\103\273\357\173\156"
-"\056\151\367\002\003\001\000\001\060\015\006\011\052\206\110\206"
-"\367\015\001\001\005\005\000\003\201\201\000\073\177\120\157\157"
-"\120\224\231\111\142\070\070\037\113\370\245\310\076\247\202\201"
-"\366\053\307\350\305\316\350\072\020\202\313\030\000\216\115\275"
-"\250\130\177\241\171\000\265\273\351\215\257\101\331\017\064\356"
-"\041\201\031\240\062\111\050\364\304\216\126\325\122\063\375\120"
-"\325\176\231\154\003\344\311\114\374\313\154\253\146\263\112\041"
-"\214\345\265\014\062\076\020\262\314\154\241\334\232\230\114\002"
-"\133\363\316\271\236\245\162\016\112\267\077\074\346\026\150\370"
-"\276\355\164\114\274\133\325\142\037\103\335"
-, (PRUint32)747 }
-};
-static const NSSItem nss_builtins_items_49 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"ValiCert Class 2 VA", (PRUint32)20 },
-  { (void *)"\061\172\052\320\177\053\063\136\365\241\303\116\113\127\350\267"
-"\330\361\374\246"
-, (PRUint32)20 },
-  { (void *)"\251\043\165\233\272\111\066\156\061\302\333\362\347\146\272\207"
-, (PRUint32)16 },
-  { (void *)"\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141"
-"\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157"
-"\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125"
-"\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156"
-"\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154"
-"\151\103\145\162\164\040\103\154\141\163\163\040\062\040\120\157"
-"\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040"
-"\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125"
-"\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166"
-"\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036"
-"\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146"
-"\157\100\166\141\154\151\143\145\162\164\056\143\157\155"
-, (PRUint32)190 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_50 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"RSA Root Certificate 1", (PRUint32)23 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141"
-"\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157"
-"\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125"
-"\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156"
-"\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154"
-"\151\103\145\162\164\040\103\154\141\163\163\040\063\040\120\157"
-"\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040"
-"\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125"
-"\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166"
-"\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036"
-"\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146"
-"\157\100\166\141\154\151\143\145\162\164\056\143\157\155"
-, (PRUint32)190 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141"
-"\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157"
-"\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125"
-"\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156"
-"\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154"
-"\151\103\145\162\164\040\103\154\141\163\163\040\063\040\120\157"
-"\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040"
-"\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125"
-"\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166"
-"\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036"
-"\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146"
-"\157\100\166\141\154\151\143\145\162\164\056\143\157\155"
-, (PRUint32)190 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)"\060\202\002\347\060\202\002\120\002\001\001\060\015\006\011\052"
-"\206\110\206\367\015\001\001\005\005\000\060\201\273\061\044\060"
-"\042\006\003\125\004\007\023\033\126\141\154\151\103\145\162\164"
-"\040\126\141\154\151\144\141\164\151\157\156\040\116\145\164\167"
-"\157\162\153\061\027\060\025\006\003\125\004\012\023\016\126\141"
-"\154\151\103\145\162\164\054\040\111\156\143\056\061\065\060\063"
-"\006\003\125\004\013\023\054\126\141\154\151\103\145\162\164\040"
-"\103\154\141\163\163\040\063\040\120\157\154\151\143\171\040\126"
-"\141\154\151\144\141\164\151\157\156\040\101\165\164\150\157\162"
-"\151\164\171\061\041\060\037\006\003\125\004\003\023\030\150\164"
-"\164\160\072\057\057\167\167\167\056\166\141\154\151\143\145\162"
-"\164\056\143\157\155\057\061\040\060\036\006\011\052\206\110\206"
-"\367\015\001\011\001\026\021\151\156\146\157\100\166\141\154\151"
-"\143\145\162\164\056\143\157\155\060\036\027\015\071\071\060\066"
-"\062\066\060\060\062\062\063\063\132\027\015\061\071\060\066\062"
-"\066\060\060\062\062\063\063\132\060\201\273\061\044\060\042\006"
-"\003\125\004\007\023\033\126\141\154\151\103\145\162\164\040\126"
-"\141\154\151\144\141\164\151\157\156\040\116\145\164\167\157\162"
-"\153\061\027\060\025\006\003\125\004\012\023\016\126\141\154\151"
-"\103\145\162\164\054\040\111\156\143\056\061\065\060\063\006\003"
-"\125\004\013\023\054\126\141\154\151\103\145\162\164\040\103\154"
-"\141\163\163\040\063\040\120\157\154\151\143\171\040\126\141\154"
-"\151\144\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171\061\041\060\037\006\003\125\004\003\023\030\150\164\164\160"
-"\072\057\057\167\167\167\056\166\141\154\151\143\145\162\164\056"
-"\143\157\155\057\061\040\060\036\006\011\052\206\110\206\367\015"
-"\001\011\001\026\021\151\156\146\157\100\166\141\154\151\143\145"
-"\162\164\056\143\157\155\060\201\237\060\015\006\011\052\206\110"
-"\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002"
-"\201\201\000\343\230\121\226\034\350\325\261\006\201\152\127\303"
-"\162\165\223\253\317\236\246\374\363\026\122\326\055\115\237\065"
-"\104\250\056\004\115\007\111\212\070\051\365\167\067\347\267\253"
-"\135\337\066\161\024\231\217\334\302\222\361\347\140\222\227\354"
-"\330\110\334\277\301\002\040\306\044\244\050\114\060\132\166\155"
-"\261\134\363\335\336\236\020\161\241\210\307\133\233\101\155\312"
-"\260\270\216\025\356\255\063\053\317\107\004\134\165\161\012\230"
-"\044\230\051\247\111\131\245\335\370\267\103\142\141\363\323\342"
-"\320\125\077\002\003\001\000\001\060\015\006\011\052\206\110\206"
-"\367\015\001\001\005\005\000\003\201\201\000\126\273\002\130\204"
-"\147\010\054\337\037\333\173\111\063\365\323\147\235\364\264\012"
-"\020\263\311\305\054\342\222\152\161\170\047\362\160\203\102\323"
-"\076\317\251\124\364\361\330\222\026\214\321\004\313\113\253\311"
-"\237\105\256\074\212\251\260\161\063\135\310\305\127\337\257\250"
-"\065\263\177\211\207\351\350\045\222\270\177\205\172\256\326\274"
-"\036\067\130\052\147\311\221\317\052\201\076\355\306\071\337\300"
-"\076\031\234\031\314\023\115\202\101\265\214\336\340\075\140\010"
-"\040\017\105\176\153\242\177\243\214\025\356"
-, (PRUint32)747 }
-};
-static const NSSItem nss_builtins_items_51 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"RSA Root Certificate 1", (PRUint32)23 },
-  { (void *)"\151\275\214\364\234\323\000\373\131\056\027\223\312\125\152\363"
-"\354\252\065\373"
-, (PRUint32)20 },
-  { (void *)"\242\157\123\267\356\100\333\112\150\347\372\030\331\020\113\162"
-, (PRUint32)16 },
-  { (void *)"\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141"
-"\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157"
-"\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125"
-"\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156"
-"\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154"
-"\151\103\145\162\164\040\103\154\141\163\163\040\063\040\120\157"
-"\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040"
-"\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125"
-"\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166"
-"\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036"
-"\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146"
-"\157\100\166\141\154\151\143\145\162\164\056\143\157\155"
-, (PRUint32)190 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_52 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Class 1 Public Primary Certification Authority - G3", (PRUint32)61 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125"
-"\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165"
-"\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003"
-"\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145"
-"\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106"
-"\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163"
-"\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023"
-"\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
-"\061\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
-"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
-"\165\164\150\157\162\151\164\171\040\055\040\107\063"
-, (PRUint32)205 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125"
-"\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165"
-"\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003"
-"\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145"
-"\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106"
-"\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163"
-"\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023"
-"\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
-"\061\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
-"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
-"\165\164\150\157\162\151\164\171\040\055\040\107\063"
-, (PRUint32)205 },
-  { (void *)"\002\021\000\213\133\165\126\204\124\205\013\000\317\257\070\110"
-"\316\261\244"
-, (PRUint32)19 },
-  { (void *)"\060\202\004\032\060\202\003\002\002\021\000\213\133\165\126\204"
-"\124\205\013\000\317\257\070\110\316\261\244\060\015\006\011\052"
-"\206\110\206\367\015\001\001\005\005\000\060\201\312\061\013\060"
-"\011\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003"
-"\125\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111"
-"\156\143\056\061\037\060\035\006\003\125\004\013\023\026\126\145"
-"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
-"\167\157\162\153\061\072\060\070\006\003\125\004\013\023\061\050"
-"\143\051\040\061\071\071\071\040\126\145\162\151\123\151\147\156"
-"\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165\164"
-"\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171"
-"\061\105\060\103\006\003\125\004\003\023\074\126\145\162\151\123"
-"\151\147\156\040\103\154\141\163\163\040\061\040\120\165\142\154"
-"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
-"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
-"\164\171\040\055\040\107\063\060\036\027\015\071\071\061\060\060"
-"\061\060\060\060\060\060\060\132\027\015\063\066\060\067\061\066"
-"\062\063\065\071\065\071\132\060\201\312\061\013\060\011\006\003"
-"\125\004\006\023\002\125\123\061\027\060\025\006\003\125\004\012"
-"\023\016\126\145\162\151\123\151\147\156\054\040\111\156\143\056"
-"\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151\123"
-"\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157\162"
-"\153\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040"
-"\061\071\071\071\040\126\145\162\151\123\151\147\156\054\040\111"
-"\156\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162"
-"\151\172\145\144\040\165\163\145\040\157\156\154\171\061\105\060"
-"\103\006\003\125\004\003\023\074\126\145\162\151\123\151\147\156"
-"\040\103\154\141\163\163\040\061\040\120\165\142\154\151\143\040"
-"\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143"
-"\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040"
-"\055\040\107\063\060\202\001\042\060\015\006\011\052\206\110\206"
-"\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012"
-"\002\202\001\001\000\335\204\324\271\264\371\247\330\363\004\170"
-"\234\336\075\334\154\023\026\331\172\335\044\121\146\300\307\046"
-"\131\015\254\006\010\302\224\321\063\037\360\203\065\037\156\033"
-"\310\336\252\156\025\116\124\047\357\304\155\032\354\013\343\016"
-"\360\104\245\127\307\100\130\036\243\107\037\161\354\140\366\155"
-"\224\310\030\071\355\376\102\030\126\337\344\114\111\020\170\116"
-"\001\166\065\143\022\066\335\146\274\001\004\066\243\125\150\325"
-"\242\066\011\254\253\041\046\124\006\255\077\312\024\340\254\312"
-"\255\006\035\225\342\370\235\361\340\140\377\302\177\165\053\114"
-"\314\332\376\207\231\041\352\272\376\076\124\327\322\131\170\333"
-"\074\156\317\240\023\000\032\270\047\241\344\276\147\226\312\240"
-"\305\263\234\335\311\165\236\353\060\232\137\243\315\331\256\170"
-"\031\077\043\351\134\333\051\275\255\125\310\033\124\214\143\366"
-"\350\246\352\307\067\022\134\243\051\036\002\331\333\037\073\264"
-"\327\017\126\107\201\025\004\112\257\203\047\321\305\130\210\301"
-"\335\366\252\247\243\030\332\150\252\155\021\121\341\277\145\153"
-"\237\226\166\321\075\002\003\001\000\001\060\015\006\011\052\206"
-"\110\206\367\015\001\001\005\005\000\003\202\001\001\000\253\146"
-"\215\327\263\272\307\232\266\346\125\320\005\361\237\061\215\132"
-"\252\331\252\106\046\017\161\355\245\255\123\126\142\001\107\052"
-"\104\351\376\077\164\013\023\233\271\364\115\033\262\321\137\262"
-"\266\322\210\134\263\237\315\313\324\247\331\140\225\204\072\370"
-"\301\067\035\141\312\347\260\305\345\221\332\124\246\254\061\201"
-"\256\227\336\315\010\254\270\300\227\200\177\156\162\244\347\151"
-"\023\225\145\037\304\223\074\375\171\217\004\324\076\117\352\367"
-"\236\316\315\147\174\117\145\002\377\221\205\124\163\307\377\066"
-"\367\206\055\354\320\136\117\377\021\237\162\006\326\270\032\361"
-"\114\015\046\145\342\104\200\036\307\237\343\335\350\012\332\354"
-"\245\040\200\151\150\241\117\176\341\153\317\007\101\372\203\216"
-"\274\070\335\260\056\021\261\153\262\102\314\232\274\371\110\042"
-"\171\112\031\017\262\034\076\040\164\331\152\303\276\362\050\170"
-"\023\126\171\117\155\120\352\033\260\265\127\261\067\146\130\043"
-"\363\334\017\337\012\207\304\357\206\005\325\070\024\140\231\243"
-"\113\336\006\226\161\054\362\333\266\037\244\357\077\356"
-, (PRUint32)1054 }
-};
-static const NSSItem nss_builtins_items_53 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Class 1 Public Primary Certification Authority - G3", (PRUint32)61 },
-  { (void *)"\040\102\205\334\367\353\166\101\225\127\216\023\153\324\267\321"
-"\351\216\106\245"
-, (PRUint32)20 },
-  { (void *)"\261\107\274\030\127\321\030\240\170\055\354\161\350\052\225\163"
-, (PRUint32)16 },
-  { (void *)"\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125"
-"\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165"
-"\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003"
-"\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145"
-"\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106"
-"\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163"
-"\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023"
-"\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
-"\061\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
-"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
-"\165\164\150\157\162\151\164\171\040\055\040\107\063"
-, (PRUint32)205 },
-  { (void *)"\002\021\000\213\133\165\126\204\124\205\013\000\317\257\070\110"
-"\316\261\244"
-, (PRUint32)19 },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_54 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Class 2 Public Primary Certification Authority - G3", (PRUint32)61 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125"
-"\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165"
-"\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003"
-"\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145"
-"\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106"
-"\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163"
-"\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023"
-"\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
-"\062\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
-"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
-"\165\164\150\157\162\151\164\171\040\055\040\107\063"
-, (PRUint32)205 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125"
-"\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165"
-"\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003"
-"\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145"
-"\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106"
-"\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163"
-"\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023"
-"\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
-"\062\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
-"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
-"\165\164\150\157\162\151\164\171\040\055\040\107\063"
-, (PRUint32)205 },
-  { (void *)"\002\020\141\160\313\111\214\137\230\105\051\347\260\246\331\120"
-"\133\172"
-, (PRUint32)18 },
-  { (void *)"\060\202\004\031\060\202\003\001\002\020\141\160\313\111\214\137"
-"\230\105\051\347\260\246\331\120\133\172\060\015\006\011\052\206"
-"\110\206\367\015\001\001\005\005\000\060\201\312\061\013\060\011"
-"\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125"
-"\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156"
-"\143\056\061\037\060\035\006\003\125\004\013\023\026\126\145\162"
-"\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164\167"
-"\157\162\153\061\072\060\070\006\003\125\004\013\023\061\050\143"
-"\051\040\061\071\071\071\040\126\145\162\151\123\151\147\156\054"
-"\040\111\156\143\056\040\055\040\106\157\162\040\141\165\164\150"
-"\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171\061"
-"\105\060\103\006\003\125\004\003\023\074\126\145\162\151\123\151"
-"\147\156\040\103\154\141\163\163\040\062\040\120\165\142\154\151"
-"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
-"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171\040\055\040\107\063\060\036\027\015\071\071\061\060\060\061"
-"\060\060\060\060\060\060\132\027\015\063\066\060\067\061\066\062"
-"\063\065\071\065\071\132\060\201\312\061\013\060\011\006\003\125"
-"\004\006\023\002\125\123\061\027\060\025\006\003\125\004\012\023"
-"\016\126\145\162\151\123\151\147\156\054\040\111\156\143\056\061"
-"\037\060\035\006\003\125\004\013\023\026\126\145\162\151\123\151"
-"\147\156\040\124\162\165\163\164\040\116\145\164\167\157\162\153"
-"\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040\061"
-"\071\071\071\040\126\145\162\151\123\151\147\156\054\040\111\156"
-"\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162\151"
-"\172\145\144\040\165\163\145\040\157\156\154\171\061\105\060\103"
-"\006\003\125\004\003\023\074\126\145\162\151\123\151\147\156\040"
-"\103\154\141\163\163\040\062\040\120\165\142\154\151\143\040\120"
-"\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143\141"
-"\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040\055"
-"\040\107\063\060\202\001\042\060\015\006\011\052\206\110\206\367"
-"\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002"
-"\202\001\001\000\257\012\015\302\325\054\333\147\271\055\345\224"
-"\047\335\245\276\340\260\115\217\263\141\126\074\326\174\303\364"
-"\315\076\206\313\242\210\342\341\330\244\151\305\265\342\277\301"
-"\246\107\120\136\106\071\213\325\226\272\265\157\024\277\020\316"
-"\047\023\236\005\107\233\061\172\023\330\037\331\323\002\067\213"
-"\255\054\107\360\216\201\006\247\015\060\014\353\367\074\017\040"
-"\035\334\162\106\356\245\002\310\133\303\311\126\151\114\305\030"
-"\301\221\173\013\325\023\000\233\274\357\303\110\076\106\140\040"
-"\205\052\325\220\266\315\213\240\314\062\335\267\375\100\125\262"
-"\120\034\126\256\314\215\167\115\307\040\115\247\061\166\357\150"
-"\222\212\220\036\010\201\126\262\255\151\243\122\320\313\034\304"
-"\043\075\037\231\376\114\350\026\143\216\306\010\216\366\061\366"
-"\322\372\345\166\335\265\034\222\243\111\315\315\001\315\150\315"
-"\251\151\272\243\353\035\015\234\244\040\246\301\240\305\321\106"
-"\114\027\155\322\254\146\077\226\214\340\204\324\066\377\042\131"
-"\305\371\021\140\250\137\004\175\362\032\366\045\102\141\017\304"
-"\112\270\076\211\002\003\001\000\001\060\015\006\011\052\206\110"
-"\206\367\015\001\001\005\005\000\003\202\001\001\000\064\046\025"
-"\074\300\215\115\103\111\035\275\351\041\222\327\146\234\267\336"
-"\305\270\320\344\135\137\166\042\300\046\371\204\072\072\371\214"
-"\265\373\354\140\361\350\316\004\260\310\335\247\003\217\060\363"
-"\230\337\244\346\244\061\337\323\034\013\106\334\162\040\077\256"
-"\356\005\074\244\063\077\013\071\254\160\170\163\113\231\053\337"
-"\060\302\124\260\250\073\125\241\376\026\050\315\102\275\164\156"
-"\200\333\047\104\247\316\104\135\324\033\220\230\015\036\102\224"
-"\261\000\054\004\320\164\243\002\005\042\143\143\315\203\265\373"
-"\301\155\142\153\151\165\375\135\160\101\271\365\277\174\337\276"
-"\301\062\163\042\041\213\130\201\173\025\221\172\272\343\144\110"
-"\260\177\373\066\045\332\225\320\361\044\024\027\335\030\200\153"
-"\106\043\071\124\365\216\142\011\004\035\224\220\246\233\346\045"
-"\342\102\105\252\270\220\255\276\010\217\251\013\102\030\224\317"
-"\162\071\341\261\103\340\050\317\267\347\132\154\023\153\111\263"
-"\377\343\030\174\211\213\063\135\254\063\327\247\371\332\072\125"
-"\311\130\020\371\252\357\132\266\317\113\113\337\052"
-, (PRUint32)1053 }
-};
-static const NSSItem nss_builtins_items_55 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Class 2 Public Primary Certification Authority - G3", (PRUint32)61 },
-  { (void *)"\141\357\103\327\177\312\324\141\121\274\230\340\303\131\022\257"
-"\237\353\143\021"
-, (PRUint32)20 },
-  { (void *)"\370\276\304\143\042\311\250\106\164\213\270\035\036\112\053\366"
-, (PRUint32)16 },
-  { (void *)"\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125"
-"\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165"
-"\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003"
-"\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145"
-"\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106"
-"\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163"
-"\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023"
-"\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
-"\062\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
-"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
-"\165\164\150\157\162\151\164\171\040\055\040\107\063"
-, (PRUint32)205 },
-  { (void *)"\002\020\141\160\313\111\214\137\230\105\051\347\260\246\331\120"
-"\133\172"
-, (PRUint32)18 },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_56 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Class 3 Public Primary Certification Authority - G3", (PRUint32)61 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125"
-"\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165"
-"\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003"
-"\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145"
-"\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106"
-"\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163"
-"\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023"
-"\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
-"\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
-"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
-"\165\164\150\157\162\151\164\171\040\055\040\107\063"
-, (PRUint32)205 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125"
-"\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165"
-"\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003"
-"\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145"
-"\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106"
-"\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163"
-"\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023"
-"\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
-"\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
-"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
-"\165\164\150\157\162\151\164\171\040\055\040\107\063"
-, (PRUint32)205 },
-  { (void *)"\002\021\000\233\176\006\111\243\076\142\271\325\356\220\110\161"
-"\051\357\127"
-, (PRUint32)19 },
-  { (void *)"\060\202\004\032\060\202\003\002\002\021\000\233\176\006\111\243"
-"\076\142\271\325\356\220\110\161\051\357\127\060\015\006\011\052"
-"\206\110\206\367\015\001\001\005\005\000\060\201\312\061\013\060"
-"\011\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003"
-"\125\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111"
-"\156\143\056\061\037\060\035\006\003\125\004\013\023\026\126\145"
-"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
-"\167\157\162\153\061\072\060\070\006\003\125\004\013\023\061\050"
-"\143\051\040\061\071\071\071\040\126\145\162\151\123\151\147\156"
-"\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165\164"
-"\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171"
-"\061\105\060\103\006\003\125\004\003\023\074\126\145\162\151\123"
-"\151\147\156\040\103\154\141\163\163\040\063\040\120\165\142\154"
-"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
-"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
-"\164\171\040\055\040\107\063\060\036\027\015\071\071\061\060\060"
-"\061\060\060\060\060\060\060\132\027\015\063\066\060\067\061\066"
-"\062\063\065\071\065\071\132\060\201\312\061\013\060\011\006\003"
-"\125\004\006\023\002\125\123\061\027\060\025\006\003\125\004\012"
-"\023\016\126\145\162\151\123\151\147\156\054\040\111\156\143\056"
-"\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151\123"
-"\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157\162"
-"\153\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040"
-"\061\071\071\071\040\126\145\162\151\123\151\147\156\054\040\111"
-"\156\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162"
-"\151\172\145\144\040\165\163\145\040\157\156\154\171\061\105\060"
-"\103\006\003\125\004\003\023\074\126\145\162\151\123\151\147\156"
-"\040\103\154\141\163\163\040\063\040\120\165\142\154\151\143\040"
-"\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143"
-"\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040"
-"\055\040\107\063\060\202\001\042\060\015\006\011\052\206\110\206"
-"\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012"
-"\002\202\001\001\000\313\272\234\122\374\170\037\032\036\157\033"
-"\067\163\275\370\311\153\224\022\060\117\360\066\107\365\320\221"
-"\012\365\027\310\245\141\301\026\100\115\373\212\141\220\345\166"
-"\040\301\021\006\175\253\054\156\246\365\021\101\216\372\055\255"
-"\052\141\131\244\147\046\114\320\350\274\122\133\160\040\004\130"
-"\321\172\311\244\151\274\203\027\144\255\005\213\274\320\130\316"
-"\215\214\365\353\360\102\111\013\235\227\047\147\062\156\341\256"
-"\223\025\034\160\274\040\115\057\030\336\222\210\350\154\205\127"
-"\021\032\351\176\343\046\021\124\242\105\226\125\203\312\060\211"
-"\350\334\330\243\355\052\200\077\177\171\145\127\076\025\040\146"
-"\010\057\225\223\277\252\107\057\250\106\227\360\022\342\376\302"
-"\012\053\121\346\166\346\267\106\267\342\015\246\314\250\303\114"
-"\131\125\211\346\350\123\134\034\352\235\360\142\026\013\247\311"
-"\137\014\360\336\302\166\316\257\367\152\362\372\101\246\242\063"
-"\024\311\345\172\143\323\236\142\067\325\205\145\236\016\346\123"
-"\044\164\033\136\035\022\123\133\307\054\347\203\111\073\025\256"
-"\212\150\271\127\227\002\003\001\000\001\060\015\006\011\052\206"
-"\110\206\367\015\001\001\005\005\000\003\202\001\001\000\021\024"
-"\226\301\253\222\010\367\077\057\311\262\376\344\132\237\144\336"
-"\333\041\117\206\231\064\166\066\127\335\320\025\057\305\255\177"
-"\025\037\067\142\163\076\324\347\137\316\027\003\333\065\372\053"
-"\333\256\140\011\137\036\137\217\156\273\013\075\352\132\023\036"
-"\014\140\157\265\300\265\043\042\056\007\013\313\251\164\313\107"
-"\273\035\301\327\245\153\314\057\322\102\375\111\335\247\211\317"
-"\123\272\332\000\132\050\277\202\337\370\272\023\035\120\206\202"
-"\375\216\060\217\051\106\260\036\075\065\332\070\142\026\030\112"
-"\255\346\266\121\154\336\257\142\353\001\320\036\044\376\172\217"
-"\022\032\022\150\270\373\146\231\024\024\105\134\256\347\256\151"
-"\027\201\053\132\067\311\136\052\364\306\342\241\134\124\233\246"
-"\124\000\317\360\361\301\307\230\060\032\073\066\026\333\243\156"
-"\352\375\255\262\302\332\357\002\107\023\212\300\361\263\061\255"
-"\117\034\341\117\234\257\017\014\235\367\170\015\330\364\065\126"
-"\200\332\267\155\027\217\235\036\201\144\341\376\305\105\272\255"
-"\153\271\012\172\116\117\113\204\356\113\361\175\335\021"
-, (PRUint32)1054 }
-};
-static const NSSItem nss_builtins_items_57 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Class 3 Public Primary Certification Authority - G3", (PRUint32)61 },
-  { (void *)"\023\055\015\105\123\113\151\227\315\262\325\303\071\342\125\166"
-"\140\233\134\306"
-, (PRUint32)20 },
-  { (void *)"\315\150\266\247\307\304\316\165\340\035\117\127\104\141\222\011"
-, (PRUint32)16 },
-  { (void *)"\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125"
-"\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165"
-"\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003"
-"\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145"
-"\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106"
-"\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163"
-"\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023"
-"\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
-"\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
-"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
-"\165\164\150\157\162\151\164\171\040\055\040\107\063"
-, (PRUint32)205 },
-  { (void *)"\002\021\000\233\176\006\111\243\076\142\271\325\356\220\110\161"
-"\051\357\127"
-, (PRUint32)19 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_58 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Class 4 Public Primary Certification Authority - G3", (PRUint32)61 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125"
-"\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165"
-"\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003"
-"\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145"
-"\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106"
-"\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163"
-"\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023"
-"\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
-"\064\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
-"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
-"\165\164\150\157\162\151\164\171\040\055\040\107\063"
-, (PRUint32)205 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125"
-"\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165"
-"\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003"
-"\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145"
-"\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106"
-"\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163"
-"\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023"
-"\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
-"\064\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
-"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
-"\165\164\150\157\162\151\164\171\040\055\040\107\063"
-, (PRUint32)205 },
-  { (void *)"\002\021\000\354\240\247\213\156\165\152\001\317\304\174\314\057"
-"\224\136\327"
-, (PRUint32)19 },
-  { (void *)"\060\202\004\032\060\202\003\002\002\021\000\354\240\247\213\156"
-"\165\152\001\317\304\174\314\057\224\136\327\060\015\006\011\052"
-"\206\110\206\367\015\001\001\005\005\000\060\201\312\061\013\060"
-"\011\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003"
-"\125\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111"
-"\156\143\056\061\037\060\035\006\003\125\004\013\023\026\126\145"
-"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
-"\167\157\162\153\061\072\060\070\006\003\125\004\013\023\061\050"
-"\143\051\040\061\071\071\071\040\126\145\162\151\123\151\147\156"
-"\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165\164"
-"\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171"
-"\061\105\060\103\006\003\125\004\003\023\074\126\145\162\151\123"
-"\151\147\156\040\103\154\141\163\163\040\064\040\120\165\142\154"
-"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
-"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
-"\164\171\040\055\040\107\063\060\036\027\015\071\071\061\060\060"
-"\061\060\060\060\060\060\060\132\027\015\063\066\060\067\061\066"
-"\062\063\065\071\065\071\132\060\201\312\061\013\060\011\006\003"
-"\125\004\006\023\002\125\123\061\027\060\025\006\003\125\004\012"
-"\023\016\126\145\162\151\123\151\147\156\054\040\111\156\143\056"
-"\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151\123"
-"\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157\162"
-"\153\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040"
-"\061\071\071\071\040\126\145\162\151\123\151\147\156\054\040\111"
-"\156\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162"
-"\151\172\145\144\040\165\163\145\040\157\156\154\171\061\105\060"
-"\103\006\003\125\004\003\023\074\126\145\162\151\123\151\147\156"
-"\040\103\154\141\163\163\040\064\040\120\165\142\154\151\143\040"
-"\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143"
-"\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040"
-"\055\040\107\063\060\202\001\042\060\015\006\011\052\206\110\206"
-"\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012"
-"\002\202\001\001\000\255\313\245\021\151\306\131\253\361\217\265"
-"\031\017\126\316\314\265\037\040\344\236\046\045\113\340\163\145"
-"\211\131\336\320\203\344\365\017\265\273\255\361\174\350\041\374"
-"\344\350\014\356\174\105\042\031\166\222\264\023\267\040\133\011"
-"\372\141\256\250\362\245\215\205\302\052\326\336\146\066\322\233"
-"\002\364\250\222\140\174\234\151\264\217\044\036\320\206\122\366"
-"\062\234\101\130\036\042\275\315\105\142\225\010\156\320\146\335"
-"\123\242\314\360\020\334\124\163\213\004\241\106\063\063\134\027"
-"\100\271\236\115\323\363\276\125\203\350\261\211\216\132\174\232"
-"\226\042\220\073\210\045\362\322\123\210\002\014\013\170\362\346"
-"\067\027\113\060\106\007\344\200\155\246\330\226\056\350\054\370"
-"\021\263\070\015\146\246\233\352\311\043\133\333\216\342\363\023"
-"\216\032\131\055\252\002\360\354\244\207\146\334\301\077\365\330"
-"\271\364\354\202\306\322\075\225\035\345\300\117\204\311\331\243"
-"\104\050\006\152\327\105\254\360\153\152\357\116\137\370\021\202"
-"\036\070\143\064\146\120\324\076\223\163\372\060\303\146\255\377"
-"\223\055\227\357\003\002\003\001\000\001\060\015\006\011\052\206"
-"\110\206\367\015\001\001\005\005\000\003\202\001\001\000\217\372"
-"\045\153\117\133\344\244\116\047\125\253\042\025\131\074\312\265"
-"\012\324\112\333\253\335\241\137\123\305\240\127\071\302\316\107"
-"\053\276\072\310\126\277\302\331\047\020\072\261\005\074\300\167"
-"\061\273\072\323\005\173\155\232\034\060\214\200\313\223\223\052"
-"\203\253\005\121\202\002\000\021\147\153\363\210\141\107\137\003"
-"\223\325\133\015\340\361\324\241\062\065\205\262\072\333\260\202"
-"\253\321\313\012\274\117\214\133\305\113\000\073\037\052\202\246"
-"\176\066\205\334\176\074\147\000\265\344\073\122\340\250\353\135"
-"\025\371\306\155\360\255\035\016\205\267\251\232\163\024\132\133"
-"\217\101\050\300\325\350\055\115\244\136\315\252\331\355\316\334"
-"\330\325\074\102\035\027\301\022\135\105\070\303\070\363\374\205"
-"\056\203\106\110\262\327\040\137\222\066\217\347\171\017\230\136"
-"\231\350\360\320\244\273\365\123\275\052\316\131\260\257\156\177"
-"\154\273\322\036\000\260\041\355\370\101\142\202\271\330\262\304"
-"\273\106\120\363\061\305\217\001\250\164\353\365\170\047\332\347"
-"\367\146\103\363\236\203\076\040\252\303\065\140\221\316"
-, (PRUint32)1054 }
-};
-static const NSSItem nss_builtins_items_59 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Class 4 Public Primary Certification Authority - G3", (PRUint32)61 },
-  { (void *)"\310\354\214\207\222\151\313\113\253\071\351\215\176\127\147\363"
-"\024\225\163\235"
-, (PRUint32)20 },
-  { (void *)"\333\310\362\047\056\261\352\152\051\043\135\376\126\076\063\337"
-, (PRUint32)16 },
-  { (void *)"\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125"
-"\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165"
-"\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003"
-"\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145"
-"\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106"
-"\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163"
-"\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023"
-"\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
-"\064\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
-"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
-"\165\164\150\157\162\151\164\171\040\055\040\107\063"
-, (PRUint32)205 },
-  { (void *)"\002\021\000\354\240\247\213\156\165\152\001\317\304\174\314\057"
-"\224\136\327"
-, (PRUint32)19 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_60 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Entrust.net Secure Server CA", (PRUint32)29 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\303\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165"
-"\163\164\056\156\145\164\061\073\060\071\006\003\125\004\013\023"
-"\062\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164"
-"\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040"
-"\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151\141"
-"\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050\143"
-"\051\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156"
-"\145\164\040\114\151\155\151\164\145\144\061\072\060\070\006\003"
-"\125\004\003\023\061\105\156\164\162\165\163\164\056\156\145\164"
-"\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103"
-"\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164"
-"\150\157\162\151\164\171"
-, (PRUint32)198 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\303\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165"
-"\163\164\056\156\145\164\061\073\060\071\006\003\125\004\013\023"
-"\062\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164"
-"\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040"
-"\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151\141"
-"\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050\143"
-"\051\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156"
-"\145\164\040\114\151\155\151\164\145\144\061\072\060\070\006\003"
-"\125\004\003\023\061\105\156\164\162\165\163\164\056\156\145\164"
-"\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103"
-"\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164"
-"\150\157\162\151\164\171"
-, (PRUint32)198 },
-  { (void *)"\002\004\067\112\322\103"
-, (PRUint32)6 },
-  { (void *)"\060\202\004\330\060\202\004\101\240\003\002\001\002\002\004\067"
-"\112\322\103\060\015\006\011\052\206\110\206\367\015\001\001\005"
-"\005\000\060\201\303\061\013\060\011\006\003\125\004\006\023\002"
-"\125\123\061\024\060\022\006\003\125\004\012\023\013\105\156\164"
-"\162\165\163\164\056\156\145\164\061\073\060\071\006\003\125\004"
-"\013\023\062\167\167\167\056\145\156\164\162\165\163\164\056\156"
-"\145\164\057\103\120\123\040\151\156\143\157\162\160\056\040\142"
-"\171\040\162\145\146\056\040\050\154\151\155\151\164\163\040\154"
-"\151\141\142\056\051\061\045\060\043\006\003\125\004\013\023\034"
-"\050\143\051\040\061\071\071\071\040\105\156\164\162\165\163\164"
-"\056\156\145\164\040\114\151\155\151\164\145\144\061\072\060\070"
-"\006\003\125\004\003\023\061\105\156\164\162\165\163\164\056\156"
-"\145\164\040\123\145\143\165\162\145\040\123\145\162\166\145\162"
-"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
-"\165\164\150\157\162\151\164\171\060\036\027\015\071\071\060\065"
-"\062\065\061\066\060\071\064\060\132\027\015\061\071\060\065\062"
-"\065\061\066\063\071\064\060\132\060\201\303\061\013\060\011\006"
-"\003\125\004\006\023\002\125\123\061\024\060\022\006\003\125\004"
-"\012\023\013\105\156\164\162\165\163\164\056\156\145\164\061\073"
-"\060\071\006\003\125\004\013\023\062\167\167\167\056\145\156\164"
-"\162\165\163\164\056\156\145\164\057\103\120\123\040\151\156\143"
-"\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151"
-"\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006"
-"\003\125\004\013\023\034\050\143\051\040\061\071\071\071\040\105"
-"\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164"
-"\145\144\061\072\060\070\006\003\125\004\003\023\061\105\156\164"
-"\162\165\163\164\056\156\145\164\040\123\145\143\165\162\145\040"
-"\123\145\162\166\145\162\040\103\145\162\164\151\146\151\143\141"
-"\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060\201"
-"\235\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000"
-"\003\201\213\000\060\201\207\002\201\201\000\315\050\203\064\124"
-"\033\211\363\017\257\067\221\061\377\257\061\140\311\250\350\262"
-"\020\150\355\237\347\223\066\361\012\144\273\107\365\004\027\077"
-"\043\107\115\305\047\031\201\046\014\124\162\015\210\055\331\037"
-"\232\022\237\274\263\161\323\200\031\077\107\146\173\214\065\050"
-"\322\271\012\337\044\332\234\326\120\171\201\172\132\323\067\367"
-"\302\112\330\051\222\046\144\321\344\230\154\072\000\212\365\064"
-"\233\145\370\355\343\020\377\375\270\111\130\334\240\336\202\071"
-"\153\201\261\026\031\141\271\124\266\346\103\002\001\003\243\202"
-"\001\327\060\202\001\323\060\021\006\011\140\206\110\001\206\370"
-"\102\001\001\004\004\003\002\000\007\060\202\001\031\006\003\125"
-"\035\037\004\202\001\020\060\202\001\014\060\201\336\240\201\333"
-"\240\201\330\244\201\325\060\201\322\061\013\060\011\006\003\125"
-"\004\006\023\002\125\123\061\024\060\022\006\003\125\004\012\023"
-"\013\105\156\164\162\165\163\164\056\156\145\164\061\073\060\071"
-"\006\003\125\004\013\023\062\167\167\167\056\145\156\164\162\165"
-"\163\164\056\156\145\164\057\103\120\123\040\151\156\143\157\162"
-"\160\056\040\142\171\040\162\145\146\056\040\050\154\151\155\151"
-"\164\163\040\154\151\141\142\056\051\061\045\060\043\006\003\125"
-"\004\013\023\034\050\143\051\040\061\071\071\071\040\105\156\164"
-"\162\165\163\164\056\156\145\164\040\114\151\155\151\164\145\144"
-"\061\072\060\070\006\003\125\004\003\023\061\105\156\164\162\165"
-"\163\164\056\156\145\164\040\123\145\143\165\162\145\040\123\145"
-"\162\166\145\162\040\103\145\162\164\151\146\151\143\141\164\151"
-"\157\156\040\101\165\164\150\157\162\151\164\171\061\015\060\013"
-"\006\003\125\004\003\023\004\103\122\114\061\060\051\240\047\240"
-"\045\206\043\150\164\164\160\072\057\057\167\167\167\056\145\156"
-"\164\162\165\163\164\056\156\145\164\057\103\122\114\057\156\145"
-"\164\061\056\143\162\154\060\053\006\003\125\035\020\004\044\060"
-"\042\200\017\061\071\071\071\060\065\062\065\061\066\060\071\064"
-"\060\132\201\017\062\060\061\071\060\065\062\065\061\066\060\071"
-"\064\060\132\060\013\006\003\125\035\017\004\004\003\002\001\006"
-"\060\037\006\003\125\035\043\004\030\060\026\200\024\360\027\142"
-"\023\125\075\263\377\012\000\153\373\120\204\227\363\355\142\320"
-"\032\060\035\006\003\125\035\016\004\026\004\024\360\027\142\023"
-"\125\075\263\377\012\000\153\373\120\204\227\363\355\142\320\032"
-"\060\014\006\003\125\035\023\004\005\060\003\001\001\377\060\031"
-"\006\011\052\206\110\206\366\175\007\101\000\004\014\060\012\033"
-"\004\126\064\056\060\003\002\004\220\060\015\006\011\052\206\110"
-"\206\367\015\001\001\005\005\000\003\201\201\000\220\334\060\002"
-"\372\144\164\302\247\012\245\174\041\215\064\027\250\373\107\016"
-"\377\045\174\215\023\012\373\344\230\265\357\214\370\305\020\015"
-"\367\222\276\361\303\325\325\225\152\004\273\054\316\046\066\145"
-"\310\061\306\347\356\077\343\127\165\204\172\021\357\106\117\030"
-"\364\323\230\273\250\207\062\272\162\366\074\342\075\237\327\035"
-"\331\303\140\103\214\130\016\042\226\057\142\243\054\037\272\255"
-"\005\357\253\062\170\207\240\124\163\031\265\134\005\371\122\076"
-"\155\055\105\013\367\012\223\352\355\006\371\262"
-, (PRUint32)1244 }
-};
-static const NSSItem nss_builtins_items_61 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Entrust.net Secure Server CA", (PRUint32)29 },
-  { (void *)"\231\246\233\346\032\376\210\153\115\053\202\000\174\270\124\374"
-"\061\176\025\071"
-, (PRUint32)20 },
-  { (void *)"\337\362\200\163\314\361\346\141\163\374\365\102\351\305\174\356"
-, (PRUint32)16 },
-  { (void *)"\060\201\303\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165"
-"\163\164\056\156\145\164\061\073\060\071\006\003\125\004\013\023"
-"\062\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164"
-"\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040"
-"\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151\141"
-"\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050\143"
-"\051\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156"
-"\145\164\040\114\151\155\151\164\145\144\061\072\060\070\006\003"
-"\125\004\003\023\061\105\156\164\162\165\163\164\056\156\145\164"
-"\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103"
-"\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164"
-"\150\157\162\151\164\171"
-, (PRUint32)198 },
-  { (void *)"\002\004\067\112\322\103"
-, (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_62 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Entrust.net Secure Personal CA", (PRUint32)31 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\311\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165"
-"\163\164\056\156\145\164\061\110\060\106\006\003\125\004\013\024"
-"\077\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164"
-"\057\103\154\151\145\156\164\137\103\101\137\111\156\146\157\057"
-"\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040\162"
-"\145\146\056\040\154\151\155\151\164\163\040\154\151\141\142\056"
-"\061\045\060\043\006\003\125\004\013\023\034\050\143\051\040\061"
-"\071\071\071\040\105\156\164\162\165\163\164\056\156\145\164\040"
-"\114\151\155\151\164\145\144\061\063\060\061\006\003\125\004\003"
-"\023\052\105\156\164\162\165\163\164\056\156\145\164\040\103\154"
-"\151\145\156\164\040\103\145\162\164\151\146\151\143\141\164\151"
-"\157\156\040\101\165\164\150\157\162\151\164\171"
-, (PRUint32)204 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\311\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165"
-"\163\164\056\156\145\164\061\110\060\106\006\003\125\004\013\024"
-"\077\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164"
-"\057\103\154\151\145\156\164\137\103\101\137\111\156\146\157\057"
-"\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040\162"
-"\145\146\056\040\154\151\155\151\164\163\040\154\151\141\142\056"
-"\061\045\060\043\006\003\125\004\013\023\034\050\143\051\040\061"
-"\071\071\071\040\105\156\164\162\165\163\164\056\156\145\164\040"
-"\114\151\155\151\164\145\144\061\063\060\061\006\003\125\004\003"
-"\023\052\105\156\164\162\165\163\164\056\156\145\164\040\103\154"
-"\151\145\156\164\040\103\145\162\164\151\146\151\143\141\164\151"
-"\157\156\040\101\165\164\150\157\162\151\164\171"
-, (PRUint32)204 },
-  { (void *)"\002\004\070\003\221\356"
-, (PRUint32)6 },
-  { (void *)"\060\202\004\355\060\202\004\126\240\003\002\001\002\002\004\070"
-"\003\221\356\060\015\006\011\052\206\110\206\367\015\001\001\004"
-"\005\000\060\201\311\061\013\060\011\006\003\125\004\006\023\002"
-"\125\123\061\024\060\022\006\003\125\004\012\023\013\105\156\164"
-"\162\165\163\164\056\156\145\164\061\110\060\106\006\003\125\004"
-"\013\024\077\167\167\167\056\145\156\164\162\165\163\164\056\156"
-"\145\164\057\103\154\151\145\156\164\137\103\101\137\111\156\146"
-"\157\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171"
-"\040\162\145\146\056\040\154\151\155\151\164\163\040\154\151\141"
-"\142\056\061\045\060\043\006\003\125\004\013\023\034\050\143\051"
-"\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156\145"
-"\164\040\114\151\155\151\164\145\144\061\063\060\061\006\003\125"
-"\004\003\023\052\105\156\164\162\165\163\164\056\156\145\164\040"
-"\103\154\151\145\156\164\040\103\145\162\164\151\146\151\143\141"
-"\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060\036"
-"\027\015\071\071\061\060\061\062\061\071\062\064\063\060\132\027"
-"\015\061\071\061\060\061\062\061\071\065\064\063\060\132\060\201"
-"\311\061\013\060\011\006\003\125\004\006\023\002\125\123\061\024"
-"\060\022\006\003\125\004\012\023\013\105\156\164\162\165\163\164"
-"\056\156\145\164\061\110\060\106\006\003\125\004\013\024\077\167"
-"\167\167\056\145\156\164\162\165\163\164\056\156\145\164\057\103"
-"\154\151\145\156\164\137\103\101\137\111\156\146\157\057\103\120"
-"\123\040\151\156\143\157\162\160\056\040\142\171\040\162\145\146"
-"\056\040\154\151\155\151\164\163\040\154\151\141\142\056\061\045"
-"\060\043\006\003\125\004\013\023\034\050\143\051\040\061\071\071"
-"\071\040\105\156\164\162\165\163\164\056\156\145\164\040\114\151"
-"\155\151\164\145\144\061\063\060\061\006\003\125\004\003\023\052"
-"\105\156\164\162\165\163\164\056\156\145\164\040\103\154\151\145"
-"\156\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156"
-"\040\101\165\164\150\157\162\151\164\171\060\201\235\060\015\006"
-"\011\052\206\110\206\367\015\001\001\001\005\000\003\201\213\000"
-"\060\201\207\002\201\201\000\310\072\231\136\061\027\337\254\047"
-"\157\220\173\344\031\377\105\243\064\302\333\301\250\117\360\150"
-"\352\204\375\237\165\171\317\301\212\121\224\257\307\127\003\107"
-"\144\236\255\202\033\132\332\177\067\170\107\273\067\230\022\226"
-"\316\306\023\175\357\322\014\060\121\251\071\236\125\370\373\261"
-"\347\060\336\203\262\272\076\361\325\211\073\073\205\272\252\164"
-"\054\376\077\061\156\257\221\225\156\006\324\007\115\113\054\126"
-"\107\030\004\122\332\016\020\223\277\143\220\233\341\337\214\346"
-"\002\244\346\117\136\367\213\002\001\003\243\202\001\340\060\202"
-"\001\334\060\021\006\011\140\206\110\001\206\370\102\001\001\004"
-"\004\003\002\000\007\060\202\001\042\006\003\125\035\037\004\202"
-"\001\031\060\202\001\025\060\201\344\240\201\341\240\201\336\244"
-"\201\333\060\201\330\061\013\060\011\006\003\125\004\006\023\002"
-"\125\123\061\024\060\022\006\003\125\004\012\023\013\105\156\164"
-"\162\165\163\164\056\156\145\164\061\110\060\106\006\003\125\004"
-"\013\024\077\167\167\167\056\145\156\164\162\165\163\164\056\156"
-"\145\164\057\103\154\151\145\156\164\137\103\101\137\111\156\146"
-"\157\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171"
-"\040\162\145\146\056\040\154\151\155\151\164\163\040\154\151\141"
-"\142\056\061\045\060\043\006\003\125\004\013\023\034\050\143\051"
-"\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156\145"
-"\164\040\114\151\155\151\164\145\144\061\063\060\061\006\003\125"
-"\004\003\023\052\105\156\164\162\165\163\164\056\156\145\164\040"
-"\103\154\151\145\156\164\040\103\145\162\164\151\146\151\143\141"
-"\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061\015"
-"\060\013\006\003\125\004\003\023\004\103\122\114\061\060\054\240"
-"\052\240\050\206\046\150\164\164\160\072\057\057\167\167\167\056"
-"\145\156\164\162\165\163\164\056\156\145\164\057\103\122\114\057"
-"\103\154\151\145\156\164\061\056\143\162\154\060\053\006\003\125"
-"\035\020\004\044\060\042\200\017\061\071\071\071\061\060\061\062"
-"\061\071\062\064\063\060\132\201\017\062\060\061\071\061\060\061"
-"\062\061\071\062\064\063\060\132\060\013\006\003\125\035\017\004"
-"\004\003\002\001\006\060\037\006\003\125\035\043\004\030\060\026"
-"\200\024\304\373\234\051\173\227\315\114\226\374\356\133\263\312"
-"\231\164\213\225\352\114\060\035\006\003\125\035\016\004\026\004"
-"\024\304\373\234\051\173\227\315\114\226\374\356\133\263\312\231"
-"\164\213\225\352\114\060\014\006\003\125\035\023\004\005\060\003"
-"\001\001\377\060\031\006\011\052\206\110\206\366\175\007\101\000"
-"\004\014\060\012\033\004\126\064\056\060\003\002\004\220\060\015"
-"\006\011\052\206\110\206\367\015\001\001\004\005\000\003\201\201"
-"\000\077\256\212\361\327\146\003\005\236\076\372\352\034\106\273"
-"\244\133\217\170\232\022\110\231\371\364\065\336\014\066\007\002"
-"\153\020\072\211\024\201\234\061\246\174\262\101\262\152\347\007"
-"\001\241\113\371\237\045\073\226\312\231\303\076\241\121\034\363"
-"\303\056\104\367\260\147\106\252\222\345\073\332\034\031\024\070"
-"\060\325\342\242\061\045\056\361\354\105\070\355\370\006\130\003"
-"\163\142\260\020\061\217\100\277\144\340\134\076\305\117\037\332"
-"\022\103\377\114\346\006\046\250\233\031\252\104\074\166\262\134"
-"\354"
-, (PRUint32)1265 }
-};
-static const NSSItem nss_builtins_items_63 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Entrust.net Secure Personal CA", (PRUint32)31 },
-  { (void *)"\332\171\301\161\021\120\302\064\071\252\053\013\014\142\375\125"
-"\262\371\365\200"
-, (PRUint32)20 },
-  { (void *)"\014\101\057\023\133\240\124\365\226\146\055\176\315\016\003\364"
-, (PRUint32)16 },
-  { (void *)"\060\201\311\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165"
-"\163\164\056\156\145\164\061\110\060\106\006\003\125\004\013\024"
-"\077\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164"
-"\057\103\154\151\145\156\164\137\103\101\137\111\156\146\157\057"
-"\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040\162"
-"\145\146\056\040\154\151\155\151\164\163\040\154\151\141\142\056"
-"\061\045\060\043\006\003\125\004\013\023\034\050\143\051\040\061"
-"\071\071\071\040\105\156\164\162\165\163\164\056\156\145\164\040"
-"\114\151\155\151\164\145\144\061\063\060\061\006\003\125\004\003"
-"\023\052\105\156\164\162\165\163\164\056\156\145\164\040\103\154"
-"\151\145\156\164\040\103\145\162\164\151\146\151\143\141\164\151"
-"\157\156\040\101\165\164\150\157\162\151\164\171"
-, (PRUint32)204 },
-  { (void *)"\002\004\070\003\221\356"
-, (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_64 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Entrust.net Premium 2048 Secure Server CA", (PRUint32)42 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\264\061\024\060\022\006\003\125\004\012\023\013\105\156"
-"\164\162\165\163\164\056\156\145\164\061\100\060\076\006\003\125"
-"\004\013\024\067\167\167\167\056\145\156\164\162\165\163\164\056"
-"\156\145\164\057\103\120\123\137\062\060\064\070\040\151\156\143"
-"\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151"
-"\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006"
-"\003\125\004\013\023\034\050\143\051\040\061\071\071\071\040\105"
-"\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164"
-"\145\144\061\063\060\061\006\003\125\004\003\023\052\105\156\164"
-"\162\165\163\164\056\156\145\164\040\103\145\162\164\151\146\151"
-"\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171"
-"\040\050\062\060\064\070\051"
-, (PRUint32)183 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\264\061\024\060\022\006\003\125\004\012\023\013\105\156"
-"\164\162\165\163\164\056\156\145\164\061\100\060\076\006\003\125"
-"\004\013\024\067\167\167\167\056\145\156\164\162\165\163\164\056"
-"\156\145\164\057\103\120\123\137\062\060\064\070\040\151\156\143"
-"\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151"
-"\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006"
-"\003\125\004\013\023\034\050\143\051\040\061\071\071\071\040\105"
-"\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164"
-"\145\144\061\063\060\061\006\003\125\004\003\023\052\105\156\164"
-"\162\165\163\164\056\156\145\164\040\103\145\162\164\151\146\151"
-"\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171"
-"\040\050\062\060\064\070\051"
-, (PRUint32)183 },
-  { (void *)"\002\004\070\143\271\146"
-, (PRUint32)6 },
-  { (void *)"\060\202\004\134\060\202\003\104\240\003\002\001\002\002\004\070"
-"\143\271\146\060\015\006\011\052\206\110\206\367\015\001\001\005"
-"\005\000\060\201\264\061\024\060\022\006\003\125\004\012\023\013"
-"\105\156\164\162\165\163\164\056\156\145\164\061\100\060\076\006"
-"\003\125\004\013\024\067\167\167\167\056\145\156\164\162\165\163"
-"\164\056\156\145\164\057\103\120\123\137\062\060\064\070\040\151"
-"\156\143\157\162\160\056\040\142\171\040\162\145\146\056\040\050"
-"\154\151\155\151\164\163\040\154\151\141\142\056\051\061\045\060"
-"\043\006\003\125\004\013\023\034\050\143\051\040\061\071\071\071"
-"\040\105\156\164\162\165\163\164\056\156\145\164\040\114\151\155"
-"\151\164\145\144\061\063\060\061\006\003\125\004\003\023\052\105"
-"\156\164\162\165\163\164\056\156\145\164\040\103\145\162\164\151"
-"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
-"\164\171\040\050\062\060\064\070\051\060\036\027\015\071\071\061"
-"\062\062\064\061\067\065\060\065\061\132\027\015\061\071\061\062"
-"\062\064\061\070\062\060\065\061\132\060\201\264\061\024\060\022"
-"\006\003\125\004\012\023\013\105\156\164\162\165\163\164\056\156"
-"\145\164\061\100\060\076\006\003\125\004\013\024\067\167\167\167"
-"\056\145\156\164\162\165\163\164\056\156\145\164\057\103\120\123"
-"\137\062\060\064\070\040\151\156\143\157\162\160\056\040\142\171"
-"\040\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151"
-"\141\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050"
-"\143\051\040\061\071\071\071\040\105\156\164\162\165\163\164\056"
-"\156\145\164\040\114\151\155\151\164\145\144\061\063\060\061\006"
-"\003\125\004\003\023\052\105\156\164\162\165\163\164\056\156\145"
-"\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
-"\101\165\164\150\157\162\151\164\171\040\050\062\060\064\070\051"
-"\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001"
-"\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001"
-"\000\255\115\113\251\022\206\262\352\243\040\007\025\026\144\052"
-"\053\113\321\277\013\112\115\216\355\200\166\245\147\267\170\100"
-"\300\163\102\310\150\300\333\123\053\335\136\270\166\230\065\223"
-"\213\032\235\174\023\072\016\037\133\267\036\317\345\044\024\036"
-"\261\201\251\215\175\270\314\153\113\003\361\002\014\334\253\245"
-"\100\044\000\177\164\224\241\235\010\051\263\210\013\365\207\167"
-"\235\125\315\344\303\176\327\152\144\253\205\024\206\225\133\227"
-"\062\120\157\075\310\272\146\014\343\374\275\270\111\301\166\211"
-"\111\031\375\300\250\275\211\243\147\057\306\237\274\161\031\140"
-"\270\055\351\054\311\220\166\146\173\224\342\257\170\326\145\123"
-"\135\074\326\234\262\317\051\003\371\057\244\120\262\324\110\316"
-"\005\062\125\212\375\262\144\114\016\344\230\007\165\333\177\337"
-"\271\010\125\140\205\060\051\371\173\110\244\151\206\343\065\077"
-"\036\206\135\172\172\025\275\357\000\216\025\042\124\027\000\220"
-"\046\223\274\016\111\150\221\277\370\107\323\235\225\102\301\016"
-"\115\337\157\046\317\303\030\041\142\146\103\160\326\325\300\007"
-"\341\002\003\001\000\001\243\164\060\162\060\021\006\011\140\206"
-"\110\001\206\370\102\001\001\004\004\003\002\000\007\060\037\006"
-"\003\125\035\043\004\030\060\026\200\024\125\344\201\321\021\200"
-"\276\330\211\271\010\243\061\371\241\044\011\026\271\160\060\035"
-"\006\003\125\035\016\004\026\004\024\125\344\201\321\021\200\276"
-"\330\211\271\010\243\061\371\241\044\011\026\271\160\060\035\006"
-"\011\052\206\110\206\366\175\007\101\000\004\020\060\016\033\010"
-"\126\065\056\060\072\064\056\060\003\002\004\220\060\015\006\011"
-"\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001\000"
-"\131\107\254\041\204\212\027\311\234\211\123\036\272\200\205\032"
-"\306\074\116\076\261\234\266\174\306\222\135\030\144\002\343\323"
-"\006\010\021\141\174\143\343\053\235\061\003\160\166\322\243\050"
-"\240\364\273\232\143\163\355\155\345\052\333\355\024\251\053\306"
-"\066\021\320\053\353\007\213\245\332\236\134\031\235\126\022\365"
-"\124\051\310\005\355\262\022\052\215\364\003\033\377\347\222\020"
-"\207\260\072\265\303\235\005\067\022\243\307\364\025\271\325\244"
-"\071\026\233\123\072\043\221\361\250\202\242\152\210\150\301\171"
-"\002\042\274\252\246\326\256\337\260\024\137\270\207\320\335\174"
-"\177\173\377\257\034\317\346\333\007\255\136\333\205\235\320\053"
-"\015\063\333\004\321\346\111\100\023\053\166\373\076\351\234\211"
-"\017\025\316\030\260\205\170\041\117\153\117\016\372\066\147\315"
-"\007\362\377\010\320\342\336\331\277\052\257\270\207\206\041\074"
-"\004\312\267\224\150\177\317\074\351\230\327\070\377\354\300\331"
-"\120\360\056\113\130\256\106\157\320\056\303\140\332\162\125\162"
-"\275\114\105\236\141\272\277\204\201\222\003\321\322\151\174\305"
-, (PRUint32)1120 }
-};
-static const NSSItem nss_builtins_items_65 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Entrust.net Premium 2048 Secure Server CA", (PRUint32)42 },
-  { (void *)"\200\035\142\320\173\104\235\134\134\003\134\230\352\141\372\104"
-"\074\052\130\376"
-, (PRUint32)20 },
-  { (void *)"\272\041\352\040\326\335\333\217\301\127\213\100\255\241\374\374"
-, (PRUint32)16 },
-  { (void *)"\060\201\264\061\024\060\022\006\003\125\004\012\023\013\105\156"
-"\164\162\165\163\164\056\156\145\164\061\100\060\076\006\003\125"
-"\004\013\024\067\167\167\167\056\145\156\164\162\165\163\164\056"
-"\156\145\164\057\103\120\123\137\062\060\064\070\040\151\156\143"
-"\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151"
-"\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006"
-"\003\125\004\013\023\034\050\143\051\040\061\071\071\071\040\105"
-"\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164"
-"\145\144\061\063\060\061\006\003\125\004\003\023\052\105\156\164"
-"\162\165\163\164\056\156\145\164\040\103\145\162\164\151\146\151"
-"\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171"
-"\040\050\062\060\064\070\051"
-, (PRUint32)183 },
-  { (void *)"\002\004\070\143\271\146"
-, (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_66 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Baltimore CyberTrust Root", (PRUint32)26 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\132\061\013\060\011\006\003\125\004\006\023\002\111\105\061"
-"\022\060\020\006\003\125\004\012\023\011\102\141\154\164\151\155"
-"\157\162\145\061\023\060\021\006\003\125\004\013\023\012\103\171"
-"\142\145\162\124\162\165\163\164\061\042\060\040\006\003\125\004"
-"\003\023\031\102\141\154\164\151\155\157\162\145\040\103\171\142"
-"\145\162\124\162\165\163\164\040\122\157\157\164"
-, (PRUint32)92 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\132\061\013\060\011\006\003\125\004\006\023\002\111\105\061"
-"\022\060\020\006\003\125\004\012\023\011\102\141\154\164\151\155"
-"\157\162\145\061\023\060\021\006\003\125\004\013\023\012\103\171"
-"\142\145\162\124\162\165\163\164\061\042\060\040\006\003\125\004"
-"\003\023\031\102\141\154\164\151\155\157\162\145\040\103\171\142"
-"\145\162\124\162\165\163\164\040\122\157\157\164"
-, (PRUint32)92 },
-  { (void *)"\002\004\002\000\000\271"
-, (PRUint32)6 },
-  { (void *)"\060\202\003\167\060\202\002\137\240\003\002\001\002\002\004\002"
-"\000\000\271\060\015\006\011\052\206\110\206\367\015\001\001\005"
-"\005\000\060\132\061\013\060\011\006\003\125\004\006\023\002\111"
-"\105\061\022\060\020\006\003\125\004\012\023\011\102\141\154\164"
-"\151\155\157\162\145\061\023\060\021\006\003\125\004\013\023\012"
-"\103\171\142\145\162\124\162\165\163\164\061\042\060\040\006\003"
-"\125\004\003\023\031\102\141\154\164\151\155\157\162\145\040\103"
-"\171\142\145\162\124\162\165\163\164\040\122\157\157\164\060\036"
-"\027\015\060\060\060\065\061\062\061\070\064\066\060\060\132\027"
-"\015\062\065\060\065\061\062\062\063\065\071\060\060\132\060\132"
-"\061\013\060\011\006\003\125\004\006\023\002\111\105\061\022\060"
-"\020\006\003\125\004\012\023\011\102\141\154\164\151\155\157\162"
-"\145\061\023\060\021\006\003\125\004\013\023\012\103\171\142\145"
-"\162\124\162\165\163\164\061\042\060\040\006\003\125\004\003\023"
-"\031\102\141\154\164\151\155\157\162\145\040\103\171\142\145\162"
-"\124\162\165\163\164\040\122\157\157\164\060\202\001\042\060\015"
-"\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001"
-"\017\000\060\202\001\012\002\202\001\001\000\243\004\273\042\253"
-"\230\075\127\350\046\162\232\265\171\324\051\342\341\350\225\200"
-"\261\260\343\133\216\053\051\232\144\337\241\135\355\260\011\005"
-"\155\333\050\056\316\142\242\142\376\264\210\332\022\353\070\353"
-"\041\235\300\101\053\001\122\173\210\167\323\034\217\307\272\271"
-"\210\265\152\011\347\163\350\021\100\247\321\314\312\142\215\055"
-"\345\217\013\246\120\322\250\120\303\050\352\365\253\045\207\212"
-"\232\226\034\251\147\270\077\014\325\367\371\122\023\057\302\033"
-"\325\160\160\360\217\300\022\312\006\313\232\341\331\312\063\172"
-"\167\326\370\354\271\361\150\104\102\110\023\322\300\302\244\256"
-"\136\140\376\266\246\005\374\264\335\007\131\002\324\131\030\230"
-"\143\365\245\143\340\220\014\175\135\262\006\172\363\205\352\353"
-"\324\003\256\136\204\076\137\377\025\355\151\274\371\071\066\162"
-"\165\317\167\122\115\363\311\220\054\271\075\345\311\043\123\077"
-"\037\044\230\041\134\007\231\051\275\306\072\354\347\156\206\072"
-"\153\227\164\143\063\275\150\030\061\360\170\215\166\277\374\236"
-"\216\135\052\206\247\115\220\334\047\032\071\002\003\001\000\001"
-"\243\105\060\103\060\035\006\003\125\035\016\004\026\004\024\345"
-"\235\131\060\202\107\130\314\254\372\010\124\066\206\173\072\265"
-"\004\115\360\060\022\006\003\125\035\023\001\001\377\004\010\060"
-"\006\001\001\377\002\001\003\060\016\006\003\125\035\017\001\001"
-"\377\004\004\003\002\001\006\060\015\006\011\052\206\110\206\367"
-"\015\001\001\005\005\000\003\202\001\001\000\205\014\135\216\344"
-"\157\121\150\102\005\240\335\273\117\047\045\204\003\275\367\144"
-"\375\055\327\060\343\244\020\027\353\332\051\051\266\171\077\166"
-"\366\031\023\043\270\020\012\371\130\244\324\141\160\275\004\141"
-"\152\022\212\027\325\012\275\305\274\060\174\326\351\014\045\215"
-"\206\100\117\354\314\243\176\070\306\067\021\117\355\335\150\061"
-"\216\114\322\263\001\164\356\276\165\136\007\110\032\177\160\377"
-"\026\134\204\300\171\205\270\005\375\177\276\145\021\243\017\300"
-"\002\264\370\122\067\071\004\325\251\061\172\030\277\240\052\364"
-"\022\231\367\243\105\202\343\074\136\365\235\236\265\310\236\174"
-"\056\310\244\236\116\010\024\113\155\375\160\155\153\032\143\275"
-"\144\346\037\267\316\360\362\237\056\273\033\267\362\120\210\163"
-"\222\302\342\343\026\215\232\062\002\253\216\030\335\351\020\021"
-"\356\176\065\253\220\257\076\060\224\172\320\063\075\247\145\017"
-"\365\374\216\236\142\317\107\104\054\001\135\273\035\265\062\322"
-"\107\322\070\056\320\376\201\334\062\152\036\265\356\074\325\374"
-"\347\201\035\031\303\044\102\352\143\071\251"
-, (PRUint32)891 }
-};
-static const NSSItem nss_builtins_items_67 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Baltimore CyberTrust Root", (PRUint32)26 },
-  { (void *)"\324\336\040\320\136\146\374\123\376\032\120\210\054\170\333\050"
-"\122\312\344\164"
-, (PRUint32)20 },
-  { (void *)"\254\266\224\245\234\027\340\327\221\122\233\261\227\006\246\344"
-, (PRUint32)16 },
-  { (void *)"\060\132\061\013\060\011\006\003\125\004\006\023\002\111\105\061"
-"\022\060\020\006\003\125\004\012\023\011\102\141\154\164\151\155"
-"\157\162\145\061\023\060\021\006\003\125\004\013\023\012\103\171"
-"\142\145\162\124\162\165\163\164\061\042\060\040\006\003\125\004"
-"\003\023\031\102\141\154\164\151\155\157\162\145\040\103\171\142"
-"\145\162\124\162\165\163\164\040\122\157\157\164"
-, (PRUint32)92 },
-  { (void *)"\002\004\002\000\000\271"
-, (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
-};
-static const NSSItem nss_builtins_items_68 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Equifax Secure Global eBusiness CA", (PRUint32)35 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141"
-"\170\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060"
-"\053\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040"
-"\123\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102"
-"\165\163\151\156\145\163\163\040\103\101\055\061"
-, (PRUint32)92 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141"
-"\170\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060"
-"\053\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040"
-"\123\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102"
-"\165\163\151\156\145\163\163\040\103\101\055\061"
-, (PRUint32)92 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)"\060\202\002\220\060\202\001\371\240\003\002\001\002\002\001\001"
-"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060"
-"\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061\034"
-"\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141\170"
-"\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060\053"
-"\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040\123"
-"\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102\165"
-"\163\151\156\145\163\163\040\103\101\055\061\060\036\027\015\071"
-"\071\060\066\062\061\060\064\060\060\060\060\132\027\015\062\060"
-"\060\066\062\061\060\064\060\060\060\060\132\060\132\061\013\060"
-"\011\006\003\125\004\006\023\002\125\123\061\034\060\032\006\003"
-"\125\004\012\023\023\105\161\165\151\146\141\170\040\123\145\143"
-"\165\162\145\040\111\156\143\056\061\055\060\053\006\003\125\004"
-"\003\023\044\105\161\165\151\146\141\170\040\123\145\143\165\162"
-"\145\040\107\154\157\142\141\154\040\145\102\165\163\151\156\145"
-"\163\163\040\103\101\055\061\060\201\237\060\015\006\011\052\206"
-"\110\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211"
-"\002\201\201\000\272\347\027\220\002\145\261\064\125\074\111\302"
-"\121\325\337\247\321\067\217\321\347\201\163\101\122\140\233\235"
-"\241\027\046\170\255\307\261\350\046\224\062\265\336\063\215\072"
-"\057\333\362\232\172\132\163\230\243\134\351\373\212\163\033\134"
-"\347\303\277\200\154\315\251\364\326\053\300\367\371\231\252\143"
-"\242\261\107\002\017\324\344\121\072\022\074\154\212\132\124\204"
-"\160\333\301\305\220\317\162\105\313\250\131\300\315\063\235\077"
-"\243\226\353\205\063\041\034\076\036\076\140\156\166\234\147\205"
-"\305\310\303\141\002\003\001\000\001\243\146\060\144\060\021\006"
-"\011\140\206\110\001\206\370\102\001\001\004\004\003\002\000\007"
-"\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001"
-"\377\060\037\006\003\125\035\043\004\030\060\026\200\024\276\250"
-"\240\164\162\120\153\104\267\311\043\330\373\250\377\263\127\153"
-"\150\154\060\035\006\003\125\035\016\004\026\004\024\276\250\240"
-"\164\162\120\153\104\267\311\043\330\373\250\377\263\127\153\150"
-"\154\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000"
-"\003\201\201\000\060\342\001\121\252\307\352\137\332\271\320\145"
-"\017\060\326\076\332\015\024\111\156\221\223\047\024\061\357\304"
-"\367\055\105\370\354\307\277\242\101\015\043\264\222\371\031\000"
-"\147\275\001\257\315\340\161\374\132\317\144\304\340\226\230\320"
-"\243\100\342\001\212\357\047\007\361\145\001\212\104\055\006\145"
-"\165\122\300\206\020\040\041\137\154\153\017\154\256\011\034\257"
-"\362\242\030\064\304\165\244\163\034\361\215\334\357\255\371\263"
-"\166\264\222\277\334\225\020\036\276\313\310\073\132\204\140\031"
-"\126\224\251\125"
-, (PRUint32)660 }
-};
-static const NSSItem nss_builtins_items_69 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Equifax Secure Global eBusiness CA", (PRUint32)35 },
-  { (void *)"\176\170\112\020\034\202\145\314\055\341\361\155\107\264\100\312"
-"\331\012\031\105"
-, (PRUint32)20 },
-  { (void *)"\217\135\167\006\047\304\230\074\133\223\170\347\327\175\233\314"
-, (PRUint32)16 },
-  { (void *)"\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141"
-"\170\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060"
-"\053\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040"
-"\123\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102"
-"\165\163\151\156\145\163\163\040\103\101\055\061"
-, (PRUint32)92 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_70 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Equifax Secure eBusiness CA 1", (PRUint32)30 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\123\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141"
-"\170\040\123\145\143\165\162\145\040\111\156\143\056\061\046\060"
-"\044\006\003\125\004\003\023\035\105\161\165\151\146\141\170\040"
-"\123\145\143\165\162\145\040\145\102\165\163\151\156\145\163\163"
-"\040\103\101\055\061"
-, (PRUint32)85 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\123\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141"
-"\170\040\123\145\143\165\162\145\040\111\156\143\056\061\046\060"
-"\044\006\003\125\004\003\023\035\105\161\165\151\146\141\170\040"
-"\123\145\143\165\162\145\040\145\102\165\163\151\156\145\163\163"
-"\040\103\101\055\061"
-, (PRUint32)85 },
-  { (void *)"\002\001\004"
-, (PRUint32)3 },
-  { (void *)"\060\202\002\202\060\202\001\353\240\003\002\001\002\002\001\004"
-"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060"
-"\123\061\013\060\011\006\003\125\004\006\023\002\125\123\061\034"
-"\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141\170"
-"\040\123\145\143\165\162\145\040\111\156\143\056\061\046\060\044"
-"\006\003\125\004\003\023\035\105\161\165\151\146\141\170\040\123"
-"\145\143\165\162\145\040\145\102\165\163\151\156\145\163\163\040"
-"\103\101\055\061\060\036\027\015\071\071\060\066\062\061\060\064"
-"\060\060\060\060\132\027\015\062\060\060\066\062\061\060\064\060"
-"\060\060\060\132\060\123\061\013\060\011\006\003\125\004\006\023"
-"\002\125\123\061\034\060\032\006\003\125\004\012\023\023\105\161"
-"\165\151\146\141\170\040\123\145\143\165\162\145\040\111\156\143"
-"\056\061\046\060\044\006\003\125\004\003\023\035\105\161\165\151"
-"\146\141\170\040\123\145\143\165\162\145\040\145\102\165\163\151"
-"\156\145\163\163\040\103\101\055\061\060\201\237\060\015\006\011"
-"\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060"
-"\201\211\002\201\201\000\316\057\031\274\027\267\167\336\223\251"
-"\137\132\015\027\117\064\032\014\230\364\042\331\131\324\304\150"
-"\106\360\264\065\305\205\003\040\306\257\105\245\041\121\105\101"
-"\353\026\130\066\062\157\342\120\142\144\371\375\121\234\252\044"
-"\331\364\235\203\052\207\012\041\323\022\070\064\154\215\000\156"
-"\132\240\331\102\356\032\041\225\371\122\114\125\132\305\017\070"
-"\117\106\372\155\370\056\065\326\035\174\353\342\360\260\165\200"
-"\310\251\023\254\276\210\357\072\156\253\137\052\070\142\002\260"
-"\022\173\376\217\246\003\002\003\001\000\001\243\146\060\144\060"
-"\021\006\011\140\206\110\001\206\370\102\001\001\004\004\003\002"
-"\000\007\060\017\006\003\125\035\023\001\001\377\004\005\060\003"
-"\001\001\377\060\037\006\003\125\035\043\004\030\060\026\200\024"
-"\112\170\062\122\021\333\131\026\066\136\337\301\024\066\100\152"
-"\107\174\114\241\060\035\006\003\125\035\016\004\026\004\024\112"
-"\170\062\122\021\333\131\026\066\136\337\301\024\066\100\152\107"
-"\174\114\241\060\015\006\011\052\206\110\206\367\015\001\001\004"
-"\005\000\003\201\201\000\165\133\250\233\003\021\346\351\126\114"
-"\315\371\251\114\300\015\232\363\314\145\151\346\045\166\314\131"
-"\267\326\124\303\035\315\231\254\031\335\264\205\325\340\075\374"
-"\142\040\247\204\113\130\145\361\342\371\225\041\077\365\324\176"
-"\130\036\107\207\124\076\130\241\265\265\370\052\357\161\347\274"
-"\303\366\261\111\106\342\327\240\153\345\126\172\232\047\230\174"
-"\106\142\024\347\311\374\156\003\022\171\200\070\035\110\202\215"
-"\374\027\376\052\226\053\265\142\246\246\075\275\177\222\131\315"
-"\132\052\202\262\067\171"
-, (PRUint32)646 }
-};
-static const NSSItem nss_builtins_items_71 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Equifax Secure eBusiness CA 1", (PRUint32)30 },
-  { (void *)"\332\100\030\213\221\211\243\355\356\256\332\227\376\057\235\365"
-"\267\321\212\101"
-, (PRUint32)20 },
-  { (void *)"\144\234\357\056\104\374\306\217\122\007\320\121\163\217\313\075"
-, (PRUint32)16 },
-  { (void *)"\060\123\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141"
-"\170\040\123\145\143\165\162\145\040\111\156\143\056\061\046\060"
-"\044\006\003\125\004\003\023\035\105\161\165\151\146\141\170\040"
-"\123\145\143\165\162\145\040\145\102\165\163\151\156\145\163\163"
-"\040\103\101\055\061"
-, (PRUint32)85 },
-  { (void *)"\002\001\004"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_72 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Equifax Secure eBusiness CA 2", (PRUint32)30 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\027\060\025\006\003\125\004\012\023\016\105\161\165\151\146\141"
-"\170\040\123\145\143\165\162\145\061\046\060\044\006\003\125\004"
-"\013\023\035\105\161\165\151\146\141\170\040\123\145\143\165\162"
-"\145\040\145\102\165\163\151\156\145\163\163\040\103\101\055\062"
-, (PRUint32)80 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\027\060\025\006\003\125\004\012\023\016\105\161\165\151\146\141"
-"\170\040\123\145\143\165\162\145\061\046\060\044\006\003\125\004"
-"\013\023\035\105\161\165\151\146\141\170\040\123\145\143\165\162"
-"\145\040\145\102\165\163\151\156\145\163\163\040\103\101\055\062"
-, (PRUint32)80 },
-  { (void *)"\002\004\067\160\317\265"
-, (PRUint32)6 },
-  { (void *)"\060\202\003\040\060\202\002\211\240\003\002\001\002\002\004\067"
-"\160\317\265\060\015\006\011\052\206\110\206\367\015\001\001\005"
-"\005\000\060\116\061\013\060\011\006\003\125\004\006\023\002\125"
-"\123\061\027\060\025\006\003\125\004\012\023\016\105\161\165\151"
-"\146\141\170\040\123\145\143\165\162\145\061\046\060\044\006\003"
-"\125\004\013\023\035\105\161\165\151\146\141\170\040\123\145\143"
-"\165\162\145\040\145\102\165\163\151\156\145\163\163\040\103\101"
-"\055\062\060\036\027\015\071\071\060\066\062\063\061\062\061\064"
-"\064\065\132\027\015\061\071\060\066\062\063\061\062\061\064\064"
-"\065\132\060\116\061\013\060\011\006\003\125\004\006\023\002\125"
-"\123\061\027\060\025\006\003\125\004\012\023\016\105\161\165\151"
-"\146\141\170\040\123\145\143\165\162\145\061\046\060\044\006\003"
-"\125\004\013\023\035\105\161\165\151\146\141\170\040\123\145\143"
-"\165\162\145\040\145\102\165\163\151\156\145\163\163\040\103\101"
-"\055\062\060\201\237\060\015\006\011\052\206\110\206\367\015\001"
-"\001\001\005\000\003\201\215\000\060\201\211\002\201\201\000\344"
-"\071\071\223\036\122\006\033\050\066\370\262\243\051\305\355\216"
-"\262\021\275\376\353\347\264\164\302\217\377\005\347\331\235\006"
-"\277\022\310\077\016\362\326\321\044\262\021\336\321\163\011\212"
-"\324\261\054\230\011\015\036\120\106\262\203\246\105\215\142\150"
-"\273\205\033\040\160\062\252\100\315\246\226\137\304\161\067\077"
-"\004\363\267\101\044\071\007\032\036\056\141\130\240\022\013\345"
-"\245\337\305\253\352\067\161\314\034\310\067\072\271\227\122\247"
-"\254\305\152\044\224\116\234\173\317\300\152\326\337\041\275\002"
-"\003\001\000\001\243\202\001\011\060\202\001\005\060\160\006\003"
-"\125\035\037\004\151\060\147\060\145\240\143\240\141\244\137\060"
-"\135\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027"
-"\060\025\006\003\125\004\012\023\016\105\161\165\151\146\141\170"
-"\040\123\145\143\165\162\145\061\046\060\044\006\003\125\004\013"
-"\023\035\105\161\165\151\146\141\170\040\123\145\143\165\162\145"
-"\040\145\102\165\163\151\156\145\163\163\040\103\101\055\062\061"
-"\015\060\013\006\003\125\004\003\023\004\103\122\114\061\060\032"
-"\006\003\125\035\020\004\023\060\021\201\017\062\060\061\071\060"
-"\066\062\063\061\062\061\064\064\065\132\060\013\006\003\125\035"
-"\017\004\004\003\002\001\006\060\037\006\003\125\035\043\004\030"
-"\060\026\200\024\120\236\013\352\257\136\271\040\110\246\120\152"
-"\313\375\330\040\172\247\202\166\060\035\006\003\125\035\016\004"
-"\026\004\024\120\236\013\352\257\136\271\040\110\246\120\152\313"
-"\375\330\040\172\247\202\166\060\014\006\003\125\035\023\004\005"
-"\060\003\001\001\377\060\032\006\011\052\206\110\206\366\175\007"
-"\101\000\004\015\060\013\033\005\126\063\056\060\143\003\002\006"
-"\300\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000"
-"\003\201\201\000\014\206\202\255\350\116\032\365\216\211\047\342"
-"\065\130\075\051\264\007\217\066\120\225\277\156\301\236\353\304"
-"\220\262\205\250\273\267\102\340\017\007\071\337\373\236\220\262"
-"\321\301\076\123\237\003\104\260\176\113\364\157\344\174\037\347"
-"\342\261\344\270\232\357\303\275\316\336\013\062\064\331\336\050"
-"\355\063\153\304\324\327\075\022\130\253\175\011\055\313\160\365"
-"\023\212\224\241\047\244\326\160\305\155\224\265\311\175\235\240"
-"\322\306\010\111\331\146\233\246\323\364\013\334\305\046\127\341"
-"\221\060\352\315"
-, (PRUint32)804 }
-};
-static const NSSItem nss_builtins_items_73 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Equifax Secure eBusiness CA 2", (PRUint32)30 },
-  { (void *)"\071\117\366\205\013\006\276\122\345\030\126\314\020\341\200\350"
-"\202\263\205\314"
-, (PRUint32)20 },
-  { (void *)"\252\277\277\144\227\332\230\035\157\306\010\072\225\160\063\312"
-, (PRUint32)16 },
-  { (void *)"\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\027\060\025\006\003\125\004\012\023\016\105\161\165\151\146\141"
-"\170\040\123\145\143\165\162\145\061\046\060\044\006\003\125\004"
-"\013\023\035\105\161\165\151\146\141\170\040\123\145\143\165\162"
-"\145\040\145\102\165\163\151\156\145\163\163\040\103\101\055\062"
-, (PRUint32)80 },
-  { (void *)"\002\004\067\160\317\265"
-, (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
-};
-static const NSSItem nss_builtins_items_74 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Visa International Global Root 2", (PRUint32)33 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057"
-"\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156"
-"\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166"
-"\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061"
-"\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157"
-"\164\040\062"
-, (PRUint32)99 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057"
-"\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156"
-"\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166"
-"\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061"
-"\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157"
-"\164\040\062"
-, (PRUint32)99 },
-  { (void *)"\002\002\003\036"
-, (PRUint32)4 },
-  { (void *)"\060\202\003\200\060\202\002\150\240\003\002\001\002\002\002\003"
-"\036\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000"
-"\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057"
-"\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156"
-"\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166"
-"\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061"
-"\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157"
-"\164\040\062\060\036\027\015\060\060\060\070\061\066\062\062\065"
-"\061\060\060\132\027\015\062\060\060\070\061\065\062\063\065\071"
-"\060\060\132\060\141\061\013\060\011\006\003\125\004\006\023\002"
-"\125\123\061\015\060\013\006\003\125\004\012\023\004\126\111\123"
-"\101\061\057\060\055\006\003\125\004\013\023\046\126\151\163\141"
-"\040\111\156\164\145\162\156\141\164\151\157\156\141\154\040\123"
-"\145\162\166\151\143\145\040\101\163\163\157\143\151\141\164\151"
-"\157\156\061\022\060\020\006\003\125\004\003\023\011\107\120\040"
-"\122\157\157\164\040\062\060\202\001\042\060\015\006\011\052\206"
-"\110\206\367\015\001\001\001\005\000\003\202\001\017\000\060\202"
-"\001\012\002\202\001\001\000\251\001\160\265\252\304\100\360\253"
-"\152\046\141\171\031\000\374\277\233\067\131\014\257\157\144\033"
-"\370\332\225\224\044\151\063\021\160\312\343\126\164\242\027\127"
-"\144\134\040\006\341\326\357\161\267\073\367\253\301\151\320\111"
-"\244\261\004\327\364\127\142\211\134\260\165\055\027\044\151\343"
-"\102\140\344\356\164\326\253\200\126\330\210\050\341\373\155\042"
-"\375\043\174\106\163\117\176\124\163\036\250\054\125\130\165\267"
-"\114\363\132\105\245\002\032\372\332\235\303\105\303\042\136\363"
-"\213\361\140\051\322\307\137\264\014\072\121\203\357\060\370\324"
-"\347\307\362\372\231\243\042\120\276\371\005\067\243\255\355\232"
-"\303\346\354\210\033\266\031\047\033\070\213\200\115\354\271\307"
-"\305\211\313\374\032\062\355\043\360\265\001\130\371\366\217\340"
-"\205\251\114\011\162\071\022\333\263\365\317\116\142\144\332\306"
-"\031\025\072\143\035\351\027\125\241\114\042\074\064\062\106\370"
-"\145\127\272\053\357\066\214\152\372\331\331\104\364\252\335\204"
-"\327\015\034\262\124\254\062\205\264\144\015\336\101\273\261\064"
-"\306\001\206\062\144\325\237\002\003\001\000\001\243\102\060\100"
-"\060\035\006\003\125\035\016\004\026\004\024\236\175\113\064\277"
-"\161\255\302\005\366\003\165\200\316\251\117\032\304\044\114\060"
-"\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377"
-"\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001\006"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003"
-"\202\001\001\000\041\245\166\024\125\371\255\047\160\217\074\364"
-"\325\154\310\314\012\253\243\230\013\212\006\043\305\311\141\333"
-"\231\007\151\065\046\061\376\307\056\204\302\231\141\324\015\351"
-"\175\056\023\053\174\216\205\266\205\307\113\317\065\266\054\107"
-"\075\316\051\057\330\157\237\211\034\144\223\277\010\275\166\320"
-"\220\212\224\263\177\050\133\156\254\115\063\054\355\145\334\026"
-"\314\342\315\256\244\075\142\222\006\225\046\277\337\271\344\040"
-"\246\163\152\301\276\367\224\104\326\115\157\052\013\153\030\115"
-"\164\020\066\150\152\132\301\152\247\335\066\051\214\270\060\213"
-"\117\041\077\000\056\124\060\007\072\272\212\344\303\236\312\330"
-"\265\330\173\316\165\105\146\007\364\155\055\330\172\312\351\211"
-"\212\362\043\330\057\313\156\000\066\117\373\360\057\001\314\017"
-"\300\042\145\364\253\342\116\141\055\003\202\175\221\026\265\060"
-"\325\024\336\136\307\220\374\241\374\253\020\257\134\153\160\247"
-"\007\357\051\206\350\262\045\307\040\377\046\335\167\357\171\104"
-"\024\304\275\335\073\305\003\233\167\043\354\240\354\273\132\071"
-"\265\314\255\006"
-, (PRUint32)900 }
-};
-static const NSSItem nss_builtins_items_75 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Visa International Global Root 2", (PRUint32)33 },
-  { (void *)"\311\015\033\352\210\075\247\321\027\276\073\171\364\041\016\032"
-"\130\224\247\055"
-, (PRUint32)20 },
-  { (void *)"\065\110\225\066\112\124\132\162\226\216\340\144\314\357\054\214"
-, (PRUint32)16 },
-  { (void *)"\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057"
-"\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156"
-"\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166"
-"\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061"
-"\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157"
-"\164\040\062"
-, (PRUint32)99 },
-  { (void *)"\002\002\003\036"
-, (PRUint32)4 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_76 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"beTRUSTed Root CA", (PRUint32)18 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\132\061\013\060\011\006\003\125\004\006\023\002\127\127\061"
-"\022\060\020\006\003\125\004\012\023\011\142\145\124\122\125\123"
-"\124\145\144\061\033\060\031\006\003\125\004\003\023\022\142\145"
-"\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\163"
-"\061\032\060\030\006\003\125\004\003\023\021\142\145\124\122\125"
-"\123\124\145\144\040\122\157\157\164\040\103\101"
-, (PRUint32)92 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\132\061\013\060\011\006\003\125\004\006\023\002\127\127\061"
-"\022\060\020\006\003\125\004\012\023\011\142\145\124\122\125\123"
-"\124\145\144\061\033\060\031\006\003\125\004\003\023\022\142\145"
-"\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\163"
-"\061\032\060\030\006\003\125\004\003\023\021\142\145\124\122\125"
-"\123\124\145\144\040\122\157\157\164\040\103\101"
-, (PRUint32)92 },
-  { (void *)"\002\004\071\117\175\207"
-, (PRUint32)6 },
-  { (void *)"\060\202\005\054\060\202\004\024\240\003\002\001\002\002\004\071"
-"\117\175\207\060\015\006\011\052\206\110\206\367\015\001\001\005"
-"\005\000\060\132\061\013\060\011\006\003\125\004\006\023\002\127"
-"\127\061\022\060\020\006\003\125\004\012\023\011\142\145\124\122"
-"\125\123\124\145\144\061\033\060\031\006\003\125\004\003\023\022"
-"\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040\103"
-"\101\163\061\032\060\030\006\003\125\004\003\023\021\142\145\124"
-"\122\125\123\124\145\144\040\122\157\157\164\040\103\101\060\036"
-"\027\015\060\060\060\066\062\060\061\064\062\061\060\064\132\027"
-"\015\061\060\060\066\062\060\061\063\062\061\060\064\132\060\132"
-"\061\013\060\011\006\003\125\004\006\023\002\127\127\061\022\060"
-"\020\006\003\125\004\012\023\011\142\145\124\122\125\123\124\145"
-"\144\061\033\060\031\006\003\125\004\003\023\022\142\145\124\122"
-"\125\123\124\145\144\040\122\157\157\164\040\103\101\163\061\032"
-"\060\030\006\003\125\004\003\023\021\142\145\124\122\125\123\124"
-"\145\144\040\122\157\157\164\040\103\101\060\202\001\042\060\015"
-"\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001"
-"\017\000\060\202\001\012\002\202\001\001\000\324\264\163\172\023"
-"\012\070\125\001\276\211\126\341\224\236\324\276\132\353\112\064"
-"\165\033\141\051\304\341\255\010\140\041\170\110\377\264\320\372"
-"\136\101\215\141\104\207\350\355\311\130\372\374\223\232\337\117"
-"\352\076\065\175\370\063\172\346\361\327\315\157\111\113\075\117"
-"\055\156\016\203\072\030\170\167\243\317\347\364\115\163\330\232"
-"\073\032\035\276\225\123\317\040\227\302\317\076\044\122\154\014"
-"\216\145\131\305\161\377\142\011\217\252\305\217\314\140\240\163"
-"\112\327\070\077\025\162\277\242\227\267\160\350\257\342\176\026"
-"\006\114\365\252\144\046\162\007\045\255\065\374\030\261\046\327"
-"\330\377\031\016\203\033\214\334\170\105\147\064\075\364\257\034"
-"\215\344\155\153\355\040\263\147\232\264\141\313\027\157\211\065"
-"\377\347\116\300\062\022\347\356\354\337\377\227\060\164\355\215"
-"\107\216\353\264\303\104\346\247\114\177\126\103\350\270\274\266"
-"\276\372\203\227\346\273\373\304\266\223\276\031\030\076\214\201"
-"\271\163\210\026\364\226\103\234\147\163\027\220\330\011\156\143"
-"\254\112\266\043\304\001\241\255\244\344\305\002\003\001\000\001"
-"\243\202\001\370\060\202\001\364\060\017\006\003\125\035\023\001"
-"\001\377\004\005\060\003\001\001\377\060\202\001\131\006\003\125"
-"\035\040\004\202\001\120\060\202\001\114\060\202\001\110\006\012"
-"\053\006\001\004\001\261\076\001\000\000\060\202\001\070\060\202"
-"\001\001\006\010\053\006\001\005\005\007\002\002\060\201\364\032"
-"\201\361\122\145\154\151\141\156\143\145\040\157\156\040\164\150"
-"\151\163\040\143\145\162\164\151\146\151\143\141\164\145\040\142"
-"\171\040\141\156\171\040\160\141\162\164\171\040\141\163\163\165"
-"\155\145\163\040\141\143\143\145\160\164\141\156\143\145\040\157"
-"\146\040\164\150\145\040\164\150\145\156\040\141\160\160\154\151"
-"\143\141\142\154\145\040\163\164\141\156\144\141\162\144\040\164"
-"\145\162\155\163\040\141\156\144\040\143\157\156\144\151\164\151"
-"\157\156\163\040\157\146\040\165\163\145\054\040\141\156\144\040"
-"\143\145\162\164\151\146\151\143\141\164\151\157\156\040\160\162"
-"\141\143\164\151\143\145\040\163\164\141\164\145\155\145\156\164"
-"\054\040\167\150\151\143\150\040\143\141\156\040\142\145\040\146"
-"\157\165\156\144\040\141\164\040\142\145\124\122\125\123\124\145"
-"\144\047\163\040\167\145\142\040\163\151\164\145\054\040\150\164"
-"\164\160\163\072\057\057\167\167\167\056\142\145\124\122\125\123"
-"\124\145\144\056\143\157\155\057\166\141\165\154\164\057\164\145"
-"\162\155\163\060\061\006\010\053\006\001\005\005\007\002\001\026"
-"\045\150\164\164\160\163\072\057\057\167\167\167\056\142\145\124"
-"\122\125\123\124\145\144\056\143\157\155\057\166\141\165\154\164"
-"\057\164\145\162\155\163\060\064\006\003\125\035\037\004\055\060"
-"\053\060\051\240\047\240\045\244\043\060\041\061\022\060\020\006"
-"\003\125\004\012\023\011\142\145\124\122\125\123\124\145\144\061"
-"\013\060\011\006\003\125\004\006\023\002\127\127\060\035\006\003"
-"\125\035\016\004\026\004\024\052\271\233\151\056\073\233\330\315"
-"\336\052\061\004\064\153\312\007\030\253\147\060\037\006\003\125"
-"\035\043\004\030\060\026\200\024\052\271\233\151\056\073\233\330"
-"\315\336\052\061\004\064\153\312\007\030\253\147\060\016\006\003"
-"\125\035\017\001\001\377\004\004\003\002\001\376\060\015\006\011"
-"\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001\000"
-"\171\141\333\243\136\156\026\261\352\166\121\371\313\025\233\313"
-"\151\276\346\201\153\237\050\037\145\076\335\021\205\222\324\350"
-"\101\277\176\063\275\043\347\361\040\277\244\264\246\031\001\306"
-"\214\215\065\174\145\244\117\011\244\326\330\043\025\005\023\247"
-"\103\171\257\333\243\016\233\173\170\032\363\004\206\132\306\366"
-"\214\040\107\070\111\120\006\235\162\147\072\360\230\003\255\226"
-"\147\104\374\077\020\015\206\115\344\000\073\051\173\316\073\073"
-"\231\206\141\045\100\204\334\023\142\267\372\312\131\326\003\036"
-"\326\123\001\315\155\114\150\125\100\341\356\153\307\052\000\000"
-"\110\202\263\012\001\303\140\052\014\367\202\065\356\110\206\226"
-"\344\164\324\075\352\001\161\272\004\165\100\247\251\177\071\071"
-"\232\125\227\051\145\256\031\125\045\005\162\107\323\350\030\334"
-"\270\351\257\103\163\001\022\164\243\341\134\137\025\135\044\363"
-"\371\344\364\266\147\147\022\347\144\042\212\366\245\101\246\034"
-"\266\140\143\105\212\020\264\272\106\020\256\101\127\145\154\077"
-"\043\020\077\041\020\131\267\344\100\335\046\014\043\366\252\256"
-, (PRUint32)1328 }
-};
-static const NSSItem nss_builtins_items_77 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"beTRUSTed Root CA", (PRUint32)18 },
-  { (void *)"\133\315\315\314\146\366\334\344\104\037\343\175\134\303\023\114"
-"\106\364\160\070"
-, (PRUint32)20 },
-  { (void *)"\205\312\166\132\033\321\150\042\334\242\043\022\312\306\200\064"
-, (PRUint32)16 },
-  { (void *)"\060\132\061\013\060\011\006\003\125\004\006\023\002\127\127\061"
-"\022\060\020\006\003\125\004\012\023\011\142\145\124\122\125\123"
-"\124\145\144\061\033\060\031\006\003\125\004\003\023\022\142\145"
-"\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\163"
-"\061\032\060\030\006\003\125\004\003\023\021\142\145\124\122\125"
-"\123\124\145\144\040\122\157\157\164\040\103\101"
-, (PRUint32)92 },
-  { (void *)"\002\004\071\117\175\207"
-, (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_78 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"AddTrust Low-Value Services Root", (PRUint32)33 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\145\061\013\060\011\006\003\125\004\006\023\002\123\105\061"
-"\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165"
-"\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024"
-"\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164"
-"\167\157\162\153\061\041\060\037\006\003\125\004\003\023\030\101"
-"\144\144\124\162\165\163\164\040\103\154\141\163\163\040\061\040"
-"\103\101\040\122\157\157\164"
-, (PRUint32)103 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\145\061\013\060\011\006\003\125\004\006\023\002\123\105\061"
-"\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165"
-"\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024"
-"\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164"
-"\167\157\162\153\061\041\060\037\006\003\125\004\003\023\030\101"
-"\144\144\124\162\165\163\164\040\103\154\141\163\163\040\061\040"
-"\103\101\040\122\157\157\164"
-, (PRUint32)103 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)"\060\202\004\030\060\202\003\000\240\003\002\001\002\002\001\001"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
-"\145\061\013\060\011\006\003\125\004\006\023\002\123\105\061\024"
-"\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165\163"
-"\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024\101"
-"\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164\167"
-"\157\162\153\061\041\060\037\006\003\125\004\003\023\030\101\144"
-"\144\124\162\165\163\164\040\103\154\141\163\163\040\061\040\103"
-"\101\040\122\157\157\164\060\036\027\015\060\060\060\065\063\060"
-"\061\060\063\070\063\061\132\027\015\062\060\060\065\063\060\061"
-"\060\063\070\063\061\132\060\145\061\013\060\011\006\003\125\004"
-"\006\023\002\123\105\061\024\060\022\006\003\125\004\012\023\013"
-"\101\144\144\124\162\165\163\164\040\101\102\061\035\060\033\006"
-"\003\125\004\013\023\024\101\144\144\124\162\165\163\164\040\124"
-"\124\120\040\116\145\164\167\157\162\153\061\041\060\037\006\003"
-"\125\004\003\023\030\101\144\144\124\162\165\163\164\040\103\154"
-"\141\163\163\040\061\040\103\101\040\122\157\157\164\060\202\001"
-"\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000"
-"\003\202\001\017\000\060\202\001\012\002\202\001\001\000\226\226"
-"\324\041\111\140\342\153\350\101\007\014\336\304\340\334\023\043"
-"\315\301\065\307\373\326\116\021\012\147\136\365\006\133\153\245"
-"\010\073\133\051\026\072\347\207\262\064\006\305\274\005\245\003"
-"\174\202\313\051\020\256\341\210\201\275\326\236\323\376\055\126"
-"\301\025\316\343\046\235\025\056\020\373\006\217\060\004\336\247"
-"\264\143\264\377\261\234\256\074\257\167\266\126\305\265\253\242"
-"\351\151\072\075\016\063\171\062\077\160\202\222\231\141\155\215"
-"\060\010\217\161\077\246\110\127\031\370\045\334\113\146\134\245"
-"\164\217\230\256\310\371\300\006\042\347\254\163\337\245\056\373"
-"\122\334\261\025\145\040\372\065\146\151\336\337\054\361\156\274"
-"\060\333\054\044\022\333\353\065\065\150\220\313\000\260\227\041"
-"\075\164\041\043\145\064\053\273\170\131\243\326\341\166\071\232"
-"\244\111\216\214\164\257\156\244\232\243\331\233\322\070\134\233"
-"\242\030\314\165\043\204\276\353\342\115\063\161\216\032\360\302"
-"\370\307\035\242\255\003\227\054\370\317\045\306\366\270\044\061"
-"\261\143\135\222\177\143\360\045\311\123\056\037\277\115\002\003"
-"\001\000\001\243\201\322\060\201\317\060\035\006\003\125\035\016"
-"\004\026\004\024\225\261\264\360\224\266\275\307\332\321\021\011"
-"\041\276\301\257\111\375\020\173\060\013\006\003\125\035\017\004"
-"\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377\004"
-"\005\060\003\001\001\377\060\201\217\006\003\125\035\043\004\201"
-"\207\060\201\204\200\024\225\261\264\360\224\266\275\307\332\321"
-"\021\011\041\276\301\257\111\375\020\173\241\151\244\147\060\145"
-"\061\013\060\011\006\003\125\004\006\023\002\123\105\061\024\060"
-"\022\006\003\125\004\012\023\013\101\144\144\124\162\165\163\164"
-"\040\101\102\061\035\060\033\006\003\125\004\013\023\024\101\144"
-"\144\124\162\165\163\164\040\124\124\120\040\116\145\164\167\157"
-"\162\153\061\041\060\037\006\003\125\004\003\023\030\101\144\144"
-"\124\162\165\163\164\040\103\154\141\163\163\040\061\040\103\101"
-"\040\122\157\157\164\202\001\001\060\015\006\011\052\206\110\206"
-"\367\015\001\001\005\005\000\003\202\001\001\000\054\155\144\033"
-"\037\315\015\335\271\001\372\226\143\064\062\110\107\231\256\227"
-"\355\375\162\026\246\163\107\132\364\353\335\351\365\326\373\105"
-"\314\051\211\104\135\277\106\071\075\350\356\274\115\124\206\036"
-"\035\154\343\027\047\103\341\211\126\053\251\157\162\116\111\063"
-"\343\162\174\052\043\232\274\076\377\050\052\355\243\377\034\043"
-"\272\103\127\011\147\115\113\142\006\055\370\377\154\235\140\036"
-"\330\034\113\175\265\061\057\331\320\174\135\370\336\153\203\030"
-"\170\067\127\057\350\063\007\147\337\036\307\153\052\225\166\256"
-"\217\127\243\360\364\122\264\251\123\010\317\340\117\323\172\123"
-"\213\375\273\034\126\066\362\376\262\266\345\166\273\325\042\145"
-"\247\077\376\321\146\255\013\274\153\231\206\357\077\175\363\030"
-"\062\312\173\306\343\253\144\106\225\370\046\151\331\125\203\173"
-"\054\226\007\377\131\054\104\243\306\345\351\251\334\241\143\200"
-"\132\041\136\041\317\123\124\360\272\157\211\333\250\252\225\317"
-"\213\343\161\314\036\033\040\104\010\300\172\266\100\375\304\344"
-"\065\341\035\026\034\320\274\053\216\326\161\331"
-, (PRUint32)1052 }
-};
-static const NSSItem nss_builtins_items_79 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"AddTrust Low-Value Services Root", (PRUint32)33 },
-  { (void *)"\314\253\016\240\114\043\001\326\151\173\335\067\237\315\022\353"
-"\044\343\224\235"
-, (PRUint32)20 },
-  { (void *)"\036\102\225\002\063\222\153\271\137\300\177\332\326\262\113\374"
-, (PRUint32)16 },
-  { (void *)"\060\145\061\013\060\011\006\003\125\004\006\023\002\123\105\061"
-"\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165"
-"\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024"
-"\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164"
-"\167\157\162\153\061\041\060\037\006\003\125\004\003\023\030\101"
-"\144\144\124\162\165\163\164\040\103\154\141\163\163\040\061\040"
-"\103\101\040\122\157\157\164"
-, (PRUint32)103 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_80 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"AddTrust External Root", (PRUint32)23 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\157\061\013\060\011\006\003\125\004\006\023\002\123\105\061"
-"\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165"
-"\163\164\040\101\102\061\046\060\044\006\003\125\004\013\023\035"
-"\101\144\144\124\162\165\163\164\040\105\170\164\145\162\156\141"
-"\154\040\124\124\120\040\116\145\164\167\157\162\153\061\042\060"
-"\040\006\003\125\004\003\023\031\101\144\144\124\162\165\163\164"
-"\040\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157"
-"\164"
-, (PRUint32)113 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\157\061\013\060\011\006\003\125\004\006\023\002\123\105\061"
-"\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165"
-"\163\164\040\101\102\061\046\060\044\006\003\125\004\013\023\035"
-"\101\144\144\124\162\165\163\164\040\105\170\164\145\162\156\141"
-"\154\040\124\124\120\040\116\145\164\167\157\162\153\061\042\060"
-"\040\006\003\125\004\003\023\031\101\144\144\124\162\165\163\164"
-"\040\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157"
-"\164"
-, (PRUint32)113 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)"\060\202\004\066\060\202\003\036\240\003\002\001\002\002\001\001"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
-"\157\061\013\060\011\006\003\125\004\006\023\002\123\105\061\024"
-"\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165\163"
-"\164\040\101\102\061\046\060\044\006\003\125\004\013\023\035\101"
-"\144\144\124\162\165\163\164\040\105\170\164\145\162\156\141\154"
-"\040\124\124\120\040\116\145\164\167\157\162\153\061\042\060\040"
-"\006\003\125\004\003\023\031\101\144\144\124\162\165\163\164\040"
-"\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157\164"
-"\060\036\027\015\060\060\060\065\063\060\061\060\064\070\063\070"
-"\132\027\015\062\060\060\065\063\060\061\060\064\070\063\070\132"
-"\060\157\061\013\060\011\006\003\125\004\006\023\002\123\105\061"
-"\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165"
-"\163\164\040\101\102\061\046\060\044\006\003\125\004\013\023\035"
-"\101\144\144\124\162\165\163\164\040\105\170\164\145\162\156\141"
-"\154\040\124\124\120\040\116\145\164\167\157\162\153\061\042\060"
-"\040\006\003\125\004\003\023\031\101\144\144\124\162\165\163\164"
-"\040\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157"
-"\164\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001"
-"\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001"
-"\001\000\267\367\032\063\346\362\000\004\055\071\340\116\133\355"
-"\037\274\154\017\315\265\372\043\266\316\336\233\021\063\227\244"
-"\051\114\175\223\237\275\112\274\223\355\003\032\343\217\317\345"
-"\155\120\132\326\227\051\224\132\200\260\111\172\333\056\225\375"
-"\270\312\277\067\070\055\036\076\221\101\255\160\126\307\360\117"
-"\077\350\062\236\164\312\310\220\124\351\306\137\017\170\235\232"
-"\100\074\016\254\141\252\136\024\217\236\207\241\152\120\334\327"
-"\232\116\257\005\263\246\161\224\234\161\263\120\140\012\307\023"
-"\235\070\007\206\002\250\351\250\151\046\030\220\253\114\260\117"
-"\043\253\072\117\204\330\337\316\237\341\151\157\273\327\102\327"
-"\153\104\344\307\255\356\155\101\137\162\132\161\010\067\263\171"
-"\145\244\131\240\224\067\367\000\057\015\302\222\162\332\320\070"
-"\162\333\024\250\105\304\135\052\175\267\264\326\304\356\254\315"
-"\023\104\267\311\053\335\103\000\045\372\141\271\151\152\130\043"
-"\021\267\247\063\217\126\165\131\365\315\051\327\106\267\012\053"
-"\145\266\323\102\157\025\262\270\173\373\357\351\135\123\325\064"
-"\132\047\002\003\001\000\001\243\201\334\060\201\331\060\035\006"
-"\003\125\035\016\004\026\004\024\255\275\230\172\064\264\046\367"
-"\372\304\046\124\357\003\275\340\044\313\124\032\060\013\006\003"
-"\125\035\017\004\004\003\002\001\006\060\017\006\003\125\035\023"
-"\001\001\377\004\005\060\003\001\001\377\060\201\231\006\003\125"
-"\035\043\004\201\221\060\201\216\200\024\255\275\230\172\064\264"
-"\046\367\372\304\046\124\357\003\275\340\044\313\124\032\241\163"
-"\244\161\060\157\061\013\060\011\006\003\125\004\006\023\002\123"
-"\105\061\024\060\022\006\003\125\004\012\023\013\101\144\144\124"
-"\162\165\163\164\040\101\102\061\046\060\044\006\003\125\004\013"
-"\023\035\101\144\144\124\162\165\163\164\040\105\170\164\145\162"
-"\156\141\154\040\124\124\120\040\116\145\164\167\157\162\153\061"
-"\042\060\040\006\003\125\004\003\023\031\101\144\144\124\162\165"
-"\163\164\040\105\170\164\145\162\156\141\154\040\103\101\040\122"
-"\157\157\164\202\001\001\060\015\006\011\052\206\110\206\367\015"
-"\001\001\005\005\000\003\202\001\001\000\260\233\340\205\045\302"
-"\326\043\342\017\226\006\222\235\101\230\234\331\204\171\201\331"
-"\036\133\024\007\043\066\145\217\260\330\167\273\254\101\154\107"
-"\140\203\121\260\371\062\075\347\374\366\046\023\307\200\026\245"
-"\277\132\374\207\317\170\171\211\041\232\342\114\007\012\206\065"
-"\274\362\336\121\304\322\226\267\334\176\116\356\160\375\034\071"
-"\353\014\002\121\024\055\216\275\026\340\301\337\106\165\347\044"
-"\255\354\364\102\264\205\223\160\020\147\272\235\006\065\112\030"
-"\323\053\172\314\121\102\241\172\143\321\346\273\241\305\053\302"
-"\066\276\023\015\346\275\143\176\171\173\247\011\015\100\253\152"
-"\335\217\212\303\366\366\214\032\102\005\121\324\105\365\237\247"
-"\142\041\150\025\040\103\074\231\347\174\275\044\330\251\221\027"
-"\163\210\077\126\033\061\070\030\264\161\017\232\315\310\016\236"
-"\216\056\033\341\214\230\203\313\037\061\361\104\114\306\004\163"
-"\111\166\140\017\307\370\275\027\200\153\056\351\314\114\016\132"
-"\232\171\017\040\012\056\325\236\143\046\036\125\222\224\330\202"
-"\027\132\173\320\274\307\217\116\206\004"
-, (PRUint32)1082 }
-};
-static const NSSItem nss_builtins_items_81 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"AddTrust External Root", (PRUint32)23 },
-  { (void *)"\002\372\363\342\221\103\124\150\140\170\127\151\115\365\344\133"
-"\150\205\030\150"
-, (PRUint32)20 },
-  { (void *)"\035\065\124\004\205\170\260\077\102\102\115\277\040\163\012\077"
-, (PRUint32)16 },
-  { (void *)"\060\157\061\013\060\011\006\003\125\004\006\023\002\123\105\061"
-"\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165"
-"\163\164\040\101\102\061\046\060\044\006\003\125\004\013\023\035"
-"\101\144\144\124\162\165\163\164\040\105\170\164\145\162\156\141"
-"\154\040\124\124\120\040\116\145\164\167\157\162\153\061\042\060"
-"\040\006\003\125\004\003\023\031\101\144\144\124\162\165\163\164"
-"\040\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157"
-"\164"
-, (PRUint32)113 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_82 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"AddTrust Public Services Root", (PRUint32)30 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\144\061\013\060\011\006\003\125\004\006\023\002\123\105\061"
-"\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165"
-"\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024"
-"\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164"
-"\167\157\162\153\061\040\060\036\006\003\125\004\003\023\027\101"
-"\144\144\124\162\165\163\164\040\120\165\142\154\151\143\040\103"
-"\101\040\122\157\157\164"
-, (PRUint32)102 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\144\061\013\060\011\006\003\125\004\006\023\002\123\105\061"
-"\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165"
-"\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024"
-"\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164"
-"\167\157\162\153\061\040\060\036\006\003\125\004\003\023\027\101"
-"\144\144\124\162\165\163\164\040\120\165\142\154\151\143\040\103"
-"\101\040\122\157\157\164"
-, (PRUint32)102 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)"\060\202\004\025\060\202\002\375\240\003\002\001\002\002\001\001"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
-"\144\061\013\060\011\006\003\125\004\006\023\002\123\105\061\024"
-"\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165\163"
-"\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024\101"
-"\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164\167"
-"\157\162\153\061\040\060\036\006\003\125\004\003\023\027\101\144"
-"\144\124\162\165\163\164\040\120\165\142\154\151\143\040\103\101"
-"\040\122\157\157\164\060\036\027\015\060\060\060\065\063\060\061"
-"\060\064\061\065\060\132\027\015\062\060\060\065\063\060\061\060"
-"\064\061\065\060\132\060\144\061\013\060\011\006\003\125\004\006"
-"\023\002\123\105\061\024\060\022\006\003\125\004\012\023\013\101"
-"\144\144\124\162\165\163\164\040\101\102\061\035\060\033\006\003"
-"\125\004\013\023\024\101\144\144\124\162\165\163\164\040\124\124"
-"\120\040\116\145\164\167\157\162\153\061\040\060\036\006\003\125"
-"\004\003\023\027\101\144\144\124\162\165\163\164\040\120\165\142"
-"\154\151\143\040\103\101\040\122\157\157\164\060\202\001\042\060"
-"\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202"
-"\001\017\000\060\202\001\012\002\202\001\001\000\351\032\060\217"
-"\203\210\024\301\040\330\074\233\217\033\176\003\164\273\332\151"
-"\323\106\245\370\216\302\014\021\220\121\245\057\146\124\100\125"
-"\352\333\037\112\126\356\237\043\156\364\071\313\241\271\157\362"
-"\176\371\135\207\046\141\236\034\370\342\354\246\201\370\041\305"
-"\044\314\021\014\077\333\046\162\172\307\001\227\007\027\371\327"
-"\030\054\060\175\016\172\036\142\036\306\113\300\375\175\142\167"
-"\323\104\036\047\366\077\113\104\263\267\070\331\071\037\140\325"
-"\121\222\163\003\264\000\151\343\363\024\116\356\321\334\011\317"
-"\167\064\106\120\260\370\021\362\376\070\171\367\007\071\376\121"
-"\222\227\013\133\010\137\064\206\001\255\210\227\353\146\315\136"
-"\321\377\334\175\362\204\332\272\167\255\334\200\010\307\247\207"
-"\326\125\237\227\152\350\310\021\144\272\347\031\051\077\021\263"
-"\170\220\204\040\122\133\021\357\170\320\203\366\325\110\220\320"
-"\060\034\317\200\371\140\376\171\344\210\362\335\000\353\224\105"
-"\353\145\224\151\100\272\300\325\264\270\272\175\004\021\250\353"
-"\061\005\226\224\116\130\041\216\237\320\140\375\002\003\001\000"
-"\001\243\201\321\060\201\316\060\035\006\003\125\035\016\004\026"
-"\004\024\201\076\067\330\222\260\037\167\237\134\264\253\163\252"
-"\347\366\064\140\057\372\060\013\006\003\125\035\017\004\004\003"
-"\002\001\006\060\017\006\003\125\035\023\001\001\377\004\005\060"
-"\003\001\001\377\060\201\216\006\003\125\035\043\004\201\206\060"
-"\201\203\200\024\201\076\067\330\222\260\037\167\237\134\264\253"
-"\163\252\347\366\064\140\057\372\241\150\244\146\060\144\061\013"
-"\060\011\006\003\125\004\006\023\002\123\105\061\024\060\022\006"
-"\003\125\004\012\023\013\101\144\144\124\162\165\163\164\040\101"
-"\102\061\035\060\033\006\003\125\004\013\023\024\101\144\144\124"
-"\162\165\163\164\040\124\124\120\040\116\145\164\167\157\162\153"
-"\061\040\060\036\006\003\125\004\003\023\027\101\144\144\124\162"
-"\165\163\164\040\120\165\142\154\151\143\040\103\101\040\122\157"
-"\157\164\202\001\001\060\015\006\011\052\206\110\206\367\015\001"
-"\001\005\005\000\003\202\001\001\000\003\367\025\112\370\044\332"
-"\043\126\026\223\166\335\066\050\271\256\033\270\303\361\144\272"
-"\040\030\170\225\051\047\127\005\274\174\052\364\271\121\125\332"
-"\207\002\336\017\026\027\061\370\252\171\056\011\023\273\257\262"
-"\040\031\022\345\223\371\113\371\203\350\104\325\262\101\045\277"
-"\210\165\157\377\020\374\112\124\320\137\360\372\357\066\163\175"
-"\033\066\105\306\041\155\264\025\270\116\317\234\134\245\075\132"
-"\000\216\006\343\074\153\062\173\362\237\360\266\375\337\360\050"
-"\030\110\360\306\274\320\277\064\200\226\302\112\261\155\216\307"
-"\220\105\336\057\147\254\105\004\243\172\334\125\222\311\107\146"
-"\330\032\214\307\355\234\116\232\340\022\273\265\152\114\204\341"
-"\341\042\015\207\000\144\376\214\175\142\071\145\246\357\102\266"
-"\200\045\022\141\001\250\044\023\160\000\021\046\137\372\065\120"
-"\305\110\314\006\107\350\047\330\160\215\137\144\346\241\104\046"
-"\136\042\354\222\315\377\102\232\104\041\155\134\305\343\042\035"
-"\137\107\022\347\316\137\135\372\330\252\261\063\055\331\166\362"
-"\116\072\063\014\053\263\055\220\006"
-, (PRUint32)1049 }
-};
-static const NSSItem nss_builtins_items_83 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"AddTrust Public Services Root", (PRUint32)30 },
-  { (void *)"\052\266\050\110\136\170\373\363\255\236\171\020\335\153\337\231"
-"\162\054\226\345"
-, (PRUint32)20 },
-  { (void *)"\301\142\076\043\305\202\163\234\003\131\113\053\351\167\111\177"
-, (PRUint32)16 },
-  { (void *)"\060\157\061\013\060\011\006\003\125\004\006\023\002\123\105\061"
-"\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165"
-"\163\164\040\101\102\061\046\060\044\006\003\125\004\013\023\035"
-"\101\144\144\124\162\165\163\164\040\105\170\164\145\162\156\141"
-"\154\040\124\124\120\040\116\145\164\167\157\162\153\061\042\060"
-"\040\006\003\125\004\003\023\031\101\144\144\124\162\165\163\164"
-"\040\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157"
-"\164"
-, (PRUint32)113 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
-};
-static const NSSItem nss_builtins_items_84 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"AddTrust Qualified Certificates Root", (PRUint32)37 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\147\061\013\060\011\006\003\125\004\006\023\002\123\105\061"
-"\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165"
-"\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024"
-"\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164"
-"\167\157\162\153\061\043\060\041\006\003\125\004\003\023\032\101"
-"\144\144\124\162\165\163\164\040\121\165\141\154\151\146\151\145"
-"\144\040\103\101\040\122\157\157\164"
-, (PRUint32)105 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\147\061\013\060\011\006\003\125\004\006\023\002\123\105\061"
-"\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165"
-"\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024"
-"\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164"
-"\167\157\162\153\061\043\060\041\006\003\125\004\003\023\032\101"
-"\144\144\124\162\165\163\164\040\121\165\141\154\151\146\151\145"
-"\144\040\103\101\040\122\157\157\164"
-, (PRUint32)105 },
-  { (void *)"\001"
-, (PRUint32)1 },
-  { (void *)"\060\202\004\036\060\202\003\006\240\003\002\001\002\002\001\001"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
-"\147\061\013\060\011\006\003\125\004\006\023\002\123\105\061\024"
-"\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165\163"
-"\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024\101"
-"\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164\167"
-"\157\162\153\061\043\060\041\006\003\125\004\003\023\032\101\144"
-"\144\124\162\165\163\164\040\121\165\141\154\151\146\151\145\144"
-"\040\103\101\040\122\157\157\164\060\036\027\015\060\060\060\065"
-"\063\060\061\060\064\064\065\060\132\027\015\062\060\060\065\063"
-"\060\061\060\064\064\065\060\132\060\147\061\013\060\011\006\003"
-"\125\004\006\023\002\123\105\061\024\060\022\006\003\125\004\012"
-"\023\013\101\144\144\124\162\165\163\164\040\101\102\061\035\060"
-"\033\006\003\125\004\013\023\024\101\144\144\124\162\165\163\164"
-"\040\124\124\120\040\116\145\164\167\157\162\153\061\043\060\041"
-"\006\003\125\004\003\023\032\101\144\144\124\162\165\163\164\040"
-"\121\165\141\154\151\146\151\145\144\040\103\101\040\122\157\157"
-"\164\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001"
-"\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001"
-"\001\000\344\036\232\376\334\011\132\207\244\237\107\276\021\137"
-"\257\204\064\333\142\074\171\170\267\351\060\265\354\014\034\052"
-"\304\026\377\340\354\161\353\212\365\021\156\355\117\015\221\322"
-"\022\030\055\111\025\001\302\244\042\023\307\021\144\377\042\022"
-"\232\271\216\134\057\010\317\161\152\263\147\001\131\361\135\106"
-"\363\260\170\245\366\016\102\172\343\177\033\314\320\360\267\050"
-"\375\052\352\236\263\260\271\004\252\375\366\307\264\261\270\052"
-"\240\373\130\361\031\240\157\160\045\176\076\151\112\177\017\042"
-"\330\357\255\010\021\232\051\231\341\252\104\105\232\022\136\076"
-"\235\155\122\374\347\240\075\150\057\360\113\160\174\023\070\255"
-"\274\025\045\361\326\316\253\242\300\061\326\057\237\340\377\024"
-"\131\374\204\223\331\207\174\114\124\023\353\237\321\055\021\370"
-"\030\072\072\336\045\331\367\323\100\355\244\006\022\304\073\341"
-"\221\301\126\065\360\024\334\145\066\011\156\253\244\007\307\065"
-"\321\302\003\063\066\133\165\046\155\102\361\022\153\103\157\113"
-"\161\224\372\064\035\355\023\156\312\200\177\230\057\154\271\145"
-"\330\351\002\003\001\000\001\243\201\324\060\201\321\060\035\006"
-"\003\125\035\016\004\026\004\024\071\225\213\142\213\134\311\324"
-"\200\272\130\017\227\077\025\010\103\314\230\247\060\013\006\003"
-"\125\035\017\004\004\003\002\001\006\060\017\006\003\125\035\023"
-"\001\001\377\004\005\060\003\001\001\377\060\201\221\006\003\125"
-"\035\043\004\201\211\060\201\206\200\024\071\225\213\142\213\134"
-"\311\324\200\272\130\017\227\077\025\010\103\314\230\247\241\153"
-"\244\151\060\147\061\013\060\011\006\003\125\004\006\023\002\123"
-"\105\061\024\060\022\006\003\125\004\012\023\013\101\144\144\124"
-"\162\165\163\164\040\101\102\061\035\060\033\006\003\125\004\013"
-"\023\024\101\144\144\124\162\165\163\164\040\124\124\120\040\116"
-"\145\164\167\157\162\153\061\043\060\041\006\003\125\004\003\023"
-"\032\101\144\144\124\162\165\163\164\040\121\165\141\154\151\146"
-"\151\145\144\040\103\101\040\122\157\157\164\202\001\001\060\015"
-"\006\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001"
-"\001\000\031\253\165\352\370\213\145\141\225\023\272\151\004\357"
-"\206\312\023\240\307\252\117\144\033\077\030\366\250\055\054\125"
-"\217\005\267\060\352\102\152\035\300\045\121\055\247\277\014\263"
-"\355\357\010\177\154\074\106\032\352\030\103\337\166\314\371\146"
-"\206\234\054\150\365\351\027\370\061\263\030\304\326\110\175\043"
-"\114\150\301\176\273\001\024\157\305\331\156\336\273\004\102\152"
-"\370\366\134\175\345\332\372\207\353\015\065\122\147\320\236\227"
-"\166\005\223\077\225\307\001\346\151\125\070\177\020\141\231\311"
-"\343\137\246\312\076\202\143\110\252\342\010\110\076\252\362\262"
-"\205\142\246\264\247\331\275\067\234\150\265\055\126\175\260\267"
-"\077\240\261\007\326\351\117\334\336\105\161\060\062\177\033\056"
-"\011\371\277\122\241\356\302\200\076\006\134\056\125\100\301\033"
-"\365\160\105\260\334\135\372\366\162\132\167\322\143\315\317\130"
-"\211\000\102\143\077\171\071\320\104\260\202\156\101\031\350\335"
-"\340\301\210\132\321\036\161\223\037\044\060\164\345\036\250\336"
-"\074\047\067\177\203\256\236\167\317\360\060\261\377\113\231\350"
-"\306\241"
-, (PRUint32)1058 }
-};
-static const NSSItem nss_builtins_items_85 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"AddTrust Qualified Certificates Root", (PRUint32)37 },
-  { (void *)"\115\043\170\354\221\225\071\265\000\177\165\217\003\073\041\036"
-"\305\115\213\317"
-, (PRUint32)20 },
-  { (void *)"\047\354\071\107\315\332\132\257\342\232\001\145\041\251\114\273"
-, (PRUint32)16 },
-  { (void *)"\060\147\061\013\060\011\006\003\125\004\006\023\002\123\105\061"
-"\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165"
-"\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024"
-"\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164"
-"\167\157\162\153\061\043\060\041\006\003\125\004\003\023\032\101"
-"\144\144\124\162\165\163\164\040\121\165\141\154\151\146\151\145"
-"\144\040\103\101\040\122\157\157\164"
-, (PRUint32)105 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_86 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Class 1 Public Primary OCSP Responder", (PRUint32)47 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\247\061\027\060\025\006\003\125\004\012\023\016\126\145"
-"\162\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035"
-"\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040"
-"\124\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060"
-"\071\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146"
-"\040\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057"
-"\167\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155"
-"\057\122\120\101\040\050\143\051\060\060\061\056\060\054\006\003"
-"\125\004\003\023\045\103\154\141\163\163\040\061\040\120\165\142"
-"\154\151\143\040\120\162\151\155\141\162\171\040\117\103\123\120"
-"\040\122\145\163\160\157\156\144\145\162"
-, (PRUint32)170 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151"
-"\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004"
-"\013\023\056\103\154\141\163\163\040\061\040\120\165\142\154\151"
-"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
-"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171"
-, (PRUint32)97 },
-  { (void *)"\002\020\053\150\324\243\106\236\305\073\050\011\253\070\135\177"
-"\047\040"
-, (PRUint32)18 },
-  { (void *)"\060\202\003\236\060\202\003\007\240\003\002\001\002\002\020\053"
-"\150\324\243\106\236\305\073\050\011\253\070\135\177\047\040\060"
-"\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\137"
-"\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027\060"
-"\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147\156"
-"\054\040\111\156\143\056\061\067\060\065\006\003\125\004\013\023"
-"\056\103\154\141\163\163\040\061\040\120\165\142\154\151\143\040"
-"\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143"
-"\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060"
-"\036\027\015\060\060\060\070\060\064\060\060\060\060\060\060\132"
-"\027\015\060\064\060\070\060\063\062\063\065\071\065\071\132\060"
-"\201\247\061\027\060\025\006\003\125\004\012\023\016\126\145\162"
-"\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035\006"
-"\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040\124"
-"\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060\071"
-"\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146\040"
-"\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057\167"
-"\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155\057"
-"\122\120\101\040\050\143\051\060\060\061\056\060\054\006\003\125"
-"\004\003\023\045\103\154\141\163\163\040\061\040\120\165\142\154"
-"\151\143\040\120\162\151\155\141\162\171\040\117\103\123\120\040"
-"\122\145\163\160\157\156\144\145\162\060\201\237\060\015\006\011"
-"\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060"
-"\201\211\002\201\201\000\271\355\136\172\072\167\137\316\137\072"
-"\122\374\315\144\367\161\265\157\152\226\306\131\222\125\224\135"
-"\057\133\056\301\021\352\046\212\313\247\201\074\366\132\104\336"
-"\172\023\057\375\132\121\331\173\067\046\112\300\047\077\004\003"
-"\152\126\301\203\054\341\157\133\251\124\120\044\112\306\056\172"
-"\114\241\133\067\124\044\041\061\037\241\170\030\166\247\261\160"
-"\332\042\320\152\376\007\142\100\306\367\366\233\175\014\006\270"
-"\113\307\050\344\146\043\204\121\357\106\267\223\330\201\063\313"
-"\345\066\254\306\350\005\002\003\001\000\001\243\202\001\020\060"
-"\202\001\014\060\040\006\003\125\035\021\004\031\060\027\244\025"
-"\060\023\061\021\060\017\006\003\125\004\003\023\010\117\103\123"
-"\120\040\061\055\061\060\061\006\003\125\035\037\004\052\060\050"
-"\060\046\240\044\240\042\206\040\150\164\164\160\072\057\057\143"
-"\162\154\056\166\145\162\151\163\151\147\156\056\143\157\155\057"
-"\160\143\141\061\056\143\162\154\060\023\006\003\125\035\045\004"
-"\014\060\012\006\010\053\006\001\005\005\007\003\011\060\102\006"
-"\010\053\006\001\005\005\007\001\001\004\066\060\064\060\062\006"
-"\010\053\006\001\005\005\007\060\001\246\046\026\044\150\164\164"
-"\160\072\057\057\157\143\163\160\056\166\145\162\151\163\151\147"
-"\156\056\143\157\155\057\157\143\163\160\057\163\164\141\164\165"
-"\163\060\104\006\003\125\035\040\004\075\060\073\060\071\006\013"
-"\140\206\110\001\206\370\105\001\007\001\001\060\052\060\050\006"
-"\010\053\006\001\005\005\007\002\001\026\034\150\164\164\160\163"
-"\072\057\057\167\167\167\056\166\145\162\151\163\151\147\156\056"
-"\143\157\155\057\122\120\101\060\011\006\003\125\035\023\004\002"
-"\060\000\060\013\006\003\125\035\017\004\004\003\002\007\200\060"
-"\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003\201"
-"\201\000\160\220\335\270\344\276\123\027\174\177\002\351\325\367"
-"\213\231\223\061\140\215\176\346\140\153\044\357\140\254\322\316"
-"\221\336\200\155\011\244\323\270\070\345\104\312\162\136\015\055"
-"\301\167\234\275\054\003\170\051\215\244\245\167\207\365\361\053"
-"\046\255\314\007\154\072\124\132\050\340\011\363\115\012\004\312"
-"\324\130\151\013\247\263\365\335\001\245\347\334\360\037\272\301"
-"\135\220\215\263\352\117\301\021\131\227\152\262\053\023\261\332"
-"\255\227\241\263\261\240\040\133\312\062\253\215\317\023\360\037"
-"\051\303"
-, (PRUint32)930 }
-};
-static const NSSItem nss_builtins_items_87 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Class 1 Public Primary OCSP Responder", (PRUint32)47 },
-  { (void *)"\004\226\110\344\112\311\314\255\105\203\230\331\074\175\221\365"
-"\042\104\033\212"
-, (PRUint32)20 },
-  { (void *)"\176\157\072\123\033\174\276\260\060\333\103\036\036\224\211\262"
-, (PRUint32)16 },
-  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151"
-"\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004"
-"\013\023\056\103\154\141\163\163\040\061\040\120\165\142\154\151"
-"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
-"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171"
-, (PRUint32)97 },
-  { (void *)"\002\020\053\150\324\243\106\236\305\073\050\011\253\070\135\177"
-"\047\040"
-, (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_88 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Class 2 Public Primary OCSP Responder", (PRUint32)47 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\247\061\027\060\025\006\003\125\004\012\023\016\126\145"
-"\162\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035"
-"\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040"
-"\124\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060"
-"\071\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146"
-"\040\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057"
-"\167\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155"
-"\057\122\120\101\040\050\143\051\060\060\061\056\060\054\006\003"
-"\125\004\003\023\045\103\154\141\163\163\040\062\040\120\165\142"
-"\154\151\143\040\120\162\151\155\141\162\171\040\117\103\123\120"
-"\040\122\145\163\160\157\156\144\145\162"
-, (PRUint32)170 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151"
-"\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004"
-"\013\023\056\103\154\141\163\163\040\062\040\120\165\142\154\151"
-"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
-"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171"
-, (PRUint32)97 },
-  { (void *)"\002\020\011\106\027\346\035\330\324\034\240\014\240\142\350\171"
-"\212\247"
-, (PRUint32)18 },
-  { (void *)"\060\202\003\236\060\202\003\007\240\003\002\001\002\002\020\011"
-"\106\027\346\035\330\324\034\240\014\240\142\350\171\212\247\060"
-"\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\137"
-"\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027\060"
-"\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147\156"
-"\054\040\111\156\143\056\061\067\060\065\006\003\125\004\013\023"
-"\056\103\154\141\163\163\040\062\040\120\165\142\154\151\143\040"
-"\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143"
-"\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060"
-"\036\027\015\060\060\060\070\060\061\060\060\060\060\060\060\132"
-"\027\015\060\064\060\067\063\061\062\063\065\071\065\071\132\060"
-"\201\247\061\027\060\025\006\003\125\004\012\023\016\126\145\162"
-"\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035\006"
-"\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040\124"
-"\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060\071"
-"\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146\040"
-"\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057\167"
-"\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155\057"
-"\122\120\101\040\050\143\051\060\060\061\056\060\054\006\003\125"
-"\004\003\023\045\103\154\141\163\163\040\062\040\120\165\142\154"
-"\151\143\040\120\162\151\155\141\162\171\040\117\103\123\120\040"
-"\122\145\163\160\157\156\144\145\162\060\201\237\060\015\006\011"
-"\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060"
-"\201\211\002\201\201\000\320\312\143\061\141\177\104\064\174\005"
-"\175\013\075\152\220\313\171\113\167\012\077\113\307\043\345\300"
-"\142\055\176\234\176\076\210\207\221\320\254\350\115\111\207\242"
-"\226\220\212\335\004\245\002\077\214\233\351\211\376\142\240\342"
-"\132\275\310\335\264\170\346\245\102\223\010\147\001\300\040\115"
-"\327\134\364\135\332\263\343\067\246\122\032\054\114\145\115\212"
-"\207\331\250\243\361\111\124\273\074\134\200\121\150\306\373\111"
-"\377\013\125\253\025\335\373\232\301\271\035\164\015\262\214\104"
-"\135\211\374\237\371\203\002\003\001\000\001\243\202\001\020\060"
-"\202\001\014\060\040\006\003\125\035\021\004\031\060\027\244\025"
-"\060\023\061\021\060\017\006\003\125\004\003\023\010\117\103\123"
-"\120\040\061\055\062\060\061\006\003\125\035\037\004\052\060\050"
-"\060\046\240\044\240\042\206\040\150\164\164\160\072\057\057\143"
-"\162\154\056\166\145\162\151\163\151\147\156\056\143\157\155\057"
-"\160\143\141\062\056\143\162\154\060\023\006\003\125\035\045\004"
-"\014\060\012\006\010\053\006\001\005\005\007\003\011\060\102\006"
-"\010\053\006\001\005\005\007\001\001\004\066\060\064\060\062\006"
-"\010\053\006\001\005\005\007\060\001\246\046\026\044\150\164\164"
-"\160\072\057\057\157\143\163\160\056\166\145\162\151\163\151\147"
-"\156\056\143\157\155\057\157\143\163\160\057\163\164\141\164\165"
-"\163\060\104\006\003\125\035\040\004\075\060\073\060\071\006\013"
-"\140\206\110\001\206\370\105\001\007\001\001\060\052\060\050\006"
-"\010\053\006\001\005\005\007\002\001\026\034\150\164\164\160\163"
-"\072\057\057\167\167\167\056\166\145\162\151\163\151\147\156\056"
-"\143\157\155\057\122\120\101\060\011\006\003\125\035\023\004\002"
-"\060\000\060\013\006\003\125\035\017\004\004\003\002\007\200\060"
-"\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003\201"
-"\201\000\037\175\011\156\044\106\165\004\234\363\046\233\343\071"
-"\156\027\357\274\275\242\033\322\002\204\206\253\320\100\227\054"
-"\304\103\210\067\031\153\042\250\003\161\120\235\040\334\066\140"
-"\040\232\163\055\163\125\154\130\233\054\302\264\064\054\172\063"
-"\102\312\221\331\351\103\257\317\036\340\365\304\172\253\077\162"
-"\143\036\251\067\341\133\073\210\263\023\206\202\220\127\313\127"
-"\377\364\126\276\042\335\343\227\250\341\274\042\103\302\335\115"
-"\333\366\201\236\222\024\236\071\017\023\124\336\202\330\300\136"
-"\064\215"
-, (PRUint32)930 }
-};
-static const NSSItem nss_builtins_items_89 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Class 2 Public Primary OCSP Responder", (PRUint32)47 },
-  { (void *)"\042\171\151\276\320\122\116\115\035\066\262\361\162\041\167\361"
-"\124\123\110\167"
-, (PRUint32)20 },
-  { (void *)"\363\105\275\020\226\015\205\113\357\237\021\142\064\247\136\265"
-, (PRUint32)16 },
-  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151"
-"\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004"
-"\013\023\056\103\154\141\163\163\040\062\040\120\165\142\154\151"
-"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
-"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171"
-, (PRUint32)97 },
-  { (void *)"\002\020\011\106\027\346\035\330\324\034\240\014\240\142\350\171"
-"\212\247"
-, (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_90 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Class 3 Public Primary OCSP Responder", (PRUint32)47 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\247\061\027\060\025\006\003\125\004\012\023\016\126\145"
-"\162\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035"
-"\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040"
-"\124\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060"
-"\071\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146"
-"\040\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057"
-"\167\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155"
-"\057\122\120\101\040\050\143\051\060\060\061\056\060\054\006\003"
-"\125\004\003\023\045\103\154\141\163\163\040\063\040\120\165\142"
-"\154\151\143\040\120\162\151\155\141\162\171\040\117\103\123\120"
-"\040\122\145\163\160\157\156\144\145\162"
-, (PRUint32)170 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151"
-"\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004"
-"\013\023\056\103\154\141\163\163\040\063\040\120\165\142\154\151"
-"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
-"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171"
-, (PRUint32)97 },
-  { (void *)"\002\020\056\226\236\277\266\142\154\354\173\351\163\314\343\154"
-"\301\204"
-, (PRUint32)18 },
-  { (void *)"\060\202\003\242\060\202\003\013\240\003\002\001\002\002\020\056"
-"\226\236\277\266\142\154\354\173\351\163\314\343\154\301\204\060"
-"\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\137"
-"\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027\060"
-"\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147\156"
-"\054\040\111\156\143\056\061\067\060\065\006\003\125\004\013\023"
-"\056\103\154\141\163\163\040\063\040\120\165\142\154\151\143\040"
-"\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143"
-"\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060"
-"\036\027\015\060\060\060\070\060\064\060\060\060\060\060\060\132"
-"\027\015\060\064\060\070\060\063\062\063\065\071\065\071\132\060"
-"\201\247\061\027\060\025\006\003\125\004\012\023\016\126\145\162"
-"\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035\006"
-"\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040\124"
-"\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060\071"
-"\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146\040"
-"\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057\167"
-"\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155\057"
-"\122\120\101\040\050\143\051\060\060\061\056\060\054\006\003\125"
-"\004\003\023\045\103\154\141\163\163\040\063\040\120\165\142\154"
-"\151\143\040\120\162\151\155\141\162\171\040\117\103\123\120\040"
-"\122\145\163\160\157\156\144\145\162\060\201\237\060\015\006\011"
-"\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060"
-"\201\211\002\201\201\000\361\344\010\016\203\273\165\343\110\345"
-"\270\333\246\360\271\253\351\074\142\307\136\065\133\320\002\124"
-"\021\330\311\321\126\271\166\113\271\253\172\346\315\272\366\014"
-"\004\326\176\326\260\012\145\254\116\071\343\361\367\055\243\045"
-"\071\357\260\213\317\276\333\014\135\156\160\364\007\315\160\367"
-"\072\300\076\065\026\355\170\214\103\317\302\046\056\107\326\206"
-"\175\234\361\276\326\147\014\042\045\244\312\145\346\037\172\170"
-"\050\057\077\005\333\004\041\277\341\105\146\376\074\267\202\355"
-"\132\270\026\025\271\125\002\003\001\000\001\243\202\001\024\060"
-"\202\001\020\060\040\006\003\125\035\021\004\031\060\027\244\025"
-"\060\023\061\021\060\017\006\003\125\004\003\023\010\117\103\123"
-"\120\040\061\055\063\060\065\006\003\125\035\037\004\056\060\054"
-"\060\052\240\050\240\046\206\044\150\164\164\160\072\057\057\143"
-"\162\154\056\166\145\162\151\163\151\147\156\056\143\157\155\057"
-"\160\143\141\063\056\061\056\061\056\143\162\154\060\023\006\003"
-"\125\035\045\004\014\060\012\006\010\053\006\001\005\005\007\003"
-"\011\060\102\006\010\053\006\001\005\005\007\001\001\004\066\060"
-"\064\060\062\006\010\053\006\001\005\005\007\060\001\246\046\026"
-"\044\150\164\164\160\072\057\057\157\143\163\160\056\166\145\162"
-"\151\163\151\147\156\056\143\157\155\057\157\143\163\160\057\163"
-"\164\141\164\165\163\060\104\006\003\125\035\040\004\075\060\073"
-"\060\071\006\013\140\206\110\001\206\370\105\001\007\001\001\060"
-"\052\060\050\006\010\053\006\001\005\005\007\002\001\026\034\150"
-"\164\164\160\163\072\057\057\167\167\167\056\166\145\162\151\163"
-"\151\147\156\056\143\157\155\057\122\120\101\060\011\006\003\125"
-"\035\023\004\002\060\000\060\013\006\003\125\035\017\004\004\003"
-"\002\007\200\060\015\006\011\052\206\110\206\367\015\001\001\005"
-"\005\000\003\201\201\000\002\366\123\143\300\251\036\362\320\213"
-"\063\060\217\110\233\114\260\126\264\203\161\112\276\334\120\330"
-"\365\266\340\013\333\275\170\117\351\317\011\064\332\051\111\235"
-"\001\163\132\221\221\202\124\054\023\012\323\167\043\317\067\374"
-"\143\336\247\343\366\267\265\151\105\050\111\303\221\334\252\107"
-"\034\251\210\231\054\005\052\215\215\212\372\142\342\132\267\000"
-"\040\135\071\304\050\302\313\374\236\250\211\256\133\075\216\022"
-"\352\062\262\374\353\024\327\011\025\032\300\315\033\325\265\025"
-"\116\101\325\226\343\116"
-, (PRUint32)934 }
-};
-static const NSSItem nss_builtins_items_91 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Class 3 Public Primary OCSP Responder", (PRUint32)47 },
-  { (void *)"\265\355\267\332\046\072\126\164\322\042\105\060\324\307\217\172"
-"\007\365\345\137"
-, (PRUint32)20 },
-  { (void *)"\175\121\222\311\166\203\230\026\336\214\263\206\304\175\146\373"
-, (PRUint32)16 },
-  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151"
-"\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004"
-"\013\023\056\103\154\141\163\163\040\063\040\120\165\142\154\151"
-"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
-"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171"
-, (PRUint32)97 },
-  { (void *)"\002\020\056\226\236\277\266\142\154\354\173\351\163\314\343\154"
-"\301\204"
-, (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_92 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Secure Server OCSP Responder", (PRUint32)38 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\236\061\027\060\025\006\003\125\004\012\023\016\126\145"
-"\162\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035"
-"\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040"
-"\124\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060"
-"\071\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146"
-"\040\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057"
-"\167\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155"
-"\057\122\120\101\040\050\143\051\060\060\061\045\060\043\006\003"
-"\125\004\003\023\034\123\145\143\165\162\145\040\123\145\162\166"
-"\145\162\040\117\103\123\120\040\122\145\163\160\157\156\144\145"
-"\162"
-, (PRUint32)161 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\040\060\036\006\003\125\004\012\023\027\122\123\101\040\104\141"
-"\164\141\040\123\145\143\165\162\151\164\171\054\040\111\156\143"
-"\056\061\056\060\054\006\003\125\004\013\023\045\123\145\143\165"
-"\162\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146"
-"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171"
-, (PRUint32)97 },
-  { (void *)"\002\021\000\377\105\325\047\135\044\373\263\302\071\044\123\127"
-"\341\117\336"
-, (PRUint32)19 },
-  { (void *)"\060\202\003\237\060\202\003\014\240\003\002\001\002\002\021\000"
-"\377\105\325\047\135\044\373\263\302\071\044\123\127\341\117\336"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
-"\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061\040"
-"\060\036\006\003\125\004\012\023\027\122\123\101\040\104\141\164"
-"\141\040\123\145\143\165\162\151\164\171\054\040\111\156\143\056"
-"\061\056\060\054\006\003\125\004\013\023\045\123\145\143\165\162"
-"\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146\151"
-"\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171"
-"\060\036\027\015\060\060\060\070\060\064\060\060\060\060\060\060"
-"\132\027\015\060\064\060\070\060\063\062\063\065\071\065\071\132"
-"\060\201\236\061\027\060\025\006\003\125\004\012\023\016\126\145"
-"\162\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035"
-"\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040"
-"\124\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060"
-"\071\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146"
-"\040\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057"
-"\167\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155"
-"\057\122\120\101\040\050\143\051\060\060\061\045\060\043\006\003"
-"\125\004\003\023\034\123\145\143\165\162\145\040\123\145\162\166"
-"\145\162\040\117\103\123\120\040\122\145\163\160\157\156\144\145"
-"\162\060\201\237\060\015\006\011\052\206\110\206\367\015\001\001"
-"\001\005\000\003\201\215\000\060\201\211\002\201\201\000\270\121"
-"\231\144\205\016\356\263\012\150\360\277\143\166\035\123\365\374"
-"\241\170\214\063\356\237\364\276\071\332\233\017\115\107\251\217"
-"\040\350\113\104\275\316\315\173\220\321\060\350\220\304\045\173"
-"\211\050\336\275\366\223\035\377\271\377\222\265\251\215\344\256"
-"\314\342\303\007\203\152\243\162\020\001\047\142\042\246\065\046"
-"\071\055\236\317\140\014\374\107\244\327\320\102\170\247\035\154"
-"\320\313\117\025\247\051\012\264\225\105\304\261\347\132\011\327"
-"\071\225\330\035\065\236\302\275\263\135\301\014\113\037\002\003"
-"\001\000\001\243\202\001\035\060\202\001\031\060\040\006\003\125"
-"\035\021\004\031\060\027\244\025\060\023\061\021\060\017\006\003"
-"\125\004\003\023\010\117\103\123\120\040\061\055\064\060\076\006"
-"\003\125\035\037\004\067\060\065\060\063\240\061\240\057\206\055"
-"\150\164\164\160\072\057\057\143\162\154\056\166\145\162\151\163"
-"\151\147\156\056\143\157\155\057\122\123\101\123\145\143\165\162"
-"\145\123\145\162\166\145\162\055\160\056\143\162\154\060\023\006"
-"\003\125\035\045\004\014\060\012\006\010\053\006\001\005\005\007"
-"\003\011\060\102\006\010\053\006\001\005\005\007\001\001\004\066"
-"\060\064\060\062\006\010\053\006\001\005\005\007\060\001\246\046"
-"\026\044\150\164\164\160\072\057\057\157\143\163\160\056\166\145"
-"\162\151\163\151\147\156\056\143\157\155\057\157\143\163\160\057"
-"\163\164\141\164\165\163\060\104\006\003\125\035\040\004\075\060"
-"\073\060\071\006\013\140\206\110\001\206\370\105\001\007\001\001"
-"\060\052\060\050\006\010\053\006\001\005\005\007\002\001\026\034"
-"\150\164\164\160\163\072\057\057\167\167\167\056\166\145\162\151"
-"\163\151\147\156\056\143\157\155\057\122\120\101\060\011\006\003"
-"\125\035\023\004\002\060\000\060\013\006\003\125\035\017\004\004"
-"\003\002\007\200\060\015\006\011\052\206\110\206\367\015\001\001"
-"\005\005\000\003\176\000\000\263\020\123\146\234\111\223\056\061"
-"\240\002\102\322\130\127\176\146\241\376\033\212\141\030\120\100"
-"\054\036\053\101\245\326\333\377\254\010\034\132\005\155\002\134"
-"\052\266\226\117\107\333\276\116\333\316\314\272\206\270\030\316"
-"\261\022\221\137\143\367\363\110\076\314\361\115\023\344\155\011"
-"\224\170\000\222\313\243\040\235\006\013\152\240\103\007\316\321"
-"\031\154\217\030\165\232\237\027\063\375\251\046\270\343\342\336"
-"\302\250\304\132\212\177\230\326\007\006\153\314\126\236\206\160"
-"\316\324\357"
-, (PRUint32)931 }
-};
-static const NSSItem nss_builtins_items_93 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Secure Server OCSP Responder", (PRUint32)38 },
-  { (void *)"\161\236\140\141\327\175\054\203\361\242\135\074\366\215\002\274"
-"\224\070\305\056"
-, (PRUint32)20 },
-  { (void *)"\054\142\303\330\200\001\026\011\352\131\352\170\253\020\103\366"
-, (PRUint32)16 },
-  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\040\060\036\006\003\125\004\012\023\027\122\123\101\040\104\141"
-"\164\141\040\123\145\143\165\162\151\164\171\054\040\111\156\143"
-"\056\061\056\060\054\006\003\125\004\013\023\045\123\145\143\165"
-"\162\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146"
-"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171"
-, (PRUint32)97 },
-  { (void *)"\002\021\000\377\105\325\047\135\044\373\263\302\071\044\123\127"
-"\341\117\336"
-, (PRUint32)19 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_94 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Time Stamping Authority CA", (PRUint32)36 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\245\061\027\060\025\006\003\125\004\012\023\016\126\145"
-"\162\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035"
-"\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040"
-"\124\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060"
-"\071\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146"
-"\040\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057"
-"\167\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155"
-"\057\162\160\141\040\050\143\051\060\060\061\054\060\052\006\003"
-"\125\004\003\023\043\126\145\162\151\123\151\147\156\040\124\151"
-"\155\145\040\123\164\141\155\160\151\156\147\040\101\165\164\150"
-"\157\162\151\164\171\040\103\101"
-, (PRUint32)168 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125"
-"\004\013\023\063\103\154\141\163\163\040\063\040\120\165\142\154"
-"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
-"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
-"\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013"
-"\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040"
-"\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
-"\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
-"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
-"\167\157\162\153"
-, (PRUint32)196 },
-  { (void *)"\002\020\123\141\262\140\256\333\161\216\247\224\263\023\063\364"
-"\007\011"
-, (PRUint32)18 },
-  { (void *)"\060\202\003\315\060\202\003\066\240\003\002\001\002\002\020\123"
-"\141\262\140\256\333\161\216\247\224\263\023\063\364\007\011\060"
-"\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201"
-"\301\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027"
-"\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147"
-"\156\054\040\111\156\143\056\061\074\060\072\006\003\125\004\013"
-"\023\063\103\154\141\163\163\040\063\040\120\165\142\154\151\143"
-"\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151"
-"\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171"
-"\040\055\040\107\062\061\072\060\070\006\003\125\004\013\023\061"
-"\050\143\051\040\061\071\071\070\040\126\145\162\151\123\151\147"
-"\156\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165"
-"\164\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154"
-"\171\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151"
-"\123\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157"
-"\162\153\060\036\027\015\060\060\060\071\062\066\060\060\060\060"
-"\060\060\132\027\015\061\060\060\071\062\065\062\063\065\071\065"
-"\071\132\060\201\245\061\027\060\025\006\003\125\004\012\023\016"
-"\126\145\162\151\123\151\147\156\054\040\111\156\143\056\061\037"
-"\060\035\006\003\125\004\013\023\026\126\145\162\151\123\151\147"
-"\156\040\124\162\165\163\164\040\116\145\164\167\157\162\153\061"
-"\073\060\071\006\003\125\004\013\023\062\124\145\162\155\163\040"
-"\157\146\040\165\163\145\040\141\164\040\150\164\164\160\163\072"
-"\057\057\167\167\167\056\166\145\162\151\163\151\147\156\056\143"
-"\157\155\057\162\160\141\040\050\143\051\060\060\061\054\060\052"
-"\006\003\125\004\003\023\043\126\145\162\151\123\151\147\156\040"
-"\124\151\155\145\040\123\164\141\155\160\151\156\147\040\101\165"
-"\164\150\157\162\151\164\171\040\103\101\060\201\237\060\015\006"
-"\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000"
-"\060\201\211\002\201\201\000\322\031\235\147\302\000\041\131\142"
-"\316\264\011\042\104\151\212\370\045\132\333\355\015\267\066\176"
-"\116\340\273\224\076\220\045\207\302\141\107\051\331\275\124\270"
-"\143\314\054\175\151\264\063\066\364\067\007\232\301\335\100\124"
-"\374\340\170\235\240\223\271\011\075\043\121\177\104\302\024\164"
-"\333\012\276\313\311\060\064\100\230\076\320\327\045\020\201\224"
-"\275\007\117\234\326\124\047\337\056\250\277\313\220\214\215\165"
-"\113\274\342\350\104\207\315\346\101\012\045\156\350\364\044\002"
-"\305\122\017\156\354\230\165\002\003\001\000\001\243\201\337\060"
-"\201\334\060\017\006\003\125\035\023\004\010\060\006\001\001\377"
-"\002\001\000\060\105\006\003\125\035\040\004\076\060\074\060\072"
-"\006\014\140\206\110\001\206\370\105\001\007\027\001\003\060\052"
-"\060\050\006\010\053\006\001\005\005\007\002\001\026\034\150\164"
-"\164\160\163\072\057\057\167\167\167\056\166\145\162\151\163\151"
-"\147\156\056\143\157\155\057\162\160\141\060\061\006\003\125\035"
-"\037\004\052\060\050\060\046\240\044\240\042\206\040\150\164\164"
-"\160\072\057\057\143\162\154\056\166\145\162\151\163\151\147\156"
-"\056\143\157\155\057\160\143\141\063\056\143\162\154\060\013\006"
-"\003\125\035\017\004\004\003\002\001\006\060\102\006\010\053\006"
-"\001\005\005\007\001\001\004\066\060\064\060\062\006\010\053\006"
-"\001\005\005\007\060\001\246\046\026\044\150\164\164\160\072\057"
-"\057\157\143\163\160\056\166\145\162\151\163\151\147\156\056\143"
-"\157\155\057\157\143\163\160\057\163\164\141\164\165\163\060\015"
-"\006\011\052\206\110\206\367\015\001\001\005\005\000\003\201\201"
-"\000\202\160\150\225\337\266\015\302\001\160\031\112\322\124\126"
-"\036\254\362\105\114\207\270\365\065\353\170\113\005\251\310\235"
-"\073\031\041\056\160\064\112\242\365\211\340\025\165\105\347\050"
-"\067\000\064\047\051\350\067\113\362\357\104\227\153\027\121\032"
-"\303\126\235\074\032\212\366\112\106\106\067\214\372\313\365\144"
-"\132\070\150\056\034\303\357\160\316\270\106\006\026\277\367\176"
-"\347\265\250\076\105\254\251\045\165\042\173\157\077\260\234\224"
-"\347\307\163\253\254\037\356\045\233\300\026\355\267\312\133\360"
-"\024"
-, (PRUint32)977 }
-};
-static const NSSItem nss_builtins_items_95 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Verisign Time Stamping Authority CA", (PRUint32)36 },
-  { (void *)"\246\017\064\310\142\154\201\366\213\367\175\251\366\147\130\212"
-"\220\077\175\066"
-, (PRUint32)20 },
-  { (void *)"\211\111\124\214\310\150\232\203\051\354\334\006\163\041\253\227"
-, (PRUint32)16 },
-  { (void *)"\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125"
-"\004\013\023\063\103\154\141\163\163\040\063\040\120\165\142\154"
-"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
-"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
-"\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013"
-"\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123"
-"\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040"
-"\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
-"\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
-"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
-"\167\157\162\153"
-, (PRUint32)196 },
-  { (void *)"\002\020\123\141\262\140\256\333\161\216\247\224\263\023\063\364"
-"\007\011"
-, (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_96 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Thawte Time Stamping CA", (PRUint32)24 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\213\061\013\060\011\006\003\125\004\006\023\002\132\101"
-"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
-"\162\156\040\103\141\160\145\061\024\060\022\006\003\125\004\007"
-"\023\013\104\165\162\142\141\156\166\151\154\154\145\061\017\060"
-"\015\006\003\125\004\012\023\006\124\150\141\167\164\145\061\035"
-"\060\033\006\003\125\004\013\023\024\124\150\141\167\164\145\040"
-"\103\145\162\164\151\146\151\143\141\164\151\157\156\061\037\060"
-"\035\006\003\125\004\003\023\026\124\150\141\167\164\145\040\124"
-"\151\155\145\163\164\141\155\160\151\156\147\040\103\101"
-, (PRUint32)142 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\213\061\013\060\011\006\003\125\004\006\023\002\132\101"
-"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
-"\162\156\040\103\141\160\145\061\024\060\022\006\003\125\004\007"
-"\023\013\104\165\162\142\141\156\166\151\154\154\145\061\017\060"
-"\015\006\003\125\004\012\023\006\124\150\141\167\164\145\061\035"
-"\060\033\006\003\125\004\013\023\024\124\150\141\167\164\145\040"
-"\103\145\162\164\151\146\151\143\141\164\151\157\156\061\037\060"
-"\035\006\003\125\004\003\023\026\124\150\141\167\164\145\040\124"
-"\151\155\145\163\164\141\155\160\151\156\147\040\103\101"
-, (PRUint32)142 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)"\060\202\002\241\060\202\002\012\240\003\002\001\002\002\001\000"
-"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060"
-"\201\213\061\013\060\011\006\003\125\004\006\023\002\132\101\061"
-"\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145\162"
-"\156\040\103\141\160\145\061\024\060\022\006\003\125\004\007\023"
-"\013\104\165\162\142\141\156\166\151\154\154\145\061\017\060\015"
-"\006\003\125\004\012\023\006\124\150\141\167\164\145\061\035\060"
-"\033\006\003\125\004\013\023\024\124\150\141\167\164\145\040\103"
-"\145\162\164\151\146\151\143\141\164\151\157\156\061\037\060\035"
-"\006\003\125\004\003\023\026\124\150\141\167\164\145\040\124\151"
-"\155\145\163\164\141\155\160\151\156\147\040\103\101\060\036\027"
-"\015\071\067\060\061\060\061\060\060\060\060\060\060\132\027\015"
-"\062\060\061\062\063\061\062\063\065\071\065\071\132\060\201\213"
-"\061\013\060\011\006\003\125\004\006\023\002\132\101\061\025\060"
-"\023\006\003\125\004\010\023\014\127\145\163\164\145\162\156\040"
-"\103\141\160\145\061\024\060\022\006\003\125\004\007\023\013\104"
-"\165\162\142\141\156\166\151\154\154\145\061\017\060\015\006\003"
-"\125\004\012\023\006\124\150\141\167\164\145\061\035\060\033\006"
-"\003\125\004\013\023\024\124\150\141\167\164\145\040\103\145\162"
-"\164\151\146\151\143\141\164\151\157\156\061\037\060\035\006\003"
-"\125\004\003\023\026\124\150\141\167\164\145\040\124\151\155\145"
-"\163\164\141\155\160\151\156\147\040\103\101\060\201\237\060\015"
-"\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215"
-"\000\060\201\211\002\201\201\000\326\053\130\170\141\105\206\123"
-"\352\064\173\121\234\355\260\346\056\030\016\376\340\137\250\047"
-"\323\264\311\340\174\131\116\026\016\163\124\140\301\177\366\237"
-"\056\351\072\205\044\025\074\333\107\004\143\303\236\304\224\032"
-"\132\337\114\172\363\331\103\035\074\020\172\171\045\333\220\376"
-"\360\121\347\060\326\101\000\375\237\050\337\171\276\224\273\235"
-"\266\024\343\043\205\327\251\101\340\114\244\171\260\053\032\213"
-"\362\370\073\212\076\105\254\161\222\000\264\220\101\230\373\137"
-"\355\372\267\056\212\370\210\067\002\003\001\000\001\243\023\060"
-"\021\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001"
-"\001\377\060\015\006\011\052\206\110\206\367\015\001\001\004\005"
-"\000\003\201\201\000\147\333\342\302\346\207\075\100\203\206\067"
-"\065\175\037\316\232\303\014\146\040\250\272\252\004\211\206\302"
-"\365\020\010\015\277\313\242\005\212\320\115\066\076\364\327\357"
-"\151\306\136\344\260\224\157\112\271\347\336\133\210\266\173\333"
-"\343\047\345\166\303\360\065\301\313\265\047\233\063\171\334\220"
-"\246\000\236\167\372\374\315\047\224\102\026\234\323\034\150\354"
-"\277\134\335\345\251\173\020\012\062\164\124\023\061\213\205\003"
-"\204\221\267\130\001\060\024\070\257\050\312\374\261\120\031\031"
-"\011\254\211\111\323"
-, (PRUint32)677 }
-};
-static const NSSItem nss_builtins_items_97 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Thawte Time Stamping CA", (PRUint32)24 },
-  { (void *)"\276\066\244\126\057\262\356\005\333\263\323\043\043\255\364\105"
-"\010\116\326\126"
-, (PRUint32)20 },
-  { (void *)"\177\146\172\161\323\353\151\170\040\232\121\024\235\203\332\040"
-, (PRUint32)16 },
-  { (void *)"\060\201\213\061\013\060\011\006\003\125\004\006\023\002\132\101"
-"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
-"\162\156\040\103\141\160\145\061\024\060\022\006\003\125\004\007"
-"\023\013\104\165\162\142\141\156\166\151\154\154\145\061\017\060"
-"\015\006\003\125\004\012\023\006\124\150\141\167\164\145\061\035"
-"\060\033\006\003\125\004\013\023\024\124\150\141\167\164\145\040"
-"\103\145\162\164\151\146\151\143\141\164\151\157\156\061\037\060"
-"\035\006\003\125\004\003\023\026\124\150\141\167\164\145\040\124"
-"\151\155\145\163\164\141\155\160\151\156\147\040\103\101"
-, (PRUint32)142 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_98 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Entrust.net Global Secure Server CA", (PRUint32)36 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\272\061\024\060\022\006\003\125\004\012\023\013\105\156"
-"\164\162\165\163\164\056\156\145\164\061\077\060\075\006\003\125"
-"\004\013\024\066\167\167\167\056\145\156\164\162\165\163\164\056"
-"\156\145\164\057\123\123\114\137\103\120\123\040\151\156\143\157"
-"\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151\155"
-"\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006\003"
-"\125\004\013\023\034\050\143\051\040\062\060\060\060\040\105\156"
-"\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164\145"
-"\144\061\072\060\070\006\003\125\004\003\023\061\105\156\164\162"
-"\165\163\164\056\156\145\164\040\123\145\143\165\162\145\040\123"
-"\145\162\166\145\162\040\103\145\162\164\151\146\151\143\141\164"
-"\151\157\156\040\101\165\164\150\157\162\151\164\171"
-, (PRUint32)189 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\272\061\024\060\022\006\003\125\004\012\023\013\105\156"
-"\164\162\165\163\164\056\156\145\164\061\077\060\075\006\003\125"
-"\004\013\024\066\167\167\167\056\145\156\164\162\165\163\164\056"
-"\156\145\164\057\123\123\114\137\103\120\123\040\151\156\143\157"
-"\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151\155"
-"\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006\003"
-"\125\004\013\023\034\050\143\051\040\062\060\060\060\040\105\156"
-"\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164\145"
-"\144\061\072\060\070\006\003\125\004\003\023\061\105\156\164\162"
-"\165\163\164\056\156\145\164\040\123\145\143\165\162\145\040\123"
-"\145\162\166\145\162\040\103\145\162\164\151\146\151\143\141\164"
-"\151\157\156\040\101\165\164\150\157\162\151\164\171"
-, (PRUint32)189 },
-  { (void *)"\002\004\070\233\021\074"
-, (PRUint32)6 },
-  { (void *)"\060\202\004\225\060\202\003\376\240\003\002\001\002\002\004\070"
-"\233\021\074\060\015\006\011\052\206\110\206\367\015\001\001\004"
-"\005\000\060\201\272\061\024\060\022\006\003\125\004\012\023\013"
-"\105\156\164\162\165\163\164\056\156\145\164\061\077\060\075\006"
-"\003\125\004\013\024\066\167\167\167\056\145\156\164\162\165\163"
-"\164\056\156\145\164\057\123\123\114\137\103\120\123\040\151\156"
-"\143\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154"
-"\151\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043"
-"\006\003\125\004\013\023\034\050\143\051\040\062\060\060\060\040"
-"\105\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151"
-"\164\145\144\061\072\060\070\006\003\125\004\003\023\061\105\156"
-"\164\162\165\163\164\056\156\145\164\040\123\145\143\165\162\145"
-"\040\123\145\162\166\145\162\040\103\145\162\164\151\146\151\143"
-"\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060"
-"\036\027\015\060\060\060\062\060\064\061\067\062\060\060\060\132"
-"\027\015\062\060\060\062\060\064\061\067\065\060\060\060\132\060"
-"\201\272\061\024\060\022\006\003\125\004\012\023\013\105\156\164"
-"\162\165\163\164\056\156\145\164\061\077\060\075\006\003\125\004"
-"\013\024\066\167\167\167\056\145\156\164\162\165\163\164\056\156"
-"\145\164\057\123\123\114\137\103\120\123\040\151\156\143\157\162"
-"\160\056\040\142\171\040\162\145\146\056\040\050\154\151\155\151"
-"\164\163\040\154\151\141\142\056\051\061\045\060\043\006\003\125"
-"\004\013\023\034\050\143\051\040\062\060\060\060\040\105\156\164"
-"\162\165\163\164\056\156\145\164\040\114\151\155\151\164\145\144"
-"\061\072\060\070\006\003\125\004\003\023\061\105\156\164\162\165"
-"\163\164\056\156\145\164\040\123\145\143\165\162\145\040\123\145"
-"\162\166\145\162\040\103\145\162\164\151\146\151\143\141\164\151"
-"\157\156\040\101\165\164\150\157\162\151\164\171\060\201\237\060"
-"\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201"
-"\215\000\060\201\211\002\201\201\000\307\301\137\116\161\361\316"
-"\360\140\206\017\322\130\177\323\063\227\055\027\242\165\060\265"
-"\226\144\046\057\150\303\104\253\250\165\346\000\147\064\127\236"
-"\145\307\042\233\163\346\323\335\010\016\067\125\252\045\106\201"
-"\154\275\376\250\366\165\127\127\214\220\154\112\303\076\213\113"
-"\103\012\311\021\126\232\232\047\042\231\317\125\236\141\331\002"
-"\342\174\266\174\070\007\334\343\177\117\232\271\003\101\200\266"
-"\165\147\023\013\237\350\127\066\310\135\000\066\336\146\024\332"
-"\156\166\037\117\067\214\202\023\211\002\003\001\000\001\243\202"
-"\001\244\060\202\001\240\060\021\006\011\140\206\110\001\206\370"
-"\102\001\001\004\004\003\002\000\007\060\201\343\006\003\125\035"
-"\037\004\201\333\060\201\330\060\201\325\240\201\322\240\201\317"
-"\244\201\314\060\201\311\061\024\060\022\006\003\125\004\012\023"
-"\013\105\156\164\162\165\163\164\056\156\145\164\061\077\060\075"
-"\006\003\125\004\013\024\066\167\167\167\056\145\156\164\162\165"
-"\163\164\056\156\145\164\057\123\123\114\137\103\120\123\040\151"
-"\156\143\157\162\160\056\040\142\171\040\162\145\146\056\040\050"
-"\154\151\155\151\164\163\040\154\151\141\142\056\051\061\045\060"
-"\043\006\003\125\004\013\023\034\050\143\051\040\062\060\060\060"
-"\040\105\156\164\162\165\163\164\056\156\145\164\040\114\151\155"
-"\151\164\145\144\061\072\060\070\006\003\125\004\003\023\061\105"
-"\156\164\162\165\163\164\056\156\145\164\040\123\145\143\165\162"
-"\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146\151"
-"\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171"
-"\061\015\060\013\006\003\125\004\003\023\004\103\122\114\061\060"
-"\053\006\003\125\035\020\004\044\060\042\200\017\062\060\060\060"
-"\060\062\060\064\061\067\062\060\060\060\132\201\017\062\060\062"
-"\060\060\062\060\064\061\067\065\060\060\060\132\060\013\006\003"
-"\125\035\017\004\004\003\002\001\006\060\037\006\003\125\035\043"
-"\004\030\060\026\200\024\313\154\300\153\343\273\076\313\374\042"
-"\234\376\373\213\222\234\260\362\156\042\060\035\006\003\125\035"
-"\016\004\026\004\024\313\154\300\153\343\273\076\313\374\042\234"
-"\376\373\213\222\234\260\362\156\042\060\014\006\003\125\035\023"
-"\004\005\060\003\001\001\377\060\035\006\011\052\206\110\206\366"
-"\175\007\101\000\004\020\060\016\033\010\126\065\056\060\072\064"
-"\056\060\003\002\004\220\060\015\006\011\052\206\110\206\367\015"
-"\001\001\004\005\000\003\201\201\000\142\333\201\221\316\310\232"
-"\167\102\057\354\275\047\243\123\017\120\033\352\116\222\360\251"
-"\257\251\240\272\110\141\313\357\311\006\357\037\325\364\356\337"
-"\126\055\346\312\152\031\163\252\123\276\222\263\120\002\266\205"
-"\046\162\143\330\165\120\142\165\024\267\263\120\032\077\312\021"
-"\000\013\205\105\151\155\266\245\256\121\341\112\334\202\077\154"
-"\214\064\262\167\153\331\002\366\177\016\352\145\004\361\315\124"
-"\312\272\311\314\340\204\367\310\076\021\227\323\140\011\030\274"
-"\005\377\154\211\063\360\354\025\017"
-, (PRUint32)1177 }
-};
-static const NSSItem nss_builtins_items_99 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Entrust.net Global Secure Server CA", (PRUint32)36 },
-  { (void *)"\211\071\127\156\027\215\367\005\170\017\314\136\310\117\204\366"
-"\045\072\110\223"
-, (PRUint32)20 },
-  { (void *)"\235\146\152\314\377\325\365\103\264\277\214\026\321\053\250\231"
-, (PRUint32)16 },
-  { (void *)"\060\201\272\061\024\060\022\006\003\125\004\012\023\013\105\156"
-"\164\162\165\163\164\056\156\145\164\061\077\060\075\006\003\125"
-"\004\013\024\066\167\167\167\056\145\156\164\162\165\163\164\056"
-"\156\145\164\057\123\123\114\137\103\120\123\040\151\156\143\157"
-"\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151\155"
-"\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006\003"
-"\125\004\013\023\034\050\143\051\040\062\060\060\060\040\105\156"
-"\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164\145"
-"\144\061\072\060\070\006\003\125\004\003\023\061\105\156\164\162"
-"\165\163\164\056\156\145\164\040\123\145\143\165\162\145\040\123"
-"\145\162\166\145\162\040\103\145\162\164\151\146\151\143\141\164"
-"\151\157\156\040\101\165\164\150\157\162\151\164\171"
-, (PRUint32)189 },
-  { (void *)"\002\004\070\233\021\074"
-, (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_100 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Entrust.net Global Secure Personal CA", (PRUint32)38 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\264\061\024\060\022\006\003\125\004\012\023\013\105\156"
-"\164\162\165\163\164\056\156\145\164\061\100\060\076\006\003\125"
-"\004\013\024\067\167\167\167\056\145\156\164\162\165\163\164\056"
-"\156\145\164\057\107\103\103\101\137\103\120\123\040\151\156\143"
-"\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151"
-"\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006"
-"\003\125\004\013\023\034\050\143\051\040\062\060\060\060\040\105"
-"\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164"
-"\145\144\061\063\060\061\006\003\125\004\003\023\052\105\156\164"
-"\162\165\163\164\056\156\145\164\040\103\154\151\145\156\164\040"
-"\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165"
-"\164\150\157\162\151\164\171"
-, (PRUint32)183 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\264\061\024\060\022\006\003\125\004\012\023\013\105\156"
-"\164\162\165\163\164\056\156\145\164\061\100\060\076\006\003\125"
-"\004\013\024\067\167\167\167\056\145\156\164\162\165\163\164\056"
-"\156\145\164\057\107\103\103\101\137\103\120\123\040\151\156\143"
-"\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151"
-"\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006"
-"\003\125\004\013\023\034\050\143\051\040\062\060\060\060\040\105"
-"\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164"
-"\145\144\061\063\060\061\006\003\125\004\003\023\052\105\156\164"
-"\162\165\163\164\056\156\145\164\040\103\154\151\145\156\164\040"
-"\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165"
-"\164\150\157\162\151\164\171"
-, (PRUint32)183 },
-  { (void *)"\002\004\070\236\366\344"
-, (PRUint32)6 },
-  { (void *)"\060\202\004\203\060\202\003\354\240\003\002\001\002\002\004\070"
-"\236\366\344\060\015\006\011\052\206\110\206\367\015\001\001\004"
-"\005\000\060\201\264\061\024\060\022\006\003\125\004\012\023\013"
-"\105\156\164\162\165\163\164\056\156\145\164\061\100\060\076\006"
-"\003\125\004\013\024\067\167\167\167\056\145\156\164\162\165\163"
-"\164\056\156\145\164\057\107\103\103\101\137\103\120\123\040\151"
-"\156\143\157\162\160\056\040\142\171\040\162\145\146\056\040\050"
-"\154\151\155\151\164\163\040\154\151\141\142\056\051\061\045\060"
-"\043\006\003\125\004\013\023\034\050\143\051\040\062\060\060\060"
-"\040\105\156\164\162\165\163\164\056\156\145\164\040\114\151\155"
-"\151\164\145\144\061\063\060\061\006\003\125\004\003\023\052\105"
-"\156\164\162\165\163\164\056\156\145\164\040\103\154\151\145\156"
-"\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
-"\101\165\164\150\157\162\151\164\171\060\036\027\015\060\060\060"
-"\062\060\067\061\066\061\066\064\060\132\027\015\062\060\060\062"
-"\060\067\061\066\064\066\064\060\132\060\201\264\061\024\060\022"
-"\006\003\125\004\012\023\013\105\156\164\162\165\163\164\056\156"
-"\145\164\061\100\060\076\006\003\125\004\013\024\067\167\167\167"
-"\056\145\156\164\162\165\163\164\056\156\145\164\057\107\103\103"
-"\101\137\103\120\123\040\151\156\143\157\162\160\056\040\142\171"
-"\040\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151"
-"\141\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050"
-"\143\051\040\062\060\060\060\040\105\156\164\162\165\163\164\056"
-"\156\145\164\040\114\151\155\151\164\145\144\061\063\060\061\006"
-"\003\125\004\003\023\052\105\156\164\162\165\163\164\056\156\145"
-"\164\040\103\154\151\145\156\164\040\103\145\162\164\151\146\151"
-"\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171"
-"\060\201\237\060\015\006\011\052\206\110\206\367\015\001\001\001"
-"\005\000\003\201\215\000\060\201\211\002\201\201\000\223\164\264"
-"\266\344\305\113\326\241\150\177\142\325\354\367\121\127\263\162"
-"\112\230\365\320\211\311\255\143\315\115\065\121\152\204\324\255"
-"\311\150\171\157\270\353\021\333\207\256\134\044\121\023\361\124"
-"\045\204\257\051\053\237\343\200\342\331\313\335\306\105\111\064"
-"\210\220\136\001\227\357\352\123\246\335\374\301\336\113\052\045"
-"\344\351\065\372\125\005\006\345\211\172\352\244\021\127\073\374"
-"\174\075\066\315\147\065\155\244\251\045\131\275\146\365\371\047"
-"\344\225\147\326\077\222\200\136\362\064\175\053\205\002\003\001"
-"\000\001\243\202\001\236\060\202\001\232\060\021\006\011\140\206"
-"\110\001\206\370\102\001\001\004\004\003\002\000\007\060\201\335"
-"\006\003\125\035\037\004\201\325\060\201\322\060\201\317\240\201"
-"\314\240\201\311\244\201\306\060\201\303\061\024\060\022\006\003"
-"\125\004\012\023\013\105\156\164\162\165\163\164\056\156\145\164"
-"\061\100\060\076\006\003\125\004\013\024\067\167\167\167\056\145"
-"\156\164\162\165\163\164\056\156\145\164\057\107\103\103\101\137"
-"\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040\162"
-"\145\146\056\040\050\154\151\155\151\164\163\040\154\151\141\142"
-"\056\051\061\045\060\043\006\003\125\004\013\023\034\050\143\051"
-"\040\062\060\060\060\040\105\156\164\162\165\163\164\056\156\145"
-"\164\040\114\151\155\151\164\145\144\061\063\060\061\006\003\125"
-"\004\003\023\052\105\156\164\162\165\163\164\056\156\145\164\040"
-"\103\154\151\145\156\164\040\103\145\162\164\151\146\151\143\141"
-"\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061\015"
-"\060\013\006\003\125\004\003\023\004\103\122\114\061\060\053\006"
-"\003\125\035\020\004\044\060\042\200\017\062\060\060\060\060\062"
-"\060\067\061\066\061\066\064\060\132\201\017\062\060\062\060\060"
-"\062\060\067\061\066\064\066\064\060\132\060\013\006\003\125\035"
-"\017\004\004\003\002\001\006\060\037\006\003\125\035\043\004\030"
-"\060\026\200\024\204\213\164\375\305\215\300\377\047\155\040\067"
-"\105\174\376\055\316\272\323\175\060\035\006\003\125\035\016\004"
-"\026\004\024\204\213\164\375\305\215\300\377\047\155\040\067\105"
-"\174\376\055\316\272\323\175\060\014\006\003\125\035\023\004\005"
-"\060\003\001\001\377\060\035\006\011\052\206\110\206\366\175\007"
-"\101\000\004\020\060\016\033\010\126\065\056\060\072\064\056\060"
-"\003\002\004\220\060\015\006\011\052\206\110\206\367\015\001\001"
-"\004\005\000\003\201\201\000\116\157\065\200\073\321\212\365\016"
-"\247\040\313\055\145\125\320\222\364\347\204\265\006\046\203\022"
-"\204\013\254\073\262\104\356\275\317\100\333\040\016\272\156\024"
-"\352\060\340\073\142\174\177\213\153\174\112\247\325\065\074\276"
-"\250\134\352\113\273\223\216\200\146\253\017\051\375\115\055\277"
-"\032\233\012\220\305\253\332\321\263\206\324\057\044\122\134\172"
-"\155\306\362\376\345\115\032\060\214\220\362\272\327\112\076\103"
-"\176\324\310\120\032\207\370\117\201\307\166\013\204\072\162\235"
-"\316\145\146\227\256\046\136"
-, (PRUint32)1159 }
-};
-static const NSSItem nss_builtins_items_101 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Entrust.net Global Secure Personal CA", (PRUint32)38 },
-  { (void *)"\317\164\277\377\233\206\201\133\010\063\124\100\066\076\207\266"
-"\266\360\277\163"
-, (PRUint32)20 },
-  { (void *)"\232\167\031\030\355\226\317\337\033\267\016\365\215\271\210\056"
-, (PRUint32)16 },
-  { (void *)"\060\201\264\061\024\060\022\006\003\125\004\012\023\013\105\156"
-"\164\162\165\163\164\056\156\145\164\061\100\060\076\006\003\125"
-"\004\013\024\067\167\167\167\056\145\156\164\162\165\163\164\056"
-"\156\145\164\057\107\103\103\101\137\103\120\123\040\151\156\143"
-"\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151"
-"\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006"
-"\003\125\004\013\023\034\050\143\051\040\062\060\060\060\040\105"
-"\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164"
-"\145\144\061\063\060\061\006\003\125\004\003\023\052\105\156\164"
-"\162\165\163\164\056\156\145\164\040\103\154\151\145\156\164\040"
-"\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165"
-"\164\150\157\162\151\164\171"
-, (PRUint32)183 },
-  { (void *)"\002\004\070\236\366\344"
-, (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_102 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"AOL Time Warner Root Certification Authority 1", (PRUint32)47 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\203\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\035\060\033\006\003\125\004\012\023\024\101\117\114\040\124"
-"\151\155\145\040\127\141\162\156\145\162\040\111\156\143\056\061"
-"\034\060\032\006\003\125\004\013\023\023\101\155\145\162\151\143"
-"\141\040\117\156\154\151\156\145\040\111\156\143\056\061\067\060"
-"\065\006\003\125\004\003\023\056\101\117\114\040\124\151\155\145"
-"\040\127\141\162\156\145\162\040\122\157\157\164\040\103\145\162"
-"\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157"
-"\162\151\164\171\040\061"
-, (PRUint32)134 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\203\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\035\060\033\006\003\125\004\012\023\024\101\117\114\040\124"
-"\151\155\145\040\127\141\162\156\145\162\040\111\156\143\056\061"
-"\034\060\032\006\003\125\004\013\023\023\101\155\145\162\151\143"
-"\141\040\117\156\154\151\156\145\040\111\156\143\056\061\067\060"
-"\065\006\003\125\004\003\023\056\101\117\114\040\124\151\155\145"
-"\040\127\141\162\156\145\162\040\122\157\157\164\040\103\145\162"
-"\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157"
-"\162\151\164\171\040\061"
-, (PRUint32)134 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)"\060\202\003\346\060\202\002\316\240\003\002\001\002\002\001\001"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
-"\201\203\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\035\060\033\006\003\125\004\012\023\024\101\117\114\040\124\151"
-"\155\145\040\127\141\162\156\145\162\040\111\156\143\056\061\034"
-"\060\032\006\003\125\004\013\023\023\101\155\145\162\151\143\141"
-"\040\117\156\154\151\156\145\040\111\156\143\056\061\067\060\065"
-"\006\003\125\004\003\023\056\101\117\114\040\124\151\155\145\040"
-"\127\141\162\156\145\162\040\122\157\157\164\040\103\145\162\164"
-"\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162"
-"\151\164\171\040\061\060\036\027\015\060\062\060\065\062\071\060"
-"\066\060\060\060\060\132\027\015\063\067\061\061\062\060\061\065"
-"\060\063\060\060\132\060\201\203\061\013\060\011\006\003\125\004"
-"\006\023\002\125\123\061\035\060\033\006\003\125\004\012\023\024"
-"\101\117\114\040\124\151\155\145\040\127\141\162\156\145\162\040"
-"\111\156\143\056\061\034\060\032\006\003\125\004\013\023\023\101"
-"\155\145\162\151\143\141\040\117\156\154\151\156\145\040\111\156"
-"\143\056\061\067\060\065\006\003\125\004\003\023\056\101\117\114"
-"\040\124\151\155\145\040\127\141\162\156\145\162\040\122\157\157"
-"\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
-"\101\165\164\150\157\162\151\164\171\040\061\060\202\001\042\060"
-"\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202"
-"\001\017\000\060\202\001\012\002\202\001\001\000\231\336\217\303"
-"\045\243\151\064\350\005\367\164\271\277\132\227\031\271\057\224"
-"\322\223\345\055\211\312\204\174\077\020\103\033\214\213\174\204"
-"\130\370\044\174\110\317\052\375\300\025\331\030\176\204\032\027"
-"\323\333\236\327\312\344\331\327\252\130\121\207\360\360\213\110"
-"\116\342\302\304\131\151\060\142\266\060\242\214\013\021\231\141"
-"\065\155\176\357\305\261\031\006\040\022\216\102\341\337\017\226"
-"\020\122\250\317\234\137\225\024\330\257\073\165\013\061\040\037"
-"\104\057\242\142\101\263\273\030\041\333\312\161\074\214\354\266"
-"\271\015\237\357\121\357\115\173\022\362\013\014\341\254\100\217"
-"\167\177\260\312\170\161\014\135\026\161\160\242\327\302\072\205"
-"\315\016\232\304\340\000\260\325\045\352\334\053\344\224\055\070"
-"\234\211\101\127\144\050\145\031\034\266\104\264\310\061\153\216"
-"\001\173\166\131\045\177\025\034\204\010\174\163\145\040\012\241"
-"\004\056\032\062\250\232\040\261\234\054\041\131\347\373\317\356"
-"\160\055\010\312\143\076\054\233\223\031\152\244\302\227\377\267"
-"\206\127\210\205\154\236\025\026\053\115\054\263\002\003\001\000"
-"\001\243\143\060\141\060\017\006\003\125\035\023\001\001\377\004"
-"\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026\004"
-"\024\241\066\060\026\313\206\220\000\105\200\123\261\217\310\330"
-"\075\174\276\137\022\060\037\006\003\125\035\043\004\030\060\026"
-"\200\024\241\066\060\026\313\206\220\000\105\200\123\261\217\310"
-"\330\075\174\276\137\022\060\016\006\003\125\035\017\001\001\377"
-"\004\004\003\002\001\206\060\015\006\011\052\206\110\206\367\015"
-"\001\001\005\005\000\003\202\001\001\000\212\040\030\245\276\263"
-"\057\264\246\204\000\100\060\051\372\264\024\163\114\171\105\247"
-"\366\160\340\350\176\144\036\012\225\174\152\141\302\357\116\037"
-"\276\377\311\231\037\007\141\112\341\135\114\315\255\356\320\122"
-"\062\331\131\062\274\332\171\162\326\173\011\350\002\201\065\323"
-"\012\337\021\035\311\171\240\200\115\376\132\327\126\326\355\017"
-"\052\257\247\030\165\063\014\352\301\141\005\117\152\232\211\362"
-"\215\271\237\056\357\260\137\132\000\353\276\255\240\370\104\005"
-"\147\274\313\004\357\236\144\305\351\310\077\005\277\306\057\007"
-"\034\303\066\161\206\312\070\146\112\315\326\270\113\306\154\247"
-"\227\073\372\023\055\156\043\141\207\241\143\102\254\302\313\227"
-"\237\141\150\317\055\114\004\235\327\045\117\012\016\115\220\213"
-"\030\126\250\223\110\127\334\157\256\275\236\147\127\167\211\120"
-"\263\276\021\233\105\147\203\206\031\207\323\230\275\010\032\026"
-"\037\130\202\013\341\226\151\005\113\216\354\203\121\061\007\325"
-"\324\237\377\131\173\250\156\205\317\323\113\251\111\260\137\260"
-"\071\050\150\016\163\335\045\232\336\022"
-, (PRUint32)1002 }
-};
-static const NSSItem nss_builtins_items_103 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"AOL Time Warner Root Certification Authority 1", (PRUint32)47 },
-  { (void *)"\164\124\123\134\044\243\247\130\040\176\076\076\323\044\370\026"
-"\373\041\026\111"
-, (PRUint32)20 },
-  { (void *)"\347\172\334\261\037\156\006\037\164\154\131\026\047\303\113\300"
-, (PRUint32)16 },
-  { (void *)"\060\201\203\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\035\060\033\006\003\125\004\012\023\024\101\117\114\040\124"
-"\151\155\145\040\127\141\162\156\145\162\040\111\156\143\056\061"
-"\034\060\032\006\003\125\004\013\023\023\101\155\145\162\151\143"
-"\141\040\117\156\154\151\156\145\040\111\156\143\056\061\067\060"
-"\065\006\003\125\004\003\023\056\101\117\114\040\124\151\155\145"
-"\040\127\141\162\156\145\162\040\122\157\157\164\040\103\145\162"
-"\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157"
-"\162\151\164\171\040\061"
-, (PRUint32)134 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_104 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"AOL Time Warner Root Certification Authority 2", (PRUint32)47 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\203\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\035\060\033\006\003\125\004\012\023\024\101\117\114\040\124"
-"\151\155\145\040\127\141\162\156\145\162\040\111\156\143\056\061"
-"\034\060\032\006\003\125\004\013\023\023\101\155\145\162\151\143"
-"\141\040\117\156\154\151\156\145\040\111\156\143\056\061\067\060"
-"\065\006\003\125\004\003\023\056\101\117\114\040\124\151\155\145"
-"\040\127\141\162\156\145\162\040\122\157\157\164\040\103\145\162"
-"\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157"
-"\162\151\164\171\040\062"
-, (PRUint32)134 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\203\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\035\060\033\006\003\125\004\012\023\024\101\117\114\040\124"
-"\151\155\145\040\127\141\162\156\145\162\040\111\156\143\056\061"
-"\034\060\032\006\003\125\004\013\023\023\101\155\145\162\151\143"
-"\141\040\117\156\154\151\156\145\040\111\156\143\056\061\067\060"
-"\065\006\003\125\004\003\023\056\101\117\114\040\124\151\155\145"
-"\040\127\141\162\156\145\162\040\122\157\157\164\040\103\145\162"
-"\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157"
-"\162\151\164\171\040\062"
-, (PRUint32)134 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)"\060\202\005\346\060\202\003\316\240\003\002\001\002\002\001\001"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
-"\201\203\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\035\060\033\006\003\125\004\012\023\024\101\117\114\040\124\151"
-"\155\145\040\127\141\162\156\145\162\040\111\156\143\056\061\034"
-"\060\032\006\003\125\004\013\023\023\101\155\145\162\151\143\141"
-"\040\117\156\154\151\156\145\040\111\156\143\056\061\067\060\065"
-"\006\003\125\004\003\023\056\101\117\114\040\124\151\155\145\040"
-"\127\141\162\156\145\162\040\122\157\157\164\040\103\145\162\164"
-"\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162"
-"\151\164\171\040\062\060\036\027\015\060\062\060\065\062\071\060"
-"\066\060\060\060\060\132\027\015\063\067\060\071\062\070\062\063"
-"\064\063\060\060\132\060\201\203\061\013\060\011\006\003\125\004"
-"\006\023\002\125\123\061\035\060\033\006\003\125\004\012\023\024"
-"\101\117\114\040\124\151\155\145\040\127\141\162\156\145\162\040"
-"\111\156\143\056\061\034\060\032\006\003\125\004\013\023\023\101"
-"\155\145\162\151\143\141\040\117\156\154\151\156\145\040\111\156"
-"\143\056\061\067\060\065\006\003\125\004\003\023\056\101\117\114"
-"\040\124\151\155\145\040\127\141\162\156\145\162\040\122\157\157"
-"\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
-"\101\165\164\150\157\162\151\164\171\040\062\060\202\002\042\060"
-"\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202"
-"\002\017\000\060\202\002\012\002\202\002\001\000\264\067\132\010"
-"\026\231\024\350\125\261\033\044\153\374\307\213\346\207\251\211"
-"\356\213\231\315\117\100\206\244\266\115\311\331\261\334\074\115"
-"\015\205\114\025\154\106\213\122\170\237\370\043\375\147\365\044"
-"\072\150\135\320\367\144\141\101\124\243\213\245\010\322\051\133"
-"\233\140\117\046\203\321\143\022\126\111\166\244\026\302\245\235"
-"\105\254\213\204\225\250\026\261\354\237\352\044\032\357\271\127"
-"\134\232\044\041\054\115\016\161\037\246\254\135\105\164\003\230"
-"\304\124\214\026\112\101\167\206\225\165\014\107\001\146\140\374"
-"\025\361\017\352\365\024\170\307\016\327\156\201\034\136\277\136"
-"\347\072\052\330\227\027\060\174\000\255\010\235\063\257\270\231"
-"\141\200\213\250\225\176\024\334\022\154\244\320\330\357\100\111"
-"\002\066\371\156\251\326\035\226\126\004\262\263\055\026\126\206"
-"\217\331\040\127\200\315\147\020\155\260\114\360\332\106\266\352"
-"\045\056\106\257\215\260\205\070\064\213\024\046\202\053\254\256"
-"\231\013\216\024\327\122\275\236\151\303\206\002\013\352\166\165"
-"\061\011\316\063\031\041\205\103\346\211\055\237\045\067\147\361"
-"\043\152\322\000\155\227\371\237\347\051\312\335\037\327\006\352"
-"\270\311\271\011\041\237\310\077\006\305\322\351\022\106\000\116"
-"\173\010\353\102\075\053\110\156\235\147\335\113\002\344\104\363"
-"\223\031\245\047\316\151\172\276\147\323\374\120\244\054\253\303"
-"\153\271\343\200\114\317\005\141\113\053\334\033\271\246\322\320"
-"\252\365\053\163\373\316\220\065\237\014\122\034\277\134\041\141"
-"\021\133\025\113\251\044\121\374\244\134\367\027\235\260\322\372"
-"\007\351\217\126\344\032\214\150\212\004\323\174\132\343\236\242"
-"\241\312\161\133\242\324\240\347\051\205\135\003\150\052\117\322"
-"\006\327\075\371\303\003\057\077\145\371\147\036\107\100\323\143"
-"\017\343\325\216\371\205\253\227\114\263\327\046\353\226\012\224"
-"\336\205\066\234\310\177\201\011\002\111\052\016\365\144\062\014"
-"\202\321\272\152\202\033\263\113\164\021\363\214\167\326\237\277"
-"\334\067\244\247\125\004\057\324\061\350\323\106\271\003\174\332"
-"\022\116\131\144\267\121\061\061\120\240\312\034\047\331\020\056"
-"\255\326\275\020\146\053\303\260\042\112\022\133\002\003\001\000"
-"\001\243\143\060\141\060\017\006\003\125\035\023\001\001\377\004"
-"\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026\004"
-"\024\117\151\155\003\176\235\237\007\030\103\274\267\020\116\325"
-"\277\251\304\040\050\060\037\006\003\125\035\043\004\030\060\026"
-"\200\024\117\151\155\003\176\235\237\007\030\103\274\267\020\116"
-"\325\277\251\304\040\050\060\016\006\003\125\035\017\001\001\377"
-"\004\004\003\002\001\206\060\015\006\011\052\206\110\206\367\015"
-"\001\001\005\005\000\003\202\002\001\000\073\363\256\312\350\056"
-"\207\205\373\145\131\347\255\021\024\245\127\274\130\237\044\022"
-"\127\273\373\077\064\332\356\255\172\052\064\162\160\061\153\307"
-"\031\230\200\311\202\336\067\167\136\124\213\216\362\352\147\117"
-"\311\164\204\221\126\011\325\345\172\232\201\266\201\302\255\066"
-"\344\361\124\021\123\363\064\105\001\046\310\345\032\274\064\104"
-"\041\336\255\045\374\166\026\167\041\220\200\230\127\235\116\352"
-"\354\057\252\074\024\173\127\301\176\030\024\147\356\044\306\275"
-"\272\025\260\322\030\275\267\125\201\254\123\300\350\335\151\022"
-"\023\102\267\002\265\005\101\312\171\120\156\202\016\161\162\223"
-"\106\350\235\015\135\275\256\316\051\255\143\325\125\026\200\060"
-"\047\377\166\272\367\270\326\112\343\331\265\371\122\320\116\100"
-"\251\307\345\302\062\307\252\166\044\341\153\005\120\353\305\277"
-"\012\124\345\271\102\074\044\373\267\007\234\060\237\171\132\346"
-"\340\100\122\025\364\374\252\364\126\371\104\227\207\355\016\145"
-"\162\136\276\046\373\115\244\055\010\007\336\330\134\240\334\201"
-"\063\231\030\045\021\167\247\353\375\130\011\054\231\153\033\212"
-"\363\122\077\032\115\110\140\361\240\366\063\002\123\213\355\045"
-"\011\270\015\055\355\227\163\354\327\226\037\216\140\016\332\020"
-"\233\057\030\044\366\246\115\012\371\073\313\165\302\314\057\316"
-"\044\151\311\012\042\216\131\247\367\202\014\327\327\153\065\234"
-"\103\000\152\304\225\147\272\234\105\313\270\016\067\367\334\116"
-"\001\117\276\012\266\003\323\255\212\105\367\332\047\115\051\261"
-"\110\337\344\021\344\226\106\275\154\002\076\326\121\310\225\027"
-"\001\025\251\362\252\252\362\277\057\145\033\157\320\271\032\223"
-"\365\216\065\304\200\207\076\224\057\146\344\351\250\377\101\234"
-"\160\052\117\052\071\030\225\036\176\373\141\001\074\121\010\056"
-"\050\030\244\026\017\061\375\072\154\043\223\040\166\341\375\007"
-"\205\321\133\077\322\034\163\062\335\372\271\370\214\317\002\207"
-"\172\232\226\344\355\117\211\215\123\103\253\016\023\300\001\025"
-"\264\171\070\333\374\156\075\236\121\266\270\023\213\147\317\371"
-"\174\331\042\035\366\135\305\034\001\057\230\350\172\044\030\274"
-"\204\327\372\334\162\133\367\301\072\150"
-, (PRUint32)1514 }
-};
-static const NSSItem nss_builtins_items_105 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"AOL Time Warner Root Certification Authority 2", (PRUint32)47 },
-  { (void *)"\374\041\232\166\021\057\166\301\305\010\203\074\232\057\242\272"
-"\204\254\010\172"
-, (PRUint32)20 },
-  { (void *)"\001\132\231\303\326\117\251\113\074\073\261\243\253\047\114\277"
-, (PRUint32)16 },
-  { (void *)"\060\201\203\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\035\060\033\006\003\125\004\012\023\024\101\117\114\040\124"
-"\151\155\145\040\127\141\162\156\145\162\040\111\156\143\056\061"
-"\034\060\032\006\003\125\004\013\023\023\101\155\145\162\151\143"
-"\141\040\117\156\154\151\156\145\040\111\156\143\056\061\067\060"
-"\065\006\003\125\004\003\023\056\101\117\114\040\124\151\155\145"
-"\040\127\141\162\156\145\162\040\122\157\157\164\040\103\145\162"
-"\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157"
-"\162\151\164\171\040\062"
-, (PRUint32)134 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_106 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"beTRUSTed Root CA-Baltimore Implementation", (PRUint32)43 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\146\061\022\060\020\006\003\125\004\012\023\011\142\145\124"
-"\122\125\123\124\145\144\061\033\060\031\006\003\125\004\013\023"
-"\022\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040"
-"\103\101\163\061\063\060\061\006\003\125\004\003\023\052\142\145"
-"\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\055"
-"\102\141\154\164\151\155\157\162\145\040\111\155\160\154\145\155"
-"\145\156\164\141\164\151\157\156"
-, (PRUint32)104 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\146\061\022\060\020\006\003\125\004\012\023\011\142\145\124"
-"\122\125\123\124\145\144\061\033\060\031\006\003\125\004\013\023"
-"\022\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040"
-"\103\101\163\061\063\060\061\006\003\125\004\003\023\052\142\145"
-"\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\055"
-"\102\141\154\164\151\155\157\162\145\040\111\155\160\154\145\155"
-"\145\156\164\141\164\151\157\156"
-, (PRUint32)104 },
-  { (void *)"\002\004\074\265\075\106"
-, (PRUint32)6 },
-  { (void *)"\060\202\005\152\060\202\004\122\240\003\002\001\002\002\004\074"
-"\265\075\106\060\015\006\011\052\206\110\206\367\015\001\001\005"
-"\005\000\060\146\061\022\060\020\006\003\125\004\012\023\011\142"
-"\145\124\122\125\123\124\145\144\061\033\060\031\006\003\125\004"
-"\013\023\022\142\145\124\122\125\123\124\145\144\040\122\157\157"
-"\164\040\103\101\163\061\063\060\061\006\003\125\004\003\023\052"
-"\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040\103"
-"\101\055\102\141\154\164\151\155\157\162\145\040\111\155\160\154"
-"\145\155\145\156\164\141\164\151\157\156\060\036\027\015\060\062"
-"\060\064\061\061\060\067\063\070\065\061\132\027\015\062\062\060"
-"\064\061\061\060\067\063\070\065\061\132\060\146\061\022\060\020"
-"\006\003\125\004\012\023\011\142\145\124\122\125\123\124\145\144"
-"\061\033\060\031\006\003\125\004\013\023\022\142\145\124\122\125"
-"\123\124\145\144\040\122\157\157\164\040\103\101\163\061\063\060"
-"\061\006\003\125\004\003\023\052\142\145\124\122\125\123\124\145"
-"\144\040\122\157\157\164\040\103\101\055\102\141\154\164\151\155"
-"\157\162\145\040\111\155\160\154\145\155\145\156\164\141\164\151"
-"\157\156\060\202\001\042\060\015\006\011\052\206\110\206\367\015"
-"\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202"
-"\001\001\000\274\176\304\071\234\214\343\326\034\206\377\312\142"
-"\255\340\177\060\105\172\216\032\263\270\307\371\321\066\377\042"
-"\363\116\152\137\204\020\373\146\201\303\224\171\061\322\221\341"
-"\167\216\030\052\303\024\336\121\365\117\243\053\274\030\026\342"
-"\265\335\171\336\042\370\202\176\313\201\037\375\047\054\217\372"
-"\227\144\042\216\370\377\141\243\234\033\036\222\217\300\250\011"
-"\337\011\021\354\267\175\061\232\032\352\203\041\006\074\237\272"
-"\134\377\224\352\152\270\303\153\125\064\117\075\062\037\335\201"
-"\024\340\304\074\315\235\060\370\060\251\227\323\356\314\243\320"
-"\037\137\034\023\201\324\030\253\224\321\143\303\236\177\065\222"
-"\236\137\104\352\354\364\042\134\267\350\075\175\244\371\211\251"
-"\221\262\052\331\353\063\207\356\245\375\343\332\314\210\346\211"
-"\046\156\307\053\202\320\136\235\131\333\024\354\221\203\005\303"
-"\136\016\306\052\320\004\335\161\075\040\116\130\047\374\123\373"
-"\170\170\031\024\262\374\220\122\211\070\142\140\007\264\240\354"
-"\254\153\120\326\375\271\050\153\357\122\055\072\262\377\361\001"
-"\100\254\067\002\003\001\000\001\243\202\002\036\060\202\002\032"
-"\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001"
-"\377\060\202\001\265\006\003\125\035\040\004\202\001\254\060\202"
-"\001\250\060\202\001\244\006\017\053\006\001\004\001\261\076\000"
-"\000\001\011\050\203\221\061\060\202\001\217\060\202\001\110\006"
-"\010\053\006\001\005\005\007\002\002\060\202\001\072\032\202\001"
-"\066\122\145\154\151\141\156\143\145\040\157\156\040\157\162\040"
-"\165\163\145\040\157\146\040\164\150\151\163\040\103\145\162\164"
-"\151\146\151\143\141\164\145\040\143\162\145\141\164\145\163\040"
-"\141\156\040\141\143\153\156\157\167\154\145\144\147\155\145\156"
-"\164\040\141\156\144\040\141\143\143\145\160\164\141\156\143\145"
-"\040\157\146\040\164\150\145\040\164\150\145\156\040\141\160\160"
-"\154\151\143\141\142\154\145\040\163\164\141\156\144\141\162\144"
-"\040\164\145\162\155\163\040\141\156\144\040\143\157\156\144\151"
-"\164\151\157\156\163\040\157\146\040\165\163\145\054\040\164\150"
-"\145\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
-"\120\162\141\143\164\151\143\145\040\123\164\141\164\145\155\145"
-"\156\164\040\141\156\144\040\164\150\145\040\122\145\154\171\151"
-"\156\147\040\120\141\162\164\171\040\101\147\162\145\145\155\145"
-"\156\164\054\040\167\150\151\143\150\040\143\141\156\040\142\145"
-"\040\146\157\165\156\144\040\141\164\040\164\150\145\040\142\145"
-"\124\122\125\123\124\145\144\040\167\145\142\040\163\151\164\145"
-"\054\040\150\164\164\160\072\057\057\167\167\167\056\142\145\164"
-"\162\165\163\164\145\144\056\143\157\155\057\160\162\157\144\165"
-"\143\164\163\137\163\145\162\166\151\143\145\163\057\151\156\144"
-"\145\170\056\150\164\155\154\060\101\006\010\053\006\001\005\005"
-"\007\002\001\026\065\150\164\164\160\072\057\057\167\167\167\056"
-"\142\145\164\162\165\163\164\145\144\056\143\157\155\057\160\162"
-"\157\144\165\143\164\163\137\163\145\162\166\151\143\145\163\057"
-"\151\156\144\145\170\056\150\164\155\154\060\035\006\003\125\035"
-"\016\004\026\004\024\105\075\303\251\321\334\077\044\126\230\034"
-"\163\030\210\152\377\203\107\355\266\060\037\006\003\125\035\043"
-"\004\030\060\026\200\024\105\075\303\251\321\334\077\044\126\230"
-"\034\163\030\210\152\377\203\107\355\266\060\016\006\003\125\035"
-"\017\001\001\377\004\004\003\002\001\006\060\015\006\011\052\206"
-"\110\206\367\015\001\001\005\005\000\003\202\001\001\000\111\222"
-"\274\243\356\254\275\372\015\311\213\171\206\034\043\166\260\200"
-"\131\167\374\332\177\264\113\337\303\144\113\152\116\016\255\362"
-"\175\131\167\005\255\012\211\163\260\372\274\313\334\215\000\210"
-"\217\246\240\262\352\254\122\047\277\241\110\174\227\020\173\272"
-"\355\023\035\232\007\156\313\061\142\022\350\143\003\252\175\155"
-"\343\370\033\166\041\170\033\237\113\103\214\323\111\206\366\033"
-"\134\366\056\140\025\323\351\343\173\165\077\320\002\203\320\030"
-"\202\101\315\145\067\352\216\062\176\275\153\231\135\060\021\310"
-"\333\110\124\034\073\341\247\023\323\152\110\223\367\075\214\177"
-"\005\350\316\363\210\052\143\004\270\352\176\130\174\001\173\133"
-"\341\305\175\357\041\340\215\016\135\121\175\261\147\375\243\275"
-"\070\066\306\362\070\206\207\032\226\150\140\106\373\050\024\107"
-"\125\341\247\200\014\153\342\352\337\115\174\220\110\240\066\275"
-"\011\027\211\177\303\362\323\234\234\343\335\304\033\335\365\267"
-"\161\263\123\005\211\006\320\313\112\200\301\310\123\220\265\074"
-"\061\210\027\120\237\311\304\016\213\330\250\002\143\015"
-, (PRUint32)1390 }
-};
-static const NSSItem nss_builtins_items_107 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"beTRUSTed Root CA-Baltimore Implementation", (PRUint32)43 },
-  { (void *)"\334\273\236\267\031\113\304\162\005\301\021\165\051\206\203\133"
-"\123\312\344\370"
-, (PRUint32)20 },
-  { (void *)"\201\065\271\373\373\022\312\030\151\066\353\256\151\170\241\361"
-, (PRUint32)16 },
-  { (void *)"\060\146\061\022\060\020\006\003\125\004\012\023\011\142\145\124"
-"\122\125\123\124\145\144\061\033\060\031\006\003\125\004\013\023"
-"\022\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040"
-"\103\101\163\061\063\060\061\006\003\125\004\003\023\052\142\145"
-"\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\055"
-"\102\141\154\164\151\155\157\162\145\040\111\155\160\154\145\155"
-"\145\156\164\141\164\151\157\156"
-, (PRUint32)104 },
-  { (void *)"\002\004\074\265\075\106"
-, (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_108 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"beTRUSTed Root CA - Entrust Implementation", (PRUint32)43 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\146\061\022\060\020\006\003\125\004\012\023\011\142\145\124"
-"\122\125\123\124\145\144\061\033\060\031\006\003\125\004\013\023"
-"\022\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040"
-"\103\101\163\061\063\060\061\006\003\125\004\003\023\052\142\145"
-"\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\040"
-"\055\040\105\156\164\162\165\163\164\040\111\155\160\154\145\155"
-"\145\156\164\141\164\151\157\156"
-, (PRUint32)104 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\146\061\022\060\020\006\003\125\004\012\023\011\142\145\124"
-"\122\125\123\124\145\144\061\033\060\031\006\003\125\004\013\023"
-"\022\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040"
-"\103\101\163\061\063\060\061\006\003\125\004\003\023\052\142\145"
-"\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\040"
-"\055\040\105\156\164\162\165\163\164\040\111\155\160\154\145\155"
-"\145\156\164\141\164\151\157\156"
-, (PRUint32)104 },
-  { (void *)"\002\004\074\265\117\100"
-, (PRUint32)6 },
-  { (void *)"\060\202\006\121\060\202\005\071\240\003\002\001\002\002\004\074"
-"\265\117\100\060\015\006\011\052\206\110\206\367\015\001\001\005"
-"\005\000\060\146\061\022\060\020\006\003\125\004\012\023\011\142"
-"\145\124\122\125\123\124\145\144\061\033\060\031\006\003\125\004"
-"\013\023\022\142\145\124\122\125\123\124\145\144\040\122\157\157"
-"\164\040\103\101\163\061\063\060\061\006\003\125\004\003\023\052"
-"\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040\103"
-"\101\040\055\040\105\156\164\162\165\163\164\040\111\155\160\154"
-"\145\155\145\156\164\141\164\151\157\156\060\036\027\015\060\062"
-"\060\064\061\061\060\070\062\064\062\067\132\027\015\062\062\060"
-"\064\061\061\060\070\065\064\062\067\132\060\146\061\022\060\020"
-"\006\003\125\004\012\023\011\142\145\124\122\125\123\124\145\144"
-"\061\033\060\031\006\003\125\004\013\023\022\142\145\124\122\125"
-"\123\124\145\144\040\122\157\157\164\040\103\101\163\061\063\060"
-"\061\006\003\125\004\003\023\052\142\145\124\122\125\123\124\145"
-"\144\040\122\157\157\164\040\103\101\040\055\040\105\156\164\162"
-"\165\163\164\040\111\155\160\154\145\155\145\156\164\141\164\151"
-"\157\156\060\202\001\042\060\015\006\011\052\206\110\206\367\015"
-"\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202"
-"\001\001\000\272\364\104\003\252\022\152\265\103\354\125\222\266"
-"\060\175\065\127\014\333\363\015\047\156\114\367\120\250\233\116"
-"\053\157\333\365\255\034\113\135\263\251\301\376\173\104\353\133"
-"\243\005\015\037\305\064\053\060\000\051\361\170\100\262\244\377"
-"\072\364\001\210\027\176\346\324\046\323\272\114\352\062\373\103"
-"\167\227\207\043\305\333\103\243\365\052\243\121\136\341\073\322"
-"\145\151\176\125\025\233\172\347\151\367\104\340\127\265\025\350"
-"\146\140\017\015\003\373\202\216\243\350\021\173\154\276\307\143"
-"\016\027\223\337\317\113\256\156\163\165\340\363\252\271\244\300"
-"\011\033\205\352\161\051\210\101\062\371\360\052\016\154\011\362"
-"\164\153\146\154\122\023\037\030\274\324\076\367\330\156\040\236"
-"\312\376\374\041\224\356\023\050\113\327\134\136\014\146\356\351"
-"\273\017\301\064\261\177\010\166\363\075\046\160\311\213\045\035"
-"\142\044\014\352\034\165\116\300\022\344\272\023\035\060\051\055"
-"\126\063\005\273\227\131\176\306\111\117\211\327\057\044\250\266"
-"\210\100\265\144\222\123\126\044\344\242\240\205\263\136\220\264"
-"\022\063\315\002\003\001\000\001\243\202\003\005\060\202\003\001"
-"\060\202\001\267\006\003\125\035\040\004\202\001\256\060\202\001"
-"\252\060\202\001\246\006\017\053\006\001\004\001\261\076\000\000"
-"\002\011\050\203\221\061\060\202\001\221\060\202\001\111\006\010"
-"\053\006\001\005\005\007\002\002\060\202\001\073\032\202\001\067"
-"\122\145\154\151\141\156\143\145\040\157\156\040\157\162\040\165"
-"\163\145\040\157\146\040\164\150\151\163\040\103\145\162\164\151"
-"\146\151\143\141\164\145\040\143\162\145\141\164\145\163\040\141"
-"\156\040\141\143\153\156\157\167\154\145\144\147\155\145\156\164"
-"\040\141\156\144\040\141\143\143\145\160\164\141\156\143\145\040"
-"\157\146\040\164\150\145\040\164\150\145\156\040\141\160\160\154"
-"\151\143\141\142\154\145\040\163\164\141\156\144\141\162\144\040"
-"\164\145\162\155\163\040\141\156\144\040\143\157\156\144\151\164"
-"\151\157\156\163\040\157\146\040\165\163\145\054\040\164\150\145"
-"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\120"
-"\162\141\143\164\151\143\145\040\123\164\141\164\145\155\145\156"
-"\164\040\141\156\144\040\164\150\145\040\122\145\154\171\151\156"
-"\147\040\120\141\162\164\171\040\101\147\162\145\145\155\145\156"
-"\164\054\040\167\150\151\143\150\040\143\141\156\040\142\145\040"
-"\146\157\165\156\144\040\141\164\040\164\150\145\040\142\145\124"
-"\122\125\123\124\145\144\040\167\145\142\040\163\151\164\145\054"
-"\040\150\164\164\160\163\072\057\057\167\167\167\056\142\145\164"
-"\162\165\163\164\145\144\056\143\157\155\057\160\162\157\144\165"
-"\143\164\163\137\163\145\162\166\151\143\145\163\057\151\156\144"
-"\145\170\056\150\164\155\154\060\102\006\010\053\006\001\005\005"
-"\007\002\001\026\066\150\164\164\160\163\072\057\057\167\167\167"
-"\056\142\145\164\162\165\163\164\145\144\056\143\157\155\057\160"
-"\162\157\144\165\143\164\163\137\163\145\162\166\151\143\145\163"
-"\057\151\156\144\145\170\056\150\164\155\154\060\021\006\011\140"
-"\206\110\001\206\370\102\001\001\004\004\003\002\000\007\060\201"
-"\211\006\003\125\035\037\004\201\201\060\177\060\175\240\173\240"
-"\171\244\167\060\165\061\022\060\020\006\003\125\004\012\023\011"
-"\142\145\124\122\125\123\124\145\144\061\033\060\031\006\003\125"
-"\004\013\023\022\142\145\124\122\125\123\124\145\144\040\122\157"
-"\157\164\040\103\101\163\061\063\060\061\006\003\125\004\003\023"
-"\052\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040"
-"\103\101\040\055\040\105\156\164\162\165\163\164\040\111\155\160"
-"\154\145\155\145\156\164\141\164\151\157\156\061\015\060\013\006"
-"\003\125\004\003\023\004\103\122\114\061\060\053\006\003\125\035"
-"\020\004\044\060\042\200\017\062\060\060\062\060\064\061\061\060"
-"\070\062\064\062\067\132\201\017\062\060\062\062\060\064\061\061"
-"\060\070\065\064\062\067\132\060\013\006\003\125\035\017\004\004"
-"\003\002\001\006\060\037\006\003\125\035\043\004\030\060\026\200"
-"\024\175\160\345\256\070\213\006\077\252\034\032\217\371\317\044"
-"\060\252\204\204\026\060\035\006\003\125\035\016\004\026\004\024"
-"\175\160\345\256\070\213\006\077\252\034\032\217\371\317\044\060"
-"\252\204\204\026\060\014\006\003\125\035\023\004\005\060\003\001"
-"\001\377\060\035\006\011\052\206\110\206\366\175\007\101\000\004"
-"\020\060\016\033\010\126\066\056\060\072\064\056\060\003\002\004"
-"\220\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000"
-"\003\202\001\001\000\052\270\027\316\037\020\224\353\270\232\267"
-"\271\137\354\332\367\222\044\254\334\222\073\307\040\215\362\231"
-"\345\135\070\241\302\064\355\305\023\131\134\005\265\053\117\141"
-"\233\221\373\101\374\374\325\074\115\230\166\006\365\201\175\353"
-"\335\220\346\321\126\124\332\343\055\014\237\021\062\224\042\001"
-"\172\366\154\054\164\147\004\314\245\217\216\054\263\103\265\224"
-"\242\320\175\351\142\177\006\276\047\001\203\236\072\375\212\356"
-"\230\103\112\153\327\265\227\073\072\277\117\155\264\143\372\063"
-"\000\064\056\055\155\226\311\173\312\231\143\272\276\364\366\060"
-"\240\055\230\226\351\126\104\005\251\104\243\141\020\353\202\241"
-"\147\135\274\135\047\165\252\212\050\066\052\070\222\331\335\244"
-"\136\000\245\314\314\174\051\052\336\050\220\253\267\341\266\377"
-"\175\045\013\100\330\252\064\243\055\336\007\353\137\316\012\335"
-"\312\176\072\175\046\301\142\150\072\346\057\067\363\201\206\041"
-"\304\251\144\252\357\105\066\321\032\146\174\370\351\067\326\326"
-"\141\276\242\255\110\347\337\346\164\376\323\155\175\322\045\334"
-"\254\142\127\251\367"
-, (PRUint32)1621 }
-};
-static const NSSItem nss_builtins_items_109 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"beTRUSTed Root CA - Entrust Implementation", (PRUint32)43 },
-  { (void *)"\162\231\171\023\354\233\015\256\145\321\266\327\262\112\166\243"
-"\256\302\356\026"
-, (PRUint32)20 },
-  { (void *)"\175\206\220\217\133\361\362\100\300\367\075\142\265\244\251\073"
-, (PRUint32)16 },
-  { (void *)"\060\146\061\022\060\020\006\003\125\004\012\023\011\142\145\124"
-"\122\125\123\124\145\144\061\033\060\031\006\003\125\004\013\023"
-"\022\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040"
-"\103\101\163\061\063\060\061\006\003\125\004\003\023\052\142\145"
-"\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\040"
-"\055\040\105\156\164\162\165\163\164\040\111\155\160\154\145\155"
-"\145\156\164\141\164\151\157\156"
-, (PRUint32)104 },
-  { (void *)"\002\004\074\265\117\100"
-, (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_110 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"beTRUSTed Root CA - RSA Implementation", (PRUint32)39 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\142\061\022\060\020\006\003\125\004\012\023\011\142\145\124"
-"\122\125\123\124\145\144\061\033\060\031\006\003\125\004\013\023"
-"\022\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040"
-"\103\101\163\061\057\060\055\006\003\125\004\003\023\046\142\145"
-"\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\040"
-"\055\040\122\123\101\040\111\155\160\154\145\155\145\156\164\141"
-"\164\151\157\156"
-, (PRUint32)100 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\142\061\022\060\020\006\003\125\004\012\023\011\142\145\124"
-"\122\125\123\124\145\144\061\033\060\031\006\003\125\004\013\023"
-"\022\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040"
-"\103\101\163\061\057\060\055\006\003\125\004\003\023\046\142\145"
-"\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\040"
-"\055\040\122\123\101\040\111\155\160\154\145\155\145\156\164\141"
-"\164\151\157\156"
-, (PRUint32)100 },
-  { (void *)"\002\020\073\131\307\173\315\133\127\236\275\067\122\254\166\264"
-"\252\032"
-, (PRUint32)18 },
-  { (void *)"\060\202\005\150\060\202\004\120\240\003\002\001\002\002\020\073"
-"\131\307\173\315\133\127\236\275\067\122\254\166\264\252\032\060"
-"\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\142"
-"\061\022\060\020\006\003\125\004\012\023\011\142\145\124\122\125"
-"\123\124\145\144\061\033\060\031\006\003\125\004\013\023\022\142"
-"\145\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101"
-"\163\061\057\060\055\006\003\125\004\003\023\046\142\145\124\122"
-"\125\123\124\145\144\040\122\157\157\164\040\103\101\040\055\040"
-"\122\123\101\040\111\155\160\154\145\155\145\156\164\141\164\151"
-"\157\156\060\036\027\015\060\062\060\064\061\061\061\061\061\070"
-"\061\063\132\027\015\062\062\060\064\061\062\061\061\060\067\062"
-"\065\132\060\142\061\022\060\020\006\003\125\004\012\023\011\142"
-"\145\124\122\125\123\124\145\144\061\033\060\031\006\003\125\004"
-"\013\023\022\142\145\124\122\125\123\124\145\144\040\122\157\157"
-"\164\040\103\101\163\061\057\060\055\006\003\125\004\003\023\046"
-"\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040\103"
-"\101\040\055\040\122\123\101\040\111\155\160\154\145\155\145\156"
-"\164\141\164\151\157\156\060\202\001\042\060\015\006\011\052\206"
-"\110\206\367\015\001\001\001\005\000\003\202\001\017\000\060\202"
-"\001\012\002\202\001\001\000\344\272\064\060\011\216\127\320\271"
-"\006\054\157\156\044\200\042\277\135\103\246\372\117\254\202\347"
-"\034\150\160\205\033\243\156\265\252\170\331\156\007\113\077\351"
-"\337\365\352\350\124\241\141\212\016\057\151\165\030\267\014\345"
-"\024\215\161\156\230\270\125\374\014\225\320\233\156\341\055\210"
-"\324\072\100\153\222\361\231\226\144\336\333\377\170\364\356\226"
-"\035\107\211\174\324\276\271\210\167\043\072\011\346\004\236\155"
-"\252\136\322\310\275\232\116\031\337\211\352\133\016\176\303\344"
-"\264\360\340\151\073\210\017\101\220\370\324\161\103\044\301\217"
-"\046\113\073\126\351\377\214\154\067\351\105\255\205\214\123\303"
-"\140\206\220\112\226\311\263\124\260\273\027\360\034\105\331\324"
-"\033\031\144\126\012\031\367\314\341\377\206\257\176\130\136\254"
-"\172\220\037\311\050\071\105\173\242\266\307\234\037\332\205\324"
-"\041\206\131\060\223\276\123\063\067\366\357\101\317\063\307\253"
-"\162\153\045\365\363\123\033\014\114\056\361\165\113\357\240\207"
-"\367\376\212\025\320\154\325\313\371\150\123\271\160\025\023\302"
-"\365\056\373\103\065\165\055\002\003\001\000\001\243\202\002\030"
-"\060\202\002\024\060\014\006\003\125\035\023\004\005\060\003\001"
-"\001\377\060\202\001\265\006\003\125\035\040\004\202\001\254\060"
-"\202\001\250\060\202\001\244\006\017\053\006\001\004\001\261\076"
-"\000\000\003\011\050\203\221\061\060\202\001\217\060\101\006\010"
-"\053\006\001\005\005\007\002\001\026\065\150\164\164\160\072\057"
-"\057\167\167\167\056\142\145\164\162\165\163\164\145\144\056\143"
-"\157\155\057\160\162\157\144\165\143\164\163\137\163\145\162\166"
-"\151\143\145\163\057\151\156\144\145\170\056\150\164\155\154\060"
-"\202\001\110\006\010\053\006\001\005\005\007\002\002\060\202\001"
-"\072\032\202\001\066\122\145\154\151\141\156\143\145\040\157\156"
-"\040\157\162\040\165\163\145\040\157\146\040\164\150\151\163\040"
-"\103\145\162\164\151\146\151\143\141\164\145\040\143\162\145\141"
-"\164\145\163\040\141\156\040\141\143\153\156\157\167\154\145\144"
-"\147\155\145\156\164\040\141\156\144\040\141\143\143\145\160\164"
-"\141\156\143\145\040\157\146\040\164\150\145\040\164\150\145\156"
-"\040\141\160\160\154\151\143\141\142\154\145\040\163\164\141\156"
-"\144\141\162\144\040\164\145\162\155\163\040\141\156\144\040\143"
-"\157\156\144\151\164\151\157\156\163\040\157\146\040\165\163\145"
-"\054\040\164\150\145\040\103\145\162\164\151\146\151\143\141\164"
-"\151\157\156\040\120\162\141\143\164\151\143\145\040\123\164\141"
-"\164\145\155\145\156\164\040\141\156\144\040\164\150\145\040\122"
-"\145\154\171\151\156\147\040\120\141\162\164\171\040\101\147\162"
-"\145\145\155\145\156\164\054\040\167\150\151\143\150\040\143\141"
-"\156\040\142\145\040\146\157\165\156\144\040\141\164\040\164\150"
-"\145\040\142\145\124\122\125\123\124\145\144\040\167\145\142\040"
-"\163\151\164\145\054\040\150\164\164\160\072\057\057\167\167\167"
-"\056\142\145\164\162\165\163\164\145\144\056\143\157\155\057\160"
-"\162\157\144\165\143\164\163\137\163\145\162\166\151\143\145\163"
-"\057\151\156\144\145\170\056\150\164\155\154\060\013\006\003\125"
-"\035\017\004\004\003\002\001\006\060\037\006\003\125\035\043\004"
-"\030\060\026\200\024\251\354\024\176\371\331\103\314\123\053\024"
-"\255\317\367\360\131\211\101\315\031\060\035\006\003\125\035\016"
-"\004\026\004\024\251\354\024\176\371\331\103\314\123\053\024\255"
-"\317\367\360\131\211\101\315\031\060\015\006\011\052\206\110\206"
-"\367\015\001\001\005\005\000\003\202\001\001\000\333\227\260\165"
-"\352\014\304\301\230\312\126\005\300\250\255\046\110\257\055\040"
-"\350\201\307\266\337\103\301\054\035\165\113\324\102\215\347\172"
-"\250\164\334\146\102\131\207\263\365\151\155\331\251\236\263\175"
-"\034\061\301\365\124\342\131\044\111\345\356\275\071\246\153\212"
-"\230\104\373\233\327\052\203\227\064\055\307\175\065\114\055\064"
-"\270\076\015\304\354\210\047\257\236\222\375\120\141\202\250\140"
-"\007\024\123\314\145\023\301\366\107\104\151\322\061\310\246\335"
-"\056\263\013\336\112\215\133\075\253\015\302\065\122\242\126\067"
-"\314\062\213\050\205\102\234\221\100\172\160\053\070\066\325\341"
-"\163\032\037\345\372\176\137\334\326\234\073\060\352\333\300\133"
-"\047\134\323\163\007\301\302\363\114\233\157\237\033\312\036\252"
-"\250\070\063\011\130\262\256\374\007\350\066\334\125\272\057\117"
-"\100\376\172\275\006\246\201\301\223\042\174\206\021\012\006\167"
-"\110\256\065\267\057\062\232\141\136\213\276\051\237\051\044\210"
-"\126\071\054\250\322\253\226\003\132\324\110\237\271\100\204\013"
-"\230\150\373\001\103\326\033\342\011\261\227\034"
-, (PRUint32)1388 }
-};
-static const NSSItem nss_builtins_items_111 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"beTRUSTed Root CA - RSA Implementation", (PRUint32)39 },
-  { (void *)"\035\202\131\312\041\047\303\313\301\154\331\062\366\054\145\051"
-"\214\250\207\022"
-, (PRUint32)20 },
-  { (void *)"\206\102\005\011\274\247\235\354\035\363\056\016\272\330\035\320"
-, (PRUint32)16 },
-  { (void *)"\060\142\061\022\060\020\006\003\125\004\012\023\011\142\145\124"
-"\122\125\123\124\145\144\061\033\060\031\006\003\125\004\013\023"
-"\022\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040"
-"\103\101\163\061\057\060\055\006\003\125\004\003\023\046\142\145"
-"\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\040"
-"\055\040\122\123\101\040\111\155\160\154\145\155\145\156\164\141"
-"\164\151\157\156"
-, (PRUint32)100 },
-  { (void *)"\002\020\073\131\307\173\315\133\127\236\275\067\122\254\166\264"
-"\252\032"
-, (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_112 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"RSA Security 2048 v3", (PRUint32)21 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\072\061\031\060\027\006\003\125\004\012\023\020\122\123\101"
-"\040\123\145\143\165\162\151\164\171\040\111\156\143\061\035\060"
-"\033\006\003\125\004\013\023\024\122\123\101\040\123\145\143\165"
-"\162\151\164\171\040\062\060\064\070\040\126\063"
-, (PRUint32)60 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\072\061\031\060\027\006\003\125\004\012\023\020\122\123\101"
-"\040\123\145\143\165\162\151\164\171\040\111\156\143\061\035\060"
-"\033\006\003\125\004\013\023\024\122\123\101\040\123\145\143\165"
-"\162\151\164\171\040\062\060\064\070\040\126\063"
-, (PRUint32)60 },
-  { (void *)"\002\020\012\001\001\001\000\000\002\174\000\000\000\012\000\000"
-"\000\002"
-, (PRUint32)18 },
-  { (void *)"\060\202\003\141\060\202\002\111\240\003\002\001\002\002\020\012"
-"\001\001\001\000\000\002\174\000\000\000\012\000\000\000\002\060"
-"\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\072"
-"\061\031\060\027\006\003\125\004\012\023\020\122\123\101\040\123"
-"\145\143\165\162\151\164\171\040\111\156\143\061\035\060\033\006"
-"\003\125\004\013\023\024\122\123\101\040\123\145\143\165\162\151"
-"\164\171\040\062\060\064\070\040\126\063\060\036\027\015\060\061"
-"\060\062\062\062\062\060\063\071\062\063\132\027\015\062\066\060"
-"\062\062\062\062\060\063\071\062\063\132\060\072\061\031\060\027"
-"\006\003\125\004\012\023\020\122\123\101\040\123\145\143\165\162"
-"\151\164\171\040\111\156\143\061\035\060\033\006\003\125\004\013"
-"\023\024\122\123\101\040\123\145\143\165\162\151\164\171\040\062"
-"\060\064\070\040\126\063\060\202\001\042\060\015\006\011\052\206"
-"\110\206\367\015\001\001\001\005\000\003\202\001\017\000\060\202"
-"\001\012\002\202\001\001\000\267\217\125\161\322\200\335\173\151"
-"\171\247\360\030\120\062\074\142\147\366\012\225\007\335\346\033"
-"\363\236\331\322\101\124\153\255\237\174\276\031\315\373\106\253"
-"\101\150\036\030\352\125\310\057\221\170\211\050\373\047\051\140"
-"\377\337\217\214\073\311\111\233\265\244\224\316\001\352\076\265"
-"\143\173\177\046\375\031\335\300\041\275\204\321\055\117\106\303"
-"\116\334\330\067\071\073\050\257\313\235\032\352\053\257\041\245"
-"\301\043\042\270\270\033\132\023\207\127\203\321\360\040\347\350"
-"\117\043\102\260\000\245\175\211\351\351\141\163\224\230\161\046"
-"\274\055\152\340\367\115\360\361\266\052\070\061\201\015\051\341"
-"\000\301\121\017\114\122\370\004\132\252\175\162\323\270\207\052"
-"\273\143\020\003\052\263\241\117\015\132\136\106\267\075\016\365"
-"\164\354\231\237\371\075\044\201\210\246\335\140\124\350\225\066"
-"\075\306\011\223\232\243\022\200\000\125\231\031\107\275\320\245"
-"\174\303\272\373\037\367\365\017\370\254\271\265\364\067\230\023"
-"\030\336\205\133\267\014\202\073\207\157\225\071\130\060\332\156"
-"\001\150\027\042\314\300\013\002\003\001\000\001\243\143\060\141"
-"\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001"
-"\377\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001"
-"\006\060\037\006\003\125\035\043\004\030\060\026\200\024\007\303"
-"\121\060\244\252\351\105\256\065\044\372\377\044\054\063\320\261"
-"\235\214\060\035\006\003\125\035\016\004\026\004\024\007\303\121"
-"\060\244\252\351\105\256\065\044\372\377\044\054\063\320\261\235"
-"\214\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000"
-"\003\202\001\001\000\137\076\206\166\156\270\065\074\116\066\034"
-"\036\171\230\277\375\325\022\021\171\122\016\356\061\211\274\335"
-"\177\371\321\306\025\041\350\212\001\124\015\072\373\124\271\326"
-"\143\324\261\252\226\115\242\102\115\324\123\037\213\020\336\177"
-"\145\276\140\023\047\161\210\244\163\343\204\143\321\244\125\341"
-"\120\223\346\033\016\171\320\147\274\106\310\277\077\027\015\225"
-"\346\306\220\151\336\347\264\057\336\225\175\320\022\077\075\076"
-"\177\115\077\024\150\365\021\120\325\301\364\220\245\010\035\061"
-"\140\377\140\214\043\124\012\257\376\241\156\305\321\172\052\150"
-"\170\317\036\202\012\040\264\037\255\345\205\262\152\150\165\116"
-"\255\045\067\224\205\276\275\241\324\352\267\014\113\074\235\350"
-"\022\000\360\137\254\015\341\254\160\143\163\367\177\171\237\062"
-"\045\102\164\005\200\050\277\275\301\044\226\130\025\261\027\041"
-"\351\211\113\333\007\210\147\364\025\255\160\076\057\115\205\073"
-"\302\267\333\376\230\150\043\211\341\164\017\336\364\305\204\143"
-"\051\033\314\313\007\311\000\244\251\327\302\042\117\147\327\167"
-"\354\040\005\141\336"
-, (PRUint32)869 }
-};
-static const NSSItem nss_builtins_items_113 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"RSA Security 2048 v3", (PRUint32)21 },
-  { (void *)"\045\001\220\031\317\373\331\231\034\267\150\045\164\215\224\137"
-"\060\223\225\102"
-, (PRUint32)20 },
-  { (void *)"\167\015\031\261\041\375\000\102\234\076\014\245\335\013\002\216"
-, (PRUint32)16 },
-  { (void *)"\060\072\061\031\060\027\006\003\125\004\012\023\020\122\123\101"
-"\040\123\145\143\165\162\151\164\171\040\111\156\143\061\035\060"
-"\033\006\003\125\004\013\023\024\122\123\101\040\123\145\143\165"
-"\162\151\164\171\040\062\060\064\070\040\126\063"
-, (PRUint32)60 },
-  { (void *)"\002\020\012\001\001\001\000\000\002\174\000\000\000\012\000\000"
-"\000\002"
-, (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_114 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"RSA Security 1024 v3", (PRUint32)21 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\072\061\031\060\027\006\003\125\004\012\023\020\122\123\101"
-"\040\123\145\143\165\162\151\164\171\040\111\156\143\061\035\060"
-"\033\006\003\125\004\013\023\024\122\123\101\040\123\145\143\165"
-"\162\151\164\171\040\061\060\062\064\040\126\063"
-, (PRUint32)60 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\072\061\031\060\027\006\003\125\004\012\023\020\122\123\101"
-"\040\123\145\143\165\162\151\164\171\040\111\156\143\061\035\060"
-"\033\006\003\125\004\013\023\024\122\123\101\040\123\145\143\165"
-"\162\151\164\171\040\061\060\062\064\040\126\063"
-, (PRUint32)60 },
-  { (void *)"\002\020\012\001\001\001\000\000\002\174\000\000\000\013\000\000"
-"\000\002"
-, (PRUint32)18 },
-  { (void *)"\060\202\002\134\060\202\001\305\240\003\002\001\002\002\020\012"
-"\001\001\001\000\000\002\174\000\000\000\013\000\000\000\002\060"
-"\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\072"
-"\061\031\060\027\006\003\125\004\012\023\020\122\123\101\040\123"
-"\145\143\165\162\151\164\171\040\111\156\143\061\035\060\033\006"
-"\003\125\004\013\023\024\122\123\101\040\123\145\143\165\162\151"
-"\164\171\040\061\060\062\064\040\126\063\060\036\027\015\060\061"
-"\060\062\062\062\062\061\060\061\064\071\132\027\015\062\066\060"
-"\062\062\062\062\060\060\061\064\071\132\060\072\061\031\060\027"
-"\006\003\125\004\012\023\020\122\123\101\040\123\145\143\165\162"
-"\151\164\171\040\111\156\143\061\035\060\033\006\003\125\004\013"
-"\023\024\122\123\101\040\123\145\143\165\162\151\164\171\040\061"
-"\060\062\064\040\126\063\060\201\237\060\015\006\011\052\206\110"
-"\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002"
-"\201\201\000\325\335\376\146\011\317\044\074\076\256\201\116\116"
-"\212\304\151\200\133\131\073\337\271\115\114\312\265\055\303\047"
-"\055\074\257\000\102\155\274\050\246\226\317\177\327\130\254\203"
-"\012\243\125\265\173\027\220\025\204\114\212\356\046\231\334\130"
-"\357\307\070\246\252\257\320\216\102\310\142\327\253\254\251\373"
-"\112\175\277\352\376\022\115\335\377\046\055\157\066\124\150\310"
-"\322\204\126\356\222\123\141\011\263\077\071\233\250\311\233\275"
-"\316\237\176\324\031\152\026\051\030\276\327\072\151\334\045\133"
-"\063\032\121\002\003\001\000\001\243\143\060\141\060\017\006\003"
-"\125\035\023\001\001\377\004\005\060\003\001\001\377\060\016\006"
-"\003\125\035\017\001\001\377\004\004\003\002\001\006\060\037\006"
-"\003\125\035\043\004\030\060\026\200\024\304\300\034\244\007\224"
-"\375\315\115\001\324\124\332\245\014\137\336\256\005\132\060\035"
-"\006\003\125\035\016\004\026\004\024\304\300\034\244\007\224\375"
-"\315\115\001\324\124\332\245\014\137\336\256\005\132\060\015\006"
-"\011\052\206\110\206\367\015\001\001\005\005\000\003\201\201\000"
-"\077\055\152\343\046\103\225\175\211\227\145\373\165\344\162\035"
-"\106\127\304\141\153\151\237\022\233\054\325\132\350\300\242\360"
-"\103\225\343\037\351\166\315\334\353\274\223\240\145\012\307\115"
-"\117\137\247\257\242\106\024\271\014\363\314\275\152\156\267\235"
-"\336\045\102\320\124\377\236\150\163\143\334\044\353\042\277\250"
-"\162\362\136\000\341\015\116\072\103\156\231\116\077\211\170\003"
-"\230\312\363\125\314\235\256\216\301\252\105\230\372\217\032\240"
-"\215\210\043\361\025\101\015\245\106\076\221\077\213\353\367\161"
-, (PRUint32)608 }
-};
-static const NSSItem nss_builtins_items_115 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"RSA Security 1024 v3", (PRUint32)21 },
-  { (void *)"\074\273\135\340\374\326\071\174\005\210\345\146\227\275\106\052"
-"\275\371\134\166"
-, (PRUint32)20 },
-  { (void *)"\072\345\120\260\071\276\307\106\066\063\241\376\202\076\215\224"
-, (PRUint32)16 },
-  { (void *)"\060\072\061\031\060\027\006\003\125\004\012\023\020\122\123\101"
-"\040\123\145\143\165\162\151\164\171\040\111\156\143\061\035\060"
-"\033\006\003\125\004\013\023\024\122\123\101\040\123\145\143\165"
-"\162\151\164\171\040\061\060\062\064\040\126\063"
-, (PRUint32)60 },
-  { (void *)"\002\020\012\001\001\001\000\000\002\174\000\000\000\013\000\000"
-"\000\002"
-, (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_116 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"GeoTrust Global CA", (PRUint32)19 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\102\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\026\060\024\006\003\125\004\012\023\015\107\145\157\124\162\165"
-"\163\164\040\111\156\143\056\061\033\060\031\006\003\125\004\003"
-"\023\022\107\145\157\124\162\165\163\164\040\107\154\157\142\141"
-"\154\040\103\101"
-, (PRUint32)68 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\102\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\026\060\024\006\003\125\004\012\023\015\107\145\157\124\162\165"
-"\163\164\040\111\156\143\056\061\033\060\031\006\003\125\004\003"
-"\023\022\107\145\157\124\162\165\163\164\040\107\154\157\142\141"
-"\154\040\103\101"
-, (PRUint32)68 },
-  { (void *)"\002\003\002\064\126"
-, (PRUint32)5 },
-  { (void *)"\060\202\003\124\060\202\002\074\240\003\002\001\002\002\003\002"
-"\064\126\060\015\006\011\052\206\110\206\367\015\001\001\005\005"
-"\000\060\102\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\026\060\024\006\003\125\004\012\023\015\107\145\157\124\162"
-"\165\163\164\040\111\156\143\056\061\033\060\031\006\003\125\004"
-"\003\023\022\107\145\157\124\162\165\163\164\040\107\154\157\142"
-"\141\154\040\103\101\060\036\027\015\060\062\060\065\062\061\060"
-"\064\060\060\060\060\132\027\015\062\062\060\065\062\061\060\064"
-"\060\060\060\060\132\060\102\061\013\060\011\006\003\125\004\006"
-"\023\002\125\123\061\026\060\024\006\003\125\004\012\023\015\107"
-"\145\157\124\162\165\163\164\040\111\156\143\056\061\033\060\031"
-"\006\003\125\004\003\023\022\107\145\157\124\162\165\163\164\040"
-"\107\154\157\142\141\154\040\103\101\060\202\001\042\060\015\006"
-"\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017"
-"\000\060\202\001\012\002\202\001\001\000\332\314\030\143\060\375"
-"\364\027\043\032\126\176\133\337\074\154\070\344\161\267\170\221"
-"\324\274\241\330\114\370\250\103\266\003\351\115\041\007\010\210"
-"\332\130\057\146\071\051\275\005\170\213\235\070\350\005\267\152"
-"\176\161\244\346\304\140\246\260\357\200\344\211\050\017\236\045"
-"\326\355\203\363\255\246\221\307\230\311\102\030\065\024\235\255"
-"\230\106\222\056\117\312\361\207\103\301\026\225\127\055\120\357"
-"\211\055\200\172\127\255\362\356\137\153\322\000\215\271\024\370"
-"\024\025\065\331\300\106\243\173\162\310\221\277\311\125\053\315"
-"\320\227\076\234\046\144\314\337\316\203\031\161\312\116\346\324"
-"\325\173\251\031\315\125\336\310\354\322\136\070\123\345\134\117"
-"\214\055\376\120\043\066\374\146\346\313\216\244\071\031\000\267"
-"\225\002\071\221\013\016\376\070\056\321\035\005\232\366\115\076"
-"\157\017\007\035\257\054\036\217\140\071\342\372\066\123\023\071"
-"\324\136\046\053\333\075\250\024\275\062\353\030\003\050\122\004"
-"\161\345\253\063\075\341\070\273\007\066\204\142\234\171\352\026"
-"\060\364\137\300\053\350\161\153\344\371\002\003\001\000\001\243"
-"\123\060\121\060\017\006\003\125\035\023\001\001\377\004\005\060"
-"\003\001\001\377\060\035\006\003\125\035\016\004\026\004\024\300"
-"\172\230\150\215\211\373\253\005\144\014\021\175\252\175\145\270"
-"\312\314\116\060\037\006\003\125\035\043\004\030\060\026\200\024"
-"\300\172\230\150\215\211\373\253\005\144\014\021\175\252\175\145"
-"\270\312\314\116\060\015\006\011\052\206\110\206\367\015\001\001"
-"\005\005\000\003\202\001\001\000\065\343\051\152\345\057\135\124"
-"\216\051\120\224\237\231\032\024\344\217\170\052\142\224\242\047"
-"\147\236\320\317\032\136\107\351\301\262\244\317\335\101\032\005"
-"\116\233\113\356\112\157\125\122\263\044\241\067\012\353\144\166"
-"\052\056\054\363\375\073\165\220\277\372\161\330\307\075\067\322"
-"\265\005\225\142\271\246\336\211\075\066\173\070\167\110\227\254"
-"\246\040\217\056\246\311\014\302\262\231\105\000\307\316\021\121"
-"\042\042\340\245\352\266\025\110\011\144\352\136\117\164\367\005"
-"\076\307\212\122\014\333\025\264\275\155\233\345\306\261\124\150"
-"\251\343\151\220\266\232\245\017\270\271\077\040\175\256\112\265"
-"\270\234\344\035\266\253\346\224\245\301\307\203\255\333\365\047"
-"\207\016\004\154\325\377\335\240\135\355\207\122\267\053\025\002"
-"\256\071\246\152\164\351\332\304\347\274\115\064\036\251\134\115"
-"\063\137\222\011\057\210\146\135\167\227\307\035\166\023\251\325"
-"\345\361\026\011\021\065\325\254\333\044\161\160\054\230\126\013"
-"\331\027\264\321\343\121\053\136\165\350\325\320\334\117\064\355"
-"\302\005\146\200\241\313\346\063"
-, (PRUint32)856 }
-};
-static const NSSItem nss_builtins_items_117 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"GeoTrust Global CA", (PRUint32)19 },
-  { (void *)"\336\050\364\244\377\345\271\057\243\305\003\321\243\111\247\371"
-"\226\052\202\022"
-, (PRUint32)20 },
-  { (void *)"\367\165\253\051\373\121\116\267\167\136\377\005\074\231\216\365"
-, (PRUint32)16 },
-  { (void *)"\060\102\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\026\060\024\006\003\125\004\012\023\015\107\145\157\124\162\165"
-"\163\164\040\111\156\143\056\061\033\060\031\006\003\125\004\003"
-"\023\022\107\145\157\124\162\165\163\164\040\107\154\157\142\141"
-"\154\040\103\101"
-, (PRUint32)68 },
-  { (void *)"\002\003\002\064\126"
-, (PRUint32)5 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_118 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"UTN-USER First-Network Applications", (PRUint32)36 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\243\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060"
-"\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153"
-"\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023"
-"\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116"
-"\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023"
-"\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162"
-"\164\162\165\163\164\056\143\157\155\061\053\060\051\006\003\125"
-"\004\003\023\042\125\124\116\055\125\123\105\122\106\151\162\163"
-"\164\055\116\145\164\167\157\162\153\040\101\160\160\154\151\143"
-"\141\164\151\157\156\163"
-, (PRUint32)166 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\243\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060"
-"\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153"
-"\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023"
-"\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116"
-"\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023"
-"\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162"
-"\164\162\165\163\164\056\143\157\155\061\053\060\051\006\003\125"
-"\004\003\023\042\125\124\116\055\125\123\105\122\106\151\162\163"
-"\164\055\116\145\164\167\157\162\153\040\101\160\160\154\151\143"
-"\141\164\151\157\156\163"
-, (PRUint32)166 },
-  { (void *)"\002\020\104\276\014\213\120\000\044\264\021\323\066\060\113\300"
-"\063\167"
-, (PRUint32)18 },
-  { (void *)"\060\202\004\144\060\202\003\114\240\003\002\001\002\002\020\104"
-"\276\014\213\120\000\044\264\021\323\066\060\113\300\063\167\060"
-"\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201"
-"\243\061\013\060\011\006\003\125\004\006\023\002\125\123\061\013"
-"\060\011\006\003\125\004\010\023\002\125\124\061\027\060\025\006"
-"\003\125\004\007\023\016\123\141\154\164\040\114\141\153\145\040"
-"\103\151\164\171\061\036\060\034\006\003\125\004\012\023\025\124"
-"\150\145\040\125\123\105\122\124\122\125\123\124\040\116\145\164"
-"\167\157\162\153\061\041\060\037\006\003\125\004\013\023\030\150"
-"\164\164\160\072\057\057\167\167\167\056\165\163\145\162\164\162"
-"\165\163\164\056\143\157\155\061\053\060\051\006\003\125\004\003"
-"\023\042\125\124\116\055\125\123\105\122\106\151\162\163\164\055"
-"\116\145\164\167\157\162\153\040\101\160\160\154\151\143\141\164"
-"\151\157\156\163\060\036\027\015\071\071\060\067\060\071\061\070"
-"\064\070\063\071\132\027\015\061\071\060\067\060\071\061\070\065"
-"\067\064\071\132\060\201\243\061\013\060\011\006\003\125\004\006"
-"\023\002\125\123\061\013\060\011\006\003\125\004\010\023\002\125"
-"\124\061\027\060\025\006\003\125\004\007\023\016\123\141\154\164"
-"\040\114\141\153\145\040\103\151\164\171\061\036\060\034\006\003"
-"\125\004\012\023\025\124\150\145\040\125\123\105\122\124\122\125"
-"\123\124\040\116\145\164\167\157\162\153\061\041\060\037\006\003"
-"\125\004\013\023\030\150\164\164\160\072\057\057\167\167\167\056"
-"\165\163\145\162\164\162\165\163\164\056\143\157\155\061\053\060"
-"\051\006\003\125\004\003\023\042\125\124\116\055\125\123\105\122"
-"\106\151\162\163\164\055\116\145\164\167\157\162\153\040\101\160"
-"\160\154\151\143\141\164\151\157\156\163\060\202\001\042\060\015"
-"\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001"
-"\017\000\060\202\001\012\002\202\001\001\000\263\373\221\241\344"
-"\066\125\205\254\006\064\133\240\232\130\262\370\265\017\005\167"
-"\203\256\062\261\166\222\150\354\043\112\311\166\077\343\234\266"
-"\067\171\003\271\253\151\215\007\045\266\031\147\344\260\033\030"
-"\163\141\112\350\176\315\323\057\144\343\246\174\014\372\027\200"
-"\243\015\107\211\117\121\161\057\356\374\077\371\270\026\200\207"
-"\211\223\045\040\232\103\202\151\044\166\050\131\065\241\035\300"
-"\177\203\006\144\026\040\054\323\111\244\205\264\300\141\177\121"
-"\010\370\150\025\221\200\313\245\325\356\073\072\364\204\004\136"
-"\140\131\247\214\064\162\356\270\170\305\321\073\022\112\157\176"
-"\145\047\271\244\125\305\271\157\103\244\305\035\054\231\300\122"
-"\244\170\114\025\263\100\230\010\153\103\306\001\260\172\173\365"
-"\153\034\042\077\313\357\377\250\320\072\113\166\025\236\322\321"
-"\306\056\343\333\127\033\062\242\270\157\350\206\246\077\160\253"
-"\345\160\222\253\104\036\100\120\373\234\243\142\344\154\156\240"
-"\310\336\342\200\102\372\351\057\350\316\062\004\217\174\215\267"
-"\034\243\065\074\025\335\236\303\256\227\245\002\003\001\000\001"
-"\243\201\221\060\201\216\060\013\006\003\125\035\017\004\004\003"
-"\002\001\306\060\017\006\003\125\035\023\001\001\377\004\005\060"
-"\003\001\001\377\060\035\006\003\125\035\016\004\026\004\024\372"
-"\206\311\333\340\272\351\170\365\113\250\326\025\337\360\323\341"
-"\152\024\074\060\117\006\003\125\035\037\004\110\060\106\060\104"
-"\240\102\240\100\206\076\150\164\164\160\072\057\057\143\162\154"
-"\056\165\163\145\162\164\162\165\163\164\056\143\157\155\057\125"
-"\124\116\055\125\123\105\122\106\151\162\163\164\055\116\145\164"
-"\167\157\162\153\101\160\160\154\151\143\141\164\151\157\156\163"
-"\056\143\162\154\060\015\006\011\052\206\110\206\367\015\001\001"
-"\005\005\000\003\202\001\001\000\244\363\045\314\321\324\221\203"
-"\042\320\314\062\253\233\226\116\064\221\124\040\045\064\141\137"
-"\052\002\025\341\213\252\377\175\144\121\317\012\377\274\175\330"
-"\041\152\170\313\057\121\157\370\102\035\063\275\353\265\173\224"
-"\303\303\251\240\055\337\321\051\037\035\376\217\077\273\250\105"
-"\052\177\321\156\125\044\342\273\002\373\061\077\276\350\274\354"
-"\100\053\370\001\324\126\070\344\312\104\202\265\141\040\041\147"
-"\145\366\360\013\347\064\370\245\302\234\243\134\100\037\205\223"
-"\225\006\336\117\324\047\251\266\245\374\026\315\163\061\077\270"
-"\145\047\317\324\123\032\360\254\156\237\117\005\014\003\201\247"
-"\204\051\304\132\275\144\127\162\255\073\317\067\030\246\230\306"
-"\255\006\264\334\010\243\004\325\051\244\226\232\022\147\112\214"
-"\140\105\235\361\043\232\260\000\234\150\265\230\120\323\357\216"
-"\056\222\145\261\110\076\041\276\025\060\052\015\265\014\243\153"
-"\077\256\177\127\365\037\226\174\337\157\335\202\060\054\145\033"
-"\100\112\315\150\271\162\354\161\166\354\124\216\037\205\014\001"
-"\152\372\246\070\254\037\304\204"
-, (PRUint32)1128 }
-};
-static const NSSItem nss_builtins_items_119 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"UTN-USER First-Network Applications", (PRUint32)36 },
-  { (void *)"\135\230\234\333\025\226\021\066\121\145\144\033\126\017\333\352"
-"\052\302\076\361"
-, (PRUint32)20 },
-  { (void *)"\277\140\131\243\133\272\366\247\166\102\332\157\032\173\120\317"
-, (PRUint32)16 },
-  { (void *)"\060\201\243\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060"
-"\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153"
-"\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023"
-"\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116"
-"\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023"
-"\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162"
-"\164\162\165\163\164\056\143\157\155\061\053\060\051\006\003\125"
-"\004\003\023\042\125\124\116\055\125\123\105\122\106\151\162\163"
-"\164\055\116\145\164\167\157\162\153\040\101\160\160\154\151\143"
-"\141\164\151\157\156\163"
-, (PRUint32)166 },
-  { (void *)"\002\020\104\276\014\213\120\000\044\264\021\323\066\060\113\300"
-"\063\167"
-, (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_120 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"America Online Root Certification Authority 1", (PRUint32)46 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\034\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143"
-"\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060"
-"\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040"
-"\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164"
-"\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162"
-"\151\164\171\040\061"
-, (PRUint32)101 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\034\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143"
-"\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060"
-"\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040"
-"\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164"
-"\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162"
-"\151\164\171\040\061"
-, (PRUint32)101 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)"\060\202\003\244\060\202\002\214\240\003\002\001\002\002\001\001"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
-"\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061\034"
-"\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143\141"
-"\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060\064"
-"\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040\117"
-"\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164\151"
-"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
-"\164\171\040\061\060\036\027\015\060\062\060\065\062\070\060\066"
-"\060\060\060\060\132\027\015\063\067\061\061\061\071\062\060\064"
-"\063\060\060\132\060\143\061\013\060\011\006\003\125\004\006\023"
-"\002\125\123\061\034\060\032\006\003\125\004\012\023\023\101\155"
-"\145\162\151\143\141\040\117\156\154\151\156\145\040\111\156\143"
-"\056\061\066\060\064\006\003\125\004\003\023\055\101\155\145\162"
-"\151\143\141\040\117\156\154\151\156\145\040\122\157\157\164\040"
-"\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165"
-"\164\150\157\162\151\164\171\040\061\060\202\001\042\060\015\006"
-"\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017"
-"\000\060\202\001\012\002\202\001\001\000\250\057\350\244\151\006"
-"\003\107\303\351\052\230\377\031\242\160\232\306\120\262\176\245"
-"\337\150\115\033\174\017\266\227\150\175\055\246\213\227\351\144"
-"\206\311\243\357\240\206\277\140\145\234\113\124\210\302\110\305"
-"\112\071\277\024\343\131\125\345\031\264\164\310\264\005\071\134"
-"\026\245\342\225\005\340\022\256\131\213\242\063\150\130\034\246"
-"\324\025\267\330\237\327\334\161\253\176\232\277\233\216\063\017"
-"\042\375\037\056\347\007\066\357\142\071\305\335\313\272\045\024"
-"\043\336\014\306\075\074\316\202\010\346\146\076\332\121\073\026"
-"\072\243\005\177\240\334\207\325\234\374\162\251\240\175\170\344"
-"\267\061\125\036\145\273\324\141\260\041\140\355\020\062\162\305"
-"\222\045\036\370\220\112\030\170\107\337\176\060\067\076\120\033"
-"\333\034\323\153\232\206\123\007\260\357\254\006\170\370\204\231"
-"\376\041\215\114\200\266\014\202\366\146\160\171\032\323\117\243"
-"\317\361\317\106\260\113\017\076\335\210\142\270\214\251\011\050"
-"\073\172\307\227\341\036\345\364\237\300\300\256\044\240\310\241"
-"\331\017\326\173\046\202\151\062\075\247\002\003\001\000\001\243"
-"\143\060\141\060\017\006\003\125\035\023\001\001\377\004\005\060"
-"\003\001\001\377\060\035\006\003\125\035\016\004\026\004\024\000"
-"\255\331\243\366\171\366\156\164\251\177\063\075\201\027\327\114"
-"\317\063\336\060\037\006\003\125\035\043\004\030\060\026\200\024"
-"\000\255\331\243\366\171\366\156\164\251\177\063\075\201\027\327"
-"\114\317\063\336\060\016\006\003\125\035\017\001\001\377\004\004"
-"\003\002\001\206\060\015\006\011\052\206\110\206\367\015\001\001"
-"\005\005\000\003\202\001\001\000\174\212\321\037\030\067\202\340"
-"\270\260\243\355\126\225\310\142\141\234\005\242\315\302\142\046"
-"\141\315\020\026\327\314\264\145\064\320\021\212\255\250\251\005"
-"\146\357\164\363\155\137\235\231\257\366\213\373\353\122\262\005"
-"\230\242\157\052\305\124\275\045\275\137\256\310\206\352\106\054"
-"\301\263\275\301\351\111\160\030\026\227\010\023\214\040\340\033"
-"\056\072\107\313\036\344\000\060\225\133\364\105\243\300\032\260"
-"\001\116\253\275\300\043\156\143\077\200\112\305\007\355\334\342"
-"\157\307\301\142\361\343\162\326\004\310\164\147\013\372\210\253"
-"\241\001\310\157\360\024\257\322\231\315\121\223\176\355\056\070"
-"\307\275\316\106\120\075\162\343\171\045\235\233\210\053\020\040"
-"\335\245\270\062\237\215\340\051\337\041\164\206\202\333\057\202"
-"\060\306\307\065\206\263\371\226\137\106\333\014\105\375\363\120"
-"\303\157\306\303\110\255\106\246\341\047\107\012\035\016\233\266"
-"\302\167\177\143\362\340\175\032\276\374\340\337\327\307\247\154"
-"\260\371\256\272\074\375\164\264\021\350\130\015\200\274\323\250"
-"\200\072\231\355\165\314\106\173"
-, (PRUint32)936 }
-};
-static const NSSItem nss_builtins_items_121 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"America Online Root Certification Authority 1", (PRUint32)46 },
-  { (void *)"\071\041\301\025\301\135\016\312\134\313\133\304\360\175\041\330"
-"\005\013\126\152"
-, (PRUint32)20 },
-  { (void *)"\024\361\010\255\235\372\144\342\211\347\034\317\250\255\175\136"
-, (PRUint32)16 },
-  { (void *)"\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\034\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143"
-"\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060"
-"\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040"
-"\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164"
-"\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162"
-"\151\164\171\040\061"
-, (PRUint32)101 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_122 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"America Online Root Certification Authority 2", (PRUint32)46 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\034\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143"
-"\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060"
-"\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040"
-"\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164"
-"\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162"
-"\151\164\171\040\062"
-, (PRUint32)101 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\034\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143"
-"\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060"
-"\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040"
-"\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164"
-"\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162"
-"\151\164\171\040\062"
-, (PRUint32)101 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)"\060\202\005\244\060\202\003\214\240\003\002\001\002\002\001\001"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
-"\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061\034"
-"\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143\141"
-"\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060\064"
-"\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040\117"
-"\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164\151"
-"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
-"\164\171\040\062\060\036\027\015\060\062\060\065\062\070\060\066"
-"\060\060\060\060\132\027\015\063\067\060\071\062\071\061\064\060"
-"\070\060\060\132\060\143\061\013\060\011\006\003\125\004\006\023"
-"\002\125\123\061\034\060\032\006\003\125\004\012\023\023\101\155"
-"\145\162\151\143\141\040\117\156\154\151\156\145\040\111\156\143"
-"\056\061\066\060\064\006\003\125\004\003\023\055\101\155\145\162"
-"\151\143\141\040\117\156\154\151\156\145\040\122\157\157\164\040"
-"\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165"
-"\164\150\157\162\151\164\171\040\062\060\202\002\042\060\015\006"
-"\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002\017"
-"\000\060\202\002\012\002\202\002\001\000\314\101\105\035\351\075"
-"\115\020\366\214\261\101\311\340\136\313\015\267\277\107\163\323"
-"\360\125\115\335\306\014\372\261\146\005\152\315\170\264\334\002"
-"\333\116\201\363\327\247\174\161\274\165\143\240\135\343\007\014"
-"\110\354\045\304\003\040\364\377\016\073\022\377\233\215\341\306"
-"\325\033\264\155\042\343\261\333\177\041\144\257\206\274\127\042"
-"\052\326\107\201\127\104\202\126\123\275\206\024\001\013\374\177"
-"\164\244\132\256\361\272\021\265\233\130\132\200\264\067\170\011"
-"\063\174\062\107\003\134\304\245\203\110\364\127\126\156\201\066"
-"\047\030\117\354\233\050\302\324\264\327\174\014\076\014\053\337"
-"\312\004\327\306\216\352\130\116\250\244\245\030\034\154\105\230"
-"\243\101\321\055\322\307\155\215\031\361\255\171\267\201\077\275"
-"\006\202\047\055\020\130\005\265\170\005\271\057\333\014\153\220"
-"\220\176\024\131\070\273\224\044\023\345\321\235\024\337\323\202"
-"\115\106\360\200\071\122\062\017\343\204\262\172\103\362\136\336"
-"\137\077\035\335\343\262\033\240\241\052\043\003\156\056\001\025"
-"\207\134\246\165\165\307\227\141\276\336\206\334\324\110\333\275"
-"\052\277\112\125\332\350\175\120\373\264\200\027\270\224\277\001"
-"\075\352\332\272\174\340\130\147\027\271\130\340\210\206\106\147"
-"\154\235\020\107\130\062\320\065\174\171\052\220\242\132\020\021"
-"\043\065\255\057\314\344\112\133\247\310\047\362\203\336\136\273"
-"\136\167\347\350\245\156\143\302\015\135\141\320\214\322\154\132"
-"\041\016\312\050\243\316\052\351\225\307\110\317\226\157\035\222"
-"\045\310\306\306\301\301\014\005\254\046\304\322\165\322\341\052"
-"\147\300\075\133\245\232\353\317\173\032\250\235\024\105\345\017"
-"\240\232\145\336\057\050\275\316\157\224\146\203\110\051\330\352"
-"\145\214\257\223\331\144\237\125\127\046\277\157\313\067\061\231"
-"\243\140\273\034\255\211\064\062\142\270\103\041\006\162\014\241"
-"\134\155\106\305\372\051\317\060\336\211\334\161\133\335\266\067"
-"\076\337\120\365\270\007\045\046\345\274\265\376\074\002\263\267"
-"\370\276\103\301\207\021\224\236\043\154\027\212\270\212\047\014"
-"\124\107\360\251\263\300\200\214\240\047\353\035\031\343\007\216"
-"\167\160\312\053\364\175\166\340\170\147\002\003\001\000\001\243"
-"\143\060\141\060\017\006\003\125\035\023\001\001\377\004\005\060"
-"\003\001\001\377\060\035\006\003\125\035\016\004\026\004\024\115"
-"\105\301\150\070\273\163\251\151\241\040\347\355\365\042\241\043"
-"\024\327\236\060\037\006\003\125\035\043\004\030\060\026\200\024"
-"\115\105\301\150\070\273\163\251\151\241\040\347\355\365\042\241"
-"\043\024\327\236\060\016\006\003\125\035\017\001\001\377\004\004"
-"\003\002\001\206\060\015\006\011\052\206\110\206\367\015\001\001"
-"\005\005\000\003\202\002\001\000\147\153\006\271\137\105\073\052"
-"\113\063\263\346\033\153\131\116\042\314\271\267\244\045\311\247"
-"\304\360\124\226\013\144\363\261\130\117\136\121\374\262\227\173"
-"\047\145\302\345\312\347\015\014\045\173\142\343\372\237\264\207"
-"\267\105\106\257\203\245\227\110\214\245\275\361\026\053\233\166"
-"\054\172\065\140\154\021\200\227\314\251\222\122\346\053\346\151"
-"\355\251\370\066\055\054\167\277\141\110\321\143\013\271\133\122"
-"\355\030\260\103\102\042\246\261\167\256\336\151\305\315\307\034"
-"\241\261\245\034\020\373\030\276\032\160\335\301\222\113\276\051"
-"\132\235\077\065\276\345\175\121\370\125\340\045\165\043\207\036"
-"\134\334\272\235\260\254\263\151\333\027\203\311\367\336\014\274"
-"\010\334\221\236\250\320\327\025\067\163\245\065\270\374\176\305"
-"\104\100\006\303\353\370\042\200\134\107\316\002\343\021\237\104"
-"\377\375\232\062\314\175\144\121\016\353\127\046\166\072\343\036"
-"\042\074\302\246\066\335\031\357\247\374\022\363\046\300\131\061"
-"\205\114\234\330\317\337\244\314\314\051\223\377\224\155\166\134"
-"\023\010\227\362\355\245\013\115\335\350\311\150\016\146\323\000"
-"\016\063\022\133\274\225\345\062\220\250\263\306\154\203\255\167"
-"\356\213\176\176\261\251\253\323\341\361\266\300\261\352\210\300"
-"\347\323\220\351\050\222\224\173\150\173\227\052\012\147\055\205"
-"\002\070\020\344\003\141\324\332\045\066\307\010\130\055\241\247"
-"\121\257\060\012\111\365\246\151\207\007\055\104\106\166\216\052"
-"\345\232\073\327\030\242\374\234\070\020\314\306\073\322\265\027"
-"\072\157\375\256\045\275\365\162\131\144\261\164\052\070\137\030"
-"\114\337\317\161\004\132\066\324\277\057\231\234\350\331\272\261"
-"\225\346\002\113\041\241\133\325\301\117\217\256\151\155\123\333"
-"\001\223\265\134\036\030\335\144\132\312\030\050\076\143\004\021"
-"\375\034\215\000\017\270\067\337\147\212\235\146\251\002\152\221"
-"\377\023\312\057\135\203\274\207\223\154\334\044\121\026\004\045"
-"\146\372\263\331\302\272\051\276\232\110\070\202\231\364\277\073"
-"\112\061\031\371\277\216\041\063\024\312\117\124\137\373\316\373"
-"\217\161\177\375\136\031\240\017\113\221\270\304\124\274\006\260"
-"\105\217\046\221\242\216\376\251"
-, (PRUint32)1448 }
-};
-static const NSSItem nss_builtins_items_123 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"America Online Root Certification Authority 2", (PRUint32)46 },
-  { (void *)"\205\265\377\147\233\014\171\226\037\310\156\104\042\000\106\023"
-"\333\027\222\204"
-, (PRUint32)20 },
-  { (void *)"\326\355\074\312\342\146\017\257\020\103\015\167\233\004\011\277"
-, (PRUint32)16 },
-  { (void *)"\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\034\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143"
-"\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060"
-"\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040"
-"\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164"
-"\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162"
-"\151\164\171\040\062"
-, (PRUint32)101 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_124 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Visa eCommerce Root", (PRUint32)20 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\153\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057"
-"\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156"
-"\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166"
-"\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061"
-"\034\060\032\006\003\125\004\003\023\023\126\151\163\141\040\145"
-"\103\157\155\155\145\162\143\145\040\122\157\157\164"
-, (PRUint32)109 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\153\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057"
-"\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156"
-"\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166"
-"\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061"
-"\034\060\032\006\003\125\004\003\023\023\126\151\163\141\040\145"
-"\103\157\155\155\145\162\143\145\040\122\157\157\164"
-, (PRUint32)109 },
-  { (void *)"\002\020\023\206\065\115\035\077\006\362\301\371\145\005\325\220"
-"\034\142"
-, (PRUint32)18 },
-  { (void *)"\060\202\003\242\060\202\002\212\240\003\002\001\002\002\020\023"
-"\206\065\115\035\077\006\362\301\371\145\005\325\220\034\142\060"
-"\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\153"
-"\061\013\060\011\006\003\125\004\006\023\002\125\123\061\015\060"
-"\013\006\003\125\004\012\023\004\126\111\123\101\061\057\060\055"
-"\006\003\125\004\013\023\046\126\151\163\141\040\111\156\164\145"
-"\162\156\141\164\151\157\156\141\154\040\123\145\162\166\151\143"
-"\145\040\101\163\163\157\143\151\141\164\151\157\156\061\034\060"
-"\032\006\003\125\004\003\023\023\126\151\163\141\040\145\103\157"
-"\155\155\145\162\143\145\040\122\157\157\164\060\036\027\015\060"
-"\062\060\066\062\066\060\062\061\070\063\066\132\027\015\062\062"
-"\060\066\062\064\060\060\061\066\061\062\132\060\153\061\013\060"
-"\011\006\003\125\004\006\023\002\125\123\061\015\060\013\006\003"
-"\125\004\012\023\004\126\111\123\101\061\057\060\055\006\003\125"
-"\004\013\023\046\126\151\163\141\040\111\156\164\145\162\156\141"
-"\164\151\157\156\141\154\040\123\145\162\166\151\143\145\040\101"
-"\163\163\157\143\151\141\164\151\157\156\061\034\060\032\006\003"
-"\125\004\003\023\023\126\151\163\141\040\145\103\157\155\155\145"
-"\162\143\145\040\122\157\157\164\060\202\001\042\060\015\006\011"
-"\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000"
-"\060\202\001\012\002\202\001\001\000\257\127\336\126\036\156\241"
-"\332\140\261\224\047\313\027\333\007\077\200\205\117\310\234\266"
-"\320\364\157\117\317\231\330\341\333\302\110\134\072\254\071\063"
-"\307\037\152\213\046\075\053\065\365\110\261\221\301\002\116\004"
-"\226\221\173\260\063\360\261\024\116\021\157\265\100\257\033\105"
-"\245\112\357\176\266\254\362\240\037\130\077\022\106\140\074\215"
-"\241\340\175\317\127\076\063\036\373\107\361\252\025\227\007\125"
-"\146\245\265\055\056\330\200\131\262\247\015\267\106\354\041\143"
-"\377\065\253\245\002\317\052\364\114\376\173\365\224\135\204\115"
-"\250\362\140\217\333\016\045\074\237\163\161\317\224\337\112\352"
-"\333\337\162\070\214\363\226\275\361\027\274\322\272\073\105\132"
-"\306\247\366\306\027\213\001\235\374\031\250\052\203\026\270\072"
-"\110\376\116\076\240\253\006\031\351\123\363\200\023\007\355\055"
-"\277\077\012\074\125\040\071\054\054\000\151\164\225\112\274\040"
-"\262\251\171\345\030\211\221\250\334\034\115\357\273\176\067\013"
-"\135\376\071\245\210\122\214\000\154\354\030\174\101\275\366\213"
-"\165\167\272\140\235\204\347\376\055\002\003\001\000\001\243\102"
-"\060\100\060\017\006\003\125\035\023\001\001\377\004\005\060\003"
-"\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004\003"
-"\002\001\006\060\035\006\003\125\035\016\004\026\004\024\025\070"
-"\203\017\077\054\077\160\063\036\315\106\376\007\214\040\340\327"
-"\303\267\060\015\006\011\052\206\110\206\367\015\001\001\005\005"
-"\000\003\202\001\001\000\137\361\101\175\174\134\010\271\053\340"
-"\325\222\107\372\147\134\245\023\303\003\041\233\053\114\211\106"
-"\317\131\115\311\376\245\100\266\143\315\335\161\050\225\147\021"
-"\314\044\254\323\104\154\161\256\001\040\153\003\242\217\030\267"
-"\051\072\175\345\026\140\123\170\074\300\257\025\203\367\217\122"
-"\063\044\275\144\223\227\356\213\367\333\030\250\155\161\263\367"
-"\054\027\320\164\045\151\367\376\153\074\224\276\115\113\101\214"
-"\116\342\163\320\343\220\042\163\103\315\363\357\352\163\316\105"
-"\212\260\246\111\377\114\175\235\161\210\304\166\035\220\133\035"
-"\356\375\314\367\356\375\140\245\261\172\026\161\321\026\320\174"
-"\022\074\154\151\227\333\256\137\071\232\160\057\005\074\031\106"
-"\004\231\040\066\320\140\156\141\006\273\026\102\214\160\367\060"
-"\373\340\333\146\243\000\001\275\346\054\332\221\137\240\106\213"
-"\115\152\234\075\075\335\005\106\376\166\277\240\012\074\344\000"
-"\346\047\267\377\204\055\336\272\042\047\226\020\161\353\042\355"
-"\337\337\063\234\317\343\255\256\216\324\216\346\117\121\257\026"
-"\222\340\134\366\007\017"
-, (PRUint32)934 }
-};
-static const NSSItem nss_builtins_items_125 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Visa eCommerce Root", (PRUint32)20 },
-  { (void *)"\160\027\233\206\214\000\244\372\140\221\122\042\077\237\076\062"
-"\275\340\005\142"
-, (PRUint32)20 },
-  { (void *)"\374\021\270\330\010\223\060\000\155\043\371\176\353\122\036\002"
-, (PRUint32)16 },
-  { (void *)"\060\153\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057"
-"\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156"
-"\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166"
-"\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061"
-"\034\060\032\006\003\125\004\003\023\023\126\151\163\141\040\145"
-"\103\157\155\155\145\162\143\145\040\122\157\157\164"
-, (PRUint32)109 },
-  { (void *)"\002\020\023\206\065\115\035\077\006\362\301\371\145\005\325\220"
-"\034\142"
-, (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_126 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"TC TrustCenter, Germany, Class 2 CA", (PRUint32)36 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105"
-"\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165"
-"\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155"
-"\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124"
-"\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157"
-"\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141"
-"\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110"
-"\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162"
-"\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040"
-"\062\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015"
-"\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145"
-"\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145"
-, (PRUint32)191 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105"
-"\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165"
-"\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155"
-"\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124"
-"\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157"
-"\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141"
-"\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110"
-"\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162"
-"\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040"
-"\062\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015"
-"\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145"
-"\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145"
-, (PRUint32)191 },
-  { (void *)"\002\002\003\352"
-, (PRUint32)4 },
-  { (void *)"\060\202\003\134\060\202\002\305\240\003\002\001\002\002\002\003"
-"\352\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000"
-"\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105"
-"\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165"
-"\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155"
-"\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124"
-"\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157"
-"\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141"
-"\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110"
-"\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162"
-"\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040"
-"\062\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015"
-"\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145"
-"\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145\060"
-"\036\027\015\071\070\060\063\060\071\061\061\065\071\065\071\132"
-"\027\015\061\061\060\061\060\061\061\061\065\071\065\071\132\060"
-"\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105\061"
-"\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165\162"
-"\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155\142"
-"\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124\103"
-"\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157\162"
-"\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141\164"
-"\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110\061"
-"\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162\165"
-"\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040\062"
-"\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015\001"
-"\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145\100"
-"\164\162\165\163\164\143\145\156\164\145\162\056\144\145\060\201"
-"\237\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000"
-"\003\201\215\000\060\201\211\002\201\201\000\332\070\350\355\062"
-"\000\051\161\203\001\015\277\214\001\334\332\306\255\071\244\251"
-"\212\057\325\213\134\150\137\120\306\142\365\146\275\312\221\042"
-"\354\252\035\121\327\075\263\121\262\203\116\135\313\111\260\360"
-"\114\125\345\153\055\307\205\013\060\034\222\116\202\324\312\002"
-"\355\367\157\276\334\340\343\024\270\005\123\362\232\364\126\213"
-"\132\236\205\223\321\264\202\126\256\115\273\250\113\127\026\274"
-"\376\370\130\236\370\051\215\260\173\315\170\311\117\254\213\147"
-"\014\361\234\373\374\127\233\127\134\117\015\002\003\001\000\001"
-"\243\153\060\151\060\017\006\003\125\035\023\001\001\377\004\005"
-"\060\003\001\001\377\060\016\006\003\125\035\017\001\001\377\004"
-"\004\003\002\001\206\060\063\006\011\140\206\110\001\206\370\102"
-"\001\010\004\046\026\044\150\164\164\160\072\057\057\167\167\167"
-"\056\164\162\165\163\164\143\145\156\164\145\162\056\144\145\057"
-"\147\165\151\144\145\154\151\156\145\163\060\021\006\011\140\206"
-"\110\001\206\370\102\001\001\004\004\003\002\000\007\060\015\006"
-"\011\052\206\110\206\367\015\001\001\004\005\000\003\201\201\000"
-"\204\122\373\050\337\377\037\165\001\274\001\276\004\126\227\152"
-"\164\102\044\061\203\371\106\261\006\212\211\317\226\054\063\277"
-"\214\265\137\172\162\241\205\006\316\206\370\005\216\350\371\045"
-"\312\332\203\214\006\254\353\066\155\205\221\064\004\066\364\102"
-"\360\370\171\056\012\110\134\253\314\121\117\170\166\240\331\254"
-"\031\275\052\321\151\004\050\221\312\066\020\047\200\127\133\322"
-"\134\365\302\133\253\144\201\143\164\121\364\227\277\315\022\050"
-"\367\115\146\177\247\360\034\001\046\170\262\146\107\160\121\144"
-, (PRUint32)864 }
-};
-static const NSSItem nss_builtins_items_127 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"TC TrustCenter, Germany, Class 2 CA", (PRUint32)36 },
-  { (void *)"\203\216\060\367\177\335\024\252\070\136\321\105\000\234\016\042"
-"\066\111\117\252"
-, (PRUint32)20 },
-  { (void *)"\270\026\063\114\114\114\362\330\323\115\006\264\246\133\100\003"
-, (PRUint32)16 },
-  { (void *)"\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105"
-"\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165"
-"\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155"
-"\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124"
-"\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157"
-"\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141"
-"\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110"
-"\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162"
-"\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040"
-"\062\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015"
-"\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145"
-"\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145"
-, (PRUint32)191 },
-  { (void *)"\002\002\003\352"
-, (PRUint32)4 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_128 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"TC TrustCenter, Germany, Class 3 CA", (PRUint32)36 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105"
-"\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165"
-"\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155"
-"\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124"
-"\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157"
-"\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141"
-"\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110"
-"\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162"
-"\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040"
-"\063\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015"
-"\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145"
-"\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145"
-, (PRUint32)191 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105"
-"\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165"
-"\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155"
-"\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124"
-"\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157"
-"\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141"
-"\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110"
-"\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162"
-"\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040"
-"\063\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015"
-"\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145"
-"\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145"
-, (PRUint32)191 },
-  { (void *)"\002\002\003\353"
-, (PRUint32)4 },
-  { (void *)"\060\202\003\134\060\202\002\305\240\003\002\001\002\002\002\003"
-"\353\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000"
-"\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105"
-"\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165"
-"\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155"
-"\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124"
-"\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157"
-"\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141"
-"\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110"
-"\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162"
-"\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040"
-"\063\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015"
-"\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145"
-"\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145\060"
-"\036\027\015\071\070\060\063\060\071\061\061\065\071\065\071\132"
-"\027\015\061\061\060\061\060\061\061\061\065\071\065\071\132\060"
-"\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105\061"
-"\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165\162"
-"\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155\142"
-"\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124\103"
-"\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157\162"
-"\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141\164"
-"\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110\061"
-"\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162\165"
-"\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040\063"
-"\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015\001"
-"\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145\100"
-"\164\162\165\163\164\143\145\156\164\145\162\056\144\145\060\201"
-"\237\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000"
-"\003\201\215\000\060\201\211\002\201\201\000\266\264\301\065\005"
-"\056\015\215\354\240\100\152\034\016\047\246\120\222\153\120\033"
-"\007\336\056\347\166\314\340\332\374\204\250\136\214\143\152\053"
-"\115\331\116\002\166\021\301\013\362\215\171\312\000\266\361\260"
-"\016\327\373\244\027\075\257\253\151\172\226\047\277\257\063\241"
-"\232\052\131\252\304\265\067\010\362\022\245\061\266\103\365\062"
-"\226\161\050\050\253\215\050\206\337\273\356\343\014\175\060\326"
-"\303\122\253\217\135\047\234\153\300\243\347\005\153\127\111\104"
-"\263\156\352\144\317\322\216\172\120\167\167\002\003\001\000\001"
-"\243\153\060\151\060\017\006\003\125\035\023\001\001\377\004\005"
-"\060\003\001\001\377\060\016\006\003\125\035\017\001\001\377\004"
-"\004\003\002\001\206\060\063\006\011\140\206\110\001\206\370\102"
-"\001\010\004\046\026\044\150\164\164\160\072\057\057\167\167\167"
-"\056\164\162\165\163\164\143\145\156\164\145\162\056\144\145\057"
-"\147\165\151\144\145\154\151\156\145\163\060\021\006\011\140\206"
-"\110\001\206\370\102\001\001\004\004\003\002\000\007\060\015\006"
-"\011\052\206\110\206\367\015\001\001\004\005\000\003\201\201\000"
-"\026\075\306\315\301\273\205\161\205\106\237\076\040\217\121\050"
-"\231\354\055\105\041\143\043\133\004\273\114\220\270\210\222\004"
-"\115\275\175\001\243\077\366\354\316\361\336\376\175\345\341\076"
-"\273\306\253\136\013\335\075\226\304\313\251\324\371\046\346\006"
-"\116\236\014\245\172\272\156\303\174\202\031\321\307\261\261\303"
-"\333\015\216\233\100\174\067\013\361\135\350\375\037\220\210\245"
-"\016\116\067\144\041\250\116\215\264\237\361\336\110\255\325\126"
-"\030\122\051\213\107\064\022\011\324\273\222\065\357\017\333\064"
-, (PRUint32)864 }
-};
-static const NSSItem nss_builtins_items_129 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"TC TrustCenter, Germany, Class 3 CA", (PRUint32)36 },
-  { (void *)"\237\307\226\350\370\122\117\206\072\341\111\155\070\022\102\020"
-"\137\033\170\365"
-, (PRUint32)20 },
-  { (void *)"\137\224\112\163\042\270\367\321\061\354\131\071\367\216\376\156"
-, (PRUint32)16 },
-  { (void *)"\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105"
-"\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165"
-"\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155"
-"\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124"
-"\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157"
-"\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141"
-"\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110"
-"\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162"
-"\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040"
-"\063\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015"
-"\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145"
-"\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145"
-, (PRUint32)191 },
-  { (void *)"\002\002\003\353"
-, (PRUint32)4 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_130 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Certum Root CA", (PRUint32)15 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\076\061\013\060\011\006\003\125\004\006\023\002\120\114\061"
-"\033\060\031\006\003\125\004\012\023\022\125\156\151\172\145\164"
-"\157\040\123\160\056\040\172\040\157\056\157\056\061\022\060\020"
-"\006\003\125\004\003\023\011\103\145\162\164\165\155\040\103\101"
-, (PRUint32)64 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\076\061\013\060\011\006\003\125\004\006\023\002\120\114\061"
-"\033\060\031\006\003\125\004\012\023\022\125\156\151\172\145\164"
-"\157\040\123\160\056\040\172\040\157\056\157\056\061\022\060\020"
-"\006\003\125\004\003\023\011\103\145\162\164\165\155\040\103\101"
-, (PRUint32)64 },
-  { (void *)"\002\003\001\000\040"
-, (PRUint32)5 },
-  { (void *)"\060\202\003\014\060\202\001\364\240\003\002\001\002\002\003\001"
-"\000\040\060\015\006\011\052\206\110\206\367\015\001\001\005\005"
-"\000\060\076\061\013\060\011\006\003\125\004\006\023\002\120\114"
-"\061\033\060\031\006\003\125\004\012\023\022\125\156\151\172\145"
-"\164\157\040\123\160\056\040\172\040\157\056\157\056\061\022\060"
-"\020\006\003\125\004\003\023\011\103\145\162\164\165\155\040\103"
-"\101\060\036\027\015\060\062\060\066\061\061\061\060\064\066\063"
-"\071\132\027\015\062\067\060\066\061\061\061\060\064\066\063\071"
-"\132\060\076\061\013\060\011\006\003\125\004\006\023\002\120\114"
-"\061\033\060\031\006\003\125\004\012\023\022\125\156\151\172\145"
-"\164\157\040\123\160\056\040\172\040\157\056\157\056\061\022\060"
-"\020\006\003\125\004\003\023\011\103\145\162\164\165\155\040\103"
-"\101\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001"
-"\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001"
-"\001\000\316\261\301\056\323\117\174\315\045\316\030\076\117\304"
-"\214\157\200\152\163\310\133\121\370\233\322\334\273\000\134\261"
-"\240\374\165\003\356\201\360\210\356\043\122\351\346\025\063\215"
-"\254\055\011\305\166\371\053\071\200\211\344\227\113\220\245\250"
-"\170\370\163\103\173\244\141\260\330\130\314\341\154\146\176\234"
-"\363\011\136\125\143\204\325\250\357\363\261\056\060\150\263\304"
-"\074\330\254\156\215\231\132\220\116\064\334\066\232\217\201\210"
-"\120\267\155\226\102\011\363\327\225\203\015\101\113\260\152\153"
-"\370\374\017\176\142\237\147\304\355\046\137\020\046\017\010\117"
-"\360\244\127\050\316\217\270\355\105\366\156\356\045\135\252\156"
-"\071\276\344\223\057\331\107\240\162\353\372\246\133\257\312\123"
-"\077\342\016\306\226\126\021\156\367\351\146\251\046\330\177\225"
-"\123\355\012\205\210\272\117\051\245\102\214\136\266\374\205\040"
-"\000\252\150\013\241\032\205\001\234\304\106\143\202\210\266\042"
-"\261\356\376\252\106\131\176\317\065\054\325\266\332\135\367\110"
-"\063\024\124\266\353\331\157\316\315\210\326\253\033\332\226\073"
-"\035\131\002\003\001\000\001\243\023\060\021\060\017\006\003\125"
-"\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006\011"
-"\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001\000"
-"\270\215\316\357\347\024\272\317\356\260\104\222\154\264\071\076"
-"\242\204\156\255\270\041\167\322\324\167\202\207\346\040\101\201"
-"\356\342\370\021\267\143\321\027\067\276\031\166\044\034\004\032"
-"\114\353\075\252\147\157\055\324\315\376\145\061\160\305\033\246"
-"\002\012\272\140\173\155\130\302\232\111\376\143\062\013\153\343"
-"\072\300\254\253\073\260\350\323\011\121\214\020\203\306\064\340"
-"\305\053\340\032\266\140\024\047\154\062\167\214\274\262\162\230"
-"\317\315\314\077\271\310\044\102\024\326\127\374\346\046\103\251"
-"\035\345\200\220\316\003\124\050\076\367\077\323\370\115\355\152"
-"\012\072\223\023\233\073\024\043\023\143\234\077\321\207\047\171"
-"\345\114\121\343\001\255\205\135\032\073\261\325\163\020\244\323"
-"\362\274\156\144\365\132\126\220\250\307\016\114\164\017\056\161"
-"\073\367\310\107\364\151\157\025\362\021\136\203\036\234\174\122"
-"\256\375\002\332\022\250\131\147\030\333\274\160\335\233\261\151"
-"\355\200\316\211\100\110\152\016\065\312\051\146\025\041\224\054"
-"\350\140\052\233\205\112\100\363\153\212\044\354\006\026\054\163"
-, (PRUint32)784 }
-};
-static const NSSItem nss_builtins_items_131 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Certum Root CA", (PRUint32)15 },
-  { (void *)"\142\122\334\100\367\021\103\242\057\336\236\367\064\216\006\102"
-"\121\261\201\030"
-, (PRUint32)20 },
-  { (void *)"\054\217\237\146\035\030\220\261\107\046\235\216\206\202\214\251"
-, (PRUint32)16 },
-  { (void *)"\060\076\061\013\060\011\006\003\125\004\006\023\002\120\114\061"
-"\033\060\031\006\003\125\004\012\023\022\125\156\151\172\145\164"
-"\157\040\123\160\056\040\172\040\157\056\157\056\061\022\060\020"
-"\006\003\125\004\003\023\011\103\145\162\164\165\155\040\103\101"
-, (PRUint32)64 },
-  { (void *)"\002\003\001\000\040"
-, (PRUint32)5 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_132 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Comodo AAA Services root", (PRUint32)25 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\173\061\013\060\011\006\003\125\004\006\023\002\107\102\061"
-"\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145"
-"\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016"
-"\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032"
-"\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040"
-"\103\101\040\114\151\155\151\164\145\144\061\041\060\037\006\003"
-"\125\004\003\014\030\101\101\101\040\103\145\162\164\151\146\151"
-"\143\141\164\145\040\123\145\162\166\151\143\145\163"
-, (PRUint32)125 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\173\061\013\060\011\006\003\125\004\006\023\002\107\102\061"
-"\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145"
-"\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016"
-"\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032"
-"\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040"
-"\103\101\040\114\151\155\151\164\145\144\061\041\060\037\006\003"
-"\125\004\003\014\030\101\101\101\040\103\145\162\164\151\146\151"
-"\143\141\164\145\040\123\145\162\166\151\143\145\163"
-, (PRUint32)125 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)"\060\202\004\062\060\202\003\032\240\003\002\001\002\002\001\001"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
-"\173\061\013\060\011\006\003\125\004\006\023\002\107\102\061\033"
-"\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145\162"
-"\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016\006"
-"\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032\060"
-"\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040\103"
-"\101\040\114\151\155\151\164\145\144\061\041\060\037\006\003\125"
-"\004\003\014\030\101\101\101\040\103\145\162\164\151\146\151\143"
-"\141\164\145\040\123\145\162\166\151\143\145\163\060\036\027\015"
-"\060\064\060\061\060\061\060\060\060\060\060\060\132\027\015\062"
-"\070\061\062\063\061\062\063\065\071\065\071\132\060\173\061\013"
-"\060\011\006\003\125\004\006\023\002\107\102\061\033\060\031\006"
-"\003\125\004\010\014\022\107\162\145\141\164\145\162\040\115\141"
-"\156\143\150\145\163\164\145\162\061\020\060\016\006\003\125\004"
-"\007\014\007\123\141\154\146\157\162\144\061\032\060\030\006\003"
-"\125\004\012\014\021\103\157\155\157\144\157\040\103\101\040\114"
-"\151\155\151\164\145\144\061\041\060\037\006\003\125\004\003\014"
-"\030\101\101\101\040\103\145\162\164\151\146\151\143\141\164\145"
-"\040\123\145\162\166\151\143\145\163\060\202\001\042\060\015\006"
-"\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017"
-"\000\060\202\001\012\002\202\001\001\000\276\100\235\364\156\341"
-"\352\166\207\034\115\105\104\216\276\106\310\203\006\235\301\052"
-"\376\030\037\216\344\002\372\363\253\135\120\212\026\061\013\232"
-"\006\320\305\160\042\315\111\055\124\143\314\266\156\150\106\013"
-"\123\352\313\114\044\300\274\162\116\352\361\025\256\364\124\232"
-"\022\012\303\172\262\063\140\342\332\211\125\363\042\130\363\336"
-"\334\317\357\203\206\242\214\224\117\237\150\362\230\220\106\204"
-"\047\307\166\277\343\314\065\054\213\136\007\144\145\202\300\110"
-"\260\250\221\371\141\237\166\040\120\250\221\307\146\265\353\170"
-"\142\003\126\360\212\032\023\352\061\243\036\240\231\375\070\366"
-"\366\047\062\130\157\007\365\153\270\373\024\053\257\267\252\314"
-"\326\143\137\163\214\332\005\231\250\070\250\313\027\170\066\121"
-"\254\351\236\364\170\072\215\317\017\331\102\342\230\014\253\057"
-"\237\016\001\336\357\237\231\111\361\055\337\254\164\115\033\230"
-"\265\107\305\345\051\321\371\220\030\307\142\234\276\203\307\046"
-"\173\076\212\045\307\300\335\235\346\065\150\020\040\235\217\330"
-"\336\322\303\204\234\015\136\350\057\311\002\003\001\000\001\243"
-"\201\300\060\201\275\060\035\006\003\125\035\016\004\026\004\024"
-"\240\021\012\043\076\226\361\007\354\342\257\051\357\202\245\177"
-"\320\060\244\264\060\016\006\003\125\035\017\001\001\377\004\004"
-"\003\002\001\006\060\017\006\003\125\035\023\001\001\377\004\005"
-"\060\003\001\001\377\060\173\006\003\125\035\037\004\164\060\162"
-"\060\070\240\066\240\064\206\062\150\164\164\160\072\057\057\143"
-"\162\154\056\143\157\155\157\144\157\143\141\056\143\157\155\057"
-"\101\101\101\103\145\162\164\151\146\151\143\141\164\145\123\145"
-"\162\166\151\143\145\163\056\143\162\154\060\066\240\064\240\062"
-"\206\060\150\164\164\160\072\057\057\143\162\154\056\143\157\155"
-"\157\144\157\056\156\145\164\057\101\101\101\103\145\162\164\151"
-"\146\151\143\141\164\145\123\145\162\166\151\143\145\163\056\143"
-"\162\154\060\015\006\011\052\206\110\206\367\015\001\001\005\005"
-"\000\003\202\001\001\000\010\126\374\002\360\233\350\377\244\372"
-"\326\173\306\104\200\316\117\304\305\366\000\130\314\246\266\274"
-"\024\111\150\004\166\350\346\356\135\354\002\017\140\326\215\120"
-"\030\117\046\116\001\343\346\260\245\356\277\274\164\124\101\277"
-"\375\374\022\270\307\117\132\364\211\140\005\177\140\267\005\112"
-"\363\366\361\302\277\304\271\164\206\266\055\175\153\314\322\363"
-"\106\335\057\306\340\152\303\303\064\003\054\175\226\335\132\302"
-"\016\247\012\231\301\005\213\253\014\057\363\134\072\317\154\067"
-"\125\011\207\336\123\100\154\130\357\374\266\253\145\156\004\366"
-"\033\334\074\340\132\025\306\236\331\361\131\110\060\041\145\003"
-"\154\354\351\041\163\354\233\003\241\340\067\255\240\025\030\217"
-"\372\272\002\316\247\054\251\020\023\054\324\345\010\046\253\042"
-"\227\140\370\220\136\164\324\242\232\123\275\362\251\150\340\242"
-"\156\302\327\154\261\243\017\236\277\353\150\347\126\362\256\362"
-"\343\053\070\072\011\201\265\153\205\327\276\055\355\077\032\267"
-"\262\143\342\365\142\054\202\324\152\000\101\120\361\071\203\237"
-"\225\351\066\226\230\156"
-, (PRUint32)1078 }
-};
-static const NSSItem nss_builtins_items_133 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Comodo AAA Services root", (PRUint32)25 },
-  { (void *)"\321\353\043\244\155\027\326\217\331\045\144\302\361\361\140\027"
-"\144\330\343\111"
-, (PRUint32)20 },
-  { (void *)"\111\171\004\260\353\207\031\254\107\260\274\021\121\233\164\320"
-, (PRUint32)16 },
-  { (void *)"\060\173\061\013\060\011\006\003\125\004\006\023\002\107\102\061"
-"\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145"
-"\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016"
-"\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032"
-"\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040"
-"\103\101\040\114\151\155\151\164\145\144\061\041\060\037\006\003"
-"\125\004\003\014\030\101\101\101\040\103\145\162\164\151\146\151"
-"\143\141\164\145\040\123\145\162\166\151\143\145\163"
-, (PRUint32)125 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_134 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Comodo Secure Services root", (PRUint32)28 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\176\061\013\060\011\006\003\125\004\006\023\002\107\102\061"
-"\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145"
-"\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016"
-"\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032"
-"\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040"
-"\103\101\040\114\151\155\151\164\145\144\061\044\060\042\006\003"
-"\125\004\003\014\033\123\145\143\165\162\145\040\103\145\162\164"
-"\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163"
-, (PRUint32)128 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\176\061\013\060\011\006\003\125\004\006\023\002\107\102\061"
-"\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145"
-"\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016"
-"\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032"
-"\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040"
-"\103\101\040\114\151\155\151\164\145\144\061\044\060\042\006\003"
-"\125\004\003\014\033\123\145\143\165\162\145\040\103\145\162\164"
-"\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163"
-, (PRUint32)128 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)"\060\202\004\077\060\202\003\047\240\003\002\001\002\002\001\001"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
-"\176\061\013\060\011\006\003\125\004\006\023\002\107\102\061\033"
-"\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145\162"
-"\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016\006"
-"\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032\060"
-"\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040\103"
-"\101\040\114\151\155\151\164\145\144\061\044\060\042\006\003\125"
-"\004\003\014\033\123\145\143\165\162\145\040\103\145\162\164\151"
-"\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163\060"
-"\036\027\015\060\064\060\061\060\061\060\060\060\060\060\060\132"
-"\027\015\062\070\061\062\063\061\062\063\065\071\065\071\132\060"
-"\176\061\013\060\011\006\003\125\004\006\023\002\107\102\061\033"
-"\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145\162"
-"\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016\006"
-"\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032\060"
-"\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040\103"
-"\101\040\114\151\155\151\164\145\144\061\044\060\042\006\003\125"
-"\004\003\014\033\123\145\143\165\162\145\040\103\145\162\164\151"
-"\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163\060"
-"\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001"
-"\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000"
-"\300\161\063\202\212\320\160\353\163\207\202\100\325\035\344\313"
-"\311\016\102\220\371\336\064\271\241\272\021\364\045\205\363\314"
-"\162\155\362\173\227\153\263\007\361\167\044\221\137\045\217\366"
-"\164\075\344\200\302\370\074\015\363\277\100\352\367\310\122\321"
-"\162\157\357\310\253\101\270\156\056\027\052\225\151\014\315\322"
-"\036\224\173\055\224\035\252\165\327\263\230\313\254\274\144\123"
-"\100\274\217\254\254\066\313\134\255\273\335\340\224\027\354\321"
-"\134\320\277\357\245\225\311\220\305\260\254\373\033\103\337\172"
-"\010\135\267\270\362\100\033\053\047\236\120\316\136\145\202\210"
-"\214\136\323\116\014\172\352\010\221\266\066\252\053\102\373\352"
-"\302\243\071\345\333\046\070\255\213\012\356\031\143\307\034\044"
-"\337\003\170\332\346\352\301\107\032\013\013\106\011\335\002\374"
-"\336\313\207\137\327\060\143\150\241\256\334\062\241\272\276\376"
-"\104\253\150\266\245\027\025\375\275\325\247\247\232\344\104\063"
-"\351\210\216\374\355\121\353\223\161\116\255\001\347\104\216\253"
-"\055\313\250\376\001\111\110\360\300\335\307\150\330\222\376\075"
-"\002\003\001\000\001\243\201\307\060\201\304\060\035\006\003\125"
-"\035\016\004\026\004\024\074\330\223\210\302\300\202\011\314\001"
-"\231\006\223\040\351\236\160\011\143\117\060\016\006\003\125\035"
-"\017\001\001\377\004\004\003\002\001\006\060\017\006\003\125\035"
-"\023\001\001\377\004\005\060\003\001\001\377\060\201\201\006\003"
-"\125\035\037\004\172\060\170\060\073\240\071\240\067\206\065\150"
-"\164\164\160\072\057\057\143\162\154\056\143\157\155\157\144\157"
-"\143\141\056\143\157\155\057\123\145\143\165\162\145\103\145\162"
-"\164\151\146\151\143\141\164\145\123\145\162\166\151\143\145\163"
-"\056\143\162\154\060\071\240\067\240\065\206\063\150\164\164\160"
-"\072\057\057\143\162\154\056\143\157\155\157\144\157\056\156\145"
-"\164\057\123\145\143\165\162\145\103\145\162\164\151\146\151\143"
-"\141\164\145\123\145\162\166\151\143\145\163\056\143\162\154\060"
-"\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003\202"
-"\001\001\000\207\001\155\043\035\176\133\027\175\301\141\062\317"
-"\217\347\363\212\224\131\146\340\236\050\250\136\323\267\364\064"
-"\346\252\071\262\227\026\305\202\157\062\244\351\214\347\257\375"
-"\357\302\350\271\113\252\243\364\346\332\215\145\041\373\272\200"
-"\353\046\050\205\032\376\071\214\336\133\004\004\264\124\371\243"
-"\147\236\101\372\011\122\314\005\110\250\311\077\041\004\036\316"
-"\110\153\374\205\350\302\173\257\177\267\314\370\137\072\375\065"
-"\306\015\357\227\334\114\253\021\341\153\313\061\321\154\373\110"
-"\200\253\334\234\067\270\041\024\113\015\161\075\354\203\063\156"
-"\321\156\062\026\354\230\307\026\213\131\246\064\253\005\127\055"
-"\223\367\252\023\313\322\023\342\267\056\073\315\153\120\027\011"
-"\150\076\265\046\127\356\266\340\266\335\271\051\200\171\175\217"
-"\243\360\244\050\244\025\304\205\364\047\324\153\277\345\134\344"
-"\145\002\166\124\264\343\067\146\044\323\031\141\310\122\020\345"
-"\213\067\232\271\251\371\035\277\352\231\222\141\226\377\001\315"
-"\241\137\015\274\161\274\016\254\013\035\107\105\035\301\354\174"
-"\354\375\051"
-, (PRUint32)1091 }
-};
-static const NSSItem nss_builtins_items_135 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Comodo Secure Services root", (PRUint32)28 },
-  { (void *)"\112\145\325\364\035\357\071\270\270\220\112\112\323\144\201\063"
-"\317\307\241\321"
-, (PRUint32)20 },
-  { (void *)"\323\331\275\256\237\254\147\044\263\310\033\122\341\271\251\275"
-, (PRUint32)16 },
-  { (void *)"\060\176\061\013\060\011\006\003\125\004\006\023\002\107\102\061"
-"\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145"
-"\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016"
-"\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032"
-"\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040"
-"\103\101\040\114\151\155\151\164\145\144\061\044\060\042\006\003"
-"\125\004\003\014\033\123\145\143\165\162\145\040\103\145\162\164"
-"\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163"
-, (PRUint32)128 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_136 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Comodo Trusted Services root", (PRUint32)29 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\177\061\013\060\011\006\003\125\004\006\023\002\107\102\061"
-"\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145"
-"\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016"
-"\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032"
-"\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040"
-"\103\101\040\114\151\155\151\164\145\144\061\045\060\043\006\003"
-"\125\004\003\014\034\124\162\165\163\164\145\144\040\103\145\162"
-"\164\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145"
-"\163"
-, (PRUint32)129 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\177\061\013\060\011\006\003\125\004\006\023\002\107\102\061"
-"\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145"
-"\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016"
-"\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032"
-"\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040"
-"\103\101\040\114\151\155\151\164\145\144\061\045\060\043\006\003"
-"\125\004\003\014\034\124\162\165\163\164\145\144\040\103\145\162"
-"\164\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145"
-"\163"
-, (PRUint32)129 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)"\060\202\004\103\060\202\003\053\240\003\002\001\002\002\001\001"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
-"\177\061\013\060\011\006\003\125\004\006\023\002\107\102\061\033"
-"\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145\162"
-"\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016\006"
-"\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032\060"
-"\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040\103"
-"\101\040\114\151\155\151\164\145\144\061\045\060\043\006\003\125"
-"\004\003\014\034\124\162\165\163\164\145\144\040\103\145\162\164"
-"\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163"
-"\060\036\027\015\060\064\060\061\060\061\060\060\060\060\060\060"
-"\132\027\015\062\070\061\062\063\061\062\063\065\071\065\071\132"
-"\060\177\061\013\060\011\006\003\125\004\006\023\002\107\102\061"
-"\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145"
-"\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016"
-"\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032"
-"\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040"
-"\103\101\040\114\151\155\151\164\145\144\061\045\060\043\006\003"
-"\125\004\003\014\034\124\162\165\163\164\145\144\040\103\145\162"
-"\164\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145"
-"\163\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001"
-"\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001"
-"\001\000\337\161\157\066\130\123\132\362\066\124\127\200\304\164"
-"\010\040\355\030\177\052\035\346\065\232\036\045\254\234\345\226"
-"\176\162\122\240\025\102\333\131\335\144\172\032\320\270\173\335"
-"\071\025\274\125\110\304\355\072\000\352\061\021\272\362\161\164"
-"\032\147\270\317\063\314\250\061\257\243\343\327\177\277\063\055"
-"\114\152\074\354\213\303\222\322\123\167\044\164\234\007\156\160"
-"\374\275\013\133\166\272\137\362\377\327\067\113\112\140\170\367"
-"\360\372\312\160\264\352\131\252\243\316\110\057\251\303\262\013"
-"\176\027\162\026\014\246\007\014\033\070\317\311\142\267\077\240"
-"\223\245\207\101\362\267\160\100\167\330\276\024\174\343\250\300"
-"\172\216\351\143\152\321\017\232\306\322\364\213\072\024\004\126"
-"\324\355\270\314\156\365\373\342\054\130\275\177\117\153\053\367"
-"\140\044\130\044\316\046\357\064\221\072\325\343\201\320\262\360"
-"\004\002\327\133\267\076\222\254\153\022\212\371\344\005\260\073"
-"\221\111\134\262\353\123\352\370\237\107\206\356\277\225\300\300"
-"\006\237\322\133\136\021\033\364\307\004\065\051\322\125\134\344"
-"\355\353\002\003\001\000\001\243\201\311\060\201\306\060\035\006"
-"\003\125\035\016\004\026\004\024\305\173\130\275\355\332\045\151"
-"\322\367\131\026\250\263\062\300\173\047\133\364\060\016\006\003"
-"\125\035\017\001\001\377\004\004\003\002\001\006\060\017\006\003"
-"\125\035\023\001\001\377\004\005\060\003\001\001\377\060\201\203"
-"\006\003\125\035\037\004\174\060\172\060\074\240\072\240\070\206"
-"\066\150\164\164\160\072\057\057\143\162\154\056\143\157\155\157"
-"\144\157\143\141\056\143\157\155\057\124\162\165\163\164\145\144"
-"\103\145\162\164\151\146\151\143\141\164\145\123\145\162\166\151"
-"\143\145\163\056\143\162\154\060\072\240\070\240\066\206\064\150"
-"\164\164\160\072\057\057\143\162\154\056\143\157\155\157\144\157"
-"\056\156\145\164\057\124\162\165\163\164\145\144\103\145\162\164"
-"\151\146\151\143\141\164\145\123\145\162\166\151\143\145\163\056"
-"\143\162\154\060\015\006\011\052\206\110\206\367\015\001\001\005"
-"\005\000\003\202\001\001\000\310\223\201\073\211\264\257\270\204"
-"\022\114\215\322\360\333\160\272\127\206\025\064\020\271\057\177"
-"\036\260\250\211\140\241\212\302\167\014\120\112\233\000\213\330"
-"\213\364\101\342\320\203\212\112\034\024\006\260\243\150\005\160"
-"\061\060\247\123\233\016\351\112\240\130\151\147\016\256\235\366"
-"\245\054\101\277\074\006\153\344\131\314\155\020\361\226\157\037"
-"\337\364\004\002\244\237\105\076\310\330\372\066\106\104\120\077"
-"\202\227\221\037\050\333\030\021\214\052\344\145\203\127\022\022"
-"\214\027\077\224\066\376\135\260\300\004\167\023\270\364\025\325"
-"\077\070\314\224\072\125\320\254\230\365\272\000\137\340\206\031"
-"\201\170\057\050\300\176\323\314\102\012\365\256\120\240\321\076"
-"\306\241\161\354\077\240\040\214\146\072\211\264\216\324\330\261"
-"\115\045\107\356\057\210\310\265\341\005\105\300\276\024\161\336"
-"\172\375\216\173\175\115\010\226\245\022\163\360\055\312\067\047"
-"\164\022\047\114\313\266\227\351\331\256\010\155\132\071\100\335"
-"\005\107\165\152\132\041\263\243\030\317\116\367\056\127\267\230"
-"\160\136\310\304\170\260\142"
-, (PRUint32)1095 }
-};
-static const NSSItem nss_builtins_items_137 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Comodo Trusted Services root", (PRUint32)29 },
-  { (void *)"\341\237\343\016\213\204\140\236\200\233\027\015\162\250\305\272"
-"\156\024\011\275"
-, (PRUint32)20 },
-  { (void *)"\221\033\077\156\315\236\253\356\007\376\037\161\322\263\141\047"
-, (PRUint32)16 },
-  { (void *)"\060\177\061\013\060\011\006\003\125\004\006\023\002\107\102\061"
-"\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145"
-"\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016"
-"\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032"
-"\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040"
-"\103\101\040\114\151\155\151\164\145\144\061\045\060\043\006\003"
-"\125\004\003\014\034\124\162\165\163\164\145\144\040\103\145\162"
-"\164\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145"
-"\163"
-, (PRUint32)129 },
-  { (void *)"\002\001\001"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_138 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"IPS Chained CAs root", (PRUint32)21 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\202\001\034\061\013\060\011\006\003\125\004\006\023\002\105"
-"\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143"
-"\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011"
-"\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125"
-"\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164"
-"\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166"
-"\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125"
-"\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163"
-"\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060"
-"\071\062\071\064\065\062\061\063\060\061\006\003\125\004\013\023"
-"\052\111\120\123\040\103\101\040\103\150\141\151\156\145\144\040"
-"\103\101\163\040\103\145\162\164\151\146\151\143\141\164\151\157"
-"\156\040\101\165\164\150\157\162\151\164\171\061\063\060\061\006"
-"\003\125\004\003\023\052\111\120\123\040\103\101\040\103\150\141"
-"\151\156\145\144\040\103\101\163\040\103\145\162\164\151\146\151"
-"\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171"
-"\061\036\060\034\006\011\052\206\110\206\367\015\001\011\001\026"
-"\017\151\160\163\100\155\141\151\154\056\151\160\163\056\145\163"
-, (PRUint32)288 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\202\001\034\061\013\060\011\006\003\125\004\006\023\002\105"
-"\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143"
-"\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011"
-"\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125"
-"\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164"
-"\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166"
-"\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125"
-"\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163"
-"\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060"
-"\071\062\071\064\065\062\061\063\060\061\006\003\125\004\013\023"
-"\052\111\120\123\040\103\101\040\103\150\141\151\156\145\144\040"
-"\103\101\163\040\103\145\162\164\151\146\151\143\141\164\151\157"
-"\156\040\101\165\164\150\157\162\151\164\171\061\063\060\061\006"
-"\003\125\004\003\023\052\111\120\123\040\103\101\040\103\150\141"
-"\151\156\145\144\040\103\101\163\040\103\145\162\164\151\146\151"
-"\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171"
-"\061\036\060\034\006\011\052\206\110\206\367\015\001\011\001\026"
-"\017\151\160\163\100\155\141\151\154\056\151\160\163\056\145\163"
-, (PRUint32)288 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)"\060\202\007\367\060\202\007\140\240\003\002\001\002\002\001\000"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
-"\202\001\034\061\013\060\011\006\003\125\004\006\023\002\105\123"
-"\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143\145"
-"\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011\102"
-"\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125\004"
-"\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164\040"
-"\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166\151"
-"\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125\004"
-"\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163\056"
-"\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060\071"
-"\062\071\064\065\062\061\063\060\061\006\003\125\004\013\023\052"
-"\111\120\123\040\103\101\040\103\150\141\151\156\145\144\040\103"
-"\101\163\040\103\145\162\164\151\146\151\143\141\164\151\157\156"
-"\040\101\165\164\150\157\162\151\164\171\061\063\060\061\006\003"
-"\125\004\003\023\052\111\120\123\040\103\101\040\103\150\141\151"
-"\156\145\144\040\103\101\163\040\103\145\162\164\151\146\151\143"
-"\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061"
-"\036\060\034\006\011\052\206\110\206\367\015\001\011\001\026\017"
-"\151\160\163\100\155\141\151\154\056\151\160\163\056\145\163\060"
-"\036\027\015\060\061\061\062\062\071\060\060\065\063\065\070\132"
-"\027\015\062\065\061\062\062\067\060\060\065\063\065\070\132\060"
-"\202\001\034\061\013\060\011\006\003\125\004\006\023\002\105\123"
-"\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143\145"
-"\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011\102"
-"\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125\004"
-"\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164\040"
-"\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166\151"
-"\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125\004"
-"\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163\056"
-"\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060\071"
-"\062\071\064\065\062\061\063\060\061\006\003\125\004\013\023\052"
-"\111\120\123\040\103\101\040\103\150\141\151\156\145\144\040\103"
-"\101\163\040\103\145\162\164\151\146\151\143\141\164\151\157\156"
-"\040\101\165\164\150\157\162\151\164\171\061\063\060\061\006\003"
-"\125\004\003\023\052\111\120\123\040\103\101\040\103\150\141\151"
-"\156\145\144\040\103\101\163\040\103\145\162\164\151\146\151\143"
-"\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061"
-"\036\060\034\006\011\052\206\110\206\367\015\001\011\001\026\017"
-"\151\160\163\100\155\141\151\154\056\151\160\163\056\145\163\060"
-"\201\237\060\015\006\011\052\206\110\206\367\015\001\001\001\005"
-"\000\003\201\215\000\060\201\211\002\201\201\000\334\126\222\111"
-"\262\224\040\274\230\117\120\353\150\244\247\111\013\277\322\061"
-"\350\307\117\302\206\013\372\150\375\103\132\212\363\140\222\065"
-"\231\070\273\115\003\122\041\133\360\067\231\065\341\101\040\201"
-"\205\201\005\161\201\235\264\225\031\251\137\166\064\056\143\067"
-"\065\127\216\264\037\102\077\025\134\341\172\301\137\023\030\062"
-"\061\311\255\276\243\307\203\146\036\271\234\004\023\313\151\301"
-"\006\336\060\006\273\063\243\265\037\360\217\157\316\377\226\350"
-"\124\276\146\200\256\153\333\101\204\066\242\075\002\003\001\000"
-"\001\243\202\004\103\060\202\004\077\060\035\006\003\125\035\016"
-"\004\026\004\024\241\255\061\261\371\076\341\027\246\310\253\064"
-"\374\122\207\011\036\142\122\101\060\202\001\116\006\003\125\035"
-"\043\004\202\001\105\060\202\001\101\200\024\241\255\061\261\371"
-"\076\341\027\246\310\253\064\374\122\207\011\036\142\122\101\241"
-"\202\001\044\244\202\001\040\060\202\001\034\061\013\060\011\006"
-"\003\125\004\006\023\002\105\123\061\022\060\020\006\003\125\004"
-"\010\023\011\102\141\162\143\145\154\157\156\141\061\022\060\020"
-"\006\003\125\004\007\023\011\102\141\162\143\145\154\157\156\141"
-"\061\056\060\054\006\003\125\004\012\023\045\111\120\123\040\111"
-"\156\164\145\162\156\145\164\040\160\165\142\154\151\163\150\151"
-"\156\147\040\123\145\162\166\151\143\145\163\040\163\056\154\056"
-"\061\053\060\051\006\003\125\004\012\024\042\151\160\163\100\155"
-"\141\151\154\056\151\160\163\056\145\163\040\103\056\111\056\106"
-"\056\040\040\102\055\066\060\071\062\071\064\065\062\061\063\060"
-"\061\006\003\125\004\013\023\052\111\120\123\040\103\101\040\103"
-"\150\141\151\156\145\144\040\103\101\163\040\103\145\162\164\151"
-"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
-"\164\171\061\063\060\061\006\003\125\004\003\023\052\111\120\123"
-"\040\103\101\040\103\150\141\151\156\145\144\040\103\101\163\040"
-"\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165"
-"\164\150\157\162\151\164\171\061\036\060\034\006\011\052\206\110"
-"\206\367\015\001\011\001\026\017\151\160\163\100\155\141\151\154"
-"\056\151\160\163\056\145\163\202\001\000\060\014\006\003\125\035"
-"\023\004\005\060\003\001\001\377\060\014\006\003\125\035\017\004"
-"\005\003\003\007\377\200\060\153\006\003\125\035\045\004\144\060"
-"\142\006\010\053\006\001\005\005\007\003\001\006\010\053\006\001"
-"\005\005\007\003\002\006\010\053\006\001\005\005\007\003\003\006"
-"\010\053\006\001\005\005\007\003\004\006\010\053\006\001\005\005"
-"\007\003\010\006\012\053\006\001\004\001\202\067\002\001\025\006"
-"\012\053\006\001\004\001\202\067\002\001\026\006\012\053\006\001"
-"\004\001\202\067\012\003\001\006\012\053\006\001\004\001\202\067"
-"\012\003\004\060\021\006\011\140\206\110\001\206\370\102\001\001"
-"\004\004\003\002\000\007\060\032\006\003\125\035\021\004\023\060"
-"\021\201\017\151\160\163\100\155\141\151\154\056\151\160\163\056"
-"\145\163\060\032\006\003\125\035\022\004\023\060\021\201\017\151"
-"\160\163\100\155\141\151\154\056\151\160\163\056\145\163\060\102"
-"\006\011\140\206\110\001\206\370\102\001\015\004\065\026\063\103"
-"\150\141\151\156\145\144\040\103\101\040\103\145\162\164\151\146"
-"\151\143\141\164\145\040\151\163\163\165\145\144\040\142\171\040"
-"\150\164\164\160\072\057\057\167\167\167\056\151\160\163\056\145"
-"\163\057\060\051\006\011\140\206\110\001\206\370\102\001\002\004"
-"\034\026\032\150\164\164\160\072\057\057\167\167\167\056\151\160"
-"\163\056\145\163\057\151\160\163\062\060\060\062\057\060\067\006"
-"\011\140\206\110\001\206\370\102\001\004\004\052\026\050\150\164"
-"\164\160\072\057\057\167\167\167\056\151\160\163\056\145\163\057"
-"\151\160\163\062\060\060\062\057\151\160\163\062\060\060\062\103"
-"\101\103\056\143\162\154\060\074\006\011\140\206\110\001\206\370"
-"\102\001\003\004\057\026\055\150\164\164\160\072\057\057\167\167"
-"\167\056\151\160\163\056\145\163\057\151\160\163\062\060\060\062"
-"\057\162\145\166\157\143\141\164\151\157\156\103\101\103\056\150"
-"\164\155\154\077\060\071\006\011\140\206\110\001\206\370\102\001"
-"\007\004\054\026\052\150\164\164\160\072\057\057\167\167\167\056"
-"\151\160\163\056\145\163\057\151\160\163\062\060\060\062\057\162"
-"\145\156\145\167\141\154\103\101\103\056\150\164\155\154\077\060"
-"\067\006\011\140\206\110\001\206\370\102\001\010\004\052\026\050"
-"\150\164\164\160\072\057\057\167\167\167\056\151\160\163\056\145"
-"\163\057\151\160\163\062\060\060\062\057\160\157\154\151\143\171"
-"\103\101\103\056\150\164\155\154\060\155\006\003\125\035\037\004"
-"\146\060\144\060\056\240\054\240\052\206\050\150\164\164\160\072"
-"\057\057\167\167\167\056\151\160\163\056\145\163\057\151\160\163"
-"\062\060\060\062\057\151\160\163\062\060\060\062\103\101\103\056"
-"\143\162\154\060\062\240\060\240\056\206\054\150\164\164\160\072"
-"\057\057\167\167\167\142\141\143\153\056\151\160\163\056\145\163"
-"\057\151\160\163\062\060\060\062\057\151\160\163\062\060\060\062"
-"\103\101\103\056\143\162\154\060\057\006\010\053\006\001\005\005"
-"\007\001\001\004\043\060\041\060\037\006\010\053\006\001\005\005"
-"\007\060\001\206\023\150\164\164\160\072\057\057\157\143\163\160"
-"\056\151\160\163\056\145\163\057\060\015\006\011\052\206\110\206"
-"\367\015\001\001\005\005\000\003\201\201\000\104\162\060\235\126"
-"\130\242\101\033\050\267\225\341\246\032\225\137\247\170\100\053"
-"\357\333\226\112\374\114\161\143\331\163\225\275\002\342\242\006"
-"\307\276\227\052\223\200\064\206\003\372\334\330\075\036\007\315"
-"\036\163\103\044\140\365\035\141\334\334\226\240\274\373\035\343"
-"\347\022\000\047\063\002\300\300\053\123\075\330\153\003\201\243"
-"\333\326\223\225\040\357\323\226\176\046\220\211\234\046\233\315"
-"\157\146\253\355\003\042\104\070\314\131\275\237\333\366\007\242"
-"\001\177\046\304\143\365\045\102\136\142\275"
-, (PRUint32)2043 }
-};
-static const NSSItem nss_builtins_items_139 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"IPS Chained CAs root", (PRUint32)21 },
-  { (void *)"\310\302\137\026\236\370\120\164\325\276\350\315\242\324\074\256"
-"\347\137\322\127"
-, (PRUint32)20 },
-  { (void *)"\215\162\121\333\240\072\317\040\167\337\362\145\006\136\337\357"
-, (PRUint32)16 },
-  { (void *)"\060\202\001\034\061\013\060\011\006\003\125\004\006\023\002\105"
-"\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143"
-"\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011"
-"\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125"
-"\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164"
-"\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166"
-"\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125"
-"\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163"
-"\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060"
-"\071\062\071\064\065\062\061\063\060\061\006\003\125\004\013\023"
-"\052\111\120\123\040\103\101\040\103\150\141\151\156\145\144\040"
-"\103\101\163\040\103\145\162\164\151\146\151\143\141\164\151\157"
-"\156\040\101\165\164\150\157\162\151\164\171\061\063\060\061\006"
-"\003\125\004\003\023\052\111\120\123\040\103\101\040\103\150\141"
-"\151\156\145\144\040\103\101\163\040\103\145\162\164\151\146\151"
-"\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171"
-"\061\036\060\034\006\011\052\206\110\206\367\015\001\011\001\026"
-"\017\151\160\163\100\155\141\151\154\056\151\160\163\056\145\163"
-, (PRUint32)288 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_140 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"IPS CLASE1 root", (PRUint32)16 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\202\001\022\061\013\060\011\006\003\125\004\006\023\002\105"
-"\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143"
-"\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011"
-"\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125"
-"\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164"
-"\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166"
-"\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125"
-"\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163"
-"\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060"
-"\071\062\071\064\065\062\061\056\060\054\006\003\125\004\013\023"
-"\045\111\120\123\040\103\101\040\103\114\101\123\105\061\040\103"
-"\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164"
-"\150\157\162\151\164\171\061\056\060\054\006\003\125\004\003\023"
-"\045\111\120\123\040\103\101\040\103\114\101\123\105\061\040\103"
-"\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164"
-"\150\157\162\151\164\171\061\036\060\034\006\011\052\206\110\206"
-"\367\015\001\011\001\026\017\151\160\163\100\155\141\151\154\056"
-"\151\160\163\056\145\163"
-, (PRUint32)278 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\202\001\022\061\013\060\011\006\003\125\004\006\023\002\105"
-"\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143"
-"\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011"
-"\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125"
-"\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164"
-"\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166"
-"\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125"
-"\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163"
-"\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060"
-"\071\062\071\064\065\062\061\056\060\054\006\003\125\004\013\023"
-"\045\111\120\123\040\103\101\040\103\114\101\123\105\061\040\103"
-"\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164"
-"\150\157\162\151\164\171\061\056\060\054\006\003\125\004\003\023"
-"\045\111\120\123\040\103\101\040\103\114\101\123\105\061\040\103"
-"\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164"
-"\150\157\162\151\164\171\061\036\060\034\006\011\052\206\110\206"
-"\367\015\001\011\001\026\017\151\160\163\100\155\141\151\154\056"
-"\151\160\163\056\145\163"
-, (PRUint32)278 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)"\060\202\007\352\060\202\007\123\240\003\002\001\002\002\001\000"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
-"\202\001\022\061\013\060\011\006\003\125\004\006\023\002\105\123"
-"\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143\145"
-"\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011\102"
-"\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125\004"
-"\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164\040"
-"\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166\151"
-"\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125\004"
-"\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163\056"
-"\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060\071"
-"\062\071\064\065\062\061\056\060\054\006\003\125\004\013\023\045"
-"\111\120\123\040\103\101\040\103\114\101\123\105\061\040\103\145"
-"\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150"
-"\157\162\151\164\171\061\056\060\054\006\003\125\004\003\023\045"
-"\111\120\123\040\103\101\040\103\114\101\123\105\061\040\103\145"
-"\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150"
-"\157\162\151\164\171\061\036\060\034\006\011\052\206\110\206\367"
-"\015\001\011\001\026\017\151\160\163\100\155\141\151\154\056\151"
-"\160\163\056\145\163\060\036\027\015\060\061\061\062\062\071\060"
-"\060\065\071\063\070\132\027\015\062\065\061\062\062\067\060\060"
-"\065\071\063\070\132\060\202\001\022\061\013\060\011\006\003\125"
-"\004\006\023\002\105\123\061\022\060\020\006\003\125\004\010\023"
-"\011\102\141\162\143\145\154\157\156\141\061\022\060\020\006\003"
-"\125\004\007\023\011\102\141\162\143\145\154\157\156\141\061\056"
-"\060\054\006\003\125\004\012\023\045\111\120\123\040\111\156\164"
-"\145\162\156\145\164\040\160\165\142\154\151\163\150\151\156\147"
-"\040\123\145\162\166\151\143\145\163\040\163\056\154\056\061\053"
-"\060\051\006\003\125\004\012\024\042\151\160\163\100\155\141\151"
-"\154\056\151\160\163\056\145\163\040\103\056\111\056\106\056\040"
-"\040\102\055\066\060\071\062\071\064\065\062\061\056\060\054\006"
-"\003\125\004\013\023\045\111\120\123\040\103\101\040\103\114\101"
-"\123\105\061\040\103\145\162\164\151\146\151\143\141\164\151\157"
-"\156\040\101\165\164\150\157\162\151\164\171\061\056\060\054\006"
-"\003\125\004\003\023\045\111\120\123\040\103\101\040\103\114\101"
-"\123\105\061\040\103\145\162\164\151\146\151\143\141\164\151\157"
-"\156\040\101\165\164\150\157\162\151\164\171\061\036\060\034\006"
-"\011\052\206\110\206\367\015\001\011\001\026\017\151\160\163\100"
-"\155\141\151\154\056\151\160\163\056\145\163\060\201\237\060\015"
-"\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215"
-"\000\060\201\211\002\201\201\000\340\121\047\247\013\335\257\321"
-"\271\103\133\202\067\105\126\162\357\232\266\302\022\357\054\022"
-"\314\166\371\006\131\257\135\041\324\322\132\270\240\324\363\152"
-"\375\312\151\215\146\110\367\164\346\356\066\275\350\226\221\165"
-"\246\161\050\312\347\042\022\062\151\260\076\036\153\364\120\122"
-"\142\142\375\143\073\175\176\354\356\070\352\142\364\154\250\161"
-"\215\341\351\213\311\077\306\265\315\224\102\157\335\202\105\074"
-"\350\337\011\350\357\012\125\251\126\107\141\114\111\144\163\020"
-"\050\077\312\277\011\377\306\057\002\003\001\000\001\243\202\004"
-"\112\060\202\004\106\060\035\006\003\125\035\016\004\026\004\024"
-"\353\263\031\171\363\301\245\034\254\334\272\037\146\242\262\233"
-"\151\320\170\010\060\202\001\104\006\003\125\035\043\004\202\001"
-"\073\060\202\001\067\200\024\353\263\031\171\363\301\245\034\254"
-"\334\272\037\146\242\262\233\151\320\170\010\241\202\001\032\244"
-"\202\001\026\060\202\001\022\061\013\060\011\006\003\125\004\006"
-"\023\002\105\123\061\022\060\020\006\003\125\004\010\023\011\102"
-"\141\162\143\145\154\157\156\141\061\022\060\020\006\003\125\004"
-"\007\023\011\102\141\162\143\145\154\157\156\141\061\056\060\054"
-"\006\003\125\004\012\023\045\111\120\123\040\111\156\164\145\162"
-"\156\145\164\040\160\165\142\154\151\163\150\151\156\147\040\123"
-"\145\162\166\151\143\145\163\040\163\056\154\056\061\053\060\051"
-"\006\003\125\004\012\024\042\151\160\163\100\155\141\151\154\056"
-"\151\160\163\056\145\163\040\103\056\111\056\106\056\040\040\102"
-"\055\066\060\071\062\071\064\065\062\061\056\060\054\006\003\125"
-"\004\013\023\045\111\120\123\040\103\101\040\103\114\101\123\105"
-"\061\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
-"\101\165\164\150\157\162\151\164\171\061\056\060\054\006\003\125"
-"\004\003\023\045\111\120\123\040\103\101\040\103\114\101\123\105"
-"\061\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
-"\101\165\164\150\157\162\151\164\171\061\036\060\034\006\011\052"
-"\206\110\206\367\015\001\011\001\026\017\151\160\163\100\155\141"
-"\151\154\056\151\160\163\056\145\163\202\001\000\060\014\006\003"
-"\125\035\023\004\005\060\003\001\001\377\060\014\006\003\125\035"
-"\017\004\005\003\003\007\377\200\060\153\006\003\125\035\045\004"
-"\144\060\142\006\010\053\006\001\005\005\007\003\001\006\010\053"
-"\006\001\005\005\007\003\002\006\010\053\006\001\005\005\007\003"
-"\003\006\010\053\006\001\005\005\007\003\004\006\010\053\006\001"
-"\005\005\007\003\010\006\012\053\006\001\004\001\202\067\002\001"
-"\025\006\012\053\006\001\004\001\202\067\002\001\026\006\012\053"
-"\006\001\004\001\202\067\012\003\001\006\012\053\006\001\004\001"
-"\202\067\012\003\004\060\021\006\011\140\206\110\001\206\370\102"
-"\001\001\004\004\003\002\000\007\060\032\006\003\125\035\021\004"
-"\023\060\021\201\017\151\160\163\100\155\141\151\154\056\151\160"
-"\163\056\145\163\060\032\006\003\125\035\022\004\023\060\021\201"
-"\017\151\160\163\100\155\141\151\154\056\151\160\163\056\145\163"
-"\060\101\006\011\140\206\110\001\206\370\102\001\015\004\064\026"
-"\062\103\114\101\123\105\061\040\103\101\040\103\145\162\164\151"
-"\146\151\143\141\164\145\040\151\163\163\165\145\144\040\142\171"
-"\040\150\164\164\160\072\057\057\167\167\167\056\151\160\163\056"
-"\145\163\057\060\051\006\011\140\206\110\001\206\370\102\001\002"
-"\004\034\026\032\150\164\164\160\072\057\057\167\167\167\056\151"
-"\160\163\056\145\163\057\151\160\163\062\060\060\062\057\060\072"
-"\006\011\140\206\110\001\206\370\102\001\004\004\055\026\053\150"
-"\164\164\160\072\057\057\167\167\167\056\151\160\163\056\145\163"
-"\057\151\160\163\062\060\060\062\057\151\160\163\062\060\060\062"
-"\103\114\101\123\105\061\056\143\162\154\060\077\006\011\140\206"
-"\110\001\206\370\102\001\003\004\062\026\060\150\164\164\160\072"
-"\057\057\167\167\167\056\151\160\163\056\145\163\057\151\160\163"
-"\062\060\060\062\057\162\145\166\157\143\141\164\151\157\156\103"
-"\114\101\123\105\061\056\150\164\155\154\077\060\074\006\011\140"
-"\206\110\001\206\370\102\001\007\004\057\026\055\150\164\164\160"
-"\072\057\057\167\167\167\056\151\160\163\056\145\163\057\151\160"
-"\163\062\060\060\062\057\162\145\156\145\167\141\154\103\114\101"
-"\123\105\061\056\150\164\155\154\077\060\072\006\011\140\206\110"
-"\001\206\370\102\001\010\004\055\026\053\150\164\164\160\072\057"
-"\057\167\167\167\056\151\160\163\056\145\163\057\151\160\163\062"
-"\060\060\062\057\160\157\154\151\143\171\103\114\101\123\105\061"
-"\056\150\164\155\154\060\163\006\003\125\035\037\004\154\060\152"
-"\060\061\240\057\240\055\206\053\150\164\164\160\072\057\057\167"
-"\167\167\056\151\160\163\056\145\163\057\151\160\163\062\060\060"
-"\062\057\151\160\163\062\060\060\062\103\114\101\123\105\061\056"
-"\143\162\154\060\065\240\063\240\061\206\057\150\164\164\160\072"
-"\057\057\167\167\167\142\141\143\153\056\151\160\163\056\145\163"
-"\057\151\160\163\062\060\060\062\057\151\160\163\062\060\060\062"
-"\103\114\101\123\105\061\056\143\162\154\060\057\006\010\053\006"
-"\001\005\005\007\001\001\004\043\060\041\060\037\006\010\053\006"
-"\001\005\005\007\060\001\206\023\150\164\164\160\072\057\057\157"
-"\143\163\160\056\151\160\163\056\145\163\057\060\015\006\011\052"
-"\206\110\206\367\015\001\001\005\005\000\003\201\201\000\053\320"
-"\353\375\332\310\312\131\152\332\323\314\062\056\311\124\033\212"
-"\142\176\025\055\351\331\061\323\056\364\047\043\377\133\253\305"
-"\112\266\162\100\256\123\164\364\274\005\264\306\331\310\311\167"
-"\373\267\371\064\177\170\000\370\326\244\344\122\077\054\112\143"
-"\127\201\165\132\216\350\214\373\002\300\224\306\051\272\263\334"
-"\034\350\262\257\322\056\142\133\032\251\216\016\314\305\127\105"
-"\121\024\351\116\034\210\245\221\364\243\367\216\121\310\251\276"
-"\206\063\076\346\057\110\156\257\124\220\116\255\261\045"
-, (PRUint32)2030 }
-};
-static const NSSItem nss_builtins_items_141 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"IPS CLASE1 root", (PRUint32)16 },
-  { (void *)"\103\236\122\137\132\152\107\303\054\353\304\134\143\355\071\061"
-"\174\345\364\337"
-, (PRUint32)20 },
-  { (void *)"\204\220\035\225\060\111\126\374\101\201\360\105\327\166\304\153"
-, (PRUint32)16 },
-  { (void *)"\060\202\001\022\061\013\060\011\006\003\125\004\006\023\002\105"
-"\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143"
-"\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011"
-"\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125"
-"\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164"
-"\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166"
-"\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125"
-"\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163"
-"\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060"
-"\071\062\071\064\065\062\061\056\060\054\006\003\125\004\013\023"
-"\045\111\120\123\040\103\101\040\103\114\101\123\105\061\040\103"
-"\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164"
-"\150\157\162\151\164\171\061\056\060\054\006\003\125\004\003\023"
-"\045\111\120\123\040\103\101\040\103\114\101\123\105\061\040\103"
-"\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164"
-"\150\157\162\151\164\171\061\036\060\034\006\011\052\206\110\206"
-"\367\015\001\011\001\026\017\151\160\163\100\155\141\151\154\056"
-"\151\160\163\056\145\163"
-, (PRUint32)278 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_142 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"IPS CLASE3 root", (PRUint32)16 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\202\001\022\061\013\060\011\006\003\125\004\006\023\002\105"
-"\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143"
-"\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011"
-"\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125"
-"\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164"
-"\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166"
-"\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125"
-"\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163"
-"\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060"
-"\071\062\071\064\065\062\061\056\060\054\006\003\125\004\013\023"
-"\045\111\120\123\040\103\101\040\103\114\101\123\105\063\040\103"
-"\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164"
-"\150\157\162\151\164\171\061\056\060\054\006\003\125\004\003\023"
-"\045\111\120\123\040\103\101\040\103\114\101\123\105\063\040\103"
-"\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164"
-"\150\157\162\151\164\171\061\036\060\034\006\011\052\206\110\206"
-"\367\015\001\011\001\026\017\151\160\163\100\155\141\151\154\056"
-"\151\160\163\056\145\163"
-, (PRUint32)278 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\202\001\022\061\013\060\011\006\003\125\004\006\023\002\105"
-"\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143"
-"\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011"
-"\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125"
-"\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164"
-"\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166"
-"\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125"
-"\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163"
-"\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060"
-"\071\062\071\064\065\062\061\056\060\054\006\003\125\004\013\023"
-"\045\111\120\123\040\103\101\040\103\114\101\123\105\063\040\103"
-"\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164"
-"\150\157\162\151\164\171\061\056\060\054\006\003\125\004\003\023"
-"\045\111\120\123\040\103\101\040\103\114\101\123\105\063\040\103"
-"\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164"
-"\150\157\162\151\164\171\061\036\060\034\006\011\052\206\110\206"
-"\367\015\001\011\001\026\017\151\160\163\100\155\141\151\154\056"
-"\151\160\163\056\145\163"
-, (PRUint32)278 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)"\060\202\007\352\060\202\007\123\240\003\002\001\002\002\001\000"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
-"\202\001\022\061\013\060\011\006\003\125\004\006\023\002\105\123"
-"\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143\145"
-"\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011\102"
-"\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125\004"
-"\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164\040"
-"\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166\151"
-"\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125\004"
-"\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163\056"
-"\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060\071"
-"\062\071\064\065\062\061\056\060\054\006\003\125\004\013\023\045"
-"\111\120\123\040\103\101\040\103\114\101\123\105\063\040\103\145"
-"\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150"
-"\157\162\151\164\171\061\056\060\054\006\003\125\004\003\023\045"
-"\111\120\123\040\103\101\040\103\114\101\123\105\063\040\103\145"
-"\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150"
-"\157\162\151\164\171\061\036\060\034\006\011\052\206\110\206\367"
-"\015\001\011\001\026\017\151\160\163\100\155\141\151\154\056\151"
-"\160\163\056\145\163\060\036\027\015\060\061\061\062\062\071\060"
-"\061\060\061\064\064\132\027\015\062\065\061\062\062\067\060\061"
-"\060\061\064\064\132\060\202\001\022\061\013\060\011\006\003\125"
-"\004\006\023\002\105\123\061\022\060\020\006\003\125\004\010\023"
-"\011\102\141\162\143\145\154\157\156\141\061\022\060\020\006\003"
-"\125\004\007\023\011\102\141\162\143\145\154\157\156\141\061\056"
-"\060\054\006\003\125\004\012\023\045\111\120\123\040\111\156\164"
-"\145\162\156\145\164\040\160\165\142\154\151\163\150\151\156\147"
-"\040\123\145\162\166\151\143\145\163\040\163\056\154\056\061\053"
-"\060\051\006\003\125\004\012\024\042\151\160\163\100\155\141\151"
-"\154\056\151\160\163\056\145\163\040\103\056\111\056\106\056\040"
-"\040\102\055\066\060\071\062\071\064\065\062\061\056\060\054\006"
-"\003\125\004\013\023\045\111\120\123\040\103\101\040\103\114\101"
-"\123\105\063\040\103\145\162\164\151\146\151\143\141\164\151\157"
-"\156\040\101\165\164\150\157\162\151\164\171\061\056\060\054\006"
-"\003\125\004\003\023\045\111\120\123\040\103\101\040\103\114\101"
-"\123\105\063\040\103\145\162\164\151\146\151\143\141\164\151\157"
-"\156\040\101\165\164\150\157\162\151\164\171\061\036\060\034\006"
-"\011\052\206\110\206\367\015\001\011\001\026\017\151\160\163\100"
-"\155\141\151\154\056\151\160\163\056\145\163\060\201\237\060\015"
-"\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215"
-"\000\060\201\211\002\201\201\000\253\027\376\016\260\306\150\033"
-"\123\360\122\276\237\372\332\372\213\023\004\273\001\217\062\331"
-"\037\217\115\316\066\230\332\344\000\104\214\050\330\023\104\052"
-"\244\153\116\027\044\102\234\323\210\244\101\202\326\043\373\213"
-"\311\206\345\271\251\202\005\334\361\336\037\340\014\231\125\230"
-"\362\070\354\154\235\040\003\300\357\252\243\306\144\004\121\055"
-"\170\015\243\322\250\072\326\044\114\351\226\172\030\254\023\043"
-"\042\033\174\350\061\021\263\137\011\252\060\160\161\106\045\153"
-"\111\161\200\053\225\001\262\037\002\003\001\000\001\243\202\004"
-"\112\060\202\004\106\060\035\006\003\125\035\016\004\026\004\024"
-"\270\223\377\056\313\334\054\216\242\347\172\376\066\121\041\243"
-"\230\133\014\064\060\202\001\104\006\003\125\035\043\004\202\001"
-"\073\060\202\001\067\200\024\270\223\377\056\313\334\054\216\242"
-"\347\172\376\066\121\041\243\230\133\014\064\241\202\001\032\244"
-"\202\001\026\060\202\001\022\061\013\060\011\006\003\125\004\006"
-"\023\002\105\123\061\022\060\020\006\003\125\004\010\023\011\102"
-"\141\162\143\145\154\157\156\141\061\022\060\020\006\003\125\004"
-"\007\023\011\102\141\162\143\145\154\157\156\141\061\056\060\054"
-"\006\003\125\004\012\023\045\111\120\123\040\111\156\164\145\162"
-"\156\145\164\040\160\165\142\154\151\163\150\151\156\147\040\123"
-"\145\162\166\151\143\145\163\040\163\056\154\056\061\053\060\051"
-"\006\003\125\004\012\024\042\151\160\163\100\155\141\151\154\056"
-"\151\160\163\056\145\163\040\103\056\111\056\106\056\040\040\102"
-"\055\066\060\071\062\071\064\065\062\061\056\060\054\006\003\125"
-"\004\013\023\045\111\120\123\040\103\101\040\103\114\101\123\105"
-"\063\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
-"\101\165\164\150\157\162\151\164\171\061\056\060\054\006\003\125"
-"\004\003\023\045\111\120\123\040\103\101\040\103\114\101\123\105"
-"\063\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
-"\101\165\164\150\157\162\151\164\171\061\036\060\034\006\011\052"
-"\206\110\206\367\015\001\011\001\026\017\151\160\163\100\155\141"
-"\151\154\056\151\160\163\056\145\163\202\001\000\060\014\006\003"
-"\125\035\023\004\005\060\003\001\001\377\060\014\006\003\125\035"
-"\017\004\005\003\003\007\377\200\060\153\006\003\125\035\045\004"
-"\144\060\142\006\010\053\006\001\005\005\007\003\001\006\010\053"
-"\006\001\005\005\007\003\002\006\010\053\006\001\005\005\007\003"
-"\003\006\010\053\006\001\005\005\007\003\004\006\010\053\006\001"
-"\005\005\007\003\010\006\012\053\006\001\004\001\202\067\002\001"
-"\025\006\012\053\006\001\004\001\202\067\002\001\026\006\012\053"
-"\006\001\004\001\202\067\012\003\001\006\012\053\006\001\004\001"
-"\202\067\012\003\004\060\021\006\011\140\206\110\001\206\370\102"
-"\001\001\004\004\003\002\000\007\060\032\006\003\125\035\021\004"
-"\023\060\021\201\017\151\160\163\100\155\141\151\154\056\151\160"
-"\163\056\145\163\060\032\006\003\125\035\022\004\023\060\021\201"
-"\017\151\160\163\100\155\141\151\154\056\151\160\163\056\145\163"
-"\060\101\006\011\140\206\110\001\206\370\102\001\015\004\064\026"
-"\062\103\114\101\123\105\063\040\103\101\040\103\145\162\164\151"
-"\146\151\143\141\164\145\040\151\163\163\165\145\144\040\142\171"
-"\040\150\164\164\160\072\057\057\167\167\167\056\151\160\163\056"
-"\145\163\057\060\051\006\011\140\206\110\001\206\370\102\001\002"
-"\004\034\026\032\150\164\164\160\072\057\057\167\167\167\056\151"
-"\160\163\056\145\163\057\151\160\163\062\060\060\062\057\060\072"
-"\006\011\140\206\110\001\206\370\102\001\004\004\055\026\053\150"
-"\164\164\160\072\057\057\167\167\167\056\151\160\163\056\145\163"
-"\057\151\160\163\062\060\060\062\057\151\160\163\062\060\060\062"
-"\103\114\101\123\105\063\056\143\162\154\060\077\006\011\140\206"
-"\110\001\206\370\102\001\003\004\062\026\060\150\164\164\160\072"
-"\057\057\167\167\167\056\151\160\163\056\145\163\057\151\160\163"
-"\062\060\060\062\057\162\145\166\157\143\141\164\151\157\156\103"
-"\114\101\123\105\063\056\150\164\155\154\077\060\074\006\011\140"
-"\206\110\001\206\370\102\001\007\004\057\026\055\150\164\164\160"
-"\072\057\057\167\167\167\056\151\160\163\056\145\163\057\151\160"
-"\163\062\060\060\062\057\162\145\156\145\167\141\154\103\114\101"
-"\123\105\063\056\150\164\155\154\077\060\072\006\011\140\206\110"
-"\001\206\370\102\001\010\004\055\026\053\150\164\164\160\072\057"
-"\057\167\167\167\056\151\160\163\056\145\163\057\151\160\163\062"
-"\060\060\062\057\160\157\154\151\143\171\103\114\101\123\105\063"
-"\056\150\164\155\154\060\163\006\003\125\035\037\004\154\060\152"
-"\060\061\240\057\240\055\206\053\150\164\164\160\072\057\057\167"
-"\167\167\056\151\160\163\056\145\163\057\151\160\163\062\060\060"
-"\062\057\151\160\163\062\060\060\062\103\114\101\123\105\063\056"
-"\143\162\154\060\065\240\063\240\061\206\057\150\164\164\160\072"
-"\057\057\167\167\167\142\141\143\153\056\151\160\163\056\145\163"
-"\057\151\160\163\062\060\060\062\057\151\160\163\062\060\060\062"
-"\103\114\101\123\105\063\056\143\162\154\060\057\006\010\053\006"
-"\001\005\005\007\001\001\004\043\060\041\060\037\006\010\053\006"
-"\001\005\005\007\060\001\206\023\150\164\164\160\072\057\057\157"
-"\143\163\160\056\151\160\163\056\145\163\057\060\015\006\011\052"
-"\206\110\206\367\015\001\001\005\005\000\003\201\201\000\027\145"
-"\134\231\225\103\003\047\257\046\345\353\320\263\027\043\367\103"
-"\252\307\360\175\354\017\306\251\256\256\226\017\166\051\034\342"
-"\006\055\176\046\305\074\372\241\301\201\316\123\260\102\321\227"
-"\127\032\027\176\244\121\141\306\356\351\136\357\005\272\353\275"
-"\017\247\222\157\330\243\006\150\051\216\171\365\377\277\371\247"
-"\257\344\261\316\302\321\200\102\047\005\004\064\370\303\177\026"
-"\170\043\014\007\044\362\106\107\255\073\124\320\257\325\061\262"
-"\257\175\310\352\351\324\126\331\016\023\262\305\105\120"
-, (PRUint32)2030 }
-};
-static const NSSItem nss_builtins_items_143 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"IPS CLASE3 root", (PRUint32)16 },
-  { (void *)"\101\170\253\114\277\316\173\101\002\254\332\304\223\076\157\365"
-"\015\317\161\134"
-, (PRUint32)20 },
-  { (void *)"\102\166\227\150\317\246\264\070\044\252\241\033\362\147\336\312"
-, (PRUint32)16 },
-  { (void *)"\060\202\001\022\061\013\060\011\006\003\125\004\006\023\002\105"
-"\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143"
-"\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011"
-"\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125"
-"\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164"
-"\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166"
-"\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125"
-"\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163"
-"\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060"
-"\071\062\071\064\065\062\061\056\060\054\006\003\125\004\013\023"
-"\045\111\120\123\040\103\101\040\103\114\101\123\105\063\040\103"
-"\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164"
-"\150\157\162\151\164\171\061\056\060\054\006\003\125\004\003\023"
-"\045\111\120\123\040\103\101\040\103\114\101\123\105\063\040\103"
-"\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164"
-"\150\157\162\151\164\171\061\036\060\034\006\011\052\206\110\206"
-"\367\015\001\011\001\026\017\151\160\163\100\155\141\151\154\056"
-"\151\160\163\056\145\163"
-, (PRUint32)278 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_144 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"IPS CLASEA1 root", (PRUint32)17 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\202\001\024\061\013\060\011\006\003\125\004\006\023\002\105"
-"\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143"
-"\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011"
-"\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125"
-"\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164"
-"\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166"
-"\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125"
-"\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163"
-"\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060"
-"\071\062\071\064\065\062\061\057\060\055\006\003\125\004\013\023"
-"\046\111\120\123\040\103\101\040\103\114\101\123\105\101\061\040"
-"\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165"
-"\164\150\157\162\151\164\171\061\057\060\055\006\003\125\004\003"
-"\023\046\111\120\123\040\103\101\040\103\114\101\123\105\101\061"
-"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
-"\165\164\150\157\162\151\164\171\061\036\060\034\006\011\052\206"
-"\110\206\367\015\001\011\001\026\017\151\160\163\100\155\141\151"
-"\154\056\151\160\163\056\145\163"
-, (PRUint32)280 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\202\001\024\061\013\060\011\006\003\125\004\006\023\002\105"
-"\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143"
-"\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011"
-"\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125"
-"\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164"
-"\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166"
-"\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125"
-"\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163"
-"\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060"
-"\071\062\071\064\065\062\061\057\060\055\006\003\125\004\013\023"
-"\046\111\120\123\040\103\101\040\103\114\101\123\105\101\061\040"
-"\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165"
-"\164\150\157\162\151\164\171\061\057\060\055\006\003\125\004\003"
-"\023\046\111\120\123\040\103\101\040\103\114\101\123\105\101\061"
-"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
-"\165\164\150\157\162\151\164\171\061\036\060\034\006\011\052\206"
-"\110\206\367\015\001\011\001\026\017\151\160\163\100\155\141\151"
-"\154\056\151\160\163\056\145\163"
-, (PRUint32)280 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)"\060\202\007\367\060\202\007\140\240\003\002\001\002\002\001\000"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
-"\202\001\024\061\013\060\011\006\003\125\004\006\023\002\105\123"
-"\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143\145"
-"\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011\102"
-"\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125\004"
-"\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164\040"
-"\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166\151"
-"\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125\004"
-"\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163\056"
-"\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060\071"
-"\062\071\064\065\062\061\057\060\055\006\003\125\004\013\023\046"
-"\111\120\123\040\103\101\040\103\114\101\123\105\101\061\040\103"
-"\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164"
-"\150\157\162\151\164\171\061\057\060\055\006\003\125\004\003\023"
-"\046\111\120\123\040\103\101\040\103\114\101\123\105\101\061\040"
-"\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165"
-"\164\150\157\162\151\164\171\061\036\060\034\006\011\052\206\110"
-"\206\367\015\001\011\001\026\017\151\160\163\100\155\141\151\154"
-"\056\151\160\163\056\145\163\060\036\027\015\060\061\061\062\062"
-"\071\060\061\060\065\063\062\132\027\015\062\065\061\062\062\067"
-"\060\061\060\065\063\062\132\060\202\001\024\061\013\060\011\006"
-"\003\125\004\006\023\002\105\123\061\022\060\020\006\003\125\004"
-"\010\023\011\102\141\162\143\145\154\157\156\141\061\022\060\020"
-"\006\003\125\004\007\023\011\102\141\162\143\145\154\157\156\141"
-"\061\056\060\054\006\003\125\004\012\023\045\111\120\123\040\111"
-"\156\164\145\162\156\145\164\040\160\165\142\154\151\163\150\151"
-"\156\147\040\123\145\162\166\151\143\145\163\040\163\056\154\056"
-"\061\053\060\051\006\003\125\004\012\024\042\151\160\163\100\155"
-"\141\151\154\056\151\160\163\056\145\163\040\103\056\111\056\106"
-"\056\040\040\102\055\066\060\071\062\071\064\065\062\061\057\060"
-"\055\006\003\125\004\013\023\046\111\120\123\040\103\101\040\103"
-"\114\101\123\105\101\061\040\103\145\162\164\151\146\151\143\141"
-"\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061\057"
-"\060\055\006\003\125\004\003\023\046\111\120\123\040\103\101\040"
-"\103\114\101\123\105\101\061\040\103\145\162\164\151\146\151\143"
-"\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061"
-"\036\060\034\006\011\052\206\110\206\367\015\001\011\001\026\017"
-"\151\160\163\100\155\141\151\154\056\151\160\163\056\145\163\060"
-"\201\237\060\015\006\011\052\206\110\206\367\015\001\001\001\005"
-"\000\003\201\215\000\060\201\211\002\201\201\000\273\060\327\334"
-"\320\124\275\065\116\237\305\114\202\352\321\120\074\107\230\374"
-"\233\151\235\167\315\156\340\077\356\353\062\137\137\237\322\320"
-"\171\345\225\163\104\041\062\340\012\333\235\327\316\215\253\122"
-"\213\053\170\340\233\133\175\364\375\155\011\345\256\341\154\035"
-"\007\043\240\027\321\371\175\250\106\106\221\042\250\262\151\306"
-"\255\367\365\365\224\241\060\224\275\000\314\104\177\356\304\236"
-"\311\301\346\217\012\066\301\375\044\075\001\240\365\173\342\174"
-"\170\146\103\213\117\131\362\233\331\372\111\263\002\003\001\000"
-"\001\243\202\004\123\060\202\004\117\060\035\006\003\125\035\016"
-"\004\026\004\024\147\046\226\347\241\277\330\265\003\235\376\073"
-"\334\376\362\212\346\025\335\060\060\202\001\106\006\003\125\035"
-"\043\004\202\001\075\060\202\001\071\200\024\147\046\226\347\241"
-"\277\330\265\003\235\376\073\334\376\362\212\346\025\335\060\241"
-"\202\001\034\244\202\001\030\060\202\001\024\061\013\060\011\006"
-"\003\125\004\006\023\002\105\123\061\022\060\020\006\003\125\004"
-"\010\023\011\102\141\162\143\145\154\157\156\141\061\022\060\020"
-"\006\003\125\004\007\023\011\102\141\162\143\145\154\157\156\141"
-"\061\056\060\054\006\003\125\004\012\023\045\111\120\123\040\111"
-"\156\164\145\162\156\145\164\040\160\165\142\154\151\163\150\151"
-"\156\147\040\123\145\162\166\151\143\145\163\040\163\056\154\056"
-"\061\053\060\051\006\003\125\004\012\024\042\151\160\163\100\155"
-"\141\151\154\056\151\160\163\056\145\163\040\103\056\111\056\106"
-"\056\040\040\102\055\066\060\071\062\071\064\065\062\061\057\060"
-"\055\006\003\125\004\013\023\046\111\120\123\040\103\101\040\103"
-"\114\101\123\105\101\061\040\103\145\162\164\151\146\151\143\141"
-"\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061\057"
-"\060\055\006\003\125\004\003\023\046\111\120\123\040\103\101\040"
-"\103\114\101\123\105\101\061\040\103\145\162\164\151\146\151\143"
-"\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061"
-"\036\060\034\006\011\052\206\110\206\367\015\001\011\001\026\017"
-"\151\160\163\100\155\141\151\154\056\151\160\163\056\145\163\202"
-"\001\000\060\014\006\003\125\035\023\004\005\060\003\001\001\377"
-"\060\014\006\003\125\035\017\004\005\003\003\007\377\200\060\153"
-"\006\003\125\035\045\004\144\060\142\006\010\053\006\001\005\005"
-"\007\003\001\006\010\053\006\001\005\005\007\003\002\006\010\053"
-"\006\001\005\005\007\003\003\006\010\053\006\001\005\005\007\003"
-"\004\006\010\053\006\001\005\005\007\003\010\006\012\053\006\001"
-"\004\001\202\067\002\001\025\006\012\053\006\001\004\001\202\067"
-"\002\001\026\006\012\053\006\001\004\001\202\067\012\003\001\006"
-"\012\053\006\001\004\001\202\067\012\003\004\060\021\006\011\140"
-"\206\110\001\206\370\102\001\001\004\004\003\002\000\007\060\032"
-"\006\003\125\035\021\004\023\060\021\201\017\151\160\163\100\155"
-"\141\151\154\056\151\160\163\056\145\163\060\032\006\003\125\035"
-"\022\004\023\060\021\201\017\151\160\163\100\155\141\151\154\056"
-"\151\160\163\056\145\163\060\102\006\011\140\206\110\001\206\370"
-"\102\001\015\004\065\026\063\103\114\101\123\105\101\061\040\103"
-"\101\040\103\145\162\164\151\146\151\143\141\164\145\040\151\163"
-"\163\165\145\144\040\142\171\040\150\164\164\160\072\057\057\167"
-"\167\167\056\151\160\163\056\145\163\057\060\051\006\011\140\206"
-"\110\001\206\370\102\001\002\004\034\026\032\150\164\164\160\072"
-"\057\057\167\167\167\056\151\160\163\056\145\163\057\151\160\163"
-"\062\060\060\062\057\060\073\006\011\140\206\110\001\206\370\102"
-"\001\004\004\056\026\054\150\164\164\160\072\057\057\167\167\167"
-"\056\151\160\163\056\145\163\057\151\160\163\062\060\060\062\057"
-"\151\160\163\062\060\060\062\103\114\101\123\105\101\061\056\143"
-"\162\154\060\100\006\011\140\206\110\001\206\370\102\001\003\004"
-"\063\026\061\150\164\164\160\072\057\057\167\167\167\056\151\160"
-"\163\056\145\163\057\151\160\163\062\060\060\062\057\162\145\166"
-"\157\143\141\164\151\157\156\103\114\101\123\105\101\061\056\150"
-"\164\155\154\077\060\075\006\011\140\206\110\001\206\370\102\001"
-"\007\004\060\026\056\150\164\164\160\072\057\057\167\167\167\056"
-"\151\160\163\056\145\163\057\151\160\163\062\060\060\062\057\162"
-"\145\156\145\167\141\154\103\114\101\123\105\101\061\056\150\164"
-"\155\154\077\060\073\006\011\140\206\110\001\206\370\102\001\010"
-"\004\056\026\054\150\164\164\160\072\057\057\167\167\167\056\151"
-"\160\163\056\145\163\057\151\160\163\062\060\060\062\057\160\157"
-"\154\151\143\171\103\114\101\123\105\101\061\056\150\164\155\154"
-"\060\165\006\003\125\035\037\004\156\060\154\060\062\240\060\240"
-"\056\206\054\150\164\164\160\072\057\057\167\167\167\056\151\160"
-"\163\056\145\163\057\151\160\163\062\060\060\062\057\151\160\163"
-"\062\060\060\062\103\114\101\123\105\101\061\056\143\162\154\060"
-"\066\240\064\240\062\206\060\150\164\164\160\072\057\057\167\167"
-"\167\142\141\143\153\056\151\160\163\056\145\163\057\151\160\163"
-"\062\060\060\062\057\151\160\163\062\060\060\062\103\114\101\123"
-"\105\101\061\056\143\162\154\060\057\006\010\053\006\001\005\005"
-"\007\001\001\004\043\060\041\060\037\006\010\053\006\001\005\005"
-"\007\060\001\206\023\150\164\164\160\072\057\057\157\143\163\160"
-"\056\151\160\163\056\145\163\057\060\015\006\011\052\206\110\206"
-"\367\015\001\001\005\005\000\003\201\201\000\176\272\212\254\200"
-"\000\204\025\012\325\230\121\014\144\305\234\002\130\203\146\312"
-"\255\036\007\315\176\152\332\200\007\337\003\064\112\034\223\304"
-"\113\130\040\065\066\161\355\242\012\065\022\245\246\145\247\205"
-"\151\012\016\343\141\356\352\276\050\223\063\325\354\350\276\304"
-"\333\137\177\250\371\143\061\310\153\226\342\051\302\133\240\347"
-"\227\066\235\167\136\061\153\376\323\247\333\052\333\333\226\213"
-"\037\146\336\266\003\300\053\263\170\326\125\007\345\217\071\120"
-"\336\007\043\162\346\275\040\024\113\264\206"
-, (PRUint32)2043 }
-};
-static const NSSItem nss_builtins_items_145 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"IPS CLASEA1 root", (PRUint32)17 },
-  { (void *)"\063\243\065\302\074\350\003\113\004\341\075\345\304\216\171\032"
-"\353\214\062\004"
-, (PRUint32)20 },
-  { (void *)"\014\370\236\027\374\324\003\275\346\215\233\074\005\207\376\204"
-, (PRUint32)16 },
-  { (void *)"\060\202\001\024\061\013\060\011\006\003\125\004\006\023\002\105"
-"\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143"
-"\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011"
-"\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125"
-"\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164"
-"\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166"
-"\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125"
-"\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163"
-"\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060"
-"\071\062\071\064\065\062\061\057\060\055\006\003\125\004\013\023"
-"\046\111\120\123\040\103\101\040\103\114\101\123\105\101\061\040"
-"\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165"
-"\164\150\157\162\151\164\171\061\057\060\055\006\003\125\004\003"
-"\023\046\111\120\123\040\103\101\040\103\114\101\123\105\101\061"
-"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
-"\165\164\150\157\162\151\164\171\061\036\060\034\006\011\052\206"
-"\110\206\367\015\001\011\001\026\017\151\160\163\100\155\141\151"
-"\154\056\151\160\163\056\145\163"
-, (PRUint32)280 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_146 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"IPS CLASEA3 root", (PRUint32)17 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\202\001\024\061\013\060\011\006\003\125\004\006\023\002\105"
-"\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143"
-"\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011"
-"\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125"
-"\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164"
-"\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166"
-"\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125"
-"\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163"
-"\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060"
-"\071\062\071\064\065\062\061\057\060\055\006\003\125\004\013\023"
-"\046\111\120\123\040\103\101\040\103\114\101\123\105\101\063\040"
-"\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165"
-"\164\150\157\162\151\164\171\061\057\060\055\006\003\125\004\003"
-"\023\046\111\120\123\040\103\101\040\103\114\101\123\105\101\063"
-"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
-"\165\164\150\157\162\151\164\171\061\036\060\034\006\011\052\206"
-"\110\206\367\015\001\011\001\026\017\151\160\163\100\155\141\151"
-"\154\056\151\160\163\056\145\163"
-, (PRUint32)280 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\202\001\024\061\013\060\011\006\003\125\004\006\023\002\105"
-"\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143"
-"\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011"
-"\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125"
-"\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164"
-"\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166"
-"\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125"
-"\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163"
-"\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060"
-"\071\062\071\064\065\062\061\057\060\055\006\003\125\004\013\023"
-"\046\111\120\123\040\103\101\040\103\114\101\123\105\101\063\040"
-"\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165"
-"\164\150\157\162\151\164\171\061\057\060\055\006\003\125\004\003"
-"\023\046\111\120\123\040\103\101\040\103\114\101\123\105\101\063"
-"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
-"\165\164\150\157\162\151\164\171\061\036\060\034\006\011\052\206"
-"\110\206\367\015\001\011\001\026\017\151\160\163\100\155\141\151"
-"\154\056\151\160\163\056\145\163"
-, (PRUint32)280 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)"\060\202\007\367\060\202\007\140\240\003\002\001\002\002\001\000"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
-"\202\001\024\061\013\060\011\006\003\125\004\006\023\002\105\123"
-"\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143\145"
-"\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011\102"
-"\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125\004"
-"\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164\040"
-"\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166\151"
-"\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125\004"
-"\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163\056"
-"\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060\071"
-"\062\071\064\065\062\061\057\060\055\006\003\125\004\013\023\046"
-"\111\120\123\040\103\101\040\103\114\101\123\105\101\063\040\103"
-"\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164"
-"\150\157\162\151\164\171\061\057\060\055\006\003\125\004\003\023"
-"\046\111\120\123\040\103\101\040\103\114\101\123\105\101\063\040"
-"\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165"
-"\164\150\157\162\151\164\171\061\036\060\034\006\011\052\206\110"
-"\206\367\015\001\011\001\026\017\151\160\163\100\155\141\151\154"
-"\056\151\160\163\056\145\163\060\036\027\015\060\061\061\062\062"
-"\071\060\061\060\067\065\060\132\027\015\062\065\061\062\062\067"
-"\060\061\060\067\065\060\132\060\202\001\024\061\013\060\011\006"
-"\003\125\004\006\023\002\105\123\061\022\060\020\006\003\125\004"
-"\010\023\011\102\141\162\143\145\154\157\156\141\061\022\060\020"
-"\006\003\125\004\007\023\011\102\141\162\143\145\154\157\156\141"
-"\061\056\060\054\006\003\125\004\012\023\045\111\120\123\040\111"
-"\156\164\145\162\156\145\164\040\160\165\142\154\151\163\150\151"
-"\156\147\040\123\145\162\166\151\143\145\163\040\163\056\154\056"
-"\061\053\060\051\006\003\125\004\012\024\042\151\160\163\100\155"
-"\141\151\154\056\151\160\163\056\145\163\040\103\056\111\056\106"
-"\056\040\040\102\055\066\060\071\062\071\064\065\062\061\057\060"
-"\055\006\003\125\004\013\023\046\111\120\123\040\103\101\040\103"
-"\114\101\123\105\101\063\040\103\145\162\164\151\146\151\143\141"
-"\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061\057"
-"\060\055\006\003\125\004\003\023\046\111\120\123\040\103\101\040"
-"\103\114\101\123\105\101\063\040\103\145\162\164\151\146\151\143"
-"\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061"
-"\036\060\034\006\011\052\206\110\206\367\015\001\011\001\026\017"
-"\151\160\163\100\155\141\151\154\056\151\160\163\056\145\163\060"
-"\201\237\060\015\006\011\052\206\110\206\367\015\001\001\001\005"
-"\000\003\201\215\000\060\201\211\002\201\201\000\356\200\000\366"
-"\032\144\056\255\152\310\203\261\213\247\356\217\331\266\333\315"
-"\033\273\206\006\042\166\063\014\022\155\110\126\141\322\334\202"
-"\045\142\057\237\322\151\060\145\003\102\043\130\274\107\334\153"
-"\326\165\135\027\074\341\377\362\130\147\171\240\301\201\261\324"
-"\126\242\362\215\021\231\375\366\175\361\307\304\136\002\052\232"
-"\342\112\265\023\212\000\375\214\167\206\346\327\224\365\040\165"
-"\056\016\114\277\164\304\077\201\076\203\264\243\070\066\051\347"
-"\350\052\365\214\210\101\252\200\246\343\154\357\002\003\001\000"
-"\001\243\202\004\123\060\202\004\117\060\035\006\003\125\035\016"
-"\004\026\004\024\036\237\127\120\107\266\141\223\071\323\054\374"
-"\332\135\075\005\165\267\231\002\060\202\001\106\006\003\125\035"
-"\043\004\202\001\075\060\202\001\071\200\024\036\237\127\120\107"
-"\266\141\223\071\323\054\374\332\135\075\005\165\267\231\002\241"
-"\202\001\034\244\202\001\030\060\202\001\024\061\013\060\011\006"
-"\003\125\004\006\023\002\105\123\061\022\060\020\006\003\125\004"
-"\010\023\011\102\141\162\143\145\154\157\156\141\061\022\060\020"
-"\006\003\125\004\007\023\011\102\141\162\143\145\154\157\156\141"
-"\061\056\060\054\006\003\125\004\012\023\045\111\120\123\040\111"
-"\156\164\145\162\156\145\164\040\160\165\142\154\151\163\150\151"
-"\156\147\040\123\145\162\166\151\143\145\163\040\163\056\154\056"
-"\061\053\060\051\006\003\125\004\012\024\042\151\160\163\100\155"
-"\141\151\154\056\151\160\163\056\145\163\040\103\056\111\056\106"
-"\056\040\040\102\055\066\060\071\062\071\064\065\062\061\057\060"
-"\055\006\003\125\004\013\023\046\111\120\123\040\103\101\040\103"
-"\114\101\123\105\101\063\040\103\145\162\164\151\146\151\143\141"
-"\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061\057"
-"\060\055\006\003\125\004\003\023\046\111\120\123\040\103\101\040"
-"\103\114\101\123\105\101\063\040\103\145\162\164\151\146\151\143"
-"\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061"
-"\036\060\034\006\011\052\206\110\206\367\015\001\011\001\026\017"
-"\151\160\163\100\155\141\151\154\056\151\160\163\056\145\163\202"
-"\001\000\060\014\006\003\125\035\023\004\005\060\003\001\001\377"
-"\060\014\006\003\125\035\017\004\005\003\003\007\377\200\060\153"
-"\006\003\125\035\045\004\144\060\142\006\010\053\006\001\005\005"
-"\007\003\001\006\010\053\006\001\005\005\007\003\002\006\010\053"
-"\006\001\005\005\007\003\003\006\010\053\006\001\005\005\007\003"
-"\004\006\010\053\006\001\005\005\007\003\010\006\012\053\006\001"
-"\004\001\202\067\002\001\025\006\012\053\006\001\004\001\202\067"
-"\002\001\026\006\012\053\006\001\004\001\202\067\012\003\001\006"
-"\012\053\006\001\004\001\202\067\012\003\004\060\021\006\011\140"
-"\206\110\001\206\370\102\001\001\004\004\003\002\000\007\060\032"
-"\006\003\125\035\021\004\023\060\021\201\017\151\160\163\100\155"
-"\141\151\154\056\151\160\163\056\145\163\060\032\006\003\125\035"
-"\022\004\023\060\021\201\017\151\160\163\100\155\141\151\154\056"
-"\151\160\163\056\145\163\060\102\006\011\140\206\110\001\206\370"
-"\102\001\015\004\065\026\063\103\114\101\123\105\101\063\040\103"
-"\101\040\103\145\162\164\151\146\151\143\141\164\145\040\151\163"
-"\163\165\145\144\040\142\171\040\150\164\164\160\072\057\057\167"
-"\167\167\056\151\160\163\056\145\163\057\060\051\006\011\140\206"
-"\110\001\206\370\102\001\002\004\034\026\032\150\164\164\160\072"
-"\057\057\167\167\167\056\151\160\163\056\145\163\057\151\160\163"
-"\062\060\060\062\057\060\073\006\011\140\206\110\001\206\370\102"
-"\001\004\004\056\026\054\150\164\164\160\072\057\057\167\167\167"
-"\056\151\160\163\056\145\163\057\151\160\163\062\060\060\062\057"
-"\151\160\163\062\060\060\062\103\114\101\123\105\101\063\056\143"
-"\162\154\060\100\006\011\140\206\110\001\206\370\102\001\003\004"
-"\063\026\061\150\164\164\160\072\057\057\167\167\167\056\151\160"
-"\163\056\145\163\057\151\160\163\062\060\060\062\057\162\145\166"
-"\157\143\141\164\151\157\156\103\114\101\123\105\101\063\056\150"
-"\164\155\154\077\060\075\006\011\140\206\110\001\206\370\102\001"
-"\007\004\060\026\056\150\164\164\160\072\057\057\167\167\167\056"
-"\151\160\163\056\145\163\057\151\160\163\062\060\060\062\057\162"
-"\145\156\145\167\141\154\103\114\101\123\105\101\063\056\150\164"
-"\155\154\077\060\073\006\011\140\206\110\001\206\370\102\001\010"
-"\004\056\026\054\150\164\164\160\072\057\057\167\167\167\056\151"
-"\160\163\056\145\163\057\151\160\163\062\060\060\062\057\160\157"
-"\154\151\143\171\103\114\101\123\105\101\063\056\150\164\155\154"
-"\060\165\006\003\125\035\037\004\156\060\154\060\062\240\060\240"
-"\056\206\054\150\164\164\160\072\057\057\167\167\167\056\151\160"
-"\163\056\145\163\057\151\160\163\062\060\060\062\057\151\160\163"
-"\062\060\060\062\103\114\101\123\105\101\063\056\143\162\154\060"
-"\066\240\064\240\062\206\060\150\164\164\160\072\057\057\167\167"
-"\167\142\141\143\153\056\151\160\163\056\145\163\057\151\160\163"
-"\062\060\060\062\057\151\160\163\062\060\060\062\103\114\101\123"
-"\105\101\063\056\143\162\154\060\057\006\010\053\006\001\005\005"
-"\007\001\001\004\043\060\041\060\037\006\010\053\006\001\005\005"
-"\007\060\001\206\023\150\164\164\160\072\057\057\157\143\163\160"
-"\056\151\160\163\056\145\163\057\060\015\006\011\052\206\110\206"
-"\367\015\001\001\005\005\000\003\201\201\000\112\075\040\107\032"
-"\332\211\364\172\053\061\171\354\001\300\314\001\365\326\301\374"
-"\310\303\363\120\002\121\220\130\052\237\347\065\011\133\060\012"
-"\201\000\045\107\257\324\017\016\236\140\046\250\225\247\203\010"
-"\337\055\254\351\016\367\234\310\237\313\223\105\361\272\152\306"
-"\147\121\112\151\117\153\376\175\013\057\122\051\302\120\255\044"
-"\104\355\043\263\110\313\104\100\301\003\225\014\012\170\006\022"
-"\001\365\221\061\055\111\215\273\077\105\116\054\340\350\315\265"
-"\311\024\025\014\343\007\203\233\046\165\357"
-, (PRUint32)2043 }
-};
-static const NSSItem nss_builtins_items_147 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"IPS CLASEA3 root", (PRUint32)17 },
-  { (void *)"\026\324\044\376\226\020\341\165\031\257\043\053\266\207\164\342"
-"\101\104\276\156"
-, (PRUint32)20 },
-  { (void *)"\006\371\353\354\314\126\235\210\272\220\365\272\260\032\340\002"
-, (PRUint32)16 },
-  { (void *)"\060\202\001\024\061\013\060\011\006\003\125\004\006\023\002\105"
-"\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143"
-"\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011"
-"\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125"
-"\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164"
-"\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166"
-"\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125"
-"\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163"
-"\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060"
-"\071\062\071\064\065\062\061\057\060\055\006\003\125\004\013\023"
-"\046\111\120\123\040\103\101\040\103\114\101\123\105\101\063\040"
-"\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165"
-"\164\150\157\162\151\164\171\061\057\060\055\006\003\125\004\003"
-"\023\046\111\120\123\040\103\101\040\103\114\101\123\105\101\063"
-"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
-"\165\164\150\157\162\151\164\171\061\036\060\034\006\011\052\206"
-"\110\206\367\015\001\011\001\026\017\151\160\163\100\155\141\151"
-"\154\056\151\160\163\056\145\163"
-, (PRUint32)280 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_148 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"IPS Servidores root", (PRUint32)20 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\243\061\013\060\011\006\003\125\004\006\023\002\105\123"
-"\061\022\060\020\006\003\125\004\010\023\011\102\101\122\103\105"
-"\114\117\116\101\061\022\060\020\006\003\125\004\007\023\011\102"
-"\101\122\103\105\114\117\116\101\061\031\060\027\006\003\125\004"
-"\012\023\020\111\120\123\040\123\145\147\165\162\151\144\141\144"
-"\040\103\101\061\030\060\026\006\003\125\004\013\023\017\103\145"
-"\162\164\151\146\151\143\141\143\151\157\156\145\163\061\027\060"
-"\025\006\003\125\004\003\023\016\111\120\123\040\123\105\122\126"
-"\111\104\117\122\105\123\061\036\060\034\006\011\052\206\110\206"
-"\367\015\001\011\001\026\017\151\160\163\100\155\141\151\154\056"
-"\151\160\163\056\145\163"
-, (PRUint32)166 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\243\061\013\060\011\006\003\125\004\006\023\002\105\123"
-"\061\022\060\020\006\003\125\004\010\023\011\102\101\122\103\105"
-"\114\117\116\101\061\022\060\020\006\003\125\004\007\023\011\102"
-"\101\122\103\105\114\117\116\101\061\031\060\027\006\003\125\004"
-"\012\023\020\111\120\123\040\123\145\147\165\162\151\144\141\144"
-"\040\103\101\061\030\060\026\006\003\125\004\013\023\017\103\145"
-"\162\164\151\146\151\143\141\143\151\157\156\145\163\061\027\060"
-"\025\006\003\125\004\003\023\016\111\120\123\040\123\105\122\126"
-"\111\104\117\122\105\123\061\036\060\034\006\011\052\206\110\206"
-"\367\015\001\011\001\026\017\151\160\163\100\155\141\151\154\056"
-"\151\160\163\056\145\163"
-, (PRUint32)166 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)"\060\202\002\267\060\202\002\040\002\001\000\060\015\006\011\052"
-"\206\110\206\367\015\001\001\004\005\000\060\201\243\061\013\060"
-"\011\006\003\125\004\006\023\002\105\123\061\022\060\020\006\003"
-"\125\004\010\023\011\102\101\122\103\105\114\117\116\101\061\022"
-"\060\020\006\003\125\004\007\023\011\102\101\122\103\105\114\117"
-"\116\101\061\031\060\027\006\003\125\004\012\023\020\111\120\123"
-"\040\123\145\147\165\162\151\144\141\144\040\103\101\061\030\060"
-"\026\006\003\125\004\013\023\017\103\145\162\164\151\146\151\143"
-"\141\143\151\157\156\145\163\061\027\060\025\006\003\125\004\003"
-"\023\016\111\120\123\040\123\105\122\126\111\104\117\122\105\123"
-"\061\036\060\034\006\011\052\206\110\206\367\015\001\011\001\026"
-"\017\151\160\163\100\155\141\151\154\056\151\160\163\056\145\163"
-"\060\036\027\015\071\070\060\061\060\061\062\063\062\061\060\067"
-"\132\027\015\060\071\061\062\062\071\062\063\062\061\060\067\132"
-"\060\201\243\061\013\060\011\006\003\125\004\006\023\002\105\123"
-"\061\022\060\020\006\003\125\004\010\023\011\102\101\122\103\105"
-"\114\117\116\101\061\022\060\020\006\003\125\004\007\023\011\102"
-"\101\122\103\105\114\117\116\101\061\031\060\027\006\003\125\004"
-"\012\023\020\111\120\123\040\123\145\147\165\162\151\144\141\144"
-"\040\103\101\061\030\060\026\006\003\125\004\013\023\017\103\145"
-"\162\164\151\146\151\143\141\143\151\157\156\145\163\061\027\060"
-"\025\006\003\125\004\003\023\016\111\120\123\040\123\105\122\126"
-"\111\104\117\122\105\123\061\036\060\034\006\011\052\206\110\206"
-"\367\015\001\011\001\026\017\151\160\163\100\155\141\151\154\056"
-"\151\160\163\056\145\163\060\201\237\060\015\006\011\052\206\110"
-"\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002"
-"\201\201\000\254\117\122\164\237\071\352\216\334\045\304\274\230"
-"\135\230\144\044\011\074\041\263\314\031\265\216\224\216\207\321"
-"\370\067\076\241\310\055\130\244\200\065\133\241\165\154\035\105"
-"\014\037\141\143\152\136\157\233\012\114\301\310\270\141\043\065"
-"\201\377\376\254\170\160\055\150\341\072\007\230\225\002\124\335"
-"\315\043\267\200\123\327\310\067\105\162\006\044\022\272\023\141"
-"\041\212\156\165\050\340\305\017\064\375\066\330\105\177\341\270"
-"\066\357\263\341\306\040\216\350\264\070\274\341\076\366\021\336"
-"\214\235\001\002\003\001\000\001\060\015\006\011\052\206\110\206"
-"\367\015\001\001\004\005\000\003\201\201\000\054\363\303\171\130"
-"\044\336\306\073\321\340\102\151\270\356\144\263\075\142\001\271"
-"\263\204\337\043\175\335\230\317\020\251\376\000\330\042\226\005"
-"\023\007\124\127\305\247\336\313\331\270\210\102\366\231\333\024"
-"\167\037\266\376\045\075\341\242\076\003\251\201\322\055\154\107"
-"\365\226\106\214\042\253\310\314\015\016\227\136\213\101\264\073"
-"\304\012\006\100\035\335\106\364\001\335\272\202\056\074\075\170"
-"\160\236\174\030\320\253\370\270\167\007\106\161\361\312\013\143"
-"\134\152\371\162\224\325\001\117\240\333\102"
-, (PRUint32)699 }
-};
-static const NSSItem nss_builtins_items_149 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"IPS Servidores root", (PRUint32)20 },
-  { (void *)"\044\272\155\154\212\133\130\067\244\215\265\372\351\031\352\147"
-"\134\224\322\027"
-, (PRUint32)20 },
-  { (void *)"\173\265\010\231\232\214\030\277\205\047\175\016\256\332\262\253"
-, (PRUint32)16 },
-  { (void *)"\060\201\243\061\013\060\011\006\003\125\004\006\023\002\105\123"
-"\061\022\060\020\006\003\125\004\010\023\011\102\101\122\103\105"
-"\114\117\116\101\061\022\060\020\006\003\125\004\007\023\011\102"
-"\101\122\103\105\114\117\116\101\061\031\060\027\006\003\125\004"
-"\012\023\020\111\120\123\040\123\145\147\165\162\151\144\141\144"
-"\040\103\101\061\030\060\026\006\003\125\004\013\023\017\103\145"
-"\162\164\151\146\151\143\141\143\151\157\156\145\163\061\027\060"
-"\025\006\003\125\004\003\023\016\111\120\123\040\123\105\122\126"
-"\111\104\117\122\105\123\061\036\060\034\006\011\052\206\110\206"
-"\367\015\001\011\001\026\017\151\160\163\100\155\141\151\154\056"
-"\151\160\163\056\145\163"
-, (PRUint32)166 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_150 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"IPS Timestamping root", (PRUint32)22 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\202\001\036\061\013\060\011\006\003\125\004\006\023\002\105"
-"\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143"
-"\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011"
-"\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125"
-"\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164"
-"\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166"
-"\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125"
-"\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163"
-"\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060"
-"\071\062\071\064\065\062\061\064\060\062\006\003\125\004\013\023"
-"\053\111\120\123\040\103\101\040\124\151\155\145\163\164\141\155"
-"\160\151\156\147\040\103\145\162\164\151\146\151\143\141\164\151"
-"\157\156\040\101\165\164\150\157\162\151\164\171\061\064\060\062"
-"\006\003\125\004\003\023\053\111\120\123\040\103\101\040\124\151"
-"\155\145\163\164\141\155\160\151\156\147\040\103\145\162\164\151"
-"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
-"\164\171\061\036\060\034\006\011\052\206\110\206\367\015\001\011"
-"\001\026\017\151\160\163\100\155\141\151\154\056\151\160\163\056"
-"\145\163"
-, (PRUint32)290 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\202\001\036\061\013\060\011\006\003\125\004\006\023\002\105"
-"\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143"
-"\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011"
-"\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125"
-"\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164"
-"\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166"
-"\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125"
-"\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163"
-"\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060"
-"\071\062\071\064\065\062\061\064\060\062\006\003\125\004\013\023"
-"\053\111\120\123\040\103\101\040\124\151\155\145\163\164\141\155"
-"\160\151\156\147\040\103\145\162\164\151\146\151\143\141\164\151"
-"\157\156\040\101\165\164\150\157\162\151\164\171\061\064\060\062"
-"\006\003\125\004\003\023\053\111\120\123\040\103\101\040\124\151"
-"\155\145\163\164\141\155\160\151\156\147\040\103\145\162\164\151"
-"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
-"\164\171\061\036\060\034\006\011\052\206\110\206\367\015\001\011"
-"\001\026\017\151\160\163\100\155\141\151\154\056\151\160\163\056"
-"\145\163"
-, (PRUint32)290 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)"\060\202\010\070\060\202\007\241\240\003\002\001\002\002\001\000"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
-"\202\001\036\061\013\060\011\006\003\125\004\006\023\002\105\123"
-"\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143\145"
-"\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011\102"
-"\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125\004"
-"\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164\040"
-"\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166\151"
-"\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125\004"
-"\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163\056"
-"\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060\071"
-"\062\071\064\065\062\061\064\060\062\006\003\125\004\013\023\053"
-"\111\120\123\040\103\101\040\124\151\155\145\163\164\141\155\160"
-"\151\156\147\040\103\145\162\164\151\146\151\143\141\164\151\157"
-"\156\040\101\165\164\150\157\162\151\164\171\061\064\060\062\006"
-"\003\125\004\003\023\053\111\120\123\040\103\101\040\124\151\155"
-"\145\163\164\141\155\160\151\156\147\040\103\145\162\164\151\146"
-"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171\061\036\060\034\006\011\052\206\110\206\367\015\001\011\001"
-"\026\017\151\160\163\100\155\141\151\154\056\151\160\163\056\145"
-"\163\060\036\027\015\060\061\061\062\062\071\060\061\061\060\061"
-"\070\132\027\015\062\065\061\062\062\067\060\061\061\060\061\070"
-"\132\060\202\001\036\061\013\060\011\006\003\125\004\006\023\002"
-"\105\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162"
-"\143\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023"
-"\011\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003"
-"\125\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145"
-"\164\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162"
-"\166\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003"
-"\125\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160"
-"\163\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066"
-"\060\071\062\071\064\065\062\061\064\060\062\006\003\125\004\013"
-"\023\053\111\120\123\040\103\101\040\124\151\155\145\163\164\141"
-"\155\160\151\156\147\040\103\145\162\164\151\146\151\143\141\164"
-"\151\157\156\040\101\165\164\150\157\162\151\164\171\061\064\060"
-"\062\006\003\125\004\003\023\053\111\120\123\040\103\101\040\124"
-"\151\155\145\163\164\141\155\160\151\156\147\040\103\145\162\164"
-"\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162"
-"\151\164\171\061\036\060\034\006\011\052\206\110\206\367\015\001"
-"\011\001\026\017\151\160\163\100\155\141\151\154\056\151\160\163"
-"\056\145\163\060\201\237\060\015\006\011\052\206\110\206\367\015"
-"\001\001\001\005\000\003\201\215\000\060\201\211\002\201\201\000"
-"\274\270\356\126\245\232\214\346\066\311\302\142\240\146\201\215"
-"\032\325\172\322\163\237\016\204\144\272\225\264\220\247\170\257"
-"\312\376\124\141\133\316\262\040\127\001\256\104\222\103\020\070"
-"\021\367\150\374\027\100\245\150\047\062\073\304\247\346\102\161"
-"\305\231\357\166\377\053\225\044\365\111\222\030\150\312\000\265"
-"\244\132\057\156\313\326\033\054\015\124\147\153\172\051\241\130"
-"\253\242\132\000\326\133\273\030\302\337\366\036\023\126\166\233"
-"\245\150\342\230\316\306\003\212\064\333\114\203\101\246\251\243"
-"\002\003\001\000\001\243\202\004\200\060\202\004\174\060\035\006"
-"\003\125\035\016\004\026\004\024\213\320\020\120\011\201\362\235"
-"\011\325\016\140\170\003\042\242\077\310\312\146\060\202\001\120"
-"\006\003\125\035\043\004\202\001\107\060\202\001\103\200\024\213"
-"\320\020\120\011\201\362\235\011\325\016\140\170\003\042\242\077"
-"\310\312\146\241\202\001\046\244\202\001\042\060\202\001\036\061"
-"\013\060\011\006\003\125\004\006\023\002\105\123\061\022\060\020"
-"\006\003\125\004\010\023\011\102\141\162\143\145\154\157\156\141"
-"\061\022\060\020\006\003\125\004\007\023\011\102\141\162\143\145"
-"\154\157\156\141\061\056\060\054\006\003\125\004\012\023\045\111"
-"\120\123\040\111\156\164\145\162\156\145\164\040\160\165\142\154"
-"\151\163\150\151\156\147\040\123\145\162\166\151\143\145\163\040"
-"\163\056\154\056\061\053\060\051\006\003\125\004\012\024\042\151"
-"\160\163\100\155\141\151\154\056\151\160\163\056\145\163\040\103"
-"\056\111\056\106\056\040\040\102\055\066\060\071\062\071\064\065"
-"\062\061\064\060\062\006\003\125\004\013\023\053\111\120\123\040"
-"\103\101\040\124\151\155\145\163\164\141\155\160\151\156\147\040"
-"\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165"
-"\164\150\157\162\151\164\171\061\064\060\062\006\003\125\004\003"
-"\023\053\111\120\123\040\103\101\040\124\151\155\145\163\164\141"
-"\155\160\151\156\147\040\103\145\162\164\151\146\151\143\141\164"
-"\151\157\156\040\101\165\164\150\157\162\151\164\171\061\036\060"
-"\034\006\011\052\206\110\206\367\015\001\011\001\026\017\151\160"
-"\163\100\155\141\151\154\056\151\160\163\056\145\163\202\001\000"
-"\060\014\006\003\125\035\023\004\005\060\003\001\001\377\060\014"
-"\006\003\125\035\017\004\005\003\003\007\377\200\060\153\006\003"
-"\125\035\045\004\144\060\142\006\010\053\006\001\005\005\007\003"
-"\001\006\010\053\006\001\005\005\007\003\002\006\010\053\006\001"
-"\005\005\007\003\003\006\010\053\006\001\005\005\007\003\004\006"
-"\010\053\006\001\005\005\007\003\010\006\012\053\006\001\004\001"
-"\202\067\002\001\025\006\012\053\006\001\004\001\202\067\002\001"
-"\026\006\012\053\006\001\004\001\202\067\012\003\001\006\012\053"
-"\006\001\004\001\202\067\012\003\004\060\021\006\011\140\206\110"
-"\001\206\370\102\001\001\004\004\003\002\000\007\060\032\006\003"
-"\125\035\021\004\023\060\021\201\017\151\160\163\100\155\141\151"
-"\154\056\151\160\163\056\145\163\060\032\006\003\125\035\022\004"
-"\023\060\021\201\017\151\160\163\100\155\141\151\154\056\151\160"
-"\163\056\145\163\060\107\006\011\140\206\110\001\206\370\102\001"
-"\015\004\072\026\070\124\151\155\145\163\164\141\155\160\151\156"
-"\147\040\103\101\040\103\145\162\164\151\146\151\143\141\164\145"
-"\040\151\163\163\165\145\144\040\142\171\040\150\164\164\160\072"
-"\057\057\167\167\167\056\151\160\163\056\145\163\057\060\051\006"
-"\011\140\206\110\001\206\370\102\001\002\004\034\026\032\150\164"
-"\164\160\072\057\057\167\167\167\056\151\160\163\056\145\163\057"
-"\151\160\163\062\060\060\062\057\060\100\006\011\140\206\110\001"
-"\206\370\102\001\004\004\063\026\061\150\164\164\160\072\057\057"
-"\167\167\167\056\151\160\163\056\145\163\057\151\160\163\062\060"
-"\060\062\057\151\160\163\062\060\060\062\124\151\155\145\163\164"
-"\141\155\160\151\156\147\056\143\162\154\060\105\006\011\140\206"
-"\110\001\206\370\102\001\003\004\070\026\066\150\164\164\160\072"
-"\057\057\167\167\167\056\151\160\163\056\145\163\057\151\160\163"
-"\062\060\060\062\057\162\145\166\157\143\141\164\151\157\156\124"
-"\151\155\145\163\164\141\155\160\151\156\147\056\150\164\155\154"
-"\077\060\102\006\011\140\206\110\001\206\370\102\001\007\004\065"
-"\026\063\150\164\164\160\072\057\057\167\167\167\056\151\160\163"
-"\056\145\163\057\151\160\163\062\060\060\062\057\162\145\156\145"
-"\167\141\154\124\151\155\145\163\164\141\155\160\151\156\147\056"
-"\150\164\155\154\077\060\100\006\011\140\206\110\001\206\370\102"
-"\001\010\004\063\026\061\150\164\164\160\072\057\057\167\167\167"
-"\056\151\160\163\056\145\163\057\151\160\163\062\060\060\062\057"
-"\160\157\154\151\143\171\124\151\155\145\163\164\141\155\160\151"
-"\156\147\056\150\164\155\154\060\177\006\003\125\035\037\004\170"
-"\060\166\060\067\240\065\240\063\206\061\150\164\164\160\072\057"
-"\057\167\167\167\056\151\160\163\056\145\163\057\151\160\163\062"
-"\060\060\062\057\151\160\163\062\060\060\062\124\151\155\145\163"
-"\164\141\155\160\151\156\147\056\143\162\154\060\073\240\071\240"
-"\067\206\065\150\164\164\160\072\057\057\167\167\167\142\141\143"
-"\153\056\151\160\163\056\145\163\057\151\160\163\062\060\060\062"
-"\057\151\160\163\062\060\060\062\124\151\155\145\163\164\141\155"
-"\160\151\156\147\056\143\162\154\060\057\006\010\053\006\001\005"
-"\005\007\001\001\004\043\060\041\060\037\006\010\053\006\001\005"
-"\005\007\060\001\206\023\150\164\164\160\072\057\057\157\143\163"
-"\160\056\151\160\163\056\145\163\057\060\015\006\011\052\206\110"
-"\206\367\015\001\001\005\005\000\003\201\201\000\145\272\301\314"
-"\000\032\225\221\312\351\154\072\277\072\036\024\010\174\373\203"
-"\356\153\142\121\323\063\221\265\140\171\176\004\330\135\171\067"
-"\350\303\133\260\304\147\055\150\132\262\137\016\012\372\315\077"
-"\072\105\241\352\066\317\046\036\247\021\050\305\224\217\204\114"
-"\123\010\305\223\263\374\342\177\365\215\363\261\251\205\137\210"
-"\336\221\226\356\027\133\256\245\352\160\145\170\054\041\144\001"
-"\225\316\316\114\076\120\364\266\131\313\143\215\266\275\030\324"
-"\207\112\137\334\357\351\126\360\012\014\350\165"
-, (PRUint32)2108 }
-};
-static const NSSItem nss_builtins_items_151 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"IPS Timestamping root", (PRUint32)22 },
-  { (void *)"\226\231\134\167\021\350\345\055\371\343\113\354\354\147\323\313"
-"\361\266\304\322"
-, (PRUint32)20 },
-  { (void *)"\056\003\375\305\365\327\053\224\144\301\276\211\061\361\026\233"
-, (PRUint32)16 },
-  { (void *)"\060\202\001\036\061\013\060\011\006\003\125\004\006\023\002\105"
-"\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143"
-"\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011"
-"\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125"
-"\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164"
-"\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166"
-"\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125"
-"\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163"
-"\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060"
-"\071\062\071\064\065\062\061\064\060\062\006\003\125\004\013\023"
-"\053\111\120\123\040\103\101\040\124\151\155\145\163\164\141\155"
-"\160\151\156\147\040\103\145\162\164\151\146\151\143\141\164\151"
-"\157\156\040\101\165\164\150\157\162\151\164\171\061\064\060\062"
-"\006\003\125\004\003\023\053\111\120\123\040\103\101\040\124\151"
-"\155\145\163\164\141\155\160\151\156\147\040\103\145\162\164\151"
-"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
-"\164\171\061\036\060\034\006\011\052\206\110\206\367\015\001\011"
-"\001\026\017\151\160\163\100\155\141\151\154\056\151\160\163\056"
-"\145\163"
-, (PRUint32)290 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_152 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"QuoVadis Root CA", (PRUint32)17 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\177\061\013\060\011\006\003\125\004\006\023\002\102\115\061"
-"\031\060\027\006\003\125\004\012\023\020\121\165\157\126\141\144"
-"\151\163\040\114\151\155\151\164\145\144\061\045\060\043\006\003"
-"\125\004\013\023\034\122\157\157\164\040\103\145\162\164\151\146"
-"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171\061\056\060\054\006\003\125\004\003\023\045\121\165\157\126"
-"\141\144\151\163\040\122\157\157\164\040\103\145\162\164\151\146"
-"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171"
-, (PRUint32)129 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\177\061\013\060\011\006\003\125\004\006\023\002\102\115\061"
-"\031\060\027\006\003\125\004\012\023\020\121\165\157\126\141\144"
-"\151\163\040\114\151\155\151\164\145\144\061\045\060\043\006\003"
-"\125\004\013\023\034\122\157\157\164\040\103\145\162\164\151\146"
-"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171\061\056\060\054\006\003\125\004\003\023\045\121\165\157\126"
-"\141\144\151\163\040\122\157\157\164\040\103\145\162\164\151\146"
-"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171"
-, (PRUint32)129 },
-  { (void *)"\002\004\072\266\120\213"
-, (PRUint32)6 },
-  { (void *)"\060\202\005\320\060\202\004\270\240\003\002\001\002\002\004\072"
-"\266\120\213\060\015\006\011\052\206\110\206\367\015\001\001\005"
-"\005\000\060\177\061\013\060\011\006\003\125\004\006\023\002\102"
-"\115\061\031\060\027\006\003\125\004\012\023\020\121\165\157\126"
-"\141\144\151\163\040\114\151\155\151\164\145\144\061\045\060\043"
-"\006\003\125\004\013\023\034\122\157\157\164\040\103\145\162\164"
-"\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162"
-"\151\164\171\061\056\060\054\006\003\125\004\003\023\045\121\165"
-"\157\126\141\144\151\163\040\122\157\157\164\040\103\145\162\164"
-"\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162"
-"\151\164\171\060\036\027\015\060\061\060\063\061\071\061\070\063"
-"\063\063\063\132\027\015\062\061\060\063\061\067\061\070\063\063"
-"\063\063\132\060\177\061\013\060\011\006\003\125\004\006\023\002"
-"\102\115\061\031\060\027\006\003\125\004\012\023\020\121\165\157"
-"\126\141\144\151\163\040\114\151\155\151\164\145\144\061\045\060"
-"\043\006\003\125\004\013\023\034\122\157\157\164\040\103\145\162"
-"\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157"
-"\162\151\164\171\061\056\060\054\006\003\125\004\003\023\045\121"
-"\165\157\126\141\144\151\163\040\122\157\157\164\040\103\145\162"
-"\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157"
-"\162\151\164\171\060\202\001\042\060\015\006\011\052\206\110\206"
-"\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012"
-"\002\202\001\001\000\277\141\265\225\123\272\127\374\372\362\147"
-"\013\072\032\337\021\200\144\225\264\321\274\315\172\317\366\051"
-"\226\056\044\124\100\044\070\367\032\205\334\130\114\313\244\047"
-"\102\227\320\237\203\212\303\344\006\003\133\000\245\121\036\160"
-"\004\164\342\301\324\072\253\327\255\073\007\030\005\216\375\203"
-"\254\352\146\331\030\033\150\212\365\127\032\230\272\365\355\166"
-"\075\174\331\336\224\152\073\113\027\301\325\217\275\145\070\072"
-"\225\320\075\125\066\116\337\171\127\061\052\036\330\131\145\111"
-"\130\040\230\176\253\137\176\237\351\326\115\354\203\164\251\307"
-"\154\330\356\051\112\205\052\006\024\371\124\346\323\332\145\007"
-"\213\143\067\022\327\320\354\303\173\040\101\104\243\355\313\240"
-"\027\341\161\145\316\035\146\061\367\166\001\031\310\175\003\130"
-"\266\225\111\035\246\022\046\350\306\014\166\340\343\146\313\352"
-"\135\246\046\356\345\314\137\275\147\247\001\047\016\242\312\124"
-"\305\261\172\225\035\161\036\112\051\212\003\334\152\105\301\244"
-"\031\136\157\066\315\303\242\260\267\376\134\070\342\122\274\370"
-"\104\103\346\220\273\002\003\001\000\001\243\202\002\122\060\202"
-"\002\116\060\075\006\010\053\006\001\005\005\007\001\001\004\061"
-"\060\057\060\055\006\010\053\006\001\005\005\007\060\001\206\041"
-"\150\164\164\160\163\072\057\057\157\143\163\160\056\161\165\157"
-"\166\141\144\151\163\157\146\146\163\150\157\162\145\056\143\157"
-"\155\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001"
-"\001\377\060\202\001\032\006\003\125\035\040\004\202\001\021\060"
-"\202\001\015\060\202\001\011\006\011\053\006\001\004\001\276\130"
-"\000\001\060\201\373\060\201\324\006\010\053\006\001\005\005\007"
-"\002\002\060\201\307\032\201\304\122\145\154\151\141\156\143\145"
-"\040\157\156\040\164\150\145\040\121\165\157\126\141\144\151\163"
-"\040\122\157\157\164\040\103\145\162\164\151\146\151\143\141\164"
-"\145\040\142\171\040\141\156\171\040\160\141\162\164\171\040\141"
-"\163\163\165\155\145\163\040\141\143\143\145\160\164\141\156\143"
-"\145\040\157\146\040\164\150\145\040\164\150\145\156\040\141\160"
-"\160\154\151\143\141\142\154\145\040\163\164\141\156\144\141\162"
-"\144\040\164\145\162\155\163\040\141\156\144\040\143\157\156\144"
-"\151\164\151\157\156\163\040\157\146\040\165\163\145\054\040\143"
-"\145\162\164\151\146\151\143\141\164\151\157\156\040\160\162\141"
-"\143\164\151\143\145\163\054\040\141\156\144\040\164\150\145\040"
-"\121\165\157\126\141\144\151\163\040\103\145\162\164\151\146\151"
-"\143\141\164\145\040\120\157\154\151\143\171\056\060\042\006\010"
-"\053\006\001\005\005\007\002\001\026\026\150\164\164\160\072\057"
-"\057\167\167\167\056\161\165\157\166\141\144\151\163\056\142\155"
-"\060\035\006\003\125\035\016\004\026\004\024\213\113\155\355\323"
-"\051\271\006\031\354\071\071\251\360\227\204\152\313\357\337\060"
-"\201\256\006\003\125\035\043\004\201\246\060\201\243\200\024\213"
-"\113\155\355\323\051\271\006\031\354\071\071\251\360\227\204\152"
-"\313\357\337\241\201\204\244\201\201\060\177\061\013\060\011\006"
-"\003\125\004\006\023\002\102\115\061\031\060\027\006\003\125\004"
-"\012\023\020\121\165\157\126\141\144\151\163\040\114\151\155\151"
-"\164\145\144\061\045\060\043\006\003\125\004\013\023\034\122\157"
-"\157\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156"
-"\040\101\165\164\150\157\162\151\164\171\061\056\060\054\006\003"
-"\125\004\003\023\045\121\165\157\126\141\144\151\163\040\122\157"
-"\157\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156"
-"\040\101\165\164\150\157\162\151\164\171\202\004\072\266\120\213"
-"\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001\006"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003"
-"\202\001\001\000\212\324\024\265\376\364\232\222\247\031\324\244"
-"\176\162\030\217\331\150\174\122\044\335\147\157\071\172\304\252"
-"\136\075\342\130\260\115\160\230\204\141\350\033\343\151\030\016"
-"\316\373\107\120\240\116\377\360\044\037\275\262\316\365\047\374"
-"\354\057\123\252\163\173\003\075\164\156\346\026\236\353\245\056"
-"\304\277\126\047\120\053\142\272\276\113\034\074\125\134\101\035"
-"\044\276\202\040\107\135\325\104\176\172\026\150\337\175\115\121"
-"\160\170\127\035\063\036\375\002\231\234\014\315\012\005\117\307"
-"\273\216\244\165\372\112\155\261\200\216\011\126\271\234\032\140"
-"\376\135\301\327\172\334\021\170\320\326\135\301\267\325\255\062"
-"\231\003\072\212\314\124\045\071\061\201\173\023\042\121\272\106"
-"\154\241\273\236\372\004\154\111\046\164\217\322\163\353\314\060"
-"\242\346\352\131\042\207\370\227\365\016\375\352\314\222\244\026"
-"\304\122\030\352\041\316\261\361\346\204\201\345\272\251\206\050"
-"\362\103\132\135\022\235\254\036\331\250\345\012\152\247\177\240"
-"\207\051\317\362\211\115\324\354\305\342\346\172\320\066\043\212"
-"\112\164\066\371"
-, (PRUint32)1492 }
-};
-static const NSSItem nss_builtins_items_153 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"QuoVadis Root CA", (PRUint32)17 },
-  { (void *)"\336\077\100\275\120\223\323\233\154\140\366\332\274\007\142\001"
-"\000\211\166\311"
-, (PRUint32)20 },
-  { (void *)"\047\336\066\376\162\267\000\003\000\235\364\360\036\154\004\044"
-, (PRUint32)16 },
-  { (void *)"\060\177\061\013\060\011\006\003\125\004\006\023\002\102\115\061"
-"\031\060\027\006\003\125\004\012\023\020\121\165\157\126\141\144"
-"\151\163\040\114\151\155\151\164\145\144\061\045\060\043\006\003"
-"\125\004\013\023\034\122\157\157\164\040\103\145\162\164\151\146"
-"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171\061\056\060\054\006\003\125\004\003\023\045\121\165\157\126"
-"\141\144\151\163\040\122\157\157\164\040\103\145\162\164\151\146"
-"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
-"\171"
-, (PRUint32)129 },
-  { (void *)"\002\004\072\266\120\213"
-, (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_154 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Security Communication Root CA", (PRUint32)31 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\120\061\013\060\011\006\003\125\004\006\023\002\112\120\061"
-"\030\060\026\006\003\125\004\012\023\017\123\105\103\117\115\040"
-"\124\162\165\163\164\056\156\145\164\061\047\060\045\006\003\125"
-"\004\013\023\036\123\145\143\165\162\151\164\171\040\103\157\155"
-"\155\165\156\151\143\141\164\151\157\156\040\122\157\157\164\103"
-"\101\061"
-, (PRUint32)82 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\120\061\013\060\011\006\003\125\004\006\023\002\112\120\061"
-"\030\060\026\006\003\125\004\012\023\017\123\105\103\117\115\040"
-"\124\162\165\163\164\056\156\145\164\061\047\060\045\006\003\125"
-"\004\013\023\036\123\145\143\165\162\151\164\171\040\103\157\155"
-"\155\165\156\151\143\141\164\151\157\156\040\122\157\157\164\103"
-"\101\061"
-, (PRUint32)82 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)"\060\202\003\132\060\202\002\102\240\003\002\001\002\002\001\000"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
-"\120\061\013\060\011\006\003\125\004\006\023\002\112\120\061\030"
-"\060\026\006\003\125\004\012\023\017\123\105\103\117\115\040\124"
-"\162\165\163\164\056\156\145\164\061\047\060\045\006\003\125\004"
-"\013\023\036\123\145\143\165\162\151\164\171\040\103\157\155\155"
-"\165\156\151\143\141\164\151\157\156\040\122\157\157\164\103\101"
-"\061\060\036\027\015\060\063\060\071\063\060\060\064\062\060\064"
-"\071\132\027\015\062\063\060\071\063\060\060\064\062\060\064\071"
-"\132\060\120\061\013\060\011\006\003\125\004\006\023\002\112\120"
-"\061\030\060\026\006\003\125\004\012\023\017\123\105\103\117\115"
-"\040\124\162\165\163\164\056\156\145\164\061\047\060\045\006\003"
-"\125\004\013\023\036\123\145\143\165\162\151\164\171\040\103\157"
-"\155\155\165\156\151\143\141\164\151\157\156\040\122\157\157\164"
-"\103\101\061\060\202\001\042\060\015\006\011\052\206\110\206\367"
-"\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002"
-"\202\001\001\000\263\263\376\177\323\155\261\357\026\174\127\245"
-"\014\155\166\212\057\113\277\144\373\114\356\212\360\363\051\174"
-"\365\377\356\052\340\351\351\272\133\144\042\232\232\157\054\072"
-"\046\151\121\005\231\046\334\325\034\152\161\306\232\175\036\235"
-"\335\174\154\306\214\147\147\112\076\370\161\260\031\047\251\011"
-"\014\246\225\277\113\214\014\372\125\230\073\330\350\042\241\113"
-"\161\070\171\254\227\222\151\263\211\176\352\041\150\006\230\024"
-"\226\207\322\141\066\274\155\047\126\236\127\356\300\300\126\375"
-"\062\317\244\331\216\302\043\327\215\250\363\330\045\254\227\344"
-"\160\070\364\266\072\264\235\073\227\046\103\243\241\274\111\131"
-"\162\114\043\060\207\001\130\366\116\276\034\150\126\146\257\315"
-"\101\135\310\263\115\052\125\106\253\037\332\036\342\100\075\333"
-"\315\175\271\222\200\234\067\335\014\226\144\235\334\042\367\144"
-"\213\337\141\336\025\224\122\025\240\175\122\311\113\250\041\311"
-"\306\261\355\313\303\225\140\321\017\360\253\160\370\337\313\115"
-"\176\354\326\372\253\331\275\177\124\362\245\351\171\372\331\326"
-"\166\044\050\163\002\003\001\000\001\243\077\060\075\060\035\006"
-"\003\125\035\016\004\026\004\024\240\163\111\231\150\334\205\133"
-"\145\343\233\050\057\127\237\275\063\274\007\110\060\013\006\003"
-"\125\035\017\004\004\003\002\001\006\060\017\006\003\125\035\023"
-"\001\001\377\004\005\060\003\001\001\377\060\015\006\011\052\206"
-"\110\206\367\015\001\001\005\005\000\003\202\001\001\000\150\100"
-"\251\250\273\344\117\135\171\263\005\265\027\263\140\023\353\306"
-"\222\135\340\321\323\152\376\373\276\233\155\277\307\005\155\131"
-"\040\304\034\360\267\332\204\130\002\143\372\110\026\357\117\245"
-"\013\367\112\230\362\077\236\033\255\107\153\143\316\010\107\353"
-"\122\077\170\234\257\115\256\370\325\117\317\232\230\052\020\101"
-"\071\122\304\335\331\233\016\357\223\001\256\262\056\312\150\102"
-"\044\102\154\260\263\072\076\315\351\332\110\304\025\313\351\371"
-"\007\017\222\120\111\212\335\061\227\137\311\351\067\252\073\131"
-"\145\227\224\062\311\263\237\076\072\142\130\305\111\255\142\016"
-"\161\245\062\252\057\306\211\166\103\100\023\023\147\075\242\124"
-"\045\020\313\361\072\362\331\372\333\111\126\273\246\376\247\101"
-"\065\303\340\210\141\311\210\307\337\066\020\042\230\131\352\260"
-"\112\373\126\026\163\156\254\115\367\042\241\117\255\035\172\055"
-"\105\047\345\060\301\136\362\332\023\313\045\102\121\225\107\003"
-"\214\154\041\314\164\102\355\123\377\063\213\217\017\127\001\026"
-"\057\317\246\356\311\160\042\024\275\375\276\154\013\003"
-, (PRUint32)862 }
-};
-static const NSSItem nss_builtins_items_155 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Security Communication Root CA", (PRUint32)31 },
-  { (void *)"\066\261\053\111\371\201\236\327\114\236\274\070\017\306\126\217"
-"\135\254\262\367"
-, (PRUint32)20 },
-  { (void *)"\361\274\143\152\124\340\265\047\365\315\347\032\343\115\156\112"
-, (PRUint32)16 },
-  { (void *)"\060\120\061\013\060\011\006\003\125\004\006\023\002\112\120\061"
-"\030\060\026\006\003\125\004\012\023\017\123\105\103\117\115\040"
-"\124\162\165\163\164\056\156\145\164\061\047\060\045\006\003\125"
-"\004\013\023\036\123\145\143\165\162\151\164\171\040\103\157\155"
-"\155\165\156\151\143\141\164\151\157\156\040\122\157\157\164\103"
-"\101\061"
-, (PRUint32)82 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_156 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Sonera Class 1 Root CA", (PRUint32)23 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\071\061\013\060\011\006\003\125\004\006\023\002\106\111\061"
-"\017\060\015\006\003\125\004\012\023\006\123\157\156\145\162\141"
-"\061\031\060\027\006\003\125\004\003\023\020\123\157\156\145\162"
-"\141\040\103\154\141\163\163\061\040\103\101"
-, (PRUint32)59 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\071\061\013\060\011\006\003\125\004\006\023\002\106\111\061"
-"\017\060\015\006\003\125\004\012\023\006\123\157\156\145\162\141"
-"\061\031\060\027\006\003\125\004\003\023\020\123\157\156\145\162"
-"\141\040\103\154\141\163\163\061\040\103\101"
-, (PRUint32)59 },
-  { (void *)"\002\001\044"
-, (PRUint32)3 },
-  { (void *)"\060\202\003\040\060\202\002\010\240\003\002\001\002\002\001\044"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
-"\071\061\013\060\011\006\003\125\004\006\023\002\106\111\061\017"
-"\060\015\006\003\125\004\012\023\006\123\157\156\145\162\141\061"
-"\031\060\027\006\003\125\004\003\023\020\123\157\156\145\162\141"
-"\040\103\154\141\163\163\061\040\103\101\060\036\027\015\060\061"
-"\060\064\060\066\061\060\064\071\061\063\132\027\015\062\061\060"
-"\064\060\066\061\060\064\071\061\063\132\060\071\061\013\060\011"
-"\006\003\125\004\006\023\002\106\111\061\017\060\015\006\003\125"
-"\004\012\023\006\123\157\156\145\162\141\061\031\060\027\006\003"
-"\125\004\003\023\020\123\157\156\145\162\141\040\103\154\141\163"
-"\163\061\040\103\101\060\202\001\042\060\015\006\011\052\206\110"
-"\206\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001"
-"\012\002\202\001\001\000\265\211\037\053\117\147\012\171\377\305"
-"\036\370\177\074\355\321\176\332\260\315\155\057\066\254\064\306"
-"\333\331\144\027\010\143\060\063\042\212\114\356\216\273\017\015"
-"\102\125\311\235\056\245\357\367\247\214\303\253\271\227\313\216"
-"\357\077\025\147\250\202\162\143\123\017\101\214\175\020\225\044"
-"\241\132\245\006\372\222\127\235\372\245\001\362\165\351\037\274"
-"\126\046\122\116\170\031\145\130\125\003\130\300\024\256\214\174"
-"\125\137\160\133\167\043\006\066\227\363\044\265\232\106\225\344"
-"\337\015\013\005\105\345\321\362\035\202\273\306\023\340\376\252"
-"\172\375\151\060\224\363\322\105\205\374\362\062\133\062\336\350"
-"\154\135\037\313\244\042\164\260\200\216\135\224\367\006\000\113"
-"\251\324\136\056\065\120\011\363\200\227\364\014\027\256\071\330"
-"\137\315\063\301\034\312\211\302\042\367\105\022\355\136\022\223"
-"\235\143\253\202\056\271\353\102\101\104\313\112\032\000\202\015"
-"\236\371\213\127\076\114\307\027\355\054\213\162\063\137\162\172"
-"\070\126\325\346\331\256\005\032\035\165\105\261\313\245\045\034"
-"\022\127\066\375\042\067\002\003\001\000\001\243\063\060\061\060"
-"\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377"
-"\060\021\006\003\125\035\016\004\012\004\010\107\342\014\213\366"
-"\123\210\122\060\013\006\003\125\035\017\004\004\003\002\001\006"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003"
-"\202\001\001\000\213\032\262\311\135\141\264\341\271\053\271\123"
-"\321\262\205\235\167\216\026\356\021\075\333\302\143\331\133\227"
-"\145\373\022\147\330\052\134\266\253\345\136\303\267\026\057\310"
-"\350\253\035\212\375\253\032\174\325\137\143\317\334\260\335\167"
-"\271\250\346\322\042\070\207\007\024\331\377\276\126\265\375\007"
-"\016\074\125\312\026\314\247\246\167\067\373\333\134\037\116\131"
-"\006\207\243\003\103\365\026\253\267\204\275\116\357\237\061\067"
-"\360\106\361\100\266\321\014\245\144\370\143\136\041\333\125\116"
-"\117\061\166\234\020\141\216\266\123\072\243\021\276\257\155\174"
-"\036\275\256\055\342\014\151\307\205\123\150\242\141\272\305\076"
-"\264\171\124\170\236\012\307\002\276\142\321\021\202\113\145\057"
-"\221\132\302\250\207\261\126\150\224\171\371\045\367\301\325\256"
-"\032\270\273\075\217\251\212\070\025\367\163\320\132\140\321\200"
-"\260\360\334\325\120\315\116\356\222\110\151\355\262\043\036\060"
-"\314\310\224\310\266\365\073\206\177\077\246\056\237\366\076\054"
-"\265\222\226\076\337\054\223\212\377\201\214\017\017\131\041\031"
-"\127\275\125\232"
-, (PRUint32)804 }
-};
-static const NSSItem nss_builtins_items_157 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Sonera Class 1 Root CA", (PRUint32)23 },
-  { (void *)"\007\107\042\001\231\316\164\271\174\260\075\171\262\144\242\310"
-"\125\351\063\377"
-, (PRUint32)20 },
-  { (void *)"\063\267\204\365\137\047\327\150\047\336\024\336\022\052\355\157"
-, (PRUint32)16 },
-  { (void *)"\060\071\061\013\060\011\006\003\125\004\006\023\002\106\111\061"
-"\017\060\015\006\003\125\004\012\023\006\123\157\156\145\162\141"
-"\061\031\060\027\006\003\125\004\003\023\020\123\157\156\145\162"
-"\141\040\103\154\141\163\163\061\040\103\101"
-, (PRUint32)59 },
-  { (void *)"\002\001\044"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_158 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Sonera Class 2 Root CA", (PRUint32)23 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\071\061\013\060\011\006\003\125\004\006\023\002\106\111\061"
-"\017\060\015\006\003\125\004\012\023\006\123\157\156\145\162\141"
-"\061\031\060\027\006\003\125\004\003\023\020\123\157\156\145\162"
-"\141\040\103\154\141\163\163\062\040\103\101"
-, (PRUint32)59 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\071\061\013\060\011\006\003\125\004\006\023\002\106\111\061"
-"\017\060\015\006\003\125\004\012\023\006\123\157\156\145\162\141"
-"\061\031\060\027\006\003\125\004\003\023\020\123\157\156\145\162"
-"\141\040\103\154\141\163\163\062\040\103\101"
-, (PRUint32)59 },
-  { (void *)"\002\001\035"
-, (PRUint32)3 },
-  { (void *)"\060\202\003\040\060\202\002\010\240\003\002\001\002\002\001\035"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
-"\071\061\013\060\011\006\003\125\004\006\023\002\106\111\061\017"
-"\060\015\006\003\125\004\012\023\006\123\157\156\145\162\141\061"
-"\031\060\027\006\003\125\004\003\023\020\123\157\156\145\162\141"
-"\040\103\154\141\163\163\062\040\103\101\060\036\027\015\060\061"
-"\060\064\060\066\060\067\062\071\064\060\132\027\015\062\061\060"
-"\064\060\066\060\067\062\071\064\060\132\060\071\061\013\060\011"
-"\006\003\125\004\006\023\002\106\111\061\017\060\015\006\003\125"
-"\004\012\023\006\123\157\156\145\162\141\061\031\060\027\006\003"
-"\125\004\003\023\020\123\157\156\145\162\141\040\103\154\141\163"
-"\163\062\040\103\101\060\202\001\042\060\015\006\011\052\206\110"
-"\206\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001"
-"\012\002\202\001\001\000\220\027\112\065\235\312\360\015\226\307"
-"\104\372\026\067\374\110\275\275\177\200\055\065\073\341\157\250"
-"\147\251\277\003\034\115\214\157\062\107\325\101\150\244\023\004"
-"\301\065\014\232\204\103\374\134\035\377\211\263\350\027\030\315"
-"\221\137\373\211\343\352\277\116\135\174\033\046\323\165\171\355"
-"\346\204\343\127\345\255\051\304\364\072\050\347\245\173\204\066"
-"\151\263\375\136\166\275\243\055\231\323\220\116\043\050\175\030"
-"\143\361\124\073\046\235\166\133\227\102\262\377\256\360\116\354"
-"\335\071\225\116\203\006\177\347\111\100\310\305\001\262\124\132"
-"\146\035\075\374\371\351\074\012\236\201\270\160\360\001\213\344"
-"\043\124\174\310\256\370\220\036\000\226\162\324\124\317\141\043"
-"\274\352\373\235\002\225\321\266\271\161\072\151\010\077\017\264"
-"\341\102\307\210\365\077\230\250\247\272\034\340\161\161\357\130"
-"\127\201\120\172\134\153\164\106\016\203\003\230\303\216\250\156"
-"\362\166\062\156\047\203\302\163\363\334\030\350\264\223\352\165"
-"\104\153\004\140\040\161\127\207\235\363\276\240\220\043\075\212"
-"\044\341\332\041\333\303\002\003\001\000\001\243\063\060\061\060"
-"\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377"
-"\060\021\006\003\125\035\016\004\012\004\010\112\240\252\130\204"
-"\323\136\074\060\013\006\003\125\035\017\004\004\003\002\001\006"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003"
-"\202\001\001\000\132\316\207\371\026\162\025\127\113\035\331\233"
-"\347\242\046\060\354\223\147\337\326\055\322\064\257\367\070\245"
-"\316\253\026\271\253\057\174\065\313\254\320\017\264\114\053\374"
-"\200\357\153\214\221\137\066\166\367\333\263\033\031\352\364\262"
-"\021\375\141\161\104\277\050\263\072\035\277\263\103\350\237\277"
-"\334\061\010\161\260\235\215\326\064\107\062\220\306\145\044\367"
-"\240\112\174\004\163\217\071\157\027\214\162\265\275\113\310\172"
-"\370\173\203\303\050\116\234\011\352\147\077\262\147\004\033\303"
-"\024\332\370\347\111\044\221\320\035\152\372\141\071\357\153\347"
-"\041\165\006\007\330\022\264\041\040\160\102\161\201\332\074\232"
-"\066\276\246\133\015\152\154\232\037\221\173\371\371\357\102\272"
-"\116\116\236\314\014\215\224\334\331\105\234\136\354\102\120\143"
-"\256\364\135\304\261\022\334\312\073\250\056\235\024\132\005\165"
-"\267\354\327\143\342\272\065\266\004\010\221\350\332\235\234\366"
-"\146\265\030\254\012\246\124\046\064\063\322\033\301\324\177\032"
-"\072\216\013\252\062\156\333\374\117\045\237\331\062\307\226\132"
-"\160\254\337\114"
-, (PRUint32)804 }
-};
-static const NSSItem nss_builtins_items_159 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Sonera Class 2 Root CA", (PRUint32)23 },
-  { (void *)"\067\367\155\346\007\174\220\305\261\076\223\032\267\101\020\264"
-"\362\344\232\047"
-, (PRUint32)20 },
-  { (void *)"\243\354\165\017\056\210\337\372\110\001\116\013\134\110\157\373"
-, (PRUint32)16 },
-  { (void *)"\060\071\061\013\060\011\006\003\125\004\006\023\002\106\111\061"
-"\017\060\015\006\003\125\004\012\023\006\123\157\156\145\162\141"
-"\061\031\060\027\006\003\125\004\003\023\020\123\157\156\145\162"
-"\141\040\103\154\141\163\163\062\040\103\101"
-, (PRUint32)59 },
-  { (void *)"\002\001\035"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_160 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Staat der Nederlanden Root CA", (PRUint32)30 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\125\061\013\060\011\006\003\125\004\006\023\002\116\114\061"
-"\036\060\034\006\003\125\004\012\023\025\123\164\141\141\164\040"
-"\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\061"
-"\046\060\044\006\003\125\004\003\023\035\123\164\141\141\164\040"
-"\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\040"
-"\122\157\157\164\040\103\101"
-, (PRUint32)87 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\125\061\013\060\011\006\003\125\004\006\023\002\116\114\061"
-"\036\060\034\006\003\125\004\012\023\025\123\164\141\141\164\040"
-"\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\061"
-"\046\060\044\006\003\125\004\003\023\035\123\164\141\141\164\040"
-"\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\040"
-"\122\157\157\164\040\103\101"
-, (PRUint32)87 },
-  { (void *)"\002\004\000\230\226\212"
-, (PRUint32)6 },
-  { (void *)"\060\202\003\272\060\202\002\242\240\003\002\001\002\002\004\000"
-"\230\226\212\060\015\006\011\052\206\110\206\367\015\001\001\005"
-"\005\000\060\125\061\013\060\011\006\003\125\004\006\023\002\116"
-"\114\061\036\060\034\006\003\125\004\012\023\025\123\164\141\141"
-"\164\040\144\145\162\040\116\145\144\145\162\154\141\156\144\145"
-"\156\061\046\060\044\006\003\125\004\003\023\035\123\164\141\141"
-"\164\040\144\145\162\040\116\145\144\145\162\154\141\156\144\145"
-"\156\040\122\157\157\164\040\103\101\060\036\027\015\060\062\061"
-"\062\061\067\060\071\062\063\064\071\132\027\015\061\065\061\062"
-"\061\066\060\071\061\065\063\070\132\060\125\061\013\060\011\006"
-"\003\125\004\006\023\002\116\114\061\036\060\034\006\003\125\004"
-"\012\023\025\123\164\141\141\164\040\144\145\162\040\116\145\144"
-"\145\162\154\141\156\144\145\156\061\046\060\044\006\003\125\004"
-"\003\023\035\123\164\141\141\164\040\144\145\162\040\116\145\144"
-"\145\162\154\141\156\144\145\156\040\122\157\157\164\040\103\101"
-"\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001"
-"\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001"
-"\000\230\322\265\121\021\172\201\246\024\230\161\155\276\314\347"
-"\023\033\326\047\016\172\263\152\030\034\266\141\132\325\141\011"
-"\277\336\220\023\307\147\356\335\363\332\305\014\022\236\065\125"
-"\076\054\047\210\100\153\367\334\335\042\141\365\302\307\016\365"
-"\366\325\166\123\115\217\214\274\030\166\067\205\235\350\312\111"
-"\307\322\117\230\023\011\242\076\042\210\234\177\326\362\020\145"
-"\264\356\137\030\325\027\343\370\305\375\342\235\242\357\123\016"
-"\205\167\242\017\341\060\107\356\000\347\063\175\104\147\032\013"
-"\121\350\213\240\236\120\230\150\064\122\037\056\155\001\362\140"
-"\105\362\061\353\251\061\150\051\273\172\101\236\306\031\177\224"
-"\264\121\071\003\177\262\336\247\062\233\264\107\216\157\264\112"
-"\256\345\257\261\334\260\033\141\274\231\162\336\344\211\267\172"
-"\046\135\332\063\111\133\122\234\016\365\212\255\303\270\075\350"
-"\006\152\302\325\052\013\154\173\204\275\126\005\313\206\145\222"
-"\354\104\053\260\216\271\334\160\013\106\332\255\274\143\210\071"
-"\372\333\152\376\043\372\274\344\110\364\147\053\152\021\020\041"
-"\111\002\003\001\000\001\243\201\221\060\201\216\060\014\006\003"
-"\125\035\023\004\005\060\003\001\001\377\060\117\006\003\125\035"
-"\040\004\110\060\106\060\104\006\004\125\035\040\000\060\074\060"
-"\072\006\010\053\006\001\005\005\007\002\001\026\056\150\164\164"
-"\160\072\057\057\167\167\167\056\160\153\151\157\166\145\162\150"
-"\145\151\144\056\156\154\057\160\157\154\151\143\151\145\163\057"
-"\162\157\157\164\055\160\157\154\151\143\171\060\016\006\003\125"
-"\035\017\001\001\377\004\004\003\002\001\006\060\035\006\003\125"
-"\035\016\004\026\004\024\250\175\353\274\143\244\164\023\164\000"
-"\354\226\340\323\064\301\054\277\154\370\060\015\006\011\052\206"
-"\110\206\367\015\001\001\005\005\000\003\202\001\001\000\005\204"
-"\207\125\164\066\141\301\273\321\324\306\025\250\023\264\237\244"
-"\376\273\356\025\264\057\006\014\051\362\250\222\244\141\015\374"
-"\253\134\010\133\121\023\053\115\302\052\141\310\370\011\130\374"
-"\055\002\262\071\175\231\146\201\277\156\134\225\105\040\154\346"
-"\171\247\321\330\034\051\374\302\040\047\121\310\361\174\135\064"
-"\147\151\205\021\060\306\000\322\327\363\323\174\266\360\061\127"
-"\050\022\202\163\351\063\057\246\125\264\013\221\224\107\234\372"
-"\273\172\102\062\350\256\176\055\310\274\254\024\277\331\017\331"
-"\133\374\301\371\172\225\341\175\176\226\374\161\260\302\114\310"
-"\337\105\064\311\316\015\362\234\144\010\320\073\303\051\305\262"
-"\355\220\004\301\261\051\221\305\060\157\301\251\162\063\314\376"
-"\135\026\027\054\021\151\347\176\376\305\203\010\337\274\334\042"
-"\072\056\040\151\043\071\126\140\147\220\213\056\166\071\373\021"
-"\210\227\366\174\275\113\270\040\026\147\005\215\342\073\301\162"
-"\077\224\225\067\307\135\271\236\330\223\241\027\217\377\014\146"
-"\025\301\044\174\062\174\003\035\073\241\130\105\062\223"
-, (PRUint32)958 }
-};
-static const NSSItem nss_builtins_items_161 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Staat der Nederlanden Root CA", (PRUint32)30 },
-  { (void *)"\020\035\372\077\325\013\313\273\233\265\140\014\031\125\244\032"
-"\364\163\072\004"
-, (PRUint32)20 },
-  { (void *)"\140\204\174\132\316\333\014\324\313\247\351\376\002\306\251\300"
-, (PRUint32)16 },
-  { (void *)"\060\125\061\013\060\011\006\003\125\004\006\023\002\116\114\061"
-"\036\060\034\006\003\125\004\012\023\025\123\164\141\141\164\040"
-"\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\061"
-"\046\060\044\006\003\125\004\003\023\035\123\164\141\141\164\040"
-"\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\040"
-"\122\157\157\164\040\103\101"
-, (PRUint32)87 },
-  { (void *)"\002\004\000\230\226\212"
-, (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_162 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"TDC Internet Root CA", (PRUint32)21 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\103\061\013\060\011\006\003\125\004\006\023\002\104\113\061"
-"\025\060\023\006\003\125\004\012\023\014\124\104\103\040\111\156"
-"\164\145\162\156\145\164\061\035\060\033\006\003\125\004\013\023"
-"\024\124\104\103\040\111\156\164\145\162\156\145\164\040\122\157"
-"\157\164\040\103\101"
-, (PRUint32)69 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\103\061\013\060\011\006\003\125\004\006\023\002\104\113\061"
-"\025\060\023\006\003\125\004\012\023\014\124\104\103\040\111\156"
-"\164\145\162\156\145\164\061\035\060\033\006\003\125\004\013\023"
-"\024\124\104\103\040\111\156\164\145\162\156\145\164\040\122\157"
-"\157\164\040\103\101"
-, (PRUint32)69 },
-  { (void *)"\002\004\072\314\245\114"
-, (PRUint32)6 },
-  { (void *)"\060\202\004\053\060\202\003\023\240\003\002\001\002\002\004\072"
-"\314\245\114\060\015\006\011\052\206\110\206\367\015\001\001\005"
-"\005\000\060\103\061\013\060\011\006\003\125\004\006\023\002\104"
-"\113\061\025\060\023\006\003\125\004\012\023\014\124\104\103\040"
-"\111\156\164\145\162\156\145\164\061\035\060\033\006\003\125\004"
-"\013\023\024\124\104\103\040\111\156\164\145\162\156\145\164\040"
-"\122\157\157\164\040\103\101\060\036\027\015\060\061\060\064\060"
-"\065\061\066\063\063\061\067\132\027\015\062\061\060\064\060\065"
-"\061\067\060\063\061\067\132\060\103\061\013\060\011\006\003\125"
-"\004\006\023\002\104\113\061\025\060\023\006\003\125\004\012\023"
-"\014\124\104\103\040\111\156\164\145\162\156\145\164\061\035\060"
-"\033\006\003\125\004\013\023\024\124\104\103\040\111\156\164\145"
-"\162\156\145\164\040\122\157\157\164\040\103\101\060\202\001\042"
-"\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003"
-"\202\001\017\000\060\202\001\012\002\202\001\001\000\304\270\100"
-"\274\221\325\143\037\327\231\240\213\014\100\036\164\267\110\235"
-"\106\214\002\262\340\044\137\360\031\023\247\067\203\153\135\307"
-"\216\371\204\060\316\032\073\372\373\316\213\155\043\306\303\156"
-"\146\237\211\245\337\340\102\120\147\372\037\154\036\364\320\005"
-"\326\277\312\326\116\344\150\140\154\106\252\034\135\143\341\007"
-"\206\016\145\000\247\056\246\161\306\274\271\201\250\072\175\032"
-"\322\371\321\254\113\313\316\165\257\334\173\372\201\163\324\374"
-"\272\275\101\210\324\164\263\371\136\070\072\074\103\250\322\225"
-"\116\167\155\023\014\235\217\170\001\267\132\040\037\003\067\065"
-"\342\054\333\113\053\054\170\271\111\333\304\320\307\234\234\344"
-"\212\040\011\041\026\126\146\377\005\354\133\343\360\317\253\044"
-"\044\136\303\177\160\172\022\304\322\265\020\240\266\041\341\215"
-"\170\151\125\104\151\365\312\226\034\064\205\027\045\167\342\366"
-"\057\047\230\170\375\171\006\072\242\326\132\103\301\377\354\004"
-"\073\356\023\357\323\130\132\377\222\353\354\256\332\362\067\003"
-"\107\101\266\227\311\055\012\101\042\273\273\346\247\002\003\001"
-"\000\001\243\202\001\045\060\202\001\041\060\021\006\011\140\206"
-"\110\001\206\370\102\001\001\004\004\003\002\000\007\060\145\006"
-"\003\125\035\037\004\136\060\134\060\132\240\130\240\126\244\124"
-"\060\122\061\013\060\011\006\003\125\004\006\023\002\104\113\061"
-"\025\060\023\006\003\125\004\012\023\014\124\104\103\040\111\156"
-"\164\145\162\156\145\164\061\035\060\033\006\003\125\004\013\023"
-"\024\124\104\103\040\111\156\164\145\162\156\145\164\040\122\157"
-"\157\164\040\103\101\061\015\060\013\006\003\125\004\003\023\004"
-"\103\122\114\061\060\053\006\003\125\035\020\004\044\060\042\200"
-"\017\062\060\060\061\060\064\060\065\061\066\063\063\061\067\132"
-"\201\017\062\060\062\061\060\064\060\065\061\067\060\063\061\067"
-"\132\060\013\006\003\125\035\017\004\004\003\002\001\006\060\037"
-"\006\003\125\035\043\004\030\060\026\200\024\154\144\001\307\375"
-"\205\155\254\310\332\236\120\010\205\010\265\074\126\250\120\060"
-"\035\006\003\125\035\016\004\026\004\024\154\144\001\307\375\205"
-"\155\254\310\332\236\120\010\205\010\265\074\126\250\120\060\014"
-"\006\003\125\035\023\004\005\060\003\001\001\377\060\035\006\011"
-"\052\206\110\206\366\175\007\101\000\004\020\060\016\033\010\126"
-"\065\056\060\072\064\056\060\003\002\004\220\060\015\006\011\052"
-"\206\110\206\367\015\001\001\005\005\000\003\202\001\001\000\116"
-"\103\314\321\335\035\020\033\006\177\267\244\372\323\331\115\373"
-"\043\237\043\124\133\346\213\057\004\050\213\265\047\155\211\241"
-"\354\230\151\334\347\215\046\203\005\171\164\354\264\271\243\227"
-"\301\065\000\375\025\332\071\201\072\225\061\220\336\227\351\206"
-"\250\231\167\014\345\132\240\204\377\022\026\254\156\270\215\303"
-"\173\222\302\254\056\320\175\050\354\266\363\140\070\151\157\076"
-"\330\004\125\076\236\314\125\322\272\376\273\107\004\327\012\331"
-"\026\012\064\051\365\130\023\325\117\317\217\126\113\263\036\356"
-"\323\230\171\332\010\036\014\157\270\370\026\047\357\302\157\075"
-"\366\243\113\076\016\344\155\154\333\073\101\022\233\275\015\107"
-"\043\177\074\112\320\257\300\257\366\357\033\265\025\304\353\203"
-"\304\011\137\164\213\331\021\373\302\126\261\074\370\160\312\064"
-"\215\103\100\023\214\375\231\003\124\171\306\056\352\206\241\366"
-"\072\324\011\274\364\274\146\314\075\130\320\127\111\012\356\045"
-"\342\101\356\023\371\233\070\064\321\000\365\176\347\224\035\374"
-"\151\003\142\270\231\005\005\075\153\170\022\275\260\157\145"
-, (PRUint32)1071 }
-};
-static const NSSItem nss_builtins_items_163 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"TDC Internet Root CA", (PRUint32)21 },
-  { (void *)"\041\374\275\216\177\154\257\005\033\321\263\103\354\250\347\141"
-"\107\362\017\212"
-, (PRUint32)20 },
-  { (void *)"\221\364\003\125\040\241\370\143\054\142\336\254\373\141\034\216"
-, (PRUint32)16 },
-  { (void *)"\060\103\061\013\060\011\006\003\125\004\006\023\002\104\113\061"
-"\025\060\023\006\003\125\004\012\023\014\124\104\103\040\111\156"
-"\164\145\162\156\145\164\061\035\060\033\006\003\125\004\013\023"
-"\024\124\104\103\040\111\156\164\145\162\156\145\164\040\122\157"
-"\157\164\040\103\101"
-, (PRUint32)69 },
-  { (void *)"\002\004\072\314\245\114"
-, (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_164 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"TDC OCES Root CA", (PRUint32)17 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\061\061\013\060\011\006\003\125\004\006\023\002\104\113\061"
-"\014\060\012\006\003\125\004\012\023\003\124\104\103\061\024\060"
-"\022\006\003\125\004\003\023\013\124\104\103\040\117\103\105\123"
-"\040\103\101"
-, (PRUint32)51 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\061\061\013\060\011\006\003\125\004\006\023\002\104\113\061"
-"\014\060\012\006\003\125\004\012\023\003\124\104\103\061\024\060"
-"\022\006\003\125\004\003\023\013\124\104\103\040\117\103\105\123"
-"\040\103\101"
-, (PRUint32)51 },
-  { (void *)"\002\004\076\110\275\304"
-, (PRUint32)6 },
-  { (void *)"\060\202\005\031\060\202\004\001\240\003\002\001\002\002\004\076"
-"\110\275\304\060\015\006\011\052\206\110\206\367\015\001\001\005"
-"\005\000\060\061\061\013\060\011\006\003\125\004\006\023\002\104"
-"\113\061\014\060\012\006\003\125\004\012\023\003\124\104\103\061"
-"\024\060\022\006\003\125\004\003\023\013\124\104\103\040\117\103"
-"\105\123\040\103\101\060\036\027\015\060\063\060\062\061\061\060"
-"\070\063\071\063\060\132\027\015\063\067\060\062\061\061\060\071"
-"\060\071\063\060\132\060\061\061\013\060\011\006\003\125\004\006"
-"\023\002\104\113\061\014\060\012\006\003\125\004\012\023\003\124"
-"\104\103\061\024\060\022\006\003\125\004\003\023\013\124\104\103"
-"\040\117\103\105\123\040\103\101\060\202\001\042\060\015\006\011"
-"\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000"
-"\060\202\001\012\002\202\001\001\000\254\142\366\141\040\262\317"
-"\300\306\205\327\343\171\346\314\355\362\071\222\244\227\056\144"
-"\243\204\133\207\234\114\375\244\363\304\137\041\275\126\020\353"
-"\333\056\141\354\223\151\343\243\314\275\231\303\005\374\006\270"
-"\312\066\034\376\220\216\111\114\304\126\232\057\126\274\317\173"
-"\014\361\157\107\246\015\103\115\342\351\035\071\064\315\215\054"
-"\331\022\230\371\343\341\301\112\174\206\070\304\251\304\141\210"
-"\322\136\257\032\046\115\325\344\240\042\107\204\331\144\267\031"
-"\226\374\354\031\344\262\227\046\116\112\114\313\217\044\213\124"
-"\030\034\110\141\173\325\210\150\332\135\265\352\315\032\060\301"
-"\200\203\166\120\252\117\321\324\335\070\360\357\026\364\341\014"
-"\120\006\277\352\373\172\111\241\050\053\034\366\374\025\062\243"
-"\164\152\217\251\303\142\051\161\061\345\073\244\140\027\136\164"
-"\346\332\023\355\351\037\037\033\321\262\150\163\306\020\064\165"
-"\106\020\020\343\220\000\166\100\313\213\267\103\011\041\377\253"
-"\116\223\306\130\351\245\202\333\167\304\072\231\261\162\225\111"
-"\004\360\267\053\372\173\131\216\335\002\003\001\000\001\243\202"
-"\002\067\060\202\002\063\060\017\006\003\125\035\023\001\001\377"
-"\004\005\060\003\001\001\377\060\016\006\003\125\035\017\001\001"
-"\377\004\004\003\002\001\006\060\201\354\006\003\125\035\040\004"
-"\201\344\060\201\341\060\201\336\006\010\052\201\120\201\051\001"
-"\001\001\060\201\321\060\057\006\010\053\006\001\005\005\007\002"
-"\001\026\043\150\164\164\160\072\057\057\167\167\167\056\143\145"
-"\162\164\151\146\151\153\141\164\056\144\153\057\162\145\160\157"
-"\163\151\164\157\162\171\060\201\235\006\010\053\006\001\005\005"
-"\007\002\002\060\201\220\060\012\026\003\124\104\103\060\003\002"
-"\001\001\032\201\201\103\145\162\164\151\146\151\153\141\164\145"
-"\162\040\146\162\141\040\144\145\156\156\145\040\103\101\040\165"
-"\144\163\164\145\144\145\163\040\165\156\144\145\162\040\117\111"
-"\104\040\061\056\062\056\062\060\070\056\061\066\071\056\061\056"
-"\061\056\061\056\040\103\145\162\164\151\146\151\143\141\164\145"
-"\163\040\146\162\157\155\040\164\150\151\163\040\103\101\040\141"
-"\162\145\040\151\163\163\165\145\144\040\165\156\144\145\162\040"
-"\117\111\104\040\061\056\062\056\062\060\070\056\061\066\071\056"
-"\061\056\061\056\061\056\060\021\006\011\140\206\110\001\206\370"
-"\102\001\001\004\004\003\002\000\007\060\201\201\006\003\125\035"
-"\037\004\172\060\170\060\110\240\106\240\104\244\102\060\100\061"
-"\013\060\011\006\003\125\004\006\023\002\104\113\061\014\060\012"
-"\006\003\125\004\012\023\003\124\104\103\061\024\060\022\006\003"
-"\125\004\003\023\013\124\104\103\040\117\103\105\123\040\103\101"
-"\061\015\060\013\006\003\125\004\003\023\004\103\122\114\061\060"
-"\054\240\052\240\050\206\046\150\164\164\160\072\057\057\143\162"
-"\154\056\157\143\145\163\056\143\145\162\164\151\146\151\153\141"
-"\164\056\144\153\057\157\143\145\163\056\143\162\154\060\053\006"
-"\003\125\035\020\004\044\060\042\200\017\062\060\060\063\060\062"
-"\061\061\060\070\063\071\063\060\132\201\017\062\060\063\067\060"
-"\062\061\061\060\071\060\071\063\060\132\060\037\006\003\125\035"
-"\043\004\030\060\026\200\024\140\265\205\354\126\144\176\022\031"
-"\047\147\035\120\025\113\163\256\073\371\022\060\035\006\003\125"
-"\035\016\004\026\004\024\140\265\205\354\126\144\176\022\031\047"
-"\147\035\120\025\113\163\256\073\371\022\060\035\006\011\052\206"
-"\110\206\366\175\007\101\000\004\020\060\016\033\010\126\066\056"
-"\060\072\064\056\060\003\002\004\220\060\015\006\011\052\206\110"
-"\206\367\015\001\001\005\005\000\003\202\001\001\000\012\272\046"
-"\046\106\323\163\250\011\363\153\013\060\231\375\212\341\127\172"
-"\021\323\270\224\327\011\020\156\243\261\070\003\321\266\362\103"
-"\101\051\142\247\162\330\373\174\005\346\061\160\047\124\030\116"
-"\212\174\116\345\321\312\214\170\210\317\033\323\220\213\346\043"
-"\370\013\016\063\103\175\234\342\012\031\217\311\001\076\164\135"
-"\164\311\213\034\003\345\030\310\001\114\077\313\227\005\135\230"
-"\161\246\230\157\266\174\275\067\177\276\341\223\045\155\157\360"
-"\012\255\027\030\341\003\274\007\051\310\255\046\350\370\141\360"
-"\375\041\011\176\232\216\251\150\175\110\142\162\275\000\352\001"
-"\231\270\006\202\121\201\116\361\365\264\221\124\271\043\172\000"
-"\232\237\135\215\340\074\144\271\032\022\222\052\307\202\104\162"
-"\071\334\342\074\306\330\125\365\025\116\310\005\016\333\306\320"
-"\142\246\354\025\264\265\002\202\333\254\214\242\201\360\233\231"
-"\061\365\040\040\250\210\141\012\007\237\224\374\320\327\033\314"
-"\056\027\363\004\047\166\147\353\124\203\375\244\220\176\006\075"
-"\004\243\103\055\332\374\013\142\352\057\137\142\123"
-, (PRUint32)1309 }
-};
-static const NSSItem nss_builtins_items_165 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"TDC OCES Root CA", (PRUint32)17 },
-  { (void *)"\207\201\302\132\226\275\302\373\114\145\006\117\371\071\013\046"
-"\004\212\016\001"
-, (PRUint32)20 },
-  { (void *)"\223\177\220\034\355\204\147\027\244\145\137\233\313\060\002\227"
-, (PRUint32)16 },
-  { (void *)"\060\061\061\013\060\011\006\003\125\004\006\023\002\104\113\061"
-"\014\060\012\006\003\125\004\012\023\003\124\104\103\061\024\060"
-"\022\006\003\125\004\003\023\013\124\104\103\040\117\103\105\123"
-"\040\103\101"
-, (PRUint32)51 },
-  { (void *)"\002\004\076\110\275\304"
-, (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_166 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"UTN DATACorp SGC Root CA", (PRUint32)25 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\223\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060"
-"\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153"
-"\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023"
-"\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116"
-"\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023"
-"\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162"
-"\164\162\165\163\164\056\143\157\155\061\033\060\031\006\003\125"
-"\004\003\023\022\125\124\116\040\055\040\104\101\124\101\103\157"
-"\162\160\040\123\107\103"
-, (PRUint32)150 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\223\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060"
-"\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153"
-"\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023"
-"\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116"
-"\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023"
-"\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162"
-"\164\162\165\163\164\056\143\157\155\061\033\060\031\006\003\125"
-"\004\003\023\022\125\124\116\040\055\040\104\101\124\101\103\157"
-"\162\160\040\123\107\103"
-, (PRUint32)150 },
-  { (void *)"\002\020\104\276\014\213\120\000\041\264\021\323\052\150\006\251"
-"\255\151"
-, (PRUint32)18 },
-  { (void *)"\060\202\004\136\060\202\003\106\240\003\002\001\002\002\020\104"
-"\276\014\213\120\000\041\264\021\323\052\150\006\251\255\151\060"
-"\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201"
-"\223\061\013\060\011\006\003\125\004\006\023\002\125\123\061\013"
-"\060\011\006\003\125\004\010\023\002\125\124\061\027\060\025\006"
-"\003\125\004\007\023\016\123\141\154\164\040\114\141\153\145\040"
-"\103\151\164\171\061\036\060\034\006\003\125\004\012\023\025\124"
-"\150\145\040\125\123\105\122\124\122\125\123\124\040\116\145\164"
-"\167\157\162\153\061\041\060\037\006\003\125\004\013\023\030\150"
-"\164\164\160\072\057\057\167\167\167\056\165\163\145\162\164\162"
-"\165\163\164\056\143\157\155\061\033\060\031\006\003\125\004\003"
-"\023\022\125\124\116\040\055\040\104\101\124\101\103\157\162\160"
-"\040\123\107\103\060\036\027\015\071\071\060\066\062\064\061\070"
-"\065\067\062\061\132\027\015\061\071\060\066\062\064\061\071\060"
-"\066\063\060\132\060\201\223\061\013\060\011\006\003\125\004\006"
-"\023\002\125\123\061\013\060\011\006\003\125\004\010\023\002\125"
-"\124\061\027\060\025\006\003\125\004\007\023\016\123\141\154\164"
-"\040\114\141\153\145\040\103\151\164\171\061\036\060\034\006\003"
-"\125\004\012\023\025\124\150\145\040\125\123\105\122\124\122\125"
-"\123\124\040\116\145\164\167\157\162\153\061\041\060\037\006\003"
-"\125\004\013\023\030\150\164\164\160\072\057\057\167\167\167\056"
-"\165\163\145\162\164\162\165\163\164\056\143\157\155\061\033\060"
-"\031\006\003\125\004\003\023\022\125\124\116\040\055\040\104\101"
-"\124\101\103\157\162\160\040\123\107\103\060\202\001\042\060\015"
-"\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001"
-"\017\000\060\202\001\012\002\202\001\001\000\337\356\130\020\242"
-"\053\156\125\304\216\277\056\106\011\347\340\010\017\056\053\172"
-"\023\224\033\275\366\266\200\216\145\005\223\000\036\274\257\342"
-"\017\216\031\015\022\107\354\254\255\243\372\056\160\370\336\156"
-"\373\126\102\025\236\056\134\357\043\336\041\271\005\166\047\031"
-"\017\117\326\303\234\264\276\224\031\143\362\246\021\012\353\123"
-"\110\234\276\362\051\073\026\350\032\240\114\246\311\364\030\131"
-"\150\300\160\362\123\000\300\136\120\202\245\126\157\066\371\112"
-"\340\104\206\240\115\116\326\107\156\111\112\313\147\327\246\304"
-"\005\271\216\036\364\374\377\315\347\066\340\234\005\154\262\063"
-"\042\025\320\264\340\314\027\300\262\300\364\376\062\077\051\052"
-"\225\173\330\362\247\116\017\124\174\241\015\200\263\011\003\301"
-"\377\134\335\136\232\076\274\256\274\107\212\152\256\161\312\037"
-"\261\052\270\137\102\005\013\354\106\060\321\162\013\312\351\126"
-"\155\365\357\337\170\276\141\272\262\245\256\004\114\274\250\254"
-"\151\025\227\275\357\353\264\214\277\065\370\324\303\321\050\016"
-"\134\072\237\160\030\063\040\167\304\242\257\002\003\001\000\001"
-"\243\201\253\060\201\250\060\013\006\003\125\035\017\004\004\003"
-"\002\001\306\060\017\006\003\125\035\023\001\001\377\004\005\060"
-"\003\001\001\377\060\035\006\003\125\035\016\004\026\004\024\123"
-"\062\321\263\317\177\372\340\361\240\135\205\116\222\322\236\105"
-"\035\264\117\060\075\006\003\125\035\037\004\066\060\064\060\062"
-"\240\060\240\056\206\054\150\164\164\160\072\057\057\143\162\154"
-"\056\165\163\145\162\164\162\165\163\164\056\143\157\155\057\125"
-"\124\116\055\104\101\124\101\103\157\162\160\123\107\103\056\143"
-"\162\154\060\052\006\003\125\035\045\004\043\060\041\006\010\053"
-"\006\001\005\005\007\003\001\006\012\053\006\001\004\001\202\067"
-"\012\003\003\006\011\140\206\110\001\206\370\102\004\001\060\015"
-"\006\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001"
-"\001\000\047\065\227\000\212\213\050\275\306\063\060\036\051\374"
-"\342\367\325\230\324\100\273\140\312\277\253\027\054\011\066\177"
-"\120\372\101\334\256\226\072\012\043\076\211\131\311\243\007\355"
-"\033\067\255\374\174\276\121\111\132\336\072\012\124\010\026\105"
-"\302\231\261\207\315\214\150\340\151\003\351\304\116\230\262\073"
-"\214\026\263\016\240\014\230\120\233\223\251\160\011\310\054\243"
-"\217\337\002\344\340\161\072\361\264\043\162\240\252\001\337\337"
-"\230\076\024\120\240\061\046\275\050\351\132\060\046\165\371\173"
-"\140\034\215\363\315\120\046\155\004\047\232\337\325\015\105\107"
-"\051\153\054\346\166\331\251\051\175\062\335\311\066\074\275\256"
-"\065\361\021\236\035\273\220\077\022\107\116\216\327\176\017\142"
-"\163\035\122\046\070\034\030\111\375\060\164\232\304\345\042\057"
-"\330\300\215\355\221\172\114\000\217\162\177\135\332\335\033\213"
-"\105\153\347\335\151\227\250\305\126\114\017\014\366\237\172\221"
-"\067\366\227\202\340\335\161\151\377\166\077\140\115\074\317\367"
-"\231\371\306\127\364\311\125\071\170\272\054\171\311\246\210\053"
-"\364\010"
-, (PRUint32)1122 }
-};
-static const NSSItem nss_builtins_items_167 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"UTN DATACorp SGC Root CA", (PRUint32)25 },
-  { (void *)"\130\021\237\016\022\202\207\352\120\375\331\207\105\157\117\170"
-"\334\372\326\324"
-, (PRUint32)20 },
-  { (void *)"\263\245\076\167\041\155\254\112\300\311\373\325\101\075\312\006"
-, (PRUint32)16 },
-  { (void *)"\060\201\223\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060"
-"\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153"
-"\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023"
-"\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116"
-"\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023"
-"\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162"
-"\164\162\165\163\164\056\143\157\155\061\033\060\031\006\003\125"
-"\004\003\023\022\125\124\116\040\055\040\104\101\124\101\103\157"
-"\162\160\040\123\107\103"
-, (PRUint32)150 },
-  { (void *)"\002\020\104\276\014\213\120\000\041\264\021\323\052\150\006\251"
-"\255\151"
-, (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_168 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"UTN USERFirst Email Root CA", (PRUint32)28 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\256\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060"
-"\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153"
-"\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023"
-"\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116"
-"\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023"
-"\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162"
-"\164\162\165\163\164\056\143\157\155\061\066\060\064\006\003\125"
-"\004\003\023\055\125\124\116\055\125\123\105\122\106\151\162\163"
-"\164\055\103\154\151\145\156\164\040\101\165\164\150\145\156\164"
-"\151\143\141\164\151\157\156\040\141\156\144\040\105\155\141\151"
-"\154"
-, (PRUint32)177 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\256\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060"
-"\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153"
-"\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023"
-"\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116"
-"\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023"
-"\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162"
-"\164\162\165\163\164\056\143\157\155\061\066\060\064\006\003\125"
-"\004\003\023\055\125\124\116\055\125\123\105\122\106\151\162\163"
-"\164\055\103\154\151\145\156\164\040\101\165\164\150\145\156\164"
-"\151\143\141\164\151\157\156\040\141\156\144\040\105\155\141\151"
-"\154"
-, (PRUint32)177 },
-  { (void *)"\002\020\104\276\014\213\120\000\044\264\021\323\066\045\045\147"
-"\311\211"
-, (PRUint32)18 },
-  { (void *)"\060\202\004\242\060\202\003\212\240\003\002\001\002\002\020\104"
-"\276\014\213\120\000\044\264\021\323\066\045\045\147\311\211\060"
-"\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201"
-"\256\061\013\060\011\006\003\125\004\006\023\002\125\123\061\013"
-"\060\011\006\003\125\004\010\023\002\125\124\061\027\060\025\006"
-"\003\125\004\007\023\016\123\141\154\164\040\114\141\153\145\040"
-"\103\151\164\171\061\036\060\034\006\003\125\004\012\023\025\124"
-"\150\145\040\125\123\105\122\124\122\125\123\124\040\116\145\164"
-"\167\157\162\153\061\041\060\037\006\003\125\004\013\023\030\150"
-"\164\164\160\072\057\057\167\167\167\056\165\163\145\162\164\162"
-"\165\163\164\056\143\157\155\061\066\060\064\006\003\125\004\003"
-"\023\055\125\124\116\055\125\123\105\122\106\151\162\163\164\055"
-"\103\154\151\145\156\164\040\101\165\164\150\145\156\164\151\143"
-"\141\164\151\157\156\040\141\156\144\040\105\155\141\151\154\060"
-"\036\027\015\071\071\060\067\060\071\061\067\062\070\065\060\132"
-"\027\015\061\071\060\067\060\071\061\067\063\066\065\070\132\060"
-"\201\256\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060\025"
-"\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153\145"
-"\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023\025"
-"\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116\145"
-"\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023\030"
-"\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162\164"
-"\162\165\163\164\056\143\157\155\061\066\060\064\006\003\125\004"
-"\003\023\055\125\124\116\055\125\123\105\122\106\151\162\163\164"
-"\055\103\154\151\145\156\164\040\101\165\164\150\145\156\164\151"
-"\143\141\164\151\157\156\040\141\156\144\040\105\155\141\151\154"
-"\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001"
-"\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001"
-"\000\262\071\205\244\362\175\253\101\073\142\106\067\256\315\301"
-"\140\165\274\071\145\371\112\032\107\242\271\314\110\314\152\230"
-"\325\115\065\031\271\244\102\345\316\111\342\212\057\036\174\322"
-"\061\007\307\116\264\203\144\235\056\051\325\242\144\304\205\275"
-"\205\121\065\171\244\116\150\220\173\034\172\244\222\250\027\362"
-"\230\025\362\223\314\311\244\062\225\273\014\117\060\275\230\240"
-"\013\213\345\156\033\242\106\372\170\274\242\157\253\131\136\245"
-"\057\317\312\332\155\252\057\353\254\241\263\152\252\267\056\147"
-"\065\213\171\341\036\151\210\342\346\106\315\240\245\352\276\013"
-"\316\166\072\172\016\233\352\374\332\047\133\075\163\037\042\346"
-"\110\141\306\114\363\151\261\250\056\033\266\324\061\040\054\274"
-"\202\212\216\244\016\245\327\211\103\374\026\132\257\035\161\327"
-"\021\131\332\272\207\015\257\372\363\341\302\360\244\305\147\214"
-"\326\326\124\072\336\012\244\272\003\167\263\145\310\375\036\323"
-"\164\142\252\030\312\150\223\036\241\205\176\365\107\145\313\370"
-"\115\127\050\164\322\064\377\060\266\356\366\142\060\024\214\054"
-"\353\002\003\001\000\001\243\201\271\060\201\266\060\013\006\003"
-"\125\035\017\004\004\003\002\001\306\060\017\006\003\125\035\023"
-"\001\001\377\004\005\060\003\001\001\377\060\035\006\003\125\035"
-"\016\004\026\004\024\211\202\147\175\304\235\046\160\000\113\264"
-"\120\110\174\336\075\256\004\156\175\060\130\006\003\125\035\037"
-"\004\121\060\117\060\115\240\113\240\111\206\107\150\164\164\160"
-"\072\057\057\143\162\154\056\165\163\145\162\164\162\165\163\164"
-"\056\143\157\155\057\125\124\116\055\125\123\105\122\106\151\162"
-"\163\164\055\103\154\151\145\156\164\101\165\164\150\145\156\164"
-"\151\143\141\164\151\157\156\141\156\144\105\155\141\151\154\056"
-"\143\162\154\060\035\006\003\125\035\045\004\026\060\024\006\010"
-"\053\006\001\005\005\007\003\002\006\010\053\006\001\005\005\007"
-"\003\004\060\015\006\011\052\206\110\206\367\015\001\001\005\005"
-"\000\003\202\001\001\000\261\155\141\135\246\032\177\174\253\112"
-"\344\060\374\123\157\045\044\306\312\355\342\061\134\053\016\356"
-"\356\141\125\157\004\076\317\071\336\305\033\111\224\344\353\040"
-"\114\264\346\236\120\056\162\331\215\365\252\243\263\112\332\126"
-"\034\140\227\200\334\202\242\255\112\275\212\053\377\013\011\264"
-"\306\327\040\004\105\344\315\200\001\272\272\053\156\316\252\327"
-"\222\376\344\257\353\364\046\035\026\052\177\154\060\225\067\057"
-"\063\022\254\177\335\307\321\021\214\121\230\262\320\243\221\320"
-"\255\366\237\236\203\223\036\035\102\270\106\257\153\146\360\233"
-"\177\352\343\003\002\345\002\121\301\252\325\065\235\162\100\003"
-"\211\272\061\035\305\020\150\122\236\337\242\205\305\134\010\246"
-"\170\346\123\117\261\350\267\323\024\236\223\246\303\144\343\254"
-"\176\161\315\274\237\351\003\033\314\373\351\254\061\301\257\174"
-"\025\164\002\231\303\262\107\246\302\062\141\327\307\157\110\044"
-"\121\047\241\325\207\125\362\173\217\230\075\026\236\356\165\266"
-"\370\320\216\362\363\306\256\050\133\247\360\363\066\027\374\303"
-"\005\323\312\003\112\124"
-, (PRUint32)1190 }
-};
-static const NSSItem nss_builtins_items_169 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"UTN USERFirst Email Root CA", (PRUint32)28 },
-  { (void *)"\261\162\261\245\155\225\371\037\345\002\207\341\115\067\352\152"
-"\104\143\166\212"
-, (PRUint32)20 },
-  { (void *)"\327\064\075\357\035\047\011\050\341\061\002\133\023\053\335\367"
-, (PRUint32)16 },
-  { (void *)"\060\201\256\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060"
-"\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153"
-"\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023"
-"\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116"
-"\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023"
-"\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162"
-"\164\162\165\163\164\056\143\157\155\061\066\060\064\006\003\125"
-"\004\003\023\055\125\124\116\055\125\123\105\122\106\151\162\163"
-"\164\055\103\154\151\145\156\164\040\101\165\164\150\145\156\164"
-"\151\143\141\164\151\157\156\040\141\156\144\040\105\155\141\151"
-"\154"
-, (PRUint32)177 },
-  { (void *)"\002\020\104\276\014\213\120\000\044\264\021\323\066\045\045\147"
-"\311\211"
-, (PRUint32)18 },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_170 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"UTN USERFirst Hardware Root CA", (PRUint32)31 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\227\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060"
-"\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153"
-"\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023"
-"\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116"
-"\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023"
-"\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162"
-"\164\162\165\163\164\056\143\157\155\061\037\060\035\006\003\125"
-"\004\003\023\026\125\124\116\055\125\123\105\122\106\151\162\163"
-"\164\055\110\141\162\144\167\141\162\145"
-, (PRUint32)154 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\227\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060"
-"\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153"
-"\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023"
-"\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116"
-"\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023"
-"\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162"
-"\164\162\165\163\164\056\143\157\155\061\037\060\035\006\003\125"
-"\004\003\023\026\125\124\116\055\125\123\105\122\106\151\162\163"
-"\164\055\110\141\162\144\167\141\162\145"
-, (PRUint32)154 },
-  { (void *)"\002\020\104\276\014\213\120\000\044\264\021\323\066\052\376\145"
-"\012\375"
-, (PRUint32)18 },
-  { (void *)"\060\202\004\164\060\202\003\134\240\003\002\001\002\002\020\104"
-"\276\014\213\120\000\044\264\021\323\066\052\376\145\012\375\060"
-"\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201"
-"\227\061\013\060\011\006\003\125\004\006\023\002\125\123\061\013"
-"\060\011\006\003\125\004\010\023\002\125\124\061\027\060\025\006"
-"\003\125\004\007\023\016\123\141\154\164\040\114\141\153\145\040"
-"\103\151\164\171\061\036\060\034\006\003\125\004\012\023\025\124"
-"\150\145\040\125\123\105\122\124\122\125\123\124\040\116\145\164"
-"\167\157\162\153\061\041\060\037\006\003\125\004\013\023\030\150"
-"\164\164\160\072\057\057\167\167\167\056\165\163\145\162\164\162"
-"\165\163\164\056\143\157\155\061\037\060\035\006\003\125\004\003"
-"\023\026\125\124\116\055\125\123\105\122\106\151\162\163\164\055"
-"\110\141\162\144\167\141\162\145\060\036\027\015\071\071\060\067"
-"\060\071\061\070\061\060\064\062\132\027\015\061\071\060\067\060"
-"\071\061\070\061\071\062\062\132\060\201\227\061\013\060\011\006"
-"\003\125\004\006\023\002\125\123\061\013\060\011\006\003\125\004"
-"\010\023\002\125\124\061\027\060\025\006\003\125\004\007\023\016"
-"\123\141\154\164\040\114\141\153\145\040\103\151\164\171\061\036"
-"\060\034\006\003\125\004\012\023\025\124\150\145\040\125\123\105"
-"\122\124\122\125\123\124\040\116\145\164\167\157\162\153\061\041"
-"\060\037\006\003\125\004\013\023\030\150\164\164\160\072\057\057"
-"\167\167\167\056\165\163\145\162\164\162\165\163\164\056\143\157"
-"\155\061\037\060\035\006\003\125\004\003\023\026\125\124\116\055"
-"\125\123\105\122\106\151\162\163\164\055\110\141\162\144\167\141"
-"\162\145\060\202\001\042\060\015\006\011\052\206\110\206\367\015"
-"\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202"
-"\001\001\000\261\367\303\070\077\264\250\177\317\071\202\121\147"
-"\320\155\237\322\377\130\363\347\237\053\354\015\211\124\231\271"
-"\070\231\026\367\340\041\171\110\302\273\141\164\022\226\035\074"
-"\152\162\325\074\020\147\072\071\355\053\023\315\146\353\225\011"
-"\063\244\154\227\261\350\306\354\301\165\171\234\106\136\215\253"
-"\320\152\375\271\052\125\027\020\124\263\031\360\232\366\361\261"
-"\135\266\247\155\373\340\161\027\153\242\210\373\000\337\376\032"
-"\061\167\014\232\001\172\261\062\343\053\001\007\070\156\303\245"
-"\136\043\274\105\233\173\120\301\311\060\217\333\345\053\172\323"
-"\133\373\063\100\036\240\325\230\027\274\213\207\303\211\323\135"
-"\240\216\262\252\252\366\216\151\210\006\305\372\211\041\363\010"
-"\235\151\056\011\063\233\051\015\106\017\214\314\111\064\260\151"
-"\121\275\371\006\315\150\255\146\114\274\076\254\141\275\012\210"
-"\016\310\337\075\356\174\004\114\235\012\136\153\221\326\356\307"
-"\355\050\215\253\115\207\211\163\320\156\244\320\036\026\213\024"
-"\341\166\104\003\177\143\254\344\315\111\234\305\222\364\253\062"
-"\241\110\133\002\003\001\000\001\243\201\271\060\201\266\060\013"
-"\006\003\125\035\017\004\004\003\002\001\306\060\017\006\003\125"
-"\035\023\001\001\377\004\005\060\003\001\001\377\060\035\006\003"
-"\125\035\016\004\026\004\024\241\162\137\046\033\050\230\103\225"
-"\135\007\067\325\205\226\235\113\322\303\105\060\104\006\003\125"
-"\035\037\004\075\060\073\060\071\240\067\240\065\206\063\150\164"
-"\164\160\072\057\057\143\162\154\056\165\163\145\162\164\162\165"
-"\163\164\056\143\157\155\057\125\124\116\055\125\123\105\122\106"
-"\151\162\163\164\055\110\141\162\144\167\141\162\145\056\143\162"
-"\154\060\061\006\003\125\035\045\004\052\060\050\006\010\053\006"
-"\001\005\005\007\003\001\006\010\053\006\001\005\005\007\003\005"
-"\006\010\053\006\001\005\005\007\003\006\006\010\053\006\001\005"
-"\005\007\003\007\060\015\006\011\052\206\110\206\367\015\001\001"
-"\005\005\000\003\202\001\001\000\107\031\017\336\164\306\231\227"
-"\257\374\255\050\136\165\216\353\055\147\356\116\173\053\327\014"
-"\377\366\336\313\125\242\012\341\114\124\145\223\140\153\237\022"
-"\234\255\136\203\054\353\132\256\300\344\055\364\000\143\035\270"
-"\300\154\362\317\111\273\115\223\157\006\246\012\042\262\111\142"
-"\010\116\377\310\310\024\262\210\026\135\347\001\344\022\225\345"
-"\105\064\263\213\151\275\317\264\205\217\165\121\236\175\072\070"
-"\072\024\110\022\306\373\247\073\032\215\015\202\100\007\350\004"
-"\010\220\241\211\313\031\120\337\312\034\001\274\035\004\031\173"
-"\020\166\227\073\356\220\220\312\304\016\037\026\156\165\357\063"
-"\370\323\157\133\036\226\343\340\164\167\164\173\212\242\156\055"
-"\335\166\326\071\060\202\360\253\234\122\362\052\307\257\111\136"
-"\176\307\150\345\202\201\310\152\047\371\047\210\052\325\130\120"
-"\225\037\360\073\034\127\273\175\024\071\142\053\232\311\224\222"
-"\052\243\042\014\377\211\046\175\137\043\053\107\327\025\035\251"
-"\152\236\121\015\052\121\236\201\371\324\073\136\160\022\177\020"
-"\062\234\036\273\235\370\146\250"
-, (PRUint32)1144 }
-};
-static const NSSItem nss_builtins_items_171 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"UTN USERFirst Hardware Root CA", (PRUint32)31 },
-  { (void *)"\004\203\355\063\231\254\066\010\005\207\042\355\274\136\106\000"
-"\343\276\371\327"
-, (PRUint32)20 },
-  { (void *)"\114\126\101\345\015\273\053\350\312\243\355\030\010\255\103\071"
-, (PRUint32)16 },
-  { (void *)"\060\201\227\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060"
-"\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153"
-"\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023"
-"\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116"
-"\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023"
-"\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162"
-"\164\162\165\163\164\056\143\157\155\061\037\060\035\006\003\125"
-"\004\003\023\026\125\124\116\055\125\123\105\122\106\151\162\163"
-"\164\055\110\141\162\144\167\141\162\145"
-, (PRUint32)154 },
-  { (void *)"\002\020\104\276\014\213\120\000\044\264\021\323\066\052\376\145"
-"\012\375"
-, (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_172 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"UTN USERFirst Object Root CA", (PRUint32)29 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\225\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060"
-"\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153"
-"\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023"
-"\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116"
-"\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023"
-"\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162"
-"\164\162\165\163\164\056\143\157\155\061\035\060\033\006\003\125"
-"\004\003\023\024\125\124\116\055\125\123\105\122\106\151\162\163"
-"\164\055\117\142\152\145\143\164"
-, (PRUint32)152 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\225\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060"
-"\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153"
-"\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023"
-"\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116"
-"\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023"
-"\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162"
-"\164\162\165\163\164\056\143\157\155\061\035\060\033\006\003\125"
-"\004\003\023\024\125\124\116\055\125\123\105\122\106\151\162\163"
-"\164\055\117\142\152\145\143\164"
-, (PRUint32)152 },
-  { (void *)"\002\020\104\276\014\213\120\000\044\264\021\323\066\055\340\263"
-"\137\033"
-, (PRUint32)18 },
-  { (void *)"\060\202\004\146\060\202\003\116\240\003\002\001\002\002\020\104"
-"\276\014\213\120\000\044\264\021\323\066\055\340\263\137\033\060"
-"\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201"
-"\225\061\013\060\011\006\003\125\004\006\023\002\125\123\061\013"
-"\060\011\006\003\125\004\010\023\002\125\124\061\027\060\025\006"
-"\003\125\004\007\023\016\123\141\154\164\040\114\141\153\145\040"
-"\103\151\164\171\061\036\060\034\006\003\125\004\012\023\025\124"
-"\150\145\040\125\123\105\122\124\122\125\123\124\040\116\145\164"
-"\167\157\162\153\061\041\060\037\006\003\125\004\013\023\030\150"
-"\164\164\160\072\057\057\167\167\167\056\165\163\145\162\164\162"
-"\165\163\164\056\143\157\155\061\035\060\033\006\003\125\004\003"
-"\023\024\125\124\116\055\125\123\105\122\106\151\162\163\164\055"
-"\117\142\152\145\143\164\060\036\027\015\071\071\060\067\060\071"
-"\061\070\063\061\062\060\132\027\015\061\071\060\067\060\071\061"
-"\070\064\060\063\066\132\060\201\225\061\013\060\011\006\003\125"
-"\004\006\023\002\125\123\061\013\060\011\006\003\125\004\010\023"
-"\002\125\124\061\027\060\025\006\003\125\004\007\023\016\123\141"
-"\154\164\040\114\141\153\145\040\103\151\164\171\061\036\060\034"
-"\006\003\125\004\012\023\025\124\150\145\040\125\123\105\122\124"
-"\122\125\123\124\040\116\145\164\167\157\162\153\061\041\060\037"
-"\006\003\125\004\013\023\030\150\164\164\160\072\057\057\167\167"
-"\167\056\165\163\145\162\164\162\165\163\164\056\143\157\155\061"
-"\035\060\033\006\003\125\004\003\023\024\125\124\116\055\125\123"
-"\105\122\106\151\162\163\164\055\117\142\152\145\143\164\060\202"
-"\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005"
-"\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000\316"
-"\252\201\077\243\243\141\170\252\061\000\125\225\021\236\047\017"
-"\037\034\337\072\233\202\150\060\300\112\141\035\361\057\016\372"
-"\276\171\367\245\043\357\125\121\226\204\315\333\343\271\156\076"
-"\061\330\012\040\147\307\364\331\277\224\353\107\004\076\002\316"
-"\052\242\135\207\004\011\366\060\235\030\212\227\262\252\034\374"
-"\101\322\241\066\313\373\075\221\272\347\331\160\065\372\344\347"
-"\220\303\233\243\233\323\074\365\022\231\167\261\267\011\340\150"
-"\346\034\270\363\224\143\210\152\152\376\013\166\311\276\364\042"
-"\344\147\271\253\032\136\167\301\205\007\335\015\154\277\356\006"
-"\307\167\152\101\236\247\017\327\373\356\224\027\267\374\205\276"
-"\244\253\304\034\061\335\327\266\321\344\360\357\337\026\217\262"
-"\122\223\327\241\324\211\241\007\056\277\341\001\022\102\036\032"
-"\341\330\225\064\333\144\171\050\377\272\056\021\302\345\350\133"
-"\222\110\373\107\013\302\154\332\255\062\203\101\363\245\345\101"
-"\160\375\145\220\155\372\372\121\304\371\275\226\053\031\004\054"
-"\323\155\247\334\360\177\157\203\145\342\152\253\207\206\165\002"
-"\003\001\000\001\243\201\257\060\201\254\060\013\006\003\125\035"
-"\017\004\004\003\002\001\306\060\017\006\003\125\035\023\001\001"
-"\377\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004"
-"\026\004\024\332\355\144\164\024\234\024\074\253\335\231\251\275"
-"\133\050\115\213\074\311\330\060\102\006\003\125\035\037\004\073"
-"\060\071\060\067\240\065\240\063\206\061\150\164\164\160\072\057"
-"\057\143\162\154\056\165\163\145\162\164\162\165\163\164\056\143"
-"\157\155\057\125\124\116\055\125\123\105\122\106\151\162\163\164"
-"\055\117\142\152\145\143\164\056\143\162\154\060\051\006\003\125"
-"\035\045\004\042\060\040\006\010\053\006\001\005\005\007\003\003"
-"\006\010\053\006\001\005\005\007\003\010\006\012\053\006\001\004"
-"\001\202\067\012\003\004\060\015\006\011\052\206\110\206\367\015"
-"\001\001\005\005\000\003\202\001\001\000\010\037\122\261\067\104"
-"\170\333\375\316\271\332\225\226\230\252\125\144\200\265\132\100"
-"\335\041\245\305\301\363\137\054\114\310\107\132\151\352\350\360"
-"\065\065\364\320\045\363\310\246\244\207\112\275\033\261\163\010"
-"\275\324\303\312\266\065\273\131\206\167\061\315\247\200\024\256"
-"\023\357\374\261\110\371\153\045\045\055\121\266\054\155\105\301"
-"\230\310\212\126\135\076\356\103\116\076\153\047\216\320\072\113"
-"\205\013\137\323\355\152\247\165\313\321\132\207\057\071\165\023"
-"\132\162\260\002\201\237\276\360\017\204\124\040\142\154\151\324"
-"\341\115\306\015\231\103\001\015\022\226\214\170\235\277\120\242"
-"\261\104\252\152\317\027\172\317\157\017\324\370\044\125\137\360"
-"\064\026\111\146\076\120\106\311\143\161\070\061\142\270\142\271"
-"\363\123\255\154\265\053\242\022\252\031\117\011\332\136\347\223"
-"\306\216\024\010\376\360\060\200\030\240\206\205\115\310\175\327"
-"\213\003\376\156\325\367\235\026\254\222\054\240\043\345\234\221"
-"\122\037\224\337\027\224\163\303\263\301\301\161\005\040\000\170"
-"\275\023\122\035\250\076\315\000\037\310"
-, (PRUint32)1130 }
-};
-static const NSSItem nss_builtins_items_173 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"UTN USERFirst Object Root CA", (PRUint32)29 },
-  { (void *)"\341\055\373\113\101\327\331\303\053\060\121\113\254\035\201\330"
-"\070\136\055\106"
-, (PRUint32)20 },
-  { (void *)"\247\362\344\026\006\101\021\120\060\153\234\343\264\234\260\311"
-, (PRUint32)16 },
-  { (void *)"\060\201\225\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060"
-"\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153"
-"\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023"
-"\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116"
-"\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023"
-"\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162"
-"\164\162\165\163\164\056\143\157\155\061\035\060\033\006\003\125"
-"\004\003\023\024\125\124\116\055\125\123\105\122\106\151\162\163"
-"\164\055\117\142\152\145\143\164"
-, (PRUint32)152 },
-  { (void *)"\002\020\104\276\014\213\120\000\044\264\021\323\066\055\340\263"
-"\137\033"
-, (PRUint32)18 },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_174 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Camerfirma Chambers of Commerce Root", (PRUint32)37 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\177\061\013\060\011\006\003\125\004\006\023\002\105\125\061"
-"\047\060\045\006\003\125\004\012\023\036\101\103\040\103\141\155"
-"\145\162\146\151\162\155\141\040\123\101\040\103\111\106\040\101"
-"\070\062\067\064\063\062\070\067\061\043\060\041\006\003\125\004"
-"\013\023\032\150\164\164\160\072\057\057\167\167\167\056\143\150"
-"\141\155\142\145\162\163\151\147\156\056\157\162\147\061\042\060"
-"\040\006\003\125\004\003\023\031\103\150\141\155\142\145\162\163"
-"\040\157\146\040\103\157\155\155\145\162\143\145\040\122\157\157"
-"\164"
-, (PRUint32)129 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\177\061\013\060\011\006\003\125\004\006\023\002\105\125\061"
-"\047\060\045\006\003\125\004\012\023\036\101\103\040\103\141\155"
-"\145\162\146\151\162\155\141\040\123\101\040\103\111\106\040\101"
-"\070\062\067\064\063\062\070\067\061\043\060\041\006\003\125\004"
-"\013\023\032\150\164\164\160\072\057\057\167\167\167\056\143\150"
-"\141\155\142\145\162\163\151\147\156\056\157\162\147\061\042\060"
-"\040\006\003\125\004\003\023\031\103\150\141\155\142\145\162\163"
-"\040\157\146\040\103\157\155\155\145\162\143\145\040\122\157\157"
-"\164"
-, (PRUint32)129 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)"\060\202\004\275\060\202\003\245\240\003\002\001\002\002\001\000"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
-"\177\061\013\060\011\006\003\125\004\006\023\002\105\125\061\047"
-"\060\045\006\003\125\004\012\023\036\101\103\040\103\141\155\145"
-"\162\146\151\162\155\141\040\123\101\040\103\111\106\040\101\070"
-"\062\067\064\063\062\070\067\061\043\060\041\006\003\125\004\013"
-"\023\032\150\164\164\160\072\057\057\167\167\167\056\143\150\141"
-"\155\142\145\162\163\151\147\156\056\157\162\147\061\042\060\040"
-"\006\003\125\004\003\023\031\103\150\141\155\142\145\162\163\040"
-"\157\146\040\103\157\155\155\145\162\143\145\040\122\157\157\164"
-"\060\036\027\015\060\063\060\071\063\060\061\066\061\063\064\063"
-"\132\027\015\063\067\060\071\063\060\061\066\061\063\064\064\132"
-"\060\177\061\013\060\011\006\003\125\004\006\023\002\105\125\061"
-"\047\060\045\006\003\125\004\012\023\036\101\103\040\103\141\155"
-"\145\162\146\151\162\155\141\040\123\101\040\103\111\106\040\101"
-"\070\062\067\064\063\062\070\067\061\043\060\041\006\003\125\004"
-"\013\023\032\150\164\164\160\072\057\057\167\167\167\056\143\150"
-"\141\155\142\145\162\163\151\147\156\056\157\162\147\061\042\060"
-"\040\006\003\125\004\003\023\031\103\150\141\155\142\145\162\163"
-"\040\157\146\040\103\157\155\155\145\162\143\145\040\122\157\157"
-"\164\060\202\001\040\060\015\006\011\052\206\110\206\367\015\001"
-"\001\001\005\000\003\202\001\015\000\060\202\001\010\002\202\001"
-"\001\000\267\066\125\345\245\135\030\060\340\332\211\124\221\374"
-"\310\307\122\370\057\120\331\357\261\165\163\145\107\175\033\133"
-"\272\165\305\374\241\210\044\372\057\355\312\010\112\071\124\304"
-"\121\172\265\332\140\352\070\074\201\262\313\361\273\331\221\043"
-"\077\110\001\160\165\251\005\052\255\037\161\363\311\124\075\035"
-"\006\152\100\076\263\014\205\356\134\033\171\302\142\304\270\066"
-"\216\065\135\001\014\043\004\107\065\252\233\140\116\240\146\075"
-"\313\046\012\234\100\241\364\135\230\277\161\253\245\000\150\052"
-"\355\203\172\017\242\024\265\324\042\263\200\260\074\014\132\121"
-"\151\055\130\030\217\355\231\236\361\256\342\225\346\366\107\250"
-"\326\014\017\260\130\130\333\303\146\067\236\233\221\124\063\067"
-"\322\224\034\152\110\311\311\362\245\332\245\014\043\367\043\016"
-"\234\062\125\136\161\234\204\005\121\232\055\375\346\116\052\064"
-"\132\336\312\100\067\147\014\124\041\125\167\332\012\014\314\227"
-"\256\200\334\224\066\112\364\076\316\066\023\036\123\344\254\116"
-"\072\005\354\333\256\162\234\070\213\320\071\073\211\012\076\167"
-"\376\165\002\001\003\243\202\001\104\060\202\001\100\060\022\006"
-"\003\125\035\023\001\001\377\004\010\060\006\001\001\377\002\001"
-"\014\060\074\006\003\125\035\037\004\065\060\063\060\061\240\057"
-"\240\055\206\053\150\164\164\160\072\057\057\143\162\154\056\143"
-"\150\141\155\142\145\162\163\151\147\156\056\157\162\147\057\143"
-"\150\141\155\142\145\162\163\162\157\157\164\056\143\162\154\060"
-"\035\006\003\125\035\016\004\026\004\024\343\224\365\261\115\351"
-"\333\241\051\133\127\213\115\166\006\166\341\321\242\212\060\016"
-"\006\003\125\035\017\001\001\377\004\004\003\002\001\006\060\021"
-"\006\011\140\206\110\001\206\370\102\001\001\004\004\003\002\000"
-"\007\060\047\006\003\125\035\021\004\040\060\036\201\034\143\150"
-"\141\155\142\145\162\163\162\157\157\164\100\143\150\141\155\142"
-"\145\162\163\151\147\156\056\157\162\147\060\047\006\003\125\035"
-"\022\004\040\060\036\201\034\143\150\141\155\142\145\162\163\162"
-"\157\157\164\100\143\150\141\155\142\145\162\163\151\147\156\056"
-"\157\162\147\060\130\006\003\125\035\040\004\121\060\117\060\115"
-"\006\013\053\006\001\004\001\201\207\056\012\003\001\060\076\060"
-"\074\006\010\053\006\001\005\005\007\002\001\026\060\150\164\164"
-"\160\072\057\057\143\160\163\056\143\150\141\155\142\145\162\163"
-"\151\147\156\056\157\162\147\057\143\160\163\057\143\150\141\155"
-"\142\145\162\163\162\157\157\164\056\150\164\155\154\060\015\006"
-"\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001"
-"\000\014\101\227\302\032\206\300\042\174\237\373\220\363\032\321"
-"\003\261\357\023\371\041\137\004\234\332\311\245\215\047\154\226"
-"\207\221\276\101\220\001\162\223\347\036\175\137\366\211\306\135"
-"\247\100\011\075\254\111\105\105\334\056\215\060\150\262\011\272"
-"\373\303\057\314\272\013\337\077\167\173\106\175\072\022\044\216"
-"\226\217\074\005\012\157\322\224\050\035\155\014\300\056\210\042"
-"\325\330\317\035\023\307\360\110\327\327\005\247\317\307\107\236"
-"\073\074\064\310\200\117\324\024\273\374\015\120\367\372\263\354"
-"\102\137\251\335\155\310\364\165\317\173\301\162\046\261\001\034"
-"\134\054\375\172\116\264\001\305\005\127\271\347\074\252\005\331"
-"\210\351\007\106\101\316\357\101\201\256\130\337\203\242\256\312"
-"\327\167\037\347\000\074\235\157\216\344\062\011\035\115\170\064"
-"\170\064\074\224\233\046\355\117\161\306\031\172\275\040\042\110"
-"\132\376\113\175\003\267\347\130\276\306\062\116\164\036\150\335"
-"\250\150\133\263\076\356\142\175\331\200\350\012\165\172\267\356"
-"\264\145\232\041\220\340\252\320\230\274\070\265\163\074\213\370"
-"\334"
-, (PRUint32)1217 }
-};
-static const NSSItem nss_builtins_items_175 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Camerfirma Chambers of Commerce Root", (PRUint32)37 },
-  { (void *)"\156\072\125\244\031\014\031\134\223\204\074\300\333\162\056\061"
-"\060\141\360\261"
-, (PRUint32)20 },
-  { (void *)"\260\001\356\024\331\257\051\030\224\166\216\361\151\063\052\204"
-, (PRUint32)16 },
-  { (void *)"\060\177\061\013\060\011\006\003\125\004\006\023\002\105\125\061"
-"\047\060\045\006\003\125\004\012\023\036\101\103\040\103\141\155"
-"\145\162\146\151\162\155\141\040\123\101\040\103\111\106\040\101"
-"\070\062\067\064\063\062\070\067\061\043\060\041\006\003\125\004"
-"\013\023\032\150\164\164\160\072\057\057\167\167\167\056\143\150"
-"\141\155\142\145\162\163\151\147\156\056\157\162\147\061\042\060"
-"\040\006\003\125\004\003\023\031\103\150\141\155\142\145\162\163"
-"\040\157\146\040\103\157\155\155\145\162\143\145\040\122\157\157"
-"\164"
-, (PRUint32)129 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_176 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Camerfirma Global Chambersign Root", (PRUint32)35 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\175\061\013\060\011\006\003\125\004\006\023\002\105\125\061"
-"\047\060\045\006\003\125\004\012\023\036\101\103\040\103\141\155"
-"\145\162\146\151\162\155\141\040\123\101\040\103\111\106\040\101"
-"\070\062\067\064\063\062\070\067\061\043\060\041\006\003\125\004"
-"\013\023\032\150\164\164\160\072\057\057\167\167\167\056\143\150"
-"\141\155\142\145\162\163\151\147\156\056\157\162\147\061\040\060"
-"\036\006\003\125\004\003\023\027\107\154\157\142\141\154\040\103"
-"\150\141\155\142\145\162\163\151\147\156\040\122\157\157\164"
-, (PRUint32)127 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\175\061\013\060\011\006\003\125\004\006\023\002\105\125\061"
-"\047\060\045\006\003\125\004\012\023\036\101\103\040\103\141\155"
-"\145\162\146\151\162\155\141\040\123\101\040\103\111\106\040\101"
-"\070\062\067\064\063\062\070\067\061\043\060\041\006\003\125\004"
-"\013\023\032\150\164\164\160\072\057\057\167\167\167\056\143\150"
-"\141\155\142\145\162\163\151\147\156\056\157\162\147\061\040\060"
-"\036\006\003\125\004\003\023\027\107\154\157\142\141\154\040\103"
-"\150\141\155\142\145\162\163\151\147\156\040\122\157\157\164"
-, (PRUint32)127 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)"\060\202\004\305\060\202\003\255\240\003\002\001\002\002\001\000"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
-"\175\061\013\060\011\006\003\125\004\006\023\002\105\125\061\047"
-"\060\045\006\003\125\004\012\023\036\101\103\040\103\141\155\145"
-"\162\146\151\162\155\141\040\123\101\040\103\111\106\040\101\070"
-"\062\067\064\063\062\070\067\061\043\060\041\006\003\125\004\013"
-"\023\032\150\164\164\160\072\057\057\167\167\167\056\143\150\141"
-"\155\142\145\162\163\151\147\156\056\157\162\147\061\040\060\036"
-"\006\003\125\004\003\023\027\107\154\157\142\141\154\040\103\150"
-"\141\155\142\145\162\163\151\147\156\040\122\157\157\164\060\036"
-"\027\015\060\063\060\071\063\060\061\066\061\064\061\070\132\027"
-"\015\063\067\060\071\063\060\061\066\061\064\061\070\132\060\175"
-"\061\013\060\011\006\003\125\004\006\023\002\105\125\061\047\060"
-"\045\006\003\125\004\012\023\036\101\103\040\103\141\155\145\162"
-"\146\151\162\155\141\040\123\101\040\103\111\106\040\101\070\062"
-"\067\064\063\062\070\067\061\043\060\041\006\003\125\004\013\023"
-"\032\150\164\164\160\072\057\057\167\167\167\056\143\150\141\155"
-"\142\145\162\163\151\147\156\056\157\162\147\061\040\060\036\006"
-"\003\125\004\003\023\027\107\154\157\142\141\154\040\103\150\141"
-"\155\142\145\162\163\151\147\156\040\122\157\157\164\060\202\001"
-"\040\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000"
-"\003\202\001\015\000\060\202\001\010\002\202\001\001\000\242\160"
-"\242\320\237\102\256\133\027\307\330\175\317\024\203\374\117\311"
-"\241\267\023\257\212\327\236\076\004\012\222\213\140\126\372\264"
-"\062\057\210\115\241\140\010\364\267\011\116\240\111\057\111\326"
-"\323\337\235\227\132\237\224\004\160\354\077\131\331\267\314\146"
-"\213\230\122\050\011\002\337\305\057\204\215\172\227\167\277\354"
-"\100\235\045\162\253\265\077\062\230\373\267\267\374\162\204\345"
-"\065\207\371\125\372\243\037\016\157\056\050\335\151\240\331\102"
-"\020\306\370\265\104\302\320\103\177\333\274\344\242\074\152\125"
-"\170\012\167\251\330\352\031\062\267\057\376\134\077\033\356\261"
-"\230\354\312\255\172\151\105\343\226\017\125\366\346\355\165\352"
-"\145\350\062\126\223\106\211\250\045\212\145\006\356\153\277\171"
-"\007\320\361\267\257\355\054\115\222\273\300\250\137\247\147\175"
-"\004\362\025\010\160\254\222\326\175\004\322\063\373\114\266\013"
-"\013\373\032\311\304\215\003\251\176\134\362\120\253\022\245\241"
-"\317\110\120\245\357\322\310\032\023\372\260\177\261\202\034\167"
-"\152\017\137\334\013\225\217\357\103\176\346\105\011\045\002\001"
-"\003\243\202\001\120\060\202\001\114\060\022\006\003\125\035\023"
-"\001\001\377\004\010\060\006\001\001\377\002\001\014\060\077\006"
-"\003\125\035\037\004\070\060\066\060\064\240\062\240\060\206\056"
-"\150\164\164\160\072\057\057\143\162\154\056\143\150\141\155\142"
-"\145\162\163\151\147\156\056\157\162\147\057\143\150\141\155\142"
-"\145\162\163\151\147\156\162\157\157\164\056\143\162\154\060\035"
-"\006\003\125\035\016\004\026\004\024\103\234\066\237\260\236\060"
-"\115\306\316\137\255\020\253\345\003\245\372\251\024\060\016\006"
-"\003\125\035\017\001\001\377\004\004\003\002\001\006\060\021\006"
-"\011\140\206\110\001\206\370\102\001\001\004\004\003\002\000\007"
-"\060\052\006\003\125\035\021\004\043\060\041\201\037\143\150\141"
-"\155\142\145\162\163\151\147\156\162\157\157\164\100\143\150\141"
-"\155\142\145\162\163\151\147\156\056\157\162\147\060\052\006\003"
-"\125\035\022\004\043\060\041\201\037\143\150\141\155\142\145\162"
-"\163\151\147\156\162\157\157\164\100\143\150\141\155\142\145\162"
-"\163\151\147\156\056\157\162\147\060\133\006\003\125\035\040\004"
-"\124\060\122\060\120\006\013\053\006\001\004\001\201\207\056\012"
-"\001\001\060\101\060\077\006\010\053\006\001\005\005\007\002\001"
-"\026\063\150\164\164\160\072\057\057\143\160\163\056\143\150\141"
-"\155\142\145\162\163\151\147\156\056\157\162\147\057\143\160\163"
-"\057\143\150\141\155\142\145\162\163\151\147\156\162\157\157\164"
-"\056\150\164\155\154\060\015\006\011\052\206\110\206\367\015\001"
-"\001\005\005\000\003\202\001\001\000\074\073\160\221\371\004\124"
-"\047\221\341\355\355\376\150\177\141\135\345\101\145\117\062\361"
-"\030\005\224\152\034\336\037\160\333\076\173\062\002\064\265\014"
-"\154\241\212\174\245\364\217\377\324\330\255\027\325\055\004\321"
-"\077\130\200\342\201\131\210\276\300\343\106\223\044\376\220\275"
-"\046\242\060\055\350\227\046\127\065\211\164\226\030\366\025\342"
-"\257\044\031\126\002\002\262\272\017\024\352\306\212\146\301\206"
-"\105\125\213\276\222\276\234\244\004\307\111\074\236\350\051\172"
-"\211\327\376\257\377\150\365\245\027\220\275\254\231\314\245\206"
-"\127\011\147\106\333\326\026\302\106\361\344\251\120\365\217\321"
-"\222\025\323\137\076\306\000\111\072\156\130\262\321\321\047\015"
-"\045\310\062\370\040\021\315\175\062\063\110\224\124\114\335\334"
-"\171\304\060\237\353\216\270\125\265\327\210\134\305\152\044\075"
-"\262\323\005\003\121\306\007\357\314\024\162\164\075\156\162\316"
-"\030\050\214\112\240\167\345\011\053\105\104\107\254\267\147\177"
-"\001\212\005\132\223\276\241\301\377\370\347\016\147\244\107\111"
-"\166\135\165\220\032\365\046\217\360"
-, (PRUint32)1225 }
-};
-static const NSSItem nss_builtins_items_177 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Camerfirma Global Chambersign Root", (PRUint32)35 },
-  { (void *)"\063\233\153\024\120\044\233\125\172\001\207\162\204\331\340\057"
-"\303\322\330\351"
-, (PRUint32)20 },
-  { (void *)"\305\346\173\277\006\320\117\103\355\304\172\145\212\373\153\031"
-, (PRUint32)16 },
-  { (void *)"\060\175\061\013\060\011\006\003\125\004\006\023\002\105\125\061"
-"\047\060\045\006\003\125\004\012\023\036\101\103\040\103\141\155"
-"\145\162\146\151\162\155\141\040\123\101\040\103\111\106\040\101"
-"\070\062\067\064\063\062\070\067\061\043\060\041\006\003\125\004"
-"\013\023\032\150\164\164\160\072\057\057\167\167\167\056\143\150"
-"\141\155\142\145\162\163\151\147\156\056\157\162\147\061\040\060"
-"\036\006\003\125\004\003\023\027\107\154\157\142\141\154\040\103"
-"\150\141\155\142\145\162\163\151\147\156\040\122\157\157\164"
-, (PRUint32)127 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_178 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"NetLock Notary (Class A) Root", (PRUint32)30 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\257\061\013\060\011\006\003\125\004\006\023\002\110\125"
-"\061\020\060\016\006\003\125\004\010\023\007\110\165\156\147\141"
-"\162\171\061\021\060\017\006\003\125\004\007\023\010\102\165\144"
-"\141\160\145\163\164\061\047\060\045\006\003\125\004\012\023\036"
-"\116\145\164\114\157\143\153\040\110\141\154\157\172\141\164\142"
-"\151\172\164\157\156\163\141\147\151\040\113\146\164\056\061\032"
-"\060\030\006\003\125\004\013\023\021\124\141\156\165\163\151\164"
-"\166\141\156\171\153\151\141\144\157\153\061\066\060\064\006\003"
-"\125\004\003\023\055\116\145\164\114\157\143\153\040\113\157\172"
-"\152\145\147\171\172\157\151\040\050\103\154\141\163\163\040\101"
-"\051\040\124\141\156\165\163\151\164\166\141\156\171\153\151\141"
-"\144\157"
-, (PRUint32)178 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\257\061\013\060\011\006\003\125\004\006\023\002\110\125"
-"\061\020\060\016\006\003\125\004\010\023\007\110\165\156\147\141"
-"\162\171\061\021\060\017\006\003\125\004\007\023\010\102\165\144"
-"\141\160\145\163\164\061\047\060\045\006\003\125\004\012\023\036"
-"\116\145\164\114\157\143\153\040\110\141\154\157\172\141\164\142"
-"\151\172\164\157\156\163\141\147\151\040\113\146\164\056\061\032"
-"\060\030\006\003\125\004\013\023\021\124\141\156\165\163\151\164"
-"\166\141\156\171\153\151\141\144\157\153\061\066\060\064\006\003"
-"\125\004\003\023\055\116\145\164\114\157\143\153\040\113\157\172"
-"\152\145\147\171\172\157\151\040\050\103\154\141\163\163\040\101"
-"\051\040\124\141\156\165\163\151\164\166\141\156\171\153\151\141"
-"\144\157"
-, (PRUint32)178 },
-  { (void *)"\002\002\001\003"
-, (PRUint32)4 },
-  { (void *)"\060\202\006\175\060\202\005\145\240\003\002\001\002\002\002\001"
-"\003\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000"
-"\060\201\257\061\013\060\011\006\003\125\004\006\023\002\110\125"
-"\061\020\060\016\006\003\125\004\010\023\007\110\165\156\147\141"
-"\162\171\061\021\060\017\006\003\125\004\007\023\010\102\165\144"
-"\141\160\145\163\164\061\047\060\045\006\003\125\004\012\023\036"
-"\116\145\164\114\157\143\153\040\110\141\154\157\172\141\164\142"
-"\151\172\164\157\156\163\141\147\151\040\113\146\164\056\061\032"
-"\060\030\006\003\125\004\013\023\021\124\141\156\165\163\151\164"
-"\166\141\156\171\153\151\141\144\157\153\061\066\060\064\006\003"
-"\125\004\003\023\055\116\145\164\114\157\143\153\040\113\157\172"
-"\152\145\147\171\172\157\151\040\050\103\154\141\163\163\040\101"
-"\051\040\124\141\156\165\163\151\164\166\141\156\171\153\151\141"
-"\144\157\060\036\027\015\071\071\060\062\062\064\062\063\061\064"
-"\064\067\132\027\015\061\071\060\062\061\071\062\063\061\064\064"
-"\067\132\060\201\257\061\013\060\011\006\003\125\004\006\023\002"
-"\110\125\061\020\060\016\006\003\125\004\010\023\007\110\165\156"
-"\147\141\162\171\061\021\060\017\006\003\125\004\007\023\010\102"
-"\165\144\141\160\145\163\164\061\047\060\045\006\003\125\004\012"
-"\023\036\116\145\164\114\157\143\153\040\110\141\154\157\172\141"
-"\164\142\151\172\164\157\156\163\141\147\151\040\113\146\164\056"
-"\061\032\060\030\006\003\125\004\013\023\021\124\141\156\165\163"
-"\151\164\166\141\156\171\153\151\141\144\157\153\061\066\060\064"
-"\006\003\125\004\003\023\055\116\145\164\114\157\143\153\040\113"
-"\157\172\152\145\147\171\172\157\151\040\050\103\154\141\163\163"
-"\040\101\051\040\124\141\156\165\163\151\164\166\141\156\171\153"
-"\151\141\144\157\060\202\001\042\060\015\006\011\052\206\110\206"
-"\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012"
-"\002\202\001\001\000\274\164\214\017\273\114\364\067\036\251\005"
-"\202\330\346\341\154\160\352\170\265\156\321\070\104\015\250\203"
-"\316\135\322\326\325\201\305\324\113\347\133\224\160\046\333\073"
-"\235\152\114\142\367\161\363\144\326\141\073\075\353\163\243\067"
-"\331\317\352\214\222\073\315\367\007\334\146\164\227\364\105\042"
-"\335\364\134\340\277\155\363\276\145\063\344\025\072\277\333\230"
-"\220\125\070\304\355\246\125\143\013\260\170\004\364\343\156\301"
-"\077\216\374\121\170\037\222\236\203\302\376\331\260\251\311\274"
-"\132\000\377\251\250\230\164\373\366\054\076\025\071\015\266\004"
-"\125\250\016\230\040\102\263\261\045\255\176\232\157\135\123\261"
-"\253\014\374\353\340\363\172\263\250\263\377\106\366\143\242\330"
-"\072\230\173\266\254\205\377\260\045\117\164\143\347\023\007\245"
-"\012\217\005\367\300\144\157\176\247\047\200\226\336\324\056\206"
-"\140\307\153\053\136\163\173\027\347\221\077\144\014\330\113\042"
-"\064\053\233\062\362\110\037\237\241\012\204\172\342\302\255\227"
-"\075\216\325\301\371\126\243\120\351\306\264\372\230\242\356\225"
-"\346\052\003\214\337\002\003\001\000\001\243\202\002\237\060\202"
-"\002\233\060\016\006\003\125\035\017\001\001\377\004\004\003\002"
-"\000\006\060\022\006\003\125\035\023\001\001\377\004\010\060\006"
-"\001\001\377\002\001\004\060\021\006\011\140\206\110\001\206\370"
-"\102\001\001\004\004\003\002\000\007\060\202\002\140\006\011\140"
-"\206\110\001\206\370\102\001\015\004\202\002\121\026\202\002\115"
-"\106\111\107\131\105\114\105\115\041\040\105\172\145\156\040\164"
-"\141\156\165\163\151\164\166\141\156\171\040\141\040\116\145\164"
-"\114\157\143\153\040\113\146\164\056\040\101\154\164\141\154\141"
-"\156\157\163\040\123\172\157\154\147\141\154\164\141\164\141\163"
-"\151\040\106\145\154\164\145\164\145\154\145\151\142\145\156\040"
-"\154\145\151\162\164\040\145\154\152\141\162\141\163\157\153\040"
-"\141\154\141\160\152\141\156\040\153\145\163\172\165\154\164\056"
-"\040\101\040\150\151\164\145\154\145\163\151\164\145\163\040\146"
-"\157\154\171\141\155\141\164\141\164\040\141\040\116\145\164\114"
-"\157\143\153\040\113\146\164\056\040\164\145\162\155\145\153\146"
-"\145\154\145\154\157\163\163\145\147\055\142\151\172\164\157\163"
-"\151\164\141\163\141\040\166\145\144\151\056\040\101\040\144\151"
-"\147\151\164\141\154\151\163\040\141\154\141\151\162\141\163\040"
-"\145\154\146\157\147\141\144\141\163\141\156\141\153\040\146\145"
-"\154\164\145\164\145\154\145\040\141\172\040\145\154\157\151\162"
-"\164\040\145\154\154\145\156\157\162\172\145\163\151\040\145\154"
-"\152\141\162\141\163\040\155\145\147\164\145\164\145\154\145\056"
-"\040\101\172\040\145\154\152\141\162\141\163\040\154\145\151\162"
-"\141\163\141\040\155\145\147\164\141\154\141\154\150\141\164\157"
-"\040\141\040\116\145\164\114\157\143\153\040\113\146\164\056\040"
-"\111\156\164\145\162\156\145\164\040\150\157\156\154\141\160\152"
-"\141\156\040\141\040\150\164\164\160\163\072\057\057\167\167\167"
-"\056\156\145\164\154\157\143\153\056\156\145\164\057\144\157\143"
-"\163\040\143\151\155\145\156\040\166\141\147\171\040\153\145\162"
-"\150\145\164\157\040\141\172\040\145\154\154\145\156\157\162\172"
-"\145\163\100\156\145\164\154\157\143\153\056\156\145\164\040\145"
-"\055\155\141\151\154\040\143\151\155\145\156\056\040\111\115\120"
-"\117\122\124\101\116\124\041\040\124\150\145\040\151\163\163\165"
-"\141\156\143\145\040\141\156\144\040\164\150\145\040\165\163\145"
-"\040\157\146\040\164\150\151\163\040\143\145\162\164\151\146\151"
-"\143\141\164\145\040\151\163\040\163\165\142\152\145\143\164\040"
-"\164\157\040\164\150\145\040\116\145\164\114\157\143\153\040\103"
-"\120\123\040\141\166\141\151\154\141\142\154\145\040\141\164\040"
-"\150\164\164\160\163\072\057\057\167\167\167\056\156\145\164\154"
-"\157\143\153\056\156\145\164\057\144\157\143\163\040\157\162\040"
-"\142\171\040\145\055\155\141\151\154\040\141\164\040\143\160\163"
-"\100\156\145\164\154\157\143\153\056\156\145\164\056\060\015\006"
-"\011\052\206\110\206\367\015\001\001\004\005\000\003\202\001\001"
-"\000\110\044\106\367\272\126\157\372\310\050\003\100\116\345\061"
-"\071\153\046\153\123\177\333\337\337\363\161\075\046\300\024\016"
-"\306\147\173\043\250\014\163\335\001\273\306\312\156\067\071\125"
-"\325\307\214\126\040\016\050\012\016\322\052\244\260\111\122\306"
-"\070\007\376\276\012\011\214\321\230\317\312\332\024\061\241\117"
-"\322\071\374\017\021\054\103\303\335\253\223\307\125\076\107\174"
-"\030\032\000\334\363\173\330\362\177\122\154\040\364\013\137\151"
-"\122\364\356\370\262\051\140\353\343\111\061\041\015\326\265\020"
-"\101\342\101\011\154\342\032\232\126\113\167\002\366\240\233\232"
-"\047\207\350\125\051\161\302\220\237\105\170\032\341\025\144\075"
-"\320\016\330\240\166\237\256\305\320\056\352\326\017\126\354\144"
-"\177\132\233\024\130\001\047\176\023\120\307\153\052\346\150\074"
-"\277\134\240\012\033\341\016\172\351\342\200\303\351\351\366\375"
-"\154\021\236\320\345\050\047\053\124\062\102\024\202\165\346\112"
-"\360\053\146\165\143\214\242\373\004\076\203\016\233\066\360\030"
-"\344\046\040\303\214\360\050\007\255\074\027\146\210\265\375\266"
-"\210"
-, (PRUint32)1665 }
-};
-static const NSSItem nss_builtins_items_179 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"NetLock Notary (Class A) Root", (PRUint32)30 },
-  { (void *)"\254\355\137\145\123\375\045\316\001\137\037\172\110\073\152\164"
-"\237\141\170\306"
-, (PRUint32)20 },
-  { (void *)"\206\070\155\136\111\143\154\205\134\333\155\334\224\267\320\367"
-, (PRUint32)16 },
-  { (void *)"\060\201\257\061\013\060\011\006\003\125\004\006\023\002\110\125"
-"\061\020\060\016\006\003\125\004\010\023\007\110\165\156\147\141"
-"\162\171\061\021\060\017\006\003\125\004\007\023\010\102\165\144"
-"\141\160\145\163\164\061\047\060\045\006\003\125\004\012\023\036"
-"\116\145\164\114\157\143\153\040\110\141\154\157\172\141\164\142"
-"\151\172\164\157\156\163\141\147\151\040\113\146\164\056\061\032"
-"\060\030\006\003\125\004\013\023\021\124\141\156\165\163\151\164"
-"\166\141\156\171\153\151\141\144\157\153\061\066\060\064\006\003"
-"\125\004\003\023\055\116\145\164\114\157\143\153\040\113\157\172"
-"\152\145\147\171\172\157\151\040\050\103\154\141\163\163\040\101"
-"\051\040\124\141\156\165\163\151\164\166\141\156\171\153\151\141"
-"\144\157"
-, (PRUint32)178 },
-  { (void *)"\002\002\001\003"
-, (PRUint32)4 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_180 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"NetLock Business (Class B) Root", (PRUint32)32 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\231\061\013\060\011\006\003\125\004\006\023\002\110\125"
-"\061\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160"
-"\145\163\164\061\047\060\045\006\003\125\004\012\023\036\116\145"
-"\164\114\157\143\153\040\110\141\154\157\172\141\164\142\151\172"
-"\164\157\156\163\141\147\151\040\113\146\164\056\061\032\060\030"
-"\006\003\125\004\013\023\021\124\141\156\165\163\151\164\166\141"
-"\156\171\153\151\141\144\157\153\061\062\060\060\006\003\125\004"
-"\003\023\051\116\145\164\114\157\143\153\040\125\172\154\145\164"
-"\151\040\050\103\154\141\163\163\040\102\051\040\124\141\156\165"
-"\163\151\164\166\141\156\171\153\151\141\144\157"
-, (PRUint32)156 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\231\061\013\060\011\006\003\125\004\006\023\002\110\125"
-"\061\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160"
-"\145\163\164\061\047\060\045\006\003\125\004\012\023\036\116\145"
-"\164\114\157\143\153\040\110\141\154\157\172\141\164\142\151\172"
-"\164\157\156\163\141\147\151\040\113\146\164\056\061\032\060\030"
-"\006\003\125\004\013\023\021\124\141\156\165\163\151\164\166\141"
-"\156\171\153\151\141\144\157\153\061\062\060\060\006\003\125\004"
-"\003\023\051\116\145\164\114\157\143\153\040\125\172\154\145\164"
-"\151\040\050\103\154\141\163\163\040\102\051\040\124\141\156\165"
-"\163\151\164\166\141\156\171\153\151\141\144\157"
-, (PRUint32)156 },
-  { (void *)"\002\001\151"
-, (PRUint32)3 },
-  { (void *)"\060\202\005\113\060\202\004\264\240\003\002\001\002\002\001\151"
-"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060"
-"\201\231\061\013\060\011\006\003\125\004\006\023\002\110\125\061"
-"\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145"
-"\163\164\061\047\060\045\006\003\125\004\012\023\036\116\145\164"
-"\114\157\143\153\040\110\141\154\157\172\141\164\142\151\172\164"
-"\157\156\163\141\147\151\040\113\146\164\056\061\032\060\030\006"
-"\003\125\004\013\023\021\124\141\156\165\163\151\164\166\141\156"
-"\171\153\151\141\144\157\153\061\062\060\060\006\003\125\004\003"
-"\023\051\116\145\164\114\157\143\153\040\125\172\154\145\164\151"
-"\040\050\103\154\141\163\163\040\102\051\040\124\141\156\165\163"
-"\151\164\166\141\156\171\153\151\141\144\157\060\036\027\015\071"
-"\071\060\062\062\065\061\064\061\060\062\062\132\027\015\061\071"
-"\060\062\062\060\061\064\061\060\062\062\132\060\201\231\061\013"
-"\060\011\006\003\125\004\006\023\002\110\125\061\021\060\017\006"
-"\003\125\004\007\023\010\102\165\144\141\160\145\163\164\061\047"
-"\060\045\006\003\125\004\012\023\036\116\145\164\114\157\143\153"
-"\040\110\141\154\157\172\141\164\142\151\172\164\157\156\163\141"
-"\147\151\040\113\146\164\056\061\032\060\030\006\003\125\004\013"
-"\023\021\124\141\156\165\163\151\164\166\141\156\171\153\151\141"
-"\144\157\153\061\062\060\060\006\003\125\004\003\023\051\116\145"
-"\164\114\157\143\153\040\125\172\154\145\164\151\040\050\103\154"
-"\141\163\163\040\102\051\040\124\141\156\165\163\151\164\166\141"
-"\156\171\153\151\141\144\157\060\201\237\060\015\006\011\052\206"
-"\110\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211"
-"\002\201\201\000\261\352\004\354\040\240\043\302\217\070\140\317"
-"\307\106\263\325\033\376\373\271\231\236\004\334\034\177\214\112"
-"\201\230\356\244\324\312\212\027\271\042\177\203\012\165\114\233"
-"\300\151\330\144\071\243\355\222\243\375\133\134\164\032\300\107"
-"\312\072\151\166\232\272\342\104\027\374\114\243\325\376\270\227"
-"\210\257\210\003\211\037\244\362\004\076\310\007\013\346\371\263"
-"\057\172\142\024\011\106\024\312\144\365\213\200\265\142\250\330"
-"\153\326\161\223\055\263\277\011\124\130\355\006\353\250\173\334"
-"\103\261\241\151\002\003\001\000\001\243\202\002\237\060\202\002"
-"\233\060\022\006\003\125\035\023\001\001\377\004\010\060\006\001"
-"\001\377\002\001\004\060\016\006\003\125\035\017\001\001\377\004"
-"\004\003\002\000\006\060\021\006\011\140\206\110\001\206\370\102"
-"\001\001\004\004\003\002\000\007\060\202\002\140\006\011\140\206"
-"\110\001\206\370\102\001\015\004\202\002\121\026\202\002\115\106"
-"\111\107\131\105\114\105\115\041\040\105\172\145\156\040\164\141"
-"\156\165\163\151\164\166\141\156\171\040\141\040\116\145\164\114"
-"\157\143\153\040\113\146\164\056\040\101\154\164\141\154\141\156"
-"\157\163\040\123\172\157\154\147\141\154\164\141\164\141\163\151"
-"\040\106\145\154\164\145\164\145\154\145\151\142\145\156\040\154"
-"\145\151\162\164\040\145\154\152\141\162\141\163\157\153\040\141"
-"\154\141\160\152\141\156\040\153\145\163\172\165\154\164\056\040"
-"\101\040\150\151\164\145\154\145\163\151\164\145\163\040\146\157"
-"\154\171\141\155\141\164\141\164\040\141\040\116\145\164\114\157"
-"\143\153\040\113\146\164\056\040\164\145\162\155\145\153\146\145"
-"\154\145\154\157\163\163\145\147\055\142\151\172\164\157\163\151"
-"\164\141\163\141\040\166\145\144\151\056\040\101\040\144\151\147"
-"\151\164\141\154\151\163\040\141\154\141\151\162\141\163\040\145"
-"\154\146\157\147\141\144\141\163\141\156\141\153\040\146\145\154"
-"\164\145\164\145\154\145\040\141\172\040\145\154\157\151\162\164"
-"\040\145\154\154\145\156\157\162\172\145\163\151\040\145\154\152"
-"\141\162\141\163\040\155\145\147\164\145\164\145\154\145\056\040"
-"\101\172\040\145\154\152\141\162\141\163\040\154\145\151\162\141"
-"\163\141\040\155\145\147\164\141\154\141\154\150\141\164\157\040"
-"\141\040\116\145\164\114\157\143\153\040\113\146\164\056\040\111"
-"\156\164\145\162\156\145\164\040\150\157\156\154\141\160\152\141"
-"\156\040\141\040\150\164\164\160\163\072\057\057\167\167\167\056"
-"\156\145\164\154\157\143\153\056\156\145\164\057\144\157\143\163"
-"\040\143\151\155\145\156\040\166\141\147\171\040\153\145\162\150"
-"\145\164\157\040\141\172\040\145\154\154\145\156\157\162\172\145"
-"\163\100\156\145\164\154\157\143\153\056\156\145\164\040\145\055"
-"\155\141\151\154\040\143\151\155\145\156\056\040\111\115\120\117"
-"\122\124\101\116\124\041\040\124\150\145\040\151\163\163\165\141"
-"\156\143\145\040\141\156\144\040\164\150\145\040\165\163\145\040"
-"\157\146\040\164\150\151\163\040\143\145\162\164\151\146\151\143"
-"\141\164\145\040\151\163\040\163\165\142\152\145\143\164\040\164"
-"\157\040\164\150\145\040\116\145\164\114\157\143\153\040\103\120"
-"\123\040\141\166\141\151\154\141\142\154\145\040\141\164\040\150"
-"\164\164\160\163\072\057\057\167\167\167\056\156\145\164\154\157"
-"\143\153\056\156\145\164\057\144\157\143\163\040\157\162\040\142"
-"\171\040\145\055\155\141\151\154\040\141\164\040\143\160\163\100"
-"\156\145\164\154\157\143\153\056\156\145\164\056\060\015\006\011"
-"\052\206\110\206\367\015\001\001\004\005\000\003\201\201\000\004"
-"\333\256\214\027\257\370\016\220\061\116\315\076\011\300\155\072"
-"\260\370\063\114\107\114\343\165\210\020\227\254\260\070\025\221"
-"\306\051\226\314\041\300\155\074\245\164\317\330\202\245\071\303"
-"\145\343\102\160\273\042\220\343\175\333\065\166\341\240\265\332"
-"\237\160\156\223\032\060\071\035\060\333\056\343\174\262\221\262"
-"\321\067\051\372\271\326\027\134\107\117\343\035\070\353\237\325"
-"\173\225\250\050\236\025\112\321\321\320\053\000\227\240\342\222"
-"\066\053\143\254\130\001\153\063\051\120\206\203\361\001\110"
-, (PRUint32)1359 }
-};
-static const NSSItem nss_builtins_items_181 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"NetLock Business (Class B) Root", (PRUint32)32 },
-  { (void *)"\207\237\113\356\005\337\230\130\073\343\140\326\063\347\015\077"
-"\376\230\161\257"
-, (PRUint32)20 },
-  { (void *)"\071\026\252\271\152\101\341\024\151\337\236\154\073\162\334\266"
-, (PRUint32)16 },
-  { (void *)"\060\201\231\061\013\060\011\006\003\125\004\006\023\002\110\125"
-"\061\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160"
-"\145\163\164\061\047\060\045\006\003\125\004\012\023\036\116\145"
-"\164\114\157\143\153\040\110\141\154\157\172\141\164\142\151\172"
-"\164\157\156\163\141\147\151\040\113\146\164\056\061\032\060\030"
-"\006\003\125\004\013\023\021\124\141\156\165\163\151\164\166\141"
-"\156\171\153\151\141\144\157\153\061\062\060\060\006\003\125\004"
-"\003\023\051\116\145\164\114\157\143\153\040\125\172\154\145\164"
-"\151\040\050\103\154\141\163\163\040\102\051\040\124\141\156\165"
-"\163\151\164\166\141\156\171\153\151\141\144\157"
-, (PRUint32)156 },
-  { (void *)"\002\001\151"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_182 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"NetLock Express (Class C) Root", (PRUint32)31 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\233\061\013\060\011\006\003\125\004\006\023\002\110\125"
-"\061\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160"
-"\145\163\164\061\047\060\045\006\003\125\004\012\023\036\116\145"
-"\164\114\157\143\153\040\110\141\154\157\172\141\164\142\151\172"
-"\164\157\156\163\141\147\151\040\113\146\164\056\061\032\060\030"
-"\006\003\125\004\013\023\021\124\141\156\165\163\151\164\166\141"
-"\156\171\153\151\141\144\157\153\061\064\060\062\006\003\125\004"
-"\003\023\053\116\145\164\114\157\143\153\040\105\170\160\162\145"
-"\163\163\172\040\050\103\154\141\163\163\040\103\051\040\124\141"
-"\156\165\163\151\164\166\141\156\171\153\151\141\144\157"
-, (PRUint32)158 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\233\061\013\060\011\006\003\125\004\006\023\002\110\125"
-"\061\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160"
-"\145\163\164\061\047\060\045\006\003\125\004\012\023\036\116\145"
-"\164\114\157\143\153\040\110\141\154\157\172\141\164\142\151\172"
-"\164\157\156\163\141\147\151\040\113\146\164\056\061\032\060\030"
-"\006\003\125\004\013\023\021\124\141\156\165\163\151\164\166\141"
-"\156\171\153\151\141\144\157\153\061\064\060\062\006\003\125\004"
-"\003\023\053\116\145\164\114\157\143\153\040\105\170\160\162\145"
-"\163\163\172\040\050\103\154\141\163\163\040\103\051\040\124\141"
-"\156\165\163\151\164\166\141\156\171\153\151\141\144\157"
-, (PRUint32)158 },
-  { (void *)"\002\001\150"
-, (PRUint32)3 },
-  { (void *)"\060\202\005\117\060\202\004\270\240\003\002\001\002\002\001\150"
-"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060"
-"\201\233\061\013\060\011\006\003\125\004\006\023\002\110\125\061"
-"\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145"
-"\163\164\061\047\060\045\006\003\125\004\012\023\036\116\145\164"
-"\114\157\143\153\040\110\141\154\157\172\141\164\142\151\172\164"
-"\157\156\163\141\147\151\040\113\146\164\056\061\032\060\030\006"
-"\003\125\004\013\023\021\124\141\156\165\163\151\164\166\141\156"
-"\171\153\151\141\144\157\153\061\064\060\062\006\003\125\004\003"
-"\023\053\116\145\164\114\157\143\153\040\105\170\160\162\145\163"
-"\163\172\040\050\103\154\141\163\163\040\103\051\040\124\141\156"
-"\165\163\151\164\166\141\156\171\153\151\141\144\157\060\036\027"
-"\015\071\071\060\062\062\065\061\064\060\070\061\061\132\027\015"
-"\061\071\060\062\062\060\061\064\060\070\061\061\132\060\201\233"
-"\061\013\060\011\006\003\125\004\006\023\002\110\125\061\021\060"
-"\017\006\003\125\004\007\023\010\102\165\144\141\160\145\163\164"
-"\061\047\060\045\006\003\125\004\012\023\036\116\145\164\114\157"
-"\143\153\040\110\141\154\157\172\141\164\142\151\172\164\157\156"
-"\163\141\147\151\040\113\146\164\056\061\032\060\030\006\003\125"
-"\004\013\023\021\124\141\156\165\163\151\164\166\141\156\171\153"
-"\151\141\144\157\153\061\064\060\062\006\003\125\004\003\023\053"
-"\116\145\164\114\157\143\153\040\105\170\160\162\145\163\163\172"
-"\040\050\103\154\141\163\163\040\103\051\040\124\141\156\165\163"
-"\151\164\166\141\156\171\153\151\141\144\157\060\201\237\060\015"
-"\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215"
-"\000\060\201\211\002\201\201\000\353\354\260\154\141\212\043\045"
-"\257\140\040\343\331\237\374\223\013\333\135\215\260\241\263\100"
-"\072\202\316\375\165\340\170\062\003\206\132\206\225\221\355\123"
-"\372\235\100\374\346\350\335\331\133\172\003\275\135\363\073\014"
-"\303\121\171\233\255\125\240\351\320\003\020\257\012\272\024\102"
-"\331\122\046\021\042\307\322\040\314\202\244\232\251\376\270\201"
-"\166\235\152\267\322\066\165\076\261\206\011\366\156\155\176\116"
-"\267\172\354\256\161\204\366\004\063\010\045\062\353\164\254\026"
-"\104\306\344\100\223\035\177\255\002\003\001\000\001\243\202\002"
-"\237\060\202\002\233\060\022\006\003\125\035\023\001\001\377\004"
-"\010\060\006\001\001\377\002\001\004\060\016\006\003\125\035\017"
-"\001\001\377\004\004\003\002\000\006\060\021\006\011\140\206\110"
-"\001\206\370\102\001\001\004\004\003\002\000\007\060\202\002\140"
-"\006\011\140\206\110\001\206\370\102\001\015\004\202\002\121\026"
-"\202\002\115\106\111\107\131\105\114\105\115\041\040\105\172\145"
-"\156\040\164\141\156\165\163\151\164\166\141\156\171\040\141\040"
-"\116\145\164\114\157\143\153\040\113\146\164\056\040\101\154\164"
-"\141\154\141\156\157\163\040\123\172\157\154\147\141\154\164\141"
-"\164\141\163\151\040\106\145\154\164\145\164\145\154\145\151\142"
-"\145\156\040\154\145\151\162\164\040\145\154\152\141\162\141\163"
-"\157\153\040\141\154\141\160\152\141\156\040\153\145\163\172\165"
-"\154\164\056\040\101\040\150\151\164\145\154\145\163\151\164\145"
-"\163\040\146\157\154\171\141\155\141\164\141\164\040\141\040\116"
-"\145\164\114\157\143\153\040\113\146\164\056\040\164\145\162\155"
-"\145\153\146\145\154\145\154\157\163\163\145\147\055\142\151\172"
-"\164\157\163\151\164\141\163\141\040\166\145\144\151\056\040\101"
-"\040\144\151\147\151\164\141\154\151\163\040\141\154\141\151\162"
-"\141\163\040\145\154\146\157\147\141\144\141\163\141\156\141\153"
-"\040\146\145\154\164\145\164\145\154\145\040\141\172\040\145\154"
-"\157\151\162\164\040\145\154\154\145\156\157\162\172\145\163\151"
-"\040\145\154\152\141\162\141\163\040\155\145\147\164\145\164\145"
-"\154\145\056\040\101\172\040\145\154\152\141\162\141\163\040\154"
-"\145\151\162\141\163\141\040\155\145\147\164\141\154\141\154\150"
-"\141\164\157\040\141\040\116\145\164\114\157\143\153\040\113\146"
-"\164\056\040\111\156\164\145\162\156\145\164\040\150\157\156\154"
-"\141\160\152\141\156\040\141\040\150\164\164\160\163\072\057\057"
-"\167\167\167\056\156\145\164\154\157\143\153\056\156\145\164\057"
-"\144\157\143\163\040\143\151\155\145\156\040\166\141\147\171\040"
-"\153\145\162\150\145\164\157\040\141\172\040\145\154\154\145\156"
-"\157\162\172\145\163\100\156\145\164\154\157\143\153\056\156\145"
-"\164\040\145\055\155\141\151\154\040\143\151\155\145\156\056\040"
-"\111\115\120\117\122\124\101\116\124\041\040\124\150\145\040\151"
-"\163\163\165\141\156\143\145\040\141\156\144\040\164\150\145\040"
-"\165\163\145\040\157\146\040\164\150\151\163\040\143\145\162\164"
-"\151\146\151\143\141\164\145\040\151\163\040\163\165\142\152\145"
-"\143\164\040\164\157\040\164\150\145\040\116\145\164\114\157\143"
-"\153\040\103\120\123\040\141\166\141\151\154\141\142\154\145\040"
-"\141\164\040\150\164\164\160\163\072\057\057\167\167\167\056\156"
-"\145\164\154\157\143\153\056\156\145\164\057\144\157\143\163\040"
-"\157\162\040\142\171\040\145\055\155\141\151\154\040\141\164\040"
-"\143\160\163\100\156\145\164\154\157\143\153\056\156\145\164\056"
-"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\003"
-"\201\201\000\020\255\177\327\014\062\200\012\330\206\361\171\230"
-"\265\255\324\315\263\066\304\226\110\301\134\315\232\331\005\056"
-"\237\276\120\353\364\046\024\020\055\324\146\027\370\236\301\047"
-"\375\361\355\344\173\113\240\154\265\253\232\127\160\246\355\240"
-"\244\355\056\365\375\374\275\376\115\067\010\014\274\343\226\203"
-"\042\365\111\033\177\113\053\264\124\301\200\174\231\116\035\320"
-"\214\356\320\254\345\222\372\165\126\376\144\240\023\217\270\270"
-"\026\235\141\005\147\200\310\320\330\245\007\002\064\230\004\215"
-"\063\004\324"
-, (PRUint32)1363 }
-};
-static const NSSItem nss_builtins_items_183 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"NetLock Express (Class C) Root", (PRUint32)31 },
-  { (void *)"\343\222\121\057\012\317\365\005\337\366\336\006\177\165\067\341"
-"\145\352\127\113"
-, (PRUint32)20 },
-  { (void *)"\117\353\361\360\160\302\200\143\135\130\237\332\022\074\251\304"
-, (PRUint32)16 },
-  { (void *)"\060\201\233\061\013\060\011\006\003\125\004\006\023\002\110\125"
-"\061\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160"
-"\145\163\164\061\047\060\045\006\003\125\004\012\023\036\116\145"
-"\164\114\157\143\153\040\110\141\154\157\172\141\164\142\151\172"
-"\164\157\156\163\141\147\151\040\113\146\164\056\061\032\060\030"
-"\006\003\125\004\013\023\021\124\141\156\165\163\151\164\166\141"
-"\156\171\153\151\141\144\157\153\061\064\060\062\006\003\125\004"
-"\003\023\053\116\145\164\114\157\143\153\040\105\170\160\162\145"
-"\163\163\172\040\050\103\154\141\163\163\040\103\051\040\124\141"
-"\156\165\163\151\164\166\141\156\171\153\151\141\144\157"
-, (PRUint32)158 },
-  { (void *)"\002\001\150"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_184 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"XRamp Global CA Root", (PRUint32)21 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\201\202\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\036\060\034\006\003\125\004\013\023\025\167\167\167\056\170"
-"\162\141\155\160\163\145\143\165\162\151\164\171\056\143\157\155"
-"\061\044\060\042\006\003\125\004\012\023\033\130\122\141\155\160"
-"\040\123\145\143\165\162\151\164\171\040\123\145\162\166\151\143"
-"\145\163\040\111\156\143\061\055\060\053\006\003\125\004\003\023"
-"\044\130\122\141\155\160\040\107\154\157\142\141\154\040\103\145"
-"\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150"
-"\157\162\151\164\171"
-, (PRUint32)133 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\201\202\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\036\060\034\006\003\125\004\013\023\025\167\167\167\056\170"
-"\162\141\155\160\163\145\143\165\162\151\164\171\056\143\157\155"
-"\061\044\060\042\006\003\125\004\012\023\033\130\122\141\155\160"
-"\040\123\145\143\165\162\151\164\171\040\123\145\162\166\151\143"
-"\145\163\040\111\156\143\061\055\060\053\006\003\125\004\003\023"
-"\044\130\122\141\155\160\040\107\154\157\142\141\154\040\103\145"
-"\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150"
-"\157\162\151\164\171"
-, (PRUint32)133 },
-  { (void *)"\002\020\120\224\154\354\030\352\325\234\115\325\227\357\165\217"
-"\240\255"
-, (PRUint32)18 },
-  { (void *)"\060\202\004\060\060\202\003\030\240\003\002\001\002\002\020\120"
-"\224\154\354\030\352\325\234\115\325\227\357\165\217\240\255\060"
-"\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201"
-"\202\061\013\060\011\006\003\125\004\006\023\002\125\123\061\036"
-"\060\034\006\003\125\004\013\023\025\167\167\167\056\170\162\141"
-"\155\160\163\145\143\165\162\151\164\171\056\143\157\155\061\044"
-"\060\042\006\003\125\004\012\023\033\130\122\141\155\160\040\123"
-"\145\143\165\162\151\164\171\040\123\145\162\166\151\143\145\163"
-"\040\111\156\143\061\055\060\053\006\003\125\004\003\023\044\130"
-"\122\141\155\160\040\107\154\157\142\141\154\040\103\145\162\164"
-"\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162"
-"\151\164\171\060\036\027\015\060\064\061\061\060\061\061\067\061"
-"\064\060\064\132\027\015\063\065\060\061\060\061\060\065\063\067"
-"\061\071\132\060\201\202\061\013\060\011\006\003\125\004\006\023"
-"\002\125\123\061\036\060\034\006\003\125\004\013\023\025\167\167"
-"\167\056\170\162\141\155\160\163\145\143\165\162\151\164\171\056"
-"\143\157\155\061\044\060\042\006\003\125\004\012\023\033\130\122"
-"\141\155\160\040\123\145\143\165\162\151\164\171\040\123\145\162"
-"\166\151\143\145\163\040\111\156\143\061\055\060\053\006\003\125"
-"\004\003\023\044\130\122\141\155\160\040\107\154\157\142\141\154"
-"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
-"\165\164\150\157\162\151\164\171\060\202\001\042\060\015\006\011"
-"\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000"
-"\060\202\001\012\002\202\001\001\000\230\044\036\275\025\264\272"
-"\337\307\214\245\047\266\070\013\151\363\266\116\250\054\056\041"
-"\035\134\104\337\041\135\176\043\164\376\136\176\264\112\267\246"
-"\255\037\256\340\006\026\342\233\133\331\147\164\153\135\200\217"
-"\051\235\206\033\331\234\015\230\155\166\020\050\130\344\145\260"
-"\177\112\230\171\237\340\303\061\176\200\053\265\214\300\100\073"
-"\021\206\320\313\242\206\066\140\244\325\060\202\155\331\156\320"
-"\017\022\004\063\227\137\117\141\132\360\344\371\221\253\347\035"
-"\073\274\350\317\364\153\055\064\174\342\110\141\034\216\363\141"
-"\104\314\157\240\112\251\224\260\115\332\347\251\064\172\162\070"
-"\250\101\314\074\224\021\175\353\310\246\214\267\206\313\312\063"
-"\073\331\075\067\213\373\172\076\206\054\347\163\327\012\127\254"
-"\144\233\031\353\364\017\004\010\212\254\003\027\031\144\364\132"
-"\045\042\215\064\054\262\366\150\035\022\155\323\212\036\024\332"
-"\304\217\246\342\043\205\325\172\015\275\152\340\351\354\354\027"
-"\273\102\033\147\252\045\355\105\203\041\374\301\311\174\325\142"
-"\076\372\362\305\055\323\375\324\145\002\003\001\000\001\243\201"
-"\237\060\201\234\060\023\006\011\053\006\001\004\001\202\067\024"
-"\002\004\006\036\004\000\103\000\101\060\013\006\003\125\035\017"
-"\004\004\003\002\001\206\060\017\006\003\125\035\023\001\001\377"
-"\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026"
-"\004\024\306\117\242\075\006\143\204\011\234\316\142\344\004\254"
-"\215\134\265\351\266\033\060\066\006\003\125\035\037\004\057\060"
-"\055\060\053\240\051\240\047\206\045\150\164\164\160\072\057\057"
-"\143\162\154\056\170\162\141\155\160\163\145\143\165\162\151\164"
-"\171\056\143\157\155\057\130\107\103\101\056\143\162\154\060\020"
-"\006\011\053\006\001\004\001\202\067\025\001\004\003\002\001\001"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003"
-"\202\001\001\000\221\025\071\003\001\033\147\373\112\034\371\012"
-"\140\133\241\332\115\227\142\371\044\123\047\327\202\144\116\220"
-"\056\303\111\033\053\232\334\374\250\170\147\065\361\035\360\021"
-"\275\267\110\343\020\366\015\337\077\322\311\266\252\125\244\110"
-"\272\002\333\336\131\056\025\133\073\235\026\175\107\327\067\352"
-"\137\115\166\022\066\273\037\327\241\201\004\106\040\243\054\155"
-"\251\236\001\176\077\051\316\000\223\337\375\311\222\163\211\211"
-"\144\236\347\053\344\034\221\054\322\271\316\175\316\157\061\231"
-"\323\346\276\322\036\220\360\011\024\171\134\043\253\115\322\332"
-"\041\037\115\231\171\235\341\317\047\237\020\233\034\210\015\260"
-"\212\144\101\061\270\016\154\220\044\244\233\134\161\217\272\273"
-"\176\034\033\333\152\200\017\041\274\351\333\246\267\100\364\262"
-"\213\251\261\344\357\232\032\320\075\151\231\356\250\050\243\341"
-"\074\263\360\262\021\234\317\174\100\346\335\347\103\175\242\330"
-"\072\265\251\215\362\064\231\304\324\020\341\006\375\011\204\020"
-"\073\356\304\114\364\354\047\174\102\302\164\174\202\212\011\311"
-"\264\003\045\274"
-, (PRUint32)1076 }
-};
-static const NSSItem nss_builtins_items_185 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"XRamp Global CA Root", (PRUint32)21 },
-  { (void *)"\270\001\206\321\353\234\206\245\101\004\317\060\124\363\114\122"
-"\267\345\130\306"
-, (PRUint32)20 },
-  { (void *)"\241\013\104\263\312\020\330\000\156\235\017\330\017\222\012\321"
-, (PRUint32)16 },
-  { (void *)"\060\201\202\061\013\060\011\006\003\125\004\006\023\002\125\123"
-"\061\036\060\034\006\003\125\004\013\023\025\167\167\167\056\170"
-"\162\141\155\160\163\145\143\165\162\151\164\171\056\143\157\155"
-"\061\044\060\042\006\003\125\004\012\023\033\130\122\141\155\160"
-"\040\123\145\143\165\162\151\164\171\040\123\145\162\166\151\143"
-"\145\163\040\111\156\143\061\055\060\053\006\003\125\004\003\023"
-"\044\130\122\141\155\160\040\107\154\157\142\141\154\040\103\145"
-"\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150"
-"\157\162\151\164\171"
-, (PRUint32)133 },
-  { (void *)"\002\020\120\224\154\354\030\352\325\234\115\325\227\357\165\217"
-"\240\255"
-, (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_186 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Go Daddy Class 2 CA", (PRUint32)20 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\041\060\037\006\003\125\004\012\023\030\124\150\145\040\107\157"
-"\040\104\141\144\144\171\040\107\162\157\165\160\054\040\111\156"
-"\143\056\061\061\060\057\006\003\125\004\013\023\050\107\157\040"
-"\104\141\144\144\171\040\103\154\141\163\163\040\062\040\103\145"
-"\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150"
-"\157\162\151\164\171"
-, (PRUint32)101 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\041\060\037\006\003\125\004\012\023\030\124\150\145\040\107\157"
-"\040\104\141\144\144\171\040\107\162\157\165\160\054\040\111\156"
-"\143\056\061\061\060\057\006\003\125\004\013\023\050\107\157\040"
-"\104\141\144\144\171\040\103\154\141\163\163\040\062\040\103\145"
-"\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150"
-"\157\162\151\164\171"
-, (PRUint32)101 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)"\060\202\004\000\060\202\002\350\240\003\002\001\002\002\001\000"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
-"\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061\041"
-"\060\037\006\003\125\004\012\023\030\124\150\145\040\107\157\040"
-"\104\141\144\144\171\040\107\162\157\165\160\054\040\111\156\143"
-"\056\061\061\060\057\006\003\125\004\013\023\050\107\157\040\104"
-"\141\144\144\171\040\103\154\141\163\163\040\062\040\103\145\162"
-"\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157"
-"\162\151\164\171\060\036\027\015\060\064\060\066\062\071\061\067"
-"\060\066\062\060\132\027\015\063\064\060\066\062\071\061\067\060"
-"\066\062\060\132\060\143\061\013\060\011\006\003\125\004\006\023"
-"\002\125\123\061\041\060\037\006\003\125\004\012\023\030\124\150"
-"\145\040\107\157\040\104\141\144\144\171\040\107\162\157\165\160"
-"\054\040\111\156\143\056\061\061\060\057\006\003\125\004\013\023"
-"\050\107\157\040\104\141\144\144\171\040\103\154\141\163\163\040"
-"\062\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
-"\101\165\164\150\157\162\151\164\171\060\202\001\040\060\015\006"
-"\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\015"
-"\000\060\202\001\010\002\202\001\001\000\336\235\327\352\127\030"
-"\111\241\133\353\327\137\110\206\352\276\335\377\344\357\147\034"
-"\364\145\150\263\127\161\240\136\167\273\355\233\111\351\160\200"
-"\075\126\030\143\010\157\332\362\314\320\077\177\002\124\042\124"
-"\020\330\262\201\324\300\165\075\113\177\307\167\303\076\170\253"
-"\032\003\265\040\153\057\152\053\261\305\210\176\304\273\036\260"
-"\301\330\105\047\157\252\067\130\367\207\046\327\330\055\366\251"
-"\027\267\037\162\066\116\246\027\077\145\230\222\333\052\156\135"
-"\242\376\210\340\013\336\177\345\215\025\341\353\313\072\325\342"
-"\022\242\023\055\330\216\257\137\022\075\240\010\005\010\266\134"
-"\245\145\070\004\105\231\036\243\140\140\164\305\101\245\162\142"
-"\033\142\305\037\157\137\032\102\276\002\121\145\250\256\043\030"
-"\152\374\170\003\251\115\177\200\303\372\253\132\374\241\100\244"
-"\312\031\026\376\262\310\357\136\163\015\356\167\275\232\366\171"
-"\230\274\261\007\147\242\025\015\335\240\130\306\104\173\012\076"
-"\142\050\137\272\101\007\123\130\317\021\176\070\164\305\370\377"
-"\265\151\220\217\204\164\352\227\033\257\002\001\003\243\201\300"
-"\060\201\275\060\035\006\003\125\035\016\004\026\004\024\322\304"
-"\260\322\221\324\114\021\161\263\141\313\075\241\376\335\250\152"
-"\324\343\060\201\215\006\003\125\035\043\004\201\205\060\201\202"
-"\200\024\322\304\260\322\221\324\114\021\161\263\141\313\075\241"
-"\376\335\250\152\324\343\241\147\244\145\060\143\061\013\060\011"
-"\006\003\125\004\006\023\002\125\123\061\041\060\037\006\003\125"
-"\004\012\023\030\124\150\145\040\107\157\040\104\141\144\144\171"
-"\040\107\162\157\165\160\054\040\111\156\143\056\061\061\060\057"
-"\006\003\125\004\013\023\050\107\157\040\104\141\144\144\171\040"
-"\103\154\141\163\163\040\062\040\103\145\162\164\151\146\151\143"
-"\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\202"
-"\001\000\060\014\006\003\125\035\023\004\005\060\003\001\001\377"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003"
-"\202\001\001\000\062\113\363\262\312\076\221\374\022\306\241\007"
-"\214\216\167\240\063\006\024\134\220\036\030\367\010\246\075\012"
-"\031\371\207\200\021\156\151\344\226\027\060\377\064\221\143\162"
-"\070\356\314\034\001\243\035\224\050\244\061\366\172\304\124\327"
-"\366\345\061\130\003\242\314\316\142\333\224\105\163\265\277\105"
-"\311\044\265\325\202\002\255\043\171\151\215\270\266\115\316\317"
-"\114\312\063\043\350\034\210\252\235\213\101\156\026\311\040\345"
-"\211\236\315\073\332\160\367\176\231\046\040\024\124\045\253\156"
-"\163\205\346\233\041\235\012\154\202\016\250\370\302\014\372\020"
-"\036\154\226\357\207\015\304\017\141\213\255\356\203\053\225\370"
-"\216\222\204\162\071\353\040\352\203\355\203\315\227\156\010\274"
-"\353\116\046\266\163\053\344\323\366\114\376\046\161\342\141\021"
-"\164\112\377\127\032\207\017\165\110\056\317\121\151\027\240\002"
-"\022\141\225\325\321\100\262\020\114\356\304\254\020\103\246\245"
-"\236\012\325\225\142\232\015\317\210\202\305\062\014\344\053\237"
-"\105\346\015\237\050\234\261\271\052\132\127\255\067\017\257\035"
-"\177\333\275\237"
-, (PRUint32)1028 }
-};
-static const NSSItem nss_builtins_items_187 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Go Daddy Class 2 CA", (PRUint32)20 },
-  { (void *)"\047\226\272\346\077\030\001\342\167\046\033\240\327\167\160\002"
-"\217\040\356\344"
-, (PRUint32)20 },
-  { (void *)"\221\336\006\045\253\332\375\062\027\014\273\045\027\052\204\147"
-, (PRUint32)16 },
-  { (void *)"\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\041\060\037\006\003\125\004\012\023\030\124\150\145\040\107\157"
-"\040\104\141\144\144\171\040\107\162\157\165\160\054\040\111\156"
-"\143\056\061\061\060\057\006\003\125\004\013\023\050\107\157\040"
-"\104\141\144\144\171\040\103\154\141\163\163\040\062\040\103\145"
-"\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150"
-"\157\162\151\164\171"
-, (PRUint32)101 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-static const NSSItem nss_builtins_items_188 [] = {
-  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Starfield Class 2 CA", (PRUint32)21 },
-  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
-  { (void *)"\060\150\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\045\060\043\006\003\125\004\012\023\034\123\164\141\162\146\151"
-"\145\154\144\040\124\145\143\150\156\157\154\157\147\151\145\163"
-"\054\040\111\156\143\056\061\062\060\060\006\003\125\004\013\023"
-"\051\123\164\141\162\146\151\145\154\144\040\103\154\141\163\163"
-"\040\062\040\103\145\162\164\151\146\151\143\141\164\151\157\156"
-"\040\101\165\164\150\157\162\151\164\171"
-, (PRUint32)106 },
-  { (void *)"0", (PRUint32)2 },
-  { (void *)"\060\150\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\045\060\043\006\003\125\004\012\023\034\123\164\141\162\146\151"
-"\145\154\144\040\124\145\143\150\156\157\154\157\147\151\145\163"
-"\054\040\111\156\143\056\061\062\060\060\006\003\125\004\013\023"
-"\051\123\164\141\162\146\151\145\154\144\040\103\154\141\163\163"
-"\040\062\040\103\145\162\164\151\146\151\143\141\164\151\157\156"
-"\040\101\165\164\150\157\162\151\164\171"
-, (PRUint32)106 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)"\060\202\004\017\060\202\002\367\240\003\002\001\002\002\001\000"
-"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
-"\150\061\013\060\011\006\003\125\004\006\023\002\125\123\061\045"
-"\060\043\006\003\125\004\012\023\034\123\164\141\162\146\151\145"
-"\154\144\040\124\145\143\150\156\157\154\157\147\151\145\163\054"
-"\040\111\156\143\056\061\062\060\060\006\003\125\004\013\023\051"
-"\123\164\141\162\146\151\145\154\144\040\103\154\141\163\163\040"
-"\062\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
-"\101\165\164\150\157\162\151\164\171\060\036\027\015\060\064\060"
-"\066\062\071\061\067\063\071\061\066\132\027\015\063\064\060\066"
-"\062\071\061\067\063\071\061\066\132\060\150\061\013\060\011\006"
-"\003\125\004\006\023\002\125\123\061\045\060\043\006\003\125\004"
-"\012\023\034\123\164\141\162\146\151\145\154\144\040\124\145\143"
-"\150\156\157\154\157\147\151\145\163\054\040\111\156\143\056\061"
-"\062\060\060\006\003\125\004\013\023\051\123\164\141\162\146\151"
-"\145\154\144\040\103\154\141\163\163\040\062\040\103\145\162\164"
-"\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162"
-"\151\164\171\060\202\001\040\060\015\006\011\052\206\110\206\367"
-"\015\001\001\001\005\000\003\202\001\015\000\060\202\001\010\002"
-"\202\001\001\000\267\062\310\376\351\161\246\004\205\255\014\021"
-"\144\337\316\115\357\310\003\030\207\077\241\253\373\074\246\237"
-"\360\303\241\332\324\330\156\053\123\220\373\044\244\076\204\360"
-"\236\350\137\354\345\047\104\365\050\246\077\173\336\340\052\360"
-"\310\257\123\057\236\312\005\001\223\036\217\146\034\071\247\115"
-"\372\132\266\163\004\045\146\353\167\177\347\131\306\112\231\045"
-"\024\124\353\046\307\363\177\031\325\060\160\217\257\260\106\052"
-"\377\255\353\051\355\327\237\252\004\207\243\324\371\211\245\064"
-"\137\333\103\221\202\066\331\146\074\261\270\271\202\375\234\072"
-"\076\020\310\073\357\006\145\146\172\233\031\030\075\377\161\121"
-"\074\060\056\137\276\075\167\163\262\135\006\154\303\043\126\232"
-"\053\205\046\222\034\247\002\263\344\077\015\257\010\171\202\270"
-"\066\075\352\234\323\065\263\274\151\312\365\314\235\350\375\144"
-"\215\027\200\063\156\136\112\135\231\311\036\207\264\235\032\300"
-"\325\156\023\065\043\136\337\233\137\075\357\326\367\166\302\352"
-"\076\273\170\015\034\102\147\153\004\330\370\326\332\157\213\362"
-"\104\240\001\253\002\001\003\243\201\305\060\201\302\060\035\006"
-"\003\125\035\016\004\026\004\024\277\137\267\321\316\335\037\206"
-"\364\133\125\254\334\327\020\302\016\251\210\347\060\201\222\006"
-"\003\125\035\043\004\201\212\060\201\207\200\024\277\137\267\321"
-"\316\335\037\206\364\133\125\254\334\327\020\302\016\251\210\347"
-"\241\154\244\152\060\150\061\013\060\011\006\003\125\004\006\023"
-"\002\125\123\061\045\060\043\006\003\125\004\012\023\034\123\164"
-"\141\162\146\151\145\154\144\040\124\145\143\150\156\157\154\157"
-"\147\151\145\163\054\040\111\156\143\056\061\062\060\060\006\003"
-"\125\004\013\023\051\123\164\141\162\146\151\145\154\144\040\103"
-"\154\141\163\163\040\062\040\103\145\162\164\151\146\151\143\141"
-"\164\151\157\156\040\101\165\164\150\157\162\151\164\171\202\001"
-"\000\060\014\006\003\125\035\023\004\005\060\003\001\001\377\060"
-"\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003\202"
-"\001\001\000\005\235\077\210\235\321\311\032\125\241\254\151\363"
-"\363\131\332\233\001\207\032\117\127\251\241\171\011\052\333\367"
-"\057\262\036\314\307\136\152\330\203\207\241\227\357\111\065\076"
-"\167\006\101\130\142\277\216\130\270\012\147\077\354\263\335\041"
-"\146\037\311\124\372\162\314\075\114\100\330\201\257\167\236\203"
-"\172\273\242\307\365\064\027\216\331\021\100\364\374\054\052\115"
-"\025\177\247\142\135\056\045\323\000\013\040\032\035\150\371\027"
-"\270\364\275\213\355\050\131\335\115\026\213\027\203\310\262\145"
-"\307\055\172\245\252\274\123\206\155\335\127\244\312\370\040\101"
-"\013\150\360\364\373\164\276\126\135\172\171\365\371\035\205\343"
-"\055\225\276\365\161\220\103\314\215\037\232\000\012\207\051\351"
-"\125\042\130\000\043\352\343\022\103\051\133\107\010\335\214\101"
-"\152\145\006\250\345\041\252\101\264\225\041\225\271\175\321\064"
-"\253\023\326\255\274\334\342\075\071\315\275\076\165\160\241\030"
-"\131\003\311\042\264\217\234\325\136\052\327\245\266\324\012\155"
-"\370\267\100\021\106\232\037\171\016\142\277\017\227\354\340\057"
-"\037\027\224"
-, (PRUint32)1043 }
-};
-static const NSSItem nss_builtins_items_189 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Starfield Class 2 CA", (PRUint32)21 },
-  { (void *)"\255\176\034\050\260\144\357\217\140\003\100\040\024\303\320\343"
-"\067\016\265\212"
-, (PRUint32)20 },
-  { (void *)"\062\112\113\273\310\143\151\233\276\164\232\306\335\035\106\044"
-, (PRUint32)16 },
-  { (void *)"\060\150\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
-"\045\060\043\006\003\125\004\012\023\034\123\164\141\162\146\151"
-"\145\154\144\040\124\145\143\150\156\157\154\157\147\151\145\163"
-"\054\040\111\156\143\056\061\062\060\060\006\003\125\004\013\023"
-"\051\123\164\141\162\146\151\145\154\144\040\103\154\141\163\163"
-"\040\062\040\103\145\162\164\151\146\151\143\141\164\151\157\156"
-"\040\101\165\164\150\157\162\151\164\171"
-, (PRUint32)106 },
-  { (void *)"\002\001\000"
-, (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
-};
-
-PR_IMPLEMENT_DATA(builtinsInternalObject)
-nss_builtins_data[] = {
-#ifdef DEBUG
-  { 7, nss_builtins_types_0, nss_builtins_items_0, {NULL} },
-#endif /* DEBUG */
-  { 5, nss_builtins_types_1, nss_builtins_items_1, {NULL} },
-  { 11, nss_builtins_types_2, nss_builtins_items_2, {NULL} },
-  { 13, nss_builtins_types_3, nss_builtins_items_3, {NULL} },
-  { 11, nss_builtins_types_4, nss_builtins_items_4, {NULL} },
-  { 13, nss_builtins_types_5, nss_builtins_items_5, {NULL} },
-  { 11, nss_builtins_types_6, nss_builtins_items_6, {NULL} },
-  { 13, nss_builtins_types_7, nss_builtins_items_7, {NULL} },
-  { 11, nss_builtins_types_8, nss_builtins_items_8, {NULL} },
-  { 13, nss_builtins_types_9, nss_builtins_items_9, {NULL} },
-  { 11, nss_builtins_types_10, nss_builtins_items_10, {NULL} },
-  { 13, nss_builtins_types_11, nss_builtins_items_11, {NULL} },
-  { 11, nss_builtins_types_12, nss_builtins_items_12, {NULL} },
-  { 13, nss_builtins_types_13, nss_builtins_items_13, {NULL} },
-  { 11, nss_builtins_types_14, nss_builtins_items_14, {NULL} },
-  { 13, nss_builtins_types_15, nss_builtins_items_15, {NULL} },
-  { 11, nss_builtins_types_16, nss_builtins_items_16, {NULL} },
-  { 13, nss_builtins_types_17, nss_builtins_items_17, {NULL} },
-  { 11, nss_builtins_types_18, nss_builtins_items_18, {NULL} },
-  { 13, nss_builtins_types_19, nss_builtins_items_19, {NULL} },
-  { 11, nss_builtins_types_20, nss_builtins_items_20, {NULL} },
-  { 13, nss_builtins_types_21, nss_builtins_items_21, {NULL} },
-  { 11, nss_builtins_types_22, nss_builtins_items_22, {NULL} },
-  { 13, nss_builtins_types_23, nss_builtins_items_23, {NULL} },
-  { 11, nss_builtins_types_24, nss_builtins_items_24, {NULL} },
-  { 13, nss_builtins_types_25, nss_builtins_items_25, {NULL} },
-  { 11, nss_builtins_types_26, nss_builtins_items_26, {NULL} },
-  { 13, nss_builtins_types_27, nss_builtins_items_27, {NULL} },
-  { 11, nss_builtins_types_28, nss_builtins_items_28, {NULL} },
-  { 13, nss_builtins_types_29, nss_builtins_items_29, {NULL} },
-  { 11, nss_builtins_types_30, nss_builtins_items_30, {NULL} },
-  { 13, nss_builtins_types_31, nss_builtins_items_31, {NULL} },
-  { 11, nss_builtins_types_32, nss_builtins_items_32, {NULL} },
-  { 13, nss_builtins_types_33, nss_builtins_items_33, {NULL} },
-  { 11, nss_builtins_types_34, nss_builtins_items_34, {NULL} },
-  { 13, nss_builtins_types_35, nss_builtins_items_35, {NULL} },
-  { 11, nss_builtins_types_36, nss_builtins_items_36, {NULL} },
-  { 13, nss_builtins_types_37, nss_builtins_items_37, {NULL} },
-  { 11, nss_builtins_types_38, nss_builtins_items_38, {NULL} },
-  { 13, nss_builtins_types_39, nss_builtins_items_39, {NULL} },
-  { 11, nss_builtins_types_40, nss_builtins_items_40, {NULL} },
-  { 13, nss_builtins_types_41, nss_builtins_items_41, {NULL} },
-  { 11, nss_builtins_types_42, nss_builtins_items_42, {NULL} },
-  { 13, nss_builtins_types_43, nss_builtins_items_43, {NULL} },
-  { 11, nss_builtins_types_44, nss_builtins_items_44, {NULL} },
-  { 13, nss_builtins_types_45, nss_builtins_items_45, {NULL} },
-  { 11, nss_builtins_types_46, nss_builtins_items_46, {NULL} },
-  { 13, nss_builtins_types_47, nss_builtins_items_47, {NULL} },
-  { 11, nss_builtins_types_48, nss_builtins_items_48, {NULL} },
-  { 13, nss_builtins_types_49, nss_builtins_items_49, {NULL} },
-  { 11, nss_builtins_types_50, nss_builtins_items_50, {NULL} },
-  { 13, nss_builtins_types_51, nss_builtins_items_51, {NULL} },
-  { 11, nss_builtins_types_52, nss_builtins_items_52, {NULL} },
-  { 13, nss_builtins_types_53, nss_builtins_items_53, {NULL} },
-  { 11, nss_builtins_types_54, nss_builtins_items_54, {NULL} },
-  { 13, nss_builtins_types_55, nss_builtins_items_55, {NULL} },
-  { 11, nss_builtins_types_56, nss_builtins_items_56, {NULL} },
-  { 13, nss_builtins_types_57, nss_builtins_items_57, {NULL} },
-  { 11, nss_builtins_types_58, nss_builtins_items_58, {NULL} },
-  { 13, nss_builtins_types_59, nss_builtins_items_59, {NULL} },
-  { 11, nss_builtins_types_60, nss_builtins_items_60, {NULL} },
-  { 13, nss_builtins_types_61, nss_builtins_items_61, {NULL} },
-  { 11, nss_builtins_types_62, nss_builtins_items_62, {NULL} },
-  { 13, nss_builtins_types_63, nss_builtins_items_63, {NULL} },
-  { 11, nss_builtins_types_64, nss_builtins_items_64, {NULL} },
-  { 13, nss_builtins_types_65, nss_builtins_items_65, {NULL} },
-  { 11, nss_builtins_types_66, nss_builtins_items_66, {NULL} },
-  { 12, nss_builtins_types_67, nss_builtins_items_67, {NULL} },
-  { 11, nss_builtins_types_68, nss_builtins_items_68, {NULL} },
-  { 13, nss_builtins_types_69, nss_builtins_items_69, {NULL} },
-  { 11, nss_builtins_types_70, nss_builtins_items_70, {NULL} },
-  { 13, nss_builtins_types_71, nss_builtins_items_71, {NULL} },
-  { 11, nss_builtins_types_72, nss_builtins_items_72, {NULL} },
-  { 12, nss_builtins_types_73, nss_builtins_items_73, {NULL} },
-  { 11, nss_builtins_types_74, nss_builtins_items_74, {NULL} },
-  { 13, nss_builtins_types_75, nss_builtins_items_75, {NULL} },
-  { 11, nss_builtins_types_76, nss_builtins_items_76, {NULL} },
-  { 13, nss_builtins_types_77, nss_builtins_items_77, {NULL} },
-  { 11, nss_builtins_types_78, nss_builtins_items_78, {NULL} },
-  { 13, nss_builtins_types_79, nss_builtins_items_79, {NULL} },
-  { 11, nss_builtins_types_80, nss_builtins_items_80, {NULL} },
-  { 13, nss_builtins_types_81, nss_builtins_items_81, {NULL} },
-  { 11, nss_builtins_types_82, nss_builtins_items_82, {NULL} },
-  { 12, nss_builtins_types_83, nss_builtins_items_83, {NULL} },
-  { 11, nss_builtins_types_84, nss_builtins_items_84, {NULL} },
-  { 13, nss_builtins_types_85, nss_builtins_items_85, {NULL} },
-  { 11, nss_builtins_types_86, nss_builtins_items_86, {NULL} },
-  { 13, nss_builtins_types_87, nss_builtins_items_87, {NULL} },
-  { 11, nss_builtins_types_88, nss_builtins_items_88, {NULL} },
-  { 13, nss_builtins_types_89, nss_builtins_items_89, {NULL} },
-  { 11, nss_builtins_types_90, nss_builtins_items_90, {NULL} },
-  { 13, nss_builtins_types_91, nss_builtins_items_91, {NULL} },
-  { 11, nss_builtins_types_92, nss_builtins_items_92, {NULL} },
-  { 13, nss_builtins_types_93, nss_builtins_items_93, {NULL} },
-  { 11, nss_builtins_types_94, nss_builtins_items_94, {NULL} },
-  { 13, nss_builtins_types_95, nss_builtins_items_95, {NULL} },
-  { 11, nss_builtins_types_96, nss_builtins_items_96, {NULL} },
-  { 13, nss_builtins_types_97, nss_builtins_items_97, {NULL} },
-  { 11, nss_builtins_types_98, nss_builtins_items_98, {NULL} },
-  { 13, nss_builtins_types_99, nss_builtins_items_99, {NULL} },
-  { 11, nss_builtins_types_100, nss_builtins_items_100, {NULL} },
-  { 13, nss_builtins_types_101, nss_builtins_items_101, {NULL} },
-  { 11, nss_builtins_types_102, nss_builtins_items_102, {NULL} },
-  { 13, nss_builtins_types_103, nss_builtins_items_103, {NULL} },
-  { 11, nss_builtins_types_104, nss_builtins_items_104, {NULL} },
-  { 13, nss_builtins_types_105, nss_builtins_items_105, {NULL} },
-  { 11, nss_builtins_types_106, nss_builtins_items_106, {NULL} },
-  { 13, nss_builtins_types_107, nss_builtins_items_107, {NULL} },
-  { 11, nss_builtins_types_108, nss_builtins_items_108, {NULL} },
-  { 13, nss_builtins_types_109, nss_builtins_items_109, {NULL} },
-  { 11, nss_builtins_types_110, nss_builtins_items_110, {NULL} },
-  { 13, nss_builtins_types_111, nss_builtins_items_111, {NULL} },
-  { 11, nss_builtins_types_112, nss_builtins_items_112, {NULL} },
-  { 13, nss_builtins_types_113, nss_builtins_items_113, {NULL} },
-  { 11, nss_builtins_types_114, nss_builtins_items_114, {NULL} },
-  { 13, nss_builtins_types_115, nss_builtins_items_115, {NULL} },
-  { 11, nss_builtins_types_116, nss_builtins_items_116, {NULL} },
-  { 13, nss_builtins_types_117, nss_builtins_items_117, {NULL} },
-  { 11, nss_builtins_types_118, nss_builtins_items_118, {NULL} },
-  { 13, nss_builtins_types_119, nss_builtins_items_119, {NULL} },
-  { 11, nss_builtins_types_120, nss_builtins_items_120, {NULL} },
-  { 13, nss_builtins_types_121, nss_builtins_items_121, {NULL} },
-  { 11, nss_builtins_types_122, nss_builtins_items_122, {NULL} },
-  { 13, nss_builtins_types_123, nss_builtins_items_123, {NULL} },
-  { 11, nss_builtins_types_124, nss_builtins_items_124, {NULL} },
-  { 13, nss_builtins_types_125, nss_builtins_items_125, {NULL} },
-  { 11, nss_builtins_types_126, nss_builtins_items_126, {NULL} },
-  { 13, nss_builtins_types_127, nss_builtins_items_127, {NULL} },
-  { 11, nss_builtins_types_128, nss_builtins_items_128, {NULL} },
-  { 13, nss_builtins_types_129, nss_builtins_items_129, {NULL} },
-  { 11, nss_builtins_types_130, nss_builtins_items_130, {NULL} },
-  { 13, nss_builtins_types_131, nss_builtins_items_131, {NULL} },
-  { 11, nss_builtins_types_132, nss_builtins_items_132, {NULL} },
-  { 13, nss_builtins_types_133, nss_builtins_items_133, {NULL} },
-  { 11, nss_builtins_types_134, nss_builtins_items_134, {NULL} },
-  { 13, nss_builtins_types_135, nss_builtins_items_135, {NULL} },
-  { 11, nss_builtins_types_136, nss_builtins_items_136, {NULL} },
-  { 13, nss_builtins_types_137, nss_builtins_items_137, {NULL} },
-  { 11, nss_builtins_types_138, nss_builtins_items_138, {NULL} },
-  { 13, nss_builtins_types_139, nss_builtins_items_139, {NULL} },
-  { 11, nss_builtins_types_140, nss_builtins_items_140, {NULL} },
-  { 13, nss_builtins_types_141, nss_builtins_items_141, {NULL} },
-  { 11, nss_builtins_types_142, nss_builtins_items_142, {NULL} },
-  { 13, nss_builtins_types_143, nss_builtins_items_143, {NULL} },
-  { 11, nss_builtins_types_144, nss_builtins_items_144, {NULL} },
-  { 13, nss_builtins_types_145, nss_builtins_items_145, {NULL} },
-  { 11, nss_builtins_types_146, nss_builtins_items_146, {NULL} },
-  { 13, nss_builtins_types_147, nss_builtins_items_147, {NULL} },
-  { 11, nss_builtins_types_148, nss_builtins_items_148, {NULL} },
-  { 13, nss_builtins_types_149, nss_builtins_items_149, {NULL} },
-  { 11, nss_builtins_types_150, nss_builtins_items_150, {NULL} },
-  { 13, nss_builtins_types_151, nss_builtins_items_151, {NULL} },
-  { 11, nss_builtins_types_152, nss_builtins_items_152, {NULL} },
-  { 13, nss_builtins_types_153, nss_builtins_items_153, {NULL} },
-  { 11, nss_builtins_types_154, nss_builtins_items_154, {NULL} },
-  { 13, nss_builtins_types_155, nss_builtins_items_155, {NULL} },
-  { 11, nss_builtins_types_156, nss_builtins_items_156, {NULL} },
-  { 13, nss_builtins_types_157, nss_builtins_items_157, {NULL} },
-  { 11, nss_builtins_types_158, nss_builtins_items_158, {NULL} },
-  { 13, nss_builtins_types_159, nss_builtins_items_159, {NULL} },
-  { 11, nss_builtins_types_160, nss_builtins_items_160, {NULL} },
-  { 13, nss_builtins_types_161, nss_builtins_items_161, {NULL} },
-  { 11, nss_builtins_types_162, nss_builtins_items_162, {NULL} },
-  { 13, nss_builtins_types_163, nss_builtins_items_163, {NULL} },
-  { 11, nss_builtins_types_164, nss_builtins_items_164, {NULL} },
-  { 13, nss_builtins_types_165, nss_builtins_items_165, {NULL} },
-  { 11, nss_builtins_types_166, nss_builtins_items_166, {NULL} },
-  { 13, nss_builtins_types_167, nss_builtins_items_167, {NULL} },
-  { 11, nss_builtins_types_168, nss_builtins_items_168, {NULL} },
-  { 13, nss_builtins_types_169, nss_builtins_items_169, {NULL} },
-  { 11, nss_builtins_types_170, nss_builtins_items_170, {NULL} },
-  { 13, nss_builtins_types_171, nss_builtins_items_171, {NULL} },
-  { 11, nss_builtins_types_172, nss_builtins_items_172, {NULL} },
-  { 13, nss_builtins_types_173, nss_builtins_items_173, {NULL} },
-  { 11, nss_builtins_types_174, nss_builtins_items_174, {NULL} },
-  { 13, nss_builtins_types_175, nss_builtins_items_175, {NULL} },
-  { 11, nss_builtins_types_176, nss_builtins_items_176, {NULL} },
-  { 13, nss_builtins_types_177, nss_builtins_items_177, {NULL} },
-  { 11, nss_builtins_types_178, nss_builtins_items_178, {NULL} },
-  { 13, nss_builtins_types_179, nss_builtins_items_179, {NULL} },
-  { 11, nss_builtins_types_180, nss_builtins_items_180, {NULL} },
-  { 13, nss_builtins_types_181, nss_builtins_items_181, {NULL} },
-  { 11, nss_builtins_types_182, nss_builtins_items_182, {NULL} },
-  { 13, nss_builtins_types_183, nss_builtins_items_183, {NULL} },
-  { 11, nss_builtins_types_184, nss_builtins_items_184, {NULL} },
-  { 13, nss_builtins_types_185, nss_builtins_items_185, {NULL} },
-  { 11, nss_builtins_types_186, nss_builtins_items_186, {NULL} },
-  { 13, nss_builtins_types_187, nss_builtins_items_187, {NULL} },
-  { 11, nss_builtins_types_188, nss_builtins_items_188, {NULL} },
-  { 13, nss_builtins_types_189, nss_builtins_items_189, {NULL} }
-};
-PR_IMPLEMENT_DATA(const PRUint32)
-#ifdef DEBUG
-  nss_builtins_nObjects = 189+1;
-#else
-  nss_builtins_nObjects = 189;
-#endif /* DEBUG */
diff --git a/security/nss/lib/ckfw/builtins/certdata.perl b/security/nss/lib/ckfw/builtins/certdata.perl
deleted file mode 100644
index 256235cfc..000000000
--- a/security/nss/lib/ckfw/builtins/certdata.perl
+++ /dev/null
@@ -1,299 +0,0 @@
-#!perl -w
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-my $cvs_id = '@(#) $RCSfile$ $Revision$ $Date$';
-use strict;
-
-my %constants;
-my $count = 0;
-my $o;
-my @objects = ();
-my @objsize;
-my $cvsid;
-
-$constants{CKO_DATA} = "static const CK_OBJECT_CLASS cko_data = CKO_DATA;\n";
-$constants{CK_TRUE} = "static const CK_BBOOL ck_true = CK_TRUE;\n";
-$constants{CK_FALSE} = "static const CK_BBOOL ck_false = CK_FALSE;\n";
-
-while(<>) {
-  my @fields = ();
-  my $size;
-
-  s/^((?:[^"#]+|"[^"]*")*)(\s*#.*$)/$1/;
-  next if (/^\s*$/);
-
-  if( /(^CVS_ID\s+)(.*)/ ) {
-#    print "The CVS ID is $2\n";
-    $cvsid = $2 . "\"; $cvs_id\"";
-    my $scratch = $cvsid;
-    $size = 1 + $scratch =~ s/[^"\n]//g;
-    @{$objects[0][0]} = ( "CKA_CLASS", "&cko_data", "sizeof(CK_OBJECT_CLASS)" );
-    @{$objects[0][1]} = ( "CKA_TOKEN", "&ck_true", "sizeof(CK_BBOOL)" );
-    @{$objects[0][2]} = ( "CKA_PRIVATE", "&ck_false", "sizeof(CK_BBOOL)" );
-    @{$objects[0][3]} = ( "CKA_MODIFIABLE", "&ck_false", "sizeof(CK_BBOOL)" );
-    @{$objects[0][4]} = ( "CKA_LABEL", "\"CVS ID\"", "7" );
-    @{$objects[0][5]} = ( "CKA_APPLICATION", "\"NSS\"", "4" );
-    @{$objects[0][6]} = ( "CKA_VALUE", $cvsid, "$size" );
-    $objsize[0] = 7;
-    next;
-  }
-
-  # This was taken from the perl faq #4.
-  my $text = $_;
-  push(@fields, $+) while $text =~ m{
-      "([^\"\\]*(?:\\.[^\"\\]*)*)"\s?  # groups the phrase inside the quotes
-    | ([^\s]+)\s?
-    | \s
-  }gx;
-  push(@fields, undef) if substr($text,-1,1) eq '\s';
-
-  if( $fields[0] =~ /BEGINDATA/ ) {
-    next;
-  }
-
-  if( $fields[1] =~ /MULTILINE/ ) {
-    $fields[2] = "";
-    while(<>) {
-      last if /END/;
-      chomp;
-      $fields[2] .= "\"$_\"\n";
-    }
-  }
-
-  if( $fields[1] =~ /UTF8/ ) {
-    if( $fields[2] =~ /^"/ ) {
-      ;
-    } else {
-      $fields[2] = "\"" . $fields[2] . "\"";
-    }
-
-    my $scratch = $fields[2];
-    $size = $scratch =~ s/[^"\n]//g; # should supposedly handle multilines, too..
-    $size += 1; # null terminate
-  }
-
-  if( $fields[1] =~ /OCTAL/ ) {
-    if( $fields[2] =~ /^"/ ) {
-      ;
-    } else {
-      $fields[2] = "\"" . $fields[2] . "\"";
-    }
-
-    my $scratch = $fields[2];
-    $size = $scratch =~ tr/\\//;
-    # no null termination
-  }
-
-  if( $fields[1] =~ /^CK_/ ) {
-    my $lcv = $fields[2];
-    $lcv =~ tr/A-Z/a-z/;
-    if( !defined($constants{$fields[2]}) ) {
-      $constants{$fields[2]} = "static const $fields[1] $lcv = $fields[2];\n";
-    }
-    
-    $size = "sizeof($fields[1])";
-    $fields[2] = "&$lcv";
-  }
-
-  if( $fields[0] =~ /CKA_CLASS/ ) {
-    $count++;
-    $objsize[$count] = 0;
-  }
-
-  @{$objects[$count][$objsize[$count]++]} = ( "$fields[0]", $fields[2], "$size" );
-
- # print "$fields[0] | $fields[1] | $size | $fields[2]\n";
-}
-
-doprint();
-
-sub dudump {
-my $i;
-for( $i = 0; $i <= $count; $i++ ) {
-  print "\n";
-  $o = $objects[$i];
-  my @ob = @{$o};
-  my $l;
-  my $j;
-  for( $j = 0; $j < @ob; $j++ ) {
-    $l = $ob[$j];
-    my @a = @{$l};
-    print "$a[0] ! $a[1] ! $a[2]\n";
-  }
-}
-
-}
-
-sub doprint {
-my $i;
-
-open(CFILE, ">certdata.c") || die "Can't open certdata.c: $!";
-
-print CFILE <<EOD
-/* THIS IS A GENERATED FILE */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#ifdef DEBUG
-static const char CVS_ID[] = $cvsid;
-#endif /* DEBUG */
-
-#ifndef BUILTINS_H
-#include "builtins.h"
-#endif /* BUILTINS_H */
-
-EOD
-    ;
-
-while(($a,$b) = each(%constants)) {
-  print CFILE $b;
-}
-
-for( $i = 0; $i <= $count; $i++ ) {
-  if( 0 == $i ) {
-    print CFILE "#ifdef DEBUG\n";
-  }
-
-  print CFILE "static const CK_ATTRIBUTE_TYPE nss_builtins_types_$i [] = {\n";
-  $o = $objects[$i];
- # print STDOUT "type $i object $o \n";
-  my @ob = @{$o};
-  my $j;
-  for( $j = 0; $j < @ob; $j++ ) {
-    my $l = $ob[$j];
-    my @a = @{$l};
-    print CFILE " $a[0]";
-    if( $j+1 != @ob ) {
-      print CFILE ", ";
-    }
-  }
-  print CFILE "\n};\n";
-
-  if( 0 == $i ) {
-    print CFILE "#endif /* DEBUG */\n";
-  }
-}
-
-for( $i = 0; $i <= $count; $i++ ) {
-  if( 0 == $i ) {
-    print CFILE "#ifdef DEBUG\n";
-  }
-
-  print CFILE "static const NSSItem nss_builtins_items_$i [] = {\n";
-  $o = $objects[$i];
-  my @ob = @{$o};
-  my $j;
-  for( $j = 0; $j < @ob; $j++ ) {
-    my $l = $ob[$j];
-    my @a = @{$l};
-    print CFILE "  { (void *)$a[1], (PRUint32)$a[2] }";
-    if( $j+1 != @ob ) {
-      print CFILE ",\n";
-    } else {
-      print CFILE "\n";
-    }
-  }
-  print CFILE "};\n";
-
-  if( 0 == $i ) {
-    print CFILE "#endif /* DEBUG */\n";
-  }
-}
-
-print CFILE "\nPR_IMPLEMENT_DATA(builtinsInternalObject)\n";
-print CFILE "nss_builtins_data[] = {\n";
-
-for( $i = 0; $i <= $count; $i++ ) {
-
-  if( 0 == $i ) {
-    print CFILE "#ifdef DEBUG\n";
-  }
-
-  print CFILE "  { $objsize[$i], nss_builtins_types_$i, nss_builtins_items_$i, {NULL} }";
-
-  if( $i == $count ) {
-    print CFILE "\n";
-  } else {
-    print CFILE ",\n";
-  }
-
-  if( 0 == $i ) {
-    print CFILE "#endif /* DEBUG */\n";
-  }
-}
-
-print CFILE "};\n";
-
-print CFILE "PR_IMPLEMENT_DATA(const PRUint32)\n";
-print CFILE "#ifdef DEBUG\n";
-print CFILE "  nss_builtins_nObjects = $count+1;\n";
-print CFILE "#else\n";
-print CFILE "  nss_builtins_nObjects = $count;\n";
-print CFILE "#endif /* DEBUG */\n";
-}
diff --git a/security/nss/lib/ckfw/builtins/certdata.txt b/security/nss/lib/ckfw/builtins/certdata.txt
deleted file mode 100644
index 8a8b1c5b6..000000000
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ /dev/null
@@ -1,13070 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-CVS_ID "@(#) $RCSfile$ $Revision$ $Date$"
-
-#
-# certdata.txt
-#
-# This file contains the object definitions for the certs and other
-# information "built into" NSS.
-#
-# Object definitions:
-#
-#    Certificates
-#
-#  -- Attribute --          -- type --              -- value --
-#  CKA_CLASS                CK_OBJECT_CLASS         CKO_CERTIFICATE
-#  CKA_TOKEN                CK_BBOOL                CK_TRUE
-#  CKA_PRIVATE              CK_BBOOL                CK_FALSE
-#  CKA_MODIFIABLE           CK_BBOOL                CK_FALSE
-#  CKA_LABEL                UTF8                    (varies)
-#  CKA_CERTIFICATE_TYPE     CK_CERTIFICATE_TYPE     CKC_X_509
-#  CKA_SUBJECT              DER+base64              (varies)
-#  CKA_ID                   byte array              (varies)
-#  CKA_ISSUER               DER+base64              (varies)
-#  CKA_SERIAL_NUMBER        DER+base64              (varies)
-#  CKA_VALUE                DER+base64              (varies)
-#  CKA_NETSCAPE_EMAIL       ASCII7                  (unused here)
-#
-#    Trust
-#
-#  -- Attribute --              -- type --          -- value --
-#  CKA_CLASS                    CK_OBJECT_CLASS     CKO_TRUST
-#  CKA_TOKEN                    CK_BBOOL            CK_TRUE
-#  CKA_PRIVATE                  CK_BBOOL            CK_FALSE
-#  CKA_MODIFIABLE               CK_BBOOL            CK_FALSE
-#  CKA_LABEL                    UTF8                (varies)
-#  CKA_ISSUER                   DER+base64          (varies)
-#  CKA_SERIAL_NUMBER            DER+base64          (varies)
-#  CKA_CERT_HASH                binary+base64       (varies)
-#  CKA_EXPIRES                  CK_DATE             (not used here)
-#  CKA_TRUST_DIGITAL_SIGNATURE  CK_TRUST            (varies)
-#  CKA_TRUST_NON_REPUDIATION    CK_TRUST            (varies)
-#  CKA_TRUST_KEY_ENCIPHERMENT   CK_TRUST            (varies)
-#  CKA_TRUST_DATA_ENCIPHERMENT  CK_TRUST            (varies)
-#  CKA_TRUST_KEY_AGREEMENT      CK_TRUST            (varies)
-#  CKA_TRUST_KEY_CERT_SIGN      CK_TRUST            (varies)
-#  CKA_TRUST_CRL_SIGN           CK_TRUST            (varies)
-#  CKA_TRUST_SERVER_AUTH        CK_TRUST            (varies)
-#  CKA_TRUST_CLIENT_AUTH        CK_TRUST            (varies)
-#  CKA_TRUST_CODE_SIGNING       CK_TRUST            (varies)
-#  CKA_TRUST_EMAIL_PROTECTION   CK_TRUST            (varies)
-#  CKA_TRUST_IPSEC_END_SYSTEM   CK_TRUST            (varies)
-#  CKA_TRUST_IPSEC_TUNNEL       CK_TRUST            (varies)
-#  CKA_TRUST_IPSEC_USER         CK_TRUST            (varies)
-#  CKA_TRUST_TIME_STAMPING      CK_TRUST            (varies)
-#  CKA_TRUST_STEP_UP_APPROVED   CK_BBOOL            (varies)
-#  (other trust attributes can be defined)
-#
-
-#
-# The object to tell NSS that this is a root list and we don't
-# have to go looking for others.
-#
-BEGINDATA
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_BUILTIN_ROOT_LIST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Mozilla Builtin Roots"
-
-#
-# Certificate "Verisign/RSA Secure Server CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign/RSA Secure Server CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\040\060\036\006\003\125\004\012\023\027\122\123\101\040\104\141
-\164\141\040\123\145\143\165\162\151\164\171\054\040\111\156\143
-\056\061\056\060\054\006\003\125\004\013\023\045\123\145\143\165
-\162\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\040\060\036\006\003\125\004\012\023\027\122\123\101\040\104\141
-\164\141\040\123\145\143\165\162\151\164\171\054\040\111\156\143
-\056\061\056\060\054\006\003\125\004\013\023\045\123\145\143\165
-\162\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\002\255\146\176\116\105\376\136\127\157\074\230\031\136
-\335\300
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\064\060\202\001\241\002\020\002\255\146\176\116\105
-\376\136\127\157\074\230\031\136\335\300\060\015\006\011\052\206
-\110\206\367\015\001\001\002\005\000\060\137\061\013\060\011\006
-\003\125\004\006\023\002\125\123\061\040\060\036\006\003\125\004
-\012\023\027\122\123\101\040\104\141\164\141\040\123\145\143\165
-\162\151\164\171\054\040\111\156\143\056\061\056\060\054\006\003
-\125\004\013\023\045\123\145\143\165\162\145\040\123\145\162\166
-\145\162\040\103\145\162\164\151\146\151\143\141\164\151\157\156
-\040\101\165\164\150\157\162\151\164\171\060\036\027\015\071\064
-\061\061\060\071\060\060\060\060\060\060\132\027\015\061\060\060
-\061\060\067\062\063\065\071\065\071\132\060\137\061\013\060\011
-\006\003\125\004\006\023\002\125\123\061\040\060\036\006\003\125
-\004\012\023\027\122\123\101\040\104\141\164\141\040\123\145\143
-\165\162\151\164\171\054\040\111\156\143\056\061\056\060\054\006
-\003\125\004\013\023\045\123\145\143\165\162\145\040\123\145\162
-\166\145\162\040\103\145\162\164\151\146\151\143\141\164\151\157
-\156\040\101\165\164\150\157\162\151\164\171\060\201\233\060\015
-\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\211
-\000\060\201\205\002\176\000\222\316\172\301\256\203\076\132\252
-\211\203\127\254\045\001\166\014\255\256\216\054\067\316\353\065
-\170\144\124\003\345\204\100\121\311\277\217\010\342\212\202\010
-\322\026\206\067\125\351\261\041\002\255\166\150\201\232\005\242
-\113\311\113\045\146\042\126\154\210\007\217\367\201\131\155\204
-\007\145\160\023\161\166\076\233\167\114\343\120\211\126\230\110
-\271\035\247\051\032\023\056\112\021\131\234\036\025\325\111\124
-\054\163\072\151\202\261\227\071\234\155\160\147\110\345\335\055
-\326\310\036\173\002\003\001\000\001\060\015\006\011\052\206\110
-\206\367\015\001\001\002\005\000\003\176\000\145\335\176\341\262
-\354\260\342\072\340\354\161\106\232\031\021\270\323\307\240\264
-\003\100\046\002\076\011\234\341\022\263\321\132\366\067\245\267
-\141\003\266\133\026\151\073\306\104\010\014\210\123\014\153\227
-\111\307\076\065\334\154\271\273\252\337\134\273\072\057\223\140
-\266\251\113\115\362\040\367\315\137\177\144\173\216\334\000\134
-\327\372\167\312\071\026\131\157\016\352\323\265\203\177\115\115
-\102\126\166\264\311\137\004\370\070\370\353\322\137\165\137\315
-\173\374\345\216\200\174\374\120
-END
-
-# Trust for Certificate "Verisign/RSA Secure Server CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign/RSA Secure Server CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\104\143\305\061\327\314\301\000\147\224\141\053\266\126\323\277
-\202\127\204\157
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\164\173\202\003\103\360\000\236\153\263\354\107\277\205\245\223
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\040\060\036\006\003\125\004\012\023\027\122\123\101\040\104\141
-\164\141\040\123\145\143\165\162\151\164\171\054\040\111\156\143
-\056\061\056\060\054\006\003\125\004\013\023\045\123\145\143\165
-\162\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\002\255\146\176\116\105\376\136\127\157\074\230\031\136
-\335\300
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_TRUE
-
-#
-# Certificate "GTE CyberTrust Root CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "GTE CyberTrust Root CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\105\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
-\162\160\157\162\141\164\151\157\156\061\034\060\032\006\003\125
-\004\003\023\023\107\124\105\040\103\171\142\145\162\124\162\165
-\163\164\040\122\157\157\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\105\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
-\162\160\157\162\141\164\151\157\156\061\034\060\032\006\003\125
-\004\003\023\023\107\124\105\040\103\171\142\145\162\124\162\165
-\163\164\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\002\001\243
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\001\372\060\202\001\143\002\002\001\243\060\015\006\011
-\052\206\110\206\367\015\001\001\004\005\000\060\105\061\013\060
-\011\006\003\125\004\006\023\002\125\123\061\030\060\026\006\003
-\125\004\012\023\017\107\124\105\040\103\157\162\160\157\162\141
-\164\151\157\156\061\034\060\032\006\003\125\004\003\023\023\107
-\124\105\040\103\171\142\145\162\124\162\165\163\164\040\122\157
-\157\164\060\036\027\015\071\066\060\062\062\063\062\063\060\061
-\060\060\132\027\015\060\066\060\062\062\063\062\063\065\071\060
-\060\132\060\105\061\013\060\011\006\003\125\004\006\023\002\125
-\123\061\030\060\026\006\003\125\004\012\023\017\107\124\105\040
-\103\157\162\160\157\162\141\164\151\157\156\061\034\060\032\006
-\003\125\004\003\023\023\107\124\105\040\103\171\142\145\162\124
-\162\165\163\164\040\122\157\157\164\060\201\237\060\015\006\011
-\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060
-\201\211\002\201\201\000\270\346\117\272\333\230\174\161\174\257
-\104\267\323\017\106\331\144\345\223\301\102\216\307\272\111\215
-\065\055\172\347\213\275\345\005\061\131\306\261\057\012\014\373
-\237\247\077\242\011\146\204\126\036\067\051\033\207\351\176\014
-\312\232\237\245\177\365\025\224\243\325\242\106\202\330\150\114
-\321\067\025\006\150\257\275\370\260\263\360\051\365\225\132\011
-\026\141\167\012\042\045\324\117\105\252\307\275\345\226\337\371
-\324\250\216\102\314\044\300\036\221\047\112\265\155\006\200\143
-\071\304\242\136\070\003\002\003\001\000\001\060\015\006\011\052
-\206\110\206\367\015\001\001\004\005\000\003\201\201\000\022\263
-\165\306\137\035\341\141\125\200\000\324\201\113\173\061\017\043
-\143\347\075\363\003\371\364\066\250\273\331\343\245\227\115\352
-\053\051\340\326\152\163\201\346\300\211\243\323\361\340\245\245
-\042\067\232\143\302\110\040\264\333\162\343\310\366\331\174\276
-\261\257\123\332\024\264\041\270\326\325\226\343\376\116\014\131
-\142\266\232\112\371\102\335\214\157\201\251\161\377\364\012\162
-\155\155\104\016\235\363\164\164\250\325\064\111\351\136\236\351
-\264\172\341\345\132\037\204\060\234\323\237\245\045\330
-END
-
-# Trust for Certificate "GTE CyberTrust Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "GTE CyberTrust Root CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\220\336\336\236\114\116\237\157\330\206\027\127\235\323\221\274
-\145\246\211\144
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\304\327\360\262\243\305\175\141\147\360\004\315\103\323\272\130
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\105\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
-\162\160\157\162\141\164\151\157\156\061\034\060\032\006\003\125
-\004\003\023\023\107\124\105\040\103\171\142\145\162\124\162\165
-\163\164\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\002\001\243
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_TRUE
-
-#
-# Certificate "GTE CyberTrust Global Root"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "GTE CyberTrust Global Root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
-\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
-\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
-\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
-\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105
-\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142
-\141\154\040\122\157\157\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
-\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
-\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
-\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
-\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105
-\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142
-\141\154\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\002\001\245
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\132\060\202\001\303\002\002\001\245\060\015\006\011
-\052\206\110\206\367\015\001\001\004\005\000\060\165\061\013\060
-\011\006\003\125\004\006\023\002\125\123\061\030\060\026\006\003
-\125\004\012\023\017\107\124\105\040\103\157\162\160\157\162\141
-\164\151\157\156\061\047\060\045\006\003\125\004\013\023\036\107
-\124\105\040\103\171\142\145\162\124\162\165\163\164\040\123\157
-\154\165\164\151\157\156\163\054\040\111\156\143\056\061\043\060
-\041\006\003\125\004\003\023\032\107\124\105\040\103\171\142\145
-\162\124\162\165\163\164\040\107\154\157\142\141\154\040\122\157
-\157\164\060\036\027\015\071\070\060\070\061\063\060\060\062\071
-\060\060\132\027\015\061\070\060\070\061\063\062\063\065\071\060
-\060\132\060\165\061\013\060\011\006\003\125\004\006\023\002\125
-\123\061\030\060\026\006\003\125\004\012\023\017\107\124\105\040
-\103\157\162\160\157\162\141\164\151\157\156\061\047\060\045\006
-\003\125\004\013\023\036\107\124\105\040\103\171\142\145\162\124
-\162\165\163\164\040\123\157\154\165\164\151\157\156\163\054\040
-\111\156\143\056\061\043\060\041\006\003\125\004\003\023\032\107
-\124\105\040\103\171\142\145\162\124\162\165\163\164\040\107\154
-\157\142\141\154\040\122\157\157\164\060\201\237\060\015\006\011
-\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060
-\201\211\002\201\201\000\225\017\240\266\360\120\234\350\172\307
-\210\315\335\027\016\056\260\224\320\033\075\016\366\224\300\212
-\224\307\006\310\220\227\310\270\144\032\172\176\154\074\123\341
-\067\050\163\140\177\262\227\123\007\237\123\371\155\130\224\322
-\257\215\155\210\147\200\346\355\262\225\317\162\061\312\245\034
-\162\272\134\002\347\144\102\347\371\251\054\326\072\015\254\215
-\102\252\044\001\071\346\234\077\001\205\127\015\130\207\105\370
-\323\205\252\223\151\046\205\160\110\200\077\022\025\307\171\264
-\037\005\057\073\142\231\002\003\001\000\001\060\015\006\011\052
-\206\110\206\367\015\001\001\004\005\000\003\201\201\000\155\353
-\033\011\351\136\331\121\333\147\042\141\244\052\074\110\167\343
-\240\174\246\336\163\242\024\003\205\075\373\253\016\060\305\203
-\026\063\201\023\010\236\173\064\116\337\100\310\164\327\271\175
-\334\364\166\125\175\233\143\124\030\351\360\352\363\134\261\331
-\213\102\036\271\300\225\116\272\372\325\342\174\365\150\141\277
-\216\354\005\227\137\133\260\327\243\205\064\304\044\247\015\017
-\225\223\357\313\224\330\236\037\235\134\205\155\307\252\256\117
-\037\042\265\315\225\255\272\247\314\371\253\013\172\177
-END
-
-# Trust for Certificate "GTE CyberTrust Global Root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "GTE CyberTrust Global Root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\227\201\171\120\330\034\226\160\314\064\330\011\317\171\104\061
-\066\176\364\164
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\312\075\323\150\361\003\134\320\062\372\270\053\131\350\132\333
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
-\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
-\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
-\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
-\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105
-\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142
-\141\154\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\002\001\245
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_TRUE
-
-#
-# Certificate "Thawte Personal Basic CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Thawte Personal Basic CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\313\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
-\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006
-\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156
-\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013
-\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040
-\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157
-\156\061\041\060\037\006\003\125\004\003\023\030\124\150\141\167
-\164\145\040\120\145\162\163\157\156\141\154\040\102\141\163\151
-\143\040\103\101\061\050\060\046\006\011\052\206\110\206\367\015
-\001\011\001\026\031\160\145\162\163\157\156\141\154\055\142\141
-\163\151\143\100\164\150\141\167\164\145\056\143\157\155
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\313\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
-\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006
-\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156
-\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013
-\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040
-\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157
-\156\061\041\060\037\006\003\125\004\003\023\030\124\150\141\167
-\164\145\040\120\145\162\163\157\156\141\154\040\102\141\163\151
-\143\040\103\101\061\050\060\046\006\011\052\206\110\206\367\015
-\001\011\001\026\031\160\145\162\163\157\156\141\154\055\142\141
-\163\151\143\100\164\150\141\167\164\145\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\041\060\202\002\212\240\003\002\001\002\002\001\000
-\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
-\201\313\061\013\060\011\006\003\125\004\006\023\002\132\101\061
-\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145\162
-\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007\023
-\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006\003
-\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156\163
-\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013\023
-\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040\123
-\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157\156
-\061\041\060\037\006\003\125\004\003\023\030\124\150\141\167\164
-\145\040\120\145\162\163\157\156\141\154\040\102\141\163\151\143
-\040\103\101\061\050\060\046\006\011\052\206\110\206\367\015\001
-\011\001\026\031\160\145\162\163\157\156\141\154\055\142\141\163
-\151\143\100\164\150\141\167\164\145\056\143\157\155\060\036\027
-\015\071\066\060\061\060\061\060\060\060\060\060\060\132\027\015
-\062\060\061\062\063\061\062\063\065\071\065\071\132\060\201\313
-\061\013\060\011\006\003\125\004\006\023\002\132\101\061\025\060
-\023\006\003\125\004\010\023\014\127\145\163\164\145\162\156\040
-\103\141\160\145\061\022\060\020\006\003\125\004\007\023\011\103
-\141\160\145\040\124\157\167\156\061\032\060\030\006\003\125\004
-\012\023\021\124\150\141\167\164\145\040\103\157\156\163\165\154
-\164\151\156\147\061\050\060\046\006\003\125\004\013\023\037\103
-\145\162\164\151\146\151\143\141\164\151\157\156\040\123\145\162
-\166\151\143\145\163\040\104\151\166\151\163\151\157\156\061\041
-\060\037\006\003\125\004\003\023\030\124\150\141\167\164\145\040
-\120\145\162\163\157\156\141\154\040\102\141\163\151\143\040\103
-\101\061\050\060\046\006\011\052\206\110\206\367\015\001\011\001
-\026\031\160\145\162\163\157\156\141\154\055\142\141\163\151\143
-\100\164\150\141\167\164\145\056\143\157\155\060\201\237\060\015
-\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215
-\000\060\201\211\002\201\201\000\274\274\223\123\155\300\120\117
-\202\025\346\110\224\065\246\132\276\157\102\372\017\107\356\167
-\165\162\335\215\111\233\226\127\240\170\324\312\077\121\263\151
-\013\221\166\027\042\007\227\152\304\121\223\113\340\215\357\067
-\225\241\014\115\332\064\220\035\027\211\227\340\065\070\127\112
-\300\364\010\160\351\074\104\173\120\176\141\232\220\343\043\323
-\210\021\106\047\365\013\007\016\273\335\321\177\040\012\210\271
-\126\013\056\034\200\332\361\343\236\051\357\024\275\012\104\373
-\033\133\030\321\277\043\223\041\002\003\001\000\001\243\023\060
-\021\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001
-\001\377\060\015\006\011\052\206\110\206\367\015\001\001\004\005
-\000\003\201\201\000\055\342\231\153\260\075\172\211\327\131\242
-\224\001\037\053\335\022\113\123\302\255\177\252\247\000\134\221
-\100\127\045\112\070\252\204\160\271\331\200\017\245\173\134\373
-\163\306\275\327\212\141\134\003\343\055\047\250\027\340\204\205
-\102\334\136\233\306\267\262\155\273\164\257\344\077\313\247\267
-\260\340\135\276\170\203\045\224\322\333\201\017\171\007\155\117
-\364\071\025\132\122\001\173\336\062\326\115\070\366\022\134\006
-\120\337\005\133\275\024\113\241\337\051\272\073\101\215\367\143
-\126\241\337\042\261
-END
-
-# Trust for Certificate "Thawte Personal Basic CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Thawte Personal Basic CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\100\347\214\035\122\075\034\331\225\117\254\032\032\263\275\074
-\272\241\133\374
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\346\013\322\311\312\055\210\333\032\161\016\113\170\353\002\101
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\313\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
-\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006
-\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156
-\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013
-\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040
-\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157
-\156\061\041\060\037\006\003\125\004\003\023\030\124\150\141\167
-\164\145\040\120\145\162\163\157\156\141\154\040\102\141\163\151
-\143\040\103\101\061\050\060\046\006\011\052\206\110\206\367\015
-\001\011\001\026\031\160\145\162\163\157\156\141\154\055\142\141
-\163\151\143\100\164\150\141\167\164\145\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Thawte Personal Premium CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Thawte Personal Premium CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\317\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
-\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006
-\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156
-\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013
-\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040
-\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157
-\156\061\043\060\041\006\003\125\004\003\023\032\124\150\141\167
-\164\145\040\120\145\162\163\157\156\141\154\040\120\162\145\155
-\151\165\155\040\103\101\061\052\060\050\006\011\052\206\110\206
-\367\015\001\011\001\026\033\160\145\162\163\157\156\141\154\055
-\160\162\145\155\151\165\155\100\164\150\141\167\164\145\056\143
-\157\155
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\317\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
-\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006
-\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156
-\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013
-\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040
-\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157
-\156\061\043\060\041\006\003\125\004\003\023\032\124\150\141\167
-\164\145\040\120\145\162\163\157\156\141\154\040\120\162\145\155
-\151\165\155\040\103\101\061\052\060\050\006\011\052\206\110\206
-\367\015\001\011\001\026\033\160\145\162\163\157\156\141\154\055
-\160\162\145\155\151\165\155\100\164\150\141\167\164\145\056\143
-\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\051\060\202\002\222\240\003\002\001\002\002\001\000
-\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
-\201\317\061\013\060\011\006\003\125\004\006\023\002\132\101\061
-\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145\162
-\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007\023
-\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006\003
-\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156\163
-\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013\023
-\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040\123
-\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157\156
-\061\043\060\041\006\003\125\004\003\023\032\124\150\141\167\164
-\145\040\120\145\162\163\157\156\141\154\040\120\162\145\155\151
-\165\155\040\103\101\061\052\060\050\006\011\052\206\110\206\367
-\015\001\011\001\026\033\160\145\162\163\157\156\141\154\055\160
-\162\145\155\151\165\155\100\164\150\141\167\164\145\056\143\157
-\155\060\036\027\015\071\066\060\061\060\061\060\060\060\060\060
-\060\132\027\015\062\060\061\062\063\061\062\063\065\071\065\071
-\132\060\201\317\061\013\060\011\006\003\125\004\006\023\002\132
-\101\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164
-\145\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004
-\007\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030
-\006\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157
-\156\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004
-\013\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156
-\040\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151
-\157\156\061\043\060\041\006\003\125\004\003\023\032\124\150\141
-\167\164\145\040\120\145\162\163\157\156\141\154\040\120\162\145
-\155\151\165\155\040\103\101\061\052\060\050\006\011\052\206\110
-\206\367\015\001\011\001\026\033\160\145\162\163\157\156\141\154
-\055\160\162\145\155\151\165\155\100\164\150\141\167\164\145\056
-\143\157\155\060\201\237\060\015\006\011\052\206\110\206\367\015
-\001\001\001\005\000\003\201\215\000\060\201\211\002\201\201\000
-\311\146\331\370\007\104\317\271\214\056\360\241\357\023\105\154
-\005\337\336\047\026\121\066\101\021\154\154\073\355\376\020\175
-\022\236\345\233\102\232\376\140\061\303\146\267\163\072\110\256
-\116\320\062\067\224\210\265\015\266\331\363\362\104\331\325\210
-\022\335\166\115\362\032\374\157\043\036\172\361\330\230\105\116
-\007\020\357\026\102\320\103\165\155\112\336\342\252\311\061\377
-\037\000\160\174\146\317\020\045\010\272\372\356\000\351\106\003
-\146\047\021\025\073\252\133\362\230\335\066\102\262\332\210\165
-\002\003\001\000\001\243\023\060\021\060\017\006\003\125\035\023
-\001\001\377\004\005\060\003\001\001\377\060\015\006\011\052\206
-\110\206\367\015\001\001\004\005\000\003\201\201\000\151\066\211
-\367\064\052\063\162\057\155\073\324\042\262\270\157\232\305\066
-\146\016\033\074\241\261\165\132\346\375\065\323\370\250\362\007
-\157\205\147\216\336\053\271\342\027\260\072\240\360\016\242\000
-\232\337\363\024\025\156\273\310\205\132\230\200\371\377\276\164
-\035\075\363\376\060\045\321\067\064\147\372\245\161\171\060\141
-\051\162\300\340\054\114\373\126\344\072\250\157\345\062\131\122
-\333\165\050\120\131\014\370\013\031\344\254\331\257\226\215\057
-\120\333\007\303\352\037\253\063\340\365\053\061\211
-END
-
-# Trust for Certificate "Thawte Personal Premium CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Thawte Personal Premium CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\066\206\065\143\375\121\050\307\276\246\360\005\317\351\264\066
-\150\010\154\316
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\072\262\336\042\232\040\223\111\371\355\310\322\212\347\150\015
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\317\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
-\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006
-\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156
-\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013
-\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040
-\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157
-\156\061\043\060\041\006\003\125\004\003\023\032\124\150\141\167
-\164\145\040\120\145\162\163\157\156\141\154\040\120\162\145\155
-\151\165\155\040\103\101\061\052\060\050\006\011\052\206\110\206
-\367\015\001\011\001\026\033\160\145\162\163\157\156\141\154\055
-\160\162\145\155\151\165\155\100\164\150\141\167\164\145\056\143
-\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Thawte Personal Freemail CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Thawte Personal Freemail CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\321\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
-\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006
-\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156
-\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013
-\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040
-\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157
-\156\061\044\060\042\006\003\125\004\003\023\033\124\150\141\167
-\164\145\040\120\145\162\163\157\156\141\154\040\106\162\145\145
-\155\141\151\154\040\103\101\061\053\060\051\006\011\052\206\110
-\206\367\015\001\011\001\026\034\160\145\162\163\157\156\141\154
-\055\146\162\145\145\155\141\151\154\100\164\150\141\167\164\145
-\056\143\157\155
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\321\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
-\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006
-\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156
-\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013
-\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040
-\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157
-\156\061\044\060\042\006\003\125\004\003\023\033\124\150\141\167
-\164\145\040\120\145\162\163\157\156\141\154\040\106\162\145\145
-\155\141\151\154\040\103\101\061\053\060\051\006\011\052\206\110
-\206\367\015\001\011\001\026\034\160\145\162\163\157\156\141\154
-\055\146\162\145\145\155\141\151\154\100\164\150\141\167\164\145
-\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\055\060\202\002\226\240\003\002\001\002\002\001\000
-\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
-\201\321\061\013\060\011\006\003\125\004\006\023\002\132\101\061
-\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145\162
-\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007\023
-\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006\003
-\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156\163
-\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013\023
-\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040\123
-\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157\156
-\061\044\060\042\006\003\125\004\003\023\033\124\150\141\167\164
-\145\040\120\145\162\163\157\156\141\154\040\106\162\145\145\155
-\141\151\154\040\103\101\061\053\060\051\006\011\052\206\110\206
-\367\015\001\011\001\026\034\160\145\162\163\157\156\141\154\055
-\146\162\145\145\155\141\151\154\100\164\150\141\167\164\145\056
-\143\157\155\060\036\027\015\071\066\060\061\060\061\060\060\060
-\060\060\060\132\027\015\062\060\061\062\063\061\062\063\065\071
-\065\071\132\060\201\321\061\013\060\011\006\003\125\004\006\023
-\002\132\101\061\025\060\023\006\003\125\004\010\023\014\127\145
-\163\164\145\162\156\040\103\141\160\145\061\022\060\020\006\003
-\125\004\007\023\011\103\141\160\145\040\124\157\167\156\061\032
-\060\030\006\003\125\004\012\023\021\124\150\141\167\164\145\040
-\103\157\156\163\165\154\164\151\156\147\061\050\060\046\006\003
-\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151
-\163\151\157\156\061\044\060\042\006\003\125\004\003\023\033\124
-\150\141\167\164\145\040\120\145\162\163\157\156\141\154\040\106
-\162\145\145\155\141\151\154\040\103\101\061\053\060\051\006\011
-\052\206\110\206\367\015\001\011\001\026\034\160\145\162\163\157
-\156\141\154\055\146\162\145\145\155\141\151\154\100\164\150\141
-\167\164\145\056\143\157\155\060\201\237\060\015\006\011\052\206
-\110\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211
-\002\201\201\000\324\151\327\324\260\224\144\133\161\351\107\330
-\014\121\266\352\162\221\260\204\136\175\055\015\217\173\022\337
-\205\045\165\050\164\072\102\054\143\047\237\225\173\113\357\176
-\031\207\035\206\352\243\335\271\316\226\144\032\302\024\156\104
-\254\174\346\217\350\115\017\161\037\100\070\246\000\243\207\170
-\366\371\224\206\136\255\352\300\136\166\353\331\024\243\135\156
-\172\174\014\245\113\125\177\006\031\051\177\236\232\046\325\152
-\273\070\044\010\152\230\307\261\332\243\230\221\375\171\333\345
-\132\304\034\271\002\003\001\000\001\243\023\060\021\060\017\006
-\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\015
-\006\011\052\206\110\206\367\015\001\001\004\005\000\003\201\201
-\000\307\354\222\176\116\370\365\226\245\147\142\052\244\360\115
-\021\140\320\157\215\140\130\141\254\046\273\122\065\134\010\317
-\060\373\250\112\226\212\037\142\102\043\214\027\017\364\272\144
-\234\027\254\107\051\337\235\230\136\322\154\140\161\134\242\254
-\334\171\343\347\156\000\107\037\265\015\050\350\002\235\344\232
-\375\023\364\246\331\174\261\370\334\137\043\046\011\221\200\163
-\320\024\033\336\103\251\203\045\362\346\234\057\025\312\376\246
-\253\212\007\165\213\014\335\121\204\153\344\370\321\316\167\242
-\201
-END
-
-# Trust for Certificate "Thawte Personal Freemail CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Thawte Personal Freemail CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\040\231\000\266\075\225\127\050\024\014\321\066\042\330\306\207
-\244\353\000\205
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\036\164\303\206\074\014\065\305\076\302\177\357\074\252\074\331
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\321\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
-\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006
-\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156
-\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013
-\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040
-\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157
-\156\061\044\060\042\006\003\125\004\003\023\033\124\150\141\167
-\164\145\040\120\145\162\163\157\156\141\154\040\106\162\145\145
-\155\141\151\154\040\103\101\061\053\060\051\006\011\052\206\110
-\206\367\015\001\011\001\026\034\160\145\162\163\157\156\141\154
-\055\146\162\145\145\155\141\151\154\100\164\150\141\167\164\145
-\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Thawte Server CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Thawte Server CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\304\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
-\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006
-\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156
-\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003
-\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151
-\163\151\157\156\061\031\060\027\006\003\125\004\003\023\020\124
-\150\141\167\164\145\040\123\145\162\166\145\162\040\103\101\061
-\046\060\044\006\011\052\206\110\206\367\015\001\011\001\026\027
-\163\145\162\166\145\162\055\143\145\162\164\163\100\164\150\141
-\167\164\145\056\143\157\155
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\304\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
-\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006
-\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156
-\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003
-\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151
-\163\151\157\156\061\031\060\027\006\003\125\004\003\023\020\124
-\150\141\167\164\145\040\123\145\162\166\145\162\040\103\101\061
-\046\060\044\006\011\052\206\110\206\367\015\001\011\001\026\027
-\163\145\162\166\145\162\055\143\145\162\164\163\100\164\150\141
-\167\164\145\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\023\060\202\002\174\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
-\201\304\061\013\060\011\006\003\125\004\006\023\002\132\101\061
-\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145\162
-\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007\023
-\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006\003
-\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156\163
-\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003\125
-\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151\157
-\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151\163
-\151\157\156\061\031\060\027\006\003\125\004\003\023\020\124\150
-\141\167\164\145\040\123\145\162\166\145\162\040\103\101\061\046
-\060\044\006\011\052\206\110\206\367\015\001\011\001\026\027\163
-\145\162\166\145\162\055\143\145\162\164\163\100\164\150\141\167
-\164\145\056\143\157\155\060\036\027\015\071\066\060\070\060\061
-\060\060\060\060\060\060\132\027\015\062\060\061\062\063\061\062
-\063\065\071\065\071\132\060\201\304\061\013\060\011\006\003\125
-\004\006\023\002\132\101\061\025\060\023\006\003\125\004\010\023
-\014\127\145\163\164\145\162\156\040\103\141\160\145\061\022\060
-\020\006\003\125\004\007\023\011\103\141\160\145\040\124\157\167
-\156\061\035\060\033\006\003\125\004\012\023\024\124\150\141\167
-\164\145\040\103\157\156\163\165\154\164\151\156\147\040\143\143
-\061\050\060\046\006\003\125\004\013\023\037\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\123\145\162\166\151\143\145
-\163\040\104\151\166\151\163\151\157\156\061\031\060\027\006\003
-\125\004\003\023\020\124\150\141\167\164\145\040\123\145\162\166
-\145\162\040\103\101\061\046\060\044\006\011\052\206\110\206\367
-\015\001\011\001\026\027\163\145\162\166\145\162\055\143\145\162
-\164\163\100\164\150\141\167\164\145\056\143\157\155\060\201\237
-\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
-\201\215\000\060\201\211\002\201\201\000\323\244\120\156\310\377
-\126\153\346\317\135\266\352\014\150\165\107\242\252\302\332\204
-\045\374\250\364\107\121\332\205\265\040\164\224\206\036\017\165
-\311\351\010\141\365\006\155\060\156\025\031\002\351\122\300\142
-\333\115\231\236\342\152\014\104\070\315\376\276\343\144\011\160
-\305\376\261\153\051\266\057\111\310\073\324\047\004\045\020\227
-\057\347\220\155\300\050\102\231\327\114\103\336\303\365\041\155
-\124\237\135\303\130\341\300\344\331\133\260\270\334\264\173\337
-\066\072\302\265\146\042\022\326\207\015\002\003\001\000\001\243
-\023\060\021\060\017\006\003\125\035\023\001\001\377\004\005\060
-\003\001\001\377\060\015\006\011\052\206\110\206\367\015\001\001
-\004\005\000\003\201\201\000\007\372\114\151\134\373\225\314\106
-\356\205\203\115\041\060\216\312\331\250\157\111\032\346\332\121
-\343\140\160\154\204\141\021\241\032\310\110\076\131\103\175\117
-\225\075\241\213\267\013\142\230\172\165\212\335\210\116\116\236
-\100\333\250\314\062\164\271\157\015\306\343\263\104\013\331\212
-\157\232\051\233\231\030\050\073\321\343\100\050\232\132\074\325
-\265\347\040\033\213\312\244\253\215\351\121\331\342\114\054\131
-\251\332\271\262\165\033\366\102\362\357\307\362\030\371\211\274
-\243\377\212\043\056\160\107
-END
-
-# Trust for Certificate "Thawte Server CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Thawte Server CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\043\345\224\224\121\225\362\101\110\003\264\325\144\322\243\243
-\365\330\213\214
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\305\160\304\242\355\123\170\014\310\020\123\201\144\313\320\035
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\304\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
-\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006
-\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156
-\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003
-\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151
-\163\151\157\156\061\031\060\027\006\003\125\004\003\023\020\124
-\150\141\167\164\145\040\123\145\162\166\145\162\040\103\101\061
-\046\060\044\006\011\052\206\110\206\367\015\001\011\001\026\027
-\163\145\162\166\145\162\055\143\145\162\164\163\100\164\150\141
-\167\164\145\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_TRUE
-
-#
-# Certificate "Thawte Premium Server CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Thawte Premium Server CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
-\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006
-\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156
-\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003
-\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151
-\163\151\157\156\061\041\060\037\006\003\125\004\003\023\030\124
-\150\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145
-\162\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110
-\206\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055
-\163\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157
-\155
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
-\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006
-\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156
-\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003
-\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151
-\163\151\157\156\061\041\060\037\006\003\125\004\003\023\030\124
-\150\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145
-\162\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110
-\206\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055
-\163\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157
-\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\047\060\202\002\220\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
-\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101\061
-\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145\162
-\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007\023
-\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006\003
-\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156\163
-\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003\125
-\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151\157
-\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151\163
-\151\157\156\061\041\060\037\006\003\125\004\003\023\030\124\150
-\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145\162
-\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110\206
-\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055\163
-\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157\155
-\060\036\027\015\071\066\060\070\060\061\060\060\060\060\060\060
-\132\027\015\062\060\061\062\063\061\062\063\065\071\065\071\132
-\060\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
-\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006
-\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156
-\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003
-\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151
-\163\151\157\156\061\041\060\037\006\003\125\004\003\023\030\124
-\150\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145
-\162\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110
-\206\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055
-\163\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157
-\155\060\201\237\060\015\006\011\052\206\110\206\367\015\001\001
-\001\005\000\003\201\215\000\060\201\211\002\201\201\000\322\066
-\066\152\213\327\302\133\236\332\201\101\142\217\070\356\111\004
-\125\326\320\357\034\033\225\026\107\357\030\110\065\072\122\364
-\053\152\006\217\073\057\352\126\343\257\206\215\236\027\367\236
-\264\145\165\002\115\357\313\011\242\041\121\330\233\320\147\320
-\272\015\222\006\024\163\324\223\313\227\052\000\234\134\116\014
-\274\372\025\122\374\362\104\156\332\021\112\156\010\237\057\055
-\343\371\252\072\206\163\266\106\123\130\310\211\005\275\203\021
-\270\163\077\252\007\215\364\102\115\347\100\235\034\067\002\003
-\001\000\001\243\023\060\021\060\017\006\003\125\035\023\001\001
-\377\004\005\060\003\001\001\377\060\015\006\011\052\206\110\206
-\367\015\001\001\004\005\000\003\201\201\000\046\110\054\026\302
-\130\372\350\026\164\014\252\252\137\124\077\362\327\311\170\140
-\136\136\156\067\143\042\167\066\176\262\027\304\064\271\365\010
-\205\374\311\001\070\377\115\276\362\026\102\103\347\273\132\106
-\373\301\306\021\037\361\112\260\050\106\311\303\304\102\175\274
-\372\253\131\156\325\267\121\210\021\343\244\205\031\153\202\114
-\244\014\022\255\351\244\256\077\361\303\111\145\232\214\305\310
-\076\045\267\224\231\273\222\062\161\007\360\206\136\355\120\047
-\246\015\246\043\371\273\313\246\007\024\102
-END
-
-# Trust for Certificate "Thawte Premium Server CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Thawte Premium Server CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\142\177\215\170\047\145\143\231\322\175\177\220\104\311\376\263
-\363\076\372\232
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\006\237\151\171\026\146\220\002\033\214\214\242\303\007\157\072
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
-\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006
-\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156
-\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003
-\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151
-\163\151\157\156\061\041\060\037\006\003\125\004\003\023\030\124
-\150\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145
-\162\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110
-\206\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055
-\163\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157
-\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_TRUE
-
-#
-# Certificate "Equifax Secure CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Equifax Secure CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141
-\170\061\055\060\053\006\003\125\004\013\023\044\105\161\165\151
-\146\141\170\040\123\145\143\165\162\145\040\103\145\162\164\151
-\146\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141
-\170\061\055\060\053\006\003\125\004\013\023\044\105\161\165\151
-\146\141\170\040\123\145\143\165\162\145\040\103\145\162\164\151
-\146\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\065\336\364\317
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\040\060\202\002\211\240\003\002\001\002\002\004\065
-\336\364\317\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\060\116\061\013\060\011\006\003\125\004\006\023\002\125
-\123\061\020\060\016\006\003\125\004\012\023\007\105\161\165\151
-\146\141\170\061\055\060\053\006\003\125\004\013\023\044\105\161
-\165\151\146\141\170\040\123\145\143\165\162\145\040\103\145\162
-\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151
-\164\171\060\036\027\015\071\070\060\070\062\062\061\066\064\061
-\065\061\132\027\015\061\070\060\070\062\062\061\066\064\061\065
-\061\132\060\116\061\013\060\011\006\003\125\004\006\023\002\125
-\123\061\020\060\016\006\003\125\004\012\023\007\105\161\165\151
-\146\141\170\061\055\060\053\006\003\125\004\013\023\044\105\161
-\165\151\146\141\170\040\123\145\143\165\162\145\040\103\145\162
-\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151
-\164\171\060\201\237\060\015\006\011\052\206\110\206\367\015\001
-\001\001\005\000\003\201\215\000\060\201\211\002\201\201\000\301
-\135\261\130\147\010\142\356\240\232\055\037\010\155\221\024\150
-\230\012\036\376\332\004\157\023\204\142\041\303\321\174\316\237
-\005\340\270\001\360\116\064\354\342\212\225\004\144\254\361\153
-\123\137\005\263\313\147\200\277\102\002\216\376\335\001\011\354
-\341\000\024\117\374\373\360\014\335\103\272\133\053\341\037\200
-\160\231\025\127\223\026\361\017\227\152\267\302\150\043\034\314
-\115\131\060\254\121\036\073\257\053\326\356\143\105\173\305\331
-\137\120\322\343\120\017\072\210\347\277\024\375\340\307\271\002
-\003\001\000\001\243\202\001\011\060\202\001\005\060\160\006\003
-\125\035\037\004\151\060\147\060\145\240\143\240\141\244\137\060
-\135\061\013\060\011\006\003\125\004\006\023\002\125\123\061\020
-\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141\170
-\061\055\060\053\006\003\125\004\013\023\044\105\161\165\151\146
-\141\170\040\123\145\143\165\162\145\040\103\145\162\164\151\146
-\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171\061
-\015\060\013\006\003\125\004\003\023\004\103\122\114\061\060\032
-\006\003\125\035\020\004\023\060\021\201\017\062\060\061\070\060
-\070\062\062\061\066\064\061\065\061\132\060\013\006\003\125\035
-\017\004\004\003\002\001\006\060\037\006\003\125\035\043\004\030
-\060\026\200\024\110\346\150\371\053\322\262\225\327\107\330\043
-\040\020\117\063\230\220\237\324\060\035\006\003\125\035\016\004
-\026\004\024\110\346\150\371\053\322\262\225\327\107\330\043\040
-\020\117\063\230\220\237\324\060\014\006\003\125\035\023\004\005
-\060\003\001\001\377\060\032\006\011\052\206\110\206\366\175\007
-\101\000\004\015\060\013\033\005\126\063\056\060\143\003\002\006
-\300\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000
-\003\201\201\000\130\316\051\352\374\367\336\265\316\002\271\027
-\265\205\321\271\343\340\225\314\045\061\015\000\246\222\156\177
-\266\222\143\236\120\225\321\232\157\344\021\336\143\205\156\230
-\356\250\377\132\310\323\125\262\146\161\127\336\300\041\353\075
-\052\247\043\111\001\004\206\102\173\374\356\177\242\026\122\265
-\147\147\323\100\333\073\046\130\262\050\167\075\256\024\167\141
-\326\372\052\146\047\240\015\372\247\163\134\352\160\361\224\041
-\145\104\137\372\374\357\051\150\251\242\207\171\357\171\357\117
-\254\007\167\070
-END
-
-# Trust for Certificate "Equifax Secure CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Equifax Secure CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\322\062\011\255\043\323\024\043\041\164\344\015\177\235\142\023
-\227\206\143\072
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\147\313\235\300\023\044\212\202\233\262\027\036\321\033\354\324
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141
-\170\061\055\060\053\006\003\125\004\013\023\044\105\161\165\151
-\146\141\170\040\123\145\143\165\162\145\040\103\145\162\164\151
-\146\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\065\336\364\317
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "ABAecom (sub., Am. Bankers Assn.) Root CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "ABAecom (sub., Am. Bankers Assn.) Root CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\211\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\104\103\061\023\060
-\021\006\003\125\004\007\023\012\127\141\163\150\151\156\147\164
-\157\156\061\027\060\025\006\003\125\004\012\023\016\101\102\101
-\056\105\103\117\115\054\040\111\116\103\056\061\031\060\027\006
-\003\125\004\003\023\020\101\102\101\056\105\103\117\115\040\122
-\157\157\164\040\103\101\061\044\060\042\006\011\052\206\110\206
-\367\015\001\011\001\026\025\141\144\155\151\156\100\144\151\147
-\163\151\147\164\162\165\163\164\056\143\157\155
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\211\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\104\103\061\023\060
-\021\006\003\125\004\007\023\012\127\141\163\150\151\156\147\164
-\157\156\061\027\060\025\006\003\125\004\012\023\016\101\102\101
-\056\105\103\117\115\054\040\111\116\103\056\061\031\060\027\006
-\003\125\004\003\023\020\101\102\101\056\105\103\117\115\040\122
-\157\157\164\040\103\101\061\044\060\042\006\011\052\206\110\206
-\367\015\001\011\001\026\025\141\144\155\151\156\100\144\151\147
-\163\151\147\164\162\165\163\164\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\021\000\320\036\100\220\000\000\106\122\000\000\000\001\000
-\000\000\004
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\265\060\202\002\235\240\003\002\001\002\002\021\000
-\320\036\100\220\000\000\106\122\000\000\000\001\000\000\000\004
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\201\211\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\013\060\011\006\003\125\004\010\023\002\104\103\061\023\060\021
-\006\003\125\004\007\023\012\127\141\163\150\151\156\147\164\157
-\156\061\027\060\025\006\003\125\004\012\023\016\101\102\101\056
-\105\103\117\115\054\040\111\116\103\056\061\031\060\027\006\003
-\125\004\003\023\020\101\102\101\056\105\103\117\115\040\122\157
-\157\164\040\103\101\061\044\060\042\006\011\052\206\110\206\367
-\015\001\011\001\026\025\141\144\155\151\156\100\144\151\147\163
-\151\147\164\162\165\163\164\056\143\157\155\060\036\027\015\071
-\071\060\067\061\062\061\067\063\063\065\063\132\027\015\060\071
-\060\067\060\071\061\067\063\063\065\063\132\060\201\211\061\013
-\060\011\006\003\125\004\006\023\002\125\123\061\013\060\011\006
-\003\125\004\010\023\002\104\103\061\023\060\021\006\003\125\004
-\007\023\012\127\141\163\150\151\156\147\164\157\156\061\027\060
-\025\006\003\125\004\012\023\016\101\102\101\056\105\103\117\115
-\054\040\111\116\103\056\061\031\060\027\006\003\125\004\003\023
-\020\101\102\101\056\105\103\117\115\040\122\157\157\164\040\103
-\101\061\044\060\042\006\011\052\206\110\206\367\015\001\011\001
-\026\025\141\144\155\151\156\100\144\151\147\163\151\147\164\162
-\165\163\164\056\143\157\155\060\202\001\042\060\015\006\011\052
-\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000\060
-\202\001\012\002\202\001\001\000\261\323\021\340\171\125\103\007
-\010\114\313\005\102\000\342\015\203\106\075\344\223\272\266\006
-\323\015\131\275\076\301\316\103\147\001\212\041\250\357\274\314
-\320\242\314\260\125\226\123\204\146\005\000\332\104\111\200\330
-\124\012\245\045\206\224\355\143\126\377\160\154\243\241\031\322
-\170\276\150\052\104\136\057\317\314\030\136\107\274\072\261\106
-\075\036\360\271\054\064\137\214\174\114\010\051\235\100\125\353
-\074\175\203\336\265\360\367\212\203\016\241\114\264\072\245\263
-\137\132\042\227\354\031\233\301\005\150\375\346\267\251\221\224
-\054\344\170\110\044\032\045\031\072\353\225\234\071\012\212\317
-\102\262\360\034\325\137\373\153\355\150\126\173\071\054\162\070
-\260\356\223\251\323\173\167\074\353\161\003\251\070\112\026\154
-\211\052\312\332\063\023\171\302\125\214\355\234\273\362\313\133
-\020\370\056\141\065\306\051\114\052\320\052\143\321\145\131\264
-\370\315\371\364\000\204\266\127\102\205\235\062\250\371\052\124
-\373\377\170\101\274\275\161\050\364\273\220\274\377\226\064\004
-\343\105\236\241\106\050\100\201\002\003\001\000\001\243\026\060
-\024\060\022\006\003\125\035\023\001\001\377\004\010\060\006\001
-\001\377\002\001\010\060\015\006\011\052\206\110\206\367\015\001
-\001\005\005\000\003\202\001\001\000\004\157\045\206\344\346\226
-\047\264\331\102\300\320\311\000\261\177\124\076\207\262\155\044
-\251\057\012\176\375\244\104\260\370\124\007\275\033\235\235\312
-\173\120\044\173\021\133\111\243\246\277\022\164\325\211\267\267
-\057\230\144\045\024\267\141\351\177\140\200\153\323\144\350\253
-\275\032\326\121\372\300\264\135\167\032\177\144\010\136\171\306
-\005\114\361\172\335\115\175\316\346\110\173\124\322\141\222\201
-\326\033\326\000\360\016\236\050\167\240\115\210\307\042\166\031
-\303\307\236\033\246\167\170\370\137\233\126\321\360\362\027\254
-\216\235\131\346\037\376\127\266\331\136\341\135\237\105\354\141
-\150\031\101\341\262\040\046\376\132\060\166\044\377\100\162\074
-\171\237\174\042\110\253\106\315\333\263\206\054\217\277\005\101
-\323\301\343\024\343\101\027\046\320\174\247\161\114\031\350\112
-\017\162\130\061\175\354\140\172\243\042\050\275\031\044\140\077
-\073\207\163\300\153\344\313\256\267\253\045\103\262\125\055\173
-\253\006\016\165\135\064\345\135\163\155\236\262\165\100\245\131
-\311\117\061\161\210\331\210\177\124
-END
-
-# Trust for Certificate "ABAecom (sub., Am. Bankers Assn.) Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "ABAecom (sub., Am. Bankers Assn.) Root CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\172\164\101\017\260\315\134\227\052\066\113\161\277\003\035\210
-\246\121\016\236
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\101\270\007\367\250\321\011\356\264\232\216\160\115\374\033\170
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\211\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\104\103\061\023\060
-\021\006\003\125\004\007\023\012\127\141\163\150\151\156\147\164
-\157\156\061\027\060\025\006\003\125\004\012\023\016\101\102\101
-\056\105\103\117\115\054\040\111\116\103\056\061\031\060\027\006
-\003\125\004\003\023\020\101\102\101\056\105\103\117\115\040\122
-\157\157\164\040\103\101\061\044\060\042\006\011\052\206\110\206
-\367\015\001\011\001\026\025\141\144\155\151\156\100\144\151\147
-\163\151\147\164\162\165\163\164\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\021\000\320\036\100\220\000\000\106\122\000\000\000\001\000
-\000\000\004
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_TRUE
-
-#
-# Certificate "Digital Signature Trust Co. Global CA 1"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Digital Signature Trust Co. Global CA 1"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\106\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141
-\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163
-\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010
-\104\123\124\103\101\040\105\061
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\106\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141
-\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163
-\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010
-\104\123\124\103\101\040\105\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\066\160\025\226
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\051\060\202\002\222\240\003\002\001\002\002\004\066
-\160\025\226\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\060\106\061\013\060\011\006\003\125\004\006\023\002\125
-\123\061\044\060\042\006\003\125\004\012\023\033\104\151\147\151
-\164\141\154\040\123\151\147\156\141\164\165\162\145\040\124\162
-\165\163\164\040\103\157\056\061\021\060\017\006\003\125\004\013
-\023\010\104\123\124\103\101\040\105\061\060\036\027\015\071\070
-\061\062\061\060\061\070\061\060\062\063\132\027\015\061\070\061
-\062\061\060\061\070\064\060\062\063\132\060\106\061\013\060\011
-\006\003\125\004\006\023\002\125\123\061\044\060\042\006\003\125
-\004\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156
-\141\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061
-\021\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040
-\105\061\060\201\235\060\015\006\011\052\206\110\206\367\015\001
-\001\001\005\000\003\201\213\000\060\201\207\002\201\201\000\240
-\154\201\251\317\064\036\044\335\376\206\050\314\336\203\057\371
-\136\324\102\322\350\164\140\146\023\230\006\034\251\121\022\151
-\157\061\125\271\111\162\000\010\176\323\245\142\104\067\044\231
-\217\331\203\110\217\231\155\225\023\273\103\073\056\111\116\210
-\067\301\273\130\177\376\341\275\370\273\141\315\363\107\300\231
-\246\361\363\221\350\170\174\000\313\141\311\104\047\161\151\125
-\112\176\111\115\355\242\243\276\002\114\000\312\002\250\356\001
-\002\061\144\017\122\055\023\164\166\066\265\172\264\055\161\002
-\001\003\243\202\001\044\060\202\001\040\060\021\006\011\140\206
-\110\001\206\370\102\001\001\004\004\003\002\000\007\060\150\006
-\003\125\035\037\004\141\060\137\060\135\240\133\240\131\244\127
-\060\125\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141
-\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163
-\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010
-\104\123\124\103\101\040\105\061\061\015\060\013\006\003\125\004
-\003\023\004\103\122\114\061\060\053\006\003\125\035\020\004\044
-\060\042\200\017\061\071\071\070\061\062\061\060\061\070\061\060
-\062\063\132\201\017\062\060\061\070\061\062\061\060\061\070\061
-\060\062\063\132\060\013\006\003\125\035\017\004\004\003\002\001
-\006\060\037\006\003\125\035\043\004\030\060\026\200\024\152\171
-\176\221\151\106\030\023\012\002\167\245\131\133\140\230\045\016
-\242\370\060\035\006\003\125\035\016\004\026\004\024\152\171\176
-\221\151\106\030\023\012\002\167\245\131\133\140\230\045\016\242
-\370\060\014\006\003\125\035\023\004\005\060\003\001\001\377\060
-\031\006\011\052\206\110\206\366\175\007\101\000\004\014\060\012
-\033\004\126\064\056\060\003\002\004\220\060\015\006\011\052\206
-\110\206\367\015\001\001\005\005\000\003\201\201\000\042\022\330
-\172\035\334\201\006\266\011\145\262\207\310\037\136\264\057\351
-\304\036\362\074\301\273\004\220\021\112\203\116\176\223\271\115
-\102\307\222\046\240\134\064\232\070\162\370\375\153\026\076\040
-\356\202\213\061\052\223\066\205\043\210\212\074\003\150\323\311
-\011\017\115\374\154\244\332\050\162\223\016\211\200\260\175\376
-\200\157\145\155\030\063\227\213\302\153\211\356\140\075\310\233
-\357\177\053\062\142\163\223\313\074\343\173\342\166\170\105\274
-\241\223\004\273\206\237\072\133\103\172\303\212\145
-END
-
-# Trust for Certificate "Digital Signature Trust Co. Global CA 1"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Digital Signature Trust Co. Global CA 1"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\201\226\213\072\357\034\334\160\365\372\062\151\302\222\243\143
-\133\321\043\323
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\045\172\272\203\056\266\242\013\332\376\365\002\017\010\327\255
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\106\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141
-\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163
-\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010
-\104\123\124\103\101\040\105\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\066\160\025\226
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_TRUE
-
-#
-# Certificate "Digital Signature Trust Co. Global CA 3"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Digital Signature Trust Co. Global CA 3"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\106\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141
-\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163
-\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010
-\104\123\124\103\101\040\105\062
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\106\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141
-\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163
-\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010
-\104\123\124\103\101\040\105\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\066\156\323\316
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\051\060\202\002\222\240\003\002\001\002\002\004\066
-\156\323\316\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\060\106\061\013\060\011\006\003\125\004\006\023\002\125
-\123\061\044\060\042\006\003\125\004\012\023\033\104\151\147\151
-\164\141\154\040\123\151\147\156\141\164\165\162\145\040\124\162
-\165\163\164\040\103\157\056\061\021\060\017\006\003\125\004\013
-\023\010\104\123\124\103\101\040\105\062\060\036\027\015\071\070
-\061\062\060\071\061\071\061\067\062\066\132\027\015\061\070\061
-\062\060\071\061\071\064\067\062\066\132\060\106\061\013\060\011
-\006\003\125\004\006\023\002\125\123\061\044\060\042\006\003\125
-\004\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156
-\141\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061
-\021\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040
-\105\062\060\201\235\060\015\006\011\052\206\110\206\367\015\001
-\001\001\005\000\003\201\213\000\060\201\207\002\201\201\000\277
-\223\217\027\222\357\063\023\030\353\020\177\116\026\277\377\006
-\217\052\205\274\136\371\044\246\044\210\266\003\267\301\303\137
-\003\133\321\157\256\176\102\352\146\043\270\143\203\126\373\050
-\055\341\070\213\264\356\250\001\341\316\034\266\210\052\042\106
-\205\373\237\247\160\251\107\024\077\316\336\145\360\250\161\367
-\117\046\154\214\274\306\265\357\336\111\047\377\110\052\175\350
-\115\003\314\307\262\122\306\027\061\023\073\265\115\333\310\304
-\366\303\017\044\052\332\014\235\347\221\133\200\315\224\235\002
-\001\003\243\202\001\044\060\202\001\040\060\021\006\011\140\206
-\110\001\206\370\102\001\001\004\004\003\002\000\007\060\150\006
-\003\125\035\037\004\141\060\137\060\135\240\133\240\131\244\127
-\060\125\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141
-\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163
-\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010
-\104\123\124\103\101\040\105\062\061\015\060\013\006\003\125\004
-\003\023\004\103\122\114\061\060\053\006\003\125\035\020\004\044
-\060\042\200\017\061\071\071\070\061\062\060\071\061\071\061\067
-\062\066\132\201\017\062\060\061\070\061\062\060\071\061\071\061
-\067\062\066\132\060\013\006\003\125\035\017\004\004\003\002\001
-\006\060\037\006\003\125\035\043\004\030\060\026\200\024\036\202
-\115\050\145\200\074\311\101\156\254\065\056\132\313\336\356\370
-\071\133\060\035\006\003\125\035\016\004\026\004\024\036\202\115
-\050\145\200\074\311\101\156\254\065\056\132\313\336\356\370\071
-\133\060\014\006\003\125\035\023\004\005\060\003\001\001\377\060
-\031\006\011\052\206\110\206\366\175\007\101\000\004\014\060\012
-\033\004\126\064\056\060\003\002\004\220\060\015\006\011\052\206
-\110\206\367\015\001\001\005\005\000\003\201\201\000\107\215\203
-\255\142\362\333\260\236\105\042\005\271\242\326\003\016\070\162
-\347\236\374\173\346\223\266\232\245\242\224\310\064\035\221\321
-\305\327\364\012\045\017\075\170\201\236\017\261\147\304\220\114
-\143\335\136\247\342\272\237\365\367\115\245\061\173\234\051\055
-\114\376\144\076\354\266\123\376\352\233\355\202\333\164\165\113
-\007\171\156\036\330\031\203\163\336\365\076\320\265\336\347\113
-\150\175\103\056\052\040\341\176\240\170\104\236\010\365\230\371
-\307\177\033\033\326\006\040\002\130\241\303\242\003
-END
-
-# Trust for Certificate "Digital Signature Trust Co. Global CA 3"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Digital Signature Trust Co. Global CA 3"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\253\110\363\063\333\004\253\271\300\162\332\133\014\301\320\127
-\360\066\233\106
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\223\302\216\021\173\324\363\003\031\275\050\165\023\112\105\112
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\106\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141
-\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163
-\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010
-\104\123\124\103\101\040\105\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\066\156\323\316
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_TRUE
-
-#
-# Certificate "Digital Signature Trust Co. Global CA 2"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Digital Signature Trust Co. Global CA 2"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\251\061\013\060\011\006\003\125\004\006\023\002\165\163
-\061\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061
-\027\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114
-\141\153\145\040\103\151\164\171\061\044\060\042\006\003\125\004
-\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156\141
-\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061\021
-\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040\130
-\061\061\026\060\024\006\003\125\004\003\023\015\104\123\124\040
-\122\157\157\164\103\101\040\130\061\061\041\060\037\006\011\052
-\206\110\206\367\015\001\011\001\026\022\143\141\100\144\151\147
-\163\151\147\164\162\165\163\164\056\143\157\155
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\251\061\013\060\011\006\003\125\004\006\023\002\165\163
-\061\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061
-\027\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114
-\141\153\145\040\103\151\164\171\061\044\060\042\006\003\125\004
-\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156\141
-\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061\021
-\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040\130
-\061\061\026\060\024\006\003\125\004\003\023\015\104\123\124\040
-\122\157\157\164\103\101\040\130\061\061\041\060\037\006\011\052
-\206\110\206\367\015\001\011\001\026\022\143\141\100\144\151\147
-\163\151\147\164\162\165\163\164\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\021\000\320\036\100\213\000\000\002\174\000\000\000\002\000
-\000\000\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\330\060\202\002\300\002\021\000\320\036\100\213\000
-\000\002\174\000\000\000\002\000\000\000\001\060\015\006\011\052
-\206\110\206\367\015\001\001\005\005\000\060\201\251\061\013\060
-\011\006\003\125\004\006\023\002\165\163\061\015\060\013\006\003
-\125\004\010\023\004\125\164\141\150\061\027\060\025\006\003\125
-\004\007\023\016\123\141\154\164\040\114\141\153\145\040\103\151
-\164\171\061\044\060\042\006\003\125\004\012\023\033\104\151\147
-\151\164\141\154\040\123\151\147\156\141\164\165\162\145\040\124
-\162\165\163\164\040\103\157\056\061\021\060\017\006\003\125\004
-\013\023\010\104\123\124\103\101\040\130\061\061\026\060\024\006
-\003\125\004\003\023\015\104\123\124\040\122\157\157\164\103\101
-\040\130\061\061\041\060\037\006\011\052\206\110\206\367\015\001
-\011\001\026\022\143\141\100\144\151\147\163\151\147\164\162\165
-\163\164\056\143\157\155\060\036\027\015\071\070\061\062\060\061
-\061\070\061\070\065\065\132\027\015\060\070\061\061\062\070\061
-\070\061\070\065\065\132\060\201\251\061\013\060\011\006\003\125
-\004\006\023\002\165\163\061\015\060\013\006\003\125\004\010\023
-\004\125\164\141\150\061\027\060\025\006\003\125\004\007\023\016
-\123\141\154\164\040\114\141\153\145\040\103\151\164\171\061\044
-\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141\154
-\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163\164
-\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010\104
-\123\124\103\101\040\130\061\061\026\060\024\006\003\125\004\003
-\023\015\104\123\124\040\122\157\157\164\103\101\040\130\061\061
-\041\060\037\006\011\052\206\110\206\367\015\001\011\001\026\022
-\143\141\100\144\151\147\163\151\147\164\162\165\163\164\056\143
-\157\155\060\202\001\042\060\015\006\011\052\206\110\206\367\015
-\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202
-\001\001\000\322\306\046\266\347\245\075\301\304\150\325\120\157
-\123\305\157\111\023\011\270\257\054\110\215\024\152\243\027\137
-\132\371\323\056\165\057\330\050\142\321\223\057\374\115\324\253
-\207\345\010\307\231\347\222\077\165\275\353\045\264\025\301\233
-\031\075\322\104\215\327\164\040\155\067\002\217\151\223\133\212
-\304\031\235\364\262\016\374\026\154\271\261\005\222\203\321\205
-\054\140\224\076\105\125\240\331\253\010\041\346\140\350\073\164
-\362\231\120\121\150\320\003\055\261\200\276\243\330\122\260\104
-\315\103\112\160\216\130\205\225\341\116\054\326\055\101\157\326
-\204\347\310\230\104\312\107\333\054\044\245\151\046\317\153\270
-\047\142\303\364\311\172\222\043\355\023\147\202\256\105\056\105
-\345\176\162\077\205\235\224\142\020\346\074\221\241\255\167\000
-\340\025\354\363\204\200\162\172\216\156\140\227\307\044\131\020
-\064\203\133\341\245\244\151\266\127\065\034\170\131\306\323\057
-\072\163\147\356\224\312\004\023\005\142\006\160\043\263\364\174
-\356\105\331\144\013\133\111\252\244\103\316\046\304\104\022\154
-\270\335\171\002\003\001\000\001\060\015\006\011\052\206\110\206
-\367\015\001\001\005\005\000\003\202\001\001\000\242\067\262\077
-\151\373\327\206\171\124\111\061\225\063\053\363\321\011\024\111
-\142\140\206\245\260\021\342\120\302\035\006\127\076\055\350\063
-\144\276\233\252\255\137\033\115\324\231\225\242\213\232\311\142
-\162\265\151\352\331\130\253\065\355\025\242\103\326\266\274\007
-\171\145\144\163\175\327\171\312\173\325\132\121\306\341\123\004
-\226\215\070\317\243\027\254\071\161\153\001\303\213\123\074\143
-\351\356\171\300\344\276\222\062\144\172\263\037\227\224\142\275
-\352\262\040\025\225\373\227\362\170\057\143\066\100\070\343\106
-\017\035\335\254\225\312\347\113\220\173\261\113\251\324\305\353
-\232\332\252\325\243\224\024\106\215\055\037\363\072\326\223\072
-\366\076\171\374\350\346\260\165\355\356\075\311\160\307\135\252
-\201\113\106\045\034\307\154\025\343\225\116\017\252\062\067\224
-\012\027\044\222\023\204\130\322\143\157\053\367\346\133\142\013
-\023\027\260\015\122\114\376\376\157\134\342\221\156\035\375\244
-\142\327\150\372\216\172\117\322\010\332\223\334\360\222\021\172
-\320\334\162\223\014\163\223\142\205\150\320\364
-END
-
-# Trust for Certificate "Digital Signature Trust Co. Global CA 2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Digital Signature Trust Co. Global CA 2"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\267\057\377\222\322\316\103\336\012\215\114\124\214\120\067\046
-\250\036\053\223
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\154\311\247\156\107\361\014\343\123\073\170\114\115\302\152\305
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\251\061\013\060\011\006\003\125\004\006\023\002\165\163
-\061\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061
-\027\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114
-\141\153\145\040\103\151\164\171\061\044\060\042\006\003\125\004
-\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156\141
-\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061\021
-\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040\130
-\061\061\026\060\024\006\003\125\004\003\023\015\104\123\124\040
-\122\157\157\164\103\101\040\130\061\061\041\060\037\006\011\052
-\206\110\206\367\015\001\011\001\026\022\143\141\100\144\151\147
-\163\151\147\164\162\165\163\164\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\021\000\320\036\100\213\000\000\002\174\000\000\000\002\000
-\000\000\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_TRUE
-
-#
-# Certificate "Digital Signature Trust Co. Global CA 4"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Digital Signature Trust Co. Global CA 4"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\251\061\013\060\011\006\003\125\004\006\023\002\165\163
-\061\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061
-\027\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114
-\141\153\145\040\103\151\164\171\061\044\060\042\006\003\125\004
-\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156\141
-\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061\021
-\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040\130
-\062\061\026\060\024\006\003\125\004\003\023\015\104\123\124\040
-\122\157\157\164\103\101\040\130\062\061\041\060\037\006\011\052
-\206\110\206\367\015\001\011\001\026\022\143\141\100\144\151\147
-\163\151\147\164\162\165\163\164\056\143\157\155
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\251\061\013\060\011\006\003\125\004\006\023\002\165\163
-\061\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061
-\027\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114
-\141\153\145\040\103\151\164\171\061\044\060\042\006\003\125\004
-\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156\141
-\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061\021
-\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040\130
-\062\061\026\060\024\006\003\125\004\003\023\015\104\123\124\040
-\122\157\157\164\103\101\040\130\062\061\041\060\037\006\011\052
-\206\110\206\367\015\001\011\001\026\022\143\141\100\144\151\147
-\163\151\147\164\162\165\163\164\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\021\000\320\036\100\213\000\000\167\155\000\000\000\001\000
-\000\000\004
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\330\060\202\002\300\002\021\000\320\036\100\213\000
-\000\167\155\000\000\000\001\000\000\000\004\060\015\006\011\052
-\206\110\206\367\015\001\001\005\005\000\060\201\251\061\013\060
-\011\006\003\125\004\006\023\002\165\163\061\015\060\013\006\003
-\125\004\010\023\004\125\164\141\150\061\027\060\025\006\003\125
-\004\007\023\016\123\141\154\164\040\114\141\153\145\040\103\151
-\164\171\061\044\060\042\006\003\125\004\012\023\033\104\151\147
-\151\164\141\154\040\123\151\147\156\141\164\165\162\145\040\124
-\162\165\163\164\040\103\157\056\061\021\060\017\006\003\125\004
-\013\023\010\104\123\124\103\101\040\130\062\061\026\060\024\006
-\003\125\004\003\023\015\104\123\124\040\122\157\157\164\103\101
-\040\130\062\061\041\060\037\006\011\052\206\110\206\367\015\001
-\011\001\026\022\143\141\100\144\151\147\163\151\147\164\162\165
-\163\164\056\143\157\155\060\036\027\015\071\070\061\061\063\060
-\062\062\064\066\061\066\132\027\015\060\070\061\061\062\067\062
-\062\064\066\061\066\132\060\201\251\061\013\060\011\006\003\125
-\004\006\023\002\165\163\061\015\060\013\006\003\125\004\010\023
-\004\125\164\141\150\061\027\060\025\006\003\125\004\007\023\016
-\123\141\154\164\040\114\141\153\145\040\103\151\164\171\061\044
-\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141\154
-\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163\164
-\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010\104
-\123\124\103\101\040\130\062\061\026\060\024\006\003\125\004\003
-\023\015\104\123\124\040\122\157\157\164\103\101\040\130\062\061
-\041\060\037\006\011\052\206\110\206\367\015\001\011\001\026\022
-\143\141\100\144\151\147\163\151\147\164\162\165\163\164\056\143
-\157\155\060\202\001\042\060\015\006\011\052\206\110\206\367\015
-\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202
-\001\001\000\334\165\360\214\300\165\226\232\300\142\037\046\367
-\304\341\232\352\340\126\163\133\231\315\001\104\250\010\266\325
-\247\332\032\004\030\071\222\112\170\243\201\302\365\167\172\120
-\264\160\377\232\253\306\307\312\156\203\117\102\230\373\046\013
-\332\334\155\326\251\231\125\122\147\351\050\003\222\334\345\260
-\005\232\017\025\371\153\131\162\126\362\372\071\374\252\150\356
-\017\037\020\203\057\374\235\372\027\226\335\202\343\346\105\175
-\300\113\200\104\037\355\054\340\204\375\221\134\222\124\151\045
-\345\142\151\334\345\356\000\122\275\063\013\255\165\002\205\247
-\144\120\055\305\031\031\060\300\046\333\311\323\375\056\231\255
-\131\265\013\115\324\101\256\205\110\103\131\334\267\250\342\242
-\336\303\217\327\270\241\142\246\150\120\122\344\317\061\247\224
-\205\332\237\106\062\027\126\345\362\353\146\075\022\377\103\333
-\230\357\167\317\313\201\215\064\261\306\120\112\046\321\344\076
-\101\120\257\154\256\042\064\056\325\153\156\203\272\171\270\166
-\145\110\332\011\051\144\143\042\271\373\107\166\205\214\206\104
-\313\011\333\002\003\001\000\001\060\015\006\011\052\206\110\206
-\367\015\001\001\005\005\000\003\202\001\001\000\265\066\016\135
-\341\141\050\132\021\145\300\077\203\003\171\115\276\050\246\013
-\007\002\122\205\315\370\221\320\020\154\265\152\040\133\034\220
-\331\060\074\306\110\236\212\136\144\371\241\161\167\357\004\047
-\037\007\353\344\046\367\163\164\311\104\030\032\146\323\340\103
-\257\221\073\321\313\054\330\164\124\072\034\115\312\324\150\315
-\043\174\035\020\236\105\351\366\000\156\246\315\031\377\117\054
-\051\217\127\115\304\167\222\276\340\114\011\373\135\104\206\146
-\041\250\271\062\242\126\325\351\214\203\174\131\077\304\361\013
-\347\235\354\236\275\234\030\016\076\302\071\171\050\267\003\015
-\010\313\306\347\331\001\067\120\020\354\314\141\026\100\324\257
-\061\164\173\374\077\061\247\320\107\163\063\071\033\314\116\152
-\327\111\203\021\006\376\353\202\130\063\062\114\360\126\254\036
-\234\057\126\232\173\301\112\034\245\375\125\066\316\374\226\115
-\364\260\360\354\267\154\202\355\057\061\231\102\114\251\262\015
-\270\025\135\361\337\272\311\265\112\324\144\230\263\046\251\060
-\310\375\246\354\253\226\041\255\177\302\170\266
-END
-
-# Trust for Certificate "Digital Signature Trust Co. Global CA 4"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Digital Signature Trust Co. Global CA 4"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\147\353\063\173\150\114\353\016\302\260\166\012\264\210\047\214
-\335\225\227\335
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\315\073\075\142\133\011\270\011\066\207\236\022\057\161\144\272
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\251\061\013\060\011\006\003\125\004\006\023\002\165\163
-\061\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061
-\027\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114
-\141\153\145\040\103\151\164\171\061\044\060\042\006\003\125\004
-\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156\141
-\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061\021
-\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040\130
-\062\061\026\060\024\006\003\125\004\003\023\015\104\123\124\040
-\122\157\157\164\103\101\040\130\062\061\041\060\037\006\011\052
-\206\110\206\367\015\001\011\001\026\022\143\141\100\144\151\147
-\163\151\147\164\162\165\163\164\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\021\000\320\036\100\213\000\000\167\155\000\000\000\001\000
-\000\000\004
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_TRUE
-
-#
-# Certificate "Verisign Class 1 Public Primary Certification Authority"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 1 Public Primary Certification Authority"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
-\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
-\013\023\056\103\154\141\163\163\040\061\040\120\165\142\154\151
-\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
-\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
-\013\023\056\103\154\141\163\163\040\061\040\120\165\142\154\151
-\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\021\000\315\272\177\126\360\337\344\274\124\376\042\254\263
-\162\252\125
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\075\060\202\001\246\002\021\000\315\272\177\126\360
-\337\344\274\124\376\042\254\263\162\252\125\060\015\006\011\052
-\206\110\206\367\015\001\001\002\005\000\060\137\061\013\060\011
-\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125
-\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156
-\143\056\061\067\060\065\006\003\125\004\013\023\056\103\154\141
-\163\163\040\061\040\120\165\142\154\151\143\040\120\162\151\155
-\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157
-\156\040\101\165\164\150\157\162\151\164\171\060\036\027\015\071
-\066\060\061\062\071\060\060\060\060\060\060\132\027\015\062\070
-\060\070\060\061\062\063\065\071\065\071\132\060\137\061\013\060
-\011\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003
-\125\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111
-\156\143\056\061\067\060\065\006\003\125\004\013\023\056\103\154
-\141\163\163\040\061\040\120\165\142\154\151\143\040\120\162\151
-\155\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\101\165\164\150\157\162\151\164\171\060\201\237\060
-\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201
-\215\000\060\201\211\002\201\201\000\345\031\277\155\243\126\141
-\055\231\110\161\366\147\336\271\215\353\267\236\206\200\012\221
-\016\372\070\045\257\106\210\202\345\163\250\240\233\044\135\015
-\037\314\145\156\014\260\320\126\204\030\207\232\006\233\020\241
-\163\337\264\130\071\153\156\301\366\025\325\250\250\077\252\022
-\006\215\061\254\177\260\064\327\217\064\147\210\011\315\024\021
-\342\116\105\126\151\037\170\002\200\332\334\107\221\051\273\066
-\311\143\134\305\340\327\055\207\173\241\267\062\260\173\060\272
-\052\057\061\252\356\243\147\332\333\002\003\001\000\001\060\015
-\006\011\052\206\110\206\367\015\001\001\002\005\000\003\201\201
-\000\114\077\270\213\306\150\337\356\103\063\016\135\351\246\313
-\007\204\115\172\063\377\222\033\364\066\255\330\225\042\066\150
-\021\154\174\102\314\363\234\056\304\007\077\024\260\017\117\377
-\220\222\166\371\342\274\112\351\217\315\240\200\012\367\305\051
-\361\202\042\135\270\261\335\201\043\243\173\045\025\106\060\171
-\026\370\352\005\113\224\177\035\302\034\310\343\267\364\020\100
-\074\023\303\137\037\123\350\110\344\206\264\173\241\065\260\173
-\045\272\270\323\216\253\077\070\235\000\064\000\230\363\321\161
-\224
-END
-
-# Trust for Certificate "Verisign Class 1 Public Primary Certification Authority"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 1 Public Primary Certification Authority"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\220\256\242\151\205\377\024\200\114\103\111\122\354\351\140\204
-\167\257\125\157
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\227\140\350\127\137\323\120\107\345\103\014\224\066\212\260\142
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
-\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
-\013\023\056\103\154\141\163\163\040\061\040\120\165\142\154\151
-\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\021\000\315\272\177\126\360\337\344\274\124\376\042\254\263
-\162\252\125
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Verisign Class 2 Public Primary Certification Authority"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 2 Public Primary Certification Authority"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
-\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
-\013\023\056\103\154\141\163\163\040\062\040\120\165\142\154\151
-\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
-\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
-\013\023\056\103\154\141\163\163\040\062\040\120\165\142\154\151
-\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\055\033\374\112\027\215\243\221\353\347\377\365\213\105
-\276\013
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\074\060\202\001\245\002\020\055\033\374\112\027\215
-\243\221\353\347\377\365\213\105\276\013\060\015\006\011\052\206
-\110\206\367\015\001\001\002\005\000\060\137\061\013\060\011\006
-\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125\004
-\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156\143
-\056\061\067\060\065\006\003\125\004\013\023\056\103\154\141\163
-\163\040\062\040\120\165\142\154\151\143\040\120\162\151\155\141
-\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157\156
-\040\101\165\164\150\157\162\151\164\171\060\036\027\015\071\066
-\060\061\062\071\060\060\060\060\060\060\132\027\015\062\070\060
-\070\060\061\062\063\065\071\065\071\132\060\137\061\013\060\011
-\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125
-\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156
-\143\056\061\067\060\065\006\003\125\004\013\023\056\103\154\141
-\163\163\040\062\040\120\165\142\154\151\143\040\120\162\151\155
-\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157
-\156\040\101\165\164\150\157\162\151\164\171\060\201\237\060\015
-\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215
-\000\060\201\211\002\201\201\000\266\132\213\243\015\152\043\203
-\200\153\317\071\207\364\041\023\063\006\114\045\242\355\125\022
-\227\305\247\200\271\372\203\301\040\240\372\057\025\015\174\241
-\140\153\176\171\054\372\006\017\072\256\366\033\157\261\322\377
-\057\050\122\137\203\175\113\304\172\267\370\146\037\200\124\374
-\267\302\216\131\112\024\127\106\321\232\223\276\101\221\003\273
-\025\200\223\134\353\347\314\010\154\077\076\263\112\374\377\113
-\154\043\325\120\202\046\104\031\216\043\303\161\352\031\044\107
-\004\236\165\277\310\246\000\037\002\003\001\000\001\060\015\006
-\011\052\206\110\206\367\015\001\001\002\005\000\003\201\201\000
-\212\033\053\372\071\301\164\327\136\330\031\144\242\130\112\055
-\067\340\063\107\017\254\355\367\252\333\036\344\213\006\134\140
-\047\312\105\122\316\026\357\077\006\144\347\224\150\174\140\063
-\025\021\151\257\235\142\215\243\003\124\153\246\276\345\356\005
-\030\140\004\277\102\200\375\320\250\250\036\001\073\367\243\134
-\257\243\334\346\046\200\043\074\270\104\164\367\012\256\111\213
-\141\170\314\044\277\210\212\247\016\352\163\031\101\375\115\003
-\360\210\321\345\170\215\245\052\117\366\227\015\027\167\312\330
-END
-
-# Trust for Certificate "Verisign Class 2 Public Primary Certification Authority"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 2 Public Primary Certification Authority"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\147\202\252\340\355\356\342\032\130\071\323\300\315\024\150\012
-\117\140\024\052
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\263\234\045\261\303\056\062\123\200\025\060\235\115\002\167\076
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
-\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
-\013\023\056\103\154\141\163\163\040\062\040\120\165\142\154\151
-\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\055\033\374\112\027\215\243\221\353\347\377\365\213\105
-\276\013
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Verisign Class 3 Public Primary Certification Authority"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 3 Public Primary Certification Authority"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
-\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
-\013\023\056\103\154\141\163\163\040\063\040\120\165\142\154\151
-\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
-\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
-\013\023\056\103\154\141\163\163\040\063\040\120\165\142\154\151
-\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\160\272\344\035\020\331\051\064\266\070\312\173\003\314
-\272\277
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\074\060\202\001\245\002\020\160\272\344\035\020\331
-\051\064\266\070\312\173\003\314\272\277\060\015\006\011\052\206
-\110\206\367\015\001\001\002\005\000\060\137\061\013\060\011\006
-\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125\004
-\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156\143
-\056\061\067\060\065\006\003\125\004\013\023\056\103\154\141\163
-\163\040\063\040\120\165\142\154\151\143\040\120\162\151\155\141
-\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157\156
-\040\101\165\164\150\157\162\151\164\171\060\036\027\015\071\066
-\060\061\062\071\060\060\060\060\060\060\132\027\015\062\070\060
-\070\060\061\062\063\065\071\065\071\132\060\137\061\013\060\011
-\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125
-\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156
-\143\056\061\067\060\065\006\003\125\004\013\023\056\103\154\141
-\163\163\040\063\040\120\165\142\154\151\143\040\120\162\151\155
-\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157
-\156\040\101\165\164\150\157\162\151\164\171\060\201\237\060\015
-\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215
-\000\060\201\211\002\201\201\000\311\134\131\236\362\033\212\001
-\024\264\020\337\004\100\333\343\127\257\152\105\100\217\204\014
-\013\321\063\331\331\021\317\356\002\130\037\045\367\052\250\104
-\005\252\354\003\037\170\177\236\223\271\232\000\252\043\175\326
-\254\205\242\143\105\307\162\047\314\364\114\306\165\161\322\071
-\357\117\102\360\165\337\012\220\306\216\040\157\230\017\370\254
-\043\137\160\051\066\244\311\206\347\261\232\040\313\123\245\205
-\347\075\276\175\232\376\044\105\063\334\166\025\355\017\242\161
-\144\114\145\056\201\150\105\247\002\003\001\000\001\060\015\006
-\011\052\206\110\206\367\015\001\001\002\005\000\003\201\201\000
-\273\114\022\053\317\054\046\000\117\024\023\335\246\373\374\012
-\021\204\214\363\050\034\147\222\057\174\266\305\372\337\360\350
-\225\274\035\217\154\054\250\121\314\163\330\244\300\123\360\116
-\326\046\300\166\001\127\201\222\136\041\361\321\261\377\347\320
-\041\130\315\151\027\343\104\034\234\031\104\071\211\134\334\234
-\000\017\126\215\002\231\355\242\220\105\114\344\273\020\244\075
-\360\062\003\016\361\316\370\350\311\121\214\346\142\237\346\237
-\300\175\267\162\234\311\066\072\153\237\116\250\377\144\015\144
-END
-
-# Trust for Certificate "Verisign Class 3 Public Primary Certification Authority"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 3 Public Primary Certification Authority"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\164\054\061\222\346\007\344\044\353\105\111\124\053\341\273\305
-\076\141\164\342
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\020\374\143\135\366\046\076\015\363\045\276\137\171\315\147\147
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
-\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
-\013\023\056\103\154\141\163\163\040\063\040\120\165\142\154\151
-\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\160\272\344\035\020\331\051\064\266\070\312\173\003\314
-\272\277
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_TRUE
-
-#
-# Certificate "Verisign Class 1 Public Primary Certification Authority - G2"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 1 Public Primary Certification Authority - G2"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
-\004\013\023\063\103\154\141\163\163\040\061\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
-\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
-\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
-\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
-\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
-\167\157\162\153
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
-\004\013\023\063\103\154\141\163\163\040\061\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
-\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
-\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
-\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
-\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
-\167\157\162\153
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\114\307\352\252\230\076\161\323\223\020\370\075\072\211
-\221\222
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\002\060\202\002\153\002\020\114\307\352\252\230\076
-\161\323\223\020\370\075\072\211\221\222\060\015\006\011\052\206
-\110\206\367\015\001\001\005\005\000\060\201\301\061\013\060\011
-\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125
-\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156
-\143\056\061\074\060\072\006\003\125\004\013\023\063\103\154\141
-\163\163\040\061\040\120\165\142\154\151\143\040\120\162\151\155
-\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157
-\156\040\101\165\164\150\157\162\151\164\171\040\055\040\107\062
-\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040\061
-\071\071\070\040\126\145\162\151\123\151\147\156\054\040\111\156
-\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162\151
-\172\145\144\040\165\163\145\040\157\156\154\171\061\037\060\035
-\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040
-\124\162\165\163\164\040\116\145\164\167\157\162\153\060\036\027
-\015\071\070\060\065\061\070\060\060\060\060\060\060\132\027\015
-\062\070\060\070\060\061\062\063\065\071\065\071\132\060\201\301
-\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027\060
-\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147\156
-\054\040\111\156\143\056\061\074\060\072\006\003\125\004\013\023
-\063\103\154\141\163\163\040\061\040\120\165\142\154\151\143\040
-\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143
-\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040
-\055\040\107\062\061\072\060\070\006\003\125\004\013\023\061\050
-\143\051\040\061\071\071\070\040\126\145\162\151\123\151\147\156
-\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165\164
-\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171
-\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151\123
-\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157\162
-\153\060\201\237\060\015\006\011\052\206\110\206\367\015\001\001
-\001\005\000\003\201\215\000\060\201\211\002\201\201\000\252\320
-\272\276\026\055\270\203\324\312\322\017\274\166\061\312\224\330
-\035\223\214\126\002\274\331\157\032\157\122\066\156\165\126\012
-\125\323\337\103\207\041\021\145\212\176\217\275\041\336\153\062
-\077\033\204\064\225\005\235\101\065\353\222\353\226\335\252\131
-\077\001\123\155\231\117\355\345\342\052\132\220\301\271\304\246
-\025\317\310\105\353\246\135\216\234\076\360\144\044\166\245\315
-\253\032\157\266\330\173\121\141\156\246\177\207\310\342\267\345
-\064\334\101\210\352\011\100\276\163\222\075\153\347\165\002\003
-\001\000\001\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\003\201\201\000\251\117\303\015\307\147\276\054\313\331
-\250\315\055\165\347\176\025\236\073\162\353\176\353\134\055\011
-\207\326\153\155\140\174\345\256\305\220\043\014\134\112\320\257
-\261\135\363\307\266\012\333\340\025\223\015\335\003\274\307\166
-\212\265\335\117\303\233\023\165\270\001\300\346\311\133\153\245
-\270\211\334\254\244\335\162\355\116\241\367\117\274\006\323\352
-\310\144\164\173\302\225\101\234\145\163\130\361\220\232\074\152
-\261\230\311\304\207\274\317\105\155\105\342\156\042\077\376\274
-\017\061\134\350\362\331
-END
-
-# Trust for Certificate "Verisign Class 1 Public Primary Certification Authority - G2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 1 Public Primary Certification Authority - G2"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\047\076\341\044\127\375\304\371\014\125\350\053\126\026\177\142
-\365\062\345\107
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\333\043\075\371\151\372\113\271\225\200\104\163\136\175\101\203
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
-\004\013\023\063\103\154\141\163\163\040\061\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
-\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
-\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
-\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
-\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
-\167\157\162\153
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\114\307\352\252\230\076\161\323\223\020\370\075\072\211
-\221\222
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Verisign Class 2 Public Primary Certification Authority - G2"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 2 Public Primary Certification Authority - G2"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
-\004\013\023\063\103\154\141\163\163\040\062\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
-\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
-\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
-\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
-\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
-\167\157\162\153
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
-\004\013\023\063\103\154\141\163\163\040\062\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
-\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
-\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
-\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
-\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
-\167\157\162\153
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\021\000\271\057\140\314\210\237\241\172\106\011\270\133\160
-\154\212\257
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\003\060\202\002\154\002\021\000\271\057\140\314\210
-\237\241\172\106\011\270\133\160\154\212\257\060\015\006\011\052
-\206\110\206\367\015\001\001\005\005\000\060\201\301\061\013\060
-\011\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003
-\125\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111
-\156\143\056\061\074\060\072\006\003\125\004\013\023\063\103\154
-\141\163\163\040\062\040\120\165\142\154\151\143\040\120\162\151
-\155\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\101\165\164\150\157\162\151\164\171\040\055\040\107
-\062\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040
-\061\071\071\070\040\126\145\162\151\123\151\147\156\054\040\111
-\156\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162
-\151\172\145\144\040\165\163\145\040\157\156\154\171\061\037\060
-\035\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156
-\040\124\162\165\163\164\040\116\145\164\167\157\162\153\060\036
-\027\015\071\070\060\065\061\070\060\060\060\060\060\060\132\027
-\015\062\070\060\070\060\061\062\063\065\071\065\071\132\060\201
-\301\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027
-\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147
-\156\054\040\111\156\143\056\061\074\060\072\006\003\125\004\013
-\023\063\103\154\141\163\163\040\062\040\120\165\142\154\151\143
-\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151
-\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
-\040\055\040\107\062\061\072\060\070\006\003\125\004\013\023\061
-\050\143\051\040\061\071\071\070\040\126\145\162\151\123\151\147
-\156\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165
-\164\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154
-\171\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151
-\123\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157
-\162\153\060\201\237\060\015\006\011\052\206\110\206\367\015\001
-\001\001\005\000\003\201\215\000\060\201\211\002\201\201\000\247
-\210\001\041\164\054\347\032\003\360\230\341\227\074\017\041\010
-\361\234\333\227\351\232\374\302\004\006\023\276\137\122\310\314
-\036\054\022\126\054\270\001\151\054\314\231\037\255\260\226\256
-\171\004\362\023\071\301\173\230\272\010\054\350\302\204\023\054
-\252\151\351\011\364\307\251\002\244\102\302\043\117\112\330\360
-\016\242\373\061\154\311\346\157\231\047\007\365\346\364\114\170
-\236\155\353\106\206\372\271\206\311\124\362\262\304\257\324\106
-\034\132\311\025\060\377\015\154\365\055\016\155\316\177\167\002
-\003\001\000\001\060\015\006\011\052\206\110\206\367\015\001\001
-\005\005\000\003\201\201\000\162\056\371\177\321\361\161\373\304
-\236\366\305\136\121\212\100\230\270\150\370\233\034\203\330\342
-\235\275\377\355\241\346\146\352\057\011\364\312\327\352\245\053
-\225\366\044\140\206\115\104\056\203\245\304\055\240\323\256\170
-\151\157\162\332\154\256\010\360\143\222\067\346\273\304\060\027
-\255\167\314\111\065\252\317\330\217\321\276\267\030\226\107\163
-\152\124\042\064\144\055\266\026\233\131\133\264\121\131\072\263
-\013\024\364\022\337\147\240\364\255\062\144\136\261\106\162\047
-\214\022\173\305\104\264\256
-END
-
-# Trust for Certificate "Verisign Class 2 Public Primary Certification Authority - G2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 2 Public Primary Certification Authority - G2"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\263\352\304\107\166\311\310\034\352\362\235\225\266\314\240\010
-\033\147\354\235
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\055\273\345\045\323\321\145\202\072\267\016\372\346\353\342\341
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
-\004\013\023\063\103\154\141\163\163\040\062\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
-\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
-\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
-\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
-\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
-\167\157\162\153
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\021\000\271\057\140\314\210\237\241\172\106\011\270\133\160
-\154\212\257
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Verisign Class 3 Public Primary Certification Authority - G2"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 3 Public Primary Certification Authority - G2"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
-\004\013\023\063\103\154\141\163\163\040\063\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
-\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
-\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
-\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
-\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
-\167\157\162\153
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
-\004\013\023\063\103\154\141\163\163\040\063\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
-\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
-\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
-\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
-\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
-\167\157\162\153
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\175\331\376\007\317\250\036\267\020\171\147\373\247\211
-\064\306
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\002\060\202\002\153\002\020\175\331\376\007\317\250
-\036\267\020\171\147\373\247\211\064\306\060\015\006\011\052\206
-\110\206\367\015\001\001\005\005\000\060\201\301\061\013\060\011
-\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125
-\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156
-\143\056\061\074\060\072\006\003\125\004\013\023\063\103\154\141
-\163\163\040\063\040\120\165\142\154\151\143\040\120\162\151\155
-\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157
-\156\040\101\165\164\150\157\162\151\164\171\040\055\040\107\062
-\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040\061
-\071\071\070\040\126\145\162\151\123\151\147\156\054\040\111\156
-\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162\151
-\172\145\144\040\165\163\145\040\157\156\154\171\061\037\060\035
-\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040
-\124\162\165\163\164\040\116\145\164\167\157\162\153\060\036\027
-\015\071\070\060\065\061\070\060\060\060\060\060\060\132\027\015
-\062\070\060\070\060\061\062\063\065\071\065\071\132\060\201\301
-\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027\060
-\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147\156
-\054\040\111\156\143\056\061\074\060\072\006\003\125\004\013\023
-\063\103\154\141\163\163\040\063\040\120\165\142\154\151\143\040
-\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143
-\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040
-\055\040\107\062\061\072\060\070\006\003\125\004\013\023\061\050
-\143\051\040\061\071\071\070\040\126\145\162\151\123\151\147\156
-\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165\164
-\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171
-\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151\123
-\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157\162
-\153\060\201\237\060\015\006\011\052\206\110\206\367\015\001\001
-\001\005\000\003\201\215\000\060\201\211\002\201\201\000\314\136
-\321\021\135\134\151\320\253\323\271\152\114\231\037\131\230\060
-\216\026\205\040\106\155\107\077\324\205\040\204\341\155\263\370
-\244\355\014\361\027\017\073\371\247\371\045\327\301\317\204\143
-\362\174\143\317\242\107\362\306\133\063\216\144\100\004\150\301
-\200\271\144\034\105\167\307\330\156\365\225\051\074\120\350\064
-\327\170\037\250\272\155\103\221\225\217\105\127\136\176\305\373
-\312\244\004\353\352\227\067\124\060\157\273\001\107\062\063\315
-\334\127\233\144\151\141\370\233\035\034\211\117\134\147\002\003
-\001\000\001\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\003\201\201\000\121\115\315\276\134\313\230\031\234\025
-\262\001\071\170\056\115\017\147\160\160\231\306\020\132\224\244
-\123\115\124\155\053\257\015\135\100\213\144\323\327\356\336\126
-\141\222\137\246\304\035\020\141\066\323\054\047\074\350\051\011
-\271\021\144\164\314\265\163\237\034\110\251\274\141\001\356\342
-\027\246\014\343\100\010\073\016\347\353\104\163\052\232\361\151
-\222\357\161\024\303\071\254\161\247\221\011\157\344\161\006\263
-\272\131\127\046\171\000\366\370\015\242\063\060\050\324\252\130
-\240\235\235\151\221\375
-END
-
-# Trust for Certificate "Verisign Class 3 Public Primary Certification Authority - G2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 3 Public Primary Certification Authority - G2"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\205\067\034\246\345\120\024\075\316\050\003\107\033\336\072\011
-\350\370\167\017
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\242\063\233\114\164\170\163\324\154\347\301\363\215\313\134\351
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
-\004\013\023\063\103\154\141\163\163\040\063\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
-\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
-\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
-\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
-\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
-\167\157\162\153
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\175\331\376\007\317\250\036\267\020\171\147\373\247\211
-\064\306
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Verisign Class 4 Public Primary Certification Authority - G2"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 4 Public Primary Certification Authority - G2"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
-\004\013\023\063\103\154\141\163\163\040\064\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
-\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
-\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
-\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
-\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
-\167\157\162\153
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
-\004\013\023\063\103\154\141\163\163\040\064\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
-\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
-\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
-\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
-\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
-\167\157\162\153
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\062\210\216\232\322\365\353\023\107\370\177\304\040\067
-\045\370
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\002\060\202\002\153\002\020\062\210\216\232\322\365
-\353\023\107\370\177\304\040\067\045\370\060\015\006\011\052\206
-\110\206\367\015\001\001\005\005\000\060\201\301\061\013\060\011
-\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125
-\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156
-\143\056\061\074\060\072\006\003\125\004\013\023\063\103\154\141
-\163\163\040\064\040\120\165\142\154\151\143\040\120\162\151\155
-\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157
-\156\040\101\165\164\150\157\162\151\164\171\040\055\040\107\062
-\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040\061
-\071\071\070\040\126\145\162\151\123\151\147\156\054\040\111\156
-\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162\151
-\172\145\144\040\165\163\145\040\157\156\154\171\061\037\060\035
-\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040
-\124\162\165\163\164\040\116\145\164\167\157\162\153\060\036\027
-\015\071\070\060\065\061\070\060\060\060\060\060\060\132\027\015
-\062\070\060\070\060\061\062\063\065\071\065\071\132\060\201\301
-\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027\060
-\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147\156
-\054\040\111\156\143\056\061\074\060\072\006\003\125\004\013\023
-\063\103\154\141\163\163\040\064\040\120\165\142\154\151\143\040
-\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143
-\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040
-\055\040\107\062\061\072\060\070\006\003\125\004\013\023\061\050
-\143\051\040\061\071\071\070\040\126\145\162\151\123\151\147\156
-\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165\164
-\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171
-\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151\123
-\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157\162
-\153\060\201\237\060\015\006\011\052\206\110\206\367\015\001\001
-\001\005\000\003\201\215\000\060\201\211\002\201\201\000\272\360
-\344\317\371\304\256\205\124\271\007\127\371\217\305\177\150\021
-\370\304\027\260\104\334\343\060\163\325\052\142\052\270\320\314
-\034\355\050\133\176\275\152\334\263\221\044\312\101\142\074\374
-\002\001\277\034\026\061\224\005\227\166\156\242\255\275\141\027
-\154\116\060\206\360\121\067\052\120\307\250\142\201\334\133\112
-\252\301\240\264\156\353\057\345\127\305\261\053\100\160\333\132
-\115\241\216\037\275\003\037\330\003\324\217\114\231\161\274\342
-\202\314\130\350\230\072\206\323\206\070\363\000\051\037\002\003
-\001\000\001\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\003\201\201\000\205\214\022\301\247\271\120\025\172\313
-\076\254\270\103\212\334\252\335\024\272\211\201\176\001\074\043
-\161\041\210\057\202\334\143\372\002\105\254\105\131\327\052\130
-\104\133\267\237\201\073\222\150\075\342\067\044\365\173\154\217
-\166\065\226\011\250\131\235\271\316\043\253\164\326\203\375\062
-\163\047\330\151\076\103\164\366\256\305\211\232\347\123\174\351
-\173\366\113\363\301\145\203\336\215\212\234\074\210\215\071\131
-\374\252\077\042\215\241\301\146\120\201\162\114\355\042\144\117
-\117\312\200\221\266\051
-END
-
-# Trust for Certificate "Verisign Class 4 Public Primary Certification Authority - G2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 4 Public Primary Certification Authority - G2"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\013\167\276\273\313\172\242\107\005\336\314\017\275\152\002\374
-\172\275\233\122
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\046\155\054\031\230\266\160\150\070\120\124\031\354\220\064\140
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
-\004\013\023\063\103\154\141\163\163\040\064\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
-\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
-\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
-\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
-\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
-\167\157\162\153
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\062\210\216\232\322\365\353\023\107\370\177\304\040\067
-\045\370
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_TRUE
-
-#
-# Certificate "GlobalSign Root CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "GlobalSign Root CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\127\061\013\060\011\006\003\125\004\006\023\002\102\105\061
-\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154
-\123\151\147\156\040\156\166\055\163\141\061\020\060\016\006\003
-\125\004\013\023\007\122\157\157\164\040\103\101\061\033\060\031
-\006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147
-\156\040\122\157\157\164\040\103\101
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\127\061\013\060\011\006\003\125\004\006\023\002\102\105\061
-\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154
-\123\151\147\156\040\156\166\055\163\141\061\020\060\016\006\003
-\125\004\013\023\007\122\157\157\164\040\103\101\061\033\060\031
-\006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147
-\156\040\122\157\157\164\040\103\101
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\013\002\000\000\000\000\000\326\170\267\224\005
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\165\060\202\002\135\240\003\002\001\002\002\013\002
-\000\000\000\000\000\326\170\267\224\005\060\015\006\011\052\206
-\110\206\367\015\001\001\004\005\000\060\127\061\013\060\011\006
-\003\125\004\006\023\002\102\105\061\031\060\027\006\003\125\004
-\012\023\020\107\154\157\142\141\154\123\151\147\156\040\156\166
-\055\163\141\061\020\060\016\006\003\125\004\013\023\007\122\157
-\157\164\040\103\101\061\033\060\031\006\003\125\004\003\023\022
-\107\154\157\142\141\154\123\151\147\156\040\122\157\157\164\040
-\103\101\060\036\027\015\071\070\060\071\060\061\061\062\060\060
-\060\060\132\027\015\061\064\060\061\062\070\061\062\060\060\060
-\060\132\060\127\061\013\060\011\006\003\125\004\006\023\002\102
-\105\061\031\060\027\006\003\125\004\012\023\020\107\154\157\142
-\141\154\123\151\147\156\040\156\166\055\163\141\061\020\060\016
-\006\003\125\004\013\023\007\122\157\157\164\040\103\101\061\033
-\060\031\006\003\125\004\003\023\022\107\154\157\142\141\154\123
-\151\147\156\040\122\157\157\164\040\103\101\060\202\001\042\060
-\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202
-\001\017\000\060\202\001\012\002\202\001\001\000\332\016\346\231
-\215\316\243\343\117\212\176\373\361\213\203\045\153\352\110\037
-\361\052\260\271\225\021\004\275\360\143\321\342\147\146\317\034
-\335\317\033\110\053\356\215\211\216\232\257\051\200\145\253\351
-\307\055\022\313\253\034\114\160\007\241\075\012\060\315\025\215
-\117\370\335\324\214\120\025\034\357\120\356\304\056\367\374\351
-\122\362\221\175\340\155\325\065\060\216\136\103\163\362\101\351
-\325\152\343\262\211\072\126\071\070\157\006\074\210\151\133\052
-\115\305\247\124\270\154\211\314\233\371\074\312\345\375\211\365
-\022\074\222\170\226\326\334\164\156\223\104\141\321\215\307\106
-\262\165\016\206\350\031\212\325\155\154\325\170\026\225\242\351
-\310\012\070\353\362\044\023\117\163\124\223\023\205\072\033\274
-\036\064\265\213\005\214\271\167\213\261\333\037\040\221\253\011
-\123\156\220\316\173\067\164\271\160\107\221\042\121\143\026\171
-\256\261\256\101\046\010\310\031\053\321\106\252\110\326\144\052
-\327\203\064\377\054\052\301\154\031\103\112\007\205\347\323\174
-\366\041\150\357\352\362\122\237\177\223\220\317\002\003\001\000
-\001\243\102\060\100\060\016\006\003\125\035\017\001\001\377\004
-\004\003\002\000\006\060\035\006\003\125\035\016\004\026\004\024
-\140\173\146\032\105\015\227\312\211\120\057\175\004\315\064\250
-\377\374\375\113\060\017\006\003\125\035\023\001\001\377\004\005
-\060\003\001\001\377\060\015\006\011\052\206\110\206\367\015\001
-\001\004\005\000\003\202\001\001\000\256\252\237\374\267\322\313
-\037\137\071\051\050\030\236\064\311\154\117\157\032\360\144\242
-\160\112\117\023\206\233\140\050\236\350\201\111\230\175\012\273
-\345\260\235\075\066\333\217\005\121\377\011\061\052\037\335\211
-\167\236\017\056\154\225\004\355\206\313\264\000\077\204\002\115
-\200\152\052\055\170\013\256\157\053\242\203\104\203\037\315\120
-\202\114\044\257\275\367\245\264\310\132\017\364\347\107\136\111
-\216\067\226\376\232\210\005\072\331\300\333\051\207\346\031\226
-\107\247\072\246\214\213\074\167\376\106\143\247\123\332\041\321
-\254\176\111\242\113\346\303\147\131\057\263\212\016\273\054\275
-\251\252\102\174\065\301\330\177\325\247\061\072\116\143\103\071
-\257\010\260\141\064\214\323\230\251\103\064\366\017\207\051\073
-\235\302\126\130\230\167\303\367\033\254\366\235\370\076\252\247
-\124\105\360\365\371\325\061\145\376\153\130\234\161\263\036\327
-\122\352\062\027\374\100\140\035\311\171\044\262\366\154\375\250
-\146\016\202\335\230\313\332\302\104\117\056\240\173\362\367\153
-\054\166\021\204\106\212\170\243\343
-END
-
-# Trust for Certificate "GlobalSign Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "GlobalSign Root CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\057\027\077\175\351\226\147\257\245\172\370\012\242\321\261\057
-\254\203\003\070
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\253\277\352\343\153\051\246\314\246\170\065\231\357\255\053\200
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\127\061\013\060\011\006\003\125\004\006\023\002\102\105\061
-\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154
-\123\151\147\156\040\156\166\055\163\141\061\020\060\016\006\003
-\125\004\013\023\007\122\157\157\164\040\103\101\061\033\060\031
-\006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147
-\156\040\122\157\157\164\040\103\101
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\013\002\000\000\000\000\000\326\170\267\224\005
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "ValiCert Class 1 VA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "ValiCert Class 1 VA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
-\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
-\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
-\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
-\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
-\151\103\145\162\164\040\103\154\141\163\163\040\061\040\120\157
-\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
-\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
-\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
-\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
-\157\100\166\141\154\151\143\145\162\164\056\143\157\155
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
-\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
-\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
-\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
-\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
-\151\103\145\162\164\040\103\154\141\163\163\040\061\040\120\157
-\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
-\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
-\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
-\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
-\157\100\166\141\154\151\143\145\162\164\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\347\060\202\002\120\002\001\001\060\015\006\011\052
-\206\110\206\367\015\001\001\005\005\000\060\201\273\061\044\060
-\042\006\003\125\004\007\023\033\126\141\154\151\103\145\162\164
-\040\126\141\154\151\144\141\164\151\157\156\040\116\145\164\167
-\157\162\153\061\027\060\025\006\003\125\004\012\023\016\126\141
-\154\151\103\145\162\164\054\040\111\156\143\056\061\065\060\063
-\006\003\125\004\013\023\054\126\141\154\151\103\145\162\164\040
-\103\154\141\163\163\040\061\040\120\157\154\151\143\171\040\126
-\141\154\151\144\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\061\041\060\037\006\003\125\004\003\023\030\150\164
-\164\160\072\057\057\167\167\167\056\166\141\154\151\143\145\162
-\164\056\143\157\155\057\061\040\060\036\006\011\052\206\110\206
-\367\015\001\011\001\026\021\151\156\146\157\100\166\141\154\151
-\143\145\162\164\056\143\157\155\060\036\027\015\071\071\060\066
-\062\065\062\062\062\063\064\070\132\027\015\061\071\060\066\062
-\065\062\062\062\063\064\070\132\060\201\273\061\044\060\042\006
-\003\125\004\007\023\033\126\141\154\151\103\145\162\164\040\126
-\141\154\151\144\141\164\151\157\156\040\116\145\164\167\157\162
-\153\061\027\060\025\006\003\125\004\012\023\016\126\141\154\151
-\103\145\162\164\054\040\111\156\143\056\061\065\060\063\006\003
-\125\004\013\023\054\126\141\154\151\103\145\162\164\040\103\154
-\141\163\163\040\061\040\120\157\154\151\143\171\040\126\141\154
-\151\144\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171\061\041\060\037\006\003\125\004\003\023\030\150\164\164\160
-\072\057\057\167\167\167\056\166\141\154\151\143\145\162\164\056
-\143\157\155\057\061\040\060\036\006\011\052\206\110\206\367\015
-\001\011\001\026\021\151\156\146\157\100\166\141\154\151\143\145
-\162\164\056\143\157\155\060\201\237\060\015\006\011\052\206\110
-\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002
-\201\201\000\330\131\202\172\211\270\226\272\246\057\150\157\130
-\056\247\124\034\006\156\364\352\215\110\274\061\224\027\360\363
-\116\274\262\270\065\222\166\260\320\245\245\001\327\000\003\022
-\042\031\010\370\377\021\043\233\316\007\365\277\151\032\046\376
-\116\351\321\177\235\054\100\035\131\150\156\246\370\130\260\235
-\032\217\323\077\361\334\031\006\201\250\016\340\072\335\310\123
-\105\011\006\346\017\160\303\372\100\246\016\342\126\005\017\030
-\115\374\040\202\321\163\125\164\215\166\162\240\035\235\035\300
-\335\077\161\002\003\001\000\001\060\015\006\011\052\206\110\206
-\367\015\001\001\005\005\000\003\201\201\000\120\150\075\111\364
-\054\034\006\224\337\225\140\177\226\173\027\376\117\161\255\144
-\310\335\167\322\357\131\125\350\077\350\216\005\052\041\362\007
-\322\265\247\122\376\234\261\266\342\133\167\027\100\352\162\326
-\043\313\050\201\062\303\000\171\030\354\131\027\211\311\306\152
-\036\161\311\375\267\164\245\045\105\151\305\110\253\031\341\105
-\212\045\153\031\356\345\273\022\365\177\367\246\215\121\303\360
-\235\164\267\251\076\240\245\377\266\111\003\023\332\042\314\355
-\161\202\053\231\317\072\267\365\055\162\310
-END
-
-# Trust for Certificate "ValiCert Class 1 VA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "ValiCert Class 1 VA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\345\337\164\074\266\001\304\233\230\103\334\253\214\350\152\201
-\020\237\344\216
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\145\130\253\025\255\127\154\036\250\247\265\151\254\277\377\353
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
-\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
-\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
-\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
-\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
-\151\103\145\162\164\040\103\154\141\163\163\040\061\040\120\157
-\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
-\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
-\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
-\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
-\157\100\166\141\154\151\143\145\162\164\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "ValiCert Class 2 VA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "ValiCert Class 2 VA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
-\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
-\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
-\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
-\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
-\151\103\145\162\164\040\103\154\141\163\163\040\062\040\120\157
-\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
-\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
-\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
-\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
-\157\100\166\141\154\151\143\145\162\164\056\143\157\155
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
-\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
-\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
-\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
-\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
-\151\103\145\162\164\040\103\154\141\163\163\040\062\040\120\157
-\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
-\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
-\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
-\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
-\157\100\166\141\154\151\143\145\162\164\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\347\060\202\002\120\002\001\001\060\015\006\011\052
-\206\110\206\367\015\001\001\005\005\000\060\201\273\061\044\060
-\042\006\003\125\004\007\023\033\126\141\154\151\103\145\162\164
-\040\126\141\154\151\144\141\164\151\157\156\040\116\145\164\167
-\157\162\153\061\027\060\025\006\003\125\004\012\023\016\126\141
-\154\151\103\145\162\164\054\040\111\156\143\056\061\065\060\063
-\006\003\125\004\013\023\054\126\141\154\151\103\145\162\164\040
-\103\154\141\163\163\040\062\040\120\157\154\151\143\171\040\126
-\141\154\151\144\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\061\041\060\037\006\003\125\004\003\023\030\150\164
-\164\160\072\057\057\167\167\167\056\166\141\154\151\143\145\162
-\164\056\143\157\155\057\061\040\060\036\006\011\052\206\110\206
-\367\015\001\011\001\026\021\151\156\146\157\100\166\141\154\151
-\143\145\162\164\056\143\157\155\060\036\027\015\071\071\060\066
-\062\066\060\060\061\071\065\064\132\027\015\061\071\060\066\062
-\066\060\060\061\071\065\064\132\060\201\273\061\044\060\042\006
-\003\125\004\007\023\033\126\141\154\151\103\145\162\164\040\126
-\141\154\151\144\141\164\151\157\156\040\116\145\164\167\157\162
-\153\061\027\060\025\006\003\125\004\012\023\016\126\141\154\151
-\103\145\162\164\054\040\111\156\143\056\061\065\060\063\006\003
-\125\004\013\023\054\126\141\154\151\103\145\162\164\040\103\154
-\141\163\163\040\062\040\120\157\154\151\143\171\040\126\141\154
-\151\144\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171\061\041\060\037\006\003\125\004\003\023\030\150\164\164\160
-\072\057\057\167\167\167\056\166\141\154\151\143\145\162\164\056
-\143\157\155\057\061\040\060\036\006\011\052\206\110\206\367\015
-\001\011\001\026\021\151\156\146\157\100\166\141\154\151\143\145
-\162\164\056\143\157\155\060\201\237\060\015\006\011\052\206\110
-\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002
-\201\201\000\316\072\161\312\345\253\310\131\222\125\327\253\330
-\164\016\371\356\331\366\125\107\131\145\107\016\005\125\334\353
-\230\066\074\134\123\135\323\060\317\070\354\275\101\211\355\045
-\102\011\044\153\012\136\263\174\335\122\055\114\346\324\326\175
-\132\131\251\145\324\111\023\055\044\115\034\120\157\265\301\205
-\124\073\376\161\344\323\134\102\371\200\340\221\032\012\133\071
-\066\147\363\077\125\174\033\077\264\137\144\163\064\343\264\022
-\277\207\144\370\332\022\377\067\047\301\263\103\273\357\173\156
-\056\151\367\002\003\001\000\001\060\015\006\011\052\206\110\206
-\367\015\001\001\005\005\000\003\201\201\000\073\177\120\157\157
-\120\224\231\111\142\070\070\037\113\370\245\310\076\247\202\201
-\366\053\307\350\305\316\350\072\020\202\313\030\000\216\115\275
-\250\130\177\241\171\000\265\273\351\215\257\101\331\017\064\356
-\041\201\031\240\062\111\050\364\304\216\126\325\122\063\375\120
-\325\176\231\154\003\344\311\114\374\313\154\253\146\263\112\041
-\214\345\265\014\062\076\020\262\314\154\241\334\232\230\114\002
-\133\363\316\271\236\245\162\016\112\267\077\074\346\026\150\370
-\276\355\164\114\274\133\325\142\037\103\335
-END
-
-# Trust for Certificate "ValiCert Class 2 VA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "ValiCert Class 2 VA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\061\172\052\320\177\053\063\136\365\241\303\116\113\127\350\267
-\330\361\374\246
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\251\043\165\233\272\111\066\156\061\302\333\362\347\146\272\207
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
-\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
-\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
-\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
-\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
-\151\103\145\162\164\040\103\154\141\163\163\040\062\040\120\157
-\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
-\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
-\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
-\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
-\157\100\166\141\154\151\143\145\162\164\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "RSA Root Certificate 1"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "RSA Root Certificate 1"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
-\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
-\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
-\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
-\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
-\151\103\145\162\164\040\103\154\141\163\163\040\063\040\120\157
-\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
-\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
-\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
-\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
-\157\100\166\141\154\151\143\145\162\164\056\143\157\155
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
-\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
-\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
-\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
-\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
-\151\103\145\162\164\040\103\154\141\163\163\040\063\040\120\157
-\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
-\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
-\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
-\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
-\157\100\166\141\154\151\143\145\162\164\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\347\060\202\002\120\002\001\001\060\015\006\011\052
-\206\110\206\367\015\001\001\005\005\000\060\201\273\061\044\060
-\042\006\003\125\004\007\023\033\126\141\154\151\103\145\162\164
-\040\126\141\154\151\144\141\164\151\157\156\040\116\145\164\167
-\157\162\153\061\027\060\025\006\003\125\004\012\023\016\126\141
-\154\151\103\145\162\164\054\040\111\156\143\056\061\065\060\063
-\006\003\125\004\013\023\054\126\141\154\151\103\145\162\164\040
-\103\154\141\163\163\040\063\040\120\157\154\151\143\171\040\126
-\141\154\151\144\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\061\041\060\037\006\003\125\004\003\023\030\150\164
-\164\160\072\057\057\167\167\167\056\166\141\154\151\143\145\162
-\164\056\143\157\155\057\061\040\060\036\006\011\052\206\110\206
-\367\015\001\011\001\026\021\151\156\146\157\100\166\141\154\151
-\143\145\162\164\056\143\157\155\060\036\027\015\071\071\060\066
-\062\066\060\060\062\062\063\063\132\027\015\061\071\060\066\062
-\066\060\060\062\062\063\063\132\060\201\273\061\044\060\042\006
-\003\125\004\007\023\033\126\141\154\151\103\145\162\164\040\126
-\141\154\151\144\141\164\151\157\156\040\116\145\164\167\157\162
-\153\061\027\060\025\006\003\125\004\012\023\016\126\141\154\151
-\103\145\162\164\054\040\111\156\143\056\061\065\060\063\006\003
-\125\004\013\023\054\126\141\154\151\103\145\162\164\040\103\154
-\141\163\163\040\063\040\120\157\154\151\143\171\040\126\141\154
-\151\144\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171\061\041\060\037\006\003\125\004\003\023\030\150\164\164\160
-\072\057\057\167\167\167\056\166\141\154\151\143\145\162\164\056
-\143\157\155\057\061\040\060\036\006\011\052\206\110\206\367\015
-\001\011\001\026\021\151\156\146\157\100\166\141\154\151\143\145
-\162\164\056\143\157\155\060\201\237\060\015\006\011\052\206\110
-\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002
-\201\201\000\343\230\121\226\034\350\325\261\006\201\152\127\303
-\162\165\223\253\317\236\246\374\363\026\122\326\055\115\237\065
-\104\250\056\004\115\007\111\212\070\051\365\167\067\347\267\253
-\135\337\066\161\024\231\217\334\302\222\361\347\140\222\227\354
-\330\110\334\277\301\002\040\306\044\244\050\114\060\132\166\155
-\261\134\363\335\336\236\020\161\241\210\307\133\233\101\155\312
-\260\270\216\025\356\255\063\053\317\107\004\134\165\161\012\230
-\044\230\051\247\111\131\245\335\370\267\103\142\141\363\323\342
-\320\125\077\002\003\001\000\001\060\015\006\011\052\206\110\206
-\367\015\001\001\005\005\000\003\201\201\000\126\273\002\130\204
-\147\010\054\337\037\333\173\111\063\365\323\147\235\364\264\012
-\020\263\311\305\054\342\222\152\161\170\047\362\160\203\102\323
-\076\317\251\124\364\361\330\222\026\214\321\004\313\113\253\311
-\237\105\256\074\212\251\260\161\063\135\310\305\127\337\257\250
-\065\263\177\211\207\351\350\045\222\270\177\205\172\256\326\274
-\036\067\130\052\147\311\221\317\052\201\076\355\306\071\337\300
-\076\031\234\031\314\023\115\202\101\265\214\336\340\075\140\010
-\040\017\105\176\153\242\177\243\214\025\356
-END
-
-# Trust for Certificate "RSA Root Certificate 1"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "RSA Root Certificate 1"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\151\275\214\364\234\323\000\373\131\056\027\223\312\125\152\363
-\354\252\065\373
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\242\157\123\267\356\100\333\112\150\347\372\030\331\020\113\162
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
-\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
-\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
-\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
-\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
-\151\103\145\162\164\040\103\154\141\163\163\040\063\040\120\157
-\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
-\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
-\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
-\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
-\157\100\166\141\154\151\143\145\162\164\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 1 Public Primary Certification Authority - G3"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
-\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
-\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
-\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145
-\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
-\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
-\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
-\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
-\061\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
-\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
-\165\164\150\157\162\151\164\171\040\055\040\107\063
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
-\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
-\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
-\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145
-\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
-\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
-\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
-\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
-\061\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
-\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
-\165\164\150\157\162\151\164\171\040\055\040\107\063
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\021\000\213\133\165\126\204\124\205\013\000\317\257\070\110
-\316\261\244
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\032\060\202\003\002\002\021\000\213\133\165\126\204
-\124\205\013\000\317\257\070\110\316\261\244\060\015\006\011\052
-\206\110\206\367\015\001\001\005\005\000\060\201\312\061\013\060
-\011\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003
-\125\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111
-\156\143\056\061\037\060\035\006\003\125\004\013\023\026\126\145
-\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
-\167\157\162\153\061\072\060\070\006\003\125\004\013\023\061\050
-\143\051\040\061\071\071\071\040\126\145\162\151\123\151\147\156
-\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165\164
-\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171
-\061\105\060\103\006\003\125\004\003\023\074\126\145\162\151\123
-\151\147\156\040\103\154\141\163\163\040\061\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\063\060\036\027\015\071\071\061\060\060
-\061\060\060\060\060\060\060\132\027\015\063\066\060\067\061\066
-\062\063\065\071\065\071\132\060\201\312\061\013\060\011\006\003
-\125\004\006\023\002\125\123\061\027\060\025\006\003\125\004\012
-\023\016\126\145\162\151\123\151\147\156\054\040\111\156\143\056
-\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151\123
-\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157\162
-\153\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040
-\061\071\071\071\040\126\145\162\151\123\151\147\156\054\040\111
-\156\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162
-\151\172\145\144\040\165\163\145\040\157\156\154\171\061\105\060
-\103\006\003\125\004\003\023\074\126\145\162\151\123\151\147\156
-\040\103\154\141\163\163\040\061\040\120\165\142\154\151\143\040
-\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143
-\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040
-\055\040\107\063\060\202\001\042\060\015\006\011\052\206\110\206
-\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012
-\002\202\001\001\000\335\204\324\271\264\371\247\330\363\004\170
-\234\336\075\334\154\023\026\331\172\335\044\121\146\300\307\046
-\131\015\254\006\010\302\224\321\063\037\360\203\065\037\156\033
-\310\336\252\156\025\116\124\047\357\304\155\032\354\013\343\016
-\360\104\245\127\307\100\130\036\243\107\037\161\354\140\366\155
-\224\310\030\071\355\376\102\030\126\337\344\114\111\020\170\116
-\001\166\065\143\022\066\335\146\274\001\004\066\243\125\150\325
-\242\066\011\254\253\041\046\124\006\255\077\312\024\340\254\312
-\255\006\035\225\342\370\235\361\340\140\377\302\177\165\053\114
-\314\332\376\207\231\041\352\272\376\076\124\327\322\131\170\333
-\074\156\317\240\023\000\032\270\047\241\344\276\147\226\312\240
-\305\263\234\335\311\165\236\353\060\232\137\243\315\331\256\170
-\031\077\043\351\134\333\051\275\255\125\310\033\124\214\143\366
-\350\246\352\307\067\022\134\243\051\036\002\331\333\037\073\264
-\327\017\126\107\201\025\004\112\257\203\047\321\305\130\210\301
-\335\366\252\247\243\030\332\150\252\155\021\121\341\277\145\153
-\237\226\166\321\075\002\003\001\000\001\060\015\006\011\052\206
-\110\206\367\015\001\001\005\005\000\003\202\001\001\000\253\146
-\215\327\263\272\307\232\266\346\125\320\005\361\237\061\215\132
-\252\331\252\106\046\017\161\355\245\255\123\126\142\001\107\052
-\104\351\376\077\164\013\023\233\271\364\115\033\262\321\137\262
-\266\322\210\134\263\237\315\313\324\247\331\140\225\204\072\370
-\301\067\035\141\312\347\260\305\345\221\332\124\246\254\061\201
-\256\227\336\315\010\254\270\300\227\200\177\156\162\244\347\151
-\023\225\145\037\304\223\074\375\171\217\004\324\076\117\352\367
-\236\316\315\147\174\117\145\002\377\221\205\124\163\307\377\066
-\367\206\055\354\320\136\117\377\021\237\162\006\326\270\032\361
-\114\015\046\145\342\104\200\036\307\237\343\335\350\012\332\354
-\245\040\200\151\150\241\117\176\341\153\317\007\101\372\203\216
-\274\070\335\260\056\021\261\153\262\102\314\232\274\371\110\042
-\171\112\031\017\262\034\076\040\164\331\152\303\276\362\050\170
-\023\126\171\117\155\120\352\033\260\265\127\261\067\146\130\043
-\363\334\017\337\012\207\304\357\206\005\325\070\024\140\231\243
-\113\336\006\226\161\054\362\333\266\037\244\357\077\356
-END
-
-# Trust for Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 1 Public Primary Certification Authority - G3"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\040\102\205\334\367\353\166\101\225\127\216\023\153\324\267\321
-\351\216\106\245
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\261\107\274\030\127\321\030\240\170\055\354\161\350\052\225\163
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
-\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
-\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
-\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145
-\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
-\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
-\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
-\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
-\061\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
-\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
-\165\164\150\157\162\151\164\171\040\055\040\107\063
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\021\000\213\133\165\126\204\124\205\013\000\317\257\070\110
-\316\261\244
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 2 Public Primary Certification Authority - G3"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
-\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
-\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
-\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145
-\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
-\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
-\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
-\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
-\062\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
-\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
-\165\164\150\157\162\151\164\171\040\055\040\107\063
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
-\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
-\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
-\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145
-\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
-\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
-\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
-\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
-\062\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
-\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
-\165\164\150\157\162\151\164\171\040\055\040\107\063
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\141\160\313\111\214\137\230\105\051\347\260\246\331\120
-\133\172
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\031\060\202\003\001\002\020\141\160\313\111\214\137
-\230\105\051\347\260\246\331\120\133\172\060\015\006\011\052\206
-\110\206\367\015\001\001\005\005\000\060\201\312\061\013\060\011
-\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125
-\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156
-\143\056\061\037\060\035\006\003\125\004\013\023\026\126\145\162
-\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164\167
-\157\162\153\061\072\060\070\006\003\125\004\013\023\061\050\143
-\051\040\061\071\071\071\040\126\145\162\151\123\151\147\156\054
-\040\111\156\143\056\040\055\040\106\157\162\040\141\165\164\150
-\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171\061
-\105\060\103\006\003\125\004\003\023\074\126\145\162\151\123\151
-\147\156\040\103\154\141\163\163\040\062\040\120\165\142\154\151
-\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171\040\055\040\107\063\060\036\027\015\071\071\061\060\060\061
-\060\060\060\060\060\060\132\027\015\063\066\060\067\061\066\062
-\063\065\071\065\071\132\060\201\312\061\013\060\011\006\003\125
-\004\006\023\002\125\123\061\027\060\025\006\003\125\004\012\023
-\016\126\145\162\151\123\151\147\156\054\040\111\156\143\056\061
-\037\060\035\006\003\125\004\013\023\026\126\145\162\151\123\151
-\147\156\040\124\162\165\163\164\040\116\145\164\167\157\162\153
-\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040\061
-\071\071\071\040\126\145\162\151\123\151\147\156\054\040\111\156
-\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162\151
-\172\145\144\040\165\163\145\040\157\156\154\171\061\105\060\103
-\006\003\125\004\003\023\074\126\145\162\151\123\151\147\156\040
-\103\154\141\163\163\040\062\040\120\165\142\154\151\143\040\120
-\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143\141
-\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040\055
-\040\107\063\060\202\001\042\060\015\006\011\052\206\110\206\367
-\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002
-\202\001\001\000\257\012\015\302\325\054\333\147\271\055\345\224
-\047\335\245\276\340\260\115\217\263\141\126\074\326\174\303\364
-\315\076\206\313\242\210\342\341\330\244\151\305\265\342\277\301
-\246\107\120\136\106\071\213\325\226\272\265\157\024\277\020\316
-\047\023\236\005\107\233\061\172\023\330\037\331\323\002\067\213
-\255\054\107\360\216\201\006\247\015\060\014\353\367\074\017\040
-\035\334\162\106\356\245\002\310\133\303\311\126\151\114\305\030
-\301\221\173\013\325\023\000\233\274\357\303\110\076\106\140\040
-\205\052\325\220\266\315\213\240\314\062\335\267\375\100\125\262
-\120\034\126\256\314\215\167\115\307\040\115\247\061\166\357\150
-\222\212\220\036\010\201\126\262\255\151\243\122\320\313\034\304
-\043\075\037\231\376\114\350\026\143\216\306\010\216\366\061\366
-\322\372\345\166\335\265\034\222\243\111\315\315\001\315\150\315
-\251\151\272\243\353\035\015\234\244\040\246\301\240\305\321\106
-\114\027\155\322\254\146\077\226\214\340\204\324\066\377\042\131
-\305\371\021\140\250\137\004\175\362\032\366\045\102\141\017\304
-\112\270\076\211\002\003\001\000\001\060\015\006\011\052\206\110
-\206\367\015\001\001\005\005\000\003\202\001\001\000\064\046\025
-\074\300\215\115\103\111\035\275\351\041\222\327\146\234\267\336
-\305\270\320\344\135\137\166\042\300\046\371\204\072\072\371\214
-\265\373\354\140\361\350\316\004\260\310\335\247\003\217\060\363
-\230\337\244\346\244\061\337\323\034\013\106\334\162\040\077\256
-\356\005\074\244\063\077\013\071\254\160\170\163\113\231\053\337
-\060\302\124\260\250\073\125\241\376\026\050\315\102\275\164\156
-\200\333\047\104\247\316\104\135\324\033\220\230\015\036\102\224
-\261\000\054\004\320\164\243\002\005\042\143\143\315\203\265\373
-\301\155\142\153\151\165\375\135\160\101\271\365\277\174\337\276
-\301\062\163\042\041\213\130\201\173\025\221\172\272\343\144\110
-\260\177\373\066\045\332\225\320\361\044\024\027\335\030\200\153
-\106\043\071\124\365\216\142\011\004\035\224\220\246\233\346\045
-\342\102\105\252\270\220\255\276\010\217\251\013\102\030\224\317
-\162\071\341\261\103\340\050\317\267\347\132\154\023\153\111\263
-\377\343\030\174\211\213\063\135\254\063\327\247\371\332\072\125
-\311\130\020\371\252\357\132\266\317\113\113\337\052
-END
-
-# Trust for Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 2 Public Primary Certification Authority - G3"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\141\357\103\327\177\312\324\141\121\274\230\340\303\131\022\257
-\237\353\143\021
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\370\276\304\143\042\311\250\106\164\213\270\035\036\112\053\366
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
-\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
-\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
-\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145
-\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
-\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
-\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
-\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
-\062\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
-\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
-\165\164\150\157\162\151\164\171\040\055\040\107\063
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\141\160\313\111\214\137\230\105\051\347\260\246\331\120
-\133\172
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 3 Public Primary Certification Authority - G3"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
-\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
-\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
-\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145
-\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
-\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
-\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
-\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
-\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
-\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
-\165\164\150\157\162\151\164\171\040\055\040\107\063
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
-\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
-\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
-\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145
-\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
-\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
-\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
-\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
-\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
-\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
-\165\164\150\157\162\151\164\171\040\055\040\107\063
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\021\000\233\176\006\111\243\076\142\271\325\356\220\110\161
-\051\357\127
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\032\060\202\003\002\002\021\000\233\176\006\111\243
-\076\142\271\325\356\220\110\161\051\357\127\060\015\006\011\052
-\206\110\206\367\015\001\001\005\005\000\060\201\312\061\013\060
-\011\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003
-\125\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111
-\156\143\056\061\037\060\035\006\003\125\004\013\023\026\126\145
-\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
-\167\157\162\153\061\072\060\070\006\003\125\004\013\023\061\050
-\143\051\040\061\071\071\071\040\126\145\162\151\123\151\147\156
-\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165\164
-\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171
-\061\105\060\103\006\003\125\004\003\023\074\126\145\162\151\123
-\151\147\156\040\103\154\141\163\163\040\063\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\063\060\036\027\015\071\071\061\060\060
-\061\060\060\060\060\060\060\132\027\015\063\066\060\067\061\066
-\062\063\065\071\065\071\132\060\201\312\061\013\060\011\006\003
-\125\004\006\023\002\125\123\061\027\060\025\006\003\125\004\012
-\023\016\126\145\162\151\123\151\147\156\054\040\111\156\143\056
-\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151\123
-\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157\162
-\153\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040
-\061\071\071\071\040\126\145\162\151\123\151\147\156\054\040\111
-\156\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162
-\151\172\145\144\040\165\163\145\040\157\156\154\171\061\105\060
-\103\006\003\125\004\003\023\074\126\145\162\151\123\151\147\156
-\040\103\154\141\163\163\040\063\040\120\165\142\154\151\143\040
-\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143
-\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040
-\055\040\107\063\060\202\001\042\060\015\006\011\052\206\110\206
-\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012
-\002\202\001\001\000\313\272\234\122\374\170\037\032\036\157\033
-\067\163\275\370\311\153\224\022\060\117\360\066\107\365\320\221
-\012\365\027\310\245\141\301\026\100\115\373\212\141\220\345\166
-\040\301\021\006\175\253\054\156\246\365\021\101\216\372\055\255
-\052\141\131\244\147\046\114\320\350\274\122\133\160\040\004\130
-\321\172\311\244\151\274\203\027\144\255\005\213\274\320\130\316
-\215\214\365\353\360\102\111\013\235\227\047\147\062\156\341\256
-\223\025\034\160\274\040\115\057\030\336\222\210\350\154\205\127
-\021\032\351\176\343\046\021\124\242\105\226\125\203\312\060\211
-\350\334\330\243\355\052\200\077\177\171\145\127\076\025\040\146
-\010\057\225\223\277\252\107\057\250\106\227\360\022\342\376\302
-\012\053\121\346\166\346\267\106\267\342\015\246\314\250\303\114
-\131\125\211\346\350\123\134\034\352\235\360\142\026\013\247\311
-\137\014\360\336\302\166\316\257\367\152\362\372\101\246\242\063
-\024\311\345\172\143\323\236\142\067\325\205\145\236\016\346\123
-\044\164\033\136\035\022\123\133\307\054\347\203\111\073\025\256
-\212\150\271\127\227\002\003\001\000\001\060\015\006\011\052\206
-\110\206\367\015\001\001\005\005\000\003\202\001\001\000\021\024
-\226\301\253\222\010\367\077\057\311\262\376\344\132\237\144\336
-\333\041\117\206\231\064\166\066\127\335\320\025\057\305\255\177
-\025\037\067\142\163\076\324\347\137\316\027\003\333\065\372\053
-\333\256\140\011\137\036\137\217\156\273\013\075\352\132\023\036
-\014\140\157\265\300\265\043\042\056\007\013\313\251\164\313\107
-\273\035\301\327\245\153\314\057\322\102\375\111\335\247\211\317
-\123\272\332\000\132\050\277\202\337\370\272\023\035\120\206\202
-\375\216\060\217\051\106\260\036\075\065\332\070\142\026\030\112
-\255\346\266\121\154\336\257\142\353\001\320\036\044\376\172\217
-\022\032\022\150\270\373\146\231\024\024\105\134\256\347\256\151
-\027\201\053\132\067\311\136\052\364\306\342\241\134\124\233\246
-\124\000\317\360\361\301\307\230\060\032\073\066\026\333\243\156
-\352\375\255\262\302\332\357\002\107\023\212\300\361\263\061\255
-\117\034\341\117\234\257\017\014\235\367\170\015\330\364\065\126
-\200\332\267\155\027\217\235\036\201\144\341\376\305\105\272\255
-\153\271\012\172\116\117\113\204\356\113\361\175\335\021
-END
-
-# Trust for Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 3 Public Primary Certification Authority - G3"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\023\055\015\105\123\113\151\227\315\262\325\303\071\342\125\166
-\140\233\134\306
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\315\150\266\247\307\304\316\165\340\035\117\127\104\141\222\011
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
-\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
-\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
-\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145
-\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
-\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
-\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
-\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
-\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
-\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
-\165\164\150\157\162\151\164\171\040\055\040\107\063
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\021\000\233\176\006\111\243\076\142\271\325\356\220\110\161
-\051\357\127
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Verisign Class 4 Public Primary Certification Authority - G3"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 4 Public Primary Certification Authority - G3"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
-\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
-\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
-\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145
-\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
-\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
-\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
-\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
-\064\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
-\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
-\165\164\150\157\162\151\164\171\040\055\040\107\063
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
-\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
-\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
-\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145
-\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
-\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
-\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
-\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
-\064\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
-\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
-\165\164\150\157\162\151\164\171\040\055\040\107\063
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\021\000\354\240\247\213\156\165\152\001\317\304\174\314\057
-\224\136\327
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\032\060\202\003\002\002\021\000\354\240\247\213\156
-\165\152\001\317\304\174\314\057\224\136\327\060\015\006\011\052
-\206\110\206\367\015\001\001\005\005\000\060\201\312\061\013\060
-\011\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003
-\125\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111
-\156\143\056\061\037\060\035\006\003\125\004\013\023\026\126\145
-\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
-\167\157\162\153\061\072\060\070\006\003\125\004\013\023\061\050
-\143\051\040\061\071\071\071\040\126\145\162\151\123\151\147\156
-\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165\164
-\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171
-\061\105\060\103\006\003\125\004\003\023\074\126\145\162\151\123
-\151\147\156\040\103\154\141\163\163\040\064\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\063\060\036\027\015\071\071\061\060\060
-\061\060\060\060\060\060\060\132\027\015\063\066\060\067\061\066
-\062\063\065\071\065\071\132\060\201\312\061\013\060\011\006\003
-\125\004\006\023\002\125\123\061\027\060\025\006\003\125\004\012
-\023\016\126\145\162\151\123\151\147\156\054\040\111\156\143\056
-\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151\123
-\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157\162
-\153\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040
-\061\071\071\071\040\126\145\162\151\123\151\147\156\054\040\111
-\156\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162
-\151\172\145\144\040\165\163\145\040\157\156\154\171\061\105\060
-\103\006\003\125\004\003\023\074\126\145\162\151\123\151\147\156
-\040\103\154\141\163\163\040\064\040\120\165\142\154\151\143\040
-\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143
-\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040
-\055\040\107\063\060\202\001\042\060\015\006\011\052\206\110\206
-\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012
-\002\202\001\001\000\255\313\245\021\151\306\131\253\361\217\265
-\031\017\126\316\314\265\037\040\344\236\046\045\113\340\163\145
-\211\131\336\320\203\344\365\017\265\273\255\361\174\350\041\374
-\344\350\014\356\174\105\042\031\166\222\264\023\267\040\133\011
-\372\141\256\250\362\245\215\205\302\052\326\336\146\066\322\233
-\002\364\250\222\140\174\234\151\264\217\044\036\320\206\122\366
-\062\234\101\130\036\042\275\315\105\142\225\010\156\320\146\335
-\123\242\314\360\020\334\124\163\213\004\241\106\063\063\134\027
-\100\271\236\115\323\363\276\125\203\350\261\211\216\132\174\232
-\226\042\220\073\210\045\362\322\123\210\002\014\013\170\362\346
-\067\027\113\060\106\007\344\200\155\246\330\226\056\350\054\370
-\021\263\070\015\146\246\233\352\311\043\133\333\216\342\363\023
-\216\032\131\055\252\002\360\354\244\207\146\334\301\077\365\330
-\271\364\354\202\306\322\075\225\035\345\300\117\204\311\331\243
-\104\050\006\152\327\105\254\360\153\152\357\116\137\370\021\202
-\036\070\143\064\146\120\324\076\223\163\372\060\303\146\255\377
-\223\055\227\357\003\002\003\001\000\001\060\015\006\011\052\206
-\110\206\367\015\001\001\005\005\000\003\202\001\001\000\217\372
-\045\153\117\133\344\244\116\047\125\253\042\025\131\074\312\265
-\012\324\112\333\253\335\241\137\123\305\240\127\071\302\316\107
-\053\276\072\310\126\277\302\331\047\020\072\261\005\074\300\167
-\061\273\072\323\005\173\155\232\034\060\214\200\313\223\223\052
-\203\253\005\121\202\002\000\021\147\153\363\210\141\107\137\003
-\223\325\133\015\340\361\324\241\062\065\205\262\072\333\260\202
-\253\321\313\012\274\117\214\133\305\113\000\073\037\052\202\246
-\176\066\205\334\176\074\147\000\265\344\073\122\340\250\353\135
-\025\371\306\155\360\255\035\016\205\267\251\232\163\024\132\133
-\217\101\050\300\325\350\055\115\244\136\315\252\331\355\316\334
-\330\325\074\102\035\027\301\022\135\105\070\303\070\363\374\205
-\056\203\106\110\262\327\040\137\222\066\217\347\171\017\230\136
-\231\350\360\320\244\273\365\123\275\052\316\131\260\257\156\177
-\154\273\322\036\000\260\041\355\370\101\142\202\271\330\262\304
-\273\106\120\363\061\305\217\001\250\164\353\365\170\047\332\347
-\367\146\103\363\236\203\076\040\252\303\065\140\221\316
-END
-
-# Trust for Certificate "Verisign Class 4 Public Primary Certification Authority - G3"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 4 Public Primary Certification Authority - G3"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\310\354\214\207\222\151\313\113\253\071\351\215\176\127\147\363
-\024\225\163\235
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\333\310\362\047\056\261\352\152\051\043\135\376\126\076\063\337
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
-\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
-\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
-\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145
-\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
-\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
-\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
-\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
-\064\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
-\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
-\165\164\150\157\162\151\164\171\040\055\040\107\063
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\021\000\354\240\247\213\156\165\152\001\317\304\174\314\057
-\224\136\327
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_TRUE
-
-#
-# Certificate "Entrust.net Secure Server CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Entrust.net Secure Server CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\303\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165
-\163\164\056\156\145\164\061\073\060\071\006\003\125\004\013\023
-\062\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164
-\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040
-\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151\141
-\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050\143
-\051\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156
-\145\164\040\114\151\155\151\164\145\144\061\072\060\070\006\003
-\125\004\003\023\061\105\156\164\162\165\163\164\056\156\145\164
-\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103
-\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
-\150\157\162\151\164\171
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\303\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165
-\163\164\056\156\145\164\061\073\060\071\006\003\125\004\013\023
-\062\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164
-\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040
-\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151\141
-\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050\143
-\051\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156
-\145\164\040\114\151\155\151\164\145\144\061\072\060\070\006\003
-\125\004\003\023\061\105\156\164\162\165\163\164\056\156\145\164
-\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103
-\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
-\150\157\162\151\164\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\067\112\322\103
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\330\060\202\004\101\240\003\002\001\002\002\004\067
-\112\322\103\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\060\201\303\061\013\060\011\006\003\125\004\006\023\002
-\125\123\061\024\060\022\006\003\125\004\012\023\013\105\156\164
-\162\165\163\164\056\156\145\164\061\073\060\071\006\003\125\004
-\013\023\062\167\167\167\056\145\156\164\162\165\163\164\056\156
-\145\164\057\103\120\123\040\151\156\143\157\162\160\056\040\142
-\171\040\162\145\146\056\040\050\154\151\155\151\164\163\040\154
-\151\141\142\056\051\061\045\060\043\006\003\125\004\013\023\034
-\050\143\051\040\061\071\071\071\040\105\156\164\162\165\163\164
-\056\156\145\164\040\114\151\155\151\164\145\144\061\072\060\070
-\006\003\125\004\003\023\061\105\156\164\162\165\163\164\056\156
-\145\164\040\123\145\143\165\162\145\040\123\145\162\166\145\162
-\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
-\165\164\150\157\162\151\164\171\060\036\027\015\071\071\060\065
-\062\065\061\066\060\071\064\060\132\027\015\061\071\060\065\062
-\065\061\066\063\071\064\060\132\060\201\303\061\013\060\011\006
-\003\125\004\006\023\002\125\123\061\024\060\022\006\003\125\004
-\012\023\013\105\156\164\162\165\163\164\056\156\145\164\061\073
-\060\071\006\003\125\004\013\023\062\167\167\167\056\145\156\164
-\162\165\163\164\056\156\145\164\057\103\120\123\040\151\156\143
-\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151
-\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006
-\003\125\004\013\023\034\050\143\051\040\061\071\071\071\040\105
-\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164
-\145\144\061\072\060\070\006\003\125\004\003\023\061\105\156\164
-\162\165\163\164\056\156\145\164\040\123\145\143\165\162\145\040
-\123\145\162\166\145\162\040\103\145\162\164\151\146\151\143\141
-\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060\201
-\235\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000
-\003\201\213\000\060\201\207\002\201\201\000\315\050\203\064\124
-\033\211\363\017\257\067\221\061\377\257\061\140\311\250\350\262
-\020\150\355\237\347\223\066\361\012\144\273\107\365\004\027\077
-\043\107\115\305\047\031\201\046\014\124\162\015\210\055\331\037
-\232\022\237\274\263\161\323\200\031\077\107\146\173\214\065\050
-\322\271\012\337\044\332\234\326\120\171\201\172\132\323\067\367
-\302\112\330\051\222\046\144\321\344\230\154\072\000\212\365\064
-\233\145\370\355\343\020\377\375\270\111\130\334\240\336\202\071
-\153\201\261\026\031\141\271\124\266\346\103\002\001\003\243\202
-\001\327\060\202\001\323\060\021\006\011\140\206\110\001\206\370
-\102\001\001\004\004\003\002\000\007\060\202\001\031\006\003\125
-\035\037\004\202\001\020\060\202\001\014\060\201\336\240\201\333
-\240\201\330\244\201\325\060\201\322\061\013\060\011\006\003\125
-\004\006\023\002\125\123\061\024\060\022\006\003\125\004\012\023
-\013\105\156\164\162\165\163\164\056\156\145\164\061\073\060\071
-\006\003\125\004\013\023\062\167\167\167\056\145\156\164\162\165
-\163\164\056\156\145\164\057\103\120\123\040\151\156\143\157\162
-\160\056\040\142\171\040\162\145\146\056\040\050\154\151\155\151
-\164\163\040\154\151\141\142\056\051\061\045\060\043\006\003\125
-\004\013\023\034\050\143\051\040\061\071\071\071\040\105\156\164
-\162\165\163\164\056\156\145\164\040\114\151\155\151\164\145\144
-\061\072\060\070\006\003\125\004\003\023\061\105\156\164\162\165
-\163\164\056\156\145\164\040\123\145\143\165\162\145\040\123\145
-\162\166\145\162\040\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\101\165\164\150\157\162\151\164\171\061\015\060\013
-\006\003\125\004\003\023\004\103\122\114\061\060\051\240\047\240
-\045\206\043\150\164\164\160\072\057\057\167\167\167\056\145\156
-\164\162\165\163\164\056\156\145\164\057\103\122\114\057\156\145
-\164\061\056\143\162\154\060\053\006\003\125\035\020\004\044\060
-\042\200\017\061\071\071\071\060\065\062\065\061\066\060\071\064
-\060\132\201\017\062\060\061\071\060\065\062\065\061\066\060\071
-\064\060\132\060\013\006\003\125\035\017\004\004\003\002\001\006
-\060\037\006\003\125\035\043\004\030\060\026\200\024\360\027\142
-\023\125\075\263\377\012\000\153\373\120\204\227\363\355\142\320
-\032\060\035\006\003\125\035\016\004\026\004\024\360\027\142\023
-\125\075\263\377\012\000\153\373\120\204\227\363\355\142\320\032
-\060\014\006\003\125\035\023\004\005\060\003\001\001\377\060\031
-\006\011\052\206\110\206\366\175\007\101\000\004\014\060\012\033
-\004\126\064\056\060\003\002\004\220\060\015\006\011\052\206\110
-\206\367\015\001\001\005\005\000\003\201\201\000\220\334\060\002
-\372\144\164\302\247\012\245\174\041\215\064\027\250\373\107\016
-\377\045\174\215\023\012\373\344\230\265\357\214\370\305\020\015
-\367\222\276\361\303\325\325\225\152\004\273\054\316\046\066\145
-\310\061\306\347\356\077\343\127\165\204\172\021\357\106\117\030
-\364\323\230\273\250\207\062\272\162\366\074\342\075\237\327\035
-\331\303\140\103\214\130\016\042\226\057\142\243\054\037\272\255
-\005\357\253\062\170\207\240\124\163\031\265\134\005\371\122\076
-\155\055\105\013\367\012\223\352\355\006\371\262
-END
-
-# Trust for Certificate "Entrust.net Secure Server CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Entrust.net Secure Server CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\231\246\233\346\032\376\210\153\115\053\202\000\174\270\124\374
-\061\176\025\071
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\337\362\200\163\314\361\346\141\163\374\365\102\351\305\174\356
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\303\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165
-\163\164\056\156\145\164\061\073\060\071\006\003\125\004\013\023
-\062\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164
-\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040
-\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151\141
-\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050\143
-\051\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156
-\145\164\040\114\151\155\151\164\145\144\061\072\060\070\006\003
-\125\004\003\023\061\105\156\164\162\165\163\164\056\156\145\164
-\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103
-\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
-\150\157\162\151\164\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\067\112\322\103
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Entrust.net Secure Personal CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Entrust.net Secure Personal CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\311\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165
-\163\164\056\156\145\164\061\110\060\106\006\003\125\004\013\024
-\077\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164
-\057\103\154\151\145\156\164\137\103\101\137\111\156\146\157\057
-\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040\162
-\145\146\056\040\154\151\155\151\164\163\040\154\151\141\142\056
-\061\045\060\043\006\003\125\004\013\023\034\050\143\051\040\061
-\071\071\071\040\105\156\164\162\165\163\164\056\156\145\164\040
-\114\151\155\151\164\145\144\061\063\060\061\006\003\125\004\003
-\023\052\105\156\164\162\165\163\164\056\156\145\164\040\103\154
-\151\145\156\164\040\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\101\165\164\150\157\162\151\164\171
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\311\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165
-\163\164\056\156\145\164\061\110\060\106\006\003\125\004\013\024
-\077\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164
-\057\103\154\151\145\156\164\137\103\101\137\111\156\146\157\057
-\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040\162
-\145\146\056\040\154\151\155\151\164\163\040\154\151\141\142\056
-\061\045\060\043\006\003\125\004\013\023\034\050\143\051\040\061
-\071\071\071\040\105\156\164\162\165\163\164\056\156\145\164\040
-\114\151\155\151\164\145\144\061\063\060\061\006\003\125\004\003
-\023\052\105\156\164\162\165\163\164\056\156\145\164\040\103\154
-\151\145\156\164\040\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\101\165\164\150\157\162\151\164\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\070\003\221\356
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\355\060\202\004\126\240\003\002\001\002\002\004\070
-\003\221\356\060\015\006\011\052\206\110\206\367\015\001\001\004
-\005\000\060\201\311\061\013\060\011\006\003\125\004\006\023\002
-\125\123\061\024\060\022\006\003\125\004\012\023\013\105\156\164
-\162\165\163\164\056\156\145\164\061\110\060\106\006\003\125\004
-\013\024\077\167\167\167\056\145\156\164\162\165\163\164\056\156
-\145\164\057\103\154\151\145\156\164\137\103\101\137\111\156\146
-\157\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171
-\040\162\145\146\056\040\154\151\155\151\164\163\040\154\151\141
-\142\056\061\045\060\043\006\003\125\004\013\023\034\050\143\051
-\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156\145
-\164\040\114\151\155\151\164\145\144\061\063\060\061\006\003\125
-\004\003\023\052\105\156\164\162\165\163\164\056\156\145\164\040
-\103\154\151\145\156\164\040\103\145\162\164\151\146\151\143\141
-\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060\036
-\027\015\071\071\061\060\061\062\061\071\062\064\063\060\132\027
-\015\061\071\061\060\061\062\061\071\065\064\063\060\132\060\201
-\311\061\013\060\011\006\003\125\004\006\023\002\125\123\061\024
-\060\022\006\003\125\004\012\023\013\105\156\164\162\165\163\164
-\056\156\145\164\061\110\060\106\006\003\125\004\013\024\077\167
-\167\167\056\145\156\164\162\165\163\164\056\156\145\164\057\103
-\154\151\145\156\164\137\103\101\137\111\156\146\157\057\103\120
-\123\040\151\156\143\157\162\160\056\040\142\171\040\162\145\146
-\056\040\154\151\155\151\164\163\040\154\151\141\142\056\061\045
-\060\043\006\003\125\004\013\023\034\050\143\051\040\061\071\071
-\071\040\105\156\164\162\165\163\164\056\156\145\164\040\114\151
-\155\151\164\145\144\061\063\060\061\006\003\125\004\003\023\052
-\105\156\164\162\165\163\164\056\156\145\164\040\103\154\151\145
-\156\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156
-\040\101\165\164\150\157\162\151\164\171\060\201\235\060\015\006
-\011\052\206\110\206\367\015\001\001\001\005\000\003\201\213\000
-\060\201\207\002\201\201\000\310\072\231\136\061\027\337\254\047
-\157\220\173\344\031\377\105\243\064\302\333\301\250\117\360\150
-\352\204\375\237\165\171\317\301\212\121\224\257\307\127\003\107
-\144\236\255\202\033\132\332\177\067\170\107\273\067\230\022\226
-\316\306\023\175\357\322\014\060\121\251\071\236\125\370\373\261
-\347\060\336\203\262\272\076\361\325\211\073\073\205\272\252\164
-\054\376\077\061\156\257\221\225\156\006\324\007\115\113\054\126
-\107\030\004\122\332\016\020\223\277\143\220\233\341\337\214\346
-\002\244\346\117\136\367\213\002\001\003\243\202\001\340\060\202
-\001\334\060\021\006\011\140\206\110\001\206\370\102\001\001\004
-\004\003\002\000\007\060\202\001\042\006\003\125\035\037\004\202
-\001\031\060\202\001\025\060\201\344\240\201\341\240\201\336\244
-\201\333\060\201\330\061\013\060\011\006\003\125\004\006\023\002
-\125\123\061\024\060\022\006\003\125\004\012\023\013\105\156\164
-\162\165\163\164\056\156\145\164\061\110\060\106\006\003\125\004
-\013\024\077\167\167\167\056\145\156\164\162\165\163\164\056\156
-\145\164\057\103\154\151\145\156\164\137\103\101\137\111\156\146
-\157\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171
-\040\162\145\146\056\040\154\151\155\151\164\163\040\154\151\141
-\142\056\061\045\060\043\006\003\125\004\013\023\034\050\143\051
-\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156\145
-\164\040\114\151\155\151\164\145\144\061\063\060\061\006\003\125
-\004\003\023\052\105\156\164\162\165\163\164\056\156\145\164\040
-\103\154\151\145\156\164\040\103\145\162\164\151\146\151\143\141
-\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061\015
-\060\013\006\003\125\004\003\023\004\103\122\114\061\060\054\240
-\052\240\050\206\046\150\164\164\160\072\057\057\167\167\167\056
-\145\156\164\162\165\163\164\056\156\145\164\057\103\122\114\057
-\103\154\151\145\156\164\061\056\143\162\154\060\053\006\003\125
-\035\020\004\044\060\042\200\017\061\071\071\071\061\060\061\062
-\061\071\062\064\063\060\132\201\017\062\060\061\071\061\060\061
-\062\061\071\062\064\063\060\132\060\013\006\003\125\035\017\004
-\004\003\002\001\006\060\037\006\003\125\035\043\004\030\060\026
-\200\024\304\373\234\051\173\227\315\114\226\374\356\133\263\312
-\231\164\213\225\352\114\060\035\006\003\125\035\016\004\026\004
-\024\304\373\234\051\173\227\315\114\226\374\356\133\263\312\231
-\164\213\225\352\114\060\014\006\003\125\035\023\004\005\060\003
-\001\001\377\060\031\006\011\052\206\110\206\366\175\007\101\000
-\004\014\060\012\033\004\126\064\056\060\003\002\004\220\060\015
-\006\011\052\206\110\206\367\015\001\001\004\005\000\003\201\201
-\000\077\256\212\361\327\146\003\005\236\076\372\352\034\106\273
-\244\133\217\170\232\022\110\231\371\364\065\336\014\066\007\002
-\153\020\072\211\024\201\234\061\246\174\262\101\262\152\347\007
-\001\241\113\371\237\045\073\226\312\231\303\076\241\121\034\363
-\303\056\104\367\260\147\106\252\222\345\073\332\034\031\024\070
-\060\325\342\242\061\045\056\361\354\105\070\355\370\006\130\003
-\163\142\260\020\061\217\100\277\144\340\134\076\305\117\037\332
-\022\103\377\114\346\006\046\250\233\031\252\104\074\166\262\134
-\354
-END
-
-# Trust for Certificate "Entrust.net Secure Personal CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Entrust.net Secure Personal CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\332\171\301\161\021\120\302\064\071\252\053\013\014\142\375\125
-\262\371\365\200
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\014\101\057\023\133\240\124\365\226\146\055\176\315\016\003\364
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\311\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165
-\163\164\056\156\145\164\061\110\060\106\006\003\125\004\013\024
-\077\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164
-\057\103\154\151\145\156\164\137\103\101\137\111\156\146\157\057
-\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040\162
-\145\146\056\040\154\151\155\151\164\163\040\154\151\141\142\056
-\061\045\060\043\006\003\125\004\013\023\034\050\143\051\040\061
-\071\071\071\040\105\156\164\162\165\163\164\056\156\145\164\040
-\114\151\155\151\164\145\144\061\063\060\061\006\003\125\004\003
-\023\052\105\156\164\162\165\163\164\056\156\145\164\040\103\154
-\151\145\156\164\040\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\101\165\164\150\157\162\151\164\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\070\003\221\356
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Entrust.net Premium 2048 Secure Server CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Entrust.net Premium 2048 Secure Server CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\264\061\024\060\022\006\003\125\004\012\023\013\105\156
-\164\162\165\163\164\056\156\145\164\061\100\060\076\006\003\125
-\004\013\024\067\167\167\167\056\145\156\164\162\165\163\164\056
-\156\145\164\057\103\120\123\137\062\060\064\070\040\151\156\143
-\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151
-\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006
-\003\125\004\013\023\034\050\143\051\040\061\071\071\071\040\105
-\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164
-\145\144\061\063\060\061\006\003\125\004\003\023\052\105\156\164
-\162\165\163\164\056\156\145\164\040\103\145\162\164\151\146\151
-\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
-\040\050\062\060\064\070\051
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\264\061\024\060\022\006\003\125\004\012\023\013\105\156
-\164\162\165\163\164\056\156\145\164\061\100\060\076\006\003\125
-\004\013\024\067\167\167\167\056\145\156\164\162\165\163\164\056
-\156\145\164\057\103\120\123\137\062\060\064\070\040\151\156\143
-\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151
-\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006
-\003\125\004\013\023\034\050\143\051\040\061\071\071\071\040\105
-\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164
-\145\144\061\063\060\061\006\003\125\004\003\023\052\105\156\164
-\162\165\163\164\056\156\145\164\040\103\145\162\164\151\146\151
-\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
-\040\050\062\060\064\070\051
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\070\143\271\146
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\134\060\202\003\104\240\003\002\001\002\002\004\070
-\143\271\146\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\060\201\264\061\024\060\022\006\003\125\004\012\023\013
-\105\156\164\162\165\163\164\056\156\145\164\061\100\060\076\006
-\003\125\004\013\024\067\167\167\167\056\145\156\164\162\165\163
-\164\056\156\145\164\057\103\120\123\137\062\060\064\070\040\151
-\156\143\157\162\160\056\040\142\171\040\162\145\146\056\040\050
-\154\151\155\151\164\163\040\154\151\141\142\056\051\061\045\060
-\043\006\003\125\004\013\023\034\050\143\051\040\061\071\071\071
-\040\105\156\164\162\165\163\164\056\156\145\164\040\114\151\155
-\151\164\145\144\061\063\060\061\006\003\125\004\003\023\052\105
-\156\164\162\165\163\164\056\156\145\164\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\050\062\060\064\070\051\060\036\027\015\071\071\061
-\062\062\064\061\067\065\060\065\061\132\027\015\061\071\061\062
-\062\064\061\070\062\060\065\061\132\060\201\264\061\024\060\022
-\006\003\125\004\012\023\013\105\156\164\162\165\163\164\056\156
-\145\164\061\100\060\076\006\003\125\004\013\024\067\167\167\167
-\056\145\156\164\162\165\163\164\056\156\145\164\057\103\120\123
-\137\062\060\064\070\040\151\156\143\157\162\160\056\040\142\171
-\040\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151
-\141\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050
-\143\051\040\061\071\071\071\040\105\156\164\162\165\163\164\056
-\156\145\164\040\114\151\155\151\164\145\144\061\063\060\061\006
-\003\125\004\003\023\052\105\156\164\162\165\163\164\056\156\145
-\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\040\050\062\060\064\070\051
-\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001
-\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001
-\000\255\115\113\251\022\206\262\352\243\040\007\025\026\144\052
-\053\113\321\277\013\112\115\216\355\200\166\245\147\267\170\100
-\300\163\102\310\150\300\333\123\053\335\136\270\166\230\065\223
-\213\032\235\174\023\072\016\037\133\267\036\317\345\044\024\036
-\261\201\251\215\175\270\314\153\113\003\361\002\014\334\253\245
-\100\044\000\177\164\224\241\235\010\051\263\210\013\365\207\167
-\235\125\315\344\303\176\327\152\144\253\205\024\206\225\133\227
-\062\120\157\075\310\272\146\014\343\374\275\270\111\301\166\211
-\111\031\375\300\250\275\211\243\147\057\306\237\274\161\031\140
-\270\055\351\054\311\220\166\146\173\224\342\257\170\326\145\123
-\135\074\326\234\262\317\051\003\371\057\244\120\262\324\110\316
-\005\062\125\212\375\262\144\114\016\344\230\007\165\333\177\337
-\271\010\125\140\205\060\051\371\173\110\244\151\206\343\065\077
-\036\206\135\172\172\025\275\357\000\216\025\042\124\027\000\220
-\046\223\274\016\111\150\221\277\370\107\323\235\225\102\301\016
-\115\337\157\046\317\303\030\041\142\146\103\160\326\325\300\007
-\341\002\003\001\000\001\243\164\060\162\060\021\006\011\140\206
-\110\001\206\370\102\001\001\004\004\003\002\000\007\060\037\006
-\003\125\035\043\004\030\060\026\200\024\125\344\201\321\021\200
-\276\330\211\271\010\243\061\371\241\044\011\026\271\160\060\035
-\006\003\125\035\016\004\026\004\024\125\344\201\321\021\200\276
-\330\211\271\010\243\061\371\241\044\011\026\271\160\060\035\006
-\011\052\206\110\206\366\175\007\101\000\004\020\060\016\033\010
-\126\065\056\060\072\064\056\060\003\002\004\220\060\015\006\011
-\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001\000
-\131\107\254\041\204\212\027\311\234\211\123\036\272\200\205\032
-\306\074\116\076\261\234\266\174\306\222\135\030\144\002\343\323
-\006\010\021\141\174\143\343\053\235\061\003\160\166\322\243\050
-\240\364\273\232\143\163\355\155\345\052\333\355\024\251\053\306
-\066\021\320\053\353\007\213\245\332\236\134\031\235\126\022\365
-\124\051\310\005\355\262\022\052\215\364\003\033\377\347\222\020
-\207\260\072\265\303\235\005\067\022\243\307\364\025\271\325\244
-\071\026\233\123\072\043\221\361\250\202\242\152\210\150\301\171
-\002\042\274\252\246\326\256\337\260\024\137\270\207\320\335\174
-\177\173\377\257\034\317\346\333\007\255\136\333\205\235\320\053
-\015\063\333\004\321\346\111\100\023\053\166\373\076\351\234\211
-\017\025\316\030\260\205\170\041\117\153\117\016\372\066\147\315
-\007\362\377\010\320\342\336\331\277\052\257\270\207\206\041\074
-\004\312\267\224\150\177\317\074\351\230\327\070\377\354\300\331
-\120\360\056\113\130\256\106\157\320\056\303\140\332\162\125\162
-\275\114\105\236\141\272\277\204\201\222\003\321\322\151\174\305
-END
-
-# Trust for Certificate "Entrust.net Premium 2048 Secure Server CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Entrust.net Premium 2048 Secure Server CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\200\035\142\320\173\104\235\134\134\003\134\230\352\141\372\104
-\074\052\130\376
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\272\041\352\040\326\335\333\217\301\127\213\100\255\241\374\374
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\264\061\024\060\022\006\003\125\004\012\023\013\105\156
-\164\162\165\163\164\056\156\145\164\061\100\060\076\006\003\125
-\004\013\024\067\167\167\167\056\145\156\164\162\165\163\164\056
-\156\145\164\057\103\120\123\137\062\060\064\070\040\151\156\143
-\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151
-\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006
-\003\125\004\013\023\034\050\143\051\040\061\071\071\071\040\105
-\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164
-\145\144\061\063\060\061\006\003\125\004\003\023\052\105\156\164
-\162\165\163\164\056\156\145\164\040\103\145\162\164\151\146\151
-\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
-\040\050\062\060\064\070\051
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\070\143\271\146
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Baltimore CyberTrust Root"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Baltimore CyberTrust Root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\132\061\013\060\011\006\003\125\004\006\023\002\111\105\061
-\022\060\020\006\003\125\004\012\023\011\102\141\154\164\151\155
-\157\162\145\061\023\060\021\006\003\125\004\013\023\012\103\171
-\142\145\162\124\162\165\163\164\061\042\060\040\006\003\125\004
-\003\023\031\102\141\154\164\151\155\157\162\145\040\103\171\142
-\145\162\124\162\165\163\164\040\122\157\157\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\132\061\013\060\011\006\003\125\004\006\023\002\111\105\061
-\022\060\020\006\003\125\004\012\023\011\102\141\154\164\151\155
-\157\162\145\061\023\060\021\006\003\125\004\013\023\012\103\171
-\142\145\162\124\162\165\163\164\061\042\060\040\006\003\125\004
-\003\023\031\102\141\154\164\151\155\157\162\145\040\103\171\142
-\145\162\124\162\165\163\164\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\002\000\000\271
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\167\060\202\002\137\240\003\002\001\002\002\004\002
-\000\000\271\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\060\132\061\013\060\011\006\003\125\004\006\023\002\111
-\105\061\022\060\020\006\003\125\004\012\023\011\102\141\154\164
-\151\155\157\162\145\061\023\060\021\006\003\125\004\013\023\012
-\103\171\142\145\162\124\162\165\163\164\061\042\060\040\006\003
-\125\004\003\023\031\102\141\154\164\151\155\157\162\145\040\103
-\171\142\145\162\124\162\165\163\164\040\122\157\157\164\060\036
-\027\015\060\060\060\065\061\062\061\070\064\066\060\060\132\027
-\015\062\065\060\065\061\062\062\063\065\071\060\060\132\060\132
-\061\013\060\011\006\003\125\004\006\023\002\111\105\061\022\060
-\020\006\003\125\004\012\023\011\102\141\154\164\151\155\157\162
-\145\061\023\060\021\006\003\125\004\013\023\012\103\171\142\145
-\162\124\162\165\163\164\061\042\060\040\006\003\125\004\003\023
-\031\102\141\154\164\151\155\157\162\145\040\103\171\142\145\162
-\124\162\165\163\164\040\122\157\157\164\060\202\001\042\060\015
-\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001
-\017\000\060\202\001\012\002\202\001\001\000\243\004\273\042\253
-\230\075\127\350\046\162\232\265\171\324\051\342\341\350\225\200
-\261\260\343\133\216\053\051\232\144\337\241\135\355\260\011\005
-\155\333\050\056\316\142\242\142\376\264\210\332\022\353\070\353
-\041\235\300\101\053\001\122\173\210\167\323\034\217\307\272\271
-\210\265\152\011\347\163\350\021\100\247\321\314\312\142\215\055
-\345\217\013\246\120\322\250\120\303\050\352\365\253\045\207\212
-\232\226\034\251\147\270\077\014\325\367\371\122\023\057\302\033
-\325\160\160\360\217\300\022\312\006\313\232\341\331\312\063\172
-\167\326\370\354\271\361\150\104\102\110\023\322\300\302\244\256
-\136\140\376\266\246\005\374\264\335\007\131\002\324\131\030\230
-\143\365\245\143\340\220\014\175\135\262\006\172\363\205\352\353
-\324\003\256\136\204\076\137\377\025\355\151\274\371\071\066\162
-\165\317\167\122\115\363\311\220\054\271\075\345\311\043\123\077
-\037\044\230\041\134\007\231\051\275\306\072\354\347\156\206\072
-\153\227\164\143\063\275\150\030\061\360\170\215\166\277\374\236
-\216\135\052\206\247\115\220\334\047\032\071\002\003\001\000\001
-\243\105\060\103\060\035\006\003\125\035\016\004\026\004\024\345
-\235\131\060\202\107\130\314\254\372\010\124\066\206\173\072\265
-\004\115\360\060\022\006\003\125\035\023\001\001\377\004\010\060
-\006\001\001\377\002\001\003\060\016\006\003\125\035\017\001\001
-\377\004\004\003\002\001\006\060\015\006\011\052\206\110\206\367
-\015\001\001\005\005\000\003\202\001\001\000\205\014\135\216\344
-\157\121\150\102\005\240\335\273\117\047\045\204\003\275\367\144
-\375\055\327\060\343\244\020\027\353\332\051\051\266\171\077\166
-\366\031\023\043\270\020\012\371\130\244\324\141\160\275\004\141
-\152\022\212\027\325\012\275\305\274\060\174\326\351\014\045\215
-\206\100\117\354\314\243\176\070\306\067\021\117\355\335\150\061
-\216\114\322\263\001\164\356\276\165\136\007\110\032\177\160\377
-\026\134\204\300\171\205\270\005\375\177\276\145\021\243\017\300
-\002\264\370\122\067\071\004\325\251\061\172\030\277\240\052\364
-\022\231\367\243\105\202\343\074\136\365\235\236\265\310\236\174
-\056\310\244\236\116\010\024\113\155\375\160\155\153\032\143\275
-\144\346\037\267\316\360\362\237\056\273\033\267\362\120\210\163
-\222\302\342\343\026\215\232\062\002\253\216\030\335\351\020\021
-\356\176\065\253\220\257\076\060\224\172\320\063\075\247\145\017
-\365\374\216\236\142\317\107\104\054\001\135\273\035\265\062\322
-\107\322\070\056\320\376\201\334\062\152\036\265\356\074\325\374
-\347\201\035\031\303\044\102\352\143\071\251
-END
-
-# Trust for Certificate "Baltimore CyberTrust Root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Baltimore CyberTrust Root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\324\336\040\320\136\146\374\123\376\032\120\210\054\170\333\050
-\122\312\344\164
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\254\266\224\245\234\027\340\327\221\122\233\261\227\006\246\344
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\132\061\013\060\011\006\003\125\004\006\023\002\111\105\061
-\022\060\020\006\003\125\004\012\023\011\102\141\154\164\151\155
-\157\162\145\061\023\060\021\006\003\125\004\013\023\012\103\171
-\142\145\162\124\162\165\163\164\061\042\060\040\006\003\125\004
-\003\023\031\102\141\154\164\151\155\157\162\145\040\103\171\142
-\145\162\124\162\165\163\164\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\002\000\000\271
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
-
-#
-# Certificate "Equifax Secure Global eBusiness CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Equifax Secure Global eBusiness CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141
-\170\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060
-\053\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040
-\123\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102
-\165\163\151\156\145\163\163\040\103\101\055\061
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141
-\170\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060
-\053\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040
-\123\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102
-\165\163\151\156\145\163\163\040\103\101\055\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\220\060\202\001\371\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
-\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061\034
-\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141\170
-\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060\053
-\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040\123
-\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102\165
-\163\151\156\145\163\163\040\103\101\055\061\060\036\027\015\071
-\071\060\066\062\061\060\064\060\060\060\060\132\027\015\062\060
-\060\066\062\061\060\064\060\060\060\060\132\060\132\061\013\060
-\011\006\003\125\004\006\023\002\125\123\061\034\060\032\006\003
-\125\004\012\023\023\105\161\165\151\146\141\170\040\123\145\143
-\165\162\145\040\111\156\143\056\061\055\060\053\006\003\125\004
-\003\023\044\105\161\165\151\146\141\170\040\123\145\143\165\162
-\145\040\107\154\157\142\141\154\040\145\102\165\163\151\156\145
-\163\163\040\103\101\055\061\060\201\237\060\015\006\011\052\206
-\110\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211
-\002\201\201\000\272\347\027\220\002\145\261\064\125\074\111\302
-\121\325\337\247\321\067\217\321\347\201\163\101\122\140\233\235
-\241\027\046\170\255\307\261\350\046\224\062\265\336\063\215\072
-\057\333\362\232\172\132\163\230\243\134\351\373\212\163\033\134
-\347\303\277\200\154\315\251\364\326\053\300\367\371\231\252\143
-\242\261\107\002\017\324\344\121\072\022\074\154\212\132\124\204
-\160\333\301\305\220\317\162\105\313\250\131\300\315\063\235\077
-\243\226\353\205\063\041\034\076\036\076\140\156\166\234\147\205
-\305\310\303\141\002\003\001\000\001\243\146\060\144\060\021\006
-\011\140\206\110\001\206\370\102\001\001\004\004\003\002\000\007
-\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001
-\377\060\037\006\003\125\035\043\004\030\060\026\200\024\276\250
-\240\164\162\120\153\104\267\311\043\330\373\250\377\263\127\153
-\150\154\060\035\006\003\125\035\016\004\026\004\024\276\250\240
-\164\162\120\153\104\267\311\043\330\373\250\377\263\127\153\150
-\154\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000
-\003\201\201\000\060\342\001\121\252\307\352\137\332\271\320\145
-\017\060\326\076\332\015\024\111\156\221\223\047\024\061\357\304
-\367\055\105\370\354\307\277\242\101\015\043\264\222\371\031\000
-\147\275\001\257\315\340\161\374\132\317\144\304\340\226\230\320
-\243\100\342\001\212\357\047\007\361\145\001\212\104\055\006\145
-\165\122\300\206\020\040\041\137\154\153\017\154\256\011\034\257
-\362\242\030\064\304\165\244\163\034\361\215\334\357\255\371\263
-\166\264\222\277\334\225\020\036\276\313\310\073\132\204\140\031
-\126\224\251\125
-END
-
-# Trust for Certificate "Equifax Secure Global eBusiness CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Equifax Secure Global eBusiness CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\176\170\112\020\034\202\145\314\055\341\361\155\107\264\100\312
-\331\012\031\105
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\217\135\167\006\047\304\230\074\133\223\170\347\327\175\233\314
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141
-\170\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060
-\053\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040
-\123\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102
-\165\163\151\156\145\163\163\040\103\101\055\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Equifax Secure eBusiness CA 1"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Equifax Secure eBusiness CA 1"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\123\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141
-\170\040\123\145\143\165\162\145\040\111\156\143\056\061\046\060
-\044\006\003\125\004\003\023\035\105\161\165\151\146\141\170\040
-\123\145\143\165\162\145\040\145\102\165\163\151\156\145\163\163
-\040\103\101\055\061
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\123\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141
-\170\040\123\145\143\165\162\145\040\111\156\143\056\061\046\060
-\044\006\003\125\004\003\023\035\105\161\165\151\146\141\170\040
-\123\145\143\165\162\145\040\145\102\165\163\151\156\145\163\163
-\040\103\101\055\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\004
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\202\060\202\001\353\240\003\002\001\002\002\001\004
-\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
-\123\061\013\060\011\006\003\125\004\006\023\002\125\123\061\034
-\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141\170
-\040\123\145\143\165\162\145\040\111\156\143\056\061\046\060\044
-\006\003\125\004\003\023\035\105\161\165\151\146\141\170\040\123
-\145\143\165\162\145\040\145\102\165\163\151\156\145\163\163\040
-\103\101\055\061\060\036\027\015\071\071\060\066\062\061\060\064
-\060\060\060\060\132\027\015\062\060\060\066\062\061\060\064\060
-\060\060\060\132\060\123\061\013\060\011\006\003\125\004\006\023
-\002\125\123\061\034\060\032\006\003\125\004\012\023\023\105\161
-\165\151\146\141\170\040\123\145\143\165\162\145\040\111\156\143
-\056\061\046\060\044\006\003\125\004\003\023\035\105\161\165\151
-\146\141\170\040\123\145\143\165\162\145\040\145\102\165\163\151
-\156\145\163\163\040\103\101\055\061\060\201\237\060\015\006\011
-\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060
-\201\211\002\201\201\000\316\057\031\274\027\267\167\336\223\251
-\137\132\015\027\117\064\032\014\230\364\042\331\131\324\304\150
-\106\360\264\065\305\205\003\040\306\257\105\245\041\121\105\101
-\353\026\130\066\062\157\342\120\142\144\371\375\121\234\252\044
-\331\364\235\203\052\207\012\041\323\022\070\064\154\215\000\156
-\132\240\331\102\356\032\041\225\371\122\114\125\132\305\017\070
-\117\106\372\155\370\056\065\326\035\174\353\342\360\260\165\200
-\310\251\023\254\276\210\357\072\156\253\137\052\070\142\002\260
-\022\173\376\217\246\003\002\003\001\000\001\243\146\060\144\060
-\021\006\011\140\206\110\001\206\370\102\001\001\004\004\003\002
-\000\007\060\017\006\003\125\035\023\001\001\377\004\005\060\003
-\001\001\377\060\037\006\003\125\035\043\004\030\060\026\200\024
-\112\170\062\122\021\333\131\026\066\136\337\301\024\066\100\152
-\107\174\114\241\060\035\006\003\125\035\016\004\026\004\024\112
-\170\062\122\021\333\131\026\066\136\337\301\024\066\100\152\107
-\174\114\241\060\015\006\011\052\206\110\206\367\015\001\001\004
-\005\000\003\201\201\000\165\133\250\233\003\021\346\351\126\114
-\315\371\251\114\300\015\232\363\314\145\151\346\045\166\314\131
-\267\326\124\303\035\315\231\254\031\335\264\205\325\340\075\374
-\142\040\247\204\113\130\145\361\342\371\225\041\077\365\324\176
-\130\036\107\207\124\076\130\241\265\265\370\052\357\161\347\274
-\303\366\261\111\106\342\327\240\153\345\126\172\232\047\230\174
-\106\142\024\347\311\374\156\003\022\171\200\070\035\110\202\215
-\374\027\376\052\226\053\265\142\246\246\075\275\177\222\131\315
-\132\052\202\262\067\171
-END
-
-# Trust for Certificate "Equifax Secure eBusiness CA 1"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Equifax Secure eBusiness CA 1"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\332\100\030\213\221\211\243\355\356\256\332\227\376\057\235\365
-\267\321\212\101
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\144\234\357\056\104\374\306\217\122\007\320\121\163\217\313\075
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\123\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141
-\170\040\123\145\143\165\162\145\040\111\156\143\056\061\046\060
-\044\006\003\125\004\003\023\035\105\161\165\151\146\141\170\040
-\123\145\143\165\162\145\040\145\102\165\163\151\156\145\163\163
-\040\103\101\055\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\004
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Equifax Secure eBusiness CA 2"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Equifax Secure eBusiness CA 2"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\027\060\025\006\003\125\004\012\023\016\105\161\165\151\146\141
-\170\040\123\145\143\165\162\145\061\046\060\044\006\003\125\004
-\013\023\035\105\161\165\151\146\141\170\040\123\145\143\165\162
-\145\040\145\102\165\163\151\156\145\163\163\040\103\101\055\062
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\027\060\025\006\003\125\004\012\023\016\105\161\165\151\146\141
-\170\040\123\145\143\165\162\145\061\046\060\044\006\003\125\004
-\013\023\035\105\161\165\151\146\141\170\040\123\145\143\165\162
-\145\040\145\102\165\163\151\156\145\163\163\040\103\101\055\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\067\160\317\265
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\040\060\202\002\211\240\003\002\001\002\002\004\067
-\160\317\265\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\060\116\061\013\060\011\006\003\125\004\006\023\002\125
-\123\061\027\060\025\006\003\125\004\012\023\016\105\161\165\151
-\146\141\170\040\123\145\143\165\162\145\061\046\060\044\006\003
-\125\004\013\023\035\105\161\165\151\146\141\170\040\123\145\143
-\165\162\145\040\145\102\165\163\151\156\145\163\163\040\103\101
-\055\062\060\036\027\015\071\071\060\066\062\063\061\062\061\064
-\064\065\132\027\015\061\071\060\066\062\063\061\062\061\064\064
-\065\132\060\116\061\013\060\011\006\003\125\004\006\023\002\125
-\123\061\027\060\025\006\003\125\004\012\023\016\105\161\165\151
-\146\141\170\040\123\145\143\165\162\145\061\046\060\044\006\003
-\125\004\013\023\035\105\161\165\151\146\141\170\040\123\145\143
-\165\162\145\040\145\102\165\163\151\156\145\163\163\040\103\101
-\055\062\060\201\237\060\015\006\011\052\206\110\206\367\015\001
-\001\001\005\000\003\201\215\000\060\201\211\002\201\201\000\344
-\071\071\223\036\122\006\033\050\066\370\262\243\051\305\355\216
-\262\021\275\376\353\347\264\164\302\217\377\005\347\331\235\006
-\277\022\310\077\016\362\326\321\044\262\021\336\321\163\011\212
-\324\261\054\230\011\015\036\120\106\262\203\246\105\215\142\150
-\273\205\033\040\160\062\252\100\315\246\226\137\304\161\067\077
-\004\363\267\101\044\071\007\032\036\056\141\130\240\022\013\345
-\245\337\305\253\352\067\161\314\034\310\067\072\271\227\122\247
-\254\305\152\044\224\116\234\173\317\300\152\326\337\041\275\002
-\003\001\000\001\243\202\001\011\060\202\001\005\060\160\006\003
-\125\035\037\004\151\060\147\060\145\240\143\240\141\244\137\060
-\135\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027
-\060\025\006\003\125\004\012\023\016\105\161\165\151\146\141\170
-\040\123\145\143\165\162\145\061\046\060\044\006\003\125\004\013
-\023\035\105\161\165\151\146\141\170\040\123\145\143\165\162\145
-\040\145\102\165\163\151\156\145\163\163\040\103\101\055\062\061
-\015\060\013\006\003\125\004\003\023\004\103\122\114\061\060\032
-\006\003\125\035\020\004\023\060\021\201\017\062\060\061\071\060
-\066\062\063\061\062\061\064\064\065\132\060\013\006\003\125\035
-\017\004\004\003\002\001\006\060\037\006\003\125\035\043\004\030
-\060\026\200\024\120\236\013\352\257\136\271\040\110\246\120\152
-\313\375\330\040\172\247\202\166\060\035\006\003\125\035\016\004
-\026\004\024\120\236\013\352\257\136\271\040\110\246\120\152\313
-\375\330\040\172\247\202\166\060\014\006\003\125\035\023\004\005
-\060\003\001\001\377\060\032\006\011\052\206\110\206\366\175\007
-\101\000\004\015\060\013\033\005\126\063\056\060\143\003\002\006
-\300\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000
-\003\201\201\000\014\206\202\255\350\116\032\365\216\211\047\342
-\065\130\075\051\264\007\217\066\120\225\277\156\301\236\353\304
-\220\262\205\250\273\267\102\340\017\007\071\337\373\236\220\262
-\321\301\076\123\237\003\104\260\176\113\364\157\344\174\037\347
-\342\261\344\270\232\357\303\275\316\336\013\062\064\331\336\050
-\355\063\153\304\324\327\075\022\130\253\175\011\055\313\160\365
-\023\212\224\241\047\244\326\160\305\155\224\265\311\175\235\240
-\322\306\010\111\331\146\233\246\323\364\013\334\305\046\127\341
-\221\060\352\315
-END
-
-# Trust for Certificate "Equifax Secure eBusiness CA 2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Equifax Secure eBusiness CA 2"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\071\117\366\205\013\006\276\122\345\030\126\314\020\341\200\350
-\202\263\205\314
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\252\277\277\144\227\332\230\035\157\306\010\072\225\160\063\312
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\027\060\025\006\003\125\004\012\023\016\105\161\165\151\146\141
-\170\040\123\145\143\165\162\145\061\046\060\044\006\003\125\004
-\013\023\035\105\161\165\151\146\141\170\040\123\145\143\165\162
-\145\040\145\102\165\163\151\156\145\163\163\040\103\101\055\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\067\160\317\265
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-
-#
-# Certificate "Visa International Global Root 2"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Visa International Global Root 2"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
-\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
-\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
-\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
-\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157
-\164\040\062
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
-\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
-\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
-\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
-\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157
-\164\040\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\002\003\036
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\200\060\202\002\150\240\003\002\001\002\002\002\003
-\036\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000
-\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
-\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
-\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
-\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
-\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157
-\164\040\062\060\036\027\015\060\060\060\070\061\066\062\062\065
-\061\060\060\132\027\015\062\060\060\070\061\065\062\063\065\071
-\060\060\132\060\141\061\013\060\011\006\003\125\004\006\023\002
-\125\123\061\015\060\013\006\003\125\004\012\023\004\126\111\123
-\101\061\057\060\055\006\003\125\004\013\023\046\126\151\163\141
-\040\111\156\164\145\162\156\141\164\151\157\156\141\154\040\123
-\145\162\166\151\143\145\040\101\163\163\157\143\151\141\164\151
-\157\156\061\022\060\020\006\003\125\004\003\023\011\107\120\040
-\122\157\157\164\040\062\060\202\001\042\060\015\006\011\052\206
-\110\206\367\015\001\001\001\005\000\003\202\001\017\000\060\202
-\001\012\002\202\001\001\000\251\001\160\265\252\304\100\360\253
-\152\046\141\171\031\000\374\277\233\067\131\014\257\157\144\033
-\370\332\225\224\044\151\063\021\160\312\343\126\164\242\027\127
-\144\134\040\006\341\326\357\161\267\073\367\253\301\151\320\111
-\244\261\004\327\364\127\142\211\134\260\165\055\027\044\151\343
-\102\140\344\356\164\326\253\200\126\330\210\050\341\373\155\042
-\375\043\174\106\163\117\176\124\163\036\250\054\125\130\165\267
-\114\363\132\105\245\002\032\372\332\235\303\105\303\042\136\363
-\213\361\140\051\322\307\137\264\014\072\121\203\357\060\370\324
-\347\307\362\372\231\243\042\120\276\371\005\067\243\255\355\232
-\303\346\354\210\033\266\031\047\033\070\213\200\115\354\271\307
-\305\211\313\374\032\062\355\043\360\265\001\130\371\366\217\340
-\205\251\114\011\162\071\022\333\263\365\317\116\142\144\332\306
-\031\025\072\143\035\351\027\125\241\114\042\074\064\062\106\370
-\145\127\272\053\357\066\214\152\372\331\331\104\364\252\335\204
-\327\015\034\262\124\254\062\205\264\144\015\336\101\273\261\064
-\306\001\206\062\144\325\237\002\003\001\000\001\243\102\060\100
-\060\035\006\003\125\035\016\004\026\004\024\236\175\113\064\277
-\161\255\302\005\366\003\165\200\316\251\117\032\304\044\114\060
-\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377
-\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001\006
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003
-\202\001\001\000\041\245\166\024\125\371\255\047\160\217\074\364
-\325\154\310\314\012\253\243\230\013\212\006\043\305\311\141\333
-\231\007\151\065\046\061\376\307\056\204\302\231\141\324\015\351
-\175\056\023\053\174\216\205\266\205\307\113\317\065\266\054\107
-\075\316\051\057\330\157\237\211\034\144\223\277\010\275\166\320
-\220\212\224\263\177\050\133\156\254\115\063\054\355\145\334\026
-\314\342\315\256\244\075\142\222\006\225\046\277\337\271\344\040
-\246\163\152\301\276\367\224\104\326\115\157\052\013\153\030\115
-\164\020\066\150\152\132\301\152\247\335\066\051\214\270\060\213
-\117\041\077\000\056\124\060\007\072\272\212\344\303\236\312\330
-\265\330\173\316\165\105\146\007\364\155\055\330\172\312\351\211
-\212\362\043\330\057\313\156\000\066\117\373\360\057\001\314\017
-\300\042\145\364\253\342\116\141\055\003\202\175\221\026\265\060
-\325\024\336\136\307\220\374\241\374\253\020\257\134\153\160\247
-\007\357\051\206\350\262\045\307\040\377\046\335\167\357\171\104
-\024\304\275\335\073\305\003\233\167\043\354\240\354\273\132\071
-\265\314\255\006
-END
-
-# Trust for Certificate "Visa International Global Root 2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Visa International Global Root 2"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\311\015\033\352\210\075\247\321\027\276\073\171\364\041\016\032
-\130\224\247\055
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\065\110\225\066\112\124\132\162\226\216\340\144\314\357\054\214
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
-\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
-\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
-\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
-\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157
-\164\040\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\002\003\036
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "beTRUSTed Root CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "beTRUSTed Root CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\132\061\013\060\011\006\003\125\004\006\023\002\127\127\061
-\022\060\020\006\003\125\004\012\023\011\142\145\124\122\125\123
-\124\145\144\061\033\060\031\006\003\125\004\003\023\022\142\145
-\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\163
-\061\032\060\030\006\003\125\004\003\023\021\142\145\124\122\125
-\123\124\145\144\040\122\157\157\164\040\103\101
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\132\061\013\060\011\006\003\125\004\006\023\002\127\127\061
-\022\060\020\006\003\125\004\012\023\011\142\145\124\122\125\123
-\124\145\144\061\033\060\031\006\003\125\004\003\023\022\142\145
-\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\163
-\061\032\060\030\006\003\125\004\003\023\021\142\145\124\122\125
-\123\124\145\144\040\122\157\157\164\040\103\101
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\071\117\175\207
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\054\060\202\004\024\240\003\002\001\002\002\004\071
-\117\175\207\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\060\132\061\013\060\011\006\003\125\004\006\023\002\127
-\127\061\022\060\020\006\003\125\004\012\023\011\142\145\124\122
-\125\123\124\145\144\061\033\060\031\006\003\125\004\003\023\022
-\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040\103
-\101\163\061\032\060\030\006\003\125\004\003\023\021\142\145\124
-\122\125\123\124\145\144\040\122\157\157\164\040\103\101\060\036
-\027\015\060\060\060\066\062\060\061\064\062\061\060\064\132\027
-\015\061\060\060\066\062\060\061\063\062\061\060\064\132\060\132
-\061\013\060\011\006\003\125\004\006\023\002\127\127\061\022\060
-\020\006\003\125\004\012\023\011\142\145\124\122\125\123\124\145
-\144\061\033\060\031\006\003\125\004\003\023\022\142\145\124\122
-\125\123\124\145\144\040\122\157\157\164\040\103\101\163\061\032
-\060\030\006\003\125\004\003\023\021\142\145\124\122\125\123\124
-\145\144\040\122\157\157\164\040\103\101\060\202\001\042\060\015
-\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001
-\017\000\060\202\001\012\002\202\001\001\000\324\264\163\172\023
-\012\070\125\001\276\211\126\341\224\236\324\276\132\353\112\064
-\165\033\141\051\304\341\255\010\140\041\170\110\377\264\320\372
-\136\101\215\141\104\207\350\355\311\130\372\374\223\232\337\117
-\352\076\065\175\370\063\172\346\361\327\315\157\111\113\075\117
-\055\156\016\203\072\030\170\167\243\317\347\364\115\163\330\232
-\073\032\035\276\225\123\317\040\227\302\317\076\044\122\154\014
-\216\145\131\305\161\377\142\011\217\252\305\217\314\140\240\163
-\112\327\070\077\025\162\277\242\227\267\160\350\257\342\176\026
-\006\114\365\252\144\046\162\007\045\255\065\374\030\261\046\327
-\330\377\031\016\203\033\214\334\170\105\147\064\075\364\257\034
-\215\344\155\153\355\040\263\147\232\264\141\313\027\157\211\065
-\377\347\116\300\062\022\347\356\354\337\377\227\060\164\355\215
-\107\216\353\264\303\104\346\247\114\177\126\103\350\270\274\266
-\276\372\203\227\346\273\373\304\266\223\276\031\030\076\214\201
-\271\163\210\026\364\226\103\234\147\163\027\220\330\011\156\143
-\254\112\266\043\304\001\241\255\244\344\305\002\003\001\000\001
-\243\202\001\370\060\202\001\364\060\017\006\003\125\035\023\001
-\001\377\004\005\060\003\001\001\377\060\202\001\131\006\003\125
-\035\040\004\202\001\120\060\202\001\114\060\202\001\110\006\012
-\053\006\001\004\001\261\076\001\000\000\060\202\001\070\060\202
-\001\001\006\010\053\006\001\005\005\007\002\002\060\201\364\032
-\201\361\122\145\154\151\141\156\143\145\040\157\156\040\164\150
-\151\163\040\143\145\162\164\151\146\151\143\141\164\145\040\142
-\171\040\141\156\171\040\160\141\162\164\171\040\141\163\163\165
-\155\145\163\040\141\143\143\145\160\164\141\156\143\145\040\157
-\146\040\164\150\145\040\164\150\145\156\040\141\160\160\154\151
-\143\141\142\154\145\040\163\164\141\156\144\141\162\144\040\164
-\145\162\155\163\040\141\156\144\040\143\157\156\144\151\164\151
-\157\156\163\040\157\146\040\165\163\145\054\040\141\156\144\040
-\143\145\162\164\151\146\151\143\141\164\151\157\156\040\160\162
-\141\143\164\151\143\145\040\163\164\141\164\145\155\145\156\164
-\054\040\167\150\151\143\150\040\143\141\156\040\142\145\040\146
-\157\165\156\144\040\141\164\040\142\145\124\122\125\123\124\145
-\144\047\163\040\167\145\142\040\163\151\164\145\054\040\150\164
-\164\160\163\072\057\057\167\167\167\056\142\145\124\122\125\123
-\124\145\144\056\143\157\155\057\166\141\165\154\164\057\164\145
-\162\155\163\060\061\006\010\053\006\001\005\005\007\002\001\026
-\045\150\164\164\160\163\072\057\057\167\167\167\056\142\145\124
-\122\125\123\124\145\144\056\143\157\155\057\166\141\165\154\164
-\057\164\145\162\155\163\060\064\006\003\125\035\037\004\055\060
-\053\060\051\240\047\240\045\244\043\060\041\061\022\060\020\006
-\003\125\004\012\023\011\142\145\124\122\125\123\124\145\144\061
-\013\060\011\006\003\125\004\006\023\002\127\127\060\035\006\003
-\125\035\016\004\026\004\024\052\271\233\151\056\073\233\330\315
-\336\052\061\004\064\153\312\007\030\253\147\060\037\006\003\125
-\035\043\004\030\060\026\200\024\052\271\233\151\056\073\233\330
-\315\336\052\061\004\064\153\312\007\030\253\147\060\016\006\003
-\125\035\017\001\001\377\004\004\003\002\001\376\060\015\006\011
-\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001\000
-\171\141\333\243\136\156\026\261\352\166\121\371\313\025\233\313
-\151\276\346\201\153\237\050\037\145\076\335\021\205\222\324\350
-\101\277\176\063\275\043\347\361\040\277\244\264\246\031\001\306
-\214\215\065\174\145\244\117\011\244\326\330\043\025\005\023\247
-\103\171\257\333\243\016\233\173\170\032\363\004\206\132\306\366
-\214\040\107\070\111\120\006\235\162\147\072\360\230\003\255\226
-\147\104\374\077\020\015\206\115\344\000\073\051\173\316\073\073
-\231\206\141\045\100\204\334\023\142\267\372\312\131\326\003\036
-\326\123\001\315\155\114\150\125\100\341\356\153\307\052\000\000
-\110\202\263\012\001\303\140\052\014\367\202\065\356\110\206\226
-\344\164\324\075\352\001\161\272\004\165\100\247\251\177\071\071
-\232\125\227\051\145\256\031\125\045\005\162\107\323\350\030\334
-\270\351\257\103\163\001\022\164\243\341\134\137\025\135\044\363
-\371\344\364\266\147\147\022\347\144\042\212\366\245\101\246\034
-\266\140\143\105\212\020\264\272\106\020\256\101\127\145\154\077
-\043\020\077\041\020\131\267\344\100\335\046\014\043\366\252\256
-END
-
-# Trust for Certificate "beTRUSTed Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "beTRUSTed Root CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\133\315\315\314\146\366\334\344\104\037\343\175\134\303\023\114
-\106\364\160\070
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\205\312\166\132\033\321\150\042\334\242\043\022\312\306\200\064
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\132\061\013\060\011\006\003\125\004\006\023\002\127\127\061
-\022\060\020\006\003\125\004\012\023\011\142\145\124\122\125\123
-\124\145\144\061\033\060\031\006\003\125\004\003\023\022\142\145
-\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\163
-\061\032\060\030\006\003\125\004\003\023\021\142\145\124\122\125
-\123\124\145\144\040\122\157\157\164\040\103\101
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\071\117\175\207
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "AddTrust Low-Value Services Root"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "AddTrust Low-Value Services Root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\145\061\013\060\011\006\003\125\004\006\023\002\123\105\061
-\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
-\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024
-\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164
-\167\157\162\153\061\041\060\037\006\003\125\004\003\023\030\101
-\144\144\124\162\165\163\164\040\103\154\141\163\163\040\061\040
-\103\101\040\122\157\157\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\145\061\013\060\011\006\003\125\004\006\023\002\123\105\061
-\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
-\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024
-\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164
-\167\157\162\153\061\041\060\037\006\003\125\004\003\023\030\101
-\144\144\124\162\165\163\164\040\103\154\141\163\163\040\061\040
-\103\101\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\030\060\202\003\000\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\145\061\013\060\011\006\003\125\004\006\023\002\123\105\061\024
-\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165\163
-\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024\101
-\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164\167
-\157\162\153\061\041\060\037\006\003\125\004\003\023\030\101\144
-\144\124\162\165\163\164\040\103\154\141\163\163\040\061\040\103
-\101\040\122\157\157\164\060\036\027\015\060\060\060\065\063\060
-\061\060\063\070\063\061\132\027\015\062\060\060\065\063\060\061
-\060\063\070\063\061\132\060\145\061\013\060\011\006\003\125\004
-\006\023\002\123\105\061\024\060\022\006\003\125\004\012\023\013
-\101\144\144\124\162\165\163\164\040\101\102\061\035\060\033\006
-\003\125\004\013\023\024\101\144\144\124\162\165\163\164\040\124
-\124\120\040\116\145\164\167\157\162\153\061\041\060\037\006\003
-\125\004\003\023\030\101\144\144\124\162\165\163\164\040\103\154
-\141\163\163\040\061\040\103\101\040\122\157\157\164\060\202\001
-\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000
-\003\202\001\017\000\060\202\001\012\002\202\001\001\000\226\226
-\324\041\111\140\342\153\350\101\007\014\336\304\340\334\023\043
-\315\301\065\307\373\326\116\021\012\147\136\365\006\133\153\245
-\010\073\133\051\026\072\347\207\262\064\006\305\274\005\245\003
-\174\202\313\051\020\256\341\210\201\275\326\236\323\376\055\126
-\301\025\316\343\046\235\025\056\020\373\006\217\060\004\336\247
-\264\143\264\377\261\234\256\074\257\167\266\126\305\265\253\242
-\351\151\072\075\016\063\171\062\077\160\202\222\231\141\155\215
-\060\010\217\161\077\246\110\127\031\370\045\334\113\146\134\245
-\164\217\230\256\310\371\300\006\042\347\254\163\337\245\056\373
-\122\334\261\025\145\040\372\065\146\151\336\337\054\361\156\274
-\060\333\054\044\022\333\353\065\065\150\220\313\000\260\227\041
-\075\164\041\043\145\064\053\273\170\131\243\326\341\166\071\232
-\244\111\216\214\164\257\156\244\232\243\331\233\322\070\134\233
-\242\030\314\165\043\204\276\353\342\115\063\161\216\032\360\302
-\370\307\035\242\255\003\227\054\370\317\045\306\366\270\044\061
-\261\143\135\222\177\143\360\045\311\123\056\037\277\115\002\003
-\001\000\001\243\201\322\060\201\317\060\035\006\003\125\035\016
-\004\026\004\024\225\261\264\360\224\266\275\307\332\321\021\011
-\041\276\301\257\111\375\020\173\060\013\006\003\125\035\017\004
-\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377\004
-\005\060\003\001\001\377\060\201\217\006\003\125\035\043\004\201
-\207\060\201\204\200\024\225\261\264\360\224\266\275\307\332\321
-\021\011\041\276\301\257\111\375\020\173\241\151\244\147\060\145
-\061\013\060\011\006\003\125\004\006\023\002\123\105\061\024\060
-\022\006\003\125\004\012\023\013\101\144\144\124\162\165\163\164
-\040\101\102\061\035\060\033\006\003\125\004\013\023\024\101\144
-\144\124\162\165\163\164\040\124\124\120\040\116\145\164\167\157
-\162\153\061\041\060\037\006\003\125\004\003\023\030\101\144\144
-\124\162\165\163\164\040\103\154\141\163\163\040\061\040\103\101
-\040\122\157\157\164\202\001\001\060\015\006\011\052\206\110\206
-\367\015\001\001\005\005\000\003\202\001\001\000\054\155\144\033
-\037\315\015\335\271\001\372\226\143\064\062\110\107\231\256\227
-\355\375\162\026\246\163\107\132\364\353\335\351\365\326\373\105
-\314\051\211\104\135\277\106\071\075\350\356\274\115\124\206\036
-\035\154\343\027\047\103\341\211\126\053\251\157\162\116\111\063
-\343\162\174\052\043\232\274\076\377\050\052\355\243\377\034\043
-\272\103\127\011\147\115\113\142\006\055\370\377\154\235\140\036
-\330\034\113\175\265\061\057\331\320\174\135\370\336\153\203\030
-\170\067\127\057\350\063\007\147\337\036\307\153\052\225\166\256
-\217\127\243\360\364\122\264\251\123\010\317\340\117\323\172\123
-\213\375\273\034\126\066\362\376\262\266\345\166\273\325\042\145
-\247\077\376\321\146\255\013\274\153\231\206\357\077\175\363\030
-\062\312\173\306\343\253\144\106\225\370\046\151\331\125\203\173
-\054\226\007\377\131\054\104\243\306\345\351\251\334\241\143\200
-\132\041\136\041\317\123\124\360\272\157\211\333\250\252\225\317
-\213\343\161\314\036\033\040\104\010\300\172\266\100\375\304\344
-\065\341\035\026\034\320\274\053\216\326\161\331
-END
-
-# Trust for Certificate "AddTrust Low-Value Services Root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "AddTrust Low-Value Services Root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\314\253\016\240\114\043\001\326\151\173\335\067\237\315\022\353
-\044\343\224\235
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\036\102\225\002\063\222\153\271\137\300\177\332\326\262\113\374
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\145\061\013\060\011\006\003\125\004\006\023\002\123\105\061
-\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
-\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024
-\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164
-\167\157\162\153\061\041\060\037\006\003\125\004\003\023\030\101
-\144\144\124\162\165\163\164\040\103\154\141\163\163\040\061\040
-\103\101\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "AddTrust External Root"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "AddTrust External Root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\157\061\013\060\011\006\003\125\004\006\023\002\123\105\061
-\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
-\163\164\040\101\102\061\046\060\044\006\003\125\004\013\023\035
-\101\144\144\124\162\165\163\164\040\105\170\164\145\162\156\141
-\154\040\124\124\120\040\116\145\164\167\157\162\153\061\042\060
-\040\006\003\125\004\003\023\031\101\144\144\124\162\165\163\164
-\040\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157
-\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\157\061\013\060\011\006\003\125\004\006\023\002\123\105\061
-\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
-\163\164\040\101\102\061\046\060\044\006\003\125\004\013\023\035
-\101\144\144\124\162\165\163\164\040\105\170\164\145\162\156\141
-\154\040\124\124\120\040\116\145\164\167\157\162\153\061\042\060
-\040\006\003\125\004\003\023\031\101\144\144\124\162\165\163\164
-\040\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157
-\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\066\060\202\003\036\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\157\061\013\060\011\006\003\125\004\006\023\002\123\105\061\024
-\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165\163
-\164\040\101\102\061\046\060\044\006\003\125\004\013\023\035\101
-\144\144\124\162\165\163\164\040\105\170\164\145\162\156\141\154
-\040\124\124\120\040\116\145\164\167\157\162\153\061\042\060\040
-\006\003\125\004\003\023\031\101\144\144\124\162\165\163\164\040
-\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157\164
-\060\036\027\015\060\060\060\065\063\060\061\060\064\070\063\070
-\132\027\015\062\060\060\065\063\060\061\060\064\070\063\070\132
-\060\157\061\013\060\011\006\003\125\004\006\023\002\123\105\061
-\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
-\163\164\040\101\102\061\046\060\044\006\003\125\004\013\023\035
-\101\144\144\124\162\165\163\164\040\105\170\164\145\162\156\141
-\154\040\124\124\120\040\116\145\164\167\157\162\153\061\042\060
-\040\006\003\125\004\003\023\031\101\144\144\124\162\165\163\164
-\040\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157
-\164\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001
-\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001
-\001\000\267\367\032\063\346\362\000\004\055\071\340\116\133\355
-\037\274\154\017\315\265\372\043\266\316\336\233\021\063\227\244
-\051\114\175\223\237\275\112\274\223\355\003\032\343\217\317\345
-\155\120\132\326\227\051\224\132\200\260\111\172\333\056\225\375
-\270\312\277\067\070\055\036\076\221\101\255\160\126\307\360\117
-\077\350\062\236\164\312\310\220\124\351\306\137\017\170\235\232
-\100\074\016\254\141\252\136\024\217\236\207\241\152\120\334\327
-\232\116\257\005\263\246\161\224\234\161\263\120\140\012\307\023
-\235\070\007\206\002\250\351\250\151\046\030\220\253\114\260\117
-\043\253\072\117\204\330\337\316\237\341\151\157\273\327\102\327
-\153\104\344\307\255\356\155\101\137\162\132\161\010\067\263\171
-\145\244\131\240\224\067\367\000\057\015\302\222\162\332\320\070
-\162\333\024\250\105\304\135\052\175\267\264\326\304\356\254\315
-\023\104\267\311\053\335\103\000\045\372\141\271\151\152\130\043
-\021\267\247\063\217\126\165\131\365\315\051\327\106\267\012\053
-\145\266\323\102\157\025\262\270\173\373\357\351\135\123\325\064
-\132\047\002\003\001\000\001\243\201\334\060\201\331\060\035\006
-\003\125\035\016\004\026\004\024\255\275\230\172\064\264\046\367
-\372\304\046\124\357\003\275\340\044\313\124\032\060\013\006\003
-\125\035\017\004\004\003\002\001\006\060\017\006\003\125\035\023
-\001\001\377\004\005\060\003\001\001\377\060\201\231\006\003\125
-\035\043\004\201\221\060\201\216\200\024\255\275\230\172\064\264
-\046\367\372\304\046\124\357\003\275\340\044\313\124\032\241\163
-\244\161\060\157\061\013\060\011\006\003\125\004\006\023\002\123
-\105\061\024\060\022\006\003\125\004\012\023\013\101\144\144\124
-\162\165\163\164\040\101\102\061\046\060\044\006\003\125\004\013
-\023\035\101\144\144\124\162\165\163\164\040\105\170\164\145\162
-\156\141\154\040\124\124\120\040\116\145\164\167\157\162\153\061
-\042\060\040\006\003\125\004\003\023\031\101\144\144\124\162\165
-\163\164\040\105\170\164\145\162\156\141\154\040\103\101\040\122
-\157\157\164\202\001\001\060\015\006\011\052\206\110\206\367\015
-\001\001\005\005\000\003\202\001\001\000\260\233\340\205\045\302
-\326\043\342\017\226\006\222\235\101\230\234\331\204\171\201\331
-\036\133\024\007\043\066\145\217\260\330\167\273\254\101\154\107
-\140\203\121\260\371\062\075\347\374\366\046\023\307\200\026\245
-\277\132\374\207\317\170\171\211\041\232\342\114\007\012\206\065
-\274\362\336\121\304\322\226\267\334\176\116\356\160\375\034\071
-\353\014\002\121\024\055\216\275\026\340\301\337\106\165\347\044
-\255\354\364\102\264\205\223\160\020\147\272\235\006\065\112\030
-\323\053\172\314\121\102\241\172\143\321\346\273\241\305\053\302
-\066\276\023\015\346\275\143\176\171\173\247\011\015\100\253\152
-\335\217\212\303\366\366\214\032\102\005\121\324\105\365\237\247
-\142\041\150\025\040\103\074\231\347\174\275\044\330\251\221\027
-\163\210\077\126\033\061\070\030\264\161\017\232\315\310\016\236
-\216\056\033\341\214\230\203\313\037\061\361\104\114\306\004\163
-\111\166\140\017\307\370\275\027\200\153\056\351\314\114\016\132
-\232\171\017\040\012\056\325\236\143\046\036\125\222\224\330\202
-\027\132\173\320\274\307\217\116\206\004
-END
-
-# Trust for Certificate "AddTrust External Root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "AddTrust External Root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\002\372\363\342\221\103\124\150\140\170\127\151\115\365\344\133
-\150\205\030\150
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\035\065\124\004\205\170\260\077\102\102\115\277\040\163\012\077
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\157\061\013\060\011\006\003\125\004\006\023\002\123\105\061
-\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
-\163\164\040\101\102\061\046\060\044\006\003\125\004\013\023\035
-\101\144\144\124\162\165\163\164\040\105\170\164\145\162\156\141
-\154\040\124\124\120\040\116\145\164\167\157\162\153\061\042\060
-\040\006\003\125\004\003\023\031\101\144\144\124\162\165\163\164
-\040\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157
-\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "AddTrust Public Services Root"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "AddTrust Public Services Root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\144\061\013\060\011\006\003\125\004\006\023\002\123\105\061
-\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
-\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024
-\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164
-\167\157\162\153\061\040\060\036\006\003\125\004\003\023\027\101
-\144\144\124\162\165\163\164\040\120\165\142\154\151\143\040\103
-\101\040\122\157\157\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\144\061\013\060\011\006\003\125\004\006\023\002\123\105\061
-\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
-\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024
-\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164
-\167\157\162\153\061\040\060\036\006\003\125\004\003\023\027\101
-\144\144\124\162\165\163\164\040\120\165\142\154\151\143\040\103
-\101\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\025\060\202\002\375\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\144\061\013\060\011\006\003\125\004\006\023\002\123\105\061\024
-\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165\163
-\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024\101
-\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164\167
-\157\162\153\061\040\060\036\006\003\125\004\003\023\027\101\144
-\144\124\162\165\163\164\040\120\165\142\154\151\143\040\103\101
-\040\122\157\157\164\060\036\027\015\060\060\060\065\063\060\061
-\060\064\061\065\060\132\027\015\062\060\060\065\063\060\061\060
-\064\061\065\060\132\060\144\061\013\060\011\006\003\125\004\006
-\023\002\123\105\061\024\060\022\006\003\125\004\012\023\013\101
-\144\144\124\162\165\163\164\040\101\102\061\035\060\033\006\003
-\125\004\013\023\024\101\144\144\124\162\165\163\164\040\124\124
-\120\040\116\145\164\167\157\162\153\061\040\060\036\006\003\125
-\004\003\023\027\101\144\144\124\162\165\163\164\040\120\165\142
-\154\151\143\040\103\101\040\122\157\157\164\060\202\001\042\060
-\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202
-\001\017\000\060\202\001\012\002\202\001\001\000\351\032\060\217
-\203\210\024\301\040\330\074\233\217\033\176\003\164\273\332\151
-\323\106\245\370\216\302\014\021\220\121\245\057\146\124\100\125
-\352\333\037\112\126\356\237\043\156\364\071\313\241\271\157\362
-\176\371\135\207\046\141\236\034\370\342\354\246\201\370\041\305
-\044\314\021\014\077\333\046\162\172\307\001\227\007\027\371\327
-\030\054\060\175\016\172\036\142\036\306\113\300\375\175\142\167
-\323\104\036\047\366\077\113\104\263\267\070\331\071\037\140\325
-\121\222\163\003\264\000\151\343\363\024\116\356\321\334\011\317
-\167\064\106\120\260\370\021\362\376\070\171\367\007\071\376\121
-\222\227\013\133\010\137\064\206\001\255\210\227\353\146\315\136
-\321\377\334\175\362\204\332\272\167\255\334\200\010\307\247\207
-\326\125\237\227\152\350\310\021\144\272\347\031\051\077\021\263
-\170\220\204\040\122\133\021\357\170\320\203\366\325\110\220\320
-\060\034\317\200\371\140\376\171\344\210\362\335\000\353\224\105
-\353\145\224\151\100\272\300\325\264\270\272\175\004\021\250\353
-\061\005\226\224\116\130\041\216\237\320\140\375\002\003\001\000
-\001\243\201\321\060\201\316\060\035\006\003\125\035\016\004\026
-\004\024\201\076\067\330\222\260\037\167\237\134\264\253\163\252
-\347\366\064\140\057\372\060\013\006\003\125\035\017\004\004\003
-\002\001\006\060\017\006\003\125\035\023\001\001\377\004\005\060
-\003\001\001\377\060\201\216\006\003\125\035\043\004\201\206\060
-\201\203\200\024\201\076\067\330\222\260\037\167\237\134\264\253
-\163\252\347\366\064\140\057\372\241\150\244\146\060\144\061\013
-\060\011\006\003\125\004\006\023\002\123\105\061\024\060\022\006
-\003\125\004\012\023\013\101\144\144\124\162\165\163\164\040\101
-\102\061\035\060\033\006\003\125\004\013\023\024\101\144\144\124
-\162\165\163\164\040\124\124\120\040\116\145\164\167\157\162\153
-\061\040\060\036\006\003\125\004\003\023\027\101\144\144\124\162
-\165\163\164\040\120\165\142\154\151\143\040\103\101\040\122\157
-\157\164\202\001\001\060\015\006\011\052\206\110\206\367\015\001
-\001\005\005\000\003\202\001\001\000\003\367\025\112\370\044\332
-\043\126\026\223\166\335\066\050\271\256\033\270\303\361\144\272
-\040\030\170\225\051\047\127\005\274\174\052\364\271\121\125\332
-\207\002\336\017\026\027\061\370\252\171\056\011\023\273\257\262
-\040\031\022\345\223\371\113\371\203\350\104\325\262\101\045\277
-\210\165\157\377\020\374\112\124\320\137\360\372\357\066\163\175
-\033\066\105\306\041\155\264\025\270\116\317\234\134\245\075\132
-\000\216\006\343\074\153\062\173\362\237\360\266\375\337\360\050
-\030\110\360\306\274\320\277\064\200\226\302\112\261\155\216\307
-\220\105\336\057\147\254\105\004\243\172\334\125\222\311\107\146
-\330\032\214\307\355\234\116\232\340\022\273\265\152\114\204\341
-\341\042\015\207\000\144\376\214\175\142\071\145\246\357\102\266
-\200\045\022\141\001\250\044\023\160\000\021\046\137\372\065\120
-\305\110\314\006\107\350\047\330\160\215\137\144\346\241\104\046
-\136\042\354\222\315\377\102\232\104\041\155\134\305\343\042\035
-\137\107\022\347\316\137\135\372\330\252\261\063\055\331\166\362
-\116\072\063\014\053\263\055\220\006
-END
-
-# Trust for Certificate "AddTrust Public Services Root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "AddTrust Public Services Root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\052\266\050\110\136\170\373\363\255\236\171\020\335\153\337\231
-\162\054\226\345
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\301\142\076\043\305\202\163\234\003\131\113\053\351\167\111\177
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\157\061\013\060\011\006\003\125\004\006\023\002\123\105\061
-\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
-\163\164\040\101\102\061\046\060\044\006\003\125\004\013\023\035
-\101\144\144\124\162\165\163\164\040\105\170\164\145\162\156\141
-\154\040\124\124\120\040\116\145\164\167\157\162\153\061\042\060
-\040\006\003\125\004\003\023\031\101\144\144\124\162\165\163\164
-\040\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157
-\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-
-#
-# Certificate "AddTrust Qualified Certificates Root"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "AddTrust Qualified Certificates Root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\147\061\013\060\011\006\003\125\004\006\023\002\123\105\061
-\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
-\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024
-\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164
-\167\157\162\153\061\043\060\041\006\003\125\004\003\023\032\101
-\144\144\124\162\165\163\164\040\121\165\141\154\151\146\151\145
-\144\040\103\101\040\122\157\157\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\147\061\013\060\011\006\003\125\004\006\023\002\123\105\061
-\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
-\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024
-\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164
-\167\157\162\153\061\043\060\041\006\003\125\004\003\023\032\101
-\144\144\124\162\165\163\164\040\121\165\141\154\151\146\151\145
-\144\040\103\101\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\036\060\202\003\006\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\147\061\013\060\011\006\003\125\004\006\023\002\123\105\061\024
-\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165\163
-\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024\101
-\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164\167
-\157\162\153\061\043\060\041\006\003\125\004\003\023\032\101\144
-\144\124\162\165\163\164\040\121\165\141\154\151\146\151\145\144
-\040\103\101\040\122\157\157\164\060\036\027\015\060\060\060\065
-\063\060\061\060\064\064\065\060\132\027\015\062\060\060\065\063
-\060\061\060\064\064\065\060\132\060\147\061\013\060\011\006\003
-\125\004\006\023\002\123\105\061\024\060\022\006\003\125\004\012
-\023\013\101\144\144\124\162\165\163\164\040\101\102\061\035\060
-\033\006\003\125\004\013\023\024\101\144\144\124\162\165\163\164
-\040\124\124\120\040\116\145\164\167\157\162\153\061\043\060\041
-\006\003\125\004\003\023\032\101\144\144\124\162\165\163\164\040
-\121\165\141\154\151\146\151\145\144\040\103\101\040\122\157\157
-\164\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001
-\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001
-\001\000\344\036\232\376\334\011\132\207\244\237\107\276\021\137
-\257\204\064\333\142\074\171\170\267\351\060\265\354\014\034\052
-\304\026\377\340\354\161\353\212\365\021\156\355\117\015\221\322
-\022\030\055\111\025\001\302\244\042\023\307\021\144\377\042\022
-\232\271\216\134\057\010\317\161\152\263\147\001\131\361\135\106
-\363\260\170\245\366\016\102\172\343\177\033\314\320\360\267\050
-\375\052\352\236\263\260\271\004\252\375\366\307\264\261\270\052
-\240\373\130\361\031\240\157\160\045\176\076\151\112\177\017\042
-\330\357\255\010\021\232\051\231\341\252\104\105\232\022\136\076
-\235\155\122\374\347\240\075\150\057\360\113\160\174\023\070\255
-\274\025\045\361\326\316\253\242\300\061\326\057\237\340\377\024
-\131\374\204\223\331\207\174\114\124\023\353\237\321\055\021\370
-\030\072\072\336\045\331\367\323\100\355\244\006\022\304\073\341
-\221\301\126\065\360\024\334\145\066\011\156\253\244\007\307\065
-\321\302\003\063\066\133\165\046\155\102\361\022\153\103\157\113
-\161\224\372\064\035\355\023\156\312\200\177\230\057\154\271\145
-\330\351\002\003\001\000\001\243\201\324\060\201\321\060\035\006
-\003\125\035\016\004\026\004\024\071\225\213\142\213\134\311\324
-\200\272\130\017\227\077\025\010\103\314\230\247\060\013\006\003
-\125\035\017\004\004\003\002\001\006\060\017\006\003\125\035\023
-\001\001\377\004\005\060\003\001\001\377\060\201\221\006\003\125
-\035\043\004\201\211\060\201\206\200\024\071\225\213\142\213\134
-\311\324\200\272\130\017\227\077\025\010\103\314\230\247\241\153
-\244\151\060\147\061\013\060\011\006\003\125\004\006\023\002\123
-\105\061\024\060\022\006\003\125\004\012\023\013\101\144\144\124
-\162\165\163\164\040\101\102\061\035\060\033\006\003\125\004\013
-\023\024\101\144\144\124\162\165\163\164\040\124\124\120\040\116
-\145\164\167\157\162\153\061\043\060\041\006\003\125\004\003\023
-\032\101\144\144\124\162\165\163\164\040\121\165\141\154\151\146
-\151\145\144\040\103\101\040\122\157\157\164\202\001\001\060\015
-\006\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001
-\001\000\031\253\165\352\370\213\145\141\225\023\272\151\004\357
-\206\312\023\240\307\252\117\144\033\077\030\366\250\055\054\125
-\217\005\267\060\352\102\152\035\300\045\121\055\247\277\014\263
-\355\357\010\177\154\074\106\032\352\030\103\337\166\314\371\146
-\206\234\054\150\365\351\027\370\061\263\030\304\326\110\175\043
-\114\150\301\176\273\001\024\157\305\331\156\336\273\004\102\152
-\370\366\134\175\345\332\372\207\353\015\065\122\147\320\236\227
-\166\005\223\077\225\307\001\346\151\125\070\177\020\141\231\311
-\343\137\246\312\076\202\143\110\252\342\010\110\076\252\362\262
-\205\142\246\264\247\331\275\067\234\150\265\055\126\175\260\267
-\077\240\261\007\326\351\117\334\336\105\161\060\062\177\033\056
-\011\371\277\122\241\356\302\200\076\006\134\056\125\100\301\033
-\365\160\105\260\334\135\372\366\162\132\167\322\143\315\317\130
-\211\000\102\143\077\171\071\320\104\260\202\156\101\031\350\335
-\340\301\210\132\321\036\161\223\037\044\060\164\345\036\250\336
-\074\047\067\177\203\256\236\167\317\360\060\261\377\113\231\350
-\306\241
-END
-
-# Trust for Certificate "AddTrust Qualified Certificates Root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "AddTrust Qualified Certificates Root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\115\043\170\354\221\225\071\265\000\177\165\217\003\073\041\036
-\305\115\213\317
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\047\354\071\107\315\332\132\257\342\232\001\145\041\251\114\273
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\147\061\013\060\011\006\003\125\004\006\023\002\123\105\061
-\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
-\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024
-\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164
-\167\157\162\153\061\043\060\041\006\003\125\004\003\023\032\101
-\144\144\124\162\165\163\164\040\121\165\141\154\151\146\151\145
-\144\040\103\101\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Verisign Class 1 Public Primary OCSP Responder"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 1 Public Primary OCSP Responder"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\247\061\027\060\025\006\003\125\004\012\023\016\126\145
-\162\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035
-\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040
-\124\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060
-\071\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146
-\040\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057
-\167\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155
-\057\122\120\101\040\050\143\051\060\060\061\056\060\054\006\003
-\125\004\003\023\045\103\154\141\163\163\040\061\040\120\165\142
-\154\151\143\040\120\162\151\155\141\162\171\040\117\103\123\120
-\040\122\145\163\160\157\156\144\145\162
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
-\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
-\013\023\056\103\154\141\163\163\040\061\040\120\165\142\154\151
-\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\053\150\324\243\106\236\305\073\050\011\253\070\135\177
-\047\040
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\236\060\202\003\007\240\003\002\001\002\002\020\053
-\150\324\243\106\236\305\073\050\011\253\070\135\177\047\040\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\137
-\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027\060
-\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147\156
-\054\040\111\156\143\056\061\067\060\065\006\003\125\004\013\023
-\056\103\154\141\163\163\040\061\040\120\165\142\154\151\143\040
-\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143
-\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060
-\036\027\015\060\060\060\070\060\064\060\060\060\060\060\060\132
-\027\015\060\064\060\070\060\063\062\063\065\071\065\071\132\060
-\201\247\061\027\060\025\006\003\125\004\012\023\016\126\145\162
-\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035\006
-\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040\124
-\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060\071
-\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146\040
-\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057\167
-\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155\057
-\122\120\101\040\050\143\051\060\060\061\056\060\054\006\003\125
-\004\003\023\045\103\154\141\163\163\040\061\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\117\103\123\120\040
-\122\145\163\160\157\156\144\145\162\060\201\237\060\015\006\011
-\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060
-\201\211\002\201\201\000\271\355\136\172\072\167\137\316\137\072
-\122\374\315\144\367\161\265\157\152\226\306\131\222\125\224\135
-\057\133\056\301\021\352\046\212\313\247\201\074\366\132\104\336
-\172\023\057\375\132\121\331\173\067\046\112\300\047\077\004\003
-\152\126\301\203\054\341\157\133\251\124\120\044\112\306\056\172
-\114\241\133\067\124\044\041\061\037\241\170\030\166\247\261\160
-\332\042\320\152\376\007\142\100\306\367\366\233\175\014\006\270
-\113\307\050\344\146\043\204\121\357\106\267\223\330\201\063\313
-\345\066\254\306\350\005\002\003\001\000\001\243\202\001\020\060
-\202\001\014\060\040\006\003\125\035\021\004\031\060\027\244\025
-\060\023\061\021\060\017\006\003\125\004\003\023\010\117\103\123
-\120\040\061\055\061\060\061\006\003\125\035\037\004\052\060\050
-\060\046\240\044\240\042\206\040\150\164\164\160\072\057\057\143
-\162\154\056\166\145\162\151\163\151\147\156\056\143\157\155\057
-\160\143\141\061\056\143\162\154\060\023\006\003\125\035\045\004
-\014\060\012\006\010\053\006\001\005\005\007\003\011\060\102\006
-\010\053\006\001\005\005\007\001\001\004\066\060\064\060\062\006
-\010\053\006\001\005\005\007\060\001\246\046\026\044\150\164\164
-\160\072\057\057\157\143\163\160\056\166\145\162\151\163\151\147
-\156\056\143\157\155\057\157\143\163\160\057\163\164\141\164\165
-\163\060\104\006\003\125\035\040\004\075\060\073\060\071\006\013
-\140\206\110\001\206\370\105\001\007\001\001\060\052\060\050\006
-\010\053\006\001\005\005\007\002\001\026\034\150\164\164\160\163
-\072\057\057\167\167\167\056\166\145\162\151\163\151\147\156\056
-\143\157\155\057\122\120\101\060\011\006\003\125\035\023\004\002
-\060\000\060\013\006\003\125\035\017\004\004\003\002\007\200\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003\201
-\201\000\160\220\335\270\344\276\123\027\174\177\002\351\325\367
-\213\231\223\061\140\215\176\346\140\153\044\357\140\254\322\316
-\221\336\200\155\011\244\323\270\070\345\104\312\162\136\015\055
-\301\167\234\275\054\003\170\051\215\244\245\167\207\365\361\053
-\046\255\314\007\154\072\124\132\050\340\011\363\115\012\004\312
-\324\130\151\013\247\263\365\335\001\245\347\334\360\037\272\301
-\135\220\215\263\352\117\301\021\131\227\152\262\053\023\261\332
-\255\227\241\263\261\240\040\133\312\062\253\215\317\023\360\037
-\051\303
-END
-
-# Trust for Certificate "Verisign Class 1 Public Primary OCSP Responder"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 1 Public Primary OCSP Responder"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\004\226\110\344\112\311\314\255\105\203\230\331\074\175\221\365
-\042\104\033\212
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\176\157\072\123\033\174\276\260\060\333\103\036\036\224\211\262
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
-\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
-\013\023\056\103\154\141\163\163\040\061\040\120\165\142\154\151
-\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\053\150\324\243\106\236\305\073\050\011\253\070\135\177
-\047\040
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Verisign Class 2 Public Primary OCSP Responder"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 2 Public Primary OCSP Responder"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\247\061\027\060\025\006\003\125\004\012\023\016\126\145
-\162\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035
-\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040
-\124\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060
-\071\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146
-\040\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057
-\167\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155
-\057\122\120\101\040\050\143\051\060\060\061\056\060\054\006\003
-\125\004\003\023\045\103\154\141\163\163\040\062\040\120\165\142
-\154\151\143\040\120\162\151\155\141\162\171\040\117\103\123\120
-\040\122\145\163\160\157\156\144\145\162
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
-\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
-\013\023\056\103\154\141\163\163\040\062\040\120\165\142\154\151
-\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\011\106\027\346\035\330\324\034\240\014\240\142\350\171
-\212\247
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\236\060\202\003\007\240\003\002\001\002\002\020\011
-\106\027\346\035\330\324\034\240\014\240\142\350\171\212\247\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\137
-\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027\060
-\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147\156
-\054\040\111\156\143\056\061\067\060\065\006\003\125\004\013\023
-\056\103\154\141\163\163\040\062\040\120\165\142\154\151\143\040
-\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143
-\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060
-\036\027\015\060\060\060\070\060\061\060\060\060\060\060\060\132
-\027\015\060\064\060\067\063\061\062\063\065\071\065\071\132\060
-\201\247\061\027\060\025\006\003\125\004\012\023\016\126\145\162
-\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035\006
-\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040\124
-\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060\071
-\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146\040
-\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057\167
-\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155\057
-\122\120\101\040\050\143\051\060\060\061\056\060\054\006\003\125
-\004\003\023\045\103\154\141\163\163\040\062\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\117\103\123\120\040
-\122\145\163\160\157\156\144\145\162\060\201\237\060\015\006\011
-\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060
-\201\211\002\201\201\000\320\312\143\061\141\177\104\064\174\005
-\175\013\075\152\220\313\171\113\167\012\077\113\307\043\345\300
-\142\055\176\234\176\076\210\207\221\320\254\350\115\111\207\242
-\226\220\212\335\004\245\002\077\214\233\351\211\376\142\240\342
-\132\275\310\335\264\170\346\245\102\223\010\147\001\300\040\115
-\327\134\364\135\332\263\343\067\246\122\032\054\114\145\115\212
-\207\331\250\243\361\111\124\273\074\134\200\121\150\306\373\111
-\377\013\125\253\025\335\373\232\301\271\035\164\015\262\214\104
-\135\211\374\237\371\203\002\003\001\000\001\243\202\001\020\060
-\202\001\014\060\040\006\003\125\035\021\004\031\060\027\244\025
-\060\023\061\021\060\017\006\003\125\004\003\023\010\117\103\123
-\120\040\061\055\062\060\061\006\003\125\035\037\004\052\060\050
-\060\046\240\044\240\042\206\040\150\164\164\160\072\057\057\143
-\162\154\056\166\145\162\151\163\151\147\156\056\143\157\155\057
-\160\143\141\062\056\143\162\154\060\023\006\003\125\035\045\004
-\014\060\012\006\010\053\006\001\005\005\007\003\011\060\102\006
-\010\053\006\001\005\005\007\001\001\004\066\060\064\060\062\006
-\010\053\006\001\005\005\007\060\001\246\046\026\044\150\164\164
-\160\072\057\057\157\143\163\160\056\166\145\162\151\163\151\147
-\156\056\143\157\155\057\157\143\163\160\057\163\164\141\164\165
-\163\060\104\006\003\125\035\040\004\075\060\073\060\071\006\013
-\140\206\110\001\206\370\105\001\007\001\001\060\052\060\050\006
-\010\053\006\001\005\005\007\002\001\026\034\150\164\164\160\163
-\072\057\057\167\167\167\056\166\145\162\151\163\151\147\156\056
-\143\157\155\057\122\120\101\060\011\006\003\125\035\023\004\002
-\060\000\060\013\006\003\125\035\017\004\004\003\002\007\200\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003\201
-\201\000\037\175\011\156\044\106\165\004\234\363\046\233\343\071
-\156\027\357\274\275\242\033\322\002\204\206\253\320\100\227\054
-\304\103\210\067\031\153\042\250\003\161\120\235\040\334\066\140
-\040\232\163\055\163\125\154\130\233\054\302\264\064\054\172\063
-\102\312\221\331\351\103\257\317\036\340\365\304\172\253\077\162
-\143\036\251\067\341\133\073\210\263\023\206\202\220\127\313\127
-\377\364\126\276\042\335\343\227\250\341\274\042\103\302\335\115
-\333\366\201\236\222\024\236\071\017\023\124\336\202\330\300\136
-\064\215
-END
-
-# Trust for Certificate "Verisign Class 2 Public Primary OCSP Responder"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 2 Public Primary OCSP Responder"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\042\171\151\276\320\122\116\115\035\066\262\361\162\041\167\361
-\124\123\110\167
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\363\105\275\020\226\015\205\113\357\237\021\142\064\247\136\265
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
-\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
-\013\023\056\103\154\141\163\163\040\062\040\120\165\142\154\151
-\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\011\106\027\346\035\330\324\034\240\014\240\142\350\171
-\212\247
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Verisign Class 3 Public Primary OCSP Responder"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 3 Public Primary OCSP Responder"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\247\061\027\060\025\006\003\125\004\012\023\016\126\145
-\162\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035
-\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040
-\124\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060
-\071\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146
-\040\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057
-\167\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155
-\057\122\120\101\040\050\143\051\060\060\061\056\060\054\006\003
-\125\004\003\023\045\103\154\141\163\163\040\063\040\120\165\142
-\154\151\143\040\120\162\151\155\141\162\171\040\117\103\123\120
-\040\122\145\163\160\157\156\144\145\162
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
-\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
-\013\023\056\103\154\141\163\163\040\063\040\120\165\142\154\151
-\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\056\226\236\277\266\142\154\354\173\351\163\314\343\154
-\301\204
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\242\060\202\003\013\240\003\002\001\002\002\020\056
-\226\236\277\266\142\154\354\173\351\163\314\343\154\301\204\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\137
-\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027\060
-\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147\156
-\054\040\111\156\143\056\061\067\060\065\006\003\125\004\013\023
-\056\103\154\141\163\163\040\063\040\120\165\142\154\151\143\040
-\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143
-\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060
-\036\027\015\060\060\060\070\060\064\060\060\060\060\060\060\132
-\027\015\060\064\060\070\060\063\062\063\065\071\065\071\132\060
-\201\247\061\027\060\025\006\003\125\004\012\023\016\126\145\162
-\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035\006
-\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040\124
-\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060\071
-\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146\040
-\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057\167
-\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155\057
-\122\120\101\040\050\143\051\060\060\061\056\060\054\006\003\125
-\004\003\023\045\103\154\141\163\163\040\063\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\117\103\123\120\040
-\122\145\163\160\157\156\144\145\162\060\201\237\060\015\006\011
-\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060
-\201\211\002\201\201\000\361\344\010\016\203\273\165\343\110\345
-\270\333\246\360\271\253\351\074\142\307\136\065\133\320\002\124
-\021\330\311\321\126\271\166\113\271\253\172\346\315\272\366\014
-\004\326\176\326\260\012\145\254\116\071\343\361\367\055\243\045
-\071\357\260\213\317\276\333\014\135\156\160\364\007\315\160\367
-\072\300\076\065\026\355\170\214\103\317\302\046\056\107\326\206
-\175\234\361\276\326\147\014\042\045\244\312\145\346\037\172\170
-\050\057\077\005\333\004\041\277\341\105\146\376\074\267\202\355
-\132\270\026\025\271\125\002\003\001\000\001\243\202\001\024\060
-\202\001\020\060\040\006\003\125\035\021\004\031\060\027\244\025
-\060\023\061\021\060\017\006\003\125\004\003\023\010\117\103\123
-\120\040\061\055\063\060\065\006\003\125\035\037\004\056\060\054
-\060\052\240\050\240\046\206\044\150\164\164\160\072\057\057\143
-\162\154\056\166\145\162\151\163\151\147\156\056\143\157\155\057
-\160\143\141\063\056\061\056\061\056\143\162\154\060\023\006\003
-\125\035\045\004\014\060\012\006\010\053\006\001\005\005\007\003
-\011\060\102\006\010\053\006\001\005\005\007\001\001\004\066\060
-\064\060\062\006\010\053\006\001\005\005\007\060\001\246\046\026
-\044\150\164\164\160\072\057\057\157\143\163\160\056\166\145\162
-\151\163\151\147\156\056\143\157\155\057\157\143\163\160\057\163
-\164\141\164\165\163\060\104\006\003\125\035\040\004\075\060\073
-\060\071\006\013\140\206\110\001\206\370\105\001\007\001\001\060
-\052\060\050\006\010\053\006\001\005\005\007\002\001\026\034\150
-\164\164\160\163\072\057\057\167\167\167\056\166\145\162\151\163
-\151\147\156\056\143\157\155\057\122\120\101\060\011\006\003\125
-\035\023\004\002\060\000\060\013\006\003\125\035\017\004\004\003
-\002\007\200\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\003\201\201\000\002\366\123\143\300\251\036\362\320\213
-\063\060\217\110\233\114\260\126\264\203\161\112\276\334\120\330
-\365\266\340\013\333\275\170\117\351\317\011\064\332\051\111\235
-\001\163\132\221\221\202\124\054\023\012\323\167\043\317\067\374
-\143\336\247\343\366\267\265\151\105\050\111\303\221\334\252\107
-\034\251\210\231\054\005\052\215\215\212\372\142\342\132\267\000
-\040\135\071\304\050\302\313\374\236\250\211\256\133\075\216\022
-\352\062\262\374\353\024\327\011\025\032\300\315\033\325\265\025
-\116\101\325\226\343\116
-END
-
-# Trust for Certificate "Verisign Class 3 Public Primary OCSP Responder"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 3 Public Primary OCSP Responder"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\265\355\267\332\046\072\126\164\322\042\105\060\324\307\217\172
-\007\365\345\137
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\175\121\222\311\166\203\230\026\336\214\263\206\304\175\146\373
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
-\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
-\013\023\056\103\154\141\163\163\040\063\040\120\165\142\154\151
-\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\056\226\236\277\266\142\154\354\173\351\163\314\343\154
-\301\204
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Verisign Secure Server OCSP Responder"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Secure Server OCSP Responder"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\236\061\027\060\025\006\003\125\004\012\023\016\126\145
-\162\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035
-\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040
-\124\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060
-\071\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146
-\040\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057
-\167\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155
-\057\122\120\101\040\050\143\051\060\060\061\045\060\043\006\003
-\125\004\003\023\034\123\145\143\165\162\145\040\123\145\162\166
-\145\162\040\117\103\123\120\040\122\145\163\160\157\156\144\145
-\162
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\040\060\036\006\003\125\004\012\023\027\122\123\101\040\104\141
-\164\141\040\123\145\143\165\162\151\164\171\054\040\111\156\143
-\056\061\056\060\054\006\003\125\004\013\023\045\123\145\143\165
-\162\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\021\000\377\105\325\047\135\044\373\263\302\071\044\123\127
-\341\117\336
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\237\060\202\003\014\240\003\002\001\002\002\021\000
-\377\105\325\047\135\044\373\263\302\071\044\123\127\341\117\336
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061\040
-\060\036\006\003\125\004\012\023\027\122\123\101\040\104\141\164
-\141\040\123\145\143\165\162\151\164\171\054\040\111\156\143\056
-\061\056\060\054\006\003\125\004\013\023\045\123\145\143\165\162
-\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146\151
-\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
-\060\036\027\015\060\060\060\070\060\064\060\060\060\060\060\060
-\132\027\015\060\064\060\070\060\063\062\063\065\071\065\071\132
-\060\201\236\061\027\060\025\006\003\125\004\012\023\016\126\145
-\162\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035
-\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040
-\124\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060
-\071\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146
-\040\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057
-\167\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155
-\057\122\120\101\040\050\143\051\060\060\061\045\060\043\006\003
-\125\004\003\023\034\123\145\143\165\162\145\040\123\145\162\166
-\145\162\040\117\103\123\120\040\122\145\163\160\157\156\144\145
-\162\060\201\237\060\015\006\011\052\206\110\206\367\015\001\001
-\001\005\000\003\201\215\000\060\201\211\002\201\201\000\270\121
-\231\144\205\016\356\263\012\150\360\277\143\166\035\123\365\374
-\241\170\214\063\356\237\364\276\071\332\233\017\115\107\251\217
-\040\350\113\104\275\316\315\173\220\321\060\350\220\304\045\173
-\211\050\336\275\366\223\035\377\271\377\222\265\251\215\344\256
-\314\342\303\007\203\152\243\162\020\001\047\142\042\246\065\046
-\071\055\236\317\140\014\374\107\244\327\320\102\170\247\035\154
-\320\313\117\025\247\051\012\264\225\105\304\261\347\132\011\327
-\071\225\330\035\065\236\302\275\263\135\301\014\113\037\002\003
-\001\000\001\243\202\001\035\060\202\001\031\060\040\006\003\125
-\035\021\004\031\060\027\244\025\060\023\061\021\060\017\006\003
-\125\004\003\023\010\117\103\123\120\040\061\055\064\060\076\006
-\003\125\035\037\004\067\060\065\060\063\240\061\240\057\206\055
-\150\164\164\160\072\057\057\143\162\154\056\166\145\162\151\163
-\151\147\156\056\143\157\155\057\122\123\101\123\145\143\165\162
-\145\123\145\162\166\145\162\055\160\056\143\162\154\060\023\006
-\003\125\035\045\004\014\060\012\006\010\053\006\001\005\005\007
-\003\011\060\102\006\010\053\006\001\005\005\007\001\001\004\066
-\060\064\060\062\006\010\053\006\001\005\005\007\060\001\246\046
-\026\044\150\164\164\160\072\057\057\157\143\163\160\056\166\145
-\162\151\163\151\147\156\056\143\157\155\057\157\143\163\160\057
-\163\164\141\164\165\163\060\104\006\003\125\035\040\004\075\060
-\073\060\071\006\013\140\206\110\001\206\370\105\001\007\001\001
-\060\052\060\050\006\010\053\006\001\005\005\007\002\001\026\034
-\150\164\164\160\163\072\057\057\167\167\167\056\166\145\162\151
-\163\151\147\156\056\143\157\155\057\122\120\101\060\011\006\003
-\125\035\023\004\002\060\000\060\013\006\003\125\035\017\004\004
-\003\002\007\200\060\015\006\011\052\206\110\206\367\015\001\001
-\005\005\000\003\176\000\000\263\020\123\146\234\111\223\056\061
-\240\002\102\322\130\127\176\146\241\376\033\212\141\030\120\100
-\054\036\053\101\245\326\333\377\254\010\034\132\005\155\002\134
-\052\266\226\117\107\333\276\116\333\316\314\272\206\270\030\316
-\261\022\221\137\143\367\363\110\076\314\361\115\023\344\155\011
-\224\170\000\222\313\243\040\235\006\013\152\240\103\007\316\321
-\031\154\217\030\165\232\237\027\063\375\251\046\270\343\342\336
-\302\250\304\132\212\177\230\326\007\006\153\314\126\236\206\160
-\316\324\357
-END
-
-# Trust for Certificate "Verisign Secure Server OCSP Responder"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Secure Server OCSP Responder"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\161\236\140\141\327\175\054\203\361\242\135\074\366\215\002\274
-\224\070\305\056
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\054\142\303\330\200\001\026\011\352\131\352\170\253\020\103\366
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\040\060\036\006\003\125\004\012\023\027\122\123\101\040\104\141
-\164\141\040\123\145\143\165\162\151\164\171\054\040\111\156\143
-\056\061\056\060\054\006\003\125\004\013\023\045\123\145\143\165
-\162\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\021\000\377\105\325\047\135\044\373\263\302\071\044\123\127
-\341\117\336
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Verisign Time Stamping Authority CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Time Stamping Authority CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\245\061\027\060\025\006\003\125\004\012\023\016\126\145
-\162\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035
-\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040
-\124\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060
-\071\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146
-\040\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057
-\167\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155
-\057\162\160\141\040\050\143\051\060\060\061\054\060\052\006\003
-\125\004\003\023\043\126\145\162\151\123\151\147\156\040\124\151
-\155\145\040\123\164\141\155\160\151\156\147\040\101\165\164\150
-\157\162\151\164\171\040\103\101
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
-\004\013\023\063\103\154\141\163\163\040\063\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
-\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
-\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
-\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
-\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
-\167\157\162\153
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\123\141\262\140\256\333\161\216\247\224\263\023\063\364
-\007\011
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\315\060\202\003\066\240\003\002\001\002\002\020\123
-\141\262\140\256\333\161\216\247\224\263\023\063\364\007\011\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201
-\301\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027
-\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147
-\156\054\040\111\156\143\056\061\074\060\072\006\003\125\004\013
-\023\063\103\154\141\163\163\040\063\040\120\165\142\154\151\143
-\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151
-\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
-\040\055\040\107\062\061\072\060\070\006\003\125\004\013\023\061
-\050\143\051\040\061\071\071\070\040\126\145\162\151\123\151\147
-\156\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165
-\164\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154
-\171\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151
-\123\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157
-\162\153\060\036\027\015\060\060\060\071\062\066\060\060\060\060
-\060\060\132\027\015\061\060\060\071\062\065\062\063\065\071\065
-\071\132\060\201\245\061\027\060\025\006\003\125\004\012\023\016
-\126\145\162\151\123\151\147\156\054\040\111\156\143\056\061\037
-\060\035\006\003\125\004\013\023\026\126\145\162\151\123\151\147
-\156\040\124\162\165\163\164\040\116\145\164\167\157\162\153\061
-\073\060\071\006\003\125\004\013\023\062\124\145\162\155\163\040
-\157\146\040\165\163\145\040\141\164\040\150\164\164\160\163\072
-\057\057\167\167\167\056\166\145\162\151\163\151\147\156\056\143
-\157\155\057\162\160\141\040\050\143\051\060\060\061\054\060\052
-\006\003\125\004\003\023\043\126\145\162\151\123\151\147\156\040
-\124\151\155\145\040\123\164\141\155\160\151\156\147\040\101\165
-\164\150\157\162\151\164\171\040\103\101\060\201\237\060\015\006
-\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000
-\060\201\211\002\201\201\000\322\031\235\147\302\000\041\131\142
-\316\264\011\042\104\151\212\370\045\132\333\355\015\267\066\176
-\116\340\273\224\076\220\045\207\302\141\107\051\331\275\124\270
-\143\314\054\175\151\264\063\066\364\067\007\232\301\335\100\124
-\374\340\170\235\240\223\271\011\075\043\121\177\104\302\024\164
-\333\012\276\313\311\060\064\100\230\076\320\327\045\020\201\224
-\275\007\117\234\326\124\047\337\056\250\277\313\220\214\215\165
-\113\274\342\350\104\207\315\346\101\012\045\156\350\364\044\002
-\305\122\017\156\354\230\165\002\003\001\000\001\243\201\337\060
-\201\334\060\017\006\003\125\035\023\004\010\060\006\001\001\377
-\002\001\000\060\105\006\003\125\035\040\004\076\060\074\060\072
-\006\014\140\206\110\001\206\370\105\001\007\027\001\003\060\052
-\060\050\006\010\053\006\001\005\005\007\002\001\026\034\150\164
-\164\160\163\072\057\057\167\167\167\056\166\145\162\151\163\151
-\147\156\056\143\157\155\057\162\160\141\060\061\006\003\125\035
-\037\004\052\060\050\060\046\240\044\240\042\206\040\150\164\164
-\160\072\057\057\143\162\154\056\166\145\162\151\163\151\147\156
-\056\143\157\155\057\160\143\141\063\056\143\162\154\060\013\006
-\003\125\035\017\004\004\003\002\001\006\060\102\006\010\053\006
-\001\005\005\007\001\001\004\066\060\064\060\062\006\010\053\006
-\001\005\005\007\060\001\246\046\026\044\150\164\164\160\072\057
-\057\157\143\163\160\056\166\145\162\151\163\151\147\156\056\143
-\157\155\057\157\143\163\160\057\163\164\141\164\165\163\060\015
-\006\011\052\206\110\206\367\015\001\001\005\005\000\003\201\201
-\000\202\160\150\225\337\266\015\302\001\160\031\112\322\124\126
-\036\254\362\105\114\207\270\365\065\353\170\113\005\251\310\235
-\073\031\041\056\160\064\112\242\365\211\340\025\165\105\347\050
-\067\000\064\047\051\350\067\113\362\357\104\227\153\027\121\032
-\303\126\235\074\032\212\366\112\106\106\067\214\372\313\365\144
-\132\070\150\056\034\303\357\160\316\270\106\006\026\277\367\176
-\347\265\250\076\105\254\251\045\165\042\173\157\077\260\234\224
-\347\307\163\253\254\037\356\045\233\300\026\355\267\312\133\360
-\024
-END
-
-# Trust for Certificate "Verisign Time Stamping Authority CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Time Stamping Authority CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\246\017\064\310\142\154\201\366\213\367\175\251\366\147\130\212
-\220\077\175\066
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\211\111\124\214\310\150\232\203\051\354\334\006\163\041\253\227
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
-\004\013\023\063\103\154\141\163\163\040\063\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
-\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
-\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
-\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
-\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
-\167\157\162\153
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\123\141\262\140\256\333\161\216\247\224\263\023\063\364
-\007\011
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Thawte Time Stamping CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Thawte Time Stamping CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\213\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\024\060\022\006\003\125\004\007
-\023\013\104\165\162\142\141\156\166\151\154\154\145\061\017\060
-\015\006\003\125\004\012\023\006\124\150\141\167\164\145\061\035
-\060\033\006\003\125\004\013\023\024\124\150\141\167\164\145\040
-\103\145\162\164\151\146\151\143\141\164\151\157\156\061\037\060
-\035\006\003\125\004\003\023\026\124\150\141\167\164\145\040\124
-\151\155\145\163\164\141\155\160\151\156\147\040\103\101
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\213\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\024\060\022\006\003\125\004\007
-\023\013\104\165\162\142\141\156\166\151\154\154\145\061\017\060
-\015\006\003\125\004\012\023\006\124\150\141\167\164\145\061\035
-\060\033\006\003\125\004\013\023\024\124\150\141\167\164\145\040
-\103\145\162\164\151\146\151\143\141\164\151\157\156\061\037\060
-\035\006\003\125\004\003\023\026\124\150\141\167\164\145\040\124
-\151\155\145\163\164\141\155\160\151\156\147\040\103\101
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\241\060\202\002\012\240\003\002\001\002\002\001\000
-\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
-\201\213\061\013\060\011\006\003\125\004\006\023\002\132\101\061
-\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145\162
-\156\040\103\141\160\145\061\024\060\022\006\003\125\004\007\023
-\013\104\165\162\142\141\156\166\151\154\154\145\061\017\060\015
-\006\003\125\004\012\023\006\124\150\141\167\164\145\061\035\060
-\033\006\003\125\004\013\023\024\124\150\141\167\164\145\040\103
-\145\162\164\151\146\151\143\141\164\151\157\156\061\037\060\035
-\006\003\125\004\003\023\026\124\150\141\167\164\145\040\124\151
-\155\145\163\164\141\155\160\151\156\147\040\103\101\060\036\027
-\015\071\067\060\061\060\061\060\060\060\060\060\060\132\027\015
-\062\060\061\062\063\061\062\063\065\071\065\071\132\060\201\213
-\061\013\060\011\006\003\125\004\006\023\002\132\101\061\025\060
-\023\006\003\125\004\010\023\014\127\145\163\164\145\162\156\040
-\103\141\160\145\061\024\060\022\006\003\125\004\007\023\013\104
-\165\162\142\141\156\166\151\154\154\145\061\017\060\015\006\003
-\125\004\012\023\006\124\150\141\167\164\145\061\035\060\033\006
-\003\125\004\013\023\024\124\150\141\167\164\145\040\103\145\162
-\164\151\146\151\143\141\164\151\157\156\061\037\060\035\006\003
-\125\004\003\023\026\124\150\141\167\164\145\040\124\151\155\145
-\163\164\141\155\160\151\156\147\040\103\101\060\201\237\060\015
-\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215
-\000\060\201\211\002\201\201\000\326\053\130\170\141\105\206\123
-\352\064\173\121\234\355\260\346\056\030\016\376\340\137\250\047
-\323\264\311\340\174\131\116\026\016\163\124\140\301\177\366\237
-\056\351\072\205\044\025\074\333\107\004\143\303\236\304\224\032
-\132\337\114\172\363\331\103\035\074\020\172\171\045\333\220\376
-\360\121\347\060\326\101\000\375\237\050\337\171\276\224\273\235
-\266\024\343\043\205\327\251\101\340\114\244\171\260\053\032\213
-\362\370\073\212\076\105\254\161\222\000\264\220\101\230\373\137
-\355\372\267\056\212\370\210\067\002\003\001\000\001\243\023\060
-\021\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001
-\001\377\060\015\006\011\052\206\110\206\367\015\001\001\004\005
-\000\003\201\201\000\147\333\342\302\346\207\075\100\203\206\067
-\065\175\037\316\232\303\014\146\040\250\272\252\004\211\206\302
-\365\020\010\015\277\313\242\005\212\320\115\066\076\364\327\357
-\151\306\136\344\260\224\157\112\271\347\336\133\210\266\173\333
-\343\047\345\166\303\360\065\301\313\265\047\233\063\171\334\220
-\246\000\236\167\372\374\315\047\224\102\026\234\323\034\150\354
-\277\134\335\345\251\173\020\012\062\164\124\023\061\213\205\003
-\204\221\267\130\001\060\024\070\257\050\312\374\261\120\031\031
-\011\254\211\111\323
-END
-
-# Trust for Certificate "Thawte Time Stamping CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Thawte Time Stamping CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\276\066\244\126\057\262\356\005\333\263\323\043\043\255\364\105
-\010\116\326\126
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\177\146\172\161\323\353\151\170\040\232\121\024\235\203\332\040
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\213\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\024\060\022\006\003\125\004\007
-\023\013\104\165\162\142\141\156\166\151\154\154\145\061\017\060
-\015\006\003\125\004\012\023\006\124\150\141\167\164\145\061\035
-\060\033\006\003\125\004\013\023\024\124\150\141\167\164\145\040
-\103\145\162\164\151\146\151\143\141\164\151\157\156\061\037\060
-\035\006\003\125\004\003\023\026\124\150\141\167\164\145\040\124
-\151\155\145\163\164\141\155\160\151\156\147\040\103\101
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Entrust.net Global Secure Server CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Entrust.net Global Secure Server CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\272\061\024\060\022\006\003\125\004\012\023\013\105\156
-\164\162\165\163\164\056\156\145\164\061\077\060\075\006\003\125
-\004\013\024\066\167\167\167\056\145\156\164\162\165\163\164\056
-\156\145\164\057\123\123\114\137\103\120\123\040\151\156\143\157
-\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151\155
-\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006\003
-\125\004\013\023\034\050\143\051\040\062\060\060\060\040\105\156
-\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164\145
-\144\061\072\060\070\006\003\125\004\003\023\061\105\156\164\162
-\165\163\164\056\156\145\164\040\123\145\143\165\162\145\040\123
-\145\162\166\145\162\040\103\145\162\164\151\146\151\143\141\164
-\151\157\156\040\101\165\164\150\157\162\151\164\171
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\272\061\024\060\022\006\003\125\004\012\023\013\105\156
-\164\162\165\163\164\056\156\145\164\061\077\060\075\006\003\125
-\004\013\024\066\167\167\167\056\145\156\164\162\165\163\164\056
-\156\145\164\057\123\123\114\137\103\120\123\040\151\156\143\157
-\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151\155
-\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006\003
-\125\004\013\023\034\050\143\051\040\062\060\060\060\040\105\156
-\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164\145
-\144\061\072\060\070\006\003\125\004\003\023\061\105\156\164\162
-\165\163\164\056\156\145\164\040\123\145\143\165\162\145\040\123
-\145\162\166\145\162\040\103\145\162\164\151\146\151\143\141\164
-\151\157\156\040\101\165\164\150\157\162\151\164\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\070\233\021\074
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\225\060\202\003\376\240\003\002\001\002\002\004\070
-\233\021\074\060\015\006\011\052\206\110\206\367\015\001\001\004
-\005\000\060\201\272\061\024\060\022\006\003\125\004\012\023\013
-\105\156\164\162\165\163\164\056\156\145\164\061\077\060\075\006
-\003\125\004\013\024\066\167\167\167\056\145\156\164\162\165\163
-\164\056\156\145\164\057\123\123\114\137\103\120\123\040\151\156
-\143\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154
-\151\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043
-\006\003\125\004\013\023\034\050\143\051\040\062\060\060\060\040
-\105\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151
-\164\145\144\061\072\060\070\006\003\125\004\003\023\061\105\156
-\164\162\165\163\164\056\156\145\164\040\123\145\143\165\162\145
-\040\123\145\162\166\145\162\040\103\145\162\164\151\146\151\143
-\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060
-\036\027\015\060\060\060\062\060\064\061\067\062\060\060\060\132
-\027\015\062\060\060\062\060\064\061\067\065\060\060\060\132\060
-\201\272\061\024\060\022\006\003\125\004\012\023\013\105\156\164
-\162\165\163\164\056\156\145\164\061\077\060\075\006\003\125\004
-\013\024\066\167\167\167\056\145\156\164\162\165\163\164\056\156
-\145\164\057\123\123\114\137\103\120\123\040\151\156\143\157\162
-\160\056\040\142\171\040\162\145\146\056\040\050\154\151\155\151
-\164\163\040\154\151\141\142\056\051\061\045\060\043\006\003\125
-\004\013\023\034\050\143\051\040\062\060\060\060\040\105\156\164
-\162\165\163\164\056\156\145\164\040\114\151\155\151\164\145\144
-\061\072\060\070\006\003\125\004\003\023\061\105\156\164\162\165
-\163\164\056\156\145\164\040\123\145\143\165\162\145\040\123\145
-\162\166\145\162\040\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\101\165\164\150\157\162\151\164\171\060\201\237\060
-\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201
-\215\000\060\201\211\002\201\201\000\307\301\137\116\161\361\316
-\360\140\206\017\322\130\177\323\063\227\055\027\242\165\060\265
-\226\144\046\057\150\303\104\253\250\165\346\000\147\064\127\236
-\145\307\042\233\163\346\323\335\010\016\067\125\252\045\106\201
-\154\275\376\250\366\165\127\127\214\220\154\112\303\076\213\113
-\103\012\311\021\126\232\232\047\042\231\317\125\236\141\331\002
-\342\174\266\174\070\007\334\343\177\117\232\271\003\101\200\266
-\165\147\023\013\237\350\127\066\310\135\000\066\336\146\024\332
-\156\166\037\117\067\214\202\023\211\002\003\001\000\001\243\202
-\001\244\060\202\001\240\060\021\006\011\140\206\110\001\206\370
-\102\001\001\004\004\003\002\000\007\060\201\343\006\003\125\035
-\037\004\201\333\060\201\330\060\201\325\240\201\322\240\201\317
-\244\201\314\060\201\311\061\024\060\022\006\003\125\004\012\023
-\013\105\156\164\162\165\163\164\056\156\145\164\061\077\060\075
-\006\003\125\004\013\024\066\167\167\167\056\145\156\164\162\165
-\163\164\056\156\145\164\057\123\123\114\137\103\120\123\040\151
-\156\143\157\162\160\056\040\142\171\040\162\145\146\056\040\050
-\154\151\155\151\164\163\040\154\151\141\142\056\051\061\045\060
-\043\006\003\125\004\013\023\034\050\143\051\040\062\060\060\060
-\040\105\156\164\162\165\163\164\056\156\145\164\040\114\151\155
-\151\164\145\144\061\072\060\070\006\003\125\004\003\023\061\105
-\156\164\162\165\163\164\056\156\145\164\040\123\145\143\165\162
-\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146\151
-\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
-\061\015\060\013\006\003\125\004\003\023\004\103\122\114\061\060
-\053\006\003\125\035\020\004\044\060\042\200\017\062\060\060\060
-\060\062\060\064\061\067\062\060\060\060\132\201\017\062\060\062
-\060\060\062\060\064\061\067\065\060\060\060\132\060\013\006\003
-\125\035\017\004\004\003\002\001\006\060\037\006\003\125\035\043
-\004\030\060\026\200\024\313\154\300\153\343\273\076\313\374\042
-\234\376\373\213\222\234\260\362\156\042\060\035\006\003\125\035
-\016\004\026\004\024\313\154\300\153\343\273\076\313\374\042\234
-\376\373\213\222\234\260\362\156\042\060\014\006\003\125\035\023
-\004\005\060\003\001\001\377\060\035\006\011\052\206\110\206\366
-\175\007\101\000\004\020\060\016\033\010\126\065\056\060\072\064
-\056\060\003\002\004\220\060\015\006\011\052\206\110\206\367\015
-\001\001\004\005\000\003\201\201\000\142\333\201\221\316\310\232
-\167\102\057\354\275\047\243\123\017\120\033\352\116\222\360\251
-\257\251\240\272\110\141\313\357\311\006\357\037\325\364\356\337
-\126\055\346\312\152\031\163\252\123\276\222\263\120\002\266\205
-\046\162\143\330\165\120\142\165\024\267\263\120\032\077\312\021
-\000\013\205\105\151\155\266\245\256\121\341\112\334\202\077\154
-\214\064\262\167\153\331\002\366\177\016\352\145\004\361\315\124
-\312\272\311\314\340\204\367\310\076\021\227\323\140\011\030\274
-\005\377\154\211\063\360\354\025\017
-END
-
-# Trust for Certificate "Entrust.net Global Secure Server CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Entrust.net Global Secure Server CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\211\071\127\156\027\215\367\005\170\017\314\136\310\117\204\366
-\045\072\110\223
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\235\146\152\314\377\325\365\103\264\277\214\026\321\053\250\231
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\272\061\024\060\022\006\003\125\004\012\023\013\105\156
-\164\162\165\163\164\056\156\145\164\061\077\060\075\006\003\125
-\004\013\024\066\167\167\167\056\145\156\164\162\165\163\164\056
-\156\145\164\057\123\123\114\137\103\120\123\040\151\156\143\157
-\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151\155
-\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006\003
-\125\004\013\023\034\050\143\051\040\062\060\060\060\040\105\156
-\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164\145
-\144\061\072\060\070\006\003\125\004\003\023\061\105\156\164\162
-\165\163\164\056\156\145\164\040\123\145\143\165\162\145\040\123
-\145\162\166\145\162\040\103\145\162\164\151\146\151\143\141\164
-\151\157\156\040\101\165\164\150\157\162\151\164\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\070\233\021\074
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Entrust.net Global Secure Personal CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Entrust.net Global Secure Personal CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\264\061\024\060\022\006\003\125\004\012\023\013\105\156
-\164\162\165\163\164\056\156\145\164\061\100\060\076\006\003\125
-\004\013\024\067\167\167\167\056\145\156\164\162\165\163\164\056
-\156\145\164\057\107\103\103\101\137\103\120\123\040\151\156\143
-\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151
-\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006
-\003\125\004\013\023\034\050\143\051\040\062\060\060\060\040\105
-\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164
-\145\144\061\063\060\061\006\003\125\004\003\023\052\105\156\164
-\162\165\163\164\056\156\145\164\040\103\154\151\145\156\164\040
-\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165
-\164\150\157\162\151\164\171
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\264\061\024\060\022\006\003\125\004\012\023\013\105\156
-\164\162\165\163\164\056\156\145\164\061\100\060\076\006\003\125
-\004\013\024\067\167\167\167\056\145\156\164\162\165\163\164\056
-\156\145\164\057\107\103\103\101\137\103\120\123\040\151\156\143
-\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151
-\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006
-\003\125\004\013\023\034\050\143\051\040\062\060\060\060\040\105
-\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164
-\145\144\061\063\060\061\006\003\125\004\003\023\052\105\156\164
-\162\165\163\164\056\156\145\164\040\103\154\151\145\156\164\040
-\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165
-\164\150\157\162\151\164\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\070\236\366\344
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\203\060\202\003\354\240\003\002\001\002\002\004\070
-\236\366\344\060\015\006\011\052\206\110\206\367\015\001\001\004
-\005\000\060\201\264\061\024\060\022\006\003\125\004\012\023\013
-\105\156\164\162\165\163\164\056\156\145\164\061\100\060\076\006
-\003\125\004\013\024\067\167\167\167\056\145\156\164\162\165\163
-\164\056\156\145\164\057\107\103\103\101\137\103\120\123\040\151
-\156\143\157\162\160\056\040\142\171\040\162\145\146\056\040\050
-\154\151\155\151\164\163\040\154\151\141\142\056\051\061\045\060
-\043\006\003\125\004\013\023\034\050\143\051\040\062\060\060\060
-\040\105\156\164\162\165\163\164\056\156\145\164\040\114\151\155
-\151\164\145\144\061\063\060\061\006\003\125\004\003\023\052\105
-\156\164\162\165\163\164\056\156\145\164\040\103\154\151\145\156
-\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\060\036\027\015\060\060\060
-\062\060\067\061\066\061\066\064\060\132\027\015\062\060\060\062
-\060\067\061\066\064\066\064\060\132\060\201\264\061\024\060\022
-\006\003\125\004\012\023\013\105\156\164\162\165\163\164\056\156
-\145\164\061\100\060\076\006\003\125\004\013\024\067\167\167\167
-\056\145\156\164\162\165\163\164\056\156\145\164\057\107\103\103
-\101\137\103\120\123\040\151\156\143\157\162\160\056\040\142\171
-\040\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151
-\141\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050
-\143\051\040\062\060\060\060\040\105\156\164\162\165\163\164\056
-\156\145\164\040\114\151\155\151\164\145\144\061\063\060\061\006
-\003\125\004\003\023\052\105\156\164\162\165\163\164\056\156\145
-\164\040\103\154\151\145\156\164\040\103\145\162\164\151\146\151
-\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
-\060\201\237\060\015\006\011\052\206\110\206\367\015\001\001\001
-\005\000\003\201\215\000\060\201\211\002\201\201\000\223\164\264
-\266\344\305\113\326\241\150\177\142\325\354\367\121\127\263\162
-\112\230\365\320\211\311\255\143\315\115\065\121\152\204\324\255
-\311\150\171\157\270\353\021\333\207\256\134\044\121\023\361\124
-\045\204\257\051\053\237\343\200\342\331\313\335\306\105\111\064
-\210\220\136\001\227\357\352\123\246\335\374\301\336\113\052\045
-\344\351\065\372\125\005\006\345\211\172\352\244\021\127\073\374
-\174\075\066\315\147\065\155\244\251\045\131\275\146\365\371\047
-\344\225\147\326\077\222\200\136\362\064\175\053\205\002\003\001
-\000\001\243\202\001\236\060\202\001\232\060\021\006\011\140\206
-\110\001\206\370\102\001\001\004\004\003\002\000\007\060\201\335
-\006\003\125\035\037\004\201\325\060\201\322\060\201\317\240\201
-\314\240\201\311\244\201\306\060\201\303\061\024\060\022\006\003
-\125\004\012\023\013\105\156\164\162\165\163\164\056\156\145\164
-\061\100\060\076\006\003\125\004\013\024\067\167\167\167\056\145
-\156\164\162\165\163\164\056\156\145\164\057\107\103\103\101\137
-\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040\162
-\145\146\056\040\050\154\151\155\151\164\163\040\154\151\141\142
-\056\051\061\045\060\043\006\003\125\004\013\023\034\050\143\051
-\040\062\060\060\060\040\105\156\164\162\165\163\164\056\156\145
-\164\040\114\151\155\151\164\145\144\061\063\060\061\006\003\125
-\004\003\023\052\105\156\164\162\165\163\164\056\156\145\164\040
-\103\154\151\145\156\164\040\103\145\162\164\151\146\151\143\141
-\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061\015
-\060\013\006\003\125\004\003\023\004\103\122\114\061\060\053\006
-\003\125\035\020\004\044\060\042\200\017\062\060\060\060\060\062
-\060\067\061\066\061\066\064\060\132\201\017\062\060\062\060\060
-\062\060\067\061\066\064\066\064\060\132\060\013\006\003\125\035
-\017\004\004\003\002\001\006\060\037\006\003\125\035\043\004\030
-\060\026\200\024\204\213\164\375\305\215\300\377\047\155\040\067
-\105\174\376\055\316\272\323\175\060\035\006\003\125\035\016\004
-\026\004\024\204\213\164\375\305\215\300\377\047\155\040\067\105
-\174\376\055\316\272\323\175\060\014\006\003\125\035\023\004\005
-\060\003\001\001\377\060\035\006\011\052\206\110\206\366\175\007
-\101\000\004\020\060\016\033\010\126\065\056\060\072\064\056\060
-\003\002\004\220\060\015\006\011\052\206\110\206\367\015\001\001
-\004\005\000\003\201\201\000\116\157\065\200\073\321\212\365\016
-\247\040\313\055\145\125\320\222\364\347\204\265\006\046\203\022
-\204\013\254\073\262\104\356\275\317\100\333\040\016\272\156\024
-\352\060\340\073\142\174\177\213\153\174\112\247\325\065\074\276
-\250\134\352\113\273\223\216\200\146\253\017\051\375\115\055\277
-\032\233\012\220\305\253\332\321\263\206\324\057\044\122\134\172
-\155\306\362\376\345\115\032\060\214\220\362\272\327\112\076\103
-\176\324\310\120\032\207\370\117\201\307\166\013\204\072\162\235
-\316\145\146\227\256\046\136
-END
-
-# Trust for Certificate "Entrust.net Global Secure Personal CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Entrust.net Global Secure Personal CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\317\164\277\377\233\206\201\133\010\063\124\100\066\076\207\266
-\266\360\277\163
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\232\167\031\030\355\226\317\337\033\267\016\365\215\271\210\056
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\264\061\024\060\022\006\003\125\004\012\023\013\105\156
-\164\162\165\163\164\056\156\145\164\061\100\060\076\006\003\125
-\004\013\024\067\167\167\167\056\145\156\164\162\165\163\164\056
-\156\145\164\057\107\103\103\101\137\103\120\123\040\151\156\143
-\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151
-\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006
-\003\125\004\013\023\034\050\143\051\040\062\060\060\060\040\105
-\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164
-\145\144\061\063\060\061\006\003\125\004\003\023\052\105\156\164
-\162\165\163\164\056\156\145\164\040\103\154\151\145\156\164\040
-\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165
-\164\150\157\162\151\164\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\070\236\366\344
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "AOL Time Warner Root Certification Authority 1"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "AOL Time Warner Root Certification Authority 1"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\203\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\035\060\033\006\003\125\004\012\023\024\101\117\114\040\124
-\151\155\145\040\127\141\162\156\145\162\040\111\156\143\056\061
-\034\060\032\006\003\125\004\013\023\023\101\155\145\162\151\143
-\141\040\117\156\154\151\156\145\040\111\156\143\056\061\067\060
-\065\006\003\125\004\003\023\056\101\117\114\040\124\151\155\145
-\040\127\141\162\156\145\162\040\122\157\157\164\040\103\145\162
-\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157
-\162\151\164\171\040\061
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\203\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\035\060\033\006\003\125\004\012\023\024\101\117\114\040\124
-\151\155\145\040\127\141\162\156\145\162\040\111\156\143\056\061
-\034\060\032\006\003\125\004\013\023\023\101\155\145\162\151\143
-\141\040\117\156\154\151\156\145\040\111\156\143\056\061\067\060
-\065\006\003\125\004\003\023\056\101\117\114\040\124\151\155\145
-\040\127\141\162\156\145\162\040\122\157\157\164\040\103\145\162
-\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157
-\162\151\164\171\040\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\346\060\202\002\316\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\201\203\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\035\060\033\006\003\125\004\012\023\024\101\117\114\040\124\151
-\155\145\040\127\141\162\156\145\162\040\111\156\143\056\061\034
-\060\032\006\003\125\004\013\023\023\101\155\145\162\151\143\141
-\040\117\156\154\151\156\145\040\111\156\143\056\061\067\060\065
-\006\003\125\004\003\023\056\101\117\114\040\124\151\155\145\040
-\127\141\162\156\145\162\040\122\157\157\164\040\103\145\162\164
-\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\040\061\060\036\027\015\060\062\060\065\062\071\060
-\066\060\060\060\060\132\027\015\063\067\061\061\062\060\061\065
-\060\063\060\060\132\060\201\203\061\013\060\011\006\003\125\004
-\006\023\002\125\123\061\035\060\033\006\003\125\004\012\023\024
-\101\117\114\040\124\151\155\145\040\127\141\162\156\145\162\040
-\111\156\143\056\061\034\060\032\006\003\125\004\013\023\023\101
-\155\145\162\151\143\141\040\117\156\154\151\156\145\040\111\156
-\143\056\061\067\060\065\006\003\125\004\003\023\056\101\117\114
-\040\124\151\155\145\040\127\141\162\156\145\162\040\122\157\157
-\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\040\061\060\202\001\042\060
-\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202
-\001\017\000\060\202\001\012\002\202\001\001\000\231\336\217\303
-\045\243\151\064\350\005\367\164\271\277\132\227\031\271\057\224
-\322\223\345\055\211\312\204\174\077\020\103\033\214\213\174\204
-\130\370\044\174\110\317\052\375\300\025\331\030\176\204\032\027
-\323\333\236\327\312\344\331\327\252\130\121\207\360\360\213\110
-\116\342\302\304\131\151\060\142\266\060\242\214\013\021\231\141
-\065\155\176\357\305\261\031\006\040\022\216\102\341\337\017\226
-\020\122\250\317\234\137\225\024\330\257\073\165\013\061\040\037
-\104\057\242\142\101\263\273\030\041\333\312\161\074\214\354\266
-\271\015\237\357\121\357\115\173\022\362\013\014\341\254\100\217
-\167\177\260\312\170\161\014\135\026\161\160\242\327\302\072\205
-\315\016\232\304\340\000\260\325\045\352\334\053\344\224\055\070
-\234\211\101\127\144\050\145\031\034\266\104\264\310\061\153\216
-\001\173\166\131\045\177\025\034\204\010\174\163\145\040\012\241
-\004\056\032\062\250\232\040\261\234\054\041\131\347\373\317\356
-\160\055\010\312\143\076\054\233\223\031\152\244\302\227\377\267
-\206\127\210\205\154\236\025\026\053\115\054\263\002\003\001\000
-\001\243\143\060\141\060\017\006\003\125\035\023\001\001\377\004
-\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026\004
-\024\241\066\060\026\313\206\220\000\105\200\123\261\217\310\330
-\075\174\276\137\022\060\037\006\003\125\035\043\004\030\060\026
-\200\024\241\066\060\026\313\206\220\000\105\200\123\261\217\310
-\330\075\174\276\137\022\060\016\006\003\125\035\017\001\001\377
-\004\004\003\002\001\206\060\015\006\011\052\206\110\206\367\015
-\001\001\005\005\000\003\202\001\001\000\212\040\030\245\276\263
-\057\264\246\204\000\100\060\051\372\264\024\163\114\171\105\247
-\366\160\340\350\176\144\036\012\225\174\152\141\302\357\116\037
-\276\377\311\231\037\007\141\112\341\135\114\315\255\356\320\122
-\062\331\131\062\274\332\171\162\326\173\011\350\002\201\065\323
-\012\337\021\035\311\171\240\200\115\376\132\327\126\326\355\017
-\052\257\247\030\165\063\014\352\301\141\005\117\152\232\211\362
-\215\271\237\056\357\260\137\132\000\353\276\255\240\370\104\005
-\147\274\313\004\357\236\144\305\351\310\077\005\277\306\057\007
-\034\303\066\161\206\312\070\146\112\315\326\270\113\306\154\247
-\227\073\372\023\055\156\043\141\207\241\143\102\254\302\313\227
-\237\141\150\317\055\114\004\235\327\045\117\012\016\115\220\213
-\030\126\250\223\110\127\334\157\256\275\236\147\127\167\211\120
-\263\276\021\233\105\147\203\206\031\207\323\230\275\010\032\026
-\037\130\202\013\341\226\151\005\113\216\354\203\121\061\007\325
-\324\237\377\131\173\250\156\205\317\323\113\251\111\260\137\260
-\071\050\150\016\163\335\045\232\336\022
-END
-
-# Trust for Certificate "AOL Time Warner Root Certification Authority 1"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "AOL Time Warner Root Certification Authority 1"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\164\124\123\134\044\243\247\130\040\176\076\076\323\044\370\026
-\373\041\026\111
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\347\172\334\261\037\156\006\037\164\154\131\026\047\303\113\300
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\203\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\035\060\033\006\003\125\004\012\023\024\101\117\114\040\124
-\151\155\145\040\127\141\162\156\145\162\040\111\156\143\056\061
-\034\060\032\006\003\125\004\013\023\023\101\155\145\162\151\143
-\141\040\117\156\154\151\156\145\040\111\156\143\056\061\067\060
-\065\006\003\125\004\003\023\056\101\117\114\040\124\151\155\145
-\040\127\141\162\156\145\162\040\122\157\157\164\040\103\145\162
-\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157
-\162\151\164\171\040\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "AOL Time Warner Root Certification Authority 2"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "AOL Time Warner Root Certification Authority 2"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\203\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\035\060\033\006\003\125\004\012\023\024\101\117\114\040\124
-\151\155\145\040\127\141\162\156\145\162\040\111\156\143\056\061
-\034\060\032\006\003\125\004\013\023\023\101\155\145\162\151\143
-\141\040\117\156\154\151\156\145\040\111\156\143\056\061\067\060
-\065\006\003\125\004\003\023\056\101\117\114\040\124\151\155\145
-\040\127\141\162\156\145\162\040\122\157\157\164\040\103\145\162
-\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157
-\162\151\164\171\040\062
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\203\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\035\060\033\006\003\125\004\012\023\024\101\117\114\040\124
-\151\155\145\040\127\141\162\156\145\162\040\111\156\143\056\061
-\034\060\032\006\003\125\004\013\023\023\101\155\145\162\151\143
-\141\040\117\156\154\151\156\145\040\111\156\143\056\061\067\060
-\065\006\003\125\004\003\023\056\101\117\114\040\124\151\155\145
-\040\127\141\162\156\145\162\040\122\157\157\164\040\103\145\162
-\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157
-\162\151\164\171\040\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\346\060\202\003\316\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\201\203\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\035\060\033\006\003\125\004\012\023\024\101\117\114\040\124\151
-\155\145\040\127\141\162\156\145\162\040\111\156\143\056\061\034
-\060\032\006\003\125\004\013\023\023\101\155\145\162\151\143\141
-\040\117\156\154\151\156\145\040\111\156\143\056\061\067\060\065
-\006\003\125\004\003\023\056\101\117\114\040\124\151\155\145\040
-\127\141\162\156\145\162\040\122\157\157\164\040\103\145\162\164
-\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\040\062\060\036\027\015\060\062\060\065\062\071\060
-\066\060\060\060\060\132\027\015\063\067\060\071\062\070\062\063
-\064\063\060\060\132\060\201\203\061\013\060\011\006\003\125\004
-\006\023\002\125\123\061\035\060\033\006\003\125\004\012\023\024
-\101\117\114\040\124\151\155\145\040\127\141\162\156\145\162\040
-\111\156\143\056\061\034\060\032\006\003\125\004\013\023\023\101
-\155\145\162\151\143\141\040\117\156\154\151\156\145\040\111\156
-\143\056\061\067\060\065\006\003\125\004\003\023\056\101\117\114
-\040\124\151\155\145\040\127\141\162\156\145\162\040\122\157\157
-\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\040\062\060\202\002\042\060
-\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202
-\002\017\000\060\202\002\012\002\202\002\001\000\264\067\132\010
-\026\231\024\350\125\261\033\044\153\374\307\213\346\207\251\211
-\356\213\231\315\117\100\206\244\266\115\311\331\261\334\074\115
-\015\205\114\025\154\106\213\122\170\237\370\043\375\147\365\044
-\072\150\135\320\367\144\141\101\124\243\213\245\010\322\051\133
-\233\140\117\046\203\321\143\022\126\111\166\244\026\302\245\235
-\105\254\213\204\225\250\026\261\354\237\352\044\032\357\271\127
-\134\232\044\041\054\115\016\161\037\246\254\135\105\164\003\230
-\304\124\214\026\112\101\167\206\225\165\014\107\001\146\140\374
-\025\361\017\352\365\024\170\307\016\327\156\201\034\136\277\136
-\347\072\052\330\227\027\060\174\000\255\010\235\063\257\270\231
-\141\200\213\250\225\176\024\334\022\154\244\320\330\357\100\111
-\002\066\371\156\251\326\035\226\126\004\262\263\055\026\126\206
-\217\331\040\127\200\315\147\020\155\260\114\360\332\106\266\352
-\045\056\106\257\215\260\205\070\064\213\024\046\202\053\254\256
-\231\013\216\024\327\122\275\236\151\303\206\002\013\352\166\165
-\061\011\316\063\031\041\205\103\346\211\055\237\045\067\147\361
-\043\152\322\000\155\227\371\237\347\051\312\335\037\327\006\352
-\270\311\271\011\041\237\310\077\006\305\322\351\022\106\000\116
-\173\010\353\102\075\053\110\156\235\147\335\113\002\344\104\363
-\223\031\245\047\316\151\172\276\147\323\374\120\244\054\253\303
-\153\271\343\200\114\317\005\141\113\053\334\033\271\246\322\320
-\252\365\053\163\373\316\220\065\237\014\122\034\277\134\041\141
-\021\133\025\113\251\044\121\374\244\134\367\027\235\260\322\372
-\007\351\217\126\344\032\214\150\212\004\323\174\132\343\236\242
-\241\312\161\133\242\324\240\347\051\205\135\003\150\052\117\322
-\006\327\075\371\303\003\057\077\145\371\147\036\107\100\323\143
-\017\343\325\216\371\205\253\227\114\263\327\046\353\226\012\224
-\336\205\066\234\310\177\201\011\002\111\052\016\365\144\062\014
-\202\321\272\152\202\033\263\113\164\021\363\214\167\326\237\277
-\334\067\244\247\125\004\057\324\061\350\323\106\271\003\174\332
-\022\116\131\144\267\121\061\061\120\240\312\034\047\331\020\056
-\255\326\275\020\146\053\303\260\042\112\022\133\002\003\001\000
-\001\243\143\060\141\060\017\006\003\125\035\023\001\001\377\004
-\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026\004
-\024\117\151\155\003\176\235\237\007\030\103\274\267\020\116\325
-\277\251\304\040\050\060\037\006\003\125\035\043\004\030\060\026
-\200\024\117\151\155\003\176\235\237\007\030\103\274\267\020\116
-\325\277\251\304\040\050\060\016\006\003\125\035\017\001\001\377
-\004\004\003\002\001\206\060\015\006\011\052\206\110\206\367\015
-\001\001\005\005\000\003\202\002\001\000\073\363\256\312\350\056
-\207\205\373\145\131\347\255\021\024\245\127\274\130\237\044\022
-\127\273\373\077\064\332\356\255\172\052\064\162\160\061\153\307
-\031\230\200\311\202\336\067\167\136\124\213\216\362\352\147\117
-\311\164\204\221\126\011\325\345\172\232\201\266\201\302\255\066
-\344\361\124\021\123\363\064\105\001\046\310\345\032\274\064\104
-\041\336\255\045\374\166\026\167\041\220\200\230\127\235\116\352
-\354\057\252\074\024\173\127\301\176\030\024\147\356\044\306\275
-\272\025\260\322\030\275\267\125\201\254\123\300\350\335\151\022
-\023\102\267\002\265\005\101\312\171\120\156\202\016\161\162\223
-\106\350\235\015\135\275\256\316\051\255\143\325\125\026\200\060
-\047\377\166\272\367\270\326\112\343\331\265\371\122\320\116\100
-\251\307\345\302\062\307\252\166\044\341\153\005\120\353\305\277
-\012\124\345\271\102\074\044\373\267\007\234\060\237\171\132\346
-\340\100\122\025\364\374\252\364\126\371\104\227\207\355\016\145
-\162\136\276\046\373\115\244\055\010\007\336\330\134\240\334\201
-\063\231\030\045\021\167\247\353\375\130\011\054\231\153\033\212
-\363\122\077\032\115\110\140\361\240\366\063\002\123\213\355\045
-\011\270\015\055\355\227\163\354\327\226\037\216\140\016\332\020
-\233\057\030\044\366\246\115\012\371\073\313\165\302\314\057\316
-\044\151\311\012\042\216\131\247\367\202\014\327\327\153\065\234
-\103\000\152\304\225\147\272\234\105\313\270\016\067\367\334\116
-\001\117\276\012\266\003\323\255\212\105\367\332\047\115\051\261
-\110\337\344\021\344\226\106\275\154\002\076\326\121\310\225\027
-\001\025\251\362\252\252\362\277\057\145\033\157\320\271\032\223
-\365\216\065\304\200\207\076\224\057\146\344\351\250\377\101\234
-\160\052\117\052\071\030\225\036\176\373\141\001\074\121\010\056
-\050\030\244\026\017\061\375\072\154\043\223\040\166\341\375\007
-\205\321\133\077\322\034\163\062\335\372\271\370\214\317\002\207
-\172\232\226\344\355\117\211\215\123\103\253\016\023\300\001\025
-\264\171\070\333\374\156\075\236\121\266\270\023\213\147\317\371
-\174\331\042\035\366\135\305\034\001\057\230\350\172\044\030\274
-\204\327\372\334\162\133\367\301\072\150
-END
-
-# Trust for Certificate "AOL Time Warner Root Certification Authority 2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "AOL Time Warner Root Certification Authority 2"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\374\041\232\166\021\057\166\301\305\010\203\074\232\057\242\272
-\204\254\010\172
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\001\132\231\303\326\117\251\113\074\073\261\243\253\047\114\277
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\203\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\035\060\033\006\003\125\004\012\023\024\101\117\114\040\124
-\151\155\145\040\127\141\162\156\145\162\040\111\156\143\056\061
-\034\060\032\006\003\125\004\013\023\023\101\155\145\162\151\143
-\141\040\117\156\154\151\156\145\040\111\156\143\056\061\067\060
-\065\006\003\125\004\003\023\056\101\117\114\040\124\151\155\145
-\040\127\141\162\156\145\162\040\122\157\157\164\040\103\145\162
-\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157
-\162\151\164\171\040\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "beTRUSTed Root CA-Baltimore Implementation"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "beTRUSTed Root CA-Baltimore Implementation"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\146\061\022\060\020\006\003\125\004\012\023\011\142\145\124
-\122\125\123\124\145\144\061\033\060\031\006\003\125\004\013\023
-\022\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040
-\103\101\163\061\063\060\061\006\003\125\004\003\023\052\142\145
-\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\055
-\102\141\154\164\151\155\157\162\145\040\111\155\160\154\145\155
-\145\156\164\141\164\151\157\156
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\146\061\022\060\020\006\003\125\004\012\023\011\142\145\124
-\122\125\123\124\145\144\061\033\060\031\006\003\125\004\013\023
-\022\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040
-\103\101\163\061\063\060\061\006\003\125\004\003\023\052\142\145
-\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\055
-\102\141\154\164\151\155\157\162\145\040\111\155\160\154\145\155
-\145\156\164\141\164\151\157\156
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\074\265\075\106
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\152\060\202\004\122\240\003\002\001\002\002\004\074
-\265\075\106\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\060\146\061\022\060\020\006\003\125\004\012\023\011\142
-\145\124\122\125\123\124\145\144\061\033\060\031\006\003\125\004
-\013\023\022\142\145\124\122\125\123\124\145\144\040\122\157\157
-\164\040\103\101\163\061\063\060\061\006\003\125\004\003\023\052
-\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040\103
-\101\055\102\141\154\164\151\155\157\162\145\040\111\155\160\154
-\145\155\145\156\164\141\164\151\157\156\060\036\027\015\060\062
-\060\064\061\061\060\067\063\070\065\061\132\027\015\062\062\060
-\064\061\061\060\067\063\070\065\061\132\060\146\061\022\060\020
-\006\003\125\004\012\023\011\142\145\124\122\125\123\124\145\144
-\061\033\060\031\006\003\125\004\013\023\022\142\145\124\122\125
-\123\124\145\144\040\122\157\157\164\040\103\101\163\061\063\060
-\061\006\003\125\004\003\023\052\142\145\124\122\125\123\124\145
-\144\040\122\157\157\164\040\103\101\055\102\141\154\164\151\155
-\157\162\145\040\111\155\160\154\145\155\145\156\164\141\164\151
-\157\156\060\202\001\042\060\015\006\011\052\206\110\206\367\015
-\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202
-\001\001\000\274\176\304\071\234\214\343\326\034\206\377\312\142
-\255\340\177\060\105\172\216\032\263\270\307\371\321\066\377\042
-\363\116\152\137\204\020\373\146\201\303\224\171\061\322\221\341
-\167\216\030\052\303\024\336\121\365\117\243\053\274\030\026\342
-\265\335\171\336\042\370\202\176\313\201\037\375\047\054\217\372
-\227\144\042\216\370\377\141\243\234\033\036\222\217\300\250\011
-\337\011\021\354\267\175\061\232\032\352\203\041\006\074\237\272
-\134\377\224\352\152\270\303\153\125\064\117\075\062\037\335\201
-\024\340\304\074\315\235\060\370\060\251\227\323\356\314\243\320
-\037\137\034\023\201\324\030\253\224\321\143\303\236\177\065\222
-\236\137\104\352\354\364\042\134\267\350\075\175\244\371\211\251
-\221\262\052\331\353\063\207\356\245\375\343\332\314\210\346\211
-\046\156\307\053\202\320\136\235\131\333\024\354\221\203\005\303
-\136\016\306\052\320\004\335\161\075\040\116\130\047\374\123\373
-\170\170\031\024\262\374\220\122\211\070\142\140\007\264\240\354
-\254\153\120\326\375\271\050\153\357\122\055\072\262\377\361\001
-\100\254\067\002\003\001\000\001\243\202\002\036\060\202\002\032
-\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001
-\377\060\202\001\265\006\003\125\035\040\004\202\001\254\060\202
-\001\250\060\202\001\244\006\017\053\006\001\004\001\261\076\000
-\000\001\011\050\203\221\061\060\202\001\217\060\202\001\110\006
-\010\053\006\001\005\005\007\002\002\060\202\001\072\032\202\001
-\066\122\145\154\151\141\156\143\145\040\157\156\040\157\162\040
-\165\163\145\040\157\146\040\164\150\151\163\040\103\145\162\164
-\151\146\151\143\141\164\145\040\143\162\145\141\164\145\163\040
-\141\156\040\141\143\153\156\157\167\154\145\144\147\155\145\156
-\164\040\141\156\144\040\141\143\143\145\160\164\141\156\143\145
-\040\157\146\040\164\150\145\040\164\150\145\156\040\141\160\160
-\154\151\143\141\142\154\145\040\163\164\141\156\144\141\162\144
-\040\164\145\162\155\163\040\141\156\144\040\143\157\156\144\151
-\164\151\157\156\163\040\157\146\040\165\163\145\054\040\164\150
-\145\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040
-\120\162\141\143\164\151\143\145\040\123\164\141\164\145\155\145
-\156\164\040\141\156\144\040\164\150\145\040\122\145\154\171\151
-\156\147\040\120\141\162\164\171\040\101\147\162\145\145\155\145
-\156\164\054\040\167\150\151\143\150\040\143\141\156\040\142\145
-\040\146\157\165\156\144\040\141\164\040\164\150\145\040\142\145
-\124\122\125\123\124\145\144\040\167\145\142\040\163\151\164\145
-\054\040\150\164\164\160\072\057\057\167\167\167\056\142\145\164
-\162\165\163\164\145\144\056\143\157\155\057\160\162\157\144\165
-\143\164\163\137\163\145\162\166\151\143\145\163\057\151\156\144
-\145\170\056\150\164\155\154\060\101\006\010\053\006\001\005\005
-\007\002\001\026\065\150\164\164\160\072\057\057\167\167\167\056
-\142\145\164\162\165\163\164\145\144\056\143\157\155\057\160\162
-\157\144\165\143\164\163\137\163\145\162\166\151\143\145\163\057
-\151\156\144\145\170\056\150\164\155\154\060\035\006\003\125\035
-\016\004\026\004\024\105\075\303\251\321\334\077\044\126\230\034
-\163\030\210\152\377\203\107\355\266\060\037\006\003\125\035\043
-\004\030\060\026\200\024\105\075\303\251\321\334\077\044\126\230
-\034\163\030\210\152\377\203\107\355\266\060\016\006\003\125\035
-\017\001\001\377\004\004\003\002\001\006\060\015\006\011\052\206
-\110\206\367\015\001\001\005\005\000\003\202\001\001\000\111\222
-\274\243\356\254\275\372\015\311\213\171\206\034\043\166\260\200
-\131\167\374\332\177\264\113\337\303\144\113\152\116\016\255\362
-\175\131\167\005\255\012\211\163\260\372\274\313\334\215\000\210
-\217\246\240\262\352\254\122\047\277\241\110\174\227\020\173\272
-\355\023\035\232\007\156\313\061\142\022\350\143\003\252\175\155
-\343\370\033\166\041\170\033\237\113\103\214\323\111\206\366\033
-\134\366\056\140\025\323\351\343\173\165\077\320\002\203\320\030
-\202\101\315\145\067\352\216\062\176\275\153\231\135\060\021\310
-\333\110\124\034\073\341\247\023\323\152\110\223\367\075\214\177
-\005\350\316\363\210\052\143\004\270\352\176\130\174\001\173\133
-\341\305\175\357\041\340\215\016\135\121\175\261\147\375\243\275
-\070\066\306\362\070\206\207\032\226\150\140\106\373\050\024\107
-\125\341\247\200\014\153\342\352\337\115\174\220\110\240\066\275
-\011\027\211\177\303\362\323\234\234\343\335\304\033\335\365\267
-\161\263\123\005\211\006\320\313\112\200\301\310\123\220\265\074
-\061\210\027\120\237\311\304\016\213\330\250\002\143\015
-END
-
-# Trust for Certificate "beTRUSTed Root CA-Baltimore Implementation"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "beTRUSTed Root CA-Baltimore Implementation"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\334\273\236\267\031\113\304\162\005\301\021\165\051\206\203\133
-\123\312\344\370
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\201\065\271\373\373\022\312\030\151\066\353\256\151\170\241\361
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\146\061\022\060\020\006\003\125\004\012\023\011\142\145\124
-\122\125\123\124\145\144\061\033\060\031\006\003\125\004\013\023
-\022\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040
-\103\101\163\061\063\060\061\006\003\125\004\003\023\052\142\145
-\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\055
-\102\141\154\164\151\155\157\162\145\040\111\155\160\154\145\155
-\145\156\164\141\164\151\157\156
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\074\265\075\106
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "beTRUSTed Root CA - Entrust Implementation"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "beTRUSTed Root CA - Entrust Implementation"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\146\061\022\060\020\006\003\125\004\012\023\011\142\145\124
-\122\125\123\124\145\144\061\033\060\031\006\003\125\004\013\023
-\022\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040
-\103\101\163\061\063\060\061\006\003\125\004\003\023\052\142\145
-\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\040
-\055\040\105\156\164\162\165\163\164\040\111\155\160\154\145\155
-\145\156\164\141\164\151\157\156
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\146\061\022\060\020\006\003\125\004\012\023\011\142\145\124
-\122\125\123\124\145\144\061\033\060\031\006\003\125\004\013\023
-\022\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040
-\103\101\163\061\063\060\061\006\003\125\004\003\023\052\142\145
-\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\040
-\055\040\105\156\164\162\165\163\164\040\111\155\160\154\145\155
-\145\156\164\141\164\151\157\156
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\074\265\117\100
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\006\121\060\202\005\071\240\003\002\001\002\002\004\074
-\265\117\100\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\060\146\061\022\060\020\006\003\125\004\012\023\011\142
-\145\124\122\125\123\124\145\144\061\033\060\031\006\003\125\004
-\013\023\022\142\145\124\122\125\123\124\145\144\040\122\157\157
-\164\040\103\101\163\061\063\060\061\006\003\125\004\003\023\052
-\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040\103
-\101\040\055\040\105\156\164\162\165\163\164\040\111\155\160\154
-\145\155\145\156\164\141\164\151\157\156\060\036\027\015\060\062
-\060\064\061\061\060\070\062\064\062\067\132\027\015\062\062\060
-\064\061\061\060\070\065\064\062\067\132\060\146\061\022\060\020
-\006\003\125\004\012\023\011\142\145\124\122\125\123\124\145\144
-\061\033\060\031\006\003\125\004\013\023\022\142\145\124\122\125
-\123\124\145\144\040\122\157\157\164\040\103\101\163\061\063\060
-\061\006\003\125\004\003\023\052\142\145\124\122\125\123\124\145
-\144\040\122\157\157\164\040\103\101\040\055\040\105\156\164\162
-\165\163\164\040\111\155\160\154\145\155\145\156\164\141\164\151
-\157\156\060\202\001\042\060\015\006\011\052\206\110\206\367\015
-\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202
-\001\001\000\272\364\104\003\252\022\152\265\103\354\125\222\266
-\060\175\065\127\014\333\363\015\047\156\114\367\120\250\233\116
-\053\157\333\365\255\034\113\135\263\251\301\376\173\104\353\133
-\243\005\015\037\305\064\053\060\000\051\361\170\100\262\244\377
-\072\364\001\210\027\176\346\324\046\323\272\114\352\062\373\103
-\167\227\207\043\305\333\103\243\365\052\243\121\136\341\073\322
-\145\151\176\125\025\233\172\347\151\367\104\340\127\265\025\350
-\146\140\017\015\003\373\202\216\243\350\021\173\154\276\307\143
-\016\027\223\337\317\113\256\156\163\165\340\363\252\271\244\300
-\011\033\205\352\161\051\210\101\062\371\360\052\016\154\011\362
-\164\153\146\154\122\023\037\030\274\324\076\367\330\156\040\236
-\312\376\374\041\224\356\023\050\113\327\134\136\014\146\356\351
-\273\017\301\064\261\177\010\166\363\075\046\160\311\213\045\035
-\142\044\014\352\034\165\116\300\022\344\272\023\035\060\051\055
-\126\063\005\273\227\131\176\306\111\117\211\327\057\044\250\266
-\210\100\265\144\222\123\126\044\344\242\240\205\263\136\220\264
-\022\063\315\002\003\001\000\001\243\202\003\005\060\202\003\001
-\060\202\001\267\006\003\125\035\040\004\202\001\256\060\202\001
-\252\060\202\001\246\006\017\053\006\001\004\001\261\076\000\000
-\002\011\050\203\221\061\060\202\001\221\060\202\001\111\006\010
-\053\006\001\005\005\007\002\002\060\202\001\073\032\202\001\067
-\122\145\154\151\141\156\143\145\040\157\156\040\157\162\040\165
-\163\145\040\157\146\040\164\150\151\163\040\103\145\162\164\151
-\146\151\143\141\164\145\040\143\162\145\141\164\145\163\040\141
-\156\040\141\143\153\156\157\167\154\145\144\147\155\145\156\164
-\040\141\156\144\040\141\143\143\145\160\164\141\156\143\145\040
-\157\146\040\164\150\145\040\164\150\145\156\040\141\160\160\154
-\151\143\141\142\154\145\040\163\164\141\156\144\141\162\144\040
-\164\145\162\155\163\040\141\156\144\040\143\157\156\144\151\164
-\151\157\156\163\040\157\146\040\165\163\145\054\040\164\150\145
-\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\120
-\162\141\143\164\151\143\145\040\123\164\141\164\145\155\145\156
-\164\040\141\156\144\040\164\150\145\040\122\145\154\171\151\156
-\147\040\120\141\162\164\171\040\101\147\162\145\145\155\145\156
-\164\054\040\167\150\151\143\150\040\143\141\156\040\142\145\040
-\146\157\165\156\144\040\141\164\040\164\150\145\040\142\145\124
-\122\125\123\124\145\144\040\167\145\142\040\163\151\164\145\054
-\040\150\164\164\160\163\072\057\057\167\167\167\056\142\145\164
-\162\165\163\164\145\144\056\143\157\155\057\160\162\157\144\165
-\143\164\163\137\163\145\162\166\151\143\145\163\057\151\156\144
-\145\170\056\150\164\155\154\060\102\006\010\053\006\001\005\005
-\007\002\001\026\066\150\164\164\160\163\072\057\057\167\167\167
-\056\142\145\164\162\165\163\164\145\144\056\143\157\155\057\160
-\162\157\144\165\143\164\163\137\163\145\162\166\151\143\145\163
-\057\151\156\144\145\170\056\150\164\155\154\060\021\006\011\140
-\206\110\001\206\370\102\001\001\004\004\003\002\000\007\060\201
-\211\006\003\125\035\037\004\201\201\060\177\060\175\240\173\240
-\171\244\167\060\165\061\022\060\020\006\003\125\004\012\023\011
-\142\145\124\122\125\123\124\145\144\061\033\060\031\006\003\125
-\004\013\023\022\142\145\124\122\125\123\124\145\144\040\122\157
-\157\164\040\103\101\163\061\063\060\061\006\003\125\004\003\023
-\052\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040
-\103\101\040\055\040\105\156\164\162\165\163\164\040\111\155\160
-\154\145\155\145\156\164\141\164\151\157\156\061\015\060\013\006
-\003\125\004\003\023\004\103\122\114\061\060\053\006\003\125\035
-\020\004\044\060\042\200\017\062\060\060\062\060\064\061\061\060
-\070\062\064\062\067\132\201\017\062\060\062\062\060\064\061\061
-\060\070\065\064\062\067\132\060\013\006\003\125\035\017\004\004
-\003\002\001\006\060\037\006\003\125\035\043\004\030\060\026\200
-\024\175\160\345\256\070\213\006\077\252\034\032\217\371\317\044
-\060\252\204\204\026\060\035\006\003\125\035\016\004\026\004\024
-\175\160\345\256\070\213\006\077\252\034\032\217\371\317\044\060
-\252\204\204\026\060\014\006\003\125\035\023\004\005\060\003\001
-\001\377\060\035\006\011\052\206\110\206\366\175\007\101\000\004
-\020\060\016\033\010\126\066\056\060\072\064\056\060\003\002\004
-\220\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000
-\003\202\001\001\000\052\270\027\316\037\020\224\353\270\232\267
-\271\137\354\332\367\222\044\254\334\222\073\307\040\215\362\231
-\345\135\070\241\302\064\355\305\023\131\134\005\265\053\117\141
-\233\221\373\101\374\374\325\074\115\230\166\006\365\201\175\353
-\335\220\346\321\126\124\332\343\055\014\237\021\062\224\042\001
-\172\366\154\054\164\147\004\314\245\217\216\054\263\103\265\224
-\242\320\175\351\142\177\006\276\047\001\203\236\072\375\212\356
-\230\103\112\153\327\265\227\073\072\277\117\155\264\143\372\063
-\000\064\056\055\155\226\311\173\312\231\143\272\276\364\366\060
-\240\055\230\226\351\126\104\005\251\104\243\141\020\353\202\241
-\147\135\274\135\047\165\252\212\050\066\052\070\222\331\335\244
-\136\000\245\314\314\174\051\052\336\050\220\253\267\341\266\377
-\175\045\013\100\330\252\064\243\055\336\007\353\137\316\012\335
-\312\176\072\175\046\301\142\150\072\346\057\067\363\201\206\041
-\304\251\144\252\357\105\066\321\032\146\174\370\351\067\326\326
-\141\276\242\255\110\347\337\346\164\376\323\155\175\322\045\334
-\254\142\127\251\367
-END
-
-# Trust for Certificate "beTRUSTed Root CA - Entrust Implementation"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "beTRUSTed Root CA - Entrust Implementation"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\162\231\171\023\354\233\015\256\145\321\266\327\262\112\166\243
-\256\302\356\026
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\175\206\220\217\133\361\362\100\300\367\075\142\265\244\251\073
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\146\061\022\060\020\006\003\125\004\012\023\011\142\145\124
-\122\125\123\124\145\144\061\033\060\031\006\003\125\004\013\023
-\022\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040
-\103\101\163\061\063\060\061\006\003\125\004\003\023\052\142\145
-\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\040
-\055\040\105\156\164\162\165\163\164\040\111\155\160\154\145\155
-\145\156\164\141\164\151\157\156
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\074\265\117\100
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "beTRUSTed Root CA - RSA Implementation"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "beTRUSTed Root CA - RSA Implementation"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\142\061\022\060\020\006\003\125\004\012\023\011\142\145\124
-\122\125\123\124\145\144\061\033\060\031\006\003\125\004\013\023
-\022\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040
-\103\101\163\061\057\060\055\006\003\125\004\003\023\046\142\145
-\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\040
-\055\040\122\123\101\040\111\155\160\154\145\155\145\156\164\141
-\164\151\157\156
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\142\061\022\060\020\006\003\125\004\012\023\011\142\145\124
-\122\125\123\124\145\144\061\033\060\031\006\003\125\004\013\023
-\022\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040
-\103\101\163\061\057\060\055\006\003\125\004\003\023\046\142\145
-\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\040
-\055\040\122\123\101\040\111\155\160\154\145\155\145\156\164\141
-\164\151\157\156
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\073\131\307\173\315\133\127\236\275\067\122\254\166\264
-\252\032
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\150\060\202\004\120\240\003\002\001\002\002\020\073
-\131\307\173\315\133\127\236\275\067\122\254\166\264\252\032\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\142
-\061\022\060\020\006\003\125\004\012\023\011\142\145\124\122\125
-\123\124\145\144\061\033\060\031\006\003\125\004\013\023\022\142
-\145\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101
-\163\061\057\060\055\006\003\125\004\003\023\046\142\145\124\122
-\125\123\124\145\144\040\122\157\157\164\040\103\101\040\055\040
-\122\123\101\040\111\155\160\154\145\155\145\156\164\141\164\151
-\157\156\060\036\027\015\060\062\060\064\061\061\061\061\061\070
-\061\063\132\027\015\062\062\060\064\061\062\061\061\060\067\062
-\065\132\060\142\061\022\060\020\006\003\125\004\012\023\011\142
-\145\124\122\125\123\124\145\144\061\033\060\031\006\003\125\004
-\013\023\022\142\145\124\122\125\123\124\145\144\040\122\157\157
-\164\040\103\101\163\061\057\060\055\006\003\125\004\003\023\046
-\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040\103
-\101\040\055\040\122\123\101\040\111\155\160\154\145\155\145\156
-\164\141\164\151\157\156\060\202\001\042\060\015\006\011\052\206
-\110\206\367\015\001\001\001\005\000\003\202\001\017\000\060\202
-\001\012\002\202\001\001\000\344\272\064\060\011\216\127\320\271
-\006\054\157\156\044\200\042\277\135\103\246\372\117\254\202\347
-\034\150\160\205\033\243\156\265\252\170\331\156\007\113\077\351
-\337\365\352\350\124\241\141\212\016\057\151\165\030\267\014\345
-\024\215\161\156\230\270\125\374\014\225\320\233\156\341\055\210
-\324\072\100\153\222\361\231\226\144\336\333\377\170\364\356\226
-\035\107\211\174\324\276\271\210\167\043\072\011\346\004\236\155
-\252\136\322\310\275\232\116\031\337\211\352\133\016\176\303\344
-\264\360\340\151\073\210\017\101\220\370\324\161\103\044\301\217
-\046\113\073\126\351\377\214\154\067\351\105\255\205\214\123\303
-\140\206\220\112\226\311\263\124\260\273\027\360\034\105\331\324
-\033\031\144\126\012\031\367\314\341\377\206\257\176\130\136\254
-\172\220\037\311\050\071\105\173\242\266\307\234\037\332\205\324
-\041\206\131\060\223\276\123\063\067\366\357\101\317\063\307\253
-\162\153\045\365\363\123\033\014\114\056\361\165\113\357\240\207
-\367\376\212\025\320\154\325\313\371\150\123\271\160\025\023\302
-\365\056\373\103\065\165\055\002\003\001\000\001\243\202\002\030
-\060\202\002\024\060\014\006\003\125\035\023\004\005\060\003\001
-\001\377\060\202\001\265\006\003\125\035\040\004\202\001\254\060
-\202\001\250\060\202\001\244\006\017\053\006\001\004\001\261\076
-\000\000\003\011\050\203\221\061\060\202\001\217\060\101\006\010
-\053\006\001\005\005\007\002\001\026\065\150\164\164\160\072\057
-\057\167\167\167\056\142\145\164\162\165\163\164\145\144\056\143
-\157\155\057\160\162\157\144\165\143\164\163\137\163\145\162\166
-\151\143\145\163\057\151\156\144\145\170\056\150\164\155\154\060
-\202\001\110\006\010\053\006\001\005\005\007\002\002\060\202\001
-\072\032\202\001\066\122\145\154\151\141\156\143\145\040\157\156
-\040\157\162\040\165\163\145\040\157\146\040\164\150\151\163\040
-\103\145\162\164\151\146\151\143\141\164\145\040\143\162\145\141
-\164\145\163\040\141\156\040\141\143\153\156\157\167\154\145\144
-\147\155\145\156\164\040\141\156\144\040\141\143\143\145\160\164
-\141\156\143\145\040\157\146\040\164\150\145\040\164\150\145\156
-\040\141\160\160\154\151\143\141\142\154\145\040\163\164\141\156
-\144\141\162\144\040\164\145\162\155\163\040\141\156\144\040\143
-\157\156\144\151\164\151\157\156\163\040\157\146\040\165\163\145
-\054\040\164\150\145\040\103\145\162\164\151\146\151\143\141\164
-\151\157\156\040\120\162\141\143\164\151\143\145\040\123\164\141
-\164\145\155\145\156\164\040\141\156\144\040\164\150\145\040\122
-\145\154\171\151\156\147\040\120\141\162\164\171\040\101\147\162
-\145\145\155\145\156\164\054\040\167\150\151\143\150\040\143\141
-\156\040\142\145\040\146\157\165\156\144\040\141\164\040\164\150
-\145\040\142\145\124\122\125\123\124\145\144\040\167\145\142\040
-\163\151\164\145\054\040\150\164\164\160\072\057\057\167\167\167
-\056\142\145\164\162\165\163\164\145\144\056\143\157\155\057\160
-\162\157\144\165\143\164\163\137\163\145\162\166\151\143\145\163
-\057\151\156\144\145\170\056\150\164\155\154\060\013\006\003\125
-\035\017\004\004\003\002\001\006\060\037\006\003\125\035\043\004
-\030\060\026\200\024\251\354\024\176\371\331\103\314\123\053\024
-\255\317\367\360\131\211\101\315\031\060\035\006\003\125\035\016
-\004\026\004\024\251\354\024\176\371\331\103\314\123\053\024\255
-\317\367\360\131\211\101\315\031\060\015\006\011\052\206\110\206
-\367\015\001\001\005\005\000\003\202\001\001\000\333\227\260\165
-\352\014\304\301\230\312\126\005\300\250\255\046\110\257\055\040
-\350\201\307\266\337\103\301\054\035\165\113\324\102\215\347\172
-\250\164\334\146\102\131\207\263\365\151\155\331\251\236\263\175
-\034\061\301\365\124\342\131\044\111\345\356\275\071\246\153\212
-\230\104\373\233\327\052\203\227\064\055\307\175\065\114\055\064
-\270\076\015\304\354\210\047\257\236\222\375\120\141\202\250\140
-\007\024\123\314\145\023\301\366\107\104\151\322\061\310\246\335
-\056\263\013\336\112\215\133\075\253\015\302\065\122\242\126\067
-\314\062\213\050\205\102\234\221\100\172\160\053\070\066\325\341
-\163\032\037\345\372\176\137\334\326\234\073\060\352\333\300\133
-\047\134\323\163\007\301\302\363\114\233\157\237\033\312\036\252
-\250\070\063\011\130\262\256\374\007\350\066\334\125\272\057\117
-\100\376\172\275\006\246\201\301\223\042\174\206\021\012\006\167
-\110\256\065\267\057\062\232\141\136\213\276\051\237\051\044\210
-\126\071\054\250\322\253\226\003\132\324\110\237\271\100\204\013
-\230\150\373\001\103\326\033\342\011\261\227\034
-END
-
-# Trust for Certificate "beTRUSTed Root CA - RSA Implementation"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "beTRUSTed Root CA - RSA Implementation"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\035\202\131\312\041\047\303\313\301\154\331\062\366\054\145\051
-\214\250\207\022
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\206\102\005\011\274\247\235\354\035\363\056\016\272\330\035\320
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\142\061\022\060\020\006\003\125\004\012\023\011\142\145\124
-\122\125\123\124\145\144\061\033\060\031\006\003\125\004\013\023
-\022\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040
-\103\101\163\061\057\060\055\006\003\125\004\003\023\046\142\145
-\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\040
-\055\040\122\123\101\040\111\155\160\154\145\155\145\156\164\141
-\164\151\157\156
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\073\131\307\173\315\133\127\236\275\067\122\254\166\264
-\252\032
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "RSA Security 2048 v3"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "RSA Security 2048 v3"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\072\061\031\060\027\006\003\125\004\012\023\020\122\123\101
-\040\123\145\143\165\162\151\164\171\040\111\156\143\061\035\060
-\033\006\003\125\004\013\023\024\122\123\101\040\123\145\143\165
-\162\151\164\171\040\062\060\064\070\040\126\063
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\072\061\031\060\027\006\003\125\004\012\023\020\122\123\101
-\040\123\145\143\165\162\151\164\171\040\111\156\143\061\035\060
-\033\006\003\125\004\013\023\024\122\123\101\040\123\145\143\165
-\162\151\164\171\040\062\060\064\070\040\126\063
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\012\001\001\001\000\000\002\174\000\000\000\012\000\000
-\000\002
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\141\060\202\002\111\240\003\002\001\002\002\020\012
-\001\001\001\000\000\002\174\000\000\000\012\000\000\000\002\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\072
-\061\031\060\027\006\003\125\004\012\023\020\122\123\101\040\123
-\145\143\165\162\151\164\171\040\111\156\143\061\035\060\033\006
-\003\125\004\013\023\024\122\123\101\040\123\145\143\165\162\151
-\164\171\040\062\060\064\070\040\126\063\060\036\027\015\060\061
-\060\062\062\062\062\060\063\071\062\063\132\027\015\062\066\060
-\062\062\062\062\060\063\071\062\063\132\060\072\061\031\060\027
-\006\003\125\004\012\023\020\122\123\101\040\123\145\143\165\162
-\151\164\171\040\111\156\143\061\035\060\033\006\003\125\004\013
-\023\024\122\123\101\040\123\145\143\165\162\151\164\171\040\062
-\060\064\070\040\126\063\060\202\001\042\060\015\006\011\052\206
-\110\206\367\015\001\001\001\005\000\003\202\001\017\000\060\202
-\001\012\002\202\001\001\000\267\217\125\161\322\200\335\173\151
-\171\247\360\030\120\062\074\142\147\366\012\225\007\335\346\033
-\363\236\331\322\101\124\153\255\237\174\276\031\315\373\106\253
-\101\150\036\030\352\125\310\057\221\170\211\050\373\047\051\140
-\377\337\217\214\073\311\111\233\265\244\224\316\001\352\076\265
-\143\173\177\046\375\031\335\300\041\275\204\321\055\117\106\303
-\116\334\330\067\071\073\050\257\313\235\032\352\053\257\041\245
-\301\043\042\270\270\033\132\023\207\127\203\321\360\040\347\350
-\117\043\102\260\000\245\175\211\351\351\141\163\224\230\161\046
-\274\055\152\340\367\115\360\361\266\052\070\061\201\015\051\341
-\000\301\121\017\114\122\370\004\132\252\175\162\323\270\207\052
-\273\143\020\003\052\263\241\117\015\132\136\106\267\075\016\365
-\164\354\231\237\371\075\044\201\210\246\335\140\124\350\225\066
-\075\306\011\223\232\243\022\200\000\125\231\031\107\275\320\245
-\174\303\272\373\037\367\365\017\370\254\271\265\364\067\230\023
-\030\336\205\133\267\014\202\073\207\157\225\071\130\060\332\156
-\001\150\027\042\314\300\013\002\003\001\000\001\243\143\060\141
-\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001
-\377\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001
-\006\060\037\006\003\125\035\043\004\030\060\026\200\024\007\303
-\121\060\244\252\351\105\256\065\044\372\377\044\054\063\320\261
-\235\214\060\035\006\003\125\035\016\004\026\004\024\007\303\121
-\060\244\252\351\105\256\065\044\372\377\044\054\063\320\261\235
-\214\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000
-\003\202\001\001\000\137\076\206\166\156\270\065\074\116\066\034
-\036\171\230\277\375\325\022\021\171\122\016\356\061\211\274\335
-\177\371\321\306\025\041\350\212\001\124\015\072\373\124\271\326
-\143\324\261\252\226\115\242\102\115\324\123\037\213\020\336\177
-\145\276\140\023\047\161\210\244\163\343\204\143\321\244\125\341
-\120\223\346\033\016\171\320\147\274\106\310\277\077\027\015\225
-\346\306\220\151\336\347\264\057\336\225\175\320\022\077\075\076
-\177\115\077\024\150\365\021\120\325\301\364\220\245\010\035\061
-\140\377\140\214\043\124\012\257\376\241\156\305\321\172\052\150
-\170\317\036\202\012\040\264\037\255\345\205\262\152\150\165\116
-\255\045\067\224\205\276\275\241\324\352\267\014\113\074\235\350
-\022\000\360\137\254\015\341\254\160\143\163\367\177\171\237\062
-\045\102\164\005\200\050\277\275\301\044\226\130\025\261\027\041
-\351\211\113\333\007\210\147\364\025\255\160\076\057\115\205\073
-\302\267\333\376\230\150\043\211\341\164\017\336\364\305\204\143
-\051\033\314\313\007\311\000\244\251\327\302\042\117\147\327\167
-\354\040\005\141\336
-END
-
-# Trust for Certificate "RSA Security 2048 v3"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "RSA Security 2048 v3"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\045\001\220\031\317\373\331\231\034\267\150\045\164\215\224\137
-\060\223\225\102
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\167\015\031\261\041\375\000\102\234\076\014\245\335\013\002\216
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\072\061\031\060\027\006\003\125\004\012\023\020\122\123\101
-\040\123\145\143\165\162\151\164\171\040\111\156\143\061\035\060
-\033\006\003\125\004\013\023\024\122\123\101\040\123\145\143\165
-\162\151\164\171\040\062\060\064\070\040\126\063
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\012\001\001\001\000\000\002\174\000\000\000\012\000\000
-\000\002
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "RSA Security 1024 v3"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "RSA Security 1024 v3"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\072\061\031\060\027\006\003\125\004\012\023\020\122\123\101
-\040\123\145\143\165\162\151\164\171\040\111\156\143\061\035\060
-\033\006\003\125\004\013\023\024\122\123\101\040\123\145\143\165
-\162\151\164\171\040\061\060\062\064\040\126\063
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\072\061\031\060\027\006\003\125\004\012\023\020\122\123\101
-\040\123\145\143\165\162\151\164\171\040\111\156\143\061\035\060
-\033\006\003\125\004\013\023\024\122\123\101\040\123\145\143\165
-\162\151\164\171\040\061\060\062\064\040\126\063
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\012\001\001\001\000\000\002\174\000\000\000\013\000\000
-\000\002
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\134\060\202\001\305\240\003\002\001\002\002\020\012
-\001\001\001\000\000\002\174\000\000\000\013\000\000\000\002\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\072
-\061\031\060\027\006\003\125\004\012\023\020\122\123\101\040\123
-\145\143\165\162\151\164\171\040\111\156\143\061\035\060\033\006
-\003\125\004\013\023\024\122\123\101\040\123\145\143\165\162\151
-\164\171\040\061\060\062\064\040\126\063\060\036\027\015\060\061
-\060\062\062\062\062\061\060\061\064\071\132\027\015\062\066\060
-\062\062\062\062\060\060\061\064\071\132\060\072\061\031\060\027
-\006\003\125\004\012\023\020\122\123\101\040\123\145\143\165\162
-\151\164\171\040\111\156\143\061\035\060\033\006\003\125\004\013
-\023\024\122\123\101\040\123\145\143\165\162\151\164\171\040\061
-\060\062\064\040\126\063\060\201\237\060\015\006\011\052\206\110
-\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002
-\201\201\000\325\335\376\146\011\317\044\074\076\256\201\116\116
-\212\304\151\200\133\131\073\337\271\115\114\312\265\055\303\047
-\055\074\257\000\102\155\274\050\246\226\317\177\327\130\254\203
-\012\243\125\265\173\027\220\025\204\114\212\356\046\231\334\130
-\357\307\070\246\252\257\320\216\102\310\142\327\253\254\251\373
-\112\175\277\352\376\022\115\335\377\046\055\157\066\124\150\310
-\322\204\126\356\222\123\141\011\263\077\071\233\250\311\233\275
-\316\237\176\324\031\152\026\051\030\276\327\072\151\334\045\133
-\063\032\121\002\003\001\000\001\243\143\060\141\060\017\006\003
-\125\035\023\001\001\377\004\005\060\003\001\001\377\060\016\006
-\003\125\035\017\001\001\377\004\004\003\002\001\006\060\037\006
-\003\125\035\043\004\030\060\026\200\024\304\300\034\244\007\224
-\375\315\115\001\324\124\332\245\014\137\336\256\005\132\060\035
-\006\003\125\035\016\004\026\004\024\304\300\034\244\007\224\375
-\315\115\001\324\124\332\245\014\137\336\256\005\132\060\015\006
-\011\052\206\110\206\367\015\001\001\005\005\000\003\201\201\000
-\077\055\152\343\046\103\225\175\211\227\145\373\165\344\162\035
-\106\127\304\141\153\151\237\022\233\054\325\132\350\300\242\360
-\103\225\343\037\351\166\315\334\353\274\223\240\145\012\307\115
-\117\137\247\257\242\106\024\271\014\363\314\275\152\156\267\235
-\336\045\102\320\124\377\236\150\163\143\334\044\353\042\277\250
-\162\362\136\000\341\015\116\072\103\156\231\116\077\211\170\003
-\230\312\363\125\314\235\256\216\301\252\105\230\372\217\032\240
-\215\210\043\361\025\101\015\245\106\076\221\077\213\353\367\161
-END
-
-# Trust for Certificate "RSA Security 1024 v3"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "RSA Security 1024 v3"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\074\273\135\340\374\326\071\174\005\210\345\146\227\275\106\052
-\275\371\134\166
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\072\345\120\260\071\276\307\106\066\063\241\376\202\076\215\224
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\072\061\031\060\027\006\003\125\004\012\023\020\122\123\101
-\040\123\145\143\165\162\151\164\171\040\111\156\143\061\035\060
-\033\006\003\125\004\013\023\024\122\123\101\040\123\145\143\165
-\162\151\164\171\040\061\060\062\064\040\126\063
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\012\001\001\001\000\000\002\174\000\000\000\013\000\000
-\000\002
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "GeoTrust Global CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "GeoTrust Global CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\102\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\026\060\024\006\003\125\004\012\023\015\107\145\157\124\162\165
-\163\164\040\111\156\143\056\061\033\060\031\006\003\125\004\003
-\023\022\107\145\157\124\162\165\163\164\040\107\154\157\142\141
-\154\040\103\101
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\102\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\026\060\024\006\003\125\004\012\023\015\107\145\157\124\162\165
-\163\164\040\111\156\143\056\061\033\060\031\006\003\125\004\003
-\023\022\107\145\157\124\162\165\163\164\040\107\154\157\142\141
-\154\040\103\101
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\003\002\064\126
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\124\060\202\002\074\240\003\002\001\002\002\003\002
-\064\126\060\015\006\011\052\206\110\206\367\015\001\001\005\005
-\000\060\102\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\026\060\024\006\003\125\004\012\023\015\107\145\157\124\162
-\165\163\164\040\111\156\143\056\061\033\060\031\006\003\125\004
-\003\023\022\107\145\157\124\162\165\163\164\040\107\154\157\142
-\141\154\040\103\101\060\036\027\015\060\062\060\065\062\061\060
-\064\060\060\060\060\132\027\015\062\062\060\065\062\061\060\064
-\060\060\060\060\132\060\102\061\013\060\011\006\003\125\004\006
-\023\002\125\123\061\026\060\024\006\003\125\004\012\023\015\107
-\145\157\124\162\165\163\164\040\111\156\143\056\061\033\060\031
-\006\003\125\004\003\023\022\107\145\157\124\162\165\163\164\040
-\107\154\157\142\141\154\040\103\101\060\202\001\042\060\015\006
-\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017
-\000\060\202\001\012\002\202\001\001\000\332\314\030\143\060\375
-\364\027\043\032\126\176\133\337\074\154\070\344\161\267\170\221
-\324\274\241\330\114\370\250\103\266\003\351\115\041\007\010\210
-\332\130\057\146\071\051\275\005\170\213\235\070\350\005\267\152
-\176\161\244\346\304\140\246\260\357\200\344\211\050\017\236\045
-\326\355\203\363\255\246\221\307\230\311\102\030\065\024\235\255
-\230\106\222\056\117\312\361\207\103\301\026\225\127\055\120\357
-\211\055\200\172\127\255\362\356\137\153\322\000\215\271\024\370
-\024\025\065\331\300\106\243\173\162\310\221\277\311\125\053\315
-\320\227\076\234\046\144\314\337\316\203\031\161\312\116\346\324
-\325\173\251\031\315\125\336\310\354\322\136\070\123\345\134\117
-\214\055\376\120\043\066\374\146\346\313\216\244\071\031\000\267
-\225\002\071\221\013\016\376\070\056\321\035\005\232\366\115\076
-\157\017\007\035\257\054\036\217\140\071\342\372\066\123\023\071
-\324\136\046\053\333\075\250\024\275\062\353\030\003\050\122\004
-\161\345\253\063\075\341\070\273\007\066\204\142\234\171\352\026
-\060\364\137\300\053\350\161\153\344\371\002\003\001\000\001\243
-\123\060\121\060\017\006\003\125\035\023\001\001\377\004\005\060
-\003\001\001\377\060\035\006\003\125\035\016\004\026\004\024\300
-\172\230\150\215\211\373\253\005\144\014\021\175\252\175\145\270
-\312\314\116\060\037\006\003\125\035\043\004\030\060\026\200\024
-\300\172\230\150\215\211\373\253\005\144\014\021\175\252\175\145
-\270\312\314\116\060\015\006\011\052\206\110\206\367\015\001\001
-\005\005\000\003\202\001\001\000\065\343\051\152\345\057\135\124
-\216\051\120\224\237\231\032\024\344\217\170\052\142\224\242\047
-\147\236\320\317\032\136\107\351\301\262\244\317\335\101\032\005
-\116\233\113\356\112\157\125\122\263\044\241\067\012\353\144\166
-\052\056\054\363\375\073\165\220\277\372\161\330\307\075\067\322
-\265\005\225\142\271\246\336\211\075\066\173\070\167\110\227\254
-\246\040\217\056\246\311\014\302\262\231\105\000\307\316\021\121
-\042\042\340\245\352\266\025\110\011\144\352\136\117\164\367\005
-\076\307\212\122\014\333\025\264\275\155\233\345\306\261\124\150
-\251\343\151\220\266\232\245\017\270\271\077\040\175\256\112\265
-\270\234\344\035\266\253\346\224\245\301\307\203\255\333\365\047
-\207\016\004\154\325\377\335\240\135\355\207\122\267\053\025\002
-\256\071\246\152\164\351\332\304\347\274\115\064\036\251\134\115
-\063\137\222\011\057\210\146\135\167\227\307\035\166\023\251\325
-\345\361\026\011\021\065\325\254\333\044\161\160\054\230\126\013
-\331\027\264\321\343\121\053\136\165\350\325\320\334\117\064\355
-\302\005\146\200\241\313\346\063
-END
-
-# Trust for Certificate "GeoTrust Global CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "GeoTrust Global CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\336\050\364\244\377\345\271\057\243\305\003\321\243\111\247\371
-\226\052\202\022
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\367\165\253\051\373\121\116\267\167\136\377\005\074\231\216\365
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\102\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\026\060\024\006\003\125\004\012\023\015\107\145\157\124\162\165
-\163\164\040\111\156\143\056\061\033\060\031\006\003\125\004\003
-\023\022\107\145\157\124\162\165\163\164\040\107\154\157\142\141
-\154\040\103\101
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\003\002\064\126
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "UTN-USER First-Network Applications"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "UTN-USER First-Network Applications"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\243\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060
-\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153
-\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023
-\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116
-\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023
-\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162
-\164\162\165\163\164\056\143\157\155\061\053\060\051\006\003\125
-\004\003\023\042\125\124\116\055\125\123\105\122\106\151\162\163
-\164\055\116\145\164\167\157\162\153\040\101\160\160\154\151\143
-\141\164\151\157\156\163
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\243\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060
-\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153
-\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023
-\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116
-\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023
-\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162
-\164\162\165\163\164\056\143\157\155\061\053\060\051\006\003\125
-\004\003\023\042\125\124\116\055\125\123\105\122\106\151\162\163
-\164\055\116\145\164\167\157\162\153\040\101\160\160\154\151\143
-\141\164\151\157\156\163
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\104\276\014\213\120\000\044\264\021\323\066\060\113\300
-\063\167
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\144\060\202\003\114\240\003\002\001\002\002\020\104
-\276\014\213\120\000\044\264\021\323\066\060\113\300\063\167\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201
-\243\061\013\060\011\006\003\125\004\006\023\002\125\123\061\013
-\060\011\006\003\125\004\010\023\002\125\124\061\027\060\025\006
-\003\125\004\007\023\016\123\141\154\164\040\114\141\153\145\040
-\103\151\164\171\061\036\060\034\006\003\125\004\012\023\025\124
-\150\145\040\125\123\105\122\124\122\125\123\124\040\116\145\164
-\167\157\162\153\061\041\060\037\006\003\125\004\013\023\030\150
-\164\164\160\072\057\057\167\167\167\056\165\163\145\162\164\162
-\165\163\164\056\143\157\155\061\053\060\051\006\003\125\004\003
-\023\042\125\124\116\055\125\123\105\122\106\151\162\163\164\055
-\116\145\164\167\157\162\153\040\101\160\160\154\151\143\141\164
-\151\157\156\163\060\036\027\015\071\071\060\067\060\071\061\070
-\064\070\063\071\132\027\015\061\071\060\067\060\071\061\070\065
-\067\064\071\132\060\201\243\061\013\060\011\006\003\125\004\006
-\023\002\125\123\061\013\060\011\006\003\125\004\010\023\002\125
-\124\061\027\060\025\006\003\125\004\007\023\016\123\141\154\164
-\040\114\141\153\145\040\103\151\164\171\061\036\060\034\006\003
-\125\004\012\023\025\124\150\145\040\125\123\105\122\124\122\125
-\123\124\040\116\145\164\167\157\162\153\061\041\060\037\006\003
-\125\004\013\023\030\150\164\164\160\072\057\057\167\167\167\056
-\165\163\145\162\164\162\165\163\164\056\143\157\155\061\053\060
-\051\006\003\125\004\003\023\042\125\124\116\055\125\123\105\122
-\106\151\162\163\164\055\116\145\164\167\157\162\153\040\101\160
-\160\154\151\143\141\164\151\157\156\163\060\202\001\042\060\015
-\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001
-\017\000\060\202\001\012\002\202\001\001\000\263\373\221\241\344
-\066\125\205\254\006\064\133\240\232\130\262\370\265\017\005\167
-\203\256\062\261\166\222\150\354\043\112\311\166\077\343\234\266
-\067\171\003\271\253\151\215\007\045\266\031\147\344\260\033\030
-\163\141\112\350\176\315\323\057\144\343\246\174\014\372\027\200
-\243\015\107\211\117\121\161\057\356\374\077\371\270\026\200\207
-\211\223\045\040\232\103\202\151\044\166\050\131\065\241\035\300
-\177\203\006\144\026\040\054\323\111\244\205\264\300\141\177\121
-\010\370\150\025\221\200\313\245\325\356\073\072\364\204\004\136
-\140\131\247\214\064\162\356\270\170\305\321\073\022\112\157\176
-\145\047\271\244\125\305\271\157\103\244\305\035\054\231\300\122
-\244\170\114\025\263\100\230\010\153\103\306\001\260\172\173\365
-\153\034\042\077\313\357\377\250\320\072\113\166\025\236\322\321
-\306\056\343\333\127\033\062\242\270\157\350\206\246\077\160\253
-\345\160\222\253\104\036\100\120\373\234\243\142\344\154\156\240
-\310\336\342\200\102\372\351\057\350\316\062\004\217\174\215\267
-\034\243\065\074\025\335\236\303\256\227\245\002\003\001\000\001
-\243\201\221\060\201\216\060\013\006\003\125\035\017\004\004\003
-\002\001\306\060\017\006\003\125\035\023\001\001\377\004\005\060
-\003\001\001\377\060\035\006\003\125\035\016\004\026\004\024\372
-\206\311\333\340\272\351\170\365\113\250\326\025\337\360\323\341
-\152\024\074\060\117\006\003\125\035\037\004\110\060\106\060\104
-\240\102\240\100\206\076\150\164\164\160\072\057\057\143\162\154
-\056\165\163\145\162\164\162\165\163\164\056\143\157\155\057\125
-\124\116\055\125\123\105\122\106\151\162\163\164\055\116\145\164
-\167\157\162\153\101\160\160\154\151\143\141\164\151\157\156\163
-\056\143\162\154\060\015\006\011\052\206\110\206\367\015\001\001
-\005\005\000\003\202\001\001\000\244\363\045\314\321\324\221\203
-\042\320\314\062\253\233\226\116\064\221\124\040\045\064\141\137
-\052\002\025\341\213\252\377\175\144\121\317\012\377\274\175\330
-\041\152\170\313\057\121\157\370\102\035\063\275\353\265\173\224
-\303\303\251\240\055\337\321\051\037\035\376\217\077\273\250\105
-\052\177\321\156\125\044\342\273\002\373\061\077\276\350\274\354
-\100\053\370\001\324\126\070\344\312\104\202\265\141\040\041\147
-\145\366\360\013\347\064\370\245\302\234\243\134\100\037\205\223
-\225\006\336\117\324\047\251\266\245\374\026\315\163\061\077\270
-\145\047\317\324\123\032\360\254\156\237\117\005\014\003\201\247
-\204\051\304\132\275\144\127\162\255\073\317\067\030\246\230\306
-\255\006\264\334\010\243\004\325\051\244\226\232\022\147\112\214
-\140\105\235\361\043\232\260\000\234\150\265\230\120\323\357\216
-\056\222\145\261\110\076\041\276\025\060\052\015\265\014\243\153
-\077\256\177\127\365\037\226\174\337\157\335\202\060\054\145\033
-\100\112\315\150\271\162\354\161\166\354\124\216\037\205\014\001
-\152\372\246\070\254\037\304\204
-END
-
-# Trust for Certificate "UTN-USER First-Network Applications"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "UTN-USER First-Network Applications"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\135\230\234\333\025\226\021\066\121\145\144\033\126\017\333\352
-\052\302\076\361
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\277\140\131\243\133\272\366\247\166\102\332\157\032\173\120\317
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\243\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060
-\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153
-\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023
-\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116
-\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023
-\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162
-\164\162\165\163\164\056\143\157\155\061\053\060\051\006\003\125
-\004\003\023\042\125\124\116\055\125\123\105\122\106\151\162\163
-\164\055\116\145\164\167\157\162\153\040\101\160\160\154\151\143
-\141\164\151\157\156\163
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\104\276\014\213\120\000\044\264\021\323\066\060\113\300
-\063\167
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "America Online Root Certification Authority 1"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "America Online Root Certification Authority 1"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143
-\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060
-\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040
-\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164
-\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\040\061
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143
-\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060
-\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040
-\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164
-\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\040\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\244\060\202\002\214\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061\034
-\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143\141
-\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060\064
-\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040\117
-\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\061\060\036\027\015\060\062\060\065\062\070\060\066
-\060\060\060\060\132\027\015\063\067\061\061\061\071\062\060\064
-\063\060\060\132\060\143\061\013\060\011\006\003\125\004\006\023
-\002\125\123\061\034\060\032\006\003\125\004\012\023\023\101\155
-\145\162\151\143\141\040\117\156\154\151\156\145\040\111\156\143
-\056\061\066\060\064\006\003\125\004\003\023\055\101\155\145\162
-\151\143\141\040\117\156\154\151\156\145\040\122\157\157\164\040
-\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165
-\164\150\157\162\151\164\171\040\061\060\202\001\042\060\015\006
-\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017
-\000\060\202\001\012\002\202\001\001\000\250\057\350\244\151\006
-\003\107\303\351\052\230\377\031\242\160\232\306\120\262\176\245
-\337\150\115\033\174\017\266\227\150\175\055\246\213\227\351\144
-\206\311\243\357\240\206\277\140\145\234\113\124\210\302\110\305
-\112\071\277\024\343\131\125\345\031\264\164\310\264\005\071\134
-\026\245\342\225\005\340\022\256\131\213\242\063\150\130\034\246
-\324\025\267\330\237\327\334\161\253\176\232\277\233\216\063\017
-\042\375\037\056\347\007\066\357\142\071\305\335\313\272\045\024
-\043\336\014\306\075\074\316\202\010\346\146\076\332\121\073\026
-\072\243\005\177\240\334\207\325\234\374\162\251\240\175\170\344
-\267\061\125\036\145\273\324\141\260\041\140\355\020\062\162\305
-\222\045\036\370\220\112\030\170\107\337\176\060\067\076\120\033
-\333\034\323\153\232\206\123\007\260\357\254\006\170\370\204\231
-\376\041\215\114\200\266\014\202\366\146\160\171\032\323\117\243
-\317\361\317\106\260\113\017\076\335\210\142\270\214\251\011\050
-\073\172\307\227\341\036\345\364\237\300\300\256\044\240\310\241
-\331\017\326\173\046\202\151\062\075\247\002\003\001\000\001\243
-\143\060\141\060\017\006\003\125\035\023\001\001\377\004\005\060
-\003\001\001\377\060\035\006\003\125\035\016\004\026\004\024\000
-\255\331\243\366\171\366\156\164\251\177\063\075\201\027\327\114
-\317\063\336\060\037\006\003\125\035\043\004\030\060\026\200\024
-\000\255\331\243\366\171\366\156\164\251\177\063\075\201\027\327
-\114\317\063\336\060\016\006\003\125\035\017\001\001\377\004\004
-\003\002\001\206\060\015\006\011\052\206\110\206\367\015\001\001
-\005\005\000\003\202\001\001\000\174\212\321\037\030\067\202\340
-\270\260\243\355\126\225\310\142\141\234\005\242\315\302\142\046
-\141\315\020\026\327\314\264\145\064\320\021\212\255\250\251\005
-\146\357\164\363\155\137\235\231\257\366\213\373\353\122\262\005
-\230\242\157\052\305\124\275\045\275\137\256\310\206\352\106\054
-\301\263\275\301\351\111\160\030\026\227\010\023\214\040\340\033
-\056\072\107\313\036\344\000\060\225\133\364\105\243\300\032\260
-\001\116\253\275\300\043\156\143\077\200\112\305\007\355\334\342
-\157\307\301\142\361\343\162\326\004\310\164\147\013\372\210\253
-\241\001\310\157\360\024\257\322\231\315\121\223\176\355\056\070
-\307\275\316\106\120\075\162\343\171\045\235\233\210\053\020\040
-\335\245\270\062\237\215\340\051\337\041\164\206\202\333\057\202
-\060\306\307\065\206\263\371\226\137\106\333\014\105\375\363\120
-\303\157\306\303\110\255\106\246\341\047\107\012\035\016\233\266
-\302\167\177\143\362\340\175\032\276\374\340\337\327\307\247\154
-\260\371\256\272\074\375\164\264\021\350\130\015\200\274\323\250
-\200\072\231\355\165\314\106\173
-END
-
-# Trust for Certificate "America Online Root Certification Authority 1"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "America Online Root Certification Authority 1"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\071\041\301\025\301\135\016\312\134\313\133\304\360\175\041\330
-\005\013\126\152
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\024\361\010\255\235\372\144\342\211\347\034\317\250\255\175\136
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143
-\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060
-\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040
-\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164
-\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\040\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "America Online Root Certification Authority 2"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "America Online Root Certification Authority 2"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143
-\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060
-\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040
-\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164
-\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\040\062
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143
-\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060
-\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040
-\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164
-\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\040\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\244\060\202\003\214\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061\034
-\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143\141
-\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060\064
-\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040\117
-\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\062\060\036\027\015\060\062\060\065\062\070\060\066
-\060\060\060\060\132\027\015\063\067\060\071\062\071\061\064\060
-\070\060\060\132\060\143\061\013\060\011\006\003\125\004\006\023
-\002\125\123\061\034\060\032\006\003\125\004\012\023\023\101\155
-\145\162\151\143\141\040\117\156\154\151\156\145\040\111\156\143
-\056\061\066\060\064\006\003\125\004\003\023\055\101\155\145\162
-\151\143\141\040\117\156\154\151\156\145\040\122\157\157\164\040
-\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165
-\164\150\157\162\151\164\171\040\062\060\202\002\042\060\015\006
-\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002\017
-\000\060\202\002\012\002\202\002\001\000\314\101\105\035\351\075
-\115\020\366\214\261\101\311\340\136\313\015\267\277\107\163\323
-\360\125\115\335\306\014\372\261\146\005\152\315\170\264\334\002
-\333\116\201\363\327\247\174\161\274\165\143\240\135\343\007\014
-\110\354\045\304\003\040\364\377\016\073\022\377\233\215\341\306
-\325\033\264\155\042\343\261\333\177\041\144\257\206\274\127\042
-\052\326\107\201\127\104\202\126\123\275\206\024\001\013\374\177
-\164\244\132\256\361\272\021\265\233\130\132\200\264\067\170\011
-\063\174\062\107\003\134\304\245\203\110\364\127\126\156\201\066
-\047\030\117\354\233\050\302\324\264\327\174\014\076\014\053\337
-\312\004\327\306\216\352\130\116\250\244\245\030\034\154\105\230
-\243\101\321\055\322\307\155\215\031\361\255\171\267\201\077\275
-\006\202\047\055\020\130\005\265\170\005\271\057\333\014\153\220
-\220\176\024\131\070\273\224\044\023\345\321\235\024\337\323\202
-\115\106\360\200\071\122\062\017\343\204\262\172\103\362\136\336
-\137\077\035\335\343\262\033\240\241\052\043\003\156\056\001\025
-\207\134\246\165\165\307\227\141\276\336\206\334\324\110\333\275
-\052\277\112\125\332\350\175\120\373\264\200\027\270\224\277\001
-\075\352\332\272\174\340\130\147\027\271\130\340\210\206\106\147
-\154\235\020\107\130\062\320\065\174\171\052\220\242\132\020\021
-\043\065\255\057\314\344\112\133\247\310\047\362\203\336\136\273
-\136\167\347\350\245\156\143\302\015\135\141\320\214\322\154\132
-\041\016\312\050\243\316\052\351\225\307\110\317\226\157\035\222
-\045\310\306\306\301\301\014\005\254\046\304\322\165\322\341\052
-\147\300\075\133\245\232\353\317\173\032\250\235\024\105\345\017
-\240\232\145\336\057\050\275\316\157\224\146\203\110\051\330\352
-\145\214\257\223\331\144\237\125\127\046\277\157\313\067\061\231
-\243\140\273\034\255\211\064\062\142\270\103\041\006\162\014\241
-\134\155\106\305\372\051\317\060\336\211\334\161\133\335\266\067
-\076\337\120\365\270\007\045\046\345\274\265\376\074\002\263\267
-\370\276\103\301\207\021\224\236\043\154\027\212\270\212\047\014
-\124\107\360\251\263\300\200\214\240\047\353\035\031\343\007\216
-\167\160\312\053\364\175\166\340\170\147\002\003\001\000\001\243
-\143\060\141\060\017\006\003\125\035\023\001\001\377\004\005\060
-\003\001\001\377\060\035\006\003\125\035\016\004\026\004\024\115
-\105\301\150\070\273\163\251\151\241\040\347\355\365\042\241\043
-\024\327\236\060\037\006\003\125\035\043\004\030\060\026\200\024
-\115\105\301\150\070\273\163\251\151\241\040\347\355\365\042\241
-\043\024\327\236\060\016\006\003\125\035\017\001\001\377\004\004
-\003\002\001\206\060\015\006\011\052\206\110\206\367\015\001\001
-\005\005\000\003\202\002\001\000\147\153\006\271\137\105\073\052
-\113\063\263\346\033\153\131\116\042\314\271\267\244\045\311\247
-\304\360\124\226\013\144\363\261\130\117\136\121\374\262\227\173
-\047\145\302\345\312\347\015\014\045\173\142\343\372\237\264\207
-\267\105\106\257\203\245\227\110\214\245\275\361\026\053\233\166
-\054\172\065\140\154\021\200\227\314\251\222\122\346\053\346\151
-\355\251\370\066\055\054\167\277\141\110\321\143\013\271\133\122
-\355\030\260\103\102\042\246\261\167\256\336\151\305\315\307\034
-\241\261\245\034\020\373\030\276\032\160\335\301\222\113\276\051
-\132\235\077\065\276\345\175\121\370\125\340\045\165\043\207\036
-\134\334\272\235\260\254\263\151\333\027\203\311\367\336\014\274
-\010\334\221\236\250\320\327\025\067\163\245\065\270\374\176\305
-\104\100\006\303\353\370\042\200\134\107\316\002\343\021\237\104
-\377\375\232\062\314\175\144\121\016\353\127\046\166\072\343\036
-\042\074\302\246\066\335\031\357\247\374\022\363\046\300\131\061
-\205\114\234\330\317\337\244\314\314\051\223\377\224\155\166\134
-\023\010\227\362\355\245\013\115\335\350\311\150\016\146\323\000
-\016\063\022\133\274\225\345\062\220\250\263\306\154\203\255\167
-\356\213\176\176\261\251\253\323\341\361\266\300\261\352\210\300
-\347\323\220\351\050\222\224\173\150\173\227\052\012\147\055\205
-\002\070\020\344\003\141\324\332\045\066\307\010\130\055\241\247
-\121\257\060\012\111\365\246\151\207\007\055\104\106\166\216\052
-\345\232\073\327\030\242\374\234\070\020\314\306\073\322\265\027
-\072\157\375\256\045\275\365\162\131\144\261\164\052\070\137\030
-\114\337\317\161\004\132\066\324\277\057\231\234\350\331\272\261
-\225\346\002\113\041\241\133\325\301\117\217\256\151\155\123\333
-\001\223\265\134\036\030\335\144\132\312\030\050\076\143\004\021
-\375\034\215\000\017\270\067\337\147\212\235\146\251\002\152\221
-\377\023\312\057\135\203\274\207\223\154\334\044\121\026\004\045
-\146\372\263\331\302\272\051\276\232\110\070\202\231\364\277\073
-\112\061\031\371\277\216\041\063\024\312\117\124\137\373\316\373
-\217\161\177\375\136\031\240\017\113\221\270\304\124\274\006\260
-\105\217\046\221\242\216\376\251
-END
-
-# Trust for Certificate "America Online Root Certification Authority 2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "America Online Root Certification Authority 2"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\205\265\377\147\233\014\171\226\037\310\156\104\042\000\106\023
-\333\027\222\204
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\326\355\074\312\342\146\017\257\020\103\015\167\233\004\011\277
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143
-\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060
-\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040
-\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164
-\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\040\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Visa eCommerce Root"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Visa eCommerce Root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\153\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
-\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
-\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
-\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
-\034\060\032\006\003\125\004\003\023\023\126\151\163\141\040\145
-\103\157\155\155\145\162\143\145\040\122\157\157\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\153\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
-\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
-\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
-\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
-\034\060\032\006\003\125\004\003\023\023\126\151\163\141\040\145
-\103\157\155\155\145\162\143\145\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\023\206\065\115\035\077\006\362\301\371\145\005\325\220
-\034\142
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\242\060\202\002\212\240\003\002\001\002\002\020\023
-\206\065\115\035\077\006\362\301\371\145\005\325\220\034\142\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\153
-\061\013\060\011\006\003\125\004\006\023\002\125\123\061\015\060
-\013\006\003\125\004\012\023\004\126\111\123\101\061\057\060\055
-\006\003\125\004\013\023\046\126\151\163\141\040\111\156\164\145
-\162\156\141\164\151\157\156\141\154\040\123\145\162\166\151\143
-\145\040\101\163\163\157\143\151\141\164\151\157\156\061\034\060
-\032\006\003\125\004\003\023\023\126\151\163\141\040\145\103\157
-\155\155\145\162\143\145\040\122\157\157\164\060\036\027\015\060
-\062\060\066\062\066\060\062\061\070\063\066\132\027\015\062\062
-\060\066\062\064\060\060\061\066\061\062\132\060\153\061\013\060
-\011\006\003\125\004\006\023\002\125\123\061\015\060\013\006\003
-\125\004\012\023\004\126\111\123\101\061\057\060\055\006\003\125
-\004\013\023\046\126\151\163\141\040\111\156\164\145\162\156\141
-\164\151\157\156\141\154\040\123\145\162\166\151\143\145\040\101
-\163\163\157\143\151\141\164\151\157\156\061\034\060\032\006\003
-\125\004\003\023\023\126\151\163\141\040\145\103\157\155\155\145
-\162\143\145\040\122\157\157\164\060\202\001\042\060\015\006\011
-\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000
-\060\202\001\012\002\202\001\001\000\257\127\336\126\036\156\241
-\332\140\261\224\047\313\027\333\007\077\200\205\117\310\234\266
-\320\364\157\117\317\231\330\341\333\302\110\134\072\254\071\063
-\307\037\152\213\046\075\053\065\365\110\261\221\301\002\116\004
-\226\221\173\260\063\360\261\024\116\021\157\265\100\257\033\105
-\245\112\357\176\266\254\362\240\037\130\077\022\106\140\074\215
-\241\340\175\317\127\076\063\036\373\107\361\252\025\227\007\125
-\146\245\265\055\056\330\200\131\262\247\015\267\106\354\041\143
-\377\065\253\245\002\317\052\364\114\376\173\365\224\135\204\115
-\250\362\140\217\333\016\045\074\237\163\161\317\224\337\112\352
-\333\337\162\070\214\363\226\275\361\027\274\322\272\073\105\132
-\306\247\366\306\027\213\001\235\374\031\250\052\203\026\270\072
-\110\376\116\076\240\253\006\031\351\123\363\200\023\007\355\055
-\277\077\012\074\125\040\071\054\054\000\151\164\225\112\274\040
-\262\251\171\345\030\211\221\250\334\034\115\357\273\176\067\013
-\135\376\071\245\210\122\214\000\154\354\030\174\101\275\366\213
-\165\167\272\140\235\204\347\376\055\002\003\001\000\001\243\102
-\060\100\060\017\006\003\125\035\023\001\001\377\004\005\060\003
-\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004\003
-\002\001\006\060\035\006\003\125\035\016\004\026\004\024\025\070
-\203\017\077\054\077\160\063\036\315\106\376\007\214\040\340\327
-\303\267\060\015\006\011\052\206\110\206\367\015\001\001\005\005
-\000\003\202\001\001\000\137\361\101\175\174\134\010\271\053\340
-\325\222\107\372\147\134\245\023\303\003\041\233\053\114\211\106
-\317\131\115\311\376\245\100\266\143\315\335\161\050\225\147\021
-\314\044\254\323\104\154\161\256\001\040\153\003\242\217\030\267
-\051\072\175\345\026\140\123\170\074\300\257\025\203\367\217\122
-\063\044\275\144\223\227\356\213\367\333\030\250\155\161\263\367
-\054\027\320\164\045\151\367\376\153\074\224\276\115\113\101\214
-\116\342\163\320\343\220\042\163\103\315\363\357\352\163\316\105
-\212\260\246\111\377\114\175\235\161\210\304\166\035\220\133\035
-\356\375\314\367\356\375\140\245\261\172\026\161\321\026\320\174
-\022\074\154\151\227\333\256\137\071\232\160\057\005\074\031\106
-\004\231\040\066\320\140\156\141\006\273\026\102\214\160\367\060
-\373\340\333\146\243\000\001\275\346\054\332\221\137\240\106\213
-\115\152\234\075\075\335\005\106\376\166\277\240\012\074\344\000
-\346\047\267\377\204\055\336\272\042\047\226\020\161\353\042\355
-\337\337\063\234\317\343\255\256\216\324\216\346\117\121\257\026
-\222\340\134\366\007\017
-END
-
-# Trust for Certificate "Visa eCommerce Root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Visa eCommerce Root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\160\027\233\206\214\000\244\372\140\221\122\042\077\237\076\062
-\275\340\005\142
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\374\021\270\330\010\223\060\000\155\043\371\176\353\122\036\002
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\153\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
-\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
-\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
-\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
-\034\060\032\006\003\125\004\003\023\023\126\151\163\141\040\145
-\103\157\155\155\145\162\143\145\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\023\206\065\115\035\077\006\362\301\371\145\005\325\220
-\034\142
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "TC TrustCenter, Germany, Class 2 CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "TC TrustCenter, Germany, Class 2 CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105
-\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165
-\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155
-\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124
-\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157
-\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141
-\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110
-\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162
-\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040
-\062\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015
-\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145
-\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105
-\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165
-\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155
-\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124
-\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157
-\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141
-\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110
-\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162
-\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040
-\062\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015
-\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145
-\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\002\003\352
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\134\060\202\002\305\240\003\002\001\002\002\002\003
-\352\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000
-\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105
-\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165
-\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155
-\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124
-\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157
-\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141
-\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110
-\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162
-\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040
-\062\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015
-\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145
-\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145\060
-\036\027\015\071\070\060\063\060\071\061\061\065\071\065\071\132
-\027\015\061\061\060\061\060\061\061\061\065\071\065\071\132\060
-\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105\061
-\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165\162
-\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155\142
-\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124\103
-\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157\162
-\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141\164
-\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110\061
-\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162\165
-\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040\062
-\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015\001
-\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145\100
-\164\162\165\163\164\143\145\156\164\145\162\056\144\145\060\201
-\237\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000
-\003\201\215\000\060\201\211\002\201\201\000\332\070\350\355\062
-\000\051\161\203\001\015\277\214\001\334\332\306\255\071\244\251
-\212\057\325\213\134\150\137\120\306\142\365\146\275\312\221\042
-\354\252\035\121\327\075\263\121\262\203\116\135\313\111\260\360
-\114\125\345\153\055\307\205\013\060\034\222\116\202\324\312\002
-\355\367\157\276\334\340\343\024\270\005\123\362\232\364\126\213
-\132\236\205\223\321\264\202\126\256\115\273\250\113\127\026\274
-\376\370\130\236\370\051\215\260\173\315\170\311\117\254\213\147
-\014\361\234\373\374\127\233\127\134\117\015\002\003\001\000\001
-\243\153\060\151\060\017\006\003\125\035\023\001\001\377\004\005
-\060\003\001\001\377\060\016\006\003\125\035\017\001\001\377\004
-\004\003\002\001\206\060\063\006\011\140\206\110\001\206\370\102
-\001\010\004\046\026\044\150\164\164\160\072\057\057\167\167\167
-\056\164\162\165\163\164\143\145\156\164\145\162\056\144\145\057
-\147\165\151\144\145\154\151\156\145\163\060\021\006\011\140\206
-\110\001\206\370\102\001\001\004\004\003\002\000\007\060\015\006
-\011\052\206\110\206\367\015\001\001\004\005\000\003\201\201\000
-\204\122\373\050\337\377\037\165\001\274\001\276\004\126\227\152
-\164\102\044\061\203\371\106\261\006\212\211\317\226\054\063\277
-\214\265\137\172\162\241\205\006\316\206\370\005\216\350\371\045
-\312\332\203\214\006\254\353\066\155\205\221\064\004\066\364\102
-\360\370\171\056\012\110\134\253\314\121\117\170\166\240\331\254
-\031\275\052\321\151\004\050\221\312\066\020\047\200\127\133\322
-\134\365\302\133\253\144\201\143\164\121\364\227\277\315\022\050
-\367\115\146\177\247\360\034\001\046\170\262\146\107\160\121\144
-END
-
-# Trust for Certificate "TC TrustCenter, Germany, Class 2 CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "TC TrustCenter, Germany, Class 2 CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\203\216\060\367\177\335\024\252\070\136\321\105\000\234\016\042
-\066\111\117\252
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\270\026\063\114\114\114\362\330\323\115\006\264\246\133\100\003
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105
-\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165
-\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155
-\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124
-\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157
-\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141
-\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110
-\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162
-\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040
-\062\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015
-\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145
-\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\002\003\352
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "TC TrustCenter, Germany, Class 3 CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "TC TrustCenter, Germany, Class 3 CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105
-\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165
-\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155
-\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124
-\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157
-\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141
-\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110
-\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162
-\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040
-\063\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015
-\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145
-\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105
-\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165
-\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155
-\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124
-\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157
-\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141
-\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110
-\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162
-\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040
-\063\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015
-\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145
-\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\002\003\353
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\134\060\202\002\305\240\003\002\001\002\002\002\003
-\353\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000
-\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105
-\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165
-\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155
-\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124
-\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157
-\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141
-\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110
-\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162
-\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040
-\063\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015
-\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145
-\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145\060
-\036\027\015\071\070\060\063\060\071\061\061\065\071\065\071\132
-\027\015\061\061\060\061\060\061\061\061\065\071\065\071\132\060
-\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105\061
-\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165\162
-\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155\142
-\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124\103
-\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157\162
-\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141\164
-\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110\061
-\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162\165
-\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040\063
-\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015\001
-\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145\100
-\164\162\165\163\164\143\145\156\164\145\162\056\144\145\060\201
-\237\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000
-\003\201\215\000\060\201\211\002\201\201\000\266\264\301\065\005
-\056\015\215\354\240\100\152\034\016\047\246\120\222\153\120\033
-\007\336\056\347\166\314\340\332\374\204\250\136\214\143\152\053
-\115\331\116\002\166\021\301\013\362\215\171\312\000\266\361\260
-\016\327\373\244\027\075\257\253\151\172\226\047\277\257\063\241
-\232\052\131\252\304\265\067\010\362\022\245\061\266\103\365\062
-\226\161\050\050\253\215\050\206\337\273\356\343\014\175\060\326
-\303\122\253\217\135\047\234\153\300\243\347\005\153\127\111\104
-\263\156\352\144\317\322\216\172\120\167\167\002\003\001\000\001
-\243\153\060\151\060\017\006\003\125\035\023\001\001\377\004\005
-\060\003\001\001\377\060\016\006\003\125\035\017\001\001\377\004
-\004\003\002\001\206\060\063\006\011\140\206\110\001\206\370\102
-\001\010\004\046\026\044\150\164\164\160\072\057\057\167\167\167
-\056\164\162\165\163\164\143\145\156\164\145\162\056\144\145\057
-\147\165\151\144\145\154\151\156\145\163\060\021\006\011\140\206
-\110\001\206\370\102\001\001\004\004\003\002\000\007\060\015\006
-\011\052\206\110\206\367\015\001\001\004\005\000\003\201\201\000
-\026\075\306\315\301\273\205\161\205\106\237\076\040\217\121\050
-\231\354\055\105\041\143\043\133\004\273\114\220\270\210\222\004
-\115\275\175\001\243\077\366\354\316\361\336\376\175\345\341\076
-\273\306\253\136\013\335\075\226\304\313\251\324\371\046\346\006
-\116\236\014\245\172\272\156\303\174\202\031\321\307\261\261\303
-\333\015\216\233\100\174\067\013\361\135\350\375\037\220\210\245
-\016\116\067\144\041\250\116\215\264\237\361\336\110\255\325\126
-\030\122\051\213\107\064\022\011\324\273\222\065\357\017\333\064
-END
-
-# Trust for Certificate "TC TrustCenter, Germany, Class 3 CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "TC TrustCenter, Germany, Class 3 CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\237\307\226\350\370\122\117\206\072\341\111\155\070\022\102\020
-\137\033\170\365
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\137\224\112\163\042\270\367\321\061\354\131\071\367\216\376\156
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105
-\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165
-\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155
-\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124
-\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157
-\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141
-\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110
-\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162
-\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040
-\063\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015
-\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145
-\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\002\003\353
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Certum Root CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Certum Root CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\076\061\013\060\011\006\003\125\004\006\023\002\120\114\061
-\033\060\031\006\003\125\004\012\023\022\125\156\151\172\145\164
-\157\040\123\160\056\040\172\040\157\056\157\056\061\022\060\020
-\006\003\125\004\003\023\011\103\145\162\164\165\155\040\103\101
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\076\061\013\060\011\006\003\125\004\006\023\002\120\114\061
-\033\060\031\006\003\125\004\012\023\022\125\156\151\172\145\164
-\157\040\123\160\056\040\172\040\157\056\157\056\061\022\060\020
-\006\003\125\004\003\023\011\103\145\162\164\165\155\040\103\101
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\003\001\000\040
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\014\060\202\001\364\240\003\002\001\002\002\003\001
-\000\040\060\015\006\011\052\206\110\206\367\015\001\001\005\005
-\000\060\076\061\013\060\011\006\003\125\004\006\023\002\120\114
-\061\033\060\031\006\003\125\004\012\023\022\125\156\151\172\145
-\164\157\040\123\160\056\040\172\040\157\056\157\056\061\022\060
-\020\006\003\125\004\003\023\011\103\145\162\164\165\155\040\103
-\101\060\036\027\015\060\062\060\066\061\061\061\060\064\066\063
-\071\132\027\015\062\067\060\066\061\061\061\060\064\066\063\071
-\132\060\076\061\013\060\011\006\003\125\004\006\023\002\120\114
-\061\033\060\031\006\003\125\004\012\023\022\125\156\151\172\145
-\164\157\040\123\160\056\040\172\040\157\056\157\056\061\022\060
-\020\006\003\125\004\003\023\011\103\145\162\164\165\155\040\103
-\101\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001
-\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001
-\001\000\316\261\301\056\323\117\174\315\045\316\030\076\117\304
-\214\157\200\152\163\310\133\121\370\233\322\334\273\000\134\261
-\240\374\165\003\356\201\360\210\356\043\122\351\346\025\063\215
-\254\055\011\305\166\371\053\071\200\211\344\227\113\220\245\250
-\170\370\163\103\173\244\141\260\330\130\314\341\154\146\176\234
-\363\011\136\125\143\204\325\250\357\363\261\056\060\150\263\304
-\074\330\254\156\215\231\132\220\116\064\334\066\232\217\201\210
-\120\267\155\226\102\011\363\327\225\203\015\101\113\260\152\153
-\370\374\017\176\142\237\147\304\355\046\137\020\046\017\010\117
-\360\244\127\050\316\217\270\355\105\366\156\356\045\135\252\156
-\071\276\344\223\057\331\107\240\162\353\372\246\133\257\312\123
-\077\342\016\306\226\126\021\156\367\351\146\251\046\330\177\225
-\123\355\012\205\210\272\117\051\245\102\214\136\266\374\205\040
-\000\252\150\013\241\032\205\001\234\304\106\143\202\210\266\042
-\261\356\376\252\106\131\176\317\065\054\325\266\332\135\367\110
-\063\024\124\266\353\331\157\316\315\210\326\253\033\332\226\073
-\035\131\002\003\001\000\001\243\023\060\021\060\017\006\003\125
-\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006\011
-\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001\000
-\270\215\316\357\347\024\272\317\356\260\104\222\154\264\071\076
-\242\204\156\255\270\041\167\322\324\167\202\207\346\040\101\201
-\356\342\370\021\267\143\321\027\067\276\031\166\044\034\004\032
-\114\353\075\252\147\157\055\324\315\376\145\061\160\305\033\246
-\002\012\272\140\173\155\130\302\232\111\376\143\062\013\153\343
-\072\300\254\253\073\260\350\323\011\121\214\020\203\306\064\340
-\305\053\340\032\266\140\024\047\154\062\167\214\274\262\162\230
-\317\315\314\077\271\310\044\102\024\326\127\374\346\046\103\251
-\035\345\200\220\316\003\124\050\076\367\077\323\370\115\355\152
-\012\072\223\023\233\073\024\043\023\143\234\077\321\207\047\171
-\345\114\121\343\001\255\205\135\032\073\261\325\163\020\244\323
-\362\274\156\144\365\132\126\220\250\307\016\114\164\017\056\161
-\073\367\310\107\364\151\157\025\362\021\136\203\036\234\174\122
-\256\375\002\332\022\250\131\147\030\333\274\160\335\233\261\151
-\355\200\316\211\100\110\152\016\065\312\051\146\025\041\224\054
-\350\140\052\233\205\112\100\363\153\212\044\354\006\026\054\163
-END
-
-# Trust for Certificate "Certum Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Certum Root CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\142\122\334\100\367\021\103\242\057\336\236\367\064\216\006\102
-\121\261\201\030
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\054\217\237\146\035\030\220\261\107\046\235\216\206\202\214\251
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\076\061\013\060\011\006\003\125\004\006\023\002\120\114\061
-\033\060\031\006\003\125\004\012\023\022\125\156\151\172\145\164
-\157\040\123\160\056\040\172\040\157\056\157\056\061\022\060\020
-\006\003\125\004\003\023\011\103\145\162\164\165\155\040\103\101
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\003\001\000\040
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Comodo AAA Services root"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Comodo AAA Services root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\173\061\013\060\011\006\003\125\004\006\023\002\107\102\061
-\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145
-\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016
-\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032
-\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040
-\103\101\040\114\151\155\151\164\145\144\061\041\060\037\006\003
-\125\004\003\014\030\101\101\101\040\103\145\162\164\151\146\151
-\143\141\164\145\040\123\145\162\166\151\143\145\163
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\173\061\013\060\011\006\003\125\004\006\023\002\107\102\061
-\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145
-\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016
-\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032
-\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040
-\103\101\040\114\151\155\151\164\145\144\061\041\060\037\006\003
-\125\004\003\014\030\101\101\101\040\103\145\162\164\151\146\151
-\143\141\164\145\040\123\145\162\166\151\143\145\163
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\062\060\202\003\032\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\173\061\013\060\011\006\003\125\004\006\023\002\107\102\061\033
-\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145\162
-\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016\006
-\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032\060
-\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040\103
-\101\040\114\151\155\151\164\145\144\061\041\060\037\006\003\125
-\004\003\014\030\101\101\101\040\103\145\162\164\151\146\151\143
-\141\164\145\040\123\145\162\166\151\143\145\163\060\036\027\015
-\060\064\060\061\060\061\060\060\060\060\060\060\132\027\015\062
-\070\061\062\063\061\062\063\065\071\065\071\132\060\173\061\013
-\060\011\006\003\125\004\006\023\002\107\102\061\033\060\031\006
-\003\125\004\010\014\022\107\162\145\141\164\145\162\040\115\141
-\156\143\150\145\163\164\145\162\061\020\060\016\006\003\125\004
-\007\014\007\123\141\154\146\157\162\144\061\032\060\030\006\003
-\125\004\012\014\021\103\157\155\157\144\157\040\103\101\040\114
-\151\155\151\164\145\144\061\041\060\037\006\003\125\004\003\014
-\030\101\101\101\040\103\145\162\164\151\146\151\143\141\164\145
-\040\123\145\162\166\151\143\145\163\060\202\001\042\060\015\006
-\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017
-\000\060\202\001\012\002\202\001\001\000\276\100\235\364\156\341
-\352\166\207\034\115\105\104\216\276\106\310\203\006\235\301\052
-\376\030\037\216\344\002\372\363\253\135\120\212\026\061\013\232
-\006\320\305\160\042\315\111\055\124\143\314\266\156\150\106\013
-\123\352\313\114\044\300\274\162\116\352\361\025\256\364\124\232
-\022\012\303\172\262\063\140\342\332\211\125\363\042\130\363\336
-\334\317\357\203\206\242\214\224\117\237\150\362\230\220\106\204
-\047\307\166\277\343\314\065\054\213\136\007\144\145\202\300\110
-\260\250\221\371\141\237\166\040\120\250\221\307\146\265\353\170
-\142\003\126\360\212\032\023\352\061\243\036\240\231\375\070\366
-\366\047\062\130\157\007\365\153\270\373\024\053\257\267\252\314
-\326\143\137\163\214\332\005\231\250\070\250\313\027\170\066\121
-\254\351\236\364\170\072\215\317\017\331\102\342\230\014\253\057
-\237\016\001\336\357\237\231\111\361\055\337\254\164\115\033\230
-\265\107\305\345\051\321\371\220\030\307\142\234\276\203\307\046
-\173\076\212\045\307\300\335\235\346\065\150\020\040\235\217\330
-\336\322\303\204\234\015\136\350\057\311\002\003\001\000\001\243
-\201\300\060\201\275\060\035\006\003\125\035\016\004\026\004\024
-\240\021\012\043\076\226\361\007\354\342\257\051\357\202\245\177
-\320\060\244\264\060\016\006\003\125\035\017\001\001\377\004\004
-\003\002\001\006\060\017\006\003\125\035\023\001\001\377\004\005
-\060\003\001\001\377\060\173\006\003\125\035\037\004\164\060\162
-\060\070\240\066\240\064\206\062\150\164\164\160\072\057\057\143
-\162\154\056\143\157\155\157\144\157\143\141\056\143\157\155\057
-\101\101\101\103\145\162\164\151\146\151\143\141\164\145\123\145
-\162\166\151\143\145\163\056\143\162\154\060\066\240\064\240\062
-\206\060\150\164\164\160\072\057\057\143\162\154\056\143\157\155
-\157\144\157\056\156\145\164\057\101\101\101\103\145\162\164\151
-\146\151\143\141\164\145\123\145\162\166\151\143\145\163\056\143
-\162\154\060\015\006\011\052\206\110\206\367\015\001\001\005\005
-\000\003\202\001\001\000\010\126\374\002\360\233\350\377\244\372
-\326\173\306\104\200\316\117\304\305\366\000\130\314\246\266\274
-\024\111\150\004\166\350\346\356\135\354\002\017\140\326\215\120
-\030\117\046\116\001\343\346\260\245\356\277\274\164\124\101\277
-\375\374\022\270\307\117\132\364\211\140\005\177\140\267\005\112
-\363\366\361\302\277\304\271\164\206\266\055\175\153\314\322\363
-\106\335\057\306\340\152\303\303\064\003\054\175\226\335\132\302
-\016\247\012\231\301\005\213\253\014\057\363\134\072\317\154\067
-\125\011\207\336\123\100\154\130\357\374\266\253\145\156\004\366
-\033\334\074\340\132\025\306\236\331\361\131\110\060\041\145\003
-\154\354\351\041\163\354\233\003\241\340\067\255\240\025\030\217
-\372\272\002\316\247\054\251\020\023\054\324\345\010\046\253\042
-\227\140\370\220\136\164\324\242\232\123\275\362\251\150\340\242
-\156\302\327\154\261\243\017\236\277\353\150\347\126\362\256\362
-\343\053\070\072\011\201\265\153\205\327\276\055\355\077\032\267
-\262\143\342\365\142\054\202\324\152\000\101\120\361\071\203\237
-\225\351\066\226\230\156
-END
-
-# Trust for Certificate "Comodo AAA Services root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Comodo AAA Services root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\321\353\043\244\155\027\326\217\331\045\144\302\361\361\140\027
-\144\330\343\111
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\111\171\004\260\353\207\031\254\107\260\274\021\121\233\164\320
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\173\061\013\060\011\006\003\125\004\006\023\002\107\102\061
-\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145
-\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016
-\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032
-\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040
-\103\101\040\114\151\155\151\164\145\144\061\041\060\037\006\003
-\125\004\003\014\030\101\101\101\040\103\145\162\164\151\146\151
-\143\141\164\145\040\123\145\162\166\151\143\145\163
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Comodo Secure Services root"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Comodo Secure Services root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\176\061\013\060\011\006\003\125\004\006\023\002\107\102\061
-\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145
-\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016
-\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032
-\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040
-\103\101\040\114\151\155\151\164\145\144\061\044\060\042\006\003
-\125\004\003\014\033\123\145\143\165\162\145\040\103\145\162\164
-\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\176\061\013\060\011\006\003\125\004\006\023\002\107\102\061
-\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145
-\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016
-\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032
-\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040
-\103\101\040\114\151\155\151\164\145\144\061\044\060\042\006\003
-\125\004\003\014\033\123\145\143\165\162\145\040\103\145\162\164
-\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\077\060\202\003\047\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\176\061\013\060\011\006\003\125\004\006\023\002\107\102\061\033
-\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145\162
-\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016\006
-\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032\060
-\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040\103
-\101\040\114\151\155\151\164\145\144\061\044\060\042\006\003\125
-\004\003\014\033\123\145\143\165\162\145\040\103\145\162\164\151
-\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163\060
-\036\027\015\060\064\060\061\060\061\060\060\060\060\060\060\132
-\027\015\062\070\061\062\063\061\062\063\065\071\065\071\132\060
-\176\061\013\060\011\006\003\125\004\006\023\002\107\102\061\033
-\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145\162
-\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016\006
-\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032\060
-\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040\103
-\101\040\114\151\155\151\164\145\144\061\044\060\042\006\003\125
-\004\003\014\033\123\145\143\165\162\145\040\103\145\162\164\151
-\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163\060
-\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001
-\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000
-\300\161\063\202\212\320\160\353\163\207\202\100\325\035\344\313
-\311\016\102\220\371\336\064\271\241\272\021\364\045\205\363\314
-\162\155\362\173\227\153\263\007\361\167\044\221\137\045\217\366
-\164\075\344\200\302\370\074\015\363\277\100\352\367\310\122\321
-\162\157\357\310\253\101\270\156\056\027\052\225\151\014\315\322
-\036\224\173\055\224\035\252\165\327\263\230\313\254\274\144\123
-\100\274\217\254\254\066\313\134\255\273\335\340\224\027\354\321
-\134\320\277\357\245\225\311\220\305\260\254\373\033\103\337\172
-\010\135\267\270\362\100\033\053\047\236\120\316\136\145\202\210
-\214\136\323\116\014\172\352\010\221\266\066\252\053\102\373\352
-\302\243\071\345\333\046\070\255\213\012\356\031\143\307\034\044
-\337\003\170\332\346\352\301\107\032\013\013\106\011\335\002\374
-\336\313\207\137\327\060\143\150\241\256\334\062\241\272\276\376
-\104\253\150\266\245\027\025\375\275\325\247\247\232\344\104\063
-\351\210\216\374\355\121\353\223\161\116\255\001\347\104\216\253
-\055\313\250\376\001\111\110\360\300\335\307\150\330\222\376\075
-\002\003\001\000\001\243\201\307\060\201\304\060\035\006\003\125
-\035\016\004\026\004\024\074\330\223\210\302\300\202\011\314\001
-\231\006\223\040\351\236\160\011\143\117\060\016\006\003\125\035
-\017\001\001\377\004\004\003\002\001\006\060\017\006\003\125\035
-\023\001\001\377\004\005\060\003\001\001\377\060\201\201\006\003
-\125\035\037\004\172\060\170\060\073\240\071\240\067\206\065\150
-\164\164\160\072\057\057\143\162\154\056\143\157\155\157\144\157
-\143\141\056\143\157\155\057\123\145\143\165\162\145\103\145\162
-\164\151\146\151\143\141\164\145\123\145\162\166\151\143\145\163
-\056\143\162\154\060\071\240\067\240\065\206\063\150\164\164\160
-\072\057\057\143\162\154\056\143\157\155\157\144\157\056\156\145
-\164\057\123\145\143\165\162\145\103\145\162\164\151\146\151\143
-\141\164\145\123\145\162\166\151\143\145\163\056\143\162\154\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003\202
-\001\001\000\207\001\155\043\035\176\133\027\175\301\141\062\317
-\217\347\363\212\224\131\146\340\236\050\250\136\323\267\364\064
-\346\252\071\262\227\026\305\202\157\062\244\351\214\347\257\375
-\357\302\350\271\113\252\243\364\346\332\215\145\041\373\272\200
-\353\046\050\205\032\376\071\214\336\133\004\004\264\124\371\243
-\147\236\101\372\011\122\314\005\110\250\311\077\041\004\036\316
-\110\153\374\205\350\302\173\257\177\267\314\370\137\072\375\065
-\306\015\357\227\334\114\253\021\341\153\313\061\321\154\373\110
-\200\253\334\234\067\270\041\024\113\015\161\075\354\203\063\156
-\321\156\062\026\354\230\307\026\213\131\246\064\253\005\127\055
-\223\367\252\023\313\322\023\342\267\056\073\315\153\120\027\011
-\150\076\265\046\127\356\266\340\266\335\271\051\200\171\175\217
-\243\360\244\050\244\025\304\205\364\047\324\153\277\345\134\344
-\145\002\166\124\264\343\067\146\044\323\031\141\310\122\020\345
-\213\067\232\271\251\371\035\277\352\231\222\141\226\377\001\315
-\241\137\015\274\161\274\016\254\013\035\107\105\035\301\354\174
-\354\375\051
-END
-
-# Trust for Certificate "Comodo Secure Services root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Comodo Secure Services root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\112\145\325\364\035\357\071\270\270\220\112\112\323\144\201\063
-\317\307\241\321
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\323\331\275\256\237\254\147\044\263\310\033\122\341\271\251\275
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\176\061\013\060\011\006\003\125\004\006\023\002\107\102\061
-\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145
-\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016
-\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032
-\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040
-\103\101\040\114\151\155\151\164\145\144\061\044\060\042\006\003
-\125\004\003\014\033\123\145\143\165\162\145\040\103\145\162\164
-\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Comodo Trusted Services root"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Comodo Trusted Services root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\177\061\013\060\011\006\003\125\004\006\023\002\107\102\061
-\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145
-\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016
-\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032
-\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040
-\103\101\040\114\151\155\151\164\145\144\061\045\060\043\006\003
-\125\004\003\014\034\124\162\165\163\164\145\144\040\103\145\162
-\164\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145
-\163
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\177\061\013\060\011\006\003\125\004\006\023\002\107\102\061
-\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145
-\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016
-\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032
-\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040
-\103\101\040\114\151\155\151\164\145\144\061\045\060\043\006\003
-\125\004\003\014\034\124\162\165\163\164\145\144\040\103\145\162
-\164\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145
-\163
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\103\060\202\003\053\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\177\061\013\060\011\006\003\125\004\006\023\002\107\102\061\033
-\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145\162
-\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016\006
-\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032\060
-\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040\103
-\101\040\114\151\155\151\164\145\144\061\045\060\043\006\003\125
-\004\003\014\034\124\162\165\163\164\145\144\040\103\145\162\164
-\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163
-\060\036\027\015\060\064\060\061\060\061\060\060\060\060\060\060
-\132\027\015\062\070\061\062\063\061\062\063\065\071\065\071\132
-\060\177\061\013\060\011\006\003\125\004\006\023\002\107\102\061
-\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145
-\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016
-\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032
-\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040
-\103\101\040\114\151\155\151\164\145\144\061\045\060\043\006\003
-\125\004\003\014\034\124\162\165\163\164\145\144\040\103\145\162
-\164\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145
-\163\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001
-\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001
-\001\000\337\161\157\066\130\123\132\362\066\124\127\200\304\164
-\010\040\355\030\177\052\035\346\065\232\036\045\254\234\345\226
-\176\162\122\240\025\102\333\131\335\144\172\032\320\270\173\335
-\071\025\274\125\110\304\355\072\000\352\061\021\272\362\161\164
-\032\147\270\317\063\314\250\061\257\243\343\327\177\277\063\055
-\114\152\074\354\213\303\222\322\123\167\044\164\234\007\156\160
-\374\275\013\133\166\272\137\362\377\327\067\113\112\140\170\367
-\360\372\312\160\264\352\131\252\243\316\110\057\251\303\262\013
-\176\027\162\026\014\246\007\014\033\070\317\311\142\267\077\240
-\223\245\207\101\362\267\160\100\167\330\276\024\174\343\250\300
-\172\216\351\143\152\321\017\232\306\322\364\213\072\024\004\126
-\324\355\270\314\156\365\373\342\054\130\275\177\117\153\053\367
-\140\044\130\044\316\046\357\064\221\072\325\343\201\320\262\360
-\004\002\327\133\267\076\222\254\153\022\212\371\344\005\260\073
-\221\111\134\262\353\123\352\370\237\107\206\356\277\225\300\300
-\006\237\322\133\136\021\033\364\307\004\065\051\322\125\134\344
-\355\353\002\003\001\000\001\243\201\311\060\201\306\060\035\006
-\003\125\035\016\004\026\004\024\305\173\130\275\355\332\045\151
-\322\367\131\026\250\263\062\300\173\047\133\364\060\016\006\003
-\125\035\017\001\001\377\004\004\003\002\001\006\060\017\006\003
-\125\035\023\001\001\377\004\005\060\003\001\001\377\060\201\203
-\006\003\125\035\037\004\174\060\172\060\074\240\072\240\070\206
-\066\150\164\164\160\072\057\057\143\162\154\056\143\157\155\157
-\144\157\143\141\056\143\157\155\057\124\162\165\163\164\145\144
-\103\145\162\164\151\146\151\143\141\164\145\123\145\162\166\151
-\143\145\163\056\143\162\154\060\072\240\070\240\066\206\064\150
-\164\164\160\072\057\057\143\162\154\056\143\157\155\157\144\157
-\056\156\145\164\057\124\162\165\163\164\145\144\103\145\162\164
-\151\146\151\143\141\164\145\123\145\162\166\151\143\145\163\056
-\143\162\154\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\003\202\001\001\000\310\223\201\073\211\264\257\270\204
-\022\114\215\322\360\333\160\272\127\206\025\064\020\271\057\177
-\036\260\250\211\140\241\212\302\167\014\120\112\233\000\213\330
-\213\364\101\342\320\203\212\112\034\024\006\260\243\150\005\160
-\061\060\247\123\233\016\351\112\240\130\151\147\016\256\235\366
-\245\054\101\277\074\006\153\344\131\314\155\020\361\226\157\037
-\337\364\004\002\244\237\105\076\310\330\372\066\106\104\120\077
-\202\227\221\037\050\333\030\021\214\052\344\145\203\127\022\022
-\214\027\077\224\066\376\135\260\300\004\167\023\270\364\025\325
-\077\070\314\224\072\125\320\254\230\365\272\000\137\340\206\031
-\201\170\057\050\300\176\323\314\102\012\365\256\120\240\321\076
-\306\241\161\354\077\240\040\214\146\072\211\264\216\324\330\261
-\115\045\107\356\057\210\310\265\341\005\105\300\276\024\161\336
-\172\375\216\173\175\115\010\226\245\022\163\360\055\312\067\047
-\164\022\047\114\313\266\227\351\331\256\010\155\132\071\100\335
-\005\107\165\152\132\041\263\243\030\317\116\367\056\127\267\230
-\160\136\310\304\170\260\142
-END
-
-# Trust for Certificate "Comodo Trusted Services root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Comodo Trusted Services root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\341\237\343\016\213\204\140\236\200\233\027\015\162\250\305\272
-\156\024\011\275
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\221\033\077\156\315\236\253\356\007\376\037\161\322\263\141\047
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\177\061\013\060\011\006\003\125\004\006\023\002\107\102\061
-\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145
-\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016
-\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032
-\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040
-\103\101\040\114\151\155\151\164\145\144\061\045\060\043\006\003
-\125\004\003\014\034\124\162\165\163\164\145\144\040\103\145\162
-\164\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145
-\163
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "IPS Chained CAs root"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "IPS Chained CAs root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\202\001\034\061\013\060\011\006\003\125\004\006\023\002\105
-\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143
-\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011
-\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125
-\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164
-\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166
-\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125
-\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163
-\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060
-\071\062\071\064\065\062\061\063\060\061\006\003\125\004\013\023
-\052\111\120\123\040\103\101\040\103\150\141\151\156\145\144\040
-\103\101\163\040\103\145\162\164\151\146\151\143\141\164\151\157
-\156\040\101\165\164\150\157\162\151\164\171\061\063\060\061\006
-\003\125\004\003\023\052\111\120\123\040\103\101\040\103\150\141
-\151\156\145\144\040\103\101\163\040\103\145\162\164\151\146\151
-\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
-\061\036\060\034\006\011\052\206\110\206\367\015\001\011\001\026
-\017\151\160\163\100\155\141\151\154\056\151\160\163\056\145\163
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\202\001\034\061\013\060\011\006\003\125\004\006\023\002\105
-\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143
-\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011
-\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125
-\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164
-\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166
-\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125
-\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163
-\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060
-\071\062\071\064\065\062\061\063\060\061\006\003\125\004\013\023
-\052\111\120\123\040\103\101\040\103\150\141\151\156\145\144\040
-\103\101\163\040\103\145\162\164\151\146\151\143\141\164\151\157
-\156\040\101\165\164\150\157\162\151\164\171\061\063\060\061\006
-\003\125\004\003\023\052\111\120\123\040\103\101\040\103\150\141
-\151\156\145\144\040\103\101\163\040\103\145\162\164\151\146\151
-\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
-\061\036\060\034\006\011\052\206\110\206\367\015\001\011\001\026
-\017\151\160\163\100\155\141\151\154\056\151\160\163\056\145\163
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\007\367\060\202\007\140\240\003\002\001\002\002\001\000
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\202\001\034\061\013\060\011\006\003\125\004\006\023\002\105\123
-\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143\145
-\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011\102
-\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125\004
-\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164\040
-\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166\151
-\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125\004
-\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163\056
-\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060\071
-\062\071\064\065\062\061\063\060\061\006\003\125\004\013\023\052
-\111\120\123\040\103\101\040\103\150\141\151\156\145\144\040\103
-\101\163\040\103\145\162\164\151\146\151\143\141\164\151\157\156
-\040\101\165\164\150\157\162\151\164\171\061\063\060\061\006\003
-\125\004\003\023\052\111\120\123\040\103\101\040\103\150\141\151
-\156\145\144\040\103\101\163\040\103\145\162\164\151\146\151\143
-\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061
-\036\060\034\006\011\052\206\110\206\367\015\001\011\001\026\017
-\151\160\163\100\155\141\151\154\056\151\160\163\056\145\163\060
-\036\027\015\060\061\061\062\062\071\060\060\065\063\065\070\132
-\027\015\062\065\061\062\062\067\060\060\065\063\065\070\132\060
-\202\001\034\061\013\060\011\006\003\125\004\006\023\002\105\123
-\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143\145
-\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011\102
-\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125\004
-\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164\040
-\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166\151
-\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125\004
-\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163\056
-\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060\071
-\062\071\064\065\062\061\063\060\061\006\003\125\004\013\023\052
-\111\120\123\040\103\101\040\103\150\141\151\156\145\144\040\103
-\101\163\040\103\145\162\164\151\146\151\143\141\164\151\157\156
-\040\101\165\164\150\157\162\151\164\171\061\063\060\061\006\003
-\125\004\003\023\052\111\120\123\040\103\101\040\103\150\141\151
-\156\145\144\040\103\101\163\040\103\145\162\164\151\146\151\143
-\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061
-\036\060\034\006\011\052\206\110\206\367\015\001\011\001\026\017
-\151\160\163\100\155\141\151\154\056\151\160\163\056\145\163\060
-\201\237\060\015\006\011\052\206\110\206\367\015\001\001\001\005
-\000\003\201\215\000\060\201\211\002\201\201\000\334\126\222\111
-\262\224\040\274\230\117\120\353\150\244\247\111\013\277\322\061
-\350\307\117\302\206\013\372\150\375\103\132\212\363\140\222\065
-\231\070\273\115\003\122\041\133\360\067\231\065\341\101\040\201
-\205\201\005\161\201\235\264\225\031\251\137\166\064\056\143\067
-\065\127\216\264\037\102\077\025\134\341\172\301\137\023\030\062
-\061\311\255\276\243\307\203\146\036\271\234\004\023\313\151\301
-\006\336\060\006\273\063\243\265\037\360\217\157\316\377\226\350
-\124\276\146\200\256\153\333\101\204\066\242\075\002\003\001\000
-\001\243\202\004\103\060\202\004\077\060\035\006\003\125\035\016
-\004\026\004\024\241\255\061\261\371\076\341\027\246\310\253\064
-\374\122\207\011\036\142\122\101\060\202\001\116\006\003\125\035
-\043\004\202\001\105\060\202\001\101\200\024\241\255\061\261\371
-\076\341\027\246\310\253\064\374\122\207\011\036\142\122\101\241
-\202\001\044\244\202\001\040\060\202\001\034\061\013\060\011\006
-\003\125\004\006\023\002\105\123\061\022\060\020\006\003\125\004
-\010\023\011\102\141\162\143\145\154\157\156\141\061\022\060\020
-\006\003\125\004\007\023\011\102\141\162\143\145\154\157\156\141
-\061\056\060\054\006\003\125\004\012\023\045\111\120\123\040\111
-\156\164\145\162\156\145\164\040\160\165\142\154\151\163\150\151
-\156\147\040\123\145\162\166\151\143\145\163\040\163\056\154\056
-\061\053\060\051\006\003\125\004\012\024\042\151\160\163\100\155
-\141\151\154\056\151\160\163\056\145\163\040\103\056\111\056\106
-\056\040\040\102\055\066\060\071\062\071\064\065\062\061\063\060
-\061\006\003\125\004\013\023\052\111\120\123\040\103\101\040\103
-\150\141\151\156\145\144\040\103\101\163\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\061\063\060\061\006\003\125\004\003\023\052\111\120\123
-\040\103\101\040\103\150\141\151\156\145\144\040\103\101\163\040
-\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165
-\164\150\157\162\151\164\171\061\036\060\034\006\011\052\206\110
-\206\367\015\001\011\001\026\017\151\160\163\100\155\141\151\154
-\056\151\160\163\056\145\163\202\001\000\060\014\006\003\125\035
-\023\004\005\060\003\001\001\377\060\014\006\003\125\035\017\004
-\005\003\003\007\377\200\060\153\006\003\125\035\045\004\144\060
-\142\006\010\053\006\001\005\005\007\003\001\006\010\053\006\001
-\005\005\007\003\002\006\010\053\006\001\005\005\007\003\003\006
-\010\053\006\001\005\005\007\003\004\006\010\053\006\001\005\005
-\007\003\010\006\012\053\006\001\004\001\202\067\002\001\025\006
-\012\053\006\001\004\001\202\067\002\001\026\006\012\053\006\001
-\004\001\202\067\012\003\001\006\012\053\006\001\004\001\202\067
-\012\003\004\060\021\006\011\140\206\110\001\206\370\102\001\001
-\004\004\003\002\000\007\060\032\006\003\125\035\021\004\023\060
-\021\201\017\151\160\163\100\155\141\151\154\056\151\160\163\056
-\145\163\060\032\006\003\125\035\022\004\023\060\021\201\017\151
-\160\163\100\155\141\151\154\056\151\160\163\056\145\163\060\102
-\006\011\140\206\110\001\206\370\102\001\015\004\065\026\063\103
-\150\141\151\156\145\144\040\103\101\040\103\145\162\164\151\146
-\151\143\141\164\145\040\151\163\163\165\145\144\040\142\171\040
-\150\164\164\160\072\057\057\167\167\167\056\151\160\163\056\145
-\163\057\060\051\006\011\140\206\110\001\206\370\102\001\002\004
-\034\026\032\150\164\164\160\072\057\057\167\167\167\056\151\160
-\163\056\145\163\057\151\160\163\062\060\060\062\057\060\067\006
-\011\140\206\110\001\206\370\102\001\004\004\052\026\050\150\164
-\164\160\072\057\057\167\167\167\056\151\160\163\056\145\163\057
-\151\160\163\062\060\060\062\057\151\160\163\062\060\060\062\103
-\101\103\056\143\162\154\060\074\006\011\140\206\110\001\206\370
-\102\001\003\004\057\026\055\150\164\164\160\072\057\057\167\167
-\167\056\151\160\163\056\145\163\057\151\160\163\062\060\060\062
-\057\162\145\166\157\143\141\164\151\157\156\103\101\103\056\150
-\164\155\154\077\060\071\006\011\140\206\110\001\206\370\102\001
-\007\004\054\026\052\150\164\164\160\072\057\057\167\167\167\056
-\151\160\163\056\145\163\057\151\160\163\062\060\060\062\057\162
-\145\156\145\167\141\154\103\101\103\056\150\164\155\154\077\060
-\067\006\011\140\206\110\001\206\370\102\001\010\004\052\026\050
-\150\164\164\160\072\057\057\167\167\167\056\151\160\163\056\145
-\163\057\151\160\163\062\060\060\062\057\160\157\154\151\143\171
-\103\101\103\056\150\164\155\154\060\155\006\003\125\035\037\004
-\146\060\144\060\056\240\054\240\052\206\050\150\164\164\160\072
-\057\057\167\167\167\056\151\160\163\056\145\163\057\151\160\163
-\062\060\060\062\057\151\160\163\062\060\060\062\103\101\103\056
-\143\162\154\060\062\240\060\240\056\206\054\150\164\164\160\072
-\057\057\167\167\167\142\141\143\153\056\151\160\163\056\145\163
-\057\151\160\163\062\060\060\062\057\151\160\163\062\060\060\062
-\103\101\103\056\143\162\154\060\057\006\010\053\006\001\005\005
-\007\001\001\004\043\060\041\060\037\006\010\053\006\001\005\005
-\007\060\001\206\023\150\164\164\160\072\057\057\157\143\163\160
-\056\151\160\163\056\145\163\057\060\015\006\011\052\206\110\206
-\367\015\001\001\005\005\000\003\201\201\000\104\162\060\235\126
-\130\242\101\033\050\267\225\341\246\032\225\137\247\170\100\053
-\357\333\226\112\374\114\161\143\331\163\225\275\002\342\242\006
-\307\276\227\052\223\200\064\206\003\372\334\330\075\036\007\315
-\036\163\103\044\140\365\035\141\334\334\226\240\274\373\035\343
-\347\022\000\047\063\002\300\300\053\123\075\330\153\003\201\243
-\333\326\223\225\040\357\323\226\176\046\220\211\234\046\233\315
-\157\146\253\355\003\042\104\070\314\131\275\237\333\366\007\242
-\001\177\046\304\143\365\045\102\136\142\275
-END
-
-# Trust for Certificate "IPS Chained CAs root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "IPS Chained CAs root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\310\302\137\026\236\370\120\164\325\276\350\315\242\324\074\256
-\347\137\322\127
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\215\162\121\333\240\072\317\040\167\337\362\145\006\136\337\357
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\202\001\034\061\013\060\011\006\003\125\004\006\023\002\105
-\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143
-\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011
-\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125
-\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164
-\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166
-\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125
-\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163
-\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060
-\071\062\071\064\065\062\061\063\060\061\006\003\125\004\013\023
-\052\111\120\123\040\103\101\040\103\150\141\151\156\145\144\040
-\103\101\163\040\103\145\162\164\151\146\151\143\141\164\151\157
-\156\040\101\165\164\150\157\162\151\164\171\061\063\060\061\006
-\003\125\004\003\023\052\111\120\123\040\103\101\040\103\150\141
-\151\156\145\144\040\103\101\163\040\103\145\162\164\151\146\151
-\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
-\061\036\060\034\006\011\052\206\110\206\367\015\001\011\001\026
-\017\151\160\163\100\155\141\151\154\056\151\160\163\056\145\163
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "IPS CLASE1 root"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "IPS CLASE1 root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\202\001\022\061\013\060\011\006\003\125\004\006\023\002\105
-\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143
-\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011
-\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125
-\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164
-\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166
-\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125
-\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163
-\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060
-\071\062\071\064\065\062\061\056\060\054\006\003\125\004\013\023
-\045\111\120\123\040\103\101\040\103\114\101\123\105\061\040\103
-\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
-\150\157\162\151\164\171\061\056\060\054\006\003\125\004\003\023
-\045\111\120\123\040\103\101\040\103\114\101\123\105\061\040\103
-\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
-\150\157\162\151\164\171\061\036\060\034\006\011\052\206\110\206
-\367\015\001\011\001\026\017\151\160\163\100\155\141\151\154\056
-\151\160\163\056\145\163
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\202\001\022\061\013\060\011\006\003\125\004\006\023\002\105
-\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143
-\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011
-\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125
-\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164
-\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166
-\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125
-\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163
-\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060
-\071\062\071\064\065\062\061\056\060\054\006\003\125\004\013\023
-\045\111\120\123\040\103\101\040\103\114\101\123\105\061\040\103
-\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
-\150\157\162\151\164\171\061\056\060\054\006\003\125\004\003\023
-\045\111\120\123\040\103\101\040\103\114\101\123\105\061\040\103
-\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
-\150\157\162\151\164\171\061\036\060\034\006\011\052\206\110\206
-\367\015\001\011\001\026\017\151\160\163\100\155\141\151\154\056
-\151\160\163\056\145\163
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\007\352\060\202\007\123\240\003\002\001\002\002\001\000
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\202\001\022\061\013\060\011\006\003\125\004\006\023\002\105\123
-\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143\145
-\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011\102
-\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125\004
-\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164\040
-\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166\151
-\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125\004
-\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163\056
-\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060\071
-\062\071\064\065\062\061\056\060\054\006\003\125\004\013\023\045
-\111\120\123\040\103\101\040\103\114\101\123\105\061\040\103\145
-\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150
-\157\162\151\164\171\061\056\060\054\006\003\125\004\003\023\045
-\111\120\123\040\103\101\040\103\114\101\123\105\061\040\103\145
-\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150
-\157\162\151\164\171\061\036\060\034\006\011\052\206\110\206\367
-\015\001\011\001\026\017\151\160\163\100\155\141\151\154\056\151
-\160\163\056\145\163\060\036\027\015\060\061\061\062\062\071\060
-\060\065\071\063\070\132\027\015\062\065\061\062\062\067\060\060
-\065\071\063\070\132\060\202\001\022\061\013\060\011\006\003\125
-\004\006\023\002\105\123\061\022\060\020\006\003\125\004\010\023
-\011\102\141\162\143\145\154\157\156\141\061\022\060\020\006\003
-\125\004\007\023\011\102\141\162\143\145\154\157\156\141\061\056
-\060\054\006\003\125\004\012\023\045\111\120\123\040\111\156\164
-\145\162\156\145\164\040\160\165\142\154\151\163\150\151\156\147
-\040\123\145\162\166\151\143\145\163\040\163\056\154\056\061\053
-\060\051\006\003\125\004\012\024\042\151\160\163\100\155\141\151
-\154\056\151\160\163\056\145\163\040\103\056\111\056\106\056\040
-\040\102\055\066\060\071\062\071\064\065\062\061\056\060\054\006
-\003\125\004\013\023\045\111\120\123\040\103\101\040\103\114\101
-\123\105\061\040\103\145\162\164\151\146\151\143\141\164\151\157
-\156\040\101\165\164\150\157\162\151\164\171\061\056\060\054\006
-\003\125\004\003\023\045\111\120\123\040\103\101\040\103\114\101
-\123\105\061\040\103\145\162\164\151\146\151\143\141\164\151\157
-\156\040\101\165\164\150\157\162\151\164\171\061\036\060\034\006
-\011\052\206\110\206\367\015\001\011\001\026\017\151\160\163\100
-\155\141\151\154\056\151\160\163\056\145\163\060\201\237\060\015
-\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215
-\000\060\201\211\002\201\201\000\340\121\047\247\013\335\257\321
-\271\103\133\202\067\105\126\162\357\232\266\302\022\357\054\022
-\314\166\371\006\131\257\135\041\324\322\132\270\240\324\363\152
-\375\312\151\215\146\110\367\164\346\356\066\275\350\226\221\165
-\246\161\050\312\347\042\022\062\151\260\076\036\153\364\120\122
-\142\142\375\143\073\175\176\354\356\070\352\142\364\154\250\161
-\215\341\351\213\311\077\306\265\315\224\102\157\335\202\105\074
-\350\337\011\350\357\012\125\251\126\107\141\114\111\144\163\020
-\050\077\312\277\011\377\306\057\002\003\001\000\001\243\202\004
-\112\060\202\004\106\060\035\006\003\125\035\016\004\026\004\024
-\353\263\031\171\363\301\245\034\254\334\272\037\146\242\262\233
-\151\320\170\010\060\202\001\104\006\003\125\035\043\004\202\001
-\073\060\202\001\067\200\024\353\263\031\171\363\301\245\034\254
-\334\272\037\146\242\262\233\151\320\170\010\241\202\001\032\244
-\202\001\026\060\202\001\022\061\013\060\011\006\003\125\004\006
-\023\002\105\123\061\022\060\020\006\003\125\004\010\023\011\102
-\141\162\143\145\154\157\156\141\061\022\060\020\006\003\125\004
-\007\023\011\102\141\162\143\145\154\157\156\141\061\056\060\054
-\006\003\125\004\012\023\045\111\120\123\040\111\156\164\145\162
-\156\145\164\040\160\165\142\154\151\163\150\151\156\147\040\123
-\145\162\166\151\143\145\163\040\163\056\154\056\061\053\060\051
-\006\003\125\004\012\024\042\151\160\163\100\155\141\151\154\056
-\151\160\163\056\145\163\040\103\056\111\056\106\056\040\040\102
-\055\066\060\071\062\071\064\065\062\061\056\060\054\006\003\125
-\004\013\023\045\111\120\123\040\103\101\040\103\114\101\123\105
-\061\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\056\060\054\006\003\125
-\004\003\023\045\111\120\123\040\103\101\040\103\114\101\123\105
-\061\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\036\060\034\006\011\052
-\206\110\206\367\015\001\011\001\026\017\151\160\163\100\155\141
-\151\154\056\151\160\163\056\145\163\202\001\000\060\014\006\003
-\125\035\023\004\005\060\003\001\001\377\060\014\006\003\125\035
-\017\004\005\003\003\007\377\200\060\153\006\003\125\035\045\004
-\144\060\142\006\010\053\006\001\005\005\007\003\001\006\010\053
-\006\001\005\005\007\003\002\006\010\053\006\001\005\005\007\003
-\003\006\010\053\006\001\005\005\007\003\004\006\010\053\006\001
-\005\005\007\003\010\006\012\053\006\001\004\001\202\067\002\001
-\025\006\012\053\006\001\004\001\202\067\002\001\026\006\012\053
-\006\001\004\001\202\067\012\003\001\006\012\053\006\001\004\001
-\202\067\012\003\004\060\021\006\011\140\206\110\001\206\370\102
-\001\001\004\004\003\002\000\007\060\032\006\003\125\035\021\004
-\023\060\021\201\017\151\160\163\100\155\141\151\154\056\151\160
-\163\056\145\163\060\032\006\003\125\035\022\004\023\060\021\201
-\017\151\160\163\100\155\141\151\154\056\151\160\163\056\145\163
-\060\101\006\011\140\206\110\001\206\370\102\001\015\004\064\026
-\062\103\114\101\123\105\061\040\103\101\040\103\145\162\164\151
-\146\151\143\141\164\145\040\151\163\163\165\145\144\040\142\171
-\040\150\164\164\160\072\057\057\167\167\167\056\151\160\163\056
-\145\163\057\060\051\006\011\140\206\110\001\206\370\102\001\002
-\004\034\026\032\150\164\164\160\072\057\057\167\167\167\056\151
-\160\163\056\145\163\057\151\160\163\062\060\060\062\057\060\072
-\006\011\140\206\110\001\206\370\102\001\004\004\055\026\053\150
-\164\164\160\072\057\057\167\167\167\056\151\160\163\056\145\163
-\057\151\160\163\062\060\060\062\057\151\160\163\062\060\060\062
-\103\114\101\123\105\061\056\143\162\154\060\077\006\011\140\206
-\110\001\206\370\102\001\003\004\062\026\060\150\164\164\160\072
-\057\057\167\167\167\056\151\160\163\056\145\163\057\151\160\163
-\062\060\060\062\057\162\145\166\157\143\141\164\151\157\156\103
-\114\101\123\105\061\056\150\164\155\154\077\060\074\006\011\140
-\206\110\001\206\370\102\001\007\004\057\026\055\150\164\164\160
-\072\057\057\167\167\167\056\151\160\163\056\145\163\057\151\160
-\163\062\060\060\062\057\162\145\156\145\167\141\154\103\114\101
-\123\105\061\056\150\164\155\154\077\060\072\006\011\140\206\110
-\001\206\370\102\001\010\004\055\026\053\150\164\164\160\072\057
-\057\167\167\167\056\151\160\163\056\145\163\057\151\160\163\062
-\060\060\062\057\160\157\154\151\143\171\103\114\101\123\105\061
-\056\150\164\155\154\060\163\006\003\125\035\037\004\154\060\152
-\060\061\240\057\240\055\206\053\150\164\164\160\072\057\057\167
-\167\167\056\151\160\163\056\145\163\057\151\160\163\062\060\060
-\062\057\151\160\163\062\060\060\062\103\114\101\123\105\061\056
-\143\162\154\060\065\240\063\240\061\206\057\150\164\164\160\072
-\057\057\167\167\167\142\141\143\153\056\151\160\163\056\145\163
-\057\151\160\163\062\060\060\062\057\151\160\163\062\060\060\062
-\103\114\101\123\105\061\056\143\162\154\060\057\006\010\053\006
-\001\005\005\007\001\001\004\043\060\041\060\037\006\010\053\006
-\001\005\005\007\060\001\206\023\150\164\164\160\072\057\057\157
-\143\163\160\056\151\160\163\056\145\163\057\060\015\006\011\052
-\206\110\206\367\015\001\001\005\005\000\003\201\201\000\053\320
-\353\375\332\310\312\131\152\332\323\314\062\056\311\124\033\212
-\142\176\025\055\351\331\061\323\056\364\047\043\377\133\253\305
-\112\266\162\100\256\123\164\364\274\005\264\306\331\310\311\167
-\373\267\371\064\177\170\000\370\326\244\344\122\077\054\112\143
-\127\201\165\132\216\350\214\373\002\300\224\306\051\272\263\334
-\034\350\262\257\322\056\142\133\032\251\216\016\314\305\127\105
-\121\024\351\116\034\210\245\221\364\243\367\216\121\310\251\276
-\206\063\076\346\057\110\156\257\124\220\116\255\261\045
-END
-
-# Trust for Certificate "IPS CLASE1 root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "IPS CLASE1 root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\103\236\122\137\132\152\107\303\054\353\304\134\143\355\071\061
-\174\345\364\337
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\204\220\035\225\060\111\126\374\101\201\360\105\327\166\304\153
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\202\001\022\061\013\060\011\006\003\125\004\006\023\002\105
-\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143
-\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011
-\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125
-\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164
-\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166
-\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125
-\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163
-\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060
-\071\062\071\064\065\062\061\056\060\054\006\003\125\004\013\023
-\045\111\120\123\040\103\101\040\103\114\101\123\105\061\040\103
-\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
-\150\157\162\151\164\171\061\056\060\054\006\003\125\004\003\023
-\045\111\120\123\040\103\101\040\103\114\101\123\105\061\040\103
-\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
-\150\157\162\151\164\171\061\036\060\034\006\011\052\206\110\206
-\367\015\001\011\001\026\017\151\160\163\100\155\141\151\154\056
-\151\160\163\056\145\163
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "IPS CLASE3 root"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "IPS CLASE3 root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\202\001\022\061\013\060\011\006\003\125\004\006\023\002\105
-\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143
-\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011
-\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125
-\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164
-\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166
-\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125
-\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163
-\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060
-\071\062\071\064\065\062\061\056\060\054\006\003\125\004\013\023
-\045\111\120\123\040\103\101\040\103\114\101\123\105\063\040\103
-\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
-\150\157\162\151\164\171\061\056\060\054\006\003\125\004\003\023
-\045\111\120\123\040\103\101\040\103\114\101\123\105\063\040\103
-\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
-\150\157\162\151\164\171\061\036\060\034\006\011\052\206\110\206
-\367\015\001\011\001\026\017\151\160\163\100\155\141\151\154\056
-\151\160\163\056\145\163
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\202\001\022\061\013\060\011\006\003\125\004\006\023\002\105
-\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143
-\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011
-\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125
-\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164
-\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166
-\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125
-\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163
-\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060
-\071\062\071\064\065\062\061\056\060\054\006\003\125\004\013\023
-\045\111\120\123\040\103\101\040\103\114\101\123\105\063\040\103
-\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
-\150\157\162\151\164\171\061\056\060\054\006\003\125\004\003\023
-\045\111\120\123\040\103\101\040\103\114\101\123\105\063\040\103
-\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
-\150\157\162\151\164\171\061\036\060\034\006\011\052\206\110\206
-\367\015\001\011\001\026\017\151\160\163\100\155\141\151\154\056
-\151\160\163\056\145\163
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\007\352\060\202\007\123\240\003\002\001\002\002\001\000
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\202\001\022\061\013\060\011\006\003\125\004\006\023\002\105\123
-\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143\145
-\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011\102
-\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125\004
-\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164\040
-\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166\151
-\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125\004
-\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163\056
-\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060\071
-\062\071\064\065\062\061\056\060\054\006\003\125\004\013\023\045
-\111\120\123\040\103\101\040\103\114\101\123\105\063\040\103\145
-\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150
-\157\162\151\164\171\061\056\060\054\006\003\125\004\003\023\045
-\111\120\123\040\103\101\040\103\114\101\123\105\063\040\103\145
-\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150
-\157\162\151\164\171\061\036\060\034\006\011\052\206\110\206\367
-\015\001\011\001\026\017\151\160\163\100\155\141\151\154\056\151
-\160\163\056\145\163\060\036\027\015\060\061\061\062\062\071\060
-\061\060\061\064\064\132\027\015\062\065\061\062\062\067\060\061
-\060\061\064\064\132\060\202\001\022\061\013\060\011\006\003\125
-\004\006\023\002\105\123\061\022\060\020\006\003\125\004\010\023
-\011\102\141\162\143\145\154\157\156\141\061\022\060\020\006\003
-\125\004\007\023\011\102\141\162\143\145\154\157\156\141\061\056
-\060\054\006\003\125\004\012\023\045\111\120\123\040\111\156\164
-\145\162\156\145\164\040\160\165\142\154\151\163\150\151\156\147
-\040\123\145\162\166\151\143\145\163\040\163\056\154\056\061\053
-\060\051\006\003\125\004\012\024\042\151\160\163\100\155\141\151
-\154\056\151\160\163\056\145\163\040\103\056\111\056\106\056\040
-\040\102\055\066\060\071\062\071\064\065\062\061\056\060\054\006
-\003\125\004\013\023\045\111\120\123\040\103\101\040\103\114\101
-\123\105\063\040\103\145\162\164\151\146\151\143\141\164\151\157
-\156\040\101\165\164\150\157\162\151\164\171\061\056\060\054\006
-\003\125\004\003\023\045\111\120\123\040\103\101\040\103\114\101
-\123\105\063\040\103\145\162\164\151\146\151\143\141\164\151\157
-\156\040\101\165\164\150\157\162\151\164\171\061\036\060\034\006
-\011\052\206\110\206\367\015\001\011\001\026\017\151\160\163\100
-\155\141\151\154\056\151\160\163\056\145\163\060\201\237\060\015
-\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215
-\000\060\201\211\002\201\201\000\253\027\376\016\260\306\150\033
-\123\360\122\276\237\372\332\372\213\023\004\273\001\217\062\331
-\037\217\115\316\066\230\332\344\000\104\214\050\330\023\104\052
-\244\153\116\027\044\102\234\323\210\244\101\202\326\043\373\213
-\311\206\345\271\251\202\005\334\361\336\037\340\014\231\125\230
-\362\070\354\154\235\040\003\300\357\252\243\306\144\004\121\055
-\170\015\243\322\250\072\326\044\114\351\226\172\030\254\023\043
-\042\033\174\350\061\021\263\137\011\252\060\160\161\106\045\153
-\111\161\200\053\225\001\262\037\002\003\001\000\001\243\202\004
-\112\060\202\004\106\060\035\006\003\125\035\016\004\026\004\024
-\270\223\377\056\313\334\054\216\242\347\172\376\066\121\041\243
-\230\133\014\064\060\202\001\104\006\003\125\035\043\004\202\001
-\073\060\202\001\067\200\024\270\223\377\056\313\334\054\216\242
-\347\172\376\066\121\041\243\230\133\014\064\241\202\001\032\244
-\202\001\026\060\202\001\022\061\013\060\011\006\003\125\004\006
-\023\002\105\123\061\022\060\020\006\003\125\004\010\023\011\102
-\141\162\143\145\154\157\156\141\061\022\060\020\006\003\125\004
-\007\023\011\102\141\162\143\145\154\157\156\141\061\056\060\054
-\006\003\125\004\012\023\045\111\120\123\040\111\156\164\145\162
-\156\145\164\040\160\165\142\154\151\163\150\151\156\147\040\123
-\145\162\166\151\143\145\163\040\163\056\154\056\061\053\060\051
-\006\003\125\004\012\024\042\151\160\163\100\155\141\151\154\056
-\151\160\163\056\145\163\040\103\056\111\056\106\056\040\040\102
-\055\066\060\071\062\071\064\065\062\061\056\060\054\006\003\125
-\004\013\023\045\111\120\123\040\103\101\040\103\114\101\123\105
-\063\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\056\060\054\006\003\125
-\004\003\023\045\111\120\123\040\103\101\040\103\114\101\123\105
-\063\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\036\060\034\006\011\052
-\206\110\206\367\015\001\011\001\026\017\151\160\163\100\155\141
-\151\154\056\151\160\163\056\145\163\202\001\000\060\014\006\003
-\125\035\023\004\005\060\003\001\001\377\060\014\006\003\125\035
-\017\004\005\003\003\007\377\200\060\153\006\003\125\035\045\004
-\144\060\142\006\010\053\006\001\005\005\007\003\001\006\010\053
-\006\001\005\005\007\003\002\006\010\053\006\001\005\005\007\003
-\003\006\010\053\006\001\005\005\007\003\004\006\010\053\006\001
-\005\005\007\003\010\006\012\053\006\001\004\001\202\067\002\001
-\025\006\012\053\006\001\004\001\202\067\002\001\026\006\012\053
-\006\001\004\001\202\067\012\003\001\006\012\053\006\001\004\001
-\202\067\012\003\004\060\021\006\011\140\206\110\001\206\370\102
-\001\001\004\004\003\002\000\007\060\032\006\003\125\035\021\004
-\023\060\021\201\017\151\160\163\100\155\141\151\154\056\151\160
-\163\056\145\163\060\032\006\003\125\035\022\004\023\060\021\201
-\017\151\160\163\100\155\141\151\154\056\151\160\163\056\145\163
-\060\101\006\011\140\206\110\001\206\370\102\001\015\004\064\026
-\062\103\114\101\123\105\063\040\103\101\040\103\145\162\164\151
-\146\151\143\141\164\145\040\151\163\163\165\145\144\040\142\171
-\040\150\164\164\160\072\057\057\167\167\167\056\151\160\163\056
-\145\163\057\060\051\006\011\140\206\110\001\206\370\102\001\002
-\004\034\026\032\150\164\164\160\072\057\057\167\167\167\056\151
-\160\163\056\145\163\057\151\160\163\062\060\060\062\057\060\072
-\006\011\140\206\110\001\206\370\102\001\004\004\055\026\053\150
-\164\164\160\072\057\057\167\167\167\056\151\160\163\056\145\163
-\057\151\160\163\062\060\060\062\057\151\160\163\062\060\060\062
-\103\114\101\123\105\063\056\143\162\154\060\077\006\011\140\206
-\110\001\206\370\102\001\003\004\062\026\060\150\164\164\160\072
-\057\057\167\167\167\056\151\160\163\056\145\163\057\151\160\163
-\062\060\060\062\057\162\145\166\157\143\141\164\151\157\156\103
-\114\101\123\105\063\056\150\164\155\154\077\060\074\006\011\140
-\206\110\001\206\370\102\001\007\004\057\026\055\150\164\164\160
-\072\057\057\167\167\167\056\151\160\163\056\145\163\057\151\160
-\163\062\060\060\062\057\162\145\156\145\167\141\154\103\114\101
-\123\105\063\056\150\164\155\154\077\060\072\006\011\140\206\110
-\001\206\370\102\001\010\004\055\026\053\150\164\164\160\072\057
-\057\167\167\167\056\151\160\163\056\145\163\057\151\160\163\062
-\060\060\062\057\160\157\154\151\143\171\103\114\101\123\105\063
-\056\150\164\155\154\060\163\006\003\125\035\037\004\154\060\152
-\060\061\240\057\240\055\206\053\150\164\164\160\072\057\057\167
-\167\167\056\151\160\163\056\145\163\057\151\160\163\062\060\060
-\062\057\151\160\163\062\060\060\062\103\114\101\123\105\063\056
-\143\162\154\060\065\240\063\240\061\206\057\150\164\164\160\072
-\057\057\167\167\167\142\141\143\153\056\151\160\163\056\145\163
-\057\151\160\163\062\060\060\062\057\151\160\163\062\060\060\062
-\103\114\101\123\105\063\056\143\162\154\060\057\006\010\053\006
-\001\005\005\007\001\001\004\043\060\041\060\037\006\010\053\006
-\001\005\005\007\060\001\206\023\150\164\164\160\072\057\057\157
-\143\163\160\056\151\160\163\056\145\163\057\060\015\006\011\052
-\206\110\206\367\015\001\001\005\005\000\003\201\201\000\027\145
-\134\231\225\103\003\047\257\046\345\353\320\263\027\043\367\103
-\252\307\360\175\354\017\306\251\256\256\226\017\166\051\034\342
-\006\055\176\046\305\074\372\241\301\201\316\123\260\102\321\227
-\127\032\027\176\244\121\141\306\356\351\136\357\005\272\353\275
-\017\247\222\157\330\243\006\150\051\216\171\365\377\277\371\247
-\257\344\261\316\302\321\200\102\047\005\004\064\370\303\177\026
-\170\043\014\007\044\362\106\107\255\073\124\320\257\325\061\262
-\257\175\310\352\351\324\126\331\016\023\262\305\105\120
-END
-
-# Trust for Certificate "IPS CLASE3 root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "IPS CLASE3 root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\101\170\253\114\277\316\173\101\002\254\332\304\223\076\157\365
-\015\317\161\134
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\102\166\227\150\317\246\264\070\044\252\241\033\362\147\336\312
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\202\001\022\061\013\060\011\006\003\125\004\006\023\002\105
-\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143
-\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011
-\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125
-\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164
-\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166
-\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125
-\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163
-\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060
-\071\062\071\064\065\062\061\056\060\054\006\003\125\004\013\023
-\045\111\120\123\040\103\101\040\103\114\101\123\105\063\040\103
-\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
-\150\157\162\151\164\171\061\056\060\054\006\003\125\004\003\023
-\045\111\120\123\040\103\101\040\103\114\101\123\105\063\040\103
-\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
-\150\157\162\151\164\171\061\036\060\034\006\011\052\206\110\206
-\367\015\001\011\001\026\017\151\160\163\100\155\141\151\154\056
-\151\160\163\056\145\163
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "IPS CLASEA1 root"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "IPS CLASEA1 root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\202\001\024\061\013\060\011\006\003\125\004\006\023\002\105
-\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143
-\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011
-\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125
-\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164
-\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166
-\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125
-\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163
-\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060
-\071\062\071\064\065\062\061\057\060\055\006\003\125\004\013\023
-\046\111\120\123\040\103\101\040\103\114\101\123\105\101\061\040
-\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165
-\164\150\157\162\151\164\171\061\057\060\055\006\003\125\004\003
-\023\046\111\120\123\040\103\101\040\103\114\101\123\105\101\061
-\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
-\165\164\150\157\162\151\164\171\061\036\060\034\006\011\052\206
-\110\206\367\015\001\011\001\026\017\151\160\163\100\155\141\151
-\154\056\151\160\163\056\145\163
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\202\001\024\061\013\060\011\006\003\125\004\006\023\002\105
-\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143
-\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011
-\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125
-\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164
-\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166
-\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125
-\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163
-\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060
-\071\062\071\064\065\062\061\057\060\055\006\003\125\004\013\023
-\046\111\120\123\040\103\101\040\103\114\101\123\105\101\061\040
-\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165
-\164\150\157\162\151\164\171\061\057\060\055\006\003\125\004\003
-\023\046\111\120\123\040\103\101\040\103\114\101\123\105\101\061
-\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
-\165\164\150\157\162\151\164\171\061\036\060\034\006\011\052\206
-\110\206\367\015\001\011\001\026\017\151\160\163\100\155\141\151
-\154\056\151\160\163\056\145\163
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\007\367\060\202\007\140\240\003\002\001\002\002\001\000
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\202\001\024\061\013\060\011\006\003\125\004\006\023\002\105\123
-\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143\145
-\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011\102
-\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125\004
-\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164\040
-\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166\151
-\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125\004
-\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163\056
-\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060\071
-\062\071\064\065\062\061\057\060\055\006\003\125\004\013\023\046
-\111\120\123\040\103\101\040\103\114\101\123\105\101\061\040\103
-\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
-\150\157\162\151\164\171\061\057\060\055\006\003\125\004\003\023
-\046\111\120\123\040\103\101\040\103\114\101\123\105\101\061\040
-\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165
-\164\150\157\162\151\164\171\061\036\060\034\006\011\052\206\110
-\206\367\015\001\011\001\026\017\151\160\163\100\155\141\151\154
-\056\151\160\163\056\145\163\060\036\027\015\060\061\061\062\062
-\071\060\061\060\065\063\062\132\027\015\062\065\061\062\062\067
-\060\061\060\065\063\062\132\060\202\001\024\061\013\060\011\006
-\003\125\004\006\023\002\105\123\061\022\060\020\006\003\125\004
-\010\023\011\102\141\162\143\145\154\157\156\141\061\022\060\020
-\006\003\125\004\007\023\011\102\141\162\143\145\154\157\156\141
-\061\056\060\054\006\003\125\004\012\023\045\111\120\123\040\111
-\156\164\145\162\156\145\164\040\160\165\142\154\151\163\150\151
-\156\147\040\123\145\162\166\151\143\145\163\040\163\056\154\056
-\061\053\060\051\006\003\125\004\012\024\042\151\160\163\100\155
-\141\151\154\056\151\160\163\056\145\163\040\103\056\111\056\106
-\056\040\040\102\055\066\060\071\062\071\064\065\062\061\057\060
-\055\006\003\125\004\013\023\046\111\120\123\040\103\101\040\103
-\114\101\123\105\101\061\040\103\145\162\164\151\146\151\143\141
-\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061\057
-\060\055\006\003\125\004\003\023\046\111\120\123\040\103\101\040
-\103\114\101\123\105\101\061\040\103\145\162\164\151\146\151\143
-\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061
-\036\060\034\006\011\052\206\110\206\367\015\001\011\001\026\017
-\151\160\163\100\155\141\151\154\056\151\160\163\056\145\163\060
-\201\237\060\015\006\011\052\206\110\206\367\015\001\001\001\005
-\000\003\201\215\000\060\201\211\002\201\201\000\273\060\327\334
-\320\124\275\065\116\237\305\114\202\352\321\120\074\107\230\374
-\233\151\235\167\315\156\340\077\356\353\062\137\137\237\322\320
-\171\345\225\163\104\041\062\340\012\333\235\327\316\215\253\122
-\213\053\170\340\233\133\175\364\375\155\011\345\256\341\154\035
-\007\043\240\027\321\371\175\250\106\106\221\042\250\262\151\306
-\255\367\365\365\224\241\060\224\275\000\314\104\177\356\304\236
-\311\301\346\217\012\066\301\375\044\075\001\240\365\173\342\174
-\170\146\103\213\117\131\362\233\331\372\111\263\002\003\001\000
-\001\243\202\004\123\060\202\004\117\060\035\006\003\125\035\016
-\004\026\004\024\147\046\226\347\241\277\330\265\003\235\376\073
-\334\376\362\212\346\025\335\060\060\202\001\106\006\003\125\035
-\043\004\202\001\075\060\202\001\071\200\024\147\046\226\347\241
-\277\330\265\003\235\376\073\334\376\362\212\346\025\335\060\241
-\202\001\034\244\202\001\030\060\202\001\024\061\013\060\011\006
-\003\125\004\006\023\002\105\123\061\022\060\020\006\003\125\004
-\010\023\011\102\141\162\143\145\154\157\156\141\061\022\060\020
-\006\003\125\004\007\023\011\102\141\162\143\145\154\157\156\141
-\061\056\060\054\006\003\125\004\012\023\045\111\120\123\040\111
-\156\164\145\162\156\145\164\040\160\165\142\154\151\163\150\151
-\156\147\040\123\145\162\166\151\143\145\163\040\163\056\154\056
-\061\053\060\051\006\003\125\004\012\024\042\151\160\163\100\155
-\141\151\154\056\151\160\163\056\145\163\040\103\056\111\056\106
-\056\040\040\102\055\066\060\071\062\071\064\065\062\061\057\060
-\055\006\003\125\004\013\023\046\111\120\123\040\103\101\040\103
-\114\101\123\105\101\061\040\103\145\162\164\151\146\151\143\141
-\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061\057
-\060\055\006\003\125\004\003\023\046\111\120\123\040\103\101\040
-\103\114\101\123\105\101\061\040\103\145\162\164\151\146\151\143
-\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061
-\036\060\034\006\011\052\206\110\206\367\015\001\011\001\026\017
-\151\160\163\100\155\141\151\154\056\151\160\163\056\145\163\202
-\001\000\060\014\006\003\125\035\023\004\005\060\003\001\001\377
-\060\014\006\003\125\035\017\004\005\003\003\007\377\200\060\153
-\006\003\125\035\045\004\144\060\142\006\010\053\006\001\005\005
-\007\003\001\006\010\053\006\001\005\005\007\003\002\006\010\053
-\006\001\005\005\007\003\003\006\010\053\006\001\005\005\007\003
-\004\006\010\053\006\001\005\005\007\003\010\006\012\053\006\001
-\004\001\202\067\002\001\025\006\012\053\006\001\004\001\202\067
-\002\001\026\006\012\053\006\001\004\001\202\067\012\003\001\006
-\012\053\006\001\004\001\202\067\012\003\004\060\021\006\011\140
-\206\110\001\206\370\102\001\001\004\004\003\002\000\007\060\032
-\006\003\125\035\021\004\023\060\021\201\017\151\160\163\100\155
-\141\151\154\056\151\160\163\056\145\163\060\032\006\003\125\035
-\022\004\023\060\021\201\017\151\160\163\100\155\141\151\154\056
-\151\160\163\056\145\163\060\102\006\011\140\206\110\001\206\370
-\102\001\015\004\065\026\063\103\114\101\123\105\101\061\040\103
-\101\040\103\145\162\164\151\146\151\143\141\164\145\040\151\163
-\163\165\145\144\040\142\171\040\150\164\164\160\072\057\057\167
-\167\167\056\151\160\163\056\145\163\057\060\051\006\011\140\206
-\110\001\206\370\102\001\002\004\034\026\032\150\164\164\160\072
-\057\057\167\167\167\056\151\160\163\056\145\163\057\151\160\163
-\062\060\060\062\057\060\073\006\011\140\206\110\001\206\370\102
-\001\004\004\056\026\054\150\164\164\160\072\057\057\167\167\167
-\056\151\160\163\056\145\163\057\151\160\163\062\060\060\062\057
-\151\160\163\062\060\060\062\103\114\101\123\105\101\061\056\143
-\162\154\060\100\006\011\140\206\110\001\206\370\102\001\003\004
-\063\026\061\150\164\164\160\072\057\057\167\167\167\056\151\160
-\163\056\145\163\057\151\160\163\062\060\060\062\057\162\145\166
-\157\143\141\164\151\157\156\103\114\101\123\105\101\061\056\150
-\164\155\154\077\060\075\006\011\140\206\110\001\206\370\102\001
-\007\004\060\026\056\150\164\164\160\072\057\057\167\167\167\056
-\151\160\163\056\145\163\057\151\160\163\062\060\060\062\057\162
-\145\156\145\167\141\154\103\114\101\123\105\101\061\056\150\164
-\155\154\077\060\073\006\011\140\206\110\001\206\370\102\001\010
-\004\056\026\054\150\164\164\160\072\057\057\167\167\167\056\151
-\160\163\056\145\163\057\151\160\163\062\060\060\062\057\160\157
-\154\151\143\171\103\114\101\123\105\101\061\056\150\164\155\154
-\060\165\006\003\125\035\037\004\156\060\154\060\062\240\060\240
-\056\206\054\150\164\164\160\072\057\057\167\167\167\056\151\160
-\163\056\145\163\057\151\160\163\062\060\060\062\057\151\160\163
-\062\060\060\062\103\114\101\123\105\101\061\056\143\162\154\060
-\066\240\064\240\062\206\060\150\164\164\160\072\057\057\167\167
-\167\142\141\143\153\056\151\160\163\056\145\163\057\151\160\163
-\062\060\060\062\057\151\160\163\062\060\060\062\103\114\101\123
-\105\101\061\056\143\162\154\060\057\006\010\053\006\001\005\005
-\007\001\001\004\043\060\041\060\037\006\010\053\006\001\005\005
-\007\060\001\206\023\150\164\164\160\072\057\057\157\143\163\160
-\056\151\160\163\056\145\163\057\060\015\006\011\052\206\110\206
-\367\015\001\001\005\005\000\003\201\201\000\176\272\212\254\200
-\000\204\025\012\325\230\121\014\144\305\234\002\130\203\146\312
-\255\036\007\315\176\152\332\200\007\337\003\064\112\034\223\304
-\113\130\040\065\066\161\355\242\012\065\022\245\246\145\247\205
-\151\012\016\343\141\356\352\276\050\223\063\325\354\350\276\304
-\333\137\177\250\371\143\061\310\153\226\342\051\302\133\240\347
-\227\066\235\167\136\061\153\376\323\247\333\052\333\333\226\213
-\037\146\336\266\003\300\053\263\170\326\125\007\345\217\071\120
-\336\007\043\162\346\275\040\024\113\264\206
-END
-
-# Trust for Certificate "IPS CLASEA1 root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "IPS CLASEA1 root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\063\243\065\302\074\350\003\113\004\341\075\345\304\216\171\032
-\353\214\062\004
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\014\370\236\027\374\324\003\275\346\215\233\074\005\207\376\204
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\202\001\024\061\013\060\011\006\003\125\004\006\023\002\105
-\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143
-\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011
-\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125
-\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164
-\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166
-\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125
-\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163
-\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060
-\071\062\071\064\065\062\061\057\060\055\006\003\125\004\013\023
-\046\111\120\123\040\103\101\040\103\114\101\123\105\101\061\040
-\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165
-\164\150\157\162\151\164\171\061\057\060\055\006\003\125\004\003
-\023\046\111\120\123\040\103\101\040\103\114\101\123\105\101\061
-\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
-\165\164\150\157\162\151\164\171\061\036\060\034\006\011\052\206
-\110\206\367\015\001\011\001\026\017\151\160\163\100\155\141\151
-\154\056\151\160\163\056\145\163
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "IPS CLASEA3 root"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "IPS CLASEA3 root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\202\001\024\061\013\060\011\006\003\125\004\006\023\002\105
-\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143
-\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011
-\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125
-\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164
-\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166
-\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125
-\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163
-\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060
-\071\062\071\064\065\062\061\057\060\055\006\003\125\004\013\023
-\046\111\120\123\040\103\101\040\103\114\101\123\105\101\063\040
-\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165
-\164\150\157\162\151\164\171\061\057\060\055\006\003\125\004\003
-\023\046\111\120\123\040\103\101\040\103\114\101\123\105\101\063
-\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
-\165\164\150\157\162\151\164\171\061\036\060\034\006\011\052\206
-\110\206\367\015\001\011\001\026\017\151\160\163\100\155\141\151
-\154\056\151\160\163\056\145\163
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\202\001\024\061\013\060\011\006\003\125\004\006\023\002\105
-\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143
-\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011
-\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125
-\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164
-\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166
-\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125
-\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163
-\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060
-\071\062\071\064\065\062\061\057\060\055\006\003\125\004\013\023
-\046\111\120\123\040\103\101\040\103\114\101\123\105\101\063\040
-\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165
-\164\150\157\162\151\164\171\061\057\060\055\006\003\125\004\003
-\023\046\111\120\123\040\103\101\040\103\114\101\123\105\101\063
-\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
-\165\164\150\157\162\151\164\171\061\036\060\034\006\011\052\206
-\110\206\367\015\001\011\001\026\017\151\160\163\100\155\141\151
-\154\056\151\160\163\056\145\163
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\007\367\060\202\007\140\240\003\002\001\002\002\001\000
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\202\001\024\061\013\060\011\006\003\125\004\006\023\002\105\123
-\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143\145
-\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011\102
-\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125\004
-\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164\040
-\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166\151
-\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125\004
-\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163\056
-\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060\071
-\062\071\064\065\062\061\057\060\055\006\003\125\004\013\023\046
-\111\120\123\040\103\101\040\103\114\101\123\105\101\063\040\103
-\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
-\150\157\162\151\164\171\061\057\060\055\006\003\125\004\003\023
-\046\111\120\123\040\103\101\040\103\114\101\123\105\101\063\040
-\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165
-\164\150\157\162\151\164\171\061\036\060\034\006\011\052\206\110
-\206\367\015\001\011\001\026\017\151\160\163\100\155\141\151\154
-\056\151\160\163\056\145\163\060\036\027\015\060\061\061\062\062
-\071\060\061\060\067\065\060\132\027\015\062\065\061\062\062\067
-\060\061\060\067\065\060\132\060\202\001\024\061\013\060\011\006
-\003\125\004\006\023\002\105\123\061\022\060\020\006\003\125\004
-\010\023\011\102\141\162\143\145\154\157\156\141\061\022\060\020
-\006\003\125\004\007\023\011\102\141\162\143\145\154\157\156\141
-\061\056\060\054\006\003\125\004\012\023\045\111\120\123\040\111
-\156\164\145\162\156\145\164\040\160\165\142\154\151\163\150\151
-\156\147\040\123\145\162\166\151\143\145\163\040\163\056\154\056
-\061\053\060\051\006\003\125\004\012\024\042\151\160\163\100\155
-\141\151\154\056\151\160\163\056\145\163\040\103\056\111\056\106
-\056\040\040\102\055\066\060\071\062\071\064\065\062\061\057\060
-\055\006\003\125\004\013\023\046\111\120\123\040\103\101\040\103
-\114\101\123\105\101\063\040\103\145\162\164\151\146\151\143\141
-\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061\057
-\060\055\006\003\125\004\003\023\046\111\120\123\040\103\101\040
-\103\114\101\123\105\101\063\040\103\145\162\164\151\146\151\143
-\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061
-\036\060\034\006\011\052\206\110\206\367\015\001\011\001\026\017
-\151\160\163\100\155\141\151\154\056\151\160\163\056\145\163\060
-\201\237\060\015\006\011\052\206\110\206\367\015\001\001\001\005
-\000\003\201\215\000\060\201\211\002\201\201\000\356\200\000\366
-\032\144\056\255\152\310\203\261\213\247\356\217\331\266\333\315
-\033\273\206\006\042\166\063\014\022\155\110\126\141\322\334\202
-\045\142\057\237\322\151\060\145\003\102\043\130\274\107\334\153
-\326\165\135\027\074\341\377\362\130\147\171\240\301\201\261\324
-\126\242\362\215\021\231\375\366\175\361\307\304\136\002\052\232
-\342\112\265\023\212\000\375\214\167\206\346\327\224\365\040\165
-\056\016\114\277\164\304\077\201\076\203\264\243\070\066\051\347
-\350\052\365\214\210\101\252\200\246\343\154\357\002\003\001\000
-\001\243\202\004\123\060\202\004\117\060\035\006\003\125\035\016
-\004\026\004\024\036\237\127\120\107\266\141\223\071\323\054\374
-\332\135\075\005\165\267\231\002\060\202\001\106\006\003\125\035
-\043\004\202\001\075\060\202\001\071\200\024\036\237\127\120\107
-\266\141\223\071\323\054\374\332\135\075\005\165\267\231\002\241
-\202\001\034\244\202\001\030\060\202\001\024\061\013\060\011\006
-\003\125\004\006\023\002\105\123\061\022\060\020\006\003\125\004
-\010\023\011\102\141\162\143\145\154\157\156\141\061\022\060\020
-\006\003\125\004\007\023\011\102\141\162\143\145\154\157\156\141
-\061\056\060\054\006\003\125\004\012\023\045\111\120\123\040\111
-\156\164\145\162\156\145\164\040\160\165\142\154\151\163\150\151
-\156\147\040\123\145\162\166\151\143\145\163\040\163\056\154\056
-\061\053\060\051\006\003\125\004\012\024\042\151\160\163\100\155
-\141\151\154\056\151\160\163\056\145\163\040\103\056\111\056\106
-\056\040\040\102\055\066\060\071\062\071\064\065\062\061\057\060
-\055\006\003\125\004\013\023\046\111\120\123\040\103\101\040\103
-\114\101\123\105\101\063\040\103\145\162\164\151\146\151\143\141
-\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061\057
-\060\055\006\003\125\004\003\023\046\111\120\123\040\103\101\040
-\103\114\101\123\105\101\063\040\103\145\162\164\151\146\151\143
-\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061
-\036\060\034\006\011\052\206\110\206\367\015\001\011\001\026\017
-\151\160\163\100\155\141\151\154\056\151\160\163\056\145\163\202
-\001\000\060\014\006\003\125\035\023\004\005\060\003\001\001\377
-\060\014\006\003\125\035\017\004\005\003\003\007\377\200\060\153
-\006\003\125\035\045\004\144\060\142\006\010\053\006\001\005\005
-\007\003\001\006\010\053\006\001\005\005\007\003\002\006\010\053
-\006\001\005\005\007\003\003\006\010\053\006\001\005\005\007\003
-\004\006\010\053\006\001\005\005\007\003\010\006\012\053\006\001
-\004\001\202\067\002\001\025\006\012\053\006\001\004\001\202\067
-\002\001\026\006\012\053\006\001\004\001\202\067\012\003\001\006
-\012\053\006\001\004\001\202\067\012\003\004\060\021\006\011\140
-\206\110\001\206\370\102\001\001\004\004\003\002\000\007\060\032
-\006\003\125\035\021\004\023\060\021\201\017\151\160\163\100\155
-\141\151\154\056\151\160\163\056\145\163\060\032\006\003\125\035
-\022\004\023\060\021\201\017\151\160\163\100\155\141\151\154\056
-\151\160\163\056\145\163\060\102\006\011\140\206\110\001\206\370
-\102\001\015\004\065\026\063\103\114\101\123\105\101\063\040\103
-\101\040\103\145\162\164\151\146\151\143\141\164\145\040\151\163
-\163\165\145\144\040\142\171\040\150\164\164\160\072\057\057\167
-\167\167\056\151\160\163\056\145\163\057\060\051\006\011\140\206
-\110\001\206\370\102\001\002\004\034\026\032\150\164\164\160\072
-\057\057\167\167\167\056\151\160\163\056\145\163\057\151\160\163
-\062\060\060\062\057\060\073\006\011\140\206\110\001\206\370\102
-\001\004\004\056\026\054\150\164\164\160\072\057\057\167\167\167
-\056\151\160\163\056\145\163\057\151\160\163\062\060\060\062\057
-\151\160\163\062\060\060\062\103\114\101\123\105\101\063\056\143
-\162\154\060\100\006\011\140\206\110\001\206\370\102\001\003\004
-\063\026\061\150\164\164\160\072\057\057\167\167\167\056\151\160
-\163\056\145\163\057\151\160\163\062\060\060\062\057\162\145\166
-\157\143\141\164\151\157\156\103\114\101\123\105\101\063\056\150
-\164\155\154\077\060\075\006\011\140\206\110\001\206\370\102\001
-\007\004\060\026\056\150\164\164\160\072\057\057\167\167\167\056
-\151\160\163\056\145\163\057\151\160\163\062\060\060\062\057\162
-\145\156\145\167\141\154\103\114\101\123\105\101\063\056\150\164
-\155\154\077\060\073\006\011\140\206\110\001\206\370\102\001\010
-\004\056\026\054\150\164\164\160\072\057\057\167\167\167\056\151
-\160\163\056\145\163\057\151\160\163\062\060\060\062\057\160\157
-\154\151\143\171\103\114\101\123\105\101\063\056\150\164\155\154
-\060\165\006\003\125\035\037\004\156\060\154\060\062\240\060\240
-\056\206\054\150\164\164\160\072\057\057\167\167\167\056\151\160
-\163\056\145\163\057\151\160\163\062\060\060\062\057\151\160\163
-\062\060\060\062\103\114\101\123\105\101\063\056\143\162\154\060
-\066\240\064\240\062\206\060\150\164\164\160\072\057\057\167\167
-\167\142\141\143\153\056\151\160\163\056\145\163\057\151\160\163
-\062\060\060\062\057\151\160\163\062\060\060\062\103\114\101\123
-\105\101\063\056\143\162\154\060\057\006\010\053\006\001\005\005
-\007\001\001\004\043\060\041\060\037\006\010\053\006\001\005\005
-\007\060\001\206\023\150\164\164\160\072\057\057\157\143\163\160
-\056\151\160\163\056\145\163\057\060\015\006\011\052\206\110\206
-\367\015\001\001\005\005\000\003\201\201\000\112\075\040\107\032
-\332\211\364\172\053\061\171\354\001\300\314\001\365\326\301\374
-\310\303\363\120\002\121\220\130\052\237\347\065\011\133\060\012
-\201\000\045\107\257\324\017\016\236\140\046\250\225\247\203\010
-\337\055\254\351\016\367\234\310\237\313\223\105\361\272\152\306
-\147\121\112\151\117\153\376\175\013\057\122\051\302\120\255\044
-\104\355\043\263\110\313\104\100\301\003\225\014\012\170\006\022
-\001\365\221\061\055\111\215\273\077\105\116\054\340\350\315\265
-\311\024\025\014\343\007\203\233\046\165\357
-END
-
-# Trust for Certificate "IPS CLASEA3 root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "IPS CLASEA3 root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\026\324\044\376\226\020\341\165\031\257\043\053\266\207\164\342
-\101\104\276\156
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\006\371\353\354\314\126\235\210\272\220\365\272\260\032\340\002
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\202\001\024\061\013\060\011\006\003\125\004\006\023\002\105
-\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143
-\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011
-\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125
-\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164
-\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166
-\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125
-\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163
-\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060
-\071\062\071\064\065\062\061\057\060\055\006\003\125\004\013\023
-\046\111\120\123\040\103\101\040\103\114\101\123\105\101\063\040
-\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165
-\164\150\157\162\151\164\171\061\057\060\055\006\003\125\004\003
-\023\046\111\120\123\040\103\101\040\103\114\101\123\105\101\063
-\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
-\165\164\150\157\162\151\164\171\061\036\060\034\006\011\052\206
-\110\206\367\015\001\011\001\026\017\151\160\163\100\155\141\151
-\154\056\151\160\163\056\145\163
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "IPS Servidores root"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "IPS Servidores root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\243\061\013\060\011\006\003\125\004\006\023\002\105\123
-\061\022\060\020\006\003\125\004\010\023\011\102\101\122\103\105
-\114\117\116\101\061\022\060\020\006\003\125\004\007\023\011\102
-\101\122\103\105\114\117\116\101\061\031\060\027\006\003\125\004
-\012\023\020\111\120\123\040\123\145\147\165\162\151\144\141\144
-\040\103\101\061\030\060\026\006\003\125\004\013\023\017\103\145
-\162\164\151\146\151\143\141\143\151\157\156\145\163\061\027\060
-\025\006\003\125\004\003\023\016\111\120\123\040\123\105\122\126
-\111\104\117\122\105\123\061\036\060\034\006\011\052\206\110\206
-\367\015\001\011\001\026\017\151\160\163\100\155\141\151\154\056
-\151\160\163\056\145\163
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\243\061\013\060\011\006\003\125\004\006\023\002\105\123
-\061\022\060\020\006\003\125\004\010\023\011\102\101\122\103\105
-\114\117\116\101\061\022\060\020\006\003\125\004\007\023\011\102
-\101\122\103\105\114\117\116\101\061\031\060\027\006\003\125\004
-\012\023\020\111\120\123\040\123\145\147\165\162\151\144\141\144
-\040\103\101\061\030\060\026\006\003\125\004\013\023\017\103\145
-\162\164\151\146\151\143\141\143\151\157\156\145\163\061\027\060
-\025\006\003\125\004\003\023\016\111\120\123\040\123\105\122\126
-\111\104\117\122\105\123\061\036\060\034\006\011\052\206\110\206
-\367\015\001\011\001\026\017\151\160\163\100\155\141\151\154\056
-\151\160\163\056\145\163
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\267\060\202\002\040\002\001\000\060\015\006\011\052
-\206\110\206\367\015\001\001\004\005\000\060\201\243\061\013\060
-\011\006\003\125\004\006\023\002\105\123\061\022\060\020\006\003
-\125\004\010\023\011\102\101\122\103\105\114\117\116\101\061\022
-\060\020\006\003\125\004\007\023\011\102\101\122\103\105\114\117
-\116\101\061\031\060\027\006\003\125\004\012\023\020\111\120\123
-\040\123\145\147\165\162\151\144\141\144\040\103\101\061\030\060
-\026\006\003\125\004\013\023\017\103\145\162\164\151\146\151\143
-\141\143\151\157\156\145\163\061\027\060\025\006\003\125\004\003
-\023\016\111\120\123\040\123\105\122\126\111\104\117\122\105\123
-\061\036\060\034\006\011\052\206\110\206\367\015\001\011\001\026
-\017\151\160\163\100\155\141\151\154\056\151\160\163\056\145\163
-\060\036\027\015\071\070\060\061\060\061\062\063\062\061\060\067
-\132\027\015\060\071\061\062\062\071\062\063\062\061\060\067\132
-\060\201\243\061\013\060\011\006\003\125\004\006\023\002\105\123
-\061\022\060\020\006\003\125\004\010\023\011\102\101\122\103\105
-\114\117\116\101\061\022\060\020\006\003\125\004\007\023\011\102
-\101\122\103\105\114\117\116\101\061\031\060\027\006\003\125\004
-\012\023\020\111\120\123\040\123\145\147\165\162\151\144\141\144
-\040\103\101\061\030\060\026\006\003\125\004\013\023\017\103\145
-\162\164\151\146\151\143\141\143\151\157\156\145\163\061\027\060
-\025\006\003\125\004\003\023\016\111\120\123\040\123\105\122\126
-\111\104\117\122\105\123\061\036\060\034\006\011\052\206\110\206
-\367\015\001\011\001\026\017\151\160\163\100\155\141\151\154\056
-\151\160\163\056\145\163\060\201\237\060\015\006\011\052\206\110
-\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002
-\201\201\000\254\117\122\164\237\071\352\216\334\045\304\274\230
-\135\230\144\044\011\074\041\263\314\031\265\216\224\216\207\321
-\370\067\076\241\310\055\130\244\200\065\133\241\165\154\035\105
-\014\037\141\143\152\136\157\233\012\114\301\310\270\141\043\065
-\201\377\376\254\170\160\055\150\341\072\007\230\225\002\124\335
-\315\043\267\200\123\327\310\067\105\162\006\044\022\272\023\141
-\041\212\156\165\050\340\305\017\064\375\066\330\105\177\341\270
-\066\357\263\341\306\040\216\350\264\070\274\341\076\366\021\336
-\214\235\001\002\003\001\000\001\060\015\006\011\052\206\110\206
-\367\015\001\001\004\005\000\003\201\201\000\054\363\303\171\130
-\044\336\306\073\321\340\102\151\270\356\144\263\075\142\001\271
-\263\204\337\043\175\335\230\317\020\251\376\000\330\042\226\005
-\023\007\124\127\305\247\336\313\331\270\210\102\366\231\333\024
-\167\037\266\376\045\075\341\242\076\003\251\201\322\055\154\107
-\365\226\106\214\042\253\310\314\015\016\227\136\213\101\264\073
-\304\012\006\100\035\335\106\364\001\335\272\202\056\074\075\170
-\160\236\174\030\320\253\370\270\167\007\106\161\361\312\013\143
-\134\152\371\162\224\325\001\117\240\333\102
-END
-
-# Trust for Certificate "IPS Servidores root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "IPS Servidores root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\044\272\155\154\212\133\130\067\244\215\265\372\351\031\352\147
-\134\224\322\027
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\173\265\010\231\232\214\030\277\205\047\175\016\256\332\262\253
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\243\061\013\060\011\006\003\125\004\006\023\002\105\123
-\061\022\060\020\006\003\125\004\010\023\011\102\101\122\103\105
-\114\117\116\101\061\022\060\020\006\003\125\004\007\023\011\102
-\101\122\103\105\114\117\116\101\061\031\060\027\006\003\125\004
-\012\023\020\111\120\123\040\123\145\147\165\162\151\144\141\144
-\040\103\101\061\030\060\026\006\003\125\004\013\023\017\103\145
-\162\164\151\146\151\143\141\143\151\157\156\145\163\061\027\060
-\025\006\003\125\004\003\023\016\111\120\123\040\123\105\122\126
-\111\104\117\122\105\123\061\036\060\034\006\011\052\206\110\206
-\367\015\001\011\001\026\017\151\160\163\100\155\141\151\154\056
-\151\160\163\056\145\163
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "IPS Timestamping root"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "IPS Timestamping root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\202\001\036\061\013\060\011\006\003\125\004\006\023\002\105
-\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143
-\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011
-\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125
-\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164
-\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166
-\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125
-\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163
-\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060
-\071\062\071\064\065\062\061\064\060\062\006\003\125\004\013\023
-\053\111\120\123\040\103\101\040\124\151\155\145\163\164\141\155
-\160\151\156\147\040\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\101\165\164\150\157\162\151\164\171\061\064\060\062
-\006\003\125\004\003\023\053\111\120\123\040\103\101\040\124\151
-\155\145\163\164\141\155\160\151\156\147\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\061\036\060\034\006\011\052\206\110\206\367\015\001\011
-\001\026\017\151\160\163\100\155\141\151\154\056\151\160\163\056
-\145\163
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\202\001\036\061\013\060\011\006\003\125\004\006\023\002\105
-\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143
-\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011
-\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125
-\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164
-\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166
-\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125
-\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163
-\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060
-\071\062\071\064\065\062\061\064\060\062\006\003\125\004\013\023
-\053\111\120\123\040\103\101\040\124\151\155\145\163\164\141\155
-\160\151\156\147\040\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\101\165\164\150\157\162\151\164\171\061\064\060\062
-\006\003\125\004\003\023\053\111\120\123\040\103\101\040\124\151
-\155\145\163\164\141\155\160\151\156\147\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\061\036\060\034\006\011\052\206\110\206\367\015\001\011
-\001\026\017\151\160\163\100\155\141\151\154\056\151\160\163\056
-\145\163
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\010\070\060\202\007\241\240\003\002\001\002\002\001\000
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\202\001\036\061\013\060\011\006\003\125\004\006\023\002\105\123
-\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143\145
-\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011\102
-\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125\004
-\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164\040
-\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166\151
-\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125\004
-\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163\056
-\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060\071
-\062\071\064\065\062\061\064\060\062\006\003\125\004\013\023\053
-\111\120\123\040\103\101\040\124\151\155\145\163\164\141\155\160
-\151\156\147\040\103\145\162\164\151\146\151\143\141\164\151\157
-\156\040\101\165\164\150\157\162\151\164\171\061\064\060\062\006
-\003\125\004\003\023\053\111\120\123\040\103\101\040\124\151\155
-\145\163\164\141\155\160\151\156\147\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171\061\036\060\034\006\011\052\206\110\206\367\015\001\011\001
-\026\017\151\160\163\100\155\141\151\154\056\151\160\163\056\145
-\163\060\036\027\015\060\061\061\062\062\071\060\061\061\060\061
-\070\132\027\015\062\065\061\062\062\067\060\061\061\060\061\070
-\132\060\202\001\036\061\013\060\011\006\003\125\004\006\023\002
-\105\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162
-\143\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023
-\011\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003
-\125\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145
-\164\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162
-\166\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003
-\125\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160
-\163\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066
-\060\071\062\071\064\065\062\061\064\060\062\006\003\125\004\013
-\023\053\111\120\123\040\103\101\040\124\151\155\145\163\164\141
-\155\160\151\156\147\040\103\145\162\164\151\146\151\143\141\164
-\151\157\156\040\101\165\164\150\157\162\151\164\171\061\064\060
-\062\006\003\125\004\003\023\053\111\120\123\040\103\101\040\124
-\151\155\145\163\164\141\155\160\151\156\147\040\103\145\162\164
-\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\061\036\060\034\006\011\052\206\110\206\367\015\001
-\011\001\026\017\151\160\163\100\155\141\151\154\056\151\160\163
-\056\145\163\060\201\237\060\015\006\011\052\206\110\206\367\015
-\001\001\001\005\000\003\201\215\000\060\201\211\002\201\201\000
-\274\270\356\126\245\232\214\346\066\311\302\142\240\146\201\215
-\032\325\172\322\163\237\016\204\144\272\225\264\220\247\170\257
-\312\376\124\141\133\316\262\040\127\001\256\104\222\103\020\070
-\021\367\150\374\027\100\245\150\047\062\073\304\247\346\102\161
-\305\231\357\166\377\053\225\044\365\111\222\030\150\312\000\265
-\244\132\057\156\313\326\033\054\015\124\147\153\172\051\241\130
-\253\242\132\000\326\133\273\030\302\337\366\036\023\126\166\233
-\245\150\342\230\316\306\003\212\064\333\114\203\101\246\251\243
-\002\003\001\000\001\243\202\004\200\060\202\004\174\060\035\006
-\003\125\035\016\004\026\004\024\213\320\020\120\011\201\362\235
-\011\325\016\140\170\003\042\242\077\310\312\146\060\202\001\120
-\006\003\125\035\043\004\202\001\107\060\202\001\103\200\024\213
-\320\020\120\011\201\362\235\011\325\016\140\170\003\042\242\077
-\310\312\146\241\202\001\046\244\202\001\042\060\202\001\036\061
-\013\060\011\006\003\125\004\006\023\002\105\123\061\022\060\020
-\006\003\125\004\010\023\011\102\141\162\143\145\154\157\156\141
-\061\022\060\020\006\003\125\004\007\023\011\102\141\162\143\145
-\154\157\156\141\061\056\060\054\006\003\125\004\012\023\045\111
-\120\123\040\111\156\164\145\162\156\145\164\040\160\165\142\154
-\151\163\150\151\156\147\040\123\145\162\166\151\143\145\163\040
-\163\056\154\056\061\053\060\051\006\003\125\004\012\024\042\151
-\160\163\100\155\141\151\154\056\151\160\163\056\145\163\040\103
-\056\111\056\106\056\040\040\102\055\066\060\071\062\071\064\065
-\062\061\064\060\062\006\003\125\004\013\023\053\111\120\123\040
-\103\101\040\124\151\155\145\163\164\141\155\160\151\156\147\040
-\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165
-\164\150\157\162\151\164\171\061\064\060\062\006\003\125\004\003
-\023\053\111\120\123\040\103\101\040\124\151\155\145\163\164\141
-\155\160\151\156\147\040\103\145\162\164\151\146\151\143\141\164
-\151\157\156\040\101\165\164\150\157\162\151\164\171\061\036\060
-\034\006\011\052\206\110\206\367\015\001\011\001\026\017\151\160
-\163\100\155\141\151\154\056\151\160\163\056\145\163\202\001\000
-\060\014\006\003\125\035\023\004\005\060\003\001\001\377\060\014
-\006\003\125\035\017\004\005\003\003\007\377\200\060\153\006\003
-\125\035\045\004\144\060\142\006\010\053\006\001\005\005\007\003
-\001\006\010\053\006\001\005\005\007\003\002\006\010\053\006\001
-\005\005\007\003\003\006\010\053\006\001\005\005\007\003\004\006
-\010\053\006\001\005\005\007\003\010\006\012\053\006\001\004\001
-\202\067\002\001\025\006\012\053\006\001\004\001\202\067\002\001
-\026\006\012\053\006\001\004\001\202\067\012\003\001\006\012\053
-\006\001\004\001\202\067\012\003\004\060\021\006\011\140\206\110
-\001\206\370\102\001\001\004\004\003\002\000\007\060\032\006\003
-\125\035\021\004\023\060\021\201\017\151\160\163\100\155\141\151
-\154\056\151\160\163\056\145\163\060\032\006\003\125\035\022\004
-\023\060\021\201\017\151\160\163\100\155\141\151\154\056\151\160
-\163\056\145\163\060\107\006\011\140\206\110\001\206\370\102\001
-\015\004\072\026\070\124\151\155\145\163\164\141\155\160\151\156
-\147\040\103\101\040\103\145\162\164\151\146\151\143\141\164\145
-\040\151\163\163\165\145\144\040\142\171\040\150\164\164\160\072
-\057\057\167\167\167\056\151\160\163\056\145\163\057\060\051\006
-\011\140\206\110\001\206\370\102\001\002\004\034\026\032\150\164
-\164\160\072\057\057\167\167\167\056\151\160\163\056\145\163\057
-\151\160\163\062\060\060\062\057\060\100\006\011\140\206\110\001
-\206\370\102\001\004\004\063\026\061\150\164\164\160\072\057\057
-\167\167\167\056\151\160\163\056\145\163\057\151\160\163\062\060
-\060\062\057\151\160\163\062\060\060\062\124\151\155\145\163\164
-\141\155\160\151\156\147\056\143\162\154\060\105\006\011\140\206
-\110\001\206\370\102\001\003\004\070\026\066\150\164\164\160\072
-\057\057\167\167\167\056\151\160\163\056\145\163\057\151\160\163
-\062\060\060\062\057\162\145\166\157\143\141\164\151\157\156\124
-\151\155\145\163\164\141\155\160\151\156\147\056\150\164\155\154
-\077\060\102\006\011\140\206\110\001\206\370\102\001\007\004\065
-\026\063\150\164\164\160\072\057\057\167\167\167\056\151\160\163
-\056\145\163\057\151\160\163\062\060\060\062\057\162\145\156\145
-\167\141\154\124\151\155\145\163\164\141\155\160\151\156\147\056
-\150\164\155\154\077\060\100\006\011\140\206\110\001\206\370\102
-\001\010\004\063\026\061\150\164\164\160\072\057\057\167\167\167
-\056\151\160\163\056\145\163\057\151\160\163\062\060\060\062\057
-\160\157\154\151\143\171\124\151\155\145\163\164\141\155\160\151
-\156\147\056\150\164\155\154\060\177\006\003\125\035\037\004\170
-\060\166\060\067\240\065\240\063\206\061\150\164\164\160\072\057
-\057\167\167\167\056\151\160\163\056\145\163\057\151\160\163\062
-\060\060\062\057\151\160\163\062\060\060\062\124\151\155\145\163
-\164\141\155\160\151\156\147\056\143\162\154\060\073\240\071\240
-\067\206\065\150\164\164\160\072\057\057\167\167\167\142\141\143
-\153\056\151\160\163\056\145\163\057\151\160\163\062\060\060\062
-\057\151\160\163\062\060\060\062\124\151\155\145\163\164\141\155
-\160\151\156\147\056\143\162\154\060\057\006\010\053\006\001\005
-\005\007\001\001\004\043\060\041\060\037\006\010\053\006\001\005
-\005\007\060\001\206\023\150\164\164\160\072\057\057\157\143\163
-\160\056\151\160\163\056\145\163\057\060\015\006\011\052\206\110
-\206\367\015\001\001\005\005\000\003\201\201\000\145\272\301\314
-\000\032\225\221\312\351\154\072\277\072\036\024\010\174\373\203
-\356\153\142\121\323\063\221\265\140\171\176\004\330\135\171\067
-\350\303\133\260\304\147\055\150\132\262\137\016\012\372\315\077
-\072\105\241\352\066\317\046\036\247\021\050\305\224\217\204\114
-\123\010\305\223\263\374\342\177\365\215\363\261\251\205\137\210
-\336\221\226\356\027\133\256\245\352\160\145\170\054\041\144\001
-\225\316\316\114\076\120\364\266\131\313\143\215\266\275\030\324
-\207\112\137\334\357\351\126\360\012\014\350\165
-END
-
-# Trust for Certificate "IPS Timestamping root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "IPS Timestamping root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\226\231\134\167\021\350\345\055\371\343\113\354\354\147\323\313
-\361\266\304\322
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\056\003\375\305\365\327\053\224\144\301\276\211\061\361\026\233
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\202\001\036\061\013\060\011\006\003\125\004\006\023\002\105
-\123\061\022\060\020\006\003\125\004\010\023\011\102\141\162\143
-\145\154\157\156\141\061\022\060\020\006\003\125\004\007\023\011
-\102\141\162\143\145\154\157\156\141\061\056\060\054\006\003\125
-\004\012\023\045\111\120\123\040\111\156\164\145\162\156\145\164
-\040\160\165\142\154\151\163\150\151\156\147\040\123\145\162\166
-\151\143\145\163\040\163\056\154\056\061\053\060\051\006\003\125
-\004\012\024\042\151\160\163\100\155\141\151\154\056\151\160\163
-\056\145\163\040\103\056\111\056\106\056\040\040\102\055\066\060
-\071\062\071\064\065\062\061\064\060\062\006\003\125\004\013\023
-\053\111\120\123\040\103\101\040\124\151\155\145\163\164\141\155
-\160\151\156\147\040\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\101\165\164\150\157\162\151\164\171\061\064\060\062
-\006\003\125\004\003\023\053\111\120\123\040\103\101\040\124\151
-\155\145\163\164\141\155\160\151\156\147\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\061\036\060\034\006\011\052\206\110\206\367\015\001\011
-\001\026\017\151\160\163\100\155\141\151\154\056\151\160\163\056
-\145\163
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "QuoVadis Root CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "QuoVadis Root CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\177\061\013\060\011\006\003\125\004\006\023\002\102\115\061
-\031\060\027\006\003\125\004\012\023\020\121\165\157\126\141\144
-\151\163\040\114\151\155\151\164\145\144\061\045\060\043\006\003
-\125\004\013\023\034\122\157\157\164\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171\061\056\060\054\006\003\125\004\003\023\045\121\165\157\126
-\141\144\151\163\040\122\157\157\164\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\177\061\013\060\011\006\003\125\004\006\023\002\102\115\061
-\031\060\027\006\003\125\004\012\023\020\121\165\157\126\141\144
-\151\163\040\114\151\155\151\164\145\144\061\045\060\043\006\003
-\125\004\013\023\034\122\157\157\164\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171\061\056\060\054\006\003\125\004\003\023\045\121\165\157\126
-\141\144\151\163\040\122\157\157\164\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\072\266\120\213
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\320\060\202\004\270\240\003\002\001\002\002\004\072
-\266\120\213\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\060\177\061\013\060\011\006\003\125\004\006\023\002\102
-\115\061\031\060\027\006\003\125\004\012\023\020\121\165\157\126
-\141\144\151\163\040\114\151\155\151\164\145\144\061\045\060\043
-\006\003\125\004\013\023\034\122\157\157\164\040\103\145\162\164
-\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\061\056\060\054\006\003\125\004\003\023\045\121\165
-\157\126\141\144\151\163\040\122\157\157\164\040\103\145\162\164
-\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\060\036\027\015\060\061\060\063\061\071\061\070\063
-\063\063\063\132\027\015\062\061\060\063\061\067\061\070\063\063
-\063\063\132\060\177\061\013\060\011\006\003\125\004\006\023\002
-\102\115\061\031\060\027\006\003\125\004\012\023\020\121\165\157
-\126\141\144\151\163\040\114\151\155\151\164\145\144\061\045\060
-\043\006\003\125\004\013\023\034\122\157\157\164\040\103\145\162
-\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157
-\162\151\164\171\061\056\060\054\006\003\125\004\003\023\045\121
-\165\157\126\141\144\151\163\040\122\157\157\164\040\103\145\162
-\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157
-\162\151\164\171\060\202\001\042\060\015\006\011\052\206\110\206
-\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012
-\002\202\001\001\000\277\141\265\225\123\272\127\374\372\362\147
-\013\072\032\337\021\200\144\225\264\321\274\315\172\317\366\051
-\226\056\044\124\100\044\070\367\032\205\334\130\114\313\244\047
-\102\227\320\237\203\212\303\344\006\003\133\000\245\121\036\160
-\004\164\342\301\324\072\253\327\255\073\007\030\005\216\375\203
-\254\352\146\331\030\033\150\212\365\127\032\230\272\365\355\166
-\075\174\331\336\224\152\073\113\027\301\325\217\275\145\070\072
-\225\320\075\125\066\116\337\171\127\061\052\036\330\131\145\111
-\130\040\230\176\253\137\176\237\351\326\115\354\203\164\251\307
-\154\330\356\051\112\205\052\006\024\371\124\346\323\332\145\007
-\213\143\067\022\327\320\354\303\173\040\101\104\243\355\313\240
-\027\341\161\145\316\035\146\061\367\166\001\031\310\175\003\130
-\266\225\111\035\246\022\046\350\306\014\166\340\343\146\313\352
-\135\246\046\356\345\314\137\275\147\247\001\047\016\242\312\124
-\305\261\172\225\035\161\036\112\051\212\003\334\152\105\301\244
-\031\136\157\066\315\303\242\260\267\376\134\070\342\122\274\370
-\104\103\346\220\273\002\003\001\000\001\243\202\002\122\060\202
-\002\116\060\075\006\010\053\006\001\005\005\007\001\001\004\061
-\060\057\060\055\006\010\053\006\001\005\005\007\060\001\206\041
-\150\164\164\160\163\072\057\057\157\143\163\160\056\161\165\157
-\166\141\144\151\163\157\146\146\163\150\157\162\145\056\143\157
-\155\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001
-\001\377\060\202\001\032\006\003\125\035\040\004\202\001\021\060
-\202\001\015\060\202\001\011\006\011\053\006\001\004\001\276\130
-\000\001\060\201\373\060\201\324\006\010\053\006\001\005\005\007
-\002\002\060\201\307\032\201\304\122\145\154\151\141\156\143\145
-\040\157\156\040\164\150\145\040\121\165\157\126\141\144\151\163
-\040\122\157\157\164\040\103\145\162\164\151\146\151\143\141\164
-\145\040\142\171\040\141\156\171\040\160\141\162\164\171\040\141
-\163\163\165\155\145\163\040\141\143\143\145\160\164\141\156\143
-\145\040\157\146\040\164\150\145\040\164\150\145\156\040\141\160
-\160\154\151\143\141\142\154\145\040\163\164\141\156\144\141\162
-\144\040\164\145\162\155\163\040\141\156\144\040\143\157\156\144
-\151\164\151\157\156\163\040\157\146\040\165\163\145\054\040\143
-\145\162\164\151\146\151\143\141\164\151\157\156\040\160\162\141
-\143\164\151\143\145\163\054\040\141\156\144\040\164\150\145\040
-\121\165\157\126\141\144\151\163\040\103\145\162\164\151\146\151
-\143\141\164\145\040\120\157\154\151\143\171\056\060\042\006\010
-\053\006\001\005\005\007\002\001\026\026\150\164\164\160\072\057
-\057\167\167\167\056\161\165\157\166\141\144\151\163\056\142\155
-\060\035\006\003\125\035\016\004\026\004\024\213\113\155\355\323
-\051\271\006\031\354\071\071\251\360\227\204\152\313\357\337\060
-\201\256\006\003\125\035\043\004\201\246\060\201\243\200\024\213
-\113\155\355\323\051\271\006\031\354\071\071\251\360\227\204\152
-\313\357\337\241\201\204\244\201\201\060\177\061\013\060\011\006
-\003\125\004\006\023\002\102\115\061\031\060\027\006\003\125\004
-\012\023\020\121\165\157\126\141\144\151\163\040\114\151\155\151
-\164\145\144\061\045\060\043\006\003\125\004\013\023\034\122\157
-\157\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156
-\040\101\165\164\150\157\162\151\164\171\061\056\060\054\006\003
-\125\004\003\023\045\121\165\157\126\141\144\151\163\040\122\157
-\157\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156
-\040\101\165\164\150\157\162\151\164\171\202\004\072\266\120\213
-\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001\006
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003
-\202\001\001\000\212\324\024\265\376\364\232\222\247\031\324\244
-\176\162\030\217\331\150\174\122\044\335\147\157\071\172\304\252
-\136\075\342\130\260\115\160\230\204\141\350\033\343\151\030\016
-\316\373\107\120\240\116\377\360\044\037\275\262\316\365\047\374
-\354\057\123\252\163\173\003\075\164\156\346\026\236\353\245\056
-\304\277\126\047\120\053\142\272\276\113\034\074\125\134\101\035
-\044\276\202\040\107\135\325\104\176\172\026\150\337\175\115\121
-\160\170\127\035\063\036\375\002\231\234\014\315\012\005\117\307
-\273\216\244\165\372\112\155\261\200\216\011\126\271\234\032\140
-\376\135\301\327\172\334\021\170\320\326\135\301\267\325\255\062
-\231\003\072\212\314\124\045\071\061\201\173\023\042\121\272\106
-\154\241\273\236\372\004\154\111\046\164\217\322\163\353\314\060
-\242\346\352\131\042\207\370\227\365\016\375\352\314\222\244\026
-\304\122\030\352\041\316\261\361\346\204\201\345\272\251\206\050
-\362\103\132\135\022\235\254\036\331\250\345\012\152\247\177\240
-\207\051\317\362\211\115\324\354\305\342\346\172\320\066\043\212
-\112\164\066\371
-END
-
-# Trust for Certificate "QuoVadis Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "QuoVadis Root CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\336\077\100\275\120\223\323\233\154\140\366\332\274\007\142\001
-\000\211\166\311
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\047\336\066\376\162\267\000\003\000\235\364\360\036\154\004\044
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\177\061\013\060\011\006\003\125\004\006\023\002\102\115\061
-\031\060\027\006\003\125\004\012\023\020\121\165\157\126\141\144
-\151\163\040\114\151\155\151\164\145\144\061\045\060\043\006\003
-\125\004\013\023\034\122\157\157\164\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171\061\056\060\054\006\003\125\004\003\023\045\121\165\157\126
-\141\144\151\163\040\122\157\157\164\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\072\266\120\213
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Security Communication Root CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Security Communication Root CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\120\061\013\060\011\006\003\125\004\006\023\002\112\120\061
-\030\060\026\006\003\125\004\012\023\017\123\105\103\117\115\040
-\124\162\165\163\164\056\156\145\164\061\047\060\045\006\003\125
-\004\013\023\036\123\145\143\165\162\151\164\171\040\103\157\155
-\155\165\156\151\143\141\164\151\157\156\040\122\157\157\164\103
-\101\061
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\120\061\013\060\011\006\003\125\004\006\023\002\112\120\061
-\030\060\026\006\003\125\004\012\023\017\123\105\103\117\115\040
-\124\162\165\163\164\056\156\145\164\061\047\060\045\006\003\125
-\004\013\023\036\123\145\143\165\162\151\164\171\040\103\157\155
-\155\165\156\151\143\141\164\151\157\156\040\122\157\157\164\103
-\101\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\132\060\202\002\102\240\003\002\001\002\002\001\000
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\120\061\013\060\011\006\003\125\004\006\023\002\112\120\061\030
-\060\026\006\003\125\004\012\023\017\123\105\103\117\115\040\124
-\162\165\163\164\056\156\145\164\061\047\060\045\006\003\125\004
-\013\023\036\123\145\143\165\162\151\164\171\040\103\157\155\155
-\165\156\151\143\141\164\151\157\156\040\122\157\157\164\103\101
-\061\060\036\027\015\060\063\060\071\063\060\060\064\062\060\064
-\071\132\027\015\062\063\060\071\063\060\060\064\062\060\064\071
-\132\060\120\061\013\060\011\006\003\125\004\006\023\002\112\120
-\061\030\060\026\006\003\125\004\012\023\017\123\105\103\117\115
-\040\124\162\165\163\164\056\156\145\164\061\047\060\045\006\003
-\125\004\013\023\036\123\145\143\165\162\151\164\171\040\103\157
-\155\155\165\156\151\143\141\164\151\157\156\040\122\157\157\164
-\103\101\061\060\202\001\042\060\015\006\011\052\206\110\206\367
-\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002
-\202\001\001\000\263\263\376\177\323\155\261\357\026\174\127\245
-\014\155\166\212\057\113\277\144\373\114\356\212\360\363\051\174
-\365\377\356\052\340\351\351\272\133\144\042\232\232\157\054\072
-\046\151\121\005\231\046\334\325\034\152\161\306\232\175\036\235
-\335\174\154\306\214\147\147\112\076\370\161\260\031\047\251\011
-\014\246\225\277\113\214\014\372\125\230\073\330\350\042\241\113
-\161\070\171\254\227\222\151\263\211\176\352\041\150\006\230\024
-\226\207\322\141\066\274\155\047\126\236\127\356\300\300\126\375
-\062\317\244\331\216\302\043\327\215\250\363\330\045\254\227\344
-\160\070\364\266\072\264\235\073\227\046\103\243\241\274\111\131
-\162\114\043\060\207\001\130\366\116\276\034\150\126\146\257\315
-\101\135\310\263\115\052\125\106\253\037\332\036\342\100\075\333
-\315\175\271\222\200\234\067\335\014\226\144\235\334\042\367\144
-\213\337\141\336\025\224\122\025\240\175\122\311\113\250\041\311
-\306\261\355\313\303\225\140\321\017\360\253\160\370\337\313\115
-\176\354\326\372\253\331\275\177\124\362\245\351\171\372\331\326
-\166\044\050\163\002\003\001\000\001\243\077\060\075\060\035\006
-\003\125\035\016\004\026\004\024\240\163\111\231\150\334\205\133
-\145\343\233\050\057\127\237\275\063\274\007\110\060\013\006\003
-\125\035\017\004\004\003\002\001\006\060\017\006\003\125\035\023
-\001\001\377\004\005\060\003\001\001\377\060\015\006\011\052\206
-\110\206\367\015\001\001\005\005\000\003\202\001\001\000\150\100
-\251\250\273\344\117\135\171\263\005\265\027\263\140\023\353\306
-\222\135\340\321\323\152\376\373\276\233\155\277\307\005\155\131
-\040\304\034\360\267\332\204\130\002\143\372\110\026\357\117\245
-\013\367\112\230\362\077\236\033\255\107\153\143\316\010\107\353
-\122\077\170\234\257\115\256\370\325\117\317\232\230\052\020\101
-\071\122\304\335\331\233\016\357\223\001\256\262\056\312\150\102
-\044\102\154\260\263\072\076\315\351\332\110\304\025\313\351\371
-\007\017\222\120\111\212\335\061\227\137\311\351\067\252\073\131
-\145\227\224\062\311\263\237\076\072\142\130\305\111\255\142\016
-\161\245\062\252\057\306\211\166\103\100\023\023\147\075\242\124
-\045\020\313\361\072\362\331\372\333\111\126\273\246\376\247\101
-\065\303\340\210\141\311\210\307\337\066\020\042\230\131\352\260
-\112\373\126\026\163\156\254\115\367\042\241\117\255\035\172\055
-\105\047\345\060\301\136\362\332\023\313\045\102\121\225\107\003
-\214\154\041\314\164\102\355\123\377\063\213\217\017\127\001\026
-\057\317\246\356\311\160\042\024\275\375\276\154\013\003
-END
-
-# Trust for Certificate "Security Communication Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Security Communication Root CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\066\261\053\111\371\201\236\327\114\236\274\070\017\306\126\217
-\135\254\262\367
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\361\274\143\152\124\340\265\047\365\315\347\032\343\115\156\112
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\120\061\013\060\011\006\003\125\004\006\023\002\112\120\061
-\030\060\026\006\003\125\004\012\023\017\123\105\103\117\115\040
-\124\162\165\163\164\056\156\145\164\061\047\060\045\006\003\125
-\004\013\023\036\123\145\143\165\162\151\164\171\040\103\157\155
-\155\165\156\151\143\141\164\151\157\156\040\122\157\157\164\103
-\101\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Sonera Class 1 Root CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Sonera Class 1 Root CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\071\061\013\060\011\006\003\125\004\006\023\002\106\111\061
-\017\060\015\006\003\125\004\012\023\006\123\157\156\145\162\141
-\061\031\060\027\006\003\125\004\003\023\020\123\157\156\145\162
-\141\040\103\154\141\163\163\061\040\103\101
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\071\061\013\060\011\006\003\125\004\006\023\002\106\111\061
-\017\060\015\006\003\125\004\012\023\006\123\157\156\145\162\141
-\061\031\060\027\006\003\125\004\003\023\020\123\157\156\145\162
-\141\040\103\154\141\163\163\061\040\103\101
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\044
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\040\060\202\002\010\240\003\002\001\002\002\001\044
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\071\061\013\060\011\006\003\125\004\006\023\002\106\111\061\017
-\060\015\006\003\125\004\012\023\006\123\157\156\145\162\141\061
-\031\060\027\006\003\125\004\003\023\020\123\157\156\145\162\141
-\040\103\154\141\163\163\061\040\103\101\060\036\027\015\060\061
-\060\064\060\066\061\060\064\071\061\063\132\027\015\062\061\060
-\064\060\066\061\060\064\071\061\063\132\060\071\061\013\060\011
-\006\003\125\004\006\023\002\106\111\061\017\060\015\006\003\125
-\004\012\023\006\123\157\156\145\162\141\061\031\060\027\006\003
-\125\004\003\023\020\123\157\156\145\162\141\040\103\154\141\163
-\163\061\040\103\101\060\202\001\042\060\015\006\011\052\206\110
-\206\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001
-\012\002\202\001\001\000\265\211\037\053\117\147\012\171\377\305
-\036\370\177\074\355\321\176\332\260\315\155\057\066\254\064\306
-\333\331\144\027\010\143\060\063\042\212\114\356\216\273\017\015
-\102\125\311\235\056\245\357\367\247\214\303\253\271\227\313\216
-\357\077\025\147\250\202\162\143\123\017\101\214\175\020\225\044
-\241\132\245\006\372\222\127\235\372\245\001\362\165\351\037\274
-\126\046\122\116\170\031\145\130\125\003\130\300\024\256\214\174
-\125\137\160\133\167\043\006\066\227\363\044\265\232\106\225\344
-\337\015\013\005\105\345\321\362\035\202\273\306\023\340\376\252
-\172\375\151\060\224\363\322\105\205\374\362\062\133\062\336\350
-\154\135\037\313\244\042\164\260\200\216\135\224\367\006\000\113
-\251\324\136\056\065\120\011\363\200\227\364\014\027\256\071\330
-\137\315\063\301\034\312\211\302\042\367\105\022\355\136\022\223
-\235\143\253\202\056\271\353\102\101\104\313\112\032\000\202\015
-\236\371\213\127\076\114\307\027\355\054\213\162\063\137\162\172
-\070\126\325\346\331\256\005\032\035\165\105\261\313\245\045\034
-\022\127\066\375\042\067\002\003\001\000\001\243\063\060\061\060
-\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377
-\060\021\006\003\125\035\016\004\012\004\010\107\342\014\213\366
-\123\210\122\060\013\006\003\125\035\017\004\004\003\002\001\006
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003
-\202\001\001\000\213\032\262\311\135\141\264\341\271\053\271\123
-\321\262\205\235\167\216\026\356\021\075\333\302\143\331\133\227
-\145\373\022\147\330\052\134\266\253\345\136\303\267\026\057\310
-\350\253\035\212\375\253\032\174\325\137\143\317\334\260\335\167
-\271\250\346\322\042\070\207\007\024\331\377\276\126\265\375\007
-\016\074\125\312\026\314\247\246\167\067\373\333\134\037\116\131
-\006\207\243\003\103\365\026\253\267\204\275\116\357\237\061\067
-\360\106\361\100\266\321\014\245\144\370\143\136\041\333\125\116
-\117\061\166\234\020\141\216\266\123\072\243\021\276\257\155\174
-\036\275\256\055\342\014\151\307\205\123\150\242\141\272\305\076
-\264\171\124\170\236\012\307\002\276\142\321\021\202\113\145\057
-\221\132\302\250\207\261\126\150\224\171\371\045\367\301\325\256
-\032\270\273\075\217\251\212\070\025\367\163\320\132\140\321\200
-\260\360\334\325\120\315\116\356\222\110\151\355\262\043\036\060
-\314\310\224\310\266\365\073\206\177\077\246\056\237\366\076\054
-\265\222\226\076\337\054\223\212\377\201\214\017\017\131\041\031
-\127\275\125\232
-END
-
-# Trust for Certificate "Sonera Class 1 Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Sonera Class 1 Root CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\007\107\042\001\231\316\164\271\174\260\075\171\262\144\242\310
-\125\351\063\377
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\063\267\204\365\137\047\327\150\047\336\024\336\022\052\355\157
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\071\061\013\060\011\006\003\125\004\006\023\002\106\111\061
-\017\060\015\006\003\125\004\012\023\006\123\157\156\145\162\141
-\061\031\060\027\006\003\125\004\003\023\020\123\157\156\145\162
-\141\040\103\154\141\163\163\061\040\103\101
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\044
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Sonera Class 2 Root CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Sonera Class 2 Root CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\071\061\013\060\011\006\003\125\004\006\023\002\106\111\061
-\017\060\015\006\003\125\004\012\023\006\123\157\156\145\162\141
-\061\031\060\027\006\003\125\004\003\023\020\123\157\156\145\162
-\141\040\103\154\141\163\163\062\040\103\101
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\071\061\013\060\011\006\003\125\004\006\023\002\106\111\061
-\017\060\015\006\003\125\004\012\023\006\123\157\156\145\162\141
-\061\031\060\027\006\003\125\004\003\023\020\123\157\156\145\162
-\141\040\103\154\141\163\163\062\040\103\101
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\035
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\040\060\202\002\010\240\003\002\001\002\002\001\035
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\071\061\013\060\011\006\003\125\004\006\023\002\106\111\061\017
-\060\015\006\003\125\004\012\023\006\123\157\156\145\162\141\061
-\031\060\027\006\003\125\004\003\023\020\123\157\156\145\162\141
-\040\103\154\141\163\163\062\040\103\101\060\036\027\015\060\061
-\060\064\060\066\060\067\062\071\064\060\132\027\015\062\061\060
-\064\060\066\060\067\062\071\064\060\132\060\071\061\013\060\011
-\006\003\125\004\006\023\002\106\111\061\017\060\015\006\003\125
-\004\012\023\006\123\157\156\145\162\141\061\031\060\027\006\003
-\125\004\003\023\020\123\157\156\145\162\141\040\103\154\141\163
-\163\062\040\103\101\060\202\001\042\060\015\006\011\052\206\110
-\206\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001
-\012\002\202\001\001\000\220\027\112\065\235\312\360\015\226\307
-\104\372\026\067\374\110\275\275\177\200\055\065\073\341\157\250
-\147\251\277\003\034\115\214\157\062\107\325\101\150\244\023\004
-\301\065\014\232\204\103\374\134\035\377\211\263\350\027\030\315
-\221\137\373\211\343\352\277\116\135\174\033\046\323\165\171\355
-\346\204\343\127\345\255\051\304\364\072\050\347\245\173\204\066
-\151\263\375\136\166\275\243\055\231\323\220\116\043\050\175\030
-\143\361\124\073\046\235\166\133\227\102\262\377\256\360\116\354
-\335\071\225\116\203\006\177\347\111\100\310\305\001\262\124\132
-\146\035\075\374\371\351\074\012\236\201\270\160\360\001\213\344
-\043\124\174\310\256\370\220\036\000\226\162\324\124\317\141\043
-\274\352\373\235\002\225\321\266\271\161\072\151\010\077\017\264
-\341\102\307\210\365\077\230\250\247\272\034\340\161\161\357\130
-\127\201\120\172\134\153\164\106\016\203\003\230\303\216\250\156
-\362\166\062\156\047\203\302\163\363\334\030\350\264\223\352\165
-\104\153\004\140\040\161\127\207\235\363\276\240\220\043\075\212
-\044\341\332\041\333\303\002\003\001\000\001\243\063\060\061\060
-\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377
-\060\021\006\003\125\035\016\004\012\004\010\112\240\252\130\204
-\323\136\074\060\013\006\003\125\035\017\004\004\003\002\001\006
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003
-\202\001\001\000\132\316\207\371\026\162\025\127\113\035\331\233
-\347\242\046\060\354\223\147\337\326\055\322\064\257\367\070\245
-\316\253\026\271\253\057\174\065\313\254\320\017\264\114\053\374
-\200\357\153\214\221\137\066\166\367\333\263\033\031\352\364\262
-\021\375\141\161\104\277\050\263\072\035\277\263\103\350\237\277
-\334\061\010\161\260\235\215\326\064\107\062\220\306\145\044\367
-\240\112\174\004\163\217\071\157\027\214\162\265\275\113\310\172
-\370\173\203\303\050\116\234\011\352\147\077\262\147\004\033\303
-\024\332\370\347\111\044\221\320\035\152\372\141\071\357\153\347
-\041\165\006\007\330\022\264\041\040\160\102\161\201\332\074\232
-\066\276\246\133\015\152\154\232\037\221\173\371\371\357\102\272
-\116\116\236\314\014\215\224\334\331\105\234\136\354\102\120\143
-\256\364\135\304\261\022\334\312\073\250\056\235\024\132\005\165
-\267\354\327\143\342\272\065\266\004\010\221\350\332\235\234\366
-\146\265\030\254\012\246\124\046\064\063\322\033\301\324\177\032
-\072\216\013\252\062\156\333\374\117\045\237\331\062\307\226\132
-\160\254\337\114
-END
-
-# Trust for Certificate "Sonera Class 2 Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Sonera Class 2 Root CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\067\367\155\346\007\174\220\305\261\076\223\032\267\101\020\264
-\362\344\232\047
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\243\354\165\017\056\210\337\372\110\001\116\013\134\110\157\373
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\071\061\013\060\011\006\003\125\004\006\023\002\106\111\061
-\017\060\015\006\003\125\004\012\023\006\123\157\156\145\162\141
-\061\031\060\027\006\003\125\004\003\023\020\123\157\156\145\162
-\141\040\103\154\141\163\163\062\040\103\101
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\035
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Staat der Nederlanden Root CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Staat der Nederlanden Root CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\125\061\013\060\011\006\003\125\004\006\023\002\116\114\061
-\036\060\034\006\003\125\004\012\023\025\123\164\141\141\164\040
-\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\061
-\046\060\044\006\003\125\004\003\023\035\123\164\141\141\164\040
-\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\040
-\122\157\157\164\040\103\101
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\125\061\013\060\011\006\003\125\004\006\023\002\116\114\061
-\036\060\034\006\003\125\004\012\023\025\123\164\141\141\164\040
-\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\061
-\046\060\044\006\003\125\004\003\023\035\123\164\141\141\164\040
-\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\040
-\122\157\157\164\040\103\101
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\000\230\226\212
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\272\060\202\002\242\240\003\002\001\002\002\004\000
-\230\226\212\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\060\125\061\013\060\011\006\003\125\004\006\023\002\116
-\114\061\036\060\034\006\003\125\004\012\023\025\123\164\141\141
-\164\040\144\145\162\040\116\145\144\145\162\154\141\156\144\145
-\156\061\046\060\044\006\003\125\004\003\023\035\123\164\141\141
-\164\040\144\145\162\040\116\145\144\145\162\154\141\156\144\145
-\156\040\122\157\157\164\040\103\101\060\036\027\015\060\062\061
-\062\061\067\060\071\062\063\064\071\132\027\015\061\065\061\062
-\061\066\060\071\061\065\063\070\132\060\125\061\013\060\011\006
-\003\125\004\006\023\002\116\114\061\036\060\034\006\003\125\004
-\012\023\025\123\164\141\141\164\040\144\145\162\040\116\145\144
-\145\162\154\141\156\144\145\156\061\046\060\044\006\003\125\004
-\003\023\035\123\164\141\141\164\040\144\145\162\040\116\145\144
-\145\162\154\141\156\144\145\156\040\122\157\157\164\040\103\101
-\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001
-\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001
-\000\230\322\265\121\021\172\201\246\024\230\161\155\276\314\347
-\023\033\326\047\016\172\263\152\030\034\266\141\132\325\141\011
-\277\336\220\023\307\147\356\335\363\332\305\014\022\236\065\125
-\076\054\047\210\100\153\367\334\335\042\141\365\302\307\016\365
-\366\325\166\123\115\217\214\274\030\166\067\205\235\350\312\111
-\307\322\117\230\023\011\242\076\042\210\234\177\326\362\020\145
-\264\356\137\030\325\027\343\370\305\375\342\235\242\357\123\016
-\205\167\242\017\341\060\107\356\000\347\063\175\104\147\032\013
-\121\350\213\240\236\120\230\150\064\122\037\056\155\001\362\140
-\105\362\061\353\251\061\150\051\273\172\101\236\306\031\177\224
-\264\121\071\003\177\262\336\247\062\233\264\107\216\157\264\112
-\256\345\257\261\334\260\033\141\274\231\162\336\344\211\267\172
-\046\135\332\063\111\133\122\234\016\365\212\255\303\270\075\350
-\006\152\302\325\052\013\154\173\204\275\126\005\313\206\145\222
-\354\104\053\260\216\271\334\160\013\106\332\255\274\143\210\071
-\372\333\152\376\043\372\274\344\110\364\147\053\152\021\020\041
-\111\002\003\001\000\001\243\201\221\060\201\216\060\014\006\003
-\125\035\023\004\005\060\003\001\001\377\060\117\006\003\125\035
-\040\004\110\060\106\060\104\006\004\125\035\040\000\060\074\060
-\072\006\010\053\006\001\005\005\007\002\001\026\056\150\164\164
-\160\072\057\057\167\167\167\056\160\153\151\157\166\145\162\150
-\145\151\144\056\156\154\057\160\157\154\151\143\151\145\163\057
-\162\157\157\164\055\160\157\154\151\143\171\060\016\006\003\125
-\035\017\001\001\377\004\004\003\002\001\006\060\035\006\003\125
-\035\016\004\026\004\024\250\175\353\274\143\244\164\023\164\000
-\354\226\340\323\064\301\054\277\154\370\060\015\006\011\052\206
-\110\206\367\015\001\001\005\005\000\003\202\001\001\000\005\204
-\207\125\164\066\141\301\273\321\324\306\025\250\023\264\237\244
-\376\273\356\025\264\057\006\014\051\362\250\222\244\141\015\374
-\253\134\010\133\121\023\053\115\302\052\141\310\370\011\130\374
-\055\002\262\071\175\231\146\201\277\156\134\225\105\040\154\346
-\171\247\321\330\034\051\374\302\040\047\121\310\361\174\135\064
-\147\151\205\021\060\306\000\322\327\363\323\174\266\360\061\127
-\050\022\202\163\351\063\057\246\125\264\013\221\224\107\234\372
-\273\172\102\062\350\256\176\055\310\274\254\024\277\331\017\331
-\133\374\301\371\172\225\341\175\176\226\374\161\260\302\114\310
-\337\105\064\311\316\015\362\234\144\010\320\073\303\051\305\262
-\355\220\004\301\261\051\221\305\060\157\301\251\162\063\314\376
-\135\026\027\054\021\151\347\176\376\305\203\010\337\274\334\042
-\072\056\040\151\043\071\126\140\147\220\213\056\166\071\373\021
-\210\227\366\174\275\113\270\040\026\147\005\215\342\073\301\162
-\077\224\225\067\307\135\271\236\330\223\241\027\217\377\014\146
-\025\301\044\174\062\174\003\035\073\241\130\105\062\223
-END
-
-# Trust for Certificate "Staat der Nederlanden Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Staat der Nederlanden Root CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\020\035\372\077\325\013\313\273\233\265\140\014\031\125\244\032
-\364\163\072\004
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\140\204\174\132\316\333\014\324\313\247\351\376\002\306\251\300
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\125\061\013\060\011\006\003\125\004\006\023\002\116\114\061
-\036\060\034\006\003\125\004\012\023\025\123\164\141\141\164\040
-\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\061
-\046\060\044\006\003\125\004\003\023\035\123\164\141\141\164\040
-\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\040
-\122\157\157\164\040\103\101
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\000\230\226\212
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "TDC Internet Root CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "TDC Internet Root CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\103\061\013\060\011\006\003\125\004\006\023\002\104\113\061
-\025\060\023\006\003\125\004\012\023\014\124\104\103\040\111\156
-\164\145\162\156\145\164\061\035\060\033\006\003\125\004\013\023
-\024\124\104\103\040\111\156\164\145\162\156\145\164\040\122\157
-\157\164\040\103\101
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\103\061\013\060\011\006\003\125\004\006\023\002\104\113\061
-\025\060\023\006\003\125\004\012\023\014\124\104\103\040\111\156
-\164\145\162\156\145\164\061\035\060\033\006\003\125\004\013\023
-\024\124\104\103\040\111\156\164\145\162\156\145\164\040\122\157
-\157\164\040\103\101
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\072\314\245\114
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\053\060\202\003\023\240\003\002\001\002\002\004\072
-\314\245\114\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\060\103\061\013\060\011\006\003\125\004\006\023\002\104
-\113\061\025\060\023\006\003\125\004\012\023\014\124\104\103\040
-\111\156\164\145\162\156\145\164\061\035\060\033\006\003\125\004
-\013\023\024\124\104\103\040\111\156\164\145\162\156\145\164\040
-\122\157\157\164\040\103\101\060\036\027\015\060\061\060\064\060
-\065\061\066\063\063\061\067\132\027\015\062\061\060\064\060\065
-\061\067\060\063\061\067\132\060\103\061\013\060\011\006\003\125
-\004\006\023\002\104\113\061\025\060\023\006\003\125\004\012\023
-\014\124\104\103\040\111\156\164\145\162\156\145\164\061\035\060
-\033\006\003\125\004\013\023\024\124\104\103\040\111\156\164\145
-\162\156\145\164\040\122\157\157\164\040\103\101\060\202\001\042
-\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
-\202\001\017\000\060\202\001\012\002\202\001\001\000\304\270\100
-\274\221\325\143\037\327\231\240\213\014\100\036\164\267\110\235
-\106\214\002\262\340\044\137\360\031\023\247\067\203\153\135\307
-\216\371\204\060\316\032\073\372\373\316\213\155\043\306\303\156
-\146\237\211\245\337\340\102\120\147\372\037\154\036\364\320\005
-\326\277\312\326\116\344\150\140\154\106\252\034\135\143\341\007
-\206\016\145\000\247\056\246\161\306\274\271\201\250\072\175\032
-\322\371\321\254\113\313\316\165\257\334\173\372\201\163\324\374
-\272\275\101\210\324\164\263\371\136\070\072\074\103\250\322\225
-\116\167\155\023\014\235\217\170\001\267\132\040\037\003\067\065
-\342\054\333\113\053\054\170\271\111\333\304\320\307\234\234\344
-\212\040\011\041\026\126\146\377\005\354\133\343\360\317\253\044
-\044\136\303\177\160\172\022\304\322\265\020\240\266\041\341\215
-\170\151\125\104\151\365\312\226\034\064\205\027\045\167\342\366
-\057\047\230\170\375\171\006\072\242\326\132\103\301\377\354\004
-\073\356\023\357\323\130\132\377\222\353\354\256\332\362\067\003
-\107\101\266\227\311\055\012\101\042\273\273\346\247\002\003\001
-\000\001\243\202\001\045\060\202\001\041\060\021\006\011\140\206
-\110\001\206\370\102\001\001\004\004\003\002\000\007\060\145\006
-\003\125\035\037\004\136\060\134\060\132\240\130\240\126\244\124
-\060\122\061\013\060\011\006\003\125\004\006\023\002\104\113\061
-\025\060\023\006\003\125\004\012\023\014\124\104\103\040\111\156
-\164\145\162\156\145\164\061\035\060\033\006\003\125\004\013\023
-\024\124\104\103\040\111\156\164\145\162\156\145\164\040\122\157
-\157\164\040\103\101\061\015\060\013\006\003\125\004\003\023\004
-\103\122\114\061\060\053\006\003\125\035\020\004\044\060\042\200
-\017\062\060\060\061\060\064\060\065\061\066\063\063\061\067\132
-\201\017\062\060\062\061\060\064\060\065\061\067\060\063\061\067
-\132\060\013\006\003\125\035\017\004\004\003\002\001\006\060\037
-\006\003\125\035\043\004\030\060\026\200\024\154\144\001\307\375
-\205\155\254\310\332\236\120\010\205\010\265\074\126\250\120\060
-\035\006\003\125\035\016\004\026\004\024\154\144\001\307\375\205
-\155\254\310\332\236\120\010\205\010\265\074\126\250\120\060\014
-\006\003\125\035\023\004\005\060\003\001\001\377\060\035\006\011
-\052\206\110\206\366\175\007\101\000\004\020\060\016\033\010\126
-\065\056\060\072\064\056\060\003\002\004\220\060\015\006\011\052
-\206\110\206\367\015\001\001\005\005\000\003\202\001\001\000\116
-\103\314\321\335\035\020\033\006\177\267\244\372\323\331\115\373
-\043\237\043\124\133\346\213\057\004\050\213\265\047\155\211\241
-\354\230\151\334\347\215\046\203\005\171\164\354\264\271\243\227
-\301\065\000\375\025\332\071\201\072\225\061\220\336\227\351\206
-\250\231\167\014\345\132\240\204\377\022\026\254\156\270\215\303
-\173\222\302\254\056\320\175\050\354\266\363\140\070\151\157\076
-\330\004\125\076\236\314\125\322\272\376\273\107\004\327\012\331
-\026\012\064\051\365\130\023\325\117\317\217\126\113\263\036\356
-\323\230\171\332\010\036\014\157\270\370\026\047\357\302\157\075
-\366\243\113\076\016\344\155\154\333\073\101\022\233\275\015\107
-\043\177\074\112\320\257\300\257\366\357\033\265\025\304\353\203
-\304\011\137\164\213\331\021\373\302\126\261\074\370\160\312\064
-\215\103\100\023\214\375\231\003\124\171\306\056\352\206\241\366
-\072\324\011\274\364\274\146\314\075\130\320\127\111\012\356\045
-\342\101\356\023\371\233\070\064\321\000\365\176\347\224\035\374
-\151\003\142\270\231\005\005\075\153\170\022\275\260\157\145
-END
-
-# Trust for Certificate "TDC Internet Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "TDC Internet Root CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\041\374\275\216\177\154\257\005\033\321\263\103\354\250\347\141
-\107\362\017\212
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\221\364\003\125\040\241\370\143\054\142\336\254\373\141\034\216
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\103\061\013\060\011\006\003\125\004\006\023\002\104\113\061
-\025\060\023\006\003\125\004\012\023\014\124\104\103\040\111\156
-\164\145\162\156\145\164\061\035\060\033\006\003\125\004\013\023
-\024\124\104\103\040\111\156\164\145\162\156\145\164\040\122\157
-\157\164\040\103\101
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\072\314\245\114
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "TDC OCES Root CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "TDC OCES Root CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\061\061\013\060\011\006\003\125\004\006\023\002\104\113\061
-\014\060\012\006\003\125\004\012\023\003\124\104\103\061\024\060
-\022\006\003\125\004\003\023\013\124\104\103\040\117\103\105\123
-\040\103\101
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\061\061\013\060\011\006\003\125\004\006\023\002\104\113\061
-\014\060\012\006\003\125\004\012\023\003\124\104\103\061\024\060
-\022\006\003\125\004\003\023\013\124\104\103\040\117\103\105\123
-\040\103\101
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\076\110\275\304
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\031\060\202\004\001\240\003\002\001\002\002\004\076
-\110\275\304\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\060\061\061\013\060\011\006\003\125\004\006\023\002\104
-\113\061\014\060\012\006\003\125\004\012\023\003\124\104\103\061
-\024\060\022\006\003\125\004\003\023\013\124\104\103\040\117\103
-\105\123\040\103\101\060\036\027\015\060\063\060\062\061\061\060
-\070\063\071\063\060\132\027\015\063\067\060\062\061\061\060\071
-\060\071\063\060\132\060\061\061\013\060\011\006\003\125\004\006
-\023\002\104\113\061\014\060\012\006\003\125\004\012\023\003\124
-\104\103\061\024\060\022\006\003\125\004\003\023\013\124\104\103
-\040\117\103\105\123\040\103\101\060\202\001\042\060\015\006\011
-\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000
-\060\202\001\012\002\202\001\001\000\254\142\366\141\040\262\317
-\300\306\205\327\343\171\346\314\355\362\071\222\244\227\056\144
-\243\204\133\207\234\114\375\244\363\304\137\041\275\126\020\353
-\333\056\141\354\223\151\343\243\314\275\231\303\005\374\006\270
-\312\066\034\376\220\216\111\114\304\126\232\057\126\274\317\173
-\014\361\157\107\246\015\103\115\342\351\035\071\064\315\215\054
-\331\022\230\371\343\341\301\112\174\206\070\304\251\304\141\210
-\322\136\257\032\046\115\325\344\240\042\107\204\331\144\267\031
-\226\374\354\031\344\262\227\046\116\112\114\313\217\044\213\124
-\030\034\110\141\173\325\210\150\332\135\265\352\315\032\060\301
-\200\203\166\120\252\117\321\324\335\070\360\357\026\364\341\014
-\120\006\277\352\373\172\111\241\050\053\034\366\374\025\062\243
-\164\152\217\251\303\142\051\161\061\345\073\244\140\027\136\164
-\346\332\023\355\351\037\037\033\321\262\150\163\306\020\064\165
-\106\020\020\343\220\000\166\100\313\213\267\103\011\041\377\253
-\116\223\306\130\351\245\202\333\167\304\072\231\261\162\225\111
-\004\360\267\053\372\173\131\216\335\002\003\001\000\001\243\202
-\002\067\060\202\002\063\060\017\006\003\125\035\023\001\001\377
-\004\005\060\003\001\001\377\060\016\006\003\125\035\017\001\001
-\377\004\004\003\002\001\006\060\201\354\006\003\125\035\040\004
-\201\344\060\201\341\060\201\336\006\010\052\201\120\201\051\001
-\001\001\060\201\321\060\057\006\010\053\006\001\005\005\007\002
-\001\026\043\150\164\164\160\072\057\057\167\167\167\056\143\145
-\162\164\151\146\151\153\141\164\056\144\153\057\162\145\160\157
-\163\151\164\157\162\171\060\201\235\006\010\053\006\001\005\005
-\007\002\002\060\201\220\060\012\026\003\124\104\103\060\003\002
-\001\001\032\201\201\103\145\162\164\151\146\151\153\141\164\145
-\162\040\146\162\141\040\144\145\156\156\145\040\103\101\040\165
-\144\163\164\145\144\145\163\040\165\156\144\145\162\040\117\111
-\104\040\061\056\062\056\062\060\070\056\061\066\071\056\061\056
-\061\056\061\056\040\103\145\162\164\151\146\151\143\141\164\145
-\163\040\146\162\157\155\040\164\150\151\163\040\103\101\040\141
-\162\145\040\151\163\163\165\145\144\040\165\156\144\145\162\040
-\117\111\104\040\061\056\062\056\062\060\070\056\061\066\071\056
-\061\056\061\056\061\056\060\021\006\011\140\206\110\001\206\370
-\102\001\001\004\004\003\002\000\007\060\201\201\006\003\125\035
-\037\004\172\060\170\060\110\240\106\240\104\244\102\060\100\061
-\013\060\011\006\003\125\004\006\023\002\104\113\061\014\060\012
-\006\003\125\004\012\023\003\124\104\103\061\024\060\022\006\003
-\125\004\003\023\013\124\104\103\040\117\103\105\123\040\103\101
-\061\015\060\013\006\003\125\004\003\023\004\103\122\114\061\060
-\054\240\052\240\050\206\046\150\164\164\160\072\057\057\143\162
-\154\056\157\143\145\163\056\143\145\162\164\151\146\151\153\141
-\164\056\144\153\057\157\143\145\163\056\143\162\154\060\053\006
-\003\125\035\020\004\044\060\042\200\017\062\060\060\063\060\062
-\061\061\060\070\063\071\063\060\132\201\017\062\060\063\067\060
-\062\061\061\060\071\060\071\063\060\132\060\037\006\003\125\035
-\043\004\030\060\026\200\024\140\265\205\354\126\144\176\022\031
-\047\147\035\120\025\113\163\256\073\371\022\060\035\006\003\125
-\035\016\004\026\004\024\140\265\205\354\126\144\176\022\031\047
-\147\035\120\025\113\163\256\073\371\022\060\035\006\011\052\206
-\110\206\366\175\007\101\000\004\020\060\016\033\010\126\066\056
-\060\072\064\056\060\003\002\004\220\060\015\006\011\052\206\110
-\206\367\015\001\001\005\005\000\003\202\001\001\000\012\272\046
-\046\106\323\163\250\011\363\153\013\060\231\375\212\341\127\172
-\021\323\270\224\327\011\020\156\243\261\070\003\321\266\362\103
-\101\051\142\247\162\330\373\174\005\346\061\160\047\124\030\116
-\212\174\116\345\321\312\214\170\210\317\033\323\220\213\346\043
-\370\013\016\063\103\175\234\342\012\031\217\311\001\076\164\135
-\164\311\213\034\003\345\030\310\001\114\077\313\227\005\135\230
-\161\246\230\157\266\174\275\067\177\276\341\223\045\155\157\360
-\012\255\027\030\341\003\274\007\051\310\255\046\350\370\141\360
-\375\041\011\176\232\216\251\150\175\110\142\162\275\000\352\001
-\231\270\006\202\121\201\116\361\365\264\221\124\271\043\172\000
-\232\237\135\215\340\074\144\271\032\022\222\052\307\202\104\162
-\071\334\342\074\306\330\125\365\025\116\310\005\016\333\306\320
-\142\246\354\025\264\265\002\202\333\254\214\242\201\360\233\231
-\061\365\040\040\250\210\141\012\007\237\224\374\320\327\033\314
-\056\027\363\004\047\166\147\353\124\203\375\244\220\176\006\075
-\004\243\103\055\332\374\013\142\352\057\137\142\123
-END
-
-# Trust for Certificate "TDC OCES Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "TDC OCES Root CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\207\201\302\132\226\275\302\373\114\145\006\117\371\071\013\046
-\004\212\016\001
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\223\177\220\034\355\204\147\027\244\145\137\233\313\060\002\227
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\061\061\013\060\011\006\003\125\004\006\023\002\104\113\061
-\014\060\012\006\003\125\004\012\023\003\124\104\103\061\024\060
-\022\006\003\125\004\003\023\013\124\104\103\040\117\103\105\123
-\040\103\101
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\076\110\275\304
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "UTN DATACorp SGC Root CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "UTN DATACorp SGC Root CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\223\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060
-\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153
-\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023
-\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116
-\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023
-\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162
-\164\162\165\163\164\056\143\157\155\061\033\060\031\006\003\125
-\004\003\023\022\125\124\116\040\055\040\104\101\124\101\103\157
-\162\160\040\123\107\103
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\223\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060
-\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153
-\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023
-\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116
-\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023
-\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162
-\164\162\165\163\164\056\143\157\155\061\033\060\031\006\003\125
-\004\003\023\022\125\124\116\040\055\040\104\101\124\101\103\157
-\162\160\040\123\107\103
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\104\276\014\213\120\000\041\264\021\323\052\150\006\251
-\255\151
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\136\060\202\003\106\240\003\002\001\002\002\020\104
-\276\014\213\120\000\041\264\021\323\052\150\006\251\255\151\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201
-\223\061\013\060\011\006\003\125\004\006\023\002\125\123\061\013
-\060\011\006\003\125\004\010\023\002\125\124\061\027\060\025\006
-\003\125\004\007\023\016\123\141\154\164\040\114\141\153\145\040
-\103\151\164\171\061\036\060\034\006\003\125\004\012\023\025\124
-\150\145\040\125\123\105\122\124\122\125\123\124\040\116\145\164
-\167\157\162\153\061\041\060\037\006\003\125\004\013\023\030\150
-\164\164\160\072\057\057\167\167\167\056\165\163\145\162\164\162
-\165\163\164\056\143\157\155\061\033\060\031\006\003\125\004\003
-\023\022\125\124\116\040\055\040\104\101\124\101\103\157\162\160
-\040\123\107\103\060\036\027\015\071\071\060\066\062\064\061\070
-\065\067\062\061\132\027\015\061\071\060\066\062\064\061\071\060
-\066\063\060\132\060\201\223\061\013\060\011\006\003\125\004\006
-\023\002\125\123\061\013\060\011\006\003\125\004\010\023\002\125
-\124\061\027\060\025\006\003\125\004\007\023\016\123\141\154\164
-\040\114\141\153\145\040\103\151\164\171\061\036\060\034\006\003
-\125\004\012\023\025\124\150\145\040\125\123\105\122\124\122\125
-\123\124\040\116\145\164\167\157\162\153\061\041\060\037\006\003
-\125\004\013\023\030\150\164\164\160\072\057\057\167\167\167\056
-\165\163\145\162\164\162\165\163\164\056\143\157\155\061\033\060
-\031\006\003\125\004\003\023\022\125\124\116\040\055\040\104\101
-\124\101\103\157\162\160\040\123\107\103\060\202\001\042\060\015
-\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001
-\017\000\060\202\001\012\002\202\001\001\000\337\356\130\020\242
-\053\156\125\304\216\277\056\106\011\347\340\010\017\056\053\172
-\023\224\033\275\366\266\200\216\145\005\223\000\036\274\257\342
-\017\216\031\015\022\107\354\254\255\243\372\056\160\370\336\156
-\373\126\102\025\236\056\134\357\043\336\041\271\005\166\047\031
-\017\117\326\303\234\264\276\224\031\143\362\246\021\012\353\123
-\110\234\276\362\051\073\026\350\032\240\114\246\311\364\030\131
-\150\300\160\362\123\000\300\136\120\202\245\126\157\066\371\112
-\340\104\206\240\115\116\326\107\156\111\112\313\147\327\246\304
-\005\271\216\036\364\374\377\315\347\066\340\234\005\154\262\063
-\042\025\320\264\340\314\027\300\262\300\364\376\062\077\051\052
-\225\173\330\362\247\116\017\124\174\241\015\200\263\011\003\301
-\377\134\335\136\232\076\274\256\274\107\212\152\256\161\312\037
-\261\052\270\137\102\005\013\354\106\060\321\162\013\312\351\126
-\155\365\357\337\170\276\141\272\262\245\256\004\114\274\250\254
-\151\025\227\275\357\353\264\214\277\065\370\324\303\321\050\016
-\134\072\237\160\030\063\040\167\304\242\257\002\003\001\000\001
-\243\201\253\060\201\250\060\013\006\003\125\035\017\004\004\003
-\002\001\306\060\017\006\003\125\035\023\001\001\377\004\005\060
-\003\001\001\377\060\035\006\003\125\035\016\004\026\004\024\123
-\062\321\263\317\177\372\340\361\240\135\205\116\222\322\236\105
-\035\264\117\060\075\006\003\125\035\037\004\066\060\064\060\062
-\240\060\240\056\206\054\150\164\164\160\072\057\057\143\162\154
-\056\165\163\145\162\164\162\165\163\164\056\143\157\155\057\125
-\124\116\055\104\101\124\101\103\157\162\160\123\107\103\056\143
-\162\154\060\052\006\003\125\035\045\004\043\060\041\006\010\053
-\006\001\005\005\007\003\001\006\012\053\006\001\004\001\202\067
-\012\003\003\006\011\140\206\110\001\206\370\102\004\001\060\015
-\006\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001
-\001\000\047\065\227\000\212\213\050\275\306\063\060\036\051\374
-\342\367\325\230\324\100\273\140\312\277\253\027\054\011\066\177
-\120\372\101\334\256\226\072\012\043\076\211\131\311\243\007\355
-\033\067\255\374\174\276\121\111\132\336\072\012\124\010\026\105
-\302\231\261\207\315\214\150\340\151\003\351\304\116\230\262\073
-\214\026\263\016\240\014\230\120\233\223\251\160\011\310\054\243
-\217\337\002\344\340\161\072\361\264\043\162\240\252\001\337\337
-\230\076\024\120\240\061\046\275\050\351\132\060\046\165\371\173
-\140\034\215\363\315\120\046\155\004\047\232\337\325\015\105\107
-\051\153\054\346\166\331\251\051\175\062\335\311\066\074\275\256
-\065\361\021\236\035\273\220\077\022\107\116\216\327\176\017\142
-\163\035\122\046\070\034\030\111\375\060\164\232\304\345\042\057
-\330\300\215\355\221\172\114\000\217\162\177\135\332\335\033\213
-\105\153\347\335\151\227\250\305\126\114\017\014\366\237\172\221
-\067\366\227\202\340\335\161\151\377\166\077\140\115\074\317\367
-\231\371\306\127\364\311\125\071\170\272\054\171\311\246\210\053
-\364\010
-END
-
-# Trust for Certificate "UTN DATACorp SGC Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "UTN DATACorp SGC Root CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\130\021\237\016\022\202\207\352\120\375\331\207\105\157\117\170
-\334\372\326\324
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\263\245\076\167\041\155\254\112\300\311\373\325\101\075\312\006
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\223\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060
-\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153
-\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023
-\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116
-\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023
-\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162
-\164\162\165\163\164\056\143\157\155\061\033\060\031\006\003\125
-\004\003\023\022\125\124\116\040\055\040\104\101\124\101\103\157
-\162\160\040\123\107\103
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\104\276\014\213\120\000\041\264\021\323\052\150\006\251
-\255\151
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "UTN USERFirst Email Root CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "UTN USERFirst Email Root CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\256\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060
-\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153
-\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023
-\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116
-\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023
-\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162
-\164\162\165\163\164\056\143\157\155\061\066\060\064\006\003\125
-\004\003\023\055\125\124\116\055\125\123\105\122\106\151\162\163
-\164\055\103\154\151\145\156\164\040\101\165\164\150\145\156\164
-\151\143\141\164\151\157\156\040\141\156\144\040\105\155\141\151
-\154
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\256\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060
-\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153
-\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023
-\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116
-\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023
-\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162
-\164\162\165\163\164\056\143\157\155\061\066\060\064\006\003\125
-\004\003\023\055\125\124\116\055\125\123\105\122\106\151\162\163
-\164\055\103\154\151\145\156\164\040\101\165\164\150\145\156\164
-\151\143\141\164\151\157\156\040\141\156\144\040\105\155\141\151
-\154
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\104\276\014\213\120\000\044\264\021\323\066\045\045\147
-\311\211
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\242\060\202\003\212\240\003\002\001\002\002\020\104
-\276\014\213\120\000\044\264\021\323\066\045\045\147\311\211\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201
-\256\061\013\060\011\006\003\125\004\006\023\002\125\123\061\013
-\060\011\006\003\125\004\010\023\002\125\124\061\027\060\025\006
-\003\125\004\007\023\016\123\141\154\164\040\114\141\153\145\040
-\103\151\164\171\061\036\060\034\006\003\125\004\012\023\025\124
-\150\145\040\125\123\105\122\124\122\125\123\124\040\116\145\164
-\167\157\162\153\061\041\060\037\006\003\125\004\013\023\030\150
-\164\164\160\072\057\057\167\167\167\056\165\163\145\162\164\162
-\165\163\164\056\143\157\155\061\066\060\064\006\003\125\004\003
-\023\055\125\124\116\055\125\123\105\122\106\151\162\163\164\055
-\103\154\151\145\156\164\040\101\165\164\150\145\156\164\151\143
-\141\164\151\157\156\040\141\156\144\040\105\155\141\151\154\060
-\036\027\015\071\071\060\067\060\071\061\067\062\070\065\060\132
-\027\015\061\071\060\067\060\071\061\067\063\066\065\070\132\060
-\201\256\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060\025
-\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153\145
-\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023\025
-\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116\145
-\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023\030
-\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162\164
-\162\165\163\164\056\143\157\155\061\066\060\064\006\003\125\004
-\003\023\055\125\124\116\055\125\123\105\122\106\151\162\163\164
-\055\103\154\151\145\156\164\040\101\165\164\150\145\156\164\151
-\143\141\164\151\157\156\040\141\156\144\040\105\155\141\151\154
-\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001
-\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001
-\000\262\071\205\244\362\175\253\101\073\142\106\067\256\315\301
-\140\165\274\071\145\371\112\032\107\242\271\314\110\314\152\230
-\325\115\065\031\271\244\102\345\316\111\342\212\057\036\174\322
-\061\007\307\116\264\203\144\235\056\051\325\242\144\304\205\275
-\205\121\065\171\244\116\150\220\173\034\172\244\222\250\027\362
-\230\025\362\223\314\311\244\062\225\273\014\117\060\275\230\240
-\013\213\345\156\033\242\106\372\170\274\242\157\253\131\136\245
-\057\317\312\332\155\252\057\353\254\241\263\152\252\267\056\147
-\065\213\171\341\036\151\210\342\346\106\315\240\245\352\276\013
-\316\166\072\172\016\233\352\374\332\047\133\075\163\037\042\346
-\110\141\306\114\363\151\261\250\056\033\266\324\061\040\054\274
-\202\212\216\244\016\245\327\211\103\374\026\132\257\035\161\327
-\021\131\332\272\207\015\257\372\363\341\302\360\244\305\147\214
-\326\326\124\072\336\012\244\272\003\167\263\145\310\375\036\323
-\164\142\252\030\312\150\223\036\241\205\176\365\107\145\313\370
-\115\127\050\164\322\064\377\060\266\356\366\142\060\024\214\054
-\353\002\003\001\000\001\243\201\271\060\201\266\060\013\006\003
-\125\035\017\004\004\003\002\001\306\060\017\006\003\125\035\023
-\001\001\377\004\005\060\003\001\001\377\060\035\006\003\125\035
-\016\004\026\004\024\211\202\147\175\304\235\046\160\000\113\264
-\120\110\174\336\075\256\004\156\175\060\130\006\003\125\035\037
-\004\121\060\117\060\115\240\113\240\111\206\107\150\164\164\160
-\072\057\057\143\162\154\056\165\163\145\162\164\162\165\163\164
-\056\143\157\155\057\125\124\116\055\125\123\105\122\106\151\162
-\163\164\055\103\154\151\145\156\164\101\165\164\150\145\156\164
-\151\143\141\164\151\157\156\141\156\144\105\155\141\151\154\056
-\143\162\154\060\035\006\003\125\035\045\004\026\060\024\006\010
-\053\006\001\005\005\007\003\002\006\010\053\006\001\005\005\007
-\003\004\060\015\006\011\052\206\110\206\367\015\001\001\005\005
-\000\003\202\001\001\000\261\155\141\135\246\032\177\174\253\112
-\344\060\374\123\157\045\044\306\312\355\342\061\134\053\016\356
-\356\141\125\157\004\076\317\071\336\305\033\111\224\344\353\040
-\114\264\346\236\120\056\162\331\215\365\252\243\263\112\332\126
-\034\140\227\200\334\202\242\255\112\275\212\053\377\013\011\264
-\306\327\040\004\105\344\315\200\001\272\272\053\156\316\252\327
-\222\376\344\257\353\364\046\035\026\052\177\154\060\225\067\057
-\063\022\254\177\335\307\321\021\214\121\230\262\320\243\221\320
-\255\366\237\236\203\223\036\035\102\270\106\257\153\146\360\233
-\177\352\343\003\002\345\002\121\301\252\325\065\235\162\100\003
-\211\272\061\035\305\020\150\122\236\337\242\205\305\134\010\246
-\170\346\123\117\261\350\267\323\024\236\223\246\303\144\343\254
-\176\161\315\274\237\351\003\033\314\373\351\254\061\301\257\174
-\025\164\002\231\303\262\107\246\302\062\141\327\307\157\110\044
-\121\047\241\325\207\125\362\173\217\230\075\026\236\356\165\266
-\370\320\216\362\363\306\256\050\133\247\360\363\066\027\374\303
-\005\323\312\003\112\124
-END
-
-# Trust for Certificate "UTN USERFirst Email Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "UTN USERFirst Email Root CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\261\162\261\245\155\225\371\037\345\002\207\341\115\067\352\152
-\104\143\166\212
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\327\064\075\357\035\047\011\050\341\061\002\133\023\053\335\367
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\256\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060
-\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153
-\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023
-\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116
-\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023
-\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162
-\164\162\165\163\164\056\143\157\155\061\066\060\064\006\003\125
-\004\003\023\055\125\124\116\055\125\123\105\122\106\151\162\163
-\164\055\103\154\151\145\156\164\040\101\165\164\150\145\156\164
-\151\143\141\164\151\157\156\040\141\156\144\040\105\155\141\151
-\154
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\104\276\014\213\120\000\044\264\021\323\066\045\045\147
-\311\211
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "UTN USERFirst Hardware Root CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "UTN USERFirst Hardware Root CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\227\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060
-\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153
-\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023
-\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116
-\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023
-\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162
-\164\162\165\163\164\056\143\157\155\061\037\060\035\006\003\125
-\004\003\023\026\125\124\116\055\125\123\105\122\106\151\162\163
-\164\055\110\141\162\144\167\141\162\145
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\227\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060
-\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153
-\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023
-\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116
-\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023
-\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162
-\164\162\165\163\164\056\143\157\155\061\037\060\035\006\003\125
-\004\003\023\026\125\124\116\055\125\123\105\122\106\151\162\163
-\164\055\110\141\162\144\167\141\162\145
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\104\276\014\213\120\000\044\264\021\323\066\052\376\145
-\012\375
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\164\060\202\003\134\240\003\002\001\002\002\020\104
-\276\014\213\120\000\044\264\021\323\066\052\376\145\012\375\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201
-\227\061\013\060\011\006\003\125\004\006\023\002\125\123\061\013
-\060\011\006\003\125\004\010\023\002\125\124\061\027\060\025\006
-\003\125\004\007\023\016\123\141\154\164\040\114\141\153\145\040
-\103\151\164\171\061\036\060\034\006\003\125\004\012\023\025\124
-\150\145\040\125\123\105\122\124\122\125\123\124\040\116\145\164
-\167\157\162\153\061\041\060\037\006\003\125\004\013\023\030\150
-\164\164\160\072\057\057\167\167\167\056\165\163\145\162\164\162
-\165\163\164\056\143\157\155\061\037\060\035\006\003\125\004\003
-\023\026\125\124\116\055\125\123\105\122\106\151\162\163\164\055
-\110\141\162\144\167\141\162\145\060\036\027\015\071\071\060\067
-\060\071\061\070\061\060\064\062\132\027\015\061\071\060\067\060
-\071\061\070\061\071\062\062\132\060\201\227\061\013\060\011\006
-\003\125\004\006\023\002\125\123\061\013\060\011\006\003\125\004
-\010\023\002\125\124\061\027\060\025\006\003\125\004\007\023\016
-\123\141\154\164\040\114\141\153\145\040\103\151\164\171\061\036
-\060\034\006\003\125\004\012\023\025\124\150\145\040\125\123\105
-\122\124\122\125\123\124\040\116\145\164\167\157\162\153\061\041
-\060\037\006\003\125\004\013\023\030\150\164\164\160\072\057\057
-\167\167\167\056\165\163\145\162\164\162\165\163\164\056\143\157
-\155\061\037\060\035\006\003\125\004\003\023\026\125\124\116\055
-\125\123\105\122\106\151\162\163\164\055\110\141\162\144\167\141
-\162\145\060\202\001\042\060\015\006\011\052\206\110\206\367\015
-\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202
-\001\001\000\261\367\303\070\077\264\250\177\317\071\202\121\147
-\320\155\237\322\377\130\363\347\237\053\354\015\211\124\231\271
-\070\231\026\367\340\041\171\110\302\273\141\164\022\226\035\074
-\152\162\325\074\020\147\072\071\355\053\023\315\146\353\225\011
-\063\244\154\227\261\350\306\354\301\165\171\234\106\136\215\253
-\320\152\375\271\052\125\027\020\124\263\031\360\232\366\361\261
-\135\266\247\155\373\340\161\027\153\242\210\373\000\337\376\032
-\061\167\014\232\001\172\261\062\343\053\001\007\070\156\303\245
-\136\043\274\105\233\173\120\301\311\060\217\333\345\053\172\323
-\133\373\063\100\036\240\325\230\027\274\213\207\303\211\323\135
-\240\216\262\252\252\366\216\151\210\006\305\372\211\041\363\010
-\235\151\056\011\063\233\051\015\106\017\214\314\111\064\260\151
-\121\275\371\006\315\150\255\146\114\274\076\254\141\275\012\210
-\016\310\337\075\356\174\004\114\235\012\136\153\221\326\356\307
-\355\050\215\253\115\207\211\163\320\156\244\320\036\026\213\024
-\341\166\104\003\177\143\254\344\315\111\234\305\222\364\253\062
-\241\110\133\002\003\001\000\001\243\201\271\060\201\266\060\013
-\006\003\125\035\017\004\004\003\002\001\306\060\017\006\003\125
-\035\023\001\001\377\004\005\060\003\001\001\377\060\035\006\003
-\125\035\016\004\026\004\024\241\162\137\046\033\050\230\103\225
-\135\007\067\325\205\226\235\113\322\303\105\060\104\006\003\125
-\035\037\004\075\060\073\060\071\240\067\240\065\206\063\150\164
-\164\160\072\057\057\143\162\154\056\165\163\145\162\164\162\165
-\163\164\056\143\157\155\057\125\124\116\055\125\123\105\122\106
-\151\162\163\164\055\110\141\162\144\167\141\162\145\056\143\162
-\154\060\061\006\003\125\035\045\004\052\060\050\006\010\053\006
-\001\005\005\007\003\001\006\010\053\006\001\005\005\007\003\005
-\006\010\053\006\001\005\005\007\003\006\006\010\053\006\001\005
-\005\007\003\007\060\015\006\011\052\206\110\206\367\015\001\001
-\005\005\000\003\202\001\001\000\107\031\017\336\164\306\231\227
-\257\374\255\050\136\165\216\353\055\147\356\116\173\053\327\014
-\377\366\336\313\125\242\012\341\114\124\145\223\140\153\237\022
-\234\255\136\203\054\353\132\256\300\344\055\364\000\143\035\270
-\300\154\362\317\111\273\115\223\157\006\246\012\042\262\111\142
-\010\116\377\310\310\024\262\210\026\135\347\001\344\022\225\345
-\105\064\263\213\151\275\317\264\205\217\165\121\236\175\072\070
-\072\024\110\022\306\373\247\073\032\215\015\202\100\007\350\004
-\010\220\241\211\313\031\120\337\312\034\001\274\035\004\031\173
-\020\166\227\073\356\220\220\312\304\016\037\026\156\165\357\063
-\370\323\157\133\036\226\343\340\164\167\164\173\212\242\156\055
-\335\166\326\071\060\202\360\253\234\122\362\052\307\257\111\136
-\176\307\150\345\202\201\310\152\047\371\047\210\052\325\130\120
-\225\037\360\073\034\127\273\175\024\071\142\053\232\311\224\222
-\052\243\042\014\377\211\046\175\137\043\053\107\327\025\035\251
-\152\236\121\015\052\121\236\201\371\324\073\136\160\022\177\020
-\062\234\036\273\235\370\146\250
-END
-
-# Trust for Certificate "UTN USERFirst Hardware Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "UTN USERFirst Hardware Root CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\004\203\355\063\231\254\066\010\005\207\042\355\274\136\106\000
-\343\276\371\327
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\114\126\101\345\015\273\053\350\312\243\355\030\010\255\103\071
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\227\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060
-\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153
-\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023
-\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116
-\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023
-\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162
-\164\162\165\163\164\056\143\157\155\061\037\060\035\006\003\125
-\004\003\023\026\125\124\116\055\125\123\105\122\106\151\162\163
-\164\055\110\141\162\144\167\141\162\145
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\104\276\014\213\120\000\044\264\021\323\066\052\376\145
-\012\375
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "UTN USERFirst Object Root CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "UTN USERFirst Object Root CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\225\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060
-\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153
-\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023
-\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116
-\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023
-\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162
-\164\162\165\163\164\056\143\157\155\061\035\060\033\006\003\125
-\004\003\023\024\125\124\116\055\125\123\105\122\106\151\162\163
-\164\055\117\142\152\145\143\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\225\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060
-\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153
-\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023
-\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116
-\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023
-\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162
-\164\162\165\163\164\056\143\157\155\061\035\060\033\006\003\125
-\004\003\023\024\125\124\116\055\125\123\105\122\106\151\162\163
-\164\055\117\142\152\145\143\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\104\276\014\213\120\000\044\264\021\323\066\055\340\263
-\137\033
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\146\060\202\003\116\240\003\002\001\002\002\020\104
-\276\014\213\120\000\044\264\021\323\066\055\340\263\137\033\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201
-\225\061\013\060\011\006\003\125\004\006\023\002\125\123\061\013
-\060\011\006\003\125\004\010\023\002\125\124\061\027\060\025\006
-\003\125\004\007\023\016\123\141\154\164\040\114\141\153\145\040
-\103\151\164\171\061\036\060\034\006\003\125\004\012\023\025\124
-\150\145\040\125\123\105\122\124\122\125\123\124\040\116\145\164
-\167\157\162\153\061\041\060\037\006\003\125\004\013\023\030\150
-\164\164\160\072\057\057\167\167\167\056\165\163\145\162\164\162
-\165\163\164\056\143\157\155\061\035\060\033\006\003\125\004\003
-\023\024\125\124\116\055\125\123\105\122\106\151\162\163\164\055
-\117\142\152\145\143\164\060\036\027\015\071\071\060\067\060\071
-\061\070\063\061\062\060\132\027\015\061\071\060\067\060\071\061
-\070\064\060\063\066\132\060\201\225\061\013\060\011\006\003\125
-\004\006\023\002\125\123\061\013\060\011\006\003\125\004\010\023
-\002\125\124\061\027\060\025\006\003\125\004\007\023\016\123\141
-\154\164\040\114\141\153\145\040\103\151\164\171\061\036\060\034
-\006\003\125\004\012\023\025\124\150\145\040\125\123\105\122\124
-\122\125\123\124\040\116\145\164\167\157\162\153\061\041\060\037
-\006\003\125\004\013\023\030\150\164\164\160\072\057\057\167\167
-\167\056\165\163\145\162\164\162\165\163\164\056\143\157\155\061
-\035\060\033\006\003\125\004\003\023\024\125\124\116\055\125\123
-\105\122\106\151\162\163\164\055\117\142\152\145\143\164\060\202
-\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005
-\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000\316
-\252\201\077\243\243\141\170\252\061\000\125\225\021\236\047\017
-\037\034\337\072\233\202\150\060\300\112\141\035\361\057\016\372
-\276\171\367\245\043\357\125\121\226\204\315\333\343\271\156\076
-\061\330\012\040\147\307\364\331\277\224\353\107\004\076\002\316
-\052\242\135\207\004\011\366\060\235\030\212\227\262\252\034\374
-\101\322\241\066\313\373\075\221\272\347\331\160\065\372\344\347
-\220\303\233\243\233\323\074\365\022\231\167\261\267\011\340\150
-\346\034\270\363\224\143\210\152\152\376\013\166\311\276\364\042
-\344\147\271\253\032\136\167\301\205\007\335\015\154\277\356\006
-\307\167\152\101\236\247\017\327\373\356\224\027\267\374\205\276
-\244\253\304\034\061\335\327\266\321\344\360\357\337\026\217\262
-\122\223\327\241\324\211\241\007\056\277\341\001\022\102\036\032
-\341\330\225\064\333\144\171\050\377\272\056\021\302\345\350\133
-\222\110\373\107\013\302\154\332\255\062\203\101\363\245\345\101
-\160\375\145\220\155\372\372\121\304\371\275\226\053\031\004\054
-\323\155\247\334\360\177\157\203\145\342\152\253\207\206\165\002
-\003\001\000\001\243\201\257\060\201\254\060\013\006\003\125\035
-\017\004\004\003\002\001\306\060\017\006\003\125\035\023\001\001
-\377\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004
-\026\004\024\332\355\144\164\024\234\024\074\253\335\231\251\275
-\133\050\115\213\074\311\330\060\102\006\003\125\035\037\004\073
-\060\071\060\067\240\065\240\063\206\061\150\164\164\160\072\057
-\057\143\162\154\056\165\163\145\162\164\162\165\163\164\056\143
-\157\155\057\125\124\116\055\125\123\105\122\106\151\162\163\164
-\055\117\142\152\145\143\164\056\143\162\154\060\051\006\003\125
-\035\045\004\042\060\040\006\010\053\006\001\005\005\007\003\003
-\006\010\053\006\001\005\005\007\003\010\006\012\053\006\001\004
-\001\202\067\012\003\004\060\015\006\011\052\206\110\206\367\015
-\001\001\005\005\000\003\202\001\001\000\010\037\122\261\067\104
-\170\333\375\316\271\332\225\226\230\252\125\144\200\265\132\100
-\335\041\245\305\301\363\137\054\114\310\107\132\151\352\350\360
-\065\065\364\320\045\363\310\246\244\207\112\275\033\261\163\010
-\275\324\303\312\266\065\273\131\206\167\061\315\247\200\024\256
-\023\357\374\261\110\371\153\045\045\055\121\266\054\155\105\301
-\230\310\212\126\135\076\356\103\116\076\153\047\216\320\072\113
-\205\013\137\323\355\152\247\165\313\321\132\207\057\071\165\023
-\132\162\260\002\201\237\276\360\017\204\124\040\142\154\151\324
-\341\115\306\015\231\103\001\015\022\226\214\170\235\277\120\242
-\261\104\252\152\317\027\172\317\157\017\324\370\044\125\137\360
-\064\026\111\146\076\120\106\311\143\161\070\061\142\270\142\271
-\363\123\255\154\265\053\242\022\252\031\117\011\332\136\347\223
-\306\216\024\010\376\360\060\200\030\240\206\205\115\310\175\327
-\213\003\376\156\325\367\235\026\254\222\054\240\043\345\234\221
-\122\037\224\337\027\224\163\303\263\301\301\161\005\040\000\170
-\275\023\122\035\250\076\315\000\037\310
-END
-
-# Trust for Certificate "UTN USERFirst Object Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "UTN USERFirst Object Root CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\341\055\373\113\101\327\331\303\053\060\121\113\254\035\201\330
-\070\136\055\106
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\247\362\344\026\006\101\021\120\060\153\234\343\264\234\260\311
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\225\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060
-\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153
-\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023
-\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116
-\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023
-\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162
-\164\162\165\163\164\056\143\157\155\061\035\060\033\006\003\125
-\004\003\023\024\125\124\116\055\125\123\105\122\106\151\162\163
-\164\055\117\142\152\145\143\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\104\276\014\213\120\000\044\264\021\323\066\055\340\263
-\137\033
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Camerfirma Chambers of Commerce Root"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Camerfirma Chambers of Commerce Root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\177\061\013\060\011\006\003\125\004\006\023\002\105\125\061
-\047\060\045\006\003\125\004\012\023\036\101\103\040\103\141\155
-\145\162\146\151\162\155\141\040\123\101\040\103\111\106\040\101
-\070\062\067\064\063\062\070\067\061\043\060\041\006\003\125\004
-\013\023\032\150\164\164\160\072\057\057\167\167\167\056\143\150
-\141\155\142\145\162\163\151\147\156\056\157\162\147\061\042\060
-\040\006\003\125\004\003\023\031\103\150\141\155\142\145\162\163
-\040\157\146\040\103\157\155\155\145\162\143\145\040\122\157\157
-\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\177\061\013\060\011\006\003\125\004\006\023\002\105\125\061
-\047\060\045\006\003\125\004\012\023\036\101\103\040\103\141\155
-\145\162\146\151\162\155\141\040\123\101\040\103\111\106\040\101
-\070\062\067\064\063\062\070\067\061\043\060\041\006\003\125\004
-\013\023\032\150\164\164\160\072\057\057\167\167\167\056\143\150
-\141\155\142\145\162\163\151\147\156\056\157\162\147\061\042\060
-\040\006\003\125\004\003\023\031\103\150\141\155\142\145\162\163
-\040\157\146\040\103\157\155\155\145\162\143\145\040\122\157\157
-\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\275\060\202\003\245\240\003\002\001\002\002\001\000
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\177\061\013\060\011\006\003\125\004\006\023\002\105\125\061\047
-\060\045\006\003\125\004\012\023\036\101\103\040\103\141\155\145
-\162\146\151\162\155\141\040\123\101\040\103\111\106\040\101\070
-\062\067\064\063\062\070\067\061\043\060\041\006\003\125\004\013
-\023\032\150\164\164\160\072\057\057\167\167\167\056\143\150\141
-\155\142\145\162\163\151\147\156\056\157\162\147\061\042\060\040
-\006\003\125\004\003\023\031\103\150\141\155\142\145\162\163\040
-\157\146\040\103\157\155\155\145\162\143\145\040\122\157\157\164
-\060\036\027\015\060\063\060\071\063\060\061\066\061\063\064\063
-\132\027\015\063\067\060\071\063\060\061\066\061\063\064\064\132
-\060\177\061\013\060\011\006\003\125\004\006\023\002\105\125\061
-\047\060\045\006\003\125\004\012\023\036\101\103\040\103\141\155
-\145\162\146\151\162\155\141\040\123\101\040\103\111\106\040\101
-\070\062\067\064\063\062\070\067\061\043\060\041\006\003\125\004
-\013\023\032\150\164\164\160\072\057\057\167\167\167\056\143\150
-\141\155\142\145\162\163\151\147\156\056\157\162\147\061\042\060
-\040\006\003\125\004\003\023\031\103\150\141\155\142\145\162\163
-\040\157\146\040\103\157\155\155\145\162\143\145\040\122\157\157
-\164\060\202\001\040\060\015\006\011\052\206\110\206\367\015\001
-\001\001\005\000\003\202\001\015\000\060\202\001\010\002\202\001
-\001\000\267\066\125\345\245\135\030\060\340\332\211\124\221\374
-\310\307\122\370\057\120\331\357\261\165\163\145\107\175\033\133
-\272\165\305\374\241\210\044\372\057\355\312\010\112\071\124\304
-\121\172\265\332\140\352\070\074\201\262\313\361\273\331\221\043
-\077\110\001\160\165\251\005\052\255\037\161\363\311\124\075\035
-\006\152\100\076\263\014\205\356\134\033\171\302\142\304\270\066
-\216\065\135\001\014\043\004\107\065\252\233\140\116\240\146\075
-\313\046\012\234\100\241\364\135\230\277\161\253\245\000\150\052
-\355\203\172\017\242\024\265\324\042\263\200\260\074\014\132\121
-\151\055\130\030\217\355\231\236\361\256\342\225\346\366\107\250
-\326\014\017\260\130\130\333\303\146\067\236\233\221\124\063\067
-\322\224\034\152\110\311\311\362\245\332\245\014\043\367\043\016
-\234\062\125\136\161\234\204\005\121\232\055\375\346\116\052\064
-\132\336\312\100\067\147\014\124\041\125\167\332\012\014\314\227
-\256\200\334\224\066\112\364\076\316\066\023\036\123\344\254\116
-\072\005\354\333\256\162\234\070\213\320\071\073\211\012\076\167
-\376\165\002\001\003\243\202\001\104\060\202\001\100\060\022\006
-\003\125\035\023\001\001\377\004\010\060\006\001\001\377\002\001
-\014\060\074\006\003\125\035\037\004\065\060\063\060\061\240\057
-\240\055\206\053\150\164\164\160\072\057\057\143\162\154\056\143
-\150\141\155\142\145\162\163\151\147\156\056\157\162\147\057\143
-\150\141\155\142\145\162\163\162\157\157\164\056\143\162\154\060
-\035\006\003\125\035\016\004\026\004\024\343\224\365\261\115\351
-\333\241\051\133\127\213\115\166\006\166\341\321\242\212\060\016
-\006\003\125\035\017\001\001\377\004\004\003\002\001\006\060\021
-\006\011\140\206\110\001\206\370\102\001\001\004\004\003\002\000
-\007\060\047\006\003\125\035\021\004\040\060\036\201\034\143\150
-\141\155\142\145\162\163\162\157\157\164\100\143\150\141\155\142
-\145\162\163\151\147\156\056\157\162\147\060\047\006\003\125\035
-\022\004\040\060\036\201\034\143\150\141\155\142\145\162\163\162
-\157\157\164\100\143\150\141\155\142\145\162\163\151\147\156\056
-\157\162\147\060\130\006\003\125\035\040\004\121\060\117\060\115
-\006\013\053\006\001\004\001\201\207\056\012\003\001\060\076\060
-\074\006\010\053\006\001\005\005\007\002\001\026\060\150\164\164
-\160\072\057\057\143\160\163\056\143\150\141\155\142\145\162\163
-\151\147\156\056\157\162\147\057\143\160\163\057\143\150\141\155
-\142\145\162\163\162\157\157\164\056\150\164\155\154\060\015\006
-\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001
-\000\014\101\227\302\032\206\300\042\174\237\373\220\363\032\321
-\003\261\357\023\371\041\137\004\234\332\311\245\215\047\154\226
-\207\221\276\101\220\001\162\223\347\036\175\137\366\211\306\135
-\247\100\011\075\254\111\105\105\334\056\215\060\150\262\011\272
-\373\303\057\314\272\013\337\077\167\173\106\175\072\022\044\216
-\226\217\074\005\012\157\322\224\050\035\155\014\300\056\210\042
-\325\330\317\035\023\307\360\110\327\327\005\247\317\307\107\236
-\073\074\064\310\200\117\324\024\273\374\015\120\367\372\263\354
-\102\137\251\335\155\310\364\165\317\173\301\162\046\261\001\034
-\134\054\375\172\116\264\001\305\005\127\271\347\074\252\005\331
-\210\351\007\106\101\316\357\101\201\256\130\337\203\242\256\312
-\327\167\037\347\000\074\235\157\216\344\062\011\035\115\170\064
-\170\064\074\224\233\046\355\117\161\306\031\172\275\040\042\110
-\132\376\113\175\003\267\347\130\276\306\062\116\164\036\150\335
-\250\150\133\263\076\356\142\175\331\200\350\012\165\172\267\356
-\264\145\232\041\220\340\252\320\230\274\070\265\163\074\213\370
-\334
-END
-
-# Trust for Certificate "Camerfirma Chambers of Commerce Root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Camerfirma Chambers of Commerce Root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\156\072\125\244\031\014\031\134\223\204\074\300\333\162\056\061
-\060\141\360\261
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\260\001\356\024\331\257\051\030\224\166\216\361\151\063\052\204
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\177\061\013\060\011\006\003\125\004\006\023\002\105\125\061
-\047\060\045\006\003\125\004\012\023\036\101\103\040\103\141\155
-\145\162\146\151\162\155\141\040\123\101\040\103\111\106\040\101
-\070\062\067\064\063\062\070\067\061\043\060\041\006\003\125\004
-\013\023\032\150\164\164\160\072\057\057\167\167\167\056\143\150
-\141\155\142\145\162\163\151\147\156\056\157\162\147\061\042\060
-\040\006\003\125\004\003\023\031\103\150\141\155\142\145\162\163
-\040\157\146\040\103\157\155\155\145\162\143\145\040\122\157\157
-\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Camerfirma Global Chambersign Root"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Camerfirma Global Chambersign Root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\175\061\013\060\011\006\003\125\004\006\023\002\105\125\061
-\047\060\045\006\003\125\004\012\023\036\101\103\040\103\141\155
-\145\162\146\151\162\155\141\040\123\101\040\103\111\106\040\101
-\070\062\067\064\063\062\070\067\061\043\060\041\006\003\125\004
-\013\023\032\150\164\164\160\072\057\057\167\167\167\056\143\150
-\141\155\142\145\162\163\151\147\156\056\157\162\147\061\040\060
-\036\006\003\125\004\003\023\027\107\154\157\142\141\154\040\103
-\150\141\155\142\145\162\163\151\147\156\040\122\157\157\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\175\061\013\060\011\006\003\125\004\006\023\002\105\125\061
-\047\060\045\006\003\125\004\012\023\036\101\103\040\103\141\155
-\145\162\146\151\162\155\141\040\123\101\040\103\111\106\040\101
-\070\062\067\064\063\062\070\067\061\043\060\041\006\003\125\004
-\013\023\032\150\164\164\160\072\057\057\167\167\167\056\143\150
-\141\155\142\145\162\163\151\147\156\056\157\162\147\061\040\060
-\036\006\003\125\004\003\023\027\107\154\157\142\141\154\040\103
-\150\141\155\142\145\162\163\151\147\156\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\305\060\202\003\255\240\003\002\001\002\002\001\000
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\175\061\013\060\011\006\003\125\004\006\023\002\105\125\061\047
-\060\045\006\003\125\004\012\023\036\101\103\040\103\141\155\145
-\162\146\151\162\155\141\040\123\101\040\103\111\106\040\101\070
-\062\067\064\063\062\070\067\061\043\060\041\006\003\125\004\013
-\023\032\150\164\164\160\072\057\057\167\167\167\056\143\150\141
-\155\142\145\162\163\151\147\156\056\157\162\147\061\040\060\036
-\006\003\125\004\003\023\027\107\154\157\142\141\154\040\103\150
-\141\155\142\145\162\163\151\147\156\040\122\157\157\164\060\036
-\027\015\060\063\060\071\063\060\061\066\061\064\061\070\132\027
-\015\063\067\060\071\063\060\061\066\061\064\061\070\132\060\175
-\061\013\060\011\006\003\125\004\006\023\002\105\125\061\047\060
-\045\006\003\125\004\012\023\036\101\103\040\103\141\155\145\162
-\146\151\162\155\141\040\123\101\040\103\111\106\040\101\070\062
-\067\064\063\062\070\067\061\043\060\041\006\003\125\004\013\023
-\032\150\164\164\160\072\057\057\167\167\167\056\143\150\141\155
-\142\145\162\163\151\147\156\056\157\162\147\061\040\060\036\006
-\003\125\004\003\023\027\107\154\157\142\141\154\040\103\150\141
-\155\142\145\162\163\151\147\156\040\122\157\157\164\060\202\001
-\040\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000
-\003\202\001\015\000\060\202\001\010\002\202\001\001\000\242\160
-\242\320\237\102\256\133\027\307\330\175\317\024\203\374\117\311
-\241\267\023\257\212\327\236\076\004\012\222\213\140\126\372\264
-\062\057\210\115\241\140\010\364\267\011\116\240\111\057\111\326
-\323\337\235\227\132\237\224\004\160\354\077\131\331\267\314\146
-\213\230\122\050\011\002\337\305\057\204\215\172\227\167\277\354
-\100\235\045\162\253\265\077\062\230\373\267\267\374\162\204\345
-\065\207\371\125\372\243\037\016\157\056\050\335\151\240\331\102
-\020\306\370\265\104\302\320\103\177\333\274\344\242\074\152\125
-\170\012\167\251\330\352\031\062\267\057\376\134\077\033\356\261
-\230\354\312\255\172\151\105\343\226\017\125\366\346\355\165\352
-\145\350\062\126\223\106\211\250\045\212\145\006\356\153\277\171
-\007\320\361\267\257\355\054\115\222\273\300\250\137\247\147\175
-\004\362\025\010\160\254\222\326\175\004\322\063\373\114\266\013
-\013\373\032\311\304\215\003\251\176\134\362\120\253\022\245\241
-\317\110\120\245\357\322\310\032\023\372\260\177\261\202\034\167
-\152\017\137\334\013\225\217\357\103\176\346\105\011\045\002\001
-\003\243\202\001\120\060\202\001\114\060\022\006\003\125\035\023
-\001\001\377\004\010\060\006\001\001\377\002\001\014\060\077\006
-\003\125\035\037\004\070\060\066\060\064\240\062\240\060\206\056
-\150\164\164\160\072\057\057\143\162\154\056\143\150\141\155\142
-\145\162\163\151\147\156\056\157\162\147\057\143\150\141\155\142
-\145\162\163\151\147\156\162\157\157\164\056\143\162\154\060\035
-\006\003\125\035\016\004\026\004\024\103\234\066\237\260\236\060
-\115\306\316\137\255\020\253\345\003\245\372\251\024\060\016\006
-\003\125\035\017\001\001\377\004\004\003\002\001\006\060\021\006
-\011\140\206\110\001\206\370\102\001\001\004\004\003\002\000\007
-\060\052\006\003\125\035\021\004\043\060\041\201\037\143\150\141
-\155\142\145\162\163\151\147\156\162\157\157\164\100\143\150\141
-\155\142\145\162\163\151\147\156\056\157\162\147\060\052\006\003
-\125\035\022\004\043\060\041\201\037\143\150\141\155\142\145\162
-\163\151\147\156\162\157\157\164\100\143\150\141\155\142\145\162
-\163\151\147\156\056\157\162\147\060\133\006\003\125\035\040\004
-\124\060\122\060\120\006\013\053\006\001\004\001\201\207\056\012
-\001\001\060\101\060\077\006\010\053\006\001\005\005\007\002\001
-\026\063\150\164\164\160\072\057\057\143\160\163\056\143\150\141
-\155\142\145\162\163\151\147\156\056\157\162\147\057\143\160\163
-\057\143\150\141\155\142\145\162\163\151\147\156\162\157\157\164
-\056\150\164\155\154\060\015\006\011\052\206\110\206\367\015\001
-\001\005\005\000\003\202\001\001\000\074\073\160\221\371\004\124
-\047\221\341\355\355\376\150\177\141\135\345\101\145\117\062\361
-\030\005\224\152\034\336\037\160\333\076\173\062\002\064\265\014
-\154\241\212\174\245\364\217\377\324\330\255\027\325\055\004\321
-\077\130\200\342\201\131\210\276\300\343\106\223\044\376\220\275
-\046\242\060\055\350\227\046\127\065\211\164\226\030\366\025\342
-\257\044\031\126\002\002\262\272\017\024\352\306\212\146\301\206
-\105\125\213\276\222\276\234\244\004\307\111\074\236\350\051\172
-\211\327\376\257\377\150\365\245\027\220\275\254\231\314\245\206
-\127\011\147\106\333\326\026\302\106\361\344\251\120\365\217\321
-\222\025\323\137\076\306\000\111\072\156\130\262\321\321\047\015
-\045\310\062\370\040\021\315\175\062\063\110\224\124\114\335\334
-\171\304\060\237\353\216\270\125\265\327\210\134\305\152\044\075
-\262\323\005\003\121\306\007\357\314\024\162\164\075\156\162\316
-\030\050\214\112\240\167\345\011\053\105\104\107\254\267\147\177
-\001\212\005\132\223\276\241\301\377\370\347\016\147\244\107\111
-\166\135\165\220\032\365\046\217\360
-END
-
-# Trust for Certificate "Camerfirma Global Chambersign Root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Camerfirma Global Chambersign Root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\063\233\153\024\120\044\233\125\172\001\207\162\204\331\340\057
-\303\322\330\351
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\305\346\173\277\006\320\117\103\355\304\172\145\212\373\153\031
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\175\061\013\060\011\006\003\125\004\006\023\002\105\125\061
-\047\060\045\006\003\125\004\012\023\036\101\103\040\103\141\155
-\145\162\146\151\162\155\141\040\123\101\040\103\111\106\040\101
-\070\062\067\064\063\062\070\067\061\043\060\041\006\003\125\004
-\013\023\032\150\164\164\160\072\057\057\167\167\167\056\143\150
-\141\155\142\145\162\163\151\147\156\056\157\162\147\061\040\060
-\036\006\003\125\004\003\023\027\107\154\157\142\141\154\040\103
-\150\141\155\142\145\162\163\151\147\156\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "NetLock Notary (Class A) Root"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "NetLock Notary (Class A) Root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\257\061\013\060\011\006\003\125\004\006\023\002\110\125
-\061\020\060\016\006\003\125\004\010\023\007\110\165\156\147\141
-\162\171\061\021\060\017\006\003\125\004\007\023\010\102\165\144
-\141\160\145\163\164\061\047\060\045\006\003\125\004\012\023\036
-\116\145\164\114\157\143\153\040\110\141\154\157\172\141\164\142
-\151\172\164\157\156\163\141\147\151\040\113\146\164\056\061\032
-\060\030\006\003\125\004\013\023\021\124\141\156\165\163\151\164
-\166\141\156\171\153\151\141\144\157\153\061\066\060\064\006\003
-\125\004\003\023\055\116\145\164\114\157\143\153\040\113\157\172
-\152\145\147\171\172\157\151\040\050\103\154\141\163\163\040\101
-\051\040\124\141\156\165\163\151\164\166\141\156\171\153\151\141
-\144\157
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\257\061\013\060\011\006\003\125\004\006\023\002\110\125
-\061\020\060\016\006\003\125\004\010\023\007\110\165\156\147\141
-\162\171\061\021\060\017\006\003\125\004\007\023\010\102\165\144
-\141\160\145\163\164\061\047\060\045\006\003\125\004\012\023\036
-\116\145\164\114\157\143\153\040\110\141\154\157\172\141\164\142
-\151\172\164\157\156\163\141\147\151\040\113\146\164\056\061\032
-\060\030\006\003\125\004\013\023\021\124\141\156\165\163\151\164
-\166\141\156\171\153\151\141\144\157\153\061\066\060\064\006\003
-\125\004\003\023\055\116\145\164\114\157\143\153\040\113\157\172
-\152\145\147\171\172\157\151\040\050\103\154\141\163\163\040\101
-\051\040\124\141\156\165\163\151\164\166\141\156\171\153\151\141
-\144\157
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\002\001\003
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\006\175\060\202\005\145\240\003\002\001\002\002\002\001
-\003\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000
-\060\201\257\061\013\060\011\006\003\125\004\006\023\002\110\125
-\061\020\060\016\006\003\125\004\010\023\007\110\165\156\147\141
-\162\171\061\021\060\017\006\003\125\004\007\023\010\102\165\144
-\141\160\145\163\164\061\047\060\045\006\003\125\004\012\023\036
-\116\145\164\114\157\143\153\040\110\141\154\157\172\141\164\142
-\151\172\164\157\156\163\141\147\151\040\113\146\164\056\061\032
-\060\030\006\003\125\004\013\023\021\124\141\156\165\163\151\164
-\166\141\156\171\153\151\141\144\157\153\061\066\060\064\006\003
-\125\004\003\023\055\116\145\164\114\157\143\153\040\113\157\172
-\152\145\147\171\172\157\151\040\050\103\154\141\163\163\040\101
-\051\040\124\141\156\165\163\151\164\166\141\156\171\153\151\141
-\144\157\060\036\027\015\071\071\060\062\062\064\062\063\061\064
-\064\067\132\027\015\061\071\060\062\061\071\062\063\061\064\064
-\067\132\060\201\257\061\013\060\011\006\003\125\004\006\023\002
-\110\125\061\020\060\016\006\003\125\004\010\023\007\110\165\156
-\147\141\162\171\061\021\060\017\006\003\125\004\007\023\010\102
-\165\144\141\160\145\163\164\061\047\060\045\006\003\125\004\012
-\023\036\116\145\164\114\157\143\153\040\110\141\154\157\172\141
-\164\142\151\172\164\157\156\163\141\147\151\040\113\146\164\056
-\061\032\060\030\006\003\125\004\013\023\021\124\141\156\165\163
-\151\164\166\141\156\171\153\151\141\144\157\153\061\066\060\064
-\006\003\125\004\003\023\055\116\145\164\114\157\143\153\040\113
-\157\172\152\145\147\171\172\157\151\040\050\103\154\141\163\163
-\040\101\051\040\124\141\156\165\163\151\164\166\141\156\171\153
-\151\141\144\157\060\202\001\042\060\015\006\011\052\206\110\206
-\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012
-\002\202\001\001\000\274\164\214\017\273\114\364\067\036\251\005
-\202\330\346\341\154\160\352\170\265\156\321\070\104\015\250\203
-\316\135\322\326\325\201\305\324\113\347\133\224\160\046\333\073
-\235\152\114\142\367\161\363\144\326\141\073\075\353\163\243\067
-\331\317\352\214\222\073\315\367\007\334\146\164\227\364\105\042
-\335\364\134\340\277\155\363\276\145\063\344\025\072\277\333\230
-\220\125\070\304\355\246\125\143\013\260\170\004\364\343\156\301
-\077\216\374\121\170\037\222\236\203\302\376\331\260\251\311\274
-\132\000\377\251\250\230\164\373\366\054\076\025\071\015\266\004
-\125\250\016\230\040\102\263\261\045\255\176\232\157\135\123\261
-\253\014\374\353\340\363\172\263\250\263\377\106\366\143\242\330
-\072\230\173\266\254\205\377\260\045\117\164\143\347\023\007\245
-\012\217\005\367\300\144\157\176\247\047\200\226\336\324\056\206
-\140\307\153\053\136\163\173\027\347\221\077\144\014\330\113\042
-\064\053\233\062\362\110\037\237\241\012\204\172\342\302\255\227
-\075\216\325\301\371\126\243\120\351\306\264\372\230\242\356\225
-\346\052\003\214\337\002\003\001\000\001\243\202\002\237\060\202
-\002\233\060\016\006\003\125\035\017\001\001\377\004\004\003\002
-\000\006\060\022\006\003\125\035\023\001\001\377\004\010\060\006
-\001\001\377\002\001\004\060\021\006\011\140\206\110\001\206\370
-\102\001\001\004\004\003\002\000\007\060\202\002\140\006\011\140
-\206\110\001\206\370\102\001\015\004\202\002\121\026\202\002\115
-\106\111\107\131\105\114\105\115\041\040\105\172\145\156\040\164
-\141\156\165\163\151\164\166\141\156\171\040\141\040\116\145\164
-\114\157\143\153\040\113\146\164\056\040\101\154\164\141\154\141
-\156\157\163\040\123\172\157\154\147\141\154\164\141\164\141\163
-\151\040\106\145\154\164\145\164\145\154\145\151\142\145\156\040
-\154\145\151\162\164\040\145\154\152\141\162\141\163\157\153\040
-\141\154\141\160\152\141\156\040\153\145\163\172\165\154\164\056
-\040\101\040\150\151\164\145\154\145\163\151\164\145\163\040\146
-\157\154\171\141\155\141\164\141\164\040\141\040\116\145\164\114
-\157\143\153\040\113\146\164\056\040\164\145\162\155\145\153\146
-\145\154\145\154\157\163\163\145\147\055\142\151\172\164\157\163
-\151\164\141\163\141\040\166\145\144\151\056\040\101\040\144\151
-\147\151\164\141\154\151\163\040\141\154\141\151\162\141\163\040
-\145\154\146\157\147\141\144\141\163\141\156\141\153\040\146\145
-\154\164\145\164\145\154\145\040\141\172\040\145\154\157\151\162
-\164\040\145\154\154\145\156\157\162\172\145\163\151\040\145\154
-\152\141\162\141\163\040\155\145\147\164\145\164\145\154\145\056
-\040\101\172\040\145\154\152\141\162\141\163\040\154\145\151\162
-\141\163\141\040\155\145\147\164\141\154\141\154\150\141\164\157
-\040\141\040\116\145\164\114\157\143\153\040\113\146\164\056\040
-\111\156\164\145\162\156\145\164\040\150\157\156\154\141\160\152
-\141\156\040\141\040\150\164\164\160\163\072\057\057\167\167\167
-\056\156\145\164\154\157\143\153\056\156\145\164\057\144\157\143
-\163\040\143\151\155\145\156\040\166\141\147\171\040\153\145\162
-\150\145\164\157\040\141\172\040\145\154\154\145\156\157\162\172
-\145\163\100\156\145\164\154\157\143\153\056\156\145\164\040\145
-\055\155\141\151\154\040\143\151\155\145\156\056\040\111\115\120
-\117\122\124\101\116\124\041\040\124\150\145\040\151\163\163\165
-\141\156\143\145\040\141\156\144\040\164\150\145\040\165\163\145
-\040\157\146\040\164\150\151\163\040\143\145\162\164\151\146\151
-\143\141\164\145\040\151\163\040\163\165\142\152\145\143\164\040
-\164\157\040\164\150\145\040\116\145\164\114\157\143\153\040\103
-\120\123\040\141\166\141\151\154\141\142\154\145\040\141\164\040
-\150\164\164\160\163\072\057\057\167\167\167\056\156\145\164\154
-\157\143\153\056\156\145\164\057\144\157\143\163\040\157\162\040
-\142\171\040\145\055\155\141\151\154\040\141\164\040\143\160\163
-\100\156\145\164\154\157\143\153\056\156\145\164\056\060\015\006
-\011\052\206\110\206\367\015\001\001\004\005\000\003\202\001\001
-\000\110\044\106\367\272\126\157\372\310\050\003\100\116\345\061
-\071\153\046\153\123\177\333\337\337\363\161\075\046\300\024\016
-\306\147\173\043\250\014\163\335\001\273\306\312\156\067\071\125
-\325\307\214\126\040\016\050\012\016\322\052\244\260\111\122\306
-\070\007\376\276\012\011\214\321\230\317\312\332\024\061\241\117
-\322\071\374\017\021\054\103\303\335\253\223\307\125\076\107\174
-\030\032\000\334\363\173\330\362\177\122\154\040\364\013\137\151
-\122\364\356\370\262\051\140\353\343\111\061\041\015\326\265\020
-\101\342\101\011\154\342\032\232\126\113\167\002\366\240\233\232
-\047\207\350\125\051\161\302\220\237\105\170\032\341\025\144\075
-\320\016\330\240\166\237\256\305\320\056\352\326\017\126\354\144
-\177\132\233\024\130\001\047\176\023\120\307\153\052\346\150\074
-\277\134\240\012\033\341\016\172\351\342\200\303\351\351\366\375
-\154\021\236\320\345\050\047\053\124\062\102\024\202\165\346\112
-\360\053\146\165\143\214\242\373\004\076\203\016\233\066\360\030
-\344\046\040\303\214\360\050\007\255\074\027\146\210\265\375\266
-\210
-END
-
-# Trust for Certificate "NetLock Notary (Class A) Root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "NetLock Notary (Class A) Root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\254\355\137\145\123\375\045\316\001\137\037\172\110\073\152\164
-\237\141\170\306
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\206\070\155\136\111\143\154\205\134\333\155\334\224\267\320\367
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\257\061\013\060\011\006\003\125\004\006\023\002\110\125
-\061\020\060\016\006\003\125\004\010\023\007\110\165\156\147\141
-\162\171\061\021\060\017\006\003\125\004\007\023\010\102\165\144
-\141\160\145\163\164\061\047\060\045\006\003\125\004\012\023\036
-\116\145\164\114\157\143\153\040\110\141\154\157\172\141\164\142
-\151\172\164\157\156\163\141\147\151\040\113\146\164\056\061\032
-\060\030\006\003\125\004\013\023\021\124\141\156\165\163\151\164
-\166\141\156\171\153\151\141\144\157\153\061\066\060\064\006\003
-\125\004\003\023\055\116\145\164\114\157\143\153\040\113\157\172
-\152\145\147\171\172\157\151\040\050\103\154\141\163\163\040\101
-\051\040\124\141\156\165\163\151\164\166\141\156\171\153\151\141
-\144\157
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\002\001\003
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "NetLock Business (Class B) Root"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "NetLock Business (Class B) Root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\231\061\013\060\011\006\003\125\004\006\023\002\110\125
-\061\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160
-\145\163\164\061\047\060\045\006\003\125\004\012\023\036\116\145
-\164\114\157\143\153\040\110\141\154\157\172\141\164\142\151\172
-\164\157\156\163\141\147\151\040\113\146\164\056\061\032\060\030
-\006\003\125\004\013\023\021\124\141\156\165\163\151\164\166\141
-\156\171\153\151\141\144\157\153\061\062\060\060\006\003\125\004
-\003\023\051\116\145\164\114\157\143\153\040\125\172\154\145\164
-\151\040\050\103\154\141\163\163\040\102\051\040\124\141\156\165
-\163\151\164\166\141\156\171\153\151\141\144\157
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\231\061\013\060\011\006\003\125\004\006\023\002\110\125
-\061\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160
-\145\163\164\061\047\060\045\006\003\125\004\012\023\036\116\145
-\164\114\157\143\153\040\110\141\154\157\172\141\164\142\151\172
-\164\157\156\163\141\147\151\040\113\146\164\056\061\032\060\030
-\006\003\125\004\013\023\021\124\141\156\165\163\151\164\166\141
-\156\171\153\151\141\144\157\153\061\062\060\060\006\003\125\004
-\003\023\051\116\145\164\114\157\143\153\040\125\172\154\145\164
-\151\040\050\103\154\141\163\163\040\102\051\040\124\141\156\165
-\163\151\164\166\141\156\171\153\151\141\144\157
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\151
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\113\060\202\004\264\240\003\002\001\002\002\001\151
-\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
-\201\231\061\013\060\011\006\003\125\004\006\023\002\110\125\061
-\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145
-\163\164\061\047\060\045\006\003\125\004\012\023\036\116\145\164
-\114\157\143\153\040\110\141\154\157\172\141\164\142\151\172\164
-\157\156\163\141\147\151\040\113\146\164\056\061\032\060\030\006
-\003\125\004\013\023\021\124\141\156\165\163\151\164\166\141\156
-\171\153\151\141\144\157\153\061\062\060\060\006\003\125\004\003
-\023\051\116\145\164\114\157\143\153\040\125\172\154\145\164\151
-\040\050\103\154\141\163\163\040\102\051\040\124\141\156\165\163
-\151\164\166\141\156\171\153\151\141\144\157\060\036\027\015\071
-\071\060\062\062\065\061\064\061\060\062\062\132\027\015\061\071
-\060\062\062\060\061\064\061\060\062\062\132\060\201\231\061\013
-\060\011\006\003\125\004\006\023\002\110\125\061\021\060\017\006
-\003\125\004\007\023\010\102\165\144\141\160\145\163\164\061\047
-\060\045\006\003\125\004\012\023\036\116\145\164\114\157\143\153
-\040\110\141\154\157\172\141\164\142\151\172\164\157\156\163\141
-\147\151\040\113\146\164\056\061\032\060\030\006\003\125\004\013
-\023\021\124\141\156\165\163\151\164\166\141\156\171\153\151\141
-\144\157\153\061\062\060\060\006\003\125\004\003\023\051\116\145
-\164\114\157\143\153\040\125\172\154\145\164\151\040\050\103\154
-\141\163\163\040\102\051\040\124\141\156\165\163\151\164\166\141
-\156\171\153\151\141\144\157\060\201\237\060\015\006\011\052\206
-\110\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211
-\002\201\201\000\261\352\004\354\040\240\043\302\217\070\140\317
-\307\106\263\325\033\376\373\271\231\236\004\334\034\177\214\112
-\201\230\356\244\324\312\212\027\271\042\177\203\012\165\114\233
-\300\151\330\144\071\243\355\222\243\375\133\134\164\032\300\107
-\312\072\151\166\232\272\342\104\027\374\114\243\325\376\270\227
-\210\257\210\003\211\037\244\362\004\076\310\007\013\346\371\263
-\057\172\142\024\011\106\024\312\144\365\213\200\265\142\250\330
-\153\326\161\223\055\263\277\011\124\130\355\006\353\250\173\334
-\103\261\241\151\002\003\001\000\001\243\202\002\237\060\202\002
-\233\060\022\006\003\125\035\023\001\001\377\004\010\060\006\001
-\001\377\002\001\004\060\016\006\003\125\035\017\001\001\377\004
-\004\003\002\000\006\060\021\006\011\140\206\110\001\206\370\102
-\001\001\004\004\003\002\000\007\060\202\002\140\006\011\140\206
-\110\001\206\370\102\001\015\004\202\002\121\026\202\002\115\106
-\111\107\131\105\114\105\115\041\040\105\172\145\156\040\164\141
-\156\165\163\151\164\166\141\156\171\040\141\040\116\145\164\114
-\157\143\153\040\113\146\164\056\040\101\154\164\141\154\141\156
-\157\163\040\123\172\157\154\147\141\154\164\141\164\141\163\151
-\040\106\145\154\164\145\164\145\154\145\151\142\145\156\040\154
-\145\151\162\164\040\145\154\152\141\162\141\163\157\153\040\141
-\154\141\160\152\141\156\040\153\145\163\172\165\154\164\056\040
-\101\040\150\151\164\145\154\145\163\151\164\145\163\040\146\157
-\154\171\141\155\141\164\141\164\040\141\040\116\145\164\114\157
-\143\153\040\113\146\164\056\040\164\145\162\155\145\153\146\145
-\154\145\154\157\163\163\145\147\055\142\151\172\164\157\163\151
-\164\141\163\141\040\166\145\144\151\056\040\101\040\144\151\147
-\151\164\141\154\151\163\040\141\154\141\151\162\141\163\040\145
-\154\146\157\147\141\144\141\163\141\156\141\153\040\146\145\154
-\164\145\164\145\154\145\040\141\172\040\145\154\157\151\162\164
-\040\145\154\154\145\156\157\162\172\145\163\151\040\145\154\152
-\141\162\141\163\040\155\145\147\164\145\164\145\154\145\056\040
-\101\172\040\145\154\152\141\162\141\163\040\154\145\151\162\141
-\163\141\040\155\145\147\164\141\154\141\154\150\141\164\157\040
-\141\040\116\145\164\114\157\143\153\040\113\146\164\056\040\111
-\156\164\145\162\156\145\164\040\150\157\156\154\141\160\152\141
-\156\040\141\040\150\164\164\160\163\072\057\057\167\167\167\056
-\156\145\164\154\157\143\153\056\156\145\164\057\144\157\143\163
-\040\143\151\155\145\156\040\166\141\147\171\040\153\145\162\150
-\145\164\157\040\141\172\040\145\154\154\145\156\157\162\172\145
-\163\100\156\145\164\154\157\143\153\056\156\145\164\040\145\055
-\155\141\151\154\040\143\151\155\145\156\056\040\111\115\120\117
-\122\124\101\116\124\041\040\124\150\145\040\151\163\163\165\141
-\156\143\145\040\141\156\144\040\164\150\145\040\165\163\145\040
-\157\146\040\164\150\151\163\040\143\145\162\164\151\146\151\143
-\141\164\145\040\151\163\040\163\165\142\152\145\143\164\040\164
-\157\040\164\150\145\040\116\145\164\114\157\143\153\040\103\120
-\123\040\141\166\141\151\154\141\142\154\145\040\141\164\040\150
-\164\164\160\163\072\057\057\167\167\167\056\156\145\164\154\157
-\143\153\056\156\145\164\057\144\157\143\163\040\157\162\040\142
-\171\040\145\055\155\141\151\154\040\141\164\040\143\160\163\100
-\156\145\164\154\157\143\153\056\156\145\164\056\060\015\006\011
-\052\206\110\206\367\015\001\001\004\005\000\003\201\201\000\004
-\333\256\214\027\257\370\016\220\061\116\315\076\011\300\155\072
-\260\370\063\114\107\114\343\165\210\020\227\254\260\070\025\221
-\306\051\226\314\041\300\155\074\245\164\317\330\202\245\071\303
-\145\343\102\160\273\042\220\343\175\333\065\166\341\240\265\332
-\237\160\156\223\032\060\071\035\060\333\056\343\174\262\221\262
-\321\067\051\372\271\326\027\134\107\117\343\035\070\353\237\325
-\173\225\250\050\236\025\112\321\321\320\053\000\227\240\342\222
-\066\053\143\254\130\001\153\063\051\120\206\203\361\001\110
-END
-
-# Trust for Certificate "NetLock Business (Class B) Root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "NetLock Business (Class B) Root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\207\237\113\356\005\337\230\130\073\343\140\326\063\347\015\077
-\376\230\161\257
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\071\026\252\271\152\101\341\024\151\337\236\154\073\162\334\266
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\231\061\013\060\011\006\003\125\004\006\023\002\110\125
-\061\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160
-\145\163\164\061\047\060\045\006\003\125\004\012\023\036\116\145
-\164\114\157\143\153\040\110\141\154\157\172\141\164\142\151\172
-\164\157\156\163\141\147\151\040\113\146\164\056\061\032\060\030
-\006\003\125\004\013\023\021\124\141\156\165\163\151\164\166\141
-\156\171\153\151\141\144\157\153\061\062\060\060\006\003\125\004
-\003\023\051\116\145\164\114\157\143\153\040\125\172\154\145\164
-\151\040\050\103\154\141\163\163\040\102\051\040\124\141\156\165
-\163\151\164\166\141\156\171\153\151\141\144\157
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\151
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "NetLock Express (Class C) Root"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "NetLock Express (Class C) Root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\233\061\013\060\011\006\003\125\004\006\023\002\110\125
-\061\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160
-\145\163\164\061\047\060\045\006\003\125\004\012\023\036\116\145
-\164\114\157\143\153\040\110\141\154\157\172\141\164\142\151\172
-\164\157\156\163\141\147\151\040\113\146\164\056\061\032\060\030
-\006\003\125\004\013\023\021\124\141\156\165\163\151\164\166\141
-\156\171\153\151\141\144\157\153\061\064\060\062\006\003\125\004
-\003\023\053\116\145\164\114\157\143\153\040\105\170\160\162\145
-\163\163\172\040\050\103\154\141\163\163\040\103\051\040\124\141
-\156\165\163\151\164\166\141\156\171\153\151\141\144\157
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\233\061\013\060\011\006\003\125\004\006\023\002\110\125
-\061\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160
-\145\163\164\061\047\060\045\006\003\125\004\012\023\036\116\145
-\164\114\157\143\153\040\110\141\154\157\172\141\164\142\151\172
-\164\157\156\163\141\147\151\040\113\146\164\056\061\032\060\030
-\006\003\125\004\013\023\021\124\141\156\165\163\151\164\166\141
-\156\171\153\151\141\144\157\153\061\064\060\062\006\003\125\004
-\003\023\053\116\145\164\114\157\143\153\040\105\170\160\162\145
-\163\163\172\040\050\103\154\141\163\163\040\103\051\040\124\141
-\156\165\163\151\164\166\141\156\171\153\151\141\144\157
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\150
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\117\060\202\004\270\240\003\002\001\002\002\001\150
-\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
-\201\233\061\013\060\011\006\003\125\004\006\023\002\110\125\061
-\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145
-\163\164\061\047\060\045\006\003\125\004\012\023\036\116\145\164
-\114\157\143\153\040\110\141\154\157\172\141\164\142\151\172\164
-\157\156\163\141\147\151\040\113\146\164\056\061\032\060\030\006
-\003\125\004\013\023\021\124\141\156\165\163\151\164\166\141\156
-\171\153\151\141\144\157\153\061\064\060\062\006\003\125\004\003
-\023\053\116\145\164\114\157\143\153\040\105\170\160\162\145\163
-\163\172\040\050\103\154\141\163\163\040\103\051\040\124\141\156
-\165\163\151\164\166\141\156\171\153\151\141\144\157\060\036\027
-\015\071\071\060\062\062\065\061\064\060\070\061\061\132\027\015
-\061\071\060\062\062\060\061\064\060\070\061\061\132\060\201\233
-\061\013\060\011\006\003\125\004\006\023\002\110\125\061\021\060
-\017\006\003\125\004\007\023\010\102\165\144\141\160\145\163\164
-\061\047\060\045\006\003\125\004\012\023\036\116\145\164\114\157
-\143\153\040\110\141\154\157\172\141\164\142\151\172\164\157\156
-\163\141\147\151\040\113\146\164\056\061\032\060\030\006\003\125
-\004\013\023\021\124\141\156\165\163\151\164\166\141\156\171\153
-\151\141\144\157\153\061\064\060\062\006\003\125\004\003\023\053
-\116\145\164\114\157\143\153\040\105\170\160\162\145\163\163\172
-\040\050\103\154\141\163\163\040\103\051\040\124\141\156\165\163
-\151\164\166\141\156\171\153\151\141\144\157\060\201\237\060\015
-\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215
-\000\060\201\211\002\201\201\000\353\354\260\154\141\212\043\045
-\257\140\040\343\331\237\374\223\013\333\135\215\260\241\263\100
-\072\202\316\375\165\340\170\062\003\206\132\206\225\221\355\123
-\372\235\100\374\346\350\335\331\133\172\003\275\135\363\073\014
-\303\121\171\233\255\125\240\351\320\003\020\257\012\272\024\102
-\331\122\046\021\042\307\322\040\314\202\244\232\251\376\270\201
-\166\235\152\267\322\066\165\076\261\206\011\366\156\155\176\116
-\267\172\354\256\161\204\366\004\063\010\045\062\353\164\254\026
-\104\306\344\100\223\035\177\255\002\003\001\000\001\243\202\002
-\237\060\202\002\233\060\022\006\003\125\035\023\001\001\377\004
-\010\060\006\001\001\377\002\001\004\060\016\006\003\125\035\017
-\001\001\377\004\004\003\002\000\006\060\021\006\011\140\206\110
-\001\206\370\102\001\001\004\004\003\002\000\007\060\202\002\140
-\006\011\140\206\110\001\206\370\102\001\015\004\202\002\121\026
-\202\002\115\106\111\107\131\105\114\105\115\041\040\105\172\145
-\156\040\164\141\156\165\163\151\164\166\141\156\171\040\141\040
-\116\145\164\114\157\143\153\040\113\146\164\056\040\101\154\164
-\141\154\141\156\157\163\040\123\172\157\154\147\141\154\164\141
-\164\141\163\151\040\106\145\154\164\145\164\145\154\145\151\142
-\145\156\040\154\145\151\162\164\040\145\154\152\141\162\141\163
-\157\153\040\141\154\141\160\152\141\156\040\153\145\163\172\165
-\154\164\056\040\101\040\150\151\164\145\154\145\163\151\164\145
-\163\040\146\157\154\171\141\155\141\164\141\164\040\141\040\116
-\145\164\114\157\143\153\040\113\146\164\056\040\164\145\162\155
-\145\153\146\145\154\145\154\157\163\163\145\147\055\142\151\172
-\164\157\163\151\164\141\163\141\040\166\145\144\151\056\040\101
-\040\144\151\147\151\164\141\154\151\163\040\141\154\141\151\162
-\141\163\040\145\154\146\157\147\141\144\141\163\141\156\141\153
-\040\146\145\154\164\145\164\145\154\145\040\141\172\040\145\154
-\157\151\162\164\040\145\154\154\145\156\157\162\172\145\163\151
-\040\145\154\152\141\162\141\163\040\155\145\147\164\145\164\145
-\154\145\056\040\101\172\040\145\154\152\141\162\141\163\040\154
-\145\151\162\141\163\141\040\155\145\147\164\141\154\141\154\150
-\141\164\157\040\141\040\116\145\164\114\157\143\153\040\113\146
-\164\056\040\111\156\164\145\162\156\145\164\040\150\157\156\154
-\141\160\152\141\156\040\141\040\150\164\164\160\163\072\057\057
-\167\167\167\056\156\145\164\154\157\143\153\056\156\145\164\057
-\144\157\143\163\040\143\151\155\145\156\040\166\141\147\171\040
-\153\145\162\150\145\164\157\040\141\172\040\145\154\154\145\156
-\157\162\172\145\163\100\156\145\164\154\157\143\153\056\156\145
-\164\040\145\055\155\141\151\154\040\143\151\155\145\156\056\040
-\111\115\120\117\122\124\101\116\124\041\040\124\150\145\040\151
-\163\163\165\141\156\143\145\040\141\156\144\040\164\150\145\040
-\165\163\145\040\157\146\040\164\150\151\163\040\143\145\162\164
-\151\146\151\143\141\164\145\040\151\163\040\163\165\142\152\145
-\143\164\040\164\157\040\164\150\145\040\116\145\164\114\157\143
-\153\040\103\120\123\040\141\166\141\151\154\141\142\154\145\040
-\141\164\040\150\164\164\160\163\072\057\057\167\167\167\056\156
-\145\164\154\157\143\153\056\156\145\164\057\144\157\143\163\040
-\157\162\040\142\171\040\145\055\155\141\151\154\040\141\164\040
-\143\160\163\100\156\145\164\154\157\143\153\056\156\145\164\056
-\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\003
-\201\201\000\020\255\177\327\014\062\200\012\330\206\361\171\230
-\265\255\324\315\263\066\304\226\110\301\134\315\232\331\005\056
-\237\276\120\353\364\046\024\020\055\324\146\027\370\236\301\047
-\375\361\355\344\173\113\240\154\265\253\232\127\160\246\355\240
-\244\355\056\365\375\374\275\376\115\067\010\014\274\343\226\203
-\042\365\111\033\177\113\053\264\124\301\200\174\231\116\035\320
-\214\356\320\254\345\222\372\165\126\376\144\240\023\217\270\270
-\026\235\141\005\147\200\310\320\330\245\007\002\064\230\004\215
-\063\004\324
-END
-
-# Trust for Certificate "NetLock Express (Class C) Root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "NetLock Express (Class C) Root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\343\222\121\057\012\317\365\005\337\366\336\006\177\165\067\341
-\145\352\127\113
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\117\353\361\360\160\302\200\143\135\130\237\332\022\074\251\304
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\233\061\013\060\011\006\003\125\004\006\023\002\110\125
-\061\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160
-\145\163\164\061\047\060\045\006\003\125\004\012\023\036\116\145
-\164\114\157\143\153\040\110\141\154\157\172\141\164\142\151\172
-\164\157\156\163\141\147\151\040\113\146\164\056\061\032\060\030
-\006\003\125\004\013\023\021\124\141\156\165\163\151\164\166\141
-\156\171\153\151\141\144\157\153\061\064\060\062\006\003\125\004
-\003\023\053\116\145\164\114\157\143\153\040\105\170\160\162\145
-\163\163\172\040\050\103\154\141\163\163\040\103\051\040\124\141
-\156\165\163\151\164\166\141\156\171\153\151\141\144\157
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\150
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "XRamp Global CA Root"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "XRamp Global CA Root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\202\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\036\060\034\006\003\125\004\013\023\025\167\167\167\056\170
-\162\141\155\160\163\145\143\165\162\151\164\171\056\143\157\155
-\061\044\060\042\006\003\125\004\012\023\033\130\122\141\155\160
-\040\123\145\143\165\162\151\164\171\040\123\145\162\166\151\143
-\145\163\040\111\156\143\061\055\060\053\006\003\125\004\003\023
-\044\130\122\141\155\160\040\107\154\157\142\141\154\040\103\145
-\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150
-\157\162\151\164\171
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\202\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\036\060\034\006\003\125\004\013\023\025\167\167\167\056\170
-\162\141\155\160\163\145\143\165\162\151\164\171\056\143\157\155
-\061\044\060\042\006\003\125\004\012\023\033\130\122\141\155\160
-\040\123\145\143\165\162\151\164\171\040\123\145\162\166\151\143
-\145\163\040\111\156\143\061\055\060\053\006\003\125\004\003\023
-\044\130\122\141\155\160\040\107\154\157\142\141\154\040\103\145
-\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150
-\157\162\151\164\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\120\224\154\354\030\352\325\234\115\325\227\357\165\217
-\240\255
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\060\060\202\003\030\240\003\002\001\002\002\020\120
-\224\154\354\030\352\325\234\115\325\227\357\165\217\240\255\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201
-\202\061\013\060\011\006\003\125\004\006\023\002\125\123\061\036
-\060\034\006\003\125\004\013\023\025\167\167\167\056\170\162\141
-\155\160\163\145\143\165\162\151\164\171\056\143\157\155\061\044
-\060\042\006\003\125\004\012\023\033\130\122\141\155\160\040\123
-\145\143\165\162\151\164\171\040\123\145\162\166\151\143\145\163
-\040\111\156\143\061\055\060\053\006\003\125\004\003\023\044\130
-\122\141\155\160\040\107\154\157\142\141\154\040\103\145\162\164
-\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\060\036\027\015\060\064\061\061\060\061\061\067\061
-\064\060\064\132\027\015\063\065\060\061\060\061\060\065\063\067
-\061\071\132\060\201\202\061\013\060\011\006\003\125\004\006\023
-\002\125\123\061\036\060\034\006\003\125\004\013\023\025\167\167
-\167\056\170\162\141\155\160\163\145\143\165\162\151\164\171\056
-\143\157\155\061\044\060\042\006\003\125\004\012\023\033\130\122
-\141\155\160\040\123\145\143\165\162\151\164\171\040\123\145\162
-\166\151\143\145\163\040\111\156\143\061\055\060\053\006\003\125
-\004\003\023\044\130\122\141\155\160\040\107\154\157\142\141\154
-\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
-\165\164\150\157\162\151\164\171\060\202\001\042\060\015\006\011
-\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000
-\060\202\001\012\002\202\001\001\000\230\044\036\275\025\264\272
-\337\307\214\245\047\266\070\013\151\363\266\116\250\054\056\041
-\035\134\104\337\041\135\176\043\164\376\136\176\264\112\267\246
-\255\037\256\340\006\026\342\233\133\331\147\164\153\135\200\217
-\051\235\206\033\331\234\015\230\155\166\020\050\130\344\145\260
-\177\112\230\171\237\340\303\061\176\200\053\265\214\300\100\073
-\021\206\320\313\242\206\066\140\244\325\060\202\155\331\156\320
-\017\022\004\063\227\137\117\141\132\360\344\371\221\253\347\035
-\073\274\350\317\364\153\055\064\174\342\110\141\034\216\363\141
-\104\314\157\240\112\251\224\260\115\332\347\251\064\172\162\070
-\250\101\314\074\224\021\175\353\310\246\214\267\206\313\312\063
-\073\331\075\067\213\373\172\076\206\054\347\163\327\012\127\254
-\144\233\031\353\364\017\004\010\212\254\003\027\031\144\364\132
-\045\042\215\064\054\262\366\150\035\022\155\323\212\036\024\332
-\304\217\246\342\043\205\325\172\015\275\152\340\351\354\354\027
-\273\102\033\147\252\045\355\105\203\041\374\301\311\174\325\142
-\076\372\362\305\055\323\375\324\145\002\003\001\000\001\243\201
-\237\060\201\234\060\023\006\011\053\006\001\004\001\202\067\024
-\002\004\006\036\004\000\103\000\101\060\013\006\003\125\035\017
-\004\004\003\002\001\206\060\017\006\003\125\035\023\001\001\377
-\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026
-\004\024\306\117\242\075\006\143\204\011\234\316\142\344\004\254
-\215\134\265\351\266\033\060\066\006\003\125\035\037\004\057\060
-\055\060\053\240\051\240\047\206\045\150\164\164\160\072\057\057
-\143\162\154\056\170\162\141\155\160\163\145\143\165\162\151\164
-\171\056\143\157\155\057\130\107\103\101\056\143\162\154\060\020
-\006\011\053\006\001\004\001\202\067\025\001\004\003\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003
-\202\001\001\000\221\025\071\003\001\033\147\373\112\034\371\012
-\140\133\241\332\115\227\142\371\044\123\047\327\202\144\116\220
-\056\303\111\033\053\232\334\374\250\170\147\065\361\035\360\021
-\275\267\110\343\020\366\015\337\077\322\311\266\252\125\244\110
-\272\002\333\336\131\056\025\133\073\235\026\175\107\327\067\352
-\137\115\166\022\066\273\037\327\241\201\004\106\040\243\054\155
-\251\236\001\176\077\051\316\000\223\337\375\311\222\163\211\211
-\144\236\347\053\344\034\221\054\322\271\316\175\316\157\061\231
-\323\346\276\322\036\220\360\011\024\171\134\043\253\115\322\332
-\041\037\115\231\171\235\341\317\047\237\020\233\034\210\015\260
-\212\144\101\061\270\016\154\220\044\244\233\134\161\217\272\273
-\176\034\033\333\152\200\017\041\274\351\333\246\267\100\364\262
-\213\251\261\344\357\232\032\320\075\151\231\356\250\050\243\341
-\074\263\360\262\021\234\317\174\100\346\335\347\103\175\242\330
-\072\265\251\215\362\064\231\304\324\020\341\006\375\011\204\020
-\073\356\304\114\364\354\047\174\102\302\164\174\202\212\011\311
-\264\003\045\274
-END
-
-# Trust for Certificate "XRamp Global CA Root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "XRamp Global CA Root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\270\001\206\321\353\234\206\245\101\004\317\060\124\363\114\122
-\267\345\130\306
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\241\013\104\263\312\020\330\000\156\235\017\330\017\222\012\321
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\202\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\036\060\034\006\003\125\004\013\023\025\167\167\167\056\170
-\162\141\155\160\163\145\143\165\162\151\164\171\056\143\157\155
-\061\044\060\042\006\003\125\004\012\023\033\130\122\141\155\160
-\040\123\145\143\165\162\151\164\171\040\123\145\162\166\151\143
-\145\163\040\111\156\143\061\055\060\053\006\003\125\004\003\023
-\044\130\122\141\155\160\040\107\154\157\142\141\154\040\103\145
-\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150
-\157\162\151\164\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\120\224\154\354\030\352\325\234\115\325\227\357\165\217
-\240\255
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Go Daddy Class 2 CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Go Daddy Class 2 CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\041\060\037\006\003\125\004\012\023\030\124\150\145\040\107\157
-\040\104\141\144\144\171\040\107\162\157\165\160\054\040\111\156
-\143\056\061\061\060\057\006\003\125\004\013\023\050\107\157\040
-\104\141\144\144\171\040\103\154\141\163\163\040\062\040\103\145
-\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150
-\157\162\151\164\171
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\041\060\037\006\003\125\004\012\023\030\124\150\145\040\107\157
-\040\104\141\144\144\171\040\107\162\157\165\160\054\040\111\156
-\143\056\061\061\060\057\006\003\125\004\013\023\050\107\157\040
-\104\141\144\144\171\040\103\154\141\163\163\040\062\040\103\145
-\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150
-\157\162\151\164\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\000\060\202\002\350\240\003\002\001\002\002\001\000
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061\041
-\060\037\006\003\125\004\012\023\030\124\150\145\040\107\157\040
-\104\141\144\144\171\040\107\162\157\165\160\054\040\111\156\143
-\056\061\061\060\057\006\003\125\004\013\023\050\107\157\040\104
-\141\144\144\171\040\103\154\141\163\163\040\062\040\103\145\162
-\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157
-\162\151\164\171\060\036\027\015\060\064\060\066\062\071\061\067
-\060\066\062\060\132\027\015\063\064\060\066\062\071\061\067\060
-\066\062\060\132\060\143\061\013\060\011\006\003\125\004\006\023
-\002\125\123\061\041\060\037\006\003\125\004\012\023\030\124\150
-\145\040\107\157\040\104\141\144\144\171\040\107\162\157\165\160
-\054\040\111\156\143\056\061\061\060\057\006\003\125\004\013\023
-\050\107\157\040\104\141\144\144\171\040\103\154\141\163\163\040
-\062\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\060\202\001\040\060\015\006
-\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\015
-\000\060\202\001\010\002\202\001\001\000\336\235\327\352\127\030
-\111\241\133\353\327\137\110\206\352\276\335\377\344\357\147\034
-\364\145\150\263\127\161\240\136\167\273\355\233\111\351\160\200
-\075\126\030\143\010\157\332\362\314\320\077\177\002\124\042\124
-\020\330\262\201\324\300\165\075\113\177\307\167\303\076\170\253
-\032\003\265\040\153\057\152\053\261\305\210\176\304\273\036\260
-\301\330\105\047\157\252\067\130\367\207\046\327\330\055\366\251
-\027\267\037\162\066\116\246\027\077\145\230\222\333\052\156\135
-\242\376\210\340\013\336\177\345\215\025\341\353\313\072\325\342
-\022\242\023\055\330\216\257\137\022\075\240\010\005\010\266\134
-\245\145\070\004\105\231\036\243\140\140\164\305\101\245\162\142
-\033\142\305\037\157\137\032\102\276\002\121\145\250\256\043\030
-\152\374\170\003\251\115\177\200\303\372\253\132\374\241\100\244
-\312\031\026\376\262\310\357\136\163\015\356\167\275\232\366\171
-\230\274\261\007\147\242\025\015\335\240\130\306\104\173\012\076
-\142\050\137\272\101\007\123\130\317\021\176\070\164\305\370\377
-\265\151\220\217\204\164\352\227\033\257\002\001\003\243\201\300
-\060\201\275\060\035\006\003\125\035\016\004\026\004\024\322\304
-\260\322\221\324\114\021\161\263\141\313\075\241\376\335\250\152
-\324\343\060\201\215\006\003\125\035\043\004\201\205\060\201\202
-\200\024\322\304\260\322\221\324\114\021\161\263\141\313\075\241
-\376\335\250\152\324\343\241\147\244\145\060\143\061\013\060\011
-\006\003\125\004\006\023\002\125\123\061\041\060\037\006\003\125
-\004\012\023\030\124\150\145\040\107\157\040\104\141\144\144\171
-\040\107\162\157\165\160\054\040\111\156\143\056\061\061\060\057
-\006\003\125\004\013\023\050\107\157\040\104\141\144\144\171\040
-\103\154\141\163\163\040\062\040\103\145\162\164\151\146\151\143
-\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\202
-\001\000\060\014\006\003\125\035\023\004\005\060\003\001\001\377
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003
-\202\001\001\000\062\113\363\262\312\076\221\374\022\306\241\007
-\214\216\167\240\063\006\024\134\220\036\030\367\010\246\075\012
-\031\371\207\200\021\156\151\344\226\027\060\377\064\221\143\162
-\070\356\314\034\001\243\035\224\050\244\061\366\172\304\124\327
-\366\345\061\130\003\242\314\316\142\333\224\105\163\265\277\105
-\311\044\265\325\202\002\255\043\171\151\215\270\266\115\316\317
-\114\312\063\043\350\034\210\252\235\213\101\156\026\311\040\345
-\211\236\315\073\332\160\367\176\231\046\040\024\124\045\253\156
-\163\205\346\233\041\235\012\154\202\016\250\370\302\014\372\020
-\036\154\226\357\207\015\304\017\141\213\255\356\203\053\225\370
-\216\222\204\162\071\353\040\352\203\355\203\315\227\156\010\274
-\353\116\046\266\163\053\344\323\366\114\376\046\161\342\141\021
-\164\112\377\127\032\207\017\165\110\056\317\121\151\027\240\002
-\022\141\225\325\321\100\262\020\114\356\304\254\020\103\246\245
-\236\012\325\225\142\232\015\317\210\202\305\062\014\344\053\237
-\105\346\015\237\050\234\261\271\052\132\127\255\067\017\257\035
-\177\333\275\237
-END
-
-# Trust for Certificate "Go Daddy Class 2 CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Go Daddy Class 2 CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\047\226\272\346\077\030\001\342\167\046\033\240\327\167\160\002
-\217\040\356\344
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\221\336\006\045\253\332\375\062\027\014\273\045\027\052\204\147
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\041\060\037\006\003\125\004\012\023\030\124\150\145\040\107\157
-\040\104\141\144\144\171\040\107\162\157\165\160\054\040\111\156
-\143\056\061\061\060\057\006\003\125\004\013\023\050\107\157\040
-\104\141\144\144\171\040\103\154\141\163\163\040\062\040\103\145
-\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150
-\157\162\151\164\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Starfield Class 2 CA"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Starfield Class 2 CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\150\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\045\060\043\006\003\125\004\012\023\034\123\164\141\162\146\151
-\145\154\144\040\124\145\143\150\156\157\154\157\147\151\145\163
-\054\040\111\156\143\056\061\062\060\060\006\003\125\004\013\023
-\051\123\164\141\162\146\151\145\154\144\040\103\154\141\163\163
-\040\062\040\103\145\162\164\151\146\151\143\141\164\151\157\156
-\040\101\165\164\150\157\162\151\164\171
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\150\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\045\060\043\006\003\125\004\012\023\034\123\164\141\162\146\151
-\145\154\144\040\124\145\143\150\156\157\154\157\147\151\145\163
-\054\040\111\156\143\056\061\062\060\060\006\003\125\004\013\023
-\051\123\164\141\162\146\151\145\154\144\040\103\154\141\163\163
-\040\062\040\103\145\162\164\151\146\151\143\141\164\151\157\156
-\040\101\165\164\150\157\162\151\164\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\017\060\202\002\367\240\003\002\001\002\002\001\000
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\150\061\013\060\011\006\003\125\004\006\023\002\125\123\061\045
-\060\043\006\003\125\004\012\023\034\123\164\141\162\146\151\145
-\154\144\040\124\145\143\150\156\157\154\157\147\151\145\163\054
-\040\111\156\143\056\061\062\060\060\006\003\125\004\013\023\051
-\123\164\141\162\146\151\145\154\144\040\103\154\141\163\163\040
-\062\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\060\036\027\015\060\064\060
-\066\062\071\061\067\063\071\061\066\132\027\015\063\064\060\066
-\062\071\061\067\063\071\061\066\132\060\150\061\013\060\011\006
-\003\125\004\006\023\002\125\123\061\045\060\043\006\003\125\004
-\012\023\034\123\164\141\162\146\151\145\154\144\040\124\145\143
-\150\156\157\154\157\147\151\145\163\054\040\111\156\143\056\061
-\062\060\060\006\003\125\004\013\023\051\123\164\141\162\146\151
-\145\154\144\040\103\154\141\163\163\040\062\040\103\145\162\164
-\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\060\202\001\040\060\015\006\011\052\206\110\206\367
-\015\001\001\001\005\000\003\202\001\015\000\060\202\001\010\002
-\202\001\001\000\267\062\310\376\351\161\246\004\205\255\014\021
-\144\337\316\115\357\310\003\030\207\077\241\253\373\074\246\237
-\360\303\241\332\324\330\156\053\123\220\373\044\244\076\204\360
-\236\350\137\354\345\047\104\365\050\246\077\173\336\340\052\360
-\310\257\123\057\236\312\005\001\223\036\217\146\034\071\247\115
-\372\132\266\163\004\045\146\353\167\177\347\131\306\112\231\045
-\024\124\353\046\307\363\177\031\325\060\160\217\257\260\106\052
-\377\255\353\051\355\327\237\252\004\207\243\324\371\211\245\064
-\137\333\103\221\202\066\331\146\074\261\270\271\202\375\234\072
-\076\020\310\073\357\006\145\146\172\233\031\030\075\377\161\121
-\074\060\056\137\276\075\167\163\262\135\006\154\303\043\126\232
-\053\205\046\222\034\247\002\263\344\077\015\257\010\171\202\270
-\066\075\352\234\323\065\263\274\151\312\365\314\235\350\375\144
-\215\027\200\063\156\136\112\135\231\311\036\207\264\235\032\300
-\325\156\023\065\043\136\337\233\137\075\357\326\367\166\302\352
-\076\273\170\015\034\102\147\153\004\330\370\326\332\157\213\362
-\104\240\001\253\002\001\003\243\201\305\060\201\302\060\035\006
-\003\125\035\016\004\026\004\024\277\137\267\321\316\335\037\206
-\364\133\125\254\334\327\020\302\016\251\210\347\060\201\222\006
-\003\125\035\043\004\201\212\060\201\207\200\024\277\137\267\321
-\316\335\037\206\364\133\125\254\334\327\020\302\016\251\210\347
-\241\154\244\152\060\150\061\013\060\011\006\003\125\004\006\023
-\002\125\123\061\045\060\043\006\003\125\004\012\023\034\123\164
-\141\162\146\151\145\154\144\040\124\145\143\150\156\157\154\157
-\147\151\145\163\054\040\111\156\143\056\061\062\060\060\006\003
-\125\004\013\023\051\123\164\141\162\146\151\145\154\144\040\103
-\154\141\163\163\040\062\040\103\145\162\164\151\146\151\143\141
-\164\151\157\156\040\101\165\164\150\157\162\151\164\171\202\001
-\000\060\014\006\003\125\035\023\004\005\060\003\001\001\377\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003\202
-\001\001\000\005\235\077\210\235\321\311\032\125\241\254\151\363
-\363\131\332\233\001\207\032\117\127\251\241\171\011\052\333\367
-\057\262\036\314\307\136\152\330\203\207\241\227\357\111\065\076
-\167\006\101\130\142\277\216\130\270\012\147\077\354\263\335\041
-\146\037\311\124\372\162\314\075\114\100\330\201\257\167\236\203
-\172\273\242\307\365\064\027\216\331\021\100\364\374\054\052\115
-\025\177\247\142\135\056\045\323\000\013\040\032\035\150\371\027
-\270\364\275\213\355\050\131\335\115\026\213\027\203\310\262\145
-\307\055\172\245\252\274\123\206\155\335\127\244\312\370\040\101
-\013\150\360\364\373\164\276\126\135\172\171\365\371\035\205\343
-\055\225\276\365\161\220\103\314\215\037\232\000\012\207\051\351
-\125\042\130\000\043\352\343\022\103\051\133\107\010\335\214\101
-\152\145\006\250\345\041\252\101\264\225\041\225\271\175\321\064
-\253\023\326\255\274\334\342\075\071\315\275\076\165\160\241\030
-\131\003\311\042\264\217\234\325\136\052\327\245\266\324\012\155
-\370\267\100\021\106\232\037\171\016\142\277\017\227\354\340\057
-\037\027\224
-END
-
-# Trust for Certificate "Starfield Class 2 CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Starfield Class 2 CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\255\176\034\050\260\144\357\217\140\003\100\040\024\303\320\343
-\067\016\265\212
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\062\112\113\273\310\143\151\233\276\164\232\306\335\035\106\044
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\150\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\045\060\043\006\003\125\004\012\023\034\123\164\141\162\146\151
-\145\154\144\040\124\145\143\150\156\157\154\157\147\151\145\163
-\054\040\111\156\143\056\061\062\060\060\006\003\125\004\013\023
-\051\123\164\141\162\146\151\145\154\144\040\103\154\141\163\163
-\040\062\040\103\145\162\164\151\146\151\143\141\164\151\157\156
-\040\101\165\164\150\157\162\151\164\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
diff --git a/security/nss/lib/ckfw/builtins/ckbiver.c b/security/nss/lib/ckfw/builtins/ckbiver.c
deleted file mode 100644
index f9b1a87ce..000000000
--- a/security/nss/lib/ckfw/builtins/ckbiver.c
+++ /dev/null
@@ -1,58 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2004
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/* Library identity and versioning */
-
-#include "nssckbi.h"
-
-#if defined(DEBUG)
-#define _DEBUG_STRING " (debug)"
-#else
-#define _DEBUG_STRING ""
-#endif
-
-/*
- * Version information for the 'ident' and 'what commands
- *
- * NOTE: the first component of the concatenated rcsid string
- * must not end in a '$' to prevent rcs keyword substitution.
- */
-const char __nss_builtins_rcsid[] = "$Header: NSS Builtin Trusted Root CAs "
-        NSS_BUILTINS_LIBRARY_VERSION _DEBUG_STRING
-        "  " __DATE__ " " __TIME__ " $";
-const char __nss_builtins_sccsid[] = "@(#)NSS Builtin Trusted Root CAs "
-        NSS_BUILTINS_LIBRARY_VERSION _DEBUG_STRING
-        "  " __DATE__ " " __TIME__;
diff --git a/security/nss/lib/ckfw/builtins/config.mk b/security/nss/lib/ckfw/builtins/config.mk
deleted file mode 100644
index fdfc8cf09..000000000
--- a/security/nss/lib/ckfw/builtins/config.mk
+++ /dev/null
@@ -1,71 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
-
-#
-#  Override TARGETS variable so that only shared libraries
-#  are specifed as dependencies within rules.mk.
-#
-
-TARGETS        = $(SHARED_LIBRARY)
-LIBRARY        =
-IMPORT_LIBRARY =
-PROGRAM        =
-
-ifeq (,$(filter-out WIN%,$(OS_TARGET)))
-    SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
-    RES = $(OBJDIR)/$(LIBRARY_NAME).res
-    RESNAME = $(LIBRARY_NAME).rc
-endif
-
-ifdef BUILD_IDG
-    DEFINES += -DNSSDEBUG
-endif
-
-#
-# To create a loadable module on Darwin, we must use -bundle.
-#
-ifeq ($(OS_TARGET),Darwin)
-DSO_LDOPTS = -bundle
-endif
-
-ifeq ($(OS_TARGET),SunOS)
-# The -R '$ORIGIN' linker option instructs this library to search for its
-# dependencies in the same directory where it resides.
-MKSHLIB += -R '$$ORIGIN'
-endif
-
diff --git a/security/nss/lib/ckfw/builtins/constants.c b/security/nss/lib/ckfw/builtins/constants.c
deleted file mode 100644
index a4a8bc7c7..000000000
--- a/security/nss/lib/ckfw/builtins/constants.c
+++ /dev/null
@@ -1,97 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * builtins/constants.c
- *
- * Identification and other constants, all collected here in one place.
- */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-#ifndef NSSCKT_H
-#include "nssckt.h"
-#endif /* NSSCKT_H */
-
-#ifndef NSSCKBI_H
-#include "nssckbi.h"
-#endif /* NSSCKBI_H */
-
-NSS_IMPLEMENT_DATA const CK_VERSION
-nss_builtins_CryptokiVersion =  {
-		NSS_BUILTINS_CRYPTOKI_VERSION_MAJOR,
-		NSS_BUILTINS_CRYPTOKI_VERSION_MINOR };
-
-NSS_IMPLEMENT_DATA const NSSUTF8 *
-nss_builtins_ManufacturerID = (NSSUTF8 *) "Netscape Communications Corp.";
-
-NSS_IMPLEMENT_DATA const NSSUTF8 *
-nss_builtins_LibraryDescription = (NSSUTF8 *) "NSS Builtin Object Cryptoki Module";
-
-NSS_IMPLEMENT_DATA const CK_VERSION
-nss_builtins_LibraryVersion = {
-	NSS_BUILTINS_LIBRARY_VERSION_MAJOR,
-	NSS_BUILTINS_LIBRARY_VERSION_MINOR};
-
-NSS_IMPLEMENT_DATA const NSSUTF8 *
-nss_builtins_SlotDescription = (NSSUTF8 *) "";
-
-NSS_IMPLEMENT_DATA const CK_VERSION
-nss_builtins_HardwareVersion = { 
-	NSS_BUILTINS_HARDWARE_VERSION_MAJOR,
-	NSS_BUILTINS_HARDWARE_VERSION_MINOR };
-
-NSS_IMPLEMENT_DATA const CK_VERSION
-nss_builtins_FirmwareVersion = { 
-	NSS_BUILTINS_FIRMWARE_VERSION_MAJOR,
-	NSS_BUILTINS_FIRMWARE_VERSION_MINOR };
-
-NSS_IMPLEMENT_DATA const NSSUTF8 *
-nss_builtins_TokenLabel = (NSSUTF8 *) "Builtin Object Token";
-
-NSS_IMPLEMENT_DATA const NSSUTF8 *
-nss_builtins_TokenModel = (NSSUTF8 *) "1";
-
-/* should this be e.g. the certdata.txt RCS revision number? */
-NSS_IMPLEMENT_DATA const NSSUTF8 *
-nss_builtins_TokenSerialNumber = (NSSUTF8 *) "1";
-
diff --git a/security/nss/lib/ckfw/builtins/manifest.mn b/security/nss/lib/ckfw/builtins/manifest.mn
deleted file mode 100644
index 34e44334a..000000000
--- a/security/nss/lib/ckfw/builtins/manifest.mn
+++ /dev/null
@@ -1,65 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
-
-CORE_DEPTH = ../../../..
-
-MODULE = nss
-MAPFILE = $(OBJDIR)/nssckbi.def
-
-EXPORTS =		\
-	nssckbi.h	\
-	$(NULL)
-
-CSRCS =			\
-	anchor.c	\
-	constants.c	\
-	bfind.c		\
-	binst.c 	\
-	bobject.c	\
-	bsession.c	\
-	bslot.c		\
-	btoken.c	\
-	certdata.c	\
-	ckbiver.c	\
-	$(NULL)
-
-REQUIRES = nspr
-
-LIBRARY_NAME = nssckbi
-
-#EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4
diff --git a/security/nss/lib/ckfw/builtins/nssckbi.def b/security/nss/lib/ckfw/builtins/nssckbi.def
deleted file mode 100644
index 47b280430..000000000
--- a/security/nss/lib/ckfw/builtins/nssckbi.def
+++ /dev/null
@@ -1,58 +0,0 @@
-;+#
-;+# ***** BEGIN LICENSE BLOCK *****
-;+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-;+#
-;+# The contents of this file are subject to the Mozilla Public License Version
-;+# 1.1 (the "License"); you may not use this file except in compliance with
-;+# the License. You may obtain a copy of the License at
-;+# http://www.mozilla.org/MPL/
-;+#
-;+# Software distributed under the License is distributed on an "AS IS" basis,
-;+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-;+# for the specific language governing rights and limitations under the
-;+# License.
-;+#
-;+# The Original Code is the Netscape security libraries.
-;+#
-;+# The Initial Developer of the Original Code is
-;+# Netscape Communications Corporation.
-;+# Portions created by the Initial Developer are Copyright (C) 2003
-;+# the Initial Developer. All Rights Reserved.
-;+#
-;+# Contributor(s):
-;+#
-;+# Alternatively, the contents of this file may be used under the terms of
-;+# either the GNU General Public License Version 2 or later (the "GPL"), or
-;+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-;+# in which case the provisions of the GPL or the LGPL are applicable instead
-;+# of those above. If you wish to allow use of your version of this file only
-;+# under the terms of either the GPL or the LGPL, and not to allow others to
-;+# use your version of this file under the terms of the MPL, indicate your
-;+# decision by deleting the provisions above and replace them with the notice
-;+# and other provisions required by the GPL or the LGPL. If you do not delete
-;+# the provisions above, a recipient may use your version of this file under
-;+# the terms of any one of the MPL, the GPL or the LGPL.
-;+#
-;+# ***** END LICENSE BLOCK *****
-;+#
-;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
-;+#   1. For all unix platforms, the string ";-"  means "remove this line"
-;+#   2. For all unix platforms, the string " DATA " will be removed from any 
-;+#     line on which it occurs.
-;+#   3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
-;+#      On AIX, lines containing ";+" will be removed.
-;+#   4. For all unix platforms, the string ";;" will thave the ";;" removed.
-;+#   5. For all unix platforms, after the above processing has taken place,
-;+#    all characters after the first ";" on the line will be removed.
-;+#    And for AIX, the first ";" will also be removed.
-;+#  This file is passed directly to windows. Since ';' is a comment, all UNIX
-;+#   directives are hidden behind ";", ";+", and ";-"
-;+
-;+NSS_3.1 {       # NSS 3.1 release
-;+    global:
-LIBRARY nssckbi ;-
-EXPORTS ;-
-C_GetFunctionList;
-;+    local:
-;+*;
-;+};
diff --git a/security/nss/lib/ckfw/builtins/nssckbi.h b/security/nss/lib/ckfw/builtins/nssckbi.h
deleted file mode 100644
index b0378eea9..000000000
--- a/security/nss/lib/ckfw/builtins/nssckbi.h
+++ /dev/null
@@ -1,90 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef NSSCKBI_H
-#define NSSCKBI_H
-
-/*
- * NSS BUILTINS Version numbers.
- *
- * These are the version numbers for the builtins module packaged with
- * this release on NSS. To determine the version numbers of the builtin
- * module you are using, use the appropriate PKCS #11 calls.
- *
- * These version numbers detail changes to the PKCS #11 interface. They map
- * to the PKCS #11 spec versions.
- */
-#define NSS_BUILTINS_CRYPTOKI_VERSION_MAJOR 2
-#define NSS_BUILTINS_CRYPTOKI_VERSION_MINOR 20
-
-/* These version numbers detail the changes 
- * to the list of trusted certificates.
- *
- * The NSS_BUILTINS_LIBRARY_VERSION_MINOR macro needs to be bumped
- * for each NSS minor release AND whenever we change the list of
- * trusted certificates.  10 minor versions are allocated for each
- * NSS 3.x branch as follows, allowing us to change the list of
- * trusted certificates up to 9 times on each branch.
- *   - NSS 3.5 branch:  3-9
- *   - NSS 3.6 branch:  10-19
- *   - NSS 3.7 branch:  20-29
- *   - NSS 3.8 branch:  30-39
- *   - NSS 3.9 branch:  40-49
- *   - NSS 3.10 branch: 50-59
- *   - NSS 3.11 branch: 60-69
- *     ...
- *   - NSS 3.14 branch: 90-99
- *     ...
- *   - NSS 3.30 branch: 250-255
- *
- * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
- * whether we may use its full range (0-255) or only 0-99 because
- * of the comment in the CK_VERSION type definition.
- */
-#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 60
-#define NSS_BUILTINS_LIBRARY_VERSION "1.60"
-
-/* These version numbers detail the semantic changes to the ckfw engine. */
-#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
-#define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
-
-/* These version numbers detail the semantic changes to ckbi itself 
- * (new PKCS #11 objects), etc. */
-#define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
-#define NSS_BUILTINS_FIRMWARE_VERSION_MINOR 0
-
-#endif /* NSSCKBI_H */
diff --git a/security/nss/lib/ckfw/builtins/nssckbi.rc b/security/nss/lib/ckfw/builtins/nssckbi.rc
deleted file mode 100644
index 1ff4fa9c1..000000000
--- a/security/nss/lib/ckfw/builtins/nssckbi.rc
+++ /dev/null
@@ -1,97 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2004
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "nssckbi.h"
-#include <winver.h>
-
-#define MY_LIBNAME "nssckbi"
-#define MY_FILEDESCRIPTION "NSS Builtin Trusted Root CAs"
-
-#ifdef _DEBUG
-#define MY_DEBUG_STR " (debug)"
-#define MY_FILEFLAGS_1 VS_FF_DEBUG
-#else
-#define MY_DEBUG_STR ""
-#define MY_FILEFLAGS_1 0x0L
-#endif
-#if NSS_BETA
-#define MY_FILEFLAGS_2 MY_FILEFLAGS_1|VS_FF_PRERELEASE
-#else
-#define MY_FILEFLAGS_2 MY_FILEFLAGS_1
-#endif
-
-#ifdef WINNT
-#define MY_FILEOS VOS_NT_WINDOWS32
-#else
-#define MY_FILEOS VOS__WINDOWS32
-#endif
-
-#define MY_INTERNAL_NAME MY_LIBNAME
-
-/////////////////////////////////////////////////////////////////////////////
-//
-// Version-information resource
-//
-
-VS_VERSION_INFO VERSIONINFO
- FILEVERSION NSS_BUILTINS_LIBRARY_VERSION_MAJOR,NSS_BUILTINS_LIBRARY_VERSION_MINOR,0,0
- PRODUCTVERSION NSS_BUILTINS_LIBRARY_VERSION_MAJOR,NSS_BUILTINS_LIBRARY_VERSION_MINOR,0,0
- FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
- FILEFLAGS MY_FILEFLAGS_2
- FILEOS MY_FILEOS
- FILETYPE VFT_DLL
- FILESUBTYPE 0x0L // not used
-
-BEGIN
-    BLOCK "StringFileInfo"
-    BEGIN
-        BLOCK "040904B0" // Lang=US English, CharSet=Unicode
-        BEGIN
-            VALUE "CompanyName", "Netscape Communications Corporation\0"
-            VALUE "FileDescription", MY_FILEDESCRIPTION MY_DEBUG_STR "\0"
-            VALUE "FileVersion", NSS_BUILTINS_LIBRARY_VERSION "\0"
-            VALUE "InternalName", MY_INTERNAL_NAME "\0"
-            VALUE "LegalCopyright", "Copyright \251 1994-2001 Netscape Communications Corporation\0"
-            VALUE "OriginalFilename", MY_INTERNAL_NAME ".dll\0"
-            VALUE "ProductName", "Network Security Services\0"
-            VALUE "ProductVersion", NSS_BUILTINS_LIBRARY_VERSION "\0"
-        END
-    END
-    BLOCK "VarFileInfo"
-    BEGIN
-        VALUE "Translation", 0x409, 1200
-    END
-END
diff --git a/security/nss/lib/ckfw/capi/Makefile b/security/nss/lib/ckfw/capi/Makefile
deleted file mode 100644
index 77afe8097..000000000
--- a/security/nss/lib/ckfw/capi/Makefile
+++ /dev/null
@@ -1,105 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
-
-include manifest.mn
-include $(CORE_DEPTH)/coreconf/config.mk
-include config.mk
-
-EXTRA_LIBS = \
-	$(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
-	$(NULL)
-
-# can't do this in manifest.mn because OS_TARGET isn't defined there.
-ifeq (,$(filter-out WIN%,$(OS_TARGET)))
-
-ifdef NS_USE_GCC
-EXTRA_LIBS += \
-	-L$(NSPR_LIB_DIR) \
-	-lplc4 \
-	-lplds4 \
-	-lnspr4 \
-	$(NULL)
-else 
-EXTRA_SHARED_LIBS += \
-        $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
-        $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
-        $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
-        crypt32.lib \
-	advapi32.lib \
-	rpcrt4.lib \
-        $(NULL)
-endif # NS_USE_GCC
-else
-
-EXTRA_LIBS += \
-	-L$(NSPR_LIB_DIR) \
-	-lplc4 \
-	-lplds4 \
-	-lnspr4 \
-	$(NULL)
-endif
-
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-# Generate certdata.c.
-generate:
-	perl certdata.perl < certdata.txt
-
-# This'll need some help from a build person.
-
-
-ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.1)
-DSO_LDOPTS              = -bM:SRE -bh:4 -bnoentry
-EXTRA_DSO_LDOPTS        = -lc
-MKSHLIB                 = xlC $(DSO_LDOPTS)
-
-$(SHARED_LIBRARY): $(OBJS)
-	@$(MAKE_OBJDIR)
-	rm -f $@
-	$(MKSHLIB) -o $@ $(OBJS) $(EXTRA_LIBS) $(EXTRA_DSO_LDOPTS)
-	chmod +x $@
-
-endif
-
-ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.2)
-LD      += -G
-endif 
-
-
diff --git a/security/nss/lib/ckfw/capi/README b/security/nss/lib/ckfw/capi/README
deleted file mode 100644
index 76fa6638a..000000000
--- a/security/nss/lib/ckfw/capi/README
+++ /dev/null
@@ -1,6 +0,0 @@
-This Cryptoki module provides acces to certs and keys stored in
-Microsofts CAPI certificate store.
-
-Currently this module is read only.
-It does not export CA Root trust from the CAPI.
-It does not export CRLs from the CAPI.
diff --git a/security/nss/lib/ckfw/capi/anchor.c b/security/nss/lib/ckfw/capi/anchor.c
deleted file mode 100644
index e21006621..000000000
--- a/security/nss/lib/ckfw/capi/anchor.c
+++ /dev/null
@@ -1,55 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- * Portions created by Red Hat, Inc, are Copyright (C) 2005
- *
- * Contributor(s):
- *   Bob Relyea (rrelyea@redhat.com)
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * capi/canchor.c
- *
- * This file "anchors" the actual cryptoki entry points in this module's
- * shared library, which is required for dynamic loading.  See the 
- * comments in nssck.api for more information.
- */
-
-#include "ckcapi.h"
-
-#define MODULE_NAME ckcapi
-#define INSTANCE_NAME (NSSCKMDInstance *)&nss_ckcapi_mdInstance
-#include "nssck.api"
diff --git a/security/nss/lib/ckfw/capi/cfind.c b/security/nss/lib/ckfw/capi/cfind.c
deleted file mode 100644
index b685c0888..000000000
--- a/security/nss/lib/ckfw/capi/cfind.c
+++ /dev/null
@@ -1,595 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- * Portions created by Red Hat, Inc, are Copyright (C) 2005
- *
- * Contributor(s):
- *   Bob Relyea (rrelyea@redhat.com)
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#ifndef CKCAPI_H
-#include "ckcapi.h"
-#endif /* CKCAPI_H */
-
-/*
- * ckcapi/cfind.c
- *
- * This file implements the NSSCKMDFindObjects object for the
- * "capi" cryptoki module.
- */
-
-struct ckcapiFOStr {
-  NSSArena *arena;
-  CK_ULONG n;
-  CK_ULONG i;
-  ckcapiInternalObject **objs;
-};
-
-static void
-ckcapi_mdFindObjects_Final
-(
-  NSSCKMDFindObjects *mdFindObjects,
-  NSSCKFWFindObjects *fwFindObjects,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  struct ckcapiFOStr *fo = (struct ckcapiFOStr *)mdFindObjects->etc;
-  NSSArena *arena = fo->arena;
-  PRUint32 i;
-
-  /* walk down an free the unused 'objs' */
-  for (i=fo->i; i < fo->n ; i++) {
-    nss_ckcapi_DestroyInternalObject(fo->objs[i]);
-  }
-
-  nss_ZFreeIf(fo->objs);
-  nss_ZFreeIf(fo);
-  nss_ZFreeIf(mdFindObjects);
-  if ((NSSArena *)NULL != arena) {
-    NSSArena_Destroy(arena);
-  }
-
-  return;
-}
-
-static NSSCKMDObject *
-ckcapi_mdFindObjects_Next
-(
-  NSSCKMDFindObjects *mdFindObjects,
-  NSSCKFWFindObjects *fwFindObjects,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  NSSArena *arena,
-  CK_RV *pError
-)
-{
-  struct ckcapiFOStr *fo = (struct ckcapiFOStr *)mdFindObjects->etc;
-  ckcapiInternalObject *io;
-
-  if( fo->i == fo->n ) {
-    *pError = CKR_OK;
-    return (NSSCKMDObject *)NULL;
-  }
-
-  io = fo->objs[ fo->i ];
-  fo->i++;
-
-  return nss_ckcapi_CreateMDObject(arena, io, pError);
-}
-
-static CK_BBOOL
-ckcapi_attrmatch
-(
-  CK_ATTRIBUTE_PTR a,
-  ckcapiInternalObject *o
-)
-{
-  PRBool prb;
-  const NSSItem *b;
-
-  b = nss_ckcapi_FetchAttribute(o, a->type);
-  if (b == NULL) {
-    return CK_FALSE;
-  }
-
-  if( a->ulValueLen != b->size ) {
-    /* match a decoded serial number */
-    if ((a->type == CKA_SERIAL_NUMBER) && (a->ulValueLen < b->size)) {
-	int len;
-	unsigned char *data;
-
-	data = nss_ckcapi_DERUnwrap(b->data, b->size, &len, NULL);
-	if ((len == a->ulValueLen) && 
-		nsslibc_memequal(a->pValue, data, len, (PRStatus *)NULL)) {
-	    return CK_TRUE;
-	}
-    }
-    return CK_FALSE;
-  }
-
-  prb = nsslibc_memequal(a->pValue, b->data, b->size, (PRStatus *)NULL);
-
-  if( PR_TRUE == prb ) {
-    return CK_TRUE;
-  } else {
-    return CK_FALSE;
-  }
-}
-
-
-static CK_BBOOL
-ckcapi_match
-(
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  ckcapiInternalObject *o
-)
-{
-  CK_ULONG i;
-
-  for( i = 0; i < ulAttributeCount; i++ ) {
-    if (CK_FALSE == ckcapi_attrmatch(&pTemplate[i], o)) {
-      return CK_FALSE;
-    }
-  }
-
-  /* Every attribute passed */
-  return CK_TRUE;
-}
-
-#define CKAPI_ITEM_CHUNK  20
-
-#define PUT_Object(obj,err) \
-  { \
-    if (count >= size) { \
-    *listp = *listp ? \
-		nss_ZREALLOCARRAY(*listp, ckcapiInternalObject *, \
-		               (size+CKAPI_ITEM_CHUNK) ) : \
-		nss_ZNEWARRAY(NULL, ckcapiInternalObject *, \
-		               (size+CKAPI_ITEM_CHUNK) ) ; \
-      if ((ckcapiInternalObject **)NULL == *listp) { \
-        err = CKR_HOST_MEMORY; \
-        goto loser; \
-      } \
-      size += CKAPI_ITEM_CHUNK; \
-    } \
-    (*listp)[ count ] = (obj); \
-    count++; \
-  }
-
-
-/*
- * pass parameters back through the callback.
- */
-typedef struct BareCollectParamsStr {
-  CK_OBJECT_CLASS objClass;
-  CK_ATTRIBUTE_PTR pTemplate;
-  CK_ULONG ulAttributeCount;
-  ckcapiInternalObject ***listp;
-  PRUint32 size;
-  PRUint32 count;
-} BareCollectParams;
-
-/* collect_bare's callback. Called for each object that
- * supposedly has a PROVINDER_INFO property */
-static BOOL WINAPI
-doBareCollect
-(
-  const CRYPT_HASH_BLOB *msKeyID,
-  DWORD flags,
-  void *reserved,
-  void *args,
-  DWORD cProp,
-  DWORD *propID,
-  void **propData,
-  DWORD *propSize
-)
-{
-  BareCollectParams *bcp = (BareCollectParams *) args;
-  PRUint32 size = bcp->size;
-  PRUint32 count = bcp->count;
-  ckcapiInternalObject ***listp = bcp->listp;
-  ckcapiInternalObject *io = NULL;
-  DWORD i;
-  CRYPT_KEY_PROV_INFO *keyProvInfo = NULL;
-  void *idData;
-  CK_RV error;
- 
-  /* make sure there is a Key Provider Info property */
-  for (i=0; i < cProp; i++) {
-    if (CERT_KEY_PROV_INFO_PROP_ID == propID[i]) {
-	keyProvInfo = (CRYPT_KEY_PROV_INFO *)propData[i];
-	break;
-    }
-  }
-  if ((CRYPT_KEY_PROV_INFO *)NULL == keyProvInfo) {
-    return 1;
-  }
-
-  /* copy the key ID */
-  idData = nss_ZNEWARRAY(NULL, char, msKeyID->cbData);
-  if ((void *)NULL == idData) {
-     goto loser;
-  }
-  nsslibc_memcpy(idData, msKeyID->pbData, msKeyID->cbData);
-
-  /* build a bare internal object */  
-  io = nss_ZNEW(NULL, ckcapiInternalObject);
-  if ((ckcapiInternalObject *)NULL == io) {
-     goto loser;
-  }
-  io->type = ckcapiBareKey;
-  io->objClass = bcp->objClass;
-  io->u.key.provInfo = *keyProvInfo;
-  io->u.key.provInfo.pwszContainerName = 
-			nss_ckcapi_WideDup(keyProvInfo->pwszContainerName);
-  io->u.key.provInfo.pwszProvName = 
-			nss_ckcapi_WideDup(keyProvInfo->pwszProvName);
-  io->u.key.provName = nss_ckcapi_WideToUTF8(keyProvInfo->pwszProvName);
-  io->u.key.containerName = 
-                        nss_ckcapi_WideToUTF8(keyProvInfo->pwszContainerName);
-  io->u.key.hProv = 0;
-  io->idData = idData;
-  io->id.data = idData;
-  io->id.size = msKeyID->cbData;
-  idData = NULL;
-
-  /* see if it matches */ 
-  if( CK_FALSE == ckcapi_match(bcp->pTemplate, bcp->ulAttributeCount, io) ) {
-    goto loser;
-  }
-  PUT_Object(io, error);
-  bcp->size = size;
-  bcp->count = count;
-  return 1;
-
-loser:
-  if (io) {
-    nss_ckcapi_DestroyInternalObject(io);
-  }
-  nss_ZFreeIf(idData);
-  return 1;
-}
-
-/*
- * collect the bare keys running around
- */
-static PRUint32
-collect_bare(
-  CK_OBJECT_CLASS objClass,
-  CK_ATTRIBUTE_PTR pTemplate, 
-  CK_ULONG ulAttributeCount, 
-  ckcapiInternalObject ***listp,
-  PRUint32 *sizep,
-  PRUint32 count,
-  CK_RV *pError
-)
-{
-  BOOL rc;
-  BareCollectParams bareCollectParams;
-
-  bareCollectParams.objClass = objClass;
-  bareCollectParams.pTemplate = pTemplate;
-  bareCollectParams.ulAttributeCount = ulAttributeCount;
-  bareCollectParams.listp = listp;
-  bareCollectParams.size = *sizep;
-  bareCollectParams.count = count;
-
-  rc = CryptEnumKeyIdentifierProperties(NULL, CERT_KEY_PROV_INFO_PROP_ID, 0,
-       NULL, NULL, &bareCollectParams, doBareCollect);
-
-  *sizep = bareCollectParams.size;
-  return bareCollectParams.count;
-}
-
-/* find all the certs that represent the appropriate object (cert, priv key, or
- *  pub key) in the cert store.
- */
-static PRUint32
-collect_class(
-  CK_OBJECT_CLASS objClass,
-  LPCSTR storeStr,
-  PRBool hasID,
-  CK_ATTRIBUTE_PTR pTemplate, 
-  CK_ULONG ulAttributeCount, 
-  ckcapiInternalObject ***listp,
-  PRUint32 *sizep,
-  PRUint32 count,
-  CK_RV *pError
-)
-{
-  PRUint32 size = *sizep;
-  ckcapiInternalObject *next = NULL;
-  HCERTSTORE hStore;
-  PCCERT_CONTEXT certContext = NULL;
-  PRBool  isKey = 
-     (objClass == CKO_PUBLIC_KEY) | (objClass == CKO_PRIVATE_KEY);
-
-  hStore = CertOpenSystemStore((HCRYPTPROV)NULL, storeStr);
-  if (NULL == hStore) {
-     return count; /* none found does not imply an error */
-  }
-
-  /* FUTURE: use CertFindCertificateInStore to filter better -- so we don't
-   * have to enumerate all the certificates */
-  while ((PCERT_CONTEXT) NULL != 
-         (certContext= CertEnumCertificatesInStore(hStore, certContext))) {
-    /* first filter out non user certs if we are looking for keys */
-    if (isKey) {
-      /* make sure there is a Key Provider Info property */
-      CRYPT_KEY_PROV_INFO key_prov;
-      DWORD size = sizeof(CRYPT_KEY_PROV_INFO);
-      BOOL rv;
-      rv =CertGetCertificateContextProperty(certContext,
-        CERT_KEY_PROV_INFO_PROP_ID, &key_prov, &size);
-      if (!rv) {
-	int reason = GetLastError();
-        /* we only care if it exists, we don't really need to fetch it yet */
-	if (reason == CRYPT_E_NOT_FOUND) {
-	  continue;
-	}
-      }
-    }
-    
-    if ((ckcapiInternalObject *)NULL == next) {
-      next = nss_ZNEW(NULL, ckcapiInternalObject);
-      if ((ckcapiInternalObject *)NULL == next) {
-        *pError = CKR_HOST_MEMORY;
-        goto loser;
-      }
-    }
-    next->type = ckcapiCert;
-    next->objClass = objClass;
-    next->u.cert.certContext = certContext;
-    next->u.cert.hasID = hasID;
-    next->u.cert.certStore = storeStr;
-    if( CK_TRUE == ckcapi_match(pTemplate, ulAttributeCount, next) ) {
-      /* clear cached values that may be dependent on our old certContext */
-      memset(&next->u.cert, 0, sizeof(next->u.cert));
-      /* get a 'permanent' context */
-      next->u.cert.certContext = CertDuplicateCertificateContext(certContext);
-      next->objClass = objClass;
-      next->u.cert.certContext = certContext;
-      next->u.cert.hasID = hasID;
-      next->u.cert.certStore = storeStr;
-      PUT_Object(next, *pError);
-      next = NULL; /* need to allocate a new one now */
-    } else {
-      /* don't cache the values we just loaded */
-      memset(&next->u.cert, 0, sizeof(next->u.cert));
-    }
-  }
-loser:
-  CertCloseStore(hStore, 0);
-  nss_ZFreeIf(next);
-  *sizep = size;
-  return count;
-}
-
-NSS_IMPLEMENT PRUint32
-nss_ckcapi_collect_all_certs(
-  CK_ATTRIBUTE_PTR pTemplate, 
-  CK_ULONG ulAttributeCount, 
-  ckcapiInternalObject ***listp,
-  PRUint32 *sizep,
-  PRUint32 count,
-  CK_RV *pError
-)
-{
-  count = collect_class(CKO_CERTIFICATE, "My", PR_TRUE, pTemplate, 
-			ulAttributeCount, listp, sizep, count, pError);
-  count = collect_class(CKO_CERTIFICATE, "AddressBook", PR_FALSE, pTemplate, 
-                        ulAttributeCount, listp, sizep, count, pError);
-  count = collect_class(CKO_CERTIFICATE, "CA", PR_FALSE, pTemplate, 
-			ulAttributeCount, listp, sizep, count, pError);
-  count = collect_class(CKO_CERTIFICATE, "Root", PR_FALSE, pTemplate, 
-			ulAttributeCount, listp, sizep, count, pError);
-  count = collect_class(CKO_CERTIFICATE, "Trust", PR_FALSE, pTemplate, 
-			ulAttributeCount, listp, sizep, count, pError);
-  count = collect_class(CKO_CERTIFICATE, "TrustedPeople", PR_FALSE, pTemplate, 
-                        ulAttributeCount, listp, sizep, count, pError);
-  count = collect_class(CKO_CERTIFICATE, "AuthRoot", PR_FALSE, pTemplate, 
-                        ulAttributeCount, listp, sizep, count, pError);
-  return count;
-}
-
-CK_OBJECT_CLASS
-ckcapi_GetObjectClass(CK_ATTRIBUTE_PTR pTemplate, 
-                      CK_ULONG ulAttributeCount)
-{
-  CK_ULONG i;
-
-  for (i=0; i < ulAttributeCount; i++)
-  {
-    if (pTemplate[i].type == CKA_CLASS) {
-      return *(CK_OBJECT_CLASS *) pTemplate[i].pValue;
-    }
-  }
-  /* need to return a value that says 'fetch them all' */
-  return CK_INVALID_HANDLE;
-}
-
-static PRUint32
-collect_objects(
-  CK_ATTRIBUTE_PTR pTemplate, 
-  CK_ULONG ulAttributeCount, 
-  ckcapiInternalObject ***listp,
-  CK_RV *pError
-)
-{
-  PRUint32 i;
-  PRUint32 count = 0;
-  PRUint32 size = 0;
-  CK_OBJECT_CLASS objClass;
-
-  /*
-   * first handle the static build in objects (if any)
-   */
-  for( i = 0; i < nss_ckcapi_nObjects; i++ ) {
-    ckcapiInternalObject *o = (ckcapiInternalObject *)&nss_ckcapi_data[i];
-
-    if( CK_TRUE == ckcapi_match(pTemplate, ulAttributeCount, o) ) {
-      PUT_Object(o, *pError);
-    }
-  }
-
-  /*
-   * now handle the various object types
-   */
-  objClass = ckcapi_GetObjectClass(pTemplate, ulAttributeCount);
-  *pError = CKR_OK;
-  switch (objClass) {
-  case CKO_CERTIFICATE:
-    count = nss_ckcapi_collect_all_certs(pTemplate, ulAttributeCount, listp, 
-                              &size, count, pError);
-    break;
-  case CKO_PUBLIC_KEY:
-    count = collect_class(objClass, "My", PR_TRUE, pTemplate, 
-			ulAttributeCount, listp, &size, count, pError);
-    count = collect_bare(objClass, pTemplate, ulAttributeCount, listp,
-			&size, count, pError);
-    break;
-  case CKO_PRIVATE_KEY:
-    count = collect_class(objClass, "My", PR_TRUE, pTemplate, 
-			ulAttributeCount, listp, &size, count, pError);
-    count = collect_bare(objClass, pTemplate, ulAttributeCount, listp,
-			&size, count, pError);
-    break;
-  /* all of them */
-  case CK_INVALID_HANDLE:
-    count = nss_ckcapi_collect_all_certs(pTemplate, ulAttributeCount, listp, 
-                              &size, count, pError);
-    count = collect_class(CKO_PUBLIC_KEY, "My", PR_TRUE, pTemplate, 
-			ulAttributeCount, listp, &size, count, pError);
-    count = collect_bare(CKO_PUBLIC_KEY, pTemplate, ulAttributeCount, listp,
-			&size, count, pError);
-    count = collect_class(CKO_PRIVATE_KEY, "My", PR_TRUE, pTemplate, 
-			ulAttributeCount, listp, &size, count, pError);
-    count = collect_bare(CKO_PRIVATE_KEY, pTemplate, ulAttributeCount, listp,
-			&size, count, pError);
-    break;
-  default:
-    goto done; /* no other object types we understand in this module */
-  }
-  if (CKR_OK != *pError) {
-    goto loser;
-  }
-
-
-done:
-  return count;
-loser:
-  nss_ZFreeIf(*listp);
-  return 0;
-}
-
-
-
-NSS_IMPLEMENT NSSCKMDFindObjects *
-nss_ckcapi_FindObjectsInit
-(
-  NSSCKFWSession *fwSession,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_RV *pError
-)
-{
-  /* This could be made more efficient.  I'm rather rushed. */
-  NSSArena *arena;
-  NSSCKMDFindObjects *rv = (NSSCKMDFindObjects *)NULL;
-  struct ckcapiFOStr *fo = (struct ckcapiFOStr *)NULL;
-  ckcapiInternalObject **temp = (ckcapiInternalObject **)NULL;
-
-  arena = NSSArena_Create();
-  if( (NSSArena *)NULL == arena ) {
-    goto loser;
-  }
-
-  rv = nss_ZNEW(arena, NSSCKMDFindObjects);
-  if( (NSSCKMDFindObjects *)NULL == rv ) {
-    *pError = CKR_HOST_MEMORY;
-    goto loser;
-  }
-
-  fo = nss_ZNEW(arena, struct ckcapiFOStr);
-  if( (struct ckcapiFOStr *)NULL == fo ) {
-    *pError = CKR_HOST_MEMORY;
-    goto loser;
-  }
-
-  fo->arena = arena;
-  /* fo->n and fo->i are already zero */
-
-  rv->etc = (void *)fo;
-  rv->Final = ckcapi_mdFindObjects_Final;
-  rv->Next = ckcapi_mdFindObjects_Next;
-  rv->null = (void *)NULL;
-
-  fo->n = collect_objects(pTemplate, ulAttributeCount, &temp, pError);
-  if (*pError != CKR_OK) {
-    goto loser;
-  }
-
-  fo->objs = nss_ZNEWARRAY(arena, ckcapiInternalObject *, fo->n);
-  if( (ckcapiInternalObject **)NULL == fo->objs ) {
-    *pError = CKR_HOST_MEMORY;
-    goto loser;
-  }
-
-  (void)nsslibc_memcpy(fo->objs, temp, sizeof(ckcapiInternalObject *) * fo->n);
-  nss_ZFreeIf(temp);
-  temp = (ckcapiInternalObject **)NULL;
-
-  return rv;
-
- loser:
-  nss_ZFreeIf(temp);
-  nss_ZFreeIf(fo);
-  nss_ZFreeIf(rv);
-  if ((NSSArena *)NULL != arena) {
-     NSSArena_Destroy(arena);
-  }
-  return (NSSCKMDFindObjects *)NULL;
-}
-
diff --git a/security/nss/lib/ckfw/capi/cinst.c b/security/nss/lib/ckfw/capi/cinst.c
deleted file mode 100644
index fe5c3d25e..000000000
--- a/security/nss/lib/ckfw/capi/cinst.c
+++ /dev/null
@@ -1,148 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- * Portions created by Red Hat, Inc, are Copyright (C) 2005
- *
- * Contributor(s):
- *   Bob Relyea (rrelyea@redhat.com)
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#include "ckcapi.h"
-
-/*
- * ckcapi/cinstance.c
- *
- * This file implements the NSSCKMDInstance object for the 
- * "capi" cryptoki module.
- */
-
-/*
- * NSSCKMDInstance methods
- */
-
-static CK_ULONG
-ckcapi_mdInstance_GetNSlots
-(
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  return (CK_ULONG)1;
-}
-
-static CK_VERSION
-ckcapi_mdInstance_GetCryptokiVersion
-(
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  return nss_ckcapi_CryptokiVersion;
-}
-
-static NSSUTF8 *
-ckcapi_mdInstance_GetManufacturerID
-(
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  return (NSSUTF8 *)nss_ckcapi_ManufacturerID;
-}
-
-static NSSUTF8 *
-ckcapi_mdInstance_GetLibraryDescription
-(
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  return (NSSUTF8 *)nss_ckcapi_LibraryDescription;
-}
-
-static CK_VERSION
-ckcapi_mdInstance_GetLibraryVersion
-(
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  return nss_ckcapi_LibraryVersion;
-}
-
-static CK_RV
-ckcapi_mdInstance_GetSlots
-(
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  NSSCKMDSlot *slots[]
-)
-{
-  slots[0] = (NSSCKMDSlot *)&nss_ckcapi_mdSlot;
-  return CKR_OK;
-}
-
-static CK_BBOOL
-ckcapi_mdInstance_ModuleHandlesSessionObjects
-(
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  /* we don't want to allow any session object creation, at least
-   * until we can investigate whether or not we can use those objects
-   */
-  return CK_TRUE;
-}
-
-NSS_IMPLEMENT_DATA const NSSCKMDInstance
-nss_ckcapi_mdInstance = {
-  (void *)NULL, /* etc */
-  NULL, /* Initialize */
-  NULL, /* Finalize */
-  ckcapi_mdInstance_GetNSlots,
-  ckcapi_mdInstance_GetCryptokiVersion,
-  ckcapi_mdInstance_GetManufacturerID,
-  ckcapi_mdInstance_GetLibraryDescription,
-  ckcapi_mdInstance_GetLibraryVersion,
-  ckcapi_mdInstance_ModuleHandlesSessionObjects, 
-  /*NULL, /* HandleSessionObjects */
-  ckcapi_mdInstance_GetSlots,
-  NULL, /* WaitForSlotEvent */
-  (void *)NULL /* null terminator */
-};
diff --git a/security/nss/lib/ckfw/capi/ckcapi.h b/security/nss/lib/ckfw/capi/ckcapi.h
deleted file mode 100644
index fb434ce57..000000000
--- a/security/nss/lib/ckfw/capi/ckcapi.h
+++ /dev/null
@@ -1,309 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- * Portions created by Red Hat, Inc, are Copyright (C) 2005
- *
- * Contributor(s):
- *   Bob Relyea (rrelyea@redhat.com)
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef CKCAPI_H
-#define CKCAPI_H 1
-
-#ifdef DEBUG
-static const char CKCAPI_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#include "nssckmdt.h"
-#include "nssckfw.h"
-
-/*
- * I'm including this for access to the arena functions.
- * Looks like we should publish that API.
- */
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-/*
- * This is where the Netscape extensions live, at least for now.
- */
-#ifndef CKT_H
-#include "ckt.h"
-#endif /* CKT_H */
-
-#include "WTypes.h"
-#include "WinCrypt.h"
-
-/*
- * statically defined raw objects. Allows us to data description objects
- * to this PKCS #11 module.
- */
-struct ckcapiRawObjectStr {
-  CK_ULONG n;
-  const CK_ATTRIBUTE_TYPE *types;
-  const NSSItem *items;
-};
-typedef struct ckcapiRawObjectStr ckcapiRawObject;
-
-
-/*
- * common values needed for both bare keys and cert referenced keys.
- */
-struct ckcapiKeyParamsStr {
-  NSSItem	  modulus;
-  NSSItem	  exponent;
-  NSSItem	  privateExponent;
-  NSSItem	  prime1;
-  NSSItem	  prime2;
-  NSSItem	  exponent1;
-  NSSItem	  exponent2;
-  NSSItem	  coefficient;
-  unsigned char   publicExponentData[sizeof(CK_ULONG)];
-  void		  *privateKey;
-  void		  *pubKey;
-};
-typedef struct ckcapiKeyParamsStr ckcapiKeyParams;
-
-/*
- * Key objects. Handles bare keys which do not yet have certs associated
- * with them. These are usually short lived, but may exist for several days
- * while the CA is issuing the certificate.
- */
-struct ckcapiKeyObjectStr {
-  CRYPT_KEY_PROV_INFO provInfo;
-  char            *provName;
-  char            *containerName;
-  HCRYPTPROV      hProv;
-  ckcapiKeyParams key;
-};
-typedef struct ckcapiKeyObjectStr ckcapiKeyObject;
-
-/*
- * Certificate and certificate referenced keys.
- */
-struct ckcapiCertObjectStr {
-  PCCERT_CONTEXT  certContext;
-  PRBool          hasID;
-  const char	  *certStore;
-  NSSItem	  label;
-  NSSItem	  subject;
-  NSSItem	  issuer;
-  NSSItem	  serial;
-  NSSItem	  derCert;
-  ckcapiKeyParams key;
-  unsigned char   *labelData;
-  /* static data: to do, make this dynamic like labelData */
-  unsigned char   derSerial[128];
-};
-typedef struct ckcapiCertObjectStr ckcapiCertObject;
-
-typedef enum {
-  ckcapiRaw,
-  ckcapiCert,
-  ckcapiBareKey
-} ckcapiObjectType;
-
-/*
- * all the various types of objects are abstracted away in cobject and
- * cfind as ckcapiInternalObjects.
- */
-struct ckcapiInternalObjectStr {
-  ckcapiObjectType type;
-  union {
-    ckcapiRawObject  raw;
-    ckcapiCertObject cert;
-    ckcapiKeyObject  key;
-  } u;
-  CK_OBJECT_CLASS objClass;
-  NSSItem	  hashKey;
-  NSSItem	  id;
-  void		  *idData;
-  unsigned char   hashKeyData[128];
-  NSSCKMDObject mdObject;
-};
-typedef struct ckcapiInternalObjectStr ckcapiInternalObject;
-
-/* our raw object data array */
-NSS_EXTERN_DATA ckcapiInternalObject nss_ckcapi_data[];
-NSS_EXTERN_DATA const PRUint32               nss_ckcapi_nObjects;
-
-NSS_EXTERN_DATA const CK_VERSION   nss_ckcapi_CryptokiVersion;
-NSS_EXTERN_DATA const NSSUTF8 *    nss_ckcapi_ManufacturerID;
-NSS_EXTERN_DATA const NSSUTF8 *    nss_ckcapi_LibraryDescription;
-NSS_EXTERN_DATA const CK_VERSION   nss_ckcapi_LibraryVersion;
-NSS_EXTERN_DATA const NSSUTF8 *    nss_ckcapi_SlotDescription;
-NSS_EXTERN_DATA const CK_VERSION   nss_ckcapi_HardwareVersion;
-NSS_EXTERN_DATA const CK_VERSION   nss_ckcapi_FirmwareVersion;
-NSS_EXTERN_DATA const NSSUTF8 *    nss_ckcapi_TokenLabel;
-NSS_EXTERN_DATA const NSSUTF8 *    nss_ckcapi_TokenModel;
-NSS_EXTERN_DATA const NSSUTF8 *    nss_ckcapi_TokenSerialNumber;
-
-NSS_EXTERN_DATA const NSSCKMDInstance  nss_ckcapi_mdInstance;
-NSS_EXTERN_DATA const NSSCKMDSlot      nss_ckcapi_mdSlot;
-NSS_EXTERN_DATA const NSSCKMDToken     nss_ckcapi_mdToken;
-NSS_EXTERN_DATA const NSSCKMDMechanism nss_ckcapi_mdMechanismRSA;
-
-NSS_EXTERN NSSCKMDSession *
-nss_ckcapi_CreateSession
-(
-  NSSCKFWSession *fwSession,
-  CK_RV *pError
-);
-
-NSS_EXTERN NSSCKMDFindObjects *
-nss_ckcapi_FindObjectsInit
-(
-  NSSCKFWSession *fwSession,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_RV *pError
-);
-
-/*
- * Object Utilities
- */
-NSS_EXTERN NSSCKMDObject *
-nss_ckcapi_CreateMDObject
-(
-  NSSArena *arena,
-  ckcapiInternalObject *io,
-  CK_RV *pError
-);
-
-NSS_EXTERN NSSCKMDObject *
-nss_ckcapi_CreateObject
-(
-  NSSCKFWSession *fwSession,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_RV *pError
-);
-
-NSS_EXTERN const NSSItem *
-nss_ckcapi_FetchAttribute
-(
-  ckcapiInternalObject *io, 
-  CK_ATTRIBUTE_TYPE type
-);
-
-NSS_EXTERN void
-nss_ckcapi_DestroyInternalObject
-(
-  ckcapiInternalObject *io
-);
-
-NSS_EXTERN CK_RV
-nss_ckcapi_FetchKeyContainer
-(
-  ckcapiInternalObject *iKey,
-  HCRYPTPROV  *hProv,
-  DWORD       *keySpec,
-  HCRYPTKEY   *hKey
-);
-
-/*
- * generic utilities
- */
-
-/*
- * So everyone else in the worlds stores their bignum data MSB first, but not
- * Microsoft, we need to byte swap everything coming into and out of CAPI.
- */
-void
-ckcapi_ReverseData
-(
-  NSSItem *item
-);
-
-/*
- * unwrap a single DER value
- */
-char *
-nss_ckcapi_DERUnwrap
-(
-  char *src, 
-  int size, 
-  int *outSize, 
-  char **next
-);
-
-/*
- * Return the size in bytes of a wide string
- */
-int 
-nss_ckcapi_WideSize
-(
-  LPCWSTR wide
-);
-
-/*
- * Covert a Unicode wide character string to a UTF8 string
- */
-char *
-nss_ckcapi_WideToUTF8
-(
-  LPCWSTR wide 
-);
-
-/*
- * Return a Wide String duplicated with nss allocated memory.
- */
-LPWSTR
-nss_ckcapi_WideDup
-(
-  LPCWSTR wide
-);
-
-/*
- * Covert a UTF8 string to Unicode wide character
- */
-LPWSTR
-nss_ckcapi_UTF8ToWide
-(
-  char *buf
-);
-
-
-NSS_EXTERN PRUint32
-nss_ckcapi_collect_all_certs(
-  CK_ATTRIBUTE_PTR pTemplate, 
-  CK_ULONG ulAttributeCount, 
-  ckcapiInternalObject ***listp,
-  PRUint32 *sizep,
-  PRUint32 count,
-  CK_RV *pError
-);
-
-#define NSS_CKCAPI_ARRAY_SIZE(x) ((sizeof (x))/(sizeof ((x)[0])))
- 
-#endif
diff --git a/security/nss/lib/ckfw/capi/ckcapiver.c b/security/nss/lib/ckfw/capi/ckcapiver.c
deleted file mode 100644
index d69290575..000000000
--- a/security/nss/lib/ckfw/capi/ckcapiver.c
+++ /dev/null
@@ -1,59 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- * Portions created by Red Hat, Inc, are Copyright (C) 2005
- *
- * Contributor(s):
- *   Bob Relyea (rrelyea@redhat.com)
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* Library identity and versioning */
-
-#include "nsscapi.h"
-
-#if defined(DEBUG)
-#define _DEBUG_STRING " (debug)"
-#else
-#define _DEBUG_STRING ""
-#endif
-
-/*
- * Version information for the 'ident' and 'what commands
- *
- * NOTE: the first component of the concatenated rcsid string
- * must not end in a '$' to prevent rcs keyword substitution.
- */
-const char __nss_ckcapi_rcsid[] = "$Header: NSS Access to Microsoft Certificate Store "
-        NSS_CKCAPI_LIBRARY_VERSION _DEBUG_STRING
-        "  " __DATE__ " " __TIME__ " $";
-const char __nss_ckcapi_sccsid[] = "@(#)NSS Access to Microsoft Certificate Store "
-        NSS_CKCAPI_LIBRARY_VERSION _DEBUG_STRING
-        "  " __DATE__ " " __TIME__;
diff --git a/security/nss/lib/ckfw/capi/cobject.c b/security/nss/lib/ckfw/capi/cobject.c
deleted file mode 100644
index 09382073c..000000000
--- a/security/nss/lib/ckfw/capi/cobject.c
+++ /dev/null
@@ -1,2261 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- * Portions created by Red Hat, Inc, are Copyright (C) 2005
- *
- * Contributor(s):
- *   Bob Relyea (rrelyea@redhat.com)
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#include "ckcapi.h"
-#include "nssbase.h"
-
-/*
- * ckcapi/cobject.c
- *
- * This file implements the NSSCKMDObject object for the
- * "nss to capi objects" cryptoki module.
- */
-
-const CK_ATTRIBUTE_TYPE certAttrs[] = {
-    CKA_CLASS,
-    CKA_TOKEN,
-    CKA_PRIVATE,
-    CKA_MODIFIABLE,
-    CKA_LABEL,
-    CKA_CERTIFICATE_TYPE,
-    CKA_SUBJECT,
-    CKA_ISSUER,
-    CKA_SERIAL_NUMBER,
-    CKA_VALUE
-};
-const PRUint32 certAttrsCount = NSS_CKCAPI_ARRAY_SIZE(certAttrs);
-
-/* private keys, for now only support RSA */
-const CK_ATTRIBUTE_TYPE privKeyAttrs[] = {
-    CKA_CLASS,
-    CKA_TOKEN,
-    CKA_PRIVATE,
-    CKA_MODIFIABLE,
-    CKA_LABEL,
-    CKA_KEY_TYPE,
-    CKA_DERIVE,
-    CKA_LOCAL,
-    CKA_SUBJECT,
-    CKA_SENSITIVE,
-    CKA_DECRYPT,
-    CKA_SIGN,
-    CKA_SIGN_RECOVER,
-    CKA_UNWRAP,
-    CKA_EXTRACTABLE,
-    CKA_ALWAYS_SENSITIVE,
-    CKA_NEVER_EXTRACTABLE,
-    CKA_MODULUS,
-    CKA_PUBLIC_EXPONENT,
-};
-const PRUint32 privKeyAttrsCount = NSS_CKCAPI_ARRAY_SIZE(privKeyAttrs);
-
-/* public keys, for now only support RSA */
-const CK_ATTRIBUTE_TYPE pubKeyAttrs[] = {
-    CKA_CLASS,
-    CKA_TOKEN,
-    CKA_PRIVATE,
-    CKA_MODIFIABLE,
-    CKA_LABEL,
-    CKA_KEY_TYPE,
-    CKA_DERIVE,
-    CKA_LOCAL,
-    CKA_SUBJECT,
-    CKA_ENCRYPT,
-    CKA_VERIFY,
-    CKA_VERIFY_RECOVER,
-    CKA_WRAP,
-    CKA_MODULUS,
-    CKA_PUBLIC_EXPONENT,
-};
-const PRUint32 pubKeyAttrsCount = NSS_CKCAPI_ARRAY_SIZE(pubKeyAttrs);
-static const CK_BBOOL ck_true = CK_TRUE;
-static const CK_BBOOL ck_false = CK_FALSE;
-static const CK_CERTIFICATE_TYPE ckc_x509 = CKC_X_509;
-static const CK_KEY_TYPE ckk_rsa = CKK_RSA;
-static const CK_OBJECT_CLASS cko_certificate = CKO_CERTIFICATE;
-static const CK_OBJECT_CLASS cko_private_key = CKO_PRIVATE_KEY;
-static const CK_OBJECT_CLASS cko_public_key = CKO_PUBLIC_KEY;
-static const NSSItem ckcapi_trueItem = { 
-  (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) };
-static const NSSItem ckcapi_falseItem = { 
-  (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) };
-static const NSSItem ckcapi_x509Item = { 
-  (void *)&ckc_x509, (PRUint32)sizeof(CKC_X_509) };
-static const NSSItem ckcapi_rsaItem = { 
-  (void *)&ckk_rsa, (PRUint32)sizeof(CK_KEY_TYPE) };
-static const NSSItem ckcapi_certClassItem = { 
-  (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) };
-static const NSSItem ckcapi_privKeyClassItem = {
-  (void *)&cko_private_key, (PRUint32)sizeof(CK_OBJECT_CLASS) };
-static const NSSItem ckcapi_pubKeyClassItem = {
-  (void *)&cko_public_key, (PRUint32)sizeof(CK_OBJECT_CLASS) };
-static const NSSItem ckcapi_emptyItem = { 
-  (void *)&ck_true, 0};
-
-/*
- * these are utilities. The chould be moved to a new utilities file.
- */
-
-/*
- * unwrap a single DER value
- */
-char *
-nss_ckcapi_DERUnwrap
-(
-  char *src, 
-  int size, 
-  int *outSize, 
-  char **next
-)
-{
-  unsigned char *start = src;
-  unsigned char *end = src+size;
-  unsigned int len = 0;
-
-  /* initialize error condition return values */
-  *outSize = 0;
-  if (next) {
-    *next = src;
-  }
-
-  if (size < 2) {
-    return start;
-  }
-  src ++ ; /* skip the tag -- should check it against an expected value! */
-  len = (unsigned) *src++;
-  if (len & 0x80) {
-    int count = len & 0x7f;
-    len =0;
-
-    if (count+2 > size) {
-      return start;
-    }
-    while (count-- > 0) {
-      len = (len << 8) | (unsigned) *src++;
-    }
-  }
-  if (len + (src-start) > (unsigned int)size) {
-    return start;
-  }
-  if (next) {
-    *next = src+len;
-  }
-  *outSize = len;
-
-  return src;
-}
-
-/*
- * convert a PKCS #11 bytestrin into a CK_ULONG, the byte stream must be
- * less than sizeof (CK_ULONG).
- */
-CK_ULONG  
-nss_ckcapi_DataToInt
-(
-  NSSItem *data,
-  CK_RV *pError
-)
-{
-  CK_ULONG value = 0;
-  unsigned long count = data->size;
-  unsigned char *dataPtr = data->data;
-  unsigned long size = 0;
-
-  *pError = CKR_OK;
-
-  while (count--) {
-    value = value << 8;
-    value = value + *dataPtr++;
-    if (size || value) {
-      size++;
-    }
-  }
-  if (size > sizeof(CK_ULONG)) {
-    *pError = CKR_ATTRIBUTE_VALUE_INVALID;
-  }
-  return value;
-}
-
-/*
- * convert a CK_ULONG to a bytestream. Data is stored in the buffer 'buf'
- * and must be at least CK_ULONG. Caller must provide buf.
- */
-CK_ULONG  
-nss_ckcapi_IntToData
-(
-  CK_ULONG value,
-  NSSItem *data,
-  unsigned char *dataPtr,
-  CK_RV *pError
-)
-{
-  unsigned long count = 0;
-  unsigned long i;
-#define SHIFT ((sizeof(CK_ULONG)-1)*8)
-  PRBool first = 0;
-
-  *pError = CKR_OK;
-
-  data->data = dataPtr;
-  for (i=0; i < sizeof(CK_ULONG); i++) {
-    unsigned char digit = (unsigned char)((value >> SHIFT) & 0xff);
-
-    value = value << 8;
-
-    /* drop leading zero bytes */
-    if (first && (0 == digit)) {
-	continue;
-    }
-    *dataPtr++ = digit;
-    count++;
-  }
-  data->size = count;
-  return count;
-}
-
-/*
- * get an attribute from a template. Value is returned in NSS item.
- * data for the item is owned by the template.
- */
-CK_RV
-nss_ckcapi_GetAttribute
-(
-  CK_ATTRIBUTE_TYPE type,
-  CK_ATTRIBUTE *template,
-  CK_ULONG templateSize, 
-  NSSItem *item
-)
-{
-  CK_ULONG i;
-
-  for (i=0; i < templateSize; i++) {
-    if (template[i].type == type) {
-      item->data = template[i].pValue;
-      item->size = template[i].ulValueLen;
-      return CKR_OK;
-    }
-  }
-  return CKR_TEMPLATE_INCOMPLETE;
-}
-
-/*
- * get an attribute which is type CK_ULONG.
- */
-CK_ULONG
-nss_ckcapi_GetULongAttribute
-(
-  CK_ATTRIBUTE_TYPE type,
-  CK_ATTRIBUTE *template,
-  CK_ULONG templateSize, 
-  CK_RV *pError
-)
-{
-  NSSItem item;
-
-  *pError = nss_ckcapi_GetAttribute(type, template, templateSize, &item);
-  if (CKR_OK != *pError) {
-    return (CK_ULONG) 0;
-  }
-  if (item.size != sizeof(CK_ULONG)) {
-    *pError = CKR_ATTRIBUTE_VALUE_INVALID;
-    return (CK_ULONG) 0;
-  }
-  return *(CK_ULONG *)item.data;
-}
-
-/*
- * get an attribute which is type CK_BBOOL.
- */
-CK_BBOOL
-nss_ckcapi_GetBoolAttribute
-(
-  CK_ATTRIBUTE_TYPE type,
-  CK_ATTRIBUTE *template,
-  CK_ULONG templateSize, 
-  CK_RV *pError
-)
-{
-  NSSItem item;
-
-  *pError = nss_ckcapi_GetAttribute(type, template, templateSize, &item);
-  if (CKR_OK != *pError) {
-    return (CK_BBOOL) 0;
-  }
-  if (item.size != sizeof(CK_BBOOL)) {
-    *pError = CKR_ATTRIBUTE_VALUE_INVALID;
-    return (CK_BBOOL) 0;
-  }
-  return *(CK_BBOOL *)item.data;
-}
-
-/*
- * Return the size in bytes of a wide string
- */
-int
-nss_ckcapi_WideSize
-(
-  LPCWSTR wide
-)
-{
-  DWORD size = wcslen(wide)+1;
-  return size*2;
-}
-
-/*
- * Covert a Unicode wide character string to a UTF8 string
- */
-char *
-nss_ckcapi_WideToUTF8
-(
-  LPCWSTR wide 
-)
-{
-  DWORD len = nss_ckcapi_WideSize(wide);
-  DWORD size;
-  char *buf;
-
-  size = WideCharToMultiByte(CP_UTF8, 0, wide, len, NULL, 0, NULL, 0);
-  if (size == 0) {
-    return NULL;
-  }
-  buf = nss_ZNEWARRAY(NULL, char, size);
-  size = WideCharToMultiByte(CP_UTF8, 0, wide, len, buf, size, NULL, 0);
-  if (size == 0) {
-    nss_ZFreeIf(buf);
-    return NULL;
-  }
-  return buf;
-}
-
-/*
- * Return a Wide String duplicated with nss allocated memory.
- */
-LPWSTR
-nss_ckcapi_WideDup
-(
-  LPCWSTR wide
-)
-{
-  DWORD len = nss_ckcapi_WideSize(wide);
-  LPWSTR buf;
-
-  buf = (LPWSTR) nss_ZNEWARRAY(NULL, char, len);
-  if ((LPWSTR) NULL == buf) {
-    return buf;
-  }
-  nsslibc_memcpy(buf, wide, len);
-  return buf;
-}
-
-/*
- * Covert a UTF8 string to Unicode wide character
- */
-LPWSTR
-nss_ckcapi_UTF8ToWide
-(
-  char *buf
-)
-{
-  DWORD size;
-  DWORD len = strlen(buf)+1;
-  LPWSTR wide;
-
-  size = MultiByteToWideChar(CP_UTF8, 0, buf, len, NULL, 0);
-  if (size == 0) {
-    return NULL;
-  }
-  wide = (LPWSTR)nss_ZNEWARRAY(NULL, char, size);
-  size = MultiByteToWideChar(CP_UTF8, 0, buf, len, wide, size);
-  if (size == 0) {
-    nss_ZFreeIf(wide);
-    return NULL;
-  }
-  return wide;
-}
-
-
-/*
- * keep all the knowlege of how the internalObject is laid out in this function
- *
- * nss_ckcapi_FetchKeyContainer
- *
- * fetches the Provider container and info as well as a key handle for a
- * private key. If something other than a private key is passed in,
- * this function fails with CKR_KEY_TYPE_INCONSISTENT
- */
-NSS_EXTERN CK_RV
-nss_ckcapi_FetchKeyContainer
-(
-  ckcapiInternalObject *iKey,
-  HCRYPTPROV *hProv, 
-  DWORD *keySpec,
-  HCRYPTKEY *hKey
-)
-{
-  ckcapiCertObject *co;
-  ckcapiKeyObject *ko;
-  BOOL rc, dummy;
-  DWORD msError;
-
-
-  switch (iKey->type) {
-  default:
-  case ckcapiRaw:
-     /* can't have raw private keys */
-     return CKR_KEY_TYPE_INCONSISTENT;
-  case ckcapiCert:
-    if (iKey->objClass != CKO_PRIVATE_KEY) {
-      /* Only private keys have private key provider handles */
-      return CKR_KEY_TYPE_INCONSISTENT;
-    }
-    co = &iKey->u.cert;
-
-    /* OK, get the Provider */
-    rc = CryptAcquireCertificatePrivateKey(co->certContext,
-      CRYPT_ACQUIRE_CACHE_FLAG|CRYPT_ACQUIRE_COMPARE_KEY_FLAG, NULL, hProv, 
-      keySpec, &dummy);
-    if (!rc) {
-      goto loser;
-    }
-    break;
-  case ckcapiBareKey:
-    if (iKey->objClass != CKO_PRIVATE_KEY) {
-       /* Only private keys have private key provider handles */
-       return CKR_KEY_TYPE_INCONSISTENT;
-    }
-    ko = &iKey->u.key;
-
-    /* OK, get the Provider */
-    if (0 == ko->hProv) {
-      rc = CryptAcquireContext(hProv,
-			       ko->containerName, 
-			       ko->provName,
-                               ko->provInfo.dwProvType , 0);
-      if (!rc) {
-        goto loser;
-      }
-    } else {
-      *hProv = ko->hProv;
-    }
-    *keySpec = ko->provInfo.dwKeySpec;
-    break;
-  }
-
-  /* and get the crypto handle */
-  rc = CryptGetUserKey(*hProv, *keySpec, hKey);
-  if (!rc) {
-    goto loser;
-  }
-  return CKR_OK;
-loser:
-  /* map the microsoft error before leaving */
-  msError = GetLastError();
-  switch (msError) {
-  case ERROR_INVALID_HANDLE:
-  case ERROR_INVALID_PARAMETER:
-  case NTE_BAD_KEY:
-  case NTE_NO_KEY:
-  case NTE_BAD_PUBLIC_KEY:
-  case NTE_BAD_KEYSET:
-  case NTE_KEYSET_NOT_DEF:
-    return CKR_KEY_TYPE_INCONSISTENT;
-  case NTE_BAD_UID:
-  case NTE_KEYSET_ENTRY_BAD:
-    return CKR_DEVICE_ERROR;
-  }
-  return CKR_GENERAL_ERROR;
-}
-
-
-/*
- * take a DER PUBLIC Key block and return the modulus and exponent
- */
-static void
-ckcapi_CertPopulateModulusExponent
-(
-  ckcapiInternalObject *io
-)
-{
-  ckcapiKeyParams *kp = &io->u.cert.key;
-  PCCERT_CONTEXT certContext = io->u.cert.certContext;
-  char *pkData = certContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.pbData;
-  CK_ULONG size= certContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.cbData;
-  CK_ULONG newSize;
-  char *ptr, *newptr;
-
-  /* find the start of the modulus -- this will not give good results if
-   * the key isn't an rsa key! */
-  ptr = nss_ckcapi_DERUnwrap(pkData, size, &newSize, NULL);
-  kp->modulus.data = nss_ckcapi_DERUnwrap(ptr, newSize, 
-                                           &kp->modulus.size, &newptr);
-  /* changed from signed to unsigned int */
-  if (0 == *(char *)kp->modulus.data) {
-    kp->modulus.data = ((char *)kp->modulus.data)+1;
-    kp->modulus.size = kp->modulus.size - 1;
-  }
-  /* changed from signed to unsigned int */
-  kp->exponent.data = nss_ckcapi_DERUnwrap(newptr, (newptr-ptr)+newSize, 
-						&kp->exponent.size, NULL);
-  if (0 == *(char *)kp->exponent.data) {
-    kp->exponent.data = ((char *)kp->exponent.data)+1;
-    kp->exponent.size = kp->exponent.size - 1;
-  }
-  return;
-}
-
-typedef struct _CAPI_RSA_KEY_BLOB {
-  PUBLICKEYSTRUC header;
-  RSAPUBKEY  rsa;
-  char	     data[1];
-} CAPI_RSA_KEY_BLOB;
-
-#define CAPI_MODULUS_OFFSET(modSize)     0
-#define CAPI_PRIME_1_OFFSET(modSize)     (modSize)
-#define CAPI_PRIME_2_OFFSET(modSize)     ((modSize)+(modSize)/2)
-#define CAPI_EXPONENT_1_OFFSET(modSize)  ((modSize)*2)
-#define CAPI_EXPONENT_2_OFFSET(modSize)  ((modSize)*2+(modSize)/2)
-#define CAPI_COEFFICIENT_OFFSET(modSize) ((modSize)*3)
-#define CAPI_PRIVATE_EXP_OFFSET(modSize) ((modSize)*3+(modSize)/2)
-
-void
-ckcapi_FetchPublicKey
-(
-  ckcapiInternalObject *io
-)
-{
-  ckcapiKeyParams *kp;
-  HCRYPTPROV hProv;
-  DWORD keySpec;
-  HCRYPTKEY hKey = 0;
-  CK_RV error;
-  DWORD bufLen;
-  BOOL rc;
-  unsigned long modulus;
-  char *buf = NULL;
-  CAPI_RSA_KEY_BLOB *blob;
-
-  error = nss_ckcapi_FetchKeyContainer(io, &hProv, &keySpec, &hKey);
-  if (CKR_OK != error) {
-    goto loser;
-  }
-  kp = (ckcapiCert == io->type) ?  &io->u.cert.key : &io->u.key.key;
-
-  rc = CryptExportKey(hKey, 0, PUBLICKEYBLOB, 0, buf, &bufLen);
-  if (!rc) {
-    goto loser;
-  }
-  buf = nss_ZNEWARRAY(NULL, char, bufLen);
-  rc = CryptExportKey(hKey, 0, PUBLICKEYBLOB, 0, buf, &bufLen);
-  if (!rc) {
-    goto loser;
-  }
-  /* validate the blob */
-  blob = (CAPI_RSA_KEY_BLOB *)buf;
-  if ((PUBLICKEYBLOB != blob->header.bType) ||
-      (0x02 != blob->header.bVersion) ||
-      (0x31415352 != blob->rsa.magic)) {
-    goto loser;
-  }
-  modulus = blob->rsa.bitlen/8;
-  kp->pubKey = buf;
-  buf = NULL;
-
-  kp->modulus.data = &blob->data[CAPI_MODULUS_OFFSET(modulus)];
-  kp->modulus.size = modulus;
-  ckcapi_ReverseData(&kp->modulus);
-  nss_ckcapi_IntToData(blob->rsa.pubexp, &kp->exponent,
-                     kp->publicExponentData, &error);
-
-loser:
-  nss_ZFreeIf(buf);
-  if (0 != hKey) {
-     CryptDestroyKey(hKey);
-  }
-  return;
-}
-
-void
-ckcapi_FetchPrivateKey
-(
-  ckcapiInternalObject *io
-)
-{
-  ckcapiKeyParams *kp;
-  HCRYPTPROV hProv;
-  DWORD keySpec;
-  HCRYPTKEY hKey = 0;
-  CK_RV error;
-  DWORD bufLen;
-  BOOL rc;
-  unsigned long modulus;
-  char *buf = NULL;
-  CAPI_RSA_KEY_BLOB *blob;
-
-  error = nss_ckcapi_FetchKeyContainer(io, &hProv, &keySpec, &hKey);
-  if (CKR_OK != error) {
-    goto loser;
-  }
-  kp = (ckcapiCert == io->type) ?  &io->u.cert.key : &io->u.key.key;
-
-  rc = CryptExportKey(hKey, 0, PRIVATEKEYBLOB, 0, buf, &bufLen);
-  if (!rc) {
-    goto loser;
-  }
-  buf = nss_ZNEWARRAY(NULL, char, bufLen);
-  rc = CryptExportKey(hKey, 0, PRIVATEKEYBLOB, 0, buf, &bufLen);
-  if (!rc) {
-    goto loser;
-  }
-  /* validate the blob */
-  blob = (CAPI_RSA_KEY_BLOB *)buf;
-  if ((PRIVATEKEYBLOB != blob->header.bType) ||
-      (0x02 != blob->header.bVersion) ||
-      (0x32415352 != blob->rsa.magic)) {
-    goto loser;
-  }
-  modulus = blob->rsa.bitlen/8;
-  kp->privateKey = buf;
-  buf = NULL;
-
-  kp->privateExponent.data = &blob->data[CAPI_PRIVATE_EXP_OFFSET(modulus)];
-  kp->privateExponent.size = modulus;
-  ckcapi_ReverseData(&kp->privateExponent);
-  kp->prime1.data = &blob->data[CAPI_PRIME_1_OFFSET(modulus)];
-  kp->prime1.size = modulus/2;
-  ckcapi_ReverseData(&kp->prime1);
-  kp->prime2.data = &blob->data[CAPI_PRIME_2_OFFSET(modulus)];
-  kp->prime2.size = modulus/2;
-  ckcapi_ReverseData(&kp->prime2);
-  kp->exponent1.data = &blob->data[CAPI_EXPONENT_1_OFFSET(modulus)];
-  kp->exponent1.size = modulus/2;
-  ckcapi_ReverseData(&kp->exponent1);
-  kp->exponent2.data = &blob->data[CAPI_EXPONENT_2_OFFSET(modulus)];
-  kp->exponent2.size = modulus/2;
-  ckcapi_ReverseData(&kp->exponent2);
-  kp->coefficient.data = &blob->data[CAPI_COEFFICIENT_OFFSET(modulus)];
-  kp->coefficient.size = modulus/2;
-  ckcapi_ReverseData(&kp->coefficient);
-
-loser:
-  nss_ZFreeIf(buf);
-  if (0 != hKey) {
-     CryptDestroyKey(hKey);
-  }
-  return;
-}
-
-
-void
-ckcapi_PopulateModulusExponent
-(
-  ckcapiInternalObject *io
-)
-{
-  if (ckcapiCert == io->type) {
-    ckcapi_CertPopulateModulusExponent(io);
-  } else {
-    ckcapi_FetchPublicKey(io);
-  } 
-  return;
-}
-
-/*
- * fetch the friendly name attribute.
- * can only be called with ckcapiCert type objects!
- */
-void
-ckcapi_FetchLabel
-(
-  ckcapiInternalObject *io
-)
-{
-  ckcapiCertObject *co = &io->u.cert;
-  char *label;
-  PCCERT_CONTEXT certContext = io->u.cert.certContext;
-  char labelDataUTF16[128];
-  DWORD size = sizeof(labelDataUTF16);
-  DWORD size8 = sizeof(co->labelData);
-  BOOL rv;
-
-  rv = CertGetCertificateContextProperty(certContext,
-	CERT_FRIENDLY_NAME_PROP_ID, labelDataUTF16, &size);
-  if (rv) {
-    co->labelData = nss_ckcapi_WideToUTF8((LPCWSTR)labelDataUTF16);
-    if ((CHAR *)NULL == co->labelData) {
-      rv = 0;
-    } else {
-      size = strlen(co->labelData);
-    }
-  }
-  label = co->labelData;
-  /* we are presuming a user cert, make sure it has a nickname, even if
-   * Microsoft never gave it one */
-  if (!rv && co->hasID) {
-    DWORD mserror = GetLastError();
-#define DEFAULT_NICKNAME "no Microsoft nickname"
-    label = DEFAULT_NICKNAME;
-    size = sizeof(DEFAULT_NICKNAME);
-    rv = 1;
-  }
-    
-  if (rv) {
-    co->label.data = label;
-    co->label.size = size;
-  }
-  return;
-}
-
-void
-ckcapi_FetchSerial
-(
-  ckcapiInternalObject *io
-)
-{
-  ckcapiCertObject *co = &io->u.cert;
-  PCCERT_CONTEXT certContext = io->u.cert.certContext;
-  DWORD size = sizeof(co->derSerial);
-
-  BOOL rc = CryptEncodeObject(X509_ASN_ENCODING,
-                         X509_MULTI_BYTE_INTEGER,
-                         &certContext->pCertInfo->SerialNumber,
-			 co->derSerial,
-                         &size);
-  if (rc) {
-    co->serial.data = co->derSerial;
-    co->serial.size = size;
-  }
-  return;
-}
-
-/*
- * fetch the key ID.
- */
-void
-ckcapi_FetchID
-(
-  ckcapiInternalObject *io
-)
-{
-  PCCERT_CONTEXT certContext = io->u.cert.certContext;
-  DWORD size = 0;
-  BOOL rc;
-
-  rc = CertGetCertificateContextProperty(certContext,
-	CERT_KEY_IDENTIFIER_PROP_ID, NULL, &size);
-  if (!rc) {
-    return;
-  }
-  io->idData = nss_ZNEWARRAY(NULL, char, size);
-  if (io->idData == NULL) {
-    return;
-  }
-
-  rc = CertGetCertificateContextProperty(certContext,
-	CERT_KEY_IDENTIFIER_PROP_ID, io->idData, &size);
-  if (!rc) {
-    nss_ZFreeIf(io->idData);
-    io->idData = NULL;
-    return;
-  }
-  io->id.data = io->idData;
-  io->id.size = size;
-  return;
-}
-
-/*
- * fetch the hash key.
- */
-void
-ckcapi_CertFetchHashKey
-(
-  ckcapiInternalObject *io
-)
-{
-  ckcapiCertObject *co = &io->u.cert;
-  PCCERT_CONTEXT certContext = io->u.cert.certContext;
-  DWORD size = certContext->cbCertEncoded;
-  DWORD max = sizeof(io->hashKeyData)-1;
-  DWORD offset = 0;
-
-  /* make sure we don't over flow. NOTE: cutting the top of a cert is
-   * not a big issue because the signature for will be unique for the cert */
-  if (size > max) {
-    offset = size - max;
-    size = max;
-  }
-
-  nsslibc_memcpy(io->hashKeyData,certContext->pbCertEncoded+offset, size);
-  io->hashKeyData[size] = (char)(io->objClass & 0xff);
-
-  io->hashKey.data = io->hashKeyData;
-  io->hashKey.size = size+1;
-  return;
-}
-
-/*
- * fetch the hash key.
- */
-void
-ckcapi_KeyFetchHashKey
-(
-  ckcapiInternalObject *io
-)
-{
-  ckcapiKeyObject *ko = &io->u.key;
-  DWORD size;
-  DWORD max = sizeof(io->hashKeyData)-2;
-  DWORD offset = 0;
-  DWORD provLen = strlen(ko->provName);
-  DWORD containerLen = strlen(ko->containerName);
-
- 
-  size = provLen + containerLen; 
-
-  /* make sure we don't overflow, try to keep things unique */
-  if (size > max) {
-    DWORD diff = ((size - max)+1)/2;
-    provLen -= diff;
-    containerLen -= diff;
-    size = provLen+containerLen;
-  }
-
-  nsslibc_memcpy(io->hashKeyData, ko->provName, provLen);
-  nsslibc_memcpy(&io->hashKeyData[provLen],
-                 ko->containerName,
-		 containerLen);
-  io->hashKeyData[size] = (char)(io->objClass & 0xff);
-  io->hashKeyData[size+1] = (char)(ko->provInfo.dwKeySpec & 0xff);
-
-  io->hashKey.data = io->hashKeyData;
-  io->hashKey.size = size+2;
-  return;
-}
-
-/*
- * fetch the hash key.
- */
-void
-ckcapi_FetchHashKey
-(
-  ckcapiInternalObject *io
-)
-{
-  if (ckcapiCert == io->type) {
-    ckcapi_CertFetchHashKey(io);
-  } else {
-    ckcapi_KeyFetchHashKey(io);
-  } 
-  return;
-}
- 
-const NSSItem *
-ckcapi_FetchCertAttribute
-(
-  ckcapiInternalObject *io,
-  CK_ATTRIBUTE_TYPE type
-)
-{
-  PCCERT_CONTEXT certContext = io->u.cert.certContext;
-  switch(type) {
-  case CKA_CLASS:
-    return &ckcapi_certClassItem;
-  case CKA_TOKEN:
-    return &ckcapi_trueItem;
-  case CKA_MODIFIABLE:
-  case CKA_PRIVATE:
-    return &ckcapi_falseItem;
-  case CKA_CERTIFICATE_TYPE:
-    return &ckcapi_x509Item;
-  case CKA_LABEL:
-    if (0 == io->u.cert.label.size) {
-      ckcapi_FetchLabel(io);
-    }
-    return &io->u.cert.label;
-  case CKA_SUBJECT:
-    if (0 == io->u.cert.subject.size) {
-      io->u.cert.subject.data = certContext->pCertInfo->Subject.pbData;
-      io->u.cert.subject.size = certContext->pCertInfo->Subject.cbData;
-    }
-    return &io->u.cert.subject;
-  case CKA_ISSUER:
-    if (0 == io->u.cert.issuer.size) {
-      io->u.cert.issuer.data = certContext->pCertInfo->Issuer.pbData;
-      io->u.cert.issuer.size = certContext->pCertInfo->Issuer.cbData;
-    }
-    return &io->u.cert.issuer;
-  case CKA_SERIAL_NUMBER:
-    if (0 == io->u.cert.serial.size) {
-      /* not exactly right. This should be the encoded serial number, but
-       * it's the decoded serial number! */
-      ckcapi_FetchSerial(io);
-    }
-    return &io->u.cert.serial;
-  case CKA_VALUE:
-    if (0 == io->u.cert.derCert.size) {
-      io->u.cert.derCert.data = io->u.cert.certContext->pbCertEncoded;
-      io->u.cert.derCert.size = io->u.cert.certContext->cbCertEncoded;
-    }
-    return &io->u.cert.derCert;
-  case CKA_ID:
-    if (!io->u.cert.hasID) {
-      return NULL;
-    }
-    if (0 == io->id.size) {
-      ckcapi_FetchID(io);
-    }
-    return &io->id;
-  default:
-    break;
-  }
-  return NULL;
-}
-
-const NSSItem *
-ckcapi_FetchPubKeyAttribute
-(
-  ckcapiInternalObject *io, 
-  CK_ATTRIBUTE_TYPE type
-)
-{
-  PRBool isCertType = (ckcapiCert == io->type);
-  ckcapiKeyParams *kp = isCertType ? &io->u.cert.key : &io->u.key.key;
-  
-  switch(type) {
-  case CKA_CLASS:
-    return &ckcapi_pubKeyClassItem;
-  case CKA_TOKEN:
-  case CKA_LOCAL:
-  case CKA_ENCRYPT:
-  case CKA_VERIFY:
-  case CKA_VERIFY_RECOVER:
-    return &ckcapi_trueItem;
-  case CKA_PRIVATE:
-  case CKA_MODIFIABLE:
-  case CKA_DERIVE:
-  case CKA_WRAP:
-    return &ckcapi_falseItem;
-  case CKA_KEY_TYPE:
-    return &ckcapi_rsaItem;
-  case CKA_LABEL:
-    if (!isCertType) {
-      return &ckcapi_emptyItem;
-    }
-    if (0 == io->u.cert.label.size) {
-      ckcapi_FetchLabel(io);
-    }
-    return &io->u.cert.label;
-  case CKA_SUBJECT:
-    if (!isCertType) {
-      return &ckcapi_emptyItem;
-    }
-    if (0 == io->u.cert.subject.size) {
-      PCCERT_CONTEXT certContext= io->u.cert.certContext;
-      io->u.cert.subject.data = certContext->pCertInfo->Subject.pbData;
-      io->u.cert.subject.size = certContext->pCertInfo->Subject.cbData;
-    }
-    return &io->u.cert.subject;
-  case CKA_MODULUS:
-    if (0 == kp->modulus.size) {
-	ckcapi_PopulateModulusExponent(io);
-    }
-    return &kp->modulus;
-  case CKA_PUBLIC_EXPONENT:
-    if (0 == kp->modulus.size) {
-	ckcapi_PopulateModulusExponent(io);
-    }
-    return &kp->exponent;
-  case CKA_ID:
-    if (0 == io->id.size) {
-      ckcapi_FetchID(io);
-    }
-    return &io->id;
-  default:
-    break;
-  }
-  return NULL;
-}
-
-const NSSItem *
-ckcapi_FetchPrivKeyAttribute
-(
-  ckcapiInternalObject *io, 
-  CK_ATTRIBUTE_TYPE type
-)
-{
-  PRBool isCertType = (ckcapiCert == io->type);
-  ckcapiKeyParams *kp = isCertType ? &io->u.cert.key : &io->u.key.key;
-
-  switch(type) {
-  case CKA_CLASS:
-    return &ckcapi_privKeyClassItem;
-  case CKA_TOKEN:
-  case CKA_LOCAL:
-  case CKA_SIGN:
-  case CKA_DECRYPT:
-  case CKA_SIGN_RECOVER:
-    return &ckcapi_trueItem;
-  case CKA_SENSITIVE:
-  case CKA_PRIVATE:    /* should move in the future */
-  case CKA_MODIFIABLE:
-  case CKA_DERIVE:
-  case CKA_UNWRAP:
-  case CKA_EXTRACTABLE: /* will probably move in the future */
-  case CKA_ALWAYS_SENSITIVE:
-  case CKA_NEVER_EXTRACTABLE:
-    return &ckcapi_falseItem;
-  case CKA_KEY_TYPE:
-    return &ckcapi_rsaItem;
-  case CKA_LABEL:
-    if (!isCertType) {
-      return &ckcapi_emptyItem;
-    }
-    if (0 == io->u.cert.label.size) {
-      ckcapi_FetchLabel(io);
-    }
-    return &io->u.cert.label;
-  case CKA_SUBJECT:
-    if (!isCertType) {
-      return &ckcapi_emptyItem;
-    }
-    if (0 == io->u.cert.subject.size) {
-      PCCERT_CONTEXT certContext= io->u.cert.certContext;
-      io->u.cert.subject.data = certContext->pCertInfo->Subject.pbData;
-      io->u.cert.subject.size = certContext->pCertInfo->Subject.cbData;
-    }
-    return &io->u.cert.subject;
-  case CKA_MODULUS:
-    if (0 == kp->modulus.size) {
-      ckcapi_PopulateModulusExponent(io);
-    }
-    return &kp->modulus;
-  case CKA_PUBLIC_EXPONENT:
-    if (0 == kp->modulus.size) {
-      ckcapi_PopulateModulusExponent(io);
-    }
-    return &kp->exponent;
-  case CKA_PRIVATE_EXPONENT:
-    if (0 == kp->privateExponent.size) {
-      ckcapi_FetchPrivateKey(io);
-    }
-    return &kp->privateExponent;
-  case CKA_PRIME_1:
-    if (0 == kp->privateExponent.size) {
-      ckcapi_FetchPrivateKey(io);
-    }
-    return &kp->prime1;
-  case CKA_PRIME_2:
-    if (0 == kp->privateExponent.size) {
-      ckcapi_FetchPrivateKey(io);
-    }
-    return &kp->prime2;
-  case CKA_EXPONENT_1:
-    if (0 == kp->privateExponent.size) {
-      ckcapi_FetchPrivateKey(io);
-    }
-    return &kp->exponent1;
-  case CKA_EXPONENT_2:
-    if (0 == kp->privateExponent.size) {
-      ckcapi_FetchPrivateKey(io);
-    }
-    return &kp->exponent2;
-  case CKA_COEFFICIENT:
-    if (0 == kp->privateExponent.size) {
-      ckcapi_FetchPrivateKey(io);
-    }
-    return &kp->coefficient;
-  case CKA_ID:
-    if (0 == io->id.size) {
-      ckcapi_FetchID(io);
-    }
-    return &io->id;
-  default:
-    return NULL;
-  }
-}
-
-const NSSItem *
-nss_ckcapi_FetchAttribute
-(
-  ckcapiInternalObject *io, 
-  CK_ATTRIBUTE_TYPE type
-)
-{
-  CK_ULONG i;
-
-  if (io->type == ckcapiRaw) {
-    for( i = 0; i < io->u.raw.n; i++ ) {
-      if( type == io->u.raw.types[i] ) {
-        return &io->u.raw.items[i];
-      }
-    }
-    return NULL;
-  }
-  /* deal with the common attributes */
-  switch (io->objClass) {
-  case CKO_CERTIFICATE:
-   return ckcapi_FetchCertAttribute(io, type); 
-  case CKO_PRIVATE_KEY:
-   return ckcapi_FetchPrivKeyAttribute(io, type); 
-  case CKO_PUBLIC_KEY:
-   return ckcapi_FetchPubKeyAttribute(io, type); 
-  }
-  return NULL;
-}
-
-/*
- * check to see if the certificate already exists
- */
-static PRBool
-ckcapi_cert_exists(
-  NSSItem *value,
-  ckcapiInternalObject **io
-)
-{
-  int count,i;
-  PRUint32 size = 0;
-  ckcapiInternalObject **listp = NULL;
-  CK_ATTRIBUTE myTemplate[2];
-  CK_OBJECT_CLASS cert_class = CKO_CERTIFICATE;
-  CK_ULONG templateCount = 2;
-  CK_RV error;
-  PRBool found = PR_FALSE;
-
-  myTemplate[0].type = CKA_CLASS;
-  myTemplate[0].pValue = &cert_class;
-  myTemplate[0].ulValueLen = sizeof(cert_class);
-  myTemplate[1].type = CKA_VALUE;
-  myTemplate[1].pValue = value->data;
-  myTemplate[1].ulValueLen = value->size;
-
-  count = nss_ckcapi_collect_all_certs(myTemplate, templateCount, &listp, 
-			&size, 0, &error);
-
-  /* free them */
-  if (count > 1) {
-    *io = listp[0];
-    found = PR_TRUE;
-  }
-    
-  for (i=1; i < count; i++) {
-    nss_ckcapi_DestroyInternalObject(listp[i]);
-  }
-  nss_ZFreeIf(listp);
-  return found;
-}
-
-static PRBool
-ckcapi_cert_hasEmail
-(
-  PCCERT_CONTEXT certContext
-)
-{
-  int count;
-
-  count = CertGetNameString(certContext, CERT_NAME_EMAIL_TYPE, 
-                            0, NULL, NULL, 0);
-
-  return count > 1 ? PR_TRUE : PR_FALSE;
-}
-
-static PRBool
-ckcapi_cert_isRoot
-(
-  PCCERT_CONTEXT certContext
-)
-{
-  return CertCompareCertificateName(certContext->dwCertEncodingType,
-	&certContext->pCertInfo->Issuer, &certContext->pCertInfo->Subject);
-}
-
-static PRBool
-ckcapi_cert_isCA
-(
-  PCCERT_CONTEXT certContext
-)
-{
-  PCERT_EXTENSION extension;
-  CERT_BASIC_CONSTRAINTS2_INFO basicInfo;
-  DWORD size = sizeof(basicInfo);
-  BOOL rc;
-
-  extension = CertFindExtension (szOID_BASIC_CONSTRAINTS,
-				certContext->pCertInfo->cExtension,
-				certContext->pCertInfo->rgExtension);
-  if ((PCERT_EXTENSION) NULL == extension ) {
-    return PR_FALSE;
-  }
-  rc = CryptDecodeObject(X509_ASN_ENCODING, szOID_BASIC_CONSTRAINTS2,
-          extension->Value.pbData, extension->Value.cbData, 
-          0, &basicInfo, &size);
-  if (!rc) {
-    return PR_FALSE;
-  }
-  return (PRBool) basicInfo.fCA;
-}
-
-static CRYPT_KEY_PROV_INFO *
-ckcapi_cert_getPrivateKeyInfo
-(
-  PCCERT_CONTEXT certContext,
-  NSSItem *keyID
-)
-{
-  BOOL rc;
-  CRYPT_HASH_BLOB msKeyID;
-  DWORD size = 0;
-  CRYPT_KEY_PROV_INFO *prov = NULL;
-
-  msKeyID.cbData = keyID->size;
-  msKeyID.pbData = keyID->data;
-
-  rc = CryptGetKeyIdentifierProperty(
-	  &msKeyID,
-       	  CERT_KEY_PROV_INFO_PROP_ID,
-	  0, NULL, NULL, NULL, &size);
-  if (!rc) {
-    return (CRYPT_KEY_PROV_INFO *)NULL;
-  }
-  prov = (CRYPT_KEY_PROV_INFO *)nss_ZNEWARRAY(NULL, char, size);
-  if ((CRYPT_KEY_PROV_INFO *)prov == NULL) {
-    return (CRYPT_KEY_PROV_INFO *) NULL;
-  }
-  rc = CryptGetKeyIdentifierProperty(
-	  &msKeyID,
-       	  CERT_KEY_PROV_INFO_PROP_ID,
-	  0, NULL, NULL, prov, &size);
-  if (!rc) {
-    nss_ZFreeIf(prov);
-    return (CRYPT_KEY_PROV_INFO *)NULL;
-  }
-  
-  return prov;
-}
-
-static CRYPT_KEY_PROV_INFO *
-ckcapi_cert_getProvInfo
-(
-  ckcapiInternalObject *io
-)
-{
-  BOOL rc;
-  DWORD size = 0;
-  CRYPT_KEY_PROV_INFO *prov = NULL;
-
-  rc = CertGetCertificateContextProperty(
-	  io->u.cert.certContext,
-       	  CERT_KEY_PROV_INFO_PROP_ID,
-	  NULL, &size);
-  if (!rc) {
-    return (CRYPT_KEY_PROV_INFO *)NULL;
-  }
-  prov = (CRYPT_KEY_PROV_INFO *)nss_ZNEWARRAY(NULL, char, size);
-  if ((CRYPT_KEY_PROV_INFO *)prov == NULL) {
-    return (CRYPT_KEY_PROV_INFO *) NULL;
-  }
-  rc = CertGetCertificateContextProperty(
-	  io->u.cert.certContext,
-       	  CERT_KEY_PROV_INFO_PROP_ID,
-	  prov, &size);
-  if (!rc) {
-    nss_ZFreeIf(prov);
-    return (CRYPT_KEY_PROV_INFO *)NULL;
-  }
-
-  return prov;
-}
-  
-/* forward declaration */
-static void
-ckcapi_removeObjectFromHash
-(
-  ckcapiInternalObject *io
-);
-
-/*
- * Finalize - unneeded
- * Destroy 
- * IsTokenObject - CK_TRUE
- * GetAttributeCount
- * GetAttributeTypes
- * GetAttributeSize
- * GetAttribute
- * SetAttribute
- * GetObjectSize
- */
-
-static CK_RV
-ckcapi_mdObject_Destroy
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  ckcapiInternalObject *io = (ckcapiInternalObject *)mdObject->etc;
-  CK_OBJECT_CLASS objClass;
-  BOOL rc;
-  DWORD provType;
-  DWORD msError;
-  PRBool isCertType = (PRBool)(ckcapiCert == io->type);
-  HCERTSTORE hStore = 0;
-
-  if (ckcapiRaw == io->type) {
-    /* there is not 'object write protected' error, use the next best thing */
-    return CKR_TOKEN_WRITE_PROTECTED;
-  }
-
-  objClass = io->objClass;
-  if (CKO_CERTIFICATE == objClass) {
-    PCCERT_CONTEXT certContext;
-
-    /* get the store */
-    hStore = CertOpenSystemStore(0, io->u.cert.certStore);
-    if (0 == hStore) {
-      rc = 0;
-      goto loser;
-    }
-    certContext = CertFindCertificateInStore(hStore, X509_ASN_ENCODING, 0, 
-      CERT_FIND_EXISTING, io->u.cert.certContext, NULL); 
-    if ((PCCERT_CONTEXT)NULL ==  certContext) {
-      rc = 0;
-      goto loser;
-    }
-    rc = CertDeleteCertificateFromStore(certContext);
-    CertFreeCertificateContext(certContext);
-  } else {
-    char *provName = NULL;
-    char *containerName = NULL;
-    HCRYPTPROV hProv;
-    CRYPT_HASH_BLOB msKeyID;
-
-    if (0 == io->id.size) {
-      ckcapi_FetchID(io);
-    }
-
-    if (isCertType) {
-      CRYPT_KEY_PROV_INFO * provInfo = ckcapi_cert_getProvInfo(io);
-      provName = nss_ckcapi_WideToUTF8(provInfo->pwszProvName);
-      containerName = nss_ckcapi_WideToUTF8(provInfo->pwszContainerName);
-      provType = provInfo->dwProvType;
-      nss_ZFreeIf(provInfo);
-    } else {
-      provName = io->u.key.provName;
-      containerName = io->u.key.containerName;
-      provType = io->u.key.provInfo.dwProvType;
-      io->u.key.provName = NULL;
-      io->u.key.containerName = NULL;
-    }
-    /* first remove the key id pointer */
-    msKeyID.cbData = io->id.size;
-    msKeyID.pbData = io->id.data;
-    rc = CryptSetKeyIdentifierProperty(&msKeyID, 
-	CERT_KEY_PROV_INFO_PROP_ID, CRYPT_KEYID_DELETE_FLAG, NULL, NULL, NULL);
-    if (rc) {
-      rc = CryptAcquireContext(&hProv, containerName, provName, provType,
-		CRYPT_DELETEKEYSET);
-    }
-    nss_ZFreeIf(provName);
-    nss_ZFreeIf(containerName);
-  }
-loser:
-
-  if (hStore) {
-    CertCloseStore(hStore, 0);
-  }
-  if (!rc) {
-    msError = GetLastError();
-    return CKR_GENERAL_ERROR;
-  }
-
-  /* remove it from the hash */
-  ckcapi_removeObjectFromHash(io);
-
-  /* free the puppy.. */
-  nss_ckcapi_DestroyInternalObject(io);
-  return CKR_OK;
-}
-
-static CK_BBOOL
-ckcapi_mdObject_IsTokenObject
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  return CK_TRUE;
-}
-
-static CK_ULONG
-ckcapi_mdObject_GetAttributeCount
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  ckcapiInternalObject *io = (ckcapiInternalObject *)mdObject->etc;
-
-  if (ckcapiRaw == io->type) {
-     return io->u.raw.n;
-  }
-  switch (io->objClass) {
-  case CKO_CERTIFICATE:
-    return certAttrsCount;
-  case CKO_PUBLIC_KEY:
-    return pubKeyAttrsCount;
-  case CKO_PRIVATE_KEY:
-    return privKeyAttrsCount;
-  default:
-    break;
-  }
-  return 0;
-}
-
-static CK_RV
-ckcapi_mdObject_GetAttributeTypes
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_ATTRIBUTE_TYPE_PTR typeArray,
-  CK_ULONG ulCount
-)
-{
-  ckcapiInternalObject *io = (ckcapiInternalObject *)mdObject->etc;
-  CK_ULONG i;
-  CK_RV error = CKR_OK;
-  const CK_ATTRIBUTE_TYPE *attrs = NULL;
-  CK_ULONG size = ckcapi_mdObject_GetAttributeCount(
-			mdObject, fwObject, mdSession, fwSession, 
-			mdToken, fwToken, mdInstance, fwInstance, &error);
-
-  if( size != ulCount ) {
-    return CKR_BUFFER_TOO_SMALL;
-  }
-  if (io->type == ckcapiRaw) {
-    attrs = io->u.raw.types;
-  } else switch(io->objClass) {
-    case CKO_CERTIFICATE:
-      attrs = certAttrs;
-      break;
-    case CKO_PUBLIC_KEY:
-      attrs = pubKeyAttrs;
-      break;
-    case CKO_PRIVATE_KEY:
-      attrs = privKeyAttrs;
-      break;
-    default:
-      return CKR_OK;
-  }
-  
-  for( i = 0; i < size; i++) {
-    typeArray[i] = attrs[i];
-  }
-
-  return CKR_OK;
-}
-
-static CK_ULONG
-ckcapi_mdObject_GetAttributeSize
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_ATTRIBUTE_TYPE attribute,
-  CK_RV *pError
-)
-{
-  ckcapiInternalObject *io = (ckcapiInternalObject *)mdObject->etc;
-
-  const NSSItem *b;
-
-  b = nss_ckcapi_FetchAttribute(io, attribute);
-
-  if ((const NSSItem *)NULL == b) {
-    *pError = CKR_ATTRIBUTE_TYPE_INVALID;
-    return 0;
-  }
-  return b->size;
-}
-
-static CK_RV
-ckcapi_mdObject_SetAttribute
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_ATTRIBUTE_TYPE attribute,
-  NSSItem           *value
-)
-{
-  return CKR_OK;
-}
-
-static NSSCKFWItem
-ckcapi_mdObject_GetAttribute
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_ATTRIBUTE_TYPE attribute,
-  CK_RV *pError
-)
-{
-  NSSCKFWItem mdItem;
-  ckcapiInternalObject *io = (ckcapiInternalObject *)mdObject->etc;
-
-  mdItem.needsFreeing = PR_FALSE;
-  mdItem.item = (NSSItem*)nss_ckcapi_FetchAttribute(io, attribute);
-
-  if ((NSSItem *)NULL == mdItem.item) {
-    *pError = CKR_ATTRIBUTE_TYPE_INVALID;
-  }
-
-  return mdItem;
-}
-
-static CK_ULONG
-ckcapi_mdObject_GetObjectSize
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  ckcapiInternalObject *io = (ckcapiInternalObject *)mdObject->etc;
-  CK_ULONG rv = 1;
-
-  /* size is irrelevant to this token */
-  return rv;
-}
-
-static const NSSCKMDObject
-ckcapi_prototype_mdObject = {
-  (void *)NULL, /* etc */
-  NULL, /* Finalize */
-  ckcapi_mdObject_Destroy,
-  ckcapi_mdObject_IsTokenObject,
-  ckcapi_mdObject_GetAttributeCount,
-  ckcapi_mdObject_GetAttributeTypes,
-  ckcapi_mdObject_GetAttributeSize,
-  ckcapi_mdObject_GetAttribute,
-  NULL, /* FreeAttribute */
-  ckcapi_mdObject_SetAttribute,
-  ckcapi_mdObject_GetObjectSize,
-  (void *)NULL /* null terminator */
-};
-
-static nssHash *ckcapiInternalObjectHash = NULL;
-
-NSS_IMPLEMENT NSSCKMDObject *
-nss_ckcapi_CreateMDObject
-(
-  NSSArena *arena,
-  ckcapiInternalObject *io,
-  CK_RV *pError
-)
-{
-  if ((nssHash *)NULL == ckcapiInternalObjectHash) {
-    ckcapiInternalObjectHash = nssHash_CreateItem(NULL, 10);
-  }
-  if (ckcapiCert == io->type) {
-    /* the hash key, not a cryptographic key */
-    NSSItem *key = &io->hashKey;
-    ckcapiInternalObject *old_o = NULL;
-
-    if (key->size == 0) {
-      ckcapi_FetchHashKey(io);
-    }
-    old_o = (ckcapiInternalObject *) 
-              nssHash_Lookup(ckcapiInternalObjectHash, key);
-    if (!old_o) {
-      nssHash_Add(ckcapiInternalObjectHash, key, io);
-    } else if (old_o != io) {
-      nss_ckcapi_DestroyInternalObject(io);
-      io = old_o;
-    }
-  }
-    
-  if ( (void*)NULL == io->mdObject.etc) {
-    (void) nsslibc_memcpy(&io->mdObject,&ckcapi_prototype_mdObject,
-					sizeof(ckcapi_prototype_mdObject));
-    io->mdObject.etc = (void *)io;
-  }
-  return &io->mdObject;
-}
-
-static void
-ckcapi_removeObjectFromHash
-(
-  ckcapiInternalObject *io
-)
-{
-  NSSItem *key = &io->hashKey;
-
-  if ((nssHash *)NULL == ckcapiInternalObjectHash) {
-    return;
-  }
-  if (key->size == 0) {
-    ckcapi_FetchHashKey(io);
-  }
-  nssHash_Remove(ckcapiInternalObjectHash, key);
-  return;
-}
-
-void
-nss_ckcapi_DestroyInternalObject
-(
-  ckcapiInternalObject *io
-)
-{
-  switch (io->type) {
-  case ckcapiRaw:
-    return;
-  case ckcapiCert:
-    CertFreeCertificateContext(io->u.cert.certContext);
-    nss_ZFreeIf(io->u.cert.labelData);
-    nss_ZFreeIf(io->u.cert.key.privateKey);
-    nss_ZFreeIf(io->u.cert.key.pubKey);
-    nss_ZFreeIf(io->idData);
-    break;
-  case ckcapiBareKey:
-    nss_ZFreeIf(io->u.key.provInfo.pwszContainerName);
-    nss_ZFreeIf(io->u.key.provInfo.pwszProvName);
-    nss_ZFreeIf(io->u.key.provName);
-    nss_ZFreeIf(io->u.key.containerName);
-    nss_ZFreeIf(io->u.key.key.privateKey);
-    nss_ZFreeIf(io->u.key.key.pubKey);
-    if (0 != io->u.key.hProv) {
-      CryptReleaseContext(io->u.key.hProv, 0);
-    }
-    nss_ZFreeIf(io->idData);
-    break;
-  }
-  nss_ZFreeIf(io);
-  return;
-}
-
-static ckcapiInternalObject *
-nss_ckcapi_CreateCertificate
-(
-  NSSCKFWSession *fwSession,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_RV *pError
-)
-{
-  NSSItem value;
-  NSSItem keyID;
-  char *storeStr;
-  ckcapiInternalObject *io = NULL;
-  PCCERT_CONTEXT certContext = NULL;
-  PCCERT_CONTEXT storedCertContext = NULL;
-  CRYPT_KEY_PROV_INFO *prov_info = NULL;
-  HCERTSTORE hStore = 0;
-  DWORD msError = 0;
-  PRBool hasID;
-  BOOL rc;
-
-  *pError = nss_ckcapi_GetAttribute(CKA_VALUE, pTemplate, 
-				  ulAttributeCount, &value);
-
-  if (CKR_OK != *pError) {
-    return (ckcapiInternalObject *)NULL;
-  }
-
-  *pError = nss_ckcapi_GetAttribute(CKA_ID, pTemplate, 
-				  ulAttributeCount, &keyID);
-
-  if (CKR_OK != *pError) {
-    return (ckcapiInternalObject *)NULL;
-  }
-
-  if (ckcapi_cert_exists(&value, &io)) {
-    return io;
-  }
-
-  /* OK, we are creating a new one, figure out what store it belongs to.. 
-   * first get a certContext handle.. */
-  certContext = CertCreateCertificateContext(X509_ASN_ENCODING, 
-                                             value.data, value.size);
-  if ((PCCERT_CONTEXT) NULL == certContext) {
-    msError = GetLastError();
-    *pError = CKR_ATTRIBUTE_VALUE_INVALID;
-    goto loser;
-  }
-
-  /* do we have a private key laying around... */
-  prov_info = ckcapi_cert_getPrivateKeyInfo(certContext, &keyID);
-  if (prov_info) {
-    CRYPT_DATA_BLOB msKeyID;
-    storeStr = "My";
-    hasID = PR_TRUE;
-    rc = CertSetCertificateContextProperty(certContext,
-       	        CERT_KEY_PROV_INFO_PROP_ID,
-                0, prov_info);
-    nss_ZFreeIf(prov_info);
-    if (!rc) {
-      msError = GetLastError();
-      *pError = CKR_DEVICE_ERROR;
-      goto loser;
-    }
-    msKeyID.cbData = keyID.size;
-    msKeyID.pbData = keyID.data;
-    rc = CertSetCertificateContextProperty(certContext,
-       	        CERT_KEY_IDENTIFIER_PROP_ID,
-                0, &msKeyID);
-    if (!rc) {
-      msError = GetLastError();
-      *pError = CKR_DEVICE_ERROR;
-      goto loser;
-    }
-  /* does it look like a CA */
-  } else if (ckcapi_cert_isCA(certContext)) {
-    storeStr = ckcapi_cert_isRoot(certContext) ? "CA" : "Root";
-  /* does it look like an S/MIME cert */
-  } else if (ckcapi_cert_hasEmail(certContext)) {
-    storeStr = "AddressBook";
-  } else {
-  /* just pick a store */
-    storeStr = "CA";
-  }
-
-  hStore = CertOpenSystemStore((HCRYPTPROV) NULL, storeStr);
-  if (0 == hStore) {
-    msError = GetLastError();
-    *pError = CKR_DEVICE_ERROR;
-    goto loser;
-  }
-
-  rc = CertAddCertificateContextToStore(hStore, certContext, 
-       CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES, &storedCertContext);
-  CertFreeCertificateContext(certContext);
-  certContext = NULL;
-  CertCloseStore(hStore, 0);
-  hStore = 0;
-  if (!rc) {
-    msError = GetLastError();
-    *pError = CKR_DEVICE_ERROR;
-    goto loser;
-  }
-
-  io = nss_ZNEW(NULL, ckcapiInternalObject);
-  if ((ckcapiInternalObject *)NULL == io) {
-    *pError = CKR_HOST_MEMORY;
-    goto loser;
-  }
-  io->type = ckcapiCert;
-  io->objClass = CKO_CERTIFICATE;
-  io->u.cert.certContext = storedCertContext;
-  io->u.cert.hasID = hasID;
-  return io;
-
-loser:
-  if (certContext) {
-    CertFreeCertificateContext(certContext);
-    certContext = NULL;
-  }
-  if (storedCertContext) {
-    CertFreeCertificateContext(storedCertContext);
-    storedCertContext = NULL;
-  }
-  if (0 != hStore) {
-    CertCloseStore(hStore, 0);
-  }
-  return (ckcapiInternalObject *)NULL;
-
-}
-
-static char *
-ckcapi_getDefaultProvider
-(
-  CK_RV *pError
-)
-{
-  char *name = NULL;
-  BOOL rc;
-  DWORD nameLength = 0;
-
-  rc = CryptGetDefaultProvider(PROV_RSA_FULL, NULL, CRYPT_USER_DEFAULT, NULL,
-		&nameLength);
-  if (!rc) {
-    return (char *)NULL;
-  }
-
-  name = nss_ZNEWARRAY(NULL, char, nameLength);
-  if ((char *)NULL == name ) {
-    return (char *)NULL;
-  }
-  rc = CryptGetDefaultProvider(PROV_RSA_FULL, NULL, CRYPT_USER_DEFAULT, name,
-		&nameLength);
-  if (!rc) {
-    nss_ZFreeIf(name);
-    return (char *)NULL;
-  }
-
-  return name;
-}
-
-static char *
-ckcapi_getContainer
-(
-  CK_RV *pError,
-  NSSItem *id
-)
-{
-  RPC_STATUS rstat;
-  UUID uuid;
-  char *uuidStr;
-  char *container;
-
-  rstat = UuidCreate(&uuid);
-  rstat = UuidToString(&uuid, &uuidStr);
-
-  /* convert it from rcp memory to our own */
-  container = nssUTF8_Duplicate(uuidStr, NULL);
-  RpcStringFree(&uuidStr);
-  
-  return container;
-}
-
-static CK_RV
-ckcapi_buildPrivateKeyBlob
-(
-  NSSItem  *keyBlob, 
-  NSSItem  *modulus,
-  NSSItem  *publicExponent,
-  NSSItem  *privateExponent,
-  NSSItem  *prime1,
-  NSSItem  *prime2,
-  NSSItem  *exponent1,
-  NSSItem  *exponent2,
-  NSSItem  *coefficient, 
-  PRBool   isKeyExchange
-)
-{
-  CAPI_RSA_KEY_BLOB *keyBlobData = NULL;
-  unsigned char *target;
-  unsigned long modSize = modulus->size;
-  unsigned long dataSize;
-  CK_RV error = CKR_OK;
-
-  /* validate extras */
-  if (privateExponent->size != modSize) {
-    error = CKR_ATTRIBUTE_VALUE_INVALID;
-    goto loser;
-  }
-  if (prime1->size != modSize/2) {
-    error = CKR_ATTRIBUTE_VALUE_INVALID;
-    goto loser;
-  }
-  if (prime2->size != modSize/2) {
-    error = CKR_ATTRIBUTE_VALUE_INVALID;
-    goto loser;
-  }
-  if (exponent1->size != modSize/2) {
-    error = CKR_ATTRIBUTE_VALUE_INVALID;
-    goto loser;
-  }
-  if (exponent2->size != modSize/2) {
-    error = CKR_ATTRIBUTE_VALUE_INVALID;
-    goto loser;
-  }
-  if (coefficient->size != modSize/2) {
-    error = CKR_ATTRIBUTE_VALUE_INVALID;
-    goto loser;
-  }
-  dataSize = (modSize*4)+(modSize/2) + sizeof(CAPI_RSA_KEY_BLOB);
-  keyBlobData = (CAPI_RSA_KEY_BLOB *)nss_ZNEWARRAY(NULL, char, dataSize);
-  if ((CAPI_RSA_KEY_BLOB *)NULL == keyBlobData) {
-    error = CKR_HOST_MEMORY;
-    goto loser;
-  }
-
-  keyBlobData->header.bType = PRIVATEKEYBLOB;
-  keyBlobData->header.bVersion = 0x02;
-  keyBlobData->header.reserved = 0x00;
-  keyBlobData->header.aiKeyAlg = isKeyExchange ? CALG_RSA_KEYX:CALG_RSA_SIGN;
-  keyBlobData->rsa.magic = 0x32415352;
-  keyBlobData->rsa.bitlen = modSize * 8;
-  keyBlobData->rsa.pubexp = nss_ckcapi_DataToInt(publicExponent,&error);
-  if (CKR_OK != error) {
-    goto loser;
-  }
-
-  target = &keyBlobData->data[CAPI_MODULUS_OFFSET(modSize)];
-  nsslibc_memcpy(target, modulus->data, modulus->size);
-  modulus->data = target;
-  ckcapi_ReverseData(modulus);
-
-  target = &keyBlobData->data[CAPI_PRIVATE_EXP_OFFSET(modSize)];
-  nsslibc_memcpy(target, privateExponent->data, privateExponent->size);
-  privateExponent->data = target;
-  ckcapi_ReverseData(privateExponent);
-
-  target = &keyBlobData->data[CAPI_PRIME_1_OFFSET(modSize)];
-  nsslibc_memcpy(target, prime1->data, prime1->size);
-  prime1->data = target;
-  ckcapi_ReverseData(prime1);
-
-  target = &keyBlobData->data[CAPI_PRIME_2_OFFSET(modSize)];
-  nsslibc_memcpy(target, prime2->data, prime2->size);
-  prime2->data = target;
-  ckcapi_ReverseData(prime2);
-
-  target = &keyBlobData->data[CAPI_EXPONENT_1_OFFSET(modSize)];
-  nsslibc_memcpy(target, exponent1->data, exponent1->size);
-  exponent1->data = target;
-  ckcapi_ReverseData(exponent1);
-
-  target = &keyBlobData->data[CAPI_EXPONENT_2_OFFSET(modSize)];
-  nsslibc_memcpy(target, exponent2->data, exponent2->size);
-  exponent2->data = target;
-  ckcapi_ReverseData(exponent2);
-
-  target = &keyBlobData->data[CAPI_COEFFICIENT_OFFSET(modSize)];
-  nsslibc_memcpy(target, coefficient->data, coefficient->size);
-  coefficient->data = target;
-  ckcapi_ReverseData(coefficient);
-
-  keyBlob->data = keyBlobData;
-  keyBlob->size = dataSize;
-
-  return CKR_OK;
-
-loser:
-  nss_ZFreeIf(keyBlobData);
-  return error;
-}
-
-static ckcapiInternalObject *
-nss_ckcapi_CreatePrivateKey
-(
-  NSSCKFWSession *fwSession,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_RV *pError
-)
-{
-  NSSItem modulus;
-  NSSItem publicExponent;
-  NSSItem privateExponent;
-  NSSItem exponent1;
-  NSSItem exponent2;
-  NSSItem prime1;
-  NSSItem prime2;
-  NSSItem coefficient;
-  NSSItem keyID;
-  NSSItem keyBlob;
-  ckcapiInternalObject *io = NULL;
-  char *providerName = NULL;
-  char *containerName = NULL;
-  char *idData = NULL;
-  CRYPT_KEY_PROV_INFO provInfo;
-  CRYPT_HASH_BLOB msKeyID;
-  CK_KEY_TYPE keyType;
-  HCRYPTPROV hProv = 0;
-  HCRYPTKEY hKey = 0;
-  PRBool decrypt;
-  DWORD keySpec;
-  DWORD msError;
-  BOOL rc;
-
-  keyType = nss_ckcapi_GetULongAttribute
-                  (CKA_KEY_TYPE, pTemplate, ulAttributeCount, pError);
-  if (CKR_OK != *pError) {
-    return (ckcapiInternalObject *)NULL;
-  }
-  if (CKK_RSA != keyType) {
-    *pError = CKR_ATTRIBUTE_VALUE_INVALID;
-    return (ckcapiInternalObject *)NULL;
-  }
-
-  decrypt = nss_ckcapi_GetBoolAttribute(CKA_DECRYPT, 
-				pTemplate, ulAttributeCount, pError);
-  if (CKR_TEMPLATE_INCOMPLETE == *pError) {
-    decrypt = PR_TRUE; /* default to true */
-  }
-  decrypt = decrypt || nss_ckcapi_GetBoolAttribute(CKA_UNWRAP, 
-				pTemplate, ulAttributeCount, pError);
-  if (CKR_TEMPLATE_INCOMPLETE == *pError) {
-    decrypt = PR_TRUE; /* default to true */
-  }
-  keySpec = decrypt ? AT_KEYEXCHANGE : AT_SIGNATURE;
-
-  *pError = nss_ckcapi_GetAttribute(CKA_MODULUS, pTemplate, 
-				  ulAttributeCount, &modulus);
-  if (CKR_OK != *pError) {
-    return (ckcapiInternalObject *)NULL;
-  }
-  *pError = nss_ckcapi_GetAttribute(CKA_PUBLIC_EXPONENT, pTemplate, 
-				  ulAttributeCount, &publicExponent);
-  if (CKR_OK != *pError) {
-    return (ckcapiInternalObject *)NULL;
-  }
-  *pError = nss_ckcapi_GetAttribute(CKA_PRIVATE_EXPONENT, pTemplate, 
-				  ulAttributeCount, &privateExponent);
-  if (CKR_OK != *pError) {
-    return (ckcapiInternalObject *)NULL;
-  }
-  *pError = nss_ckcapi_GetAttribute(CKA_PRIME_1, pTemplate, 
-				  ulAttributeCount, &prime1);
-  if (CKR_OK != *pError) {
-    return (ckcapiInternalObject *)NULL;
-  }
-  *pError = nss_ckcapi_GetAttribute(CKA_PRIME_2, pTemplate, 
-				  ulAttributeCount, &prime2);
-  if (CKR_OK != *pError) {
-    return (ckcapiInternalObject *)NULL;
-  }
-  *pError = nss_ckcapi_GetAttribute(CKA_EXPONENT_1, pTemplate, 
-				  ulAttributeCount, &exponent1);
-  if (CKR_OK != *pError) {
-    return (ckcapiInternalObject *)NULL;
-  }
-  *pError = nss_ckcapi_GetAttribute(CKA_EXPONENT_2, pTemplate, 
-				  ulAttributeCount, &exponent2);
-  if (CKR_OK != *pError) {
-    return (ckcapiInternalObject *)NULL;
-  }
-  *pError = nss_ckcapi_GetAttribute(CKA_COEFFICIENT, pTemplate, 
-				  ulAttributeCount, &coefficient);
-  if (CKR_OK != *pError) {
-    return (ckcapiInternalObject *)NULL;
-  }
-  *pError = nss_ckcapi_GetAttribute(CKA_ID, pTemplate, 
-				  ulAttributeCount, &keyID);
-  if (CKR_OK != *pError) {
-    return (ckcapiInternalObject *)NULL;
-  }
-  providerName = ckcapi_getDefaultProvider(pError);
-  if ((char *)NULL == providerName ) {
-    return (ckcapiInternalObject *)NULL;
-  }
-  containerName = ckcapi_getContainer(pError, &keyID);
-  if ((char *)NULL == providerName ) {
-    goto loser;
-  }
-  rc = CryptAcquireContext(&hProv, containerName, providerName, 
-                           PROV_RSA_FULL, CRYPT_NEWKEYSET);
-  if (!rc) {
-    msError = GetLastError();
-    *pError = CKR_DEVICE_ERROR;
-    goto loser;
-  }
-
-  *pError = ckcapi_buildPrivateKeyBlob(
-		&keyBlob, 
-		&modulus, 
-		&publicExponent, 
-		&privateExponent,
-		&prime1,
-		&prime2, 
-		&exponent1, 
-		&exponent2, 
-		&coefficient, 
-		decrypt);
-  if (CKR_OK != *pError) {
-    goto loser;
-  }
-
-  rc = CryptImportKey(hProv, keyBlob.data, keyBlob.size, 
-		      0, CRYPT_EXPORTABLE, &hKey);
-  if (!rc) {
-    msError = GetLastError();
-    *pError = CKR_DEVICE_ERROR;
-    goto loser;
-  }
-
-  idData = nss_ZNEWARRAY(NULL, char, keyID.size);
-  if ((void *)NULL == idData) {
-    *pError = CKR_HOST_MEMORY;
-    goto loser;
-  }
-  nsslibc_memcpy(idData, keyID.data, keyID.size);
-
-  provInfo.pwszContainerName = nss_ckcapi_UTF8ToWide(containerName);
-  provInfo.pwszProvName = nss_ckcapi_UTF8ToWide(providerName);
-  provInfo.dwProvType = PROV_RSA_FULL;
-  provInfo.dwFlags = 0;
-  provInfo.cProvParam = 0;
-  provInfo.rgProvParam = NULL;
-  provInfo.dwKeySpec = keySpec;
-
-  msKeyID.cbData = keyID.size;
-  msKeyID.pbData = keyID.data;
-
-  rc = CryptSetKeyIdentifierProperty(&msKeyID, CERT_KEY_PROV_INFO_PROP_ID,
-                                     0, NULL, NULL, &provInfo);
-  if (!rc) {
-    goto loser;
-  }
-
-  /* handle error here */
-  io = nss_ZNEW(NULL, ckcapiInternalObject);
-  if ((ckcapiInternalObject *)NULL == io) {
-    *pError = CKR_HOST_MEMORY;
-    goto loser;
-  }
-  io->type = ckcapiBareKey;
-  io->objClass = CKO_PRIVATE_KEY;
-  io->u.key.provInfo = provInfo;
-  io->u.key.provName = providerName;
-  io->u.key.containerName = containerName;
-  io->u.key.hProv = hProv; /* save the handle */
-  io->idData = idData;
-  io->id.data = idData;
-  io->id.size = keyID.size;
-  /* done with the key handle */
-  CryptDestroyKey(hKey);
-  return io;
-
-loser:
-  nss_ZFreeIf(containerName);
-  nss_ZFreeIf(providerName);
-  nss_ZFreeIf(idData);
-  if (0 != hProv) {
-    CryptReleaseContext(hProv, 0);
-  }
-  if (0 != hKey) {
-    CryptDestroyKey(hKey);
-  }
-  return (ckcapiInternalObject *)NULL;
-}
-
-
-NSS_EXTERN NSSCKMDObject *
-nss_ckcapi_CreateObject
-(
-  NSSCKFWSession *fwSession,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_RV *pError
-)
-{
-  CK_OBJECT_CLASS objClass;
-  ckcapiInternalObject *io;
-  CK_BBOOL isToken;
-
-  /*
-   * only create token objects
-   */
-  isToken = nss_ckcapi_GetBoolAttribute(CKA_TOKEN, pTemplate, 
-					ulAttributeCount, pError);
-  if (CKR_OK != *pError) {
-    return (NSSCKMDObject *) NULL;
-  }
-  if (!isToken) {
-    *pError = CKR_ATTRIBUTE_VALUE_INVALID;
-    return (NSSCKMDObject *) NULL;
-  }
-
-  /*
-   * only create keys and certs.
-   */
-  objClass = nss_ckcapi_GetULongAttribute(CKA_CLASS, pTemplate, 
-					  ulAttributeCount, pError);
-  if (CKR_OK != *pError) {
-    return (NSSCKMDObject *) NULL;
-  }
-#ifdef notdef
-  if (objClass == CKO_PUBLIC_KEY) {
-    return CKR_OK; /* fake public key creation, happens as a side effect of
-                    * private key creation */
-  }
-#endif
-  if (objClass == CKO_CERTIFICATE) {
-    io = nss_ckcapi_CreateCertificate(fwSession, pTemplate, 
-				      ulAttributeCount, pError);
-  } else if (objClass == CKO_PRIVATE_KEY) {
-    io = nss_ckcapi_CreatePrivateKey(fwSession, pTemplate, 
-                                     ulAttributeCount, pError);
-  } else {
-    *pError = CKR_ATTRIBUTE_VALUE_INVALID;
-  }
-
-  if ((ckcapiInternalObject *)NULL == io) {
-    return (NSSCKMDObject *) NULL;
-  }
-  return nss_ckcapi_CreateMDObject(NULL, io, pError);
-}
diff --git a/security/nss/lib/ckfw/capi/config.mk b/security/nss/lib/ckfw/capi/config.mk
deleted file mode 100644
index fdfc8cf09..000000000
--- a/security/nss/lib/ckfw/capi/config.mk
+++ /dev/null
@@ -1,71 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
-
-#
-#  Override TARGETS variable so that only shared libraries
-#  are specifed as dependencies within rules.mk.
-#
-
-TARGETS        = $(SHARED_LIBRARY)
-LIBRARY        =
-IMPORT_LIBRARY =
-PROGRAM        =
-
-ifeq (,$(filter-out WIN%,$(OS_TARGET)))
-    SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
-    RES = $(OBJDIR)/$(LIBRARY_NAME).res
-    RESNAME = $(LIBRARY_NAME).rc
-endif
-
-ifdef BUILD_IDG
-    DEFINES += -DNSSDEBUG
-endif
-
-#
-# To create a loadable module on Darwin, we must use -bundle.
-#
-ifeq ($(OS_TARGET),Darwin)
-DSO_LDOPTS = -bundle
-endif
-
-ifeq ($(OS_TARGET),SunOS)
-# The -R '$ORIGIN' linker option instructs this library to search for its
-# dependencies in the same directory where it resides.
-MKSHLIB += -R '$$ORIGIN'
-endif
-
diff --git a/security/nss/lib/ckfw/capi/constants.c b/security/nss/lib/ckfw/capi/constants.c
deleted file mode 100644
index 4e509da65..000000000
--- a/security/nss/lib/ckfw/capi/constants.c
+++ /dev/null
@@ -1,98 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- * Portions created by Red Hat, Inc, are Copyright (C) 2005
- *
- * Contributor(s):
- *   Bob Relyea (rrelyea@redhat.com)
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * ckcapi/constants.c
- *
- * Identification and other constants, all collected here in one place.
- */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-#ifndef NSSCKT_H
-#include "nssckt.h"
-#endif /* NSSCKT_H */
-
-#ifndef NSSCAPI_H
-#include "nsscapi.h"
-#endif /* NSSCAPI_H */
-
-NSS_IMPLEMENT_DATA const CK_VERSION
-nss_ckcapi_CryptokiVersion =  {
-		NSS_CKCAPI_CRYPTOKI_VERSION_MAJOR,
-		NSS_CKCAPI_CRYPTOKI_VERSION_MINOR };
-
-NSS_IMPLEMENT_DATA const NSSUTF8 *
-nss_ckcapi_ManufacturerID = (NSSUTF8 *) "Mozilla Foundation";
-
-NSS_IMPLEMENT_DATA const NSSUTF8 *
-nss_ckcapi_LibraryDescription = (NSSUTF8 *) "NSS Access to Microsoft Certificate Store";
-
-NSS_IMPLEMENT_DATA const CK_VERSION
-nss_ckcapi_LibraryVersion = {
-	NSS_CKCAPI_LIBRARY_VERSION_MAJOR,
-	NSS_CKCAPI_LIBRARY_VERSION_MINOR};
-
-NSS_IMPLEMENT_DATA const NSSUTF8 *
-nss_ckcapi_SlotDescription = (NSSUTF8 *) "Microsoft Certificate Store";
-
-NSS_IMPLEMENT_DATA const CK_VERSION
-nss_ckcapi_HardwareVersion = { 
-	NSS_CKCAPI_HARDWARE_VERSION_MAJOR,
-	NSS_CKCAPI_HARDWARE_VERSION_MINOR };
-
-NSS_IMPLEMENT_DATA const CK_VERSION
-nss_ckcapi_FirmwareVersion = { 
-	NSS_CKCAPI_FIRMWARE_VERSION_MAJOR,
-	NSS_CKCAPI_FIRMWARE_VERSION_MINOR };
-
-NSS_IMPLEMENT_DATA const NSSUTF8 *
-nss_ckcapi_TokenLabel = (NSSUTF8 *) "Microsoft Certificate Store";
-
-NSS_IMPLEMENT_DATA const NSSUTF8 *
-nss_ckcapi_TokenModel = (NSSUTF8 *) "1";
-
-NSS_IMPLEMENT_DATA const NSSUTF8 *
-nss_ckcapi_TokenSerialNumber = (NSSUTF8 *) "1";
-
diff --git a/security/nss/lib/ckfw/capi/crsa.c b/security/nss/lib/ckfw/capi/crsa.c
deleted file mode 100644
index ce0f42797..000000000
--- a/security/nss/lib/ckfw/capi/crsa.c
+++ /dev/null
@@ -1,748 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Red Hat, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2005
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Bob Relyea (rrelyea@redhat.com)
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#include "ckcapi.h"
-#include "secdert.h"
-
-#define SSL3_SHAMD5_HASH_SIZE  36 /* LEN_MD5 (16) + LEN_SHA1 (20) */
-
-/*
- * ckcapi/crsa.c
- *
- * This file implements the NSSCKMDMechnaism and NSSCKMDCryptoOperation objects
- * for the RSA operation on the CAPI cryptoki module.
- */
-
-/*
- * write a Decimal value to a string
- */
-
-static char *
-putDecimalString(char *cstr, unsigned long value)
-{
-  unsigned long tenpower;
-  int first = 1;
-
-  for (tenpower=10000000; tenpower; tenpower /= 10) {
-    unsigned char digit = (unsigned char )(value/tenpower);
-    value = value % tenpower;
-
-    /* drop leading zeros */
-    if (first && (0 == digit)) {
-      continue;
-    }
-    first = 0;
-    *cstr++ = digit + '0';
-  }
-
-  /* if value was zero, put one of them out */
-  if (first) {
-    *cstr++ = '0';
-  }
-  return cstr;
-}
-
-
-/*
- * Create a Capi OID string value from a DER OID
- */
-static char *
-nss_ckcapi_GetOidString
-(
-  unsigned char *oidTag,
-  int oidTagSize,
-  CK_RV *pError
-)
-{
-  unsigned char *oid;
-  char *oidStr;
-  char *cstr;
-  unsigned long value;
-  int oidSize;
-
-  if (DER_OBJECT_ID != *oidTag) {
-    /* wasn't an oid */
-    *pError = CKR_DATA_INVALID;
-    return NULL;
-  }
-  oid = nss_ckcapi_DERUnwrap(oidTag, oidTagSize, &oidSize, NULL);
-
-  if (oidSize < 2) {
-    *pError = CKR_DATA_INVALID;
-    return NULL;
-  }
-
-  oidStr = nss_ZNEWARRAY( NULL, char, oidSize*4 );
-  if ((char *)NULL == oidStr) {
-    *pError = CKR_HOST_MEMORY;
-    return NULL;
-  }
-  cstr = oidStr;
-  cstr = putDecimalString(cstr, (*oid) / 40);
-  *cstr++ = '.';
-  cstr = putDecimalString(cstr, (*oid) % 40);
-  oidSize--;
-
-  value = 0;
-  while (oidSize--) {
-    oid++;
-    value = (value << 7) + (*oid & 0x7f);
-    if (0 == (*oid & 0x80)) {
-      *cstr++ = '.';
-      cstr = putDecimalString(cstr, value);
-      value = 0;
-    }
-  }
-
-  *cstr = 0; /* NULL terminate */
-
-  if (value != 0) {
-    nss_ZFreeIf(oidStr);
-    *pError = CKR_DATA_INVALID;
-    return NULL;
-  }
-  return oidStr;
-}
-
-
-/*
- * PKCS #11 sign for RSA expects to take a fully DER-encoded hash value, 
- * which includes the hash OID. CAPI expects to take a Hash Context. While 
- * CAPI does have the capability of setting a raw hash value, it does not 
- * have the ability to sign an arbitrary value. This function tries to
- * reduce the passed in data into something that CAPI could actually sign.
- */
-static CK_RV
-ckcapi_GetRawHash
-(
-  const NSSItem *input,
-  NSSItem *hash, 
-  ALG_ID *hashAlg
-)
-{
-   unsigned char *current;
-   unsigned char *algid;
-   unsigned char *oid;
-   unsigned char *hashData;
-   char *oidStr;
-   CK_RV error;
-   int oidSize;
-   int size;
-   /*
-    * there are 2 types of hashes NSS typically tries to sign, regular
-    * RSA signature format (with encoded DER_OIDS), and SSL3 Signed hashes.
-    * CAPI knows not to add any oids to SSL3_Signed hashes, so if we have any
-    * random hash that is exactly the same size as an SSL3 hash, then we can
-    * just pass the data through. CAPI has know way of knowing if the value
-    * is really a combined hash or some other arbitrary data, so it's safe to
-    * handle this case first.
-    */
-  if (SSL3_SHAMD5_HASH_SIZE == input->size) {
-    hash->data = input->data;
-    hash->size = input->size;
-    *hashAlg = CALG_SSL3_SHAMD5;
-    return CKR_OK;
-  }
-
-  current = (unsigned char *)input->data;
-
-  /* make sure we have a sequence tag */
-  if ((DER_SEQUENCE|DER_CONSTRUCTED) != *current) {
-    return CKR_DATA_INVALID;
-  }
-
-  /* parse the input block to get 1) the hash oid, and 2) the raw hash value.
-   * unfortunatly CAPI doesn't have a builtin function to do this work, so
-   * we go ahead and do it by hand here.
-   *
-   * format is:
-   *  SEQUENCE {
-   *     SECQUENCE { // algid
-   *       OID {}    // oid
-   *       ANY {}    // optional params 
-   *     }
-   *     OCTECT {}   // hash
-   */
-
-  /* unwrap */
-  algid = nss_ckcapi_DERUnwrap(current,input->size, &size, NULL);
-  
-  if (algid+size != current+input->size) {
-    /* make sure there is not extra data at the end */
-    return CKR_DATA_INVALID;
-  }
-
-  if ((DER_SEQUENCE|DER_CONSTRUCTED) != *algid) {
-    /* wasn't an algid */
-    return CKR_DATA_INVALID;
-  }
-  oid = nss_ckcapi_DERUnwrap(algid, size, &oidSize, &hashData);
-
-  if (DER_OCTET_STRING != *hashData) {
-    /* wasn't a hash */
-    return CKR_DATA_INVALID;
-  }
-
-  /* get the real hash */
-  current = hashData;
-  size = size - (hashData-algid);
-  hash->data = nss_ckcapi_DERUnwrap(current, size, &hash->size, NULL);
-
-  /* get the real oid as a string. Again, Microsoft does not
-   * export anything that does this for us */
-  oidStr = nss_ckcapi_GetOidString(oid, oidSize, &error);
-  if ((char *)NULL == oidStr ) {
-    return error;
-  }
-
-  /* look up the hash alg from the oid (fortunately CAPI does to this) */ 
-  *hashAlg = CertOIDToAlgId(oidStr);
-  nss_ZFreeIf(oidStr);
-  if (0 == *hashAlg) {
-    return CKR_HOST_MEMORY;
-  }
-
-  /* hash looks reasonably consistent, we should be able to sign it now */
-  return CKR_OK;
-}
-
-/*
- * So everyone else in the worlds stores their bignum data MSB first, but not
- * Microsoft, we need to byte swap everything coming into and out of CAPI.
- */
-void
-ckcapi_ReverseData(NSSItem *item)
-{
-  int end = (item->size)-1;
-  int middle = (item->size)/2;
-  unsigned char *buf = item->data;
-  int i;
-
-  for (i=0; i < middle; i++) {
-    unsigned char  tmp = buf[i];
-    buf[i] = buf[end-i];
-    buf[end-i] = tmp;
-  }
-  return;
-}
-
-typedef struct ckcapiInternalCryptoOperationRSAPrivStr 
-               ckcapiInternalCryptoOperationRSAPriv;
-struct ckcapiInternalCryptoOperationRSAPrivStr
-{
-  NSSCKMDCryptoOperation mdOperation;
-  NSSCKMDMechanism     *mdMechanism;
-  ckcapiInternalObject *iKey;
-  HCRYPTPROV           hProv;
-  DWORD                keySpec;
-  HCRYPTKEY            hKey;
-  NSSItem	       *buffer;
-};
-
-/*
- * ckcapi_mdCryptoOperationRSAPriv_Create
- */
-static NSSCKMDCryptoOperation *
-ckcapi_mdCryptoOperationRSAPriv_Create
-(
-  const NSSCKMDCryptoOperation *proto,
-  NSSCKMDMechanism *mdMechanism,
-  NSSCKMDObject *mdKey,
-  CK_RV *pError
-)
-{
-  ckcapiInternalObject *iKey = (ckcapiInternalObject *)mdKey->etc;
-  const NSSItem *classItem = nss_ckcapi_FetchAttribute(iKey, CKA_CLASS);
-  const NSSItem *keyType = nss_ckcapi_FetchAttribute(iKey, CKA_KEY_TYPE);
-  ckcapiInternalCryptoOperationRSAPriv *iOperation;
-  CK_RV   error;
-  HCRYPTPROV  hProv;
-  DWORD       keySpec;
-  HCRYPTKEY   hKey;
-
-  /* make sure we have the right objects */
-  if (((const NSSItem *)NULL == classItem) ||
-      (sizeof(CK_OBJECT_CLASS) != classItem->size) ||
-      (CKO_PRIVATE_KEY != *(CK_OBJECT_CLASS *)classItem->data) ||
-      ((const NSSItem *)NULL == keyType) ||
-      (sizeof(CK_KEY_TYPE) != keyType->size) ||
-      (CKK_RSA != *(CK_KEY_TYPE *)keyType->data)) {
-    *pError =  CKR_KEY_TYPE_INCONSISTENT;
-    return (NSSCKMDCryptoOperation *)NULL;
-  }
-
-  error = nss_ckcapi_FetchKeyContainer(iKey, &hProv, &keySpec, &hKey);
-  if (error != CKR_OK) {
-    *pError = error;
-    return (NSSCKMDCryptoOperation *)NULL;
-  }
-
-  iOperation = nss_ZNEW(NULL, ckcapiInternalCryptoOperationRSAPriv);
-  if ((ckcapiInternalCryptoOperationRSAPriv *)NULL == iOperation) {
-    *pError = CKR_HOST_MEMORY;
-    return (NSSCKMDCryptoOperation *)NULL;
-  }
-  iOperation->mdMechanism = mdMechanism;
-  iOperation->iKey = iKey;
-  iOperation->hProv = hProv;
-  iOperation->keySpec = keySpec;
-  iOperation->hKey = hKey;
-
-  nsslibc_memcpy(&iOperation->mdOperation, 
-                 proto, sizeof(NSSCKMDCryptoOperation));
-  iOperation->mdOperation.etc = iOperation;
-
-  return &iOperation->mdOperation;
-}
-
-static CK_RV
-ckcapi_mdCryptoOperationRSAPriv_Destroy
-(
-  NSSCKMDCryptoOperation *mdOperation,
-  NSSCKFWCryptoOperation *fwOperation,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  ckcapiInternalCryptoOperationRSAPriv *iOperation =
-       (ckcapiInternalCryptoOperationRSAPriv *)mdOperation->etc;
-
-  if (iOperation->hKey) {
-    CryptDestroyKey(iOperation->hKey);
-  }
-  if (iOperation->buffer) {
-    nssItem_Destroy(iOperation->buffer);
-  }
-  nss_ZFreeIf(iOperation);
-  return CKR_OK;
-}
-
-static CK_ULONG
-ckcapi_mdCryptoOperationRSA_GetFinalLength
-(
-  NSSCKMDCryptoOperation *mdOperation,
-  NSSCKFWCryptoOperation *fwOperation,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  ckcapiInternalCryptoOperationRSAPriv *iOperation =
-       (ckcapiInternalCryptoOperationRSAPriv *)mdOperation->etc;
-  const NSSItem *modulus = 
-       nss_ckcapi_FetchAttribute(iOperation->iKey, CKA_MODULUS);
-
-  return modulus->size;
-}
-
-
-/*
- * ckcapi_mdCryptoOperationRSADecrypt_GetOperationLength
- * we won't know the length until we actually decrypt the
- * input block. Since we go to all the work to decrypt the
- * the block, we'll save if for when the block is asked for
- */
-static CK_ULONG
-ckcapi_mdCryptoOperationRSADecrypt_GetOperationLength
-(
-  NSSCKMDCryptoOperation *mdOperation,
-  NSSCKFWCryptoOperation *fwOperation,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  const NSSItem *input,
-  CK_RV *pError
-)
-{
-  ckcapiInternalCryptoOperationRSAPriv *iOperation =
-       (ckcapiInternalCryptoOperationRSAPriv *)mdOperation->etc;
-  BOOL rc;
-
-  /* Microsoft's Decrypt operation works in place. Since we don't want
-   * to trash our input buffer, we make a copy of it */
-  iOperation->buffer = nssItem_Duplicate((NSSItem *)input, NULL, NULL);
-  if ((NSSItem *) NULL == iOperation->buffer) {
-    *pError = CKR_HOST_MEMORY;
-    return 0;
-  }
-  /* Sigh, reverse it */
-  ckcapi_ReverseData(iOperation->buffer);
-  
-  rc = CryptDecrypt(iOperation->hKey, 0, TRUE, 0, 
-		    iOperation->buffer->data, &iOperation->buffer->size);
-  if (!rc) {
-    DWORD msError = GetLastError();
-    switch (msError) {
-    case NTE_BAD_DATA:
-      *pError = CKR_ENCRYPTED_DATA_INVALID;
-      break;
-    case NTE_FAIL:
-    case NTE_BAD_UID:
-      *pError = CKR_DEVICE_ERROR;
-      break;
-    default:
-      *pError = CKR_GENERAL_ERROR; 
-    }
-    return 0;
-  }
-
-  return iOperation->buffer->size;
-}
-
-/*
- * ckcapi_mdCryptoOperationRSADecrypt_UpdateFinal
- *
- * NOTE: ckcapi_mdCryptoOperationRSADecrypt_GetOperationLength is presumed to 
- * have been called previously.
- */
-static CK_RV
-ckcapi_mdCryptoOperationRSADecrypt_UpdateFinal
-(
-  NSSCKMDCryptoOperation *mdOperation,
-  NSSCKFWCryptoOperation *fwOperation,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  const NSSItem *input,
-  NSSItem *output
-)
-{
-  ckcapiInternalCryptoOperationRSAPriv *iOperation =
-       (ckcapiInternalCryptoOperationRSAPriv *)mdOperation->etc;
-  NSSItem *buffer = iOperation->buffer;
-
-  if ((NSSItem *)NULL == buffer) {
-    return CKR_GENERAL_ERROR;
-  }
-  nsslibc_memcpy(output->data, buffer->data, buffer->size);
-  output->size = buffer->size;
-  return CKR_OK;
-}
-
-/*
- * ckcapi_mdCryptoOperationRSASign_UpdateFinal
- *
- */
-static CK_RV
-ckcapi_mdCryptoOperationRSASign_UpdateFinal
-(
-  NSSCKMDCryptoOperation *mdOperation,
-  NSSCKFWCryptoOperation *fwOperation,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  const NSSItem *input,
-  NSSItem *output
-)
-{
-  ckcapiInternalCryptoOperationRSAPriv *iOperation =
-       (ckcapiInternalCryptoOperationRSAPriv *)mdOperation->etc;
-  CK_RV error = CKR_OK;
-  DWORD msError;
-  NSSItem hash;
-  HCRYPTHASH hHash = 0;
-  ALG_ID  hashAlg;
-  DWORD  hashSize;
-  DWORD  len; /* temp length value we throw away */
-  BOOL   rc;
-
-  /*
-   * PKCS #11 sign for RSA expects to take a fully DER-encoded hash value, 
-   * which includes the hash OID. CAPI expects to take a Hash Context. While 
-   * CAPI does have the capability of setting a raw hash value, it does not 
-   * have the ability to sign an arbitrary value. This function tries to
-   * reduce the passed in data into something that CAPI could actually sign.
-   */
-  error = ckcapi_GetRawHash(input, &hash, &hashAlg);
-  if (CKR_OK != error) {
-    goto loser;
-  }
-
-  rc = CryptCreateHash(iOperation->hProv, hashAlg, 0, 0, &hHash);
-  if (!rc) {
-    goto loser;
-  }
-
-  /* make sure the hash lens match before we set it */
-  len = sizeof(DWORD);
-  rc = CryptGetHashParam(hHash, HP_HASHSIZE, (BYTE *)&hashSize, &len, 0);
-  if (!rc) {
-    goto loser;
-  }
-
-  if (hash.size != hashSize) {
-    /* The input must have been bad for this to happen */
-    error = CKR_DATA_INVALID;
-    goto loser;
-  }
-
-  /* we have an explicit hash, set it, note that the length is
-   * implicit by the hashAlg used in create */
-  rc = CryptSetHashParam(hHash, HP_HASHVAL, hash.data, 0);
-  if (!rc) {
-    goto loser;
-  }
-
-  /* OK, we have the data in a hash structure, sign it! */
-  rc = CryptSignHash(hHash, iOperation->keySpec, NULL, 0,
-                     output->data, &output->size);
-  if (!rc) {
-    goto loser;
-  }
-
-  /* Don't return a signature that might have been broken because of a cosmic
-   * ray, or a broken processor, verify that it is valid... */
-  rc = CryptVerifySignature(hHash, output->data, output->size, 
-                            iOperation->hKey, NULL, 0);
-  if (!rc) {
-    goto loser;
-  }
-
-  /* OK, Microsoft likes to do things completely differently than anyone
-   * else. We need to reverse the data we recieved here */
-  ckcapi_ReverseData(output);
-  CryptDestroyHash(hHash);
-  return CKR_OK;
-
-loser:
-  /* map the microsoft error */
-  if (CKR_OK == error) {
-    msError = GetLastError();
-    switch (msError) {
-    case ERROR_NOT_ENOUGH_MEMORY:
-      error = CKR_HOST_MEMORY;
-      break;
-    case NTE_NO_MEMORY:
-      error = CKR_DEVICE_MEMORY;
-      break;
-    case ERROR_MORE_DATA:
-      return CKR_BUFFER_TOO_SMALL;
-    case ERROR_INVALID_PARAMETER: /* these params were derived from the */
-    case ERROR_INVALID_HANDLE:    /* inputs, so if they are bad, the input */ 
-    case NTE_BAD_ALGID:           /* data is bad */
-    case NTE_BAD_HASH:
-      error = CKR_DATA_INVALID;
-      break;
-    case ERROR_BUSY:
-    case NTE_FAIL:
-    case NTE_BAD_UID:
-      error = CKR_DEVICE_ERROR;
-      break;
-    default:
-      error = CKR_GENERAL_ERROR;
-      break;
-    }
-  }
-  if (hHash) {
-    CryptDestroyHash(hHash);
-  }
-  return error;
-}
-  
-
-NSS_IMPLEMENT_DATA const NSSCKMDCryptoOperation
-ckcapi_mdCryptoOperationRSADecrypt_proto = {
-  NULL, /* etc */
-  ckcapi_mdCryptoOperationRSAPriv_Destroy,
-  NULL, /* GetFinalLengh - not needed for one shot Decrypt/Encrypt */
-  ckcapi_mdCryptoOperationRSADecrypt_GetOperationLength,
-  NULL, /* Final - not needed for one shot operation */
-  NULL, /* Update - not needed for one shot operation */
-  NULL, /* DigetUpdate - not needed for one shot operation */
-  ckcapi_mdCryptoOperationRSADecrypt_UpdateFinal,
-  NULL, /* UpdateCombo - not needed for one shot operation */
-  NULL, /* DigetKey - not needed for one shot operation */
-  (void *)NULL /* null terminator */
-};
-
-NSS_IMPLEMENT_DATA const NSSCKMDCryptoOperation
-ckcapi_mdCryptoOperationRSASign_proto = {
-  NULL, /* etc */
-  ckcapi_mdCryptoOperationRSAPriv_Destroy,
-  ckcapi_mdCryptoOperationRSA_GetFinalLength,
-  NULL, /* GetOperationLengh - not needed for one shot Sign/Verify */
-  NULL, /* Final - not needed for one shot operation */
-  NULL, /* Update - not needed for one shot operation */
-  NULL, /* DigetUpdate - not needed for one shot operation */
-  ckcapi_mdCryptoOperationRSASign_UpdateFinal,
-  NULL, /* UpdateCombo - not needed for one shot operation */
-  NULL, /* DigetKey - not needed for one shot operation */
-  (void *)NULL /* null terminator */
-};
-
-/********** NSSCKMDMechansim functions ***********************/
-/*
- * ckcapi_mdMechanismRSA_Destroy
- */
-static void
-ckcapi_mdMechanismRSA_Destroy
-(
-  NSSCKMDMechanism *mdMechanism,
-  NSSCKFWMechanism *fwMechanism,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  nss_ZFreeIf(fwMechanism);
-}
-
-/*
- * ckcapi_mdMechanismRSA_GetMinKeySize
- */
-static CK_ULONG
-ckcapi_mdMechanismRSA_GetMinKeySize
-(
-  NSSCKMDMechanism *mdMechanism,
-  NSSCKFWMechanism *fwMechanism,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  return 384;
-}
-
-/*
- * ckcapi_mdMechanismRSA_GetMaxKeySize
- */
-static CK_ULONG
-ckcapi_mdMechanismRSA_GetMaxKeySize
-(
-  NSSCKMDMechanism *mdMechanism,
-  NSSCKFWMechanism *fwMechanism,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  return 16384;
-}
-
-/*
- * ckcapi_mdMechanismRSA_DecryptInit
- */
-static NSSCKMDCryptoOperation * 
-ckcapi_mdMechanismRSA_DecryptInit
-(
-  NSSCKMDMechanism *mdMechanism,
-  NSSCKFWMechanism *fwMechanism,
-  CK_MECHANISM     *pMechanism,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  NSSCKMDObject *mdKey,
-  NSSCKFWObject *fwKey,
-  CK_RV *pError
-)
-{
-  return ckcapi_mdCryptoOperationRSAPriv_Create(
-		&ckcapi_mdCryptoOperationRSADecrypt_proto,
-		mdMechanism, mdKey, pError);
-}
-
-/*
- * ckcapi_mdMechanismRSA_SignInit
- */
-static NSSCKMDCryptoOperation * 
-ckcapi_mdMechanismRSA_SignInit
-(
-  NSSCKMDMechanism *mdMechanism,
-  NSSCKFWMechanism *fwMechanism,
-  CK_MECHANISM     *pMechanism,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  NSSCKMDObject *mdKey,
-  NSSCKFWObject *fwKey,
-  CK_RV *pError
-)
-{
-  return ckcapi_mdCryptoOperationRSAPriv_Create(
-		&ckcapi_mdCryptoOperationRSASign_proto,
-		mdMechanism, mdKey, pError);
-}
-
-
-NSS_IMPLEMENT_DATA const NSSCKMDMechanism
-nss_ckcapi_mdMechanismRSA = {
-  (void *)NULL, /* etc */
-  ckcapi_mdMechanismRSA_Destroy,
-  ckcapi_mdMechanismRSA_GetMinKeySize,
-  ckcapi_mdMechanismRSA_GetMaxKeySize,
-  NULL, /* GetInHardware - default false */
-  NULL, /* EncryptInit - default errs */
-  ckcapi_mdMechanismRSA_DecryptInit,
-  NULL, /* DigestInit - default errs*/
-  ckcapi_mdMechanismRSA_SignInit,
-  NULL, /* VerifyInit - default errs */
-  ckcapi_mdMechanismRSA_SignInit,  /* SignRecoverInit */
-  NULL, /* VerifyRecoverInit - default errs */
-  NULL, /* GenerateKey - default errs */
-  NULL, /* GenerateKeyPair - default errs */
-  NULL, /* GetWrapKeyLength - default errs */
-  NULL, /* WrapKey - default errs */
-  NULL, /* UnwrapKey - default errs */
-  NULL, /* DeriveKey - default errs */
-  (void *)NULL /* null terminator */
-};
diff --git a/security/nss/lib/ckfw/capi/csession.c b/security/nss/lib/ckfw/capi/csession.c
deleted file mode 100644
index f0abd6d0b..000000000
--- a/security/nss/lib/ckfw/capi/csession.c
+++ /dev/null
@@ -1,131 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- * Portions created by Red Hat, Inc, are Copyright (C) 2005
- *
- * Contributor(s):
- *   Bob Relyea (rrelyea@redhat.com)
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#include "ckcapi.h"
-
-/*
- * ckcapi/csession.c
- *
- * This file implements the NSSCKMDSession object for the 
- * "nss to capi" cryptoki module.
- */
-
-static NSSCKMDFindObjects *
-ckcapi_mdSession_FindObjectsInit
-(
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_RV *pError
-)
-{
-  return nss_ckcapi_FindObjectsInit(fwSession, pTemplate, ulAttributeCount, pError);
-}
-
-static NSSCKMDObject *
-ckcapi_mdSession_CreateObject
-(
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  NSSArena        *arena,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_RV *pError
-)
-{
-  return nss_ckcapi_CreateObject(fwSession, pTemplate, ulAttributeCount, pError);
-}
-
-NSS_IMPLEMENT NSSCKMDSession *
-nss_ckcapi_CreateSession
-(
-  NSSCKFWSession *fwSession,
-  CK_RV *pError
-)
-{
-  NSSArena *arena;
-  NSSCKMDSession *rv;
-
-  arena = NSSCKFWSession_GetArena(fwSession, pError);
-  if( (NSSArena *)NULL == arena ) {
-    return (NSSCKMDSession *)NULL;
-  }
-
-  rv = nss_ZNEW(arena, NSSCKMDSession);
-  if( (NSSCKMDSession *)NULL == rv ) {
-    *pError = CKR_HOST_MEMORY;
-    return (NSSCKMDSession *)NULL;
-  }
-
-  /* 
-   * rv was zeroed when allocated, so we only 
-   * need to set the non-zero members.
-   */
-
-  rv->etc = (void *)fwSession;
-  /* rv->Close */
-  /* rv->GetDeviceError */
-  /* rv->Login */
-  /* rv->Logout */
-  /* rv->InitPIN */
-  /* rv->SetPIN */
-  /* rv->GetOperationStateLen */
-  /* rv->GetOperationState */
-  /* rv->SetOperationState */
-  rv->CreateObject = ckcapi_mdSession_CreateObject;
-  /* rv->CopyObject */
-  rv->FindObjectsInit = ckcapi_mdSession_FindObjectsInit;
-  /* rv->SeedRandom */
-  /* rv->GetRandom */
-  /* rv->null */
-
-  return rv;
-}
diff --git a/security/nss/lib/ckfw/capi/cslot.c b/security/nss/lib/ckfw/capi/cslot.c
deleted file mode 100644
index 1c42c107d..000000000
--- a/security/nss/lib/ckfw/capi/cslot.c
+++ /dev/null
@@ -1,129 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- * Portions created by Red Hat, Inc, are Copyright (C) 2005
- *
- * Contributor(s):
- *   Bob Relyea (rrelyea@redhat.com)
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#include "ckcapi.h"
-
-/*
- * ckcapi/cslot.c
- *
- * This file implements the NSSCKMDSlot object for the
- * "nss to capi" cryptoki module.
- */
-
-static NSSUTF8 *
-ckcapi_mdSlot_GetSlotDescription
-(
-  NSSCKMDSlot *mdSlot,
-  NSSCKFWSlot *fwSlot,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  return (NSSUTF8 *)nss_ckcapi_SlotDescription;
-}
-
-static NSSUTF8 *
-ckcapi_mdSlot_GetManufacturerID
-(
-  NSSCKMDSlot *mdSlot,
-  NSSCKFWSlot *fwSlot,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  return (NSSUTF8 *)nss_ckcapi_ManufacturerID;
-}
-
-static CK_VERSION
-ckcapi_mdSlot_GetHardwareVersion
-(
-  NSSCKMDSlot *mdSlot,
-  NSSCKFWSlot *fwSlot,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  return nss_ckcapi_HardwareVersion;
-}
-
-static CK_VERSION
-ckcapi_mdSlot_GetFirmwareVersion
-(
-  NSSCKMDSlot *mdSlot,
-  NSSCKFWSlot *fwSlot,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  return nss_ckcapi_FirmwareVersion;
-}
-
-static NSSCKMDToken *
-ckcapi_mdSlot_GetToken
-(
-  NSSCKMDSlot *mdSlot,
-  NSSCKFWSlot *fwSlot,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  return (NSSCKMDToken *)&nss_ckcapi_mdToken;
-}
-
-NSS_IMPLEMENT_DATA const NSSCKMDSlot
-nss_ckcapi_mdSlot = {
-  (void *)NULL, /* etc */
-  NULL, /* Initialize */
-  NULL, /* Destroy */
-  ckcapi_mdSlot_GetSlotDescription,
-  ckcapi_mdSlot_GetManufacturerID,
-  NULL, /* GetTokenPresent -- defaults to true */
-  NULL, /* GetRemovableDevice -- defaults to false */
-  NULL, /* GetHardwareSlot -- defaults to false */
-  ckcapi_mdSlot_GetHardwareVersion,
-  ckcapi_mdSlot_GetFirmwareVersion,
-  ckcapi_mdSlot_GetToken,
-  (void *)NULL /* null terminator */
-};
diff --git a/security/nss/lib/ckfw/capi/ctoken.c b/security/nss/lib/ckfw/capi/ctoken.c
deleted file mode 100644
index bce2c17e2..000000000
--- a/security/nss/lib/ckfw/capi/ctoken.c
+++ /dev/null
@@ -1,246 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- * Portions created by Red Hat, Inc, are Copyright (C) 2005
- *
- * Contributor(s):
- *   Bob Relyea (rrelyea@redhat.com)
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#include "ckcapi.h"
-
-/*
- * ckcapi/ctoken.c
- *
- * This file implements the NSSCKMDToken object for the
- * "nss to capi" cryptoki module.
- */
-
-static NSSUTF8 *
-ckcapi_mdToken_GetLabel
-(
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  return (NSSUTF8 *)nss_ckcapi_TokenLabel;
-}
-
-static NSSUTF8 *
-ckcapi_mdToken_GetManufacturerID
-(
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  return (NSSUTF8 *)nss_ckcapi_ManufacturerID;
-}
-
-static NSSUTF8 *
-ckcapi_mdToken_GetModel
-(
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  return (NSSUTF8 *)nss_ckcapi_TokenModel;
-}
-
-static NSSUTF8 *
-ckcapi_mdToken_GetSerialNumber
-(
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  return (NSSUTF8 *)nss_ckcapi_TokenSerialNumber;
-}
-
-static CK_BBOOL
-ckcapi_mdToken_GetIsWriteProtected
-(
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  return CK_FALSE;
-}
-
-/* fake out Mozilla so we don't try to initialize the token */
-static CK_BBOOL
-ckcapi_mdToken_GetUserPinInitialized
-(
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  return CK_TRUE;
-}
-
-static CK_VERSION
-ckcapi_mdToken_GetHardwareVersion
-(
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  return nss_ckcapi_HardwareVersion;
-}
-
-static CK_VERSION
-ckcapi_mdToken_GetFirmwareVersion
-(
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  return nss_ckcapi_FirmwareVersion;
-}
-
-static NSSCKMDSession *
-ckcapi_mdToken_OpenSession
-(
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  NSSCKFWSession *fwSession,
-  CK_BBOOL rw,
-  CK_RV *pError
-)
-{
-  return nss_ckcapi_CreateSession(fwSession, pError);
-}
-
-static CK_ULONG
-ckcapi_mdToken_GetMechanismCount
-(
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  return (CK_ULONG)1;
-}
-
-static CK_RV
-ckcapi_mdToken_GetMechanismTypes
-(
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_MECHANISM_TYPE types[]
-)
-{
-  types[0] = CKM_RSA_PKCS;
-  return CKR_OK;
-}
-
-static NSSCKMDMechanism *
-ckcapi_mdToken_GetMechanism
-(
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_MECHANISM_TYPE which,
-  CK_RV *pError
-)
-{
-  if (which != CKM_RSA_PKCS) {
-    *pError = CKR_MECHANISM_INVALID;
-    return (NSSCKMDMechanism *)NULL;
-  }
-  return (NSSCKMDMechanism *)&nss_ckcapi_mdMechanismRSA;
-}
-
-NSS_IMPLEMENT_DATA const NSSCKMDToken
-nss_ckcapi_mdToken = {
-  (void *)NULL, /* etc */
-  NULL, /* Setup */
-  NULL, /* Invalidate */
-  NULL, /* InitToken -- default errs */
-  ckcapi_mdToken_GetLabel,
-  ckcapi_mdToken_GetManufacturerID,
-  ckcapi_mdToken_GetModel,
-  ckcapi_mdToken_GetSerialNumber,
-  NULL, /* GetHasRNG -- default is false */
-  ckcapi_mdToken_GetIsWriteProtected,
-  NULL, /* GetLoginRequired -- default is false */
-  ckcapi_mdToken_GetUserPinInitialized,
-  NULL, /* GetRestoreKeyNotNeeded -- irrelevant */
-  NULL, /* GetHasClockOnToken -- default is false */
-  NULL, /* GetHasProtectedAuthenticationPath -- default is false */
-  NULL, /* GetSupportsDualCryptoOperations -- default is false */
-  NULL, /* GetMaxSessionCount -- default is CK_UNAVAILABLE_INFORMATION */
-  NULL, /* GetMaxRwSessionCount -- default is CK_UNAVAILABLE_INFORMATION */
-  NULL, /* GetMaxPinLen -- irrelevant */
-  NULL, /* GetMinPinLen -- irrelevant */
-  NULL, /* GetTotalPublicMemory -- default is CK_UNAVAILABLE_INFORMATION */
-  NULL, /* GetFreePublicMemory -- default is CK_UNAVAILABLE_INFORMATION */
-  NULL, /* GetTotalPrivateMemory -- default is CK_UNAVAILABLE_INFORMATION */
-  NULL, /* GetFreePrivateMemory -- default is CK_UNAVAILABLE_INFORMATION */
-  ckcapi_mdToken_GetHardwareVersion,
-  ckcapi_mdToken_GetFirmwareVersion,
-  NULL, /* GetUTCTime -- no clock */
-  ckcapi_mdToken_OpenSession,
-  ckcapi_mdToken_GetMechanismCount,
-  ckcapi_mdToken_GetMechanismTypes,
-  ckcapi_mdToken_GetMechanism,
-  (void *)NULL /* null terminator */
-};
diff --git a/security/nss/lib/ckfw/capi/manifest.mn b/security/nss/lib/ckfw/capi/manifest.mn
deleted file mode 100644
index 8959e5d2d..000000000
--- a/security/nss/lib/ckfw/capi/manifest.mn
+++ /dev/null
@@ -1,66 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
-
-CORE_DEPTH = ../../../..
-
-MODULE = nss
-MAPFILE = $(OBJDIR)/nsscapi.def
-
-EXPORTS =		\
-	nsscapi.h	\
-	$(NULL)
-
-CSRCS =			\
-	anchor.c	\
-	constants.c	\
-	cfind.c		\
-	cinst.c 	\
-	cobject.c	\
-	crsa.c		\
-	csession.c	\
-	cslot.c		\
-	ctoken.c	\
-	ckcapiver.c	\
-	staticobj.c	\
-	$(NULL)
-
-REQUIRES = nspr
-
-LIBRARY_NAME = nsscapi
-
-#EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4
diff --git a/security/nss/lib/ckfw/capi/nsscapi.def b/security/nss/lib/ckfw/capi/nsscapi.def
deleted file mode 100644
index 0e6106c62..000000000
--- a/security/nss/lib/ckfw/capi/nsscapi.def
+++ /dev/null
@@ -1,58 +0,0 @@
-;+#
-;+# ***** BEGIN LICENSE BLOCK *****
-;+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-;+#
-;+# The contents of this file are subject to the Mozilla Public License Version
-;+# 1.1 (the "License"); you may not use this file except in compliance with
-;+# the License. You may obtain a copy of the License at
-;+# http://www.mozilla.org/MPL/
-;+#
-;+# Software distributed under the License is distributed on an "AS IS" basis,
-;+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-;+# for the specific language governing rights and limitations under the
-;+# License.
-;+#
-;+# The Original Code is the Netscape security libraries.
-;+#
-;+# The Initial Developer of the Original Code is
-;+# Netscape Communications Corporation.
-;+# Portions created by the Initial Developer are Copyright (C) 2003
-;+# the Initial Developer. All Rights Reserved.
-;+#
-;+# Contributor(s):
-;+#
-;+# Alternatively, the contents of this file may be used under the terms of
-;+# either the GNU General Public License Version 2 or later (the "GPL"), or
-;+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-;+# in which case the provisions of the GPL or the LGPL are applicable instead
-;+# of those above. If you wish to allow use of your version of this file only
-;+# under the terms of either the GPL or the LGPL, and not to allow others to
-;+# use your version of this file under the terms of the MPL, indicate your
-;+# decision by deleting the provisions above and replace them with the notice
-;+# and other provisions required by the GPL or the LGPL. If you do not delete
-;+# the provisions above, a recipient may use your version of this file under
-;+# the terms of any one of the MPL, the GPL or the LGPL.
-;+#
-;+# ***** END LICENSE BLOCK *****
-;+#
-;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
-;+#   1. For all unix platforms, the string ";-"  means "remove this line"
-;+#   2. For all unix platforms, the string " DATA " will be removed from any 
-;+#     line on which it occurs.
-;+#   3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
-;+#      On AIX, lines containing ";+" will be removed.
-;+#   4. For all unix platforms, the string ";;" will thave the ";;" removed.
-;+#   5. For all unix platforms, after the above processing has taken place,
-;+#    all characters after the first ";" on the line will be removed.
-;+#    And for AIX, the first ";" will also be removed.
-;+#  This file is passed directly to windows. Since ';' is a comment, all UNIX
-;+#   directives are hidden behind ";", ";+", and ";-"
-;+
-;+NSS_3.1 {       # NSS 3.1 release
-;+    global:
-LIBRARY nsscapi ;-
-EXPORTS ;-
-C_GetFunctionList;
-;+    local:
-;+*;
-;+};
diff --git a/security/nss/lib/ckfw/capi/nsscapi.h b/security/nss/lib/ckfw/capi/nsscapi.h
deleted file mode 100644
index 1d80487e9..000000000
--- a/security/nss/lib/ckfw/capi/nsscapi.h
+++ /dev/null
@@ -1,75 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- * Portions created by Red Hat, Inc, are Copyright (C) 2005
- *
- * Contributor(s):
- *   Bob Relyea (rrelyea@redhat.com)
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef NSSCAPI_H
-#define NSSCAPI_H
-
-/*
- * NSS CKCAPI Version numbers.
- *
- * These are the version numbers for the capi module packaged with
- * this release on NSS. To determine the version numbers of the builtin
- * module you are using, use the appropriate PKCS #11 calls.
- *
- * These version numbers detail changes to the PKCS #11 interface. They map
- * to the PKCS #11 spec versions.
- */
-#define NSS_CKCAPI_CRYPTOKI_VERSION_MAJOR 2
-#define NSS_CKCAPI_CRYPTOKI_VERSION_MINOR 20
-
-/* These version numbers detail the changes 
- * to the list of trusted certificates.
- *
- * NSS_CKCAPI_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
- * whether we may use its full range (0-255) or only 0-99 because
- * of the comment in the CK_VERSION type definition.
- */
-#define NSS_CKCAPI_LIBRARY_VERSION_MAJOR 1
-#define NSS_CKCAPI_LIBRARY_VERSION_MINOR 1
-#define NSS_CKCAPI_LIBRARY_VERSION "1.1"
-
-/* These version numbers detail the semantic changes to the ckfw engine. */
-#define NSS_CKCAPI_HARDWARE_VERSION_MAJOR 1
-#define NSS_CKCAPI_HARDWARE_VERSION_MINOR 0
-
-/* These version numbers detail the semantic changes to ckbi itself 
- * (new PKCS #11 objects), etc. */
-#define NSS_CKCAPI_FIRMWARE_VERSION_MAJOR 1
-#define NSS_CKCAPI_FIRMWARE_VERSION_MINOR 0
-
-#endif /* NSSCKBI_H */
diff --git a/security/nss/lib/ckfw/capi/nsscapi.rc b/security/nss/lib/ckfw/capi/nsscapi.rc
deleted file mode 100644
index d5024f7a6..000000000
--- a/security/nss/lib/ckfw/capi/nsscapi.rc
+++ /dev/null
@@ -1,97 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2004
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "nsscapi.h"
-#include <winver.h>
-
-#define MY_LIBNAME "nsscapi"
-#define MY_FILEDESCRIPTION "NSS Access to Microsoft CAPI"
-
-#ifdef _DEBUG
-#define MY_DEBUG_STR " (debug)"
-#define MY_FILEFLAGS_1 VS_FF_DEBUG
-#else
-#define MY_DEBUG_STR ""
-#define MY_FILEFLAGS_1 0x0L
-#endif
-#if NSS_BETA
-#define MY_FILEFLAGS_2 MY_FILEFLAGS_1|VS_FF_PRERELEASE
-#else
-#define MY_FILEFLAGS_2 MY_FILEFLAGS_1
-#endif
-
-#ifdef WINNT
-#define MY_FILEOS VOS_NT_WINDOWS32
-#else
-#define MY_FILEOS VOS__WINDOWS32
-#endif
-
-#define MY_INTERNAL_NAME MY_LIBNAME
-
-/////////////////////////////////////////////////////////////////////////////
-//
-// Version-information resource
-//
-
-VS_VERSION_INFO VERSIONINFO
- FILEVERSION NSS_CKCAPI_LIBRARY_VERSION_MAJOR,NSS_CKCAPI_LIBRARY_VERSION_MINOR,0,0
- PRODUCTVERSION NSS_CKCAPI_LIBRARY_VERSION_MAJOR,NSS_CKCAPI_LIBRARY_VERSION_MINOR,0,0
- FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
- FILEFLAGS MY_FILEFLAGS_2
- FILEOS MY_FILEOS
- FILETYPE VFT_DLL
- FILESUBTYPE 0x0L // not used
-
-BEGIN
-    BLOCK "StringFileInfo"
-    BEGIN
-        BLOCK "040904B0" // Lang=US English, CharSet=Unicode
-        BEGIN
-            VALUE "CompanyName", "Mozilla Foundation\0"
-            VALUE "FileDescription", MY_FILEDESCRIPTION MY_DEBUG_STR "\0"
-            VALUE "FileVersion", NSS_CKCAPI_LIBRARY_VERSION "\0"
-            VALUE "InternalName", MY_INTERNAL_NAME "\0"
-            VALUE "LegalCopyright", "Copyright \251 1994-2005 Netscape Communications Corporation\0"
-            VALUE "OriginalFilename", MY_INTERNAL_NAME ".dll\0"
-            VALUE "ProductName", "Network Security Services\0"
-            VALUE "ProductVersion", NSS_CKCAPI_LIBRARY_VERSION "\0"
-        END
-    END
-    BLOCK "VarFileInfo"
-    BEGIN
-        VALUE "Translation", 0x409, 1200
-    END
-END
diff --git a/security/nss/lib/ckfw/capi/staticobj.c b/security/nss/lib/ckfw/capi/staticobj.c
deleted file mode 100644
index 8cfd8fbdd..000000000
--- a/security/nss/lib/ckfw/capi/staticobj.c
+++ /dev/null
@@ -1,74 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- * Portions created by Red Hat, Inc, are Copyright (C) 2005
- *
- * Contributor(s):
- *   Bob Relyea (rrelyea@redhat.com)
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$""; @(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#ifndef CKCAPI_H
-#include "ckcapi.h"
-#endif /* CKCAPI_H */
-
-static const CK_TRUST ckt_netscape_valid = CKT_NETSCAPE_VALID;
-static const CK_OBJECT_CLASS cko_certificate = CKO_CERTIFICATE;
-static const CK_TRUST ckt_netscape_trusted_delegator = CKT_NETSCAPE_TRUSTED_DELEGATOR;
-static const CK_OBJECT_CLASS cko_netscape_trust = CKO_NETSCAPE_TRUST;
-static const CK_BBOOL ck_true = CK_TRUE;
-static const CK_OBJECT_CLASS cko_data = CKO_DATA;
-static const CK_CERTIFICATE_TYPE ckc_x_509 = CKC_X_509;
-static const CK_BBOOL ck_false = CK_FALSE;
-static const CK_OBJECT_CLASS cko_netscape_builtin_root_list = CKO_NETSCAPE_BUILTIN_ROOT_LIST;
-
-/* example of a static object */
-static const CK_ATTRIBUTE_TYPE nss_ckcapi_types_1 [] = {
- CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL
-};
-
-static const NSSItem nss_ckcapi_items_1 [] = {
-  { (void *)&cko_data, (PRUint32)sizeof(CK_OBJECT_CLASS) },
-  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
-  { (void *)"Mozilla CAPI Access", (PRUint32)20 }
-};
-
-PR_IMPLEMENT_DATA(ckcapiInternalObject) nss_ckcapi_data[] = {
-  { ckcapiRaw, { 5, nss_ckcapi_types_1, nss_ckcapi_items_1} , {NULL} },
-};
-
-PR_IMPLEMENT_DATA(const PRUint32) nss_ckcapi_nObjects = 1;
diff --git a/security/nss/lib/ckfw/ck.api b/security/nss/lib/ckfw/ck.api
deleted file mode 100644
index 501cbb0c8..000000000
--- a/security/nss/lib/ckfw/ck.api
+++ /dev/null
@@ -1,575 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-# This file is in part derived from a file "pkcs11f.h" made available
-# by RSA Security at ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/pkcs11f.h
-
-CVS_ID "@(#) $RCSfile$ $Revision$ $Date$"
-
-# Fields
-#  FUNCTION introduces a Cryptoki function
-#  CK_type specifies and introduces an argument
-#
-
-# General-purpose
-
-# C_Initialize initializes the Cryptoki library.
-FUNCTION C_Initialize
-CK_VOID_PTR pInitArgs   # if this is not NULL_PTR, it gets
-                        # cast to CK_C_INITIALIZE_ARGS_PTR
-                        # and dereferenced
-
-# C_Finalize indicates that an application is done with the
-# Cryptoki library.
-FUNCTION C_Finalize
-CK_VOID_PTR pReserved   # reserved.  Should be NULL_PTR
-
-# C_GetInfo returns general information about Cryptoki. 
-FUNCTION C_GetInfo
-CK_INFO_PTR pInfo       # location that receives information
-
-# C_GetFunctionList returns the function list. 
-FUNCTION C_GetFunctionList
-CK_FUNCTION_LIST_PTR_PTR ppFunctionList # receives pointer to function 
-                                        # list
-
-
-# Slot and token management 
-
-# C_GetSlotList obtains a list of slots in the system. 
-FUNCTION C_GetSlotList
-CK_BBOOL       tokenPresent # only slots with tokens? 
-CK_SLOT_ID_PTR pSlotList    # receives array of slot IDs 
-CK_ULONG_PTR   pulCount     # receives number of slots 
-
-# C_GetSlotInfo obtains information about a particular slot in the 
-# system.
-FUNCTION C_GetSlotInfo
-CK_SLOT_ID       slotID     # the ID of the slot 
-CK_SLOT_INFO_PTR pInfo      # receives the slot information 
-
-# C_GetTokenInfo obtains information about a particular token in the 
-# system. 
-FUNCTION C_GetTokenInfo
-CK_SLOT_ID        slotID    # ID of the token's slot 
-CK_TOKEN_INFO_PTR pInfo     # receives the token information 
-
-# C_GetMechanismList obtains a list of mechanism types supported by a 
-# token. 
-FUNCTION C_GetMechanismList
-CK_SLOT_ID            slotID            # ID of token's slot 
-CK_MECHANISM_TYPE_PTR pMechanismList    # gets mech. array 
-CK_ULONG_PTR          pulCount          # gets # of mechs. 
-
-# C_GetMechanismInfo obtains information about a particular mechanism 
-# possibly supported by a token. 
-FUNCTION C_GetMechanismInfo
-CK_SLOT_ID            slotID    # ID of the token's slot 
-CK_MECHANISM_TYPE     type      # type of mechanism 
-CK_MECHANISM_INFO_PTR pInfo     # receives mechanism info 
-
-# C_InitToken initializes a token. 
-FUNCTION C_InitToken
-CK_SLOT_ID  slotID      # ID of the token's slot 
-CK_CHAR_PTR pPin        # the SO's initial PIN 
-CK_ULONG    ulPinLen    # length in bytes of the PIN 
-CK_CHAR_PTR pLabel      # 32-byte token label (blank padded) 
-
-# C_InitPIN initializes the normal user's PIN. 
-FUNCTION C_InitPIN
-CK_SESSION_HANDLE hSession  # the session's handle 
-CK_CHAR_PTR       pPin      # the normal user's PIN 
-CK_ULONG          ulPinLen  # length in bytes of the PIN 
-
-# C_SetPIN modifies the PIN of the user who is logged in. 
-FUNCTION C_SetPIN
-CK_SESSION_HANDLE hSession  # the session's handle 
-CK_CHAR_PTR       pOldPin   # the old PIN 
-CK_ULONG          ulOldLen  # length of the old PIN 
-CK_CHAR_PTR       pNewPin   # the new PIN 
-CK_ULONG          ulNewLen  # length of the new PIN 
-
-
-# Session management 
-
-# C_OpenSession opens a session between an application and a token. 
-FUNCTION C_OpenSession
-CK_SLOT_ID            slotID        # the slot's ID 
-CK_FLAGS              flags         # from CK_SESSION_INFO 
-CK_VOID_PTR           pApplication  # passed to callback 
-CK_NOTIFY             Notify        # callback function 
-CK_SESSION_HANDLE_PTR phSession     # gets session handle 
-
-# C_CloseSession closes a session between an application and a token. 
-FUNCTION C_CloseSession
-CK_SESSION_HANDLE hSession  # the session's handle 
-
-# C_CloseAllSessions closes all sessions with a token. 
-FUNCTION C_CloseAllSessions
-CK_SLOT_ID slotID   # the token's slot 
-
-# C_GetSessionInfo obtains information about the session. 
-FUNCTION C_GetSessionInfo
-CK_SESSION_HANDLE   hSession    # the session's handle 
-CK_SESSION_INFO_PTR pInfo       # receives session info 
-
-# C_GetOperationState obtains the state of the cryptographic 
-# operation in a session. 
-FUNCTION C_GetOperationState
-CK_SESSION_HANDLE hSession              # session's handle 
-CK_BYTE_PTR       pOperationState       # gets state 
-CK_ULONG_PTR      pulOperationStateLen  # gets state length 
-
-# C_SetOperationState restores the state of the cryptographic 
-# operation in a session. 
-FUNCTION C_SetOperationState
-CK_SESSION_HANDLE hSession              # session's handle 
-CK_BYTE_PTR      pOperationState        # holds state 
-CK_ULONG         ulOperationStateLen    # holds state length 
-CK_OBJECT_HANDLE hEncryptionKey         # en/decryption key 
-CK_OBJECT_HANDLE hAuthenticationKey     # sign/verify key 
-
-# C_Login logs a user into a token. 
-FUNCTION C_Login
-CK_SESSION_HANDLE hSession  # the session's handle 
-CK_USER_TYPE      userType  # the user type 
-CK_CHAR_PTR       pPin      # the user's PIN 
-CK_ULONG          ulPinLen  # the length of the PIN 
-
-# C_Logout logs a user out from a token. 
-FUNCTION C_Logout
-CK_SESSION_HANDLE hSession  # the session's handle 
-
-
-# Object management 
-
-# C_CreateObject creates a new object. 
-FUNCTION C_CreateObject
-CK_SESSION_HANDLE    hSession   # the session's handle 
-CK_ATTRIBUTE_PTR     pTemplate  # the object's template 
-CK_ULONG             ulCount    # attributes in template 
-CK_OBJECT_HANDLE_PTR phObject   # gets new object's handle. 
-
-# C_CopyObject copies an object, creating a new object for the copy.
-FUNCTION C_CopyObject
-CK_SESSION_HANDLE    hSession       # the session's handle 
-CK_OBJECT_HANDLE     hObject        # the object's handle 
-CK_ATTRIBUTE_PTR     pTemplate      # template for new object 
-CK_ULONG             ulCount        # attributes in template 
-CK_OBJECT_HANDLE_PTR phNewObject    # receives handle of copy 
-
-# C_DestroyObject destroys an object. 
-FUNCTION C_DestroyObject
-CK_SESSION_HANDLE hSession  # the session's handle 
-CK_OBJECT_HANDLE  hObject   # the object's handle 
-
-# C_GetObjectSize gets the size of an object in bytes. 
-FUNCTION C_GetObjectSize
-CK_SESSION_HANDLE hSession  # the session's handle 
-CK_OBJECT_HANDLE  hObject   # the object's handle 
-CK_ULONG_PTR      pulSize   # receives size of object 
-
-# C_GetAttributeValue obtains the value of one or more object 
-# attributes. 
-FUNCTION C_GetAttributeValue
-CK_SESSION_HANDLE hSession    # the session's handle 
-CK_OBJECT_HANDLE  hObject     # the object's handle 
-CK_ATTRIBUTE_PTR  pTemplate   # specifies attrs; gets vals 
-CK_ULONG          ulCount     # attributes in template 
-
-# C_SetAttributeValue modifies the value of one or more object 
-# attributes 
-FUNCTION C_SetAttributeValue
-CK_SESSION_HANDLE hSession    # the session's handle 
-CK_OBJECT_HANDLE  hObject     # the object's handle 
-CK_ATTRIBUTE_PTR  pTemplate   # specifies attrs and values 
-CK_ULONG          ulCount     # attributes in template 
-
-# C_FindObjectsInit initializes a search for token and session 
-# objects that match a template. 
-FUNCTION C_FindObjectsInit
-CK_SESSION_HANDLE hSession    # the session's handle 
-CK_ATTRIBUTE_PTR  pTemplate   # attribute values to match 
-CK_ULONG          ulCount     # attrs in search template 
-
-# C_FindObjects continues a search for token and session objects that 
-# match a template, obtaining additional object handles. 
-FUNCTION C_FindObjects
-CK_SESSION_HANDLE    hSession           # session's handle 
-CK_OBJECT_HANDLE_PTR phObject           # gets obj. handles 
-CK_ULONG             ulMaxObjectCount   # max handles to get 
-CK_ULONG_PTR         pulObjectCount     # actual # returned 
-
-# C_FindObjectsFinal finishes a search for token and session objects. 
-FUNCTION C_FindObjectsFinal
-CK_SESSION_HANDLE hSession  # the session's handle 
-
-
-# Encryption and decryption 
-
-# C_EncryptInit initializes an encryption operation. 
-FUNCTION C_EncryptInit
-CK_SESSION_HANDLE hSession    # the session's handle 
-CK_MECHANISM_PTR  pMechanism  # the encryption mechanism 
-CK_OBJECT_HANDLE  hKey        # handle of encryption key 
-
-# C_Encrypt encrypts single-part data. 
-FUNCTION C_Encrypt
-CK_SESSION_HANDLE hSession              # session's handle 
-CK_BYTE_PTR       pData                 # the plaintext data 
-CK_ULONG          ulDataLen             # bytes of plaintext 
-CK_BYTE_PTR       pEncryptedData        # gets ciphertext 
-CK_ULONG_PTR      pulEncryptedDataLen   # gets c-text size 
-
-# C_EncryptUpdate continues a multiple-part encryption operation. 
-FUNCTION C_EncryptUpdate
-CK_SESSION_HANDLE hSession              # session's handle 
-CK_BYTE_PTR       pPart                 # the plaintext data 
-CK_ULONG          ulPartLen             # plaintext data len 
-CK_BYTE_PTR       pEncryptedPart        # gets ciphertext 
-CK_ULONG_PTR      pulEncryptedPartLen   # gets c-text size 
-
-# C_EncryptFinal finishes a multiple-part encryption operation. 
-FUNCTION C_EncryptFinal
-CK_SESSION_HANDLE hSession                  # session handle 
-CK_BYTE_PTR       pLastEncryptedPart        # last c-text 
-CK_ULONG_PTR      pulLastEncryptedPartLen   # gets last size 
-
-# C_DecryptInit initializes a decryption operation. 
-FUNCTION C_DecryptInit
-CK_SESSION_HANDLE hSession      # the session's handle 
-CK_MECHANISM_PTR  pMechanism    # the decryption mechanism 
-CK_OBJECT_HANDLE  hKey          # handle of decryption key 
-
-# C_Decrypt decrypts encrypted data in a single part. 
-FUNCTION C_Decrypt
-CK_SESSION_HANDLE hSession              # session's handle 
-CK_BYTE_PTR       pEncryptedData        # ciphertext 
-CK_ULONG          ulEncryptedDataLen    # ciphertext length 
-CK_BYTE_PTR       pData                 # gets plaintext 
-CK_ULONG_PTR      pulDataLen            # gets p-text size 
-
-# C_DecryptUpdate continues a multiple-part decryption operation. 
-FUNCTION C_DecryptUpdate
-CK_SESSION_HANDLE hSession              # session's handle 
-CK_BYTE_PTR       pEncryptedPart        # encrypted data 
-CK_ULONG          ulEncryptedPartLen    # input length 
-CK_BYTE_PTR       pPart                 # gets plaintext 
-CK_ULONG_PTR      pulPartLen            # p-text size 
-
-# C_DecryptFinal finishes a multiple-part decryption operation. 
-FUNCTION C_DecryptFinal
-CK_SESSION_HANDLE hSession          # the session's handle 
-CK_BYTE_PTR       pLastPart         # gets plaintext 
-CK_ULONG_PTR      pulLastPartLen    # p-text size 
-
-
-# Message digesting 
-
-# C_DigestInit initializes a message-digesting operation. 
-FUNCTION C_DigestInit
-CK_SESSION_HANDLE hSession      # the session's handle 
-CK_MECHANISM_PTR  pMechanism    # the digesting mechanism 
-
-# C_Digest digests data in a single part. 
-FUNCTION C_Digest
-CK_SESSION_HANDLE hSession      # the session's handle 
-CK_BYTE_PTR       pData         # data to be digested 
-CK_ULONG          ulDataLen     # bytes of data to digest 
-CK_BYTE_PTR       pDigest       # gets the message digest 
-CK_ULONG_PTR      pulDigestLen  # gets digest length 
-
-# C_DigestUpdate continues a multiple-part message-digesting operation.
-FUNCTION C_DigestUpdate
-CK_SESSION_HANDLE hSession  # the session's handle 
-CK_BYTE_PTR       pPart     # data to be digested 
-CK_ULONG          ulPartLen # bytes of data to be digested 
-
-# C_DigestKey continues a multi-part message-digesting operation, by 
-# digesting the value of a secret key as part of the data already 
-# digested. 
-FUNCTION C_DigestKey
-CK_SESSION_HANDLE hSession  # the session's handle 
-CK_OBJECT_HANDLE  hKey      # secret key to digest 
-
-# C_DigestFinal finishes a multiple-part message-digesting operation. 
-FUNCTION C_DigestFinal
-CK_SESSION_HANDLE hSession      # the session's handle 
-CK_BYTE_PTR       pDigest       # gets the message digest 
-CK_ULONG_PTR      pulDigestLen  # gets byte count of digest 
-
-
-# Signing and MACing 
-
-# C_SignInit initializes a signature (private key encryption) 
-# operation, where the signature is (will be) an appendix to the 
-# data, and plaintext cannot be recovered from the signature. 
-FUNCTION C_SignInit
-CK_SESSION_HANDLE hSession      # the session's handle 
-CK_MECHANISM_PTR  pMechanism    # the signature mechanism 
-CK_OBJECT_HANDLE  hKey          # handle of signature key 
-
-# C_Sign signs (encrypts with private key) data in a single part, 
-# where the signature is (will be) an appendix to the data, and 
-# plaintext cannot be recovered from the signature. 
-FUNCTION C_Sign
-CK_SESSION_HANDLE hSession          # the session's handle 
-CK_BYTE_PTR       pData             # the data to sign 
-CK_ULONG          ulDataLen         # count of bytes to sign 
-CK_BYTE_PTR       pSignature        # gets the signature 
-CK_ULONG_PTR      pulSignatureLen   # gets signature length 
-
-# C_SignUpdate continues a multiple-part signature operation, where 
-# the signature is (will be) an appendix to the data, and plaintext 
-# cannot be recovered from the signature. 
-FUNCTION C_SignUpdate
-CK_SESSION_HANDLE hSession  # the session's handle 
-CK_BYTE_PTR       pPart     # the data to sign 
-CK_ULONG          ulPartLen # count of bytes to sign 
-
-# C_SignFinal finishes a multiple-part signature operation, returning 
-# the signature. 
-FUNCTION C_SignFinal
-CK_SESSION_HANDLE hSession          # the session's handle 
-CK_BYTE_PTR       pSignature        # gets the signature 
-CK_ULONG_PTR      pulSignatureLen   # gets signature length 
-
-# C_SignRecoverInit initializes a signature operation, where the data 
-# can be recovered from the signature. 
-FUNCTION C_SignRecoverInit
-CK_SESSION_HANDLE hSession      # the session's handle 
-CK_MECHANISM_PTR  pMechanism    # the signature mechanism 
-CK_OBJECT_HANDLE  hKey          # handle of the signature key 
-
-# C_SignRecover signs data in a single operation, where the data can 
-# be recovered from the signature. 
-FUNCTION C_SignRecover
-CK_SESSION_HANDLE hSession          # the session's handle 
-CK_BYTE_PTR       pData             # the data to sign 
-CK_ULONG          ulDataLen         # count of bytes to sign 
-CK_BYTE_PTR       pSignature        # gets the signature 
-CK_ULONG_PTR      pulSignatureLen   # gets signature length 
-
-
-# Verifying signatures and MACs 
-
-# C_VerifyInit initializes a verification operation, where the 
-# signature is an appendix to the data, and plaintext cannot cannot 
-# be recovered from the signature (e.g. DSA). 
-FUNCTION C_VerifyInit
-CK_SESSION_HANDLE hSession      # the session's handle 
-CK_MECHANISM_PTR  pMechanism    # the verification mechanism 
-CK_OBJECT_HANDLE  hKey          # verification key  
-
-# C_Verify verifies a signature in a single-part operation, where the 
-# signature is an appendix to the data, and plaintext cannot be 
-# recovered from the signature. 
-FUNCTION C_Verify
-CK_SESSION_HANDLE hSession          # the session's handle 
-CK_BYTE_PTR       pData             # signed data 
-CK_ULONG          ulDataLen         # length of signed data 
-CK_BYTE_PTR       pSignature        # signature 
-CK_ULONG          ulSignatureLen    # signature length
-
-# C_VerifyUpdate continues a multiple-part verification operation, 
-# where the signature is an appendix to the data, and plaintext cannot be 
-# recovered from the signature. 
-FUNCTION C_VerifyUpdate
-CK_SESSION_HANDLE hSession  # the session's handle 
-CK_BYTE_PTR       pPart     # signed data 
-CK_ULONG          ulPartLen # length of signed data 
-
-# C_VerifyFinal finishes a multiple-part verification operation, 
-# checking the signature. 
-FUNCTION C_VerifyFinal
-CK_SESSION_HANDLE hSession          # the session's handle 
-CK_BYTE_PTR       pSignature        # signature to verify 
-CK_ULONG          ulSignatureLen    # signature length 
-
-# C_VerifyRecoverInit initializes a signature verification operation, 
-# where the data is recovered from the signature. 
-FUNCTION C_VerifyRecoverInit
-CK_SESSION_HANDLE hSession      # the session's handle 
-CK_MECHANISM_PTR  pMechanism    # the verification mechanism 
-CK_OBJECT_HANDLE  hKey          # verification key 
-
-# C_VerifyRecover verifies a signature in a single-part operation, 
-# where the data is recovered from the signature. 
-FUNCTION C_VerifyRecover
-CK_SESSION_HANDLE hSession          # the session's handle 
-CK_BYTE_PTR       pSignature        # signature to verify 
-CK_ULONG          ulSignatureLen    # signature length 
-CK_BYTE_PTR       pData             # gets signed data 
-CK_ULONG_PTR      pulDataLen        # gets signed data len 
-
-
-# Dual-function cryptographic operations 
-
-# C_DigestEncryptUpdate continues a multiple-part digesting and 
-# encryption operation. 
-FUNCTION C_DigestEncryptUpdate
-CK_SESSION_HANDLE hSession              # session's handle 
-CK_BYTE_PTR       pPart                 # the plaintext data 
-CK_ULONG          ulPartLen             # plaintext length 
-CK_BYTE_PTR       pEncryptedPart        # gets ciphertext 
-CK_ULONG_PTR      pulEncryptedPartLen   # gets c-text length 
-
-# C_DecryptDigestUpdate continues a multiple-part decryption and 
-# digesting operation. 
-FUNCTION C_DecryptDigestUpdate
-CK_SESSION_HANDLE hSession              # session's handle 
-CK_BYTE_PTR       pEncryptedPart        # ciphertext 
-CK_ULONG          ulEncryptedPartLen    # ciphertext length 
-CK_BYTE_PTR       pPart                 # gets plaintext 
-CK_ULONG_PTR      pulPartLen            # gets plaintext len 
-
-# C_SignEncryptUpdate continues a multiple-part signing and 
-# encryption operation. 
-FUNCTION C_SignEncryptUpdate
-CK_SESSION_HANDLE hSession              # session's handle 
-CK_BYTE_PTR       pPart                 # the plaintext data 
-CK_ULONG          ulPartLen             # plaintext length 
-CK_BYTE_PTR       pEncryptedPart        # gets ciphertext 
-CK_ULONG_PTR      pulEncryptedPartLen   # gets c-text length 
-
-# C_DecryptVerifyUpdate continues a multiple-part decryption and 
-# verify operation. 
-FUNCTION C_DecryptVerifyUpdate
-CK_SESSION_HANDLE hSession              # session's handle 
-CK_BYTE_PTR       pEncryptedPart        # ciphertext 
-CK_ULONG          ulEncryptedPartLen    # ciphertext length 
-CK_BYTE_PTR       pPart                 # gets plaintext 
-CK_ULONG_PTR      pulPartLen            # gets p-text length 
-
-
-# Key management 
-
-# C_GenerateKey generates a secret key, creating a new key object. 
-FUNCTION C_GenerateKey
-CK_SESSION_HANDLE    hSession   # the session's handle 
-CK_MECHANISM_PTR     pMechanism # key generation mech. 
-CK_ATTRIBUTE_PTR     pTemplate  # template for new key 
-CK_ULONG             ulCount    # # of attrs in template 
-CK_OBJECT_HANDLE_PTR phKey      # gets handle of new key 
-
-# C_GenerateKeyPair generates a public-key/private-key pair, creating 
-# new key objects. 
-FUNCTION C_GenerateKeyPair
-CK_SESSION_HANDLE    hSession                   # session handle
-CK_MECHANISM_PTR     pMechanism                 # key-gen mech.
-CK_ATTRIBUTE_PTR     pPublicKeyTemplate         # template for pub. key
-CK_ULONG             ulPublicKeyAttributeCount  # # pub. attrs.
-CK_ATTRIBUTE_PTR     pPrivateKeyTemplate        # template for priv. key
-CK_ULONG             ulPrivateKeyAttributeCount # # priv. attrs.
-CK_OBJECT_HANDLE_PTR phPublicKey                # gets pub. key handle
-CK_OBJECT_HANDLE_PTR phPrivateKey               # gets priv. key handle
-
-# C_WrapKey wraps (i.e., encrypts) a key. 
-FUNCTION C_WrapKey
-CK_SESSION_HANDLE hSession         # the session's handle 
-CK_MECHANISM_PTR  pMechanism       # the wrapping mechanism 
-CK_OBJECT_HANDLE  hWrappingKey     # wrapping key 
-CK_OBJECT_HANDLE  hKey             # key to be wrapped 
-CK_BYTE_PTR       pWrappedKey      # gets wrapped key 
-CK_ULONG_PTR      pulWrappedKeyLen # gets wrapped key size 
-
-# C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new key 
-# object. 
-FUNCTION C_UnwrapKey
-CK_SESSION_HANDLE    hSession           # session's handle 
-CK_MECHANISM_PTR     pMechanism         # unwrapping mech. 
-CK_OBJECT_HANDLE     hUnwrappingKey     # unwrapping key 
-CK_BYTE_PTR          pWrappedKey        # the wrapped key 
-CK_ULONG             ulWrappedKeyLen    # wrapped key len 
-CK_ATTRIBUTE_PTR     pTemplate          # new key template 
-CK_ULONG             ulAttributeCount   # template length 
-CK_OBJECT_HANDLE_PTR phKey              # gets new handle 
-
-# C_DeriveKey derives a key from a base key, creating a new key object.
-FUNCTION C_DeriveKey
-CK_SESSION_HANDLE    hSession           # session's handle 
-CK_MECHANISM_PTR     pMechanism         # key deriv. mech. 
-CK_OBJECT_HANDLE     hBaseKey           # base key 
-CK_ATTRIBUTE_PTR     pTemplate          # new key template 
-CK_ULONG             ulAttributeCount   # template length 
-CK_OBJECT_HANDLE_PTR phKey              # gets new handle 
-
-
-# Random number generation 
-
-# C_SeedRandom mixes additional seed material into the token's random 
-# number generator. 
-FUNCTION C_SeedRandom
-CK_SESSION_HANDLE hSession  # the session's handle 
-CK_BYTE_PTR       pSeed     # the seed material 
-CK_ULONG          ulSeedLen # length of seed material 
-
-# C_GenerateRandom generates random data. 
-FUNCTION C_GenerateRandom
-CK_SESSION_HANDLE hSession      # the session's handle 
-CK_BYTE_PTR       RandomData    # receives the random data 
-CK_ULONG          ulRandomLen   # # of bytes to generate 
-
-
-# Parallel function management 
-
-# C_GetFunctionStatus is a legacy function; it obtains an updated 
-# status of a function running in parallel with an application.
-FUNCTION C_GetFunctionStatus
-CK_SESSION_HANDLE hSession  # the session's handle 
-
-# C_CancelFunction is a legacy function; it cancels a function running 
-# in parallel. 
-FUNCTION C_CancelFunction
-CK_SESSION_HANDLE hSession  # the session's handle 
-
-
-# Functions added in for Cryptoki Version 2.01 or later 
-
-# C_WaitForSlotEvent waits for a slot event (token insertion, removal, 
-# etc.) to occur. 
-FUNCTION C_WaitForSlotEvent
-CK_FLAGS       flags    # blocking/nonblocking flag 
-CK_SLOT_ID_PTR pSlot    # location that receives the slot ID 
-CK_VOID_PTR    pRserved # reserved.  Should be NULL_PTR 
-
-## C_ConfigureSlot passes an installation-specified bytestring to a 
-## slot. 
-#FUNCTION C_ConfigureSlot
-#CK_SLOT_ID slotID      # the slot to configure 
-#CK_BYTE_PTR pConfig    # the configuration string 
-#CK_ULONG ulConfigLen   # length of the config string 
diff --git a/security/nss/lib/ckfw/ck.h b/security/nss/lib/ckfw/ck.h
deleted file mode 100644
index 7314292cb..000000000
--- a/security/nss/lib/ckfw/ck.h
+++ /dev/null
@@ -1,124 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef CK_H
-#define CK_H
-
-#ifdef DEBUG
-static const char CK_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * ck.h
- *
- * This header file consolidates all header files needed by the source
- * files implementing the NSS Cryptoki Framework.  This makes managing
- * the source files a bit easier.
- */
-
-/* Types */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-#ifndef NSSCKT_H
-#include "nssckt.h"
-#endif /* NSSCKT_H */
-
-#ifndef NSSCKFT_H
-#include "nssckft.h"
-#endif /* NSSCKFT_H */
-
-#ifndef NSSCKEPV_H
-#include "nssckepv.h"
-#endif /* NSSCKEPV_H */
-
-#ifndef NSSCKFWT_H
-#include "nssckfwt.h"
-#endif /* NSSCKFWT_H */
-
-#ifndef NSSCKMDT_H
-#include "nssckmdt.h"
-#endif /* NSSCKMDT_H */
-
-#ifndef CKT_H
-#include "ckt.h"
-#endif /* CKT_H */
-
-#ifndef CKFWTM_H
-#include "ckfwtm.h"
-#endif /* CKFWTM_H */
-
-/* Prototypes */
-
-#ifndef NSSBASE_H
-#include "nssbase.h"
-#endif /* NSSBASE_H */
-
-#ifndef NSSCKG_H
-#include "nssckg.h"
-#endif /* NSSCKG_H */
-
-#ifndef NSSCKFW_H
-#include "nssckfw.h"
-#endif /* NSSCKFW_H */
-
-#ifndef NSSCKFWC_H
-#include "nssckfwc.h"
-#endif /* NSSCKFWC_H */
-
-#ifndef CKFW_H
-#include "ckfw.h"
-#endif /* CKFW_H */
-
-#ifndef CKFWM_H
-#include "ckfwm.h"
-#endif /* CKFWM_H */
-
-#ifndef CKMD_H
-#include "ckmd.h"
-#endif /* CKMD_H */
-
-/* NSS-private */
-
-/* nss_ZNEW and the like.  We might want to publish the memory APIs.. */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-#endif /* CK_H */
diff --git a/security/nss/lib/ckfw/ckapi.perl b/security/nss/lib/ckfw/ckapi.perl
deleted file mode 100644
index 927737510..000000000
--- a/security/nss/lib/ckfw/ckapi.perl
+++ /dev/null
@@ -1,515 +0,0 @@
-#!perl
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-$cvs_id = '@(#) $RCSfile$ $Revision$ $Date$';
-
-$copyright = '/* THIS IS A GENERATED FILE */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-';
-
-$count = -1;
-$i = 0;
-
-open(INPUT, "<$ARGV[0]") || die "Can't open $ARGV[0]: $!";
-
-while(<INPUT>) {
-  s/^((?:[^"#]+|"[^"]*")*)(\s*#.*$)/$1/;
-  next if (/^\s*$/);
-
-#  print;
-
-  /^([\S]+)\s+([^"][\S]*|"[^"]*")/;
-  $name = $1;
-  $value = $2;
-
-  if( ($name =~ "FUNCTION") && !($name =~ "CK_FUNCTION") ) {
-    $count++;
-    $x[$count]{name} = $value;
-    $i = 0;
-  } else {
-    if( $count < 0 ) {
-      $value =~ s/"//g;
-      $g{$name} = $value;
-    } else {
-      $x[$count]{args}[$i]{type} = $name;
-      $x[$count]{args}[$i]{name} = $value;
-      $i++;
-      $x[$count]{nargs} = $i; # rewritten each time, oh well
-    }
-  }
-}
-
-close INPUT;
-
-# dodump();
-doprint();
-
-sub dodump {
-  for( $j = 0; $j <= $count; $j++ ) {
-    print "CK_RV CK_ENTRY $x[$j]{name}\n";
-    for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
-      print "  $x[$j]{args}[$i]{type} $x[$j]{args}[$i]{name}";
-      if( $i == ($x[$j]{nargs} - 1) ) {
-        print "\n";
-      } else {
-        print ",\n";
-      }
-    }
-  }
-}
-
-sub doprint {
-open(PROTOTYPE, ">nssckg.h") || die "Can't open nssckg.h: $!";
-open(TYPEDEF, ">nssckft.h") || die "Can't open nssckft.h: $!";
-open(EPV, ">nssckepv.h") || die "Can't open nssckepv.h: $!";
-open(API, ">nssck.api") || die "Can't open nssck.api: $!";
-
-select PROTOTYPE;
-
-print $copyright;
-print <<EOD
-#ifndef NSSCKG_H
-#define NSSCKG_H
-
-#ifdef DEBUG
-static const char NSSCKG_CVS_ID[] = "$g{CVS_ID} ; $cvs_id";
-#endif /* DEBUG */
-
-/*
- * nssckg.h
- *
- * This automatically-generated header file prototypes the Cryptoki
- * functions specified by PKCS#11.
- */
-
-#ifndef NSSCKT_H
-#include "nssckt.h"
-#endif /* NSSCKT_H */
-
-EOD
-    ;
-
-for( $j = 0; $j <= $count; $j++ ) {
-  print "CK_RV CK_ENTRY $x[$j]{name}\n";
-  print "(\n";
-  for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
-    print "  $x[$j]{args}[$i]{type} $x[$j]{args}[$i]{name}";
-    if( $i == ($x[$j]{nargs} - 1) ) {
-      print "\n";
-    } else {
-      print ",\n";
-    }
-  }
-  print ");\n\n";
-}
-
-print <<EOD
-#endif /* NSSCKG_H */
-EOD
-    ;
-
-select TYPEDEF;
-
-print $copyright;
-print <<EOD
-#ifndef NSSCKFT_H
-#define NSSCKFT_H
-
-#ifdef DEBUG
-static const char NSSCKFT_CVS_ID[] = "$g{CVS_ID} ; $cvs_id";
-#endif /* DEBUG */
-
-/*
- * nssckft.h
- *
- * The automatically-generated header file declares a typedef
- * each of the Cryptoki functions specified by PKCS#11.
- */
-
-#ifndef NSSCKT_H
-#include "nssckt.h"
-#endif /* NSSCKT_H */
-
-EOD
-    ;
-
-for( $j = 0; $j <= $count; $j++ ) {
-#  print "typedef CK_RV (CK_ENTRY *CK_$x[$j]{name})(\n";
-  print "typedef CK_CALLBACK_FUNCTION(CK_RV, CK_$x[$j]{name})(\n";
-  for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
-    print "  $x[$j]{args}[$i]{type} $x[$j]{args}[$i]{name}";
-    if( $i == ($x[$j]{nargs} - 1) ) {
-      print "\n";
-    } else {
-      print ",\n";
-    }
-  }
-  print ");\n\n";
-}
-
-print <<EOD
-#endif /* NSSCKFT_H */
-EOD
-    ;
-
-select EPV;
-
-print $copyright;
-print <<EOD
-#ifndef NSSCKEPV_H
-#define NSSCKEPV_H
-
-#ifdef DEBUG
-static const char NSSCKEPV_CVS_ID[] = "$g{CVS_ID} ; $cvs_id";
-#endif /* DEBUG */
-
-/*
- * nssckepv.h
- *
- * This automatically-generated header file defines the type
- * CK_FUNCTION_LIST specified by PKCS#11.
- */
-
-#ifndef NSSCKT_H
-#include "nssckt.h"
-#endif /* NSSCKT_H */
-
-#ifndef NSSCKFT_H
-#include "nssckft.h"
-#endif /* NSSCKFT_H */
-
-#include "nssckp.h"
-
-struct CK_FUNCTION_LIST {
-  CK_VERSION version;
-EOD
-    ;
-
-for( $j = 0; $j <= $count; $j++ ) {
-  print "  CK_$x[$j]{name} $x[$j]{name};\n";
-}
-
-print <<EOD
-};
-
-#include "nsscku.h"
-
-#endif /* NSSCKEPV_H */
-EOD
-    ;
-
-select API;
-
-print $copyright;
-print <<EOD
-
-#ifdef DEBUG
-static const char NSSCKAPI_CVS_ID[] = "$g{CVS_ID} ; $cvs_id";
-#endif /* DEBUG */
-
-/*
- * nssck.api
- *
- * This automatically-generated file is used to generate a set of
- * Cryptoki entry points within the object space of a Module using
- * the NSS Cryptoki Framework.
- *
- * The Module should have a .c file with the following:
- *
- *  #define MODULE_NAME name
- *  #define INSTANCE_NAME instance
- *  #include "nssck.api"
- *
- * where "name" is some module-specific name that can be used to
- * disambiguate various modules.  This included file will then
- * define the actual Cryptoki routines which pass through to the
- * Framework calls.  All routines, except C_GetFunctionList, will
- * be prefixed with the name; C_GetFunctionList will be generated
- * to return an entry-point vector with these routines.  The
- * instance specified should be the basic instance of NSSCKMDInstance.
- *
- * If, prior to including nssck.api, the .c file also specifies
- *
- *  #define DECLARE_STRICT_CRYTPOKI_NAMES
- *
- * Then a set of "stub" routines not prefixed with the name will
- * be included.  This would allow the combined module and framework
- * to be used in applications which are hard-coded to use the
- * PKCS#11 names (instead of going through the EPV).  Please note
- * that such applications should be careful resolving symbols when
- * more than one PKCS#11 module is loaded.
- */
-
-#ifndef MODULE_NAME
-#error "Error: MODULE_NAME must be defined."
-#endif /* MODULE_NAME */
-
-#ifndef INSTANCE_NAME
-#error "Error: INSTANCE_NAME must be defined."
-#endif /* INSTANCE_NAME */
-
-#ifndef NSSCKT_H
-#include "nssckt.h"
-#endif /* NSSCKT_H */
-
-#ifndef NSSCKFWT_H
-#include "nssckfwt.h"
-#endif /* NSSCKFWT_H */
-
-#ifndef NSSCKFWC_H
-#include "nssckfwc.h"
-#endif /* NSSCKFWC_H */
-
-#ifndef NSSCKEPV_H
-#include "nssckepv.h"
-#endif /* NSSCKEPV_H */
-
-#define ADJOIN(x,y) x##y
-
-#define __ADJOIN(x,y) ADJOIN(x,y)
-
-/*
- * The anchor.  This object is used to store an "anchor" pointer in
- * the Module's object space, so the wrapper functions can relate
- * back to this instance.
- */
-
-static NSSCKFWInstance *fwInstance = (NSSCKFWInstance *)0;
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_Initialize)
-(
-  CK_VOID_PTR pInitArgs
-)
-{
-  return NSSCKFWC_Initialize(&fwInstance, INSTANCE_NAME, pInitArgs);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY 
-C_Initialize
-(
-  CK_VOID_PTR pInitArgs
-)
-{
-  return __ADJOIN(MODULE_NAME,C_Initialize)(pInitArgs);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_Finalize)
-(
-  CK_VOID_PTR pReserved
-)
-{
-  return NSSCKFWC_Finalize(&fwInstance);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_Finalize
-(
-  CK_VOID_PTR pReserved
-)
-{
-  return __ADJOIN(MODULE_NAME,C_Finalize)(pReserved);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_GetInfo)
-(
-  CK_INFO_PTR pInfo
-)
-{
-  return NSSCKFWC_GetInfo(fwInstance, pInfo);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_GetInfo
-(
-  CK_INFO_PTR pInfo
-)
-{
-  return __ADJOIN(MODULE_NAME,C_GetInfo)(pInfo);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-/*
- * C_GetFunctionList is defined at the end.
- */
-
-EOD
-    ;
-
-for( $j = 4; $j <= $count; $j++ ) {
-  print "static CK_RV CK_ENTRY\n";
-  print "__ADJOIN(MODULE_NAME,$x[$j]{name})\n";
-  print "(\n";
-  for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
-    print "  $x[$j]{args}[$i]{type} $x[$j]{args}[$i]{name}";
-    if( $i == ($x[$j]{nargs} - 1) ) {
-      print "\n";
-    } else {
-      print ",\n";
-    }
-  }
-  print ")\n";
-  print "{\n";
-  print "  return NSSCKFW$x[$j]{name}(fwInstance, ";
-  for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
-    print "$x[$j]{args}[$i]{name}";
-    if( $i == ($x[$j]{nargs} - 1) ) {
-      print ");\n";
-    } else {
-      print ", ";
-    }
-  }
-  print "}\n\n";
-
-  print "#ifdef DECLARE_STRICT_CRYPTOKI_NAMES\n";
-  print "CK_RV CK_ENTRY\n";
-  print "$x[$j]{name}\n";
-  print "(\n";
-  for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
-    print "  $x[$j]{args}[$i]{type} $x[$j]{args}[$i]{name}";
-    if( $i == ($x[$j]{nargs} - 1) ) {
-      print "\n";
-    } else {
-      print ",\n";
-    }
-  }
-  print ")\n";
-  print "{\n";
-  print "  return __ADJOIN(MODULE_NAME,$x[$j]{name})(";
-  for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
-    print "$x[$j]{args}[$i]{name}";
-    if( $i == ($x[$j]{nargs} - 1) ) {
-      print ");\n";
-    } else {
-      print ", ";
-    }
-  }
-  print "}\n";
-  print "#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */\n\n";
-}
-
-print <<EOD
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_GetFunctionList)
-(
-  CK_FUNCTION_LIST_PTR_PTR ppFunctionList
-);
-
-static CK_FUNCTION_LIST FunctionList = {
-  { 2, 1 },
-EOD
-    ;
-
-for( $j = 0; $j <= $count; $j++ ) {
-  print "__ADJOIN(MODULE_NAME,$x[$j]{name})";
-  if( $j < $count ) {
-    print ",\n";
-  } else {
-    print "\n};\n\n";
-  }
-}
-
-print <<EOD
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_GetFunctionList)
-(
-  CK_FUNCTION_LIST_PTR_PTR ppFunctionList
-)
-{
-  *ppFunctionList = &FunctionList;
-  return CKR_OK;
-}
-
-/* This one is always present */
-CK_RV CK_ENTRY
-C_GetFunctionList
-(
-  CK_FUNCTION_LIST_PTR_PTR ppFunctionList
-)
-{
-  return __ADJOIN(MODULE_NAME,C_GetFunctionList)(ppFunctionList);
-}
-
-#undef __ADJOIN
-
-EOD
-    ;
-
-select STDOUT;
-
-}
diff --git a/security/nss/lib/ckfw/ckfw.h b/security/nss/lib/ckfw/ckfw.h
deleted file mode 100644
index 379e0401d..000000000
--- a/security/nss/lib/ckfw/ckfw.h
+++ /dev/null
@@ -1,1863 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef CKFW_H
-#define CKFW_H
-
-#ifdef DEBUG
-static const char CKFW_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * ckfw.h
- *
- * This file prototypes the private calls of the NSS Cryptoki Framework.
- */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-#ifndef NSSCKT_H
-#include "nssckt.h"
-#endif /* NSSCKT_H */
-
-#ifndef NSSCKFWT_H
-#include "nssckfwt.h"
-#endif /* NSSCKFWT_H */
-
-#ifndef NSSCKMDT_H
-#include "nssckmdt.h"
-#endif /* NSSCKMDT_H */
-
-/*
- * NSSCKFWInstance
- *
- *  -- create/destroy --
- *  nssCKFWInstance_Create
- *  nssCKFWInstance_Destroy
- *
- *  -- implement public accessors --
- *  nssCKFWInstance_GetMDInstance
- *  nssCKFWInstance_GetArena
- *  nssCKFWInstance_MayCreatePthreads
- *  nssCKFWInstance_CreateMutex
- *  nssCKFWInstance_GetConfigurationData
- *  nssCKFWInstance_GetInitArgs 
- *
- *  -- private accessors --
- *  nssCKFWInstance_CreateSessionHandle
- *  nssCKFWInstance_ResolveSessionHandle
- *  nssCKFWInstance_DestroySessionHandle
- *  nssCKFWInstance_FindSessionHandle
- *  nssCKFWInstance_CreateObjectHandle
- *  nssCKFWInstance_ResolveObjectHandle
- *  nssCKFWInstance_DestroyObjectHandle
- *  nssCKFWInstance_FindObjectHandle
- *
- *  -- module fronts --
- *  nssCKFWInstance_GetNSlots
- *  nssCKFWInstance_GetCryptokiVersion
- *  nssCKFWInstance_GetManufacturerID
- *  nssCKFWInstance_GetFlags
- *  nssCKFWInstance_GetLibraryDescription
- *  nssCKFWInstance_GetLibraryVersion
- *  nssCKFWInstance_GetModuleHandlesSessionObjects
- *  nssCKFWInstance_GetSlots
- *  nssCKFWInstance_WaitForSlotEvent
- *
- *  -- debugging versions only --
- *  nssCKFWInstance_verifyPointer
- */
-
-/*
- * nssCKFWInstance_Create
- *
- */
-NSS_EXTERN NSSCKFWInstance *
-nssCKFWInstance_Create
-(
-  CK_C_INITIALIZE_ARGS_PTR pInitArgs,
-  CryptokiLockingState LockingState,
-  NSSCKMDInstance *mdInstance,
-  CK_RV *pError
-);
-
-/*
- * nssCKFWInstance_Destroy
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWInstance_Destroy
-(
-  NSSCKFWInstance *fwInstance
-);
-
-/*
- * nssCKFWInstance_GetMDInstance
- *
- */
-NSS_EXTERN NSSCKMDInstance *
-nssCKFWInstance_GetMDInstance
-(
-  NSSCKFWInstance *fwInstance
-);
-
-/*
- * nssCKFWInstance_GetArena
- *
- */
-NSS_EXTERN NSSArena *
-nssCKFWInstance_GetArena
-(
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-);
-
-/*
- * nssCKFWInstance_MayCreatePthreads
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWInstance_MayCreatePthreads
-(
-  NSSCKFWInstance *fwInstance
-);
-
-/*
- * nssCKFWInstance_CreateMutex
- *
- */
-NSS_EXTERN NSSCKFWMutex *
-nssCKFWInstance_CreateMutex
-(
-  NSSCKFWInstance *fwInstance,
-  NSSArena *arena,
-  CK_RV *pError
-);
-
-/*
- * nssCKFWInstance_GetConfigurationData
- *
- */
-NSS_EXTERN NSSUTF8 *
-nssCKFWInstance_GetConfigurationData
-(
-  NSSCKFWInstance *fwInstance
-);
-
-/*
- * nssCKFWInstance_GetInitArgs
- *
- */
-NSS_EXTERN CK_C_INITIALIZE_ARGS_PTR
-nssCKFWInstance_GetInitArgs
-(
-  NSSCKFWInstance *fwInstance
-);
-
-/*
- * nssCKFWInstance_CreateSessionHandle
- *
- */
-NSS_EXTERN CK_SESSION_HANDLE
-nssCKFWInstance_CreateSessionHandle
-(
-  NSSCKFWInstance *fwInstance,
-  NSSCKFWSession *fwSession,
-  CK_RV *pError
-);
-
-/*
- * nssCKFWInstance_ResolveSessionHandle
- *
- */
-NSS_EXTERN NSSCKFWSession *
-nssCKFWInstance_ResolveSessionHandle
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession
-);
-
-/*
- * nssCKFWInstance_DestroySessionHandle
- *
- */
-NSS_EXTERN void
-nssCKFWInstance_DestroySessionHandle
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession
-);
-
-/*
- * nssCKFWInstance_FindSessionHandle
- *
- */
-NSS_EXTERN CK_SESSION_HANDLE
-nssCKFWInstance_FindSessionHandle
-(
-  NSSCKFWInstance *fwInstance,
-  NSSCKFWSession *fwSession
-);
-
-/*
- * nssCKFWInstance_CreateObjectHandle
- *
- */
-NSS_EXTERN CK_OBJECT_HANDLE
-nssCKFWInstance_CreateObjectHandle
-(
-  NSSCKFWInstance *fwInstance,
-  NSSCKFWObject *fwObject,
-  CK_RV *pError
-);
-
-/*
- * nssCKFWInstance_ResolveObjectHandle
- *
- */
-NSS_EXTERN NSSCKFWObject *
-nssCKFWInstance_ResolveObjectHandle
-(
-  NSSCKFWInstance *fwInstance,
-  CK_OBJECT_HANDLE hObject
-);
-
-/*
- * nssCKFWInstance_ReassignObjectHandle
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWInstance_ReassignObjectHandle
-(
-  NSSCKFWInstance *fwInstance,
-  CK_OBJECT_HANDLE hObject,
-  NSSCKFWObject *fwObject
-);
-
-/*
- * nssCKFWInstance_DestroyObjectHandle
- *
- */
-NSS_EXTERN void
-nssCKFWInstance_DestroyObjectHandle
-(
-  NSSCKFWInstance *fwInstance,
-  CK_OBJECT_HANDLE hObject
-);
-
-/*
- * nssCKFWInstance_FindObjectHandle
- *
- */
-NSS_EXTERN CK_OBJECT_HANDLE
-nssCKFWInstance_FindObjectHandle
-(
-  NSSCKFWInstance *fwInstance,
-  NSSCKFWObject *fwObject
-);
-
-/*
- * nssCKFWInstance_GetNSlots
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWInstance_GetNSlots
-(
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-);
-
-/*
- * nssCKFWInstance_GetCryptokiVersion
- *
- */
-NSS_EXTERN CK_VERSION
-nssCKFWInstance_GetCryptokiVersion
-(
-  NSSCKFWInstance *fwInstance
-);
-
-/*
- * nssCKFWInstance_GetManufacturerID
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWInstance_GetManufacturerID
-(
-  NSSCKFWInstance *fwInstance,
-  CK_CHAR manufacturerID[32]
-);
-
-/*
- * nssCKFWInstance_GetFlags
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWInstance_GetFlags
-(
-  NSSCKFWInstance *fwInstance
-);
-
-/*
- * nssCKFWInstance_GetLibraryDescription
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWInstance_GetLibraryDescription
-(
-  NSSCKFWInstance *fwInstance,
-  CK_CHAR libraryDescription[32]
-);
-
-/*
- * nssCKFWInstance_GetLibraryVersion
- *
- */
-NSS_EXTERN CK_VERSION
-nssCKFWInstance_GetLibraryVersion
-(
-  NSSCKFWInstance *fwInstance
-);
-
-/*
- * nssCKFWInstance_GetModuleHandlesSessionObjects
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWInstance_GetModuleHandlesSessionObjects
-(
-  NSSCKFWInstance *fwInstance
-);
-
-/*
- * nssCKFWInstance_GetSlots
- *
- */
-NSS_EXTERN NSSCKFWSlot **
-nssCKFWInstance_GetSlots
-(
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-);
-
-/*
- * nssCKFWInstance_WaitForSlotEvent
- *
- */
-NSS_EXTERN NSSCKFWSlot *
-nssCKFWInstance_WaitForSlotEvent
-(
-  NSSCKFWInstance *fwInstance,
-  CK_BBOOL block,
-  CK_RV *pError
-);
-
-/*
- * nssCKFWInstance_verifyPointer
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWInstance_verifyPointer
-(
-  const NSSCKFWInstance *fwInstance
-);
-
-
-/*
- * NSSCKFWSlot
- *
- *  -- create/destroy --
- *  nssCKFWSlot_Create
- *  nssCKFWSlot_Destroy
- *
- *  -- implement public accessors --
- *  nssCKFWSlot_GetMDSlot
- *  nssCKFWSlot_GetFWInstance
- *  nssCKFWSlot_GetMDInstance
- *
- *  -- private accessors --
- *  nssCKFWSlot_GetSlotID
- *
- *  -- module fronts --
- *  nssCKFWSlot_GetSlotDescription
- *  nssCKFWSlot_GetManufacturerID
- *  nssCKFWSlot_GetTokenPresent
- *  nssCKFWSlot_GetRemovableDevice
- *  nssCKFWSlot_GetHardwareSlot
- *  nssCKFWSlot_GetHardwareVersion
- *  nssCKFWSlot_GetFirmwareVersion
- *  nssCKFWSlot_GetToken
- */
-
-/*
- * nssCKFWSlot_Create
- *
- */
-NSS_EXTERN NSSCKFWSlot *
-nssCKFWSlot_Create
-(
-  NSSCKFWInstance *fwInstance,
-  NSSCKMDSlot *mdSlot,
-  CK_SLOT_ID slotID,
-  CK_RV *pError
-);
-
-/*
- * nssCKFWSlot_Destroy
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSlot_Destroy
-(
-  NSSCKFWSlot *fwSlot
-);
-
-/*
- * nssCKFWSlot_GetMDSlot
- *
- */
-NSS_EXTERN NSSCKMDSlot *
-nssCKFWSlot_GetMDSlot
-(
-  NSSCKFWSlot *fwSlot
-);
-
-/*
- * nssCKFWSlot_GetFWInstance
- *
- */
-
-NSS_EXTERN NSSCKFWInstance *
-nssCKFWSlot_GetFWInstance
-(
-  NSSCKFWSlot *fwSlot
-);
-
-/*
- * nssCKFWSlot_GetMDInstance
- *
- */
-
-NSS_EXTERN NSSCKMDInstance *
-nssCKFWSlot_GetMDInstance
-(
-  NSSCKFWSlot *fwSlot
-);
-
-/*
- * nssCKFWSlot_GetSlotID
- *
- */
-NSS_EXTERN CK_SLOT_ID
-nssCKFWSlot_GetSlotID
-(
-  NSSCKFWSlot *fwSlot
-);
-
-/*
- * nssCKFWSlot_GetSlotDescription
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSlot_GetSlotDescription
-(
-  NSSCKFWSlot *fwSlot,
-  CK_CHAR slotDescription[64]
-);
-
-/*
- * nssCKFWSlot_GetManufacturerID
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSlot_GetManufacturerID
-(
-  NSSCKFWSlot *fwSlot,
-  CK_CHAR manufacturerID[32]
-);
-
-/*
- * nssCKFWSlot_GetTokenPresent
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWSlot_GetTokenPresent
-(
-  NSSCKFWSlot *fwSlot
-);
-
-/*
- * nssCKFWSlot_GetRemovableDevice
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWSlot_GetRemovableDevice
-(
-  NSSCKFWSlot *fwSlot
-);
-
-/*
- * nssCKFWSlot_GetHardwareSlot
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWSlot_GetHardwareSlot
-(
-  NSSCKFWSlot *fwSlot
-);
-
-/*
- * nssCKFWSlot_GetHardwareVersion
- *
- */
-NSS_EXTERN CK_VERSION
-nssCKFWSlot_GetHardwareVersion
-(
-  NSSCKFWSlot *fwSlot
-);
-
-/*
- * nssCKFWSlot_GetFirmwareVersion
- *
- */
-NSS_EXTERN CK_VERSION
-nssCKFWSlot_GetFirmwareVersion
-(
-  NSSCKFWSlot *fwSlot
-);
-
-/*
- * nssCKFWSlot_GetToken
- * 
- */
-NSS_EXTERN NSSCKFWToken *
-nssCKFWSlot_GetToken
-(
-  NSSCKFWSlot *fwSlot,
-  CK_RV *pError
-);
-
-/*
- * nssCKFWSlot_ClearToken
- *
- */
-NSS_EXTERN void
-nssCKFWSlot_ClearToken
-(
-  NSSCKFWSlot *fwSlot
-);
-
-/*
- * NSSCKFWToken
- *
- *  -- create/destroy --
- *  nssCKFWToken_Create
- *  nssCKFWToken_Destroy
- *
- *  -- implement public accessors --
- *  nssCKFWToken_GetMDToken
- *  nssCKFWToken_GetFWSlot
- *  nssCKFWToken_GetMDSlot
- *  nssCKFWToken_GetSessionState
- *
- *  -- private accessors --
- *  nssCKFWToken_SetSessionState
- *  nssCKFWToken_RemoveSession
- *  nssCKFWToken_CloseAllSessions
- *  nssCKFWToken_GetSessionCount
- *  nssCKFWToken_GetRwSessionCount
- *  nssCKFWToken_GetRoSessionCount
- *  nssCKFWToken_GetSessionObjectHash
- *  nssCKFWToken_GetMDObjectHash
- *  nssCKFWToken_GetObjectHandleHash
- *
- *  -- module fronts --
- *  nssCKFWToken_InitToken
- *  nssCKFWToken_GetLabel
- *  nssCKFWToken_GetManufacturerID
- *  nssCKFWToken_GetModel
- *  nssCKFWToken_GetSerialNumber
- *  nssCKFWToken_GetHasRNG
- *  nssCKFWToken_GetIsWriteProtected
- *  nssCKFWToken_GetLoginRequired
- *  nssCKFWToken_GetUserPinInitialized
- *  nssCKFWToken_GetRestoreKeyNotNeeded
- *  nssCKFWToken_GetHasClockOnToken
- *  nssCKFWToken_GetHasProtectedAuthenticationPath
- *  nssCKFWToken_GetSupportsDualCryptoOperations
- *  nssCKFWToken_GetMaxSessionCount
- *  nssCKFWToken_GetMaxRwSessionCount
- *  nssCKFWToken_GetMaxPinLen
- *  nssCKFWToken_GetMinPinLen
- *  nssCKFWToken_GetTotalPublicMemory
- *  nssCKFWToken_GetFreePublicMemory
- *  nssCKFWToken_GetTotalPrivateMemory
- *  nssCKFWToken_GetFreePrivateMemory
- *  nssCKFWToken_GetHardwareVersion
- *  nssCKFWToken_GetFirmwareVersion
- *  nssCKFWToken_GetUTCTime
- *  nssCKFWToken_OpenSession
- *  nssCKFWToken_GetMechanismCount
- *  nssCKFWToken_GetMechanismTypes
- *  nssCKFWToken_GetMechanism
- */
-
-/*
- * nssCKFWToken_Create
- *
- */
-NSS_EXTERN NSSCKFWToken *
-nssCKFWToken_Create
-(
-  NSSCKFWSlot *fwSlot,
-  NSSCKMDToken *mdToken,
-  CK_RV *pError
-);
-
-/*
- * nssCKFWToken_Destroy
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWToken_Destroy
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetMDToken
- *
- */
-NSS_EXTERN NSSCKMDToken *
-nssCKFWToken_GetMDToken
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetArena
- *
- */
-NSS_EXTERN NSSArena *
-nssCKFWToken_GetArena
-(
-  NSSCKFWToken *fwToken,
-  CK_RV *pError
-);
-
-/*
- * nssCKFWToken_GetFWSlot
- *
- */
-NSS_EXTERN NSSCKFWSlot *
-nssCKFWToken_GetFWSlot
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetMDSlot
- *
- */
-NSS_EXTERN NSSCKMDSlot *
-nssCKFWToken_GetMDSlot
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetSessionState
- *
- */
-NSS_EXTERN CK_STATE
-nssCKFWToken_GetSessionState
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_InitToken
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWToken_InitToken
-(
-  NSSCKFWToken *fwToken,
-  NSSItem *pin,
-  NSSUTF8 *label
-);
-
-/*
- * nssCKFWToken_GetLabel
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWToken_GetLabel
-(
-  NSSCKFWToken *fwToken,
-  CK_CHAR label[32]
-);
-
-/*
- * nssCKFWToken_GetManufacturerID
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWToken_GetManufacturerID
-(
-  NSSCKFWToken *fwToken,
-  CK_CHAR manufacturerID[32]
-);
-
-/*
- * nssCKFWToken_GetModel
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWToken_GetModel
-(
-  NSSCKFWToken *fwToken,
-  CK_CHAR model[16]
-);
-
-/*
- * nssCKFWToken_GetSerialNumber
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWToken_GetSerialNumber
-(
-  NSSCKFWToken *fwToken,
-  CK_CHAR serialNumber[16]
-);
-
-/*
- * nssCKFWToken_GetHasRNG
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWToken_GetHasRNG
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetIsWriteProtected
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWToken_GetIsWriteProtected
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetLoginRequired
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWToken_GetLoginRequired
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetUserPinInitialized
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWToken_GetUserPinInitialized
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetRestoreKeyNotNeeded
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWToken_GetRestoreKeyNotNeeded
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetHasClockOnToken
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWToken_GetHasClockOnToken
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetHasProtectedAuthenticationPath
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWToken_GetHasProtectedAuthenticationPath
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetSupportsDualCryptoOperations
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWToken_GetSupportsDualCryptoOperations
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetMaxSessionCount
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWToken_GetMaxSessionCount
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetMaxRwSessionCount
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWToken_GetMaxRwSessionCount
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetMaxPinLen
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWToken_GetMaxPinLen
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetMinPinLen
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWToken_GetMinPinLen
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetTotalPublicMemory
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWToken_GetTotalPublicMemory
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetFreePublicMemory
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWToken_GetFreePublicMemory
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetTotalPrivateMemory
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWToken_GetTotalPrivateMemory
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetFreePrivateMemory
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWToken_GetFreePrivateMemory
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetHardwareVersion
- *
- */
-NSS_EXTERN CK_VERSION
-nssCKFWToken_GetHardwareVersion
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetFirmwareVersion
- *
- */
-NSS_EXTERN CK_VERSION
-nssCKFWToken_GetFirmwareVersion
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetUTCTime
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWToken_GetUTCTime
-(
-  NSSCKFWToken *fwToken,
-  CK_CHAR utcTime[16]
-);
-
-/*
- * nssCKFWToken_OpenSession
- *
- */
-NSS_EXTERN NSSCKFWSession *
-nssCKFWToken_OpenSession
-(
-  NSSCKFWToken *fwToken,
-  CK_BBOOL rw,
-  CK_VOID_PTR pApplication,
-  CK_NOTIFY Notify,
-  CK_RV *pError
-);
-
-/*
- * nssCKFWToken_GetMechanismCount
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWToken_GetMechanismCount
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetMechanismTypes
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWToken_GetMechanismTypes
-(
-  NSSCKFWToken *fwToken,
-  CK_MECHANISM_TYPE types[]
-);
-
-/*
- * nssCKFWToken_GetMechanism
- *
- */
-NSS_EXTERN NSSCKFWMechanism *
-nssCKFWToken_GetMechanism
-(
-  NSSCKFWToken *fwToken,
-  CK_MECHANISM_TYPE which,
-  CK_RV *pError
-);
-
-/*
- * nssCKFWToken_SetSessionState
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWToken_SetSessionState
-(
-  NSSCKFWToken *fwToken,
-  CK_STATE newState
-);
-
-/*
- * nssCKFWToken_RemoveSession
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWToken_RemoveSession
-(
-  NSSCKFWToken *fwToken,
-  NSSCKFWSession *fwSession
-);
-
-/*
- * nssCKFWToken_CloseAllSessions
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWToken_CloseAllSessions
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetSessionCount
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWToken_GetSessionCount
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetRwSessionCount
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWToken_GetRwSessionCount
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetRoSessionCount
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWToken_GetRoSessionCount
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetSessionObjectHash
- *
- */
-NSS_EXTERN nssCKFWHash *
-nssCKFWToken_GetSessionObjectHash
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetMDObjectHash
- *
- */
-NSS_EXTERN nssCKFWHash *
-nssCKFWToken_GetMDObjectHash
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * nssCKFWToken_GetObjectHandleHash
- *
- */
-NSS_EXTERN nssCKFWHash *
-nssCKFWToken_GetObjectHandleHash
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * NSSCKFWMechanism
- *
- *  -- create/destroy --
- *  nssCKFWMechanism_Create
- *  nssCKFWMechanism_Destroy
- *
- *  -- implement public accessors --
- *  nssCKFWMechanism_GetMDMechanism
- *  nssCKFWMechanism_GetParameter
- *
- *  -- private accessors --
- *
- *  -- module fronts --
- *  nssCKFWMechanism_GetMinKeySize
- *  nssCKFWMechanism_GetMaxKeySize
- *  nssCKFWMechanism_GetInHardware
- */
-
-/*
- * nssCKFWMechanism_Create
- *
- */
-NSS_EXTERN NSSCKFWMechanism *
-nssCKFWMechanism_Create
-(
-  void /* XXX fgmr */
-);
-
-/*
- * nssCKFWMechanism_Destroy
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWMechanism_Destroy
-(
-  NSSCKFWMechanism *fwMechanism
-);
-
-/*
- * nssCKFWMechanism_GetMDMechanism
- *
- */
-
-NSS_EXTERN NSSCKMDMechanism *
-nssCKFWMechanism_GetMDMechanism
-(
-  NSSCKFWMechanism *fwMechanism
-);
-
-/*
- * nssCKFWMechanism_GetParameter
- *
- * XXX fgmr-- or as an additional parameter to the crypto ops?
- */
-NSS_EXTERN NSSItem *
-nssCKFWMechanism_GetParameter
-(
-  NSSCKFWMechanism *fwMechanism
-);
-
-/*
- * nssCKFWMechanism_GetMinKeySize
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWMechanism_GetMinKeySize
-(
-  NSSCKFWMechanism *fwMechanism
-);
-
-/*
- * nssCKFWMechanism_GetMaxKeySize
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWMechanism_GetMaxKeySize
-(
-  NSSCKFWMechanism *fwMechanism
-);
-
-/*
- * nssCKFWMechanism_GetInHardware
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWMechanism_GetInHardware
-(
-  NSSCKFWMechanism *fwMechanism
-);
-
-/*
- * NSSCKFWSession
- *
- *  -- create/destroy --
- *  nssCKFWSession_Create
- *  nssCKFWSession_Destroy
- *
- *  -- implement public accessors --
- *  nssCKFWSession_GetMDSession
- *  nssCKFWSession_GetArena
- *  nssCKFWSession_CallNotification
- *  nssCKFWSession_IsRWSession
- *  nssCKFWSession_IsSO
- *
- *  -- private accessors --
- *  nssCKFWSession_GetFWSlot
- *  nssCKFWSession_GetSessionState
- *  nssCKFWSession_SetFWFindObjects
- *  nssCKFWSession_GetFWFindObjects
- *  nssCKFWSession_SetMDSession
- *  nssCKFWSession_SetHandle
- *  nssCKFWSession_GetHandle
- *  nssCKFWSession_RegisterSessionObject
- *  nssCKFWSession_DeregisterSessionObject
- *
- *  -- module fronts --
- *  nssCKFWSession_GetDeviceError
- *  nssCKFWSession_Login
- *  nssCKFWSession_Logout
- *  nssCKFWSession_InitPIN
- *  nssCKFWSession_SetPIN
- *  nssCKFWSession_GetOperationStateLen
- *  nssCKFWSession_GetOperationState
- *  nssCKFWSession_SetOperationState
- *  nssCKFWSession_CreateObject
- *  nssCKFWSession_CopyObject
- *  nssCKFWSession_FindObjectsInit
- *  nssCKFWSession_SeedRandom
- *  nssCKFWSession_GetRandom
- */
-
-/*
- * nssCKFWSession_Create
- *
- */
-NSS_EXTERN NSSCKFWSession *
-nssCKFWSession_Create
-(
-  NSSCKFWToken *fwToken,
-  CK_BBOOL rw,
-  CK_VOID_PTR pApplication,
-  CK_NOTIFY Notify,
-  CK_RV *pError
-);
-
-/*
- * nssCKFWSession_Destroy
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSession_Destroy
-(
-  NSSCKFWSession *fwSession,
-  CK_BBOOL removeFromTokenHash
-);
-
-/*
- * nssCKFWSession_GetMDSession
- *
- */
-NSS_EXTERN NSSCKMDSession *
-nssCKFWSession_GetMDSession
-(
-  NSSCKFWSession *fwSession
-);
-
-/*
- * nssCKFWSession_GetArena
- *
- */
-NSS_EXTERN NSSArena *
-nssCKFWSession_GetArena
-(
-  NSSCKFWSession *fwSession,
-  CK_RV *pError
-);
-
-/*
- * nssCKFWSession_CallNotification
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSession_CallNotification
-(
-  NSSCKFWSession *fwSession,
-  CK_NOTIFICATION event
-);
-
-/*
- * nssCKFWSession_IsRWSession
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWSession_IsRWSession
-(
-  NSSCKFWSession *fwSession
-);
-
-/*
- * nssCKFWSession_IsSO
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWSession_IsSO
-(
-  NSSCKFWSession *fwSession
-);
-
-/*
- * nssCKFWSession_GetFWSlot
- *
- */
-NSS_EXTERN NSSCKFWSlot *
-nssCKFWSession_GetFWSlot
-(
-  NSSCKFWSession *fwSession
-);
-
-/*
- * nssCFKWSession_GetSessionState
- *
- */
-NSS_EXTERN CK_STATE
-nssCKFWSession_GetSessionState
-(
-  NSSCKFWSession *fwSession
-);
-
-/*
- * nssCKFWSession_SetFWFindObjects
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSession_SetFWFindObjects
-(
-  NSSCKFWSession *fwSession,
-  NSSCKFWFindObjects *fwFindObjects
-);
-
-/*
- * nssCKFWSession_GetFWFindObjects
- *
- */
-NSS_EXTERN NSSCKFWFindObjects *
-nssCKFWSession_GetFWFindObjects
-(
-  NSSCKFWSession *fwSesssion,
-  CK_RV *pError
-);
-
-/*
- * nssCKFWSession_SetMDSession
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSession_SetMDSession
-(
-  NSSCKFWSession *fwSession,
-  NSSCKMDSession *mdSession
-);
-
-/*
- * nssCKFWSession_SetHandle
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSession_SetHandle
-(
-  NSSCKFWSession *fwSession,
-  CK_SESSION_HANDLE hSession
-);
-
-/*
- * nssCKFWSession_GetHandle
- *
- */
-NSS_EXTERN CK_SESSION_HANDLE
-nssCKFWSession_GetHandle
-(
-  NSSCKFWSession *fwSession
-);
-
-/*
- * nssCKFWSession_RegisterSessionObject
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSession_RegisterSessionObject
-(
-  NSSCKFWSession *fwSession,
-  NSSCKFWObject *fwObject
-);
-
-/*
- * nssCKFWSession_DeregisterSessionObject
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSession_DeregisterSessionObject
-(
-  NSSCKFWSession *fwSession,
-  NSSCKFWObject *fwObject
-);
-
-/*
- * nssCKFWSession_GetDeviceError
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWSession_GetDeviceError
-(
-  NSSCKFWSession *fwSession
-);
-
-/*
- * nssCKFWSession_Login
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSession_Login
-(
-  NSSCKFWSession *fwSession,
-  CK_USER_TYPE userType,
-  NSSItem *pin
-);
-
-/*
- * nssCKFWSession_Logout
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSession_Logout
-(
-  NSSCKFWSession *fwSession
-);
-
-/*
- * nssCKFWSession_InitPIN
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSession_InitPIN
-(
-  NSSCKFWSession *fwSession,
-  NSSItem *pin
-);
-
-/*
- * nssCKFWSession_SetPIN
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSession_SetPIN
-(
-  NSSCKFWSession *fwSession,
-  NSSItem *newPin,
-  NSSItem *oldPin
-);
-
-/*
- * nssCKFWSession_GetOperationStateLen
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWSession_GetOperationStateLen
-(
-  NSSCKFWSession *fwSession,
-  CK_RV *pError
-);
-
-/*
- * nssCKFWSession_GetOperationState
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSession_GetOperationState
-(
-  NSSCKFWSession *fwSession,
-  NSSItem *buffer
-);
-
-/*
- * nssCKFWSession_SetOperationState
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSession_SetOperationState
-(
-  NSSCKFWSession *fwSession,
-  NSSItem *state,
-  NSSCKFWObject *encryptionKey,
-  NSSCKFWObject *authenticationKey
-);
-
-/*
- * nssCKFWSession_CreateObject
- *
- */
-NSS_EXTERN NSSCKFWObject *
-nssCKFWSession_CreateObject
-(
-  NSSCKFWSession *fwSession,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_RV *pError
-);
-
-/*
- * nssCKFWSession_CopyObject
- *
- */
-NSS_EXTERN NSSCKFWObject *
-nssCKFWSession_CopyObject
-(
-  NSSCKFWSession *fwSession,
-  NSSCKFWObject *object,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_RV *pError
-);
-
-/*
- * nssCKFWSession_FindObjectsInit
- *
- */
-NSS_EXTERN NSSCKFWFindObjects *
-nssCKFWSession_FindObjectsInit
-(
-  NSSCKFWSession *fwSession,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_RV *pError
-);
-
-/*
- * nssCKFWSession_SeedRandom
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSession_SeedRandom
-(
-  NSSCKFWSession *fwSession,
-  NSSItem *seed
-);
-
-/*
- * nssCKFWSession_GetRandom
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWSession_GetRandom
-(
-  NSSCKFWSession *fwSession,
-  NSSItem *buffer
-);
-
-/*
- * NSSCKFWObject
- *
- * -- create/destroy --
- *  nssCKFWObject_Create
- *  nssCKFWObject_Finalize
- *  nssCKFWObject_Destroy
- *
- * -- implement public accessors --
- *  nssCKFWObject_GetMDObject
- *  nssCKFWObject_GetArena
- *
- * -- private accessors --
- *  nssCKFWObject_SetHandle
- *  nssCKFWObject_GetHandle
- *
- * -- module fronts --
- *  nssCKFWObject_IsTokenObject
- *  nssCKFWObject_GetAttributeCount
- *  nssCKFWObject_GetAttributeTypes
- *  nssCKFWObject_GetAttributeSize
- *  nssCKFWObject_GetAttribute
- *  nssCKFWObject_SetAttribute
- *  nssCKFWObject_GetObjectSize
- */
-
-/*
- * nssCKFWObject_Create
- *
- */
-NSS_EXTERN NSSCKFWObject *
-nssCKFWObject_Create
-(
-  NSSArena *arena,
-  NSSCKMDObject *mdObject,
-  NSSCKFWSession *fwSession,
-  NSSCKFWToken *fwToken,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-);
-
-/*
- * nssCKFWObject_Finalize
- *
- */
-NSS_EXTERN void
-nssCKFWObject_Finalize
-(
-  NSSCKFWObject *fwObject
-);
-
-/*
- * nssCKFWObject_Destroy
- *
- */
-NSS_EXTERN void
-nssCKFWObject_Destroy
-(
-  NSSCKFWObject *fwObject
-);
-
-/*
- * nssCKFWObject_GetMDObject
- *
- */
-NSS_EXTERN NSSCKMDObject *
-nssCKFWObject_GetMDObject
-(
-  NSSCKFWObject *fwObject
-);
-
-/*
- * nssCKFWObject_GetArena
- *
- */
-NSS_EXTERN NSSArena *
-nssCKFWObject_GetArena
-(
-  NSSCKFWObject *fwObject,
-  CK_RV *pError
-);
-
-/*
- * nssCKFWObject_SetHandle
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWObject_SetHandle
-(
-  NSSCKFWObject *fwObject,
-  CK_OBJECT_HANDLE hObject
-);
-
-/*
- * nssCKFWObject_GetHandle
- *
- */
-NSS_EXTERN CK_OBJECT_HANDLE
-nssCKFWObject_GetHandle
-(
-  NSSCKFWObject *fwObject
-);
-
-/*
- * nssCKFWObject_IsTokenObject
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWObject_IsTokenObject
-(
-  NSSCKFWObject *fwObject
-);
-
-/*
- * nssCKFWObject_GetAttributeCount
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWObject_GetAttributeCount
-(
-  NSSCKFWObject *fwObject,
-  CK_RV *pError
-);
-
-/*
- * nssCKFWObject_GetAttributeTypes
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWObject_GetAttributeTypes
-(
-  NSSCKFWObject *fwObject,
-  CK_ATTRIBUTE_TYPE_PTR typeArray,
-  CK_ULONG ulCount
-);
-
-/*
- * nssCKFWObject_GetAttributeSize
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWObject_GetAttributeSize
-(
-  NSSCKFWObject *fwObject,
-  CK_ATTRIBUTE_TYPE attribute,
-  CK_RV *pError
-);
-
-/*
- * nssCKFWObject_GetAttribute
- *
- * Usual NSS allocation rules:
- * If itemOpt is not NULL, it will be returned; otherwise an NSSItem
- * will be allocated.  If itemOpt is not NULL but itemOpt->data is,
- * the buffer will be allocated; otherwise, the buffer will be used.
- * Any allocations will come from the optional arena, if one is
- * specified.
- */
-NSS_EXTERN NSSItem *
-nssCKFWObject_GetAttribute
-(
-  NSSCKFWObject *fwObject,
-  CK_ATTRIBUTE_TYPE attribute,
-  NSSItem *itemOpt,
-  NSSArena *arenaOpt,
-  CK_RV *pError
-);
-
-/*
- * nssCKFWObject_SetAttribute
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWObject_SetAttribute
-(
-  NSSCKFWObject *fwObject,
-  CK_ATTRIBUTE_TYPE attribute,
-  NSSItem *value
-);
-
-/*
- * nssCKFWObject_GetObjectSize
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWObject_GetObjectSize
-(
-  NSSCKFWObject *fwObject,
-  CK_RV *pError
-);
-
-/*
- * NSSCKFWFindObjects
- *
- *  -- create/destroy --
- *  nssCKFWFindObjects_Create
- *  nssCKFWFindObjects_Destroy
- *
- *  -- implement public accessors --
- *  nssCKFWFindObjects_GetMDFindObjects
- *
- *  -- private accessors --
- *
- *  -- module fronts --
- *  nssCKFWFindObjects_Next
- */
-
-/*
- * nssCKFWFindObjects_Create
- *
- */
-NSS_EXTERN NSSCKFWFindObjects *
-nssCKFWFindObjects_Create
-(
-  NSSCKFWSession *fwSession,
-  NSSCKFWToken *fwToken,
-  NSSCKFWInstance *fwInstance,
-  NSSCKMDFindObjects *mdFindObjects1,
-  NSSCKMDFindObjects *mdFindObjects2,
-  CK_RV *pError
-);
-
-/*
- * nssCKFWFindObjects_Destroy
- *
- */
-NSS_EXTERN void
-nssCKFWFindObjects_Destroy
-(
-  NSSCKFWFindObjects *fwFindObjects
-);
-
-/*
- * nssCKFWFindObjects_GetMDFindObjects
- *
- */
-NSS_EXTERN NSSCKMDFindObjects *
-nssCKFWFindObjects_GetMDFindObjects
-(
-  NSSCKFWFindObjects *fwFindObjects
-);
-
-/*
- * nssCKFWFindObjects_Next
- *
- */
-NSS_EXTERN NSSCKFWObject *
-nssCKFWFindObjects_Next
-(
-  NSSCKFWFindObjects *fwFindObjects,
-  NSSArena *arenaOpt,
-  CK_RV *pError
-);
-
-/*
- * NSSCKFWMutex
- *
- *  nssCKFWMutex_Create
- *  nssCKFWMutex_Destroy
- *  nssCKFWMutex_Lock
- *  nssCKFWMutex_Unlock
- *
- */
-
-/*
- * nssCKFWMutex_Create
- *
- */
-NSS_EXTERN NSSCKFWMutex *
-nssCKFWMutex_Create
-(
-  CK_C_INITIALIZE_ARGS_PTR pInitArgs,
-  CryptokiLockingState LockingState,
-  NSSArena *arena,
-  CK_RV *pError
-);
-
-/*
- * nssCKFWMutex_Destroy
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWMutex_Destroy
-(
-  NSSCKFWMutex *mutex
-);
-
-/*
- * nssCKFWMutex_Lock
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWMutex_Lock
-(
-  NSSCKFWMutex *mutex
-);
-
-/*
- * nssCKFWMutex_Unlock
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWMutex_Unlock
-(
-  NSSCKFWMutex *mutex
-);
-
-#endif /* CKFW_H */
diff --git a/security/nss/lib/ckfw/ckfwm.h b/security/nss/lib/ckfw/ckfwm.h
deleted file mode 100644
index 542bc390c..000000000
--- a/security/nss/lib/ckfw/ckfwm.h
+++ /dev/null
@@ -1,164 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef CKFWM_H
-#define CKFWM_H
-
-#ifdef DEBUG
-static const char CKFWM_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * ckfwm.h
- *
- * This file prototypes the module-private calls of the NSS Cryptoki Framework.
- */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-#ifndef NSSCKT_H
-#include "nssckt.h"
-#endif /* NSSCKT_H */
-
-#ifndef NSSCKFWT_H
-#include "nssckfwt.h"
-#endif /* NSSCKFWT_H */
-
-/*
- * nssCKFWHash
- *
- *  nssCKFWHash_Create
- *  nssCKFWHash_Destroy
- *  nssCKFWHash_Add
- *  nssCKFWHash_Remove
- *  nssCKFWHash_Count
- *  nssCKFWHash_Exists
- *  nssCKFWHash_Lookup
- *  nssCKFWHash_Iterate
- */
-
-/*
- * nssCKFWHash_Create
- *
- */
-NSS_EXTERN nssCKFWHash *
-nssCKFWHash_Create
-(
-  NSSCKFWInstance *fwInstance,
-  NSSArena *arena,
-  CK_RV *pError
-);
-
-/*
- * nssCKFWHash_Destroy
- *
- */
-NSS_EXTERN void
-nssCKFWHash_Destroy
-(
-  nssCKFWHash *hash
-);
-
-/*
- * nssCKFWHash_Add
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWHash_Add
-(
-  nssCKFWHash *hash,
-  const void *key,
-  const void *value
-);
-
-/*
- * nssCKFWHash_Remove
- *
- */
-NSS_EXTERN void
-nssCKFWHash_Remove
-(
-  nssCKFWHash *hash,
-  const void *it
-);
-
-/*
- * nssCKFWHash_Count
- *
- */
-NSS_EXTERN CK_ULONG
-nssCKFWHash_Count
-(
-  nssCKFWHash *hash
-);
-
-/*
- * nssCKFWHash_Exists
- *
- */
-NSS_EXTERN CK_BBOOL
-nssCKFWHash_Exists
-(
-  nssCKFWHash *hash,
-  const void *it
-);
-
-/*
- * nssCKFWHash_Lookup
- *
- */
-NSS_EXTERN void *
-nssCKFWHash_Lookup
-(
-  nssCKFWHash *hash,
-  const void *it
-);
-
-/*
- * nssCKFWHash_Iterate
- *
- */
-NSS_EXTERN void
-nssCKFWHash_Iterate
-(
-  nssCKFWHash *hash,
-  nssCKFWHashIterator fcn,
-  void *closure
-);
-
-#endif /* CKFWM_H */
diff --git a/security/nss/lib/ckfw/ckfwtm.h b/security/nss/lib/ckfw/ckfwtm.h
deleted file mode 100644
index b3eee1edb..000000000
--- a/security/nss/lib/ckfw/ckfwtm.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef CKFWTM_H
-#define CKFWTM_H
-
-#ifdef DEBUG
-static const char CKFWTM_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * ckfwtm.h
- *
- * This file declares the module-private types of the NSS Cryptoki Framework.
- */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-struct nssCKFWHashStr;
-typedef struct nssCKFWHashStr nssCKFWHash;
-
-typedef void (PR_CALLBACK *nssCKFWHashIterator)(const void *key, void *value, void *closure);
-
-#endif /* CKFWTM_H */
diff --git a/security/nss/lib/ckfw/ckmd.h b/security/nss/lib/ckfw/ckmd.h
deleted file mode 100644
index 0c6b14311..000000000
--- a/security/nss/lib/ckfw/ckmd.h
+++ /dev/null
@@ -1,68 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef CKMD_H
-#define CKMD_H
-
-#ifdef DEBUG
-static const char CKMD_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * ckmd.h
- *
- */
-
-NSS_EXTERN NSSCKMDObject *
-nssCKMDSessionObject_Create
-(
-  NSSCKFWToken *fwToken,
-  NSSArena *arena,
-  CK_ATTRIBUTE_PTR attributes,
-  CK_ULONG ulCount,
-  CK_RV *pError
-);
-
-NSS_EXTERN NSSCKMDFindObjects *
-nssCKMDFindSessionObjects_Create
-(
-  NSSCKFWToken *fwToken,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulCount,
-  CK_RV *pError
-);
-
-#endif /* CKMD_H */
diff --git a/security/nss/lib/ckfw/ckt.h b/security/nss/lib/ckfw/ckt.h
deleted file mode 100644
index f2e631679..000000000
--- a/security/nss/lib/ckfw/ckt.h
+++ /dev/null
@@ -1,40 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/* get back to just one set of PKCS #11 headers. Use the onese that
- * are easiest to maintain from the RSA website */
-/* this one is the one that defines NSS specific data */
-#include "pkcs11n.h"
diff --git a/security/nss/lib/ckfw/config.mk b/security/nss/lib/ckfw/config.mk
deleted file mode 100644
index 5202c7103..000000000
--- a/security/nss/lib/ckfw/config.mk
+++ /dev/null
@@ -1,58 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
-
-ifdef BUILD_IDG
-DEFINES += -DNSSDEBUG
-endif
-
-#
-# Hack to see if everything still builds
-#
-
-
-#
-#  Override TARGETS variable so that only static libraries
-#  are specifed as dependencies within rules.mk.
-#
-
-TARGETS        = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PROGRAM        =
-
-
diff --git a/security/nss/lib/ckfw/dbm/Makefile b/security/nss/lib/ckfw/dbm/Makefile
deleted file mode 100644
index bc6c17f1a..000000000
--- a/security/nss/lib/ckfw/dbm/Makefile
+++ /dev/null
@@ -1,38 +0,0 @@
-# 
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
-
-include manifest.mn
-include config.mk
-include $(CORE_DEPTH)/coreconf/config.mk
-include $(CORE_DEPTH)/coreconf/rules.mk
diff --git a/security/nss/lib/ckfw/dbm/anchor.c b/security/nss/lib/ckfw/dbm/anchor.c
deleted file mode 100644
index 6f6137a3c..000000000
--- a/security/nss/lib/ckfw/dbm/anchor.c
+++ /dev/null
@@ -1,50 +0,0 @@
-/* 
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- * 
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- * 
- * The Original Code is the Netscape security libraries.
- * 
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation.  Portions created by Netscape are 
- * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
- * Rights Reserved.
- * 
- * Contributor(s):
- * 
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable 
- * instead of those above.  If you wish to allow use of your 
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL.  If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * dbm/anchor.c
- *
- * This file "anchors" the actual cryptoki entry points in this module's
- * shared library, which is required for dynamic loading.  See the 
- * comments in nssck.api for more information.
- */
-
-#include "ckdbm.h"
-
-#define MODULE_NAME dbm
-#define INSTANCE_NAME (NSSCKMDInstance *)&nss_dbm_mdInstance
-#include "nssck.api"
diff --git a/security/nss/lib/ckfw/dbm/ckdbm.h b/security/nss/lib/ckfw/dbm/ckdbm.h
deleted file mode 100644
index a38850a0f..000000000
--- a/security/nss/lib/ckfw/dbm/ckdbm.h
+++ /dev/null
@@ -1,281 +0,0 @@
-/* 
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- * 
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- * 
- * The Original Code is the Netscape security libraries.
- * 
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation.  Portions created by Netscape are 
- * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
- * Rights Reserved.
- * 
- * Contributor(s):
- * 
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable 
- * instead of those above.  If you wish to allow use of your 
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL.  If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CKDBM_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#ifndef CKDBM_H
-#define CKDBM_H
-
-#include "nssckmdt.h"
-#include "nssckfw.h"
-
-/*
- * I'm including this for access to the arena functions.
- * Looks like we should publish that API.
- */
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-/*
- * This is where the Netscape extensions live, at least for now.
- */
-#ifndef CKT_H
-#include "ckt.h"
-#endif /* CKT_H */
-
-#include "mcom_db.h"
-
-NSS_EXTERN_DATA NSSCKMDInstance nss_dbm_mdInstance;
-
-typedef struct nss_dbm_db_struct nss_dbm_db_t;
-struct nss_dbm_db_struct {
-  DB *db;
-  NSSCKFWMutex *crustylock;
-};
-
-typedef struct nss_dbm_dbt_struct nss_dbm_dbt_t;
-struct nss_dbm_dbt_struct {
-  DBT dbt;
-  nss_dbm_db_t *my_db;
-};
-
-typedef struct nss_dbm_instance_struct nss_dbm_instance_t;
-struct nss_dbm_instance_struct {
-  NSSArena *arena;
-  CK_ULONG nSlots;
-  char **filenames;
-  int *flags; /* e.g. O_RDONLY, O_RDWR */
-};
-
-typedef struct nss_dbm_slot_struct nss_dbm_slot_t;
-struct nss_dbm_slot_struct {
-  nss_dbm_instance_t *instance;
-  char *filename;
-  int flags;
-  nss_dbm_db_t *token_db;
-};
-
-typedef struct nss_dbm_token_struct nss_dbm_token_t;
-struct nss_dbm_token_struct {
-  NSSArena *arena;
-  nss_dbm_slot_t *slot;
-  nss_dbm_db_t *session_db;
-  NSSUTF8 *label;
-};
-
-struct nss_dbm_dbt_node {
-  struct nss_dbm_dbt_node *next;
-  nss_dbm_dbt_t *dbt;
-};
-
-typedef struct nss_dbm_session_struct nss_dbm_session_t;
-struct nss_dbm_session_struct {
-  NSSArena *arena;
-  nss_dbm_token_t *token;
-  CK_ULONG deviceError;
-  struct nss_dbm_dbt_node *session_objects;
-  NSSCKFWMutex *list_lock;
-};
-
-typedef struct nss_dbm_object_struct nss_dbm_object_t;
-struct nss_dbm_object_struct {
-  NSSArena *arena; /* token or session */
-  nss_dbm_dbt_t *handle;
-};
-
-typedef struct nss_dbm_find_struct nss_dbm_find_t;
-struct nss_dbm_find_struct {
-  NSSArena *arena;
-  struct nss_dbm_dbt_node *found;
-  NSSCKFWMutex *list_lock;
-};
-
-NSS_EXTERN NSSCKMDSlot *
-nss_dbm_mdSlot_factory
-(
-  nss_dbm_instance_t *instance,
-  char *filename,
-  int flags,
-  CK_RV *pError
-);
-
-NSS_EXTERN NSSCKMDToken *
-nss_dbm_mdToken_factory
-(
-  nss_dbm_slot_t *slot,
-  CK_RV *pError
-);
-
-NSS_EXTERN NSSCKMDSession *
-nss_dbm_mdSession_factory
-(
-  nss_dbm_token_t *token,
-  NSSCKFWSession *fwSession,
-  NSSCKFWInstance *fwInstance,
-  CK_BBOOL rw,
-  CK_RV *pError
-);
-
-NSS_EXTERN NSSCKMDObject *
-nss_dbm_mdObject_factory
-(
-  nss_dbm_object_t *object,
-  CK_RV *pError
-);
-
-NSS_EXTERN NSSCKMDFindObjects *
-nss_dbm_mdFindObjects_factory
-(
-  nss_dbm_find_t *find,
-  CK_RV *pError
-);
-
-NSS_EXTERN nss_dbm_db_t *
-nss_dbm_db_open
-(
-  NSSArena *arena,
-  NSSCKFWInstance *fwInstance,
-  char *filename,
-  int flags,
-  CK_RV *pError
-);
-
-NSS_EXTERN void
-nss_dbm_db_close
-(
-  nss_dbm_db_t *db
-);
-
-NSS_EXTERN CK_VERSION
-nss_dbm_db_get_format_version
-(
-  nss_dbm_db_t *db
-);
-
-NSS_EXTERN CK_RV
-nss_dbm_db_set_label
-(
-  nss_dbm_db_t *db,
-  NSSUTF8 *label
-);
-
-NSS_EXTERN NSSUTF8 *
-nss_dbm_db_get_label
-(
-  nss_dbm_db_t *db,
-  NSSArena *arena,
-  CK_RV *pError
-);
-
-NSS_EXTERN CK_RV
-nss_dbm_db_delete_object
-(
-  nss_dbm_dbt_t *dbt
-);
-
-NSS_EXTERN nss_dbm_dbt_t *
-nss_dbm_db_create_object
-(
-  NSSArena *arena,
-  nss_dbm_db_t *db,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_RV *pError,
-  CK_ULONG *pdbrv
-);
-
-NSS_EXTERN CK_RV
-nss_dbm_db_find_objects
-(
-  nss_dbm_find_t *find,
-  nss_dbm_db_t *db,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_ULONG *pdbrv
-);
-
-NSS_EXTERN CK_BBOOL
-nss_dbm_db_object_still_exists
-(
-  nss_dbm_dbt_t *dbt
-);
-
-NSS_EXTERN CK_ULONG
-nss_dbm_db_get_object_attribute_count
-(
-  nss_dbm_dbt_t *dbt,
-  CK_RV *pError,
-  CK_ULONG *pdbrv
-);
-
-NSS_EXTERN CK_RV
-nss_dbm_db_get_object_attribute_types
-(
-  nss_dbm_dbt_t *dbt,
-  CK_ATTRIBUTE_TYPE_PTR typeArray,
-  CK_ULONG ulCount,
-  CK_ULONG *pdbrv
-);
-
-NSS_EXTERN CK_ULONG
-nss_dbm_db_get_object_attribute_size
-(
-  nss_dbm_dbt_t *dbt,
-  CK_ATTRIBUTE_TYPE type,
-  CK_RV *pError,
-  CK_ULONG *pdbrv
-);
-
-NSS_EXTERN NSSItem *
-nss_dbm_db_get_object_attribute
-(
-  nss_dbm_dbt_t *dbt,
-  NSSArena *arena,
-  CK_ATTRIBUTE_TYPE type,
-  CK_RV *pError,
-  CK_ULONG *pdbrv
-);
-
-NSS_EXTERN CK_RV
-nss_dbm_db_set_object_attribute
-(
-  nss_dbm_dbt_t *dbt,
-  CK_ATTRIBUTE_TYPE type,
-  NSSItem *value,
-  CK_ULONG *pdbrv
-);
-
-#endif /* CKDBM_H */
diff --git a/security/nss/lib/ckfw/dbm/config.mk b/security/nss/lib/ckfw/dbm/config.mk
deleted file mode 100644
index 63eb61689..000000000
--- a/security/nss/lib/ckfw/dbm/config.mk
+++ /dev/null
@@ -1,37 +0,0 @@
-# 
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
-
-ifdef BUILD_IDG
-DEFINES += -DNSSDEBUG
-endif
diff --git a/security/nss/lib/ckfw/dbm/db.c b/security/nss/lib/ckfw/dbm/db.c
deleted file mode 100644
index 83d933a67..000000000
--- a/security/nss/lib/ckfw/dbm/db.c
+++ /dev/null
@@ -1,1065 +0,0 @@
-/* 
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- * 
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- * 
- * The Original Code is the Netscape security libraries.
- * 
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation.  Portions created by Netscape are 
- * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
- * Rights Reserved.
- * 
- * Contributor(s):
- * 
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable 
- * instead of those above.  If you wish to allow use of your 
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL.  If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#include "ckdbm.h"
-
-#define PREFIX_METADATA "0000"
-#define PREFIX_OBJECT   "0001"
-#define PREFIX_INDEX    "0002"
-
-static CK_VERSION nss_dbm_db_format_version = { 1, 0 };
-struct handle {
-  char prefix[4];
-  CK_ULONG id;
-};
-
-NSS_IMPLEMENT nss_dbm_db_t *
-nss_dbm_db_open
-(
-  NSSArena *arena,
-  NSSCKFWInstance *fwInstance,
-  char *filename,
-  int flags,
-  CK_RV *pError
-)
-{
-  nss_dbm_db_t *rv;
-  CK_VERSION db_version;
-
-  rv = nss_ZNEW(arena, nss_dbm_db_t);
-  if( (nss_dbm_db_t *)NULL == rv ) {
-    *pError = CKR_HOST_MEMORY;
-    return (nss_dbm_db_t *)NULL;
-  }
-
-  rv->db = dbopen(filename, flags, 0600, DB_HASH, (const void *)NULL);
-  if( (DB *)NULL == rv->db ) {
-    *pError = CKR_TOKEN_NOT_PRESENT;
-    return (nss_dbm_db_t *)NULL;
-  }
-
-  rv->crustylock = NSSCKFWInstance_CreateMutex(fwInstance, arena, pError);
-  if( (NSSCKFWMutex *)NULL == rv->crustylock ) {
-    return (nss_dbm_db_t *)NULL;
-  }
-
-  db_version = nss_dbm_db_get_format_version(rv);
-  if( db_version.major != nss_dbm_db_format_version.major ) {
-    nss_dbm_db_close(rv);
-    *pError = CKR_TOKEN_NOT_RECOGNIZED;
-    return (nss_dbm_db_t *)NULL;
-  }
-
-  return rv;
-}
-
-NSS_IMPLEMENT void
-nss_dbm_db_close
-(
-  nss_dbm_db_t *db
-)
-{
-  if( (NSSCKFWMutex *)NULL != db->crustylock ) {
-    (void)NSSCKFWMutex_Destroy(db->crustylock);
-  }
-
-  if( (DB *)NULL != db->db ) {
-    (void)db->db->close(db->db);
-  }
-
-  nss_ZFreeIf(db);
-}
-
-NSS_IMPLEMENT CK_VERSION
-nss_dbm_db_get_format_version
-(
-  nss_dbm_db_t *db
-)
-{
-  CK_VERSION rv;
-  DBT k, v;
-  int dbrv;
-  char buffer[64];
-
-  rv.major = rv.minor = 0;
-
-  k.data = PREFIX_METADATA "FormatVersion";
-  k.size = nssUTF8_Size((NSSUTF8 *)k.data, (PRStatus *)NULL);
-  (void)memset(&v, 0, sizeof(v));
-
-  /* Locked region */ 
-  {
-    if( CKR_OK != NSSCKFWMutex_Lock(db->crustylock) ) {
-      return rv;
-    }
-
-    dbrv = db->db->get(db->db, &k, &v, 0);
-    if( dbrv == 0 ) {
-      CK_ULONG major = 0, minor = 0;
-      (void)PR_sscanf(v.data, "%ld.%ld", &major, &minor);
-      rv.major = major;
-      rv.minor = minor;
-    } else if( dbrv > 0 ) {
-      (void)PR_snprintf(buffer, sizeof(buffer), "%ld.%ld", nss_dbm_db_format_version.major,
-                        nss_dbm_db_format_version.minor);
-      v.data = buffer;
-      v.size = nssUTF8_Size((NSSUTF8 *)v.data, (PRStatus *)NULL);
-      dbrv = db->db->put(db->db, &k, &v, 0);
-      (void)db->db->sync(db->db, 0);
-      rv = nss_dbm_db_format_version;
-    } else {
-      /* No error return.. */
-      ;
-    }
-
-    (void)NSSCKFWMutex_Unlock(db->crustylock);
-  }
-
-  return rv;
-}
-
-NSS_IMPLEMENT CK_RV
-nss_dbm_db_set_label
-(
-  nss_dbm_db_t *db,
-  NSSUTF8 *label
-)
-{
-  CK_RV rv;
-  DBT k, v;
-  int dbrv;
-
-  k.data = PREFIX_METADATA "Label";
-  k.size = nssUTF8_Size((NSSUTF8 *)k.data, (PRStatus *)NULL);
-  v.data = label;
-  v.size = nssUTF8_Size((NSSUTF8 *)v.data, (PRStatus *)NULL);
-
-  /* Locked region */ 
-  {
-    if( CKR_OK != NSSCKFWMutex_Lock(db->crustylock) ) {
-      return rv;
-    }
-
-    dbrv = db->db->put(db->db, &k, &v, 0);
-    if( 0 != dbrv ) {
-      rv = CKR_DEVICE_ERROR;
-    }
-
-    dbrv = db->db->sync(db->db, 0);
-    if( 0 != dbrv ) {
-      rv = CKR_DEVICE_ERROR;
-    }
-
-    (void)NSSCKFWMutex_Unlock(db->crustylock);
-  }
-
-  return rv;
-}
-
-NSS_IMPLEMENT NSSUTF8 *
-nss_dbm_db_get_label
-(
-  nss_dbm_db_t *db,
-  NSSArena *arena,
-  CK_RV *pError
-)
-{
-  NSSUTF8 *rv = (NSSUTF8 *)NULL;
-  DBT k, v;
-  int dbrv;
-
-  k.data = PREFIX_METADATA "Label";
-  k.size = nssUTF8_Size((NSSUTF8 *)k.data, (PRStatus *)NULL);
-
-  /* Locked region */ 
-  {
-    if( CKR_OK != NSSCKFWMutex_Lock(db->crustylock) ) {
-      return rv;
-    }
-
-    dbrv = db->db->get(db->db, &k, &v, 0);
-    if( 0 == dbrv ) {
-      rv = nssUTF8_Duplicate((NSSUTF8 *)v.data, arena);
-      if( (NSSUTF8 *)NULL == rv ) {
-        *pError = CKR_HOST_MEMORY;
-      }
-    } else if( dbrv > 0 ) {
-      /* Just return null */
-      ;
-    } else {
-      *pError = CKR_DEVICE_ERROR;
-      ;
-    }
-
-
-    (void)NSSCKFWMutex_Unlock(db->crustylock);
-  }
-
-  return rv;
-}
-
-NSS_IMPLEMENT CK_RV
-nss_dbm_db_delete_object
-(
-  nss_dbm_dbt_t *dbt
-)
-{
-  CK_RV rv;
-  int dbrv;
-
-  /* Locked region */
-  {
-    rv = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
-    if( CKR_OK != rv ) {
-      return rv;
-    }
-
-    dbrv = dbt->my_db->db->del(dbt->my_db->db, &dbt->dbt, 0);
-    if( 0 != dbrv ) {
-      rv = CKR_DEVICE_ERROR;
-      goto done;
-    }
-
-    dbrv = dbt->my_db->db->sync(dbt->my_db->db, 0);
-    if( 0 != dbrv ) {
-      rv = CKR_DEVICE_ERROR;
-      goto done;
-    }
-
-  done:
-    (void)NSSCKFWMutex_Unlock(dbt->my_db->crustylock);
-  }
-
-  return rv;
-}
-
-static CK_ULONG
-nss_dbm_db_new_handle
-(
-  nss_dbm_db_t *db,
-  DBT *dbt, /* pre-allocated */
-  CK_RV *pError
-)
-{
-  CK_ULONG rv;
-  DBT k, v;
-  CK_ULONG align = 0, id, myid;
-  struct handle *hp;
-
-  if( sizeof(struct handle) != dbt->size ) {
-    return EINVAL;
-  }
-
-  /* Locked region */
-  {
-    *pError = NSSCKFWMutex_Lock(db->crustylock);
-    if( CKR_OK != *pError ) {
-      return EINVAL;
-    }
-
-    k.data = PREFIX_METADATA "LastID";
-    k.size = nssUTF8_Size((NSSUTF8 *)k.data, (PRStatus *)NULL);
-    (void)memset(&v, 0, sizeof(v));
-
-    rv = db->db->get(db->db, &k, &v, 0);
-    if( 0 == rv ) {
-      (void)memcpy(&align, v.data, sizeof(CK_ULONG));
-      id = ntohl(align);
-    } else if( rv > 0 ) {
-      id = 0;
-    } else {
-      goto done;
-    }
-
-    myid = id;
-    id++;
-    align = htonl(id);
-    v.data = &align;
-    v.size = sizeof(CK_ULONG);
-
-    rv = db->db->put(db->db, &k, &v, 0);
-    if( 0 != rv ) {
-      goto done;
-    }
-
-    rv = db->db->sync(db->db, 0);
-    if( 0 != rv ) {
-      goto done;
-    }
-
-  done:
-    (void)NSSCKFWMutex_Unlock(db->crustylock);
-  }
-
-  if( 0 != rv ) {
-    return rv;
-  }
-
-  hp = (struct handle *)dbt->data;
-  (void)memcpy(&hp->prefix[0], PREFIX_OBJECT, 4);
-  hp->id = myid;
-
-  return 0;
-}
-
-/*
- * This attribute-type-dependent swapping should probably
- * be in the Framework, because it'll be a concern of just
- * about every Module.  Of course any Framework implementation
- * will have to be augmentable or overridable by a Module.
- */
-
-enum swap_type { type_byte, type_short, type_long, type_opaque };
-
-static enum swap_type
-nss_dbm_db_swap_type
-(
-  CK_ATTRIBUTE_TYPE type
-)
-{
-  switch( type ) {
-  case CKA_CLASS: return type_long;
-  case CKA_TOKEN: return type_byte;
-  case CKA_PRIVATE: return type_byte;
-  case CKA_LABEL: return type_opaque;
-  case CKA_APPLICATION: return type_opaque;
-  case CKA_VALUE: return type_opaque;
-  case CKA_CERTIFICATE_TYPE: return type_long;
-  case CKA_ISSUER: return type_opaque;
-  case CKA_SERIAL_NUMBER: return type_opaque;
-  case CKA_KEY_TYPE: return type_long;
-  case CKA_SUBJECT: return type_opaque;
-  case CKA_ID: return type_opaque;
-  case CKA_SENSITIVE: return type_byte;
-  case CKA_ENCRYPT: return type_byte;
-  case CKA_DECRYPT: return type_byte;
-  case CKA_WRAP: return type_byte;
-  case CKA_UNWRAP: return type_byte;
-  case CKA_SIGN: return type_byte;
-  case CKA_SIGN_RECOVER: return type_byte;
-  case CKA_VERIFY: return type_byte;
-  case CKA_VERIFY_RECOVER: return type_byte;
-  case CKA_DERIVE: return type_byte;
-  case CKA_START_DATE: return type_opaque;
-  case CKA_END_DATE: return type_opaque;
-  case CKA_MODULUS: return type_opaque;
-  case CKA_MODULUS_BITS: return type_long;
-  case CKA_PUBLIC_EXPONENT: return type_opaque;
-  case CKA_PRIVATE_EXPONENT: return type_opaque;
-  case CKA_PRIME_1: return type_opaque;
-  case CKA_PRIME_2: return type_opaque;
-  case CKA_EXPONENT_1: return type_opaque;
-  case CKA_EXPONENT_2: return type_opaque;
-  case CKA_COEFFICIENT: return type_opaque;
-  case CKA_PRIME: return type_opaque;
-  case CKA_SUBPRIME: return type_opaque;
-  case CKA_BASE: return type_opaque;
-  case CKA_VALUE_BITS: return type_long;
-  case CKA_VALUE_LEN: return type_long;
-  case CKA_EXTRACTABLE: return type_byte;
-  case CKA_LOCAL: return type_byte;
-  case CKA_NEVER_EXTRACTABLE: return type_byte;
-  case CKA_ALWAYS_SENSITIVE: return type_byte;
-  case CKA_MODIFIABLE: return type_byte;
-  case CKA_NETSCAPE_URL: return type_opaque;
-  case CKA_NETSCAPE_EMAIL: return type_opaque;
-  case CKA_NETSCAPE_SMIME_INFO: return type_opaque;
-  case CKA_NETSCAPE_SMIME_TIMESTAMP: return type_opaque;
-  case CKA_NETSCAPE_PKCS8_SALT: return type_opaque;
-  case CKA_NETSCAPE_PASSWORD_CHECK: return type_opaque;
-  case CKA_NETSCAPE_EXPIRES: return type_opaque;
-  case CKA_TRUST_DIGITAL_SIGNATURE: return type_long;
-  case CKA_TRUST_NON_REPUDIATION: return type_long;
-  case CKA_TRUST_KEY_ENCIPHERMENT: return type_long;
-  case CKA_TRUST_DATA_ENCIPHERMENT: return type_long;
-  case CKA_TRUST_KEY_AGREEMENT: return type_long;
-  case CKA_TRUST_KEY_CERT_SIGN: return type_long;
-  case CKA_TRUST_CRL_SIGN: return type_long;
-  case CKA_TRUST_SERVER_AUTH: return type_long;
-  case CKA_TRUST_CLIENT_AUTH: return type_long;
-  case CKA_TRUST_CODE_SIGNING: return type_long;
-  case CKA_TRUST_EMAIL_PROTECTION: return type_long;
-  case CKA_TRUST_IPSEC_END_SYSTEM: return type_long;
-  case CKA_TRUST_IPSEC_TUNNEL: return type_long;
-  case CKA_TRUST_IPSEC_USER: return type_long;
-  case CKA_TRUST_TIME_STAMPING: return type_long;
-  case CKA_NETSCAPE_DB: return type_opaque;
-  case CKA_NETSCAPE_TRUST: return type_opaque;
-  default: return type_opaque;
-  }
-}
-
-static void
-nss_dbm_db_swap_copy
-(
-  CK_ATTRIBUTE_TYPE type,
-  void *dest,
-  void *src,
-  CK_ULONG len
-)
-{
-  switch( nss_dbm_db_swap_type(type) ) {
-  case type_byte:
-  case type_opaque:
-    (void)memcpy(dest, src, len);
-    break;
-  case type_short:
-    {
-      CK_USHORT s, d;
-      (void)memcpy(&s, src, sizeof(CK_USHORT));
-      d = htons(s);
-      (void)memcpy(dest, &d, sizeof(CK_USHORT));
-      break;
-    }
-  case type_long:
-    {
-      CK_ULONG s, d;
-      (void)memcpy(&s, src, sizeof(CK_ULONG));
-      d = htonl(s);
-      (void)memcpy(dest, &d, sizeof(CK_ULONG));
-      break;
-    }
-  }
-}
-
-static CK_RV
-nss_dbm_db_wrap_object
-(
-  NSSArena *arena,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  DBT *object
-)
-{
-  CK_ULONG object_size;
-  CK_ULONG i;
-  CK_ULONG *pulData;
-  char *pcData;
-  CK_ULONG offset;
-
-  object_size = (1 + ulAttributeCount*3) * sizeof(CK_ULONG);
-  offset = object_size;
-  for( i = 0; i < ulAttributeCount; i++ ) {
-    object_size += pTemplate[i].ulValueLen;
-  }
-
-  object->size = object_size;
-  object->data = nss_ZAlloc(arena, object_size);
-  if( (void *)NULL == object->data ) {
-    return CKR_HOST_MEMORY;
-  }
-
-  pulData = (CK_ULONG *)object->data;
-  pcData = (char *)object->data;
-
-  pulData[0] = htonl(ulAttributeCount);
-  for( i = 0; i < ulAttributeCount; i++ ) {
-    CK_ULONG len = pTemplate[i].ulValueLen;
-    pulData[1 + i*3] = htonl(pTemplate[i].type);
-    pulData[2 + i*3] = htonl(len);
-    pulData[3 + i*3] = htonl(offset);
-    nss_dbm_db_swap_copy(pTemplate[i].type, &pcData[offset], pTemplate[i].pValue, len);
-    offset += len;
-  }
-
-  return CKR_OK;
-}
-
-static CK_RV
-nss_dbm_db_unwrap_object
-(
-  NSSArena *arena,
-  DBT *object,
-  CK_ATTRIBUTE_PTR *ppTemplate,
-  CK_ULONG *pulAttributeCount
-)
-{
-  CK_ULONG *pulData;
-  char *pcData;
-  CK_ULONG n, i;
-  CK_ATTRIBUTE_PTR pTemplate;
-
-  pulData = (CK_ULONG *)object->data;
-  pcData = (char *)object->data;
-
-  n = ntohl(pulData[0]);
-  *pulAttributeCount = n;
-  pTemplate = nss_ZNEWARRAY(arena, CK_ATTRIBUTE, n);
-  if( (CK_ATTRIBUTE_PTR)NULL == pTemplate ) {
-    return CKR_HOST_MEMORY;
-  }
-
-  for( i = 0; i < n; i++ ) {
-    CK_ULONG len;
-    CK_ULONG offset;
-    void *p;
-
-    pTemplate[i].type = ntohl(pulData[1 + i*3]);
-    len = ntohl(pulData[2 + i*3]);
-    offset = ntohl(pulData[3 +  i*3]);
-    
-    p = nss_ZAlloc(arena, len);
-    if( (void *)NULL == p ) {
-      return CKR_HOST_MEMORY;
-    }
-    
-    nss_dbm_db_swap_copy(pTemplate[i].type, p, &pcData[offset], len);
-    pTemplate[i].ulValueLen = len;
-    pTemplate[i].pValue = p;
-  }
-
-  *ppTemplate = pTemplate;
-  return CKR_OK;
-}
-
-
-NSS_IMPLEMENT nss_dbm_dbt_t *
-nss_dbm_db_create_object
-(
-  NSSArena *arena,
-  nss_dbm_db_t *db,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_RV *pError,
-  CK_ULONG *pdbrv
-)
-{
-  NSSArena *tmparena = (NSSArena *)NULL;
-  nss_dbm_dbt_t *rv = (nss_dbm_dbt_t *)NULL;
-  DBT object;
-
-  rv = nss_ZNEW(arena, nss_dbm_dbt_t);
-  if( (nss_dbm_dbt_t *)NULL == rv ) {
-    *pError = CKR_HOST_MEMORY;
-    return (nss_dbm_dbt_t *)NULL;
-  }
-
-  rv->my_db = db;
-  rv->dbt.size = sizeof(struct handle);
-  rv->dbt.data = nss_ZAlloc(arena, rv->dbt.size);
-  if( (void *)NULL == rv->dbt.data ) {
-    *pError = CKR_HOST_MEMORY;
-    return (nss_dbm_dbt_t *)NULL;
-  }
-
-  *pdbrv = nss_dbm_db_new_handle(db, &rv->dbt, pError);
-  if( 0 != *pdbrv ) {
-    return (nss_dbm_dbt_t *)NULL;
-  }
-
-  tmparena = NSSArena_Create();
-  if( (NSSArena *)NULL == tmparena ) {
-    *pError = CKR_HOST_MEMORY;
-    return (nss_dbm_dbt_t *)NULL;
-  }
-
-  *pError = nss_dbm_db_wrap_object(tmparena, pTemplate, ulAttributeCount, &object);
-  if( CKR_OK != *pError ) {
-    return (nss_dbm_dbt_t *)NULL;
-  }
-  
-  /* Locked region */
-  {
-    *pError = NSSCKFWMutex_Lock(db->crustylock);
-    if( CKR_OK != *pError ) {
-      goto loser;
-    }
-
-    *pdbrv = db->db->put(db->db, &rv->dbt, &object, 0);
-    if( 0 != *pdbrv ) {
-      *pError = CKR_DEVICE_ERROR;
-    }
-
-    (void)db->db->sync(db->db, 0);
-
-    (void)NSSCKFWMutex_Unlock(db->crustylock);
-  }
-
- loser:  
-  if( (NSSArena *)NULL != tmparena ) {
-    (void)NSSArena_Destroy(tmparena);
-  }
-
-  return rv;
-}
-
-
-NSS_IMPLEMENT CK_RV
-nss_dbm_db_find_objects
-(
-  nss_dbm_find_t *find,
-  nss_dbm_db_t *db,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_ULONG *pdbrv
-)
-{
-  CK_RV rv = CKR_OK;
-
-  if( (nss_dbm_db_t *)NULL != db ) {
-    DBT k, v;
-
-    rv = NSSCKFWMutex_Lock(db->crustylock);
-    if( CKR_OK != rv ) {
-      return rv;
-    }
-
-    *pdbrv = db->db->seq(db->db, &k, &v, R_FIRST);
-    while( 0 == *pdbrv ) {
-      CK_ULONG i, j;
-      NSSArena *tmparena = (NSSArena *)NULL;
-      CK_ULONG ulac;
-      CK_ATTRIBUTE_PTR pt;
-
-      if( (k.size < 4) || (0 != memcmp(k.data, PREFIX_OBJECT, 4)) ) {
-        goto nomatch;
-      }
-
-      tmparena = NSSArena_Create();
-
-      rv = nss_dbm_db_unwrap_object(tmparena, &v, &pt, &ulac);
-      if( CKR_OK != rv ) {
-        goto loser;
-      }
-
-      for( i = 0; i < ulAttributeCount; i++ ) {
-        for( j = 0; j < ulac; j++ ) {
-          if( pTemplate[i].type == pt[j].type ) {
-            if( pTemplate[i].ulValueLen != pt[j].ulValueLen ) {
-              goto nomatch;
-            }
-            if( 0 != memcmp(pTemplate[i].pValue, pt[j].pValue, pt[j].ulValueLen) ) {
-              goto nomatch;
-            }
-            break;
-          }
-        }
-        if( j == ulac ) {
-          goto nomatch;
-        }
-      }
-
-      /* entire template matches */
-      {
-        struct nss_dbm_dbt_node *node;
-
-        node = nss_ZNEW(find->arena, struct nss_dbm_dbt_node);
-        if( (struct nss_dbm_dbt_node *)NULL == node ) {
-          rv = CKR_HOST_MEMORY;
-          goto loser;
-        }
-
-        node->dbt = nss_ZNEW(find->arena, nss_dbm_dbt_t);
-        if( (nss_dbm_dbt_t *)NULL == node->dbt ) {
-          rv = CKR_HOST_MEMORY;
-          goto loser;
-        }
-        
-        node->dbt->dbt.size = k.size;
-        node->dbt->dbt.data = nss_ZAlloc(find->arena, k.size);
-        if( (void *)NULL == node->dbt->dbt.data ) {
-          rv = CKR_HOST_MEMORY;
-          goto loser;
-        }
-
-        (void)memcpy(node->dbt->dbt.data, k.data, k.size);
-
-        node->dbt->my_db = db;
-
-        node->next = find->found;
-        find->found = node;
-      }
-
-    nomatch:
-      if( (NSSArena *)NULL != tmparena ) {
-        (void)NSSArena_Destroy(tmparena);
-      }
-      *pdbrv = db->db->seq(db->db, &k, &v, R_NEXT);
-    }
-
-    if( *pdbrv < 0 ) {
-      rv = CKR_DEVICE_ERROR;
-      goto loser;
-    }
-
-    rv = CKR_OK;
-
-  loser:
-    (void)NSSCKFWMutex_Unlock(db->crustylock);
-  }
-
-  return rv;
-}
-
-NSS_IMPLEMENT CK_BBOOL
-nss_dbm_db_object_still_exists
-(
-  nss_dbm_dbt_t *dbt
-)
-{
-  CK_BBOOL rv;
-  CK_RV ckrv;
-  int dbrv;
-  DBT object;
-
-  ckrv = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
-  if( CKR_OK != ckrv ) {
-    return CK_FALSE;
-  }
-
-  dbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
-  if( 0 == dbrv ) {
-    rv = CK_TRUE;
-  } else {
-    rv = CK_FALSE;
-  }
-
-  (void)NSSCKFWMutex_Unlock(dbt->my_db->crustylock);
-
-  return rv;
-}
-
-NSS_IMPLEMENT CK_ULONG
-nss_dbm_db_get_object_attribute_count
-(
-  nss_dbm_dbt_t *dbt,
-  CK_RV *pError,
-  CK_ULONG *pdbrv
-)
-{
-  CK_ULONG rv = 0;
-  DBT object;
-  CK_ULONG *pulData;
-
-  /* Locked region */
-  {
-    *pError = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
-    if( CKR_OK != *pError ) {
-      return rv;
-    }
-
-    *pdbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
-    if( 0 == *pdbrv ) {
-      ;
-    } else if( *pdbrv > 0 ) {
-      *pError = CKR_OBJECT_HANDLE_INVALID;
-      goto done;
-    } else {
-      *pError = CKR_DEVICE_ERROR;
-      goto done;
-    }
-
-    pulData = (CK_ULONG *)object.data;
-    rv = ntohl(pulData[0]);
-
-  done:
-    (void)NSSCKFWMutex_Unlock(dbt->my_db->crustylock);
-  }
-
-  return rv;
-}
-
-NSS_IMPLEMENT CK_RV
-nss_dbm_db_get_object_attribute_types
-(
-  nss_dbm_dbt_t *dbt,
-  CK_ATTRIBUTE_TYPE_PTR typeArray,
-  CK_ULONG ulCount,
-  CK_ULONG *pdbrv
-)
-{
-  CK_RV rv = CKR_OK;
-  DBT object;
-  CK_ULONG *pulData;
-  CK_ULONG n, i;
-
-  /* Locked region */
-  {
-    rv = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
-    if( CKR_OK != rv ) {
-      return rv;
-    }
-
-    *pdbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
-    if( 0 == *pdbrv ) {
-      ;
-    } else if( *pdbrv > 0 ) {
-      rv = CKR_OBJECT_HANDLE_INVALID;
-      goto done;
-    } else {
-      rv = CKR_DEVICE_ERROR;
-      goto done;
-    }
-
-    pulData = (CK_ULONG *)object.data;
-    n = ntohl(pulData[0]);
-
-    if( ulCount < n ) {
-      rv = CKR_BUFFER_TOO_SMALL;
-      goto done;
-    }
-
-    for( i = 0; i < n; i++ ) {
-      typeArray[i] = ntohl(pulData[1 + i*3]);
-    }
-
-  done:
-    (void)NSSCKFWMutex_Unlock(dbt->my_db->crustylock);
-  }
-
-  return rv;
-}
-
-NSS_IMPLEMENT CK_ULONG
-nss_dbm_db_get_object_attribute_size
-(
-  nss_dbm_dbt_t *dbt,
-  CK_ATTRIBUTE_TYPE type,
-  CK_RV *pError,
-  CK_ULONG *pdbrv
-)
-{
-  CK_ULONG rv = 0;
-  DBT object;
-  CK_ULONG *pulData;
-  CK_ULONG n, i;
-
-  /* Locked region */
-  {
-    *pError = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
-    if( CKR_OK != *pError ) {
-      return rv;
-    }
-
-    *pdbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
-    if( 0 == *pdbrv ) {
-      ;
-    } else if( *pdbrv > 0 ) {
-      *pError = CKR_OBJECT_HANDLE_INVALID;
-      goto done;
-    } else {
-      *pError = CKR_DEVICE_ERROR;
-      goto done;
-    }
-
-    pulData = (CK_ULONG *)object.data;
-    n = ntohl(pulData[0]);
-
-    for( i = 0; i < n; i++ ) {
-      if( type == ntohl(pulData[1 + i*3]) ) {
-        rv = ntohl(pulData[2 + i*3]);
-      }
-    }
-
-    if( i == n ) {
-      *pError = CKR_ATTRIBUTE_TYPE_INVALID;
-      goto done;
-    }
-
-  done:
-    (void)NSSCKFWMutex_Unlock(dbt->my_db->crustylock);
-  }
-
-  return rv;
-}
-
-NSS_IMPLEMENT NSSItem *
-nss_dbm_db_get_object_attribute
-(
-  nss_dbm_dbt_t *dbt,
-  NSSArena *arena,
-  CK_ATTRIBUTE_TYPE type,
-  CK_RV *pError,
-  CK_ULONG *pdbrv
-)
-{
-  NSSItem *rv = (NSSItem *)NULL;
-  DBT object;
-  CK_ULONG i;
-  NSSArena *tmp = NSSArena_Create();
-  CK_ATTRIBUTE_PTR pTemplate;
-  CK_ULONG ulAttributeCount;
-
-  /* Locked region */
-  {
-    *pError = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
-    if( CKR_OK != *pError ) {
-      goto loser;
-    }
-
-    *pdbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
-    if( 0 == *pdbrv ) {
-      ;
-    } else if( *pdbrv > 0 ) {
-      *pError = CKR_OBJECT_HANDLE_INVALID;
-      goto done;
-    } else {
-      *pError = CKR_DEVICE_ERROR;
-      goto done;
-    }
-
-    *pError = nss_dbm_db_unwrap_object(tmp, &object, &pTemplate, &ulAttributeCount);
-    if( CKR_OK != *pError ) {
-      goto done;
-    }
-
-    for( i = 0; i < ulAttributeCount; i++ ) {
-      if( type == pTemplate[i].type ) {
-        rv = nss_ZNEW(arena, NSSItem);
-        if( (NSSItem *)NULL == rv ) {
-          *pError = CKR_HOST_MEMORY;
-          goto done;
-        }
-        rv->size = pTemplate[i].ulValueLen;
-        rv->data = nss_ZAlloc(arena, rv->size);
-        if( (void *)NULL == rv->data ) {
-          *pError = CKR_HOST_MEMORY;
-          goto done;
-        }
-        (void)memcpy(rv->data, pTemplate[i].pValue, rv->size);
-        break;
-      }
-    }
-    if( ulAttributeCount == i ) {
-      *pError = CKR_ATTRIBUTE_TYPE_INVALID;
-      goto done;
-    }
-
-  done:
-    (void)NSSCKFWMutex_Unlock(dbt->my_db->crustylock);
-  }
-
- loser:
-  if( (NSSArena *)NULL != tmp ) {
-    NSSArena_Destroy(tmp);
-  }
-
-  return rv;
-}
-
-NSS_IMPLEMENT CK_RV
-nss_dbm_db_set_object_attribute
-(
-  nss_dbm_dbt_t *dbt,
-  CK_ATTRIBUTE_TYPE type,
-  NSSItem *value,
-  CK_ULONG *pdbrv
-)
-{
-  CK_RV rv = CKR_OK;
-  DBT object;
-  CK_ULONG i;
-  NSSArena *tmp = NSSArena_Create();
-  CK_ATTRIBUTE_PTR pTemplate;
-  CK_ULONG ulAttributeCount;
-
-  /* Locked region */
-  {
-    rv = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
-    if( CKR_OK != rv ) {
-      goto loser;
-    }
-
-    *pdbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
-    if( 0 == *pdbrv ) {
-      ;
-    } else if( *pdbrv > 0 ) {
-      rv = CKR_OBJECT_HANDLE_INVALID;
-      goto done;
-    } else {
-      rv = CKR_DEVICE_ERROR;
-      goto done;
-    }
-
-    rv = nss_dbm_db_unwrap_object(tmp, &object, &pTemplate, &ulAttributeCount);
-    if( CKR_OK != rv ) {
-      goto done;
-    }
-
-    for( i = 0; i < ulAttributeCount; i++ ) {
-      if( type == pTemplate[i].type ) {
-        /* Replacing an existing attribute */
-        pTemplate[i].ulValueLen = value->size;
-        pTemplate[i].pValue = value->data;
-        break;
-      }
-    }
-
-    if( i == ulAttributeCount ) {
-      /* Adding a new attribute */
-      CK_ATTRIBUTE_PTR npt = nss_ZNEWARRAY(tmp, CK_ATTRIBUTE, ulAttributeCount+1);
-      if( (CK_ATTRIBUTE_PTR)NULL == npt ) {
-        rv = CKR_DEVICE_ERROR;
-        goto done;
-      }
-
-      for( i = 0; i < ulAttributeCount; i++ ) {
-        npt[i] = pTemplate[i];
-      }
-
-      npt[ulAttributeCount].type = type;
-      npt[ulAttributeCount].ulValueLen = value->size;
-      npt[ulAttributeCount].pValue = value->data;
-
-      pTemplate = npt;
-      ulAttributeCount++;
-    }
-
-    rv = nss_dbm_db_wrap_object(tmp, pTemplate, ulAttributeCount, &object);
-    if( CKR_OK != rv ) {
-      goto done;
-    }
-
-    *pdbrv = dbt->my_db->db->put(dbt->my_db->db, &dbt->dbt, &object, 0);
-    if( 0 != *pdbrv ) {
-      rv = CKR_DEVICE_ERROR;
-      goto done;
-    }
-
-    (void)dbt->my_db->db->sync(dbt->my_db->db, 0);
-
-  done:
-    (void)NSSCKFWMutex_Unlock(dbt->my_db->crustylock);
-  }
-
- loser:
-  if( (NSSArena *)NULL != tmp ) {
-    NSSArena_Destroy(tmp);
-  }
-
-  return rv;
-}
diff --git a/security/nss/lib/ckfw/dbm/find.c b/security/nss/lib/ckfw/dbm/find.c
deleted file mode 100644
index 929142af8..000000000
--- a/security/nss/lib/ckfw/dbm/find.c
+++ /dev/null
@@ -1,166 +0,0 @@
-/* 
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- * 
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- * 
- * The Original Code is the Netscape security libraries.
- * 
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation.  Portions created by Netscape are 
- * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
- * Rights Reserved.
- * 
- * Contributor(s):
- * 
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable 
- * instead of those above.  If you wish to allow use of your 
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL.  If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#include "ckdbm.h"
-
-static void
-nss_dbm_mdFindObjects_Final
-(
-  NSSCKMDFindObjects *mdFindObjects,
-  NSSCKFWFindObjects *fwFindObjects,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  nss_dbm_find_t *find = (nss_dbm_find_t *)mdFindObjects->etc;
-
-  /* Locks might have system resources associated */
-  (void)NSSCKFWMutex_Destroy(find->list_lock);
-  (void)NSSArena_Destroy(find->arena);
-}
-
-
-static NSSCKMDObject *
-nss_dbm_mdFindObjects_Next
-(
-  NSSCKMDFindObjects *mdFindObjects,
-  NSSCKFWFindObjects *fwFindObjects,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  NSSArena *arena,
-  CK_RV *pError
-)
-{
-  nss_dbm_find_t *find = (nss_dbm_find_t *)mdFindObjects->etc;
-  struct nss_dbm_dbt_node *node;
-  nss_dbm_object_t *object;
-  NSSCKMDObject *rv;
-
-  while(1) {
-    /* Lock */
-    {
-      *pError = NSSCKFWMutex_Lock(find->list_lock);
-      if( CKR_OK != *pError ) {
-        return (NSSCKMDObject *)NULL;
-      }
-      
-      node = find->found;
-      if( (struct nss_dbm_dbt_node *)NULL != node ) {
-        find->found = node->next;
-      }
-      
-      *pError = NSSCKFWMutex_Unlock(find->list_lock);
-      if( CKR_OK != *pError ) {
-        /* screwed now */
-        return (NSSCKMDObject *)NULL;
-      }
-    }
-
-    if( (struct nss_dbm_dbt_node *)NULL == node ) {
-      break;
-    }
-
-    if( nss_dbm_db_object_still_exists(node->dbt) ) {
-      break;
-    }
-  }
-
-  if( (struct nss_dbm_dbt_node *)NULL == node ) {
-    *pError = CKR_OK;
-    return (NSSCKMDObject *)NULL;
-  }
-
-  object = nss_ZNEW(arena, nss_dbm_object_t);
-  if( (nss_dbm_object_t *)NULL == object ) {
-    *pError = CKR_HOST_MEMORY;
-    return (NSSCKMDObject *)NULL;
-  }
-
-  object->arena = arena;
-  object->handle = nss_ZNEW(arena, nss_dbm_dbt_t);
-  if( (nss_dbm_dbt_t *)NULL == object->handle ) {
-    *pError = CKR_HOST_MEMORY;
-    return (NSSCKMDObject *)NULL;
-  }
-
-  object->handle->my_db = node->dbt->my_db;
-  object->handle->dbt.size = node->dbt->dbt.size;
-  object->handle->dbt.data = nss_ZAlloc(arena, node->dbt->dbt.size);
-  if( (void *)NULL == object->handle->dbt.data ) {
-    *pError = CKR_HOST_MEMORY;
-    return (NSSCKMDObject *)NULL;
-  }
-
-  (void)memcpy(object->handle->dbt.data, node->dbt->dbt.data, node->dbt->dbt.size);
-
-  rv = nss_dbm_mdObject_factory(object, pError);
-  if( (NSSCKMDObject *)NULL == rv ) {
-    return (NSSCKMDObject *)NULL;
-  }
-
-  return rv;
-}
-
-NSS_IMPLEMENT NSSCKMDFindObjects *
-nss_dbm_mdFindObjects_factory
-(
-  nss_dbm_find_t *find,
-  CK_RV *pError
-)
-{
-  NSSCKMDFindObjects *rv;
-
-  rv = nss_ZNEW(find->arena, NSSCKMDFindObjects);
-  if( (NSSCKMDFindObjects *)NULL == rv ) {
-    *pError = CKR_HOST_MEMORY;
-    return (NSSCKMDFindObjects *)NULL;
-  }
-
-  rv->etc = (void *)find;
-  rv->Final = nss_dbm_mdFindObjects_Final;
-  rv->Next = nss_dbm_mdFindObjects_Next;
-
-  return rv;
-}
diff --git a/security/nss/lib/ckfw/dbm/instance.c b/security/nss/lib/ckfw/dbm/instance.c
deleted file mode 100644
index b87625f55..000000000
--- a/security/nss/lib/ckfw/dbm/instance.c
+++ /dev/null
@@ -1,196 +0,0 @@
-/* 
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- * 
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- * 
- * The Original Code is the Netscape security libraries.
- * 
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation.  Portions created by Netscape are 
- * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
- * Rights Reserved.
- * 
- * Contributor(s):
- * 
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable 
- * instead of those above.  If you wish to allow use of your 
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL.  If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#include "ckdbm.h"
-
-static CK_RV
-nss_dbm_mdInstance_Initialize
-(
-  NSSCKMDInstance *mdInstance,                                    
-  NSSCKFWInstance *fwInstance,
-  NSSUTF8 *configurationData
-)
-{
-  CK_RV rv = CKR_OK;
-  NSSArena *arena;
-  nss_dbm_instance_t *instance;
-
-  arena = NSSCKFWInstance_GetArena(fwInstance, &rv);
-  if( ((NSSArena *)NULL == arena) && (CKR_OK != rv) ) {
-    return rv;
-  }
-
-  instance = nss_ZNEW(arena, nss_dbm_instance_t);
-  if( (nss_dbm_instance_t *)NULL == instance ) {
-    return CKR_HOST_MEMORY;
-  }
-
-  instance->arena = arena;
-
-  /*
-   * This should parse the configuration data for information on
-   * number and locations of databases, modes (e.g. readonly), etc.
-   * But for now, we'll have one slot with a creatable read-write
-   * database called "cert8.db."
-   */
-
-  instance->nSlots = 1;
-  instance->filenames = nss_ZNEWARRAY(arena, char *, instance->nSlots);
-  if( (char **)NULL == instance->filenames ) {
-    return CKR_HOST_MEMORY;
-  }
-
-  instance->flags = nss_ZNEWARRAY(arena, int, instance->nSlots);
-  if( (int *)NULL == instance->flags ) {
-    return CKR_HOST_MEMORY;
-  }
-
-  instance->filenames[0] = "cert8.db";
-  instance->flags[0] = O_RDWR|O_CREAT;
-
-  mdInstance->etc = (void *)instance;
-  return CKR_OK;
-}
-
-/* nss_dbm_mdInstance_Finalize is not required */
-
-static CK_ULONG
-nss_dbm_mdInstance_GetNSlots
-(
-  NSSCKMDInstance *mdInstance,                                    
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  nss_dbm_instance_t *instance = (nss_dbm_instance_t *)mdInstance->etc;
-  return instance->nSlots;
-}
-
-static CK_VERSION
-nss_dbm_mdInstance_GetCryptokiVersion
-(
-  NSSCKMDInstance *mdInstance,                                    
-  NSSCKFWInstance *fwInstance
-)
-{
-  static CK_VERSION rv = { 2, 1 };
-  return rv;
-}
-
-static NSSUTF8 *
-nss_dbm_mdInstance_GetManufacturerID
-(
-  NSSCKMDInstance *mdInstance,                                    
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  return "Netscape Communications Corp.";
-}
-
-static NSSUTF8 *
-nss_dbm_mdInstance_GetLibraryDescription
-(
-  NSSCKMDInstance *mdInstance,                                    
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  return "Berkeley Database Module";
-}
-
-static CK_VERSION
-nss_dbm_mdInstance_GetLibraryVersion
-(
-  NSSCKMDInstance *mdInstance,                                    
-  NSSCKFWInstance *fwInstance
-)
-{
-  static CK_VERSION rv = { 1, 0 }; /* My own version number */
-  return rv;
-}
-
-static CK_BBOOL
-nss_dbm_mdInstance_ModuleHandlesSessionObjects
-(
-  NSSCKMDInstance *mdInstance,                                    
-  NSSCKFWInstance *fwInstance
-)
-{
-  return CK_TRUE;
-}
-
-static CK_RV
-nss_dbm_mdInstance_GetSlots
-(
-  NSSCKMDInstance *mdInstance,                                    
-  NSSCKFWInstance *fwInstance,
-  NSSCKMDSlot *slots[]
-)
-{
-  nss_dbm_instance_t *instance = (nss_dbm_instance_t *)mdInstance->etc;
-  CK_ULONG i;
-  CK_RV rv = CKR_OK;
-
-  for( i = 0; i < instance->nSlots; i++ ) {
-    slots[i] = nss_dbm_mdSlot_factory(instance, instance->filenames[i], 
-                                      instance->flags[i], &rv);
-    if( (NSSCKMDSlot *)NULL == slots[i] ) {
-      return rv;
-    }
-  }
-
-  return rv;
-}
-
-/* nss_dbm_mdInstance_WaitForSlotEvent is not relevant */
-
-NSS_IMPLEMENT_DATA NSSCKMDInstance 
-nss_dbm_mdInstance = {
-  NULL, /* etc; filled in later */
-  nss_dbm_mdInstance_Initialize,
-  NULL, /* nss_dbm_mdInstance_Finalize */
-  nss_dbm_mdInstance_GetNSlots,
-  nss_dbm_mdInstance_GetCryptokiVersion,
-  nss_dbm_mdInstance_GetManufacturerID,
-  nss_dbm_mdInstance_GetLibraryDescription,
-  nss_dbm_mdInstance_GetLibraryVersion,
-  nss_dbm_mdInstance_ModuleHandlesSessionObjects,
-  nss_dbm_mdInstance_GetSlots,
-  NULL, /* nss_dbm_mdInstance_WaitForSlotEvent */
-  NULL /* terminator */
-};
diff --git a/security/nss/lib/ckfw/dbm/manifest.mn b/security/nss/lib/ckfw/dbm/manifest.mn
deleted file mode 100644
index ff4b408ca..000000000
--- a/security/nss/lib/ckfw/dbm/manifest.mn
+++ /dev/null
@@ -1,54 +0,0 @@
-# 
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-# 
-# The Original Code is the Netscape security libraries.
-# 
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are 
-# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-# Rights Reserved.
-# 
-# Contributor(s):
-# 
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable 
-# instead of those above.  If you wish to allow use of your 
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL.  If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
-
-CORE_DEPTH = ../../../..
-
-MODULE = nss
-
-CSRCS =		   \
-	anchor.c   \
-	instance.c \
-	slot.c	   \
-	token.c	   \
-	session.c  \
-	object.c   \
-	find.c	   \
-	db.c	   \
-	$(NULL)
-
-REQUIRES = dbm nspr
-
-LIBRARY_NAME = nssckdbm
-
-EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -ldbm -lnspr4 -lplc4 -lplds4
diff --git a/security/nss/lib/ckfw/dbm/object.c b/security/nss/lib/ckfw/dbm/object.c
deleted file mode 100644
index bf85447ad..000000000
--- a/security/nss/lib/ckfw/dbm/object.c
+++ /dev/null
@@ -1,204 +0,0 @@
-/* 
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- * 
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- * 
- * The Original Code is the Netscape security libraries.
- * 
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation.  Portions created by Netscape are 
- * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
- * Rights Reserved.
- * 
- * Contributor(s):
- * 
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable 
- * instead of those above.  If you wish to allow use of your 
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL.  If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#include "ckdbm.h"
-
-static void
-nss_dbm_mdObject_Finalize
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  ;
-}
-
-static CK_RV
-nss_dbm_mdObject_Destroy
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  nss_dbm_object_t *object = (nss_dbm_object_t *)mdObject->etc;
-  return nss_dbm_db_delete_object(object->handle);
-}
-
-static CK_ULONG
-nss_dbm_mdObject_GetAttributeCount
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  nss_dbm_object_t *object = (nss_dbm_object_t *)mdObject->etc;
-  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
-  return nss_dbm_db_get_object_attribute_count(object->handle, pError, 
-                                               &session->deviceError);
-}
-
-static CK_RV
-nss_dbm_mdObject_GetAttributeTypes
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_ATTRIBUTE_TYPE_PTR typeArray,
-  CK_ULONG ulCount
-)
-{
-  nss_dbm_object_t *object = (nss_dbm_object_t *)mdObject->etc;
-  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
-  return nss_dbm_db_get_object_attribute_types(object->handle, typeArray,
-                                               ulCount, &session->deviceError);
-}
-
-static CK_ULONG
-nss_dbm_mdObject_GetAttributeSize
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_ATTRIBUTE_TYPE attribute,
-  CK_RV *pError
-)
-{
-  nss_dbm_object_t *object = (nss_dbm_object_t *)mdObject->etc;
-  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
-  return nss_dbm_db_get_object_attribute_size(object->handle, attribute, pError, 
-                                              &session->deviceError);
-}
-
-static NSSItem *
-nss_dbm_mdObject_GetAttribute
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_ATTRIBUTE_TYPE attribute,
-  CK_RV *pError
-)
-{
-  nss_dbm_object_t *object = (nss_dbm_object_t *)mdObject->etc;
-  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
-  return nss_dbm_db_get_object_attribute(object->handle, object->arena, attribute,
-                                         pError, &session->deviceError);
-}
-
-static CK_RV
-nss_dbm_mdObject_SetAttribute
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_ATTRIBUTE_TYPE attribute,
-  NSSItem *value
-)
-{
-  nss_dbm_object_t *object = (nss_dbm_object_t *)mdObject->etc;
-  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
-  return nss_dbm_db_set_object_attribute(object->handle, attribute, value,
-                                         &session->deviceError);
-}
-
-NSS_IMPLEMENT NSSCKMDObject *
-nss_dbm_mdObject_factory
-(
-  nss_dbm_object_t *object,
-  CK_RV *pError
-)
-{
-  NSSCKMDObject *rv;
-
-  rv = nss_ZNEW(object->arena, NSSCKMDObject);
-  if( (NSSCKMDObject *)NULL == rv ) {
-    *pError = CKR_HOST_MEMORY;
-    return (NSSCKMDObject *)NULL;
-  }
-
-  rv->etc = (void *)object;
-  rv->Finalize = nss_dbm_mdObject_Finalize;
-  rv->Destroy = nss_dbm_mdObject_Destroy;
-  /*  IsTokenObject can be deferred */
-  rv->GetAttributeCount = nss_dbm_mdObject_GetAttributeCount;
-  rv->GetAttributeTypes = nss_dbm_mdObject_GetAttributeTypes;
-  rv->GetAttributeSize = nss_dbm_mdObject_GetAttributeSize;
-  rv->GetAttribute = nss_dbm_mdObject_GetAttribute;
-  rv->SetAttribute = nss_dbm_mdObject_SetAttribute;
-  /*  GetObjectSize can be deferred */
-
-  return rv;
-}
diff --git a/security/nss/lib/ckfw/dbm/session.c b/security/nss/lib/ckfw/dbm/session.c
deleted file mode 100644
index 8ce140641..000000000
--- a/security/nss/lib/ckfw/dbm/session.c
+++ /dev/null
@@ -1,298 +0,0 @@
-/* 
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- * 
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- * 
- * The Original Code is the Netscape security libraries.
- * 
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation.  Portions created by Netscape are 
- * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
- * Rights Reserved.
- * 
- * Contributor(s):
- * 
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable 
- * instead of those above.  If you wish to allow use of your 
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL.  If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#include "ckdbm.h"
-
-static void
-nss_dbm_mdSession_Close
-(
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
-
-  struct nss_dbm_dbt_node *w;
-
-  /* Lock */
-  {
-    if( CKR_OK != NSSCKFWMutex_Lock(session->list_lock) ) {
-      return;
-    }
-
-    w = session->session_objects;
-    session->session_objects = (struct nss_dbm_dbt_node *)NULL; /* sanity */
-    
-    (void)NSSCKFWMutex_Unlock(session->list_lock);
-  }
-
-  for( ; (struct nss_dbm_dbt_node *)NULL != w; w = w->next ) {
-    (void)nss_dbm_db_delete_object(w->dbt);
-  }
-}
-
-static CK_ULONG
-nss_dbm_mdSession_GetDeviceError
-(
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
-  return session->deviceError;
-}
-
-/* Login isn't needed */
-/* Logout isn't needed */
-/* InitPIN is irrelevant */
-/* SetPIN is irrelevant */
-/* GetOperationStateLen is irrelevant */
-/* GetOperationState is irrelevant */
-/* SetOperationState is irrelevant */
-
-static NSSCKMDObject *
-nss_dbm_mdSession_CreateObject
-(
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  NSSArena *handyArenaPointer,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_RV *pError
-)
-{
-  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
-  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
-  CK_ULONG i;
-  CK_BBOOL isToken = CK_FALSE; /* defaults to false */
-  NSSCKMDObject *rv;
-  struct nss_dbm_dbt_node *node = (struct nss_dbm_dbt_node *)NULL;
-  nss_dbm_object_t *object;
-  nss_dbm_db_t *which_db;
-
-  /* This framework should really pass this to me */
-  for( i = 0; i < ulAttributeCount; i++ ) {
-    if( CKA_TOKEN == pTemplate[i].type ) {
-      isToken = *(CK_BBOOL *)pTemplate[i].pValue;
-      break;
-    }
-  }
-
-  object = nss_ZNEW(handyArenaPointer, nss_dbm_object_t);
-  if( (nss_dbm_object_t *)NULL == object ) {
-    *pError = CKR_HOST_MEMORY;
-    return (NSSCKMDObject *)NULL;
-  }
-
-  object->arena = handyArenaPointer;
-  which_db = isToken ? token->slot->token_db : token->session_db;
-
-  /* Do this before the actual database call; it's easier to recover from */
-  rv = nss_dbm_mdObject_factory(object, pError);
-  if( (NSSCKMDObject *)NULL == rv ) {
-    return (NSSCKMDObject *)NULL;
-  }
-
-  if( CK_FALSE == isToken ) {
-    node = nss_ZNEW(session->arena, struct nss_dbm_dbt_node);
-    if( (struct nss_dbm_dbt_node *)NULL == node ) {
-      *pError = CKR_HOST_MEMORY;
-      return (NSSCKMDObject *)NULL;
-    }
-  }
-
-  object->handle = nss_dbm_db_create_object(handyArenaPointer, which_db, 
-                                            pTemplate, ulAttributeCount,
-                                            pError, &session->deviceError);
-  if( (nss_dbm_dbt_t *)NULL == object->handle ) {
-    return (NSSCKMDObject *)NULL;
-  }
-
-  if( CK_FALSE == isToken ) {
-    node->dbt = object->handle;
-    /* Lock */
-    {
-      *pError = NSSCKFWMutex_Lock(session->list_lock);
-      if( CKR_OK != *pError ) {
-        (void)nss_dbm_db_delete_object(object->handle);
-        return (NSSCKMDObject *)NULL;
-      }
-      
-      node->next = session->session_objects;
-      session->session_objects = node;
-      
-      *pError = NSSCKFWMutex_Unlock(session->list_lock);
-    }
-  }
-
-  return rv;
-}
-
-/* CopyObject isn't needed; the framework will use CreateObject */
-
-static NSSCKMDFindObjects *
-nss_dbm_mdSession_FindObjectsInit
-(
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_RV *pError
-)
-{
-  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
-  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
-  NSSArena *arena;
-  nss_dbm_find_t *find;
-  NSSCKMDFindObjects *rv;
-
-  arena = NSSArena_Create();
-  if( (NSSArena *)NULL == arena ) {
-    *pError = CKR_HOST_MEMORY;
-    goto loser;
-  }
-
-  find = nss_ZNEW(arena, nss_dbm_find_t);
-  if( (nss_dbm_find_t *)NULL == find ) {
-    *pError = CKR_HOST_MEMORY;
-    goto loser;
-  }
-
-  find->arena = arena;
-  find->list_lock = NSSCKFWInstance_CreateMutex(fwInstance, arena, pError);
-  if( (NSSCKFWMutex *)NULL == find->list_lock ) {
-    goto loser;
-  }
-
-  *pError = nss_dbm_db_find_objects(find, token->slot->token_db, pTemplate, 
-                                    ulAttributeCount, &session->deviceError);
-  if( CKR_OK != *pError ) {
-    goto loser;
-  }
-
-  *pError = nss_dbm_db_find_objects(find, token->session_db, pTemplate, 
-                                    ulAttributeCount, &session->deviceError);
-  if( CKR_OK != *pError ) {
-    goto loser;
-  }
-
-  rv = nss_dbm_mdFindObjects_factory(find, pError);
-  if( (NSSCKMDFindObjects *)NULL == rv ) {
-    goto loser;
-  }
-
-  return rv;
-
- loser:
-  if( (NSSArena *)NULL != arena ) {
-    (void)NSSArena_Destroy(arena);
-  }
-
-  return (NSSCKMDFindObjects *)NULL;
-}
-
-/* SeedRandom is irrelevant */
-/* GetRandom is irrelevant */
-
-NSS_IMPLEMENT NSSCKMDSession *
-nss_dbm_mdSession_factory
-(
-  nss_dbm_token_t *token,
-  NSSCKFWSession *fwSession,
-  NSSCKFWInstance *fwInstance,
-  CK_BBOOL rw,
-  CK_RV *pError
-)
-{
-  NSSArena *arena;
-  nss_dbm_session_t *session;
-  NSSCKMDSession *rv;
-
-  arena = NSSCKFWSession_GetArena(fwSession, pError);
-
-  session = nss_ZNEW(arena, nss_dbm_session_t);
-  if( (nss_dbm_session_t *)NULL == session ) {
-    *pError = CKR_HOST_MEMORY;
-    return (NSSCKMDSession *)NULL;
-  }
-
-  rv = nss_ZNEW(arena, NSSCKMDSession);
-  if( (NSSCKMDSession *)NULL == rv ) {
-    *pError = CKR_HOST_MEMORY;
-    return (NSSCKMDSession *)NULL;
-  }
-
-  session->arena = arena;
-  session->token = token;
-  session->list_lock = NSSCKFWInstance_CreateMutex(fwInstance, arena, pError);
-  if( (NSSCKFWMutex *)NULL == session->list_lock ) {
-    return (NSSCKMDSession *)NULL;
-  }
-
-  rv->etc = (void *)session;
-  rv->Close = nss_dbm_mdSession_Close;
-  rv->GetDeviceError = nss_dbm_mdSession_GetDeviceError;
-  /*  Login isn't needed */
-  /*  Logout isn't needed */
-  /*  InitPIN is irrelevant */
-  /*  SetPIN is irrelevant */
-  /*  GetOperationStateLen is irrelevant */
-  /*  GetOperationState is irrelevant */
-  /*  SetOperationState is irrelevant */
-  rv->CreateObject = nss_dbm_mdSession_CreateObject;
-  /*  CopyObject isn't needed; the framework will use CreateObject */
-  rv->FindObjectsInit = nss_dbm_mdSession_FindObjectsInit;
-  rv->null = NULL;
-
-  return rv;
-}
diff --git a/security/nss/lib/ckfw/dbm/slot.c b/security/nss/lib/ckfw/dbm/slot.c
deleted file mode 100644
index 800815cf7..000000000
--- a/security/nss/lib/ckfw/dbm/slot.c
+++ /dev/null
@@ -1,214 +0,0 @@
-/* 
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- * 
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- * 
- * The Original Code is the Netscape security libraries.
- * 
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation.  Portions created by Netscape are 
- * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
- * Rights Reserved.
- * 
- * Contributor(s):
- * 
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable 
- * instead of those above.  If you wish to allow use of your 
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL.  If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#include "ckdbm.h"
-
-static CK_RV
-nss_dbm_mdSlot_Initialize
-(
-  NSSCKMDSlot *mdSlot,
-  NSSCKFWSlot *fwSlot,
-  NSSCKMDInstance *mdInstance,                                    
-  NSSCKFWInstance *fwInstance
-)
-{
-  nss_dbm_slot_t *slot = (nss_dbm_slot_t *)mdSlot->etc;
-  nss_dbm_instance_t *instance = (nss_dbm_instance_t *)mdInstance->etc;
-  CK_RV rv = CKR_OK;
-
-  slot->token_db = nss_dbm_db_open(instance->arena, fwInstance, slot->filename, 
-                                   slot->flags, &rv);
-  if( (nss_dbm_db_t *)NULL == slot->token_db ) {
-    if( CKR_TOKEN_NOT_PRESENT == rv ) {
-      /* This is not an error-- just means "the token isn't there" */
-      rv = CKR_OK;
-    }
-  }
-
-  return rv;
-}
-
-static void
-nss_dbm_mdSlot_Destroy
-(
-  NSSCKMDSlot *mdSlot,
-  NSSCKFWSlot *fwSlot,
-  NSSCKMDInstance *mdInstance,                                    
-  NSSCKFWInstance *fwInstance
-)
-{
-  nss_dbm_slot_t *slot = (nss_dbm_slot_t *)mdSlot->etc;
-
-  if( (nss_dbm_db_t *)NULL != slot->token_db ) {
-    nss_dbm_db_close(slot->token_db);
-    slot->token_db = (nss_dbm_db_t *)NULL;
-  }
-}
-
-static NSSUTF8 *
-nss_dbm_mdSlot_GetSlotDescription
-(
-  NSSCKMDSlot *mdSlot,
-  NSSCKFWSlot *fwSlot,
-  NSSCKMDInstance *mdInstance,                                    
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  return "Database";
-}
-
-static NSSUTF8 *
-nss_dbm_mdSlot_GetManufacturerID
-(
-  NSSCKMDSlot *mdSlot,
-  NSSCKFWSlot *fwSlot,
-  NSSCKMDInstance *mdInstance,                                    
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  return "Berkeley";
-}
-
-static CK_BBOOL
-nss_dbm_mdSlot_GetTokenPresent
-(
-  NSSCKMDSlot *mdSlot,
-  NSSCKFWSlot *fwSlot,
-  NSSCKMDInstance *mdInstance,                                    
-  NSSCKFWInstance *fwInstance
-)
-{
-  nss_dbm_slot_t *slot = (nss_dbm_slot_t *)mdSlot->etc;
-
-  if( (nss_dbm_db_t *)NULL == slot->token_db ) {
-    return CK_FALSE;
-  } else {
-    return CK_TRUE;
-  }
-}
-
-static CK_BBOOL
-nss_dbm_mdSlot_GetRemovableDevice
-(
-  NSSCKMDSlot *mdSlot,
-  NSSCKFWSlot *fwSlot,
-  NSSCKMDInstance *mdInstance,                                    
-  NSSCKFWInstance *fwInstance
-)
-{
-  /*
-   * Well, this supports "tokens" (databases) that aren't there, so in
-   * that sense they're removable.  It'd be nice to handle databases
-   * that suddenly disappear (NFS-mounted home directories and network
-   * errors, for instance) but that's a harder problem.  We'll say
-   * we support removable devices, badly.
-   */
-
-  return CK_TRUE;
-}
-
-/* nss_dbm_mdSlot_GetHardwareSlot defaults to CK_FALSE */
-/* 
- * nss_dbm_mdSlot_GetHardwareVersion
- * nss_dbm_mdSlot_GetFirmwareVersion
- *
- * These are kinda fuzzy concepts here.  I suppose we could return the
- * Berkeley DB version for one of them, if we had an actual number we
- * were confident in.  But mcom's "dbm" has been hacked enough that I
- * don't really know from what "real" version it stems..
- */
-
-static NSSCKMDToken *
-nss_dbm_mdSlot_GetToken
-(
-  NSSCKMDSlot *mdSlot,
-  NSSCKFWSlot *fwSlot,
-  NSSCKMDInstance *mdInstance,                                    
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  nss_dbm_slot_t *slot = (nss_dbm_slot_t *)mdSlot->etc;
-  return nss_dbm_mdToken_factory(slot, pError);
-}
-
-NSS_IMPLEMENT NSSCKMDSlot *
-nss_dbm_mdSlot_factory
-(
-  nss_dbm_instance_t *instance,
-  char *filename,
-  int flags,
-  CK_RV *pError
-)
-{
-  nss_dbm_slot_t *slot;
-  NSSCKMDSlot *rv;
-
-  slot = nss_ZNEW(instance->arena, nss_dbm_slot_t);
-  if( (nss_dbm_slot_t *)NULL == slot ) {
-    *pError = CKR_HOST_MEMORY;
-    return (NSSCKMDSlot *)NULL;
-  }
-
-  slot->instance = instance;
-  slot->filename = filename;
-  slot->flags = flags;
-  slot->token_db = (nss_dbm_db_t *)NULL;
-
-  rv = nss_ZNEW(instance->arena, NSSCKMDSlot);
-  if( (NSSCKMDSlot *)NULL == rv ) {
-    *pError = CKR_HOST_MEMORY;
-    return (NSSCKMDSlot *)NULL;
-  }
-
-  rv->etc = (void *)slot;
-  rv->Initialize = nss_dbm_mdSlot_Initialize;
-  rv->Destroy = nss_dbm_mdSlot_Destroy;
-  rv->GetSlotDescription = nss_dbm_mdSlot_GetSlotDescription;
-  rv->GetManufacturerID = nss_dbm_mdSlot_GetManufacturerID;
-  rv->GetTokenPresent = nss_dbm_mdSlot_GetTokenPresent;
-  rv->GetRemovableDevice = nss_dbm_mdSlot_GetRemovableDevice;
-  /*  GetHardwareSlot */
-  /*  GetHardwareVersion */
-  /*  GetFirmwareVersion */
-  rv->GetToken = nss_dbm_mdSlot_GetToken;
-  rv->null = (void *)NULL;
-
-  return rv;
-}
diff --git a/security/nss/lib/ckfw/dbm/token.c b/security/nss/lib/ckfw/dbm/token.c
deleted file mode 100644
index ed958ec31..000000000
--- a/security/nss/lib/ckfw/dbm/token.c
+++ /dev/null
@@ -1,315 +0,0 @@
-/* 
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- * 
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- * 
- * The Original Code is the Netscape security libraries.
- * 
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation.  Portions created by Netscape are 
- * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
- * Rights Reserved.
- * 
- * Contributor(s):
- * 
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable 
- * instead of those above.  If you wish to allow use of your 
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL.  If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#include "ckdbm.h"
-
-static CK_RV
-nss_dbm_mdToken_Setup
-(
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
-  CK_RV rv = CKR_OK;
-
-  token->arena = NSSCKFWToken_GetArena(fwToken, &rv);
-  token->session_db = nss_dbm_db_open(token->arena, fwInstance, (char *)NULL, 
-                                      O_RDWR|O_CREAT, &rv);
-  if( (nss_dbm_db_t *)NULL == token->session_db ) {
-    return rv;
-  }
-
-  /* Add a label record if there isn't one? */
-
-  return CKR_OK;
-}
-
-static void
-nss_dbm_mdToken_Invalidate
-(
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
-
-  if( (nss_dbm_db_t *)NULL != token->session_db ) {
-    nss_dbm_db_close(token->session_db);
-    token->session_db = (nss_dbm_db_t *)NULL;
-  }
-}
-
-static CK_RV
-nss_dbm_mdToken_InitToken
-(
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  NSSItem *pin,
-  NSSUTF8 *label
-)
-{
-  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
-  nss_dbm_instance_t *instance = (nss_dbm_instance_t *)mdInstance->etc;
-  CK_RV rv;
-
-  /* Wipe the session object data */
-  
-  if( (nss_dbm_db_t *)NULL != token->session_db ) {
-    nss_dbm_db_close(token->session_db);
-  }
-
-  token->session_db = nss_dbm_db_open(token->arena, fwInstance, (char *)NULL, 
-                                      O_RDWR|O_CREAT, &rv);
-  if( (nss_dbm_db_t *)NULL == token->session_db ) {
-    return rv;
-  }
-
-  /* Wipe the token object data */
-
-  if( token->slot->flags & O_RDWR ) {
-    if( (nss_dbm_db_t *)NULL != token->slot->token_db ) {
-      nss_dbm_db_close(token->slot->token_db);
-    }
-
-    token->slot->token_db = nss_dbm_db_open(instance->arena, fwInstance, 
-                                            token->slot->filename,
-                                            token->slot->flags | O_CREAT | O_TRUNC, 
-                                            &rv);
-    if( (nss_dbm_db_t *)NULL == token->slot->token_db ) {
-      return rv;
-    }
-
-    /* PIN is irrelevant */
-
-    rv = nss_dbm_db_set_label(token->slot->token_db, label);
-    if( CKR_OK != rv ) {
-      return rv;
-    }
-  }
-
-  return CKR_OK;
-}
-
-static NSSUTF8 *
-nss_dbm_mdToken_GetLabel
-(
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
-
-  if( (NSSUTF8 *)NULL == token->label ) {
-    token->label = nss_dbm_db_get_label(token->slot->token_db, token->arena, pError);
-  }
-
-  /* If no label has been set, return *something* */
-  if( (NSSUTF8 *)NULL == token->label ) {
-    return token->slot->filename;
-  }
-
-  return token->label;
-}
-
-static NSSUTF8 *
-nss_dbm_mdToken_GetManufacturerID
-(
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  return "mozilla.org NSS";
-}
-
-static NSSUTF8 *
-nss_dbm_mdToken_GetModel
-(
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  return "dbm";
-}
-
-/* GetSerialNumber is irrelevant */
-/* GetHasRNG defaults to CK_FALSE */
-
-static CK_BBOOL
-nss_dbm_mdToken_GetIsWriteProtected
-(
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
-
-  if( token->slot->flags & O_RDWR ) {
-    return CK_FALSE;
-  } else {
-    return CK_TRUE;
-  }
-}
-
-/* GetLoginRequired defaults to CK_FALSE */
-/* GetUserPinInitialized defaults to CK_FALSE */
-/* GetRestoreKeyNotNeeded is irrelevant */
-/* GetHasClockOnToken defaults to CK_FALSE */
-/* GetHasProtectedAuthenticationPath defaults to CK_FALSE */
-/* GetSupportsDualCryptoOperations is irrelevant */
-
-static CK_ULONG
-nss_dbm_mdToken_effectively_infinite
-(
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  return CK_EFFECTIVELY_INFINITE;
-}
-
-static CK_VERSION
-nss_dbm_mdToken_GetHardwareVersion
-(
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
-  return nss_dbm_db_get_format_version(token->slot->token_db);
-}
-
-/* GetFirmwareVersion is irrelevant */
-/* GetUTCTime is irrelevant */
-
-static NSSCKMDSession *
-nss_dbm_mdToken_OpenSession
-(
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  NSSCKFWSession *fwSession,
-  CK_BBOOL rw,
-  CK_RV *pError
-)
-{
-  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
-  return nss_dbm_mdSession_factory(token, fwSession, fwInstance, rw, pError);
-}
-
-/* GetMechanismCount defaults to zero */
-/* GetMechanismTypes is irrelevant */
-/* GetMechanism is irrelevant */
-
-NSS_IMPLEMENT NSSCKMDToken *
-nss_dbm_mdToken_factory
-(
-  nss_dbm_slot_t *slot,
-  CK_RV *pError
-)
-{
-  nss_dbm_token_t *token;
-  NSSCKMDToken *rv;
-
-  token = nss_ZNEW(slot->instance->arena, nss_dbm_token_t);
-  if( (nss_dbm_token_t *)NULL == token ) {
-    *pError = CKR_HOST_MEMORY;
-    return (NSSCKMDToken *)NULL;
-  }
-
-  rv = nss_ZNEW(slot->instance->arena, NSSCKMDToken);
-  if( (NSSCKMDToken *)NULL == rv ) {
-    *pError = CKR_HOST_MEMORY;
-    return (NSSCKMDToken *)NULL;
-  }
-
-  token->slot = slot;
-
-  rv->etc = (void *)token;
-  rv->Setup = nss_dbm_mdToken_Setup;
-  rv->Invalidate = nss_dbm_mdToken_Invalidate;
-  rv->InitToken = nss_dbm_mdToken_InitToken;
-  rv->GetLabel = nss_dbm_mdToken_GetLabel;
-  rv->GetManufacturerID = nss_dbm_mdToken_GetManufacturerID;
-  rv->GetModel = nss_dbm_mdToken_GetModel;
-  /*  GetSerialNumber is irrelevant */
-  /*  GetHasRNG defaults to CK_FALSE */
-  rv->GetIsWriteProtected = nss_dbm_mdToken_GetIsWriteProtected;
-  /*  GetLoginRequired defaults to CK_FALSE */
-  /*  GetUserPinInitialized defaults to CK_FALSE */
-  /*  GetRestoreKeyNotNeeded is irrelevant */
-  /*  GetHasClockOnToken defaults to CK_FALSE */
-  /*  GetHasProtectedAuthenticationPath defaults to CK_FALSE */
-  /*  GetSupportsDualCryptoOperations is irrelevant */
-  rv->GetMaxSessionCount = nss_dbm_mdToken_effectively_infinite;
-  rv->GetMaxRwSessionCount = nss_dbm_mdToken_effectively_infinite;
-  /*  GetMaxPinLen is irrelevant */
-  /*  GetMinPinLen is irrelevant */
-  /*  GetTotalPublicMemory defaults to CK_UNAVAILABLE_INFORMATION */
-  /*  GetFreePublicMemory defaults to CK_UNAVAILABLE_INFORMATION */
-  /*  GetTotalPrivateMemory defaults to CK_UNAVAILABLE_INFORMATION */
-  /*  GetFreePrivateMemory defaults to CK_UNAVAILABLE_INFORMATION */
-  rv->GetHardwareVersion = nss_dbm_mdToken_GetHardwareVersion;
-  /*  GetFirmwareVersion is irrelevant */
-  /*  GetUTCTime is irrelevant */
-  rv->OpenSession = nss_dbm_mdToken_OpenSession;
-  rv->null = NULL;
-
-  return rv;
-}
diff --git a/security/nss/lib/ckfw/find.c b/security/nss/lib/ckfw/find.c
deleted file mode 100644
index fe9345b42..000000000
--- a/security/nss/lib/ckfw/find.c
+++ /dev/null
@@ -1,405 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * find.c
- *
- * This file implements the nssCKFWFindObjects type and methods.
- */
-
-#ifndef CK_H
-#include "ck.h"
-#endif /* CK_H */
-
-/*
- * NSSCKFWFindObjects
- *
- *  -- create/destroy --
- *  nssCKFWFindObjects_Create
- *  nssCKFWFindObjects_Destroy
- *
- *  -- public accessors --
- *  NSSCKFWFindObjects_GetMDFindObjects
- * 
- *  -- implement public accessors --
- *  nssCKFWFindObjects_GetMDFindObjects
- *
- *  -- private accessors --
- *
- *  -- module fronts --
- *  nssCKFWFindObjects_Next
- */
-
-struct NSSCKFWFindObjectsStr {
-  NSSCKFWMutex *mutex; /* merely to serialise the MDObject calls */
-  NSSCKMDFindObjects *mdfo1;
-  NSSCKMDFindObjects *mdfo2;
-  NSSCKFWSession *fwSession;
-  NSSCKMDSession *mdSession;
-  NSSCKFWToken *fwToken;
-  NSSCKMDToken *mdToken;
-  NSSCKFWInstance *fwInstance;
-  NSSCKMDInstance *mdInstance;
-
-  NSSCKMDFindObjects *mdFindObjects; /* varies */
-};
-
-#ifdef DEBUG
-/*
- * But first, the pointer-tracking stuff.
- *
- * NOTE: the pointer-tracking support in NSS/base currently relies
- * upon NSPR's CallOnce support.  That, however, relies upon NSPR's
- * locking, which is tied into the runtime.  We need a pointer-tracker
- * implementation that uses the locks supplied through C_Initialize.
- * That support, however, can be filled in later.  So for now, I'll
- * just do these routines as no-ops.
- */
-
-static CK_RV
-findObjects_add_pointer
-(
-  const NSSCKFWFindObjects *fwFindObjects
-)
-{
-  return CKR_OK;
-}
-
-static CK_RV
-findObjects_remove_pointer
-(
-  const NSSCKFWFindObjects *fwFindObjects
-)
-{
-  return CKR_OK;
-}
-
-NSS_IMPLEMENT CK_RV
-nssCKFWFindObjects_verifyPointer
-(
-  const NSSCKFWFindObjects *fwFindObjects
-)
-{
-  return CKR_OK;
-}
-
-#endif /* DEBUG */
-
-/*
- * nssCKFWFindObjects_Create
- *
- */
-NSS_EXTERN NSSCKFWFindObjects *
-nssCKFWFindObjects_Create
-(
-  NSSCKFWSession *fwSession,
-  NSSCKFWToken *fwToken,
-  NSSCKFWInstance *fwInstance,
-  NSSCKMDFindObjects *mdFindObjects1,
-  NSSCKMDFindObjects *mdFindObjects2,
-  CK_RV *pError
-)
-{
-  NSSCKFWFindObjects *fwFindObjects = NULL;
-  NSSCKMDSession *mdSession;
-  NSSCKMDToken *mdToken;
-  NSSCKMDInstance *mdInstance;
-
-  mdSession = nssCKFWSession_GetMDSession(fwSession);
-  mdToken = nssCKFWToken_GetMDToken(fwToken);
-  mdInstance = nssCKFWInstance_GetMDInstance(fwInstance);
-
-  fwFindObjects = nss_ZNEW(NULL, NSSCKFWFindObjects);
-  if( (NSSCKFWFindObjects *)NULL == fwFindObjects ) {
-    *pError = CKR_HOST_MEMORY;
-    goto loser;
-  }
-
-  fwFindObjects->mdfo1 = mdFindObjects1;
-  fwFindObjects->mdfo2 = mdFindObjects2;
-  fwFindObjects->fwSession = fwSession;
-  fwFindObjects->mdSession = mdSession;
-  fwFindObjects->fwToken = fwToken;
-  fwFindObjects->mdToken = mdToken;
-  fwFindObjects->fwInstance = fwInstance;
-  fwFindObjects->mdInstance = mdInstance;
-
-  fwFindObjects->mutex = nssCKFWInstance_CreateMutex(fwInstance, NULL, pError);
-  if( (NSSCKFWMutex *)NULL == fwFindObjects->mutex ) {
-    goto loser;
-  }
-
-#ifdef DEBUG
-  *pError = findObjects_add_pointer(fwFindObjects);
-  if( CKR_OK != *pError ) {
-    goto loser;
-  }
-#endif /* DEBUG */
-
-  return fwFindObjects;
-
- loser:
-  nss_ZFreeIf(fwFindObjects);
-
-  if( (NSSCKMDFindObjects *)NULL != mdFindObjects1 ) {
-    if( (void *)NULL != (void *)mdFindObjects1->Final ) {
-      fwFindObjects->mdFindObjects = mdFindObjects1;
-      mdFindObjects1->Final(mdFindObjects1, fwFindObjects, mdSession, 
-        fwSession, mdToken, fwToken, mdInstance, fwInstance);
-    }
-  }
-
-  if( (NSSCKMDFindObjects *)NULL != mdFindObjects2 ) {
-    if( (void *)NULL != (void *)mdFindObjects2->Final ) {
-      fwFindObjects->mdFindObjects = mdFindObjects2;
-      mdFindObjects2->Final(mdFindObjects2, fwFindObjects, mdSession, 
-        fwSession, mdToken, fwToken, mdInstance, fwInstance);
-    }
-  }
-
-  if( CKR_OK == *pError ) {
-    *pError = CKR_GENERAL_ERROR;
-  }
-
-  return (NSSCKFWFindObjects *)NULL;
-}
-
-
-/*
- * nssCKFWFindObjects_Destroy
- *
- */
-NSS_EXTERN void
-nssCKFWFindObjects_Destroy
-(
-  NSSCKFWFindObjects *fwFindObjects
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWFindObjects_verifyPointer(fwFindObjects) ) {
-    return;
-  }
-#endif /* NSSDEBUG */
-
-  (void)nssCKFWMutex_Destroy(fwFindObjects->mutex);
-
-  if( (NSSCKMDFindObjects *)NULL != fwFindObjects->mdfo1 ) {
-    if( (void *)NULL != (void *)fwFindObjects->mdfo1->Final ) {
-      fwFindObjects->mdFindObjects = fwFindObjects->mdfo1;
-      fwFindObjects->mdfo1->Final(fwFindObjects->mdfo1, fwFindObjects,
-        fwFindObjects->mdSession, fwFindObjects->fwSession, 
-        fwFindObjects->mdToken, fwFindObjects->fwToken,
-        fwFindObjects->mdInstance, fwFindObjects->fwInstance);
-    }
-  }
-
-  if( (NSSCKMDFindObjects *)NULL != fwFindObjects->mdfo2 ) {
-    if( (void *)NULL != (void *)fwFindObjects->mdfo2->Final ) {
-      fwFindObjects->mdFindObjects = fwFindObjects->mdfo2;
-      fwFindObjects->mdfo2->Final(fwFindObjects->mdfo2, fwFindObjects,
-        fwFindObjects->mdSession, fwFindObjects->fwSession, 
-        fwFindObjects->mdToken, fwFindObjects->fwToken,
-        fwFindObjects->mdInstance, fwFindObjects->fwInstance);
-    }
-  }
-
-  nss_ZFreeIf(fwFindObjects);
-
-#ifdef DEBUG
-  (void)findObjects_remove_pointer(fwFindObjects);
-#endif /* DEBUG */
-
-  return;
-}
-
-/*
- * nssCKFWFindObjects_GetMDFindObjects
- *
- */
-NSS_EXTERN NSSCKMDFindObjects *
-nssCKFWFindObjects_GetMDFindObjects
-(
-  NSSCKFWFindObjects *fwFindObjects
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWFindObjects_verifyPointer(fwFindObjects) ) {
-    return (NSSCKMDFindObjects *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  return fwFindObjects->mdFindObjects;
-}
-
-/*
- * nssCKFWFindObjects_Next
- *
- */
-NSS_EXTERN NSSCKFWObject *
-nssCKFWFindObjects_Next
-(
-  NSSCKFWFindObjects *fwFindObjects,
-  NSSArena *arenaOpt,
-  CK_RV *pError
-)
-{
-  NSSCKMDObject *mdObject;
-  NSSCKFWObject *fwObject = (NSSCKFWObject *)NULL;
-  NSSArena *objArena;
-
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (NSSCKFWObject *)NULL;
-  }
-
-  *pError = nssCKFWFindObjects_verifyPointer(fwFindObjects);
-  if( CKR_OK != *pError ) {
-    return (NSSCKFWObject *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  *pError = nssCKFWMutex_Lock(fwFindObjects->mutex);
-  if( CKR_OK != *pError ) {
-    return (NSSCKFWObject *)NULL;
-  }
-
-  if( (NSSCKMDFindObjects *)NULL != fwFindObjects->mdfo1 ) {
-    if( (void *)NULL != (void *)fwFindObjects->mdfo1->Next ) {
-      fwFindObjects->mdFindObjects = fwFindObjects->mdfo1;
-      mdObject = fwFindObjects->mdfo1->Next(fwFindObjects->mdfo1,
-        fwFindObjects, fwFindObjects->mdSession, fwFindObjects->fwSession,
-        fwFindObjects->mdToken, fwFindObjects->fwToken, 
-        fwFindObjects->mdInstance, fwFindObjects->fwInstance,
-        arenaOpt, pError);
-      if( (NSSCKMDObject *)NULL == mdObject ) {
-        if( CKR_OK != *pError ) {
-          goto done;
-        }
-
-        /* All done. */
-        fwFindObjects->mdfo1->Final(fwFindObjects->mdfo1, fwFindObjects,
-          fwFindObjects->mdSession, fwFindObjects->fwSession,
-          fwFindObjects->mdToken, fwFindObjects->fwToken, 
-          fwFindObjects->mdInstance, fwFindObjects->fwInstance);
-        fwFindObjects->mdfo1 = (NSSCKMDFindObjects *)NULL;
-      } else {
-        goto wrap;
-      }
-    }
-  }
-
-  if( (NSSCKMDFindObjects *)NULL != fwFindObjects->mdfo2 ) {
-    if( (void *)NULL != (void *)fwFindObjects->mdfo2->Next ) {
-      fwFindObjects->mdFindObjects = fwFindObjects->mdfo2;
-      mdObject = fwFindObjects->mdfo2->Next(fwFindObjects->mdfo2,
-        fwFindObjects, fwFindObjects->mdSession, fwFindObjects->fwSession,
-        fwFindObjects->mdToken, fwFindObjects->fwToken, 
-        fwFindObjects->mdInstance, fwFindObjects->fwInstance,
-        arenaOpt, pError);
-      if( (NSSCKMDObject *)NULL == mdObject ) {
-        if( CKR_OK != *pError ) {
-          goto done;
-        }
-
-        /* All done. */
-        fwFindObjects->mdfo2->Final(fwFindObjects->mdfo2, fwFindObjects,
-          fwFindObjects->mdSession, fwFindObjects->fwSession,
-          fwFindObjects->mdToken, fwFindObjects->fwToken, 
-          fwFindObjects->mdInstance, fwFindObjects->fwInstance);
-        fwFindObjects->mdfo2 = (NSSCKMDFindObjects *)NULL;
-      } else {
-        goto wrap;
-      }
-    }
-  }
-  
-  /* No more objects */
-  *pError = CKR_OK;
-  goto done;
-
- wrap:
-  /*
-   * This is less than ideal-- we should determine if it's a token
-   * object or a session object, and use the appropriate arena.
-   * But that duplicates logic in nssCKFWObject_IsTokenObject.
-   * Worry about that later.  For now, be conservative, and use
-   * the token arena.
-   */
-  objArena = nssCKFWToken_GetArena(fwFindObjects->fwToken, pError);
-  if( (NSSArena *)NULL == objArena ) {
-    if( CKR_OK == *pError ) {
-      *pError = CKR_HOST_MEMORY;
-    }
-    goto done;
-  }
-
-  fwObject = nssCKFWObject_Create(objArena, mdObject,
-               fwFindObjects->fwSession, fwFindObjects->fwToken, 
-               fwFindObjects->fwInstance, pError);
-  if( (NSSCKFWObject *)NULL == fwObject ) {
-    if( CKR_OK == *pError ) {
-      *pError = CKR_GENERAL_ERROR;
-    }
-  }
-
- done:
-  (void)nssCKFWMutex_Unlock(fwFindObjects->mutex);
-  return fwObject;
-}
-
-/*
- * NSSCKFWFindObjects_GetMDFindObjects
- *
- */
-
-NSS_EXTERN NSSCKMDFindObjects *
-NSSCKFWFindObjects_GetMDFindObjects
-(
-  NSSCKFWFindObjects *fwFindObjects
-)
-{
-#ifdef DEBUG
-  if( CKR_OK != nssCKFWFindObjects_verifyPointer(fwFindObjects) ) {
-    return (NSSCKMDFindObjects *)NULL;
-  }
-#endif /* DEBUG */
-
-  return nssCKFWFindObjects_GetMDFindObjects(fwFindObjects);
-}
diff --git a/security/nss/lib/ckfw/hash.c b/security/nss/lib/ckfw/hash.c
deleted file mode 100644
index 501299cd8..000000000
--- a/security/nss/lib/ckfw/hash.c
+++ /dev/null
@@ -1,337 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * hash.c
- *
- * This is merely a couple wrappers around NSPR's PLHashTable, using
- * the identity hash and arena-aware allocators.  The reason I did
- * this is that hash tables are used in a few places throughout the
- * NSS Cryptoki Framework in a fairly stereotyped way, and this allows
- * me to pull the commonalities into one place.  Should we ever want
- * to change the implementation, it's all right here.
- */
-
-#ifndef CK_T
-#include "ck.h"
-#endif /* CK_T */
-
-/*
- * nssCKFWHash
- *
- *  nssCKFWHash_Create
- *  nssCKFWHash_Destroy
- *  nssCKFWHash_Add
- *  nssCKFWHash_Remove
- *  nssCKFWHash_Count
- *  nssCKFWHash_Exists
- *  nssCKFWHash_Lookup
- *  nssCKFWHash_Iterate
- */
-
-struct nssCKFWHashStr {
-  NSSCKFWMutex *mutex;
-
-  /*
-   * The invariant that mutex protects is:
-   *   The count accurately reflects the hashtable state.
-   */
-
-  PLHashTable *plHashTable;
-  CK_ULONG count;
-};
-
-static PLHashNumber
-nss_ckfw_identity_hash
-(
-  const void *key
-)
-{
-  PRUint32 i = (PRUint32)key;
-  PR_ASSERT(sizeof(PLHashNumber) == sizeof(PRUint32));
-  return (PLHashNumber)i;
-}
-
-/*
- * nssCKFWHash_Create
- *
- */
-NSS_IMPLEMENT nssCKFWHash *
-nssCKFWHash_Create
-(
-  NSSCKFWInstance *fwInstance,
-  NSSArena *arena,
-  CK_RV *pError
-)
-{
-  nssCKFWHash *rv;
-
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (nssCKFWHash *)NULL;
-  }
-
-  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
-    *pError = CKR_ARGUMENTS_BAD;
-    return (nssCKFWHash *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  rv = nss_ZNEW(arena, nssCKFWHash);
-  if( (nssCKFWHash *)NULL == rv ) {
-    *pError = CKR_HOST_MEMORY;
-    return (nssCKFWHash *)NULL;
-  }
-
-  rv->mutex = nssCKFWInstance_CreateMutex(fwInstance, arena, pError);
-  if( (NSSCKFWMutex *)NULL == rv->mutex ) {
-    if( CKR_OK == *pError ) {
-      *pError = CKR_GENERAL_ERROR;
-    }
-    return (nssCKFWHash *)NULL;
-  }
-
-  rv->plHashTable = PL_NewHashTable(0, nss_ckfw_identity_hash, 
-    PL_CompareValues, PL_CompareValues, &nssArenaHashAllocOps, arena);
-  if( (PLHashTable *)NULL == rv->plHashTable ) {
-    (void)nssCKFWMutex_Destroy(rv->mutex);
-    (void)nss_ZFreeIf(rv);
-    *pError = CKR_HOST_MEMORY;
-    return (nssCKFWHash *)NULL;
-  }
-
-  rv->count = 0;
-
-  return rv;
-}
-
-/*
- * nssCKFWHash_Destroy
- *
- */
-NSS_IMPLEMENT void
-nssCKFWHash_Destroy
-(
-  nssCKFWHash *hash
-)
-{
-  (void)nssCKFWMutex_Destroy(hash->mutex);
-  PL_HashTableDestroy(hash->plHashTable);
-  (void)nss_ZFreeIf(hash);
-}
-
-/*
- * nssCKFWHash_Add
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWHash_Add
-(
-  nssCKFWHash *hash,
-  const void *key,
-  const void *value
-)
-{
-  CK_RV error = CKR_OK;
-  PLHashEntry *he;
-
-  error = nssCKFWMutex_Lock(hash->mutex);
-  if( CKR_OK != error ) {
-    return error;
-  }
-  
-  he = PL_HashTableAdd(hash->plHashTable, key, (void *)value);
-  if( (PLHashEntry *)NULL == he ) {
-    error = CKR_HOST_MEMORY;
-  } else {
-    hash->count++;
-  }
-
-  (void)nssCKFWMutex_Unlock(hash->mutex);
-
-  return error;
-}
-
-/*
- * nssCKFWHash_Remove
- *
- */
-NSS_IMPLEMENT void
-nssCKFWHash_Remove
-(
-  nssCKFWHash *hash,
-  const void *it
-)
-{
-  PRBool found;
-
-  if( CKR_OK != nssCKFWMutex_Lock(hash->mutex) ) {
-    return;
-  }
-
-  found = PL_HashTableRemove(hash->plHashTable, it);
-  if( found ) {
-    hash->count--;
-  }
-
-  (void)nssCKFWMutex_Unlock(hash->mutex);
-  return;
-}
-
-/*
- * nssCKFWHash_Count
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWHash_Count
-(
-  nssCKFWHash *hash
-)
-{
-  CK_ULONG count;
-
-  if( CKR_OK != nssCKFWMutex_Lock(hash->mutex) ) {
-    return (CK_ULONG)0;
-  }
-
-  count = hash->count;
-
-  (void)nssCKFWMutex_Unlock(hash->mutex);
-
-  return count;
-}
-
-/*
- * nssCKFWHash_Exists
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWHash_Exists
-(
-  nssCKFWHash *hash,
-  const void *it
-)
-{
-  void *value;
-
-  if( CKR_OK != nssCKFWMutex_Lock(hash->mutex) ) {
-    return CK_FALSE;
-  }
-
-  value = PL_HashTableLookup(hash->plHashTable, it);
-
-  (void)nssCKFWMutex_Unlock(hash->mutex);
-
-  if( (void *)NULL == value ) {
-    return CK_FALSE;
-  } else {
-    return CK_TRUE;
-  }
-}
-
-/*
- * nssCKFWHash_Lookup
- *
- */
-NSS_IMPLEMENT void *
-nssCKFWHash_Lookup
-(
-  nssCKFWHash *hash,
-  const void *it
-)
-{
-  void *rv;
-
-  if( CKR_OK != nssCKFWMutex_Lock(hash->mutex) ) {
-    return (void *)NULL;
-  }
-
-  rv = PL_HashTableLookup(hash->plHashTable, it);
-
-  (void)nssCKFWMutex_Unlock(hash->mutex);
-
-  return rv;
-}
-
-struct arg_str {
-  nssCKFWHashIterator fcn;
-  void *closure;
-};
-
-static PRIntn
-nss_ckfwhash_enumerator
-(
-  PLHashEntry *he,
-  PRIntn index,
-  void *arg
-)
-{
-  struct arg_str *as = (struct arg_str *)arg;
-  as->fcn(he->key, he->value, as->closure);
-  return HT_ENUMERATE_NEXT;
-}
-
-/*
- * nssCKFWHash_Iterate
- *
- * NOTE that the iteration function will be called with the hashtable locked.
- */
-NSS_IMPLEMENT void
-nssCKFWHash_Iterate
-(
-  nssCKFWHash *hash,
-  nssCKFWHashIterator fcn,
-  void *closure
-)
-{
-  struct arg_str as;
-  as.fcn = fcn;
-  as.closure = closure;
-
-  if( CKR_OK != nssCKFWMutex_Lock(hash->mutex) ) {
-    return;
-  }
-
-  PL_HashTableEnumerateEntries(hash->plHashTable, nss_ckfwhash_enumerator, &as);
-
-  (void)nssCKFWMutex_Unlock(hash->mutex);
-
-  return;
-}
diff --git a/security/nss/lib/ckfw/instance.c b/security/nss/lib/ckfw/instance.c
deleted file mode 100644
index 572dbb822..000000000
--- a/security/nss/lib/ckfw/instance.c
+++ /dev/null
@@ -1,1367 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * instance.c
- *
- * This file implements the NSSCKFWInstance type and methods.
- */
-
-#ifndef CK_T
-#include "ck.h"
-#endif /* CK_T */
-
-/*
- * NSSCKFWInstance
- *
- *  -- create/destroy --
- *  nssCKFWInstance_Create
- *  nssCKFWInstance_Destroy
- *
- *  -- public accessors --
- *  NSSCKFWInstance_GetMDInstance
- *  NSSCKFWInstance_GetArena
- *  NSSCKFWInstance_MayCreatePthreads
- *  NSSCKFWInstance_CreateMutex
- *  NSSCKFWInstance_GetConfigurationData
- *  NSSCKFWInstance_GetInitArgs
- *
- *  -- implement public accessors --
- *  nssCKFWInstance_GetMDInstance
- *  nssCKFWInstance_GetArena
- *  nssCKFWInstance_MayCreatePthreads
- *  nssCKFWInstance_CreateMutex
- *  nssCKFWInstance_GetConfigurationData
- *  nssCKFWInstance_GetInitArgs 
- *
- *  -- private accessors --
- *  nssCKFWInstance_CreateSessionHandle
- *  nssCKFWInstance_ResolveSessionHandle
- *  nssCKFWInstance_DestroySessionHandle
- *  nssCKFWInstance_FindSessionHandle
- *  nssCKFWInstance_CreateObjectHandle
- *  nssCKFWInstance_ResolveObjectHandle
- *  nssCKFWInstance_DestroyObjectHandle
- *
- *  -- module fronts --
- *  nssCKFWInstance_GetNSlots
- *  nssCKFWInstance_GetCryptokiVersion
- *  nssCKFWInstance_GetManufacturerID
- *  nssCKFWInstance_GetFlags
- *  nssCKFWInstance_GetLibraryDescription
- *  nssCKFWInstance_GetLibraryVersion
- *  nssCKFWInstance_GetModuleHandlesSessionObjects
- *  nssCKFWInstance_GetSlots
- *  nssCKFWInstance_WaitForSlotEvent
- *
- *  -- debugging versions only --
- *  nssCKFWInstance_verifyPointer
- */
-
-struct NSSCKFWInstanceStr {
-  NSSCKFWMutex *mutex;
-  NSSArena *arena;
-  NSSCKMDInstance *mdInstance;
-  CK_C_INITIALIZE_ARGS_PTR pInitArgs;
-  CK_C_INITIALIZE_ARGS initArgs;
-  CryptokiLockingState LockingState;
-  CK_BBOOL mayCreatePthreads;
-  NSSUTF8 *configurationData;
-  CK_ULONG nSlots;
-  NSSCKFWSlot **fwSlotList;
-  NSSCKMDSlot **mdSlotList;
-  CK_BBOOL moduleHandlesSessionObjects;
-
-  /*
-   * Everything above is set at creation time, and then not modified.
-   * The invariants the mutex protects are:
-   *
-   *  1) Each of the cached descriptions (versions, etc.) are in an
-   *     internally consistant state.
-   *
-   *  2) The session handle hashes and count are consistant
-   *
-   *  3) The object handle hashes and count are consistant.
-   *
-   * I could use multiple locks, but let's wait to see if that's 
-   * really necessary.
-   *
-   * Note that the calls accessing the cached descriptions will 
-   * call the NSSCKMDInstance methods with the mutex locked.  Those
-   * methods may then call the public NSSCKFWInstance routines.
-   * Those public routines only access the constant data above, so
-   * there's no problem.  But be careful if you add to this object;
-   * mutexes are in general not reentrant, so don't create deadlock
-   * situations.
-   */
-
-  CK_VERSION cryptokiVersion;
-  NSSUTF8 *manufacturerID;
-  NSSUTF8 *libraryDescription;
-  CK_VERSION libraryVersion;
-
-  CK_ULONG lastSessionHandle;
-  nssCKFWHash *sessionHandleHash;
-
-  CK_ULONG lastObjectHandle;
-  nssCKFWHash *objectHandleHash;
-};
-
-#ifdef DEBUG
-/*
- * But first, the pointer-tracking stuff.
- *
- * NOTE: the pointer-tracking support in NSS/base currently relies
- * upon NSPR's CallOnce support.  That, however, relies upon NSPR's
- * locking, which is tied into the runtime.  We need a pointer-tracker
- * implementation that uses the locks supplied through C_Initialize.
- * That support, however, can be filled in later.  So for now, I'll
- * just do this routines as no-ops.
- */
-
-static CK_RV
-instance_add_pointer
-(
-  const NSSCKFWInstance *fwInstance
-)
-{
-  return CKR_OK;
-}
-
-static CK_RV
-instance_remove_pointer
-(
-  const NSSCKFWInstance *fwInstance
-)
-{
-  return CKR_OK;
-}
-
-NSS_IMPLEMENT CK_RV
-nssCKFWInstance_verifyPointer
-(
-  const NSSCKFWInstance *fwInstance
-)
-{
-  return CKR_OK;
-}
-
-#endif /* DEBUG */
-
-/*
- * nssCKFWInstance_Create
- *
- */
-NSS_IMPLEMENT NSSCKFWInstance *
-nssCKFWInstance_Create
-(
-  CK_C_INITIALIZE_ARGS_PTR pInitArgs,
-  CryptokiLockingState LockingState,
-  NSSCKMDInstance *mdInstance,
-  CK_RV *pError
-)
-{
-  NSSCKFWInstance *fwInstance;
-  NSSArena *arena = (NSSArena *)NULL;
-  CK_ULONG i;
-  CK_BBOOL called_Initialize = CK_FALSE;
-
-#ifdef NSSDEBUG
-  if( (CK_RV)NULL == pError ) {
-    return (NSSCKFWInstance *)NULL;
-  }
-
-  if( (NSSCKMDInstance *)NULL == mdInstance ) {
-    *pError = CKR_ARGUMENTS_BAD;
-    return (NSSCKFWInstance *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  arena = NSSArena_Create();
-  if( (NSSArena *)NULL == arena ) {
-    *pError = CKR_HOST_MEMORY;
-    return (NSSCKFWInstance *)NULL;
-  }
-
-  fwInstance = nss_ZNEW(arena, NSSCKFWInstance);
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
-    goto nomem;
-  }
-
-  fwInstance->arena = arena;
-  fwInstance->mdInstance = mdInstance;
-
-  fwInstance->LockingState = LockingState;
-  if( (CK_C_INITIALIZE_ARGS_PTR)NULL != pInitArgs ) {
-    fwInstance->initArgs = *pInitArgs;
-    fwInstance->pInitArgs = &fwInstance->initArgs;
-    if( pInitArgs->flags & CKF_LIBRARY_CANT_CREATE_OS_THREADS ) {
-      fwInstance->mayCreatePthreads = CK_FALSE;
-    } else {
-      fwInstance->mayCreatePthreads = CK_TRUE;
-    }
-    fwInstance->configurationData = (NSSUTF8 *)(pInitArgs->pReserved);
-  } else {
-    fwInstance->mayCreatePthreads = CK_TRUE;
-  }
-
-  fwInstance->mutex = nssCKFWMutex_Create(pInitArgs, LockingState, arena,
-                                          pError);
-  if( (NSSCKFWMutex *)NULL == fwInstance->mutex ) {
-    if( CKR_OK == *pError ) {
-      *pError = CKR_GENERAL_ERROR;
-    }
-    goto loser;
-  }
-
-  if( (void *)NULL != (void *)mdInstance->Initialize ) {
-    *pError = mdInstance->Initialize(mdInstance, fwInstance, fwInstance->configurationData);
-    if( CKR_OK != *pError ) {
-      goto loser;
-    }
-
-    called_Initialize = CK_TRUE;
-  }
-
-  if( (void *)NULL != (void *)mdInstance->ModuleHandlesSessionObjects ) {
-    fwInstance->moduleHandlesSessionObjects = 
-      mdInstance->ModuleHandlesSessionObjects(mdInstance, fwInstance);
-  } else {
-    fwInstance->moduleHandlesSessionObjects = CK_FALSE;
-  }
-
-  if( (void *)NULL == (void *)mdInstance->GetNSlots ) {
-    /* That routine is required */
-    *pError = CKR_GENERAL_ERROR;
-    goto loser;
-  }
-
-  fwInstance->nSlots = mdInstance->GetNSlots(mdInstance, fwInstance, pError);
-  if( (CK_ULONG)0 == fwInstance->nSlots ) {
-    if( CKR_OK == *pError ) {
-      /* Zero is not a legitimate answer */
-      *pError = CKR_GENERAL_ERROR;
-    }
-    goto loser;
-  }
-
-  fwInstance->fwSlotList = nss_ZNEWARRAY(arena, NSSCKFWSlot *, fwInstance->nSlots);
-  if( (NSSCKFWSlot **)NULL == fwInstance->fwSlotList ) {
-    goto nomem;
-  }
-
-  fwInstance->mdSlotList = nss_ZNEWARRAY(arena, NSSCKMDSlot *, fwInstance->nSlots);
-  if( (NSSCKMDSlot **)NULL == fwInstance->mdSlotList ) {
-    goto nomem;
-  }
-
-  fwInstance->sessionHandleHash = nssCKFWHash_Create(fwInstance, 
-    fwInstance->arena, pError);
-  if( (nssCKFWHash *)NULL == fwInstance->sessionHandleHash ) {
-    goto loser;
-  }
-
-  fwInstance->objectHandleHash = nssCKFWHash_Create(fwInstance,
-    fwInstance->arena, pError);
-  if( (nssCKFWHash *)NULL == fwInstance->objectHandleHash ) {
-    goto loser;
-  }
-
-  if( (void *)NULL == (void *)mdInstance->GetSlots ) {
-    /* That routine is required */
-    *pError = CKR_GENERAL_ERROR;
-    goto loser;
-  }
-
-  *pError = mdInstance->GetSlots(mdInstance, fwInstance, fwInstance->mdSlotList);
-  if( CKR_OK != *pError ) {
-    goto loser;
-  }
-
-  for( i = 0; i < fwInstance->nSlots; i++ ) {
-    NSSCKMDSlot *mdSlot = fwInstance->mdSlotList[i];
-
-    if( (NSSCKMDSlot *)NULL == mdSlot ) {
-      *pError = CKR_GENERAL_ERROR;
-      goto loser;
-    }
-
-    fwInstance->fwSlotList[i] = nssCKFWSlot_Create(fwInstance, mdSlot, i, pError);
-    if( CKR_OK != *pError ) {
-      CK_ULONG j;
-
-      for( j = 0; j < i; j++ ) {
-        (void)nssCKFWSlot_Destroy(fwInstance->fwSlotList[j]);
-      }
-
-      for( j = i; j < fwInstance->nSlots; j++ ) {
-        NSSCKMDSlot *mds = fwInstance->mdSlotList[j];
-        if( (void *)NULL != (void *)mds->Destroy ) {
-          mds->Destroy(mds, (NSSCKFWSlot *)NULL, mdInstance, fwInstance);
-        }
-      }
-
-      goto loser;
-    }
-  }
-
-#ifdef DEBUG
-  *pError = instance_add_pointer(fwInstance);
-  if( CKR_OK != *pError ) {
-    for( i = 0; i < fwInstance->nSlots; i++ ) {
-      (void)nssCKFWSlot_Destroy(fwInstance->fwSlotList[i]);
-    }
-    
-    goto loser;
-  }
-#endif /* DEBUG */
-
-  *pError = CKR_OK;
-  return fwInstance;
-
- nomem:
-  *pError = CKR_HOST_MEMORY;
-  /*FALLTHROUGH*/
- loser:
-
-  if( CK_TRUE == called_Initialize ) {
-    if( (void *)NULL != (void *)mdInstance->Finalize ) {
-      mdInstance->Finalize(mdInstance, fwInstance);
-    }
-  }
-
-  if (arena) {
-    (void)NSSArena_Destroy(arena);
-  }
-  return (NSSCKFWInstance *)NULL;
-}
-
-/*
- * nssCKFWInstance_Destroy
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWInstance_Destroy
-(
-  NSSCKFWInstance *fwInstance
-)
-{
-#ifdef NSSDEBUG
-  CK_RV error = CKR_OK;
-#endif /* NSSDEBUG */
-  CK_ULONG i;
-
-#ifdef NSSDEBUG
-  error = nssCKFWInstance_verifyPointer(fwInstance);
-  if( CKR_OK != error ) {
-    return error;
-  }
-#endif /* NSSDEBUG */
-
-  nssCKFWMutex_Destroy(fwInstance->mutex);
-
-  for( i = 0; i < fwInstance->nSlots; i++ ) {
-    (void)nssCKFWSlot_Destroy(fwInstance->fwSlotList[i]);
-  }
-
-  if( (void *)NULL != (void *)fwInstance->mdInstance->Finalize ) {
-    fwInstance->mdInstance->Finalize(fwInstance->mdInstance, fwInstance);
-  }
-
-  if (fwInstance->sessionHandleHash) {
-     nssCKFWHash_Destroy(fwInstance->sessionHandleHash);
-  }
-
-  if (fwInstance->objectHandleHash) {
-     nssCKFWHash_Destroy(fwInstance->objectHandleHash);
-  }
-
-#ifdef DEBUG
-  (void)instance_remove_pointer(fwInstance);
-#endif /* DEBUG */
-
-  (void)NSSArena_Destroy(fwInstance->arena);
-  return CKR_OK;
-}
-
-/*
- * nssCKFWInstance_GetMDInstance
- *
- */
-NSS_IMPLEMENT NSSCKMDInstance *
-nssCKFWInstance_GetMDInstance
-(
-  NSSCKFWInstance *fwInstance
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
-    return (NSSCKMDInstance *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  return fwInstance->mdInstance;
-}
-
-/*
- * nssCKFWInstance_GetArena
- *
- */
-NSS_IMPLEMENT NSSArena *
-nssCKFWInstance_GetArena
-(
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (NSSArena *)NULL;
-  }
-
-  *pError = nssCKFWInstance_verifyPointer(fwInstance);
-  if( CKR_OK != *pError ) {
-    return (NSSArena *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  *pError = CKR_OK;
-  return fwInstance->arena;
-}
-
-/*
- * nssCKFWInstance_MayCreatePthreads
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWInstance_MayCreatePthreads
-(
-  NSSCKFWInstance *fwInstance
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
-    return CK_FALSE;
-  }
-#endif /* NSSDEBUG */
-
-  return fwInstance->mayCreatePthreads;
-}
-
-/*
- * nssCKFWInstance_CreateMutex
- *
- */
-NSS_IMPLEMENT NSSCKFWMutex *
-nssCKFWInstance_CreateMutex
-(
-  NSSCKFWInstance *fwInstance,
-  NSSArena *arena,
-  CK_RV *pError
-)
-{
-  NSSCKFWMutex *mutex;
-
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (NSSCKFWMutex *)NULL;
-  }
-
-  *pError = nssCKFWInstance_verifyPointer(fwInstance);
-  if( CKR_OK != *pError ) {
-    return (NSSCKFWMutex *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  mutex = nssCKFWMutex_Create(fwInstance->pInitArgs, fwInstance->LockingState,
-                              arena, pError);
-  if( (NSSCKFWMutex *)NULL == mutex ) {
-    if( CKR_OK == *pError ) {
-      *pError = CKR_GENERAL_ERROR;
-    }
-
-    return (NSSCKFWMutex *)NULL;
-  }
-
-  return mutex;
-}
-
-/*
- * nssCKFWInstance_GetConfigurationData
- *
- */
-NSS_IMPLEMENT NSSUTF8 *
-nssCKFWInstance_GetConfigurationData
-(
-  NSSCKFWInstance *fwInstance
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
-    return (NSSUTF8 *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  return fwInstance->configurationData;
-}
-
-/*
- * nssCKFWInstance_GetInitArgs
- *
- */
-CK_C_INITIALIZE_ARGS_PTR
-nssCKFWInstance_GetInitArgs
-(
-  NSSCKFWInstance *fwInstance
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
-    return (CK_C_INITIALIZE_ARGS_PTR)NULL;
-  }
-#endif /* NSSDEBUG */
-
-    return fwInstance->pInitArgs;
-}
-
-/*
- * nssCKFWInstance_CreateSessionHandle
- *
- */
-NSS_IMPLEMENT CK_SESSION_HANDLE
-nssCKFWInstance_CreateSessionHandle
-(
-  NSSCKFWInstance *fwInstance,
-  NSSCKFWSession *fwSession,
-  CK_RV *pError
-)
-{
-  CK_SESSION_HANDLE hSession;
-
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (CK_SESSION_HANDLE)0;
-  }
-
-  *pError = nssCKFWInstance_verifyPointer(fwInstance);
-  if( CKR_OK != *pError ) {
-    return (CK_SESSION_HANDLE)0;
-  }
-#endif /* NSSDEBUG */
-
-  *pError = nssCKFWMutex_Lock(fwInstance->mutex);
-  if( CKR_OK != *pError ) {
-    return (CK_SESSION_HANDLE)0;
-  }
-
-  hSession = ++(fwInstance->lastSessionHandle);
-
-  /* Alan would say I should unlock for this call. */
-  
-  *pError = nssCKFWSession_SetHandle(fwSession, hSession);
-  if( CKR_OK != *pError ) {
-    goto done;
-  }
-
-  *pError = nssCKFWHash_Add(fwInstance->sessionHandleHash, 
-              (const void *)hSession, (const void *)fwSession);
-  if( CKR_OK != *pError ) {
-    hSession = (CK_SESSION_HANDLE)0;
-    goto done;
-  }
-
- done:
-  nssCKFWMutex_Unlock(fwInstance->mutex);
-  return hSession;
-}
-
-/*
- * nssCKFWInstance_ResolveSessionHandle
- *
- */
-NSS_IMPLEMENT NSSCKFWSession *
-nssCKFWInstance_ResolveSessionHandle
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession
-)
-{
-  NSSCKFWSession *fwSession;
-
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
-    return (NSSCKFWSession *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  if( CKR_OK != nssCKFWMutex_Lock(fwInstance->mutex) ) {
-    return (NSSCKFWSession *)NULL;
-  }
-
-  fwSession = (NSSCKFWSession *)nssCKFWHash_Lookup(
-                fwInstance->sessionHandleHash, (const void *)hSession);
-
-  /* Assert(hSession == nssCKFWSession_GetHandle(fwSession)) */
-
-  (void)nssCKFWMutex_Unlock(fwInstance->mutex);
-
-  return fwSession;
-}
-
-/*
- * nssCKFWInstance_DestroySessionHandle
- *
- */
-NSS_IMPLEMENT void
-nssCKFWInstance_DestroySessionHandle
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession
-)
-{
-  NSSCKFWSession *fwSession;
-
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
-    return;
-  }
-#endif /* NSSDEBUG */
-
-  if( CKR_OK != nssCKFWMutex_Lock(fwInstance->mutex) ) {
-    return;
-  }
-
-  fwSession = (NSSCKFWSession *)nssCKFWHash_Lookup(
-                fwInstance->sessionHandleHash, (const void *)hSession);
-
-  nssCKFWHash_Remove(fwInstance->sessionHandleHash, (const void *)hSession);
-  nssCKFWSession_SetHandle(fwSession, (CK_SESSION_HANDLE)0);
-
-  (void)nssCKFWMutex_Unlock(fwInstance->mutex);
-
-  return;
-}
-
-/*
- * nssCKFWInstance_FindSessionHandle
- *
- */
-NSS_IMPLEMENT CK_SESSION_HANDLE
-nssCKFWInstance_FindSessionHandle
-(
-  NSSCKFWInstance *fwInstance,
-  NSSCKFWSession *fwSession
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
-    return (CK_SESSION_HANDLE)0;
-  }
-
-  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
-    return (CK_SESSION_HANDLE)0;
-  }
-#endif /* NSSDEBUG */
-
-  return nssCKFWSession_GetHandle(fwSession);
-  /* look it up and assert? */
-}
-
-/*
- * nssCKFWInstance_CreateObjectHandle
- *
- */
-NSS_IMPLEMENT CK_OBJECT_HANDLE
-nssCKFWInstance_CreateObjectHandle
-(
-  NSSCKFWInstance *fwInstance,
-  NSSCKFWObject *fwObject,
-  CK_RV *pError
-)
-{
-  CK_OBJECT_HANDLE hObject;
-
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (CK_OBJECT_HANDLE)0;
-  }
-
-  *pError = nssCKFWInstance_verifyPointer(fwInstance);
-  if( CKR_OK != *pError ) {
-    return (CK_OBJECT_HANDLE)0;
-  }
-#endif /* NSSDEBUG */
-
-  *pError = nssCKFWMutex_Lock(fwInstance->mutex);
-  if( CKR_OK != *pError ) {
-    return (CK_OBJECT_HANDLE)0;
-  }
-
-  hObject = ++(fwInstance->lastObjectHandle);
-
-  *pError = nssCKFWObject_SetHandle(fwObject, hObject);
-  if( CKR_OK != *pError ) {
-    hObject = (CK_OBJECT_HANDLE)0;
-    goto done;
-  }
-
-  *pError = nssCKFWHash_Add(fwInstance->objectHandleHash, 
-              (const void *)hObject, (const void *)fwObject);
-  if( CKR_OK != *pError ) {
-    hObject = (CK_OBJECT_HANDLE)0;
-    goto done;
-  }
-
- done:
-  (void)nssCKFWMutex_Unlock(fwInstance->mutex);
-  return hObject;
-}
-
-/*
- * nssCKFWInstance_ResolveObjectHandle
- *
- */
-NSS_IMPLEMENT NSSCKFWObject *
-nssCKFWInstance_ResolveObjectHandle
-(
-  NSSCKFWInstance *fwInstance,
-  CK_OBJECT_HANDLE hObject
-)
-{
-  NSSCKFWObject *fwObject;
-
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
-    return (NSSCKFWObject *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  if( CKR_OK != nssCKFWMutex_Lock(fwInstance->mutex) ) {
-    return (NSSCKFWObject *)NULL;
-  }
-
-  fwObject = (NSSCKFWObject *)nssCKFWHash_Lookup(
-                fwInstance->objectHandleHash, (const void *)hObject);
-
-  /* Assert(hObject == nssCKFWObject_GetHandle(fwObject)) */
-
-  (void)nssCKFWMutex_Unlock(fwInstance->mutex);
-  return fwObject;
-}
-
-/*
- * nssCKFWInstance_ReassignObjectHandle
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWInstance_ReassignObjectHandle
-(
-  NSSCKFWInstance *fwInstance,
-  CK_OBJECT_HANDLE hObject,
-  NSSCKFWObject *fwObject
-)
-{
-  CK_RV error = CKR_OK;
-  NSSCKFWObject *oldObject;
-
-#ifdef NSSDEBUG
-  error = nssCKFWInstance_verifyPointer(fwInstance);
-  if( CKR_OK != error ) {
-    return error;
-  }
-#endif /* NSSDEBUG */
-
-  error = nssCKFWMutex_Lock(fwInstance->mutex);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  oldObject = (NSSCKFWObject *)nssCKFWHash_Lookup(
-                 fwInstance->objectHandleHash, (const void *)hObject);
-  /* Assert(hObject == nssCKFWObject_GetHandle(oldObject) */
-  (void)nssCKFWObject_SetHandle(oldObject, (CK_SESSION_HANDLE)0);
-  nssCKFWHash_Remove(fwInstance->objectHandleHash, (const void *)hObject);
-
-  error = nssCKFWObject_SetHandle(fwObject, hObject);
-  if( CKR_OK != error ) {
-    goto done;
-  }
-  error = nssCKFWHash_Add(fwInstance->objectHandleHash, 
-            (const void *)hObject, (const void *)fwObject);
-
- done:
-  (void)nssCKFWMutex_Unlock(fwInstance->mutex);
-  return error;
-}
-
-/*
- * nssCKFWInstance_DestroyObjectHandle
- *
- */
-NSS_IMPLEMENT void
-nssCKFWInstance_DestroyObjectHandle
-(
-  NSSCKFWInstance *fwInstance,
-  CK_OBJECT_HANDLE hObject
-)
-{
-  NSSCKFWObject *fwObject;
-
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
-    return;
-  }
-#endif /* NSSDEBUG */
-
-  if( CKR_OK != nssCKFWMutex_Lock(fwInstance->mutex) ) {
-    return;
-  }
-
-  fwObject = (NSSCKFWObject *)nssCKFWHash_Lookup(
-                fwInstance->objectHandleHash, (const void *)hObject);
-  /* Assert(hObject = nssCKFWObject_GetHandle(fwObject)) */
-  nssCKFWHash_Remove(fwInstance->objectHandleHash, (const void *)hObject);
-  (void)nssCKFWObject_SetHandle(fwObject, (CK_SESSION_HANDLE)0);
-
-  (void)nssCKFWMutex_Unlock(fwInstance->mutex);
-  return;
-}
-
-/*
- * nssCKFWInstance_FindObjectHandle
- *
- */
-NSS_IMPLEMENT CK_OBJECT_HANDLE
-nssCKFWInstance_FindObjectHandle
-(
-  NSSCKFWInstance *fwInstance,
-  NSSCKFWObject *fwObject
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
-    return (CK_OBJECT_HANDLE)0;
-  }
-
-  if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
-    return (CK_OBJECT_HANDLE)0;
-  }
-#endif /* NSSDEBUG */
-  
-  return nssCKFWObject_GetHandle(fwObject);
-}
-
-/*
- * nssCKFWInstance_GetNSlots
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWInstance_GetNSlots
-(
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (CK_ULONG)0;
-  }
-
-  *pError = nssCKFWInstance_verifyPointer(fwInstance);
-  if( CKR_OK != *pError ) {
-    return (CK_ULONG)0;
-  }
-#endif /* NSSDEBUG */
-
-  *pError = CKR_OK;
-  return fwInstance->nSlots;
-}  
-
-/*
- * nssCKFWInstance_GetCryptokiVersion
- *
- */
-NSS_IMPLEMENT CK_VERSION
-nssCKFWInstance_GetCryptokiVersion
-(
-  NSSCKFWInstance *fwInstance
-)
-{
-  CK_VERSION rv;
-
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
-    rv.major = rv.minor = 0;
-    return rv;
-  }
-#endif /* NSSDEBUG */
-
-  if( CKR_OK != nssCKFWMutex_Lock(fwInstance->mutex) ) {
-    rv.major = rv.minor = 0;
-    return rv;
-  }
-
-  if( (0 != fwInstance->cryptokiVersion.major) ||
-      (0 != fwInstance->cryptokiVersion.minor) ) {
-    rv = fwInstance->cryptokiVersion;
-    goto done;
-  }
-
-  if( (void *)NULL != (void *)fwInstance->mdInstance->GetCryptokiVersion ) {
-    fwInstance->cryptokiVersion = fwInstance->mdInstance->GetCryptokiVersion(
-      fwInstance->mdInstance, fwInstance);
-  } else {
-    fwInstance->cryptokiVersion.major = 2;
-    fwInstance->cryptokiVersion.minor = 1;
-  }
-
-  rv = fwInstance->cryptokiVersion;
-
- done:
-  (void)nssCKFWMutex_Unlock(fwInstance->mutex);
-  return rv;
-}
-
-/*
- * nssCKFWInstance_GetManufacturerID
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWInstance_GetManufacturerID
-(
-  NSSCKFWInstance *fwInstance,
-  CK_CHAR manufacturerID[32]
-)
-{
-  CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
-  if( (CK_CHAR_PTR)NULL == manufacturerID ) {
-    return CKR_ARGUMENTS_BAD;
-  }
-
-  error = nssCKFWInstance_verifyPointer(fwInstance);
-  if( CKR_OK != error ) {
-    return error;
-  }
-#endif /* NSSDEBUG */
-
-  error = nssCKFWMutex_Lock(fwInstance->mutex);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  if( (NSSUTF8 *)NULL == fwInstance->manufacturerID ) {
-    if( (void *)NULL != (void *)fwInstance->mdInstance->GetManufacturerID ) {
-      fwInstance->manufacturerID = fwInstance->mdInstance->GetManufacturerID(
-        fwInstance->mdInstance, fwInstance, &error);
-      if( ((NSSUTF8 *)NULL == fwInstance->manufacturerID) && (CKR_OK != error) ) {
-        goto done;
-      }
-    } else {
-      fwInstance->manufacturerID = (NSSUTF8 *) "";
-    }
-  }
-
-  (void)nssUTF8_CopyIntoFixedBuffer(fwInstance->manufacturerID, (char *)manufacturerID, 32, ' ');
-  error = CKR_OK;
-
- done:
-  (void)nssCKFWMutex_Unlock(fwInstance->mutex);
-  return error;
-}
-
-/*
- * nssCKFWInstance_GetFlags
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWInstance_GetFlags
-(
-  NSSCKFWInstance *fwInstance
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
-    return (CK_ULONG)0;
-  }
-#endif /* NSSDEBUG */
-
-  /* No "instance flags" are yet defined by Cryptoki. */
-  return (CK_ULONG)0;
-}
-
-/*
- * nssCKFWInstance_GetLibraryDescription
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWInstance_GetLibraryDescription
-(
-  NSSCKFWInstance *fwInstance,
-  CK_CHAR libraryDescription[32]
-)
-{
-  CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
-  if( (CK_CHAR_PTR)NULL == libraryDescription ) {
-    return CKR_ARGUMENTS_BAD;
-  }
-
-  error = nssCKFWInstance_verifyPointer(fwInstance);
-  if( CKR_OK != error ) {
-    return error;
-  }
-#endif /* NSSDEBUG */
-
-  error = nssCKFWMutex_Lock(fwInstance->mutex);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  if( (NSSUTF8 *)NULL == fwInstance->libraryDescription ) {
-    if( (void *)NULL != (void *)fwInstance->mdInstance->GetLibraryDescription ) {
-      fwInstance->libraryDescription = fwInstance->mdInstance->GetLibraryDescription(
-        fwInstance->mdInstance, fwInstance, &error);
-      if( ((NSSUTF8 *)NULL == fwInstance->libraryDescription) && (CKR_OK != error) ) {
-        goto done;
-      }
-    } else {
-      fwInstance->libraryDescription = (NSSUTF8 *) "";
-    }
-  }
-
-  (void)nssUTF8_CopyIntoFixedBuffer(fwInstance->libraryDescription, (char *)libraryDescription, 32, ' ');
-  error = CKR_OK;
-
- done:
-  (void)nssCKFWMutex_Unlock(fwInstance->mutex);
-  return error;
-}
-
-/*
- * nssCKFWInstance_GetLibraryVersion
- *
- */
-NSS_IMPLEMENT CK_VERSION
-nssCKFWInstance_GetLibraryVersion
-(
-  NSSCKFWInstance *fwInstance
-)
-{
-  CK_VERSION rv;
-
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
-    rv.major = rv.minor = 0;
-    return rv;
-  }
-#endif /* NSSDEBUG */
-
-  if( CKR_OK != nssCKFWMutex_Lock(fwInstance->mutex) ) {
-    rv.major = rv.minor = 0;
-    return rv;
-  }
-
-  if( (0 != fwInstance->libraryVersion.major) ||
-      (0 != fwInstance->libraryVersion.minor) ) {
-    rv = fwInstance->libraryVersion;
-    goto done;
-  }
-
-  if( (void *)NULL != (void *)fwInstance->mdInstance->GetLibraryVersion ) {
-    fwInstance->libraryVersion = fwInstance->mdInstance->GetLibraryVersion(
-      fwInstance->mdInstance, fwInstance);
-  } else {
-    fwInstance->libraryVersion.major = 0;
-    fwInstance->libraryVersion.minor = 3;
-  }
-
-  rv = fwInstance->libraryVersion;
- done:
-  (void)nssCKFWMutex_Unlock(fwInstance->mutex);
-  return rv;
-}
-
-/*
- * nssCKFWInstance_GetModuleHandlesSessionObjects
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWInstance_GetModuleHandlesSessionObjects
-(
-  NSSCKFWInstance *fwInstance
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
-    return CK_FALSE;
-  }
-#endif /* NSSDEBUG */
-
-  return fwInstance->moduleHandlesSessionObjects;
-}
-
-/*
- * nssCKFWInstance_GetSlots
- *
- */
-NSS_IMPLEMENT NSSCKFWSlot **
-nssCKFWInstance_GetSlots
-(
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (NSSCKFWSlot **)NULL;
-  }
-
-  *pError = nssCKFWInstance_verifyPointer(fwInstance);
-  if( CKR_OK != *pError ) {
-    return (NSSCKFWSlot **)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  return fwInstance->fwSlotList;
-}
-
-/*
- * nssCKFWInstance_WaitForSlotEvent
- *
- */
-NSS_IMPLEMENT NSSCKFWSlot *
-nssCKFWInstance_WaitForSlotEvent
-(
-  NSSCKFWInstance *fwInstance,
-  CK_BBOOL block,
-  CK_RV *pError
-)
-{
-  NSSCKFWSlot *fwSlot = (NSSCKFWSlot *)NULL;
-  NSSCKMDSlot *mdSlot;
-  CK_ULONG i, n;
-
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (NSSCKFWSlot *)NULL;
-  }
-
-  *pError = nssCKFWInstance_verifyPointer(fwInstance);
-  if( CKR_OK != *pError ) {
-    return (NSSCKFWSlot *)NULL;
-  }
-
-  switch( block ) {
-  case CK_TRUE:
-  case CK_FALSE:
-    break;
-  default:
-    *pError = CKR_ARGUMENTS_BAD;
-    return (NSSCKFWSlot *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwInstance->mdInstance->WaitForSlotEvent ) {
-    *pError = CKR_NO_EVENT;
-    return (NSSCKFWSlot *)NULL;
-  }
-
-  mdSlot = fwInstance->mdInstance->WaitForSlotEvent(
-    fwInstance->mdInstance,
-    fwInstance,
-    block,
-    pError
-  );
-
-  if( (NSSCKMDSlot *)NULL == mdSlot ) {
-    return (NSSCKFWSlot *)NULL;
-  }
-
-  n = nssCKFWInstance_GetNSlots(fwInstance, pError);
-  if( ((CK_ULONG)0 == n) && (CKR_OK != *pError) ) {
-    return (NSSCKFWSlot *)NULL;
-  }
-
-  for( i = 0; i < n; i++ ) {
-    if( fwInstance->mdSlotList[i] == mdSlot ) {
-      fwSlot = fwInstance->fwSlotList[i];
-      break;
-    }
-  }
-
-  if( (NSSCKFWSlot *)NULL == fwSlot ) {
-    /* Internal error */
-    *pError = CKR_GENERAL_ERROR;
-    return (NSSCKFWSlot *)NULL;
-  }
-
-  return fwSlot;
-}
-
-/*
- * NSSCKFWInstance_GetMDInstance
- *
- */
-NSS_IMPLEMENT NSSCKMDInstance *
-NSSCKFWInstance_GetMDInstance
-(
-  NSSCKFWInstance *fwInstance
-)
-{
-#ifdef DEBUG
-  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
-    return (NSSCKMDInstance *)NULL;
-  }
-#endif /* DEBUG */
-
-  return nssCKFWInstance_GetMDInstance(fwInstance);
-}
-
-/*
- * NSSCKFWInstance_GetArena
- *
- */
-NSS_IMPLEMENT NSSArena *
-NSSCKFWInstance_GetArena
-(
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-#ifdef DEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (NSSArena *)NULL;
-  }
-
-  *pError = nssCKFWInstance_verifyPointer(fwInstance);
-  if( CKR_OK != *pError ) {
-    return (NSSArena *)NULL;
-  }
-#endif /* DEBUG */
-
-  return nssCKFWInstance_GetArena(fwInstance, pError);
-}
-
-/*
- * NSSCKFWInstance_MayCreatePthreads
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-NSSCKFWInstance_MayCreatePthreads
-(
-  NSSCKFWInstance *fwInstance
-)
-{
-#ifdef DEBUG
-  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
-    return CK_FALSE;
-  }
-#endif /* DEBUG */
-
-  return nssCKFWInstance_MayCreatePthreads(fwInstance);
-}
-
-/*
- * NSSCKFWInstance_CreateMutex
- *
- */
-NSS_IMPLEMENT NSSCKFWMutex *
-NSSCKFWInstance_CreateMutex
-(
-  NSSCKFWInstance *fwInstance,
-  NSSArena *arena,
-  CK_RV *pError
-)
-{
-#ifdef DEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (NSSCKFWMutex *)NULL;
-  }
-
-  *pError = nssCKFWInstance_verifyPointer(fwInstance);
-  if( CKR_OK != *pError ) {
-    return (NSSCKFWMutex *)NULL;
-  }
-#endif /* DEBUG */
-
-  return nssCKFWInstance_CreateMutex(fwInstance, arena, pError);
-}
-
-/*
- * NSSCKFWInstance_GetConfigurationData
- *
- */
-NSS_IMPLEMENT NSSUTF8 *
-NSSCKFWInstance_GetConfigurationData
-(
-  NSSCKFWInstance *fwInstance
-)
-{
-#ifdef DEBUG
-  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
-    return (NSSUTF8 *)NULL;
-  }
-#endif /* DEBUG */
-
-  return nssCKFWInstance_GetConfigurationData(fwInstance);
-}
-
-/*
- * NSSCKFWInstance_GetInitArgs
- *
- */
-NSS_IMPLEMENT CK_C_INITIALIZE_ARGS_PTR
-NSSCKFWInstance_GetInitArgs
-(
-  NSSCKFWInstance *fwInstance
-)
-{
-#ifdef DEBUG
-  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
-    return (CK_C_INITIALIZE_ARGS_PTR)NULL;
-  }
-#endif /* DEBUG */
-
-  return nssCKFWInstance_GetInitArgs(fwInstance);
-}
-
diff --git a/security/nss/lib/ckfw/manifest.mn b/security/nss/lib/ckfw/manifest.mn
deleted file mode 100644
index f5e9fb953..000000000
--- a/security/nss/lib/ckfw/manifest.mn
+++ /dev/null
@@ -1,82 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
-
-CORE_DEPTH = ../../..
-
-DIRS = builtins
-
-PRIVATE_EXPORTS = \
-	ck.h		  \
-	ckfw.h		  \
-	ckfwm.h		  \
-	ckfwtm.h	  \
-	ckmd.h		  \
-	ckt.h		  \
-	$(NULL)
-
-EXPORTS =	   \
-	nssck.api  \
-	nssckepv.h \
-	nssckft.h  \
-	nssckfw.h  \
-	nssckfwc.h \
-	nssckfwt.h \
-	nssckg.h   \
-	nssckmdt.h \
-	nssckt.h   \
-	$(NULL)
-
-MODULE = nss
-
-CSRCS =		   \
-	find.c	   \
-	hash.c	   \
-	instance.c \
-	mutex.c	   \
-	object.c   \
-	session.c  \
-	sessobj.c  \
-	slot.c	   \
-	token.c	   \
-	wrap.c	   \
-	mechanism.c \
-	$(NULL)
-
-REQUIRES = nspr
-
-LIBRARY_NAME = nssckfw
diff --git a/security/nss/lib/ckfw/mechanism.c b/security/nss/lib/ckfw/mechanism.c
deleted file mode 100644
index 8ae8b5f71..000000000
--- a/security/nss/lib/ckfw/mechanism.c
+++ /dev/null
@@ -1,168 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * mechanism.c
- *
- * This file implements the NSSCKFWMechanism type and methods.
- * These functions are currently stubs.
- */
-
-#ifndef CK_T
-#include "ck.h"
-#endif /* CK_T */
-
-/*
- * NSSCKFWMechanism
- *
- *  -- create/destroy --
- *  nssCKFWMechanism_Create
- *  nssCKFWMechanism_Destroy
- *
- *  -- implement public accessors --
- *  nssCKFWMechanism_GetMDMechanism
- *  nssCKFWMechanism_GetParameter
- *
- *  -- private accessors --
- *
- *  -- module fronts --
- *  nssCKFWMechanism_GetMinKeySize
- *  nssCKFWMechanism_GetMaxKeySize
- *  nssCKFWMechanism_GetInHardware
- */
-
-
-struct NSSCKFWMechanismStr {
-   void * dummy;
-};
-
-/*
- * nssCKFWMechanism_Create
- *
- */
-NSS_IMPLEMENT NSSCKFWMechanism *
-nssCKFWMechanism_Create
-(
-  void /* XXX fgmr */
-)
-{
-  return (NSSCKFWMechanism *)NULL;
-}
-
-/*
- * nssCKFWMechanism_Destroy
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWMechanism_Destroy
-(
-  NSSCKFWMechanism *fwMechanism
-)
-{
-   return CKR_OK;
-}
-
-/*
- * nssCKFWMechanism_GetMDMechanism
- *
- */
-
-NSS_IMPLEMENT NSSCKMDMechanism *
-nssCKFWMechanism_GetMDMechanism
-(
-  NSSCKFWMechanism *fwMechanism
-)
-{
-    return NULL;
-}
-
-/*
- * nssCKFWMechanism_GetParameter
- *
- * XXX fgmr-- or as an additional parameter to the crypto ops?
- */
-NSS_IMPLEMENT NSSItem *
-nssCKFWMechanism_GetParameter
-(
-  NSSCKFWMechanism *fwMechanism
-)
-{
-	return NULL;
-}
-
-/*
- * nssCKFWMechanism_GetMinKeySize
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWMechanism_GetMinKeySize
-(
-  NSSCKFWMechanism *fwMechanism
-)
-{
-    return 0;
-}
-
-/*
- * nssCKFWMechanism_GetMaxKeySize
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWMechanism_GetMaxKeySize
-(
-  NSSCKFWMechanism *fwMechanism
-)
-{
-   return 0;
-}
-
-/*
- * nssCKFWMechanism_GetInHardware
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWMechanism_GetInHardware
-(
-  NSSCKFWMechanism *fwMechanism
-)
-{
-    return PR_FALSE;
-}
-
diff --git a/security/nss/lib/ckfw/mutex.c b/security/nss/lib/ckfw/mutex.c
deleted file mode 100644
index 0b6b80019..000000000
--- a/security/nss/lib/ckfw/mutex.c
+++ /dev/null
@@ -1,314 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * mutex.c
- *
- * This file implements a mutual-exclusion locking facility for Modules
- * using the NSS Cryptoki Framework.
- */
-
-#ifndef CK_T
-#include "ck.h"
-#endif /* CK_T */
-
-/*
- * NSSCKFWMutex
- *
- *  NSSCKFWMutex_Destroy
- *  NSSCKFWMutex_Lock
- *  NSSCKFWMutex_Unlock
- *
- *  nssCKFWMutex_Create
- *  nssCKFWMutex_Destroy
- *  nssCKFWMutex_Lock
- *  nssCKFWMutex_Unlock
- *
- *  -- debugging versions only --
- *  nssCKFWMutex_verifyPointer
- *
- */
-
-struct NSSCKFWMutexStr {
-  PRLock *lock;
-};
-
-#ifdef DEBUG
-/*
- * But first, the pointer-tracking stuff.
- *
- * NOTE: the pointer-tracking support in NSS/base currently relies
- * upon NSPR's CallOnce support.  That, however, relies upon NSPR's
- * locking, which is tied into the runtime.  We need a pointer-tracker
- * implementation that uses the locks supplied through C_Initialize.
- * That support, however, can be filled in later.  So for now, I'll
- * just do this routines as no-ops.
- */
-
-static CK_RV
-mutex_add_pointer
-(
-  const NSSCKFWMutex *fwMutex
-)
-{
-  return CKR_OK;
-}
-
-static CK_RV
-mutex_remove_pointer
-(
-  const NSSCKFWMutex *fwMutex
-)
-{
-  return CKR_OK;
-}
-
-NSS_IMPLEMENT CK_RV
-nssCKFWMutex_verifyPointer
-(
-  const NSSCKFWMutex *fwMutex
-)
-{
-  return CKR_OK;
-}
-
-#endif /* DEBUG */
-
-static CK_RV
-mutex_noop
-(
-  CK_VOID_PTR pMutex
-)
-{
-  return CKR_OK;
-}
-
-/*
- * nssCKFWMutex_Create
- *
- */
-NSS_EXTERN NSSCKFWMutex *
-nssCKFWMutex_Create
-(
-  CK_C_INITIALIZE_ARGS_PTR pInitArgs,
-  CryptokiLockingState LockingState,
-  NSSArena *arena,
-  CK_RV *pError
-)
-{
-  NSSCKFWMutex *mutex;
-  
-  mutex = nss_ZNEW(arena, NSSCKFWMutex);
-  if( (NSSCKFWMutex *)NULL == mutex ) {
-    *pError = CKR_HOST_MEMORY;
-    return (NSSCKFWMutex *)NULL;
-  }
-  *pError = CKR_OK;
-  mutex->lock = NULL;
-  if (LockingState == MultiThreaded) {
-    mutex->lock = PR_NewLock();
-    if (!mutex->lock) {
-      *pError = CKR_HOST_MEMORY; /* we couldn't get the resource */
-    }
-  }
-    
-  if( CKR_OK != *pError ) {
-    (void)nss_ZFreeIf(mutex);
-    return (NSSCKFWMutex *)NULL;
-  }
-
-#ifdef DEBUG
-  *pError = mutex_add_pointer(mutex);
-  if( CKR_OK != *pError ) {
-    if (mutex->lock) {
-      PR_DestroyLock(mutex->lock);
-    }
-    (void)nss_ZFreeIf(mutex);
-    return (NSSCKFWMutex *)NULL;
-  }
-#endif /* DEBUG */
-
-  return mutex;
-}  
-
-/*
- * nssCKFWMutex_Destroy
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWMutex_Destroy
-(
-  NSSCKFWMutex *mutex
-)
-{
-  CK_RV rv = CKR_OK;
-
-#ifdef NSSDEBUG
-  rv = nssCKFWMutex_verifyPointer(mutex);
-  if( CKR_OK != rv ) {
-    return rv;
-  }
-#endif /* NSSDEBUG */
- 
-  if (mutex->lock) {
-    PR_DestroyLock(mutex->lock);
-  } 
-
-#ifdef DEBUG
-  (void)mutex_remove_pointer(mutex);
-#endif /* DEBUG */
-
-  (void)nss_ZFreeIf(mutex);
-  return rv;
-}
-
-/*
- * nssCKFWMutex_Lock
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWMutex_Lock
-(
-  NSSCKFWMutex *mutex
-)
-{
-#ifdef NSSDEBUG
-  CK_RV rv = nssCKFWMutex_verifyPointer(mutex);
-  if( CKR_OK != rv ) {
-    return rv;
-  }
-#endif /* NSSDEBUG */
-  if (mutex->lock) {
-    PR_Lock(mutex->lock);
-  }
-  
-  return CKR_OK;
-}
-
-/*
- * nssCKFWMutex_Unlock
- *
- */
-NSS_EXTERN CK_RV
-nssCKFWMutex_Unlock
-(
-  NSSCKFWMutex *mutex
-)
-{
-  PRStatus nrv;
-#ifdef NSSDEBUG
-  CK_RV rv = nssCKFWMutex_verifyPointer(mutex);
-
-  if( CKR_OK != rv ) {
-    return rv;
-  }
-#endif /* NSSDEBUG */
-
-  if (!mutex->lock) 
-    return CKR_OK;
-
-  nrv =  PR_Unlock(mutex->lock);
-
-  /* if unlock fails, either we have a programming error, or we have
-   * some sort of hardware failure... in either case return CKR_DEVICE_ERROR.
-   */
-  return nrv == PR_SUCCESS ? CKR_OK : CKR_DEVICE_ERROR;
-}
-
-/*
- * NSSCKFWMutex_Destroy
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWMutex_Destroy
-(
-  NSSCKFWMutex *mutex
-)
-{
-#ifdef DEBUG
-  CK_RV rv = nssCKFWMutex_verifyPointer(mutex);
-  if( CKR_OK != rv ) {
-    return rv;
-  }
-#endif /* DEBUG */
-  
-  return nssCKFWMutex_Destroy(mutex);
-}
-
-/*
- * NSSCKFWMutex_Lock
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWMutex_Lock
-(
-  NSSCKFWMutex *mutex
-)
-{
-#ifdef DEBUG
-  CK_RV rv = nssCKFWMutex_verifyPointer(mutex);
-  if( CKR_OK != rv ) {
-    return rv;
-  }
-#endif /* DEBUG */
-  
-  return nssCKFWMutex_Lock(mutex);
-}
-
-/*
- * NSSCKFWMutex_Unlock
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWMutex_Unlock
-(
-  NSSCKFWMutex *mutex
-)
-{
-#ifdef DEBUG
-  CK_RV rv = nssCKFWMutex_verifyPointer(mutex);
-  if( CKR_OK != rv ) {
-    return rv;
-  }
-#endif /* DEBUG */
-
-  return nssCKFWMutex_Unlock(mutex);
-}
-
diff --git a/security/nss/lib/ckfw/nsprstub.c b/security/nss/lib/ckfw/nsprstub.c
deleted file mode 100644
index 30e4a5ed4..000000000
--- a/security/nss/lib/ckfw/nsprstub.c
+++ /dev/null
@@ -1,520 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * secport.c - portability interfaces for security libraries
- *
- * This file abstracts out libc functionality that libsec depends on
- * 
- * NOTE - These are not public interfaces. These stubs are to allow the 
- * SW FORTEZZA to link with some low level security functions without dragging
- * in NSPR.
- *
- * $Id$
- */
-
-#include "seccomon.h"
-#include "prmem.h"
-#include "prerror.h"
-#include "plarena.h"
-#include "secerr.h"
-#include "prmon.h"
-#include "prbit.h"
-#include "ck.h"
-
-#ifdef notdef
-unsigned long port_allocFailures;
-
-/* locations for registering Unicode conversion functions.  
- *  Is this the appropriate location?  or should they be
- *     moved to client/server specific locations?
- */
-PORTCharConversionFunc ucs4Utf8ConvertFunc;
-PORTCharConversionFunc ucs2Utf8ConvertFunc;
-PORTCharConversionWSwapFunc  ucs2AsciiConvertFunc;
-
-void *
-PORT_Alloc(size_t bytes)
-{
-    void *rv;
-
-    /* Always allocate a non-zero amount of bytes */
-    rv = (void *)malloc(bytes ? bytes : 1);
-    if (!rv) {
-	++port_allocFailures;
-    }
-    return rv;
-}
-
-void *
-PORT_Realloc(void *oldptr, size_t bytes)
-{
-    void *rv;
-
-    rv = (void *)realloc(oldptr, bytes);
-    if (!rv) {
-	++port_allocFailures;
-    }
-    return rv;
-}
-
-void *
-PORT_ZAlloc(size_t bytes)
-{
-    void *rv;
-
-    /* Always allocate a non-zero amount of bytes */
-    rv = (void *)calloc(1, bytes ? bytes : 1);
-    if (!rv) {
-	++port_allocFailures;
-    }
-    return rv;
-}
-
-void
-PORT_Free(void *ptr)
-{
-    if (ptr) {
-	free(ptr);
-    }
-}
-
-void
-PORT_ZFree(void *ptr, size_t len)
-{
-    if (ptr) {
-	memset(ptr, 0, len);
-	free(ptr);
-    }
-}
-
-/********************* Arena code follows *****************************/
-
-
-PLArenaPool *
-PORT_NewArena(unsigned long chunksize)
-{
-    PLArenaPool *arena;
-    
-    arena = (PLArenaPool*)PORT_ZAlloc(sizeof(PLArenaPool));
-    if ( arena != NULL ) {
-	PR_InitArenaPool(arena, "security", chunksize, sizeof(double));
-    }
-    return(arena);
-}
-
-void *
-PORT_ArenaAlloc(PLArenaPool *arena, size_t size)
-{
-    void *p;
-
-    PL_ARENA_ALLOCATE(p, arena, size);
-    if (p == NULL) {
-	++port_allocFailures;
-    }
-
-    return(p);
-}
-
-void *
-PORT_ArenaZAlloc(PLArenaPool *arena, size_t size)
-{
-    void *p;
-
-    PL_ARENA_ALLOCATE(p, arena, size);
-    if (p == NULL) {
-	++port_allocFailures;
-    } else {
-	PORT_Memset(p, 0, size);
-    }
-
-    return(p);
-}
-
-/* need to zeroize!! */
-void
-PORT_FreeArena(PLArenaPool *arena, PRBool zero)
-{
-    PR_FinishArenaPool(arena);
-    PORT_Free(arena);
-}
-
-void *
-PORT_ArenaGrow(PLArenaPool *arena, void *ptr, size_t oldsize, size_t newsize)
-{
-    PORT_Assert(newsize >= oldsize);
-    
-    PL_ARENA_GROW(ptr, arena, oldsize, ( newsize - oldsize ) );
-    
-    return(ptr);
-}
-
-void *
-PORT_ArenaMark(PLArenaPool *arena)
-{
-    void * result;
-
-    result = PL_ARENA_MARK(arena);
-    return result;
-}
-
-void
-PORT_ArenaRelease(PLArenaPool *arena, void *mark)
-{
-    PL_ARENA_RELEASE(arena, mark);
-}
-
-void
-PORT_ArenaUnmark(PLArenaPool *arena, void *mark)
-{
-    /* do nothing */
-}
-
-char *
-PORT_ArenaStrdup(PLArenaPool *arena,const char *str) {
-    int len = PORT_Strlen(str)+1;
-    char *newstr;
-
-    newstr = (char*)PORT_ArenaAlloc(arena,len);
-    if (newstr) {
-        PORT_Memcpy(newstr,str,len);
-    }
-    return newstr;
-}
-#endif
-
-/*
- * replace the nice thread-safe Error stack code with something
- * that will work without all the NSPR features.
- */
-static PRInt32 stack[2] = {0, 0};
-
-PR_IMPLEMENT(void)
-nss_SetError(PRUint32 value)
-{	
-    stack[0] = value;
-    return;
-}
-
-PR_IMPLEMENT(PRInt32)
-NSS_GetError(void)
-{
-    return(stack[0]);
-}
-
-
-PR_IMPLEMENT(PRInt32 *)
-NSS_GetErrorStack(void)
-{
-    return(&stack[0]);
-}
-
-PR_IMPLEMENT(void)
-nss_ClearErrorStack(void)
-{
-    stack[0] = 0;
-    return;
-}
-
-#ifdef DEBUG
-/*
- * replace the pointer tracking stuff for the same reasons.
- *  If you want to turn pointer tracking on, simply ifdef out this code and 
- *  link with real NSPR.
- */
-PR_IMPLEMENT(PRStatus)
-nssPointerTracker_initialize(nssPointerTracker *tracker)
-{
-    return PR_SUCCESS;
-}
-
-
-PR_IMPLEMENT(PRStatus)
-nssPointerTracker_finalize(nssPointerTracker *tracker)
-{
-    return PR_SUCCESS;
-}
-
-PR_IMPLEMENT(PRStatus)
-nssPointerTracker_add(nssPointerTracker *tracker, const void *pointer)
-{
-     return PR_SUCCESS;
-}
-
-PR_IMPLEMENT(PRStatus)
-nssPointerTracker_remove(nssPointerTracker *tracker, const void *pointer)
-{
-     return PR_SUCCESS;
-}
-
-PR_IMPLEMENT(PRStatus)
-nssPointerTracker_verify(nssPointerTracker *tracker, const void *pointer)
-{
-     return PR_SUCCESS;
-}
-#endif
-
-/*
- * Do not use NSPR stubs for MinGW because they can't resolve references
- * to the _imp__PR_XXX symbols.  This is merely an expedient hack and not
- * the right solution.
- */
-#if !(defined(WIN32) && defined(__GNUC__))
-PR_IMPLEMENT(PRThread *)
-PR_GetCurrentThread(void)
-{
-     return (PRThread *)1;
-}
-
-
-
-PR_IMPLEMENT(void)
-PR_Assert(const char *expr, const char *file, int line) {
-    return; 
-}
-
-PR_IMPLEMENT(void *)
-PR_Alloc(PRUint32 bytes) { return malloc(bytes); }
-
-PR_IMPLEMENT(void *)
-PR_Malloc(PRUint32 bytes) { return malloc(bytes); }
-
-PR_IMPLEMENT(void *)
-PR_Calloc(PRUint32 blocks, PRUint32 bytes) { return calloc(blocks,bytes); }
-
-PR_IMPLEMENT(void *)
-PR_Realloc(void * blocks, PRUint32 bytes) { return realloc(blocks,bytes); }
-
-PR_IMPLEMENT(void)
-PR_Free(void *ptr) { free(ptr); }
-
-#ifdef notdef
-/* Old template; want to expunge it eventually. */
-#include "secasn1.h"
-#include "secoid.h"
-
-const SEC_ASN1Template SECOID_AlgorithmIDTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(SECAlgorithmID) },
-    { SEC_ASN1_OBJECT_ID,
-	  offsetof(SECAlgorithmID,algorithm), },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
-	  offsetof(SECAlgorithmID,parameters), },
-    { 0, }
-};
-
-PR_IMPLEMENT(PRStatus) PR_Sleep(PRIntervalTime ticks) { return PR_SUCCESS; }
-
-/* This is not atomic! */
-PR_IMPLEMENT(PRInt32) PR_AtomicDecrement(PRInt32 *val) { return --(*val); }
-
-PR_IMPLEMENT(PRInt32) PR_AtomicSet(PRInt32 *val) { return ++(*val); }
-
-#endif
-
-/* now make the RNG happy */ /* This is not atomic! */
-PR_IMPLEMENT(PRInt32) PR_AtomicIncrement(PRInt32 *val) { return ++(*val); }
-#endif /* ! (WIN32 && GCC) */
-
-static CK_C_INITIALIZE_ARGS_PTR nssstub_pInitArgs = NULL;
-static CK_C_INITIALIZE_ARGS nssstub_initArgs;
-static NSSArena *nssstub_arena = NULL;
-static CryptokiLockingState nssstub_LockingState = SingleThreaded;
-
-PR_IMPLEMENT(CK_RV)
-nssSetLockArgs(CK_C_INITIALIZE_ARGS_PTR pInitArgs, CryptokiLockingState* returned)
-{
-    CK_ULONG count = (CK_ULONG)0;
-    CK_BBOOL os_ok = CK_FALSE;
-    CK_RV rv = CKR_OK;
-    if (nssstub_pInitArgs == NULL) {
-	if (pInitArgs != NULL) {
-	    nssstub_initArgs = *pInitArgs;
-	    nssstub_pInitArgs = &nssstub_initArgs;
-            if( (CK_CREATEMUTEX )NULL != pInitArgs->CreateMutex  ) count++;
-            if( (CK_DESTROYMUTEX)NULL != pInitArgs->DestroyMutex ) count++;
-            if( (CK_LOCKMUTEX   )NULL != pInitArgs->LockMutex    ) count++;
-            if( (CK_UNLOCKMUTEX )NULL != pInitArgs->UnlockMutex  ) count++;
-            os_ok = (pInitArgs->flags & CKF_OS_LOCKING_OK) ? CK_TRUE : CK_FALSE;
-
-            if( (0 != count) && (4 != count) ) {
-                rv = CKR_ARGUMENTS_BAD;
-                goto loser;
-            }
-	} else {
-	    nssstub_pInitArgs = pInitArgs;
-	}
-	/* nssstub_arena = NSSArena_Create(); */
-    }
-
-    if( (0 == count) && (CK_TRUE == os_ok) ) {
-      /*
-       * This is case #2 in the description of C_Initialize:
-       * The library will be called in a multithreaded way, but
-       * no routines were specified: os locking calls should be
-       * used.  Unfortunately, this can be hard.. like, I think
-       * I may have to dynamically look up the entry points in
-       * the instance of NSPR already going in the application.
-       *
-       * I know that *we* always specify routines, so this only
-       * comes up if someone is using NSS to create their own
-       * PCKS#11 modules for other products.  Oh, heck, I'll 
-       * worry about this then.
-       */
-      rv = CKR_CANT_LOCK;
-      goto loser;
-    }
-
-    if( 0 == count ) {
-      /*
-       * With the above test out of the way, we know this is case
-       * #1 in the description of C_Initialize: this library will
-       * not be called in a multithreaded way.
-       */
-
-      nssstub_LockingState = SingleThreaded;
-    } else {
-      /*
-       * We know that we're in either case #3 or #4 in the description
-       * of C_Initialize.  Case #3 says we should use the specified
-       * functions, case #4 cays we can use either the specified ones
-       * or the OS ones.  I'll use the specified ones.
-       */
-      nssstub_LockingState = MultiThreaded;
-    }
-
-    loser:
-    *returned = nssstub_LockingState;
-    return rv;
-}
-
-/*
- * Do not use NSPR stubs for MinGW because they can't resolve references
- * to the _imp__PR_XXX symbols.  This is merely an expedient hack and not
- * the right solution.
- */
-#if !(defined(WIN32) && defined(__GNUC__))
-#include "prlock.h"
-PR_IMPLEMENT(PRLock *)
-PR_NewLock(void) {
-	PRLock *lock = NULL;
-	NSSCKFWMutex *mlock = NULL;
-	CK_RV error;
-
-	mlock = nssCKFWMutex_Create(nssstub_pInitArgs,nssstub_LockingState,nssstub_arena,&error);
-	lock = (PRLock *)mlock;
-
-	/* if we don't have a lock, nssCKFWMutex can deal with things */
-	if (lock == NULL) lock=(PRLock *) 1;
-	return lock;
-}
-
-PR_IMPLEMENT(void) 
-PR_DestroyLock(PRLock *lock) {
-	NSSCKFWMutex *mlock = (NSSCKFWMutex *)lock;
-	if (lock == (PRLock *)1) return;
-	nssCKFWMutex_Destroy(mlock);
-}
-
-PR_IMPLEMENT(void) 
-PR_Lock(PRLock *lock) {
-	NSSCKFWMutex *mlock = (NSSCKFWMutex *)lock;
-	if (lock == (PRLock *)1) return;
-	nssCKFWMutex_Lock(mlock);
-}
-
-PR_IMPLEMENT(PRStatus) 
-PR_Unlock(PRLock *lock) {
-	NSSCKFWMutex *mlock = (NSSCKFWMutex *)lock;
-	if (lock == (PRLock *)1) return PR_SUCCESS;
-	nssCKFWMutex_Unlock(mlock);
-	return PR_SUCCESS;
-}
-
-#ifdef notdef
-#endif
-/* this implementation is here to satisfy the PRMonitor use in plarena.c.
-** It appears that it doesn't need re-entrant locks.  It could have used
-** PRLock instead of PRMonitor.  So, this implementation just uses 
-** PRLock for a PRMonitor.
-*/
-PR_IMPLEMENT(PRMonitor*) 
-PR_NewMonitor(void)
-{
-    return (PRMonitor *) PR_NewLock();
-}
-
-
-PR_IMPLEMENT(void) 
-PR_EnterMonitor(PRMonitor *mon)
-{
-    PR_Lock( (PRLock *)mon );
-}
-
-PR_IMPLEMENT(PRStatus) 
-PR_ExitMonitor(PRMonitor *mon)
-{
-    return PR_Unlock( (PRLock *)mon );
-}
-
-#include "prinit.h"
-
-/* This is NOT threadsafe.  It is merely a pseudo-functional stub.
-*/
-PR_IMPLEMENT(PRStatus) PR_CallOnce(
-    PRCallOnceType *once,
-    PRCallOnceFN    func)
-{
-    /* This is not really atomic! */
-    if (1 == PR_AtomicIncrement(&once->initialized)) {
-	once->status = (*func)();
-    }  else {
-    	/* Should wait to be sure that func has finished before returning. */
-    }
-    return once->status;
-}
-
-/*
-** Compute the log of the least power of 2 greater than or equal to n
-*/
-PRIntn PR_CeilingLog2(PRUint32 i) {
-	PRIntn log2;
-	PR_CEILING_LOG2(log2,i);
-	return log2;
-}
-#endif /* ! (WIN32 && GCC) */
-
-/********************** end of arena functions ***********************/
-
diff --git a/security/nss/lib/ckfw/nssck.api b/security/nss/lib/ckfw/nssck.api
deleted file mode 100644
index d0b15ff45..000000000
--- a/security/nss/lib/ckfw/nssck.api
+++ /dev/null
@@ -1,1890 +0,0 @@
-/* THIS IS A GENERATED FILE */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char NSSCKAPI_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ ; @(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * nssck.api
- *
- * This automatically-generated file is used to generate a set of
- * Cryptoki entry points within the object space of a Module using
- * the NSS Cryptoki Framework.
- *
- * The Module should have a .c file with the following:
- *
- *  #define MODULE_NAME name
- *  #define INSTANCE_NAME instance
- *  #include "nssck.api"
- *
- * where "name" is some module-specific name that can be used to
- * disambiguate various modules.  This included file will then
- * define the actual Cryptoki routines which pass through to the
- * Framework calls.  All routines, except C_GetFunctionList, will
- * be prefixed with the name; C_GetFunctionList will be generated
- * to return an entry-point vector with these routines.  The
- * instance specified should be the basic instance of NSSCKMDInstance.
- *
- * If, prior to including nssck.api, the .c file also specifies
- *
- *  #define DECLARE_STRICT_CRYTPOKI_NAMES
- *
- * Then a set of "stub" routines not prefixed with the name will
- * be included.  This would allow the combined module and framework
- * to be used in applications which are hard-coded to use the
- * PKCS#11 names (instead of going through the EPV).  Please note
- * that such applications should be careful resolving symbols when
- * more than one PKCS#11 module is loaded.
- */
-
-#ifndef MODULE_NAME
-#error "Error: MODULE_NAME must be defined."
-#endif /* MODULE_NAME */
-
-#ifndef INSTANCE_NAME
-#error "Error: INSTANCE_NAME must be defined."
-#endif /* INSTANCE_NAME */
-
-#ifndef NSSCKT_H
-#include "nssckt.h"
-#endif /* NSSCKT_H */
-
-#ifndef NSSCKFWT_H
-#include "nssckfwt.h"
-#endif /* NSSCKFWT_H */
-
-#ifndef NSSCKFWC_H
-#include "nssckfwc.h"
-#endif /* NSSCKFWC_H */
-
-#ifndef NSSCKEPV_H
-#include "nssckepv.h"
-#endif /* NSSCKEPV_H */
-
-#define ADJOIN(x,y) x##y
-
-#define __ADJOIN(x,y) ADJOIN(x,y)
-
-/*
- * The anchor.  This object is used to store an "anchor" pointer in
- * the Module's object space, so the wrapper functions can relate
- * back to this instance.
- */
-
-static NSSCKFWInstance *fwInstance = (NSSCKFWInstance *)0;
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_Initialize)
-(
-  CK_VOID_PTR pInitArgs
-)
-{
-  return NSSCKFWC_Initialize(&fwInstance, INSTANCE_NAME, pInitArgs);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY 
-C_Initialize
-(
-  CK_VOID_PTR pInitArgs
-)
-{
-  return __ADJOIN(MODULE_NAME,C_Initialize)(pInitArgs);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_Finalize)
-(
-  CK_VOID_PTR pReserved
-)
-{
-  return NSSCKFWC_Finalize(&fwInstance);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_Finalize
-(
-  CK_VOID_PTR pReserved
-)
-{
-  return __ADJOIN(MODULE_NAME,C_Finalize)(pReserved);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_GetInfo)
-(
-  CK_INFO_PTR pInfo
-)
-{
-  return NSSCKFWC_GetInfo(fwInstance, pInfo);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_GetInfo
-(
-  CK_INFO_PTR pInfo
-)
-{
-  return __ADJOIN(MODULE_NAME,C_GetInfo)(pInfo);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-/*
- * C_GetFunctionList is defined at the end.
- */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_GetSlotList)
-(
-  CK_BBOOL tokenPresent,
-  CK_SLOT_ID_PTR pSlotList,
-  CK_ULONG_PTR pulCount
-)
-{
-  return NSSCKFWC_GetSlotList(fwInstance, tokenPresent, pSlotList, pulCount);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_GetSlotList
-(
-  CK_BBOOL tokenPresent,
-  CK_SLOT_ID_PTR pSlotList,
-  CK_ULONG_PTR pulCount
-)
-{
-  return __ADJOIN(MODULE_NAME,C_GetSlotList)(tokenPresent, pSlotList, pulCount);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_GetSlotInfo)
-(
-  CK_SLOT_ID slotID,
-  CK_SLOT_INFO_PTR pInfo
-)
-{
-  return NSSCKFWC_GetSlotInfo(fwInstance, slotID, pInfo);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_GetSlotInfo
-(
-  CK_SLOT_ID slotID,
-  CK_SLOT_INFO_PTR pInfo
-)
-{
-  return __ADJOIN(MODULE_NAME,C_GetSlotInfo)(slotID, pInfo);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_GetTokenInfo)
-(
-  CK_SLOT_ID slotID,
-  CK_TOKEN_INFO_PTR pInfo
-)
-{
-  return NSSCKFWC_GetTokenInfo(fwInstance, slotID, pInfo);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_GetTokenInfo
-(
-  CK_SLOT_ID slotID,
-  CK_TOKEN_INFO_PTR pInfo
-)
-{
-  return __ADJOIN(MODULE_NAME,C_GetTokenInfo)(slotID, pInfo);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_GetMechanismList)
-(
-  CK_SLOT_ID slotID,
-  CK_MECHANISM_TYPE_PTR pMechanismList,
-  CK_ULONG_PTR pulCount
-)
-{
-  return NSSCKFWC_GetMechanismList(fwInstance, slotID, pMechanismList, pulCount);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_GetMechanismList
-(
-  CK_SLOT_ID slotID,
-  CK_MECHANISM_TYPE_PTR pMechanismList,
-  CK_ULONG_PTR pulCount
-)
-{
-  return __ADJOIN(MODULE_NAME,C_GetMechanismList)(slotID, pMechanismList, pulCount);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_GetMechanismInfo)
-(
-  CK_SLOT_ID slotID,
-  CK_MECHANISM_TYPE type,
-  CK_MECHANISM_INFO_PTR pInfo
-)
-{
-  return NSSCKFWC_GetMechanismInfo(fwInstance, slotID, type, pInfo);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_GetMechanismInfo
-(
-  CK_SLOT_ID slotID,
-  CK_MECHANISM_TYPE type,
-  CK_MECHANISM_INFO_PTR pInfo
-)
-{
-  return __ADJOIN(MODULE_NAME,C_GetMechanismInfo)(slotID, type, pInfo);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_InitToken)
-(
-  CK_SLOT_ID slotID,
-  CK_CHAR_PTR pPin,
-  CK_ULONG ulPinLen,
-  CK_CHAR_PTR pLabel
-)
-{
-  return NSSCKFWC_InitToken(fwInstance, slotID, pPin, ulPinLen, pLabel);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_InitToken
-(
-  CK_SLOT_ID slotID,
-  CK_CHAR_PTR pPin,
-  CK_ULONG ulPinLen,
-  CK_CHAR_PTR pLabel
-)
-{
-  return __ADJOIN(MODULE_NAME,C_InitToken)(slotID, pPin, ulPinLen, pLabel);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_InitPIN)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_CHAR_PTR pPin,
-  CK_ULONG ulPinLen
-)
-{
-  return NSSCKFWC_InitPIN(fwInstance, hSession, pPin, ulPinLen);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_InitPIN
-(
-  CK_SESSION_HANDLE hSession,
-  CK_CHAR_PTR pPin,
-  CK_ULONG ulPinLen
-)
-{
-  return __ADJOIN(MODULE_NAME,C_InitPIN)(hSession, pPin, ulPinLen);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_SetPIN)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_CHAR_PTR pOldPin,
-  CK_ULONG ulOldLen,
-  CK_CHAR_PTR pNewPin,
-  CK_ULONG ulNewLen
-)
-{
-  return NSSCKFWC_SetPIN(fwInstance, hSession, pOldPin, ulOldLen, pNewPin, ulNewLen);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_SetPIN
-(
-  CK_SESSION_HANDLE hSession,
-  CK_CHAR_PTR pOldPin,
-  CK_ULONG ulOldLen,
-  CK_CHAR_PTR pNewPin,
-  CK_ULONG ulNewLen
-)
-{
-  return __ADJOIN(MODULE_NAME,C_SetPIN)(hSession, pOldPin, ulOldLen, pNewPin, ulNewLen);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_OpenSession)
-(
-  CK_SLOT_ID slotID,
-  CK_FLAGS flags,
-  CK_VOID_PTR pApplication,
-  CK_NOTIFY Notify,
-  CK_SESSION_HANDLE_PTR phSession
-)
-{
-  return NSSCKFWC_OpenSession(fwInstance, slotID, flags, pApplication, Notify, phSession);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_OpenSession
-(
-  CK_SLOT_ID slotID,
-  CK_FLAGS flags,
-  CK_VOID_PTR pApplication,
-  CK_NOTIFY Notify,
-  CK_SESSION_HANDLE_PTR phSession
-)
-{
-  return __ADJOIN(MODULE_NAME,C_OpenSession)(slotID, flags, pApplication, Notify, phSession);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_CloseSession)
-(
-  CK_SESSION_HANDLE hSession
-)
-{
-  return NSSCKFWC_CloseSession(fwInstance, hSession);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_CloseSession
-(
-  CK_SESSION_HANDLE hSession
-)
-{
-  return __ADJOIN(MODULE_NAME,C_CloseSession)(hSession);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_CloseAllSessions)
-(
-  CK_SLOT_ID slotID
-)
-{
-  return NSSCKFWC_CloseAllSessions(fwInstance, slotID);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_CloseAllSessions
-(
-  CK_SLOT_ID slotID
-)
-{
-  return __ADJOIN(MODULE_NAME,C_CloseAllSessions)(slotID);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_GetSessionInfo)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_SESSION_INFO_PTR pInfo
-)
-{
-  return NSSCKFWC_GetSessionInfo(fwInstance, hSession, pInfo);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_GetSessionInfo
-(
-  CK_SESSION_HANDLE hSession,
-  CK_SESSION_INFO_PTR pInfo
-)
-{
-  return __ADJOIN(MODULE_NAME,C_GetSessionInfo)(hSession, pInfo);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_GetOperationState)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pOperationState,
-  CK_ULONG_PTR pulOperationStateLen
-)
-{
-  return NSSCKFWC_GetOperationState(fwInstance, hSession, pOperationState, pulOperationStateLen);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_GetOperationState
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pOperationState,
-  CK_ULONG_PTR pulOperationStateLen
-)
-{
-  return __ADJOIN(MODULE_NAME,C_GetOperationState)(hSession, pOperationState, pulOperationStateLen);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_SetOperationState)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pOperationState,
-  CK_ULONG ulOperationStateLen,
-  CK_OBJECT_HANDLE hEncryptionKey,
-  CK_OBJECT_HANDLE hAuthenticationKey
-)
-{
-  return NSSCKFWC_SetOperationState(fwInstance, hSession, pOperationState, ulOperationStateLen, hEncryptionKey, hAuthenticationKey);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_SetOperationState
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pOperationState,
-  CK_ULONG ulOperationStateLen,
-  CK_OBJECT_HANDLE hEncryptionKey,
-  CK_OBJECT_HANDLE hAuthenticationKey
-)
-{
-  return __ADJOIN(MODULE_NAME,C_SetOperationState)(hSession, pOperationState, ulOperationStateLen, hEncryptionKey, hAuthenticationKey);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_Login)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_USER_TYPE userType,
-  CK_CHAR_PTR pPin,
-  CK_ULONG ulPinLen
-)
-{
-  return NSSCKFWC_Login(fwInstance, hSession, userType, pPin, ulPinLen);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_Login
-(
-  CK_SESSION_HANDLE hSession,
-  CK_USER_TYPE userType,
-  CK_CHAR_PTR pPin,
-  CK_ULONG ulPinLen
-)
-{
-  return __ADJOIN(MODULE_NAME,C_Login)(hSession, userType, pPin, ulPinLen);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_Logout)
-(
-  CK_SESSION_HANDLE hSession
-)
-{
-  return NSSCKFWC_Logout(fwInstance, hSession);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_Logout
-(
-  CK_SESSION_HANDLE hSession
-)
-{
-  return __ADJOIN(MODULE_NAME,C_Logout)(hSession);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_CreateObject)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulCount,
-  CK_OBJECT_HANDLE_PTR phObject
-)
-{
-  return NSSCKFWC_CreateObject(fwInstance, hSession, pTemplate, ulCount, phObject);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_CreateObject
-(
-  CK_SESSION_HANDLE hSession,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulCount,
-  CK_OBJECT_HANDLE_PTR phObject
-)
-{
-  return __ADJOIN(MODULE_NAME,C_CreateObject)(hSession, pTemplate, ulCount, phObject);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_CopyObject)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE hObject,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulCount,
-  CK_OBJECT_HANDLE_PTR phNewObject
-)
-{
-  return NSSCKFWC_CopyObject(fwInstance, hSession, hObject, pTemplate, ulCount, phNewObject);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_CopyObject
-(
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE hObject,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulCount,
-  CK_OBJECT_HANDLE_PTR phNewObject
-)
-{
-  return __ADJOIN(MODULE_NAME,C_CopyObject)(hSession, hObject, pTemplate, ulCount, phNewObject);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_DestroyObject)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE hObject
-)
-{
-  return NSSCKFWC_DestroyObject(fwInstance, hSession, hObject);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_DestroyObject
-(
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE hObject
-)
-{
-  return __ADJOIN(MODULE_NAME,C_DestroyObject)(hSession, hObject);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_GetObjectSize)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE hObject,
-  CK_ULONG_PTR pulSize
-)
-{
-  return NSSCKFWC_GetObjectSize(fwInstance, hSession, hObject, pulSize);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_GetObjectSize
-(
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE hObject,
-  CK_ULONG_PTR pulSize
-)
-{
-  return __ADJOIN(MODULE_NAME,C_GetObjectSize)(hSession, hObject, pulSize);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_GetAttributeValue)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE hObject,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulCount
-)
-{
-  return NSSCKFWC_GetAttributeValue(fwInstance, hSession, hObject, pTemplate, ulCount);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_GetAttributeValue
-(
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE hObject,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulCount
-)
-{
-  return __ADJOIN(MODULE_NAME,C_GetAttributeValue)(hSession, hObject, pTemplate, ulCount);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_SetAttributeValue)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE hObject,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulCount
-)
-{
-  return NSSCKFWC_SetAttributeValue(fwInstance, hSession, hObject, pTemplate, ulCount);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_SetAttributeValue
-(
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE hObject,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulCount
-)
-{
-  return __ADJOIN(MODULE_NAME,C_SetAttributeValue)(hSession, hObject, pTemplate, ulCount);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_FindObjectsInit)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulCount
-)
-{
-  return NSSCKFWC_FindObjectsInit(fwInstance, hSession, pTemplate, ulCount);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_FindObjectsInit
-(
-  CK_SESSION_HANDLE hSession,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulCount
-)
-{
-  return __ADJOIN(MODULE_NAME,C_FindObjectsInit)(hSession, pTemplate, ulCount);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_FindObjects)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE_PTR phObject,
-  CK_ULONG ulMaxObjectCount,
-  CK_ULONG_PTR pulObjectCount
-)
-{
-  return NSSCKFWC_FindObjects(fwInstance, hSession, phObject, ulMaxObjectCount, pulObjectCount);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_FindObjects
-(
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE_PTR phObject,
-  CK_ULONG ulMaxObjectCount,
-  CK_ULONG_PTR pulObjectCount
-)
-{
-  return __ADJOIN(MODULE_NAME,C_FindObjects)(hSession, phObject, ulMaxObjectCount, pulObjectCount);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_FindObjectsFinal)
-(
-  CK_SESSION_HANDLE hSession
-)
-{
-  return NSSCKFWC_FindObjectsFinal(fwInstance, hSession);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_FindObjectsFinal
-(
-  CK_SESSION_HANDLE hSession
-)
-{
-  return __ADJOIN(MODULE_NAME,C_FindObjectsFinal)(hSession);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_EncryptInit)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hKey
-)
-{
-  return NSSCKFWC_EncryptInit(fwInstance, hSession, pMechanism, hKey);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_EncryptInit
-(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hKey
-)
-{
-  return __ADJOIN(MODULE_NAME,C_EncryptInit)(hSession, pMechanism, hKey);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_Encrypt)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pData,
-  CK_ULONG ulDataLen,
-  CK_BYTE_PTR pEncryptedData,
-  CK_ULONG_PTR pulEncryptedDataLen
-)
-{
-  return NSSCKFWC_Encrypt(fwInstance, hSession, pData, ulDataLen, pEncryptedData, pulEncryptedDataLen);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_Encrypt
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pData,
-  CK_ULONG ulDataLen,
-  CK_BYTE_PTR pEncryptedData,
-  CK_ULONG_PTR pulEncryptedDataLen
-)
-{
-  return __ADJOIN(MODULE_NAME,C_Encrypt)(hSession, pData, ulDataLen, pEncryptedData, pulEncryptedDataLen);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_EncryptUpdate)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pPart,
-  CK_ULONG ulPartLen,
-  CK_BYTE_PTR pEncryptedPart,
-  CK_ULONG_PTR pulEncryptedPartLen
-)
-{
-  return NSSCKFWC_EncryptUpdate(fwInstance, hSession, pPart, ulPartLen, pEncryptedPart, pulEncryptedPartLen);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_EncryptUpdate
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pPart,
-  CK_ULONG ulPartLen,
-  CK_BYTE_PTR pEncryptedPart,
-  CK_ULONG_PTR pulEncryptedPartLen
-)
-{
-  return __ADJOIN(MODULE_NAME,C_EncryptUpdate)(hSession, pPart, ulPartLen, pEncryptedPart, pulEncryptedPartLen);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_EncryptFinal)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pLastEncryptedPart,
-  CK_ULONG_PTR pulLastEncryptedPartLen
-)
-{
-  return NSSCKFWC_EncryptFinal(fwInstance, hSession, pLastEncryptedPart, pulLastEncryptedPartLen);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_EncryptFinal
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pLastEncryptedPart,
-  CK_ULONG_PTR pulLastEncryptedPartLen
-)
-{
-  return __ADJOIN(MODULE_NAME,C_EncryptFinal)(hSession, pLastEncryptedPart, pulLastEncryptedPartLen);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_DecryptInit)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hKey
-)
-{
-  return NSSCKFWC_DecryptInit(fwInstance, hSession, pMechanism, hKey);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_DecryptInit
-(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hKey
-)
-{
-  return __ADJOIN(MODULE_NAME,C_DecryptInit)(hSession, pMechanism, hKey);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_Decrypt)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pEncryptedData,
-  CK_ULONG ulEncryptedDataLen,
-  CK_BYTE_PTR pData,
-  CK_ULONG_PTR pulDataLen
-)
-{
-  return NSSCKFWC_Decrypt(fwInstance, hSession, pEncryptedData, ulEncryptedDataLen, pData, pulDataLen);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_Decrypt
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pEncryptedData,
-  CK_ULONG ulEncryptedDataLen,
-  CK_BYTE_PTR pData,
-  CK_ULONG_PTR pulDataLen
-)
-{
-  return __ADJOIN(MODULE_NAME,C_Decrypt)(hSession, pEncryptedData, ulEncryptedDataLen, pData, pulDataLen);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_DecryptUpdate)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pEncryptedPart,
-  CK_ULONG ulEncryptedPartLen,
-  CK_BYTE_PTR pPart,
-  CK_ULONG_PTR pulPartLen
-)
-{
-  return NSSCKFWC_DecryptUpdate(fwInstance, hSession, pEncryptedPart, ulEncryptedPartLen, pPart, pulPartLen);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_DecryptUpdate
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pEncryptedPart,
-  CK_ULONG ulEncryptedPartLen,
-  CK_BYTE_PTR pPart,
-  CK_ULONG_PTR pulPartLen
-)
-{
-  return __ADJOIN(MODULE_NAME,C_DecryptUpdate)(hSession, pEncryptedPart, ulEncryptedPartLen, pPart, pulPartLen);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_DecryptFinal)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pLastPart,
-  CK_ULONG_PTR pulLastPartLen
-)
-{
-  return NSSCKFWC_DecryptFinal(fwInstance, hSession, pLastPart, pulLastPartLen);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_DecryptFinal
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pLastPart,
-  CK_ULONG_PTR pulLastPartLen
-)
-{
-  return __ADJOIN(MODULE_NAME,C_DecryptFinal)(hSession, pLastPart, pulLastPartLen);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_DigestInit)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism
-)
-{
-  return NSSCKFWC_DigestInit(fwInstance, hSession, pMechanism);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_DigestInit
-(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism
-)
-{
-  return __ADJOIN(MODULE_NAME,C_DigestInit)(hSession, pMechanism);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_Digest)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pData,
-  CK_ULONG ulDataLen,
-  CK_BYTE_PTR pDigest,
-  CK_ULONG_PTR pulDigestLen
-)
-{
-  return NSSCKFWC_Digest(fwInstance, hSession, pData, ulDataLen, pDigest, pulDigestLen);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_Digest
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pData,
-  CK_ULONG ulDataLen,
-  CK_BYTE_PTR pDigest,
-  CK_ULONG_PTR pulDigestLen
-)
-{
-  return __ADJOIN(MODULE_NAME,C_Digest)(hSession, pData, ulDataLen, pDigest, pulDigestLen);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_DigestUpdate)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pPart,
-  CK_ULONG ulPartLen
-)
-{
-  return NSSCKFWC_DigestUpdate(fwInstance, hSession, pPart, ulPartLen);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_DigestUpdate
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pPart,
-  CK_ULONG ulPartLen
-)
-{
-  return __ADJOIN(MODULE_NAME,C_DigestUpdate)(hSession, pPart, ulPartLen);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_DigestKey)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE hKey
-)
-{
-  return NSSCKFWC_DigestKey(fwInstance, hSession, hKey);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_DigestKey
-(
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE hKey
-)
-{
-  return __ADJOIN(MODULE_NAME,C_DigestKey)(hSession, hKey);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_DigestFinal)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pDigest,
-  CK_ULONG_PTR pulDigestLen
-)
-{
-  return NSSCKFWC_DigestFinal(fwInstance, hSession, pDigest, pulDigestLen);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_DigestFinal
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pDigest,
-  CK_ULONG_PTR pulDigestLen
-)
-{
-  return __ADJOIN(MODULE_NAME,C_DigestFinal)(hSession, pDigest, pulDigestLen);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_SignInit)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hKey
-)
-{
-  return NSSCKFWC_SignInit(fwInstance, hSession, pMechanism, hKey);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_SignInit
-(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hKey
-)
-{
-  return __ADJOIN(MODULE_NAME,C_SignInit)(hSession, pMechanism, hKey);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_Sign)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pData,
-  CK_ULONG ulDataLen,
-  CK_BYTE_PTR pSignature,
-  CK_ULONG_PTR pulSignatureLen
-)
-{
-  return NSSCKFWC_Sign(fwInstance, hSession, pData, ulDataLen, pSignature, pulSignatureLen);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_Sign
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pData,
-  CK_ULONG ulDataLen,
-  CK_BYTE_PTR pSignature,
-  CK_ULONG_PTR pulSignatureLen
-)
-{
-  return __ADJOIN(MODULE_NAME,C_Sign)(hSession, pData, ulDataLen, pSignature, pulSignatureLen);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_SignUpdate)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pPart,
-  CK_ULONG ulPartLen
-)
-{
-  return NSSCKFWC_SignUpdate(fwInstance, hSession, pPart, ulPartLen);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_SignUpdate
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pPart,
-  CK_ULONG ulPartLen
-)
-{
-  return __ADJOIN(MODULE_NAME,C_SignUpdate)(hSession, pPart, ulPartLen);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_SignFinal)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pSignature,
-  CK_ULONG_PTR pulSignatureLen
-)
-{
-  return NSSCKFWC_SignFinal(fwInstance, hSession, pSignature, pulSignatureLen);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_SignFinal
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pSignature,
-  CK_ULONG_PTR pulSignatureLen
-)
-{
-  return __ADJOIN(MODULE_NAME,C_SignFinal)(hSession, pSignature, pulSignatureLen);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_SignRecoverInit)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hKey
-)
-{
-  return NSSCKFWC_SignRecoverInit(fwInstance, hSession, pMechanism, hKey);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_SignRecoverInit
-(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hKey
-)
-{
-  return __ADJOIN(MODULE_NAME,C_SignRecoverInit)(hSession, pMechanism, hKey);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_SignRecover)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pData,
-  CK_ULONG ulDataLen,
-  CK_BYTE_PTR pSignature,
-  CK_ULONG_PTR pulSignatureLen
-)
-{
-  return NSSCKFWC_SignRecover(fwInstance, hSession, pData, ulDataLen, pSignature, pulSignatureLen);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_SignRecover
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pData,
-  CK_ULONG ulDataLen,
-  CK_BYTE_PTR pSignature,
-  CK_ULONG_PTR pulSignatureLen
-)
-{
-  return __ADJOIN(MODULE_NAME,C_SignRecover)(hSession, pData, ulDataLen, pSignature, pulSignatureLen);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_VerifyInit)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hKey
-)
-{
-  return NSSCKFWC_VerifyInit(fwInstance, hSession, pMechanism, hKey);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_VerifyInit
-(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hKey
-)
-{
-  return __ADJOIN(MODULE_NAME,C_VerifyInit)(hSession, pMechanism, hKey);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_Verify)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pData,
-  CK_ULONG ulDataLen,
-  CK_BYTE_PTR pSignature,
-  CK_ULONG ulSignatureLen
-)
-{
-  return NSSCKFWC_Verify(fwInstance, hSession, pData, ulDataLen, pSignature, ulSignatureLen);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_Verify
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pData,
-  CK_ULONG ulDataLen,
-  CK_BYTE_PTR pSignature,
-  CK_ULONG ulSignatureLen
-)
-{
-  return __ADJOIN(MODULE_NAME,C_Verify)(hSession, pData, ulDataLen, pSignature, ulSignatureLen);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_VerifyUpdate)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pPart,
-  CK_ULONG ulPartLen
-)
-{
-  return NSSCKFWC_VerifyUpdate(fwInstance, hSession, pPart, ulPartLen);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_VerifyUpdate
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pPart,
-  CK_ULONG ulPartLen
-)
-{
-  return __ADJOIN(MODULE_NAME,C_VerifyUpdate)(hSession, pPart, ulPartLen);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_VerifyFinal)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pSignature,
-  CK_ULONG ulSignatureLen
-)
-{
-  return NSSCKFWC_VerifyFinal(fwInstance, hSession, pSignature, ulSignatureLen);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_VerifyFinal
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pSignature,
-  CK_ULONG ulSignatureLen
-)
-{
-  return __ADJOIN(MODULE_NAME,C_VerifyFinal)(hSession, pSignature, ulSignatureLen);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_VerifyRecoverInit)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hKey
-)
-{
-  return NSSCKFWC_VerifyRecoverInit(fwInstance, hSession, pMechanism, hKey);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_VerifyRecoverInit
-(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hKey
-)
-{
-  return __ADJOIN(MODULE_NAME,C_VerifyRecoverInit)(hSession, pMechanism, hKey);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_VerifyRecover)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pSignature,
-  CK_ULONG ulSignatureLen,
-  CK_BYTE_PTR pData,
-  CK_ULONG_PTR pulDataLen
-)
-{
-  return NSSCKFWC_VerifyRecover(fwInstance, hSession, pSignature, ulSignatureLen, pData, pulDataLen);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_VerifyRecover
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pSignature,
-  CK_ULONG ulSignatureLen,
-  CK_BYTE_PTR pData,
-  CK_ULONG_PTR pulDataLen
-)
-{
-  return __ADJOIN(MODULE_NAME,C_VerifyRecover)(hSession, pSignature, ulSignatureLen, pData, pulDataLen);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_DigestEncryptUpdate)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pPart,
-  CK_ULONG ulPartLen,
-  CK_BYTE_PTR pEncryptedPart,
-  CK_ULONG_PTR pulEncryptedPartLen
-)
-{
-  return NSSCKFWC_DigestEncryptUpdate(fwInstance, hSession, pPart, ulPartLen, pEncryptedPart, pulEncryptedPartLen);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_DigestEncryptUpdate
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pPart,
-  CK_ULONG ulPartLen,
-  CK_BYTE_PTR pEncryptedPart,
-  CK_ULONG_PTR pulEncryptedPartLen
-)
-{
-  return __ADJOIN(MODULE_NAME,C_DigestEncryptUpdate)(hSession, pPart, ulPartLen, pEncryptedPart, pulEncryptedPartLen);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_DecryptDigestUpdate)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pEncryptedPart,
-  CK_ULONG ulEncryptedPartLen,
-  CK_BYTE_PTR pPart,
-  CK_ULONG_PTR pulPartLen
-)
-{
-  return NSSCKFWC_DecryptDigestUpdate(fwInstance, hSession, pEncryptedPart, ulEncryptedPartLen, pPart, pulPartLen);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_DecryptDigestUpdate
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pEncryptedPart,
-  CK_ULONG ulEncryptedPartLen,
-  CK_BYTE_PTR pPart,
-  CK_ULONG_PTR pulPartLen
-)
-{
-  return __ADJOIN(MODULE_NAME,C_DecryptDigestUpdate)(hSession, pEncryptedPart, ulEncryptedPartLen, pPart, pulPartLen);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_SignEncryptUpdate)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pPart,
-  CK_ULONG ulPartLen,
-  CK_BYTE_PTR pEncryptedPart,
-  CK_ULONG_PTR pulEncryptedPartLen
-)
-{
-  return NSSCKFWC_SignEncryptUpdate(fwInstance, hSession, pPart, ulPartLen, pEncryptedPart, pulEncryptedPartLen);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_SignEncryptUpdate
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pPart,
-  CK_ULONG ulPartLen,
-  CK_BYTE_PTR pEncryptedPart,
-  CK_ULONG_PTR pulEncryptedPartLen
-)
-{
-  return __ADJOIN(MODULE_NAME,C_SignEncryptUpdate)(hSession, pPart, ulPartLen, pEncryptedPart, pulEncryptedPartLen);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_DecryptVerifyUpdate)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pEncryptedPart,
-  CK_ULONG ulEncryptedPartLen,
-  CK_BYTE_PTR pPart,
-  CK_ULONG_PTR pulPartLen
-)
-{
-  return NSSCKFWC_DecryptVerifyUpdate(fwInstance, hSession, pEncryptedPart, ulEncryptedPartLen, pPart, pulPartLen);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_DecryptVerifyUpdate
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pEncryptedPart,
-  CK_ULONG ulEncryptedPartLen,
-  CK_BYTE_PTR pPart,
-  CK_ULONG_PTR pulPartLen
-)
-{
-  return __ADJOIN(MODULE_NAME,C_DecryptVerifyUpdate)(hSession, pEncryptedPart, ulEncryptedPartLen, pPart, pulPartLen);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_GenerateKey)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulCount,
-  CK_OBJECT_HANDLE_PTR phKey
-)
-{
-  return NSSCKFWC_GenerateKey(fwInstance, hSession, pMechanism, pTemplate, ulCount, phKey);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_GenerateKey
-(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulCount,
-  CK_OBJECT_HANDLE_PTR phKey
-)
-{
-  return __ADJOIN(MODULE_NAME,C_GenerateKey)(hSession, pMechanism, pTemplate, ulCount, phKey);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_GenerateKeyPair)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_ATTRIBUTE_PTR pPublicKeyTemplate,
-  CK_ULONG ulPublicKeyAttributeCount,
-  CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
-  CK_ULONG ulPrivateKeyAttributeCount,
-  CK_OBJECT_HANDLE_PTR phPublicKey,
-  CK_OBJECT_HANDLE_PTR phPrivateKey
-)
-{
-  return NSSCKFWC_GenerateKeyPair(fwInstance, hSession, pMechanism, pPublicKeyTemplate, ulPublicKeyAttributeCount, pPrivateKeyTemplate, ulPrivateKeyAttributeCount, phPublicKey, phPrivateKey);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_GenerateKeyPair
-(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_ATTRIBUTE_PTR pPublicKeyTemplate,
-  CK_ULONG ulPublicKeyAttributeCount,
-  CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
-  CK_ULONG ulPrivateKeyAttributeCount,
-  CK_OBJECT_HANDLE_PTR phPublicKey,
-  CK_OBJECT_HANDLE_PTR phPrivateKey
-)
-{
-  return __ADJOIN(MODULE_NAME,C_GenerateKeyPair)(hSession, pMechanism, pPublicKeyTemplate, ulPublicKeyAttributeCount, pPrivateKeyTemplate, ulPrivateKeyAttributeCount, phPublicKey, phPrivateKey);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_WrapKey)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hWrappingKey,
-  CK_OBJECT_HANDLE hKey,
-  CK_BYTE_PTR pWrappedKey,
-  CK_ULONG_PTR pulWrappedKeyLen
-)
-{
-  return NSSCKFWC_WrapKey(fwInstance, hSession, pMechanism, hWrappingKey, hKey, pWrappedKey, pulWrappedKeyLen);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_WrapKey
-(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hWrappingKey,
-  CK_OBJECT_HANDLE hKey,
-  CK_BYTE_PTR pWrappedKey,
-  CK_ULONG_PTR pulWrappedKeyLen
-)
-{
-  return __ADJOIN(MODULE_NAME,C_WrapKey)(hSession, pMechanism, hWrappingKey, hKey, pWrappedKey, pulWrappedKeyLen);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_UnwrapKey)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hUnwrappingKey,
-  CK_BYTE_PTR pWrappedKey,
-  CK_ULONG ulWrappedKeyLen,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_OBJECT_HANDLE_PTR phKey
-)
-{
-  return NSSCKFWC_UnwrapKey(fwInstance, hSession, pMechanism, hUnwrappingKey, pWrappedKey, ulWrappedKeyLen, pTemplate, ulAttributeCount, phKey);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_UnwrapKey
-(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hUnwrappingKey,
-  CK_BYTE_PTR pWrappedKey,
-  CK_ULONG ulWrappedKeyLen,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_OBJECT_HANDLE_PTR phKey
-)
-{
-  return __ADJOIN(MODULE_NAME,C_UnwrapKey)(hSession, pMechanism, hUnwrappingKey, pWrappedKey, ulWrappedKeyLen, pTemplate, ulAttributeCount, phKey);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_DeriveKey)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hBaseKey,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_OBJECT_HANDLE_PTR phKey
-)
-{
-  return NSSCKFWC_DeriveKey(fwInstance, hSession, pMechanism, hBaseKey, pTemplate, ulAttributeCount, phKey);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_DeriveKey
-(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hBaseKey,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_OBJECT_HANDLE_PTR phKey
-)
-{
-  return __ADJOIN(MODULE_NAME,C_DeriveKey)(hSession, pMechanism, hBaseKey, pTemplate, ulAttributeCount, phKey);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_SeedRandom)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pSeed,
-  CK_ULONG ulSeedLen
-)
-{
-  return NSSCKFWC_SeedRandom(fwInstance, hSession, pSeed, ulSeedLen);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_SeedRandom
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pSeed,
-  CK_ULONG ulSeedLen
-)
-{
-  return __ADJOIN(MODULE_NAME,C_SeedRandom)(hSession, pSeed, ulSeedLen);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_GenerateRandom)
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR RandomData,
-  CK_ULONG ulRandomLen
-)
-{
-  return NSSCKFWC_GenerateRandom(fwInstance, hSession, RandomData, ulRandomLen);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_GenerateRandom
-(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR RandomData,
-  CK_ULONG ulRandomLen
-)
-{
-  return __ADJOIN(MODULE_NAME,C_GenerateRandom)(hSession, RandomData, ulRandomLen);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_GetFunctionStatus)
-(
-  CK_SESSION_HANDLE hSession
-)
-{
-  return NSSCKFWC_GetFunctionStatus(fwInstance, hSession);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_GetFunctionStatus
-(
-  CK_SESSION_HANDLE hSession
-)
-{
-  return __ADJOIN(MODULE_NAME,C_GetFunctionStatus)(hSession);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_CancelFunction)
-(
-  CK_SESSION_HANDLE hSession
-)
-{
-  return NSSCKFWC_CancelFunction(fwInstance, hSession);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_CancelFunction
-(
-  CK_SESSION_HANDLE hSession
-)
-{
-  return __ADJOIN(MODULE_NAME,C_CancelFunction)(hSession);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_WaitForSlotEvent)
-(
-  CK_FLAGS flags,
-  CK_SLOT_ID_PTR pSlot,
-  CK_VOID_PTR pRserved
-)
-{
-  return NSSCKFWC_WaitForSlotEvent(fwInstance, flags, pSlot, pRserved);
-}
-
-#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
-CK_RV CK_ENTRY
-C_WaitForSlotEvent
-(
-  CK_FLAGS flags,
-  CK_SLOT_ID_PTR pSlot,
-  CK_VOID_PTR pRserved
-)
-{
-  return __ADJOIN(MODULE_NAME,C_WaitForSlotEvent)(flags, pSlot, pRserved);
-}
-#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_GetFunctionList)
-(
-  CK_FUNCTION_LIST_PTR_PTR ppFunctionList
-);
-
-static CK_FUNCTION_LIST FunctionList = {
-  { 2, 1 },
-__ADJOIN(MODULE_NAME,C_Initialize),
-__ADJOIN(MODULE_NAME,C_Finalize),
-__ADJOIN(MODULE_NAME,C_GetInfo),
-__ADJOIN(MODULE_NAME,C_GetFunctionList),
-__ADJOIN(MODULE_NAME,C_GetSlotList),
-__ADJOIN(MODULE_NAME,C_GetSlotInfo),
-__ADJOIN(MODULE_NAME,C_GetTokenInfo),
-__ADJOIN(MODULE_NAME,C_GetMechanismList),
-__ADJOIN(MODULE_NAME,C_GetMechanismInfo),
-__ADJOIN(MODULE_NAME,C_InitToken),
-__ADJOIN(MODULE_NAME,C_InitPIN),
-__ADJOIN(MODULE_NAME,C_SetPIN),
-__ADJOIN(MODULE_NAME,C_OpenSession),
-__ADJOIN(MODULE_NAME,C_CloseSession),
-__ADJOIN(MODULE_NAME,C_CloseAllSessions),
-__ADJOIN(MODULE_NAME,C_GetSessionInfo),
-__ADJOIN(MODULE_NAME,C_GetOperationState),
-__ADJOIN(MODULE_NAME,C_SetOperationState),
-__ADJOIN(MODULE_NAME,C_Login),
-__ADJOIN(MODULE_NAME,C_Logout),
-__ADJOIN(MODULE_NAME,C_CreateObject),
-__ADJOIN(MODULE_NAME,C_CopyObject),
-__ADJOIN(MODULE_NAME,C_DestroyObject),
-__ADJOIN(MODULE_NAME,C_GetObjectSize),
-__ADJOIN(MODULE_NAME,C_GetAttributeValue),
-__ADJOIN(MODULE_NAME,C_SetAttributeValue),
-__ADJOIN(MODULE_NAME,C_FindObjectsInit),
-__ADJOIN(MODULE_NAME,C_FindObjects),
-__ADJOIN(MODULE_NAME,C_FindObjectsFinal),
-__ADJOIN(MODULE_NAME,C_EncryptInit),
-__ADJOIN(MODULE_NAME,C_Encrypt),
-__ADJOIN(MODULE_NAME,C_EncryptUpdate),
-__ADJOIN(MODULE_NAME,C_EncryptFinal),
-__ADJOIN(MODULE_NAME,C_DecryptInit),
-__ADJOIN(MODULE_NAME,C_Decrypt),
-__ADJOIN(MODULE_NAME,C_DecryptUpdate),
-__ADJOIN(MODULE_NAME,C_DecryptFinal),
-__ADJOIN(MODULE_NAME,C_DigestInit),
-__ADJOIN(MODULE_NAME,C_Digest),
-__ADJOIN(MODULE_NAME,C_DigestUpdate),
-__ADJOIN(MODULE_NAME,C_DigestKey),
-__ADJOIN(MODULE_NAME,C_DigestFinal),
-__ADJOIN(MODULE_NAME,C_SignInit),
-__ADJOIN(MODULE_NAME,C_Sign),
-__ADJOIN(MODULE_NAME,C_SignUpdate),
-__ADJOIN(MODULE_NAME,C_SignFinal),
-__ADJOIN(MODULE_NAME,C_SignRecoverInit),
-__ADJOIN(MODULE_NAME,C_SignRecover),
-__ADJOIN(MODULE_NAME,C_VerifyInit),
-__ADJOIN(MODULE_NAME,C_Verify),
-__ADJOIN(MODULE_NAME,C_VerifyUpdate),
-__ADJOIN(MODULE_NAME,C_VerifyFinal),
-__ADJOIN(MODULE_NAME,C_VerifyRecoverInit),
-__ADJOIN(MODULE_NAME,C_VerifyRecover),
-__ADJOIN(MODULE_NAME,C_DigestEncryptUpdate),
-__ADJOIN(MODULE_NAME,C_DecryptDigestUpdate),
-__ADJOIN(MODULE_NAME,C_SignEncryptUpdate),
-__ADJOIN(MODULE_NAME,C_DecryptVerifyUpdate),
-__ADJOIN(MODULE_NAME,C_GenerateKey),
-__ADJOIN(MODULE_NAME,C_GenerateKeyPair),
-__ADJOIN(MODULE_NAME,C_WrapKey),
-__ADJOIN(MODULE_NAME,C_UnwrapKey),
-__ADJOIN(MODULE_NAME,C_DeriveKey),
-__ADJOIN(MODULE_NAME,C_SeedRandom),
-__ADJOIN(MODULE_NAME,C_GenerateRandom),
-__ADJOIN(MODULE_NAME,C_GetFunctionStatus),
-__ADJOIN(MODULE_NAME,C_CancelFunction),
-__ADJOIN(MODULE_NAME,C_WaitForSlotEvent)
-};
-
-static CK_RV CK_ENTRY
-__ADJOIN(MODULE_NAME,C_GetFunctionList)
-(
-  CK_FUNCTION_LIST_PTR_PTR ppFunctionList
-)
-{
-  *ppFunctionList = &FunctionList;
-  return CKR_OK;
-}
-
-/* This one is always present */
-CK_RV CK_ENTRY
-C_GetFunctionList
-(
-  CK_FUNCTION_LIST_PTR_PTR ppFunctionList
-)
-{
-  return __ADJOIN(MODULE_NAME,C_GetFunctionList)(ppFunctionList);
-}
-
-#undef __ADJOIN
-
diff --git a/security/nss/lib/ckfw/nssckepv.h b/security/nss/lib/ckfw/nssckepv.h
deleted file mode 100644
index c65260829..000000000
--- a/security/nss/lib/ckfw/nssckepv.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/* THIS IS A GENERATED FILE */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#ifndef NSSCKEPV_H
-#define NSSCKEPV_H
-
-#include "pkcs11.h"
-
-#endif /* NSSCKEPV_H */
diff --git a/security/nss/lib/ckfw/nssckft.h b/security/nss/lib/ckfw/nssckft.h
deleted file mode 100644
index 506992c3f..000000000
--- a/security/nss/lib/ckfw/nssckft.h
+++ /dev/null
@@ -1,43 +0,0 @@
-/* THIS IS A GENERATED FILE */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef _NSSCKFT_H_
-#define _NSSCKFT_H_ 1
-
-#include "pkcs11t.h"
-
-#endif /* _NSSCKFT_H_ */
diff --git a/security/nss/lib/ckfw/nssckfw.h b/security/nss/lib/ckfw/nssckfw.h
deleted file mode 100644
index 02a8e834d..000000000
--- a/security/nss/lib/ckfw/nssckfw.h
+++ /dev/null
@@ -1,513 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef NSSCKFW_H
-#define NSSCKFW_H
-
-#ifdef DEBUG
-static const char NSSCKFW_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * nssckfw.h
- *
- * This file prototypes the publicly available calls of the 
- * NSS Cryptoki Framework.
- */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-#ifndef NSSCKT_H
-#include "nssckt.h"
-#endif /* NSSCKT_H */
-
-#ifndef NSSCKFWT_H
-#include "nssckfwt.h"
-#endif /* NSSCKFWT_H */
-
-/*
- * NSSCKFWInstance
- *
- *  NSSCKFWInstance_GetMDInstance
- *  NSSCKFWInstance_GetArena
- *  NSSCKFWInstance_MayCreatePthreads
- *  NSSCKFWInstance_CreateMutex
- *  NSSCKFWInstance_GetConfigurationData
- */
-
-/*
- * NSSCKFWInstance_GetMDInstance
- *
- */
-
-NSS_EXTERN NSSCKMDInstance *
-NSSCKFWInstance_GetMDInstance
-(
-  NSSCKFWInstance *fwInstance
-);
-
-/*
- * NSSCKFWInstance_GetArena
- *
- */
-
-NSS_EXTERN NSSArena *
-NSSCKFWInstance_GetArena
-(
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-);
-
-/*
- * NSSCKFWInstance_MayCreatePthreads
- *
- */
-
-NSS_EXTERN CK_BBOOL
-NSSCKFWInstance_MayCreatePthreads
-(
-  NSSCKFWInstance *fwInstance
-);
-
-/*
- * NSSCKFWInstance_CreateMutex
- *
- */
-
-NSS_EXTERN NSSCKFWMutex *
-NSSCKFWInstance_CreateMutex
-(
-  NSSCKFWInstance *fwInstance,
-  NSSArena *arena,
-  CK_RV *pError
-);
-
-/*
- * NSSCKFWInstance_GetConfigurationData
- *
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSCKFWInstance_GetConfigurationData
-(
-  NSSCKFWInstance *fwInstance
-);
-
-/*
- * NSSCKFWInstance_GetInitArgs
- *
- */
-
-NSS_EXTERN CK_C_INITIALIZE_ARGS_PTR
-NSSCKFWInstance_GetInitArgs
-(
-  NSSCKFWInstance *fwInstance
-);
-
-/*
- * NSSCKFWSlot
- *
- *  NSSCKFWSlot_GetMDSlot
- *  NSSCKFWSlot_GetFWInstance
- *  NSSCKFWSlot_GetMDInstance
- *
- */
-
-/*
- * NSSCKFWSlot_GetMDSlot
- *
- */
-
-NSS_EXTERN NSSCKMDSlot *
-NSSCKFWSlot_GetMDSlot
-(
-  NSSCKFWSlot *fwSlot
-);
-
-/*
- * NSSCKFWSlot_GetFWInstance
- *
- */
-
-NSS_EXTERN NSSCKFWInstance *
-NSSCKFWSlot_GetFWInstance
-(
-  NSSCKFWSlot *fwSlot
-);
-
-/*
- * NSSCKFWSlot_GetMDInstance
- *
- */
-
-NSS_EXTERN NSSCKMDInstance *
-NSSCKFWSlot_GetMDInstance
-(
-  NSSCKFWSlot *fwSlot
-);
-
-/*
- * NSSCKFWToken
- *
- *  NSSCKFWToken_GetMDToken
- *  NSSCKFWToken_GetFWSlot
- *  NSSCKFWToken_GetMDSlot
- *  NSSCKFWToken_GetSessionState
- *
- */
-
-/*
- * NSSCKFWToken_GetMDToken
- *
- */
-
-NSS_EXTERN NSSCKMDToken *
-NSSCKFWToken_GetMDToken
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * NSSCKFWToken_GetArena
- *
- */
-
-NSS_EXTERN NSSArena *
-NSSCKFWToken_GetArena
-(
-  NSSCKFWToken *fwToken,
-  CK_RV *pError
-);
-
-/*
- * NSSCKFWToken_GetFWSlot
- *
- */
-
-NSS_EXTERN NSSCKFWSlot *
-NSSCKFWToken_GetFWSlot
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * NSSCKFWToken_GetMDSlot
- *
- */
-
-NSS_EXTERN NSSCKMDSlot *
-NSSCKFWToken_GetMDSlot
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * NSSCKFWToken_GetSessionState
- *
- */
-
-NSS_EXTERN CK_STATE
-NSSCKFWSession_GetSessionState
-(
-  NSSCKFWToken *fwToken
-);
-
-/*
- * NSSCKFWMechanism
- *
- *  NSSKCFWMechanism_GetMDMechanism
- *  NSSCKFWMechanism_GetParameter
- *
- */
-
-/*
- * NSSKCFWMechanism_GetMDMechanism
- *
- */
-
-NSS_EXTERN NSSCKMDMechanism *
-NSSCKFWMechanism_GetMDMechanism
-(
-  NSSCKFWMechanism *fwMechanism
-);
-
-/*
- * NSSCKFWMechanism_GetParameter
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCKFWMechanism_GetParameter
-(
-  NSSCKFWMechanism *fwMechanism
-);
-
-/*
- * NSSCKFWSession
- *
- *  NSSCKFWSession_GetMDSession
- *  NSSCKFWSession_GetArena
- *  NSSCKFWSession_CallNotification
- *  NSSCKFWSession_IsRWSession
- *  NSSCKFWSession_IsSO
- *
- */
-
-/*
- * NSSCKFWSession_GetMDSession
- *
- */
-
-NSS_EXTERN NSSCKMDSession *
-NSSCKFWSession_GetMDSession
-(
-  NSSCKFWSession *fwSession
-);
-
-/*
- * NSSCKFWSession_GetArena
- *
- */
-
-NSS_EXTERN NSSArena *
-NSSCKFWSession_GetArena
-(
-  NSSCKFWSession *fwSession,
-  CK_RV *pError
-);
-
-/*
- * NSSCKFWSession_CallNotification
- *
- */
-
-NSS_EXTERN CK_RV
-NSSCKFWSession_CallNotification
-(
-  NSSCKFWSession *fwSession,
-  CK_NOTIFICATION event
-);
-
-/*
- * NSSCKFWSession_IsRWSession
- *
- */
-
-NSS_EXTERN CK_BBOOL
-NSSCKFWSession_IsRWSession
-(
-  NSSCKFWSession *fwSession
-);
-
-/*
- * NSSCKFWSession_IsSO
- *
- */
-
-NSS_EXTERN CK_BBOOL
-NSSCKFWSession_IsSO
-(
-  NSSCKFWSession *fwSession
-);
-
-/*
- * NSSCKFWObject
- *
- *  NSSCKFWObject_GetMDObject
- *  NSSCKFWObject_GetArena
- *  NSSCKFWObject_IsTokenObject
- *  NSSCKFWObject_GetAttributeCount
- *  NSSCKFWObject_GetAttributeTypes
- *  NSSCKFWObject_GetAttributeSize
- *  NSSCKFWObject_GetAttribute
- *  NSSCKFWObject_GetObjectSize
- */
-
-/*
- * NSSCKFWObject_GetMDObject
- *
- */
-NSS_EXTERN NSSCKMDObject *
-NSSCKFWObject_GetMDObject
-(
-  NSSCKFWObject *fwObject
-);
-
-/*
- * NSSCKFWObject_GetArena
- *
- */
-NSS_EXTERN NSSArena *
-NSSCKFWObject_GetArena
-(
-  NSSCKFWObject *fwObject,
-  CK_RV *pError
-);
-
-/*
- * NSSCKFWObject_IsTokenObject
- *
- */
-NSS_EXTERN CK_BBOOL
-NSSCKFWObject_IsTokenObject
-(
-  NSSCKFWObject *fwObject
-);
-
-/*
- * NSSCKFWObject_GetAttributeCount
- *
- */
-NSS_EXTERN CK_ULONG
-NSSCKFWObject_GetAttributeCount
-(
-  NSSCKFWObject *fwObject,
-  CK_RV *pError
-);
-
-/*
- * NSSCKFWObject_GetAttributeTypes
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWObject_GetAttributeTypes
-(
-  NSSCKFWObject *fwObject,
-  CK_ATTRIBUTE_TYPE_PTR typeArray,
-  CK_ULONG ulCount
-);
-
-/*
- * NSSCKFWObject_GetAttributeSize
- *
- */
-NSS_EXTERN CK_ULONG
-NSSCKFWObject_GetAttributeSize
-(
-  NSSCKFWObject *fwObject,
-  CK_ATTRIBUTE_TYPE attribute,
-  CK_RV *pError
-);
-
-/*
- * NSSCKFWObject_GetAttribute
- *
- */
-NSS_EXTERN NSSItem *
-NSSCKFWObject_GetAttribute
-(
-  NSSCKFWObject *fwObject,
-  CK_ATTRIBUTE_TYPE attribute,
-  NSSItem *itemOpt,
-  NSSArena *arenaOpt,
-  CK_RV *pError
-);
-
-/*
- * NSSCKFWObject_GetObjectSize
- *
- */
-NSS_EXTERN CK_ULONG
-NSSCKFWObject_GetObjectSize
-(
-  NSSCKFWObject *fwObject,
-  CK_RV *pError
-);
-
-/*
- * NSSCKFWFindObjects
- *
- *  NSSCKFWFindObjects_GetMDFindObjects
- *
- */
-
-/*
- * NSSCKFWFindObjects_GetMDFindObjects
- *
- */
-
-NSS_EXTERN NSSCKMDFindObjects *
-NSSCKFWFindObjects_GetMDFindObjects
-(
-  NSSCKFWFindObjects *
-);
-
-/*
- * NSSCKFWMutex
- *
- *  NSSCKFWMutex_Destroy
- *  NSSCKFWMutex_Lock
- *  NSSCKFWMutex_Unlock
- *
- */
-
-/*
- * NSSCKFWMutex_Destroy
- *
- */
-
-NSS_EXTERN CK_RV
-NSSCKFWMutex_Destroy
-(
-  NSSCKFWMutex *mutex
-);
-
-/*
- * NSSCKFWMutex_Lock
- *
- */
-
-NSS_EXTERN CK_RV
-NSSCKFWMutex_Lock
-(
-  NSSCKFWMutex *mutex
-);
-
-/*
- * NSSCKFWMutex_Unlock
- *
- */
-
-NSS_EXTERN CK_RV
-NSSCKFWMutex_Unlock
-(
-  NSSCKFWMutex *mutex
-);
-
-#endif /* NSSCKFW_H */
-
diff --git a/security/nss/lib/ckfw/nssckfwc.h b/security/nss/lib/ckfw/nssckfwc.h
deleted file mode 100644
index 965fb2a02..000000000
--- a/security/nss/lib/ckfw/nssckfwc.h
+++ /dev/null
@@ -1,1049 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef NSSCKFWC_H
-#define NSSCKFWC_H
-
-#ifdef DEBUG
-static const char NSSCKFWC_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * nssckfwc.h
- *
- * This file prototypes all of the NSS Cryptoki Framework "wrapper" 
- * which implement the PKCS#11 API.  Technically, these are public
- * routines (with capital "NSS" prefixes), since they are called
- * from (generated) code within a Module using the Framework.
- * However, they should not be called except from those generated
- * calls.  Hence, the prototypes have been split out into this file.
- */
-
-#ifndef NSSCKT_H
-#include "nssckt.h"
-#endif /* NSSCKT_H */
-
-#ifndef NSSCKFWT_H
-#include "nssckfwt.h"
-#endif /* NSSCKFWT_H */
-
-#ifndef NSSCKMDT_H
-#include "nssckmdt.h"
-#endif /* NSSCKMDT_H */
-
-/*
- * NSSCKFWC_Initialize
- * NSSCKFWC_Finalize
- * NSSCKFWC_GetInfo
- * -- NSSCKFWC_GetFunctionList -- see the API insert file
- * NSSCKFWC_GetSlotList
- * NSSCKFWC_GetSlotInfo
- * NSSCKFWC_GetTokenInfo
- * NSSCKFWC_WaitForSlotEvent
- * NSSCKFWC_GetMechanismList
- * NSSCKFWC_GetMechanismInfo
- * NSSCKFWC_InitToken
- * NSSCKFWC_InitPIN
- * NSSCKFWC_SetPIN
- * NSSCKFWC_OpenSession
- * NSSCKFWC_CloseSession
- * NSSCKFWC_CloseAllSessions
- * NSSCKFWC_GetSessionInfo
- * NSSCKFWC_GetOperationState
- * NSSCKFWC_SetOperationState
- * NSSCKFWC_Login
- * NSSCKFWC_Logout
- * NSSCKFWC_CreateObject
- * NSSCKFWC_CopyObject
- * NSSCKFWC_DestroyObject
- * NSSCKFWC_GetObjectSize
- * NSSCKFWC_GetAttributeValue
- * NSSCKFWC_SetAttributeValue
- * NSSCKFWC_FindObjectsInit
- * NSSCKFWC_FindObjects
- * NSSCKFWC_FindObjectsFinal
- * NSSCKFWC_EncryptInit
- * NSSCKFWC_Encrypt
- * NSSCKFWC_EncryptUpdate
- * NSSCKFWC_EncryptFinal
- * NSSCKFWC_DecryptInit
- * NSSCKFWC_Decrypt
- * NSSCKFWC_DecryptUpdate
- * NSSCKFWC_DecryptFinal
- * NSSCKFWC_DigestInit
- * NSSCKFWC_Digest
- * NSSCKFWC_DigestUpdate
- * NSSCKFWC_DigestKey
- * NSSCKFWC_DigestFinal
- * NSSCKFWC_SignInit
- * NSSCKFWC_Sign
- * NSSCKFWC_SignUpdate
- * NSSCKFWC_SignFinal
- * NSSCKFWC_SignRecoverInit
- * NSSCKFWC_SignRecover
- * NSSCKFWC_VerifyInit
- * NSSCKFWC_Verify
- * NSSCKFWC_VerifyUpdate
- * NSSCKFWC_VerifyFinal
- * NSSCKFWC_VerifyRecoverInit
- * NSSCKFWC_VerifyRecover
- * NSSCKFWC_DigestEncryptUpdate
- * NSSCKFWC_DecryptDigestUpdate
- * NSSCKFWC_SignEncryptUpdate
- * NSSCKFWC_DecryptVerifyUpdate
- * NSSCKFWC_GenerateKey
- * NSSCKFWC_GenerateKeyPair
- * NSSCKFWC_WrapKey
- * NSSCKFWC_UnwrapKey
- * NSSCKFWC_DeriveKey
- * NSSCKFWC_SeedRandom
- * NSSCKFWC_GenerateRandom
- * NSSCKFWC_GetFunctionStatus
- * NSSCKFWC_CancelFunction
- */
-
-/*
- * NSSCKFWC_Initialize
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_Initialize
-(
-  NSSCKFWInstance **pFwInstance,
-  NSSCKMDInstance *mdInstance,
-  CK_VOID_PTR pInitArgs
-);
-
-/*
- * NSSCKFWC_Finalize
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_Finalize
-(
-  NSSCKFWInstance **pFwInstance
-);
-
-/*
- * NSSCKFWC_GetInfo
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_GetInfo
-(
-  NSSCKFWInstance *fwInstance,
-  CK_INFO_PTR pInfo
-);
-  
-/*
- * C_GetFunctionList is implemented entirely in the Module's file which
- * includes the Framework API insert file.  It requires no "actual"
- * NSSCKFW routine.
- */
-
-/*
- * NSSCKFWC_GetSlotList
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_GetSlotList
-(
-  NSSCKFWInstance *fwInstance,
-  CK_BBOOL tokenPresent,
-  CK_SLOT_ID_PTR pSlotList,
-  CK_ULONG_PTR pulCount
-);
- 
-/*
- * NSSCKFWC_GetSlotInfo
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_GetSlotInfo
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SLOT_ID slotID,
-  CK_SLOT_INFO_PTR pInfo
-);
-
-/*
- * NSSCKFWC_GetTokenInfo
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_GetTokenInfo
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SLOT_ID slotID,
-  CK_TOKEN_INFO_PTR pInfo
-);
-
-/*
- * NSSCKFWC_WaitForSlotEvent
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_WaitForSlotEvent
-(
-  NSSCKFWInstance *fwInstance,
-  CK_FLAGS flags,
-  CK_SLOT_ID_PTR pSlot,
-  CK_VOID_PTR pReserved
-);
-
-/*
- * NSSCKFWC_GetMechanismList
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_GetMechanismList
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SLOT_ID slotID,
-  CK_MECHANISM_TYPE_PTR pMechanismList,
-  CK_ULONG_PTR pulCount
-);
-
-/*
- * NSSCKFWC_GetMechanismInfo
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_GetMechanismInfo
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SLOT_ID slotID,
-  CK_MECHANISM_TYPE type,
-  CK_MECHANISM_INFO_PTR pInfo
-);
-
-/*
- * NSSCKFWC_InitToken
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_InitToken
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SLOT_ID slotID,
-  CK_CHAR_PTR pPin,
-  CK_ULONG ulPinLen,
-  CK_CHAR_PTR pLabel
-);
-
-/*
- * NSSCKFWC_InitPIN
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_InitPIN
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_CHAR_PTR pPin,
-  CK_ULONG ulPinLen
-);
-
-/*
- * NSSCKFWC_SetPIN
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_SetPIN
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_CHAR_PTR pOldPin,
-  CK_ULONG ulOldLen,
-  CK_CHAR_PTR pNewPin,
-  CK_ULONG ulNewLen
-);
-
-/*
- * NSSCKFWC_OpenSession
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_OpenSession
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SLOT_ID slotID,
-  CK_FLAGS flags,
-  CK_VOID_PTR pApplication,
-  CK_NOTIFY Notify,
-  CK_SESSION_HANDLE_PTR phSession
-);
-
-/*
- * NSSCKFWC_CloseSession
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_CloseSession
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession
-);
-
-/*
- * NSSCKFWC_CloseAllSessions
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_CloseAllSessions
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SLOT_ID slotID
-);
-
-/*
- * NSSCKFWC_GetSessionInfo
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_GetSessionInfo
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_SESSION_INFO_PTR pInfo
-);
-
-/*
- * NSSCKFWC_GetOperationState
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_GetOperationState
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pOperationState,
-  CK_ULONG_PTR pulOperationStateLen
-);
-
-/*
- * NSSCKFWC_SetOperationState
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_SetOperationState
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pOperationState,
-  CK_ULONG ulOperationStateLen,
-  CK_OBJECT_HANDLE hEncryptionKey,
-  CK_OBJECT_HANDLE hAuthenticationKey
-);
-
-/*
- * NSSCKFWC_Login
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_Login
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_USER_TYPE userType,
-  CK_CHAR_PTR pPin,
-  CK_ULONG ulPinLen
-);
-
-/*
- * NSSCKFWC_Logout
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_Logout
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession
-);
-
-/*
- * NSSCKFWC_CreateObject
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_CreateObject
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulCount,
-  CK_OBJECT_HANDLE_PTR phObject
-);
-
-/*
- * NSSCKFWC_CopyObject
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_CopyObject
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE hObject,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulCount,
-  CK_OBJECT_HANDLE_PTR phNewObject
-);
-
-/*
- * NSSCKFWC_DestroyObject
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_DestroyObject
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE hObject
-);
-
-/*
- * NSSCKFWC_GetObjectSize
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_GetObjectSize
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE hObject,
-  CK_ULONG_PTR pulSize
-);
-
-/*
- * NSSCKFWC_GetAttributeValue
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_GetAttributeValue
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE hObject,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulCount
-);
-  
-/*
- * NSSCKFWC_SetAttributeValue
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_SetAttributeValue
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE hObject,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulCount
-);
-
-/*
- * NSSCKFWC_FindObjectsInit
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_FindObjectsInit
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulCount
-);
-
-/*
- * NSSCKFWC_FindObjects
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_FindObjects
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE_PTR phObject,
-  CK_ULONG ulMaxObjectCount,
-  CK_ULONG_PTR pulObjectCount
-);
-
-/*
- * NSSCKFWC_FindObjectsFinal
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_FindObjectsFinal
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession
-);
-
-/*
- * NSSCKFWC_EncryptInit
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_EncryptInit
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hKey
-);
-
-/*
- * NSSCKFWC_Encrypt
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_Encrypt
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pData,
-  CK_ULONG ulDataLen,
-  CK_BYTE_PTR pEncryptedData,
-  CK_ULONG_PTR pulEncryptedDataLen
-);
-
-/*
- * NSSCKFWC_EncryptUpdate
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_EncryptUpdate
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pPart,
-  CK_ULONG ulPartLen,
-  CK_BYTE_PTR pEncryptedPart,
-  CK_ULONG_PTR pulEncryptedPartLen
-);
-
-/*
- * NSSCKFWC_EncryptFinal
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_EncryptFinal
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pLastEncryptedPart,
-  CK_ULONG_PTR pulLastEncryptedPartLen
-);
-
-/*
- * NSSCKFWC_DecryptInit
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_DecryptInit
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hKey
-);
-
-/*
- * NSSCKFWC_Decrypt
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_Decrypt
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pEncryptedData,
-  CK_ULONG ulEncryptedDataLen,
-  CK_BYTE_PTR pData,
-  CK_ULONG_PTR pulDataLen
-);
-
-/*
- * NSSCKFWC_DecryptUpdate
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_DecryptUpdate
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pEncryptedPart,
-  CK_ULONG ulEncryptedPartLen,
-  CK_BYTE_PTR pPart,
-  CK_ULONG_PTR pulPartLen
-);
-
-/*
- * NSSCKFWC_DecryptFinal
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_DecryptFinal
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pLastPart,
-  CK_ULONG_PTR pulLastPartLen
-);
-
-/*
- * NSSCKFWC_DigestInit
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_DigestInit
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism
-);
-
-/*
- * NSSCKFWC_Digest
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_Digest
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pData,
-  CK_ULONG ulDataLen,
-  CK_BYTE_PTR pDigest,
-  CK_ULONG_PTR pulDigestLen
-);
-
-/*
- * NSSCKFWC_DigestUpdate
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_DigestUpdate
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pData,
-  CK_ULONG ulDataLen
-);
-
-/*
- * NSSCKFWC_DigestKey
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_DigestKey
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE hKey
-);
-
-/*
- * NSSCKFWC_DigestFinal
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_DigestFinal
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pDigest,
-  CK_ULONG_PTR pulDigestLen
-);
-
-/*
- * NSSCKFWC_SignInit
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_SignInit
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hKey
-);
-
-/*
- * NSSCKFWC_Sign
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_Sign
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pData,
-  CK_ULONG ulDataLen,
-  CK_BYTE_PTR pSignature,
-  CK_ULONG_PTR pulSignatureLen
-);
-
-/*
- * NSSCKFWC_SignUpdate
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_SignUpdate
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pPart,
-  CK_ULONG ulPartLen
-);
-
-/*
- * NSSCKFWC_SignFinal
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_SignFinal
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pSignature,
-  CK_ULONG_PTR pulSignatureLen
-);
-
-/*
- * NSSCKFWC_SignRecoverInit
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_SignRecoverInit
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hKey
-);
-
-/*
- * NSSCKFWC_SignRecover
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_SignRecover
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pData,
-  CK_ULONG ulDataLen,
-  CK_BYTE_PTR pSignature,
-  CK_ULONG_PTR pulSignatureLen
-);
-
-/*
- * NSSCKFWC_VerifyInit
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_VerifyInit
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hKey
-);
-
-/*
- * NSSCKFWC_Verify
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_Verify
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pData,
-  CK_ULONG ulDataLen,
-  CK_BYTE_PTR pSignature,
-  CK_ULONG ulSignatureLen
-);
-
-/*
- * NSSCKFWC_VerifyUpdate
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_VerifyUpdate
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pPart,
-  CK_ULONG ulPartLen
-);
-
-/*
- * NSSCKFWC_VerifyFinal
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_VerifyFinal
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pSignature,
-  CK_ULONG ulSignatureLen
-);
-
-/*
- * NSSCKFWC_VerifyRecoverInit
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_VerifyRecoverInit
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hKey
-);
-
-/*
- * NSSCKFWC_VerifyRecover
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_VerifyRecover
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pSignature,
-  CK_ULONG ulSignatureLen,
-  CK_BYTE_PTR pData,
-  CK_ULONG_PTR pulDataLen
-);
-
-/*
- * NSSCKFWC_DigestEncryptUpdate
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_DigestEncryptUpdate
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pPart,
-  CK_ULONG ulPartLen,
-  CK_BYTE_PTR pEncryptedPart,
-  CK_ULONG_PTR pulEncryptedPartLen
-);
-
-/*
- * NSSCKFWC_DecryptDigestUpdate
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_DecryptDigestUpdate
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pEncryptedPart,
-  CK_ULONG ulEncryptedPartLen,
-  CK_BYTE_PTR pPart,
-  CK_ULONG_PTR pulPartLen
-);
-
-/*
- * NSSCKFWC_SignEncryptUpdate
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_SignEncryptUpdate
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pPart,
-  CK_ULONG ulPartLen,
-  CK_BYTE_PTR pEncryptedPart,
-  CK_ULONG_PTR pulEncryptedPartLen
-);
-
-/*
- * NSSCKFWC_DecryptVerifyUpdate
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_DecryptVerifyUpdate
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pEncryptedPart,
-  CK_ULONG ulEncryptedPartLen,
-  CK_BYTE_PTR pPart,
-  CK_ULONG_PTR pulPartLen
-);
-
-/*
- * NSSCKFWC_GenerateKey
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_GenerateKey
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulCount,
-  CK_OBJECT_HANDLE_PTR phKey
-);
-
-/*
- * NSSCKFWC_GenerateKeyPair
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_GenerateKeyPair
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_ATTRIBUTE_PTR pPublicKeyTemplate,
-  CK_ULONG ulPublicKeyAttributeCount,
-  CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
-  CK_ULONG ulPrivateKeyAttributeCount,
-  CK_OBJECT_HANDLE_PTR phPublicKey,
-  CK_OBJECT_HANDLE_PTR phPrivateKey
-);
-
-/*
- * NSSCKFWC_WrapKey
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_WrapKey
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hWrappingKey,
-  CK_OBJECT_HANDLE hKey,
-  CK_BYTE_PTR pWrappedKey,
-  CK_ULONG_PTR pulWrappedKeyLen
-);
-
-/*
- * NSSCKFWC_UnwrapKey
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_UnwrapKey
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hUnwrappingKey,
-  CK_BYTE_PTR pWrappedKey,
-  CK_ULONG ulWrappedKeyLen,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_OBJECT_HANDLE_PTR phKey
-);
-
-/*
- * NSSCKFWC_DeriveKey
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_DeriveKey
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hBaseKey,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_OBJECT_HANDLE_PTR phKey
-);
-
-/*
- * NSSCKFWC_SeedRandom
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_SeedRandom
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pSeed,
-  CK_ULONG ulSeedLen
-);
-
-/*
- * NSSCKFWC_GenerateRandom
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_GenerateRandom
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pRandomData,
-  CK_ULONG ulRandomLen
-);
-
-/*
- * NSSCKFWC_GetFunctionStatus
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_GetFunctionStatus
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession
-);
-
-/*
- * NSSCKFWC_CancelFunction
- *
- */
-NSS_EXTERN CK_RV
-NSSCKFWC_CancelFunction
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession
-);
-
-#endif /* NSSCKFWC_H */
diff --git a/security/nss/lib/ckfw/nssckfwt.h b/security/nss/lib/ckfw/nssckfwt.h
deleted file mode 100644
index cad97325c..000000000
--- a/security/nss/lib/ckfw/nssckfwt.h
+++ /dev/null
@@ -1,119 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef NSSCKFWT_H
-#define NSSCKFWT_H
-
-#ifdef DEBUG
-static const char NSSCKFWT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * nssckfwt.h
- *
- * This file declares the public types used by the NSS Cryptoki Framework.
- */
-
-/*
- * NSSCKFWInstance
- *
- */
-
-struct NSSCKFWInstanceStr;
-typedef struct NSSCKFWInstanceStr NSSCKFWInstance;
-
-/*
- * NSSCKFWSlot
- *
- */
-
-struct NSSCKFWSlotStr;
-typedef struct NSSCKFWSlotStr NSSCKFWSlot;
-
-/*
- * NSSCKFWToken
- *
- */
-
-struct NSSCKFWTokenStr;
-typedef struct NSSCKFWTokenStr NSSCKFWToken;
-
-/*
- * NSSCKFWMechanism
- *
- */
-
-struct NSSCKFWMechanismStr;
-typedef struct NSSCKFWMechanismStr NSSCKFWMechanism;
-
-/*
- * NSSCKFWSession
- *
- */
-
-struct NSSCKFWSessionStr;
-typedef struct NSSCKFWSessionStr NSSCKFWSession;
-
-/*
- * NSSCKFWObject
- *
- */
-
-struct NSSCKFWObjectStr;
-typedef struct NSSCKFWObjectStr NSSCKFWObject;
-
-/*
- * NSSCKFWFindObjects
- *
- */
-
-struct NSSCKFWFindObjectsStr;
-typedef struct NSSCKFWFindObjectsStr NSSCKFWFindObjects;
-
-/*
- * NSSCKFWMutex
- *
- */
-
-struct NSSCKFWMutexStr;
-typedef struct NSSCKFWMutexStr NSSCKFWMutex;
-
-typedef enum {
-    SingleThreaded,
-    MultiThreaded
-} CryptokiLockingState ;
-
-#endif /* NSSCKFWT_H */
diff --git a/security/nss/lib/ckfw/nssckg.h b/security/nss/lib/ckfw/nssckg.h
deleted file mode 100644
index f6d55243c..000000000
--- a/security/nss/lib/ckfw/nssckg.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/* THIS IS A GENERATED FILE */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#ifndef NSSCKG_H
-#define NSSCKG_H
-
-#include "pkcs11.h"
-
-#endif /* NSSCKG_H */
diff --git a/security/nss/lib/ckfw/nssckmdt.h b/security/nss/lib/ckfw/nssckmdt.h
deleted file mode 100644
index 2825d8f90..000000000
--- a/security/nss/lib/ckfw/nssckmdt.h
+++ /dev/null
@@ -1,2039 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef NSSCKMDT_H
-#define NSSCKMDT_H
-
-#ifdef DEBUG
-static const char NSSCKMDT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * nssckmdt.h
- *
- * This file specifies the basic types that must be implemented by
- * any Module using the NSS Cryptoki Framework.
- */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-#ifndef NSSCKT_H
-#include "nssckt.h"
-#endif /* NSSCKT_H */
-
-#ifndef NSSCKFWT_H
-#include "nssckfwt.h"
-#endif /* NSSCKFWT_H */
-
-typedef struct NSSCKMDInstanceStr NSSCKMDInstance;
-typedef struct NSSCKMDSlotStr NSSCKMDSlot;
-typedef struct NSSCKMDTokenStr NSSCKMDToken;
-typedef struct NSSCKMDSessionStr NSSCKMDSession;
-typedef struct NSSCKMDFindObjectsStr NSSCKMDFindObjects;
-typedef struct NSSCKMDMechanismStr NSSCKMDMechanism;
-typedef struct NSSCKMDObjectStr NSSCKMDObject;
-
-/*
- * NSSCKFWItem
- *
- * This is a structure used by modules to return object attributes.
- * The needsFreeing bit indicates whether the object needs to be freed.
- * If so, the framework will call the FreeAttribute function on the item
- * after it is done using it.
- *
- */
-
-typedef struct {
-  PRBool needsFreeing;
-  NSSItem* item;
-} NSSCKFWItem ;
-
-/*
- * NSSCKMDInstance
- *
- * This is the basic handle for an instance of a PKCS#11 Module.
- * It is returned by the Module's CreateInstance routine, and
- * may be obtained from the corresponding NSSCKFWInstance object.
- * It contains a pointer for use by the Module, to store any
- * instance-related data, and it contains the EPV for a set of
- * routines which the Module may implement for use by the Framework.
- * Some of these routines are optional; others are mandatory.
- */
-
-struct NSSCKMDInstanceStr {
-  /*
-   * The Module may use this pointer for its own purposes.
-   */
-  void *etc;
-
-  /*
-   * This routine is called by the Framework to initialize
-   * the Module.  This routine is optional; if unimplemented,
-   * it won't be called.  If this routine returns an error,
-   * then the initialization will fail.
-   */
-  CK_RV (PR_CALLBACK *Initialize)(
-    NSSCKMDInstance *mdInstance,                                    
-    NSSCKFWInstance *fwInstance,
-    NSSUTF8 *configurationData
-  );
-
-  /*
-   * This routine is called when the Framework is finalizing
-   * the PKCS#11 Module.  It is the last thing called before
-   * the NSSCKFWInstance's NSSArena is destroyed.  This routine
-   * is optional; if unimplemented, it merely won't be called.
-   */
-  void (PR_CALLBACK *Finalize)(
-    NSSCKMDInstance *mdInstance,                                    
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine gets the number of slots.  This value must
-   * never change, once the instance is initialized.  This 
-   * routine must be implemented.  It may return zero on error.
-   */
-  CK_ULONG (PR_CALLBACK *GetNSlots)(
-    NSSCKMDInstance *mdInstance,                                    
-    NSSCKFWInstance *fwInstance,
-    CK_RV *pError
-  );
-
-  /*
-   * This routine returns the version of the Cryptoki standard
-   * to which this Module conforms.  This routine is optional;
-   * if unimplemented, the Framework uses the version to which
-   * ~it~ was implemented.
-   */
-  CK_VERSION (PR_CALLBACK *GetCryptokiVersion)(
-    NSSCKMDInstance *mdInstance,                                    
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine returns a pointer to a UTF8-encoded string
-   * containing the manufacturer ID for this Module.  Only
-   * the characters completely encoded in the first thirty-
-   * two bytes are significant.  This routine is optional.
-   * The string returned is never freed; if dynamically generated,
-   * the space for it should be allocated from the NSSArena
-   * that may be obtained from the NSSCKFWInstance.  This
-   * routine may return NULL upon error; however if *pError
-   * is CKR_OK, the NULL will be considered the valid response.
-   */
-  NSSUTF8 *(PR_CALLBACK *GetManufacturerID)(
-    NSSCKMDInstance *mdInstance,                                    
-    NSSCKFWInstance *fwInstance,
-    CK_RV *pError
-  );
-
-  /*
-   * This routine returns a pointer to a UTF8-encoded string
-   * containing a description of this Module library.  Only
-   * the characters completely encoded in the first thirty-
-   * two bytes are significant.  This routine is optional.
-   * The string returned is never freed; if dynamically generated,
-   * the space for it should be allocated from the NSSArena
-   * that may be obtained from the NSSCKFWInstance.  This
-   * routine may return NULL upon error; however if *pError
-   * is CKR_OK, the NULL will be considered the valid response.
-   */
-  NSSUTF8 *(PR_CALLBACK *GetLibraryDescription)(
-    NSSCKMDInstance *mdInstance,                                    
-    NSSCKFWInstance *fwInstance,
-    CK_RV *pError
-  );
-
-  /*
-   * This routine returns the version of this Module library.
-   * This routine is optional; if unimplemented, the Framework
-   * will assume a Module library version of 0.1.
-   */
-  CK_VERSION (PR_CALLBACK *GetLibraryVersion)(
-    NSSCKMDInstance *mdInstance,                                    
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine returns CK_TRUE if the Module wishes to
-   * handle session objects.  This routine is optional.
-   * If this routine is NULL, or if it exists but returns
-   * CK_FALSE, the Framework will assume responsibility
-   * for managing session objects.
-   */
-  CK_BBOOL (PR_CALLBACK *ModuleHandlesSessionObjects)(
-    NSSCKMDInstance *mdInstance,                                    
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine stuffs pointers to NSSCKMDSlot objects into
-   * the specified array; one for each slot supported by this
-   * instance.  The Framework will determine the size needed
-   * for the array by calling GetNSlots.  This routine is
-   * required.
-   */
-  CK_RV (PR_CALLBACK *GetSlots)(
-    NSSCKMDInstance *mdInstance,                                    
-    NSSCKFWInstance *fwInstance,
-    NSSCKMDSlot *slots[]
-  );
-
-  /*
-   * This call returns a pointer to the slot in which an event
-   * has occurred.  If the block argument is CK_TRUE, the call 
-   * should block until a slot event occurs; if CK_FALSE, it 
-   * should check to see if an event has occurred, occurred, 
-   * but return NULL (and set *pError to CK_NO_EVENT) if one 
-   * hasn't.  This routine is optional; if unimplemented, the
-   * Framework will assume that no event has happened.  This
-   * routine may return NULL upon error.
-   */
-  NSSCKMDSlot *(PR_CALLBACK *WaitForSlotEvent)(
-    NSSCKMDInstance *mdInstance,                                    
-    NSSCKFWInstance *fwInstance,
-    CK_BBOOL block,
-    CK_RV *pError
-  );
-
-  /*
-   * This object may be extended in future versions of the
-   * NSS Cryptoki Framework.  To allow for some flexibility
-   * in the area of binary compatibility, this field should
-   * be NULL.
-   */
-  void *null;
-};
-
-
-/*
- * NSSCKMDSlot
- *
- * This is the basic handle for a PKCS#11 Module Slot.  It is
- * created by the NSSCKMDInstance->GetSlots call, and may be
- * obtained from the Framework's corresponding NSSCKFWSlot
- * object.  It contains a pointer for use by the Module, to
- * store any slot-related data, and it contains the EPV for
- * a set of routines which the Module may implement for use
- * by the Framework.  Some of these routines are optional.
- */
-
-struct NSSCKMDSlotStr {
-  /*
-   * The Module may use this pointer for its own purposes.
-   */
-  void *etc;
-
-  /*
-   * This routine is called during the Framework initialization
-   * step, after the Framework Instance has obtained the list
-   * of slots (by calling NSSCKMDInstance->GetSlots).  Any slot-
-   * specific initialization can be done here.  This routine is
-   * optional; if unimplemented, it won't be called.  Note that
-   * if this routine returns an error, the entire Framework
-   * initialization for this Module will fail.
-   */
-  CK_RV (PR_CALLBACK *Initialize)(
-    NSSCKMDSlot *mdSlot,
-    NSSCKFWSlot *fwSlot,
-    NSSCKMDInstance *mdInstance,                                    
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine is called when the Framework is finalizing
-   * the PKCS#11 Module.  This call (for each of the slots)
-   * is the last thing called before NSSCKMDInstance->Finalize.
-   * This routine is optional; if unimplemented, it merely 
-   * won't be called.  Note: In the rare circumstance that
-   * the Framework initialization cannot complete (due to,
-   * for example, memory limitations), this can be called with
-   * a NULL value for fwSlot.
-   */
-  void (PR_CALLBACK *Destroy)(
-    NSSCKMDSlot *mdSlot,
-    NSSCKFWSlot *fwSlot,
-    NSSCKMDInstance *mdInstance,                                    
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine returns a pointer to a UTF8-encoded string
-   * containing a description of this slot.  Only the characters
-   * completely encoded in the first sixty-four bytes are
-   * significant.  This routine is optional.  The string 
-   * returned is never freed; if dynamically generated,
-   * the space for it should be allocated from the NSSArena
-   * that may be obtained from the NSSCKFWInstance.  This
-   * routine may return NULL upon error; however if *pError
-   * is CKR_OK, the NULL will be considered the valid response.
-   */
-  NSSUTF8 *(PR_CALLBACK *GetSlotDescription)(
-    NSSCKMDSlot *mdSlot,
-    NSSCKFWSlot *fwSlot,
-    NSSCKMDInstance *mdInstance,                                    
-    NSSCKFWInstance *fwInstance,
-    CK_RV *pError
-  );
-
-  /*
-   * This routine returns a pointer to a UTF8-encoded string
-   * containing a description of the manufacturer of this slot.
-   * Only the characters completely encoded in the first thirty-
-   * two bytes are significant.  This routine is optional.  
-   * The string  returned is never freed; if dynamically generated,
-   * the space for it should be allocated from the NSSArena
-   * that may be obtained from the NSSCKFWInstance.  This
-   * routine may return NULL upon error; however if *pError
-   * is CKR_OK, the NULL will be considered the valid response.
-   */
-  NSSUTF8 *(PR_CALLBACK *GetManufacturerID)(
-    NSSCKMDSlot *mdSlot,
-    NSSCKFWSlot *fwSlot,
-    NSSCKMDInstance *mdInstance,                                    
-    NSSCKFWInstance *fwInstance,
-    CK_RV *pError
-  );
-
-  /*
-   * This routine returns CK_TRUE if a token is present in this
-   * slot.  This routine is optional; if unimplemented, CK_TRUE
-   * is assumed.
-   */
-  CK_BBOOL (PR_CALLBACK *GetTokenPresent)(
-    NSSCKMDSlot *mdSlot,
-    NSSCKFWSlot *fwSlot,
-    NSSCKMDInstance *mdInstance,                                    
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine returns CK_TRUE if the slot supports removable
-   * tokens.  This routine is optional; if unimplemented, CK_FALSE
-   * is assumed.
-   */
-  CK_BBOOL (PR_CALLBACK *GetRemovableDevice)(
-    NSSCKMDSlot *mdSlot,
-    NSSCKFWSlot *fwSlot,
-    NSSCKMDInstance *mdInstance,                                    
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine returns CK_TRUE if this slot is a hardware
-   * device, or CK_FALSE if this slot is a software device.  This
-   * routine is optional; if unimplemented, CK_FALSE is assumed.
-   */
-  CK_BBOOL (PR_CALLBACK *GetHardwareSlot)(
-    NSSCKMDSlot *mdSlot,
-    NSSCKFWSlot *fwSlot,
-    NSSCKMDInstance *mdInstance,                                    
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine returns the version of this slot's hardware.
-   * This routine is optional; if unimplemented, the Framework
-   * will assume a hardware version of 0.1.
-   */
-  CK_VERSION (PR_CALLBACK *GetHardwareVersion)(
-    NSSCKMDSlot *mdSlot,
-    NSSCKFWSlot *fwSlot,
-    NSSCKMDInstance *mdInstance,                                    
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine returns the version of this slot's firmware.
-   * This routine is optional; if unimplemented, the Framework
-   * will assume a hardware version of 0.1.
-   */
-  CK_VERSION (PR_CALLBACK *GetFirmwareVersion)(
-    NSSCKMDSlot *mdSlot,
-    NSSCKFWSlot *fwSlot,
-    NSSCKMDInstance *mdInstance,                                    
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine should return a pointer to an NSSCKMDToken
-   * object corresponding to the token in the specified slot.
-   * The NSSCKFWToken object passed in has an NSSArena
-   * available which is dedicated for this token.  This routine
-   * must be implemented.  This routine may return NULL upon
-   * error.
-   */
-  NSSCKMDToken *(PR_CALLBACK *GetToken)(
-    NSSCKMDSlot *mdSlot,
-    NSSCKFWSlot *fwSlot,
-    NSSCKMDInstance *mdInstance,                                    
-    NSSCKFWInstance *fwInstance,
-    CK_RV *pError
-  );
-
-  /*
-   * This object may be extended in future versions of the
-   * NSS Cryptoki Framework.  To allow for some flexibility
-   * in the area of binary compatibility, this field should
-   * be NULL.
-   */
-  void *null;
-};
-
-/*
- * NSSCKMDToken
- *
- * This is the basic handle for a PKCS#11 Token.  It is created by
- * the NSSCKMDSlot->GetToken call, and may be obtained from the
- * Framework's corresponding NSSCKFWToken object.  It contains a
- * pointer for use by the Module, to store any token-related
- * data, and it contains the EPV for a set of routines which the
- * Module may implement for use by the Framework.  Some of these
- * routines are optional.
- */
-
-struct NSSCKMDTokenStr {
-  /*
-   * The Module may use this pointer for its own purposes.
-   */
-  void *etc;
-
-  /*
-   * This routine is used to prepare a Module token object for
-   * use.  It is called after the NSSCKMDToken object is obtained
-   * from NSSCKMDSlot->GetToken.  It is named "Setup" here because
-   * Cryptoki already defines "InitToken" to do the process of
-   * wiping out any existing state on a token and preparing it for
-   * a new use.  This routine is optional; if unimplemented, it
-   * merely won't be called.
-   */
-  CK_RV (PR_CALLBACK *Setup)(
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine is called by the Framework whenever it notices
-   * that the token object is invalid.  (Typically this is when a 
-   * routine indicates an error such as CKR_DEVICE_REMOVED).  This
-   * call is the last thing called before the NSSArena in the
-   * corresponding NSSCKFWToken is destroyed.  This routine is
-   * optional; if unimplemented, it merely won't be called.
-   */
-  void (PR_CALLBACK *Invalidate)(
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine initialises the token in the specified slot.
-   * This routine is optional; if unimplemented, the Framework
-   * will fail this operation with an error of CKR_DEVICE_ERROR.
-   */
-
-  CK_RV (PR_CALLBACK *InitToken)(
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSItem *pin,
-    NSSUTF8 *label
-  );
-
-  /*
-   * This routine returns a pointer to a UTF8-encoded string
-   * containing this token's label.  Only the characters
-   * completely encoded in the first thirty-two bytes are
-   * significant.  This routine is optional.  The string 
-   * returned is never freed; if dynamically generated,
-   * the space for it should be allocated from the NSSArena
-   * that may be obtained from the NSSCKFWInstance.  This
-   * routine may return NULL upon error; however if *pError
-   * is CKR_OK, the NULL will be considered the valid response.
-   */
-  NSSUTF8 *(PR_CALLBACK *GetLabel)(
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    CK_RV *pError
-  );
-
-  /*
-   * This routine returns a pointer to a UTF8-encoded string
-   * containing this token's manufacturer ID.  Only the characters
-   * completely encoded in the first thirty-two bytes are
-   * significant.  This routine is optional.  The string 
-   * returned is never freed; if dynamically generated,
-   * the space for it should be allocated from the NSSArena
-   * that may be obtained from the NSSCKFWInstance.  This
-   * routine may return NULL upon error; however if *pError
-   * is CKR_OK, the NULL will be considered the valid response.
-   */
-  NSSUTF8 *(PR_CALLBACK *GetManufacturerID)(
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    CK_RV *pError
-  );
-
-  /*
-   * This routine returns a pointer to a UTF8-encoded string
-   * containing this token's model name.  Only the characters
-   * completely encoded in the first thirty-two bytes are
-   * significant.  This routine is optional.  The string 
-   * returned is never freed; if dynamically generated,
-   * the space for it should be allocated from the NSSArena
-   * that may be obtained from the NSSCKFWInstance.  This
-   * routine may return NULL upon error; however if *pError
-   * is CKR_OK, the NULL will be considered the valid response.
-   */
-  NSSUTF8 *(PR_CALLBACK *GetModel)(
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    CK_RV *pError
-  );
-
-  /*
-   * This routine returns a pointer to a UTF8-encoded string
-   * containing this token's serial number.  Only the characters
-   * completely encoded in the first thirty-two bytes are
-   * significant.  This routine is optional.  The string 
-   * returned is never freed; if dynamically generated,
-   * the space for it should be allocated from the NSSArena
-   * that may be obtained from the NSSCKFWInstance.  This
-   * routine may return NULL upon error; however if *pError
-   * is CKR_OK, the NULL will be considered the valid response.
-   */
-  NSSUTF8 *(PR_CALLBACK *GetSerialNumber)(
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    CK_RV *pError
-  );
-
-  /*
-   * This routine returns CK_TRUE if the token has its own
-   * random number generator.  This routine is optional; if
-   * unimplemented, CK_FALSE is assumed.
-   */
-  CK_BBOOL (PR_CALLBACK *GetHasRNG)(
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine returns CK_TRUE if this token is write-protected.
-   * This routine is optional; if unimplemented, CK_FALSE is
-   * assumed.
-   */
-  CK_BBOOL (PR_CALLBACK *GetIsWriteProtected)(
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine returns CK_TRUE if this token requires a login.
-   * This routine is optional; if unimplemented, CK_FALSE is
-   * assumed.
-   */
-  CK_BBOOL (PR_CALLBACK *GetLoginRequired)(
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine returns CK_TRUE if the normal user's PIN on this
-   * token has been initialised.  This routine is optional; if
-   * unimplemented, CK_FALSE is assumed.
-   */
-  CK_BBOOL (PR_CALLBACK *GetUserPinInitialized)(
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine returns CK_TRUE if a successful save of a
-   * session's cryptographic operations state ~always~ contains
-   * all keys needed to restore the state of the session.  This
-   * routine is optional; if unimplemented, CK_FALSE is assumed.
-   */
-  CK_BBOOL (PR_CALLBACK *GetRestoreKeyNotNeeded)(
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine returns CK_TRUE if the token has its own
-   * hardware clock.  This routine is optional; if unimplemented,
-   * CK_FALSE is assumed.
-   */
-  CK_BBOOL (PR_CALLBACK *GetHasClockOnToken)(
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine returns CK_TRUE if the token has a protected
-   * authentication path.  This routine is optional; if
-   * unimplemented, CK_FALSE is assumed.
-   */
-  CK_BBOOL (PR_CALLBACK *GetHasProtectedAuthenticationPath)(
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine returns CK_TRUE if the token supports dual
-   * cryptographic operations within a single session.  This
-   * routine is optional; if unimplemented, CK_FALSE is assumed.
-   */
-  CK_BBOOL (PR_CALLBACK *GetSupportsDualCryptoOperations)(
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * XXX fgmr-- should we have a call to return all the flags
-   * at once, for folks who already know about Cryptoki?
-   */
-
-  /*
-   * This routine returns the maximum number of sessions that
-   * may be opened on this token.  This routine is optional;
-   * if unimplemented, the special value CK_UNAVAILABLE_INFORMATION
-   * is assumed.  XXX fgmr-- or CK_EFFECTIVELY_INFINITE?
-   */
-  CK_ULONG (PR_CALLBACK *GetMaxSessionCount)(
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine returns the maximum number of read/write
-   * sesisons that may be opened on this token.  This routine
-   * is optional; if unimplemented, the special value
-   * CK_UNAVAILABLE_INFORMATION is assumed.  XXX fgmr-- or 
-   * CK_EFFECTIVELY_INFINITE?
-   */
-  CK_ULONG (PR_CALLBACK *GetMaxRwSessionCount)(
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine returns the maximum PIN code length that is
-   * supported on this token.  This routine is optional;
-   * if unimplemented, the special value CK_UNAVAILABLE_INFORMATION
-   * is assumed.
-   */
-  CK_ULONG (PR_CALLBACK *GetMaxPinLen)(
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine returns the minimum PIN code length that is
-   * supported on this token.  This routine is optional; if
-   * unimplemented, the special value CK_UNAVAILABLE_INFORMATION
-   *  is assumed.  XXX fgmr-- or 0?
-   */
-  CK_ULONG (PR_CALLBACK *GetMinPinLen)(
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine returns the total amount of memory on the token
-   * in which public objects may be stored.  This routine is
-   * optional; if unimplemented, the special value
-   * CK_UNAVAILABLE_INFORMATION is assumed.
-   */
-  CK_ULONG (PR_CALLBACK *GetTotalPublicMemory)(
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine returns the amount of unused memory on the
-   * token in which public objects may be stored.  This routine
-   * is optional; if unimplemented, the special value
-   * CK_UNAVAILABLE_INFORMATION is assumed.
-   */
-  CK_ULONG (PR_CALLBACK *GetFreePublicMemory)(
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine returns the total amount of memory on the token
-   * in which private objects may be stored.  This routine is
-   * optional; if unimplemented, the special value
-   * CK_UNAVAILABLE_INFORMATION is assumed.
-   */
-  CK_ULONG (PR_CALLBACK *GetTotalPrivateMemory)(
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine returns the amount of unused memory on the
-   * token in which private objects may be stored.  This routine
-   * is optional; if unimplemented, the special value
-   * CK_UNAVAILABLE_INFORMATION is assumed.
-   */
-  CK_ULONG (PR_CALLBACK *GetFreePrivateMemory)(
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine returns the version number of this token's
-   * hardware.  This routine is optional; if unimplemented,
-   * the value 0.1 is assumed.
-   */
-  CK_VERSION (PR_CALLBACK *GetHardwareVersion)(
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine returns the version number of this token's
-   * firmware.  This routine is optional; if unimplemented,
-   * the value 0.1 is assumed.
-   */
-  CK_VERSION (PR_CALLBACK *GetFirmwareVersion)(
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine stuffs the current UTC time, as obtained from
-   * the token, into the sixteen-byte buffer in the form
-   * YYYYMMDDhhmmss00.  This routine need only be implemented
-   * by token which indicate that they have a real-time clock.
-   * XXX fgmr-- think about time formats.
-   */
-  CK_RV (PR_CALLBACK *GetUTCTime)(
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    CK_CHAR utcTime[16]
-  );
-
-  /*
-   * This routine creates a session on the token, and returns
-   * the corresponding NSSCKMDSession object.  The value of
-   * rw will be CK_TRUE if the session is to be a read/write 
-   * session, or CK_FALSE otherwise.  An NSSArena dedicated to
-   * the new session is available from the specified NSSCKFWSession.
-   * This routine may return NULL upon error.
-   */
-  NSSCKMDSession *(PR_CALLBACK *OpenSession)(
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSCKFWSession *fwSession,
-    CK_BBOOL rw,
-    CK_RV *pError
-  );
-
-  /*
-   * This routine returns the number of PKCS#11 Mechanisms
-   * supported by this token.  This routine is optional; if
-   * unimplemented, zero is assumed.
-   */
-  CK_ULONG (PR_CALLBACK *GetMechanismCount)(
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine stuffs into the specified array the types
-   * of the mechanisms supported by this token.  The Framework
-   * determines the size of the array by calling GetMechanismCount.
-   */
-  CK_RV (PR_CALLBACK *GetMechanismTypes)(
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    CK_MECHANISM_TYPE types[]
-  );
-
-  /*
-   * This routine returns a pointer to a Module mechanism
-   * object corresponding to a specified type.  This routine
-   * need only exist for tokens implementing at least one
-   * mechanism.
-   */
-  NSSCKMDMechanism *(PR_CALLBACK *GetMechanism)(
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSCKFWMechanism *fwMechanism,
-    CK_MECHANISM_TYPE which
-  );
-
-  /*
-   * This object may be extended in future versions of the
-   * NSS Cryptoki Framework.  To allow for some flexibility
-   * in the area of binary compatibility, this field should
-   * be NULL.
-   */
-  void *null;
-};
-
-/*
- * NSSCKMDSession
- *
- * This is the basic handle for a session on a PKCS#11 Token.  It
- * is created by NSSCKMDToken->OpenSession, and may be obtained
- * from the Framework's corresponding NSSCKFWSession object.  It
- * contains a pointer for use by the Module, to store any session-
- * realted data, and it contains the EPV for a set of routines
- * which the Module may implement for use by the Framework.  Some
- * of these routines are optional.
- */
-
-struct NSSCKMDSessionStr {
-  /*
-   * The Module may use this pointer for its own purposes.
-   */
-  void *etc;
-
-  /*
-   * This routine is called by the Framework when a session is
-   * closed.  This call is the last thing called before the
-   * NSSArena in the correspoinding NSSCKFWSession is destroyed.
-   * This routine is optional; if unimplemented, it merely won't
-   * be called.
-   */
-  void (PR_CALLBACK *Close)(
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine is used to get any device-specific error.
-   * This routine is optional.
-   */
-  CK_ULONG (PR_CALLBACK *GetDeviceError)(
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine is used to log in a user to the token.  This
-   * routine is optional, since the Framework's NSSCKFWSession
-   * object keeps track of the login state.
-   */
-  CK_RV (PR_CALLBACK *Login)(
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    CK_USER_TYPE userType,
-    NSSItem *pin,
-    CK_STATE oldState,
-    CK_STATE newState
-  );
-
-  /*
-   * This routine is used to log out a user from the token.  This
-   * routine is optional, since the Framework's NSSCKFWSession
-   * object keeps track of the login state.
-   */
-  CK_RV (PR_CALLBACK *Logout)(
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    CK_STATE oldState,
-    CK_STATE newState
-  );
-
-  /*
-   * This routine is used to initialize the normal user's PIN or
-   * password.  This will only be called in the "read/write
-   * security officer functions" state.  If this token has a
-   * protected authentication path, then the pin argument will
-   * be NULL.  This routine is optional; if unimplemented, the
-   * Framework will return the error CKR_TOKEN_WRITE_PROTECTED.
-   */
-  CK_RV (PR_CALLBACK *InitPIN)(
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSItem *pin
-  );
-
-  /*
-   * This routine is used to modify a user's PIN or password.  This
-   * routine will only be called in the "read/write security officer
-   * functions" or "read/write user functions" state.  If this token
-   * has a protected authentication path, then the pin arguments
-   * will be NULL.  This routine is optional; if unimplemented, the
-   * Framework will return the error CKR_TOKEN_WRITE_PROTECTED.
-   */
-  CK_RV (PR_CALLBACK *SetPIN)(
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSItem *oldPin,
-    NSSItem *newPin
-  );
-
-  /*
-   * This routine is used to find out how much space would be required
-   * to save the current operational state.  This routine is optional;
-   * if unimplemented, the Framework will reject any attempts to save
-   * the operational state with the error CKR_STATE_UNSAVEABLE.  This
-   * routine may return zero on error.
-   */
-  CK_ULONG (PR_CALLBACK *GetOperationStateLen)(
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    CK_RV *pError
-  );
-
-  /*
-   * This routine is used to store the current operational state.  This
-   * routine is only required if GetOperationStateLen is implemented 
-   * and can return a nonzero value.  The buffer in the specified item
-   * will be pre-allocated, and the length will specify the amount of
-   * space available (which may be more than GetOperationStateLen
-   * asked for, but which will not be smaller).
-   */
-  CK_RV (PR_CALLBACK *GetOperationState)(
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSItem *buffer
-  );
-
-  /*
-   * This routine is used to restore an operational state previously
-   * obtained with GetOperationState.  The Framework will take pains
-   * to be sure that the state is (or was at one point) valid; if the
-   * Module notices that the state is invalid, it should return an
-   * error, but it is not required to be paranoid about the issue.
-   * [XXX fgmr-- should (can?) the framework verify the keys match up?]
-   * This routine is required only if GetOperationState is implemented.
-   */
-  CK_RV (PR_CALLBACK *SetOperationState)(
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSItem *state,
-    NSSCKMDObject *mdEncryptionKey,
-    NSSCKFWObject *fwEncryptionKey,
-    NSSCKMDObject *mdAuthenticationKey,
-    NSSCKFWObject *fwAuthenticationKey
-  );
-
-  /*
-   * This routine is used to create an object.  The specified template
-   * will only specify a session object if the Module has indicated 
-   * that it wishes to handle its own session objects.  This routine
-   * is optional; if unimplemented, the Framework will reject the
-   * operation with the error CKR_TOKEN_WRITE_PROTECTED.  Space for
-   * token objects should come from the NSSArena available from the
-   * NSSCKFWToken object; space for session objects (if supported)
-   * should come from the NSSArena available from the NSSCKFWSession
-   * object.  The appropriate NSSArena pointer will, as a convenience,
-   * be passed as the handyArenaPointer argument.  This routine may
-   * return NULL upon error.
-   */
-  NSSCKMDObject *(PR_CALLBACK *CreateObject)(
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSArena *handyArenaPointer,
-    CK_ATTRIBUTE_PTR pTemplate,
-    CK_ULONG ulAttributeCount,
-    CK_RV *pError
-  );
-
-  /*
-   * This routine is used to make a copy of an object.  It is entirely
-   * optional; if unimplemented, the Framework will try to use
-   * CreateObject instead.  If the Module has indicated that it does
-   * not wish to handle session objects, then this routine will only
-   * be called to copy a token object to another token object.
-   * Otherwise, either the original object or the new may be of
-   * either the token or session variety.  As with CreateObject, the
-   * handyArenaPointer will point to the appropriate arena for the
-   * new object.  This routine may return NULL upon error.
-   */
-  NSSCKMDObject *(PR_CALLBACK *CopyObject)(
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSCKMDObject *mdOldObject,
-    NSSCKFWObject *fwOldObject,
-    NSSArena *handyArenaPointer,
-    CK_ATTRIBUTE_PTR pTemplate,
-    CK_ULONG ulAttributeCount,
-    CK_RV *pError
-  );
-
-  /*
-   * This routine is used to begin an object search.  This routine may
-   * be unimplemented only if the Module does not handle session 
-   * objects, and if none of its tokens have token objects.  The
-   * NSSCKFWFindObjects pointer has an NSSArena that may be used for
-   * storage for the life of this "find" operation.  This routine may
-   * return NULL upon error.  If the Module can determine immediately
-   * that the search will not find any matching objects, it may return
-   * NULL, and specify CKR_OK as the error.
-   */
-  NSSCKMDFindObjects *(PR_CALLBACK *FindObjectsInit)(
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    CK_ATTRIBUTE_PTR pTemplate,
-    CK_ULONG ulAttributeCount,
-    CK_RV *pError
-  );
-
-  /*
-   * This routine seeds the random-number generator.  It is
-   * optional, even if GetRandom is implemented.  If unimplemented,
-   * the Framework will issue the error CKR_RANDOM_SEED_NOT_SUPPORTED.
-   */
-  CK_RV (PR_CALLBACK *SeedRandom)(
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSItem *seed
-  );
-
-  /*
-   * This routine gets random data.  It is optional.  If unimplemented,
-   * the Framework will issue the error CKR_RANDOM_NO_RNG.
-   */
-  CK_RV (PR_CALLBACK *GetRandom)(
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSItem *buffer
-  );
-
-  /*
-   * This object may be extended in future versions of the
-   * NSS Cryptoki Framework.  To allow for some flexibility
-   * in the area of binary compatibility, this field should
-   * be NULL.
-   */
-  void *null;
-};
-
-/*
- * NSSCKMDFindObjects
- *
- * This is the basic handle for an object search.  It is
- * created by NSSCKMDSession->FindObjectsInit, and may be
- * obtained from the Framework's corresponding object.
- * It contains a pointer for use by the Module, to store
- * any search-related data, and it contains the EPV for a
- * set of routines which the Module may implement for use
- * by the Framework.  Some of these routines are optional.
- */
-
-struct NSSCKMDFindObjectsStr {
-  /*
-   * The Module may use this pointer for its own purposes.
-   */
-  void *etc;
-
-  /*
-   * This routine is called by the Framework to finish a
-   * search operation.  Note that the Framework may finish
-   * a search before it has completed.  This routine is
-   * optional; if unimplemented, it merely won't be called.
-   */
-  void (PR_CALLBACK *Final)(
-    NSSCKMDFindObjects *mdFindObjects,
-    NSSCKFWFindObjects *fwFindObjects,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine is used to obtain another pointer to an
-   * object matching the search criteria.  This routine is
-   * required.  If no (more) objects match the search, it
-   * should return NULL and set the error to CKR_OK.
-   */
-  NSSCKMDObject *(PR_CALLBACK *Next)(
-    NSSCKMDFindObjects *mdFindObjects,
-    NSSCKFWFindObjects *fwFindObjects,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSArena *arena,
-    CK_RV *pError
-  );
-
-  /*
-   * This object may be extended in future versions of the
-   * NSS Cryptoki Framework.  To allow for some flexibility
-   * in the area of binary compatibility, this field should
-   * be NULL.
-   */
-  void *null;
-};
-
-/*
- * NSSCKMDMechanism
- *
- */
-
-struct NSSCKMDMechanismStr {
-  /*
-   * The Module may use this pointer for its own purposes.
-   */
-  void *etc;
-
-  /*
-   * This routine returns the minimum key size allowed for
-   * this mechanism.  This routine is optional; if unimplemented,
-   * zero will be assumed.  This routine may return zero on
-   * error; if the error is CKR_OK, zero will be accepted as
-   * a valid response.
-   */
-  CK_ULONG (PR_CALLBACK *GetMinKeySize)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    CK_RV *pError
-  );
-
-  /*
-   * This routine returns the maximum key size allowed for
-   * this mechanism.  This routine is optional; if unimplemented,
-   * zero will be assumed.  This routine may return zero on
-   * error; if the error is CKR_OK, zero will be accepted as
-   * a valid response.
-   */
-  CK_ULONG (PR_CALLBACK *GetMaxKeySize)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    CK_RV *pError
-  );
-
-  /*
-   * This routine is called to determine if the mechanism is
-   * implemented in hardware or software.  It returns CK_TRUE
-   * if it is done in hardware.
-   */
-  CK_BBOOL (PR_CALLBACK *GetInHardware)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    CK_RV *pError
-  );
-
-  /*
-   * The crypto routines themselves.  Most crypto operations may
-   * be performed in two ways, streaming and single-part.  The
-   * streaming operations involve the use of (typically) three
-   * calls-- an Init method to set up the operation, an Update
-   * method to feed data to the operation, and a Final method to
-   * obtain the final result.  Single-part operations involve
-   * one method, to perform the crypto operation all at once.
-   * The NSS Cryptoki Framework can implement the single-part
-   * operations in terms of the streaming operations on behalf
-   * of the Module.  There are a few variances.
-   * 
-   * For simplicity, the routines are listed in summary here:
-   *
-   *  EncryptInit, EncryptUpdate, EncryptFinal; Encrypt
-   *  DecryptInit, DecryptUpdate, DecryptFinal; Decrypt
-   *  DigestInit, DigestUpdate, DigestKey, DigestFinal; Digest
-   *  SignInit, SignUpdate, SignFinal; Sign
-   *  SignRecoverInit; SignRecover
-   *  VerifyInit, VerifyUpdate, VerifyFinal; Verify
-   *  VerifyRecoverInit; VerifyRecover
-   * 
-   * Also, there are some combined-operation calls:
-   * 
-   *  DigestEncryptUpdate
-   *  DecryptDigestUpdate
-   *  SignEncryptUpdate
-   *  DecryptVerifyUpdate
-   *
-   * The key-management routines are
-   *
-   *  GenerateKey
-   *  GenerateKeyPair
-   *  WrapKey
-   *  UnwrapKey
-   *  DeriveKey
-   *
-   * All of these routines based directly on the Cryptoki API; 
-   * see PKCS#11 for further information.
-   */
-
-  /*
-   */
-  CK_RV (PR_CALLBACK *EncryptInit)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSCKMDObject *mdKey,
-    NSSCKFWObject *fwKey
-  );
-
-  /*
-   */
-  CK_RV (PR_CALLBACK *EncryptUpdate)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSItem *data, 
-    NSSItem *buffer
-  );
-
-  /*
-   */
-  CK_RV (PR_CALLBACK *EncryptFinal)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSItem *buffer
-  );
-
-  /*
-   */
-  CK_RV (PR_CALLBACK *Encrypt)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSCKMDObject *mdKey,
-    NSSCKFWObject *fwKey,
-    NSSItem *data, 
-    NSSItem *buffer
-  );
-
-  /*
-   */
-  CK_RV (PR_CALLBACK *DecryptInit)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSCKMDObject *mdKey,
-    NSSCKFWObject *fwKey
-  );
-
-  /*
-   */
-  CK_RV (PR_CALLBACK *DecryptUpdate)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSItem *data, 
-    NSSItem *buffer
-  );
-
-  /*
-   */
-  CK_RV (PR_CALLBACK *DecryptFinal)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSItem *buffer
-  );
-
-  /*
-   */
-  CK_RV (PR_CALLBACK *Decrypt)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSCKMDObject *mdKey,
-    NSSCKFWObject *fwKey,
-    NSSItem *data, 
-    NSSItem *buffer
-  );
-
-  /*
-   */
-  CK_RV (PR_CALLBACK *DigestInit)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   */
-  CK_RV (PR_CALLBACK *DigestUpdate)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSItem *data
-  );
-
-  /*
-   */
-  CK_RV (PR_CALLBACK *DigestKey)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSCKMDObject *mdKey,
-    NSSCKFWObject *fwKey
-  );
-
-  /*
-   */
-  CK_RV (PR_CALLBACK *DigestFinal)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSItem *buffer
-  );
-
-  /*
-   */
-  CK_RV (PR_CALLBACK *Digest)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSItem *data, 
-    NSSItem *buffer
-  );
-
-  /*
-   */
-  CK_RV (PR_CALLBACK *SignInit)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSCKMDObject *mdKey,
-    NSSCKFWObject *fwKey
-  );
-
-  /*
-   */
-  CK_RV (PR_CALLBACK *SignUpdate)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSItem *data,
-    NSSItem *buffer
-  );
-
-  /*
-   */
-  CK_RV (PR_CALLBACK *SignFinal)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSItem *buffer
-  );
-
-  /*
-   */
-  CK_RV (PR_CALLBACK *Sign)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSCKMDObject *mdKey,
-    NSSCKFWObject *fwKey,
-    NSSItem *data,
-    NSSItem *buffer
-  );
-
-  /*
-   */
-  CK_RV (PR_CALLBACK *VerifyInit)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSCKFWObject *key
-  );
-
-  /*
-   */
-  CK_RV (PR_CALLBACK *VerifyUpdate)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSItem *data
-  );
-
-  /*
-   */
-  CK_RV (PR_CALLBACK *VerifyFinish)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSItem *buffer
-  );
-
-  /*
-   */
-  CK_RV (PR_CALLBACK *Verify)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSCKFWObject *key,
-    NSSItem *data,
-    NSSItem *buffer
-  );
-
-  /*
-   */
-  CK_RV (PR_CALLBACK *SignRecover)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSCKMDObject *mdKey,
-    NSSCKFWObject *fwKey,
-    NSSItem *data,
-    NSSItem *buffer
-  );
-
-  /*
-   */
-  CK_RV (PR_CALLBACK *VerifyRecover)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSCKMDObject *mdKey,
-    NSSCKFWObject *fwKey,
-    NSSItem *data,
-    NSSItem *buffer
-  );
-
-  /*
-   */
-  CK_RV (PR_CALLBACK *DigestEncryptUpdate)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSItem *data,
-    NSSItem *buffer
-  );
-
-  /*
-   */
-  CK_RV (PR_CALLBACK *DecryptDigestUpdate)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSItem *data,
-    NSSItem *buffer
-  );
-
-  /*
-   */
-  CK_RV (PR_CALLBACK *SignEncryptUpdate)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSItem *data,
-    NSSItem *buffer
-  );
-
-  /*
-   */
-  CK_RV (PR_CALLBACK *DecryptVerifyUpdate)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSItem *data,
-    NSSItem *buffer
-  );
-
-  /*
-   * Key management operations.
-   */
-
-  /*
-   * This routine generates a key.  This routine may return NULL
-   * upon error.
-   */
-  NSSCKMDObject *(PR_CALLBACK *GenerateKey)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    CK_ATTRIBUTE_PTR pTemplate,
-    CK_ULONG ulAttributeCount,
-    CK_RV *pError
-  );
-
-  /*
-   * This routine generates a key pair.
-   */
-  CK_RV (PR_CALLBACK *GenerateKeyPair)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    CK_ATTRIBUTE_PTR pPublicKeyTemplate,
-    CK_ULONG ulPublicKeyAttributeCount,
-    CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
-    CK_ULONG ulPrivateKeyAttributeCount,
-    NSSCKMDObject **pPublicKey,
-    NSSCKMDObject **pPrivateKey
-  );
-
-  /*
-   * This routine wraps a key.
-   */
-  CK_RV (PR_CALLBACK *WrapKey)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSCKMDObject *mdWrappingKey,
-    NSSCKFWObject *fwWrappingKey,
-    NSSCKMDObject *mdWrappedKey,
-    NSSCKFWObject *fwWrappedKey,
-    NSSItem *buffer
-  );
-
-  /*
-   * This routine unwraps a key.  This routine may return NULL
-   * upon error.
-   */
-  NSSCKMDObject *(PR_CALLBACK *UnwrapKey)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSCKMDObject *mdWrappingKey,
-    NSSCKFWObject *fwWrappingKey,
-    NSSItem *wrappedKey,
-    CK_ATTRIBUTE_PTR pTemplate,
-    CK_ULONG ulAttributeCount,
-    CK_RV *pError
-  );    
-    
-  /*
-   * This routine derives a key.  This routine may return NULL
-   * upon error.
-   */
-  NSSCKMDObject *(PR_CALLBACK *DeriveKey)(
-    NSSCKMDMechanism *mdMechanism,
-    NSSCKFWMechanism *fwMechanism,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    NSSCKMDObject *mdBaseKey,
-    NSSCKFWObject *fwBaseKey,
-    CK_ATTRIBUTE_PTR pTemplate,
-    CK_ULONG ulAttributeCount,
-    CK_RV *pError
-  );    
-
-  /*
-   * This object may be extended in future versions of the
-   * NSS Cryptoki Framework.  To allow for some flexibility
-   * in the area of binary compatibility, this field should
-   * be NULL.
-   */
-  void *null;
-};
-
-/*
- * NSSCKMDObject
- *
- * This is the basic handle for any object used by a PKCS#11 Module.
- * Modules must implement it if they support their own objects, and
- * the Framework supports it for Modules that do not handle session
- * objects.  This type contains a pointer for use by the implementor,
- * to store any object-specific data, and it contains an EPV for a
- * set of routines used to access the object.
- */
-
-struct NSSCKMDObjectStr {
-  /*
-   * The implementation my use this pointer for its own purposes.
-   */
-  void *etc;
-
-  /*
-   * This routine is called by the Framework when it is letting
-   * go of an object handle.  It can be used by the Module to
-   * free any resources tied up by an object "in use."  It is
-   * optional.
-   */
-  void (PR_CALLBACK *Finalize)(
-    NSSCKMDObject *mdObject,
-    NSSCKFWObject *fwObject,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine is used to completely destroy an object.
-   * It is optional.  The parameter fwObject might be NULL
-   * if the framework runs out of memory at the wrong moment.
-   */
-  CK_RV (PR_CALLBACK *Destroy)(
-    NSSCKMDObject *mdObject,
-    NSSCKFWObject *fwObject,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This helper routine is used by the Framework, and is especially
-   * useful when it is managing session objects on behalf of the
-   * Module.  This routine is optional; if unimplemented, the
-   * Framework will actually look up the CKA_TOKEN attribute.  In the
-   * event of an error, just make something up-- the Framework will
-   * find out soon enough anyway.
-   */
-  CK_BBOOL (PR_CALLBACK *IsTokenObject)(
-    NSSCKMDObject *mdObject,
-    NSSCKFWObject *fwObject,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance
-  );
-
-  /*
-   * This routine returns the number of attributes of which this
-   * object consists.  It is mandatory.  It can return zero on
-   * error.
-   */
-  CK_ULONG (PR_CALLBACK *GetAttributeCount)(
-    NSSCKMDObject *mdObject,
-    NSSCKFWObject *fwObject,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    CK_RV *pError
-  );
-
-  /*
-   * This routine stuffs the attribute types into the provided array.
-   * The array size (as obtained from GetAttributeCount) is passed in
-   * as a check; return CKR_BUFFER_TOO_SMALL if the count is wrong
-   * (either too big or too small).
-   */
-  CK_RV (PR_CALLBACK *GetAttributeTypes)(
-    NSSCKMDObject *mdObject,
-    NSSCKFWObject *fwObject,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    CK_ATTRIBUTE_TYPE_PTR typeArray,
-    CK_ULONG ulCount
-  );
-
-  /*
-   * This routine returns the size (in bytes) of the specified
-   * attribute.  It can return zero on error.
-   */
-  CK_ULONG (PR_CALLBACK *GetAttributeSize)(
-    NSSCKMDObject *mdObject,
-    NSSCKFWObject *fwObject,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    CK_ATTRIBUTE_TYPE attribute,
-    CK_RV *pError
-  );
-
-  /*
-   * This routine returns an NSSCKFWItem structure.
-   * The item pointer points to an NSSItem containing the attribute value.
-   * The needsFreeing bit tells the framework whether to call the
-   * FreeAttribute function . Upon error, an NSSCKFWItem structure
-   * with a NULL NSSItem item pointer will be returned
-   */
-  NSSCKFWItem (PR_CALLBACK *GetAttribute)(
-    NSSCKMDObject *mdObject,
-    NSSCKFWObject *fwObject,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    CK_ATTRIBUTE_TYPE attribute,
-    CK_RV *pError
-  );
-
-  /*
-   * This routine returns CKR_OK if the attribute could be freed.
-   */
-  CK_RV (PR_CALLBACK *FreeAttribute)(
-    NSSCKFWItem * item
-  );
-
-  /*
-   * This routine changes the specified attribute.  If unimplemented,
-   * the object will be considered read-only.
-   */
-  CK_RV (PR_CALLBACK *SetAttribute)(
-    NSSCKMDObject *mdObject,
-    NSSCKFWObject *fwObject,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    CK_ATTRIBUTE_TYPE attribute,
-    NSSItem *value
-  );
-
-  /*
-   * This routine returns the storage requirements of this object,
-   * in bytes.  Cryptoki doesn't strictly define the definition,
-   * but it should relate to the values returned by the "Get Memory"
-   * routines of the NSSCKMDToken.  This routine is optional; if
-   * unimplemented, the Framework will consider this information
-   * sensitive.  This routine may return zero on error.  If the
-   * specified error is CKR_OK, zero will be accepted as a valid
-   * response.
-   */
-  CK_ULONG (PR_CALLBACK *GetObjectSize)(
-    NSSCKMDObject *mdObject,
-    NSSCKFWObject *fwObject,
-    NSSCKMDSession *mdSession,
-    NSSCKFWSession *fwSession,
-    NSSCKMDToken *mdToken,
-    NSSCKFWToken *fwToken,
-    NSSCKMDInstance *mdInstance,
-    NSSCKFWInstance *fwInstance,
-    CK_RV *pError
-  );
-
-  /*
-   * This object may be extended in future versions of the
-   * NSS Cryptoki Framework.  To allow for some flexibility
-   * in the area of binary compatibility, this field should
-   * be NULL.
-   */
-  void *null;
-};
-
-
-#endif /* NSSCKMDT_H */
diff --git a/security/nss/lib/ckfw/nssckt.h b/security/nss/lib/ckfw/nssckt.h
deleted file mode 100644
index 9e67f7fdf..000000000
--- a/security/nss/lib/ckfw/nssckt.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#ifndef _NSSCKT_H_
-#define _NSSCKT_H_ 1
-
-#include "pkcs11t.h"
-
-typedef CK_ATTRIBUTE_TYPE CK_PTR CK_ATTRIBUTE_TYPE_PTR;
-#define CK_ENTRY
-
-#endif /* _NSSCKT_H_ */
-
diff --git a/security/nss/lib/ckfw/object.c b/security/nss/lib/ckfw/object.c
deleted file mode 100644
index 1be38244d..000000000
--- a/security/nss/lib/ckfw/object.c
+++ /dev/null
@@ -1,1049 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * object.c
- *
- * This file implements the NSSCKFWObject type and methods.
- */
-
-#ifndef CK_T
-#include "ck.h"
-#endif /* CK_T */
-
-/*
- * NSSCKFWObject
- *
- * -- create/destroy --
- *  nssCKFWObject_Create
- *  nssCKFWObject_Finalize
- *  nssCKFWObject_Destroy
- *
- * -- public accessors --
- *  NSSCKFWObject_GetMDObject
- *  NSSCKFWObject_GetArena
- *  NSSCKFWObject_IsTokenObject
- *  NSSCKFWObject_GetAttributeCount
- *  NSSCKFWObject_GetAttributeTypes
- *  NSSCKFWObject_GetAttributeSize
- *  NSSCKFWObject_GetAttribute
- *  NSSCKFWObject_SetAttribute
- *  NSSCKFWObject_GetObjectSize
- *
- * -- implement public accessors --
- *  nssCKFWObject_GetMDObject
- *  nssCKFWObject_GetArena
- *
- * -- private accessors --
- *  nssCKFWObject_SetHandle
- *  nssCKFWObject_GetHandle
- *
- * -- module fronts --
- *  nssCKFWObject_IsTokenObject
- *  nssCKFWObject_GetAttributeCount
- *  nssCKFWObject_GetAttributeTypes
- *  nssCKFWObject_GetAttributeSize
- *  nssCKFWObject_GetAttribute
- *  nssCKFWObject_SetAttribute
- *  nssCKFWObject_GetObjectSize
- */
-
-struct NSSCKFWObjectStr {
-  NSSCKFWMutex *mutex; /* merely to serialise the MDObject calls */
-  NSSArena *arena;
-  NSSCKMDObject *mdObject;
-  NSSCKMDSession *mdSession;
-  NSSCKFWSession *fwSession;
-  NSSCKMDToken *mdToken;
-  NSSCKFWToken *fwToken;
-  NSSCKMDInstance *mdInstance;
-  NSSCKFWInstance *fwInstance;
-  CK_OBJECT_HANDLE hObject;
-};
-
-#ifdef DEBUG
-/*
- * But first, the pointer-tracking stuff.
- *
- * NOTE: the pointer-tracking support in NSS/base currently relies
- * upon NSPR's CallOnce support.  That, however, relies upon NSPR's
- * locking, which is tied into the runtime.  We need a pointer-tracker
- * implementation that uses the locks supplied through C_Initialize.
- * That support, however, can be filled in later.  So for now, I'll
- * just do this routines as no-ops.
- */
-
-static CK_RV
-object_add_pointer
-(
-  const NSSCKFWObject *fwObject
-)
-{
-  return CKR_OK;
-}
-
-static CK_RV
-object_remove_pointer
-(
-  const NSSCKFWObject *fwObject
-)
-{
-  return CKR_OK;
-}
-
-NSS_IMPLEMENT CK_RV
-nssCKFWObject_verifyPointer
-(
-  const NSSCKFWObject *fwObject
-)
-{
-  return CKR_OK;
-}
-
-#endif /* DEBUG */
-
-
-/*
- * nssCKFWObject_Create
- *
- */
-NSS_IMPLEMENT NSSCKFWObject *
-nssCKFWObject_Create
-(
-  NSSArena *arena,
-  NSSCKMDObject *mdObject,
-  NSSCKFWSession *fwSession,
-  NSSCKFWToken *fwToken,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  NSSCKFWObject *fwObject;
-  nssCKFWHash *mdObjectHash;
-
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (NSSCKFWObject *)NULL;
-  }
-
-  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
-    *pError = CKR_ARGUMENTS_BAD;
-    return (NSSCKFWObject *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  mdObjectHash = nssCKFWToken_GetMDObjectHash(fwToken);
-  if( (nssCKFWHash *)NULL == mdObjectHash ) {
-    *pError = CKR_GENERAL_ERROR;
-    return (NSSCKFWObject *)NULL;
-  }
-
-  if( nssCKFWHash_Exists(mdObjectHash, mdObject) ) {
-    fwObject = nssCKFWHash_Lookup(mdObjectHash, mdObject);
-    return fwObject;
-  }
-
-  fwObject = nss_ZNEW(arena, NSSCKFWObject);
-  if( (NSSCKFWObject *)NULL == fwObject ) {
-    *pError = CKR_HOST_MEMORY;
-    return (NSSCKFWObject *)NULL;
-  }
-
-  fwObject->arena = arena;
-  fwObject->mdObject = mdObject;
-  fwObject->fwSession = fwSession;
-
-  if( (NSSCKFWSession *)NULL != fwSession ) {
-    fwObject->mdSession = nssCKFWSession_GetMDSession(fwSession);
-  }
-
-  fwObject->fwToken = fwToken;
-
-  if( (NSSCKFWToken *)NULL != fwToken ) {
-    fwObject->mdToken = nssCKFWToken_GetMDToken(fwToken);
-  }
-
-  fwObject->fwInstance = fwInstance;
-  fwObject->mdInstance = nssCKFWInstance_GetMDInstance(fwInstance);
-  fwObject->mutex = nssCKFWInstance_CreateMutex(fwInstance, arena, pError);
-  if( (NSSCKFWMutex *)NULL == fwObject->mutex ) {
-    if( CKR_OK == *pError ) {
-      *pError = CKR_GENERAL_ERROR;
-    }
-    return (NSSCKFWObject *)NULL;
-  }
-
-  *pError = nssCKFWHash_Add(mdObjectHash, mdObject, fwObject);
-  if( CKR_OK != *pError ) {
-    nss_ZFreeIf(fwObject);
-    return (NSSCKFWObject *)NULL;
-  }
-
-#ifdef DEBUG
-  *pError = object_add_pointer(fwObject);
-  if( CKR_OK != *pError ) {
-    nssCKFWHash_Remove(mdObjectHash, mdObject);
-    nss_ZFreeIf(fwObject);
-    return (NSSCKFWObject *)NULL;
-  }
-#endif /* DEBUG */
-
-  *pError = CKR_OK;
-  return fwObject;
-}
-
-/*
- * nssCKFWObject_Finalize
- *
- */
-NSS_IMPLEMENT void
-nssCKFWObject_Finalize
-(
-  NSSCKFWObject *fwObject
-)
-{
-  nssCKFWHash *mdObjectHash;
-
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
-    return;
-  }
-#endif /* NSSDEBUG */
-
-  (void)nssCKFWMutex_Destroy(fwObject->mutex);
-
-  if( (void *)NULL != (void *)fwObject->mdObject->Finalize ) {
-    fwObject->mdObject->Finalize(fwObject->mdObject, fwObject,
-      fwObject->mdSession, fwObject->fwSession, fwObject->mdToken,
-      fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance);
-  }
-
-  mdObjectHash = nssCKFWToken_GetMDObjectHash(fwObject->fwToken);
-  if( (nssCKFWHash *)NULL != mdObjectHash ) {
-    nssCKFWHash_Remove(mdObjectHash, fwObject->mdObject);
-  }
-
-  nssCKFWSession_DeregisterSessionObject(fwObject->fwSession, fwObject);
-  nss_ZFreeIf(fwObject);
-
-#ifdef DEBUG
-  (void)object_remove_pointer(fwObject);
-#endif /* DEBUG */
-
-  return;
-}
-
-/*
- * nssCKFWObject_Destroy
- *
- */
-NSS_IMPLEMENT void
-nssCKFWObject_Destroy
-(
-  NSSCKFWObject *fwObject
-)
-{
-  nssCKFWHash *mdObjectHash;
-
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
-    return;
-  }
-#endif /* NSSDEBUG */
-
-  (void)nssCKFWMutex_Destroy(fwObject->mutex);
-
-  if( (void *)NULL != (void *)fwObject->mdObject->Destroy ) {
-    fwObject->mdObject->Destroy(fwObject->mdObject, fwObject,
-      fwObject->mdSession, fwObject->fwSession, fwObject->mdToken,
-      fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance);
-  }
-
-  mdObjectHash = nssCKFWToken_GetMDObjectHash(fwObject->fwToken);
-  if( (nssCKFWHash *)NULL != mdObjectHash ) {
-    nssCKFWHash_Remove(mdObjectHash, fwObject->mdObject);
-  }
-
-  nssCKFWSession_DeregisterSessionObject(fwObject->fwSession, fwObject);
-  nss_ZFreeIf(fwObject);
-
-#ifdef DEBUG
-  (void)object_remove_pointer(fwObject);
-#endif /* DEBUG */
-
-  return;
-}
-
-/*
- * nssCKFWObject_GetMDObject
- *
- */
-NSS_IMPLEMENT NSSCKMDObject *
-nssCKFWObject_GetMDObject
-(
-  NSSCKFWObject *fwObject
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
-    return (NSSCKMDObject *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  return fwObject->mdObject;
-}
-
-/*
- * nssCKFWObject_GetArena
- *
- */
-NSS_IMPLEMENT NSSArena *
-nssCKFWObject_GetArena
-(
-  NSSCKFWObject *fwObject,
-  CK_RV *pError
-)
-{
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (NSSArena *)NULL;
-  }
-
-  *pError = nssCKFWObject_verifyPointer(fwObject);
-  if( CKR_OK != *pError ) {
-    return (NSSArena *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  return fwObject->arena;
-}
-
-/*
- * nssCKFWObject_SetHandle
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWObject_SetHandle
-(
-  NSSCKFWObject *fwObject,
-  CK_OBJECT_HANDLE hObject
-)
-{
-#ifdef NSSDEBUG
-  CK_RV error = CKR_OK;
-#endif /* NSSDEBUG */
-
-#ifdef NSSDEBUG
-  error = nssCKFWObject_verifyPointer(fwObject);
-  if( CKR_OK != error ) {
-    return error;
-  }
-#endif /* NSSDEBUG */
-
-  if( (CK_OBJECT_HANDLE)0 != fwObject->hObject ) {
-    return CKR_GENERAL_ERROR;
-  }
-
-  fwObject->hObject = hObject;
-
-  return CKR_OK;
-}
-
-/*
- * nssCKFWObject_GetHandle
- *
- */
-NSS_IMPLEMENT CK_OBJECT_HANDLE
-nssCKFWObject_GetHandle
-(
-  NSSCKFWObject *fwObject
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
-    return (CK_OBJECT_HANDLE)0;
-  }
-#endif /* NSSDEBUG */
-
-  return fwObject->hObject;
-}
-
-/*
- * nssCKFWObject_IsTokenObject
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWObject_IsTokenObject
-(
-  NSSCKFWObject *fwObject
-)
-{
-  CK_BBOOL b = CK_FALSE;
-
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
-    return CK_FALSE;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwObject->mdObject->IsTokenObject ) {
-    NSSItem item;
-    NSSItem *pItem;
-    CK_RV rv = CKR_OK;
-
-    item.data = (void *)&b;
-    item.size = sizeof(b);
-
-    pItem = nssCKFWObject_GetAttribute(fwObject, CKA_TOKEN, &item, 
-      (NSSArena *)NULL, &rv);
-    if( (NSSItem *)NULL == pItem ) {
-      /* Error of some type */
-      b = CK_FALSE;
-      goto done;
-    }
-
-    goto done;
-  }
-
-  b = fwObject->mdObject->IsTokenObject(fwObject->mdObject, fwObject, 
-    fwObject->mdSession, fwObject->fwSession, fwObject->mdToken,
-    fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance);
-
- done:
-  return b;
-}
-
-/*
- * nssCKFWObject_GetAttributeCount
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWObject_GetAttributeCount
-(
-  NSSCKFWObject *fwObject,
-  CK_RV *pError
-)
-{
-  CK_ULONG rv;
-
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (CK_ULONG)0;
-  }
-
-  *pError = nssCKFWObject_verifyPointer(fwObject);
-  if( CKR_OK != *pError ) {
-    return (CK_ULONG)0;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwObject->mdObject->GetAttributeCount ) {
-    *pError = CKR_GENERAL_ERROR;
-    return (CK_ULONG)0;
-  }
-
-  *pError = nssCKFWMutex_Lock(fwObject->mutex);
-  if( CKR_OK != *pError ) {
-    return (CK_ULONG)0;
-  }
-
-  rv = fwObject->mdObject->GetAttributeCount(fwObject->mdObject, fwObject,
-    fwObject->mdSession, fwObject->fwSession, fwObject->mdToken, 
-    fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance,
-    pError);
-
-  (void)nssCKFWMutex_Unlock(fwObject->mutex);
-  return rv;
-}
-
-/*
- * nssCKFWObject_GetAttributeTypes
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWObject_GetAttributeTypes
-(
-  NSSCKFWObject *fwObject,
-  CK_ATTRIBUTE_TYPE_PTR typeArray,
-  CK_ULONG ulCount
-)
-{
-  CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
-  error = nssCKFWObject_verifyPointer(fwObject);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  if( (CK_ATTRIBUTE_TYPE_PTR)NULL == typeArray ) {
-    return CKR_ARGUMENTS_BAD;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwObject->mdObject->GetAttributeTypes ) {
-    return CKR_GENERAL_ERROR;
-  }
-
-  error = nssCKFWMutex_Lock(fwObject->mutex);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  error = fwObject->mdObject->GetAttributeTypes(fwObject->mdObject, fwObject,
-    fwObject->mdSession, fwObject->fwSession, fwObject->mdToken, 
-    fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance,
-    typeArray, ulCount);
-
-  (void)nssCKFWMutex_Unlock(fwObject->mutex);
-  return error;
-}
-
-/*
- * nssCKFWObject_GetAttributeSize
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWObject_GetAttributeSize
-(
-  NSSCKFWObject *fwObject,
-  CK_ATTRIBUTE_TYPE attribute,
-  CK_RV *pError
-)
-{
-  CK_ULONG rv;
-
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (CK_ULONG)0;
-  }
-
-  *pError = nssCKFWObject_verifyPointer(fwObject);
-  if( CKR_OK != *pError ) {
-    return (CK_ULONG)0;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwObject->mdObject->GetAttributeSize ) {
-    *pError = CKR_GENERAL_ERROR;
-    return (CK_ULONG )0;
-  }
-
-  *pError = nssCKFWMutex_Lock(fwObject->mutex);
-  if( CKR_OK != *pError ) {
-    return (CK_ULONG)0;
-  }
-
-  rv = fwObject->mdObject->GetAttributeSize(fwObject->mdObject, fwObject,
-    fwObject->mdSession, fwObject->fwSession, fwObject->mdToken, 
-    fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance,
-    attribute, pError);
-
-  (void)nssCKFWMutex_Unlock(fwObject->mutex);
-  return rv;
-}
-
-/*
- * nssCKFWObject_GetAttribute
- *
- * Usual NSS allocation rules:
- * If itemOpt is not NULL, it will be returned; otherwise an NSSItem
- * will be allocated.  If itemOpt is not NULL but itemOpt->data is,
- * the buffer will be allocated; otherwise, the buffer will be used.
- * Any allocations will come from the optional arena, if one is
- * specified.
- */
-NSS_IMPLEMENT NSSItem *
-nssCKFWObject_GetAttribute
-(
-  NSSCKFWObject *fwObject,
-  CK_ATTRIBUTE_TYPE attribute,
-  NSSItem *itemOpt,
-  NSSArena *arenaOpt,
-  CK_RV *pError
-)
-{
-  NSSItem *rv = (NSSItem *)NULL;
-  NSSCKFWItem mdItem;
-
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (NSSItem *)NULL;
-  }
-
-  *pError = nssCKFWObject_verifyPointer(fwObject);
-  if( CKR_OK != *pError ) {
-    return (NSSItem *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwObject->mdObject->GetAttribute ) {
-    *pError = CKR_GENERAL_ERROR;
-    return (NSSItem *)NULL;
-  }
-
-  *pError = nssCKFWMutex_Lock(fwObject->mutex);
-  if( CKR_OK != *pError ) {
-    return (NSSItem *)NULL;
-  }
-
-  mdItem = fwObject->mdObject->GetAttribute(fwObject->mdObject, fwObject,
-    fwObject->mdSession, fwObject->fwSession, fwObject->mdToken, 
-    fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance,
-    attribute, pError);
-
-  if( (NSSItem *)NULL == mdItem.item ) {
-    if( CKR_OK == *pError ) {
-      *pError = CKR_GENERAL_ERROR;
-    }
-
-    goto done;
-  }
-
-  if( (NSSItem *)NULL == itemOpt ) {
-    rv = nss_ZNEW(arenaOpt, NSSItem);
-    if( (NSSItem *)NULL == rv ) {
-      *pError = CKR_HOST_MEMORY;
-      goto done;
-    }
-  } else {
-    rv = itemOpt;
-  }
-
-  if( (void *)NULL == rv->data ) {
-    rv->size = mdItem.item->size;
-    rv->data = nss_ZAlloc(arenaOpt, rv->size);
-    if( (void *)NULL == rv->data ) {
-      *pError = CKR_HOST_MEMORY;
-      if( (NSSItem *)NULL == itemOpt ) {
-        nss_ZFreeIf(rv);
-      }
-      rv = (NSSItem *)NULL;
-      goto done;
-    }
-  } else {
-    if( rv->size >= mdItem.item->size ) {
-      rv->size = mdItem.item->size;
-    } else {
-      *pError = CKR_BUFFER_TOO_SMALL;
-      /* Should we set rv->size to mdItem->size? */
-      /* rv can't have been allocated */
-      rv = (NSSItem *)NULL;
-      goto done;
-    }
-  }
-
-  (void)nsslibc_memcpy(rv->data, mdItem.item->data, rv->size);
-
-  if (PR_TRUE == mdItem.needsFreeing) {
-    PR_ASSERT(fwObject->mdObject->FreeAttribute);
-    if (fwObject->mdObject->FreeAttribute) {
-      *pError = fwObject->mdObject->FreeAttribute(&mdItem);
-    }
-  }
-
- done:
-  (void)nssCKFWMutex_Unlock(fwObject->mutex);
-  return rv;
-}
-
-/*
- * nssCKFWObject_SetAttribute
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWObject_SetAttribute
-(
-  NSSCKFWObject *fwObject,
-  CK_ATTRIBUTE_TYPE attribute,
-  NSSItem *value
-)
-{
-  CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
-  error = nssCKFWObject_verifyPointer(fwObject);
-  if( CKR_OK != error ) {
-    return error;
-  }
-#endif /* NSSDEBUG */
-
-  if( CKA_TOKEN == attribute ) {
-    /*
-     * We're changing from a session object to a token object or 
-     * vice-versa.
-     */
-
-    CK_ATTRIBUTE a;
-    NSSCKFWObject *newFwObject;
-    NSSCKFWObject swab;
-
-    a.type = CKA_TOKEN;
-    a.pValue = value->data;
-    a.ulValueLen = value->size;
-
-    newFwObject = nssCKFWSession_CopyObject(fwObject->fwSession, fwObject,
-                    &a, 1, &error);
-    if( (NSSCKFWObject *)NULL == newFwObject ) {
-      if( CKR_OK == error ) {
-        error = CKR_GENERAL_ERROR;
-      }
-      return error;
-    }
-
-    /*
-     * Actually, I bet the locking is worse than this.. this part of
-     * the code could probably use some scrutiny and reworking.
-     */
-    error = nssCKFWMutex_Lock(fwObject->mutex);
-    if( CKR_OK != error ) {
-      nssCKFWObject_Destroy(newFwObject);
-      return error;
-    }
-
-    error = nssCKFWMutex_Lock(newFwObject->mutex);
-    if( CKR_OK != error ) {
-      nssCKFWMutex_Unlock(fwObject->mutex);
-      nssCKFWObject_Destroy(newFwObject);
-      return error;
-    }
-
-    /* 
-     * Now, we have our new object, but it has a new fwObject pointer,
-     * while we have to keep the existing one.  So quick swap the contents.
-     */
-    swab = *fwObject;
-    *fwObject = *newFwObject;
-    *newFwObject = swab;
-
-    /* But keep the mutexes the same */
-    swab.mutex = fwObject->mutex;
-    fwObject->mutex = newFwObject->mutex;
-    newFwObject->mutex = swab.mutex;
-
-    (void)nssCKFWMutex_Unlock(newFwObject->mutex);
-    (void)nssCKFWMutex_Unlock(fwObject->mutex);
-
-    /*
-     * Either remove or add this to the list of session objects
-     */
-
-    if( CK_FALSE == *(CK_BBOOL *)value->data ) {
-      /* 
-       * New one is a session object, except since we "stole" the fwObject, it's
-       * not in the list.  Add it.
-       */
-      nssCKFWSession_RegisterSessionObject(fwObject->fwSession, fwObject);
-    } else {
-      /*
-       * New one is a token object, except since we "stole" the fwObject, it's
-       * in the list.  Remove it.
-       */
-      nssCKFWSession_DeregisterSessionObject(fwObject->fwSession, fwObject);
-    }
-
-    /*
-     * Now delete the old object.  Remember the names have changed.
-     */
-    nssCKFWObject_Destroy(newFwObject);
-
-    return CKR_OK;
-  } else {
-    /*
-     * An "ordinary" change.
-     */
-    if( (void *)NULL == (void *)fwObject->mdObject->SetAttribute ) {
-      /* We could fake it with copying, like above.. later */
-      return CKR_ATTRIBUTE_READ_ONLY;
-    }
-
-    error = nssCKFWMutex_Lock(fwObject->mutex);
-    if( CKR_OK != error ) {
-      return error;
-    }
-
-    error = fwObject->mdObject->SetAttribute(fwObject->mdObject, fwObject,
-      fwObject->mdSession, fwObject->fwSession, fwObject->mdToken, 
-      fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance,
-      attribute, value);
-
-    (void)nssCKFWMutex_Unlock(fwObject->mutex);
-
-    return error;
-  }
-}
-
-/*
- * nssCKFWObject_GetObjectSize
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWObject_GetObjectSize
-(
-  NSSCKFWObject *fwObject,
-  CK_RV *pError
-)
-{
-  CK_ULONG rv;
-
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (CK_ULONG)0;
-  }
-
-  *pError = nssCKFWObject_verifyPointer(fwObject);
-  if( CKR_OK != *pError ) {
-    return (CK_ULONG)0;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwObject->mdObject->GetObjectSize ) {
-    *pError = CKR_INFORMATION_SENSITIVE;
-    return (CK_ULONG)0;
-  }
-
-  *pError = nssCKFWMutex_Lock(fwObject->mutex);
-  if( CKR_OK != *pError ) {
-    return (CK_ULONG)0;
-  }
-
-  rv = fwObject->mdObject->GetObjectSize(fwObject->mdObject, fwObject,
-    fwObject->mdSession, fwObject->fwSession, fwObject->mdToken, 
-    fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance,
-    pError);
-
-  (void)nssCKFWMutex_Unlock(fwObject->mutex);
-  return rv;
-}
-
-/*
- * NSSCKFWObject_GetMDObject
- *
- */
-NSS_IMPLEMENT NSSCKMDObject *
-NSSCKFWObject_GetMDObject
-(
-  NSSCKFWObject *fwObject
-)
-{
-#ifdef DEBUG
-  if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
-    return (NSSCKMDObject *)NULL;
-  }
-#endif /* DEBUG */
-
-  return nssCKFWObject_GetMDObject(fwObject);
-}
-
-/*
- * NSSCKFWObject_GetArena
- *
- */
-NSS_IMPLEMENT NSSArena *
-NSSCKFWObject_GetArena
-(
-  NSSCKFWObject *fwObject,
-  CK_RV *pError
-)
-{
-#ifdef DEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (NSSArena *)NULL;
-  }
-
-  *pError = nssCKFWObject_verifyPointer(fwObject);
-  if( CKR_OK != *pError ) {
-    return (NSSArena *)NULL;
-  }
-#endif /* DEBUG */
-
-  return nssCKFWObject_GetArena(fwObject, pError);
-}
-
-/*
- * NSSCKFWObject_IsTokenObject
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-NSSCKFWObject_IsTokenObject
-(
-  NSSCKFWObject *fwObject
-)
-{
-#ifdef DEBUG
-  if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
-    return CK_FALSE;
-  }
-#endif /* DEBUG */
-
-  return nssCKFWObject_IsTokenObject(fwObject);
-}
-
-/*
- * NSSCKFWObject_GetAttributeCount
- *
- */
-NSS_IMPLEMENT CK_ULONG
-NSSCKFWObject_GetAttributeCount
-(
-  NSSCKFWObject *fwObject,
-  CK_RV *pError
-)
-{
-#ifdef DEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (CK_ULONG)0;
-  }
-
-  *pError = nssCKFWObject_verifyPointer(fwObject);
-  if( CKR_OK != *pError ) {
-    return (CK_ULONG)0;
-  }
-#endif /* DEBUG */
-
-  return nssCKFWObject_GetAttributeCount(fwObject, pError);
-}
-
-/*
- * NSSCKFWObject_GetAttributeTypes
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWObject_GetAttributeTypes
-(
-  NSSCKFWObject *fwObject,
-  CK_ATTRIBUTE_TYPE_PTR typeArray,
-  CK_ULONG ulCount
-)
-{
-#ifdef DEBUG
-  CK_RV error = CKR_OK;
-
-  error = nssCKFWObject_verifyPointer(fwObject);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  if( (CK_ATTRIBUTE_TYPE_PTR)NULL == typeArray ) {
-    return CKR_ARGUMENTS_BAD;
-  }
-#endif /* DEBUG */
-
-  return nssCKFWObject_GetAttributeTypes(fwObject, typeArray, ulCount);
-}
-
-/*
- * NSSCKFWObject_GetAttributeSize
- *
- */
-NSS_IMPLEMENT CK_ULONG
-NSSCKFWObject_GetAttributeSize
-(
-  NSSCKFWObject *fwObject,
-  CK_ATTRIBUTE_TYPE attribute,
-  CK_RV *pError
-)
-{
-#ifdef DEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (CK_ULONG)0;
-  }
-
-  *pError = nssCKFWObject_verifyPointer(fwObject);
-  if( CKR_OK != *pError ) {
-    return (CK_ULONG)0;
-  }
-#endif /* DEBUG */
-
-  return nssCKFWObject_GetAttributeSize(fwObject, attribute, pError);
-}
-
-/*
- * NSSCKFWObject_GetAttribute
- *
- */
-NSS_IMPLEMENT NSSItem *
-NSSCKFWObject_GetAttribute
-(
-  NSSCKFWObject *fwObject,
-  CK_ATTRIBUTE_TYPE attribute,
-  NSSItem *itemOpt,
-  NSSArena *arenaOpt,
-  CK_RV *pError
-)
-{
-#ifdef DEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (NSSItem *)NULL;
-  }
-
-  *pError = nssCKFWObject_verifyPointer(fwObject);
-  if( CKR_OK != *pError ) {
-    return (NSSItem *)NULL;
-  }
-#endif /* DEBUG */
-
-  return nssCKFWObject_GetAttribute(fwObject, attribute, itemOpt, arenaOpt, pError);
-}
-
-/*
- * NSSCKFWObject_GetObjectSize
- *
- */
-NSS_IMPLEMENT CK_ULONG
-NSSCKFWObject_GetObjectSize
-(
-  NSSCKFWObject *fwObject,
-  CK_RV *pError
-)
-{
-#ifdef DEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (CK_ULONG)0;
-  }
-
-  *pError = nssCKFWObject_verifyPointer(fwObject);
-  if( CKR_OK != *pError ) {
-    return (CK_ULONG)0;
-  }
-#endif /* DEBUG */
-
-  return nssCKFWObject_GetObjectSize(fwObject, pError);
-}
diff --git a/security/nss/lib/ckfw/session.c b/security/nss/lib/ckfw/session.c
deleted file mode 100644
index b2a85d75c..000000000
--- a/security/nss/lib/ckfw/session.c
+++ /dev/null
@@ -1,1965 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * session.c
- *
- * This file implements the NSSCKFWSession type and methods.
- */
-
-#ifndef CK_T
-#include "ck.h"
-#endif /* CK_T */
-
-/*
- * NSSCKFWSession
- *
- *  -- create/destroy --
- *  nssCKFWSession_Create
- *  nssCKFWSession_Destroy
- *
- *  -- public accessors --
- *  NSSCKFWSession_GetMDSession
- *  NSSCKFWSession_GetArena
- *  NSSCKFWSession_CallNotification
- *  NSSCKFWSession_IsRWSession
- *  NSSCKFWSession_IsSO
- *
- *  -- implement public accessors --
- *  nssCKFWSession_GetMDSession
- *  nssCKFWSession_GetArena
- *  nssCKFWSession_CallNotification
- *  nssCKFWSession_IsRWSession
- *  nssCKFWSession_IsSO
- *
- *  -- private accessors --
- *  nssCKFWSession_GetSlot
- *  nssCKFWSession_GetSessionState
- *  nssCKFWSession_SetFWFindObjects
- *  nssCKFWSession_GetFWFindObjects
- *  nssCKFWSession_SetMDSession
- *  nssCKFWSession_SetHandle
- *  nssCKFWSession_GetHandle
- *  nssCKFWSession_RegisterSessionObject
- *  nssCKFWSession_DeegisterSessionObject
- *
- *  -- module fronts --
- *  nssCKFWSession_GetDeviceError
- *  nssCKFWSession_Login
- *  nssCKFWSession_Logout
- *  nssCKFWSession_InitPIN
- *  nssCKFWSession_SetPIN
- *  nssCKFWSession_GetOperationStateLen
- *  nssCKFWSession_GetOperationState
- *  nssCKFWSession_SetOperationState
- *  nssCKFWSession_CreateObject
- *  nssCKFWSession_CopyObject
- *  nssCKFWSession_FindObjectsInit
- *  nssCKFWSession_SeedRandom
- *  nssCKFWSession_GetRandom
- */
-
-struct NSSCKFWSessionStr {
-  NSSArena *arena;
-  NSSCKMDSession *mdSession;
-  NSSCKFWToken *fwToken;
-  NSSCKMDToken *mdToken;
-  NSSCKFWInstance *fwInstance;
-  NSSCKMDInstance *mdInstance;
-  CK_VOID_PTR pApplication;
-  CK_NOTIFY Notify;
-
-  /*
-   * Everything above is set at creation time, and then not modified.
-   * The items below are atomic.  No locking required.  If we fear
-   * about pointer-copies being nonatomic, we'll lock fwFindObjects.
-   */
-
-  CK_BBOOL rw;
-  NSSCKFWFindObjects *fwFindObjects;
-  nssCKFWHash *sessionObjectHash;
-  CK_SESSION_HANDLE hSession;
-};
-
-#ifdef DEBUG
-/*
- * But first, the pointer-tracking stuff.
- *
- * NOTE: the pointer-tracking support in NSS/base currently relies
- * upon NSPR's CallOnce support.  That, however, relies upon NSPR's
- * locking, which is tied into the runtime.  We need a pointer-tracker
- * implementation that uses the locks supplied through C_Initialize.
- * That support, however, can be filled in later.  So for now, I'll
- * just do this routines as no-ops.
- */
-
-static CK_RV
-session_add_pointer
-(
-  const NSSCKFWSession *fwSession
-)
-{
-  return CKR_OK;
-}
-
-static CK_RV
-session_remove_pointer
-(
-  const NSSCKFWSession *fwSession
-)
-{
-  return CKR_OK;
-}
-
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_verifyPointer
-(
-  const NSSCKFWSession *fwSession
-)
-{
-  return CKR_OK;
-}
-
-#endif /* DEBUG */
-
-/*
- * nssCKFWSession_Create
- *
- */
-NSS_IMPLEMENT NSSCKFWSession *
-nssCKFWSession_Create
-(
-  NSSCKFWToken *fwToken,
-  CK_BBOOL rw,
-  CK_VOID_PTR pApplication,
-  CK_NOTIFY Notify,
-  CK_RV *pError
-)
-{
-  NSSArena *arena = (NSSArena *)NULL;
-  NSSCKFWSession *fwSession;
-  NSSCKFWSlot *fwSlot;
-
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (NSSCKFWSession *)NULL;
-  }
-
-  *pError = nssCKFWToken_verifyPointer(fwToken);
-  if( CKR_OK != *pError ) {
-    return (NSSCKFWSession *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  arena = NSSArena_Create();
-  if( (NSSArena *)NULL == arena ) {
-    *pError = CKR_HOST_MEMORY;
-    return (NSSCKFWSession *)NULL;
-  }
-
-  fwSession = nss_ZNEW(arena, NSSCKFWSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
-    *pError = CKR_HOST_MEMORY;
-    goto loser;
-  }
-
-  fwSession->arena = arena;
-  fwSession->mdSession = (NSSCKMDSession *)NULL; /* set later */
-  fwSession->fwToken = fwToken;
-  fwSession->mdToken = nssCKFWToken_GetMDToken(fwToken);
-
-  fwSlot = nssCKFWToken_GetFWSlot(fwToken);
-  fwSession->fwInstance = nssCKFWSlot_GetFWInstance(fwSlot);
-  fwSession->mdInstance = nssCKFWSlot_GetMDInstance(fwSlot);
-
-  fwSession->rw = rw;
-  fwSession->pApplication = pApplication;
-  fwSession->Notify = Notify;
-
-  fwSession->fwFindObjects = (NSSCKFWFindObjects *)NULL;
-
-  fwSession->sessionObjectHash = nssCKFWHash_Create(fwSession->fwInstance, arena, pError);
-  if( (nssCKFWHash *)NULL == fwSession->sessionObjectHash ) {
-    if( CKR_OK == *pError ) {
-      *pError = CKR_GENERAL_ERROR;
-    }
-    goto loser;
-  }
-
-#ifdef DEBUG
-  *pError = session_add_pointer(fwSession);
-  if( CKR_OK != *pError ) {
-    goto loser;
-  }
-#endif /* DEBUG */
-
-  return fwSession;
-
- loser:
-  if( (NSSArena *)NULL != arena ) {
-    if( (nssCKFWHash *)NULL != fwSession->sessionObjectHash ) {
-      (void)nssCKFWHash_Destroy(fwSession->sessionObjectHash);
-    }
-    NSSArena_Destroy(arena);
-  }
-
-  return (NSSCKFWSession *)NULL;
-}
-
-static void
-nss_ckfw_session_object_destroy_iterator
-(
-  const void *key,
-  void *value,
-  void *closure
-)
-{
-  NSSCKFWObject *fwObject = (NSSCKFWObject *)value;
-  nssCKFWObject_Finalize(fwObject);
-}
-
-/*
- * nssCKFWSession_Destroy
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_Destroy
-(
-  NSSCKFWSession *fwSession,
-  CK_BBOOL removeFromTokenHash
-)
-{
-  CK_RV error = CKR_OK;
-  nssCKFWHash *sessionObjectHash;
-
-#ifdef NSSDEBUG
-  error = nssCKFWSession_verifyPointer(fwSession);
-  if( CKR_OK != error ) {
-    return error;
-  }
-#endif /* NSSDEBUG */
-
-  if( removeFromTokenHash ) {
-    error = nssCKFWToken_RemoveSession(fwSession->fwToken, fwSession);
-  }
-
-  /*
-   * Invalidate session objects
-   */
-
-  sessionObjectHash = fwSession->sessionObjectHash;
-  fwSession->sessionObjectHash = (nssCKFWHash *)NULL;
-
-  nssCKFWHash_Iterate(sessionObjectHash, 
-                      nss_ckfw_session_object_destroy_iterator, 
-                      (void *)NULL);
-
-#ifdef DEBUG
-  (void)session_remove_pointer(fwSession);
-#endif /* DEBUG */
-  (void)nssCKFWHash_Destroy(sessionObjectHash);
-  NSSArena_Destroy(fwSession->arena);
-
-  return error;
-}
-
-/*
- * nssCKFWSession_GetMDSession
- *
- */
-NSS_IMPLEMENT NSSCKMDSession *
-nssCKFWSession_GetMDSession
-(
-  NSSCKFWSession *fwSession
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
-    return (NSSCKMDSession *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  return fwSession->mdSession;
-}
-
-/*
- * nssCKFWSession_GetArena
- *
- */
-NSS_IMPLEMENT NSSArena *
-nssCKFWSession_GetArena
-(
-  NSSCKFWSession *fwSession,
-  CK_RV *pError
-)
-{
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (NSSArena *)NULL;
-  }
-
-  *pError = nssCKFWSession_verifyPointer(fwSession);
-  if( CKR_OK != *pError ) {
-    return (NSSArena *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  return fwSession->arena;
-}
-
-/*
- * nssCKFWSession_CallNotification
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_CallNotification
-(
-  NSSCKFWSession *fwSession,
-  CK_NOTIFICATION event
-)
-{
-  CK_RV error = CKR_OK;
-  CK_SESSION_HANDLE handle;
-
-#ifdef NSSDEBUG
-  error = nssCKFWSession_verifyPointer(fwSession);
-  if( CKR_OK != error ) {
-    return error;
-  }
-#endif /* NSSDEBUG */
-
-  if( (CK_NOTIFY)NULL == fwSession->Notify ) {
-    return CKR_OK;
-  }
-
-  handle = nssCKFWInstance_FindSessionHandle(fwSession->fwInstance, fwSession);
-  if( (CK_SESSION_HANDLE)0 == handle ) {
-    return CKR_GENERAL_ERROR;
-  }
-
-  error = fwSession->Notify(handle, event, fwSession->pApplication);
-
-  return error;
-}
-
-/*
- * nssCKFWSession_IsRWSession
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWSession_IsRWSession
-(
-  NSSCKFWSession *fwSession
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
-    return CK_FALSE;
-  }
-#endif /* NSSDEBUG */
-
-  return fwSession->rw;
-}
-
-/*
- * nssCKFWSession_IsSO
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWSession_IsSO
-(
-  NSSCKFWSession *fwSession
-)
-{
-  CK_STATE state;
-
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
-    return CK_FALSE;
-  }
-#endif /* NSSDEBUG */
-
-  state = nssCKFWToken_GetSessionState(fwSession->fwToken);
-  switch( state ) {
-  case CKS_RO_PUBLIC_SESSION:
-  case CKS_RO_USER_FUNCTIONS:
-  case CKS_RW_PUBLIC_SESSION:
-  case CKS_RW_USER_FUNCTIONS:
-    return CK_FALSE;
-  case CKS_RW_SO_FUNCTIONS:
-    return CK_TRUE;
-  default:
-    return CK_FALSE;
-  }
-}
-
-/*
- * nssCKFWSession_GetFWSlot
- *
- */
-NSS_IMPLEMENT NSSCKFWSlot *
-nssCKFWSession_GetFWSlot
-(
-  NSSCKFWSession *fwSession
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
-    return (NSSCKFWSlot *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  return nssCKFWToken_GetFWSlot(fwSession->fwToken);
-}
-
-/*
- * nssCFKWSession_GetSessionState
- *
- */
-NSS_IMPLEMENT CK_STATE
-nssCKFWSession_GetSessionState
-(
-  NSSCKFWSession *fwSession
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
-    return CKS_RO_PUBLIC_SESSION; /* whatever */
-  }
-#endif /* NSSDEBUG */
-
-  return nssCKFWToken_GetSessionState(fwSession->fwToken);
-}
-
-/*
- * nssCKFWSession_SetFWFindObjects
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_SetFWFindObjects
-(
-  NSSCKFWSession *fwSession,
-  NSSCKFWFindObjects *fwFindObjects
-)
-{
-#ifdef NSSDEBUG
-  CK_RV error = CKR_OK;
-#endif /* NSSDEBUG */
-
-#ifdef NSSDEBUG
-  error = nssCKFWSession_verifyPointer(fwSession);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  /* fwFindObjects may be null */
-#endif /* NSSDEBUG */
-
-  if( ((NSSCKFWFindObjects *)NULL != fwSession->fwFindObjects) &&
-      ((NSSCKFWFindObjects *)NULL != fwFindObjects) ) {
-    return CKR_OPERATION_ACTIVE;
-  }
-
-  fwSession->fwFindObjects = fwFindObjects;
-
-  return CKR_OK;
-}
-
-/*
- * nssCKFWSession_GetFWFindObjects
- *
- */
-NSS_IMPLEMENT NSSCKFWFindObjects *
-nssCKFWSession_GetFWFindObjects
-(
-  NSSCKFWSession *fwSession,
-  CK_RV *pError
-)
-{
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (NSSCKFWFindObjects *)NULL;
-  }
-
-  *pError = nssCKFWSession_verifyPointer(fwSession);
-  if( CKR_OK != *pError ) {
-    return (NSSCKFWFindObjects *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  if( (NSSCKFWFindObjects *)NULL == fwSession->fwFindObjects ) {
-    *pError = CKR_OPERATION_NOT_INITIALIZED;
-    return (NSSCKFWFindObjects *)NULL;
-  }
-
-  return fwSession->fwFindObjects;
-}
-
-/*
- * nssCKFWSession_SetMDSession
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_SetMDSession
-(
-  NSSCKFWSession *fwSession,
-  NSSCKMDSession *mdSession
-)
-{
-#ifdef NSSDEBUG
-  CK_RV error = CKR_OK;
-#endif /* NSSDEBUG */
-
-#ifdef NSSDEBUG
-  error = nssCKFWSession_verifyPointer(fwSession);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  if( (NSSCKMDSession *)NULL == mdSession ) {
-    return CKR_ARGUMENTS_BAD;
-  }
-#endif /* NSSDEBUG */
-
-  if( (NSSCKMDSession *)NULL != fwSession->mdSession ) {
-    return CKR_GENERAL_ERROR;
-  }
-
-  fwSession->mdSession = mdSession;
-
-  return CKR_OK;
-}
-
-/*
- * nssCKFWSession_SetHandle
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_SetHandle
-(
-  NSSCKFWSession *fwSession,
-  CK_SESSION_HANDLE hSession
-)
-{
-#ifdef NSSDEBUG
-  CK_RV error = CKR_OK;
-#endif /* NSSDEBUG */
-
-#ifdef NSSDEBUG
-  error = nssCKFWSession_verifyPointer(fwSession);
-  if( CKR_OK != error ) {
-    return error;
-  }
-#endif /* NSSDEBUG */
-
-  if( (CK_SESSION_HANDLE)0 != fwSession->hSession ) {
-    return CKR_GENERAL_ERROR;
-  }
-
-  fwSession->hSession = hSession;
-
-  return CKR_OK;
-}
-
-/*
- * nssCKFWSession_GetHandle
- *
- */
-NSS_IMPLEMENT CK_SESSION_HANDLE
-nssCKFWSession_GetHandle
-(
-  NSSCKFWSession *fwSession
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
-    return NULL;
-  }
-#endif /* NSSDEBUG */
-
-  return fwSession->hSession;
-}
-
-/*
- * nssCKFWSession_RegisterSessionObject
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_RegisterSessionObject
-(
-  NSSCKFWSession *fwSession,
-  NSSCKFWObject *fwObject
-)
-{
-  CK_RV rv = CKR_OK;
-
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
-    return CKR_GENERAL_ERROR;
-  }
-#endif /* NSSDEBUG */
-
-  if( (nssCKFWHash *)NULL != fwSession->sessionObjectHash ) {
-    rv = nssCKFWHash_Add(fwSession->sessionObjectHash, fwObject, fwObject);
-  }
-
-  return rv;
-}
-
-/*
- * nssCKFWSession_DeregisterSessionObject
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_DeregisterSessionObject
-(
-  NSSCKFWSession *fwSession,
-  NSSCKFWObject *fwObject
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
-    return CKR_GENERAL_ERROR;
-  }
-#endif /* NSSDEBUG */
-
-  if( (nssCKFWHash *)NULL != fwSession->sessionObjectHash ) {
-    nssCKFWHash_Remove(fwSession->sessionObjectHash, fwObject);
-  }
-
-  return CKR_OK;
-}
-
-/*
- * nssCKFWSession_GetDeviceError
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWSession_GetDeviceError
-(
-  NSSCKFWSession *fwSession
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
-    return (CK_ULONG)0;
-  }
-
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
-    return (CK_ULONG)0;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwSession->mdSession->GetDeviceError ) {
-    return (CK_ULONG)0;
-  }
-
-  return fwSession->mdSession->GetDeviceError(fwSession->mdSession, 
-    fwSession, fwSession->mdToken, fwSession->fwToken, 
-    fwSession->mdInstance, fwSession->fwInstance);
-}
-
-/*
- * nssCKFWSession_Login
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_Login
-(
-  NSSCKFWSession *fwSession,
-  CK_USER_TYPE userType,
-  NSSItem *pin
-)
-{
-  CK_RV error = CKR_OK;
-  CK_STATE oldState;
-  CK_STATE newState;
-
-#ifdef NSSDEBUG
-  error = nssCKFWSession_verifyPointer(fwSession);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  switch( userType ) {
-  case CKU_SO:
-  case CKU_USER:
-    break;
-  default:
-    return CKR_USER_TYPE_INVALID;
-  }
-
-  if( (NSSItem *)NULL == pin ) {
-    if( CK_TRUE != nssCKFWToken_GetHasProtectedAuthenticationPath(fwSession->fwToken) ) {
-      return CKR_ARGUMENTS_BAD;
-    }
-  }
-
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
-    return CKR_GENERAL_ERROR;
-  }
-#endif /* NSSDEBUG */
-
-  oldState = nssCKFWToken_GetSessionState(fwSession->fwToken);
-
-  /*
-   * It's not clear what happens when you're already logged in.
-   * I'll just fail; but if we decide to change, the logic is
-   * all right here.
-   */
-
-  if( CKU_SO == userType ) {
-    switch( oldState ) {
-    case CKS_RO_PUBLIC_SESSION:      
-      /*
-       * There's no such thing as a read-only security officer
-       * session, so fail.  The error should be CKR_SESSION_READ_ONLY,
-       * except that C_Login isn't defined to return that.  So we'll
-       * do CKR_SESSION_READ_ONLY_EXISTS, which is what is documented.
-       */
-      return CKR_SESSION_READ_ONLY_EXISTS;
-    case CKS_RO_USER_FUNCTIONS:
-      return CKR_USER_ANOTHER_ALREADY_LOGGED_IN;
-    case CKS_RW_PUBLIC_SESSION:
-      newState = CKS_RW_SO_FUNCTIONS;
-      break;
-    case CKS_RW_USER_FUNCTIONS:
-      return CKR_USER_ANOTHER_ALREADY_LOGGED_IN;
-    case CKS_RW_SO_FUNCTIONS:
-      return CKR_USER_ALREADY_LOGGED_IN;
-    default:
-      return CKR_GENERAL_ERROR;
-    }
-  } else /* CKU_USER == userType */ {
-    switch( oldState ) {
-    case CKS_RO_PUBLIC_SESSION:      
-      newState = CKS_RO_USER_FUNCTIONS;
-      break;
-    case CKS_RO_USER_FUNCTIONS:
-      return CKR_USER_ALREADY_LOGGED_IN;
-    case CKS_RW_PUBLIC_SESSION:
-      newState = CKS_RW_USER_FUNCTIONS;
-      break;
-    case CKS_RW_USER_FUNCTIONS:
-      return CKR_USER_ALREADY_LOGGED_IN;
-    case CKS_RW_SO_FUNCTIONS:
-      return CKR_USER_ANOTHER_ALREADY_LOGGED_IN;
-    default:
-      return CKR_GENERAL_ERROR;
-    }
-  }
-
-  /*
-   * So now we're in one of three cases:
-   *
-   * Old == CKS_RW_PUBLIC_SESSION, New == CKS_RW_SO_FUNCTIONS;
-   * Old == CKS_RW_PUBLIC_SESSION, New == CKS_RW_USER_FUNCTIONS;
-   * Old == CKS_RO_PUBLIC_SESSION, New == CKS_RO_USER_FUNCTIONS;
-   */
-
-  if( (void *)NULL == (void *)fwSession->mdSession->Login ) {
-    /*
-     * The Module doesn't want to be informed (or check the pin)
-     * it'll just rely on the Framework as needed.
-     */
-    ;
-  } else {
-    error = fwSession->mdSession->Login(fwSession->mdSession, fwSession,
-      fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
-      fwSession->fwInstance, userType, pin, oldState, newState);
-    if( CKR_OK != error ) {
-      return error;
-    }
-  }
-
-  (void)nssCKFWToken_SetSessionState(fwSession->fwToken, newState);
-  return CKR_OK;
-}
-
-/*
- * nssCKFWSession_Logout
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_Logout
-(
-  NSSCKFWSession *fwSession
-)
-{
-  CK_RV error = CKR_OK;
-  CK_STATE oldState;
-  CK_STATE newState;
-
-#ifdef NSSDEBUG
-  error = nssCKFWSession_verifyPointer(fwSession);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
-    return CKR_GENERAL_ERROR;
-  }
-#endif /* NSSDEBUG */
-
-  oldState = nssCKFWToken_GetSessionState(fwSession->fwToken);
-
-  switch( oldState ) {
-  case CKS_RO_PUBLIC_SESSION:
-    return CKR_USER_NOT_LOGGED_IN;
-  case CKS_RO_USER_FUNCTIONS:
-    newState = CKS_RO_PUBLIC_SESSION;
-    break;
-  case CKS_RW_PUBLIC_SESSION:
-    return CKR_USER_NOT_LOGGED_IN;
-  case CKS_RW_USER_FUNCTIONS:
-    newState = CKS_RW_PUBLIC_SESSION;
-    break;
-  case CKS_RW_SO_FUNCTIONS:
-    newState = CKS_RW_PUBLIC_SESSION;
-    break;
-  default:
-    return CKR_GENERAL_ERROR;
-  }
-
-  /*
-   * So now we're in one of three cases:
-   *
-   * Old == CKS_RW_SO_FUNCTIONS,   New == CKS_RW_PUBLIC_SESSION;
-   * Old == CKS_RW_USER_FUNCTIONS, New == CKS_RW_PUBLIC_SESSION;
-   * Old == CKS_RO_USER_FUNCTIONS, New == CKS_RO_PUBLIC_SESSION;
-   */
-
-  if( (void *)NULL == (void *)fwSession->mdSession->Logout ) {
-    /*
-     * The Module doesn't want to be informed.  Okay.
-     */
-    ;
-  } else {
-    error = fwSession->mdSession->Logout(fwSession->mdSession, fwSession,
-      fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
-      fwSession->fwInstance, oldState, newState);
-    if( CKR_OK != error ) {
-      /*
-       * Now what?!  A failure really should end up with the Framework
-       * considering it logged out, right?
-       */
-      ;
-    }
-  }
-
-  (void)nssCKFWToken_SetSessionState(fwSession->fwToken, newState);
-  return error;
-}
-
-/*
- * nssCKFWSession_InitPIN
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_InitPIN
-(
-  NSSCKFWSession *fwSession,
-  NSSItem *pin
-)
-{
-  CK_RV error = CKR_OK;
-  CK_STATE state;
-
-#ifdef NSSDEBUG
-  error = nssCKFWSession_verifyPointer(fwSession);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
-    return CKR_GENERAL_ERROR;
-  }
-#endif /* NSSDEBUG */
-
-  state = nssCKFWToken_GetSessionState(fwSession->fwToken);
-  if( CKS_RW_SO_FUNCTIONS != state ) {
-    return CKR_USER_NOT_LOGGED_IN;
-  }
-
-  if( (NSSItem *)NULL == pin ) {
-    CK_BBOOL has = nssCKFWToken_GetHasProtectedAuthenticationPath(fwSession->fwToken);
-    if( CK_TRUE != has ) {
-      return CKR_ARGUMENTS_BAD;
-    }
-  }
-
-  if( (void *)NULL == (void *)fwSession->mdSession->InitPIN ) {
-    return CKR_TOKEN_WRITE_PROTECTED;
-  }
-
-  error = fwSession->mdSession->InitPIN(fwSession->mdSession, fwSession,
-    fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
-    fwSession->fwInstance, pin);
-
-  return error;
-}
-
-/*
- * nssCKFWSession_SetPIN
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_SetPIN
-(
-  NSSCKFWSession *fwSession,
-  NSSItem *newPin,
-  NSSItem *oldPin
-)
-{
-  CK_RV error = CKR_OK;
-  CK_STATE state;
-
-#ifdef NSSDEBUG
-  error = nssCKFWSession_verifyPointer(fwSession);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
-    return CKR_GENERAL_ERROR;
-  }
-#endif /* NSSDEBUG */
-
-  state = nssCKFWToken_GetSessionState(fwSession->fwToken);
-  if( (CKS_RW_SO_FUNCTIONS != state) &&
-      (CKS_RW_USER_FUNCTIONS != state) ) {
-    return CKR_USER_NOT_LOGGED_IN;
-  }
-
-  if( (NSSItem *)NULL == newPin ) {
-    CK_BBOOL has = nssCKFWToken_GetHasProtectedAuthenticationPath(fwSession->fwToken);
-    if( CK_TRUE != has ) {
-      return CKR_ARGUMENTS_BAD;
-    }
-  }
-
-  if( (NSSItem *)NULL == oldPin ) {
-    CK_BBOOL has = nssCKFWToken_GetHasProtectedAuthenticationPath(fwSession->fwToken);
-    if( CK_TRUE != has ) {
-      return CKR_ARGUMENTS_BAD;
-    }
-  }
-
-  if( (void *)NULL == (void *)fwSession->mdSession->SetPIN ) {
-    return CKR_TOKEN_WRITE_PROTECTED;
-  }
-
-  error = fwSession->mdSession->SetPIN(fwSession->mdSession, fwSession,
-    fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
-    fwSession->fwInstance, newPin, oldPin);
-
-  return error;
-}
-
-/*
- * nssCKFWSession_GetOperationStateLen
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWSession_GetOperationStateLen
-(
-  NSSCKFWSession *fwSession,
-  CK_RV *pError
-)
-{
-  CK_ULONG mdAmt;
-  CK_ULONG fwAmt;
-
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (CK_ULONG)0;
-  }
-
-  *pError = nssCKFWSession_verifyPointer(fwSession);
-  if( CKR_OK != *pError ) {
-    return (CK_ULONG)0;
-  }
-
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
-    *pError = CKR_GENERAL_ERROR;
-    return (CK_ULONG)0;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwSession->mdSession->GetOperationStateLen ) {
-    *pError = CKR_STATE_UNSAVEABLE;
-  }
-
-  /*
-   * We could check that the session is actually in some state..
-   */
-
-  mdAmt = fwSession->mdSession->GetOperationStateLen(fwSession->mdSession,
-    fwSession, fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
-    fwSession->fwInstance, pError);
-
-  if( ((CK_ULONG)0 == mdAmt) && (CKR_OK != *pError) ) {
-    return (CK_ULONG)0;
-  }
-
-  /*
-   * Add a bit of sanity-checking
-   */
-  fwAmt = mdAmt + 2*sizeof(CK_ULONG);
-
-  return fwAmt;
-}
-
-/*
- * nssCKFWSession_GetOperationState
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_GetOperationState
-(
-  NSSCKFWSession *fwSession,
-  NSSItem *buffer
-)
-{
-  CK_RV error = CKR_OK;
-  CK_ULONG fwAmt;
-  CK_ULONG *ulBuffer;
-  NSSItem i2;
-  CK_ULONG n, i;
-
-#ifdef NSSDEBUG
-  error = nssCKFWSession_verifyPointer(fwSession);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  if( (NSSItem *)NULL == buffer ) {
-    return CKR_ARGUMENTS_BAD;
-  }
-
-  if( (void *)NULL == buffer->data ) {
-    return CKR_ARGUMENTS_BAD;
-  }
-
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
-    return CKR_GENERAL_ERROR;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwSession->mdSession->GetOperationState ) {
-    return CKR_STATE_UNSAVEABLE;
-  }
-
-  /*
-   * Sanity-check the caller's buffer.
-   */
-
-  error = CKR_OK;
-  fwAmt = nssCKFWSession_GetOperationStateLen(fwSession, &error);
-  if( ((CK_ULONG)0 == fwAmt) && (CKR_OK != error) ) {
-    return error;
-  }
-
-  if( buffer->size < fwAmt ) {
-    return CKR_BUFFER_TOO_SMALL;
-  }
-
-  ulBuffer = (CK_ULONG *)buffer->data;
-
-  i2.size = buffer->size - 2*sizeof(CK_ULONG);
-  i2.data = (void *)&ulBuffer[2];
-
-  error = fwSession->mdSession->GetOperationState(fwSession->mdSession,
-    fwSession, fwSession->mdToken, fwSession->fwToken, 
-    fwSession->mdInstance, fwSession->fwInstance, &i2);
-
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  /*
-   * Add a little integrety/identity check.  
-   * NOTE: right now, it's pretty stupid.  
-   * A CRC or something would be better.
-   */
-
-  ulBuffer[0] = 0x434b4657; /* CKFW */
-  ulBuffer[1] = 0;
-  n = i2.size/sizeof(CK_ULONG);
-  for( i = 0; i < n; i++ ) {
-    ulBuffer[1] ^= ulBuffer[2+i];
-  }
-
-  return CKR_OK;
-}
-
-/*
- * nssCKFWSession_SetOperationState
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_SetOperationState
-(
-  NSSCKFWSession *fwSession,
-  NSSItem *state,
-  NSSCKFWObject *encryptionKey,
-  NSSCKFWObject *authenticationKey
-)
-{
-  CK_RV error = CKR_OK;
-  CK_ULONG *ulBuffer;
-  CK_ULONG n, i;
-  CK_ULONG x;
-  NSSItem s;
-  NSSCKMDObject *mdek;
-  NSSCKMDObject *mdak;
-
-#ifdef NSSDEBUG
-  error = nssCKFWSession_verifyPointer(fwSession);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  if( (NSSItem *)NULL == state ) {
-    return CKR_ARGUMENTS_BAD;
-  }
-
-  if( (void *)NULL == state->data ) {
-    return CKR_ARGUMENTS_BAD;
-  }
-
-  if( (NSSCKFWObject *)NULL != encryptionKey ) {
-    error = nssCKFWObject_verifyPointer(encryptionKey);
-    if( CKR_OK != error ) {
-      return error;
-    }
-  }
-
-  if( (NSSCKFWObject *)NULL != authenticationKey ) {
-    error = nssCKFWObject_verifyPointer(authenticationKey);
-    if( CKR_OK != error ) {
-      return error;
-    }
-  }
-
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
-    return CKR_GENERAL_ERROR;
-  }
-#endif /* NSSDEBUG */
-
-  ulBuffer = (CK_ULONG *)state->data;
-  if( 0x43b4657 != ulBuffer[0] ) {
-    return CKR_SAVED_STATE_INVALID;
-  }
-  n = (state->size / sizeof(CK_ULONG)) - 2;
-  x = (CK_ULONG)0;
-  for( i = 0; i < n; i++ ) {
-    x ^= ulBuffer[2+i];
-  }
-
-  if( x != ulBuffer[1] ) {
-    return CKR_SAVED_STATE_INVALID;
-  }
-
-  if( (void *)NULL == (void *)fwSession->mdSession->SetOperationState ) {
-    return CKR_GENERAL_ERROR;
-  }
-
-  s.size = state->size - 2*sizeof(CK_ULONG);
-  s.data = (void *)&ulBuffer[2];
-
-  if( (NSSCKFWObject *)NULL != encryptionKey ) {
-    mdek = nssCKFWObject_GetMDObject(encryptionKey);
-  } else {
-    mdek = (NSSCKMDObject *)NULL;
-  }
-
-  if( (NSSCKFWObject *)NULL != authenticationKey ) {
-    mdak = nssCKFWObject_GetMDObject(authenticationKey);
-  } else {
-    mdak = (NSSCKMDObject *)NULL;
-  }
-
-  error = fwSession->mdSession->SetOperationState(fwSession->mdSession, 
-    fwSession, fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
-    fwSession->fwInstance, &s, mdek, encryptionKey, mdak, authenticationKey);
-
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  /*
-   * Here'd we restore any session data
-   */
-  
-  return CKR_OK;
-}
-
-static CK_BBOOL
-nss_attributes_form_token_object
-(
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount
-)
-{
-  CK_ULONG i;
-  CK_BBOOL rv;
-
-  for( i = 0; i < ulAttributeCount; i++ ) {
-    if( CKA_TOKEN == pTemplate[i].type ) {
-      /* If we sanity-check, we can remove this sizeof check */
-      if( sizeof(CK_BBOOL) == pTemplate[i].ulValueLen ) {
-        (void)nsslibc_memcpy(&rv, pTemplate[i].pValue, sizeof(CK_BBOOL));
-        return rv;
-      } else {
-        return CK_FALSE;
-      }
-    }
-  }
-
-  return CK_FALSE;
-}
-
-/*
- * nssCKFWSession_CreateObject
- *
- */
-NSS_IMPLEMENT NSSCKFWObject *
-nssCKFWSession_CreateObject
-(
-  NSSCKFWSession *fwSession,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_RV *pError
-)
-{
-  NSSArena *arena;
-  NSSCKMDObject *mdObject;
-  NSSCKFWObject *fwObject;
-  CK_BBOOL isTokenObject;
-
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (NSSCKFWObject *)NULL;
-  }
-
-  *pError = nssCKFWSession_verifyPointer(fwSession);
-  if( CKR_OK != pError ) {
-    return (NSSCKFWObject *)NULL;
-  }
-
-  if( (CK_ATTRIBUTE_PTR)NULL == pTemplate ) {
-    *pError = CKR_ARGUMENTS_BAD;
-    return (NSSCKFWObject *)NULL;
-  }
-
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
-    *pError = CKR_GENERAL_ERROR;
-    return (NSSCKFWObject *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  /*
-   * Here would be an excellent place to sanity-check the object.
-   */
-
-  isTokenObject = nss_attributes_form_token_object(pTemplate, ulAttributeCount);
-  if( CK_TRUE == isTokenObject ) {
-    /* === TOKEN OBJECT === */
-
-    if( (void *)NULL == (void *)fwSession->mdSession->CreateObject ) {
-      *pError = CKR_TOKEN_WRITE_PROTECTED;
-      return (NSSCKFWObject *)NULL;
-    }
-
-    arena = nssCKFWToken_GetArena(fwSession->fwToken, pError);
-    if( (NSSArena *)NULL == arena ) {
-      if( CKR_OK == *pError ) {
-        *pError = CKR_GENERAL_ERROR;
-      }
-      return (NSSCKFWObject *)NULL;
-    }
-
-    goto callmdcreateobject;
-  } else {
-    /* === SESSION OBJECT === */
-
-    arena = nssCKFWSession_GetArena(fwSession, pError);
-    if( (NSSArena *)NULL == arena ) {
-      if( CKR_OK == *pError ) {
-        *pError = CKR_GENERAL_ERROR;
-      }
-      return (NSSCKFWObject *)NULL;
-    }
-
-    if( CK_TRUE == nssCKFWInstance_GetModuleHandlesSessionObjects(
-                     fwSession->fwInstance) ) {
-      /* --- module handles the session object -- */
-
-      if( (void *)NULL == (void *)fwSession->mdSession->CreateObject ) {
-        *pError = CKR_GENERAL_ERROR;
-        return (NSSCKFWObject *)NULL;
-      }
-      
-      goto callmdcreateobject;
-    } else {
-      /* --- framework handles the session object -- */
-      mdObject = nssCKMDSessionObject_Create(fwSession->fwToken, 
-        arena, pTemplate, ulAttributeCount, pError);
-      goto gotmdobject;
-    }
-  }
-
- callmdcreateobject:
-  mdObject = fwSession->mdSession->CreateObject(fwSession->mdSession,
-    fwSession, fwSession->mdToken, fwSession->fwToken,
-    fwSession->mdInstance, fwSession->fwInstance, arena, pTemplate,
-    ulAttributeCount, pError);
-
- gotmdobject:
-  if( (NSSCKMDObject *)NULL == mdObject ) {
-    if( CKR_OK == *pError ) {
-      *pError = CKR_GENERAL_ERROR;
-    }
-    return (NSSCKFWObject *)NULL;
-  }
-
-  fwObject = nssCKFWObject_Create(arena, mdObject, fwSession, 
-    fwSession->fwToken, fwSession->fwInstance, pError);
-  if( (NSSCKFWObject *)NULL == fwObject ) {
-    if( CKR_OK == *pError ) {
-      *pError = CKR_GENERAL_ERROR;
-    }
-    
-    if( (void *)NULL != (void *)mdObject->Destroy ) {
-      (void)mdObject->Destroy(mdObject, (NSSCKFWObject *)NULL,
-        fwSession->mdSession, fwSession, fwSession->mdToken,
-        fwSession->fwToken, fwSession->mdInstance, fwSession->fwInstance);
-    }
-    
-    return (NSSCKFWObject *)NULL;
-  }
-
-  if( CK_FALSE == isTokenObject ) {
-    if( CK_FALSE == nssCKFWHash_Exists(fwSession->sessionObjectHash, fwObject) ) {
-      *pError = nssCKFWHash_Add(fwSession->sessionObjectHash, fwObject, fwObject);
-      if( CKR_OK != *pError ) {
-        nssCKFWObject_Finalize(fwObject);
-        return (NSSCKFWObject *)NULL;
-      }
-    }
-  }
-  
-  return fwObject;
-}
-
-/*
- * nssCKFWSession_CopyObject
- *
- */
-NSS_IMPLEMENT NSSCKFWObject *
-nssCKFWSession_CopyObject
-(
-  NSSCKFWSession *fwSession,
-  NSSCKFWObject *fwObject,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_RV *pError
-)
-{
-  CK_BBOOL oldIsToken;
-  CK_BBOOL newIsToken;
-  CK_ULONG i;
-  NSSCKFWObject *rv;
-
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (NSSCKFWObject *)NULL;
-  }
-
-  *pError = nssCKFWSession_verifyPointer(fwSession);
-  if( CKR_OK != *pError ) {
-    return (NSSCKFWObject *)NULL;
-  }
-
-  *pError = nssCKFWObject_verifyPointer(fwObject);
-  if( CKR_OK != *pError ) {
-    return (NSSCKFWObject *)NULL;
-  }
-
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
-    *pError = CKR_GENERAL_ERROR;
-    return (NSSCKFWObject *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  /*
-   * Sanity-check object
-   */
-
-  oldIsToken = nssCKFWObject_IsTokenObject(fwObject);
-
-  newIsToken = oldIsToken;
-  for( i = 0; i < ulAttributeCount; i++ ) {
-    if( CKA_TOKEN == pTemplate[i].type ) {
-      /* Since we sanity-checked the object, we know this is the right size. */
-      (void)nsslibc_memcpy(&newIsToken, pTemplate[i].pValue, sizeof(CK_BBOOL));
-      break;
-    }
-  }
-
-  /*
-   * If the Module handles its session objects, or if both the new
-   * and old object are token objects, use CopyObject if it exists.
-   */
-
-  if( ((void *)NULL != (void *)fwSession->mdSession->CopyObject) &&
-      (((CK_TRUE == oldIsToken) && (CK_TRUE == newIsToken)) ||
-       (CK_TRUE == nssCKFWInstance_GetModuleHandlesSessionObjects(
-                     fwSession->fwInstance))) ) {
-    /* use copy object */
-    NSSArena *arena;
-    NSSCKMDObject *mdOldObject;
-    NSSCKMDObject *mdObject;
-
-    mdOldObject = nssCKFWObject_GetMDObject(fwObject);
-
-    if( CK_TRUE == newIsToken ) {
-      arena = nssCKFWToken_GetArena(fwSession->fwToken, pError);
-    } else {
-      arena = nssCKFWSession_GetArena(fwSession, pError);
-    }
-    if( (NSSArena *)NULL == arena ) {
-      if( CKR_OK == *pError ) {
-        *pError = CKR_GENERAL_ERROR;
-      }
-      return (NSSCKFWObject *)NULL;
-    }
-
-    mdObject = fwSession->mdSession->CopyObject(fwSession->mdSession,
-      fwSession, fwSession->mdToken, fwSession->fwToken,
-      fwSession->mdInstance, fwSession->fwInstance, mdOldObject,
-      fwObject, arena, pTemplate, ulAttributeCount, pError);
-    if( (NSSCKMDObject *)NULL == mdObject ) {
-      if( CKR_OK == *pError ) {
-        *pError = CKR_GENERAL_ERROR;
-      }
-      return (NSSCKFWObject *)NULL;
-    }
-
-    rv = nssCKFWObject_Create(arena, mdObject, fwSession,
-      fwSession->fwToken, fwSession->fwInstance, pError);
-    if( (NSSCKFWObject *)NULL == fwObject ) {
-      if( CKR_OK == *pError ) {
-        *pError = CKR_GENERAL_ERROR;
-      }
-
-      if( (void *)NULL != (void *)mdObject->Destroy ) {
-        (void)mdObject->Destroy(mdObject, (NSSCKFWObject *)NULL,
-          fwSession->mdSession, fwSession, fwSession->mdToken,
-          fwSession->fwToken, fwSession->mdInstance, fwSession->fwInstance);
-      }
-    
-      return (NSSCKFWObject *)NULL;
-    }
-
-    if( CK_FALSE == newIsToken ) {
-      if( CK_FALSE == nssCKFWHash_Exists(fwSession->sessionObjectHash, rv) ) {
-        *pError = nssCKFWHash_Add(fwSession->sessionObjectHash, rv, rv);
-        if( CKR_OK != *pError ) {
-          nssCKFWObject_Finalize(rv);
-          return (NSSCKFWObject *)NULL;
-        }
-      }
-    }
-
-    return rv;
-  } else {
-    /* use create object */
-    NSSArena *tmpArena;
-    CK_ATTRIBUTE_PTR newTemplate;
-    CK_ULONG i, j, n, newLength, k;
-    CK_ATTRIBUTE_TYPE_PTR oldTypes;
-    NSSCKFWObject *rv;
-    
-    tmpArena = NSSArena_Create();
-    if( (NSSArena *)NULL == tmpArena ) {
-      *pError = CKR_HOST_MEMORY;
-      return (NSSCKFWObject *)NULL;
-    }
-
-    n = nssCKFWObject_GetAttributeCount(fwObject, pError);
-    if( (0 == n) && (CKR_OK != *pError) ) {
-      return (NSSCKFWObject *)NULL;
-    }
-
-    oldTypes = nss_ZNEWARRAY(tmpArena, CK_ATTRIBUTE_TYPE, n);
-    if( (CK_ATTRIBUTE_TYPE_PTR)NULL == oldTypes ) {
-      NSSArena_Destroy(tmpArena);
-      *pError = CKR_HOST_MEMORY;
-      return (NSSCKFWObject *)NULL;
-    }
-
-    *pError = nssCKFWObject_GetAttributeTypes(fwObject, oldTypes, n);
-    if( CKR_OK != *pError ) {
-      NSSArena_Destroy(tmpArena);
-      return (NSSCKFWObject *)NULL;
-    }
-
-    newLength = n;
-    for( i = 0; i < ulAttributeCount; i++ ) {
-      for( j = 0; j < n; j++ ) {
-        if( oldTypes[j] == pTemplate[i].type ) {
-          if( (CK_VOID_PTR)NULL == pTemplate[i].pValue ) {
-            /* Removing the attribute */
-            newLength--;
-          }
-          break;
-        }
-      }
-      if( j == n ) {
-        /* Not found */
-        newLength++;
-      }
-    }
-
-    newTemplate = nss_ZNEWARRAY(tmpArena, CK_ATTRIBUTE, newLength);
-    if( (CK_ATTRIBUTE_PTR)NULL == newTemplate ) {
-      NSSArena_Destroy(tmpArena);
-      *pError = CKR_HOST_MEMORY;
-      return (NSSCKFWObject *)NULL;
-    }
-
-    k = 0;
-    for( j = 0; j < n; j++ ) {
-      for( i = 0; i < ulAttributeCount; i++ ) {
-        if( oldTypes[j] == pTemplate[i].type ) {
-          if( (CK_VOID_PTR)NULL == pTemplate[i].pValue ) {
-            /* This attribute is being deleted */
-            ;
-          } else {
-            /* This attribute is being replaced */
-            newTemplate[k].type = pTemplate[i].type;
-            newTemplate[k].pValue = pTemplate[i].pValue;
-            newTemplate[k].ulValueLen = pTemplate[i].ulValueLen;
-            k++;
-          }
-          break;
-        }
-      }
-      if( i == ulAttributeCount ) {
-        /* This attribute is being copied over from the old object */
-        NSSItem item, *it;
-        item.size = 0;
-        item.data = (void *)NULL;
-        it = nssCKFWObject_GetAttribute(fwObject, oldTypes[j],
-          &item, tmpArena, pError);
-        if( (NSSItem *)NULL == it ) {
-          if( CKR_OK == *pError ) {
-            *pError = CKR_GENERAL_ERROR;
-          }
-          NSSArena_Destroy(tmpArena);
-          return (NSSCKFWObject *)NULL;
-        }
-        newTemplate[k].type = oldTypes[j];
-        newTemplate[k].pValue = it->data;
-        newTemplate[k].ulValueLen = it->size;
-        k++;
-      }
-    }
-    /* assert that k == newLength */
-
-    rv = nssCKFWSession_CreateObject(fwSession, newTemplate, newLength, pError);
-    if( (NSSCKFWObject *)NULL == rv ) {
-      if( CKR_OK == *pError ) {
-        *pError = CKR_GENERAL_ERROR;
-      }
-      NSSArena_Destroy(tmpArena);
-      return (NSSCKFWObject *)NULL;
-    }
-
-    NSSArena_Destroy(tmpArena);
-    return rv;
-  }
-}
-
-/*
- * nssCKFWSession_FindObjectsInit
- *
- */
-NSS_IMPLEMENT NSSCKFWFindObjects *
-nssCKFWSession_FindObjectsInit
-(
-  NSSCKFWSession *fwSession,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_RV *pError
-)
-{
-  NSSCKMDFindObjects *mdfo1 = (NSSCKMDFindObjects *)NULL;
-  NSSCKMDFindObjects *mdfo2 = (NSSCKMDFindObjects *)NULL;
-
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (NSSCKFWFindObjects *)NULL;
-  }
-
-  *pError = nssCKFWSession_verifyPointer(fwSession);
-  if( CKR_OK != *pError ) {
-    return (NSSCKFWFindObjects *)NULL;
-  }
-
-  if( ((CK_ATTRIBUTE_PTR)NULL == pTemplate) && (ulAttributeCount != 0) ) {
-    *pError = CKR_ARGUMENTS_BAD;
-    return (NSSCKFWFindObjects *)NULL;
-  }
-
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
-    *pError = CKR_GENERAL_ERROR;
-    return (NSSCKFWFindObjects *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  if( CK_TRUE != nssCKFWInstance_GetModuleHandlesSessionObjects(
-                   fwSession->fwInstance) ) {
-    CK_ULONG i;
-
-    /*
-     * Does the search criteria restrict us to token or session
-     * objects?
-     */
-
-    for( i = 0; i < ulAttributeCount; i++ ) {
-      if( CKA_TOKEN == pTemplate[i].type ) {
-        /* Yes, it does. */
-        CK_BBOOL isToken;
-        if( sizeof(CK_BBOOL) != pTemplate[i].ulValueLen ) {
-          *pError = CKR_ATTRIBUTE_VALUE_INVALID;
-          return (NSSCKFWFindObjects *)NULL;
-        }
-        (void)nsslibc_memcpy(&isToken, pTemplate[i].pValue, sizeof(CK_BBOOL));
-
-        if( CK_TRUE == isToken ) {
-          /* Pass it on to the module's search routine */
-          if( (void *)NULL == (void *)fwSession->mdSession->FindObjectsInit ) {
-            goto wrap;
-          }
-
-          mdfo1 = fwSession->mdSession->FindObjectsInit(fwSession->mdSession,
-                    fwSession, fwSession->mdToken, fwSession->fwToken,
-                    fwSession->mdInstance, fwSession->fwInstance, 
-                    pTemplate, ulAttributeCount, pError);
-        } else {
-          /* Do the search ourselves */
-          mdfo1 = nssCKMDFindSessionObjects_Create(fwSession->fwToken, 
-                    pTemplate, ulAttributeCount, pError);
-        }
-
-        if( (NSSCKMDFindObjects *)NULL == mdfo1 ) {
-          if( CKR_OK == *pError ) {
-            *pError = CKR_GENERAL_ERROR;
-          }
-          return (NSSCKFWFindObjects *)NULL;
-        }
-        
-        goto wrap;
-      }
-    }
-
-    if( i == ulAttributeCount ) {
-      /* No, it doesn't.  Do a hybrid search. */
-      mdfo1 = fwSession->mdSession->FindObjectsInit(fwSession->mdSession,
-                fwSession, fwSession->mdToken, fwSession->fwToken,
-                fwSession->mdInstance, fwSession->fwInstance, 
-                pTemplate, ulAttributeCount, pError);
-
-      if( (NSSCKMDFindObjects *)NULL == mdfo1 ) {
-        if( CKR_OK == *pError ) {
-          *pError = CKR_GENERAL_ERROR;
-        }
-        return (NSSCKFWFindObjects *)NULL;
-      }
-
-      mdfo2 = nssCKMDFindSessionObjects_Create(fwSession->fwToken,
-                pTemplate, ulAttributeCount, pError);
-      if( (NSSCKMDFindObjects *)NULL == mdfo2 ) {
-        if( CKR_OK == *pError ) {
-          *pError = CKR_GENERAL_ERROR;
-        }
-        if( (void *)NULL != (void *)mdfo1->Final ) {
-          mdfo1->Final(mdfo1, (NSSCKFWFindObjects *)NULL, fwSession->mdSession,
-            fwSession, fwSession->mdToken, fwSession->fwToken, 
-            fwSession->mdInstance, fwSession->fwInstance);
-        }
-        return (NSSCKFWFindObjects *)NULL;
-      }
-
-      goto wrap;
-    }
-    /*NOTREACHED*/
-  } else {
-    /* Module handles all its own objects.  Pass on to module's search */
-    mdfo1 = fwSession->mdSession->FindObjectsInit(fwSession->mdSession,
-              fwSession, fwSession->mdToken, fwSession->fwToken,
-              fwSession->mdInstance, fwSession->fwInstance, 
-              pTemplate, ulAttributeCount, pError);
-
-    if( (NSSCKMDFindObjects *)NULL == mdfo1 ) {
-      if( CKR_OK == *pError ) {
-        *pError = CKR_GENERAL_ERROR;
-      }
-      return (NSSCKFWFindObjects *)NULL;
-    }
-
-    goto wrap;
-  }
-
- wrap:
-  return nssCKFWFindObjects_Create(fwSession, fwSession->fwToken,
-           fwSession->fwInstance, mdfo1, mdfo2, pError);
-}
-
-/*
- * nssCKFWSession_SeedRandom
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_SeedRandom
-(
-  NSSCKFWSession *fwSession,
-  NSSItem *seed
-)
-{
-  CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
-  error = nssCKFWSession_verifyPointer(fwSession);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  if( (NSSItem *)NULL == seed ) {
-    return CKR_ARGUMENTS_BAD;
-  }
-
-  if( (void *)NULL == seed->data ) {
-    return CKR_ARGUMENTS_BAD;
-  }
-
-  if( 0 == seed->size ) {
-    return CKR_ARGUMENTS_BAD;
-  }
-
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
-    return CKR_GENERAL_ERROR;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwSession->mdSession->SeedRandom ) {
-    return CKR_RANDOM_SEED_NOT_SUPPORTED;
-  }
-
-  error = fwSession->mdSession->SeedRandom(fwSession->mdSession, fwSession,
-    fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
-    fwSession->fwInstance, seed);
-
-  return error;
-}
-
-/*
- * nssCKFWSession_GetRandom
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSession_GetRandom
-(
-  NSSCKFWSession *fwSession,
-  NSSItem *buffer
-)
-{
-  CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
-  error = nssCKFWSession_verifyPointer(fwSession);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  if( (NSSItem *)NULL == buffer ) {
-    return CKR_ARGUMENTS_BAD;
-  }
-
-  if( (void *)NULL == buffer->data ) {
-    return CKR_ARGUMENTS_BAD;
-  }
-
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
-    return CKR_GENERAL_ERROR;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwSession->mdSession->GetRandom ) {
-    if( CK_TRUE == nssCKFWToken_GetHasRNG(fwSession->fwToken) ) {
-      return CKR_GENERAL_ERROR;
-    } else {
-      return CKR_RANDOM_NO_RNG;
-    }
-  }
-
-  if( 0 == buffer->size ) {
-    return CKR_OK;
-  }
-
-  error = fwSession->mdSession->GetRandom(fwSession->mdSession, fwSession,
-    fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
-    fwSession->fwInstance, buffer);
-
-  return error;
-}
-
-/*
- * NSSCKFWSession_GetMDSession
- *
- */
-
-NSS_IMPLEMENT NSSCKMDSession *
-NSSCKFWSession_GetMDSession
-(
-  NSSCKFWSession *fwSession
-)
-{
-#ifdef DEBUG
-  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
-    return (NSSCKMDSession *)NULL;
-  }
-#endif /* DEBUG */
-
-  return nssCKFWSession_GetMDSession(fwSession);
-}
-
-/*
- * NSSCKFWSession_GetArena
- *
- */
-
-NSS_IMPLEMENT NSSArena *
-NSSCKFWSession_GetArena
-(
-  NSSCKFWSession *fwSession,
-  CK_RV *pError
-)
-{
-#ifdef DEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (NSSArena *)NULL;
-  }
-
-  *pError = nssCKFWSession_verifyPointer(fwSession);
-  if( CKR_OK != *pError ) {
-    return (NSSArena *)NULL;
-  }
-#endif /* DEBUG */
-
-  return nssCKFWSession_GetArena(fwSession, pError);
-}
-
-/*
- * NSSCKFWSession_CallNotification
- *
- */
-
-NSS_IMPLEMENT CK_RV
-NSSCKFWSession_CallNotification
-(
-  NSSCKFWSession *fwSession,
-  CK_NOTIFICATION event
-)
-{
-#ifdef DEBUG
-  CK_RV error = CKR_OK;
-
-  error = nssCKFWSession_verifyPointer(fwSession);
-  if( CKR_OK != error ) {
-    return error;
-  }
-#endif /* DEBUG */
-
-  return nssCKFWSession_CallNotification(fwSession, event);
-}
-
-/*
- * NSSCKFWSession_IsRWSession
- *
- */
-
-NSS_IMPLEMENT CK_BBOOL
-NSSCKFWSession_IsRWSession
-(
-  NSSCKFWSession *fwSession
-)
-{
-#ifdef DEBUG
-  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
-    return CK_FALSE;
-  }
-#endif /* DEBUG */
-
-  return nssCKFWSession_IsRWSession(fwSession);
-}
-
-/*
- * NSSCKFWSession_IsSO
- *
- */
-
-NSS_IMPLEMENT CK_BBOOL
-NSSCKFWSession_IsSO
-(
-  NSSCKFWSession *fwSession
-)
-{
-#ifdef DEBUG
-  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
-    return CK_FALSE;
-  }
-#endif /* DEBUG */
-
-  return nssCKFWSession_IsSO(fwSession);
-}
diff --git a/security/nss/lib/ckfw/sessobj.c b/security/nss/lib/ckfw/sessobj.c
deleted file mode 100644
index 8f12f94f6..000000000
--- a/security/nss/lib/ckfw/sessobj.c
+++ /dev/null
@@ -1,1102 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * sessobj.c
- *
- * This file contains an NSSCKMDObject implementation for session 
- * objects.  The framework uses this implementation to manage
- * session objects when a Module doesn't wish to be bothered.
- */
-
-#ifndef CK_T
-#include "ck.h"
-#endif /* CK_T */
-
-/*
- * nssCKMDSessionObject
- *
- *  -- create --
- *  nssCKMDSessionObject_Create
- *
- *  -- EPV calls --
- *  nss_ckmdSessionObject_Finalize
- *  nss_ckmdSessionObject_IsTokenObject
- *  nss_ckmdSessionObject_GetAttributeCount
- *  nss_ckmdSessionObject_GetAttributeTypes
- *  nss_ckmdSessionObject_GetAttributeSize
- *  nss_ckmdSessionObject_GetAttribute
- *  nss_ckmdSessionObject_SetAttribute
- *  nss_ckmdSessionObject_GetObjectSize
- */
-
-struct nssCKMDSessionObjectStr {
-  CK_ULONG n;
-  NSSArena *arena;
-  NSSItem *attributes;
-  CK_ATTRIBUTE_TYPE_PTR types;
-  nssCKFWHash *hash;
-};
-typedef struct nssCKMDSessionObjectStr nssCKMDSessionObject;
-
-#ifdef DEBUG
-/*
- * But first, the pointer-tracking stuff.
- *
- * NOTE: the pointer-tracking support in NSS/base currently relies
- * upon NSPR's CallOnce support.  That, however, relies upon NSPR's
- * locking, which is tied into the runtime.  We need a pointer-tracker
- * implementation that uses the locks supplied through C_Initialize.
- * That support, however, can be filled in later.  So for now, I'll
- * just do this routines as no-ops.
- */
-
-static CK_RV
-nss_ckmdSessionObject_add_pointer
-(
-  const NSSCKMDObject *mdObject
-)
-{
-  return CKR_OK;
-}
-
-static CK_RV
-nss_ckmdSessionObject_remove_pointer
-(
-  const NSSCKMDObject *mdObject
-)
-{
-  return CKR_OK;
-}
-
-#ifdef NSS_DEBUG
-static CK_RV
-nss_ckmdSessionObject_verifyPointer
-(
-  const NSSCKMDObject *mdObject
-)
-{
-  return CKR_OK;
-}
-#endif
-
-#endif /* DEBUG */
-
-/*
- * We must forward-declare these routines
- */
-static void
-nss_ckmdSessionObject_Finalize
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-);
-
-static CK_RV
-nss_ckmdSessionObject_Destroy
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-);
-
-static CK_BBOOL
-nss_ckmdSessionObject_IsTokenObject
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-);
-
-static CK_ULONG
-nss_ckmdSessionObject_GetAttributeCount
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-);
-
-static CK_RV
-nss_ckmdSessionObject_GetAttributeTypes
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_ATTRIBUTE_TYPE_PTR typeArray,
-  CK_ULONG ulCount
-);
-
-static CK_ULONG
-nss_ckmdSessionObject_GetAttributeSize
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_ATTRIBUTE_TYPE attribute,
-  CK_RV *pError
-);
-
-static NSSCKFWItem
-nss_ckmdSessionObject_GetAttribute
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_ATTRIBUTE_TYPE attribute,
-  CK_RV *pError
-);
-
-static CK_RV
-nss_ckmdSessionObject_SetAttribute
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_ATTRIBUTE_TYPE attribute,
-  NSSItem *value
-);
-
-static CK_ULONG
-nss_ckmdSessionObject_GetObjectSize
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-);
-
-/*
- * nssCKMDSessionObject_Create
- *
- */
-NSS_IMPLEMENT NSSCKMDObject *
-nssCKMDSessionObject_Create
-(
-  NSSCKFWToken *fwToken,
-  NSSArena *arena,
-  CK_ATTRIBUTE_PTR attributes,
-  CK_ULONG ulCount,
-  CK_RV *pError
-)
-{
-  NSSCKMDObject *mdObject = (NSSCKMDObject *)NULL;
-  nssCKMDSessionObject *mdso = (nssCKMDSessionObject *)NULL;
-  CK_ULONG i;
-  nssCKFWHash *hash;
-
-  mdso = nss_ZNEW(arena, nssCKMDSessionObject);
-  if( (nssCKMDSessionObject *)NULL == mdso ) {
-    goto loser;
-  }
-
-  mdso->arena = arena;
-  mdso->n = ulCount;
-  mdso->attributes = nss_ZNEWARRAY(arena, NSSItem, ulCount);
-  if( (NSSItem *)NULL == mdso->attributes ) {
-    goto loser;
-  }
-
-  mdso->types = nss_ZNEWARRAY(arena, CK_ATTRIBUTE_TYPE, ulCount);
-
-  for( i = 0; i < ulCount; i++ ) {
-    mdso->types[i] = attributes[i].type;
-    mdso->attributes[i].size = attributes[i].ulValueLen;
-    mdso->attributes[i].data = nss_ZAlloc(arena, attributes[i].ulValueLen);
-    if( (void *)NULL == mdso->attributes[i].data ) {
-      goto loser;
-    }
-    (void)nsslibc_memcpy(mdso->attributes[i].data, attributes[i].pValue,
-      attributes[i].ulValueLen);
-  }
-
-  mdObject = nss_ZNEW(arena, NSSCKMDObject);
-  if( (NSSCKMDObject *)NULL == mdObject ) {
-    goto loser;
-  }
-
-  mdObject->etc = (void *)mdso;
-  mdObject->Finalize = nss_ckmdSessionObject_Finalize;
-  mdObject->Destroy = nss_ckmdSessionObject_Destroy;
-  mdObject->IsTokenObject = nss_ckmdSessionObject_IsTokenObject;
-  mdObject->GetAttributeCount = nss_ckmdSessionObject_GetAttributeCount;
-  mdObject->GetAttributeTypes = nss_ckmdSessionObject_GetAttributeTypes;
-  mdObject->GetAttributeSize = nss_ckmdSessionObject_GetAttributeSize;
-  mdObject->GetAttribute = nss_ckmdSessionObject_GetAttribute;
-  mdObject->SetAttribute = nss_ckmdSessionObject_SetAttribute;
-  mdObject->GetObjectSize = nss_ckmdSessionObject_GetObjectSize;
-
-  hash = nssCKFWToken_GetSessionObjectHash(fwToken);
-  if( (nssCKFWHash *)NULL == hash ) {
-    *pError = CKR_GENERAL_ERROR;
-    goto loser;
-  }
-
-  mdso->hash = hash;
-
-  *pError = nssCKFWHash_Add(hash, mdObject, mdObject);
-  if( CKR_OK != *pError ) {
-    goto loser;
-  }
-
-#ifdef DEBUG
-  if( CKR_OK != nss_ckmdSessionObject_add_pointer(mdObject) ) {
-    goto loser;
-  }
-#endif /* DEBUG */
-
-  *pError = CKR_OK;
-  return mdObject;
-
- loser:
-  if( (nssCKMDSessionObject *)NULL != mdso ) {
-    if( (NSSItem *)NULL != mdso->attributes ) {
-      for( i = 0; i < ulCount; i++ ) {
-        nss_ZFreeIf(mdso->attributes[i].data);
-      }
-
-      nss_ZFreeIf(mdso->attributes);
-    }
-
-    nss_ZFreeIf(mdso->types);
-    nss_ZFreeIf(mdso);
-  }
-
-  nss_ZFreeIf(mdObject);
-  *pError = CKR_HOST_MEMORY;
-  return (NSSCKMDObject *)NULL;
-}
-
-/*
- * nss_ckmdSessionObject_Finalize
- *
- */
-static void
-nss_ckmdSessionObject_Finalize
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  /* This shouldn't ever be called */
-  return;
-}
-
-/*
- * nss_ckmdSessionObject_Destroy
- *
- */
-
-static CK_RV
-nss_ckmdSessionObject_Destroy
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-#ifdef NSSDEBUG
-  CK_RV error = CKR_OK;
-#endif /* NSSDEBUG */
-  nssCKMDSessionObject *mdso;
-  CK_ULONG i;
-
-#ifdef NSSDEBUG
-  error = nss_ckmdSessionObject_verifyPointer(mdObject);
-  if( CKR_OK != error ) {
-    return error;
-  }
-#endif /* NSSDEBUG */
-
-  mdso = (nssCKMDSessionObject *)mdObject->etc;
-
-  nssCKFWHash_Remove(mdso->hash, mdObject);
-
-  for( i = 0; i < mdso->n; i++ ) {
-    nss_ZFreeIf(mdso->attributes[i].data);
-  }
-  nss_ZFreeIf(mdso->attributes);
-  nss_ZFreeIf(mdso->types);
-  nss_ZFreeIf(mdso);
-  nss_ZFreeIf(mdObject);
-
-#ifdef DEBUG
-  (void)nss_ckmdSessionObject_remove_pointer(mdObject);
-#endif /* DEBUG */
-
-  return CKR_OK;
-}
-
-/*
- * nss_ckmdSessionObject_IsTokenObject
- *
- */
-
-static CK_BBOOL
-nss_ckmdSessionObject_IsTokenObject
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nss_ckmdSessionObject_verifyPointer(mdObject) ) {
-    return CK_FALSE;
-  }
-#endif /* NSSDEBUG */
-
-  /*
-   * This implementation is only ever used for session objects.
-   */
-  return CK_FALSE;
-}
-
-/*
- * nss_ckmdSessionObject_GetAttributeCount
- *
- */
-static CK_ULONG
-nss_ckmdSessionObject_GetAttributeCount
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  nssCKMDSessionObject *obj;
-
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return 0;
-  }
-
-  *pError = nss_ckmdSessionObject_verifyPointer(mdObject);
-  if( CKR_OK != *pError ) {
-    return 0;
-  }
-
-  /* We could even check all the other arguments, for sanity. */
-#endif /* NSSDEBUG */
-
-  obj = (nssCKMDSessionObject *)mdObject->etc;
-
-  return obj->n;
-}
-
-/*
- * nss_ckmdSessionObject_GetAttributeTypes
- *
- */
-static CK_RV
-nss_ckmdSessionObject_GetAttributeTypes
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_ATTRIBUTE_TYPE_PTR typeArray,
-  CK_ULONG ulCount
-)
-{
-#ifdef NSSDEBUG
-  CK_RV error = CKR_OK;
-#endif /* NSSDEBUG */
-  nssCKMDSessionObject *obj;
-
-#ifdef NSSDEBUG
-  error = nss_ckmdSessionObject_verifyPointer(mdObject);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  /* We could even check all the other arguments, for sanity. */
-#endif /* NSSDEBUG */
-
-  obj = (nssCKMDSessionObject *)mdObject->etc;
-
-  if( ulCount < obj->n ) {
-    return CKR_BUFFER_TOO_SMALL;
-  }
-
-  (void)nsslibc_memcpy(typeArray, obj->types, 
-    sizeof(CK_ATTRIBUTE_TYPE) * obj->n);
-
-  return CKR_OK;
-}
-
-/*
- * nss_ckmdSessionObject_GetAttributeSize
- *
- */
-static CK_ULONG
-nss_ckmdSessionObject_GetAttributeSize
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_ATTRIBUTE_TYPE attribute,
-  CK_RV *pError
-)
-{
-  nssCKMDSessionObject *obj;
-  CK_ULONG i;
-
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return 0;
-  }
-
-  *pError = nss_ckmdSessionObject_verifyPointer(mdObject);
-  if( CKR_OK != *pError ) {
-    return 0;
-  }
-
-  /* We could even check all the other arguments, for sanity. */
-#endif /* NSSDEBUG */
-
-  obj = (nssCKMDSessionObject *)mdObject->etc;
-
-  for( i = 0; i < obj->n; i++ ) {
-    if( attribute == obj->types[i] ) {
-      return (CK_ULONG)(obj->attributes[i].size);
-    }
-  }
-
-  *pError = CKR_ATTRIBUTE_TYPE_INVALID;
-  return 0;
-}
-
-/*
- * nss_ckmdSessionObject_GetAttribute
- *
- */
-static NSSCKFWItem
-nss_ckmdSessionObject_GetAttribute
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_ATTRIBUTE_TYPE attribute,
-  CK_RV *pError
-)
-{
-  NSSCKFWItem item;
-  nssCKMDSessionObject *obj;
-  CK_ULONG i;
-
-  item.needsFreeing = PR_FALSE;
-  item.item = NULL;
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return item;
-  }
-
-  *pError = nss_ckmdSessionObject_verifyPointer(mdObject);
-  if( CKR_OK != *pError ) {
-    return item;
-  }
-
-  /* We could even check all the other arguments, for sanity. */
-#endif /* NSSDEBUG */
-
-  obj = (nssCKMDSessionObject *)mdObject->etc;
-
-  for( i = 0; i < obj->n; i++ ) {
-    if( attribute == obj->types[i] ) {
-      item.item = &obj->attributes[i];
-      return item;
-    }
-  }
-
-  *pError = CKR_ATTRIBUTE_TYPE_INVALID;
-  return item;
-}
-
-/*
- * nss_ckmdSessionObject_SetAttribute
- *
- */
-
-/*
- * Okay, so this implementation sucks.  It doesn't support removing
- * an attribute (if value == NULL), and could be more graceful about
- * memory.  It should allow "blank" slots in the arrays, with some
- * invalid attribute type, and then it could support removal much
- * more easily.  Do this later.
- */
-static CK_RV
-nss_ckmdSessionObject_SetAttribute
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_ATTRIBUTE_TYPE attribute,
-  NSSItem *value
-)
-{
-  nssCKMDSessionObject *obj;
-  CK_ULONG i;
-  NSSItem n;
-  NSSItem *ra;
-  CK_ATTRIBUTE_TYPE_PTR rt;
-#ifdef NSSDEBUG
-  CK_RV error;
-#endif /* NSSDEBUG */
-
-#ifdef NSSDEBUG
-  error = nss_ckmdSessionObject_verifyPointer(mdObject);
-  if( CKR_OK != error ) {
-    return 0;
-  }
-
-  /* We could even check all the other arguments, for sanity. */
-#endif /* NSSDEBUG */
-
-  obj = (nssCKMDSessionObject *)mdObject->etc;
-
-  n.size = value->size;
-  n.data = nss_ZAlloc(obj->arena, n.size);
-  if( (void *)NULL == n.data ) {
-    return CKR_HOST_MEMORY;
-  }
-  (void)nsslibc_memcpy(n.data, value->data, n.size);
-
-  for( i = 0; i < obj->n; i++ ) {
-    if( attribute == obj->types[i] ) {
-      nss_ZFreeIf(obj->attributes[i].data);
-      obj->attributes[i] = n;
-      return CKR_OK;
-    }
-  }
-
-  /*
-   * It's new.
-   */
-
-  ra = (NSSItem *)nss_ZRealloc(obj->attributes, sizeof(NSSItem) * (obj->n + 1));
-  if( (NSSItem *)NULL == ra ) {
-    nss_ZFreeIf(n.data);
-    return CKR_HOST_MEMORY;
-  }
-
-  rt = (CK_ATTRIBUTE_TYPE_PTR)nss_ZRealloc(obj->types, (obj->n + 1));
-  if( (CK_ATTRIBUTE_TYPE_PTR)NULL == rt ) {
-    nss_ZFreeIf(n.data);
-    obj->attributes = (NSSItem *)nss_ZRealloc(ra, sizeof(NSSItem) * obj->n);
-    if( (NSSItem *)NULL == obj->attributes ) {
-      return CKR_GENERAL_ERROR;
-    }
-    return CKR_HOST_MEMORY;
-  }
-
-  obj->attributes = ra;
-  obj->types = rt;
-  obj->attributes[obj->n] = n;
-  obj->types[obj->n] = attribute;
-  obj->n++;
-
-  return CKR_OK;
-}
-
-/*
- * nss_ckmdSessionObject_GetObjectSize
- *
- */
-static CK_ULONG
-nss_ckmdSessionObject_GetObjectSize
-(
-  NSSCKMDObject *mdObject,
-  NSSCKFWObject *fwObject,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  CK_RV *pError
-)
-{
-  nssCKMDSessionObject *obj;
-  CK_ULONG i;
-  CK_ULONG rv = (CK_ULONG)0;
-
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return 0;
-  }
-
-  *pError = nss_ckmdSessionObject_verifyPointer(mdObject);
-  if( CKR_OK != *pError ) {
-    return 0;
-  }
-
-  /* We could even check all the other arguments, for sanity. */
-#endif /* NSSDEBUG */
-
-  obj = (nssCKMDSessionObject *)mdObject->etc;
-
-  for( i = 0; i < obj->n; i++ ) {
-    rv += obj->attributes[i].size;
-  }
-
-  rv += sizeof(NSSItem) * obj->n;
-  rv += sizeof(CK_ATTRIBUTE_TYPE) * obj->n;
-  rv += sizeof(nssCKMDSessionObject);
-
-  return rv;
-}
-
-/*
- * nssCKMDFindSessionObjects
- *
- *  -- create --
- *  nssCKMDFindSessionObjects_Create
- *
- *  -- EPV calls --
- *  nss_ckmdFindSessionObjects_Final
- *  nss_ckmdFindSessionObjects_Next
- */
-
-struct nodeStr {
-  struct nodeStr *next;
-  NSSCKMDObject *mdObject;
-};
-
-struct nssCKMDFindSessionObjectsStr {
-  NSSArena *arena;
-  CK_RV error;
-  CK_ATTRIBUTE_PTR pTemplate;
-  CK_ULONG ulCount;
-  struct nodeStr *list;
-  nssCKFWHash *hash;
-
-};
-typedef struct nssCKMDFindSessionObjectsStr nssCKMDFindSessionObjects;
-
-#ifdef DEBUG
-/*
- * But first, the pointer-tracking stuff.
- *
- * NOTE: the pointer-tracking support in NSS/base currently relies
- * upon NSPR's CallOnce support.  That, however, relies upon NSPR's
- * locking, which is tied into the runtime.  We need a pointer-tracker
- * implementation that uses the locks supplied through C_Initialize.
- * That support, however, can be filled in later.  So for now, I'll
- * just do this routines as no-ops.
- */
-
-static CK_RV
-nss_ckmdFindSessionObjects_add_pointer
-(
-  const NSSCKMDFindObjects *mdFindObjects
-)
-{
-  return CKR_OK;
-}
-
-static CK_RV
-nss_ckmdFindSessionObjects_remove_pointer
-(
-  const NSSCKMDFindObjects *mdFindObjects
-)
-{
-  return CKR_OK;
-}
-
-#ifdef NSS_DEBUG
-static CK_RV
-nss_ckmdFindSessionObjects_verifyPointer
-(
-  const NSSCKMDFindObjects *mdFindObjects
-)
-{
-  return CKR_OK;
-}
-#endif
-
-#endif /* DEBUG */
-
-/*
- * We must forward-declare these routines.
- */
-static void
-nss_ckmdFindSessionObjects_Final
-(
-  NSSCKMDFindObjects *mdFindObjects,
-  NSSCKFWFindObjects *fwFindObjects,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-);
-
-static NSSCKMDObject *
-nss_ckmdFindSessionObjects_Next
-(
-  NSSCKMDFindObjects *mdFindObjects,
-  NSSCKFWFindObjects *fwFindObjects,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  NSSArena *arena,
-  CK_RV *pError
-);
-
-static CK_BBOOL
-items_match
-(
-  NSSItem *a,
-  CK_VOID_PTR pValue,
-  CK_ULONG ulValueLen
-)
-{
-  if( a->size != ulValueLen ) {
-    return CK_FALSE;
-  }
-
-  if( PR_TRUE == nsslibc_memequal(a->data, pValue, ulValueLen, (PRStatus *)NULL) ) {
-    return CK_TRUE;
-  } else {
-    return CK_FALSE;
-  }
-}
-
-/*
- * Our hashtable iterator
- */
-static void
-findfcn
-(
-  const void *key,
-  void *value,
-  void *closure
-)
-{
-  NSSCKMDObject *mdObject = (NSSCKMDObject *)value;
-  nssCKMDSessionObject *mdso = (nssCKMDSessionObject *)mdObject->etc;
-  nssCKMDFindSessionObjects *mdfso = (nssCKMDFindSessionObjects *)closure;
-  CK_ULONG i, j;
-  struct nodeStr *node;
-
-  if( CKR_OK != mdfso->error ) {
-    return;
-  }
-
-  for( i = 0; i < mdfso->ulCount; i++ ) {
-    CK_ATTRIBUTE_PTR p = &mdfso->pTemplate[i];
-
-    for( j = 0; j < mdso->n; j++ ) {
-      if( mdso->types[j] == p->type ) {
-        if( !items_match(&mdso->attributes[j], p->pValue, p->ulValueLen) ) {
-          return;
-        } else {
-          break;
-        }
-      }
-    }
-
-    if( j == mdso->n ) {
-      /* Attribute not found */
-      return;
-    }
-  }
-
-  /* Matches */
-  node = nss_ZNEW(mdfso->arena, struct nodeStr);
-  if( (struct nodeStr *)NULL == node ) {
-    mdfso->error = CKR_HOST_MEMORY;
-    return;
-  }
-
-  node->mdObject = mdObject;
-  node->next = mdfso->list;
-  mdfso->list = node;
-
-  return;
-}
-
-/*
- * nssCKMDFindSessionObjects_Create
- *
- */
-NSS_IMPLEMENT NSSCKMDFindObjects *
-nssCKMDFindSessionObjects_Create
-(
-  NSSCKFWToken *fwToken,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulCount,
-  CK_RV *pError
-)
-{
-  NSSArena *arena;
-  nssCKMDFindSessionObjects *mdfso;
-  nssCKFWHash *hash;
-  NSSCKMDFindObjects *rv;
-
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (NSSCKMDFindObjects *)NULL;
-  }
-
-  *pError = nssCKFWToken_verifyPointer(fwToken);
-  if( CKR_OK != *pError ) {
-    return (NSSCKMDFindObjects *)NULL;
-  }
-
-  if( (CK_ATTRIBUTE_PTR)NULL == pTemplate ) {
-    *pError = CKR_ARGUMENTS_BAD;
-    return (NSSCKMDFindObjects *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  hash = nssCKFWToken_GetSessionObjectHash(fwToken);
-  if( (nssCKFWHash *)NULL == hash ) {
-    *pError= CKR_GENERAL_ERROR;
-    return (NSSCKMDFindObjects *)NULL;
-  }
-
-  arena = NSSArena_Create();
-  if( (NSSArena *)NULL == arena ) {
-    *pError = CKR_HOST_MEMORY;
-    return (NSSCKMDFindObjects *)NULL;
-  }
-
-  mdfso = nss_ZNEW(arena, nssCKMDFindSessionObjects);
-  if( (nssCKMDFindSessionObjects *)NULL == mdfso ) {
-    NSSArena_Destroy(arena);
-    *pError = CKR_HOST_MEMORY;
-    return (NSSCKMDFindObjects *)NULL;
-  }
-
-  rv = nss_ZNEW(arena, NSSCKMDFindObjects);
-
-  mdfso->error = CKR_OK;
-  mdfso->pTemplate = pTemplate;
-  mdfso->ulCount = ulCount;
-  mdfso->hash = hash;
-
-  nssCKFWHash_Iterate(hash, findfcn, mdfso);
-
-  if( CKR_OK != mdfso->error ) {
-    NSSArena_Destroy(arena);
-    *pError = CKR_HOST_MEMORY;
-    return (NSSCKMDFindObjects *)NULL;
-  }
-
-  rv->etc = (void *)mdfso;
-  rv->Final = nss_ckmdFindSessionObjects_Final;
-  rv->Next = nss_ckmdFindSessionObjects_Next;
-
-#ifdef DEBUG
-  if( (*pError = nss_ckmdFindSessionObjects_add_pointer(rv)) != CKR_OK ) {
-    NSSArena_Destroy(arena);
-    return (NSSCKMDFindObjects *)NULL;
-  }
-#endif /* DEBUG */    
-  mdfso->arena = arena;
-
-  return rv;
-}
-
-static void
-nss_ckmdFindSessionObjects_Final
-(
-  NSSCKMDFindObjects *mdFindObjects,
-  NSSCKFWFindObjects *fwFindObjects,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance
-)
-{
-  nssCKMDFindSessionObjects *mdfso;
-
-#ifdef NSSDEBUG
-  if( CKR_OK != nss_ckmdFindSessionObjects_verifyPointer(mdFindObjects) ) {
-    return;
-  }
-#endif /* NSSDEBUG */
-
-  mdfso = (nssCKMDFindSessionObjects *)mdFindObjects->etc;
-  if (mdfso->arena) NSSArena_Destroy(mdfso->arena);
-
-#ifdef DEBUG
-  (void)nss_ckmdFindSessionObjects_remove_pointer(mdFindObjects);
-#endif /* DEBUG */
-
-  return;
-}
-
-static NSSCKMDObject *
-nss_ckmdFindSessionObjects_Next
-(
-  NSSCKMDFindObjects *mdFindObjects,
-  NSSCKFWFindObjects *fwFindObjects,
-  NSSCKMDSession *mdSession,
-  NSSCKFWSession *fwSession,
-  NSSCKMDToken *mdToken,
-  NSSCKFWToken *fwToken,
-  NSSCKMDInstance *mdInstance,
-  NSSCKFWInstance *fwInstance,
-  NSSArena *arena,
-  CK_RV *pError
-)
-{
-  nssCKMDFindSessionObjects *mdfso;
-  NSSCKMDObject *rv = (NSSCKMDObject *)NULL;
-
-#ifdef NSSDEBUG
-  if( CKR_OK != nss_ckmdFindSessionObjects_verifyPointer(mdFindObjects) ) {
-    return (NSSCKMDObject *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  mdfso = (nssCKMDFindSessionObjects *)mdFindObjects->etc;
-
-  while( (NSSCKMDObject *)NULL == rv ) {
-    if( (struct nodeStr *)NULL == mdfso->list ) {
-      *pError = CKR_OK;
-      return (NSSCKMDObject *)NULL;
-    }
-
-    if( nssCKFWHash_Exists(mdfso->hash, mdfso->list->mdObject) ) {
-      rv = mdfso->list->mdObject;
-    }
-
-    mdfso->list = mdfso->list->next;
-  }
-
-  return rv;
-}
diff --git a/security/nss/lib/ckfw/slot.c b/security/nss/lib/ckfw/slot.c
deleted file mode 100644
index 442452b39..000000000
--- a/security/nss/lib/ckfw/slot.c
+++ /dev/null
@@ -1,759 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * slot.c
- *
- * This file implements the NSSCKFWSlot type and methods.
- */
-
-#ifndef CK_T
-#include "ck.h"
-#endif /* CK_T */
-
-/*
- * NSSCKFWSlot
- *
- *  -- create/destroy --
- *  nssCKFWSlot_Create
- *  nssCKFWSlot_Destroy
- *
- *  -- public accessors --
- *  NSSCKFWSlot_GetMDSlot
- *  NSSCKFWSlot_GetFWInstance
- *  NSSCKFWSlot_GetMDInstance
- *
- *  -- implement public accessors --
- *  nssCKFWSlot_GetMDSlot
- *  nssCKFWSlot_GetFWInstance
- *  nssCKFWSlot_GetMDInstance
- *
- *  -- private accessors --
- *  nssCKFWSlot_GetSlotID
- *  nssCKFWSlot_ClearToken
- *
- *  -- module fronts --
- *  nssCKFWSlot_GetSlotDescription
- *  nssCKFWSlot_GetManufacturerID
- *  nssCKFWSlot_GetTokenPresent
- *  nssCKFWSlot_GetRemovableDevice
- *  nssCKFWSlot_GetHardwareSlot
- *  nssCKFWSlot_GetHardwareVersion
- *  nssCKFWSlot_GetFirmwareVersion
- *  nssCKFWSlot_InitToken
- *  nssCKFWSlot_GetToken
- */
-
-struct NSSCKFWSlotStr {
-  NSSCKFWMutex *mutex;
-  NSSCKMDSlot *mdSlot;
-  NSSCKFWInstance *fwInstance;
-  NSSCKMDInstance *mdInstance;
-  CK_SLOT_ID slotID;
-
-  /*
-   * Everything above is set at creation time, and then not modified.
-   * The invariants the mutex protects are:
-   *
-   * 1) Each of the cached descriptions (versions, etc.) are in an
-   *    internally consistant state.
-   *
-   * 2) The fwToken points to the token currently in the slot, and
-   *    it is in a consistant state.
-   *
-   * Note that the calls accessing the cached descriptions will
-   * call the NSSCKMDSlot methods with the mutex locked.  Those
-   * methods may then call the public NSSCKFWSlot routines.  Those
-   * public routines only access the constant data above, so there's
-   * no problem.  But be careful if you add to this object; mutexes
-   * are in general not reentrant, so don't create deadlock situations.
-   */
-
-  NSSUTF8 *slotDescription;
-  NSSUTF8 *manufacturerID;
-  CK_VERSION hardwareVersion;
-  CK_VERSION firmwareVersion;
-  NSSCKFWToken *fwToken;
-};
-
-#ifdef DEBUG
-/*
- * But first, the pointer-tracking stuff.
- *
- * NOTE: the pointer-tracking support in NSS/base currently relies
- * upon NSPR's CallOnce support.  That, however, relies upon NSPR's
- * locking, which is tied into the runtime.  We need a pointer-tracker
- * implementation that uses the locks supplied through C_Initialize.
- * That support, however, can be filled in later.  So for now, I'll
- * just do this routines as no-ops.
- */
-
-static CK_RV
-slot_add_pointer
-(
-  const NSSCKFWSlot *fwSlot
-)
-{
-  return CKR_OK;
-}
-
-static CK_RV
-slot_remove_pointer
-(
-  const NSSCKFWSlot *fwSlot
-)
-{
-  return CKR_OK;
-}
-
-NSS_IMPLEMENT CK_RV
-nssCKFWSlot_verifyPointer
-(
-  const NSSCKFWSlot *fwSlot
-)
-{
-  return CKR_OK;
-}
-
-#endif /* DEBUG */
-
-/*
- * nssCKFWSlot_Create
- *
- */
-NSS_IMPLEMENT NSSCKFWSlot *
-nssCKFWSlot_Create
-(
-  NSSCKFWInstance *fwInstance,
-  NSSCKMDSlot *mdSlot,
-  CK_SLOT_ID slotID,
-  CK_RV *pError
-)
-{
-  NSSCKFWSlot *fwSlot;
-  NSSCKMDInstance *mdInstance;
-  NSSArena *arena;
-
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (NSSCKFWSlot *)NULL;
-  }
-
-  *pError = nssCKFWInstance_verifyPointer(fwInstance);
-  if( CKR_OK != *pError ) {
-    return (NSSCKFWSlot *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  mdInstance = nssCKFWInstance_GetMDInstance(fwInstance);
-  if( (NSSCKMDInstance *)NULL == mdInstance ) {
-    *pError = CKR_GENERAL_ERROR;
-    return (NSSCKFWSlot *)NULL;
-  }
-
-  arena = nssCKFWInstance_GetArena(fwInstance, pError);
-  if( (NSSArena *)NULL == arena ) {
-    if( CKR_OK == *pError ) {
-      *pError = CKR_GENERAL_ERROR;
-    }
-  }
-
-  fwSlot = nss_ZNEW(arena, NSSCKFWSlot);
-  if( (NSSCKFWSlot *)NULL == fwSlot ) {
-    *pError = CKR_HOST_MEMORY;
-    return (NSSCKFWSlot *)NULL;
-  }
-
-  fwSlot->mdSlot = mdSlot;
-  fwSlot->fwInstance = fwInstance;
-  fwSlot->mdInstance = mdInstance;
-  fwSlot->slotID = slotID;
-
-  fwSlot->mutex = nssCKFWInstance_CreateMutex(fwInstance, arena, pError);
-  if( (NSSCKFWMutex *)NULL == fwSlot->mutex ) {
-    if( CKR_OK == *pError ) {
-      *pError = CKR_GENERAL_ERROR;
-    }
-    (void)nss_ZFreeIf(fwSlot);
-    return (NSSCKFWSlot *)NULL;
-  }
-
-  if( (void *)NULL != (void *)mdSlot->Initialize ) {
-    *pError = CKR_OK;
-    *pError = mdSlot->Initialize(mdSlot, fwSlot, mdInstance, fwInstance);
-    if( CKR_OK != *pError ) {
-      (void)nssCKFWMutex_Destroy(fwSlot->mutex);
-      (void)nss_ZFreeIf(fwSlot);
-      return (NSSCKFWSlot *)NULL;
-    }
-  }
-
-#ifdef DEBUG
-  *pError = slot_add_pointer(fwSlot);
-  if( CKR_OK != *pError ) {
-    if( (void *)NULL != (void *)mdSlot->Destroy ) {
-      mdSlot->Destroy(mdSlot, fwSlot, mdInstance, fwInstance);
-    }
-
-    (void)nssCKFWMutex_Destroy(fwSlot->mutex);
-    (void)nss_ZFreeIf(fwSlot);
-    return (NSSCKFWSlot *)NULL;
-  }
-#endif /* DEBUG */
-
-  return fwSlot;
-}
-
-/*
- * nssCKFWSlot_Destroy
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSlot_Destroy
-(
-  NSSCKFWSlot *fwSlot
-)
-{
-  CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
-  error = nssCKFWSlot_verifyPointer(fwSlot);
-  if( CKR_OK != error ) {
-    return error;
-  }
-#endif /* NSSDEBUG */
-  if (fwSlot->fwToken) {
-    nssCKFWToken_Destroy(fwSlot->fwToken);
-  }
-
-  (void)nssCKFWMutex_Destroy(fwSlot->mutex);
-
-  if( (void *)NULL != (void *)fwSlot->mdSlot->Destroy ) {
-    fwSlot->mdSlot->Destroy(fwSlot->mdSlot, fwSlot, 
-      fwSlot->mdInstance, fwSlot->fwInstance);
-  }
-
-#ifdef DEBUG
-  error = slot_remove_pointer(fwSlot);
-#endif /* DEBUG */
-  (void)nss_ZFreeIf(fwSlot);
-  return error;
-}
-
-/*
- * nssCKFWSlot_GetMDSlot
- *
- */
-NSS_IMPLEMENT NSSCKMDSlot *
-nssCKFWSlot_GetMDSlot
-(
-  NSSCKFWSlot *fwSlot
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
-    return (NSSCKMDSlot *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  return fwSlot->mdSlot;
-}
-
-/*
- * nssCKFWSlot_GetFWInstance
- *
- */
-
-NSS_IMPLEMENT NSSCKFWInstance *
-nssCKFWSlot_GetFWInstance
-(
-  NSSCKFWSlot *fwSlot
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
-    return (NSSCKFWInstance *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  return fwSlot->fwInstance;
-}
-
-/*
- * nssCKFWSlot_GetMDInstance
- *
- */
-
-NSS_IMPLEMENT NSSCKMDInstance *
-nssCKFWSlot_GetMDInstance
-(
-  NSSCKFWSlot *fwSlot
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
-    return (NSSCKMDInstance *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  return fwSlot->mdInstance;
-}
-
-/*
- * nssCKFWSlot_GetSlotID
- *
- */
-NSS_IMPLEMENT CK_SLOT_ID
-nssCKFWSlot_GetSlotID
-(
-  NSSCKFWSlot *fwSlot
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
-    return (CK_SLOT_ID)0;
-  }
-#endif /* NSSDEBUG */
-
-  return fwSlot->slotID;
-}
-
-/*
- * nssCKFWSlot_GetSlotDescription
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSlot_GetSlotDescription
-(
-  NSSCKFWSlot *fwSlot,
-  CK_CHAR slotDescription[64]
-)
-{
-  CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
-  if( (CK_CHAR_PTR)NULL == slotDescription ) {
-    return CKR_ARGUMENTS_BAD;
-  }
-
-  error = nssCKFWSlot_verifyPointer(fwSlot);
-  if( CKR_OK != error ) {
-    return error;
-  }
-#endif /* NSSDEBUG */
-
-  error = nssCKFWMutex_Lock(fwSlot->mutex);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  if( (NSSUTF8 *)NULL == fwSlot->slotDescription ) {
-    if( (void *)NULL != (void *)fwSlot->mdSlot->GetSlotDescription ) {
-      fwSlot->slotDescription = fwSlot->mdSlot->GetSlotDescription(
-        fwSlot->mdSlot, fwSlot, fwSlot->mdInstance, 
-        fwSlot->fwInstance, &error);
-      if( ((NSSUTF8 *)NULL == fwSlot->slotDescription) && (CKR_OK != error) ) {
-        goto done;
-      }
-    } else {
-      fwSlot->slotDescription = (NSSUTF8 *) "";
-    }
-  }
-
-  (void)nssUTF8_CopyIntoFixedBuffer(fwSlot->slotDescription, (char *)slotDescription, 64, ' ');
-  error = CKR_OK;
-
- done:
-  (void)nssCKFWMutex_Unlock(fwSlot->mutex);
-  return error;
-}
-
-/*
- * nssCKFWSlot_GetManufacturerID
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWSlot_GetManufacturerID
-(
-  NSSCKFWSlot *fwSlot,
-  CK_CHAR manufacturerID[32]
-)
-{
-  CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
-  if( (CK_CHAR_PTR)NULL == manufacturerID ) {
-    return CKR_ARGUMENTS_BAD;
-  }
-
-  error = nssCKFWSlot_verifyPointer(fwSlot);
-  if( CKR_OK != error ) {
-    return error;
-  }
-#endif /* NSSDEBUG */
-
-  error = nssCKFWMutex_Lock(fwSlot->mutex);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  if( (NSSUTF8 *)NULL == fwSlot->manufacturerID ) {
-    if( (void *)NULL != (void *)fwSlot->mdSlot->GetManufacturerID ) {
-      fwSlot->manufacturerID = fwSlot->mdSlot->GetManufacturerID(
-        fwSlot->mdSlot, fwSlot, fwSlot->mdInstance, 
-        fwSlot->fwInstance, &error);
-      if( ((NSSUTF8 *)NULL == fwSlot->manufacturerID) && (CKR_OK != error) ) {
-        goto done;
-      }
-    } else {
-      fwSlot->manufacturerID = (NSSUTF8 *) "";
-    }
-  }
-
-  (void)nssUTF8_CopyIntoFixedBuffer(fwSlot->manufacturerID, (char *)manufacturerID, 32, ' ');
-  error = CKR_OK;
-
- done:
-  (void)nssCKFWMutex_Unlock(fwSlot->mutex);
-  return error;
-}
-
-/*
- * nssCKFWSlot_GetTokenPresent
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWSlot_GetTokenPresent
-(
-  NSSCKFWSlot *fwSlot
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
-    return CK_FALSE;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwSlot->mdSlot->GetTokenPresent ) {
-    return CK_TRUE;
-  }
-
-  return fwSlot->mdSlot->GetTokenPresent(fwSlot->mdSlot, fwSlot,
-    fwSlot->mdInstance, fwSlot->fwInstance);
-}
-
-/*
- * nssCKFWSlot_GetRemovableDevice
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWSlot_GetRemovableDevice
-(
-  NSSCKFWSlot *fwSlot
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
-    return CK_FALSE;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwSlot->mdSlot->GetRemovableDevice ) {
-    return CK_FALSE;
-  }
-
-  return fwSlot->mdSlot->GetRemovableDevice(fwSlot->mdSlot, fwSlot,
-    fwSlot->mdInstance, fwSlot->fwInstance);
-}
-
-/*
- * nssCKFWSlot_GetHardwareSlot
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWSlot_GetHardwareSlot
-(
-  NSSCKFWSlot *fwSlot
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
-    return CK_FALSE;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwSlot->mdSlot->GetHardwareSlot ) {
-    return CK_FALSE;
-  }
-
-  return fwSlot->mdSlot->GetHardwareSlot(fwSlot->mdSlot, fwSlot,
-    fwSlot->mdInstance, fwSlot->fwInstance);
-}
-
-/*
- * nssCKFWSlot_GetHardwareVersion
- *
- */
-NSS_IMPLEMENT CK_VERSION
-nssCKFWSlot_GetHardwareVersion
-(
-  NSSCKFWSlot *fwSlot
-)
-{
-  CK_VERSION rv;
-
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
-    rv.major = rv.minor = 0;
-    return rv;
-  }
-#endif /* NSSDEBUG */
-
-  if( CKR_OK != nssCKFWMutex_Lock(fwSlot->mutex) ) {
-    rv.major = rv.minor = 0;
-    return rv;
-  }
-
-  if( (0 != fwSlot->hardwareVersion.major) ||
-      (0 != fwSlot->hardwareVersion.minor) ) {
-    rv = fwSlot->hardwareVersion;
-    goto done;
-  }
-
-  if( (void *)NULL != (void *)fwSlot->mdSlot->GetHardwareVersion ) {
-    fwSlot->hardwareVersion = fwSlot->mdSlot->GetHardwareVersion(
-      fwSlot->mdSlot, fwSlot, fwSlot->mdInstance, fwSlot->fwInstance);
-  } else {
-    fwSlot->hardwareVersion.major = 0;
-    fwSlot->hardwareVersion.minor = 1;
-  }
-
-  rv = fwSlot->hardwareVersion;
- done:
-  (void)nssCKFWMutex_Unlock(fwSlot->mutex);
-  return rv;
-}
-
-/*
- * nssCKFWSlot_GetFirmwareVersion
- *
- */
-NSS_IMPLEMENT CK_VERSION
-nssCKFWSlot_GetFirmwareVersion
-(
-  NSSCKFWSlot *fwSlot
-)
-{
-  CK_VERSION rv;
-
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
-    rv.major = rv.minor = 0;
-    return rv;
-  }
-#endif /* NSSDEBUG */
-
-  if( CKR_OK != nssCKFWMutex_Lock(fwSlot->mutex) ) {
-    rv.major = rv.minor = 0;
-    return rv;
-  }
-
-  if( (0 != fwSlot->firmwareVersion.major) ||
-      (0 != fwSlot->firmwareVersion.minor) ) {
-    rv = fwSlot->firmwareVersion;
-    goto done;
-  }
-
-  if( (void *)NULL != (void *)fwSlot->mdSlot->GetFirmwareVersion ) {
-    fwSlot->firmwareVersion = fwSlot->mdSlot->GetFirmwareVersion(
-      fwSlot->mdSlot, fwSlot, fwSlot->mdInstance, fwSlot->fwInstance);
-  } else {
-    fwSlot->firmwareVersion.major = 0;
-    fwSlot->firmwareVersion.minor = 1;
-  }
-
-  rv = fwSlot->firmwareVersion;
- done:
-  (void)nssCKFWMutex_Unlock(fwSlot->mutex);
-  return rv;
-}
-
-/*
- * nssCKFWSlot_GetToken
- * 
- */
-NSS_IMPLEMENT NSSCKFWToken *
-nssCKFWSlot_GetToken
-(
-  NSSCKFWSlot *fwSlot,
-  CK_RV *pError
-)
-{
-  NSSCKMDToken *mdToken;
-  NSSCKFWToken *fwToken;
-
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (NSSCKFWToken *)NULL;
-  }
-
-  *pError = nssCKFWSlot_verifyPointer(fwSlot);
-  if( CKR_OK != *pError ) {
-    return (NSSCKFWToken *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  *pError = nssCKFWMutex_Lock(fwSlot->mutex);
-  if( CKR_OK != *pError ) {
-    return (NSSCKFWToken *)NULL;
-  }
-
-  if( (NSSCKFWToken *)NULL == fwSlot->fwToken ) {
-    if( (void *)NULL == (void *)fwSlot->mdSlot->GetToken ) {
-      *pError = CKR_GENERAL_ERROR;
-      fwToken = (NSSCKFWToken *)NULL;
-      goto done;
-    }
-
-    mdToken = fwSlot->mdSlot->GetToken(fwSlot->mdSlot, fwSlot,
-      fwSlot->mdInstance, fwSlot->fwInstance, pError);
-    if( (NSSCKMDToken *)NULL == mdToken ) {
-      if( CKR_OK == *pError ) {
-        *pError = CKR_GENERAL_ERROR;
-      }
-      return (NSSCKFWToken *)NULL;
-    }
-
-    fwToken = nssCKFWToken_Create(fwSlot, mdToken, pError);
-    fwSlot->fwToken = fwToken;
-  } else {
-    fwToken = fwSlot->fwToken;
-  }
-
- done:
-  (void)nssCKFWMutex_Unlock(fwSlot->mutex);
-  return fwToken;
-}
-
-/*
- * nssCKFWSlot_ClearToken
- *
- */
-NSS_IMPLEMENT void
-nssCKFWSlot_ClearToken
-(
-  NSSCKFWSlot *fwSlot
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
-    return;
-  }
-#endif /* NSSDEBUG */
-
-  if( CKR_OK != nssCKFWMutex_Lock(fwSlot->mutex) ) {
-    /* Now what? */
-    return;
-  }
-
-  fwSlot->fwToken = (NSSCKFWToken *)NULL;
-  (void)nssCKFWMutex_Unlock(fwSlot->mutex);
-  return;
-}
-
-/*
- * NSSCKFWSlot_GetMDSlot
- *
- */
-
-NSS_IMPLEMENT NSSCKMDSlot *
-NSSCKFWSlot_GetMDSlot
-(
-  NSSCKFWSlot *fwSlot
-)
-{
-#ifdef DEBUG
-  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
-    return (NSSCKMDSlot *)NULL;
-  }
-#endif /* DEBUG */
-
-  return nssCKFWSlot_GetMDSlot(fwSlot);
-}
-
-/*
- * NSSCKFWSlot_GetFWInstance
- *
- */
-
-NSS_IMPLEMENT NSSCKFWInstance *
-NSSCKFWSlot_GetFWInstance
-(
-  NSSCKFWSlot *fwSlot
-)
-{
-#ifdef DEBUG
-  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
-    return (NSSCKFWInstance *)NULL;
-  }
-#endif /* DEBUG */
-
-  return nssCKFWSlot_GetFWInstance(fwSlot);
-}
-
-/*
- * NSSCKFWSlot_GetMDInstance
- *
- */
-
-NSS_IMPLEMENT NSSCKMDInstance *
-NSSCKFWSlot_GetMDInstance
-(
-  NSSCKFWSlot *fwSlot
-)
-{
-#ifdef DEBUG
-  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
-    return (NSSCKMDInstance *)NULL;
-  }
-#endif /* DEBUG */
-
-  return nssCKFWSlot_GetMDInstance(fwSlot);
-}
diff --git a/security/nss/lib/ckfw/token.c b/security/nss/lib/ckfw/token.c
deleted file mode 100644
index 42dc6f51d..000000000
--- a/security/nss/lib/ckfw/token.c
+++ /dev/null
@@ -1,1872 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * token.c
- *
- * This file implements the NSSCKFWToken type and methods.
- */
-
-#ifndef CK_T
-#include "ck.h"
-#endif /* CK_T */
-
-/*
- * NSSCKFWToken
- *
- *  -- create/destroy --
- *  nssCKFWToken_Create
- *  nssCKFWToken_Destroy
- *
- *  -- public accessors --
- *  NSSCKFWToken_GetMDToken
- *  NSSCKFWToken_GetFWSlot
- *  NSSCKFWToken_GetMDSlot
- *  NSSCKFWToken_GetSessionState
- *
- *  -- implement public accessors --
- *  nssCKFWToken_GetMDToken
- *  nssCKFWToken_GetFWSlot
- *  nssCKFWToken_GetMDSlot
- *  nssCKFWToken_GetSessionState
- *  nssCKFWToken_SetSessionState
- *
- *  -- private accessors --
- *  nssCKFWToken_SetSessionState
- *  nssCKFWToken_RemoveSession
- *  nssCKFWToken_CloseAllSessions
- *  nssCKFWToken_GetSessionCount
- *  nssCKFWToken_GetRwSessionCount
- *  nssCKFWToken_GetRoSessionCount
- *  nssCKFWToken_GetSessionObjectHash
- *  nssCKFWToken_GetMDObjectHash
- *  nssCKFWToken_GetObjectHandleHash
- *
- *  -- module fronts --
- *  nssCKFWToken_InitToken
- *  nssCKFWToken_GetLabel
- *  nssCKFWToken_GetManufacturerID
- *  nssCKFWToken_GetModel
- *  nssCKFWToken_GetSerialNumber
- *  nssCKFWToken_GetHasRNG
- *  nssCKFWToken_GetIsWriteProtected
- *  nssCKFWToken_GetLoginRequired
- *  nssCKFWToken_GetUserPinInitialized
- *  nssCKFWToken_GetRestoreKeyNotNeeded
- *  nssCKFWToken_GetHasClockOnToken
- *  nssCKFWToken_GetHasProtectedAuthenticationPath
- *  nssCKFWToken_GetSupportsDualCryptoOperations
- *  nssCKFWToken_GetMaxSessionCount
- *  nssCKFWToken_GetMaxRwSessionCount
- *  nssCKFWToken_GetMaxPinLen
- *  nssCKFWToken_GetMinPinLen
- *  nssCKFWToken_GetTotalPublicMemory
- *  nssCKFWToken_GetFreePublicMemory
- *  nssCKFWToken_GetTotalPrivateMemory
- *  nssCKFWToken_GetFreePrivateMemory
- *  nssCKFWToken_GetHardwareVersion
- *  nssCKFWToken_GetFirmwareVersion
- *  nssCKFWToken_GetUTCTime
- *  nssCKFWToken_OpenSession
- *  nssCKFWToken_GetMechanismCount
- *  nssCKFWToken_GetMechanismTypes
- *  nssCKFWToken_GetMechanism
- */
-
-struct NSSCKFWTokenStr {
-  NSSCKFWMutex *mutex;
-  NSSArena *arena;
-  NSSCKMDToken *mdToken;
-  NSSCKFWSlot *fwSlot;
-  NSSCKMDSlot *mdSlot;
-  NSSCKFWInstance *fwInstance;
-  NSSCKMDInstance *mdInstance;
-
-  /*
-   * Everything above is set at creation time, and then not modified.
-   * The invariants the mutex protects are:
-   *
-   * 1) Each of the cached descriptions (versions, etc.) are in an
-   *    internally consistant state.
-   *
-   * 2) The session counts and hashes are consistant.
-   *
-   * 3) The object hashes are consistant.
-   *
-   * Note that the calls accessing the cached descriptions will call
-   * the NSSCKMDToken methods with the mutex locked.  Those methods
-   * may then call the public NSSCKFWToken routines.  Those public
-   * routines only access the constant data above and the atomic
-   * CK_STATE session state variable below, so there's no problem.
-   * But be careful if you add to this object; mutexes are in
-   * general not reentrant, so don't create deadlock situations.
-   */
-
-  NSSUTF8 *label;
-  NSSUTF8 *manufacturerID;
-  NSSUTF8 *model;
-  NSSUTF8 *serialNumber;
-  CK_VERSION hardwareVersion;
-  CK_VERSION firmwareVersion;
-
-  CK_ULONG sessionCount;
-  CK_ULONG rwSessionCount;
-  nssCKFWHash *sessions;
-  nssCKFWHash *sessionObjectHash;
-  nssCKFWHash *mdObjectHash;
-
-  CK_STATE state;
-};
-
-#ifdef DEBUG
-/*
- * But first, the pointer-tracking stuff.
- *
- * NOTE: the pointer-tracking support in NSS/base currently relies
- * upon NSPR's CallOnce support.  That, however, relies upon NSPR's
- * locking, which is tied into the runtime.  We need a pointer-tracker
- * implementation that uses the locks supplied through C_Initialize.
- * That support, however, can be filled in later.  So for now, I'll
- * just do this routines as no-ops.
- */
-
-static CK_RV
-token_add_pointer
-(
-  const NSSCKFWToken *fwToken
-)
-{
-  return CKR_OK;
-}
-
-static CK_RV
-token_remove_pointer
-(
-  const NSSCKFWToken *fwToken
-)
-{
-  return CKR_OK;
-}
-
-NSS_IMPLEMENT CK_RV
-nssCKFWToken_verifyPointer
-(
-  const NSSCKFWToken *fwToken
-)
-{
-  return CKR_OK;
-}
-
-#endif /* DEBUG */
-
-/*
- * nssCKFWToken_Create
- *
- */
-NSS_IMPLEMENT NSSCKFWToken *
-nssCKFWToken_Create
-(
-  NSSCKFWSlot *fwSlot,
-  NSSCKMDToken *mdToken,
-  CK_RV *pError
-)
-{
-  NSSArena *arena = (NSSArena *)NULL;
-  NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
-  CK_BBOOL called_setup = CK_FALSE;
-
-  /*
-   * We have already verified the arguments in nssCKFWSlot_GetToken.
-   */
-
-  arena = NSSArena_Create();
-  if( (NSSArena *)NULL == arena ) {
-    *pError = CKR_HOST_MEMORY;
-    goto loser;
-  }
-
-  fwToken = nss_ZNEW(arena, NSSCKFWToken);
-  if( (NSSCKFWToken *)NULL == fwToken ) {
-    *pError = CKR_HOST_MEMORY;
-    goto loser;
-  }    
-
-  fwToken->arena = arena;
-  fwToken->mdToken = mdToken;
-  fwToken->fwSlot = fwSlot;
-  fwToken->fwInstance = nssCKFWSlot_GetFWInstance(fwSlot);
-  fwToken->mdInstance = nssCKFWSlot_GetMDInstance(fwSlot);
-  fwToken->state = CKS_RO_PUBLIC_SESSION; /* some default */
-  fwToken->sessionCount = 0;
-  fwToken->rwSessionCount = 0;
-
-  fwToken->mutex = nssCKFWInstance_CreateMutex(fwToken->fwInstance, arena, pError);
-  if( (NSSCKFWMutex *)NULL == fwToken->mutex ) {
-    if( CKR_OK == *pError ) {
-      *pError = CKR_GENERAL_ERROR;
-    }
-    goto loser;
-  }
-
-  fwToken->sessions = nssCKFWHash_Create(fwToken->fwInstance, arena, pError);
-  if( (nssCKFWHash *)NULL == fwToken->sessions ) {
-    if( CKR_OK == *pError ) {
-      *pError = CKR_GENERAL_ERROR;
-    }
-    goto loser;
-  }
-
-  if( CK_TRUE != nssCKFWInstance_GetModuleHandlesSessionObjects(
-                   fwToken->fwInstance) ) {
-    fwToken->sessionObjectHash = nssCKFWHash_Create(fwToken->fwInstance, 
-                                   arena, pError);
-    if( (nssCKFWHash *)NULL == fwToken->sessionObjectHash ) {
-      if( CKR_OK == *pError ) {
-        *pError = CKR_GENERAL_ERROR;
-      }
-      goto loser;
-    }
-  }
-
-  fwToken->mdObjectHash = nssCKFWHash_Create(fwToken->fwInstance, 
-                            arena, pError);
-  if( (nssCKFWHash *)NULL == fwToken->mdObjectHash ) {
-    if( CKR_OK == *pError ) {
-      *pError = CKR_GENERAL_ERROR;
-    }
-    goto loser;
-  }
-
-  /* More here */
-
-  if( (void *)NULL != (void *)mdToken->Setup ) {
-    *pError = mdToken->Setup(mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance);
-    if( CKR_OK != *pError ) {
-      goto loser;
-    }
-  }
-
-  called_setup = CK_TRUE;
-
-#ifdef DEBUG
-  *pError = token_add_pointer(fwToken);
-  if( CKR_OK != *pError ) {
-    goto loser;
-  }
-#endif /* DEBUG */
-
-  *pError = CKR_OK;
-  return fwToken;
-
- loser:
-
-  if( CK_TRUE == called_setup ) {
-    if( (void *)NULL != (void *)mdToken->Invalidate ) {
-      mdToken->Invalidate(mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance);
-    }
-  }
-
-  if( (NSSArena *)NULL != arena ) {
-    (void)NSSArena_Destroy(arena);
-  }
-
-  return (NSSCKFWToken *)NULL;
-}
-
-static void
-nss_ckfwtoken_session_iterator
-(
-  const void *key,
-  void *value,
-  void *closure
-)
-{
-  /*
-   * Remember that the fwToken->mutex is locked
-   */
-  NSSCKFWSession *fwSession = (NSSCKFWSession *)value;
-  (void)nssCKFWSession_Destroy(fwSession, CK_FALSE);
-  return;
-}
-
-/*
- * nssCKFWToken_Destroy
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWToken_Destroy
-(
-  NSSCKFWToken *fwToken
-)
-{
-  CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
-  error = nssCKFWToken_verifyPointer(fwToken);
-  if( CKR_OK != error ) {
-    return error;
-  }
-#endif /* NSSDEBUG */
-
-  (void)nssCKFWMutex_Destroy(fwToken->mutex);
-  
-  if( (void *)NULL != (void *)fwToken->mdToken->Invalidate ) {
-    fwToken->mdToken->Invalidate(fwToken->mdToken, fwToken,
-      fwToken->mdInstance, fwToken->fwInstance);
-  }
-  /* we can destroy the list without locking now because no one else is 
-   * referencing us (or _Destroy was invalidly called!)
-   */
-  nssCKFWHash_Iterate(fwToken->sessions, nss_ckfwtoken_session_iterator, 
-								(void *)NULL);
-  nssCKFWHash_Destroy(fwToken->sessions);
-
-  if (fwToken->sessionObjectHash) {
-    nssCKFWHash_Destroy(fwToken->sessionObjectHash);
-  }
-  if (fwToken->mdObjectHash) {
-    nssCKFWHash_Destroy(fwToken->mdObjectHash);
-  }
-
-  nssCKFWSlot_ClearToken(fwToken->fwSlot);
-  
-#ifdef DEBUG
-  error = token_remove_pointer(fwToken);
-#endif /* DEBUG */
-
-  (void)NSSArena_Destroy(fwToken->arena);
-  return error;
-}
-
-/*
- * nssCKFWToken_GetMDToken
- *
- */
-NSS_IMPLEMENT NSSCKMDToken *
-nssCKFWToken_GetMDToken
-(
-  NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return (NSSCKMDToken *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  return fwToken->mdToken;
-}
-
-/*
- * nssCKFWToken_GetArena
- *
- */
-NSS_IMPLEMENT NSSArena *
-nssCKFWToken_GetArena
-(
-  NSSCKFWToken *fwToken,
-  CK_RV *pError
-)
-{
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (NSSArena *)NULL;
-  }
-
-  *pError = nssCKFWToken_verifyPointer(fwToken);
-  if( CKR_OK != *pError ) {
-    return (NSSArena *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  return fwToken->arena;
-}
-
-/*
- * nssCKFWToken_GetFWSlot
- *
- */
-NSS_IMPLEMENT NSSCKFWSlot *
-nssCKFWToken_GetFWSlot
-(
-  NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return (NSSCKFWSlot *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  return fwToken->fwSlot;
-}
-
-/*
- * nssCKFWToken_GetMDSlot
- *
- */
-NSS_IMPLEMENT NSSCKMDSlot *
-nssCKFWToken_GetMDSlot
-(
-  NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return (NSSCKMDSlot *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  return fwToken->mdSlot;
-}
-
-/*
- * nssCKFWToken_GetSessionState
- *
- */
-NSS_IMPLEMENT CK_STATE
-nssCKFWToken_GetSessionState
-(
-  NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return CKS_RO_PUBLIC_SESSION; /* whatever */
-  }
-#endif /* NSSDEBUG */
-
-  /*
-   * BTW, do not lock the token in this method.
-   */
-
-  /*
-   * Theoretically, there is no state if there aren't any
-   * sessions open.  But then we'd need to worry about
-   * reporting an error, etc.  What the heck-- let's just
-   * revert to CKR_RO_PUBLIC_SESSION as the "default."
-   */
-
-  return fwToken->state;
-}
-
-/*
- * nssCKFWToken_InitToken
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWToken_InitToken
-(
-  NSSCKFWToken *fwToken,
-  NSSItem *pin,
-  NSSUTF8 *label
-)
-{
-  CK_RV error;
-
-#ifdef NSSDEBUG
-  error = nssCKFWToken_verifyPointer(fwToken);
-  if( CKR_OK != error ) {
-    return CKR_ARGUMENTS_BAD;
-  }
-#endif /* NSSDEBUG */
-
-  error = nssCKFWMutex_Lock(fwToken->mutex);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  if( fwToken->sessionCount > 0 ) {
-    error = CKR_SESSION_EXISTS;
-    goto done;
-  }
-
-  if( (void *)NULL == (void *)fwToken->mdToken->InitToken ) {
-    error = CKR_DEVICE_ERROR;
-    goto done;
-  }
-
-  if( (NSSItem *)NULL == pin ) {
-    if( nssCKFWToken_GetHasProtectedAuthenticationPath(fwToken) ) {
-      ; /* okay */
-    } else {
-      error = CKR_PIN_INCORRECT;
-      goto done;
-    }
-  }
-
-  if( (NSSUTF8 *)NULL == label ) {
-    label = (NSSUTF8 *) "";
-  }
-
-  error = fwToken->mdToken->InitToken(fwToken->mdToken, fwToken,
-            fwToken->mdInstance, fwToken->fwInstance, pin, label);
-
- done:
-  (void)nssCKFWMutex_Unlock(fwToken->mutex);
-  return error;
-}
-
-/*
- * nssCKFWToken_GetLabel
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWToken_GetLabel
-(
-  NSSCKFWToken *fwToken,
-  CK_CHAR label[32]
-)
-{
-  CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
-  if( (CK_CHAR_PTR)NULL == label ) {
-    return CKR_ARGUMENTS_BAD;
-  }
-
-  error = nssCKFWToken_verifyPointer(fwToken);
-  if( CKR_OK != error ) {
-    return error;
-  }
-#endif /* NSSDEBUG */
-
-  error = nssCKFWMutex_Lock(fwToken->mutex);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  if( (NSSUTF8 *)NULL == fwToken->label ) {
-    if( (void *)NULL != (void *)fwToken->mdToken->GetLabel ) {
-      fwToken->label = fwToken->mdToken->GetLabel(fwToken->mdToken, fwToken,
-        fwToken->mdInstance, fwToken->fwInstance, &error);
-      if( ((NSSUTF8 *)NULL == fwToken->label) && (CKR_OK != error) ) {
-        goto done;
-      }
-    } else {
-      fwToken->label = (NSSUTF8 *) "";
-    }
-  }
-
-  (void)nssUTF8_CopyIntoFixedBuffer(fwToken->label, (char *)label, 32, ' ');
-  error = CKR_OK;
-
- done:
-  (void)nssCKFWMutex_Unlock(fwToken->mutex);
-  return error;
-}
-
-/*
- * nssCKFWToken_GetManufacturerID
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWToken_GetManufacturerID
-(
-  NSSCKFWToken *fwToken,
-  CK_CHAR manufacturerID[32]
-)
-{
-  CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
-  if( (CK_CHAR_PTR)NULL == manufacturerID ) {
-    return CKR_ARGUMENTS_BAD;
-  }
-
-  error = nssCKFWToken_verifyPointer(fwToken);
-  if( CKR_OK != error ) {
-    return error;
-  }
-#endif /* NSSDEBUG */
-
-  error = nssCKFWMutex_Lock(fwToken->mutex);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  if( (NSSUTF8 *)NULL == fwToken->manufacturerID ) {
-    if( (void *)NULL != (void *)fwToken->mdToken->GetManufacturerID ) {
-      fwToken->manufacturerID = fwToken->mdToken->GetManufacturerID(fwToken->mdToken,
-        fwToken, fwToken->mdInstance, fwToken->fwInstance, &error);
-      if( ((NSSUTF8 *)NULL == fwToken->manufacturerID) && (CKR_OK != error) ) {
-        goto done;
-      }
-    } else {
-      fwToken->manufacturerID = (NSSUTF8 *)"";
-    }
-  }
-
-  (void)nssUTF8_CopyIntoFixedBuffer(fwToken->manufacturerID, (char *)manufacturerID, 32, ' ');
-  error = CKR_OK;
-
- done:
-  (void)nssCKFWMutex_Unlock(fwToken->mutex);
-  return error;
-}
-
-/*
- * nssCKFWToken_GetModel
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWToken_GetModel
-(
-  NSSCKFWToken *fwToken,
-  CK_CHAR model[16]
-)
-{
-  CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
-  if( (CK_CHAR_PTR)NULL == model ) {
-    return CKR_ARGUMENTS_BAD;
-  }
-
-  error = nssCKFWToken_verifyPointer(fwToken);
-  if( CKR_OK != error ) {
-    return error;
-  }
-#endif /* NSSDEBUG */
-
-  error = nssCKFWMutex_Lock(fwToken->mutex);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  if( (NSSUTF8 *)NULL == fwToken->model ) {
-    if( (void *)NULL != (void *)fwToken->mdToken->GetModel ) {
-      fwToken->model = fwToken->mdToken->GetModel(fwToken->mdToken, fwToken,
-        fwToken->mdInstance, fwToken->fwInstance, &error);
-      if( ((NSSUTF8 *)NULL == fwToken->model) && (CKR_OK != error) ) {
-        goto done;
-      }
-    } else {
-      fwToken->model = (NSSUTF8 *)"";
-    }
-  }
-
-  (void)nssUTF8_CopyIntoFixedBuffer(fwToken->model, (char *)model, 16, ' ');
-  error = CKR_OK;
-
- done:
-  (void)nssCKFWMutex_Unlock(fwToken->mutex);
-  return error;
-}
-
-/*
- * nssCKFWToken_GetSerialNumber
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWToken_GetSerialNumber
-(
-  NSSCKFWToken *fwToken,
-  CK_CHAR serialNumber[16]
-)
-{
-  CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
-  if( (CK_CHAR_PTR)NULL == serialNumber ) {
-    return CKR_ARGUMENTS_BAD;
-  }
-
-  error = nssCKFWToken_verifyPointer(fwToken);
-  if( CKR_OK != error ) {
-    return error;
-  }
-#endif /* NSSDEBUG */
-
-  error = nssCKFWMutex_Lock(fwToken->mutex);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  if( (NSSUTF8 *)NULL == fwToken->serialNumber ) {
-    if( (void *)NULL != (void *)fwToken->mdToken->GetSerialNumber ) {
-      fwToken->serialNumber = fwToken->mdToken->GetSerialNumber(fwToken->mdToken, 
-        fwToken, fwToken->mdInstance, fwToken->fwInstance, &error);
-      if( ((NSSUTF8 *)NULL == fwToken->serialNumber) && (CKR_OK != error) ) {
-        goto done;
-      }
-    } else {
-      fwToken->serialNumber = (NSSUTF8 *)"";
-    }
-  }
-
-  (void)nssUTF8_CopyIntoFixedBuffer(fwToken->serialNumber, (char *)serialNumber, 16, ' ');
-  error = CKR_OK;
-
- done:
-  (void)nssCKFWMutex_Unlock(fwToken->mutex);
-  return error;
-}
-
-
-/*
- * nssCKFWToken_GetHasRNG
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWToken_GetHasRNG
-(
-  NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return CK_FALSE;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwToken->mdToken->GetHasRNG ) {
-    return CK_FALSE;
-  }
-
-  return fwToken->mdToken->GetHasRNG(fwToken->mdToken, fwToken, 
-    fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetIsWriteProtected
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWToken_GetIsWriteProtected
-(
-  NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return CK_FALSE;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwToken->mdToken->GetIsWriteProtected ) {
-    return CK_FALSE;
-  }
-
-  return fwToken->mdToken->GetIsWriteProtected(fwToken->mdToken, fwToken, 
-    fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetLoginRequired
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWToken_GetLoginRequired
-(
-  NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return CK_FALSE;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwToken->mdToken->GetLoginRequired ) {
-    return CK_FALSE;
-  }
-
-  return fwToken->mdToken->GetLoginRequired(fwToken->mdToken, fwToken, 
-    fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetUserPinInitialized
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWToken_GetUserPinInitialized
-(
-  NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return CK_FALSE;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwToken->mdToken->GetUserPinInitialized ) {
-    return CK_FALSE;
-  }
-
-  return fwToken->mdToken->GetUserPinInitialized(fwToken->mdToken, fwToken, 
-    fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetRestoreKeyNotNeeded
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWToken_GetRestoreKeyNotNeeded
-(
-  NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return CK_FALSE;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwToken->mdToken->GetRestoreKeyNotNeeded ) {
-    return CK_FALSE;
-  }
-
-  return fwToken->mdToken->GetRestoreKeyNotNeeded(fwToken->mdToken, fwToken, 
-    fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetHasClockOnToken
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWToken_GetHasClockOnToken
-(
-  NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return CK_FALSE;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwToken->mdToken->GetHasClockOnToken ) {
-    return CK_FALSE;
-  }
-
-  return fwToken->mdToken->GetHasClockOnToken(fwToken->mdToken, fwToken, 
-    fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetHasProtectedAuthenticationPath
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWToken_GetHasProtectedAuthenticationPath
-(
-  NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return CK_FALSE;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwToken->mdToken->GetHasProtectedAuthenticationPath ) {
-    return CK_FALSE;
-  }
-
-  return fwToken->mdToken->GetHasProtectedAuthenticationPath(fwToken->mdToken, 
-    fwToken, fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetSupportsDualCryptoOperations
- *
- */
-NSS_IMPLEMENT CK_BBOOL
-nssCKFWToken_GetSupportsDualCryptoOperations
-(
-  NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return CK_FALSE;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwToken->mdToken->GetSupportsDualCryptoOperations ) {
-    return CK_FALSE;
-  }
-
-  return fwToken->mdToken->GetSupportsDualCryptoOperations(fwToken->mdToken, 
-    fwToken, fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetMaxSessionCount
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWToken_GetMaxSessionCount
-(
-  NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return CK_UNAVAILABLE_INFORMATION;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwToken->mdToken->GetMaxSessionCount ) {
-    return CK_UNAVAILABLE_INFORMATION;
-  }
-
-  return fwToken->mdToken->GetMaxSessionCount(fwToken->mdToken, fwToken, 
-    fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetMaxRwSessionCount
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWToken_GetMaxRwSessionCount
-(
-  NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return CK_UNAVAILABLE_INFORMATION;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwToken->mdToken->GetMaxRwSessionCount ) {
-    return CK_UNAVAILABLE_INFORMATION;
-  }
-
-  return fwToken->mdToken->GetMaxRwSessionCount(fwToken->mdToken, fwToken, 
-    fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetMaxPinLen
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWToken_GetMaxPinLen
-(
-  NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return CK_UNAVAILABLE_INFORMATION;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwToken->mdToken->GetMaxPinLen ) {
-    return CK_UNAVAILABLE_INFORMATION;
-  }
-
-  return fwToken->mdToken->GetMaxPinLen(fwToken->mdToken, fwToken, 
-    fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetMinPinLen
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWToken_GetMinPinLen
-(
-  NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return CK_UNAVAILABLE_INFORMATION;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwToken->mdToken->GetMinPinLen ) {
-    return CK_UNAVAILABLE_INFORMATION;
-  }
-
-  return fwToken->mdToken->GetMinPinLen(fwToken->mdToken, fwToken, 
-    fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetTotalPublicMemory
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWToken_GetTotalPublicMemory
-(
-  NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return CK_UNAVAILABLE_INFORMATION;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwToken->mdToken->GetTotalPublicMemory ) {
-    return CK_UNAVAILABLE_INFORMATION;
-  }
-
-  return fwToken->mdToken->GetTotalPublicMemory(fwToken->mdToken, fwToken, 
-    fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetFreePublicMemory
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWToken_GetFreePublicMemory
-(
-  NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return CK_UNAVAILABLE_INFORMATION;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwToken->mdToken->GetFreePublicMemory ) {
-    return CK_UNAVAILABLE_INFORMATION;
-  }
-
-  return fwToken->mdToken->GetFreePublicMemory(fwToken->mdToken, fwToken, 
-    fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetTotalPrivateMemory
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWToken_GetTotalPrivateMemory
-(
-  NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return CK_UNAVAILABLE_INFORMATION;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwToken->mdToken->GetTotalPrivateMemory ) {
-    return CK_UNAVAILABLE_INFORMATION;
-  }
-
-  return fwToken->mdToken->GetTotalPrivateMemory(fwToken->mdToken, fwToken, 
-    fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetFreePrivateMemory
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWToken_GetFreePrivateMemory
-(
-  NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return CK_UNAVAILABLE_INFORMATION;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwToken->mdToken->GetFreePrivateMemory ) {
-    return CK_UNAVAILABLE_INFORMATION;
-  }
-
-  return fwToken->mdToken->GetFreePrivateMemory(fwToken->mdToken, fwToken, 
-    fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetHardwareVersion
- *
- */
-NSS_IMPLEMENT CK_VERSION
-nssCKFWToken_GetHardwareVersion
-(
-  NSSCKFWToken *fwToken
-)
-{
-  CK_VERSION rv;
-
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    rv.major = rv.minor = 0;
-    return rv;
-  }
-#endif /* NSSDEBUG */
-
-  if( CKR_OK != nssCKFWMutex_Lock(fwToken->mutex) ) {
-    rv.major = rv.minor = 0;
-    return rv;
-  }
-
-  if( (0 != fwToken->hardwareVersion.major) ||
-      (0 != fwToken->hardwareVersion.minor) ) {
-    rv = fwToken->hardwareVersion;
-    goto done;
-  }
-
-  if( (void *)NULL != (void *)fwToken->mdToken->GetHardwareVersion ) {
-    fwToken->hardwareVersion = fwToken->mdToken->GetHardwareVersion(
-      fwToken->mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance);
-  } else {
-    fwToken->hardwareVersion.major = 0;
-    fwToken->hardwareVersion.minor = 1;
-  }
-
-  rv = fwToken->hardwareVersion;
-
- done:
-  (void)nssCKFWMutex_Unlock(fwToken->mutex);
-  return rv;
-}
-
-/*
- * nssCKFWToken_GetFirmwareVersion
- *
- */
-NSS_IMPLEMENT CK_VERSION
-nssCKFWToken_GetFirmwareVersion
-(
-  NSSCKFWToken *fwToken
-)
-{
-  CK_VERSION rv;
-
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    rv.major = rv.minor = 0;
-    return rv;
-  }
-#endif /* NSSDEBUG */
-
-  if( CKR_OK != nssCKFWMutex_Lock(fwToken->mutex) ) {
-    rv.major = rv.minor = 0;
-    return rv;
-  }
-
-  if( (0 != fwToken->firmwareVersion.major) ||
-      (0 != fwToken->firmwareVersion.minor) ) {
-    rv = fwToken->firmwareVersion;
-    goto done;
-  }
-
-  if( (void *)NULL != (void *)fwToken->mdToken->GetFirmwareVersion ) {
-    fwToken->firmwareVersion = fwToken->mdToken->GetFirmwareVersion(
-      fwToken->mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance);
-  } else {
-    fwToken->firmwareVersion.major = 0;
-    fwToken->firmwareVersion.minor = 1;
-  }
-
-  rv = fwToken->firmwareVersion;
-
- done:
-  (void)nssCKFWMutex_Unlock(fwToken->mutex);
-  return rv;
-}
-
-/*
- * nssCKFWToken_GetUTCTime
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWToken_GetUTCTime
-(
-  NSSCKFWToken *fwToken,
-  CK_CHAR utcTime[16]
-)
-{
-  CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
-  error = nssCKFWToken_verifyPointer(fwToken);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  if( (CK_CHAR_PTR)NULL == utcTime ) {
-    return CKR_ARGUMENTS_BAD;
-  }
-#endif /* DEBUG */
-
-  if( CK_TRUE != nssCKFWToken_GetHasClockOnToken(fwToken) ) {
-    /* return CKR_DEVICE_ERROR; */
-    (void)nssUTF8_CopyIntoFixedBuffer((NSSUTF8 *)NULL, (char *)utcTime, 16, ' ');
-    return CKR_OK;
-  }
-
-  if( (void *)NULL == (void *)fwToken->mdToken->GetUTCTime ) {
-    /* It said it had one! */
-    return CKR_GENERAL_ERROR;
-  }
-
-  error = fwToken->mdToken->GetUTCTime(fwToken->mdToken, fwToken, 
-            fwToken->mdInstance, fwToken->fwInstance, utcTime);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  /* Sanity-check the data */
-  {
-    /* Format is YYYYMMDDhhmmss00 */
-    int i;
-    int Y, M, D, h, m, s, z;
-    static int dims[] = { 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
-
-    for( i = 0; i < 16; i++ ) {
-      if( (utcTime[i] < '0') || (utcTime[i] > '9') ) {
-        goto badtime;
-      }
-    }
-
-    Y = ((utcTime[ 0] - '0') * 1000) + ((utcTime[1] - '0') * 100) +
-        ((utcTime[ 2] - '0') * 10) + (utcTime[ 3] - '0');
-    M = ((utcTime[ 4] - '0') * 10) + (utcTime[ 5] - '0');
-    D = ((utcTime[ 6] - '0') * 10) + (utcTime[ 7] - '0');
-    h = ((utcTime[ 8] - '0') * 10) + (utcTime[ 9] - '0');
-    m = ((utcTime[10] - '0') * 10) + (utcTime[11] - '0');
-    s = ((utcTime[12] - '0') * 10) + (utcTime[13] - '0');
-    z = ((utcTime[14] - '0') * 10) + (utcTime[15] - '0');
-
-    if( (Y < 1990) || (Y > 3000) ) goto badtime; /* Y3K problem.  heh heh heh */
-    if( (M < 1) || (M > 12) ) goto badtime;
-    if( (D < 1) || (D > 31) ) goto badtime;
-
-    if( D > dims[M-1] ) goto badtime; /* per-month check */
-    if( (2 == M) && (((Y%4)||!(Y%100))&&(Y%400)) && (D > 28) ) goto badtime; /* leap years */
-
-    if( (h < 0) || (h > 23) ) goto badtime;
-    if( (m < 0) || (m > 60) ) goto badtime;
-    if( (s < 0) || (s > 61) ) goto badtime;
-
-    /* 60m and 60 or 61s is only allowed for leap seconds. */
-    if( (60 == m) || (s >= 60) ) {
-      if( (23 != h) || (60 != m) || (s < 60) ) goto badtime;
-      /* leap seconds can only happen on June 30 or Dec 31.. I think */
-      /* if( ((6 != M) || (30 != D)) && ((12 != M) || (31 != D)) ) goto badtime; */
-    }
-  }
-
-  return CKR_OK;
-
- badtime:
-  return CKR_GENERAL_ERROR;
-}
-
-/*
- * nssCKFWToken_OpenSession
- *
- */
-NSS_IMPLEMENT NSSCKFWSession *
-nssCKFWToken_OpenSession
-(
-  NSSCKFWToken *fwToken,
-  CK_BBOOL rw,
-  CK_VOID_PTR pApplication,
-  CK_NOTIFY Notify,
-  CK_RV *pError
-)
-{
-  NSSCKFWSession *fwSession = (NSSCKFWSession *)NULL;
-  NSSCKMDSession *mdSession;
-
-#ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (NSSCKFWSession *)NULL;
-  }
-
-  *pError = nssCKFWToken_verifyPointer(fwToken);
-  if( CKR_OK != *pError ) {
-    return (NSSCKFWSession *)NULL;
-  }
-
-  switch( rw ) {
-  case CK_TRUE:
-  case CK_FALSE:
-    break;
-  default:
-    *pError = CKR_ARGUMENTS_BAD;
-    return (NSSCKFWSession *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  *pError = nssCKFWMutex_Lock(fwToken->mutex);
-  if( CKR_OK != *pError ) {
-    return (NSSCKFWSession *)NULL;
-  }
-
-  if( CK_TRUE == rw ) {
-    /* Read-write session desired */
-    if( CK_TRUE == nssCKFWToken_GetIsWriteProtected(fwToken) ) {
-      *pError = CKR_TOKEN_WRITE_PROTECTED;
-      goto done;
-    }
-  } else {
-    /* Read-only session desired */
-    if( CKS_RW_SO_FUNCTIONS == nssCKFWToken_GetSessionState(fwToken) ) {
-      *pError = CKR_SESSION_READ_WRITE_SO_EXISTS;
-      goto done;
-    }
-  }
-
-  /* We could compare sesion counts to any limits we know of, I guess.. */
-
-  if( (void *)NULL == (void *)fwToken->mdToken->OpenSession ) {
-    /*
-     * I'm not sure that the Module actually needs to implement
-     * mdSessions -- the Framework can keep track of everything 
-     * needed, really.  But I'll sort out that detail later..
-     */
-    *pError = CKR_GENERAL_ERROR;
-    goto done;
-  }
-
-  fwSession = nssCKFWSession_Create(fwToken, rw, pApplication, Notify, pError);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
-    if( CKR_OK == *pError ) {
-      *pError = CKR_GENERAL_ERROR;
-    }
-    goto done;
-  }
-
-  mdSession = fwToken->mdToken->OpenSession(fwToken->mdToken, fwToken,
-                fwToken->mdInstance, fwToken->fwInstance, fwSession,
-                rw, pError);
-  if( (NSSCKMDSession *)NULL == mdSession ) {
-    (void)nssCKFWSession_Destroy(fwSession, CK_FALSE);
-    if( CKR_OK == *pError ) {
-      *pError = CKR_GENERAL_ERROR;
-    }
-    goto done;
-  }
-
-  *pError = nssCKFWSession_SetMDSession(fwSession, mdSession);
-  if( CKR_OK != *pError ) {
-    if( (void *)NULL != (void *)mdSession->Close ) {
-      mdSession->Close(mdSession, fwSession, fwToken->mdToken, fwToken,
-      fwToken->mdInstance, fwToken->fwInstance);
-    }
-    (void)nssCKFWSession_Destroy(fwSession, CK_FALSE);
-    goto done;
-  }
-
-  *pError = nssCKFWHash_Add(fwToken->sessions, fwSession, fwSession);
-  if( CKR_OK != *pError ) {
-    (void)nssCKFWSession_Destroy(fwSession, CK_FALSE);
-    fwSession = (NSSCKFWSession *)NULL;
-    goto done;
-  }
-
- done:
-  (void)nssCKFWMutex_Unlock(fwToken->mutex);
-  return fwSession;
-}
-
-/*
- * nssCKFWToken_GetMechanismCount
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWToken_GetMechanismCount
-(
-  NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return 0;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwToken->mdToken->GetMechanismCount ) {
-    return 0;
-  }
-
-  return fwToken->mdToken->GetMechanismCount(fwToken->mdToken, fwToken,
-    fwToken->mdInstance, fwToken->fwInstance);
-}
-
-/*
- * nssCKFWToken_GetMechanismTypes
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWToken_GetMechanismTypes
-(
-  NSSCKFWToken *fwToken,
-  CK_MECHANISM_TYPE types[]
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return CKR_ARGUMENTS_BAD;
-  }
-
-  if( (CK_MECHANISM_TYPE *)NULL == types ) {
-    return CKR_ARGUMENTS_BAD;
-  }
-#endif /* NSSDEBUG */
-
-  if( (void *)NULL == (void *)fwToken->mdToken->GetMechanismTypes ) {
-    /*
-     * This should only be called with a sufficiently-large
-     * "types" array, which can only be done if GetMechanismCount
-     * is implemented.  If that's implemented (and returns nonzero),
-     * then this should be too.  So return an error.
-     */
-    return CKR_GENERAL_ERROR;
-  }
-
-  return fwToken->mdToken->GetMechanismTypes(fwToken->mdToken, fwToken,
-    fwToken->mdInstance, fwToken->fwInstance, types);
-}
-
-
-/*
- * nssCKFWToken_GetMechanism
- *
- */
-NSS_IMPLEMENT NSSCKFWMechanism *
-nssCKFWToken_GetMechanism
-(
-  NSSCKFWToken *fwToken,
-  CK_MECHANISM_TYPE which,
-  CK_RV *pError
-)
-{
-  /* XXX fgmr */
-  return (NSSCKFWMechanism *)NULL;
-}
-
-NSS_IMPLEMENT CK_RV
-nssCKFWToken_SetSessionState
-(
-  NSSCKFWToken *fwToken,
-  CK_STATE newState
-)
-{
-  CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
-  error = nssCKFWToken_verifyPointer(fwToken);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  switch( newState ) {
-  case CKS_RO_PUBLIC_SESSION:
-  case CKS_RO_USER_FUNCTIONS:
-  case CKS_RW_PUBLIC_SESSION:
-  case CKS_RW_USER_FUNCTIONS:
-  case CKS_RW_SO_FUNCTIONS:
-    break;
-  default:
-    return CKR_ARGUMENTS_BAD;
-  }
-#endif /* NSSDEBUG */
-
-  error = nssCKFWMutex_Lock(fwToken->mutex);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  fwToken->state = newState;
-  (void)nssCKFWMutex_Unlock(fwToken->mutex);
-  return CKR_OK;
-}
-
-/*
- * nssCKFWToken_RemoveSession
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWToken_RemoveSession
-(
-  NSSCKFWToken *fwToken,
-  NSSCKFWSession *fwSession
-)
-{
-  CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
-  error = nssCKFWToken_verifyPointer(fwToken);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  error = nssCKFWSession_verifyPointer(fwSession);
-  if( CKR_OK != error ) {
-    return error;
-  }
-#endif /* NSSDEBUG */
-
-  error = nssCKFWMutex_Lock(fwToken->mutex);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  if( CK_TRUE != nssCKFWHash_Exists(fwToken->sessions, fwSession) ) {
-    error = CKR_SESSION_HANDLE_INVALID;
-    goto done;
-  }
-
-  nssCKFWHash_Remove(fwToken->sessions, fwSession);
-  fwToken->sessionCount--;
-
-  if( nssCKFWSession_IsRWSession(fwSession) ) {
-    fwToken->rwSessionCount--;
-  }
-
-  if( 0 == fwToken->sessionCount ) {
-    fwToken->rwSessionCount = 0; /* sanity */
-    fwToken->state = CKS_RO_PUBLIC_SESSION; /* some default */
-  }
-
-  error = CKR_OK;
-
- done:
-  (void)nssCKFWMutex_Unlock(fwToken->mutex);
-  return error;
-}
-
-
-/*
- * nssCKFWToken_CloseAllSessions
- *
- */
-NSS_IMPLEMENT CK_RV
-nssCKFWToken_CloseAllSessions
-(
-  NSSCKFWToken *fwToken
-)
-{
-  CK_RV error = CKR_OK;
-
-#ifdef NSSDEBUG
-  error = nssCKFWToken_verifyPointer(fwToken);
-  if( CKR_OK != error ) {
-    return error;
-  }
-#endif /* NSSDEBUG */
-
-  error = nssCKFWMutex_Lock(fwToken->mutex);
-  if( CKR_OK != error ) {
-    return error;
-  }
-
-  nssCKFWHash_Iterate(fwToken->sessions, nss_ckfwtoken_session_iterator, (void *)NULL);
-
-  nssCKFWHash_Destroy(fwToken->sessions);
-
-  fwToken->sessions = nssCKFWHash_Create(fwToken->fwInstance, fwToken->arena, &error);
-  if( (nssCKFWHash *)NULL == fwToken->sessions ) {
-    if( CKR_OK == error ) {
-      error = CKR_GENERAL_ERROR;
-    }
-    goto done;
-  }
-
-  fwToken->state = CKS_RO_PUBLIC_SESSION; /* some default */
-  fwToken->sessionCount = 0;
-  fwToken->rwSessionCount = 0;
-
-  error = CKR_OK;
-
- done:
-  (void)nssCKFWMutex_Unlock(fwToken->mutex);
-  return error;
-}
-
-/*
- * nssCKFWToken_GetSessionCount
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWToken_GetSessionCount
-(
-  NSSCKFWToken *fwToken
-)
-{
-  CK_ULONG rv;
-
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return (CK_ULONG)0;
-  }
-#endif /* NSSDEBUG */
-
-  if( CKR_OK != nssCKFWMutex_Lock(fwToken->mutex) ) {
-    return (CK_ULONG)0;
-  }
-
-  rv = fwToken->sessionCount;
-  (void)nssCKFWMutex_Unlock(fwToken->mutex);
-  return rv;
-}
-
-/*
- * nssCKFWToken_GetRwSessionCount
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWToken_GetRwSessionCount
-(
-  NSSCKFWToken *fwToken
-)
-{
-  CK_ULONG rv;
-
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return (CK_ULONG)0;
-  }
-#endif /* NSSDEBUG */
-
-  if( CKR_OK != nssCKFWMutex_Lock(fwToken->mutex) ) {
-    return (CK_ULONG)0;
-  }
-
-  rv = fwToken->rwSessionCount;
-  (void)nssCKFWMutex_Unlock(fwToken->mutex);
-  return rv;
-}
-
-/*
- * nssCKFWToken_GetRoSessionCount
- *
- */
-NSS_IMPLEMENT CK_ULONG
-nssCKFWToken_GetRoSessionCount
-(
-  NSSCKFWToken *fwToken
-)
-{
-  CK_ULONG rv;
-
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return (CK_ULONG)0;
-  }
-#endif /* NSSDEBUG */
-
-  if( CKR_OK != nssCKFWMutex_Lock(fwToken->mutex) ) {
-    return (CK_ULONG)0;
-  }
-
-  rv = fwToken->sessionCount - fwToken->rwSessionCount;
-  (void)nssCKFWMutex_Unlock(fwToken->mutex);
-  return rv;
-}
-
-/*
- * nssCKFWToken_GetSessionObjectHash
- *
- */
-NSS_IMPLEMENT nssCKFWHash *
-nssCKFWToken_GetSessionObjectHash
-(
-  NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return (nssCKFWHash *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  return fwToken->sessionObjectHash;
-}
-
-/*
- * nssCKFWToken_GetMDObjectHash
- *
- */
-NSS_IMPLEMENT nssCKFWHash *
-nssCKFWToken_GetMDObjectHash
-(
-  NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return (nssCKFWHash *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  return fwToken->mdObjectHash;
-}
-
-/*
- * nssCKFWToken_GetObjectHandleHash
- *
- */
-NSS_IMPLEMENT nssCKFWHash *
-nssCKFWToken_GetObjectHandleHash
-(
-  NSSCKFWToken *fwToken
-)
-{
-#ifdef NSSDEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return (nssCKFWHash *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  return fwToken->mdObjectHash;
-}
-
-/*
- * NSSCKFWToken_GetMDToken
- *
- */
-
-NSS_IMPLEMENT NSSCKMDToken *
-NSSCKFWToken_GetMDToken
-(
-  NSSCKFWToken *fwToken
-)
-{
-#ifdef DEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return (NSSCKMDToken *)NULL;
-  }
-#endif /* DEBUG */
-
-  return nssCKFWToken_GetMDToken(fwToken);
-}
-
-/*
- * NSSCKFWToken_GetArena
- *
- */
-
-NSS_IMPLEMENT NSSArena *
-NSSCKFWToken_GetArena
-(
-  NSSCKFWToken *fwToken,
-  CK_RV *pError
-)
-{
-#ifdef DEBUG
-  if( (CK_RV *)NULL == pError ) {
-    return (NSSArena *)NULL;
-  }
-
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    *pError = CKR_ARGUMENTS_BAD;
-    return (NSSArena *)NULL;
-  }
-#endif /* DEBUG */
-
-  return nssCKFWToken_GetArena(fwToken, pError);
-}
-
-/*
- * NSSCKFWToken_GetFWSlot
- *
- */
-
-NSS_IMPLEMENT NSSCKFWSlot *
-NSSCKFWToken_GetFWSlot
-(
-  NSSCKFWToken *fwToken
-)
-{
-#ifdef DEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return (NSSCKFWSlot *)NULL;
-  }
-#endif /* DEBUG */
-
-  return nssCKFWToken_GetFWSlot(fwToken);
-}
-
-/*
- * NSSCKFWToken_GetMDSlot
- *
- */
-
-NSS_IMPLEMENT NSSCKMDSlot *
-NSSCKFWToken_GetMDSlot
-(
-  NSSCKFWToken *fwToken
-)
-{
-#ifdef DEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return (NSSCKMDSlot *)NULL;
-  }
-#endif /* DEBUG */
-
-  return nssCKFWToken_GetMDSlot(fwToken);
-}
-
-/*
- * NSSCKFWToken_GetSessionState
- *
- */
-
-NSS_IMPLEMENT CK_STATE
-NSSCKFWSession_GetSessionState
-(
-  NSSCKFWToken *fwToken
-)
-{
-#ifdef DEBUG
-  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
-    return CKS_RO_PUBLIC_SESSION;
-  }
-#endif /* DEBUG */
-
-  return nssCKFWToken_GetSessionState(fwToken);
-}
diff --git a/security/nss/lib/ckfw/wrap.c b/security/nss/lib/ckfw/wrap.c
deleted file mode 100644
index b9af321a3..000000000
--- a/security/nss/lib/ckfw/wrap.c
+++ /dev/null
@@ -1,3456 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * wrap.c
- *
- * This file contains the routines that actually implement the cryptoki
- * API, using the internal APIs of the NSS Cryptoki Framework.  There is
- * one routine here for every cryptoki routine.  For linking reasons
- * the actual entry points passed back with C_GetFunctionList have to
- * exist in one of the Module's source files; however, those are merely
- * simple wrappers that call these routines.  The intelligence of the
- * implementations is here.
- */
-
-#ifndef CK_T
-#include "ck.h"
-#endif /* CK_T */
-
-/*
- * NSSCKFWC_Initialize
- * NSSCKFWC_Finalize
- * NSSCKFWC_GetInfo
- * -- NSSCKFWC_GetFunctionList -- see the API insert file
- * NSSCKFWC_GetSlotList
- * NSSCKFWC_GetSlotInfo
- * NSSCKFWC_GetTokenInfo
- * NSSCKFWC_WaitForSlotEvent
- * NSSCKFWC_GetMechanismList
- * NSSCKFWC_GetMechanismInfo
- * NSSCKFWC_InitToken
- * NSSCKFWC_InitPIN
- * NSSCKFWC_SetPIN
- * NSSCKFWC_OpenSession
- * NSSCKFWC_CloseSession
- * NSSCKFWC_CloseAllSessions
- * NSSCKFWC_GetSessionInfo
- * NSSCKFWC_GetOperationState
- * NSSCKFWC_SetOperationState
- * NSSCKFWC_Login
- * NSSCKFWC_Logout
- * NSSCKFWC_CreateObject
- * NSSCKFWC_CopyObject
- * NSSCKFWC_DestroyObject
- * NSSCKFWC_GetObjectSize
- * NSSCKFWC_GetAttributeValue
- * NSSCKFWC_SetAttributeValue
- * NSSCKFWC_FindObjectsInit
- * NSSCKFWC_FindObjects
- * NSSCKFWC_FindObjectsFinal
- * NSSCKFWC_EncryptInit
- * NSSCKFWC_Encrypt
- * NSSCKFWC_EncryptUpdate
- * NSSCKFWC_EncryptFinal
- * NSSCKFWC_DecryptInit
- * NSSCKFWC_Decrypt
- * NSSCKFWC_DecryptUpdate
- * NSSCKFWC_DecryptFinal
- * NSSCKFWC_DigestInit
- * NSSCKFWC_Digest
- * NSSCKFWC_DigestUpdate
- * NSSCKFWC_DigestKey
- * NSSCKFWC_DigestFinal
- * NSSCKFWC_SignInit
- * NSSCKFWC_Sign
- * NSSCKFWC_SignUpdate
- * NSSCKFWC_SignFinal
- * NSSCKFWC_SignRecoverInit
- * NSSCKFWC_SignRecover
- * NSSCKFWC_VerifyInit
- * NSSCKFWC_Verify
- * NSSCKFWC_VerifyUpdate
- * NSSCKFWC_VerifyFinal
- * NSSCKFWC_VerifyRecoverInit
- * NSSCKFWC_VerifyRecover
- * NSSCKFWC_DigestEncryptUpdate
- * NSSCKFWC_DecryptDigestUpdate
- * NSSCKFWC_SignEncryptUpdate
- * NSSCKFWC_DecryptVerifyUpdate
- * NSSCKFWC_GenerateKey
- * NSSCKFWC_GenerateKeyPair
- * NSSCKFWC_WrapKey
- * NSSCKFWC_UnwrapKey
- * NSSCKFWC_DeriveKey
- * NSSCKFWC_SeedRandom
- * NSSCKFWC_GenerateRandom
- * NSSCKFWC_GetFunctionStatus
- * NSSCKFWC_CancelFunction
- */
-
-/* figure out out locking semantics */
-static CK_RV
-nssCKFW_GetThreadSafeState(CK_C_INITIALIZE_ARGS_PTR pInitArgs,
-                           CryptokiLockingState *pLocking_state) {
-  int functionCount = 0;
-
-  /* parsed according to (PKCS #11 Section 11.4) */
-  /* no args, the degenerate version of case 1 */
-  if (!pInitArgs) {
-    *pLocking_state = SingleThreaded;
-    return CKR_OK;
-  } 
-
-  /* CKF_OS_LOCKING_OK set, Cases 2 and 4 */
-  if (pInitArgs->flags & CKF_OS_LOCKING_OK) {
-    *pLocking_state = MultiThreaded;
-    return CKR_OK;
-  }
-  if ((CK_CREATEMUTEX) NULL != pInitArgs->CreateMutex) functionCount++;
-  if ((CK_DESTROYMUTEX) NULL != pInitArgs->DestroyMutex) functionCount++;
-  if ((CK_LOCKMUTEX) NULL != pInitArgs->LockMutex) functionCount++;
-  if ((CK_UNLOCKMUTEX) NULL != pInitArgs->UnlockMutex) functionCount++;
-
-  /* CKF_OS_LOCKING_OK is not set, and not functions supplied, 
-   * explicit case 1 */
-  if (0 == functionCount) {
-    *pLocking_state = SingleThreaded;
-    return CKR_OK;
-  }
-
-  /* OS_LOCKING_OK is not set and functions have been supplied. Since
-   * ckfw uses nssbase library which explicitly calls NSPR, and since 
-   * there is no way to reliably override these explicit calls to NSPR,
-   * therefore we can't support applications which have their own threading 
-   * module.  Return CKR_CANT_LOCK if they supplied the correct number of 
-   * arguments, or CKR_ARGUMENTS_BAD if they did not in either case we will 
-   * fail the initialize */
-  return (4 == functionCount) ? CKR_CANT_LOCK : CKR_ARGUMENTS_BAD;
-}
-
-/*
- * NSSCKFWC_Initialize
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_Initialize
-(
-  NSSCKFWInstance **pFwInstance,
-  NSSCKMDInstance *mdInstance,
-  CK_VOID_PTR pInitArgs
-)
-{
-  CK_RV error = CKR_OK;
-  CryptokiLockingState locking_state;
-
-  if( (NSSCKFWInstance **)NULL == pFwInstance ) {
-    error = CKR_GENERAL_ERROR;
-    goto loser;
-  }
-
-  if( (NSSCKFWInstance *)NULL != *pFwInstance ) {
-    error = CKR_CRYPTOKI_ALREADY_INITIALIZED;
-    goto loser;
-  }
-
-  if( (NSSCKMDInstance *)NULL == mdInstance ) {
-    error = CKR_GENERAL_ERROR;
-    goto loser;
-  }
-
-  error = nssCKFW_GetThreadSafeState(pInitArgs,&locking_state);
-  if( CKR_OK != error ) {
-    goto loser;
-  }
-
-  *pFwInstance = nssCKFWInstance_Create(pInitArgs, locking_state, mdInstance, &error);
-  if( (NSSCKFWInstance *)NULL == *pFwInstance ) {
-    goto loser;
-  }
-
-  return CKR_OK;
-
- loser:
-  switch( error ) {
-  case CKR_ARGUMENTS_BAD:
-  case CKR_CANT_LOCK:
-  case CKR_CRYPTOKI_ALREADY_INITIALIZED:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-  case CKR_NEED_TO_CREATE_THREADS:
-    break;
-  default:
-  case CKR_OK:
-    error = CKR_GENERAL_ERROR;
-    break;
-  }
-
-  return error;
-}
-
-/*
- * NSSCKFWC_Finalize
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_Finalize
-(
-  NSSCKFWInstance **pFwInstance
-)
-{
-  CK_RV error = CKR_OK;
-
-  if( (NSSCKFWInstance **)NULL == pFwInstance ) {
-    error = CKR_GENERAL_ERROR;
-    goto loser;
-  }
-
-  if( (NSSCKFWInstance *)NULL == *pFwInstance ) {
-    error = CKR_CRYPTOKI_NOT_INITIALIZED;
-    goto loser;
-  }
-
-  error = nssCKFWInstance_Destroy(*pFwInstance);
-
-  /* In any case */
-  *pFwInstance = (NSSCKFWInstance *)NULL;
-
- loser:
-  switch( error ) {
-  case CKR_CRYPTOKI_NOT_INITIALIZED:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-  case CKR_OK:
-    break;
-  default:
-    error = CKR_GENERAL_ERROR;
-    break;
-  }
-
-  return error;
-}
-
-/*
- * NSSCKFWC_GetInfo
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_GetInfo
-(
-  NSSCKFWInstance *fwInstance,
-  CK_INFO_PTR pInfo
-)
-{
-  CK_RV error = CKR_OK;
-
-  if( (CK_INFO_PTR)CK_NULL_PTR == pInfo ) {
-    error = CKR_ARGUMENTS_BAD;
-    goto loser;
-  }
-
-  /*
-   * A purify error here means a caller error
-   */
-  (void)nsslibc_memset(pInfo, 0, sizeof(CK_INFO));
-
-  pInfo->cryptokiVersion = nssCKFWInstance_GetCryptokiVersion(fwInstance);
-
-  error = nssCKFWInstance_GetManufacturerID(fwInstance, pInfo->manufacturerID);
-  if( CKR_OK != error ) {
-    goto loser;
-  }
-
-  pInfo->flags = nssCKFWInstance_GetFlags(fwInstance);
-
-  error = nssCKFWInstance_GetLibraryDescription(fwInstance, pInfo->libraryDescription);
-  if( CKR_OK != error ) {
-    goto loser;
-  }
-
-  pInfo->libraryVersion = nssCKFWInstance_GetLibraryVersion(fwInstance);
-
-  return CKR_OK;
-
- loser:
-  switch( error ) {
-  case CKR_CRYPTOKI_NOT_INITIALIZED:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-    break;
-  default:
-    error = CKR_GENERAL_ERROR;
-    break;
-  }
-
-  return error;
-}
-  
-/*
- * C_GetFunctionList is implemented entirely in the Module's file which
- * includes the Framework API insert file.  It requires no "actual"
- * NSSCKFW routine.
- */
-
-/*
- * NSSCKFWC_GetSlotList
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_GetSlotList
-(
-  NSSCKFWInstance *fwInstance,
-  CK_BBOOL tokenPresent,
-  CK_SLOT_ID_PTR pSlotList,
-  CK_ULONG_PTR pulCount
-)
-{
-  CK_RV error = CKR_OK;
-  CK_ULONG nSlots;
-
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
-    error = CKR_CRYPTOKI_NOT_INITIALIZED;
-    goto loser;
-  }
-
-  switch( tokenPresent ) {
-  case CK_TRUE:
-  case CK_FALSE:
-    break;
-  default:
-    error = CKR_ARGUMENTS_BAD;
-    goto loser;
-  }
-
-  if( (CK_ULONG_PTR)CK_NULL_PTR == pulCount ) {
-    error = CKR_ARGUMENTS_BAD;
-    goto loser;
-  }
-
-  nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
-  if( (CK_ULONG)0 == nSlots ) {
-    goto loser;
-  }
-
-  if( (CK_SLOT_ID_PTR)CK_NULL_PTR == pSlotList ) {
-    *pulCount = nSlots;
-    return CKR_OK;
-  } 
-    
-  /*
-   * A purify error here indicates caller error.
-   */
-  (void)nsslibc_memset(pSlotList, 0, *pulCount * sizeof(CK_SLOT_ID));
-
-  if( *pulCount < nSlots ) {
-    *pulCount = nSlots;
-    error = CKR_BUFFER_TOO_SMALL;
-    goto loser;
-  } else {
-    CK_ULONG i;
-    *pulCount = nSlots;
-    
-    /* 
-     * Our secret "mapping": CK_SLOT_IDs are integers [1,N], and we
-     * just index one when we need it.
-     */
-
-    for( i = 0; i < nSlots; i++ ) {
-      pSlotList[i] = i+1;
-    }
-
-    return CKR_OK;
-  }
-
- loser:
-  switch( error ) {
-  case CKR_BUFFER_TOO_SMALL:
-  case CKR_CRYPTOKI_NOT_INITIALIZED:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-    break;
-  default:
-  case CKR_OK:
-    error = CKR_GENERAL_ERROR;
-    break;
-  }
-
-  return error;
-}
- 
-/*
- * NSSCKFWC_GetSlotInfo
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_GetSlotInfo
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SLOT_ID slotID,
-  CK_SLOT_INFO_PTR pInfo
-)
-{
-  CK_RV error = CKR_OK;
-  CK_ULONG nSlots;
-  NSSCKFWSlot **slots;
-  NSSCKFWSlot *fwSlot;
-
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
-    error = CKR_CRYPTOKI_NOT_INITIALIZED;
-    goto loser;
-  }
-
-  nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
-  if( (CK_ULONG)0 == nSlots ) {
-    goto loser;
-  }
-
-  if( (slotID < 1) || (slotID > nSlots) ) {
-    error = CKR_SLOT_ID_INVALID;
-    goto loser;
-  }
-
-  if( (CK_SLOT_INFO_PTR)CK_NULL_PTR == pInfo ) {
-    error = CKR_ARGUMENTS_BAD;
-    goto loser;
-  }
-
-  /*
-   * A purify error here indicates caller error.
-   */
-  (void)nsslibc_memset(pInfo, 0, sizeof(CK_SLOT_INFO));
-
-  slots = nssCKFWInstance_GetSlots(fwInstance, &error);
-  if( (NSSCKFWSlot **)NULL == slots ) {
-    goto loser;
-  }
-
-  fwSlot = slots[ slotID-1 ];
-
-  error = nssCKFWSlot_GetSlotDescription(fwSlot, pInfo->slotDescription);
-  if( CKR_OK != error ) {
-    goto loser;
-  }
-
-  error = nssCKFWSlot_GetManufacturerID(fwSlot, pInfo->manufacturerID);
-  if( CKR_OK != error ) {
-    goto loser;
-  }
-
-  if( nssCKFWSlot_GetTokenPresent(fwSlot) ) {
-    pInfo->flags |= CKF_TOKEN_PRESENT;
-  }
-
-  if( nssCKFWSlot_GetRemovableDevice(fwSlot) ) {
-    pInfo->flags |= CKF_REMOVABLE_DEVICE;
-  }
-
-  if( nssCKFWSlot_GetHardwareSlot(fwSlot) ) {
-    pInfo->flags |= CKF_HW_SLOT;
-  }
-
-  pInfo->hardwareVersion = nssCKFWSlot_GetHardwareVersion(fwSlot);
-  pInfo->firmwareVersion = nssCKFWSlot_GetFirmwareVersion(fwSlot);
-
-  return CKR_OK;
-
- loser:
-  switch( error ) {
-  case CKR_CRYPTOKI_NOT_INITIALIZED:
-  case CKR_DEVICE_ERROR:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-  case CKR_SLOT_ID_INVALID:
-    break;
-  default:
-  case CKR_OK:
-    error = CKR_GENERAL_ERROR;
-  }
-
-  return error;
-}
-
-/*
- * NSSCKFWC_GetTokenInfo
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_GetTokenInfo
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SLOT_ID slotID,
-  CK_TOKEN_INFO_PTR pInfo
-)
-{
-  CK_RV error = CKR_OK;
-  CK_ULONG nSlots;
-  NSSCKFWSlot **slots;
-  NSSCKFWSlot *fwSlot;
-  NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
-
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
-    error = CKR_CRYPTOKI_NOT_INITIALIZED;
-    goto loser;
-  }
-
-  nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
-  if( (CK_ULONG)0 == nSlots ) {
-    goto loser;
-  }
-
-  if( (slotID < 1) || (slotID > nSlots) ) {
-    error = CKR_SLOT_ID_INVALID;
-    goto loser;
-  }
-
-  if( (CK_TOKEN_INFO_PTR)CK_NULL_PTR == pInfo ) {
-    error = CKR_ARGUMENTS_BAD;
-    goto loser;
-  }
-
-  /*
-   * A purify error here indicates caller error.
-   */
-  (void)nsslibc_memset(pInfo, 0, sizeof(CK_TOKEN_INFO));
-
-  slots = nssCKFWInstance_GetSlots(fwInstance, &error);
-  if( (NSSCKFWSlot **)NULL == slots ) {
-    goto loser;
-  }
-
-  fwSlot = slots[ slotID-1 ];
-
-  if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
-    error = CKR_TOKEN_NOT_PRESENT;
-    goto loser;
-  }
-
-  fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
-  if( (NSSCKFWToken *)NULL == fwToken ) {
-    goto loser;
-  }
-
-  error = nssCKFWToken_GetLabel(fwToken, pInfo->label);
-  if( CKR_OK != error ) {
-    goto loser;
-  }
-
-  error = nssCKFWToken_GetManufacturerID(fwToken, pInfo->manufacturerID);
-  if( CKR_OK != error ) {
-    goto loser;
-  }
-
-  error = nssCKFWToken_GetModel(fwToken, pInfo->model);
-  if( CKR_OK != error ) {
-    goto loser;
-  }
-
-  error = nssCKFWToken_GetSerialNumber(fwToken, pInfo->serialNumber);
-  if( CKR_OK != error ) {
-    goto loser;
-  }
-
-  if( nssCKFWToken_GetHasRNG(fwToken) ) {
-    pInfo->flags |= CKF_RNG;
-  }
-
-  if( nssCKFWToken_GetIsWriteProtected(fwToken) ) {
-    pInfo->flags |= CKF_WRITE_PROTECTED;
-  }
-
-  if( nssCKFWToken_GetLoginRequired(fwToken) ) {
-    pInfo->flags |= CKF_LOGIN_REQUIRED;
-  }
-
-  if( nssCKFWToken_GetUserPinInitialized(fwToken) ) {
-    pInfo->flags |= CKF_USER_PIN_INITIALIZED;
-  }
-
-  if( nssCKFWToken_GetRestoreKeyNotNeeded(fwToken) ) {
-    pInfo->flags |= CKF_RESTORE_KEY_NOT_NEEDED;
-  }
-
-  if( nssCKFWToken_GetHasClockOnToken(fwToken) ) {
-    pInfo->flags |= CKF_CLOCK_ON_TOKEN;
-  }
-
-  if( nssCKFWToken_GetHasProtectedAuthenticationPath(fwToken) ) {
-    pInfo->flags |= CKF_PROTECTED_AUTHENTICATION_PATH;
-  }
-
-  if( nssCKFWToken_GetSupportsDualCryptoOperations(fwToken) ) {
-    pInfo->flags |= CKF_DUAL_CRYPTO_OPERATIONS;
-  }
-
-  pInfo->ulMaxSessionCount = nssCKFWToken_GetMaxSessionCount(fwToken);
-  pInfo->ulSessionCount = nssCKFWToken_GetSessionCount(fwToken);
-  pInfo->ulMaxRwSessionCount = nssCKFWToken_GetMaxRwSessionCount(fwToken);
-  pInfo->ulRwSessionCount= nssCKFWToken_GetRwSessionCount(fwToken);
-  pInfo->ulMaxPinLen = nssCKFWToken_GetMaxPinLen(fwToken);
-  pInfo->ulMinPinLen = nssCKFWToken_GetMinPinLen(fwToken);
-  pInfo->ulTotalPublicMemory = nssCKFWToken_GetTotalPublicMemory(fwToken);
-  pInfo->ulFreePublicMemory = nssCKFWToken_GetFreePublicMemory(fwToken);
-  pInfo->ulTotalPrivateMemory = nssCKFWToken_GetTotalPrivateMemory(fwToken);
-  pInfo->ulFreePrivateMemory = nssCKFWToken_GetFreePrivateMemory(fwToken);
-  pInfo->hardwareVersion = nssCKFWToken_GetHardwareVersion(fwToken);
-  pInfo->firmwareVersion = nssCKFWToken_GetFirmwareVersion(fwToken);
-  
-  error = nssCKFWToken_GetUTCTime(fwToken, pInfo->utcTime);
-  if( CKR_OK != error ) {
-    goto loser;
-  }
-
-  return CKR_OK;
-
- loser:
-  switch( error ) {
-  case CKR_DEVICE_REMOVED:
-  case CKR_TOKEN_NOT_PRESENT:
-    (void)nssCKFWToken_Destroy(fwToken);
-    break;
-  case CKR_CRYPTOKI_NOT_INITIALIZED:
-  case CKR_DEVICE_ERROR:
-  case CKR_DEVICE_MEMORY:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-  case CKR_SLOT_ID_INVALID:
-  case CKR_TOKEN_NOT_RECOGNIZED:
-    break;
-  default:
-  case CKR_OK:
-    error = CKR_GENERAL_ERROR;
-    break;
-  }
-
-  return error;
-}
-
-/*
- * NSSCKFWC_WaitForSlotEvent
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_WaitForSlotEvent
-(
-  NSSCKFWInstance *fwInstance,
-  CK_FLAGS flags,
-  CK_SLOT_ID_PTR pSlot,
-  CK_VOID_PTR pReserved
-)
-{
-  CK_RV error = CKR_OK;
-  CK_ULONG nSlots;
-  CK_BBOOL block;
-  NSSCKFWSlot **slots;
-  NSSCKFWSlot *fwSlot;
-  CK_ULONG i;
-
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
-    error = CKR_CRYPTOKI_NOT_INITIALIZED;
-    goto loser;
-  }
-
-  if( flags & ~CKF_DONT_BLOCK ) {
-    error = CKR_ARGUMENTS_BAD;
-    goto loser;
-  }
-
-  block = (flags & CKF_DONT_BLOCK) ? CK_TRUE : CK_FALSE;
-
-  nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
-  if( (CK_ULONG)0 == nSlots ) {
-    goto loser;
-  }
-
-  if( (CK_SLOT_ID_PTR)CK_NULL_PTR == pSlot ) {
-    error = CKR_ARGUMENTS_BAD;
-    goto loser;
-  }
-
-  if( (CK_VOID_PTR)CK_NULL_PTR != pReserved ) {
-    error = CKR_ARGUMENTS_BAD;
-    goto loser;
-  }
-
-  slots = nssCKFWInstance_GetSlots(fwInstance, &error);
-  if( (NSSCKFWSlot **)NULL == slots ) {
-    goto loser;
-  }
-
-  fwSlot = nssCKFWInstance_WaitForSlotEvent(fwInstance, block, &error);
-  if( (NSSCKFWSlot *)NULL == fwSlot ) {
-    goto loser;
-  }
-
-  for( i = 0; i < nSlots; i++ ) {
-    if( fwSlot == slots[i] ) {
-      *pSlot = (CK_SLOT_ID)(CK_ULONG)(i+1);
-      return CKR_OK;
-    }
-  }
-
-  error = CKR_GENERAL_ERROR; /* returned something not in the slot list */
-
- loser:
-  switch( error ) {
-  case CKR_CRYPTOKI_NOT_INITIALIZED:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-  case CKR_NO_EVENT:
-    break;
-  default:
-  case CKR_OK:
-    error = CKR_GENERAL_ERROR;
-    break;
-  }
-
-  return error;
-}
-
-/*
- * NSSCKFWC_GetMechanismList
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_GetMechanismList
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SLOT_ID slotID,
-  CK_MECHANISM_TYPE_PTR pMechanismList,
-  CK_ULONG_PTR pulCount
-)
-{
-  CK_RV error = CKR_OK;
-  CK_ULONG nSlots;
-  NSSCKFWSlot **slots;
-  NSSCKFWSlot *fwSlot;
-  NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
-  CK_ULONG count;
-
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
-    error = CKR_CRYPTOKI_NOT_INITIALIZED;
-    goto loser;
-  }
-
-  nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
-  if( (CK_ULONG)0 == nSlots ) {
-    goto loser;
-  }
-
-  if( (slotID < 1) || (slotID > nSlots) ) {
-    error = CKR_SLOT_ID_INVALID;
-    goto loser;
-  }
-
-  if( (CK_ULONG_PTR)CK_NULL_PTR == pulCount ) {
-    error = CKR_ARGUMENTS_BAD;
-    goto loser;
-  }
-
-  slots = nssCKFWInstance_GetSlots(fwInstance, &error);
-  if( (NSSCKFWSlot **)NULL == slots ) {
-    goto loser;
-  }
-
-  fwSlot = slots[ slotID-1 ];
-
-  if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
-    error = CKR_TOKEN_NOT_PRESENT;
-    goto loser;
-  }
-
-  fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
-  if( (NSSCKFWToken *)NULL == fwToken ) {
-    goto loser;
-  }
-
-  count = nssCKFWToken_GetMechanismCount(fwToken);
-
-  if( (CK_MECHANISM_TYPE_PTR)CK_NULL_PTR == pMechanismList ) {
-    *pulCount = count;
-    return CKR_OK;
-  }
-
-  if( *pulCount < count ) {
-    *pulCount = count;
-    error = CKR_BUFFER_TOO_SMALL;
-    goto loser;
-  }
-
-  /*
-   * A purify error here indicates caller error.
-   */
-  (void)nsslibc_memset(pMechanismList, 0, *pulCount * sizeof(CK_MECHANISM_TYPE));
-
-  *pulCount = count;
-
-  if( 0 != count ) {
-    error = nssCKFWToken_GetMechanismTypes(fwToken, pMechanismList);
-  } else {
-    error = CKR_OK;
-  }
-
-  if( CKR_OK == error ) {
-    return CKR_OK;
-  }
-
- loser:
-  switch( error ) {
-  case CKR_DEVICE_REMOVED:
-  case CKR_TOKEN_NOT_PRESENT:
-    (void)nssCKFWToken_Destroy(fwToken);
-    break;
-  case CKR_BUFFER_TOO_SMALL:
-  case CKR_CRYPTOKI_NOT_INITIALIZED:
-  case CKR_DEVICE_ERROR:
-  case CKR_DEVICE_MEMORY:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-  case CKR_SLOT_ID_INVALID:
-  case CKR_TOKEN_NOT_RECOGNIZED:
-    break;
-  default:
-  case CKR_OK:
-    error = CKR_GENERAL_ERROR;
-    break;
-  }
-
-  return error;
-}
-
-/*
- * NSSCKFWC_GetMechanismInfo
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_GetMechanismInfo
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SLOT_ID slotID,
-  CK_MECHANISM_TYPE type,
-  CK_MECHANISM_INFO_PTR pInfo
-)
-{
-  CK_RV error = CKR_OK;
-  CK_ULONG nSlots;
-  NSSCKFWSlot **slots;
-  NSSCKFWSlot *fwSlot;
-  NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
-  NSSCKFWMechanism *fwMechanism;
-
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
-    error = CKR_CRYPTOKI_NOT_INITIALIZED;
-    goto loser;
-  }
-
-  nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
-  if( (CK_ULONG)0 == nSlots ) {
-    goto loser;
-  }
-
-  if( (slotID < 1) || (slotID > nSlots) ) {
-    error = CKR_SLOT_ID_INVALID;
-    goto loser;
-  }
-
-  slots = nssCKFWInstance_GetSlots(fwInstance, &error);
-  if( (NSSCKFWSlot **)NULL == slots ) {
-    goto loser;
-  }
-
-  fwSlot = slots[ slotID-1 ];
-
-  if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
-    error = CKR_TOKEN_NOT_PRESENT;
-    goto loser;
-  }
-
-  if( (CK_MECHANISM_INFO_PTR)CK_NULL_PTR == pInfo ) {
-    error = CKR_ARGUMENTS_BAD;
-    goto loser;
-  }
-
-  /*
-   * A purify error here indicates caller error.
-   */
-  (void)nsslibc_memset(pInfo, 0, sizeof(CK_MECHANISM_INFO));
-
-  fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
-  if( (NSSCKFWToken *)NULL == fwToken ) {
-    goto loser;
-  }
-
-  fwMechanism = nssCKFWToken_GetMechanism(fwToken, type, &error);
-  if( (NSSCKFWMechanism *)NULL == fwMechanism ) {
-    goto loser;
-  }
-
-  pInfo->ulMinKeySize = nssCKFWMechanism_GetMinKeySize(fwMechanism);
-  pInfo->ulMaxKeySize = nssCKFWMechanism_GetMaxKeySize(fwMechanism);
-
-  if( nssCKFWMechanism_GetInHardware(fwMechanism) ) {
-    pInfo->flags |= CKF_HW;
-  }
-
-  /* More here... */
-
-  return CKR_OK;
-
- loser:
-  switch( error ) {
-  case CKR_DEVICE_REMOVED:
-  case CKR_TOKEN_NOT_PRESENT:
-    (void)nssCKFWToken_Destroy(fwToken);
-    break;
-  case CKR_CRYPTOKI_NOT_INITIALIZED:
-  case CKR_DEVICE_ERROR:
-  case CKR_DEVICE_MEMORY:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-  case CKR_MECHANISM_INVALID:
-  case CKR_SLOT_ID_INVALID:
-  case CKR_TOKEN_NOT_RECOGNIZED:
-    break;
-  default:
-  case CKR_OK:
-    error = CKR_GENERAL_ERROR;
-    break;
-  }
-
-  return error;
-}
-
-/*
- * NSSCKFWC_InitToken
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_InitToken
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SLOT_ID slotID,
-  CK_CHAR_PTR pPin,
-  CK_ULONG ulPinLen,
-  CK_CHAR_PTR pLabel
-)
-{
-  CK_RV error = CKR_OK;
-  CK_ULONG nSlots;
-  NSSCKFWSlot **slots;
-  NSSCKFWSlot *fwSlot;
-  NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
-  NSSItem pin;
-  NSSUTF8 *label;
-
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
-    error = CKR_CRYPTOKI_NOT_INITIALIZED;
-    goto loser;
-  }
-
-  nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
-  if( (CK_ULONG)0 == nSlots ) {
-    goto loser;
-  }
-
-  if( (slotID < 1) || (slotID > nSlots) ) {
-    error = CKR_SLOT_ID_INVALID;
-    goto loser;
-  }
-
-  slots = nssCKFWInstance_GetSlots(fwInstance, &error);
-  if( (NSSCKFWSlot **)NULL == slots ) {
-    goto loser;
-  }
-
-  fwSlot = slots[ slotID-1 ];
-
-  if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
-    error = CKR_TOKEN_NOT_PRESENT;
-    goto loser;
-  }
-
-  fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
-  if( (NSSCKFWToken *)NULL == fwToken ) {
-    goto loser;
-  }
-
-  pin.size = (PRUint32)ulPinLen;
-  pin.data = (void *)pPin;
-  label = (NSSUTF8 *)pLabel; /* identity conversion */
-
-  error = nssCKFWToken_InitToken(fwToken, &pin, label);
-  if( CKR_OK != error ) {
-    goto loser;
-  }
-
-  return CKR_OK;
-
- loser:
-  switch( error ) {
-  case CKR_DEVICE_REMOVED:
-  case CKR_TOKEN_NOT_PRESENT:
-    (void)nssCKFWToken_Destroy(fwToken);
-    break;
-  case CKR_CRYPTOKI_NOT_INITIALIZED:
-  case CKR_DEVICE_ERROR:
-  case CKR_DEVICE_MEMORY:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-  case CKR_PIN_INCORRECT:
-  case CKR_PIN_LOCKED:
-  case CKR_SESSION_EXISTS:
-  case CKR_SLOT_ID_INVALID:
-  case CKR_TOKEN_NOT_RECOGNIZED:
-  case CKR_TOKEN_WRITE_PROTECTED:
-    break;
-  default:
-  case CKR_OK:
-    error = CKR_GENERAL_ERROR;
-    break;
-  }
-
-  return error;
-}
-
-/*
- * NSSCKFWC_InitPIN
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_InitPIN
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_CHAR_PTR pPin,
-  CK_ULONG ulPinLen
-)
-{
-  CK_RV error = CKR_OK;
-  NSSCKFWSession *fwSession;
-  NSSItem pin, *arg;
-
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
-    error = CKR_CRYPTOKI_NOT_INITIALIZED;
-    goto loser;
-  }
-
-  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
-    error = CKR_SESSION_HANDLE_INVALID;
-    goto loser;
-  }
-
-  if( (CK_CHAR_PTR)CK_NULL_PTR == pPin ) {
-    arg = (NSSItem *)NULL;
-  } else {
-    arg = &pin;
-    pin.size = (PRUint32)ulPinLen;
-    pin.data = (void *)pPin;
-  }
-
-  error = nssCKFWSession_InitPIN(fwSession, arg);
-  if( CKR_OK != error ) {
-    goto loser;
-  }
-
-  return CKR_OK;
-
- loser:
-  switch( error ) {
-  case CKR_SESSION_CLOSED:
-    /* destroy session? */
-    break;
-  case CKR_DEVICE_REMOVED:
-    /* (void)nssCKFWToken_Destroy(fwToken); */
-    break;
-  case CKR_CRYPTOKI_NOT_INITIALIZED:
-  case CKR_DEVICE_ERROR:
-  case CKR_DEVICE_MEMORY:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-  case CKR_PIN_INVALID:
-  case CKR_PIN_LEN_RANGE:
-  case CKR_SESSION_READ_ONLY:
-  case CKR_SESSION_HANDLE_INVALID:
-  case CKR_TOKEN_WRITE_PROTECTED:
-  case CKR_USER_NOT_LOGGED_IN:
-    break;
-  default:
-  case CKR_OK:
-    error = CKR_GENERAL_ERROR;
-    break;
-  }
-
-  return error;
-}
-
-/*
- * NSSCKFWC_SetPIN
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_SetPIN
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_CHAR_PTR pOldPin,
-  CK_ULONG ulOldLen,
-  CK_CHAR_PTR pNewPin,
-  CK_ULONG ulNewLen
-)
-{
-  CK_RV error = CKR_OK;
-  NSSCKFWSession *fwSession;
-  NSSItem oldPin, newPin, *oldArg, *newArg;
-
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
-    error = CKR_CRYPTOKI_NOT_INITIALIZED;
-    goto loser;
-  }
-
-  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
-    error = CKR_SESSION_HANDLE_INVALID;
-    goto loser;
-  }
-
-  if( (CK_CHAR_PTR)CK_NULL_PTR == pOldPin ) {
-    oldArg = (NSSItem *)NULL;
-  } else {
-    oldArg = &oldPin;
-    oldPin.size = (PRUint32)ulOldLen;
-    oldPin.data = (void *)pOldPin;
-  }
-
-  if( (CK_CHAR_PTR)CK_NULL_PTR == pNewPin ) {
-    newArg = (NSSItem *)NULL;
-  } else {
-    newArg = &newPin;
-    newPin.size = (PRUint32)ulNewLen;
-    newPin.data = (void *)pNewPin;
-  }
-
-  error = nssCKFWSession_SetPIN(fwSession, oldArg, newArg);
-  if( CKR_OK != error ) {
-    goto loser;
-  }
-
-  return CKR_OK;
-
- loser:
-  switch( error ) {
-  case CKR_SESSION_CLOSED:
-    /* destroy session? */
-    break;
-  case CKR_DEVICE_REMOVED:
-    /* (void)nssCKFWToken_Destroy(fwToken); */
-    break;
-  case CKR_CRYPTOKI_NOT_INITIALIZED:
-  case CKR_DEVICE_ERROR:
-  case CKR_DEVICE_MEMORY:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-  case CKR_PIN_INCORRECT:
-  case CKR_PIN_INVALID:
-  case CKR_PIN_LEN_RANGE:
-  case CKR_PIN_LOCKED:
-  case CKR_SESSION_HANDLE_INVALID:
-  case CKR_SESSION_READ_ONLY:
-  case CKR_TOKEN_WRITE_PROTECTED:
-    break;
-  default:
-  case CKR_OK:
-    error = CKR_GENERAL_ERROR;
-    break;
-  }
-
-  return error;
-}
-
-/*
- * NSSCKFWC_OpenSession
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_OpenSession
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SLOT_ID slotID,
-  CK_FLAGS flags,
-  CK_VOID_PTR pApplication,
-  CK_NOTIFY Notify,
-  CK_SESSION_HANDLE_PTR phSession
-)
-{
-  CK_RV error = CKR_OK;
-  CK_ULONG nSlots;
-  NSSCKFWSlot **slots;
-  NSSCKFWSlot *fwSlot;
-  NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
-  NSSCKFWSession *fwSession;
-  CK_BBOOL rw;
-
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
-    error = CKR_CRYPTOKI_NOT_INITIALIZED;
-    goto loser;
-  }
-
-  nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
-  if( (CK_ULONG)0 == nSlots ) {
-    goto loser;
-  }
-
-  if( (slotID < 1) || (slotID > nSlots) ) {
-    error = CKR_SLOT_ID_INVALID;
-    goto loser;
-  }
-
-  if( flags & CKF_RW_SESSION ) {
-    rw = CK_TRUE;
-  } else {
-    rw = CK_FALSE;
-  }
-
-  if( flags & CKF_SERIAL_SESSION ) {
-    ;
-  } else {
-    error = CKR_SESSION_PARALLEL_NOT_SUPPORTED;
-    goto loser;
-  }
-
-  if( flags & ~(CKF_RW_SESSION|CKF_SERIAL_SESSION) ) {
-    error = CKR_ARGUMENTS_BAD;
-    goto loser;
-  }
-
-  if( (CK_SESSION_HANDLE_PTR)CK_NULL_PTR == phSession ) {
-    error = CKR_ARGUMENTS_BAD;
-    goto loser;
-  }
-
-  /*
-   * A purify error here indicates caller error.
-   */
-  *phSession = (CK_SESSION_HANDLE)0;
-
-  slots = nssCKFWInstance_GetSlots(fwInstance, &error);
-  if( (NSSCKFWSlot **)NULL == slots ) {
-    goto loser;
-  }
-
-  fwSlot = slots[ slotID-1 ];
-
-  if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
-    error = CKR_TOKEN_NOT_PRESENT;
-    goto loser;
-  }
-
-  fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
-  if( (NSSCKFWToken *)NULL == fwToken ) {
-    goto loser;
-  }
-
-  fwSession = nssCKFWToken_OpenSession(fwToken, rw, pApplication,
-               Notify, &error);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
-    goto loser;
-  }
-
-  *phSession = nssCKFWInstance_CreateSessionHandle(fwInstance,
-                 fwSession, &error);
-  if( (CK_SESSION_HANDLE)0 == *phSession ) {
-    goto loser;
-  }
-
-  return CKR_OK;
-
- loser:
-  switch( error ) {
-  case CKR_SESSION_CLOSED:
-    /* destroy session? */
-    break;
-  case CKR_DEVICE_REMOVED:
-    /* (void)nssCKFWToken_Destroy(fwToken); */
-    break;
-  case CKR_CRYPTOKI_NOT_INITIALIZED:
-  case CKR_DEVICE_ERROR:
-  case CKR_DEVICE_MEMORY:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-  case CKR_SESSION_COUNT:
-  case CKR_SESSION_EXISTS:
-  case CKR_SESSION_PARALLEL_NOT_SUPPORTED:
-  case CKR_SESSION_READ_WRITE_SO_EXISTS:
-  case CKR_SLOT_ID_INVALID:
-  case CKR_TOKEN_NOT_PRESENT:
-  case CKR_TOKEN_NOT_RECOGNIZED:
-  case CKR_TOKEN_WRITE_PROTECTED:
-    break;
-  default:
-  case CKR_OK:
-    error = CKR_GENERAL_ERROR;
-    break;
-  }
-
-  return error;
-}
-
-/*
- * NSSCKFWC_CloseSession
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_CloseSession
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession
-)
-{
-  CK_RV error = CKR_OK;
-  NSSCKFWSession *fwSession;
-
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
-    error = CKR_CRYPTOKI_NOT_INITIALIZED;
-    goto loser;
-  }
-
-  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
-    error = CKR_SESSION_HANDLE_INVALID;
-    goto loser;
-  }
-
-  nssCKFWInstance_DestroySessionHandle(fwInstance, hSession);
-  error = nssCKFWSession_Destroy(fwSession, CK_TRUE);
-
-  if( CKR_OK != error ) {
-    goto loser;
-  }
-
-  return CKR_OK;
-
- loser:
-  switch( error ) {
-  case CKR_SESSION_CLOSED:
-    /* destroy session? */
-    break;
-  case CKR_DEVICE_REMOVED:
-    /* (void)nssCKFWToken_Destroy(fwToken); */
-    break;
-  case CKR_CRYPTOKI_NOT_INITIALIZED:
-  case CKR_DEVICE_ERROR:
-  case CKR_DEVICE_MEMORY:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-  case CKR_SESSION_HANDLE_INVALID:
-    break;
-  default:
-  case CKR_OK:
-    error = CKR_GENERAL_ERROR;
-    break;
-  }
-
-  return error;
-}
-
-/*
- * NSSCKFWC_CloseAllSessions
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_CloseAllSessions
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SLOT_ID slotID
-)
-{
-  CK_RV error = CKR_OK;
-  CK_ULONG nSlots;
-  NSSCKFWSlot **slots;
-  NSSCKFWSlot *fwSlot;
-  NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
-
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
-    error = CKR_CRYPTOKI_NOT_INITIALIZED;
-    goto loser;
-  }
-
-  nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
-  if( (CK_ULONG)0 == nSlots ) {
-    goto loser;
-  }
-
-  if( (slotID < 1) || (slotID > nSlots) ) {
-    error = CKR_SLOT_ID_INVALID;
-    goto loser;
-  }
-
-  slots = nssCKFWInstance_GetSlots(fwInstance, &error);
-  if( (NSSCKFWSlot **)NULL == slots ) {
-    goto loser;
-  }
-
-  fwSlot = slots[ slotID-1 ];
-
-  if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
-    error = CKR_TOKEN_NOT_PRESENT;
-    goto loser;
-  }
-
-  fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
-  if( (NSSCKFWToken *)NULL == fwToken ) {
-    goto loser;
-  }
-
-  error = nssCKFWToken_CloseAllSessions(fwToken);
-  if( CKR_OK != error ) {
-    goto loser;
-  }
-
-  return CKR_OK;
-
- loser:
-  switch( error ) {
-  case CKR_DEVICE_REMOVED:
-    /* (void)nssCKFWToken_Destroy(fwToken); */
-    break;
-  case CKR_CRYPTOKI_NOT_INITIALIZED:
-  case CKR_DEVICE_ERROR:
-  case CKR_DEVICE_MEMORY:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-  case CKR_SLOT_ID_INVALID:
-  case CKR_TOKEN_NOT_PRESENT:
-    break;
-  default:
-  case CKR_OK:
-    error = CKR_GENERAL_ERROR;
-    break;
-  }
-
-  return error;
-}
-
-/*
- * NSSCKFWC_GetSessionInfo
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_GetSessionInfo
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_SESSION_INFO_PTR pInfo
-)
-{
-  CK_RV error = CKR_OK;
-  NSSCKFWSession *fwSession;
-  NSSCKFWSlot *fwSlot;
-
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
-    error = CKR_CRYPTOKI_NOT_INITIALIZED;
-    goto loser;
-  }
-
-  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
-    error = CKR_SESSION_HANDLE_INVALID;
-    goto loser;
-  }
-
-  if( (CK_SESSION_INFO_PTR)CK_NULL_PTR == pInfo ) {
-    error = CKR_ARGUMENTS_BAD;
-    goto loser;
-  }
-
-  /*
-   * A purify error here indicates caller error.
-   */
-  (void)nsslibc_memset(pInfo, 0, sizeof(CK_SESSION_INFO));
-
-  fwSlot = nssCKFWSession_GetFWSlot(fwSession);
-  if( (NSSCKFWSlot *)NULL == fwSlot ) {
-    error = CKR_GENERAL_ERROR;
-    goto loser;
-  }
-
-  pInfo->slotID = nssCKFWSlot_GetSlotID(fwSlot);
-  pInfo->state = nssCKFWSession_GetSessionState(fwSession);
-
-  if( CK_TRUE == nssCKFWSession_IsRWSession(fwSession) ) {
-    pInfo->flags |= CKF_RW_SESSION;
-  }
-
-  pInfo->flags |= CKF_SERIAL_SESSION; /* Always true */
-
-  pInfo->ulDeviceError = nssCKFWSession_GetDeviceError(fwSession);
-
-  return CKR_OK;
-
- loser:
-  switch( error ) {
-  case CKR_SESSION_CLOSED:
-    /* destroy session? */
-    break;
-  case CKR_DEVICE_REMOVED:
-    /* (void)nssCKFWToken_Destroy(fwToken); */
-    break;
-  case CKR_CRYPTOKI_NOT_INITIALIZED:
-  case CKR_DEVICE_ERROR:
-  case CKR_DEVICE_MEMORY:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-  case CKR_SESSION_HANDLE_INVALID:
-    break;
-  default:
-  case CKR_OK:
-    error = CKR_GENERAL_ERROR;
-    break;
-  }
-
-  return error;
-}
-
-/*
- * NSSCKFWC_GetOperationState
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_GetOperationState
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pOperationState,
-  CK_ULONG_PTR pulOperationStateLen
-)
-{
-  CK_RV error = CKR_OK;
-  NSSCKFWSession *fwSession;
-  CK_ULONG len;
-  NSSItem buf;
-
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
-    error = CKR_CRYPTOKI_NOT_INITIALIZED;
-    goto loser;
-  }
-
-  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
-    error = CKR_SESSION_HANDLE_INVALID;
-    goto loser;
-  }
-
-  if( (CK_ULONG_PTR)CK_NULL_PTR == pulOperationStateLen ) {
-    error = CKR_ARGUMENTS_BAD;
-    goto loser;
-  }
-
-  len = nssCKFWSession_GetOperationStateLen(fwSession, &error);
-  if( ((CK_ULONG)0 == len) && (CKR_OK != error) ) {
-    goto loser;
-  }
-
-  if( (CK_BYTE_PTR)CK_NULL_PTR == pOperationState ) {
-    *pulOperationStateLen = len;
-    return CKR_OK;
-  }
-
-  if( *pulOperationStateLen < len ) {
-    *pulOperationStateLen = len;
-    error = CKR_BUFFER_TOO_SMALL;
-    goto loser;
-  }
-
-  buf.size = (PRUint32)*pulOperationStateLen;
-  buf.data = (void *)pOperationState;
-  *pulOperationStateLen = len;
-  error = nssCKFWSession_GetOperationState(fwSession, &buf);
-
-  if( CKR_OK != error ) {
-    goto loser;
-  }
-
-  return CKR_OK;
-
- loser:
-  switch( error ) {
-  case CKR_SESSION_CLOSED:
-    /* destroy session? */
-    break;
-  case CKR_DEVICE_REMOVED:
-    /* (void)nssCKFWToken_Destroy(fwToken); */
-    break;
-  case CKR_BUFFER_TOO_SMALL:
-  case CKR_CRYPTOKI_NOT_INITIALIZED:
-  case CKR_DEVICE_ERROR:
-  case CKR_DEVICE_MEMORY:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-  case CKR_OPERATION_NOT_INITIALIZED:
-  case CKR_SESSION_HANDLE_INVALID:
-  case CKR_STATE_UNSAVEABLE:
-    break;
-  default:
-  case CKR_OK:
-    error = CKR_GENERAL_ERROR;
-    break;
-  }
-
-  return error;
-}
-
-/*
- * NSSCKFWC_SetOperationState
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_SetOperationState
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pOperationState,
-  CK_ULONG ulOperationStateLen,
-  CK_OBJECT_HANDLE hEncryptionKey,
-  CK_OBJECT_HANDLE hAuthenticationKey
-)
-{
-  CK_RV error = CKR_OK;
-  NSSCKFWSession *fwSession;
-  NSSCKFWObject *eKey;
-  NSSCKFWObject *aKey;
-  NSSItem state;
-
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
-    error = CKR_CRYPTOKI_NOT_INITIALIZED;
-    goto loser;
-  }
-  
-  if( (CK_BYTE_PTR)CK_NULL_PTR == pOperationState ) {
-    error = CKR_ARGUMENTS_BAD;
-    goto loser;
-  }
-
-  /* 
-   * We could loop through the buffer, to catch any purify errors
-   * in a place with a "user error" note.
-   */
-
-  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
-    error = CKR_SESSION_HANDLE_INVALID;
-    goto loser;
-  }
-
-  if( (CK_OBJECT_HANDLE)0 == hEncryptionKey ) {
-    eKey = (NSSCKFWObject *)NULL;
-  } else {
-    eKey = nssCKFWInstance_ResolveObjectHandle(fwInstance, hEncryptionKey);
-    if( (NSSCKFWObject *)NULL == eKey ) {
-      error = CKR_KEY_HANDLE_INVALID;
-      goto loser;
-    }
-  }
-
-  if( (CK_OBJECT_HANDLE)0 == hAuthenticationKey ) {
-    aKey = (NSSCKFWObject *)NULL;
-  } else {
-    aKey = nssCKFWInstance_ResolveObjectHandle(fwInstance, hAuthenticationKey);
-    if( (NSSCKFWObject *)NULL == aKey ) {
-      error = CKR_KEY_HANDLE_INVALID;
-      goto loser;
-    }
-  }
-
-  error = nssCKFWSession_SetOperationState(fwSession, &state, eKey, aKey);
-  if( CKR_OK != error ) {
-    goto loser;
-  }
-
-  return CKR_OK;
-
- loser:
-  switch( error ) {
-  case CKR_SESSION_CLOSED:
-    /* destroy session? */
-    break;
-  case CKR_DEVICE_REMOVED:
-    /* (void)nssCKFWToken_Destroy(fwToken); */
-    break;
-  case CKR_CRYPTOKI_NOT_INITIALIZED:
-  case CKR_DEVICE_ERROR:
-  case CKR_DEVICE_MEMORY:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-  case CKR_KEY_CHANGED:
-  case CKR_KEY_NEEDED:
-  case CKR_KEY_NOT_NEEDED:
-  case CKR_SAVED_STATE_INVALID:
-  case CKR_SESSION_HANDLE_INVALID:
-    break;
-  default:
-  case CKR_OK:
-    error = CKR_GENERAL_ERROR;
-    break;
-  }
-
-  return error;
-}
-
-/*
- * NSSCKFWC_Login
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_Login
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_USER_TYPE userType,
-  CK_CHAR_PTR pPin,
-  CK_ULONG ulPinLen
-)
-{
-  CK_RV error = CKR_OK;
-  NSSCKFWSession *fwSession;
-  NSSItem pin, *arg;
-
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
-    error = CKR_CRYPTOKI_NOT_INITIALIZED;
-    goto loser;
-  }
-  
-  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
-    error = CKR_SESSION_HANDLE_INVALID;
-    goto loser;
-  }
-
-  if( (CK_CHAR_PTR)CK_NULL_PTR == pPin ) {
-    arg = (NSSItem *)NULL;
-  } else {
-    arg = &pin;
-    pin.size = (PRUint32)ulPinLen;
-    pin.data = (void *)pPin;
-  }
-
-  error = nssCKFWSession_Login(fwSession, userType, arg);
-  if( CKR_OK != error ) {
-    goto loser;
-  }
-
-  return CKR_OK;
-
- loser:
-  switch( error ) {
-  case CKR_SESSION_CLOSED:
-    /* destroy session? */
-    break;
-  case CKR_DEVICE_REMOVED:
-    /* (void)nssCKFWToken_Destroy(fwToken); */
-    break;
-  case CKR_CRYPTOKI_NOT_INITIALIZED:
-  case CKR_DEVICE_ERROR:
-  case CKR_DEVICE_MEMORY:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-  case CKR_PIN_EXPIRED:
-  case CKR_PIN_INCORRECT:
-  case CKR_PIN_LOCKED:
-  case CKR_SESSION_HANDLE_INVALID:
-  case CKR_SESSION_READ_ONLY_EXISTS:
-  case CKR_USER_ALREADY_LOGGED_IN:
-  case CKR_USER_ANOTHER_ALREADY_LOGGED_IN:
-  case CKR_USER_PIN_NOT_INITIALIZED:
-  case CKR_USER_TOO_MANY_TYPES:
-  case CKR_USER_TYPE_INVALID:
-    break;
-  default:
-  case CKR_OK:
-    error = CKR_GENERAL_ERROR;
-    break;
-  }
-
-  return error;
-}
-
-/*
- * NSSCKFWC_Logout
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_Logout
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession
-)
-{
-  CK_RV error = CKR_OK;
-  NSSCKFWSession *fwSession;
-
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
-    error = CKR_CRYPTOKI_NOT_INITIALIZED;
-    goto loser;
-  }
-  
-  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
-    error = CKR_SESSION_HANDLE_INVALID;
-    goto loser;
-  }
-
-  error = nssCKFWSession_Logout(fwSession);
-  if( CKR_OK != error ) {
-    goto loser;
-  }
-
-  return CKR_OK;
-
- loser:
-  switch( error ) {
-  case CKR_SESSION_CLOSED:
-    /* destroy session? */
-    break;
-  case CKR_DEVICE_REMOVED:
-    /* (void)nssCKFWToken_Destroy(fwToken); */
-    break;
-  case CKR_CRYPTOKI_NOT_INITIALIZED:
-  case CKR_DEVICE_ERROR:
-  case CKR_DEVICE_MEMORY:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-  case CKR_SESSION_HANDLE_INVALID:
-  case CKR_USER_NOT_LOGGED_IN:
-    break;
-  default:
-  case CKR_OK:
-    error = CKR_GENERAL_ERROR;
-    break;
-  }
-
-  return error;
-}
-
-/*
- * NSSCKFWC_CreateObject
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_CreateObject
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulCount,
-  CK_OBJECT_HANDLE_PTR phObject
-)
-{
-  CK_RV error = CKR_OK;
-  NSSCKFWSession *fwSession;
-  NSSCKFWObject *fwObject;
-
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
-    error = CKR_CRYPTOKI_NOT_INITIALIZED;
-    goto loser;
-  }
-  
-  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
-    error = CKR_SESSION_HANDLE_INVALID;
-    goto loser;
-  }
-
-  if( (CK_OBJECT_HANDLE_PTR)CK_NULL_PTR == phObject ) {
-    error = CKR_ARGUMENTS_BAD;
-    goto loser;
-  }
-
-  /*
-   * A purify error here indicates caller error.
-   */
-  *phObject = (CK_OBJECT_HANDLE)0;
-
-  fwObject = nssCKFWSession_CreateObject(fwSession, pTemplate,
-               ulCount, &error);
-  if( (NSSCKFWObject *)NULL == fwObject ) {
-    goto loser;
-  }
-
-  *phObject = nssCKFWInstance_CreateObjectHandle(fwInstance, fwObject, &error);
-  if( (CK_OBJECT_HANDLE)0 == *phObject ) {
-    nssCKFWObject_Destroy(fwObject);
-    goto loser;
-  }
-
-  return CKR_OK;
-
- loser:
-  switch( error ) {
-  case CKR_SESSION_CLOSED:
-    /* destroy session? */
-    break;
-  case CKR_DEVICE_REMOVED:
-    /* (void)nssCKFWToken_Destroy(fwToken); */
-    break;
-  case CKR_ATTRIBUTE_READ_ONLY:
-  case CKR_ATTRIBUTE_TYPE_INVALID:
-  case CKR_ATTRIBUTE_VALUE_INVALID:
-  case CKR_CRYPTOKI_NOT_INITIALIZED:
-  case CKR_DEVICE_ERROR:
-  case CKR_DEVICE_MEMORY:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-  case CKR_SESSION_HANDLE_INVALID:
-  case CKR_SESSION_READ_ONLY:
-  case CKR_TEMPLATE_INCOMPLETE:
-  case CKR_TEMPLATE_INCONSISTENT:
-  case CKR_TOKEN_WRITE_PROTECTED:
-  case CKR_USER_NOT_LOGGED_IN:
-    break;
-  default:
-  case CKR_OK:
-    error = CKR_GENERAL_ERROR;
-    break;
-  }
-
-  return error;
-}
-
-/*
- * NSSCKFWC_CopyObject
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_CopyObject
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE hObject,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulCount,
-  CK_OBJECT_HANDLE_PTR phNewObject
-)
-{
-  CK_RV error = CKR_OK;
-  NSSCKFWSession *fwSession;
-  NSSCKFWObject *fwObject;
-  NSSCKFWObject *fwNewObject;
-
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
-    error = CKR_CRYPTOKI_NOT_INITIALIZED;
-    goto loser;
-  }
-  
-  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
-    error = CKR_SESSION_HANDLE_INVALID;
-    goto loser;
-  }
-
-  if( (CK_OBJECT_HANDLE_PTR)CK_NULL_PTR == phNewObject ) {
-    error = CKR_ARGUMENTS_BAD;
-    goto loser;
-  }
-
-  /*
-   * A purify error here indicates caller error.
-   */
-  *phNewObject = (CK_OBJECT_HANDLE)0;
-
-  fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject);
-  if( (NSSCKFWObject *)NULL == fwObject ) {
-    error = CKR_OBJECT_HANDLE_INVALID;
-    goto loser;
-  }
-
-  fwNewObject = nssCKFWSession_CopyObject(fwSession, fwObject,
-                  pTemplate, ulCount, &error);
-  if( (NSSCKFWObject *)NULL == fwNewObject ) {
-    goto loser;
-  }
-
-  *phNewObject = nssCKFWInstance_CreateObjectHandle(fwInstance, 
-                   fwNewObject, &error);
-  if( (CK_OBJECT_HANDLE)0 == *phNewObject ) {
-    nssCKFWObject_Destroy(fwNewObject);
-    goto loser;
-  }
-
-  return CKR_OK;
-
- loser:
-  switch( error ) {
-  case CKR_SESSION_CLOSED:
-    /* destroy session? */
-    break;
-  case CKR_DEVICE_REMOVED:
-    /* (void)nssCKFWToken_Destroy(fwToken); */
-    break;
-  case CKR_ATTRIBUTE_READ_ONLY:
-  case CKR_ATTRIBUTE_TYPE_INVALID:
-  case CKR_ATTRIBUTE_VALUE_INVALID:
-  case CKR_CRYPTOKI_NOT_INITIALIZED:
-  case CKR_DEVICE_ERROR:
-  case CKR_DEVICE_MEMORY:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-  case CKR_OBJECT_HANDLE_INVALID:
-  case CKR_SESSION_HANDLE_INVALID:
-  case CKR_SESSION_READ_ONLY:
-  case CKR_TEMPLATE_INCONSISTENT:
-  case CKR_TOKEN_WRITE_PROTECTED:
-  case CKR_USER_NOT_LOGGED_IN:
-    break;
-  default:
-  case CKR_OK:
-    error = CKR_GENERAL_ERROR;
-    break;
-  }
-
-  return error;
-}
-
-/*
- * NSSCKFWC_DestroyObject
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_DestroyObject
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE hObject
-)
-{
-  CK_RV error = CKR_OK;
-  NSSCKFWSession *fwSession;
-  NSSCKFWObject *fwObject;
-
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
-    error = CKR_CRYPTOKI_NOT_INITIALIZED;
-    goto loser;
-  }
-  
-  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
-    error = CKR_SESSION_HANDLE_INVALID;
-    goto loser;
-  }
-
-  fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject);
-  if( (NSSCKFWObject *)NULL == fwObject ) {
-    error = CKR_OBJECT_HANDLE_INVALID;
-    goto loser;
-  }
-
-  nssCKFWInstance_DestroyObjectHandle(fwInstance, hObject);
-  nssCKFWObject_Destroy(fwObject);
-
-  return CKR_OK;
-
- loser:
-  switch( error ) {
-  case CKR_SESSION_CLOSED:
-    /* destroy session? */
-    break;
-  case CKR_DEVICE_REMOVED:
-    /* (void)nssCKFWToken_Destroy(fwToken); */
-    break;
-  case CKR_CRYPTOKI_NOT_INITIALIZED:
-  case CKR_DEVICE_ERROR:
-  case CKR_DEVICE_MEMORY:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-  case CKR_OBJECT_HANDLE_INVALID:
-  case CKR_SESSION_HANDLE_INVALID:
-  case CKR_SESSION_READ_ONLY:
-  case CKR_TOKEN_WRITE_PROTECTED:
-    break;
-  default:
-  case CKR_OK:
-    error = CKR_GENERAL_ERROR;
-    break;
-  }
-
-  return error;
-}
-
-/*
- * NSSCKFWC_GetObjectSize
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_GetObjectSize
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE hObject,
-  CK_ULONG_PTR pulSize
-)
-{
-  CK_RV error = CKR_OK;
-  NSSCKFWSession *fwSession;
-  NSSCKFWObject *fwObject;
-
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
-    error = CKR_CRYPTOKI_NOT_INITIALIZED;
-    goto loser;
-  }
-  
-  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
-    error = CKR_SESSION_HANDLE_INVALID;
-    goto loser;
-  }
-
-  fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject);
-  if( (NSSCKFWObject *)NULL == fwObject ) {
-    error = CKR_OBJECT_HANDLE_INVALID;
-    goto loser;
-  }
-
-  if( (CK_ULONG_PTR)CK_NULL_PTR == pulSize ) {
-    error = CKR_ARGUMENTS_BAD;
-    goto loser;
-  }
-
-  /*
-   * A purify error here indicates caller error.
-   */
-  *pulSize = (CK_ULONG)0;
-
-  *pulSize = nssCKFWObject_GetObjectSize(fwObject, &error);
-  if( ((CK_ULONG)0 == *pulSize) && (CKR_OK != error) ) {
-    goto loser;
-  }
-
-  return CKR_OK;
-
- loser:
-  switch( error ) {
-  case CKR_SESSION_CLOSED:
-    /* destroy session? */
-    break;
-  case CKR_DEVICE_REMOVED:
-    /* (void)nssCKFWToken_Destroy(fwToken); */
-    break;
-  case CKR_CRYPTOKI_NOT_INITIALIZED:
-  case CKR_DEVICE_ERROR:
-  case CKR_DEVICE_MEMORY:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-  case CKR_INFORMATION_SENSITIVE:
-  case CKR_OBJECT_HANDLE_INVALID:
-  case CKR_SESSION_HANDLE_INVALID:
-    break;
-  default:
-  case CKR_OK:
-    error = CKR_GENERAL_ERROR;
-    break;
-  }
-
-  return error;
-}
-
-/*
- * NSSCKFWC_GetAttributeValue
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_GetAttributeValue
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE hObject,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulCount
-)
-{
-  CK_RV error = CKR_OK;
-  NSSCKFWSession *fwSession;
-  NSSCKFWObject *fwObject;
-  CK_BBOOL sensitive = CK_FALSE;
-  CK_BBOOL invalid = CK_FALSE;
-  CK_BBOOL tooSmall = CK_FALSE;
-  CK_ULONG i;
-
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
-    error = CKR_CRYPTOKI_NOT_INITIALIZED;
-    goto loser;
-  }
-  
-  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
-    error = CKR_SESSION_HANDLE_INVALID;
-    goto loser;
-  }
-
-  fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject);
-  if( (NSSCKFWObject *)NULL == fwObject ) {
-    error = CKR_OBJECT_HANDLE_INVALID;
-    goto loser;
-  }
-
-  if( (CK_ATTRIBUTE_PTR)CK_NULL_PTR == pTemplate ) {
-    error = CKR_ARGUMENTS_BAD;
-    goto loser;
-  }
-
-  for( i = 0; i < ulCount; i++ ) {
-    CK_ULONG size = nssCKFWObject_GetAttributeSize(fwObject, 
-                      pTemplate[i].type, &error);
-    if( (CK_ULONG)0 == size ) {
-      switch( error ) {
-      case CKR_ATTRIBUTE_SENSITIVE:
-      case CKR_INFORMATION_SENSITIVE:
-        sensitive = CK_TRUE;
-        pTemplate[i].ulValueLen = (CK_ULONG)(-1);
-        continue;
-      case CKR_ATTRIBUTE_TYPE_INVALID:
-        invalid = CK_TRUE;
-        pTemplate[i].ulValueLen = (CK_ULONG)(-1);
-        continue;
-      case CKR_OK:
-        break;
-      default:
-        goto loser;
-      }
-    }
-
-    if( (CK_VOID_PTR)CK_NULL_PTR == pTemplate[i].pValue ) {
-      pTemplate[i].ulValueLen = size;
-    } else {
-      NSSItem it, *p;
-
-      if( pTemplate[i].ulValueLen < size ) {
-        tooSmall = CK_TRUE;
-        continue;
-      }
-
-      it.size = (PRUint32)pTemplate[i].ulValueLen;
-      it.data = (void *)pTemplate[i].pValue;
-      p = nssCKFWObject_GetAttribute(fwObject, pTemplate[i].type, &it, 
-            (NSSArena *)NULL, &error);
-      if( (NSSItem *)NULL == p ) {
-        switch( error ) {
-        case CKR_ATTRIBUTE_SENSITIVE:
-        case CKR_INFORMATION_SENSITIVE:
-          sensitive = CK_TRUE;
-          pTemplate[i].ulValueLen = (CK_ULONG)(-1);
-          continue;
-        case CKR_ATTRIBUTE_TYPE_INVALID:
-          invalid = CK_TRUE;
-          pTemplate[i].ulValueLen = (CK_ULONG)(-1);
-          continue;
-        default:
-          goto loser;
-        }
-      }
-
-      pTemplate[i].ulValueLen = size;
-    }
-  }
-
-  if( sensitive ) {
-    error = CKR_ATTRIBUTE_SENSITIVE;
-    goto loser;
-  } else if( invalid ) {
-    error = CKR_ATTRIBUTE_TYPE_INVALID;
-    goto loser;
-  } else if( tooSmall ) {
-    error = CKR_BUFFER_TOO_SMALL;
-    goto loser;
-  }
-
-  return CKR_OK;
-
- loser:
-  switch( error ) {
-  case CKR_SESSION_CLOSED:
-    /* destroy session? */
-    break;
-  case CKR_DEVICE_REMOVED:
-    /* (void)nssCKFWToken_Destroy(fwToken); */
-    break;
-  case CKR_ATTRIBUTE_SENSITIVE:
-  case CKR_ATTRIBUTE_TYPE_INVALID:
-  case CKR_BUFFER_TOO_SMALL:
-  case CKR_CRYPTOKI_NOT_INITIALIZED:
-  case CKR_DEVICE_ERROR:
-  case CKR_DEVICE_MEMORY:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-  case CKR_OBJECT_HANDLE_INVALID:
-  case CKR_SESSION_HANDLE_INVALID:
-    break;
-  default:
-  case CKR_OK:
-    error = CKR_GENERAL_ERROR;
-    break;
-  }
-
-  return error;
-}
-  
-/*
- * NSSCKFWC_SetAttributeValue
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_SetAttributeValue
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE hObject,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulCount
-)
-{
-  CK_RV error = CKR_OK;
-  NSSCKFWSession *fwSession;
-  NSSCKFWObject *fwObject;
-  NSSCKFWObject *newFwObject;
-
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
-    error = CKR_CRYPTOKI_NOT_INITIALIZED;
-    goto loser;
-  }
-  
-  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
-    error = CKR_SESSION_HANDLE_INVALID;
-    goto loser;
-  }
-
-  fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject);
-  if( (NSSCKFWObject *)NULL == fwObject ) {
-    error = CKR_OBJECT_HANDLE_INVALID;
-    goto loser;
-  }
-
-  if( (CK_ATTRIBUTE_PTR)CK_NULL_PTR == pTemplate ) {
-    error = CKR_ARGUMENTS_BAD;
-    goto loser;
-  }
-
-  newFwObject = nssCKFWSession_CopyObject(fwSession, fwObject, pTemplate, 
-                  ulCount, &error);
-  if( (NSSCKFWObject *)NULL == newFwObject ) {
-    goto loser;
-  }
-
-  error = nssCKFWInstance_ReassignObjectHandle(fwInstance, hObject, newFwObject);
-  nssCKFWObject_Destroy(fwObject);
-
-  if( CKR_OK != error ) {
-    goto loser;
-  }
-
-  return CKR_OK;
-
- loser:
-  switch( error ) {
-  case CKR_SESSION_CLOSED:
-    /* destroy session? */
-    break;
-  case CKR_DEVICE_REMOVED:
-    /* (void)nssCKFWToken_Destroy(fwToken); */
-    break;
-  case CKR_ATTRIBUTE_READ_ONLY:
-  case CKR_ATTRIBUTE_TYPE_INVALID:
-  case CKR_ATTRIBUTE_VALUE_INVALID:
-  case CKR_CRYPTOKI_NOT_INITIALIZED:
-  case CKR_DEVICE_ERROR:
-  case CKR_DEVICE_MEMORY:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-  case CKR_OBJECT_HANDLE_INVALID:
-  case CKR_SESSION_HANDLE_INVALID:
-  case CKR_SESSION_READ_ONLY:
-  case CKR_TEMPLATE_INCONSISTENT:
-  case CKR_TOKEN_WRITE_PROTECTED:
-    break;
-  default:
-  case CKR_OK:
-    error = CKR_GENERAL_ERROR;
-    break;
-  }
-
-  return error;
-}
-
-/*
- * NSSCKFWC_FindObjectsInit
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_FindObjectsInit
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulCount
-)
-{
-  CK_RV error = CKR_OK;
-  NSSCKFWSession *fwSession;
-  NSSCKFWFindObjects *fwFindObjects;
-
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
-    error = CKR_CRYPTOKI_NOT_INITIALIZED;
-    goto loser;
-  }
-  
-  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
-    error = CKR_SESSION_HANDLE_INVALID;
-    goto loser;
-  }
-
-  if( ((CK_ATTRIBUTE_PTR)CK_NULL_PTR == pTemplate) && (ulCount != 0) ) {
-    error = CKR_ARGUMENTS_BAD;
-    goto loser;
-  }
-
-  fwFindObjects = nssCKFWSession_GetFWFindObjects(fwSession, &error);
-  if( (NSSCKFWFindObjects *)NULL != fwFindObjects ) {
-    error = CKR_OPERATION_ACTIVE;
-    goto loser;
-  }
-
-  if( CKR_OPERATION_NOT_INITIALIZED != error ) {
-    goto loser;
-  }
-
-  fwFindObjects = nssCKFWSession_FindObjectsInit(fwSession,
-                    pTemplate, ulCount, &error);
-  if( (NSSCKFWFindObjects *)NULL == fwFindObjects ) {
-    goto loser;
-  }
-
-  error = nssCKFWSession_SetFWFindObjects(fwSession, fwFindObjects);
-
-  if( CKR_OK != error ) {
-    nssCKFWFindObjects_Destroy(fwFindObjects);
-    goto loser;
-  }
-
-  return CKR_OK;
-
- loser:
-  switch( error ) {
-  case CKR_SESSION_CLOSED:
-    /* destroy session? */
-    break;
-  case CKR_DEVICE_REMOVED:
-    /* (void)nssCKFWToken_Destroy(fwToken); */
-    break;
-  case CKR_ATTRIBUTE_TYPE_INVALID:
-  case CKR_ATTRIBUTE_VALUE_INVALID:
-  case CKR_CRYPTOKI_NOT_INITIALIZED:
-  case CKR_DEVICE_ERROR:
-  case CKR_DEVICE_MEMORY:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-  case CKR_OPERATION_ACTIVE:
-  case CKR_SESSION_HANDLE_INVALID:
-    break;
-  default:
-  case CKR_OK:
-    error = CKR_GENERAL_ERROR;
-    break;
-  }
-
-  return error;
-}
-
-/*
- * NSSCKFWC_FindObjects
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_FindObjects
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE_PTR phObject,
-  CK_ULONG ulMaxObjectCount,
-  CK_ULONG_PTR pulObjectCount
-)
-{
-  CK_RV error = CKR_OK;
-  NSSCKFWSession *fwSession;
-  NSSCKFWFindObjects *fwFindObjects;
-  CK_ULONG i;
-
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
-    error = CKR_CRYPTOKI_NOT_INITIALIZED;
-    goto loser;
-  }
-  
-  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
-    error = CKR_SESSION_HANDLE_INVALID;
-    goto loser;
-  }
-
-  if( (CK_OBJECT_HANDLE_PTR)CK_NULL_PTR == phObject ) {
-    error = CKR_ARGUMENTS_BAD;
-    goto loser;
-  }
-
-  /*
-   * A purify error here indicates caller error.
-   */
-  (void)nsslibc_memset(phObject, 0, sizeof(CK_OBJECT_HANDLE) * ulMaxObjectCount);
-  *pulObjectCount = (CK_ULONG)0;
-
-  fwFindObjects = nssCKFWSession_GetFWFindObjects(fwSession, &error);
-  if( (NSSCKFWFindObjects *)NULL == fwFindObjects ) {
-    goto loser;
-  }
-
-  for( i = 0; i < ulMaxObjectCount; i++ ) {
-    NSSCKFWObject *fwObject = nssCKFWFindObjects_Next(fwFindObjects,
-                                NULL, &error);
-    if( (NSSCKFWObject *)NULL == fwObject ) {
-      break;
-    }
-
-    phObject[i] = nssCKFWInstance_FindObjectHandle(fwInstance, fwObject);
-    if( (CK_OBJECT_HANDLE)0 == phObject[i] ) {
-      phObject[i] = nssCKFWInstance_CreateObjectHandle(fwInstance, fwObject, &error);
-    }
-    if( (CK_OBJECT_HANDLE)0 == phObject[i] ) {
-      /* This isn't right either, is it? */
-      nssCKFWObject_Destroy(fwObject);
-      goto loser;
-    }
-  }
-
-  *pulObjectCount = i;
-
-  return CKR_OK;
-
- loser:
-  switch( error ) {
-  case CKR_SESSION_CLOSED:
-    /* destroy session? */
-    break;
-  case CKR_DEVICE_REMOVED:
-    /* (void)nssCKFWToken_Destroy(fwToken); */
-    break;
-  case CKR_CRYPTOKI_NOT_INITIALIZED:
-  case CKR_DEVICE_ERROR:
-  case CKR_DEVICE_MEMORY:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-  case CKR_OPERATION_NOT_INITIALIZED:
-  case CKR_SESSION_HANDLE_INVALID:
-    break;
-  default:
-  case CKR_OK:
-    error = CKR_GENERAL_ERROR;
-    break;
-  }
-
-  return error;
-}
-
-/*
- * NSSCKFWC_FindObjectsFinal
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_FindObjectsFinal
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession
-)
-{
-  CK_RV error = CKR_OK;
-  NSSCKFWSession *fwSession;
-  NSSCKFWFindObjects *fwFindObjects;
-  
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
-    error = CKR_CRYPTOKI_NOT_INITIALIZED;
-    goto loser;
-  }
-  
-  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
-    error = CKR_SESSION_HANDLE_INVALID;
-    goto loser;
-  }
-
-  fwFindObjects = nssCKFWSession_GetFWFindObjects(fwSession, &error);
-  if( (NSSCKFWFindObjects *)NULL == fwFindObjects ) {
-    error = CKR_OPERATION_NOT_INITIALIZED;
-    goto loser;
-  }
-
-  nssCKFWFindObjects_Destroy(fwFindObjects);
-  error = nssCKFWSession_SetFWFindObjects(fwSession, (NSSCKFWFindObjects *)NULL);
-
-  if( CKR_OK != error ) {
-    goto loser;
-  }
-
-  return CKR_OK;
-
- loser:
-  switch( error ) {
-  case CKR_SESSION_CLOSED:
-    /* destroy session? */
-    break;
-  case CKR_DEVICE_REMOVED:
-    /* (void)nssCKFWToken_Destroy(fwToken); */
-    break;
-  case CKR_CRYPTOKI_NOT_INITIALIZED:
-  case CKR_DEVICE_ERROR:
-  case CKR_DEVICE_MEMORY:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-  case CKR_OPERATION_NOT_INITIALIZED:
-  case CKR_SESSION_HANDLE_INVALID:
-    break;
-  default:
-  case CKR_OK:
-    error = CKR_GENERAL_ERROR;
-    break;
-  }
-
-  return error;
-}
-
-/*
- * NSSCKFWC_EncryptInit
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_EncryptInit
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hKey
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_Encrypt
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_Encrypt
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pData,
-  CK_ULONG ulDataLen,
-  CK_BYTE_PTR pEncryptedData,
-  CK_ULONG_PTR pulEncryptedDataLen
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_EncryptUpdate
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_EncryptUpdate
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pPart,
-  CK_ULONG ulPartLen,
-  CK_BYTE_PTR pEncryptedPart,
-  CK_ULONG_PTR pulEncryptedPartLen
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_EncryptFinal
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_EncryptFinal
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pLastEncryptedPart,
-  CK_ULONG_PTR pulLastEncryptedPartLen
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_DecryptInit
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_DecryptInit
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hKey
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_Decrypt
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_Decrypt
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pEncryptedData,
-  CK_ULONG ulEncryptedDataLen,
-  CK_BYTE_PTR pData,
-  CK_ULONG_PTR pulDataLen
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_DecryptUpdate
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_DecryptUpdate
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pEncryptedPart,
-  CK_ULONG ulEncryptedPartLen,
-  CK_BYTE_PTR pPart,
-  CK_ULONG_PTR pulPartLen
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_DecryptFinal
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_DecryptFinal
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pLastPart,
-  CK_ULONG_PTR pulLastPartLen
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_DigestInit
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_DigestInit
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_Digest
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_Digest
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pData,
-  CK_ULONG ulDataLen,
-  CK_BYTE_PTR pDigest,
-  CK_ULONG_PTR pulDigestLen
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_DigestUpdate
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_DigestUpdate
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pData,
-  CK_ULONG ulDataLen
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_DigestKey
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_DigestKey
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE hKey
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_DigestFinal
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_DigestFinal
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pDigest,
-  CK_ULONG_PTR pulDigestLen
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_SignInit
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_SignInit
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hKey
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_Sign
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_Sign
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pData,
-  CK_ULONG ulDataLen,
-  CK_BYTE_PTR pSignature,
-  CK_ULONG_PTR pulSignatureLen
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_SignUpdate
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_SignUpdate
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pPart,
-  CK_ULONG ulPartLen
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_SignFinal
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_SignFinal
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pSignature,
-  CK_ULONG_PTR pulSignatureLen
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_SignRecoverInit
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_SignRecoverInit
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hKey
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_SignRecover
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_SignRecover
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pData,
-  CK_ULONG ulDataLen,
-  CK_BYTE_PTR pSignature,
-  CK_ULONG_PTR pulSignatureLen
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_VerifyInit
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_VerifyInit
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hKey
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_Verify
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_Verify
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pData,
-  CK_ULONG ulDataLen,
-  CK_BYTE_PTR pSignature,
-  CK_ULONG ulSignatureLen
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_VerifyUpdate
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_VerifyUpdate
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pPart,
-  CK_ULONG ulPartLen
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_VerifyFinal
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_VerifyFinal
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pSignature,
-  CK_ULONG ulSignatureLen
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_VerifyRecoverInit
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_VerifyRecoverInit
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hKey
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_VerifyRecover
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_VerifyRecover
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pSignature,
-  CK_ULONG ulSignatureLen,
-  CK_BYTE_PTR pData,
-  CK_ULONG_PTR pulDataLen
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_DigestEncryptUpdate
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_DigestEncryptUpdate
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pPart,
-  CK_ULONG ulPartLen,
-  CK_BYTE_PTR pEncryptedPart,
-  CK_ULONG_PTR pulEncryptedPartLen
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_DecryptDigestUpdate
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_DecryptDigestUpdate
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pEncryptedPart,
-  CK_ULONG ulEncryptedPartLen,
-  CK_BYTE_PTR pPart,
-  CK_ULONG_PTR pulPartLen
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_SignEncryptUpdate
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_SignEncryptUpdate
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pPart,
-  CK_ULONG ulPartLen,
-  CK_BYTE_PTR pEncryptedPart,
-  CK_ULONG_PTR pulEncryptedPartLen
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_DecryptVerifyUpdate
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_DecryptVerifyUpdate
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pEncryptedPart,
-  CK_ULONG ulEncryptedPartLen,
-  CK_BYTE_PTR pPart,
-  CK_ULONG_PTR pulPartLen
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_GenerateKey
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_GenerateKey
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulCount,
-  CK_OBJECT_HANDLE_PTR phKey
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_GenerateKeyPair
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_GenerateKeyPair
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_ATTRIBUTE_PTR pPublicKeyTemplate,
-  CK_ULONG ulPublicKeyAttributeCount,
-  CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
-  CK_ULONG ulPrivateKeyAttributeCount,
-  CK_OBJECT_HANDLE_PTR phPublicKey,
-  CK_OBJECT_HANDLE_PTR phPrivateKey
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_WrapKey
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_WrapKey
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hWrappingKey,
-  CK_OBJECT_HANDLE hKey,
-  CK_BYTE_PTR pWrappedKey,
-  CK_ULONG_PTR pulWrappedKeyLen
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_UnwrapKey
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_UnwrapKey
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hUnwrappingKey,
-  CK_BYTE_PTR pWrappedKey,
-  CK_ULONG ulWrappedKeyLen,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_OBJECT_HANDLE_PTR phKey
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_DeriveKey
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_DeriveKey
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR pMechanism,
-  CK_OBJECT_HANDLE hBaseKey,
-  CK_ATTRIBUTE_PTR pTemplate,
-  CK_ULONG ulAttributeCount,
-  CK_OBJECT_HANDLE_PTR phKey
-)
-{
-  return CKR_FUNCTION_FAILED;
-}
-
-/*
- * NSSCKFWC_SeedRandom
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_SeedRandom
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pSeed,
-  CK_ULONG ulSeedLen
-)
-{
-  CK_RV error = CKR_OK;
-  NSSCKFWSession *fwSession;
-  NSSItem seed;
-
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
-    error = CKR_CRYPTOKI_NOT_INITIALIZED;
-    goto loser;
-  }
-
-  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
-    error = CKR_SESSION_HANDLE_INVALID;
-    goto loser;
-  }
-
-  if( (CK_BYTE_PTR)CK_NULL_PTR == pSeed ) {
-    error = CKR_ARGUMENTS_BAD;
-    goto loser;
-  }
-
-  /* We could read through the buffer in a Purify trap */
-
-  seed.size = (PRUint32)ulSeedLen;
-  seed.data = (void *)pSeed;
-
-  error = nssCKFWSession_SeedRandom(fwSession, &seed);
-
-  if( CKR_OK != error ) {
-    goto loser;
-  }
-
-  return CKR_OK;
-
- loser:
-  switch( error ) {
-  case CKR_SESSION_CLOSED:
-    /* destroy session? */
-    break;
-  case CKR_DEVICE_REMOVED:
-    /* (void)nssCKFWToken_Destroy(fwToken); */
-    break;
-  case CKR_CRYPTOKI_NOT_INITIALIZED:
-  case CKR_DEVICE_ERROR:
-  case CKR_DEVICE_MEMORY:
-  case CKR_FUNCTION_CANCELED:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-  case CKR_OPERATION_ACTIVE:
-  case CKR_RANDOM_SEED_NOT_SUPPORTED:
-  case CKR_RANDOM_NO_RNG:
-  case CKR_SESSION_HANDLE_INVALID:
-  case CKR_USER_NOT_LOGGED_IN:
-    break;
-  default:
-  case CKR_OK:
-    error = CKR_GENERAL_ERROR;
-    break;
-  }
-
-  return error;
-}
-
-/*
- * NSSCKFWC_GenerateRandom
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_GenerateRandom
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR pRandomData,
-  CK_ULONG ulRandomLen
-)
-{
-  CK_RV error = CKR_OK;
-  NSSCKFWSession *fwSession;
-  NSSItem buffer;
-
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
-    error = CKR_CRYPTOKI_NOT_INITIALIZED;
-    goto loser;
-  }
-
-  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
-    error = CKR_SESSION_HANDLE_INVALID;
-    goto loser;
-  }
-
-  if( (CK_BYTE_PTR)CK_NULL_PTR == pRandomData ) {
-    error = CKR_ARGUMENTS_BAD;
-    goto loser;
-  }
-
-  /*
-   * A purify error here indicates caller error.
-   */
-  (void)nsslibc_memset(pRandomData, 0, ulRandomLen);
-
-  buffer.size = (PRUint32)ulRandomLen;
-  buffer.data = (void *)pRandomData;
-
-  error = nssCKFWSession_GetRandom(fwSession, &buffer);
-
-  if( CKR_OK != error ) {
-    goto loser;
-  }
-
-  return CKR_OK;
-
- loser:
-  switch( error ) {
-  case CKR_SESSION_CLOSED:
-    /* destroy session? */
-    break;
-  case CKR_DEVICE_REMOVED:
-    /* (void)nssCKFWToken_Destroy(fwToken); */
-    break;
-  case CKR_CRYPTOKI_NOT_INITIALIZED:
-  case CKR_DEVICE_ERROR:
-  case CKR_DEVICE_MEMORY:
-  case CKR_FUNCTION_CANCELED:
-  case CKR_FUNCTION_FAILED:
-  case CKR_GENERAL_ERROR:
-  case CKR_HOST_MEMORY:
-  case CKR_OPERATION_ACTIVE:
-  case CKR_RANDOM_NO_RNG:
-  case CKR_SESSION_HANDLE_INVALID:
-  case CKR_USER_NOT_LOGGED_IN:
-    break;
-  default:
-  case CKR_OK:
-    error = CKR_GENERAL_ERROR;
-    break;
-  }
-
-  return error;
-}
-
-/*
- * NSSCKFWC_GetFunctionStatus
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_GetFunctionStatus
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession
-)
-{
-  return CKR_FUNCTION_NOT_PARALLEL;
-}
-
-/*
- * NSSCKFWC_CancelFunction
- *
- */
-NSS_IMPLEMENT CK_RV
-NSSCKFWC_CancelFunction
-(
-  NSSCKFWInstance *fwInstance,
-  CK_SESSION_HANDLE hSession
-)
-{
-  return CKR_FUNCTION_NOT_PARALLEL;
-}
diff --git a/security/nss/lib/crmf/Makefile b/security/nss/lib/crmf/Makefile
deleted file mode 100644
index 2f09fd1b7..000000000
--- a/security/nss/lib/crmf/Makefile
+++ /dev/null
@@ -1,81 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include config.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-export:: private_export
diff --git a/security/nss/lib/crmf/asn1cmn.c b/security/nss/lib/crmf/asn1cmn.c
deleted file mode 100644
index c93e6ab82..000000000
--- a/security/nss/lib/crmf/asn1cmn.c
+++ /dev/null
@@ -1,253 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "nssrenam.h"
-#include "cmmf.h"
-#include "cmmfi.h"
-
-SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
-SEC_ASN1_MKSUB(SEC_AnyTemplate)
-SEC_ASN1_MKSUB(SEC_IntegerTemplate)
-SEC_ASN1_MKSUB(SEC_SignedCertificateTemplate)
-
-static const SEC_ASN1Template CMMFCertResponseTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CMMFCertResponse)},
-    { SEC_ASN1_INTEGER, offsetof(CMMFCertResponse, certReqId)},
-    { SEC_ASN1_INLINE, offsetof(CMMFCertResponse, status), 
-      CMMFPKIStatusInfoTemplate},
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_POINTER, 
-      offsetof(CMMFCertResponse, certifiedKeyPair),
-      CMMFCertifiedKeyPairTemplate},
-    { 0 }
-};
-
-static const SEC_ASN1Template CMMFCertOrEncCertTemplate[] = {
-    { SEC_ASN1_ANY, offsetof(CMMFCertOrEncCert, derValue), NULL, 
-      sizeof(CMMFCertOrEncCert)},
-    { 0 }
-};
-
-const SEC_ASN1Template CMMFCertifiedKeyPairTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CMMFCertifiedKeyPair)},
-    { SEC_ASN1_INLINE, offsetof(CMMFCertifiedKeyPair, certOrEncCert),
-      CMMFCertOrEncCertTemplate },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 0,
-      offsetof(CMMFCertifiedKeyPair, privateKey),
-      CRMFEncryptedValueTemplate},
-    { SEC_ASN1_NO_STREAM | SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 
-      SEC_ASN1_XTRN | 1,
-      offsetof (CMMFCertifiedKeyPair, derPublicationInfo),
-      SEC_ASN1_SUB(SEC_AnyTemplate) },
-    { 0 }
-};
-
-const SEC_ASN1Template CMMFPKIStatusInfoTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CMMFPKIStatusInfo)},
-    { SEC_ASN1_INTEGER, offsetof(CMMFPKIStatusInfo, status)},
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_UTF8_STRING, 
-      offsetof(CMMFPKIStatusInfo, statusString)},
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_BIT_STRING, 
-      offsetof(CMMFPKIStatusInfo, failInfo)},
-    { 0 }
-};
-
-const SEC_ASN1Template CMMFSequenceOfCertsTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF| SEC_ASN1_XTRN, 0, 
-			SEC_ASN1_SUB(SEC_SignedCertificateTemplate)}
-};
-
-const SEC_ASN1Template CMMFRandTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CMMFRand)},
-    { SEC_ASN1_INTEGER, offsetof(CMMFRand, integer)},
-    { SEC_ASN1_OCTET_STRING, offsetof(CMMFRand, senderHash)},
-    { 0 }
-};
-
-const SEC_ASN1Template CMMFPOPODecKeyRespContentTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN, 
-      offsetof(CMMFPOPODecKeyRespContent, responses),
-      SEC_ASN1_SUB(SEC_IntegerTemplate), 
-      sizeof(CMMFPOPODecKeyRespContent)},
-    { 0 }
-};
-
-const SEC_ASN1Template CMMFCertOrEncCertEncryptedCertTemplate[] = {
-    { SEC_ASN1_CONTEXT_SPECIFIC | 1,
-      0,
-      CRMFEncryptedValueTemplate},
-    { 0 }
-};
-
-const SEC_ASN1Template CMMFCertOrEncCertCertificateTemplate[] = {
-    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
-      0,
-      SEC_ASN1_SUB(SEC_SignedCertificateTemplate)},
-    { 0 }
-};
-
-const SEC_ASN1Template CMMFCertRepContentTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CMMFCertRepContent)},
-    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL |
-      SEC_ASN1_CONTEXT_SPECIFIC | 1,
-      offsetof(CMMFCertRepContent, caPubs),
-      CMMFSequenceOfCertsTemplate },
-    { SEC_ASN1_SEQUENCE_OF, offsetof(CMMFCertRepContent, response),
-      CMMFCertResponseTemplate},
-    { 0 }
-};
-
-static const SEC_ASN1Template CMMFChallengeTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CMMFChallenge)},
-    { SEC_ASN1_POINTER | SEC_ASN1_OPTIONAL | SEC_ASN1_XTRN, 
-      offsetof(CMMFChallenge, owf),
-      SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-    { SEC_ASN1_OCTET_STRING, offsetof(CMMFChallenge, witness) },
-    { SEC_ASN1_ANY, offsetof(CMMFChallenge, senderDER) },
-    { SEC_ASN1_OCTET_STRING, offsetof(CMMFChallenge, key) },
-    { SEC_ASN1_OCTET_STRING, offsetof(CMMFChallenge, challenge) },
-    { 0 }
-};
-
-const SEC_ASN1Template CMMFPOPODecKeyChallContentTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF,offsetof(CMMFPOPODecKeyChallContent, challenges),
-      CMMFChallengeTemplate, sizeof(CMMFPOPODecKeyChallContent) },
-    { 0 }
-};
-
-SECStatus
-cmmf_decode_process_cert_response(PRArenaPool      *poolp, 
-				  CERTCertDBHandle *db,
-				  CMMFCertResponse *inCertResp)
-{
-    SECStatus rv = SECSuccess;
-  
-    if (inCertResp->certifiedKeyPair != NULL) {
-        rv = cmmf_decode_process_certified_key_pair(poolp, 
-						    db,
-						inCertResp->certifiedKeyPair);
-    }
-    return rv;
-}
-
-static CERTCertificate*
-cmmf_DecodeDERCertificate(CERTCertDBHandle *db, SECItem *derCert)
-{
-    CERTCertificate *newCert;
-
-    newCert = CERT_NewTempCertificate(db, derCert, NULL, PR_FALSE, PR_TRUE);
-    return newCert;
-}
-
-static CMMFCertOrEncCertChoice
-cmmf_get_certorenccertchoice_from_der(SECItem *der)
-{
-    CMMFCertOrEncCertChoice retChoice; 
-
-    switch(der->data[0] & 0x0f) {
-    case 0:
-        retChoice = cmmfCertificate;
-	break;
-    case 1:
-        retChoice = cmmfEncryptedCert;
-	break;
-    default:
-        retChoice = cmmfNoCertOrEncCert;
-	break;
-    }
-    return retChoice;
-}
-
-static SECStatus
-cmmf_decode_process_certorenccert(PRArenaPool       *poolp,
-				  CERTCertDBHandle  *db,
-				  CMMFCertOrEncCert *inCertOrEncCert)
-{
-    SECStatus rv = SECSuccess;
-
-    inCertOrEncCert->choice = 
-        cmmf_get_certorenccertchoice_from_der(&inCertOrEncCert->derValue);
-
-    switch (inCertOrEncCert->choice) {
-    case cmmfCertificate:
-        {
-	    /* The DER has implicit tagging, so we gotta switch it to 
-	     * un-tagged in order for the ASN1 parser to understand it.
-	     * Saving the bits that were changed.
-	     */ 
-	    inCertOrEncCert->derValue.data[0] = 0x30;
-	    inCertOrEncCert->cert.certificate = 
-	        cmmf_DecodeDERCertificate(db, &inCertOrEncCert->derValue);
-	    if (inCertOrEncCert->cert.certificate == NULL) {
-	        rv = SECFailure;
-	    }
-	
-	}
-	break;
-    case cmmfEncryptedCert:
-	PORT_Assert(poolp);
-	if (!poolp) {
-	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	    rv = SECFailure;
-	    break;
-	}
-        inCertOrEncCert->cert.encryptedCert =
-	    PORT_ArenaZNew(poolp, CRMFEncryptedValue);
-	if (inCertOrEncCert->cert.encryptedCert == NULL) {
-	    rv = SECFailure;
-	    break;
-	}
-	rv = SEC_ASN1Decode(poolp, inCertOrEncCert->cert.encryptedCert, 
-			    CMMFCertOrEncCertEncryptedCertTemplate, 
-			    (const char*)inCertOrEncCert->derValue.data,
-			    inCertOrEncCert->derValue.len);
-	break;
-    default:
-        rv = SECFailure;
-    }
-    return rv;
-}
-
-SECStatus 
-cmmf_decode_process_certified_key_pair(PRArenaPool          *poolp,
-				       CERTCertDBHandle     *db,
-				       CMMFCertifiedKeyPair *inCertKeyPair)
-{
-    return cmmf_decode_process_certorenccert (poolp,
-					      db,
-					      &inCertKeyPair->certOrEncCert);
-}
-
-
diff --git a/security/nss/lib/crmf/challcli.c b/security/nss/lib/crmf/challcli.c
deleted file mode 100644
index 47b390917..000000000
--- a/security/nss/lib/crmf/challcli.c
+++ /dev/null
@@ -1,287 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "cmmf.h"
-#include "cmmfi.h"
-#include "secitem.h"
-#include "pk11func.h"
-#include "secder.h"
-#include "sechash.h"
-
-CMMFPOPODecKeyChallContent*
-CMMF_CreatePOPODecKeyChallContentFromDER(const char *buf, long len)
-{
-    PRArenaPool                *poolp;
-    CMMFPOPODecKeyChallContent *challContent;
-    SECStatus                   rv;
-
-    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
-    if (poolp == NULL) {
-        return NULL;
-    }
-    challContent = PORT_ArenaZNew(poolp, CMMFPOPODecKeyChallContent);
-    if (challContent == NULL) {
-        goto loser;
-    }
-    challContent->poolp = poolp;
-    rv = SEC_ASN1Decode(poolp, challContent, 
-			CMMFPOPODecKeyChallContentTemplate, buf, len);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    if (challContent->challenges) {
-      while (challContent->challenges[challContent->numChallenges] != NULL) {
-	  challContent->numChallenges++;
-      }
-      challContent->numAllocated = challContent->numChallenges;
-    }
-    return challContent;
- loser:
-    if (poolp != NULL) {
-        PORT_FreeArena(poolp, PR_FALSE);
-    }
-    return NULL;
-}
-
-int
-CMMF_POPODecKeyChallContentGetNumChallenges 
-                              (CMMFPOPODecKeyChallContent *inKeyChallCont)
-{
-    PORT_Assert(inKeyChallCont != NULL);
-    if (inKeyChallCont == NULL) {
-        return 0;
-    }
-    return inKeyChallCont->numChallenges;
-}
-
-SECItem* 
-CMMF_POPODecKeyChallContentGetPublicValue
-                                   (CMMFPOPODecKeyChallContent *inKeyChallCont,
-				    int                         inIndex)
-{
-    PORT_Assert(inKeyChallCont != NULL);
-    if (inKeyChallCont == NULL || (inIndex > inKeyChallCont->numChallenges-1)||
-	inIndex < 0) {
-        return NULL;
-    }
-    return SECITEM_DupItem(&inKeyChallCont->challenges[inIndex]->key);
-}
-
-static SECAlgorithmID*
-cmmf_get_owf(CMMFPOPODecKeyChallContent *inChalCont, 
-	     int                         inIndex)
-{
-   int i;
-   
-   for (i=inIndex; i >= 0; i--) {
-       if (inChalCont->challenges[i]->owf != NULL) {
-	   return inChalCont->challenges[i]->owf;
-       }
-   }
-   return NULL;
-}
-
-SECStatus 
-CMMF_POPODecKeyChallContDecryptChallenge(CMMFPOPODecKeyChallContent *inChalCont,
-					 int                         inIndex,
-					 SECKEYPrivateKey           *inPrivKey)
-{
-    CMMFChallenge  *challenge;
-    SECItem        *decryptedRand=NULL;
-    SECAlgorithmID *owf;
-    PK11SlotInfo   *slot;
-    PK11SymKey     *symKey = NULL;
-    SECStatus       rv     = SECFailure;
-    CMMFRand        randStr;
-    SECItem         hashItem;
-    SECOidTag       tag;
-    unsigned char   hash[HASH_LENGTH_MAX]; 
-    PRArenaPool    *poolp  = NULL;
-
-    PORT_Assert(inChalCont != NULL && inPrivKey != NULL);
-    if (inChalCont == NULL || inIndex <0 || inIndex > inChalCont->numChallenges
-	|| inPrivKey == NULL){
-        return SECFailure;
-    }
-    challenge = inChalCont->challenges[inIndex];
-    decryptedRand = PORT_ZNew(SECItem);
-    if (decryptedRand == NULL) {
-        goto loser;
-    }
-    decryptedRand->data = 
-        PORT_NewArray(unsigned char, challenge->challenge.len);
-    if (decryptedRand->data == NULL) {
-        goto loser;
-    }
-    slot = inPrivKey->pkcs11Slot;
-    symKey = PK11_PubUnwrapSymKey(inPrivKey, &challenge->challenge, 
-				  CKM_RSA_PKCS, CKA_VALUE, 0);
-    if (symKey == NULL) {
-      rv = SECFailure;
-      goto loser;
-    }
-    rv = PK11_ExtractKeyValue(symKey);
-    if (rv != SECSuccess) {
-      goto loser;
-    }
-    decryptedRand = PK11_GetKeyData(symKey);
-
-    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
-    if (poolp == NULL) {
-        goto loser;
-    }
-    rv = SEC_ASN1DecodeItem(poolp, &randStr, CMMFRandTemplate,
-			    decryptedRand); 
-    /* The decryptedRand returned points to a member within the symKey 
-     * structure, so we don't want to free it. Let the symKey destruction 
-     * function deal with freeing that memory.
-     */
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    rv = SECFailure; /* Just so that when we do go to loser,
-		      * I won't have to set it again.
-		      */
-    owf = cmmf_get_owf(inChalCont, inIndex);
-    if (owf == NULL) {
-        /* No hashing algorithm came with the challenges.  Can't verify */
-        goto loser;
-    }
-    /* Verify the hashes in the challenge */
-    tag = SECOID_FindOIDTag(&owf->algorithm);
-    hashItem.len = HASH_ResultLenByOidTag(tag);
-    if (!hashItem.len)
-        goto loser;	/* error code has been set */
-
-    rv = PK11_HashBuf(tag, hash, randStr.integer.data, randStr.integer.len);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    hashItem.data = hash;
-    if (SECITEM_CompareItem(&hashItem, &challenge->witness) != SECEqual) {
-        /* The hash for the data we decrypted doesn't match the hash provided
-	 * in the challenge.  Bail out.
-	 */
-        rv = SECFailure;
-	goto loser;
-    }
-    rv = PK11_HashBuf(tag, hash, challenge->senderDER.data, 
-		      challenge->senderDER.len);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    if (SECITEM_CompareItem(&hashItem, &randStr.senderHash) != SECEqual) {
-        /* The hash for the data we decrypted doesn't match the hash provided
-	 * in the challenge.  Bail out.
-	 */
-        rv = SECFailure;
-	goto loser;
-    }
-    /* All of the hashes have verified, so we can now store the integer away.*/
-    rv = SECITEM_CopyItem(inChalCont->poolp, &challenge->randomNumber,
-			  &randStr.integer);
- loser:
-    if (symKey != NULL) {
-        PK11_FreeSymKey(symKey);
-    }
-    if (poolp) {
-    	PORT_FreeArena(poolp, PR_FALSE);
-    }
-    return rv;
-}
-
-SECStatus
-CMMF_POPODecKeyChallContentGetRandomNumber
-                                   (CMMFPOPODecKeyChallContent *inKeyChallCont,
-				    int                          inIndex,
-				    long                        *inDest)
-{
-    CMMFChallenge *challenge;
-    
-    PORT_Assert(inKeyChallCont != NULL);
-    if (inKeyChallCont == NULL || inIndex > 0 || inIndex >= 
-	inKeyChallCont->numChallenges) {
-        return SECFailure;
-    }
-    challenge = inKeyChallCont->challenges[inIndex];
-    if (challenge->randomNumber.data == NULL) {
-        /* There is no random number here, nothing to see. */
-        return SECFailure;
-    }
-    *inDest = DER_GetInteger(&challenge->randomNumber);
-    return (*inDest == -1) ? SECFailure : SECSuccess;
-}
-
-SECStatus 
-CMMF_EncodePOPODecKeyRespContent(long                     *inDecodedRand,
-				 int                       inNumRand,
-				 CRMFEncoderOutputCallback inCallback,
-				 void                     *inArg)
-{
-    PRArenaPool *poolp;
-    CMMFPOPODecKeyRespContent *response;
-    SECItem *currItem;
-    SECStatus rv=SECFailure;
-    int i;
-
-    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
-    if (poolp == NULL) {
-        return SECFailure;
-    }
-    response = PORT_ArenaZNew(poolp, CMMFPOPODecKeyRespContent);
-    if (response == NULL) {
-        goto loser;
-    }
-    response->responses = PORT_ArenaZNewArray(poolp, SECItem*, inNumRand+1);
-    if (response->responses == NULL) {
-        goto loser;
-    }
-    for (i=0; i<inNumRand; i++) {
-        currItem = response->responses[i] = PORT_ArenaZNew(poolp,SECItem);
-	if (currItem == NULL) {
-	    goto loser;
-	}
-	SEC_ASN1EncodeInteger(poolp, currItem,inDecodedRand[i]);
-    }
-    rv = cmmf_user_encode(response, inCallback, inArg,
-			  CMMFPOPODecKeyRespContentTemplate);
- loser:
-    if (poolp != NULL) {
-        PORT_FreeArena(poolp, PR_FALSE);
-    }
-    return rv;
-}
diff --git a/security/nss/lib/crmf/cmmf.h b/security/nss/lib/crmf/cmmf.h
deleted file mode 100644
index fdaa850fc..000000000
--- a/security/nss/lib/crmf/cmmf.h
+++ /dev/null
@@ -1,1122 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef _CMMF_H_
-#define _CMMF_H_
-/*
- * These are the functions exported by the security library for 
- * implementing Certificate Management Message Formats (CMMF).
- *
- * This API is designed against July 1998 CMMF draft.  Please read this
- * draft before trying to use this API in an application that use CMMF.
- */
-#include "seccomon.h"
-#include "cmmft.h"
-#include "crmf.h"
-
-SEC_BEGIN_PROTOS
-
-/******************* Creation Functions *************************/
-
-/*
- * FUNCTION: CMMF_CreateCertRepContent
- * INPUTS:
- *    NONE
- * NOTES:
- *    This function will create an empty CMMFCertRepContent Structure.  
- *    The client of the library must set the CMMFCertResponses.
- *    Call CMMF_CertRepContentSetCertResponse to accomplish this task.
- *    If the client of the library also wants to include the chain of 
- *    CA certs required to make the certificates in CMMFCertResponse valid, 
- *    then the user must also set the caPubs field of CMMFCertRepContent.
- *    Call CMMF_CertRepContentSetCAPubs to accomplish this.  After setting
- *    the desired fields, the user can then call CMMF_EncodeCertRepContent 
- *    to DER-encode the CertRepContent.
- * RETURN:
- *    A pointer to the CMMFCertRepContent.  A NULL return value indicates 
- *    an error in allocating memory or failure to initialize the structure.
- */
-extern CMMFCertRepContent* CMMF_CreateCertRepContent(void);
-
-/*
- * FUNCTION: CMMF_CreateCertRepContentFromDER
- * INPUTS
- *    db
- *        The certificate database where the certificates will be placed.
- *        The certificates will be placed in the temporary database associated
- *        with the handle. 
- *    buf
- *        A buffer to the DER-encoded CMMFCertRepContent
- *    len
- *        The length in bytes of the buffer 'buf'
- * NOTES:
- *    This function passes the buffer to the ASN1 decoder and creates a
- *    CMMFCertRepContent structure.  The user must call 
- *    CMMF_DestroyCertRepContent after the return value is no longer needed.
- *
- * RETURN:
- *    A pointer to the CMMFCertRepContent structure.  A NULL return
- *    value indicates the library was unable to parse the DER.
- */
-extern CMMFCertRepContent* 
-       CMMF_CreateCertRepContentFromDER(CERTCertDBHandle *db, 
-					const char       *buf, 
-					long              len);
-
-/*
- * FUNCTION: CMMF_CreateCertResponse
- * INPUTS:
- *    inCertReqId
- *        The Certificate Request Id this response is for.
- * NOTES:
- *    This creates a CMMFCertResponse.  This response should correspond
- *    to a request that was received via CRMF.  From the CRMF message you
- *    can get the Request Id to pass in as inCertReqId, in essence binding 
- *    a CMRFCertRequest message to the CMMFCertResponse created by this
- *    function.  If no requuest id is associated with the response to create
- *    then the user should pass in -1 for 'inCertReqId'.
- *
- * RETURN:
- *    A pointer to the new CMMFCertResponse corresponding to the request id 
- *    passed in.  A NULL return value indicates an error while trying to 
- *    create the CMMFCertResponse.
- */
-extern CMMFCertResponse* CMMF_CreateCertResponse(long inCertReqId);
-
-/*
- * FUNCTION: CMMF_CreateKeyRecRepContent
- * INPUTS:
- *    NONE
- * NOTES:
- *    This function creates a new empty CMMFKeyRecRepContent structure.
- *    At the very minimum, the user  must call 
- *    CMMF_KeyRecRepContentSetPKIStatusInfoStatus field to have an
- *    encodable structure.  Depending on what the response is, the user may
- *    have to set other fields as well to properly build up the structure so
- *    that it can be encoded.  Refer to the CMMF draft for how to properly
- *    set up a CMMFKeyRecRepContent. This is the structure that an RA returns
- *    to an end entity when doing key recovery.
-
- *    The user must call CMMF_DestroyKeyRecRepContent when the return value
- *    is no longer needed.
- * RETURN:
- *    A pointer to the empty CMMFKeyRecRepContent.  A return value of NULL
- *    indicates an error in allocating memory or initializing the structure.
- */
-extern CMMFKeyRecRepContent *CMMF_CreateKeyRecRepContent(void);
-
-/*
- * FUNCTION: CMMF_CreateKeyRecRepContentFromDER
- * INPUTS:
- *    db
- *        The handle for the certificate database where the decoded 
- *        certificates will be placed.  The decoded certificates will
- *        be placed in the temporary database associated with the 
- *        handle.
- *    buf
- *        A buffer contatining the DER-encoded CMMFKeyRecRepContent
- *    len
- *        The length in bytes of the buffer 'buf'
- * NOTES
- *    This function passes the buffer to the ASN1 decoder and creates a 
- *    CMMFKeyRecRepContent structure.
- *
- * RETURN:
- *    A pointer to the CMMFKeyRecRepContent structure.  A NULL return
- *    value indicates the library was unable to parse the DER.
- */
-extern CMMFKeyRecRepContent* 
-       CMMF_CreateKeyRecRepContentFromDER(CERTCertDBHandle *db,
-					  const char       *buf,
-					  long              len);
-
-/*
- * FUNCTION: CMMF_CreatePOPODecKeyChallContent
- * INPUTS:
- *    NONE
- * NOTES:
- *    This function creates an empty CMMFPOPODecKeyChallContent.  The user
- *    must add the challenges individually specifying the random number to
- *    be used and the public key to be used when creating each individual 
- *    challenge.  User can accomplish this by calling the function 
- *    CMMF_POPODecKeyChallContentSetNextChallenge.
- * RETURN:
- *    A pointer to a CMMFPOPODecKeyChallContent structure.  Ther user can
- *    then call CMMF_EncodePOPODecKeyChallContent passing in the return
- *    value from this function after setting all of the challenges.  A 
- *    return value of NULL indicates an error while creating the 
- *    CMMFPOPODecKeyChallContent structure.
- */
-extern CMMFPOPODecKeyChallContent*
-       CMMF_CreatePOPODecKeyChallContent(void);
-
-/*
- * FUNCTION: CMMF_CreatePOPODecKeyChallContentFromDER
- * INPUTS
- *    buf
- *        A buffer containing the DER-encoded CMMFPOPODecKeyChallContent
- *    len
- *        The length in bytes of the buffer 'buf'
- * NOTES:
- *    This function passes the buffer to the ASN1 decoder and creates a
- *    CMMFPOPODecKeyChallContent structure.  
- *
- * RETURN:
- *    A pointer to the CMMFPOPODecKeyChallContent structure.  A NULL return
- *    value indicates the library was unable to parse the DER.
- */
-extern CMMFPOPODecKeyChallContent*
-       CMMF_CreatePOPODecKeyChallContentFromDER(const char *buf, long len);
-
-/*
- * FUNCTION: CMMF_CreatePOPODecKeyRespContentFromDER
- * INPUTS:
- *    buf
- *        A buffer contatining the DER-encoded CMMFPOPODecKeyRespContent
- *    len
- *        The length in bytes of the buffer 'buf'
- * NOTES
- *    This function passes the buffer to the ASN1 decoder and creates a 
- *    CMMFPOPODecKeyRespContent structure.
- *
- * RETURN:
- *    A pointer to the CMMFPOPODecKeyRespContent structure.  A NULL return
- *    value indicates the library was unable to parse the DER.
- */
-extern CMMFPOPODecKeyRespContent*
-       CMMF_CreatePOPODecKeyRespContentFromDER(const char *buf, long len);
-
-/************************** Set Functions *************************/
-
-/*
- * FUNCTION: CMMF_CertRepContentSetCertResponses
- * INPUTS:
- *    inCertRepContent
- *        The CMMFCertRepContent to operate on.
- *    inCertResponses
- *        An array of pointers to CMMFCertResponse structures to 
- *        add to the CMMFCertRepContent structure.
- *    inNumResponses
- *        The length of the array 'inCertResponses'
- * NOTES:
- *    This function will add the CMMFCertResponse structure to the 
- *    CMMFCertRepContent passed in.  The CMMFCertResponse field of 
- *    CMMFCertRepContent is required, so the client must call this function
- *    before calling CMMF_EncodeCertRepContent.  If the user calls 
- *    CMMF_EncodeCertRepContent before calling this function, 
- *    CMMF_EncodeCertRepContent will fail.
- *
- * RETURN:
- *    SECSuccess if adding the CMMFCertResponses to the CMMFCertRepContent
- *    structure was successful.  Any other return value indicates an error
- *    while trying to add the CMMFCertResponses.
- */
-extern SECStatus 
-      CMMF_CertRepContentSetCertResponses(CMMFCertRepContent *inCertRepContent,
-					  CMMFCertResponse  **inCertResponses,
-					  int                 inNumResponses);
-
-/*
- * FUNCTION: CMMF_CertRepContentSetCAPubs
- * INPUTS:
- *    inCertRepContent
- *        The CMMFCertRepContent to operate on.
- *    inCAPubs
- *        The certificate list which makes up the chain of CA certificates
- *        required to make the issued cert valid.
- * NOTES:
- *    This function will set the the certificates in the CA chain as part
- *    of the CMMFCertRepContent.  This field is an optional member of the 
- *    CMMFCertRepContent structure, so the client is not required to call
- *    this function before calling CMMF_EncodeCertRepContent.
- *
- * RETURN:
- *    SECSuccess if adding the 'inCAPubs' to the CERTRepContent was successful.
- *    Any other return value indicates an error while adding 'inCAPubs' to the 
- *    CMMFCertRepContent structure.
- * 
- */
-extern SECStatus 
-       CMMF_CertRepContentSetCAPubs (CMMFCertRepContent  *inCertRepContent,
-				     CERTCertList        *inCAPubs);
-
-/*
- * FUNCTION: CMMF_CertResponseSetPKIStatusInfoStatus
- * INPUTS:
- *    inCertResp
- *        The CMMFCertResponse to operate on.
- *     inPKIStatus
- *        The value to set for the PKIStatusInfo.status field.
- * NOTES:
- *    This function will set the CertResponse.status.status field of 
- *    the CMMFCertResponse structure.  (View the definition of CertResponse
- *    in the CMMF draft to see exactly which value this talks about.)  This
- *    field is a required member of the structure, so the user must call this
- *    function in order to have a CMMFCertResponse that can be encoded.
- *
- * RETURN:
- *    SECSuccess if setting the field with the passed in value was successful.
- *    Any other return value indicates an error while trying to set the field.
- */
-extern SECStatus 
-     CMMF_CertResponseSetPKIStatusInfoStatus (CMMFCertResponse *inCertResp,
-					      CMMFPKIStatus     inPKIStatus);
-
-/*
- * FUNCTION: CMMF_CertResponseSetCertificate
- * INPUTS:
- *    inCertResp
- *        The CMMFCertResponse to operate on.
- *    inCertificate
- *        The certificate to add to the 
- *        CertResponse.CertifiedKeyPair.certOrEncCert.certificate field.
- * NOTES:
- *    This function will take the certificate and make it a member of the
- *    CMMFCertResponse.  The certificate should be the actual certificate
- *    being issued via the response.
- *
- * RETURN:
- *    SECSuccess if adding the certificate to the response was successful.
- *    Any other return value indicates an error in adding the certificate to
- *    the CertResponse.
- */
-extern SECStatus 
-       CMMF_CertResponseSetCertificate (CMMFCertResponse *inCertResp,
-					CERTCertificate  *inCertificate);
-
-/*
- * FUNCTION: CMMF_KeyRecRepContentSetPKIStatusInfoStatus
- * INPUTS: 
- *    inKeyRecRep
- *        The CMMFKeyRecRepContent to operate on.
- *    inPKIStatus
- *        The value to set the PKIStatusInfo.status field to.
- * NOTES:
- *    This function sets the only required field for the KeyRecRepContent.
- *    In most cases, the user will set this field and other fields of the
- *    structure to properly create the CMMFKeyRecRepContent structure.  
- *    Refer to the CMMF draft to see which fields need to be set in order
- *    to create the desired CMMFKeyRecRepContent.
- * 
- * RETURN:
- *    SECSuccess if setting the PKIStatusInfo.status field was successful.
- *    Any other return value indicates an error in setting the field.
- */
-extern SECStatus 
-CMMF_KeyRecRepContentSetPKIStatusInfoStatus(CMMFKeyRecRepContent *inKeyRecRep,
-					    CMMFPKIStatus         inPKIStatus);
-
-/*
- * FUNCTION: CMMF_KeyRecRepContentSetNewSignCert
- * INPUTS:
- *    inKeyRecRep
- *        The CMMFKeyRecRepContent to operate on.
- *    inNewSignCert
- *        The new signing cert to add to the CMMFKeyRecRepContent structure.
- * NOTES:
- *    This function sets the new signeing cert in the CMMFKeyRecRepContent
- *    structure.
- *
- * RETURN:
- *    SECSuccess if setting the new signing cert was successful.  Any other 
- *    return value indicates an error occurred while trying to add the
- *    new signing certificate.
- */
-extern SECStatus 
-       CMMF_KeyRecRepContentSetNewSignCert(CMMFKeyRecRepContent *inKeyRecRep,
-					   CERTCertificate     *inNewSignCert);
-
-/*
- * FUNCTION: CMMF_KeyRecRepContentSetCACerts
- * INPUTS:
- *    inKeyRecRep
- *        The CMMFKeyRecRepContent to operate on.
- *    inCACerts
- *        The list of CA certificates required to construct a valid 
- *        certificate chain with the certificates that will be returned
- *        to the end user via this KeyRecRepContent.
- * NOTES:
- *    This function sets the caCerts that are required to form a chain with the
- *    end entity certificates that are being re-issued in this 
- *    CMMFKeyRecRepContent structure.
- *
- * RETURN:
- *    SECSuccess if adding the caCerts was successful.  Any other return value
- *    indicates an error while tring to add the caCerts.
- */
-extern SECStatus 
-       CMMF_KeyRecRepContentSetCACerts(CMMFKeyRecRepContent *inKeyRecRep,
-				       CERTCertList         *inCACerts);
-
-/*
- * FUNCTION: CMMF_KeyRecRepContentSetCertifiedKeyPair
- * INPUTS:
- *    inKeyRecRep
- *        The CMMFKeyRecRepContent to operate on.
- *    inCert
- *        The certificate to add to the CMMFKeyRecRepContent structure.
- *    inPrivKey
- *        The private key associated with the certificate above passed in.
- *    inPubKey
- *        The public key to use for wrapping the private key.
- * NOTES:
- *    This function adds another certificate-key pair to the 
- *    CMMFKeyRecRepcontent structure.  There may be more than one 
- *    certificate-key pair in the structure, so the user must call this 
- *    function multiple times to add more than one cert-key pair.
- *
- * RETURN:
- *    SECSuccess if adding the certified key pair was successful.  Any other
- *    return value indicates an error in adding certified key pair to 
- *    CMMFKeyRecRepContent structure.
- */
-extern SECStatus 
-    CMMF_KeyRecRepContentSetCertifiedKeyPair(CMMFKeyRecRepContent *inKeyRecRep,
-					     CERTCertificate      *inCert,
-					     SECKEYPrivateKey     *inPrivKey,
-					     SECKEYPublicKey      *inPubKey);
-
-/*
- * FUNCTION: CMMF_POPODecKeyChallContentSetNextChallenge
- * INPUTS:
- *    inDecKeyChall
- *        The CMMFPOPODecKeyChallContent to operate on.
- *    inRandom
- *        The random number to use when generating the challenge,
- *    inSender
- *        The GeneralName representation of the sender of the challenge.
- *    inPubKey
- *        The public key to use when encrypting the challenge.
- *    passwdArg
- *        This value will be passed to the function used for getting a
- *        password.  The password for getting a password should be registered
- *        by calling PK11_SetPasswordFunc before this function is called. 
- *        If no password callback is registered and the library needs to 
- *        authenticate to the slot for any reason, this function will fail.
- * NOTES:
- *    This function adds a challenge to the end of the list of challenges
- *    contained by 'inDecKeyChall'.  Refer to the CMMF draft on how the
- *    the random number passed in and the sender's GeneralName are used
- *    to generate the challenge and witness fields of the challenge.  This
- *    library will use SHA1 as the one-way function for generating the 
- *    witess field of the challenge.
- *
- * RETURN:
- *    SECSuccess if generating the challenge and adding to the end of list
- *    of challenges was successful.  Any other return value indicates an error
- *    while trying to generate the challenge.
- */
-extern SECStatus
-CMMF_POPODecKeyChallContentSetNextChallenge
-                                   (CMMFPOPODecKeyChallContent *inDecKeyChall,
-				    long                        inRandom,
-				    CERTGeneralName            *inSender,
-				    SECKEYPublicKey            *inPubKey,
-				    void                       *passwdArg);
-
-
-/************************** Encoding Functions *************************/
-
-/*
- * FUNCTION: CMMF_EncodeCertRepContent
- * INPUTS:
- *    inCertRepContent
- *        The CMMFCertRepContent to DER-encode.
- *    inCallback
- *        A callback function that the ASN1 encoder will call whenever it 
- *        wants to write out DER-encoded bytes.  Look at the defintion of 
- *        CRMFEncoderOutputCallback in crmft.h for a description of the
- *        parameters to the function.
- *    inArg
- *        An opaque pointer to a user-supplied argument that will be passed
- *        to the callback funtion whenever the function is called.
- * NOTES:
- *    The CMMF library will use the same DER-encoding scheme as the CRMF 
- *    library.  In other words, when reading CRMF comments that pertain to
- *    encoding, those comments apply to the CMMF libray as well.  
- *    The callback function will be called multiple times, each time supplying
- *    the next chunk of DER-encoded bytes.  The user must concatenate the 
- *    output of each successive call to the callback in order to get the
- *    entire DER-encoded CMMFCertRepContent structure.
- *
- * RETURN:
- *    SECSuccess if encoding the CMMFCertRepContent was successful.  Any 
- *    other return value indicates an error while decoding the structure.
- */
-extern SECStatus 
-       CMMF_EncodeCertRepContent (CMMFCertRepContent        *inCertRepContent,
-				  CRMFEncoderOutputCallback  inCallback,
-				  void                      *inArg);
-
-/*
- * FUNCTION: CMMF_EncodeKeyRecRepContent
- * INPUTS:
- *    inKeyRecRep
- *        The CMMFKeyRepContent to DER-encode.
- *    inCallback
- *        A callback function that the ASN1 encoder will call whenever it 
- *        wants to write out DER-encoded bytes.  Look at the defintion of 
- *        CRMFEncoderOutputCallback in crmft.h for a description of the
- *        parameters to the function.
- *    inArg
- *        An opaque pointer to a user-supplied argument that will be passed
- *        to the callback funtion whenever the function is called.
- * NOTES:
- *    The CMMF library will use the same DER-encoding scheme as the CRMF 
- *    library.  In other words, when reading CRMF comments that pertain to
- *    encoding, those comments apply to the CMMF libray as well.  
- *    The callback function will be called multiple times, each time supplying
- *    the next chunk of DER-encoded bytes.  The user must concatenate the 
- *    output of each successive call to the callback in order to get the
- *    entire DER-encoded CMMFCertRepContent structure.
- *
- * RETURN:
- *    SECSuccess if encoding the CMMFKeyRecRepContent was successful.  Any 
- *    other return value indicates an error while decoding the structure.
- */
-extern SECStatus
-       CMMF_EncodeKeyRecRepContent(CMMFKeyRecRepContent      *inKeyRecRep,
-				   CRMFEncoderOutputCallback  inCallback,
-				   void                      *inArg);
-
-/*
- * FUNCTION: CMMF_EncodePOPODecKeyChallContent
- * INPUTS:
- *    inDecKeyChall
- *        The CMMFDecKeyChallContent to operate on.
- *    inCallback
- *        A callback function that the ASN1 encoder will call whenever it 
- *        wants to write out DER-encoded bytes.  Look at the defintion of 
- *        CRMFEncoderOutputCallback in crmft.h for a description of the
- *        parameters to the function.
- *    inArg
- *        An opaque pointer to a user-supplied argument that will be passed
- *        to the callback function whenever the function is called.
- * NOTES:
- *    The CMMF library will use the same DER-encoding scheme as the CRMF 
- *    library.  In other words, when reading CRMF comments that pertain to
- *    encoding, those comments apply to the CMMF libray as well.  
- *    The callback function will be called multiple times, each time supplying
- *    the next chunk of DER-encoded bytes.  The user must concatenate the 
- *    output of each successive call to the callback in order to get the
- *    entire DER-encoded CMMFCertRepContent structure.
- *    The DER will be an encoding of the type POPODecKeyChallContents, which
- *    is just a sequence of challenges.
- *
- * RETURN:
- *    SECSuccess if encoding was successful.  Any other return value indicates
- *    an error in trying to encode the Challenges.
- */
-extern SECStatus 
-CMMF_EncodePOPODecKeyChallContent(CMMFPOPODecKeyChallContent *inDecKeyChall,
-				  CRMFEncoderOutputCallback inCallback,
-				  void                     *inArg);
-
-/*
- * FUNCTION: CMMF_EncodePOPODecKeyRespContent
- * INPUTS:
- *    inDecodedRand
- *        An array of integers to encode as the responses to 
- *        CMMFPOPODecKeyChallContent.  The integers must be in the same order
- *        as the challenges extracted from CMMFPOPODecKeyChallContent.
- *    inNumRand
- *        The number of random integers contained in the array 'inDecodedRand'
- *    inCallback
- *        A callback function that the ASN1 encoder will call whenever it 
- *        wants to write out DER-encoded bytes.  Look at the defintion of 
- *        CRMFEncoderOutputCallback in crmft.h for a description of the
- *        parameters to the function.
- *    inArg
- *        An opaque pointer to a user-supplied argument that will be passed
- *        to the callback funtion whenever the function is called.
- * NOTES:
- *    The CMMF library will use the same DER-encoding scheme as the CRMF 
- *    library.  In other words, when reading CRMF comments that pertain to
- *    encoding, those comments apply to the CMMF libray as well.  
- *    The callback function will be called multiple times, each time supplying
- *    the next chunk of DER-encoded bytes.  The user must concatenate the 
- *    output of each successive call to the callback in order to get the
- *    entire DER-encoded  POPODecKeyRespContent.
- *
- * RETURN:
- *    SECSuccess if encoding was successful.  Any other return value indicates
- *    an error in trying to encode the Challenges.
- */
-extern SECStatus 
-      CMMF_EncodePOPODecKeyRespContent(long                     *inDecodedRand,
-				       int                       inNumRand,
-				       CRMFEncoderOutputCallback inCallback,
-				       void                     *inArg); 
-
-/***************  Accessor function  ***********************************/
-
-/*
- * FUNCTION: CMMF_CertRepContentGetCAPubs
- * INPUTS:
- *    inCertRepContent
- *        The CMMFCertRepContent to extract the caPubs from.
- * NOTES:
- *    This function will return a copy of the list of certificates that
- *    make up the chain of CA's required to make the cert issued valid.
- *    The user must call CERT_DestroyCertList on the return value when 
- *    done using the return value.  
- *
- *    Only call this function on a CertRepContent that has been decoded.
- *    The client must call CERT_DestroyCertList when the certificate list
- *    is no longer needed. 
- *
- *    The certs in the list will not be in the temporary database.  In order
- *    to make these certificates a part of the permanent CA internal database,
- *    the user must collect the der for all of these certs and call 
- *    CERT_ImportCAChain.  Afterwards the certs will be part of the permanent
- *    database.
- *    
- * RETURN:
- *    A pointer to the CERTCertList representing the CA chain associated 
- *    with the issued cert.  A NULL return value indicates  that no CA Pubs
- *    were available in the CMMFCertRepContent structure. 
- */
-extern CERTCertList* 
-       CMMF_CertRepContentGetCAPubs (CMMFCertRepContent *inCertRepContent);
-
-
-/*
- * FUNCTION: CMMF_CertRepContentGetNumResponses
- * INPUTS:
- *    inCertRepContent
- *        The CMMFCertRepContent to operate on.
- * NOTES:
- *    This function will return the number of CertResponses that are contained
- *    by the CMMFCertRepContent passed in.
- * 
- * RETURN:
- *    The number of CMMFCertResponses contained in the structure passed in.
- */
-extern int 
- CMMF_CertRepContentGetNumResponses (CMMFCertRepContent *inCertRepContent);
-
-/*
- * FUNCTION: CMMF_CertRepContentGetResponseAtIndex
- * INPUTS:
- *    inCertRepContent
- *        The CMMFCertRepContent to operate on.
- *    inIndex
- *        The index of the CMMFCertResponse the user wants a copy of.
- * NOTES:
- *    This funciton creates a copy of the CMMFCertResponse at the index 
- *    corresponding to the parameter 'inIndex'.  Indexing is done like a
- *    traditional C array, ie the valid indexes are (0...numResponses-1).
- *    The user must call CMMF_DestroyCertResponse after the return value is 
- *    no longer needed.
- *
- * RETURN:
- *    A pointer to the CMMFCertResponse at the index corresponding to 
- *    'inIndex'.  A return value of NULL indicates an error in copying 
- *    the CMMFCertResponse.
- */
-extern CMMFCertResponse*
-CMMF_CertRepContentGetResponseAtIndex (CMMFCertRepContent *inCertRepContent,
-				       int                 inIndex);
-
-/*
- * FUNCTION: CMMF_CertResponseGetCertReqId
- * INPUTS:
- *    inCertResp
- *        The CMMFCertResponse to operate on.
- * NOTES:
- *    This function returns the CertResponse.certReqId from the 
- *    CMMFCertResponse structure passed in.  If the return value is -1, that
- *    means there is no associated certificate request with the CertResponse.
- * RETURN:
- *    A long representing the id of the certificate request this 
- *    CMMFCertResponse corresponds to.  A return value of -1 indicates an
- *    error in extracting the value of the integer.
- */
-extern long CMMF_CertResponseGetCertReqId(CMMFCertResponse *inCertResp);
-
-/*
- * FUNCTION: CMMF_CertResponseGetPKIStatusInfoStatus
- * INPUTS:
- *    inCertResp
- *        The CMMFCertResponse to operate on.
- * NOTES:
- *    This function returns the CertResponse.status.status field of the 
- *    CMMFCertResponse structure.
- *
- * RETURN:
- *    The enumerated value corresponding to the PKIStatus defined in the CMMF
- *    draft.  See the CMMF draft for the definition of PKIStatus.  See crmft.h
- *    for the definition of CMMFPKIStatus.
- */
-extern CMMFPKIStatus 
-       CMMF_CertResponseGetPKIStatusInfoStatus(CMMFCertResponse *inCertResp);
-
-/*
- * FUNCTION: CMMF_CertResponseGetCertificate
- * INPUTS:
- *    inCertResp
- *        The Certificate Response to operate on.
- *    inCertdb
- *        This is the certificate database where the function will place the
- *        newly issued certificate.
- * NOTES:
- *    This function retrieves the CertResponse.certifiedKeyPair.certificate
- *    from the CMMFCertResponse.  The user will get a copy of that certificate
- *    so  the user must call CERT_DestroyCertificate when the return value is 
- *    no longer needed.  The certificate returned will be in the temporary 
- *    certificate database.
- *
- * RETURN:
- *    A pointer to a copy of the certificate contained within the 
- *    CMMFCertResponse.  A return value of NULL indicates an error while trying
- *    to make a copy of the certificate.
- */
-extern CERTCertificate*
-       CMMF_CertResponseGetCertificate(CMMFCertResponse *inCertResp,
-                                       CERTCertDBHandle *inCertdb);
-
-/*
- * FUNCTION: CMMF_KeyRecRepContentGetPKIStatusInfoStatus
- * INPUTS:
- *    inKeyRecRep
- *        The CMMFKeyRecRepContent structure to operate on.
- * NOTES:
- *    This function retrieves the KeyRecRepContent.status.status field of 
- *    the CMMFKeyRecRepContent structure.
- * RETURN:
- *    The CMMFPKIStatus corresponding to the value held in the 
- *    CMMFKeyRecRepContent structure.
- */
-extern CMMFPKIStatus 
-CMMF_KeyRecRepContentGetPKIStatusInfoStatus(CMMFKeyRecRepContent *inKeyRecRep);
-
-/*
- * FUNCTION: CMMF_KeyRecRepContentGetNewSignCert
- * INPUTS:
- *    inKeyRecRep
- *        The CMMFKeyRecRepContent to operate on.
- * NOTES:
- *    This function retrieves the KeyRecRepContent.newSignCert field of the
- *    CMMFKeyRecRepContent structure.  The user must call 
- *    CERT_DestroyCertificate when the return value is no longer needed. The
- *    returned certificate will be in the temporary database.  The user 
- *    must then place the certificate permanently in whatever token the
- *    user determines is the proper destination.  A return value of NULL
- *    indicates the newSigCert field was not present.
- */
-extern CERTCertificate*
-       CMMF_KeyRecRepContentGetNewSignCert(CMMFKeyRecRepContent *inKeyRecRep);
-
-/*
- * FUNCTION: CMMF_KeyRecRepContentGetCACerts
- * INPUTS:
- *    inKeyRecRep
- *        The CMMFKeyRecRepContent to operate on.
- * NOTES:
- *    This function returns a CERTCertList which contains all of the 
- *    certficates that are in the sequence KeyRecRepContent.caCerts
- *    User must call CERT_DestroyCertList when the return value is no longer 
- *    needed.  All of these certificates will be placed in the tempoaray
- *    database.
- *
- * RETURN:
- *    A pointer to the list of caCerts contained in the CMMFKeyRecRepContent
- *    structure.  A return value of NULL indicates the library was not able to 
- *    make a copy of the certifcates.  This may be because there are no caCerts
- *    included in the CMMFKeyRecRepContent strucure or an internal error.  Call
- *    CMMF_KeyRecRepContentHasCACerts to find out if there are any caCerts 
- *    included in 'inKeyRecRep'.
- */
-extern CERTCertList*
-       CMMF_KeyRecRepContentGetCACerts(CMMFKeyRecRepContent *inKeyRecRep);
-
-/*
- * FUNCTION: CMMF_KeyRecRepContentGetNumKeyPairs
- * INPUTS:
- *    inKeyRecRep
- *        The CMMFKeyRecRepContent to operate on.
- * RETURN:
- *    This function returns the number of CMMFCertifiedKeyPair structures that
- *    that are stored in the KeyRecRepContent structure.
- */
-extern int 
-       CMMF_KeyRecRepContentGetNumKeyPairs(CMMFKeyRecRepContent *inKeyRecRep);
-
-/*
- * FUNCTION: CMMF_KeyRecRepContentGetCertKeyAtIndex
- * INPUTS:
- *    inKeyRecRepContent
- *        The CMMFKeyRecRepContent to operate on.
- *    inIndex
- *        The index of the desired CMMFCertifiedKeyPair
- * NOTES:
- *    This function retrieves the CMMFCertifiedKeyPair structure at the index
- *    'inIndex'.  Valid indexes are 0...(numKeyPairs-1)  The user must call 
- *    CMMF_DestroyCertifiedKeyPair when the return value is no longer needed.
- *
- * RETURN:
- *    A pointer to the Certified Key Pair at the desired index.  A return value
- *    of NULL indicates an error in extracting the Certified Key Pair at the 
- *    desired index.
- */
-extern CMMFCertifiedKeyPair*
-      CMMF_KeyRecRepContentGetCertKeyAtIndex(CMMFKeyRecRepContent *inKeyRecRep,
-					     int                   inIndex);
-
-/*
- * FUNCTION: CMMF_CertifiedKeyPairGetCertificate
- * INPUTS:
- *    inCertKeyPair
- *        The CMMFCertifiedKeyPair to operate on.
- *    inCertdb
- *        The database handle for the database you want this certificate
- *        to wind up in.
- * NOTES:
- *    This function retrieves the certificate at 
- *    CertifiedKeyPair.certOrEncCert.certificate
- *    The user must call CERT_DestroyCertificate when the return value is no
- *    longer needed.  The user must import this certificate as a token object
- *    onto PKCS#11 slot in order to make it a permanent object.  The returned
- *    certificate will be in the temporary database.
- * 
- * RETURN:
- *    A pointer to the certificate contained within the certified key pair.
- *    A return value of NULL indicates an error in creating the copy of the 
- *    certificate.
- */
-extern CERTCertificate*
-      CMMF_CertifiedKeyPairGetCertificate(CMMFCertifiedKeyPair *inCertKeyPair,
-					  CERTCertDBHandle     *inCertdb);
-
-/*
- * FUNCTION: CMMF_POPODecKeyChallContentGetNumChallenges
- * INPUTS:
- *    inKeyChallCont
- *        The CMMFPOPODecKeyChallContent to operate on.
- * RETURN:
- *    This function returns the number of CMMFChallenges are contained in 
- *    the CMMFPOPODecKeyChallContent structure.
- */
-extern int CMMF_POPODecKeyChallContentGetNumChallenges
-                                  (CMMFPOPODecKeyChallContent *inKeyChallCont);
-
-/*
- * FUNCTION: CMMF_POPODecKeyChallContentGetPublicValue
- * ---------------------------------------------------
- * INPUTS:
- *    inKeyChallCont
- *        The CMMFPOPODecKeyChallContent to operate on.
- *    inIndex
- *        The index of the Challenge within inKeyChallCont to operate on.
- *        Indexes start from 0, ie the Nth Challenge corresponds to index
- *        N-1.
- * NOTES:
- * This function retrieves the public value stored away in the Challenge at
- * index inIndex of inKeyChallCont.
- * RETURN:
- * A pointer to a SECItem containing the public value.  User must call 
- * SECITEM_FreeItem on the return value when the value is no longer necessary.
- * A return value of NULL indicates an error while retrieving the public value.
- */
-extern SECItem* CMMF_POPODecKeyChallContentGetPublicValue
-                                   (CMMFPOPODecKeyChallContent *inKeyChallCont,
-				    int                         inIndex);
-
-
-/*
- * FUNCTION: CMMF_POPODecKeyChallContentGetRandomNumber
- * INPUTS:
- *    inChallContent
- *        The CMMFPOPODecKeyChallContent to operate on.
- *    inIndex
- *        The index of the challenge to look at.  Valid indexes are 0 through
- *        (CMMF_POPODecKeyChallContentGetNumChallenges(inChallContent) - 1).
- *    inDest
- *        A pointer to a user supplied buffer where the library
- *        can place a copy of the random integer contatained in the
- *        challenge.
- * NOTES:
- *    This function returns the value held in the decrypted Rand structure
- *    corresponding to the random integer.  The user must call 
- *    CMMF_POPODecKeyChallContentDecryptChallenge before calling this function.  Call 
- *    CMMF_ChallengeIsDecrypted to find out if the challenge has been 
- *    decrypted.
- *
- * RETURN:
- *    SECSuccess indicates the witness field has been previously decrypted
- *    and the value for the random integer was successfully placed at *inDest.
- *    Any other return value indicates an error and that the value at *inDest
- *    is not a valid value.
- */
-extern SECStatus CMMF_POPODecKeyChallContentGetRandomNumber
-                                      (CMMFPOPODecKeyChallContent *inKeyChallCont,
-				       int                          inIndex,
-				       long                        *inDest);
-
-/*
- * FUNCTION: CMMF_POPODecKeyRespContentGetNumResponses
- * INPUTS:
- *    inRespCont
- *        The POPODecKeyRespContent to operate on.
- * RETURN:
- * This function returns the number of responses contained in inRespContent.
- */
-extern int 
- CMMF_POPODecKeyRespContentGetNumResponses(CMMFPOPODecKeyRespContent *inRespCont);
-
-/*
- * FUNCTION: CMMF_POPODecKeyRespContentGetResponse
- * INPUTS:
- *    inRespCont
- *        The POPODecKeyRespContent to operate on.
- *    inIndex
- *        The index of the response to retrieve.
- *        The Nth response is at index N-1, ie the 1st response is at index 0,
- *        the 2nd response is at index 1, and so on.
- *    inDest
- *        A pointer to a pre-allocated buffer where the library can put the 
- *        value of the response located at inIndex.
- * NOTES:
- * The function returns the response contained at index inIndex.  
- * CMMFPOPODecKeyRespContent is a structure that the server will generally 
- * get in response to a CMMFPOPODecKeyChallContent.  The server will expect
- * to see the responses in the same order as it constructed them in 
- * the CMMFPOPODecKeyChallContent structure.
- * RETURN:
- * SECSuccess if getting the response at the desired index was successful.  Any
- * other return value indicates an errror.
- */
-extern SECStatus
-     CMMF_POPODecKeyRespContentGetResponse (CMMFPOPODecKeyRespContent *inRespCont,
-					    int                        inIndex,
-					    long                      *inDest);
-
-/************************* Destructor Functions ******************************/
-
-/*
- * FUNCTION: CMMF_DestroyCertResponse
- * INPUTS:
- *    inCertResp
- *        The CMMFCertResponse to destroy.
- * NOTES:
- *    This function frees all the memory associated with the CMMFCertResponse
- *    passed in.
- * RETURN:
- *    SECSuccess if freeing the memory was successful.  Any other return value
- *    indicates an error while freeing the memory.
- */
-extern SECStatus CMMF_DestroyCertResponse(CMMFCertResponse *inCertResp);
-
-/*
- * FUNCTION: CMMF_DestroyCertRepContent
- * INPUTS:
- *    inCertRepContent
- *        The CMMFCertRepContent to destroy
- * NOTES:
- *    This function frees the memory associated with the CMMFCertRepContent
- *    passed in.
- * RETURN:
- *    SECSuccess if freeing all the memory associated with the 
- *    CMMFCertRepContent passed in is successful.  Any other return value 
- *    indicates an error while freeing the memory.
- */
-extern SECStatus 
-       CMMF_DestroyCertRepContent (CMMFCertRepContent *inCertRepContent);
-
-/*
- * FUNCTION: CMMF_DestroyKeyRecRepContent
- * INPUTS:
- *    inKeyRecRep
- *        The CMMFKeyRecRepContent to destroy.
- * NOTES:
- *    This function destroys all the memory associated with the 
- *    CMMFKeyRecRepContent passed in.
- *
- * RETURN:
- *    SECSuccess if freeing all the memory is successful.  Any other return 
- *    value indicates an error in freeing the memory.
- */
-extern SECStatus 
-       CMMF_DestroyKeyRecRepContent(CMMFKeyRecRepContent *inKeyRecRep);
-
-/*
- * FUNCTION: CMMF_DestroyCertifiedKeyPair
- * INPUTS:
- *    inCertKeyPair
- *        The CMMFCertifiedKeyPair to operate on.
- * NOTES: 
- *    This function frees up all the memory associated with 'inCertKeyPair'
- *
- * RETURN:
- *    SECSuccess if freeing all the memory associated with 'inCertKeyPair'
- *    is successful.  Any other return value indicates an error while trying
- *    to free the memory.
- */
-extern SECStatus 
-       CMMF_DestroyCertifiedKeyPair(CMMFCertifiedKeyPair *inCertKeyPair);
-
-/*
- * FUNCTION: CMMF_DestroyPOPODecKeyRespContent
- * INPUTS:
- *    inDecKeyResp
- *        The CMMFPOPODecKeyRespContent structure to free.
- * NOTES:
- *    This function frees up all the memory associate with the 
- *    CMMFPOPODecKeyRespContent.
- *
- * RETURN:
- *    SECSuccess if freeing up all the memory associated with the
- *    CMMFPOPODecKeyRespContent structure is successful.  Any other
- *    return value indicates an error while freeing the memory.
- */
-extern SECStatus
-       CMMF_DestroyPOPODecKeyRespContent(CMMFPOPODecKeyRespContent *inDecKeyResp);
-
-
-/************************** Miscellaneous Functions *************************/
- 
-/*
- * FUNCTION: CMMF_CertifiedKeyPairUnwrapPrivKey
- * INPUTS:
- *    inCertKeyPair
- *        The CMMFCertifiedKeyPair to operate on.
- *    inPrivKey
- *        The private key to use to un-wrap the private key
- *    inNickName
- *        This is the nickname that will be associated with the private key
- *        to be unwrapped.
- *    inSlot
- *        The PKCS11 slot where the unwrapped private key should end up.
- *    inCertdb
- *        The Certificate database with which the new key will be associated.
- *    destPrivKey
- *        A pointer to memory where the library can place a pointer to the
- *        private key after importing the key onto the specified slot.
- *    wincx
- *        An opaque pointer that the library will use in a callback function
- *        to get the password if necessary.
- *    
- * NOTES:
- *    This function uses the private key passed in to unwrap the private key
- *    contained within the CMMFCertifiedKeyPair structure. After this 
- *    function successfully returns, the private key has been unwrapped and
- *    placed in the specified slot. 
- *
- * RETURN:
- *    SECSuccess if unwrapping the private key was successful.  Any other 
- *    return value indicates an error while trying to un-wrap the private key.
- */
-extern SECStatus 
-       CMMF_CertifiedKeyPairUnwrapPrivKey(CMMFCertifiedKeyPair *inKeyPair,
-					  SECKEYPrivateKey     *inPrivKey,
-					  SECItem              *inNickName,
-					  PK11SlotInfo         *inSlot,
-                                          CERTCertDBHandle     *inCertdb,
-					  SECKEYPrivateKey    **destPrivKey,
-					  void                 *wincx);
-
-/*
- * FUNCTION: CMMF_KeyRecRepContentHasCACerts
- * INPUTS:
- *    inKeyRecRecp
- *        The CMMFKeyRecRepContent to operate on.
- * RETURN:
- *    This function returns PR_TRUE if there are one or more certificates in 
- *    the sequence KeyRecRepContent.caCerts within the CMMFKeyRecRepContent
- *    structure.  The function will return PR_FALSE if there are 0 certificate
- *    in the above mentioned sequence.
- */
-extern PRBool 
-       CMMF_KeyRecRepContentHasCACerts(CMMFKeyRecRepContent *inKeyRecRep);
-
-/*
- * FUNCTION: CMMF_POPODecKeyChallContDecryptChallenge
- * INPUTS:
- *    inChalCont
- *        The CMMFPOPODecKeyChallContent to operate on.
- *    inIndex
- *        The index of the Challenge to operate on.  The 1st Challenge is
- *        at index 0, the second at index 1 and so forth.
- *    inPrivKey
- *        The private key to use to decrypt the witness field.
- * NOTES:
- *    This function uses the private key to decrypt the challenge field
- *    contained in the appropriate challenge.  Make sure the private key matches 
- *    the public key that was used to encrypt the witness.  Use 
- *    CMMF_POPODecKeyChallContentGetPublicValue to get the public value of
- *    the key used to encrypt the witness and then use that to determine the
- *    appropriate private key.  This can be done by calling PK11_MakeIDFromPubKey
- *    and then passing that return value to PK11_FindKeyByKeyID.  The creator of 
- *    the challenge will most likely be an RA that has the public key
- *    from a Cert request.  So the private key should be the private key
- *    associated with public key in that request.  This function will also
- *    verify the witness field of the challenge.  This function also verifies
- *    that the sender and witness hashes match within the challenge.
- *
- * RETURN:
- *    SECSuccess if decrypting the witness field was successful.  This does
- *    not indicate that the decrypted data is valid, since the private key 
- *    passed in may not be the actual key needed to properly decrypt the 
- *    witness field.  Meaning that there is a decrypted structure now, but
- *    may be garbage because the private key was incorrect.
- *    Any other return value indicates the function could not complete the
- *    decryption process.
- */
-extern SECStatus 
-  CMMF_POPODecKeyChallContDecryptChallenge(CMMFPOPODecKeyChallContent *inChalCont,
-					   int                         inIndex,
-					   SECKEYPrivateKey           *inPrivKey);
-
-/*
- * FUNCTION: CMMF_DestroyPOPODecKeyChallContent
- * INPUTS:
- *    inDecKeyCont
- *        The CMMFPOPODecKeyChallContent to free
- * NOTES:
- *    This function frees up all the memory associated with the 
- *    CMMFPOPODecKeyChallContent 
- * RETURN:
- *    SECSuccess if freeing up all the memory associatd with the 
- *    CMMFPOPODecKeyChallContent is successful.  Any other return value
- *    indicates an error while freeing the memory.
- *
- */
-extern SECStatus 
- CMMF_DestroyPOPODecKeyChallContent (CMMFPOPODecKeyChallContent *inDecKeyCont);
-
-SEC_END_PROTOS
-#endif /* _CMMF_H_ */
diff --git a/security/nss/lib/crmf/cmmfasn1.c b/security/nss/lib/crmf/cmmfasn1.c
deleted file mode 100644
index 8f080f08c..000000000
--- a/security/nss/lib/crmf/cmmfasn1.c
+++ /dev/null
@@ -1,164 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "cmmf.h"
-#include "cmmfi.h"
-#include "secasn1.h"
-#include "secitem.h"
-
-SEC_ASN1_MKSUB(SEC_SignedCertificateTemplate)
-
-static const SEC_ASN1Template CMMFSequenceOfCertifiedKeyPairsTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF, 0, CMMFCertifiedKeyPairTemplate}
-};
-
-static const SEC_ASN1Template CMMFKeyRecRepContentTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CMMFKeyRecRepContent)},
-    { SEC_ASN1_INLINE, offsetof(CMMFKeyRecRepContent, status), 
-      CMMFPKIStatusInfoTemplate},
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 
-		SEC_ASN1_XTRN | 0,
-      offsetof(CMMFKeyRecRepContent, newSigCert),
-      SEC_ASN1_SUB(SEC_SignedCertificateTemplate)},
-    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 1,
-      offsetof(CMMFKeyRecRepContent, caCerts),
-      CMMFSequenceOfCertsTemplate},
-    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 2,
-      offsetof(CMMFKeyRecRepContent, keyPairHist),
-      CMMFSequenceOfCertifiedKeyPairsTemplate},
-    { 0 }
-};
-
-SECStatus
-CMMF_EncodeCertRepContent (CMMFCertRepContent        *inCertRepContent,
-			   CRMFEncoderOutputCallback  inCallback,
-			   void                      *inArg)
-{
-    return cmmf_user_encode(inCertRepContent, inCallback, inArg,
-			    CMMFCertRepContentTemplate);
-}
-
-SECStatus
-CMMF_EncodePOPODecKeyChallContent(CMMFPOPODecKeyChallContent *inDecKeyChall,
-				  CRMFEncoderOutputCallback inCallback,
-				  void                     *inArg)
-{
-    return cmmf_user_encode(inDecKeyChall, inCallback, inArg,
-			    CMMFPOPODecKeyChallContentTemplate);
-}
-
-CMMFPOPODecKeyRespContent*
-CMMF_CreatePOPODecKeyRespContentFromDER(const char *buf, long len)
-{
-    PRArenaPool               *poolp;
-    CMMFPOPODecKeyRespContent *decKeyResp;
-    SECStatus                  rv;
-
-    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
-    if (poolp == NULL) {
-        return NULL;
-    }
-    decKeyResp = PORT_ArenaZNew(poolp, CMMFPOPODecKeyRespContent);
-    if (decKeyResp == NULL) {
-        goto loser;
-    }
-    decKeyResp->poolp = poolp;
-    rv = SEC_ASN1Decode(poolp, decKeyResp, CMMFPOPODecKeyRespContentTemplate,
-			buf, len);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    return decKeyResp;
-    
- loser:
-    if (poolp != NULL) {
-        PORT_FreeArena(poolp, PR_FALSE);
-    }
-    return NULL;
-}
-
-SECStatus
-CMMF_EncodeKeyRecRepContent(CMMFKeyRecRepContent      *inKeyRecRep,
-			    CRMFEncoderOutputCallback  inCallback,
-			    void                      *inArg)
-{
-    return cmmf_user_encode(inKeyRecRep, inCallback, inArg,
-			    CMMFKeyRecRepContentTemplate);
-}
-
-CMMFKeyRecRepContent* 
-CMMF_CreateKeyRecRepContentFromDER(CERTCertDBHandle *db, const char *buf, 
-				   long len)
-{
-    PRArenaPool          *poolp;
-    CMMFKeyRecRepContent *keyRecContent;
-    SECStatus             rv;
-
-    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
-    if (poolp == NULL) {
-        return NULL;
-    }
-    keyRecContent = PORT_ArenaZNew(poolp, CMMFKeyRecRepContent);
-    if (keyRecContent == NULL) {
-        goto loser;
-    }
-    keyRecContent->poolp = poolp;
-    rv = SEC_ASN1Decode(poolp, keyRecContent, CMMFKeyRecRepContentTemplate,
-			buf, len);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    if (keyRecContent->keyPairHist != NULL) {
-        while(keyRecContent->keyPairHist[keyRecContent->numKeyPairs] != NULL) {
-	    rv = cmmf_decode_process_certified_key_pair(poolp, db,
-		       keyRecContent->keyPairHist[keyRecContent->numKeyPairs]);
-	    if (rv != SECSuccess) {
-	        goto loser;
-	    }
-	    keyRecContent->numKeyPairs++;
-	}
-	keyRecContent->allocKeyPairs = keyRecContent->numKeyPairs;
-    }
-    keyRecContent->isDecoded = PR_TRUE;
-    return keyRecContent;
- loser:
-    if (poolp != NULL) {
-        PORT_FreeArena(poolp, PR_FALSE);
-    }
-    return NULL;
-}
-
diff --git a/security/nss/lib/crmf/cmmfchal.c b/security/nss/lib/crmf/cmmfchal.c
deleted file mode 100644
index 022b61d2e..000000000
--- a/security/nss/lib/crmf/cmmfchal.c
+++ /dev/null
@@ -1,322 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "cmmf.h"
-#include "cmmfi.h"
-#include "sechash.h"
-#include "genname.h"
-#include "pk11func.h"
-#include "cert.h"
-#include "secitem.h"
-#include "secmod.h"
-#include "keyhi.h"
-
-static int
-cmmf_create_witness_and_challenge(PRArenaPool     *poolp,
-				  CMMFChallenge   *challenge,
-				  long             inRandom,
-				  SECItem         *senderDER,
-				  SECKEYPublicKey *inPubKey,
-				  void            *passwdArg)
-{
-    SECItem       *encodedRandNum;
-    SECItem        encodedRandStr = {siBuffer, NULL, 0};
-    SECItem       *dummy;
-    unsigned char *randHash, *senderHash, *encChal=NULL;
-    unsigned       modulusLen = 0;
-    SECStatus      rv = SECFailure;
-    CMMFRand       randStr= { {siBuffer, NULL, 0}, {siBuffer, NULL, 0}};
-    PK11SlotInfo  *slot;
-    PK11SymKey    *symKey = NULL;
-    CK_OBJECT_HANDLE id;
-    CERTSubjectPublicKeyInfo *spki = NULL;
-
-    
-    encodedRandNum = SEC_ASN1EncodeInteger(poolp, &challenge->randomNumber,
-					   inRandom);
-    encodedRandNum = &challenge->randomNumber;
-    randHash   = PORT_ArenaNewArray(poolp, unsigned char, SHA1_LENGTH);
-    senderHash = PORT_ArenaNewArray(poolp, unsigned char, SHA1_LENGTH);
-    if (randHash == NULL) {
-        goto loser;
-    }
-    rv = PK11_HashBuf(SEC_OID_SHA1, randHash, encodedRandNum->data, 
-		      (uint32)encodedRandNum->len);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    rv = PK11_HashBuf(SEC_OID_SHA1, senderHash, senderDER->data,
-		      (uint32)senderDER->len);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    challenge->witness.data = randHash;
-    challenge->witness.len  = SHA1_LENGTH;
-
-    randStr.integer    = *encodedRandNum;
-    randStr.senderHash.data = senderHash;
-    randStr.senderHash.len  = SHA1_LENGTH;
-    dummy = SEC_ASN1EncodeItem(NULL, &encodedRandStr, &randStr, 
-			       CMMFRandTemplate);
-    if (dummy != &encodedRandStr) {
-        rv = SECFailure;
-        goto loser;
-    }
-    /* XXXX Now I have to encrypt encodedRandStr and stash it away. */
-    modulusLen = SECKEY_PublicKeyStrength(inPubKey);
-    encChal = PORT_ArenaNewArray(poolp, unsigned char, modulusLen);
-    if (encChal == NULL) {
-        rv = SECFailure;
-        goto loser;
-    }
-    slot =PK11_GetBestSlot(CKM_RSA_PKCS, passwdArg);
-    if (slot == NULL) {
-        rv = SECFailure;
-        goto loser;
-    }
-    id = PK11_ImportPublicKey(slot, inPubKey, PR_FALSE);
-    /* In order to properly encrypt the data, we import as a symmetric
-     * key, and then wrap that key.  That in essence encrypts the data.
-     * This is the method recommended in the PK11 world in order
-     * to prevent threading issues as well as breaking any other semantics
-     * the PK11 libraries depend on.
-     */
-    symKey = PK11_ImportSymKey(slot, CKM_RSA_PKCS, PK11_OriginGenerated,
-			       CKA_VALUE, &encodedRandStr, passwdArg);
-    if (symKey == NULL) {
-        rv = SECFailure;
-	goto loser;
-    }
-    challenge->challenge.data = encChal;
-    challenge->challenge.len  = modulusLen;
-    rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, inPubKey, symKey, 
-			    &challenge->challenge);
-    PK11_FreeSlot(slot);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-    rv = SECITEM_CopyItem(poolp, &challenge->senderDER, senderDER);
-    crmf_get_public_value(inPubKey, &challenge->key);
-    /* Fall through */
- loser:
-    if (spki != NULL) {
-        SECKEY_DestroySubjectPublicKeyInfo(spki);
-    }
-    if (encodedRandStr.data != NULL) {
-        PORT_Free(encodedRandStr.data);
-    }
-    if (encodedRandNum != NULL) {
-        SECITEM_FreeItem(encodedRandNum, PR_TRUE);
-    }
-    if (symKey != NULL) {
-        PK11_FreeSymKey(symKey);
-    }
-    return rv;
-}
-
-static SECStatus
-cmmf_create_first_challenge(CMMFPOPODecKeyChallContent *challContent, 
-			    long                        inRandom, 
-			    SECItem                    *senderDER, 
-			    SECKEYPublicKey            *inPubKey,
-			    void                       *passwdArg)
-{
-    SECOidData     *oidData;
-    CMMFChallenge  *challenge;
-    SECAlgorithmID *algId;
-    PRArenaPool    *poolp;
-    SECStatus       rv;
-
-    oidData = SECOID_FindOIDByTag(SEC_OID_SHA1);
-    if (oidData == NULL) {
-        return SECFailure;
-    }
-    poolp = challContent->poolp;
-    challenge = PORT_ArenaZNew(poolp, CMMFChallenge);
-    if (challenge == NULL) {
-        return SECFailure;
-    }
-    algId = challenge->owf = PORT_ArenaZNew(poolp, SECAlgorithmID);
-    if (algId == NULL) {
-        return SECFailure;
-    }
-    rv = SECITEM_CopyItem(poolp, &algId->algorithm, &oidData->oid);
-    if (rv != SECSuccess) {
-        return SECFailure;
-    }
-    rv = cmmf_create_witness_and_challenge(poolp, challenge, inRandom, 
-					   senderDER, inPubKey, passwdArg);
-    challContent->challenges[0] = (rv == SECSuccess) ? challenge : NULL;
-    challContent->numChallenges++;
-    return rv ;
-}
-
-CMMFPOPODecKeyChallContent*
-CMMF_CreatePOPODecKeyChallContent (void)
-{
-    PRArenaPool *poolp;
-    CMMFPOPODecKeyChallContent *challContent;
-
-    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
-    if (poolp == NULL) {
-        return NULL;
-    }
-    challContent = PORT_ArenaZNew(poolp, CMMFPOPODecKeyChallContent);
-    if (challContent == NULL) {
-        PORT_FreeArena(poolp, PR_FALSE);
-	return NULL;
-    }
-    challContent->poolp = poolp;
-    return challContent;
-}
-
-SECStatus
-CMMF_POPODecKeyChallContentSetNextChallenge
-                                    (CMMFPOPODecKeyChallContent *inDecKeyChall,
-				     long                        inRandom,
-				     CERTGeneralName            *inSender,
-				     SECKEYPublicKey            *inPubKey,
-				     void                       *passwdArg)
-{
-    CMMFChallenge               *curChallenge;
-    PRArenaPool                 *genNamePool = NULL, *poolp;
-    SECStatus                    rv;
-    SECItem                     *genNameDER;
-    void                        *mark;
-
-    PORT_Assert (inDecKeyChall != NULL &&
-		 inSender      != NULL &&
-		 inPubKey      != NULL);
-
-    if (inDecKeyChall == NULL || 
-	inSender      == NULL || inPubKey == NULL) {
-        return SECFailure;
-    }
-    poolp = inDecKeyChall->poolp;
-    mark = PORT_ArenaMark(poolp);
-
-    genNamePool = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
-    genNameDER = CERT_EncodeGeneralName(inSender, NULL, genNamePool);
-    if (genNameDER == NULL) {
-        rv = SECFailure;
-        goto loser;
-    }
-    if (inDecKeyChall->challenges == NULL) {
-        inDecKeyChall->challenges =
-	    PORT_ArenaZNewArray(poolp, CMMFChallenge*,(CMMF_MAX_CHALLENGES+1));
-	inDecKeyChall->numAllocated = CMMF_MAX_CHALLENGES;
-    }
-
-    if (inDecKeyChall->numChallenges >= inDecKeyChall->numAllocated) {
-        rv = SECFailure;
-        goto loser;
-    }
-
-    if (inDecKeyChall->numChallenges == 0) {
-        rv = cmmf_create_first_challenge(inDecKeyChall, inRandom, 
-					 genNameDER, inPubKey, passwdArg);
-    } else {
-        curChallenge = PORT_ArenaZNew(poolp, CMMFChallenge);
-	if (curChallenge == NULL) {
-	    rv = SECFailure;
-	    goto loser;
-	}
-	rv = cmmf_create_witness_and_challenge(poolp, curChallenge, inRandom, 
-					       genNameDER, inPubKey, 
-					       passwdArg);
-	if (rv == SECSuccess) {
-	    inDecKeyChall->challenges[inDecKeyChall->numChallenges] =
-	        curChallenge;
-	    inDecKeyChall->numChallenges++;
-	}
-    }
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    PORT_ArenaUnmark(poolp, mark);
-    PORT_FreeArena(genNamePool, PR_FALSE);
-    return SECSuccess;
-
- loser:
-    PORT_ArenaRelease(poolp, mark);
-    if (genNamePool != NULL) {
-        PORT_FreeArena(genNamePool, PR_FALSE);
-    }
-    PORT_Assert(rv != SECSuccess);
-    return rv;
-}
-
-SECStatus
-CMMF_DestroyPOPODecKeyRespContent(CMMFPOPODecKeyRespContent *inDecKeyResp)
-{
-    PORT_Assert(inDecKeyResp != NULL);
-    if (inDecKeyResp != NULL && inDecKeyResp->poolp != NULL) {
-        PORT_FreeArena(inDecKeyResp->poolp, PR_FALSE);
-    }
-    return SECSuccess;
-}
-
-int 
-CMMF_POPODecKeyRespContentGetNumResponses(CMMFPOPODecKeyRespContent *inRespCont)
-{
-    int numResponses = 0;
-
-    PORT_Assert(inRespCont != NULL);
-    if (inRespCont == NULL) {
-        return 0;
-    }
-
-    while (inRespCont->responses[numResponses] != NULL) {
-        numResponses ++;
-    }
-    return numResponses;
-}
-
-SECStatus
-CMMF_POPODecKeyRespContentGetResponse (CMMFPOPODecKeyRespContent *inRespCont,
-				       int                        inIndex,
-				       long                      *inDest)
-{
-    PORT_Assert(inRespCont != NULL);
-    
-    if (inRespCont == NULL || inIndex < 0 || 
-	inIndex >= CMMF_POPODecKeyRespContentGetNumResponses(inRespCont)) {
-        return SECFailure;
-    }
-    *inDest = DER_GetInteger(inRespCont->responses[inIndex]);
-    return (*inDest == -1) ? SECFailure : SECSuccess;
-}
diff --git a/security/nss/lib/crmf/cmmfi.h b/security/nss/lib/crmf/cmmfi.h
deleted file mode 100644
index 2677c8e56..000000000
--- a/security/nss/lib/crmf/cmmfi.h
+++ /dev/null
@@ -1,130 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * These are the definitions needed by the library internally to implement
- * CMMF.  Most of these will be helper utilities for manipulating internal
- * data strucures.
- */
-#ifndef _CMMFI_H_
-#define _CMMFI_H_
-#include "cmmfit.h"
-#include "crmfi.h"
-
-#define CMMF_MAX_CHALLENGES 10
-#define CMMF_MAX_KEY_PAIRS  50
-
-/*
- * Some templates that the code will need to implement CMMF.
- */
-extern const SEC_ASN1Template CMMFCertOrEncCertCertificateTemplate[];
-extern const SEC_ASN1Template CMMFCertOrEncCertEncryptedCertTemplate[];
-extern const SEC_ASN1Template CMMFPOPODecKeyRespContentTemplate[];
-extern const SEC_ASN1Template CMMFRandTemplate[];
-extern const SEC_ASN1Template CMMFSequenceOfCertsTemplate[];
-extern const SEC_ASN1Template CMMFPKIStatusInfoTemplate[];
-extern const SEC_ASN1Template CMMFCertifiedKeyPairTemplate[];
-
-
-/*
- * Some utility functions that are shared by multiple files in this 
- * implementation.
- */
-
-extern SECStatus cmmf_CopyCertResponse (PRArenaPool      *poolp, 
-					CMMFCertResponse *dest, 
-					CMMFCertResponse *src);
-
-extern SECStatus cmmf_CopyPKIStatusInfo (PRArenaPool       *poolp, 
-					 CMMFPKIStatusInfo *dest,
-					 CMMFPKIStatusInfo *src);
-
-extern SECStatus cmmf_CopyCertifiedKeyPair(PRArenaPool          *poolp, 
-					   CMMFCertifiedKeyPair *dest,
-					   CMMFCertifiedKeyPair *src);
-
-extern SECStatus cmmf_DestroyPKIStatusInfo(CMMFPKIStatusInfo *info, 
-					   PRBool freeit);
-
-extern SECStatus cmmf_DestroyCertOrEncCert(CMMFCertOrEncCert *certOrEncCert, 
-					   PRBool freeit);
-
-extern SECStatus cmmf_PKIStatusInfoSetStatus(CMMFPKIStatusInfo    *statusInfo,
-					     PRArenaPool          *poolp,
-					     CMMFPKIStatus         inStatus);
-
-extern SECStatus cmmf_ExtractCertsFromList(CERTCertList      *inCertList,
-					   PRArenaPool       *poolp,
-					   CERTCertificate ***certArray);
-
-extern SECStatus 
-       cmmf_CertOrEncCertSetCertificate(CMMFCertOrEncCert *certOrEncCert,
-					PRArenaPool       *poolp,
-					CERTCertificate   *inCert);
-
-extern CMMFPKIStatus 
-       cmmf_PKIStatusInfoGetStatus(CMMFPKIStatusInfo *inStatus);
-
-extern CERTCertList*
-       cmmf_MakeCertList(CERTCertificate **inCerts);
-
-extern CERTCertificate*
-cmmf_CertOrEncCertGetCertificate(CMMFCertOrEncCert *certOrEncCert,
-                                 CERTCertDBHandle  *certdb);
-
-extern SECStatus
-cmmf_decode_process_cert_response(PRArenaPool      *poolp, 
-				  CERTCertDBHandle *db,
-				  CMMFCertResponse *inCertResp);
-
-extern SECStatus
-cmmf_decode_process_certified_key_pair(PRArenaPool          *poolp,
-				       CERTCertDBHandle     *db,
-				       CMMFCertifiedKeyPair *inCertKeyPair);
-
-extern SECStatus
-cmmf_user_encode(void *src, CRMFEncoderOutputCallback inCallback, void *inArg,
-		 const SEC_ASN1Template *inTemplate);
-
-extern SECStatus
-cmmf_copy_secitem (PRArenaPool *poolp, SECItem *dest, SECItem *src);
-#endif /*_CMMFI_H_*/
-
-
-
-
-
diff --git a/security/nss/lib/crmf/cmmfit.h b/security/nss/lib/crmf/cmmfit.h
deleted file mode 100644
index 7cf7ea7e2..000000000
--- a/security/nss/lib/crmf/cmmfit.h
+++ /dev/null
@@ -1,148 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef _CMMFIT_H_
-#define _CMMFIT_H_
-
-/*
- * All fields marked by a PKIStausInfo in comments is an integer
- * with the following possible values.
- *
- *  Integer Value          Meaning
- *  -------------          -------
- *         0               granted- got exactly what you asked for.
- *
- *         1               grantedWithMods-got something like what you asked 
- *                          for;requester is responsible for ascertainging the
- *                          differences.
- *
- *         2               rejection-you don't get what you asked for; more 
- *                          information elsewhere in the message
- *
- *         3               waiting-the request body part has not yet been 
- *                          processed, expect to hear more later.
- *
- *         4               revocationWarning-this message contains a warning 
- *                          that a revocation is imminent.
- *
- *         5               revocationNotification-notification that a 
- *                          revocation has occurred.
- *
- *         6               keyUpdateWarning-update already done for the 
- *                          oldCertId specified in FullCertTemplate.
- */
-
-struct CMMFPKIStatusInfoStr {
-    SECItem status;
-    SECItem statusString;
-    SECItem failInfo;
-};
-
-struct CMMFCertOrEncCertStr {
-    union { 
-        CERTCertificate    *certificate;
-        CRMFEncryptedValue *encryptedCert;
-    } cert;
-    CMMFCertOrEncCertChoice choice;
-    SECItem                 derValue;
-};
-
-struct CMMFCertifiedKeyPairStr {
-    CMMFCertOrEncCert   certOrEncCert;
-    CRMFEncryptedValue *privateKey;
-    SECItem             derPublicationInfo; /* We aren't creating 
-					     * PKIPublicationInfo's, so 
-					     * we'll store away the der 
-					     * here if we decode one that
-					     * does have pubInfo.
-					     */
-    SECItem unwrappedPrivKey;
-};
-
-struct CMMFCertResponseStr {
-    SECItem               certReqId;
-    CMMFPKIStatusInfo     status; /*PKIStatusInfo*/
-    CMMFCertifiedKeyPair *certifiedKeyPair;
-};
-
-struct CMMFCertRepContentStr {
-    CERTCertificate  **caPubs;
-    CMMFCertResponse **response;
-    PRArenaPool       *poolp;
-    PRBool             isDecoded;
-};
-
-struct CMMFChallengeStr {
-    SECAlgorithmID  *owf;
-    SECItem          witness;
-    SECItem          senderDER;
-    SECItem          key;
-    SECItem          challenge;
-    SECItem          randomNumber;
-};
-
-struct CMMFRandStr {
-    SECItem          integer;
-    SECItem          senderHash;
-    CERTGeneralName *sender;
-};
-
-struct CMMFPOPODecKeyChallContentStr {
-    CMMFChallenge **challenges;
-    PRArenaPool    *poolp;
-    int             numChallenges;
-    int             numAllocated;
-};
-
-struct CMMFPOPODecKeyRespContentStr {
-    SECItem     **responses;
-    PRArenaPool  *poolp;
-};
-
-struct CMMFKeyRecRepContentStr {
-    CMMFPKIStatusInfo      status; /* PKIStatusInfo */
-    CERTCertificate       *newSigCert;
-    CERTCertificate      **caCerts;
-    CMMFCertifiedKeyPair **keyPairHist;
-    PRArenaPool           *poolp;
-    int                    numKeyPairs;
-    int                    allocKeyPairs;
-    PRBool                 isDecoded;
-};
-
-#endif /* _CMMFIT_H_ */
-
diff --git a/security/nss/lib/crmf/cmmfrec.c b/security/nss/lib/crmf/cmmfrec.c
deleted file mode 100644
index 3dd7cdd07..000000000
--- a/security/nss/lib/crmf/cmmfrec.c
+++ /dev/null
@@ -1,351 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * This file will implement the functions related to key recovery in 
- * CMMF
- */
-
-#include "nssrenam.h"
-#include "cmmf.h"
-#include "cmmfi.h"
-#include "secitem.h"
-#include "keyhi.h"
-
-CMMFKeyRecRepContent*
-CMMF_CreateKeyRecRepContent(void)
-{
-    PRArenaPool          *poolp;
-    CMMFKeyRecRepContent *keyRecContent;
-
-    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
-    if (poolp == NULL) {
-        return NULL;
-    }
-    keyRecContent = PORT_ArenaZNew(poolp, CMMFKeyRecRepContent);
-    if (keyRecContent == NULL) {
-        PORT_FreeArena(poolp, PR_FALSE);
-	return NULL;
-    }
-    keyRecContent->poolp = poolp;
-    return keyRecContent;
-}
-
-SECStatus
-CMMF_DestroyKeyRecRepContent(CMMFKeyRecRepContent *inKeyRecRep)
-{
-    PORT_Assert(inKeyRecRep != NULL);
-    if (inKeyRecRep != NULL && inKeyRecRep->poolp != NULL) {
-	int i;
-
-	if (!inKeyRecRep->isDecoded && inKeyRecRep->newSigCert != NULL) {
-	    CERT_DestroyCertificate(inKeyRecRep->newSigCert);
-	}
-	if (inKeyRecRep->caCerts != NULL) {
-	    for (i=0; inKeyRecRep->caCerts[i] != NULL; i++) {
-		CERT_DestroyCertificate(inKeyRecRep->caCerts[i]);
-	    }
-	}
-	if (inKeyRecRep->keyPairHist != NULL) {
-	    for (i=0; inKeyRecRep->keyPairHist[i] != NULL; i++) {
-	        if (inKeyRecRep->keyPairHist[i]->certOrEncCert.choice ==
-			cmmfCertificate) {
-		    CERT_DestroyCertificate(inKeyRecRep->keyPairHist[i]->
-					       certOrEncCert.cert.certificate);
-		}
-	    }
-	}
-        PORT_FreeArena(inKeyRecRep->poolp, PR_TRUE);
-    }
-    return SECSuccess;
-}
-
-SECStatus
-CMMF_KeyRecRepContentSetPKIStatusInfoStatus(CMMFKeyRecRepContent *inKeyRecRep,
-					    CMMFPKIStatus         inPKIStatus)
-{
-    PORT_Assert(inKeyRecRep != NULL && inPKIStatus >= cmmfGranted &&
-		inPKIStatus < cmmfNumPKIStatus);
-    if (inKeyRecRep == NULL) {
-        return SECFailure;
-    }
-    
-    return cmmf_PKIStatusInfoSetStatus(&inKeyRecRep->status, 
-				       inKeyRecRep->poolp,
-				       inPKIStatus);
-}
-
-SECStatus
-CMMF_KeyRecRepContentSetNewSignCert(CMMFKeyRecRepContent *inKeyRecRep,
-				    CERTCertificate      *inNewSignCert)
-{
-    PORT_Assert (inKeyRecRep != NULL && inNewSignCert != NULL);
-    if (inKeyRecRep == NULL || inNewSignCert == NULL) {
-        return SECFailure;
-    }
-    if (!inKeyRecRep->isDecoded && inKeyRecRep->newSigCert) {
-	CERT_DestroyCertificate(inKeyRecRep->newSigCert);
-    }
-    inKeyRecRep->isDecoded = PR_FALSE;
-    inKeyRecRep->newSigCert = CERT_DupCertificate(inNewSignCert);
-    return (inKeyRecRep->newSigCert == NULL) ? SECFailure : SECSuccess;    
-}
-
-SECStatus
-CMMF_KeyRecRepContentSetCACerts(CMMFKeyRecRepContent *inKeyRecRep,
-				CERTCertList         *inCACerts)
-{
-    SECStatus rv;
-    void *mark;
-
-    PORT_Assert (inKeyRecRep != NULL && inCACerts != NULL);
-    if (inKeyRecRep == NULL || inCACerts == NULL) {
-        return SECFailure;
-    }
-    mark = PORT_ArenaMark(inKeyRecRep->poolp);
-    rv = cmmf_ExtractCertsFromList(inCACerts, inKeyRecRep->poolp,
-				   &inKeyRecRep->caCerts);
-    if (rv != SECSuccess) {
-        PORT_ArenaRelease(inKeyRecRep->poolp, mark);
-    } else {
-        PORT_ArenaUnmark(inKeyRecRep->poolp, mark);
-    }
-    return rv;
-}
-
-SECStatus
-CMMF_KeyRecRepContentSetCertifiedKeyPair(CMMFKeyRecRepContent *inKeyRecRep,
-					 CERTCertificate      *inCert,
-					 SECKEYPrivateKey     *inPrivKey,
-					 SECKEYPublicKey      *inPubKey)
-{
-    CMMFCertifiedKeyPair *keyPair;
-    CRMFEncryptedValue   *dummy;
-    PRArenaPool          *poolp;
-    void                 *mark;
-    SECStatus             rv;
-
-    PORT_Assert (inKeyRecRep != NULL &&
-		 inCert      != NULL &&
-		 inPrivKey   != NULL &&
-		 inPubKey    != NULL);
-    if (inKeyRecRep == NULL ||
-	inCert      == NULL ||
-	inPrivKey   == NULL ||
-	inPubKey    == NULL) {
-        return SECFailure;
-    }
-    poolp = inKeyRecRep->poolp;
-    mark = PORT_ArenaMark(poolp);
-    if (inKeyRecRep->keyPairHist == NULL) {
-        inKeyRecRep->keyPairHist = PORT_ArenaNewArray(poolp, 
-						      CMMFCertifiedKeyPair*,
-						      (CMMF_MAX_KEY_PAIRS+1));
-	if (inKeyRecRep->keyPairHist == NULL) {
-	    goto loser;
-	}
-	inKeyRecRep->allocKeyPairs = CMMF_MAX_KEY_PAIRS;
-	inKeyRecRep->numKeyPairs   = 0;
-    }
-
-    if (inKeyRecRep->allocKeyPairs == inKeyRecRep->numKeyPairs) {
-        goto loser;
-    }
-    
-    keyPair = PORT_ArenaZNew(poolp, CMMFCertifiedKeyPair);
-    if (keyPair == NULL) {
-        goto loser;
-    }
-    rv = cmmf_CertOrEncCertSetCertificate(&keyPair->certOrEncCert,
-					  poolp, inCert);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    keyPair->privateKey = PORT_ArenaZNew(poolp, CRMFEncryptedValue);
-    if (keyPair->privateKey == NULL) {
-        goto loser;
-    }
-    dummy = crmf_create_encrypted_value_wrapped_privkey(inPrivKey, inPubKey, 
-							keyPair->privateKey);
-    PORT_Assert(dummy == keyPair->privateKey);
-    if (dummy != keyPair->privateKey) {
-        crmf_destroy_encrypted_value(dummy, PR_TRUE);
-	goto loser;
-    }
-    inKeyRecRep->keyPairHist[inKeyRecRep->numKeyPairs] = keyPair;
-    inKeyRecRep->numKeyPairs++;
-    inKeyRecRep->keyPairHist[inKeyRecRep->numKeyPairs] = NULL;
-    PORT_ArenaUnmark(poolp, mark);
-    return SECSuccess;
-
- loser:
-    PORT_ArenaRelease(poolp, mark);
-    return SECFailure;
-}
-
-CMMFPKIStatus
-CMMF_KeyRecRepContentGetPKIStatusInfoStatus(CMMFKeyRecRepContent *inKeyRecRep)
-{
-    PORT_Assert(inKeyRecRep != NULL);
-    if (inKeyRecRep == NULL) {
-        return cmmfNoPKIStatus;
-    }
-    return cmmf_PKIStatusInfoGetStatus(&inKeyRecRep->status);
-}
-
-CERTCertificate*
-CMMF_KeyRecRepContentGetNewSignCert(CMMFKeyRecRepContent *inKeyRecRep)
-{
-    PORT_Assert(inKeyRecRep != NULL);
-    if (inKeyRecRep             == NULL ||
-	inKeyRecRep->newSigCert == NULL) {
-        return NULL;
-    }
-    /* newSigCert may not be a real certificate, it may be a hand decoded
-     * cert structure. This code makes sure we hand off a real, fully formed
-     * CERTCertificate to the caller. TODO: This should move into the decode
-     * portion so that we never wind up with a half formed CERTCertificate
-     * here. In this case the call would be to CERT_DupCertificate.
-     */
-    return CERT_NewTempCertificate(CERT_GetDefaultCertDB(), 
-			          &inKeyRecRep->newSigCert->signatureWrap.data,
-				   NULL, PR_FALSE, PR_TRUE);
-}
-
-CERTCertList*
-CMMF_KeyRecRepContentGetCACerts(CMMFKeyRecRepContent *inKeyRecRep)
-{
-    PORT_Assert(inKeyRecRep != NULL);
-    if (inKeyRecRep == NULL || inKeyRecRep->caCerts == NULL) {
-        return NULL;
-    }
-    return cmmf_MakeCertList(inKeyRecRep->caCerts);
-}
-
-int 
-CMMF_KeyRecRepContentGetNumKeyPairs(CMMFKeyRecRepContent *inKeyRecRep)
-{
-    PORT_Assert(inKeyRecRep != NULL);
-    return (inKeyRecRep == NULL) ? 0 : inKeyRecRep->numKeyPairs;
-}
-
-PRBool
-cmmf_KeyRecRepContentIsValidIndex(CMMFKeyRecRepContent *inKeyRecRep,
-				  int                   inIndex)
-{
-    int numKeyPairs = CMMF_KeyRecRepContentGetNumKeyPairs(inKeyRecRep);
-    
-    return (PRBool)(inIndex >= 0 && inIndex < numKeyPairs);
-}
-
-CMMFCertifiedKeyPair*
-CMMF_KeyRecRepContentGetCertKeyAtIndex(CMMFKeyRecRepContent *inKeyRecRep,
-				       int                   inIndex)
-{
-    CMMFCertifiedKeyPair *newKeyPair;
-    SECStatus             rv;
-
-    PORT_Assert(inKeyRecRep != NULL &&
-		cmmf_KeyRecRepContentIsValidIndex(inKeyRecRep, inIndex));
-    if (inKeyRecRep == NULL ||
-	!cmmf_KeyRecRepContentIsValidIndex(inKeyRecRep, inIndex)) {
-        return NULL;
-    }
-    newKeyPair = PORT_ZNew(CMMFCertifiedKeyPair);
-    if (newKeyPair == NULL) {
-        return NULL;
-    }
-    rv = cmmf_CopyCertifiedKeyPair(NULL, newKeyPair, 
-				   inKeyRecRep->keyPairHist[inIndex]);
-    if (rv != SECSuccess) {
-        CMMF_DestroyCertifiedKeyPair(newKeyPair);
-	newKeyPair = NULL;
-    }
-    return newKeyPair;
-}
-
-SECStatus 
-CMMF_CertifiedKeyPairUnwrapPrivKey(CMMFCertifiedKeyPair *inKeyPair,
-				   SECKEYPrivateKey     *inPrivKey,
-				   SECItem              *inNickName,
-				   PK11SlotInfo         *inSlot,
-				   CERTCertDBHandle     *inCertdb,
-				   SECKEYPrivateKey    **destPrivKey,
-				   void                 *wincx)
-{
-    CERTCertificate *cert;
-    SECItem keyUsageValue = {siBuffer, NULL, 0};
-    unsigned char keyUsage = 0x0;
-    SECKEYPublicKey *pubKey;
-    SECStatus rv;
-
-    PORT_Assert(inKeyPair != NULL &&
-		inPrivKey != NULL && inCertdb != NULL);
-    if (inKeyPair             == NULL ||
-	inPrivKey             == NULL ||
-	inKeyPair->privateKey == NULL ||
-	inCertdb              == NULL) {
-        return SECFailure;
-    }
-    
-    cert = CMMF_CertifiedKeyPairGetCertificate(inKeyPair, inCertdb);
-    CERT_FindKeyUsageExtension(cert, &keyUsageValue);
-    if (keyUsageValue.data != NULL) {
-        keyUsage = keyUsageValue.data[3];
-	PORT_Free(keyUsageValue.data);
-    }
-    pubKey = CERT_ExtractPublicKey(cert);
-    rv = crmf_encrypted_value_unwrap_priv_key(NULL, inKeyPair->privateKey,
-					      inPrivKey, pubKey, 
-					      inNickName, inSlot, keyUsage, 
-					      destPrivKey, wincx);
-    SECKEY_DestroyPublicKey(pubKey);
-    CERT_DestroyCertificate(cert);
-    return rv;
-}
-
-
-PRBool 
-CMMF_KeyRecRepContentHasCACerts(CMMFKeyRecRepContent *inKeyRecRep)
-{
-    PORT_Assert(inKeyRecRep != NULL);
-    if (inKeyRecRep == NULL) {
-        return PR_FALSE;
-    }
-    return (PRBool)(inKeyRecRep->caCerts    != NULL && 
-		    inKeyRecRep->caCerts[0] != NULL);
-}
diff --git a/security/nss/lib/crmf/cmmfresp.c b/security/nss/lib/crmf/cmmfresp.c
deleted file mode 100644
index c77c5774d..000000000
--- a/security/nss/lib/crmf/cmmfresp.c
+++ /dev/null
@@ -1,315 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * This file will contain all routines dealing with creating a 
- * CMMFCertRepContent structure through Create/Set functions.
- */
-
-#include "cmmf.h"
-#include "cmmfi.h"
-#include "crmf.h"
-#include "crmfi.h"
-#include "secitem.h"
-#include "secder.h"
-
-CMMFCertRepContent*
-CMMF_CreateCertRepContent(void)
-{
-    CMMFCertRepContent *retCertRep;
-    PRArenaPool        *poolp;
-
-    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
-    if (poolp == NULL) {
-        goto loser;
-    }
-    retCertRep = PORT_ArenaZNew(poolp, CMMFCertRepContent);
-    if (retCertRep == NULL) {
-        goto loser;
-    }
-    retCertRep->poolp = poolp;
-    return retCertRep;
- loser:
-    if (poolp != NULL) {
-        PORT_FreeArena(poolp, PR_FALSE);
-    }
-    return NULL;
-}
-
-SECStatus 
-cmmf_CertOrEncCertSetCertificate(CMMFCertOrEncCert *certOrEncCert,
-				 PRArenaPool       *poolp,
-				 CERTCertificate   *inCert)
-{
-    SECItem               *derDest = NULL;
-    SECStatus             rv = SECFailure;
-
-    if (inCert->derCert.data == NULL) {
-        derDest = SEC_ASN1EncodeItem(NULL, NULL, inCert, 
-				     CMMFCertOrEncCertCertificateTemplate);
-	if (derDest == NULL) {
-	    goto loser;
-	}
-    } else {
-        derDest = SECITEM_DupItem(&inCert->derCert);
-	if (derDest == NULL) {
-	    goto loser;
-	}
-    }
-    PORT_Assert(certOrEncCert->cert.certificate == NULL);
-    certOrEncCert->cert.certificate = CERT_DupCertificate(inCert);
-    certOrEncCert->choice = cmmfCertificate;
-    if (poolp != NULL) {
-        rv = SECITEM_CopyItem(poolp, &certOrEncCert->derValue, derDest);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-    } else {
-        certOrEncCert->derValue = *derDest;
-    }
-    PORT_Free(derDest);
-    return SECSuccess;
- loser:
-    if (derDest != NULL) {
-        SECITEM_FreeItem(derDest, PR_TRUE);
-    }
-    return rv;
-}
-
-SECStatus
-cmmf_ExtractCertsFromList(CERTCertList      *inCertList,
-			  PRArenaPool       *poolp,
-			  CERTCertificate ***certArray)
-{
-    CERTCertificate  **arrayLocalCopy;
-    CERTCertListNode  *node;
-    int                numNodes = 0, i;
-
-    for (node = CERT_LIST_HEAD(inCertList); !CERT_LIST_END(node, inCertList);
-	 node = CERT_LIST_NEXT(node)) {
-        numNodes++;
-    }
-
-    arrayLocalCopy = *certArray = (poolp == NULL) ?
-                    PORT_NewArray(CERTCertificate*, (numNodes+1)) :
-                    PORT_ArenaNewArray(poolp, CERTCertificate*, (numNodes+1));
-    if (arrayLocalCopy == NULL) {
-        return SECFailure;
-    }
-    for (node = CERT_LIST_HEAD(inCertList), i=0; 
-	 !CERT_LIST_END(node, inCertList);
-	 node = CERT_LIST_NEXT(node), i++) {
-        arrayLocalCopy[i] = CERT_DupCertificate(node->cert);
-	if (arrayLocalCopy[i] == NULL) {
-	    int j;
-	    
-	    for (j=0; j<i; j++) {
-	        CERT_DestroyCertificate(arrayLocalCopy[j]);
-	    }
-	    if (poolp == NULL) {
-	        PORT_Free(arrayLocalCopy);
-	    }
-	    *certArray = NULL;
-	    return SECFailure;
-	}
-    }
-    arrayLocalCopy[numNodes] = NULL;
-    return SECSuccess;
-}
-
-SECStatus
-CMMF_CertRepContentSetCertResponses(CMMFCertRepContent *inCertRepContent,
-				    CMMFCertResponse  **inCertResponses,
-				    int                 inNumResponses)
-{
-    PRArenaPool       *poolp;
-    CMMFCertResponse **respArr, *newResp;
-    void              *mark;
-    SECStatus          rv;
-    int                i;
-
-    PORT_Assert (inCertRepContent != NULL &&
-		 inCertResponses  != NULL &&
-		 inNumResponses    > 0);
-    if (inCertRepContent == NULL ||
-	inCertResponses  == NULL ||
-	inCertRepContent->response != NULL) {
-        return SECFailure;
-    }
-    poolp = inCertRepContent->poolp;
-    mark = PORT_ArenaMark(poolp);
-    respArr = inCertRepContent->response = 
-        PORT_ArenaZNewArray(poolp, CMMFCertResponse*, (inNumResponses+1));
-    if (respArr == NULL) {
-        goto loser;
-    }
-    for (i=0; i<inNumResponses; i++) {
-        newResp = PORT_ArenaZNew(poolp, CMMFCertResponse);
-	if (newResp == NULL) {
-	    goto loser;
-	}
-        rv = cmmf_CopyCertResponse(poolp, newResp, inCertResponses[i]);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-	respArr[i] = newResp;
-    }
-    respArr[inNumResponses] = NULL;
-    PORT_ArenaUnmark(poolp, mark);
-    return SECSuccess;
-
- loser:
-    PORT_ArenaRelease(poolp, mark);
-    return SECFailure;
-}
-
-CMMFCertResponse*
-CMMF_CreateCertResponse(long inCertReqId)
-{
-    SECItem          *dummy;
-    CMMFCertResponse *newResp;
-    
-    newResp = PORT_ZNew(CMMFCertResponse);
-    if (newResp == NULL) {
-        goto loser;
-    }
-    dummy = SEC_ASN1EncodeInteger(NULL, &newResp->certReqId, inCertReqId);
-    if (dummy != &newResp->certReqId) {
-        goto loser;
-    }
-    return newResp;
-
- loser:
-    if (newResp != NULL) {
-        CMMF_DestroyCertResponse(newResp);
-    }
-    return NULL;
-}
-
-SECStatus
-CMMF_CertResponseSetPKIStatusInfoStatus(CMMFCertResponse *inCertResp,
-					CMMFPKIStatus     inPKIStatus)
-{
-    PORT_Assert (inCertResp != NULL && inPKIStatus >= cmmfGranted
-		 && inPKIStatus < cmmfNumPKIStatus);
-
-    if  (inCertResp == NULL) {
-        return SECFailure;
-    }
-    return cmmf_PKIStatusInfoSetStatus(&inCertResp->status, NULL,
-				       inPKIStatus);
-}
-
-SECStatus
-CMMF_CertResponseSetCertificate (CMMFCertResponse *inCertResp,
-				 CERTCertificate  *inCertificate)
-{
-    CMMFCertifiedKeyPair *keyPair = NULL;
-    SECStatus             rv = SECFailure;
-
-    PORT_Assert(inCertResp != NULL && inCertificate != NULL);
-    if (inCertResp == NULL || inCertificate == NULL) {
-        return SECFailure;
-    }
-    if (inCertResp->certifiedKeyPair == NULL) {
-        keyPair = inCertResp->certifiedKeyPair = 
-	    PORT_ZNew(CMMFCertifiedKeyPair);
-    } else {
-        keyPair = inCertResp->certifiedKeyPair;
-    }
-    if (keyPair == NULL) {
-        goto loser;
-    }
-    rv = cmmf_CertOrEncCertSetCertificate(&keyPair->certOrEncCert, NULL,
-					  inCertificate);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    return SECSuccess;
- loser:
-    if (keyPair) {
-        if (keyPair->certOrEncCert.derValue.data) {
-	    PORT_Free(keyPair->certOrEncCert.derValue.data);
-	}
-	PORT_Free(keyPair);
-    }
-    return rv;
-}
-
-
-SECStatus
-CMMF_CertRepContentSetCAPubs(CMMFCertRepContent *inCertRepContent,
-			     CERTCertList       *inCAPubs)
-{
-    PRArenaPool      *poolp;
-    void             *mark;
-    SECStatus         rv;
-
-    PORT_Assert(inCertRepContent != NULL &&
-		inCAPubs         != NULL &&
-		inCertRepContent->caPubs == NULL);
-    
-    if (inCertRepContent == NULL ||
-	inCAPubs == NULL || inCertRepContent == NULL) {
-        return SECFailure;
-    }
-
-    poolp = inCertRepContent->poolp;
-    mark = PORT_ArenaMark(poolp);
-
-    rv = cmmf_ExtractCertsFromList(inCAPubs, poolp,
-				   &inCertRepContent->caPubs);
-
-    if (rv != SECSuccess) {
-        PORT_ArenaRelease(poolp, mark);
-    } else {
-        PORT_ArenaUnmark(poolp, mark);
-    }
-    return rv;
-}
-
-CERTCertificate*
-CMMF_CertifiedKeyPairGetCertificate(CMMFCertifiedKeyPair *inCertKeyPair,
-				    CERTCertDBHandle     *inCertdb)
-{
-    PORT_Assert(inCertKeyPair != NULL);
-    if (inCertKeyPair == NULL) {
-        return NULL;
-    }
-    return cmmf_CertOrEncCertGetCertificate(&inCertKeyPair->certOrEncCert,
-					    inCertdb);
-}
diff --git a/security/nss/lib/crmf/cmmft.h b/security/nss/lib/crmf/cmmft.h
deleted file mode 100644
index 0590b7a78..000000000
--- a/security/nss/lib/crmf/cmmft.h
+++ /dev/null
@@ -1,105 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef _CMMFT_H_
-#define _CMMFT_H_
-
-#include "secasn1.h"
-
-/*
- * These are the enumerations used to distinguish between the different
- * choices available for the CMMFCertOrEncCert structure.
- */
-typedef enum {
-    cmmfNoCertOrEncCert = 0,
-    cmmfCertificate = 1,
-    cmmfEncryptedCert = 2
-} CMMFCertOrEncCertChoice;
-
-/*
- * This is the enumeration and the corresponding values used to 
- * represent the CMMF type PKIStatus
- */
-typedef enum {
-    cmmfNoPKIStatus = -1,
-    cmmfGranted = 0,
-    cmmfGrantedWithMods = 1,
-    cmmfRejection = 2,
-    cmmfWaiting = 3,
-    cmmfRevocationWarning = 4,
-    cmmfRevocationNotification = 5,
-    cmmfKeyUpdateWarning = 6,
-    cmmfNumPKIStatus
-} CMMFPKIStatus;
-
-/*
- * These enumerations are used to represent the corresponding values
- * in PKIFailureInfo defined in CMMF.
- */
-typedef enum {
-    cmmfBadAlg = 0,
-    cmmfBadMessageCheck = 1,
-    cmmfBadRequest = 2,
-    cmmfBadTime = 3,
-    cmmfBadCertId = 4,
-    cmmfBadDataFormat = 5,
-    cmmfWrongAuthority = 6,
-    cmmfIncorrectData = 7,
-    cmmfMissingTimeStamp = 8,
-    cmmfNoFailureInfo = 9
-} CMMFPKIFailureInfo;
-
-typedef struct CMMFPKIStatusInfoStr          CMMFPKIStatusInfo;
-typedef struct CMMFCertOrEncCertStr          CMMFCertOrEncCert;
-typedef struct CMMFCertifiedKeyPairStr       CMMFCertifiedKeyPair;
-typedef struct CMMFCertResponseStr           CMMFCertResponse;
-typedef struct CMMFCertResponseSeqStr        CMMFCertResponseSeq;
-typedef struct CMMFPOPODecKeyChallContentStr CMMFPOPODecKeyChallContent;
-typedef struct CMMFChallengeStr              CMMFChallenge;
-typedef struct CMMFRandStr                   CMMFRand;
-typedef struct CMMFPOPODecKeyRespContentStr  CMMFPOPODecKeyRespContent;
-typedef struct CMMFKeyRecRepContentStr       CMMFKeyRecRepContent;
-typedef struct CMMFCertRepContentStr         CMMFCertRepContent;
-
-/* Export this so people can call SEC_ASN1EncodeItem instead of having to 
- * write callbacks that are passed in to the high level encode function
- * for CMMFCertRepContent.
- */
-extern const SEC_ASN1Template CMMFCertRepContentTemplate[];
-extern const SEC_ASN1Template CMMFPOPODecKeyChallContentTemplate[];
-
-#endif /*_CMMFT_H_*/
diff --git a/security/nss/lib/crmf/config.mk b/security/nss/lib/crmf/config.mk
deleted file mode 100644
index 9554ab4a5..000000000
--- a/security/nss/lib/crmf/config.mk
+++ /dev/null
@@ -1,48 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-
-#
-#  Override TARGETS variable so that only static libraries
-#  are specifed as dependencies within rules.mk.
-#
-
-TARGETS        = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PROGRAM        =
-
diff --git a/security/nss/lib/crmf/crmf.h b/security/nss/lib/crmf/crmf.h
deleted file mode 100644
index d09163ae1..000000000
--- a/security/nss/lib/crmf/crmf.h
+++ /dev/null
@@ -1,1782 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-
-#ifndef _CRMF_H_
-#define _CRMF_H_
-
-#include "seccomon.h"
-#include "cert.h"
-#include "crmft.h"
-#include "secoid.h"
-#include "secpkcs7.h"
-
-SEC_BEGIN_PROTOS
-
-/*
- * FUNCTION: CRMF_EncodeCertReqMsg
- * INPUTS:
- *    inCertReqMsg
- *        The Certificate Request Message to be encoded.
- *    fn
- *        A Callback function that the ASN1 encoder calls whenever
- *        the encoder wants to write out some DER encoded bytes.
- *    arg
- *        An opaque pointer that gets passed to the function fn
- * OUTPUT:
- *    The function fn will be called multiple times.  Look at the
- *    comments in crmft.h where the CRMFEncoderOutputCallback type is 
- *    defined for information on proper behavior of the function fn.
- * RETURN:
- *    SECSuccess if encoding was successful.  Any other return value
- *    indicates an error occurred during encoding.
- */
-extern SECStatus 
-        CRMF_EncodeCertReqMsg (CRMFCertReqMsg            *inCertReqMsg, 
-			       CRMFEncoderOutputCallback  fn,
-			       void                      *arg);
-
-/*
- * FUNCTION: CRMF_EncoderCertRequest
- * INPUTS:
- *    inCertReq
- *        The Certificate Request to be encoded.
- *    fn
- *        A Callback function that the ASN1 encoder calls whenever
- *        the encoder wants to write out some DER encoded bytes.
- *    arg
- *        An opaque pointer that gets passed to the function fn.
- * OUTPUT:
- *    The function fn will be called, probably multiple times whenever 
- *    the ASN1 encoder wants to write out DER-encoded bytes.  Look at the 
- *    comments in crmft.h where the CRMFEncoderOuputCallback type is
- *    defined for information on proper behavior of the funciton fn.
- * RETURN:
- *    SECSuccess if encoding was successful.  Any other return value 
- *    indicates an error occured during encoding.
- */
-extern SECStatus CRMF_EncodeCertRequest (CRMFCertRequest           *inCertReq,
-					 CRMFEncoderOutputCallback  fn,
-					 void                      *arg);
-/*
- * FUNCTION: CRMF_EncodeCertReqMessages
- * INPUTS:
- *    inCertReqMsgs
- *        An array of pointers to the Certificate Request Messages
- *        to encode.  The user must place a NULL pointer in the index
- *        after the last message to be encoded.  When the library runs
- *        into the NULL pointer, the library assumes there are no more
- *        messages to encode.
- *    fn
- *        A Callback function that the ASN1 encoder calls whenever
- *        the encoder wants to write out some DER encoded byts.
- *    arg
- *        An opaque pointer that gets passed to the function fn.
- *
- * NOTES:
- *    The parameter inCertReqMsgs needs to be an array with a NULL pointer
- *    to signal the end of messages.  An array in the form of 
- *    {m1, m2, m3, NULL, m4, ...} will only encode the messages m1, m2, and
- *    m3.  All messages from m4 on will not be looked at by the library.
- *
- * OUTPUT:
- *    The function fn will be called, probably multiple times.  Look at the 
- *    comments in crmft.h where the CRMFEncoderOuputCallback type is
- *    defined for information on proper behavior of the funciton fn.
- *
- * RETURN:
- * SECSuccess if encoding the Certificate Request Messages was successful. 
- * Any other return value indicates an error occurred while encoding the
- * certificate request messages.
- */
-extern SECStatus 
-       CRMF_EncodeCertReqMessages(CRMFCertReqMsg           **inCertReqMsgs,
-				  CRMFEncoderOutputCallback  fn,
-				  void                      *arg);
-
-
-/*
- * FUNCTION: CRMF_CreateCertReqMsg
- * INPUTS:
- *    NONE
- * OUTPUT:
- *    An empty CRMF Certificate Request Message.
- *    Before encoding this message, the user must set
- *    the ProofOfPossession field and the certificate 
- *    request which are necessary for the full message.
- *    After the user no longer needs this CertReqMsg,
- *    the user must call CRMF_DestroyCertReqMsg to free
- *    all memory associated with the Certificate Request
- *    Message.
- * RETURN:
- *    A pointer to a Certificate Request Message.  The user 
- *    must pass the return value of this function to 
- *    CRMF_DestroyCertReqMsg after the Certificate Request
- *    Message is no longer necessary.
- */
-extern CRMFCertReqMsg* CRMF_CreateCertReqMsg(void);
-
-/*
- * FUNCTION: CRMF_DestroyCertReqMsg
- * INPUTS:
- *    inCertReqMsg
- *        The Certificate Request Message to destroy.
- *  NOTES:
- *    This function frees all the memory used for the Certificate
- *    Request Message and all the memory used in making copies of
- *    fields of elelments of the message, eg. the Proof Of Possession
- *    filed and the Cetificate Request.  
- * RETURN:
- *    SECSuccess if destruction was successful.  Any other return value
- *    indicates an error while trying to free the memory associated
- *    with inCertReqMsg.
- *    
- */
-extern SECStatus CRMF_DestroyCertReqMsg(CRMFCertReqMsg *inCertReqMsg);
-
-/*
- * FUNCTION: CRMF_CertReqMsgSetCertRequest
- * INPUTS:
- *    inCertReqMsg
- *        The Certificate Request Message that the function will set
- *        the certificate request for.
- *    inCertReq
- *        The Certificate Request that will be added to the Certificate
- *        Request Message.
- * NOTES:
- *    This function will make a copy of the Certificate Request passed in
- *    and store it as part of the Certificate Request Message.  Therefore,
- *    the user must not call this function until the Certificate Request
- *    has been fully built and is ready to be encoded.
- * RETURN:
- *    SECSuccess 
- *        If copying the Certificate as a member of the Certificate
- *        request message was successful.
- *    Any other return value indicates a failure to copy the Certificate
- *    Request and make it a part of the Certificate Request Message.
- */
-extern SECStatus CRMF_CertReqMsgSetCertRequest(CRMFCertReqMsg  *inCertReqMsg, 
-					       CRMFCertRequest *inCertReq);
-
-/*
- * FUNCTION: CRMF_CreateCertRequest
- * INPUTS:
- *    inRequestID
- *        The ID that will be associated with this certificate request.
- * OUTPUTS:
- *    A certificate request which only has the requestID set.
- * NOTES:
- *    The user must call the function CRMF_DestroyCertRequest when
- *    the returned value is no longer needed.  This is usually the
- *    case after fully constructing the Certificate Request and then
- *    calling the function CRMF_CertReqMsgSetCertRequest.
- * RETURN:
- *    A pointer to the new Certificate Request.  A NULL return value
- *    indicates an error in creating the Certificate Request.
- */
-extern CRMFCertRequest *CRMF_CreateCertRequest (long inRequestID);
-
-/*
- * FUNCTION: CRMF_DestroyCertRequest
- * INPUTS:
- *    inCertReq
- *        The Certificate Request that will be destroyed.
- * RETURN:
- *    SECSuccess
- *        If freeing the memory associated with the certificate request 
- *        was successful.
- *    Any other return value indicates an error while trying to free the 
- *    memory.
- */
-extern SECStatus CRMF_DestroyCertRequest (CRMFCertRequest *inCertReq);
-
-/*
- * FUNCTION: CRMF_CreateCertExtension
- * INPUTS:
- *    id
- *        The SECOidTag to associate with this CertExtension.  This must
- *        correspond to a valid Certificate Extension, if not the function
- *        will fail.
- *    isCritical
- *        A boolean value stating if the extension value is crtical.  PR_TRUE
- *        means the value is crtical.  PR_FALSE indicates the value is not 
- *        critical.
- *    data
- *        This is the data associated with the extension.  The user of the
- *        library is responsible for making sure the value passed in is a
- *        valid interpretation of the certificate extension.
- * NOTES:
- * Use this function to create CRMFCertExtension Structures which will 
- * then be passed to CRMF_AddFieldToCertTemplate as part of the 
- * CRMFCertCreationInfo.extensions  The user must call 
- * CRMF_DestroyCertExtension after the extension has been added to a certifcate
- * and the extension is no longer needed.
- *
- * RETURN:
- * A pointer to a newly created CertExtension.  A return value of NULL
- * indicates the id passed in was an invalid certificate extension.
- */
-extern CRMFCertExtension *CRMF_CreateCertExtension(SECOidTag      id, 
-						   PRBool         isCritical,
-						   SECItem       *data);
-
-/*
- * FUNCTION: CMRF_DestroyCertExtension
- * INPUTS:
- *    inExtension
- *        The Cert Extension to destroy
- * NOTES:
- * Destroy a structure allocated by CRMF_CreateCertExtension.
- *
- * RETURN:
- * SECSuccess if freeing the memory associated with the certificate extension
- * was successful.  Any other error indicates an error while freeing the 
- * memory.
- */
-extern SECStatus CRMF_DestroyCertExtension(CRMFCertExtension *inExtension);
-
-/* 
- * FUNCTION: CRMF_CertRequestSetTemplateField
- * INPUTS:
- *    inCertReq
- *        The Certificate Request to operate on.
- *    inTemplateField
- *        An enumeration that indicates which field of the Certificate
- *        template to add.
- *    data
- *        A generic pointer that will be type cast according to the
- *        table under NOTES and used as the key for adding to the
- *        certificate template;
- * NOTES:
- *
- * Below is a table that tells what type to pass in as data
- * depending on the template field one wants to set.
- *
- * Look in crmft.h for the definition of CRMFCertTemplateField.
- * 
- * In all cases, the library makes copies of the data passed in.
- *
- *   CRMFCertTemplateField    Type of data    What data means
- *   ---------------------    ------------    ---------------
- *   crmfVersion              long *          The version of
- *                                            the certificate
- *                                            to be created.
- *
- *   crmfSerialNumber         long *          The serial number
- *                                            for the cert to be
- *                                            created.
- *   
- *   crmfSigningAlg           SECAlgorithm *  The ASN.1 object ID for
- *                                            the algorithm used in encoding
- *                                            the certificate.
- *
- *   crmfIssuer               CERTName *      Certificate Library 
- *                                            representation of the ASN1 type
- *                                            Name from X.509
- *
- *   crmfValidity     CRMFValidityCreationInfo *  At least one of the two
- *                                                fields in the structure must
- *                                                be present.  A NULL pointer 
- *                                                in the structure indicates
- *                                                that member should not be 
- *                                                added.
- *
- *   crmfSubject              CERTName *      Certificate Library 
- *                                            representation of the ASN1 type
- *                                            Name from X.509
- *
- *   crmfPublicKey    CERTSubjectPublicKeyInfo *  The public key info for the
- *                                                certificate being requested.
- *
- *   crmfIssuerUID            SECItem *           A bit string representation
- *                                                of the issuer UID. NOTE: The
- *                                                length is the number of bits
- *                                                and not the number of bytes.
- *
- *   crmfSubjectUID           SECItem*            A bit string representation
- *                                                of the subject UID. NOTE: The
- *                                                length is the number of bits
- *                                                and not the number of bytes.
- *
- *   crmfExtension   CRMFCertExtCreationInfo *     A pointer to the structure
- *                                                 populated with an array of 
- *                                                 of certificate extensions
- *                                                 and an integer that tells
- *                                                 how many elements are in the
- *                                                 array. Look in crmft.h for
- *                                                 the definition of 
- *                                                 CRMFCertExtCreationInfo
- * RETURN:
- *    SECSuccess if adding the desired field to the template was successful.
- *    Any other return value indicates failure when trying to add the field 
- *    to the template.
- *                                                
- */
-extern SECStatus
-  CRMF_CertRequestSetTemplateField(CRMFCertRequest       *inCertReq, 
-				   CRMFCertTemplateField  inTemplateField,
-				   void                  *data);
-
-/*
- * FUNCTION: CRMF_CertRequestIsFieldPresent
- * INPUTS:
- *    inCertReq
- *        The certificate request to operate on.
- *    inTemplateField
- *        The enumeration for the template field the user wants to query
- *        about.
- * NOTES:
- * This function checks to see if the the field associated with inTemplateField
- * enumeration is already present in the certificate request passed in.
- *
- * RETURN:
- * The function returns PR_TRUE if the field associated with inTemplateField
- * is already present in the certificate request.  If the field is not present
- * the function returns PR_FALSE.
- */
-extern PRBool
-  CRMF_CertRequestIsFieldPresent(CRMFCertRequest       *inCertReq,
-				 CRMFCertTemplateField  inTemplateField);
-
-/*
- * FUNCTION: CRMF_CertRequestIsControlPresent
- * INPUTS:
- *    inCertReq
- *        The certificate request to operate on.
- *    inControlType
- *        The type of control to look for.
- * NOTES:
- * This function looks at the control present in the certificate request
- * and returns PR_TRUE iff a control of type inControlType already exists.
- * The CRMF draft does not explicitly state that two controls of the same
- * type can not exist within the same request.  So the library will not
- * cause an error if you try to add a control and one of the same type
- * already exists.  It is up to the application to ensure that multiple
- * controls of the same type do not exist, if that is the desired behavior
- * by the application.
- *
- * RETURN:
- * The function returns PR_TRUE if a control of type inControlType already
- * exists in the certificate request.  If a control of type inControlType
- * does not exist, the function will return PR_FALSE.
- */
-extern PRBool
-  CRMF_CertRequestIsControlPresent(CRMFCertRequest *inCertReq,
-				   CRMFControlType  inControlType);
-				   
-
-/*
- * FUNCTION: CRMF_CertRequestSetRegTokenControl
- * INPUTS:
- *    inCertReq
- *        The Certificate Request to operate on.
- *    value
- *        The UTF8 value which will be the Registration Token Control
- *        for this Certificate Request.
- * NOTES:
- *    The library does no verification that the value passed in is 
- *    a valid UTF8 value.  The caller must make sure of this in order
- *    to get an encoding that is valid.  The library will ultimately
- *    encode this value as it was passed in.
- * RETURN:
- *    SECSucces on successful addition of the Registration Token Control.
- *    Any other return value indicates an unsuccessful attempt to add the
- *    control.
- *
- */
-extern SECStatus CRMF_CertRequestSetRegTokenControl(CRMFCertRequest *inCertReq,
-						    SECItem         *value);
-
-/*
- * FUNCTION: CRMF_CertRequestSetAuthenticatorControl
- * INPUTS:
- *    inCertReq
- *        The Certificate Request to operate on.
- *    value
- *        The UTF8 value that will become the Authenticator Control
- *        for the passed in Certificate Request.
- * NOTES:
- *    The library does no verification that the value passed in is 
- *    a valid UTF8 value.  The caller must make sure of this in order
- *    to get an encoding that is valid.  The library will ultimately
- *    encode this value as it was passed in.
- * RETURN:
- *    SECSucces on successful addition of the Authenticator Control.
- *    Any other return value indicates an unsuccessful attempt to add the
- *    control.
- */
-extern SECStatus 
-       CRMF_CertRequestSetAuthenticatorControl (CRMFCertRequest *inCertReq,
-						SECItem         *value);
-
-/*
- * FUNCTION: CRMF_CreateEncryptedKeyWithencryptedValue
- * INPUTS:
- *    inPrivKey
- *        This is the private key associated with a certificate that is
- *        being requested.  This structure will eventually wind up as 
- *        a part of the PKIArchiveOptions Control.  
- *    inCACert
- *        This is the certificate for the CA that will be receiving the 
- *        certificate request for the private key passed in.
- * OUTPUT:
- *    A CRMFEncryptedKey that can ultimately be used as part of the 
- *    PKIArchiveOptions Control.
- *
- * RETURN:
- *    A pointer to a CRMFEncyptedKey.  A NULL return value indicates an erro
- *    during the creation of the encrypted key.
- */
-extern CRMFEncryptedKey* 
-       CRMF_CreateEncryptedKeyWithEncryptedValue(SECKEYPrivateKey *inPrivKey,
-						 CERTCertificate  *inCACert);
-
-/*
- * FUNCTION: CRMF_DestroyEncryptedKey
- * INPUTS:
- *    inEncrKey
- *        The CRMFEncryptedKey to be destroyed.
- * NOTES:
- *    Frees all memory associated with the CRMFEncryptedKey passed in.
- * RETURN:
- *    SECSuccess if freeing the memory was successful.  Any other return
- *    value indicates an error while freeig the memroy.
- */
-extern SECStatus CRMF_DestroyEncryptedKey(CRMFEncryptedKey *inEncrKey);
-						
-/*
- * FUNCTION: CRMF_CreatePKIArchiveOptions
- * INPUTS:
- *    inType
- *        An enumeration value indicating which option for 
- *        PKIArchiveOptions to use.
- *    data
- *        A pointer that will be type-cast and de-referenced according
- *        to the table under NOTES.
- * NOTES:
- * A table listing what should be passed in as data
- * ------------------------------------------------
- *
- * inType                            data
- * ------                            ----
- * crmfEncryptedPrivateKey           CRMFEncryptedKey*
- * crmfKeyGenParameters              SECItem*(This needs to be an octet string)
- * crmfArchiveRemGenPrivKey          PRBool*
- *
- * RETURN:
- *    A pointer the a CRMFPKIArchiveOptions that can be added to a Certificate
- *    Request.  A NULL pointer indicates an error occurred while creating
- *    the CRMFPKIArchiveOptions Structure.
- */
-extern CRMFPKIArchiveOptions*
-       CRMF_CreatePKIArchiveOptions(CRMFPKIArchiveOptionsType  inType,
-				    void                      *data);
-/*
- * FUNCTION: CRMF_DestroyPKIArchiveOptions
- * INPUTS:
- *    inArchOpt
- *        A pointer to the CRMFPKIArchiveOptions structure to free.
- * NOTES:
- *    Will free all memory associated with 'inArchOpt'.
- * RETURN:
- *    SECSuccess if successful in freeing the memory used by 'inArchOpt'
- *    Any other return value indicates an error while freeing the memory.
- */
-extern SECStatus 
-       CRMF_DestroyPKIArchiveOptions(CRMFPKIArchiveOptions *inArchOpt);
-
-/*
- * FUNCTION: CRMF_CertRequestSetPKIArchiveOptions
- * INPUTS:
- *    inCertReq
- *        The Certificate Request to add the the options to.
- *    inOptions
- *        The Archive Options to add to the Certificate Request.
- * NOTES:
- *    Adds the PKIArchiveOption to the Certificate Request.  This is what
- *    enables Key Escrow to take place through CRMF.  The library makes
- *    its own copy of the information.
- * RETURN:
- *    SECSuccess if successful in adding the ArchiveOptions to the Certificate
- *    request.  Any other return value indicates an error when trying to add
- *    the Archive Options  to the Certificate Request.
- */
-extern SECStatus 
-       CRMF_CertRequestSetPKIArchiveOptions(CRMFCertRequest       *inCertReq,
-					    CRMFPKIArchiveOptions *inOptions);
-
-/*
- * FUNCTION: CRMF_CertReqMsgGetPOPType
- * INPUTS:
- *    inCertReqMsg
- *        The Certificate Request Message to operate on.
- * NOTES:
- *    Returns an enumeration value indicating the method of Proof
- *    of Possession that was used for the passed in Certificate Request
- *    Message.
- * RETURN:
- *    An enumeration indicating what method for Proof Of Possession is
- *    being used in this Certificate Request Message.  Look in the file
- *    crmft.h for the definition of CRMFPOPChoice for the possible return
- *    values.
- */
-extern CRMFPOPChoice CRMF_CertReqMsgGetPOPType(CRMFCertReqMsg *inCertReqMsg);
-
-/*
- * FUNCTION: CRMF_CertReqMsgSetRAVerifiedPOP
- * INPUT:
- *    InCertReqMsg
- *        The Certificate Request Message to operate on.
- * NOTES:
- *    This function will set the method of Proof Of Possession to 
- *    crmfRAVerified which means the RA has already verified the 
- *    requester does possess the private key.
- * RETURN:
- *    SECSuccess if adding RAVerified to the message is successful.  
- *    Any other message indicates an error while trying to add RAVerified
- *    as the Proof of Possession.
- */
-extern SECStatus CRMF_CertReqMsgSetRAVerifiedPOP(CRMFCertReqMsg *inCertReqMsg);
-
-/*
- * FUNCTION: CRMF_CertReqMsgSetSignaturePOP
- * INPUT:
- *    inCertReqMsg
- *        The Certificate Request Message to add the SignaturePOP to.
- *    inPrivKey
- *        The Private Key which corresponds to the the Certificate Request
- *        Message.
- *    inPubKey
- *        The Public Key which corresponds to the Private Key passed in.
- *    inCertForInput
- *        A Certificate that in the future may be used to create 
- *        POPOSigningKeyInput.
- *    fn
- *        A callback for retrieving a password which may be used in the
- *       future to generate POPOSigningKeyInput.
- *    arg
- *        An opaque pointer that would be passed to fn whenever it is
- *        called.
- * NOTES:
- * Adds Proof Of Possession to the CertRequest using the signature field 
- * of the ProofOfPossession field.  NOTE: In order to use this option, 
- * the certificate template must contain the publicKey at the very minimum.
- * 
- * If you don't want the function to generate POPOSigningKeyInput, then
- * make sure the cert template already contains the subject and public key
- * values.  Currently creating POPOSigningKeyInput is not supported, so 
- * a Message passed to this function must have the publicKey and the subject
- * as part of the template
- *
- * This will take care of creating the entire POPOSigningKey structure
- * that will become part of the message.
- *
- * inPrivKey is the key to be used in the signing operation when creating
- * POPOSigningKey structure.  This should be the key corresponding to
- * the certificate being requested.
- *
- * inCertForInput will be used if POPOSigningKeyInput needs to be generated.
- * It will be used in generating the authInfo.sender field.  If the parameter
- * is not passed in then authInfo.publicKeyMAC will be generated instead.
- * If passed in, this certificate needs to be a valid certificate.
- *
- * The last 3 arguments are for future compatibility in case we ever want to
- * support generating POPOSigningKeyInput.  Pass in NULL for all 3 if you 
- * definitely don't want the funciton to even try to generate 
- * POPOSigningKeyInput.  If you try to use POPOSigningKeyInput, the function
- * will fail.
- *
- * RETURN:
- *    SECSuccess if adding the Signature Proof Of Possession worked.
- *    Any other return value indicates an error in trying to add
- *    the Signature Proof Of Possession.
- */
-extern SECStatus 
-       CRMF_CertReqMsgSetSignaturePOP(CRMFCertReqMsg   *inCertReqMsg,
-				      SECKEYPrivateKey *inPrivKey,
-				      SECKEYPublicKey  *inPubKey,
-				      CERTCertificate  *inCertForInput,
-				      CRMFMACPasswordCallback  fn,
-				      void                    *arg);
-
-/*
- * FUNCTION: CRMF_CertReqMsgSetKeyEnciphermentPOP
- * INPUTS:
- *    inCertReqMsg
- *        The Certificate Request Message to operate on.
- *    inKeyChoice
- *        An enumeration indicating which POPOPrivKey Choice to use
- *        in constructing the KeyEnciphermentPOP.
- *    subseqMess
- *        This parameter must be provided iff inKeyChoice is 
- *        crmfSubsequentMessage.  This details how the RA is to respond
- *        in order to perform Proof Of Possession.  Look in crmft.h under
- *        the definition of CRMFSubseqMessOptions for possible values.
- *    encPrivKey
- *        This parameter only needs to be provided if inKeyChoice is
- *        crmfThisMessage.  The item should contain the encrypted private
- *        key.
- *        
- * NOTES:
- * Adds Proof Of Possession using the keyEncipherment field of
- * ProofOfPossession.
- *
- * The funciton looks at the the inKeyChoice parameter and interprets it in
- * in the following manner.
- *
- * If a parameter is not mentioned under interpretation, the funciton will not
- * look at its value when implementing that case.
- *
- * inKeyChoice          Interpretation
- * -----------          --------------
- * crmfThisMessage      This options requires that the encrypted private key
- *                      be included in the thisMessage field of POPOPrivKey.
- *                      We don't support this yet, so any clients who want
- *                      to use this feature have to implement a wrapping
- *                      function and agree with the server on how to properly
- *                      wrap the key.  That encrypted key must be passed in
- *                      as the encPrivKey parameter.
- *
- * crmfSubequentMessage Must pass in a value for subseqMess.  The value must
- *                      be either CRMFEncrCert or CRMFChallengeResp.  The
- *                      parameter encPrivKey will not be looked at in this
- *                      case.
- *
- * crmfDHMAC            This is not a valid option for this function.  Passing
- *                      in this value will result in the function returning
- *                      SECFailure.
- * RETURN:
- *    SECSuccess if adding KeyEnciphermentPOP was successful.  Any other return
- *    value indicates an error in adding KeyEnciphermentPOP.
- */
-extern SECStatus 
-      CRMF_CertReqMsgSetKeyEnciphermentPOP(CRMFCertReqMsg        *inCertReqMsg,
-					   CRMFPOPOPrivKeyChoice  inKeyChoice,
-					   CRMFSubseqMessOptions  subseqMess,
-					   SECItem               *encPrivKey);
-
-/*
- * FUNCTION: CRMF_CertReqMsgSetKeyAgreementPOP
- * INPUTS:
- *    inCertReqMsg
- *        The Certificate Request Message to operate on.
- *    inKeyChoice
- *        An enumeration indicating which POPOPrivKey Choice to use
- *        in constructing the KeyAgreementPOP.
- *    subseqMess
- *        This parameter must be provided iff inKeyChoice is 
- *        crmfSubsequentMessage.  This details how the RA is to respond
- *        in order to perform Proof Of Possession.  Look in crmft.h under
- *        the definition of CRMFSubseqMessOptions for possible values.
- *    encPrivKey
- *        This parameter only needs to be provided if inKeyChoice is
- *        crmfThisMessage.  The item should contain the encrypted private
- *        key.
- * Adds Proof Of Possession using the keyAgreement field of
- * ProofOfPossession.
- *
- * The funciton looks at the the inKeyChoice parameter and interprets it in
- * in the following manner.
- *
- * If a parameter is not mentioned under interpretation, the funciton will not
- * look at its value when implementing that case.
- *
- * inKeyChoice          Interpretation
- * -----------          --------------
- * crmfThisMessage      This options requires that the encrypted private key
- *                      be included in the thisMessage field of POPOPrivKey.
- *                      We don't support this yet, so any clients who want
- *                      to use this feature have to implement a wrapping
- *                      function and agree with the server on how to properly
- *                      wrap the key.  That encrypted key must be passed in
- *                      as the encPrivKey parameter.
- *
- * crmfSubequentMessage Must pass in a value for subseqMess.  The value must
- *                      be either crmfEncrCert or crmfChallengeResp.  The
- *                      parameter encPrivKey will not be looked at in this
- *                      case.
- *
- * crmfDHMAC            This option is not supported.
- */
-extern SECStatus 
-       CRMF_CertReqMsgSetKeyAgreementPOP(CRMFCertReqMsg        *inCertReqMsg,
-					 CRMFPOPOPrivKeyChoice  inKeyChoice,
-					 CRMFSubseqMessOptions  subseqMess,
-					 SECItem               *encPrivKey);
-
-/*
- * FUNCTION: CRMF_CreateCertReqMsgFromDER
- * INPUTS:
- *    buf
- *        A buffer to the DER-encoded Certificate Request Message.
- *    len
- *        The length in bytes of the buffer 'buf'
- * NOTES:
- * This function passes the buffer to the ASN1 decoder and creates a 
- * CRMFCertReqMsg structure.  Do not try adding any fields to a message
- * returned from this function.  Specifically adding more Controls or 
- * Extensions may cause your program to crash.
- *
- * RETURN:
- *    A pointer to the Certificate Request Message structure.  A NULL return
- *    value indicates the library was unable to parse the DER.
- */
-extern CRMFCertReqMsg* CRMF_CreateCertReqMsgFromDER(const char *buf, long len);
-
-/*
- * FUNCTION: CRMF_CreateCertReqMessagesFromDER
- * INPUTS:
- *    buf
- *        A buffer to the DER-encoded Certificate Request Messages.
- *    len
- *        The length in bytes of buf
- * NOTES:
- * This function passes the buffer to the ASN1 decoder and creates a 
- * CRMFCertReqMessages structure.  Do not try adding any fields to a message
- * derived from this function.  Specifically adding more Controls or 
- * Extensions may cause your program to crash.
- * The user must call CRMF_DestroyCertReqMessages after the return value is 
- * no longer needed, ie when all individual messages have been extracted.
- *  
- * RETURN:
- *    A pointer to the Certificate Request Messages structure.  A NULL return
- *    value indicates the library was unable to parse the DER.
- */ 
-extern CRMFCertReqMessages*
-       CRMF_CreateCertReqMessagesFromDER(const char *buf, long len);
-
-/*
- * FUNCTION: CRMF_DestroyCertReqMessages
- * INPUTS
- *    inCertReqMsgs
- *        The Messages to destroy.
- * RETURN:
- *    SECSuccess if freeing the memory was done successfully.  Any other
- *    return value indicates an error in freeing up memory.
- */ 
-extern SECStatus 
-       CRMF_DestroyCertReqMessages(CRMFCertReqMessages *inCertReqMsgs);
-
-/*
- * FUNCTION: CRMF_CertReqMessagesGetNumMessages
- * INPUTS:
- *    inCertReqMsgs
- *        The Request Messages to operate on.
- * RETURN:
- *    The number of messages contained in the in the Request Messages 
- *    strucure.
- */
-extern int 
-       CRMF_CertReqMessagesGetNumMessages(CRMFCertReqMessages *inCertReqMsgs);
-
-/*
- * FUNCTION: CRMF_CertReqMessagesGetCertReqMsgAtIndex
- * INPUTS:
- *    inReqMsgs
- *        The Certificate Request Messages to operate on.
- *    index
- *        The index of the single message the user wants a copy of.
- * NOTES:
- * This function returns a copy of the request messages stored at the 
- * index corresponding to the parameter 'index'.  Indexing of the messages
- * is done in the same manner as a C array.  Meaning the valid index are 
- * 0...numMessages-1.  User must call CRMF_DestroyCertReqMsg when done using
- * the return value of this function.
- *
- * RETURN:
- * SECSuccess if copying the message at the requested index was successful.
- * Any other return value indicates an invalid index or error while copying
- * the single request message.
- */
-extern CRMFCertReqMsg*
-       CRMF_CertReqMessagesGetCertReqMsgAtIndex(CRMFCertReqMessages *inReqMsgs,
-						int                  index);
-
-
-/*
- * FUNCTION: CRMF_CertReqMsgGetID
- * INPUTS:
- *    inCertReqMsg
- *        The Certificate Request Message to get the ID from.
- *    destID
- *        A pointer to where the library can place the ID of the Message.
- * RETURN:
- *    SECSuccess if the function was able to retrieve the ID and place it
- *    at *destID.  Any other return value indicates an error meaning the value
- *    in *destId is un-reliable and should not be used by the caller of this 
- *    function.
- *    
- */
-extern SECStatus CRMF_CertReqMsgGetID(CRMFCertReqMsg *inCertReqMsg, 
-				      long           *destID);
-
-/*
- * FUNCTION: CRMF_DoesRequestHaveField
- * INPUTS:
- *    inCertReq
- *        The Certificate Request to operate on.
- *    inField
- *        An enumeration indicating which filed of the certificate template
- *        to look for.
- * NOTES:
- * All the fields in a certificate template are optional.  This function
- * checks to see if the requested field is present.  Look in crmft.h at the
- * definition of CRMFCertTemplateField for possible values for possible 
- * querying.
- *
- * RETURN:
- * PR_TRUE iff the field corresponding to 'inField' has been specified as part
- *         of 'inCertReq'
- * PR_FALSE iff the field corresponding to 'inField' has not been speicified
- *          as part of 'inCertReq'
- *        
- */
-extern PRBool CRMF_DoesRequestHaveField(CRMFCertRequest       *inCertReq,
-					CRMFCertTemplateField  inField);
-
-/*
- * FUNCTION: CRMF_CertReqMsgGetCertRequest
- * INPUTS:
- *    inCertReqMsg
- *        The Certificate Request Message to operate on.
- * NOTES:
- *    This function returns a copy of the Certificate Request to the user.
- *    The user can keep adding to this request and then making it a part
- *    of another message.  After the user no longer wants to use the
- *    returned request, the user must call CRMF_DestroyCertRequest and
- *    pass it the request returned by this function.
- * RETURN:
- *    A pointer to a copy of the certificate request contained by the message.
- *    A NULL return value indicates an error occurred while copying the 
- *   certificate request.
- */
-extern CRMFCertRequest *
-       CRMF_CertReqMsgGetCertRequest(CRMFCertReqMsg *inCertReqMsg);
-
-/*
- * FUNCTION: CRMF_CertRequestGetCertTemplateVersion
- * INPUTS:
- *    inCertReq
- *        The Certificate Request to operate on.
- *    version
- *        A pointer to where the library can store the version contatined
- *        in the certificate template within the certifcate request.
- * RETURN:
- *    SECSuccess if the Certificate template contains the version field.  In 
- *    this case, *version will hold the value of the certificate template 
- *    version.
- *    SECFailure indicates that version field was not present as part of
- *    of the certificate template.
- */
-extern SECStatus 
-       CRMF_CertRequestGetCertTemplateVersion(CRMFCertRequest *inCertReq, 
-					      long            *version);
-
-/*
- * FUNCTION: CRMF_CertRequestGetCertTemplateSerialNumber
- * INPUTS:
- *    inCertReq
- *        The certificate request to operate on.
- *    serialNumber
- *        A pointer where the library can put the serial number contained
- *        in the certificate request's certificate template.
- * RETURN:
- * If a serial number exists in the CertTemplate of the request, the function 
- * returns SECSuccess and the value at *serialNumber contains the serial 
- * number.
- * If no serial number is present, then the function returns SECFailure and
- * the value at *serialNumber is un-changed.
- */
-extern SECStatus 
-       CRMF_CertRequestGetCertTemplateSerialNumber(CRMFCertRequest *inCertReq, 
-						   long         *serialNumber);
-
-/*
- * FUNCTION: CRMF_CertRequestGetCertTemplateSigningAlg
- * INPUT:
- *    inCertReq
- *        The Certificate Request to operate on.
- *    destAlg
- *        A Pointer to where the library can place a copy of the signing alg
- *        used in the cert request's cert template.
- * RETURN:
- * If the signingAlg is present in the CertRequest's CertTemplate, then
- * the function returns SECSuccess and places a copy of sigingAlg in 
- * *destAlg.
- * If no signingAlg is present, then the function returns SECFailure and
- * the value at *destAlg is un-changed
- */
-extern SECStatus 
-       CRMF_CertRequestGetCertTemplateSigningAlg(CRMFCertRequest *inCertReq,
-						 SECAlgorithmID  *destAlg);
-/*
- * FUNCTION: CRMF_CertRequestGetCertTemplateIssuer
- * INPUTS:
- *    inCertReq
- *        The Certificate Request to operate on.
- *    destIssuer
- *        A pointer to where the library can place a copy of the cert
- *        request's cert template issuer field.
- * RETURN:
- * If the issuer is present in the cert request cert template, the function 
- * returns SECSuccess and places a  copy of the issuer in *destIssuer.
- * If there is no issuer present, the funciton returns SECFailure and the
- * value at *destIssuer is unchanged.
- */
-extern SECStatus 
-       CRMF_CertRequestGetCertTemplateIssuer(CRMFCertRequest *inCertReq,
-					     CERTName        *destIssuer);
-
-/*
- * FUNCTION: CRMF_CertRequestGetCertTemplateValidity
- * INPUTS:
- *    inCertReq
- *        The Certificate Request to operate on.
- *    destValdity
- *        A pointer to where the library can place a copy of the validity
- *        info in the cert request cert template.
- * NOTES:
- * Pass the pointer to 
- * RETURN: 
- * If there is an OptionalValidity field, the function will return SECSuccess
- * and place the appropriate values in *destValidity->notBefore and 
- * *destValidity->notAfter. (Each field is optional, but at least one will
- * be present if the function returns SECSuccess)
- *
- * If there is no OptionalValidity field, the function will return SECFailure
- * and the values at *destValidity will be un-changed.
- */
-extern SECStatus 
-       CRMF_CertRequestGetCertTemplateValidity(CRMFCertRequest *inCertReq,
-					       CRMFGetValidity *destValidity);
-/*
- * FUNCTION: CRMF_DestroyGetValidity
- * INPUTS:
- *    inValidity
- *        A pointer to the memroy to be freed.
- * NOTES:
- * The function will free the memory allocated by the function 
- * CRMF_CertRequestGetCertTemplateValidity.  That means only memory pointed
- * to within the CRMFGetValidity structure.  Since 
- * CRMF_CertRequestGetCertTemplateValidity does not allocate memory for the
- * structure passed into it, it will not free it.  Meaning this function will
- * free the memory at inValidity->notBefore and inValidity->notAfter, but not
- * the memory directly at inValdity.
- *
- * RETURN:
- * SECSuccess if freeing the memory was successful.  Any other return value
- * indicates an error while freeing the memory.
- */
-extern SECStatus 
-       CRMF_DestroyGetValidity(CRMFGetValidity *inValidity);
-
-/*
- * FUNCTION: CRMF_CertRequestGetCertTemplateSubject
- * INPUTS:
- *    inCertReq
- *        The Certificate Request to operate on.
- *    destSubject
- *        A pointer to where the library can place a copy of the subject
- *        contained in the request's cert template.
- * RETURN:
- * If there is a subject in the CertTemplate, then the function returns 
- * SECSuccess and a copy of the subject is placed in *destSubject.
- *
- * If there is no subject, the function returns SECFailure and the values at
- * *destSubject is unchanged.
- */
-extern SECStatus 
-       CRMF_CertRequestGetCertTemplateSubject (CRMFCertRequest *inCertReq,
-					       CERTName        *destSubject);
-
-/*
- * FUNCTION: CRMF_CertRequestGetCertTemplatePublicKey
- * INPUTS:
- *    inCertReq
- *        The Cert request to operate on.
- *    destPublicKey
- *        A pointer to where the library can place a copy of the request's
- *        cert template public key.
- * RETURN:
- * If there is a publicKey parameter in the CertRequest, the function returns
- * SECSuccess, and places a copy of the publicKey in *destPublicKey.
- *
- * If there is no publicKey, the function returns SECFailure and the value
- * at *destPublicKey is un-changed.
- */
-extern SECStatus 
-       CRMF_CertRequestGetCertTemplatePublicKey(CRMFCertRequest *inCertReq,
-				      CERTSubjectPublicKeyInfo *destPublicKey);
-
-/*
- * FUNCTION: CRMF_CertRequestGetCertTemplateIssuerUID
- * INPUTS:
- *    inCertReq
- *        The Cert request to operate on.
- *    destIssuerUID
- *        A pointer to where the library can store a copy of the request's
- *        cert template destIssuerUID.
- *
- * NOTES: 
- * destIssuerUID is a bit string and will be returned in a SECItem as
- * a bit string.  Meaning the len field contains the number of valid bits as
- * opposed to the number of bytes allocated.
- *
- * RETURN:
- * If the CertTemplate has an issuerUID, the function returns SECSuccess and
- * places a copy of the issuerUID in *destIssuerUID.
- *
- * If there is no issuerUID, the function returns SECFailure and the value
- * *destIssuerUID is unchanged.
- */
-extern SECStatus 
-       CRMF_CertRequestGetCertTemplateIssuerUID(CRMFCertRequest *inCertReq,
-						SECItem        *destIssuerUID);
-
-/*
- * FUNCTION: CRMF_CertRequestGetCertTemplateSubjectUID
- *    inCertReq
- *        The Cert request to operate on.
- *    destSubjectUID
- *        A pointer to where the library can store a copy of the request's
- *        cert template destIssuerUID.
- *
- * NOTES: 
- * destSubjectUID is a bit string and will be returned in a SECItem as
- * a bit string.  Meaning the len field contains the number of valid bits as
- * opposed to the number of bytes allocated.
- *
- * RETURN:
- * If the CertTemplate has an issuerUID, the function returns SECSuccess and
- * places a copy of the issuerUID in *destIssuerUID.
- *
- * If there is no issuerUID, the function returns SECSuccess and the value
- * *destIssuerUID is unchanged.
- */
-extern SECStatus CRMF_GetCertTemplateSubjectUID(CRMFCertRequest *inCertReq,
-						SECItem       *destSubjectUID);
-
-/*
- * FUNCTION: CRMF_CertRequestGetNumberOfExtensions
- * INPUTS:
- *    inCertReq
- *        The cert request to operate on.
- * RETURN:
- *    Returns the number of extensions contained by the Cert Request.
- */
-extern int CRMF_CertRequestGetNumberOfExtensions(CRMFCertRequest *inCertReq);
-
-/*
- * FUNCTION: CRMF_CertRequestGetExtensionAtIndex
- * INPUTS:
- *    inCertReq
- *        The Certificate request to operate on.
- *    index
- *        The index of the extension array whihc the user wants to access.
- * NOTES:
- * This function retrieves the extension at the index corresponding to the 
- * parameter "index" indicates.  Indexing is done like a C array.  
- * (0 ... numElements-1)
- *
- * Call CRMF_DestroyCertExtension when done using the return value.
- *
- * RETURN:
- *    A pointer to a copy of the extension at the desired index.  A NULL 
- *    return value indicates an invalid index or an error while copying 
- *    the extension.
- */
-extern CRMFCertExtension *
-       CRMF_CertRequestGetExtensionAtIndex(CRMFCertRequest *inCertReq,
-					   int              index);
-/*
- * FUNCTION: CRMF_CertExtensionGetOidTag
- * INPUTS:
- *    inExtension
-
- *        The extension to operate on.
- * RETURN:
- *    Returns the SECOidTag associated with the cert extension passed in.
- */
-extern SECOidTag CRMF_CertExtensionGetOidTag(CRMFCertExtension *inExtension);
-
-/*
- * FUNCTION: CRMF_CertExtensionGetIsCritical
- * INPUT:
- *    inExt
- *        The cert extension to operate on.
- *
- * RETURN:
- * PR_TRUE if the extension is critical.
- * PR_FALSE if the extension is not critical.
- */
-extern PRBool CRMF_CertExtensionGetIsCritical(CRMFCertExtension *inExt);
-             
-/*
- * FUNCTION: CRMF_CertExtensionGetValue
- * INPUT:
- *    inExtension
- *        The extension to operate on.
- * NOTES:
- * Caller is responsible for freeing the memory associated with the return
- * value.  Call SECITEM_FreeItem(retVal, PR_TRUE) when done using the return
- * value.
- *
- * RETURN:
- * A pointer to an item containig the value for the certificate extension.
- * A NULL return value indicates an error in copying the information.
- */
-extern SECItem*  CRMF_CertExtensionGetValue(CRMFCertExtension *inExtension);
-
-/*
- * FUNCTION: CRMF_CertReqMsgGetPOPOSigningKey
- * INPUTS:
- *    inCertReqMsg
- *        The certificate request message to operate on.
- *    destKey
- *        A pointer to where the library can place a pointer to
- *        a copy of the Proof Of Possession Signing Key used 
- *        by the message.
- *
- * RETURN:
- * Get the POPOSigningKey associated with this CRMFCertReqMsg.  
- * If the CertReqMsg does not have a pop, the function returns
- * SECFailure and the value at *destKey is un-changed..
- *
- * If the CertReqMsg does have a pop, then the CertReqMsg's 
- * POPOSigningKey will be placed at *destKey.
- */
-extern SECStatus 
-       CRMF_CertReqMsgGetPOPOSigningKey(CRMFCertReqMsg      *inCertReqMsg,
-					CRMFPOPOSigningKey **destKey);
-
-/*
- * FUNCTION: CRMF_DestroyPOPOSigningKey
- * INPUTS:
- *    inKey
- *        The signing key to free.
- *
- * RETURN:
- * SECSuccess if freeing the memory was successful.  Any other return value
- * indicates an error while freeing memory.
- */
-extern SECStatus CRMF_DestroyPOPOSigningKey (CRMFPOPOSigningKey *inKey);
-
-/*
- * FUNCTION: CRMF_POPOSigningKeyGetAlgID
- * INPUTS:
- *    inSignKey
- *        The Signing Key to operate on.
- * RETURN:
- * Return the algorithmID used by the CRMFPOPOSigningKey.  User must
- * call SECOID_DestroyAlgorithmID(destID, PR_TRUE) when done using the
- * return value.
- */
-extern SECAlgorithmID* 
-       CRMF_POPOSigningKeyGetAlgID(CRMFPOPOSigningKey *inSignKey);
-
-/*
- * FUNCTION: CRMF_POPOSigningKeyGetSignature
- * INPUTS:
- *    inSignKey
- *        The Signing Key to operate on.
- *
- * RETURN:        
- * Get the actual signature stored away in the CRMFPOPOSigningKey.  SECItem
- * returned is a BIT STRING, so the len field is the number of bits as opposed
- * to the total number of bytes allocatd.  User must call 
- * SECITEM_FreeItem(retVal,PR_TRUE) when done using the return value.
- */
-extern SECItem* CRMF_POPOSigningKeyGetSignature(CRMFPOPOSigningKey *inSignKey);
-
-/*
- * FUNCTION: CRMF_POPOSigningKeyGetInput
- * INPUTS:
- *    inSignKey
- *        The Signing Key to operate on.
- * NOTES:
- * This function will return the der encoded input that was read in while 
- * decoding.  The API does not support this option when creating, so you
- * cannot add this field.
- *
- * RETURN:
- * Get the poposkInput that is part of the of the POPOSigningKey. If the
- * optional field is not part of the POPOSigningKey, the function returns
- * NULL.
- *
- * If the optional field is part of the POPOSingingKey, the function will
- * return a copy of the der encoded poposkInput.
- */
-extern SECItem* CRMF_POPOSigningKeyGetInput(CRMFPOPOSigningKey *inSignKey);
-
-/*
- * FUNCTION: CRMF_CertReqMsgGetPOPKeyEncipherment
- * INPUTS:
- *    inCertReqMsg
- *        The certificate request message to operate on.
- *    destKey
- *        A pointer to where the library can place a pointer to a 
- *        copy of the POPOPrivKey representing Key Encipherment 
- *        Proof of Possession.
- *NOTES:
- * This function gets the POPOPrivKey associated with this CRMFCertReqMsg 
- * for Key Encipherment.  
- *
- * RETURN:
- * If the CertReqMsg did not use Key Encipherment for Proof Of Possession, the
- * function returns SECFailure and the value at *destKey is un-changed.
- *
- * If the CertReqMsg did use Key Encipherment for ProofOfPossession, the
- * function returns SECSuccess and places the POPOPrivKey representing the
- * Key Encipherment Proof Of Possessin at *destKey.
- */
-extern SECStatus 
-       CRMF_CertReqMsgGetPOPKeyEncipherment(CRMFCertReqMsg   *inCertReqMsg,
-					    CRMFPOPOPrivKey **destKey);
-
-/*
- * FUNCTION: CRMF_CertReqMsgGetPOPKeyAgreement
- * INPUTS:
- *    inCertReqMsg
- *        The certificate request message to operate on.
- *    destKey
- *        A pointer to where the library can place a pointer to a 
- *        copy of the POPOPrivKey representing Key Agreement 
- *        Proof of Possession.
- * NOTES:
- * This function gets the POPOPrivKey associated with this CRMFCertReqMsg for 
- * Key Agreement.  
- *
- * RETURN:
- * If the CertReqMsg used Key Agreement for Proof Of Possession, the
- * function returns SECSuccess and the POPOPrivKey for Key Agreement
- * is placed at *destKey.
- *
- * If the CertReqMsg did not use Key Agreement for Proof Of Possession, the
- * function return SECFailure and the value at *destKey is unchanged.
- */
-extern SECStatus 
-       CRMF_CertReqMsgGetPOPKeyAgreement(CRMFCertReqMsg   *inCertReqMsg,
-					 CRMFPOPOPrivKey **destKey);
-
-/* 
- * FUNCTION: CRMF_DestroyPOPOPrivKey
- * INPUTS:
- *    inPrivKey
- *        The POPOPrivKey to destroy.
- * NOTES:
- * Destroy a structure allocated by CRMF_GetPOPKeyEncipherment or
- * CRMF_GetPOPKeyAgreement.
- *
- * RETURN:
- * SECSuccess on successful destruction of the POPOPrivKey.
- * Any other return value indicates an error in freeing the 
- * memory.
- */
-extern SECStatus CRMF_DestroyPOPOPrivKey(CRMFPOPOPrivKey *inPrivKey);
-
-/* 
- * FUNCTION: CRMF_POPOPrivKeyGetChoice
- * INPUT:
- *    inKey
- *        The POPOPrivKey to operate on.
- * RETURN:
- * Returns which choice was used in constructing the POPPOPrivKey. Look at
- * the definition of CRMFPOPOPrivKeyChoice in crmft.h for the possible return
- * values.
- */
-extern CRMFPOPOPrivKeyChoice CRMF_POPOPrivKeyGetChoice(CRMFPOPOPrivKey *inKey);
-
-/*
- * FUNCTION: CRMF_POPOPrivKeyGetThisMessage
- * INPUTS:
- *    inKey
- *        The POPOPrivKey to operate on.
- *    destString
- *        A pointer to where the library can place a copy of the This Message
- *        field stored in the POPOPrivKey
- *
- * RETURN:
- * Returns the field thisMessage from the POPOPrivKey.  
- * If the POPOPrivKey did not use the field thisMessage, the function
- * returns SECFailure and the value at *destString is unchanged.
- *
- * If the POPOPrivKey did use the field thisMessage, the function returns
- * SECSuccess and the BIT STRING representing thisMessage is placed
- * at *destString. BIT STRING representation means the len field is the
- * number of valid bits as opposed to the total number of bytes.
- */
-extern SECStatus CRMF_POPOPrivKeyGetThisMessage(CRMFPOPOPrivKey  *inKey,
-						SECItem          *destString);
-
-/*
- * FUNCTION: CRMF_POPOPrivKeyGetSubseqMess
- * INPUTS:
- *    inKey
- *        The POPOPrivKey to operate on.
- *    destOpt
- *        A pointer to where the library can place the value of the 
- *        Subsequent Message option used by POPOPrivKey.
- *
- * RETURN:
- * Retrieves the field subsequentMessage from the POPOPrivKey.  
- * If the POPOPrivKey used the subsequentMessage option, the function 
- * returns SECSuccess and places the appropriate enumerated value at
- * *destMessageOption.
- *
- * If the POPOPrivKey did not use the subsequenMessage option, the function
- * returns SECFailure and the value at *destOpt is un-changed.
- */
-extern SECStatus CRMF_POPOPrivKeyGetSubseqMess(CRMFPOPOPrivKey       *inKey,
-					       CRMFSubseqMessOptions *destOpt);
-
-/*
- * FUNCTION: CRMF_POPOPrivKeyGetDHMAC
- * INPUTS:
- *    inKey
- *        The POPOPrivKey to operate on.
- *    destMAC
- *        A pointer to where the library can place a copy of the dhMAC
- *        field of the POPOPrivKey.
- *        
- * NOTES:
- * Returns the field dhMAC from the POPOPrivKey.  The populated SECItem 
- * is in BIT STRING format.
- *
- * RETURN:
- * If the POPOPrivKey used the dhMAC option, the function returns SECSuccess
- * and the BIT STRING for dhMAC will be placed at *destMAC.  The len field in
- * destMAC (ie destMAC->len) will be the valid number of bits as opposed to
- * the number of allocated bytes.
- *
- * If the POPOPrivKey did not use the dhMAC option, the function returns
- * SECFailure and the value at *destMAC is unchanged.
- * 
- */
-extern SECStatus CRMF_POPOPrivKeyGetDHMAC(CRMFPOPOPrivKey *inKey,
-					  SECItem         *destMAC);
-
-/*
- * FUNCTION: CRMF_CertRequestGetNumControls
- * INPUTS: 
- *    inCertReq
- *        The Certificate Request to operate on.
- * RETURN:
- * Returns the number of Controls registered with this CertRequest.
- */
-extern int CRMF_CertRequestGetNumControls (CRMFCertRequest *inCertReq);
-
-/*
- * FUNCTION: CRMF_CertRequestGetControlAtIndex
- * INPUTS:
- *    inCertReq
- *        The certificate request to operate on.
- *    index
- *        The index of the control the user wants a copy of.
- * NOTES:
- * Function retrieves the Control at located at index.  The Controls 
- * are numbered like a traditional C array (0 ... numElements-1)
- *
- * RETURN:
- * Returns a copy of the control at the index specified.  This is a copy
- * so the user must call CRMF_DestroyControl after the return value is no 
- * longer needed.  A return value of NULL indicates an error while copying
- * the control or that the index was invalid.
- */
-extern CRMFControl* 
-       CRMF_CertRequestGetControlAtIndex(CRMFCertRequest *inCertReq, 
-					 int              index);
-
-/*
- * FUNCTION: CRMF_DestroyControl
- * INPUTS:
- *    inControl
- *        The Control to destroy.
- * NOTES:
- * Destroy a CRMFControl allocated by CRMF_GetControlAtIndex.
- *
- * RETURN:
- * SECSuccess if freeing the memory was successful.  Any other return
- * value indicates an error while freeing the memory.
- */
-extern SECStatus CRMF_DestroyControl(CRMFControl *inControl);
-
-/*
- * FUNCTION: CRMF_ControlGetControlType
- * INPUTS:
- *    inControl
- *        The control to operate on.
- * NOTES:
- * The function returns an enumertion which indicates the type of control
- * 'inControl'.
- *
- * RETURN:
- * Look in crmft.h at the definition of the enumerated type CRMFControlType
- * for the possible return values.
- */
-extern CRMFControlType CRMF_ControlGetControlType(CRMFControl *inControl);
-
-/*
- * FUNCTION: CRMF_ControlGetRegTokenControlValue
- * INPUTS:
- *    inControl
- *        The Control to operate on.
- * NOTES:
- * The user must call SECITEM_FreeItem passing in the return value
- * after the returnvalue is no longer needed.
-
- * RETURN:
- * Return the value for a Registration Token Control.
- * The SECItem returned should be in UTF8 format.  A NULL
- * return value indicates there was no Registration Control associated
- * with the Control.
- * (This library will not verify format.  It assumes the client properly 
- * formatted the strings when adding it or the message decoded was properly 
- * formatted.  The library will just give back the bytes it was given.)
- */
-extern SECItem* CRMF_ControlGetRegTokenControlValue(CRMFControl *inControl);
-
-/*
- * FUNCTION: CRMF_ControlGetAuthenticatorControlValue
- * INPUTS:
- *    inControl
- *        The Control to operate on.
- * NOTES:
- * The user must call SECITEM_FreeItem passing in the return value
- * after the returnvalue is no longer needed.
- *
- * RETURN:
- * Return the value for the Authenticator Control.
- * The SECItem returned should be in UTF8 format.  A NULL
- * return value indicates there was no Authenticator Control associated
- * with the CRMFControl..
- * (This library will not verify format.  It assumes the client properly 
- * formatted the strings when adding it or the message decoded was properly 
- * formatted.  The library will just give back the bytes it was given.)
- */
-extern SECItem* CRMF_ControlGetAuthicatorControlValue(CRMFControl *inControl);
-
-/*
- * FUNCTION: CRMF_ControlGetPKIArchiveOptions
- * INPUTS:inControl
- *    The Control tooperate on.
- * NOTES:
- * This function returns a copy of the PKIArchiveOptions.  The user must call
- * the function CRMF_DestroyPKIArchiveOptions when the return value is no
- * longer needed.
- *
- * RETURN:
- * Get the PKIArchiveOptions associated with the Control.  A return
- * value of NULL indicates the Control was not a PKIArchiveOptions 
- * Control.
- */
-extern CRMFPKIArchiveOptions* 
-       CRMF_ControlGetPKIArchiveOptions(CRMFControl *inControl);
-  
-/*
- * FUNCTION: CMRF_DestroyPKIArchiveOptions
- * INPUTS:
- *    inOptions
- *        The ArchiveOptions to destroy.
- * NOTE:
- * Destroy the CRMFPKIArchiveOptions structure.
- *
- * RETURN:
- * SECSuccess if successful in freeing all the memory associated with 
- * the PKIArchiveOptions.  Any other return value indicates an error while
- * freeing the PKIArchiveOptions.
- */
-extern SECStatus 
-       CRMF_DestroyPKIArchiveOptions(CRMFPKIArchiveOptions *inOptions);
-
-/*
- * FUNCTION: CRMF_PKIArchiveOptionsGetOptionType
- * INPUTS:
- *    inOptions
- *        The PKIArchiveOptions to operate on.
- * RETURN:
- * Returns the choice used for the PKIArchiveOptions.  Look at the definition
- * of CRMFPKIArchiveOptionsType in crmft.h for possible return values.
- */
-extern CRMFPKIArchiveOptionsType
-       CRMF_PKIArchiveOptionsGetOptionType(CRMFPKIArchiveOptions *inOptions);
-
-/*
- * FUNCTION: CRMF_PKIArchiveOptionsGetEncryptedPrivKey
- * INPUTS:
- *    inOpts
- *        The PKIArchiveOptions to operate on.
- * 
- * NOTES:
- * The user must call CRMF_DestroyEncryptedKey when done using this return
- * value.
- *
- * RETURN:
- * Get the encryptedPrivKey field of the PKIArchiveOptions structure.
- * A return value of NULL indicates that encryptedPrivKey was not used as
- * the choice for this PKIArchiveOptions.
- */
-extern CRMFEncryptedKey*
-      CRMF_PKIArchiveOptionsGetEncryptedPrivKey(CRMFPKIArchiveOptions *inOpts);
-
-/*
- * FUNCTION: CRMF_EncryptedKeyGetChoice
- * INPUTS:
- *    inEncrKey
- *        The EncryptedKey to operate on.
- *
- * NOTES:
- * Get the choice used for representing the EncryptedKey.
- *
- * RETURN:
- * Returns the Choice used in representing the EncryptedKey.  Look in 
- * crmft.h at the definition of CRMFEncryptedKeyChoice for possible return
- * values.
- */
-extern CRMFEncryptedKeyChoice 
-       CRMF_EncryptedKeyGetChoice(CRMFEncryptedKey *inEncrKey);
-
-
-/*
- * FUNCTION: CRMF_EncryptedKeyGetEncryptedValue
- * INPUTS:
- *    inKey
- *        The EncryptedKey to operate on.
- *
- * NOTES:
- * The user must call CRMF_DestroyEncryptedValue passing in 
- * CRMF_GetEncryptedValue's return value.
- *
- * RETURN:
- * A pointer to a copy of the EncryptedValue contained as a member of
- * the EncryptedKey.
- */
-extern CRMFEncryptedValue* 
-       CRMF_EncryptedKeyGetEncryptedValue(CRMFEncryptedKey *inKey);
-
-/*
- * FUNCTION: CRMF_DestroyEncryptedValue
- * INPUTS:
- *    inEncrValue
- *        The EncryptedValue to destroy.
- *
- * NOTES:
- * Free up all memory associated with 'inEncrValue'.
- *
- * RETURN:
- * SECSuccess if freeing up the memory associated with the EncryptedValue
- * is successful. Any other return value indicates an error while freeing the
- * memory.
- */
-extern SECStatus CRMF_DestroyEncryptedValue(CRMFEncryptedValue *inEncrValue);
-
-/*
- * FUNCTION: CRMF_EncryptedValueGetEncValue
- * INPUTS:
- *    inEncValue
- *        The EncryptedValue to operate on.
- * NOTES:
- * Function retrieves the encValue from an EncryptedValue structure.
- *
- * RETURN:
- * A poiner to a SECItem containing the encValue of the EncryptedValue
- * structure.  The return value is in BIT STRING format, meaning the
- * len field of the return structure represents the number of valid bits
- * as opposed to the allocated number of bytes.
- * ANULL return value indicates an error in copying the encValue field.
- */
-extern SECItem* CRMF_EncryptedValueGetEncValue(CRMFEncryptedValue *inEncValue);
-
-/*
- * FUNCTION: CRMF_EncryptedValueGetIntendedAlg
- * INPUTS
- *    inEncValue
- *        The EncryptedValue to operate on.
- * NOTES:
- * Retrieve the IntendedAlg field from the EncryptedValue structure.
- * Call SECOID_DestroyAlgorithmID (destAlgID, PR_TRUE) after done using
- * the return value.  When present, this alogorithm is the alogrithm for
- * which the private key will be used.
- *
- * RETURN:
- * A Copy of the intendedAlg field.  A NULL return value indicates the
- * optional field was not present in the structure.
- */
-extern SECAlgorithmID* 
-       CRMF_EncryptedValueGetIntendedAlg(CRMFEncryptedValue  *inEncValue);
-
-
-/*
- * FUNCTION: CRMF_EncryptedValueGetSymmAlg
- * INPUTS
- *    inEncValue
- *        The EncryptedValue to operate on.
- * NOTES:
- * Retrieve the symmAlg field from the EncryptedValue structure.
- * Call SECOID_DestroyAlgorithmID (destAlgID, PR_TRUE) after done using
- * the return value.  When present, this is algorithm used to
- * encrypt the encValue of the EncryptedValue.
- *
- * RETURN:
- * A Copy of the symmAlg field.  A NULL return value indicates the
- * optional field was not present in the structure.
- */
-extern SECAlgorithmID* 
-       CRMF_EncryptedValueGetSymmAlg(CRMFEncryptedValue  *inEncValue);
-
-
-/*
- * FUNCTION: CRMF_EncryptedValueGetKeyAlg
- * INPUTS
- *    inEncValue
- *        The EncryptedValue to operate on.
- * NOTES:
- * Retrieve the keyAlg field from the EncryptedValue structure.
- * Call SECOID_DestroyAlgorithmID (destAlgID, PR_TRUE) after done using
- * the return value.  When present, this is the algorithm used to encrypt
- * the symmetric key in the encSymmKey field of the EncryptedValue structure.
- *
- * RETURN:
- * A Copy of the keyAlg field.  A NULL return value indicates the
- * optional field was not present in the structure.
- */
-extern SECAlgorithmID* 
-       CRMF_EncryptedValueGetKeyAlg(CRMFEncryptedValue *inEncValue);
-
-/*
- * FUNCTION: CRMF_EncryptedValueGetValueHint
- * INPUTS:
- *    inEncValue
- *        The EncryptedValue to operate on.
- *
- * NOTES:
- * Return a copy of the der-encoded value hint.
- * User must call SECITEM_FreeItem(retVal, PR_TRUE) when done using the
- * return value.  When, present, this is a value that the client which
- * originally issued a certificate request can use to reproduce any data
- * it wants.  The RA does not know how to interpret this data.
- *
- * RETURN:
- * A copy of the valueHint field of the EncryptedValue.  A NULL return
- * value indicates the optional valueHint field is not present in the
- * EncryptedValue.
- */
-extern SECItem* 
-       CRMF_EncryptedValueGetValueHint(CRMFEncryptedValue  *inEncValue);
-
-/*
- * FUNCTION: CRMF_EncrypteValueGetEncSymmKey
- * INPUTS: 
- *    inEncValue
- *        The EncryptedValue to operate on.
- *
- * NOTES:
- * Return a copy of the encSymmKey field. This field is the encrypted
- * symmetric key that the client uses in doing Public Key wrap of a private
- * key.  When present, this is the symmetric key that was used to wrap the
- * private key.  (The encrypted private key will be stored in encValue
- * of the same EncryptedValue structure.)  The user must call 
- * SECITEM_FreeItem(retVal, PR_TRUE) when the return value is no longer
- * needed.
- *
- * RETURN:
- * A copy of the optional encSymmKey field of the EncryptedValue structure.
- * The return value will be in BIT STRING format, meaning the len field will
- * be the number of valid bits as opposed to the number of bytes. A return 
- * value of NULL means the optional encSymmKey field was not present in
- * the EncryptedValue structure.
- */
-extern SECItem* 
-       CRMF_EncryptedValueGetEncSymmKey(CRMFEncryptedValue *inEncValue);
-
-/*
- * FUNCTION: CRMF_PKIArchiveOptionsGetKeyGenParameters
- * INPUTS:
- *    inOptions
- *        The PKiArchiveOptions to operate on.
- *
- * NOTES:
- * User must call SECITEM_FreeItem(retVal, PR_TRUE) after the return 
- * value is no longer needed.
- *
- * RETURN:
- * Get the keyGenParameters field of the PKIArchiveOptions.
- * A NULL return value indicates that keyGenParameters was not 
- * used as the choice for this PKIArchiveOptions.
- *
- * The SECItem returned is in BIT STRING format (ie, the len field indicates
- * number of valid bits as opposed to allocated number of bytes.)
- */
-extern SECItem* 
-   CRMF_PKIArchiveOptionsGetKeyGenParameters(CRMFPKIArchiveOptions *inOptions);
-
-/*
- * FUNCTION: CRMF_PKIArchiveOptionsGetArchiveRemGenPrivKey
- * INPUTS:
- *    inOpt
- *        The PKIArchiveOptions to operate on.
- *    destVal
- *        A pointer to where the library can place the value for 
- *        arciveRemGenPrivKey
- * RETURN:
- * If the PKIArchiveOptions used the archiveRemGenPrivKey field, the
- * function returns SECSuccess and fills the value at *destValue with either
- * PR_TRUE or PR_FALSE, depending on what the PKIArchiveOptions has as a 
- * value. 
- *
- * If the PKIArchiveOptions does not use the archiveRemGenPrivKey field, the
- * function returns SECFailure and the value at *destValue is unchanged.
- */
-extern SECStatus 
-    CRMF_PKIArchiveOptionsGetArchiveRemGenPrivKey(CRMFPKIArchiveOptions *inOpt,
-						  PRBool             *destVal);
-
-/* Helper functions that can be used by other libraries. */
-/*
- * A quick helper funciton to get the best wrap mechanism.
- */
-extern CK_MECHANISM_TYPE CRMF_GetBestWrapPadMechanism(PK11SlotInfo *slot); 
-
-/*
- * A helper function to get a randomly generated IV from a mechanism 
- * type.
- */
-extern SECItem* CRMF_GetIVFromMechanism(CK_MECHANISM_TYPE mechType);
- 
-SEC_END_PROTOS
-#endif /*_CRMF_H_*/
-
-
diff --git a/security/nss/lib/crmf/crmfcont.c b/security/nss/lib/crmf/crmfcont.c
deleted file mode 100644
index b609e84ea..000000000
--- a/security/nss/lib/crmf/crmfcont.c
+++ /dev/null
@@ -1,1175 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "crmf.h"
-#include "crmfi.h"
-#include "pk11func.h"
-#include "keyhi.h"
-#include "secoid.h"
-
-static SECStatus
-crmf_modify_control_array (CRMFCertRequest *inCertReq, int count)
-{
-    if (count > 0) {
-        void *dummy = PORT_Realloc(inCertReq->controls, 
-				   sizeof(CRMFControl*)*(count+2));
-	if (dummy == NULL) {
-	    return SECFailure;
-	}
-	inCertReq->controls = dummy;
-    } else {
-        inCertReq->controls = PORT_ZNewArray(CRMFControl*, 2);
-    }
-    return (inCertReq->controls == NULL) ? SECFailure : SECSuccess ;
-}
-
-static SECStatus
-crmf_add_new_control(CRMFCertRequest *inCertReq,SECOidTag inTag,
-		     CRMFControl **destControl)
-{
-    SECOidData  *oidData;
-    SECStatus    rv;
-    PRArenaPool *poolp;
-    int          numControls = 0;
-    CRMFControl *newControl;
-    CRMFControl **controls;
-    void        *mark;
-
-    poolp = inCertReq->poolp;
-    if (poolp == NULL) {
-        return SECFailure;
-    }
-    mark = PORT_ArenaMark(poolp);
-    if (inCertReq->controls != NULL) {
-        while (inCertReq->controls[numControls] != NULL)
-	    numControls++;
-    }
-    rv = crmf_modify_control_array(inCertReq, numControls);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    controls = inCertReq->controls;
-    oidData = SECOID_FindOIDByTag(inTag);
-    newControl = *destControl = PORT_ArenaZNew(poolp,CRMFControl);
-    if (newControl == NULL) {
-        goto loser;
-    }
-    rv = SECITEM_CopyItem(poolp, &newControl->derTag, &oidData->oid);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    newControl->tag = inTag;
-    controls[numControls] = newControl;
-    controls[numControls+1] = NULL;
-    PORT_ArenaUnmark(poolp, mark);
-    return SECSuccess;
-
- loser:
-    PORT_ArenaRelease(poolp, mark);
-    *destControl = NULL;
-    return SECFailure;
-			  
-}
-
-SECStatus
-crmf_add_secitem_control(CRMFCertRequest *inCertReq, SECItem *value,
-			 SECOidTag inTag)
-{
-    SECStatus    rv;
-    CRMFControl *newControl;
-    void        *mark;
-
-    rv = crmf_add_new_control(inCertReq, inTag, &newControl);
-    if (rv != SECSuccess) {
-        return rv;
-    }
-    mark = PORT_ArenaMark(inCertReq->poolp);
-    rv = SECITEM_CopyItem(inCertReq->poolp, &newControl->derValue, value);
-    if (rv != SECSuccess) {
-        PORT_ArenaRelease(inCertReq->poolp, mark);
-	return rv;
-    }
-    PORT_ArenaUnmark(inCertReq->poolp, mark);
-    return SECSuccess;
-}
-
-SECStatus
-CRMF_CertRequestSetRegTokenControl(CRMFCertRequest *inCertReq, SECItem *value)
-{
-    return crmf_add_secitem_control(inCertReq, value, 
-				    SEC_OID_PKIX_REGCTRL_REGTOKEN);
-}
-
-SECStatus
-CRMF_CertRequestSetAuthenticatorControl (CRMFCertRequest *inCertReq, 
-					 SECItem         *value)
-{
-    return crmf_add_secitem_control(inCertReq, value, 
-				    SEC_OID_PKIX_REGCTRL_AUTHENTICATOR);
-}
-
-SECStatus
-crmf_destroy_encrypted_value(CRMFEncryptedValue *inEncrValue, PRBool freeit)
-{
-    if (inEncrValue != NULL) {
-        if (inEncrValue->intendedAlg) {
-	    SECOID_DestroyAlgorithmID(inEncrValue->intendedAlg, PR_TRUE);
-	}
-	if (inEncrValue->symmAlg) {
-	    SECOID_DestroyAlgorithmID(inEncrValue->symmAlg, PR_TRUE);
-	}
-        if (inEncrValue->encSymmKey.data) {
-	    PORT_Free(inEncrValue->encSymmKey.data);
-	}
-	if (inEncrValue->keyAlg) {
-	    SECOID_DestroyAlgorithmID(inEncrValue->keyAlg, PR_TRUE);
-	}
-	if (inEncrValue->valueHint.data) {
-	    PORT_Free(inEncrValue->valueHint.data);
-	}
-        if (inEncrValue->encValue.data) {
-	    PORT_Free(inEncrValue->encValue.data);
-	}
-	if (freeit) {
-	    PORT_Free(inEncrValue);
-	}
-    }
-    return SECSuccess;
-}
-
-SECStatus
-CRMF_DestroyEncryptedValue(CRMFEncryptedValue *inEncrValue)
-{
-    return crmf_destroy_encrypted_value(inEncrValue, PR_TRUE);
-}
-
-SECStatus
-crmf_copy_encryptedvalue_secalg(PRArenaPool     *poolp,
-				SECAlgorithmID  *srcAlgId,
-				SECAlgorithmID **destAlgId)
-{
-    SECAlgorithmID *newAlgId;
-
-    *destAlgId = newAlgId = (poolp != NULL) ?
-                            PORT_ArenaZNew(poolp, SECAlgorithmID) :
-                            PORT_ZNew(SECAlgorithmID);
-    if (newAlgId == NULL) {
-        return SECFailure;
-    }
-    
-    return SECOID_CopyAlgorithmID(poolp, newAlgId, srcAlgId);
-}
-
-SECStatus
-crmf_copy_encryptedvalue(PRArenaPool        *poolp,
-			 CRMFEncryptedValue *srcValue,
-			 CRMFEncryptedValue *destValue)
-{
-    SECStatus           rv;
-
-    if (srcValue->intendedAlg != NULL) {
-        rv = crmf_copy_encryptedvalue_secalg(poolp,
-					     srcValue->intendedAlg,
-					     &destValue->intendedAlg);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-    }
-    if (srcValue->symmAlg != NULL) {
-        rv = crmf_copy_encryptedvalue_secalg(poolp, 
-					     srcValue->symmAlg,
-					     &destValue->symmAlg);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-    }
-    if (srcValue->encSymmKey.data != NULL) {
-        rv = crmf_make_bitstring_copy(poolp, 
-				      &destValue->encSymmKey,
-				      &srcValue->encSymmKey);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-    }
-    if (srcValue->keyAlg != NULL) {
-        rv = crmf_copy_encryptedvalue_secalg(poolp,
-					     srcValue->keyAlg,
-					     &destValue->keyAlg);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-    }
-    if (srcValue->valueHint.data != NULL) {
-        rv = SECITEM_CopyItem(poolp, 
-			      &destValue->valueHint,
-			      &srcValue->valueHint);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-    }
-    if (srcValue->encValue.data != NULL) {
-        rv = crmf_make_bitstring_copy(poolp,
-				      &destValue->encValue,
-				      &srcValue->encValue);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-    }
-    return SECSuccess;
- loser:
-    if (poolp == NULL && destValue != NULL) {
-        crmf_destroy_encrypted_value(destValue, PR_TRUE);
-    }
-    return SECFailure;
-}
-
-SECStatus 
-crmf_copy_encryptedkey(PRArenaPool       *poolp,
-		       CRMFEncryptedKey  *srcEncrKey,
-		       CRMFEncryptedKey  *destEncrKey)
-{
-    SECStatus          rv;
-    void              *mark = NULL;
-
-    if (poolp != NULL) {
-        mark = PORT_ArenaMark(poolp);
-    }
-
-    switch (srcEncrKey->encKeyChoice) {
-    case crmfEncryptedValueChoice:
-        rv = crmf_copy_encryptedvalue(poolp, 
-				      &srcEncrKey->value.encryptedValue,
-				      &destEncrKey->value.encryptedValue);
-	break;
-    case crmfEnvelopedDataChoice:
-        destEncrKey->value.envelopedData = 
-	    SEC_PKCS7CopyContentInfo(srcEncrKey->value.envelopedData);
-        rv = (destEncrKey->value.envelopedData != NULL) ? SECSuccess:
-	                                                  SECFailure;
-        break;
-    default:
-        rv = SECFailure;
-    }
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    destEncrKey->encKeyChoice = srcEncrKey->encKeyChoice;
-    if (mark) {
-    	PORT_ArenaUnmark(poolp, mark);
-    }
-    return SECSuccess;
-
- loser:
-    if (mark) {
-        PORT_ArenaRelease(poolp, mark);
-    }
-    return SECFailure;
-}
-
-CRMFPKIArchiveOptions*
-crmf_create_encr_pivkey_option(CRMFEncryptedKey *inEncryptedKey)
-{
-    CRMFPKIArchiveOptions *newArchOpt;
-    SECStatus              rv;
-
-    newArchOpt = PORT_ZNew(CRMFPKIArchiveOptions);
-    if (newArchOpt == NULL) {
-        goto loser;
-    }
-
-    rv = crmf_copy_encryptedkey(NULL, inEncryptedKey,
-				&newArchOpt->option.encryptedKey);
-    
-    if (rv != SECSuccess) {
-      goto loser;
-    }
-    newArchOpt->archOption = crmfEncryptedPrivateKey;
-    return newArchOpt;
- loser:
-    if (newArchOpt != NULL) {
-        CRMF_DestroyPKIArchiveOptions(newArchOpt);
-    }
-    return NULL;
-}
-
-static CRMFPKIArchiveOptions*
-crmf_create_keygen_param_option(SECItem *inKeyGenParams)
-{
-    CRMFPKIArchiveOptions *newArchOptions;
-    SECStatus              rv;
-
-    newArchOptions = PORT_ZNew(CRMFPKIArchiveOptions);
-    if (newArchOptions == NULL) {
-        goto loser;
-    }
-    newArchOptions->archOption = crmfKeyGenParameters;
-    rv = SECITEM_CopyItem(NULL, &newArchOptions->option.keyGenParameters,
-			  inKeyGenParams);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    return newArchOptions;
- loser:
-    if (newArchOptions != NULL) {
-        CRMF_DestroyPKIArchiveOptions(newArchOptions);
-    }
-    return NULL;
-}
-
-static CRMFPKIArchiveOptions*
-crmf_create_arch_rem_gen_privkey(PRBool archiveRemGenPrivKey)
-{
-    unsigned char          value;
-    SECItem               *dummy;
-    CRMFPKIArchiveOptions *newArchOptions;
-
-    value = (archiveRemGenPrivKey) ? hexTrue : hexFalse;
-    newArchOptions = PORT_ZNew(CRMFPKIArchiveOptions);
-    if (newArchOptions == NULL) {
-        goto loser;
-    }
-    dummy = SEC_ASN1EncodeItem(NULL, 
-			       &newArchOptions->option.archiveRemGenPrivKey,
-			       &value, SEC_ASN1_GET(SEC_BooleanTemplate));
-    PORT_Assert (dummy == &newArchOptions->option.archiveRemGenPrivKey);
-    if (dummy != &newArchOptions->option.archiveRemGenPrivKey) {
-        SECITEM_FreeItem (dummy, PR_TRUE);
-	goto loser;
-    }
-    newArchOptions->archOption = crmfArchiveRemGenPrivKey;
-    return newArchOptions;
- loser:
-    if (newArchOptions != NULL) {
-        CRMF_DestroyPKIArchiveOptions(newArchOptions);
-    }
-    return NULL;
-}
-
-CRMFPKIArchiveOptions*
-CRMF_CreatePKIArchiveOptions(CRMFPKIArchiveOptionsType inType, void *data)
-{
-    CRMFPKIArchiveOptions* retOptions;
-
-    PORT_Assert(data != NULL);
-    if (data == NULL) {
-        return NULL;
-    }
-    switch(inType) {
-    case crmfEncryptedPrivateKey:
-        retOptions = crmf_create_encr_pivkey_option((CRMFEncryptedKey*)data);
-	break;
-    case crmfKeyGenParameters:
-        retOptions = crmf_create_keygen_param_option((SECItem*)data);
-	break;
-    case crmfArchiveRemGenPrivKey:
-        retOptions = crmf_create_arch_rem_gen_privkey(*(PRBool*)data);
-	break;
-    default:
-        retOptions = NULL;
-    }
-    return retOptions;
-}
-
-static SECStatus
-crmf_destroy_encrypted_key(CRMFEncryptedKey *inEncrKey, PRBool freeit)
-{ 
-    PORT_Assert(inEncrKey != NULL);
-    if (inEncrKey != NULL) {
-        switch (inEncrKey->encKeyChoice){
-	case crmfEncryptedValueChoice:
-            crmf_destroy_encrypted_value(&inEncrKey->value.encryptedValue, 
-					 PR_FALSE);
-	    break;
-	case crmfEnvelopedDataChoice:
-	    SEC_PKCS7DestroyContentInfo(inEncrKey->value.envelopedData);
-            break;
-        default:
-            break;
-        }
-        if (freeit) {
-            PORT_Free(inEncrKey);
-        }
-    }
-    return SECSuccess;
-}
-
-SECStatus 
-crmf_destroy_pkiarchiveoptions(CRMFPKIArchiveOptions *inArchOptions, 
-			       PRBool                 freeit)
-{
-    PORT_Assert(inArchOptions != NULL);
-    if (inArchOptions != NULL) {
-        switch (inArchOptions->archOption) {
-	case crmfEncryptedPrivateKey:
-	    crmf_destroy_encrypted_key(&inArchOptions->option.encryptedKey,
-				       PR_FALSE);
-	    break;
-	case crmfKeyGenParameters:
-	case crmfArchiveRemGenPrivKey:
-	    /* This is a union, so having a pointer to one is like
-	     * having a pointer to both.  
-	     */
-	    SECITEM_FreeItem(&inArchOptions->option.keyGenParameters, 
-			     PR_FALSE);
-	    break;
-        case crmfNoArchiveOptions:
-            break;
-	}
-	if (freeit) {
-	    PORT_Free(inArchOptions);
-	}
-    }
-    return SECSuccess;
-}
-
-SECStatus
-CRMF_DestroyPKIArchiveOptions(CRMFPKIArchiveOptions *inArchOptions) 
-{
-    return crmf_destroy_pkiarchiveoptions(inArchOptions, PR_TRUE);
-}
-
-static CK_MECHANISM_TYPE
-crmf_get_non_pad_mechanism(CK_MECHANISM_TYPE type)
-{
-    switch (type) {
-    case CKM_DES3_CBC_PAD:
-        return CKM_DES3_CBC;
-    case CKM_CAST5_CBC_PAD:
-        return CKM_CAST5_CBC;
-    case CKM_DES_CBC_PAD:
-        return CKM_DES_CBC;
-    case CKM_IDEA_CBC_PAD:
-        return CKM_IDEA_CBC;
-    case CKM_CAST3_CBC_PAD:
-        return CKM_CAST3_CBC;
-    case CKM_CAST_CBC_PAD:
-        return CKM_CAST_CBC;
-    case CKM_RC5_CBC_PAD:
-        return CKM_RC5_CBC;
-    case CKM_RC2_CBC_PAD:
-        return CKM_RC2_CBC;
-    case CKM_CDMF_CBC_PAD:
-        return CKM_CDMF_CBC;
-    }
-    return type;
-}
-
-static CK_MECHANISM_TYPE
-crmf_get_pad_mech_from_tag(SECOidTag oidTag)
-{
-    CK_MECHANISM_TYPE  mechType;
-    SECOidData        *oidData;
-
-    oidData = SECOID_FindOIDByTag(oidTag);
-    mechType = (CK_MECHANISM_TYPE)oidData->mechanism;
-    return PK11_GetPadMechanism(mechType);
-}
-
-static CK_MECHANISM_TYPE
-crmf_get_best_privkey_wrap_mechanism(PK11SlotInfo *slot) 
-{
-    CK_MECHANISM_TYPE privKeyPadMechs[] = { CKM_DES3_CBC_PAD,
-					    CKM_CAST5_CBC_PAD,
-					    CKM_DES_CBC_PAD,
-					    CKM_IDEA_CBC_PAD,
-					    CKM_CAST3_CBC_PAD,
-					    CKM_CAST_CBC_PAD,
-					    CKM_RC5_CBC_PAD,
-					    CKM_RC2_CBC_PAD,
-					    CKM_CDMF_CBC_PAD };
-    int mechCount = sizeof(privKeyPadMechs)/sizeof(privKeyPadMechs[0]);
-    int i;
-
-    for (i=0; i < mechCount; i++) {
-        if (PK11_DoesMechanism(slot, privKeyPadMechs[i])) {
-	    return privKeyPadMechs[i];
-	}
-    }
-    return CKM_INVALID_MECHANISM;
-}
-
-CK_MECHANISM_TYPE
-CRMF_GetBestWrapPadMechanism(PK11SlotInfo *slot)
-{
-    return crmf_get_best_privkey_wrap_mechanism(slot);
-}
-
-static SECItem*
-crmf_get_iv(CK_MECHANISM_TYPE mechType)
-{
-    int        iv_size = PK11_GetIVLength(mechType);
-    SECItem   *iv;
-    SECStatus  rv; 
-
-    iv = PORT_ZNew(SECItem);
-    if (iv == NULL) {
-        return NULL;
-    }
-    if (iv_size == 0) {
-        iv->data = NULL;
-	iv->len  = 0;
-	return iv;
-    }
-    iv->data = PORT_NewArray(unsigned char, iv_size);
-    if (iv->data == NULL) {
-        iv->len = 0;
-	return iv;
-    }
-    iv->len = iv_size;
-    rv = PK11_GenerateRandom(iv->data, iv->len);
-    if (rv != SECSuccess) {
-        PORT_Free(iv->data);
-	iv->data = NULL;
-	iv->len  = 0;
-    }
-    return iv;
-}
-
-SECItem*
-CRMF_GetIVFromMechanism(CK_MECHANISM_TYPE mechType)
-{
-    return crmf_get_iv(mechType);
-}
-
-CK_MECHANISM_TYPE
-crmf_get_mechanism_from_public_key(SECKEYPublicKey *inPubKey)
-{
-    CERTSubjectPublicKeyInfo *spki = NULL;
-    SECOidTag                 tag;
-    
-
-    spki = SECKEY_CreateSubjectPublicKeyInfo(inPubKey);
-    if (spki == NULL) {
-        return CKM_INVALID_MECHANISM;
-    }
-    tag = SECOID_FindOIDTag(&spki->algorithm.algorithm);
-    SECKEY_DestroySubjectPublicKeyInfo(spki);
-    spki = NULL;
-    return PK11_AlgtagToMechanism(tag);
-}
-
-SECItem*
-crmf_get_public_value(SECKEYPublicKey *pubKey, SECItem *dest)
-{
-    SECItem *src;
-
-    switch(pubKey->keyType) {
-    case dsaKey:
-	src =  &pubKey->u.dsa.publicValue;
-	break;
-    case rsaKey:
-	src =  &pubKey->u.rsa.modulus;
-	break;
-    case dhKey:
-	src =  &pubKey->u.dh.publicValue;
-	break;
-    default:
-	src = NULL;
-	break;
-    }
-    if (!src) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return NULL;
-    }
-
-    if (dest != NULL) {
-	SECStatus rv = SECITEM_CopyItem(NULL, dest, src);
-	if (rv != SECSuccess) {
-	    dest = NULL;
-	}
-    } else {
-        dest = SECITEM_ArenaDupItem(NULL, src);
-    }
-    return dest;
-}
-
-static SECItem*
-crmf_decode_params(SECItem *inParams)
-{
-    SECItem     *params;
-    SECStatus    rv      = SECFailure;
-    PRArenaPool *poolp;
-
-    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
-    if (poolp == NULL) {
-        return NULL;
-    }
-    
-    params = PORT_ArenaZNew(poolp, SECItem);
-    if (params) {
-	rv = SEC_ASN1DecodeItem(poolp, params, 
-				SEC_ASN1_GET(SEC_OctetStringTemplate),
-				inParams);
-    }
-    params = (rv == SECSuccess) ? SECITEM_ArenaDupItem(NULL, params) : NULL;
-    PORT_FreeArena(poolp, PR_FALSE);
-    return params;
-}
-
-int
-crmf_get_key_size_from_mech(CK_MECHANISM_TYPE mechType)
-{
-    CK_MECHANISM_TYPE keyGen = PK11_GetKeyGen(mechType);
-
-    switch (keyGen) {
-    case CKM_CDMF_KEY_GEN:
-    case CKM_DES_KEY_GEN:
-        return 8;
-    case CKM_DES2_KEY_GEN:
-	return 16;
-    case CKM_DES3_KEY_GEN:
-	return 24;
-    }
-    return 0;
-}
-
-SECStatus
-crmf_encrypted_value_unwrap_priv_key(PRArenaPool        *poolp,
-				     CRMFEncryptedValue *encValue,
-				     SECKEYPrivateKey   *privKey,
-				     SECKEYPublicKey    *newPubKey,
-				     SECItem            *nickname,
-				     PK11SlotInfo       *slot,
-				     unsigned char       keyUsage,
-				     SECKEYPrivateKey  **unWrappedKey,
-				     void               *wincx)
-{
-    PK11SymKey        *wrappingKey = NULL;
-    CK_MECHANISM_TYPE  wrapMechType;
-    SECOidTag          oidTag;
-    SECItem           *params = NULL, *publicValue = NULL;
-    int                keySize, origLen;
-    CK_KEY_TYPE        keyType;
-    CK_ATTRIBUTE_TYPE *usage = NULL;
-    CK_ATTRIBUTE_TYPE rsaUsage[] = {
-      CKA_UNWRAP, CKA_DECRYPT, CKA_SIGN, CKA_SIGN_RECOVER };
-    CK_ATTRIBUTE_TYPE dsaUsage[] = { CKA_SIGN };
-    CK_ATTRIBUTE_TYPE dhUsage[] = { CKA_DERIVE };
-    int usageCount = 0;
-
-    oidTag = SECOID_GetAlgorithmTag(encValue->symmAlg);
-    wrapMechType = crmf_get_pad_mech_from_tag(oidTag);
-    keySize = crmf_get_key_size_from_mech(wrapMechType);
-    wrappingKey = PK11_PubUnwrapSymKey(privKey, &encValue->encSymmKey, 
-				       wrapMechType, CKA_UNWRAP, keySize);
-    if (wrappingKey == NULL) {
-        goto loser;
-    }/* Make the length a byte length instead of bit length*/
-    params = (encValue->symmAlg != NULL) ? 
-              crmf_decode_params(&encValue->symmAlg->parameters) : NULL;
-    origLen = encValue->encValue.len;
-    encValue->encValue.len = CRMF_BITS_TO_BYTES(origLen);
-    publicValue = crmf_get_public_value(newPubKey, NULL);
-    switch(newPubKey->keyType) {
-    default:
-    case rsaKey:
-        keyType = CKK_RSA;
-        switch  (keyUsage & (KU_KEY_ENCIPHERMENT|KU_DIGITAL_SIGNATURE)) {
-        case KU_KEY_ENCIPHERMENT:
-            usage = rsaUsage;
-            usageCount = 2;
-            break;
-        case KU_DIGITAL_SIGNATURE:
-            usage = &rsaUsage[2];
-            usageCount = 2;
-            break;
-        case KU_KEY_ENCIPHERMENT|KU_DIGITAL_SIGNATURE:
-        case 0: /* default to everything */
-            usage = rsaUsage;
-            usageCount = 4;
-            break;
-        }
-	break;
-    case dhKey:
-        keyType = CKK_DH;
-        usage = dhUsage;
-        usageCount = sizeof(dhUsage)/sizeof(dhUsage[0]);
-        break;
-    case dsaKey:
-        keyType = CKK_DSA;
-        usage = dsaUsage;
-        usageCount = sizeof(dsaUsage)/sizeof(dsaUsage[0]);
-        break;
-    }
-    PORT_Assert(usage != NULL);
-    PORT_Assert(usageCount != 0);
-    *unWrappedKey = PK11_UnwrapPrivKey(slot, wrappingKey, wrapMechType, params,
-				       &encValue->encValue, nickname,
-				       publicValue, PR_TRUE,PR_TRUE, 
-				       keyType, usage, usageCount, wincx);
-    encValue->encValue.len = origLen;
-    if (*unWrappedKey == NULL) {
-        goto loser;
-    }
-    SECITEM_FreeItem (publicValue, PR_TRUE);
-    if (params!= NULL) {
-        SECITEM_FreeItem(params, PR_TRUE);
-    } 
-    PK11_FreeSymKey(wrappingKey);
-    return SECSuccess;
- loser:
-    *unWrappedKey = NULL;
-    return SECFailure;
-}
-
-CRMFEncryptedValue *
-crmf_create_encrypted_value_wrapped_privkey(SECKEYPrivateKey   *inPrivKey,
-					    SECKEYPublicKey    *inCAKey,
-					    CRMFEncryptedValue *destValue)
-{
-    SECItem                   wrappedPrivKey, wrappedSymKey;
-    SECItem                   encodedParam, *dummy;
-    SECStatus                 rv;
-    CK_MECHANISM_TYPE         pubMechType, symKeyType;
-    unsigned char            *wrappedSymKeyBits;
-    unsigned char            *wrappedPrivKeyBits;
-    SECItem                  *iv = NULL;
-    SECOidTag                 tag;
-    PK11SymKey               *symKey;
-    PK11SlotInfo             *slot;
-    SECAlgorithmID           *symmAlg;
-    CRMFEncryptedValue       *myEncrValue = NULL;
-
-    encodedParam.data = NULL;
-    wrappedSymKeyBits  = PORT_NewArray(unsigned char, MAX_WRAPPED_KEY_LEN);
-    wrappedPrivKeyBits = PORT_NewArray(unsigned char, MAX_WRAPPED_KEY_LEN);
-    if (wrappedSymKeyBits == NULL || wrappedPrivKeyBits == NULL) {
-        goto loser;
-    }
-    if (destValue == NULL) {
-        myEncrValue = destValue = PORT_ZNew(CRMFEncryptedValue);
-	if (destValue == NULL) {
-	    goto loser;
-	}
-    }
-
-    pubMechType = crmf_get_mechanism_from_public_key(inCAKey);
-    if (pubMechType == CKM_INVALID_MECHANISM) {
-        /* XXX I should probably do something here for non-RSA 
-	 *     keys that are in certs. (ie DSA)
-	 * XXX or at least SET AN ERROR CODE.
-	 */
-        goto loser;
-    }
-    slot = inPrivKey->pkcs11Slot; 
-    PORT_Assert(slot != NULL);
-    symKeyType = crmf_get_best_privkey_wrap_mechanism(slot);
-    symKey = PK11_KeyGen(slot, symKeyType, NULL, 0, NULL);
-    if (symKey == NULL) {
-        goto loser;
-    }
-
-    wrappedSymKey.data = wrappedSymKeyBits;
-    wrappedSymKey.len  = MAX_WRAPPED_KEY_LEN;
-    rv = PK11_PubWrapSymKey(pubMechType, inCAKey, symKey, &wrappedSymKey);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    /* Make the length of the result a Bit String length. */
-    wrappedSymKey.len <<= 3;
-
-    wrappedPrivKey.data = wrappedPrivKeyBits;
-    wrappedPrivKey.len  = MAX_WRAPPED_KEY_LEN;
-    iv = crmf_get_iv(symKeyType);
-    rv = PK11_WrapPrivKey(slot, symKey, inPrivKey, symKeyType, iv, 
-			  &wrappedPrivKey, NULL);
-    PK11_FreeSymKey(symKey);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    /* Make the length of the result a Bit String length. */
-    wrappedPrivKey.len <<= 3;
-    rv = crmf_make_bitstring_copy(NULL, 
-				  &destValue->encValue, 
-				  &wrappedPrivKey);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-
-    rv = crmf_make_bitstring_copy(NULL,
-				  &destValue->encSymmKey, 
-				  &wrappedSymKey);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    destValue->symmAlg = symmAlg = PORT_ZNew(SECAlgorithmID);
-    if (symmAlg == NULL) {
-        goto loser;
-    }
-
-    dummy = SEC_ASN1EncodeItem(NULL, &encodedParam, iv, 
-                               SEC_ASN1_GET(SEC_OctetStringTemplate));
-    if (dummy != &encodedParam) {
-        SECITEM_FreeItem(dummy, PR_TRUE);
-	goto loser;
-    }
-
-    symKeyType = crmf_get_non_pad_mechanism(symKeyType);
-    tag = PK11_MechanismToAlgtag(symKeyType);
-    rv = SECOID_SetAlgorithmID(NULL, symmAlg, tag, &encodedParam);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    SECITEM_FreeItem(&encodedParam, PR_FALSE);
-    PORT_Free(wrappedPrivKeyBits);
-    PORT_Free(wrappedSymKeyBits);
-    SECITEM_FreeItem(iv, PR_TRUE);
-    return destValue;
- loser:
-    if (iv != NULL) {
-	SECITEM_FreeItem(iv, PR_TRUE);
-    }
-    if (myEncrValue != NULL) {
-        crmf_destroy_encrypted_value(myEncrValue, PR_TRUE);
-    }
-    if (wrappedSymKeyBits != NULL) {
-        PORT_Free(wrappedSymKeyBits);
-    }
-    if (wrappedPrivKeyBits != NULL) {
-        PORT_Free(wrappedPrivKeyBits);
-    }
-    if (encodedParam.data != NULL) {
-	SECITEM_FreeItem(&encodedParam, PR_FALSE);
-    }
-    return NULL;
-}
-
-CRMFEncryptedKey*
-CRMF_CreateEncryptedKeyWithEncryptedValue (SECKEYPrivateKey *inPrivKey,
-					   CERTCertificate  *inCACert)
-{
-    SECKEYPublicKey          *caPubKey = NULL;
-    CRMFEncryptedKey         *encKey = NULL;
-    CRMFEncryptedValue       *dummy;
-
-    PORT_Assert(inPrivKey != NULL && inCACert != NULL);
-    if (inPrivKey == NULL || inCACert == NULL) {
-        return NULL;
-    }
-
-    caPubKey = CERT_ExtractPublicKey(inCACert);
-    if (caPubKey == NULL) {
-        goto loser;
-    }
-
-    encKey = PORT_ZNew(CRMFEncryptedKey);
-    if (encKey == NULL) {
-        goto loser;
-    }
-    dummy = crmf_create_encrypted_value_wrapped_privkey(inPrivKey,
-							caPubKey,
-					       &encKey->value.encryptedValue);
-    PORT_Assert(dummy == &encKey->value.encryptedValue);
-    /* We won't add the der value here, but rather when it 
-     * becomes part of a certificate request.
-     */
-    SECKEY_DestroyPublicKey(caPubKey);
-    encKey->encKeyChoice = crmfEncryptedValueChoice;
-    return encKey;
- loser:
-    if (encKey != NULL) {
-        CRMF_DestroyEncryptedKey(encKey);
-    }
-    if (caPubKey != NULL) {
-        SECKEY_DestroyPublicKey(caPubKey);
-    }
-    return NULL;
-}
-
-SECStatus
-CRMF_DestroyEncryptedKey(CRMFEncryptedKey *inEncrKey)
-{
-    return crmf_destroy_encrypted_key(inEncrKey, PR_TRUE);
-}
-
-SECStatus
-crmf_copy_pkiarchiveoptions(PRArenaPool           *poolp,
-			    CRMFPKIArchiveOptions *destOpt,
-			    CRMFPKIArchiveOptions *srcOpt)
-{
-    SECStatus rv;
-    destOpt->archOption = srcOpt->archOption;
-    switch (srcOpt->archOption) {
-    case crmfEncryptedPrivateKey:
-        rv = crmf_copy_encryptedkey(poolp,
-				    &srcOpt->option.encryptedKey,
-				    &destOpt->option.encryptedKey);
-        break;
-    case crmfKeyGenParameters:
-    case crmfArchiveRemGenPrivKey:
-        /* We've got a union, so having a pointer to one is just
-	 * like having a pointer to the other one.
-	 */
-        rv = SECITEM_CopyItem(poolp, 
-			      &destOpt->option.keyGenParameters,
-			      &srcOpt->option.keyGenParameters);
-	break;
-    default:
-        rv = SECFailure;
-    }
-    return rv;
-}
-
-static SECStatus
-crmf_check_and_adjust_archoption(CRMFControl *inControl)
-{
-    CRMFPKIArchiveOptions *options;
-
-    options = &inControl->value.archiveOptions;
-    if (options->archOption == crmfNoArchiveOptions) {
-        /* It hasn't been set, so figure it out from the 
-	 * der.
-	 */
-        switch (inControl->derValue.data[0] & 0x0f) {
-	case 0:
-	    options->archOption = crmfEncryptedPrivateKey;
-	    break;
-	case 1:
-	    options->archOption = crmfKeyGenParameters;
-	    break;
-	case 2:
-	    options->archOption = crmfArchiveRemGenPrivKey;
-	    break;
-	default:
-	    /* We've got bad DER.  Return an error. */
-	    return SECFailure;
-	}
-    }
-    return SECSuccess;
-}
-
-static const SEC_ASN1Template *
-crmf_get_pkiarchive_subtemplate(CRMFControl *inControl)
-{
-    const SEC_ASN1Template *retTemplate;
-    SECStatus               rv;
-    /*
-     * We could be in the process of decoding, in which case the
-     * archOption field will not be set.  Let's check it and set 
-     * it accordingly.
-     */
-
-    rv = crmf_check_and_adjust_archoption(inControl);
-    if (rv != SECSuccess) {
-        return NULL;
-    }
-
-    switch (inControl->value.archiveOptions.archOption) {
-    case crmfEncryptedPrivateKey:
-        retTemplate = CRMFEncryptedKeyWithEncryptedValueTemplate;
-	inControl->value.archiveOptions.option.encryptedKey.encKeyChoice =
-	  crmfEncryptedValueChoice;
-	break;
-    default:
-        retTemplate = NULL;
-    }
-    return retTemplate;
-}
-
-const SEC_ASN1Template*
-crmf_get_pkiarchiveoptions_subtemplate(CRMFControl *inControl)
-{
-    const SEC_ASN1Template *retTemplate;
-
-    switch (inControl->tag) {
-    case SEC_OID_PKIX_REGCTRL_REGTOKEN:
-    case SEC_OID_PKIX_REGCTRL_AUTHENTICATOR:
-        retTemplate = SEC_ASN1_GET(SEC_UTF8StringTemplate);
-	break;
-    case SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS:
-        retTemplate = crmf_get_pkiarchive_subtemplate(inControl);
-	break;
-    case SEC_OID_PKIX_REGCTRL_PKIPUBINFO:
-    case SEC_OID_PKIX_REGCTRL_OLD_CERT_ID:
-    case SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY:
-        /* We don't support these controls, so we fail for now.*/
-        retTemplate = NULL;
-	break;
-    default:
-        retTemplate = NULL;
-    }
-    return retTemplate;
-}
-
-static SECStatus
-crmf_encode_pkiarchiveoptions(PRArenaPool *poolp, CRMFControl *inControl)
-{
-    const SEC_ASN1Template *asn1Template;
-
-    asn1Template = crmf_get_pkiarchiveoptions_subtemplate(inControl);
-    /* We've got a union, so passing a pointer to one element of the 
-     * union, is the same as passing a pointer to any of the other
-     * members of the union.
-     */
-    SEC_ASN1EncodeItem(poolp, &inControl->derValue,
-                       &inControl->value.archiveOptions, asn1Template);
-
-    if (inControl->derValue.data == NULL) {
-        goto loser;
-    }
-    return SECSuccess;
- loser:
-    return SECFailure;
-}
-
-SECStatus
-CRMF_CertRequestSetPKIArchiveOptions(CRMFCertRequest       *inCertReq,
-				     CRMFPKIArchiveOptions *inOptions)
-{
-    CRMFControl *newControl;
-    PRArenaPool *poolp;
-    SECStatus    rv;
-    void        *mark;
-    
-    PORT_Assert(inCertReq != NULL && inOptions != NULL);
-    if (inCertReq == NULL || inOptions == NULL) {
-        return SECFailure;
-    }
-    poolp = inCertReq->poolp;
-    mark = PORT_ArenaMark(poolp);
-    rv = crmf_add_new_control(inCertReq, 
-			      SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS,
-			      &newControl);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-
-    rv = crmf_copy_pkiarchiveoptions(poolp, 
-				     &newControl->value.archiveOptions,
-				     inOptions);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-
-    rv = crmf_encode_pkiarchiveoptions(poolp, newControl); 
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    PORT_ArenaUnmark(poolp, mark);
-    return SECSuccess;
- loser:
-    PORT_ArenaRelease(poolp, mark);
-    return SECFailure;
-}
-
-SECStatus
-crmf_destroy_control(CRMFControl *inControl, PRBool freeit)
-{
-    PORT_Assert(inControl != NULL);
-    if (inControl != NULL) {
-        SECITEM_FreeItem(&inControl->derTag, PR_FALSE);
-        SECITEM_FreeItem(&inControl->derValue, PR_FALSE);
-	/* None of the other tags require special processing at 
-	 * the moment when freeing because they are not supported,
-	 * but if/when they are, add the necessary routines here.  
-	 * If all controls are supported, then every member of the 
-	 * union inControl->value will have a case that deals with 
-	 * it in the following switch statement.
-	 */
-	switch (inControl->tag) {
-	case SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS:
-	    crmf_destroy_pkiarchiveoptions(&inControl->value.archiveOptions,
-					   PR_FALSE);
-	    break;
-        default:
-           /* Put this here to get rid of all those annoying warnings.*/
-           break;
-	}
-	if (freeit) {
-	    PORT_Free(inControl);
-	}
-    }
-    return SECSuccess;
-}
-
-SECStatus
-CRMF_DestroyControl(CRMFControl *inControl)
-{
-    return crmf_destroy_control(inControl, PR_TRUE);
-}
-
-static SECOidTag
-crmf_controltype_to_tag(CRMFControlType inControlType)
-{
-    SECOidTag retVal;
-
-    switch(inControlType) {
-    case crmfRegTokenControl:
-      retVal = SEC_OID_PKIX_REGCTRL_REGTOKEN; 
-      break;
-    case crmfAuthenticatorControl:
-      retVal = SEC_OID_PKIX_REGCTRL_AUTHENTICATOR;
-      break;
-    case crmfPKIPublicationInfoControl:
-      retVal = SEC_OID_PKIX_REGCTRL_PKIPUBINFO;
-      break;
-    case crmfPKIArchiveOptionsControl:
-      retVal = SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS;
-      break;
-    case crmfOldCertIDControl:
-      retVal = SEC_OID_PKIX_REGCTRL_OLD_CERT_ID;
-      break;
-    case crmfProtocolEncrKeyControl:
-      retVal = SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY;
-      break;
-    default:
-      retVal = SEC_OID_UNKNOWN;
-      break;
-    }
-    return retVal;
-}
-
-PRBool
-CRMF_CertRequestIsControlPresent(CRMFCertRequest *inCertReq,
-				 CRMFControlType  inControlType)
-{
-    SECOidTag controlTag;
-    int       i;
-
-    PORT_Assert(inCertReq != NULL);
-    if (inCertReq == NULL || inCertReq->controls == NULL) {
-        return PR_FALSE;
-    }
-    controlTag = crmf_controltype_to_tag(inControlType);
-    for (i=0; inCertReq->controls[i] != NULL; i++) {
-        if (inCertReq->controls[i]->tag == controlTag) {
-	    return PR_TRUE;
-	}
-    }
-    return PR_FALSE;
-}
-
diff --git a/security/nss/lib/crmf/crmfdec.c b/security/nss/lib/crmf/crmfdec.c
deleted file mode 100644
index b7a5aa6ef..000000000
--- a/security/nss/lib/crmf/crmfdec.c
+++ /dev/null
@@ -1,393 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-
-#include "crmf.h"
-#include "crmfi.h"
-#include "secitem.h"
-
-static CRMFPOPChoice
-crmf_get_popchoice_from_der(SECItem *derPOP)
-{
-    CRMFPOPChoice retChoice;
-
-    switch (derPOP->data[0] & 0x0f) {
-    case 0:
-        retChoice = crmfRAVerified;
-	break;
-    case 1:
-        retChoice = crmfSignature;
-	break;
-    case 2:
-        retChoice = crmfKeyEncipherment;
-	break;
-    case 3:
-        retChoice = crmfKeyAgreement;
-	break;
-    default:
-        retChoice = crmfNoPOPChoice;
-	break;
-    }
-    return retChoice;
-}
-
-static SECStatus
-crmf_decode_process_raverified(CRMFCertReqMsg *inCertReqMsg)
-{   
-    CRMFProofOfPossession *pop;
-    /* Just set up the structure so that the message structure
-     * looks like one that was created using the API
-     */
-    pop = inCertReqMsg->pop;
-    pop->popChoice.raVerified.data = NULL;
-    pop->popChoice.raVerified.len  = 0;
-    return SECSuccess;
-}
-
-static SECStatus
-crmf_decode_process_signature(CRMFCertReqMsg *inCertReqMsg)
-{
-    PORT_Assert(inCertReqMsg->poolp);
-    if (!inCertReqMsg->poolp) {
-    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    return SEC_ASN1Decode(inCertReqMsg->poolp,
-			  &inCertReqMsg->pop->popChoice.signature,
-			  CRMFPOPOSigningKeyTemplate, 
-			  (const char*)inCertReqMsg->derPOP.data,
-			  inCertReqMsg->derPOP.len);
-}
-
-static CRMFPOPOPrivKeyChoice
-crmf_get_messagechoice_from_der(SECItem *derPOP)
-{
-    CRMFPOPOPrivKeyChoice retChoice;
-
-    switch (derPOP->data[2] & 0x0f) {
-    case 0:
-        retChoice = crmfThisMessage;
-	break;
-    case 1:
-        retChoice = crmfSubsequentMessage;
-	break;
-    case 2:
-        retChoice = crmfDHMAC;
-	break;
-    default:
-        retChoice = crmfNoMessage;
-    }
-    return retChoice;
-}
-
-static SECStatus
-crmf_decode_process_popoprivkey(CRMFCertReqMsg *inCertReqMsg)
-{
-    /* We've got a union, so a pointer to one POPOPrivKey
-     * struct is the same as having a pointer to the other 
-     * one.
-     */
-    CRMFPOPOPrivKey *popoPrivKey = 
-                    &inCertReqMsg->pop->popChoice.keyEncipherment;
-    SECItem         *derPOP, privKeyDer;
-    SECStatus        rv;
-
-    derPOP = &inCertReqMsg->derPOP;
-    popoPrivKey->messageChoice = crmf_get_messagechoice_from_der(derPOP);
-    if (popoPrivKey->messageChoice == crmfNoMessage) {
-        return SECFailure;
-    }
-    /* If we ever encounter BER encodings of this, we'll get in trouble*/
-    switch (popoPrivKey->messageChoice) {
-    case crmfThisMessage:
-    case crmfDHMAC:
-        privKeyDer.data = &derPOP->data[5];
-	privKeyDer.len  = derPOP->len - 5;
-	break;
-    case crmfSubsequentMessage:
-        privKeyDer.data = &derPOP->data[4];
-	privKeyDer.len  = derPOP->len - 4;
-	break;
-    default:
-        rv = SECFailure;
-    }
-
-    rv = SECITEM_CopyItem(inCertReqMsg->poolp, 
-			  &popoPrivKey->message.subsequentMessage,
-			  &privKeyDer);
-
-    if (rv != SECSuccess) {
-        return rv;
-    }
-
-    if (popoPrivKey->messageChoice == crmfThisMessage ||
-	popoPrivKey->messageChoice == crmfDHMAC) {
-
-        popoPrivKey->message.thisMessage.len = 
-	    CRMF_BYTES_TO_BITS(privKeyDer.len) - (int)derPOP->data[4];
-        
-    }
-    return SECSuccess;    
-}
-
-static SECStatus
-crmf_decode_process_keyagreement(CRMFCertReqMsg *inCertReqMsg)
-{
-    return crmf_decode_process_popoprivkey(inCertReqMsg);
-}
-
-static SECStatus
-crmf_decode_process_keyencipherment(CRMFCertReqMsg *inCertReqMsg)
-{
-    SECStatus rv;
-
-    rv = crmf_decode_process_popoprivkey(inCertReqMsg);
-    if (rv != SECSuccess) {
-        return rv;
-    }
-    if (inCertReqMsg->pop->popChoice.keyEncipherment.messageChoice == 
-	crmfDHMAC) {
-        /* Key Encipherment can not use the dhMAC option for
-	 * POPOPrivKey. 
-	 */
-        return SECFailure;
-    }
-    return SECSuccess;
-}
-
-static SECStatus
-crmf_decode_process_pop(CRMFCertReqMsg *inCertReqMsg)
-{
-     SECItem               *derPOP;
-     PRArenaPool           *poolp;
-     CRMFProofOfPossession *pop;
-     void                  *mark;
-     SECStatus              rv;
-
-     derPOP = &inCertReqMsg->derPOP;
-     poolp  = inCertReqMsg->poolp;
-     if (derPOP->data == NULL) {
-         /* There is no Proof of Possession field in this message. */
-         return SECSuccess;
-     }
-     mark = PORT_ArenaMark(poolp);
-     pop = PORT_ArenaZNew(poolp, CRMFProofOfPossession);
-     if (pop == NULL) {
-         goto loser;
-     }
-     pop->popUsed = crmf_get_popchoice_from_der(derPOP);
-     if (pop->popUsed == crmfNoPOPChoice) {
-         /* A bad encoding of CRMF.  Not a valid tag was given to the
-	  * Proof Of Possession field.
-	  */
-         goto loser;
-     }
-     inCertReqMsg->pop = pop;
-     switch (pop->popUsed) {
-     case crmfRAVerified:
-         rv = crmf_decode_process_raverified(inCertReqMsg);
-	 break;
-     case crmfSignature:
-         rv = crmf_decode_process_signature(inCertReqMsg);
-	 break;
-     case crmfKeyEncipherment:
-         rv = crmf_decode_process_keyencipherment(inCertReqMsg);
-	 break;
-     case crmfKeyAgreement:
-         rv = crmf_decode_process_keyagreement(inCertReqMsg);
-	 break;
-     default:
-         rv = SECFailure;
-     }
-     if (rv != SECSuccess) {
-         goto loser;
-     }
-     PORT_ArenaUnmark(poolp, mark);
-     return SECSuccess;
-
- loser:
-     PORT_ArenaRelease(poolp, mark);
-     inCertReqMsg->pop = NULL;
-     return SECFailure;
-     
-}
-
-static SECStatus
-crmf_decode_process_single_control(PRArenaPool *poolp, 
-				   CRMFControl *inControl)
-{
-    const SEC_ASN1Template *asn1Template = NULL;
-
-    inControl->tag = SECOID_FindOIDTag(&inControl->derTag);
-    asn1Template = crmf_get_pkiarchiveoptions_subtemplate(inControl);
-
-    PORT_Assert (asn1Template != NULL);
-    PORT_Assert (poolp != NULL);
-    if (!asn1Template || !poolp) {
-    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    /* We've got a union, so passing a pointer to one element of the
-     * union is the same as passing a pointer to any of the other
-     * members of the union.
-     */
-    return SEC_ASN1Decode(poolp, &inControl->value.archiveOptions, 
-			  asn1Template, (const char*)inControl->derValue.data,
-			  inControl->derValue.len);
-}
-
-static SECStatus 
-crmf_decode_process_controls(CRMFCertReqMsg *inCertReqMsg)
-{
-    int           i, numControls;
-    SECStatus     rv;
-    PRArenaPool  *poolp;
-    CRMFControl **controls;
-    
-    numControls = CRMF_CertRequestGetNumControls(inCertReqMsg->certReq);
-    controls = inCertReqMsg->certReq->controls;
-    poolp    = inCertReqMsg->poolp;
-    for (i=0; i < numControls; i++) {
-        rv = crmf_decode_process_single_control(poolp, controls[i]);
-	if (rv != SECSuccess) {
-	    return SECFailure;
-	}
-    }
-    return SECSuccess;
-}
-
-static SECStatus
-crmf_decode_process_single_reqmsg(CRMFCertReqMsg *inCertReqMsg)
-{
-    SECStatus rv;
-
-    rv = crmf_decode_process_pop(inCertReqMsg);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-
-    rv = crmf_decode_process_controls(inCertReqMsg);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    inCertReqMsg->certReq->certTemplate.numExtensions = 
-        CRMF_CertRequestGetNumberOfExtensions(inCertReqMsg->certReq);
-    inCertReqMsg->isDecoded = PR_TRUE;
-    rv = SECSuccess;
- loser:
-    return rv;
-}
-
-CRMFCertReqMsg*
-CRMF_CreateCertReqMsgFromDER (const char * buf, long len)
-{
-    PRArenaPool    *poolp;
-    CRMFCertReqMsg *certReqMsg;
-    SECStatus       rv;
-
-    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
-    if (poolp == NULL) {
-        goto loser;
-    }
-    certReqMsg = PORT_ArenaZNew (poolp, CRMFCertReqMsg);
-    if (certReqMsg == NULL) {
-        goto loser;
-    }
-    certReqMsg->poolp = poolp;
-    rv = SEC_ASN1Decode(poolp, certReqMsg, CRMFCertReqMsgTemplate, buf, len);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-
-    rv = crmf_decode_process_single_reqmsg(certReqMsg);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-
-    return certReqMsg;
- loser:
-    if (poolp != NULL) {
-        PORT_FreeArena(poolp, PR_FALSE);
-    }
-    return NULL;
-}
-
-CRMFCertReqMessages*
-CRMF_CreateCertReqMessagesFromDER(const char *buf, long len)
-{
-    long                 arenaSize;
-    int                  i;
-    SECStatus            rv;
-    PRArenaPool         *poolp;
-    CRMFCertReqMessages *certReqMsgs;
-
-    PORT_Assert (buf != NULL);
-    /* Wanna make sure the arena is big enough to store all of the requests
-     * coming in.  We'll guestimate according to the length of the buffer.
-     */
-    arenaSize = len + len/2;
-    poolp = PORT_NewArena(arenaSize);
-    if (poolp == NULL) {
-        return NULL;
-    }
-    certReqMsgs = PORT_ArenaZNew(poolp, CRMFCertReqMessages);
-    if (certReqMsgs == NULL) {
-        goto loser;
-    }
-    certReqMsgs->poolp = poolp;
-    rv = SEC_ASN1Decode(poolp, certReqMsgs, CRMFCertReqMessagesTemplate,
-			buf, len);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    for (i=0; certReqMsgs->messages[i] != NULL; i++) {
-        /* The sub-routines expect the individual messages to have 
-	 * an arena.  We'll give them one temporarily.
-	 */
-        certReqMsgs->messages[i]->poolp = poolp;
-        rv = crmf_decode_process_single_reqmsg(certReqMsgs->messages[i]);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-        certReqMsgs->messages[i]->poolp = NULL;
-    }
-    return certReqMsgs;
-
- loser:
-    PORT_FreeArena(poolp, PR_FALSE);
-    return NULL;
-}
diff --git a/security/nss/lib/crmf/crmfenc.c b/security/nss/lib/crmf/crmfenc.c
deleted file mode 100644
index 939192a3d..000000000
--- a/security/nss/lib/crmf/crmfenc.c
+++ /dev/null
@@ -1,87 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*- */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-
-#include "crmf.h"
-#include "crmfi.h"
-
-SECStatus 
-CRMF_EncodeCertReqMsg(CRMFCertReqMsg            *inCertReqMsg,
-		      CRMFEncoderOutputCallback  fn,
-		      void                      *arg)
-{
-    struct crmfEncoderOutput output;
-
-    output.fn        = fn;
-    output.outputArg = arg;
-    return SEC_ASN1Encode(inCertReqMsg,CRMFCertReqMsgTemplate, 
-			  crmf_encoder_out, &output);
-    
-}
-
-
-SECStatus
-CRMF_EncodeCertRequest(CRMFCertRequest           *inCertReq,
-		       CRMFEncoderOutputCallback  fn,
-		       void                      *arg)
-{
-    struct crmfEncoderOutput output;
-
-    output.fn        = fn;
-    output.outputArg = arg;
-    return SEC_ASN1Encode(inCertReq, CRMFCertRequestTemplate, 
-			  crmf_encoder_out, &output);
-}
-
-SECStatus
-CRMF_EncodeCertReqMessages(CRMFCertReqMsg              **inCertReqMsgs,
-			   CRMFEncoderOutputCallback     fn,
-			   void                         *arg)
-{
-    struct crmfEncoderOutput output;
-    CRMFCertReqMessages msgs;
-    
-    output.fn        = fn;
-    output.outputArg = arg;
-    msgs.messages = inCertReqMsgs;
-    return SEC_ASN1Encode(&msgs, CRMFCertReqMessagesTemplate,
-			  crmf_encoder_out, &output);
-}
-
-
-
-
diff --git a/security/nss/lib/crmf/crmffut.h b/security/nss/lib/crmf/crmffut.h
deleted file mode 100644
index c605f04f7..000000000
--- a/security/nss/lib/crmf/crmffut.h
+++ /dev/null
@@ -1,393 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * These functions to be implemented in the future if the features
- * which these functions would implement wind up being needed.
- */
-
-/*
- * Use this functionto create the CRMFSinglePubInfo* variables that will 
- * populate the inPubInfoArray paramter for the funciton
- * CRMF_CreatePKIPublicationInfo.
- *
- * "inPubMethod" specifies which publication method will be used
- * "pubLocation" is a representation of the location where 
- */
-extern CRMFSinglePubInfo* 
-      CRMF_CreateSinglePubInfo(CRMFPublicationMethod  inPubMethod,
-			       CRMFGeneralName       *pubLocation);
-
-/*
- * Create a PKIPublicationInfo that can later be passed to the function
- * CRMFAddPubInfoControl.
- */
-extern CRMFPKIPublicationInfo *
-     CRMF_CreatePKIPublicationInfo(CRMFPublicationAction  inAction,
-				   CRMFSinglePubInfo    **inPubInfoArray,
-				   int                    numPubInfo);
-
-/*
- * Only call this function on a CRMFPublicationInfo that was created by
- * CRMF_CreatePKIPublicationInfo that was passed in NULL for arena.
- */
-
-extern SECStatus 
-       CRMF_DestroyPKIPublicationInfo(CRMFPKIPublicationInfo *inPubInfo);
-
-extern SECStatus CRMF_AddPubInfoControl(CRMFCertRequest        *inCertReq,
-					CRMFPKIPublicationInfo *inPubInfo);
-
-/*
- * This is to create a Cert ID Control which can later be added to 
- * a certificate request.
- */
-extern CRMFCertID* CRMF_CreateCertID(CRMFGeneralName *issuer,
-				     long             serialNumber);
-
-extern SECStatus CRMF_DestroyCertID(CRMFCertID* certID);
-
-extern SECStatus CRMF_AddCertIDControl(CRMFCertRequest *inCertReq,
-				       CRMFCertID      *certID);
-
-extern SECStatus 
-       CRMF_AddProtocolEncryptioKeyControl(CRMFCertRequest          *inCertReq,
-					   CERTSubjectPublicKeyInfo *spki);
-
-/*
- * Add the ASCII Pairs Registration Info to the Certificate Request.
- * The SECItem must be an OCTET string representation.
- */
-extern SECStatus
-       CRMF_AddUTF8PairsRegInfo(CRMFCertRequest *inCertReq,
-				 SECItem         *asciiPairs);
-
-/*
- * This takes a CertRequest and adds it to another CertRequest.  
- */
-extern SECStatus
-       CRMF_AddCertReqToRegInfo(CRMFCertRequest *certReqToAddTo,
-				CRMFCertRequest *certReqBeingAdded);
-
-/*
- * Returns which option was used for the authInfo field of POPOSigningKeyInput
- */
-extern CRMFPOPOSkiInputAuthChoice 
-       CRMF_GetSignKeyInputAuthChoice(CRMFPOPOSigningKeyInput *inKeyInput);
-
-/*
- * Gets the PKMACValue associated with the POPOSigningKeyInput.
- * If the POPOSigningKeyInput did not use authInfo.publicKeyMAC 
- * the function returns SECFailure and the value at *destValue is unchanged.
- *
- * If the POPOSigningKeyInput did use authInfo.publicKeyMAC, the function
- * returns SECSuccess and places the PKMACValue at *destValue.
- */
-extern SECStatus 
-       CRMF_GetSignKeyInputPKMACValue(CRMFPOPOSigningKeyInput *inKeyInput,
-				      CRMFPKMACValue          **destValue);
-/*
- * Gets the SubjectPublicKeyInfo from the POPOSigningKeyInput
- */
-extern CERTSubjectPublicKeyInfo *
-       CRMF_GetSignKeyInputPublicKey(CRMFPOPOSigningKeyInput *inKeyInput);
-
-
-/*
- * Return the value for the PKIPublicationInfo Control.
- * A return value of NULL indicates that the Control was 
- * not a PKIPublicationInfo Control.  Call 
- * CRMF_DestroyPKIPublicationInfo on the return value when done
- * using the pointer.
- */
-extern CRMFPKIPublicationInfo* CRMF_GetPKIPubInfo(CRMFControl *inControl);
-
-/*
- * Free up a CRMFPKIPublicationInfo structure.
- */
-extern SECStatus 
-       CRMF_DestroyPKIPublicationInfo(CRMFPKIPublicationInfo *inPubInfo);
-
-/*
- * Get the choice used for action in this PKIPublicationInfo.
- */
-extern CRMFPublicationAction 
-       CRMF_GetPublicationAction(CRMFPKIPublicationInfo *inPubInfo);
-
-/*
- * Get the number of pubInfos are stored in the PKIPubicationInfo.
- */
-extern int CRMF_GetNumPubInfos(CRMFPKIPublicationInfo *inPubInfo);
-
-/*
- * Get the pubInfo at index for the given PKIPubicationInfo.
- * Indexing is done like a traditional C Array. (0 .. numElements-1)
- */
-extern CRMFSinglePubInfo* 
-       CRMF_GetPubInfoAtIndex(CRMFPKIPublicationInfo *inPubInfo,
-			      int                     index);
-
-/*
- * Destroy the CRMFSinglePubInfo.
- */
-extern SECStatus CRMF_DestroySinglePubInfo(CRMFSinglePubInfo *inPubInfo);
-
-/*
- * Get the pubMethod used by the SinglePubInfo.
- */
-extern CRMFPublicationMethod 
-       CRMF_GetPublicationMethod(CRMFSinglePubInfo *inPubInfo);
-
-/*
- * Get the pubLocation associated with the SinglePubInfo.
- * A NULL return value indicates there was no pubLocation associated
- * with the SinglePuInfo.
- */
-extern CRMFGeneralName* CRMF_GetPubLocation(CRMFSinglePubInfo *inPubInfo);
-
-/*
- * Get the authInfo.sender field out of the POPOSigningKeyInput.
- * If the POPOSigningKeyInput did not use the authInfo the function
- * returns SECFailure and the value at *destName is unchanged.
- *
- * If the POPOSigningKeyInput did use authInfo.sender, the function returns
- * SECSuccess and puts the authInfo.sender at *destName/
- */
-extern SECStatus CRMF_GetSignKeyInputSender(CRMFPOPOSigningKeyInput *keyInput,
-					    CRMFGeneralName        **destName);
-
-/**************** CMMF Functions that need to be added. **********************/
-
-/*
- * FUNCTION: CMMF_POPODecKeyChallContentSetNextChallenge
- * INPUTS:
- *    inDecKeyChall
- *        The CMMFPOPODecKeyChallContent to operate on.
- *    inRandom
- *        The random number to use when generating the challenge,
- *    inSender
- *        The GeneralName representation of the sender of the challenge.
- *    inPubKey
- *        The public key to use when encrypting the challenge.
- * NOTES:
- *    This function adds a challenge to the end of the list of challenges
- *    contained by 'inDecKeyChall'.  Refer to the CMMF draft on how the
- *    the random number passed in and the sender's GeneralName are used
- *    to generate the challenge and witness fields of the challenge.  This
- *    library will use SHA1 as the one-way function for generating the 
- *    witess field of the challenge.
- *
- * RETURN:
- *    SECSuccess if generating the challenge and adding to the end of list
- *    of challenges was successful.  Any other return value indicates an error
- *    while trying to generate the challenge.
- */
-extern SECStatus
-CMMF_POPODecKeyChallContentSetNextChallenge
-                                   (CMMFPOPODecKeyChallContent *inDecKeyChall,
-				    long                        inRandom,
-				    CERTGeneralName            *inSender,
-				    SECKEYPublicKey            *inPubKey);
-
-/*
- * FUNCTION: CMMF_POPODecKeyChallContentGetNumChallenges
- * INPUTS:
- *    inKeyChallCont
- *        The CMMFPOPODecKeyChallContent to operate on.
- * RETURN:
- *    This function returns the number of CMMFChallenges are contained in 
- *    the CMMFPOPODecKeyChallContent structure.
- */
-extern int CMMF_POPODecKeyChallContentGetNumChallenges
-                                  (CMMFPOPODecKeyChallContent *inKeyChallCont);
-
-/*
- * FUNCTION: CMMF_ChallengeGetRandomNumber
- * INPUTS:
- *    inChallenge
- *        The CMMFChallenge to operate on.
- *    inDest
- *        A pointer to a user supplied buffer where the library
- *        can place a copy of the random integer contatained in the
- *        challenge.
- * NOTES:
- *    This function returns the value held in the decrypted Rand structure
- *    corresponding to the random integer.  The user must call 
- *    CMMF_ChallengeDecryptWitness before calling this function.  Call 
- *    CMMF_ChallengeIsDecrypted to find out if the challenge has been 
- *    decrypted.
- *
- * RETURN:
- *    SECSuccess indicates the witness field has been previously decrypted
- *    and the value for the random integer was successfully placed at *inDest.
- *    Any other return value indicates an error and that the value at *inDest
- *    is not a valid value.
- */
-extern SECStatus CMMF_ChallengeGetRandomNumber(CMMFChallenge *inChallenge,
-					       long          *inDest);
-
-/*
- * FUNCTION: CMMF_ChallengeGetSender
- * INPUTS:
- *    inChallenge
- *        the CMMFChallenge to operate on.
- * NOTES:
- *    This function returns the value held in the decrypted Rand structure
- *    corresponding to the sender.  The user must call 
- *    CMMF_ChallengeDecryptWitness before calling this function.  Call 
- *    CMMF_ChallengeIsDecrypted to find out if the witness field has been
- *    decrypted.  The user must call CERT_DestroyGeneralName after the return
- *    value is no longer needed.
- *
- * RETURN:
- *    A pointer to a copy of the sender CERTGeneralName.  A return value of
- *    NULL indicates an error in trying to copy the information or that the
- *    witness field has not been decrypted.
- */
-extern CERTGeneralName* CMMF_ChallengeGetSender(CMMFChallenge *inChallenge);
-
-/*
- * FUNCTION: CMMF_ChallengeGetAlgId
- * INPUTS:
- *    inChallenge
- *        The CMMFChallenge to operate on.
- *    inDestAlgId
- *        A pointer to memory where a pointer to a copy of the algorithm
- *        id can be placed.
- * NOTES:
- *    This function retrieves the one way function algorithm identifier 
- *    contained within the CMMFChallenge if the optional field is present.
- *
- * RETURN:
- *    SECSucces indicates the function was able to place a pointer to a copy of
- *    the alogrithm id at *inAlgId.  If the value at *inDestAlgId is NULL, 
- *    that means there was no algorithm identifier present in the 
- *    CMMFChallenge.  Any other return value indicates the function was not 
- *    able to make a copy of the algorithm identifier.  In this case the value 
- *    at *inDestAlgId is not valid.
- */
-extern SECStatus CMMF_ChallengeGetAlgId(CMMFChallenge  *inChallenge,
-					SECAlgorithmID *inAlgId);
-
-/*
- * FUNCTION: CMMF_DestroyChallenge
- * INPUTS:
- *    inChallenge
- *        The CMMFChallenge to free up.
- * NOTES:
- *    This function frees up all the memory associated with the CMMFChallenge 
- *    passed in.
- * RETURN:
- *    SECSuccess if freeing all the memory associated with the CMMFChallenge
- *    passed in is successful.  Any other return value indicates an error 
- *    while freeing the memory.
- */
-extern SECStatus CMMF_DestroyChallenge (CMMFChallenge *inChallenge);
-
-/*
- * FUNCTION: CMMF_DestroyPOPODecKeyRespContent
- * INPUTS:
- *    inDecKeyResp
- *        The CMMFPOPODecKeyRespContent structure to free.
- * NOTES:
- *    This function frees up all the memory associate with the 
- *    CMMFPOPODecKeyRespContent.
- *
- * RETURN:
- *    SECSuccess if freeint up all the memory associated with the
- *    CMMFPOPODecKeyRespContent structure is successful.  Any other
- *    return value indicates an error while freeing the memory.
- */
-extern SECStatus
-     CMMF_DestroyPOPODecKeyRespContent(CMMFPOPODecKeyRespContent *inDecKeyResp);
-
-/*
- * FUNCTION: CMMF_ChallengeDecryptWitness
- * INPUTS:
- *    inChallenge
- *        The CMMFChallenge to operate on.
- *    inPrivKey
- *        The private key to use to decrypt the witness field.
- * NOTES:
- *    This function uses the private key to decrypt the challenge field
- *    contained in the CMMFChallenge.  Make sure the private key matches the
- *    public key that was used to encrypt the witness.  The creator of 
- *    the challenge will most likely be an RA that has the public key
- *    from a Cert request.  So the private key should be the private key
- *    associated with public key in that request.  This function will also
- *    verify the witness field of the challenge.
- *
- * RETURN:
- *    SECSuccess if decrypting the witness field was successful.  This does
- *    not indicate that the decrypted data is valid, since the private key 
- *    passed in may not be the actual key needed to properly decrypt the 
- *    witness field.  Meaning that there is a decrypted structure now, but
- *    may be garbage because the private key was incorrect.
- *    Any other return value indicates the function could not complete the
- *    decryption process.
- */
-extern SECStatus CMMF_ChallengeDecryptWitness(CMMFChallenge    *inChallenge,
-					      SECKEYPrivateKey *inPrivKey);
-
-/*
- * FUNCTION: CMMF_ChallengeIsDecrypted
- * INPUTS:
- *    inChallenge
- *        The CMMFChallenge to operate on.
- * RETURN:
- *    This is a predicate function that returns PR_TRUE if the decryption 
- *    process has already been performed.  The function return PR_FALSE if 
- *    the decryption process has not been performed yet.
- */
-extern PRBool CMMF_ChallengeIsDecrypted(CMMFChallenge *inChallenge);
-
-/*
- * FUNCTION: CMMF_DestroyPOPODecKeyChallContent
- * INPUTS:
- *    inDecKeyCont
- *        The CMMFPOPODecKeyChallContent to free
- * NOTES:
- *    This function frees up all the memory associated with the 
- *    CMMFPOPODecKeyChallContent 
- * RETURN:
- *    SECSuccess if freeing up all the memory associatd with the 
- *    CMMFPOPODecKeyChallContent is successful.  Any other return value
- *    indicates an error while freeing the memory.
- *
- */
-extern SECStatus 
- CMMF_DestroyPOPODecKeyChallContent (CMMFPOPODecKeyChallContent *inDecKeyCont);
-
diff --git a/security/nss/lib/crmf/crmfget.c b/security/nss/lib/crmf/crmfget.c
deleted file mode 100644
index 837ecf521..000000000
--- a/security/nss/lib/crmf/crmfget.c
+++ /dev/null
@@ -1,481 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "crmf.h"
-#include "crmfi.h"
-#include "keyhi.h"
-#include "secder.h"
-
-
-CRMFPOPChoice
-CRMF_CertReqMsgGetPOPType(CRMFCertReqMsg *inCertReqMsg)
-{
-    PORT_Assert(inCertReqMsg != NULL);
-    if (inCertReqMsg != NULL && inCertReqMsg->pop != NULL) {
-        return inCertReqMsg->pop->popUsed;
-    }
-    return crmfNoPOPChoice;
-}
-
-static SECStatus
-crmf_destroy_validity(CRMFOptionalValidity *inValidity, PRBool freeit)
-{
-    if (inValidity != NULL){
-        if (inValidity->notBefore.data != NULL) {
-	    PORT_Free(inValidity->notBefore.data);
-	}
-	if (inValidity->notAfter.data != NULL) {
-	    PORT_Free(inValidity->notAfter.data);
-	}
-	if (freeit) {
-	    PORT_Free(inValidity);
-	}
-    }
-    return SECSuccess;
-}
-
-static SECStatus 
-crmf_copy_cert_request_validity(PRArenaPool           *poolp,
-				CRMFOptionalValidity **destValidity,
-				CRMFOptionalValidity  *srcValidity)
-{
-    CRMFOptionalValidity *myValidity = NULL;
-    SECStatus             rv;
-
-    *destValidity = myValidity = (poolp == NULL) ?
-                                  PORT_ZNew(CRMFOptionalValidity) :
-                                  PORT_ArenaZNew(poolp, CRMFOptionalValidity);
-    if (myValidity == NULL) {
-        goto loser;
-    }
-    if (srcValidity->notBefore.data != NULL) {
-        rv = SECITEM_CopyItem(poolp, &myValidity->notBefore, 
-			      &srcValidity->notBefore);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-    }
-    if (srcValidity->notAfter.data != NULL) {
-        rv = SECITEM_CopyItem(poolp, &myValidity->notAfter, 
-			      &srcValidity->notAfter);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-    }
-    return SECSuccess;
- loser:
-    if (myValidity != NULL && poolp == NULL) {
-        crmf_destroy_validity(myValidity, PR_TRUE);
-    }
-    return SECFailure;
-}
-
-static SECStatus
-crmf_copy_extensions(PRArenaPool        *poolp, 
-		     CRMFCertTemplate   *destTemplate,
-		     CRMFCertExtension **srcExt)
-{
-    int       numExt = 0, i;
-    CRMFCertExtension **myExtArray = NULL;
-
-    while (srcExt[numExt] != NULL) {
-        numExt++;
-    }
-    if (numExt == 0) {
-        /*No extensions to copy.*/
-        destTemplate->extensions = NULL;
-	destTemplate->numExtensions = 0;
-        return SECSuccess;
-    }
-    destTemplate->extensions = myExtArray = 
-                           PORT_NewArray(CRMFCertExtension*, numExt+1);
-    if (myExtArray == NULL) {
-        goto loser;
-    }
-     
-    for (i=0; i<numExt; i++) {
-        myExtArray[i] = crmf_copy_cert_extension(poolp, srcExt[i]);
-	if (myExtArray[i] == NULL) {
-	    goto loser;
-	}
-    }
-    destTemplate->numExtensions = numExt;
-    myExtArray[numExt] = NULL;
-    return SECSuccess;
- loser:
-    if (myExtArray != NULL) {
-        if (poolp == NULL) {
-	    for (i=0; myExtArray[i] != NULL; i++) {
-	        CRMF_DestroyCertExtension(myExtArray[i]);
-	    }
-	}
-	PORT_Free(myExtArray);
-    }
-    destTemplate->extensions = NULL;
-    destTemplate->numExtensions = 0;
-    return SECFailure;
-}
-
-static SECStatus
-crmf_copy_cert_request_template(PRArenaPool      *poolp, 
-				CRMFCertTemplate *destTemplate,
-				CRMFCertTemplate *srcTemplate)
-{
-    SECStatus rv;
-
-    if (srcTemplate->version.data != NULL) {
-        rv = SECITEM_CopyItem(poolp, &destTemplate->version, 
-			      &srcTemplate->version);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-    }
-    if (srcTemplate->serialNumber.data != NULL) {
-        rv = SECITEM_CopyItem(poolp, &destTemplate->serialNumber,
-			      &srcTemplate->serialNumber);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-    }
-    if (srcTemplate->signingAlg != NULL) {
-        rv = crmf_template_copy_secalg(poolp, &destTemplate->signingAlg,
-				       srcTemplate->signingAlg);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-    }
-    if (srcTemplate->issuer != NULL) {
-        rv = crmf_copy_cert_name(poolp, &destTemplate->issuer,
-				 srcTemplate->issuer);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-    }
-    if (srcTemplate->validity != NULL) {
-        rv = crmf_copy_cert_request_validity(poolp, &destTemplate->validity,
-					     srcTemplate->validity);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-    }
-    if (srcTemplate->subject != NULL) {
-        rv = crmf_copy_cert_name(poolp, &destTemplate->subject, 
-				 srcTemplate->subject);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-    }
-    if (srcTemplate->publicKey != NULL) {
-        rv = crmf_template_add_public_key(poolp, &destTemplate->publicKey,
-					  srcTemplate->publicKey);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-    }
-    if (srcTemplate->issuerUID.data != NULL) {
-        rv = crmf_make_bitstring_copy(poolp, &destTemplate->issuerUID,
-				      &srcTemplate->issuerUID);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-    }
-    if (srcTemplate->subjectUID.data != NULL) {
-        rv = crmf_make_bitstring_copy(poolp, &destTemplate->subjectUID,
-				      &srcTemplate->subjectUID);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-    }
-    if (srcTemplate->extensions != NULL) {
-        rv = crmf_copy_extensions(poolp, destTemplate,
-				  srcTemplate->extensions);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-    }
-    return SECSuccess;
- loser:
-    return SECFailure;
-}
-
-static CRMFControl*
-crmf_copy_control(PRArenaPool *poolp, CRMFControl *srcControl)
-{
-    CRMFControl *newControl;
-    SECStatus    rv;
-
-    newControl = (poolp == NULL) ? PORT_ZNew(CRMFControl) :
-                                   PORT_ArenaZNew(poolp, CRMFControl);
-    if (newControl == NULL) {
-        goto loser;
-    }
-    newControl->tag = srcControl->tag;
-    rv = SECITEM_CopyItem(poolp, &newControl->derTag, &srcControl->derTag);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    rv = SECITEM_CopyItem(poolp, &newControl->derValue, &srcControl->derValue);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    /* We only handle PKIArchiveOptions Control right now.  But if in
-     * the future, more controls that are part of the union are added,
-     * then they need to be handled here as well.
-     */
-    switch (newControl->tag) {
-    case SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS:
-        rv = crmf_copy_pkiarchiveoptions(poolp, 
-					 &newControl->value.archiveOptions,
-					 &srcControl->value.archiveOptions);
-      break;
-    default:
-        rv = SECSuccess;
-    }
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    return newControl;
-
- loser:
-    if (poolp == NULL && newControl != NULL) {
-        CRMF_DestroyControl(newControl);
-    }
-    return NULL;
-}
-
-static SECStatus
-crmf_copy_cert_request_controls(PRArenaPool     *poolp, 
-				CRMFCertRequest *destReq, 
-				CRMFCertRequest *srcReq)
-{
-    int           numControls, i;
-    CRMFControl **myControls = NULL;
-
-    numControls = CRMF_CertRequestGetNumControls(srcReq);
-    if (numControls == 0) {
-        /* No Controls To Copy*/
-        return SECSuccess;
-    }
-    myControls = destReq->controls = PORT_NewArray(CRMFControl*, 
-						   numControls+1);
-    if (myControls == NULL) {
-        goto loser;
-    }
-    for (i=0; i<numControls; i++) {
-        myControls[i] = crmf_copy_control(poolp, srcReq->controls[i]);
-	if (myControls[i] == NULL) {
-	    goto loser;
-	}
-    }
-    myControls[numControls] = NULL;
-    return SECSuccess;
- loser:
-    if (myControls != NULL) {
-        if (poolp == NULL) {
-	    for (i=0; myControls[i] != NULL; i++) {
-	        CRMF_DestroyControl(myControls[i]);
-	    }
-	}
-	PORT_Free(myControls);
-    }
-    return SECFailure;
-}
-
-
-CRMFCertRequest*
-crmf_copy_cert_request(PRArenaPool *poolp, CRMFCertRequest *srcReq)
-{
-    CRMFCertRequest *newReq = NULL;
-    SECStatus        rv;
-
-    if (srcReq == NULL) {
-        return NULL;
-    }
-    newReq = (poolp == NULL) ? PORT_ZNew(CRMFCertRequest) :
-                               PORT_ArenaZNew(poolp, CRMFCertRequest);
-    if (newReq == NULL) {
-        goto loser;
-    }
-    rv = SECITEM_CopyItem(poolp, &newReq->certReqId, &srcReq->certReqId);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    rv = crmf_copy_cert_request_template(poolp, &newReq->certTemplate, 
-					 &srcReq->certTemplate);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    rv = crmf_copy_cert_request_controls(poolp, newReq, srcReq);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    return newReq;
- loser:
-    if (newReq != NULL && poolp == NULL) {
-        CRMF_DestroyCertRequest(newReq);
-    }
-    return NULL;
-}
-
-SECStatus 
-CRMF_DestroyGetValidity(CRMFGetValidity *inValidity)
-{
-    PORT_Assert(inValidity != NULL);
-    if (inValidity != NULL) {
-        if (inValidity->notAfter) {
-	    PORT_Free(inValidity->notAfter);
-	    inValidity->notAfter = NULL;
-	}
-	if (inValidity->notBefore) {
-	    PORT_Free(inValidity->notBefore);
-	    inValidity->notBefore = NULL;
-	}
-    }
-    return SECSuccess;
-}
-
-SECStatus
-crmf_make_bitstring_copy(PRArenaPool *arena, SECItem *dest, SECItem *src)
-{
-    int origLenBits;
-    int bytesToCopy;
-    SECStatus rv;
-
-    origLenBits = src->len;
-    bytesToCopy = CRMF_BITS_TO_BYTES(origLenBits);
-    src->len = bytesToCopy;         
-    rv = SECITEM_CopyItem(arena, dest, src);
-    src->len = origLenBits;
-    if (rv != SECSuccess) {
-        return rv;
-    }
-    dest->len = origLenBits;
-    return SECSuccess;
-}
-
-int
-CRMF_CertRequestGetNumberOfExtensions(CRMFCertRequest *inCertReq)
-{
-    CRMFCertTemplate *certTemplate;
-    int count = 0;
-    
-    certTemplate = &inCertReq->certTemplate;
-    if (certTemplate->extensions) {
-        while (certTemplate->extensions[count] != NULL)
-	    count++;
-    }
-    return count;
-}
-
-SECOidTag
-CRMF_CertExtensionGetOidTag(CRMFCertExtension *inExtension)
-{
-    PORT_Assert(inExtension != NULL);
-    if (inExtension == NULL) {
-        return SEC_OID_UNKNOWN;
-    }
-    return SECOID_FindOIDTag(&inExtension->id);
-}
-
-PRBool
-CRMF_CertExtensionGetIsCritical(CRMFCertExtension *inExt)
-{
-    PORT_Assert(inExt != NULL);
-    if (inExt == NULL) {
-        return PR_FALSE;
-    }
-    return inExt->critical.data != NULL;
-}
-
-SECItem*
-CRMF_CertExtensionGetValue(CRMFCertExtension *inExtension)
-{
-    PORT_Assert(inExtension != NULL);
-    if (inExtension == NULL) {
-        return NULL;
-    }
-    
-    return SECITEM_DupItem(&inExtension->value);
-}
-			  
-
-SECStatus
-CRMF_DestroyPOPOSigningKey(CRMFPOPOSigningKey *inKey)
-{
-    PORT_Assert(inKey != NULL);
-    if (inKey != NULL) {
-        if (inKey->derInput.data != NULL) {
-	    SECITEM_FreeItem(&inKey->derInput, PR_FALSE);
-	}
-	if (inKey->algorithmIdentifier != NULL) {
-	    SECOID_DestroyAlgorithmID(inKey->algorithmIdentifier, PR_TRUE);
-	}
-	if (inKey->signature.data != NULL) {
-	    SECITEM_FreeItem(&inKey->signature, PR_FALSE);
-	}
-	PORT_Free(inKey);
-    }
-    return SECSuccess;
-}
-
-SECStatus
-CRMF_DestroyPOPOPrivKey(CRMFPOPOPrivKey *inPrivKey)
-{
-    PORT_Assert(inPrivKey != NULL);
-    if (inPrivKey != NULL) {
-        SECITEM_FreeItem(&inPrivKey->message.thisMessage, PR_FALSE);
-	PORT_Free(inPrivKey);
-    }
-    return SECSuccess;
-}
-
-int
-CRMF_CertRequestGetNumControls(CRMFCertRequest *inCertReq)
-{
-    int              count = 0;
-
-    PORT_Assert(inCertReq != NULL);
-    if (inCertReq == NULL) {
-        return 0;
-    }
-    if (inCertReq->controls) {
-        while (inCertReq->controls[count] != NULL)
-	    count++;
-    }
-    return count;
-}
-
diff --git a/security/nss/lib/crmf/crmfi.h b/security/nss/lib/crmf/crmfi.h
deleted file mode 100644
index 1b8a311d6..000000000
--- a/security/nss/lib/crmf/crmfi.h
+++ /dev/null
@@ -1,190 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-
-#ifndef _CRMFI_H_
-#define _CRMFI_H_
-/* This file will contain all declarations common to both 
- * encoding and decoding of CRMF Cert Requests.  This header 
- * file should only be included internally by CRMF implementation
- * files.
- */
-#include "secasn1.h"
-#include "crmfit.h"
-#include "secerr.h"
-
-#define CRMF_DEFAULT_ARENA_SIZE   1024
-#define MAX_WRAPPED_KEY_LEN       2048
-
-
-#define CRMF_BITS_TO_BYTES(bits) (((bits)+7)/8)
-#define CRMF_BYTES_TO_BITS(bytes) ((bytes)*8)
-
-struct crmfEncoderArg {
-    SECItem *buffer;
-    long     allocatedLen;
-};
-
-struct crmfEncoderOutput {
-    CRMFEncoderOutputCallback fn;
-    void *outputArg;
-};
-
-/*
- * This funciton is used by the API for encoding functions that are 
- * exposed through the API, ie all of the CMMF_Encode* and CRMF_Encode*
- * functions.
- */
-extern void
-       crmf_encoder_out(void *arg, const char *buf, unsigned long len,
-                        int depth, SEC_ASN1EncodingPart data_kind);
-
-/*
- * This function is used when we want to encode something locally within
- * the library, ie the CertRequest so that we can produce its signature.
- */
-extern SECStatus 
-       crmf_init_encoder_callback_arg (struct crmfEncoderArg *encoderArg,
-				       SECItem               *derDest);
-
-/*
- * This is the callback function we feed to the ASN1 encoder when doing
- * internal DER-encodings.  ie, encoding the cert request so we can 
- * produce a signature.
- */
-extern void
-crmf_generic_encoder_callback(void *arg, const char* buf, unsigned long len,
-			      int depth, SEC_ASN1EncodingPart data_kind);
-
-/* The ASN1 templates that need to be seen by internal files
- * in order to implement CRMF.
- */
-extern const SEC_ASN1Template CRMFCertReqMsgTemplate[];
-extern const SEC_ASN1Template CRMFRAVerifiedTemplate[];
-extern const SEC_ASN1Template CRMFPOPOSigningKeyTemplate[];
-extern const SEC_ASN1Template CRMFPOPOKeyEnciphermentTemplate[];
-extern const SEC_ASN1Template CRMFPOPOKeyAgreementTemplate[];
-extern const SEC_ASN1Template CRMFThisMessageTemplate[];
-extern const SEC_ASN1Template CRMFSubsequentMessageTemplate[];
-extern const SEC_ASN1Template CRMFDHMACTemplate[];
-extern const SEC_ASN1Template CRMFEncryptedKeyWithEncryptedValueTemplate[];
-extern const SEC_ASN1Template CRMFEncryptedValueTemplate[];
-
-/*
- * Use these two values for encoding Boolean values.
- */
-extern const unsigned char hexTrue;
-extern const unsigned char hexFalse;
-/*
- * Prototypes for helper routines used internally by multiple files.
- */
-extern SECStatus crmf_encode_integer(PRArenaPool *poolp, SECItem *dest, 
-				     long value);
-extern SECStatus crmf_make_bitstring_copy(PRArenaPool *arena, SECItem *dest, 
-					  SECItem *src);
-
-extern SECStatus crmf_copy_pkiarchiveoptions(PRArenaPool           *poolp, 
-					     CRMFPKIArchiveOptions *destOpt,
-					     CRMFPKIArchiveOptions *srcOpt);
-extern SECStatus  
-       crmf_destroy_pkiarchiveoptions(CRMFPKIArchiveOptions *inArchOptions,
-				      PRBool                 freeit);
-extern const SEC_ASN1Template*
-       crmf_get_pkiarchiveoptions_subtemplate(CRMFControl *inControl);
-
-extern SECStatus crmf_copy_encryptedkey(PRArenaPool       *poolp,
-					CRMFEncryptedKey  *srcEncrKey,
-					CRMFEncryptedKey  *destEncrKey);
-extern SECStatus
-crmf_copy_encryptedvalue(PRArenaPool        *poolp,
-			 CRMFEncryptedValue *srcValue,
-			 CRMFEncryptedValue *destValue);
-
-extern SECStatus
-crmf_copy_encryptedvalue_secalg(PRArenaPool     *poolp,
-				SECAlgorithmID  *srcAlgId,
-				SECAlgorithmID **destAlgId);
-
-extern SECStatus crmf_template_copy_secalg(PRArenaPool *poolp, 
-					   SECAlgorithmID **dest,
-					   SECAlgorithmID *src);
-
-extern SECStatus crmf_copy_cert_name(PRArenaPool *poolp, CERTName **dest, 
-				     CERTName *src);
-
-extern SECStatus crmf_template_add_public_key(PRArenaPool               *poolp,
-					      CERTSubjectPublicKeyInfo **dest,
-					      CERTSubjectPublicKeyInfo  *pubKey);
-
-extern CRMFCertExtension* crmf_create_cert_extension(PRArenaPool *poolp, 
-						     SECOidTag    tag, 
-						     PRBool       isCritical,
-						     SECItem     *data);
-extern CRMFCertRequest*
-crmf_copy_cert_request(PRArenaPool *poolp, CRMFCertRequest *srcReq);
-
-extern SECStatus crmf_destroy_encrypted_value(CRMFEncryptedValue *inEncrValue, 
-					      PRBool freeit);
-
-extern CRMFEncryptedValue *
-crmf_create_encrypted_value_wrapped_privkey(SECKEYPrivateKey   *inPrivKey,
-					    SECKEYPublicKey    *inPubKey,
-					    CRMFEncryptedValue *destValue);
-
-extern CK_MECHANISM_TYPE 
-       crmf_get_mechanism_from_public_key(SECKEYPublicKey *inPubKey);
-
-extern SECStatus
-crmf_encrypted_value_unwrap_priv_key(PRArenaPool        *poolp,
-				     CRMFEncryptedValue *encValue,
-				     SECKEYPrivateKey   *privKey,
-				     SECKEYPublicKey    *newPubKey,
-				     SECItem            *nickname,
-				     PK11SlotInfo       *slot,
-				     unsigned char       keyUsage,
-				     SECKEYPrivateKey  **unWrappedKey,
-				     void               *wincx);
-
-extern SECItem*
-crmf_get_public_value(SECKEYPublicKey *pubKey, SECItem *dest);
-
-extern CRMFCertExtension*
-crmf_copy_cert_extension(PRArenaPool *poolp, CRMFCertExtension *inExtension);
-
-extern SECStatus
-crmf_create_prtime(SECItem *src, PRTime **dest);
-#endif /*_CRMFI_H_*/
diff --git a/security/nss/lib/crmf/crmfit.h b/security/nss/lib/crmf/crmfit.h
deleted file mode 100644
index 1edde840b..000000000
--- a/security/nss/lib/crmf/crmfit.h
+++ /dev/null
@@ -1,219 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-
-#ifndef _CRMFIT_H_
-#define _CRMFIT_H_
-
-struct CRMFCertReqMessagesStr {
-    CRMFCertReqMsg **messages;
-    PRArenaPool     *poolp;
-};
-
-struct CRMFCertExtensionStr {
-    SECItem id;
-    SECItem critical;
-    SECItem value;
-};
-
-
-struct CRMFOptionalValidityStr {
-    SECItem notBefore; 
-    SECItem notAfter;
-};
-
-struct CRMFCertTemplateStr {
-    SECItem                   version;
-    SECItem                   serialNumber;
-    SECAlgorithmID           *signingAlg;
-    CERTName                 *issuer;
-    CRMFOptionalValidity     *validity;
-    CERTName                 *subject;
-    CERTSubjectPublicKeyInfo *publicKey;
-    SECItem                   issuerUID;
-    SECItem                   subjectUID; 
-    CRMFCertExtension       **extensions;
-    int                       numExtensions;
-};
-
-struct CRMFCertIDStr {
-    SECItem issuer; /* General Name */
-    SECItem serialNumber; /*INTEGER*/
-};
-
-struct CRMFEncryptedValueStr {
-    SECAlgorithmID *intendedAlg;
-    SECAlgorithmID *symmAlg;
-    SECItem         encSymmKey; /*BIT STRING   */
-    SECAlgorithmID *keyAlg;
-    SECItem         valueHint;  /*OCTET STRING */
-    SECItem         encValue;   /*BIT STRING   */
-};
-
-/*
- * The field derValue will contain the actual der
- * to include in the encoding or that was read in
- * from a der blob. 
- */
-struct CRMFEncryptedKeyStr {
-    union {
-        SEC_PKCS7ContentInfo   *envelopedData;
-        CRMFEncryptedValue      encryptedValue; 
-    } value;
-    CRMFEncryptedKeyChoice encKeyChoice;
-    SECItem derValue;
-};
-
-/* ASN1 must only have one of the following 3 options. */
-struct CRMFPKIArchiveOptionsStr {
-    union {
-        CRMFEncryptedKey  encryptedKey;
-        SECItem           keyGenParameters;
-        SECItem           archiveRemGenPrivKey; /* BOOLEAN */
-    } option;
-    CRMFPKIArchiveOptionsType archOption;
-};
-
-struct CRMFPKIPublicationInfoStr {
-    SECItem action; /* Possible values                    */
-                    /* dontPublish (0), pleasePublish (1) */
-    CRMFSinglePubInfo **pubInfos; 
-};
-
-struct CRMFControlStr {
-    SECOidTag  tag;
-    SECItem    derTag;
-    SECItem    derValue;
-    /* These will be C structures used to represent the various 
-     * options.  Values that can't be stored as der right away.
-     * After creating these structures, we'll place their der
-     * encoding in derValue so the encoder knows how to get to
-     * it.
-     */
-    union {
-        CRMFCertID              oldCertId;
-        CRMFPKIArchiveOptions   archiveOptions;
-        CRMFPKIPublicationInfo  pubInfo;
-        CRMFProtocolEncrKey     protEncrKey; 
-    } value;
-};
-
-struct CRMFCertRequestStr {
-    SECItem            certReqId;
-    CRMFCertTemplate   certTemplate;
-    CRMFControl      **controls;
-    /* The following members are used by the internal implementation, but
-     * are not part of the encoding.
-     */
-    PRArenaPool *poolp;
-    long         requestID; /* This is the value that will be encoded into
-			     * the certReqId field.
-			     */
-};                                   
-
-struct CRMFAttributeStr {
-    SECItem derTag;
-    SECItem derValue;
-};
-
-struct CRMFCertReqMsgStr {
-    CRMFCertRequest            *certReq;
-    CRMFProofOfPossession      *pop;
-    CRMFAttribute             **regInfo;
-    SECItem                     derPOP;
-    /* This arena will be used for allocating memory when decoding.
-     */
-    PRArenaPool *poolp;
-    PRBool       isDecoded;
-};
-
-struct CRMFPOPOSigningKeyInputStr {
-    /* ASN1 must have only one of the next 2 options */
-    union {
-        SECItem          sender; /*General Name*/
-        CRMFPKMACValue  *publicKeyMAC;
-    }authInfo;
-    CERTSubjectPublicKeyInfo publicKey;
-};
-
-struct CRMFPOPOSigningKeyStr {
-    SECItem                  derInput; /*If in the future we support 
-                                        *POPOSigningKeyInput, this will
-                                        *a C structure representation
-                                        *instead.
-                                        */
-    SECAlgorithmID          *algorithmIdentifier;
-    SECItem                  signature; /* This is a BIT STRING. Remember */
-};                                      /* that when interpreting.        */
-
-/* ASN1 must only choose one of these members */
-struct CRMFPOPOPrivKeyStr {
-    union {
-        SECItem thisMessage; /* BIT STRING */
-        SECItem subsequentMessage; /*INTEGER*/ 
-        SECItem dhMAC; /*BIT STRING*/
-    } message;
-    CRMFPOPOPrivKeyChoice messageChoice;
-};
-
-/* ASN1 must only have one of these options. */
-struct CRMFProofOfPossessionStr {
-    union {
-        SECItem             raVerified;
-        CRMFPOPOSigningKey  signature;
-        CRMFPOPOPrivKey     keyEncipherment;
-        CRMFPOPOPrivKey     keyAgreement;
-    } popChoice;
-    CRMFPOPChoice       popUsed; /*Not part of encoding*/
-};
-
-struct CRMFPKMACValueStr {
-    SECAlgorithmID algID;
-    SECItem        value; /*BIT STRING*/
-};
-
-struct CRMFSinglePubInfoStr {
-    SECItem pubMethod; /* Possible Values:
-			*   dontCare (0)
-			*   x500     (1)
-			*   web      (2)
-			*   ldap     (3)
-			*/
-    CERTGeneralName *pubLocation; /* General Name */
-};
-
-#endif /* _CRMFIT_H_ */
diff --git a/security/nss/lib/crmf/crmfpop.c b/security/nss/lib/crmf/crmfpop.c
deleted file mode 100644
index e105a90a8..000000000
--- a/security/nss/lib/crmf/crmfpop.c
+++ /dev/null
@@ -1,608 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-
-#include "crmf.h"
-#include "crmfi.h"
-#include "secasn1.h"
-#include "keyhi.h"
-#include "cryptohi.h"
-
-#define CRMF_DEFAULT_ALLOC_SIZE 1024
-
-SECStatus
-crmf_init_encoder_callback_arg (struct crmfEncoderArg *encoderArg, 
-				SECItem               *derDest) 
-{
-    derDest->data = PORT_ZNewArray(unsigned char, CRMF_DEFAULT_ALLOC_SIZE);
-    if (derDest->data == NULL) {
-        return SECFailure;
-    }
-    derDest->len = 0;
-    encoderArg->allocatedLen = CRMF_DEFAULT_ALLOC_SIZE;
-    encoderArg->buffer = derDest;
-    return SECSuccess;
-
-}
-
-/* Caller should release or unmark the pool, instead of doing it here.
-** But there are NO callers of this function at present...
-*/
-SECStatus 
-CRMF_CertReqMsgSetRAVerifiedPOP(CRMFCertReqMsg *inCertReqMsg)
-{
-    SECItem               *dummy;
-    CRMFProofOfPossession *pop;
-    PRArenaPool           *poolp;
-    void                  *mark;
-
-    PORT_Assert(inCertReqMsg != NULL && inCertReqMsg->pop == NULL);
-    poolp = inCertReqMsg->poolp;
-    mark = PORT_ArenaMark(poolp);
-    if (CRMF_CertReqMsgGetPOPType(inCertReqMsg) != crmfNoPOPChoice) {
-        return SECFailure;
-    }
-    pop = PORT_ArenaZNew(poolp, CRMFProofOfPossession);
-    if (pop == NULL) {
-        goto loser;
-    }
-    pop->popUsed = crmfRAVerified;
-    pop->popChoice.raVerified.data = NULL;
-    pop->popChoice.raVerified.len  = 0;
-    inCertReqMsg->pop = pop;
-    dummy = SEC_ASN1EncodeItem(poolp, &(inCertReqMsg->derPOP),
-			       &(pop->popChoice.raVerified),
-			       CRMFRAVerifiedTemplate);
-    return SECSuccess;
- loser:
-    PORT_ArenaRelease(poolp, mark);
-    return SECFailure;
-}
-
-SECOidTag
-crmf_map_keytag_to_signtag(SECOidTag inTag)
-{
-    switch (inTag) {
-    case SEC_OID_PKCS1_RSA_ENCRYPTION:
-        return SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
-    case SEC_OID_ANSIX9_DSA_SIGNATURE:
-    case SEC_OID_MISSI_KEA_DSS:
-    case SEC_OID_MISSI_DSS:
-        return SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
-    default:
-        /* Put this in here to kill warnings. */
-        break;
-    }
-    return inTag;
-}
-
-SECOidTag
-crmf_get_key_sign_tag(SECKEYPublicKey *inPubKey)
-{
-    CERTSubjectPublicKeyInfo *spki;
-    SECOidTag                 tag;
-
-    spki = SECKEY_CreateSubjectPublicKeyInfo(inPubKey);
-    if (spki == NULL) {
-        return SEC_OID_UNKNOWN;
-    }
-    tag = SECOID_GetAlgorithmTag(&spki->algorithm);
-    SECKEY_DestroySubjectPublicKeyInfo(spki);
-    return crmf_map_keytag_to_signtag(tag);
-}
-
-SECAlgorithmID*
-crmf_create_poposignkey_algid(PRArenaPool      *poolp,
-			      SECKEYPublicKey  *inPubKey)
-{
-    SECAlgorithmID *algID;
-    SECOidTag       tag;
-    SECStatus       rv;
-    void           *mark;
-
-    mark = PORT_ArenaMark(poolp);
-    algID = PORT_ArenaZNew(poolp, SECAlgorithmID);
-    if (algID == NULL) {
-        goto loser;
-    }
-    tag = crmf_get_key_sign_tag(inPubKey);
-    if (tag == SEC_OID_UNKNOWN) {
-        goto loser;
-    }
-    rv = SECOID_SetAlgorithmID(poolp, algID, tag, NULL);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    PORT_ArenaUnmark(poolp, mark);
-    return algID;
- loser:
-    PORT_ArenaRelease(poolp, mark);
-    return NULL;
-}
-
-static CRMFPOPOSigningKeyInput*
-crmf_create_poposigningkeyinput(PRArenaPool *poolp, CERTCertificate *inCert,
-				CRMFMACPasswordCallback fn, void *arg)
-{
-  /* PSM isn't going to do this, so we'll fail here for now.*/
-     return NULL;
-}
-
-void
-crmf_generic_encoder_callback(void *arg, const char* buf, unsigned long len,
-			      int depth, SEC_ASN1EncodingPart data_kind)
-{
-    struct crmfEncoderArg *encoderArg = (struct crmfEncoderArg*)arg;
-    unsigned char *cursor;
-    
-   if (encoderArg->buffer->len + len > encoderArg->allocatedLen) {
-        int newSize = encoderArg->buffer->len+CRMF_DEFAULT_ALLOC_SIZE;
-        void *dummy = PORT_Realloc(encoderArg->buffer->data, newSize);
-	if (dummy == NULL) {
-	    /* I really want to return an error code here */
-	    PORT_Assert(0);
-	    return;
-	}
-	encoderArg->buffer->data = dummy;
-	encoderArg->allocatedLen = newSize;
-    }
-    cursor = &(encoderArg->buffer->data[encoderArg->buffer->len]);
-    PORT_Memcpy (cursor, buf, len);
-    encoderArg->buffer->len += len;    
-}
-
-static SECStatus
-crmf_encode_certreq(CRMFCertRequest *inCertReq, SECItem *derDest)
-{
-    struct crmfEncoderArg encoderArg;
-    SECStatus             rv;
-  
-    rv = crmf_init_encoder_callback_arg (&encoderArg, derDest);
-    if (rv != SECSuccess) {
-        return SECFailure;
-    }
-    return SEC_ASN1Encode(inCertReq, CRMFCertRequestTemplate, 
-			  crmf_generic_encoder_callback, &encoderArg);
-}
-
-static SECStatus
-crmf_sign_certreq(PRArenaPool        *poolp, 
-		  CRMFPOPOSigningKey *crmfSignKey, 
-		  CRMFCertRequest    *certReq,
-		  SECKEYPrivateKey   *inKey,
-		  SECAlgorithmID     *inAlgId)
-{
-    SECItem                      derCertReq;
-    SECItem                      certReqSig;
-    SECStatus                    rv = SECSuccess;
-
-    rv = crmf_encode_certreq(certReq, &derCertReq);
-    if (rv != SECSuccess) {
-       goto loser;
-    }
-    rv = SEC_SignData(&certReqSig, derCertReq.data, derCertReq.len,
-		      inKey,SECOID_GetAlgorithmTag(inAlgId));
-    if (rv != SECSuccess) {
-        goto loser;
-    }
- 
-    /* Now make it a part of the POPOSigningKey */
-    rv = SECITEM_CopyItem(poolp, &(crmfSignKey->signature), &certReqSig);
-    /* Convert this length to number of bits */
-    crmfSignKey->signature.len <<= 3; 
-   
- loser:
-    if (derCertReq.data != NULL) {
-        PORT_Free(derCertReq.data);
-    }
-    if (certReqSig.data != NULL) {
-        PORT_Free(certReqSig.data);
-    }
-    return rv;
-}
-
-static SECStatus
-crmf_create_poposignkey(PRArenaPool             *poolp, 
-			CRMFCertReqMsg          *inCertReqMsg, 
-			CRMFPOPOSigningKeyInput *signKeyInput, 
-			SECKEYPrivateKey        *inPrivKey,
-			SECAlgorithmID          *inAlgID,
-			CRMFPOPOSigningKey      *signKey) 
-{
-    CRMFCertRequest    *certReq;
-    void               *mark;
-    PRBool              useSignKeyInput;
-    SECStatus           rv;
-    
-    PORT_Assert(inCertReqMsg != NULL && inCertReqMsg->certReq != NULL);
-    mark = PORT_ArenaMark(poolp);
-    if (signKey == NULL) {
-        goto loser;
-    }
-    certReq = inCertReqMsg->certReq;
-    useSignKeyInput = !(CRMF_DoesRequestHaveField(certReq,crmfSubject)  &&
-			CRMF_DoesRequestHaveField(certReq,crmfPublicKey));
-
-    if (useSignKeyInput) {
-        goto loser; 
-    } else {
-        rv = crmf_sign_certreq(poolp, signKey, certReq,inPrivKey, inAlgID);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-    }
-    PORT_ArenaUnmark(poolp,mark);
-    return SECSuccess;
- loser:
-    PORT_ArenaRelease(poolp,mark);
-    return SECFailure;
-}
-
-SECStatus
-CRMF_CertReqMsgSetSignaturePOP(CRMFCertReqMsg   *inCertReqMsg,
-			       SECKEYPrivateKey *inPrivKey,
-			       SECKEYPublicKey  *inPubKey,
-			       CERTCertificate  *inCertForInput,
-			       CRMFMACPasswordCallback  fn,
-			       void                    *arg)
-{
-    SECAlgorithmID  *algID;
-    PRArenaPool     *poolp;
-    SECItem          derDest = {siBuffer, NULL, 0};
-    void            *mark;
-    SECStatus        rv;
-    CRMFPOPOSigningKeyInput *signKeyInput = NULL;
-    CRMFCertRequest         *certReq;
-    CRMFProofOfPossession   *pop;
-    struct crmfEncoderArg    encoderArg;
-
-    PORT_Assert(inCertReqMsg != NULL && inCertReqMsg->certReq != NULL &&
-		inCertReqMsg->pop == NULL);
-    certReq = inCertReqMsg->certReq;
-    if (CRMF_CertReqMsgGetPOPType(inCertReqMsg) != crmfNoPOPChoice || 
-	!CRMF_DoesRequestHaveField(certReq, crmfPublicKey)) {
-        return SECFailure;
-    } 
-    poolp = inCertReqMsg->poolp;
-    mark = PORT_ArenaMark(poolp);
-    algID = crmf_create_poposignkey_algid(poolp, inPubKey);
-
-    if(!CRMF_DoesRequestHaveField(certReq,crmfSubject)) {
-        signKeyInput = crmf_create_poposigningkeyinput(poolp, inCertForInput,
-						       fn, arg);
-	if (signKeyInput == NULL) {
-	    goto loser;
-	}
-    }
-
-    pop = PORT_ArenaZNew(poolp, CRMFProofOfPossession);
-    if (pop == NULL) {
-        goto loser;
-    }
-    
-    rv = crmf_create_poposignkey(poolp, inCertReqMsg, 
-				 signKeyInput, inPrivKey, algID,
-				 &(pop->popChoice.signature));
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-
-    pop->popUsed = crmfSignature;
-    pop->popChoice.signature.algorithmIdentifier = algID;
-    inCertReqMsg->pop = pop;
-  
-    rv = crmf_init_encoder_callback_arg (&encoderArg, &derDest);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    rv = SEC_ASN1Encode(&pop->popChoice.signature, 
-			CRMFPOPOSigningKeyTemplate,
-			crmf_generic_encoder_callback, &encoderArg);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    rv = SECITEM_CopyItem(poolp, &(inCertReqMsg->derPOP), &derDest);
-    PORT_Free (derDest.data);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    PORT_ArenaUnmark(poolp,mark);
-    return SECSuccess;
-
- loser:
-    PORT_ArenaRelease(poolp,mark);
-    if (derDest.data != NULL) {
-        PORT_Free(derDest.data);
-    }
-    return SECFailure;
-}
-
-static const SEC_ASN1Template*
-crmf_get_popoprivkey_subtemplate(CRMFPOPOPrivKey *inPrivKey) 
-{
-    const SEC_ASN1Template *retTemplate = NULL;
-
-    switch (inPrivKey->messageChoice) {
-    case crmfThisMessage:
-        retTemplate = CRMFThisMessageTemplate;
-	break;
-    case crmfSubsequentMessage:
-        retTemplate = CRMFSubsequentMessageTemplate;
-	break;
-    case crmfDHMAC:
-        retTemplate = CRMFDHMACTemplate;
-	break;
-    default:
-        retTemplate = NULL;
-    }
-    return retTemplate;
-}
-
-static SECStatus
-crmf_encode_popoprivkey(PRArenaPool            *poolp, 
-			CRMFCertReqMsg         *inCertReqMsg,
-			CRMFPOPOPrivKey        *popoPrivKey,
-			const SEC_ASN1Template *privKeyTemplate)
-{
-    struct crmfEncoderArg   encoderArg;
-    SECItem                 derDest; 
-    SECStatus               rv;
-    void                   *mark;
-    const SEC_ASN1Template *subDerTemplate;
-
-    mark = PORT_ArenaMark(poolp);
-    rv = crmf_init_encoder_callback_arg(&encoderArg, &derDest);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    subDerTemplate = crmf_get_popoprivkey_subtemplate(popoPrivKey);
-    /* We've got a union, so a pointer to one item is a pointer to 
-     * all the items in the union.
-     */
-    rv = SEC_ASN1Encode(&popoPrivKey->message.thisMessage, 
-			subDerTemplate,
-			crmf_generic_encoder_callback, &encoderArg);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    if (encoderArg.allocatedLen > derDest.len+2) {
-        void *dummy = PORT_Realloc(derDest.data, derDest.len+2);
-	if (dummy == NULL) {
-	    goto loser;
-	}
-	derDest.data = dummy;
-    }
-    PORT_Memmove(&derDest.data[2], &derDest.data[0], derDest.len);
-    /* I couldn't figure out how to get the ASN1 encoder to implicitly
-     * tag an implicitly tagged der blob.  So I'm putting in the outter-
-     * most tag myself. -javi
-     */
-    derDest.data[0] = (unsigned char)privKeyTemplate->kind;
-    derDest.data[1] = (unsigned char)derDest.len;
-    derDest.len += 2;
-    rv = SECITEM_CopyItem(poolp, &inCertReqMsg->derPOP, &derDest);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    PORT_Free(derDest.data);
-    PORT_ArenaUnmark(poolp, mark);
-    return SECSuccess;
- loser:
-    PORT_ArenaRelease(poolp, mark);
-    if (derDest.data) {
-        PORT_Free(derDest.data);
-    }
-    return SECFailure;
-}
-
-static const SEC_ASN1Template*
-crmf_get_template_for_privkey(CRMFPOPChoice inChoice) 
-{
-    switch (inChoice) {
-    case crmfKeyAgreement:
-        return CRMFPOPOKeyAgreementTemplate;
-    case crmfKeyEncipherment:
-        return CRMFPOPOKeyEnciphermentTemplate;
-    default:
-        break;
-    }
-    return NULL;
-}
-
-static SECStatus
-crmf_add_privkey_thismessage(CRMFCertReqMsg *inCertReqMsg, SECItem *encPrivKey,
-			     CRMFPOPChoice inChoice)
-{
-    PRArenaPool           *poolp;
-    void                  *mark;
-    CRMFPOPOPrivKey       *popoPrivKey;
-    CRMFProofOfPossession *pop;
-    SECStatus              rv;
-
-    PORT_Assert(inCertReqMsg != NULL && encPrivKey != NULL);
-    poolp = inCertReqMsg->poolp;
-    mark = PORT_ArenaMark(poolp);
-    pop = PORT_ArenaZNew(poolp, CRMFProofOfPossession);
-    if (pop == NULL) {
-        goto loser;
-    }
-    pop->popUsed = inChoice;
-    /* popChoice is a union, so getting a pointer to one
-     * field gives me a pointer to the other fields as
-     * well.  This in essence points to both 
-     * pop->popChoice.keyEncipherment and
-     * pop->popChoice.keyAgreement
-     */
-    popoPrivKey = &pop->popChoice.keyEncipherment;
-
-    rv = SECITEM_CopyItem(poolp, &(popoPrivKey->message.thisMessage),
-			  encPrivKey);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    popoPrivKey->message.thisMessage.len <<= 3;
-    popoPrivKey->messageChoice = crmfThisMessage;
-    inCertReqMsg->pop = pop;
-    rv = crmf_encode_popoprivkey(poolp, inCertReqMsg, popoPrivKey,
-				 crmf_get_template_for_privkey(inChoice));
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    PORT_ArenaUnmark(poolp, mark);
-    return SECSuccess;
-    
- loser:
-    PORT_ArenaRelease(poolp, mark);
-    return SECFailure;
-}
-
-static SECStatus
-crmf_add_privkey_subseqmessage(CRMFCertReqMsg        *inCertReqMsg,
-			       CRMFSubseqMessOptions  subsequentMessage,
-			       CRMFPOPChoice          inChoice)
-{
-    void                  *mark;
-    PRArenaPool           *poolp;
-    CRMFProofOfPossession *pop;
-    CRMFPOPOPrivKey       *popoPrivKey;
-    SECStatus              rv;
-    const SEC_ASN1Template *privKeyTemplate;
-
-    if (subsequentMessage == crmfNoSubseqMess) {
-        return SECFailure;
-    }
-    poolp = inCertReqMsg->poolp;
-    mark = PORT_ArenaMark(poolp);
-    pop = PORT_ArenaZNew(poolp, CRMFProofOfPossession);
-    if (pop == NULL) {
-        goto loser;
-    }
-
-    pop->popUsed = inChoice;
-    /* 
-     * We have a union, so a pointer to one member of the union
-     * is also a member to another member of that same union.
-     */
-    popoPrivKey = &pop->popChoice.keyEncipherment;
-
-    switch (subsequentMessage) {
-    case crmfEncrCert:
-        rv = crmf_encode_integer(poolp, 
-				 &(popoPrivKey->message.subsequentMessage),
-				 0);
-	break;
-    case crmfChallengeResp:
-        rv = crmf_encode_integer(poolp,
-				 &(popoPrivKey->message.subsequentMessage),
-				 1);
-	break;
-    default:
-        goto loser;
-    }
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    popoPrivKey->messageChoice = crmfSubsequentMessage;
-    privKeyTemplate = crmf_get_template_for_privkey(inChoice);
-    inCertReqMsg->pop = pop;
-    rv = crmf_encode_popoprivkey(poolp, inCertReqMsg, popoPrivKey,
-				 privKeyTemplate);
-
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    PORT_ArenaUnmark(poolp, mark);
-    return SECSuccess;
- loser:
-    PORT_ArenaRelease(poolp, mark);
-    return SECFailure;
-}
-
-SECStatus 
-CRMF_CertReqMsgSetKeyEnciphermentPOP(CRMFCertReqMsg        *inCertReqMsg,
-				     CRMFPOPOPrivKeyChoice  inKeyChoice,
-				     CRMFSubseqMessOptions  subseqMess,
-				     SECItem               *encPrivKey)
-{
-    SECStatus rv;
-
-    PORT_Assert(inCertReqMsg != NULL && inCertReqMsg->pop == NULL);
-    if (CRMF_CertReqMsgGetPOPType(inCertReqMsg) != crmfNoPOPChoice) {
-        return SECFailure;
-    }
-    switch (inKeyChoice) {    
-    case crmfThisMessage:
-        rv = crmf_add_privkey_thismessage(inCertReqMsg, encPrivKey,
-					  crmfKeyEncipherment);
-	break;
-    case crmfSubsequentMessage:
-        rv = crmf_add_privkey_subseqmessage(inCertReqMsg, subseqMess, 
-					    crmfKeyEncipherment);
-        break;
-    case crmfDHMAC:
-    default:
-        rv = SECFailure;
-    }
-    return rv;
-}
-
-SECStatus 
-CRMF_CertReqMsgSetKeyAgreementPOP (CRMFCertReqMsg        *inCertReqMsg,
-				   CRMFPOPOPrivKeyChoice  inKeyChoice,
-				   CRMFSubseqMessOptions  subseqMess,
-				   SECItem               *encPrivKey)
-{
-    SECStatus rv;
-
-    PORT_Assert(inCertReqMsg != NULL && inCertReqMsg->pop == NULL);
-    switch (inKeyChoice) {    
-    case crmfThisMessage:
-        rv = crmf_add_privkey_thismessage(inCertReqMsg, encPrivKey,
-					  crmfKeyAgreement);
-	break;
-    case crmfSubsequentMessage:
-        rv = crmf_add_privkey_subseqmessage(inCertReqMsg, subseqMess, 
-					    crmfKeyAgreement);
-	break;
-    case crmfDHMAC:
-        /* This case should be added in the future. */
-    default:
-        rv = SECFailure;
-    }
-    return rv;
-}
-
diff --git a/security/nss/lib/crmf/crmfreq.c b/security/nss/lib/crmf/crmfreq.c
deleted file mode 100644
index b4e06bc32..000000000
--- a/security/nss/lib/crmf/crmfreq.c
+++ /dev/null
@@ -1,684 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "crmf.h"
-#include "crmfi.h"
-#include "keyhi.h"
-#include "secder.h"
-
-/*
- * Macro that returns PR_TRUE if the pointer is not NULL.
- * If the pointer is NULL, then the macro will return PR_FALSE.
- */
-#define IS_NOT_NULL(ptr) ((ptr) == NULL) ? PR_FALSE : PR_TRUE
-
-const unsigned char hexTrue  = 0xff;
-const unsigned char hexFalse = 0x00;
-
-
-SECStatus
-crmf_encode_integer(PRArenaPool *poolp, SECItem *dest, long value) 
-{
-    SECItem *dummy;
-
-    dummy = SEC_ASN1EncodeInteger(poolp, dest, value);
-    PORT_Assert (dummy == dest);
-    if (dummy == NULL) {
-        return SECFailure;
-    }
-    return SECSuccess;
-}
-
-static SECStatus
-crmf_copy_secitem (PRArenaPool *poolp, SECItem *dest, SECItem *src)
-{
-    return  SECITEM_CopyItem (poolp, dest, src); 
-}
-
-PRBool
-CRMF_DoesRequestHaveField (CRMFCertRequest       *inCertReq, 
-			   CRMFCertTemplateField  inField)
-{
-  
-    PORT_Assert(inCertReq != NULL);
-    if (inCertReq == NULL) {
-        return PR_FALSE;
-    }
-    switch (inField) {
-    case crmfVersion:
-        return inCertReq->certTemplate.version.data != NULL;
-    case crmfSerialNumber:
-        return inCertReq->certTemplate.serialNumber.data != NULL;
-    case crmfSigningAlg:
-        return inCertReq->certTemplate.signingAlg != NULL;
-    case crmfIssuer:
-        return inCertReq->certTemplate.issuer != NULL;
-    case crmfValidity:
-        return inCertReq->certTemplate.validity != NULL;
-    case crmfSubject:
-        return inCertReq->certTemplate.subject != NULL;
-    case crmfPublicKey:
-        return inCertReq->certTemplate.publicKey != NULL;
-    case crmfIssuerUID:
-        return inCertReq->certTemplate.issuerUID.data != NULL;
-    case crmfSubjectUID:
-        return inCertReq->certTemplate.subjectUID.data != NULL;
-    case crmfExtension:
-        return CRMF_CertRequestGetNumberOfExtensions(inCertReq) != 0;
-    }
-    return PR_FALSE;
-}
-
-CRMFCertRequest *
-CRMF_CreateCertRequest (long inRequestID) {
-    PRArenaPool     *poolp;
-    CRMFCertRequest *certReq;
-    SECStatus        rv;
-    
-    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
-    if (poolp == NULL) {
-        goto loser;
-    }
-    
-    certReq=PORT_ArenaZNew(poolp,CRMFCertRequest);
-    if (certReq == NULL) {
-        goto loser;
-    }
-
-    certReq->poolp = poolp;
-    certReq->requestID = inRequestID;
-    
-    rv = crmf_encode_integer(poolp, &(certReq->certReqId), inRequestID);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-
-    return certReq;
- loser:
-    if (poolp) {
-        PORT_FreeArena(poolp, PR_FALSE);
-    }
-    return NULL;
-}
-
-SECStatus
-CRMF_DestroyCertRequest(CRMFCertRequest *inCertReq)
-{
-    PORT_Assert(inCertReq != NULL);
-    if (inCertReq != NULL) {
-        if (inCertReq->certTemplate.extensions) {
-	    PORT_Free(inCertReq->certTemplate.extensions);
-	}
-	if (inCertReq->controls) {
-	    /* Right now we don't support EnveloppedData option,
-	     * so we won't go through and delete each occurrence of 
-	     * an EnveloppedData in the control.
-	     */
-	    PORT_Free(inCertReq->controls);
-	}
-	if (inCertReq->poolp) {
-	    PORT_FreeArena(inCertReq->poolp, PR_TRUE);
-	}
-    }
-    return SECSuccess;
-}
-
-static SECStatus
-crmf_template_add_version(PRArenaPool *poolp, SECItem *dest, long version)
-{
-    return (crmf_encode_integer(poolp, dest, version));
-}
-
-static SECStatus
-crmf_template_add_serialnumber(PRArenaPool *poolp, SECItem *dest, long serial)
-{
-    return (crmf_encode_integer(poolp, dest, serial));
-}
-
-SECStatus
-crmf_template_copy_secalg (PRArenaPool *poolp, SECAlgorithmID **dest, 
-			   SECAlgorithmID* src)
-{
-    SECStatus         rv;
-    void             *mark = NULL;
-    SECAlgorithmID   *mySecAlg;
-
-    if (poolp != NULL) {
-        mark = PORT_ArenaMark(poolp);
-    }
-    *dest = mySecAlg = PORT_ArenaZNew(poolp, SECAlgorithmID);
-    if (mySecAlg == NULL) {
-        goto loser;
-    }
-    rv = SECOID_CopyAlgorithmID(poolp, mySecAlg, src);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    if (mark) {
-        PORT_ArenaUnmark(poolp, mark);
-    }
-    return SECSuccess;
-
- loser:
-    *dest = NULL;
-    if (mark) {
-        PORT_ArenaRelease(poolp, mark);
-    }
-    return SECFailure;
-}
-
-SECStatus
-crmf_copy_cert_name(PRArenaPool *poolp, CERTName **dest, 
-		    CERTName *src)
-{
-    CERTName *newName;
-    SECStatus rv;
-    void     *mark;
-
-    mark = PORT_ArenaMark(poolp);
-    *dest = newName = PORT_ArenaZNew(poolp, CERTName);
-    if (newName == NULL) {
-        goto loser;
-    }
-
-    rv = CERT_CopyName(poolp, newName, src);
-    if (rv != SECSuccess) {
-      goto loser;
-    }
-    PORT_ArenaUnmark(poolp, mark);
-    return SECSuccess;
- loser:
-    PORT_ArenaRelease(poolp, mark);
-    *dest = NULL;
-    return SECFailure;
-}
-
-static SECStatus
-crmf_template_add_issuer (PRArenaPool *poolp, CERTName **dest, 
-			  CERTName* issuerName)
-{
-    return crmf_copy_cert_name(poolp, dest, issuerName);
-}
-
-
-static SECStatus
-crmf_template_add_validity (PRArenaPool *poolp, CRMFOptionalValidity **dest,
-			    CRMFValidityCreationInfo *info)
-{
-    SECStatus             rv;
-    void                 *mark; 
-    CRMFOptionalValidity *myValidity;
-
-    /*First off, let's make sure at least one of the two fields is present*/
-    if (!info  || (!info->notBefore && !info->notAfter)) {
-        return SECFailure;
-    }
-    mark = PORT_ArenaMark (poolp);
-    *dest = myValidity = PORT_ArenaZNew(poolp, CRMFOptionalValidity);
-    if (myValidity == NULL) {
-        goto loser;
-    }
-
-    if (info->notBefore) {
-        rv = DER_EncodeTimeChoice (poolp, &myValidity->notBefore, 
-				  *info->notBefore);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-    }
-    if (info->notAfter) {
-        rv = DER_EncodeTimeChoice (poolp, &myValidity->notAfter,
-				  *info->notAfter);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-    }
-    PORT_ArenaUnmark(poolp, mark);
-    return SECSuccess;
- loser:
-    PORT_ArenaRelease(poolp, mark);
-    *dest = NULL;
-    return SECFailure;
-}
-
-static SECStatus
-crmf_template_add_subject (PRArenaPool *poolp, CERTName **dest,
-			   CERTName *subject)
-{
-    return crmf_copy_cert_name(poolp, dest, subject);
-}
-
-SECStatus
-crmf_template_add_public_key(PRArenaPool *poolp, 
-			     CERTSubjectPublicKeyInfo **dest,
-			     CERTSubjectPublicKeyInfo  *pubKey)
-{
-    CERTSubjectPublicKeyInfo *spki;
-    SECStatus rv;
-
-    *dest = spki = (poolp == NULL) ?
-                              PORT_ZNew(CERTSubjectPublicKeyInfo) :
-                              PORT_ArenaZNew (poolp, CERTSubjectPublicKeyInfo);
-    if (spki == NULL) {
-        goto loser;
-    }
-    rv = SECKEY_CopySubjectPublicKeyInfo (poolp, spki, pubKey);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    return SECSuccess;
- loser:
-    if (poolp == NULL && spki != NULL) {
-        SECKEY_DestroySubjectPublicKeyInfo(spki);
-    }
-    *dest = NULL;
-    return SECFailure;
-}
-
-static SECStatus
-crmf_copy_bitstring (PRArenaPool *poolp, SECItem *dest, SECItem *src)
-{
-    SECStatus rv;
-    int origLenBits, numBytesToCopy;
-    
-    origLenBits = src->len;
-    numBytesToCopy = CRMF_BITS_TO_BYTES(origLenBits);
-    rv = crmf_copy_secitem(poolp, dest, src);
-    src->len = origLenBits;
-    dest->len = origLenBits;
-    return rv;
-}
-
-static SECStatus
-crmf_template_add_issuer_uid(PRArenaPool *poolp, SECItem *dest,
-			     SECItem *issuerUID)
-{
-    return crmf_copy_bitstring (poolp, dest, issuerUID);
-}
-
-static SECStatus
-crmf_template_add_subject_uid(PRArenaPool *poolp, SECItem *dest, 
-			      SECItem *subjectUID)
-{
-    return crmf_copy_bitstring (poolp, dest, subjectUID);
-}
-
-static void
-crmf_zeroize_new_extensions (CRMFCertExtension **extensions,
-			     int numToZeroize) 
-{
-    PORT_Memset((void*)extensions, 0, sizeof(CERTCertExtension*)*numToZeroize);
-}
-
-/*
- * The strategy for adding templates will differ from all the other
- * attributes in the template.  First, we want to allow the client
- * of this API to set extensions more than just once.  So we will
- * need the ability grow the array of extensions.  Since arenas don't
- * give us the realloc function, we'll use the generic PORT_* functions
- * to allocate the array of pointers *ONLY*.  Then we will allocate each
- * individual extension from the arena that comes along with the certReq
- * structure that owns this template.
- */
-static SECStatus
-crmf_template_add_extensions(PRArenaPool *poolp, CRMFCertTemplate *inTemplate,
-			     CRMFCertExtCreationInfo *extensions)
-{
-    void               *mark;
-    int                 newSize, oldSize, i;
-    SECStatus           rv;
-    CRMFCertExtension **extArray;
-    CRMFCertExtension  *newExt, *currExt;
-
-    mark = PORT_ArenaMark(poolp);
-    if (inTemplate->extensions == NULL) {
-        newSize = extensions->numExtensions;
-        extArray = PORT_ZNewArray(CRMFCertExtension*,newSize+1);
-    } else {
-        newSize = inTemplate->numExtensions + extensions->numExtensions;
-        extArray = PORT_Realloc(inTemplate->extensions, 
-				sizeof(CRMFCertExtension*)*(newSize+1));
-    }
-    if (extArray == NULL) {
-        goto loser;
-    }
-    oldSize                   = inTemplate->numExtensions;
-    inTemplate->extensions    = extArray;
-    inTemplate->numExtensions = newSize;
-    for (i=oldSize; i < newSize; i++) {
-        newExt = PORT_ArenaZNew(poolp, CRMFCertExtension);
-	if (newExt == NULL) {
-	    goto loser2;
-	}
-	currExt = extensions->extensions[i-oldSize];
-	rv = crmf_copy_secitem(poolp, &(newExt->id), &(currExt->id));
-	if (rv != SECSuccess) {
-	    goto loser2;
-	}
-	rv = crmf_copy_secitem(poolp, &(newExt->critical),
-			       &(currExt->critical));
-	if (rv != SECSuccess) {
-	    goto loser2;
-	}
-	rv = crmf_copy_secitem(poolp, &(newExt->value), &(currExt->value));
-	if (rv != SECSuccess) {
-	    goto loser2;
-	}
-	extArray[i] = newExt;
-    }
-    extArray[newSize] = NULL;
-    PORT_ArenaUnmark(poolp, mark);
-    return SECSuccess;
- loser2:
-    crmf_zeroize_new_extensions (&(inTemplate->extensions[oldSize]),
-				 extensions->numExtensions);
-    inTemplate->numExtensions = oldSize;
- loser:
-    PORT_ArenaRelease(poolp, mark);
-    return SECFailure;
-}
-
-SECStatus
-CRMF_CertRequestSetTemplateField(CRMFCertRequest       *inCertReq, 
-				 CRMFCertTemplateField  inTemplateField,
-				 void                  *data)
-{
-    CRMFCertTemplate *certTemplate;
-    PRArenaPool      *poolp;
-    SECStatus         rv = SECFailure;
-    void             *mark;
-    
-
-    if (inCertReq == NULL) {
-        return SECFailure;
-    }
-
-    certTemplate = &(inCertReq->certTemplate);
-
-    poolp = inCertReq->poolp;
-    mark = PORT_ArenaMark(poolp);
-    switch (inTemplateField) {
-    case crmfVersion:
-      rv = crmf_template_add_version(poolp,&(certTemplate->version), 
-				     *(long*)data);
-      break;
-    case crmfSerialNumber:
-      rv = crmf_template_add_serialnumber(poolp, 
-					  &(certTemplate->serialNumber),
-					  *(long*)data);
-      break;
-    case crmfSigningAlg:
-      rv = crmf_template_copy_secalg (poolp, &(certTemplate->signingAlg),
-				      (SECAlgorithmID*)data);
-      break;
-    case crmfIssuer:
-      rv = crmf_template_add_issuer (poolp, &(certTemplate->issuer), 
-				     (CERTName*)data);
-      break;
-    case crmfValidity:
-      rv = crmf_template_add_validity (poolp, &(certTemplate->validity),
-				       (CRMFValidityCreationInfo*)data);
-      break;
-    case crmfSubject:
-      rv = crmf_template_add_subject (poolp, &(certTemplate->subject),
-				      (CERTName*)data);
-      break;
-    case crmfPublicKey:
-      rv = crmf_template_add_public_key(poolp, &(certTemplate->publicKey),
-					(CERTSubjectPublicKeyInfo*)data);
-      break;
-    case crmfIssuerUID:
-      rv = crmf_template_add_issuer_uid(poolp, &(certTemplate->issuerUID),
-					(SECItem*)data);
-      break;
-    case crmfSubjectUID:
-      rv = crmf_template_add_subject_uid(poolp, &(certTemplate->subjectUID),
-					 (SECItem*)data);
-      break;
-    case crmfExtension:
-      rv = crmf_template_add_extensions(poolp, certTemplate, 
-					(CRMFCertExtCreationInfo*)data);
-      break;
-    }
-    if (rv != SECSuccess) {
-        PORT_ArenaRelease(poolp, mark);
-    } else {
-        PORT_ArenaUnmark(poolp, mark);
-    }
-    return rv;
-}
-
-SECStatus
-CRMF_CertReqMsgSetCertRequest (CRMFCertReqMsg  *inCertReqMsg, 
-			       CRMFCertRequest *inCertReq)
-{
-    PORT_Assert (inCertReqMsg != NULL && inCertReq != NULL);
-    if (inCertReqMsg == NULL || inCertReq == NULL) {
-        return SECFailure;
-    }
-    inCertReqMsg->certReq = crmf_copy_cert_request(inCertReqMsg->poolp,
-						   inCertReq);
-    return (inCertReqMsg->certReq == NULL) ? SECFailure : SECSuccess;
-}
-
-CRMFCertReqMsg*
-CRMF_CreateCertReqMsg(void)
-{
-    PRArenaPool    *poolp;
-    CRMFCertReqMsg *reqMsg;
-
-    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
-    if (poolp == NULL) {
-        goto loser;
-    }
-    reqMsg = PORT_ArenaZNew(poolp, CRMFCertReqMsg);
-    if (reqMsg == NULL) {
-        goto loser;
-    }
-    reqMsg->poolp = poolp;
-    return reqMsg;
-    
- loser:
-    if (poolp) {
-        PORT_FreeArena(poolp, PR_FALSE);
-    }
-    return NULL;
-}
-
-SECStatus 
-CRMF_DestroyCertReqMsg(CRMFCertReqMsg *inCertReqMsg)
-{
-    PORT_Assert(inCertReqMsg != NULL && inCertReqMsg->poolp != NULL);
-    if (!inCertReqMsg->isDecoded) {
-        if (inCertReqMsg->certReq->certTemplate.extensions != NULL) {
-	    PORT_Free(inCertReqMsg->certReq->certTemplate.extensions);
-	}
-	if (inCertReqMsg->certReq->controls != NULL) {
-	    PORT_Free(inCertReqMsg->certReq->controls);
-	}
-    }
-    PORT_FreeArena(inCertReqMsg->poolp, PR_TRUE);
-    return SECSuccess;
-}
-
-CRMFCertExtension*
-crmf_create_cert_extension(PRArenaPool *poolp, 
-			   SECOidTag    id,
-			   PRBool       isCritical,
-			   SECItem     *data)
-{
-    CRMFCertExtension *newExt;
-    SECOidData        *oidData;
-    SECStatus          rv;
-
-    newExt = (poolp == NULL) ? PORT_ZNew(CRMFCertExtension) :
-                               PORT_ArenaZNew(poolp, CRMFCertExtension);
-    if (newExt == NULL) {
-        goto loser;
-    }
-    oidData = SECOID_FindOIDByTag(id);
-    if (oidData == NULL || 
-	oidData->supportedExtension != SUPPORTED_CERT_EXTENSION) {
-       goto loser;
-    }
-
-    rv = SECITEM_CopyItem(poolp, &(newExt->id), &(oidData->oid));
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-
-    rv = SECITEM_CopyItem(poolp, &(newExt->value), data);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-
-    if (isCritical) {
-        newExt->critical.data = (poolp == NULL) ? 
-	                                PORT_New(unsigned char) :
-	                                PORT_ArenaNew(poolp, unsigned char);
-	if (newExt->critical.data == NULL) {
-	    goto loser;
-	}
-	newExt->critical.data[0] = hexTrue;
-	newExt->critical.len = 1;
-    }
-    return newExt;
- loser:
-    if (newExt != NULL && poolp == NULL) {
-        CRMF_DestroyCertExtension(newExt);
-    }
-    return NULL;
-}
-
-CRMFCertExtension *
-CRMF_CreateCertExtension(SECOidTag id,
-			 PRBool    isCritical,
-			 SECItem  *data) 
-{
-    return crmf_create_cert_extension(NULL, id, isCritical, data);
-}
-
-SECStatus
-crmf_destroy_cert_extension(CRMFCertExtension *inExtension, PRBool freeit)
-{
-    if (inExtension != NULL) {
-        SECITEM_FreeItem (&(inExtension->id), PR_FALSE);
-	SECITEM_FreeItem (&(inExtension->value), PR_FALSE);
-	SECITEM_FreeItem (&(inExtension->critical), PR_FALSE);
-	if (freeit) {
-	    PORT_Free(inExtension);
-	}
-    }
-    return SECSuccess;
-}
-
-SECStatus
-CRMF_DestroyCertExtension(CRMFCertExtension *inExtension)
-{
-    return crmf_destroy_cert_extension(inExtension, PR_TRUE);
-}
-
-SECStatus
-CRMF_DestroyCertReqMessages(CRMFCertReqMessages *inCertReqMsgs) 
-{
-    PORT_Assert (inCertReqMsgs != NULL);
-    if (inCertReqMsgs != NULL) {
-        PORT_FreeArena(inCertReqMsgs->poolp, PR_TRUE);
-    }
-    return SECSuccess;
-}
-
-static PRBool
-crmf_item_has_data(SECItem *item)
-{
-    if (item != NULL && item->data != NULL) {
-        return PR_TRUE;
-    }
-    return PR_FALSE;
-}
-
-PRBool
-CRMF_CertRequestIsFieldPresent(CRMFCertRequest       *inCertReq,
-			       CRMFCertTemplateField  inTemplateField)
-{
-    PRBool             retVal;
-    CRMFCertTemplate *certTemplate;
-
-    PORT_Assert(inCertReq != NULL);
-    if (inCertReq == NULL) {
-        /* This is probably some kind of error, but this is 
-	 * the safest return value for this function.
-	 */
-        return PR_FALSE;
-    }
-    certTemplate = &inCertReq->certTemplate;
-    switch (inTemplateField) {
-    case crmfVersion:
-      retVal = crmf_item_has_data(&certTemplate->version);
-      break;
-    case crmfSerialNumber:
-      retVal = crmf_item_has_data(&certTemplate->serialNumber);
-      break;
-    case crmfSigningAlg:
-      retVal = IS_NOT_NULL(certTemplate->signingAlg);
-      break;
-    case crmfIssuer:
-      retVal = IS_NOT_NULL(certTemplate->issuer);
-      break;
-    case crmfValidity:
-      retVal = IS_NOT_NULL(certTemplate->validity);
-      break;
-    case crmfSubject:
-      retVal = IS_NOT_NULL(certTemplate->subject);
-      break;
-    case crmfPublicKey:
-      retVal = IS_NOT_NULL(certTemplate->publicKey);
-      break;
-    case crmfIssuerUID:
-      retVal = crmf_item_has_data(&certTemplate->issuerUID);
-      break;
-    case crmfSubjectUID:
-      retVal = crmf_item_has_data(&certTemplate->subjectUID);
-      break;
-    case crmfExtension:
-      retVal = IS_NOT_NULL(certTemplate->extensions);
-      break;
-    default:
-      retVal = PR_FALSE;
-    }
-    return retVal;
-}
diff --git a/security/nss/lib/crmf/crmft.h b/security/nss/lib/crmf/crmft.h
deleted file mode 100644
index 5ea0d01ac..000000000
--- a/security/nss/lib/crmf/crmft.h
+++ /dev/null
@@ -1,220 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-
-/* Header file with all of the structures and types that will be exported 
- * by the security library for implementation of CRMF.
- */
-
-#ifndef _CRMFT_H_
-#define _CRMFT_H_
-
-/* Use these enumerated values for adding fields to the certificate request */
-typedef enum {
-    crmfVersion = 0,
-    crmfSerialNumber = 1,
-    crmfSigningAlg = 2,
-    crmfIssuer = 3,
-    crmfValidity = 4,
-    crmfSubject = 5,
-    crmfPublicKey = 6,
-    crmfIssuerUID = 7,
-    crmfSubjectUID = 8,
-    crmfExtension = 9
-} CRMFCertTemplateField;
-
-/*
- * An enumeration for the different types of controls.
- */
-typedef enum {
-    crmfNoControl = 0,
-    crmfRegTokenControl = 1,
-    crmfAuthenticatorControl = 2,
-    crmfPKIPublicationInfoControl = 3,
-    crmfPKIArchiveOptionsControl = 4,
-    crmfOldCertIDControl = 5,
-    crmfProtocolEncrKeyControl = 6
-} CRMFControlType;
-
-/*
- * The possible values that are passed into CRMF_CreatePKIPublicationInfo
- */
-typedef enum {
-    crmfDontPublish = 0,
-    crmfPleasePublish = 1
-} CRMFPublicationAction;
-
-/*
- * An enumeration for the possible for pubMethod which is a part of 
- * the SinglePubInfo ASN1 type.
- */
-typedef enum {
-    crmfDontCare = 0,
-    crmfX500 = 1,
-    crmfWeb = 2,
-    crmfLdap = 3
-} CRMFPublicationMethod;
-
-/*
- * An enumeration for the different options for PKIArchiveOptions type.
- */
-typedef enum {
-    crmfNoArchiveOptions = 0,
-    crmfEncryptedPrivateKey = 1,
-    crmfKeyGenParameters = 2,
-    crmfArchiveRemGenPrivKey = 3
-} CRMFPKIArchiveOptionsType;
-
-/*
- * An enumeration for the different options for ProofOfPossession
- */
-typedef enum {
-    crmfNoPOPChoice = 0,
-    crmfRAVerified = 1,
-    crmfSignature = 2,
-    crmfKeyEncipherment = 3,
-    crmfKeyAgreement = 4
-} CRMFPOPChoice;
-
-/*
- * An enumertion type for options for the authInfo field of the 
- * CRMFPOPOSigningKeyInput structure.
- */
-typedef enum {
-    crmfSender = 0,
-    crmfPublicKeyMAC = 1
-} CRMFPOPOSkiInputAuthChoice;
-
-/*
- * An enumeration for the SubsequentMessage Options.
- */
-typedef enum {
-    crmfNoSubseqMess = 0,
-    crmfEncrCert = 1,
-    crmfChallengeResp = 2
-} CRMFSubseqMessOptions;
-
-/*
- * An enumeration for the choice used by POPOPrivKey.
- */
-typedef enum {
-    crmfNoMessage = 0,
-    crmfThisMessage = 1,
-    crmfSubsequentMessage = 2,
-    crmfDHMAC = 3
-} CRMFPOPOPrivKeyChoice;
-
-/*
- * An enumeration for the choices for the EncryptedKey type.
- */
-typedef enum {
-    crmfNoEncryptedKeyChoice = 0,
-    crmfEncryptedValueChoice = 1,
-    crmfEnvelopedDataChoice = 2
-} CRMFEncryptedKeyChoice;
-
-/*
- * TYPE: CRMFEncoderOutputCallback
- *     This function type defines a prototype for a function that the CRMF
- *     library expects when encoding is performed.
- *
- * ARGUMENTS:
- *     arg
- *         This will be a pointer the user passed into an encoding function.
- *         The user of the library is free to use this pointer in any way.
- *         The most common use is to keep around a buffer for writing out
- *         the DER encoded bytes.
- *     buf
- *         The DER encoded bytes that should be written out.
- *     len
- *         The number of DER encoded bytes to write out.
- *
- */
-typedef void (*CRMFEncoderOutputCallback) (void *arg,
-					   const char *buf,
-					   unsigned long len);
-
-/*
- * Type for the function that gets a password.  Just in case we ever
- * need to support publicKeyMAC for POPOSigningKeyInput
- */
-typedef SECItem* (*CRMFMACPasswordCallback) (void *arg);
-
-typedef struct CRMFOptionalValidityStr      CRMFOptionalValidity;
-typedef struct CRMFValidityCreationInfoStr  CRMFGetValidity;
-typedef struct CRMFCertTemplateStr          CRMFCertTemplate;
-typedef struct CRMFCertRequestStr           CRMFCertRequest;
-typedef struct CRMFCertReqMsgStr            CRMFCertReqMsg;
-typedef struct CRMFCertReqMessagesStr       CRMFCertReqMessages;
-typedef struct CRMFProofOfPossessionStr     CRMFProofOfPossession;
-typedef struct CRMFPOPOSigningKeyStr        CRMFPOPOSigningKey;
-typedef struct CRMFPOPOSigningKeyInputStr   CRMFPOPOSigningKeyInput;
-typedef struct CRMFPOPOPrivKeyStr           CRMFPOPOPrivKey;
-typedef struct CRMFPKIPublicationInfoStr    CRMFPKIPublicationInfo;
-typedef struct CRMFSinglePubInfoStr         CRMFSinglePubInfo;
-typedef struct CRMFPKIArchiveOptionsStr     CRMFPKIArchiveOptions;
-typedef struct CRMFEncryptedKeyStr          CRMFEncryptedKey;
-typedef struct CRMFEncryptedValueStr        CRMFEncryptedValue;
-typedef struct CRMFCertIDStr                CRMFCertID;
-typedef struct CRMFCertIDStr                CRMFOldCertID;
-typedef CERTSubjectPublicKeyInfo            CRMFProtocolEncrKey;
-typedef struct CRMFValidityCreationInfoStr  CRMFValidityCreationInfo;
-typedef struct CRMFCertExtCreationInfoStr   CRMFCertExtCreationInfo;
-typedef struct CRMFPKMACValueStr            CRMFPKMACValue;
-typedef struct CRMFAttributeStr             CRMFAttribute;
-typedef struct CRMFControlStr               CRMFControl;
-typedef CERTGeneralName                     CRMFGeneralName;
-typedef struct CRMFCertExtensionStr         CRMFCertExtension;
-
-struct CRMFValidityCreationInfoStr {
-    PRTime *notBefore;
-    PRTime *notAfter;
-};
-
-struct CRMFCertExtCreationInfoStr {
-    CRMFCertExtension **extensions;
-    int numExtensions;
-};
-
-/*
- * Some ASN1 Templates that may be needed.
- */
-extern const SEC_ASN1Template CRMFCertReqMessagesTemplate[];
-extern const SEC_ASN1Template CRMFCertRequestTemplate[];
-
-
-#endif /*_CRMFT_H_*/
diff --git a/security/nss/lib/crmf/crmftmpl.c b/security/nss/lib/crmf/crmftmpl.c
deleted file mode 100644
index 594feea3e..000000000
--- a/security/nss/lib/crmf/crmftmpl.c
+++ /dev/null
@@ -1,302 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*- */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "crmf.h"
-#include "crmfi.h"
-#include "secoid.h"
-#include "secasn1.h"
-
-SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
-SEC_ASN1_MKSUB(SEC_AnyTemplate)
-SEC_ASN1_MKSUB(SEC_NullTemplate)
-SEC_ASN1_MKSUB(SEC_BitStringTemplate)
-SEC_ASN1_MKSUB(SEC_IntegerTemplate)
-SEC_ASN1_MKSUB(SEC_OctetStringTemplate)
-SEC_ASN1_MKSUB(CERT_TimeChoiceTemplate)
-SEC_ASN1_MKSUB(CERT_SubjectPublicKeyInfoTemplate)
-SEC_ASN1_MKSUB(CERT_NameTemplate)
-
-/* 
- * It's all implicit tagging.
- */
-
-const SEC_ASN1Template CRMFControlTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFControl)},
-    { SEC_ASN1_OBJECT_ID, offsetof(CRMFControl, derTag)},
-    { SEC_ASN1_ANY, offsetof(CRMFControl, derValue) },
-    { 0 }
-};
-
-static const SEC_ASN1Template CRMFCertExtensionTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CRMFCertExtension) },
-    { SEC_ASN1_OBJECT_ID,
-	  offsetof(CRMFCertExtension,id) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN,
-	  offsetof(CRMFCertExtension,critical) },
-    { SEC_ASN1_OCTET_STRING,
-	  offsetof(CRMFCertExtension,value) },
-    { 0, }
-};
-
-static const SEC_ASN1Template CRMFSequenceOfCertExtensionTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF, 0, CRMFCertExtensionTemplate }
-};
-
-static const SEC_ASN1Template CRMFOptionalValidityTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof (CRMFOptionalValidity) },
-    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_NO_STREAM |
-      SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | SEC_ASN1_XTRN | 0, 
-      offsetof (CRMFOptionalValidity, notBefore),
-      SEC_ASN1_SUB(CERT_TimeChoiceTemplate) },
-    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_NO_STREAM |
-      SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | SEC_ASN1_XTRN | 1, 
-      offsetof (CRMFOptionalValidity, notAfter),
-      SEC_ASN1_SUB(CERT_TimeChoiceTemplate) },
-    { 0 }
-};
-
-static const SEC_ASN1Template crmfPointerToNameTemplate[] = {
-    { SEC_ASN1_POINTER | SEC_ASN1_XTRN, 0, SEC_ASN1_SUB(CERT_NameTemplate)},
-    { 0 }
-};
-
-static const SEC_ASN1Template CRMFCertTemplateTemplate[] = {
-   { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFCertTemplate) },
-   { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, 
-     offsetof(CRMFCertTemplate, version), 
-     SEC_ASN1_SUB(SEC_IntegerTemplate) },
-   { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | SEC_ASN1_XTRN | 1 ,
-     offsetof (CRMFCertTemplate, serialNumber), 
-     SEC_ASN1_SUB(SEC_IntegerTemplate) },
-   { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 
-     SEC_ASN1_XTRN | 2, 
-     offsetof (CRMFCertTemplate, signingAlg), 
-     SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-   { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 
-     SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | 3, 
-     offsetof (CRMFCertTemplate, issuer), crmfPointerToNameTemplate },
-   { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 4, 
-     offsetof (CRMFCertTemplate, validity), 
-     CRMFOptionalValidityTemplate },
-   { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 
-     SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | 5, 
-     offsetof (CRMFCertTemplate, subject), crmfPointerToNameTemplate },
-   { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 
-     SEC_ASN1_XTRN | 6, 
-     offsetof (CRMFCertTemplate, publicKey), 
-     SEC_ASN1_SUB(CERT_SubjectPublicKeyInfoTemplate) }, 
-   { SEC_ASN1_NO_STREAM | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | 
-     SEC_ASN1_XTRN | 7,
-     offsetof (CRMFCertTemplate, issuerUID), 
-     SEC_ASN1_SUB(SEC_BitStringTemplate) },
-   { SEC_ASN1_NO_STREAM | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL |
-     SEC_ASN1_XTRN | 8,
-     offsetof (CRMFCertTemplate, subjectUID), 
-     SEC_ASN1_SUB(SEC_BitStringTemplate) },
-   { SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL | 
-     SEC_ASN1_CONTEXT_SPECIFIC | 9, 
-     offsetof (CRMFCertTemplate, extensions), 
-     CRMFSequenceOfCertExtensionTemplate },
-   { 0 }
-};
-
-static const SEC_ASN1Template CRMFAttributeTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFAttribute)},
-    { SEC_ASN1_OBJECT_ID, offsetof(CRMFAttribute, derTag)},
-    { SEC_ASN1_ANY, offsetof(CRMFAttribute, derValue) },
-    { 0 }
-};
-
-const SEC_ASN1Template CRMFCertRequestTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof (CRMFCertRequest) },
-    { SEC_ASN1_INTEGER, offsetof(CRMFCertRequest, certReqId)},
-    { SEC_ASN1_INLINE, offsetof(CRMFCertRequest, certTemplate), 
-      CRMFCertTemplateTemplate},
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
-      offsetof(CRMFCertRequest,controls), 
-      CRMFControlTemplate}, /* SEQUENCE SIZE (1...MAX)*/
-    { 0 }
-};
-
-const SEC_ASN1Template CRMFCertReqMsgTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFCertReqMsg) },
-    { SEC_ASN1_POINTER, offsetof(CRMFCertReqMsg, certReq),
-      CRMFCertRequestTemplate },
-    { SEC_ASN1_ANY | SEC_ASN1_OPTIONAL,
-      offsetof(CRMFCertReqMsg, derPOP) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
-      offsetof(CRMFCertReqMsg, regInfo), 
-      CRMFAttributeTemplate}, /* SEQUENCE SIZE (1...MAX)*/
-    { 0 }
-};
-
-const SEC_ASN1Template CRMFCertReqMessagesTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF, offsetof(CRMFCertReqMessages, messages), 
-      CRMFCertReqMsgTemplate, sizeof (CRMFCertReqMessages)}
-};
-
-static const SEC_ASN1Template CRMFPOPOSigningKeyInputTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL,sizeof(CRMFPOPOSigningKeyInput) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | 
-      SEC_ASN1_CONTEXT_SPECIFIC | 0,
-      offsetof(CRMFPOPOSigningKeyInput, authInfo.sender) },
-    { SEC_ASN1_BIT_STRING | SEC_ASN1_OPTIONAL | 1,
-      offsetof (CRMFPOPOSigningKeyInput, authInfo.publicKeyMAC) },
-    { SEC_ASN1_INLINE | SEC_ASN1_XTRN, 
-      offsetof(CRMFPOPOSigningKeyInput, publicKey), 
-      SEC_ASN1_SUB(CERT_SubjectPublicKeyInfoTemplate) },
-    { 0 }
-};
-
-const SEC_ASN1Template CRMFRAVerifiedTemplate[] = {
-    { SEC_ASN1_CONTEXT_SPECIFIC | 0 | SEC_ASN1_XTRN, 
-      0,
-      SEC_ASN1_SUB(SEC_NullTemplate) },
-    { 0 }
-};
-
-
-/* This template will need to add POPOSigningKeyInput eventually, maybe*/
-static const SEC_ASN1Template crmfPOPOSigningKeyTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFPOPOSigningKey) },
-    { SEC_ASN1_NO_STREAM | SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 
-      SEC_ASN1_XTRN | 0,
-      offsetof(CRMFPOPOSigningKey, derInput), 
-      SEC_ASN1_SUB(SEC_AnyTemplate) },
-    { SEC_ASN1_POINTER | SEC_ASN1_XTRN, 
-      offsetof(CRMFPOPOSigningKey, algorithmIdentifier),
-      SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-    { SEC_ASN1_BIT_STRING | SEC_ASN1_XTRN, 
-      offsetof(CRMFPOPOSigningKey, signature),
-      SEC_ASN1_SUB(SEC_BitStringTemplate) },
-    { 0 }
-};
-
-const SEC_ASN1Template CRMFPOPOSigningKeyTemplate[] = {
-    { SEC_ASN1_CONTEXT_SPECIFIC | 1,
-      0,
-      crmfPOPOSigningKeyTemplate},
-    { 0 }
-};
-
-const SEC_ASN1Template CRMFThisMessageTemplate[] = {
-    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
-      0,
-      SEC_ASN1_SUB(SEC_BitStringTemplate) },
-    { 0 }
-};
-
-const SEC_ASN1Template CRMFSubsequentMessageTemplate[] = {
-    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
-      0, 
-      SEC_ASN1_SUB(SEC_IntegerTemplate) },
-    { 0 }
-};
-
-const SEC_ASN1Template CRMFDHMACTemplate[] = {
-    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
-      0,
-      SEC_ASN1_SUB(SEC_BitStringTemplate) },
-    { 0 }
-};
-
-const SEC_ASN1Template CRMFPOPOKeyEnciphermentTemplate[] = {
-    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | 
-      SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2,
-      0,
-      SEC_ASN1_SUB(SEC_AnyTemplate) },
-    { 0 }
-};
-
-const SEC_ASN1Template CRMFPOPOKeyAgreementTemplate[] = {
-    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | 
-      SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 3,
-      0,
-      SEC_ASN1_SUB(SEC_AnyTemplate)},
-    { 0 }
-};
-
-const SEC_ASN1Template CRMFEncryptedValueTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFEncryptedValue)},
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 
-      SEC_ASN1_XTRN | 0,
-      offsetof(CRMFEncryptedValue, intendedAlg), 
-      SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 
-      SEC_ASN1_XTRN | 1,
-      offsetof (CRMFEncryptedValue, symmAlg), 
-      SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-    { SEC_ASN1_NO_STREAM | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | 
-      SEC_ASN1_XTRN | 2, 
-      offsetof(CRMFEncryptedValue, encSymmKey), 
-      SEC_ASN1_SUB(SEC_BitStringTemplate) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 
-      SEC_ASN1_XTRN | 3,
-      offsetof(CRMFEncryptedValue, keyAlg), 
-      SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-    { SEC_ASN1_NO_STREAM | SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 
-      SEC_ASN1_XTRN | 4,
-      offsetof(CRMFEncryptedValue, valueHint),
-      SEC_ASN1_SUB(SEC_OctetStringTemplate) },
-    { SEC_ASN1_BIT_STRING, offsetof(CRMFEncryptedValue, encValue) },
-    { 0 }
-};
-
-const SEC_ASN1Template CRMFEncryptedKeyWithEncryptedValueTemplate [] = {
-    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | 
-      SEC_ASN1_CONTEXT_SPECIFIC | 0,
-      0,
-      CRMFEncryptedValueTemplate},
-    { 0 }
-};
-
-static const SEC_ASN1Template CRMFSinglePubInfoTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof (CRMFSinglePubInfo)},
-    { SEC_ASN1_INTEGER, offsetof(CRMFSinglePubInfo, pubMethod) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC,
-      offsetof(CRMFSinglePubInfo, pubLocation) },
-    { 0 }
-};
-
-static const SEC_ASN1Template CRMFPublicationInfoTemplate[] ={ 
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFPKIPublicationInfo) },
-    { SEC_ASN1_INTEGER, offsetof(CRMFPKIPublicationInfo, action) },
-    { SEC_ASN1_POINTER, offsetof(CRMFPKIPublicationInfo, pubInfos),
-      CRMFSinglePubInfoTemplate},
-    { 0 }
-};
diff --git a/security/nss/lib/crmf/encutil.c b/security/nss/lib/crmf/encutil.c
deleted file mode 100644
index 2e324b681..000000000
--- a/security/nss/lib/crmf/encutil.c
+++ /dev/null
@@ -1,66 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*- */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "secasn1.h"
-#include "crmf.h"
-#include "crmfi.h"
-
-void
-crmf_encoder_out(void *arg, const char *buf, unsigned long len,
-		 int depth, SEC_ASN1EncodingPart data_kind)
-{
-    struct crmfEncoderOutput *output;
-
-    output = (struct crmfEncoderOutput*) arg;
-    output->fn (output->outputArg, buf, len);
-}
-
-SECStatus
-cmmf_user_encode(void *src, CRMFEncoderOutputCallback inCallback, void *inArg,
-		 const SEC_ASN1Template *inTemplate)
-{
-    struct crmfEncoderOutput output;
-
-    PORT_Assert(src != NULL);
-    if (src == NULL) {
-        return SECFailure;
-    }
-    output.fn        = inCallback;
-    output.outputArg = inArg;
-    return SEC_ASN1Encode(src, inTemplate, crmf_encoder_out, &output);    
-}
-
diff --git a/security/nss/lib/crmf/manifest.mn b/security/nss/lib/crmf/manifest.mn
deleted file mode 100644
index 832eab47a..000000000
--- a/security/nss/lib/crmf/manifest.mn
+++ /dev/null
@@ -1,75 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-MODULE = nss
-
-EXPORTS = \
-	crmf.h	\
-	crmft.h	\
-	cmmf.h  \
-	cmmft.h \
-	$(NULL)
-
-PRIVATE_EXPORTS = \
-	crmfi.h   \
-	crmfit.h  \
-	cmmfi.h   \
-	cmmfit.h  \
-	$(NULL)
-
-CSRCS = crmfenc.c	\
-	crmftmpl.c	\
-	crmfreq.c	\
-	crmfpop.c	\
-	crmfdec.c	\
-	crmfget.c	\
-	crmfcont.c	\
-	cmmfasn1.c	\
-	cmmfresp.c	\
-	cmmfrec.c	\
-	cmmfchal.c	\
-	servget.c	\
-	encutil.c	\
-	respcli.c	\
-	respcmn.c	\
-	challcli.c	\
-	asn1cmn.c	\
-	$(NULL)
-
-LIBRARY_NAME = crmf
diff --git a/security/nss/lib/crmf/respcli.c b/security/nss/lib/crmf/respcli.c
deleted file mode 100644
index e1176a797..000000000
--- a/security/nss/lib/crmf/respcli.c
+++ /dev/null
@@ -1,169 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-
-/*
- * This file will contain all routines needed by a client that has 
- * to parse a CMMFCertRepContent structure and retirieve the appropriate
- * data.
- */
-
-#include "cmmf.h"
-#include "cmmfi.h"
-#include "crmf.h"
-#include "crmfi.h"
-#include "secitem.h"
-#include "secder.h"
-#include "secasn1.h"
-
-CMMFCertRepContent*
-CMMF_CreateCertRepContentFromDER(CERTCertDBHandle *db, const char *buf, 
-				 long len)
-{
-    PRArenaPool        *poolp;
-    CMMFCertRepContent *certRepContent;
-    SECStatus           rv;
-    int                 i;
-
-    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
-    if (poolp == NULL) {
-        return NULL;
-    }
-    certRepContent = PORT_ArenaZNew(poolp, CMMFCertRepContent);
-    if (certRepContent == NULL) {
-        goto loser;
-    }
-    certRepContent->poolp = poolp;
-    rv = SEC_ASN1Decode(poolp, certRepContent, CMMFCertRepContentTemplate,
-			buf, len);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    if (certRepContent->response != NULL) {
-        for (i=0; certRepContent->response[i] != NULL; i++) {
-	    rv = cmmf_decode_process_cert_response(poolp, db,
-					       certRepContent->response[i]);
-	    if (rv != SECSuccess) {
-	        goto loser;
-	    }
-	}
-    }
-    certRepContent->isDecoded = PR_TRUE;
-    return certRepContent;
- loser:
-    PORT_FreeArena(poolp, PR_FALSE);
-    return NULL;
-}
-
-long
-CMMF_CertResponseGetCertReqId(CMMFCertResponse *inCertResp)
-{
-    PORT_Assert(inCertResp != NULL);
-    if (inCertResp == NULL) {
-        return -1;
-    }
-    return DER_GetInteger(&inCertResp->certReqId);
-}
-
-PRBool
-cmmf_CertRepContentIsIndexValid(CMMFCertRepContent *inCertRepContent,
-                                int                 inIndex)
-{
-    int numResponses;
-
-    PORT_Assert(inCertRepContent != NULL);
-    numResponses = CMMF_CertRepContentGetNumResponses(inCertRepContent);
-    return (PRBool)(inIndex >= 0 && inIndex < numResponses);
-}
-
-CMMFCertResponse*
-CMMF_CertRepContentGetResponseAtIndex(CMMFCertRepContent *inCertRepContent,
-				      int                 inIndex)
-{
-    CMMFCertResponse *certResponse;
-    SECStatus         rv;
-
-    PORT_Assert(inCertRepContent != NULL &&
-		cmmf_CertRepContentIsIndexValid(inCertRepContent, inIndex));
-    if (inCertRepContent == NULL ||
-	!cmmf_CertRepContentIsIndexValid(inCertRepContent, inIndex)) {
-        return NULL;
-    }
-    certResponse = PORT_ZNew(CMMFCertResponse);
-    rv = cmmf_CopyCertResponse(NULL, certResponse, 
-			       inCertRepContent->response[inIndex]);
-    if (rv != SECSuccess) {
-        CMMF_DestroyCertResponse(certResponse);
-	certResponse = NULL;
-    }
-    return certResponse;
-}
-
-CMMFPKIStatus
-CMMF_CertResponseGetPKIStatusInfoStatus(CMMFCertResponse *inCertResp)
-{
-    PORT_Assert(inCertResp != NULL);
-    if (inCertResp == NULL) {
-        return cmmfNoPKIStatus;
-    }
-    return cmmf_PKIStatusInfoGetStatus(&inCertResp->status);
-}
-
-CERTCertificate*
-CMMF_CertResponseGetCertificate(CMMFCertResponse *inCertResp,
-				CERTCertDBHandle *inCertdb)
-{
-    PORT_Assert(inCertResp != NULL);
-    if (inCertResp == NULL || inCertResp->certifiedKeyPair == NULL) {
-        return NULL;
-    }
-    
-    return cmmf_CertOrEncCertGetCertificate(
-		&inCertResp->certifiedKeyPair->certOrEncCert, inCertdb);
-				   
-}
-
-CERTCertList*
-CMMF_CertRepContentGetCAPubs (CMMFCertRepContent *inCertRepContent)
-{
-    PORT_Assert (inCertRepContent != NULL);
-    if (inCertRepContent == NULL || inCertRepContent->caPubs == NULL) {
-        return NULL;
-    }
-    return cmmf_MakeCertList(inCertRepContent->caPubs);
-}
-
diff --git a/security/nss/lib/crmf/respcmn.c b/security/nss/lib/crmf/respcmn.c
deleted file mode 100644
index 153ecee51..000000000
--- a/security/nss/lib/crmf/respcmn.c
+++ /dev/null
@@ -1,424 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "nssrenam.h"
-#include "cmmf.h"
-#include "cmmfi.h"
-#include "secitem.h"
-#include "secder.h"
-
-SECStatus 
-cmmf_DestroyPKIStatusInfo (CMMFPKIStatusInfo *info, PRBool freeit)
-{
-    if (info->status.data != NULL) {
-        PORT_Free(info->status.data);
-    }
-    if (info->statusString.data != NULL) {
-        PORT_Free(info->statusString.data);
-    }
-    if (info->failInfo.data != NULL) {
-        PORT_Free(info->failInfo.data);
-    }
-    if (freeit) {
-        PORT_Free(info);
-    }
-    return SECSuccess;
-}
-
-SECStatus
-CMMF_DestroyCertResponse(CMMFCertResponse *inCertResp)
-{
-    PORT_Assert(inCertResp != NULL);
-    if (inCertResp != NULL) {
-        if (inCertResp->certReqId.data != NULL) {
-	    PORT_Free(inCertResp->certReqId.data);
-	}
-	cmmf_DestroyPKIStatusInfo(&inCertResp->status, PR_FALSE);
-	if (inCertResp->certifiedKeyPair != NULL) {
-	    CMMF_DestroyCertifiedKeyPair(inCertResp->certifiedKeyPair);
-	}
-	PORT_Free(inCertResp);
-    }
-    return SECSuccess;
-}
-
-SECStatus
-CMMF_DestroyCertRepContent(CMMFCertRepContent *inCertRepContent)
-{
-    PORT_Assert(inCertRepContent != NULL);
-    if (inCertRepContent != NULL) {
-        CMMFCertResponse   **pResponse = inCertRepContent->response;
-        if (pResponse != NULL) {
-            for (; *pResponse != NULL; pResponse++) {
-	        CMMFCertifiedKeyPair *certKeyPair = (*pResponse)->certifiedKeyPair;
-		/* XXX Why not call CMMF_DestroyCertifiedKeyPair or
-		** XXX cmmf_DestroyCertOrEncCert ?  
-		*/
-                if (certKeyPair != NULL                    &&
-                    certKeyPair->certOrEncCert.choice == cmmfCertificate &&
-                    certKeyPair->certOrEncCert.cert.certificate != NULL) {
-                    CERT_DestroyCertificate
-                                 (certKeyPair->certOrEncCert.cert.certificate);
-		    certKeyPair->certOrEncCert.cert.certificate = NULL;
-                }
-            }
-        }
-	if (inCertRepContent->caPubs) {
-	    CERTCertificate     **caPubs = inCertRepContent->caPubs;
-	    for (; *caPubs; ++caPubs) {
-		CERT_DestroyCertificate(*caPubs);
-		*caPubs = NULL;
-	    }
-	}
-	if (inCertRepContent->poolp != NULL) {
-	    PORT_FreeArena(inCertRepContent->poolp, PR_TRUE);
-	}
-    }
-    return SECSuccess;
-}
-
-SECStatus
-CMMF_DestroyPOPODecKeyChallContent(CMMFPOPODecKeyChallContent *inDecKeyCont)
-{
-    PORT_Assert(inDecKeyCont != NULL);
-    if (inDecKeyCont != NULL && inDecKeyCont->poolp) {
-        PORT_FreeArena(inDecKeyCont->poolp, PR_FALSE);
-    }
-    return SECSuccess;
-}
-
-SECStatus
-crmf_create_prtime(SECItem *src, PRTime **dest)
-{
-   *dest = PORT_ZNew(PRTime);
-    return DER_DecodeTimeChoice(*dest, src);
-}
-
-CRMFCertExtension*
-crmf_copy_cert_extension(PRArenaPool *poolp, CRMFCertExtension *inExtension)
-{
-    PRBool             isCritical;
-    SECOidTag          id;
-    SECItem           *data;
-    CRMFCertExtension *newExt;
-
-    PORT_Assert(inExtension != NULL);
-    if (inExtension == NULL) {
-        return NULL;
-    }
-    id         = CRMF_CertExtensionGetOidTag(inExtension);
-    isCritical = CRMF_CertExtensionGetIsCritical(inExtension);
-    data       = CRMF_CertExtensionGetValue(inExtension);
-    newExt = crmf_create_cert_extension(poolp, id, 
-					isCritical,
-					data);
-    SECITEM_FreeItem(data, PR_TRUE);
-    return newExt;    
-}
-
-static SECItem*
-cmmf_encode_certificate(CERTCertificate *inCert)
-{
-    return SEC_ASN1EncodeItem(NULL, NULL, inCert, 
-			      SEC_ASN1_GET(SEC_SignedCertificateTemplate));
-}
-
-CERTCertList*
-cmmf_MakeCertList(CERTCertificate **inCerts)
-{
-    CERTCertList    *certList;
-    CERTCertificate *currCert;
-    SECItem         *derCert, *freeCert = NULL;
-    SECStatus        rv;
-    int              i;
-
-    certList = CERT_NewCertList();
-    if (certList == NULL) {
-        return NULL;
-    }
-    for (i=0; inCerts[i] != NULL; i++) {
-        derCert = &inCerts[i]->derCert;
-	if (derCert->data == NULL) {
-	    derCert = freeCert = cmmf_encode_certificate(inCerts[i]);
-	}
-	currCert=CERT_NewTempCertificate(CERT_GetDefaultCertDB(), 
-	                                 derCert, NULL, PR_FALSE, PR_TRUE);
-	if (freeCert != NULL) {
-	    SECITEM_FreeItem(freeCert, PR_TRUE);
-	    freeCert = NULL;
-	}
-	if (currCert == NULL) {
-	    goto loser;
-	}
-	rv = CERT_AddCertToListTail(certList, currCert);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-    }
-    return certList;
- loser:
-    CERT_DestroyCertList(certList);
-    return NULL;
-}
-
-CMMFPKIStatus
-cmmf_PKIStatusInfoGetStatus(CMMFPKIStatusInfo *inStatus)
-{
-    long derVal;
-
-    derVal = DER_GetInteger(&inStatus->status);
-    if (derVal == -1 || derVal < cmmfGranted || derVal >= cmmfNumPKIStatus) {
-        return cmmfNoPKIStatus;
-    }
-    return (CMMFPKIStatus)derVal;
-}
-
-int
-CMMF_CertRepContentGetNumResponses(CMMFCertRepContent *inCertRepContent)
-{
-    int numResponses = 0;
-    PORT_Assert (inCertRepContent != NULL);
-    if (inCertRepContent != NULL && inCertRepContent->response != NULL) {
-        while (inCertRepContent->response[numResponses] != NULL) {
-	    numResponses++;
-	}
-    }
-    return numResponses;
-}
-
-
-SECStatus
-cmmf_DestroyCertOrEncCert(CMMFCertOrEncCert *certOrEncCert, PRBool freeit)
-{
-    switch (certOrEncCert->choice) {
-    case cmmfCertificate:
-        CERT_DestroyCertificate(certOrEncCert->cert.certificate);
-	certOrEncCert->cert.certificate = NULL;
-	break;
-    case cmmfEncryptedCert:
-        crmf_destroy_encrypted_value(certOrEncCert->cert.encryptedCert,
-				     PR_TRUE);
-	break;
-    default:
-        break;
-    }
-    if (freeit) {
-        PORT_Free(certOrEncCert);
-    }
-    return SECSuccess;
-}
-
-SECStatus
-cmmf_copy_secitem (PRArenaPool *poolp, SECItem *dest, SECItem *src)
-{
-    SECStatus rv;
-
-    if (src->data != NULL) {
-        rv = SECITEM_CopyItem(poolp, dest, src);
-    } else {
-        dest->data = NULL;
-	dest->len  = 0;
-	rv = SECSuccess;
-    }
-    return rv;
-}
-
-SECStatus
-CMMF_DestroyCertifiedKeyPair(CMMFCertifiedKeyPair *inCertKeyPair)
-{
-    PORT_Assert(inCertKeyPair != NULL);
-    if (inCertKeyPair != NULL) {
-        cmmf_DestroyCertOrEncCert(&inCertKeyPair->certOrEncCert, PR_FALSE);
-    }
-    if (inCertKeyPair->privateKey) {
-        crmf_destroy_encrypted_value(inCertKeyPair->privateKey, PR_TRUE);
-    }
-    if (inCertKeyPair->derPublicationInfo.data) {
-        PORT_Free(inCertKeyPair->derPublicationInfo.data);
-    }
-    PORT_Free(inCertKeyPair);
-    return SECSuccess;
-}
-
-SECStatus
-cmmf_CopyCertResponse(PRArenaPool      *poolp, 
-		      CMMFCertResponse *dest,
-		      CMMFCertResponse *src)
-{
-    SECStatus rv;
-
-    if (src->certReqId.data != NULL) {
-        rv = SECITEM_CopyItem(poolp, &dest->certReqId, &src->certReqId);
-	if (rv != SECSuccess) {
-	    return rv;
-	}
-    }
-    rv = cmmf_CopyPKIStatusInfo(poolp, &dest->status, &src->status);
-    if (rv != SECSuccess) {
-        return rv;
-    }
-    if (src->certifiedKeyPair != NULL) {
-        dest->certifiedKeyPair = (poolp == NULL) ?
-                                  PORT_ZNew(CMMFCertifiedKeyPair) :
-	                          PORT_ArenaZNew(poolp, CMMFCertifiedKeyPair);
-	if (dest->certifiedKeyPair == NULL) {
-	    return SECFailure;
-	}
-        rv = cmmf_CopyCertifiedKeyPair(poolp, dest->certifiedKeyPair,
-				       src->certifiedKeyPair);
-	if (rv != SECSuccess) {
-	    return rv;
-	}
-    }
-    return SECSuccess;
-}
-
-static SECStatus
-cmmf_CopyCertOrEncCert(PRArenaPool *poolp, CMMFCertOrEncCert *dest,
-		       CMMFCertOrEncCert *src)
-{
-    SECStatus           rv = SECSuccess;
-    CRMFEncryptedValue *encVal;
-
-    dest->choice = src->choice;
-    rv = cmmf_copy_secitem(poolp, &dest->derValue, &src->derValue);
-    switch (src->choice) {
-    case cmmfCertificate:
-        dest->cert.certificate = CERT_DupCertificate(src->cert.certificate);
-	break;
-    case cmmfEncryptedCert:
-        dest->cert.encryptedCert = encVal = (poolp == NULL) ?
-	                             PORT_ZNew(CRMFEncryptedValue) :
-				     PORT_ArenaZNew(poolp, CRMFEncryptedValue);
-	if (encVal == NULL) {
-	    return SECFailure;
-	}
-        rv = crmf_copy_encryptedvalue(poolp, src->cert.encryptedCert, encVal);
-	if (rv != SECSuccess) {
-	    return rv;
-	}
-	break;
-    default:
-        rv = SECFailure;
-    }
-    return rv;
-}
-
-SECStatus
-cmmf_CopyCertifiedKeyPair(PRArenaPool *poolp, CMMFCertifiedKeyPair *dest,
-			  CMMFCertifiedKeyPair *src)
-{
-    SECStatus rv;
-
-    rv = cmmf_CopyCertOrEncCert(poolp, &dest->certOrEncCert, 
-				&src->certOrEncCert);
-    if (rv != SECSuccess) {
-        return rv;
-    }
-
-    if (src->privateKey != NULL) {
-        CRMFEncryptedValue *encVal;
-
-	encVal = dest->privateKey = (poolp == NULL) ?
-	                             PORT_ZNew(CRMFEncryptedValue) :
-                                     PORT_ArenaZNew(poolp, CRMFEncryptedValue);
-	if (encVal == NULL) {
-	    return SECFailure;
-	}
-        rv = crmf_copy_encryptedvalue(poolp, src->privateKey, 
-				      dest->privateKey);
-	if (rv != SECSuccess) {
-	    return rv;
-	}
-    }
-    rv = cmmf_copy_secitem(poolp, &dest->derPublicationInfo, 
-			   &src->derPublicationInfo);
-    return rv;
-}
-
-SECStatus
-cmmf_CopyPKIStatusInfo(PRArenaPool *poolp, CMMFPKIStatusInfo *dest,
-		       CMMFPKIStatusInfo *src)
-{
-    SECStatus rv;
-
-    rv = cmmf_copy_secitem (poolp, &dest->status, &src->status);
-    if (rv != SECSuccess) {
-        return rv;
-    }
-    rv = cmmf_copy_secitem (poolp, &dest->statusString, &src->statusString);
-    if (rv != SECSuccess) {
-        return rv;
-    }
-    rv = cmmf_copy_secitem (poolp, &dest->failInfo, &src->failInfo);
-    return rv;
-}
-
-CERTCertificate*
-cmmf_CertOrEncCertGetCertificate(CMMFCertOrEncCert *certOrEncCert,
-				 CERTCertDBHandle  *certdb)
-{
-    if (certOrEncCert->choice           != cmmfCertificate || 
-	certOrEncCert->cert.certificate == NULL) {
-        return NULL;
-    }
-    return CERT_NewTempCertificate(certdb,
-				   &certOrEncCert->cert.certificate->derCert,
-				   NULL, PR_FALSE, PR_TRUE);
-}
-
-SECStatus 
-cmmf_PKIStatusInfoSetStatus(CMMFPKIStatusInfo    *statusInfo,
-			    PRArenaPool          *poolp,
-			    CMMFPKIStatus         inStatus)
-{
-    SECItem *dummy;
-    
-    if (inStatus <cmmfGranted || inStatus >= cmmfNumPKIStatus) {
-        return SECFailure;
-    }
-
-    dummy = SEC_ASN1EncodeInteger(poolp, &statusInfo->status, inStatus); 
-    PORT_Assert(dummy == &statusInfo->status);
-    if (dummy != &statusInfo->status) {
-        SECITEM_FreeItem(dummy, PR_TRUE);
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-
diff --git a/security/nss/lib/crmf/servget.c b/security/nss/lib/crmf/servget.c
deleted file mode 100644
index 165ce5924..000000000
--- a/security/nss/lib/crmf/servget.c
+++ /dev/null
@@ -1,1011 +0,0 @@
-/* -*- Mode: C; tab-width: 8 -*-*/
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-
-#include "cmmf.h"
-#include "cmmfi.h"
-#include "secitem.h"
-#include "keyhi.h"
-#include "secder.h"
-
-CRMFEncryptedKeyChoice
-CRMF_EncryptedKeyGetChoice(CRMFEncryptedKey *inEncrKey)
-{
-    PORT_Assert(inEncrKey != NULL);
-    if (inEncrKey == NULL) {
-        return crmfNoEncryptedKeyChoice;
-    }
-    return inEncrKey->encKeyChoice;
-}
-
-CRMFEncryptedValue*
-CRMF_EncryptedKeyGetEncryptedValue(CRMFEncryptedKey *inEncrKey)
-{
-    CRMFEncryptedValue *newEncrValue = NULL;
-    SECStatus           rv;
-
-    PORT_Assert(inEncrKey != NULL);
-    if (inEncrKey == NULL ||
-	CRMF_EncryptedKeyGetChoice(inEncrKey) != crmfEncryptedValueChoice) {
-        goto loser;
-    }
-    newEncrValue = PORT_ZNew(CRMFEncryptedValue);
-    if (newEncrValue == NULL) {
-        goto loser;
-    }
-    rv = crmf_copy_encryptedvalue(NULL, &inEncrKey->value.encryptedValue,
-				  newEncrValue);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    return newEncrValue;
- loser:
-    if (newEncrValue != NULL) {
-        CRMF_DestroyEncryptedValue(newEncrValue);
-    }
-    return NULL;
-}
-
-static SECItem*
-crmf_get_encvalue_bitstring(SECItem *srcItem)
-{
-    SECItem   *newItem = NULL;
-    SECStatus rv;
-    
-    if (srcItem->data == NULL) {
-        return NULL;
-    }
-    newItem = PORT_ZNew(SECItem);
-    if (newItem == NULL) {
-        goto loser;
-    }
-    rv = crmf_make_bitstring_copy(NULL, newItem, srcItem);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    return newItem;
- loser:
-    if (newItem != NULL) {
-        SECITEM_FreeItem(newItem, PR_TRUE);
-    }
-    return NULL;
-}
-
-SECItem*
-CRMF_EncryptedValueGetEncSymmKey(CRMFEncryptedValue *inEncValue)
-{
-    if (inEncValue == NULL) {
-        return NULL;
-    }
-    return crmf_get_encvalue_bitstring(&inEncValue->encSymmKey);
-}
-
-SECItem*
-CRMF_EncryptedValueGetEncValue(CRMFEncryptedValue *inEncrValue)
-{
-    if (inEncrValue == NULL || inEncrValue->encValue.data == NULL) {
-        return NULL;
-    }
-    return crmf_get_encvalue_bitstring(&inEncrValue->encValue);
-}
-
-static SECAlgorithmID*
-crmf_get_encvalue_algid(SECAlgorithmID *srcAlg)
-{
-    SECStatus       rv;
-    SECAlgorithmID *newAlgID;
-    
-    if (srcAlg == NULL) {
-        return NULL;
-    }
-    rv = crmf_copy_encryptedvalue_secalg(NULL, srcAlg, &newAlgID);
-    if (rv != SECSuccess) {
-        return NULL;
-    }
-    return newAlgID;
-}
-
-SECAlgorithmID*
-CRMF_EncryptedValueGetIntendedAlg(CRMFEncryptedValue *inEncValue)
-{
-    if (inEncValue == NULL) {
-        return NULL;
-    }
-    return crmf_get_encvalue_algid(inEncValue->intendedAlg);
-}
-
-SECAlgorithmID*
-CRMF_EncryptedValueGetKeyAlg(CRMFEncryptedValue *inEncValue)
-{
-    if (inEncValue == NULL) {
-        return NULL;
-    }
-    return crmf_get_encvalue_algid(inEncValue->keyAlg);
-}
-
-SECAlgorithmID*
-CRMF_EncryptedValueGetSymmAlg(CRMFEncryptedValue *inEncValue)
-{
-    if (inEncValue == NULL) {
-        return NULL;
-    }
-    return crmf_get_encvalue_algid(inEncValue->symmAlg);
-}
-
-SECItem*
-CRMF_EncryptedValueGetValueHint(CRMFEncryptedValue *inEncValue)
-{
-    if (inEncValue == NULL || inEncValue->valueHint.data == NULL) {
-        return NULL;
-    }
-    return SECITEM_DupItem(&inEncValue->valueHint);
-}
-
-SECStatus
-CRMF_PKIArchiveOptionsGetArchiveRemGenPrivKey(CRMFPKIArchiveOptions *inOpt, 
-					      PRBool                *destVal)
-{
-    if (inOpt == NULL || destVal == NULL ||
-	CRMF_PKIArchiveOptionsGetOptionType(inOpt) != crmfArchiveRemGenPrivKey){
-        return SECFailure;
-    }
-    *destVal = (inOpt->option.archiveRemGenPrivKey.data[0] == hexFalse) 
-                                                                 ? PR_FALSE:
-                                                                   PR_TRUE;
-    return SECSuccess;
-}
-			     
-CRMFEncryptedKey*
-CRMF_PKIArchiveOptionsGetEncryptedPrivKey(CRMFPKIArchiveOptions *inOpts)
-{
-    CRMFEncryptedKey *newEncrKey = NULL;
-    SECStatus         rv;
-
-    PORT_Assert(inOpts != NULL);
-    if (inOpts == NULL ||
-	CRMF_PKIArchiveOptionsGetOptionType(inOpts) != crmfEncryptedPrivateKey){
-        return NULL;
-    }
-    newEncrKey = PORT_ZNew(CRMFEncryptedKey);
-    if (newEncrKey == NULL) {
-        goto loser;
-    }
-    rv = crmf_copy_encryptedkey(NULL, &inOpts->option.encryptedKey,
-				newEncrKey);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    return newEncrKey;
- loser:
-    if (newEncrKey != NULL) {
-        CRMF_DestroyEncryptedKey(newEncrKey);
-    }
-    return NULL;
-}
-
-SECItem*
-CRMF_PKIArchiveOptionsGetKeyGenParameters(CRMFPKIArchiveOptions *inOptions)
-{
-    if (inOptions == NULL ||
-	CRMF_PKIArchiveOptionsGetOptionType(inOptions) != crmfKeyGenParameters ||
-	inOptions->option.keyGenParameters.data == NULL) {
-        return NULL;
-    }
-    return SECITEM_DupItem(&inOptions->option.keyGenParameters);
-}
-
-CRMFPKIArchiveOptionsType
-CRMF_PKIArchiveOptionsGetOptionType(CRMFPKIArchiveOptions *inOptions)
-{
-    PORT_Assert (inOptions != NULL);
-    if (inOptions == NULL) {
-        return crmfNoArchiveOptions;
-    }
-    return inOptions->archOption;
-}
-
-static SECStatus
-crmf_extract_long_from_item(SECItem *intItem, long *destLong)
-{
-    *destLong = DER_GetInteger(intItem);
-    return (*destLong == -1) ? SECFailure : SECSuccess;
-}
-
-SECStatus
-CRMF_POPOPrivGetKeySubseqMess(CRMFPOPOPrivKey       *inKey,
-			      CRMFSubseqMessOptions *destOpt)
-{
-    long      value;
-    SECStatus rv;
-
-    PORT_Assert(inKey != NULL);
-    if (inKey == NULL ||
-	inKey->messageChoice != crmfSubsequentMessage) {
-        return SECFailure;
-    }
-    rv = crmf_extract_long_from_item(&inKey->message.subsequentMessage,&value);
-    if (rv != SECSuccess) {
-        return SECFailure;
-    }
-    switch (value) {
-    case 0:
-        *destOpt = crmfEncrCert;
-	break;
-    case 1:
-        *destOpt = crmfChallengeResp;
-	break;
-    default:
-        rv = SECFailure;
-    }
-    if (rv != SECSuccess) {
-        return rv;
-    }
-    return SECSuccess;
-}
-
-CRMFPOPOPrivKeyChoice
-CRMF_POPOPrivKeyGetChoice(CRMFPOPOPrivKey *inPrivKey)
-{
-    PORT_Assert(inPrivKey != NULL);
-    if (inPrivKey != NULL) {
-        return inPrivKey->messageChoice;
-    }
-    return crmfNoMessage;
-}
-
-SECStatus
-CRMF_POPOPrivKeyGetDHMAC(CRMFPOPOPrivKey *inKey, SECItem *destMAC)
-{
-    PORT_Assert(inKey != NULL);
-    if (inKey == NULL || inKey->message.dhMAC.data == NULL) {
-        return SECFailure;
-    }
-    return crmf_make_bitstring_copy(NULL, destMAC, &inKey->message.dhMAC);
-}
-
-SECStatus
-CRMF_POPOPrivKeyGetThisMessage(CRMFPOPOPrivKey  *inKey,
-			       SECItem          *destString)
-{
-    PORT_Assert(inKey != NULL);
-    if (inKey == NULL           ||
-	inKey->messageChoice != crmfThisMessage) {
-        return SECFailure;
-    }
-
-    return crmf_make_bitstring_copy(NULL, destString, 
-				    &inKey->message.thisMessage);
-}
-
-SECAlgorithmID*
-CRMF_POPOSigningKeyGetAlgID(CRMFPOPOSigningKey *inSignKey)
-{
-    SECAlgorithmID *newAlgId = NULL;
-    SECStatus       rv;
-
-    PORT_Assert(inSignKey != NULL);
-    if (inSignKey == NULL) {
-        return NULL;
-    }
-    newAlgId = PORT_ZNew(SECAlgorithmID);
-    if (newAlgId == NULL) {
-        goto loser;
-    }
-    rv = SECOID_CopyAlgorithmID(NULL, newAlgId, 
-				inSignKey->algorithmIdentifier);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    return newAlgId;
-
- loser:
-    if (newAlgId != NULL) {
-        SECOID_DestroyAlgorithmID(newAlgId, PR_TRUE);
-    }
-    return NULL;
-}
-
-SECItem*
-CRMF_POPOSigningKeyGetInput(CRMFPOPOSigningKey *inSignKey)
-{
-    PORT_Assert(inSignKey != NULL);
-    if (inSignKey == NULL || inSignKey->derInput.data == NULL) {
-        return NULL;
-    }
-    return SECITEM_DupItem(&inSignKey->derInput);
-}
-
-SECItem*
-CRMF_POPOSigningKeyGetSignature(CRMFPOPOSigningKey *inSignKey)
-{
-    SECItem   *newSig = NULL;
-    SECStatus  rv;
-
-    PORT_Assert(inSignKey != NULL);
-    if (inSignKey == NULL) {
-        return NULL;
-    }
-    newSig = PORT_ZNew(SECItem);
-    if (newSig == NULL) {
-        goto loser;
-    }
-    rv = crmf_make_bitstring_copy(NULL, newSig, &inSignKey->signature);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    return newSig;
- loser:
-    if (newSig != NULL) {
-        SECITEM_FreeItem(newSig, PR_TRUE);
-    }
-    return NULL;
-}
-
-static SECStatus 
-crmf_copy_poposigningkey(PRArenaPool        *poolp, 
-			 CRMFPOPOSigningKey *inPopoSignKey,
-			 CRMFPOPOSigningKey *destPopoSignKey)
-{
-    SECStatus rv;
-
-    /* We don't support use of the POPOSigningKeyInput, so we'll only 
-     * store away the DER encoding.
-     */
-    if (inPopoSignKey->derInput.data != NULL) {
-        rv = SECITEM_CopyItem(poolp, &destPopoSignKey->derInput, 
-			      &inPopoSignKey->derInput);
-    }
-    destPopoSignKey->algorithmIdentifier = (poolp == NULL) ? 
-                                         PORT_ZNew(SECAlgorithmID) :
-                                         PORT_ArenaZNew(poolp, SECAlgorithmID);
-
-    if (destPopoSignKey->algorithmIdentifier == NULL) {
-        goto loser;
-    }
-    rv = SECOID_CopyAlgorithmID(poolp, destPopoSignKey->algorithmIdentifier,
-				inPopoSignKey->algorithmIdentifier);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    
-    rv = crmf_make_bitstring_copy(poolp, &destPopoSignKey->signature, 
-				  &inPopoSignKey->signature);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    return SECSuccess;
- loser:
-    if (destPopoSignKey && poolp == NULL) {
-        CRMF_DestroyPOPOSigningKey(destPopoSignKey);
-    }
-    return SECFailure;
-}
-
-static SECStatus
-crmf_copy_popoprivkey(PRArenaPool     *poolp,
-		      CRMFPOPOPrivKey *srcPrivKey,
-		      CRMFPOPOPrivKey *destPrivKey)
-{
-    SECStatus        rv;
-
-    destPrivKey->messageChoice = srcPrivKey->messageChoice;
-    switch (destPrivKey->messageChoice) {
-    case crmfThisMessage:
-    case crmfDHMAC:
-        /* I've got a union, so taking the address of one, will also give
-	 * me a pointer to the other (eg, message.dhMAC)
-	 */
-        rv = crmf_make_bitstring_copy(poolp, &destPrivKey->message.thisMessage,
-				      &srcPrivKey->message.thisMessage);
-	break;
-    case crmfSubsequentMessage:
-        rv = SECITEM_CopyItem(poolp, &destPrivKey->message.subsequentMessage,
-			      &srcPrivKey->message.subsequentMessage);
-	break;
-    default:
-        rv = SECFailure;
-    }
-
-    if (rv != SECSuccess) {
-        if (destPrivKey && poolp == NULL) {
-	    CRMF_DestroyPOPOPrivKey(destPrivKey);
-	}
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-static CRMFProofOfPossession*
-crmf_copy_pop(PRArenaPool *poolp, CRMFProofOfPossession *srcPOP)
-{
-    CRMFProofOfPossession *newPOP;
-    SECStatus              rv;
-
-    /* 
-     * Proof Of Possession structures are always part of the Request
-     * message, so there will always be an arena for allocating memory.
-     */
-    if (poolp == NULL) {
-        return NULL;
-    }
-    newPOP = PORT_ArenaZNew(poolp, CRMFProofOfPossession);
-    if (newPOP == NULL) {
-        return NULL;
-    }
-    switch (srcPOP->popUsed) {
-    case crmfRAVerified:
-        newPOP->popChoice.raVerified.data = NULL;
-	newPOP->popChoice.raVerified.len  = 0;
-	break;
-    case crmfSignature:
-        rv = crmf_copy_poposigningkey(poolp, &srcPOP->popChoice.signature,
-				      &newPOP->popChoice.signature);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-	break;
-    case crmfKeyEncipherment:
-    case crmfKeyAgreement:
-        /* We've got a union, so a pointer to one, is a pointer to the
-	 * other one.
-	 */
-        rv = crmf_copy_popoprivkey(poolp, &srcPOP->popChoice.keyEncipherment,
-				   &newPOP->popChoice.keyEncipherment);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-	break;
-    default:
-        goto loser;
-    }
-    newPOP->popUsed = srcPOP->popUsed;
-    return newPOP;
-
- loser:
-    return NULL;
-}
-
-static CRMFCertReqMsg*
-crmf_copy_cert_req_msg(CRMFCertReqMsg *srcReqMsg)
-{
-    CRMFCertReqMsg *newReqMsg;
-    PRArenaPool    *poolp;
-
-    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
-    if (poolp == NULL) {
-        return NULL;
-    }
-    newReqMsg = PORT_ArenaZNew(poolp, CRMFCertReqMsg);
-    newReqMsg->poolp = poolp;
-    if (newReqMsg == NULL) {
-        goto loser;
-    }
-    newReqMsg->certReq = crmf_copy_cert_request(poolp, srcReqMsg->certReq);
-    if (newReqMsg->certReq == NULL) {
-        goto loser;
-    }
-    newReqMsg->pop = crmf_copy_pop(poolp, srcReqMsg->pop);
-    if (newReqMsg->pop == NULL) {
-        goto loser;
-    }
-    /* None of my set/get routines operate on the regInfo field, so
-     * for now, that won't get copied over.
-     */
-    return newReqMsg;
-
- loser:
-    if (newReqMsg != NULL) {
-        CRMF_DestroyCertReqMsg(newReqMsg);
-    }
-    return NULL;
-}
-
-CRMFCertReqMsg*
-CRMF_CertReqMessagesGetCertReqMsgAtIndex(CRMFCertReqMessages *inReqMsgs,
-					 int                  index)
-{
-    int numMsgs;
-
-    PORT_Assert(inReqMsgs != NULL && index >= 0);
-    if (inReqMsgs == NULL) {
-        return NULL;
-    }
-    numMsgs = CRMF_CertReqMessagesGetNumMessages(inReqMsgs);
-    if (index < 0 || index >= numMsgs) {
-        return NULL;
-    }
-    return crmf_copy_cert_req_msg(inReqMsgs->messages[index]);
-}
-
-int
-CRMF_CertReqMessagesGetNumMessages(CRMFCertReqMessages *inCertReqMsgs)
-{
-    int numMessages = 0;
-
-    PORT_Assert(inCertReqMsgs != NULL);
-    if (inCertReqMsgs == NULL) {
-        return 0;
-    }
-    while (inCertReqMsgs->messages[numMessages] != NULL) {
-        numMessages++;
-    }
-    return numMessages;
-}
-
-CRMFCertRequest*
-CRMF_CertReqMsgGetCertRequest(CRMFCertReqMsg *inCertReqMsg)
-{
-    PRArenaPool     *poolp      = NULL;
-    CRMFCertRequest *newCertReq = NULL;
-
-    PORT_Assert(inCertReqMsg != NULL);
-
-    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
-    if (poolp == NULL) {
-        goto loser;
-    }
-    newCertReq = crmf_copy_cert_request(poolp, inCertReqMsg->certReq);
-    if (newCertReq == NULL) {
-        goto loser;
-    }
-    newCertReq->poolp = poolp;
-    return newCertReq;
- loser:
-    if (poolp != NULL) {
-        PORT_FreeArena(poolp, PR_FALSE);
-    }
-    return NULL;
-}
-
-SECStatus
-CRMF_CertReqMsgGetID(CRMFCertReqMsg *inCertReqMsg, long *destID)
-{
-    PORT_Assert(inCertReqMsg != NULL && destID != NULL);
-    if (inCertReqMsg == NULL || inCertReqMsg->certReq == NULL) {
-        return SECFailure;
-    }
-    return crmf_extract_long_from_item(&inCertReqMsg->certReq->certReqId, 
-				       destID);
-}
-
-SECStatus
-CRMF_CertReqMsgGetPOPKeyAgreement(CRMFCertReqMsg   *inCertReqMsg,
-				  CRMFPOPOPrivKey **destKey)
-{
-    PORT_Assert(inCertReqMsg != NULL && destKey != NULL);
-    if (inCertReqMsg == NULL || destKey == NULL ||
-	CRMF_CertReqMsgGetPOPType(inCertReqMsg) != crmfKeyAgreement) {
-        return SECFailure;
-    }
-    *destKey = PORT_ZNew(CRMFPOPOPrivKey);
-    if (*destKey == NULL) {
-        return SECFailure;
-    }
-    return crmf_copy_popoprivkey(NULL,
-				 &inCertReqMsg->pop->popChoice.keyAgreement,
-				 *destKey);
-}
-
-SECStatus
-CRMF_CertReqMsgGetPOPKeyEncipherment(CRMFCertReqMsg   *inCertReqMsg,
-				     CRMFPOPOPrivKey **destKey)
-{
-    PORT_Assert(inCertReqMsg != NULL && destKey != NULL);
-    if (inCertReqMsg == NULL || destKey == NULL ||
-	CRMF_CertReqMsgGetPOPType(inCertReqMsg) != crmfKeyEncipherment) {
-        return SECFailure;
-    }
-    *destKey = PORT_ZNew(CRMFPOPOPrivKey);
-    if (destKey == NULL) {
-       return SECFailure;
-    }
-    return crmf_copy_popoprivkey(NULL,
-				 &inCertReqMsg->pop->popChoice.keyEncipherment,
-				 *destKey);
-}
-
-SECStatus
-CRMF_CertReqMsgGetPOPOSigningKey(CRMFCertReqMsg      *inCertReqMsg,
-				 CRMFPOPOSigningKey **destKey)
-{
-    CRMFProofOfPossession *pop;
-    PORT_Assert(inCertReqMsg != NULL);
-    if (inCertReqMsg  == NULL) {
-        return SECFailure;
-    }
-    pop = inCertReqMsg->pop;;
-    if (pop->popUsed != crmfSignature) {
-        return SECFailure;
-    }
-    *destKey = PORT_ZNew(CRMFPOPOSigningKey);
-    if (*destKey == NULL) {
-        return SECFailure;
-    }
-    return crmf_copy_poposigningkey(NULL,&pop->popChoice.signature, *destKey);
-}
-
-static SECStatus
-crmf_copy_name(CERTName *destName, CERTName *srcName)
-{
-  PRArenaPool *poolp = NULL;
-  SECStatus rv;
-
-  if (destName->arena != NULL) {
-    poolp = destName->arena;
-  } else {
-    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
-  }
-  if (poolp == NULL) {
-    return SECFailure;
-  }
-  /* Need to do this so that CERT_CopyName doesn't free out
-   * the arena from underneath us.
-   */
-  destName->arena = NULL;
-  rv = CERT_CopyName(poolp, destName, srcName); 
-  destName->arena = poolp;
-  return rv;
-}
-
-SECStatus
-CRMF_CertRequestGetCertTemplateIssuer(CRMFCertRequest *inCertReq,
-				      CERTName        *destIssuer)
-{
-    PORT_Assert(inCertReq != NULL);
-    if (inCertReq == NULL) {
-        return SECFailure;
-    }
-    if (CRMF_DoesRequestHaveField(inCertReq, crmfIssuer)) {
-        return crmf_copy_name(destIssuer, 
-			      inCertReq->certTemplate.issuer);
-    }
-    return SECFailure;
-}
-
-SECStatus 
-CRMF_CertRequestGetCertTemplateIssuerUID(CRMFCertRequest *inCertReq,
-					 SECItem         *destIssuerUID)
-{
-    PORT_Assert(inCertReq != NULL);
-    if (inCertReq == NULL) {
-        return SECFailure;
-    }
-    if (CRMF_DoesRequestHaveField(inCertReq, crmfIssuerUID)) {
-        return crmf_make_bitstring_copy(NULL, destIssuerUID,
-					&inCertReq->certTemplate.issuerUID);
-    }
-    return SECFailure;
-}
-
-SECStatus
-CRMF_CertRequestGetCertTemplatePublicKey(CRMFCertRequest          *inCertReq,
-				       CERTSubjectPublicKeyInfo *destPublicKey)
-{
-    PORT_Assert (inCertReq != NULL);
-    if (inCertReq == NULL) {
-        return SECFailure;
-    }
-    if (CRMF_DoesRequestHaveField(inCertReq, crmfPublicKey)) {
-        return SECKEY_CopySubjectPublicKeyInfo(NULL, destPublicKey,
-					inCertReq->certTemplate.publicKey);
-    }
-    return SECFailure;
-}
-
-SECStatus
-CRMF_CertRequestGetCertTemplateSerialNumber(CRMFCertRequest *inCertReq,
-					    long            *serialNumber)
-{
-    PORT_Assert(inCertReq != NULL);
-    if (inCertReq == NULL) {
-        return SECFailure;
-    }
-    if (CRMF_DoesRequestHaveField(inCertReq, crmfSerialNumber)) {
-        return 
-	  crmf_extract_long_from_item(&inCertReq->certTemplate.serialNumber,
-				      serialNumber);
-    }
-    return SECFailure;
-}
-
-SECStatus
-CRMF_CertRequestGetCertTemplateSigningAlg(CRMFCertRequest *inCertReq,
-					  SECAlgorithmID  *destAlg)
-{
-    PORT_Assert(inCertReq != NULL);
-    if (inCertReq == NULL) {
-        return SECFailure;
-    }
-    if (CRMF_DoesRequestHaveField(inCertReq, crmfSigningAlg)) {
-        return SECOID_CopyAlgorithmID(NULL, destAlg, 
-				      inCertReq->certTemplate.signingAlg);
-    }
-    return SECFailure;
-}
-
-SECStatus 
-CRMF_CertRequestGetCertTemplateSubject(CRMFCertRequest *inCertReq,
-				       CERTName        *destSubject)
-{
-  PORT_Assert(inCertReq != NULL);
-  if (inCertReq == NULL) {
-      return SECFailure;
-  }
-  if (CRMF_DoesRequestHaveField(inCertReq, crmfSubject)) {
-      return crmf_copy_name(destSubject, inCertReq->certTemplate.subject);
-  }
-  return SECFailure;
-}
-
-SECStatus
-CRMF_CertRequestGetCertTemplateSubjectUID(CRMFCertRequest *inCertReq,
-					  SECItem         *destSubjectUID)
-{
-    PORT_Assert(inCertReq != NULL);
-    if (inCertReq == NULL) {
-        return SECFailure;
-    }
-    if (CRMF_DoesRequestHaveField(inCertReq, crmfSubjectUID)) {
-        return crmf_make_bitstring_copy(NULL, destSubjectUID, 
-					&inCertReq->certTemplate.subjectUID);
-    }
-    return SECFailure;
-}
-
-SECStatus 
-CRMF_CertRequestGetCertTemplateVersion(CRMFCertRequest *inCertReq, 
-				       long            *version)
-{
-    PORT_Assert (inCertReq != NULL);
-    if (inCertReq == NULL) {
-        return SECFailure;
-    }
-    if (CRMF_DoesRequestHaveField(inCertReq, crmfVersion)) {
-        return crmf_extract_long_from_item(&inCertReq->certTemplate.version,
-					   version);
-    } 
-    return SECFailure;
-}
-
-static SECStatus
-crmf_copy_validity(CRMFGetValidity      *destValidity,
-		   CRMFOptionalValidity *src)
-{
-    SECStatus rv;
-    
-    destValidity->notBefore = destValidity->notAfter = NULL;
-    if (src->notBefore.data != NULL) {
-        rv = crmf_create_prtime(&src->notBefore, 
-				&destValidity->notBefore);
-	if (rv != SECSuccess) {
-	    return rv;
-	}
-    }
-    if (src->notAfter.data != NULL) {
-        rv = crmf_create_prtime(&src->notAfter,
-				&destValidity->notAfter);
-	if (rv != SECSuccess) {
-	    return rv;
-	}
-    }
-    return SECSuccess;
-}
-
-SECStatus 
-CRMF_CertRequestGetCertTemplateValidity(CRMFCertRequest *inCertReq,
-					CRMFGetValidity *destValidity)
-{
-    PORT_Assert(inCertReq != NULL);
-    if (inCertReq == NULL) {
-        return SECFailure;
-    }
-    if (CRMF_DoesRequestHaveField(inCertReq, crmfValidity)) {
-        return crmf_copy_validity(destValidity, 
-				  inCertReq->certTemplate.validity);
-    }
-    return SECFailure;
-}
-
-CRMFControl*
-CRMF_CertRequestGetControlAtIndex(CRMFCertRequest *inCertReq, int index)
-{
-    CRMFControl *newControl, *srcControl;
-    int          numControls;
-    SECStatus    rv;
-
-    PORT_Assert(inCertReq != NULL);
-    if (inCertReq == NULL) {
-        return NULL;
-    }
-    numControls = CRMF_CertRequestGetNumControls(inCertReq);
-    if (index >= numControls || index < 0) {
-        return NULL;
-    }
-    newControl = PORT_ZNew(CRMFControl);
-    if (newControl == NULL) {
-        return NULL;
-    }
-    srcControl = inCertReq->controls[index];
-    newControl->tag = srcControl->tag;
-    rv = SECITEM_CopyItem (NULL, &newControl->derTag, &srcControl->derTag);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-
-    rv = SECITEM_CopyItem(NULL, &newControl->derValue, 
-			  &srcControl->derValue);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    /* Copy over the PKIArchiveOptions stuff */
-    switch (srcControl->tag) {
-    case SEC_OID_PKIX_REGCTRL_REGTOKEN:
-    case SEC_OID_PKIX_REGCTRL_AUTHENTICATOR:
-        /* No further processing necessary for these types. */
-        rv = SECSuccess;
-	break;
-    case SEC_OID_PKIX_REGCTRL_OLD_CERT_ID:
-    case SEC_OID_PKIX_REGCTRL_PKIPUBINFO:
-    case SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY:
-        /* These aren't supported yet, so no post-processing will
-	 * be done at this time.  But we don't want to fail in case
-	 * we read in DER that has one of these options.
-	 */
-        rv = SECSuccess;
-	break;
-    case SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS:
-        rv = crmf_copy_pkiarchiveoptions(NULL, 
-					 &newControl->value.archiveOptions,
-					 &srcControl->value.archiveOptions);
-	break;
-    default:
-        rv = SECFailure;
-    }
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-    return newControl;
- loser:
-    if (newControl != NULL) {
-        CRMF_DestroyControl(newControl);
-    }
-    return NULL;
-}
-
-static SECItem*
-crmf_copy_control_value(CRMFControl *inControl)
-{
-    return SECITEM_DupItem(&inControl->derValue);
-}
-
-SECItem*
-CRMF_ControlGetAuthenticatorControlValue(CRMFControl *inControl)
-{
-    PORT_Assert (inControl!= NULL);
-    if (inControl == NULL ||
-	CRMF_ControlGetControlType(inControl) != crmfAuthenticatorControl) {
-        return NULL;
-    }
-    return crmf_copy_control_value(inControl);
-}
-
-CRMFControlType
-CRMF_ControlGetControlType(CRMFControl *inControl)
-{
-    CRMFControlType retType;
-
-    PORT_Assert(inControl != NULL);
-    switch (inControl->tag) {
-    case SEC_OID_PKIX_REGCTRL_REGTOKEN:
-        retType = crmfRegTokenControl;
-	break;
-    case SEC_OID_PKIX_REGCTRL_AUTHENTICATOR:
-        retType = crmfAuthenticatorControl;
-	break;
-    case SEC_OID_PKIX_REGCTRL_PKIPUBINFO:
-        retType = crmfPKIPublicationInfoControl;
-	break;
-    case SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS:
-        retType = crmfPKIArchiveOptionsControl;
-	break;
-    case SEC_OID_PKIX_REGCTRL_OLD_CERT_ID:
-        retType = crmfOldCertIDControl;
-	break;
-    case SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY:
-        retType = crmfProtocolEncrKeyControl;
-	break;
-    default:
-        retType = crmfNoControl;
-    }
-    return retType;
-}
-
-CRMFPKIArchiveOptions*
-CRMF_ControlGetPKIArchiveOptions(CRMFControl *inControl)
-{
-    CRMFPKIArchiveOptions *newOpt = NULL;
-    SECStatus rv;
-
-    PORT_Assert(inControl != NULL);
-    if (inControl == NULL ||
-	CRMF_ControlGetControlType(inControl) != crmfPKIArchiveOptionsControl){
-        goto loser;
-    }
-    newOpt = PORT_ZNew(CRMFPKIArchiveOptions);
-    if (newOpt == NULL) {
-        goto loser;
-    }
-    rv = crmf_copy_pkiarchiveoptions(NULL, newOpt, 
-				     &inControl->value.archiveOptions);
-    if (rv != SECSuccess) {
-        goto loser;
-    }
-
- loser:
-    if (newOpt != NULL) {
-        CRMF_DestroyPKIArchiveOptions(newOpt);
-    }
-    return NULL;
-}
-
-SECItem*
-CRMF_ControlGetRegTokenControlValue(CRMFControl *inControl)
-{
-    PORT_Assert(inControl != NULL);
-    if (inControl == NULL ||
-	CRMF_ControlGetControlType(inControl) != crmfRegTokenControl) {
-        return NULL;
-    }
-    return crmf_copy_control_value(inControl);;
-}
-
-CRMFCertExtension*
-CRMF_CertRequestGetExtensionAtIndex(CRMFCertRequest *inCertReq,
-				    int              index)
-{
-    int numExtensions;
-
-    PORT_Assert(inCertReq != NULL);
-    numExtensions = CRMF_CertRequestGetNumberOfExtensions(inCertReq);
-    if (index >= numExtensions || index < 0) {
-        return NULL;
-    }
-    return 
-      crmf_copy_cert_extension(NULL, 
-			       inCertReq->certTemplate.extensions[index]);
-}
-
diff --git a/security/nss/lib/cryptohi/Makefile b/security/nss/lib/cryptohi/Makefile
deleted file mode 100644
index e0c68c26e..000000000
--- a/security/nss/lib/cryptohi/Makefile
+++ /dev/null
@@ -1,81 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
--include config.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-export:: private_export
-
diff --git a/security/nss/lib/cryptohi/config.mk b/security/nss/lib/cryptohi/config.mk
deleted file mode 100644
index 665828c63..000000000
--- a/security/nss/lib/cryptohi/config.mk
+++ /dev/null
@@ -1,47 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#
-#  Override TARGETS variable so that only static libraries
-#  are specifed as dependencies within rules.mk.
-#
-
-TARGETS        = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PROGRAM        =
-
diff --git a/security/nss/lib/cryptohi/cryptohi.h b/security/nss/lib/cryptohi/cryptohi.h
deleted file mode 100644
index 0cc700703..000000000
--- a/security/nss/lib/cryptohi/cryptohi.h
+++ /dev/null
@@ -1,275 +0,0 @@
-/*
- * crypto.h - public data structures and prototypes for the crypto library
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#ifndef _CRYPTOHI_H_
-#define _CRYPTOHI_H_
-
-#include "blapit.h"
-
-#include "seccomon.h"
-#include "secoidt.h"
-#include "secdert.h"
-#include "cryptoht.h"
-#include "keyt.h"
-#include "certt.h"
-
-
-SEC_BEGIN_PROTOS
-
-
-/****************************************/
-/*
-** DER encode/decode (EC)DSA signatures
-*/
-
-/* ANSI X9.57 defines DSA signatures as DER encoded data.  Our DSA code (and
- * most of the rest of the world) just generates 40 bytes of raw data.  These
- * functions convert between formats.
- */
-extern SECStatus DSAU_EncodeDerSig(SECItem *dest, SECItem *src);
-extern SECItem *DSAU_DecodeDerSig(SECItem *item);
-
-/*
- * Unlike DSA, raw ECDSA signatures do not have a fixed length.
- * Rather they contain two integers r and s whose length depends
- * on the size of the EC key used for signing.
- *
- * We can reuse the DSAU_EncodeDerSig interface to DER encode
- * raw ECDSA signature keeping in mind that the length of r 
- * is the same as that of s and exactly half of src->len.
- *
- * For decoding, we need to pass the length of the desired
- * raw signature (twice the key size) explicitly.
- */
-extern SECStatus DSAU_EncodeDerSigWithLen(SECItem *dest, SECItem *src, 
-					  unsigned int len);
-extern SECItem *DSAU_DecodeDerSigToLen(SECItem *item, unsigned int len);
-
-/****************************************/
-/*
-** Signature creation operations
-*/
-
-/*
-** Create a new signature context used for signing a data stream.
-**	"alg" the signature algorithm to use (e.g. SEC_OID_RSA_WITH_MD5)
-**	"privKey" the private key to use
-*/
-extern SGNContext *SGN_NewContext(SECOidTag alg, SECKEYPrivateKey *privKey);
-
-/*
-** Destroy a signature-context object
-**	"key" the object
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void SGN_DestroyContext(SGNContext *cx, PRBool freeit);
-
-/*
-** Reset the signing context "cx" to its initial state, preparing it for
-** another stream of data.
-*/
-extern SECStatus SGN_Begin(SGNContext *cx);
-
-/*
-** Update the signing context with more data to sign.
-**	"cx" the context
-**	"input" the input data to sign
-**	"inputLen" the length of the input data
-*/
-extern SECStatus SGN_Update(SGNContext *cx, unsigned char *input,
-			   unsigned int inputLen);
-
-/*
-** Finish the signature process. Use either k0 or k1 to sign the data
-** stream that was input using SGN_Update. The resulting signature is
-** formatted using PKCS#1 and then encrypted using RSA private or public
-** encryption.
-**	"cx" the context
-**	"result" the final signature data (memory is allocated)
-*/
-extern SECStatus SGN_End(SGNContext *cx, SECItem *result);
-
-/*
-** Sign a single block of data using private key encryption and given
-** signature/hash algorithm.
-**	"result" the final signature data (memory is allocated)
-**	"buf" the input data to sign
-**	"len" the amount of data to sign
-**	"pk" the private key to encrypt with
-**	"algid" the signature/hash algorithm to sign with 
-**		(must be compatible with the key type).
-*/
-extern SECStatus SEC_SignData(SECItem *result, unsigned char *buf, int len,
-			     SECKEYPrivateKey *pk, SECOidTag algid);
-
-/*
-** Sign a pre-digested block of data using private key encryption, encoding
-**  The given signature/hash algorithm.
-**	"result" the final signature data (memory is allocated)
-**	"digest" the digest to sign
-**	"pk" the private key to encrypt with
-**	"algtag" The algorithm tag to encode (need for RSA only)
-*/
-extern SECStatus SGN_Digest(SECKEYPrivateKey *privKey,
-                SECOidTag algtag, SECItem *result, SECItem *digest);
-
-/*
-** DER sign a single block of data using private key encryption and the
-** MD5 hashing algorithm. This routine first computes a digital signature
-** using SEC_SignData, then wraps it with an CERTSignedData and then der
-** encodes the result.
-**	"arena" is the memory arena to use to allocate data from
-** 	"result" the final der encoded data (memory is allocated)
-** 	"buf" the input data to sign
-** 	"len" the amount of data to sign
-** 	"pk" the private key to encrypt with
-*/
-extern SECStatus SEC_DerSignData(PRArenaPool *arena, SECItem *result,
-				unsigned char *buf, int len,
-				SECKEYPrivateKey *pk, SECOidTag algid);
-
-/*
-** Destroy a signed-data object.
-**	"sd" the object
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void SEC_DestroySignedData(CERTSignedData *sd, PRBool freeit);
-
-/*
-** Get the hash algorithm tag number for the given type of the key and
-** algorithm tag. Returns SEC_OID_UNKNOWN if key and algorithm
-** are not match.
-*/
-extern SECOidTag SEC_GetSignatureAlgorithmOidTag(KeyType keyType,
-                                                 SECOidTag hashAlgTag);
-
-/****************************************/
-/*
-** Signature verification operations
-*/
-
-/*
-** Create a signature verification context.
-**	"key" the public key to verify with
-**	"sig" the encrypted signature data if sig is NULL then
-**	   VFY_EndWithSignature must be called with the correct signature at
-**	   the end of the processing.
-**	"algid" specifies the signing algorithm to use.  This must match
-**	    the key type.
-**	"wincx" void pointer to the window context
-*/
-extern VFYContext *VFY_CreateContext(SECKEYPublicKey *key, SECItem *sig,
-				     SECOidTag algid, void *wincx);
-
-/*
-** Destroy a verification-context object.
-**	"cx" the context to destroy
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void VFY_DestroyContext(VFYContext *cx, PRBool freeit);
-
-extern SECStatus VFY_Begin(VFYContext *cx);
-
-/*
-** Update a verification context with more input data. The input data
-** is fed to a secure hash function (depending on what was in the
-** encrypted signature data).
-**	"cx" the context
-**	"input" the input data
-**	"inputLen" the amount of input data
-*/
-extern SECStatus VFY_Update(VFYContext *cx, unsigned char *input,
-			    unsigned int inputLen);
-
-/*
-** Finish the verification process. The return value is a status which
-** indicates success or failure. On success, the SECSuccess value is
-** returned. Otherwise, SECFailure is returned and the error code found
-** using PORT_GetError() indicates what failure occurred.
-** 	"cx" the context
-*/
-extern SECStatus VFY_End(VFYContext *cx);
-
-/*
-** Finish the verification process. The return value is a status which
-** indicates success or failure. On success, the SECSuccess value is
-** returned. Otherwise, SECFailure is returned and the error code found
-** using PORT_GetError() indicates what failure occurred. If signature is
-** supplied the verification uses this signature to verify, otherwise the
-** signature passed in VFY_CreateContext() is used. 
-** VFY_EndWithSignature(cx,NULL); is identical to VFY_End(cx);.
-** 	"cx" the context
-** 	"sig" the encrypted signature data
-*/
-extern SECStatus VFY_EndWithSignature(VFYContext *cx, SECItem *sig);
-
-
-/*
-** Verify the signature on a block of data for which we already have
-** the digest. The signature data is an RSA private key encrypted
-** block of data formatted according to PKCS#1.
-** 	"dig" the digest
-** 	"key" the public key to check the signature with
-** 	"sig" the encrypted signature data
-**	"algid" specifies the signing algorithm to use.  This must match
-**	    the key type.
-**/
-extern SECStatus VFY_VerifyDigest(SECItem *dig, SECKEYPublicKey *key,
-				  SECItem *sig, SECOidTag algid, void *wincx);
-
-/*
-** Verify the signature on a block of data. The signature data is an RSA
-** private key encrypted block of data formatted according to PKCS#1.
-** 	"buf" the input data
-** 	"len" the length of the input data
-** 	"key" the public key to check the signature with
-** 	"sig" the encrypted signature data
-**	"algid" specifies the signing algorithm to use.  This must match
-**	    the key type.
-*/
-extern SECStatus VFY_VerifyData(unsigned char *buf, int len,
-				SECKEYPublicKey *key, SECItem *sig,
-				SECOidTag algid, void *wincx);
-
-
-SEC_END_PROTOS
-
-#endif /* _CRYPTOHI_H_ */
diff --git a/security/nss/lib/cryptohi/cryptoht.h b/security/nss/lib/cryptohi/cryptoht.h
deleted file mode 100644
index c5aab7ac6..000000000
--- a/security/nss/lib/cryptohi/cryptoht.h
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * cryptoht.h - public data structures for the crypto library
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#ifndef _CRYPTOHT_H_
-#define _CRYPTOHT_H_
-
-typedef struct SGNContextStr SGNContext;
-typedef struct VFYContextStr VFYContext;
-
-
-#endif /* _CRYPTOHT_H_ */
diff --git a/security/nss/lib/cryptohi/dsautil.c b/security/nss/lib/cryptohi/dsautil.c
deleted file mode 100644
index a53138775..000000000
--- a/security/nss/lib/cryptohi/dsautil.c
+++ /dev/null
@@ -1,300 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#include "cryptohi.h"
-#include "secasn1.h"
-#include "secitem.h"
-#include "prerr.h"
-
-#ifndef DSA_SUBPRIME_LEN
-#define DSA_SUBPRIME_LEN 20	/* bytes */
-#endif
-
-typedef struct {
-    SECItem r;
-    SECItem s;
-} DSA_ASN1Signature;
-
-const SEC_ASN1Template DSA_SignatureTemplate[] =
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(DSA_ASN1Signature) },
-    { SEC_ASN1_INTEGER, offsetof(DSA_ASN1Signature,r) },
-    { SEC_ASN1_INTEGER, offsetof(DSA_ASN1Signature,s) },
-    { 0, }
-};
-
-/* Input is variable length multi-byte integer, MSB first (big endian).
-** Most signficant bit of first byte is NOT treated as a sign bit. 
-** May be one or more leading bytes of zeros. 
-** Output is variable length multi-byte integer, MSB first (big endian).
-** Most significant bit of first byte will be zero (positive sign bit)
-** No more than one leading zero byte.
-** Caller supplies dest buffer, and assures that it is long enough,
-** e.g. at least one byte longer that src's buffer.
-*/
-void
-DSAU_ConvertUnsignedToSigned(SECItem *dest, SECItem *src)
-{
-    unsigned char *pSrc = src->data;
-    unsigned char *pDst = dest->data;
-    unsigned int   cntSrc = src->len;
-
-    /* skip any leading zeros. */
-    while (cntSrc && !(*pSrc)) { 
-    	pSrc++; 
-	cntSrc--;
-    }
-    if (!cntSrc) {
-    	*pDst = 0; 
-	dest->len = 1; 
-	return; 
-    }
-
-    if (*pSrc & 0x80)
-    	*pDst++ = 0;
-
-    PORT_Memcpy(pDst, pSrc, cntSrc);
-    dest->len = (pDst - dest->data) + cntSrc;
-}
-
-/*
-** src is a buffer holding a signed variable length integer.
-** dest is a buffer which will be filled with an unsigned integer,
-** MSB first (big endian) with leading zeros, so that the last byte
-** of src will be the LSB of the integer.  The result will be exactly
-** the length specified by the caller in dest->len.
-** src can be shorter than dest.  src can be longer than dst, but only
-** if the extra leading bytes are zeros.
-*/
-SECStatus
-DSAU_ConvertSignedToFixedUnsigned(SECItem *dest, SECItem *src)
-{
-    unsigned char *pSrc = src->data;
-    unsigned char *pDst = dest->data;
-    unsigned int   cntSrc = src->len;
-    unsigned int   cntDst = dest->len;
-    int            zCount = cntDst - cntSrc;
-
-    if (zCount > 0) {
-    	PORT_Memset(pDst, 0, zCount);
-	PORT_Memcpy(pDst + zCount, pSrc, cntSrc);
-	return SECSuccess;
-    }
-    if (zCount <= 0) {
-	/* Source is longer than destination.  Check for leading zeros. */
-	while (zCount++ < 0) {
-	    if (*pSrc++ != 0)
-		goto loser;
-	}
-    }
-    PORT_Memcpy(pDst, pSrc, cntDst);
-    return SECSuccess;
-
-loser:
-    PORT_SetError( PR_INVALID_ARGUMENT_ERROR );
-    return SECFailure;
-}
-
-/* src is a "raw" ECDSA or DSA signature, the first half contains r
- * and the second half contains s. dest is the DER encoded signature.
-*/
-static SECStatus
-common_EncodeDerSig(SECItem *dest, SECItem *src)
-{
-    SECItem *         item;
-    SECItem           srcItem;
-    DSA_ASN1Signature sig;
-    unsigned char     *signedR;
-    unsigned char     *signedS;
-    unsigned int len;
-
-    /* Allocate memory with room for an extra byte that
-     * may be required if the top bit in the first byte
-     * is already set.
-     */
-    len = src->len/2;
-    signedR = (unsigned char *) PORT_Alloc(len + 1);
-    if (!signedR) return SECFailure;
-    signedS = (unsigned char *) PORT_ZAlloc(len + 1);
-    if (!signedS) {
-        if (signedR) PORT_Free(signedR);
-	return SECFailure;
-    }
-
-    PORT_Memset(&sig, 0, sizeof(sig));
-
-    /* Must convert r and s from "unsigned" integers to "signed" integers.
-    ** If the high order bit of the first byte (MSB) is 1, then must
-    ** prepend with leading zero.  
-    ** Must remove all but one leading zero byte from numbers.
-    */
-    sig.r.type = siUnsignedInteger;
-    sig.r.data = signedR;
-    sig.r.len  = sizeof signedR;
-    sig.s.type = siUnsignedInteger;
-    sig.s.data = signedS;
-    sig.s.len  = sizeof signedR;
-
-    srcItem.data = src->data;
-    srcItem.len  = len;
-
-    DSAU_ConvertUnsignedToSigned(&sig.r, &srcItem);
-    srcItem.data += len;
-    DSAU_ConvertUnsignedToSigned(&sig.s, &srcItem);
-
-    item = SEC_ASN1EncodeItem(NULL, dest, &sig, DSA_SignatureTemplate);
-    if (signedR) PORT_Free(signedR);
-    if (signedS) PORT_Free(signedS);
-    if (item == NULL)
-	return SECFailure;
-
-    /* XXX leak item? */
-    return SECSuccess;
-}
-
-/* src is a DER-encoded ECDSA or DSA signature.
-** Returns a newly-allocated SECItem structure, pointing at a newly allocated
-** buffer containing the "raw" signature, which is len bytes of r,
-** followed by len bytes of s. For DSA, len is always DSA_SUBPRIME_LEN.
-** For ECDSA, len depends on the key size used to create the signature.
-*/
-static SECItem *
-common_DecodeDerSig(SECItem *item, unsigned int len)
-{
-    SECItem *         result = NULL;
-    SECStatus         status;
-    DSA_ASN1Signature sig;
-    SECItem           dst;
-
-    PORT_Memset(&sig, 0, sizeof(sig));
-
-    result = PORT_ZNew(SECItem);
-    if (result == NULL)
-	goto loser;
-
-    result->len  = 2 * len;
-    result->data = (unsigned char*)PORT_Alloc(2 * len);
-    if (result->data == NULL)
-	goto loser;
-
-    sig.r.type = siUnsignedInteger;
-    sig.s.type = siUnsignedInteger;
-    status = SEC_ASN1DecodeItem(NULL, &sig, DSA_SignatureTemplate, item);
-    if (status != SECSuccess)
-	goto loser;
-
-    /* Convert sig.r and sig.s from variable  length signed integers to 
-    ** fixed length unsigned integers.
-    */
-    dst.data = result->data;
-    dst.len  = len;
-    status = DSAU_ConvertSignedToFixedUnsigned(&dst, &sig.r);
-    if (status != SECSuccess)
-    	goto loser;
-
-    dst.data += len;
-    status = DSAU_ConvertSignedToFixedUnsigned(&dst, &sig.s);
-    if (status != SECSuccess)
-    	goto loser;
-
-done:
-    if (sig.r.data != NULL)
-	PORT_Free(sig.r.data);
-    if (sig.s.data != NULL)
-	PORT_Free(sig.s.data);
-
-    return result;
-
-loser:
-    if (result != NULL) {
-	SECITEM_FreeItem(result, PR_TRUE);
-	result = NULL;
-    }
-    goto done;
-}
-
-/* src is a "raw" DSA signature, 20 bytes of r followed by 20 bytes of s.
-** dest is the signature DER encoded. ?
-*/
-SECStatus
-DSAU_EncodeDerSig(SECItem *dest, SECItem *src)
-{
-    PORT_Assert(src->len == 2 * DSA_SUBPRIME_LEN);
-    if (src->len != 2 * DSA_SUBPRIME_LEN) {
-    	PORT_SetError( PR_INVALID_ARGUMENT_ERROR );
-	return SECFailure;
-    }
-
-    return common_EncodeDerSig(dest, src);
-}
-
-/* src is a "raw" DSA signature of length len (len/2 bytes of r followed
-** by len/2 bytes of s). dest is the signature DER encoded.
-*/
-SECStatus
-DSAU_EncodeDerSigWithLen(SECItem *dest, SECItem *src, unsigned int len)
-{
-
-    PORT_Assert((src->len == len) && (len % 2 == 0));
-    if ((src->len != len) || (src->len % 2 != 0)) {
-    	PORT_SetError( PR_INVALID_ARGUMENT_ERROR );
-	return SECFailure;
-    }
-
-    return common_EncodeDerSig(dest, src);
-}
-
-/* src is a DER-encoded DSA signature.
-** Returns a newly-allocated SECItem structure, pointing at a newly allocated
-** buffer containing the "raw" DSA signature, which is 20 bytes of r,
-** followed by 20 bytes of s.
-*/
-SECItem *
-DSAU_DecodeDerSig(SECItem *item)
-{
-    return common_DecodeDerSig(item, DSA_SUBPRIME_LEN);
-}
-
-/* src is a DER-encoded ECDSA signature.
-** Returns a newly-allocated SECItem structure, pointing at a newly allocated
-** buffer containing the "raw" ECDSA signature of length len containing
-** r followed by s (both padded to take up exactly len/2 bytes).
-*/
-SECItem *
-DSAU_DecodeDerSigToLen(SECItem *item, unsigned int len)
-{
-    return common_DecodeDerSig(item, len/2);
-}
diff --git a/security/nss/lib/cryptohi/hasht.h b/security/nss/lib/cryptohi/hasht.h
deleted file mode 100644
index 6df38b49a..000000000
--- a/security/nss/lib/cryptohi/hasht.h
+++ /dev/null
@@ -1,102 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#ifndef _HASHT_H_
-#define _HASHT_H_
-
-/* Opaque objects */
-typedef struct SECHashObjectStr SECHashObject;
-typedef struct HASHContextStr HASHContext;
-
-/*
- * The hash functions the security library supports
- * NOTE the order must match the definition of SECHashObjects[]!
- */
-typedef enum {
-    HASH_AlgNULL   = 0,
-    HASH_AlgMD2    = 1,
-    HASH_AlgMD5    = 2,
-    HASH_AlgSHA1   = 3,
-    HASH_AlgSHA256 = 4,
-    HASH_AlgSHA384 = 5,
-    HASH_AlgSHA512 = 6,
-    HASH_AlgTOTAL
-} HASH_HashType;
-
-/*
- * Number of bytes each hash algorithm produces
- */
-#define MD2_LENGTH	16
-#define MD5_LENGTH	16
-#define SHA1_LENGTH	20
-#define SHA256_LENGTH 	32
-#define SHA384_LENGTH 	48
-#define SHA512_LENGTH 	64
-#define HASH_LENGTH_MAX SHA512_LENGTH
-
-/*
- * Structure to hold hash computation info and routines
- */
-struct SECHashObjectStr {
-    unsigned int length;  /* hash output length (in bytes) */
-    void * (*create)(void);
-    void * (*clone)(void *);
-    void (*destroy)(void *, PRBool);
-    void (*begin)(void *);
-    void (*update)(void *, const unsigned char *, unsigned int);
-    void (*end)(void *, unsigned char *, unsigned int *, unsigned int);
-    unsigned int blocklength;  /* hash input block size (in bytes) */
-    HASH_HashType type;
-};
-
-struct HASHContextStr {
-    const struct SECHashObjectStr *hashobj;
-    void *hash_context;
-};
-
-/* This symbol is NOT exported from the NSS DLL.  Code that needs a 
- * pointer to one of the SECHashObjects should call HASH_GetHashObject()
- * instead. See "sechash.h".
- */
-extern const SECHashObject SECHashObjects[];
-
-/* Only those functions below the PKCS #11 line should use SECRawHashObjects.
- * This symbol is not exported from the NSS DLL.
- */
-extern const SECHashObject SECRawHashObjects[];
-
-#endif /* _HASHT_H_ */
diff --git a/security/nss/lib/cryptohi/key.h b/security/nss/lib/cryptohi/key.h
deleted file mode 100644
index 1094bd082..000000000
--- a/security/nss/lib/cryptohi/key.h
+++ /dev/null
@@ -1,43 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#ifndef _KEY_H_
-#define _KEY_H_
-
-#include "keyhi.h"
-
-#endif /* _KEY_H_ */
diff --git a/security/nss/lib/cryptohi/keyhi.h b/security/nss/lib/cryptohi/keyhi.h
deleted file mode 100644
index 8707c3d1d..000000000
--- a/security/nss/lib/cryptohi/keyhi.h
+++ /dev/null
@@ -1,290 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Stephen Henson <stephen.henson@gemplus.com>
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#ifndef _KEYHI_H_
-#define _KEYHI_H_
-
-#include "plarena.h"
-
-#include "seccomon.h"
-#include "secoidt.h"
-#include "secdert.h"
-#include "keythi.h"
-#include "certt.h"
-/*#include "secpkcs5.h" */
-
-SEC_BEGIN_PROTOS
-
-
-/*
-** Destroy a subject-public-key-info object.
-*/
-extern void SECKEY_DestroySubjectPublicKeyInfo(CERTSubjectPublicKeyInfo *spki);
-
-/*
-** Copy subject-public-key-info "src" to "dst". "dst" is filled in
-** appropriately (memory is allocated for each of the sub objects).
-*/
-extern SECStatus SECKEY_CopySubjectPublicKeyInfo(PRArenaPool *arena,
-					     CERTSubjectPublicKeyInfo *dst,
-					     CERTSubjectPublicKeyInfo *src);
-
-/*
-** Update the PQG parameters for a cert's public key.
-** Only done for DSA and Fortezza certs
-*/
-extern SECStatus
-SECKEY_UpdateCertPQG(CERTCertificate * subjectCert);
-
-
-/* Compare the KEA parameters of two public keys.  
- * Only used by fortezza.      */
-
-extern SECStatus
-SECKEY_KEAParamCompare(CERTCertificate *cert1,CERTCertificate *cert2);
-
-/*
-** Return the strength of the public key in bytes
-*/
-extern unsigned SECKEY_PublicKeyStrength(SECKEYPublicKey *pubk);
-
-/*
-** Return the strength of the public key in bits
-*/
-extern unsigned SECKEY_PublicKeyStrengthInBits(SECKEYPublicKey *pubk);
-
-/*
-** Make a copy of the private key "privKey"
-*/
-extern SECKEYPrivateKey *SECKEY_CopyPrivateKey(SECKEYPrivateKey *privKey);
-
-/*
-** Make a copy of the public key "pubKey"
-*/
-extern SECKEYPublicKey *SECKEY_CopyPublicKey(SECKEYPublicKey *pubKey);
-
-/*
-** Convert a private key "privateKey" into a public key
-*/
-extern SECKEYPublicKey *SECKEY_ConvertToPublicKey(SECKEYPrivateKey *privateKey);
-
-/*
- * create a new RSA key pair. The private Key is returned...
- */
-SECKEYPrivateKey *SECKEY_CreateRSAPrivateKey(int keySizeInBits,
-					   SECKEYPublicKey **pubk, void *cx);
-	
-/*
- * create a new DH key pair. The private Key is returned...
- */
-SECKEYPrivateKey *SECKEY_CreateDHPrivateKey(SECKEYDHParams *param,
-					   SECKEYPublicKey **pubk, void *cx);
-
-/*
- * create a new EC key pair. The private Key is returned...
- */
-SECKEYPrivateKey *SECKEY_CreateECPrivateKey(SECKEYECParams *param,
-                                           SECKEYPublicKey **pubk, void *cx);
-
-/*
-** Create a subject-public-key-info based on a public key.
-*/
-extern CERTSubjectPublicKeyInfo *
-SECKEY_CreateSubjectPublicKeyInfo(SECKEYPublicKey *k);
-
-/*
-** Decode a DER encoded public key into an SECKEYPublicKey structure.
-*/
-extern SECKEYPublicKey *SECKEY_DecodeDERPublicKey(SECItem *pubkder);
-
-/*
-** Convert a base64 ascii encoded DER public key to our internal format.
-*/
-extern SECKEYPublicKey *SECKEY_ConvertAndDecodePublicKey(char *pubkstr);
-
-/*
-** Convert a base64 ascii encoded DER public key and challenge to spki,
-** and verify the signature and challenge data are correct
-*/
-extern CERTSubjectPublicKeyInfo *
-SECKEY_ConvertAndDecodePublicKeyAndChallenge(char *pkacstr, char *challenge,
-								void *cx);
-
-/*
-** Encode a  CERTSubjectPublicKeyInfo structure. into a
-** DER encoded subject public key info. 
-*/
-SECItem *
-SECKEY_EncodeDERSubjectPublicKeyInfo(SECKEYPublicKey *pubk);
-
-/*
-** Decode a DER encoded subject public key info into a
-** CERTSubjectPublicKeyInfo structure.
-*/
-extern CERTSubjectPublicKeyInfo *
-SECKEY_DecodeDERSubjectPublicKeyInfo(SECItem *spkider);
-
-/*
-** Convert a base64 ascii encoded DER subject public key info to our
-** internal format.
-*/
-extern CERTSubjectPublicKeyInfo *
-SECKEY_ConvertAndDecodeSubjectPublicKeyInfo(char *spkistr);
-
-/*
- * extract the public key from a subject Public Key info structure.
- * (used by JSS).
- */
-extern SECKEYPublicKey *
-SECKEY_ExtractPublicKey(CERTSubjectPublicKeyInfo *);
-
-/*
-** Destroy a private key object.
-**	"key" the object
-*/
-extern void SECKEY_DestroyPrivateKey(SECKEYPrivateKey *key);
-
-
-/*
-** Destroy a public key object.
-**	"key" the object
-*/
-extern void SECKEY_DestroyPublicKey(SECKEYPublicKey *key);
-
-/* Destroy and zero out a private key info structure.  for now this
- * function zero's out memory allocated in an arena for the key 
- * since PORT_FreeArena does not currently do this.  
- *
- * NOTE -- If a private key info is allocated in an arena, one should 
- * not call this function with freeit = PR_FALSE.  The function should 
- * destroy the arena.  
- */
-extern void
-SECKEY_DestroyPrivateKeyInfo(SECKEYPrivateKeyInfo *pvk, PRBool freeit);
-
-/* Destroy and zero out an encrypted private key info.
- *
- * NOTE -- If a encrypted private key info is allocated in an arena, one should 
- * not call this function with freeit = PR_FALSE.  The function should 
- * destroy the arena.  
- */
-extern void
-SECKEY_DestroyEncryptedPrivateKeyInfo(SECKEYEncryptedPrivateKeyInfo *epki,
-				      PRBool freeit);
-
-/* Copy private key info structure.  
- *  poolp is the arena into which the contents of from is to be copied.
- *	NULL is a valid entry.
- *  to is the destination private key info
- *  from is the source private key info
- * if either from or to is NULL or an error occurs, SECFailure is 
- * returned.  otherwise, SECSuccess is returned.
- */
-extern SECStatus
-SECKEY_CopyPrivateKeyInfo(PRArenaPool *poolp,
-			  SECKEYPrivateKeyInfo *to,
-			  SECKEYPrivateKeyInfo *from);
-
-extern SECStatus
-SECKEY_CacheStaticFlags(SECKEYPrivateKey* key);
-
-/* Copy encrypted private key info structure.  
- *  poolp is the arena into which the contents of from is to be copied.
- *	NULL is a valid entry.
- *  to is the destination encrypted private key info
- *  from is the source encrypted private key info
- * if either from or to is NULL or an error occurs, SECFailure is 
- * returned.  otherwise, SECSuccess is returned.
- */
-extern SECStatus
-SECKEY_CopyEncryptedPrivateKeyInfo(PRArenaPool *poolp,
-				   SECKEYEncryptedPrivateKeyInfo *to,
-				   SECKEYEncryptedPrivateKeyInfo *from);
-/*
- * Accessor functions for key type of public and private keys.
- */
-KeyType SECKEY_GetPrivateKeyType(SECKEYPrivateKey *privKey);
-KeyType SECKEY_GetPublicKeyType(SECKEYPublicKey *pubKey);
-
-/*
- * Creates a PublicKey from its DER encoding.
- * Currently only supports RSA and DSA keys.
- */
-SECKEYPublicKey*
-SECKEY_ImportDERPublicKey(SECItem *derKey, CK_KEY_TYPE type);
-
-SECKEYPrivateKeyList*
-SECKEY_NewPrivateKeyList(void);
-
-void
-SECKEY_DestroyPrivateKeyList(SECKEYPrivateKeyList *keys);
-
-void
-SECKEY_RemovePrivateKeyListNode(SECKEYPrivateKeyListNode *node);
-
-SECStatus
-SECKEY_AddPrivateKeyToListTail( SECKEYPrivateKeyList *list,
-                                SECKEYPrivateKey *key);
-
-#define PRIVKEY_LIST_HEAD(l) ((SECKEYPrivateKeyListNode*)PR_LIST_HEAD(&l->list))
-#define PRIVKEY_LIST_NEXT(n) ((SECKEYPrivateKeyListNode *)n->links.next)
-#define PRIVKEY_LIST_END(n,l) (((void *)n) == ((void *)&l->list))
-
-SECKEYPublicKeyList*
-SECKEY_NewPublicKeyList(void);
-
-void
-SECKEY_DestroyPublicKeyList(SECKEYPublicKeyList *keys);
-
-void
-SECKEY_RemovePublicKeyListNode(SECKEYPublicKeyListNode *node);
-
-SECStatus
-SECKEY_AddPublicKeyToListTail( SECKEYPublicKeyList *list,
-                                SECKEYPublicKey *key);
-
-#define PUBKEY_LIST_HEAD(l) ((SECKEYPublicKeyListNode*)PR_LIST_HEAD(&l->list))
-#define PUBKEY_LIST_NEXT(n) ((SECKEYPublicKeyListNode *)n->links.next)
-#define PUBKEY_LIST_END(n,l) (((void *)n) == ((void *)&l->list))
-
-extern int SECKEY_ECParamsToKeySize(const SECItem *params);
-
-SEC_END_PROTOS
-
-#endif /* _KEYHI_H_ */
diff --git a/security/nss/lib/cryptohi/keyt.h b/security/nss/lib/cryptohi/keyt.h
deleted file mode 100644
index 634fb9c3e..000000000
--- a/security/nss/lib/cryptohi/keyt.h
+++ /dev/null
@@ -1,43 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#ifndef _KEYT_H_
-#define _KEYT_H_
-
-#include "keythi.h"
-
-#endif /* _KEYT_H_ */
diff --git a/security/nss/lib/cryptohi/keythi.h b/security/nss/lib/cryptohi/keythi.h
deleted file mode 100644
index 81d4ed74e..000000000
--- a/security/nss/lib/cryptohi/keythi.h
+++ /dev/null
@@ -1,268 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#ifndef _KEYTHI_H_
-#define _KEYTHI_H_ 1
-
-#include "plarena.h"
-#include "pkcs11t.h"
-#include "secmodt.h"
-#include "prclist.h"
-
-typedef enum { 
-    nullKey = 0, 
-    rsaKey = 1, 
-    dsaKey = 2, 
-    fortezzaKey = 3,
-    dhKey = 4, 
-    keaKey = 5,
-    ecKey = 6
-} KeyType;
-
-/*
-** Template Definitions
-**/
-
-SEC_BEGIN_PROTOS
-extern const SEC_ASN1Template SECKEY_RSAPublicKeyTemplate[];
-extern const SEC_ASN1Template SECKEY_DSAPublicKeyTemplate[];
-extern const SEC_ASN1Template SECKEY_DHPublicKeyTemplate[];
-extern const SEC_ASN1Template SECKEY_DHParamKeyTemplate[];
-extern const SEC_ASN1Template SECKEY_PQGParamsTemplate[];
-extern const SEC_ASN1Template SECKEY_DSAPrivateKeyExportTemplate[];
-
-/* Windows DLL accessor functions */
-extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_DSAPublicKeyTemplate;
-extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_RSAPublicKeyTemplate;
-SEC_END_PROTOS
-
-
-/*
-** RSA Public Key structures
-** member names from PKCS#1, section 7.1 
-*/
-
-struct SECKEYRSAPublicKeyStr {
-    PRArenaPool * arena;
-    SECItem modulus;
-    SECItem publicExponent;
-};
-typedef struct SECKEYRSAPublicKeyStr SECKEYRSAPublicKey;
-
-
-/*
-** DSA Public Key and related structures
-*/
-
-struct SECKEYPQGParamsStr {
-    PRArenaPool *arena;
-    SECItem prime;    /* p */
-    SECItem subPrime; /* q */
-    SECItem base;     /* g */
-    /* XXX chrisk: this needs to be expanded to hold j and validationParms (RFC2459 7.3.2) */
-};
-typedef struct SECKEYPQGParamsStr SECKEYPQGParams;
-
-struct SECKEYDSAPublicKeyStr {
-    SECKEYPQGParams params;
-    SECItem publicValue;
-};
-typedef struct SECKEYDSAPublicKeyStr SECKEYDSAPublicKey;
-
-
-/*
-** Diffie-Hellman Public Key structure
-** Structure member names suggested by PKCS#3.
-*/
-struct SECKEYDHParamsStr {
-    PRArenaPool * arena;
-    SECItem prime; /* p */
-    SECItem base; /* g */
-};
-typedef struct SECKEYDHParamsStr SECKEYDHParams;
-
-struct SECKEYDHPublicKeyStr {
-    PRArenaPool * arena;
-    SECItem prime;
-    SECItem base;
-    SECItem publicValue;
-};
-typedef struct SECKEYDHPublicKeyStr SECKEYDHPublicKey;
-
-/*
-** Elliptic curve Public Key structure
-** The PKCS#11 layer needs DER encoding of ANSI X9.62
-** parameters value
-*/
-typedef SECItem SECKEYECParams;
-
-struct SECKEYECPublicKeyStr {
-    SECKEYECParams DEREncodedParams;
-    int     size;             /* size in bits */
-    SECItem publicValue;      /* encoded point */
-    /* XXX Even though the PKCS#11 interface takes encoded parameters,
-     * we may still wish to decode them above PKCS#11 for things like
-     * printing key information. For named curves, which is what
-     * we initially support, we ought to have the curve name at the
-     * very least.
-     */
-};
-typedef struct SECKEYECPublicKeyStr SECKEYECPublicKey;
-
-/*
-** FORTEZZA Public Key structures
-*/
-struct SECKEYFortezzaPublicKeyStr {
-    int      KEAversion;
-    int      DSSversion;
-    unsigned char    KMID[8];
-    SECItem clearance;
-    SECItem KEApriviledge;
-    SECItem DSSpriviledge;
-    SECItem KEAKey;
-    SECItem DSSKey;
-    SECKEYPQGParams params;
-    SECKEYPQGParams keaParams;
-};
-typedef struct SECKEYFortezzaPublicKeyStr SECKEYFortezzaPublicKey;
-
-struct SECKEYDiffPQGParamsStr {
-    SECKEYPQGParams DiffKEAParams;
-    SECKEYPQGParams DiffDSAParams;
-};
-typedef struct SECKEYDiffPQGParamsStr SECKEYDiffPQGParams;
-
-struct SECKEYPQGDualParamsStr {
-    SECKEYPQGParams CommParams;
-    SECKEYDiffPQGParams DiffParams;
-};
-typedef struct SECKEYPQGDualParamsStr SECKEYPQGDualParams;
-
-struct SECKEYKEAParamsStr {
-    PLArenaPool *arena;
-    SECItem hash;
-};
-typedef struct SECKEYKEAParamsStr SECKEYKEAParams;
- 
-struct SECKEYKEAPublicKeyStr {
-    SECKEYKEAParams params;
-    SECItem publicValue;
-};
-typedef struct SECKEYKEAPublicKeyStr SECKEYKEAPublicKey;
-
-/*
-** A Generic  public key object.
-*/
-struct SECKEYPublicKeyStr {
-    PLArenaPool *arena;
-    KeyType keyType;
-    PK11SlotInfo *pkcs11Slot;
-    CK_OBJECT_HANDLE pkcs11ID;
-    union {
-        SECKEYRSAPublicKey rsa;
-	SECKEYDSAPublicKey dsa;
-	SECKEYDHPublicKey  dh;
-        SECKEYKEAPublicKey kea;
-        SECKEYFortezzaPublicKey fortezza;
-	SECKEYECPublicKey  ec;
-    } u;
-};
-typedef struct SECKEYPublicKeyStr SECKEYPublicKey;
-
-#define CachedAttribute(attribute,setbit) \
-static const PRUint32 SECKEY_##attribute = 1 << setbit;
-
-/* bit flag definitions for staticflags */
-#define SECKEY_Attributes_Cached 0x1    /* bit 0 states
-                                           whether attributes are cached */
-CachedAttribute(CKA_PRIVATE,1) /* bit 1 is the value of CKA_PRIVATE */
-
-#define SECKEY_ATTRIBUTES_CACHED(key) \
-     (0 != (key->staticflags & SECKEY_Attributes_Cached))
-
-#define SECKEY_ATTRIBUTE_VALUE(key,attribute) \
-     (0 != (key->staticflags & SECKEY_##attribute))
-
-#define SECKEY_HAS_ATTRIBUTE_SET(key,attribute) \
-    (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? \
-    (0 != (key->staticflags & SECKEY_##attribute)) : \
-    PK11_HasAttributeSet(key->pkcs11Slot,key->pkcs11ID,attribute)
-
-/*
-** A generic key structure
-*/ 
-struct SECKEYPrivateKeyStr {
-    PLArenaPool *arena;
-    KeyType keyType;
-    PK11SlotInfo *pkcs11Slot;	/* pkcs11 slot this key lives in */
-    CK_OBJECT_HANDLE pkcs11ID;  /* ID of pkcs11 object */
-    PRBool pkcs11IsTemp;	/* temp pkcs11 object, delete it when done */
-    void *wincx;		/* context for errors and pw prompts */
-    PRUint32 staticflags;       /* bit flag of cached PKCS#11 attributes */
-};
-typedef struct SECKEYPrivateKeyStr SECKEYPrivateKey;
-
-/* Despite the name, this struct isn't used by any pkcs5 code.
-** It's used by pkcs7 and pkcs12 code.
-*/
-typedef struct {
-    SECItem *pwitem;
-    PK11SymKey *key;
-    PK11SlotInfo *slot;
-    void *wincx;
-} SEC_PKCS5KeyAndPassword;
-
-typedef struct {
-    PRCList links;
-    SECKEYPrivateKey *key;
-} SECKEYPrivateKeyListNode;
-
-typedef struct {
-    PRCList list;
-    PRArenaPool *arena;
-} SECKEYPrivateKeyList;
-
-typedef struct {
-    PRCList links;
-    SECKEYPublicKey *key;
-} SECKEYPublicKeyListNode;
-
-typedef struct {
-    PRCList list;
-    PRArenaPool *arena;
-} SECKEYPublicKeyList;
-#endif /* _KEYTHI_H_ */
-
diff --git a/security/nss/lib/cryptohi/manifest.mn b/security/nss/lib/cryptohi/manifest.mn
deleted file mode 100644
index 897559896..000000000
--- a/security/nss/lib/cryptohi/manifest.mn
+++ /dev/null
@@ -1,67 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-CORE_DEPTH = ../../..
-
-MODULE = nss
-
-REQUIRES = dbm
-
-LIBRARY_NAME = cryptohi
-
-EXPORTS = \
-	cryptohi.h \
-	cryptoht.h \
-	hasht.h   \
-	key.h     \
-	keyhi.h   \
-	keyt.h    \
-	keythi.h  \
-	sechash.h \
-	$(NULL)
-
-PRIVATE_EXPORTS = \
-	$(NULL)
-
-LIBSRCS = \
-	sechash.c \
-	seckey.c  \
-	secsign.c \
-	secvfy.c  \
-	dsautil.c \
-	$(NULL)
-
-CSRCS = $(LIBSRCS)
diff --git a/security/nss/lib/cryptohi/sechash.c b/security/nss/lib/cryptohi/sechash.c
deleted file mode 100644
index eebe23d95..000000000
--- a/security/nss/lib/cryptohi/sechash.c
+++ /dev/null
@@ -1,381 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#include "sechash.h"
-#include "secoidt.h"
-#include "secerr.h"
-#include "blapi.h"
-#include "pk11func.h"	/* for the PK11_ calls below. */
-
-static void *
-null_hash_new_context(void)
-{
-    return NULL;
-}
-
-static void *
-null_hash_clone_context(void *v)
-{
-    PORT_Assert(v == NULL);
-    return NULL;
-}
-
-static void
-null_hash_begin(void *v)
-{
-}
-
-static void
-null_hash_update(void *v, const unsigned char *input, unsigned int length)
-{
-}
-
-static void
-null_hash_end(void *v, unsigned char *output, unsigned int *outLen,
-	      unsigned int maxOut)
-{
-    *outLen = 0;
-}
-
-static void
-null_hash_destroy_context(void *v, PRBool b)
-{
-    PORT_Assert(v == NULL);
-}
-
-
-static void *
-md2_NewContext(void) {
-	return (void *) PK11_CreateDigestContext(SEC_OID_MD2);
-}
-
-static void *
-md5_NewContext(void) {
-	return (void *) PK11_CreateDigestContext(SEC_OID_MD5);
-}
-
-static void *
-sha1_NewContext(void) {
-	return (void *) PK11_CreateDigestContext(SEC_OID_SHA1);
-}
-
-static void *
-sha256_NewContext(void) {
-	return (void *) PK11_CreateDigestContext(SEC_OID_SHA256);
-}
-
-static void *
-sha384_NewContext(void) {
-	return (void *) PK11_CreateDigestContext(SEC_OID_SHA384);
-}
-
-static void *
-sha512_NewContext(void) {
-	return (void *) PK11_CreateDigestContext(SEC_OID_SHA512);
-}
-
-const SECHashObject SECHashObjects[] = {
-  { 0,
-    (void * (*)(void)) null_hash_new_context,
-    (void * (*)(void *)) null_hash_clone_context,
-    (void (*)(void *, PRBool)) null_hash_destroy_context,
-    (void (*)(void *)) null_hash_begin,
-    (void (*)(void *, const unsigned char *, unsigned int)) null_hash_update,
-    (void (*)(void *, unsigned char *, unsigned int *,
-	      unsigned int)) null_hash_end,
-    0,
-    HASH_AlgNULL
-  },
-  { MD2_LENGTH,
-    (void * (*)(void)) md2_NewContext,
-    (void * (*)(void *)) PK11_CloneContext,
-    (void (*)(void *, PRBool)) PK11_DestroyContext,
-    (void (*)(void *)) PK11_DigestBegin,
-    (void (*)(void *, const unsigned char *, unsigned int)) PK11_DigestOp,
-    (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) 
-							PK11_DigestFinal,
-    MD2_BLOCK_LENGTH,
-    HASH_AlgMD2
-  },
-  { MD5_LENGTH,
-    (void * (*)(void)) md5_NewContext,
-    (void * (*)(void *)) PK11_CloneContext,
-    (void (*)(void *, PRBool)) PK11_DestroyContext,
-    (void (*)(void *)) PK11_DigestBegin,
-    (void (*)(void *, const unsigned char *, unsigned int)) PK11_DigestOp,
-    (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) 
-							PK11_DigestFinal,
-    MD5_BLOCK_LENGTH,
-    HASH_AlgMD5
-  },
-  { SHA1_LENGTH,
-    (void * (*)(void)) sha1_NewContext,
-    (void * (*)(void *)) PK11_CloneContext,
-    (void (*)(void *, PRBool)) PK11_DestroyContext,
-    (void (*)(void *)) PK11_DigestBegin,
-    (void (*)(void *, const unsigned char *, unsigned int)) PK11_DigestOp,
-    (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) 
-							PK11_DigestFinal,
-    SHA1_BLOCK_LENGTH,
-    HASH_AlgSHA1
-  },
-  { SHA256_LENGTH,
-    (void * (*)(void)) sha256_NewContext,
-    (void * (*)(void *)) PK11_CloneContext,
-    (void (*)(void *, PRBool)) PK11_DestroyContext,
-    (void (*)(void *)) PK11_DigestBegin,
-    (void (*)(void *, const unsigned char *, unsigned int)) PK11_DigestOp,
-    (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) 
-							PK11_DigestFinal,
-    SHA256_BLOCK_LENGTH,
-    HASH_AlgSHA256
-  },
-  { SHA384_LENGTH,
-    (void * (*)(void)) sha384_NewContext,
-    (void * (*)(void *)) PK11_CloneContext,
-    (void (*)(void *, PRBool)) PK11_DestroyContext,
-    (void (*)(void *)) PK11_DigestBegin,
-    (void (*)(void *, const unsigned char *, unsigned int)) PK11_DigestOp,
-    (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) 
-							PK11_DigestFinal,
-    SHA384_BLOCK_LENGTH,
-    HASH_AlgSHA384
-  },
-  { SHA512_LENGTH,
-    (void * (*)(void)) sha512_NewContext,
-    (void * (*)(void *)) PK11_CloneContext,
-    (void (*)(void *, PRBool)) PK11_DestroyContext,
-    (void (*)(void *)) PK11_DigestBegin,
-    (void (*)(void *, const unsigned char *, unsigned int)) PK11_DigestOp,
-    (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) 
-							PK11_DigestFinal,
-    SHA512_BLOCK_LENGTH,
-    HASH_AlgSHA512
-  },
-};
-
-const SECHashObject * 
-HASH_GetHashObject(HASH_HashType type)
-{
-    return &SECHashObjects[type];
-}
-
-HASH_HashType
-HASH_GetHashTypeByOidTag(SECOidTag hashOid)
-{
-    HASH_HashType ht	= HASH_AlgNULL;
-
-    switch(hashOid) {
-    case SEC_OID_MD2:	 ht = HASH_AlgMD2;    break;
-    case SEC_OID_MD5:	 ht = HASH_AlgMD5;    break;
-    case SEC_OID_SHA1:	 ht = HASH_AlgSHA1;   break;
-    case SEC_OID_SHA256: ht = HASH_AlgSHA256; break;
-    case SEC_OID_SHA384: ht = HASH_AlgSHA384; break;
-    case SEC_OID_SHA512: ht = HASH_AlgSHA512; break;
-    default:             ht = HASH_AlgNULL;   
-	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-	break;
-    }
-    return ht;
-}
-
-const SECHashObject * 
-HASH_GetHashObjectByOidTag(SECOidTag hashOid)
-{
-    HASH_HashType ht	= HASH_GetHashTypeByOidTag(hashOid);
-
-    return (ht == HASH_AlgNULL) ? NULL : &SECHashObjects[ht];
-}
-
-/* returns zero for unknown hash OID */
-unsigned int
-HASH_ResultLenByOidTag(SECOidTag hashOid)
-{
-    const SECHashObject * hashObject = HASH_GetHashObjectByOidTag(hashOid);
-    unsigned int          resultLen = 0;
-
-    if (hashObject)
-    	resultLen = hashObject->length;
-    return resultLen;
-}
-
-/* returns zero if hash type invalid. */
-unsigned int
-HASH_ResultLen(HASH_HashType type)
-{
-    if ( ( type < HASH_AlgNULL ) || ( type >= HASH_AlgTOTAL ) ) {
-	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-	return(0);
-    }
-    
-    return(SECHashObjects[type].length);
-}
-
-unsigned int
-HASH_ResultLenContext(HASHContext *context)
-{
-    return(context->hashobj->length);
-}
-
-
-
-SECStatus
-HASH_HashBuf(HASH_HashType type,
-	     unsigned char *dest,
-	     unsigned char *src,
-	     uint32 src_len)
-{
-    HASHContext *cx;
-    unsigned int part;
-    
-    if ( ( type < HASH_AlgNULL ) || ( type >= HASH_AlgTOTAL ) ) {
-	return(SECFailure);
-    }
-    
-    cx = HASH_Create(type);
-    if ( cx == NULL ) {
-	return(SECFailure);
-    }
-    HASH_Begin(cx);
-    HASH_Update(cx, src, src_len);
-    HASH_End(cx, dest, &part, HASH_ResultLenContext(cx));
-    HASH_Destroy(cx);
-
-    return(SECSuccess);
-}
-
-HASHContext *
-HASH_Create(HASH_HashType type)
-{
-    void *hash_context = NULL;
-    HASHContext *ret = NULL;
-    
-    if ( ( type < HASH_AlgNULL ) || ( type >= HASH_AlgTOTAL ) ) {
-	return(NULL);
-    }
-    
-    hash_context = (* SECHashObjects[type].create)();
-    if ( hash_context == NULL ) {
-	goto loser;
-    }
-
-    ret = (HASHContext *)PORT_Alloc(sizeof(HASHContext));
-    if ( ret == NULL ) {
-	goto loser;
-    }
-
-    ret->hash_context = hash_context;
-    ret->hashobj = &SECHashObjects[type];
-    
-    return(ret);
-    
-loser:
-    if ( hash_context != NULL ) {
-	(* SECHashObjects[type].destroy)(hash_context, PR_TRUE);
-    }
-    
-    return(NULL);
-}
-
-
-HASHContext *
-HASH_Clone(HASHContext *context)
-{
-    void *hash_context = NULL;
-    HASHContext *ret = NULL;
-    
-    hash_context = (* context->hashobj->clone)(context->hash_context);
-    if ( hash_context == NULL ) {
-	goto loser;
-    }
-
-    ret = (HASHContext *)PORT_Alloc(sizeof(HASHContext));
-    if ( ret == NULL ) {
-	goto loser;
-    }
-
-    ret->hash_context = hash_context;
-    ret->hashobj = context->hashobj;
-    
-    return(ret);
-    
-loser:
-    if ( hash_context != NULL ) {
-	(* context->hashobj->destroy)(hash_context, PR_TRUE);
-    }
-    
-    return(NULL);
-
-}
-
-void
-HASH_Destroy(HASHContext *context)
-{
-    (* context->hashobj->destroy)(context->hash_context, PR_TRUE);
-    PORT_Free(context);
-    return;
-}
-
-
-void
-HASH_Begin(HASHContext *context)
-{
-    (* context->hashobj->begin)(context->hash_context);
-    return;
-}
-
-
-void
-HASH_Update(HASHContext *context,
-	    const unsigned char *src,
-	    unsigned int len)
-{
-    (* context->hashobj->update)(context->hash_context, src, len);
-    return;
-}
-
-void
-HASH_End(HASHContext *context,
-	 unsigned char *result,
-	 unsigned int *result_len,
-	 unsigned int max_result_len)
-{
-    (* context->hashobj->end)(context->hash_context, result, result_len,
-			      max_result_len);
-    return;
-}
-
-
-
diff --git a/security/nss/lib/cryptohi/sechash.h b/security/nss/lib/cryptohi/sechash.h
deleted file mode 100644
index 0bcb72c7f..000000000
--- a/security/nss/lib/cryptohi/sechash.h
+++ /dev/null
@@ -1,86 +0,0 @@
-#ifndef _HASH_H_
-#define _HASH_H_
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "seccomon.h"
-#include "hasht.h"
-#include "secoidt.h"
-
-SEC_BEGIN_PROTOS
-
-/*
-** Generic hash api.  
-*/
-
-extern unsigned int  HASH_ResultLen(HASH_HashType type);
-
-extern unsigned int  HASH_ResultLenContext(HASHContext *context);
-
-extern unsigned int  HASH_ResultLenByOidTag(SECOidTag hashOid);
-
-extern SECStatus     HASH_HashBuf(HASH_HashType type,
-				 unsigned char *dest,
-				 unsigned char *src,
-				 uint32 src_len);
-
-extern HASHContext * HASH_Create(HASH_HashType type);
-
-extern HASHContext * HASH_Clone(HASHContext *context);
-
-extern void          HASH_Destroy(HASHContext *context);
-
-extern void          HASH_Begin(HASHContext *context);
-
-extern void          HASH_Update(HASHContext *context,
-				const unsigned char *src,
-				unsigned int len);
-
-extern void          HASH_End(HASHContext *context,
-			     unsigned char *result,
-			     unsigned int *result_len,
-			     unsigned int max_result_len);
-
-extern const SECHashObject * HASH_GetHashObject(HASH_HashType type);
-
-extern const SECHashObject * HASH_GetHashObjectByOidTag(SECOidTag hashOid);
-
-extern HASH_HashType HASH_GetHashTypeByOidTag(SECOidTag hashOid);
-
-SEC_END_PROTOS
-
-#endif /* _HASH_H_ */
diff --git a/security/nss/lib/cryptohi/seckey.c b/security/nss/lib/cryptohi/seckey.c
deleted file mode 100644
index 97f79d99e..000000000
--- a/security/nss/lib/cryptohi/seckey.c
+++ /dev/null
@@ -1,2334 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Stephen Henson <stephen.henson@gemplus.com>
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#include "cryptohi.h"
-#include "keyhi.h"
-#include "secoid.h"
-#include "secitem.h"
-#include "secder.h"
-#include "base64.h"
-#include "secasn1.h"
-#include "cert.h"
-#include "pk11func.h"
-#include "secerr.h"
-#include "secdig.h"
-#include "prtime.h"
-#include "ec.h"
-
-const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTSubjectPublicKeyInfo) },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTSubjectPublicKeyInfo,algorithm),
-	  SECOID_AlgorithmIDTemplate },
-    { SEC_ASN1_BIT_STRING,
-	  offsetof(CERTSubjectPublicKeyInfo,subjectPublicKey), },
-    { 0, }
-};
-
-const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[] =
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTPublicKeyAndChallenge) },
-    { SEC_ASN1_ANY, offsetof(CERTPublicKeyAndChallenge,spki) },
-    { SEC_ASN1_IA5_STRING, offsetof(CERTPublicKeyAndChallenge,challenge) },
-    { 0 }
-};
-
-const SEC_ASN1Template SECKEY_RSAPublicKeyTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPublicKey) },
-    { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.rsa.modulus), },
-    { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.rsa.publicExponent), },
-    { 0, }
-};
-
-const SEC_ASN1Template SECKEY_DSAPublicKeyTemplate[] = {
-    { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.dsa.publicValue), },
-    { 0, }
-};
-
-const SEC_ASN1Template SECKEY_PQGParamsTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPQGParams) },
-    { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,prime) },
-    { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,subPrime) },
-    { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,base) },
-    { 0, }
-};
-
-const SEC_ASN1Template SECKEY_DHPublicKeyTemplate[] = {
-    { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.dh.publicValue), },
-    { 0, }
-};
-
-const SEC_ASN1Template SECKEY_DHParamKeyTemplate[] = {
-    { SEC_ASN1_SEQUENCE,  0, NULL, sizeof(SECKEYPublicKey) },
-    { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.dh.prime), },
-    { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.dh.base), },
-    /* XXX chrisk: this needs to be expanded for decoding of j and validationParms (RFC2459 7.3.2) */
-    { SEC_ASN1_SKIP_REST },
-    { 0, }
-};
-
-const SEC_ASN1Template SECKEY_FortezzaParameterTemplate[] = {
-    { SEC_ASN1_SEQUENCE,  0, NULL, sizeof(SECKEYPQGParams) },
-    { SEC_ASN1_OCTET_STRING, offsetof(SECKEYPQGParams,prime), },
-    { SEC_ASN1_OCTET_STRING, offsetof(SECKEYPQGParams,subPrime), },
-    { SEC_ASN1_OCTET_STRING, offsetof(SECKEYPQGParams,base), },
-    { 0 },
-};
- 
-const SEC_ASN1Template SECKEY_FortezzaDiffParameterTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYDiffPQGParams) },
-    { SEC_ASN1_INLINE, offsetof(SECKEYDiffPQGParams,DiffKEAParams), 
-                       SECKEY_FortezzaParameterTemplate},
-    { SEC_ASN1_INLINE, offsetof(SECKEYDiffPQGParams,DiffDSAParams), 
-                       SECKEY_FortezzaParameterTemplate},
-    { 0 },
-};
-
-const SEC_ASN1Template SECKEY_FortezzaPreParamTemplate[] = {
-    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED |
-      SEC_ASN1_CONTEXT_SPECIFIC | 1, offsetof(SECKEYPQGDualParams,CommParams),
-                SECKEY_FortezzaParameterTemplate},
-    { 0, }
-};
-
-const SEC_ASN1Template SECKEY_FortezzaAltPreParamTemplate[] = {
-    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED |
-      SEC_ASN1_CONTEXT_SPECIFIC | 0, offsetof(SECKEYPQGDualParams,DiffParams),
-                SECKEY_FortezzaDiffParameterTemplate},
-    { 0, }
-};
-
-const SEC_ASN1Template SECKEY_KEAPublicKeyTemplate[] = {
-    { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.kea.publicValue), },
-    { 0, }
-};
-
-const SEC_ASN1Template SECKEY_KEAParamsTemplate[] = {
-    { SEC_ASN1_OCTET_STRING, offsetof(SECKEYPublicKey,u.kea.params.hash), }, 
-    { 0, }
-};
-
-SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_DSAPublicKeyTemplate)
-SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_RSAPublicKeyTemplate)
-SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SubjectPublicKeyInfoTemplate)
-
-/*
- * See bugzilla bug 125359
- * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
- * all of the templates above that en/decode into integers must be converted
- * from ASN.1's signed integer type.  This is done by marking either the
- * source or destination (encoding or decoding, respectively) type as
- * siUnsignedInteger.
- */
-static void
-prepare_rsa_pub_key_for_asn1(SECKEYPublicKey *pubk)
-{
-    pubk->u.rsa.modulus.type = siUnsignedInteger;
-    pubk->u.rsa.publicExponent.type = siUnsignedInteger;
-}
-
-static void
-prepare_dsa_pub_key_for_asn1(SECKEYPublicKey *pubk)
-{
-    pubk->u.dsa.publicValue.type = siUnsignedInteger;
-}
-
-static void
-prepare_pqg_params_for_asn1(SECKEYPQGParams *params)
-{
-    params->prime.type = siUnsignedInteger;
-    params->subPrime.type = siUnsignedInteger;
-    params->base.type = siUnsignedInteger;
-}
-
-static void
-prepare_dh_pub_key_for_asn1(SECKEYPublicKey *pubk)
-{
-    pubk->u.dh.prime.type = siUnsignedInteger;
-    pubk->u.dh.base.type = siUnsignedInteger;
-    pubk->u.dh.publicValue.type = siUnsignedInteger;
-}
-
-static void
-prepare_kea_pub_key_for_asn1(SECKEYPublicKey *pubk)
-{
-    pubk->u.kea.publicValue.type = siUnsignedInteger;
-}
-
-/* Create an RSA key pair is any slot able to do so.
-** The created keys are "session" (temporary), not "token" (permanent), 
-** and they are "sensitive", which makes them costly to move to another token.
-*/
-SECKEYPrivateKey *
-SECKEY_CreateRSAPrivateKey(int keySizeInBits,SECKEYPublicKey **pubk, void *cx)
-{
-    SECKEYPrivateKey *privk;
-    PK11SlotInfo *slot = PK11_GetBestSlot(CKM_RSA_PKCS_KEY_PAIR_GEN,cx);
-    PK11RSAGenParams param;
-
-    param.keySizeInBits = keySizeInBits;
-    param.pe = 65537L;
-    
-    privk = PK11_GenerateKeyPair(slot,CKM_RSA_PKCS_KEY_PAIR_GEN,&param,pubk,
-					PR_FALSE, PR_TRUE, cx);
-    PK11_FreeSlot(slot);
-    return(privk);
-}
-
-/* Create a DH key pair in any slot able to do so, 
-** This is a "session" (temporary), not "token" (permanent) key. 
-** Because of the high probability that this key will need to be moved to
-** another token, and the high cost of moving "sensitive" keys, we attempt
-** to create this key pair without the "sensitive" attribute, but revert to 
-** creating a "sensitive" key if necessary.
-*/
-SECKEYPrivateKey *
-SECKEY_CreateDHPrivateKey(SECKEYDHParams *param, SECKEYPublicKey **pubk, void *cx)
-{
-    SECKEYPrivateKey *privk;
-    PK11SlotInfo *slot = PK11_GetBestSlot(CKM_DH_PKCS_KEY_PAIR_GEN,cx);
-
-    privk = PK11_GenerateKeyPair(slot, CKM_DH_PKCS_KEY_PAIR_GEN, param, 
-                                 pubk, PR_FALSE, PR_FALSE, cx);
-    if (!privk) 
-	privk = PK11_GenerateKeyPair(slot, CKM_DH_PKCS_KEY_PAIR_GEN, param, 
-	                             pubk, PR_FALSE, PR_TRUE, cx);
-
-    PK11_FreeSlot(slot);
-    return(privk);
-}
-
-/* Create an EC key pair in any slot able to do so, 
-** This is a "session" (temporary), not "token" (permanent) key. 
-** Because of the high probability that this key will need to be moved to
-** another token, and the high cost of moving "sensitive" keys, we attempt
-** to create this key pair without the "sensitive" attribute, but revert to 
-** creating a "sensitive" key if necessary.
-*/
-SECKEYPrivateKey *
-SECKEY_CreateECPrivateKey(SECKEYECParams *param, SECKEYPublicKey **pubk, void *cx)
-{
-    SECKEYPrivateKey *privk;
-    PK11SlotInfo *slot = PK11_GetBestSlot(CKM_EC_KEY_PAIR_GEN,cx);
-
-    privk = PK11_GenerateKeyPair(slot, CKM_EC_KEY_PAIR_GEN, param, 
-                                 pubk, PR_FALSE, PR_FALSE, cx);
-    if (!privk) 
-	privk = PK11_GenerateKeyPair(slot, CKM_EC_KEY_PAIR_GEN, param, 
-	                             pubk, PR_FALSE, PR_TRUE, cx);
-
-    PK11_FreeSlot(slot);
-    return(privk);
-}
-
-void
-SECKEY_DestroyPrivateKey(SECKEYPrivateKey *privk)
-{
-    if (privk) {
-	if (privk->pkcs11Slot) {
-	    if (privk->pkcs11IsTemp) {
-	    	PK11_DestroyObject(privk->pkcs11Slot,privk->pkcs11ID);
-	    }
-	    PK11_FreeSlot(privk->pkcs11Slot);
-
-	}
-    	if (privk->arena) {
-	    PORT_FreeArena(privk->arena, PR_TRUE);
-	}
-    }
-}
-
-void
-SECKEY_DestroyPublicKey(SECKEYPublicKey *pubk)
-{
-    if (pubk) {
-	if (pubk->pkcs11Slot) {
-	    if (!PK11_IsPermObject(pubk->pkcs11Slot,pubk->pkcs11ID)) {
-		PK11_DestroyObject(pubk->pkcs11Slot,pubk->pkcs11ID);
-	    }
-	    PK11_FreeSlot(pubk->pkcs11Slot);
-	}
-    	if (pubk->arena) {
-	    PORT_FreeArena(pubk->arena, PR_FALSE);
-	}
-    }
-}
-
-SECStatus
-SECKEY_CopySubjectPublicKeyInfo(PRArenaPool *arena,
-			     CERTSubjectPublicKeyInfo *to,
-			     CERTSubjectPublicKeyInfo *from)
-{
-    SECStatus rv;
-    SECItem spk;
-
-    rv = SECOID_CopyAlgorithmID(arena, &to->algorithm, &from->algorithm);
-    if (rv == SECSuccess) {
-	/*
-	 * subjectPublicKey is a bit string, whose length is in bits.
-	 * Convert the length from bits to bytes for SECITEM_CopyItem.
-	 */
-	spk = from->subjectPublicKey;
-	DER_ConvertBitString(&spk);
-	rv = SECITEM_CopyItem(arena, &to->subjectPublicKey, &spk);
-	/* Set the length back to bits. */
-	if (rv == SECSuccess) {
-	    to->subjectPublicKey.len = from->subjectPublicKey.len;
-	}
-    }
-
-    return rv;
-}
-
-SECStatus
-SECKEY_KEASetParams(SECKEYKEAParams * params, SECKEYPublicKey * pubKey) {
-
-    if (pubKey->keyType == fortezzaKey) {
-        /* the key is a fortezza V1 public key  */
-
-	/* obtain hash of pubkey->u.fortezza.params.prime.data +
-		          pubkey->u.fortezza.params.subPrime.data +
-			  pubkey->u.fortezza.params.base.data  */
-
-	/* store hash in params->hash */
-
-    } else if (pubKey->keyType == keaKey) {
-
-        /* the key is a new fortezza KEA public key. */
-        SECITEM_CopyItem(pubKey->arena, &params->hash, 
-	                 &pubKey->u.kea.params.hash );
-
-    } else {
-
-	/* the key has no KEA parameters */
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-
-SECStatus
-SECKEY_KEAParamCompare(CERTCertificate *cert1,CERTCertificate *cert2) 
-{
-
-    SECStatus rv;
-
-    SECKEYPublicKey *pubKey1 = 0;
-    SECKEYPublicKey *pubKey2 = 0;
-
-    SECKEYKEAParams params1;
-    SECKEYKEAParams params2;
-
-
-    rv = SECFailure;
-
-    /* get cert1's public key */
-    pubKey1 = CERT_ExtractPublicKey(cert1);
-    if ( !pubKey1 ) {
-	return(SECFailure);
-    }
-    
-
-    /* get cert2's public key */
-    pubKey2 = CERT_ExtractPublicKey(cert2);
-    if ( !pubKey2 ) {
-	return(SECFailure);
-    }
-
-    /* handle the case when both public keys are new
-     * fortezza KEA public keys.    */
-
-    if ((pubKey1->keyType == keaKey) &&
-        (pubKey2->keyType == keaKey) ) {
-
-        rv = (SECStatus)SECITEM_CompareItem(&pubKey1->u.kea.params.hash,
-	                         &pubKey2->u.kea.params.hash);
-	goto done;
-    }
-
-    /* handle the case when both public keys are old fortezza
-     * public keys.              */
-
-    if ((pubKey1->keyType == fortezzaKey) &&
-        (pubKey2->keyType == fortezzaKey) ) {
-
-        rv = (SECStatus)SECITEM_CompareItem(&pubKey1->u.fortezza.keaParams.prime,
-	                         &pubKey2->u.fortezza.keaParams.prime);
-
-	if (rv == SECEqual) {
-	    rv = (SECStatus)SECITEM_CompareItem(&pubKey1->u.fortezza.keaParams.subPrime,
-	                             &pubKey2->u.fortezza.keaParams.subPrime);
-	}
-
-	if (rv == SECEqual) {
-	    rv = (SECStatus)SECITEM_CompareItem(&pubKey1->u.fortezza.keaParams.base,
-	                             &pubKey2->u.fortezza.keaParams.base);
-	}
-	
-	goto done;
-    }
-
-
-    /* handle the case when the public keys are a mixture of 
-     * old and new.                          */
-
-    rv = SECKEY_KEASetParams(&params1, pubKey1);
-    if (rv != SECSuccess) return rv;
-
-    rv = SECKEY_KEASetParams(&params2, pubKey2);
-    if (rv != SECSuccess) return rv;
-
-    rv = (SECStatus)SECITEM_CompareItem(&params1.hash, &params2.hash);
-
-done:
-    SECKEY_DestroyPublicKey(pubKey1);
-    SECKEY_DestroyPublicKey(pubKey2);
-
-    return rv;   /* returns SECEqual if parameters are equal */
-
-}
-
-
-/* Procedure to update the pqg parameters for a cert's public key.
- * pqg parameters only need to be updated for DSA and fortezza certificates.
- * The procedure uses calls to itself recursively to update a certificate
- * issuer's pqg parameters.  Some important rules are:
- *    - Do nothing if the cert already has PQG parameters.
- *    - If the cert does not have PQG parameters, obtain them from the issuer.
- *    - A valid cert chain cannot have a DSA or Fortezza cert without
- *      pqg parameters that has a parent that is not a DSA or Fortezza cert.
- *    - pqg paramters are stored in two different formats: the standard
- *      DER encoded format and the fortezza-only wrapped format.  The params
- *      should be copied from issuer to subject cert without modifying the
- *      formats.  The public key extraction code will deal with the different
- *      formats at the time of extraction.  */
-
-static SECStatus
-seckey_UpdateCertPQGChain(CERTCertificate * subjectCert, int count)
-{
-    SECStatus rv, rvCompare;
-    SECOidData *oid=NULL;
-    int tag;
-    CERTSubjectPublicKeyInfo * subjectSpki=NULL;
-    CERTSubjectPublicKeyInfo * issuerSpki=NULL;
-    CERTCertificate *issuerCert = NULL;
-
-    rv = SECSuccess;
-
-    /* increment cert chain length counter*/
-    count++;
-
-    /* check if cert chain length exceeds the maximum length*/
-    if (count > CERT_MAX_CERT_CHAIN) {
-	return SECFailure;
-    }
-
-    oid = SECOID_FindOID(&subjectCert->subjectPublicKeyInfo.algorithm.algorithm);            
-    if (oid != NULL) {  
-        tag = oid->offset;
-             
-        /* Check if cert has a DSA or Fortezza public key. If not, return
-         * success since no PQG params need to be updated.  */
-
-	if ( (tag != SEC_OID_MISSI_KEA_DSS_OLD) &&
-	     (tag != SEC_OID_MISSI_DSS_OLD) &&
-             (tag != SEC_OID_MISSI_KEA_DSS) &&
-             (tag != SEC_OID_MISSI_DSS) &&               
-             (tag != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
-             (tag != SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
-             (tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
-             (tag != SEC_OID_SDN702_DSA_SIGNATURE) &&
-             (tag != SEC_OID_ANSIX962_EC_PUBLIC_KEY) ) {
-            
-            return SECSuccess;
-        }
-    } else {
-        return SECFailure;  /* return failure if oid is NULL */  
-    }
-
-    /* if cert has PQG parameters, return success */
-
-    subjectSpki=&subjectCert->subjectPublicKeyInfo;
-
-    if (subjectSpki->algorithm.parameters.len != 0) {
-        return SECSuccess;
-    }
-
-    /* check if the cert is self-signed */
-    rvCompare = (SECStatus)SECITEM_CompareItem(&subjectCert->derSubject,
-				    &subjectCert->derIssuer);
-    if (rvCompare == SECEqual) {
-      /* fail since cert is self-signed and has no pqg params. */
-	return SECFailure;     
-    }
-     
-    /* get issuer cert */
-    issuerCert = CERT_FindCertIssuer(subjectCert, PR_Now(), certUsageAnyCA);
-    if ( ! issuerCert ) {
-	return SECFailure;
-    }
-
-    /* if parent is not DSA or fortezza, return failure since
-       we don't allow this case. */
-
-    oid = SECOID_FindOID(&issuerCert->subjectPublicKeyInfo.algorithm.algorithm);
-    if (oid != NULL) {  
-        tag = oid->offset;
-             
-        /* Check if issuer cert has a DSA or Fortezza public key. If not,
-         * return failure.   */
-
-	if ( (tag != SEC_OID_MISSI_KEA_DSS_OLD) &&
-	     (tag != SEC_OID_MISSI_DSS_OLD) &&
-             (tag != SEC_OID_MISSI_KEA_DSS) &&
-             (tag != SEC_OID_MISSI_DSS) &&               
-             (tag != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
-             (tag != SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
-             (tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
-             (tag != SEC_OID_SDN702_DSA_SIGNATURE) &&
-             (tag != SEC_OID_ANSIX962_EC_PUBLIC_KEY) ) {            
-            rv = SECFailure;
-            goto loser;
-        }
-    } else {
-        rv = SECFailure;  /* return failure if oid is NULL */  
-        goto loser;
-    }
-
-
-    /* at this point the subject cert has no pqg parameters and the
-     * issuer cert has a DSA or fortezza public key.  Update the issuer's
-     * pqg parameters with a recursive call to this same function. */
-
-    rv = seckey_UpdateCertPQGChain(issuerCert, count);
-    if (rv != SECSuccess) {
-        rv = SECFailure;
-        goto loser;
-    }
-
-    /* ensure issuer has pqg parameters */
-
-    issuerSpki=&issuerCert->subjectPublicKeyInfo;
-    if (issuerSpki->algorithm.parameters.len == 0) {
-        rv = SECFailure; 
-    }
-
-    /* if update was successful and pqg params present, then copy the
-     * parameters to the subject cert's key. */
-
-    if (rv == SECSuccess) {
-        rv = SECITEM_CopyItem(subjectCert->arena,
-                              &subjectSpki->algorithm.parameters, 
-	   		      &issuerSpki->algorithm.parameters);
-    }
-
-loser:
-    if (issuerCert) {
-        CERT_DestroyCertificate(issuerCert);
-    }
-    return rv;
-
-}
- 
-
-SECStatus
-SECKEY_UpdateCertPQG(CERTCertificate * subjectCert)
-{
-    if (!subjectCert) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    return seckey_UpdateCertPQGChain(subjectCert,0);
-}
-   
-
-/* Decode the PQG parameters.  The params could be stored in two
- * possible formats, the old fortezza-only wrapped format or
- * the standard DER encoded format.   Store the decoded parameters in an
- * old fortezza cert data structure */
- 
-SECStatus
-SECKEY_FortezzaDecodePQGtoOld(PRArenaPool *arena, SECKEYPublicKey *pubk,
-                              SECItem *params) {
-    SECStatus rv;
-    SECKEYPQGDualParams dual_params;
-    SECItem newparams;
-
-    PORT_Assert(arena);
-
-    if (params == NULL) return SECFailure; 
-    
-    if (params->data == NULL) return SECFailure;
-
-    /* make a copy of the data into the arena so QuickDER output is valid */
-    rv = SECITEM_CopyItem(arena, &newparams, params);
-
-    /* Check if params use the standard format.
-     * The value 0xa1 will appear in the first byte of the parameter data
-     * if the PQG parameters are not using the standard format. This
-     * code should be changed to use a better method to detect non-standard
-     * parameters.    */
-
-    if ((newparams.data[0] != 0xa1) &&
-        (newparams.data[0] != 0xa0)) {
-
-        if (SECSuccess == rv) {
-            /* PQG params are in the standard format */
-
-	    /* Store DSA PQG parameters */
-	    prepare_pqg_params_for_asn1(&pubk->u.fortezza.params);
-            rv = SEC_QuickDERDecodeItem(arena, &pubk->u.fortezza.params,
-                              SECKEY_PQGParamsTemplate,
-                              &newparams);
-        }
-
-	if (SECSuccess == rv) {
-
-	    /* Copy the DSA PQG parameters to the KEA PQG parameters. */
-	    rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.prime,
-                                  &pubk->u.fortezza.params.prime);
-        }
-        if (SECSuccess == rv) {
-            rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.subPrime,
-                                  &pubk->u.fortezza.params.subPrime);
-        }
-        if (SECSuccess == rv) {
-            rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.base,
-                                  &pubk->u.fortezza.params.base);
-        }
-    } else {
-
-	dual_params.CommParams.prime.len = 0;
-        dual_params.CommParams.subPrime.len = 0;
-	dual_params.CommParams.base.len = 0;
-	dual_params.DiffParams.DiffDSAParams.prime.len = 0;
-        dual_params.DiffParams.DiffDSAParams.subPrime.len = 0;
-	dual_params.DiffParams.DiffDSAParams.base.len = 0;
-
-        /* else the old fortezza-only wrapped format is used. */
-
-        if (SECSuccess == rv) {
-	    if (newparams.data[0] == 0xa1) {
-                rv = SEC_QuickDERDecodeItem(arena, &dual_params, 
-				    SECKEY_FortezzaPreParamTemplate, &newparams);
-	    } else {
-                rv = SEC_QuickDERDecodeItem(arena, &dual_params, 
-	   			        SECKEY_FortezzaAltPreParamTemplate, &newparams);
-            }
-        }
-	
-        if ( (dual_params.CommParams.prime.len > 0) &&
-             (dual_params.CommParams.subPrime.len > 0) && 
-             (dual_params.CommParams.base.len > 0) ) {
-            /* copy in common params */
-	    if (SECSuccess == rv) {
-	        rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.prime,
-                                      &dual_params.CommParams.prime);
-            }
-            if (SECSuccess == rv) {
-                rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.subPrime,
-                                      &dual_params.CommParams.subPrime);
-            }
-            if (SECSuccess == rv) {
-                rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.base,
-                                      &dual_params.CommParams.base);
-            }
-
-	    /* Copy the DSA PQG parameters to the KEA PQG parameters. */
-            if (SECSuccess == rv) {
-	        rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.prime,
-                                      &pubk->u.fortezza.params.prime);
-            }
-            if (SECSuccess == rv) {
-                rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.subPrime,
-                                      &pubk->u.fortezza.params.subPrime);
-            }
-            if (SECSuccess == rv) {
-                rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.base,
-                                      &pubk->u.fortezza.params.base);
-            }
-        } else {
-
-	    /* else copy in different params */
-
-	    /* copy DSA PQG parameters */
-            if (SECSuccess == rv) {
-	        rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.prime,
-                                  &dual_params.DiffParams.DiffDSAParams.prime);
-            }
-            if (SECSuccess == rv) {
-                rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.subPrime,
-                                  &dual_params.DiffParams.DiffDSAParams.subPrime);
-            }
-            if (SECSuccess == rv) {
-                rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.base,
-                                  &dual_params.DiffParams.DiffDSAParams.base);
-            }
-
-	    /* copy KEA PQG parameters */
-
-            if (SECSuccess == rv) {
-	        rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.prime,
-                                  &dual_params.DiffParams.DiffKEAParams.prime);
-            }
-            if (SECSuccess == rv) {
-                rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.subPrime,
-                                  &dual_params.DiffParams.DiffKEAParams.subPrime);
-            }
-            if (SECSuccess == rv) {
-                rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.base,
-                                  &dual_params.DiffParams.DiffKEAParams.base);
-            }
-        }
-    }
-    return rv;
-}
-
-
-/* Decode the DSA PQG parameters.  The params could be stored in two
- * possible formats, the old fortezza-only wrapped format or
- * the normal standard format.  Store the decoded parameters in
- * a V3 certificate data structure.  */ 
-
-SECStatus
-SECKEY_DSADecodePQG(PRArenaPool *arena, SECKEYPublicKey *pubk, SECItem *params) {
-    SECStatus rv;
-    SECKEYPQGDualParams dual_params;
-    SECItem newparams;
-
-    if (params == NULL) return SECFailure; 
-    
-    if (params->data == NULL) return SECFailure;
-
-    PORT_Assert(arena);
-
-    /* make a copy of the data into the arena so QuickDER output is valid */
-    rv = SECITEM_CopyItem(arena, &newparams, params);
-
-    /* Check if params use the standard format.
-     * The value 0xa1 will appear in the first byte of the parameter data
-     * if the PQG parameters are not using the standard format.  This
-     * code should be changed to use a better method to detect non-standard
-     * parameters.    */
-
-    if ((newparams.data[0] != 0xa1) &&
-        (newparams.data[0] != 0xa0)) {
-    
-        if (SECSuccess == rv) {
-             /* PQG params are in the standard format */
-             prepare_pqg_params_for_asn1(&pubk->u.dsa.params);
-             rv = SEC_QuickDERDecodeItem(arena, &pubk->u.dsa.params,
-                                 SECKEY_PQGParamsTemplate,
-                                 &newparams);
-        }
-    } else {
-
-	dual_params.CommParams.prime.len = 0;
-        dual_params.CommParams.subPrime.len = 0;
-	dual_params.CommParams.base.len = 0;
-	dual_params.DiffParams.DiffDSAParams.prime.len = 0;
-        dual_params.DiffParams.DiffDSAParams.subPrime.len = 0;
-	dual_params.DiffParams.DiffDSAParams.base.len = 0;
-
-        if (SECSuccess == rv) {
-            /* else the old fortezza-only wrapped format is used. */
-            if (newparams.data[0] == 0xa1) {
-                rv = SEC_QuickDERDecodeItem(arena, &dual_params, 
-				    SECKEY_FortezzaPreParamTemplate, &newparams);
-	    } else {
-                rv = SEC_QuickDERDecodeItem(arena, &dual_params, 
-	   			        SECKEY_FortezzaAltPreParamTemplate, &newparams);
-            }
-        }
-
-        if ( (dual_params.CommParams.prime.len > 0) &&
-             (dual_params.CommParams.subPrime.len > 0) && 
-             (dual_params.CommParams.base.len > 0) ) {
-            /* copy in common params */
-
-            if (SECSuccess == rv) {	    
-	        rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.prime,
-                                      &dual_params.CommParams.prime);
-            }
-            if (SECSuccess == rv) {
-                rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.subPrime,
-                                      &dual_params.CommParams.subPrime);
-            }
-            if (SECSuccess == rv) {
-                rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.base,
-                                    &dual_params.CommParams.base);
-            }
-        } else {
-
-	    /* else copy in different params */
-
-	    /* copy DSA PQG parameters */
-            if (SECSuccess == rv) {
-	        rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.prime,
-                                      &dual_params.DiffParams.DiffDSAParams.prime);
-            }
-            if (SECSuccess == rv) {
-                rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.subPrime,
-                                      &dual_params.DiffParams.DiffDSAParams.subPrime);
-            }
-            if (SECSuccess == rv) {
-                rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.base,
-                                      &dual_params.DiffParams.DiffDSAParams.base);
-            }
-        }
-    }
-    return rv;
-}
-
-
-/* Decodes the DER encoded fortezza public key and stores the results in a
- * structure of type SECKEYPublicKey. */
-
-SECStatus
-SECKEY_FortezzaDecodeCertKey(PRArenaPool *arena, SECKEYPublicKey *pubk,
-                             SECItem *rawkey, SECItem *params) {
-
-	unsigned char *rawptr = rawkey->data;
-	unsigned char *end = rawkey->data + rawkey->len;
-	unsigned char *clearptr;
-
-	/* first march down and decode the raw key data */
-
-	/* version */	
-	pubk->u.fortezza.KEAversion = *rawptr++;
-	if (*rawptr++ != 0x01) {
-		return SECFailure;
-	}
-
-	/* KMID */
-	PORT_Memcpy(pubk->u.fortezza.KMID,rawptr,
-				sizeof(pubk->u.fortezza.KMID));
-	rawptr += sizeof(pubk->u.fortezza.KMID);
-
-	/* clearance (the string up to the first byte with the hi-bit on */
-	clearptr = rawptr;
-	while ((rawptr < end) && (*rawptr++ & 0x80));
-
-	if (rawptr >= end) { return SECFailure; }
-	pubk->u.fortezza.clearance.len = rawptr - clearptr;
-	pubk->u.fortezza.clearance.data = 
-		(unsigned char*)PORT_ArenaZAlloc(arena,pubk->u.fortezza.clearance.len);
-	if (pubk->u.fortezza.clearance.data == NULL) {
-		return SECFailure;
-	}
-	PORT_Memcpy(pubk->u.fortezza.clearance.data,clearptr,
-					pubk->u.fortezza.clearance.len);
-
-	/* KEAPrivilege (the string up to the first byte with the hi-bit on */
-	clearptr = rawptr;
-	while ((rawptr < end) && (*rawptr++ & 0x80));
-	if (rawptr >= end) { return SECFailure; }
-	pubk->u.fortezza.KEApriviledge.len = rawptr - clearptr;
-	pubk->u.fortezza.KEApriviledge.data = 
-		(unsigned char*)PORT_ArenaZAlloc(arena,pubk->u.fortezza.KEApriviledge.len);
-	if (pubk->u.fortezza.KEApriviledge.data == NULL) {
-		return SECFailure;
-	}
-	PORT_Memcpy(pubk->u.fortezza.KEApriviledge.data,clearptr,
-				pubk->u.fortezza.KEApriviledge.len);
-
-
-	/* now copy the key. The next to bytes are the key length, and the
-	 * key follows */
-	pubk->u.fortezza.KEAKey.len = (*rawptr << 8) | rawptr[1];
-
-	rawptr += 2;
-	if (rawptr+pubk->u.fortezza.KEAKey.len > end) { return SECFailure; }
-	pubk->u.fortezza.KEAKey.data = 
-			(unsigned char*)PORT_ArenaZAlloc(arena,pubk->u.fortezza.KEAKey.len);
-	if (pubk->u.fortezza.KEAKey.data == NULL) {
-		return SECFailure;
-	}
-	PORT_Memcpy(pubk->u.fortezza.KEAKey.data,rawptr,
-					pubk->u.fortezza.KEAKey.len);
-	rawptr += pubk->u.fortezza.KEAKey.len;
-
-	/* shared key */
-	if (rawptr >= end) {
-	    pubk->u.fortezza.DSSKey.len = pubk->u.fortezza.KEAKey.len;
-	    /* this depends on the fact that we are going to get freed with an
-	     * ArenaFree call. We cannot free DSSKey and KEAKey separately */
-	    pubk->u.fortezza.DSSKey.data=
-					pubk->u.fortezza.KEAKey.data;
-	    pubk->u.fortezza.DSSpriviledge.len = 
-				pubk->u.fortezza.KEApriviledge.len;
-	    pubk->u.fortezza.DSSpriviledge.data =
-			pubk->u.fortezza.DSSpriviledge.data;
-	    goto done;
-	}
-		
-
-	/* DSS Version is next */
-	pubk->u.fortezza.DSSversion = *rawptr++;
-
-	if (*rawptr++ != 2) {
-		return SECFailure;
-	}
-
-	/* DSSPrivilege (the string up to the first byte with the hi-bit on */
-	clearptr = rawptr;
-	while ((rawptr < end) && (*rawptr++ & 0x80));
-	if (rawptr >= end) { return SECFailure; }
-	pubk->u.fortezza.DSSpriviledge.len = rawptr - clearptr;
-	pubk->u.fortezza.DSSpriviledge.data = 
-		(unsigned char*)PORT_ArenaZAlloc(arena,pubk->u.fortezza.DSSpriviledge.len);
-	if (pubk->u.fortezza.DSSpriviledge.data == NULL) {
-		return SECFailure;
-	}
-	PORT_Memcpy(pubk->u.fortezza.DSSpriviledge.data,clearptr,
-				pubk->u.fortezza.DSSpriviledge.len);
-
-	/* finally copy the DSS key. The next to bytes are the key length,
-	 *  and the key follows */
-	pubk->u.fortezza.DSSKey.len = (*rawptr << 8) | rawptr[1];
-
-	rawptr += 2;
-	if (rawptr+pubk->u.fortezza.DSSKey.len > end){ return SECFailure; }
-	pubk->u.fortezza.DSSKey.data = 
-			(unsigned char*)PORT_ArenaZAlloc(arena,pubk->u.fortezza.DSSKey.len);
-	if (pubk->u.fortezza.DSSKey.data == NULL) {
-		return SECFailure;
-	}
-	PORT_Memcpy(pubk->u.fortezza.DSSKey.data,rawptr,
-					pubk->u.fortezza.DSSKey.len);
-
-	/* ok, now we decode the parameters */
-done:
-
-        return SECKEY_FortezzaDecodePQGtoOld(arena, pubk, params);
-}
-
-
-/* Function used to determine what kind of cert we are dealing with. */
-KeyType 
-CERT_GetCertKeyType (CERTSubjectPublicKeyInfo *spki) {
-    int tag;
-    KeyType keyType;
-
-    tag = SECOID_GetAlgorithmTag(&spki->algorithm);
-    switch (tag) {
-      case SEC_OID_X500_RSA_ENCRYPTION:
-      case SEC_OID_PKCS1_RSA_ENCRYPTION:
-	keyType = rsaKey;
-	break;
-      case SEC_OID_ANSIX9_DSA_SIGNATURE:
-	keyType = dsaKey;
-	break;
-      case SEC_OID_MISSI_KEA_DSS_OLD:
-      case SEC_OID_MISSI_KEA_DSS:
-      case SEC_OID_MISSI_DSS_OLD:
-      case SEC_OID_MISSI_DSS:  
-	keyType = fortezzaKey;
-	break;
-      case SEC_OID_MISSI_KEA:
-      case SEC_OID_MISSI_ALT_KEA:
-	keyType = keaKey;
-	break;
-      case SEC_OID_X942_DIFFIE_HELMAN_KEY:
-	keyType = dhKey;
-	break;
-      case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
-	keyType = ecKey;
-	break;
-      default:
-	keyType = nullKey;
-    }
-    return keyType;
-}
-
-static SECKEYPublicKey *
-seckey_ExtractPublicKey(CERTSubjectPublicKeyInfo *spki)
-{
-    SECKEYPublicKey *pubk;
-    SECItem os, newOs, newParms;
-    SECStatus rv;
-    PRArenaPool *arena;
-    SECOidTag tag;
-
-    arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL)
-	return NULL;
-
-    pubk = (SECKEYPublicKey *) PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey));
-    if (pubk == NULL) {
-	PORT_FreeArena (arena, PR_FALSE);
-	return NULL;
-    }
-
-    pubk->arena = arena;
-    pubk->pkcs11Slot = 0;
-    pubk->pkcs11ID = CK_INVALID_HANDLE;
-
-
-    /* Convert bit string length from bits to bytes */
-    os = spki->subjectPublicKey;
-    DER_ConvertBitString (&os);
-
-    tag = SECOID_GetAlgorithmTag(&spki->algorithm);
-
-    /* copy the DER into the arena, since Quick DER returns data that points
-       into the DER input, which may get freed by the caller */
-    rv = SECITEM_CopyItem(arena, &newOs, &os);
-    if ( rv == SECSuccess )
-    switch ( tag ) {
-      case SEC_OID_X500_RSA_ENCRYPTION:
-      case SEC_OID_PKCS1_RSA_ENCRYPTION:
-	pubk->keyType = rsaKey;
-	prepare_rsa_pub_key_for_asn1(pubk);        
-        rv = SEC_QuickDERDecodeItem(arena, pubk, SECKEY_RSAPublicKeyTemplate, &newOs);
-	if (rv == SECSuccess)
-	    return pubk;
-	break;
-      case SEC_OID_ANSIX9_DSA_SIGNATURE:
-      case SEC_OID_SDN702_DSA_SIGNATURE:
-	pubk->keyType = dsaKey;
-	prepare_dsa_pub_key_for_asn1(pubk);
-	rv = SEC_QuickDERDecodeItem(arena, pubk, SECKEY_DSAPublicKeyTemplate, &newOs);
-	if (rv != SECSuccess) break;
-
-        rv = SECKEY_DSADecodePQG(arena, pubk,
-                                 &spki->algorithm.parameters); 
-
-	if (rv == SECSuccess) return pubk;
-	break;
-      case SEC_OID_X942_DIFFIE_HELMAN_KEY:
-	pubk->keyType = dhKey;
-	prepare_dh_pub_key_for_asn1(pubk);
-	rv = SEC_QuickDERDecodeItem(arena, pubk, SECKEY_DHPublicKeyTemplate, &newOs);
-	if (rv != SECSuccess) break;
-
-        /* copy the DER into the arena, since Quick DER returns data that points
-           into the DER input, which may get freed by the caller */
-        rv = SECITEM_CopyItem(arena, &newParms, &spki->algorithm.parameters);
-        if ( rv != SECSuccess )
-            break;
-
-        rv = SEC_QuickDERDecodeItem(arena, pubk, SECKEY_DHParamKeyTemplate,
-                                 &newParms); 
-
-	if (rv == SECSuccess) return pubk;
-	break;
-      case SEC_OID_MISSI_KEA_DSS_OLD:
-      case SEC_OID_MISSI_KEA_DSS:
-      case SEC_OID_MISSI_DSS_OLD:
-      case SEC_OID_MISSI_DSS:
-	pubk->keyType = fortezzaKey;
-	rv = SECKEY_FortezzaDecodeCertKey(arena, pubk, &newOs,
-				          &spki->algorithm.parameters);
-	if (rv == SECSuccess)
-	    return pubk;
-	break;
-
-      case SEC_OID_MISSI_KEA:
-	pubk->keyType = keaKey;
-
-	prepare_kea_pub_key_for_asn1(pubk);
-        rv = SEC_QuickDERDecodeItem(arena, pubk,
-                                SECKEY_KEAPublicKeyTemplate, &newOs);
-        if (rv != SECSuccess) break;
-
-        /* copy the DER into the arena, since Quick DER returns data that points
-           into the DER input, which may get freed by the caller */
-        rv = SECITEM_CopyItem(arena, &newParms, &spki->algorithm.parameters);
-        if ( rv != SECSuccess )
-            break;
-
-        rv = SEC_QuickDERDecodeItem(arena, pubk, SECKEY_KEAParamsTemplate,
-                        &newParms);
-
-	if (rv == SECSuccess)
-	    return pubk;
-
-        break;
-
-      case SEC_OID_MISSI_ALT_KEA:
-	pubk->keyType = keaKey;
-
-        rv = SECITEM_CopyItem(arena,&pubk->u.kea.publicValue,&newOs);
-        if (rv != SECSuccess) break;
- 
-        /* copy the DER into the arena, since Quick DER returns data that points
-           into the DER input, which may get freed by the caller */
-        rv = SECITEM_CopyItem(arena, &newParms, &spki->algorithm.parameters);
-        if ( rv != SECSuccess )
-            break;
-
-        rv = SEC_QuickDERDecodeItem(arena, pubk, SECKEY_KEAParamsTemplate,
-                        &newParms);
-
-	if (rv == SECSuccess)
-	    return pubk;
-
-        break;
-
-      case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
-	pubk->keyType = ecKey;
-	pubk->u.ec.size = 0;
-
-	/* Since PKCS#11 directly takes the DER encoding of EC params
-	 * and public value, we don't need any decoding here.
-	 */
-        rv = SECITEM_CopyItem(arena, &pubk->u.ec.DEREncodedParams, 
-	    &spki->algorithm.parameters);
-        if ( rv != SECSuccess )
-            break;
-        rv = SECITEM_CopyItem(arena, &pubk->u.ec.publicValue, &newOs);
-	if (rv == SECSuccess) return pubk;
-	break;
-
-      default:
-	rv = SECFailure;
-	break;
-    }
-
-    SECKEY_DestroyPublicKey (pubk);
-    return NULL;
-}
-
-
-/* required for JSS */
-SECKEYPublicKey *
-SECKEY_ExtractPublicKey(CERTSubjectPublicKeyInfo *spki)
-{
-    return seckey_ExtractPublicKey(spki);
-}
-
-SECKEYPublicKey *
-CERT_ExtractPublicKey(CERTCertificate *cert)
-{
-    SECStatus rv;
-
-    if (!cert) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return NULL;
-    }
-    rv = SECKEY_UpdateCertPQG(cert);
-    if (rv != SECSuccess) return NULL;
-
-    return seckey_ExtractPublicKey(&cert->subjectPublicKeyInfo);
-}
-
-/*
- * Get the public key for the fortezza KMID. NOTE this requires the
- * PQG paramters to be set. We probably should have a fortezza call that 
- * just extracts the kmid for us directly so this function can work
- * without having the whole cert chain
- */
-SECKEYPublicKey *
-CERT_KMIDPublicKey(CERTCertificate *cert)
-{
-    return seckey_ExtractPublicKey(&cert->subjectPublicKeyInfo);
-}
-
-int
-SECKEY_ECParamsToKeySize(const SECItem *encodedParams)
-{
-    SECOidTag tag;
-    SECItem oid = { siBuffer, NULL, 0};
-	
-    /* The encodedParams data contains 0x06 (SEC_ASN1_OBJECT_ID),
-     * followed by the length of the curve oid and the curve oid.
-     */
-    oid.len = encodedParams->data[1];
-    oid.data = encodedParams->data + 2;
-    if ((tag = SECOID_FindOIDTag(&oid)) == SEC_OID_UNKNOWN)
-	return 0;
-
-    switch (tag) {
-    case SEC_OID_SECG_EC_SECP112R1:
-    case SEC_OID_SECG_EC_SECP112R2:
-        return 112;
-
-    case SEC_OID_SECG_EC_SECT113R1:
-    case SEC_OID_SECG_EC_SECT113R2:
-	return 113;
-
-    case SEC_OID_SECG_EC_SECP128R1:
-    case SEC_OID_SECG_EC_SECP128R2:
-	return 128;
-
-    case SEC_OID_SECG_EC_SECT131R1:
-    case SEC_OID_SECG_EC_SECT131R2:
-	return 131;
-
-    case SEC_OID_SECG_EC_SECP160K1:
-    case SEC_OID_SECG_EC_SECP160R1:
-    case SEC_OID_SECG_EC_SECP160R2:
-	return 160;
-
-    case SEC_OID_SECG_EC_SECT163K1:
-    case SEC_OID_SECG_EC_SECT163R1:
-    case SEC_OID_SECG_EC_SECT163R2:
-    case SEC_OID_ANSIX962_EC_C2PNB163V1:
-    case SEC_OID_ANSIX962_EC_C2PNB163V2:
-    case SEC_OID_ANSIX962_EC_C2PNB163V3:
-	return 163;
-
-    case SEC_OID_ANSIX962_EC_C2PNB176V1:
-	return 176;
-
-    case SEC_OID_ANSIX962_EC_C2TNB191V1:
-    case SEC_OID_ANSIX962_EC_C2TNB191V2:
-    case SEC_OID_ANSIX962_EC_C2TNB191V3:
-    case SEC_OID_ANSIX962_EC_C2ONB191V4:
-    case SEC_OID_ANSIX962_EC_C2ONB191V5:
-	return 191;
-
-    case SEC_OID_SECG_EC_SECP192K1:
-    case SEC_OID_ANSIX962_EC_PRIME192V1:
-    case SEC_OID_ANSIX962_EC_PRIME192V2:
-    case SEC_OID_ANSIX962_EC_PRIME192V3:
-	return 192;
-
-    case SEC_OID_SECG_EC_SECT193R1:
-    case SEC_OID_SECG_EC_SECT193R2:
-	return 193;
-
-    case SEC_OID_ANSIX962_EC_C2PNB208W1:
-	return 208;
-
-    case SEC_OID_SECG_EC_SECP224K1:
-    case SEC_OID_SECG_EC_SECP224R1:
-	return 224;
-
-    case SEC_OID_SECG_EC_SECT233K1:
-    case SEC_OID_SECG_EC_SECT233R1:
-	return 233;
-
-    case SEC_OID_SECG_EC_SECT239K1:
-    case SEC_OID_ANSIX962_EC_C2TNB239V1:
-    case SEC_OID_ANSIX962_EC_C2TNB239V2:
-    case SEC_OID_ANSIX962_EC_C2TNB239V3:
-    case SEC_OID_ANSIX962_EC_C2ONB239V4:
-    case SEC_OID_ANSIX962_EC_C2ONB239V5:
-    case SEC_OID_ANSIX962_EC_PRIME239V1:
-    case SEC_OID_ANSIX962_EC_PRIME239V2:
-    case SEC_OID_ANSIX962_EC_PRIME239V3:
-	return 239;
-
-    case SEC_OID_SECG_EC_SECP256K1:
-    case SEC_OID_ANSIX962_EC_PRIME256V1:
-	return 256;
-
-    case SEC_OID_ANSIX962_EC_C2PNB272W1:
-	return 272;
-
-    case SEC_OID_SECG_EC_SECT283K1:
-    case SEC_OID_SECG_EC_SECT283R1:
-	return 283;
-
-    case SEC_OID_ANSIX962_EC_C2PNB304W1:
-	return 304;
-
-    case SEC_OID_ANSIX962_EC_C2TNB359V1:
-	return 359;
-
-    case SEC_OID_ANSIX962_EC_C2PNB368W1:
-	return 368;
-
-    case SEC_OID_SECG_EC_SECP384R1:
-	return 384;
-
-    case SEC_OID_SECG_EC_SECT409K1:
-    case SEC_OID_SECG_EC_SECT409R1:
-	return 409;
-
-    case SEC_OID_ANSIX962_EC_C2TNB431R1:
-	return 431;
-
-    case SEC_OID_SECG_EC_SECP521R1:
-	return 521;
-
-    case SEC_OID_SECG_EC_SECT571K1:
-    case SEC_OID_SECG_EC_SECT571R1:
-	return 571;
-
-    default:
-	    return 0;
-    }
-}
-
-/* returns key strength in bytes (not bits) */
-unsigned
-SECKEY_PublicKeyStrength(SECKEYPublicKey *pubk)
-{
-    unsigned char b0;
-
-    /* interpret modulus length as key strength... in
-     * fortezza that's the public key length */
-
-    switch (pubk->keyType) {
-    case rsaKey:
-    	b0 = pubk->u.rsa.modulus.data[0];
-    	return b0 ? pubk->u.rsa.modulus.len : pubk->u.rsa.modulus.len - 1;
-    case dsaKey:
-    	b0 = pubk->u.dsa.publicValue.data[0];
-    	return b0 ? pubk->u.dsa.publicValue.len :
-	    pubk->u.dsa.publicValue.len - 1;
-    case dhKey:
-    	b0 = pubk->u.dh.publicValue.data[0];
-    	return b0 ? pubk->u.dh.publicValue.len :
-	    pubk->u.dh.publicValue.len - 1;
-    case fortezzaKey:
-	return PR_MAX(pubk->u.fortezza.KEAKey.len, pubk->u.fortezza.DSSKey.len);
-    case ecKey:
-	/* Get the key size in bits and adjust */
-	if (pubk->u.ec.size == 0) {
-	    pubk->u.ec.size = 
-		SECKEY_ECParamsToKeySize(&pubk->u.ec.DEREncodedParams);
-	} 
-	return (pubk->u.ec.size + 7)/8;
-    default:
-	break;
-    }
-    return 0;
-}
-
-/* returns key strength in bits */
-unsigned
-SECKEY_PublicKeyStrengthInBits(SECKEYPublicKey *pubk)
-{
-    switch (pubk->keyType) {
-    case rsaKey:
-    case dsaKey:
-    case dhKey:
-    case fortezzaKey:
-	return SECKEY_PublicKeyStrength(pubk) * 8; /* 1 byte = 8 bits */
-    case ecKey:
-	if (pubk->u.ec.size == 0) {
-	    pubk->u.ec.size = 
-		SECKEY_ECParamsToKeySize(&pubk->u.ec.DEREncodedParams);
-	} 
-	return pubk->u.ec.size;
-    default:
-	break;
-    }
-    return 0;
-}
-
-SECKEYPrivateKey *
-SECKEY_CopyPrivateKey(SECKEYPrivateKey *privk)
-{
-    SECKEYPrivateKey *copyk;
-    PRArenaPool *arena;
-    
-    if (privk == NULL) {
-	return NULL;
-    }
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) {
-	PORT_SetError (SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    copyk = (SECKEYPrivateKey *) PORT_ArenaZAlloc (arena, sizeof (SECKEYPrivateKey));
-    if (copyk) {
-	copyk->arena = arena;
-	copyk->keyType = privk->keyType;
-
-	/* copy the PKCS #11 parameters */
-	copyk->pkcs11Slot = PK11_ReferenceSlot(privk->pkcs11Slot);
-	/* if the key we're referencing was a temparary key we have just
-	 * created, that we want to go away when we're through, we need
-	 * to make a copy of it */
-	if (privk->pkcs11IsTemp) {
-	    copyk->pkcs11ID = 
-			PK11_CopyKey(privk->pkcs11Slot,privk->pkcs11ID);
-	    if (copyk->pkcs11ID == CK_INVALID_HANDLE) goto fail;
-	} else {
-	    copyk->pkcs11ID = privk->pkcs11ID;
-	}
-	copyk->pkcs11IsTemp = privk->pkcs11IsTemp;
-	copyk->wincx = privk->wincx;
-	copyk->staticflags = privk->staticflags;
-	return copyk;
-    } else {
-	PORT_SetError (SEC_ERROR_NO_MEMORY);
-    }
-
-fail:
-    PORT_FreeArena (arena, PR_FALSE);
-    return NULL;
-}
-
-SECKEYPublicKey *
-SECKEY_CopyPublicKey(SECKEYPublicKey *pubk)
-{
-    SECKEYPublicKey *copyk;
-    PRArenaPool *arena;
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) {
-	PORT_SetError (SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    copyk = (SECKEYPublicKey *) PORT_ArenaZAlloc (arena, sizeof (SECKEYPublicKey));
-    if (copyk != NULL) {
-	SECStatus rv = SECSuccess;
-
-	copyk->arena = arena;
-	copyk->keyType = pubk->keyType;
-	if (pubk->pkcs11Slot && 
-			PK11_IsPermObject(pubk->pkcs11Slot,pubk->pkcs11ID)) {
-	    copyk->pkcs11Slot = PK11_ReferenceSlot(pubk->pkcs11Slot);
-	    copyk->pkcs11ID = pubk->pkcs11ID;
-	} else {
-	    copyk->pkcs11Slot = NULL;	/* go get own reference */
-	    copyk->pkcs11ID = CK_INVALID_HANDLE;
-	}
-	switch (pubk->keyType) {
-	  case rsaKey:
-	    rv = SECITEM_CopyItem(arena, &copyk->u.rsa.modulus,
-				  &pubk->u.rsa.modulus);
-	    if (rv == SECSuccess) {
-		rv = SECITEM_CopyItem (arena, &copyk->u.rsa.publicExponent,
-				       &pubk->u.rsa.publicExponent);
-		if (rv == SECSuccess)
-		    return copyk;
-	    }
-	    break;
-	  case dsaKey:
-	    rv = SECITEM_CopyItem(arena, &copyk->u.dsa.publicValue,
-				  &pubk->u.dsa.publicValue);
-	    if (rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(arena, &copyk->u.dsa.params.prime,
-				  &pubk->u.dsa.params.prime);
-	    if (rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(arena, &copyk->u.dsa.params.subPrime,
-				  &pubk->u.dsa.params.subPrime);
-	    if (rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(arena, &copyk->u.dsa.params.base,
-				  &pubk->u.dsa.params.base);
-	    break;
-          case keaKey:
-            rv = SECITEM_CopyItem(arena, &copyk->u.kea.publicValue,
-                                  &pubk->u.kea.publicValue);
-            if (rv != SECSuccess) break;
-            rv = SECITEM_CopyItem(arena, &copyk->u.kea.params.hash,
-                                  &pubk->u.kea.params.hash);
-            break;
-	  case fortezzaKey:
-	    copyk->u.fortezza.KEAversion = pubk->u.fortezza.KEAversion;
-	    copyk->u.fortezza.DSSversion = pubk->u.fortezza.DSSversion;
-	    PORT_Memcpy(copyk->u.fortezza.KMID, pubk->u.fortezza.KMID,
-			sizeof(pubk->u.fortezza.KMID));
-	    rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.clearance, 
-				  &pubk->u.fortezza.clearance);
-	    if (rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.KEApriviledge, 
-				&pubk->u.fortezza.KEApriviledge);
-	    if (rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.DSSpriviledge, 
-				&pubk->u.fortezza.DSSpriviledge);
-	    if (rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.KEAKey, 
-				&pubk->u.fortezza.KEAKey);
-	    if (rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.DSSKey, 
-				&pubk->u.fortezza.DSSKey);
-	    if (rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.params.prime, 
-				  &pubk->u.fortezza.params.prime);
-	    if (rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.params.subPrime, 
-				&pubk->u.fortezza.params.subPrime);
-	    if (rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.params.base, 
-				&pubk->u.fortezza.params.base);
-            if (rv != SECSuccess) break;
-            rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.keaParams.prime, 
-				  &pubk->u.fortezza.keaParams.prime);
-	    if (rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.keaParams.subPrime, 
-				&pubk->u.fortezza.keaParams.subPrime);
-	    if (rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.keaParams.base, 
-				&pubk->u.fortezza.keaParams.base);
-	    break;
-	  case dhKey:
-            rv = SECITEM_CopyItem(arena,&copyk->u.dh.prime,&pubk->u.dh.prime);
-	    if (rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(arena,&copyk->u.dh.base,&pubk->u.dh.base);
-	    if (rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(arena, &copyk->u.dh.publicValue, 
-				&pubk->u.dh.publicValue);
-	    break;
-	  case ecKey:
-	    copyk->u.ec.size = pubk->u.ec.size;
-            rv = SECITEM_CopyItem(arena,&copyk->u.ec.DEREncodedParams,
-		&pubk->u.ec.DEREncodedParams);
-	    if (rv != SECSuccess) break;
-            rv = SECITEM_CopyItem(arena,&copyk->u.ec.publicValue,
-		&pubk->u.ec.publicValue);
-	    break;
-	  case nullKey:
-	    return copyk;
-	  default:
-	    rv = SECFailure;
-	    break;
-	}
-	if (rv == SECSuccess)
-	    return copyk;
-
-	SECKEY_DestroyPublicKey (copyk);
-    } else {
-	PORT_SetError (SEC_ERROR_NO_MEMORY);
-    }
-
-    PORT_FreeArena (arena, PR_FALSE);
-    return NULL;
-}
-
-
-SECKEYPublicKey *
-SECKEY_ConvertToPublicKey(SECKEYPrivateKey *privk)
-{
-    SECKEYPublicKey *pubk;
-    PRArenaPool *arena;
-    CERTCertificate *cert;
-    SECStatus rv;
-
-    /*
-     * First try to look up the cert.
-     */
-    cert = PK11_GetCertFromPrivateKey(privk);
-    if (cert) {
-	pubk = CERT_ExtractPublicKey(cert);
-	CERT_DestroyCertificate(cert);
-	return pubk;
-    }
-
-    /* couldn't find the cert, build pub key by hand */
-    arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) {
-	PORT_SetError (SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-    pubk = (SECKEYPublicKey *)PORT_ArenaZAlloc(arena,
-						   sizeof (SECKEYPublicKey));
-    if (pubk == NULL) {
-	PORT_FreeArena(arena,PR_FALSE);
-	return NULL;
-    }
-    pubk->keyType = privk->keyType;
-    pubk->pkcs11Slot = NULL;
-    pubk->pkcs11ID = CK_INVALID_HANDLE;
-    pubk->arena = arena;
-
-    /*
-     * fortezza is at the head of this switch, since we don't want to
-     * allocate an arena... CERT_ExtractPublicKey will to that for us.
-     */
-    switch(privk->keyType) {
-      case fortezzaKey:
-      case nullKey:
-      case dhKey:
-      case dsaKey:
-	/* Nothing to query, if the cert isn't there, we're done -- no way
-	 * to get the public key */
-	break;
-      case rsaKey:
-	rv = PK11_ReadAttribute(privk->pkcs11Slot,privk->pkcs11ID,
-				CKA_MODULUS,arena,&pubk->u.rsa.modulus);
-	if (rv != SECSuccess)  break;
-	rv = PK11_ReadAttribute(privk->pkcs11Slot,privk->pkcs11ID,
-			CKA_PUBLIC_EXPONENT,arena,&pubk->u.rsa.publicExponent);
-	if (rv != SECSuccess)  break;
-	return pubk;
-	break;
-    default:
-	break;
-    }
-
-    PORT_FreeArena (arena, PR_FALSE);
-    return NULL;
-}
-
-CERTSubjectPublicKeyInfo *
-SECKEY_CreateSubjectPublicKeyInfo(SECKEYPublicKey *pubk)
-{
-    CERTSubjectPublicKeyInfo *spki;
-    PRArenaPool *arena;
-    SECItem params = { siBuffer, NULL, 0 };
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    spki = (CERTSubjectPublicKeyInfo *) PORT_ArenaZAlloc(arena, sizeof (*spki));
-    if (spki != NULL) {
-	SECStatus rv;
-	SECItem *rv_item;
-	
-	spki->arena = arena;
-	switch(pubk->keyType) {
-	  case rsaKey:
-	    rv = SECOID_SetAlgorithmID(arena, &spki->algorithm,
-				     SEC_OID_PKCS1_RSA_ENCRYPTION, 0);
-	    if (rv == SECSuccess) {
-		/*
-		 * DER encode the public key into the subjectPublicKeyInfo.
-		 */
-		prepare_rsa_pub_key_for_asn1(pubk);
-		rv_item = SEC_ASN1EncodeItem(arena, &spki->subjectPublicKey,
-					     pubk, SECKEY_RSAPublicKeyTemplate);
-		if (rv_item != NULL) {
-		    /*
-		     * The stored value is supposed to be a BIT_STRING,
-		     * so convert the length.
-		     */
-		    spki->subjectPublicKey.len <<= 3;
-		    /*
-		     * We got a good one; return it.
-		     */
-		    return spki;
-		}
-	    }
-	    break;
-	  case dsaKey:
-	    /* DER encode the params. */
-	    prepare_pqg_params_for_asn1(&pubk->u.dsa.params);
-	    rv_item = SEC_ASN1EncodeItem(arena, &params, &pubk->u.dsa.params,
-					 SECKEY_PQGParamsTemplate);
-	    if (rv_item != NULL) {
-		rv = SECOID_SetAlgorithmID(arena, &spki->algorithm,
-					   SEC_OID_ANSIX9_DSA_SIGNATURE,
-					   &params);
-		if (rv == SECSuccess) {
-		    /*
-		     * DER encode the public key into the subjectPublicKeyInfo.
-		     */
-		    prepare_dsa_pub_key_for_asn1(pubk);
-		    rv_item = SEC_ASN1EncodeItem(arena, &spki->subjectPublicKey,
-						 pubk,
-						 SECKEY_DSAPublicKeyTemplate);
-		    if (rv_item != NULL) {
-			/*
-			 * The stored value is supposed to be a BIT_STRING,
-			 * so convert the length.
-			 */
-			spki->subjectPublicKey.len <<= 3;
-			/*
-			 * We got a good one; return it.
-			 */
-			return spki;
-		    }
-		}
-	    }
-	    SECITEM_FreeItem(&params, PR_FALSE);
-	    break;
-	  case ecKey:
-	    rv = SECITEM_CopyItem(arena, &params, 
-				  &pubk->u.ec.DEREncodedParams);
-	    if (rv != SECSuccess) break;
-
-	    rv = SECOID_SetAlgorithmID(arena, &spki->algorithm,
-				       SEC_OID_ANSIX962_EC_PUBLIC_KEY,
-				       &params);
-	    if (rv != SECSuccess) break;
-
-	    rv = SECITEM_CopyItem(arena, &spki->subjectPublicKey,
-				  &pubk->u.ec.publicValue);
-
-	    if (rv == SECSuccess) {
-	        /*
-		 * The stored value is supposed to be a BIT_STRING,
-		 * so convert the length.
-		 */
-	        spki->subjectPublicKey.len <<= 3;
-		/*
-		 * We got a good one; return it.
-		 */
-		return spki;
-	    }
-	    break;
-	  case keaKey:
-	  case dhKey: /* later... */
-
-	  break;  
-	  case fortezzaKey:
-#ifdef notdef
-	    /* encode the DSS parameters (PQG) */
-	    rv = FortezzaBuildParams(&params,pubk);
-	    if (rv != SECSuccess) break;
-
-	    /* set the algorithm */
-	    rv = SECOID_SetAlgorithmID(arena, &spki->algorithm,
-				       SEC_OID_MISSI_KEA_DSS, &params);
-	    PORT_Free(params.data);
-	    if (rv == SECSuccess) {
-		/*
-		 * Encode the public key into the subjectPublicKeyInfo.
-		 * Fortezza key material is not standard DER
-		 */
-		rv = FortezzaEncodeCertKey(arena,&spki->subjectPublicKey,pubk);
-		if (rv == SECSuccess) {
-		    /*
-		     * The stored value is supposed to be a BIT_STRING,
-		     * so convert the length.
-		     */
-		    spki->subjectPublicKey.len <<= 3;
-
-		    /*
-		     * We got a good one; return it.
-		     */
-		    return spki;
-		}
-	    }
-#endif
-	    break;
-	  default:
-	    break;
-	}
-    } else {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-    }
-
-    PORT_FreeArena(arena, PR_FALSE);
-    return NULL;
-}
-
-void
-SECKEY_DestroySubjectPublicKeyInfo(CERTSubjectPublicKeyInfo *spki)
-{
-    if (spki && spki->arena) {
-	PORT_FreeArena(spki->arena, PR_FALSE);
-    }
-}
-
-/*
- * this only works for RSA keys... need to do something
- * similiar to CERT_ExtractPublicKey for other key times.
- */
-SECKEYPublicKey *
-SECKEY_DecodeDERPublicKey(SECItem *pubkder)
-{
-    PRArenaPool *arena;
-    SECKEYPublicKey *pubk;
-    SECStatus rv;
-    SECItem newPubkder;
-
-    arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) {
-	PORT_SetError (SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    pubk = (SECKEYPublicKey *) PORT_ArenaZAlloc (arena, sizeof (SECKEYPublicKey));
-    if (pubk != NULL) {
-	pubk->arena = arena;
-	pubk->pkcs11Slot = NULL;
-	pubk->pkcs11ID = 0;
-	prepare_rsa_pub_key_for_asn1(pubk);
-        /* copy the DER into the arena, since Quick DER returns data that points
-           into the DER input, which may get freed by the caller */
-        rv = SECITEM_CopyItem(arena, &newPubkder, pubkder);
-        if ( rv == SECSuccess ) {
-	    rv = SEC_QuickDERDecodeItem(arena, pubk, SECKEY_RSAPublicKeyTemplate,
-				&newPubkder);
-        }
-	if (rv == SECSuccess)
-	    return pubk;
-	SECKEY_DestroyPublicKey (pubk);
-    } else {
-	PORT_SetError (SEC_ERROR_NO_MEMORY);
-    }
-
-    PORT_FreeArena (arena, PR_FALSE);
-    return NULL;
-}
-
-/*
- * Decode a base64 ascii encoded DER encoded public key.
- */
-SECKEYPublicKey *
-SECKEY_ConvertAndDecodePublicKey(char *pubkstr)
-{
-    SECKEYPublicKey *pubk;
-    SECStatus rv;
-    SECItem der;
-
-    rv = ATOB_ConvertAsciiToItem (&der, pubkstr);
-    if (rv != SECSuccess)
-	return NULL;
-
-    pubk = SECKEY_DecodeDERPublicKey (&der);
-
-    PORT_Free (der.data);
-    return pubk;
-}
-
-SECItem *
-SECKEY_EncodeDERSubjectPublicKeyInfo(SECKEYPublicKey *pubk)
-{
-    CERTSubjectPublicKeyInfo *spki=NULL;
-    SECItem *spkiDER=NULL;
-
-    /* get the subjectpublickeyinfo */
-    spki = SECKEY_CreateSubjectPublicKeyInfo(pubk);
-    if( spki == NULL ) {
-	goto finish;
-    }
-
-    /* DER-encode the subjectpublickeyinfo */
-    spkiDER = SEC_ASN1EncodeItem(NULL /*arena*/, NULL/*dest*/, spki,
-					CERT_SubjectPublicKeyInfoTemplate);
-finish:
-    if (spki!=NULL) {
-	SECKEY_DestroySubjectPublicKeyInfo(spki);
-    }
-    return spkiDER;
-}
-
-
-CERTSubjectPublicKeyInfo *
-SECKEY_DecodeDERSubjectPublicKeyInfo(SECItem *spkider)
-{
-    PRArenaPool *arena;
-    CERTSubjectPublicKeyInfo *spki;
-    SECStatus rv;
-    SECItem newSpkider;
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    spki = (CERTSubjectPublicKeyInfo *)
-		PORT_ArenaZAlloc(arena, sizeof (CERTSubjectPublicKeyInfo));
-    if (spki != NULL) {
-	spki->arena = arena;
-
-        /* copy the DER into the arena, since Quick DER returns data that points
-           into the DER input, which may get freed by the caller */
-        rv = SECITEM_CopyItem(arena, &newSpkider, spkider);
-        if ( rv == SECSuccess ) {
-            rv = SEC_QuickDERDecodeItem(arena,spki,
-				    CERT_SubjectPublicKeyInfoTemplate, &newSpkider);
-        }
-	if (rv == SECSuccess)
-	    return spki;
-	SECKEY_DestroySubjectPublicKeyInfo(spki);
-    } else {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-    }
-
-    PORT_FreeArena(arena, PR_FALSE);
-    return NULL;
-}
-
-/*
- * Decode a base64 ascii encoded DER encoded subject public key info.
- */
-CERTSubjectPublicKeyInfo *
-SECKEY_ConvertAndDecodeSubjectPublicKeyInfo(char *spkistr)
-{
-    CERTSubjectPublicKeyInfo *spki;
-    SECStatus rv;
-    SECItem der;
-
-    rv = ATOB_ConvertAsciiToItem(&der, spkistr);
-    if (rv != SECSuccess)
-	return NULL;
-
-    spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&der);
-
-    PORT_Free(der.data);
-    return spki;
-}
-
-/*
- * Decode a base64 ascii encoded DER encoded public key and challenge
- * Verify digital signature and make sure challenge matches
- */
-CERTSubjectPublicKeyInfo *
-SECKEY_ConvertAndDecodePublicKeyAndChallenge(char *pkacstr, char *challenge,
-								void *wincx)
-{
-    CERTSubjectPublicKeyInfo *spki = NULL;
-    CERTPublicKeyAndChallenge pkac;
-    SECStatus rv;
-    SECItem signedItem;
-    PRArenaPool *arena = NULL;
-    CERTSignedData sd;
-    SECItem sig;
-    SECKEYPublicKey *pubKey = NULL;
-    unsigned int len;
-    
-    signedItem.data = NULL;
-    
-    /* convert the base64 encoded data to binary */
-    rv = ATOB_ConvertAsciiToItem(&signedItem, pkacstr);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-
-    /* create an arena */
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) {
-	goto loser;
-    }
-
-    /* decode the outer wrapping of signed data */
-    PORT_Memset(&sd, 0, sizeof(CERTSignedData));
-    rv = SEC_QuickDERDecodeItem(arena, &sd, CERT_SignedDataTemplate, &signedItem );
-    if ( rv ) {
-	goto loser;
-    }
-
-    /* decode the public key and challenge wrapper */
-    PORT_Memset(&pkac, 0, sizeof(CERTPublicKeyAndChallenge));
-    rv = SEC_QuickDERDecodeItem(arena, &pkac, CERT_PublicKeyAndChallengeTemplate, 
-			    &sd.data);
-    if ( rv ) {
-	goto loser;
-    }
-
-    /* decode the subject public key info */
-    spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&pkac.spki);
-    if ( spki == NULL ) {
-	goto loser;
-    }
-    
-    /* get the public key */
-    pubKey = seckey_ExtractPublicKey(spki);
-    if ( pubKey == NULL ) {
-	goto loser;
-    }
-
-    /* check the signature */
-    sig = sd.signature;
-    DER_ConvertBitString(&sig);
-    rv = VFY_VerifyData(sd.data.data, sd.data.len, pubKey, &sig,
-			SECOID_GetAlgorithmTag(&(sd.signatureAlgorithm)), wincx);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    
-    /* check the challenge */
-    if ( challenge ) {
-	len = PORT_Strlen(challenge);
-	/* length is right */
-	if ( len != pkac.challenge.len ) {
-	    goto loser;
-	}
-	/* actual data is right */
-	if ( PORT_Memcmp(challenge, pkac.challenge.data, len) != 0 ) {
-	    goto loser;
-	}
-    }
-    goto done;
-
-loser:
-    /* make sure that we return null if we got an error */
-    if ( spki ) {
-	SECKEY_DestroySubjectPublicKeyInfo(spki);
-    }
-    spki = NULL;
-    
-done:
-    if ( signedItem.data ) {
-	PORT_Free(signedItem.data);
-    }
-    if ( arena ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    if ( pubKey ) {
-	SECKEY_DestroyPublicKey(pubKey);
-    }
-    
-    return spki;
-}
-
-void
-SECKEY_DestroyPrivateKeyInfo(SECKEYPrivateKeyInfo *pvk,
-			     PRBool freeit)
-{
-    PRArenaPool *poolp;
-
-    if(pvk != NULL) {
-	if(pvk->arena) {
-	    poolp = pvk->arena;
-	    /* zero structure since PORT_FreeArena does not support
-	     * this yet.
-	     */
-	    PORT_Memset(pvk->privateKey.data, 0, pvk->privateKey.len);
-	    PORT_Memset((char *)pvk, 0, sizeof(*pvk));
-	    if(freeit == PR_TRUE) {
-		PORT_FreeArena(poolp, PR_TRUE);
-	    } else {
-		pvk->arena = poolp;
-	    }
-	} else {
-	    SECITEM_ZfreeItem(&pvk->version, PR_FALSE);
-	    SECITEM_ZfreeItem(&pvk->privateKey, PR_FALSE);
-	    SECOID_DestroyAlgorithmID(&pvk->algorithm, PR_FALSE);
-	    PORT_Memset((char *)pvk, 0, sizeof(pvk));
-	    if(freeit == PR_TRUE) {
-		PORT_Free(pvk);
-	    }
-	}
-    }
-}
-
-void
-SECKEY_DestroyEncryptedPrivateKeyInfo(SECKEYEncryptedPrivateKeyInfo *epki,
-				      PRBool freeit)
-{
-    PRArenaPool *poolp;
-
-    if(epki != NULL) {
-	if(epki->arena) {
-	    poolp = epki->arena;
-	    /* zero structure since PORT_FreeArena does not support
-	     * this yet.
-	     */
-	    PORT_Memset(epki->encryptedData.data, 0, epki->encryptedData.len);
-	    PORT_Memset((char *)epki, 0, sizeof(*epki));
-	    if(freeit == PR_TRUE) {
-		PORT_FreeArena(poolp, PR_TRUE);
-	    } else {
-		epki->arena = poolp;
-	    }
-	} else {
-	    SECITEM_ZfreeItem(&epki->encryptedData, PR_FALSE);
-	    SECOID_DestroyAlgorithmID(&epki->algorithm, PR_FALSE);
-	    PORT_Memset((char *)epki, 0, sizeof(epki));
-	    if(freeit == PR_TRUE) {
-		PORT_Free(epki);
-	    }
-	}
-    }
-}
-
-SECStatus
-SECKEY_CopyPrivateKeyInfo(PRArenaPool *poolp,
-			  SECKEYPrivateKeyInfo *to,
-			  SECKEYPrivateKeyInfo *from)
-{
-    SECStatus rv = SECFailure;
-
-    if((to == NULL) || (from == NULL)) {
-	return SECFailure;
-    }
-
-    rv = SECOID_CopyAlgorithmID(poolp, &to->algorithm, &from->algorithm);
-    if(rv != SECSuccess) {
-	return SECFailure;
-    }
-    rv = SECITEM_CopyItem(poolp, &to->privateKey, &from->privateKey);
-    if(rv != SECSuccess) {
-	return SECFailure;
-    }
-    rv = SECITEM_CopyItem(poolp, &to->version, &from->version);
-
-    return rv;
-}
-
-SECStatus
-SECKEY_CopyEncryptedPrivateKeyInfo(PRArenaPool *poolp, 
-				   SECKEYEncryptedPrivateKeyInfo *to,
-				   SECKEYEncryptedPrivateKeyInfo *from)
-{
-    SECStatus rv = SECFailure;
-
-    if((to == NULL) || (from == NULL)) {
-	return SECFailure;
-    }
-
-    rv = SECOID_CopyAlgorithmID(poolp, &to->algorithm, &from->algorithm);
-    if(rv != SECSuccess) {
-	return SECFailure;
-    }
-    rv = SECITEM_CopyItem(poolp, &to->encryptedData, &from->encryptedData);
-
-    return rv;
-}
-
-KeyType
-SECKEY_GetPrivateKeyType(SECKEYPrivateKey *privKey)
-{
-   return privKey->keyType;
-}
-
-KeyType
-SECKEY_GetPublicKeyType(SECKEYPublicKey *pubKey)
-{
-   return pubKey->keyType;
-}
-
-SECKEYPublicKey*
-SECKEY_ImportDERPublicKey(SECItem *derKey, CK_KEY_TYPE type)
-{
-    SECKEYPublicKey *pubk = NULL;
-    SECStatus rv = SECFailure;
-    SECItem newDerKey;
-
-    if (!derKey) {
-        return NULL;
-    } 
-
-    pubk = PORT_ZNew(SECKEYPublicKey);
-    if(pubk == NULL) {
-        goto finish;
-    }
-    pubk->arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (NULL == pubk->arena) {
-        goto finish;
-    }
-    rv = SECITEM_CopyItem(pubk->arena, &newDerKey, derKey);
-    if (SECSuccess != rv) {
-        goto finish;
-    }
-
-    pubk->pkcs11Slot = NULL;
-    pubk->pkcs11ID = CK_INVALID_HANDLE;
-
-    switch( type ) {
-      case CKK_RSA:
-	prepare_rsa_pub_key_for_asn1(pubk);
-        rv = SEC_QuickDERDecodeItem(pubk->arena, pubk, SECKEY_RSAPublicKeyTemplate, &newDerKey);
-        pubk->keyType = rsaKey;
-        break;
-      case CKK_DSA:
-	prepare_dsa_pub_key_for_asn1(pubk);
-        rv = SEC_QuickDERDecodeItem(pubk->arena, pubk, SECKEY_DSAPublicKeyTemplate, &newDerKey);
-        pubk->keyType = dsaKey;
-        break;
-      case CKK_DH:
-	prepare_dh_pub_key_for_asn1(pubk);
-        rv = SEC_QuickDERDecodeItem(pubk->arena, pubk, SECKEY_DHPublicKeyTemplate, &newDerKey);
-        pubk->keyType = dhKey;
-        break;
-      default:
-        rv = SECFailure;
-        break;
-    }
-
-finish:
-    if( rv != SECSuccess && pubk != NULL) {
-        if (pubk->arena) {
-            PORT_FreeArena(pubk->arena, PR_TRUE);
-        }
-        PORT_Free(pubk);
-        pubk = NULL;
-    }
-    return pubk;
-}
-
-SECKEYPrivateKeyList*
-SECKEY_NewPrivateKeyList(void)
-{
-    PRArenaPool *arena = NULL;
-    SECKEYPrivateKeyList *ret = NULL;
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( arena == NULL ) {
-        goto loser;
-    }
-
-    ret = (SECKEYPrivateKeyList *)PORT_ArenaZAlloc(arena,
-                sizeof(SECKEYPrivateKeyList));
-    if ( ret == NULL ) {
-        goto loser;
-    }
-
-    ret->arena = arena;
-
-    PR_INIT_CLIST(&ret->list);
-
-    return(ret);
-
-loser:
-    if ( arena != NULL ) {
-        PORT_FreeArena(arena, PR_FALSE);
-    }
-
-    return(NULL);
-}
-
-void
-SECKEY_DestroyPrivateKeyList(SECKEYPrivateKeyList *keys)
-{
-    while( !PR_CLIST_IS_EMPTY(&keys->list) ) {
-        SECKEY_RemovePrivateKeyListNode(
-            (SECKEYPrivateKeyListNode*)(PR_LIST_HEAD(&keys->list)) );
-    }
-
-    PORT_FreeArena(keys->arena, PR_FALSE);
-
-    return;
-}
-
-
-void
-SECKEY_RemovePrivateKeyListNode(SECKEYPrivateKeyListNode *node)
-{
-    PR_ASSERT(node->key);
-    SECKEY_DestroyPrivateKey(node->key);
-    node->key = NULL;
-    PR_REMOVE_LINK(&node->links);
-    return;
-
-}
-
-SECStatus
-SECKEY_AddPrivateKeyToListTail( SECKEYPrivateKeyList *list,
-                                SECKEYPrivateKey *key)
-{
-    SECKEYPrivateKeyListNode *node;
-
-    node = (SECKEYPrivateKeyListNode *)PORT_ArenaZAlloc(list->arena,
-                sizeof(SECKEYPrivateKeyListNode));
-    if ( node == NULL ) {
-        goto loser;
-    }
-
-    PR_INSERT_BEFORE(&node->links, &list->list);
-    node->key = key;
-    return(SECSuccess);
-
-loser:
-    return(SECFailure);
-}
-
-
-SECKEYPublicKeyList*
-SECKEY_NewPublicKeyList(void)
-{
-    PRArenaPool *arena = NULL;
-    SECKEYPublicKeyList *ret = NULL;
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( arena == NULL ) {
-        goto loser;
-    }
-
-    ret = (SECKEYPublicKeyList *)PORT_ArenaZAlloc(arena,
-                sizeof(SECKEYPublicKeyList));
-    if ( ret == NULL ) {
-        goto loser;
-    }
-
-    ret->arena = arena;
-
-    PR_INIT_CLIST(&ret->list);
-
-    return(ret);
-
-loser:
-    if ( arena != NULL ) {
-        PORT_FreeArena(arena, PR_FALSE);
-    }
-
-    return(NULL);
-}
-
-void
-SECKEY_DestroyPublicKeyList(SECKEYPublicKeyList *keys)
-{
-    while( !PR_CLIST_IS_EMPTY(&keys->list) ) {
-        SECKEY_RemovePublicKeyListNode(
-            (SECKEYPublicKeyListNode*)(PR_LIST_HEAD(&keys->list)) );
-    }
-
-    PORT_FreeArena(keys->arena, PR_FALSE);
-
-    return;
-}
-
-
-void
-SECKEY_RemovePublicKeyListNode(SECKEYPublicKeyListNode *node)
-{
-    PR_ASSERT(node->key);
-    SECKEY_DestroyPublicKey(node->key);
-    node->key = NULL;
-    PR_REMOVE_LINK(&node->links);
-    return;
-
-}
-
-SECStatus
-SECKEY_AddPublicKeyToListTail( SECKEYPublicKeyList *list,
-                                SECKEYPublicKey *key)
-{
-    SECKEYPublicKeyListNode *node;
-
-    node = (SECKEYPublicKeyListNode *)PORT_ArenaZAlloc(list->arena,
-                sizeof(SECKEYPublicKeyListNode));
-    if ( node == NULL ) {
-        goto loser;
-    }
-
-    PR_INSERT_BEFORE(&node->links, &list->list);
-    node->key = key;
-    return(SECSuccess);
-
-loser:
-    return(SECFailure);
-}
-
-#define SECKEY_CacheAttribute(key, attribute) \
-    if (CK_TRUE == PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute)) { \
-        key->staticflags |= SECKEY_##attribute; \
-    } else { \
-        key->staticflags &= (~SECKEY_##attribute); \
-    }
-
-SECStatus
-SECKEY_CacheStaticFlags(SECKEYPrivateKey* key)
-{
-    SECStatus rv = SECFailure;
-    if (key && key->pkcs11Slot && key->pkcs11ID) {
-        key->staticflags |= SECKEY_Attributes_Cached;
-        SECKEY_CacheAttribute(key, CKA_PRIVATE);
-        rv = SECSuccess;
-    }
-    return rv;
-}
diff --git a/security/nss/lib/cryptohi/secsign.c b/security/nss/lib/cryptohi/secsign.c
deleted file mode 100644
index 12e6ed3ad..000000000
--- a/security/nss/lib/cryptohi/secsign.c
+++ /dev/null
@@ -1,513 +0,0 @@
-/*
- * Signature stuff.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include "cryptohi.h"
-#include "sechash.h"
-#include "secder.h"
-#include "keyhi.h"
-#include "secoid.h"
-#include "secdig.h"
-#include "pk11func.h"
-#include "secerr.h"
-
-struct SGNContextStr {
-    SECOidTag signalg;
-    SECOidTag hashalg;
-    void *hashcx;
-    const SECHashObject *hashobj;
-    SECKEYPrivateKey *key;
-};
-
-SGNContext *
-SGN_NewContext(SECOidTag alg, SECKEYPrivateKey *key)
-{
-    SGNContext *cx;
-    SECOidTag hashalg, signalg;
-    KeyType keyType;
-
-    /* OK, map a PKCS #7 hash and encrypt algorithm into
-     * a standard hashing algorithm. Why did we pass in the whole
-     * PKCS #7 algTag if we were just going to change here you might
-     * ask. Well the answer is for some cards we may have to do the
-     * hashing on card. It may not support CKM_RSA_PKCS sign algorithm,
-     * it may just support CKM_RSA_PKCS_WITH_SHA1 and/or CKM_RSA_PKCS_WITH_MD5.
-     */
-    switch (alg) {
-      /* We probably shouldn't be generating MD2 signatures either */
-      case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
-	hashalg = SEC_OID_MD2;
-	signalg = SEC_OID_PKCS1_RSA_ENCRYPTION;
-	keyType = rsaKey;
-	break;
-      case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
-        hashalg = SEC_OID_MD5;
-	signalg = SEC_OID_PKCS1_RSA_ENCRYPTION;
-	keyType = rsaKey;
-	break;
-      case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
-      case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE:
-	hashalg = SEC_OID_SHA1;
-	signalg = SEC_OID_PKCS1_RSA_ENCRYPTION;
-	keyType = rsaKey;
-	break;
-
-      case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
-	hashalg = SEC_OID_SHA256;
-	signalg = SEC_OID_PKCS1_RSA_ENCRYPTION;
-	keyType = rsaKey;
-	break;
-      case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
-	hashalg = SEC_OID_SHA384;
-	signalg = SEC_OID_PKCS1_RSA_ENCRYPTION;
-	keyType = rsaKey;
-	break;
-      case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
-	hashalg = SEC_OID_SHA512;
-	signalg = SEC_OID_PKCS1_RSA_ENCRYPTION;
-	keyType = rsaKey;
-	break;
-
-      /* what about normal DSA? */
-      case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST:
-      case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST:
-	hashalg = SEC_OID_SHA1;
-	signalg = SEC_OID_ANSIX9_DSA_SIGNATURE;
-	keyType = dsaKey;
-	break;
-      case SEC_OID_MISSI_DSS:
-      case SEC_OID_MISSI_KEA_DSS:
-      case SEC_OID_MISSI_KEA_DSS_OLD:
-      case SEC_OID_MISSI_DSS_OLD:
-	hashalg = SEC_OID_SHA1;
-	signalg = SEC_OID_MISSI_DSS; /* XXX Is there a better algid? */
-	keyType = fortezzaKey;
-	break;
-      case SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST:
-	hashalg = SEC_OID_SHA1;
-	signalg = SEC_OID_ANSIX962_EC_PUBLIC_KEY;
-	keyType = ecKey;
-	break;
-      /* we don't implement MD4 hashes. 
-       * we *CERTAINLY* don't want to sign one! */
-      case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
-      default:
-	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-	return 0;
-    }
-
-    /* verify our key type */
-    if (key->keyType != keyType &&
-	!((key->keyType == dsaKey) && (keyType == fortezzaKey)) &&
-	!((key->keyType == fortezzaKey) && (keyType == dsaKey)) ) {
-	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-	return 0;
-    }
-
-    cx = (SGNContext*) PORT_ZAlloc(sizeof(SGNContext));
-    if (cx) {
-	cx->hashalg = hashalg;
-	cx->signalg = signalg;
-	cx->key = key;
-    }
-    return cx;
-}
-
-void
-SGN_DestroyContext(SGNContext *cx, PRBool freeit)
-{
-    if (cx) {
-	if (cx->hashcx != NULL) {
-	    (*cx->hashobj->destroy)(cx->hashcx, PR_TRUE);
-	    cx->hashcx = NULL;
-	}
-	if (freeit) {
-	    PORT_ZFree(cx, sizeof(SGNContext));
-	}
-    }
-}
-
-SECStatus
-SGN_Begin(SGNContext *cx)
-{
-    if (cx->hashcx != NULL) {
-	(*cx->hashobj->destroy)(cx->hashcx, PR_TRUE);
-	cx->hashcx = NULL;
-    }
-
-    cx->hashobj = HASH_GetHashObjectByOidTag(cx->hashalg);
-    if (!cx->hashobj)
-	return SECFailure;	/* error code is already set */
-
-    cx->hashcx = (*cx->hashobj->create)();
-    if (cx->hashcx == NULL)
-	return SECFailure;
-
-    (*cx->hashobj->begin)(cx->hashcx);
-    return SECSuccess;
-}
-
-SECStatus
-SGN_Update(SGNContext *cx, unsigned char *input, unsigned inputLen)
-{
-    if (cx->hashcx == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    (*cx->hashobj->update)(cx->hashcx, input, inputLen);
-    return SECSuccess;
-}
-
-SECStatus
-SGN_End(SGNContext *cx, SECItem *result)
-{
-    unsigned char digest[HASH_LENGTH_MAX];
-    unsigned part1, signatureLen;
-    SECStatus rv;
-    SECItem digder, sigitem;
-    PRArenaPool *arena = 0;
-    SECKEYPrivateKey *privKey = cx->key;
-    SGNDigestInfo *di = 0;
-
-    result->data = 0;
-    digder.data = 0;
-
-    /* Finish up digest function */
-    if (cx->hashcx == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    (*cx->hashobj->end)(cx->hashcx, digest, &part1, sizeof(digest));
-
-
-    if (privKey->keyType == rsaKey) {
-
-	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-	if ( !arena ) {
-	    rv = SECFailure;
-	    goto loser;
-	}
-    
-	/* Construct digest info */
-	di = SGN_CreateDigestInfo(cx->hashalg, digest, part1);
-	if (!di) {
-	    rv = SECFailure;
-	    goto loser;
-	}
-
-	/* Der encode the digest as a DigestInfo */
-	rv = DER_Encode(arena, &digder, SGNDigestInfoTemplate, di);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-    } else {
-	digder.data = digest;
-	digder.len = part1;
-    }
-
-    /*
-    ** Encrypt signature after constructing appropriate PKCS#1 signature
-    ** block
-    */
-    signatureLen = PK11_SignatureLen(privKey);
-    sigitem.len = signatureLen;
-    sigitem.data = (unsigned char*) PORT_Alloc(signatureLen);
-
-    if (sigitem.data == NULL) {
-	rv = SECFailure;
-	goto loser;
-    }
-
-    rv = PK11_Sign(privKey, &sigitem, &digder);
-    if (rv != SECSuccess) {
-	PORT_Free(sigitem.data);
-	sigitem.data = NULL;
-	goto loser;
-    }
-
-    if ((cx->signalg == SEC_OID_ANSIX9_DSA_SIGNATURE) ||
-        (cx->signalg == SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
-        /* DSAU_EncodeDerSigWithLen works for DSA and ECDSA */
-	rv = DSAU_EncodeDerSigWithLen(result, &sigitem, signatureLen); 
-	PORT_Free(sigitem.data);
-	if (rv != SECSuccess)
-	    goto loser;
-    } else {
-	result->len = sigitem.len;
-	result->data = sigitem.data;
-    }
-
-  loser:
-    SGN_DestroyDigestInfo(di);
-    if (arena != NULL) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    return rv;
-}
-
-/************************************************************************/
-
-/*
-** Sign a block of data returning in result a bunch of bytes that are the
-** signature. Returns zero on success, an error code on failure.
-*/
-SECStatus
-SEC_SignData(SECItem *res, unsigned char *buf, int len,
-	     SECKEYPrivateKey *pk, SECOidTag algid)
-{
-    SECStatus rv;
-    SGNContext *sgn;
-
-
-    sgn = SGN_NewContext(algid, pk);
-
-    if (sgn == NULL)
-	return SECFailure;
-
-    rv = SGN_Begin(sgn);
-    if (rv != SECSuccess)
-	goto loser;
-
-    rv = SGN_Update(sgn, buf, len);
-    if (rv != SECSuccess)
-	goto loser;
-
-    rv = SGN_End(sgn, res);
-
-  loser:
-    SGN_DestroyContext(sgn, PR_TRUE);
-    return rv;
-}
-
-/************************************************************************/
-    
-DERTemplate CERTSignedDataTemplate[] =
-{
-    { DER_SEQUENCE,
-	  0, NULL, sizeof(CERTSignedData) },
-    { DER_ANY,
-	  offsetof(CERTSignedData,data), },
-    { DER_INLINE,
-	  offsetof(CERTSignedData,signatureAlgorithm),
-	  SECAlgorithmIDTemplate, },
-    { DER_BIT_STRING,
-	  offsetof(CERTSignedData,signature), },
-    { 0, }
-};
-
-const SEC_ASN1Template CERT_SignedDataTemplate[] =
-{
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTSignedData) },
-    { SEC_ASN1_ANY,
-	  offsetof(CERTSignedData,data), },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTSignedData,signatureAlgorithm),
-	  SECOID_AlgorithmIDTemplate, },
-    { SEC_ASN1_BIT_STRING,
-	  offsetof(CERTSignedData,signature), },
-    { 0, }
-};
-
-SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SignedDataTemplate)
-
-
-SECStatus
-SEC_DerSignData(PRArenaPool *arena, SECItem *result, 
-	unsigned char *buf, int len, SECKEYPrivateKey *pk, SECOidTag algID)
-{
-    SECItem it;
-    CERTSignedData sd;
-    SECStatus rv;
-
-    it.data = 0;
-
-    /* XXX We should probably have some asserts here to make sure the key type
-     * and algID match
-     */
-
-    if (algID == SEC_OID_UNKNOWN) {
-	switch(pk->keyType) {
-	  case rsaKey:
-	    algID = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
-	    break;
-	  case dsaKey:
-	    algID = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
-	    break;
-	  case ecKey:
-	    algID = SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST;
-	    break;
-	  default:
-	    PORT_SetError(SEC_ERROR_INVALID_KEY);
-	    return SECFailure;
-	}
-    }
-
-    /* Sign input buffer */
-    rv = SEC_SignData(&it, buf, len, pk, algID);
-    if (rv) goto loser;
-
-    /* Fill out SignedData object */
-    PORT_Memset(&sd, 0, sizeof(sd));
-    sd.data.data = buf;
-    sd.data.len = len;
-    sd.signature.data = it.data;
-    sd.signature.len = it.len << 3;		/* convert to bit string */
-    rv = SECOID_SetAlgorithmID(arena, &sd.signatureAlgorithm, algID, 0);
-    if (rv) goto loser;
-
-    /* DER encode the signed data object */
-    rv = DER_Encode(arena, result, CERTSignedDataTemplate, &sd);
-    /* FALL THROUGH */
-
-  loser:
-    PORT_Free(it.data);
-    return rv;
-}
-
-SECStatus
-SGN_Digest(SECKEYPrivateKey *privKey,
-		SECOidTag algtag, SECItem *result, SECItem *digest)
-{
-    unsigned modulusLen;
-    SECStatus rv;
-    SECItem digder;
-    PRArenaPool *arena = 0;
-    SGNDigestInfo *di = 0;
-
-
-    result->data = 0;
-
-    if (privKey->keyType == rsaKey) {
-
-	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-	if ( !arena ) {
-	    rv = SECFailure;
-	    goto loser;
-	}
-    
-	/* Construct digest info */
-	di = SGN_CreateDigestInfo(algtag, digest->data, digest->len);
-	if (!di) {
-	    rv = SECFailure;
-	    goto loser;
-	}
-
-	/* Der encode the digest as a DigestInfo */
-	rv = DER_Encode(arena, &digder, SGNDigestInfoTemplate, di);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-    } else {
-	digder.data = digest->data;
-	digder.len = digest->len;
-    }
-
-    /*
-    ** Encrypt signature after constructing appropriate PKCS#1 signature
-    ** block
-    */
-    modulusLen = PK11_SignatureLen(privKey);
-    result->len = modulusLen;
-    result->data = (unsigned char*) PORT_Alloc(modulusLen);
-
-    if (result->data == NULL) {
-	rv = SECFailure;
-	goto loser;
-    }
-
-    rv = PK11_Sign(privKey, result, &digder);
-    if (rv != SECSuccess) {
-	PORT_Free(result->data);
-	result->data = NULL;
-    }
-
-  loser:
-    SGN_DestroyDigestInfo(di);
-    if (arena != NULL) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    return rv;
-}
-
-SECOidTag
-SEC_GetSignatureAlgorithmOidTag(KeyType keyType, SECOidTag hashAlgTag)
-{
-    SECOidTag sigTag = SEC_OID_UNKNOWN;
-
-    switch (keyType) {
-    case rsaKey:
-	switch (hashAlgTag) {
-	case SEC_OID_MD2:
-	    sigTag = SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION;	break;
-	case SEC_OID_UNKNOWN:	/* default for RSA if not specified */
-	case SEC_OID_MD5:
-	    sigTag = SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;	break;
-	case SEC_OID_SHA1:
-	    sigTag = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;	break;
-	case SEC_OID_SHA256:
-	    sigTag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;	break;
-	case SEC_OID_SHA384:
-	    sigTag = SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION;	break;
-	case SEC_OID_SHA512:
-	    sigTag = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;	break;
-	default:
-	    break;
-	}
-	break;
-    case dsaKey:
-	switch (hashAlgTag) {
-	case SEC_OID_UNKNOWN:	/* default for DSA if not specified */
-	case SEC_OID_SHA1:
-	    sigTag = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST; break;
-	default:
-	    break;
-	}
-	break;
-    case ecKey:
-        /* XXX For now only ECDSA with SHA1 is supported */
-        sigTag = SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST;
-	break;
-    default:
-    	break;
-    }
-    return sigTag;
-}
diff --git a/security/nss/lib/cryptohi/secvfy.c b/security/nss/lib/cryptohi/secvfy.c
deleted file mode 100644
index 311bec35e..000000000
--- a/security/nss/lib/cryptohi/secvfy.c
+++ /dev/null
@@ -1,512 +0,0 @@
-/*
- * Verification stuff.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include "cryptohi.h"
-#include "sechash.h"
-#include "keyhi.h"
-#include "secasn1.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "secdig.h"
-#include "secerr.h"
-
-/*
-** Decrypt signature block using public key
-** Store the hash algorithm oid tag in *tagp
-** Store the digest in the digest buffer
-** XXX this is assuming that the signature algorithm has WITH_RSA_ENCRYPTION
-*/
-static SECStatus
-DecryptSigBlock(SECOidTag *tagp, unsigned char *digest, unsigned int len,
-		SECKEYPublicKey *key, SECItem *sig, char *wincx)
-{
-    SGNDigestInfo *di   = NULL;
-    unsigned char *buf  = NULL;
-    SECStatus      rv;
-    SECOidTag      tag;
-    SECItem        it;
-
-    if (key == NULL) goto loser;
-
-    it.len  = SECKEY_PublicKeyStrength(key);
-    if (!it.len) goto loser;
-    it.data = buf = (unsigned char *)PORT_Alloc(it.len);
-    if (!buf) goto loser;
-
-    /* decrypt the block */
-    rv = PK11_VerifyRecover(key, sig, &it, wincx);
-    if (rv != SECSuccess) goto loser;
-
-    di = SGN_DecodeDigestInfo(&it);
-    if (di == NULL) goto sigloser;
-
-    /*
-    ** Finally we have the digest info; now we can extract the algorithm
-    ** ID and the signature block
-    */
-    tag = SECOID_GetAlgorithmTag(&di->digestAlgorithm);
-    /* XXX Check that tag is an appropriate algorithm? */
-    if (di->digest.len > len) {
-	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
-	goto loser;
-    }
-    PORT_Memcpy(digest, di->digest.data, di->digest.len);
-    *tagp = tag;
-    goto done;
-
-  sigloser:
-    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-
-  loser:
-    rv = SECFailure;
-
-  done:
-    if (di   != NULL) SGN_DestroyDigestInfo(di);
-    if (buf  != NULL) PORT_Free(buf);
-    
-    return rv;
-}
-
-typedef enum { VFY_RSA, VFY_DSA, VFY_ECDSA } VerifyType;
-
-struct VFYContextStr {
-    SECOidTag alg;  /* the hash algorithm */
-    VerifyType type;
-    SECKEYPublicKey *key;
-    /*
-     * This buffer holds either the digest or the full signature
-     * depending on the type of the signature.  It is defined as a
-     * union to make sure it always has enough space.
-     *
-     * Use the "buffer" union member to reference the buffer.
-     * Note: do not take the size of the "buffer" union member.  Take
-     * the size of the union or some other union member instead.
-     */
-    union {
-	unsigned char buffer[1];
-
-	/* the digest in the decrypted RSA signature */
-	unsigned char rsadigest[HASH_LENGTH_MAX];
-	/* the full DSA signature... 40 bytes */
-	unsigned char dsasig[DSA_SIGNATURE_LEN];
-	/* the full ECDSA signature */
-	unsigned char ecdsasig[2 * MAX_ECKEY_LEN];
-    } u;
-    void * wincx;
-    void *hashcx;
-    const SECHashObject *hashobj;
-    SECOidTag sigAlg;  /* the (composite) signature algorithm */
-    PRBool hasSignature;  /* true if the signature was provided in the
-                           * VFY_CreateContext call.  If false, the
-                           * signature must be provided with a
-                           * VFY_EndWithSignature call. */
-};
-
-/*
- * decode the ECDSA or DSA signature from it's DER wrapping.
- * The unwrapped/raw signature is placed in the buffer pointed
- * to by dsig and has enough room for len bytes.
- */
-static SECStatus
-decodeECorDSASignature(SECOidTag algid, SECItem *sig, unsigned char *dsig,
-		       unsigned int len) {
-    SECItem *dsasig = NULL; /* also used for ECDSA */
-    SECStatus rv=SECSuccess;
-
-    switch (algid) {
-    case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST:
-    case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST:
-    case SEC_OID_ANSIX9_DSA_SIGNATURE:
-    case SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST:
-        if (algid == SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST) {
-	    if (len > MAX_ECKEY_LEN * 2) {
-	        PORT_SetError(SEC_ERROR_BAD_DER);
-		return SECFailure;
-	    }
-	    dsasig = DSAU_DecodeDerSigToLen(sig, len);
-	} else {
-	    dsasig = DSAU_DecodeDerSig(sig);
-	}
-
-	if ((dsasig == NULL) || (dsasig->len != len)) {
-	    rv = SECFailure;
-	} else {
-	    PORT_Memcpy(dsig, dsasig->data, dsasig->len);
-	}
-	break;
-    default:
-        if (sig->len != len) {
-	    rv = SECFailure;
-	} else {
-	    PORT_Memcpy(dsig, sig->data, sig->len);
-	}
-	break;
-    }
-
-    if (dsasig != NULL) SECITEM_FreeItem(dsasig, PR_TRUE);
-    if (rv == SECFailure) PORT_SetError(SEC_ERROR_BAD_DER);
-    return rv;
-}
-
-/*
- * Pulls the hash algorithm, signing algorithm, and key type out of a
- * composite algorithm.
- *
- * alg: the composite algorithm to dissect.
- * hashalg: address of a SECOidTag which will be set with the hash algorithm.
- * signalg: address of a SECOidTag which will be set with the signing alg.
- *          (not implemented)
- * keyType: address of a KeyType which will be set with the key type.
- *          (not implemented)
- * Returns: SECSuccess if the algorithm was acceptable, SECFailure if the
- *	algorithm was not found or was not a signing algorithm.
- */
-static SECStatus
-decodeSigAlg(SECOidTag alg, SECOidTag *hashalg)
-{
-    PR_ASSERT(hashalg!=NULL);
-
-    switch (alg) {
-      /* We probably shouldn't be generating MD2 signatures either */
-      case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
-        *hashalg = SEC_OID_MD2;
-	break;
-      case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
-        *hashalg = SEC_OID_MD5;
-	break;
-      case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
-      case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE:
-        *hashalg = SEC_OID_SHA1;
-	break;
-
-      case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
-	*hashalg = SEC_OID_SHA256;
-	break;
-      case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
-	*hashalg = SEC_OID_SHA384;
-	break;
-      case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
-	*hashalg = SEC_OID_SHA512;
-	break;
-
-      /* what about normal DSA? */
-      case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST:
-      case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST:
-      case SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST:
-        *hashalg = SEC_OID_SHA1;
-	break;
-      case SEC_OID_MISSI_DSS:
-      case SEC_OID_MISSI_KEA_DSS:
-      case SEC_OID_MISSI_KEA_DSS_OLD:
-      case SEC_OID_MISSI_DSS_OLD:
-        *hashalg = SEC_OID_SHA1;
-	break;
-      /* we don't implement MD4 hashes */
-      case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
-      default:
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-VFYContext *
-VFY_CreateContext(SECKEYPublicKey *key, SECItem *sig, SECOidTag algid,
-		  void *wincx)
-{
-    VFYContext *cx;
-    SECStatus rv;
-    unsigned int sigLen;
-
-    cx = (VFYContext*) PORT_ZAlloc(sizeof(VFYContext));
-    if (cx) {
-        cx->wincx = wincx;
-	cx->hasSignature = (sig != NULL);
-	cx->sigAlg = algid;
-	rv = SECSuccess;
-	switch (key->keyType) {
-	case rsaKey:
-	    cx->type = VFY_RSA;
-	    cx->key = SECKEY_CopyPublicKey(key); /* extra safety precautions */
-	    if (sig) {
-		SECOidTag hashid = SEC_OID_UNKNOWN;
-	    	rv = DecryptSigBlock(&hashid, cx->u.buffer,
-			HASH_LENGTH_MAX, cx->key, sig, (char*)wincx);
-		cx->alg = hashid;
-	    } else {
-		rv = decodeSigAlg(algid,&cx->alg);
-	    }
-	    break;
-	case fortezzaKey:
-	case dsaKey:
-	case ecKey:
-	    if (key->keyType == ecKey) {
-	        cx->type = VFY_ECDSA;
-		/* Unlike DSA, EDSA does not have a fixed signature length
-		 * (it depends on the key size)
-		 */
-		sigLen = SECKEY_PublicKeyStrength(key) * 2;
-	    } else {
-	        cx->type = VFY_DSA;
-		sigLen = DSA_SIGNATURE_LEN;
-	    }
-  	    cx->alg = SEC_OID_SHA1;
-  	    cx->key = SECKEY_CopyPublicKey(key);
-  	    if (sig) {
-	        rv = decodeECorDSASignature(algid,sig,cx->u.buffer,sigLen);
-  	    }
-  	    break;
-	default:
-	    rv = SECFailure;
-	    break;
-	}
-	if (rv) goto loser;
-	switch (cx->alg) {
-	case SEC_OID_MD2:
-	case SEC_OID_MD5:
-	case SEC_OID_SHA1:
-	case SEC_OID_SHA256:
-	case SEC_OID_SHA384:
-	case SEC_OID_SHA512:
-	    break;
-	default:
-	    PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-	    goto loser;
-	}
-    }
-    return cx;
-
-  loser:
-    VFY_DestroyContext(cx, PR_TRUE);
-    return 0;
-}
-
-void
-VFY_DestroyContext(VFYContext *cx, PRBool freeit)
-{
-    if (cx) {
-	if (cx->hashcx != NULL) {
-	    (*cx->hashobj->destroy)(cx->hashcx, PR_TRUE);
-	    cx->hashcx = NULL;
-	}
-	if (cx->key) {
-	    SECKEY_DestroyPublicKey(cx->key);
-	}
-	if (freeit) {
-	    PORT_ZFree(cx, sizeof(VFYContext));
-	}
-    }
-}
-
-SECStatus
-VFY_Begin(VFYContext *cx)
-{
-    if (cx->hashcx != NULL) {
-	(*cx->hashobj->destroy)(cx->hashcx, PR_TRUE);
-	cx->hashcx = NULL;
-    }
-
-    cx->hashobj = HASH_GetHashObjectByOidTag(cx->alg);
-    if (!cx->hashobj) 
-	return SECFailure;	/* error code is set */
-
-    cx->hashcx = (*cx->hashobj->create)();
-    if (cx->hashcx == NULL)
-	return SECFailure;
-
-    (*cx->hashobj->begin)(cx->hashcx);
-    return SECSuccess;
-}
-
-SECStatus
-VFY_Update(VFYContext *cx, unsigned char *input, unsigned inputLen)
-{
-    if (cx->hashcx == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    (*cx->hashobj->update)(cx->hashcx, input, inputLen);
-    return SECSuccess;
-}
-
-SECStatus
-VFY_EndWithSignature(VFYContext *cx, SECItem *sig)
-{
-    unsigned char final[HASH_LENGTH_MAX];
-    unsigned part;
-    SECItem hash,dsasig; /* dsasig is also used for ECDSA */
-    SECStatus rv;
-
-    if ((cx->hasSignature == PR_FALSE) && (sig == NULL)) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    if (cx->hashcx == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    (*cx->hashobj->end)(cx->hashcx, final, &part, sizeof(final));
-    switch (cx->type) {
-      case VFY_DSA:
-      case VFY_ECDSA:
-	dsasig.data = cx->u.buffer;
-	if (cx->type == VFY_DSA) {
-	    dsasig.len = DSA_SIGNATURE_LEN;
-	} else {
-	    dsasig.len = SECKEY_PublicKeyStrength(cx->key) * 2;
-	}
-	if (sig) {
-	    rv = decodeECorDSASignature(cx->sigAlg,sig,dsasig.data,
-					dsasig.len);
-	    if (rv != SECSuccess) {
-		PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-		return SECFailure;
-	    }
-	} 
-	hash.data = final;
-	hash.len = part;
-	if (PK11_Verify(cx->key,&dsasig,&hash,cx->wincx) != SECSuccess) {
-		PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-		return SECFailure;
-	}
-	break;
-      case VFY_RSA:
-	if (sig) {
-	    SECOidTag hashid = SEC_OID_UNKNOWN;
-	    rv = DecryptSigBlock(&hashid, cx->u.buffer, 
-		    HASH_LENGTH_MAX, cx->key, sig, (char*)cx->wincx);
-	    if ((rv != SECSuccess) || (hashid != cx->alg)) {
-		PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-		return SECFailure;
-	    }
-	}
-	if (PORT_Memcmp(final, cx->u.buffer, part)) {
-	    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-	    return SECFailure;
-	}
-	break;
-      default:
-	PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-	return SECFailure; /* shouldn't happen */
-    }
-    return SECSuccess;
-}
-
-SECStatus
-VFY_End(VFYContext *cx)
-{
-    return VFY_EndWithSignature(cx,NULL);
-}
-
-/************************************************************************/
-/*
- * Verify that a previously-computed digest matches a signature.
- * XXX This should take a parameter that specifies the digest algorithm,
- * and we should compare that the algorithm found in the DigestInfo
- * matches it!
- */
-SECStatus
-VFY_VerifyDigest(SECItem *digest, SECKEYPublicKey *key, SECItem *sig,
-		 SECOidTag algid, void *wincx)
-{
-    SECStatus rv;
-    VFYContext *cx;
-    SECItem dsasig; /* also used for ECDSA */
-
-    rv = SECFailure;
-
-    cx = VFY_CreateContext(key, sig, algid, wincx);
-    if (cx != NULL) {
-	switch (key->keyType) {
-	case rsaKey:
-	    if (PORT_Memcmp(digest->data, cx->u.buffer, digest->len)) {
-		PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-	    } else {
-		rv = SECSuccess;
-	    }
-	    break;
-	case fortezzaKey:
-	case dsaKey:
-	case ecKey:
-	    dsasig.data = cx->u.buffer;
-	    if (key->keyType == ecKey) {
-		dsasig.len = SECKEY_PublicKeyStrength(cx->key) * 2;
-	    } else {
-		/* magic size of dsa signature */
-		dsasig.len = DSA_SIGNATURE_LEN;
-	    }
-	    if (PK11_Verify(cx->key, &dsasig, digest, cx->wincx)
-		!= SECSuccess) {
-		PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-	    } else {
-		rv = SECSuccess;
-	    }
-	    break;
-	default:
-	    break;
-	}
-	VFY_DestroyContext(cx, PR_TRUE);
-    }
-    return rv;
-}
-
-SECStatus
-VFY_VerifyData(unsigned char *buf, int len, SECKEYPublicKey *key,
-	       SECItem *sig, SECOidTag algid, void *wincx)
-{
-    SECStatus rv;
-    VFYContext *cx;
-
-    cx = VFY_CreateContext(key, sig, algid, wincx);
-    if (cx == NULL)
-	return SECFailure;
-
-    rv = VFY_Begin(cx);
-    if (rv == SECSuccess) {
-	rv = VFY_Update(cx, buf, len);
-	if (rv == SECSuccess)
-	    rv = VFY_End(cx);
-    }
-
-    VFY_DestroyContext(cx, PR_TRUE);
-    return rv;
-}
diff --git a/security/nss/lib/dev/Makefile b/security/nss/lib/dev/Makefile
deleted file mode 100644
index 051a89a26..000000000
--- a/security/nss/lib/dev/Makefile
+++ /dev/null
@@ -1,57 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
-
-include manifest.mn
-include $(CORE_DEPTH)/coreconf/config.mk
-include config.mk
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-# On AIX 4.3, IBM xlC_r compiler (version 3.6.6) cannot compile
-# ckhelper.c in 64-bit mode for unknown reasons.  A workaround is
-# to compile it with optimizations turned on.  (Bugzilla bug #63815)
-ifeq ($(OS_TARGET)$(OS_RELEASE),AIX4.3)
-ifeq ($(USE_64),1)
-ifndef BUILD_OPT
-$(OBJDIR)/ckhelper.o: ckhelper.c
-	@$(MAKE_OBJDIR)
-	$(CC) -o $@ -c -O2 $(CFLAGS) $<
-endif
-endif
-endif
-
-export:: private_export
diff --git a/security/nss/lib/dev/ckhelper.c b/security/nss/lib/dev/ckhelper.c
deleted file mode 100644
index df102c78f..000000000
--- a/security/nss/lib/dev/ckhelper.c
+++ /dev/null
@@ -1,728 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#ifndef NSSCKEPV_H
-#include "nssckepv.h"
-#endif /* NSSCKEPV_H */
-
-#ifndef DEVM_H
-#include "devm.h"
-#endif /* DEVM_H */
-
-#ifndef CKHELPER_H
-#include "ckhelper.h"
-#endif /* CKHELPER_H */
-
-extern const NSSError NSS_ERROR_DEVICE_ERROR;
-
-static const CK_BBOOL s_true = CK_TRUE;
-NSS_IMPLEMENT_DATA const NSSItem
-g_ck_true = { (CK_VOID_PTR)&s_true, sizeof(s_true) };
-
-static const CK_BBOOL s_false = CK_FALSE;
-NSS_IMPLEMENT_DATA const NSSItem
-g_ck_false = { (CK_VOID_PTR)&s_false, sizeof(s_false) };
-
-static const CK_OBJECT_CLASS s_class_cert = CKO_CERTIFICATE;
-NSS_IMPLEMENT_DATA const NSSItem
-g_ck_class_cert = { (CK_VOID_PTR)&s_class_cert, sizeof(s_class_cert) };
-
-static const CK_OBJECT_CLASS s_class_pubkey = CKO_PUBLIC_KEY;
-NSS_IMPLEMENT_DATA const NSSItem
-g_ck_class_pubkey = { (CK_VOID_PTR)&s_class_pubkey, sizeof(s_class_pubkey) };
-
-static const CK_OBJECT_CLASS s_class_privkey = CKO_PRIVATE_KEY;
-NSS_IMPLEMENT_DATA const NSSItem
-g_ck_class_privkey = { (CK_VOID_PTR)&s_class_privkey, sizeof(s_class_privkey) };
-
-static PRBool
-is_string_attribute (
-  CK_ATTRIBUTE_TYPE aType
-)
-{
-    PRBool isString;
-    switch (aType) {
-    case CKA_LABEL:
-    case CKA_NETSCAPE_EMAIL:
-	isString = PR_TRUE;
-	break;
-    default:
-	isString = PR_FALSE;
-	break;
-    }
-    return isString;
-}
-
-NSS_IMPLEMENT PRStatus 
-nssCKObject_GetAttributes (
-  CK_OBJECT_HANDLE object,
-  CK_ATTRIBUTE_PTR obj_template,
-  CK_ULONG count,
-  NSSArena *arenaOpt,
-  nssSession *session,
-  NSSSlot *slot
-)
-{
-    nssArenaMark *mark = NULL;
-    CK_SESSION_HANDLE hSession;
-    CK_ULONG i = 0;
-    CK_RV ckrv;
-    PRStatus nssrv;
-    PRBool alloced = PR_FALSE;
-    void *epv = nssSlot_GetCryptokiEPV(slot);
-    hSession = session->handle; 
-    if (arenaOpt) {
-	mark = nssArena_Mark(arenaOpt);
-	if (!mark) {
-	    goto loser;
-	}
-    }
-    nssSession_EnterMonitor(session);
-    /* XXX kinda hacky, if the storage size is already in the first template
-     * item, then skip the alloc portion
-     */
-    if (obj_template[0].ulValueLen == 0) {
-	/* Get the storage size needed for each attribute */
-	ckrv = CKAPI(epv)->C_GetAttributeValue(hSession,
-	                                       object, obj_template, count);
-	if (ckrv != CKR_OK && 
-	    ckrv != CKR_ATTRIBUTE_TYPE_INVALID &&
-	    ckrv != CKR_ATTRIBUTE_SENSITIVE) 
-	{
-	    nssSession_ExitMonitor(session);
-	    nss_SetError(NSS_ERROR_DEVICE_ERROR);
-	    goto loser;
-	}
-	/* Allocate memory for each attribute. */
-	for (i=0; i<count; i++) {
-	    CK_ULONG ulValueLen = obj_template[i].ulValueLen;
-	    if (ulValueLen == 0) continue;
-	    if (ulValueLen == (CK_ULONG) -1) {
-		obj_template[i].ulValueLen = 0;
-		continue;
-	    }
-	    if (is_string_attribute(obj_template[i].type)) {
-		ulValueLen++;
-	    }
-	    obj_template[i].pValue = nss_ZAlloc(arenaOpt, ulValueLen);
-	    if (!obj_template[i].pValue) {
-		nssSession_ExitMonitor(session);
-		goto loser;
-	    }
-	}
-	alloced = PR_TRUE;
-    }
-    /* Obtain the actual attribute values. */
-    ckrv = CKAPI(epv)->C_GetAttributeValue(hSession,
-                                           object, obj_template, count);
-    nssSession_ExitMonitor(session);
-    if (ckrv != CKR_OK && 
-        ckrv != CKR_ATTRIBUTE_TYPE_INVALID &&
-        ckrv != CKR_ATTRIBUTE_SENSITIVE) 
-    {
-	nss_SetError(NSS_ERROR_DEVICE_ERROR);
-	goto loser;
-    }
-    if (alloced && arenaOpt) {
-	nssrv = nssArena_Unmark(arenaOpt, mark);
-	if (nssrv != PR_SUCCESS) {
-	    goto loser;
-	}
-    }
-
-    if (count > 1 && ((ckrv == CKR_ATTRIBUTE_TYPE_INVALID) || 
-					(ckrv == CKR_ATTRIBUTE_SENSITIVE))) {
-	/* old tokens would keep the length of '0' and not deal with any
-	 * of the attributes we passed. For those tokens read them one at
-	 * a time */
-	for (i=0; i < count; i++) {
-	    if ((obj_template[i].ulValueLen == 0) 
-				|| (obj_template[i].ulValueLen == -1)) {
-		obj_template[i].ulValueLen=0;
-		(void) nssCKObject_GetAttributes(object,&obj_template[i], 1,
-			arenaOpt, session, slot);
-	    }
-	}
-    }
-    return PR_SUCCESS;
-loser:
-    if (alloced) {
-	if (arenaOpt) {
-	    /* release all arena memory allocated before the failure. */
-	    (void)nssArena_Release(arenaOpt, mark);
-	} else {
-	    CK_ULONG j;
-	    /* free each heap object that was allocated before the failure. */
-	    for (j=0; j<i; j++) {
-		nss_ZFreeIf(obj_template[j].pValue);
-	    }
-	}
-    }
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT PRStatus
-nssCKObject_GetAttributeItem (
-  CK_OBJECT_HANDLE object,
-  CK_ATTRIBUTE_TYPE attribute,
-  NSSArena *arenaOpt,
-  nssSession *session,
-  NSSSlot *slot,
-  NSSItem *rvItem
-)
-{
-    CK_ATTRIBUTE attr = { 0, NULL, 0 };
-    PRStatus nssrv;
-    attr.type = attribute;
-    nssrv = nssCKObject_GetAttributes(object, &attr, 1, 
-                                      arenaOpt, session, slot);
-    if (nssrv != PR_SUCCESS) {
-	return nssrv;
-    }
-    rvItem->data = (void *)attr.pValue;
-    rvItem->size = (PRUint32)attr.ulValueLen;
-    return PR_SUCCESS;
-}
-
-NSS_IMPLEMENT PRBool
-nssCKObject_IsAttributeTrue (
-  CK_OBJECT_HANDLE object,
-  CK_ATTRIBUTE_TYPE attribute,
-  nssSession *session,
-  NSSSlot *slot,
-  PRStatus *rvStatus
-)
-{
-    CK_BBOOL bool;
-    CK_ATTRIBUTE_PTR attr;
-    CK_ATTRIBUTE atemplate = { 0, NULL, 0 };
-    CK_RV ckrv;
-    void *epv = nssSlot_GetCryptokiEPV(slot);
-    attr = &atemplate;
-    NSS_CK_SET_ATTRIBUTE_VAR(attr, attribute, bool);
-    nssSession_EnterMonitor(session);
-    ckrv = CKAPI(epv)->C_GetAttributeValue(session->handle, object, 
-                                           &atemplate, 1);
-    nssSession_ExitMonitor(session);
-    if (ckrv != CKR_OK) {
-	*rvStatus = PR_FAILURE;
-	return PR_FALSE;
-    }
-    *rvStatus = PR_SUCCESS;
-    return (PRBool)(bool == CK_TRUE);
-}
-
-NSS_IMPLEMENT PRStatus 
-nssCKObject_SetAttributes (
-  CK_OBJECT_HANDLE object,
-  CK_ATTRIBUTE_PTR obj_template,
-  CK_ULONG count,
-  nssSession *session,
-  NSSSlot  *slot
-)
-{
-    CK_RV ckrv;
-    void *epv = nssSlot_GetCryptokiEPV(slot);
-    nssSession_EnterMonitor(session);
-    ckrv = CKAPI(epv)->C_SetAttributeValue(session->handle, object, 
-                                           obj_template, count);
-    nssSession_ExitMonitor(session);
-    if (ckrv == CKR_OK) {
-	return PR_SUCCESS;
-    } else {
-	return PR_FAILURE;
-    }
-}
-
-NSS_IMPLEMENT PRBool
-nssCKObject_IsTokenObjectTemplate (
-  CK_ATTRIBUTE_PTR objectTemplate, 
-  CK_ULONG otsize
-)
-{
-    CK_ULONG ul;
-    for (ul=0; ul<otsize; ul++) {
-	if (objectTemplate[ul].type == CKA_TOKEN) {
-	    return (*((CK_BBOOL*)objectTemplate[ul].pValue) == CK_TRUE);
-	}
-    }
-    return PR_FALSE;
-}
-
-static NSSCertificateType
-nss_cert_type_from_ck_attrib(CK_ATTRIBUTE_PTR attrib)
-{
-    CK_CERTIFICATE_TYPE ckCertType;
-    if (!attrib->pValue) {
-	/* default to PKIX */
-	return NSSCertificateType_PKIX;
-    }
-    ckCertType = *((CK_ULONG *)attrib->pValue);
-    switch (ckCertType) {
-    case CKC_X_509:
-	return NSSCertificateType_PKIX;
-    default:
-	break;
-    }
-    return NSSCertificateType_Unknown;
-}
-
-/* incoming pointers must be valid */
-NSS_IMPLEMENT PRStatus
-nssCryptokiCertificate_GetAttributes (
-  nssCryptokiObject *certObject,
-  nssSession *sessionOpt,
-  NSSArena *arenaOpt,
-  NSSCertificateType *certTypeOpt,
-  NSSItem *idOpt,
-  NSSDER *encodingOpt,
-  NSSDER *issuerOpt,
-  NSSDER *serialOpt,
-  NSSDER *subjectOpt
-)
-{
-    PRStatus status;
-    PRUint32 i;
-    nssSession *session;
-    NSSSlot *slot;
-    CK_ULONG template_size;
-    CK_ATTRIBUTE_PTR attr;
-    CK_ATTRIBUTE cert_template[6];
-    /* Set up a template of all options chosen by caller */
-    NSS_CK_TEMPLATE_START(cert_template, attr, template_size);
-    if (certTypeOpt) {
-	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_CERTIFICATE_TYPE);
-    }
-    if (idOpt) {
-	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_ID);
-    }
-    if (encodingOpt) {
-	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_VALUE);
-    }
-    if (issuerOpt) {
-	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_ISSUER);
-    }
-    if (serialOpt) {
-	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_SERIAL_NUMBER);
-    }
-    if (subjectOpt) {
-	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_SUBJECT);
-    }
-    NSS_CK_TEMPLATE_FINISH(cert_template, attr, template_size);
-    if (template_size == 0) {
-	/* caller didn't want anything */
-	return PR_SUCCESS;
-    }
-
-    status = nssToken_GetCachedObjectAttributes(certObject->token, arenaOpt,
-                                                certObject, CKO_CERTIFICATE,
-                                                cert_template, template_size);
-    if (status != PR_SUCCESS) {
-
-	session = sessionOpt ? 
-	          sessionOpt : 
-	          nssToken_GetDefaultSession(certObject->token);
-
-	slot = nssToken_GetSlot(certObject->token);
-	status = nssCKObject_GetAttributes(certObject->handle, 
-	                                   cert_template, template_size,
-	                                   arenaOpt, session, slot);
-	nssSlot_Destroy(slot);
-	if (status != PR_SUCCESS) {
-	    return status;
-	}
-    }
-
-    i=0;
-    if (certTypeOpt) {
-	*certTypeOpt = nss_cert_type_from_ck_attrib(&cert_template[i]); i++;
-    }
-    if (idOpt) {
-	NSS_CK_ATTRIBUTE_TO_ITEM(&cert_template[i], idOpt); i++;
-    }
-    if (encodingOpt) {
-	NSS_CK_ATTRIBUTE_TO_ITEM(&cert_template[i], encodingOpt); i++;
-    }
-    if (issuerOpt) {
-	NSS_CK_ATTRIBUTE_TO_ITEM(&cert_template[i], issuerOpt); i++;
-    }
-    if (serialOpt) {
-	NSS_CK_ATTRIBUTE_TO_ITEM(&cert_template[i], serialOpt); i++;
-    }
-    if (subjectOpt) {
-	NSS_CK_ATTRIBUTE_TO_ITEM(&cert_template[i], subjectOpt); i++;
-    }
-    return PR_SUCCESS;
-}
-
-#ifdef PURE_STAN_BUILD
-static NSSKeyPairType
-nss_key_pair_type_from_ck_attrib(CK_ATTRIBUTE_PTR attrib)
-{
-    CK_KEY_TYPE ckKeyType;
-    PR_ASSERT(attrib->pValue);
-    ckKeyType = *((CK_ULONG *)attrib->pValue);
-    switch (ckKeyType) {
-    case CKK_RSA: return NSSKeyPairType_RSA;
-    case CKK_DSA: return NSSKeyPairType_DSA;
-    default: break;
-    }
-    return NSSKeyPairType_Unknown;
-}
-
-NSS_IMPLEMENT PRStatus
-nssCryptokiPrivateKey_GetAttributes (
-  nssCryptokiObject *keyObject,
-  nssSession *sessionOpt,
-  NSSArena *arenaOpt,
-  NSSKeyPairType *keyTypeOpt,
-  NSSItem *idOpt
-)
-{
-    PRStatus status;
-    PRUint32 i;
-    nssSession *session;
-    NSSSlot *slot;
-    CK_ULONG template_size;
-    CK_ATTRIBUTE_PTR attr;
-    CK_ATTRIBUTE key_template[2];
-    /* Set up a template of all options chosen by caller */
-    NSS_CK_TEMPLATE_START(key_template, attr, template_size);
-    if (keyTypeOpt) {
-	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_KEY_TYPE);
-    }
-    if (idOpt) {
-	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_ID);
-    }
-    NSS_CK_TEMPLATE_FINISH(key_template, attr, template_size);
-    if (template_size == 0) {
-	/* caller didn't want anything */
-	return PR_SUCCESS;
-    }
-
-    session = sessionOpt ? 
-              sessionOpt : 
-              nssToken_GetDefaultSession(keyObject->token);
-
-    slot = nssToken_GetSlot(keyObject->token);
-    status = nssCKObject_GetAttributes(keyObject->handle, 
-                                       key_template, template_size,
-                                       arenaOpt, session, slot);
-    nssSlot_Destroy(slot);
-    if (status != PR_SUCCESS) {
-	return status;
-    }
-
-    i=0;
-    if (keyTypeOpt) {
-	*keyTypeOpt = nss_key_pair_type_from_ck_attrib(&key_template[i]); i++;
-    }
-    if (idOpt) {
-	NSS_CK_ATTRIBUTE_TO_ITEM(&key_template[i], idOpt); i++;
-    }
-    return PR_SUCCESS;
-}
-
-NSS_IMPLEMENT PRStatus
-nssCryptokiPublicKey_GetAttributes (
-  nssCryptokiObject *keyObject,
-  nssSession *sessionOpt,
-  NSSArena *arenaOpt,
-  NSSKeyPairType *keyTypeOpt,
-  NSSItem *idOpt
-)
-{
-    PRStatus status;
-    PRUint32 i;
-    nssSession *session;
-    NSSSlot *slot;
-    CK_ULONG template_size;
-    CK_ATTRIBUTE_PTR attr;
-    CK_ATTRIBUTE key_template[2];
-    /* Set up a template of all options chosen by caller */
-    NSS_CK_TEMPLATE_START(key_template, attr, template_size);
-    if (keyTypeOpt) {
-	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_KEY_TYPE);
-    }
-    if (idOpt) {
-	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_ID);
-    }
-    NSS_CK_TEMPLATE_FINISH(key_template, attr, template_size);
-    if (template_size == 0) {
-	/* caller didn't want anything */
-	return PR_SUCCESS;
-    }
-
-    session = sessionOpt ? 
-              sessionOpt : 
-              nssToken_GetDefaultSession(keyObject->token);
-
-    slot = nssToken_GetSlot(keyObject->token);
-    status = nssCKObject_GetAttributes(keyObject->handle, 
-                                       key_template, template_size,
-                                       arenaOpt, session, slot);
-    nssSlot_Destroy(slot);
-    if (status != PR_SUCCESS) {
-	return status;
-    }
-
-    i=0;
-    if (keyTypeOpt) {
-	*keyTypeOpt = nss_key_pair_type_from_ck_attrib(&key_template[i]); i++;
-    }
-    if (idOpt) {
-	NSS_CK_ATTRIBUTE_TO_ITEM(&key_template[i], idOpt); i++;
-    }
-    return PR_SUCCESS;
-}
-#endif /* PURE_STAN_BUILD */
-
-static nssTrustLevel 
-get_nss_trust (
-  CK_TRUST ckt
-)
-{
-    nssTrustLevel t;
-    switch (ckt) {
-    case CKT_NETSCAPE_UNTRUSTED: t = nssTrustLevel_NotTrusted; break;
-    case CKT_NETSCAPE_TRUSTED_DELEGATOR: t = nssTrustLevel_TrustedDelegator; 
-	break;
-    case CKT_NETSCAPE_VALID_DELEGATOR: t = nssTrustLevel_ValidDelegator; break;
-    case CKT_NETSCAPE_TRUSTED: t = nssTrustLevel_Trusted; break;
-    case CKT_NETSCAPE_VALID: t = nssTrustLevel_Valid; break;
-    case CKT_NETSCAPE_MUST_VERIFY:
-    case CKT_NETSCAPE_TRUST_UNKNOWN:
-    default:
-	t = nssTrustLevel_Unknown; break;
-    }
-    return t;
-}
-
-NSS_IMPLEMENT PRStatus
-nssCryptokiTrust_GetAttributes (
-  nssCryptokiObject *trustObject,
-  nssSession *sessionOpt,
-  NSSItem *sha1_hash,
-  nssTrustLevel *serverAuth,
-  nssTrustLevel *clientAuth,
-  nssTrustLevel *codeSigning,
-  nssTrustLevel *emailProtection,
-  PRBool *stepUpApproved
-)
-{
-    PRStatus status;
-    NSSSlot *slot;
-    nssSession *session;
-    CK_BBOOL isToken = PR_FALSE;
-    CK_BBOOL stepUp = PR_FALSE;
-    CK_TRUST saTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
-    CK_TRUST caTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
-    CK_TRUST epTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
-    CK_TRUST csTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
-    CK_ATTRIBUTE_PTR attr;
-    CK_ATTRIBUTE trust_template[7];
-    CK_ULONG trust_size;
-
-    /* Use the trust object to find the trust settings */
-    NSS_CK_TEMPLATE_START(trust_template, attr, trust_size);
-    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TOKEN,                  isToken);
-    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_SERVER_AUTH,      saTrust);
-    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_CLIENT_AUTH,      caTrust);
-    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_EMAIL_PROTECTION, epTrust);
-    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_CODE_SIGNING,     csTrust);
-    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_STEP_UP_APPROVED, stepUp);
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CERT_SHA1_HASH,     sha1_hash);
-    NSS_CK_TEMPLATE_FINISH(trust_template, attr, trust_size);
-
-    status = nssToken_GetCachedObjectAttributes(trustObject->token, NULL,
-                                                trustObject, 
-                                                CKO_NETSCAPE_TRUST,
-                                                trust_template, trust_size);
-    if (status != PR_SUCCESS) {
-	session = sessionOpt ? 
-	          sessionOpt : 
-	          nssToken_GetDefaultSession(trustObject->token);
-
-	slot = nssToken_GetSlot(trustObject->token);
-	status = nssCKObject_GetAttributes(trustObject->handle,
-	                                   trust_template, trust_size,
-	                                   NULL, session, slot);
-	nssSlot_Destroy(slot);
-	if (status != PR_SUCCESS) {
-	    return status;
-	}
-    }
-
-    *serverAuth = get_nss_trust(saTrust);
-    *clientAuth = get_nss_trust(caTrust);
-    *emailProtection = get_nss_trust(epTrust);
-    *codeSigning = get_nss_trust(csTrust);
-    *stepUpApproved = stepUp;
-    return PR_SUCCESS;
-}
-
-NSS_IMPLEMENT PRStatus
-nssCryptokiCRL_GetAttributes (
-  nssCryptokiObject *crlObject,
-  nssSession *sessionOpt,
-  NSSArena *arenaOpt,
-  NSSItem *encodingOpt,
-  NSSItem *subjectOpt,
-  CK_ULONG* crl_class,
-  NSSUTF8 **urlOpt,
-  PRBool *isKRLOpt
-)
-{
-    PRStatus status;
-    NSSSlot *slot;
-    nssSession *session;
-    CK_ATTRIBUTE_PTR attr;
-    CK_ATTRIBUTE crl_template[7];
-    CK_ULONG crl_size;
-    PRUint32 i;
-
-    NSS_CK_TEMPLATE_START(crl_template, attr, crl_size);
-    if (crl_class) {
-        NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_CLASS);
-    }
-    if (encodingOpt) {
-	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_VALUE);
-    }
-    if (urlOpt) {
-	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_NETSCAPE_URL);
-    }
-    if (isKRLOpt) {
-	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_NETSCAPE_KRL);
-    }
-    if (subjectOpt) {
-	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_SUBJECT);
-    }
-    NSS_CK_TEMPLATE_FINISH(crl_template, attr, crl_size);
-
-    status = nssToken_GetCachedObjectAttributes(crlObject->token, NULL,
-                                                crlObject, 
-                                                CKO_NETSCAPE_CRL,
-                                                crl_template, crl_size);
-    if (status != PR_SUCCESS) {
-	session = sessionOpt ? 
-	          sessionOpt : 
-	          nssToken_GetDefaultSession(crlObject->token);
-
-	slot = nssToken_GetSlot(crlObject->token);
-	status = nssCKObject_GetAttributes(crlObject->handle, 
-	                                   crl_template, crl_size,
-	                                   arenaOpt, session, slot);
-	nssSlot_Destroy(slot);
-	if (status != PR_SUCCESS) {
-	    return status;
-	}
-    }
-
-    i=0;
-    if (crl_class) {
-        NSS_CK_ATTRIBUTE_TO_ULONG(&crl_template[i], *crl_class); i++;
-    }
-    if (encodingOpt) {
-	NSS_CK_ATTRIBUTE_TO_ITEM(&crl_template[i], encodingOpt); i++;
-    }
-    if (urlOpt) {
-	NSS_CK_ATTRIBUTE_TO_UTF8(&crl_template[i], *urlOpt); i++;
-    }
-    if (isKRLOpt) {
-	NSS_CK_ATTRIBUTE_TO_BOOL(&crl_template[i], *isKRLOpt); i++;
-    }
-    if (subjectOpt) {
-	NSS_CK_ATTRIBUTE_TO_ITEM(&crl_template[i], subjectOpt); i++;
-    }
-    return PR_SUCCESS;
-}
-
-NSS_IMPLEMENT PRStatus
-nssCryptokiPrivateKey_SetCertificate (
-  nssCryptokiObject *keyObject,
-  nssSession *sessionOpt,
-  NSSUTF8 *nickname,
-  NSSItem *id,
-  NSSDER *subject
-)
-{
-    CK_RV ckrv;
-    CK_ATTRIBUTE_PTR attr;
-    CK_ATTRIBUTE key_template[3];
-    CK_ULONG key_size;
-    void *epv = nssToken_GetCryptokiEPV(keyObject->token);
-    nssSession *session;
-    NSSToken *token = keyObject->token;
-    nssSession *defaultSession = nssToken_GetDefaultSession(token);
-    PRBool createdSession = PR_FALSE;
-
-    NSS_CK_TEMPLATE_START(key_template, attr, key_size);
-    NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_LABEL, nickname);
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ID, id);
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT, subject);
-    NSS_CK_TEMPLATE_FINISH(key_template, attr, key_size);
-
-    if (sessionOpt) {
-	if (!nssSession_IsReadWrite(sessionOpt)) {
-	    return PR_FAILURE;
-	} else {
-	    session = sessionOpt;
-	}
-    } else if (nssSession_IsReadWrite(defaultSession)) {
-	session = defaultSession;
-    } else {
-	NSSSlot *slot = nssToken_GetSlot(token);
-	session = nssSlot_CreateSession(token->slot, NULL, PR_TRUE);
-	createdSession = PR_TRUE;
-	nssSlot_Destroy(slot);
-    }
-
-    ckrv = CKAPI(epv)->C_SetAttributeValue(session->handle,
-                                           keyObject->handle,
-                                           key_template,
-                                           key_size);
-
-    if (createdSession) {
-	nssSession_Destroy(session);
-    }
-
-    return (ckrv == CKR_OK) ? PR_SUCCESS : PR_FAILURE;
-}
-
diff --git a/security/nss/lib/dev/ckhelper.h b/security/nss/lib/dev/ckhelper.h
deleted file mode 100644
index 52f2cd9c9..000000000
--- a/security/nss/lib/dev/ckhelper.h
+++ /dev/null
@@ -1,197 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * ckhelper.h
- *
- * This file contains some helper utilities for interaction with cryptoki.
- */
-
-#ifndef CKHELPER_H
-#define CKHELPER_H
-
-#ifdef DEBUG
-static const char CKHELPER_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#ifndef NSSCKT_H
-#include "nssckt.h"
-#endif /* NSSCKT_H */
-
-PR_BEGIN_EXTERN_C
-
-/* Some globals to keep from constantly redeclaring common cryptoki
- * attribute types on the stack.
- */
-
-/* Boolean values */
-NSS_EXTERN_DATA const NSSItem g_ck_true;
-NSS_EXTERN_DATA const NSSItem g_ck_false;
-
-/* Object classes */
-NSS_EXTERN_DATA const NSSItem g_ck_class_cert;
-NSS_EXTERN_DATA const NSSItem g_ck_class_pubkey;
-NSS_EXTERN_DATA const NSSItem g_ck_class_privkey;
-
-#define NSS_CK_TEMPLATE_START(_template, attr, size)   \
-    attr = _template;                                  \
-    size = 0;
-
-#define NSS_CK_SET_ATTRIBUTE_ITEM(pattr, kind, item)  \
-    (pattr)->type = kind;                             \
-    (pattr)->pValue = (CK_VOID_PTR)(item)->data;      \
-    (pattr)->ulValueLen = (CK_ULONG)(item)->size;     \
-    (pattr)++;
-
-#define NSS_CK_SET_ATTRIBUTE_UTF8(pattr, kind, utf8)  \
-    (pattr)->type = kind;                             \
-    (pattr)->pValue = (CK_VOID_PTR)utf8;              \
-    (pattr)->ulValueLen = (CK_ULONG)nssUTF8_Size(utf8, NULL); \
-    if ((pattr)->ulValueLen) ((pattr)->ulValueLen)--; \
-    (pattr)++;
-
-#define NSS_CK_SET_ATTRIBUTE_VAR(pattr, kind, var)    \
-    (pattr)->type = kind;                             \
-    (pattr)->pValue = (CK_VOID_PTR)&var;              \
-    (pattr)->ulValueLen = (CK_ULONG)sizeof(var);      \
-    (pattr)++;
-
-#define NSS_CK_SET_ATTRIBUTE_NULL(pattr, kind)        \
-    (pattr)->type = kind;                             \
-    (pattr)->pValue = (CK_VOID_PTR)NULL;              \
-    (pattr)->ulValueLen = 0;                          \
-    (pattr)++;
-
-#define NSS_CK_TEMPLATE_FINISH(_template, attr, size) \
-    size = (attr) - (_template);                      \
-    PR_ASSERT(size <= sizeof(_template)/sizeof(_template[0]));
-
-/* NSS_CK_ATTRIBUTE_TO_ITEM(attrib, item)
- *
- * Convert a CK_ATTRIBUTE to an NSSItem.
- */
-#define NSS_CK_ATTRIBUTE_TO_ITEM(attrib, item)         \
-    if ((CK_LONG)(attrib)->ulValueLen > 0) {           \
-	(item)->data = (void *)(attrib)->pValue;       \
-	(item)->size = (PRUint32)(attrib)->ulValueLen; \
-    } else {                                           \
-	(item)->data = 0;                              \
-	(item)->size = 0;                              \
-    }
-
-#define NSS_CK_ATTRIBUTE_TO_BOOL(attrib, boolvar)        \
-    if ((attrib)->ulValueLen > 0) {                      \
-	if (*((CK_BBOOL*)(attrib)->pValue) == CK_TRUE) { \
-	    boolvar = PR_TRUE;                           \
-	} else {                                         \
-	    boolvar = PR_FALSE;                          \
-	}                                                \
-    }
-
-#define NSS_CK_ATTRIBUTE_TO_ULONG(attrib, ulongvar)      \
-    if ((attrib)->ulValueLen > 0) {                      \
-	ulongvar = *((CK_ULONG*)(attrib)->pValue);       \
-    }
-
-/* NSS_CK_ATTRIBUTE_TO_UTF8(attrib, str)
- *
- * Convert a CK_ATTRIBUTE to a string.
- */
-#define NSS_CK_ATTRIBUTE_TO_UTF8(attrib, str)      \
-    str = (NSSUTF8 *)((attrib)->pValue);
-
-/* NSS_CK_ITEM_TO_ATTRIBUTE(item, attrib)
- *
- * Convert an NSSItem to a  CK_ATTRIBUTE.
- */
-#define NSS_CK_ITEM_TO_ATTRIBUTE(item, attrib)     \
-    (attrib)->pValue = (CK_VOID_PTR)(item)->data;  \
-    (attrib)->ulValueLen = (CK_ULONG)(item)->size; \
-
-/* Get an array of attributes from an object. */
-NSS_EXTERN PRStatus 
-nssCKObject_GetAttributes
-(
-  CK_OBJECT_HANDLE object,
-  CK_ATTRIBUTE_PTR obj_template,
-  CK_ULONG count,
-  NSSArena *arenaOpt,
-  nssSession *session,
-  NSSSlot *slot
-);
-
-/* Get a single attribute as an item. */
-NSS_EXTERN PRStatus
-nssCKObject_GetAttributeItem
-(
-  CK_OBJECT_HANDLE object,
-  CK_ATTRIBUTE_TYPE attribute,
-  NSSArena *arenaOpt,
-  nssSession *session,
-  NSSSlot *slot,
-  NSSItem *rvItem
-);
-
-NSS_EXTERN PRBool
-nssCKObject_IsAttributeTrue
-(
-  CK_OBJECT_HANDLE object,
-  CK_ATTRIBUTE_TYPE attribute,
-  nssSession *session,
-  NSSSlot *slot,
-  PRStatus *rvStatus
-);
-
-NSS_EXTERN PRStatus 
-nssCKObject_SetAttributes
-(
-  CK_OBJECT_HANDLE object,
-  CK_ATTRIBUTE_PTR obj_template,
-  CK_ULONG count,
-  nssSession *session,
-  NSSSlot  *slot
-);
-
-NSS_EXTERN PRBool
-nssCKObject_IsTokenObjectTemplate
-(
-  CK_ATTRIBUTE_PTR objectTemplate, 
-  CK_ULONG otsize
-);
-
-PR_END_EXTERN_C
-
-#endif /* CKHELPER_H */
diff --git a/security/nss/lib/dev/config.mk b/security/nss/lib/dev/config.mk
deleted file mode 100644
index f4e5b965b..000000000
--- a/security/nss/lib/dev/config.mk
+++ /dev/null
@@ -1,52 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
-
-ifdef BUILD_IDG
-DEFINES += -DNSSDEBUG
-endif
-
-#
-#  Override TARGETS variable so that only static libraries
-#  are specifed as dependencies within rules.mk.
-#
-
-TARGETS        = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PROGRAM        =
-
diff --git a/security/nss/lib/dev/dev.h b/security/nss/lib/dev/dev.h
deleted file mode 100644
index 262d934bc..000000000
--- a/security/nss/lib/dev/dev.h
+++ /dev/null
@@ -1,1004 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef DEV_H
-#define DEV_H
-
-/*
- * dev.h
- *
- * Low-level methods for interaction with cryptoki devices
- */
-
-#ifdef DEBUG
-static const char DEV_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#ifndef NSSCKT_H
-#include "nssckt.h"
-#endif /* NSSCKT_H */
-
-#ifndef NSSDEV_H
-#include "nssdev.h"
-#endif /* NSSDEV_H */
-
-#ifndef DEVT_H
-#include "devt.h"
-#endif /* DEVT_H */
-
-PR_BEGIN_EXTERN_C
-
-/* the global module list
- *
- * These functions are for managing the global set of modules.  Trust Domains,
- * etc., will draw from this set.  These functions are completely internal
- * and only invoked when there are changes to the global module state
- * (load or unload).
- *
- * nss_InitializeGlobalModuleList
- * nss_DestroyGlobalModuleList
- * nss_GetLoadedModules
- *
- * nssGlobalModuleList_Add
- * nssGlobalModuleList_Remove
- * nssGlobalModuleList_FindModuleByName
- * nssGlobalModuleList_FindSlotByName
- * nssGlobalModuleList_FindTokenByName
- */
-
-NSS_EXTERN PRStatus
-nss_InitializeGlobalModuleList
-(
-  void
-);
-
-NSS_EXTERN PRStatus
-nss_DestroyGlobalModuleList
-(
-  void
-);
-
-NSS_EXTERN NSSModule **
-nss_GetLoadedModules
-(
-  void
-);
-
-NSS_EXTERN PRStatus
-nssGlobalModuleList_Add
-(
-  NSSModule *module
-);
-
-NSS_EXTERN PRStatus
-nssGlobalModuleList_Remove
-(
-  NSSModule *module
-);
-
-NSS_EXTERN NSSModule *
-nssGlobalModuleList_FindModuleByName
-(
-  NSSUTF8 *moduleName
-);
-
-NSS_EXTERN NSSSlot *
-nssGlobalModuleList_FindSlotByName
-(
-  NSSUTF8 *slotName
-);
-
-NSS_EXTERN NSSToken *
-nssGlobalModuleList_FindTokenByName
-(
-  NSSUTF8 *tokenName
-);
-
-NSS_EXTERN NSSToken *
-nss_GetDefaultCryptoToken
-(
-  void
-);
-
-NSS_EXTERN NSSToken *
-nss_GetDefaultDatabaseToken
-(
-  void
-);
-
-/*
- *  |-----------|<---> NSSSlot <--> NSSToken
- *  | NSSModule |<---> NSSSlot <--> NSSToken
- *  |-----------|<---> NSSSlot <--> NSSToken
- */
-
-/* NSSModule
- *
- * nssModule_Create
- * nssModule_CreateFromSpec
- * nssModule_AddRef
- * nssModule_GetName
- * nssModule_GetSlots
- * nssModule_FindSlotByName
- * nssModule_FindTokenByName
- * nssModule_GetCertOrder
- */
-
-NSS_EXTERN NSSModule *
-nssModule_Create
-(
-  NSSUTF8 *moduleOpt,
-  NSSUTF8 *uriOpt,
-  NSSUTF8 *opaqueOpt,
-  void    *reserved
-);
-
-/* This is to use the new loading mechanism. */
-NSS_EXTERN NSSModule *
-nssModule_CreateFromSpec
-(
-  NSSUTF8 *moduleSpec,
-  NSSModule *parent,
-  PRBool loadSubModules
-);
-
-NSS_EXTERN PRStatus
-nssModule_Destroy
-(
-  NSSModule *mod
-);
-
-NSS_EXTERN NSSModule *
-nssModule_AddRef
-(
-  NSSModule *mod
-);
-
-NSS_EXTERN NSSUTF8 *
-nssModule_GetName
-(
-  NSSModule *mod
-);
-
-NSS_EXTERN NSSSlot **
-nssModule_GetSlots
-(
-  NSSModule *mod
-);
-
-NSS_EXTERN NSSSlot *
-nssModule_FindSlotByName
-(
-  NSSModule *mod,
-  NSSUTF8 *slotName
-);
-
-NSS_EXTERN NSSToken *
-nssModule_FindTokenByName
-(
-  NSSModule *mod,
-  NSSUTF8 *tokenName
-);
-
-NSS_EXTERN PRInt32
-nssModule_GetCertOrder
-(
-  NSSModule *module
-);
-
-/* NSSSlot
- *
- * nssSlot_Destroy
- * nssSlot_AddRef
- * nssSlot_GetName
- * nssSlot_GetTokenName
- * nssSlot_IsTokenPresent
- * nssSlot_IsPermanent
- * nssSlot_IsFriendly
- * nssSlot_IsHardware
- * nssSlot_Refresh
- * nssSlot_GetModule
- * nssSlot_GetToken
- * nssSlot_Login
- * nssSlot_Logout
- * nssSlot_SetPassword
- * nssSlot_CreateSession
- */
-
-NSS_EXTERN PRStatus
-nssSlot_Destroy
-(
-  NSSSlot *slot
-);
-
-NSS_EXTERN NSSSlot *
-nssSlot_AddRef
-(
-  NSSSlot *slot
-);
-
-NSS_EXTERN void
-nssSlot_ResetDelay
-(
-  NSSSlot *slot
-);
-
-NSS_EXTERN NSSUTF8 *
-nssSlot_GetName
-(
-  NSSSlot *slot
-);
-
-NSS_EXTERN NSSUTF8 *
-nssSlot_GetTokenName
-(
-  NSSSlot *slot
-);
-
-NSS_EXTERN NSSModule *
-nssSlot_GetModule
-(
-  NSSSlot *slot
-);
-
-NSS_EXTERN NSSToken *
-nssSlot_GetToken
-(
-  NSSSlot *slot
-);
-
-NSS_EXTERN PRBool
-nssSlot_IsTokenPresent
-(
-  NSSSlot *slot
-);
-
-NSS_EXTERN PRBool
-nssSlot_IsPermanent
-(
-  NSSSlot *slot
-);
-
-NSS_EXTERN PRBool
-nssSlot_IsFriendly
-(
-  NSSSlot *slot
-);
-
-NSS_EXTERN PRBool
-nssSlot_IsHardware
-(
-  NSSSlot *slot
-);
-
-NSS_EXTERN PRBool
-nssSlot_IsLoggedIn
-(
-  NSSSlot *slot
-);
-
-NSS_EXTERN PRStatus
-nssSlot_Refresh
-(
-  NSSSlot *slot
-);
-
-NSS_EXTERN PRStatus
-nssSlot_Login
-(
-  NSSSlot *slot,
-  NSSCallback *pwcb
-);
-extern const NSSError NSS_ERROR_INVALID_PASSWORD;
-extern const NSSError NSS_ERROR_USER_CANCELED;
-
-NSS_EXTERN PRStatus
-nssSlot_Logout
-(
-  NSSSlot *slot,
-  nssSession *sessionOpt
-);
-
-NSS_EXTERN void
-nssSlot_EnterMonitor
-(
-  NSSSlot *slot
-);
-
-NSS_EXTERN void
-nssSlot_ExitMonitor
-(
-  NSSSlot *slot
-);
-
-#define NSSSLOT_ASK_PASSWORD_FIRST_TIME -1
-#define NSSSLOT_ASK_PASSWORD_EVERY_TIME  0
-NSS_EXTERN void
-nssSlot_SetPasswordDefaults
-(
-  NSSSlot *slot,
-  PRInt32 askPasswordTimeout
-);
-
-NSS_EXTERN PRStatus
-nssSlot_SetPassword
-(
-  NSSSlot *slot,
-  NSSUTF8 *oldPasswordOpt,
-  NSSUTF8 *newPassword
-);
-extern const NSSError NSS_ERROR_INVALID_PASSWORD;
-extern const NSSError NSS_ERROR_USER_CANCELED;
-
-/*
- * nssSlot_IsLoggedIn
- */
-
-NSS_EXTERN nssSession *
-nssSlot_CreateSession
-(
-  NSSSlot *slot,
-  NSSArena *arenaOpt,
-  PRBool readWrite /* so far, this is the only flag used */
-);
-
-/* NSSToken
- *
- * nssToken_Destroy
- * nssToken_AddRef
- * nssToken_GetName
- * nssToken_GetModule
- * nssToken_GetSlot
- * nssToken_NeedsPINInitialization
- * nssToken_ImportCertificate
- * nssToken_ImportTrust
- * nssToken_ImportCRL
- * nssToken_GenerateKeyPair
- * nssToken_GenerateSymmetricKey
- * nssToken_DeleteStoredObject
- * nssToken_FindCertificates
- * nssToken_FindCertificatesBySubject
- * nssToken_FindCertificatesByNickname
- * nssToken_FindCertificatesByEmail
- * nssToken_FindCertificateByIssuerAndSerialNumber
- * nssToken_FindCertificateByEncodedCertificate
- * nssToken_FindTrustObjects
- * nssToken_FindTrustForCertificate
- * nssToken_FindCRLs
- * nssToken_FindCRLsBySubject
- * nssToken_FindPrivateKeys
- * nssToken_FindPrivateKeyByID
- * nssToken_Digest
- * nssToken_BeginDigest
- * nssToken_ContinueDigest
- * nssToken_FinishDigest
- */
-
-NSS_EXTERN PRStatus
-nssToken_Destroy
-(
-  NSSToken *tok
-);
-
-NSS_EXTERN NSSToken *
-nssToken_AddRef
-(
-  NSSToken *tok
-);
-
-NSS_EXTERN NSSUTF8 *
-nssToken_GetName
-(
-  NSSToken *tok
-);
-
-NSS_EXTERN NSSModule *
-nssToken_GetModule
-(
-  NSSToken *token
-);
-
-NSS_EXTERN NSSSlot *
-nssToken_GetSlot
-(
-  NSSToken *tok
-);
-
-NSS_EXTERN PRBool
-nssToken_NeedsPINInitialization
-(
-  NSSToken *token
-);
-
-NSS_EXTERN nssCryptokiObject *
-nssToken_ImportCertificate
-(
-  NSSToken *tok,
-  nssSession *sessionOpt,
-  NSSCertificateType certType,
-  NSSItem *id,
-  NSSUTF8 *nickname,
-  NSSDER *encoding,
-  NSSDER *issuer,
-  NSSDER *subject,
-  NSSDER *serial,
-  NSSASCII7 *emailAddr,
-  PRBool asTokenObject
-);
-
-NSS_EXTERN nssCryptokiObject *
-nssToken_ImportTrust
-(
-  NSSToken *tok,
-  nssSession *sessionOpt,
-  NSSDER *certEncoding,
-  NSSDER *certIssuer,
-  NSSDER *certSerial,
-  nssTrustLevel serverAuth,
-  nssTrustLevel clientAuth,
-  nssTrustLevel codeSigning,
-  nssTrustLevel emailProtection,
-  PRBool stepUpApproved,
-  PRBool asTokenObject
-);
-
-NSS_EXTERN nssCryptokiObject *
-nssToken_ImportCRL
-(
-  NSSToken *token,
-  nssSession *sessionOpt,
-  NSSDER *subject,
-  NSSDER *encoding,
-  PRBool isKRL,
-  NSSUTF8 *url,
-  PRBool asTokenObject
-);
-
-/* Permanently remove an object from the token. */
-NSS_EXTERN PRStatus
-nssToken_DeleteStoredObject
-(
-  nssCryptokiObject *instance
-);
-
-NSS_EXTERN nssCryptokiObject **
-nssToken_FindCertificates
-(
-  NSSToken *token,
-  nssSession *sessionOpt,
-  nssTokenSearchType searchType,
-  PRUint32 maximumOpt,
-  PRStatus *statusOpt
-);
-
-NSS_EXTERN nssCryptokiObject **
-nssToken_FindCertificatesBySubject
-(
-  NSSToken *token,
-  nssSession *sessionOpt,
-  NSSDER *subject,
-  nssTokenSearchType searchType,
-  PRUint32 maximumOpt,
-  PRStatus *statusOpt
-);
-
-NSS_EXTERN nssCryptokiObject **
-nssToken_FindCertificatesByNickname
-(
-  NSSToken *token,
-  nssSession *sessionOpt,
-  NSSUTF8 *name,
-  nssTokenSearchType searchType,
-  PRUint32 maximumOpt,
-  PRStatus *statusOpt
-);
-
-NSS_EXTERN nssCryptokiObject **
-nssToken_FindCertificatesByEmail
-(
-  NSSToken *token,
-  nssSession *sessionOpt,
-  NSSASCII7 *email,
-  nssTokenSearchType searchType,
-  PRUint32 maximumOpt,
-  PRStatus *statusOpt
-);
-
-NSS_EXTERN nssCryptokiObject **
-nssToken_FindCertificatesByID
-(
-  NSSToken *token,
-  nssSession *sessionOpt,
-  NSSItem *id,
-  nssTokenSearchType searchType,
-  PRUint32 maximumOpt,
-  PRStatus *statusOpt
-);
-
-NSS_EXTERN nssCryptokiObject *
-nssToken_FindCertificateByIssuerAndSerialNumber
-(
-  NSSToken *token,
-  nssSession *sessionOpt,
-  NSSDER *issuer,
-  NSSDER *serial,
-  nssTokenSearchType searchType,
-  PRStatus *statusOpt
-);
-
-NSS_EXTERN nssCryptokiObject *
-nssToken_FindCertificateByEncodedCertificate
-(
-  NSSToken *token,
-  nssSession *sessionOpt,
-  NSSBER *encodedCertificate,
-  nssTokenSearchType searchType,
-  PRStatus *statusOpt
-);
-
-NSS_EXTERN nssCryptokiObject **
-nssToken_FindTrustObjects
-(
-  NSSToken *token,
-  nssSession *sessionOpt,
-  nssTokenSearchType searchType,
-  PRUint32 maximumOpt,
-  PRStatus *statusOpt
-);
-
-NSS_EXTERN nssCryptokiObject *
-nssToken_FindTrustForCertificate
-(
-  NSSToken *token,
-  nssSession *sessionOpt,
-  NSSDER *certEncoding,
-  NSSDER *certIssuer,
-  NSSDER *certSerial,
-  nssTokenSearchType searchType
-);
-
-NSS_EXTERN nssCryptokiObject **
-nssToken_FindCRLs
-(
-  NSSToken *token,
-  nssSession *sessionOpt,
-  nssTokenSearchType searchType,
-  PRUint32 maximumOpt,
-  PRStatus *statusOpt
-);
-
-NSS_EXTERN nssCryptokiObject **
-nssToken_FindCRLsBySubject
-(
-  NSSToken *token,
-  nssSession *sessionOpt,
-  NSSDER *subject,
-  nssTokenSearchType searchType,
-  PRUint32 maximumOpt,
-  PRStatus *statusOpt
-);
-
-NSS_EXTERN nssCryptokiObject **
-nssToken_FindPrivateKeys
-(
-  NSSToken *token,
-  nssSession *sessionOpt,
-  nssTokenSearchType searchType,
-  PRUint32 maximumOpt,
-  PRStatus *statusOpt
-);
-
-NSS_EXTERN nssCryptokiObject *
-nssToken_FindPrivateKeyByID
-(
-  NSSToken *token,
-  nssSession *sessionOpt,
-  NSSItem *keyID
-);
-
-NSS_EXTERN nssCryptokiObject *
-nssToken_FindPublicKeyByID
-(
-  NSSToken *token,
-  nssSession *sessionOpt,
-  NSSItem *keyID
-);
-
-NSS_EXTERN NSSItem *
-nssToken_Digest
-(
-  NSSToken *tok,
-  nssSession *sessionOpt,
-  NSSAlgorithmAndParameters *ap,
-  NSSItem *data,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-NSS_EXTERN PRStatus
-nssToken_BeginDigest
-(
-  NSSToken *tok,
-  nssSession *sessionOpt,
-  NSSAlgorithmAndParameters *ap
-);
-
-NSS_EXTERN PRStatus
-nssToken_ContinueDigest
-(
-  NSSToken *tok,
-  nssSession *sessionOpt,
-  NSSItem *item
-);
-
-NSS_EXTERN NSSItem *
-nssToken_FinishDigest
-(
-  NSSToken *tok,
-  nssSession *sessionOpt,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/* nssSession
- *
- * nssSession_Destroy
- * nssSession_EnterMonitor
- * nssSession_ExitMonitor
- * nssSession_IsReadWrite
- */
-
-NSS_EXTERN PRStatus
-nssSession_Destroy
-(
-  nssSession *s
-);
-
-/* would like to inline */
-NSS_EXTERN PRStatus
-nssSession_EnterMonitor
-(
-  nssSession *s
-);
-
-/* would like to inline */
-NSS_EXTERN PRStatus
-nssSession_ExitMonitor
-(
-  nssSession *s
-);
-
-/* would like to inline */
-NSS_EXTERN PRBool
-nssSession_IsReadWrite
-(
-  nssSession *s
-);
-
-/* nssCryptokiObject
- *
- * An object living on a cryptoki token.
- * Not really proper to mix up the object types just because 
- * nssCryptokiObject itself is generic, but doing so anyway.
- *
- * nssCryptokiObject_Destroy
- * nssCryptokiObject_Equal
- * nssCryptokiObject_Clone
- * nssCryptokiCertificate_GetAttributes
- * nssCryptokiPrivateKey_GetAttributes
- * nssCryptokiPublicKey_GetAttributes
- * nssCryptokiTrust_GetAttributes
- * nssCryptokiCRL_GetAttributes
- */
-
-NSS_EXTERN void
-nssCryptokiObject_Destroy
-(
-  nssCryptokiObject *object
-);
-
-NSS_EXTERN PRBool
-nssCryptokiObject_Equal
-(
-  nssCryptokiObject *object1,
-  nssCryptokiObject *object2
-);
-
-NSS_EXTERN nssCryptokiObject *
-nssCryptokiObject_Clone
-(
-  nssCryptokiObject *object
-);
-
-NSS_EXTERN PRStatus
-nssCryptokiCertificate_GetAttributes
-(
-  nssCryptokiObject *object,
-  nssSession *sessionOpt,
-  NSSArena *arenaOpt,
-  NSSCertificateType *certTypeOpt,
-  NSSItem *idOpt,
-  NSSDER *encodingOpt,
-  NSSDER *issuerOpt,
-  NSSDER *serialOpt,
-  NSSDER *subjectOpt
-);
-
-NSS_EXTERN PRStatus
-nssCryptokiTrust_GetAttributes
-(
-  nssCryptokiObject *trustObject,
-  nssSession *sessionOpt,
-  NSSItem *sha1_hash,
-  nssTrustLevel *serverAuth,
-  nssTrustLevel *clientAuth,
-  nssTrustLevel *codeSigning,
-  nssTrustLevel *emailProtection,
-  PRBool *stepUpApproved
-);
-
-NSS_EXTERN PRStatus
-nssCryptokiCRL_GetAttributes
-(
-  nssCryptokiObject *crlObject,
-  nssSession *sessionOpt,
-  NSSArena *arenaOpt,
-  NSSItem *encodingOpt,
-  NSSItem * subjectOpt,
-  CK_ULONG * crl_class,
-  NSSUTF8 **urlOpt,
-  PRBool *isKRLOpt
-);
-
-/* I'm including this to handle import of certificates in NSS 3.5.  This
- * function will set the cert-related attributes of a key, in order to
- * associate it with a cert.  Does it stay like this for 4.0?
- */
-NSS_EXTERN PRStatus
-nssCryptokiPrivateKey_SetCertificate
-(
-  nssCryptokiObject *keyObject,
-  nssSession *sessionOpt,
-  NSSUTF8 *nickname,
-  NSSItem *id,
-  NSSDER *subject
-);
-
-NSS_EXTERN void
-nssModuleArray_Destroy
-(
-  NSSModule **modules
-);
-
-/* nssSlotArray
- *
- * nssSlotArray_Destroy
- */
-
-NSS_EXTERN void
-nssSlotArray_Destroy
-(
-  NSSSlot **slots
-);
-
-/* nssTokenArray
- *
- * nssTokenArray_Destroy
- */
-
-NSS_EXTERN void
-nssTokenArray_Destroy
-(
-  NSSToken **tokens
-);
-
-/* nssCryptokiObjectArray
- *
- * nssCryptokiObjectArray_Destroy
- */
-NSS_EXTERN void
-nssCryptokiObjectArray_Destroy
-(
-  nssCryptokiObject **object
-);
-
-/* nssSlotList
-*
- * An ordered list of slots.  The order can be anything, it is set in the
- * Add methods.  Perhaps it should be CreateInCertOrder, ...?
- *
- * nssSlotList_Create
- * nssSlotList_Destroy
- * nssSlotList_Add
- * nssSlotList_AddModuleSlots
- * nssSlotList_GetSlots
- * nssSlotList_FindSlotByName
- * nssSlotList_FindTokenByName
- * nssSlotList_GetBestSlot
- * nssSlotList_GetBestSlotForAlgorithmAndParameters
- * nssSlotList_GetBestSlotForAlgorithmsAndParameters
- */
-
-/* nssSlotList_Create
- */
-NSS_EXTERN nssSlotList *
-nssSlotList_Create
-(
-  NSSArena *arenaOpt
-);
-
-/* nssSlotList_Destroy
- */
-NSS_EXTERN void
-nssSlotList_Destroy
-(
-  nssSlotList *slotList
-);
-
-/* nssSlotList_Add
- *
- * Add the given slot in the given order.
- */
-NSS_EXTERN PRStatus
-nssSlotList_Add
-(
-  nssSlotList *slotList,
-  NSSSlot *slot,
-  PRUint32 order
-);
-
-/* nssSlotList_AddModuleSlots
- *
- * Add all slots in the module, in the given order (the slots will have
- * equal weight).
- */
-NSS_EXTERN PRStatus
-nssSlotList_AddModuleSlots
-(
-  nssSlotList *slotList,
-  NSSModule *module,
-  PRUint32 order
-);
-
-/* nssSlotList_GetSlots
- */
-NSS_EXTERN NSSSlot **
-nssSlotList_GetSlots
-(
-  nssSlotList *slotList
-);
-
-/* nssSlotList_FindSlotByName
- */
-NSS_EXTERN NSSSlot *
-nssSlotList_FindSlotByName
-(
-  nssSlotList *slotList,
-  NSSUTF8 *slotName
-);
-
-/* nssSlotList_FindTokenByName
- */
-NSS_EXTERN NSSToken *
-nssSlotList_FindTokenByName
-(
-  nssSlotList *slotList,
-  NSSUTF8 *tokenName
-);
-
-/* nssSlotList_GetBestSlot
- *
- * The best slot is the highest ranking in order, i.e., the first in the
- * list.
- */
-NSS_EXTERN NSSSlot *
-nssSlotList_GetBestSlot
-(
-  nssSlotList *slotList
-);
-
-/* nssSlotList_GetBestSlotForAlgorithmAndParameters
- *
- * Highest-ranking slot than can handle algorithm/parameters.
- */
-NSS_EXTERN NSSSlot *
-nssSlotList_GetBestSlotForAlgorithmAndParameters
-(
-  nssSlotList *slotList,
-  NSSAlgorithmAndParameters *ap
-);
-
-/* nssSlotList_GetBestSlotForAlgorithmsAndParameters
- *
- * Highest-ranking slot than can handle all algorithms/parameters.
- */
-NSS_EXTERN NSSSlot *
-nssSlotList_GetBestSlotForAlgorithmsAndParameters
-(
-  nssSlotList *slotList,
-  NSSAlgorithmAndParameters **ap
-);
-
-#ifdef NSS_3_4_CODE
-
-NSS_EXTERN PRBool
-nssToken_IsPresent
-(
-  NSSToken *token
-);
-
-NSS_EXTERN nssSession *
-nssToken_GetDefaultSession
-(
-  NSSToken *token
-);
-
-NSS_EXTERN PRStatus
-nssToken_GetTrustOrder
-(
-  NSSToken *tok
-);
-
-NSS_EXTERN PRStatus
-nssToken_NotifyCertsNotVisible
-(
-  NSSToken *tok
-);
-
-NSS_EXTERN PRStatus
-nssToken_TraverseCertificates
-(
-  NSSToken *token,
-  nssSession *sessionOpt,
-  nssTokenSearchType searchType,
-  PRStatus (* callback)(nssCryptokiObject *instance, void *arg),
-  void *arg
-);
-
-NSS_EXTERN PRBool
-nssToken_IsPrivateKeyAvailable
-(
-  NSSToken *token,
-  NSSCertificate *c,
-  nssCryptokiObject *instance
-);
-
-
-#endif
-
-PR_END_EXTERN_C
-
-#endif /* DEV_H */
diff --git a/security/nss/lib/dev/devm.h b/security/nss/lib/dev/devm.h
deleted file mode 100644
index faf61b35d..000000000
--- a/security/nss/lib/dev/devm.h
+++ /dev/null
@@ -1,245 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef DEVM_H
-#define DEVM_H
-
-#ifdef DEBUG
-static const char DEVM_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-#ifndef NSSCKT_H
-#include "nssckt.h"
-#endif /* NSSCKT_H */
-
-#ifndef DEV_H
-#include "dev.h"
-#endif /* DEV_H */
-
-#ifndef DEVTM_H
-#include "devtm.h"
-#endif /* DEVTM_H */
-
-PR_BEGIN_EXTERN_C
-
-/* Shortcut to cryptoki API functions. */
-#define CKAPI(epv) \
-    ((CK_FUNCTION_LIST_PTR)(epv))
-
-NSS_EXTERN void
-nssDevice_AddRef
-(
- struct nssDeviceBaseStr *device
-);
-
-NSS_EXTERN PRBool
-nssDevice_Destroy
-(
- struct nssDeviceBaseStr *device
-);
-
-NSS_EXTERN PRBool
-nssModule_IsThreadSafe
-(
-  NSSModule *module
-);
-
-NSS_EXTERN PRBool
-nssModule_IsInternal
-(
-  NSSModule *mod
-);
-
-NSS_EXTERN PRBool
-nssModule_IsModuleDBOnly
-(
-  NSSModule *mod
-);
-
-NSS_EXTERN void *
-nssModule_GetCryptokiEPV
-(
-  NSSModule *mod
-);
-
-NSS_EXTERN NSSSlot *
-nssSlot_Create
-(
-  CK_SLOT_ID slotId,
-  NSSModule *parent
-);
-
-NSS_EXTERN void *
-nssSlot_GetCryptokiEPV
-(
-  NSSSlot *slot
-);
-
-NSS_EXTERN NSSToken *
-nssToken_Create
-(
-  CK_SLOT_ID slotID,
-  NSSSlot *peer
-);
-
-NSS_EXTERN void *
-nssToken_GetCryptokiEPV
-(
-  NSSToken *token
-);
-
-NSS_EXTERN nssSession *
-nssToken_GetDefaultSession
-(
-  NSSToken *token
-);
-
-NSS_EXTERN PRBool
-nssToken_IsLoginRequired
-(
-  NSSToken *token
-);
-
-NSS_EXTERN void
-nssToken_Remove
-(
-  NSSToken *token
-);
-
-NSS_EXTERN nssCryptokiObject *
-nssCryptokiObject_Create
-(
-  NSSToken *t, 
-  nssSession *session,
-  CK_OBJECT_HANDLE h
-);
-
-NSS_EXTERN nssTokenObjectCache *
-nssTokenObjectCache_Create
-(
-  NSSToken *token,
-  PRBool cacheCerts,
-  PRBool cacheTrust,
-  PRBool cacheCRLs
-);
-
-NSS_EXTERN void
-nssTokenObjectCache_Destroy
-(
-  nssTokenObjectCache *cache
-);
-
-NSS_EXTERN void
-nssTokenObjectCache_Clear
-(
-  nssTokenObjectCache *cache
-);
-
-NSS_EXTERN PRBool
-nssTokenObjectCache_HaveObjectClass
-(
-  nssTokenObjectCache *cache,
-  CK_OBJECT_CLASS objclass
-);
-
-NSS_EXTERN nssCryptokiObject **
-nssTokenObjectCache_FindObjectsByTemplate
-(
-  nssTokenObjectCache *cache,
-  CK_OBJECT_CLASS objclass,
-  CK_ATTRIBUTE_PTR otemplate,
-  CK_ULONG otlen,
-  PRUint32 maximumOpt,
-  PRStatus *statusOpt
-);
-
-NSS_EXTERN PRStatus
-nssTokenObjectCache_GetObjectAttributes
-(
-  nssTokenObjectCache *cache,
-  NSSArena *arenaOpt,
-  nssCryptokiObject *object,
-  CK_OBJECT_CLASS objclass,
-  CK_ATTRIBUTE_PTR atemplate,
-  CK_ULONG atlen
-);
-
-NSS_EXTERN PRStatus
-nssTokenObjectCache_ImportObject
-(
-  nssTokenObjectCache *cache,
-  nssCryptokiObject *object,
-  CK_OBJECT_CLASS objclass,
-  CK_ATTRIBUTE_PTR ot,
-  CK_ULONG otlen
-);
-
-NSS_EXTERN void
-nssTokenObjectCache_RemoveObject
-(
-  nssTokenObjectCache *cache,
-  nssCryptokiObject *object
-);
-
-/* XXX allows peek back into token */
-NSS_EXTERN PRStatus
-nssToken_GetCachedObjectAttributes
-(
-  NSSToken *token,
-  NSSArena *arenaOpt,
-  nssCryptokiObject *object,
-  CK_OBJECT_CLASS objclass,
-  CK_ATTRIBUTE_PTR atemplate,
-  CK_ULONG atlen
-);
-
-/* PKCS#11 stores strings in a fixed-length buffer padded with spaces.  This
- * function gets the length of the actual string.
- */
-NSS_EXTERN PRUint32
-nssPKCS11String_Length
-(
-  CK_CHAR *pkcs11str, 
-  PRUint32 bufLen
-);
-
-PR_END_EXTERN_C
-
-#endif /* DEV_H */
diff --git a/security/nss/lib/dev/devmod.c b/security/nss/lib/dev/devmod.c
deleted file mode 100644
index 85e5c9dda..000000000
--- a/security/nss/lib/dev/devmod.c
+++ /dev/null
@@ -1,878 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#ifndef NSSCKEPV_H
-#include "nssckepv.h"
-#endif /* NSSCKEPV_H */
-
-#ifndef DEVM_H
-#include "devm.h"
-#endif /* DEVM_H */
-
-#ifndef CKHELPER_H
-#include "ckhelper.h"
-#endif /* CKHELPER_H */
-
-#ifdef PURE_STAN_CODE
-
-extern void FC_GetFunctionList(void);
-extern void NSC_GetFunctionList(void);
-extern void NSC_ModuleDBFunc(void);
-
-/* The list of boolean flags used to describe properties of a
- * module.
- */
-#define NSSMODULE_FLAGS_NOT_THREADSAFE 0x0001 /* isThreadSafe */
-#define NSSMODULE_FLAGS_INTERNAL       0x0002 /* isInternal   */
-#define NSSMODULE_FLAGS_FIPS           0x0004 /* isFIPS       */
-#define NSSMODULE_FLAGS_MODULE_DB      0x0008 /* isModuleDB   */
-#define NSSMODULE_FLAGS_MODULE_DB_ONLY 0x0010 /* moduleDBOnly */
-#define NSSMODULE_FLAGS_CRITICAL       0x0020 /* isCritical   */
-
-struct NSSModuleStr {
-  struct nssDeviceBaseStr base;
-  NSSUTF8 *libraryName;
-  PRLibrary *library;
-  char *libraryParams;
-  void *moduleDBFunc;
-  void *epv;
-  CK_INFO info;
-  NSSSlot **slots;
-  PRUint32 numSlots;
-  PRBool isLoaded;
-  struct {
-    PRInt32 trust;
-    PRInt32 cipher;
-    PRInt32 certStorage;
-  } order;
-};
-
-#define NSSMODULE_IS_THREADSAFE(module) \
-    (!(module->base.flags & NSSMODULE_FLAGS_NOT_THREADSAFE))
-
-#define NSSMODULE_IS_INTERNAL(module) \
-    (module->base.flags & NSSMODULE_FLAGS_INTERNAL)
-
-#define NSSMODULE_IS_FIPS(module) \
-    (module->base.flags & NSSMODULE_FLAGS_FIPS)
-
-#define NSSMODULE_IS_MODULE_DB(module) \
-    (module->base.flags & NSSMODULE_FLAGS_MODULE_DB)
-
-#define NSSMODULE_IS_MODULE_DB_ONLY(module) \
-    (module->base.flags & NSSMODULE_FLAGS_MODULE_DB_ONLY)
-
-#define NSSMODULE_IS_CRITICAL(module) \
-    (module->base.flags & NSSMODULE_FLAGS_CRITICAL)
-
-/* Threading callbacks for C_Initialize.  Use NSPR threads. */
-
-CK_RV PR_CALLBACK 
-nss_ck_CreateMutex(CK_VOID_PTR_PTR pMutex)
-{
-    CK_VOID_PTR mutex = (CK_VOID_PTR)PZ_NewLock(nssILockOther);
-    if (mutex != NULL) {
-	*pMutex = (CK_VOID_PTR)mutex;
-	return CKR_OK;
-    }
-    return CKR_HOST_MEMORY;
-}
-
-CK_RV PR_CALLBACK
-nss_ck_DestroyMutex(CK_VOID_PTR mutex)
-{
-    PZ_DestroyLock((PZLock *)mutex);
-    return CKR_OK;
-}
-
-CK_RV PR_CALLBACK
-nss_ck_LockMutex(CK_VOID_PTR mutex)
-{
-    PZ_Lock((PZLock *)mutex);
-    return CKR_OK;
-}
-
-CK_RV PR_CALLBACK
-nss_ck_UnlockMutex(CK_VOID_PTR mutex)
-{
-    return (PZ_Unlock((PZLock *)mutex) == PR_SUCCESS) ? 
-	CKR_OK : CKR_MUTEX_NOT_LOCKED;
-}
-
-/* Default callback args to C_Initialize */
-/* XXX not const because we are modifying the pReserved argument in order
- *     to use the libraryParams extension.
- */
-static CK_C_INITIALIZE_ARGS 
-s_ck_initialize_args = {
-    nss_ck_CreateMutex,         /* CreateMutex  */
-    nss_ck_DestroyMutex,        /* DestroyMutex */
-    nss_ck_LockMutex,           /* LockMutex    */
-    nss_ck_UnlockMutex,         /* UnlockMutex  */
-    CKF_LIBRARY_CANT_CREATE_OS_THREADS |
-    CKF_OS_LOCKING_OK,          /* flags        */
-    NULL                        /* pReserved    */
-};
-
-/* load all slots in a module. */
-static PRStatus
-module_load_slots(NSSModule *mod)
-{
-    CK_ULONG i, ulNumSlots;
-    CK_SLOT_ID *slotIDs;
-    nssArenaMark *mark = NULL;
-    NSSSlot **slots;
-    PRStatus nssrv;
-    CK_RV ckrv;
-    /* Get the number of slots */
-    ckrv = CKAPI(mod->epv)->C_GetSlotList(CK_FALSE, NULL, &ulNumSlots);
-    if (ckrv != CKR_OK) {
-	/* what is the error? */
-	return PR_FAILURE;
-    }
-    /* Alloc memory for the array of slot ID's */
-    slotIDs = nss_ZNEWARRAY(NULL, CK_SLOT_ID, ulNumSlots);
-    if (!slotIDs) {
-	goto loser;
-    }
-    /* Get the actual slot list */
-    ckrv = CKAPI(mod->epv)->C_GetSlotList(CK_FALSE, slotIDs, &ulNumSlots);
-    if (ckrv != CKR_OK) {
-	/* what is the error? */
-	goto loser;
-    }
-    /* Alloc memory for the array of slots, in the module's arena */
-    mark = nssArena_Mark(mod->base.arena); /* why mark? it'll be destroyed */
-    if (!mark) {
-	return PR_FAILURE;
-    }
-    slots = nss_ZNEWARRAY(mod->base.arena, NSSSlot *, ulNumSlots);
-    if (!slots) {
-	goto loser;
-    }
-    /* Initialize each slot */
-    for (i=0; i<ulNumSlots; i++) {
-	slots[i] = nssSlot_Create(slotIDs[i], mod);
-    }
-    nss_ZFreeIf(slotIDs);
-    nssrv = nssArena_Unmark(mod->base.arena, mark);
-    if (nssrv != PR_SUCCESS) {
-	goto loser;
-    }
-    mod->slots = slots;
-    mod->numSlots = ulNumSlots;
-    return PR_SUCCESS;
-loser:
-    if (mark) {
-	nssArena_Release(mod->base.arena, mark);
-    }
-    nss_ZFreeIf(slotIDs);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT PRStatus
-nssModule_Load (
-  NSSModule *mod
-)
-{
-    PRLibrary *library = NULL;
-    CK_C_GetFunctionList epv;
-    CK_RV ckrv;
-    if (NSSMODULE_IS_INTERNAL(mod)) {
-	/* internal, statically get the C_GetFunctionList function */
-	if (NSSMODULE_IS_FIPS(mod)) {
-	    epv = (CK_C_GetFunctionList) FC_GetFunctionList;
-	} else {
-	    epv = (CK_C_GetFunctionList) NSC_GetFunctionList;
-	}
-	if (NSSMODULE_IS_MODULE_DB(mod)) {
-	    mod->moduleDBFunc = (void *) NSC_ModuleDBFunc;
-	}
-	if (NSSMODULE_IS_MODULE_DB_ONLY(mod)) {
-	    mod->isLoaded = PR_TRUE; /* XXX needed? */
-	    return PR_SUCCESS;
-	}
-    } else {
-	/* Use NSPR to load the library */
-	library = PR_LoadLibrary(mod->libraryName);
-	if (!library) {
-	    /* what's the error to set? */
-	    return PR_FAILURE;
-	}
-	mod->library = library;
-	/* Skip if only getting the db loader function */
-	if (!NSSMODULE_IS_MODULE_DB_ONLY(mod)) {
-	    /* Load the cryptoki entry point function */
-	    epv = (CK_C_GetFunctionList)PR_FindSymbol(library, 
-	                                              "C_GetFunctionList");
-	}
-	/* Load the module database loader function */
-	if (NSSMODULE_IS_MODULE_DB(mod)) {
-	    mod->moduleDBFunc = (void *)PR_FindSymbol(library, 
-	                                          "NSS_ReturnModuleSpecData");
-	}
-    }
-    if (epv == NULL) {
-	goto loser;
-    }
-    /* Load the cryptoki entry point vector (function list) */
-    ckrv = (*epv)((CK_FUNCTION_LIST_PTR *)&mod->epv);
-    if (ckrv != CKR_OK) {
-	goto loser;
-    }
-    /* Initialize the module */
-    if (mod->libraryParams) {
-	s_ck_initialize_args.LibraryParameters = (void *)mod->libraryParams;
-    } else {
-	s_ck_initialize_args.LibraryParameters = NULL;
-    }
-    ckrv = CKAPI(mod->epv)->C_Initialize(&s_ck_initialize_args);
-    if (ckrv != CKR_OK) {
-	/* Apparently the token is not thread safe.  Retry without 
-	 * threading parameters. 
-	 */
-        mod->base.flags |= NSSMODULE_FLAGS_NOT_THREADSAFE;
-	ckrv = CKAPI(mod->epv)->C_Initialize((CK_VOID_PTR)NULL);
-	if (ckrv != CKR_OK) {
-	    goto loser;
-	}
-    }
-    /* TODO: check the version # using C_GetInfo */
-    ckrv = CKAPI(mod->epv)->C_GetInfo(&mod->info);
-    if (ckrv != CKR_OK) {
-	goto loser;
-    }
-    /* TODO: if the name is not set, get it from info.libraryDescription */
-    /* Now load the slots */
-    if (module_load_slots(mod) != PR_SUCCESS) {
-	goto loser;
-    }
-    /* Module has successfully loaded */
-    mod->isLoaded = PR_TRUE;
-    return PR_SUCCESS;
-loser:
-    if (library) {
-	PR_UnloadLibrary(library);
-    }
-    /* clear all values set above, they are invalid now */
-    mod->library = NULL;
-    mod->epv = NULL;
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT PRStatus
-nssModule_Unload (
-  NSSModule *mod
-)
-{
-    PRStatus nssrv = PR_SUCCESS;
-    if (mod->library) {
-	(void)CKAPI(mod->epv)->C_Finalize(NULL);
-	nssrv = PR_UnloadLibrary(mod->library);
-    }
-    /* Free the slots, yes? */
-    mod->library = NULL;
-    mod->epv = NULL;
-    mod->isLoaded = PR_FALSE;
-    return nssrv;
-}
-
-/* Alloc memory for a module.  Copy in the module name and library path
- *  if provided.  XXX use the opaque arg also, right? 
- */
-NSS_IMPLEMENT NSSModule *
-nssModule_Create (
-  NSSUTF8 *moduleOpt,
-  NSSUTF8 *uriOpt,
-  NSSUTF8 *opaqueOpt,
-  void    *reserved
-)
-{
-    NSSArena *arena;
-    NSSModule *rvMod;
-    arena = NSSArena_Create();
-    if(!arena) {
-	return (NSSModule *)NULL;
-    }
-    rvMod = nss_ZNEW(arena, NSSModule);
-    if (!rvMod) {
-	goto loser;
-    }
-    if (moduleOpt) {
-	/* XXX making the gross assumption this is just the module name */
-	/* if the name is a duplicate, should that be tested here?  or
-	 *  wait for Load? 
-	 */
-	rvMod->base.name = nssUTF8_Duplicate(moduleOpt, arena);
-	if (!rvMod->base.name) {
-	    goto loser;
-	}
-    }
-    if (uriOpt) {
-	/* Load the module from a URI. */
-	/* XXX at this time - only file URI (even worse, no file:// for now) */
-	rvMod->libraryName = nssUTF8_Duplicate(uriOpt, arena);
-	if (!rvMod->libraryName) {
-	    goto loser;
-	}
-    }
-    rvMod->base.arena = arena;
-    rvMod->base.refCount = 1;
-    rvMod->base.lock = PZ_NewLock(nssNSSILockOther);
-    if (!rvMod->base.lock) {
-	goto loser;
-    }
-    /* everything else is 0/NULL at this point. */
-    return rvMod;
-loser:
-    nssArena_Destroy(arena);
-    return (NSSModule *)NULL;
-}
-
-NSS_EXTERN PRStatus
-nssCryptokiArgs_ParseNextPair (
-  NSSUTF8 *start,
-  NSSUTF8 **attrib,
-  NSSUTF8 **value,
-  NSSUTF8 **remainder,
-  NSSArena *arenaOpt
-);
-
-static PRStatus
-parse_slot_flags (
-  NSSSlot *slot,
-  NSSUTF8 *slotFlags
-)
-{
-    PRStatus nssrv = PR_SUCCESS;
-#if 0
-    PRBool done = PR_FALSE;
-    NSSUTF8 *mark, *last;
-    last = mark = slotFlags;
-    while (PR_TRUE) {
-	while (*mark && *mark != ',') ++mark;
-	if (!*mark) done = PR_TRUE;
-	*mark = '\0';
-	if (nssUTF8_Equal(last, "RANDOM", &nssrv)) {
-	    slot->base.flags |= NSSSLOT_FLAGS_HAS_RANDOM;
-	} else if (nssUTF8_Equal(last, "RSA", &nssrv)) {
-	    slot->base.flags |= NSSSLOT_FLAGS_RSA;
-	} else if (nssUTF8_Equal(last, "DSA", &nssrv)) {
-	    slot->base.flags |= NSSSLOT_FLAGS_DSA;
-	} else if (nssUTF8_Equal(last, "DH", &nssrv)) {
-	    slot->base.flags |= NSSSLOT_FLAGS_DH;
-	} else if (nssUTF8_Equal(last, "RC2", &nssrv)) {
-	    slot->base.flags |= NSSSLOT_FLAGS_RC2;
-	} else if (nssUTF8_Equal(last, "RC4", &nssrv)) {
-	    slot->base.flags |= NSSSLOT_FLAGS_RC4;
-	} else if (nssUTF8_Equal(last, "RC5", &nssrv)) {
-	    slot->base.flags |= NSSSLOT_FLAGS_RC5;
-	} else if (nssUTF8_Equal(last, "DES", &nssrv)) {
-	    slot->base.flags |= NSSSLOT_FLAGS_DES;
-	} else if (nssUTF8_Equal(last, "AES", &nssrv)) {
-	    slot->base.flags |= NSSSLOT_FLAGS_AES;
-	} else if (nssUTF8_Equal(last, "SHA1", &nssrv)) {
-	    slot->base.flags |= NSSSLOT_FLAGS_SHA1;
-	} else if (nssUTF8_Equal(last, "MD2", &nssrv)) {
-	    slot->base.flags |= NSSSLOT_FLAGS_MD2;
-	} else if (nssUTF8_Equal(last, "MD5", &nssrv)) {
-	    slot->base.flags |= NSSSLOT_FLAGS_MD5;
-	} else if (nssUTF8_Equal(last, "SSL", &nssrv)) {
-	    slot->base.flags |= NSSSLOT_FLAGS_SSL;
-	} else if (nssUTF8_Equal(last, "TLS", &nssrv)) {
-	    slot->base.flags |= NSSSLOT_FLAGS_TLS;
-	} else if (nssUTF8_Equal(last, "PublicCerts", &nssrv)) {
-	    slot->base.flags |= NSSSLOT_FLAGS_FRIENDLY;
-	} else {
-	    return PR_FAILURE;
-	}
-	if (done) break;
-	last = ++mark;
-    }
-#endif
-    return nssrv;
-}
-
-static PRStatus
-parse_slot_parameters (
-  NSSSlot *slot,
-  NSSUTF8 *slotParams,
-  NSSArena *tmparena
-)
-{
-    PRStatus nssrv = PR_SUCCESS;
-    NSSUTF8 *current, *remainder;
-    NSSUTF8 *attrib, *value;
-    current = slotParams;
-    while (nssrv == PR_SUCCESS) {
-	nssrv = nssCryptokiArgs_ParseNextPair(current, 
-	                                      &attrib, &value, 
-	                                      &remainder, tmparena);
-	if (nssrv != PR_SUCCESS) break;
-	if (value) {
-	    if (nssUTF8_Equal(attrib, "slotFlags", &nssrv)) {
-		nssrv = parse_slot_flags(slot, value);
-	    } else if (nssUTF8_Equal(attrib, "askpw", &nssrv)) {
-	    } else if (nssUTF8_Equal(attrib, "timeout", &nssrv)) {
-	    }
-	}
-	if (*remainder == '\0') break;
-	current = remainder;
-    }
-    return nssrv;
-}
-
-/* softoken seems to use "0x0000001", but no standard yet...  perhaps this
- * should store the number as an ID, in case the input isn't 1,2,3,...?
- */
-static PRIntn
-get_slot_number(NSSUTF8* snString)
-{
-    /* XXX super big hack */
-    return atoi(&snString[strlen(snString)-1]);
-}
-
-static PRStatus
-parse_module_slot_parameters (
-  NSSModule *mod,
-  NSSUTF8 *slotParams
-)
-{
-    PRStatus nssrv = PR_SUCCESS;
-    NSSUTF8 *current, *remainder;
-    NSSUTF8 *attrib, *value;
-    NSSArena *tmparena;
-    PRIntn slotNum;
-    tmparena = nssArena_Create();
-    if (!tmparena) {
-	return PR_FAILURE;
-    }
-    current = slotParams;
-    while (nssrv == PR_SUCCESS) {
-	nssrv = nssCryptokiArgs_ParseNextPair(current, 
-	                                      &attrib, &value, 
-	                                      &remainder, tmparena);
-	if (nssrv != PR_SUCCESS) break;
-	if (value) {
-	    slotNum = get_slot_number(attrib);
-	    if (slotNum < 0 || slotNum > mod->numSlots) {
-		return PR_FAILURE;
-	    }
-	    nssrv = parse_slot_parameters(mod->slots[slotNum], 
-	                                  value, tmparena);
-	    if (nssrv != PR_SUCCESS) break;
-	}
-	if (*remainder == '\0') break;
-	current = remainder;
-    }
-    return nssrv;
-}
-
-static PRStatus
-parse_nss_flags (
-  NSSModule *mod,
-  NSSUTF8 *nssFlags
-)
-{
-    PRStatus nssrv = PR_SUCCESS;
-    PRBool done = PR_FALSE;
-    NSSUTF8 *mark, *last;
-    last = mark = nssFlags;
-    while (PR_TRUE) {
-	while (*mark && *mark != ',') ++mark;
-	if (!*mark) done = PR_TRUE;
-	*mark = '\0';
-	if (nssUTF8_Equal(last, "internal", &nssrv)) {
-	    mod->base.flags |= NSSMODULE_FLAGS_INTERNAL;
-	} else if (nssUTF8_Equal(last, "moduleDB", &nssrv)) {
-	    mod->base.flags |= NSSMODULE_FLAGS_MODULE_DB;
-	} else if (nssUTF8_Equal(last, "moduleDBOnly", &nssrv)) {
-	    mod->base.flags |= NSSMODULE_FLAGS_MODULE_DB_ONLY;
-	} else if (nssUTF8_Equal(last, "critical", &nssrv)) {
-	    mod->base.flags |= NSSMODULE_FLAGS_CRITICAL;
-	} else {
-	    return PR_FAILURE;
-	}
-	if (done) break;
-	last = ++mark;
-    }
-    return nssrv;
-}
-
-static PRStatus
-parse_nss_parameters (
-  NSSModule *mod,
-  NSSUTF8 *nssParams,
-  NSSArena *tmparena,
-  NSSUTF8 **slotParams
-)
-{
-    PRStatus nssrv = PR_SUCCESS;
-    NSSUTF8 *current, *remainder;
-    NSSUTF8 *attrib, *value;
-    current = nssParams;
-    while (nssrv == PR_SUCCESS) {
-	nssrv = nssCryptokiArgs_ParseNextPair(current, 
-	                                      &attrib, &value, 
-	                                      &remainder, tmparena);
-	if (nssrv != PR_SUCCESS) break;
-	if (value) {
-	    if (nssUTF8_Equal(attrib, "flags", &nssrv) ||
-	        nssUTF8_Equal(attrib, "Flags", &nssrv)) {
-		nssrv = parse_nss_flags(mod, value);
-	    } else if (nssUTF8_Equal(attrib, "trustOrder", &nssrv)) {
-		mod->order.trust = atoi(value);
-	    } else if (nssUTF8_Equal(attrib, "cipherOrder", &nssrv)) {
-		mod->order.cipher = atoi(value);
-	    } else if (nssUTF8_Equal(attrib, "ciphers", &nssrv)) {
-	    } else if (nssUTF8_Equal(attrib, "slotParams", &nssrv)) {
-		/* slotParams doesn't get an arena, it is handled separately */
-		*slotParams = nssUTF8_Duplicate(value, NULL);
-	    }
-	}
-	if (*remainder == '\0') break;
-	current = remainder;
-    }
-    return nssrv;
-}
-
-static PRStatus
-parse_module_parameters (
-  NSSModule *mod,
-  NSSUTF8 *moduleParams,
-  NSSUTF8 **slotParams
-)
-{
-    PRStatus nssrv = PR_SUCCESS;
-    NSSUTF8 *current, *remainder;
-    NSSUTF8 *attrib, *value;
-    NSSArena *arena = mod->base.arena;
-    NSSArena *tmparena;
-    current = moduleParams;
-    tmparena = nssArena_Create();
-    if (!tmparena) {
-	return PR_FAILURE;
-    }
-    while (nssrv == PR_SUCCESS) {
-	nssrv = nssCryptokiArgs_ParseNextPair(current, 
-	                                      &attrib, &value, 
-	                                      &remainder, tmparena);
-	if (nssrv != PR_SUCCESS) break;
-	if (value) {
-	    if (nssUTF8_Equal(attrib, "name", &nssrv)) {
-		mod->base.name = nssUTF8_Duplicate(value, arena);
-	    } else if (nssUTF8_Equal(attrib, "library", &nssrv)) {
-		mod->libraryName = nssUTF8_Duplicate(value, arena);
-	    } else if (nssUTF8_Equal(attrib, "parameters", &nssrv)) {
-		mod->libraryParams = nssUTF8_Duplicate(value, arena);
-	    } else if (nssUTF8_Equal(attrib, "NSS", &nssrv)) {
-		parse_nss_parameters(mod, value, tmparena, slotParams);
-	    }
-	}
-	if (*remainder == '\0') break;
-	current = remainder;
-    }
-    nssArena_Destroy(tmparena);
-    return nssrv;
-}
-
-static NSSUTF8 **
-get_module_specs (
-  NSSModule *mod
-)
-{
-    SECMODModuleDBFunc func = (SECMODModuleDBFunc)mod->moduleDBFunc;
-    if (func) {
-	return (*func)(SECMOD_MODULE_DB_FUNCTION_FIND,
-	               mod->libraryParams,
-	               NULL);
-    }
-    return NULL;
-}
-
-/* XXX continue working on */
-NSS_IMPLEMENT NSSModule *
-nssModule_CreateFromSpec (
-  NSSUTF8 *moduleSpec,
-  NSSModule *parent,
-  PRBool loadSubModules
-)
-{
-    PRStatus nssrv;
-    NSSModule *thisModule;
-    NSSArena *arena;
-    NSSUTF8 *slotParams = NULL;
-    arena = nssArena_Create();
-    if (!arena) {
-	return NULL;
-    }
-    thisModule = nss_ZNEW(arena, NSSModule);
-    if (!thisModule) {
-	goto loser;
-    }
-    thisModule->base.lock = PZ_NewLock(nssILockOther);
-    if (!thisModule->base.lock) {
-	goto loser;
-    }
-    PR_AtomicIncrement(&thisModule->base.refCount);
-    thisModule->base.arena = arena;
-    thisModule->base.lock = PZ_NewLock(nssNSSILockOther);
-    if (!thisModule->base.lock) {
-	goto loser;
-    }
-    nssrv = parse_module_parameters(thisModule, moduleSpec, &slotParams);
-    if (nssrv != PR_SUCCESS) {
-	goto loser;
-    }
-    nssrv = nssModule_Load(thisModule);
-    if (nssrv != PR_SUCCESS) {
-	goto loser;
-    }
-    if (slotParams) {
-	nssrv = parse_module_slot_parameters(thisModule, slotParams);
-	nss_ZFreeIf(slotParams);
-	if (nssrv != PR_SUCCESS) {
-	    goto loser;
-	}
-    }
-    if (loadSubModules && NSSMODULE_IS_MODULE_DB(thisModule)) {
-	NSSUTF8 **moduleSpecs;
-	NSSUTF8 **index;
-	/* get the array of sub modules one level below this module */
-	moduleSpecs = get_module_specs(thisModule);
-	/* iterate over the array */
-	for (index = moduleSpecs; index && *index; index++) {
-	    NSSModule *child;
-	    /* load the child recursively */
-	    child = nssModule_CreateFromSpec(*index, thisModule, PR_TRUE);
-	    if (!child) {
-		/* when children fail, does the parent? */
-		nssrv = PR_FAILURE;
-		break;
-	    }
-	    if (NSSMODULE_IS_CRITICAL(child) && !child->isLoaded) {
-		nssrv = PR_FAILURE;
-		nssModule_Destroy(child);
-		break;
-	    }
-	    nssModule_Destroy(child);
-	    /*nss_ZFreeIf(*index);*/
-	}
-	/*nss_ZFreeIf(moduleSpecs);*/
-    }
-    /* The global list inherits the reference */
-    nssrv = nssGlobalModuleList_Add(thisModule);
-    if (nssrv != PR_SUCCESS) {
-	goto loser;
-    }
-    return thisModule;
-loser:
-    if (thisModule->base.lock) {
-	PZ_DestroyLock(thisModule->base.lock);
-    }
-    nssArena_Destroy(arena);
-    return (NSSModule *)NULL;
-}
-
-NSS_IMPLEMENT PRStatus
-nssModule_Destroy (
-  NSSModule *mod
-)
-{
-    PRUint32 i, numSlots;
-    if (PR_AtomicDecrement(&mod->base.refCount) == 0) {
-	if (mod->numSlots == 0) {
-	    (void)nssModule_Unload(mod);
-	    return nssArena_Destroy(mod->base.arena);
-	} else {
-	    numSlots = mod->numSlots;
-	    for (i=0; i<numSlots; i++) {
-		nssSlot_Destroy(mod->slots[i]);
-	    }
-	}
-    }
-    return PR_SUCCESS;
-}
-
-NSS_IMPLEMENT PRStatus
-nssModule_DestroyFromSlot (
-  NSSModule *mod,
-  NSSSlot *slot
-)
-{
-    PRUint32 i, numSlots = 0;
-    PR_ASSERT(mod->base.refCount == 0);
-    for (i=0; i<mod->numSlots; i++) {
-	if (mod->slots[i] == slot) {
-	    mod->slots[i] = NULL;
-	} else if (mod->slots[i]) {
-	    numSlots++;
-	}
-    }
-    if (numSlots == 0) {
-	(void)nssModule_Unload(mod);
-	return nssArena_Destroy(mod->base.arena);
-    }
-    return PR_SUCCESS;
-}
-
-NSS_IMPLEMENT NSSModule *
-nssModule_AddRef (
-  NSSModule *mod
-)
-{
-    PR_AtomicIncrement(&mod->base.refCount);
-    return mod;
-}
-
-NSS_IMPLEMENT NSSUTF8 *
-nssModule_GetName (
-  NSSModule *mod
-)
-{
-    return mod->base.name;
-}
-
-NSS_IMPLEMENT PRBool
-nssModule_IsThreadSafe (
-  NSSModule *module
-)
-{
-    return NSSMODULE_IS_THREADSAFE(module);
-}
-
-NSS_IMPLEMENT PRBool
-nssModule_IsInternal (
-  NSSModule *mod
-)
-{
-    return NSSMODULE_IS_INTERNAL(mod);
-}
-
-NSS_IMPLEMENT PRBool
-nssModule_IsModuleDBOnly (
-  NSSModule *mod
-)
-{
-    return NSSMODULE_IS_MODULE_DB_ONLY(mod);
-}
-
-NSS_IMPLEMENT void *
-nssModule_GetCryptokiEPV (
-  NSSModule *mod
-)
-{
-    return mod->epv;
-}
-
-NSS_IMPLEMENT NSSSlot **
-nssModule_GetSlots (
-  NSSModule *mod
-)
-{
-    PRUint32 i;
-    NSSSlot **rvSlots;
-    rvSlots = nss_ZNEWARRAY(NULL, NSSSlot *, mod->numSlots + 1);
-    if (rvSlots) {
-	for (i=0; i<mod->numSlots; i++) {
-	    rvSlots[i] = nssSlot_AddRef(mod->slots[i]);
-	}
-    }
-    return rvSlots;
-}
-
-NSS_IMPLEMENT NSSSlot *
-nssModule_FindSlotByName (
-  NSSModule *mod,
-  NSSUTF8 *slotName
-)
-{
-    PRUint32 i;
-    PRStatus nssrv;
-    NSSSlot *slot;
-    NSSUTF8 *name;
-    for (i=0; i<mod->numSlots; i++) {
-	slot = mod->slots[i];
-	name = nssSlot_GetName(slot);
-	if (nssUTF8_Equal(name, slotName, &nssrv)) {
-	    return nssSlot_AddRef(slot);
-	}
-	if (nssrv != PR_SUCCESS) {
-	    break;
-	}
-    }
-    return (NSSSlot *)NULL;
-}
-
-NSS_IMPLEMENT NSSToken *
-nssModule_FindTokenByName (
-  NSSModule *mod,
-  NSSUTF8 *tokenName
-)
-{
-    PRUint32 i;
-    PRStatus nssrv;
-    NSSToken *tok;
-    NSSUTF8 *name;
-    for (i=0; i<mod->numSlots; i++) {
-	tok = nssSlot_GetToken(mod->slots[i]);
-	if (tok) {
-	    name = nssToken_GetName(tok);
-	    if (nssUTF8_Equal(name, tokenName, &nssrv)) {
-		return tok;
-	    }
-	    if (nssrv != PR_SUCCESS) {
-		break;
-	    }
-	}
-    }
-    return (NSSToken *)NULL;
-}
-
-NSS_IMPLEMENT PRInt32
-nssModule_GetCertOrder (
-  NSSModule *module
-)
-{
-    return 1; /* XXX */
-}
-
-#endif /* PURE_STAN_BUILD */
-
diff --git a/security/nss/lib/dev/devslot.c b/security/nss/lib/dev/devslot.c
deleted file mode 100644
index 586531f9c..000000000
--- a/security/nss/lib/dev/devslot.c
+++ /dev/null
@@ -1,852 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#ifndef NSSCKEPV_H
-#include "nssckepv.h"
-#endif /* NSSCKEPV_H */
-
-#ifndef DEVM_H
-#include "devm.h"
-#endif /* DEVM_H */
-
-#ifndef CKHELPER_H
-#include "ckhelper.h"
-#endif /* CKHELPER_H */
-
-/* measured in seconds */
-#define NSSSLOT_TOKEN_DELAY_TIME 1
-
-/* this should track global and per-transaction login information */
-
-#ifdef PURE_STAN_CODE
-typedef enum {
-  nssSlotAskPasswordTimes_FirstTime = 0,
-  nssSlotAskPasswordTimes_EveryTime = 1,
-  nssSlotAskPasswordTimes_Timeout = 2
-} 
-nssSlotAskPasswordTimes;
-
-struct nssSlotAuthInfoStr
-{
-  PRTime lastLogin;
-  nssSlotAskPasswordTimes askTimes;
-  PRIntervalTime askPasswordTimeout;
-};
-
-struct NSSSlotStr
-{
-  struct nssDeviceBaseStr base;
-  NSSModule *module; /* Parent */
-  NSSToken *token;  /* Peer */
-  CK_SLOT_ID slotID;
-  CK_FLAGS ckFlags; /* from CK_SLOT_INFO.flags */
-  struct nssSlotAuthInfoStr authInfo;
-  PRIntervalTime lastTokenPing;
-  PZLock *lock;
-#ifdef NSS_3_4_CODE
-  PK11SlotInfo *pk11slot;
-#endif
-};
-#endif /* PURE_STAN_CODE */
-
-#define NSSSLOT_IS_FRIENDLY(slot) \
-  (slot->base.flags & NSSSLOT_FLAGS_FRIENDLY)
-
-/* measured as interval */
-static PRIntervalTime s_token_delay_time = 0;
-
-/* The flags needed to open a read-only session. */
-static const CK_FLAGS s_ck_readonly_flags = CKF_SERIAL_SESSION;
-
-#ifdef PURE_STAN_BUILD
-/* In pk11slot.c, this was a no-op.  So it is here also. */
-static CK_RV PR_CALLBACK
-nss_ck_slot_notify (
-  CK_SESSION_HANDLE session,
-  CK_NOTIFICATION event,
-  CK_VOID_PTR pData
-)
-{
-    return CKR_OK;
-}
-
-NSS_IMPLEMENT NSSSlot *
-nssSlot_Create (
-  CK_SLOT_ID slotID,
-  NSSModule *parent
-)
-{
-    NSSArena *arena = NULL;
-    NSSSlot *rvSlot;
-    NSSToken *token = NULL;
-    NSSUTF8 *slotName = NULL;
-    PRUint32 length;
-    CK_SLOT_INFO slotInfo;
-    CK_RV ckrv;
-    void *epv;
-    arena = NSSArena_Create();
-    if(!arena) {
-	return (NSSSlot *)NULL;
-    }
-    rvSlot = nss_ZNEW(arena, NSSSlot);
-    if (!rvSlot) {
-	goto loser;
-    }
-    /* Get slot information */
-    epv = nssModule_GetCryptokiEPV(parent);
-    ckrv = CKAPI(epv)->C_GetSlotInfo(slotID, &slotInfo);
-    if (ckrv != CKR_OK) {
-	/* set an error here, eh? */
-	goto loser;
-    }
-    /* Grab the slot description from the PKCS#11 fixed-length buffer */
-    length = nssPKCS11String_Length(slotInfo.slotDescription, 
-                                    sizeof(slotInfo.slotDescription));
-    if (length > 0) {
-	slotName = nssUTF8_Create(arena, nssStringType_UTF8String, 
-	                          (void *)slotInfo.slotDescription, length);
-	if (!slotName) {
-	    goto loser;
-	}
-    }
-    rvSlot->base.arena = arena;
-    rvSlot->base.refCount = 1;
-    rvSlot->base.name = slotName;
-    rvSlot->base.lock = PZ_NewLock(nssNSSILockOther); /* XXX */
-    if (!rvSlot->base.lock) {
-	goto loser;
-    }
-    if (!nssModule_IsThreadSafe(parent)) {
-	rvSlot->lock = nssModule_GetLock(parent);
-    }
-    rvSlot->module = parent; /* refs go from module to slots */
-    rvSlot->slotID = slotID;
-    rvSlot->ckFlags = slotInfo.flags;
-    /* Initialize the token if present. */
-    if (slotInfo.flags & CKF_TOKEN_PRESENT) {
-	token = nssToken_Create(slotID, rvSlot);
-	if (!token) {
-	    goto loser;
-	}
-    }
-    rvSlot->token = token;
-    return rvSlot;
-loser:
-    nssArena_Destroy(arena);
-    /* everything was created in the arena, nothing to see here, move along */
-    return (NSSSlot *)NULL;
-}
-#endif /* PURE_STAN_BUILD */
-
-NSS_IMPLEMENT PRStatus
-nssSlot_Destroy (
-  NSSSlot *slot
-)
-{
-    if (slot) {
-	if (PR_AtomicDecrement(&slot->base.refCount) == 0) {
-	    PZ_DestroyLock(slot->base.lock);
-#ifdef PURE_STAN_BUILD
-	    nssToken_Destroy(slot->token);
-	    nssModule_DestroyFromSlot(slot->module, slot);
-#endif
-	    return nssArena_Destroy(slot->base.arena);
-	}
-    }
-    return PR_SUCCESS;
-}
-
-void
-nssSlot_EnterMonitor(NSSSlot *slot)
-{
-    if (slot->lock) {
-	PZ_Lock(slot->lock);
-    }
-}
-
-void
-nssSlot_ExitMonitor(NSSSlot *slot)
-{
-    if (slot->lock) {
-	PZ_Unlock(slot->lock);
-    }
-}
-
-NSS_IMPLEMENT void
-NSSSlot_Destroy (
-  NSSSlot *slot
-)
-{
-    (void)nssSlot_Destroy(slot);
-}
-
-NSS_IMPLEMENT NSSSlot *
-nssSlot_AddRef (
-  NSSSlot *slot
-)
-{
-    PR_AtomicIncrement(&slot->base.refCount);
-    return slot;
-}
-
-NSS_IMPLEMENT NSSUTF8 *
-nssSlot_GetName (
-  NSSSlot *slot
-)
-{
-    return slot->base.name;
-}
-
-NSS_IMPLEMENT NSSUTF8 *
-nssSlot_GetTokenName (
-  NSSSlot *slot
-)
-{
-    return nssToken_GetName(slot->token);
-}
-
-NSS_IMPLEMENT void
-nssSlot_ResetDelay (
-  NSSSlot *slot
-)
-{
-    slot->lastTokenPing = 0;
-}
-
-static PRBool
-within_token_delay_period(NSSSlot *slot)
-{
-    PRIntervalTime time, lastTime;
-    /* Set the delay time for checking the token presence */
-    if (s_token_delay_time == 0) {
-	s_token_delay_time = PR_SecondsToInterval(NSSSLOT_TOKEN_DELAY_TIME);
-    }
-    time = PR_IntervalNow();
-    lastTime = slot->lastTokenPing;
-    if ((lastTime) && ((time - lastTime) < s_token_delay_time)) {
-	return PR_TRUE;
-    }
-    slot->lastTokenPing = time;
-    return PR_FALSE;
-}
-
-NSS_IMPLEMENT PRBool
-nssSlot_IsTokenPresent (
-  NSSSlot *slot
-)
-{
-    CK_RV ckrv;
-    PRStatus nssrv;
-    /* XXX */
-    nssSession *session;
-    CK_SLOT_INFO slotInfo;
-    void *epv;
-    /* permanent slots are always present */
-    if (nssSlot_IsPermanent(slot)) {
-	return PR_TRUE;
-    }
-    /* avoid repeated calls to check token status within set interval */
-    if (within_token_delay_period(slot)) {
-	return (PRBool)((slot->ckFlags & CKF_TOKEN_PRESENT) != 0);
-    }
-
-    /* First obtain the slot info */
-#ifdef PURE_STAN_BUILD
-    epv = nssModule_GetCryptokiEPV(slot->module);
-#else
-    epv = slot->epv;
-#endif
-    if (!epv) {
-	return PR_FALSE;
-    }
-    nssSlot_EnterMonitor(slot);
-    ckrv = CKAPI(epv)->C_GetSlotInfo(slot->slotID, &slotInfo);
-    nssSlot_ExitMonitor(slot);
-    if (ckrv != CKR_OK) {
-	slot->token->base.name[0] = 0; /* XXX */
-	return PR_FALSE;
-    }
-    slot->ckFlags = slotInfo.flags;
-    /* check for the presence of the token */
-    if ((slot->ckFlags & CKF_TOKEN_PRESENT) == 0) {
-	if (!slot->token) {
-	    /* token was ne'er present */
-	    return PR_FALSE;
-	}
-	session = nssToken_GetDefaultSession(slot->token);
-	nssSession_EnterMonitor(session);
-	/* token is not present */
-	if (session->handle != CK_INVALID_SESSION) {
-	    /* session is valid, close and invalidate it */
-	    CKAPI(epv)->C_CloseSession(session->handle);
-	    session->handle = CK_INVALID_SESSION;
-	}
-	nssSession_ExitMonitor(session);
-#ifdef NSS_3_4_CODE
-	if (slot->token->base.name[0] != 0) {
-	    /* notify the high-level cache that the token is removed */
-	    slot->token->base.name[0] = 0; /* XXX */
-	    nssToken_NotifyCertsNotVisible(slot->token);
-	}
-#endif
-	slot->token->base.name[0] = 0; /* XXX */
-	/* clear the token cache */
-	nssToken_Remove(slot->token);
-	return PR_FALSE;
-#ifdef PURE_STAN_CODE
-    } else if (!slot->token) {
-	/* token was not present at boot time, is now */
-	slot->token = nssToken_Create(slot->slotID, slot);
-	return (slot->token != NULL);
-#endif
-    }
-    /* token is present, use the session info to determine if the card
-     * has been removed and reinserted.
-     */
-    session = nssToken_GetDefaultSession(slot->token);
-    nssSession_EnterMonitor(session);
-    if (session->handle != CK_INVALID_SESSION) {
-	CK_SESSION_INFO sessionInfo;
-	ckrv = CKAPI(epv)->C_GetSessionInfo(session->handle, &sessionInfo);
-	if (ckrv != CKR_OK) {
-	    /* session is screwy, close and invalidate it */
-	    CKAPI(epv)->C_CloseSession(session->handle);
-	    session->handle = CK_INVALID_SESSION;
-	}
-    }
-    nssSession_ExitMonitor(session);
-    /* token not removed, finished */
-    if (session->handle != CK_INVALID_SESSION) {
-	return PR_TRUE;
-    } else {
-	/* the token has been removed, and reinserted, or the slot contains
-	 * a token it doesn't recognize. invalidate all the old
-	 * information we had on this token, if we can't refresh, clear
-	 * the present flag */
-#ifdef NSS_3_4_CODE
-	nssToken_NotifyCertsNotVisible(slot->token);
-#endif /* NSS_3_4_CODE */
-	nssToken_Remove(slot->token);
-	/* token has been removed, need to refresh with new session */
-	nssrv = nssSlot_Refresh(slot);
-	if (nssrv != PR_SUCCESS) {
-	    slot->token->base.name[0] = 0; /* XXX */
-	    slot->ckFlags &= ~CKF_TOKEN_PRESENT;
-	    return PR_FALSE;
-	}
-	return PR_TRUE;
-    }
-}
-
-#ifdef PURE_STAN_BUILD
-NSS_IMPLEMENT NSSModule *
-nssSlot_GetModule (
-  NSSSlot *slot
-)
-{
-    return nssModule_AddRef(slot->module);
-}
-#endif /* PURE_STAN_BUILD */
-
-NSS_IMPLEMENT void *
-nssSlot_GetCryptokiEPV (
-  NSSSlot *slot
-)
-{
-#ifdef PURE_STAN_BUILD
-    return nssModule_GetCryptokiEPV(slot->module);
-#else
-    return slot->epv;
-#endif
-}
-
-NSS_IMPLEMENT NSSToken *
-nssSlot_GetToken (
-  NSSSlot *slot
-)
-{
-    if (nssSlot_IsTokenPresent(slot)) {
-	return nssToken_AddRef(slot->token);
-    }
-    return (NSSToken *)NULL;
-}
-
-#ifdef PURE_STAN_BUILD
-NSS_IMPLEMENT PRBool
-nssSlot_IsPermanent (
-  NSSSlot *slot
-)
-{
-    return (!(slot->ckFlags & CKF_REMOVABLE_DEVICE));
-}
-
-NSS_IMPLEMENT PRBool
-nssSlot_IsFriendly (
-  NSSSlot *slot
-)
-{
-    return PR_TRUE /* XXX NSSSLOT_IS_FRIENDLY(slot)*/;
-}
-
-NSS_IMPLEMENT PRBool
-nssSlot_IsHardware (
-  NSSSlot *slot
-)
-{
-    return (slot->ckFlags & CKF_HW_SLOT);
-}
-
-NSS_IMPLEMENT PRStatus
-nssSlot_Refresh (
-  NSSSlot *slot
-)
-{
-    /* XXX */
-#if 0
-    nssToken_Destroy(slot->token);
-    if (slotInfo.flags & CKF_TOKEN_PRESENT) {
-	slot->token = nssToken_Create(NULL, slotID, slot);
-    }
-#endif
-    return PR_SUCCESS;
-}
-
-static PRBool
-slot_needs_login (
-  NSSSlot *slot,
-  nssSession *session
-)
-{
-    PRBool needsLogin, logout;
-    struct nssSlotAuthInfoStr *authInfo = &slot->authInfo;
-    void *epv = nssModule_GetCryptokiEPV(slot->module);
-    if (!nssToken_IsLoginRequired(slot->token)) {
-	return PR_FALSE;
-    }
-    if (authInfo->askTimes == nssSlotAskPasswordTimes_EveryTime) {
-	logout = PR_TRUE;
-    } else if (authInfo->askTimes == nssSlotAskPasswordTimes_Timeout) {
-	PRIntervalTime currentTime = PR_IntervalNow();
-	if (authInfo->lastLogin - currentTime < authInfo->askPasswordTimeout) {
-	    logout = PR_FALSE;
-	} else {
-	    logout = PR_TRUE;
-	}
-    } else { /* nssSlotAskPasswordTimes_FirstTime */
-	logout = PR_FALSE;
-    }
-    if (logout) {
-	/* The login has expired, timeout */
-	nssSession_EnterMonitor(session);
-	CKAPI(epv)->C_Logout(session->handle);
-	nssSession_ExitMonitor(session);
-	needsLogin = PR_TRUE;
-    } else {
-	CK_RV ckrv;
-	CK_SESSION_INFO sessionInfo;
-	nssSession_EnterMonitor(session);
-	ckrv = CKAPI(epv)->C_GetSessionInfo(session->handle, &sessionInfo);
-	nssSession_ExitMonitor(session);
-	if (ckrv != CKR_OK) {
-	    /* XXX error -- invalidate session */ 
-	    return PR_FALSE;
-	}
-	switch (sessionInfo.state) {
-	case CKS_RW_PUBLIC_SESSION:
-	case CKS_RO_PUBLIC_SESSION:
-	default:
-	    needsLogin = PR_TRUE;
-	    break;
-	case CKS_RW_USER_FUNCTIONS:
-	case CKS_RW_SO_FUNCTIONS:
-	case CKS_RO_USER_FUNCTIONS:
-	    needsLogin = PR_FALSE;
-	    break;
-	}
-    }
-    return needsLogin;
-}
-
-static PRStatus
-slot_login (
-  NSSSlot *slot, 
-  nssSession *session, 
-  CK_USER_TYPE userType, 
-  NSSCallback *pwcb
-)
-{
-    PRStatus nssrv;
-    PRUint32 attempts;
-    PRBool keepTrying;
-    NSSUTF8 *password = NULL;
-    CK_ULONG pwLen;
-    CK_RV ckrv;
-    void *epv;
-    if (!pwcb->getPW) {
-	/* set error INVALID_ARG */
-	return PR_FAILURE;
-    }
-    epv = nssModule_GetCryptokiEPV(slot->module);
-    keepTrying = PR_TRUE;
-    nssrv = PR_FAILURE;
-    attempts = 0;
-    while (keepTrying) {
-	/* use the token name, since it is present */
-	NSSUTF8 *tokenName = nssToken_GetName(slot->token);
-	nssrv = pwcb->getPW(tokenName, attempts, pwcb->arg, &password);
-	if (nssrv != PR_SUCCESS) {
-	    nss_SetError(NSS_ERROR_USER_CANCELED);
-	    break;
-	}
-	pwLen = (CK_ULONG)nssUTF8_Length(password, &nssrv); 
-	if (nssrv != PR_SUCCESS) {
-	    break;
-	}
-	nssSession_EnterMonitor(session);
-	ckrv = CKAPI(epv)->C_Login(session->handle, userType, 
-                                   (CK_CHAR_PTR)password, pwLen);
-	nssSession_ExitMonitor(session);
-	switch (ckrv) {
-	case CKR_OK:
-	case CKR_USER_ALREADY_LOGGED_IN:
-	    slot->authInfo.lastLogin = PR_Now();
-	    nssrv = PR_SUCCESS;
-	    keepTrying = PR_FALSE;
-	    break;
-	case CKR_PIN_INCORRECT:
-	    nss_SetError(NSS_ERROR_INVALID_PASSWORD);
-	    keepTrying = PR_TRUE; /* received bad pw, keep going */
-	    break;
-	default:
-	    nssrv = PR_FAILURE;
-	    keepTrying = PR_FALSE;
-	    break;
-	}
-	nss_ZFreeIf(password);
-	password = NULL;
-	++attempts;
-    }
-    return nssrv;
-}
-
-static PRStatus
-init_slot_password (
-  NSSSlot *slot, 
-  nssSession *rwSession, 
-  NSSUTF8 *password
-)
-{
-    PRStatus status;
-    NSSUTF8 *ssoPW = "";
-    CK_ULONG userPWLen, ssoPWLen;
-    CK_RV ckrv;
-    void *epv = nssModule_GetCryptokiEPV(slot->module);
-    /* Get the SO and user passwords */
-    userPWLen = (CK_ULONG)nssUTF8_Length(password, &status); 
-    if (status != PR_SUCCESS) {
-	goto loser;
-    }
-    ssoPWLen = (CK_ULONG)nssUTF8_Length(ssoPW, &status); 
-    if (status != PR_SUCCESS) {
-	goto loser;
-    }
-    /* First log in as SO */
-    ckrv = CKAPI(epv)->C_Login(rwSession->handle, CKU_SO, 
-                               (CK_CHAR_PTR)ssoPW, ssoPWLen);
-    if (ckrv != CKR_OK) {
-	/* set error ...SO_LOGIN_FAILED */
-	goto loser;
-    }
-	/* Now change the user PIN */
-    ckrv = CKAPI(epv)->C_InitPIN(rwSession->handle, 
-                                 (CK_CHAR_PTR)password, userPWLen);
-    if (ckrv != CKR_OK) {
-	/* set error */
-	goto loser;
-    }
-    return PR_SUCCESS;
-loser:
-    return PR_FAILURE;
-}
-
-static PRStatus
-change_slot_password (
-  NSSSlot *slot, 
-  nssSession *rwSession, 
-  NSSUTF8 *oldPassword,
-  NSSUTF8 *newPassword
-)
-{
-    PRStatus status;
-    CK_ULONG userPWLen, newPWLen;
-    CK_RV ckrv;
-    void *epv = nssModule_GetCryptokiEPV(slot->module);
-    userPWLen = (CK_ULONG)nssUTF8_Length(oldPassword, &status); 
-    if (status != PR_SUCCESS) {
-	return status;
-    }
-    newPWLen = (CK_ULONG)nssUTF8_Length(newPassword, &status); 
-    if (status != PR_SUCCESS) {
-	return status;
-    }
-    nssSession_EnterMonitor(rwSession);
-    ckrv = CKAPI(epv)->C_SetPIN(rwSession->handle,
-                                (CK_CHAR_PTR)oldPassword, userPWLen,
-                                (CK_CHAR_PTR)newPassword, newPWLen);
-    nssSession_ExitMonitor(rwSession);
-    switch (ckrv) {
-    case CKR_OK:
-	slot->authInfo.lastLogin = PR_Now();
-	status = PR_SUCCESS;
-	break;
-    case CKR_PIN_INCORRECT:
-	nss_SetError(NSS_ERROR_INVALID_PASSWORD);
-	status = PR_FAILURE;
-	break;
-    default:
-	status = PR_FAILURE;
-	break;
-    }
-    return status;
-}
-
-NSS_IMPLEMENT PRStatus
-nssSlot_Login (
-  NSSSlot *slot,
-  NSSCallback *pwcb
-)
-{
-    PRStatus status;
-    CK_USER_TYPE userType = CKU_USER;
-    NSSToken *token = nssSlot_GetToken(slot);
-    nssSession *session;
-    if (!token) {
-	return PR_FAILURE;
-    }
-    if (!nssToken_IsLoginRequired(token)) {
-	nssToken_Destroy(token);
-	return PR_SUCCESS;
-    }
-    session = nssToken_GetDefaultSession(slot->token);
-    if (nssToken_NeedsPINInitialization(token)) {
-	NSSUTF8 *password = NULL;
-	if (!pwcb->getInitPW) {
-	    nssToken_Destroy(token);
-	    return PR_FAILURE; /* don't know how to get initial password */
-	}
-	status = (*pwcb->getInitPW)(slot->base.name, pwcb->arg, &password);
-	if (status == PR_SUCCESS) {
-	    session = nssSlot_CreateSession(slot, NULL, PR_TRUE);
-	    status = init_slot_password(slot, session, password);
-	    nssSession_Destroy(session);
-	}
-    } else if (slot_needs_login(slot, session)) {
-	status = slot_login(slot, session, userType, pwcb);
-    } else {
-	status = PR_SUCCESS;
-    }
-    nssToken_Destroy(token);
-    return status;
-}
-
-NSS_IMPLEMENT PRStatus
-nssSlot_Logout (
-  NSSSlot *slot,
-  nssSession *sessionOpt
-)
-{
-    PRStatus nssrv = PR_SUCCESS;
-    nssSession *session;
-    CK_RV ckrv;
-    void *epv = nssModule_GetCryptokiEPV(slot->module);
-    session = sessionOpt ? 
-              sessionOpt : 
-              nssToken_GetDefaultSession(slot->token);
-    nssSession_EnterMonitor(session);
-    ckrv = CKAPI(epv)->C_Logout(session->handle);
-    nssSession_ExitMonitor(session);
-    if (ckrv != CKR_OK) {
-	/* translate the error */
-	nssrv = PR_FAILURE;
-    }
-    return nssrv;
-}
-
-NSS_IMPLEMENT PRBool
-nssSlot_IsLoggedIn (
-  NSSSlot *slot
-)
-{
-    nssSession *session = nssToken_GetDefaultSession(slot->token);
-    return !slot_needs_login(slot, session);
-}
-
-NSS_IMPLEMENT void
-nssSlot_SetPasswordDefaults (
-  NSSSlot *slot,
-  PRInt32 askPasswordTimeout
-)
-{
-    slot->authInfo.askPasswordTimeout = askPasswordTimeout;
-}
-
-
-NSS_IMPLEMENT PRStatus
-nssSlot_SetPassword (
-  NSSSlot *slot,
-  NSSUTF8 *oldPasswordOpt,
-  NSSUTF8 *newPassword
-)
-{
-    PRStatus status;
-    nssSession *rwSession;
-    NSSToken *token = nssSlot_GetToken(slot);
-    if (!token) {
-	return PR_FAILURE;
-    }
-    rwSession = nssSlot_CreateSession(slot, NULL, PR_TRUE);
-    if (nssToken_NeedsPINInitialization(token)) {
-	status = init_slot_password(slot, rwSession, newPassword);
-    } else if (oldPasswordOpt) {
-	status = change_slot_password(slot, rwSession, 
-	                              oldPasswordOpt, newPassword);
-    } else {
-	/* old password must be given in order to change */
-	status = PR_FAILURE;
-    }
-    nssSession_Destroy(rwSession);
-    nssToken_Destroy(token);
-    return status;
-}
-
-NSS_IMPLEMENT nssSession *
-nssSlot_CreateSession (
-  NSSSlot *slot,
-  NSSArena *arenaOpt,
-  PRBool readWrite /* so far, this is the only flag used */
-)
-{
-    CK_RV ckrv;
-    CK_FLAGS ckflags;
-    CK_SESSION_HANDLE handle;
-    void *epv = nssModule_GetCryptokiEPV(slot->module);
-    nssSession *rvSession;
-    ckflags = s_ck_readonly_flags;
-    if (readWrite) {
-	ckflags |= CKF_RW_SESSION;
-    }
-    ckrv = CKAPI(epv)->C_OpenSession(slot->slotID, ckflags,
-                                     slot, nss_ck_slot_notify, &handle);
-    if (ckrv != CKR_OK) {
-	/* set an error here, eh? */
-	return (nssSession *)NULL;
-    }
-    rvSession = nss_ZNEW(arenaOpt, nssSession);
-    if (!rvSession) {
-	return (nssSession *)NULL;
-    }
-    if (nssModule_IsThreadSafe(slot->module)) {
-	/* If the parent module is threadsafe, 
-         * create lock to protect just this session.
-	 */
-	rvSession->lock = PZ_NewLock(nssILockOther);
-	if (!rvSession->lock) {
-	    /* need to translate NSPR error? */
-	    if (arenaOpt) {
-	    } else {
-		nss_ZFreeIf(rvSession);
-	    }
-	    return (nssSession *)NULL;
-	}
-        rvSession->ownLock = PR_TRUE;
-    } else {
-        rvSession->lock = slot->lock;
-        rvSession->ownLock = PR_FALSE;
-    }
-	
-    rvSession->handle = handle;
-    rvSession->slot = slot;
-    rvSession->isRW = readWrite;
-    return rvSession;
-}
-
-NSS_IMPLEMENT PRStatus
-nssSession_Destroy (
-  nssSession *s
-)
-{
-    CK_RV ckrv = CKR_OK;
-    if (s) {
-	void *epv = s->slot->epv;
-	ckrv = CKAPI(epv)->C_CloseSession(s->handle);
-	if (s->ownLock && s->lock) {
-	    PZ_DestroyLock(s->lock);
-	}
-	nss_ZFreeIf(s);
-    }
-    return (ckrv == CKR_OK) ? PR_SUCCESS : PR_FAILURE;
-}
-#endif /* PURE_STAN_BUILD */
-
-NSS_IMPLEMENT PRStatus
-nssSession_EnterMonitor (
-  nssSession *s
-)
-{
-    if (s->lock) PZ_Lock(s->lock);
-    return PR_SUCCESS;
-}
-
-NSS_IMPLEMENT PRStatus
-nssSession_ExitMonitor (
-  nssSession *s
-)
-{
-    return (s->lock) ? PZ_Unlock(s->lock) : PR_SUCCESS;
-}
-
-NSS_EXTERN PRBool
-nssSession_IsReadWrite (
-  nssSession *s
-)
-{
-    return s->isRW;
-}
-
diff --git a/security/nss/lib/dev/devt.h b/security/nss/lib/dev/devt.h
deleted file mode 100644
index e6ce0aaf5..000000000
--- a/security/nss/lib/dev/devt.h
+++ /dev/null
@@ -1,202 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef DEVT_H
-#define DEVT_H
-
-#ifdef DEBUG
-static const char DEVT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * devt.h
- *
- * This file contains definitions for the low-level cryptoki devices.
- */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-#ifndef NSSPKIT_H
-#include "nsspkit.h"
-#endif /* NSSPKIT_H */
-
-#ifndef NSSDEVT_H
-#include "nssdevt.h"
-#endif /* NSSDEVT_H */
-
-#ifndef NSSCKT_H
-#include "nssckt.h"
-#endif /* NSSCKT_H */
-
-#ifndef BASET_H
-#include "baset.h"
-#endif /* BASET_H */
-
-#ifdef NSS_3_4_CODE
-#include "secmodt.h"
-#endif /* NSS_3_4_CODE */
-
-PR_BEGIN_EXTERN_C
-
-typedef struct nssSessionStr nssSession;
-
-/* XXX until NSSTokenStr is moved */
-struct nssDeviceBaseStr
-{
-  NSSArena *arena;
-  PZLock *lock;
-  PRInt32 refCount;
-  NSSUTF8 *name;
-  PRUint32 flags;
-};
-
-typedef struct nssTokenObjectCacheStr nssTokenObjectCache;
-
-/* XXX until devobject.c goes away */
-struct NSSTokenStr
-{
-    struct nssDeviceBaseStr base;
-    NSSSlot *slot;  /* Parent (or peer, if you will) */
-    CK_FLAGS ckFlags; /* from CK_TOKEN_INFO.flags */
-    PRUint32 flags;
-    void *epv;
-    nssSession *defaultSession;
-    NSSTrustDomain *trustDomain;
-    PRIntervalTime lastTime;
-    nssTokenObjectCache *cache;
-#ifdef NSS_3_4_CODE
-    PK11SlotInfo *pk11slot;
-#endif
-};
-
-typedef enum {
-  nssSlotAskPasswordTimes_FirstTime = 0,
-  nssSlotAskPasswordTimes_EveryTime = 1,
-  nssSlotAskPasswordTimes_Timeout = 2
-} 
-nssSlotAskPasswordTimes;
-
-struct nssSlotAuthInfoStr
-{
-  PRTime lastLogin;
-  nssSlotAskPasswordTimes askTimes;
-  PRIntervalTime askPasswordTimeout;
-};
-
-struct NSSSlotStr
-{
-  struct nssDeviceBaseStr base;
-  NSSModule *module; /* Parent */
-  NSSToken *token;  /* Peer */
-  CK_SLOT_ID slotID;
-  CK_FLAGS ckFlags; /* from CK_SLOT_INFO.flags */
-  struct nssSlotAuthInfoStr authInfo;
-  PRIntervalTime lastTokenPing;
-  PZLock *lock;
-#ifdef NSS_3_4_CODE
-  void *epv;
-  PK11SlotInfo *pk11slot;
-#endif
-};
-
-struct nssSessionStr
-{
-  PZLock *lock;
-  CK_SESSION_HANDLE handle;
-  NSSSlot *slot;
-  PRBool isRW;
-  PRBool ownLock;
-};
-
-typedef enum {
-    NSSCertificateType_Unknown = 0,
-    NSSCertificateType_PKIX = 1
-} NSSCertificateType;
-
-typedef enum {
-    nssTrustLevel_Unknown = 0,
-    nssTrustLevel_NotTrusted = 1,
-    nssTrustLevel_Trusted = 2,
-    nssTrustLevel_TrustedDelegator = 3,
-    nssTrustLevel_Valid = 4,
-    nssTrustLevel_ValidDelegator = 5
-} nssTrustLevel;
-
-typedef struct nssCryptokiInstanceStr nssCryptokiInstance;
-
-struct nssCryptokiInstanceStr
-{
-    CK_OBJECT_HANDLE handle;
-    NSSToken *token;
-    PRBool isTokenObject;
-    NSSUTF8 *label;
-};
-
-typedef struct nssCryptokiInstanceStr nssCryptokiObject;
-
-typedef struct nssTokenCertSearchStr nssTokenCertSearch;
-
-typedef enum {
-    nssTokenSearchType_AllObjects = 0,
-    nssTokenSearchType_SessionOnly = 1,
-    nssTokenSearchType_TokenOnly = 2,
-    nssTokenSearchType_TokenForced = 3
-} nssTokenSearchType;
-
-struct nssTokenCertSearchStr
-{
-    nssTokenSearchType searchType;
-    PRStatus (* callback)(NSSCertificate *c, void *arg);
-    void *cbarg;
-    nssList *cached;
-    /* TODO: add a cache query callback if the list would be large 
-     *       (traversal) 
-     */
-};
-
-struct nssSlotListStr;
-typedef struct nssSlotListStr nssSlotList;
-
-struct NSSAlgorithmAndParametersStr
-{
-    CK_MECHANISM mechanism;
-};
-
-PR_END_EXTERN_C
-
-#endif /* DEVT_H */
diff --git a/security/nss/lib/dev/devtm.h b/security/nss/lib/dev/devtm.h
deleted file mode 100644
index 330ed3311..000000000
--- a/security/nss/lib/dev/devtm.h
+++ /dev/null
@@ -1,61 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef DEVTM_H
-#define DEVTM_H
-
-#ifdef DEBUG
-static const char DEVTM_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * devtm.h
- *
- * This file contains module-private definitions for the low-level 
- * cryptoki devices.
- */
-
-#ifndef DEVT_H
-#include "devt.h"
-#endif /* DEVT_H */
-
-PR_BEGIN_EXTERN_C
-
-#define MAX_LOCAL_CACHE_OBJECTS 10
-
-PR_END_EXTERN_C
-
-#endif /* DEVTM_H */
diff --git a/security/nss/lib/dev/devtoken.c b/security/nss/lib/dev/devtoken.c
deleted file mode 100644
index 112277f08..000000000
--- a/security/nss/lib/dev/devtoken.c
+++ /dev/null
@@ -1,1722 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#ifndef NSSCKEPV_H
-#include "nssckepv.h"
-#endif /* NSSCKEPV_H */
-
-#ifndef DEVM_H
-#include "devm.h"
-#endif /* DEVM_H */
-
-#ifndef CKHELPER_H
-#include "ckhelper.h"
-#endif /* CKHELPER_H */
-
-#ifdef NSS_3_4_CODE
-#include "pk11func.h"
-#include "dev3hack.h"
-#include "secerr.h"
-#endif
-
-extern const NSSError NSS_ERROR_NOT_FOUND;
-
-/* The number of object handles to grab during each call to C_FindObjects */
-#define OBJECT_STACK_SIZE 16
-
-#ifdef PURE_STAN_BUILD
-struct NSSTokenStr
-{
-  struct nssDeviceBaseStr base;
-  NSSSlot *slot;  /* Peer */
-  CK_FLAGS ckFlags; /* from CK_TOKEN_INFO.flags */
-  nssSession *defaultSession;
-  nssTokenObjectCache *cache;
-};
-
-NSS_IMPLEMENT NSSToken *
-nssToken_Create (
-  CK_SLOT_ID slotID,
-  NSSSlot *peer
-)
-{
-    NSSArena *arena;
-    NSSToken *rvToken;
-    nssSession *session = NULL;
-    NSSUTF8 *tokenName = NULL;
-    PRUint32 length;
-    PRBool readWrite;
-    CK_TOKEN_INFO tokenInfo;
-    CK_RV ckrv;
-    void *epv = nssSlot_GetCryptokiEPV(peer);
-    arena = NSSArena_Create();
-    if(!arena) {
-	return (NSSToken *)NULL;
-    }
-    rvToken = nss_ZNEW(arena, NSSToken);
-    if (!rvToken) {
-	goto loser;
-    }
-    /* Get token information */
-    ckrv = CKAPI(epv)->C_GetTokenInfo(slotID, &tokenInfo);
-    if (ckrv != CKR_OK) {
-	/* set an error here, eh? */
-	goto loser;
-    }
-    /* Grab the slot description from the PKCS#11 fixed-length buffer */
-    length = nssPKCS11String_Length(tokenInfo.label, sizeof(tokenInfo.label));
-    if (length > 0) {
-	tokenName = nssUTF8_Create(arena, nssStringType_UTF8String, 
-	                           (void *)tokenInfo.label, length);
-	if (!tokenName) {
-	    goto loser;
-	}
-    }
-    /* Open a default session handle for the token. */
-    if (tokenInfo.ulMaxSessionCount == 1) {
-	/* if the token can only handle one session, it must be RW. */
-	readWrite = PR_TRUE;
-    } else {
-	readWrite = PR_FALSE;
-    }
-    session = nssSlot_CreateSession(peer, arena, readWrite);
-    if (session == NULL) {
-	goto loser;
-    }
-    /* TODO: seed the RNG here */
-    rvToken->base.arena = arena;
-    rvToken->base.refCount = 1;
-    rvToken->base.name = tokenName;
-    rvToken->base.lock = PZ_NewLock(nssNSSILockOther); /* XXX */
-    if (!rvToken->base.lock) {
-	goto loser;
-    }
-    rvToken->slot = peer; /* slot owns ref to token */
-    rvToken->ckFlags = tokenInfo.flags;
-    rvToken->defaultSession = session;
-    if (nssSlot_IsHardware(peer)) {
-	rvToken->cache = nssTokenObjectCache_Create(rvToken, 
-	                                            PR_TRUE, PR_TRUE, PR_TRUE);
-	if (!rvToken->cache) {
-	    nssSlot_Destroy(peer);
-	    goto loser;
-	}
-    }
-    return rvToken;
-loser:
-    if (session) {
-	nssSession_Destroy(session);
-    }
-    nssArena_Destroy(arena);
-    return (NSSToken *)NULL;
-}
-#endif /* PURE_STAN_BUILD */
-
-NSS_IMPLEMENT PRStatus
-nssToken_Destroy (
-  NSSToken *tok
-)
-{
-    if (tok) {
-	if (PR_AtomicDecrement(&tok->base.refCount) == 0) {
-	    PZ_DestroyLock(tok->base.lock);
-	    nssTokenObjectCache_Destroy(tok->cache);
-	    return nssArena_Destroy(tok->base.arena);
-	}
-    }
-    return PR_SUCCESS;
-}
-
-NSS_IMPLEMENT void
-nssToken_Remove (
-  NSSToken *tok
-)
-{
-    nssTokenObjectCache_Clear(tok->cache);
-}
-
-NSS_IMPLEMENT void
-NSSToken_Destroy (
-  NSSToken *tok
-)
-{
-    (void)nssToken_Destroy(tok);
-}
-
-NSS_IMPLEMENT NSSToken *
-nssToken_AddRef (
-  NSSToken *tok
-)
-{
-    PR_AtomicIncrement(&tok->base.refCount);
-    return tok;
-}
-
-NSS_IMPLEMENT NSSSlot *
-nssToken_GetSlot (
-  NSSToken *tok
-)
-{
-    return nssSlot_AddRef(tok->slot);
-}
-
-#ifdef PURE_STAN_BUILD
-NSS_IMPLEMENT NSSModule *
-nssToken_GetModule (
-  NSSToken *token
-)
-{
-    return nssSlot_GetModule(token->slot);
-}
-#endif
-
-NSS_IMPLEMENT void *
-nssToken_GetCryptokiEPV (
-  NSSToken *token
-)
-{
-    return nssSlot_GetCryptokiEPV(token->slot);
-}
-
-NSS_IMPLEMENT nssSession *
-nssToken_GetDefaultSession (
-  NSSToken *token
-)
-{
-    return token->defaultSession;
-}
-
-NSS_IMPLEMENT NSSUTF8 *
-nssToken_GetName (
-  NSSToken *tok
-)
-{
-    if (tok == NULL) {
-	return "";
-    }
-    if (tok->base.name[0] == 0) {
-	(void) nssSlot_IsTokenPresent(tok->slot);
-    } 
-    return tok->base.name;
-}
-
-NSS_IMPLEMENT NSSUTF8 *
-NSSToken_GetName (
-  NSSToken *token
-)
-{
-    return nssToken_GetName(token);
-}
-
-NSS_IMPLEMENT PRBool
-nssToken_IsLoginRequired (
-  NSSToken *token
-)
-{
-    return (token->ckFlags & CKF_LOGIN_REQUIRED);
-}
-
-NSS_IMPLEMENT PRBool
-nssToken_NeedsPINInitialization (
-  NSSToken *token
-)
-{
-    return (!(token->ckFlags & CKF_USER_PIN_INITIALIZED));
-}
-
-NSS_IMPLEMENT PRStatus
-nssToken_DeleteStoredObject (
-  nssCryptokiObject *instance
-)
-{
-    CK_RV ckrv;
-    PRStatus status;
-    PRBool createdSession = PR_FALSE;
-    NSSToken *token = instance->token;
-    nssSession *session = NULL;
-    void *epv = nssToken_GetCryptokiEPV(instance->token);
-    if (token->cache) {
-	nssTokenObjectCache_RemoveObject(token->cache, instance);
-    }
-    if (instance->isTokenObject) {
-       if (nssSession_IsReadWrite(token->defaultSession)) {
-	   session = token->defaultSession;
-       } else {
-	   session = nssSlot_CreateSession(token->slot, NULL, PR_TRUE);
-	   createdSession = PR_TRUE;
-       }
-    }
-    if (session == NULL) {
-	return PR_FAILURE;
-    }
-    nssSession_EnterMonitor(session);
-    ckrv = CKAPI(epv)->C_DestroyObject(session->handle, instance->handle);
-    nssSession_ExitMonitor(session);
-    if (createdSession) {
-	nssSession_Destroy(session);
-    }
-    status = (ckrv == CKR_OK) ? PR_SUCCESS : PR_FAILURE;
-    return status;
-}
-
-static nssCryptokiObject *
-import_object (
-  NSSToken *tok,
-  nssSession *sessionOpt,
-  CK_ATTRIBUTE_PTR objectTemplate,
-  CK_ULONG otsize
-)
-{
-    nssSession *session = NULL;
-    PRBool createdSession = PR_FALSE;
-    nssCryptokiObject *object = NULL;
-    CK_OBJECT_HANDLE handle;
-    CK_RV ckrv;
-    void *epv = nssToken_GetCryptokiEPV(tok);
-    if (nssCKObject_IsTokenObjectTemplate(objectTemplate, otsize)) {
-	if (sessionOpt) {
-	    if (!nssSession_IsReadWrite(sessionOpt)) {
-		return CK_INVALID_HANDLE;
-	    } else {
-		session = sessionOpt;
-	    }
-	} else if (nssSession_IsReadWrite(tok->defaultSession)) {
-	    session = tok->defaultSession;
-	} else {
-	    session = nssSlot_CreateSession(tok->slot, NULL, PR_TRUE);
-	    createdSession = PR_TRUE;
-	}
-    } else {
-	session = (sessionOpt) ? sessionOpt : tok->defaultSession;
-    }
-    if (session == NULL) {
-	return CK_INVALID_HANDLE;
-    }
-    nssSession_EnterMonitor(session);
-    ckrv = CKAPI(epv)->C_CreateObject(session->handle, 
-                                      objectTemplate, otsize,
-                                      &handle);
-    nssSession_ExitMonitor(session);
-    if (ckrv == CKR_OK) {
-	object = nssCryptokiObject_Create(tok, session, handle);
-    }
-    if (createdSession) {
-	nssSession_Destroy(session);
-    }
-    return object;
-}
-
-static nssCryptokiObject **
-create_objects_from_handles (
-  NSSToken *tok,
-  nssSession *session,
-  CK_OBJECT_HANDLE *handles,
-  PRUint32 numH
-)
-{
-    nssCryptokiObject **objects;
-    objects = nss_ZNEWARRAY(NULL, nssCryptokiObject *, numH + 1);
-    if (objects) {
-	PRInt32 i;
-	for (i=0; i<(PRInt32)numH; i++) {
-	    objects[i] = nssCryptokiObject_Create(tok, session, handles[i]);
-	    if (!objects[i]) {
-		for (--i; i>0; --i) {
-		    nssCryptokiObject_Destroy(objects[i]);
-		}
-		return (nssCryptokiObject **)NULL;
-	    }
-	}
-    }
-    return objects;
-}
-
-static nssCryptokiObject **
-find_objects (
-  NSSToken *tok,
-  nssSession *sessionOpt,
-  CK_ATTRIBUTE_PTR obj_template,
-  CK_ULONG otsize,
-  PRUint32 maximumOpt,
-  PRStatus *statusOpt
-)
-{
-    CK_RV ckrv = CKR_OK;
-    CK_ULONG count;
-    CK_OBJECT_HANDLE *objectHandles;
-    CK_OBJECT_HANDLE staticObjects[OBJECT_STACK_SIZE];
-    PRUint32 arraySize, numHandles;
-    void *epv = nssToken_GetCryptokiEPV(tok);
-    nssCryptokiObject **objects;
-    nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession;
-
-    /* the arena is only for the array of object handles */
-    if (maximumOpt > 0) {
-	arraySize = maximumOpt;
-    } else {
-	arraySize = OBJECT_STACK_SIZE;
-    }
-    numHandles = 0;
-    if (arraySize <= OBJECT_STACK_SIZE) {
-	objectHandles = staticObjects;
-    } else {
-	objectHandles = nss_ZNEWARRAY(NULL, CK_OBJECT_HANDLE, arraySize);
-    }
-    if (!objectHandles) {
-	ckrv = CKR_HOST_MEMORY;
-	goto loser;
-    }
-    nssSession_EnterMonitor(session); /* ==== session lock === */
-    /* Initialize the find with the template */
-    ckrv = CKAPI(epv)->C_FindObjectsInit(session->handle, 
-                                         obj_template, otsize);
-    if (ckrv != CKR_OK) {
-	nssSession_ExitMonitor(session);
-	goto loser;
-    }
-    while (PR_TRUE) {
-	/* Issue the find for up to arraySize - numHandles objects */
-	ckrv = CKAPI(epv)->C_FindObjects(session->handle, 
-	                                 objectHandles + numHandles, 
-	                                 arraySize - numHandles, 
-	                                 &count);
-	if (ckrv != CKR_OK) {
-	    nssSession_ExitMonitor(session);
-	    goto loser;
-	}
-	/* bump the number of found objects */
-	numHandles += count;
-	if (maximumOpt > 0 || numHandles < arraySize) {
-	    /* When a maximum is provided, the search is done all at once,
-	     * so the search is finished.  If the number returned was less 
-	     * than the number sought, the search is finished.
-	     */
-	    break;
-	}
-	/* the array is filled, double it and continue */
-	arraySize *= 2;
-	if (objectHandles == staticObjects) {
-	    objectHandles = nss_ZNEWARRAY(NULL,CK_OBJECT_HANDLE, arraySize);
-	    if (objectHandles) {
-		PORT_Memcpy(objectHandles, staticObjects, 
-			OBJECT_STACK_SIZE * sizeof(objectHandles[1]));
-	    }
-	} else {
-	    objectHandles = nss_ZREALLOCARRAY(objectHandles, 
-	                                  CK_OBJECT_HANDLE, 
-	                                  arraySize);
-	}
-	if (!objectHandles) {
-	    nssSession_ExitMonitor(session);
-	    ckrv = CKR_HOST_MEMORY;
-	    goto loser;
-	}
-    }
-    ckrv = CKAPI(epv)->C_FindObjectsFinal(session->handle);
-    nssSession_ExitMonitor(session); /* ==== end session lock === */
-    if (ckrv != CKR_OK) {
-	goto loser;
-    }
-    if (numHandles > 0) {
-	objects = create_objects_from_handles(tok, session,
-	                                      objectHandles, numHandles);
-    } else {
-	nss_SetError(NSS_ERROR_NOT_FOUND);
-	objects = NULL;
-    }
-    if (objectHandles && objectHandles != staticObjects) {
-	nss_ZFreeIf(objectHandles);
-    }
-    if (statusOpt) *statusOpt = PR_SUCCESS;
-    return objects;
-loser:
-    if (objectHandles && objectHandles != staticObjects) {
-	nss_ZFreeIf(objectHandles);
-    }
-    /*
-     * These errors should be treated the same as if the objects just weren't
-     * found..
-     */
-    if ((ckrv == CKR_ATTRIBUTE_TYPE_INVALID) ||
-	(ckrv == CKR_ATTRIBUTE_VALUE_INVALID) ||
-	(ckrv == CKR_DATA_INVALID) ||
-	(ckrv == CKR_DATA_LEN_RANGE) ||
-	(ckrv == CKR_FUNCTION_NOT_SUPPORTED) ||
-	(ckrv == CKR_TEMPLATE_INCOMPLETE) ||
-	(ckrv == CKR_TEMPLATE_INCONSISTENT)) {
-
-	nss_SetError(NSS_ERROR_NOT_FOUND);
-	if (statusOpt) *statusOpt = PR_SUCCESS;
-    } else {
-	if (statusOpt) *statusOpt = PR_FAILURE;
-    }
-    return (nssCryptokiObject **)NULL;
-}
-
-static nssCryptokiObject **
-find_objects_by_template (
-  NSSToken *token,
-  nssSession *sessionOpt,
-  CK_ATTRIBUTE_PTR obj_template,
-  CK_ULONG otsize,
-  PRUint32 maximumOpt,
-  PRStatus *statusOpt
-)
-{
-    CK_OBJECT_CLASS objclass = (CK_OBJECT_CLASS)-1;
-    nssCryptokiObject **objects = NULL;
-    PRUint32 i;
-    for (i=0; i<otsize; i++) {
-	if (obj_template[i].type == CKA_CLASS) {
-	    objclass = *(CK_OBJECT_CLASS *)obj_template[i].pValue;
-	    break;
-	}
-    }
-    PR_ASSERT(i < otsize);
-    if (i == otsize) {
-#ifdef NSS_3_4_CODE
-	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-#endif
-	if (statusOpt) *statusOpt = PR_FAILURE;
-	return NULL;
-    }
-    /* If these objects are being cached, try looking there first */
-    if (token->cache && 
-        nssTokenObjectCache_HaveObjectClass(token->cache, objclass)) 
-    {
-	PRStatus status;
-	objects = nssTokenObjectCache_FindObjectsByTemplate(token->cache,
-	                                                    objclass,
-	                                                    obj_template,
-	                                                    otsize,
-	                                                    maximumOpt,
-	                                                    &status);
-	if (status == PR_SUCCESS) {
-	    if (statusOpt) *statusOpt = status;
-	    return objects;
-	}
-    }
-    /* Either they are not cached, or cache failed; look on token. */
-    objects = find_objects(token, sessionOpt, 
-                           obj_template, otsize, 
-                           maximumOpt, statusOpt);
-    return objects;
-}
-
-extern const NSSError NSS_ERROR_INVALID_CERTIFICATE;
-
-NSS_IMPLEMENT nssCryptokiObject *
-nssToken_ImportCertificate (
-  NSSToken *tok,
-  nssSession *sessionOpt,
-  NSSCertificateType certType,
-  NSSItem *id,
-  NSSUTF8 *nickname,
-  NSSDER *encoding,
-  NSSDER *issuer,
-  NSSDER *subject,
-  NSSDER *serial,
-  NSSASCII7 *email,
-  PRBool asTokenObject
-)
-{
-    PRStatus status;
-    CK_CERTIFICATE_TYPE cert_type;
-    CK_ATTRIBUTE_PTR attr;
-    CK_ATTRIBUTE cert_tmpl[10];
-    CK_ULONG ctsize;
-    nssTokenSearchType searchType;
-    nssCryptokiObject *rvObject = NULL;
-
-    if (certType == NSSCertificateType_PKIX) {
-	cert_type = CKC_X_509;
-    } else {
-	return (nssCryptokiObject *)NULL;
-    }
-    NSS_CK_TEMPLATE_START(cert_tmpl, attr, ctsize);
-    if (asTokenObject) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
-	searchType = nssTokenSearchType_TokenOnly;
-    } else {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-	searchType = nssTokenSearchType_SessionOnly;
-    }
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS,            &g_ck_class_cert);
-    NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CERTIFICATE_TYPE,  cert_type);
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ID,                id);
-    NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_LABEL,             nickname);
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_VALUE,             encoding);
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ISSUER,            issuer);
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT,           subject);
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SERIAL_NUMBER,     serial);
-    if (email) {
-	NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_NETSCAPE_EMAIL,    email);
-    }
-    NSS_CK_TEMPLATE_FINISH(cert_tmpl, attr, ctsize);
-    /* see if the cert is already there */
-    rvObject = nssToken_FindCertificateByIssuerAndSerialNumber(tok,
-                                                               sessionOpt,
-                                                               issuer,
-                                                               serial,
-                                                               searchType,
-                                                               NULL);
-    if (rvObject) {
-	NSSItem existingDER;
-	NSSSlot *slot = nssToken_GetSlot(tok);
-	nssSession *session = nssSlot_CreateSession(slot, NULL, PR_TRUE);
-	if (!session) {
-	    nssCryptokiObject_Destroy(rvObject);
-	    nssSlot_Destroy(slot);
-	    return (nssCryptokiObject *)NULL;
-	}
-	/* Reject any attempt to import a new cert that has the same
-	 * issuer/serial as an existing cert, but does not have the
-	 * same encoding
-	 */
-	NSS_CK_TEMPLATE_START(cert_tmpl, attr, ctsize);
-	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_VALUE);
-	NSS_CK_TEMPLATE_FINISH(cert_tmpl, attr, ctsize);
-	status = nssCKObject_GetAttributes(rvObject->handle, 
-	                                   cert_tmpl, ctsize, NULL,
-	                                   session, slot);
-	NSS_CK_ATTRIBUTE_TO_ITEM(cert_tmpl, &existingDER);
-	if (status == PR_SUCCESS) {
-	    if (!nssItem_Equal(encoding, &existingDER, NULL)) {
-		nss_SetError(NSS_ERROR_INVALID_CERTIFICATE);
-		status = PR_FAILURE;
-	    }
-	    nss_ZFreeIf(existingDER.data);
-	}
-	if (status == PR_FAILURE) {
-	    nssCryptokiObject_Destroy(rvObject);
-	    nssSession_Destroy(session);
-	    nssSlot_Destroy(slot);
-	    return (nssCryptokiObject *)NULL;
-	}
-	/* according to PKCS#11, label, ID, issuer, and serial number 
-	 * may change after the object has been created.  For PKIX, the
-	 * last two attributes can't change, so for now we'll only worry
-	 * about the first two.
-	 */
-	NSS_CK_TEMPLATE_START(cert_tmpl, attr, ctsize);
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ID,    id);
-	NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_LABEL, nickname);
-	NSS_CK_TEMPLATE_FINISH(cert_tmpl, attr, ctsize);
-	/* reset the mutable attributes on the token */
-	nssCKObject_SetAttributes(rvObject->handle, 
-	                          cert_tmpl, ctsize,
-	                          session, slot);
-	if (!rvObject->label && nickname) {
-	    rvObject->label = nssUTF8_Duplicate(nickname, NULL);
-	}
-	nssSession_Destroy(session);
-	nssSlot_Destroy(slot);
-    } else {
-	/* Import the certificate onto the token */
-	rvObject = import_object(tok, sessionOpt, cert_tmpl, ctsize);
-    }
-    if (rvObject && tok->cache) {
-	/* The cache will overwrite the attributes if the object already
-	 * exists.
-	 */
-	nssTokenObjectCache_ImportObject(tok->cache, rvObject,
-	                                 CKO_CERTIFICATE,
-	                                 cert_tmpl, ctsize);
-    }
-    return rvObject;
-}
-
-/* traverse all certificates - this should only happen if the token
- * has been marked as "traversable"
- */
-NSS_IMPLEMENT nssCryptokiObject **
-nssToken_FindCertificates (
-  NSSToken *token,
-  nssSession *sessionOpt,
-  nssTokenSearchType searchType,
-  PRUint32 maximumOpt,
-  PRStatus *statusOpt
-)
-{
-    CK_ATTRIBUTE_PTR attr;
-    CK_ATTRIBUTE cert_template[2];
-    CK_ULONG ctsize;
-    nssCryptokiObject **objects;
-    NSS_CK_TEMPLATE_START(cert_template, attr, ctsize);
-    /* Set the search to token/session only if provided */
-    if (searchType == nssTokenSearchType_SessionOnly) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    } else if (searchType == nssTokenSearchType_TokenOnly ||
-               searchType == nssTokenSearchType_TokenForced) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
-    }
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
-    NSS_CK_TEMPLATE_FINISH(cert_template, attr, ctsize);
-
-    if (searchType == nssTokenSearchType_TokenForced) {
-	objects = find_objects(token, sessionOpt,
-	                       cert_template, ctsize,
-	                       maximumOpt, statusOpt);
-    } else {
-	objects = find_objects_by_template(token, sessionOpt,
-	                                   cert_template, ctsize,
-	                                   maximumOpt, statusOpt);
-    }
-    return objects;
-}
-
-NSS_IMPLEMENT nssCryptokiObject **
-nssToken_FindCertificatesBySubject (
-  NSSToken *token,
-  nssSession *sessionOpt,
-  NSSDER *subject,
-  nssTokenSearchType searchType,
-  PRUint32 maximumOpt,
-  PRStatus *statusOpt
-)
-{
-    CK_ATTRIBUTE_PTR attr;
-    CK_ATTRIBUTE subj_template[3];
-    CK_ULONG stsize;
-    nssCryptokiObject **objects;
-    NSS_CK_TEMPLATE_START(subj_template, attr, stsize);
-    /* Set the search to token/session only if provided */
-    if (searchType == nssTokenSearchType_SessionOnly) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    } else if (searchType == nssTokenSearchType_TokenOnly) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
-    }
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT, subject);
-    NSS_CK_TEMPLATE_FINISH(subj_template, attr, stsize);
-    /* now locate the token certs matching this template */
-    objects = find_objects_by_template(token, sessionOpt,
-                                       subj_template, stsize,
-                                       maximumOpt, statusOpt);
-    return objects;
-}
-
-NSS_IMPLEMENT nssCryptokiObject **
-nssToken_FindCertificatesByNickname (
-  NSSToken *token,
-  nssSession *sessionOpt,
-  NSSUTF8 *name,
-  nssTokenSearchType searchType,
-  PRUint32 maximumOpt,
-  PRStatus *statusOpt
-)
-{
-    CK_ATTRIBUTE_PTR attr;
-    CK_ATTRIBUTE nick_template[3];
-    CK_ULONG ntsize;
-    nssCryptokiObject **objects;
-    NSS_CK_TEMPLATE_START(nick_template, attr, ntsize);
-    NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_LABEL, name);
-    /* Set the search to token/session only if provided */
-    if (searchType == nssTokenSearchType_SessionOnly) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    } else if (searchType == nssTokenSearchType_TokenOnly) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
-    }
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
-    NSS_CK_TEMPLATE_FINISH(nick_template, attr, ntsize);
-    /* now locate the token certs matching this template */
-    objects = find_objects_by_template(token, sessionOpt,
-                                       nick_template, ntsize, 
-                                       maximumOpt, statusOpt);
-    if (!objects) {
-	/* This is to workaround the fact that PKCS#11 doesn't specify
-	 * whether the '\0' should be included.  XXX Is that still true?
-	 * im - this is not needed by the current softoken.  However, I'm 
-	 * leaving it in until I have surveyed more tokens to see if it needed.
-	 * well, its needed by the builtin token...
-	 */
-	nick_template[0].ulValueLen++;
-	objects = find_objects_by_template(token, sessionOpt,
-	                                   nick_template, ntsize, 
-	                                   maximumOpt, statusOpt);
-    }
-    return objects;
-}
-
-/* XXX
- * This function *does not* use the token object cache, because not even
- * the softoken will return a value for CKA_NETSCAPE_EMAIL from a call
- * to GetAttributes.  The softoken does allow searches with that attribute,
- * it just won't return a value for it.
- */
-NSS_IMPLEMENT nssCryptokiObject **
-nssToken_FindCertificatesByEmail (
-  NSSToken *token,
-  nssSession *sessionOpt,
-  NSSASCII7 *email,
-  nssTokenSearchType searchType,
-  PRUint32 maximumOpt,
-  PRStatus *statusOpt
-)
-{
-    CK_ATTRIBUTE_PTR attr;
-    CK_ATTRIBUTE email_template[3];
-    CK_ULONG etsize;
-    nssCryptokiObject **objects;
-    NSS_CK_TEMPLATE_START(email_template, attr, etsize);
-    NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_NETSCAPE_EMAIL, email);
-    /* Set the search to token/session only if provided */
-    if (searchType == nssTokenSearchType_SessionOnly) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    } else if (searchType == nssTokenSearchType_TokenOnly) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
-    }
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
-    NSS_CK_TEMPLATE_FINISH(email_template, attr, etsize);
-    /* now locate the token certs matching this template */
-    objects = find_objects(token, sessionOpt,
-                           email_template, etsize,
-                           maximumOpt, statusOpt);
-    if (!objects) {
-	/* This is to workaround the fact that PKCS#11 doesn't specify
-	 * whether the '\0' should be included.  XXX Is that still true?
-	 * im - this is not needed by the current softoken.  However, I'm 
-	 * leaving it in until I have surveyed more tokens to see if it needed.
-	 * well, its needed by the builtin token...
-	 */
-	email_template[0].ulValueLen++;
-	objects = find_objects(token, sessionOpt,
-	                       email_template, etsize,
-	                       maximumOpt, statusOpt);
-    }
-    return objects;
-}
-
-NSS_IMPLEMENT nssCryptokiObject **
-nssToken_FindCertificatesByID (
-  NSSToken *token,
-  nssSession *sessionOpt,
-  NSSItem *id,
-  nssTokenSearchType searchType,
-  PRUint32 maximumOpt,
-  PRStatus *statusOpt
-)
-{
-    CK_ATTRIBUTE_PTR attr;
-    CK_ATTRIBUTE id_template[3];
-    CK_ULONG idtsize;
-    nssCryptokiObject **objects;
-    NSS_CK_TEMPLATE_START(id_template, attr, idtsize);
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ID, id);
-    /* Set the search to token/session only if provided */
-    if (searchType == nssTokenSearchType_SessionOnly) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    } else if (searchType == nssTokenSearchType_TokenOnly) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
-    }
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
-    NSS_CK_TEMPLATE_FINISH(id_template, attr, idtsize);
-    /* now locate the token certs matching this template */
-    objects = find_objects_by_template(token, sessionOpt,
-                                       id_template, idtsize,
-                                       maximumOpt, statusOpt);
-    return objects;
-}
-
-/*
- * decode the serial item and return our result.
- * NOTE serialDecode's data is really stored in serial. Don't free it.
- */
-static PRStatus
-nssToken_decodeSerialItem(NSSItem *serial, NSSItem *serialDecode)
-{
-    unsigned char *data = (unsigned char *)serial->data;
-    int data_left, data_len, index;
-
-    if ((serial->size >= 3) && (data[0] == 0x2)) {
-	/* remove the der encoding of the serial number before generating the
-	 * key.. */
-	data_left = serial->size-2;
-	data_len = data[1];
-	index = 2;
-
-	/* extended length ? (not very likely for a serial number) */
-	if (data_len & 0x80) {
-	    int len_count = data_len & 0x7f;
-
-	    data_len = 0;
-	    data_left -= len_count;
-	    if (data_left > 0) {
-		while (len_count --) {
-		    data_len = (data_len << 8) | data[index++];
-		}
-	    } 
-	}
-	/* XXX leaving any leading zeros on the serial number for backwards
-	 * compatibility
-	 */
-	/* not a valid der, must be just an unlucky serial number value */
-	if (data_len == data_left) {
-	    serialDecode->size = data_len;
-	    serialDecode->data = &data[index];
-	    return PR_SUCCESS;
-	}
-    }
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT nssCryptokiObject *
-nssToken_FindCertificateByIssuerAndSerialNumber (
-  NSSToken *token,
-  nssSession *sessionOpt,
-  NSSDER *issuer,
-  NSSDER *serial,
-  nssTokenSearchType searchType,
-  PRStatus *statusOpt
-)
-{
-    CK_ATTRIBUTE_PTR attr;
-    CK_ATTRIBUTE_PTR serialAttr;
-    CK_ATTRIBUTE cert_template[4];
-    CK_ULONG ctsize;
-    nssCryptokiObject **objects;
-    nssCryptokiObject *rvObject = NULL;
-    NSS_CK_TEMPLATE_START(cert_template, attr, ctsize);
-    /* Set the search to token/session only if provided */
-    if (searchType == nssTokenSearchType_SessionOnly) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    } else if ((searchType == nssTokenSearchType_TokenOnly) ||
-               (searchType == nssTokenSearchType_TokenForced)) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
-    }
-    /* Set the unique id */
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS,         &g_ck_class_cert);
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ISSUER,         issuer);
-    serialAttr = attr;
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SERIAL_NUMBER,  serial);
-    NSS_CK_TEMPLATE_FINISH(cert_template, attr, ctsize);
-    /* get the object handle */
-    if (searchType == nssTokenSearchType_TokenForced) {
-	objects = find_objects(token, sessionOpt,
-	                       cert_template, ctsize,
-	                       1, statusOpt);
-    } else {
-	objects = find_objects_by_template(token, sessionOpt,
-                                       cert_template, ctsize,
-                                       1, statusOpt);
-    }
-    if (objects) {
-	rvObject = objects[0];
-	nss_ZFreeIf(objects);
-    }
-
-    /*
-     * NSS used to incorrectly store serial numbers in their decoded form.
-     * because of this old tokens have decoded serial numbers.
-     */
-    if (!objects) {
-	NSSItem serialDecode;
-	PRStatus status;
-
-	status = nssToken_decodeSerialItem(serial, &serialDecode);
-	if (status != PR_SUCCESS) {
-	    return NULL;
-	}
-    	NSS_CK_SET_ATTRIBUTE_ITEM(serialAttr,CKA_SERIAL_NUMBER,&serialDecode);
-	if (searchType == nssTokenSearchType_TokenForced) {
-	    objects = find_objects(token, sessionOpt,
-	                       cert_template, ctsize,
-	                       1, statusOpt);
-	} else {
-	    objects = find_objects_by_template(token, sessionOpt,
-                                       cert_template, ctsize,
-                                       1, statusOpt);
-	}
-	if (objects) {
-	    rvObject = objects[0];
-	    nss_ZFreeIf(objects);
-	}
-    }
-    return rvObject;
-}
-
-NSS_IMPLEMENT nssCryptokiObject *
-nssToken_FindCertificateByEncodedCertificate (
-  NSSToken *token,
-  nssSession *sessionOpt,
-  NSSBER *encodedCertificate,
-  nssTokenSearchType searchType,
-  PRStatus *statusOpt
-)
-{
-    CK_ATTRIBUTE_PTR attr;
-    CK_ATTRIBUTE cert_template[3];
-    CK_ULONG ctsize;
-    nssCryptokiObject **objects;
-    nssCryptokiObject *rvObject = NULL;
-    NSS_CK_TEMPLATE_START(cert_template, attr, ctsize);
-    /* Set the search to token/session only if provided */
-    if (searchType == nssTokenSearchType_SessionOnly) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    } else if (searchType == nssTokenSearchType_TokenOnly) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
-    }
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_VALUE, encodedCertificate);
-    NSS_CK_TEMPLATE_FINISH(cert_template, attr, ctsize);
-    /* get the object handle */
-    objects = find_objects_by_template(token, sessionOpt,
-                                       cert_template, ctsize,
-                                       1, statusOpt);
-    if (objects) {
-	rvObject = objects[0];
-	nss_ZFreeIf(objects);
-    }
-    return rvObject;
-}
-
-NSS_IMPLEMENT nssCryptokiObject **
-nssToken_FindPrivateKeys (
-  NSSToken *token,
-  nssSession *sessionOpt,
-  nssTokenSearchType searchType,
-  PRUint32 maximumOpt,
-  PRStatus *statusOpt
-)
-{
-    CK_ATTRIBUTE_PTR attr;
-    CK_ATTRIBUTE key_template[2];
-    CK_ULONG ktsize;
-    nssCryptokiObject **objects;
-
-    NSS_CK_TEMPLATE_START(key_template, attr, ktsize);
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_privkey);
-    if (searchType == nssTokenSearchType_SessionOnly) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    } else if (searchType == nssTokenSearchType_TokenOnly) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
-    }
-    NSS_CK_TEMPLATE_FINISH(key_template, attr, ktsize);
-
-    objects = find_objects_by_template(token, sessionOpt,
-                                       key_template, ktsize, 
-                                       maximumOpt, statusOpt);
-    return objects;
-}
-
-/* XXX ?there are no session cert objects, so only search token objects */
-NSS_IMPLEMENT nssCryptokiObject *
-nssToken_FindPrivateKeyByID (
-  NSSToken *token,
-  nssSession *sessionOpt,
-  NSSItem *keyID
-)
-{
-    CK_ATTRIBUTE_PTR attr;
-    CK_ATTRIBUTE key_template[3];
-    CK_ULONG ktsize;
-    nssCryptokiObject **objects;
-    nssCryptokiObject *rvKey = NULL;
-
-    NSS_CK_TEMPLATE_START(key_template, attr, ktsize);
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_privkey);
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ID, keyID);
-    NSS_CK_TEMPLATE_FINISH(key_template, attr, ktsize);
-
-    objects = find_objects_by_template(token, sessionOpt,
-                                       key_template, ktsize, 
-                                       1, NULL);
-    if (objects) {
-	rvKey = objects[0];
-	nss_ZFreeIf(objects);
-    }
-    return rvKey;
-}
-
-/* XXX ?there are no session cert objects, so only search token objects */
-NSS_IMPLEMENT nssCryptokiObject *
-nssToken_FindPublicKeyByID (
-  NSSToken *token,
-  nssSession *sessionOpt,
-  NSSItem *keyID
-)
-{
-    CK_ATTRIBUTE_PTR attr;
-    CK_ATTRIBUTE key_template[3];
-    CK_ULONG ktsize;
-    nssCryptokiObject **objects;
-    nssCryptokiObject *rvKey = NULL;
-
-    NSS_CK_TEMPLATE_START(key_template, attr, ktsize);
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_pubkey);
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ID, keyID);
-    NSS_CK_TEMPLATE_FINISH(key_template, attr, ktsize);
-
-    objects = find_objects_by_template(token, sessionOpt,
-                                       key_template, ktsize, 
-                                       1, NULL);
-    if (objects) {
-	rvKey = objects[0];
-	nss_ZFreeIf(objects);
-    }
-    return rvKey;
-}
-
-static void
-sha1_hash(NSSItem *input, NSSItem *output)
-{
-    NSSAlgorithmAndParameters *ap;
-#ifdef NSS_3_4_CODE
-    PK11SlotInfo *internal = PK11_GetInternalSlot();
-    NSSToken *token = PK11Slot_GetNSSToken(internal);
-#else
-    NSSToken *token = nss_GetDefaultCryptoToken();
-#endif
-    ap = NSSAlgorithmAndParameters_CreateSHA1Digest(NULL);
-    (void)nssToken_Digest(token, NULL, ap, input, output, NULL);
-#ifdef NSS_3_4_CODE
-    PK11_FreeSlot(token->pk11slot);
-#endif
-    nss_ZFreeIf(ap);
-}
-
-static void
-md5_hash(NSSItem *input, NSSItem *output)
-{
-    NSSAlgorithmAndParameters *ap;
-#ifdef NSS_3_4_CODE
-    PK11SlotInfo *internal = PK11_GetInternalSlot();
-    NSSToken *token = PK11Slot_GetNSSToken(internal);
-#else
-    NSSToken *token = nss_GetDefaultCryptoToken();
-#endif
-    ap = NSSAlgorithmAndParameters_CreateMD5Digest(NULL);
-    (void)nssToken_Digest(token, NULL, ap, input, output, NULL);
-#ifdef NSS_3_4_CODE
-    PK11_FreeSlot(token->pk11slot);
-#endif
-    nss_ZFreeIf(ap);
-}
-
-static CK_TRUST
-get_ck_trust (
-  nssTrustLevel nssTrust
-)
-{
-    CK_TRUST t;
-    switch (nssTrust) {
-    case nssTrustLevel_NotTrusted: t = CKT_NETSCAPE_UNTRUSTED; break;
-    case nssTrustLevel_TrustedDelegator: t = CKT_NETSCAPE_TRUSTED_DELEGATOR; 
-	break;
-    case nssTrustLevel_ValidDelegator: t = CKT_NETSCAPE_VALID_DELEGATOR; break;
-    case nssTrustLevel_Trusted: t = CKT_NETSCAPE_TRUSTED; break;
-    case nssTrustLevel_Valid: t = CKT_NETSCAPE_VALID; break;
-    case nssTrustLevel_Unknown:
-    default: t = CKT_NETSCAPE_TRUST_UNKNOWN; break;
-    }
-    return t;
-}
- 
-NSS_IMPLEMENT nssCryptokiObject *
-nssToken_ImportTrust (
-  NSSToken *tok,
-  nssSession *sessionOpt,
-  NSSDER *certEncoding,
-  NSSDER *certIssuer,
-  NSSDER *certSerial,
-  nssTrustLevel serverAuth,
-  nssTrustLevel clientAuth,
-  nssTrustLevel codeSigning,
-  nssTrustLevel emailProtection,
-  PRBool stepUpApproved,
-  PRBool asTokenObject
-)
-{
-    nssCryptokiObject *object;
-    CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST;
-    CK_TRUST ckSA, ckCA, ckCS, ckEP;
-    CK_ATTRIBUTE_PTR attr;
-    CK_ATTRIBUTE trust_tmpl[11];
-    CK_ULONG tsize;
-    PRUint8 sha1[20]; /* this is cheating... */
-    PRUint8 md5[16];
-    NSSItem sha1_result, md5_result;
-    sha1_result.data = sha1; sha1_result.size = sizeof sha1;
-    md5_result.data = md5; md5_result.size = sizeof md5;
-    sha1_hash(certEncoding, &sha1_result);
-    md5_hash(certEncoding, &md5_result);
-    ckSA = get_ck_trust(serverAuth);
-    ckCA = get_ck_trust(clientAuth);
-    ckCS = get_ck_trust(codeSigning);
-    ckEP = get_ck_trust(emailProtection);
-    NSS_CK_TEMPLATE_START(trust_tmpl, attr, tsize);
-    if (asTokenObject) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
-    } else {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    }
-    NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS,           tobjc);
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ISSUER,          certIssuer);
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SERIAL_NUMBER,   certSerial);
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CERT_SHA1_HASH, &sha1_result);
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CERT_MD5_HASH,  &md5_result);
-    /* now set the trust values */
-    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_SERVER_AUTH,      ckSA);
-    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_CLIENT_AUTH,      ckCA);
-    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_CODE_SIGNING,     ckCS);
-    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_EMAIL_PROTECTION, ckEP);
-    if (stepUpApproved) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TRUST_STEP_UP_APPROVED, 
-	                          &g_ck_true);
-    } else {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TRUST_STEP_UP_APPROVED, 
-	                          &g_ck_false);
-    }
-    NSS_CK_TEMPLATE_FINISH(trust_tmpl, attr, tsize);
-    /* import the trust object onto the token */
-    object = import_object(tok, sessionOpt, trust_tmpl, tsize);
-    if (object && tok->cache) {
-	nssTokenObjectCache_ImportObject(tok->cache, object, tobjc,
-	                                 trust_tmpl, tsize);
-    }
-    return object;
-}
-
-NSS_IMPLEMENT nssCryptokiObject **
-nssToken_FindTrustObjects (
-  NSSToken *token,
-  nssSession *sessionOpt,
-  nssTokenSearchType searchType,
-  PRUint32 maximumOpt,
-  PRStatus *statusOpt
-)
-{
-    CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST;
-    CK_ATTRIBUTE_PTR attr;
-    CK_ATTRIBUTE tobj_template[2];
-    CK_ULONG tobj_size;
-    nssCryptokiObject **objects;
-    nssSession *session = sessionOpt ? sessionOpt : token->defaultSession;
-
-    NSS_CK_TEMPLATE_START(tobj_template, attr, tobj_size);
-    if (searchType == nssTokenSearchType_SessionOnly) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    } else if (searchType == nssTokenSearchType_TokenOnly ||
-               searchType == nssTokenSearchType_TokenForced) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
-    }
-    NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS, tobjc);
-    NSS_CK_TEMPLATE_FINISH(tobj_template, attr, tobj_size);
-
-    if (searchType == nssTokenSearchType_TokenForced) {
-	objects = find_objects(token, session,
-	                       tobj_template, tobj_size,
-	                       maximumOpt, statusOpt);
-    } else {
-	objects = find_objects_by_template(token, session,
-	                                   tobj_template, tobj_size,
-	                                   maximumOpt, statusOpt);
-    }
-    return objects;
-}
-
-NSS_IMPLEMENT nssCryptokiObject *
-nssToken_FindTrustForCertificate (
-  NSSToken *token,
-  nssSession *sessionOpt,
-  NSSDER *certEncoding,
-  NSSDER *certIssuer,
-  NSSDER *certSerial,
-  nssTokenSearchType searchType
-)
-{
-    CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST;
-    CK_ATTRIBUTE_PTR attr;
-    CK_ATTRIBUTE tobj_template[5];
-    CK_ULONG tobj_size;
-    nssSession *session = sessionOpt ? sessionOpt : token->defaultSession;
-    nssCryptokiObject *object, **objects;
-
-    NSS_CK_TEMPLATE_START(tobj_template, attr, tobj_size);
-    if (searchType == nssTokenSearchType_SessionOnly) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    } else if (searchType == nssTokenSearchType_TokenOnly) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
-    }
-    NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS,          tobjc);
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ISSUER,         certIssuer);
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SERIAL_NUMBER , certSerial);
-    NSS_CK_TEMPLATE_FINISH(tobj_template, attr, tobj_size);
-    object = NULL;
-    objects = find_objects_by_template(token, session,
-                                       tobj_template, tobj_size,
-                                       1, NULL);
-    if (objects) {
-	object = objects[0];
-	nss_ZFreeIf(objects);
-    }
-    return object;
-}
- 
-NSS_IMPLEMENT nssCryptokiObject *
-nssToken_ImportCRL (
-  NSSToken *token,
-  nssSession *sessionOpt,
-  NSSDER *subject,
-  NSSDER *encoding,
-  PRBool isKRL,
-  NSSUTF8 *url,
-  PRBool asTokenObject
-)
-{
-    nssCryptokiObject *object;
-    CK_OBJECT_CLASS crlobjc = CKO_NETSCAPE_CRL;
-    CK_ATTRIBUTE_PTR attr;
-    CK_ATTRIBUTE crl_tmpl[6];
-    CK_ULONG crlsize;
-
-    NSS_CK_TEMPLATE_START(crl_tmpl, attr, crlsize);
-    if (asTokenObject) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
-    } else {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    }
-    NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS,        crlobjc);
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT,      subject);
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_VALUE,        encoding);
-    NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_NETSCAPE_URL, url);
-    if (isKRL) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_NETSCAPE_KRL, &g_ck_true);
-    } else {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_NETSCAPE_KRL, &g_ck_false);
-    }
-    NSS_CK_TEMPLATE_FINISH(crl_tmpl, attr, crlsize);
-
-    /* import the crl object onto the token */
-    object = import_object(token, sessionOpt, crl_tmpl, crlsize);
-    if (object && token->cache) {
-	nssTokenObjectCache_ImportObject(token->cache, object, crlobjc,
-	                                 crl_tmpl, crlsize);
-    }
-    return object;
-}
-
-NSS_IMPLEMENT nssCryptokiObject **
-nssToken_FindCRLs (
-  NSSToken *token,
-  nssSession *sessionOpt,
-  nssTokenSearchType searchType,
-  PRUint32 maximumOpt,
-  PRStatus *statusOpt
-)
-{
-    CK_OBJECT_CLASS crlobjc = CKO_NETSCAPE_CRL;
-    CK_ATTRIBUTE_PTR attr;
-    CK_ATTRIBUTE crlobj_template[2];
-    CK_ULONG crlobj_size;
-    nssCryptokiObject **objects;
-    nssSession *session = sessionOpt ? sessionOpt : token->defaultSession;
-
-    NSS_CK_TEMPLATE_START(crlobj_template, attr, crlobj_size);
-    if (searchType == nssTokenSearchType_SessionOnly) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    } else if (searchType == nssTokenSearchType_TokenOnly ||
-               searchType == nssTokenSearchType_TokenForced) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
-    }
-    NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS, crlobjc);
-    NSS_CK_TEMPLATE_FINISH(crlobj_template, attr, crlobj_size);
-
-    if (searchType == nssTokenSearchType_TokenForced) {
-	objects = find_objects(token, session,
-	                       crlobj_template, crlobj_size,
-	                       maximumOpt, statusOpt);
-    } else {
-	objects = find_objects_by_template(token, session,
-	                                   crlobj_template, crlobj_size,
-	                                   maximumOpt, statusOpt);
-    }
-    return objects;
-}
-
-NSS_IMPLEMENT nssCryptokiObject **
-nssToken_FindCRLsBySubject (
-  NSSToken *token,
-  nssSession *sessionOpt,
-  NSSDER *subject,
-  nssTokenSearchType searchType,
-  PRUint32 maximumOpt,
-  PRStatus *statusOpt
-)
-{
-    CK_OBJECT_CLASS crlobjc = CKO_NETSCAPE_CRL;
-    CK_ATTRIBUTE_PTR attr;
-    CK_ATTRIBUTE crlobj_template[3];
-    CK_ULONG crlobj_size;
-    nssCryptokiObject **objects;
-    nssSession *session = sessionOpt ? sessionOpt : token->defaultSession;
-
-    NSS_CK_TEMPLATE_START(crlobj_template, attr, crlobj_size);
-    if (searchType == nssTokenSearchType_SessionOnly) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    } else if (searchType == nssTokenSearchType_TokenOnly ||
-               searchType == nssTokenSearchType_TokenForced) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
-    }
-    NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS, crlobjc);
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT, subject);
-    NSS_CK_TEMPLATE_FINISH(crlobj_template, attr, crlobj_size);
-
-    objects = find_objects_by_template(token, session,
-                                       crlobj_template, crlobj_size,
-                                       maximumOpt, statusOpt);
-    return objects;
-}
-
-NSS_IMPLEMENT PRStatus
-nssToken_GetCachedObjectAttributes (
-  NSSToken *token,
-  NSSArena *arenaOpt,
-  nssCryptokiObject *object,
-  CK_OBJECT_CLASS objclass,
-  CK_ATTRIBUTE_PTR atemplate,
-  CK_ULONG atlen
-)
-{
-    if (!token->cache) {
-	return PR_FAILURE;
-    }
-    return nssTokenObjectCache_GetObjectAttributes(token->cache, arenaOpt,
-                                                   object, objclass,
-                                                   atemplate, atlen);
-}
-
-NSS_IMPLEMENT NSSItem *
-nssToken_Digest (
-  NSSToken *tok,
-  nssSession *sessionOpt,
-  NSSAlgorithmAndParameters *ap,
-  NSSItem *data,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    CK_RV ckrv;
-    CK_ULONG digestLen;
-    CK_BYTE_PTR digest;
-    NSSItem *rvItem = NULL;
-    void *epv = nssToken_GetCryptokiEPV(tok);
-    nssSession *session;
-    session = (sessionOpt) ? sessionOpt : tok->defaultSession;
-    nssSession_EnterMonitor(session);
-    ckrv = CKAPI(epv)->C_DigestInit(session->handle, &ap->mechanism);
-    if (ckrv != CKR_OK) {
-	nssSession_ExitMonitor(session);
-	return NULL;
-    }
-#if 0
-    /* XXX the standard says this should work, but it doesn't */
-    ckrv = CKAPI(epv)->C_Digest(session->handle, NULL, 0, NULL, &digestLen);
-    if (ckrv != CKR_OK) {
-	nssSession_ExitMonitor(session);
-	return NULL;
-    }
-#endif
-    digestLen = 0; /* XXX for now */
-    digest = NULL;
-    if (rvOpt) {
-	if (rvOpt->size > 0 && rvOpt->size < digestLen) {
-	    nssSession_ExitMonitor(session);
-	    /* the error should be bad args */
-	    return NULL;
-	}
-	if (rvOpt->data) {
-	    digest = rvOpt->data;
-	}
-	digestLen = rvOpt->size;
-    }
-    if (!digest) {
-	digest = (CK_BYTE_PTR)nss_ZAlloc(arenaOpt, digestLen);
-	if (!digest) {
-	    nssSession_ExitMonitor(session);
-	    return NULL;
-	}
-    }
-    ckrv = CKAPI(epv)->C_Digest(session->handle, 
-                                (CK_BYTE_PTR)data->data, 
-                                (CK_ULONG)data->size,
-                                (CK_BYTE_PTR)digest,
-                                &digestLen);
-    nssSession_ExitMonitor(session);
-    if (ckrv != CKR_OK) {
-	nss_ZFreeIf(digest);
-	return NULL;
-    }
-    if (!rvOpt) {
-	rvItem = nssItem_Create(arenaOpt, NULL, digestLen, (void *)digest);
-    }
-    return rvItem;
-}
-
-NSS_IMPLEMENT PRStatus
-nssToken_BeginDigest (
-  NSSToken *tok,
-  nssSession *sessionOpt,
-  NSSAlgorithmAndParameters *ap
-)
-{
-    CK_RV ckrv;
-    nssSession *session;
-    void *epv = nssToken_GetCryptokiEPV(tok);
-    session = (sessionOpt) ? sessionOpt : tok->defaultSession;
-    nssSession_EnterMonitor(session);
-    ckrv = CKAPI(epv)->C_DigestInit(session->handle, &ap->mechanism);
-    nssSession_ExitMonitor(session);
-    return (ckrv == CKR_OK) ? PR_SUCCESS : PR_FAILURE;
-}
-
-NSS_IMPLEMENT PRStatus
-nssToken_ContinueDigest (
-  NSSToken *tok,
-  nssSession *sessionOpt,
-  NSSItem *item
-)
-{
-    CK_RV ckrv;
-    nssSession *session;
-    void *epv = nssToken_GetCryptokiEPV(tok);
-    session = (sessionOpt) ? sessionOpt : tok->defaultSession;
-    nssSession_EnterMonitor(session);
-    ckrv = CKAPI(epv)->C_DigestUpdate(session->handle, 
-                                      (CK_BYTE_PTR)item->data, 
-                                      (CK_ULONG)item->size);
-    nssSession_ExitMonitor(session);
-    return (ckrv == CKR_OK) ? PR_SUCCESS : PR_FAILURE;
-}
-
-NSS_IMPLEMENT NSSItem *
-nssToken_FinishDigest (
-  NSSToken *tok,
-  nssSession *sessionOpt,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    CK_RV ckrv;
-    CK_ULONG digestLen;
-    CK_BYTE_PTR digest;
-    NSSItem *rvItem = NULL;
-    void *epv = nssToken_GetCryptokiEPV(tok);
-    nssSession *session;
-    session = (sessionOpt) ? sessionOpt : tok->defaultSession;
-    nssSession_EnterMonitor(session);
-    ckrv = CKAPI(epv)->C_DigestFinal(session->handle, NULL, &digestLen);
-    if (ckrv != CKR_OK || digestLen == 0) {
-	nssSession_ExitMonitor(session);
-	return NULL;
-    }
-    digest = NULL;
-    if (rvOpt) {
-	if (rvOpt->size > 0 && rvOpt->size < digestLen) {
-	    nssSession_ExitMonitor(session);
-	    /* the error should be bad args */
-	    return NULL;
-	}
-	if (rvOpt->data) {
-	    digest = rvOpt->data;
-	}
-	digestLen = rvOpt->size;
-    }
-    if (!digest) {
-	digest = (CK_BYTE_PTR)nss_ZAlloc(arenaOpt, digestLen);
-	if (!digest) {
-	    nssSession_ExitMonitor(session);
-	    return NULL;
-	}
-    }
-    ckrv = CKAPI(epv)->C_DigestFinal(session->handle, digest, &digestLen);
-    nssSession_ExitMonitor(session);
-    if (ckrv != CKR_OK) {
-	nss_ZFreeIf(digest);
-	return NULL;
-    }
-    if (!rvOpt) {
-	rvItem = nssItem_Create(arenaOpt, NULL, digestLen, (void *)digest);
-    }
-    return rvItem;
-}
-
-NSS_IMPLEMENT PRBool
-nssToken_IsPresent (
-  NSSToken *token
-)
-{
-    return nssSlot_IsTokenPresent(token->slot);
-}
-
-/* Sigh.  The methods to find objects declared above cause problems with
- * the low-level object cache in the softoken -- the objects are found in 
- * toto, then one wave of GetAttributes is done, then another.  Having a 
- * large number of objects causes the cache to be thrashed, as the objects 
- * are gone before there's any chance to ask for their attributes.
- * So, for now, bringing back traversal methods for certs.  This way all of 
- * the cert's attributes can be grabbed immediately after finding it,
- * increasing the likelihood that the cache takes care of it.
- */
-NSS_IMPLEMENT PRStatus
-nssToken_TraverseCertificates (
-  NSSToken *token,
-  nssSession *sessionOpt,
-  nssTokenSearchType searchType,
-  PRStatus (* callback)(nssCryptokiObject *instance, void *arg),
-  void *arg
-)
-{
-    CK_RV ckrv;
-    CK_ULONG count;
-    CK_OBJECT_HANDLE *objectHandles;
-    CK_ATTRIBUTE_PTR attr;
-    CK_ATTRIBUTE cert_template[2];
-    CK_ULONG ctsize;
-    NSSArena *arena;
-    PRStatus status;
-    PRUint32 arraySize, numHandles;
-    nssCryptokiObject **objects;
-    void *epv = nssToken_GetCryptokiEPV(token);
-    nssSession *session = (sessionOpt) ? sessionOpt : token->defaultSession;
-
-    /* template for all certs */
-    NSS_CK_TEMPLATE_START(cert_template, attr, ctsize);
-    if (searchType == nssTokenSearchType_SessionOnly) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    } else if (searchType == nssTokenSearchType_TokenOnly ||
-               searchType == nssTokenSearchType_TokenForced) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
-    }
-    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
-    NSS_CK_TEMPLATE_FINISH(cert_template, attr, ctsize);
-
-    /* the arena is only for the array of object handles */
-    arena = nssArena_Create();
-    if (!arena) {
-	return PR_FAILURE;
-    }
-    arraySize = OBJECT_STACK_SIZE;
-    numHandles = 0;
-    objectHandles = nss_ZNEWARRAY(arena, CK_OBJECT_HANDLE, arraySize);
-    if (!objectHandles) {
-	goto loser;
-    }
-    nssSession_EnterMonitor(session); /* ==== session lock === */
-    /* Initialize the find with the template */
-    ckrv = CKAPI(epv)->C_FindObjectsInit(session->handle, 
-                                         cert_template, ctsize);
-    if (ckrv != CKR_OK) {
-	nssSession_ExitMonitor(session);
-	goto loser;
-    }
-    while (PR_TRUE) {
-	/* Issue the find for up to arraySize - numHandles objects */
-	ckrv = CKAPI(epv)->C_FindObjects(session->handle, 
-	                                 objectHandles + numHandles, 
-	                                 arraySize - numHandles, 
-	                                 &count);
-	if (ckrv != CKR_OK) {
-	    nssSession_ExitMonitor(session);
-	    goto loser;
-	}
-	/* bump the number of found objects */
-	numHandles += count;
-	if (numHandles < arraySize) {
-	    break;
-	}
-	/* the array is filled, double it and continue */
-	arraySize *= 2;
-	objectHandles = nss_ZREALLOCARRAY(objectHandles, 
-	                                  CK_OBJECT_HANDLE, 
-	                                  arraySize);
-	if (!objectHandles) {
-	    nssSession_ExitMonitor(session);
-	    goto loser;
-	}
-    }
-    ckrv = CKAPI(epv)->C_FindObjectsFinal(session->handle);
-    nssSession_ExitMonitor(session); /* ==== end session lock === */
-    if (ckrv != CKR_OK) {
-	goto loser;
-    }
-    if (numHandles > 0) {
-	objects = create_objects_from_handles(token, session,
-	                                      objectHandles, numHandles);
-	if (objects) {
-	    nssCryptokiObject **op;
-	    for (op = objects; *op; op++) {
-		status = (*callback)(*op, arg);
-	    }
-	    nss_ZFreeIf(objects);
-	}
-    }
-    nssArena_Destroy(arena);
-    return PR_SUCCESS;
-loser:
-    nssArena_Destroy(arena);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT PRBool
-nssToken_IsPrivateKeyAvailable (
-  NSSToken *token,
-  NSSCertificate *c,
-  nssCryptokiObject *instance
-)
-{
-    CK_OBJECT_CLASS theClass;
-
-    if (token == NULL) return PR_FALSE;
-    if (c == NULL) return PR_FALSE;
-
-    theClass = CKO_PRIVATE_KEY;
-    if (!nssSlot_IsLoggedIn(token->slot)) {
-	theClass = CKO_PUBLIC_KEY;
-    }
-    if (PK11_MatchItem(token->pk11slot, instance->handle, theClass) 
-						!= CK_INVALID_HANDLE) {
-	return PR_TRUE;
-    }
-    return PR_FALSE;
-}
diff --git a/security/nss/lib/dev/devutil.c b/security/nss/lib/dev/devutil.c
deleted file mode 100644
index 2495a9f3e..000000000
--- a/security/nss/lib/dev/devutil.c
+++ /dev/null
@@ -1,1454 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#ifndef DEVM_H
-#include "devm.h"
-#endif /* DEVM_H */
-
-#ifndef CKHELPER_H
-#include "ckhelper.h"
-#endif /* CKHELPER_H */
-
-NSS_IMPLEMENT nssCryptokiObject *
-nssCryptokiObject_Create (
-  NSSToken *t, 
-  nssSession *session,
-  CK_OBJECT_HANDLE h
-)
-{
-    PRStatus status;
-    NSSSlot *slot;
-    nssCryptokiObject *object;
-    CK_BBOOL *isTokenObject;
-    CK_ATTRIBUTE cert_template[] = {
-	{ CKA_TOKEN, NULL, 0 },
-	{ CKA_LABEL, NULL, 0 }
-    };
-    slot = nssToken_GetSlot(t);
-    status = nssCKObject_GetAttributes(h, cert_template, 2,
-                                       NULL, session, slot);
-    nssSlot_Destroy(slot);
-    if (status != PR_SUCCESS) {
-	/* a failure here indicates a device error */
-	return (nssCryptokiObject *)NULL;
-    }
-    object = nss_ZNEW(NULL, nssCryptokiObject);
-    if (!object) {
-	return (nssCryptokiObject *)NULL;
-    }
-    object->handle = h;
-    object->token = nssToken_AddRef(t);
-    isTokenObject = (CK_BBOOL *)cert_template[0].pValue;
-    object->isTokenObject = *isTokenObject;
-    nss_ZFreeIf(isTokenObject);
-    NSS_CK_ATTRIBUTE_TO_UTF8(&cert_template[1], object->label);
-    return object;
-}
-
-NSS_IMPLEMENT void
-nssCryptokiObject_Destroy (
-  nssCryptokiObject *object
-)
-{
-    if (object) {
-	nssToken_Destroy(object->token);
-	nss_ZFreeIf(object->label);
-	nss_ZFreeIf(object);
-    }
-}
-
-NSS_IMPLEMENT nssCryptokiObject *
-nssCryptokiObject_Clone (
-  nssCryptokiObject *object
-)
-{
-    nssCryptokiObject *rvObject;
-    rvObject = nss_ZNEW(NULL, nssCryptokiObject);
-    if (rvObject) {
-	rvObject->handle = object->handle;
-	rvObject->token = nssToken_AddRef(object->token);
-	rvObject->isTokenObject = object->isTokenObject;
-	if (object->label) {
-	    rvObject->label = nssUTF8_Duplicate(object->label, NULL);
-	}
-    }
-    return rvObject;
-}
-
-NSS_EXTERN PRBool
-nssCryptokiObject_Equal (
-  nssCryptokiObject *o1,
-  nssCryptokiObject *o2
-)
-{
-    return (o1->token == o2->token && o1->handle == o2->handle);
-}
-
-NSS_IMPLEMENT PRUint32
-nssPKCS11String_Length(CK_CHAR *pkcs11Str, PRUint32 bufLen)
-{
-    PRInt32 i;
-    for (i = bufLen - 1; i>=0; ) {
-	if (pkcs11Str[i] != ' ' && pkcs11Str[i] != '\0') break;
-	--i;
-    }
-    return (PRUint32)(i + 1);
-}
-
-/*
- * Slot arrays
- */
-
-NSS_IMPLEMENT NSSSlot **
-nssSlotArray_Clone (
-  NSSSlot **slots
-)
-{
-    NSSSlot **rvSlots = NULL;
-    NSSSlot **sp = slots;
-    PRUint32 count = 0;
-    while (sp && *sp) count++;
-    if (count > 0) {
-	rvSlots = nss_ZNEWARRAY(NULL, NSSSlot *, count + 1);
-	if (rvSlots) {
-	    sp = slots;
-	    count = 0;
-	    for (sp = slots; *sp; sp++) {
-		rvSlots[count++] = nssSlot_AddRef(*sp);
-	    }
-	}
-    }
-    return rvSlots;
-}
-
-#ifdef PURE_STAN_BUILD
-NSS_IMPLEMENT void
-nssModuleArray_Destroy (
-  NSSModule **modules
-)
-{
-    if (modules) {
-	NSSModule **mp;
-	for (mp = modules; *mp; mp++) {
-	    nssModule_Destroy(*mp);
-	}
-	nss_ZFreeIf(modules);
-    }
-}
-#endif
-
-NSS_IMPLEMENT void
-nssSlotArray_Destroy (
-  NSSSlot **slots
-)
-{
-    if (slots) {
-	NSSSlot **slotp;
-	for (slotp = slots; *slotp; slotp++) {
-	    nssSlot_Destroy(*slotp);
-	}
-	nss_ZFreeIf(slots);
-    }
-}
-
-NSS_IMPLEMENT void
-NSSSlotArray_Destroy (
-  NSSSlot **slots
-)
-{
-    nssSlotArray_Destroy(slots);
-}
-
-NSS_IMPLEMENT void
-nssTokenArray_Destroy (
-  NSSToken **tokens
-)
-{
-    if (tokens) {
-	NSSToken **tokenp;
-	for (tokenp = tokens; *tokenp; tokenp++) {
-	    nssToken_Destroy(*tokenp);
-	}
-	nss_ZFreeIf(tokens);
-    }
-}
-
-NSS_IMPLEMENT void
-NSSTokenArray_Destroy (
-  NSSToken **tokens
-)
-{
-    nssTokenArray_Destroy(tokens);
-}
-
-NSS_IMPLEMENT void
-nssCryptokiObjectArray_Destroy (
-  nssCryptokiObject **objects
-)
-{
-    if (objects) {
-	nssCryptokiObject **op;
-	for (op = objects; *op; op++) {
-	    nssCryptokiObject_Destroy(*op);
-	}
-	nss_ZFreeIf(objects);
-    }
-}
-
-#ifdef PURE_STAN_BUILD
-/*
- * Slot lists
- */
-
-struct nssSlotListNodeStr
-{
-  PRCList link;
-  NSSSlot *slot;
-  PRUint32 order;
-};
-
-/* XXX separate slots with non-present tokens? */
-struct nssSlotListStr 
-{
-  NSSArena *arena;
-  PRBool i_allocated_arena;
-  PZLock *lock;
-  PRCList head;
-  PRUint32 count;
-};
-
-NSS_IMPLEMENT nssSlotList *
-nssSlotList_Create (
-  NSSArena *arenaOpt
-)
-{
-    nssSlotList *rvList;
-    NSSArena *arena;
-    nssArenaMark *mark;
-    if (arenaOpt) {
-	arena = arenaOpt;
-	mark = nssArena_Mark(arena);
-	if (!mark) {
-	    return (nssSlotList *)NULL;
-	}
-    } else {
-	arena = nssArena_Create();
-	if (!arena) {
-	    return (nssSlotList *)NULL;
-	}
-    }
-    rvList = nss_ZNEW(arena, nssSlotList);
-    if (!rvList) {
-	goto loser;
-    }
-    rvList->lock = PZ_NewLock(nssILockOther); /* XXX */
-    if (!rvList->lock) {
-	goto loser;
-    }
-    PR_INIT_CLIST(&rvList->head);
-    rvList->arena = arena;
-    rvList->i_allocated_arena = (arenaOpt == NULL);
-    nssArena_Unmark(arena, mark);
-    return rvList;
-loser:
-    if (arenaOpt) {
-	nssArena_Release(arena, mark);
-    } else {
-	nssArena_Destroy(arena);
-    }
-    return (nssSlotList *)NULL;
-}
-
-NSS_IMPLEMENT void
-nssSlotList_Destroy (
-  nssSlotList *slotList
-)
-{
-    PRCList *link;
-    struct nssSlotListNodeStr *node;
-    if (slotList) {
-	link = PR_NEXT_LINK(&slotList->head);
-	while (link != &slotList->head) {
-	    node = (struct nssSlotListNodeStr *)link;
-	    nssSlot_Destroy(node->slot);
-	    link = PR_NEXT_LINK(link);
-	}
-	if (slotList->i_allocated_arena) {
-	    nssArena_Destroy(slotList->arena);
-	}
-    }
-}
-
-/* XXX should do allocs outside of lock */
-NSS_IMPLEMENT PRStatus
-nssSlotList_Add (
-  nssSlotList *slotList,
-  NSSSlot *slot,
-  PRUint32 order
-)
-{
-    PRCList *link;
-    struct nssSlotListNodeStr *node;
-    PZ_Lock(slotList->lock);
-    link = PR_NEXT_LINK(&slotList->head);
-    while (link != &slotList->head) {
-	node = (struct nssSlotListNodeStr *)link;
-	if (order < node->order) {
-	    break;
-	}
-	link = PR_NEXT_LINK(link);
-    }
-    node = nss_ZNEW(slotList->arena, struct nssSlotListNodeStr);
-    if (!node) {
-	return PR_FAILURE;
-    }
-    PR_INIT_CLIST(&node->link);
-    node->slot = nssSlot_AddRef(slot);
-    node->order = order;
-    PR_INSERT_AFTER(&node->link, link);
-    slotList->count++;
-    PZ_Unlock(slotList->lock);
-    return PR_SUCCESS;
-}
-
-NSS_IMPLEMENT PRStatus
-nssSlotList_AddModuleSlots (
-  nssSlotList *slotList,
-  NSSModule *module,
-  PRUint32 order
-)
-{
-    nssArenaMark *mark = NULL;
-    NSSSlot **sp, **slots = NULL;
-    PRCList *link;
-    struct nssSlotListNodeStr *node;
-    PZ_Lock(slotList->lock);
-    link = PR_NEXT_LINK(&slotList->head);
-    while (link != &slotList->head) {
-	node = (struct nssSlotListNodeStr *)link;
-	if (order < node->order) {
-	    break;
-	}
-	link = PR_NEXT_LINK(link);
-    }
-    slots = nssModule_GetSlots(module);
-    if (!slots) {
-	PZ_Unlock(slotList->lock);
-	return PR_SUCCESS;
-    }
-    mark = nssArena_Mark(slotList->arena);
-    if (!mark) {
-	goto loser;
-    }
-    for (sp = slots; *sp; sp++) {
-	node = nss_ZNEW(slotList->arena, struct nssSlotListNodeStr);
-	if (!node) {
-	    goto loser;
-	}
-	PR_INIT_CLIST(&node->link);
-	node->slot = *sp; /* have ref from nssModule_GetSlots */
-	node->order = order;
-	PR_INSERT_AFTER(&node->link, link);
-	slotList->count++;
-    }
-    PZ_Unlock(slotList->lock);
-    nssArena_Unmark(slotList->arena, mark);
-    return PR_SUCCESS;
-loser:
-    PZ_Unlock(slotList->lock);
-    if (mark) {
-	nssArena_Release(slotList->arena, mark);
-    }
-    if (slots) {
-	nssSlotArray_Destroy(slots);
-    }
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT NSSSlot **
-nssSlotList_GetSlots (
-  nssSlotList *slotList
-)
-{
-    PRUint32 i;
-    PRCList *link;
-    struct nssSlotListNodeStr *node;
-    NSSSlot **rvSlots = NULL;
-    PZ_Lock(slotList->lock);
-    rvSlots = nss_ZNEWARRAY(NULL, NSSSlot *, slotList->count + 1);
-    if (!rvSlots) {
-	PZ_Unlock(slotList->lock);
-	return (NSSSlot **)NULL;
-    }
-    i = 0;
-    link = PR_NEXT_LINK(&slotList->head);
-    while (link != &slotList->head) {
-	node = (struct nssSlotListNodeStr *)link;
-	rvSlots[i] = nssSlot_AddRef(node->slot);
-	link = PR_NEXT_LINK(link);
-	i++;
-    }
-    PZ_Unlock(slotList->lock);
-    return rvSlots;
-}
-
-#if 0
-NSS_IMPLEMENT NSSSlot *
-nssSlotList_GetBestSlotForAlgorithmAndParameters (
-  nssSlotList *slotList,
-  NSSAlgorithmAndParameters *ap
-)
-{
-    PRCList *link;
-    struct nssSlotListNodeStr *node;
-    NSSSlot *rvSlot = NULL;
-    PZ_Lock(slotList->lock);
-    link = PR_NEXT_LINK(&slotList->head);
-    while (link != &slotList->head) {
-	node = (struct nssSlotListNodeStr *)link;
-	if (nssSlot_DoesAlgorithmAndParameters(ap)) {
-	    rvSlot = nssSlot_AddRef(node->slot); /* XXX check isPresent? */
-	}
-	link = PR_NEXT_LINK(link);
-    }
-    PZ_Unlock(slotList->lock);
-    return rvSlot;
-}
-#endif
-
-NSS_IMPLEMENT NSSSlot *
-nssSlotList_GetBestSlot (
-  nssSlotList *slotList
-)
-{
-    PRCList *link;
-    struct nssSlotListNodeStr *node;
-    NSSSlot *rvSlot = NULL;
-    PZ_Lock(slotList->lock);
-    if (PR_CLIST_IS_EMPTY(&slotList->head)) {
-	PZ_Unlock(slotList->lock);
-	return (NSSSlot *)NULL;
-    }
-    link = PR_NEXT_LINK(&slotList->head);
-    node = (struct nssSlotListNodeStr *)link;
-    rvSlot = nssSlot_AddRef(node->slot); /* XXX check isPresent? */
-    PZ_Unlock(slotList->lock);
-    return rvSlot;
-}
-
-NSS_IMPLEMENT NSSSlot *
-nssSlotList_FindSlotByName (
-  nssSlotList *slotList,
-  NSSUTF8 *slotName
-)
-{
-    PRCList *link;
-    struct nssSlotListNodeStr *node;
-    NSSSlot *rvSlot = NULL;
-    PZ_Lock(slotList->lock);
-    link = PR_NEXT_LINK(&slotList->head);
-    while (link != &slotList->head) {
-	NSSUTF8 *sName;
-	node = (struct nssSlotListNodeStr *)link;
-	sName = nssSlot_GetName(node->slot);
-	if (nssUTF8_Equal(sName, slotName, NULL)) {
-	    rvSlot = nssSlot_AddRef(node->slot);
-	    break;
-	}
-	link = PR_NEXT_LINK(link);
-    }
-    PZ_Unlock(slotList->lock);
-    return rvSlot;
-}
-
-NSS_IMPLEMENT NSSToken *
-nssSlotList_FindTokenByName (
-  nssSlotList *slotList,
-  NSSUTF8 *tokenName
-)
-{
-    PRCList *link;
-    struct nssSlotListNodeStr *node;
-    NSSToken *rvToken = NULL;
-    PZ_Lock(slotList->lock);
-    link = PR_NEXT_LINK(&slotList->head);
-    while (link != &slotList->head) {
-	NSSUTF8 *tName;
-	node = (struct nssSlotListNodeStr *)link;
-	tName = nssSlot_GetTokenName(node->slot);
-	if (nssUTF8_Equal(tName, tokenName, NULL)) {
-	    rvToken = nssSlot_GetToken(node->slot);
-	    break;
-	}
-	link = PR_NEXT_LINK(link);
-    }
-    PZ_Unlock(slotList->lock);
-    return rvToken;
-}
-#endif /* PURE_STAN_BUILD */
-
-/* object cache for token */
-
-typedef struct
-{
-  NSSArena *arena;
-  nssCryptokiObject *object;
-  CK_ATTRIBUTE_PTR attributes;
-  CK_ULONG numAttributes;
-}
-nssCryptokiObjectAndAttributes;
-
-enum {
-  cachedCerts = 0,
-  cachedTrust = 1,
-  cachedCRLs = 2
-} cachedObjectType;
-
-struct nssTokenObjectCacheStr
-{
-  NSSToken *token;
-  PZLock *lock;
-  PRBool loggedIn;
-  PRBool doObjectType[3];
-  PRBool searchedObjectType[3];
-  nssCryptokiObjectAndAttributes **objects[3];
-};
-
-NSS_IMPLEMENT nssTokenObjectCache *
-nssTokenObjectCache_Create (
-  NSSToken *token,
-  PRBool cacheCerts,
-  PRBool cacheTrust,
-  PRBool cacheCRLs
-)
-{
-    nssTokenObjectCache *rvCache;
-    rvCache = nss_ZNEW(NULL, nssTokenObjectCache);
-    if (!rvCache) {
-	goto loser;
-    }
-    rvCache->lock = PZ_NewLock(nssILockOther); /* XXX */
-    if (!rvCache->lock) {
-	goto loser;
-    }
-    rvCache->doObjectType[cachedCerts] = cacheCerts;
-    rvCache->doObjectType[cachedTrust] = cacheTrust;
-    rvCache->doObjectType[cachedCRLs] = cacheCRLs;
-    rvCache->token = token; /* cache goes away with token */
-    return rvCache;
-loser:
-    return (nssTokenObjectCache *)NULL;
-}
-
-static void
-clear_cache (
-  nssTokenObjectCache *cache
-)
-{
-    nssCryptokiObjectAndAttributes **oa;
-    PRUint32 objectType;
-    for (objectType = cachedCerts; objectType <= cachedCRLs; objectType++) {
-	cache->searchedObjectType[objectType] = PR_FALSE;
-	if (!cache->objects[objectType]) {
-	    continue;
-	}
-	for (oa = cache->objects[objectType]; *oa; oa++) {
-	    /* prevent the token from being destroyed */
-	    (*oa)->object->token = NULL;
-	    nssCryptokiObject_Destroy((*oa)->object);
-	    nssArena_Destroy((*oa)->arena);
-	}
-	nss_ZFreeIf(cache->objects[objectType]);
-	cache->objects[objectType] = NULL;
-    }
-}
-
-NSS_IMPLEMENT void
-nssTokenObjectCache_Clear (
-  nssTokenObjectCache *cache
-)
-{
-    if (cache) {
-	PZ_Lock(cache->lock);
-	clear_cache(cache);
-	PZ_Unlock(cache->lock);
-    }
-}
-
-NSS_IMPLEMENT void
-nssTokenObjectCache_Destroy (
-  nssTokenObjectCache *cache
-)
-{
-    if (cache) {
-	clear_cache(cache);
-	PZ_DestroyLock(cache->lock);
-	nss_ZFreeIf(cache);
-    }
-}
-
-NSS_IMPLEMENT PRBool
-nssTokenObjectCache_HaveObjectClass (
-  nssTokenObjectCache *cache,
-  CK_OBJECT_CLASS objclass
-)
-{
-    PRBool haveIt;
-    PZ_Lock(cache->lock);
-    switch (objclass) {
-    case CKO_CERTIFICATE:    haveIt = cache->doObjectType[cachedCerts]; break;
-    case CKO_NETSCAPE_TRUST: haveIt = cache->doObjectType[cachedTrust]; break;
-    case CKO_NETSCAPE_CRL:   haveIt = cache->doObjectType[cachedCRLs];  break;
-    default:                 haveIt = PR_FALSE;
-    }
-    PZ_Unlock(cache->lock);
-    return haveIt;
-}
-
-static nssCryptokiObjectAndAttributes **
-create_object_array (
-  nssCryptokiObject **objects,
-  PRBool *doObjects,
-  PRUint32 *numObjects,
-  PRStatus *status
-)
-{
-    nssCryptokiObjectAndAttributes **rvOandA = NULL;
-    *numObjects = 0;
-    /* There are no objects for this type */
-    if (!objects || !*objects) {
-	*status = PR_SUCCESS;
-	return rvOandA;
-    }
-    while (*objects++) (*numObjects)++;
-    if (*numObjects >= MAX_LOCAL_CACHE_OBJECTS) {
-	/* Hit the maximum allowed, so don't use a cache (there are
-	 * too many objects to make caching worthwhile, presumably, if
-	 * the token can handle that many objects, it can handle searching.
-	 */
-	*doObjects = PR_FALSE;
-	*status = PR_FAILURE;
-	*numObjects = 0;
-    } else {
-	rvOandA = nss_ZNEWARRAY(NULL, 
-	                        nssCryptokiObjectAndAttributes *, 
-	                        *numObjects + 1);
-	*status = rvOandA ? PR_SUCCESS : PR_FAILURE;
-    }
-    return rvOandA;
-}
-
-static nssCryptokiObjectAndAttributes *
-create_object (
-  nssCryptokiObject *object,
-  const CK_ATTRIBUTE_TYPE *types,
-  PRUint32 numTypes,
-  PRStatus *status
-)
-{
-    PRUint32 j;
-    NSSArena *arena;
-    NSSSlot *slot = NULL;
-    nssSession *session = NULL;
-    nssCryptokiObjectAndAttributes *rvCachedObject = NULL;
-
-    slot = nssToken_GetSlot(object->token);
-    session = nssToken_GetDefaultSession(object->token);
-
-    arena = nssArena_Create();
-    if (!arena) {
-	goto loser;
-    }
-    rvCachedObject = nss_ZNEW(arena, nssCryptokiObjectAndAttributes);
-    if (!rvCachedObject) {
-	goto loser;
-    }
-    rvCachedObject->arena = arena;
-    /* The cache is tied to the token, and therefore the objects
-     * in it should not hold references to the token.
-     */
-    nssToken_Destroy(object->token);
-    rvCachedObject->object = object;
-    rvCachedObject->attributes = nss_ZNEWARRAY(arena, CK_ATTRIBUTE, numTypes);
-    if (!rvCachedObject->attributes) {
-	goto loser;
-    }
-    for (j=0; j<numTypes; j++) {
-	rvCachedObject->attributes[j].type = types[j];
-    }
-    *status = nssCKObject_GetAttributes(object->handle,
-                                        rvCachedObject->attributes,
-                                        numTypes,
-                                        arena,
-                                        session,
-                                        slot);
-    if (*status != PR_SUCCESS) {
-	goto loser;
-    }
-    rvCachedObject->numAttributes = numTypes;
-    *status = PR_SUCCESS;
-    if (slot) {
-	nssSlot_Destroy(slot);
-    }
-    return rvCachedObject;
-loser:
-    *status = PR_FAILURE;
-    if (slot) {
-	nssSlot_Destroy(slot);
-    }
-    if (arena)
-	nssArena_Destroy(arena);
-    return (nssCryptokiObjectAndAttributes *)NULL;
-}
-
-/*
- *
- * State diagram for cache:
- *
- *            token !present            token removed
- *        +-------------------------+<----------------------+
- *        |                         ^                       |
- *        v                         |                       |
- *  +----------+   slot friendly    |  token present   +----------+ 
- *  |   cache  | -----------------> % ---------------> |   cache  |
- *  | unloaded |                                       |  loaded  |
- *  +----------+                                       +----------+
- *    ^   |                                                 ^   |
- *    |   |   slot !friendly           slot logged in       |   |
- *    |   +-----------------------> % ----------------------+   |
- *    |                             |                           |
- *    | slot logged out             v  slot !friendly           |
- *    +-----------------------------+<--------------------------+
- *
- */
-
-/* This function must not be called with cache->lock locked. */
-static PRBool
-token_is_present (
-  nssTokenObjectCache *cache
-)
-{
-    NSSSlot *slot = nssToken_GetSlot(cache->token);
-    PRBool tokenPresent = nssSlot_IsTokenPresent(slot);
-    nssSlot_Destroy(slot);
-    return tokenPresent;
-}
-
-static PRBool
-search_for_objects (
-  nssTokenObjectCache *cache
-)
-{
-    PRBool doSearch = PR_FALSE;
-    NSSSlot *slot = nssToken_GetSlot(cache->token);
-    /* Handle non-friendly slots (slots which require login for objects) */
-    if (!nssSlot_IsFriendly(slot)) {
-	if (nssSlot_IsLoggedIn(slot)) {
-	    /* Either no state change, or went from !logged in -> logged in */
-	    cache->loggedIn = PR_TRUE;
-	    doSearch = PR_TRUE;
-	} else {
-	    if (cache->loggedIn) {
-		/* went from logged in -> !logged in, destroy cached objects */
-		clear_cache(cache);
-		cache->loggedIn = PR_FALSE;
-	    } /* else no state change, still not logged in, so exit */
-	}
-    } else {
-	/* slot is friendly, thus always available for search */
-	doSearch = PR_TRUE;
-    }
-    nssSlot_Destroy(slot);
-    return doSearch;
-}
-
-static nssCryptokiObjectAndAttributes *
-create_cert (
-  nssCryptokiObject *object,
-  PRStatus *status
-)
-{
-    static const CK_ATTRIBUTE_TYPE certAttr[] = {
-	CKA_CLASS,
-	CKA_TOKEN,
-	CKA_LABEL,
-	CKA_CERTIFICATE_TYPE,
-	CKA_ID,
-	CKA_VALUE,
-	CKA_ISSUER,
-	CKA_SERIAL_NUMBER,
-	CKA_SUBJECT,
-	CKA_NETSCAPE_EMAIL
-    };
-    static const PRUint32 numCertAttr = sizeof(certAttr) / sizeof(certAttr[0]);
-    return create_object(object, certAttr, numCertAttr, status);
-}
-
-static PRStatus
-get_token_certs_for_cache (
-  nssTokenObjectCache *cache
-)
-{
-    PRStatus status;
-    nssCryptokiObject **objects;
-    PRBool *doIt = &cache->doObjectType[cachedCerts];
-    PRUint32 i, numObjects;
-
-    if (!search_for_objects(cache) || 
-         cache->searchedObjectType[cachedCerts] || 
-        !cache->doObjectType[cachedCerts]) 
-    {
-	/* Either there was a state change that prevents a search
-	 * (token logged out), or the search was already done,
-	 * or certs are not being cached.
-	 */
-	return PR_SUCCESS;
-    }
-    objects = nssToken_FindCertificates(cache->token, NULL,
-                                        nssTokenSearchType_TokenForced,
-				        MAX_LOCAL_CACHE_OBJECTS, &status);
-    if (status != PR_SUCCESS) {
-	return status;
-    }
-    cache->objects[cachedCerts] = create_object_array(objects,
-                                                      doIt,
-                                                      &numObjects,
-                                                      &status);
-    if (status != PR_SUCCESS) {
-	return status;
-    }
-    for (i=0; i<numObjects; i++) {
-	cache->objects[cachedCerts][i] = create_cert(objects[i], &status);
-	if (status != PR_SUCCESS) {
-	    break;
-	}
-    }
-    if (status == PR_SUCCESS) {
-	nss_ZFreeIf(objects);
-    } else {
-	PRUint32 j;
-	for (j=0; j<i; j++) {
-	    /* sigh */
-	    nssToken_AddRef(cache->objects[cachedCerts][j]->object->token);
-	    nssArena_Destroy(cache->objects[cachedCerts][j]->arena);
-	}
-	nssCryptokiObjectArray_Destroy(objects);
-    }
-    cache->searchedObjectType[cachedCerts] = PR_TRUE;
-    return status;
-}
-
-static nssCryptokiObjectAndAttributes *
-create_trust (
-  nssCryptokiObject *object,
-  PRStatus *status
-)
-{
-    static const CK_ATTRIBUTE_TYPE trustAttr[] = {
-	CKA_CLASS,
-	CKA_TOKEN,
-	CKA_LABEL,
-	CKA_CERT_SHA1_HASH,
-	CKA_CERT_MD5_HASH,
-	CKA_ISSUER,
-	CKA_SUBJECT,
-	CKA_TRUST_SERVER_AUTH,
-	CKA_TRUST_CLIENT_AUTH,
-	CKA_TRUST_EMAIL_PROTECTION,
-	CKA_TRUST_CODE_SIGNING
-    };
-    static const PRUint32 numTrustAttr = sizeof(trustAttr) / sizeof(trustAttr[0]);
-    return create_object(object, trustAttr, numTrustAttr, status);
-}
-
-static PRStatus
-get_token_trust_for_cache (
-  nssTokenObjectCache *cache
-)
-{
-    PRStatus status;
-    nssCryptokiObject **objects;
-    PRBool *doIt = &cache->doObjectType[cachedTrust];
-    PRUint32 i, numObjects;
-
-    if (!search_for_objects(cache) || 
-         cache->searchedObjectType[cachedTrust] || 
-        !cache->doObjectType[cachedTrust]) 
-    {
-	/* Either there was a state change that prevents a search
-	 * (token logged out), or the search was already done,
-	 * or trust is not being cached.
-	 */
-	return PR_SUCCESS;
-    }
-    objects = nssToken_FindTrustObjects(cache->token, NULL,
-                                        nssTokenSearchType_TokenForced,
-				        MAX_LOCAL_CACHE_OBJECTS, &status);
-    if (status != PR_SUCCESS) {
-	return status;
-    }
-    cache->objects[cachedTrust] = create_object_array(objects,
-                                                      doIt,
-                                                      &numObjects,
-                                                      &status);
-    if (status != PR_SUCCESS) {
-	return status;
-    }
-    for (i=0; i<numObjects; i++) {
-	cache->objects[cachedTrust][i] = create_trust(objects[i], &status);
-	if (status != PR_SUCCESS) {
-	    break;
-	}
-    }
-    if (status == PR_SUCCESS) {
-	nss_ZFreeIf(objects);
-    } else {
-	PRUint32 j;
-	for (j=0; j<i; j++) {
-	    /* sigh */
-	    nssToken_AddRef(cache->objects[cachedTrust][j]->object->token);
-	    nssArena_Destroy(cache->objects[cachedTrust][j]->arena);
-	}
-	nssCryptokiObjectArray_Destroy(objects);
-    }
-    cache->searchedObjectType[cachedTrust] = PR_TRUE;
-    return status;
-}
-
-static nssCryptokiObjectAndAttributes *
-create_crl (
-  nssCryptokiObject *object,
-  PRStatus *status
-)
-{
-    static const CK_ATTRIBUTE_TYPE crlAttr[] = {
-	CKA_CLASS,
-	CKA_TOKEN,
-	CKA_LABEL,
-	CKA_VALUE,
-	CKA_SUBJECT,
-	CKA_NETSCAPE_KRL,
-	CKA_NETSCAPE_URL
-    };
-    static const PRUint32 numCRLAttr = sizeof(crlAttr) / sizeof(crlAttr[0]);
-    return create_object(object, crlAttr, numCRLAttr, status);
-}
-
-static PRStatus
-get_token_crls_for_cache (
-  nssTokenObjectCache *cache
-)
-{
-    PRStatus status;
-    nssCryptokiObject **objects;
-    PRBool *doIt = &cache->doObjectType[cachedCRLs];
-    PRUint32 i, numObjects;
-
-    if (!search_for_objects(cache) || 
-         cache->searchedObjectType[cachedCRLs] || 
-        !cache->doObjectType[cachedCRLs]) 
-    {
-	/* Either there was a state change that prevents a search
-	 * (token logged out), or the search was already done,
-	 * or CRLs are not being cached.
-	 */
-	return PR_SUCCESS;
-    }
-    objects = nssToken_FindCRLs(cache->token, NULL,
-                                nssTokenSearchType_TokenForced,
-				MAX_LOCAL_CACHE_OBJECTS, &status);
-    if (status != PR_SUCCESS) {
-	return status;
-    }
-    cache->objects[cachedCRLs] = create_object_array(objects,
-                                                     doIt,
-                                                     &numObjects,
-                                                     &status);
-    if (status != PR_SUCCESS) {
-	return status;
-    }
-    for (i=0; i<numObjects; i++) {
-	cache->objects[cachedCRLs][i] = create_crl(objects[i], &status);
-	if (status != PR_SUCCESS) {
-	    break;
-	}
-    }
-    if (status == PR_SUCCESS) {
-	nss_ZFreeIf(objects);
-    } else {
-	PRUint32 j;
-	for (j=0; j<i; j++) {
-	    /* sigh */
-	    nssToken_AddRef(cache->objects[cachedCRLs][j]->object->token);
-	    nssArena_Destroy(cache->objects[cachedCRLs][j]->arena);
-	}
-	nssCryptokiObjectArray_Destroy(objects);
-    }
-    cache->searchedObjectType[cachedCRLs] = PR_TRUE;
-    return status;
-}
-
-static CK_ATTRIBUTE_PTR
-find_attribute_in_object (
-  nssCryptokiObjectAndAttributes *obj,
-  CK_ATTRIBUTE_TYPE attrType
-)
-{
-    PRUint32 j;
-    for (j=0; j<obj->numAttributes; j++) {
-	if (attrType == obj->attributes[j].type) {
-	    return &obj->attributes[j];
-	}
-    }
-    return (CK_ATTRIBUTE_PTR)NULL;
-}
-
-/* Find all objects in the array that match the supplied template */
-static nssCryptokiObject **
-find_objects_in_array (
-  nssCryptokiObjectAndAttributes **objArray,
-  CK_ATTRIBUTE_PTR ot,
-  CK_ULONG otlen,
-  PRUint32 maximumOpt
-)
-{
-    PRIntn oi = 0;
-    PRUint32 i;
-    NSSArena *arena;
-    PRUint32 size = 8;
-    PRUint32 numMatches = 0;
-    nssCryptokiObject **objects = NULL;
-    nssCryptokiObjectAndAttributes **matches = NULL;
-    CK_ATTRIBUTE_PTR attr;
-
-    if (!objArray) {
-	return (nssCryptokiObject **)NULL;
-    }
-    arena = nssArena_Create();
-    if (!arena) {
-	return (nssCryptokiObject **)NULL;
-    }
-    matches = nss_ZNEWARRAY(arena, nssCryptokiObjectAndAttributes *, size);
-    if (!matches) {
-	goto loser;
-    }
-    if (maximumOpt == 0) maximumOpt = ~0;
-    /* loop over the cached objects */
-    for (; *objArray && numMatches < maximumOpt; objArray++) {
-	nssCryptokiObjectAndAttributes *obj = *objArray;
-	/* loop over the test template */
-	for (i=0; i<otlen; i++) {
-	    /* see if the object has the attribute */
-	    attr = find_attribute_in_object(obj, ot[i].type);
-	    if (!attr) {
-		/* nope, match failed */
-		break;
-	    }
-	    /* compare the attribute against the test value */
-	    if (ot[i].ulValueLen != attr->ulValueLen ||
-	        !nsslibc_memequal(ot[i].pValue, 
-	                          attr->pValue,
-	                          attr->ulValueLen, NULL))
-	    {
-		/* nope, match failed */
-		break;
-	    }
-	}
-	if (i == otlen) {
-	    /* all of the attributes in the test template were found
-	     * in the object's template, and they all matched
-	     */
-	    matches[numMatches++] = obj;
-	    if (numMatches == size) {
-		size *= 2;
-		matches = nss_ZREALLOCARRAY(matches, 
-		                            nssCryptokiObjectAndAttributes *, 
-		                            size);
-		if (!matches) {
-		    goto loser;
-		}
-	    }
-	}
-    }
-    if (numMatches > 0) {
-	objects = nss_ZNEWARRAY(NULL, nssCryptokiObject *, numMatches + 1);
-	if (!objects) {
-	    goto loser;
-	}
-	for (oi=0; oi<(PRIntn)numMatches; oi++) {
-	    objects[oi] = nssCryptokiObject_Clone(matches[oi]->object);
-	    if (!objects[oi]) {
-		goto loser;
-	    }
-	}
-    }
-    nssArena_Destroy(arena);
-    return objects;
-loser:
-    if (objects) {
-	for (--oi; oi>=0; --oi) {
-	    nssCryptokiObject_Destroy(objects[oi]);
-	}
-    }
-    nssArena_Destroy(arena);
-    return (nssCryptokiObject **)NULL;
-}
-
-NSS_IMPLEMENT nssCryptokiObject **
-nssTokenObjectCache_FindObjectsByTemplate (
-  nssTokenObjectCache *cache,
-  CK_OBJECT_CLASS objclass,
-  CK_ATTRIBUTE_PTR otemplate,
-  CK_ULONG otlen,
-  PRUint32 maximumOpt,
-  PRStatus *statusOpt
-)
-{
-    PRStatus status = PR_FAILURE;
-    nssCryptokiObject **rvObjects = NULL;
-    if (!token_is_present(cache)) {
-	status = PR_SUCCESS;
-	goto finish;
-    }
-    PZ_Lock(cache->lock);
-    switch (objclass) {
-    case CKO_CERTIFICATE:
-	if (cache->doObjectType[cachedCerts]) {
-	    status = get_token_certs_for_cache(cache);
-	    if (status != PR_SUCCESS) {
-		goto unlock;
-	    }
-	    rvObjects = find_objects_in_array(cache->objects[cachedCerts], 
-	                                      otemplate, otlen, maximumOpt);
-	}
-	break;
-    case CKO_NETSCAPE_TRUST:
-	if (cache->doObjectType[cachedTrust]) {
-	    status = get_token_trust_for_cache(cache);
-	    if (status != PR_SUCCESS) {
-		goto unlock;
-	    }
-	    rvObjects = find_objects_in_array(cache->objects[cachedTrust], 
-	                                      otemplate, otlen, maximumOpt);
-	}
-	break;
-    case CKO_NETSCAPE_CRL:
-	if (cache->doObjectType[cachedCRLs]) {
-	    status = get_token_crls_for_cache(cache);
-	    if (status != PR_SUCCESS) {
-		goto unlock;
-	    }
-	    rvObjects = find_objects_in_array(cache->objects[cachedCRLs], 
-	                                      otemplate, otlen, maximumOpt);
-	}
-	break;
-    default: break;
-    }
-unlock:
-    PZ_Unlock(cache->lock);
-finish:
-    if (statusOpt) {
-	*statusOpt = status;
-    }
-    return rvObjects;
-}
-
-static PRBool
-cache_available_for_object_type (
-  nssTokenObjectCache *cache,
-  PRUint32 objectType
-)
-{
-    if (!cache->doObjectType[objectType]) {
-	/* not caching this object kind */
-	return PR_FALSE;
-    }
-    if (!cache->searchedObjectType[objectType]) {
-	/* objects are not cached yet */
-	return PR_FALSE;
-    }
-    if (!search_for_objects(cache)) {
-	/* not logged in */
-	return PR_FALSE;
-    }
-    return PR_TRUE;
-}
-
-NSS_IMPLEMENT PRStatus
-nssTokenObjectCache_GetObjectAttributes (
-  nssTokenObjectCache *cache,
-  NSSArena *arenaOpt,
-  nssCryptokiObject *object,
-  CK_OBJECT_CLASS objclass,
-  CK_ATTRIBUTE_PTR atemplate,
-  CK_ULONG atlen
-)
-{
-    PRUint32 i, j;
-    NSSArena *arena = NULL;
-    nssArenaMark *mark = NULL;
-    nssCryptokiObjectAndAttributes *cachedOA = NULL;
-    nssCryptokiObjectAndAttributes **oa = NULL;
-    PRUint32 objectType;
-    if (!token_is_present(cache)) {
-	return PR_FAILURE;
-    }
-    PZ_Lock(cache->lock);
-    switch (objclass) {
-    case CKO_CERTIFICATE:    objectType = cachedCerts; break;
-    case CKO_NETSCAPE_TRUST: objectType = cachedTrust; break;
-    case CKO_NETSCAPE_CRL:   objectType = cachedCRLs;  break;
-    default: goto loser;
-    }
-    if (!cache_available_for_object_type(cache, objectType)) {
-	goto loser;
-    }
-    oa = cache->objects[objectType];
-    if (!oa) {
-	goto loser;
-    }
-    for (; *oa; oa++) {
-	if (nssCryptokiObject_Equal((*oa)->object, object)) {
-	    cachedOA = *oa;
-	    break;
-	}
-    }
-    if (!cachedOA) {
-	goto loser; /* don't have this object */
-    }
-    if (arenaOpt) {
-	arena = arenaOpt;
-	mark = nssArena_Mark(arena);
-    }
-    for (i=0; i<atlen; i++) {
-	for (j=0; j<cachedOA->numAttributes; j++) {
-	    if (atemplate[i].type == cachedOA->attributes[j].type) {
-		CK_ATTRIBUTE_PTR attr = &cachedOA->attributes[j];
-		if (cachedOA->attributes[j].ulValueLen == 0 ||
-		    cachedOA->attributes[j].ulValueLen == (CK_ULONG)-1) 
-		{
-		    break; /* invalid attribute */
-		}
-		if (atemplate[i].ulValueLen > 0) {
-		    if (atemplate[i].pValue == NULL ||
-		        atemplate[i].ulValueLen < attr->ulValueLen) 
-		    {
-			goto loser;
-		    }
-		} else {
-		    atemplate[i].pValue = nss_ZAlloc(arena, attr->ulValueLen);
-		    if (!atemplate[i].pValue) {
-			goto loser;
-		    }
-		}
-		nsslibc_memcpy(atemplate[i].pValue,
-		               attr->pValue, attr->ulValueLen);
-		atemplate[i].ulValueLen = attr->ulValueLen;
-		break;
-	    }
-	}
-	if (j == cachedOA->numAttributes) {
-	    atemplate[i].ulValueLen = (CK_ULONG)-1;
-	}
-    }
-    PZ_Unlock(cache->lock);
-    if (mark) {
-	nssArena_Unmark(arena, mark);
-    }
-    return PR_SUCCESS;
-loser:
-    PZ_Unlock(cache->lock);
-    if (mark) {
-	nssArena_Release(arena, mark);
-    }
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT PRStatus
-nssTokenObjectCache_ImportObject (
-  nssTokenObjectCache *cache,
-  nssCryptokiObject *object,
-  CK_OBJECT_CLASS objclass,
-  CK_ATTRIBUTE_PTR ot,
-  CK_ULONG otlen
-)
-{
-    PRStatus status = PR_SUCCESS;
-    PRUint32 count;
-    nssCryptokiObjectAndAttributes **oa, ***otype;
-    PRUint32 objectType;
-    PRBool haveIt = PR_FALSE;
-
-    if (!token_is_present(cache)) {
-	return PR_SUCCESS; /* cache not active, ignored */
-    }
-    PZ_Lock(cache->lock);
-    switch (objclass) {
-    case CKO_CERTIFICATE:    objectType = cachedCerts; break;
-    case CKO_NETSCAPE_TRUST: objectType = cachedTrust; break;
-    case CKO_NETSCAPE_CRL:   objectType = cachedCRLs;  break;
-    default:
-	PZ_Unlock(cache->lock);
-	return PR_SUCCESS; /* don't need to import it here */
-    }
-    if (!cache_available_for_object_type(cache, objectType)) {
-	PZ_Unlock(cache->lock);
-	return PR_SUCCESS; /* cache not active, ignored */
-    }
-    count = 0;
-    otype = &cache->objects[objectType]; /* index into array of types */
-    oa = *otype; /* the array of objects for this type */
-    while (oa && *oa) {
-	if (nssCryptokiObject_Equal((*oa)->object, object)) {
-	    haveIt = PR_TRUE;
-	    break;
-	}
-	count++;
-	oa++;
-    }
-    if (haveIt) {
-	/* Destroy the old entry */
-	(*oa)->object->token = NULL;
-	nssCryptokiObject_Destroy((*oa)->object);
-	nssArena_Destroy((*oa)->arena);
-    } else {
-	/* Create space for a new entry */
-	if (count > 0) {
-	    *otype = nss_ZREALLOCARRAY(*otype,
-	                               nssCryptokiObjectAndAttributes *, 
-	                               count + 2);
-	} else {
-	    *otype = nss_ZNEWARRAY(NULL, nssCryptokiObjectAndAttributes *, 2);
-	}
-    }
-    if (*otype) {
-	nssCryptokiObject *copyObject = nssCryptokiObject_Clone(object);
-	if (objectType == cachedCerts) {
-	    (*otype)[count] = create_cert(copyObject, &status);
-	} else if (objectType == cachedTrust) {
-	    (*otype)[count] = create_trust(copyObject, &status);
-	} else if (objectType == cachedCRLs) {
-	    (*otype)[count] = create_crl(copyObject, &status);
-	}
-    } else {
-	status = PR_FAILURE;
-    }
-    PZ_Unlock(cache->lock);
-    return status;
-}
-
-NSS_IMPLEMENT void
-nssTokenObjectCache_RemoveObject (
-  nssTokenObjectCache *cache,
-  nssCryptokiObject *object
-)
-{
-    PRUint32 oType;
-    nssCryptokiObjectAndAttributes **oa, **swp = NULL;
-    if (!token_is_present(cache)) {
-	return;
-    }
-    PZ_Lock(cache->lock);
-    for (oType=0; oType<3; oType++) {
-	if (!cache_available_for_object_type(cache, oType) ||
-	    !cache->objects[oType])
-	{
-	    continue;
-	}
-	for (oa = cache->objects[oType]; *oa; oa++) {
-	    if (nssCryptokiObject_Equal((*oa)->object, object)) {
-		swp = oa; /* the entry to remove */
-		while (oa[1]) oa++; /* go to the tail */
-		(*swp)->object->token = NULL;
-		nssCryptokiObject_Destroy((*swp)->object);
-		nssArena_Destroy((*swp)->arena); /* destroy it */
-		*swp = *oa; /* swap the last with the removed */
-		*oa = NULL; /* null-terminate the array */
-		break;
-	    }
-	}
-	if (swp) {
-	    break;
-	}
-    }
-    if ((oType <3) &&
-		cache->objects[oType] && cache->objects[oType][0] == NULL) {
-	nss_ZFreeIf(cache->objects[oType]); /* no entries remaining */
-	cache->objects[oType] = NULL;
-    }
-    PZ_Unlock(cache->lock);
-}
-
-/* These two hash algorithms are presently sufficient.
-** They are used for fingerprints of certs which are stored as the 
-** CKA_CERT_SHA1_HASH and CKA_CERT_MD5_HASH attributes.
-** We don't need to add SHAxxx to these now.
-*/
-/* XXX of course this doesn't belong here */
-NSS_IMPLEMENT NSSAlgorithmAndParameters *
-NSSAlgorithmAndParameters_CreateSHA1Digest (
-  NSSArena *arenaOpt
-)
-{
-    NSSAlgorithmAndParameters *rvAP = NULL;
-    rvAP = nss_ZNEW(arenaOpt, NSSAlgorithmAndParameters);
-    if (rvAP) {
-	rvAP->mechanism.mechanism = CKM_SHA_1;
-	rvAP->mechanism.pParameter = NULL;
-	rvAP->mechanism.ulParameterLen = 0;
-    }
-    return rvAP;
-}
-
-NSS_IMPLEMENT NSSAlgorithmAndParameters *
-NSSAlgorithmAndParameters_CreateMD5Digest (
-  NSSArena *arenaOpt
-)
-{
-    NSSAlgorithmAndParameters *rvAP = NULL;
-    rvAP = nss_ZNEW(arenaOpt, NSSAlgorithmAndParameters);
-    if (rvAP) {
-	rvAP->mechanism.mechanism = CKM_MD5;
-	rvAP->mechanism.pParameter = NULL;
-	rvAP->mechanism.ulParameterLen = 0;
-    }
-    return rvAP;
-}
-
diff --git a/security/nss/lib/dev/manifest.mn b/security/nss/lib/dev/manifest.mn
deleted file mode 100644
index 3b520c86f..000000000
--- a/security/nss/lib/dev/manifest.mn
+++ /dev/null
@@ -1,70 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
-
-CORE_DEPTH = ../../..
-
-PRIVATE_EXPORTS = \
-	ckhelper.h \
-	devt.h     \
-	dev.h      \
-	nssdevt.h  \
-	nssdev.h   \
-	$(NULL)
-
-EXPORTS =	   \
-	$(NULL)
-
-MODULE = nss
-
-CSRCS =		        \
-	devmod.c        \
-	devslot.c       \
-	devtoken.c      \
-	devutil.c       \
-	ckhelper.c      \
-	$(NULL)
-
-# here is where the 3.4 glue code is added
-ifndef PURE_STAN_BUILD
-DEFINES = -DNSS_3_4_CODE
-PRIVATE_EXPORTS += devm.h devtm.h
-endif
-
-REQUIRES = nspr
-
-LIBRARY_NAME = nssdev
diff --git a/security/nss/lib/dev/nssdev.h b/security/nss/lib/dev/nssdev.h
deleted file mode 100644
index 0ce4d3e33..000000000
--- a/security/nss/lib/dev/nssdev.h
+++ /dev/null
@@ -1,75 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef NSSDEV_H
-#define NSSDEV_H
-
-#ifdef DEBUG
-static const char NSSDEV_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-/*
- * nssdev.h
- *
- * High-level methods for interaction with cryptoki devices
- */
-
-#ifndef NSSDEVT_H
-#include "nssdevt.h"
-#endif /* NSSDEVT_H */
-
-PR_BEGIN_EXTERN_C
-
-/* NSSAlgorithmAndParameters
- *
- * NSSAlgorithmAndParameters_CreateSHA1Digest
- * NSSAlgorithmAndParameters_CreateMD5Digest
- */
-
-NSS_EXTERN NSSAlgorithmAndParameters *
-NSSAlgorithmAndParameters_CreateSHA1Digest
-(
-  NSSArena *arenaOpt
-);
-
-NSS_EXTERN NSSAlgorithmAndParameters *
-NSSAlgorithmAndParameters_CreateMD5Digest
-(
-  NSSArena *arenaOpt
-);
-
-PR_END_EXTERN_C
-
-#endif /* DEV_H */
diff --git a/security/nss/lib/dev/nssdevt.h b/security/nss/lib/dev/nssdevt.h
deleted file mode 100644
index e2c9e18ca..000000000
--- a/security/nss/lib/dev/nssdevt.h
+++ /dev/null
@@ -1,72 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef NSSDEVT_H
-#define NSSDEVT_H
-
-#ifdef DEBUG
-static const char NSSDEVT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * nssdevt.h
- *
- * This file contains definitions for the low-level cryptoki devices.
- */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-#ifndef NSSPKIT_H
-#include "nsspkit.h"
-#endif /* NSSPKIT_H */
-
-PR_BEGIN_EXTERN_C
-
-/*
- * NSSModule and NSSSlot -- placeholders for the PKCS#11 types
- */
-
-typedef struct NSSModuleStr NSSModule;
-
-typedef struct NSSSlotStr NSSSlot;
-
-typedef struct NSSTokenStr NSSToken;
-
-PR_END_EXTERN_C
-
-#endif /* NSSDEVT_H */
diff --git a/security/nss/lib/freebl/GF2m_ecl.c b/security/nss/lib/freebl/GF2m_ecl.c
deleted file mode 100644
index 4c0ab88f7..000000000
--- a/security/nss/lib/freebl/GF2m_ecl.c
+++ /dev/null
@@ -1,540 +0,0 @@
-/*
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library for binary polynomial field curves.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Douglas Stebila <douglas@stebila.ca>
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef NSS_ENABLE_ECC
-/*
- * GF2m_ecl.c: Contains an implementation of elliptic curve math library
- * for curves over GF2m.
- *
- * XXX Can be moved to a separate subdirectory later.
- *
- */
-
-#include "GF2m_ecl.h"
-#include "mpi/mplogic.h"
-#include "mpi/mp_gf2m.h"
-#include <stdlib.h>
-
-/* Checks if point P(px, py) is at infinity.  Uses affine coordinates. */
-mp_err 
-GF2m_ec_pt_is_inf_aff(const mp_int *px, const mp_int *py)
-{
-
-    if ((mp_cmp_z(px) == 0) && (mp_cmp_z(py) == 0)) {
-        return MP_YES;
-    } else {
-        return MP_NO;
-    }
-
-}
-
-/* Sets P(px, py) to be the point at infinity.  Uses affine coordinates. */
-mp_err 
-GF2m_ec_pt_set_inf_aff(mp_int *px, mp_int *py)
-{
-    mp_zero(px);
-    mp_zero(py);
-    return MP_OKAY;
-}
-
-/* Computes R = P + Q based on IEEE P1363 A.10.2.
- * Elliptic curve points P, Q, and R can all be identical.
- * Uses affine coordinates.
- */
-mp_err 
-GF2m_ec_pt_add_aff(const mp_int *pp, const mp_int *a, const mp_int *px, 
-    const mp_int *py, const mp_int *qx, const mp_int *qy, 
-    mp_int *rx, mp_int *ry)
-{
-    mp_err err = MP_OKAY;
-    mp_int lambda, xtemp, ytemp;
-    unsigned int *p;
-    int p_size;
-
-    p_size = mp_bpoly2arr(pp, p, 0) + 1;
-    p = (unsigned int *) (malloc(sizeof(unsigned int) * p_size));
-    if (p == NULL) goto cleanup;
-    mp_bpoly2arr(pp, p, p_size);
-    
-    CHECK_MPI_OK( mp_init(&lambda) );
-    CHECK_MPI_OK( mp_init(&xtemp) );
-    CHECK_MPI_OK( mp_init(&ytemp) );
-    /* if P = inf, then R = Q */
-    if (GF2m_ec_pt_is_inf_aff(px, py) == 0) {
-        CHECK_MPI_OK( mp_copy(qx, rx) );
-        CHECK_MPI_OK( mp_copy(qy, ry) );
-        err = MP_OKAY;
-        goto cleanup;
-    }
-    /* if Q = inf, then R = P */
-    if (GF2m_ec_pt_is_inf_aff(qx, qy) == 0) {
-        CHECK_MPI_OK( mp_copy(px, rx) );
-        CHECK_MPI_OK( mp_copy(py, ry) );
-        err = MP_OKAY;
-        goto cleanup;
-    }
-    /* if px != qx, then lambda = (py+qy) / (px+qx), 
-     *                   xtemp = a + lambda^2 + lambda + px + qx
-     */
-    if (mp_cmp(px, qx) != 0) {
-        CHECK_MPI_OK( mp_badd(py, qy, &ytemp) );
-        CHECK_MPI_OK( mp_badd(px, qx, &xtemp) );
-        CHECK_MPI_OK( mp_bdivmod(&ytemp, &xtemp, pp, p, &lambda) );
-        CHECK_MPI_OK( mp_bsqrmod(&lambda, p, &xtemp) );
-        CHECK_MPI_OK( mp_badd(&xtemp, &lambda, &xtemp) );
-        CHECK_MPI_OK( mp_badd(&xtemp, a, &xtemp) );
-        CHECK_MPI_OK( mp_badd(&xtemp, px, &xtemp) );
-        CHECK_MPI_OK( mp_badd(&xtemp, qx, &xtemp) );
-    } else {
-        /* if py != qy or qx = 0, then R = inf */
-        if (((mp_cmp(py, qy) != 0)) || (mp_cmp_z(qx) == 0)) {
-            mp_zero(rx);
-            mp_zero(ry);
-            err = MP_OKAY;
-            goto cleanup;
-        }
-        /* lambda = qx + qy / qx  */
-        CHECK_MPI_OK( mp_bdivmod(qy, qx, pp, p, &lambda) );
-        CHECK_MPI_OK( mp_badd(&lambda, qx, &lambda) );
-        /* xtemp = a + lambda^2 + lambda */
-        CHECK_MPI_OK( mp_bsqrmod(&lambda, p, &xtemp) );
-        CHECK_MPI_OK( mp_badd(&xtemp, &lambda, &xtemp) );
-        CHECK_MPI_OK( mp_badd(&xtemp, a, &xtemp) );
-    }
-    /* ry = (qx + xtemp) * lambda + xtemp + qy */
-    CHECK_MPI_OK( mp_badd(qx, &xtemp, &ytemp) );
-    CHECK_MPI_OK( mp_bmulmod(&ytemp, &lambda, p, &ytemp) );
-    CHECK_MPI_OK( mp_badd(&ytemp, &xtemp, &ytemp) );
-    CHECK_MPI_OK( mp_badd(&ytemp, qy, ry) );
-    /* rx = xtemp */
-    CHECK_MPI_OK( mp_copy(&xtemp, rx) );
-
-cleanup:
-    mp_clear(&lambda);
-    mp_clear(&xtemp);
-    mp_clear(&ytemp);
-    free(p);
-    return err;
-}
-
-/* Computes R = P - Q. 
- * Elliptic curve points P, Q, and R can all be identical.
- * Uses affine coordinates.
- */
-mp_err 
-GF2m_ec_pt_sub_aff(const mp_int *pp, const mp_int *a, const mp_int *px, 
-    const mp_int *py, const mp_int *qx, const mp_int *qy, 
-    mp_int *rx, mp_int *ry)
-{
-    mp_err err = MP_OKAY;
-    mp_int nqy;
-    MP_DIGITS(&nqy) = 0;
-    CHECK_MPI_OK( mp_init(&nqy) );
-    /* nqy = qx+qy */
-    CHECK_MPI_OK( mp_badd(qx, qy, &nqy) );
-    err = GF2m_ec_pt_add_aff(pp, a, px, py, qx, &nqy, rx, ry);
-cleanup:
-    mp_clear(&nqy);
-    return err;
-}
-
-/* Computes R = 2P. 
- * Elliptic curve points P and R can be identical.
- * Uses affine coordinates.
- */
-mp_err 
-GF2m_ec_pt_dbl_aff(const mp_int *pp, const mp_int *a, const mp_int *px, 
-    const mp_int *py, mp_int *rx, mp_int *ry)
-{
-    return GF2m_ec_pt_add_aff(pp, a, px, py, px, py, rx, ry);
-}
-
-/* Gets the i'th bit in the binary representation of a.
- * If i >= length(a), then return 0.
- * (The above behaviour differs from mpl_get_bit, which
- * causes an error if i >= length(a).)
- */
-#define MP_GET_BIT(a, i) \
-    ((i) >= mpl_significant_bits((a))) ? 0 : mpl_get_bit((a), (i))
-
-/* Computes R = nP based on IEEE P1363 A.10.3.
- * Elliptic curve points P and R can be identical.
- * Uses affine coordinates.
- */
-mp_err 
-GF2m_ec_pt_mul_aff(const mp_int *pp, const mp_int *a, const mp_int *b, 
-    const mp_int *px, const mp_int *py, const mp_int *n, 
-    mp_int *rx, mp_int *ry)
-{
-    mp_err err = MP_OKAY;
-    mp_int k, k3, qx, qy, sx, sy;
-    int b1, b3, i, l;
-    unsigned int *p;
-    int p_size;
-
-    MP_DIGITS(&k) = 0;
-    MP_DIGITS(&k3) = 0;
-    MP_DIGITS(&qx) = 0;
-    MP_DIGITS(&qy) = 0;
-    MP_DIGITS(&sx) = 0;
-    MP_DIGITS(&sy) = 0;
-    CHECK_MPI_OK( mp_init(&k) );
-    CHECK_MPI_OK( mp_init(&k3) );
-    CHECK_MPI_OK( mp_init(&qx) );
-    CHECK_MPI_OK( mp_init(&qy) );
-    CHECK_MPI_OK( mp_init(&sx) );
-    CHECK_MPI_OK( mp_init(&sy) );
-    
-    p_size = mp_bpoly2arr(pp, p, 0) + 1;
-    p = (unsigned int *) (malloc(sizeof(unsigned int) * p_size));
-    if (p == NULL) goto cleanup;
-    mp_bpoly2arr(pp, p, p_size);
-    
-    /* if n = 0 then r = inf */
-    if (mp_cmp_z(n) == 0) {
-        mp_zero(rx);
-        mp_zero(ry);
-        err = MP_OKAY;
-        goto cleanup;
-    }
-    /* Q = P, k = n */
-    CHECK_MPI_OK( mp_copy(px, &qx) );
-    CHECK_MPI_OK( mp_copy(py, &qy) );
-    CHECK_MPI_OK( mp_copy(n, &k) );
-    /* if n < 0 then Q = -Q, k = -k */
-    if (mp_cmp_z(n) < 0) {
-        CHECK_MPI_OK( mp_badd(&qx, &qy, &qy) );
-        CHECK_MPI_OK( mp_neg(&k, &k) );
-    }
-#ifdef EC_DEBUG /* basic double and add method */
-    l = mpl_significant_bits(&k) - 1;
-    mp_zero(&sx);
-    mp_zero(&sy);
-    for (i = l; i >= 0; i--) {
-        /* if k_i = 1, then S = S + Q */
-        if (mpl_get_bit(&k, i) != 0) {
-            CHECK_MPI_OK( GF2m_ec_pt_add_aff(pp, a, &sx, &sy, &qx, &qy, &sx, &sy) );
-        }
-        if (i > 0) {
-            /* S = 2S */
-            CHECK_MPI_OK( GF2m_ec_pt_dbl_aff(pp, a, &sx, &sy, &sx, &sy) );
-        }
-    }
-#else /* double and add/subtract method from standard */
-    /* k3 = 3 * k */
-    mp_set(&k3, 0x3);
-    CHECK_MPI_OK( mp_mul(&k, &k3, &k3) );
-    /* S = Q */
-    CHECK_MPI_OK( mp_copy(&qx, &sx) );
-    CHECK_MPI_OK( mp_copy(&qy, &sy) );
-    /* l = index of high order bit in binary representation of 3*k */
-    l = mpl_significant_bits(&k3) - 1;
-    /* for i = l-1 downto 1 */
-    for (i = l - 1; i >= 1; i--) {
-        /* S = 2S */
-        CHECK_MPI_OK( GF2m_ec_pt_dbl_aff(pp, a, &sx, &sy, &sx, &sy) );
-        b3 = MP_GET_BIT(&k3, i);
-        b1 = MP_GET_BIT(&k, i);
-        /* if k3_i = 1 and k_i = 0, then S = S + Q */
-        if ((b3 == 1) && (b1 == 0)) {
-            CHECK_MPI_OK( GF2m_ec_pt_add_aff(pp, a, &sx, &sy, &qx, &qy, &sx, &sy) );
-        /* if k3_i = 0 and k_i = 1, then S = S - Q */
-        } else if ((b3 == 0) && (b1 == 1)) {
-            CHECK_MPI_OK( GF2m_ec_pt_sub_aff(pp, a, &sx, &sy, &qx, &qy, &sx, &sy) );
-        }
-    }
-#endif
-    /* output S */
-    CHECK_MPI_OK( mp_copy(&sx, rx) );
-    CHECK_MPI_OK( mp_copy(&sy, ry) );
-
-cleanup:
-    mp_clear(&k);
-    mp_clear(&k3);
-    mp_clear(&qx);
-    mp_clear(&qy);
-    mp_clear(&sx);
-    mp_clear(&sy);
-    free(p);
-    return err;
-}
-
-/* Compute the x-coordinate x/z for the point 2*(x/z) in Montgomery projective 
- * coordinates.
- * Uses algorithm Mdouble in appendix of 
- *     Lopez, J. and Dahab, R.  "Fast multiplication on elliptic curves over 
- *     GF(2^m) without precomputation".
- * modified to not require precomputation of c=b^{2^{m-1}}.
- */
-static mp_err 
-gf2m_Mdouble(const mp_int *pp, const unsigned int p[], const mp_int *a, 
-    const mp_int *b, mp_int *x, mp_int *z) 
-{
-    mp_err err = MP_OKAY;
-    mp_int t1;
-
-    MP_DIGITS(&t1) = 0;
-    CHECK_MPI_OK( mp_init(&t1) );
-    
-    CHECK_MPI_OK( mp_bsqrmod(x, p, x) );
-    CHECK_MPI_OK( mp_bsqrmod(z, p, &t1) );
-    CHECK_MPI_OK( mp_bmulmod(x, &t1, p, z) );
-    CHECK_MPI_OK( mp_bsqrmod(x, p, x) );
-    CHECK_MPI_OK( mp_bsqrmod(&t1, p, &t1) );
-    CHECK_MPI_OK( mp_bmulmod(b, &t1, p, &t1) );
-    CHECK_MPI_OK( mp_badd(x, &t1, x) );
-
-cleanup:
-    mp_clear(&t1);
-    return err;
-}
-
-/* Compute the x-coordinate x1/z1 for the point (x1/z1)+(x2/x2) in Montgomery 
- * projective coordinates.
- * Uses algorithm Madd in appendix of 
- *     Lopex, J. and Dahab, R.  "Fast multiplication on elliptic curves over 
- *     GF(2^m) without precomputation".
- */
-static mp_err 
-gf2m_Madd(const mp_int *pp, const unsigned int p[], const mp_int *a, 
-    const mp_int *b, const mp_int *x, mp_int *x1, mp_int *z1, mp_int *x2,
-    mp_int *z2)
-{
-    mp_err err = MP_OKAY;
-    mp_int t1, t2;
-
-    MP_DIGITS(&t1) = 0;
-    MP_DIGITS(&t2) = 0;
-    CHECK_MPI_OK( mp_init(&t1) );
-    CHECK_MPI_OK( mp_init(&t2) );
-    
-    CHECK_MPI_OK( mp_copy(x, &t1) );
-    CHECK_MPI_OK( mp_bmulmod(x1, z2, p, x1) );
-    CHECK_MPI_OK( mp_bmulmod(z1, x2, p, z1) );
-    CHECK_MPI_OK( mp_bmulmod(x1, z1, p, &t2) );
-    CHECK_MPI_OK( mp_badd(z1, x1, z1) );
-    CHECK_MPI_OK( mp_bsqrmod(z1, p, z1) );
-    CHECK_MPI_OK( mp_bmulmod(z1, &t1, p, x1) );
-    CHECK_MPI_OK( mp_badd(x1, &t2, x1) );
-    
-cleanup:
-    mp_clear(&t1);
-    mp_clear(&t2);
-    return err;
-}
-
-/* Compute the x, y affine coordinates from the point (x1, z1) (x2, z2) 
- * using Montgomery point multiplication algorithm Mxy() in appendix of 
- *     Lopex, J. and Dahab, R.  "Fast multiplication on elliptic curves over 
- *     GF(2^m) without precomputation".
- * Returns:
- *     0 on error
- *     1 if return value should be the point at infinity
- *     2 otherwise
- */
-static int
-gf2m_Mxy(const mp_int *pp, const unsigned int p[], const mp_int *a, 
-    const mp_int *b, const mp_int *x, const mp_int *y, mp_int *x1, mp_int *z1, 
-    mp_int *x2, mp_int *z2)
-{
-    mp_err err = MP_OKAY;
-    int ret;
-    mp_int t3, t4, t5;
-
-    MP_DIGITS(&t3) = 0;
-    MP_DIGITS(&t4) = 0;
-    MP_DIGITS(&t5) = 0;
-    CHECK_MPI_OK( mp_init(&t3) );
-    CHECK_MPI_OK( mp_init(&t4) );
-    CHECK_MPI_OK( mp_init(&t5) );
-    
-    if (mp_cmp_z(z1) == 0) {
-        mp_zero(x2);
-        mp_zero(z2);
-        ret = 1;
-        goto cleanup;
-    }
-    
-    if (mp_cmp_z(z2) == 0) {
-        CHECK_MPI_OK( mp_copy(x, x2) );
-        CHECK_MPI_OK( mp_badd(x, y, z2) );
-        ret = 2;
-        goto cleanup;
-    }
-        
-    mp_set(&t5, 0x1);
-
-    CHECK_MPI_OK( mp_bmulmod(z1, z2, p, &t3) );
-
-    CHECK_MPI_OK( mp_bmulmod(z1, x, p, z1) );
-    CHECK_MPI_OK( mp_badd(z1, x1, z1) );
-    CHECK_MPI_OK( mp_bmulmod(z2, x, p, z2) );
-    CHECK_MPI_OK( mp_bmulmod(z2, x1, p, x1) );
-    CHECK_MPI_OK( mp_badd(z2, x2, z2) );
-
-    CHECK_MPI_OK( mp_bmulmod(z2, z1, p, z2) );
-    CHECK_MPI_OK( mp_bsqrmod(x, p, &t4) );
-    CHECK_MPI_OK( mp_badd(&t4, y, &t4) );
-    CHECK_MPI_OK( mp_bmulmod(&t4, &t3, p, &t4) );
-    CHECK_MPI_OK( mp_badd(&t4, z2, &t4) );
-
-    CHECK_MPI_OK( mp_bmulmod(&t3, x, p, &t3) );
-    CHECK_MPI_OK( mp_bdivmod(&t5, &t3, pp, p, &t3) );
-    CHECK_MPI_OK( mp_bmulmod(&t3, &t4, p, &t4) );
-    CHECK_MPI_OK( mp_bmulmod(x1, &t3, p, x2) );
-    CHECK_MPI_OK( mp_badd(x2, x, z2) );
-
-    CHECK_MPI_OK( mp_bmulmod(z2, &t4, p, z2) );
-    CHECK_MPI_OK( mp_badd(z2, y, z2) );
-
-    ret = 2;
-    
-cleanup:
-    mp_clear(&t3);
-    mp_clear(&t4);
-    mp_clear(&t5);
-    if (err == MP_OKAY) {
-        return ret;
-    } else {
-        return 0;
-    }
-}
-
-/* Computes R = nP based on algorithm 2P of
- *     Lopex, J. and Dahab, R.  "Fast multiplication on elliptic curves over 
- *     GF(2^m) without precomputation".
- * Elliptic curve points P and R can be identical.
- * Uses Montgomery projective coordinates.
- */
-mp_err 
-GF2m_ec_pt_mul_mont(const mp_int *pp, const mp_int *a, const mp_int *b, 
-    const mp_int *px, const mp_int *py, const mp_int *n, 
-    mp_int *rx, mp_int *ry)
-{
-    mp_err err = MP_OKAY;
-    mp_int x1, x2, z1, z2;
-    int i, j;
-    mp_digit top_bit, mask;
-    unsigned int *p;
-    int p_size;
-
-    MP_DIGITS(&x1) = 0;
-    MP_DIGITS(&x2) = 0;
-    MP_DIGITS(&z1) = 0;
-    MP_DIGITS(&z2) = 0;
-    CHECK_MPI_OK( mp_init(&x1) );
-    CHECK_MPI_OK( mp_init(&x2) );
-    CHECK_MPI_OK( mp_init(&z1) );
-    CHECK_MPI_OK( mp_init(&z2) );
-
-    p_size = mp_bpoly2arr(pp, p, 0) + 1;
-    p = (unsigned int *) (malloc(sizeof(unsigned int) * p_size));
-    if (p == NULL) goto cleanup;
-    mp_bpoly2arr(pp, p, p_size);
-    
-	/* if result should be point at infinity */
-    if ((mp_cmp_z(n) == 0) || (GF2m_ec_pt_is_inf_aff(px, py) == MP_YES)) {
-        CHECK_MPI_OK( GF2m_ec_pt_set_inf_aff(rx, ry) );
-        goto cleanup;
-    }
-
-    CHECK_MPI_OK( mp_copy(rx, &x2) );           /* x2 = rx */
-    CHECK_MPI_OK( mp_copy(ry, &z2) );           /* z2 = ry */
-
-    CHECK_MPI_OK( mp_copy(px, &x1) );           /* x1 = px */
-    mp_set(&z1, 0x1);                           /* z1 = 1 */
-    CHECK_MPI_OK( mp_bsqrmod(&x1, p, &z2) );    /* z2 = x1^2 = x2^2 */
-    CHECK_MPI_OK( mp_bsqrmod(&z2, p, &x2) );
-    CHECK_MPI_OK( mp_badd(&x2, b, &x2) );       /* x2 = px^4 + b */
-    
-    /* find top-most bit and go one past it */
-    i = MP_USED(n) - 1;
-    j = MP_DIGIT_BIT - 1;
-    top_bit = 1;
-    top_bit <<= MP_DIGIT_BIT - 1;
-    mask = top_bit;
-    while (!(MP_DIGITS(n)[i] & mask)) {
-        mask >>= 1;
-        j--;
-    }
-    mask >>= 1; j--;
-    
-    /* if top most bit was at word break, go to next word */
-    if (!mask) {
-	i--; 
-        j = MP_DIGIT_BIT - 1;
-	mask = top_bit;
-    }
-
-    for (; i >= 0; i--) {
-	for (; j >= 0; j--) {
-	    if (MP_DIGITS(n)[i] & mask) {
-		CHECK_MPI_OK( gf2m_Madd(pp, p, a, b, px, &x1, &z1, &x2, &z2) );
-                CHECK_MPI_OK( gf2m_Mdouble(pp, p, a, b, &x2, &z2) );
-            } else {
-                CHECK_MPI_OK( gf2m_Madd(pp, p, a, b, px, &x2, &z2, &x1, &z1) );
-                CHECK_MPI_OK( gf2m_Mdouble(pp, p, a, b, &x1, &z1) );
-            }
-	    mask >>= 1;
-	}
-	j = MP_DIGIT_BIT - 1;
-	mask = top_bit;
-    }
-
-    /* convert out of "projective" coordinates */
-    i = gf2m_Mxy(pp, p, a, b, px, py, &x1, &z1, &x2, &z2);
-    if (i == 0) {
-	err = MP_BADARG;
-        goto cleanup;
-    } else if (i == 1) {
-	CHECK_MPI_OK( GF2m_ec_pt_set_inf_aff(rx, ry) );
-    } else {
-        CHECK_MPI_OK( mp_copy(&x2, rx) );
-        CHECK_MPI_OK( mp_copy(&z2, ry) );
-    }
-
-cleanup:
-    mp_clear(&x1);
-    mp_clear(&x2);
-    mp_clear(&z1);
-    mp_clear(&z2);
-    free(p);
-    return err;
-}
-
-#endif /* NSS_ENABLE_ECC */
diff --git a/security/nss/lib/freebl/GF2m_ecl.h b/security/nss/lib/freebl/GF2m_ecl.h
deleted file mode 100644
index 3641d63da..000000000
--- a/security/nss/lib/freebl/GF2m_ecl.h
+++ /dev/null
@@ -1,97 +0,0 @@
-/*
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library for binary polynomial field curves.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Douglas Stebila <douglas@stebila.ca>
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef __gf2m_ecl_h_
-#define __gf2m_ecl_h_
-#ifdef NSS_ENABLE_ECC
-
-#include "secmpi.h"
-
-/* Checks if point P(px, py) is at infinity.  Uses affine coordinates. */
-mp_err GF2m_ec_pt_is_inf_aff(const mp_int *px, const mp_int *py);
-
-/* Sets P(px, py) to be the point at infinity.  Uses affine coordinates. */
-mp_err GF2m_ec_pt_set_inf_aff(mp_int *px, mp_int *py);
-
-/* Computes R = P + Q where R is (rx, ry), P is (px, py) and Q is (qx, qy). 
- * Uses affine coordinates.
- */
-mp_err GF2m_ec_pt_add_aff(const mp_int *pp, const mp_int *a, 
-    const mp_int *px, const mp_int *py, const mp_int *qx, const mp_int *qy, 
-    mp_int *rx, mp_int *ry);
-
-/* Computes R = P - Q.  Uses affine coordinates. */
-mp_err GF2m_ec_pt_sub_aff(const mp_int *pp, const mp_int *a, 
-    const mp_int *px, const mp_int *py, const mp_int *qx, const mp_int *qy, 
-    mp_int *rx, mp_int *ry);
-
-/* Computes R = 2P.  Uses affine coordinates. */
-mp_err GF2m_ec_pt_dbl_aff(const mp_int *pp, const mp_int *a, 
-    const mp_int *px, const mp_int *py, mp_int *rx, mp_int *ry);
-
-/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters
- * a, b and p are the elliptic curve coefficients and the irreducible that 
- * determines the field GF2m.  Uses affine coordinates.
- */
-mp_err GF2m_ec_pt_mul_aff(const mp_int *pp, const mp_int *a, const mp_int *b, 
-    const mp_int *px, const mp_int *py, const mp_int *n, 
-    mp_int *rx, mp_int *ry);
-
-/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters
- * a, b and p are the elliptic curve coefficients and the irreducible that 
- * determines the field GF2m.  Uses Montgomery projective coordinates.
- */
-mp_err GF2m_ec_pt_mul_mont(const mp_int *pp, const mp_int *a, 
-    const mp_int *b, const mp_int *px, const mp_int *py, 
-    const mp_int *n, mp_int *rx, mp_int *ry);
-
-#define GF2m_ec_pt_is_inf(px, py)    GF2m_ec_pt_is_inf_aff((px), (py))
-#define GF2m_ec_pt_add(p, a, px, py, qx, qy, rx, ry) \
-        GF2m_ec_pt_add_aff((p), (a), (px), (py), (qx), (qy), (rx), (ry))
-
-#define GF2m_ECL_MONTGOMERY
-#ifdef GF2m_ECL_AFFINE
-#define GF2m_ec_pt_mul(pp, a, b, px, py, n, rx, ry) \
-	GF2m_ec_pt_mul_aff((pp), (a), (b), (px), (py), (n), (rx), (ry))
-#elif defined(GF2m_ECL_MONTGOMERY)
-#define GF2m_ec_pt_mul(pp, a, b, px, py, n, rx, ry) \
-	GF2m_ec_pt_mul_mont((pp), (a), (b), (px), (py), (n), (rx), (ry))
-#endif /* GF2m_ECL_AFFINE or GF2m_ECL_MONTGOMERY */
-
-#endif /* NSS_ENABLE_ECC */
-#endif /* __gf2m_ecl_h_ */
diff --git a/security/nss/lib/freebl/GFp_ecl.c b/security/nss/lib/freebl/GFp_ecl.c
deleted file mode 100644
index 7b460cc58..000000000
--- a/security/nss/lib/freebl/GFp_ecl.c
+++ /dev/null
@@ -1,648 +0,0 @@
-/*
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library for prime field curves.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Sheueling Chang Shantz <sheueling.chang@sun.com> and
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *   Bodo Moeller <moeller@cdc.informatik.tu-darmstadt.de>,
- *   Nils Larsch <nla@trustcenter.de>, and
- *   Lenka Fibikova <fibikova@exp-math.uni-essen.de>, the OpenSSL Project
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
- 
-#ifdef NSS_ENABLE_ECC
-/*
- * GFp_ecl.c: Contains an implementation of elliptic curve math library
- * for curves over GFp.
- *
- * XXX Can be moved to a separate subdirectory later.
- *
- */
-
-#include "GFp_ecl.h"
-#include "mpi/mplogic.h"
-
-/* Checks if point P(px, py) is at infinity.  Uses affine coordinates. */
-mp_err
-GFp_ec_pt_is_inf_aff(const mp_int *px, const mp_int *py)
-{
-
-    if ((mp_cmp_z(px) == 0) && (mp_cmp_z(py) == 0)) {
-        return MP_YES;
-    } else {
-        return MP_NO;
-    }
-
-}
-
-/* Sets P(px, py) to be the point at infinity.  Uses affine coordinates. */
-mp_err
-GFp_ec_pt_set_inf_aff(mp_int *px, mp_int *py)
-{
-    mp_zero(px);
-    mp_zero(py);
-    return MP_OKAY;
-}
-
-/* Computes R = P + Q based on IEEE P1363 A.10.1.
- * Elliptic curve points P, Q, and R can all be identical.
- * Uses affine coordinates.
- */
-mp_err
-GFp_ec_pt_add_aff(const mp_int *p, const mp_int *a, const mp_int *px,
-    const mp_int *py, const mp_int *qx, const mp_int *qy, 
-    mp_int *rx, mp_int *ry)
-{
-    mp_err err = MP_OKAY;
-    mp_int lambda, temp, xtemp, ytemp;
-
-    CHECK_MPI_OK( mp_init(&lambda) );
-    CHECK_MPI_OK( mp_init(&temp) );
-    CHECK_MPI_OK( mp_init(&xtemp) );
-    CHECK_MPI_OK( mp_init(&ytemp) );
-    /* if P = inf, then R = Q */
-    if (GFp_ec_pt_is_inf_aff(px, py) == 0) {
-        CHECK_MPI_OK( mp_copy(qx, rx) );
-        CHECK_MPI_OK( mp_copy(qy, ry) );
-        err = MP_OKAY;
-        goto cleanup;
-    }
-    /* if Q = inf, then R = P */
-    if (GFp_ec_pt_is_inf_aff(qx, qy) == 0) {
-        CHECK_MPI_OK( mp_copy(px, rx) );
-        CHECK_MPI_OK( mp_copy(py, ry) );
-        err = MP_OKAY;
-        goto cleanup;
-    }
-    /* if px != qx, then lambda = (py-qy) / (px-qx) */
-    if (mp_cmp(px, qx) != 0) {
-        CHECK_MPI_OK( mp_submod(py, qy, p, &ytemp) );
-        CHECK_MPI_OK( mp_submod(px, qx, p, &xtemp) );
-        CHECK_MPI_OK( mp_invmod(&xtemp, p, &xtemp) );
-        CHECK_MPI_OK( mp_mulmod(&ytemp, &xtemp, p, &lambda) );
-    } else {
-        /* if py != qy or qy = 0, then R = inf */
-        if (((mp_cmp(py, qy) != 0)) || (mp_cmp_z(qy) == 0)) {
-            mp_zero(rx);
-            mp_zero(ry);
-            err = MP_OKAY;
-            goto cleanup;
-        }
-        /* lambda = (3qx^2+a) / (2qy) */
-        CHECK_MPI_OK( mp_sqrmod(qx, p, &xtemp) );
-        mp_set(&temp, 0x3);
-        CHECK_MPI_OK( mp_mulmod(&xtemp, &temp, p, &xtemp) );
-        CHECK_MPI_OK( mp_addmod(&xtemp, a, p, &xtemp) );
-        mp_set(&temp, 0x2);
-        CHECK_MPI_OK( mp_mulmod(qy, &temp, p, &ytemp) );
-        CHECK_MPI_OK( mp_invmod(&ytemp, p, &ytemp) );
-        CHECK_MPI_OK( mp_mulmod(&xtemp, &ytemp, p, &lambda) );
-    }
-    /* rx = lambda^2 - px - qx */
-    CHECK_MPI_OK( mp_sqrmod(&lambda, p, &xtemp) );
-    CHECK_MPI_OK( mp_submod(&xtemp, px, p, &xtemp) );
-    CHECK_MPI_OK( mp_submod(&xtemp, qx, p, &xtemp) );
-    /* ry = (x1-x2) * lambda - y1 */
-    CHECK_MPI_OK( mp_submod(qx, &xtemp, p, &ytemp) );
-    CHECK_MPI_OK( mp_mulmod(&ytemp, &lambda, p, &ytemp) );
-    CHECK_MPI_OK( mp_submod(&ytemp, qy, p, &ytemp) );
-    CHECK_MPI_OK( mp_copy(&xtemp, rx) );
-    CHECK_MPI_OK( mp_copy(&ytemp, ry) );
-
-cleanup:
-    mp_clear(&lambda);
-    mp_clear(&temp);
-    mp_clear(&xtemp);
-    mp_clear(&ytemp);
-    return err;
-}
-
-/* Computes R = P - Q. 
- * Elliptic curve points P, Q, and R can all be identical.
- * Uses affine coordinates.
- */
-mp_err
-GFp_ec_pt_sub_aff(const mp_int *p, const mp_int *a, const mp_int *px, 
-    const mp_int *py, const mp_int *qx, const mp_int *qy, 
-    mp_int *rx, mp_int *ry)
-{
-    mp_err err = MP_OKAY;
-    mp_int nqy;
-    MP_DIGITS(&nqy) = 0;
-    CHECK_MPI_OK( mp_init(&nqy) );
-    /* nqy = -qy */
-    CHECK_MPI_OK( mp_neg(qy, &nqy) );
-    err = GFp_ec_pt_add_aff(p, a, px, py, qx, &nqy, rx, ry);
-cleanup:
-    mp_clear(&nqy);
-    return err;
-}
-
-/* Computes R = 2P. 
- * Elliptic curve points P and R can be identical.
- * Uses affine coordinates.
- */
-mp_err
-GFp_ec_pt_dbl_aff(const mp_int *p, const mp_int *a, const mp_int *px, 
-    const mp_int *py, mp_int *rx, mp_int *ry)
-{
-    return GFp_ec_pt_add_aff(p, a, px, py, px, py, rx, ry);
-}
-
-/* Gets the i'th bit in the binary representation of a.
- * If i >= length(a), then return 0.
- * (The above behaviour differs from mpl_get_bit, which
- * causes an error if i >= length(a).)
- */
-#define MP_GET_BIT(a, i) \
-    ((i) >= mpl_significant_bits((a))) ? 0 : mpl_get_bit((a), (i))
-
-/* Computes R = nP based on IEEE P1363 A.10.3.
- * Elliptic curve points P and R can be identical.
- * Uses affine coordinates.
- */
-mp_err
-GFp_ec_pt_mul_aff(const mp_int *p, const mp_int *a, const mp_int *b,
-    const mp_int *px, const mp_int *py, const mp_int *n, mp_int *rx,
-    mp_int *ry) 
-{
-    mp_err err = MP_OKAY;
-    mp_int k, k3, qx, qy, sx, sy;
-    int b1, b3, i, l;
-
-    MP_DIGITS(&k) = 0;
-    MP_DIGITS(&k3) = 0;
-    MP_DIGITS(&qx) = 0;
-    MP_DIGITS(&qy) = 0;
-    MP_DIGITS(&sx) = 0;
-    MP_DIGITS(&sy) = 0;
-    CHECK_MPI_OK( mp_init(&k) );
-    CHECK_MPI_OK( mp_init(&k3) );
-    CHECK_MPI_OK( mp_init(&qx) );
-    CHECK_MPI_OK( mp_init(&qy) );
-    CHECK_MPI_OK( mp_init(&sx) );
-    CHECK_MPI_OK( mp_init(&sy) );
-    
-    /* if n = 0 then r = inf */
-    if (mp_cmp_z(n) == 0) {
-        mp_zero(rx);
-        mp_zero(ry);
-        err = MP_OKAY;
-        goto cleanup;
-    }
-    /* Q = P, k = n */
-    CHECK_MPI_OK( mp_copy(px, &qx) );
-    CHECK_MPI_OK( mp_copy(py, &qy) );
-    CHECK_MPI_OK( mp_copy(n, &k) );
-    /* if n < 0 Q = -Q, k = -k */
-    if (mp_cmp_z(n) < 0) {
-        CHECK_MPI_OK( mp_neg(&qy, &qy) );
-        CHECK_MPI_OK( mp_mod(&qy, p, &qy) );
-        CHECK_MPI_OK( mp_neg(&k, &k) );
-        CHECK_MPI_OK( mp_mod(&k, p, &k) );
-    }
-#ifdef EC_DEBUG /* basic double and add method */
-    l = mpl_significant_bits(&k) - 1;
-    mp_zero(&sx);
-    mp_zero(&sy);
-    for (i = l; i >= 0; i--) {
-        /* if k_i = 1, then S = S + Q */
-        if (mpl_get_bit(&k, i) != 0) {
-            CHECK_MPI_OK( GFp_ec_pt_add_aff(p, a, &sx, &sy, 
-		&qx, &qy, &sx, &sy) );
-        }
-        if (i > 0) {
-            /* S = 2S */
-            CHECK_MPI_OK( GFp_ec_pt_dbl_aff(p, a, &sx, &sy, &sx, &sy) );
-        }
-    }
-#else /* double and add/subtract method from standard */
-    /* k3 = 3 * k */
-    mp_set(&k3, 0x3);
-    CHECK_MPI_OK( mp_mul(&k, &k3, &k3) );
-    /* S = Q */
-    CHECK_MPI_OK( mp_copy(&qx, &sx) );
-    CHECK_MPI_OK( mp_copy(&qy, &sy) );
-    /* l = index of high order bit in binary representation of 3*k */
-    l = mpl_significant_bits(&k3) - 1;
-    /* for i = l-1 downto 1 */
-    for (i = l - 1; i >= 1; i--) {
-        /* S = 2S */
-        CHECK_MPI_OK( GFp_ec_pt_dbl_aff(p, a, &sx, &sy, &sx, &sy) );
-		b3 = MP_GET_BIT(&k3, i);
-		b1 = MP_GET_BIT(&k, i);
-        /* if k3_i = 1 and k_i = 0, then S = S + Q */
-        if ((b3 == 1) && (b1 == 0)) {
-            CHECK_MPI_OK( GFp_ec_pt_add_aff(p, a, &sx, &sy, 
-		&qx, &qy, &sx, &sy) );
-        /* if k3_i = 0 and k_i = 1, then S = S - Q */
-        } else if ((b3 == 0) && (b1 == 1)) {
-            CHECK_MPI_OK( GFp_ec_pt_sub_aff(p, a, &sx, &sy, 
-		&qx, &qy, &sx, &sy) );
-        }
-    }
-#endif
-    /* output S */
-    CHECK_MPI_OK( mp_copy(&sx, rx) );
-    CHECK_MPI_OK( mp_copy(&sy, ry) );
-
-cleanup:
-    mp_clear(&k);
-    mp_clear(&k3);
-    mp_clear(&qx);
-    mp_clear(&qy);
-    mp_clear(&sx);
-    mp_clear(&sy);
-    return err;
-}
-
-/* Converts a point P(px, py, pz) from Jacobian projective coordinates to
- * affine coordinates R(rx, ry).  P and R can share x and y coordinates.
- */
-mp_err
-GFp_ec_pt_jac2aff(const mp_int *px, const mp_int *py, const mp_int *pz,
-    const mp_int *p, mp_int *rx, mp_int *ry)
-{
-    mp_err err = MP_OKAY;
-    mp_int z1, z2, z3;
-    MP_DIGITS(&z1) = 0;
-    MP_DIGITS(&z2) = 0;
-    MP_DIGITS(&z3) = 0;
-    CHECK_MPI_OK( mp_init(&z1) );
-    CHECK_MPI_OK( mp_init(&z2) );
-    CHECK_MPI_OK( mp_init(&z3) );
-
-    /* if point at infinity, then set point at infinity and exit */
-    if (GFp_ec_pt_is_inf_jac(px, py, pz) == MP_YES) {
-        CHECK_MPI_OK( GFp_ec_pt_set_inf_aff(rx, ry) );
-	goto cleanup;
-    }
-
-    /* transform (px, py, pz) into (px / pz^2, py / pz^3) */
-    if (mp_cmp_d(pz, 1) == 0) {
-        CHECK_MPI_OK( mp_copy(px, rx) );
-	CHECK_MPI_OK( mp_copy(py, ry) );
-    } else {
-        CHECK_MPI_OK( mp_invmod(pz, p, &z1) );
-	CHECK_MPI_OK( mp_sqrmod(&z1, p, &z2) );
-	CHECK_MPI_OK( mp_mulmod(&z1, &z2, p, &z3) );
-	CHECK_MPI_OK( mp_mulmod(px, &z2, p, rx) );
-	CHECK_MPI_OK( mp_mulmod(py, &z3, p, ry) );
-    }
-	
-cleanup:
-    mp_clear(&z1);
-    mp_clear(&z2);
-    mp_clear(&z3);
-	return err;
-}
-
-/* Checks if point P(px, py, pz) is at infinity.  
- * Uses Jacobian coordinates.
- */
-mp_err
-GFp_ec_pt_is_inf_jac(const mp_int *px, const mp_int *py, const mp_int *pz) 
-{
-    return mp_cmp_z(pz);
-}
-
-/* Sets P(px, py, pz) to be the point at infinity.  Uses Jacobian 
- * coordinates. 
- */
-mp_err
-GFp_ec_pt_set_inf_jac(mp_int *px, mp_int *py, mp_int *pz) 
-{
-    mp_zero(pz);
-    return MP_OKAY;
-}
-
-/* Computes R = P + Q where R is (rx, ry, rz), P is (px, py, pz) and 
- * Q is (qx, qy, qz).  Elliptic curve points P, Q, and R can all be 
- * identical. Uses Jacobian coordinates.
- *
- * This routine implements Point Addition in the Jacobian Projective 
- * space as described in the paper "Efficient elliptic curve exponentiation 
- * using mixed coordinates", by H. Cohen, A Miyaji, T. Ono.
- */
-mp_err
-GFp_ec_pt_add_jac(const mp_int *p, const mp_int *a, const mp_int *px,
-    const mp_int *py, const mp_int *pz, const mp_int *qx, 
-    const mp_int *qy, const mp_int *qz, mp_int *rx, mp_int *ry, mp_int *rz)
-{
-    mp_err err = MP_OKAY;
-    mp_int n0, u1, u2, s1, s2, H, G;
-    MP_DIGITS(&n0) = 0;
-    MP_DIGITS(&u1) = 0;
-    MP_DIGITS(&u2) = 0;
-    MP_DIGITS(&s1) = 0;
-    MP_DIGITS(&s2) = 0;
-    MP_DIGITS(&H) = 0;
-    MP_DIGITS(&G) = 0;
-    CHECK_MPI_OK( mp_init(&n0) );
-    CHECK_MPI_OK( mp_init(&u1) );
-    CHECK_MPI_OK( mp_init(&u2) );
-    CHECK_MPI_OK( mp_init(&s1) );
-    CHECK_MPI_OK( mp_init(&s2) );
-    CHECK_MPI_OK( mp_init(&H) );
-    CHECK_MPI_OK( mp_init(&G) );
-
-    /* Use point double if pointers are equal. */
-    if ((px == qx) && (py == qy) && (pz == qz)) {
-        err = GFp_ec_pt_dbl_jac(p, a, px, py, pz, rx, ry, rz);
-	goto cleanup;
-    }
-	
-    /* If either P or Q is the point at infinity, then return 
-     * the other point 
-     */
-    if (GFp_ec_pt_is_inf_jac(px, py, pz) == MP_YES) {
-        CHECK_MPI_OK( mp_copy(qx, rx) );
-	CHECK_MPI_OK( mp_copy(qy, ry) );
-	CHECK_MPI_OK( mp_copy(qz, rz) );
-	goto cleanup;
-    }
-    if (GFp_ec_pt_is_inf_jac(qx, qy, qz) == MP_YES) {
-        CHECK_MPI_OK( mp_copy(px, rx) );
-	CHECK_MPI_OK( mp_copy(py, ry) );
-	CHECK_MPI_OK( mp_copy(pz, rz) );
-	goto cleanup;
-    }
-	
-    /* Compute u1 = px * qz^2, s1 = py * qz^3 */
-    if (mp_cmp_d(qz, 1) == 0) {
-        CHECK_MPI_OK( mp_copy(px, &u1) );
-	CHECK_MPI_OK( mp_copy(py, &s1) );
-    } else {
-        CHECK_MPI_OK( mp_sqrmod(qz, p, &n0) );
-	CHECK_MPI_OK( mp_mulmod(px, &n0, p, &u1) );
-	CHECK_MPI_OK( mp_mulmod(&n0, qz, p, &n0) );
-	CHECK_MPI_OK( mp_mulmod(py, &n0, p, &s1) );
-    }
-
-    /* Compute u2 = qx * pz^2, s2 = qy * pz^3 */
-    if (mp_cmp_d(pz, 1) == 0) {
-        CHECK_MPI_OK( mp_copy(qx, &u2) );
-	CHECK_MPI_OK( mp_copy(qy, &s2) );
-    } else {
-        CHECK_MPI_OK( mp_sqrmod(pz, p, &n0) );
-	CHECK_MPI_OK( mp_mulmod(qx, &n0, p, &u2) );
-	CHECK_MPI_OK( mp_mulmod(&n0, pz, p, &n0) );
-	CHECK_MPI_OK( mp_mulmod(qy, &n0, p, &s2) );
-    }
-
-    /* Compute H = u2 - u1 ; G = s2 - s1 */
-    CHECK_MPI_OK( mp_submod(&u2, &u1, p, &H) );
-    CHECK_MPI_OK( mp_submod(&s2, &s1, p, &G) );
-
-    if (mp_cmp_z(&H) == 0) {
-        if (mp_cmp_z(&G) == 0) {
-	    /* P = Q; double */
-	    err = GFp_ec_pt_dbl_jac(p, a, px, py, pz, 
-				    rx, ry, rz);
-	    goto cleanup;
-	} else {
-	    /* P = -Q; return point at infinity */
-	    CHECK_MPI_OK( GFp_ec_pt_set_inf_jac(rx, ry, rz) );
-	    goto cleanup;
-	}
-    }
-
-    /* rz = pz * qz * H */
-    if (mp_cmp_d(pz, 1) == 0) {
-        if (mp_cmp_d(qz, 1) == 0) {
-	    /* if pz == qz == 1, then rz = H */
-	    CHECK_MPI_OK( mp_copy(&H, rz) );
-	} else {
-	    CHECK_MPI_OK( mp_mulmod(qz, &H, p, rz) );
-	}
-    } else {
-        if (mp_cmp_d(qz, 1) == 0) {
-	    CHECK_MPI_OK( mp_mulmod(pz, &H, p, rz) );
-	} else {
-	    CHECK_MPI_OK( mp_mulmod(pz, qz, p, &n0) );
-	    CHECK_MPI_OK( mp_mulmod(&n0, &H, p, rz) );
-	}
-    }
-	
-    /* rx = G^2 - H^3 - 2 * u1 * H^2 */
-    CHECK_MPI_OK( mp_sqrmod(&G, p, rx) );
-    CHECK_MPI_OK( mp_sqrmod(&H, p, &n0) );
-    CHECK_MPI_OK( mp_mulmod(&n0, &u1, p, &u1) );
-    CHECK_MPI_OK( mp_addmod(&u1, &u1, p, &u2) );
-    CHECK_MPI_OK( mp_mulmod(&H, &n0, p, &H) );
-    CHECK_MPI_OK( mp_submod(rx, &H, p, rx) );
-    CHECK_MPI_OK( mp_submod(rx, &u2, p, rx) );
-
-    /* ry = - s1 * H^3 + G * (u1 * H^2 - rx) */
-    /* (formula based on values of variables before block above) */
-    CHECK_MPI_OK( mp_submod(&u1, rx, p, &u1) );
-    CHECK_MPI_OK( mp_mulmod(&G, &u1, p, ry) );
-    CHECK_MPI_OK( mp_mulmod(&s1, &H, p, &s1) );
-    CHECK_MPI_OK( mp_submod(ry, &s1, p, ry) );
-
-cleanup:
-    mp_clear(&n0);
-    mp_clear(&u1);
-    mp_clear(&u2);
-    mp_clear(&s1);
-    mp_clear(&s2);
-    mp_clear(&H);
-    mp_clear(&G);
-	return err;
-}
-
-/* Computes R = 2P.  Elliptic curve points P and R can be identical.  Uses 
- * Jacobian coordinates.
- *
- * This routine implements Point Doubling in the Jacobian Projective 
- * space as described in the paper "Efficient elliptic curve exponentiation 
- * using mixed coordinates", by H. Cohen, A Miyaji, T. Ono.
- */
-mp_err
-GFp_ec_pt_dbl_jac(const mp_int *p, const mp_int *a, const mp_int *px, 
-    const mp_int *py, const mp_int *pz, mp_int *rx, mp_int *ry, mp_int *rz)
-{
-    mp_err err = MP_OKAY;
-    mp_int t0, t1, M, S;
-    MP_DIGITS(&t0) = 0;
-    MP_DIGITS(&t1) = 0;
-    MP_DIGITS(&M) = 0;
-    MP_DIGITS(&S) = 0;
-    CHECK_MPI_OK( mp_init(&t0) );
-    CHECK_MPI_OK( mp_init(&t1) );
-    CHECK_MPI_OK( mp_init(&M) );
-    CHECK_MPI_OK( mp_init(&S) );
-
-    if (GFp_ec_pt_is_inf_jac(px, py, pz) == MP_YES) {
-        CHECK_MPI_OK( GFp_ec_pt_set_inf_jac(rx, ry, rz) );
-	goto cleanup;
-    }
-
-    if (mp_cmp_d(pz, 1) == 0) {
-        /* M = 3 * px^2 + a */
-        CHECK_MPI_OK( mp_sqrmod(px, p, &t0) );
-	CHECK_MPI_OK( mp_addmod(&t0, &t0, p, &M) );
-	CHECK_MPI_OK( mp_addmod(&t0, &M, p, &t0) );
-	CHECK_MPI_OK( mp_addmod(&t0, a, p, &M) );
-    } else if (mp_cmp_int(a, -3) == 0) {
-        /* M = 3 * (px + pz^2) * (px - pz) */
-        CHECK_MPI_OK( mp_sqrmod(pz, p, &M) );
-	CHECK_MPI_OK( mp_addmod(px, &M, p, &t0) );
-	CHECK_MPI_OK( mp_submod(px, &M, p, &t1) );
-	CHECK_MPI_OK( mp_mulmod(&t0, &t1, p, &M) );
-	CHECK_MPI_OK( mp_addmod(&M, &M, p, &t0) );
-	CHECK_MPI_OK( mp_addmod(&t0, &M, p, &M) );
-    } else {
-        CHECK_MPI_OK( mp_sqrmod(px, p, &t0) );
-	CHECK_MPI_OK( mp_addmod(&t0, &t0, p, &M) );
-	CHECK_MPI_OK( mp_addmod(&t0, &M, p, &t0) );
-	CHECK_MPI_OK( mp_sqrmod(pz, p, &M) );
-	CHECK_MPI_OK( mp_sqrmod(&M, p, &M) );
-	CHECK_MPI_OK( mp_mulmod(&M, a, p, &M) );
-	CHECK_MPI_OK( mp_addmod(&M, &t0, p, &M) );
-    }
-
-    /* rz = 2 * py * pz */
-    if (mp_cmp_d(pz, 1) == 0) {
-        CHECK_MPI_OK( mp_addmod(py, py, p, rz) );
-	CHECK_MPI_OK( mp_sqrmod(rz, p, &t0) );
-    } else {
-        CHECK_MPI_OK( mp_addmod(py, py, p, &t0) );
-	CHECK_MPI_OK( mp_mulmod(&t0, pz, p, rz) );
-	CHECK_MPI_OK( mp_sqrmod(&t0, p, &t0) );
-    }
-
-    /* S = 4 * px * py^2 = pz * (2 * py)^2 */
-    CHECK_MPI_OK( mp_mulmod(px, &t0, p, &S) );
-
-    /* rx = M^2 - 2 * S */
-    CHECK_MPI_OK( mp_addmod(&S, &S, p, &t1) );
-    CHECK_MPI_OK( mp_sqrmod(&M, p, rx) );
-    CHECK_MPI_OK( mp_submod(rx, &t1, p, rx) );
-
-    /* ry = M * (S - rx) - 8 * py^4 */
-    CHECK_MPI_OK( mp_sqrmod(&t0, p, &t1) );
-    if (mp_isodd(&t1)) {
-        CHECK_MPI_OK( mp_add(&t1, p, &t1) );
-    }
-    CHECK_MPI_OK( mp_div_2(&t1, &t1) );
-    CHECK_MPI_OK( mp_submod(&S, rx, p, &S) );
-    CHECK_MPI_OK( mp_mulmod(&M, &S, p, &M) );
-    CHECK_MPI_OK( mp_submod(&M, &t1, p, ry) );
-	
-cleanup:
-    mp_clear(&t0);
-    mp_clear(&t1);
-    mp_clear(&M);
-    mp_clear(&S);
-    return err;
-}
-
-/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters
- * a, b and p are the elliptic curve coefficients and the prime that 
- * determines the field GFp.  Elliptic curve points P and R can be 
- * identical.  Uses Jacobian coordinates.
- */
-mp_err
-GFp_ec_pt_mul_jac(const mp_int *p, const mp_int *a, const mp_int *b, 
-    const mp_int *px, const mp_int *py, const mp_int *n, 
-    mp_int *rx, mp_int *ry)
-{
-    mp_err err = MP_OKAY;
-    mp_int k, qx, qy, qz, sx, sy, sz;
-    int i, l;
-
-    MP_DIGITS(&k) = 0;
-    MP_DIGITS(&qx) = 0;
-    MP_DIGITS(&qy) = 0;
-    MP_DIGITS(&qz) = 0;
-    MP_DIGITS(&sx) = 0;
-    MP_DIGITS(&sy) = 0;
-    MP_DIGITS(&sz) = 0;
-    CHECK_MPI_OK( mp_init(&k) );
-    CHECK_MPI_OK( mp_init(&qx) );
-    CHECK_MPI_OK( mp_init(&qy) );
-    CHECK_MPI_OK( mp_init(&qz) );
-    CHECK_MPI_OK( mp_init(&sx) );
-    CHECK_MPI_OK( mp_init(&sy) );
-    CHECK_MPI_OK( mp_init(&sz) );
-
-    /* if n = 0 then r = inf */
-    if (mp_cmp_z(n) == 0) {
-        mp_zero(rx);
-        mp_zero(ry);
-        err = MP_OKAY;
-        goto cleanup;
-	/* if n < 0 then out of range error */
-    } else if (mp_cmp_z(n) < 0) {
-        err = MP_RANGE;
-	goto cleanup;
-    }
-    /* Q = P, k = n */
-    CHECK_MPI_OK( mp_copy(px, &qx) );
-    CHECK_MPI_OK( mp_copy(py, &qy) );
-    CHECK_MPI_OK( mp_set_int(&qz, 1) );
-    CHECK_MPI_OK( mp_copy(n, &k) );
-
-    /* double and add method */
-    l = mpl_significant_bits(&k) - 1;
-    mp_zero(&sx);
-    mp_zero(&sy);
-    mp_zero(&sz);
-    for (i = l; i >= 0; i--) {
-        /* if k_i = 1, then S = S + Q */
-        if (MP_GET_BIT(&k, i) != 0) {
-            CHECK_MPI_OK( GFp_ec_pt_add_jac(p, a, &sx, &sy, &sz, 
-					    &qx, &qy, &qz, &sx, &sy, &sz) );
-        }
-        if (i > 0) {
-            /* S = 2S */
-            CHECK_MPI_OK( GFp_ec_pt_dbl_jac(p, a, &sx, &sy, &sz, 
-					    &sx, &sy, &sz) );
-        }
-    }
-
-    /* convert result S to affine coordinates */
-    CHECK_MPI_OK( GFp_ec_pt_jac2aff(&sx, &sy, &sz, p, rx, ry) );
-
-cleanup:
-    mp_clear(&k);
-    mp_clear(&qx);
-    mp_clear(&qy);
-    mp_clear(&qz);
-    mp_clear(&sx);
-    mp_clear(&sy);
-    mp_clear(&sz);
-    return err;
-}
-#endif /* NSS_ENABLE_ECC */
diff --git a/security/nss/lib/freebl/GFp_ecl.h b/security/nss/lib/freebl/GFp_ecl.h
deleted file mode 100644
index d920b2e7c..000000000
--- a/security/nss/lib/freebl/GFp_ecl.h
+++ /dev/null
@@ -1,127 +0,0 @@
-/*
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library for prime field curves.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef __gfp_ecl_h_
-#define __gfp_ecl_h_
-#ifdef NSS_ENABLE_ECC
-
-#include "secmpi.h"
-
-/* Checks if point P(px, py) is at infinity.  Uses affine coordinates. */
-extern mp_err GFp_ec_pt_is_inf_aff(const mp_int *px, const mp_int *py);
-
-/* Sets P(px, py) to be the point at infinity.  Uses affine coordinates. */
-extern mp_err GFp_ec_pt_set_inf_aff(mp_int *px, mp_int *py);
-
-/* Computes R = P + Q where R is (rx, ry), P is (px, py) and Q is (qx, qy). 
- * Uses affine coordinates.
- */
-extern mp_err GFp_ec_pt_add_aff(const mp_int *p, const mp_int *a, 
-    const mp_int *px, const mp_int *py, const mp_int *qx, const mp_int *qy, 
-    mp_int *rx, mp_int *ry);
-
-/* Computes R = P - Q.  Uses affine coordinates. */
-extern mp_err GFp_ec_pt_sub_aff(const mp_int *p, const mp_int *a, 
-    const mp_int *px, const mp_int *py, const mp_int *qx, const mp_int *qy, 
-    mp_int *rx, mp_int *ry);
-
-/* Computes R = 2P.  Uses affine coordinates. */
-extern mp_err GFp_ec_pt_dbl_aff(const mp_int *p, const mp_int *a, 
-    const mp_int *px, const mp_int *py, mp_int *rx, mp_int *ry);
-
-/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters
- * a, b and p are the elliptic curve coefficients and the prime that 
- * determines the field GFp.  Uses affine coordinates.
- */
-extern mp_err GFp_ec_pt_mul_aff(const mp_int *p, const mp_int *a, 
-    const mp_int *b, const mp_int *px, const mp_int *py, const mp_int *n, 
-    mp_int *rx, mp_int *ry);
-
-/* Converts a point P(px, py, pz) from Jacobian projective coordinates to
- * affine coordinates R(rx, ry).
- */
-extern mp_err GFp_ec_pt_jac2aff(const mp_int *px, const mp_int *py, 
-    const mp_int *pz, const mp_int *p, mp_int *rx, mp_int *ry);
-
-/* Checks if point P(px, py, pz) is at infinity.  Uses Jacobian 
- * coordinates. 
- */
-extern mp_err GFp_ec_pt_is_inf_jac(const mp_int *px, const mp_int *py, 
-	const mp_int *pz);
-
-/* Sets P(px, py, pz) to be the point at infinity.  Uses Jacobian 
- * coordinates. 
- */
-extern mp_err GFp_ec_pt_set_inf_jac(mp_int *px, mp_int *py, mp_int *pz);
-
-/* Computes R = P + Q where R is (rx, ry, rz), P is (px, py, pz) and 
- * Q is (qx, qy, qz).  Uses Jacobian coordinates.
- */
-extern mp_err GFp_ec_pt_add_jac(const mp_int *p, const mp_int *a, 
-    const mp_int *px, const mp_int *py, const mp_int *pz, 
-    const mp_int *qx, const mp_int *qy, const mp_int *qz, 
-    mp_int *rx, mp_int *ry, mp_int *rz);
-
-/* Computes R = 2P.  Uses Jacobian coordinates. */
-extern mp_err GFp_ec_pt_dbl_jac(const mp_int *p, const mp_int *a, 
-    const mp_int *px, const mp_int *py, const mp_int *pz, 
-    mp_int *rx, mp_int *ry, mp_int *rz);
-
-/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters
- * a, b and p are the elliptic curve coefficients and the prime that 
- * determines the field GFp.  Uses Jacobian coordinates.
- */
-mp_err GFp_ec_pt_mul_jac(const mp_int *p, const mp_int *a, const mp_int *b, 
-    const mp_int *px, const mp_int *py, const mp_int *n, 
-    mp_int *rx, mp_int *ry);
-
-#define GFp_ec_pt_is_inf(px, py)    GFp_ec_pt_is_inf_aff((px), (py))
-#define GFp_ec_pt_add(p, a, px, py, qx, qy, rx, ry) \
-        GFp_ec_pt_add_aff((p), (a), (px), (py), (qx), (qy), (rx), (ry))
-
-#define GFp_ECL_JACOBIAN
-#ifdef GFp_ECL_AFFINE
-#define GFp_ec_pt_mul(p, a, b, px, py, n, rx, ry) \
-	GFp_ec_pt_mul_aff((p), (a), (b), (px), (py), (n), (rx), (ry))
-#elif defined(GFp_ECL_JACOBIAN)
-#define GFp_ec_pt_mul(p, a, b, px, py, n, rx, ry) \
-	GFp_ec_pt_mul_jac((p), (a), (b), (px), (py), (n), (rx), (ry))
-#endif /* GFp_ECL_AFFINE or GFp_ECL_JACOBIAN*/
-
-#endif /* NSS_ENABLE_ECC */
-#endif /* __gfp_ecl_h_ */
diff --git a/security/nss/lib/freebl/Makefile b/security/nss/lib/freebl/Makefile
deleted file mode 100644
index 491696ac1..000000000
--- a/security/nss/lib/freebl/Makefile
+++ /dev/null
@@ -1,532 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#   Stephen Fung <fungstep@hotmail.com> and
-#   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
--include config.mk
-
-# default for all platforms
-# unset this on those that have multiple freebl libraries
-FREEBL_BUILD_SINGLE_SHLIB = 1
-
-ifdef USE_64
-	DEFINES += -DNSS_USE_64
-endif
-
-ifdef USE_ABI32_FPU
-	DEFINES += -DNSS_USE_ABI32_FPU
-endif
-
-# des.c wants _X86_ defined for intel CPUs.  
-# coreconf does this for windows, but not for Linux, FreeBSD, etc.
-ifeq ($(CPU_ARCH),x86)
-ifneq (,$(filter-out WIN%,$(OS_TARGET)))
-	OS_REL_CFLAGS += -D_X86_
-endif
-endif
-
-ifeq ($(OS_TARGET),OSF1)
-    DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_NO_MP_WORD
-    MPI_SRCS += mpvalpha.c
-endif
-
-ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))  #omits WIN16 and WINCE
-ifdef NS_USE_GCC
-# Ideally, we want to use assembler
-#     ASFILES  = mpi_x86.s
-#     DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE \
-#                -DMP_ASSEMBLY_DIV_2DX1D
-# but we haven't figured out how to make it work, so we are not
-# using assembler right now.
-    ASFILES  =
-    DEFINES += -DMP_NO_MP_WORD -DMP_USE_UINT_DIGIT
-else
-    ASFILES  = mpi_x86.asm
-    DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE 
-    DEFINES += -DMP_ASSEMBLY_DIV_2DX1D -DMP_USE_UINT_DIGIT -DMP_NO_MP_WORD
-    ifdef BUILD_OPT
-	OPTIMIZER += -Ox  # maximum optimization for freebl
-    endif
-endif
-endif
-
-ifeq ($(OS_TARGET),WINCE)
-    DEFINES += -DMP_ARGCHK=0	# no assert in WinCE
-    DEFINES += -DSHA_NO_LONG_LONG # avoid 64-bit arithmetic in SHA512
-endif
-
-ifdef XP_OS2_VACPP
-    ASFILES  = mpi_x86.asm
-    DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE 
-    DEFINES += -DMP_ASSEMBLY_DIV_2DX1D -DMP_USE_UINT_DIGIT -DMP_NO_MP_WORD
-endif
-
-ifeq ($(OS_TARGET),IRIX)
-ifeq ($(USE_N32),1)
-    ASFILES  = mpi_mips.s
-    ifeq ($(NS_USE_GCC),1)
-	ASFLAGS = -Wp,-P -Wp,-traditional -O -mips3
-    else
-	ASFLAGS = -O -OPT:Olimit=4000 -dollar -fullwarn -xansi -n32 -mips3 
-    endif
-    DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
-    DEFINES += -DMP_USE_UINT_DIGIT
-endif
-endif
-
-ifeq ($(OS_TARGET),Linux)
-ifeq ($(CPU_ARCH),x86_64)
-    ASFILES  = arcfour-amd64-gas.s mpi_amd64_gas.s
-    ASFLAGS += -march=opteron -m64 -fPIC
-    DEFINES += -DNSS_BEVAND_ARCFOUR -DMPI_AMD64 -DMP_ASSEMBLY_MULTIPLY
-    DEFINES += -DNSS_USE_COMBA
-    MPI_SRCS += mpi_amd64.c mp_comba.c
-endif
-ifeq ($(CPU_ARCH),x86)
-    ASFILES  = mpi_x86.s
-    DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE 
-    DEFINES += -DMP_ASSEMBLY_DIV_2DX1D
-    # The floating point ECC code doesn't work on Linux x86 (bug 311432).
-    #ECL_USE_FP = 1
-endif
-endif # Linux
-
-ifeq ($(OS_TARGET),AIX)
-    DEFINES += -DMP_USE_UINT_DIGIT
-    ifndef USE_64
-	DEFINES += -DMP_NO_DIV_WORD -DMP_NO_ADD_WORD -DMP_NO_SUB_WORD
-    endif
-endif # AIX
-
-ifeq ($(OS_TARGET), HP-UX)
-ifneq ($(OS_TEST), ia64)
-# PA-RISC
-ASFILES += ret_cr16.s
-ifndef USE_64
-    FREEBL_BUILD_SINGLE_SHLIB = 
-    HAVE_ABI32_INT32 = 1
-    HAVE_ABI32_FPU = 1
-endif
-ifdef FREEBL_CHILD_BUILD
-ifdef USE_ABI32_INT32
-# build for DA1.1 (HP PA 1.1) 32-bit ABI build with 32-bit arithmetic
-    DEFINES  += -DMP_USE_UINT_DIGIT -DMP_NO_MP_WORD
-    DEFINES += -DSHA_NO_LONG_LONG # avoid 64-bit arithmetic in SHA512
-else
-ifdef USE_64
-# this builds for DA2.0W (HP PA 2.0 Wide), the LP64 ABI, using 32-bit digits 
-    MPI_SRCS += mpi_hp.c 
-    ASFILES  += hpma512.s hppa20.s 
-    DEFINES  += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
-else
-# this builds for DA2.0 (HP PA 2.0 Narrow) ABI32_FPU model 
-# (the 32-bit ABI with 64-bit registers) using 32-bit digits
-    MPI_SRCS += mpi_hp.c 
-    ASFILES  += hpma512.s hppa20.s 
-    DEFINES  += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
-    ARCHFLAG = -Aa +e +DA2.0 +DS2.0
-endif
-endif
-endif
-endif
-endif
-
-ifeq ($(OS_TARGET),SunOS)
-
-# The -R '$ORIGIN' linker option instructs this library to search for its
-# dependencies in the same directory where it resides.
-MKSHLIB += -R '$$ORIGIN'
-ifdef NS_USE_GCC
-    ifdef GCC_USE_GNU_LD
-	MKSHLIB += -Wl,-Bsymbolic,-z,defs,-z,now,-z,text
-    else
-	MKSHLIB += -Wl,-B,symbolic,-z,defs,-z,now,-z,text
-    endif # GCC_USE_GNU_LD
-else
-    MKSHLIB += -B symbolic -z defs -z now -z text
-endif # NS_USE_GCC
-
-# Sun's WorkShop defines v8, v8plus and v9 architectures.
-# gcc on Solaris defines v8 and v9 "cpus".  
-# gcc's v9 is equivalent to Workshop's v8plus.
-# gcc's -m64 is equivalent to Workshop's v9
-# We always use Sun's assembler, which uses Sun's naming convention.
-ifeq ($(CPU_ARCH),sparc)
-    FREEBL_BUILD_SINGLE_SHLIB=
-    ifdef USE_64
-        HAVE_ABI64_INT = 1
-        HAVE_ABI64_FPU = 1
-    else
-        HAVE_ABI32_INT32 = 1
-        HAVE_ABI32_FPU = 1
-        HAVE_ABI32_INT64 = 1
-    endif
-    SYSV_SPARC = 1
-    SOLARIS_AS = /usr/ccs/bin/as
-    #### set arch, asm, c flags
-    ifdef NS_USE_GCC
-	ifdef USE_ABI32_INT32
-	    # default ARCHFLAG=-mcpu=v8 set by coreconf/sunOS5.mk
-	endif
-	ifdef USE_ABI32_INT64
-	    ARCHFLAG=-mcpu=v9 -Wa,-xarch=v8plus
-	endif
-	ifdef USE_ABI32_FPU
-	    ARCHFLAG=-mcpu=v9 -Wa,-xarch=v8plus
-	endif # USE_ABI32_FPU
-	ifdef USE_ABI64_INT
-	    # this builds for Sparc v9a pure 64-bit architecture
-	endif
-	ifdef USE_ABI64_FPU
-	    # this builds for Sparc v9a pure 64-bit architecture
-	    # It uses floating point, and 32-bit word size
-	endif
-    else # NS_USE_GCC
-	ifdef USE_ABI32_INT32
-	    #ARCHFLAG=-xarch=v8 set in coreconf/sunOS5.mk
-	endif
-	ifdef USE_ABI32_INT64
-	    # this builds for Sparc v8+a ABI32_FPU architecture, 64-bit registers, 
-	    # 32-bit ABI, it uses 64-bit words, integer arithmetic,
-	    # no FPU (non-VIS cpus).
-	    # These flags were suggested by the compiler group for building
-	    # with SunStudio 10.
- 	    SOL_CFLAGS += -xO4 -xtarget=generic
-	    ARCHFLAG = -xarch=v8plus
-	    SOLARIS_AS_FLAGS = -xarch=v8plus -K PIC
-	endif
-	ifdef USE_ABI32_FPU
-	    # this builds for Sparc v8+a ABI32_FPU architecture, 64-bit registers, 
-	    # 32-bit ABI, it uses FPU code, and 32-bit word size.
-	    # these flags were determined by running cc -### -fast and copying
-	    # the generated flag settings
-	    SOL_CFLAGS += -D__MATHERR_ERRNO_DONTCARE -fns -fsimple=2 -fsingle
-	    SOL_CFLAGS += -xalias_level=basic -xbuiltin=%all
-	    SOL_CFLAGS += -xcache=64/32/4:1024/64/4 -xchip=ultra3 -xdepend
-	    SOL_CFLAGS += -xlibmil -xmemalign=8s -xO5
-	    ARCHFLAG = -xarch=v8plusa
-	    SOLARIS_AS_FLAGS = -xarch=v8plusa -K PIC
-	endif
-	ifdef USE_ABI64_INT
-	    # this builds for Sparc v9a pure 64-bit architecture,
-	    # no FPU (non-VIS cpus). For building with SunStudio 10.
- 	    SOL_CFLAGS += -xO4 -xtarget=generic
-	    ARCHFLAG = -xarch=v9
-	    SOLARIS_AS_FLAGS = -xarch=v9 -K PIC
-	endif
-	ifdef USE_ABI64_FPU
-	    # this builds for Sparc v9a pure 64-bit architecture
-	    # It uses floating point, and 32-bit word size.
-	    # See comment for USE_ABI32_FPU.
-	    SOL_CFLAGS += -D__MATHERR_ERRNO_DONTCARE -fns -fsimple=2 -fsingle
-	    SOL_CFLAGS += -xalias_level=basic -xbuiltin=%all
-	    SOL_CFLAGS += -xcache=64/32/4:1024/64/4 -xchip=ultra3 -xdepend
-	    SOL_CFLAGS += -xlibmil -xmemalign=8s -xO5
-	    ARCHFLAG = -xarch=v9a
-	    SOLARIS_AS_FLAGS = -xarch=v9a -K PIC
-	endif
-    endif # NS_USE_GCC
-
-    ### set MP_ flags for both GCC and Sun cc
-    ifdef USE_ABI32_INT32
-	# this builds for Sparc v8 pure 32-bit architecture
-	DEFINES += -DMP_USE_UINT_DIGIT -DMP_ASSEMBLY_MULTIPLY
-	ASFILES  = mpv_sparcv8x.s
-	DEFINES += -DSHA_NO_LONG_LONG # avoid 64-bit arithmetic in SHA512
-    endif
-    ifdef USE_ABI32_INT64
-	# this builds for Sparc v8+a ABI32_FPU architecture, 64-bit registers, 
-	# 32-bit ABI, it uses 64-bit words, integer arithmetic, no FPU
-	# best times are with no MP_ flags specified
-    endif
-    ifdef USE_ABI32_FPU
-	# this builds for Sparc v8+a ABI32_FPU architecture, 64-bit registers, 
-	# 32-bit ABI, it uses FPU code, and 32-bit word size
-	MPI_SRCS += mpi_sparc.c
-	ASFILES  = mpv_sparcv8.s montmulfv8.s
-	DEFINES  += -DMP_NO_MP_WORD -DMP_USE_UINT_DIGIT -DMP_ASSEMBLY_MULTIPLY
-	DEFINES  += -DMP_USING_MONT_MULF -DMP_MONT_USE_MP_MUL
-    endif
-    ifdef USE_ABI64_INT
-	# this builds for Sparc v9a pure 64-bit architecture
-	# best times are with no MP_ flags specified
-    endif
-    ifdef USE_ABI64_FPU
-	# this builds for Sparc v9a pure 64-bit architecture
-	# It uses floating point, and 32-bit word size
-	MPI_SRCS += mpi_sparc.c
-	ASFILES   = mpv_sparcv9.s montmulfv9.s
-	DEFINES  += -DMP_NO_MP_WORD -DMP_USE_UINT_DIGIT -DMP_ASSEMBLY_MULTIPLY
-	DEFINES  += -DMP_USING_MONT_MULF -DMP_MONT_USE_MP_MUL
-    endif
-
-    ECL_USE_FP = 1
-else
-    # Solaris for non-sparc family CPUs
-    ifdef NS_USE_GCC
-	LD = gcc
-	AS = gcc
-	ASFLAGS =
-    endif
-    ifeq ($(USE_64),1)
-	# Solaris for AMD64
-	ifdef NS_USE_GCC
-	    ASFILES  = arcfour-amd64-gas.s mpi_amd64_gas.s
-	    ASFLAGS += -march=opteron -m64 -fPIC
-	    MPI_SRCS += mp_comba.c
-	else
-	    ASFILES  = arcfour-amd64-sun.s mpi_amd64_sun.s sha-fast-amd64-sun.s
-	    ASFILES += mp_comba_amd64_sun.s
-	    ASFLAGS += -xarch=generic64 -K PIC
-	    SHA_SRCS =
-	endif
-	DEFINES += -DNSS_BEVAND_ARCFOUR -DMPI_AMD64 -DMP_ASSEMBLY_MULTIPLY
-	DEFINES += -DNSS_USE_COMBA
-	MPI_SRCS += mpi_amd64.c
-    else
-	# Solaris x86
-	DEFINES += -D_X86_
-	DEFINES += -DMP_USE_UINT_DIGIT
-	DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE 
-	DEFINES += -DMP_ASSEMBLY_DIV_2DX1D
-	ASFILES  = mpi_i86pc.s
-    endif
-endif # Solaris for non-sparc family CPUs
-endif # target == SunOS
-
-ifdef NSS_ENABLE_ECC
-    ifdef ECL_USE_FP
-	#enable floating point ECC code	
-	DEFINES  += -DECL_USE_FP
-	ECL_SRCS += ecp_fp160.c ecp_fp192.c ecp_fp224.c ecp_fp.c
-	ECL_HDRS += ecp_fp.h
-    endif
-endif # NSS_ENABLE_ECC
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-export:: private_export
-
-rijndael_tables:
-	$(CC) -o $(OBJDIR)/make_rijndael_tab rijndael_tables.c \
-	         $(DEFINES) $(INCLUDES) $(OBJDIR)/libfreebl.a
-	$(OBJDIR)/make_rijndael_tab
-
-vpath %.h mpi ecl
-vpath %.c mpi ecl
-vpath %.S mpi ecl
-vpath %.s mpi ecl
-vpath %.asm mpi ecl
-INCLUDES += -Impi -Iecl
-
-
-DEFINES += -DMP_API_COMPATIBLE
-
-MPI_USERS = dh.c pqg.c dsa.c rsa.c ec.c
-
-MPI_OBJS = $(addprefix $(OBJDIR)/$(PROG_PREFIX), $(MPI_SRCS:.c=$(OBJ_SUFFIX)))
-MPI_OBJS += $(addprefix $(OBJDIR)/$(PROG_PREFIX), $(MPI_USERS:.c=$(OBJ_SUFFIX)))
-
-$(MPI_OBJS): $(MPI_HDRS)
-
-ECL_USERS = ec.c
-
-ECL_OBJS = $(addprefix $(OBJDIR)/$(PROG_PREFIX), $(ECL_SRCS:.c=$(OBJ_SUFFIX)) $(ECL_ASM_SRCS:$(ASM_SUFFIX)=$(OBJ_SUFFIX)))
-ECL_OBJS += $(addprefix $(OBJDIR)/$(PROG_PREFIX), $(ECL_USERS:.c=$(OBJ_SUFFIX)))
-
-$(ECL_OBJS): $(ECL_HDRS)
-
-
-
-$(OBJDIR)/sysrand$(OBJ_SUFFIX): sysrand.c unix_rand.c win_rand.c mac_rand.c os2_rand.c
-
-$(OBJDIR)/$(PROG_PREFIX)mpprime$(OBJ_SUFFIX): primes.c
-
-$(OBJDIR)/ldvector$(OBJ_SUFFIX) $(OBJDIR)/loader$(OBJ_SUFFIX) : loader.h
-
-ifeq ($(SYSV_SPARC),1)
-
-$(OBJDIR)/mpv_sparcv8.o $(OBJDIR)/mpv_sparcv8x.o $(OBJDIR)/montmulfv8.o : $(OBJDIR)/%.o : %.s
-	@$(MAKE_OBJDIR)
-	$(SOLARIS_AS) -o $@ $(SOLARIS_AS_FLAGS) $<
-
-$(OBJDIR)/mpv_sparcv9.o $(OBJDIR)/montmulfv9.o : $(OBJDIR)/%.o : %.s
-	@$(MAKE_OBJDIR)
-	$(SOLARIS_AS) -o $@ $(SOLARIS_AS_FLAGS) $<
-
-$(OBJDIR)/mpmontg.o: mpmontg.c montmulf.h
-
-endif
-
-ifndef FREEBL_CHILD_BUILD
-
-# Parent build. This is where we decide which shared libraries to build
-
-ifdef FREEBL_BUILD_SINGLE_SHLIB
-
-################### Single shared lib stuff #########################
-SINGLE_SHLIB_DIR = $(OBJDIR)/$(OS_TARGET)_SINGLE_SHLIB
-ALL_TRASH += $(SINGLE_SHLIB_DIR) 
-
-$(SINGLE_SHLIB_DIR):
-	-mkdir $(SINGLE_SHLIB_DIR)
-
-release_md libs:: $(SINGLE_SHLIB_DIR)
-	$(MAKE) FREEBL_CHILD_BUILD=1 \
- OBJDIR=$(SINGLE_SHLIB_DIR) $@
-######################## common stuff #########################
-
-endif
-
-# multiple shared libraries
-
-######################## ABI32_FPU stuff #########################
-ifdef HAVE_ABI32_FPU
-ABI32_FPU_DIR = $(OBJDIR)/$(OS_TARGET)_ABI32_FPU
-ALL_TRASH += $(ABI32_FPU_DIR) 
-
-$(ABI32_FPU_DIR):
-	-mkdir $(ABI32_FPU_DIR)
-
-release_md libs:: $(ABI32_FPU_DIR)
-	$(MAKE) FREEBL_CHILD_BUILD=1 USE_ABI32_FPU=1 \
- OBJDIR=$(ABI32_FPU_DIR) $@
-endif
-
-######################## ABI32_INT32 stuff #########################
-ifdef HAVE_ABI32_INT32
-ABI32_INT32_DIR = $(OBJDIR)/$(OS_TARGET)_ABI32_INT32
-ALL_TRASH += $(ABI32_INT32_DIR) 
-
-$(ABI32_INT32_DIR):
-	-mkdir $(ABI32_INT32_DIR)
-
-release_md libs:: $(ABI32_INT32_DIR)
-	$(MAKE) FREEBL_CHILD_BUILD=1 USE_ABI32_INT32=1 \
- OBJDIR=$(ABI32_INT32_DIR) $@
-endif
-
-######################## ABI32_INT64 stuff #########################
-ifdef HAVE_ABI32_INT64
-ABI32_INT64_DIR = $(OBJDIR)/$(OS_TARGET)_ABI32_INT64
-ALL_TRASH += $(ABI32_INT64_DIR) 
-
-$(ABI32_INT64_DIR):
-	-mkdir $(ABI32_INT64_DIR)
-
-release_md libs:: $(ABI32_INT64_DIR)
-	$(MAKE) FREEBL_CHILD_BUILD=1 USE_ABI32_INT64=1\
- OBJDIR=$(ABI32_INT64_DIR) $@
-endif
-
-######################## END of 32-bit stuff #########################
-
-# above is 32-bit builds, below is 64-bit builds
-
-######################## ABI64_FPU stuff #########################
-ifdef HAVE_ABI64_FPU
-ABI64_FPU_DIR = $(OBJDIR)/$(OS_TARGET)_ABI64_FPU
-ALL_TRASH += $(ABI64_FPU_DIR) 
-
-$(ABI64_FPU_DIR):
-	-mkdir $(ABI64_FPU_DIR)
-
-release_md libs:: $(ABI64_FPU_DIR)
-	$(MAKE) FREEBL_CHILD_BUILD=1 USE_ABI64_FPU=1 \
- OBJDIR=$(ABI64_FPU_DIR) $@
-endif
-
-######################## ABI64_INT stuff #########################
-ifdef HAVE_ABI64_INT
-ABI64_INT_DIR = $(OBJDIR)/$(OS_TARGET)_ABI64_INT
-ALL_TRASH += $(ABI64_INT_DIR) 
-
-$(ABI64_INT_DIR):
-	-mkdir $(ABI64_INT_DIR)
-
-release_md libs:: $(ABI64_INT_DIR)
-	$(MAKE) FREEBL_CHILD_BUILD=1 USE_ABI64_INT=1 \
- OBJDIR=$(ABI64_INT_DIR) $@
-endif
-
-endif  # FREEBL_CHILD_BUILD
-
-
-# Bugzilla Bug 209827: disable optimization to work around what appears
-# to be a VACPP optimizer bug.
-ifdef XP_OS2_VACPP
-$(OBJDIR)/alg2268.obj: alg2268.c
-	@$(MAKE_OBJDIR)
-	$(CC) -Fo$@ -c $(filter-out /O+, $(CFLAGS)) $(call abspath,$<)
-endif
diff --git a/security/nss/lib/freebl/aeskeywrap.c b/security/nss/lib/freebl/aeskeywrap.c
deleted file mode 100644
index c61a94a4d..000000000
--- a/security/nss/lib/freebl/aeskeywrap.c
+++ /dev/null
@@ -1,413 +0,0 @@
-/*
- * aeskeywrap.c - implement AES Key Wrap algorithm from RFC 3394
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2002
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-/* $Id$ */
-
-#include "prcpucfg.h"
-#if defined(IS_LITTLE_ENDIAN) || defined(SHA_NO_LONG_LONG)
-#define BIG_ENDIAN_WITH_64_BIT_REGISTERS 0
-#else
-#define BIG_ENDIAN_WITH_64_BIT_REGISTERS 1
-#endif
-#include "prtypes.h"	/* for PRUintXX */
-#include "secport.h"	/* for PORT_XXX */
-#include "secerr.h"
-#include "blapi.h"	/* for AES_ functions */
-#include "rijndael.h"
-
-struct AESKeyWrapContextStr {
-     unsigned char iv[AES_KEY_WRAP_IV_BYTES];
-     AESContext    aescx;
-};
-
-/******************************************/
-/*
-** AES key wrap algorithm, RFC 3394
-*/
-
-AESKeyWrapContext * 
-AESKeyWrap_AllocateContext(void)
-{
-    AESKeyWrapContext * cx = PORT_New(AESKeyWrapContext);
-    return cx;
-}
-
-SECStatus  
-AESKeyWrap_InitContext(AESKeyWrapContext *cx, 
-		       const unsigned char *key, 
-		       unsigned int keylen,
-		       const unsigned char *iv, 
-		       int x1,
-		       unsigned int encrypt,
-		       unsigned int x2)
-{
-    SECStatus rv = SECFailure;
-    if (!cx) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-    	return SECFailure;
-    }
-    if (iv) {
-    	memcpy(cx->iv, iv, sizeof cx->iv);
-    } else {
-	memset(cx->iv, 0xA6, sizeof cx->iv);
-    }
-    rv = AES_InitContext(&cx->aescx, key, keylen, NULL, NSS_AES, encrypt, 
-                                  AES_BLOCK_SIZE);
-    return rv;
-}
-
-/*
-** Create a new AES context suitable for AES encryption/decryption.
-** 	"key" raw key data
-** 	"keylen" the number of bytes of key data (16, 24, or 32)
-*/
-extern AESKeyWrapContext *
-AESKeyWrap_CreateContext(const unsigned char *key, const unsigned char *iv, 
-                         int encrypt, unsigned int keylen)
-{
-    SECStatus rv;
-    AESKeyWrapContext * cx = AESKeyWrap_AllocateContext();
-    if (!cx) 
-    	return NULL;	/* error is already set */
-    rv = AESKeyWrap_InitContext(cx, key, keylen, iv, 0, encrypt, 0);
-    if (rv != SECSuccess) {
-        PORT_Free(cx);
-	cx = NULL; 	/* error should already be set */
-    }
-    return cx;
-}
-
-/*
-** Destroy a AES KeyWrap context.
-**	"cx" the context
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void 
-AESKeyWrap_DestroyContext(AESKeyWrapContext *cx, PRBool freeit)
-{
-    if (cx) {
-	AES_DestroyContext(&cx->aescx, PR_FALSE);
-/*	memset(cx, 0, sizeof *cx); */
-	if (freeit)
-	    PORT_Free(cx);
-    }
-}
-
-#if !BIG_ENDIAN_WITH_64_BIT_REGISTERS
-
-/* The AES Key Wrap algorithm has 64-bit values that are ALWAYS big-endian
-** (Most significant byte first) in memory.  The only ALU operations done
-** on them are increment, decrement, and XOR.  So, on little-endian CPUs,
-** and on CPUs that lack 64-bit registers, these big-endian 64-bit operations
-** are simulated in the following code.  This is thought to be faster and
-** simpler than trying to convert the data to little-endian and back.
-*/
-
-/* A and T point to two 64-bit values stored most signficant byte first
-** (big endian).  This function increments the 64-bit value T, and then
-** XORs it with A, changing A.
-*/ 
-static void
-increment_and_xor(unsigned char *A, unsigned char *T)
-{
-    if (!++T[7])
-        if (!++T[6])
-	    if (!++T[5])
-		if (!++T[4])
-		    if (!++T[3])
-			if (!++T[2])
-			    if (!++T[1])
-				 ++T[0];
-
-    A[0] ^= T[0];
-    A[1] ^= T[1];
-    A[2] ^= T[2];
-    A[3] ^= T[3];
-    A[4] ^= T[4];
-    A[5] ^= T[5];
-    A[6] ^= T[6];
-    A[7] ^= T[7];
-}
-
-/* A and T point to two 64-bit values stored most signficant byte first
-** (big endian).  This function XORs T with A, giving a new A, then 
-** decrements the 64-bit value T.
-*/ 
-static void
-xor_and_decrement(unsigned char *A, unsigned char *T)
-{
-    A[0] ^= T[0];
-    A[1] ^= T[1];
-    A[2] ^= T[2];
-    A[3] ^= T[3];
-    A[4] ^= T[4];
-    A[5] ^= T[5];
-    A[6] ^= T[6];
-    A[7] ^= T[7];
-
-    if (!T[7]--)
-        if (!T[6]--)
-	    if (!T[5]--)
-		if (!T[4]--)
-		    if (!T[3]--)
-			if (!T[2]--)
-			    if (!T[1]--)
-				 T[0]--;
-
-}
-
-/* Given an unsigned long t (in host byte order), store this value as a
-** 64-bit big-endian value (MSB first) in *pt.
-*/
-static void
-set_t(unsigned char *pt, unsigned long t)
-{
-    pt[7] = (unsigned char)t; t >>= 8;
-    pt[6] = (unsigned char)t; t >>= 8;
-    pt[5] = (unsigned char)t; t >>= 8;
-    pt[4] = (unsigned char)t; t >>= 8;
-    pt[3] = (unsigned char)t; t >>= 8;
-    pt[2] = (unsigned char)t; t >>= 8;
-    pt[1] = (unsigned char)t; t >>= 8;
-    pt[0] = (unsigned char)t;
-}
-
-#endif
-
-/*
-** Perform AES key wrap.
-**	"cx" the context
-**	"output" the output buffer to store the encrypted data.
-**	"outputLen" how much data is stored in "output". Set by the routine
-**	   after some data is stored in output.
-**	"maxOutputLen" the maximum amount of data that can ever be
-**	   stored in "output"
-**	"input" the input data
-**	"inputLen" the amount of input data
-*/
-extern SECStatus 
-AESKeyWrap_Encrypt(AESKeyWrapContext *cx, unsigned char *output,
-            unsigned int *pOutputLen, unsigned int maxOutputLen,
-            const unsigned char *input, unsigned int inputLen)
-{
-    PRUint64 *     R          = NULL;
-    unsigned int   nBlocks;
-    unsigned int   i, j;
-    unsigned int   aesLen     = AES_BLOCK_SIZE;
-    unsigned int   outLen     = inputLen + AES_KEY_WRAP_BLOCK_SIZE;
-    SECStatus      s          = SECFailure;
-    /* These PRUint64s are ALWAYS big endian, regardless of CPU orientation. */
-    PRUint64       t;
-    PRUint64       B[2];
-
-#define A B[0]
-
-    /* Check args */
-    if (!inputLen || 0 != inputLen % AES_KEY_WRAP_BLOCK_SIZE) {
-	PORT_SetError(SEC_ERROR_INPUT_LEN);
-	return s;
-    }
-#ifdef maybe
-    if (!output && pOutputLen) {	/* caller is asking for output size */
-    	*pOutputLen = outLen;
-	return SECSuccess;
-    }
-#endif
-    if (maxOutputLen < outLen) {
-	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
-	return s;
-    }
-    if (cx == NULL || output == NULL || input == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return s;
-    }
-    nBlocks = inputLen / AES_KEY_WRAP_BLOCK_SIZE;
-    R = PORT_NewArray(PRUint64, nBlocks + 1);
-    if (!R)
-    	return s;	/* error is already set. */
-    /* 
-    ** 1) Initialize variables.
-    */
-    memcpy(&A, cx->iv, AES_KEY_WRAP_IV_BYTES);
-    memcpy(&R[1], input, inputLen);
-#if BIG_ENDIAN_WITH_64_BIT_REGISTERS
-    t = 0;
-#else
-    memset(&t, 0, sizeof t);
-#endif
-    /* 
-    ** 2) Calculate intermediate values.
-    */
-    for (j = 0; j < 6; ++j) {
-    	for (i = 1; i <= nBlocks; ++i) {
-	    B[1] = R[i];
-	    s = AES_Encrypt(&cx->aescx, (unsigned char *)B, &aesLen, 
-	                    sizeof B,  (unsigned char *)B, sizeof B);
-	    if (s != SECSuccess) 
-	        break;
-	    R[i] = B[1];
-	    /* here, increment t and XOR A with t (in big endian order); */
-#if BIG_ENDIAN_WITH_64_BIT_REGISTERS
-   	    A ^= ++t; 
-#else
-	    increment_and_xor((unsigned char *)&A, (unsigned char *)&t);
-#endif
-	}
-    }
-    /* 
-    ** 3) Output the results.
-    */
-    if (s == SECSuccess) {
-    	R[0] =  A;
-	memcpy(output, &R[0], outLen);
-	if (pOutputLen)
-	    *pOutputLen = outLen;
-    } else if (pOutputLen) {
-    	*pOutputLen = 0;
-    }
-    PORT_ZFree(R, outLen);
-    return s;
-}
-#undef A
-
-/*
-** Perform AES key unwrap.
-**	"cx" the context
-**	"output" the output buffer to store the decrypted data.
-**	"outputLen" how much data is stored in "output". Set by the routine
-**	   after some data is stored in output.
-**	"maxOutputLen" the maximum amount of data that can ever be
-**	   stored in "output"
-**	"input" the input data
-**	"inputLen" the amount of input data
-*/
-extern SECStatus 
-AESKeyWrap_Decrypt(AESKeyWrapContext *cx, unsigned char *output,
-            unsigned int *pOutputLen, unsigned int maxOutputLen,
-            const unsigned char *input, unsigned int inputLen)
-{
-    PRUint64 *     R          = NULL;
-    unsigned int   nBlocks;
-    unsigned int   i, j;
-    unsigned int   aesLen     = AES_BLOCK_SIZE;
-    unsigned int   outLen;
-    SECStatus      s          = SECFailure;
-    /* These PRUint64s are ALWAYS big endian, regardless of CPU orientation. */
-    PRUint64       t;
-    PRUint64       B[2];
-
-#define A B[0]
-
-    /* Check args */
-    if (inputLen < 3 * AES_KEY_WRAP_BLOCK_SIZE || 
-        0 != inputLen % AES_KEY_WRAP_BLOCK_SIZE) {
-	PORT_SetError(SEC_ERROR_INPUT_LEN);
-	return s;
-    }
-    outLen = inputLen - AES_KEY_WRAP_BLOCK_SIZE;
-#ifdef maybe
-    if (!output && pOutputLen) {	/* caller is asking for output size */
-    	*pOutputLen = outLen;
-	return SECSuccess;
-    }
-#endif
-    if (maxOutputLen < outLen) {
-	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
-	return s;
-    }
-    if (cx == NULL || output == NULL || input == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return s;
-    }
-    nBlocks = inputLen / AES_KEY_WRAP_BLOCK_SIZE;
-    R = PORT_NewArray(PRUint64, nBlocks);
-    if (!R)
-    	return s;	/* error is already set. */
-    nBlocks--;
-    /* 
-    ** 1) Initialize variables.
-    */
-    memcpy(&R[0], input, inputLen);
-    A = R[0];
-#if BIG_ENDIAN_WITH_64_BIT_REGISTERS
-    t = 6UL * nBlocks;
-#else
-    set_t((unsigned char *)&t, 6UL * nBlocks);
-#endif
-    /* 
-    ** 2) Calculate intermediate values.
-    */
-    for (j = 0; j < 6; ++j) {
-    	for (i = nBlocks; i; --i) {
-	    /* here, XOR A with t (in big endian order) and decrement t; */
-#if BIG_ENDIAN_WITH_64_BIT_REGISTERS
-   	    A ^= t--; 
-#else
-	    xor_and_decrement((unsigned char *)&A, (unsigned char *)&t);
-#endif
-	    B[1] = R[i];
-	    s = AES_Decrypt(&cx->aescx, (unsigned char *)B, &aesLen, 
-	                    sizeof B,  (unsigned char *)B, sizeof B);
-	    if (s != SECSuccess) 
-	        break;
-	    R[i] = B[1];
-	}
-    }
-    /* 
-    ** 3) Output the results.
-    */
-    if (s == SECSuccess) {
-	int bad = memcmp(&A, cx->iv, AES_KEY_WRAP_IV_BYTES);
-	if (!bad) {
-	    memcpy(output, &R[1], outLen);
-	    if (pOutputLen)
-		*pOutputLen = outLen;
-	} else {
-	    PORT_SetError(SEC_ERROR_BAD_DATA);
-	    if (pOutputLen) 
-		*pOutputLen = 0;
-    	}
-    } else if (pOutputLen) {
-    	*pOutputLen = 0;
-    }
-    PORT_ZFree(R, inputLen);
-    return s;
-}
-#undef A
diff --git a/security/nss/lib/freebl/alg2268.c b/security/nss/lib/freebl/alg2268.c
deleted file mode 100644
index dcc5418dc..000000000
--- a/security/nss/lib/freebl/alg2268.c
+++ /dev/null
@@ -1,515 +0,0 @@
-/*
- * alg2268.c - implementation of the algorithm in RFC 2268
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/* $Id$ */
-
-#include "blapi.h"
-#include "secerr.h"
-#ifdef XP_UNIX_XXX
-#include <stddef.h>	/* for ptrdiff_t */
-#endif
-
-/*
-** RC2 symmetric block cypher
-*/
-
-typedef SECStatus (rc2Func)(RC2Context *cx, unsigned char *output,
-		           const unsigned char *input, unsigned int inputLen);
-
-/* forward declarations */
-static rc2Func rc2_EncryptECB;
-static rc2Func rc2_DecryptECB;
-static rc2Func rc2_EncryptCBC;
-static rc2Func rc2_DecryptCBC;
-
-typedef union {
-    PRUint32	l[2];
-    PRUint16	s[4];
-    PRUint8	b[8];
-} RC2Block;
-
-struct RC2ContextStr {
-    union {
-    	PRUint8  Kb[128];
-	PRUint16 Kw[64];
-    } u;
-    RC2Block     iv;
-    rc2Func      *enc;
-    rc2Func      *dec;
-};
-
-#define B u.Kb
-#define K u.Kw
-#define BYTESWAP(x) ((x) << 8 | (x) >> 8)
-#define SWAPK(i)  cx->K[i] = (tmpS = cx->K[i], BYTESWAP(tmpS))
-#define RC2_BLOCK_SIZE 8
-
-#define LOAD_HARD(R) \
-    R[0] = (PRUint16)input[1] << 8 | input[0]; \
-    R[1] = (PRUint16)input[3] << 8 | input[2]; \
-    R[2] = (PRUint16)input[5] << 8 | input[4]; \
-    R[3] = (PRUint16)input[7] << 8 | input[6];
-#define LOAD_EASY(R) \
-    R[0] = ((PRUint16 *)input)[0]; \
-    R[1] = ((PRUint16 *)input)[1]; \
-    R[2] = ((PRUint16 *)input)[2]; \
-    R[3] = ((PRUint16 *)input)[3];
-#define STORE_HARD(R) \
-    output[0] =  (PRUint8)(R[0]);   output[1] = (PRUint8)(R[0] >> 8); \
-    output[2] =  (PRUint8)(R[1]);   output[3] = (PRUint8)(R[1] >> 8); \
-    output[4] =  (PRUint8)(R[2]);   output[5] = (PRUint8)(R[2] >> 8); \
-    output[6] =  (PRUint8)(R[3]);   output[7] = (PRUint8)(R[3] >> 8);
-#define STORE_EASY(R) \
-    ((PRUint16 *)output)[0] =  R[0]; \
-    ((PRUint16 *)output)[1] =  R[1]; \
-    ((PRUint16 *)output)[2] =  R[2]; \
-    ((PRUint16 *)output)[3] =  R[3];   
-
-#if defined (_X86_)
-#define LOAD(R)  LOAD_EASY(R)
-#define STORE(R) STORE_EASY(R)
-#elif !defined(IS_LITTLE_ENDIAN)
-#define LOAD(R)  LOAD_HARD(R)
-#define STORE(R) STORE_HARD(R)
-#else
-#define LOAD(R) if ((ptrdiff_t)input & 1) { LOAD_HARD(R) } else { LOAD_EASY(R) }
-#define STORE(R) if ((ptrdiff_t)input & 1) { STORE_HARD(R) } else { STORE_EASY(R) }
-#endif
-
-static const PRUint8 S[256] = {
-0331,0170,0371,0304,0031,0335,0265,0355,0050,0351,0375,0171,0112,0240,0330,0235,
-0306,0176,0067,0203,0053,0166,0123,0216,0142,0114,0144,0210,0104,0213,0373,0242,
-0027,0232,0131,0365,0207,0263,0117,0023,0141,0105,0155,0215,0011,0201,0175,0062,
-0275,0217,0100,0353,0206,0267,0173,0013,0360,0225,0041,0042,0134,0153,0116,0202,
-0124,0326,0145,0223,0316,0140,0262,0034,0163,0126,0300,0024,0247,0214,0361,0334,
-0022,0165,0312,0037,0073,0276,0344,0321,0102,0075,0324,0060,0243,0074,0266,0046,
-0157,0277,0016,0332,0106,0151,0007,0127,0047,0362,0035,0233,0274,0224,0103,0003,
-0370,0021,0307,0366,0220,0357,0076,0347,0006,0303,0325,0057,0310,0146,0036,0327,
-0010,0350,0352,0336,0200,0122,0356,0367,0204,0252,0162,0254,0065,0115,0152,0052,
-0226,0032,0322,0161,0132,0025,0111,0164,0113,0237,0320,0136,0004,0030,0244,0354,
-0302,0340,0101,0156,0017,0121,0313,0314,0044,0221,0257,0120,0241,0364,0160,0071,
-0231,0174,0072,0205,0043,0270,0264,0172,0374,0002,0066,0133,0045,0125,0227,0061,
-0055,0135,0372,0230,0343,0212,0222,0256,0005,0337,0051,0020,0147,0154,0272,0311,
-0323,0000,0346,0317,0341,0236,0250,0054,0143,0026,0001,0077,0130,0342,0211,0251,
-0015,0070,0064,0033,0253,0063,0377,0260,0273,0110,0014,0137,0271,0261,0315,0056,
-0305,0363,0333,0107,0345,0245,0234,0167,0012,0246,0040,0150,0376,0177,0301,0255
-};
-
-RC2Context * RC2_AllocateContext(void)
-{
-    return PORT_ZNew(RC2Context);
-}
-SECStatus   
-RC2_InitContext(RC2Context *cx, const unsigned char *key, unsigned int len,
-	        const unsigned char *input, int mode, unsigned int efLen8, 
-		unsigned int unused)
-{
-    PRUint8    *L,*L2;
-    int         i;
-#if !defined(IS_LITTLE_ENDIAN)
-    PRUint16    tmpS;
-#endif
-    PRUint8     tmpB;
-
-    if (!key || !cx || !len || len > (sizeof cx->B) || 
-	efLen8 > (sizeof cx->B)) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-    	return SECFailure;
-    }
-    if (mode == NSS_RC2) {
-    	/* groovy */
-    } else if (mode == NSS_RC2_CBC) {
-    	if (!input) {
-	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	    return SECFailure;
-	}
-    } else {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    if (mode == NSS_RC2_CBC) {
-    	cx->enc = & rc2_EncryptCBC;
-	cx->dec = & rc2_DecryptCBC;
-	LOAD(cx->iv.s);
-    } else {
-    	cx->enc = & rc2_EncryptECB;
-	cx->dec = & rc2_DecryptECB;
-    }
-
-    /* Step 0. Copy key into table. */
-    memcpy(cx->B, key, len);
-
-    /* Step 1. Compute all values to the right of the key. */
-    L2 = cx->B;
-    L = L2 + len;
-    tmpB = L[-1];
-    for (i = (sizeof cx->B) - len; i > 0; --i) {
-	*L++ = tmpB = S[ (PRUint8)(tmpB + *L2++) ];
-    }
-
-    /* step 2. Adjust left most byte of effective key. */
-    i = (sizeof cx->B) - efLen8;
-    L = cx->B + i;
-    *L = tmpB = S[*L];				/* mask is always 0xff */
-
-    /* step 3. Recompute all values to the left of effective key. */
-    L2 = --L + efLen8;
-    while(L >= cx->B) {
-	*L-- = tmpB = S[ tmpB ^ *L2-- ];
-    }
-
-#if !defined(IS_LITTLE_ENDIAN)
-    for (i = 63; i >= 0; --i) {
-        SWAPK(i);		/* candidate for unrolling */
-    }
-#endif
-    return SECSuccess;
-}
-
-/*
-** Create a new RC2 context suitable for RC2 encryption/decryption.
-** 	"key" raw key data
-** 	"len" the number of bytes of key data
-** 	"iv" is the CBC initialization vector (if mode is NSS_RC2_CBC)
-** 	"mode" one of NSS_RC2 or NSS_RC2_CBC
-**	"effectiveKeyLen" in bytes, not bits.
-**
-** When mode is set to NSS_RC2_CBC the RC2 cipher is run in "cipher block
-** chaining" mode.
-*/
-RC2Context *
-RC2_CreateContext(const unsigned char *key, unsigned int len,
-		  const unsigned char *iv, int mode, unsigned efLen8)
-{
-    RC2Context *cx = PORT_ZNew(RC2Context);
-    if (cx) {
-	SECStatus rv = RC2_InitContext(cx, key, len, iv, mode, efLen8, 0);
-	if (rv != SECSuccess) {
-	    RC2_DestroyContext(cx, PR_TRUE);
-	    cx = NULL;
-	}
-    }
-    return cx;
-}
-
-/*
-** Destroy an RC2 encryption/decryption context.
-**	"cx" the context
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-void 
-RC2_DestroyContext(RC2Context *cx, PRBool freeit)
-{
-    if (cx) {
-	memset(cx, 0, sizeof *cx);
-	if (freeit) {
-	    PORT_Free(cx);
-	}
-    }
-}
-
-#define ROL(x,k) (x << k | x >> (16-k))
-#define MIX(j) \
-    R0 = R0 + cx->K[ 4*j+0] + (R3 & R2) + (~R3 & R1);  R0 = ROL(R0,1);\
-    R1 = R1 + cx->K[ 4*j+1] + (R0 & R3) + (~R0 & R2);  R1 = ROL(R1,2);\
-    R2 = R2 + cx->K[ 4*j+2] + (R1 & R0) + (~R1 & R3);  R2 = ROL(R2,3);\
-    R3 = R3 + cx->K[ 4*j+3] + (R2 & R1) + (~R2 & R0);  R3 = ROL(R3,5)
-#define MASH \
-    R0 = R0 + cx->K[R3 & 63];\
-    R1 = R1 + cx->K[R0 & 63];\
-    R2 = R2 + cx->K[R1 & 63];\
-    R3 = R3 + cx->K[R2 & 63]
-
-/* Encrypt one block */
-static void 
-rc2_Encrypt1Block(RC2Context *cx, RC2Block *output, RC2Block *input)
-{
-    register PRUint16 R0, R1, R2, R3;
-
-    /* step 1. Initialize input. */
-    R0 = input->s[0];
-    R1 = input->s[1];
-    R2 = input->s[2];
-    R3 = input->s[3];
-
-    /* step 2.  Expand Key (already done, in context) */
-    /* step 3.  j = 0 */
-    /* step 4.  Perform 5 mixing rounds. */
-
-    MIX(0);
-    MIX(1);
-    MIX(2);
-    MIX(3);
-    MIX(4);
-
-    /* step 5. Perform 1 mashing round. */
-    MASH;
-
-    /* step 6. Perform 6 mixing rounds. */
-
-    MIX(5);
-    MIX(6);
-    MIX(7);
-    MIX(8);
-    MIX(9);
-    MIX(10);
-
-    /* step 7. Perform 1 mashing round. */
-    MASH;
-
-    /* step 8. Perform 5 mixing rounds. */
-
-    MIX(11);
-    MIX(12);
-    MIX(13);
-    MIX(14);
-    MIX(15);
-
-    /* output results */
-    output->s[0] = R0;
-    output->s[1] = R1;
-    output->s[2] = R2;
-    output->s[3] = R3;
-}
-
-#define ROR(x,k) (x >> k | x << (16-k))
-#define R_MIX(j) \
-    R3 = ROR(R3,5); R3 = R3 - cx->K[ 4*j+3] - (R2 & R1) - (~R2 & R0);  \
-    R2 = ROR(R2,3); R2 = R2 - cx->K[ 4*j+2] - (R1 & R0) - (~R1 & R3);  \
-    R1 = ROR(R1,2); R1 = R1 - cx->K[ 4*j+1] - (R0 & R3) - (~R0 & R2);  \
-    R0 = ROR(R0,1); R0 = R0 - cx->K[ 4*j+0] - (R3 & R2) - (~R3 & R1)
-#define R_MASH \
-    R3 = R3 - cx->K[R2 & 63];\
-    R2 = R2 - cx->K[R1 & 63];\
-    R1 = R1 - cx->K[R0 & 63];\
-    R0 = R0 - cx->K[R3 & 63]
-
-/* Encrypt one block */
-static void 
-rc2_Decrypt1Block(RC2Context *cx, RC2Block *output, RC2Block *input)
-{
-    register PRUint16 R0, R1, R2, R3;
-
-    /* step 1. Initialize input. */
-    R0 = input->s[0];
-    R1 = input->s[1];
-    R2 = input->s[2];
-    R3 = input->s[3];
-
-    /* step 2.  Expand Key (already done, in context) */
-    /* step 3.  j = 63 */
-    /* step 4.  Perform 5 r_mixing rounds. */
-    R_MIX(15);
-    R_MIX(14);
-    R_MIX(13);
-    R_MIX(12);
-    R_MIX(11);
-
-    /* step 5.  Perform 1 r_mashing round. */
-    R_MASH;
-
-    /* step 6.  Perform 6 r_mixing rounds. */
-    R_MIX(10);
-    R_MIX(9);
-    R_MIX(8);
-    R_MIX(7);
-    R_MIX(6);
-    R_MIX(5);
-
-    /* step 7.  Perform 1 r_mashing round. */
-    R_MASH;
-
-    /* step 8.  Perform 5 r_mixing rounds. */
-    R_MIX(4);
-    R_MIX(3);
-    R_MIX(2);
-    R_MIX(1);
-    R_MIX(0);
-
-    /* output results */
-    output->s[0] = R0;
-    output->s[1] = R1;
-    output->s[2] = R2;
-    output->s[3] = R3;
-}
-
-static SECStatus
-rc2_EncryptECB(RC2Context *cx, unsigned char *output,
-	       const unsigned char *input, unsigned int inputLen)
-{
-    RC2Block  iBlock;
-
-    while (inputLen > 0) {
-    	LOAD(iBlock.s)
-	rc2_Encrypt1Block(cx, &iBlock, &iBlock);
-	STORE(iBlock.s)
-	output   += RC2_BLOCK_SIZE;
-	input    += RC2_BLOCK_SIZE;
-	inputLen -= RC2_BLOCK_SIZE;
-    }
-    return SECSuccess;
-}
-
-static SECStatus
-rc2_DecryptECB(RC2Context *cx, unsigned char *output,
-	       const unsigned char *input, unsigned int inputLen)
-{
-    RC2Block  iBlock;
-
-    while (inputLen > 0) {
-    	LOAD(iBlock.s)
-	rc2_Decrypt1Block(cx, &iBlock, &iBlock);
-	STORE(iBlock.s)
-	output   += RC2_BLOCK_SIZE;
-	input    += RC2_BLOCK_SIZE;
-	inputLen -= RC2_BLOCK_SIZE;
-    }
-    return SECSuccess;
-}
-
-static SECStatus
-rc2_EncryptCBC(RC2Context *cx, unsigned char *output,
-	       const unsigned char *input, unsigned int inputLen)
-{
-    RC2Block  iBlock;
-
-    while (inputLen > 0) {
-
-	LOAD(iBlock.s)
-	iBlock.l[0] ^= cx->iv.l[0];
-	iBlock.l[1] ^= cx->iv.l[1];
-	rc2_Encrypt1Block(cx, &iBlock, &iBlock);
-	cx->iv = iBlock;
-	STORE(iBlock.s)
-	output   += RC2_BLOCK_SIZE;
-	input    += RC2_BLOCK_SIZE;
-	inputLen -= RC2_BLOCK_SIZE;
-    }
-    return SECSuccess;
-}
-
-static SECStatus
-rc2_DecryptCBC(RC2Context *cx, unsigned char *output,
-	       const unsigned char *input, unsigned int inputLen)
-{
-    RC2Block  iBlock;
-    RC2Block  oBlock;
-
-    while (inputLen > 0) {
-	LOAD(iBlock.s)
-	rc2_Decrypt1Block(cx, &oBlock, &iBlock);
-	oBlock.l[0] ^= cx->iv.l[0];
-	oBlock.l[1] ^= cx->iv.l[1];
-	cx->iv = iBlock;
-	STORE(oBlock.s)
-	output   += RC2_BLOCK_SIZE;
-	input    += RC2_BLOCK_SIZE;
-	inputLen -= RC2_BLOCK_SIZE;
-    }
-    return SECSuccess;
-}
-
-
-/*
-** Perform RC2 encryption.
-**	"cx" the context
-**	"output" the output buffer to store the encrypted data.
-**	"outputLen" how much data is stored in "output". Set by the routine
-**	   after some data is stored in output.
-**	"maxOutputLen" the maximum amount of data that can ever be
-**	   stored in "output"
-**	"input" the input data
-**	"inputLen" the amount of input data
-*/
-SECStatus RC2_Encrypt(RC2Context *cx, unsigned char *output,
-		      unsigned int *outputLen, unsigned int maxOutputLen,
-		      const unsigned char *input, unsigned int inputLen)
-{
-    SECStatus rv = SECSuccess;
-    if (inputLen) {
-	if (inputLen % RC2_BLOCK_SIZE) {
-	    PORT_SetError(SEC_ERROR_INPUT_LEN);
-	    return SECFailure;
-	}
-	if (maxOutputLen < inputLen) {
-	    PORT_SetError(SEC_ERROR_OUTPUT_LEN);
-	    return SECFailure;
-	}
-	rv = (*cx->enc)(cx, output, input, inputLen);
-    }
-    if (rv == SECSuccess) {
-    	*outputLen = inputLen;
-    }
-    return rv;
-}
-
-/*
-** Perform RC2 decryption.
-**	"cx" the context
-**	"output" the output buffer to store the decrypted data.
-**	"outputLen" how much data is stored in "output". Set by the routine
-**	   after some data is stored in output.
-**	"maxOutputLen" the maximum amount of data that can ever be
-**	   stored in "output"
-**	"input" the input data
-**	"inputLen" the amount of input data
-*/
-SECStatus RC2_Decrypt(RC2Context *cx, unsigned char *output,
-		      unsigned int *outputLen, unsigned int maxOutputLen,
-		      const unsigned char *input, unsigned int inputLen)
-{
-    SECStatus rv = SECSuccess;
-    if (inputLen) {
-	if (inputLen % RC2_BLOCK_SIZE) {
-	    PORT_SetError(SEC_ERROR_INPUT_LEN);
-	    return SECFailure;
-	}
-	if (maxOutputLen < inputLen) {
-	    PORT_SetError(SEC_ERROR_OUTPUT_LEN);
-	    return SECFailure;
-	}
-	rv = (*cx->dec)(cx, output, input, inputLen);
-    }
-    if (rv == SECSuccess) {
-	*outputLen = inputLen;
-    }
-    return rv;
-}
-
diff --git a/security/nss/lib/freebl/alghmac.c b/security/nss/lib/freebl/alghmac.c
deleted file mode 100644
index b1174f460..000000000
--- a/security/nss/lib/freebl/alghmac.c
+++ /dev/null
@@ -1,193 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "secport.h"
-#include "hasht.h"
-#include "blapit.h"
-#include "alghmac.h"
-#include "secerr.h"
-
-#define HMAC_PAD_SIZE HASH_BLOCK_LENGTH_MAX
-
-struct HMACContextStr {
-    void *hash;
-    const SECHashObject *hashobj;
-    PRBool        wasAllocated;
-    unsigned char ipad[HMAC_PAD_SIZE];
-    unsigned char opad[HMAC_PAD_SIZE];
-};
-
-void
-HMAC_Destroy(HMACContext *cx, PRBool freeit)
-{
-    if (cx == NULL)
-	return;
-
-    PORT_Assert(!freeit == !cx->wasAllocated);
-    if (cx->hash != NULL) {
-	cx->hashobj->destroy(cx->hash, PR_TRUE);
-	PORT_Memset(cx, 0, sizeof *cx);
-    }
-    if (freeit)
-	PORT_Free(cx);
-}
-
-SECStatus
-HMAC_Init( HMACContext * cx, const SECHashObject *hash_obj, 
-	   const unsigned char *secret, unsigned int secret_len, PRBool isFIPS)
-{
-    unsigned int i;
-    unsigned char hashed_secret[HASH_LENGTH_MAX];
-
-    /* required by FIPS 198 Section 3 */
-    if (isFIPS && secret_len < hash_obj->length/2) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    if (cx == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    cx->wasAllocated = PR_FALSE;
-    cx->hashobj = hash_obj;
-    cx->hash = cx->hashobj->create();
-    if (cx->hash == NULL)
-	goto loser;
-
-    if (secret_len > cx->hashobj->blocklength) {
-	cx->hashobj->begin( cx->hash);
-	cx->hashobj->update(cx->hash, secret, secret_len);
-	PORT_Assert(cx->hashobj->length <= sizeof hashed_secret);
-	cx->hashobj->end(   cx->hash, hashed_secret, &secret_len, 
-	                 sizeof hashed_secret);
-	if (secret_len != cx->hashobj->length) {
-	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	    goto loser;
-	}
-	secret = (const unsigned char *)&hashed_secret[0];
-    }
-
-    PORT_Memset(cx->ipad, 0x36, cx->hashobj->blocklength);
-    PORT_Memset(cx->opad, 0x5c, cx->hashobj->blocklength);
-
-    /* fold secret into padding */
-    for (i = 0; i < secret_len; i++) {
-	cx->ipad[i] ^= secret[i];
-	cx->opad[i] ^= secret[i];
-    }
-    PORT_Memset(hashed_secret, 0, sizeof hashed_secret);
-    return SECSuccess;
-
-loser:
-    PORT_Memset(hashed_secret, 0, sizeof hashed_secret);
-    if (cx->hash != NULL)
-	cx->hashobj->destroy(cx->hash, PR_TRUE);
-    return SECFailure;
-}
-
-HMACContext *
-HMAC_Create(const SECHashObject *hash_obj, const unsigned char *secret, 
-            unsigned int secret_len, PRBool isFIPS)
-{
-    SECStatus rv;
-    HMACContext * cx = PORT_ZNew(HMACContext);
-    if (cx == NULL)
-	return NULL;
-    rv = HMAC_Init(cx, hash_obj, secret, secret_len, isFIPS);
-    cx->wasAllocated = PR_TRUE;
-    if (rv != SECSuccess) {
-	PORT_Free(cx); /* contains no secret info */
-	cx = NULL;
-    }
-    return cx;
-}
-
-void
-HMAC_Begin(HMACContext *cx)
-{
-    /* start inner hash */
-    cx->hashobj->begin(cx->hash);
-    cx->hashobj->update(cx->hash, cx->ipad, cx->hashobj->blocklength);
-}
-
-void
-HMAC_Update(HMACContext *cx, const unsigned char *data, unsigned int data_len)
-{
-    cx->hashobj->update(cx->hash, data, data_len);
-}
-
-SECStatus
-HMAC_Finish(HMACContext *cx, unsigned char *result, unsigned int *result_len,
-	    unsigned int max_result_len)
-{
-    if (max_result_len < cx->hashobj->length) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    cx->hashobj->end(cx->hash, result, result_len, max_result_len);
-    if (*result_len != cx->hashobj->length)
-	return SECFailure;
-
-    cx->hashobj->begin(cx->hash);
-    cx->hashobj->update(cx->hash, cx->opad, cx->hashobj->blocklength);
-    cx->hashobj->update(cx->hash, result, *result_len);
-    cx->hashobj->end(cx->hash, result, result_len, max_result_len);
-    return SECSuccess;
-}
-
-HMACContext *
-HMAC_Clone(HMACContext *cx)
-{
-    HMACContext *newcx;
-
-    newcx = (HMACContext*)PORT_ZAlloc(sizeof(HMACContext));
-    if (newcx == NULL)
-	goto loser;
-
-    newcx->wasAllocated = PR_TRUE;
-    newcx->hashobj = cx->hashobj;
-    newcx->hash = cx->hashobj->clone(cx->hash);
-    if (newcx->hash == NULL)
-	goto loser;
-    PORT_Memcpy(newcx->ipad, cx->ipad, cx->hashobj->blocklength);
-    PORT_Memcpy(newcx->opad, cx->opad, cx->hashobj->blocklength);
-    return newcx;
-
-loser:
-    HMAC_Destroy(newcx, PR_TRUE);
-    return NULL;
-}
diff --git a/security/nss/lib/freebl/alghmac.h b/security/nss/lib/freebl/alghmac.h
deleted file mode 100644
index 81c5bfa50..000000000
--- a/security/nss/lib/freebl/alghmac.h
+++ /dev/null
@@ -1,96 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef _ALGHMAC_H_
-#define _ALGHMAC_H_
-
-typedef struct HMACContextStr HMACContext;
-
-SEC_BEGIN_PROTOS
-
-/* destroy HMAC context */
-extern void
-HMAC_Destroy(HMACContext *cx, PRBool freeit);
-
-/* create HMAC context
- *  hash_obj    hash object from SECRawHashObjects[]
- *  secret	the secret with which the HMAC is performed.
- *  secret_len	the length of the secret.
- *  isFIPS	true if conforming to FIPS 198.
- *
- * NULL is returned if an error occurs.
- */
-extern HMACContext *
-HMAC_Create(const SECHashObject *hash_obj, const unsigned char *secret, 
-	    unsigned int secret_len, PRBool isFIPS);
-
-/* like HMAC_Create, except caller allocates HMACContext. */
-SECStatus
-HMAC_Init(HMACContext *cx, const SECHashObject *hash_obj, 
-	  const unsigned char *secret, unsigned int secret_len, PRBool isFIPS);
-
-/* reset HMAC for a fresh round */
-extern void
-HMAC_Begin(HMACContext *cx);
-
-/* update HMAC 
- *  cx		HMAC Context
- *  data	the data to perform HMAC on
- *  data_len	the length of the data to process
- */
-extern void 
-HMAC_Update(HMACContext *cx, const unsigned char *data, unsigned int data_len);
-
-/* Finish HMAC -- place the results within result
- *  cx		HMAC context
- *  result	buffer for resulting hmac'd data
- *  result_len	where the resultant hmac length is stored
- *  max_result_len  maximum possible length that can be stored in result
- */
-extern SECStatus
-HMAC_Finish(HMACContext *cx, unsigned char *result, unsigned int *result_len,
-	    unsigned int max_result_len);
-
-/* clone a copy of the HMAC state.  this is usefult when you would
- * need to keep a running hmac but also need to extract portions 
- * partway through the process.
- */
-extern HMACContext *
-HMAC_Clone(HMACContext *cx);
-
-SEC_END_PROTOS
-
-#endif
diff --git a/security/nss/lib/freebl/arcfive.c b/security/nss/lib/freebl/arcfive.c
deleted file mode 100644
index 42e6bf7e3..000000000
--- a/security/nss/lib/freebl/arcfive.c
+++ /dev/null
@@ -1,117 +0,0 @@
-/*
- * arcfive.c - stubs for RC5 - NOT a working implementation!
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "blapi.h"
-#include "prerror.h"
-
-/******************************************/
-/*
-** RC5 symmetric block cypher -- 64-bit block size
-*/
-
-/*
-** Create a new RC5 context suitable for RC5 encryption/decryption.
-**      "key" raw key data
-**      "len" the number of bytes of key data
-**      "iv" is the CBC initialization vector (if mode is NSS_RC5_CBC)
-**      "mode" one of NSS_RC5 or NSS_RC5_CBC
-**
-** When mode is set to NSS_RC5_CBC the RC5 cipher is run in "cipher block
-** chaining" mode.
-*/
-RC5Context *
-RC5_CreateContext(const SECItem *key, unsigned int rounds,
-                  unsigned int wordSize, const unsigned char *iv, int mode)
-{
-    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
-    return NULL;
-}
-
-/*
-** Destroy an RC5 encryption/decryption context.
-**      "cx" the context
-**      "freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-void 
-RC5_DestroyContext(RC5Context *cx, PRBool freeit) 
-{
-    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
-}
-
-/*
-** Perform RC5 encryption.
-**      "cx" the context
-**      "output" the output buffer to store the encrypted data.
-**      "outputLen" how much data is stored in "output". Set by the routine
-**         after some data is stored in output.
-**      "maxOutputLen" the maximum amount of data that can ever be
-**         stored in "output"
-**      "input" the input data
-**      "inputLen" the amount of input data
-*/
-SECStatus 
-RC5_Encrypt(RC5Context *cx, unsigned char *output, unsigned int *outputLen, 
-	    unsigned int maxOutputLen, 
-	    const unsigned char *input, unsigned int inputLen)
-{
-    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
-    return SECFailure;
-}
-
-/*
-** Perform RC5 decryption.
-**      "cx" the context
-**      "output" the output buffer to store the decrypted data.
-**      "outputLen" how much data is stored in "output". Set by the routine
-**         after some data is stored in output.
-**      "maxOutputLen" the maximum amount of data that can ever be
-**         stored in "output"
-**      "input" the input data
-**      "inputLen" the amount of input data
-*/
-SECStatus 
-RC5_Decrypt(RC5Context *cx, unsigned char *output, unsigned int *outputLen, 
-	    unsigned int maxOutputLen,
-            const unsigned char *input, unsigned int inputLen)
-{
-    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
-    return SECFailure;
-}
-
diff --git a/security/nss/lib/freebl/arcfour-amd64-gas.s b/security/nss/lib/freebl/arcfour-amd64-gas.s
deleted file mode 100644
index 66daf07ba..000000000
--- a/security/nss/lib/freebl/arcfour-amd64-gas.s
+++ /dev/null
@@ -1,116 +0,0 @@
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is "Marc Bevand's fast AMD64 ARCFOUR source"
-#
-# The Initial Developer of the Original Code is
-# Marc Bevand <bevand_m@epita.fr> .
-# Portions created by the Initial Developer are 
-# Copyright (C) 2004 the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-# ** ARCFOUR implementation optimized for AMD64.
-# **
-# ** The throughput achieved by this code is about 320 MBytes/sec, on
-# ** a 1.8 GHz AMD Opteron (rev C0) processor.
-
-.text
-.align 16
-.globl ARCFOUR
-.type ARCFOUR,@function
-ARCFOUR:
-	pushq	%rbp
-	pushq	%rbx
-	movq	%rdi,		%rbp	# key = ARG(key)
-	movq	%rsi,		%rbx	# rbx = ARG(len)
-	movq	%rdx,		%rsi	# in = ARG(in)
-	movq	%rcx,		%rdi	# out = ARG(out)
-	movq	(%rbp),		%rcx	# x = key->x
-	movq	8(%rbp),	%rdx	# y = key->y
-	addq	$16,		%rbp	# d = key->data
-	incq	%rcx			# x++
-	andq	$255,		%rcx	# x &= 0xff
-	leaq	-8(%rbx,%rsi),	%rbx	# rbx = in+len-8
-	movq	%rbx,		%r9	# tmp = in+len-8
-	movq	0(%rbp,%rcx,8),	%rax	# tx = d[x]
-	cmpq	%rsi,		%rbx	# cmp in with in+len-8
-	jl	.Lend			# jump if (in+len-8 < in)
-
-.Lstart:
-	addq	$8,		%rsi		# increment in
-	addq	$8,		%rdi		# increment out
-
-	# generate the next 8 bytes of the rc4 stream into %r8
-	movq	$8,		%r11		# byte counter
-1:	addb	%al,		%dl		# y += tx
-	movl	0(%rbp,%rdx,8),	%ebx		# ty = d[y]
-	movl	%ebx,		0(%rbp,%rcx,8)	# d[x] = ty
-	addb	%al,		%bl		# val = ty + tx
-	movl	%eax,		0(%rbp,%rdx,8)	# d[y] = tx
-	incb	%cl				# x++		(NEXT ROUND)
-	movl	0(%rbp,%rcx,8),	%eax		# tx = d[x]	(NEXT ROUND)
-	movb	0(%rbp,%rbx,8),	%r8b		# val = d[val]
-	decb	%r11b
-	rorq	$8,		%r8		# (ror does not change ZF)
-	jnz 	1b
-
-	# xor 8 bytes
-	xorq	-8(%rsi),	%r8
-	cmpq	%r9,		%rsi		# cmp in+len-8 with in
-	movq	%r8,		-8(%rdi)
-	jle	.Lstart				# jump if (in <= in+len-8)
-
-.Lend:
-	addq	$8,		%r9		# tmp = in+len
-
-	# handle the last bytes, one by one
-1:	cmpq	%rsi,		%r9		# cmp in with in+len
-	jle	.Lfinished			# jump if (in+len <= in)
-	addb	%al,		%dl		# y += tx
-	movl	0(%rbp,%rdx,8),	%ebx		# ty = d[y]
-	movl	%ebx,		0(%rbp,%rcx,8)	# d[x] = ty
-	addb	%al,		%bl		# val = ty + tx
-	movl	%eax,		0(%rbp,%rdx,8)	# d[y] = tx
-	incb	%cl				# x++		(NEXT ROUND)
-	movl	0(%rbp,%rcx,8),	%eax		# tx = d[x]	(NEXT ROUND)
-	movb	0(%rbp,%rbx,8),	%r8b		# val = d[val]
-	xorb	(%rsi),		%r8b		# xor 1 byte
-	movb	%r8b,		(%rdi)
-	incq	%rsi				# in++
-	incq	%rdi				# out++
-	jmp 1b
-
-.Lfinished:
-	decq	%rcx				# x--
-	movb	%dl,		-8(%rbp)	# key->y = y
-	movb	%cl,		-16(%rbp)	# key->x = x
-	popq	%rbx
-	popq	%rbp
-	ret
-.L_ARCFOUR_end:
-.size ARCFOUR,.L_ARCFOUR_end-ARCFOUR
diff --git a/security/nss/lib/freebl/arcfour-amd64-sun.s b/security/nss/lib/freebl/arcfour-amd64-sun.s
deleted file mode 100644
index 7f684d222..000000000
--- a/security/nss/lib/freebl/arcfour-amd64-sun.s
+++ /dev/null
@@ -1,116 +0,0 @@
-/ ***** BEGIN LICENSE BLOCK *****
-/ Version: MPL 1.1/GPL 2.0/LGPL 2.1
-/
-/ The contents of this file are subject to the Mozilla Public License Version
-/ 1.1 (the "License"); you may not use this file except in compliance with
-/ the License. You may obtain a copy of the License at
-/ http://www.mozilla.org/MPL/
-/
-/ Software distributed under the License is distributed on an "AS IS" basis,
-/ WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-/ for the specific language governing rights and limitations under the
-/ License.
-/
-/ The Original Code is "Marc Bevand's fast AMD64 ARCFOUR source"
-/
-/ The Initial Developer of the Original Code is
-/ Marc Bevand <bevand_m@epita.fr> .
-/ Portions created by the Initial Developer are 
-/ Copyright (C) 2004 the Initial Developer. All Rights Reserved.
-/
-/ Contributor(s):
-/
-/ Alternatively, the contents of this file may be used under the terms of
-/ either the GNU General Public License Version 2 or later (the "GPL"), or
-/ the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-/ in which case the provisions of the GPL or the LGPL are applicable instead
-/ of those above. If you wish to allow use of your version of this file only
-/ under the terms of either the GPL or the LGPL, and not to allow others to
-/ use your version of this file under the terms of the MPL, indicate your
-/ decision by deleting the provisions above and replace them with the notice
-/ and other provisions required by the GPL or the LGPL. If you do not delete
-/ the provisions above, a recipient may use your version of this file under
-/ the terms of any one of the MPL, the GPL or the LGPL.
-/
-/ ***** END LICENSE BLOCK *****
-
-/ ** ARCFOUR implementation optimized for AMD64.
-/ **
-/ ** The throughput achieved by this code is about 320 MBytes/sec, on
-/ ** a 1.8 GHz AMD Opteron (rev C0) processor.
-
-.text
-.align 16
-.globl ARCFOUR
-.type ARCFOUR,@function
-ARCFOUR:
-	pushq	%rbp
-	pushq	%rbx
-	movq	%rdi,		%rbp	/ key = ARG(key)
-	movq	%rsi,		%rbx	/ rbx = ARG(len)
-	movq	%rdx,		%rsi	/ in = ARG(in)
-	movq	%rcx,		%rdi	/ out = ARG(out)
-	movq	(%rbp),		%rcx	/ x = key->x
-	movq	8(%rbp),	%rdx	/ y = key->y
-	addq	$16,		%rbp	/ d = key->data
-	incq	%rcx			/ x++
-	andq	$255,		%rcx	/ x &= 0xff
-	leaq	-8(%rbx,%rsi),	%rbx	/ rbx = in+len-8
-	movq	%rbx,		%r9	/ tmp = in+len-8
-	movq	0(%rbp,%rcx,8),	%rax	/ tx = d[x]
-	cmpq	%rsi,		%rbx	/ cmp in with in+len-8
-	jl	.Lend			/ jump if (in+len-8 < in)
-
-.Lstart:
-	addq	$8,		%rsi		/ increment in
-	addq	$8,		%rdi		/ increment out
-
-	/ generate the next 8 bytes of the rc4 stream into %r8
-	movq	$8,		%r11		/ byte counter
-1:	addb	%al,		%dl		/ y += tx
-	movl	0(%rbp,%rdx,8),	%ebx		/ ty = d[y]
-	movl	%ebx,		0(%rbp,%rcx,8)	/ d[x] = ty
-	addb	%al,		%bl		/ val = ty + tx
-	movl	%eax,		0(%rbp,%rdx,8)	/ d[y] = tx
-	incb	%cl				/ x++		(NEXT ROUND)
-	movl	0(%rbp,%rcx,8),	%eax		/ tx = d[x]	(NEXT ROUND)
-	movb	0(%rbp,%rbx,8),	%r8b		/ val = d[val]
-	decb	%r11b
-	rorq	$8,		%r8		/ (ror does not change ZF)
-	jnz 	1b
-
-	/ xor 8 bytes
-	xorq	-8(%rsi),	%r8
-	cmpq	%r9,		%rsi		/ cmp in+len-8 with in
-	movq	%r8,		-8(%rdi)
-	jle	.Lstart				/ jump if (in <= in+len-8)
-
-.Lend:
-	addq	$8,		%r9		/ tmp = in+len
-
-	/ handle the last bytes, one by one
-1:	cmpq	%rsi,		%r9		/ cmp in with in+len
-	jle	.Lfinished			/ jump if (in+len <= in)
-	addb	%al,		%dl		/ y += tx
-	movl	0(%rbp,%rdx,8),	%ebx		/ ty = d[y]
-	movl	%ebx,		0(%rbp,%rcx,8)	/ d[x] = ty
-	addb	%al,		%bl		/ val = ty + tx
-	movl	%eax,		0(%rbp,%rdx,8)	/ d[y] = tx
-	incb	%cl				/ x++		(NEXT ROUND)
-	movl	0(%rbp,%rcx,8),	%eax		/ tx = d[x]	(NEXT ROUND)
-	movb	0(%rbp,%rbx,8),	%r8b		/ val = d[val]
-	xorb	(%rsi),		%r8b		/ xor 1 byte
-	movb	%r8b,		(%rdi)
-	incq	%rsi				/ in++
-	incq	%rdi				/ out++
-	jmp 1b
-
-.Lfinished:
-	decq	%rcx				/ x--
-	movb	%dl,		-8(%rbp)	/ key->y = y
-	movb	%cl,		-16(%rbp)	/ key->x = x
-	popq	%rbx
-	popq	%rbp
-	ret
-.L_ARCFOUR_end:
-.size ARCFOUR,.L_ARCFOUR_end-ARCFOUR
diff --git a/security/nss/lib/freebl/arcfour.c b/security/nss/lib/freebl/arcfour.c
deleted file mode 100644
index 52329beda..000000000
--- a/security/nss/lib/freebl/arcfour.c
+++ /dev/null
@@ -1,639 +0,0 @@
-/* arcfour.c - the arc four algorithm.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/* See NOTES ON UMRs, Unititialized Memory Reads, below. */
-
-#include "prerr.h"
-#include "secerr.h"
-
-#include "prtypes.h"
-#include "blapi.h"
-
-/* Architecture-dependent defines */
-
-#if defined(SOLARIS) || defined(HPUX) || defined(i386) || defined(IRIX)
-/* Convert the byte-stream to a word-stream */
-#define CONVERT_TO_WORDS
-#endif
-
-#if defined(AIX) || defined(OSF1) || defined(NSS_BEVAND_ARCFOUR)
-/* Treat array variables as longs, not bytes, on CPUs that take 
- * much longer to write bytes than to write longs, or when using 
- * assembler code that required it.
- */
-#define USE_LONG
-#endif
-
-#if defined(_WIN32_WCE)
-#undef WORD
-#define WORD ARC4WORD
-#endif
-
-#if defined(IS_64) && !defined(__sparc) && !defined(NSS_USE_64) 
-typedef unsigned long long WORD;
-#else
-typedef unsigned long WORD;
-#endif
-#define WORDSIZE sizeof(WORD)
-
-#ifdef USE_LONG
-typedef unsigned long Stype;
-#else
-typedef PRUint8 Stype;
-#endif
-
-#define ARCFOUR_STATE_SIZE 256
-
-#define MASK1BYTE (WORD)(0xff)
-
-#define SWAP(a, b) \
-	tmp = a; \
-	a = b; \
-	b = tmp;
-
-/*
- * State information for stream cipher.
- */
-struct RC4ContextStr
-{
-#if defined(NSS_ARCFOUR_IJ_B4_S) || defined(NSS_BEVAND_ARCFOUR)
-	Stype i;
-	Stype j;
-	Stype S[ARCFOUR_STATE_SIZE];
-#else
-	Stype S[ARCFOUR_STATE_SIZE];
-	Stype i;
-	Stype j;
-#endif
-};
-
-/*
- * array indices [0..255] to initialize cx->S array (faster than loop).
- */
-static const Stype Kinit[256] = {
-	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-	0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
-	0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
-	0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
-	0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
-	0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
-	0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
-	0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
-	0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
-	0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
-	0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
-	0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
-	0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
-	0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
-	0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
-	0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
-	0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
-	0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
-	0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
-	0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
-	0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
-	0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf,
-	0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
-	0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
-	0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
-	0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
-	0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
-	0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
-	0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
-	0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
-	0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
-	0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
-};
-
-RC4Context *
-RC4_AllocateContext(void)
-{
-    return PORT_ZNew(RC4Context);
-}
-
-SECStatus   
-RC4_InitContext(RC4Context *cx, const unsigned char *key, unsigned int len,
-	        const unsigned char * unused1, int unused2, 
-		unsigned int unused3, unsigned int unused4)
-{
-	int i;
-	PRUint8 j, tmp;
-	PRUint8 K[256];
-	PRUint8 *L;
-	/* verify the key length. */
-	PORT_Assert(len > 0 && len < ARCFOUR_STATE_SIZE);
-	if (len < 0 || len >= ARCFOUR_STATE_SIZE) {
-		PORT_SetError(SEC_ERROR_INVALID_ARGS);
-		return SECFailure;
-	}
-	if (cx == NULL) {
-	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	    return SECFailure;
-	}
-	/* Initialize the state using array indices. */
-	memcpy(cx->S, Kinit, sizeof cx->S);
-	/* Fill in K repeatedly with values from key. */
-	L = K;
-	for (i = sizeof K; i > len; i-= len) {
-		memcpy(L, key, len);
-		L += len;
-	}
-	memcpy(L, key, i);
-	/* Stir the state of the generator.  At this point it is assumed
-	 * that the key is the size of the state buffer.  If this is not
-	 * the case, the key bytes are repeated to fill the buffer.
-	 */
-	j = 0;
-#define ARCFOUR_STATE_STIR(ii) \
-	j = j + cx->S[ii] + K[ii]; \
-	SWAP(cx->S[ii], cx->S[j]);
-	for (i=0; i<ARCFOUR_STATE_SIZE; i++) {
-		ARCFOUR_STATE_STIR(i);
-	}
-	cx->i = 0;
-	cx->j = 0;
-	return SECSuccess;
-}
-
-
-/*
- * Initialize a new generator.
- */
-RC4Context *
-RC4_CreateContext(const unsigned char *key, int len)
-{
-    RC4Context *cx = RC4_AllocateContext();
-    if (cx) {
-	SECStatus rv = RC4_InitContext(cx, key, len, NULL, 0, 0, 0);
-	if (rv != SECSuccess) {
-	    PORT_ZFree(cx, sizeof(*cx));
-	    cx = NULL;
-	}
-    }
-    return cx;
-}
-
-void 
-RC4_DestroyContext(RC4Context *cx, PRBool freeit)
-{
-	if (freeit)
-		PORT_ZFree(cx, sizeof(*cx));
-}
-
-#if defined(NSS_BEVAND_ARCFOUR)
-extern void ARCFOUR(RC4Context *cx, unsigned long inputLen, 
-	const unsigned char *input, unsigned char *output);
-#else
-/*
- * Generate the next byte in the stream.
- */
-#define ARCFOUR_NEXT_BYTE() \
-	tmpSi = cx->S[++tmpi]; \
-	tmpj += tmpSi; \
-	tmpSj = cx->S[tmpj]; \
-	cx->S[tmpi] = tmpSj; \
-	cx->S[tmpj] = tmpSi; \
-	t = tmpSi + tmpSj;
-
-#ifdef CONVERT_TO_WORDS
-/*
- * Straight ARCFOUR op.  No optimization.
- */
-static SECStatus 
-rc4_no_opt(RC4Context *cx, unsigned char *output,
-           unsigned int *outputLen, unsigned int maxOutputLen,
-           const unsigned char *input, unsigned int inputLen)
-{
-    PRUint8 t;
-	Stype tmpSi, tmpSj;
-	register PRUint8 tmpi = cx->i;
-	register PRUint8 tmpj = cx->j;
-	unsigned int index;
-	PORT_Assert(maxOutputLen >= inputLen);
-	if (maxOutputLen < inputLen) {
-		PORT_SetError(SEC_ERROR_INVALID_ARGS);
-		return SECFailure;
-	}
-	for (index=0; index < inputLen; index++) {
-		/* Generate next byte from stream. */
-		ARCFOUR_NEXT_BYTE();
-		/* output = next stream byte XOR next input byte */
-		output[index] = cx->S[t] ^ input[index];
-	}
-	*outputLen = inputLen;
-	cx->i = tmpi;
-	cx->j = tmpj;
-	return SECSuccess;
-}
-#endif
-
-#ifndef CONVERT_TO_WORDS
-/*
- * Byte-at-a-time ARCFOUR, unrolling the loop into 8 pieces.
- */
-static SECStatus 
-rc4_unrolled(RC4Context *cx, unsigned char *output,
-             unsigned int *outputLen, unsigned int maxOutputLen,
-             const unsigned char *input, unsigned int inputLen)
-{
-	PRUint8 t;
-	Stype tmpSi, tmpSj;
-	register PRUint8 tmpi = cx->i;
-	register PRUint8 tmpj = cx->j;
-	int index;
-	PORT_Assert(maxOutputLen >= inputLen);
-	if (maxOutputLen < inputLen) {
-		PORT_SetError(SEC_ERROR_INVALID_ARGS);
-		return SECFailure;
-	}
-	for (index = inputLen / 8; index-- > 0; input += 8, output += 8) {
-		ARCFOUR_NEXT_BYTE();
-		output[0] = cx->S[t] ^ input[0];
-		ARCFOUR_NEXT_BYTE();
-		output[1] = cx->S[t] ^ input[1];
-		ARCFOUR_NEXT_BYTE();
-		output[2] = cx->S[t] ^ input[2];
-		ARCFOUR_NEXT_BYTE();
-		output[3] = cx->S[t] ^ input[3];
-		ARCFOUR_NEXT_BYTE();
-		output[4] = cx->S[t] ^ input[4];
-		ARCFOUR_NEXT_BYTE();
-		output[5] = cx->S[t] ^ input[5];
-		ARCFOUR_NEXT_BYTE();
-		output[6] = cx->S[t] ^ input[6];
-		ARCFOUR_NEXT_BYTE();
-		output[7] = cx->S[t] ^ input[7];
-	}
-	index = inputLen % 8;
-	if (index) {
-		input += index;
-		output += index;
-		switch (index) {
-		case 7:
-			ARCFOUR_NEXT_BYTE();
-			output[-7] = cx->S[t] ^ input[-7]; /* FALLTHRU */
-		case 6:
-			ARCFOUR_NEXT_BYTE();
-			output[-6] = cx->S[t] ^ input[-6]; /* FALLTHRU */
-		case 5:
-			ARCFOUR_NEXT_BYTE();
-			output[-5] = cx->S[t] ^ input[-5]; /* FALLTHRU */
-		case 4:
-			ARCFOUR_NEXT_BYTE();
-			output[-4] = cx->S[t] ^ input[-4]; /* FALLTHRU */
-		case 3:
-			ARCFOUR_NEXT_BYTE();
-			output[-3] = cx->S[t] ^ input[-3]; /* FALLTHRU */
-		case 2:
-			ARCFOUR_NEXT_BYTE();
-			output[-2] = cx->S[t] ^ input[-2]; /* FALLTHRU */
-		case 1:
-			ARCFOUR_NEXT_BYTE();
-			output[-1] = cx->S[t] ^ input[-1]; /* FALLTHRU */
-		default:
-			/* FALLTHRU */
-			; /* hp-ux build breaks without this */
-		}
-	}
-	cx->i = tmpi;
-	cx->j = tmpj;
-	*outputLen = inputLen;
-	return SECSuccess;
-}
-#endif
-
-#ifdef IS_LITTLE_ENDIAN
-#define ARCFOUR_NEXT4BYTES_L(n) \
-	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n     ); \
-	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n +  8); \
-	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n + 16); \
-	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n + 24);
-#else
-#define ARCFOUR_NEXT4BYTES_B(n) \
-	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n + 24); \
-	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n + 16); \
-	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n +  8); \
-	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n     );
-#endif
-
-#if (defined(IS_64) && !defined(__sparc)) || defined(NSS_USE_64)
-/* 64-bit wordsize */
-#ifdef IS_LITTLE_ENDIAN
-#define ARCFOUR_NEXT_WORD() \
-	{ streamWord = 0; ARCFOUR_NEXT4BYTES_L(0); ARCFOUR_NEXT4BYTES_L(32); }
-#else
-#define ARCFOUR_NEXT_WORD() \
-	{ streamWord = 0; ARCFOUR_NEXT4BYTES_B(32); ARCFOUR_NEXT4BYTES_B(0); }
-#endif
-#else
-/* 32-bit wordsize */
-#ifdef IS_LITTLE_ENDIAN
-#define ARCFOUR_NEXT_WORD() \
-	{ streamWord = 0; ARCFOUR_NEXT4BYTES_L(0); }
-#else
-#define ARCFOUR_NEXT_WORD() \
-	{ streamWord = 0; ARCFOUR_NEXT4BYTES_B(0); }
-#endif
-#endif
-
-#ifdef IS_LITTLE_ENDIAN
-#define RSH <<
-#define LSH >>
-#else
-#define RSH >>
-#define LSH <<
-#endif
-
-#ifdef CONVERT_TO_WORDS
-/* NOTE about UMRs, Uninitialized Memory Reads.
- *
- * This code reads all input data a WORD at a time, rather than byte at 
- * a time, and writes all output data a WORD at a time.  Shifting and 
- * masking is used to remove unwanted data and realign bytes when 
- * needed.  The first and last words of output are read, modified, and
- * written when needed to preserve any unchanged bytes.  This is a huge
- * win on machines with high memory latency.  
- *
- * However, when the input and output buffers do not begin and end on WORD 
- * boundaries, and the WORDS in memory that contain the first and last 
- * bytes of those buffers contain uninitialized data, then this code will 
- * read those uninitialized bytes, causing a UMR error to be reported by 
- * some tools.  
- *
- * These UMRs are NOT a problem, NOT errors, and do NOT need to be "fixed".
- * 
- * All the words read and written contain at least one byte that is 
- * part of the input data or output data.  No words are read or written
- * that do not contain data that is part of the buffer.  Therefore, 
- * these UMRs cannot cause page faults or other problems unless the 
- * buffers have been assigned to improper addresses that would cause
- * page faults with or without UMRs.  
- */
-static SECStatus 
-rc4_wordconv(RC4Context *cx, unsigned char *output,
-             unsigned int *outputLen, unsigned int maxOutputLen,
-             const unsigned char *input, unsigned int inputLen)
-{
-	ptrdiff_t inOffset = (ptrdiff_t)input % WORDSIZE;
-	ptrdiff_t outOffset = (ptrdiff_t)output % WORDSIZE;
-	register WORD streamWord, mask;
-	register WORD *pInWord, *pOutWord;
-	register WORD inWord, nextInWord;
-	PRUint8 t;
-	register Stype tmpSi, tmpSj;
-	register PRUint8 tmpi = cx->i;
-	register PRUint8 tmpj = cx->j;
-	unsigned int byteCount;
-	unsigned int bufShift, invBufShift;
-	int i;
-
-	PORT_Assert(maxOutputLen >= inputLen);
-	if (maxOutputLen < inputLen) {
-		PORT_SetError(SEC_ERROR_INVALID_ARGS);
-		return SECFailure;
-	}
-	if (inputLen < 2*WORDSIZE) {
-		/* Ignore word conversion, do byte-at-a-time */
-		return rc4_no_opt(cx, output, outputLen, maxOutputLen, input, inputLen);
-	}
-	*outputLen = inputLen;
-	pInWord = (WORD *)(input - inOffset);
-	if (inOffset < outOffset) {
-		bufShift = 8*(outOffset - inOffset);
-		invBufShift = 8*WORDSIZE - bufShift;
-	} else {
-		invBufShift = 8*(inOffset - outOffset);
-		bufShift = 8*WORDSIZE - invBufShift;
-	}
-	/*****************************************************************/
-	/* Step 1:                                                       */
-	/* If the first output word is partial, consume the bytes in the */
-	/* first partial output word by loading one or two words of      */
-	/* input and shifting them accordingly.  Otherwise, just load    */
-	/* in the first word of input.  At the end of this block, at     */
-	/* least one partial word of input should ALWAYS be loaded.      */
-	/*****************************************************************/
-	if (outOffset) {
-		/* Generate input and stream words aligned relative to the
-		 * partial output buffer.
-		 */
-		byteCount = WORDSIZE - outOffset; 
-		pOutWord = (WORD *)(output - outOffset);
-		mask = streamWord = 0;
-#ifdef IS_LITTLE_ENDIAN
-		for (i = WORDSIZE - byteCount; i < WORDSIZE; i++) {
-#else
-		for (i = byteCount - 1; i >= 0; --i) {
-#endif
-			ARCFOUR_NEXT_BYTE();
-			streamWord |= (WORD)(cx->S[t]) << 8*i;
-			mask |= MASK1BYTE << 8*i;
-		} /* } */
-		inWord = *pInWord++; /* UMR? see comments above. */
-		/* If buffers are relatively misaligned, shift the bytes in inWord
-		 * to be aligned to the output buffer.
-		 */
-		nextInWord = 0;
-		if (inOffset < outOffset) {
-			/* Have more bytes than needed, shift remainder into nextInWord */
-			nextInWord = inWord LSH 8*(inOffset + byteCount);
-			inWord = inWord RSH bufShift;
-		} else if (inOffset > outOffset) {
-			/* Didn't get enough bytes from current input word, load another
-			 * word and then shift remainder into nextInWord.
-			 */
-			nextInWord = *pInWord++;
-			inWord = (inWord LSH invBufShift) | 
-			         (nextInWord RSH bufShift);
-			nextInWord = nextInWord LSH invBufShift;
-		}
-		/* Store output of first partial word */
-		*pOutWord = (*pOutWord & ~mask) | ((inWord ^ streamWord) & mask);
-		/* UMR?  See comments above. */
-
-		/* Consumed byteCount bytes of input */
-		inputLen -= byteCount;
-		/* move to next word of output */
-		pOutWord++;
-		/* inWord has been consumed, but there may be bytes in nextInWord */
-		inWord = nextInWord;
-	} else {
-		/* output is word-aligned */
-		pOutWord = (WORD *)output;
-		if (inOffset) {
-			/* Input is not word-aligned.  The first word load of input 
-			 * will not produce a full word of input bytes, so one word
-			 * must be pre-loaded.  The main loop below will load in the
-			 * next input word and shift some of its bytes into inWord
-			 * in order to create a full input word.  Note that the main
-			 * loop must execute at least once because the input must
-			 * be at least two words.
-			 */
-			inWord = *pInWord++; /* UMR? see comments above. */
-			inWord = inWord LSH invBufShift;
-		} else {
-			/* Input is word-aligned.  The first word load of input 
-			 * will produce a full word of input bytes, so nothing
-			 * needs to be loaded here.
-			 */
-			inWord = 0;
-		}
-	}
-	/* Output buffer is aligned, inOffset is now measured relative to
-	 * outOffset (and not a word boundary).
-	 */
-	inOffset = (inOffset + WORDSIZE - outOffset) % WORDSIZE;
-	/*****************************************************************/
-	/* Step 2: main loop                                             */
-	/* At this point the output buffer is word-aligned.  Any unused  */
-	/* bytes from above will be in inWord (shifted correctly).  If   */
-	/* the input buffer is unaligned relative to the output buffer,  */
-	/* shifting has to be done.                                      */
-	/*****************************************************************/
-	if (inOffset) {
-		for (; inputLen >= WORDSIZE; inputLen -= WORDSIZE) {
-			nextInWord = *pInWord++;
-			inWord |= nextInWord RSH bufShift;
-			nextInWord = nextInWord LSH invBufShift;
-			ARCFOUR_NEXT_WORD();
-			*pOutWord++ = inWord ^ streamWord;
-			inWord = nextInWord;
-		}
-		if (inputLen == 0) {
-			/* Nothing left to do. */
-			cx->i = tmpi;
-			cx->j = tmpj;
-			return SECSuccess;
-		}
-		/* If the amount of remaining input is greater than the amount
-		 * bytes pulled from the current input word, need to do another
-		 * word load.  What's left in inWord will be consumed in step 3.
-		 */
-		if (inputLen > WORDSIZE - inOffset)
-			inWord |= *pInWord RSH bufShift; /* UMR?  See above. */
-	} else {
-		for (; inputLen >= WORDSIZE; inputLen -= WORDSIZE) {
-			inWord = *pInWord++;
-			ARCFOUR_NEXT_WORD();
-			*pOutWord++ = inWord ^ streamWord;
-		}
-		if (inputLen == 0) {
-			/* Nothing left to do. */
-			cx->i = tmpi;
-			cx->j = tmpj;
-			return SECSuccess;
-		} else {
-			/* A partial input word remains at the tail.  Load it. 
-			 * The relevant bytes will be consumed in step 3.
-			 */
-			inWord = *pInWord; /* UMR?  See comments above */
-		}
-	}
-	/*****************************************************************/
-	/* Step 3:                                                       */
-	/* A partial word of input remains, and it is already loaded     */
-	/* into nextInWord.  Shift appropriately and consume the bytes   */
-	/* used in the partial word.                                     */
-	/*****************************************************************/
-	mask = streamWord = 0;
-#ifdef IS_LITTLE_ENDIAN
-	for (i = 0; i < inputLen; ++i) {
-#else
-	for (i = WORDSIZE - 1; i >= WORDSIZE - inputLen; --i) {
-#endif
-		ARCFOUR_NEXT_BYTE();
-		streamWord |= (WORD)(cx->S[t]) << 8*i;
-		mask |= MASK1BYTE << 8*i;
-	} /* } */
-	/* UMR?  See comments above. */
-	*pOutWord = (*pOutWord & ~mask) | ((inWord ^ streamWord) & mask);
-	cx->i = tmpi;
-	cx->j = tmpj;
-	return SECSuccess;
-}
-#endif
-#endif /* NSS_BEVAND_ARCFOUR */
-
-SECStatus 
-RC4_Encrypt(RC4Context *cx, unsigned char *output,
-            unsigned int *outputLen, unsigned int maxOutputLen,
-            const unsigned char *input, unsigned int inputLen)
-{
-	PORT_Assert(maxOutputLen >= inputLen);
-	if (maxOutputLen < inputLen) {
-		PORT_SetError(SEC_ERROR_INVALID_ARGS);
-		return SECFailure;
-	}
-#if defined(NSS_BEVAND_ARCFOUR)
-	ARCFOUR(cx, inputLen, input, output);
-        *outputLen = inputLen;
-	return SECSuccess;
-#elif defined( CONVERT_TO_WORDS )
-	/* Convert the byte-stream to a word-stream */
-	return rc4_wordconv(cx, output, outputLen, maxOutputLen, input, inputLen);
-#else
-	/* Operate on bytes, but unroll the main loop */
-	return rc4_unrolled(cx, output, outputLen, maxOutputLen, input, inputLen);
-#endif
-}
-
-SECStatus RC4_Decrypt(RC4Context *cx, unsigned char *output,
-                      unsigned int *outputLen, unsigned int maxOutputLen,
-                      const unsigned char *input, unsigned int inputLen)
-{
-	PORT_Assert(maxOutputLen >= inputLen);
-	if (maxOutputLen < inputLen) {
-		PORT_SetError(SEC_ERROR_INVALID_ARGS);
-		return SECFailure;
-	}
-	/* decrypt and encrypt are same operation. */
-#if defined(NSS_BEVAND_ARCFOUR)
-	ARCFOUR(cx, inputLen, input, output);
-        *outputLen = inputLen;
-	return SECSuccess;
-#elif defined( CONVERT_TO_WORDS )
-	/* Convert the byte-stream to a word-stream */
-	return rc4_wordconv(cx, output, outputLen, maxOutputLen, input, inputLen);
-#else
-	/* Operate on bytes, but unroll the main loop */
-	return rc4_unrolled(cx, output, outputLen, maxOutputLen, input, inputLen);
-#endif
-}
-
-#undef CONVERT_TO_WORDS
-#undef USE_LONG
diff --git a/security/nss/lib/freebl/blapi.h b/security/nss/lib/freebl/blapi.h
deleted file mode 100644
index 899eadd45..000000000
--- a/security/nss/lib/freebl/blapi.h
+++ /dev/null
@@ -1,1062 +0,0 @@
-/*
- * crypto.h - public data structures and prototypes for the crypto library
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#ifndef _BLAPI_H_
-#define _BLAPI_H_
-
-#include "blapit.h"
-#include "hasht.h"
-#include "alghmac.h"
-
-SEC_BEGIN_PROTOS
-
-/*
-** RSA encryption/decryption. When encrypting/decrypting the output
-** buffer must be at least the size of the public key modulus.
-*/
-
-/*
-** Generate and return a new RSA public and private key.
-**	Both keys are encoded in a single RSAPrivateKey structure.
-**	"cx" is the random number generator context
-**	"keySizeInBits" is the size of the key to be generated, in bits.
-**	   512, 1024, etc.
-**	"publicExponent" when not NULL is a pointer to some data that
-**	   represents the public exponent to use. The data is a byte
-**	   encoded integer, in "big endian" order.
-*/
-extern RSAPrivateKey *RSA_NewKey(int         keySizeInBits,
-				 SECItem *   publicExponent);
-
-/*
-** Perform a raw public-key operation 
-**	Length of input and output buffers are equal to key's modulus len.
-*/
-extern SECStatus RSA_PublicKeyOp(RSAPublicKey *   key,
-				 unsigned char *  output,
-				 const unsigned char *  input);
-
-/*
-** Perform a raw private-key operation 
-**	Length of input and output buffers are equal to key's modulus len.
-*/
-extern SECStatus RSA_PrivateKeyOp(RSAPrivateKey *  key,
-				  unsigned char *  output,
-				  const unsigned char *  input);
-
-/*
-** Perform a raw private-key operation, and check the parameters used in
-** the operation for validity by performing a test operation first.
-**	Length of input and output buffers are equal to key's modulus len.
-*/
-extern SECStatus RSA_PrivateKeyOpDoubleChecked(RSAPrivateKey *  key,
-				               unsigned char *  output,
-				               const unsigned char *  input);
-
-/*
-** Perform a check of private key parameters for consistency.
-*/
-extern SECStatus RSA_PrivateKeyCheck(RSAPrivateKey *key);
-
-
-/********************************************************************
-** DSA signing algorithm
-*/
-
-/*
-** Generate and return a new DSA public and private key pair,
-**	both of which are encoded into a single DSAPrivateKey struct.
-**	"params" is a pointer to the PQG parameters for the domain
-**	Uses a random seed.
-*/
-extern SECStatus DSA_NewKey(const PQGParams *     params, 
-		            DSAPrivateKey **      privKey);
-
-/* signature is caller-supplied buffer of at least 20 bytes.
-** On input,  signature->len == size of buffer to hold signature.
-**            digest->len    == size of digest.
-** On output, signature->len == size of signature in buffer.
-** Uses a random seed.
-*/
-extern SECStatus DSA_SignDigest(DSAPrivateKey *   key,
-				SECItem *         signature,
-				const SECItem *   digest);
-
-/* signature is caller-supplied buffer of at least 20 bytes.
-** On input,  signature->len == size of buffer to hold signature.
-**            digest->len    == size of digest.
-*/
-extern SECStatus DSA_VerifyDigest(DSAPublicKey *  key,
-				  const SECItem * signature,
-				  const SECItem * digest);
-
-/* For FIPS compliance testing. Seed must be exactly 20 bytes long */
-extern SECStatus DSA_NewKeyFromSeed(const PQGParams *params, 
-                                    const unsigned char * seed,
-                                    DSAPrivateKey **privKey);
-
-/* For FIPS compliance testing. Seed must be exactly 20 bytes. */
-extern SECStatus DSA_SignDigestWithSeed(DSAPrivateKey * key,
-                                        SECItem *       signature,
-                                        const SECItem * digest,
-                                        const unsigned char * seed);
-
-/******************************************************
-** Diffie Helman key exchange algorithm 
-*/
-
-/* Generates parameters for Diffie-Helman key generation.
-**	primeLen is the length in bytes of prime P to be generated.
-*/
-extern SECStatus DH_GenParam(int primeLen, DHParams ** params);
-
-/* Generates a public and private key, both of which are encoded in a single
-**	DHPrivateKey struct. Params is input, privKey are output.  
-**	This is Phase 1 of Diffie Hellman.
-*/
-extern SECStatus DH_NewKey(DHParams *           params, 
-                           DHPrivateKey **	privKey);
-
-/* 
-** DH_Derive does the Diffie-Hellman phase 2 calculation, using the 
-** other party's publicValue, and the prime and our privateValue.
-** maxOutBytes is the requested length of the generated secret in bytes.  
-** A zero value means produce a value of any length up to the size of 
-** the prime.   If successful, derivedSecret->data is set 
-** to the address of the newly allocated buffer containing the derived 
-** secret, and derivedSecret->len is the size of the secret produced.
-** The size of the secret produced will never be larger than the length
-** of the prime, and it may be smaller than maxOutBytes.
-** It is the caller's responsibility to free the allocated buffer 
-** containing the derived secret.
-*/
-extern SECStatus DH_Derive(SECItem *    publicValue, 
-		           SECItem *    prime, 
-			   SECItem *    privateValue, 
-			   SECItem *    derivedSecret,
-			   unsigned int maxOutBytes);
-
-/* 
-** KEA_CalcKey returns octet string with the private key for a dual
-** Diffie-Helman  key generation as specified for government key exchange.
-*/
-extern SECStatus KEA_Derive(SECItem *prime, 
-                            SECItem *public1, 
-                            SECItem *public2, 
-			    SECItem *private1, 
-			    SECItem *private2,
-			    SECItem *derivedSecret);
-
-/*
- * verify that a KEA or DSA public key is a valid key for this prime and
- * subprime domain.
- */
-extern PRBool KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime);
-
-/******************************************************
-** Elliptic Curve algorithms
-*/
-
-/* Generates a public and private key, both of which are encoded 
-** in a single ECPrivateKey struct. Params is input, privKey are
-** output.
-*/
-extern SECStatus EC_NewKey(ECParams *          params, 
-                           ECPrivateKey **     privKey);
-
-extern SECStatus EC_NewKeyFromSeed(ECParams *  params, 
-                           ECPrivateKey **     privKey,
-                           const unsigned char* seed,
-                           int                 seedlen);
-
-/* Validates an EC public key as described in Section 5.2.2 of
- * X9.62. Such validation prevents against small subgroup attacks
- * when the ECDH primitive is used with the cofactor.
- */
-extern SECStatus EC_ValidatePublicKey(ECParams * params, 
-                           SECItem *           publicValue);
-
-/* 
-** ECDH_Derive performs a scalar point multiplication of a point
-** representing a (peer's) public key and a large integer representing
-** a private key (its own). Both keys must use the same elliptic curve
-** parameters. If the withCofactor parameter is true, the
-** multiplication also uses the cofactor associated with the curve
-** parameters.  The output of this scheme is the x-coordinate of the
-** resulting point. If successful, derivedSecret->data is set to the
-** address of the newly allocated buffer containing the derived
-** secret, and derivedSecret->len is the size of the secret
-** produced. It is the caller's responsibility to free the allocated
-** buffer containing the derived secret.
-*/
-extern SECStatus ECDH_Derive(SECItem *       publicValue,
-                             ECParams *      params,
-                             SECItem *       privateValue,
-                             PRBool          withCofactor,
-                             SECItem *       derivedSecret);
-
-/* On input,  signature->len == size of buffer to hold signature.
-**            digest->len    == size of digest.
-** On output, signature->len == size of signature in buffer.
-** Uses a random seed.
-*/
-extern SECStatus ECDSA_SignDigest(ECPrivateKey  *key, 
-                                  SECItem       *signature, 
-                                  const SECItem *digest);
-
-/* On input,  signature->len == size of buffer to hold signature.
-**            digest->len    == size of digest.
-*/
-extern SECStatus ECDSA_VerifyDigest(ECPublicKey   *key, 
-                                    const SECItem *signature, 
-                                    const SECItem *digest);
-
-/* Uses the provided seed. */
-extern SECStatus ECDSA_SignDigestWithSeed(ECPrivateKey        *key,
-                                          SECItem             *signature,
-                                          const SECItem       *digest,
-                                          const unsigned char *seed, 
-                                          const int           seedlen);
-
-/******************************************/
-/*
-** RC4 symmetric stream cypher
-*/
-
-/*
-** Create a new RC4 context suitable for RC4 encryption/decryption.
-**	"key" raw key data
-**	"len" the number of bytes of key data
-*/
-extern RC4Context *RC4_CreateContext(const unsigned char *key, int len);
-
-extern RC4Context *RC4_AllocateContext(void);
-extern SECStatus   RC4_InitContext(RC4Context *cx, 
-				   const unsigned char *key, 
-				   unsigned int keylen,
-				   const unsigned char *, 
-				   int, 
-				   unsigned int ,
-				   unsigned int );
-
-/*
-** Destroy an RC4 encryption/decryption context.
-**	"cx" the context
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void RC4_DestroyContext(RC4Context *cx, PRBool freeit);
-
-/*
-** Perform RC4 encryption.
-**	"cx" the context
-**	"output" the output buffer to store the encrypted data.
-**	"outputLen" how much data is stored in "output". Set by the routine
-**	   after some data is stored in output.
-**	"maxOutputLen" the maximum amount of data that can ever be
-**	   stored in "output"
-**	"input" the input data
-**	"inputLen" the amount of input data
-*/
-extern SECStatus RC4_Encrypt(RC4Context *cx, unsigned char *output,
-			    unsigned int *outputLen, unsigned int maxOutputLen,
-			    const unsigned char *input, unsigned int inputLen);
-
-/*
-** Perform RC4 decryption.
-**	"cx" the context
-**	"output" the output buffer to store the decrypted data.
-**	"outputLen" how much data is stored in "output". Set by the routine
-**	   after some data is stored in output.
-**	"maxOutputLen" the maximum amount of data that can ever be
-**	   stored in "output"
-**	"input" the input data
-**	"inputLen" the amount of input data
-*/
-extern SECStatus RC4_Decrypt(RC4Context *cx, unsigned char *output,
-			    unsigned int *outputLen, unsigned int maxOutputLen,
-			    const unsigned char *input, unsigned int inputLen);
-
-/******************************************/
-/*
-** RC2 symmetric block cypher
-*/
-
-/*
-** Create a new RC2 context suitable for RC2 encryption/decryption.
-** 	"key" raw key data
-** 	"len" the number of bytes of key data
-** 	"iv" is the CBC initialization vector (if mode is NSS_RC2_CBC)
-** 	"mode" one of NSS_RC2 or NSS_RC2_CBC
-**	"effectiveKeyLen" is the effective key length (as specified in 
-**	    RFC 2268) in bytes (not bits).
-**
-** When mode is set to NSS_RC2_CBC the RC2 cipher is run in "cipher block
-** chaining" mode.
-*/
-extern RC2Context *RC2_CreateContext(const unsigned char *key, unsigned int len,
-				     const unsigned char *iv, int mode, 
-				     unsigned effectiveKeyLen);
-extern RC2Context *RC2_AllocateContext(void);
-extern SECStatus   RC2_InitContext(RC2Context *cx,
-				   const unsigned char *key, 
-				   unsigned int keylen,
-				   const unsigned char *iv, 
-				   int mode, 
-				   unsigned int effectiveKeyLen,
-				   unsigned int );
-
-/*
-** Destroy an RC2 encryption/decryption context.
-**	"cx" the context
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void RC2_DestroyContext(RC2Context *cx, PRBool freeit);
-
-/*
-** Perform RC2 encryption.
-**	"cx" the context
-**	"output" the output buffer to store the encrypted data.
-**	"outputLen" how much data is stored in "output". Set by the routine
-**	   after some data is stored in output.
-**	"maxOutputLen" the maximum amount of data that can ever be
-**	   stored in "output"
-**	"input" the input data
-**	"inputLen" the amount of input data
-*/
-extern SECStatus RC2_Encrypt(RC2Context *cx, unsigned char *output,
-			    unsigned int *outputLen, unsigned int maxOutputLen,
-			    const unsigned char *input, unsigned int inputLen);
-
-/*
-** Perform RC2 decryption.
-**	"cx" the context
-**	"output" the output buffer to store the decrypted data.
-**	"outputLen" how much data is stored in "output". Set by the routine
-**	   after some data is stored in output.
-**	"maxOutputLen" the maximum amount of data that can ever be
-**	   stored in "output"
-**	"input" the input data
-**	"inputLen" the amount of input data
-*/
-extern SECStatus RC2_Decrypt(RC2Context *cx, unsigned char *output,
-			    unsigned int *outputLen, unsigned int maxOutputLen,
-			    const unsigned char *input, unsigned int inputLen);
-
-/******************************************/
-/*
-** RC5 symmetric block cypher -- 64-bit block size
-*/
-
-/*
-** Create a new RC5 context suitable for RC5 encryption/decryption.
-**      "key" raw key data
-**      "len" the number of bytes of key data
-**      "iv" is the CBC initialization vector (if mode is NSS_RC5_CBC)
-**      "mode" one of NSS_RC5 or NSS_RC5_CBC
-**
-** When mode is set to NSS_RC5_CBC the RC5 cipher is run in "cipher block
-** chaining" mode.
-*/
-extern RC5Context *RC5_CreateContext(const SECItem *key, unsigned int rounds,
-                     unsigned int wordSize, const unsigned char *iv, int mode);
-extern RC5Context *RC5_AllocateContext(void);
-extern SECStatus   RC5_InitContext(RC5Context *cx, 
-				   const unsigned char *key, 
-				   unsigned int keylen,
-				   const unsigned char *iv, 
-				   int mode,
-				   unsigned int rounds, 
-				   unsigned int wordSize);
-
-/*
-** Destroy an RC5 encryption/decryption context.
-**      "cx" the context
-**      "freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void RC5_DestroyContext(RC5Context *cx, PRBool freeit);
-
-/*
-** Perform RC5 encryption.
-**      "cx" the context
-**      "output" the output buffer to store the encrypted data.
-**      "outputLen" how much data is stored in "output". Set by the routine
-**         after some data is stored in output.
-**      "maxOutputLen" the maximum amount of data that can ever be
-**         stored in "output"
-**      "input" the input data
-**      "inputLen" the amount of input data
-*/
-extern SECStatus RC5_Encrypt(RC5Context *cx, unsigned char *output,
-                            unsigned int *outputLen, unsigned int maxOutputLen,
-                            const unsigned char *input, unsigned int inputLen);
-
-/*
-** Perform RC5 decryption.
-**      "cx" the context
-**      "output" the output buffer to store the decrypted data.
-**      "outputLen" how much data is stored in "output". Set by the routine
-**         after some data is stored in output.
-**      "maxOutputLen" the maximum amount of data that can ever be
-**         stored in "output"
-**      "input" the input data
-**      "inputLen" the amount of input data
-*/
-
-extern SECStatus RC5_Decrypt(RC5Context *cx, unsigned char *output,
-                            unsigned int *outputLen, unsigned int maxOutputLen,
-                            const unsigned char *input, unsigned int inputLen);
-
-
-
-/******************************************/
-/*
-** DES symmetric block cypher
-*/
-
-/*
-** Create a new DES context suitable for DES encryption/decryption.
-** 	"key" raw key data
-** 	"len" the number of bytes of key data
-** 	"iv" is the CBC initialization vector (if mode is NSS_DES_CBC or
-** 	   mode is DES_EDE3_CBC)
-** 	"mode" one of NSS_DES, NSS_DES_CBC, NSS_DES_EDE3 or NSS_DES_EDE3_CBC
-**	"encrypt" is PR_TRUE if the context will be used for encryption
-**
-** When mode is set to NSS_DES_CBC or NSS_DES_EDE3_CBC then the DES
-** cipher is run in "cipher block chaining" mode.
-*/
-extern DESContext *DES_CreateContext(const unsigned char *key, 
-                                     const unsigned char *iv,
-				     int mode, PRBool encrypt);
-extern DESContext *DES_AllocateContext(void);
-extern SECStatus   DES_InitContext(DESContext *cx,
-				   const unsigned char *key, 
-				   unsigned int keylen,
-				   const unsigned char *iv, 
-				   int mode,
-				   unsigned int encrypt,
-				   unsigned int );
-
-/*
-** Destroy an DES encryption/decryption context.
-**	"cx" the context
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void DES_DestroyContext(DESContext *cx, PRBool freeit);
-
-/*
-** Perform DES encryption.
-**	"cx" the context
-**	"output" the output buffer to store the encrypted data.
-**	"outputLen" how much data is stored in "output". Set by the routine
-**	   after some data is stored in output.
-**	"maxOutputLen" the maximum amount of data that can ever be
-**	   stored in "output"
-**	"input" the input data
-**	"inputLen" the amount of input data
-**
-** NOTE: the inputLen must be a multiple of DES_KEY_LENGTH
-*/
-extern SECStatus DES_Encrypt(DESContext *cx, unsigned char *output,
-			    unsigned int *outputLen, unsigned int maxOutputLen,
-			    const unsigned char *input, unsigned int inputLen);
-
-/*
-** Perform DES decryption.
-**	"cx" the context
-**	"output" the output buffer to store the decrypted data.
-**	"outputLen" how much data is stored in "output". Set by the routine
-**	   after some data is stored in output.
-**	"maxOutputLen" the maximum amount of data that can ever be
-**	   stored in "output"
-**	"input" the input data
-**	"inputLen" the amount of input data
-**
-** NOTE: the inputLen must be a multiple of DES_KEY_LENGTH
-*/
-extern SECStatus DES_Decrypt(DESContext *cx, unsigned char *output,
-			    unsigned int *outputLen, unsigned int maxOutputLen,
-			    const unsigned char *input, unsigned int inputLen);
-
-/******************************************/
-/*
-** AES symmetric block cypher (Rijndael)
-*/
-
-/*
-** Create a new AES context suitable for AES encryption/decryption.
-** 	"key" raw key data
-** 	"keylen" the number of bytes of key data (16, 24, or 32)
-**      "blocklen" is the blocksize to use (16, 24, or 32)
-**                        XXX currently only blocksize==16 has been tested!
-*/
-extern AESContext *
-AES_CreateContext(const unsigned char *key, const unsigned char *iv, 
-                  int mode, int encrypt,
-                  unsigned int keylen, unsigned int blocklen);
-extern AESContext *AES_AllocateContext(void);
-extern SECStatus   AES_InitContext(AESContext *cx,
-				   const unsigned char *key, 
-				   unsigned int keylen, 
-				   const unsigned char *iv, 
-				   int mode, 
-				   unsigned int encrypt,
-				   unsigned int blocklen);
-
-/*
-** Destroy a AES encryption/decryption context.
-**	"cx" the context
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void 
-AES_DestroyContext(AESContext *cx, PRBool freeit);
-
-/*
-** Perform AES encryption.
-**	"cx" the context
-**	"output" the output buffer to store the encrypted data.
-**	"outputLen" how much data is stored in "output". Set by the routine
-**	   after some data is stored in output.
-**	"maxOutputLen" the maximum amount of data that can ever be
-**	   stored in "output"
-**	"input" the input data
-**	"inputLen" the amount of input data
-*/
-extern SECStatus 
-AES_Encrypt(AESContext *cx, unsigned char *output,
-            unsigned int *outputLen, unsigned int maxOutputLen,
-            const unsigned char *input, unsigned int inputLen);
-
-/*
-** Perform AES decryption.
-**	"cx" the context
-**	"output" the output buffer to store the decrypted data.
-**	"outputLen" how much data is stored in "output". Set by the routine
-**	   after some data is stored in output.
-**	"maxOutputLen" the maximum amount of data that can ever be
-**	   stored in "output"
-**	"input" the input data
-**	"inputLen" the amount of input data
-*/
-extern SECStatus 
-AES_Decrypt(AESContext *cx, unsigned char *output,
-            unsigned int *outputLen, unsigned int maxOutputLen,
-            const unsigned char *input, unsigned int inputLen);
-
-/******************************************/
-/*
-** AES key wrap algorithm, RFC 3394
-*/
-
-/*
-** Create a new AES context suitable for AES encryption/decryption.
-** 	"key" raw key data
-**      "iv"  The 8 byte "initial value"
-**      "encrypt", a boolean, true for key wrapping, false for unwrapping.
-** 	"keylen" the number of bytes of key data (16, 24, or 32)
-*/
-extern AESKeyWrapContext *
-AESKeyWrap_CreateContext(const unsigned char *key, const unsigned char *iv, 
-                         int encrypt, unsigned int keylen);
-extern AESKeyWrapContext * AESKeyWrap_AllocateContext(void);
-extern SECStatus  
-     AESKeyWrap_InitContext(AESKeyWrapContext *cx, 
-				   const unsigned char *key, 
-				   unsigned int keylen,
-				   const unsigned char *iv, 
-				   int ,
-				   unsigned int encrypt,
-				   unsigned int );
-
-/*
-** Destroy a AES KeyWrap context.
-**	"cx" the context
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void 
-AESKeyWrap_DestroyContext(AESKeyWrapContext *cx, PRBool freeit);
-
-/*
-** Perform AES key wrap.
-**	"cx" the context
-**	"output" the output buffer to store the encrypted data.
-**	"outputLen" how much data is stored in "output". Set by the routine
-**	   after some data is stored in output.
-**	"maxOutputLen" the maximum amount of data that can ever be
-**	   stored in "output"
-**	"input" the input data
-**	"inputLen" the amount of input data
-*/
-extern SECStatus 
-AESKeyWrap_Encrypt(AESKeyWrapContext *cx, unsigned char *output,
-            unsigned int *outputLen, unsigned int maxOutputLen,
-            const unsigned char *input, unsigned int inputLen);
-
-/*
-** Perform AES key unwrap.
-**	"cx" the context
-**	"output" the output buffer to store the decrypted data.
-**	"outputLen" how much data is stored in "output". Set by the routine
-**	   after some data is stored in output.
-**	"maxOutputLen" the maximum amount of data that can ever be
-**	   stored in "output"
-**	"input" the input data
-**	"inputLen" the amount of input data
-*/
-extern SECStatus 
-AESKeyWrap_Decrypt(AESKeyWrapContext *cx, unsigned char *output,
-            unsigned int *outputLen, unsigned int maxOutputLen,
-            const unsigned char *input, unsigned int inputLen);
-
-
-/******************************************/
-/*
-** MD5 secure hash function
-*/
-
-/*
-** Hash a null terminated string "src" into "dest" using MD5
-*/
-extern SECStatus MD5_Hash(unsigned char *dest, const char *src);
-
-/*
-** Hash a non-null terminated string "src" into "dest" using MD5
-*/
-extern SECStatus MD5_HashBuf(unsigned char *dest, const unsigned char *src,
-			     uint32 src_length);
-
-/*
-** Create a new MD5 context
-*/
-extern MD5Context *MD5_NewContext(void);
-
-
-/*
-** Destroy an MD5 secure hash context.
-**	"cx" the context
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void MD5_DestroyContext(MD5Context *cx, PRBool freeit);
-
-/*
-** Reset an MD5 context, preparing it for a fresh round of hashing
-*/
-extern void MD5_Begin(MD5Context *cx);
-
-/*
-** Update the MD5 hash function with more data.
-**	"cx" the context
-**	"input" the data to hash
-**	"inputLen" the amount of data to hash
-*/
-extern void MD5_Update(MD5Context *cx,
-		       const unsigned char *input, unsigned int inputLen);
-
-/*
-** Finish the MD5 hash function. Produce the digested results in "digest"
-**	"cx" the context
-**	"digest" where the 16 bytes of digest data are stored
-**	"digestLen" where the digest length (16) is stored
-**	"maxDigestLen" the maximum amount of data that can ever be
-**	   stored in "digest"
-*/
-extern void MD5_End(MD5Context *cx, unsigned char *digest,
-		    unsigned int *digestLen, unsigned int maxDigestLen);
-
-/*
- * Return the the size of a buffer needed to flatten the MD5 Context into
- *    "cx" the context
- *  returns size;
- */
-extern unsigned int MD5_FlattenSize(MD5Context *cx);
-
-/*
- * Flatten the MD5 Context into a buffer:
- *    "cx" the context
- *    "space" the buffer to flatten to
- *  returns status;
- */
-extern SECStatus MD5_Flatten(MD5Context *cx,unsigned char *space);
-
-/*
- * Resurrect a flattened context into a MD5 Context
- *    "space" the buffer of the flattend buffer
- *    "arg" ptr to void used by cryptographic resurrect
- *  returns resurected context;
- */
-extern MD5Context * MD5_Resurrect(unsigned char *space, void *arg);
-extern void MD5_Clone(MD5Context *dest, MD5Context *src);
-
-/*
-** trace the intermediate state info of the MD5 hash.
-*/
-extern void MD5_TraceState(MD5Context *cx);
-
-
-/******************************************/
-/*
-** MD2 secure hash function
-*/
-
-/*
-** Hash a null terminated string "src" into "dest" using MD2
-*/
-extern SECStatus MD2_Hash(unsigned char *dest, const char *src);
-
-/*
-** Create a new MD2 context
-*/
-extern MD2Context *MD2_NewContext(void);
-
-
-/*
-** Destroy an MD2 secure hash context.
-**	"cx" the context
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void MD2_DestroyContext(MD2Context *cx, PRBool freeit);
-
-/*
-** Reset an MD2 context, preparing it for a fresh round of hashing
-*/
-extern void MD2_Begin(MD2Context *cx);
-
-/*
-** Update the MD2 hash function with more data.
-**	"cx" the context
-**	"input" the data to hash
-**	"inputLen" the amount of data to hash
-*/
-extern void MD2_Update(MD2Context *cx,
-		       const unsigned char *input, unsigned int inputLen);
-
-/*
-** Finish the MD2 hash function. Produce the digested results in "digest"
-**	"cx" the context
-**	"digest" where the 16 bytes of digest data are stored
-**	"digestLen" where the digest length (16) is stored
-**	"maxDigestLen" the maximum amount of data that can ever be
-**	   stored in "digest"
-*/
-extern void MD2_End(MD2Context *cx, unsigned char *digest,
-		    unsigned int *digestLen, unsigned int maxDigestLen);
-
-/*
- * Return the the size of a buffer needed to flatten the MD2 Context into
- *    "cx" the context
- *  returns size;
- */
-extern unsigned int MD2_FlattenSize(MD2Context *cx);
-
-/*
- * Flatten the MD2 Context into a buffer:
- *    "cx" the context
- *    "space" the buffer to flatten to
- *  returns status;
- */
-extern SECStatus MD2_Flatten(MD2Context *cx,unsigned char *space);
-
-/*
- * Resurrect a flattened context into a MD2 Context
- *    "space" the buffer of the flattend buffer
- *    "arg" ptr to void used by cryptographic resurrect
- *  returns resurected context;
- */
-extern MD2Context * MD2_Resurrect(unsigned char *space, void *arg);
-extern void MD2_Clone(MD2Context *dest, MD2Context *src);
-
-/******************************************/
-/*
-** SHA-1 secure hash function
-*/
-
-/*
-** Hash a null terminated string "src" into "dest" using SHA-1
-*/
-extern SECStatus SHA1_Hash(unsigned char *dest, const char *src);
-
-/*
-** Hash a non-null terminated string "src" into "dest" using SHA-1
-*/
-extern SECStatus SHA1_HashBuf(unsigned char *dest, const unsigned char *src,
-			      uint32 src_length);
-
-/*
-** Create a new SHA-1 context
-*/
-extern SHA1Context *SHA1_NewContext(void);
-
-
-/*
-** Destroy a SHA-1 secure hash context.
-**	"cx" the context
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void SHA1_DestroyContext(SHA1Context *cx, PRBool freeit);
-
-/*
-** Reset a SHA-1 context, preparing it for a fresh round of hashing
-*/
-extern void SHA1_Begin(SHA1Context *cx);
-
-/*
-** Update the SHA-1 hash function with more data.
-**	"cx" the context
-**	"input" the data to hash
-**	"inputLen" the amount of data to hash
-*/
-extern void SHA1_Update(SHA1Context *cx, const unsigned char *input,
-			unsigned int inputLen);
-
-/*
-** Finish the SHA-1 hash function. Produce the digested results in "digest"
-**	"cx" the context
-**	"digest" where the 16 bytes of digest data are stored
-**	"digestLen" where the digest length (20) is stored
-**	"maxDigestLen" the maximum amount of data that can ever be
-**	   stored in "digest"
-*/
-extern void SHA1_End(SHA1Context *cx, unsigned char *digest,
-		     unsigned int *digestLen, unsigned int maxDigestLen);
-
-/*
-** trace the intermediate state info of the SHA1 hash.
-*/
-extern void SHA1_TraceState(SHA1Context *cx);
-
-/*
- * Return the the size of a buffer needed to flatten the SHA-1 Context into
- *    "cx" the context
- *  returns size;
- */
-extern unsigned int SHA1_FlattenSize(SHA1Context *cx);
-
-/*
- * Flatten the SHA-1 Context into a buffer:
- *    "cx" the context
- *    "space" the buffer to flatten to
- *  returns status;
- */
-extern SECStatus SHA1_Flatten(SHA1Context *cx,unsigned char *space);
-
-/*
- * Resurrect a flattened context into a SHA-1 Context
- *    "space" the buffer of the flattend buffer
- *    "arg" ptr to void used by cryptographic resurrect
- *  returns resurected context;
- */
-extern SHA1Context * SHA1_Resurrect(unsigned char *space, void *arg);
-extern void SHA1_Clone(SHA1Context *dest, SHA1Context *src);
-
-/******************************************/
-
-extern SHA256Context *SHA256_NewContext(void);
-extern void SHA256_DestroyContext(SHA256Context *cx, PRBool freeit);
-extern void SHA256_Begin(SHA256Context *cx);
-extern void SHA256_Update(SHA256Context *cx, const unsigned char *input,
-			unsigned int inputLen);
-extern void SHA256_End(SHA256Context *cx, unsigned char *digest,
-		     unsigned int *digestLen, unsigned int maxDigestLen);
-extern SECStatus SHA256_HashBuf(unsigned char *dest, const unsigned char *src,
-			      uint32 src_length);
-extern SECStatus SHA256_Hash(unsigned char *dest, const char *src);
-extern void SHA256_TraceState(SHA256Context *cx);
-extern unsigned int SHA256_FlattenSize(SHA256Context *cx);
-extern SECStatus SHA256_Flatten(SHA256Context *cx,unsigned char *space);
-extern SHA256Context * SHA256_Resurrect(unsigned char *space, void *arg);
-extern void SHA256_Clone(SHA256Context *dest, SHA256Context *src);
-
-/******************************************/
-
-extern SHA512Context *SHA512_NewContext(void);
-extern void SHA512_DestroyContext(SHA512Context *cx, PRBool freeit);
-extern void SHA512_Begin(SHA512Context *cx);
-extern void SHA512_Update(SHA512Context *cx, const unsigned char *input,
-			unsigned int inputLen);
-extern void SHA512_End(SHA512Context *cx, unsigned char *digest,
-		     unsigned int *digestLen, unsigned int maxDigestLen);
-extern SECStatus SHA512_HashBuf(unsigned char *dest, const unsigned char *src,
-			      uint32 src_length);
-extern SECStatus SHA512_Hash(unsigned char *dest, const char *src);
-extern void SHA512_TraceState(SHA512Context *cx);
-extern unsigned int SHA512_FlattenSize(SHA512Context *cx);
-extern SECStatus SHA512_Flatten(SHA512Context *cx,unsigned char *space);
-extern SHA512Context * SHA512_Resurrect(unsigned char *space, void *arg);
-extern void SHA512_Clone(SHA512Context *dest, SHA512Context *src);
-
-/******************************************/
-
-extern SHA384Context *SHA384_NewContext(void);
-extern void SHA384_DestroyContext(SHA384Context *cx, PRBool freeit);
-extern void SHA384_Begin(SHA384Context *cx);
-extern void SHA384_Update(SHA384Context *cx, const unsigned char *input,
-			unsigned int inputLen);
-extern void SHA384_End(SHA384Context *cx, unsigned char *digest,
-		     unsigned int *digestLen, unsigned int maxDigestLen);
-extern SECStatus SHA384_HashBuf(unsigned char *dest, const unsigned char *src,
-			      uint32 src_length);
-extern SECStatus SHA384_Hash(unsigned char *dest, const char *src);
-extern void SHA384_TraceState(SHA384Context *cx);
-extern unsigned int SHA384_FlattenSize(SHA384Context *cx);
-extern SECStatus SHA384_Flatten(SHA384Context *cx,unsigned char *space);
-extern SHA384Context * SHA384_Resurrect(unsigned char *space, void *arg);
-extern void SHA384_Clone(SHA384Context *dest, SHA384Context *src);
-
-/****************************************
- * implement TLS Pseudo Random Function (PRF)
- */
-
-extern SECStatus
-TLS_PRF(const SECItem *secret, const char *label, SECItem *seed, 
-         SECItem *result, PRBool isFIPS);
-
-/******************************************/
-/*
-** Pseudo Random Number Generation.  FIPS compliance desirable.
-*/
-
-/*
-** Initialize the global RNG context and give it some seed input taken
-** from the system.  This function is thread-safe and will only allow
-** the global context to be initialized once.  The seed input is likely
-** small, so it is imperative that RNG_RandomUpdate() be called with
-** additional seed data before the generator is used.  A good way to
-** provide the generator with additional entropy is to call
-** RNG_SystemInfoForRNG().  Note that NSS_Init() does exactly that.
-*/
-extern SECStatus RNG_RNGInit(void);
-
-/*
-** Update the global random number generator with more seeding
-** material
-*/
-extern SECStatus RNG_RandomUpdate(const void *data, size_t bytes);
-
-/*
-** Generate some random bytes, using the global random number generator
-** object.
-*/
-extern SECStatus RNG_GenerateGlobalRandomBytes(void *dest, size_t len);
-
-/* Destroy the global RNG context.  After a call to RNG_RNGShutdown()
-** a call to RNG_RNGInit() is required in order to use the generator again,
-** along with seed data (see the comment above RNG_RNGInit()).
-*/
-extern void  RNG_RNGShutdown(void);
-
-extern void RNG_SystemInfoForRNG(void);
-
-/* Generate PQGParams and PQGVerify structs.
- * Length of seed and length of h both equal length of P. 
- * All lengths are specified by "j", according to the table above.
- */
-extern SECStatus
-PQG_ParamGen(unsigned int j, 	   /* input : determines length of P. */
-             PQGParams **pParams,  /* output: P Q and G returned here */
-	     PQGVerify **pVfy);    /* output: counter and seed. */
-
-/* Generate PQGParams and PQGVerify structs.
- * Length of P specified by j.  Length of h will match length of P.
- * Length of SEED in bytes specified in seedBytes.
- * seedBbytes must be in the range [20..255] or an error will result.
- */
-extern SECStatus
-PQG_ParamGenSeedLen(
-             unsigned int j, 	     /* input : determines length of P. */
-	     unsigned int seedBytes, /* input : length of seed in bytes.*/
-             PQGParams **pParams,    /* output: P Q and G returned here */
-	     PQGVerify **pVfy);      /* output: counter and seed. */
-
-
-/*  Test PQGParams for validity as DSS PQG values.
- *  If vfy is non-NULL, test PQGParams to make sure they were generated
- *       using the specified seed, counter, and h values.
- *
- *  Return value indicates whether Verification operation ran succesfully
- *  to completion, but does not indicate if PQGParams are valid or not.
- *  If return value is SECSuccess, then *pResult has these meanings:
- *       SECSuccess: PQGParams are valid.
- *       SECFailure: PQGParams are invalid.
- *
- * Verify the following 12 facts about PQG counter SEED g and h
- * 1.  Q is 160 bits long.
- * 2.  P is one of the 9 valid lengths.
- * 3.  G < P
- * 4.  P % Q == 1
- * 5.  Q is prime
- * 6.  P is prime
- * Steps 7-12 are done only if the optional PQGVerify is supplied.
- * 7.  counter < 4096
- * 8.  g >= 160 and g < 2048   (g is length of seed in bits)
- * 9.  Q generated from SEED matches Q in PQGParams.
- * 10. P generated from (L, counter, g, SEED, Q) matches P in PQGParams.
- * 11. 1 < h < P-1
- * 12. G generated from h matches G in PQGParams.
- */
-
-extern SECStatus   PQG_VerifyParams(const PQGParams *params, 
-                                    const PQGVerify *vfy, SECStatus *result);
-
-
-/*
- * clean-up any global tables freebl may have allocated after it starts up.
- * This function is not thread safe and should be called only after the
- * library has been quiessed.
- */
-extern void BL_Cleanup(void);
-
-
-/**************************************************************************
- *  Verify a given Shared library signature                               *
- **************************************************************************/
-PRBool BLAPI_SHVerify(const char *name, PRFuncPtr addr);
-
-/**************************************************************************
- *  Verify Are Own Shared library signature                               *
- **************************************************************************/
-PRBool BLAPI_VerifySelf(const char *name);
-
-/*********************************************************************/
-extern const SECHashObject * HASH_GetRawHashObject(HASH_HashType hashType);
-
-SEC_END_PROTOS
-
-#endif /* _BLAPI_H_ */
diff --git a/security/nss/lib/freebl/blapit.h b/security/nss/lib/freebl/blapit.h
deleted file mode 100644
index 2400ce325..000000000
--- a/security/nss/lib/freebl/blapit.h
+++ /dev/null
@@ -1,372 +0,0 @@
-/*
- * blapit.h - public data structures for the crypto library
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com> and
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#ifndef _BLAPIT_H_
-#define _BLAPIT_H_
-
-#include "seccomon.h"
-#include "prlink.h"
-#include "plarena.h"
-#include "ecl-exp.h"
-
-
-/* RC2 operation modes */
-#define NSS_RC2			0
-#define NSS_RC2_CBC		1
-
-/* RC5 operation modes */
-#define NSS_RC5                 0
-#define NSS_RC5_CBC             1
-
-/* DES operation modes */
-#define NSS_DES			0
-#define NSS_DES_CBC		1
-#define NSS_DES_EDE3		2
-#define NSS_DES_EDE3_CBC	3
-
-#define DES_KEY_LENGTH		8	/* Bytes */
-
-/* AES operation modes */
-#define NSS_AES                 0
-#define NSS_AES_CBC             1
-
-#define DSA_SIGNATURE_LEN 	40	/* Bytes */
-#define DSA_SUBPRIME_LEN	20	/* Bytes */
-
-/* XXX We shouldn't have to hard code this limit. For
- * now, this is the quickest way to support ECDSA signature
- * processing (ECDSA signature lengths depend on curve
- * size). This limit is sufficient for curves upto
- * 576 bits.
- */
-#define MAX_ECKEY_LEN 	        72	/* Bytes */
-
-/*
- * Number of bytes each hash algorithm produces
- */
-#define MD2_LENGTH		16	/* Bytes */
-#define MD5_LENGTH		16	/* Bytes */
-#define SHA1_LENGTH		20	/* Bytes */
-#define SHA256_LENGTH 		32 	/* bytes */
-#define SHA384_LENGTH 		48 	/* bytes */
-#define SHA512_LENGTH 		64 	/* bytes */
-#define HASH_LENGTH_MAX         SHA512_LENGTH
-
-/*
- * Input block size for each hash algorithm.
- */
-
-#define MD2_BLOCK_LENGTH 	 64 	/* bytes */
-#define MD5_BLOCK_LENGTH 	 64 	/* bytes */
-#define SHA1_BLOCK_LENGTH 	 64 	/* bytes */
-#define SHA256_BLOCK_LENGTH 	 64 	/* bytes */
-#define SHA384_BLOCK_LENGTH 	128 	/* bytes */
-#define SHA512_BLOCK_LENGTH 	128 	/* bytes */
-#define HASH_BLOCK_LENGTH_MAX 	SHA512_BLOCK_LENGTH
-
-#define AES_KEY_WRAP_IV_BYTES    8
-#define AES_KEY_WRAP_BLOCK_SIZE  8  /* bytes */
-#define AES_BLOCK_SIZE          16  /* bytes */
-
-#define NSS_FREEBL_DEFAULT_CHUNKSIZE 2048
-
-/*
- * these values come from the intial key size limits from the PKCS #11
- * module. They may be aribitarily adjusted to any value freebl supports
- * RSA_MAX_MODULUS_BITS is not defined since there is only memory constraints
- * on the largest RSA Modulus that PKCS #11 or freebl may support.
- */
-#define RSA_MIN_MODULUS_BITS   128
-#define DH_MIN_P_BITS	       128
-#define DH_MAX_P_BITS         2236
-
-/*
- * The FIPS 186 algorithm for generating primes P and Q allows only 9
- * distinct values for the length of P, and only one value for the
- * length of Q.
- * The algorithm uses a variable j to indicate which of the 9 lengths
- * of P is to be used.
- * The following table relates j to the lengths of P and Q in bits.
- *
- *	j	bits in P	bits in Q
- *	_	_________	_________
- *	0	 512		160
- *	1	 576		160
- *	2	 640		160
- *	3	 704		160
- *	4	 768		160
- *	5	 832		160
- *	6	 896		160
- *	7	 960		160
- *	8	1024		160
- *
- * The FIPS-186 compliant PQG generator takes j as an input parameter.
- */
-
-#define DSA_Q_BITS       160
-#define DSA_MAX_P_BITS	1024
-#define DSA_MIN_P_BITS	 512
-
-/*
- * function takes desired number of bits in P,
- * returns index (0..8) or -1 if number of bits is invalid.
- */
-#define PQG_PBITS_TO_INDEX(bits) \
-    (((bits) < 512 || (bits) > 1024 || (bits) % 64) ? \
-    -1 : (int)((bits)-512)/64)
-
-/*
- * function takes index (0-8)
- * returns number of bits in P for that index, or -1 if index is invalid.
- */
-#define PQG_INDEX_TO_PBITS(j) (((unsigned)(j) > 8) ? -1 : (512 + 64 * (j)))
-
-
-/***************************************************************************
-** Opaque objects 
-*/
-
-struct DESContextStr        ;
-struct RC2ContextStr        ;
-struct RC4ContextStr        ;
-struct RC5ContextStr        ;
-struct AESContextStr        ;
-struct MD2ContextStr        ;
-struct MD5ContextStr        ;
-struct SHA1ContextStr       ;
-struct SHA256ContextStr     ;
-struct SHA512ContextStr     ;
-struct AESKeyWrapContextStr ;
-
-typedef struct DESContextStr        DESContext;
-typedef struct RC2ContextStr        RC2Context;
-typedef struct RC4ContextStr        RC4Context;
-typedef struct RC5ContextStr        RC5Context;
-typedef struct AESContextStr        AESContext;
-typedef struct MD2ContextStr        MD2Context;
-typedef struct MD5ContextStr        MD5Context;
-typedef struct SHA1ContextStr       SHA1Context;
-typedef struct SHA256ContextStr     SHA256Context;
-typedef struct SHA512ContextStr     SHA512Context;
-/* SHA384Context is really a SHA512ContextStr.  This is not a mistake. */
-typedef struct SHA512ContextStr     SHA384Context;
-typedef struct AESKeyWrapContextStr AESKeyWrapContext;
-
-/***************************************************************************
-** RSA Public and Private Key structures
-*/
-
-/* member names from PKCS#1, section 7.1 */
-struct RSAPublicKeyStr {
-    PRArenaPool * arena;
-    SECItem modulus;
-    SECItem publicExponent;
-};
-typedef struct RSAPublicKeyStr RSAPublicKey;
-
-/* member names from PKCS#1, section 7.2 */
-struct RSAPrivateKeyStr {
-    PRArenaPool * arena;
-    SECItem version;
-    SECItem modulus;
-    SECItem publicExponent;
-    SECItem privateExponent;
-    SECItem prime1;
-    SECItem prime2;
-    SECItem exponent1;
-    SECItem exponent2;
-    SECItem coefficient;
-};
-typedef struct RSAPrivateKeyStr RSAPrivateKey;
-
-
-/***************************************************************************
-** DSA Public and Private Key and related structures
-*/
-
-struct PQGParamsStr {
-    PRArenaPool *arena;
-    SECItem prime;    /* p */
-    SECItem subPrime; /* q */
-    SECItem base;     /* g */
-    /* XXX chrisk: this needs to be expanded to hold j and validationParms (RFC2459 7.3.2) */
-};
-typedef struct PQGParamsStr PQGParams;
-
-struct PQGVerifyStr {
-    PRArenaPool * arena;	/* includes this struct, seed, & h. */
-    unsigned int  counter;
-    SECItem       seed;
-    SECItem       h;
-};
-typedef struct PQGVerifyStr PQGVerify;
-
-struct DSAPublicKeyStr {
-    PQGParams params;
-    SECItem publicValue;
-};
-typedef struct DSAPublicKeyStr DSAPublicKey;
-
-struct DSAPrivateKeyStr {
-    PQGParams params;
-    SECItem publicValue;
-    SECItem privateValue;
-};
-typedef struct DSAPrivateKeyStr DSAPrivateKey;
-
-/***************************************************************************
-** Diffie-Hellman Public and Private Key and related structures
-** Structure member names suggested by PKCS#3.
-*/
-
-struct DHParamsStr {
-    PRArenaPool * arena;
-    SECItem prime; /* p */
-    SECItem base; /* g */
-};
-typedef struct DHParamsStr DHParams;
-
-struct DHPublicKeyStr {
-    PRArenaPool * arena;
-    SECItem prime;
-    SECItem base;
-    SECItem publicValue;
-};
-typedef struct DHPublicKeyStr DHPublicKey;
-
-struct DHPrivateKeyStr {
-    PRArenaPool * arena;
-    SECItem prime;
-    SECItem base;
-    SECItem publicValue;
-    SECItem privateValue;
-};
-typedef struct DHPrivateKeyStr DHPrivateKey;
-
-/***************************************************************************
-** Data structures used for elliptic curve parameters and
-** public and private keys.
-*/
-
-/*
-** The ECParams data structures can encode elliptic curve 
-** parameters for both GFp and GF2m curves.
-*/
-
-typedef enum { ec_params_explicit,
-	       ec_params_named
-} ECParamsType;
-
-typedef enum { ec_field_GFp = 1,
-               ec_field_GF2m
-} ECFieldType;
-
-struct ECFieldIDStr {
-    int         size;   /* field size in bits */
-    ECFieldType type;
-    union {
-        SECItem  prime; /* prime p for (GFp) */
-        SECItem  poly;  /* irreducible binary polynomial for (GF2m) */
-    } u;
-    int         k1;     /* first coefficient of pentanomial or
-                         * the only coefficient of trinomial 
-                         */
-    int         k2;     /* two remaining coefficients of pentanomial */
-    int         k3;
-};
-typedef struct ECFieldIDStr ECFieldID;
-
-struct ECCurveStr {
-    SECItem a;          /* contains octet stream encoding of
-                         * field element (X9.62 section 4.3.3) 
-			 */
-    SECItem b;
-    SECItem seed;
-};
-typedef struct ECCurveStr ECCurve;
-
-struct ECParamsStr {
-    PRArenaPool * arena;
-    ECParamsType  type;
-    ECFieldID     fieldID;
-    ECCurve       curve; 
-    SECItem       base;
-    SECItem       order; 
-    int           cofactor;
-    SECItem       DEREncoding;
-    ECCurveName   name;
-    SECItem       curveOID;
-};
-typedef struct ECParamsStr ECParams;
-
-struct ECPublicKeyStr {
-    ECParams ecParams;   
-    SECItem publicValue;   /* elliptic curve point encoded as 
-			    * octet stream.
-			    */
-};
-typedef struct ECPublicKeyStr ECPublicKey;
-
-struct ECPrivateKeyStr {
-    ECParams ecParams;   
-    SECItem publicValue;   /* encoded ec point */
-    SECItem privateValue;  /* private big integer */
-    SECItem version;       /* As per SEC 1, Appendix C, Section C.4 */
-};
-typedef struct ECPrivateKeyStr ECPrivateKey;
-
-typedef void * (*BLapiAllocateFunc)(void);
-typedef void (*BLapiDestroyContextFunc)(void *cx, PRBool freeit);
-typedef SECStatus (*BLapiInitContextFunc)(void *cx, 
-				   const unsigned char *key, 
-				   unsigned int keylen,
-				   const unsigned char *, 
-				   int, 
-				   unsigned int ,
-				   unsigned int );
-typedef SECStatus (*BLapiEncrypt)(void *cx, unsigned char *output,
-				unsigned int *outputLen, 
-				unsigned int maxOutputLen,
-				const unsigned char *input, 
-				unsigned int inputLen);
-
-#endif /* _BLAPIT_H_ */
diff --git a/security/nss/lib/freebl/config.mk b/security/nss/lib/freebl/config.mk
deleted file mode 100644
index ecbc9373f..000000000
--- a/security/nss/lib/freebl/config.mk
+++ /dev/null
@@ -1,112 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-# only do this in the outermost freebl build.
-ifndef FREEBL_CHILD_BUILD
-
-# We're going to change this build so that it builds libfreebl.a with
-# just loader.c.  Then we have to build this directory twice again to 
-# build the two DSOs.
-# To build libfreebl.a with just loader.c, we must now override many
-# of the make variables setup by the prior inclusion of CORECONF's config.mk
-
-CSRCS		= loader.c 
-SIMPLE_OBJS 	= $(CSRCS:.c=$(OBJ_SUFFIX))
-OBJS 		= $(addprefix $(OBJDIR)/$(PROG_PREFIX), $(SIMPLE_OBJS))
-ALL_TRASH :=    $(TARGETS) $(OBJS) $(OBJDIR) LOGS TAGS $(GARBAGE) \
-                $(NOSUCHFILE) so_locations 
-
-# this is not a recursive child make.  We make a static lib. (archive)
-
-# Override the values defined in coreconf's ruleset.mk.
-#
-# - (1) LIBRARY: a static (archival) library
-# - (2) SHARED_LIBRARY: a shared (dynamic link) library
-# - (3) IMPORT_LIBRARY: an import library, used only on Windows
-# - (4) PROGRAM: an executable binary
-#
-# override these variables to prevent building a DSO/DLL.
-  TARGETS        = $(LIBRARY)
-  SHARED_LIBRARY =
-  IMPORT_LIBRARY =
-  PROGRAM        =
-
-else
-# This is a recursive child make. We build the shared lib.
-
-TARGETS      = $(SHARED_LIBRARY)
-LIBRARY      =
-IMPORT_LIBRARY =
-PROGRAM      =
-
-EXTRA_LIBS   += $(DIST)/lib/$(LIB_PREFIX)secutil.$(LIB_SUFFIX)
-
-ifeq (,$(filter-out WIN%,$(OS_TARGET)))
-
-# don't want the 32 in the shared library name
-SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
-
-RES     = $(OBJDIR)/$(LIBRARY_NAME).res
-RESNAME = freebl.rc
-
-ifdef NS_USE_GCC
-EXTRA_SHARED_LIBS += \
-	-L$(NSPR_LIB_DIR) \
-	-lplc4 \
-	-lplds4 \
-	-lnspr4 \
-	$(NULL)
-else # ! NS_USE_GCC
-EXTRA_SHARED_LIBS += \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
-	$(NULL)
-endif # NS_USE_GCC
-
-else
-
-EXTRA_SHARED_LIBS += \
-	-L$(NSPR_LIB_DIR) \
-	-lplc4 \
-	-lplds4 \
-	-lnspr4 \
-	$(NULL)
-
-endif
-
-endif
diff --git a/security/nss/lib/freebl/des.c b/security/nss/lib/freebl/des.c
deleted file mode 100644
index 684a466f8..000000000
--- a/security/nss/lib/freebl/des.c
+++ /dev/null
@@ -1,689 +0,0 @@
-/*
- *  des.c
- *
- *  core source file for DES-150 library
- *  Make key schedule from DES key.
- *  Encrypt/Decrypt one 8-byte block.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the DES-150 library.
- *
- * The Initial Developer of the Original Code is
- * Nelson B. Bolyard, nelsonb@iname.com.
- * Portions created by the Initial Developer are Copyright (C) 1990
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "des.h"
-#include <stddef.h>	/* for ptrdiff_t */
-/* #define USE_INDEXING 1 */
-
-/*
- * The tables below are the 8 sbox functions, with the 6-bit input permutation 
- * and the 32-bit output permutation pre-computed.
- * They are shifted circularly to the left 3 bits, which removes 2 shifts
- * and an or from each round by reducing the number of sboxes whose
- * indices cross word broundaries from 2 to 1.  
- */
-
-static const HALF SP[8][64] = {
-/* Box S1 */ { 
-	0x04041000, 0x00000000, 0x00040000, 0x04041010, 
-	0x04040010, 0x00041010, 0x00000010, 0x00040000, 
-	0x00001000, 0x04041000, 0x04041010, 0x00001000, 
-	0x04001010, 0x04040010, 0x04000000, 0x00000010, 
-	0x00001010, 0x04001000, 0x04001000, 0x00041000, 
-	0x00041000, 0x04040000, 0x04040000, 0x04001010, 
-	0x00040010, 0x04000010, 0x04000010, 0x00040010, 
-	0x00000000, 0x00001010, 0x00041010, 0x04000000, 
-	0x00040000, 0x04041010, 0x00000010, 0x04040000, 
-	0x04041000, 0x04000000, 0x04000000, 0x00001000, 
-	0x04040010, 0x00040000, 0x00041000, 0x04000010, 
-	0x00001000, 0x00000010, 0x04001010, 0x00041010, 
-	0x04041010, 0x00040010, 0x04040000, 0x04001010, 
-	0x04000010, 0x00001010, 0x00041010, 0x04041000, 
-	0x00001010, 0x04001000, 0x04001000, 0x00000000, 
-	0x00040010, 0x00041000, 0x00000000, 0x04040010
-    },
-/* Box S2 */ { 
-	0x00420082, 0x00020002, 0x00020000, 0x00420080, 
-	0x00400000, 0x00000080, 0x00400082, 0x00020082, 
-	0x00000082, 0x00420082, 0x00420002, 0x00000002, 
-	0x00020002, 0x00400000, 0x00000080, 0x00400082, 
-	0x00420000, 0x00400080, 0x00020082, 0x00000000, 
-	0x00000002, 0x00020000, 0x00420080, 0x00400002, 
-	0x00400080, 0x00000082, 0x00000000, 0x00420000, 
-	0x00020080, 0x00420002, 0x00400002, 0x00020080, 
-	0x00000000, 0x00420080, 0x00400082, 0x00400000, 
-	0x00020082, 0x00400002, 0x00420002, 0x00020000, 
-	0x00400002, 0x00020002, 0x00000080, 0x00420082, 
-	0x00420080, 0x00000080, 0x00020000, 0x00000002, 
-	0x00020080, 0x00420002, 0x00400000, 0x00000082, 
-	0x00400080, 0x00020082, 0x00000082, 0x00400080, 
-	0x00420000, 0x00000000, 0x00020002, 0x00020080, 
-	0x00000002, 0x00400082, 0x00420082, 0x00420000 
-    },
-/* Box S3 */ { 
-	0x00000820, 0x20080800, 0x00000000, 0x20080020, 
-	0x20000800, 0x00000000, 0x00080820, 0x20000800, 
-	0x00080020, 0x20000020, 0x20000020, 0x00080000, 
-	0x20080820, 0x00080020, 0x20080000, 0x00000820, 
-	0x20000000, 0x00000020, 0x20080800, 0x00000800, 
-	0x00080800, 0x20080000, 0x20080020, 0x00080820, 
-	0x20000820, 0x00080800, 0x00080000, 0x20000820, 
-	0x00000020, 0x20080820, 0x00000800, 0x20000000, 
-	0x20080800, 0x20000000, 0x00080020, 0x00000820, 
-	0x00080000, 0x20080800, 0x20000800, 0x00000000, 
-	0x00000800, 0x00080020, 0x20080820, 0x20000800, 
-	0x20000020, 0x00000800, 0x00000000, 0x20080020, 
-	0x20000820, 0x00080000, 0x20000000, 0x20080820, 
-	0x00000020, 0x00080820, 0x00080800, 0x20000020, 
-	0x20080000, 0x20000820, 0x00000820, 0x20080000, 
-	0x00080820, 0x00000020, 0x20080020, 0x00080800 
-    },
-/* Box S4 */ { 
-	0x02008004, 0x00008204, 0x00008204, 0x00000200, 
-	0x02008200, 0x02000204, 0x02000004, 0x00008004, 
-	0x00000000, 0x02008000, 0x02008000, 0x02008204, 
-	0x00000204, 0x00000000, 0x02000200, 0x02000004, 
-	0x00000004, 0x00008000, 0x02000000, 0x02008004, 
-	0x00000200, 0x02000000, 0x00008004, 0x00008200, 
-	0x02000204, 0x00000004, 0x00008200, 0x02000200, 
-	0x00008000, 0x02008200, 0x02008204, 0x00000204, 
-	0x02000200, 0x02000004, 0x02008000, 0x02008204, 
-	0x00000204, 0x00000000, 0x00000000, 0x02008000, 
-	0x00008200, 0x02000200, 0x02000204, 0x00000004, 
-	0x02008004, 0x00008204, 0x00008204, 0x00000200, 
-	0x02008204, 0x00000204, 0x00000004, 0x00008000, 
-	0x02000004, 0x00008004, 0x02008200, 0x02000204, 
-	0x00008004, 0x00008200, 0x02000000, 0x02008004, 
-	0x00000200, 0x02000000, 0x00008000, 0x02008200 
-    },
-/* Box S5 */ { 
-	0x00000400, 0x08200400, 0x08200000, 0x08000401, 
-	0x00200000, 0x00000400, 0x00000001, 0x08200000, 
-	0x00200401, 0x00200000, 0x08000400, 0x00200401, 
-	0x08000401, 0x08200001, 0x00200400, 0x00000001, 
-	0x08000000, 0x00200001, 0x00200001, 0x00000000, 
-	0x00000401, 0x08200401, 0x08200401, 0x08000400, 
-	0x08200001, 0x00000401, 0x00000000, 0x08000001, 
-	0x08200400, 0x08000000, 0x08000001, 0x00200400, 
-	0x00200000, 0x08000401, 0x00000400, 0x08000000, 
-	0x00000001, 0x08200000, 0x08000401, 0x00200401, 
-	0x08000400, 0x00000001, 0x08200001, 0x08200400, 
-	0x00200401, 0x00000400, 0x08000000, 0x08200001, 
-	0x08200401, 0x00200400, 0x08000001, 0x08200401, 
-	0x08200000, 0x00000000, 0x00200001, 0x08000001, 
-	0x00200400, 0x08000400, 0x00000401, 0x00200000, 
-	0x00000000, 0x00200001, 0x08200400, 0x00000401
-    },
-/* Box S6 */ { 
-	0x80000040, 0x81000000, 0x00010000, 0x81010040, 
-	0x81000000, 0x00000040, 0x81010040, 0x01000000, 
-	0x80010000, 0x01010040, 0x01000000, 0x80000040, 
-	0x01000040, 0x80010000, 0x80000000, 0x00010040, 
-	0x00000000, 0x01000040, 0x80010040, 0x00010000, 
-	0x01010000, 0x80010040, 0x00000040, 0x81000040, 
-	0x81000040, 0x00000000, 0x01010040, 0x81010000, 
-	0x00010040, 0x01010000, 0x81010000, 0x80000000, 
-	0x80010000, 0x00000040, 0x81000040, 0x01010000, 
-	0x81010040, 0x01000000, 0x00010040, 0x80000040, 
-	0x01000000, 0x80010000, 0x80000000, 0x00010040, 
-	0x80000040, 0x81010040, 0x01010000, 0x81000000, 
-	0x01010040, 0x81010000, 0x00000000, 0x81000040, 
-	0x00000040, 0x00010000, 0x81000000, 0x01010040, 
-	0x00010000, 0x01000040, 0x80010040, 0x00000000, 
-	0x81010000, 0x80000000, 0x01000040, 0x80010040 
-    },
-/* Box S7 */ { 
-	0x00800000, 0x10800008, 0x10002008, 0x00000000, 
-	0x00002000, 0x10002008, 0x00802008, 0x10802000, 
-	0x10802008, 0x00800000, 0x00000000, 0x10000008, 
-	0x00000008, 0x10000000, 0x10800008, 0x00002008, 
-	0x10002000, 0x00802008, 0x00800008, 0x10002000, 
-	0x10000008, 0x10800000, 0x10802000, 0x00800008, 
-	0x10800000, 0x00002000, 0x00002008, 0x10802008, 
-	0x00802000, 0x00000008, 0x10000000, 0x00802000, 
-	0x10000000, 0x00802000, 0x00800000, 0x10002008, 
-	0x10002008, 0x10800008, 0x10800008, 0x00000008, 
-	0x00800008, 0x10000000, 0x10002000, 0x00800000, 
-	0x10802000, 0x00002008, 0x00802008, 0x10802000, 
-	0x00002008, 0x10000008, 0x10802008, 0x10800000, 
-	0x00802000, 0x00000000, 0x00000008, 0x10802008, 
-	0x00000000, 0x00802008, 0x10800000, 0x00002000, 
-	0x10000008, 0x10002000, 0x00002000, 0x00800008 
-    },
-/* Box S8 */ { 
-	0x40004100, 0x00004000, 0x00100000, 0x40104100, 
-	0x40000000, 0x40004100, 0x00000100, 0x40000000, 
-	0x00100100, 0x40100000, 0x40104100, 0x00104000, 
-	0x40104000, 0x00104100, 0x00004000, 0x00000100, 
-	0x40100000, 0x40000100, 0x40004000, 0x00004100, 
-	0x00104000, 0x00100100, 0x40100100, 0x40104000, 
-	0x00004100, 0x00000000, 0x00000000, 0x40100100, 
-	0x40000100, 0x40004000, 0x00104100, 0x00100000, 
-	0x00104100, 0x00100000, 0x40104000, 0x00004000, 
-	0x00000100, 0x40100100, 0x00004000, 0x00104100, 
-	0x40004000, 0x00000100, 0x40000100, 0x40100000, 
-	0x40100100, 0x40000000, 0x00100000, 0x40004100, 
-	0x00000000, 0x40104100, 0x00100100, 0x40000100, 
-	0x40100000, 0x40004000, 0x40004100, 0x00000000, 
-	0x40104100, 0x00104000, 0x00104000, 0x00004100, 
-	0x00004100, 0x00100100, 0x40000000, 0x40104000 
-    }
-};
-
-static const HALF PC2[8][64] = {
-/* table 0 */ {
-    0x00000000, 0x00001000, 0x04000000, 0x04001000, 
-    0x00100000, 0x00101000, 0x04100000, 0x04101000, 
-    0x00008000, 0x00009000, 0x04008000, 0x04009000, 
-    0x00108000, 0x00109000, 0x04108000, 0x04109000, 
-    0x00000004, 0x00001004, 0x04000004, 0x04001004, 
-    0x00100004, 0x00101004, 0x04100004, 0x04101004, 
-    0x00008004, 0x00009004, 0x04008004, 0x04009004, 
-    0x00108004, 0x00109004, 0x04108004, 0x04109004, 
-    0x08000000, 0x08001000, 0x0c000000, 0x0c001000, 
-    0x08100000, 0x08101000, 0x0c100000, 0x0c101000, 
-    0x08008000, 0x08009000, 0x0c008000, 0x0c009000, 
-    0x08108000, 0x08109000, 0x0c108000, 0x0c109000, 
-    0x08000004, 0x08001004, 0x0c000004, 0x0c001004, 
-    0x08100004, 0x08101004, 0x0c100004, 0x0c101004, 
-    0x08008004, 0x08009004, 0x0c008004, 0x0c009004, 
-    0x08108004, 0x08109004, 0x0c108004, 0x0c109004
-  },
-/* table 1 */ {
-    0x00000000, 0x00002000, 0x80000000, 0x80002000, 
-    0x00000008, 0x00002008, 0x80000008, 0x80002008, 
-    0x00200000, 0x00202000, 0x80200000, 0x80202000, 
-    0x00200008, 0x00202008, 0x80200008, 0x80202008, 
-    0x20000000, 0x20002000, 0xa0000000, 0xa0002000, 
-    0x20000008, 0x20002008, 0xa0000008, 0xa0002008, 
-    0x20200000, 0x20202000, 0xa0200000, 0xa0202000, 
-    0x20200008, 0x20202008, 0xa0200008, 0xa0202008, 
-    0x00000400, 0x00002400, 0x80000400, 0x80002400, 
-    0x00000408, 0x00002408, 0x80000408, 0x80002408, 
-    0x00200400, 0x00202400, 0x80200400, 0x80202400, 
-    0x00200408, 0x00202408, 0x80200408, 0x80202408, 
-    0x20000400, 0x20002400, 0xa0000400, 0xa0002400, 
-    0x20000408, 0x20002408, 0xa0000408, 0xa0002408, 
-    0x20200400, 0x20202400, 0xa0200400, 0xa0202400, 
-    0x20200408, 0x20202408, 0xa0200408, 0xa0202408
-  },
-/* table 2 */ {
-    0x00000000, 0x00004000, 0x00000020, 0x00004020, 
-    0x00080000, 0x00084000, 0x00080020, 0x00084020, 
-    0x00000800, 0x00004800, 0x00000820, 0x00004820, 
-    0x00080800, 0x00084800, 0x00080820, 0x00084820, 
-    0x00000010, 0x00004010, 0x00000030, 0x00004030, 
-    0x00080010, 0x00084010, 0x00080030, 0x00084030, 
-    0x00000810, 0x00004810, 0x00000830, 0x00004830, 
-    0x00080810, 0x00084810, 0x00080830, 0x00084830, 
-    0x00400000, 0x00404000, 0x00400020, 0x00404020, 
-    0x00480000, 0x00484000, 0x00480020, 0x00484020, 
-    0x00400800, 0x00404800, 0x00400820, 0x00404820, 
-    0x00480800, 0x00484800, 0x00480820, 0x00484820, 
-    0x00400010, 0x00404010, 0x00400030, 0x00404030, 
-    0x00480010, 0x00484010, 0x00480030, 0x00484030, 
-    0x00400810, 0x00404810, 0x00400830, 0x00404830, 
-    0x00480810, 0x00484810, 0x00480830, 0x00484830 
-  },
-/* table 3 */ {
-    0x00000000, 0x40000000, 0x00000080, 0x40000080, 
-    0x00040000, 0x40040000, 0x00040080, 0x40040080, 
-    0x00000040, 0x40000040, 0x000000c0, 0x400000c0, 
-    0x00040040, 0x40040040, 0x000400c0, 0x400400c0, 
-    0x10000000, 0x50000000, 0x10000080, 0x50000080, 
-    0x10040000, 0x50040000, 0x10040080, 0x50040080, 
-    0x10000040, 0x50000040, 0x100000c0, 0x500000c0, 
-    0x10040040, 0x50040040, 0x100400c0, 0x500400c0, 
-    0x00800000, 0x40800000, 0x00800080, 0x40800080, 
-    0x00840000, 0x40840000, 0x00840080, 0x40840080, 
-    0x00800040, 0x40800040, 0x008000c0, 0x408000c0, 
-    0x00840040, 0x40840040, 0x008400c0, 0x408400c0, 
-    0x10800000, 0x50800000, 0x10800080, 0x50800080, 
-    0x10840000, 0x50840000, 0x10840080, 0x50840080, 
-    0x10800040, 0x50800040, 0x108000c0, 0x508000c0, 
-    0x10840040, 0x50840040, 0x108400c0, 0x508400c0 
-  },
-/* table 4 */ {
-    0x00000000, 0x00000008, 0x08000000, 0x08000008, 
-    0x00040000, 0x00040008, 0x08040000, 0x08040008, 
-    0x00002000, 0x00002008, 0x08002000, 0x08002008, 
-    0x00042000, 0x00042008, 0x08042000, 0x08042008, 
-    0x80000000, 0x80000008, 0x88000000, 0x88000008, 
-    0x80040000, 0x80040008, 0x88040000, 0x88040008, 
-    0x80002000, 0x80002008, 0x88002000, 0x88002008, 
-    0x80042000, 0x80042008, 0x88042000, 0x88042008, 
-    0x00080000, 0x00080008, 0x08080000, 0x08080008, 
-    0x000c0000, 0x000c0008, 0x080c0000, 0x080c0008, 
-    0x00082000, 0x00082008, 0x08082000, 0x08082008, 
-    0x000c2000, 0x000c2008, 0x080c2000, 0x080c2008, 
-    0x80080000, 0x80080008, 0x88080000, 0x88080008, 
-    0x800c0000, 0x800c0008, 0x880c0000, 0x880c0008, 
-    0x80082000, 0x80082008, 0x88082000, 0x88082008, 
-    0x800c2000, 0x800c2008, 0x880c2000, 0x880c2008 
-  },
-/* table 5 */ {
-    0x00000000, 0x00400000, 0x00008000, 0x00408000, 
-    0x40000000, 0x40400000, 0x40008000, 0x40408000, 
-    0x00000020, 0x00400020, 0x00008020, 0x00408020, 
-    0x40000020, 0x40400020, 0x40008020, 0x40408020, 
-    0x00001000, 0x00401000, 0x00009000, 0x00409000, 
-    0x40001000, 0x40401000, 0x40009000, 0x40409000, 
-    0x00001020, 0x00401020, 0x00009020, 0x00409020, 
-    0x40001020, 0x40401020, 0x40009020, 0x40409020, 
-    0x00100000, 0x00500000, 0x00108000, 0x00508000, 
-    0x40100000, 0x40500000, 0x40108000, 0x40508000, 
-    0x00100020, 0x00500020, 0x00108020, 0x00508020, 
-    0x40100020, 0x40500020, 0x40108020, 0x40508020, 
-    0x00101000, 0x00501000, 0x00109000, 0x00509000, 
-    0x40101000, 0x40501000, 0x40109000, 0x40509000, 
-    0x00101020, 0x00501020, 0x00109020, 0x00509020, 
-    0x40101020, 0x40501020, 0x40109020, 0x40509020 
-  },
-/* table 6 */ {
-    0x00000000, 0x00000040, 0x04000000, 0x04000040, 
-    0x00000800, 0x00000840, 0x04000800, 0x04000840, 
-    0x00800000, 0x00800040, 0x04800000, 0x04800040, 
-    0x00800800, 0x00800840, 0x04800800, 0x04800840, 
-    0x10000000, 0x10000040, 0x14000000, 0x14000040, 
-    0x10000800, 0x10000840, 0x14000800, 0x14000840, 
-    0x10800000, 0x10800040, 0x14800000, 0x14800040, 
-    0x10800800, 0x10800840, 0x14800800, 0x14800840, 
-    0x00000080, 0x000000c0, 0x04000080, 0x040000c0, 
-    0x00000880, 0x000008c0, 0x04000880, 0x040008c0, 
-    0x00800080, 0x008000c0, 0x04800080, 0x048000c0, 
-    0x00800880, 0x008008c0, 0x04800880, 0x048008c0, 
-    0x10000080, 0x100000c0, 0x14000080, 0x140000c0, 
-    0x10000880, 0x100008c0, 0x14000880, 0x140008c0, 
-    0x10800080, 0x108000c0, 0x14800080, 0x148000c0, 
-    0x10800880, 0x108008c0, 0x14800880, 0x148008c0 
-  },
-/* table 7 */ {
-    0x00000000, 0x00000010, 0x00000400, 0x00000410, 
-    0x00000004, 0x00000014, 0x00000404, 0x00000414, 
-    0x00004000, 0x00004010, 0x00004400, 0x00004410, 
-    0x00004004, 0x00004014, 0x00004404, 0x00004414, 
-    0x20000000, 0x20000010, 0x20000400, 0x20000410, 
-    0x20000004, 0x20000014, 0x20000404, 0x20000414, 
-    0x20004000, 0x20004010, 0x20004400, 0x20004410, 
-    0x20004004, 0x20004014, 0x20004404, 0x20004414, 
-    0x00200000, 0x00200010, 0x00200400, 0x00200410, 
-    0x00200004, 0x00200014, 0x00200404, 0x00200414, 
-    0x00204000, 0x00204010, 0x00204400, 0x00204410, 
-    0x00204004, 0x00204014, 0x00204404, 0x00204414, 
-    0x20200000, 0x20200010, 0x20200400, 0x20200410, 
-    0x20200004, 0x20200014, 0x20200404, 0x20200414, 
-    0x20204000, 0x20204010, 0x20204400, 0x20204410, 
-    0x20204004, 0x20204014, 0x20204404, 0x20204414 
-  }
-};
-
-/*
- * The PC-1 Permutation
- * If we number the bits of the 8 bytes of key input like this (in octal):
- *     00 01 02 03 04 05 06 07 
- *     10 11 12 13 14 15 16 17 
- *     20 21 22 23 24 25 26 27 
- *     30 31 32 33 34 35 36 37 
- *     40 41 42 43 44 45 46 47 
- *     50 51 52 53 54 55 56 57 
- *     60 61 62 63 64 65 66 67 
- *     70 71 72 73 74 75 76 77 
- * then after the PC-1 permutation, 
- * C0 is
- *     70 60 50 40 30 20 10 00 
- *     71 61 51 41 31 21 11 01 
- *     72 62 52 42 32 22 12 02 
- *     73 63 53 43 
- * D0 is
- *     76 66 56 46 36 26 16 06 
- *     75 65 55 45 35 25 15 05 
- *     74 64 54 44 34 24 14 04 
- *                 33 23 13 03 
- * and these parity bits have been discarded:
- *     77 67 57 47 37 27 17 07 
- * 
- * We achieve this by flipping the input matrix about the diagonal from 70-07,
- * getting left = 
- *     77 67 57 47 37 27 17 07 	(these are the parity bits)
- *     76 66 56 46 36 26 16 06 
- *     75 65 55 45 35 25 15 05 
- *     74 64 54 44 34 24 14 04 
- * right = 
- *     73 63 53 43 33 23 13 03 
- *     72 62 52 42 32 22 12 02 
- *     71 61 51 41 31 21 11 01 
- *     70 60 50 40 30 20 10 00 
- * then byte swap right, ala htonl() on a little endian machine.
- * right = 
- *     70 60 50 40 30 20 10 00 
- *     71 67 57 47 37 27 11 07 
- *     72 62 52 42 32 22 12 02 
- *     73 63 53 43 33 23 13 03 
- * then
- *     c0 = right >> 4;
- *     d0 = ((left & 0x00ffffff) << 4) | (right & 0xf);
-*/
-
-#define FLIP_RIGHT_DIAGONAL(word, temp) \
-    temp  = (word ^ (word >> 18)) & 0x00003333; \
-    word ^=  temp | (temp << 18); \
-    temp  = (word ^ (word >> 9)) & 0x00550055; \
-    word ^=  temp | (temp << 9);
-
-#define BYTESWAP(word, temp) \
-    word = (word >> 16) | (word << 16); \
-    temp = 0x00ff00ff; \
-    word = ((word & temp) << 8) | ((word >> 8) & temp); 
-
-#define PC1(left, right, c0, d0, temp) \
-    right ^= temp = ((left >> 4) ^ right) & 0x0f0f0f0f; \
-    left  ^= temp << 4; \
-    FLIP_RIGHT_DIAGONAL(left, temp); \
-    FLIP_RIGHT_DIAGONAL(right, temp); \
-    BYTESWAP(right, temp); \
-    c0 = right >> 4; \
-    d0 = ((left & 0x00ffffff) << 4) | (right & 0xf); 
-
-#define LEFT_SHIFT_1( reg ) (((reg << 1) | (reg >> 27)) & 0x0FFFFFFF)
-#define LEFT_SHIFT_2( reg ) (((reg << 2) | (reg >> 26)) & 0x0FFFFFFF)
-
-/*
- *   setup key schedules from key
- */
-
-void 
-DES_MakeSchedule( HALF * ks, const BYTE * key,   DESDirection direction)
-{
-    register HALF left, right;
-    register HALF c0, d0;
-    register HALF temp;
-    int           delta;
-    unsigned int  ls;
-
-#if defined(_X86_)
-    left  = HALFPTR(key)[0]; 
-    right = HALFPTR(key)[1]; 
-    BYTESWAP(left, temp);
-    BYTESWAP(right, temp);
-#else
-    if (((ptrdiff_t)key & 0x03) == 0) {
-	left  = HALFPTR(key)[0]; 
-	right = HALFPTR(key)[1]; 
-#if defined(IS_LITTLE_ENDIAN)
-	BYTESWAP(left, temp);
-	BYTESWAP(right, temp);
-#endif
-    } else {
-	left    = ((HALF)key[0] << 24) | ((HALF)key[1] << 16) | 
-		  ((HALF)key[2] << 8)  | key[3];
-	right   = ((HALF)key[4] << 24) | ((HALF)key[5] << 16) | 
-		  ((HALF)key[6] << 8)  | key[7];
-    }
-#endif
-
-    PC1(left, right, c0, d0, temp);
-
-    if (direction == DES_ENCRYPT) {
-	delta = 2 * (int)sizeof(HALF);
-    } else {
-	ks += 30;
-	delta = (-2) * (int)sizeof(HALF);
-    }
-
-    for (ls = 0x8103; ls; ls >>= 1) {
-	if ( ls & 1 ) {
-	    c0 = LEFT_SHIFT_1( c0 );
-	    d0 = LEFT_SHIFT_1( d0 );
-	} else {
-	    c0 = LEFT_SHIFT_2( c0 );
-	    d0 = LEFT_SHIFT_2( d0 );
-	}
-
-#ifdef USE_INDEXING
-#define PC2LOOKUP(b,c) PC2[b][c]
-
-	left   = PC2LOOKUP(0, ((c0 >> 22) & 0x3F) );
-	left  |= PC2LOOKUP(1, ((c0 >> 13) & 0x3F) );
-	left  |= PC2LOOKUP(2, ((c0 >>  4) & 0x38) | (c0 & 0x7) );
-	left  |= PC2LOOKUP(3, ((c0>>18)&0xC) | ((c0>>11)&0x3) | (c0&0x30));
-
-	right  = PC2LOOKUP(4, ((d0 >> 22) & 0x3F) );
-	right |= PC2LOOKUP(5, ((d0 >> 15) & 0x30) | ((d0 >> 14) & 0xf) );
-	right |= PC2LOOKUP(6, ((d0 >>  7) & 0x3F) );
-	right |= PC2LOOKUP(7, ((d0 >>  1) & 0x3C) | (d0 & 0x3));
-#else
-#define PC2LOOKUP(b,c) *(HALF *)((BYTE *)&PC2[b][0]+(c))
-
-	left   = PC2LOOKUP(0, ((c0 >> 20) & 0xFC) );
-	left  |= PC2LOOKUP(1, ((c0 >> 11) & 0xFC) );
-	left  |= PC2LOOKUP(2, ((c0 >>  2) & 0xE0) | ((c0 <<  2) & 0x1C) );
-	left  |= PC2LOOKUP(3, ((c0>>16)&0x30)|((c0>>9)&0xC)|((c0<<2)&0xC0));
-
-	right  = PC2LOOKUP(4, ((d0 >> 20) & 0xFC) );
-	right |= PC2LOOKUP(5, ((d0 >> 13) & 0xC0) | ((d0 >> 12) & 0x3C) );
-	right |= PC2LOOKUP(6, ((d0 >>  5) & 0xFC) );
-	right |= PC2LOOKUP(7, ((d0 <<  1) & 0xF0) | ((d0 << 2) & 0x0C));
-#endif
-	/* left  contains key bits for S1 S3 S2 S4 */
-	/* right contains key bits for S6 S8 S5 S7 */
-	temp = (left  << 16)        /* S2 S4 XX XX */
-	     | (right >> 16);       /* XX XX S6 S8 */
-	ks[0] = temp;
-
-	temp = (left  & 0xffff0000) /* S1 S3 XX XX */
-	     | (right & 0x0000ffff);/* XX XX S5 S7 */
-	ks[1] = temp;
-
-	ks = (HALF*)((BYTE *)ks + delta);
-    }
-}
-
-/*
- * The DES Initial Permutation
- * if we number the bits of the 8 bytes of input like this (in octal):
- *     00 01 02 03 04 05 06 07 
- *     10 11 12 13 14 15 16 17 
- *     20 21 22 23 24 25 26 27 
- *     30 31 32 33 34 35 36 37 
- *     40 41 42 43 44 45 46 47 
- *     50 51 52 53 54 55 56 57 
- *     60 61 62 63 64 65 66 67 
- *     70 71 72 73 74 75 76 77 
- * then after the initial permutation, they will be in this order. 
- *     71 61 51 41 31 21 11 01 
- *     73 63 53 43 33 23 13 03 
- *     75 65 55 45 35 25 15 05 
- *     77 67 57 47 37 27 17 07 
- *     70 60 50 40 30 20 10 00 
- *     72 62 52 42 32 22 12 02 
- *     74 64 54 44 34 24 14 04 
- *     76 66 56 46 36 26 16 06 
- *
- * One way to do this is in two steps:
- * 1. Flip this matrix about the diagonal from 70-07 as done for PC1.
- * 2. Rearrange the bytes (rows in the matrix above) with the following code.
- *
- * #define swapHiLo(word, temp) \
- *   temp  = (word ^ (word >> 24)) & 0x000000ff; \
- *   word ^=  temp | (temp << 24); 
- *
- *   right ^= temp = ((left << 8) ^ right) & 0xff00ff00; 
- *   left  ^= temp >> 8; 
- *   swapHiLo(left, temp);
- *   swapHiLo(right,temp);
- *
- * However, the two steps can be combined, so that the rows are rearranged
- * while the matrix is being flipped, reducing the number of bit exchange
- * operations from 8 ot 5.  
- *
- * Initial Permutation */
-#define IP(left, right, temp) \
-    right ^= temp = ((left >> 4) ^  right) & 0x0f0f0f0f; \
-    left  ^= temp << 4; \
-    right ^= temp = ((left >> 16) ^ right) & 0x0000ffff; \
-    left  ^= temp << 16; \
-    right ^= temp = ((left << 2) ^ right) & 0xcccccccc; \
-    left  ^= temp >> 2; \
-    right ^= temp = ((left << 8) ^ right) & 0xff00ff00; \
-    left  ^= temp >> 8; \
-    right ^= temp = ((left >> 1) ^ right) & 0x55555555; \
-    left  ^= temp << 1; 
-
-/* The Final (Inverse Initial) permutation is done by reversing the 
-** steps of the Initital Permutation 
-*/
-
-#define FP(left, right, temp) \
-    right ^= temp = ((left >> 1) ^ right) & 0x55555555; \
-    left  ^= temp << 1; \
-    right ^= temp = ((left << 8) ^ right) & 0xff00ff00; \
-    left  ^= temp >> 8; \
-    right ^= temp = ((left << 2) ^ right) & 0xcccccccc; \
-    left  ^= temp >> 2; \
-    right ^= temp = ((left >> 16) ^ right) & 0x0000ffff; \
-    left  ^= temp << 16; \
-    right ^= temp = ((left >> 4) ^  right) & 0x0f0f0f0f; \
-    left  ^= temp << 4; 
-
-void 
-DES_Do1Block(HALF * ks, const BYTE * inbuf, BYTE * outbuf)
-{
-    register HALF left, right;
-    register HALF temp;
-
-#if defined(_X86_)
-    left  = HALFPTR(inbuf)[0]; 
-    right = HALFPTR(inbuf)[1]; 
-    BYTESWAP(left, temp);
-    BYTESWAP(right, temp);
-#else
-    if (((ptrdiff_t)inbuf & 0x03) == 0) {
-	left  = HALFPTR(inbuf)[0]; 
-	right = HALFPTR(inbuf)[1]; 
-#if defined(IS_LITTLE_ENDIAN)
-	BYTESWAP(left, temp);
-	BYTESWAP(right, temp);
-#endif
-    } else {
-	left    = ((HALF)inbuf[0] << 24) | ((HALF)inbuf[1] << 16) | 
-		  ((HALF)inbuf[2] << 8)  | inbuf[3];
-	right   = ((HALF)inbuf[4] << 24) | ((HALF)inbuf[5] << 16) | 
-		  ((HALF)inbuf[6] << 8)  | inbuf[7];
-    }
-#endif
-
-    IP(left, right, temp);
-
-    /* shift the values left circularly 3 bits. */
-    left  = (left  << 3) | (left  >> 29);
-    right = (right << 3) | (right >> 29);
-
-#ifdef USE_INDEXING
-#define KSLOOKUP(s,b) SP[s][((temp >> (b+2)) & 0x3f)]
-#else
-#define KSLOOKUP(s,b) *(HALF*)((BYTE*)&SP[s][0]+((temp >> b) & 0xFC))
-#endif
-#define ROUND(out, in, r) \
-    temp  = in ^ ks[2*r]; \
-    out ^= KSLOOKUP( 1,  24 ); \
-    out ^= KSLOOKUP( 3,  16 ); \
-    out ^= KSLOOKUP( 5,   8 ); \
-    out ^= KSLOOKUP( 7,   0 ); \
-    temp  = ((in >> 4) | (in << 28)) ^ ks[2*r+1]; \
-    out ^= KSLOOKUP( 0,  24 ); \
-    out ^= KSLOOKUP( 2,  16 ); \
-    out ^= KSLOOKUP( 4,   8 ); \
-    out ^= KSLOOKUP( 6,   0 ); 
-
-    /* Do the 16 Feistel rounds */
-    ROUND(left, right, 0)
-    ROUND(right, left, 1)
-    ROUND(left, right, 2)
-    ROUND(right, left, 3)
-    ROUND(left, right, 4)
-    ROUND(right, left, 5)
-    ROUND(left, right, 6)
-    ROUND(right, left, 7)
-    ROUND(left, right, 8)
-    ROUND(right, left, 9)
-    ROUND(left, right, 10)
-    ROUND(right, left, 11)
-    ROUND(left, right, 12)
-    ROUND(right, left, 13)
-    ROUND(left, right, 14)
-    ROUND(right, left, 15)
-
-    /* now shift circularly right 3 bits to undo the shifting done 
-    ** above.  switch left and right here. 
-    */
-    temp  = (left >> 3) | (left << 29); 
-    left  = (right >> 3) | (right << 29); 
-    right = temp;
-
-    FP(left, right, temp);
-
-#if defined(_X86_)
-    BYTESWAP(left, temp);
-    BYTESWAP(right, temp);
-    HALFPTR(outbuf)[0]  = left; 
-    HALFPTR(outbuf)[1]  = right; 
-#else
-    if (((ptrdiff_t)inbuf & 0x03) == 0) {
-#if defined(IS_LITTLE_ENDIAN)
-	BYTESWAP(left, temp);
-	BYTESWAP(right, temp);
-#endif
-	HALFPTR(outbuf)[0]  = left; 
-	HALFPTR(outbuf)[1]  = right; 
-    } else {
-	outbuf[0] = (BYTE)(left >> 24);
-	outbuf[1] = (BYTE)(left >> 16);
-	outbuf[2] = (BYTE)(left >>  8);
-	outbuf[3] = (BYTE)(left      );
-
-	outbuf[4] = (BYTE)(right >> 24);
-	outbuf[5] = (BYTE)(right >> 16);
-	outbuf[6] = (BYTE)(right >>  8);
-	outbuf[7] = (BYTE)(right      );
-    }
-#endif
-
-}
-
-/* Ackowledgements:
-** Two ideas used in this implementation were shown to me by Dennis Ferguson 
-** in 1990.  He credits them to Richard Outerbridge and Dan Hoey.  They were:
-** 1. The method of computing the Initial and Final permutations.
-** 2. Circularly rotating the SP tables and the initial values of left and 
-**	right to reduce the number of shifts required during the 16 rounds.
-*/
diff --git a/security/nss/lib/freebl/des.h b/security/nss/lib/freebl/des.h
deleted file mode 100644
index 1191f026e..000000000
--- a/security/nss/lib/freebl/des.h
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- *  des.h
- *
- *  header file for DES-150 library
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the DES-150 library.
- *
- * The Initial Developer of the Original Code is
- * Nelson B. Bolyard, nelsonb@iname.com.
- * Portions created by the Initial Developer are Copyright (C) 1990
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef _DES_H_
-#define _DES_H_ 1
-
-#include "blapi.h"
-
-typedef unsigned char BYTE;
-typedef unsigned int  HALF;
-
-#define HALFPTR(x) ((HALF *)(x))
-#define SHORTPTR(x) ((unsigned short *)(x))
-#define BYTEPTR(x) ((BYTE *)(x))
-
-typedef enum {
-    DES_ENCRYPT = 0x5555,
-    DES_DECRYPT = 0xAAAA
-} DESDirection;
-
-typedef void DESFunc(struct DESContextStr *cx, BYTE *out, const BYTE *in, 
-                     unsigned int len);
-
-struct DESContextStr {
-    /* key schedule, 16 internal keys, each with 8 6-bit parts */
-    HALF ks0 [32];
-    HALF ks1 [32];
-    HALF ks2 [32];
-    HALF iv  [2];
-    DESDirection direction;
-    DESFunc  *worker;
-};
-
-void DES_MakeSchedule( HALF * ks, const BYTE * key,   DESDirection direction);
-void DES_Do1Block(     HALF * ks, const BYTE * inbuf, BYTE * outbuf);
-
-#endif
diff --git a/security/nss/lib/freebl/desblapi.c b/security/nss/lib/freebl/desblapi.c
deleted file mode 100644
index b9b3288ac..000000000
--- a/security/nss/lib/freebl/desblapi.c
+++ /dev/null
@@ -1,301 +0,0 @@
-/*
- *  desblapi.c
- *
- *  core source file for DES-150 library
- *  Implement DES Modes of Operation and Triple-DES.
- *  Adapt DES-150 to blapi API.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the DES-150 library.
- *
- * The Initial Developer of the Original Code is
- * Nelson B. Bolyard, nelsonb@iname.com.
- * Portions created by the Initial Developer are Copyright (C) 1990
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "des.h"
-#include <stddef.h>
-#include "secerr.h"
-
-#if defined(_X86_)
-/* Intel X86 CPUs do unaligned loads and stores without complaint. */
-#define COPY8B(to, from, ptr) \
-    	HALFPTR(to)[0] = HALFPTR(from)[0]; \
-    	HALFPTR(to)[1] = HALFPTR(from)[1]; 
-#elif defined(USE_MEMCPY)
-#define COPY8B(to, from, ptr) memcpy(to, from, 8)
-#else
-#define COPY8B(to, from, ptr) \
-    if (((ptrdiff_t)(ptr) & 0x3) == 0) { \
-    	HALFPTR(to)[0] = HALFPTR(from)[0]; \
-    	HALFPTR(to)[1] = HALFPTR(from)[1]; \
-    } else if (((ptrdiff_t)(ptr) & 0x1) == 0) { \
-    	SHORTPTR(to)[0] = SHORTPTR(from)[0]; \
-    	SHORTPTR(to)[1] = SHORTPTR(from)[1]; \
-    	SHORTPTR(to)[2] = SHORTPTR(from)[2]; \
-    	SHORTPTR(to)[3] = SHORTPTR(from)[3]; \
-    } else { \
-    	BYTEPTR(to)[0] = BYTEPTR(from)[0]; \
-    	BYTEPTR(to)[1] = BYTEPTR(from)[1]; \
-    	BYTEPTR(to)[2] = BYTEPTR(from)[2]; \
-    	BYTEPTR(to)[3] = BYTEPTR(from)[3]; \
-    	BYTEPTR(to)[4] = BYTEPTR(from)[4]; \
-    	BYTEPTR(to)[5] = BYTEPTR(from)[5]; \
-    	BYTEPTR(to)[6] = BYTEPTR(from)[6]; \
-    	BYTEPTR(to)[7] = BYTEPTR(from)[7]; \
-    } 
-#endif
-#define COPY8BTOHALF(to, from) COPY8B(to, from, from)
-#define COPY8BFROMHALF(to, from) COPY8B(to, from, to)
-
-static void 
-DES_ECB(DESContext *cx, BYTE *out, const BYTE *in, unsigned int len)
-{
-    while (len) {
-	DES_Do1Block(cx->ks0, in, out);
-	len -= 8;
-	in  += 8;
-	out += 8;
-    }
-}
-
-static void 
-DES_EDE3_ECB(DESContext *cx, BYTE *out, const BYTE *in, unsigned int len)
-{
-    while (len) {
-	DES_Do1Block(cx->ks0,  in, out);
-	len -= 8;
-	in  += 8;
-	DES_Do1Block(cx->ks1, out, out);
-	DES_Do1Block(cx->ks2, out, out);
-	out += 8;
-    }
-}
-
-static void 
-DES_CBCEn(DESContext *cx, BYTE *out, const BYTE *in, unsigned int len)
-{
-    const BYTE * bufend = in + len;
-    HALF  vec[2];
-
-    while (in != bufend) {
-	COPY8BTOHALF(vec, in);
-	in += 8;
-	vec[0] ^= cx->iv[0];
-	vec[1] ^= cx->iv[1];
-	DES_Do1Block( cx->ks0, (BYTE *)vec, (BYTE *)cx->iv);
-	COPY8BFROMHALF(out, cx->iv);
-	out += 8;
-    }
-}
-
-static void 
-DES_CBCDe(DESContext *cx, BYTE *out, const BYTE *in, unsigned int len)
-{
-    const BYTE * bufend;
-    HALF oldciphertext[2];
-    HALF plaintext    [2];
-
-    for (bufend = in + len; in != bufend; ) {
-	oldciphertext[0] = cx->iv[0];
-	oldciphertext[1] = cx->iv[1];
-	COPY8BTOHALF(cx->iv, in);
-	in += 8;
-	DES_Do1Block(cx->ks0, (BYTE *)cx->iv, (BYTE *)plaintext);
-	plaintext[0] ^= oldciphertext[0];
-	plaintext[1] ^= oldciphertext[1];
-	COPY8BFROMHALF(out, plaintext);
-	out += 8;
-    }
-}
-
-static void 
-DES_EDE3CBCEn(DESContext *cx, BYTE *out, const BYTE *in, unsigned int len)
-{
-    const BYTE * bufend = in + len;
-    HALF  vec[2];
-
-    while (in != bufend) {
-	COPY8BTOHALF(vec, in);
-	in += 8;
-	vec[0] ^= cx->iv[0];
-	vec[1] ^= cx->iv[1];
-	DES_Do1Block( cx->ks0, (BYTE *)vec,    (BYTE *)cx->iv);
-	DES_Do1Block( cx->ks1, (BYTE *)cx->iv, (BYTE *)cx->iv);
-	DES_Do1Block( cx->ks2, (BYTE *)cx->iv, (BYTE *)cx->iv);
-	COPY8BFROMHALF(out, cx->iv);
-	out += 8;
-    }
-}
-
-static void 
-DES_EDE3CBCDe(DESContext *cx, BYTE *out, const BYTE *in, unsigned int len)
-{
-    const BYTE * bufend;
-    HALF oldciphertext[2];
-    HALF plaintext    [2];
-
-    for (bufend = in + len; in != bufend; ) {
-	oldciphertext[0] = cx->iv[0];
-	oldciphertext[1] = cx->iv[1];
-	COPY8BTOHALF(cx->iv, in);
-	in += 8;
-	DES_Do1Block(cx->ks0, (BYTE *)cx->iv,    (BYTE *)plaintext);
-	DES_Do1Block(cx->ks1, (BYTE *)plaintext, (BYTE *)plaintext);
-	DES_Do1Block(cx->ks2, (BYTE *)plaintext, (BYTE *)plaintext);
-	plaintext[0] ^= oldciphertext[0];
-	plaintext[1] ^= oldciphertext[1];
-	COPY8BFROMHALF(out, plaintext);
-	out += 8;
-    }
-}
-
-DESContext *
-DES_AllocateContext(void)
-{
-    return PORT_ZNew(DESContext);
-}
-
-SECStatus   
-DES_InitContext(DESContext *cx, const unsigned char *key, unsigned int keylen,
-	        const unsigned char *iv, int mode, unsigned int encrypt,
-	        unsigned int unused)
-{
-    DESDirection opposite;
-    if (!cx) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-    	return SECFailure;
-    }
-    cx->direction = encrypt ? DES_ENCRYPT : DES_DECRYPT;
-    opposite      = encrypt ? DES_DECRYPT : DES_ENCRYPT;
-    switch (mode) {
-    case NSS_DES:	/* DES ECB */
-	DES_MakeSchedule( cx->ks0, key, cx->direction);
-	cx->worker = &DES_ECB;
-	break;
-
-    case NSS_DES_EDE3:	/* DES EDE ECB */
-	cx->worker = &DES_EDE3_ECB;
-	if (encrypt) {
-	    DES_MakeSchedule(cx->ks0, key,      cx->direction);
-	    DES_MakeSchedule(cx->ks1, key +  8, opposite);
-	    DES_MakeSchedule(cx->ks2, key + 16, cx->direction);
-	} else {
-	    DES_MakeSchedule(cx->ks2, key,      cx->direction);
-	    DES_MakeSchedule(cx->ks1, key +  8, opposite);
-	    DES_MakeSchedule(cx->ks0, key + 16, cx->direction);
-	}
-	break;
-
-    case NSS_DES_CBC:	/* DES CBC */
-	COPY8BTOHALF(cx->iv, iv);
-	cx->worker = encrypt ? &DES_CBCEn : &DES_CBCDe;
-	DES_MakeSchedule(cx->ks0, key, cx->direction);
-	break;
-
-    case NSS_DES_EDE3_CBC:	/* DES EDE CBC */
-	COPY8BTOHALF(cx->iv, iv);
-	if (encrypt) {
-	    cx->worker = &DES_EDE3CBCEn;
-	    DES_MakeSchedule(cx->ks0, key,      cx->direction);
-	    DES_MakeSchedule(cx->ks1, key +  8, opposite);
-	    DES_MakeSchedule(cx->ks2, key + 16, cx->direction);
-	} else {
-	    cx->worker = &DES_EDE3CBCDe;
-	    DES_MakeSchedule(cx->ks2, key,      cx->direction);
-	    DES_MakeSchedule(cx->ks1, key +  8, opposite);
-	    DES_MakeSchedule(cx->ks0, key + 16, cx->direction);
-	}
-	break;
-
-    default:
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-DESContext *
-DES_CreateContext(const BYTE * key, const BYTE *iv, int mode, PRBool encrypt)
-{
-    DESContext *cx = PORT_ZNew(DESContext);
-    SECStatus rv   = DES_InitContext(cx, key, 0, iv, mode, encrypt, 0);
-
-    if (rv != SECSuccess) {
-    	PORT_ZFree(cx, sizeof *cx);
-	cx = NULL;
-    }
-    return cx;
-}
-
-void
-DES_DestroyContext(DESContext *cx, PRBool freeit)
-{
-    if (cx) {
-    	memset(cx, 0, sizeof *cx);
-	if (freeit)
-	    PORT_Free(cx);
-    }
-}
-
-SECStatus
-DES_Encrypt(DESContext *cx, BYTE *out, unsigned int *outLen,
-            unsigned int maxOutLen, const BYTE *in, unsigned int inLen)
-{
-
-    if (inLen < 0 || (inLen % 8) != 0 || maxOutLen < inLen || !cx || 
-        cx->direction != DES_ENCRYPT) {
-    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    cx->worker(cx, out, in, inLen);
-    if (outLen)
-	*outLen = inLen;
-    return SECSuccess;
-}
-
-SECStatus
-DES_Decrypt(DESContext *cx, BYTE *out, unsigned int *outLen,
-            unsigned int maxOutLen, const BYTE *in, unsigned int inLen)
-{
-
-    if (inLen < 0 || (inLen % 8) != 0 || maxOutLen < inLen || !cx || 
-        cx->direction != DES_DECRYPT) {
-    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    cx->worker(cx, out, in, inLen);
-    if (outLen)
-	*outLen = inLen;
-    return SECSuccess;
-}
diff --git a/security/nss/lib/freebl/dh.c b/security/nss/lib/freebl/dh.c
deleted file mode 100644
index 4f9a3a746..000000000
--- a/security/nss/lib/freebl/dh.c
+++ /dev/null
@@ -1,388 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Diffie-Hellman parameter generation, key generation, and secret derivation.
- * KEA secret generation and verification.
- *
- * $Id$
- */
-
-#include "prerr.h"
-#include "secerr.h"
-
-#include "blapi.h"
-#include "secitem.h"
-#include "mpi.h"
-#include "mpprime.h"
-#include "secmpi.h"
-
-#define DH_SECRET_KEY_LEN      20
-#define KEA_DERIVED_SECRET_LEN 128
-
-SECStatus 
-DH_GenParam(int primeLen, DHParams **params)
-{
-    PRArenaPool *arena;
-    DHParams *dhparams;
-    unsigned char *pb = NULL;
-    unsigned char *ab = NULL;
-    unsigned long counter = 0;
-    mp_int p, q, a, h, psub1, test;
-    mp_err err = MP_OKAY;
-    SECStatus rv = SECSuccess;
-    if (!params || primeLen < 0) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);
-    if (!arena) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return SECFailure;
-    }
-    dhparams = (DHParams *)PORT_ArenaZAlloc(arena, sizeof(DHParams));
-    if (!dhparams) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	PORT_FreeArena(arena, PR_TRUE);
-	return SECFailure;
-    }
-    dhparams->arena = arena;
-    MP_DIGITS(&p) = 0;
-    MP_DIGITS(&q) = 0;
-    MP_DIGITS(&a) = 0;
-    MP_DIGITS(&h) = 0;
-    MP_DIGITS(&psub1) = 0;
-    MP_DIGITS(&test) = 0;
-    CHECK_MPI_OK( mp_init(&p) );
-    CHECK_MPI_OK( mp_init(&q) );
-    CHECK_MPI_OK( mp_init(&a) );
-    CHECK_MPI_OK( mp_init(&h) );
-    CHECK_MPI_OK( mp_init(&psub1) );
-    CHECK_MPI_OK( mp_init(&test) );
-    /* generate prime with MPI, uses Miller-Rabin to generate strong prime. */
-    pb = PORT_Alloc(primeLen);
-    CHECK_SEC_OK( RNG_GenerateGlobalRandomBytes(pb, primeLen) );
-    pb[0]          |= 0x80; /* set high-order bit */
-    pb[primeLen-1] |= 0x01; /* set low-order bit  */
-    CHECK_MPI_OK( mp_read_unsigned_octets(&p, pb, primeLen) );
-    CHECK_MPI_OK( mpp_make_prime(&p, primeLen * 8, PR_TRUE, &counter) );
-    /* construct Sophie-Germain prime q = (p-1)/2. */
-    CHECK_MPI_OK( mp_sub_d(&p, 1, &psub1) );
-    CHECK_MPI_OK( mp_div_2(&psub1, &q)    );
-    /* construct a generator from the prime. */
-    ab = PORT_Alloc(primeLen);
-    /* generate a candidate number a in p's field */
-    CHECK_SEC_OK( RNG_GenerateGlobalRandomBytes(ab, primeLen) );
-    CHECK_MPI_OK( mp_read_unsigned_octets(&a, ab, primeLen) );
-    /* force a < p (note that quot(a/p) <= 1) */
-    if ( mp_cmp(&a, &p) > 0 )
-	CHECK_MPI_OK( mp_sub(&a, &p, &a) );
-    do {
-	/* check that a is in the range [2..p-1] */
-	if ( mp_cmp_d(&a, 2) < 0 || mp_cmp(&a, &psub1) >= 0) {
-	    /* a is outside of the allowed range.  Set a=3 and keep going. */
-            mp_set(&a, 3);
-	}
-	/* if a**q mod p != 1 then a is a generator */
-	CHECK_MPI_OK( mp_exptmod(&a, &q, &p, &test) );
-	if ( mp_cmp_d(&test, 1) != 0 )
-	    break;
-	/* increment the candidate and try again. */
-	CHECK_MPI_OK( mp_add_d(&a, 1, &a) );
-    } while (PR_TRUE);
-    MPINT_TO_SECITEM(&p, &dhparams->prime, arena);
-    MPINT_TO_SECITEM(&a, &dhparams->base, arena);
-    *params = dhparams;
-cleanup:
-    mp_clear(&p);
-    mp_clear(&q);
-    mp_clear(&a);
-    mp_clear(&h);
-    mp_clear(&psub1);
-    mp_clear(&test);
-    if (pb) PORT_ZFree(pb, primeLen);
-    if (ab) PORT_ZFree(ab, primeLen);
-    if (err) {
-	MP_TO_SEC_ERROR(err);
-	rv = SECFailure;
-    }
-    if (rv)
-	PORT_FreeArena(arena, PR_TRUE);
-    return rv;
-}
-
-SECStatus 
-DH_NewKey(DHParams *params, DHPrivateKey **privKey)
-{
-    PRArenaPool *arena;
-    DHPrivateKey *key;
-    mp_int g, xa, p, Ya;
-    mp_err   err = MP_OKAY;
-    SECStatus rv = SECSuccess;
-    if (!params || !privKey) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);
-    if (!arena) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return SECFailure;
-    }
-    key = (DHPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(DHPrivateKey));
-    if (!key) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	PORT_FreeArena(arena, PR_TRUE);
-	return SECFailure;
-    }
-    key->arena = arena;
-    MP_DIGITS(&g)  = 0;
-    MP_DIGITS(&xa) = 0;
-    MP_DIGITS(&p)  = 0;
-    MP_DIGITS(&Ya) = 0;
-    CHECK_MPI_OK( mp_init(&g)  );
-    CHECK_MPI_OK( mp_init(&xa) );
-    CHECK_MPI_OK( mp_init(&p)  );
-    CHECK_MPI_OK( mp_init(&Ya) );
-    /* Set private key's p */
-    CHECK_SEC_OK( SECITEM_CopyItem(arena, &key->prime, &params->prime) );
-    SECITEM_TO_MPINT(key->prime, &p);
-    /* Set private key's g */
-    CHECK_SEC_OK( SECITEM_CopyItem(arena, &key->base, &params->base) );
-    SECITEM_TO_MPINT(key->base, &g);
-    /* Generate private key xa */
-    SECITEM_AllocItem(arena, &key->privateValue, DH_SECRET_KEY_LEN);
-    RNG_GenerateGlobalRandomBytes(key->privateValue.data, 
-                                  key->privateValue.len);
-    SECITEM_TO_MPINT( key->privateValue, &xa );
-    /* xa < p */
-    CHECK_MPI_OK( mp_mod(&xa, &p, &xa) );
-    /* Compute public key Ya = g ** xa mod p */
-    CHECK_MPI_OK( mp_exptmod(&g, &xa, &p, &Ya) );
-    MPINT_TO_SECITEM(&Ya, &key->publicValue, key->arena);
-    *privKey = key;
-cleanup:
-    mp_clear(&g);
-    mp_clear(&xa);
-    mp_clear(&p);
-    mp_clear(&Ya);
-    if (err) {
-	MP_TO_SEC_ERROR(err);
-	rv = SECFailure;
-    }
-    if (rv)
-	PORT_FreeArena(arena, PR_TRUE);
-    return rv;
-}
-
-SECStatus 
-DH_Derive(SECItem *publicValue, 
-          SECItem *prime, 
-          SECItem *privateValue, 
-          SECItem *derivedSecret, 
-          unsigned int maxOutBytes)
-{
-    mp_int p, Xa, Yb, ZZ;
-    mp_err err = MP_OKAY;
-    unsigned int len = 0, nb;
-    unsigned char *secret = NULL;
-    if (!publicValue || !prime || !privateValue || !derivedSecret) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    memset(derivedSecret, 0, sizeof *derivedSecret);
-    MP_DIGITS(&p)  = 0;
-    MP_DIGITS(&Xa) = 0;
-    MP_DIGITS(&Yb) = 0;
-    MP_DIGITS(&ZZ) = 0;
-    CHECK_MPI_OK( mp_init(&p)  );
-    CHECK_MPI_OK( mp_init(&Xa) );
-    CHECK_MPI_OK( mp_init(&Yb) );
-    CHECK_MPI_OK( mp_init(&ZZ) );
-    SECITEM_TO_MPINT(*publicValue,  &Yb);
-    SECITEM_TO_MPINT(*privateValue, &Xa);
-    SECITEM_TO_MPINT(*prime,        &p);
-    /* ZZ = (Yb)**Xa mod p */
-    CHECK_MPI_OK( mp_exptmod(&Yb, &Xa, &p, &ZZ) );
-    /* number of bytes in the derived secret */
-    len = mp_unsigned_octet_size(&ZZ);
-    /* allocate a buffer which can hold the entire derived secret. */
-    secret = PORT_Alloc(len);
-    /* grab the derived secret */
-    err = mp_to_unsigned_octets(&ZZ, secret, len);
-    if (err >= 0) err = MP_OKAY;
-    /* Take minimum of bytes requested and bytes in derived secret,
-    ** if maxOutBytes is 0 take all of the bytes from the derived secret.
-    */
-    if (maxOutBytes > 0)
-	nb = PR_MIN(len, maxOutBytes);
-    else
-	nb = len;
-    SECITEM_AllocItem(NULL, derivedSecret, nb);
-    memcpy(derivedSecret->data, secret, nb);
-cleanup:
-    mp_clear(&p);
-    mp_clear(&Xa);
-    mp_clear(&Yb);
-    mp_clear(&ZZ);
-    if (secret) {
-	/* free the buffer allocated for the full secret. */
-	PORT_ZFree(secret, len);
-    }
-    if (err) {
-	MP_TO_SEC_ERROR(err);
-	if (derivedSecret->data) 
-	    PORT_ZFree(derivedSecret->data, derivedSecret->len);
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-SECStatus 
-KEA_Derive(SECItem *prime, 
-           SECItem *public1, 
-           SECItem *public2, 
-           SECItem *private1, 
-           SECItem *private2,
-           SECItem *derivedSecret)
-{
-    mp_int p, Y, R, r, x, t, u, w;
-    mp_err err;
-    unsigned char *secret = NULL;
-    unsigned int len = 0, offset;
-    if (!prime || !public1 || !public2 || !private1 || !private2 ||
-        !derivedSecret) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    memset(derivedSecret, 0, sizeof *derivedSecret);
-    MP_DIGITS(&p) = 0;
-    MP_DIGITS(&Y) = 0;
-    MP_DIGITS(&R) = 0;
-    MP_DIGITS(&r) = 0;
-    MP_DIGITS(&x) = 0;
-    MP_DIGITS(&t) = 0;
-    MP_DIGITS(&u) = 0;
-    MP_DIGITS(&w) = 0;
-    CHECK_MPI_OK( mp_init(&p) );
-    CHECK_MPI_OK( mp_init(&Y) );
-    CHECK_MPI_OK( mp_init(&R) );
-    CHECK_MPI_OK( mp_init(&r) );
-    CHECK_MPI_OK( mp_init(&x) );
-    CHECK_MPI_OK( mp_init(&t) );
-    CHECK_MPI_OK( mp_init(&u) );
-    CHECK_MPI_OK( mp_init(&w) );
-    SECITEM_TO_MPINT(*prime,    &p);
-    SECITEM_TO_MPINT(*public1,  &Y);
-    SECITEM_TO_MPINT(*public2,  &R);
-    SECITEM_TO_MPINT(*private1, &r);
-    SECITEM_TO_MPINT(*private2, &x);
-    /* t = DH(Y, r, p) = Y ** r mod p */
-    CHECK_MPI_OK( mp_exptmod(&Y, &r, &p, &t) );
-    /* u = DH(R, x, p) = R ** x mod p */
-    CHECK_MPI_OK( mp_exptmod(&R, &x, &p, &u) );
-    /* w = (t + u) mod p */
-    CHECK_MPI_OK( mp_addmod(&t, &u, &p, &w) );
-    /* allocate a buffer for the full derived secret */
-    len = mp_unsigned_octet_size(&w);
-    secret = PORT_Alloc(len);
-    /* grab the secret */
-    err = mp_to_unsigned_octets(&w, secret, len);
-    if (err > 0) err = MP_OKAY;
-    /* allocate output buffer */
-    SECITEM_AllocItem(NULL, derivedSecret, KEA_DERIVED_SECRET_LEN);
-    memset(derivedSecret->data, 0, derivedSecret->len);
-    /* copy in the 128 lsb of the secret */
-    if (len >= KEA_DERIVED_SECRET_LEN) {
-	memcpy(derivedSecret->data, secret + (len - KEA_DERIVED_SECRET_LEN),
-	       KEA_DERIVED_SECRET_LEN);
-    } else {
-	offset = KEA_DERIVED_SECRET_LEN - len;
-	memcpy(derivedSecret->data + offset, secret, len);
-    }
-cleanup:
-    mp_clear(&p);
-    mp_clear(&Y);
-    mp_clear(&R);
-    mp_clear(&r);
-    mp_clear(&x);
-    mp_clear(&t);
-    mp_clear(&u);
-    mp_clear(&w);
-    if (secret)
-	PORT_ZFree(secret, len);
-    if (err) {
-	MP_TO_SEC_ERROR(err);
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-PRBool 
-KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime)
-{
-    mp_int p, q, y, r;
-    mp_err err;
-    int cmp = 1;  /* default is false */
-    if (!Y || !prime || !subPrime) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    MP_DIGITS(&p) = 0;
-    MP_DIGITS(&q) = 0;
-    MP_DIGITS(&y) = 0;
-    MP_DIGITS(&r) = 0;
-    CHECK_MPI_OK( mp_init(&p) );
-    CHECK_MPI_OK( mp_init(&q) );
-    CHECK_MPI_OK( mp_init(&y) );
-    CHECK_MPI_OK( mp_init(&r) );
-    SECITEM_TO_MPINT(*prime,    &p);
-    SECITEM_TO_MPINT(*subPrime, &q);
-    SECITEM_TO_MPINT(*Y,        &y);
-    /* compute r = y**q mod p */
-    CHECK_MPI_OK( mp_exptmod(&y, &q, &p, &r) );
-    /* compare to 1 */
-    cmp = mp_cmp_d(&r, 1);
-cleanup:
-    mp_clear(&p);
-    mp_clear(&q);
-    mp_clear(&y);
-    mp_clear(&r);
-    if (err) {
-	MP_TO_SEC_ERROR(err);
-	return PR_FALSE;
-    }
-    return (cmp == 0) ? PR_TRUE : PR_FALSE;
-}
diff --git a/security/nss/lib/freebl/dsa.c b/security/nss/lib/freebl/dsa.c
deleted file mode 100644
index 7f4c42863..000000000
--- a/security/nss/lib/freebl/dsa.c
+++ /dev/null
@@ -1,450 +0,0 @@
-/*
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "secerr.h"
-
-#include "prtypes.h"
-#include "prinit.h"
-#include "blapi.h"
-#include "nssilock.h"
-#include "secitem.h"
-#include "blapi.h"
-#include "mpi.h"
-#include "secmpi.h"
-
- /* XXX to be replaced by define in blapit.h */
-#define NSS_FREEBL_DSA_DEFAULT_CHUNKSIZE 2048
-
-/* DSA-specific random number function defined in prng_fips1861.c. */
-extern SECStatus 
-DSA_GenerateGlobalRandomBytes(void *dest, size_t len, const unsigned char *q);
-
-static void translate_mpi_error(mp_err err)
-{
-    MP_TO_SEC_ERROR(err);
-}
-
-SECStatus 
-dsa_NewKey(const PQGParams *params, DSAPrivateKey **privKey, 
-           const unsigned char *xb)
-{
-    mp_int p, g;
-    mp_int x, y;
-    mp_err err;
-    PRArenaPool *arena;
-    DSAPrivateKey *key;
-    /* Check args. */
-    if (!params || !privKey) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    /* Initialize an arena for the DSA key. */
-    arena = PORT_NewArena(NSS_FREEBL_DSA_DEFAULT_CHUNKSIZE);
-    if (!arena) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return SECFailure;
-    }
-    key = (DSAPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(DSAPrivateKey));
-    if (!key) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	PORT_FreeArena(arena, PR_TRUE);
-	return SECFailure;
-    }
-    key->params.arena = arena;
-    /* Initialize MPI integers. */
-    MP_DIGITS(&p) = 0;
-    MP_DIGITS(&g) = 0;
-    MP_DIGITS(&x) = 0;
-    MP_DIGITS(&y) = 0;
-    CHECK_MPI_OK( mp_init(&p) );
-    CHECK_MPI_OK( mp_init(&g) );
-    CHECK_MPI_OK( mp_init(&x) );
-    CHECK_MPI_OK( mp_init(&y) );
-    /* Copy over the PQG params */
-    CHECK_MPI_OK( SECITEM_CopyItem(arena, &key->params.prime,
-                                          &params->prime) );
-    CHECK_MPI_OK( SECITEM_CopyItem(arena, &key->params.subPrime,
-                                          &params->subPrime) );
-    CHECK_MPI_OK( SECITEM_CopyItem(arena, &key->params.base, &params->base) );
-    /* Convert stored p, g, and received x into MPI integers. */
-    SECITEM_TO_MPINT(params->prime, &p);
-    SECITEM_TO_MPINT(params->base,  &g);
-    OCTETS_TO_MPINT(xb, &x, DSA_SUBPRIME_LEN);
-    /* Store x in private key */
-    SECITEM_AllocItem(arena, &key->privateValue, DSA_SUBPRIME_LEN);
-    memcpy(key->privateValue.data, xb, DSA_SUBPRIME_LEN);
-    /* Compute public key y = g**x mod p */
-    CHECK_MPI_OK( mp_exptmod(&g, &x, &p, &y) );
-    /* Store y in public key */
-    MPINT_TO_SECITEM(&y, &key->publicValue, arena);
-    *privKey = key;
-    key = NULL;
-cleanup:
-    mp_clear(&p);
-    mp_clear(&g);
-    mp_clear(&x);
-    mp_clear(&y);
-    if (key)
-	PORT_FreeArena(key->params.arena, PR_TRUE);
-    if (err) {
-	translate_mpi_error(err);
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-/*
-** Generate and return a new DSA public and private key pair,
-**	both of which are encoded into a single DSAPrivateKey struct.
-**	"params" is a pointer to the PQG parameters for the domain
-**	Uses a random seed.
-*/
-SECStatus 
-DSA_NewKey(const PQGParams *params, DSAPrivateKey **privKey)
-{
-    SECStatus rv;
-    unsigned char seed[DSA_SUBPRIME_LEN];
-    int retries = 10;
-    int i;
-    PRBool good;
-
-    do {
-	/* Generate seed bytes for x according to FIPS 186-1 appendix 3 */
-	if (DSA_GenerateGlobalRandomBytes(seed, DSA_SUBPRIME_LEN,
-					  params->subPrime.data))
-	    return SECFailure;
-	/* Disallow values of 0 and 1 for x. */
-	good = PR_FALSE;
-	for (i = 0; i < DSA_SUBPRIME_LEN-1; i++) {
-	    if (seed[i] != 0) {
-		good = PR_TRUE;
-		break;
-	    }
-	}
-	if (!good && seed[i] > 1) {
-	    good = PR_TRUE;
-	}
-    } while (!good && --retries > 0);
-
-    if (!good) {
-	PORT_SetError(SEC_ERROR_NEED_RANDOM);
-	return SECFailure;
-    }
-
-    /* Generate a new DSA key using random seed. */
-    rv = dsa_NewKey(params, privKey, seed);
-    return rv;
-}
-
-/* For FIPS compliance testing. Seed must be exactly 20 bytes long */
-SECStatus 
-DSA_NewKeyFromSeed(const PQGParams *params, 
-                   const unsigned char *seed,
-                   DSAPrivateKey **privKey)
-{
-    SECStatus rv;
-    rv = dsa_NewKey(params, privKey, seed);
-    return rv;
-}
-
-static SECStatus 
-dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
-               const unsigned char *kb)
-{
-    mp_int p, q, g;  /* PQG parameters */
-    mp_int x, k;     /* private key & pseudo-random integer */
-    mp_int r, s;     /* tuple (r, s) is signature) */
-    mp_err err   = MP_OKAY;
-    SECStatus rv = SECSuccess;
-
-    /* FIPS-compliance dictates that digest is a SHA1 hash. */
-    /* Check args. */
-    if (!key || !signature || !digest ||
-        (signature->len < DSA_SIGNATURE_LEN) ||
-	(digest->len != SHA1_LENGTH)) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    /* Initialize MPI integers. */
-    MP_DIGITS(&p) = 0;
-    MP_DIGITS(&q) = 0;
-    MP_DIGITS(&g) = 0;
-    MP_DIGITS(&x) = 0;
-    MP_DIGITS(&k) = 0;
-    MP_DIGITS(&r) = 0;
-    MP_DIGITS(&s) = 0;
-    CHECK_MPI_OK( mp_init(&p) );
-    CHECK_MPI_OK( mp_init(&q) );
-    CHECK_MPI_OK( mp_init(&g) );
-    CHECK_MPI_OK( mp_init(&x) );
-    CHECK_MPI_OK( mp_init(&k) );
-    CHECK_MPI_OK( mp_init(&r) );
-    CHECK_MPI_OK( mp_init(&s) );
-    /*
-    ** Convert stored PQG and private key into MPI integers.
-    */
-    SECITEM_TO_MPINT(key->params.prime,    &p);
-    SECITEM_TO_MPINT(key->params.subPrime, &q);
-    SECITEM_TO_MPINT(key->params.base,     &g);
-    SECITEM_TO_MPINT(key->privateValue,    &x);
-    OCTETS_TO_MPINT(kb, &k, DSA_SUBPRIME_LEN);
-    /*
-    ** FIPS 186-1, Section 5, Step 1
-    **
-    ** r = (g**k mod p) mod q
-    */
-    CHECK_MPI_OK( mp_exptmod(&g, &k, &p, &r) ); /* r = g**k mod p */
-    CHECK_MPI_OK(     mp_mod(&r, &q, &r) );     /* r = r mod q    */
-    /*                                  
-    ** FIPS 186-1, Section 5, Step 2
-    **
-    ** s = (k**-1 * (SHA1(M) + x*r)) mod q
-    */
-    SECITEM_TO_MPINT(*digest, &s);         /* s = SHA1(M)     */
-    CHECK_MPI_OK( mp_invmod(&k, &q, &k) );      /* k = k**-1 mod q */
-    CHECK_MPI_OK( mp_mulmod(&x, &r, &q, &x) );  /* x = x * r mod q */
-    CHECK_MPI_OK( mp_addmod(&s, &x, &q, &s) );  /* s = s + x mod q */
-    CHECK_MPI_OK( mp_mulmod(&s, &k, &q, &s) );  /* s = s * k mod q */
-    /*
-    ** verify r != 0 and s != 0
-    ** mentioned as optional in FIPS 186-1.
-    */
-    if (mp_cmp_z(&r) == 0 || mp_cmp_z(&s) == 0) {
-	PORT_SetError(SEC_ERROR_NEED_RANDOM);
-	rv = SECFailure;
-	goto cleanup;
-    }
-    /*
-    ** Step 4
-    **
-    ** Signature is tuple (r, s)
-    */
-    err = mp_to_fixlen_octets(&r, signature->data, DSA_SUBPRIME_LEN);
-    if (err < 0) goto cleanup; 
-    err = mp_to_fixlen_octets(&s, signature->data + DSA_SUBPRIME_LEN, 
-                                  DSA_SUBPRIME_LEN);
-    if (err < 0) goto cleanup; 
-    err = MP_OKAY;
-    signature->len = DSA_SIGNATURE_LEN;
-cleanup:
-    mp_clear(&p);
-    mp_clear(&q);
-    mp_clear(&g);
-    mp_clear(&x);
-    mp_clear(&k);
-    mp_clear(&r);
-    mp_clear(&s);
-    if (err) {
-	translate_mpi_error(err);
-	rv = SECFailure;
-    }
-    return rv;
-}
-
-/* signature is caller-supplied buffer of at least 40 bytes.
-** On input,  signature->len == size of buffer to hold signature.
-**            digest->len    == size of digest.
-** On output, signature->len == size of signature in buffer.
-** Uses a random seed.
-*/
-SECStatus 
-DSA_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest)
-{
-    SECStatus rv;
-    int       retries = 10;
-    unsigned char kSeed[DSA_SUBPRIME_LEN];
-    int       i;
-    PRBool    good;
-
-    PORT_SetError(0);
-    do {
-	rv = DSA_GenerateGlobalRandomBytes(kSeed, DSA_SUBPRIME_LEN, 
-					   key->params.subPrime.data);
-	if (rv != SECSuccess) 
-	    break;
-	/* Disallow a value of 0 for k. */
-	good = PR_FALSE;
-	for (i = 0; i < DSA_SUBPRIME_LEN; i++) {
-	    if (kSeed[i] != 0) {
-		good = PR_TRUE;
-		break;
-	    }
-	}
-	if (!good) {
-	    PORT_SetError(SEC_ERROR_NEED_RANDOM);
-	    rv = SECFailure;
-	    continue;
-	}
-	rv = dsa_SignDigest(key, signature, digest, kSeed);
-    } while (rv != SECSuccess && PORT_GetError() == SEC_ERROR_NEED_RANDOM &&
-	     --retries > 0);
-    return rv;
-}
-
-/* For FIPS compliance testing. Seed must be exactly 20 bytes. */
-SECStatus 
-DSA_SignDigestWithSeed(DSAPrivateKey * key,
-                       SECItem *       signature,
-                       const SECItem * digest,
-                       const unsigned char * seed)
-{
-    SECStatus rv;
-    rv = dsa_SignDigest(key, signature, digest, seed);
-    return rv;
-}
-
-/* signature is caller-supplied buffer of at least 20 bytes.
-** On input,  signature->len == size of buffer to hold signature.
-**            digest->len    == size of digest.
-*/
-SECStatus 
-DSA_VerifyDigest(DSAPublicKey *key, const SECItem *signature, 
-                 const SECItem *digest)
-{
-    /* FIPS-compliance dictates that digest is a SHA1 hash. */
-    mp_int p, q, g;      /* PQG parameters */
-    mp_int r_, s_;       /* tuple (r', s') is received signature) */
-    mp_int u1, u2, v, w; /* intermediate values used in verification */
-    mp_int y;            /* public key */
-    mp_err err;
-    SECStatus verified = SECFailure;
-
-    /* Check args. */
-    if (!key || !signature || !digest ||
-        (signature->len != DSA_SIGNATURE_LEN) ||
-	(digest->len != SHA1_LENGTH)) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    /* Initialize MPI integers. */
-    MP_DIGITS(&p)  = 0;
-    MP_DIGITS(&q)  = 0;
-    MP_DIGITS(&g)  = 0;
-    MP_DIGITS(&y)  = 0;
-    MP_DIGITS(&r_) = 0;
-    MP_DIGITS(&s_) = 0;
-    MP_DIGITS(&u1) = 0;
-    MP_DIGITS(&u2) = 0;
-    MP_DIGITS(&v)  = 0;
-    MP_DIGITS(&w)  = 0;
-    CHECK_MPI_OK( mp_init(&p)  );
-    CHECK_MPI_OK( mp_init(&q)  );
-    CHECK_MPI_OK( mp_init(&g)  );
-    CHECK_MPI_OK( mp_init(&y)  );
-    CHECK_MPI_OK( mp_init(&r_) );
-    CHECK_MPI_OK( mp_init(&s_) );
-    CHECK_MPI_OK( mp_init(&u1) );
-    CHECK_MPI_OK( mp_init(&u2) );
-    CHECK_MPI_OK( mp_init(&v)  );
-    CHECK_MPI_OK( mp_init(&w)  );
-    /*
-    ** Convert stored PQG and public key into MPI integers.
-    */
-    SECITEM_TO_MPINT(key->params.prime,    &p);
-    SECITEM_TO_MPINT(key->params.subPrime, &q);
-    SECITEM_TO_MPINT(key->params.base,     &g);
-    SECITEM_TO_MPINT(key->publicValue,     &y);
-    /*
-    ** Convert received signature (r', s') into MPI integers.
-    */
-    OCTETS_TO_MPINT(signature->data, &r_, DSA_SUBPRIME_LEN);
-    OCTETS_TO_MPINT(signature->data + DSA_SUBPRIME_LEN, &s_, DSA_SUBPRIME_LEN);
-    /*
-    ** Verify that 0 < r' < q and 0 < s' < q
-    */
-    if (mp_cmp_z(&r_) <= 0 || mp_cmp_z(&s_) <= 0 ||
-        mp_cmp(&r_, &q) >= 0 || mp_cmp(&s_, &q) >= 0) {
-	/* err is zero here. */
-	PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-	goto cleanup; /* will return verified == SECFailure */
-    }
-    /*
-    ** FIPS 186-1, Section 6, Step 1
-    **
-    ** w = (s')**-1 mod q
-    */
-    CHECK_MPI_OK( mp_invmod(&s_, &q, &w) );      /* w = (s')**-1 mod q */
-    /*
-    ** FIPS 186-1, Section 6, Step 2
-    **
-    ** u1 = ((SHA1(M')) * w) mod q
-    */
-    SECITEM_TO_MPINT(*digest, &u1);              /* u1 = SHA1(M')     */
-    CHECK_MPI_OK( mp_mulmod(&u1, &w, &q, &u1) ); /* u1 = u1 * w mod q */
-    /*
-    ** FIPS 186-1, Section 6, Step 3
-    **
-    ** u2 = ((r') * w) mod q
-    */
-    CHECK_MPI_OK( mp_mulmod(&r_, &w, &q, &u2) );
-    /*
-    ** FIPS 186-1, Section 6, Step 4
-    **
-    ** v = ((g**u1 * y**u2) mod p) mod q
-    */
-    CHECK_MPI_OK( mp_exptmod(&g, &u1, &p, &g) ); /* g = g**u1 mod p */
-    CHECK_MPI_OK( mp_exptmod(&y, &u2, &p, &y) ); /* y = y**u2 mod p */
-    CHECK_MPI_OK(  mp_mulmod(&g, &y, &p, &v)  ); /* v = g * y mod p */
-    CHECK_MPI_OK(     mp_mod(&v, &q, &v)      ); /* v = v mod q     */
-    /*
-    ** Verification:  v == r'
-    */
-    if (mp_cmp(&v, &r_)) {
-	PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-	verified = SECFailure; /* Signature failed to verify. */
-    } else {
-	verified = SECSuccess; /* Signature verified. */
-    }
-cleanup:
-    mp_clear(&p);
-    mp_clear(&q);
-    mp_clear(&g);
-    mp_clear(&y);
-    mp_clear(&r_);
-    mp_clear(&s_);
-    mp_clear(&u1);
-    mp_clear(&u2);
-    mp_clear(&v);
-    mp_clear(&w);
-    if (err) {
-	translate_mpi_error(err);
-    }
-    return verified;
-}
diff --git a/security/nss/lib/freebl/ec.c b/security/nss/lib/freebl/ec.c
deleted file mode 100644
index 563e10438..000000000
--- a/security/nss/lib/freebl/ec.c
+++ /dev/null
@@ -1,1053 +0,0 @@
-/*
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Elliptic Curve Cryptography library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com> and
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "blapi.h"
-#include "prerr.h"
-#include "secerr.h"
-#include "secmpi.h"
-#include "secitem.h"
-#include "ec.h"
-#include "ecl.h"
-
-#ifdef NSS_ENABLE_ECC
-
-/* 
- * Returns true if pointP is the point at infinity, false otherwise
- */
-PRBool
-ec_point_at_infinity(SECItem *pointP)
-{
-    int i;
-
-    for (i = 1; i < pointP->len; i++) {
-	if (pointP->data[i] != 0x00) return PR_FALSE;
-    }
-
-    return PR_TRUE;
-}
-
-/* 
- * Computes scalar point multiplication pointQ = k1 * G + k2 * pointP for
- * the curve whose parameters are encoded in params with base point G.
- */
-SECStatus 
-ec_points_mul(const ECParams *params, const mp_int *k1, const mp_int *k2,
-             const SECItem *pointP, SECItem *pointQ)
-{
-    mp_int Px, Py, Qx, Qy;
-    mp_int Gx, Gy, order, irreducible, a, b;
-#if 0 /* currently don't support non-named curves */
-    unsigned int irr_arr[5];
-#endif
-    ECGroup *group = NULL;
-    SECStatus rv = SECFailure;
-    mp_err err = MP_OKAY;
-    int len;
-
-#if EC_DEBUG
-    int i;
-    char mpstr[256];
-
-    printf("ec_points_mul: params [len=%d]:", params->DEREncoding.len);
-    for (i = 0; i < params->DEREncoding.len; i++) 
-	    printf("%02x:", params->DEREncoding.data[i]);
-    printf("\n");
-
-	if (k1 != NULL) {
-		mp_tohex(k1, mpstr);
-		printf("ec_points_mul: scalar k1: %s\n", mpstr);
-		mp_todecimal(k1, mpstr);
-		printf("ec_points_mul: scalar k1: %s (dec)\n", mpstr);
-	}
-
-	if (k2 != NULL) {
-		mp_tohex(k2, mpstr);
-		printf("ec_points_mul: scalar k2: %s\n", mpstr);
-		mp_todecimal(k2, mpstr);
-		printf("ec_points_mul: scalar k2: %s (dec)\n", mpstr);
-	}
-
-	if (pointP != NULL) {
-		printf("ec_points_mul: pointP [len=%d]:", pointP->len);
-		for (i = 0; i < pointP->len; i++) 
-			printf("%02x:", pointP->data[i]);
-		printf("\n");
-	}
-#endif
-
-	/* NOTE: We only support uncompressed points for now */
-	len = (params->fieldID.size + 7) >> 3;
-	if (pointP != NULL) {
-		if ((pointP->data[0] != EC_POINT_FORM_UNCOMPRESSED) ||
-			(pointP->len != (2 * len + 1))) {
-			return SECFailure;
-		};
-	}
-
-	MP_DIGITS(&Px) = 0;
-	MP_DIGITS(&Py) = 0;
-	MP_DIGITS(&Qx) = 0;
-	MP_DIGITS(&Qy) = 0;
-	MP_DIGITS(&Gx) = 0;
-	MP_DIGITS(&Gy) = 0;
-	MP_DIGITS(&order) = 0;
-	MP_DIGITS(&irreducible) = 0;
-	MP_DIGITS(&a) = 0;
-	MP_DIGITS(&b) = 0;
-	CHECK_MPI_OK( mp_init(&Px) );
-	CHECK_MPI_OK( mp_init(&Py) );
-	CHECK_MPI_OK( mp_init(&Qx) );
-	CHECK_MPI_OK( mp_init(&Qy) );
-	CHECK_MPI_OK( mp_init(&Gx) );
-	CHECK_MPI_OK( mp_init(&Gy) );
-	CHECK_MPI_OK( mp_init(&order) );
-	CHECK_MPI_OK( mp_init(&irreducible) );
-	CHECK_MPI_OK( mp_init(&a) );
-	CHECK_MPI_OK( mp_init(&b) );
-
-	if ((k2 != NULL) && (pointP != NULL)) {
-		/* Initialize Px and Py */
-		CHECK_MPI_OK( mp_read_unsigned_octets(&Px, pointP->data + 1, (mp_size) len) );
-		CHECK_MPI_OK( mp_read_unsigned_octets(&Py, pointP->data + 1 + len, (mp_size) len) );
-	}
-
-	/* construct from named params, if possible */
-	if (params->name != ECCurve_noName) {
-		group = ECGroup_fromName(params->name);
-	}
-
-#if 0 /* currently don't support non-named curves */
-	if (group == NULL) {
-		/* Set up mp_ints containing the curve coefficients */
-		CHECK_MPI_OK( mp_read_unsigned_octets(&Gx, params->base.data + 1, 
-										  (mp_size) len) );
-		CHECK_MPI_OK( mp_read_unsigned_octets(&Gy, params->base.data + 1 + len, 
-										  (mp_size) len) );
-		SECITEM_TO_MPINT( params->order, &order );
-		SECITEM_TO_MPINT( params->curve.a, &a );
-		SECITEM_TO_MPINT( params->curve.b, &b );
-		if (params->fieldID.type == ec_field_GFp) {
-			SECITEM_TO_MPINT( params->fieldID.u.prime, &irreducible );
-			group = ECGroup_consGFp(&irreducible, &a, &b, &Gx, &Gy, &order, params->cofactor);
-		} else {
-			SECITEM_TO_MPINT( params->fieldID.u.poly, &irreducible );
-			irr_arr[0] = params->fieldID.size;
-			irr_arr[1] = params->fieldID.k1;
-			irr_arr[2] = params->fieldID.k2;
-			irr_arr[3] = params->fieldID.k3;
-			irr_arr[4] = 0;
-			group = ECGroup_consGF2m(&irreducible, irr_arr, &a, &b, &Gx, &Gy, &order, params->cofactor);
-		}
-	}
-#endif
-	if (group == NULL)
-		goto cleanup;
-
-	if ((k2 != NULL) && (pointP != NULL)) {
-		CHECK_MPI_OK( ECPoints_mul(group, k1, k2, &Px, &Py, &Qx, &Qy) );
-	} else {
-		CHECK_MPI_OK( ECPoints_mul(group, k1, NULL, NULL, NULL, &Qx, &Qy) );
-    }
-
-    /* Construct the SECItem representation of point Q */
-    pointQ->data[0] = EC_POINT_FORM_UNCOMPRESSED;
-    CHECK_MPI_OK( mp_to_fixlen_octets(&Qx, pointQ->data + 1,
-	                              (mp_size) len) );
-    CHECK_MPI_OK( mp_to_fixlen_octets(&Qy, pointQ->data + 1 + len,
-	                              (mp_size) len) );
-
-    rv = SECSuccess;
-
-#if EC_DEBUG
-    printf("ec_points_mul: pointQ [len=%d]:", pointQ->len);
-    for (i = 0; i < pointQ->len; i++) 
-	    printf("%02x:", pointQ->data[i]);
-    printf("\n");
-#endif
-
-cleanup:
-    ECGroup_free(group);
-    mp_clear(&Px);
-    mp_clear(&Py);
-    mp_clear(&Qx);
-    mp_clear(&Qy);
-    mp_clear(&Gx);
-    mp_clear(&Gy);
-    mp_clear(&order);
-    mp_clear(&irreducible);
-    mp_clear(&a);
-    mp_clear(&b);
-    if (err) {
-	MP_TO_SEC_ERROR(err);
-	rv = SECFailure;
-    }
-
-    return rv;
-}
-#endif /* NSS_ENABLE_ECC */
-
-/* Generates a new EC key pair. The private key is a supplied
- * value and the public key is the result of performing a scalar 
- * point multiplication of that value with the curve's base point.
- */
-SECStatus 
-ec_NewKey(ECParams *ecParams, ECPrivateKey **privKey, 
-    const unsigned char *privKeyBytes, int privKeyLen)
-{
-    SECStatus rv = SECFailure;
-#ifdef NSS_ENABLE_ECC
-    PRArenaPool *arena;
-    ECPrivateKey *key;
-    mp_int k;
-    mp_err err = MP_OKAY;
-    int len;
-
-#if EC_DEBUG
-    printf("ec_NewKey called\n");
-#endif
-
-    if (!ecParams || !privKey || !privKeyBytes || (privKeyLen < 0)) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    /* Initialize an arena for the EC key. */
-    if (!(arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE)))
-	return SECFailure;
-
-    key = (ECPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(ECPrivateKey));
-    if (!key) {
-	PORT_FreeArena(arena, PR_TRUE);
-	return SECFailure;
-    }
-
-    /* Set the version number (SEC 1 section C.4 says it should be 1) */
-    SECITEM_AllocItem(arena, &key->version, 1);
-    key->version.data[0] = 1;
-
-    /* Copy all of the fields from the ECParams argument to the
-     * ECParams structure within the private key.
-     */
-    key->ecParams.arena = arena;
-    key->ecParams.type = ecParams->type;
-    key->ecParams.fieldID.size = ecParams->fieldID.size;
-    key->ecParams.fieldID.type = ecParams->fieldID.type;
-    if (ecParams->fieldID.type == ec_field_GFp) {
-	CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.fieldID.u.prime,
-	    &ecParams->fieldID.u.prime));
-    } else {
-	CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.fieldID.u.poly,
-	    &ecParams->fieldID.u.poly));
-    }
-    key->ecParams.fieldID.k1 = ecParams->fieldID.k1;
-    key->ecParams.fieldID.k2 = ecParams->fieldID.k2;
-    key->ecParams.fieldID.k3 = ecParams->fieldID.k3;
-    CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.curve.a,
-	&ecParams->curve.a));
-    CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.curve.b,
-	&ecParams->curve.b));
-    CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.curve.seed,
-	&ecParams->curve.seed));
-    CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.base,
-	&ecParams->base));
-    CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.order,
-	&ecParams->order));
-    key->ecParams.cofactor = ecParams->cofactor;
-    CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.DEREncoding,
-	&ecParams->DEREncoding));
-    key->ecParams.name = ecParams->name;
-    CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.curveOID,
-	&ecParams->curveOID));
-
-    len = (ecParams->fieldID.size + 7) >> 3;
-    SECITEM_AllocItem(arena, &key->publicValue, 2*len + 1);
-    len = ecParams->order.len;
-    SECITEM_AllocItem(arena, &key->privateValue, len);
-
-    /* Copy private key */
-    if (privKeyLen >= len) {
-	memcpy(key->privateValue.data, privKeyBytes, len);
-    } else {
-	memset(key->privateValue.data, 0, (len - privKeyLen));
-	memcpy(key->privateValue.data + (len - privKeyLen), privKeyBytes, privKeyLen);
-    }
-
-    /* Compute corresponding public key */
-    MP_DIGITS(&k) = 0;
-    CHECK_MPI_OK( mp_init(&k) );
-    CHECK_MPI_OK( mp_read_unsigned_octets(&k, key->privateValue.data, 
-	(mp_size) len) );
-
-    rv = ec_points_mul(ecParams, &k, NULL, NULL, &(key->publicValue));
-    if (rv != SECSuccess) goto cleanup;
-    *privKey = key;
-
-cleanup:
-    mp_clear(&k);
-    if (rv)
-	PORT_FreeArena(arena, PR_TRUE);
-
-#if EC_DEBUG
-    printf("ec_NewKey returning %s\n", 
-	(rv == SECSuccess) ? "success" : "failure");
-#endif
-#else
-    PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-#endif /* NSS_ENABLE_ECC */
-
-    return rv;
-
-}
-
-/* Generates a new EC key pair. The private key is a supplied
- * random value (in seed) and the public key is the result of 
- * performing a scalar point multiplication of that value with 
- * the curve's base point.
- */
-SECStatus 
-EC_NewKeyFromSeed(ECParams *ecParams, ECPrivateKey **privKey, 
-    const unsigned char *seed, int seedlen)
-{
-    SECStatus rv = SECFailure;
-#ifdef NSS_ENABLE_ECC
-    rv = ec_NewKey(ecParams, privKey, seed, seedlen);
-#else
-    PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-#endif /* NSS_ENABLE_ECC */
-    return rv;
-}
-
-/* Generates a new EC key pair. The private key is a random value and
- * the public key is the result of performing a scalar point multiplication
- * of that value with the curve's base point.  The random value for the
- * private key is generated using the algorithm A.4.1 of ANSI X9.62,
- * modified a la FIPS 186-2 Change Notice 1 to eliminate the bias in the
- * random number generator.
- */
-SECStatus 
-EC_NewKey(ECParams *ecParams, ECPrivateKey **privKey)
-{
-    SECStatus rv = SECFailure;
-#ifdef NSS_ENABLE_ECC
-    mp_err err;
-    int len;
-    unsigned char *privKeyBytes = NULL;
-    mp_int privKeyVal, order_1, one;
-
-    if (!ecParams || !privKey) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    MP_DIGITS(&privKeyVal) = 0;
-    MP_DIGITS(&order_1) = 0;
-    MP_DIGITS(&one) = 0;
-    CHECK_MPI_OK( mp_init(&privKeyVal) );
-    CHECK_MPI_OK( mp_init(&order_1) );
-    CHECK_MPI_OK( mp_init(&one) );
-
-    /* Generate random private key.
-     * Generates 2*len random bytes using the global random bit generator
-     * (which implements Algorithm 1 of FIPS 186-2 Change Notice 1) then
-     * reduces modulo the group order.
-     */
-    len = ecParams->order.len;
-    if ((privKeyBytes = PORT_Alloc(2*len)) == NULL) goto cleanup;
-    CHECK_SEC_OK( RNG_GenerateGlobalRandomBytes(privKeyBytes, 2*len) );
-    CHECK_MPI_OK( mp_read_unsigned_octets(&privKeyVal, privKeyBytes, 2*len) );
-    CHECK_MPI_OK( mp_read_unsigned_octets(&order_1,
-					  ecParams->order.data, len) );
-    CHECK_MPI_OK( mp_set_int(&one, 1) );
-    CHECK_MPI_OK( mp_sub(&order_1, &one, &order_1) );
-    CHECK_MPI_OK( mp_mod(&privKeyVal, &order_1, &privKeyVal) );
-    CHECK_MPI_OK( mp_add(&privKeyVal, &one, &privKeyVal) );
-    CHECK_MPI_OK( mp_to_unsigned_octets(&privKeyVal, privKeyBytes, len) );
-    /* generate public key */
-    CHECK_SEC_OK( ec_NewKey(ecParams, privKey, privKeyBytes, len) );
-
-cleanup:
-    mp_clear(&privKeyVal);
-    mp_clear(&order_1);
-    mp_clear(&one);
-    if (privKeyBytes) {
-	PORT_ZFree(privKeyBytes, 2*len);
-    }
-    if (err < MP_OKAY) {
-	MP_TO_SEC_ERROR(err);
-	rv = SECFailure;
-    }
-#if EC_DEBUG
-    printf("EC_NewKey returning %s\n", 
-	(rv == SECSuccess) ? "success" : "failure");
-#endif
-#else
-    PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-#endif /* NSS_ENABLE_ECC */
-    
-    return rv;
-}
-
-/* Validates an EC public key as described in Section 5.2.2 of
- * X9.62. The ECDH primitive when used without the cofactor does
- * not address small subgroup attacks, which may occur when the
- * public key is not valid. These attacks can be prevented by 
- * validating the public key before using ECDH.
- */
-SECStatus 
-EC_ValidatePublicKey(ECParams *ecParams, SECItem *publicValue)
-{
-#ifdef NSS_ENABLE_ECC
-    mp_int Px, Py;
-    ECGroup *group = NULL;
-    SECStatus rv = SECFailure;
-    mp_err err = MP_OKAY;
-    int len;
-
-    if (!ecParams || !publicValue) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-	
-    /* NOTE: We only support uncompressed points for now */
-    len = (ecParams->fieldID.size + 7) >> 3;
-    if (publicValue->data[0] != EC_POINT_FORM_UNCOMPRESSED) {
-	PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM);
-	return SECFailure;
-    } else if (publicValue->len != (2 * len + 1)) {
-	PORT_SetError(SEC_ERROR_BAD_KEY);
-	return SECFailure;
-    }
-
-    MP_DIGITS(&Px) = 0;
-    MP_DIGITS(&Py) = 0;
-    CHECK_MPI_OK( mp_init(&Px) );
-    CHECK_MPI_OK( mp_init(&Py) );
-
-    /* Initialize Px and Py */
-    CHECK_MPI_OK( mp_read_unsigned_octets(&Px, publicValue->data + 1, (mp_size) len) );
-    CHECK_MPI_OK( mp_read_unsigned_octets(&Py, publicValue->data + 1 + len, (mp_size) len) );
-
-    /* construct from named params */
-    group = ECGroup_fromName(ecParams->name);
-    if (group == NULL) {
-	/*
-	 * ECGroup_fromName fails if ecParams->name is not a valid
-	 * ECCurveName value, or if we run out of memory, or perhaps
-	 * for other reasons.  Unfortunately if ecParams->name is a
-	 * valid ECCurveName value, we don't know what the right error
-	 * code should be because ECGroup_fromName doesn't return an
-	 * error code to the caller.  Set err to MP_UNDEF because
-	 * that's what ECGroup_fromName uses internally.
-	 */
-	if ((ecParams->name <= ECCurve_noName) ||
-	    (ecParams->name >= ECCurve_pastLastCurve)) {
-	    err = MP_BADARG;
-	} else {
-	    err = MP_UNDEF;
-	}
-	goto cleanup;
-    }
-
-    /* validate public point */
-    if ((err = ECPoint_validate(group, &Px, &Py)) < MP_YES) {
-	if (err == MP_NO) {
-	    PORT_SetError(SEC_ERROR_BAD_KEY);
-	    rv = SECFailure;
-	    err = MP_OKAY;  /* don't change the error code */
-	}
-	goto cleanup;
-    }
-
-    rv = SECSuccess;
-
-cleanup:
-    ECGroup_free(group);
-    mp_clear(&Px);
-    mp_clear(&Py);
-    if (err) {
-	MP_TO_SEC_ERROR(err);
-	rv = SECFailure;
-    }
-    return rv;
-#else
-    PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-    return SECFailure;
-#endif /* NSS_ENABLE_ECC */
-}
-
-/* 
-** Performs an ECDH key derivation by computing the scalar point
-** multiplication of privateValue and publicValue (with or without the
-** cofactor) and returns the x-coordinate of the resulting elliptic
-** curve point in derived secret.  If successful, derivedSecret->data
-** is set to the address of the newly allocated buffer containing the
-** derived secret, and derivedSecret->len is the size of the secret
-** produced. It is the caller's responsibility to free the allocated
-** buffer containing the derived secret.
-*/
-SECStatus 
-ECDH_Derive(SECItem  *publicValue, 
-            ECParams *ecParams,
-            SECItem  *privateValue,
-            PRBool    withCofactor,
-            SECItem  *derivedSecret)
-{
-    SECStatus rv = SECFailure;
-#ifdef NSS_ENABLE_ECC
-    unsigned int len = 0;
-    SECItem pointQ = {siBuffer, NULL, 0};
-    mp_int k; /* to hold the private value */
-    mp_int cofactor;
-    mp_err err = MP_OKAY;
-#if EC_DEBUG
-    int i;
-#endif
-
-    if (!publicValue || !ecParams || !privateValue || 
-	!derivedSecret) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    memset(derivedSecret, 0, sizeof *derivedSecret);
-    len = (ecParams->fieldID.size + 7) >> 3;  
-    pointQ.len = 2*len + 1;
-    if ((pointQ.data = PORT_Alloc(2*len + 1)) == NULL) goto cleanup;
-
-    MP_DIGITS(&k) = 0;
-    CHECK_MPI_OK( mp_init(&k) );
-    CHECK_MPI_OK( mp_read_unsigned_octets(&k, privateValue->data, 
-	                                  (mp_size) privateValue->len) );
-
-    if (withCofactor && (ecParams->cofactor != 1)) {
-	    /* multiply k with the cofactor */
-	    MP_DIGITS(&cofactor) = 0;
-	    CHECK_MPI_OK( mp_init(&cofactor) );
-	    mp_set(&cofactor, ecParams->cofactor);
-	    CHECK_MPI_OK( mp_mul(&k, &cofactor, &k) );
-    }
-
-    /* Multiply our private key and peer's public point */
-    if ((ec_points_mul(ecParams, NULL, &k, publicValue, &pointQ) != SECSuccess) ||
-	ec_point_at_infinity(&pointQ))
-	goto cleanup;
-
-    /* Allocate memory for the derived secret and copy
-     * the x co-ordinate of pointQ into it.
-     */
-    SECITEM_AllocItem(NULL, derivedSecret, len);
-    memcpy(derivedSecret->data, pointQ.data + 1, len);
-
-    rv = SECSuccess;
-
-#if EC_DEBUG
-    printf("derived_secret:\n");
-    for (i = 0; i < derivedSecret->len; i++) 
-	printf("%02x:", derivedSecret->data[i]);
-    printf("\n");
-#endif
-
-cleanup:
-    mp_clear(&k);
-
-    if (pointQ.data) {
-	PORT_ZFree(pointQ.data, 2*len + 1);
-    }
-#else
-    PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-#endif /* NSS_ENABLE_ECC */
-
-    return rv;
-}
-
-/* Computes the ECDSA signature (a concatenation of two values r and s)
- * on the digest using the given key and the random value kb (used in
- * computing s).
- */
-SECStatus 
-ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature, 
-    const SECItem *digest, const unsigned char *kb, const int kblen)
-{
-    SECStatus rv = SECFailure;
-#ifdef NSS_ENABLE_ECC
-    mp_int x1;
-    mp_int d, k;     /* private key, random integer */
-    mp_int r, s;     /* tuple (r, s) is the signature */
-    mp_int n;
-    mp_err err = MP_OKAY;
-    ECParams *ecParams = NULL;
-    SECItem kGpoint = { siBuffer, NULL, 0};
-    int len = 0;
-
-#if EC_DEBUG
-    char mpstr[256];
-#endif
-
-    /* Check args */
-    if (!key || !signature || !digest || !kb || (kblen < 0) ||
-	(digest->len != SHA1_LENGTH)) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	goto cleanup;
-    }
-
-    ecParams = &(key->ecParams);
-    len = (ecParams->fieldID.size + 7) >> 3;  
-    if (signature->len < 2*len) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	goto cleanup;
-    }
-
-    /* Initialize MPI integers. */
-    MP_DIGITS(&x1) = 0;
-    MP_DIGITS(&d) = 0;
-    MP_DIGITS(&k) = 0;
-    MP_DIGITS(&r) = 0;
-    MP_DIGITS(&s) = 0;
-    MP_DIGITS(&n) = 0;
-    CHECK_MPI_OK( mp_init(&x1) );
-    CHECK_MPI_OK( mp_init(&d) );
-    CHECK_MPI_OK( mp_init(&k) );
-    CHECK_MPI_OK( mp_init(&r) );
-    CHECK_MPI_OK( mp_init(&s) );
-    CHECK_MPI_OK( mp_init(&n) );
-
-    SECITEM_TO_MPINT( ecParams->order, &n );
-    SECITEM_TO_MPINT( key->privateValue, &d );
-    CHECK_MPI_OK( mp_read_unsigned_octets(&k, kb, kblen) );
-    /* Make sure k is in the interval [1, n-1] */
-    if ((mp_cmp_z(&k) <= 0) || (mp_cmp(&k, &n) >= 0)) {
-#if EC_DEBUG
-        printf("k is outside [1, n-1]\n");
-        mp_tohex(&k, mpstr);
-	printf("k : %s \n", mpstr);
-        mp_tohex(&n, mpstr);
-	printf("n : %s \n", mpstr);
-#endif
-	PORT_SetError(SEC_ERROR_NEED_RANDOM);
-	goto cleanup;
-    }
-
-    /* 
-    ** ANSI X9.62, Section 5.3.2, Step 2
-    **
-    ** Compute kG
-    */
-    kGpoint.len = 2*len + 1;
-    kGpoint.data = PORT_Alloc(2*len + 1);
-    if ((kGpoint.data == NULL) ||
-	(ec_points_mul(ecParams, &k, NULL, NULL, &kGpoint)
-	    != SECSuccess))
-	goto cleanup;
-
-    /* 
-    ** ANSI X9.62, Section 5.3.3, Step 1
-    **
-    ** Extract the x co-ordinate of kG into x1
-    */
-    CHECK_MPI_OK( mp_read_unsigned_octets(&x1, kGpoint.data + 1, 
-	                                  (mp_size) len) );
-
-    /* 
-    ** ANSI X9.62, Section 5.3.3, Step 2
-    **
-    ** r = x1 mod n  NOTE: n is the order of the curve
-    */
-    CHECK_MPI_OK( mp_mod(&x1, &n, &r) );
-
-    /*
-    ** ANSI X9.62, Section 5.3.3, Step 3
-    **
-    ** verify r != 0 
-    */
-    if (mp_cmp_z(&r) == 0) {
-	PORT_SetError(SEC_ERROR_NEED_RANDOM);
-	goto cleanup;
-    }
-
-    /*                                  
-    ** ANSI X9.62, Section 5.3.3, Step 4
-    **
-    ** s = (k**-1 * (SHA1(M) + d*r)) mod n 
-    */
-    SECITEM_TO_MPINT(*digest, &s);        /* s = SHA1(M)     */
-
-#if EC_DEBUG
-    mp_todecimal(&n, mpstr);
-    printf("n : %s (dec)\n", mpstr);
-    mp_todecimal(&d, mpstr);
-    printf("d : %s (dec)\n", mpstr);
-    mp_tohex(&x1, mpstr);
-    printf("x1: %s\n", mpstr);
-    mp_todecimal(&s, mpstr);
-    printf("digest: %s (decimal)\n", mpstr);
-    mp_todecimal(&r, mpstr);
-    printf("r : %s (dec)\n", mpstr);
-    mp_tohex(&r, mpstr);
-    printf("r : %s\n", mpstr);
-#endif
-
-    CHECK_MPI_OK( mp_invmod(&k, &n, &k) );      /* k = k**-1 mod n */
-    CHECK_MPI_OK( mp_mulmod(&d, &r, &n, &d) );  /* d = d * r mod n */
-    CHECK_MPI_OK( mp_addmod(&s, &d, &n, &s) );  /* s = s + d mod n */
-    CHECK_MPI_OK( mp_mulmod(&s, &k, &n, &s) );  /* s = s * k mod n */
-
-#if EC_DEBUG
-    mp_todecimal(&s, mpstr);
-    printf("s : %s (dec)\n", mpstr);
-    mp_tohex(&s, mpstr);
-    printf("s : %s\n", mpstr);
-#endif
-
-    /*
-    ** ANSI X9.62, Section 5.3.3, Step 5
-    **
-    ** verify s != 0
-    */
-    if (mp_cmp_z(&s) == 0) {
-	PORT_SetError(SEC_ERROR_NEED_RANDOM);
-	goto cleanup;
-    }
-
-   /*
-    **
-    ** Signature is tuple (r, s)
-    */
-    CHECK_MPI_OK( mp_to_fixlen_octets(&r, signature->data, len) );
-    CHECK_MPI_OK( mp_to_fixlen_octets(&s, signature->data + len, len) );
-    signature->len = 2*len;
-
-    rv = SECSuccess;
-    err = MP_OKAY;
-cleanup:
-    mp_clear(&x1);
-    mp_clear(&d);
-    mp_clear(&k);
-    mp_clear(&r);
-    mp_clear(&s);
-    mp_clear(&n);
-
-    if (kGpoint.data) {
-	PORT_ZFree(kGpoint.data, 2*len + 1);
-    }
-
-    if (err) {
-	MP_TO_SEC_ERROR(err);
-	rv = SECFailure;
-    }
-
-#if EC_DEBUG
-    printf("ECDSA signing with seed %s\n",
-	(rv == SECSuccess) ? "succeeded" : "failed");
-#endif
-#else
-    PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-#endif /* NSS_ENABLE_ECC */
-
-   return rv;
-}
-
-/*
-** Computes the ECDSA signature on the digest using the given key 
-** and a random seed.
-*/
-SECStatus 
-ECDSA_SignDigest(ECPrivateKey *key, SECItem *signature, const SECItem *digest)
-{
-    SECStatus rv = SECFailure;
-#ifdef NSS_ENABLE_ECC
-    int prerr = 0;
-    int n = key->ecParams.order.len;
-    unsigned char *kseed = NULL;
-    unsigned char *mask;
-    int i;
-
-    /* Generate random seed of appropriate size as dictated 
-     * by field size.
-     */
-    if ((kseed = PORT_Alloc(n)) == NULL) return SECFailure;
-
-    do {
-        if (RNG_GenerateGlobalRandomBytes(kseed, n) != SECSuccess) 
-	    goto cleanup;
-	/* make sure that kseed is smaller than the curve order */
-	mask = key->ecParams.order.data;
-	for (i = 0; (i < n) && (*mask == 0x00); i++, mask++) {
-#if EC_DEBUG
-	  printf("replacing byte %02x in position %d [n=%d] with zero\n", 
-		 *(kseed + i), i, n);
-#endif
-	  *(kseed + i) = 0x00;
-	}
-
-	if (i == n) {
-	    rv = SECFailure;
-	    prerr = SEC_ERROR_NEED_RANDOM;
-	} else {
-#if EC_DEBUG
-	    printf("replacing byte %02x in position %d [n=%d] with %d\n", 
-		   *(kseed + i), i, n, (*mask - 1));
-#endif
-	    if (*(kseed + i) >= *mask) 
-	        *(kseed + i) = *mask - 1;
-	    rv = ECDSA_SignDigestWithSeed(key, signature, digest, kseed, n);
-	    if (rv) prerr = PORT_GetError();
-	}
-    } while ((rv != SECSuccess) && (prerr == SEC_ERROR_NEED_RANDOM));
-
-cleanup:    
-    if (kseed) PORT_ZFree(kseed, n);
-
-#if EC_DEBUG
-    printf("ECDSA signing %s\n",
-	(rv == SECSuccess) ? "succeeded" : "failed");
-#endif
-#else
-    PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-#endif /* NSS_ENABLE_ECC */
-
-    return rv;
-}
-
-/*
-** Checks the signature on the given digest using the key provided.
-*/
-SECStatus 
-ECDSA_VerifyDigest(ECPublicKey *key, const SECItem *signature, 
-                 const SECItem *digest)
-{
-    SECStatus rv = SECFailure;
-#ifdef NSS_ENABLE_ECC
-    mp_int r_, s_;           /* tuple (r', s') is received signature) */
-    mp_int c, u1, u2, v;     /* intermediate values used in verification */
-    mp_int x1, y1;
-    mp_int x2, y2;
-    mp_int n;
-    mp_err err = MP_OKAY;
-    PRArenaPool *arena = NULL;
-    ECParams *ecParams = NULL;
-    SECItem pointA = { siBuffer, NULL, 0 };
-    SECItem pointB = { siBuffer, NULL, 0 };
-    SECItem pointC = { siBuffer, NULL, 0 };
-    int len;
-
-#if EC_DEBUG
-    char mpstr[256];
-    printf("ECDSA verification called\n");
-#endif
-
-    /* Check args */
-    if (!key || !signature || !digest ||
-	(digest->len != SHA1_LENGTH)) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	goto cleanup;
-    }
-
-    ecParams = &(key->ecParams);
-    len = (ecParams->fieldID.size + 7) >> 3;  
-    if (signature->len < 2*len) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	goto cleanup;
-    }
-
-    /* Initialize an arena for pointA, pointB and pointC */
-    if ((arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE)) == NULL)
-	goto cleanup;
-
-    SECITEM_AllocItem(arena, &pointA, 2*len + 1);
-    SECITEM_AllocItem(arena, &pointB, 2*len + 1);
-    SECITEM_AllocItem(arena, &pointC, 2*len + 1);
-    if (pointA.data == NULL || pointB.data == NULL || pointC.data == NULL)
-	goto cleanup;
-
-    /* Initialize MPI integers. */
-    MP_DIGITS(&r_) = 0;
-    MP_DIGITS(&s_) = 0;
-    MP_DIGITS(&c) = 0;
-    MP_DIGITS(&u1) = 0;
-    MP_DIGITS(&u2) = 0;
-    MP_DIGITS(&x1) = 0;
-    MP_DIGITS(&y1) = 0;
-    MP_DIGITS(&x2) = 0;
-    MP_DIGITS(&y2) = 0;
-    MP_DIGITS(&v)  = 0;
-    MP_DIGITS(&n)  = 0;
-    CHECK_MPI_OK( mp_init(&r_) );
-    CHECK_MPI_OK( mp_init(&s_) );
-    CHECK_MPI_OK( mp_init(&c)  );
-    CHECK_MPI_OK( mp_init(&u1) );
-    CHECK_MPI_OK( mp_init(&u2) );
-    CHECK_MPI_OK( mp_init(&x1)  );
-    CHECK_MPI_OK( mp_init(&y1)  );
-    CHECK_MPI_OK( mp_init(&x2)  );
-    CHECK_MPI_OK( mp_init(&y2)  );
-    CHECK_MPI_OK( mp_init(&v)  );
-    CHECK_MPI_OK( mp_init(&n)  );
-
-    /*
-    ** Convert received signature (r', s') into MPI integers.
-    */
-    CHECK_MPI_OK( mp_read_unsigned_octets(&r_, signature->data, len) );
-    CHECK_MPI_OK( mp_read_unsigned_octets(&s_, signature->data + len, len) );
-                                          
-    /* 
-    ** ANSI X9.62, Section 5.4.2, Steps 1 and 2
-    **
-    ** Verify that 0 < r' < n and 0 < s' < n
-    */
-    SECITEM_TO_MPINT(ecParams->order, &n);
-    if (mp_cmp_z(&r_) <= 0 || mp_cmp_z(&s_) <= 0 ||
-        mp_cmp(&r_, &n) >= 0 || mp_cmp(&s_, &n) >= 0)
-	goto cleanup; /* will return rv == SECFailure */
-
-    /*
-    ** ANSI X9.62, Section 5.4.2, Step 3
-    **
-    ** c = (s')**-1 mod n
-    */
-    CHECK_MPI_OK( mp_invmod(&s_, &n, &c) );      /* c = (s')**-1 mod n */
-
-    /*
-    ** ANSI X9.62, Section 5.4.2, Step 4
-    **
-    ** u1 = ((SHA1(M')) * c) mod n
-    */
-    SECITEM_TO_MPINT(*digest, &u1);         /* u1 = SHA1(M')     */
-
-#if EC_DEBUG
-    mp_todecimal(&r_, mpstr);
-    printf("r_: %s (dec)\n", mpstr);
-    mp_todecimal(&s_, mpstr);
-    printf("s_: %s (dec)\n", mpstr);
-    mp_todecimal(&c, mpstr);
-    printf("c : %s (dec)\n", mpstr);
-    mp_todecimal(&u1, mpstr);
-    printf("digest: %s (dec)\n", mpstr);
-#endif
-
-    CHECK_MPI_OK( mp_mulmod(&u1, &c, &n, &u1) );  /* u1 = u1 * c mod n */
-
-    /*
-    ** ANSI X9.62, Section 5.4.2, Step 4
-    **
-    ** u2 = ((r') * c) mod n
-    */
-    CHECK_MPI_OK( mp_mulmod(&r_, &c, &n, &u2) );
-
-    /*
-    ** ANSI X9.62, Section 5.4.3, Step 1
-    **
-    ** Compute u1*G + u2*Q
-    ** Here, A = u1.G     B = u2.Q    and   C = A + B
-    ** If the result, C, is the point at infinity, reject the signature
-    */
-	if ((ec_points_mul(ecParams, &u1, &u2, &key->publicValue, &pointC) == SECFailure) ||
-	ec_point_at_infinity(&pointC)) {
-	    rv = SECFailure;
-	    goto cleanup;
-    }
-
-    CHECK_MPI_OK( mp_read_unsigned_octets(&x1, pointC.data + 1, len) );
-
-    /*
-    ** ANSI X9.62, Section 5.4.4, Step 2
-    **
-    ** v = x1 mod n
-    */
-    CHECK_MPI_OK( mp_mod(&x1, &n, &v) );
-
-#if EC_DEBUG
-    mp_todecimal(&r_, mpstr);
-    printf("r_: %s (dec)\n", mpstr);
-    mp_todecimal(&v, mpstr);
-    printf("v : %s (dec)\n", mpstr);
-#endif
-
-    /*
-    ** ANSI X9.62, Section 5.4.4, Step 3
-    **
-    ** Verification:  v == r'
-    */
-    if (mp_cmp(&v, &r_)) {
-	PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-	rv = SECFailure; /* Signature failed to verify. */
-    } else {
-	rv = SECSuccess; /* Signature verified. */
-    }
-
-#if EC_DEBUG
-    mp_todecimal(&u1, mpstr);
-    printf("u1: %s (dec)\n", mpstr);
-    mp_todecimal(&u2, mpstr);
-    printf("u2: %s (dec)\n", mpstr);
-    mp_tohex(&x1, mpstr);
-    printf("x1: %s\n", mpstr);
-    mp_todecimal(&v, mpstr);
-    printf("v : %s (dec)\n", mpstr);
-#endif
-
-cleanup:
-    mp_clear(&r_);
-    mp_clear(&s_);
-    mp_clear(&c);
-    mp_clear(&u1);
-    mp_clear(&u2);
-    mp_clear(&x1);
-    mp_clear(&y1);
-    mp_clear(&x2);
-    mp_clear(&y2);
-    mp_clear(&v);
-    mp_clear(&n);
-
-    if (arena) PORT_FreeArena(arena, PR_TRUE);	
-    if (err) {
-	MP_TO_SEC_ERROR(err);
-	rv = SECFailure;
-    }
-
-#if EC_DEBUG
-    printf("ECDSA verification %s\n",
-	(rv == SECSuccess) ? "succeeded" : "failed");
-#endif
-#else
-    PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-#endif /* NSS_ENABLE_ECC */
-
-    return rv;
-}
-
diff --git a/security/nss/lib/freebl/ec.h b/security/nss/lib/freebl/ec.h
deleted file mode 100644
index 3de424145..000000000
--- a/security/nss/lib/freebl/ec.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Elliptic Curve Cryptography library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef __ec_h_
-#define __ec_h_
-
-#define EC_DEBUG                          0
-#define EC_POINT_FORM_COMPRESSED_Y0    0x02
-#define EC_POINT_FORM_COMPRESSED_Y1    0x03
-#define EC_POINT_FORM_UNCOMPRESSED     0x04
-#define EC_POINT_FORM_HYBRID_Y0        0x06
-#define EC_POINT_FORM_HYBRID_Y1        0x07
-
-#define ANSI_X962_CURVE_OID_TOTAL_LEN    10
-#define SECG_CURVE_OID_TOTAL_LEN          7
-
-#endif /* __ec_h_ */
diff --git a/security/nss/lib/freebl/ecl/Makefile b/security/nss/lib/freebl/ecl/Makefile
deleted file mode 100644
index c791531eb..000000000
--- a/security/nss/lib/freebl/ecl/Makefile
+++ /dev/null
@@ -1,227 +0,0 @@
-#
-# Makefile for elliptic curve library
-
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the elliptic curve math library.
-#
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are Copyright (C) 2003
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#   Douglas Stebila <douglas@stebila.ca>
-#   Michael J. Fromberger <sting@linguist.dartmouth.edu>
-#   Netscape Communications Corporation
-#   Richard C. Swift        (swift@netscape.com)
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-## Define CC to be the C compiler you wish to use.  The GNU cc
-## compiler (gcc) should work, at the very least
-#CC=cc
-#CC=gcc
-
-## 
-## Define PERL to point to your local Perl interpreter.  It
-## should be Perl 5.x, although it's conceivable that Perl 4
-## might work ... I haven't tested it.
-##
-#PERL=/usr/bin/perl
-PERL=perl
-
-include ../mpi/target.mk
-
-##
-## Define platform-dependent variables for use of floating-point code.
-##
-ifeq ($(TARGET),v9SOLARIS)
-ECL_USE_FP=1
-else
-ifeq ($(TARGET),v8plusSOLARIS)
-ECL_USE_FP=1
-else
-ifeq ($(TARGET),v8SOLARIS)
-ECL_USE_FP=1
-else
-ifeq ($(TARGET),x86LINUX)
-ECL_USE_FP=1
-endif
-endif
-endif
-endif
-
-##
-## Add to definition of CFLAGS depending on use of floating-point code.
-##
-ifeq ($(ECL_USE_FP),1)
-CFLAGS+= -DECL_USE_FP
-endif
-
-##
-## Define LIBS to include any libraries you need to link against.
-## If NO_TABLE is define, LIBS should include '-lm' or whatever is
-## necessary to bring in the math library.  Otherwise, it can be
-## left alone, unless your system has other peculiar requirements.
-##
-LIBS=-L../mpi -lmpi -lm#-lmalloc#-lefence
-
-##
-## Define INCLUDES to include any include directories you need to 
-## compile with.  
-##
-INCLUDES=-I../mpi
-CFLAGS+= $(INCLUDES) $(XCFLAGS)
-
-## 
-## Define RANLIB to be the library header randomizer; you might not
-## need this on some systems (just set it to 'echo' on these systems,
-## such as IRIX)
-##
-RANLIB=echo
-
-## 
-## Define LIBOBJS to be the object files that will be created during
-## the build process.
-##
-LIBOBJS = ecl.o ecl_curve.o ecl_mult.o ecl_gf.o \
-	ec2_aff.o ec2_mont.o ec2_proj.o \
-	ec2_163.o ec2_193.o ec2_233.o \
-	ecp_aff.o ecp_jac.o ecp_mont.o \
-	ec_naf.o ecp_jm.o \
-	ecp_192.o ecp_224.o
-ifeq ($(ECL_USE_FP),1)
-LIBOBJS+= ecp_fp160.o ecp_fp192.o ecp_fp224.o ecp_fp.o
-endif
-
-## The headers contained in this library.
-LIBHDRS = ecl-exp.h ecl.h ec2.h ecp.h ecl-priv.h ecl-curve.h
-APPHDRS = ecl-exp.h ecl.h ec2.h ecp.h ecl-priv.h ecl-curve.h
-ifeq ($(ECL_GFP_ASSEMBLY_FP),1)
-LIBHDRS += ecp_fp.h
-APPHDRS += ecp_fp.h
-endif
-
-
-help:
-	@ echo ""
-	@ echo "The following targets can be built with this Makefile:"
-	@ echo ""
-	@ echo "libecl.a     - elliptic curve library"
-	@ echo "tests        - build command line tests"
-	@ echo "test         - run command line tests"
-	@ echo "clean        - clean up objects and such"
-	@ echo ""
-
-.SUFFIXES: .c .o .i
-
-.c.i:
-	$(CC) $(CFLAGS) -E $< > $@
-
-#---------------------------------------
-
-$(LIBOBJS): $(LIBHDRS)
-
-ecl.o: ecl.c $(LIBHDRS)
-ecl_curve.o: ecl_curve.c $(LIBHDRS)
-ecl_mult.o: ecl_mult.c $(LIBHDRS)
-ecl_gf.o: ecl_gf.c $(LIBHDRS)
-ec2_aff.o: ec2_aff.c $(LIBHDRS)
-ec2_mont.o: ec2_mont.c $(LIBHDRS)
-ec2_proj.o: ec2_proj.c $(LIBHDRS)
-ec2_163.o: ec2_163.c $(LIBHDRS)
-ec2_193.o: ec2_193.c $(LIBHDRS)
-ec2_233.o: ec2_233.c $(LIBHDRS)
-ecp_aff.o: ecp_aff.c $(LIBHDRS)
-ecp_jac.o: ecp_jac.c $(LIBHDRS)
-ecp_jm.o: ecp_jm.c $(LIBHDRS)
-ecp_mont.o: ecp_mont.c $(LIBHDRS)
-ecp_192.o: ecp_192.c $(LIBHDRS)
-ecp_224.o: ecp_224.c $(LIBHDRS)
-ecp_fp.o: ecp_fp.c $(LIBHDRS)
-ifeq ($(ECL_USE_FP),1)
-ecp_fp160.o: ecp_fp160.c ecp_fpinc.c $(LIBHDRS)
-ecp_fp192.o: ecp_fp192.c ecp_fpinc.c $(LIBHDRS)
-ecp_fp224.o: ecp_fp224.c ecp_fpinc.c $(LIBHDRS)
-endif
-
-libecl.a: $(LIBOBJS)
-	ar -cvr libecl.a $(LIBOBJS)
-	$(RANLIB) libecl.a
-
-lib libs: libecl.a
-
-ecl.i: ecl.h
-
-#---------------------------------------
-
-ECLTESTOBJS = ec2_test.o ecp_test.o ec_naft.o
-ifeq ($(ECL_USE_FP),1)
-ECLTESTOBJS+= ecp_fpt.o
-endif
-ECLTESTS = $(ECLTESTOBJS:.o=)
-
-$(ECLTESTOBJS): %.o: tests/%.c $(LIBHDRS)
-	$(CC) $(CFLAGS) -o $@ -c $<  $(INCLUDES)
-
-$(ECLTESTS): %: %.o libecl.a
-	$(CC) $(CFLAGS) -o $@ $^  $(LIBS)
-
-ifeq ($(ECL_USE_FP),1)
-tests: ec2_test ecp_test ec_naft ecp_fpt 
-else
-tests: ec2_test ecp_test ec_naft
-endif
-
-#---------------------------------------
-
-ifeq ($(ECL_USE_FP),1)
-test: tests
-	./ecp_test
-	./ec2_test
-	./ec_naft
-	./ecp_fpt
-else
-test: tests
-	./ecp_test
-	./ec_naft
-	./ec2_test
-endif
-
-#---------------------------------------
-
-alltests: tests
-
-clean:
-	rm -f *.o *.a *.i
-	rm -f core
-	rm -f *~ .*~
-	rm -f $(ECLTESTS)
-
-clobber: clean
-
-# END
diff --git a/security/nss/lib/freebl/ecl/README b/security/nss/lib/freebl/ecl/README
deleted file mode 100644
index b4c92400d..000000000
--- a/security/nss/lib/freebl/ecl/README
+++ /dev/null
@@ -1,330 +0,0 @@
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this file are subject to the Mozilla Public License Version
-1.1 (the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the elliptic curve math library.
-
-The Initial Developer of the Original Code is Sun Microsystems, Inc.
-Portions created by Sun Microsystems, Inc. are Copyright (C) 2003
-Sun Microsystems, Inc. All Rights Reserved.
-
-Contributor(s):
-    Stephen Fung <fungstep@hotmail.com> and
-    Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
- 
-The ECL exposes routines for constructing and converting curve
-parameters for internal use.
-
-
-HEADER FILES
-============
-
-ecl-exp.h - Exports data structures and curve names. For use by code
-that does not have access to mp_ints.
-
-ecl-curve.h - Provides hex encodings (in the form of ECCurveParams
-structs) of standardizes elliptic curve domain parameters and mappings
-from ECCurveName to ECCurveParams. For use by code that does not have
-access to mp_ints.
-
-ecl.h - Interface to constructors for curve parameters and group object,
-and point multiplication operations. Used by higher level algorithms
-(like ECDH and ECDSA) to actually perform elliptic curve cryptography.
-
-ecl-priv.h - Data structures and functions for internal use within the
-library.
-
-ec2.h - Internal header file that contains all functions for point
-arithmetic over binary polynomial fields.
-
-ecp.h - Internal header file that contains all functions for point
-arithmetic over prime fields.
-
-DATA STRUCTURES AND TYPES
-=========================
-
-ECCurveName (from ecl-exp.h) - Opaque name for standardized elliptic
-curve domain parameters.
-
-ECCurveParams (from ecl-exp.h) - Provides hexadecimal encoding
-of elliptic curve domain parameters. Can be generated by a user
-and passed to ECGroup_fromHex or can be generated from a name by
-EC_GetNamedCurveParams. ecl-curve.h contains ECCurveParams structs for
-the standardized curves defined by ECCurveName.
-
-ECGroup (from ecl.h and ecl-priv.h) - Opaque data structure that
-represents a group of elliptic curve points for a particular set of
-elliptic curve domain parameters. Contains all domain parameters (curve
-a and b, field, base point) as well as pointers to the functions that
-should be used for point arithmetic and the underlying field GFMethod.
-Generated by either ECGroup_fromHex or ECGroup_fromName.
-
-GFMethod (from ecl-priv.h) - Represents a field underlying a set of
-elliptic curve domain parameters. Contains the irreducible that defines
-the field (either the prime or the binary polynomial) as well as
-pointers to the functions that should be used for field arithmetic.
-
-ARITHMETIC FUNCTIONS
-====================
-
-Higher-level algorithms (like ECDH and ECDSA) should call ECPoint_mul
-or ECPoints_mul (from ecl.h) to do point arithmetic. These functions
-will choose which underlying algorithms to use, based on the ECGroup
-structure.
-
-Point Multiplication
---------------------
-
-ecl_mult.c provides the ECPoints_mul and ECPoint_mul wrappers.
-It also provides two implementations for the pts_mul operation -
-ec_pts_mul_basic (which computes kP, lQ, and then adds kP + lQ) and
-ec_pts_mul_simul_w2 (which does a simultaneous point multiplication
-using a table with window size 2*2).
-
-ec_naf.c provides an implementation of an algorithm to calculate a
-non-adjacent form of a scalar, minimizing the number of point
-additions that need to be done in a point multiplication.
-
-Point Arithmetic over Prime Fields
-----------------------------------
-
-ecp_aff.c provides point arithmetic using affine coordinates.
-
-ecp_jac.c provides point arithmetic using Jacobian projective
-coordinates and mixed Jacobian-affine coordinates. (Jacobian projective
-coordinates represent a point (x, y) as (X, Y, Z), where x=X/Z^2,
-y=Y/Z^3).
-
-ecp_jm.c provides point arithmetic using Modified Jacobian
-coordinates and mixed Modified_Jacobian-affine coordinates.
-(Modified Jacobian coordinates represent a point (x, y)
-as (X, Y, Z, a*Z^4), where x=X/Z^2, y=Y/Z^3, and a is
-the linear coefficient in the curve defining equation).
-
-ecp_192.c and ecp_224.c provide optimized field arithmetic.
-
-Point Arithmetic over Binary Polynomial Fields
-----------------------------------------------
-
-ec2_aff.c provides point arithmetic using affine coordinates.
-
-ec2_proj.c provides point arithmetic using projective coordinates.
-(Projective coordinates represent a point (x, y) as (X, Y, Z), where
-x=X/Z, y=Y/Z^2).
-
-ec2_mont.c provides point multiplication using Montgomery projective
-coordinates.
-
-ec2_163.c, ec2_193.c, and ec2_233.c provide optimized field arithmetic.
-
-Field Arithmetic
-----------------
-
-ecl_gf.c provides constructors for field objects (GFMethod) with the
-functions GFMethod_cons*. It also provides wrappers around the basic
-field operations.
-
-Prime Field Arithmetic
-----------------------
-
-The mpi library provides the basic prime field arithmetic.
-
-ecp_mont.c provides wrappers around the Montgomery multiplication
-functions from the mpi library and adds encoding and decoding functions.
-It also provides the function to construct a GFMethod object using
-Montgomery multiplication.
-
-ecp_192.c and ecp_224.c provide optimized modular reduction for the
-fields defined by nistp192 and nistp224 primes.
-
-ecl_gf.c provides wrappers around the basic field operations.
-
-Binary Polynomial Field Arithmetic
-----------------------------------
-
-../mpi/mp_gf2m.c provides basic binary polynomial field arithmetic,
-including addition, multiplication, squaring, mod, and division, as well
-as conversion ob polynomial representations between bitstring and int[].
-
-ec2_163.c, ec2_193.c, and ec2_233.c provide optimized field mod, mul,
-and sqr operations.
-
-ecl_gf.c provides wrappers around the basic field operations.
-
-Field Encoding
---------------
-
-By default, field elements are encoded in their basic form. It is
-possible to use an alternative encoding, however. For example, it is
-possible to Montgomery representation of prime field elements and
-take advantage of the fast modular multiplication that Montgomery
-representation provides. The process of converting from basic form to
-Montgomery representation is called field encoding, and the opposite
-process would be field decoding. All internal point operations assume
-that the operands are field encoded as appropriate. By rewiring the
-underlying field arithmetic to perform operations on these encoded
-values, the same overlying point arithmetic operations can be used
-regardless of field representation.
-
-ALGORITHM WIRING
-================
-
-The EC library allows point and field arithmetic algorithms to be
-substituted ("wired-in") on a fine-grained basis. This allows for
-generic algorithms and algorithms that are optimized for a particular
-curve, field, or architecture, to coexist and to be automatically
-selected at runtime.
-
-Wiring Mechanism
-----------------
-
-The ECGroup and GFMethod structure contain pointers to the point and
-field arithmetic functions, respectively, that are to be used in
-operations.
-
-The selection of algorithms to use is handled in the function
-ecgroup_fromNameAndHex in ecl.c.
-
-Default Wiring
---------------
-
-Curves over prime fields by default use montgomery field arithmetic,
-point multiplication using 5-bit window non-adjacent-form with 
-Modified Jacobian coordinates, and 2*2-bit simultaneous point 
-multiplication using Jacobian coordinates.
-(Wiring in function ECGroup_consGFp_mont in ecl.c.)
-
-Curves over prime fields that have optimized modular reduction (i.e.,
-secp160r1, nistp192, and nistp224) do not use Montgomery field
-arithmetic. Instead, they use basic field arithmetic with their
-optimized reduction (as in ecp_192.c and ecp_224.c). They
-use the same point multiplication and simultaneous point multiplication
-algorithms as other curves over prime fields.
-
-Curves over binary polynomial fields by default use generic field
-arithmetic with montgomery point multiplication and basic kP + lQ
-computation (multiply, multiply, and add). (Wiring in function
-ECGroup_cons_GF2m in ecl.c.)
-
-Curves over binary polynomial fields that have optimized field
-arithmetic (i.e., any 163-, 193, or 233-bit field) use their optimized
-field arithmetic. They use the same point multiplication and
-simultaneous point multiplication algorithms as other curves over binary
-fields.
-
-Example
--------
-
-We provide an example for plugging in an optimized implementation for
-the Koblitz curve nistk163.
-
-Suppose the file ec2_k163.c contains the optimized implementation. In
-particular it contains a point multiplication function:
-
-	mp_err ec_GF2m_nistk163_pt_mul(const mp_int *n, const mp_int *px, 
-		const mp_int *py, mp_int *rx, mp_int *ry, const ECGroup *group);
-
-Since only a pt_mul function is provided, the generic pt_add function
-will be used.
-
-There are two options for handling the optimized field arithmetic used
-by the ..._pt_mul function. Say the optimized field arithmetic includes
-the following functions:
-
-	mp_err ec_GF2m_nistk163_add(const mp_int *a, const mp_int *b,
-		mp_int *r, const GFMethod *meth);
-	mp_err ec_GF2m_nistk163_mul(const mp_int *a, const mp_int *b,
-		mp_int *r, const GFMethod *meth);
-	mp_err ec_GF2m_nistk163_sqr(const mp_int *a, const mp_int *b,
-		mp_int *r, const GFMethod *meth);
-	mp_err ec_GF2m_nistk163_div(const mp_int *a, const mp_int *b,
-		mp_int *r, const GFMethod *meth);
-
-First, the optimized field arithmetic could simply be called directly
-by the ..._pt_mul function. This would be accomplished by changing
-the ecgroup_fromNameAndHex function in ecl.c to include the following
-statements:
-
-	if (name == ECCurve_NIST_K163) {
-		group = ECGroup_consGF2m(&irr, NULL, &curvea, &curveb, &genx,
-			&geny, &order, params->cofactor);
-		if (group == NULL) { res = MP_UNDEF; goto CLEANUP; }
-		MP_CHECKOK( ec_group_set_nistk163(group) );
-	}
-
-and including in ec2_k163.c the following function:
-
-	mp_err ec_group_set_nistk163(ECGroup *group) {
-		group->point_mul = &ec_GF2m_nistk163_pt_mul;
-		return MP_OKAY;
-	}
-
-As a result, ec_GF2m_pt_add and similar functions would use the
-basic binary polynomial field arithmetic ec_GF2m_add, ec_GF2m_mul,
-ec_GF2m_sqr, and ec_GF2m_div.
-
-Alternatively, the optimized field arithmetic could be wired into the
-group's GFMethod. This would be accomplished by putting the following
-function in ec2_k163.c:
-
-	mp_err ec_group_set_nistk163(ECGroup *group) {
-		group->meth->field_add = &ec_GF2m_nistk163_add;
-		group->meth->field_mul = &ec_GF2m_nistk163_mul;
-		group->meth->field_sqr = &ec_GF2m_nistk163_sqr;
-		group->meth->field_div = &ec_GF2m_nistk163_div;
-		group->point_mul = &ec_GF2m_nistk163_pt_mul;
-		return MP_OKAY;
-	}
-
-For an example of functions that use special field encodings, take a
-look at ecp_mont.c.
-
-TESTING
-=======
-
-The ecl/tests directory contains a collection of standalone tests that
-verify the correctness of the elliptic curve library.
-
-Both ecp_test and ec2_test take the following arguments:
-
-	--print     Print out results of each point arithmetic test.
-	--time      Benchmark point operations and print results.
-
-The set of curves over which ecp_test and ec2_test run is coded into the
-program, but can be changed by editing the source files.
-
-BUILDING
-========
-
-The ecl can be built as a standalone library, separate from NSS,
-dependent only on the mpi library. To build the library:
-
-	> cd ../mpi
-	> make libs
-	> cd ../ecl
-	> make libs
-	> make tests # to build test files
-	> make test  # to run automated tests
diff --git a/security/nss/lib/freebl/ecl/README.FP b/security/nss/lib/freebl/ecl/README.FP
deleted file mode 100644
index 858ac67b8..000000000
--- a/security/nss/lib/freebl/ecl/README.FP
+++ /dev/null
@@ -1,317 +0,0 @@
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this file are subject to the Mozilla Public License Version
-1.1 (the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the elliptic curve math library.
-
-The Initial Developer of the Original Code is Sun Microsystems, Inc.
-Portions created by Sun Microsystems, Inc. are Copyright (C) 2003
-Sun Microsystems, Inc. All Rights Reserved.
-
-Contributor(s):
-     Stephen Fung <fungstep@hotmail.com> and
-     Nils Gura <nils.gura@sun.com>, Sun Microsystems Laboratories
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
-
-The ECL exposes routines for constructing and converting curve
-parameters for internal use.
-
-The floating point code of the ECL provides algorithms for performing
-elliptic-curve point multiplications in floating point.
-
-The point multiplication algorithms perform calculations almost
-exclusively in floating point for efficiency, but have the same
-(integer) interface as the ECL for compatibility and to be easily
-wired-in to the ECL.  Please see README file (not this README.FP file)
-for information on wiring-in.
-
-This has been implemented for 3 curves as specified in [1]:
-	secp160r1
-	secp192r1
-	secp224r1
-
-RATIONALE
-=========
-Calculations are done in the  floating-point unit (FPU) since it
-gives better performance on the UltraSPARC III chips.  This is
-because the FPU allows for faster multiplication than the integer unit.
-The integer unit has a longer multiplication instruction latency, and
-does not allow full pipelining, as described in [2].
-Since performance is an important selling feature of Elliptic Curve
-Cryptography (ECC), this implementation was created.
-
-DATA REPRESENTATION
-===================
-Data is primarily represented in an array of double-precision floating
-point numbers.  Generally, each array element has 24 bits of precision
-(i.e. be x * 2^y, where x is an integer of at most 24 bits, y some positive
-integer), although the actual implementation details are more complicated.
-
-e.g. a way to store an 80 bit number might be:
-double p[4] = { 632613 * 2^0, 329841 * 2^24, 9961 * 2^48, 51 * 2^64 };
-See section ARITHMETIC OPERATIONS for more details.
-
-This implementation assumes that the floating-point unit rounding mode 
-is round-to-even as specified in IEEE 754
-(as opposed to chopping, rounding up, or rounding down).
-When subtracting integers represented as arrays of floating point 
-numbers, some coefficients (array elements) may become negative.
-This effectively gives an extra bit of precision that is important
-for correctness in some cases.
-
-The described number presentation limits the size of integers to 1023 bits.
-This is due to an upper bound of 1024 for the exponent of a double precision
-floating point number as specified in IEEE-754.
-However, this is acceptable for ECC key sizes of the foreseeable future.
-
-DATA STRUCTURES
-===============
-For more information on coordinate representations, see [3].
-
-ecfp_aff_pt
------------
-Affine EC Point Representation.  This is the basic 
-representation (x, y) of an elliptic curve point.
-
-ecfp_jac_pt
------------
-Jacobian EC Point.  This stores a point as (X, Y, Z), where
-the affine point corresponds to (X/Z^2, Y/Z^3).  This allows
-for fewer inversions in calculations.
-
-ecfp_chud_pt
-------------
-Chudnovsky Jacobian Point.  This representation stores a point
-as (X, Y, Z, Z^2, Z^3), the same as a Jacobian representation
-but also storing Z^2 and Z^3 for faster point additions.
-
-ecfp_jm_pt
-----------
-Modified Jacobian Point.  This representation stores a point
-as (X, Y, Z, a*Z^4), the same as Jacobian representation but
-also storing a*Z^4 for faster point doublings.  Here "a" represents
-the linear coefficient of x defining the curve.
-
-EC_group_fp
------------
-Stores information on the elliptic curve group for floating
-point calculations.  Contains curve specific information, as
-well as function pointers to routines, allowing different
-optimizations to be easily wired in.
-This should be made accessible from an ECGroup for the floating
-point implementations of point multiplication.
-
-POINT MULTIPLICATION ALGORITHMS
-===============================
-Elliptic Curve Point multiplication can be done at a higher level orthogonal
-to the implementation of point additions and point doublings.  There
-are a variety of algorithms that can be used.
-
-The following algorithms have been implemented:
-
-4-bit Window (Jacobian Coordinates)
-Double & Add (Jacobian & Affine Coordinates)
-5-bit Non-Adjacent Form (Modified Jacobian & Chudnovsky Jacobian)
-
-Currently, the fastest algorithm for multiplying a generic point
-is the 5-bit Non-Adjacent Form.
-
-See comments in ecp_fp.c for more details and references.
-
-SOURCE / HEADER FILES
-=====================
-
-ecp_fp.c
---------
-Main source file for floating point calculations.  Contains routines
-to convert from floating-point to integer (mp_int format), point
-multiplication algorithms, and several other routines.
-
-ecp_fp.h
---------
-Main header file.  Contains most constants used and function prototypes.
-
-ecp_fp[160, 192, 224].c
------------------------
-Source files for specific curves.  Contains curve specific code such
-as specialized reduction based on the field defining prime.  Contains
-code wiring-in different algorithms and optimizations.
-
-ecp_fpinc.c
------------
-Source file that is included by ecp_fp[160, 192, 224].c.  This generates
-functions with different preprocessor-defined names and loop iterations,
-allowing for static linking and strong compiler optimizations without
-code duplication.
-
-TESTING
-=======
-The test suite can be found in ecl/tests/ecp_fpt.  This tests and gets
-timings of the different algorithms for the curves implemented.
-
-ARITHMETIC OPERATIONS
----------------------
-The primary operations in ECC over the prime fields are modular arithmetic:
-i.e. n * m (mod p) and n + m (mod p).  In this implementation, multiplication,
-addition, and reduction are implemented as separate functions.  This
-enables computation of formulae with fewer reductions, e.g.
-(a * b) + (c * d) (mod p) rather than:
-((a * b) (mod p)) + ((c * d) (mod p)) (mod p)
-This takes advantage of the fact that the double precision mantissa in
-floating point can hold numbers up to 2^53, i.e. it has some leeway to
-store larger intermediate numbers.  See further detail in the section on 
-FLOATING POINT PRECISION.
-
-Multiplication
---------------
-Multiplication is implemented in a standard polynomial multiplication
-fashion.  The terms in opposite factors are pairwise multiplied and
-added together appropriately.  Note that the result requires twice 
-as many doubles for storage, as the bit size of the product is twice
-that of the multiplicands.
-e.g. suppose we have double n[3], m[3], r[6], and want to calculate r = n * m
-r[0] = n[0] * m[0]
-r[1] = n[0] * m[1] + n[1] * m[0]
-r[2] = n[0] * m[2] + n[1] * m[1] + n[2] * m[0]
-r[3] = n[1] * m[2] + n[2] * m[1]
-r[4] = n[2] * m[2]
-r[5] = 0 (This is used later to hold spillover from r[4], see tidying in
-the reduction section.)
-
-Addition
---------
-Addition is done term by term.  The only caveat is to be careful with
-the number of terms that need to be added.  When adding results of
-multiplication (before reduction), twice as many terms need to be added
-together.  This is done in the addLong function.
-e.g. for double n[4], m[4], r[4]:  r = n + m
-r[0] = n[0] + m[0]
-r[1] = n[1] + m[1]
-r[2] = n[2] + m[2]
-r[3] = n[3] + m[3]
-
-Modular Reduction
------------------
-For the curves implemented, reduction is possible by fast reduction
-for Generalized Mersenne Primes, as described in [4].  For the 
-floating point implementation, a significant step of the reduction 
-process is tidying:  that is, the propagation of carry bits from 
-low-order to high-order coefficients to reduce the precision of each 
-coefficient to 24 bits.
-This is done by adding and then subtracting
-ecfp_alpha, a large floating point number that induces precision roundoff.
-See [5] for more details on tidying using floating point arithmetic.
-e.g. suppose we have r = 961838 * 2^24 + 519308
-then if we set alpha = 3 * 2^51 * 2^24,
-FP(FP(r + alpha) - alpha) = 961838 * 2^24, because the precision for
-the intermediate results is limited.  Our values of alpha are chosen
-to truncate to a desired number of bits.
-
-The reduction is then performed as in [4], adding multiples of prime p.
-e.g. suppose we are working over a polynomial of 10^2.  Take the number
-2 * 10^8 + 11 * 10^6 + 53 * 10^4 + 23 * 10^2 + 95, stored in 5 elements
-for coefficients of 10^0, 10^2, ..., 10^8.
-We wish to reduce modulo p = 10^6 - 2 * 10^4 + 1
-We can subtract off from the higher terms
-(2 * 10^8 + 11 * 10^6 + 53 * 10^4 + 23 * 10^2 + 95) - (2 * 10^2) * (10^6 - 2 * 10^4 + 1)
-= 15 * 10^6 + 53 * 10^4 + 21 * 10^2 + 95
-= 15 * 10^6 + 53 * 10^4 + 21 * 10^2 + 95 - (15) * (10^6 - 2 * 10^4 + 1)
-= 83 * 10^4 + 21 * 10^2 + 80
-
-Integrated Example
-------------------
-This example shows how multiplication, addition, tidying, and reduction
-work together in our modular arithmetic.  This is simplified from the
-actual implementation, but should convey the main concepts.  
-Working over polynomials of 10^2 and with p as in the prior example,
-Let a = 16 * 10^4 + 53 * 10^2 + 33
-let b = 81 * 10^4 + 31 * 10^2 + 49
-let c = 22 * 10^4 +  0 * 10^2 + 95
-And suppose we want to compute a * b + c mod p.  
-We first do a multiplication:  then a * b =
-0 * 10^10 + 1296 * 10^8 + 4789 * 10^6 + 5100 * 10^4 + 3620 * 10^2 + 1617
-Then we add in c before doing reduction, allowing us to get a * b + c =
-0 * 10^10 + 1296 * 10^8 + 4789 * 10^6 + 5122 * 10^4 + 3620 * 10^2 + 1712
-We then perform a tidying on the upper half of the terms:
-0 * 10^10 + 1296 * 10^8 + 4789 * 10^6
-0 * 10^10 + (1296 + 47) * 10^8 + 89 * 10^6
-0 * 10^10 + 1343 * 10^8 + 89 * 10^6
-13 * 10^10 + 43 * 10^8 + 89 * 10^6
-which then gives us
-13 * 10^10 + 43 * 10^8 + 89 * 10^6 + 5122 * 10^4 + 3620 * 10^2 + 1712
-we then reduce modulo p similar to the reduction example above:
-13 * 10^10 + 43 * 10^8 + 89 * 10^6 + 5122 * 10^4 + 3620 * 10^2 + 1712 
-	- (13 * 10^4 * p)
-69 * 10^8 + 89 * 10^6 + 5109 * 10^4 + 3620 * 10^2 + 1712
-	- (69 * 10^2 * p)
-227 * 10^6 + 5109 * 10^4 + 3551 * 10^2 + 1712
-	- (227 * p)
-5563 * 10^4 + 3551 * 10^2 + 1485
-finally, we do tidying to get the precision of each term down to 2 digits
-5563 * 10^4 + 3565 * 10^2 + 85
-5598 * 10^4 + 65 * 10^2 + 85
-55 * 10^6 + 98 * 10^4 + 65 * 10^2 + 85
-and perform another reduction step
-	- (55 * p)
-208 * 10^4 + 65 * 10^2 + 30
-There may be a small number of further reductions that could be done at
-this point, but this is typically done only at the end when converting
-from floating point  to an integer unit representation.
-
-FLOATING POINT PRECISION
-========================
-This section discusses the precision of floating point numbers, which
-one writing new formulae or a larger bit size should be aware of.  The
-danger is that an intermediate result may be required to store a
-mantissa larger than 53 bits, which would cause error by rounding off.
-
-Note that the tidying with IEEE rounding mode set to round-to-even
-allows negative numbers, which actually reduces the size of the double
-mantissa to 23 bits - since it rounds the mantissa to the nearest number 
-modulo 2^24, i.e. roughly between -2^23 and 2^23.
-A multiplication increases the bit size to 2^46 * n, where n is the number
-of doubles to store a number.  For the 224 bit curve, n = 10.  This gives 
-doubles of size 5 * 2^47.  Adding two of these doubles gives a result
-of size 5 * 2^48, which is less than 2^53, so this is safe.  
-Similar analysis can be done for other formulae to ensure numbers remain
-below 2^53.
-
-Extended-Precision Floating Point
----------------------------------
-Some platforms, notably x86 Linux, may use an extended-precision floating
-point representation that has a 64-bit mantissa.  [6]  Although this
-implementation is optimized for the IEEE standard 53-bit mantissa,
-it should work with the 64-bit mantissa.  A check is done at run-time
-in the function ec_set_fp_precision that detects if the precision is
-greater than 53 bits, and runs code for the 64-bit mantissa accordingly.
-
-REFERENCES
-==========
-[1] Certicom Corp., "SEC 2: Recommended Elliptic Curve Domain Parameters", Sept. 20, 2000.  www.secg.org
-[2] Sun Microsystems Inc.  UltraSPARC III Cu User's Manual, Version 1.0, May 2002, Table 4.4
-[3] H. Cohen, A. Miyaji, and T. Ono, "Efficient Elliptic Curve Exponentiation Using Mixed Coordinates".
-[4] Henk C.A. van Tilborg, Generalized Mersenne Prime.  http://www.win.tue.nl/~henkvt/GenMersenne.pdf
-[5] Daniel J. Bernstein, Floating-Point Arithmetic and Message Authentication, Journal of Cryptology, March 2000, Section 2.
-[6] Daniel J. Bernstein, Floating-Point Arithmetic and Message Authentication, Journal of Cryptology, March 2000, Section 2 Notes.
diff --git a/security/nss/lib/freebl/ecl/ec2.h b/security/nss/lib/freebl/ecl/ec2.h
deleted file mode 100644
index 2ca8418b3..000000000
--- a/security/nss/lib/freebl/ecl/ec2.h
+++ /dev/null
@@ -1,126 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library for binary polynomial field curves.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef __ec2_h_
-#define __ec2_h_
-
-#include "ecl-priv.h"
-
-/* Checks if point P(px, py) is at infinity.  Uses affine coordinates. */
-mp_err ec_GF2m_pt_is_inf_aff(const mp_int *px, const mp_int *py);
-
-/* Sets P(px, py) to be the point at infinity.  Uses affine coordinates. */
-mp_err ec_GF2m_pt_set_inf_aff(mp_int *px, mp_int *py);
-
-/* Computes R = P + Q where R is (rx, ry), P is (px, py) and Q is (qx,
- * qy). Uses affine coordinates. */
-mp_err ec_GF2m_pt_add_aff(const mp_int *px, const mp_int *py,
-						  const mp_int *qx, const mp_int *qy, mp_int *rx,
-						  mp_int *ry, const ECGroup *group);
-
-/* Computes R = P - Q.  Uses affine coordinates. */
-mp_err ec_GF2m_pt_sub_aff(const mp_int *px, const mp_int *py,
-						  const mp_int *qx, const mp_int *qy, mp_int *rx,
-						  mp_int *ry, const ECGroup *group);
-
-/* Computes R = 2P.  Uses affine coordinates. */
-mp_err ec_GF2m_pt_dbl_aff(const mp_int *px, const mp_int *py, mp_int *rx,
-						  mp_int *ry, const ECGroup *group);
-
-/* Validates a point on a GF2m curve. */
-mp_err ec_GF2m_validate_point(const mp_int *px, const mp_int *py, const ECGroup *group);
-
-/* by default, this routine is unused and thus doesn't need to be compiled */
-#ifdef ECL_ENABLE_GF2M_PT_MUL_AFF
-/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters
- * a, b and p are the elliptic curve coefficients and the irreducible that 
- * determines the field GF2m.  Uses affine coordinates. */
-mp_err ec_GF2m_pt_mul_aff(const mp_int *n, const mp_int *px,
-						  const mp_int *py, mp_int *rx, mp_int *ry,
-						  const ECGroup *group);
-#endif
-
-/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters
- * a, b and p are the elliptic curve coefficients and the irreducible that 
- * determines the field GF2m.  Uses Montgomery projective coordinates. */
-mp_err ec_GF2m_pt_mul_mont(const mp_int *n, const mp_int *px,
-						   const mp_int *py, mp_int *rx, mp_int *ry,
-						   const ECGroup *group);
-
-#ifdef ECL_ENABLE_GF2M_PROJ
-/* Converts a point P(px, py) from affine coordinates to projective
- * coordinates R(rx, ry, rz). */
-mp_err ec_GF2m_pt_aff2proj(const mp_int *px, const mp_int *py, mp_int *rx,
-						   mp_int *ry, mp_int *rz, const ECGroup *group);
-
-/* Converts a point P(px, py, pz) from projective coordinates to affine
- * coordinates R(rx, ry). */
-mp_err ec_GF2m_pt_proj2aff(const mp_int *px, const mp_int *py,
-						   const mp_int *pz, mp_int *rx, mp_int *ry,
-						   const ECGroup *group);
-
-/* Checks if point P(px, py, pz) is at infinity.  Uses projective
- * coordinates. */
-mp_err ec_GF2m_pt_is_inf_proj(const mp_int *px, const mp_int *py,
-							  const mp_int *pz);
-
-/* Sets P(px, py, pz) to be the point at infinity.  Uses projective
- * coordinates. */
-mp_err ec_GF2m_pt_set_inf_proj(mp_int *px, mp_int *py, mp_int *pz);
-
-/* Computes R = P + Q where R is (rx, ry, rz), P is (px, py, pz) and Q is
- * (qx, qy, qz).  Uses projective coordinates. */
-mp_err ec_GF2m_pt_add_proj(const mp_int *px, const mp_int *py,
-						   const mp_int *pz, const mp_int *qx,
-						   const mp_int *qy, mp_int *rx, mp_int *ry,
-						   mp_int *rz, const ECGroup *group);
-
-/* Computes R = 2P.  Uses projective coordinates. */
-mp_err ec_GF2m_pt_dbl_proj(const mp_int *px, const mp_int *py,
-						   const mp_int *pz, mp_int *rx, mp_int *ry,
-						   mp_int *rz, const ECGroup *group);
-
-/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters
- * a, b and p are the elliptic curve coefficients and the prime that
- * determines the field GF2m.  Uses projective coordinates. */
-mp_err ec_GF2m_pt_mul_proj(const mp_int *n, const mp_int *px,
-						   const mp_int *py, mp_int *rx, mp_int *ry,
-						   const ECGroup *group);
-#endif
-
-#endif							/* __ec2_h_ */
diff --git a/security/nss/lib/freebl/ecl/ec2_163.c b/security/nss/lib/freebl/ecl/ec2_163.c
deleted file mode 100644
index 641632146..000000000
--- a/security/nss/lib/freebl/ecl/ec2_163.c
+++ /dev/null
@@ -1,259 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library for binary polynomial field curves.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Sheueling Chang-Shantz <sheueling.chang@sun.com>,
- *   Stephen Fung <fungstep@hotmail.com>, and
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "ec2.h"
-#include "mp_gf2m.h"
-#include "mp_gf2m-priv.h"
-#include "mpi.h"
-#include "mpi-priv.h"
-#include <stdlib.h>
-
-/* Fast reduction for polynomials over a 163-bit curve. Assumes reduction
- * polynomial with terms {163, 7, 6, 3, 0}. */
-mp_err
-ec_GF2m_163_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
-{
-	mp_err res = MP_OKAY;
-	mp_digit *u, z;
-
-	if (a != r) {
-		MP_CHECKOK(mp_copy(a, r));
-	}
-#ifdef ECL_SIXTY_FOUR_BIT
-	if (MP_USED(r) < 6) {
-		MP_CHECKOK(s_mp_pad(r, 6));
-	}
-	u = MP_DIGITS(r);
-	MP_USED(r) = 6;
-
-	/* u[5] only has 6 significant bits */
-	z = u[5];
-	u[2] ^= (z << 36) ^ (z << 35) ^ (z << 32) ^ (z << 29);
-	z = u[4];
-	u[2] ^= (z >> 28) ^ (z >> 29) ^ (z >> 32) ^ (z >> 35);
-	u[1] ^= (z << 36) ^ (z << 35) ^ (z << 32) ^ (z << 29);
-	z = u[3];
-	u[1] ^= (z >> 28) ^ (z >> 29) ^ (z >> 32) ^ (z >> 35);
-	u[0] ^= (z << 36) ^ (z << 35) ^ (z << 32) ^ (z << 29);
-	z = u[2] >> 35;				/* z only has 29 significant bits */
-	u[0] ^= (z << 7) ^ (z << 6) ^ (z << 3) ^ z;
-	/* clear bits above 163 */
-	u[5] = u[4] = u[3] = 0;
-	u[2] ^= z << 35;
-#else
-	if (MP_USED(r) < 11) {
-		MP_CHECKOK(s_mp_pad(r, 11));
-	}
-	u = MP_DIGITS(r);
-	MP_USED(r) = 11;
-
-	/* u[11] only has 6 significant bits */
-	z = u[10];
-	u[5] ^= (z << 4) ^ (z << 3) ^ z ^ (z >> 3);
-	u[4] ^= (z << 29);
-	z = u[9];
-	u[5] ^= (z >> 28) ^ (z >> 29);
-	u[4] ^= (z << 4) ^ (z << 3) ^ z ^ (z >> 3);
-	u[3] ^= (z << 29);
-	z = u[8];
-	u[4] ^= (z >> 28) ^ (z >> 29);
-	u[3] ^= (z << 4) ^ (z << 3) ^ z ^ (z >> 3);
-	u[2] ^= (z << 29);
-	z = u[7];
-	u[3] ^= (z >> 28) ^ (z >> 29);
-	u[2] ^= (z << 4) ^ (z << 3) ^ z ^ (z >> 3);
-	u[1] ^= (z << 29);
-	z = u[6];
-	u[2] ^= (z >> 28) ^ (z >> 29);
-	u[1] ^= (z << 4) ^ (z << 3) ^ z ^ (z >> 3);
-	u[0] ^= (z << 29);
-	z = u[5] >> 3;				/* z only has 29 significant bits */
-	u[1] ^= (z >> 25) ^ (z >> 26);
-	u[0] ^= (z << 7) ^ (z << 6) ^ (z << 3) ^ z;
-	/* clear bits above 163 */
-	u[11] = u[10] = u[9] = u[8] = u[7] = u[6] = 0;
-	u[5] ^= z << 3;
-#endif
-	s_mp_clamp(r);
-
-  CLEANUP:
-	return res;
-}
-
-/* Fast squaring for polynomials over a 163-bit curve. Assumes reduction
- * polynomial with terms {163, 7, 6, 3, 0}. */
-mp_err
-ec_GF2m_163_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
-{
-	mp_err res = MP_OKAY;
-	mp_digit *u, *v;
-
-	v = MP_DIGITS(a);
-
-#ifdef ECL_SIXTY_FOUR_BIT
-	if (MP_USED(a) < 3) {
-		return mp_bsqrmod(a, meth->irr_arr, r);
-	}
-	if (MP_USED(r) < 6) {
-		MP_CHECKOK(s_mp_pad(r, 6));
-	}
-	MP_USED(r) = 6;
-#else
-	if (MP_USED(a) < 6) {
-		return mp_bsqrmod(a, meth->irr_arr, r);
-	}
-	if (MP_USED(r) < 12) {
-		MP_CHECKOK(s_mp_pad(r, 12));
-	}
-	MP_USED(r) = 12;
-#endif
-	u = MP_DIGITS(r);
-
-#ifdef ECL_THIRTY_TWO_BIT
-	u[11] = gf2m_SQR1(v[5]);
-	u[10] = gf2m_SQR0(v[5]);
-	u[9] = gf2m_SQR1(v[4]);
-	u[8] = gf2m_SQR0(v[4]);
-	u[7] = gf2m_SQR1(v[3]);
-	u[6] = gf2m_SQR0(v[3]);
-#endif
-	u[5] = gf2m_SQR1(v[2]);
-	u[4] = gf2m_SQR0(v[2]);
-	u[3] = gf2m_SQR1(v[1]);
-	u[2] = gf2m_SQR0(v[1]);
-	u[1] = gf2m_SQR1(v[0]);
-	u[0] = gf2m_SQR0(v[0]);
-	return ec_GF2m_163_mod(r, r, meth);
-
-  CLEANUP:
-	return res;
-}
-
-/* Fast multiplication for polynomials over a 163-bit curve. Assumes
- * reduction polynomial with terms {163, 7, 6, 3, 0}. */
-mp_err
-ec_GF2m_163_mul(const mp_int *a, const mp_int *b, mp_int *r,
-				const GFMethod *meth)
-{
-	mp_err res = MP_OKAY;
-	mp_digit a2 = 0, a1 = 0, a0, b2 = 0, b1 = 0, b0;
-
-#ifdef ECL_THIRTY_TWO_BIT
-	mp_digit a5 = 0, a4 = 0, a3 = 0, b5 = 0, b4 = 0, b3 = 0;
-	mp_digit rm[6];
-#endif
-
-	if (a == b) {
-		return ec_GF2m_163_sqr(a, r, meth);
-	} else {
-		switch (MP_USED(a)) {
-#ifdef ECL_THIRTY_TWO_BIT
-		case 6:
-			a5 = MP_DIGIT(a, 5);
-		case 5:
-			a4 = MP_DIGIT(a, 4);
-		case 4:
-			a3 = MP_DIGIT(a, 3);
-#endif
-		case 3:
-			a2 = MP_DIGIT(a, 2);
-		case 2:
-			a1 = MP_DIGIT(a, 1);
-		default:
-			a0 = MP_DIGIT(a, 0);
-		}
-		switch (MP_USED(b)) {
-#ifdef ECL_THIRTY_TWO_BIT
-		case 6:
-			b5 = MP_DIGIT(b, 5);
-		case 5:
-			b4 = MP_DIGIT(b, 4);
-		case 4:
-			b3 = MP_DIGIT(b, 3);
-#endif
-		case 3:
-			b2 = MP_DIGIT(b, 2);
-		case 2:
-			b1 = MP_DIGIT(b, 1);
-		default:
-			b0 = MP_DIGIT(b, 0);
-		}
-#ifdef ECL_SIXTY_FOUR_BIT
-		MP_CHECKOK(s_mp_pad(r, 6));
-		s_bmul_3x3(MP_DIGITS(r), a2, a1, a0, b2, b1, b0);
-		MP_USED(r) = 6;
-		s_mp_clamp(r);
-#else
-		MP_CHECKOK(s_mp_pad(r, 12));
-		s_bmul_3x3(MP_DIGITS(r) + 6, a5, a4, a3, b5, b4, b3);
-		s_bmul_3x3(MP_DIGITS(r), a2, a1, a0, b2, b1, b0);
-		s_bmul_3x3(rm, a5 ^ a2, a4 ^ a1, a3 ^ a0, b5 ^ b2, b4 ^ b1,
-				   b3 ^ b0);
-		rm[5] ^= MP_DIGIT(r, 5) ^ MP_DIGIT(r, 11);
-		rm[4] ^= MP_DIGIT(r, 4) ^ MP_DIGIT(r, 10);
-		rm[3] ^= MP_DIGIT(r, 3) ^ MP_DIGIT(r, 9);
-		rm[2] ^= MP_DIGIT(r, 2) ^ MP_DIGIT(r, 8);
-		rm[1] ^= MP_DIGIT(r, 1) ^ MP_DIGIT(r, 7);
-		rm[0] ^= MP_DIGIT(r, 0) ^ MP_DIGIT(r, 6);
-		MP_DIGIT(r, 8) ^= rm[5];
-		MP_DIGIT(r, 7) ^= rm[4];
-		MP_DIGIT(r, 6) ^= rm[3];
-		MP_DIGIT(r, 5) ^= rm[2];
-		MP_DIGIT(r, 4) ^= rm[1];
-		MP_DIGIT(r, 3) ^= rm[0];
-		MP_USED(r) = 12;
-		s_mp_clamp(r);
-#endif
-		return ec_GF2m_163_mod(r, r, meth);
-	}
-
-  CLEANUP:
-	return res;
-}
-
-/* Wire in fast field arithmetic for 163-bit curves. */
-mp_err
-ec_group_set_gf2m163(ECGroup *group, ECCurveName name)
-{
-	group->meth->field_mod = &ec_GF2m_163_mod;
-	group->meth->field_mul = &ec_GF2m_163_mul;
-	group->meth->field_sqr = &ec_GF2m_163_sqr;
-	return MP_OKAY;
-}
diff --git a/security/nss/lib/freebl/ecl/ec2_193.c b/security/nss/lib/freebl/ecl/ec2_193.c
deleted file mode 100644
index 1a1e8189e..000000000
--- a/security/nss/lib/freebl/ecl/ec2_193.c
+++ /dev/null
@@ -1,276 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library for binary polynomial field curves.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Sheueling Chang-Shantz <sheueling.chang@sun.com>,
- *   Stephen Fung <fungstep@hotmail.com>, and
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "ec2.h"
-#include "mp_gf2m.h"
-#include "mp_gf2m-priv.h"
-#include "mpi.h"
-#include "mpi-priv.h"
-#include <stdlib.h>
-
-/* Fast reduction for polynomials over a 193-bit curve. Assumes reduction
- * polynomial with terms {193, 15, 0}. */
-mp_err
-ec_GF2m_193_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
-{
-	mp_err res = MP_OKAY;
-	mp_digit *u, z;
-
-	if (a != r) {
-		MP_CHECKOK(mp_copy(a, r));
-	}
-#ifdef ECL_SIXTY_FOUR_BIT
-	if (MP_USED(r) < 7) {
-		MP_CHECKOK(s_mp_pad(r, 7));
-	}
-	u = MP_DIGITS(r);
-	MP_USED(r) = 7;
-
-	/* u[6] only has 2 significant bits */
-	z = u[6];
-	u[3] ^= (z << 14) ^ (z >> 1);
-	u[2] ^= (z << 63);
-	z = u[5];
-	u[3] ^= (z >> 50);
-	u[2] ^= (z << 14) ^ (z >> 1);
-	u[1] ^= (z << 63);
-	z = u[4];
-	u[2] ^= (z >> 50);
-	u[1] ^= (z << 14) ^ (z >> 1);
-	u[0] ^= (z << 63);
-	z = u[3] >> 1;				/* z only has 63 significant bits */
-	u[1] ^= (z >> 49);
-	u[0] ^= (z << 15) ^ z;
-	/* clear bits above 193 */
-	u[6] = u[5] = u[4] = 0;
-	u[3] ^= z << 1;
-#else
-	if (MP_USED(r) < 13) {
-		MP_CHECKOK(s_mp_pad(r, 13));
-	}
-	u = MP_DIGITS(r);
-	MP_USED(r) = 13;
-
-	/* u[12] only has 2 significant bits */
-	z = u[12];
-	u[6] ^= (z << 14) ^ (z >> 1);
-	u[5] ^= (z << 31);
-	z = u[11];
-	u[6] ^= (z >> 18);
-	u[5] ^= (z << 14) ^ (z >> 1);
-	u[4] ^= (z << 31);
-	z = u[10];
-	u[5] ^= (z >> 18);
-	u[4] ^= (z << 14) ^ (z >> 1);
-	u[3] ^= (z << 31);
-	z = u[9];
-	u[4] ^= (z >> 18);
-	u[3] ^= (z << 14) ^ (z >> 1);
-	u[2] ^= (z << 31);
-	z = u[8];
-	u[3] ^= (z >> 18);
-	u[2] ^= (z << 14) ^ (z >> 1);
-	u[1] ^= (z << 31);
-	z = u[7];
-	u[2] ^= (z >> 18);
-	u[1] ^= (z << 14) ^ (z >> 1);
-	u[0] ^= (z << 31);
-	z = u[6] >> 1;				/* z only has 31 significant bits */
-	u[1] ^= (z >> 17);
-	u[0] ^= (z << 15) ^ z;
-	/* clear bits above 193 */
-	u[12] = u[11] = u[10] = u[9] = u[8] = u[7] = 0;
-	u[6] ^= z << 1;
-#endif
-	s_mp_clamp(r);
-
-  CLEANUP:
-	return res;
-}
-
-/* Fast squaring for polynomials over a 193-bit curve. Assumes reduction
- * polynomial with terms {193, 15, 0}. */
-mp_err
-ec_GF2m_193_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
-{
-	mp_err res = MP_OKAY;
-	mp_digit *u, *v;
-
-	v = MP_DIGITS(a);
-
-#ifdef ECL_SIXTY_FOUR_BIT
-	if (MP_USED(a) < 4) {
-		return mp_bsqrmod(a, meth->irr_arr, r);
-	}
-	if (MP_USED(r) < 7) {
-		MP_CHECKOK(s_mp_pad(r, 7));
-	}
-	MP_USED(r) = 7;
-#else
-	if (MP_USED(a) < 7) {
-		return mp_bsqrmod(a, meth->irr_arr, r);
-	}
-	if (MP_USED(r) < 13) {
-		MP_CHECKOK(s_mp_pad(r, 13));
-	}
-	MP_USED(r) = 13;
-#endif
-	u = MP_DIGITS(r);
-
-#ifdef ECL_THIRTY_TWO_BIT
-	u[12] = gf2m_SQR0(v[6]);
-	u[11] = gf2m_SQR1(v[5]);
-	u[10] = gf2m_SQR0(v[5]);
-	u[9] = gf2m_SQR1(v[4]);
-	u[8] = gf2m_SQR0(v[4]);
-	u[7] = gf2m_SQR1(v[3]);
-#endif
-	u[6] = gf2m_SQR0(v[3]);
-	u[5] = gf2m_SQR1(v[2]);
-	u[4] = gf2m_SQR0(v[2]);
-	u[3] = gf2m_SQR1(v[1]);
-	u[2] = gf2m_SQR0(v[1]);
-	u[1] = gf2m_SQR1(v[0]);
-	u[0] = gf2m_SQR0(v[0]);
-	return ec_GF2m_193_mod(r, r, meth);
-
-  CLEANUP:
-	return res;
-}
-
-/* Fast multiplication for polynomials over a 193-bit curve. Assumes
- * reduction polynomial with terms {193, 15, 0}. */
-mp_err
-ec_GF2m_193_mul(const mp_int *a, const mp_int *b, mp_int *r,
-				const GFMethod *meth)
-{
-	mp_err res = MP_OKAY;
-	mp_digit a3 = 0, a2 = 0, a1 = 0, a0, b3 = 0, b2 = 0, b1 = 0, b0;
-
-#ifdef ECL_THIRTY_TWO_BIT
-	mp_digit a6 = 0, a5 = 0, a4 = 0, b6 = 0, b5 = 0, b4 = 0;
-	mp_digit rm[8];
-#endif
-
-	if (a == b) {
-		return ec_GF2m_193_sqr(a, r, meth);
-	} else {
-		switch (MP_USED(a)) {
-#ifdef ECL_THIRTY_TWO_BIT
-		case 7:
-			a6 = MP_DIGIT(a, 6);
-		case 6:
-			a5 = MP_DIGIT(a, 5);
-		case 5:
-			a4 = MP_DIGIT(a, 4);
-#endif
-		case 4:
-			a3 = MP_DIGIT(a, 3);
-		case 3:
-			a2 = MP_DIGIT(a, 2);
-		case 2:
-			a1 = MP_DIGIT(a, 1);
-		default:
-			a0 = MP_DIGIT(a, 0);
-		}
-		switch (MP_USED(b)) {
-#ifdef ECL_THIRTY_TWO_BIT
-		case 7:
-			b6 = MP_DIGIT(b, 6);
-		case 6:
-			b5 = MP_DIGIT(b, 5);
-		case 5:
-			b4 = MP_DIGIT(b, 4);
-#endif
-		case 4:
-			b3 = MP_DIGIT(b, 3);
-		case 3:
-			b2 = MP_DIGIT(b, 2);
-		case 2:
-			b1 = MP_DIGIT(b, 1);
-		default:
-			b0 = MP_DIGIT(b, 0);
-		}
-#ifdef ECL_SIXTY_FOUR_BIT
-		MP_CHECKOK(s_mp_pad(r, 8));
-		s_bmul_4x4(MP_DIGITS(r), a3, a2, a1, a0, b3, b2, b1, b0);
-		MP_USED(r) = 8;
-		s_mp_clamp(r);
-#else
-		MP_CHECKOK(s_mp_pad(r, 14));
-		s_bmul_3x3(MP_DIGITS(r) + 8, a6, a5, a4, b6, b5, b4);
-		s_bmul_4x4(MP_DIGITS(r), a3, a2, a1, a0, b3, b2, b1, b0);
-		s_bmul_4x4(rm, a3, a6 ^ a2, a5 ^ a1, a4 ^ a0, b3, b6 ^ b2, b5 ^ b1,
-				   b4 ^ b0);
-		rm[7] ^= MP_DIGIT(r, 7);
-		rm[6] ^= MP_DIGIT(r, 6);
-		rm[5] ^= MP_DIGIT(r, 5) ^ MP_DIGIT(r, 13);
-		rm[4] ^= MP_DIGIT(r, 4) ^ MP_DIGIT(r, 12);
-		rm[3] ^= MP_DIGIT(r, 3) ^ MP_DIGIT(r, 11);
-		rm[2] ^= MP_DIGIT(r, 2) ^ MP_DIGIT(r, 10);
-		rm[1] ^= MP_DIGIT(r, 1) ^ MP_DIGIT(r, 9);
-		rm[0] ^= MP_DIGIT(r, 0) ^ MP_DIGIT(r, 8);
-		MP_DIGIT(r, 11) ^= rm[7];
-		MP_DIGIT(r, 10) ^= rm[6];
-		MP_DIGIT(r, 9) ^= rm[5];
-		MP_DIGIT(r, 8) ^= rm[4];
-		MP_DIGIT(r, 7) ^= rm[3];
-		MP_DIGIT(r, 6) ^= rm[2];
-		MP_DIGIT(r, 5) ^= rm[1];
-		MP_DIGIT(r, 4) ^= rm[0];
-		MP_USED(r) = 14;
-		s_mp_clamp(r);
-#endif
-		return ec_GF2m_193_mod(r, r, meth);
-	}
-
-  CLEANUP:
-	return res;
-}
-
-/* Wire in fast field arithmetic for 193-bit curves. */
-mp_err
-ec_group_set_gf2m193(ECGroup *group, ECCurveName name)
-{
-	group->meth->field_mod = &ec_GF2m_193_mod;
-	group->meth->field_mul = &ec_GF2m_193_mul;
-	group->meth->field_sqr = &ec_GF2m_193_sqr;
-	return MP_OKAY;
-}
diff --git a/security/nss/lib/freebl/ecl/ec2_233.c b/security/nss/lib/freebl/ecl/ec2_233.c
deleted file mode 100644
index 3ecea93ff..000000000
--- a/security/nss/lib/freebl/ecl/ec2_233.c
+++ /dev/null
@@ -1,299 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library for binary polynomial field curves.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Sheueling Chang-Shantz <sheueling.chang@sun.com>,
- *   Stephen Fung <fungstep@hotmail.com>, and
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "ec2.h"
-#include "mp_gf2m.h"
-#include "mp_gf2m-priv.h"
-#include "mpi.h"
-#include "mpi-priv.h"
-#include <stdlib.h>
-
-/* Fast reduction for polynomials over a 233-bit curve. Assumes reduction
- * polynomial with terms {233, 74, 0}. */
-mp_err
-ec_GF2m_233_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
-{
-	mp_err res = MP_OKAY;
-	mp_digit *u, z;
-
-	if (a != r) {
-		MP_CHECKOK(mp_copy(a, r));
-	}
-#ifdef ECL_SIXTY_FOUR_BIT
-	if (MP_USED(r) < 8) {
-		MP_CHECKOK(s_mp_pad(r, 8));
-	}
-	u = MP_DIGITS(r);
-	MP_USED(r) = 8;
-
-	/* u[7] only has 18 significant bits */
-	z = u[7];
-	u[4] ^= (z << 33) ^ (z >> 41);
-	u[3] ^= (z << 23);
-	z = u[6];
-	u[4] ^= (z >> 31);
-	u[3] ^= (z << 33) ^ (z >> 41);
-	u[2] ^= (z << 23);
-	z = u[5];
-	u[3] ^= (z >> 31);
-	u[2] ^= (z << 33) ^ (z >> 41);
-	u[1] ^= (z << 23);
-	z = u[4];
-	u[2] ^= (z >> 31);
-	u[1] ^= (z << 33) ^ (z >> 41);
-	u[0] ^= (z << 23);
-	z = u[3] >> 41;				/* z only has 23 significant bits */
-	u[1] ^= (z << 10);
-	u[0] ^= z;
-	/* clear bits above 233 */
-	u[7] = u[6] = u[5] = u[4] = 0;
-	u[3] ^= z << 41;
-#else
-	if (MP_USED(r) < 15) {
-		MP_CHECKOK(s_mp_pad(r, 15));
-	}
-	u = MP_DIGITS(r);
-	MP_USED(r) = 15;
-
-	/* u[14] only has 18 significant bits */
-	z = u[14];
-	u[9] ^= (z << 1);
-	u[7] ^= (z >> 9);
-	u[6] ^= (z << 23);
-	z = u[13];
-	u[9] ^= (z >> 31);
-	u[8] ^= (z << 1);
-	u[6] ^= (z >> 9);
-	u[5] ^= (z << 23);
-	z = u[12];
-	u[8] ^= (z >> 31);
-	u[7] ^= (z << 1);
-	u[5] ^= (z >> 9);
-	u[4] ^= (z << 23);
-	z = u[11];
-	u[7] ^= (z >> 31);
-	u[6] ^= (z << 1);
-	u[4] ^= (z >> 9);
-	u[3] ^= (z << 23);
-	z = u[10];
-	u[6] ^= (z >> 31);
-	u[5] ^= (z << 1);
-	u[3] ^= (z >> 9);
-	u[2] ^= (z << 23);
-	z = u[9];
-	u[5] ^= (z >> 31);
-	u[4] ^= (z << 1);
-	u[2] ^= (z >> 9);
-	u[1] ^= (z << 23);
-	z = u[8];
-	u[4] ^= (z >> 31);
-	u[3] ^= (z << 1);
-	u[1] ^= (z >> 9);
-	u[0] ^= (z << 23);
-	z = u[7] >> 9;				/* z only has 23 significant bits */
-	u[3] ^= (z >> 22);
-	u[2] ^= (z << 10);
-	u[0] ^= z;
-	/* clear bits above 233 */
-	u[14] = u[13] = u[12] = u[11] = u[10] = u[9] = u[8] = 0;
-	u[7] ^= z << 9;
-#endif
-	s_mp_clamp(r);
-
-  CLEANUP:
-	return res;
-}
-
-/* Fast squaring for polynomials over a 233-bit curve. Assumes reduction
- * polynomial with terms {233, 74, 0}. */
-mp_err
-ec_GF2m_233_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
-{
-	mp_err res = MP_OKAY;
-	mp_digit *u, *v;
-
-	v = MP_DIGITS(a);
-
-#ifdef ECL_SIXTY_FOUR_BIT
-	if (MP_USED(a) < 4) {
-		return mp_bsqrmod(a, meth->irr_arr, r);
-	}
-	if (MP_USED(r) < 8) {
-		MP_CHECKOK(s_mp_pad(r, 8));
-	}
-	MP_USED(r) = 8;
-#else
-	if (MP_USED(a) < 8) {
-		return mp_bsqrmod(a, meth->irr_arr, r);
-	}
-	if (MP_USED(r) < 15) {
-		MP_CHECKOK(s_mp_pad(r, 15));
-	}
-	MP_USED(r) = 15;
-#endif
-	u = MP_DIGITS(r);
-
-#ifdef ECL_THIRTY_TWO_BIT
-	u[14] = gf2m_SQR0(v[7]);
-	u[13] = gf2m_SQR1(v[6]);
-	u[12] = gf2m_SQR0(v[6]);
-	u[11] = gf2m_SQR1(v[5]);
-	u[10] = gf2m_SQR0(v[5]);
-	u[9] = gf2m_SQR1(v[4]);
-	u[8] = gf2m_SQR0(v[4]);
-#endif
-	u[7] = gf2m_SQR1(v[3]);
-	u[6] = gf2m_SQR0(v[3]);
-	u[5] = gf2m_SQR1(v[2]);
-	u[4] = gf2m_SQR0(v[2]);
-	u[3] = gf2m_SQR1(v[1]);
-	u[2] = gf2m_SQR0(v[1]);
-	u[1] = gf2m_SQR1(v[0]);
-	u[0] = gf2m_SQR0(v[0]);
-	return ec_GF2m_233_mod(r, r, meth);
-
-  CLEANUP:
-	return res;
-}
-
-/* Fast multiplication for polynomials over a 233-bit curve. Assumes
- * reduction polynomial with terms {233, 74, 0}. */
-mp_err
-ec_GF2m_233_mul(const mp_int *a, const mp_int *b, mp_int *r,
-				const GFMethod *meth)
-{
-	mp_err res = MP_OKAY;
-	mp_digit a3 = 0, a2 = 0, a1 = 0, a0, b3 = 0, b2 = 0, b1 = 0, b0;
-
-#ifdef ECL_THIRTY_TWO_BIT
-	mp_digit a7 = 0, a6 = 0, a5 = 0, a4 = 0, b7 = 0, b6 = 0, b5 = 0, b4 =
-		0;
-	mp_digit rm[8];
-#endif
-
-	if (a == b) {
-		return ec_GF2m_233_sqr(a, r, meth);
-	} else {
-		switch (MP_USED(a)) {
-#ifdef ECL_THIRTY_TWO_BIT
-		case 8:
-			a7 = MP_DIGIT(a, 7);
-		case 7:
-			a6 = MP_DIGIT(a, 6);
-		case 6:
-			a5 = MP_DIGIT(a, 5);
-		case 5:
-			a4 = MP_DIGIT(a, 4);
-#endif
-		case 4:
-			a3 = MP_DIGIT(a, 3);
-		case 3:
-			a2 = MP_DIGIT(a, 2);
-		case 2:
-			a1 = MP_DIGIT(a, 1);
-		default:
-			a0 = MP_DIGIT(a, 0);
-		}
-		switch (MP_USED(b)) {
-#ifdef ECL_THIRTY_TWO_BIT
-		case 8:
-			b7 = MP_DIGIT(b, 7);
-		case 7:
-			b6 = MP_DIGIT(b, 6);
-		case 6:
-			b5 = MP_DIGIT(b, 5);
-		case 5:
-			b4 = MP_DIGIT(b, 4);
-#endif
-		case 4:
-			b3 = MP_DIGIT(b, 3);
-		case 3:
-			b2 = MP_DIGIT(b, 2);
-		case 2:
-			b1 = MP_DIGIT(b, 1);
-		default:
-			b0 = MP_DIGIT(b, 0);
-		}
-#ifdef ECL_SIXTY_FOUR_BIT
-		MP_CHECKOK(s_mp_pad(r, 8));
-		s_bmul_4x4(MP_DIGITS(r), a3, a2, a1, a0, b3, b2, b1, b0);
-		MP_USED(r) = 8;
-		s_mp_clamp(r);
-#else
-		MP_CHECKOK(s_mp_pad(r, 16));
-		s_bmul_4x4(MP_DIGITS(r) + 8, a7, a6, a5, a4, b7, b6, b5, b4);
-		s_bmul_4x4(MP_DIGITS(r), a3, a2, a1, a0, b3, b2, b1, b0);
-		s_bmul_4x4(rm, a7 ^ a3, a6 ^ a2, a5 ^ a1, a4 ^ a0, b7 ^ b3,
-				   b6 ^ b2, b5 ^ b1, b4 ^ b0);
-		rm[7] ^= MP_DIGIT(r, 7) ^ MP_DIGIT(r, 15);
-		rm[6] ^= MP_DIGIT(r, 6) ^ MP_DIGIT(r, 14);
-		rm[5] ^= MP_DIGIT(r, 5) ^ MP_DIGIT(r, 13);
-		rm[4] ^= MP_DIGIT(r, 4) ^ MP_DIGIT(r, 12);
-		rm[3] ^= MP_DIGIT(r, 3) ^ MP_DIGIT(r, 11);
-		rm[2] ^= MP_DIGIT(r, 2) ^ MP_DIGIT(r, 10);
-		rm[1] ^= MP_DIGIT(r, 1) ^ MP_DIGIT(r, 9);
-		rm[0] ^= MP_DIGIT(r, 0) ^ MP_DIGIT(r, 8);
-		MP_DIGIT(r, 11) ^= rm[7];
-		MP_DIGIT(r, 10) ^= rm[6];
-		MP_DIGIT(r, 9) ^= rm[5];
-		MP_DIGIT(r, 8) ^= rm[4];
-		MP_DIGIT(r, 7) ^= rm[3];
-		MP_DIGIT(r, 6) ^= rm[2];
-		MP_DIGIT(r, 5) ^= rm[1];
-		MP_DIGIT(r, 4) ^= rm[0];
-		MP_USED(r) = 16;
-		s_mp_clamp(r);
-#endif
-		return ec_GF2m_233_mod(r, r, meth);
-	}
-
-  CLEANUP:
-	return res;
-}
-
-/* Wire in fast field arithmetic for 233-bit curves. */
-mp_err
-ec_group_set_gf2m233(ECGroup *group, ECCurveName name)
-{
-	group->meth->field_mod = &ec_GF2m_233_mod;
-	group->meth->field_mul = &ec_GF2m_233_mul;
-	group->meth->field_sqr = &ec_GF2m_233_sqr;
-	return MP_OKAY;
-}
diff --git a/security/nss/lib/freebl/ecl/ec2_aff.c b/security/nss/lib/freebl/ecl/ec2_aff.c
deleted file mode 100644
index 45b277001..000000000
--- a/security/nss/lib/freebl/ecl/ec2_aff.c
+++ /dev/null
@@ -1,347 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library for binary polynomial field curves.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "ec2.h"
-#include "mplogic.h"
-#include "mp_gf2m.h"
-#include <stdlib.h>
-
-/* Checks if point P(px, py) is at infinity.  Uses affine coordinates. */
-mp_err
-ec_GF2m_pt_is_inf_aff(const mp_int *px, const mp_int *py)
-{
-
-	if ((mp_cmp_z(px) == 0) && (mp_cmp_z(py) == 0)) {
-		return MP_YES;
-	} else {
-		return MP_NO;
-	}
-
-}
-
-/* Sets P(px, py) to be the point at infinity.  Uses affine coordinates. */
-mp_err
-ec_GF2m_pt_set_inf_aff(mp_int *px, mp_int *py)
-{
-	mp_zero(px);
-	mp_zero(py);
-	return MP_OKAY;
-}
-
-/* Computes R = P + Q based on IEEE P1363 A.10.2. Elliptic curve points P, 
- * Q, and R can all be identical. Uses affine coordinates. */
-mp_err
-ec_GF2m_pt_add_aff(const mp_int *px, const mp_int *py, const mp_int *qx,
-				   const mp_int *qy, mp_int *rx, mp_int *ry,
-				   const ECGroup *group)
-{
-	mp_err res = MP_OKAY;
-	mp_int lambda, tempx, tempy;
-
-	MP_DIGITS(&lambda) = 0;
-	MP_DIGITS(&tempx) = 0;
-	MP_DIGITS(&tempy) = 0;
-	MP_CHECKOK(mp_init(&lambda));
-	MP_CHECKOK(mp_init(&tempx));
-	MP_CHECKOK(mp_init(&tempy));
-	/* if P = inf, then R = Q */
-	if (ec_GF2m_pt_is_inf_aff(px, py) == 0) {
-		MP_CHECKOK(mp_copy(qx, rx));
-		MP_CHECKOK(mp_copy(qy, ry));
-		res = MP_OKAY;
-		goto CLEANUP;
-	}
-	/* if Q = inf, then R = P */
-	if (ec_GF2m_pt_is_inf_aff(qx, qy) == 0) {
-		MP_CHECKOK(mp_copy(px, rx));
-		MP_CHECKOK(mp_copy(py, ry));
-		res = MP_OKAY;
-		goto CLEANUP;
-	}
-	/* if px != qx, then lambda = (py+qy) / (px+qx), tempx = a + lambda^2
-	 * + lambda + px + qx */
-	if (mp_cmp(px, qx) != 0) {
-		MP_CHECKOK(group->meth->field_add(py, qy, &tempy, group->meth));
-		MP_CHECKOK(group->meth->field_add(px, qx, &tempx, group->meth));
-		MP_CHECKOK(group->meth->
-				   field_div(&tempy, &tempx, &lambda, group->meth));
-		MP_CHECKOK(group->meth->field_sqr(&lambda, &tempx, group->meth));
-		MP_CHECKOK(group->meth->
-				   field_add(&tempx, &lambda, &tempx, group->meth));
-		MP_CHECKOK(group->meth->
-				   field_add(&tempx, &group->curvea, &tempx, group->meth));
-		MP_CHECKOK(group->meth->
-				   field_add(&tempx, px, &tempx, group->meth));
-		MP_CHECKOK(group->meth->
-				   field_add(&tempx, qx, &tempx, group->meth));
-	} else {
-		/* if py != qy or qx = 0, then R = inf */
-		if (((mp_cmp(py, qy) != 0)) || (mp_cmp_z(qx) == 0)) {
-			mp_zero(rx);
-			mp_zero(ry);
-			res = MP_OKAY;
-			goto CLEANUP;
-		}
-		/* lambda = qx + qy / qx */
-		MP_CHECKOK(group->meth->field_div(qy, qx, &lambda, group->meth));
-		MP_CHECKOK(group->meth->
-				   field_add(&lambda, qx, &lambda, group->meth));
-		/* tempx = a + lambda^2 + lambda */
-		MP_CHECKOK(group->meth->field_sqr(&lambda, &tempx, group->meth));
-		MP_CHECKOK(group->meth->
-				   field_add(&tempx, &lambda, &tempx, group->meth));
-		MP_CHECKOK(group->meth->
-				   field_add(&tempx, &group->curvea, &tempx, group->meth));
-	}
-	/* ry = (qx + tempx) * lambda + tempx + qy */
-	MP_CHECKOK(group->meth->field_add(qx, &tempx, &tempy, group->meth));
-	MP_CHECKOK(group->meth->
-			   field_mul(&tempy, &lambda, &tempy, group->meth));
-	MP_CHECKOK(group->meth->
-			   field_add(&tempy, &tempx, &tempy, group->meth));
-	MP_CHECKOK(group->meth->field_add(&tempy, qy, ry, group->meth));
-	/* rx = tempx */
-	MP_CHECKOK(mp_copy(&tempx, rx));
-
-  CLEANUP:
-	mp_clear(&lambda);
-	mp_clear(&tempx);
-	mp_clear(&tempy);
-	return res;
-}
-
-/* Computes R = P - Q. Elliptic curve points P, Q, and R can all be
- * identical. Uses affine coordinates. */
-mp_err
-ec_GF2m_pt_sub_aff(const mp_int *px, const mp_int *py, const mp_int *qx,
-				   const mp_int *qy, mp_int *rx, mp_int *ry,
-				   const ECGroup *group)
-{
-	mp_err res = MP_OKAY;
-	mp_int nqy;
-
-	MP_DIGITS(&nqy) = 0;
-	MP_CHECKOK(mp_init(&nqy));
-	/* nqy = qx+qy */
-	MP_CHECKOK(group->meth->field_add(qx, qy, &nqy, group->meth));
-	MP_CHECKOK(group->point_add(px, py, qx, &nqy, rx, ry, group));
-  CLEANUP:
-	mp_clear(&nqy);
-	return res;
-}
-
-/* Computes R = 2P. Elliptic curve points P and R can be identical. Uses
- * affine coordinates. */
-mp_err
-ec_GF2m_pt_dbl_aff(const mp_int *px, const mp_int *py, mp_int *rx,
-				   mp_int *ry, const ECGroup *group)
-{
-	return group->point_add(px, py, px, py, rx, ry, group);
-}
-
-/* by default, this routine is unused and thus doesn't need to be compiled */
-#ifdef ECL_ENABLE_GF2M_PT_MUL_AFF
-/* Computes R = nP based on IEEE P1363 A.10.3. Elliptic curve points P and 
- * R can be identical. Uses affine coordinates. */
-mp_err
-ec_GF2m_pt_mul_aff(const mp_int *n, const mp_int *px, const mp_int *py,
-				   mp_int *rx, mp_int *ry, const ECGroup *group)
-{
-	mp_err res = MP_OKAY;
-	mp_int k, k3, qx, qy, sx, sy;
-	int b1, b3, i, l;
-
-	MP_DIGITS(&k) = 0;
-	MP_DIGITS(&k3) = 0;
-	MP_DIGITS(&qx) = 0;
-	MP_DIGITS(&qy) = 0;
-	MP_DIGITS(&sx) = 0;
-	MP_DIGITS(&sy) = 0;
-	MP_CHECKOK(mp_init(&k));
-	MP_CHECKOK(mp_init(&k3));
-	MP_CHECKOK(mp_init(&qx));
-	MP_CHECKOK(mp_init(&qy));
-	MP_CHECKOK(mp_init(&sx));
-	MP_CHECKOK(mp_init(&sy));
-
-	/* if n = 0 then r = inf */
-	if (mp_cmp_z(n) == 0) {
-		mp_zero(rx);
-		mp_zero(ry);
-		res = MP_OKAY;
-		goto CLEANUP;
-	}
-	/* Q = P, k = n */
-	MP_CHECKOK(mp_copy(px, &qx));
-	MP_CHECKOK(mp_copy(py, &qy));
-	MP_CHECKOK(mp_copy(n, &k));
-	/* if n < 0 then Q = -Q, k = -k */
-	if (mp_cmp_z(n) < 0) {
-		MP_CHECKOK(group->meth->field_add(&qx, &qy, &qy, group->meth));
-		MP_CHECKOK(mp_neg(&k, &k));
-	}
-#ifdef ECL_DEBUG				/* basic double and add method */
-	l = mpl_significant_bits(&k) - 1;
-	MP_CHECKOK(mp_copy(&qx, &sx));
-	MP_CHECKOK(mp_copy(&qy, &sy));
-	for (i = l - 1; i >= 0; i--) {
-		/* S = 2S */
-		MP_CHECKOK(group->point_dbl(&sx, &sy, &sx, &sy, group));
-		/* if k_i = 1, then S = S + Q */
-		if (mpl_get_bit(&k, i) != 0) {
-			MP_CHECKOK(group->
-					   point_add(&sx, &sy, &qx, &qy, &sx, &sy, group));
-		}
-	}
-#else							/* double and add/subtract method from
-								 * standard */
-	/* k3 = 3 * k */
-	MP_CHECKOK(mp_set_int(&k3, 3));
-	MP_CHECKOK(mp_mul(&k, &k3, &k3));
-	/* S = Q */
-	MP_CHECKOK(mp_copy(&qx, &sx));
-	MP_CHECKOK(mp_copy(&qy, &sy));
-	/* l = index of high order bit in binary representation of 3*k */
-	l = mpl_significant_bits(&k3) - 1;
-	/* for i = l-1 downto 1 */
-	for (i = l - 1; i >= 1; i--) {
-		/* S = 2S */
-		MP_CHECKOK(group->point_dbl(&sx, &sy, &sx, &sy, group));
-		b3 = MP_GET_BIT(&k3, i);
-		b1 = MP_GET_BIT(&k, i);
-		/* if k3_i = 1 and k_i = 0, then S = S + Q */
-		if ((b3 == 1) && (b1 == 0)) {
-			MP_CHECKOK(group->
-					   point_add(&sx, &sy, &qx, &qy, &sx, &sy, group));
-			/* if k3_i = 0 and k_i = 1, then S = S - Q */
-		} else if ((b3 == 0) && (b1 == 1)) {
-			MP_CHECKOK(group->
-					   point_sub(&sx, &sy, &qx, &qy, &sx, &sy, group));
-		}
-	}
-#endif
-	/* output S */
-	MP_CHECKOK(mp_copy(&sx, rx));
-	MP_CHECKOK(mp_copy(&sy, ry));
-
-  CLEANUP:
-	mp_clear(&k);
-	mp_clear(&k3);
-	mp_clear(&qx);
-	mp_clear(&qy);
-	mp_clear(&sx);
-	mp_clear(&sy);
-	return res;
-}
-#endif
-
-/* Validates a point on a GF2m curve. */
-mp_err 
-ec_GF2m_validate_point(const mp_int *px, const mp_int *py, const ECGroup *group)
-{
-	mp_err res = MP_NO;
-	mp_int accl, accr, tmp, pxt, pyt;
-
-	MP_DIGITS(&accl) = 0;
-	MP_DIGITS(&accr) = 0;
-	MP_DIGITS(&tmp) = 0;
-	MP_DIGITS(&pxt) = 0;
-	MP_DIGITS(&pyt) = 0;
-	MP_CHECKOK(mp_init(&accl));
-	MP_CHECKOK(mp_init(&accr));
-	MP_CHECKOK(mp_init(&tmp));
-	MP_CHECKOK(mp_init(&pxt));
-	MP_CHECKOK(mp_init(&pyt));
-
-    /* 1: Verify that publicValue is not the point at infinity */
-	if (ec_GF2m_pt_is_inf_aff(px, py) == MP_YES) {
-		res = MP_NO;
-		goto CLEANUP;
-	}
-    /* 2: Verify that the coordinates of publicValue are elements 
-     *    of the field.
-     */
-	if ((MP_SIGN(px) == MP_NEG) || (mp_cmp(px, &group->meth->irr) >= 0) || 
-		(MP_SIGN(py) == MP_NEG) || (mp_cmp(py, &group->meth->irr) >= 0)) {
-		res = MP_NO;
-		goto CLEANUP;
-	}
-    /* 3: Verify that publicValue is on the curve. */
-	if (group->meth->field_enc) {
-		group->meth->field_enc(px, &pxt, group->meth);
-		group->meth->field_enc(py, &pyt, group->meth);
-	} else {
-		mp_copy(px, &pxt);
-		mp_copy(py, &pyt);
-	}
-	/* left-hand side: y^2 + x*y  */
-	MP_CHECKOK( group->meth->field_sqr(&pyt, &accl, group->meth) );
-	MP_CHECKOK( group->meth->field_mul(&pxt, &pyt, &tmp, group->meth) );
-	MP_CHECKOK( group->meth->field_mul(&pxt, &pyt, &tmp, group->meth) );
-	MP_CHECKOK( group->meth->field_add(&accl, &tmp, &accl, group->meth) );
-	/* right-hand side: x^3 + a*x^2 + b */
-	MP_CHECKOK( group->meth->field_sqr(&pxt, &tmp, group->meth) );
-	MP_CHECKOK( group->meth->field_mul(&pxt, &tmp, &accr, group->meth) );
-	MP_CHECKOK( group->meth->field_mul(&group->curvea, &tmp, &tmp, group->meth) );
-	MP_CHECKOK( group->meth->field_add(&tmp, &accr, &accr, group->meth) );
-	MP_CHECKOK( group->meth->field_add(&accr, &group->curveb, &accr, group->meth) );
-	/* check LHS - RHS == 0 */
-	MP_CHECKOK( group->meth->field_add(&accl, &accr, &accr, group->meth) );
-	if (mp_cmp_z(&accr) != 0) {
-		res = MP_NO;
-		goto CLEANUP;
-	}
-    /* 4: Verify that the order of the curve times the publicValue
-     *    is the point at infinity.
-     */
-	MP_CHECKOK( ECPoint_mul(group, &group->order, px, py, &pxt, &pyt) );
-	if (ec_GF2m_pt_is_inf_aff(&pxt, &pyt) != MP_YES) {
-		res = MP_NO;
-		goto CLEANUP;
-	}
-
-	res = MP_YES;
-
-CLEANUP:
-	mp_clear(&accl);
-	mp_clear(&accr);
-	mp_clear(&tmp);
-	mp_clear(&pxt);
-	mp_clear(&pyt);
-	return res;
-}
diff --git a/security/nss/lib/freebl/ecl/ec2_mont.c b/security/nss/lib/freebl/ecl/ec2_mont.c
deleted file mode 100644
index 17c9f6de4..000000000
--- a/security/nss/lib/freebl/ecl/ec2_mont.c
+++ /dev/null
@@ -1,277 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library for binary polynomial field curves.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Sheueling Chang-Shantz <sheueling.chang@sun.com>,
- *   Stephen Fung <fungstep@hotmail.com>, and
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "ec2.h"
-#include "mplogic.h"
-#include "mp_gf2m.h"
-#include <stdlib.h>
-
-/* Compute the x-coordinate x/z for the point 2*(x/z) in Montgomery
- * projective coordinates. Uses algorithm Mdouble in appendix of Lopez, J. 
- * and Dahab, R.  "Fast multiplication on elliptic curves over GF(2^m)
- * without precomputation". modified to not require precomputation of
- * c=b^{2^{m-1}}. */
-static mp_err
-gf2m_Mdouble(mp_int *x, mp_int *z, const ECGroup *group)
-{
-	mp_err res = MP_OKAY;
-	mp_int t1;
-
-	MP_DIGITS(&t1) = 0;
-	MP_CHECKOK(mp_init(&t1));
-
-	MP_CHECKOK(group->meth->field_sqr(x, x, group->meth));
-	MP_CHECKOK(group->meth->field_sqr(z, &t1, group->meth));
-	MP_CHECKOK(group->meth->field_mul(x, &t1, z, group->meth));
-	MP_CHECKOK(group->meth->field_sqr(x, x, group->meth));
-	MP_CHECKOK(group->meth->field_sqr(&t1, &t1, group->meth));
-	MP_CHECKOK(group->meth->
-			   field_mul(&group->curveb, &t1, &t1, group->meth));
-	MP_CHECKOK(group->meth->field_add(x, &t1, x, group->meth));
-
-  CLEANUP:
-	mp_clear(&t1);
-	return res;
-}
-
-/* Compute the x-coordinate x1/z1 for the point (x1/z1)+(x2/x2) in
- * Montgomery projective coordinates. Uses algorithm Madd in appendix of
- * Lopex, J. and Dahab, R.  "Fast multiplication on elliptic curves over
- * GF(2^m) without precomputation". */
-static mp_err
-gf2m_Madd(const mp_int *x, mp_int *x1, mp_int *z1, mp_int *x2, mp_int *z2,
-		  const ECGroup *group)
-{
-	mp_err res = MP_OKAY;
-	mp_int t1, t2;
-
-	MP_DIGITS(&t1) = 0;
-	MP_DIGITS(&t2) = 0;
-	MP_CHECKOK(mp_init(&t1));
-	MP_CHECKOK(mp_init(&t2));
-
-	MP_CHECKOK(mp_copy(x, &t1));
-	MP_CHECKOK(group->meth->field_mul(x1, z2, x1, group->meth));
-	MP_CHECKOK(group->meth->field_mul(z1, x2, z1, group->meth));
-	MP_CHECKOK(group->meth->field_mul(x1, z1, &t2, group->meth));
-	MP_CHECKOK(group->meth->field_add(z1, x1, z1, group->meth));
-	MP_CHECKOK(group->meth->field_sqr(z1, z1, group->meth));
-	MP_CHECKOK(group->meth->field_mul(z1, &t1, x1, group->meth));
-	MP_CHECKOK(group->meth->field_add(x1, &t2, x1, group->meth));
-
-  CLEANUP:
-	mp_clear(&t1);
-	mp_clear(&t2);
-	return res;
-}
-
-/* Compute the x, y affine coordinates from the point (x1, z1) (x2, z2)
- * using Montgomery point multiplication algorithm Mxy() in appendix of
- * Lopex, J. and Dahab, R.  "Fast multiplication on elliptic curves over
- * GF(2^m) without precomputation". Returns: 0 on error 1 if return value
- * should be the point at infinity 2 otherwise */
-static int
-gf2m_Mxy(const mp_int *x, const mp_int *y, mp_int *x1, mp_int *z1,
-		 mp_int *x2, mp_int *z2, const ECGroup *group)
-{
-	mp_err res = MP_OKAY;
-	int ret = 0;
-	mp_int t3, t4, t5;
-
-	MP_DIGITS(&t3) = 0;
-	MP_DIGITS(&t4) = 0;
-	MP_DIGITS(&t5) = 0;
-	MP_CHECKOK(mp_init(&t3));
-	MP_CHECKOK(mp_init(&t4));
-	MP_CHECKOK(mp_init(&t5));
-
-	if (mp_cmp_z(z1) == 0) {
-		mp_zero(x2);
-		mp_zero(z2);
-		ret = 1;
-		goto CLEANUP;
-	}
-
-	if (mp_cmp_z(z2) == 0) {
-		MP_CHECKOK(mp_copy(x, x2));
-		MP_CHECKOK(group->meth->field_add(x, y, z2, group->meth));
-		ret = 2;
-		goto CLEANUP;
-	}
-
-	MP_CHECKOK(mp_set_int(&t5, 1));
-	if (group->meth->field_enc) {
-		MP_CHECKOK(group->meth->field_enc(&t5, &t5, group->meth));
-	}
-
-	MP_CHECKOK(group->meth->field_mul(z1, z2, &t3, group->meth));
-
-	MP_CHECKOK(group->meth->field_mul(z1, x, z1, group->meth));
-	MP_CHECKOK(group->meth->field_add(z1, x1, z1, group->meth));
-	MP_CHECKOK(group->meth->field_mul(z2, x, z2, group->meth));
-	MP_CHECKOK(group->meth->field_mul(z2, x1, x1, group->meth));
-	MP_CHECKOK(group->meth->field_add(z2, x2, z2, group->meth));
-
-	MP_CHECKOK(group->meth->field_mul(z2, z1, z2, group->meth));
-	MP_CHECKOK(group->meth->field_sqr(x, &t4, group->meth));
-	MP_CHECKOK(group->meth->field_add(&t4, y, &t4, group->meth));
-	MP_CHECKOK(group->meth->field_mul(&t4, &t3, &t4, group->meth));
-	MP_CHECKOK(group->meth->field_add(&t4, z2, &t4, group->meth));
-
-	MP_CHECKOK(group->meth->field_mul(&t3, x, &t3, group->meth));
-	MP_CHECKOK(group->meth->field_div(&t5, &t3, &t3, group->meth));
-	MP_CHECKOK(group->meth->field_mul(&t3, &t4, &t4, group->meth));
-	MP_CHECKOK(group->meth->field_mul(x1, &t3, x2, group->meth));
-	MP_CHECKOK(group->meth->field_add(x2, x, z2, group->meth));
-
-	MP_CHECKOK(group->meth->field_mul(z2, &t4, z2, group->meth));
-	MP_CHECKOK(group->meth->field_add(z2, y, z2, group->meth));
-
-	ret = 2;
-
-  CLEANUP:
-	mp_clear(&t3);
-	mp_clear(&t4);
-	mp_clear(&t5);
-	if (res == MP_OKAY) {
-		return ret;
-	} else {
-		return 0;
-	}
-}
-
-/* Computes R = nP based on algorithm 2P of Lopex, J. and Dahab, R.  "Fast 
- * multiplication on elliptic curves over GF(2^m) without
- * precomputation". Elliptic curve points P and R can be identical. Uses
- * Montgomery projective coordinates. */
-mp_err
-ec_GF2m_pt_mul_mont(const mp_int *n, const mp_int *px, const mp_int *py,
-					mp_int *rx, mp_int *ry, const ECGroup *group)
-{
-	mp_err res = MP_OKAY;
-	mp_int x1, x2, z1, z2;
-	int i, j;
-	mp_digit top_bit, mask;
-
-	MP_DIGITS(&x1) = 0;
-	MP_DIGITS(&x2) = 0;
-	MP_DIGITS(&z1) = 0;
-	MP_DIGITS(&z2) = 0;
-	MP_CHECKOK(mp_init(&x1));
-	MP_CHECKOK(mp_init(&x2));
-	MP_CHECKOK(mp_init(&z1));
-	MP_CHECKOK(mp_init(&z2));
-
-	/* if result should be point at infinity */
-	if ((mp_cmp_z(n) == 0) || (ec_GF2m_pt_is_inf_aff(px, py) == MP_YES)) {
-		MP_CHECKOK(ec_GF2m_pt_set_inf_aff(rx, ry));
-		goto CLEANUP;
-	}
-
-	MP_CHECKOK(mp_copy(rx, &x2));	/* x2 = rx */
-	MP_CHECKOK(mp_copy(ry, &z2));	/* z2 = ry */
-
-	MP_CHECKOK(mp_copy(px, &x1));	/* x1 = px */
-	MP_CHECKOK(mp_set_int(&z1, 1));	/* z1 = 1 */
-	MP_CHECKOK(group->meth->field_sqr(&x1, &z2, group->meth));	/* z2 =
-																 * x1^2 =
-																 * x2^2 */
-	MP_CHECKOK(group->meth->field_sqr(&z2, &x2, group->meth));
-	MP_CHECKOK(group->meth->field_add(&x2, &group->curveb, &x2, group->meth));	/* x2 
-																				 * = 
-																				 * px^4 
-																				 * + 
-																				 * b 
-																				 */
-
-	/* find top-most bit and go one past it */
-	i = MP_USED(n) - 1;
-	j = MP_DIGIT_BIT - 1;
-	top_bit = 1;
-	top_bit <<= MP_DIGIT_BIT - 1;
-	mask = top_bit;
-	while (!(MP_DIGITS(n)[i] & mask)) {
-		mask >>= 1;
-		j--;
-	}
-	mask >>= 1;
-	j--;
-
-	/* if top most bit was at word break, go to next word */
-	if (!mask) {
-		i--;
-		j = MP_DIGIT_BIT - 1;
-		mask = top_bit;
-	}
-
-	for (; i >= 0; i--) {
-		for (; j >= 0; j--) {
-			if (MP_DIGITS(n)[i] & mask) {
-				MP_CHECKOK(gf2m_Madd(px, &x1, &z1, &x2, &z2, group));
-				MP_CHECKOK(gf2m_Mdouble(&x2, &z2, group));
-			} else {
-				MP_CHECKOK(gf2m_Madd(px, &x2, &z2, &x1, &z1, group));
-				MP_CHECKOK(gf2m_Mdouble(&x1, &z1, group));
-			}
-			mask >>= 1;
-		}
-		j = MP_DIGIT_BIT - 1;
-		mask = top_bit;
-	}
-
-	/* convert out of "projective" coordinates */
-	i = gf2m_Mxy(px, py, &x1, &z1, &x2, &z2, group);
-	if (i == 0) {
-		res = MP_BADARG;
-		goto CLEANUP;
-	} else if (i == 1) {
-		MP_CHECKOK(ec_GF2m_pt_set_inf_aff(rx, ry));
-	} else {
-		MP_CHECKOK(mp_copy(&x2, rx));
-		MP_CHECKOK(mp_copy(&z2, ry));
-	}
-
-  CLEANUP:
-	mp_clear(&x1);
-	mp_clear(&x2);
-	mp_clear(&z1);
-	mp_clear(&z2);
-	return res;
-}
diff --git a/security/nss/lib/freebl/ecl/ec2_proj.c b/security/nss/lib/freebl/ecl/ec2_proj.c
deleted file mode 100644
index 340e47d08..000000000
--- a/security/nss/lib/freebl/ecl/ec2_proj.c
+++ /dev/null
@@ -1,369 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library for binary polynomial field curves.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Sheueling Chang-Shantz <sheueling.chang@sun.com>,
- *   Stephen Fung <fungstep@hotmail.com>, and
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "ec2.h"
-#include "mplogic.h"
-#include "mp_gf2m.h"
-#include <stdlib.h>
-#ifdef ECL_DEBUG
-#include <assert.h>
-#endif
-
-/* by default, these routines are unused and thus don't need to be compiled */
-#ifdef ECL_ENABLE_GF2M_PROJ
-/* Converts a point P(px, py) from affine coordinates to projective
- * coordinates R(rx, ry, rz). Assumes input is already field-encoded using 
- * field_enc, and returns output that is still field-encoded. */
-mp_err
-ec_GF2m_pt_aff2proj(const mp_int *px, const mp_int *py, mp_int *rx,
-					mp_int *ry, mp_int *rz, const ECGroup *group)
-{
-	mp_err res = MP_OKAY;
-
-	MP_CHECKOK(mp_copy(px, rx));
-	MP_CHECKOK(mp_copy(py, ry));
-	MP_CHECKOK(mp_set_int(rz, 1));
-	if (group->meth->field_enc) {
-		MP_CHECKOK(group->meth->field_enc(rz, rz, group->meth));
-	}
-  CLEANUP:
-	return res;
-}
-
-/* Converts a point P(px, py, pz) from projective coordinates to affine
- * coordinates R(rx, ry).  P and R can share x and y coordinates. Assumes
- * input is already field-encoded using field_enc, and returns output that
- * is still field-encoded. */
-mp_err
-ec_GF2m_pt_proj2aff(const mp_int *px, const mp_int *py, const mp_int *pz,
-					mp_int *rx, mp_int *ry, const ECGroup *group)
-{
-	mp_err res = MP_OKAY;
-	mp_int z1, z2;
-
-	MP_DIGITS(&z1) = 0;
-	MP_DIGITS(&z2) = 0;
-	MP_CHECKOK(mp_init(&z1));
-	MP_CHECKOK(mp_init(&z2));
-
-	/* if point at infinity, then set point at infinity and exit */
-	if (ec_GF2m_pt_is_inf_proj(px, py, pz) == MP_YES) {
-		MP_CHECKOK(ec_GF2m_pt_set_inf_aff(rx, ry));
-		goto CLEANUP;
-	}
-
-	/* transform (px, py, pz) into (px / pz, py / pz^2) */
-	if (mp_cmp_d(pz, 1) == 0) {
-		MP_CHECKOK(mp_copy(px, rx));
-		MP_CHECKOK(mp_copy(py, ry));
-	} else {
-		MP_CHECKOK(group->meth->field_div(NULL, pz, &z1, group->meth));
-		MP_CHECKOK(group->meth->field_sqr(&z1, &z2, group->meth));
-		MP_CHECKOK(group->meth->field_mul(px, &z1, rx, group->meth));
-		MP_CHECKOK(group->meth->field_mul(py, &z2, ry, group->meth));
-	}
-
-  CLEANUP:
-	mp_clear(&z1);
-	mp_clear(&z2);
-	return res;
-}
-
-/* Checks if point P(px, py, pz) is at infinity. Uses projective
- * coordinates. */
-mp_err
-ec_GF2m_pt_is_inf_proj(const mp_int *px, const mp_int *py,
-					   const mp_int *pz)
-{
-	return mp_cmp_z(pz);
-}
-
-/* Sets P(px, py, pz) to be the point at infinity.  Uses projective
- * coordinates. */
-mp_err
-ec_GF2m_pt_set_inf_proj(mp_int *px, mp_int *py, mp_int *pz)
-{
-	mp_zero(pz);
-	return MP_OKAY;
-}
-
-/* Computes R = P + Q where R is (rx, ry, rz), P is (px, py, pz) and Q is
- * (qx, qy, 1).  Elliptic curve points P, Q, and R can all be identical.
- * Uses mixed projective-affine coordinates. Assumes input is already
- * field-encoded using field_enc, and returns output that is still
- * field-encoded. Uses equation (3) from Hankerson, Hernandez, Menezes.
- * Software Implementation of Elliptic Curve Cryptography Over Binary
- * Fields. */
-mp_err
-ec_GF2m_pt_add_proj(const mp_int *px, const mp_int *py, const mp_int *pz,
-					const mp_int *qx, const mp_int *qy, mp_int *rx,
-					mp_int *ry, mp_int *rz, const ECGroup *group)
-{
-	mp_err res = MP_OKAY;
-	mp_int A, B, C, D, E, F, G;
-
-	/* If either P or Q is the point at infinity, then return the other
-	 * point */
-	if (ec_GF2m_pt_is_inf_proj(px, py, pz) == MP_YES) {
-		return ec_GF2m_pt_aff2proj(qx, qy, rx, ry, rz, group);
-	}
-	if (ec_GF2m_pt_is_inf_aff(qx, qy) == MP_YES) {
-		MP_CHECKOK(mp_copy(px, rx));
-		MP_CHECKOK(mp_copy(py, ry));
-		return mp_copy(pz, rz);
-	}
-
-	MP_DIGITS(&A) = 0;
-	MP_DIGITS(&B) = 0;
-	MP_DIGITS(&C) = 0;
-	MP_DIGITS(&D) = 0;
-	MP_DIGITS(&E) = 0;
-	MP_DIGITS(&F) = 0;
-	MP_DIGITS(&G) = 0;
-	MP_CHECKOK(mp_init(&A));
-	MP_CHECKOK(mp_init(&B));
-	MP_CHECKOK(mp_init(&C));
-	MP_CHECKOK(mp_init(&D));
-	MP_CHECKOK(mp_init(&E));
-	MP_CHECKOK(mp_init(&F));
-	MP_CHECKOK(mp_init(&G));
-
-	/* D = pz^2 */
-	MP_CHECKOK(group->meth->field_sqr(pz, &D, group->meth));
-
-	/* A = qy * pz^2 + py */
-	MP_CHECKOK(group->meth->field_mul(qy, &D, &A, group->meth));
-	MP_CHECKOK(group->meth->field_add(&A, py, &A, group->meth));
-
-	/* B = qx * pz + px */
-	MP_CHECKOK(group->meth->field_mul(qx, pz, &B, group->meth));
-	MP_CHECKOK(group->meth->field_add(&B, px, &B, group->meth));
-
-	/* C = pz * B */
-	MP_CHECKOK(group->meth->field_mul(pz, &B, &C, group->meth));
-
-	/* D = B^2 * (C + a * pz^2) (using E as a temporary variable) */
-	MP_CHECKOK(group->meth->
-			   field_mul(&group->curvea, &D, &D, group->meth));
-	MP_CHECKOK(group->meth->field_add(&C, &D, &D, group->meth));
-	MP_CHECKOK(group->meth->field_sqr(&B, &E, group->meth));
-	MP_CHECKOK(group->meth->field_mul(&E, &D, &D, group->meth));
-
-	/* rz = C^2 */
-	MP_CHECKOK(group->meth->field_sqr(&C, rz, group->meth));
-
-	/* E = A * C */
-	MP_CHECKOK(group->meth->field_mul(&A, &C, &E, group->meth));
-
-	/* rx = A^2 + D + E */
-	MP_CHECKOK(group->meth->field_sqr(&A, rx, group->meth));
-	MP_CHECKOK(group->meth->field_add(rx, &D, rx, group->meth));
-	MP_CHECKOK(group->meth->field_add(rx, &E, rx, group->meth));
-
-	/* F = rx + qx * rz */
-	MP_CHECKOK(group->meth->field_mul(qx, rz, &F, group->meth));
-	MP_CHECKOK(group->meth->field_add(rx, &F, &F, group->meth));
-
-	/* G = rx + qy * rz */
-	MP_CHECKOK(group->meth->field_mul(qy, rz, &G, group->meth));
-	MP_CHECKOK(group->meth->field_add(rx, &G, &G, group->meth));
-
-	/* ry = E * F + rz * G (using G as a temporary variable) */
-	MP_CHECKOK(group->meth->field_mul(rz, &G, &G, group->meth));
-	MP_CHECKOK(group->meth->field_mul(&E, &F, ry, group->meth));
-	MP_CHECKOK(group->meth->field_add(ry, &G, ry, group->meth));
-
-  CLEANUP:
-	mp_clear(&A);
-	mp_clear(&B);
-	mp_clear(&C);
-	mp_clear(&D);
-	mp_clear(&E);
-	mp_clear(&F);
-	mp_clear(&G);
-	return res;
-}
-
-/* Computes R = 2P.  Elliptic curve points P and R can be identical.  Uses 
- * projective coordinates.
- *
- * Assumes input is already field-encoded using field_enc, and returns 
- * output that is still field-encoded.
- *
- * Uses equation (3) from Hankerson, Hernandez, Menezes. Software 
- * Implementation of Elliptic Curve Cryptography Over Binary Fields.
- */
-mp_err
-ec_GF2m_pt_dbl_proj(const mp_int *px, const mp_int *py, const mp_int *pz,
-					mp_int *rx, mp_int *ry, mp_int *rz,
-					const ECGroup *group)
-{
-	mp_err res = MP_OKAY;
-	mp_int t0, t1;
-
-	if (ec_GF2m_pt_is_inf_proj(px, py, pz) == MP_YES) {
-		return ec_GF2m_pt_set_inf_proj(rx, ry, rz);
-	}
-
-	MP_DIGITS(&t0) = 0;
-	MP_DIGITS(&t1) = 0;
-	MP_CHECKOK(mp_init(&t0));
-	MP_CHECKOK(mp_init(&t1));
-
-	/* t0 = px^2 */
-	/* t1 = pz^2 */
-	MP_CHECKOK(group->meth->field_sqr(px, &t0, group->meth));
-	MP_CHECKOK(group->meth->field_sqr(pz, &t1, group->meth));
-
-	/* rz = px^2 * pz^2 */
-	MP_CHECKOK(group->meth->field_mul(&t0, &t1, rz, group->meth));
-
-	/* t0 = px^4 */
-	/* t1 = b * pz^4 */
-	MP_CHECKOK(group->meth->field_sqr(&t0, &t0, group->meth));
-	MP_CHECKOK(group->meth->field_sqr(&t1, &t1, group->meth));
-	MP_CHECKOK(group->meth->
-			   field_mul(&group->curveb, &t1, &t1, group->meth));
-
-	/* rx = px^4 + b * pz^4 */
-	MP_CHECKOK(group->meth->field_add(&t0, &t1, rx, group->meth));
-
-	/* ry = b * pz^4 * rz + rx * (a * rz + py^2 + b * pz^4) */
-	MP_CHECKOK(group->meth->field_sqr(py, ry, group->meth));
-	MP_CHECKOK(group->meth->field_add(ry, &t1, ry, group->meth));
-	/* t0 = a * rz */
-	MP_CHECKOK(group->meth->
-			   field_mul(&group->curvea, rz, &t0, group->meth));
-	MP_CHECKOK(group->meth->field_add(&t0, ry, ry, group->meth));
-	MP_CHECKOK(group->meth->field_mul(rx, ry, ry, group->meth));
-	/* t1 = b * pz^4 * rz */
-	MP_CHECKOK(group->meth->field_mul(&t1, rz, &t1, group->meth));
-	MP_CHECKOK(group->meth->field_add(&t1, ry, ry, group->meth));
-
-  CLEANUP:
-	mp_clear(&t0);
-	mp_clear(&t1);
-	return res;
-}
-
-/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters
- * a, b and p are the elliptic curve coefficients and the prime that
- * determines the field GF2m.  Elliptic curve points P and R can be
- * identical.  Uses mixed projective-affine coordinates. Assumes input is
- * already field-encoded using field_enc, and returns output that is still
- * field-encoded. Uses 4-bit window method. */
-mp_err
-ec_GF2m_pt_mul_proj(const mp_int *n, const mp_int *px, const mp_int *py,
-					mp_int *rx, mp_int *ry, const ECGroup *group)
-{
-	mp_err res = MP_OKAY;
-	mp_int precomp[16][2], rz;
-	mp_digit precomp_arr[ECL_MAX_FIELD_SIZE_DIGITS * 16 * 2], *t;
-	int i, ni, d;
-
-	ARGCHK(group != NULL, MP_BADARG);
-	ARGCHK((n != NULL) && (px != NULL) && (py != NULL), MP_BADARG);
-
-	/* initialize precomputation table */
-	t = precomp_arr;
-	for (i = 0; i < 16; i++) {
-		/* x co-ord */
-		MP_SIGN(&precomp[i][0]) = MP_ZPOS;
-		MP_ALLOC(&precomp[i][0]) = ECL_MAX_FIELD_SIZE_DIGITS;
-		MP_USED(&precomp[i][0]) = 1;
-		*t = 0;
-		MP_DIGITS(&precomp[i][0]) = t;
-		t += ECL_MAX_FIELD_SIZE_DIGITS;
-		/* y co-ord */
-		MP_SIGN(&precomp[i][1]) = MP_ZPOS;
-		MP_ALLOC(&precomp[i][1]) = ECL_MAX_FIELD_SIZE_DIGITS;
-		MP_USED(&precomp[i][1]) = 1;
-		*t = 0;
-		MP_DIGITS(&precomp[i][1]) = t;
-		t += ECL_MAX_FIELD_SIZE_DIGITS;
-	}
-
-	/* fill precomputation table */
-	mp_zero(&precomp[0][0]);
-	mp_zero(&precomp[0][1]);
-	MP_CHECKOK(mp_copy(px, &precomp[1][0]));
-	MP_CHECKOK(mp_copy(py, &precomp[1][1]));
-	for (i = 2; i < 16; i++) {
-		MP_CHECKOK(group->
-				   point_add(&precomp[1][0], &precomp[1][1],
-							 &precomp[i - 1][0], &precomp[i - 1][1],
-							 &precomp[i][0], &precomp[i][1], group));
-	}
-
-	d = (mpl_significant_bits(n) + 3) / 4;
-
-	/* R = inf */
-	MP_DIGITS(&rz) = 0;
-	MP_CHECKOK(mp_init(&rz));
-	MP_CHECKOK(ec_GF2m_pt_set_inf_proj(rx, ry, &rz));
-
-	for (i = d - 1; i >= 0; i--) {
-		/* compute window ni */
-		ni = MP_GET_BIT(n, 4 * i + 3);
-		ni <<= 1;
-		ni |= MP_GET_BIT(n, 4 * i + 2);
-		ni <<= 1;
-		ni |= MP_GET_BIT(n, 4 * i + 1);
-		ni <<= 1;
-		ni |= MP_GET_BIT(n, 4 * i);
-		/* R = 2^4 * R */
-		MP_CHECKOK(ec_GF2m_pt_dbl_proj(rx, ry, &rz, rx, ry, &rz, group));
-		MP_CHECKOK(ec_GF2m_pt_dbl_proj(rx, ry, &rz, rx, ry, &rz, group));
-		MP_CHECKOK(ec_GF2m_pt_dbl_proj(rx, ry, &rz, rx, ry, &rz, group));
-		MP_CHECKOK(ec_GF2m_pt_dbl_proj(rx, ry, &rz, rx, ry, &rz, group));
-		/* R = R + (ni * P) */
-		MP_CHECKOK(ec_GF2m_pt_add_proj
-				   (rx, ry, &rz, &precomp[ni][0], &precomp[ni][1], rx, ry,
-					&rz, group));
-	}
-
-	/* convert result S to affine coordinates */
-	MP_CHECKOK(ec_GF2m_pt_proj2aff(rx, ry, &rz, rx, ry, group));
-
-  CLEANUP:
-	mp_clear(&rz);
-	return res;
-}
-#endif
diff --git a/security/nss/lib/freebl/ecl/ec_naf.c b/security/nss/lib/freebl/ecl/ec_naf.c
deleted file mode 100644
index 9ef3a55f2..000000000
--- a/security/nss/lib/freebl/ecl/ec_naf.c
+++ /dev/null
@@ -1,103 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Stephen Fung <fungstep@hotmail.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "ecl-priv.h"
-
-/* Returns 2^e as an integer. This is meant to be used for small powers of 
- * two. */
-int
-ec_twoTo(int e)
-{
-	int a = 1;
-	int i;
-
-	for (i = 0; i < e; i++) {
-		a *= 2;
-	}
-	return a;
-}
-
-/* Computes the windowed non-adjacent-form (NAF) of a scalar. Out should
- * be an array of signed char's to output to, bitsize should be the number 
- * of bits of out, in is the original scalar, and w is the window size.
- * NAF is discussed in the paper: D. Hankerson, J. Hernandez and A.
- * Menezes, "Software implementation of elliptic curve cryptography over
- * binary fields", Proc. CHES 2000. */
-mp_err
-ec_compute_wNAF(signed char *out, int bitsize, const mp_int *in, int w)
-{
-	mp_int k;
-	mp_err res = MP_OKAY;
-	int i, twowm1, mask;
-
-	twowm1 = ec_twoTo(w - 1);
-	mask = 2 * twowm1 - 1;
-
-	MP_DIGITS(&k) = 0;
-	MP_CHECKOK(mp_init_copy(&k, in));
-
-	i = 0;
-	/* Compute wNAF form */
-	while (mp_cmp_z(&k) > 0) {
-		if (mp_isodd(&k)) {
-			out[i] = MP_DIGIT(&k, 0) & mask;
-			if (out[i] >= twowm1)
-				out[i] -= 2 * twowm1;
-
-			/* Subtract off out[i].  Note mp_sub_d only works with
-			 * unsigned digits */
-			if (out[i] >= 0) {
-				mp_sub_d(&k, out[i], &k);
-			} else {
-				mp_add_d(&k, -(out[i]), &k);
-			}
-		} else {
-			out[i] = 0;
-		}
-		mp_div_2(&k, &k);
-		i++;
-	}
-	/* Zero out the remaining elements of the out array. */
-	for (; i < bitsize + 1; i++) {
-		out[i] = 0;
-	}
-  CLEANUP:
-	mp_clear(&k);
-	return res;
-
-}
diff --git a/security/nss/lib/freebl/ecl/ecl-curve.h b/security/nss/lib/freebl/ecl/ecl-curve.h
deleted file mode 100644
index cba22b2a7..000000000
--- a/security/nss/lib/freebl/ecl/ecl-curve.h
+++ /dev/null
@@ -1,648 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "ecl-exp.h"
-#include <stdlib.h>
-
-#ifndef __ecl_curve_h_
-#define __ecl_curve_h_
-
-/* NIST prime curves */
-static const ECCurveParams ecCurve_NIST_P192 = {
-	"NIST-P192", ECField_GFp, 192,
-	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF",
-	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC",
-	"64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1",
-	"188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012",
-	"07192B95FFC8DA78631011ED6B24CDD573F977A11E794811",
-	"FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831", 1
-};
-static const ECCurveParams ecCurve_NIST_P224 = {
-	"NIST-P224", ECField_GFp, 224,
-	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001",
-	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE",
-	"B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4",
-	"B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21",
-	"BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34",
-	"FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D", 1
-};
-static const ECCurveParams ecCurve_NIST_P256 = {
-	"NIST-P256", ECField_GFp, 256,
-	"FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF",
-	"FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC",
-	"5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B",
-	"6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296",
-	"4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5",
-	"FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 1
-};
-static const ECCurveParams ecCurve_NIST_P384 = {
-	"NIST-P384", ECField_GFp, 384,
-	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF",
-	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC",
-	"B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF",
-	"AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7",
-	"3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F",
-	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973",
-	1
-};
-static const ECCurveParams ecCurve_NIST_P521 = {
-	"NIST-P521", ECField_GFp, 521,
-	"01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
-	"01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC",
-	"0051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00",
-	"00C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66",
-	"011839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650",
-	"01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409",
-	1
-};
-
-/* NIST binary curves */
-static const ECCurveParams ecCurve_NIST_K163 = {
-	"NIST-K163", ECField_GF2m, 163,
-	"0800000000000000000000000000000000000000C9",
-	"000000000000000000000000000000000000000001",
-	"000000000000000000000000000000000000000001",
-	"02FE13C0537BBC11ACAA07D793DE4E6D5E5C94EEE8",
-	"0289070FB05D38FF58321F2E800536D538CCDAA3D9",
-	"04000000000000000000020108A2E0CC0D99F8A5EF", 2
-};
-static const ECCurveParams ecCurve_NIST_B163 = {
-	"NIST-B163", ECField_GF2m, 163,
-	"0800000000000000000000000000000000000000C9",
-	"000000000000000000000000000000000000000001",
-	"020A601907B8C953CA1481EB10512F78744A3205FD",
-	"03F0EBA16286A2D57EA0991168D4994637E8343E36",
-	"00D51FBC6C71A0094FA2CDD545B11C5C0C797324F1",
-	"040000000000000000000292FE77E70C12A4234C33", 2
-};
-static const ECCurveParams ecCurve_NIST_K233 = {
-	"NIST-K233", ECField_GF2m, 233,
-	"020000000000000000000000000000000000000004000000000000000001",
-	"000000000000000000000000000000000000000000000000000000000000",
-	"000000000000000000000000000000000000000000000000000000000001",
-	"017232BA853A7E731AF129F22FF4149563A419C26BF50A4C9D6EEFAD6126",
-	"01DB537DECE819B7F70F555A67C427A8CD9BF18AEB9B56E0C11056FAE6A3",
-	"008000000000000000000000000000069D5BB915BCD46EFB1AD5F173ABDF", 4
-};
-static const ECCurveParams ecCurve_NIST_B233 = {
-	"NIST-B233", ECField_GF2m, 233,
-	"020000000000000000000000000000000000000004000000000000000001",
-	"000000000000000000000000000000000000000000000000000000000001",
-	"0066647EDE6C332C7F8C0923BB58213B333B20E9CE4281FE115F7D8F90AD",
-	"00FAC9DFCBAC8313BB2139F1BB755FEF65BC391F8B36F8F8EB7371FD558B",
-	"01006A08A41903350678E58528BEBF8A0BEFF867A7CA36716F7E01F81052",
-	"01000000000000000000000000000013E974E72F8A6922031D2603CFE0D7", 2
-};
-static const ECCurveParams ecCurve_NIST_K283 = {
-	"NIST-K283", ECField_GF2m, 283,
-	"0800000000000000000000000000000000000000000000000000000000000000000010A1",
-	"000000000000000000000000000000000000000000000000000000000000000000000000",
-	"000000000000000000000000000000000000000000000000000000000000000000000001",
-	"0503213F78CA44883F1A3B8162F188E553CD265F23C1567A16876913B0C2AC2458492836",
-	"01CCDA380F1C9E318D90F95D07E5426FE87E45C0E8184698E45962364E34116177DD2259",
-	"01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE9AE2ED07577265DFF7F94451E061E163C61",
-	4
-};
-static const ECCurveParams ecCurve_NIST_B283 = {
-	"NIST-B283", ECField_GF2m, 283,
-	"0800000000000000000000000000000000000000000000000000000000000000000010A1",
-	"000000000000000000000000000000000000000000000000000000000000000000000001",
-	"027B680AC8B8596DA5A4AF8A19A0303FCA97FD7645309FA2A581485AF6263E313B79A2F5",
-	"05F939258DB7DD90E1934F8C70B0DFEC2EED25B8557EAC9C80E2E198F8CDBECD86B12053",
-	"03676854FE24141CB98FE6D4B20D02B4516FF702350EDDB0826779C813F0DF45BE8112F4",
-	"03FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEF90399660FC938A90165B042A7CEFADB307",
-	2
-};
-static const ECCurveParams ecCurve_NIST_K409 = {
-	"NIST-K409", ECField_GF2m, 409,
-	"02000000000000000000000000000000000000000000000000000000000000000000000000000000008000000000000000000001",
-	"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
-	"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001",
-	"0060F05F658F49C1AD3AB1890F7184210EFD0987E307C84C27ACCFB8F9F67CC2C460189EB5AAAA62EE222EB1B35540CFE9023746",
-	"01E369050B7C4E42ACBA1DACBF04299C3460782F918EA427E6325165E9EA10E3DA5F6C42E9C55215AA9CA27A5863EC48D8E0286B",
-	"007FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE5F83B2D4EA20400EC4557D5ED3E3E7CA5B4B5C83B8E01E5FCF",
-	4
-};
-static const ECCurveParams ecCurve_NIST_B409 = {
-	"NIST-B409", ECField_GF2m, 409,
-	"02000000000000000000000000000000000000000000000000000000000000000000000000000000008000000000000000000001",
-	"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001",
-	"0021A5C2C8EE9FEB5C4B9A753B7B476B7FD6422EF1F3DD674761FA99D6AC27C8A9A197B272822F6CD57A55AA4F50AE317B13545F",
-	"015D4860D088DDB3496B0C6064756260441CDE4AF1771D4DB01FFE5B34E59703DC255A868A1180515603AEAB60794E54BB7996A7",
-	"0061B1CFAB6BE5F32BBFA78324ED106A7636B9C5A7BD198D0158AA4F5488D08F38514F1FDF4B4F40D2181B3681C364BA0273C706",
-	"010000000000000000000000000000000000000000000000000001E2AAD6A612F33307BE5FA47C3C9E052F838164CD37D9A21173",
-	2
-};
-static const ECCurveParams ecCurve_NIST_K571 = {
-	"NIST-K571", ECField_GF2m, 571,
-	"080000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000425",
-	"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
-	"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001",
-	"026EB7A859923FBC82189631F8103FE4AC9CA2970012D5D46024804801841CA44370958493B205E647DA304DB4CEB08CBBD1BA39494776FB988B47174DCA88C7E2945283A01C8972",
-	"0349DC807F4FBF374F4AEADE3BCA95314DD58CEC9F307A54FFC61EFC006D8A2C9D4979C0AC44AEA74FBEBBB9F772AEDCB620B01A7BA7AF1B320430C8591984F601CD4C143EF1C7A3",
-	"020000000000000000000000000000000000000000000000000000000000000000000000131850E1F19A63E4B391A8DB917F4138B630D84BE5D639381E91DEB45CFE778F637C1001",
-	4
-};
-static const ECCurveParams ecCurve_NIST_B571 = {
-	"NIST-B571", ECField_GF2m, 571,
-	"080000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000425",
-	"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001",
-	"02F40E7E2221F295DE297117B7F3D62F5C6A97FFCB8CEFF1CD6BA8CE4A9A18AD84FFABBD8EFA59332BE7AD6756A66E294AFD185A78FF12AA520E4DE739BACA0C7FFEFF7F2955727A",
-	"0303001D34B856296C16C0D40D3CD7750A93D1D2955FA80AA5F40FC8DB7B2ABDBDE53950F4C0D293CDD711A35B67FB1499AE60038614F1394ABFA3B4C850D927E1E7769C8EEC2D19",
-	"037BF27342DA639B6DCCFFFEB73D69D78C6C27A6009CBBCA1980F8533921E8A684423E43BAB08A576291AF8F461BB2A8B3531D2F0485C19B16E2F1516E23DD3C1A4827AF1B8AC15B",
-	"03FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE661CE18FF55987308059B186823851EC7DD9CA1161DE93D5174D66E8382E9BB2FE84E47",
-	2
-};
-
-/* ANSI X9.62 prime curves */
-static const ECCurveParams ecCurve_X9_62_PRIME_192V2 = {
-	"X9.62 P-192V2", ECField_GFp, 192,
-	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF",
-	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC",
-	"CC22D6DFB95C6B25E49C0D6364A4E5980C393AA21668D953",
-	"EEA2BAE7E1497842F2DE7769CFE9C989C072AD696F48034A",
-	"6574D11D69B6EC7A672BB82A083DF2F2B0847DE970B2DE15",
-	"FFFFFFFFFFFFFFFFFFFFFFFE5FB1A724DC80418648D8DD31", 1
-};
-static const ECCurveParams ecCurve_X9_62_PRIME_192V3 = {
-	"X9.62 P-192V3", ECField_GFp, 192,
-	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF",
-	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC",
-	"22123DC2395A05CAA7423DAECCC94760A7D462256BD56916",
-	"7D29778100C65A1DA1783716588DCE2B8B4AEE8E228F1896",
-	"38A90F22637337334B49DCB66A6DC8F9978ACA7648A943B0",
-	"FFFFFFFFFFFFFFFFFFFFFFFF7A62D031C83F4294F640EC13", 1
-};
-static const ECCurveParams ecCurve_X9_62_PRIME_239V1 = {
-	"X9.62 P-239V1", ECField_GFp, 239,
-	"7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF",
-	"7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC",
-	"6B016C3BDCF18941D0D654921475CA71A9DB2FB27D1D37796185C2942C0A",
-	"0FFA963CDCA8816CCC33B8642BEDF905C3D358573D3F27FBBD3B3CB9AAAF",
-	"7DEBE8E4E90A5DAE6E4054CA530BA04654B36818CE226B39FCCB7B02F1AE",
-	"7FFFFFFFFFFFFFFFFFFFFFFF7FFFFF9E5E9A9F5D9071FBD1522688909D0B", 1
-};
-static const ECCurveParams ecCurve_X9_62_PRIME_239V2 = {
-	"X9.62 P-239V2", ECField_GFp, 239,
-	"7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF",
-	"7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC",
-	"617FAB6832576CBBFED50D99F0249C3FEE58B94BA0038C7AE84C8C832F2C",
-	"38AF09D98727705120C921BB5E9E26296A3CDCF2F35757A0EAFD87B830E7",
-	"5B0125E4DBEA0EC7206DA0FC01D9B081329FB555DE6EF460237DFF8BE4BA",
-	"7FFFFFFFFFFFFFFFFFFFFFFF800000CFA7E8594377D414C03821BC582063", 1
-};
-static const ECCurveParams ecCurve_X9_62_PRIME_239V3 = {
-	"X9.62 P-239V3", ECField_GFp, 239,
-	"7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF",
-	"7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC",
-	"255705FA2A306654B1F4CB03D6A750A30C250102D4988717D9BA15AB6D3E",
-	"6768AE8E18BB92CFCF005C949AA2C6D94853D0E660BBF854B1C9505FE95A",
-	"1607E6898F390C06BC1D552BAD226F3B6FCFE48B6E818499AF18E3ED6CF3",
-	"7FFFFFFFFFFFFFFFFFFFFFFF7FFFFF975DEB41B3A6057C3C432146526551", 1
-};
-
-/* ANSI X9.62 binary curves */
-static const ECCurveParams ecCurve_X9_62_CHAR2_PNB163V1 = {
-	"X9.62 C2-PNB163V1", ECField_GF2m, 163,
-	"080000000000000000000000000000000000000107",
-	"072546B5435234A422E0789675F432C89435DE5242",
-	"00C9517D06D5240D3CFF38C74B20B6CD4D6F9DD4D9",
-	"07AF69989546103D79329FCC3D74880F33BBE803CB",
-	"01EC23211B5966ADEA1D3F87F7EA5848AEF0B7CA9F",
-	"0400000000000000000001E60FC8821CC74DAEAFC1", 2
-};
-static const ECCurveParams ecCurve_X9_62_CHAR2_PNB163V2 = {
-	"X9.62 C2-PNB163V2", ECField_GF2m, 163,
-	"080000000000000000000000000000000000000107",
-	"0108B39E77C4B108BED981ED0E890E117C511CF072",
-	"0667ACEB38AF4E488C407433FFAE4F1C811638DF20",
-	"0024266E4EB5106D0A964D92C4860E2671DB9B6CC5",
-	"079F684DDF6684C5CD258B3890021B2386DFD19FC5",
-	"03FFFFFFFFFFFFFFFFFFFDF64DE1151ADBB78F10A7", 2
-};
-static const ECCurveParams ecCurve_X9_62_CHAR2_PNB163V3 = {
-	"X9.62 C2-PNB163V3", ECField_GF2m, 163,
-	"080000000000000000000000000000000000000107",
-	"07A526C63D3E25A256A007699F5447E32AE456B50E",
-	"03F7061798EB99E238FD6F1BF95B48FEEB4854252B",
-	"02F9F87B7C574D0BDECF8A22E6524775F98CDEBDCB",
-	"05B935590C155E17EA48EB3FF3718B893DF59A05D0",
-	"03FFFFFFFFFFFFFFFFFFFE1AEE140F110AFF961309", 2
-};
-static const ECCurveParams ecCurve_X9_62_CHAR2_PNB176V1 = {
-	"X9.62 C2-PNB176V1", ECField_GF2m, 176,
-	"0100000000000000000000000000000000080000000007",
-	"E4E6DB2995065C407D9D39B8D0967B96704BA8E9C90B",
-	"5DDA470ABE6414DE8EC133AE28E9BBD7FCEC0AE0FFF2",
-	"8D16C2866798B600F9F08BB4A8E860F3298CE04A5798",
-	"6FA4539C2DADDDD6BAB5167D61B436E1D92BB16A562C",
-	"00010092537397ECA4F6145799D62B0A19CE06FE26AD", 0xFF6E
-};
-static const ECCurveParams ecCurve_X9_62_CHAR2_TNB191V1 = {
-	"X9.62 C2-TNB191V1", ECField_GF2m, 191,
-	"800000000000000000000000000000000000000000000201",
-	"2866537B676752636A68F56554E12640276B649EF7526267",
-	"2E45EF571F00786F67B0081B9495A3D95462F5DE0AA185EC",
-	"36B3DAF8A23206F9C4F299D7B21A9C369137F2C84AE1AA0D",
-	"765BE73433B3F95E332932E70EA245CA2418EA0EF98018FB",
-	"40000000000000000000000004A20E90C39067C893BBB9A5", 2
-};
-static const ECCurveParams ecCurve_X9_62_CHAR2_TNB191V2 = {
-	"X9.62 C2-TNB191V2", ECField_GF2m, 191,
-	"800000000000000000000000000000000000000000000201",
-	"401028774D7777C7B7666D1366EA432071274F89FF01E718",
-	"0620048D28BCBD03B6249C99182B7C8CD19700C362C46A01",
-	"3809B2B7CC1B28CC5A87926AAD83FD28789E81E2C9E3BF10",
-	"17434386626D14F3DBF01760D9213A3E1CF37AEC437D668A",
-	"20000000000000000000000050508CB89F652824E06B8173", 4
-};
-static const ECCurveParams ecCurve_X9_62_CHAR2_TNB191V3 = {
-	"X9.62 C2-TNB191V3", ECField_GF2m, 191,
-	"800000000000000000000000000000000000000000000201",
-	"6C01074756099122221056911C77D77E77A777E7E7E77FCB",
-	"71FE1AF926CF847989EFEF8DB459F66394D90F32AD3F15E8",
-	"375D4CE24FDE434489DE8746E71786015009E66E38A926DD",
-	"545A39176196575D985999366E6AD34CE0A77CD7127B06BE",
-	"155555555555555555555555610C0B196812BFB6288A3EA3", 6
-};
-static const ECCurveParams ecCurve_X9_62_CHAR2_PNB208W1 = {
-	"X9.62 C2-PNB208W1", ECField_GF2m, 208,
-	"010000000000000000000000000000000800000000000000000007",
-	"0000000000000000000000000000000000000000000000000000",
-	"C8619ED45A62E6212E1160349E2BFA844439FAFC2A3FD1638F9E",
-	"89FDFBE4ABE193DF9559ECF07AC0CE78554E2784EB8C1ED1A57A",
-	"0F55B51A06E78E9AC38A035FF520D8B01781BEB1A6BB08617DE3",
-	"000101BAF95C9723C57B6C21DA2EFF2D5ED588BDD5717E212F9D", 0xFE48
-};
-static const ECCurveParams ecCurve_X9_62_CHAR2_TNB239V1 = {
-	"X9.62 C2-TNB239V1", ECField_GF2m, 239,
-	"800000000000000000000000000000000000000000000000001000000001",
-	"32010857077C5431123A46B808906756F543423E8D27877578125778AC76",
-	"790408F2EEDAF392B012EDEFB3392F30F4327C0CA3F31FC383C422AA8C16",
-	"57927098FA932E7C0A96D3FD5B706EF7E5F5C156E16B7E7C86038552E91D",
-	"61D8EE5077C33FECF6F1A16B268DE469C3C7744EA9A971649FC7A9616305",
-	"2000000000000000000000000000000F4D42FFE1492A4993F1CAD666E447", 4
-};
-static const ECCurveParams ecCurve_X9_62_CHAR2_TNB239V2 = {
-	"X9.62 C2-TNB239V2", ECField_GF2m, 239,
-	"800000000000000000000000000000000000000000000000001000000001",
-	"4230017757A767FAE42398569B746325D45313AF0766266479B75654E65F",
-	"5037EA654196CFF0CD82B2C14A2FCF2E3FF8775285B545722F03EACDB74B",
-	"28F9D04E900069C8DC47A08534FE76D2B900B7D7EF31F5709F200C4CA205",
-	"5667334C45AFF3B5A03BAD9DD75E2C71A99362567D5453F7FA6E227EC833",
-	"1555555555555555555555555555553C6F2885259C31E3FCDF154624522D", 6
-};
-static const ECCurveParams ecCurve_X9_62_CHAR2_TNB239V3 = {
-	"X9.62 C2-TNB239V3", ECField_GF2m, 239,
-	"800000000000000000000000000000000000000000000000001000000001",
-	"01238774666A67766D6676F778E676B66999176666E687666D8766C66A9F",
-	"6A941977BA9F6A435199ACFC51067ED587F519C5ECB541B8E44111DE1D40",
-	"70F6E9D04D289C4E89913CE3530BFDE903977D42B146D539BF1BDE4E9C92",
-	"2E5A0EAF6E5E1305B9004DCE5C0ED7FE59A35608F33837C816D80B79F461",
-	"0CCCCCCCCCCCCCCCCCCCCCCCCCCCCCAC4912D2D9DF903EF9888B8A0E4CFF", 0xA
-};
-static const ECCurveParams ecCurve_X9_62_CHAR2_PNB272W1 = {
-	"X9.62 C2-PNB272W1", ECField_GF2m, 272,
-	"010000000000000000000000000000000000000000000000000000010000000000000B",
-	"91A091F03B5FBA4AB2CCF49C4EDD220FB028712D42BE752B2C40094DBACDB586FB20",
-	"7167EFC92BB2E3CE7C8AAAFF34E12A9C557003D7C73A6FAF003F99F6CC8482E540F7",
-	"6108BABB2CEEBCF787058A056CBE0CFE622D7723A289E08A07AE13EF0D10D171DD8D",
-	"10C7695716851EEF6BA7F6872E6142FBD241B830FF5EFCACECCAB05E02005DDE9D23",
-	"000100FAF51354E0E39E4892DF6E319C72C8161603FA45AA7B998A167B8F1E629521",
-	0xFF06
-};
-static const ECCurveParams ecCurve_X9_62_CHAR2_PNB304W1 = {
-	"X9.62 C2-PNB304W1", ECField_GF2m, 304,
-	"010000000000000000000000000000000000000000000000000000000000000000000000000807",
-	"FD0D693149A118F651E6DCE6802085377E5F882D1B510B44160074C1288078365A0396C8E681",
-	"BDDB97E555A50A908E43B01C798EA5DAA6788F1EA2794EFCF57166B8C14039601E55827340BE",
-	"197B07845E9BE2D96ADB0F5F3C7F2CFFBD7A3EB8B6FEC35C7FD67F26DDF6285A644F740A2614",
-	"E19FBEB76E0DA171517ECF401B50289BF014103288527A9B416A105E80260B549FDC1B92C03B",
-	"000101D556572AABAC800101D556572AABAC8001022D5C91DD173F8FB561DA6899164443051D",
-	0xFE2E
-};
-static const ECCurveParams ecCurve_X9_62_CHAR2_TNB359V1 = {
-	"X9.62 C2-TNB359V1", ECField_GF2m, 359,
-	"800000000000000000000000000000000000000000000000000000000000000000000000100000000000000001",
-	"5667676A654B20754F356EA92017D946567C46675556F19556A04616B567D223A5E05656FB549016A96656A557",
-	"2472E2D0197C49363F1FE7F5B6DB075D52B6947D135D8CA445805D39BC345626089687742B6329E70680231988",
-	"3C258EF3047767E7EDE0F1FDAA79DAEE3841366A132E163ACED4ED2401DF9C6BDCDE98E8E707C07A2239B1B097",
-	"53D7E08529547048121E9C95F3791DD804963948F34FAE7BF44EA82365DC7868FE57E4AE2DE211305A407104BD",
-	"01AF286BCA1AF286BCA1AF286BCA1AF286BCA1AF286BC9FB8F6B85C556892C20A7EB964FE7719E74F490758D3B",
-	0x4C
-};
-static const ECCurveParams ecCurve_X9_62_CHAR2_PNB368W1 = {
-	"X9.62 C2-PNB368W1", ECField_GF2m, 368,
-	"0100000000000000000000000000000000000000000000000000000000000000000000002000000000000000000007",
-	"E0D2EE25095206F5E2A4F9ED229F1F256E79A0E2B455970D8D0D865BD94778C576D62F0AB7519CCD2A1A906AE30D",
-	"FC1217D4320A90452C760A58EDCD30C8DD069B3C34453837A34ED50CB54917E1C2112D84D164F444F8F74786046A",
-	"1085E2755381DCCCE3C1557AFA10C2F0C0C2825646C5B34A394CBCFA8BC16B22E7E789E927BE216F02E1FB136A5F",
-	"7B3EB1BDDCBA62D5D8B2059B525797FC73822C59059C623A45FF3843CEE8F87CD1855ADAA81E2A0750B80FDA2310",
-	"00010090512DA9AF72B08349D98A5DD4C7B0532ECA51CE03E2D10F3B7AC579BD87E909AE40A6F131E9CFCE5BD967",
-	0xFF70
-};
-static const ECCurveParams ecCurve_X9_62_CHAR2_TNB431R1 = {
-	"X9.62 C2-TNB431R1", ECField_GF2m, 431,
-	"800000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000001",
-	"1A827EF00DD6FC0E234CAF046C6A5D8A85395B236CC4AD2CF32A0CADBDC9DDF620B0EB9906D0957F6C6FEACD615468DF104DE296CD8F",
-	"10D9B4A3D9047D8B154359ABFB1B7F5485B04CEB868237DDC9DEDA982A679A5A919B626D4E50A8DD731B107A9962381FB5D807BF2618",
-	"120FC05D3C67A99DE161D2F4092622FECA701BE4F50F4758714E8A87BBF2A658EF8C21E7C5EFE965361F6C2999C0C247B0DBD70CE6B7",
-	"20D0AF8903A96F8D5FA2C255745D3C451B302C9346D9B7E485E7BCE41F6B591F3E8F6ADDCBB0BC4C2F947A7DE1A89B625D6A598B3760",
-	"0340340340340340340340340340340340340340340340340340340323C313FAB50589703B5EC68D3587FEC60D161CC149C1AD4A91",
-	0x2760
-};
-
-/* SEC2 prime curves */
-static const ECCurveParams ecCurve_SECG_PRIME_112R1 = {
-	"SECP-112R1", ECField_GFp, 112,
-	"DB7C2ABF62E35E668076BEAD208B",
-	"DB7C2ABF62E35E668076BEAD2088",
-	"659EF8BA043916EEDE8911702B22",
-	"09487239995A5EE76B55F9C2F098",
-	"A89CE5AF8724C0A23E0E0FF77500",
-	"DB7C2ABF62E35E7628DFAC6561C5", 1
-};
-static const ECCurveParams ecCurve_SECG_PRIME_112R2 = {
-	"SECP-112R2", ECField_GFp, 112,
-	"DB7C2ABF62E35E668076BEAD208B",
-	"6127C24C05F38A0AAAF65C0EF02C",
-	"51DEF1815DB5ED74FCC34C85D709",
-	"4BA30AB5E892B4E1649DD0928643",
-	"adcd46f5882e3747def36e956e97",
-	"36DF0AAFD8B8D7597CA10520D04B", 4
-};
-static const ECCurveParams ecCurve_SECG_PRIME_128R1 = {
-	"SECP-128R1", ECField_GFp, 128,
-	"FFFFFFFDFFFFFFFFFFFFFFFFFFFFFFFF",
-	"FFFFFFFDFFFFFFFFFFFFFFFFFFFFFFFC",
-	"E87579C11079F43DD824993C2CEE5ED3",
-	"161FF7528B899B2D0C28607CA52C5B86",
-	"CF5AC8395BAFEB13C02DA292DDED7A83",
-	"FFFFFFFE0000000075A30D1B9038A115", 1
-};
-static const ECCurveParams ecCurve_SECG_PRIME_128R2 = {
-	"SECP-128R2", ECField_GFp, 128,
-	"FFFFFFFDFFFFFFFFFFFFFFFFFFFFFFFF",
-	"D6031998D1B3BBFEBF59CC9BBFF9AEE1",
-	"5EEEFCA380D02919DC2C6558BB6D8A5D",
-	"7B6AA5D85E572983E6FB32A7CDEBC140",
-	"27B6916A894D3AEE7106FE805FC34B44",
-	"3FFFFFFF7FFFFFFFBE0024720613B5A3", 4
-};
-static const ECCurveParams ecCurve_SECG_PRIME_160K1 = {
-	"SECP-160K1", ECField_GFp, 160,
-	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC73",
-	"0000000000000000000000000000000000000000",
-	"0000000000000000000000000000000000000007",
-	"3B4C382CE37AA192A4019E763036F4F5DD4D7EBB",
-	"938CF935318FDCED6BC28286531733C3F03C4FEE",
-	"0100000000000000000001B8FA16DFAB9ACA16B6B3", 1
-};
-static const ECCurveParams ecCurve_SECG_PRIME_160R1 = {
-	"SECP-160R1", ECField_GFp, 160,
-	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF",
-	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC",
-	"1C97BEFC54BD7A8B65ACF89F81D4D4ADC565FA45",
-	"4A96B5688EF573284664698968C38BB913CBFC82",
-	"23A628553168947D59DCC912042351377AC5FB32",
-	"0100000000000000000001F4C8F927AED3CA752257", 1
-};
-static const ECCurveParams ecCurve_SECG_PRIME_160R2 = {
-	"SECP-160R2", ECField_GFp, 160,
-	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC73",
-	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC70",
-	"B4E134D3FB59EB8BAB57274904664D5AF50388BA",
-	"52DCB034293A117E1F4FF11B30F7199D3144CE6D",
-	"FEAFFEF2E331F296E071FA0DF9982CFEA7D43F2E",
-	"0100000000000000000000351EE786A818F3A1A16B", 1
-};
-static const ECCurveParams ecCurve_SECG_PRIME_192K1 = {
-	"SECP-192K1", ECField_GFp, 192,
-	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFEE37",
-	"000000000000000000000000000000000000000000000000",
-	"000000000000000000000000000000000000000000000003",
-	"DB4FF10EC057E9AE26B07D0280B7F4341DA5D1B1EAE06C7D",
-	"9B2F2F6D9C5628A7844163D015BE86344082AA88D95E2F9D",
-	"FFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8D", 1
-};
-static const ECCurveParams ecCurve_SECG_PRIME_224K1 = {
-	"SECP-224K1", ECField_GFp, 224,
-	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFE56D",
-	"00000000000000000000000000000000000000000000000000000000",
-	"00000000000000000000000000000000000000000000000000000005",
-	"A1455B334DF099DF30FC28A169A467E9E47075A90F7E650EB6B7A45C",
-	"7E089FED7FBA344282CAFBD6F7E319F7C0B0BD59E2CA4BDB556D61A5",
-	"010000000000000000000000000001DCE8D2EC6184CAF0A971769FB1F7", 1
-};
-static const ECCurveParams ecCurve_SECG_PRIME_256K1 = {
-	"SECP-256K1", ECField_GFp, 256,
-	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F",
-	"0000000000000000000000000000000000000000000000000000000000000000",
-	"0000000000000000000000000000000000000000000000000000000000000007",
-	"79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798",
-	"483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8",
-	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141", 1
-};
-
-/* SEC2 binary curves */
-static const ECCurveParams ecCurve_SECG_CHAR2_113R1 = {
-	"SECT-113R1", ECField_GF2m, 113,
-	"020000000000000000000000000201",
-	"003088250CA6E7C7FE649CE85820F7",
-	"00E8BEE4D3E2260744188BE0E9C723",
-	"009D73616F35F4AB1407D73562C10F",
-	"00A52830277958EE84D1315ED31886",
-	"0100000000000000D9CCEC8A39E56F", 2
-};
-static const ECCurveParams ecCurve_SECG_CHAR2_113R2 = {
-	"SECT-113R2", ECField_GF2m, 113,
-	"020000000000000000000000000201",
-	"00689918DBEC7E5A0DD6DFC0AA55C7",
-	"0095E9A9EC9B297BD4BF36E059184F",
-	"01A57A6A7B26CA5EF52FCDB8164797",
-	"00B3ADC94ED1FE674C06E695BABA1D",
-	"010000000000000108789B2496AF93", 2
-};
-static const ECCurveParams ecCurve_SECG_CHAR2_131R1 = {
-	"SECT-131R1", ECField_GF2m, 131,
-	"080000000000000000000000000000010D",
-	"07A11B09A76B562144418FF3FF8C2570B8",
-	"0217C05610884B63B9C6C7291678F9D341",
-	"0081BAF91FDF9833C40F9C181343638399",
-	"078C6E7EA38C001F73C8134B1B4EF9E150",
-	"0400000000000000023123953A9464B54D", 2
-};
-static const ECCurveParams ecCurve_SECG_CHAR2_131R2 = {
-	"SECT-131R2", ECField_GF2m, 131,
-	"080000000000000000000000000000010D",
-	"03E5A88919D7CAFCBF415F07C2176573B2",
-	"04B8266A46C55657AC734CE38F018F2192",
-	"0356DCD8F2F95031AD652D23951BB366A8",
-	"0648F06D867940A5366D9E265DE9EB240F",
-	"0400000000000000016954A233049BA98F", 2
-};
-static const ECCurveParams ecCurve_SECG_CHAR2_163R1 = {
-	"SECT-163R1", ECField_GF2m, 163,
-	"0800000000000000000000000000000000000000C9",
-	"07B6882CAAEFA84F9554FF8428BD88E246D2782AE2",
-	"0713612DCDDCB40AAB946BDA29CA91F73AF958AFD9",
-	"0369979697AB43897789566789567F787A7876A654",
-	"00435EDB42EFAFB2989D51FEFCE3C80988F41FF883",
-	"03FFFFFFFFFFFFFFFFFFFF48AAB689C29CA710279B", 2
-};
-static const ECCurveParams ecCurve_SECG_CHAR2_193R1 = {
-	"SECT-193R1", ECField_GF2m, 193,
-	"02000000000000000000000000000000000000000000008001",
-	"0017858FEB7A98975169E171F77B4087DE098AC8A911DF7B01",
-	"00FDFB49BFE6C3A89FACADAA7A1E5BBC7CC1C2E5D831478814",
-	"01F481BC5F0FF84A74AD6CDF6FDEF4BF6179625372D8C0C5E1",
-	"0025E399F2903712CCF3EA9E3A1AD17FB0B3201B6AF7CE1B05",
-	"01000000000000000000000000C7F34A778F443ACC920EBA49", 2
-};
-static const ECCurveParams ecCurve_SECG_CHAR2_193R2 = {
-	"SECT-193R2", ECField_GF2m, 193,
-	"02000000000000000000000000000000000000000000008001",
-	"0163F35A5137C2CE3EA6ED8667190B0BC43ECD69977702709B",
-	"00C9BB9E8927D4D64C377E2AB2856A5B16E3EFB7F61D4316AE",
-	"00D9B67D192E0367C803F39E1A7E82CA14A651350AAE617E8F",
-	"01CE94335607C304AC29E7DEFBD9CA01F596F927224CDECF6C",
-	"010000000000000000000000015AAB561B005413CCD4EE99D5", 2
-};
-static const ECCurveParams ecCurve_SECG_CHAR2_239K1 = {
-	"SECT-239K1", ECField_GF2m, 239,
-	"800000000000000000004000000000000000000000000000000000000001",
-	"000000000000000000000000000000000000000000000000000000000000",
-	"000000000000000000000000000000000000000000000000000000000001",
-	"29A0B6A887A983E9730988A68727A8B2D126C44CC2CC7B2A6555193035DC",
-	"76310804F12E549BDB011C103089E73510ACB275FC312A5DC6B76553F0CA",
-	"2000000000000000000000000000005A79FEC67CB6E91F1C1DA800E478A5", 4
-};
-
-/* WTLS curves */
-static const ECCurveParams ecCurve_WTLS_1 = {
-	"WTLS-1", ECField_GF2m, 113,
-	"020000000000000000000000000201",
-	"000000000000000000000000000001",
-	"000000000000000000000000000001",
-	"01667979A40BA497E5D5C270780617",
-	"00F44B4AF1ECC2630E08785CEBCC15",
-	"00FFFFFFFFFFFFFFFDBF91AF6DEA73", 2
-};
-static const ECCurveParams ecCurve_WTLS_8 = {
-	"WTLS-8", ECField_GFp, 112,
-	"FFFFFFFFFFFFFFFFFFFFFFFFFDE7",
-	"0000000000000000000000000000",
-	"0000000000000000000000000003",
-	"0000000000000000000000000001",
-	"0000000000000000000000000002",
-	"0100000000000001ECEA551AD837E9", 1
-};
-static const ECCurveParams ecCurve_WTLS_9 = {
-	"WTLS-9", ECField_GFp, 160,
-	"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC808F",
-	"0000000000000000000000000000000000000000",
-	"0000000000000000000000000000000000000003",
-	"0000000000000000000000000000000000000001",
-	"0000000000000000000000000000000000000002",
-	"0100000000000000000001CDC98AE0E2DE574ABF33", 1
-};
-
-/* mapping between ECCurveName enum and pointers to ECCurveParams */
-static const ECCurveParams *ecCurve_map[] = {
-	NULL,						/* ECCurve_noName */
-	&ecCurve_NIST_P192,			/* ECCurve_NIST_P192 */
-	&ecCurve_NIST_P224,			/* ECCurve_NIST_P224 */
-	&ecCurve_NIST_P256,			/* ECCurve_NIST_P256 */
-	&ecCurve_NIST_P384,			/* ECCurve_NIST_P384 */
-	&ecCurve_NIST_P521,			/* ECCurve_NIST_P521 */
-	&ecCurve_NIST_K163,			/* ECCurve_NIST_K163 */
-	&ecCurve_NIST_B163,			/* ECCurve_NIST_B163 */
-	&ecCurve_NIST_K233,			/* ECCurve_NIST_K233 */
-	&ecCurve_NIST_B233,			/* ECCurve_NIST_B233 */
-	&ecCurve_NIST_K283,			/* ECCurve_NIST_K283 */
-	&ecCurve_NIST_B283,			/* ECCurve_NIST_B283 */
-	&ecCurve_NIST_K409,			/* ECCurve_NIST_K409 */
-	&ecCurve_NIST_B409,			/* ECCurve_NIST_B409 */
-	&ecCurve_NIST_K571,			/* ECCurve_NIST_K571 */
-	&ecCurve_NIST_B571,			/* ECCurve_NIST_B571 */
-	&ecCurve_X9_62_PRIME_192V2,	/* ECCurve_X9_62_PRIME_192V2 */
-	&ecCurve_X9_62_PRIME_192V3,	/* ECCurve_X9_62_PRIME_192V3 */
-	&ecCurve_X9_62_PRIME_239V1,	/* ECCurve_X9_62_PRIME_239V1 */
-	&ecCurve_X9_62_PRIME_239V2,	/* ECCurve_X9_62_PRIME_239V2 */
-	&ecCurve_X9_62_PRIME_239V3,	/* ECCurve_X9_62_PRIME_239V3 */
-	&ecCurve_X9_62_CHAR2_PNB163V1,	/* ECCurve_X9_62_CHAR2_PNB163V1 */
-	&ecCurve_X9_62_CHAR2_PNB163V2,	/* ECCurve_X9_62_CHAR2_PNB163V2 */
-	&ecCurve_X9_62_CHAR2_PNB163V3,	/* ECCurve_X9_62_CHAR2_PNB163V3 */
-	&ecCurve_X9_62_CHAR2_PNB176V1,	/* ECCurve_X9_62_CHAR2_PNB176V1 */
-	&ecCurve_X9_62_CHAR2_TNB191V1,	/* ECCurve_X9_62_CHAR2_TNB191V1 */
-	&ecCurve_X9_62_CHAR2_TNB191V2,	/* ECCurve_X9_62_CHAR2_TNB191V2 */
-	&ecCurve_X9_62_CHAR2_TNB191V3,	/* ECCurve_X9_62_CHAR2_TNB191V3 */
-	&ecCurve_X9_62_CHAR2_PNB208W1,	/* ECCurve_X9_62_CHAR2_PNB208W1 */
-	&ecCurve_X9_62_CHAR2_TNB239V1,	/* ECCurve_X9_62_CHAR2_TNB239V1 */
-	&ecCurve_X9_62_CHAR2_TNB239V2,	/* ECCurve_X9_62_CHAR2_TNB239V2 */
-	&ecCurve_X9_62_CHAR2_TNB239V3,	/* ECCurve_X9_62_CHAR2_TNB239V3 */
-	&ecCurve_X9_62_CHAR2_PNB272W1,	/* ECCurve_X9_62_CHAR2_PNB272W1 */
-	&ecCurve_X9_62_CHAR2_PNB304W1,	/* ECCurve_X9_62_CHAR2_PNB304W1 */
-	&ecCurve_X9_62_CHAR2_TNB359V1,	/* ECCurve_X9_62_CHAR2_TNB359V1 */
-	&ecCurve_X9_62_CHAR2_PNB368W1,	/* ECCurve_X9_62_CHAR2_PNB368W1 */
-	&ecCurve_X9_62_CHAR2_TNB431R1,	/* ECCurve_X9_62_CHAR2_TNB431R1 */
-	&ecCurve_SECG_PRIME_112R1,	/* ECCurve_SECG_PRIME_112R1 */
-	&ecCurve_SECG_PRIME_112R2,	/* ECCurve_SECG_PRIME_112R2 */
-	&ecCurve_SECG_PRIME_128R1,	/* ECCurve_SECG_PRIME_128R1 */
-	&ecCurve_SECG_PRIME_128R2,	/* ECCurve_SECG_PRIME_128R2 */
-	&ecCurve_SECG_PRIME_160K1,	/* ECCurve_SECG_PRIME_160K1 */
-	&ecCurve_SECG_PRIME_160R1,	/* ECCurve_SECG_PRIME_160R1 */
-	&ecCurve_SECG_PRIME_160R2,	/* ECCurve_SECG_PRIME_160R2 */
-	&ecCurve_SECG_PRIME_192K1,	/* ECCurve_SECG_PRIME_192K1 */
-	&ecCurve_SECG_PRIME_224K1,	/* ECCurve_SECG_PRIME_224K1 */
-	&ecCurve_SECG_PRIME_256K1,	/* ECCurve_SECG_PRIME_256K1 */
-	&ecCurve_SECG_CHAR2_113R1,	/* ECCurve_SECG_CHAR2_113R1 */
-	&ecCurve_SECG_CHAR2_113R2,	/* ECCurve_SECG_CHAR2_113R2 */
-	&ecCurve_SECG_CHAR2_131R1,	/* ECCurve_SECG_CHAR2_131R1 */
-	&ecCurve_SECG_CHAR2_131R2,	/* ECCurve_SECG_CHAR2_131R2 */
-	&ecCurve_SECG_CHAR2_163R1,	/* ECCurve_SECG_CHAR2_163R1 */
-	&ecCurve_SECG_CHAR2_193R1,	/* ECCurve_SECG_CHAR2_193R1 */
-	&ecCurve_SECG_CHAR2_193R2,	/* ECCurve_SECG_CHAR2_193R2 */
-	&ecCurve_SECG_CHAR2_239K1,	/* ECCurve_SECG_CHAR2_239K1 */
-	&ecCurve_WTLS_1,			/* ECCurve_WTLS_1 */
-	&ecCurve_WTLS_8,			/* ECCurve_WTLS_8 */
-	&ecCurve_WTLS_9,			/* ECCurve_WTLS_9 */
-	NULL						/* ECCurve_pastLastCurve */
-};
-
-#endif
diff --git a/security/nss/lib/freebl/ecl/ecl-exp.h b/security/nss/lib/freebl/ecl/ecl-exp.h
deleted file mode 100644
index 77f3ebb12..000000000
--- a/security/nss/lib/freebl/ecl/ecl-exp.h
+++ /dev/null
@@ -1,196 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef __ecl_exp_h_
-#define __ecl_exp_h_
-
-/* Curve field type */
-typedef enum {
-	ECField_GFp,
-	ECField_GF2m
-} ECField;
-
-/* Hexadecimal encoding of curve parameters */
-struct ECCurveParamsStr {
-	char *text;
-	ECField field;
-	unsigned int size;
-	char *irr;
-	char *curvea;
-	char *curveb;
-	char *genx;
-	char *geny;
-	char *order;
-	int cofactor;
-};
-typedef struct ECCurveParamsStr ECCurveParams;
-
-/* Named curve parameters */
-typedef enum {
-
-	ECCurve_noName = 0,
-
-	/* NIST prime curves */
-	ECCurve_NIST_P192,
-	ECCurve_NIST_P224,
-	ECCurve_NIST_P256,
-	ECCurve_NIST_P384,
-	ECCurve_NIST_P521,
-
-	/* NIST binary curves */
-	ECCurve_NIST_K163,
-	ECCurve_NIST_B163,
-	ECCurve_NIST_K233,
-	ECCurve_NIST_B233,
-	ECCurve_NIST_K283,
-	ECCurve_NIST_B283,
-	ECCurve_NIST_K409,
-	ECCurve_NIST_B409,
-	ECCurve_NIST_K571,
-	ECCurve_NIST_B571,
-
-	/* ANSI X9.62 prime curves */
-	/* ECCurve_X9_62_PRIME_192V1 == ECCurve_NIST_P192 */
-	ECCurve_X9_62_PRIME_192V2,
-	ECCurve_X9_62_PRIME_192V3,
-	ECCurve_X9_62_PRIME_239V1,
-	ECCurve_X9_62_PRIME_239V2,
-	ECCurve_X9_62_PRIME_239V3,
-	/* ECCurve_X9_62_PRIME_256V1 == ECCurve_NIST_P256 */
-
-	/* ANSI X9.62 binary curves */
-	ECCurve_X9_62_CHAR2_PNB163V1,
-	ECCurve_X9_62_CHAR2_PNB163V2,
-	ECCurve_X9_62_CHAR2_PNB163V3,
-	ECCurve_X9_62_CHAR2_PNB176V1,
-	ECCurve_X9_62_CHAR2_TNB191V1,
-	ECCurve_X9_62_CHAR2_TNB191V2,
-	ECCurve_X9_62_CHAR2_TNB191V3,
-	ECCurve_X9_62_CHAR2_PNB208W1,
-	ECCurve_X9_62_CHAR2_TNB239V1,
-	ECCurve_X9_62_CHAR2_TNB239V2,
-	ECCurve_X9_62_CHAR2_TNB239V3,
-	ECCurve_X9_62_CHAR2_PNB272W1,
-	ECCurve_X9_62_CHAR2_PNB304W1,
-	ECCurve_X9_62_CHAR2_TNB359V1,
-	ECCurve_X9_62_CHAR2_PNB368W1,
-	ECCurve_X9_62_CHAR2_TNB431R1,
-
-	/* SEC2 prime curves */
-	ECCurve_SECG_PRIME_112R1,
-	ECCurve_SECG_PRIME_112R2,
-	ECCurve_SECG_PRIME_128R1,
-	ECCurve_SECG_PRIME_128R2,
-	ECCurve_SECG_PRIME_160K1,
-	ECCurve_SECG_PRIME_160R1,
-	ECCurve_SECG_PRIME_160R2,
-	ECCurve_SECG_PRIME_192K1,
-	/* ECCurve_SECG_PRIME_192R1 == ECCurve_NIST_P192 */
-	ECCurve_SECG_PRIME_224K1,
-	/* ECCurve_SECG_PRIME_224R1 == ECCurve_NIST_P224 */
-	ECCurve_SECG_PRIME_256K1,
-	/* ECCurve_SECG_PRIME_256R1 == ECCurve_NIST_P256 */
-	/* ECCurve_SECG_PRIME_384R1 == ECCurve_NIST_P384 */
-	/* ECCurve_SECG_PRIME_521R1 == ECCurve_NIST_P521 */
-
-	/* SEC2 binary curves */
-	ECCurve_SECG_CHAR2_113R1,
-	ECCurve_SECG_CHAR2_113R2,
-	ECCurve_SECG_CHAR2_131R1,
-	ECCurve_SECG_CHAR2_131R2,
-	/* ECCurve_SECG_CHAR2_163K1 == ECCurve_NIST_K163 */
-	ECCurve_SECG_CHAR2_163R1,
-	/* ECCurve_SECG_CHAR2_163R2 == ECCurve_NIST_B163 */
-	ECCurve_SECG_CHAR2_193R1,
-	ECCurve_SECG_CHAR2_193R2,
-	/* ECCurve_SECG_CHAR2_233K1 == ECCurve_NIST_K233 */
-	/* ECCurve_SECG_CHAR2_233R1 == ECCurve_NIST_B233 */
-	ECCurve_SECG_CHAR2_239K1,
-	/* ECCurve_SECG_CHAR2_283K1 == ECCurve_NIST_K283 */
-	/* ECCurve_SECG_CHAR2_283R1 == ECCurve_NIST_B283 */
-	/* ECCurve_SECG_CHAR2_409K1 == ECCurve_NIST_K409 */
-	/* ECCurve_SECG_CHAR2_409R1 == ECCurve_NIST_B409 */
-	/* ECCurve_SECG_CHAR2_571K1 == ECCurve_NIST_K571 */
-	/* ECCurve_SECG_CHAR2_571R1 == ECCurve_NIST_B571 */
-
-	/* WTLS curves */
-	ECCurve_WTLS_1,
-	/* there is no WTLS 2 curve */
-	/* ECCurve_WTLS_3 == ECCurve_NIST_K163 */
-	/* ECCurve_WTLS_4 == ECCurve_SECG_CHAR2_113R1 */
-	/* ECCurve_WTLS_5 == ECCurve_X9_62_CHAR2_PNB163V1 */
-	/* ECCurve_WTLS_6 == ECCurve_SECG_PRIME_112R1 */
-	/* ECCurve_WTLS_7 == ECCurve_SECG_PRIME_160R1 */
-	ECCurve_WTLS_8,
-	ECCurve_WTLS_9,
-	/* ECCurve_WTLS_10 == ECCurve_NIST_K233 */
-	/* ECCurve_WTLS_11 == ECCurve_NIST_B233 */
-	/* ECCurve_WTLS_12 == ECCurve_NIST_P224 */
-
-	ECCurve_pastLastCurve
-} ECCurveName;
-
-/* Aliased named curves */
-
-#define ECCurve_X9_62_PRIME_192V1 ECCurve_NIST_P192
-#define ECCurve_X9_62_PRIME_256V1 ECCurve_NIST_P256
-#define ECCurve_SECG_PRIME_192R1 ECCurve_NIST_P192
-#define ECCurve_SECG_PRIME_224R1 ECCurve_NIST_P224
-#define ECCurve_SECG_PRIME_256R1 ECCurve_NIST_P256
-#define ECCurve_SECG_PRIME_384R1 ECCurve_NIST_P384
-#define ECCurve_SECG_PRIME_521R1 ECCurve_NIST_P521
-#define ECCurve_SECG_CHAR2_163K1 ECCurve_NIST_K163
-#define ECCurve_SECG_CHAR2_163R2 ECCurve_NIST_B163
-#define ECCurve_SECG_CHAR2_233K1 ECCurve_NIST_K233
-#define ECCurve_SECG_CHAR2_233R1 ECCurve_NIST_B233
-#define ECCurve_SECG_CHAR2_283K1 ECCurve_NIST_K283
-#define ECCurve_SECG_CHAR2_283R1 ECCurve_NIST_B283
-#define ECCurve_SECG_CHAR2_409K1 ECCurve_NIST_K409
-#define ECCurve_SECG_CHAR2_409R1 ECCurve_NIST_B409
-#define ECCurve_SECG_CHAR2_571K1 ECCurve_NIST_K571
-#define ECCurve_SECG_CHAR2_571R1 ECCurve_NIST_B571
-#define ECCurve_WTLS_3 ECCurve_NIST_K163
-#define ECCurve_WTLS_4 ECCurve_SECG_CHAR2_113R1
-#define ECCurve_WTLS_5 ECCurve_X9_62_CHAR2_PNB163V1
-#define ECCurve_WTLS_6 ECCurve_SECG_PRIME_112R1
-#define ECCurve_WTLS_7 ECCurve_SECG_PRIME_160R1
-#define ECCurve_WTLS_10 ECCurve_NIST_K233
-#define ECCurve_WTLS_11 ECCurve_NIST_B233
-#define ECCurve_WTLS_12 ECCurve_NIST_P224
-
-#endif							/* __ecl_exp_h_ */
diff --git a/security/nss/lib/freebl/ecl/ecl-priv.h b/security/nss/lib/freebl/ecl/ecl-priv.h
deleted file mode 100644
index bce7ccf09..000000000
--- a/security/nss/lib/freebl/ecl/ecl-priv.h
+++ /dev/null
@@ -1,219 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Stephen Fung <fungstep@hotmail.com> and
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef __ecl_priv_h_
-#define __ecl_priv_h_
-
-#include "ecl.h"
-#include "mpi.h"
-#include "mplogic.h"
-
-/* MAX_FIELD_SIZE_DIGITS is the maximum size of field element supported */
-#if defined(MP_USE_LONG_LONG_DIGIT) || defined(MP_USE_LONG_DIGIT)
-#define ECL_SIXTY_FOUR_BIT
-#define ECL_BITS 64
-#define ECL_MAX_FIELD_SIZE_DIGITS 10
-#else
-#define ECL_THIRTY_TWO_BIT
-#define ECL_BITS 32
-#define ECL_MAX_FIELD_SIZE_DIGITS 20
-#endif
-
-/* Gets the i'th bit in the binary representation of a. If i >= length(a), 
- * then return 0. (The above behaviour differs from mpl_get_bit, which
- * causes an error if i >= length(a).) */
-#define MP_GET_BIT(a, i) \
-	((i) >= mpl_significant_bits((a))) ? 0 : mpl_get_bit((a), (i))
-
-struct GFMethodStr;
-typedef struct GFMethodStr GFMethod;
-struct GFMethodStr {
-	/* Indicates whether the structure was constructed from dynamic memory 
-	 * or statically created. */
-	int constructed;
-	/* Irreducible that defines the field. For prime fields, this is the
-	 * prime p. For binary polynomial fields, this is the bitstring
-	 * representation of the irreducible polynomial. */
-	mp_int irr;
-	/* For prime fields, the value irr_arr[0] is the number of bits in the 
-	 * field. For binary polynomial fields, the irreducible polynomial
-	 * f(t) is represented as an array of unsigned int[], where f(t) is
-	 * of the form: f(t) = t^p[0] + t^p[1] + ... + t^p[4] where m = p[0]
-	 * > p[1] > ... > p[4] = 0. */
-	unsigned int irr_arr[5];
-	/* Field arithmetic methods. All methods (except field_enc and
-	 * field_dec) are assumed to take field-encoded parameters and return
-	 * field-encoded values. All methods (except field_enc and field_dec)
-	 * are required to be implemented. */
-	mp_err (*field_add) (const mp_int *a, const mp_int *b, mp_int *r,
-						 const GFMethod *meth);
-	mp_err (*field_neg) (const mp_int *a, mp_int *r, const GFMethod *meth);
-	mp_err (*field_sub) (const mp_int *a, const mp_int *b, mp_int *r,
-						 const GFMethod *meth);
-	mp_err (*field_mod) (const mp_int *a, mp_int *r, const GFMethod *meth);
-	mp_err (*field_mul) (const mp_int *a, const mp_int *b, mp_int *r,
-						 const GFMethod *meth);
-	mp_err (*field_sqr) (const mp_int *a, mp_int *r, const GFMethod *meth);
-	mp_err (*field_div) (const mp_int *a, const mp_int *b, mp_int *r,
-						 const GFMethod *meth);
-	mp_err (*field_enc) (const mp_int *a, mp_int *r, const GFMethod *meth);
-	mp_err (*field_dec) (const mp_int *a, mp_int *r, const GFMethod *meth);
-	/* Extra storage for implementation-specific data.  Any memory
-	 * allocated to these extra fields will be cleared by extra_free. */
-	void *extra1;
-	void *extra2;
-	void (*extra_free) (GFMethod *meth);
-};
-
-/* Construct generic GFMethods. */
-GFMethod *GFMethod_consGFp(const mp_int *irr);
-GFMethod *GFMethod_consGFp_mont(const mp_int *irr);
-GFMethod *GFMethod_consGF2m(const mp_int *irr,
-							const unsigned int irr_arr[5]);
-/* Free the memory allocated (if any) to a GFMethod object. */
-void GFMethod_free(GFMethod *meth);
-
-struct ECGroupStr {
-	/* Indicates whether the structure was constructed from dynamic memory 
-	 * or statically created. */
-	int constructed;
-	/* Field definition and arithmetic. */
-	GFMethod *meth;
-	/* Textual representation of curve name, if any. */
-	char *text;
-	/* Curve parameters, field-encoded. */
-	mp_int curvea, curveb;
-	/* x and y coordinates of the base point, field-encoded. */
-	mp_int genx, geny;
-	/* Order and cofactor of the base point. */
-	mp_int order;
-	int cofactor;
-	/* Point arithmetic methods. All methods are assumed to take
-	 * field-encoded parameters and return field-encoded values. All
-	 * methods (except base_point_mul and points_mul) are required to be
-	 * implemented. */
-	mp_err (*point_add) (const mp_int *px, const mp_int *py,
-						 const mp_int *qx, const mp_int *qy, mp_int *rx,
-						 mp_int *ry, const ECGroup *group);
-	mp_err (*point_sub) (const mp_int *px, const mp_int *py,
-						 const mp_int *qx, const mp_int *qy, mp_int *rx,
-						 mp_int *ry, const ECGroup *group);
-	mp_err (*point_dbl) (const mp_int *px, const mp_int *py, mp_int *rx,
-						 mp_int *ry, const ECGroup *group);
-	mp_err (*point_mul) (const mp_int *n, const mp_int *px,
-						 const mp_int *py, mp_int *rx, mp_int *ry,
-						 const ECGroup *group);
-	mp_err (*base_point_mul) (const mp_int *n, mp_int *rx, mp_int *ry,
-							  const ECGroup *group);
-	mp_err (*points_mul) (const mp_int *k1, const mp_int *k2,
-						  const mp_int *px, const mp_int *py, mp_int *rx,
-						  mp_int *ry, const ECGroup *group);
-	mp_err (*validate_point) (const mp_int *px, const mp_int *py, const ECGroup *group);
-	/* Extra storage for implementation-specific data.  Any memory
-	 * allocated to these extra fields will be cleared by extra_free. */
-	void *extra1;
-	void *extra2;
-	void (*extra_free) (ECGroup *group);
-};
-
-/* Wrapper functions for generic prime field arithmetic. */
-mp_err ec_GFp_add(const mp_int *a, const mp_int *b, mp_int *r,
-				  const GFMethod *meth);
-mp_err ec_GFp_neg(const mp_int *a, mp_int *r, const GFMethod *meth);
-mp_err ec_GFp_sub(const mp_int *a, const mp_int *b, mp_int *r,
-				  const GFMethod *meth);
-mp_err ec_GFp_mod(const mp_int *a, mp_int *r, const GFMethod *meth);
-mp_err ec_GFp_mul(const mp_int *a, const mp_int *b, mp_int *r,
-				  const GFMethod *meth);
-mp_err ec_GFp_sqr(const mp_int *a, mp_int *r, const GFMethod *meth);
-mp_err ec_GFp_div(const mp_int *a, const mp_int *b, mp_int *r,
-				  const GFMethod *meth);
-/* Wrapper functions for generic binary polynomial field arithmetic. */
-mp_err ec_GF2m_add(const mp_int *a, const mp_int *b, mp_int *r,
-				   const GFMethod *meth);
-mp_err ec_GF2m_neg(const mp_int *a, mp_int *r, const GFMethod *meth);
-mp_err ec_GF2m_mod(const mp_int *a, mp_int *r, const GFMethod *meth);
-mp_err ec_GF2m_mul(const mp_int *a, const mp_int *b, mp_int *r,
-				   const GFMethod *meth);
-mp_err ec_GF2m_sqr(const mp_int *a, mp_int *r, const GFMethod *meth);
-mp_err ec_GF2m_div(const mp_int *a, const mp_int *b, mp_int *r,
-				   const GFMethod *meth);
-
-/* Montgomery prime field arithmetic. */
-mp_err ec_GFp_mul_mont(const mp_int *a, const mp_int *b, mp_int *r,
-					   const GFMethod *meth);
-mp_err ec_GFp_sqr_mont(const mp_int *a, mp_int *r, const GFMethod *meth);
-mp_err ec_GFp_div_mont(const mp_int *a, const mp_int *b, mp_int *r,
-					   const GFMethod *meth);
-mp_err ec_GFp_enc_mont(const mp_int *a, mp_int *r, const GFMethod *meth);
-mp_err ec_GFp_dec_mont(const mp_int *a, mp_int *r, const GFMethod *meth);
-void ec_GFp_extra_free_mont(GFMethod *meth);
-
-/* point multiplication */
-mp_err ec_pts_mul_basic(const mp_int *k1, const mp_int *k2,
-						const mp_int *px, const mp_int *py, mp_int *rx,
-						mp_int *ry, const ECGroup *group);
-mp_err ec_pts_mul_simul_w2(const mp_int *k1, const mp_int *k2,
-						   const mp_int *px, const mp_int *py, mp_int *rx,
-						   mp_int *ry, const ECGroup *group);
-
-/* Computes the windowed non-adjacent-form (NAF) of a scalar. Out should
- * be an array of signed char's to output to, bitsize should be the number 
- * of bits of out, in is the original scalar, and w is the window size.
- * NAF is discussed in the paper: D. Hankerson, J. Hernandez and A.
- * Menezes, "Software implementation of elliptic curve cryptography over
- * binary fields", Proc. CHES 2000. */
-mp_err ec_compute_wNAF(signed char *out, int bitsize, const mp_int *in,
-					   int w);
-
-/* Optimized field arithmetic */
-mp_err ec_group_set_gfp192(ECGroup *group, ECCurveName);
-mp_err ec_group_set_gfp224(ECGroup *group, ECCurveName);
-mp_err ec_group_set_gf2m163(ECGroup *group, ECCurveName name);
-mp_err ec_group_set_gf2m193(ECGroup *group, ECCurveName name);
-mp_err ec_group_set_gf2m233(ECGroup *group, ECCurveName name);
-
-/* Optimized floating-point arithmetic */
-#ifdef ECL_USE_FP
-mp_err ec_group_set_secp160r1_fp(ECGroup *group);
-mp_err ec_group_set_nistp192_fp(ECGroup *group);
-mp_err ec_group_set_nistp224_fp(ECGroup *group);
-#endif
-
-#endif							/* __ecl_priv_h_ */
diff --git a/security/nss/lib/freebl/ecl/ecl.c b/security/nss/lib/freebl/ecl/ecl.c
deleted file mode 100644
index 520755f6a..000000000
--- a/security/nss/lib/freebl/ecl/ecl.c
+++ /dev/null
@@ -1,426 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "mpi.h"
-#include "mplogic.h"
-#include "ecl.h"
-#include "ecl-priv.h"
-#include "ec2.h"
-#include "ecp.h"
-#include <stdlib.h>
-#include <string.h>
-
-/* Allocate memory for a new ECGroup object. */
-ECGroup *
-ECGroup_new()
-{
-	mp_err res = MP_OKAY;
-	ECGroup *group;
-	group = (ECGroup *) malloc(sizeof(ECGroup));
-	if (group == NULL)
-		return NULL;
-	group->constructed = MP_YES;
-	group->text = NULL;
-	MP_DIGITS(&group->curvea) = 0;
-	MP_DIGITS(&group->curveb) = 0;
-	MP_DIGITS(&group->genx) = 0;
-	MP_DIGITS(&group->geny) = 0;
-	MP_DIGITS(&group->order) = 0;
-	MP_CHECKOK(mp_init(&group->curvea));
-	MP_CHECKOK(mp_init(&group->curveb));
-	MP_CHECKOK(mp_init(&group->genx));
-	MP_CHECKOK(mp_init(&group->geny));
-	MP_CHECKOK(mp_init(&group->order));
-	group->base_point_mul = NULL;
-	group->points_mul = NULL;
-	group->validate_point = NULL;
-	group->extra1 = NULL;
-	group->extra2 = NULL;
-	group->extra_free = NULL;
-
-  CLEANUP:
-	if (res != MP_OKAY) {
-		ECGroup_free(group);
-		return NULL;
-	}
-	return group;
-}
-
-/* Construct a generic ECGroup for elliptic curves over prime fields. */
-ECGroup *
-ECGroup_consGFp(const mp_int *irr, const mp_int *curvea,
-				const mp_int *curveb, const mp_int *genx,
-				const mp_int *geny, const mp_int *order, int cofactor)
-{
-	mp_err res = MP_OKAY;
-	ECGroup *group = NULL;
-
-	group = ECGroup_new();
-	if (group == NULL)
-		return NULL;
-
-	group->meth = GFMethod_consGFp(irr);
-	if (group->meth == NULL) {
-		res = MP_MEM;
-		goto CLEANUP;
-	}
-	MP_CHECKOK(mp_copy(curvea, &group->curvea));
-	MP_CHECKOK(mp_copy(curveb, &group->curveb));
-	MP_CHECKOK(mp_copy(genx, &group->genx));
-	MP_CHECKOK(mp_copy(geny, &group->geny));
-	MP_CHECKOK(mp_copy(order, &group->order));
-	group->cofactor = cofactor;
-	group->point_add = &ec_GFp_pt_add_aff;
-	group->point_sub = &ec_GFp_pt_sub_aff;
-	group->point_dbl = &ec_GFp_pt_dbl_aff;
-	group->point_mul = &ec_GFp_pt_mul_jm_wNAF;
-	group->base_point_mul = NULL;
-	group->points_mul = &ec_GFp_pts_mul_jac;
-	group->validate_point = &ec_GFp_validate_point;
-
-  CLEANUP:
-	if (res != MP_OKAY) {
-		ECGroup_free(group);
-		return NULL;
-	}
-	return group;
-}
-
-/* Construct a generic ECGroup for elliptic curves over prime fields with
- * field arithmetic implemented in Montgomery coordinates. */
-ECGroup *
-ECGroup_consGFp_mont(const mp_int *irr, const mp_int *curvea,
-					 const mp_int *curveb, const mp_int *genx,
-					 const mp_int *geny, const mp_int *order, int cofactor)
-{
-	mp_err res = MP_OKAY;
-	ECGroup *group = NULL;
-
-	group = ECGroup_new();
-	if (group == NULL)
-		return NULL;
-
-	group->meth = GFMethod_consGFp_mont(irr);
-	if (group->meth == NULL) {
-		res = MP_MEM;
-		goto CLEANUP;
-	}
-	MP_CHECKOK(group->meth->
-			   field_enc(curvea, &group->curvea, group->meth));
-	MP_CHECKOK(group->meth->
-			   field_enc(curveb, &group->curveb, group->meth));
-	MP_CHECKOK(group->meth->field_enc(genx, &group->genx, group->meth));
-	MP_CHECKOK(group->meth->field_enc(geny, &group->geny, group->meth));
-	MP_CHECKOK(mp_copy(order, &group->order));
-	group->cofactor = cofactor;
-	group->point_add = &ec_GFp_pt_add_aff;
-	group->point_sub = &ec_GFp_pt_sub_aff;
-	group->point_dbl = &ec_GFp_pt_dbl_aff;
-	group->point_mul = &ec_GFp_pt_mul_jm_wNAF;
-	group->base_point_mul = NULL;
-	group->points_mul = &ec_GFp_pts_mul_jac;
-	group->validate_point = &ec_GFp_validate_point;
-
-  CLEANUP:
-	if (res != MP_OKAY) {
-		ECGroup_free(group);
-		return NULL;
-	}
-	return group;
-}
-
-/* Construct a generic ECGroup for elliptic curves over binary polynomial
- * fields. */
-ECGroup *
-ECGroup_consGF2m(const mp_int *irr, const unsigned int irr_arr[5],
-				 const mp_int *curvea, const mp_int *curveb,
-				 const mp_int *genx, const mp_int *geny,
-				 const mp_int *order, int cofactor)
-{
-	mp_err res = MP_OKAY;
-	ECGroup *group = NULL;
-
-	group = ECGroup_new();
-	if (group == NULL)
-		return NULL;
-
-	group->meth = GFMethod_consGF2m(irr, irr_arr);
-	if (group->meth == NULL) {
-		res = MP_MEM;
-		goto CLEANUP;
-	}
-	MP_CHECKOK(mp_copy(curvea, &group->curvea));
-	MP_CHECKOK(mp_copy(curveb, &group->curveb));
-	MP_CHECKOK(mp_copy(genx, &group->genx));
-	MP_CHECKOK(mp_copy(geny, &group->geny));
-	MP_CHECKOK(mp_copy(order, &group->order));
-	group->cofactor = cofactor;
-	group->point_add = &ec_GF2m_pt_add_aff;
-	group->point_sub = &ec_GF2m_pt_sub_aff;
-	group->point_dbl = &ec_GF2m_pt_dbl_aff;
-	group->point_mul = &ec_GF2m_pt_mul_mont;
-	group->base_point_mul = NULL;
-	group->points_mul = &ec_pts_mul_basic;
-	group->validate_point = &ec_GF2m_validate_point;
-
-  CLEANUP:
-	if (res != MP_OKAY) {
-		ECGroup_free(group);
-		return NULL;
-	}
-	return group;
-}
-
-/* Helper macros for ecgroup_fromNameAndHex. */
-#define CHECK_GROUP \
-	if (group == NULL) { res = MP_UNDEF; goto CLEANUP; }
-#define CONS_GF2M \
-	group = ECGroup_consGF2m(&irr, NULL, &curvea, &curveb, &genx, &geny, &order, params->cofactor); \
-	CHECK_GROUP
-
-/* Construct ECGroup from hex parameters and name, if any. Called by
- * ECGroup_fromHex and ECGroup_fromName. */
-ECGroup *
-ecgroup_fromNameAndHex(const ECCurveName name,
-					   const ECCurveParams * params)
-{
-	mp_int irr, curvea, curveb, genx, geny, order;
-	int bits;
-	ECGroup *group = NULL;
-	mp_err res = MP_OKAY;
-
-	/* initialize values */
-	MP_DIGITS(&irr) = 0;
-	MP_DIGITS(&curvea) = 0;
-	MP_DIGITS(&curveb) = 0;
-	MP_DIGITS(&genx) = 0;
-	MP_DIGITS(&geny) = 0;
-	MP_DIGITS(&order) = 0;
-	MP_CHECKOK(mp_init(&irr));
-	MP_CHECKOK(mp_init(&curvea));
-	MP_CHECKOK(mp_init(&curveb));
-	MP_CHECKOK(mp_init(&genx));
-	MP_CHECKOK(mp_init(&geny));
-	MP_CHECKOK(mp_init(&order));
-	MP_CHECKOK(mp_read_radix(&irr, params->irr, 16));
-	MP_CHECKOK(mp_read_radix(&curvea, params->curvea, 16));
-	MP_CHECKOK(mp_read_radix(&curveb, params->curveb, 16));
-	MP_CHECKOK(mp_read_radix(&genx, params->genx, 16));
-	MP_CHECKOK(mp_read_radix(&geny, params->geny, 16));
-	MP_CHECKOK(mp_read_radix(&order, params->order, 16));
-
-	/* determine number of bits */
-	bits = mpl_significant_bits(&irr) - 1;
-	if (bits < MP_OKAY) {
-		res = bits;
-		goto CLEANUP;
-	}
-
-	/* determine which optimizations (if any) to use */
-	if (params->field == ECField_GFp) {
-		if ((name == ECCurve_SECG_PRIME_160K1)
-			|| (name == ECCurve_SECG_PRIME_160R2)) {
-			group =
-				ECGroup_consGFp_mont(&irr, &curvea, &curveb, &genx, &geny,
-									 &order, params->cofactor);
-		} else if ((name == ECCurve_SECG_PRIME_160R1)) {
-#ifdef ECL_USE_FP
-			group =
-				ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny,
-								&order, params->cofactor);
-			CHECK_GROUP MP_CHECKOK(ec_group_set_secp160r1_fp(group));
-#else
-			group =
-				ECGroup_consGFp_mont(&irr, &curvea, &curveb, &genx, &geny,
-									 &order, params->cofactor);
-#endif
-		} else if ((name == ECCurve_SECG_PRIME_192K1)) {
-			group =
-				ECGroup_consGFp_mont(&irr, &curvea, &curveb, &genx, &geny,
-									 &order, params->cofactor);
-			CHECK_GROUP MP_CHECKOK(ec_group_set_gfp192(group, name));
-		} else if ((name == ECCurve_SECG_PRIME_192R1)) {
-#ifdef ECL_USE_FP
-			group =
-				ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny,
-								&order, params->cofactor);
-			CHECK_GROUP MP_CHECKOK(ec_group_set_nistp192_fp(group));
-#else
-			group =
-				ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny,
-								&order, params->cofactor);
-			CHECK_GROUP MP_CHECKOK(ec_group_set_gfp192(group, name));
-#endif
-		} else if ((name == ECCurve_SECG_PRIME_224K1)) {
-			group =
-				ECGroup_consGFp_mont(&irr, &curvea, &curveb, &genx, &geny,
-									 &order, params->cofactor);
-			CHECK_GROUP MP_CHECKOK(ec_group_set_gfp224(group, name));
-		} else if ((name == ECCurve_SECG_PRIME_224R1)) {
-#ifdef ECL_USE_FP
-			group =
-				ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny,
-								&order, params->cofactor);
-			CHECK_GROUP MP_CHECKOK(ec_group_set_nistp224_fp(group));
-#else
-			group =
-				ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny,
-								&order, params->cofactor);
-			CHECK_GROUP MP_CHECKOK(ec_group_set_gfp224(group, name));
-#endif
-		} else {
-			group =
-				ECGroup_consGFp_mont(&irr, &curvea, &curveb, &genx, &geny,
-									 &order, params->cofactor);
-		CHECK_GROUP}
-		/* XXX secp521r1 fails ecp_test with &ec_GFp_pts_mul_jac */
-		if (name == ECCurve_SECG_PRIME_521R1) {
-			group->points_mul = &ec_pts_mul_simul_w2;
-		}
-	} else if (params->field == ECField_GF2m) {
-		switch (bits) {
-		case 163:
-			CONS_GF2M MP_CHECKOK(ec_group_set_gf2m163(group, name));
-			break;
-		case 193:
-			CONS_GF2M MP_CHECKOK(ec_group_set_gf2m193(group, name));
-			break;
-		case 233:
-			CONS_GF2M MP_CHECKOK(ec_group_set_gf2m233(group, name));
-			break;
-		default:
-			group =
-				ECGroup_consGF2m(&irr, NULL, &curvea, &curveb, &genx,
-								 &geny, &order, params->cofactor);
-			CHECK_GROUP break;
-		}
-	}
-
-	/* set name, if any */
-	if (params->text != NULL) {
-		group->text = strdup(params->text);
-		if (group->text == NULL) {
-			res = MP_MEM;
-		}
-	}
-
-  CLEANUP:
-	mp_clear(&irr);
-	mp_clear(&curvea);
-	mp_clear(&curveb);
-	mp_clear(&genx);
-	mp_clear(&geny);
-	mp_clear(&order);
-	if (res != MP_OKAY) {
-		ECGroup_free(group);
-		return NULL;
-	}
-	return group;
-}
-
-#undef CHECK_GROUP
-#undef CONS_GFP
-#undef CONS_GF2M
-
-/* Construct ECGroup from hexadecimal representations of parameters. */
-ECGroup *
-ECGroup_fromHex(const ECCurveParams * params)
-{
-	return ecgroup_fromNameAndHex(ECCurve_noName, params);
-}
-
-/* Construct ECGroup from named parameters. */
-ECGroup *
-ECGroup_fromName(const ECCurveName name)
-{
-	ECGroup *group = NULL;
-	ECCurveParams *params = NULL;
-	mp_err res = MP_OKAY;
-
-	params = EC_GetNamedCurveParams(name);
-	if (params == NULL) {
-		res = MP_UNDEF;
-		goto CLEANUP;
-	}
-
-	/* construct actual group */
-	group = ecgroup_fromNameAndHex(name, params);
-	if (group == NULL) {
-		res = MP_UNDEF;
-		goto CLEANUP;
-	}
-
-  CLEANUP:
-	EC_FreeCurveParams(params);
-	if (res != MP_OKAY) {
-		ECGroup_free(group);
-		return NULL;
-	}
-	return group;
-}
-
-/* Validates an EC public key as described in Section 5.2.2 of X9.62. */
-mp_err ECPoint_validate(const ECGroup *group, const mp_int *px, const 
-					mp_int *py)
-{
-    /* 1: Verify that publicValue is not the point at infinity */
-    /* 2: Verify that the coordinates of publicValue are elements 
-     *    of the field.
-     */
-    /* 3: Verify that publicValue is on the curve. */
-    /* 4: Verify that the order of the curve times the publicValue
-     *    is the point at infinity.
-     */
-	return group->validate_point(px, py, group);
-}
-
-/* Free the memory allocated (if any) to an ECGroup object. */
-void
-ECGroup_free(ECGroup *group)
-{
-	if (group == NULL)
-		return;
-	GFMethod_free(group->meth);
-	if (group->constructed == MP_NO)
-		return;
-	if (group->text != NULL)
-		free(group->text);
-	if (group->extra_free != NULL)
-		group->extra_free(group);
-	free(group);
-}
diff --git a/security/nss/lib/freebl/ecl/ecl.h b/security/nss/lib/freebl/ecl/ecl.h
deleted file mode 100644
index dbd86c253..000000000
--- a/security/nss/lib/freebl/ecl/ecl.h
+++ /dev/null
@@ -1,91 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/* Although this is not an exported header file, code which uses elliptic
- * curve point operations will need to include it. */
-
-#ifndef __ecl_h_
-#define __ecl_h_
-
-#include "ecl-exp.h"
-#include "mpi.h"
-
-struct ECGroupStr;
-typedef struct ECGroupStr ECGroup;
-
-/* Construct ECGroup from hexadecimal representations of parameters. */
-ECGroup *ECGroup_fromHex(const ECCurveParams * params);
-
-/* Construct ECGroup from named parameters. */
-ECGroup *ECGroup_fromName(const ECCurveName name);
-
-/* Free an allocated ECGroup. */
-void ECGroup_free(ECGroup *group);
-
-/* Construct ECCurveParams from an ECCurveName */
-ECCurveParams *EC_GetNamedCurveParams(const ECCurveName name);
-
-/* Duplicates an ECCurveParams */
-ECCurveParams *ECCurveParams_dup(const ECCurveParams * params);
-
-/* Free an allocated ECCurveParams */
-void EC_FreeCurveParams(ECCurveParams * params);
-
-/* Elliptic curve scalar-point multiplication. Computes Q(x, y) = k * P(x, 
- * y).  If x, y = NULL, then P is assumed to be the generator (base point) 
- * of the group of points on the elliptic curve. Input and output values
- * are assumed to be NOT field-encoded. */
-mp_err ECPoint_mul(const ECGroup *group, const mp_int *k, const mp_int *px,
-				   const mp_int *py, mp_int *qx, mp_int *qy);
-
-/* Elliptic curve scalar-point multiplication. Computes Q(x, y) = k1 * G + 
- * k2 * P(x, y), where G is the generator (base point) of the group of
- * points on the elliptic curve. Input and output values are assumed to
- * be NOT field-encoded. */
-mp_err ECPoints_mul(const ECGroup *group, const mp_int *k1,
-					const mp_int *k2, const mp_int *px, const mp_int *py,
-					mp_int *qx, mp_int *qy);
-
-/* Validates an EC public key as described in Section 5.2.2 of X9.62.
- * Returns MP_YES if the public key is valid, MP_NO if the public key
- * is invalid, or an error code if the validation could not be
- * performed. */
-mp_err ECPoint_validate(const ECGroup *group, const mp_int *px, const 
-					mp_int *py);
-
-#endif							/* __ecl_h_ */
diff --git a/security/nss/lib/freebl/ecl/ecl_curve.c b/security/nss/lib/freebl/ecl/ecl_curve.c
deleted file mode 100644
index b0a7d5074..000000000
--- a/security/nss/lib/freebl/ecl/ecl_curve.c
+++ /dev/null
@@ -1,122 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "ecl.h"
-#include "ecl-curve.h"
-#include "ecl-priv.h"
-#include <stdlib.h>
-#include <string.h>
-
-#define CHECK(func) if ((func) == NULL) { res = 0; goto CLEANUP; }
-
-/* Duplicates an ECCurveParams */
-ECCurveParams *
-ECCurveParams_dup(const ECCurveParams * params)
-{
-	int res = 1;
-	ECCurveParams *ret = NULL;
-
-	CHECK(ret = (ECCurveParams *) malloc(sizeof(ECCurveParams)));
-	if (params->text != NULL) {
-		CHECK(ret->text = strdup(params->text));
-	}
-	ret->field = params->field;
-	ret->size = params->size;
-	if (params->irr != NULL) {
-		CHECK(ret->irr = strdup(params->irr));
-	}
-	if (params->curvea != NULL) {
-		CHECK(ret->curvea = strdup(params->curvea));
-	}
-	if (params->curveb != NULL) {
-		CHECK(ret->curveb = strdup(params->curveb));
-	}
-	if (params->genx != NULL) {
-		CHECK(ret->genx = strdup(params->genx));
-	}
-	if (params->geny != NULL) {
-		CHECK(ret->geny = strdup(params->geny));
-	}
-	if (params->order != NULL) {
-		CHECK(ret->order = strdup(params->order));
-	}
-	ret->cofactor = params->cofactor;
-
-  CLEANUP:
-	if (res != 1) {
-		EC_FreeCurveParams(ret);
-		return NULL;
-	}
-	return ret;
-}
-
-#undef CHECK
-
-/* Construct ECCurveParams from an ECCurveName */
-ECCurveParams *
-EC_GetNamedCurveParams(const ECCurveName name)
-{
-	if ((name <= ECCurve_noName) || (ECCurve_pastLastCurve <= name)) {
-		return NULL;
-	} else {
-		return ECCurveParams_dup(ecCurve_map[name]);
-	}
-}
-
-/* Free the memory allocated (if any) to an ECCurveParams object. */
-void
-EC_FreeCurveParams(ECCurveParams * params)
-{
-	if (params == NULL)
-		return;
-	if (params->text != NULL)
-		free(params->text);
-	if (params->irr != NULL)
-		free(params->irr);
-	if (params->curvea != NULL)
-		free(params->curvea);
-	if (params->curveb != NULL)
-		free(params->curveb);
-	if (params->genx != NULL)
-		free(params->genx);
-	if (params->geny != NULL)
-		free(params->geny);
-	if (params->order != NULL)
-		free(params->order);
-	free(params);
-}
diff --git a/security/nss/lib/freebl/ecl/ecl_gf.c b/security/nss/lib/freebl/ecl/ecl_gf.c
deleted file mode 100644
index 9ee3bb6ac..000000000
--- a/security/nss/lib/freebl/ecl/ecl_gf.c
+++ /dev/null
@@ -1,339 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Stephen Fung <fungstep@hotmail.com> and
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "mpi.h"
-#include "mp_gf2m.h"
-#include "ecl-priv.h"
-#include <stdlib.h>
-
-/* Allocate memory for a new GFMethod object. */
-GFMethod *
-GFMethod_new()
-{
-	mp_err res = MP_OKAY;
-	GFMethod *meth;
-	meth = (GFMethod *) malloc(sizeof(GFMethod));
-	if (meth == NULL)
-		return NULL;
-	meth->constructed = MP_YES;
-	MP_CHECKOK(mp_init(&meth->irr));
-	meth->extra_free = NULL;
-
-  CLEANUP:
-	if (res != MP_OKAY) {
-		GFMethod_free(meth);
-		return NULL;
-	}
-	return meth;
-}
-
-/* Construct a generic GFMethod for arithmetic over prime fields with
- * irreducible irr. */
-GFMethod *
-GFMethod_consGFp(const mp_int *irr)
-{
-	mp_err res = MP_OKAY;
-	GFMethod *meth = NULL;
-
-	meth = GFMethod_new();
-	if (meth == NULL)
-		return NULL;
-
-	MP_CHECKOK(mp_copy(irr, &meth->irr));
-	meth->irr_arr[0] = mpl_significant_bits(irr);
-	meth->irr_arr[1] = meth->irr_arr[2] = meth->irr_arr[3] =
-		meth->irr_arr[4] = 0;
-	meth->field_add = &ec_GFp_add;
-	meth->field_neg = &ec_GFp_neg;
-	meth->field_sub = &ec_GFp_sub;
-	meth->field_mod = &ec_GFp_mod;
-	meth->field_mul = &ec_GFp_mul;
-	meth->field_sqr = &ec_GFp_sqr;
-	meth->field_div = &ec_GFp_div;
-	meth->field_enc = NULL;
-	meth->field_dec = NULL;
-	meth->extra1 = NULL;
-	meth->extra2 = NULL;
-	meth->extra_free = NULL;
-
-  CLEANUP:
-	if (res != MP_OKAY) {
-		GFMethod_free(meth);
-		return NULL;
-	}
-	return meth;
-}
-
-/* Construct a generic GFMethod for arithmetic over binary polynomial
- * fields with irreducible irr that has array representation irr_arr (see
- * ecl-priv.h for description of the representation).  If irr_arr is NULL, 
- * then it is constructed from the bitstring representation. */
-GFMethod *
-GFMethod_consGF2m(const mp_int *irr, const unsigned int irr_arr[5])
-{
-	mp_err res = MP_OKAY;
-	int ret;
-	GFMethod *meth = NULL;
-
-	meth = GFMethod_new();
-	if (meth == NULL)
-		return NULL;
-
-	MP_CHECKOK(mp_copy(irr, &meth->irr));
-	if (irr_arr != NULL) {
-		/* Irreducible polynomials are either trinomials or pentanomials. */
-		meth->irr_arr[0] = irr_arr[0];
-		meth->irr_arr[1] = irr_arr[1];
-		meth->irr_arr[2] = irr_arr[2];
-		if (irr_arr[2] > 0) {
-			meth->irr_arr[3] = irr_arr[3];
-			meth->irr_arr[4] = irr_arr[4];
-		} else {
-			meth->irr_arr[3] = meth->irr_arr[4] = 0;
-		}
-	} else {
-		ret = mp_bpoly2arr(irr, meth->irr_arr, 5);
-		/* Irreducible polynomials are either trinomials or pentanomials. */
-		if ((ret != 5) && (ret != 3)) {
-			res = MP_UNDEF;
-			goto CLEANUP;
-		}
-	}
-	meth->field_add = &ec_GF2m_add;
-	meth->field_neg = &ec_GF2m_neg;
-	meth->field_sub = &ec_GF2m_add;
-	meth->field_mod = &ec_GF2m_mod;
-	meth->field_mul = &ec_GF2m_mul;
-	meth->field_sqr = &ec_GF2m_sqr;
-	meth->field_div = &ec_GF2m_div;
-	meth->field_enc = NULL;
-	meth->field_dec = NULL;
-	meth->extra1 = NULL;
-	meth->extra2 = NULL;
-	meth->extra_free = NULL;
-
-  CLEANUP:
-	if (res != MP_OKAY) {
-		GFMethod_free(meth);
-		return NULL;
-	}
-	return meth;
-}
-
-/* Free the memory allocated (if any) to a GFMethod object. */
-void
-GFMethod_free(GFMethod *meth)
-{
-	if (meth == NULL)
-		return;
-	if (meth->constructed == MP_NO)
-		return;
-	if (meth->extra_free != NULL)
-		meth->extra_free(meth);
-	free(meth);
-}
-
-/* Wrapper functions for generic prime field arithmetic. */
-
-/* Add two field elements.  Assumes that 0 <= a, b < meth->irr */
-mp_err
-ec_GFp_add(const mp_int *a, const mp_int *b, mp_int *r,
-		   const GFMethod *meth)
-{
-	/* PRE: 0 <= a, b < p = meth->irr POST: 0 <= r < p, r = a + b (mod p) */
-	mp_err res;
-
-	if ((res = mp_add(a, b, r)) != MP_OKAY) {
-		return res;
-	}
-	if (mp_cmp(r, &meth->irr) >= 0) {
-		return mp_sub(r, &meth->irr, r);
-	}
-	return res;
-}
-
-/* Negates a field element.  Assumes that 0 <= a < meth->irr */
-mp_err
-ec_GFp_neg(const mp_int *a, mp_int *r, const GFMethod *meth)
-{
-	/* PRE: 0 <= a < p = meth->irr POST: 0 <= r < p, r = -a (mod p) */
-
-	if (mp_cmp_z(a) == 0) {
-		mp_zero(r);
-		return MP_OKAY;
-	}
-	return mp_sub(&meth->irr, a, r);
-}
-
-/* Subtracts two field elements.  Assumes that 0 <= a, b < meth->irr */
-mp_err
-ec_GFp_sub(const mp_int *a, const mp_int *b, mp_int *r,
-		   const GFMethod *meth)
-{
-	mp_err res = MP_OKAY;
-
-	/* PRE: 0 <= a, b < p = meth->irr POST: 0 <= r < p, r = a - b (mod p) */
-	res = mp_sub(a, b, r);
-	if (res == MP_RANGE) {
-		MP_CHECKOK(mp_sub(b, a, r));
-		if (mp_cmp_z(r) < 0) {
-			MP_CHECKOK(mp_add(r, &meth->irr, r));
-		}
-		MP_CHECKOK(ec_GFp_neg(r, r, meth));
-	}
-	if (mp_cmp_z(r) < 0) {
-		MP_CHECKOK(mp_add(r, &meth->irr, r));
-	}
-  CLEANUP:
-	return res;
-}
-
-/* Reduces an integer to a field element. */
-mp_err
-ec_GFp_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
-{
-	return mp_mod(a, &meth->irr, r);
-}
-
-/* Multiplies two field elements. */
-mp_err
-ec_GFp_mul(const mp_int *a, const mp_int *b, mp_int *r,
-		   const GFMethod *meth)
-{
-	return mp_mulmod(a, b, &meth->irr, r);
-}
-
-/* Squares a field element. */
-mp_err
-ec_GFp_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
-{
-	return mp_sqrmod(a, &meth->irr, r);
-}
-
-/* Divides two field elements. If a is NULL, then returns the inverse of
- * b. */
-mp_err
-ec_GFp_div(const mp_int *a, const mp_int *b, mp_int *r,
-		   const GFMethod *meth)
-{
-	mp_err res = MP_OKAY;
-	mp_int t;
-
-	/* If a is NULL, then return the inverse of b, otherwise return a/b. */
-	if (a == NULL) {
-		return mp_invmod(b, &meth->irr, r);
-	} else {
-		/* MPI doesn't support divmod, so we implement it using invmod and 
-		 * mulmod. */
-		MP_CHECKOK(mp_init(&t));
-		MP_CHECKOK(mp_invmod(b, &meth->irr, &t));
-		MP_CHECKOK(mp_mulmod(a, &t, &meth->irr, r));
-	  CLEANUP:
-		mp_clear(&t);
-		return res;
-	}
-}
-
-/* Wrapper functions for generic binary polynomial field arithmetic. */
-
-/* Adds two field elements. */
-mp_err
-ec_GF2m_add(const mp_int *a, const mp_int *b, mp_int *r,
-			const GFMethod *meth)
-{
-	return mp_badd(a, b, r);
-}
-
-/* Negates a field element. Note that for binary polynomial fields, the
- * negation of a field element is the field element itself. */
-mp_err
-ec_GF2m_neg(const mp_int *a, mp_int *r, const GFMethod *meth)
-{
-	if (a == r) {
-		return MP_OKAY;
-	} else {
-		return mp_copy(a, r);
-	}
-}
-
-/* Reduces a binary polynomial to a field element. */
-mp_err
-ec_GF2m_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
-{
-	return mp_bmod(a, meth->irr_arr, r);
-}
-
-/* Multiplies two field elements. */
-mp_err
-ec_GF2m_mul(const mp_int *a, const mp_int *b, mp_int *r,
-			const GFMethod *meth)
-{
-	return mp_bmulmod(a, b, meth->irr_arr, r);
-}
-
-/* Squares a field element. */
-mp_err
-ec_GF2m_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
-{
-	return mp_bsqrmod(a, meth->irr_arr, r);
-}
-
-/* Divides two field elements. If a is NULL, then returns the inverse of
- * b. */
-mp_err
-ec_GF2m_div(const mp_int *a, const mp_int *b, mp_int *r,
-			const GFMethod *meth)
-{
-	mp_err res = MP_OKAY;
-	mp_int t;
-
-	/* If a is NULL, then return the inverse of b, otherwise return a/b. */
-	if (a == NULL) {
-		/* The GF(2^m) portion of MPI doesn't support invmod, so we
-		 * compute 1/b. */
-		MP_CHECKOK(mp_init(&t));
-		MP_CHECKOK(mp_set_int(&t, 1));
-		MP_CHECKOK(mp_bdivmod(&t, b, &meth->irr, meth->irr_arr, r));
-	  CLEANUP:
-		mp_clear(&t);
-		return res;
-	} else {
-		return mp_bdivmod(a, b, &meth->irr, meth->irr_arr, r);
-	}
-}
diff --git a/security/nss/lib/freebl/ecl/ecl_mult.c b/security/nss/lib/freebl/ecl/ecl_mult.c
deleted file mode 100644
index 69eae6965..000000000
--- a/security/nss/lib/freebl/ecl/ecl_mult.c
+++ /dev/null
@@ -1,356 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "mpi.h"
-#include "mplogic.h"
-#include "ecl.h"
-#include "ecl-priv.h"
-#include <stdlib.h>
-
-/* Elliptic curve scalar-point multiplication. Computes R(x, y) = k * P(x, 
- * y).  If x, y = NULL, then P is assumed to be the generator (base point) 
- * of the group of points on the elliptic curve. Input and output values
- * are assumed to be NOT field-encoded. */
-mp_err
-ECPoint_mul(const ECGroup *group, const mp_int *k, const mp_int *px,
-			const mp_int *py, mp_int *rx, mp_int *ry)
-{
-	mp_err res = MP_OKAY;
-	mp_int kt;
-
-	ARGCHK((k != NULL) && (group != NULL), MP_BADARG);
-	MP_DIGITS(&kt) = 0;
-
-	/* want scalar to be less than or equal to group order */
-	if (mp_cmp(k, &group->order) >= 0) {
-		MP_CHECKOK(mp_init(&kt));
-		MP_CHECKOK(mp_mod(k, &group->order, &kt));
-	} else {
-		MP_SIGN(&kt) = MP_ZPOS;
-		MP_USED(&kt) = MP_USED(k);
-		MP_ALLOC(&kt) = MP_ALLOC(k);
-		MP_DIGITS(&kt) = MP_DIGITS(k);
-	}
-
-	if ((px == NULL) || (py == NULL)) {
-		if (group->base_point_mul) {
-			MP_CHECKOK(group->base_point_mul(&kt, rx, ry, group));
-		} else {
-			MP_CHECKOK(group->
-					   point_mul(&kt, &group->genx, &group->geny, rx, ry,
-								 group));
-		}
-	} else {
-		if (group->meth->field_enc) {
-			MP_CHECKOK(group->meth->field_enc(px, rx, group->meth));
-			MP_CHECKOK(group->meth->field_enc(py, ry, group->meth));
-			MP_CHECKOK(group->point_mul(&kt, rx, ry, rx, ry, group));
-		} else {
-			MP_CHECKOK(group->point_mul(&kt, px, py, rx, ry, group));
-		}
-	}
-	if (group->meth->field_dec) {
-		MP_CHECKOK(group->meth->field_dec(rx, rx, group->meth));
-		MP_CHECKOK(group->meth->field_dec(ry, ry, group->meth));
-	}
-
-  CLEANUP:
-	if (MP_DIGITS(&kt) != MP_DIGITS(k)) {
-		mp_clear(&kt);
-	}
-	return res;
-}
-
-/* Elliptic curve scalar-point multiplication. Computes R(x, y) = k1 * G + 
- * k2 * P(x, y), where G is the generator (base point) of the group of
- * points on the elliptic curve. Allows k1 = NULL or { k2, P } = NULL.
- * Input and output values are assumed to be NOT field-encoded. */
-mp_err
-ec_pts_mul_basic(const mp_int *k1, const mp_int *k2, const mp_int *px,
-				 const mp_int *py, mp_int *rx, mp_int *ry,
-				 const ECGroup *group)
-{
-	mp_err res = MP_OKAY;
-	mp_int sx, sy;
-
-	ARGCHK(group != NULL, MP_BADARG);
-	ARGCHK(!((k1 == NULL)
-			 && ((k2 == NULL) || (px == NULL)
-				 || (py == NULL))), MP_BADARG);
-
-	/* if some arguments are not defined used ECPoint_mul */
-	if (k1 == NULL) {
-		return ECPoint_mul(group, k2, px, py, rx, ry);
-	} else if ((k2 == NULL) || (px == NULL) || (py == NULL)) {
-		return ECPoint_mul(group, k1, NULL, NULL, rx, ry);
-	}
-
-	MP_DIGITS(&sx) = 0;
-	MP_DIGITS(&sy) = 0;
-	MP_CHECKOK(mp_init(&sx));
-	MP_CHECKOK(mp_init(&sy));
-
-	MP_CHECKOK(ECPoint_mul(group, k1, NULL, NULL, &sx, &sy));
-	MP_CHECKOK(ECPoint_mul(group, k2, px, py, rx, ry));
-
-	if (group->meth->field_enc) {
-		MP_CHECKOK(group->meth->field_enc(&sx, &sx, group->meth));
-		MP_CHECKOK(group->meth->field_enc(&sy, &sy, group->meth));
-		MP_CHECKOK(group->meth->field_enc(rx, rx, group->meth));
-		MP_CHECKOK(group->meth->field_enc(ry, ry, group->meth));
-	}
-
-	MP_CHECKOK(group->point_add(&sx, &sy, rx, ry, rx, ry, group));
-
-	if (group->meth->field_dec) {
-		MP_CHECKOK(group->meth->field_dec(rx, rx, group->meth));
-		MP_CHECKOK(group->meth->field_dec(ry, ry, group->meth));
-	}
-
-  CLEANUP:
-	mp_clear(&sx);
-	mp_clear(&sy);
-	return res;
-}
-
-/* Elliptic curve scalar-point multiplication. Computes R(x, y) = k1 * G + 
- * k2 * P(x, y), where G is the generator (base point) of the group of
- * points on the elliptic curve. Allows k1 = NULL or { k2, P } = NULL.
- * Input and output values are assumed to be NOT field-encoded. Uses
- * algorithm 15 (simultaneous multiple point multiplication) from Brown,
- * Hankerson, Lopez, Menezes. Software Implementation of the NIST
- * Elliptic Curves over Prime Fields. */
-mp_err
-ec_pts_mul_simul_w2(const mp_int *k1, const mp_int *k2, const mp_int *px,
-					const mp_int *py, mp_int *rx, mp_int *ry,
-					const ECGroup *group)
-{
-	mp_err res = MP_OKAY;
-	mp_int precomp[4][4][2];
-	mp_digit precomp_arr[ECL_MAX_FIELD_SIZE_DIGITS * 4 * 4 * 2], *t;
-	const mp_int *a, *b;
-	int i, j;
-	int ai, bi, d;
-
-	ARGCHK(group != NULL, MP_BADARG);
-	ARGCHK(!((k1 == NULL)
-			 && ((k2 == NULL) || (px == NULL)
-				 || (py == NULL))), MP_BADARG);
-
-	/* if some arguments are not defined used ECPoint_mul */
-	if (k1 == NULL) {
-		return ECPoint_mul(group, k2, px, py, rx, ry);
-	} else if ((k2 == NULL) || (px == NULL) || (py == NULL)) {
-		return ECPoint_mul(group, k1, NULL, NULL, rx, ry);
-	}
-
-	/* initialize precomputation table */
-	t = precomp_arr;
-	for (i = 0; i < 4; i++) {
-		for (j = 0; j < 4; j++) {
-			/* x co-ord */
-			MP_SIGN(&precomp[i][j][0]) = MP_ZPOS;
-			MP_ALLOC(&precomp[i][j][0]) = ECL_MAX_FIELD_SIZE_DIGITS;
-			MP_USED(&precomp[i][j][0]) = 1;
-			*t = 0;
-			MP_DIGITS(&precomp[i][j][0]) = t;
-			t += ECL_MAX_FIELD_SIZE_DIGITS;
-			/* y co-ord */
-			MP_SIGN(&precomp[i][j][1]) = MP_ZPOS;
-			MP_ALLOC(&precomp[i][j][1]) = ECL_MAX_FIELD_SIZE_DIGITS;
-			MP_USED(&precomp[i][j][1]) = 1;
-			*t = 0;
-			MP_DIGITS(&precomp[i][j][1]) = t;
-			t += ECL_MAX_FIELD_SIZE_DIGITS;
-		}
-	}
-
-	/* fill precomputation table */
-	/* assign {k1, k2} = {a, b} such that len(a) >= len(b) */
-	if (mpl_significant_bits(k1) < mpl_significant_bits(k2)) {
-		a = k2;
-		b = k1;
-		if (group->meth->field_enc) {
-			MP_CHECKOK(group->meth->
-					   field_enc(px, &precomp[1][0][0], group->meth));
-			MP_CHECKOK(group->meth->
-					   field_enc(py, &precomp[1][0][1], group->meth));
-		} else {
-			MP_CHECKOK(mp_copy(px, &precomp[1][0][0]));
-			MP_CHECKOK(mp_copy(py, &precomp[1][0][1]));
-		}
-		MP_CHECKOK(mp_copy(&group->genx, &precomp[0][1][0]));
-		MP_CHECKOK(mp_copy(&group->geny, &precomp[0][1][1]));
-	} else {
-		a = k1;
-		b = k2;
-		MP_CHECKOK(mp_copy(&group->genx, &precomp[1][0][0]));
-		MP_CHECKOK(mp_copy(&group->geny, &precomp[1][0][1]));
-		if (group->meth->field_enc) {
-			MP_CHECKOK(group->meth->
-					   field_enc(px, &precomp[0][1][0], group->meth));
-			MP_CHECKOK(group->meth->
-					   field_enc(py, &precomp[0][1][1], group->meth));
-		} else {
-			MP_CHECKOK(mp_copy(px, &precomp[0][1][0]));
-			MP_CHECKOK(mp_copy(py, &precomp[0][1][1]));
-		}
-	}
-	/* precompute [*][0][*] */
-	mp_zero(&precomp[0][0][0]);
-	mp_zero(&precomp[0][0][1]);
-	MP_CHECKOK(group->
-			   point_dbl(&precomp[1][0][0], &precomp[1][0][1],
-						 &precomp[2][0][0], &precomp[2][0][1], group));
-	MP_CHECKOK(group->
-			   point_add(&precomp[1][0][0], &precomp[1][0][1],
-						 &precomp[2][0][0], &precomp[2][0][1],
-						 &precomp[3][0][0], &precomp[3][0][1], group));
-	/* precompute [*][1][*] */
-	for (i = 1; i < 4; i++) {
-		MP_CHECKOK(group->
-				   point_add(&precomp[0][1][0], &precomp[0][1][1],
-							 &precomp[i][0][0], &precomp[i][0][1],
-							 &precomp[i][1][0], &precomp[i][1][1], group));
-	}
-	/* precompute [*][2][*] */
-	MP_CHECKOK(group->
-			   point_dbl(&precomp[0][1][0], &precomp[0][1][1],
-						 &precomp[0][2][0], &precomp[0][2][1], group));
-	for (i = 1; i < 4; i++) {
-		MP_CHECKOK(group->
-				   point_add(&precomp[0][2][0], &precomp[0][2][1],
-							 &precomp[i][0][0], &precomp[i][0][1],
-							 &precomp[i][2][0], &precomp[i][2][1], group));
-	}
-	/* precompute [*][3][*] */
-	MP_CHECKOK(group->
-			   point_add(&precomp[0][1][0], &precomp[0][1][1],
-						 &precomp[0][2][0], &precomp[0][2][1],
-						 &precomp[0][3][0], &precomp[0][3][1], group));
-	for (i = 1; i < 4; i++) {
-		MP_CHECKOK(group->
-				   point_add(&precomp[0][3][0], &precomp[0][3][1],
-							 &precomp[i][0][0], &precomp[i][0][1],
-							 &precomp[i][3][0], &precomp[i][3][1], group));
-	}
-
-	d = (mpl_significant_bits(a) + 1) / 2;
-
-	/* R = inf */
-	mp_zero(rx);
-	mp_zero(ry);
-
-	for (i = d - 1; i >= 0; i--) {
-		ai = MP_GET_BIT(a, 2 * i + 1);
-		ai <<= 1;
-		ai |= MP_GET_BIT(a, 2 * i);
-		bi = MP_GET_BIT(b, 2 * i + 1);
-		bi <<= 1;
-		bi |= MP_GET_BIT(b, 2 * i);
-		/* R = 2^2 * R */
-		MP_CHECKOK(group->point_dbl(rx, ry, rx, ry, group));
-		MP_CHECKOK(group->point_dbl(rx, ry, rx, ry, group));
-		/* R = R + (ai * A + bi * B) */
-		MP_CHECKOK(group->
-				   point_add(rx, ry, &precomp[ai][bi][0],
-							 &precomp[ai][bi][1], rx, ry, group));
-	}
-
-	if (group->meth->field_dec) {
-		MP_CHECKOK(group->meth->field_dec(rx, rx, group->meth));
-		MP_CHECKOK(group->meth->field_dec(ry, ry, group->meth));
-	}
-
-  CLEANUP:
-	return res;
-}
-
-/* Elliptic curve scalar-point multiplication. Computes R(x, y) = k1 * G + 
- * k2 * P(x, y), where G is the generator (base point) of the group of
- * points on the elliptic curve. Allows k1 = NULL or { k2, P } = NULL.
- * Input and output values are assumed to be NOT field-encoded. */
-mp_err
-ECPoints_mul(const ECGroup *group, const mp_int *k1, const mp_int *k2,
-			 const mp_int *px, const mp_int *py, mp_int *rx, mp_int *ry)
-{
-	mp_err res = MP_OKAY;
-	mp_int k1t, k2t;
-	const mp_int *k1p, *k2p;
-
-	MP_DIGITS(&k1t) = 0;
-	MP_DIGITS(&k2t) = 0;
-
-	ARGCHK(group != NULL, MP_BADARG);
-
-	/* want scalar to be less than or equal to group order */
-	if (k1 != NULL) {
-		if (mp_cmp(k1, &group->order) >= 0) {
-			MP_CHECKOK(mp_init(&k1t));
-			MP_CHECKOK(mp_mod(k1, &group->order, &k1t));
-			k1p = &k1t;
-		} else {
-			k1p = k1;
-		}
-	} else {
-		k1p = k1;
-	}
-	if (k2 != NULL) {
-		if (mp_cmp(k2, &group->order) >= 0) {
-			MP_CHECKOK(mp_init(&k2t));
-			MP_CHECKOK(mp_mod(k2, &group->order, &k2t));
-			k2p = &k2t;
-		} else {
-			k2p = k2;
-		}
-	} else {
-		k2p = k2;
-	}
-
-	/* if points_mul is defined, then use it */
-	if (group->points_mul) {
-		res = group->points_mul(k1p, k2p, px, py, rx, ry, group);
-	} else {
-		res = ec_pts_mul_simul_w2(k1p, k2p, px, py, rx, ry, group);
-	}
-
-  CLEANUP:
-	mp_clear(&k1t);
-	mp_clear(&k2t);
-	return res;
-}
diff --git a/security/nss/lib/freebl/ecl/ecp.h b/security/nss/lib/freebl/ecl/ecp.h
deleted file mode 100644
index 1d247b154..000000000
--- a/security/nss/lib/freebl/ecl/ecp.h
+++ /dev/null
@@ -1,140 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library for prime field curves.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef __ecp_h_
-#define __ecp_h_
-
-#include "ecl-priv.h"
-
-/* Checks if point P(px, py) is at infinity.  Uses affine coordinates. */
-mp_err ec_GFp_pt_is_inf_aff(const mp_int *px, const mp_int *py);
-
-/* Sets P(px, py) to be the point at infinity.  Uses affine coordinates. */
-mp_err ec_GFp_pt_set_inf_aff(mp_int *px, mp_int *py);
-
-/* Computes R = P + Q where R is (rx, ry), P is (px, py) and Q is (qx,
- * qy). Uses affine coordinates. */
-mp_err ec_GFp_pt_add_aff(const mp_int *px, const mp_int *py,
-						 const mp_int *qx, const mp_int *qy, mp_int *rx,
-						 mp_int *ry, const ECGroup *group);
-
-/* Computes R = P - Q.  Uses affine coordinates. */
-mp_err ec_GFp_pt_sub_aff(const mp_int *px, const mp_int *py,
-						 const mp_int *qx, const mp_int *qy, mp_int *rx,
-						 mp_int *ry, const ECGroup *group);
-
-/* Computes R = 2P.  Uses affine coordinates. */
-mp_err ec_GFp_pt_dbl_aff(const mp_int *px, const mp_int *py, mp_int *rx,
-						 mp_int *ry, const ECGroup *group);
-
-/* Validates a point on a GFp curve. */
-mp_err ec_GFp_validate_point(const mp_int *px, const mp_int *py, const ECGroup *group);
-
-#ifdef ECL_ENABLE_GFP_PT_MUL_AFF
-/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters
- * a, b and p are the elliptic curve coefficients and the prime that
- * determines the field GFp.  Uses affine coordinates. */
-mp_err ec_GFp_pt_mul_aff(const mp_int *n, const mp_int *px,
-						 const mp_int *py, mp_int *rx, mp_int *ry,
-						 const ECGroup *group);
-#endif
-
-/* Converts a point P(px, py) from affine coordinates to Jacobian
- * projective coordinates R(rx, ry, rz). */
-mp_err ec_GFp_pt_aff2jac(const mp_int *px, const mp_int *py, mp_int *rx,
-						 mp_int *ry, mp_int *rz, const ECGroup *group);
-
-/* Converts a point P(px, py, pz) from Jacobian projective coordinates to
- * affine coordinates R(rx, ry). */
-mp_err ec_GFp_pt_jac2aff(const mp_int *px, const mp_int *py,
-						 const mp_int *pz, mp_int *rx, mp_int *ry,
-						 const ECGroup *group);
-
-/* Checks if point P(px, py, pz) is at infinity.  Uses Jacobian
- * coordinates. */
-mp_err ec_GFp_pt_is_inf_jac(const mp_int *px, const mp_int *py,
-							const mp_int *pz);
-
-/* Sets P(px, py, pz) to be the point at infinity.  Uses Jacobian
- * coordinates. */
-mp_err ec_GFp_pt_set_inf_jac(mp_int *px, mp_int *py, mp_int *pz);
-
-/* Computes R = P + Q where R is (rx, ry, rz), P is (px, py, pz) and Q is
- * (qx, qy, qz).  Uses Jacobian coordinates. */
-mp_err ec_GFp_pt_add_jac_aff(const mp_int *px, const mp_int *py,
-							 const mp_int *pz, const mp_int *qx,
-							 const mp_int *qy, mp_int *rx, mp_int *ry,
-							 mp_int *rz, const ECGroup *group);
-
-/* Computes R = 2P.  Uses Jacobian coordinates. */
-mp_err ec_GFp_pt_dbl_jac(const mp_int *px, const mp_int *py,
-						 const mp_int *pz, mp_int *rx, mp_int *ry,
-						 mp_int *rz, const ECGroup *group);
-
-#ifdef ECL_ENABLE_GFP_PT_MUL_JAC
-/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters
- * a, b and p are the elliptic curve coefficients and the prime that
- * determines the field GFp.  Uses Jacobian coordinates. */
-mp_err ec_GFp_pt_mul_jac(const mp_int *n, const mp_int *px,
-						 const mp_int *py, mp_int *rx, mp_int *ry,
-						 const ECGroup *group);
-#endif
-
-/* Computes R(x, y) = k1 * G + k2 * P(x, y), where G is the generator
- * (base point) of the group of points on the elliptic curve. Allows k1 =
- * NULL or { k2, P } = NULL.  Implemented using mixed Jacobian-affine
- * coordinates. Input and output values are assumed to be NOT
- * field-encoded and are in affine form. */
-mp_err
- ec_GFp_pts_mul_jac(const mp_int *k1, const mp_int *k2, const mp_int *px,
-					const mp_int *py, mp_int *rx, mp_int *ry,
-					const ECGroup *group);
-
-/* Computes R = nP where R is (rx, ry) and P is the base point. Elliptic
- * curve points P and R can be identical. Uses mixed Modified-Jacobian
- * co-ordinates for doubling and Chudnovsky Jacobian coordinates for
- * additions. Assumes input is already field-encoded using field_enc, and
- * returns output that is still field-encoded. Uses 5-bit window NAF
- * method (algorithm 11) for scalar-point multiplication from Brown,
- * Hankerson, Lopez, Menezes. Software Implementation of the NIST Elliptic 
- * Curves Over Prime Fields. */
-mp_err
- ec_GFp_pt_mul_jm_wNAF(const mp_int *n, const mp_int *px, const mp_int *py,
-					   mp_int *rx, mp_int *ry, const ECGroup *group);
-
-#endif							/* __ecp_h_ */
diff --git a/security/nss/lib/freebl/ecl/ecp_192.c b/security/nss/lib/freebl/ecl/ecp_192.c
deleted file mode 100644
index 26867ae3e..000000000
--- a/security/nss/lib/freebl/ecl/ecp_192.c
+++ /dev/null
@@ -1,229 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library for prime field curves.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "ecp.h"
-#include "mpi.h"
-#include "mplogic.h"
-#include "mpi-priv.h"
-#include <stdlib.h>
-
-/* Fast modular reduction for p192 = 2^192 - 2^64 - 1.  a can be r. Uses
- * algorithm 7 from Brown, Hankerson, Lopez, Menezes. Software
- * Implementation of the NIST Elliptic Curves over Prime Fields. */
-mp_err
-ec_GFp_nistp192_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
-{
-	mp_err res = MP_OKAY;
-	mp_size a_used = MP_USED(a);
-
-	/* s is a statically-allocated mp_int of exactly the size we need */
-	mp_int s;
-
-#ifdef ECL_THIRTY_TWO_BIT
-	mp_digit sa[6];
-	mp_digit a11 = 0, a10, a9 = 0, a8, a7 = 0, a6;
-
-	MP_SIGN(&s) = MP_ZPOS;
-	MP_ALLOC(&s) = 6;
-	MP_USED(&s) = 6;
-	MP_DIGITS(&s) = sa;
-#else
-	mp_digit sa[3];
-	mp_digit a5 = 0, a4 = 0, a3 = 0;
-
-	MP_SIGN(&s) = MP_ZPOS;
-	MP_ALLOC(&s) = 3;
-	MP_USED(&s) = 3;
-	MP_DIGITS(&s) = sa;
-#endif
-
-	/* reduction not needed if a is not larger than field size */
-#ifdef ECL_THIRTY_TWO_BIT
-	if (a_used < 6) {
-#else
-	if (a_used < 3) {
-#endif
-		return mp_copy(a, r);
-	}
-#ifdef ECL_THIRTY_TWO_BIT
-	/* for polynomials larger than twice the field size, use regular
-	 * reduction */
-	if (a_used > 12) {
-		MP_CHECKOK(mp_mod(a, &meth->irr, r));
-	} else {
-		/* copy out upper words of a */
-		switch (a_used) {
-		case 12:
-			a11 = MP_DIGIT(a, 11);
-		case 11:
-			a10 = MP_DIGIT(a, 10);
-		case 10:
-			a9 = MP_DIGIT(a, 9);
-		case 9:
-			a8 = MP_DIGIT(a, 8);
-		case 8:
-			a7 = MP_DIGIT(a, 7);
-		case 7:
-			a6 = MP_DIGIT(a, 6);
-		}
-		/* set the lower words of r */
-		if (a != r) {
-			MP_CHECKOK(s_mp_pad(r, 7));
-			MP_DIGIT(r, 5) = MP_DIGIT(a, 5);
-			MP_DIGIT(r, 4) = MP_DIGIT(a, 4);
-			MP_DIGIT(r, 3) = MP_DIGIT(a, 3);
-			MP_DIGIT(r, 2) = MP_DIGIT(a, 2);
-			MP_DIGIT(r, 1) = MP_DIGIT(a, 1);
-			MP_DIGIT(r, 0) = MP_DIGIT(a, 0);
-		}
-		MP_USED(r) = 6;
-		/* compute r = s1 + s2 + s3 + s4, where s1 = (a2,a1,a0), s2 =
-		 * (0,a3,a3), s3 = (a4,a4,0), and s4 = (a5,a5,a5), for
-		 * sixty-four-bit words */
-		switch (a_used) {
-		case 12:
-		case 11:
-			sa[5] = sa[3] = sa[1] = a11;
-			sa[4] = sa[2] = sa[0] = a10;
-			MP_CHECKOK(mp_add(r, &s, r));
-		case 10:
-		case 9:
-			sa[5] = sa[3] = a9;
-			sa[4] = sa[2] = a8;
-			sa[1] = sa[0] = 0;
-			MP_CHECKOK(mp_add(r, &s, r));
-		case 8:
-		case 7:
-			sa[5] = sa[4] = 0;
-			sa[3] = sa[1] = a7;
-			sa[2] = sa[0] = a6;
-			MP_CHECKOK(mp_add(r, &s, r));
-		}
-		/* there might be 1 or 2 bits left to reduce; use regular
-		 * reduction for this */
-		MP_CHECKOK(mp_mod(r, &meth->irr, r));
-	}
-#else
-	/* for polynomials larger than twice the field size, use regular
-	 * reduction */
-	if (a_used > 6) {
-		MP_CHECKOK(mp_mod(a, &meth->irr, r));
-	} else {
-		/* copy out upper words of a */
-		switch (a_used) {
-		case 6:
-			a5 = MP_DIGIT(a, 5);
-		case 5:
-			a4 = MP_DIGIT(a, 4);
-		case 4:
-			a3 = MP_DIGIT(a, 3);
-		}
-		/* set the lower words of r */
-		if (a != r) {
-			MP_CHECKOK(s_mp_pad(r, 4));
-			MP_DIGIT(r, 2) = MP_DIGIT(a, 2);
-			MP_DIGIT(r, 1) = MP_DIGIT(a, 1);
-			MP_DIGIT(r, 0) = MP_DIGIT(a, 0);
-		}
-		MP_USED(r) = 3;
-		/* compute r = s1 + s2 + s3 + s4, where s1 = (a2,a1,a0), s2 =
-		 * (0,a3,a3), s3 = (a4,a4,0), and s4 = (a5,a5,a5) */
-		switch (a_used) {
-		case 6:
-			sa[2] = sa[1] = sa[0] = a5;
-			MP_CHECKOK(mp_add(r, &s, r));
-		case 5:
-			sa[2] = sa[1] = a4;
-			sa[0] = 0;
-			MP_CHECKOK(mp_add(r, &s, r));
-		case 4:
-			sa[2] = 0;
-			sa[1] = sa[0] = a3;
-			MP_CHECKOK(mp_add(r, &s, r));
-		}
-		/* there might be 1 or 2 bits left to reduce; use regular
-		 * reduction for this */
-		MP_CHECKOK(mp_mod(r, &meth->irr, r));
-	}
-#endif
-
-  CLEANUP:
-	return res;
-}
-
-/* Compute the square of polynomial a, reduce modulo p192. Store the
- * result in r.  r could be a.  Uses optimized modular reduction for p192. 
- */
-mp_err
-ec_GFp_nistp192_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
-{
-	mp_err res = MP_OKAY;
-
-	MP_CHECKOK(mp_sqr(a, r));
-	MP_CHECKOK(ec_GFp_nistp192_mod(r, r, meth));
-  CLEANUP:
-	return res;
-}
-
-/* Compute the product of two polynomials a and b, reduce modulo p192.
- * Store the result in r.  r could be a or b; a could be b.  Uses
- * optimized modular reduction for p192. */
-mp_err
-ec_GFp_nistp192_mul(const mp_int *a, const mp_int *b, mp_int *r,
-					const GFMethod *meth)
-{
-	mp_err res = MP_OKAY;
-
-	MP_CHECKOK(mp_mul(a, b, r));
-	MP_CHECKOK(ec_GFp_nistp192_mod(r, r, meth));
-  CLEANUP:
-	return res;
-}
-
-/* Wire in fast field arithmetic and precomputation of base point for
- * named curves. */
-mp_err
-ec_group_set_gfp192(ECGroup *group, ECCurveName name)
-{
-	if (name == ECCurve_NIST_P192) {
-		group->meth->field_mod = &ec_GFp_nistp192_mod;
-		group->meth->field_mul = &ec_GFp_nistp192_mul;
-		group->meth->field_sqr = &ec_GFp_nistp192_sqr;
-	}
-	return MP_OKAY;
-}
diff --git a/security/nss/lib/freebl/ecl/ecp_224.c b/security/nss/lib/freebl/ecl/ecp_224.c
deleted file mode 100644
index c3d8fa362..000000000
--- a/security/nss/lib/freebl/ecl/ecp_224.c
+++ /dev/null
@@ -1,306 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library for prime field curves.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "ecp.h"
-#include "mpi.h"
-#include "mplogic.h"
-#include "mpi-priv.h"
-#include <stdlib.h>
-
-/* Fast modular reduction for p224 = 2^224 - 2^96 + 1.  a can be r. Uses
- * algorithm 7 from Brown, Hankerson, Lopez, Menezes. Software
- * Implementation of the NIST Elliptic Curves over Prime Fields. */
-mp_err
-ec_GFp_nistp224_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
-{
-	mp_err res = MP_OKAY;
-	mp_size a_used = MP_USED(a);
-
-	/* s is a statically-allocated mp_int of exactly the size we need */
-	mp_int s;
-
-#ifdef ECL_THIRTY_TWO_BIT
-	mp_digit sa[8];
-	mp_digit a13 = 0, a12 = 0, a11 = 0, a10, a9 = 0, a8, a7;
-
-	MP_SIGN(&s) = MP_ZPOS;
-	MP_ALLOC(&s) = 8;
-	MP_USED(&s) = 7;
-	MP_DIGITS(&s) = sa;
-#else
-	mp_digit sa[4];
-	mp_digit a6 = 0, a5 = 0, a4 = 0, a3 = 0;
-
-	MP_SIGN(&s) = MP_ZPOS;
-	MP_ALLOC(&s) = 4;
-	MP_USED(&s) = 4;
-	MP_DIGITS(&s) = sa;
-#endif
-
-	/* reduction not needed if a is not larger than field size */
-#ifdef ECL_THIRTY_TWO_BIT
-	if (a_used < 8) {
-#else
-	if (a_used < 4) {
-#endif
-		return mp_copy(a, r);
-	}
-#ifdef ECL_THIRTY_TWO_BIT
-	/* for polynomials larger than twice the field size, use regular
-	 * reduction */
-	if (a_used > 14) {
-		MP_CHECKOK(mp_mod(a, &meth->irr, r));
-	} else {
-		/* copy out upper words of a */
-		switch (a_used) {
-		case 14:
-			a13 = MP_DIGIT(a, 13);
-		case 13:
-			a12 = MP_DIGIT(a, 12);
-		case 12:
-			a11 = MP_DIGIT(a, 11);
-		case 11:
-			a10 = MP_DIGIT(a, 10);
-		case 10:
-			a9 = MP_DIGIT(a, 9);
-		case 9:
-			a8 = MP_DIGIT(a, 8);
-		case 8:
-			a7 = MP_DIGIT(a, 7);
-		}
-		/* set the lower words of r */
-		if (a != r) {
-			MP_CHECKOK(s_mp_pad(r, 8));
-			MP_DIGIT(r, 6) = MP_DIGIT(a, 6);
-			MP_DIGIT(r, 5) = MP_DIGIT(a, 5);
-			MP_DIGIT(r, 4) = MP_DIGIT(a, 4);
-			MP_DIGIT(r, 3) = MP_DIGIT(a, 3);
-			MP_DIGIT(r, 2) = MP_DIGIT(a, 2);
-			MP_DIGIT(r, 1) = MP_DIGIT(a, 1);
-			MP_DIGIT(r, 0) = MP_DIGIT(a, 0);
-		}
-		MP_USED(r) = 7;
-		switch (a_used) {
-		case 14:
-		case 13:
-		case 12:
-		case 11:
-			sa[6] = a10;
-		case 10:
-			sa[5] = a9;
-		case 9:
-			sa[4] = a8;
-		case 8:
-			sa[3] = a7;
-			sa[2] = sa[1] = sa[0] = 0;
-			MP_USED(&s) = a_used - 4;
-			if (MP_USED(&s) > 7)
-				MP_USED(&s) = 7;
-			MP_CHECKOK(mp_add(r, &s, r));
-		}
-		switch (a_used) {
-		case 14:
-			sa[5] = a13;
-		case 13:
-			sa[4] = a12;
-		case 12:
-			sa[3] = a11;
-			sa[2] = sa[1] = sa[0] = 0;
-			MP_USED(&s) = a_used - 8;
-			MP_CHECKOK(mp_add(r, &s, r));
-		}
-		switch (a_used) {
-		case 14:
-			sa[6] = a13;
-		case 13:
-			sa[5] = a12;
-		case 12:
-			sa[4] = a11;
-		case 11:
-			sa[3] = a10;
-		case 10:
-			sa[2] = a9;
-		case 9:
-			sa[1] = a8;
-		case 8:
-			sa[0] = a7;
-			MP_USED(&s) = a_used - 7;
-			MP_CHECKOK(mp_sub(r, &s, r));
-		}
-		switch (a_used) {
-		case 14:
-			sa[2] = a13;
-		case 13:
-			sa[1] = a12;
-		case 12:
-			sa[0] = a11;
-			MP_USED(&s) = a_used - 11;
-			MP_CHECKOK(mp_sub(r, &s, r));
-		}
-		/* there might be 1 or 2 bits left to reduce; use regular
-		 * reduction for this */
-		MP_CHECKOK(mp_mod(r, &meth->irr, r));
-	}
-#else
-	/* for polynomials larger than twice the field size, use regular
-	 * reduction */
-	if (a_used > 7) {
-		MP_CHECKOK(mp_mod(a, &meth->irr, r));
-	} else {
-		/* copy out upper words of a */
-		switch (a_used) {
-		case 7:
-			a6 = MP_DIGIT(a, 6);
-		case 6:
-			a5 = MP_DIGIT(a, 5);
-		case 5:
-			a4 = MP_DIGIT(a, 4);
-		case 4:
-			a3 = MP_DIGIT(a, 3) >> 32;
-		}
-		/* set the lower words of r */
-		if (a != r) {
-			MP_CHECKOK(s_mp_pad(r, 5));
-			MP_DIGIT(r, 3) = MP_DIGIT(a, 3) & 0xFFFFFFFF;
-			MP_DIGIT(r, 2) = MP_DIGIT(a, 2);
-			MP_DIGIT(r, 1) = MP_DIGIT(a, 1);
-			MP_DIGIT(r, 0) = MP_DIGIT(a, 0);
-		} else {
-			MP_DIGIT(r, 3) &= 0xFFFFFFFF;
-		}
-		MP_USED(r) = 4;
-		switch (a_used) {
-		case 7:
-		case 6:
-			sa[3] = a5 & 0xFFFFFFFF;
-		case 5:
-			sa[2] = a4;
-		case 4:
-			sa[1] = a3 << 32;
-			sa[0] = 0;
-			MP_USED(&s) = a_used - 2;
-			if (MP_USED(&s) == 5)
-				MP_USED(&s) = 4;
-			MP_CHECKOK(mp_add(r, &s, r));
-		}
-		switch (a_used) {
-		case 7:
-			sa[2] = a6;
-		case 6:
-			sa[1] = (a5 >> 32) << 32;
-			sa[0] = 0;
-			MP_USED(&s) = a_used - 4;
-			MP_CHECKOK(mp_add(r, &s, r));
-		}
-		sa[2] = sa[1] = sa[0] = 0;
-		switch (a_used) {
-		case 7:
-			sa[3] = a6 >> 32;
-			sa[2] = a6 << 32;
-		case 6:
-			sa[2] |= a5 >> 32;
-			sa[1] = a5 << 32;
-		case 5:
-			sa[1] |= a4 >> 32;
-			sa[0] = a4 << 32;
-		case 4:
-			sa[0] |= a3;
-			MP_USED(&s) = a_used - 3;
-			MP_CHECKOK(mp_sub(r, &s, r));
-		}
-		sa[0] = 0;
-		switch (a_used) {
-		case 7:
-			sa[1] = a6 >> 32;
-			sa[0] = a6 << 32;
-		case 6:
-			sa[0] |= a5 >> 32;
-			MP_USED(&s) = a_used - 5;
-			MP_CHECKOK(mp_sub(r, &s, r));
-		}
-		/* there might be 1 or 2 bits left to reduce; use regular
-		 * reduction for this */
-		MP_CHECKOK(mp_mod(r, &meth->irr, r));
-	}
-#endif
-
-  CLEANUP:
-	return res;
-}
-
-/* Compute the square of polynomial a, reduce modulo p224. Store the
- * result in r.  r could be a.  Uses optimized modular reduction for p224. 
- */
-mp_err
-ec_GFp_nistp224_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
-{
-	mp_err res = MP_OKAY;
-
-	MP_CHECKOK(mp_sqr(a, r));
-	MP_CHECKOK(ec_GFp_nistp224_mod(r, r, meth));
-  CLEANUP:
-	return res;
-}
-
-/* Compute the product of two polynomials a and b, reduce modulo p224.
- * Store the result in r.  r could be a or b; a could be b.  Uses
- * optimized modular reduction for p224. */
-mp_err
-ec_GFp_nistp224_mul(const mp_int *a, const mp_int *b, mp_int *r,
-					const GFMethod *meth)
-{
-	mp_err res = MP_OKAY;
-
-	MP_CHECKOK(mp_mul(a, b, r));
-	MP_CHECKOK(ec_GFp_nistp224_mod(r, r, meth));
-  CLEANUP:
-	return res;
-}
-
-/* Wire in fast field arithmetic and precomputation of base point for
- * named curves. */
-mp_err
-ec_group_set_gfp224(ECGroup *group, ECCurveName name)
-{
-	if (name == ECCurve_NIST_P224) {
-		group->meth->field_mod = &ec_GFp_nistp224_mod;
-		group->meth->field_mul = &ec_GFp_nistp224_mul;
-		group->meth->field_sqr = &ec_GFp_nistp224_sqr;
-	}
-	return MP_OKAY;
-}
diff --git a/security/nss/lib/freebl/ecl/ecp_aff.c b/security/nss/lib/freebl/ecl/ecp_aff.c
deleted file mode 100644
index cda04ed22..000000000
--- a/security/nss/lib/freebl/ecl/ecp_aff.c
+++ /dev/null
@@ -1,357 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library for prime field curves.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Sheueling Chang-Shantz <sheueling.chang@sun.com>,
- *   Stephen Fung <fungstep@hotmail.com>, and
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories.
- *   Bodo Moeller <moeller@cdc.informatik.tu-darmstadt.de>,
- *   Nils Larsch <nla@trustcenter.de>, and
- *   Lenka Fibikova <fibikova@exp-math.uni-essen.de>, the OpenSSL Project
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "ecp.h"
-#include "mplogic.h"
-#include <stdlib.h>
-
-/* Checks if point P(px, py) is at infinity.  Uses affine coordinates. */
-mp_err
-ec_GFp_pt_is_inf_aff(const mp_int *px, const mp_int *py)
-{
-
-	if ((mp_cmp_z(px) == 0) && (mp_cmp_z(py) == 0)) {
-		return MP_YES;
-	} else {
-		return MP_NO;
-	}
-
-}
-
-/* Sets P(px, py) to be the point at infinity.  Uses affine coordinates. */
-mp_err
-ec_GFp_pt_set_inf_aff(mp_int *px, mp_int *py)
-{
-	mp_zero(px);
-	mp_zero(py);
-	return MP_OKAY;
-}
-
-/* Computes R = P + Q based on IEEE P1363 A.10.1. Elliptic curve points P, 
- * Q, and R can all be identical. Uses affine coordinates. Assumes input
- * is already field-encoded using field_enc, and returns output that is
- * still field-encoded. */
-mp_err
-ec_GFp_pt_add_aff(const mp_int *px, const mp_int *py, const mp_int *qx,
-				  const mp_int *qy, mp_int *rx, mp_int *ry,
-				  const ECGroup *group)
-{
-	mp_err res = MP_OKAY;
-	mp_int lambda, temp, tempx, tempy;
-
-	MP_DIGITS(&lambda) = 0;
-	MP_DIGITS(&temp) = 0;
-	MP_DIGITS(&tempx) = 0;
-	MP_DIGITS(&tempy) = 0;
-	MP_CHECKOK(mp_init(&lambda));
-	MP_CHECKOK(mp_init(&temp));
-	MP_CHECKOK(mp_init(&tempx));
-	MP_CHECKOK(mp_init(&tempy));
-	/* if P = inf, then R = Q */
-	if (ec_GFp_pt_is_inf_aff(px, py) == 0) {
-		MP_CHECKOK(mp_copy(qx, rx));
-		MP_CHECKOK(mp_copy(qy, ry));
-		res = MP_OKAY;
-		goto CLEANUP;
-	}
-	/* if Q = inf, then R = P */
-	if (ec_GFp_pt_is_inf_aff(qx, qy) == 0) {
-		MP_CHECKOK(mp_copy(px, rx));
-		MP_CHECKOK(mp_copy(py, ry));
-		res = MP_OKAY;
-		goto CLEANUP;
-	}
-	/* if px != qx, then lambda = (py-qy) / (px-qx) */
-	if (mp_cmp(px, qx) != 0) {
-		MP_CHECKOK(group->meth->field_sub(py, qy, &tempy, group->meth));
-		MP_CHECKOK(group->meth->field_sub(px, qx, &tempx, group->meth));
-		MP_CHECKOK(group->meth->
-				   field_div(&tempy, &tempx, &lambda, group->meth));
-	} else {
-		/* if py != qy or qy = 0, then R = inf */
-		if (((mp_cmp(py, qy) != 0)) || (mp_cmp_z(qy) == 0)) {
-			mp_zero(rx);
-			mp_zero(ry);
-			res = MP_OKAY;
-			goto CLEANUP;
-		}
-		/* lambda = (3qx^2+a) / (2qy) */
-		MP_CHECKOK(group->meth->field_sqr(qx, &tempx, group->meth));
-		MP_CHECKOK(mp_set_int(&temp, 3));
-		if (group->meth->field_enc) {
-			MP_CHECKOK(group->meth->field_enc(&temp, &temp, group->meth));
-		}
-		MP_CHECKOK(group->meth->
-				   field_mul(&tempx, &temp, &tempx, group->meth));
-		MP_CHECKOK(group->meth->
-				   field_add(&tempx, &group->curvea, &tempx, group->meth));
-		MP_CHECKOK(mp_set_int(&temp, 2));
-		if (group->meth->field_enc) {
-			MP_CHECKOK(group->meth->field_enc(&temp, &temp, group->meth));
-		}
-		MP_CHECKOK(group->meth->field_mul(qy, &temp, &tempy, group->meth));
-		MP_CHECKOK(group->meth->
-				   field_div(&tempx, &tempy, &lambda, group->meth));
-	}
-	/* rx = lambda^2 - px - qx */
-	MP_CHECKOK(group->meth->field_sqr(&lambda, &tempx, group->meth));
-	MP_CHECKOK(group->meth->field_sub(&tempx, px, &tempx, group->meth));
-	MP_CHECKOK(group->meth->field_sub(&tempx, qx, &tempx, group->meth));
-	/* ry = (x1-x2) * lambda - y1 */
-	MP_CHECKOK(group->meth->field_sub(qx, &tempx, &tempy, group->meth));
-	MP_CHECKOK(group->meth->
-			   field_mul(&tempy, &lambda, &tempy, group->meth));
-	MP_CHECKOK(group->meth->field_sub(&tempy, qy, &tempy, group->meth));
-	MP_CHECKOK(mp_copy(&tempx, rx));
-	MP_CHECKOK(mp_copy(&tempy, ry));
-
-  CLEANUP:
-	mp_clear(&lambda);
-	mp_clear(&temp);
-	mp_clear(&tempx);
-	mp_clear(&tempy);
-	return res;
-}
-
-/* Computes R = P - Q. Elliptic curve points P, Q, and R can all be
- * identical. Uses affine coordinates. Assumes input is already
- * field-encoded using field_enc, and returns output that is still
- * field-encoded. */
-mp_err
-ec_GFp_pt_sub_aff(const mp_int *px, const mp_int *py, const mp_int *qx,
-				  const mp_int *qy, mp_int *rx, mp_int *ry,
-				  const ECGroup *group)
-{
-	mp_err res = MP_OKAY;
-	mp_int nqy;
-
-	MP_DIGITS(&nqy) = 0;
-	MP_CHECKOK(mp_init(&nqy));
-	/* nqy = -qy */
-	MP_CHECKOK(group->meth->field_neg(qy, &nqy, group->meth));
-	res = group->point_add(px, py, qx, &nqy, rx, ry, group);
-  CLEANUP:
-	mp_clear(&nqy);
-	return res;
-}
-
-/* Computes R = 2P. Elliptic curve points P and R can be identical. Uses
- * affine coordinates. Assumes input is already field-encoded using
- * field_enc, and returns output that is still field-encoded. */
-mp_err
-ec_GFp_pt_dbl_aff(const mp_int *px, const mp_int *py, mp_int *rx,
-				  mp_int *ry, const ECGroup *group)
-{
-	return ec_GFp_pt_add_aff(px, py, px, py, rx, ry, group);
-}
-
-/* by default, this routine is unused and thus doesn't need to be compiled */
-#ifdef ECL_ENABLE_GFP_PT_MUL_AFF
-/* Computes R = nP based on IEEE P1363 A.10.3. Elliptic curve points P and 
- * R can be identical. Uses affine coordinates. Assumes input is already
- * field-encoded using field_enc, and returns output that is still
- * field-encoded. */
-mp_err
-ec_GFp_pt_mul_aff(const mp_int *n, const mp_int *px, const mp_int *py,
-				  mp_int *rx, mp_int *ry, const ECGroup *group)
-{
-	mp_err res = MP_OKAY;
-	mp_int k, k3, qx, qy, sx, sy;
-	int b1, b3, i, l;
-
-	MP_DIGITS(&k) = 0;
-	MP_DIGITS(&k3) = 0;
-	MP_DIGITS(&qx) = 0;
-	MP_DIGITS(&qy) = 0;
-	MP_DIGITS(&sx) = 0;
-	MP_DIGITS(&sy) = 0;
-	MP_CHECKOK(mp_init(&k));
-	MP_CHECKOK(mp_init(&k3));
-	MP_CHECKOK(mp_init(&qx));
-	MP_CHECKOK(mp_init(&qy));
-	MP_CHECKOK(mp_init(&sx));
-	MP_CHECKOK(mp_init(&sy));
-
-	/* if n = 0 then r = inf */
-	if (mp_cmp_z(n) == 0) {
-		mp_zero(rx);
-		mp_zero(ry);
-		res = MP_OKAY;
-		goto CLEANUP;
-	}
-	/* Q = P, k = n */
-	MP_CHECKOK(mp_copy(px, &qx));
-	MP_CHECKOK(mp_copy(py, &qy));
-	MP_CHECKOK(mp_copy(n, &k));
-	/* if n < 0 then Q = -Q, k = -k */
-	if (mp_cmp_z(n) < 0) {
-		MP_CHECKOK(group->meth->field_neg(&qy, &qy, group->meth));
-		MP_CHECKOK(mp_neg(&k, &k));
-	}
-#ifdef ECL_DEBUG				/* basic double and add method */
-	l = mpl_significant_bits(&k) - 1;
-	MP_CHECKOK(mp_copy(&qx, &sx));
-	MP_CHECKOK(mp_copy(&qy, &sy));
-	for (i = l - 1; i >= 0; i--) {
-		/* S = 2S */
-		MP_CHECKOK(group->point_dbl(&sx, &sy, &sx, &sy, group));
-		/* if k_i = 1, then S = S + Q */
-		if (mpl_get_bit(&k, i) != 0) {
-			MP_CHECKOK(group->
-					   point_add(&sx, &sy, &qx, &qy, &sx, &sy, group));
-		}
-	}
-#else							/* double and add/subtract method from
-								 * standard */
-	/* k3 = 3 * k */
-	MP_CHECKOK(mp_set_int(&k3, 3));
-	MP_CHECKOK(mp_mul(&k, &k3, &k3));
-	/* S = Q */
-	MP_CHECKOK(mp_copy(&qx, &sx));
-	MP_CHECKOK(mp_copy(&qy, &sy));
-	/* l = index of high order bit in binary representation of 3*k */
-	l = mpl_significant_bits(&k3) - 1;
-	/* for i = l-1 downto 1 */
-	for (i = l - 1; i >= 1; i--) {
-		/* S = 2S */
-		MP_CHECKOK(group->point_dbl(&sx, &sy, &sx, &sy, group));
-		b3 = MP_GET_BIT(&k3, i);
-		b1 = MP_GET_BIT(&k, i);
-		/* if k3_i = 1 and k_i = 0, then S = S + Q */
-		if ((b3 == 1) && (b1 == 0)) {
-			MP_CHECKOK(group->
-					   point_add(&sx, &sy, &qx, &qy, &sx, &sy, group));
-			/* if k3_i = 0 and k_i = 1, then S = S - Q */
-		} else if ((b3 == 0) && (b1 == 1)) {
-			MP_CHECKOK(group->
-					   point_sub(&sx, &sy, &qx, &qy, &sx, &sy, group));
-		}
-	}
-#endif
-	/* output S */
-	MP_CHECKOK(mp_copy(&sx, rx));
-	MP_CHECKOK(mp_copy(&sy, ry));
-
-  CLEANUP:
-	mp_clear(&k);
-	mp_clear(&k3);
-	mp_clear(&qx);
-	mp_clear(&qy);
-	mp_clear(&sx);
-	mp_clear(&sy);
-	return res;
-}
-#endif
-
-/* Validates a point on a GFp curve. */
-mp_err 
-ec_GFp_validate_point(const mp_int *px, const mp_int *py, const ECGroup *group)
-{
-	mp_err res = MP_NO;
-	mp_int accl, accr, tmp, pxt, pyt;
-
-	MP_DIGITS(&accl) = 0;
-	MP_DIGITS(&accr) = 0;
-	MP_DIGITS(&tmp) = 0;
-	MP_DIGITS(&pxt) = 0;
-	MP_DIGITS(&pyt) = 0;
-	MP_CHECKOK(mp_init(&accl));
-	MP_CHECKOK(mp_init(&accr));
-	MP_CHECKOK(mp_init(&tmp));
-	MP_CHECKOK(mp_init(&pxt));
-	MP_CHECKOK(mp_init(&pyt));
-
-    /* 1: Verify that publicValue is not the point at infinity */
-	if (ec_GFp_pt_is_inf_aff(px, py) == MP_YES) {
-		res = MP_NO;
-		goto CLEANUP;
-	}
-    /* 2: Verify that the coordinates of publicValue are elements 
-     *    of the field.
-     */
-	if ((MP_SIGN(px) == MP_NEG) || (mp_cmp(px, &group->meth->irr) >= 0) || 
-		(MP_SIGN(py) == MP_NEG) || (mp_cmp(py, &group->meth->irr) >= 0)) {
-		res = MP_NO;
-		goto CLEANUP;
-	}
-    /* 3: Verify that publicValue is on the curve. */
-	if (group->meth->field_enc) {
-		group->meth->field_enc(px, &pxt, group->meth);
-		group->meth->field_enc(py, &pyt, group->meth);
-	} else {
-		mp_copy(px, &pxt);
-		mp_copy(py, &pyt);
-	}
-	/* left-hand side: y^2  */
-	MP_CHECKOK( group->meth->field_sqr(&pyt, &accl, group->meth) );
-	/* right-hand side: x^3 + a*x + b */
-	MP_CHECKOK( group->meth->field_sqr(&pxt, &tmp, group->meth) );
-	MP_CHECKOK( group->meth->field_mul(&pxt, &tmp, &accr, group->meth) );
-	MP_CHECKOK( group->meth->field_mul(&group->curvea, &pxt, &tmp, group->meth) );
-	MP_CHECKOK( group->meth->field_add(&tmp, &accr, &accr, group->meth) );
-	MP_CHECKOK( group->meth->field_add(&accr, &group->curveb, &accr, group->meth) );
-	/* check LHS - RHS == 0 */
-	MP_CHECKOK( group->meth->field_sub(&accl, &accr, &accr, group->meth) );
-	if (mp_cmp_z(&accr) != 0) {
-		res = MP_NO;
-		goto CLEANUP;
-	}
-    /* 4: Verify that the order of the curve times the publicValue
-     *    is the point at infinity.
-     */
-	MP_CHECKOK( ECPoint_mul(group, &group->order, px, py, &pxt, &pyt) );
-	if (ec_GFp_pt_is_inf_aff(&pxt, &pyt) != MP_YES) {
-		res = MP_NO;
-		goto CLEANUP;
-	}
-
-	res = MP_YES;
-
-CLEANUP:
-	mp_clear(&accl);
-	mp_clear(&accr);
-	mp_clear(&tmp);
-	mp_clear(&pxt);
-	mp_clear(&pyt);
-	return res;
-}
diff --git a/security/nss/lib/freebl/ecl/ecp_fp.c b/security/nss/lib/freebl/ecl/ecp_fp.c
deleted file mode 100644
index 9dcb7b073..000000000
--- a/security/nss/lib/freebl/ecl/ecp_fp.c
+++ /dev/null
@@ -1,568 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library for prime field curves
- * using floating point operations.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Sheueling Chang-Shantz <sheueling.chang@sun.com>,
- *   Stephen Fung <fungstep@hotmail.com>, and
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "ecp_fp.h"
-#include "ecl-priv.h"
-#include <stdlib.h>
-
-/* Performs tidying on a short multi-precision floating point integer (the 
- * lower group->numDoubles floats). */
-void
-ecfp_tidyShort(double *t, const EC_group_fp * group)
-{
-	group->ecfp_tidy(t, group->alpha, group);
-}
-
-/* Performs tidying on only the upper float digits of a multi-precision
- * floating point integer, i.e. the digits beyond the regular length which 
- * are removed in the reduction step. */
-void
-ecfp_tidyUpper(double *t, const EC_group_fp * group)
-{
-	group->ecfp_tidy(t + group->numDoubles,
-					 group->alpha + group->numDoubles, group);
-}
-
-/* Performs a "tidy" operation, which performs carrying, moving excess
- * bits from one double to the next double, so that the precision of the
- * doubles is reduced to the regular precision group->doubleBitSize. This
- * might result in some float digits being negative. Alternative C version 
- * for portability. */
-void
-ecfp_tidy(double *t, const double *alpha, const EC_group_fp * group)
-{
-	double q;
-	int i;
-
-	/* Do carrying */
-	for (i = 0; i < group->numDoubles - 1; i++) {
-		q = t[i] + alpha[i + 1];
-		q -= alpha[i + 1];
-		t[i] -= q;
-		t[i + 1] += q;
-
-		/* If we don't assume that truncation rounding is used, then q
-		 * might be 2^n bigger than expected (if it rounds up), then t[0]
-		 * could be negative and t[1] 2^n larger than expected. */
-	}
-}
-
-/* Performs a more mathematically precise "tidying" so that each term is
- * positive.  This is slower than the regular tidying, and is used for
- * conversion from floating point to integer. */
-void
-ecfp_positiveTidy(double *t, const EC_group_fp * group)
-{
-	double q;
-	int i;
-
-	/* Do carrying */
-	for (i = 0; i < group->numDoubles - 1; i++) {
-		/* Subtract beta to force rounding down */
-		q = t[i] - ecfp_beta[i + 1];
-		q += group->alpha[i + 1];
-		q -= group->alpha[i + 1];
-		t[i] -= q;
-		t[i + 1] += q;
-
-		/* Due to subtracting ecfp_beta, we should have each term a
-		 * non-negative int */
-		ECFP_ASSERT(t[i] / ecfp_exp[i] ==
-					(unsigned long long) (t[i] / ecfp_exp[i]));
-		ECFP_ASSERT(t[i] >= 0);
-	}
-}
-
-/* Converts from a floating point representation into an mp_int. Expects
- * that d is already reduced. */
-void
-ecfp_fp2i(mp_int *mpout, double *d, const ECGroup *ecgroup)
-{
-	EC_group_fp *group = (EC_group_fp *) ecgroup->extra1;
-	unsigned short i16[(group->primeBitSize + 15) / 16];
-	double q = 1;
-
-#ifdef ECL_THIRTY_TWO_BIT
-	/* TEST uint32_t z = 0; */
-	unsigned int z = 0;
-#else
-	uint64_t z = 0;
-#endif
-	int zBits = 0;
-	int copiedBits = 0;
-	int i = 0;
-	int j = 0;
-
-	mp_digit *out;
-
-	/* Result should always be >= 0, so set sign accordingly */
-	MP_SIGN(mpout) = MP_ZPOS;
-
-	/* Tidy up so we're just dealing with positive numbers */
-	ecfp_positiveTidy(d, group);
-
-	/* We might need to do this reduction step more than once if the
-	 * reduction adds smaller terms which carry-over to cause another
-	 * reduction. However, this should happen very rarely, if ever,
-	 * depending on the elliptic curve. */
-	do {
-		/* Init loop data */
-		z = 0;
-		zBits = 0;
-		q = 1;
-		i = 0;
-		j = 0;
-		copiedBits = 0;
-
-		/* Might have to do a bit more reduction */
-		group->ecfp_singleReduce(d, group);
-
-		/* Grow the size of the mpint if it's too small */
-		s_mp_grow(mpout, group->numInts);
-		MP_USED(mpout) = group->numInts;
-		out = MP_DIGITS(mpout);
-
-		/* Convert double to 16 bit integers */
-		while (copiedBits < group->primeBitSize) {
-			if (zBits < 16) {
-				z += d[i] * q;
-				i++;
-				ECFP_ASSERT(i < (group->primeBitSize + 15) / 16);
-				zBits += group->doubleBitSize;
-			}
-			i16[j] = z;
-			j++;
-			z >>= 16;
-			zBits -= 16;
-			q *= ecfp_twom16;
-			copiedBits += 16;
-		}
-	} while (z != 0);
-
-	/* Convert 16 bit integers to mp_digit */
-#ifdef ECL_THIRTY_TWO_BIT
-	for (i = 0; i < (group->primeBitSize + 15) / 16; i += 2) {
-		*out = 0;
-		if (i + 1 < (group->primeBitSize + 15) / 16) {
-			*out = i16[i + 1];
-			*out <<= 16;
-		}
-		*out++ += i16[i];
-	}
-#else							/* 64 bit */
-	for (i = 0; i < (group->primeBitSize + 15) / 16; i += 4) {
-		*out = 0;
-		if (i + 3 < (group->primeBitSize + 15) / 16) {
-			*out = i16[i + 3];
-			*out <<= 16;
-		}
-		if (i + 2 < (group->primeBitSize + 15) / 16) {
-			*out += i16[i + 2];
-			*out <<= 16;
-		}
-		if (i + 1 < (group->primeBitSize + 15) / 16) {
-			*out += i16[i + 1];
-			*out <<= 16;
-		}
-		*out++ += i16[i];
-	}
-#endif
-
-	/* Perform final reduction.  mpout should already be the same number
-	 * of bits as p, but might not be less than p.  Make it so. Since
-	 * mpout has the same number of bits as p, and 2p has a larger bit
-	 * size, then mpout < 2p, so a single subtraction of p will suffice. */
-	if (mp_cmp(mpout, &ecgroup->meth->irr) >= 0) {
-		mp_sub(mpout, &ecgroup->meth->irr, mpout);
-	}
-
-	/* Shrink the size of the mp_int to the actual used size (required for 
-	 * mp_cmp_z == 0) */
-	out = MP_DIGITS(mpout);
-	for (i = group->numInts - 1; i > 0; i--) {
-		if (out[i] != 0)
-			break;
-	}
-	MP_USED(mpout) = i + 1;
-
-	/* Should be between 0 and p-1 */
-	ECFP_ASSERT(mp_cmp(mpout, &ecgroup->meth->irr) < 0);
-	ECFP_ASSERT(mp_cmp_z(mpout) >= 0);
-}
-
-/* Converts from an mpint into a floating point representation. */
-void
-ecfp_i2fp(double *out, const mp_int *x, const ECGroup *ecgroup)
-{
-	int i;
-	int j = 0;
-	int size;
-	double shift = 1;
-	mp_digit *in;
-	EC_group_fp *group = (EC_group_fp *) ecgroup->extra1;
-
-#ifdef ECL_DEBUG
-	/* if debug mode, convert result back using ecfp_fp2i into cmp, then
-	 * compare to x. */
-	mp_int cmp;
-
-	MP_DIGITS(&cmp) = NULL;
-	mp_init(&cmp);
-#endif
-
-	ECFP_ASSERT(group != NULL);
-
-	/* init output to 0 (since we skip over some terms) */
-	for (i = 0; i < group->numDoubles; i++)
-		out[i] = 0;
-	i = 0;
-
-	size = MP_USED(x);
-	in = MP_DIGITS(x);
-
-	/* Copy from int into doubles */
-#ifdef ECL_THIRTY_TWO_BIT
-	while (j < size) {
-		while (group->doubleBitSize * (i + 1) <= 32 * j) {
-			i++;
-		}
-		ECFP_ASSERT(group->doubleBitSize * i <= 32 * j);
-		out[i] = in[j];
-		out[i] *= shift;
-		shift *= ecfp_two32;
-		j++;
-	}
-#else
-	while (j < size) {
-		while (group->doubleBitSize * (i + 1) <= 64 * j) {
-			i++;
-		}
-		ECFP_ASSERT(group->doubleBitSize * i <= 64 * j);
-		out[i] = (in[j] & 0x00000000FFFFFFFF) * shift;
-
-		while (group->doubleBitSize * (i + 1) <= 64 * j + 32) {
-			i++;
-		}
-		ECFP_ASSERT(24 * i <= 64 * j + 32);
-		out[i] = (in[j] & 0xFFFFFFFF00000000) * shift;
-
-		shift *= ecfp_two64;
-		j++;
-	}
-#endif
-	/* Realign bits to match double boundaries */
-	ecfp_tidyShort(out, group);
-
-#ifdef ECL_DEBUG
-	/* Convert result back to mp_int, compare to original */
-	ecfp_fp2i(&cmp, out, ecgroup);
-	ECFP_ASSERT(mp_cmp(&cmp, x) == 0);
-	mp_clear(&cmp);
-#endif
-}
-
-/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters
- * a, b and p are the elliptic curve coefficients and the prime that
- * determines the field GFp.  Elliptic curve points P and R can be
- * identical.  Uses Jacobian coordinates. Uses 4-bit window method. */
-mp_err
-ec_GFp_point_mul_jac_4w_fp(const mp_int *n, const mp_int *px,
-						   const mp_int *py, mp_int *rx, mp_int *ry,
-						   const ECGroup *ecgroup)
-{
-	mp_err res = MP_OKAY;
-	ecfp_jac_pt precomp[16], r;
-	ecfp_aff_pt p;
-	EC_group_fp *group;
-
-	mp_int rz;
-	int i, ni, d;
-
-	ARGCHK(ecgroup != NULL, MP_BADARG);
-	ARGCHK((n != NULL) && (px != NULL) && (py != NULL), MP_BADARG);
-
-	group = (EC_group_fp *) ecgroup->extra1;
-	MP_DIGITS(&rz) = 0;
-	MP_CHECKOK(mp_init(&rz));
-
-	/* init p, da */
-	ecfp_i2fp(p.x, px, ecgroup);
-	ecfp_i2fp(p.y, py, ecgroup);
-	ecfp_i2fp(group->curvea, &ecgroup->curvea, ecgroup);
-
-	/* Do precomputation */
-	group->precompute_jac(precomp, &p, group);
-
-	/* Do main body of calculations */
-	d = (mpl_significant_bits(n) + 3) / 4;
-
-	/* R = inf */
-	for (i = 0; i < group->numDoubles; i++) {
-		r.z[i] = 0;
-	}
-
-	for (i = d - 1; i >= 0; i--) {
-		/* compute window ni */
-		ni = MP_GET_BIT(n, 4 * i + 3);
-		ni <<= 1;
-		ni |= MP_GET_BIT(n, 4 * i + 2);
-		ni <<= 1;
-		ni |= MP_GET_BIT(n, 4 * i + 1);
-		ni <<= 1;
-		ni |= MP_GET_BIT(n, 4 * i);
-
-		/* R = 2^4 * R */
-		group->pt_dbl_jac(&r, &r, group);
-		group->pt_dbl_jac(&r, &r, group);
-		group->pt_dbl_jac(&r, &r, group);
-		group->pt_dbl_jac(&r, &r, group);
-
-		/* R = R + (ni * P) */
-		group->pt_add_jac(&r, &precomp[ni], &r, group);
-	}
-
-	/* Convert back to integer */
-	ecfp_fp2i(rx, r.x, ecgroup);
-	ecfp_fp2i(ry, r.y, ecgroup);
-	ecfp_fp2i(&rz, r.z, ecgroup);
-
-	/* convert result S to affine coordinates */
-	MP_CHECKOK(ec_GFp_pt_jac2aff(rx, ry, &rz, rx, ry, ecgroup));
-
-  CLEANUP:
-	mp_clear(&rz);
-	return res;
-}
-
-/* Uses mixed Jacobian-affine coordinates to perform a point
- * multiplication: R = n * P, n scalar. Uses mixed Jacobian-affine
- * coordinates (Jacobian coordinates for doubles and affine coordinates
- * for additions; based on recommendation from Brown et al.). Not very
- * time efficient but quite space efficient, no precomputation needed.
- * group contains the elliptic curve coefficients and the prime that
- * determines the field GFp.  Elliptic curve points P and R can be
- * identical. Performs calculations in floating point number format, since 
- * this is faster than the integer operations on the ULTRASPARC III.
- * Uses left-to-right binary method (double & add) (algorithm 9) for
- * scalar-point multiplication from Brown, Hankerson, Lopez, Menezes.
- * Software Implementation of the NIST Elliptic Curves Over Prime Fields. */
-mp_err
-ec_GFp_pt_mul_jac_fp(const mp_int *n, const mp_int *px, const mp_int *py,
-					 mp_int *rx, mp_int *ry, const ECGroup *ecgroup)
-{
-	mp_err res;
-	mp_int sx, sy, sz;
-
-	ecfp_aff_pt p;
-	ecfp_jac_pt r;
-	EC_group_fp *group = (EC_group_fp *) ecgroup->extra1;
-
-	int i, l;
-
-	MP_DIGITS(&sx) = 0;
-	MP_DIGITS(&sy) = 0;
-	MP_DIGITS(&sz) = 0;
-	MP_CHECKOK(mp_init(&sx));
-	MP_CHECKOK(mp_init(&sy));
-	MP_CHECKOK(mp_init(&sz));
-
-	/* if n = 0 then r = inf */
-	if (mp_cmp_z(n) == 0) {
-		mp_zero(rx);
-		mp_zero(ry);
-		res = MP_OKAY;
-		goto CLEANUP;
-		/* if n < 0 then out of range error */
-	} else if (mp_cmp_z(n) < 0) {
-		res = MP_RANGE;
-		goto CLEANUP;
-	}
-
-	/* Convert from integer to floating point */
-	ecfp_i2fp(p.x, px, ecgroup);
-	ecfp_i2fp(p.y, py, ecgroup);
-	ecfp_i2fp(group->curvea, &(ecgroup->curvea), ecgroup);
-
-	/* Init r to point at infinity */
-	for (i = 0; i < group->numDoubles; i++) {
-		r.z[i] = 0;
-	}
-
-	/* double and add method */
-	l = mpl_significant_bits(n) - 1;
-
-	for (i = l; i >= 0; i--) {
-		/* R = 2R */
-		group->pt_dbl_jac(&r, &r, group);
-
-		/* if n_i = 1, then R = R + Q */
-		if (MP_GET_BIT(n, i) != 0) {
-			group->pt_add_jac_aff(&r, &p, &r, group);
-		}
-	}
-
-	/* Convert from floating point to integer */
-	ecfp_fp2i(&sx, r.x, ecgroup);
-	ecfp_fp2i(&sy, r.y, ecgroup);
-	ecfp_fp2i(&sz, r.z, ecgroup);
-
-	/* convert result R to affine coordinates */
-	MP_CHECKOK(ec_GFp_pt_jac2aff(&sx, &sy, &sz, rx, ry, ecgroup));
-
-  CLEANUP:
-	mp_clear(&sx);
-	mp_clear(&sy);
-	mp_clear(&sz);
-	return res;
-}
-
-/* Computes R = nP where R is (rx, ry) and P is the base point. Elliptic
- * curve points P and R can be identical. Uses mixed Modified-Jacobian
- * co-ordinates for doubling and Chudnovsky Jacobian coordinates for
- * additions. Uses 5-bit window NAF method (algorithm 11) for scalar-point 
- * multiplication from Brown, Hankerson, Lopez, Menezes. Software
- * Implementation of the NIST Elliptic Curves Over Prime Fields. */
-mp_err
-ec_GFp_point_mul_wNAF_fp(const mp_int *n, const mp_int *px,
-						 const mp_int *py, mp_int *rx, mp_int *ry,
-						 const ECGroup *ecgroup)
-{
-	mp_err res = MP_OKAY;
-	mp_int sx, sy, sz;
-	EC_group_fp *group = (EC_group_fp *) ecgroup->extra1;
-	ecfp_chud_pt precomp[16];
-
-	ecfp_aff_pt p;
-	ecfp_jm_pt r;
-
-	signed char naf[group->orderBitSize + 1];
-	int i;
-
-	MP_DIGITS(&sx) = 0;
-	MP_DIGITS(&sy) = 0;
-	MP_DIGITS(&sz) = 0;
-	MP_CHECKOK(mp_init(&sx));
-	MP_CHECKOK(mp_init(&sy));
-	MP_CHECKOK(mp_init(&sz));
-
-	/* if n = 0 then r = inf */
-	if (mp_cmp_z(n) == 0) {
-		mp_zero(rx);
-		mp_zero(ry);
-		res = MP_OKAY;
-		goto CLEANUP;
-		/* if n < 0 then out of range error */
-	} else if (mp_cmp_z(n) < 0) {
-		res = MP_RANGE;
-		goto CLEANUP;
-	}
-
-	/* Convert from integer to floating point */
-	ecfp_i2fp(p.x, px, ecgroup);
-	ecfp_i2fp(p.y, py, ecgroup);
-	ecfp_i2fp(group->curvea, &(ecgroup->curvea), ecgroup);
-
-	/* Perform precomputation */
-	group->precompute_chud(precomp, &p, group);
-
-	/* Compute 5NAF */
-	ec_compute_wNAF(naf, group->orderBitSize, n, 5);
-
-	/* Init R = pt at infinity */
-	for (i = 0; i < group->numDoubles; i++) {
-		r.z[i] = 0;
-	}
-
-	/* wNAF method */
-	for (i = group->orderBitSize; i >= 0; i--) {
-		/* R = 2R */
-		group->pt_dbl_jm(&r, &r, group);
-
-		if (naf[i] != 0) {
-			group->pt_add_jm_chud(&r, &precomp[(naf[i] + 15) / 2], &r,
-								  group);
-		}
-	}
-
-	/* Convert from floating point to integer */
-	ecfp_fp2i(&sx, r.x, ecgroup);
-	ecfp_fp2i(&sy, r.y, ecgroup);
-	ecfp_fp2i(&sz, r.z, ecgroup);
-
-	/* convert result R to affine coordinates */
-	MP_CHECKOK(ec_GFp_pt_jac2aff(&sx, &sy, &sz, rx, ry, ecgroup));
-
-  CLEANUP:
-	mp_clear(&sx);
-	mp_clear(&sy);
-	mp_clear(&sz);
-	return res;
-}
-
-/* Cleans up extra memory allocated in ECGroup for this implementation. */
-void
-ec_GFp_extra_free_fp(ECGroup *group)
-{
-	if (group->extra1 != NULL) {
-		free(group->extra1);
-		group->extra1 = NULL;
-	}
-}
-
-/* Tests what precision floating point arithmetic is set to. This should
- * be either a 53-bit mantissa (IEEE standard) or a 64-bit mantissa
- * (extended precision on x86) and sets it into the EC_group_fp. Returns
- * either 53 or 64 accordingly. */
-int
-ec_set_fp_precision(EC_group_fp * group)
-{
-	double a = 9007199254740992.0;	/* 2^53 */
-	double b = a + 1;
-
-	if (a == b) {
-		group->fpPrecision = 53;
-		group->alpha = ecfp_alpha_53;
-		return 53;
-	}
-	group->fpPrecision = 64;
-	group->alpha = ecfp_alpha_64;
-	return 64;
-}
diff --git a/security/nss/lib/freebl/ecl/ecp_fp.h b/security/nss/lib/freebl/ecl/ecp_fp.h
deleted file mode 100644
index 8eedeb4be..000000000
--- a/security/nss/lib/freebl/ecl/ecp_fp.h
+++ /dev/null
@@ -1,406 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library for prime field curves using floating point operations.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Stephen Fung <fungstep@hotmail.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef __ecp_fp_h_
-#define __ecp_fp_h_
-
-#include "mpi.h"
-#include "ecl.h"
-#include "ecp.h"
-
-#include <sys/types.h>
-#include "mpi-priv.h"
-
-#ifdef ECL_DEBUG
-#include <assert.h>
-#endif
-
-/* Largest number of doubles to store one reduced number in floating
- * point. Used for memory allocation on the stack. */
-#define ECFP_MAXDOUBLES 10
-
-/* For debugging purposes */
-#ifndef ECL_DEBUG
-#define ECFP_ASSERT(x)
-#else
-#define ECFP_ASSERT(x) assert(x)
-#endif
-
-/* ECFP_Ti = 2^(i*24) Define as preprocessor constants so we can use in
- * multiple static constants */
-#define ECFP_T0 1.0
-#define ECFP_T1 16777216.0
-#define ECFP_T2 281474976710656.0
-#define ECFP_T3 4722366482869645213696.0
-#define ECFP_T4 79228162514264337593543950336.0
-#define ECFP_T5 1329227995784915872903807060280344576.0
-#define ECFP_T6 22300745198530623141535718272648361505980416.0
-#define ECFP_T7 374144419156711147060143317175368453031918731001856.0
-#define ECFP_T8 6277101735386680763835789423207666416102355444464034512896.0
-#define ECFP_T9 105312291668557186697918027683670432318895095400549111254310977536.0
-#define ECFP_T10  1766847064778384329583297500742918515827483896875618958121606201292619776.0
-#define ECFP_T11 29642774844752946028434172162224104410437116074403984394101141506025761187823616.0
-#define ECFP_T12 497323236409786642155382248146820840100456150797347717440463976893159497012533375533056.0
-#define ECFP_T13  8343699359066055009355553539724812947666814540455674882605631280555545803830627148527195652096.0
-#define ECFP_T14 139984046386112763159840142535527767382602843577165595931249318810236991948760059086304843329475444736.0
-#define ECFP_T15 2348542582773833227889480596789337027375682548908319870707290971532209025114608443463698998384768703031934976.0
-#define ECFP_T16 39402006196394479212279040100143613805079739270465446667948293404245\
-721771497210611414266254884915640806627990306816.0
-#define ECFP_T17 66105596879024859895191530803277103982840468296428121928464879527440\
-5791236311345825189210439715284847591212025023358304256.0
-#define ECFP_T18 11090678776483259438313656736572334813745748301503266300681918322458\
-485231222502492159897624416558312389564843845614287315896631296.0
-#define ECFP_T19 18607071341967536398062689481932916079453218833595342343206149099024\
-36577570298683715049089827234727835552055312041415509848580169253519\
-36.0
-
-#define ECFP_TWO160 1461501637330902918203684832716283019655932542976.0
-#define ECFP_TWO192 6277101735386680763835789423207666416102355444464034512896.0
-#define ECFP_TWO224 26959946667150639794667015087019630673637144422540572481103610249216.0
-
-/* Multiplicative constants */
-static const double ecfp_two32 = 4294967296.0;
-static const double ecfp_two64 = 18446744073709551616.0;
-static const double ecfp_twom16 = .0000152587890625;
-static const double ecfp_twom128 =
-	.00000000000000000000000000000000000000293873587705571876992184134305561419454666389193021880377187926569604314863681793212890625;
-static const double ecfp_twom129 =
-	.000000000000000000000000000000000000001469367938527859384960920671527807097273331945965109401885939632848021574318408966064453125;
-static const double ecfp_twom160 =
-	.0000000000000000000000000000000000000000000000006842277657836020854119773355907793609766904013068924666782559979930620520927053718196475529111921787261962890625;
-static const double ecfp_twom192 =
-	.000000000000000000000000000000000000000000000000000000000159309191113245227702888039776771180559110455519261878607388585338616290151305816094308987472018268594098344692611135542392730712890625;
-static const double ecfp_twom224 =
-	.00000000000000000000000000000000000000000000000000000000000000000003709206150687421385731735261547639513367564778757791002453039058917581340095629358997312082723208437536338919136001159027049567384892725385725498199462890625;
-
-/* ecfp_exp[i] = 2^(i*ECFP_DSIZE) */
-static const double ecfp_exp[2 * ECFP_MAXDOUBLES] = {
-	ECFP_T0, ECFP_T1, ECFP_T2, ECFP_T3, ECFP_T4, ECFP_T5,
-	ECFP_T6, ECFP_T7, ECFP_T8, ECFP_T9, ECFP_T10, ECFP_T11,
-	ECFP_T12, ECFP_T13, ECFP_T14, ECFP_T15, ECFP_T16, ECFP_T17, ECFP_T18,
-	ECFP_T19
-};
-
-/* 1.1 * 2^52 Uses 2^52 to truncate, the .1 is an extra 2^51 to protect
- * the 2^52 bit, so that adding alphas to a negative number won't borrow
- * and empty the important 2^52 bit */
-#define ECFP_ALPHABASE_53 6755399441055744.0
-/* Special case: On some platforms, notably x86 Linux, there is an
- * extended-precision floating point representation with 64-bits of
- * precision in the mantissa.  These extra bits of precision require a
- * larger value of alpha to truncate, i.e. 1.1 * 2^63. */
-#define ECFP_ALPHABASE_64 13835058055282163712.0
-
-/* 
- * ecfp_alpha[i] = 1.5 * 2^(52 + i*ECFP_DSIZE) we add and subtract alpha
- * to truncate floating point numbers to a certain number of bits for
- * tidying */
-static const double ecfp_alpha_53[2 * ECFP_MAXDOUBLES] = {
-	ECFP_ALPHABASE_53 * ECFP_T0,
-	ECFP_ALPHABASE_53 * ECFP_T1,
-	ECFP_ALPHABASE_53 * ECFP_T2,
-	ECFP_ALPHABASE_53 * ECFP_T3,
-	ECFP_ALPHABASE_53 * ECFP_T4,
-	ECFP_ALPHABASE_53 * ECFP_T5,
-	ECFP_ALPHABASE_53 * ECFP_T6,
-	ECFP_ALPHABASE_53 * ECFP_T7,
-	ECFP_ALPHABASE_53 * ECFP_T8,
-	ECFP_ALPHABASE_53 * ECFP_T9,
-	ECFP_ALPHABASE_53 * ECFP_T10,
-	ECFP_ALPHABASE_53 * ECFP_T11,
-	ECFP_ALPHABASE_53 * ECFP_T12,
-	ECFP_ALPHABASE_53 * ECFP_T13,
-	ECFP_ALPHABASE_53 * ECFP_T14,
-	ECFP_ALPHABASE_53 * ECFP_T15,
-	ECFP_ALPHABASE_53 * ECFP_T16,
-	ECFP_ALPHABASE_53 * ECFP_T17,
-	ECFP_ALPHABASE_53 * ECFP_T18,
-	ECFP_ALPHABASE_53 * ECFP_T19
-};
-
-/* 
- * ecfp_alpha[i] = 1.5 * 2^(63 + i*ECFP_DSIZE) we add and subtract alpha
- * to truncate floating point numbers to a certain number of bits for
- * tidying */
-static const double ecfp_alpha_64[2 * ECFP_MAXDOUBLES] = {
-	ECFP_ALPHABASE_64 * ECFP_T0,
-	ECFP_ALPHABASE_64 * ECFP_T1,
-	ECFP_ALPHABASE_64 * ECFP_T2,
-	ECFP_ALPHABASE_64 * ECFP_T3,
-	ECFP_ALPHABASE_64 * ECFP_T4,
-	ECFP_ALPHABASE_64 * ECFP_T5,
-	ECFP_ALPHABASE_64 * ECFP_T6,
-	ECFP_ALPHABASE_64 * ECFP_T7,
-	ECFP_ALPHABASE_64 * ECFP_T8,
-	ECFP_ALPHABASE_64 * ECFP_T9,
-	ECFP_ALPHABASE_64 * ECFP_T10,
-	ECFP_ALPHABASE_64 * ECFP_T11,
-	ECFP_ALPHABASE_64 * ECFP_T12,
-	ECFP_ALPHABASE_64 * ECFP_T13,
-	ECFP_ALPHABASE_64 * ECFP_T14,
-	ECFP_ALPHABASE_64 * ECFP_T15,
-	ECFP_ALPHABASE_64 * ECFP_T16,
-	ECFP_ALPHABASE_64 * ECFP_T17,
-	ECFP_ALPHABASE_64 * ECFP_T18,
-	ECFP_ALPHABASE_64 * ECFP_T19
-};
-
-/* 0.011111111111111111111111 (binary) = 0.5 - 2^25 (24 ones) */
-#define ECFP_BETABASE 0.4999999701976776123046875
-
-/* 
- * We subtract beta prior to using alpha to simulate rounding down. We
- * make this close to 0.5 to round almost everything down, but exactly 0.5 
- * would cause some incorrect rounding. */
-static const double ecfp_beta[2 * ECFP_MAXDOUBLES] = {
-	ECFP_BETABASE * ECFP_T0,
-	ECFP_BETABASE * ECFP_T1,
-	ECFP_BETABASE * ECFP_T2,
-	ECFP_BETABASE * ECFP_T3,
-	ECFP_BETABASE * ECFP_T4,
-	ECFP_BETABASE * ECFP_T5,
-	ECFP_BETABASE * ECFP_T6,
-	ECFP_BETABASE * ECFP_T7,
-	ECFP_BETABASE * ECFP_T8,
-	ECFP_BETABASE * ECFP_T9,
-	ECFP_BETABASE * ECFP_T10,
-	ECFP_BETABASE * ECFP_T11,
-	ECFP_BETABASE * ECFP_T12,
-	ECFP_BETABASE * ECFP_T13,
-	ECFP_BETABASE * ECFP_T14,
-	ECFP_BETABASE * ECFP_T15,
-	ECFP_BETABASE * ECFP_T16,
-	ECFP_BETABASE * ECFP_T17,
-	ECFP_BETABASE * ECFP_T18,
-	ECFP_BETABASE * ECFP_T19
-};
-
-static const double ecfp_beta_160 = ECFP_BETABASE * ECFP_TWO160;
-static const double ecfp_beta_192 = ECFP_BETABASE * ECFP_TWO192;
-static const double ecfp_beta_224 = ECFP_BETABASE * ECFP_TWO224;
-
-/* Affine EC Point. This is the basic representation (x, y) of an elliptic 
- * curve point. */
-typedef struct {
-	double x[ECFP_MAXDOUBLES];
-	double y[ECFP_MAXDOUBLES];
-} ecfp_aff_pt;
-
-/* Jacobian EC Point. This coordinate system uses X = x/z^2, Y = y/z^3,
- * which enables calculations with fewer inversions than affine
- * coordinates. */
-typedef struct {
-	double x[ECFP_MAXDOUBLES];
-	double y[ECFP_MAXDOUBLES];
-	double z[ECFP_MAXDOUBLES];
-} ecfp_jac_pt;
-
-/* Chudnovsky Jacobian EC Point. This coordinate system is the same as
- * Jacobian, except it keeps z^2, z^3 for faster additions. */
-typedef struct {
-	double x[ECFP_MAXDOUBLES];
-	double y[ECFP_MAXDOUBLES];
-	double z[ECFP_MAXDOUBLES];
-	double z2[ECFP_MAXDOUBLES];
-	double z3[ECFP_MAXDOUBLES];
-} ecfp_chud_pt;
-
-/* Modified Jacobian EC Point. This coordinate system is the same as
- * Jacobian, except it keeps a*z^4 for faster doublings. */
-typedef struct {
-	double x[ECFP_MAXDOUBLES];
-	double y[ECFP_MAXDOUBLES];
-	double z[ECFP_MAXDOUBLES];
-	double az4[ECFP_MAXDOUBLES];
-} ecfp_jm_pt;
-
-struct EC_group_fp_str;
-
-typedef struct EC_group_fp_str EC_group_fp;
-struct EC_group_fp_str {
-	int fpPrecision;			/* Set to number of bits in mantissa, 53
-								 * or 64 */
-	int numDoubles;
-	int primeBitSize;
-	int orderBitSize;
-	int doubleBitSize;
-	int numInts;
-	int aIsM3;					/* True if curvea == -3 (mod p), then we
-								 * can optimize doubling */
-	double curvea[ECFP_MAXDOUBLES];
-	/* Used to truncate a double to the number of bits in the curve */
-	double bitSize_alpha;
-	/* Pointer to either ecfp_alpha_53 or ecfp_alpha_64 */
-	const double *alpha;
-
-	void (*ecfp_singleReduce) (double *r, const EC_group_fp * group);
-	void (*ecfp_reduce) (double *r, double *x, const EC_group_fp * group);
-	/* Performs a "tidy" operation, which performs carrying, moving excess 
-	 * bits from one double to the next double, so that the precision of
-	 * the doubles is reduced to the regular precision ECFP_DSIZE. This
-	 * might result in some float digits being negative. */
-	void (*ecfp_tidy) (double *t, const double *alpha,
-					   const EC_group_fp * group);
-	/* Perform a point addition using coordinate system Jacobian + Affine
-	 * -> Jacobian. Input and output should be multi-precision floating
-	 * point integers. */
-	void (*pt_add_jac_aff) (const ecfp_jac_pt * p, const ecfp_aff_pt * q,
-							ecfp_jac_pt * r, const EC_group_fp * group);
-	/* Perform a point doubling in Jacobian coordinates. Input and output
-	 * should be multi-precision floating point integers. */
-	void (*pt_dbl_jac) (const ecfp_jac_pt * dp, ecfp_jac_pt * dr,
-						const EC_group_fp * group);
-	/* Perform a point addition using Jacobian coordinate system. Input
-	 * and output should be multi-precision floating point integers. */
-	void (*pt_add_jac) (const ecfp_jac_pt * p, const ecfp_jac_pt * q,
-						ecfp_jac_pt * r, const EC_group_fp * group);
-	/* Perform a point doubling in Modified Jacobian coordinates. Input
-	 * and output should be multi-precision floating point integers. */
-	void (*pt_dbl_jm) (const ecfp_jm_pt * p, ecfp_jm_pt * r,
-					   const EC_group_fp * group);
-	/* Perform a point doubling using coordinates Affine -> Chudnovsky
-	 * Jacobian. Input and output should be multi-precision floating point 
-	 * integers. */
-	void (*pt_dbl_aff2chud) (const ecfp_aff_pt * p, ecfp_chud_pt * r,
-							 const EC_group_fp * group);
-	/* Perform a point addition using coordinates: Modified Jacobian +
-	 * Chudnovsky Jacobian -> Modified Jacobian. Input and output should
-	 * be multi-precision floating point integers. */
-	void (*pt_add_jm_chud) (ecfp_jm_pt * p, ecfp_chud_pt * q,
-							ecfp_jm_pt * r, const EC_group_fp * group);
-	/* Perform a point addition using Chudnovsky Jacobian coordinates.
-	 * Input and output should be multi-precision floating point integers. 
-	 */
-	void (*pt_add_chud) (const ecfp_chud_pt * p, const ecfp_chud_pt * q,
-						 ecfp_chud_pt * r, const EC_group_fp * group);
-	/* Expects out to be an array of size 16 of Chudnovsky Jacobian
-	 * points. Fills in Chudnovsky Jacobian form (x, y, z, z^2, z^3), for
-	 * -15P, -13P, -11P, -9P, -7P, -5P, -3P, -P, P, 3P, 5P, 7P, 9P, 11P,
-	 * 13P, 15P */
-	void (*precompute_chud) (ecfp_chud_pt * out, const ecfp_aff_pt * p,
-							 const EC_group_fp * group);
-	/* Expects out to be an array of size 16 of Jacobian points. Fills in
-	 * Chudnovsky Jacobian form (x, y, z), for O, P, 2P, ... 15P */
-	void (*precompute_jac) (ecfp_jac_pt * out, const ecfp_aff_pt * p,
-							const EC_group_fp * group);
-
-};
-
-/* Computes r = x*y.
- * r must be different (point to different memory) than x and y.
- * Does not tidy or reduce. */
-void ecfp_multiply(double *r, const double *x, const double *y);
-
-/* Performs a "tidy" operation, which performs carrying, moving excess
- * bits from one double to the next double, so that the precision of the
- * doubles is reduced to the regular precision group->doubleBitSize. This
- * might result in some float digits being negative. */
-void ecfp_tidy(double *t, const double *alpha, const EC_group_fp * group);
-
-/* Performs tidying on only the upper float digits of a multi-precision
- * floating point integer, i.e. the digits beyond the regular length which 
- * are removed in the reduction step. */
-void ecfp_tidyUpper(double *t, const EC_group_fp * group);
-
-/* Performs tidying on a short multi-precision floating point integer (the 
- * lower group->numDoubles floats). */
-void ecfp_tidyShort(double *t, const EC_group_fp * group);
-
-/* Performs a more mathematically precise "tidying" so that each term is
- * positive.  This is slower than the regular tidying, and is used for
- * conversion from floating point to integer. */
-void ecfp_positiveTidy(double *t, const EC_group_fp * group);
-
-/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters
- * a, b and p are the elliptic curve coefficients and the prime that
- * determines the field GFp.  Elliptic curve points P and R can be
- * identical.  Uses mixed Jacobian-affine coordinates. Uses 4-bit window
- * method. */
-mp_err
- ec_GFp_point_mul_jac_4w_fp(const mp_int *n, const mp_int *px,
-							const mp_int *py, mp_int *rx, mp_int *ry,
-							const ECGroup *ecgroup);
-
-/* Computes R = nP where R is (rx, ry) and P is the base point. The
- * parameters a, b and p are the elliptic curve coefficients and the prime 
- * that determines the field GFp.  Elliptic curve points P and R can be
- * identical.  Uses mixed Jacobian-affine coordinates (Jacobian
- * coordinates for doubles and affine coordinates for additions; based on
- * recommendation from Brown et al.). Uses window NAF method (algorithm
- * 11) for scalar-point multiplication from Brown, Hankerson, Lopez,
- * Menezes. Software Implementation of the NIST Elliptic Curves Over Prime
- * Fields. */
-mp_err ec_GFp_point_mul_wNAF_fp(const mp_int *n, const mp_int *px,
-								const mp_int *py, mp_int *rx, mp_int *ry,
-								const ECGroup *ecgroup);
-
-/* Uses mixed Jacobian-affine coordinates to perform a point
- * multiplication: R = n * P, n scalar. Uses mixed Jacobian-affine
- * coordinates (Jacobian coordinates for doubles and affine coordinates
- * for additions; based on recommendation from Brown et al.). Not very
- * time efficient but quite space efficient, no precomputation needed.
- * group contains the elliptic curve coefficients and the prime that
- * determines the field GFp.  Elliptic curve points P and R can be
- * identical. Performs calculations in floating point number format, since 
- * this is faster than the integer operations on the ULTRASPARC III.
- * Uses left-to-right binary method (double & add) (algorithm 9) for
- * scalar-point multiplication from Brown, Hankerson, Lopez, Menezes.
- * Software Implementation of the NIST Elliptic Curves Over Prime Fields. */
-mp_err
- ec_GFp_pt_mul_jac_fp(const mp_int *n, const mp_int *px, const mp_int *py,
-					  mp_int *rx, mp_int *ry, const ECGroup *ecgroup);
-
-/* Cleans up extra memory allocated in ECGroup for this implementation. */
-void ec_GFp_extra_free_fp(ECGroup *group);
-
-/* Converts from a floating point representation into an mp_int. Expects
- * that d is already reduced. */
-void
- ecfp_fp2i(mp_int *mpout, double *d, const ECGroup *ecgroup);
-
-/* Converts from an mpint into a floating point representation. */
-void
- ecfp_i2fp(double *out, const mp_int *x, const ECGroup *ecgroup);
-
-/* Tests what precision floating point arithmetic is set to. This should
- * be either a 53-bit mantissa (IEEE standard) or a 64-bit mantissa
- * (extended precision on x86) and sets it into the EC_group_fp. Returns
- * either 53 or 64 accordingly. */
-int ec_set_fp_precision(EC_group_fp * group);
-
-#endif
diff --git a/security/nss/lib/freebl/ecl/ecp_fp160.c b/security/nss/lib/freebl/ecl/ecp_fp160.c
deleted file mode 100644
index 8721579f2..000000000
--- a/security/nss/lib/freebl/ecl/ecp_fp160.c
+++ /dev/null
@@ -1,179 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library for prime field curves using floating point operations.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Stephen Fung <fungstep@hotmail.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "ecp_fp.h"
-#include <stdlib.h>
-
-#define ECFP_BSIZE 160
-#define ECFP_NUMDOUBLES 7
-
-#include "ecp_fpinc.c"
-
-/* Performs a single step of reduction, just on the uppermost float
- * (assumes already tidied), and then retidies. Note, this does not
- * guarantee that the result will be less than p, but truncates the number 
- * of bits. */
-void
-ecfp160_singleReduce(double *d, const EC_group_fp * group)
-{
-	double q;
-
-	ECFP_ASSERT(group->doubleBitSize == 24);
-	ECFP_ASSERT(group->primeBitSize == 160);
-	ECFP_ASSERT(ECFP_NUMDOUBLES == 7);
-
-	q = d[ECFP_NUMDOUBLES - 1] - ecfp_beta_160;
-	q += group->bitSize_alpha;
-	q -= group->bitSize_alpha;
-
-	d[ECFP_NUMDOUBLES - 1] -= q;
-	d[0] += q * ecfp_twom160;
-	d[1] += q * ecfp_twom129;
-	ecfp_positiveTidy(d, group);
-
-	/* Assertions for the highest order term */
-	ECFP_ASSERT(d[ECFP_NUMDOUBLES - 1] / ecfp_exp[ECFP_NUMDOUBLES - 1] ==
-				(unsigned long long) (d[ECFP_NUMDOUBLES - 1] /
-									  ecfp_exp[ECFP_NUMDOUBLES - 1]));
-	ECFP_ASSERT(d[ECFP_NUMDOUBLES - 1] >= 0);
-}
-
-/* Performs imperfect reduction.  This might leave some negative terms,
- * and one more reduction might be required for the result to be between 0 
- * and p-1. x should not already be reduced, i.e. should have
- * 2*ECFP_NUMDOUBLES significant terms. x and r can be the same, but then
- * the upper parts of r are not zeroed */
-void
-ecfp160_reduce(double *r, double *x, const EC_group_fp * group)
-{
-
-	double x7, x8, q;
-
-	ECFP_ASSERT(group->doubleBitSize == 24);
-	ECFP_ASSERT(group->primeBitSize == 160);
-	ECFP_ASSERT(ECFP_NUMDOUBLES == 7);
-
-	/* Tidy just the upper bits, the lower bits can wait. */
-	ecfp_tidyUpper(x, group);
-
-	/* Assume that this is already tidied so that we have enough extra
-	 * bits */
-	x7 = x[7] + x[13] * ecfp_twom129;	/* adds bits 15-39 */
-
-	/* Tidy x7, or we won't have enough bits later to add it in */
-	q = x7 + group->alpha[8];
-	q -= group->alpha[8];
-	x7 -= q;					/* holds bits 0-24 */
-	x8 = x[8] + q;				/* holds bits 0-25 */
-
-	r[6] = x[6] + x[13] * ecfp_twom160 + x[12] * ecfp_twom129;	/* adds
-																 * bits
-																 * 8-39 */
-	r[5] = x[5] + x[12] * ecfp_twom160 + x[11] * ecfp_twom129;
-	r[4] = x[4] + x[11] * ecfp_twom160 + x[10] * ecfp_twom129;
-	r[3] = x[3] + x[10] * ecfp_twom160 + x[9] * ecfp_twom129;
-	r[2] = x[2] + x[9] * ecfp_twom160 + x8 * ecfp_twom129;	/* adds bits
-															 * 8-40 */
-	r[1] = x[1] + x8 * ecfp_twom160 + x7 * ecfp_twom129;	/* adds bits
-															 * 8-39 */
-	r[0] = x[0] + x7 * ecfp_twom160;
-
-	/* Tidy up just r[ECFP_NUMDOUBLES-2] so that the number of reductions
-	 * is accurate plus or minus one.  (Rather than tidy all to make it
-	 * totally accurate, which is more costly.) */
-	q = r[ECFP_NUMDOUBLES - 2] + group->alpha[ECFP_NUMDOUBLES - 1];
-	q -= group->alpha[ECFP_NUMDOUBLES - 1];
-	r[ECFP_NUMDOUBLES - 2] -= q;
-	r[ECFP_NUMDOUBLES - 1] += q;
-
-	/* Tidy up the excess bits on r[ECFP_NUMDOUBLES-1] using reduction */
-	/* Use ecfp_beta so we get a positive result */
-	q = r[ECFP_NUMDOUBLES - 1] - ecfp_beta_160;
-	q += group->bitSize_alpha;
-	q -= group->bitSize_alpha;
-
-	r[ECFP_NUMDOUBLES - 1] -= q;
-	r[0] += q * ecfp_twom160;
-	r[1] += q * ecfp_twom129;
-
-	/* Tidy the result */
-	ecfp_tidyShort(r, group);
-}
-
-/* Sets group to use optimized calculations in this file */
-mp_err
-ec_group_set_secp160r1_fp(ECGroup *group)
-{
-
-	EC_group_fp *fpg = NULL;
-
-	/* Allocate memory for floating point group data */
-	fpg = (EC_group_fp *) malloc(sizeof(EC_group_fp));
-	if (fpg == NULL) {
-		return MP_MEM;
-	}
-
-	fpg->numDoubles = ECFP_NUMDOUBLES;
-	fpg->primeBitSize = ECFP_BSIZE;
-	fpg->orderBitSize = 161;
-	fpg->doubleBitSize = 24;
-	fpg->numInts = (ECFP_BSIZE + ECL_BITS - 1) / ECL_BITS;
-	fpg->aIsM3 = 1;
-	fpg->ecfp_singleReduce = &ecfp160_singleReduce;
-	fpg->ecfp_reduce = &ecfp160_reduce;
-	fpg->ecfp_tidy = &ecfp_tidy;
-
-	fpg->pt_add_jac_aff = &ecfp160_pt_add_jac_aff;
-	fpg->pt_add_jac = &ecfp160_pt_add_jac;
-	fpg->pt_add_jm_chud = &ecfp160_pt_add_jm_chud;
-	fpg->pt_add_chud = &ecfp160_pt_add_chud;
-	fpg->pt_dbl_jac = &ecfp160_pt_dbl_jac;
-	fpg->pt_dbl_jm = &ecfp160_pt_dbl_jm;
-	fpg->pt_dbl_aff2chud = &ecfp160_pt_dbl_aff2chud;
-	fpg->precompute_chud = &ecfp160_precompute_chud;
-	fpg->precompute_jac = &ecfp160_precompute_jac;
-
-	group->point_mul = &ec_GFp_point_mul_wNAF_fp;
-	group->points_mul = &ec_pts_mul_basic;
-	group->extra1 = fpg;
-	group->extra_free = &ec_GFp_extra_free_fp;
-
-	ec_set_fp_precision(fpg);
-	fpg->bitSize_alpha = ECFP_TWO160 * fpg->alpha[0];
-	return MP_OKAY;
-}
diff --git a/security/nss/lib/freebl/ecl/ecp_fp192.c b/security/nss/lib/freebl/ecl/ecp_fp192.c
deleted file mode 100644
index b5ee533e0..000000000
--- a/security/nss/lib/freebl/ecl/ecp_fp192.c
+++ /dev/null
@@ -1,177 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library for prime field curves using floating point operations.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Stephen Fung <fungstep@hotmail.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "ecp_fp.h"
-#include <stdlib.h>
-
-#define ECFP_BSIZE 192
-#define ECFP_NUMDOUBLES 8
-
-#include "ecp_fpinc.c"
-
-/* Performs a single step of reduction, just on the uppermost float
- * (assumes already tidied), and then retidies. Note, this does not
- * guarantee that the result will be less than p. */
-void
-ecfp192_singleReduce(double *d, const EC_group_fp * group)
-{
-	double q;
-
-	ECFP_ASSERT(group->doubleBitSize == 24);
-	ECFP_ASSERT(group->primeBitSize == 192);
-	ECFP_ASSERT(group->numDoubles == 8);
-
-	q = d[ECFP_NUMDOUBLES - 1] - ecfp_beta_192;
-	q += group->bitSize_alpha;
-	q -= group->bitSize_alpha;
-
-	d[ECFP_NUMDOUBLES - 1] -= q;
-	d[0] += q * ecfp_twom192;
-	d[2] += q * ecfp_twom128;
-	ecfp_positiveTidy(d, group);
-}
-
-/* 
- * Performs imperfect reduction.  This might leave some negative terms,
- * and one more reduction might be required for the result to be between 0 
- * and p-1. x should be be an array of at least 16, and r at least 8 x and 
- * r can be the same, but then the upper parts of r are not zeroed */
-void
-ecfp_reduce_192(double *r, double *x, const EC_group_fp * group)
-{
-	double x8, x9, x10, q;
-
-	ECFP_ASSERT(group->doubleBitSize == 24);
-	ECFP_ASSERT(group->primeBitSize == 192);
-	ECFP_ASSERT(group->numDoubles == 8);
-
-	/* Tidy just the upper portion, the lower part can wait */
-	ecfp_tidyUpper(x, group);
-
-	x8 = x[8] + x[14] * ecfp_twom128;	/* adds bits 16-40 */
-	x9 = x[9] + x[15] * ecfp_twom128;	/* adds bits 16-40 */
-
-	/* Tidy up, or we won't have enough bits later to add it in */
-
-	q = x8 + group->alpha[9];
-	q -= group->alpha[9];
-	x8 -= q;
-	x9 += q;
-
-	q = x9 + group->alpha[10];
-	q -= group->alpha[10];
-	x9 -= q;
-	x10 = x[10] + q;
-
-	r[7] = x[7] + x[15] * ecfp_twom192 + x[13] * ecfp_twom128;	/* adds
-																 * bits
-																 * 0-40 */
-	r[6] = x[6] + x[14] * ecfp_twom192 + x[12] * ecfp_twom128;
-	r[5] = x[5] + x[13] * ecfp_twom192 + x[11] * ecfp_twom128;
-	r[4] = x[4] + x[12] * ecfp_twom192 + x10 * ecfp_twom128;
-	r[3] = x[3] + x[11] * ecfp_twom192 + x9 * ecfp_twom128;	/* adds bits
-															 * 0-40 */
-	r[2] = x[2] + x10 * ecfp_twom192 + x8 * ecfp_twom128;
-	r[1] = x[1] + x9 * ecfp_twom192;	/* adds bits 16-40 */
-	r[0] = x[0] + x8 * ecfp_twom192;
-
-	/* 
-	 * Tidy up just r[group->numDoubles-2] so that the number of
-	 * reductions is accurate plus or minus one.  (Rather than tidy all to 
-	 * make it totally accurate) */
-	q = r[ECFP_NUMDOUBLES - 2] + group->alpha[ECFP_NUMDOUBLES - 1];
-	q -= group->alpha[ECFP_NUMDOUBLES - 1];
-	r[ECFP_NUMDOUBLES - 2] -= q;
-	r[ECFP_NUMDOUBLES - 1] += q;
-
-	/* Tidy up the excess bits on r[group->numDoubles-1] using reduction */
-	/* Use ecfp_beta so we get a positive res */
-	q = r[ECFP_NUMDOUBLES - 1] - ecfp_beta_192;
-	q += group->bitSize_alpha;
-	q -= group->bitSize_alpha;
-
-	r[ECFP_NUMDOUBLES - 1] -= q;
-	r[0] += q * ecfp_twom192;
-	r[2] += q * ecfp_twom128;
-
-	/* Tidy the result */
-	ecfp_tidyShort(r, group);
-}
-
-/* Sets group to use optimized calculations in this file */
-mp_err
-ec_group_set_nistp192_fp(ECGroup *group)
-{
-	EC_group_fp *fpg;
-
-	/* Allocate memory for floating point group data */
-	fpg = (EC_group_fp *) malloc(sizeof(EC_group_fp));
-	if (fpg == NULL) {
-		return MP_MEM;
-	}
-
-	fpg->numDoubles = ECFP_NUMDOUBLES;
-	fpg->primeBitSize = ECFP_BSIZE;
-	fpg->orderBitSize = 192;
-	fpg->doubleBitSize = 24;
-	fpg->numInts = (ECFP_BSIZE + ECL_BITS - 1) / ECL_BITS;
-	fpg->aIsM3 = 1;
-	fpg->ecfp_singleReduce = &ecfp192_singleReduce;
-	fpg->ecfp_reduce = &ecfp_reduce_192;
-	fpg->ecfp_tidy = &ecfp_tidy;
-
-	fpg->pt_add_jac_aff = &ecfp192_pt_add_jac_aff;
-	fpg->pt_add_jac = &ecfp192_pt_add_jac;
-	fpg->pt_add_jm_chud = &ecfp192_pt_add_jm_chud;
-	fpg->pt_add_chud = &ecfp192_pt_add_chud;
-	fpg->pt_dbl_jac = &ecfp192_pt_dbl_jac;
-	fpg->pt_dbl_jm = &ecfp192_pt_dbl_jm;
-	fpg->pt_dbl_aff2chud = &ecfp192_pt_dbl_aff2chud;
-	fpg->precompute_chud = &ecfp192_precompute_chud;
-	fpg->precompute_jac = &ecfp192_precompute_jac;
-
-	group->point_mul = &ec_GFp_point_mul_wNAF_fp;
-	group->points_mul = &ec_pts_mul_basic;
-	group->extra1 = fpg;
-	group->extra_free = &ec_GFp_extra_free_fp;
-
-	ec_set_fp_precision(fpg);
-	fpg->bitSize_alpha = ECFP_TWO192 * fpg->alpha[0];
-
-	return MP_OKAY;
-}
diff --git a/security/nss/lib/freebl/ecl/ecp_fp224.c b/security/nss/lib/freebl/ecl/ecp_fp224.c
deleted file mode 100644
index e1ee536cc..000000000
--- a/security/nss/lib/freebl/ecl/ecp_fp224.c
+++ /dev/null
@@ -1,190 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library for prime field curves using floating point operations.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Stephen Fung <fungstep@hotmail.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "ecp_fp.h"
-#include <stdlib.h>
-
-#define ECFP_BSIZE 224
-#define ECFP_NUMDOUBLES 10
-
-#include "ecp_fpinc.c"
-
-/* Performs a single step of reduction, just on the uppermost float
- * (assumes already tidied), and then retidies. Note, this does not
- * guarantee that the result will be less than p. */
-void
-ecfp224_singleReduce(double *r, const EC_group_fp * group)
-{
-	double q;
-
-	ECFP_ASSERT(group->doubleBitSize == 24);
-	ECFP_ASSERT(group->primeBitSize == 224);
-	ECFP_ASSERT(group->numDoubles == 10);
-
-	q = r[ECFP_NUMDOUBLES - 1] - ecfp_beta_224;
-	q += group->bitSize_alpha;
-	q -= group->bitSize_alpha;
-
-	r[ECFP_NUMDOUBLES - 1] -= q;
-	r[0] -= q * ecfp_twom224;
-	r[4] += q * ecfp_twom128;
-
-	ecfp_positiveTidy(r, group);
-}
-
-/* 
- * Performs imperfect reduction.  This might leave some negative terms,
- * and one more reduction might be required for the result to be between 0 
- * and p-1. x should be be an array of at least 20, and r at least 10 x
- * and r can be the same, but then the upper parts of r are not zeroed */
-void
-ecfp224_reduce(double *r, double *x, const EC_group_fp * group)
-{
-
-	double x10, x11, x12, x13, x14, q;
-
-	ECFP_ASSERT(group->doubleBitSize == 24);
-	ECFP_ASSERT(group->primeBitSize == 224);
-	ECFP_ASSERT(group->numDoubles == 10);
-
-	/* Tidy just the upper bits of x.  Don't need to tidy the lower ones
-	 * yet. */
-	ecfp_tidyUpper(x, group);
-
-	x10 = x[10] + x[16] * ecfp_twom128;
-	x11 = x[11] + x[17] * ecfp_twom128;
-	x12 = x[12] + x[18] * ecfp_twom128;
-	x13 = x[13] + x[19] * ecfp_twom128;
-
-	/* Tidy up, or we won't have enough bits later to add it in */
-	q = x10 + group->alpha[11];
-	q -= group->alpha[11];
-	x10 -= q;
-	x11 = x11 + q;
-
-	q = x11 + group->alpha[12];
-	q -= group->alpha[12];
-	x11 -= q;
-	x12 = x12 + q;
-
-	q = x12 + group->alpha[13];
-	q -= group->alpha[13];
-	x12 -= q;
-	x13 = x13 + q;
-
-	q = x13 + group->alpha[14];
-	q -= group->alpha[14];
-	x13 -= q;
-	x14 = x[14] + q;
-
-	r[9] = x[9] + x[15] * ecfp_twom128 - x[19] * ecfp_twom224;
-	r[8] = x[8] + x14 * ecfp_twom128 - x[18] * ecfp_twom224;
-	r[7] = x[7] + x13 * ecfp_twom128 - x[17] * ecfp_twom224;
-	r[6] = x[6] + x12 * ecfp_twom128 - x[16] * ecfp_twom224;
-	r[5] = x[5] + x11 * ecfp_twom128 - x[15] * ecfp_twom224;
-	r[4] = x[4] + x10 * ecfp_twom128 - x14 * ecfp_twom224;
-	r[3] = x[3] - x13 * ecfp_twom224;
-	r[2] = x[2] - x12 * ecfp_twom224;
-	r[1] = x[1] - x11 * ecfp_twom224;
-	r[0] = x[0] - x10 * ecfp_twom224;
-
-	/* 
-	 * Tidy up just r[ECFP_NUMDOUBLES-2] so that the number of reductions
-	 * is accurate plus or minus one.  (Rather than tidy all to make it
-	 * totally accurate) */
-	q = r[ECFP_NUMDOUBLES - 2] + group->alpha[ECFP_NUMDOUBLES - 1];
-	q -= group->alpha[ECFP_NUMDOUBLES - 1];
-	r[ECFP_NUMDOUBLES - 2] -= q;
-	r[ECFP_NUMDOUBLES - 1] += q;
-
-	/* Tidy up the excess bits on r[ECFP_NUMDOUBLES-1] using reduction */
-	/* Use ecfp_beta so we get a positive res */
-	q = r[ECFP_NUMDOUBLES - 1] - ecfp_beta_224;
-	q += group->bitSize_alpha;
-	q -= group->bitSize_alpha;
-
-	r[ECFP_NUMDOUBLES - 1] -= q;
-	r[0] -= q * ecfp_twom224;
-	r[4] += q * ecfp_twom128;
-
-	ecfp_tidyShort(r, group);
-}
-
-/* Sets group to use optimized calculations in this file */
-mp_err
-ec_group_set_nistp224_fp(ECGroup *group)
-{
-
-	EC_group_fp *fpg;
-
-	/* Allocate memory for floating point group data */
-	fpg = (EC_group_fp *) malloc(sizeof(EC_group_fp));
-	if (fpg == NULL) {
-		return MP_MEM;
-	}
-
-	fpg->numDoubles = ECFP_NUMDOUBLES;
-	fpg->primeBitSize = ECFP_BSIZE;
-	fpg->orderBitSize = 224;
-	fpg->doubleBitSize = 24;
-	fpg->numInts = (ECFP_BSIZE + ECL_BITS - 1) / ECL_BITS;
-	fpg->aIsM3 = 1;
-	fpg->ecfp_singleReduce = &ecfp224_singleReduce;
-	fpg->ecfp_reduce = &ecfp224_reduce;
-	fpg->ecfp_tidy = &ecfp_tidy;
-
-	fpg->pt_add_jac_aff = &ecfp224_pt_add_jac_aff;
-	fpg->pt_add_jac = &ecfp224_pt_add_jac;
-	fpg->pt_add_jm_chud = &ecfp224_pt_add_jm_chud;
-	fpg->pt_add_chud = &ecfp224_pt_add_chud;
-	fpg->pt_dbl_jac = &ecfp224_pt_dbl_jac;
-	fpg->pt_dbl_jm = &ecfp224_pt_dbl_jm;
-	fpg->pt_dbl_aff2chud = &ecfp224_pt_dbl_aff2chud;
-	fpg->precompute_chud = &ecfp224_precompute_chud;
-	fpg->precompute_jac = &ecfp224_precompute_jac;
-
-	group->point_mul = &ec_GFp_point_mul_wNAF_fp;
-	group->points_mul = &ec_pts_mul_basic;
-	group->extra1 = fpg;
-	group->extra_free = &ec_GFp_extra_free_fp;
-
-	ec_set_fp_precision(fpg);
-	fpg->bitSize_alpha = ECFP_TWO224 * fpg->alpha[0];
-
-	return MP_OKAY;
-}
diff --git a/security/nss/lib/freebl/ecl/ecp_fpinc.c b/security/nss/lib/freebl/ecl/ecp_fpinc.c
deleted file mode 100644
index 61b16ff28..000000000
--- a/security/nss/lib/freebl/ecl/ecp_fpinc.c
+++ /dev/null
@@ -1,855 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library for prime field curves using floating point operations.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Stephen Fung <fungstep@hotmail.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/* This source file is meant to be included by other source files
- * (ecp_fp###.c, where ### is one of 160, 192, 224) and should not
- * constitute an independent compilation unit. It requires the following
- * preprocessor definitions be made: ECFP_BSIZE - the number of bits in
- * the field's prime 
- * ECFP_NUMDOUBLES - the number of doubles to store one
- * multi-precision integer in floating point 
-
-/* Adds a prefix to a given token to give a unique token name. Prefixes
- * with "ecfp" + ECFP_BSIZE + "_". e.g. if ECFP_BSIZE = 160, then
- * PREFIX(hello) = ecfp160_hello This optimization allows static function
- * linking and compiler loop unrolling without code duplication. */
-#ifndef PREFIX
-#define PREFIX(b) PREFIX1(ECFP_BSIZE, b)
-#define PREFIX1(bsize, b) PREFIX2(bsize, b)
-#define PREFIX2(bsize, b) ecfp ## bsize ## _ ## b
-#endif
-
-/* Returns true iff every double in d is 0. (If d == 0 and it is tidied,
- * this will be true.) */
-mp_err PREFIX(isZero) (const double *d) {
-	int i;
-
-	for (i = 0; i < ECFP_NUMDOUBLES; i++) {
-		if (d[i] != 0)
-			return MP_NO;
-	}
-	return MP_YES;
-}
-
-/* Sets the multi-precision floating point number at t = 0 */
-void PREFIX(zero) (double *t) {
-	int i;
-
-	for (i = 0; i < ECFP_NUMDOUBLES; i++) {
-		t[i] = 0;
-	}
-}
-
-/* Sets the multi-precision floating point number at t = 1 */
-void PREFIX(one) (double *t) {
-	int i;
-
-	t[0] = 1;
-	for (i = 1; i < ECFP_NUMDOUBLES; i++) {
-		t[i] = 0;
-	}
-}
-
-/* Checks if point P(x, y, z) is at infinity. Uses Jacobian coordinates. */
-mp_err PREFIX(pt_is_inf_jac) (const ecfp_jac_pt * p) {
-	return PREFIX(isZero) (p->z);
-}
-
-/* Sets the Jacobian point P to be at infinity. */
-void PREFIX(set_pt_inf_jac) (ecfp_jac_pt * p) {
-	PREFIX(zero) (p->z);
-}
-
-/* Checks if point P(x, y) is at infinity. Uses Affine coordinates. */
-mp_err PREFIX(pt_is_inf_aff) (const ecfp_aff_pt * p) {
-	if (PREFIX(isZero) (p->x) == MP_YES && PREFIX(isZero) (p->y) == MP_YES)
-		return MP_YES;
-	return MP_NO;
-}
-
-/* Sets the affine point P to be at infinity. */
-void PREFIX(set_pt_inf_aff) (ecfp_aff_pt * p) {
-	PREFIX(zero) (p->x);
-	PREFIX(zero) (p->y);
-}
-
-/* Checks if point P(x, y, z, a*z^4) is at infinity. Uses Modified
- * Jacobian coordinates. */
-mp_err PREFIX(pt_is_inf_jm) (const ecfp_jm_pt * p) {
-	return PREFIX(isZero) (p->z);
-}
-
-/* Sets the Modified Jacobian point P to be at infinity. */
-void PREFIX(set_pt_inf_jm) (ecfp_jm_pt * p) {
-	PREFIX(zero) (p->z);
-}
-
-/* Checks if point P(x, y, z, z^2, z^3) is at infinity. Uses Chudnovsky
- * Jacobian coordinates */
-mp_err PREFIX(pt_is_inf_chud) (const ecfp_chud_pt * p) {
-	return PREFIX(isZero) (p->z);
-}
-
-/* Sets the Chudnovsky Jacobian point P to be at infinity. */
-void PREFIX(set_pt_inf_chud) (ecfp_chud_pt * p) {
-	PREFIX(zero) (p->z);
-}
-
-/* Copies a multi-precision floating point number, Setting dest = src */
-void PREFIX(copy) (double *dest, const double *src) {
-	int i;
-
-	for (i = 0; i < ECFP_NUMDOUBLES; i++) {
-		dest[i] = src[i];
-	}
-}
-
-/* Sets dest = -src */
-void PREFIX(negLong) (double *dest, const double *src) {
-	int i;
-
-	for (i = 0; i < 2 * ECFP_NUMDOUBLES; i++) {
-		dest[i] = -src[i];
-	}
-}
-
-/* Sets r = -p p = (x, y, z, z2, z3) r = (x, -y, z, z2, z3) Uses
- * Chudnovsky Jacobian coordinates. */
-/* TODO reverse order */
-void PREFIX(pt_neg_chud) (const ecfp_chud_pt * p, ecfp_chud_pt * r) {
-	int i;
-
-	PREFIX(copy) (r->x, p->x);
-	PREFIX(copy) (r->z, p->z);
-	PREFIX(copy) (r->z2, p->z2);
-	PREFIX(copy) (r->z3, p->z3);
-	for (i = 0; i < ECFP_NUMDOUBLES; i++) {
-		r->y[i] = -p->y[i];
-	}
-}
-
-/* Computes r = x + y. Does not tidy or reduce. Any combinations of r, x,
- * y can point to the same data. Componentwise adds first ECFP_NUMDOUBLES
- * doubles of x and y and stores the result in r. */
-void PREFIX(addShort) (double *r, const double *x, const double *y) {
-	int i;
-
-	for (i = 0; i < ECFP_NUMDOUBLES; i++) {
-		*r++ = *x++ + *y++;
-	}
-}
-
-/* Computes r = x + y. Does not tidy or reduce. Any combinations of r, x,
- * y can point to the same data. Componentwise adds first
- * 2*ECFP_NUMDOUBLES doubles of x and y and stores the result in r. */
-void PREFIX(addLong) (double *r, const double *x, const double *y) {
-	int i;
-
-	for (i = 0; i < 2 * ECFP_NUMDOUBLES; i++) {
-		*r++ = *x++ + *y++;
-	}
-}
-
-/* Computes r = x - y. Does not tidy or reduce. Any combinations of r, x,
- * y can point to the same data. Componentwise subtracts first
- * ECFP_NUMDOUBLES doubles of x and y and stores the result in r. */
-void PREFIX(subtractShort) (double *r, const double *x, const double *y) {
-	int i;
-
-	for (i = 0; i < ECFP_NUMDOUBLES; i++) {
-		*r++ = *x++ - *y++;
-	}
-}
-
-/* Computes r = x - y. Does not tidy or reduce. Any combinations of r, x,
- * y can point to the same data. Componentwise subtracts first
- * 2*ECFP_NUMDOUBLES doubles of x and y and stores the result in r. */
-void PREFIX(subtractLong) (double *r, const double *x, const double *y) {
-	int i;
-
-	for (i = 0; i < 2 * ECFP_NUMDOUBLES; i++) {
-		*r++ = *x++ - *y++;
-	}
-}
-
-/* Computes r = x*y.  Both x and y should be tidied and reduced,
- * r must be different (point to different memory) than x and y.
- * Does not tidy or reduce. */
-void PREFIX(multiply)(double *r, const double *x, const double *y) {
-	int i, j;
-
-	for(j=0;j<ECFP_NUMDOUBLES-1;j++) {
-		r[j] = x[0] * y[j];
-		r[j+(ECFP_NUMDOUBLES-1)] = x[ECFP_NUMDOUBLES-1] * y[j];
-	}
-	r[ECFP_NUMDOUBLES-1] = x[0] * y[ECFP_NUMDOUBLES-1];
-	r[ECFP_NUMDOUBLES-1] += x[ECFP_NUMDOUBLES-1] * y[0];
-	r[2*ECFP_NUMDOUBLES-2] = x[ECFP_NUMDOUBLES-1] * y[ECFP_NUMDOUBLES-1];
-	r[2*ECFP_NUMDOUBLES-1] = 0;
-	
-	for(i=1;i<ECFP_NUMDOUBLES-1;i++) {
-		for(j=0;j<ECFP_NUMDOUBLES;j++) {
-			r[i+j] += (x[i] * y[j]);
-		}
-	}
-}
-
-/* Computes the square of x and stores the result in r.  x should be
- * tidied & reduced, r will be neither tidied nor reduced. 
- * r should point to different memory than x */
-void PREFIX(square) (double *r, const double *x) {
-	PREFIX(multiply) (r, x, x);
-}
-
-/* Perform a point doubling in Jacobian coordinates. Input and output
- * should be multi-precision floating point integers. */
-void PREFIX(pt_dbl_jac) (const ecfp_jac_pt * dp, ecfp_jac_pt * dr,
-						 const EC_group_fp * group) {
-	double t0[2 * ECFP_NUMDOUBLES], t1[2 * ECFP_NUMDOUBLES],
-		M[2 * ECFP_NUMDOUBLES], S[2 * ECFP_NUMDOUBLES];
-
-	/* Check for point at infinity */
-	if (PREFIX(pt_is_inf_jac) (dp) == MP_YES) {
-		/* Set r = pt at infinity */
-		PREFIX(set_pt_inf_jac) (dr);
-		goto CLEANUP;
-	}
-
-	/* Perform typical point doubling operations */
-
-	/* TODO? is it worthwhile to do optimizations for when pz = 1? */
-
-	if (group->aIsM3) {
-		/* When a = -3, M = 3(px - pz^2)(px + pz^2) */
-		PREFIX(square) (t1, dp->z);
-		group->ecfp_reduce(t1, t1, group);	/* 2^23 since the negative
-											 * rounding buys another bit */
-		PREFIX(addShort) (t0, dp->x, t1);	/* 2*2^23 */
-		PREFIX(subtractShort) (t1, dp->x, t1);	/* 2 * 2^23 */
-		PREFIX(multiply) (M, t0, t1);	/* 40 * 2^46 */
-		PREFIX(addLong) (t0, M, M);	/* 80 * 2^46 */
-		PREFIX(addLong) (M, t0, M);	/* 120 * 2^46 < 2^53 */
-		group->ecfp_reduce(M, M, group);
-	} else {
-		/* Generic case */
-		/* M = 3 (px^2) + a*(pz^4) */
-		PREFIX(square) (t0, dp->x);
-		PREFIX(addLong) (M, t0, t0);
-		PREFIX(addLong) (t0, t0, M);	/* t0 = 3(px^2) */
-		PREFIX(square) (M, dp->z);
-		group->ecfp_reduce(M, M, group);
-		PREFIX(square) (t1, M);
-		group->ecfp_reduce(t1, t1, group);
-		PREFIX(multiply) (M, t1, group->curvea);	/* M = a(pz^4) */
-		PREFIX(addLong) (M, M, t0);
-		group->ecfp_reduce(M, M, group);
-	}
-
-	/* rz = 2 * py * pz */
-	PREFIX(multiply) (t1, dp->y, dp->z);
-	PREFIX(addLong) (t1, t1, t1);
-	group->ecfp_reduce(dr->z, t1, group);
-
-	/* t0 = 2y^2 */
-	PREFIX(square) (t0, dp->y);
-	group->ecfp_reduce(t0, t0, group);
-	PREFIX(addShort) (t0, t0, t0);
-
-	/* S = 4 * px * py^2 = 2 * px * t0 */
-	PREFIX(multiply) (S, dp->x, t0);
-	PREFIX(addLong) (S, S, S);
-	group->ecfp_reduce(S, S, group);
-
-	/* rx = M^2 - 2 * S */
-	PREFIX(square) (t1, M);
-	PREFIX(subtractShort) (t1, t1, S);
-	PREFIX(subtractShort) (t1, t1, S);
-	group->ecfp_reduce(dr->x, t1, group);
-
-	/* ry = M * (S - rx) - 8 * py^4 */
-	PREFIX(square) (t1, t0);	/* t1 = 4y^4 */
-	PREFIX(subtractShort) (S, S, dr->x);
-	PREFIX(multiply) (t0, M, S);
-	PREFIX(subtractLong) (t0, t0, t1);
-	PREFIX(subtractLong) (t0, t0, t1);
-	group->ecfp_reduce(dr->y, t0, group);
-
-  CLEANUP:
-	return;
-}
-
-/* Perform a point addition using coordinate system Jacobian + Affine ->
- * Jacobian. Input and output should be multi-precision floating point
- * integers. */
-void PREFIX(pt_add_jac_aff) (const ecfp_jac_pt * p, const ecfp_aff_pt * q,
-							 ecfp_jac_pt * r, const EC_group_fp * group) {
-	/* Temporary storage */
-	double A[2 * ECFP_NUMDOUBLES], B[2 * ECFP_NUMDOUBLES],
-		C[2 * ECFP_NUMDOUBLES], C2[2 * ECFP_NUMDOUBLES],
-		D[2 * ECFP_NUMDOUBLES], C3[2 * ECFP_NUMDOUBLES];
-
-	/* Check for point at infinity for p or q */
-	if (PREFIX(pt_is_inf_aff) (q) == MP_YES) {
-		PREFIX(copy) (r->x, p->x);
-		PREFIX(copy) (r->y, p->y);
-		PREFIX(copy) (r->z, p->z);
-		goto CLEANUP;
-	} else if (PREFIX(pt_is_inf_jac) (p) == MP_YES) {
-		PREFIX(copy) (r->x, q->x);
-		PREFIX(copy) (r->y, q->y);
-		/* Since the affine point is not infinity, we can set r->z = 1 */
-		PREFIX(one) (r->z);
-		goto CLEANUP;
-	}
-
-	/* Calculates c = qx * pz^2 - px d = (qy * b - py) rx = d^2 - c^3 + 2
-	 * (px * c^2) ry = d * (c-rx) - py*c^3 rz = c * pz */
-
-	/* A = pz^2, B = pz^3 */
-	PREFIX(square) (A, p->z);
-	group->ecfp_reduce(A, A, group);
-	PREFIX(multiply) (B, A, p->z);
-	group->ecfp_reduce(B, B, group);
-
-	/* C = qx * A - px */
-	PREFIX(multiply) (C, q->x, A);
-	PREFIX(subtractShort) (C, C, p->x);
-	group->ecfp_reduce(C, C, group);
-
-	/* D = qy * B - py */
-	PREFIX(multiply) (D, q->y, B);
-	PREFIX(subtractShort) (D, D, p->y);
-	group->ecfp_reduce(D, D, group);
-
-	/* C2 = C^2, C3 = C^3 */
-	PREFIX(square) (C2, C);
-	group->ecfp_reduce(C2, C2, group);
-	PREFIX(multiply) (C3, C2, C);
-	group->ecfp_reduce(C3, C3, group);
-
-	/* rz = A = pz * C */
-	PREFIX(multiply) (A, p->z, C);
-	group->ecfp_reduce(r->z, A, group);
-
-	/* C = px * C^2, untidied, unreduced */
-	PREFIX(multiply) (C, p->x, C2);
-
-	/* A = D^2, untidied, unreduced */
-	PREFIX(square) (A, D);
-
-	/* rx = B = A - C3 - C - C = D^2 - (C^3 + 2 * (px * C^2) */
-	PREFIX(subtractShort) (A, A, C3);
-	PREFIX(subtractLong) (A, A, C);
-	PREFIX(subtractLong) (A, A, C);
-	group->ecfp_reduce(r->x, A, group);
-
-	/* B = py * C3, untidied, unreduced */
-	PREFIX(multiply) (B, p->y, C3);
-
-	/* C = px * C^2 - rx */
-	PREFIX(subtractShort) (C, C, r->x);
-	group->ecfp_reduce(C, C, group);
-
-	/* ry = A = D * C - py * C^3 */
-	PREFIX(multiply) (A, D, C);
-	PREFIX(subtractLong) (A, A, B);
-	group->ecfp_reduce(r->y, A, group);
-
-  CLEANUP:
-	return;
-}
-
-/* Perform a point addition using Jacobian coordinate system. Input and
- * output should be multi-precision floating point integers. */
-void PREFIX(pt_add_jac) (const ecfp_jac_pt * p, const ecfp_jac_pt * q,
-						 ecfp_jac_pt * r, const EC_group_fp * group) {
-
-	/* Temporary Storage */
-	double t0[2 * ECFP_NUMDOUBLES], t1[2 * ECFP_NUMDOUBLES],
-		U[2 * ECFP_NUMDOUBLES], R[2 * ECFP_NUMDOUBLES],
-		S[2 * ECFP_NUMDOUBLES], H[2 * ECFP_NUMDOUBLES],
-		H3[2 * ECFP_NUMDOUBLES];
-
-	/* Check for point at infinity for p, if so set r = q */
-	if (PREFIX(pt_is_inf_jac) (p) == MP_YES) {
-		PREFIX(copy) (r->x, q->x);
-		PREFIX(copy) (r->y, q->y);
-		PREFIX(copy) (r->z, q->z);
-		goto CLEANUP;
-	}
-
-	/* Check for point at infinity for p, if so set r = q */
-	if (PREFIX(pt_is_inf_jac) (q) == MP_YES) {
-		PREFIX(copy) (r->x, p->x);
-		PREFIX(copy) (r->y, p->y);
-		PREFIX(copy) (r->z, p->z);
-		goto CLEANUP;
-	}
-
-	/* U = px * qz^2 , S = py * qz^3 */
-	PREFIX(square) (t0, q->z);
-	group->ecfp_reduce(t0, t0, group);
-	PREFIX(multiply) (U, p->x, t0);
-	group->ecfp_reduce(U, U, group);
-	PREFIX(multiply) (t1, t0, q->z);
-	group->ecfp_reduce(t1, t1, group);
-	PREFIX(multiply) (t0, p->y, t1);
-	group->ecfp_reduce(S, t0, group);
-
-	/* H = qx*(pz)^2 - U , R = (qy * pz^3 - S) */
-	PREFIX(square) (t0, p->z);
-	group->ecfp_reduce(t0, t0, group);
-	PREFIX(multiply) (H, q->x, t0);
-	PREFIX(subtractShort) (H, H, U);
-	group->ecfp_reduce(H, H, group);
-	PREFIX(multiply) (t1, t0, p->z);	/* t1 = pz^3 */
-	group->ecfp_reduce(t1, t1, group);
-	PREFIX(multiply) (t0, t1, q->y);	/* t0 = qy * pz^3 */
-	PREFIX(subtractShort) (t0, t0, S);
-	group->ecfp_reduce(R, t0, group);
-
-	/* U = U*H^2, H3 = H^3 */
-	PREFIX(square) (t0, H);
-	group->ecfp_reduce(t0, t0, group);
-	PREFIX(multiply) (t1, U, t0);
-	group->ecfp_reduce(U, t1, group);
-	PREFIX(multiply) (H3, t0, H);
-	group->ecfp_reduce(H3, H3, group);
-
-	/* rz = pz * qz * H */
-	PREFIX(multiply) (t0, q->z, H);
-	group->ecfp_reduce(t0, t0, group);
-	PREFIX(multiply) (t1, t0, p->z);
-	group->ecfp_reduce(r->z, t1, group);
-
-	/* rx = R^2 - H^3 - 2 * U */
-	PREFIX(square) (t0, R);
-	PREFIX(subtractShort) (t0, t0, H3);
-	PREFIX(subtractShort) (t0, t0, U);
-	PREFIX(subtractShort) (t0, t0, U);
-	group->ecfp_reduce(r->x, t0, group);
-
-	/* ry = R(U - rx) - S*H3 */
-	PREFIX(subtractShort) (t1, U, r->x);
-	PREFIX(multiply) (t0, t1, R);
-	PREFIX(multiply) (t1, S, H3);
-	PREFIX(subtractLong) (t1, t0, t1);
-	group->ecfp_reduce(r->y, t1, group);
-
-  CLEANUP:
-	return;
-}
-
-/* Perform a point doubling in Modified Jacobian coordinates. Input and
- * output should be multi-precision floating point integers. */
-void PREFIX(pt_dbl_jm) (const ecfp_jm_pt * p, ecfp_jm_pt * r,
-						const EC_group_fp * group) {
-
-	/* Temporary storage */
-	double t0[2 * ECFP_NUMDOUBLES], t1[2 * ECFP_NUMDOUBLES],
-		M[2 * ECFP_NUMDOUBLES], S[2 * ECFP_NUMDOUBLES],
-		U[2 * ECFP_NUMDOUBLES], T[2 * ECFP_NUMDOUBLES];
-
-	/* Check for point at infinity */
-	if (PREFIX(pt_is_inf_jm) (p) == MP_YES) {
-		/* Set r = pt at infinity by setting rz = 0 */
-		PREFIX(set_pt_inf_jm) (r);
-		goto CLEANUP;
-	}
-
-	/* M = 3 (px^2) + a*(pz^4) */
-	PREFIX(square) (t0, p->x);
-	PREFIX(addLong) (M, t0, t0);
-	PREFIX(addLong) (t0, t0, M);	/* t0 = 3(px^2) */
-	PREFIX(addShort) (t0, t0, p->az4);
-	group->ecfp_reduce(M, t0, group);
-
-	/* rz = 2 * py * pz */
-	PREFIX(multiply) (t1, p->y, p->z);
-	PREFIX(addLong) (t1, t1, t1);
-	group->ecfp_reduce(r->z, t1, group);
-
-	/* t0 = 2y^2, U = 8y^4 */
-	PREFIX(square) (t0, p->y);
-	group->ecfp_reduce(t0, t0, group);
-	PREFIX(addShort) (t0, t0, t0);
-	PREFIX(square) (U, t0);
-	group->ecfp_reduce(U, U, group);
-	PREFIX(addShort) (U, U, U);
-
-	/* S = 4 * px * py^2 = 2 * px * t0 */
-	PREFIX(multiply) (S, p->x, t0);
-	group->ecfp_reduce(S, S, group);
-	PREFIX(addShort) (S, S, S);
-
-	/* rx = M^2 - 2S */
-	PREFIX(square) (T, M);
-	PREFIX(subtractShort) (T, T, S);
-	PREFIX(subtractShort) (T, T, S);
-	group->ecfp_reduce(r->x, T, group);
-
-	/* ry = M * (S - rx) - U */
-	PREFIX(subtractShort) (S, S, r->x);
-	PREFIX(multiply) (t0, M, S);
-	PREFIX(subtractShort) (t0, t0, U);
-	group->ecfp_reduce(r->y, t0, group);
-
-	/* ra*z^4 = 2*U*(apz4) */
-	PREFIX(multiply) (t1, U, p->az4);
-	PREFIX(addLong) (t1, t1, t1);
-	group->ecfp_reduce(r->az4, t1, group);
-
-  CLEANUP:
-	return;
-}
-
-/* Perform a point doubling using coordinates Affine -> Chudnovsky
- * Jacobian. Input and output should be multi-precision floating point
- * integers. */
-void PREFIX(pt_dbl_aff2chud) (const ecfp_aff_pt * p, ecfp_chud_pt * r,
-							  const EC_group_fp * group) {
-	double t0[2 * ECFP_NUMDOUBLES], t1[2 * ECFP_NUMDOUBLES],
-		M[2 * ECFP_NUMDOUBLES], twoY2[2 * ECFP_NUMDOUBLES],
-		S[2 * ECFP_NUMDOUBLES];
-
-	/* Check for point at infinity for p, if so set r = O */
-	if (PREFIX(pt_is_inf_aff) (p) == MP_YES) {
-		PREFIX(set_pt_inf_chud) (r);
-		goto CLEANUP;
-	}
-
-	/* M = 3(px)^2 + a */
-	PREFIX(square) (t0, p->x);
-	PREFIX(addLong) (t1, t0, t0);
-	PREFIX(addLong) (t1, t1, t0);
-	PREFIX(addShort) (t1, t1, group->curvea);
-	group->ecfp_reduce(M, t1, group);
-
-	/* twoY2 = 2*(py)^2, S = 4(px)(py)^2 */
-	PREFIX(square) (twoY2, p->y);
-	PREFIX(addLong) (twoY2, twoY2, twoY2);
-	group->ecfp_reduce(twoY2, twoY2, group);
-	PREFIX(multiply) (S, p->x, twoY2);
-	PREFIX(addLong) (S, S, S);
-	group->ecfp_reduce(S, S, group);
-
-	/* rx = M^2 - 2S */
-	PREFIX(square) (t0, M);
-	PREFIX(subtractShort) (t0, t0, S);
-	PREFIX(subtractShort) (t0, t0, S);
-	group->ecfp_reduce(r->x, t0, group);
-
-	/* ry = M(S-rx) - 8y^4 */
-	PREFIX(subtractShort) (t0, S, r->x);
-	PREFIX(multiply) (t1, t0, M);
-	PREFIX(square) (t0, twoY2);
-	PREFIX(subtractLong) (t1, t1, t0);
-	PREFIX(subtractLong) (t1, t1, t0);
-	group->ecfp_reduce(r->y, t1, group);
-
-	/* rz = 2py */
-	PREFIX(addShort) (r->z, p->y, p->y);
-
-	/* rz2 = rz^2 */
-	PREFIX(square) (t0, r->z);
-	group->ecfp_reduce(r->z2, t0, group);
-
-	/* rz3 = rz^3 */
-	PREFIX(multiply) (t0, r->z, r->z2);
-	group->ecfp_reduce(r->z3, t0, group);
-
-  CLEANUP:
-	return;
-}
-
-/* Perform a point addition using coordinates: Modified Jacobian +
- * Chudnovsky Jacobian -> Modified Jacobian. Input and output should be
- * multi-precision floating point integers. */
-void PREFIX(pt_add_jm_chud) (ecfp_jm_pt * p, ecfp_chud_pt * q,
-							 ecfp_jm_pt * r, const EC_group_fp * group) {
-
-	double t0[2 * ECFP_NUMDOUBLES], t1[2 * ECFP_NUMDOUBLES],
-		U[2 * ECFP_NUMDOUBLES], R[2 * ECFP_NUMDOUBLES],
-		S[2 * ECFP_NUMDOUBLES], H[2 * ECFP_NUMDOUBLES],
-		H3[2 * ECFP_NUMDOUBLES], pz2[2 * ECFP_NUMDOUBLES];
-
-	/* Check for point at infinity for p, if so set r = q need to convert
-	 * from Chudnovsky form to Modified Jacobian form */
-	if (PREFIX(pt_is_inf_jm) (p) == MP_YES) {
-		PREFIX(copy) (r->x, q->x);
-		PREFIX(copy) (r->y, q->y);
-		PREFIX(copy) (r->z, q->z);
-		PREFIX(square) (t0, q->z2);
-		group->ecfp_reduce(t0, t0, group);
-		PREFIX(multiply) (t1, t0, group->curvea);
-		group->ecfp_reduce(r->az4, t1, group);
-		goto CLEANUP;
-	}
-	/* Check for point at infinity for q, if so set r = p */
-	if (PREFIX(pt_is_inf_chud) (q) == MP_YES) {
-		PREFIX(copy) (r->x, p->x);
-		PREFIX(copy) (r->y, p->y);
-		PREFIX(copy) (r->z, p->z);
-		PREFIX(copy) (r->az4, p->az4);
-		goto CLEANUP;
-	}
-
-	/* U = px * qz^2 */
-	PREFIX(multiply) (U, p->x, q->z2);
-	group->ecfp_reduce(U, U, group);
-
-	/* H = qx*(pz)^2 - U */
-	PREFIX(square) (t0, p->z);
-	group->ecfp_reduce(pz2, t0, group);
-	PREFIX(multiply) (H, pz2, q->x);
-	group->ecfp_reduce(H, H, group);
-	PREFIX(subtractShort) (H, H, U);
-
-	/* U = U*H^2, H3 = H^3 */
-	PREFIX(square) (t0, H);
-	group->ecfp_reduce(t0, t0, group);
-	PREFIX(multiply) (t1, U, t0);
-	group->ecfp_reduce(U, t1, group);
-	PREFIX(multiply) (H3, t0, H);
-	group->ecfp_reduce(H3, H3, group);
-
-	/* S = py * qz^3 */
-	PREFIX(multiply) (S, p->y, q->z3);
-	group->ecfp_reduce(S, S, group);
-
-	/* R = (qy * z1^3 - s) */
-	PREFIX(multiply) (t0, pz2, p->z);
-	group->ecfp_reduce(t0, t0, group);
-	PREFIX(multiply) (R, t0, q->y);
-	PREFIX(subtractShort) (R, R, S);
-	group->ecfp_reduce(R, R, group);
-
-	/* rz = pz * qz * H */
-	PREFIX(multiply) (t1, q->z, H);
-	group->ecfp_reduce(t1, t1, group);
-	PREFIX(multiply) (t0, p->z, t1);
-	group->ecfp_reduce(r->z, t0, group);
-
-	/* rx = R^2 - H^3 - 2 * U */
-	PREFIX(square) (t0, R);
-	PREFIX(subtractShort) (t0, t0, H3);
-	PREFIX(subtractShort) (t0, t0, U);
-	PREFIX(subtractShort) (t0, t0, U);
-	group->ecfp_reduce(r->x, t0, group);
-
-	/* ry = R(U - rx) - S*H3 */
-	PREFIX(subtractShort) (t1, U, r->x);
-	PREFIX(multiply) (t0, t1, R);
-	PREFIX(multiply) (t1, S, H3);
-	PREFIX(subtractLong) (t1, t0, t1);
-	group->ecfp_reduce(r->y, t1, group);
-
-	if (group->aIsM3) {			/* a == -3 */
-		/* a(rz^4) = -3 * ((rz^2)^2) */
-		PREFIX(square) (t0, r->z);
-		group->ecfp_reduce(t0, t0, group);
-		PREFIX(square) (t1, t0);
-		PREFIX(addLong) (t0, t1, t1);
-		PREFIX(addLong) (t0, t0, t1);
-		PREFIX(negLong) (t0, t0);
-		group->ecfp_reduce(r->az4, t0, group);
-	} else {					/* Generic case */
-		/* a(rz^4) = a * ((rz^2)^2) */
-		PREFIX(square) (t0, r->z);
-		group->ecfp_reduce(t0, t0, group);
-		PREFIX(square) (t1, t0);
-		group->ecfp_reduce(t1, t1, group);
-		PREFIX(multiply) (t0, group->curvea, t1);
-		group->ecfp_reduce(r->az4, t0, group);
-	}
-  CLEANUP:
-	return;
-}
-
-/* Perform a point addition using Chudnovsky Jacobian coordinates. Input
- * and output should be multi-precision floating point integers. */
-void PREFIX(pt_add_chud) (const ecfp_chud_pt * p, const ecfp_chud_pt * q,
-						  ecfp_chud_pt * r, const EC_group_fp * group) {
-
-	/* Temporary Storage */
-	double t0[2 * ECFP_NUMDOUBLES], t1[2 * ECFP_NUMDOUBLES],
-		U[2 * ECFP_NUMDOUBLES], R[2 * ECFP_NUMDOUBLES],
-		S[2 * ECFP_NUMDOUBLES], H[2 * ECFP_NUMDOUBLES],
-		H3[2 * ECFP_NUMDOUBLES];
-
-	/* Check for point at infinity for p, if so set r = q */
-	if (PREFIX(pt_is_inf_chud) (p) == MP_YES) {
-		PREFIX(copy) (r->x, q->x);
-		PREFIX(copy) (r->y, q->y);
-		PREFIX(copy) (r->z, q->z);
-		PREFIX(copy) (r->z2, q->z2);
-		PREFIX(copy) (r->z3, q->z3);
-		goto CLEANUP;
-	}
-
-	/* Check for point at infinity for p, if so set r = q */
-	if (PREFIX(pt_is_inf_chud) (q) == MP_YES) {
-		PREFIX(copy) (r->x, p->x);
-		PREFIX(copy) (r->y, p->y);
-		PREFIX(copy) (r->z, p->z);
-		PREFIX(copy) (r->z2, p->z2);
-		PREFIX(copy) (r->z3, p->z3);
-		goto CLEANUP;
-	}
-
-	/* U = px * qz^2 */
-	PREFIX(multiply) (U, p->x, q->z2);
-	group->ecfp_reduce(U, U, group);
-
-	/* H = qx*(pz)^2 - U */
-	PREFIX(multiply) (H, q->x, p->z2);
-	PREFIX(subtractShort) (H, H, U);
-	group->ecfp_reduce(H, H, group);
-
-	/* U = U*H^2, H3 = H^3 */
-	PREFIX(square) (t0, H);
-	group->ecfp_reduce(t0, t0, group);
-	PREFIX(multiply) (t1, U, t0);
-	group->ecfp_reduce(U, t1, group);
-	PREFIX(multiply) (H3, t0, H);
-	group->ecfp_reduce(H3, H3, group);
-
-	/* S = py * qz^3 */
-	PREFIX(multiply) (S, p->y, q->z3);
-	group->ecfp_reduce(S, S, group);
-
-	/* rz = pz * qz * H */
-	PREFIX(multiply) (t0, q->z, H);
-	group->ecfp_reduce(t0, t0, group);
-	PREFIX(multiply) (t1, t0, p->z);
-	group->ecfp_reduce(r->z, t1, group);
-
-	/* R = (qy * z1^3 - s) */
-	PREFIX(multiply) (t0, q->y, p->z3);
-	PREFIX(subtractShort) (t0, t0, S);
-	group->ecfp_reduce(R, t0, group);
-
-	/* rx = R^2 - H^3 - 2 * U */
-	PREFIX(square) (t0, R);
-	PREFIX(subtractShort) (t0, t0, H3);
-	PREFIX(subtractShort) (t0, t0, U);
-	PREFIX(subtractShort) (t0, t0, U);
-	group->ecfp_reduce(r->x, t0, group);
-
-	/* ry = R(U - rx) - S*H3 */
-	PREFIX(subtractShort) (t1, U, r->x);
-	PREFIX(multiply) (t0, t1, R);
-	PREFIX(multiply) (t1, S, H3);
-	PREFIX(subtractLong) (t1, t0, t1);
-	group->ecfp_reduce(r->y, t1, group);
-
-	/* rz2 = rz^2 */
-	PREFIX(square) (t0, r->z);
-	group->ecfp_reduce(r->z2, t0, group);
-
-	/* rz3 = rz^3 */
-	PREFIX(multiply) (t0, r->z, r->z2);
-	group->ecfp_reduce(r->z3, t0, group);
-
-  CLEANUP:
-	return;
-}
-
-/* Expects out to be an array of size 16 of Chudnovsky Jacobian points.
- * Fills in Chudnovsky Jacobian form (x, y, z, z^2, z^3), for -15P, -13P,
- * -11P, -9P, -7P, -5P, -3P, -P, P, 3P, 5P, 7P, 9P, 11P, 13P, 15P */
-void PREFIX(precompute_chud) (ecfp_chud_pt * out, const ecfp_aff_pt * p,
-							  const EC_group_fp * group) {
-
-	ecfp_chud_pt p2;
-
-	/* Set out[8] = P */
-	PREFIX(copy) (out[8].x, p->x);
-	PREFIX(copy) (out[8].y, p->y);
-	PREFIX(one) (out[8].z);
-	PREFIX(one) (out[8].z2);
-	PREFIX(one) (out[8].z3);
-
-	/* Set p2 = 2P */
-	PREFIX(pt_dbl_aff2chud) (p, &p2, group);
-
-	/* Set 3P, 5P, ..., 15P */
-	PREFIX(pt_add_chud) (&out[8], &p2, &out[9], group);
-	PREFIX(pt_add_chud) (&out[9], &p2, &out[10], group);
-	PREFIX(pt_add_chud) (&out[10], &p2, &out[11], group);
-	PREFIX(pt_add_chud) (&out[11], &p2, &out[12], group);
-	PREFIX(pt_add_chud) (&out[12], &p2, &out[13], group);
-	PREFIX(pt_add_chud) (&out[13], &p2, &out[14], group);
-	PREFIX(pt_add_chud) (&out[14], &p2, &out[15], group);
-
-	/* Set -15P, -13P, ..., -P */
-	PREFIX(pt_neg_chud) (&out[8], &out[7]);
-	PREFIX(pt_neg_chud) (&out[9], &out[6]);
-	PREFIX(pt_neg_chud) (&out[10], &out[5]);
-	PREFIX(pt_neg_chud) (&out[11], &out[4]);
-	PREFIX(pt_neg_chud) (&out[12], &out[3]);
-	PREFIX(pt_neg_chud) (&out[13], &out[2]);
-	PREFIX(pt_neg_chud) (&out[14], &out[1]);
-	PREFIX(pt_neg_chud) (&out[15], &out[0]);
-}
-
-/* Expects out to be an array of size 16 of Jacobian points. Fills in
- * Jacobian form (x, y, z), for O, P, 2P, ... 15P */
-void PREFIX(precompute_jac) (ecfp_jac_pt * precomp, const ecfp_aff_pt * p,
-							 const EC_group_fp * group) {
-	int i;
-
-	/* fill precomputation table */
-	/* set precomp[0] */
-	PREFIX(set_pt_inf_jac) (&precomp[0]);
-	/* set precomp[1] */
-	PREFIX(copy) (precomp[1].x, p->x);
-	PREFIX(copy) (precomp[1].y, p->y);
-	if (PREFIX(pt_is_inf_aff) (p) == MP_YES) {
-		PREFIX(zero) (precomp[1].z);
-	} else {
-		PREFIX(one) (precomp[1].z);
-	}
-	/* set precomp[2] */
-	group->pt_dbl_jac(&precomp[1], &precomp[2], group);
-
-	/* set rest of precomp */
-	for (i = 3; i < 16; i++) {
-		group->pt_add_jac_aff(&precomp[i - 1], p, &precomp[i], group);
-	}
-}
diff --git a/security/nss/lib/freebl/ecl/ecp_jac.c b/security/nss/lib/freebl/ecl/ecp_jac.c
deleted file mode 100644
index 2659dbb82..000000000
--- a/security/nss/lib/freebl/ecl/ecp_jac.c
+++ /dev/null
@@ -1,553 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library for prime field curves.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Sheueling Chang-Shantz <sheueling.chang@sun.com>,
- *   Stephen Fung <fungstep@hotmail.com>, and
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories.
- *   Bodo Moeller <moeller@cdc.informatik.tu-darmstadt.de>,
- *   Nils Larsch <nla@trustcenter.de>, and
- *   Lenka Fibikova <fibikova@exp-math.uni-essen.de>, the OpenSSL Project
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "ecp.h"
-#include "mplogic.h"
-#include <stdlib.h>
-#ifdef ECL_DEBUG
-#include <assert.h>
-#endif
-
-/* Converts a point P(px, py) from affine coordinates to Jacobian
- * projective coordinates R(rx, ry, rz). Assumes input is already
- * field-encoded using field_enc, and returns output that is still
- * field-encoded. */
-mp_err
-ec_GFp_pt_aff2jac(const mp_int *px, const mp_int *py, mp_int *rx,
-				  mp_int *ry, mp_int *rz, const ECGroup *group)
-{
-	mp_err res = MP_OKAY;
-
-	if (ec_GFp_pt_is_inf_aff(px, py) == MP_YES) {
-		MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, rz));
-	} else {
-		MP_CHECKOK(mp_copy(px, rx));
-		MP_CHECKOK(mp_copy(py, ry));
-		MP_CHECKOK(mp_set_int(rz, 1));
-		if (group->meth->field_enc) {
-			MP_CHECKOK(group->meth->field_enc(rz, rz, group->meth));
-		}
-	}
-  CLEANUP:
-	return res;
-}
-
-/* Converts a point P(px, py, pz) from Jacobian projective coordinates to
- * affine coordinates R(rx, ry).  P and R can share x and y coordinates.
- * Assumes input is already field-encoded using field_enc, and returns
- * output that is still field-encoded. */
-mp_err
-ec_GFp_pt_jac2aff(const mp_int *px, const mp_int *py, const mp_int *pz,
-				  mp_int *rx, mp_int *ry, const ECGroup *group)
-{
-	mp_err res = MP_OKAY;
-	mp_int z1, z2, z3;
-
-	MP_DIGITS(&z1) = 0;
-	MP_DIGITS(&z2) = 0;
-	MP_DIGITS(&z3) = 0;
-	MP_CHECKOK(mp_init(&z1));
-	MP_CHECKOK(mp_init(&z2));
-	MP_CHECKOK(mp_init(&z3));
-
-	/* if point at infinity, then set point at infinity and exit */
-	if (ec_GFp_pt_is_inf_jac(px, py, pz) == MP_YES) {
-		MP_CHECKOK(ec_GFp_pt_set_inf_aff(rx, ry));
-		goto CLEANUP;
-	}
-
-	/* transform (px, py, pz) into (px / pz^2, py / pz^3) */
-	if (mp_cmp_d(pz, 1) == 0) {
-		MP_CHECKOK(mp_copy(px, rx));
-		MP_CHECKOK(mp_copy(py, ry));
-	} else {
-		MP_CHECKOK(group->meth->field_div(NULL, pz, &z1, group->meth));
-		MP_CHECKOK(group->meth->field_sqr(&z1, &z2, group->meth));
-		MP_CHECKOK(group->meth->field_mul(&z1, &z2, &z3, group->meth));
-		MP_CHECKOK(group->meth->field_mul(px, &z2, rx, group->meth));
-		MP_CHECKOK(group->meth->field_mul(py, &z3, ry, group->meth));
-	}
-
-  CLEANUP:
-	mp_clear(&z1);
-	mp_clear(&z2);
-	mp_clear(&z3);
-	return res;
-}
-
-/* Checks if point P(px, py, pz) is at infinity. Uses Jacobian
- * coordinates. */
-mp_err
-ec_GFp_pt_is_inf_jac(const mp_int *px, const mp_int *py, const mp_int *pz)
-{
-	return mp_cmp_z(pz);
-}
-
-/* Sets P(px, py, pz) to be the point at infinity.  Uses Jacobian
- * coordinates. */
-mp_err
-ec_GFp_pt_set_inf_jac(mp_int *px, mp_int *py, mp_int *pz)
-{
-	mp_zero(pz);
-	return MP_OKAY;
-}
-
-/* Computes R = P + Q where R is (rx, ry, rz), P is (px, py, pz) and Q is
- * (qx, qy, 1).  Elliptic curve points P, Q, and R can all be identical.
- * Uses mixed Jacobian-affine coordinates. Assumes input is already
- * field-encoded using field_enc, and returns output that is still
- * field-encoded. Uses equation (2) from Brown, Hankerson, Lopez, and
- * Menezes. Software Implementation of the NIST Elliptic Curves Over Prime
- * Fields. */
-mp_err
-ec_GFp_pt_add_jac_aff(const mp_int *px, const mp_int *py, const mp_int *pz,
-					  const mp_int *qx, const mp_int *qy, mp_int *rx,
-					  mp_int *ry, mp_int *rz, const ECGroup *group)
-{
-	mp_err res = MP_OKAY;
-	mp_int A, B, C, D, C2, C3;
-
-	MP_DIGITS(&A) = 0;
-	MP_DIGITS(&B) = 0;
-	MP_DIGITS(&C) = 0;
-	MP_DIGITS(&D) = 0;
-	MP_DIGITS(&C2) = 0;
-	MP_DIGITS(&C3) = 0;
-	MP_CHECKOK(mp_init(&A));
-	MP_CHECKOK(mp_init(&B));
-	MP_CHECKOK(mp_init(&C));
-	MP_CHECKOK(mp_init(&D));
-	MP_CHECKOK(mp_init(&C2));
-	MP_CHECKOK(mp_init(&C3));
-
-	/* If either P or Q is the point at infinity, then return the other
-	 * point */
-	if (ec_GFp_pt_is_inf_jac(px, py, pz) == MP_YES) {
-		MP_CHECKOK(ec_GFp_pt_aff2jac(qx, qy, rx, ry, rz, group));
-		goto CLEANUP;
-	}
-	if (ec_GFp_pt_is_inf_aff(qx, qy) == MP_YES) {
-		MP_CHECKOK(mp_copy(px, rx));
-		MP_CHECKOK(mp_copy(py, ry));
-		MP_CHECKOK(mp_copy(pz, rz));
-		goto CLEANUP;
-	}
-
-	/* A = qx * pz^2, B = qy * pz^3 */
-	MP_CHECKOK(group->meth->field_sqr(pz, &A, group->meth));
-	MP_CHECKOK(group->meth->field_mul(&A, pz, &B, group->meth));
-	MP_CHECKOK(group->meth->field_mul(&A, qx, &A, group->meth));
-	MP_CHECKOK(group->meth->field_mul(&B, qy, &B, group->meth));
-
-	/* C = A - px, D = B - py */
-	MP_CHECKOK(group->meth->field_sub(&A, px, &C, group->meth));
-	MP_CHECKOK(group->meth->field_sub(&B, py, &D, group->meth));
-
-	/* C2 = C^2, C3 = C^3 */
-	MP_CHECKOK(group->meth->field_sqr(&C, &C2, group->meth));
-	MP_CHECKOK(group->meth->field_mul(&C, &C2, &C3, group->meth));
-
-	/* rz = pz * C */
-	MP_CHECKOK(group->meth->field_mul(pz, &C, rz, group->meth));
-
-	/* C = px * C^2 */
-	MP_CHECKOK(group->meth->field_mul(px, &C2, &C, group->meth));
-	/* A = D^2 */
-	MP_CHECKOK(group->meth->field_sqr(&D, &A, group->meth));
-
-	/* rx = D^2 - (C^3 + 2 * (px * C^2)) */
-	MP_CHECKOK(group->meth->field_add(&C, &C, rx, group->meth));
-	MP_CHECKOK(group->meth->field_add(&C3, rx, rx, group->meth));
-	MP_CHECKOK(group->meth->field_sub(&A, rx, rx, group->meth));
-
-	/* C3 = py * C^3 */
-	MP_CHECKOK(group->meth->field_mul(py, &C3, &C3, group->meth));
-
-	/* ry = D * (px * C^2 - rx) - py * C^3 */
-	MP_CHECKOK(group->meth->field_sub(&C, rx, ry, group->meth));
-	MP_CHECKOK(group->meth->field_mul(&D, ry, ry, group->meth));
-	MP_CHECKOK(group->meth->field_sub(ry, &C3, ry, group->meth));
-
-  CLEANUP:
-	mp_clear(&A);
-	mp_clear(&B);
-	mp_clear(&C);
-	mp_clear(&D);
-	mp_clear(&C2);
-	mp_clear(&C3);
-	return res;
-}
-
-/* Computes R = 2P.  Elliptic curve points P and R can be identical.  Uses 
- * Jacobian coordinates.
- *
- * Assumes input is already field-encoded using field_enc, and returns 
- * output that is still field-encoded.
- *
- * This routine implements Point Doubling in the Jacobian Projective 
- * space as described in the paper "Efficient elliptic curve exponentiation 
- * using mixed coordinates", by H. Cohen, A Miyaji, T. Ono.
- */
-mp_err
-ec_GFp_pt_dbl_jac(const mp_int *px, const mp_int *py, const mp_int *pz,
-				  mp_int *rx, mp_int *ry, mp_int *rz, const ECGroup *group)
-{
-	mp_err res = MP_OKAY;
-	mp_int t0, t1, M, S;
-
-	MP_DIGITS(&t0) = 0;
-	MP_DIGITS(&t1) = 0;
-	MP_DIGITS(&M) = 0;
-	MP_DIGITS(&S) = 0;
-	MP_CHECKOK(mp_init(&t0));
-	MP_CHECKOK(mp_init(&t1));
-	MP_CHECKOK(mp_init(&M));
-	MP_CHECKOK(mp_init(&S));
-
-	if (ec_GFp_pt_is_inf_jac(px, py, pz) == MP_YES) {
-		MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, rz));
-		goto CLEANUP;
-	}
-
-	if (mp_cmp_d(pz, 1) == 0) {
-		/* M = 3 * px^2 + a */
-		MP_CHECKOK(group->meth->field_sqr(px, &t0, group->meth));
-		MP_CHECKOK(group->meth->field_add(&t0, &t0, &M, group->meth));
-		MP_CHECKOK(group->meth->field_add(&t0, &M, &t0, group->meth));
-		MP_CHECKOK(group->meth->
-				   field_add(&t0, &group->curvea, &M, group->meth));
-	} else if (mp_cmp_int(&group->curvea, -3) == 0) {
-		/* M = 3 * (px + pz^2) * (px - pz^2) */
-		MP_CHECKOK(group->meth->field_sqr(pz, &M, group->meth));
-		MP_CHECKOK(group->meth->field_add(px, &M, &t0, group->meth));
-		MP_CHECKOK(group->meth->field_sub(px, &M, &t1, group->meth));
-		MP_CHECKOK(group->meth->field_mul(&t0, &t1, &M, group->meth));
-		MP_CHECKOK(group->meth->field_add(&M, &M, &t0, group->meth));
-		MP_CHECKOK(group->meth->field_add(&t0, &M, &M, group->meth));
-	} else {
-		/* M = 3 * (px^2) + a * (pz^4) */
-		MP_CHECKOK(group->meth->field_sqr(px, &t0, group->meth));
-		MP_CHECKOK(group->meth->field_add(&t0, &t0, &M, group->meth));
-		MP_CHECKOK(group->meth->field_add(&t0, &M, &t0, group->meth));
-		MP_CHECKOK(group->meth->field_sqr(pz, &M, group->meth));
-		MP_CHECKOK(group->meth->field_sqr(&M, &M, group->meth));
-		MP_CHECKOK(group->meth->
-				   field_mul(&M, &group->curvea, &M, group->meth));
-		MP_CHECKOK(group->meth->field_add(&M, &t0, &M, group->meth));
-	}
-
-	/* rz = 2 * py * pz */
-	/* t0 = 4 * py^2 */
-	if (mp_cmp_d(pz, 1) == 0) {
-		MP_CHECKOK(group->meth->field_add(py, py, rz, group->meth));
-		MP_CHECKOK(group->meth->field_sqr(rz, &t0, group->meth));
-	} else {
-		MP_CHECKOK(group->meth->field_add(py, py, &t0, group->meth));
-		MP_CHECKOK(group->meth->field_mul(&t0, pz, rz, group->meth));
-		MP_CHECKOK(group->meth->field_sqr(&t0, &t0, group->meth));
-	}
-
-	/* S = 4 * px * py^2 = px * (2 * py)^2 */
-	MP_CHECKOK(group->meth->field_mul(px, &t0, &S, group->meth));
-
-	/* rx = M^2 - 2 * S */
-	MP_CHECKOK(group->meth->field_add(&S, &S, &t1, group->meth));
-	MP_CHECKOK(group->meth->field_sqr(&M, rx, group->meth));
-	MP_CHECKOK(group->meth->field_sub(rx, &t1, rx, group->meth));
-
-	/* ry = M * (S - rx) - 8 * py^4 */
-	MP_CHECKOK(group->meth->field_sqr(&t0, &t1, group->meth));
-	if (mp_isodd(&t1)) {
-		MP_CHECKOK(mp_add(&t1, &group->meth->irr, &t1));
-	}
-	MP_CHECKOK(mp_div_2(&t1, &t1));
-	MP_CHECKOK(group->meth->field_sub(&S, rx, &S, group->meth));
-	MP_CHECKOK(group->meth->field_mul(&M, &S, &M, group->meth));
-	MP_CHECKOK(group->meth->field_sub(&M, &t1, ry, group->meth));
-
-  CLEANUP:
-	mp_clear(&t0);
-	mp_clear(&t1);
-	mp_clear(&M);
-	mp_clear(&S);
-	return res;
-}
-
-/* by default, this routine is unused and thus doesn't need to be compiled */
-#ifdef ECL_ENABLE_GFP_PT_MUL_JAC
-/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters
- * a, b and p are the elliptic curve coefficients and the prime that
- * determines the field GFp.  Elliptic curve points P and R can be
- * identical.  Uses mixed Jacobian-affine coordinates. Assumes input is
- * already field-encoded using field_enc, and returns output that is still 
- * field-encoded. Uses 4-bit window method. */
-mp_err
-ec_GFp_pt_mul_jac(const mp_int *n, const mp_int *px, const mp_int *py,
-				  mp_int *rx, mp_int *ry, const ECGroup *group)
-{
-	mp_err res = MP_OKAY;
-	mp_int precomp[16][2], rz;
-	int i, ni, d;
-
-	MP_DIGITS(&rz) = 0;
-	for (i = 0; i < 16; i++) {
-		MP_DIGITS(&precomp[i][0]) = 0;
-		MP_DIGITS(&precomp[i][1]) = 0;
-	}
-
-	ARGCHK(group != NULL, MP_BADARG);
-	ARGCHK((n != NULL) && (px != NULL) && (py != NULL), MP_BADARG);
-
-	/* initialize precomputation table */
-	for (i = 0; i < 16; i++) {
-		MP_CHECKOK(mp_init(&precomp[i][0]));
-		MP_CHECKOK(mp_init(&precomp[i][1]));
-	}
-
-	/* fill precomputation table */
-	mp_zero(&precomp[0][0]);
-	mp_zero(&precomp[0][1]);
-	MP_CHECKOK(mp_copy(px, &precomp[1][0]));
-	MP_CHECKOK(mp_copy(py, &precomp[1][1]));
-	for (i = 2; i < 16; i++) {
-		MP_CHECKOK(group->
-				   point_add(&precomp[1][0], &precomp[1][1],
-							 &precomp[i - 1][0], &precomp[i - 1][1],
-							 &precomp[i][0], &precomp[i][1], group));
-	}
-
-	d = (mpl_significant_bits(n) + 3) / 4;
-
-	/* R = inf */
-	MP_CHECKOK(mp_init(&rz));
-	MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, &rz));
-
-	for (i = d - 1; i >= 0; i--) {
-		/* compute window ni */
-		ni = MP_GET_BIT(n, 4 * i + 3);
-		ni <<= 1;
-		ni |= MP_GET_BIT(n, 4 * i + 2);
-		ni <<= 1;
-		ni |= MP_GET_BIT(n, 4 * i + 1);
-		ni <<= 1;
-		ni |= MP_GET_BIT(n, 4 * i);
-		/* R = 2^4 * R */
-		MP_CHECKOK(ec_GFp_pt_dbl_jac(rx, ry, &rz, rx, ry, &rz, group));
-		MP_CHECKOK(ec_GFp_pt_dbl_jac(rx, ry, &rz, rx, ry, &rz, group));
-		MP_CHECKOK(ec_GFp_pt_dbl_jac(rx, ry, &rz, rx, ry, &rz, group));
-		MP_CHECKOK(ec_GFp_pt_dbl_jac(rx, ry, &rz, rx, ry, &rz, group));
-		/* R = R + (ni * P) */
-		MP_CHECKOK(ec_GFp_pt_add_jac_aff
-				   (rx, ry, &rz, &precomp[ni][0], &precomp[ni][1], rx, ry,
-					&rz, group));
-	}
-
-	/* convert result S to affine coordinates */
-	MP_CHECKOK(ec_GFp_pt_jac2aff(rx, ry, &rz, rx, ry, group));
-
-  CLEANUP:
-	mp_clear(&rz);
-	for (i = 0; i < 16; i++) {
-		mp_clear(&precomp[i][0]);
-		mp_clear(&precomp[i][1]);
-	}
-	return res;
-}
-#endif
-
-/* Elliptic curve scalar-point multiplication. Computes R(x, y) = k1 * G + 
- * k2 * P(x, y), where G is the generator (base point) of the group of
- * points on the elliptic curve. Allows k1 = NULL or { k2, P } = NULL.
- * Uses mixed Jacobian-affine coordinates. Input and output values are
- * assumed to be NOT field-encoded. Uses algorithm 15 (simultaneous
- * multiple point multiplication) from Brown, Hankerson, Lopez, Menezes.
- * Software Implementation of the NIST Elliptic Curves over Prime Fields. */
-mp_err
-ec_GFp_pts_mul_jac(const mp_int *k1, const mp_int *k2, const mp_int *px,
-				   const mp_int *py, mp_int *rx, mp_int *ry,
-				   const ECGroup *group)
-{
-	mp_err res = MP_OKAY;
-	mp_int precomp[4][4][2];
-	mp_int rz;
-	const mp_int *a, *b;
-	int i, j;
-	int ai, bi, d;
-
-	for (i = 0; i < 4; i++) {
-		for (j = 0; j < 4; j++) {
-			MP_DIGITS(&precomp[i][j][0]) = 0;
-			MP_DIGITS(&precomp[i][j][1]) = 0;
-		}
-	}
-	MP_DIGITS(&rz) = 0;
-
-	ARGCHK(group != NULL, MP_BADARG);
-	ARGCHK(!((k1 == NULL)
-			 && ((k2 == NULL) || (px == NULL)
-				 || (py == NULL))), MP_BADARG);
-
-	/* if some arguments are not defined used ECPoint_mul */
-	if (k1 == NULL) {
-		return ECPoint_mul(group, k2, px, py, rx, ry);
-	} else if ((k2 == NULL) || (px == NULL) || (py == NULL)) {
-		return ECPoint_mul(group, k1, NULL, NULL, rx, ry);
-	}
-
-	/* initialize precomputation table */
-	for (i = 0; i < 4; i++) {
-		for (j = 0; j < 4; j++) {
-			MP_CHECKOK(mp_init(&precomp[i][j][0]));
-			MP_CHECKOK(mp_init(&precomp[i][j][1]));
-		}
-	}
-
-	/* fill precomputation table */
-	/* assign {k1, k2} = {a, b} such that len(a) >= len(b) */
-	if (mpl_significant_bits(k1) < mpl_significant_bits(k2)) {
-		a = k2;
-		b = k1;
-		if (group->meth->field_enc) {
-			MP_CHECKOK(group->meth->
-					   field_enc(px, &precomp[1][0][0], group->meth));
-			MP_CHECKOK(group->meth->
-					   field_enc(py, &precomp[1][0][1], group->meth));
-		} else {
-			MP_CHECKOK(mp_copy(px, &precomp[1][0][0]));
-			MP_CHECKOK(mp_copy(py, &precomp[1][0][1]));
-		}
-		MP_CHECKOK(mp_copy(&group->genx, &precomp[0][1][0]));
-		MP_CHECKOK(mp_copy(&group->geny, &precomp[0][1][1]));
-	} else {
-		a = k1;
-		b = k2;
-		MP_CHECKOK(mp_copy(&group->genx, &precomp[1][0][0]));
-		MP_CHECKOK(mp_copy(&group->geny, &precomp[1][0][1]));
-		if (group->meth->field_enc) {
-			MP_CHECKOK(group->meth->
-					   field_enc(px, &precomp[0][1][0], group->meth));
-			MP_CHECKOK(group->meth->
-					   field_enc(py, &precomp[0][1][1], group->meth));
-		} else {
-			MP_CHECKOK(mp_copy(px, &precomp[0][1][0]));
-			MP_CHECKOK(mp_copy(py, &precomp[0][1][1]));
-		}
-	}
-	/* precompute [*][0][*] */
-	mp_zero(&precomp[0][0][0]);
-	mp_zero(&precomp[0][0][1]);
-	MP_CHECKOK(group->
-			   point_dbl(&precomp[1][0][0], &precomp[1][0][1],
-						 &precomp[2][0][0], &precomp[2][0][1], group));
-	MP_CHECKOK(group->
-			   point_add(&precomp[1][0][0], &precomp[1][0][1],
-						 &precomp[2][0][0], &precomp[2][0][1],
-						 &precomp[3][0][0], &precomp[3][0][1], group));
-	/* precompute [*][1][*] */
-	for (i = 1; i < 4; i++) {
-		MP_CHECKOK(group->
-				   point_add(&precomp[0][1][0], &precomp[0][1][1],
-							 &precomp[i][0][0], &precomp[i][0][1],
-							 &precomp[i][1][0], &precomp[i][1][1], group));
-	}
-	/* precompute [*][2][*] */
-	MP_CHECKOK(group->
-			   point_dbl(&precomp[0][1][0], &precomp[0][1][1],
-						 &precomp[0][2][0], &precomp[0][2][1], group));
-	for (i = 1; i < 4; i++) {
-		MP_CHECKOK(group->
-				   point_add(&precomp[0][2][0], &precomp[0][2][1],
-							 &precomp[i][0][0], &precomp[i][0][1],
-							 &precomp[i][2][0], &precomp[i][2][1], group));
-	}
-	/* precompute [*][3][*] */
-	MP_CHECKOK(group->
-			   point_add(&precomp[0][1][0], &precomp[0][1][1],
-						 &precomp[0][2][0], &precomp[0][2][1],
-						 &precomp[0][3][0], &precomp[0][3][1], group));
-	for (i = 1; i < 4; i++) {
-		MP_CHECKOK(group->
-				   point_add(&precomp[0][3][0], &precomp[0][3][1],
-							 &precomp[i][0][0], &precomp[i][0][1],
-							 &precomp[i][3][0], &precomp[i][3][1], group));
-	}
-
-	d = (mpl_significant_bits(a) + 1) / 2;
-
-	/* R = inf */
-	MP_CHECKOK(mp_init(&rz));
-	MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, &rz));
-
-	for (i = d - 1; i >= 0; i--) {
-		ai = MP_GET_BIT(a, 2 * i + 1);
-		ai <<= 1;
-		ai |= MP_GET_BIT(a, 2 * i);
-		bi = MP_GET_BIT(b, 2 * i + 1);
-		bi <<= 1;
-		bi |= MP_GET_BIT(b, 2 * i);
-		/* R = 2^2 * R */
-		MP_CHECKOK(ec_GFp_pt_dbl_jac(rx, ry, &rz, rx, ry, &rz, group));
-		MP_CHECKOK(ec_GFp_pt_dbl_jac(rx, ry, &rz, rx, ry, &rz, group));
-		/* R = R + (ai * A + bi * B) */
-		MP_CHECKOK(ec_GFp_pt_add_jac_aff
-				   (rx, ry, &rz, &precomp[ai][bi][0], &precomp[ai][bi][1],
-					rx, ry, &rz, group));
-	}
-
-	MP_CHECKOK(ec_GFp_pt_jac2aff(rx, ry, &rz, rx, ry, group));
-
-	if (group->meth->field_dec) {
-		MP_CHECKOK(group->meth->field_dec(rx, rx, group->meth));
-		MP_CHECKOK(group->meth->field_dec(ry, ry, group->meth));
-	}
-
-  CLEANUP:
-	mp_clear(&rz);
-	for (i = 0; i < 4; i++) {
-		for (j = 0; j < 4; j++) {
-			mp_clear(&precomp[i][j][0]);
-			mp_clear(&precomp[i][j][1]);
-		}
-	}
-	return res;
-}
diff --git a/security/nss/lib/freebl/ecl/ecp_jm.c b/security/nss/lib/freebl/ecl/ecp_jm.c
deleted file mode 100644
index 3b19cc825..000000000
--- a/security/nss/lib/freebl/ecl/ecp_jm.c
+++ /dev/null
@@ -1,321 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library for prime field curves.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Stephen Fung <fungstep@hotmail.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "ecp.h"
-#include "ecl-priv.h"
-#include "mplogic.h"
-#include <stdlib.h>
-
-/* Computes R = 2P.  Elliptic curve points P and R can be identical.  Uses 
- * Modified Jacobian coordinates.
- *
- * Assumes input is already field-encoded using field_enc, and returns 
- * output that is still field-encoded.
- *
- */
-mp_err
-ec_GFp_pt_dbl_jm(const mp_int *px, const mp_int *py, const mp_int *pz,
-				 const mp_int *paz4, mp_int *rx, mp_int *ry, mp_int *rz,
-				 mp_int *raz4, const ECGroup *group)
-{
-	mp_err res = MP_OKAY;
-	mp_int t0, t1, M, S;
-
-	MP_DIGITS(&t0) = 0;
-	MP_DIGITS(&t1) = 0;
-	MP_DIGITS(&M) = 0;
-	MP_DIGITS(&S) = 0;
-	MP_CHECKOK(mp_init(&t0));
-	MP_CHECKOK(mp_init(&t1));
-	MP_CHECKOK(mp_init(&M));
-	MP_CHECKOK(mp_init(&S));
-
-	/* Check for point at infinity */
-	if (ec_GFp_pt_is_inf_jac(px, py, pz) == MP_YES) {
-		/* Set r = pt at infinity by setting rz = 0 */
-
-		MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, rz));
-		goto CLEANUP;
-	}
-
-	/* M = 3 (px^2) + a*(pz^4) */
-	MP_CHECKOK(group->meth->field_sqr(px, &t0, group->meth));
-	MP_CHECKOK(group->meth->field_add(&t0, &t0, &M, group->meth));
-	MP_CHECKOK(group->meth->field_add(&t0, &M, &t0, group->meth));
-	MP_CHECKOK(group->meth->field_add(&t0, paz4, &M, group->meth));
-
-	/* rz = 2 * py * pz */
-	MP_CHECKOK(group->meth->field_mul(py, pz, rz, group->meth));
-	MP_CHECKOK(group->meth->field_add(rz, rz, rz, group->meth));
-
-	/* t0 = 2y^2 , t1 = 8y^4 */
-	MP_CHECKOK(group->meth->field_sqr(py, &t0, group->meth));
-	MP_CHECKOK(group->meth->field_add(&t0, &t0, &t0, group->meth));
-	MP_CHECKOK(group->meth->field_sqr(&t0, &t1, group->meth));
-	MP_CHECKOK(group->meth->field_add(&t1, &t1, &t1, group->meth));
-
-	/* S = 4 * px * py^2 = 2 * px * t0 */
-	MP_CHECKOK(group->meth->field_mul(px, &t0, &S, group->meth));
-	MP_CHECKOK(group->meth->field_add(&S, &S, &S, group->meth));
-
-	/* rx = M^2 - 2S */
-	MP_CHECKOK(group->meth->field_sqr(&M, rx, group->meth));
-	MP_CHECKOK(group->meth->field_sub(rx, &S, rx, group->meth));
-	MP_CHECKOK(group->meth->field_sub(rx, &S, rx, group->meth));
-
-	/* ry = M * (S - rx) - t1 */
-	MP_CHECKOK(group->meth->field_sub(&S, rx, ry, group->meth));
-	MP_CHECKOK(group->meth->field_mul(ry, &M, ry, group->meth));
-	MP_CHECKOK(group->meth->field_sub(ry, &t1, ry, group->meth));
-
-	/* ra*z^4 = 2*t1*(apz4) */
-	MP_CHECKOK(group->meth->field_mul(paz4, &t1, raz4, group->meth));
-	MP_CHECKOK(group->meth->field_add(raz4, raz4, raz4, group->meth));
-
-  CLEANUP:
-	mp_clear(&t0);
-	mp_clear(&t1);
-	mp_clear(&M);
-	mp_clear(&S);
-	return res;
-}
-
-/* Computes R = P + Q where R is (rx, ry, rz), P is (px, py, pz) and Q is
- * (qx, qy, 1).  Elliptic curve points P, Q, and R can all be identical.
- * Uses mixed Modified_Jacobian-affine coordinates. Assumes input is
- * already field-encoded using field_enc, and returns output that is still
- * field-encoded. */
-mp_err
-ec_GFp_pt_add_jm_aff(const mp_int *px, const mp_int *py, const mp_int *pz,
-					 const mp_int *paz4, const mp_int *qx,
-					 const mp_int *qy, mp_int *rx, mp_int *ry, mp_int *rz,
-					 mp_int *raz4, const ECGroup *group)
-{
-	mp_err res = MP_OKAY;
-	mp_int A, B, C, D, C2, C3;
-
-	MP_DIGITS(&A) = 0;
-	MP_DIGITS(&B) = 0;
-	MP_DIGITS(&C) = 0;
-	MP_DIGITS(&D) = 0;
-	MP_DIGITS(&C2) = 0;
-	MP_DIGITS(&C3) = 0;
-	MP_CHECKOK(mp_init(&A));
-	MP_CHECKOK(mp_init(&B));
-	MP_CHECKOK(mp_init(&C));
-	MP_CHECKOK(mp_init(&D));
-	MP_CHECKOK(mp_init(&C2));
-	MP_CHECKOK(mp_init(&C3));
-
-	/* If either P or Q is the point at infinity, then return the other
-	 * point */
-	if (ec_GFp_pt_is_inf_jac(px, py, pz) == MP_YES) {
-		MP_CHECKOK(ec_GFp_pt_aff2jac(qx, qy, rx, ry, rz, group));
-		MP_CHECKOK(group->meth->field_sqr(rz, raz4, group->meth));
-		MP_CHECKOK(group->meth->field_sqr(raz4, raz4, group->meth));
-		MP_CHECKOK(group->meth->
-				   field_mul(raz4, &group->curvea, raz4, group->meth));
-		goto CLEANUP;
-	}
-	if (ec_GFp_pt_is_inf_aff(qx, qy) == MP_YES) {
-		MP_CHECKOK(mp_copy(px, rx));
-		MP_CHECKOK(mp_copy(py, ry));
-		MP_CHECKOK(mp_copy(pz, rz));
-		MP_CHECKOK(mp_copy(paz4, raz4));
-		goto CLEANUP;
-	}
-
-	/* A = qx * pz^2, B = qy * pz^3 */
-	MP_CHECKOK(group->meth->field_sqr(pz, &A, group->meth));
-	MP_CHECKOK(group->meth->field_mul(&A, pz, &B, group->meth));
-	MP_CHECKOK(group->meth->field_mul(&A, qx, &A, group->meth));
-	MP_CHECKOK(group->meth->field_mul(&B, qy, &B, group->meth));
-
-	/* C = A - px, D = B - py */
-	MP_CHECKOK(group->meth->field_sub(&A, px, &C, group->meth));
-	MP_CHECKOK(group->meth->field_sub(&B, py, &D, group->meth));
-
-	/* C2 = C^2, C3 = C^3 */
-	MP_CHECKOK(group->meth->field_sqr(&C, &C2, group->meth));
-	MP_CHECKOK(group->meth->field_mul(&C, &C2, &C3, group->meth));
-
-	/* rz = pz * C */
-	MP_CHECKOK(group->meth->field_mul(pz, &C, rz, group->meth));
-
-	/* C = px * C^2 */
-	MP_CHECKOK(group->meth->field_mul(px, &C2, &C, group->meth));
-	/* A = D^2 */
-	MP_CHECKOK(group->meth->field_sqr(&D, &A, group->meth));
-
-	/* rx = D^2 - (C^3 + 2 * (px * C^2)) */
-	MP_CHECKOK(group->meth->field_add(&C, &C, rx, group->meth));
-	MP_CHECKOK(group->meth->field_add(&C3, rx, rx, group->meth));
-	MP_CHECKOK(group->meth->field_sub(&A, rx, rx, group->meth));
-
-	/* C3 = py * C^3 */
-	MP_CHECKOK(group->meth->field_mul(py, &C3, &C3, group->meth));
-
-	/* ry = D * (px * C^2 - rx) - py * C^3 */
-	MP_CHECKOK(group->meth->field_sub(&C, rx, ry, group->meth));
-	MP_CHECKOK(group->meth->field_mul(&D, ry, ry, group->meth));
-	MP_CHECKOK(group->meth->field_sub(ry, &C3, ry, group->meth));
-
-	/* raz4 = a * rz^4 */
-	MP_CHECKOK(group->meth->field_sqr(rz, raz4, group->meth));
-	MP_CHECKOK(group->meth->field_sqr(raz4, raz4, group->meth));
-	MP_CHECKOK(group->meth->
-			   field_mul(raz4, &group->curvea, raz4, group->meth));
-
-  CLEANUP:
-	mp_clear(&A);
-	mp_clear(&B);
-	mp_clear(&C);
-	mp_clear(&D);
-	mp_clear(&C2);
-	mp_clear(&C3);
-	return res;
-}
-
-/* Computes R = nP where R is (rx, ry) and P is the base point. Elliptic
- * curve points P and R can be identical. Uses mixed Modified-Jacobian
- * co-ordinates for doubling and Chudnovsky Jacobian coordinates for
- * additions. Assumes input is already field-encoded using field_enc, and
- * returns output that is still field-encoded. Uses 5-bit window NAF
- * method (algorithm 11) for scalar-point multiplication from Brown,
- * Hankerson, Lopez, Menezes. Software Implementation of the NIST Elliptic 
- * Curves Over Prime Fields. */
-mp_err
-ec_GFp_pt_mul_jm_wNAF(const mp_int *n, const mp_int *px, const mp_int *py,
-					  mp_int *rx, mp_int *ry, const ECGroup *group)
-{
-	mp_err res = MP_OKAY;
-	mp_int precomp[16][2], rz, tpx, tpy;
-	mp_int raz4;
-	signed char *naf = NULL;
-	int i, orderBitSize;
-
-	MP_DIGITS(&rz) = 0;
-	MP_DIGITS(&raz4) = 0;
-	MP_DIGITS(&tpx) = 0;
-	MP_DIGITS(&tpy) = 0;
-	for (i = 0; i < 16; i++) {
-		MP_DIGITS(&precomp[i][0]) = 0;
-		MP_DIGITS(&precomp[i][1]) = 0;
-	}
-
-	ARGCHK(group != NULL, MP_BADARG);
-	ARGCHK((n != NULL) && (px != NULL) && (py != NULL), MP_BADARG);
-
-	/* initialize precomputation table */
-	MP_CHECKOK(mp_init(&tpx));
-	MP_CHECKOK(mp_init(&tpy));;
-	MP_CHECKOK(mp_init(&rz));
-	MP_CHECKOK(mp_init(&raz4));
-
-	for (i = 0; i < 16; i++) {
-		MP_CHECKOK(mp_init(&precomp[i][0]));
-		MP_CHECKOK(mp_init(&precomp[i][1]));
-	}
-
-	/* Set out[8] = P */
-	MP_CHECKOK(mp_copy(px, &precomp[8][0]));
-	MP_CHECKOK(mp_copy(py, &precomp[8][1]));
-
-	/* Set (tpx, tpy) = 2P */
-	MP_CHECKOK(group->
-			   point_dbl(&precomp[8][0], &precomp[8][1], &tpx, &tpy,
-						 group));
-
-	/* Set 3P, 5P, ..., 15P */
-	for (i = 8; i < 15; i++) {
-		MP_CHECKOK(group->
-				   point_add(&precomp[i][0], &precomp[i][1], &tpx, &tpy,
-							 &precomp[i + 1][0], &precomp[i + 1][1],
-							 group));
-	}
-
-	/* Set -15P, -13P, ..., -P */
-	for (i = 0; i < 8; i++) {
-		MP_CHECKOK(mp_copy(&precomp[15 - i][0], &precomp[i][0]));
-		MP_CHECKOK(group->meth->
-				   field_neg(&precomp[15 - i][1], &precomp[i][1],
-							 group->meth));
-	}
-
-	/* R = inf */
-	MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, &rz));
-
-	orderBitSize = mpl_significant_bits(&group->order);
-
-	/* Allocate memory for NAF */
-	naf = (signed char *) malloc(sizeof(signed char) * (orderBitSize + 1));
-	if (naf == NULL) {
-		res = MP_MEM;
-		goto CLEANUP;
-	}
-
-	/* Compute 5NAF */
-	ec_compute_wNAF(naf, orderBitSize, n, 5);
-
-	/* wNAF method */
-	for (i = orderBitSize; i >= 0; i--) {
-		/* R = 2R */
-		ec_GFp_pt_dbl_jm(rx, ry, &rz, &raz4, rx, ry, &rz, &raz4, group);
-		if (naf[i] != 0) {
-			ec_GFp_pt_add_jm_aff(rx, ry, &rz, &raz4,
-								 &precomp[(naf[i] + 15) / 2][0],
-								 &precomp[(naf[i] + 15) / 2][1], rx, ry,
-								 &rz, &raz4, group);
-		}
-	}
-
-	/* convert result S to affine coordinates */
-	MP_CHECKOK(ec_GFp_pt_jac2aff(rx, ry, &rz, rx, ry, group));
-
-  CLEANUP:
-	for (i = 0; i < 16; i++) {
-		mp_clear(&precomp[i][0]);
-		mp_clear(&precomp[i][1]);
-	}
-	mp_clear(&tpx);
-	mp_clear(&tpy);
-	mp_clear(&rz);
-	mp_clear(&raz4);
-	free(naf);
-	return res;
-}
diff --git a/security/nss/lib/freebl/ecl/ecp_mont.c b/security/nss/lib/freebl/ecl/ecp_mont.c
deleted file mode 100644
index c8829b6d1..000000000
--- a/security/nss/lib/freebl/ecl/ecp_mont.c
+++ /dev/null
@@ -1,192 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/* Uses Montgomery reduction for field arithmetic.  See mpi/mpmontg.c for
- * code implementation. */
-
-#include "mpi.h"
-#include "mplogic.h"
-#include "mpi-priv.h"
-#include "ecl-priv.h"
-#include "ecp.h"
-#include <stdlib.h>
-#include <stdio.h>
-
-/* Construct a generic GFMethod for arithmetic over prime fields with
- * irreducible irr. */
-GFMethod *
-GFMethod_consGFp_mont(const mp_int *irr)
-{
-	mp_err res = MP_OKAY;
-	int i;
-	GFMethod *meth = NULL;
-	mp_mont_modulus *mmm;
-
-	meth = GFMethod_consGFp(irr);
-	if (meth == NULL)
-		return NULL;
-
-	mmm = (mp_mont_modulus *) malloc(sizeof(mp_mont_modulus));
-	if (mmm == NULL) {
-		res = MP_MEM;
-		goto CLEANUP;
-	}
-
-	meth->field_mul = &ec_GFp_mul_mont;
-	meth->field_sqr = &ec_GFp_sqr_mont;
-	meth->field_div = &ec_GFp_div_mont;
-	meth->field_enc = &ec_GFp_enc_mont;
-	meth->field_dec = &ec_GFp_dec_mont;
-	meth->extra1 = mmm;
-	meth->extra2 = NULL;
-	meth->extra_free = &ec_GFp_extra_free_mont;
-
-	mmm->N = meth->irr;
-	i = mpl_significant_bits(&meth->irr);
-	i += MP_DIGIT_BIT - 1;
-	mmm->b = i - i % MP_DIGIT_BIT;
-	mmm->n0prime = 0 - s_mp_invmod_radix(MP_DIGIT(&meth->irr, 0));
-
-  CLEANUP:
-	if (res != MP_OKAY) {
-		GFMethod_free(meth);
-		return NULL;
-	}
-	return meth;
-}
-
-/* Wrapper functions for generic prime field arithmetic. */
-
-/* Field multiplication using Montgomery reduction. */
-mp_err
-ec_GFp_mul_mont(const mp_int *a, const mp_int *b, mp_int *r,
-				const GFMethod *meth)
-{
-	mp_err res = MP_OKAY;
-
-#ifdef MP_MONT_USE_MP_MUL
-	/* if MP_MONT_USE_MP_MUL is defined, then the function s_mp_mul_mont
-	 * is not implemented and we have to use mp_mul and s_mp_redc directly 
-	 */
-	MP_CHECKOK(mp_mul(a, b, r));
-	MP_CHECKOK(s_mp_redc(r, (mp_mont_modulus *) meth->extra1));
-#else
-	mp_int s;
-
-	MP_DIGITS(&s) = 0;
-	/* s_mp_mul_mont doesn't allow source and destination to be the same */
-	if ((a == r) || (b == r)) {
-		MP_CHECKOK(mp_init(&s));
-		MP_CHECKOK(s_mp_mul_mont
-				   (a, b, &s, (mp_mont_modulus *) meth->extra1));
-		MP_CHECKOK(mp_copy(&s, r));
-		mp_clear(&s);
-	} else {
-		return s_mp_mul_mont(a, b, r, (mp_mont_modulus *) meth->extra1);
-	}
-#endif
-  CLEANUP:
-	return res;
-}
-
-/* Field squaring using Montgomery reduction. */
-mp_err
-ec_GFp_sqr_mont(const mp_int *a, mp_int *r, const GFMethod *meth)
-{
-	return ec_GFp_mul_mont(a, a, r, meth);
-}
-
-/* Field division using Montgomery reduction. */
-mp_err
-ec_GFp_div_mont(const mp_int *a, const mp_int *b, mp_int *r,
-				const GFMethod *meth)
-{
-	mp_err res = MP_OKAY;
-
-	/* if A=aZ represents a encoded in montgomery coordinates with Z and # 
-	 * and \ respectively represent multiplication and division in
-	 * montgomery coordinates, then A\B = (a/b)Z = (A/B)Z and Binv =
-	 * (1/b)Z = (1/B)(Z^2) where B # Binv = Z */
-	MP_CHECKOK(ec_GFp_div(a, b, r, meth));
-	MP_CHECKOK(ec_GFp_enc_mont(r, r, meth));
-	if (a == NULL) {
-		MP_CHECKOK(ec_GFp_enc_mont(r, r, meth));
-	}
-  CLEANUP:
-	return res;
-}
-
-/* Encode a field element in Montgomery form. See s_mp_to_mont in
- * mpi/mpmontg.c */
-mp_err
-ec_GFp_enc_mont(const mp_int *a, mp_int *r, const GFMethod *meth)
-{
-	mp_mont_modulus *mmm;
-	mp_err res = MP_OKAY;
-
-	mmm = (mp_mont_modulus *) meth->extra1;
-	MP_CHECKOK(mpl_lsh(a, r, mmm->b));
-	MP_CHECKOK(mp_mod(r, &mmm->N, r));
-  CLEANUP:
-	return res;
-}
-
-/* Decode a field element from Montgomery form. */
-mp_err
-ec_GFp_dec_mont(const mp_int *a, mp_int *r, const GFMethod *meth)
-{
-	mp_err res = MP_OKAY;
-
-	if (a != r) {
-		MP_CHECKOK(mp_copy(a, r));
-	}
-	MP_CHECKOK(s_mp_redc(r, (mp_mont_modulus *) meth->extra1));
-  CLEANUP:
-	return res;
-}
-
-/* Free the memory allocated to the extra fields of Montgomery GFMethod
- * object. */
-void
-ec_GFp_extra_free_mont(GFMethod *meth)
-{
-	if (meth->extra1 != NULL) {
-		free(meth->extra1);
-		meth->extra1 = NULL;
-	}
-}
diff --git a/security/nss/lib/freebl/ecl/tests/ec2_test.c b/security/nss/lib/freebl/ecl/tests/ec2_test.c
deleted file mode 100644
index e82b47da0..000000000
--- a/security/nss/lib/freebl/ecl/tests/ec2_test.c
+++ /dev/null
@@ -1,473 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library for binary polynomial field curves.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "mpi.h"
-#include "mplogic.h"
-#include "mpprime.h"
-#include "mp_gf2m.h"
-#include "ecl.h"
-#include "ecl-curve.h"
-#include "ec2.h"
-#include <stdio.h>
-#include <strings.h>
-#include <assert.h>
-
-#include <time.h>
-#include <sys/time.h>
-#include <sys/resource.h>
-
-/* Time k repetitions of operation op. */
-#define M_TimeOperation(op, k) { \
-	double dStart, dNow, dUserTime; \
-	struct rusage ru; \
-	int i; \
-	getrusage(RUSAGE_SELF, &ru); \
-	dStart = (double)ru.ru_utime.tv_sec+(double)ru.ru_utime.tv_usec*0.000001; \
-	for (i = 0; i < k; i++) { \
-		{ op; } \
-	}; \
-	getrusage(RUSAGE_SELF, &ru); \
-	dNow = (double)ru.ru_utime.tv_sec+(double)ru.ru_utime.tv_usec*0.000001; \
-	dUserTime = dNow-dStart; \
-	if (dUserTime) printf("    %-45s k: %6i, t: %6.2f sec\n", #op, k, dUserTime); \
-}
-
-/* Test curve using generic field arithmetic. */
-#define ECTEST_GENERIC_GF2M(name_c, name) \
-	printf("Testing %s using generic implementation...\n", name_c); \
-	params = EC_GetNamedCurveParams(name); \
-	if (params == NULL) { \
-			printf("  Error: could not construct params.\n"); \
-			res = MP_NO; \
-			goto CLEANUP; \
-	} \
-	ECGroup_free(group); \
-	group = ECGroup_fromHex(params); \
-	if (group == NULL) { \
-		printf("  Error: could not construct group.\n"); \
-		res = MP_NO; \
-		goto CLEANUP; \
-	} \
-	MP_CHECKOK( ectest_curve_GF2m(group, ectestPrint, ectestTime, 1) ); \
-	printf("... okay.\n");
-
-/* Test curve using specific field arithmetic. */
-#define ECTEST_NAMED_GF2M(name_c, name) \
-	printf("Testing %s using specific implementation...\n", name_c); \
-	ECGroup_free(group); \
-	group = ECGroup_fromName(name); \
-	if (group == NULL) { \
-		printf("  Warning: could not construct group.\n"); \
-		printf("... failed; continuing with remaining tests.\n"); \
-	} else { \
-		MP_CHECKOK( ectest_curve_GF2m(group, ectestPrint, ectestTime, 0) ); \
-		printf("... okay.\n"); \
-	}
-
-/* Performs basic tests of elliptic curve cryptography over binary
- * polynomial fields. If tests fail, then it prints an error message,
- * aborts, and returns an error code. Otherwise, returns 0. */
-int
-ectest_curve_GF2m(ECGroup *group, int ectestPrint, int ectestTime,
-				  int generic)
-{
-
-	mp_int one, order_1, gx, gy, rx, ry, n;
-	int size;
-	mp_err res;
-	char s[1000];
-
-	/* initialize values */
-	MP_CHECKOK(mp_init(&one));
-	MP_CHECKOK(mp_init(&order_1));
-	MP_CHECKOK(mp_init(&gx));
-	MP_CHECKOK(mp_init(&gy));
-	MP_CHECKOK(mp_init(&rx));
-	MP_CHECKOK(mp_init(&ry));
-	MP_CHECKOK(mp_init(&n));
-
-	MP_CHECKOK(mp_set_int(&one, 1));
-	MP_CHECKOK(mp_sub(&group->order, &one, &order_1));
-
-	/* encode base point */
-	if (group->meth->field_dec) {
-		MP_CHECKOK(group->meth->field_dec(&group->genx, &gx, group->meth));
-		MP_CHECKOK(group->meth->field_dec(&group->geny, &gy, group->meth));
-	} else {
-		MP_CHECKOK(mp_copy(&group->genx, &gx));
-		MP_CHECKOK(mp_copy(&group->geny, &gy));
-	}
-
-	if (ectestPrint) {
-		/* output base point */
-		printf("  base point P:\n");
-		MP_CHECKOK(mp_toradix(&gx, s, 16));
-		printf("    %s\n", s);
-		MP_CHECKOK(mp_toradix(&gy, s, 16));
-		printf("    %s\n", s);
-		if (group->meth->field_enc) {
-			printf("  base point P (encoded):\n");
-			MP_CHECKOK(mp_toradix(&group->genx, s, 16));
-			printf("    %s\n", s);
-			MP_CHECKOK(mp_toradix(&group->geny, s, 16));
-			printf("    %s\n", s);
-		}
-	}
-
-#ifdef ECL_ENABLE_GF2M_PT_MUL_AFF
-	/* multiply base point by order - 1 and check for negative of base
-	 * point */
-	MP_CHECKOK(ec_GF2m_pt_mul_aff
-			   (&order_1, &group->genx, &group->geny, &rx, &ry, group));
-	if (ectestPrint) {
-		printf("  (order-1)*P (affine):\n");
-		MP_CHECKOK(mp_toradix(&rx, s, 16));
-		printf("    %s\n", s);
-		MP_CHECKOK(mp_toradix(&ry, s, 16));
-		printf("    %s\n", s);
-	}
-	MP_CHECKOK(group->meth->field_add(&ry, &rx, &ry, group->meth));
-	if ((mp_cmp(&rx, &group->genx) != 0)
-		|| (mp_cmp(&ry, &group->geny) != 0)) {
-		printf("  Error: invalid result (expected (- base point)).\n");
-		res = MP_NO;
-		goto CLEANUP;
-	}
-#endif
-
-	/* multiply base point by order - 1 and check for negative of base
-	 * point */
-	MP_CHECKOK(ec_GF2m_pt_mul_mont
-			   (&order_1, &group->genx, &group->geny, &rx, &ry, group));
-	if (ectestPrint) {
-		printf("  (order-1)*P (montgomery):\n");
-		MP_CHECKOK(mp_toradix(&rx, s, 16));
-		printf("    %s\n", s);
-		MP_CHECKOK(mp_toradix(&ry, s, 16));
-		printf("    %s\n", s);
-	}
-	MP_CHECKOK(group->meth->field_add(&ry, &rx, &ry, group->meth));
-	if ((mp_cmp(&rx, &group->genx) != 0)
-		|| (mp_cmp(&ry, &group->geny) != 0)) {
-		printf("  Error: invalid result (expected (- base point)).\n");
-		res = MP_NO;
-		goto CLEANUP;
-	}
-
-#ifdef ECL_ENABLE_GF2M_PROJ
-	/* multiply base point by order - 1 and check for negative of base
-	 * point */
-	MP_CHECKOK(ec_GF2m_pt_mul_proj
-			   (&order_1, &group->genx, &group->geny, &rx, &ry, group));
-	if (ectestPrint) {
-		printf("  (order-1)*P (projective):\n");
-		MP_CHECKOK(mp_toradix(&rx, s, 16));
-		printf("    %s\n", s);
-		MP_CHECKOK(mp_toradix(&ry, s, 16));
-		printf("    %s\n", s);
-	}
-	MP_CHECKOK(group->meth->field_add(&ry, &rx, &ry, group->meth));
-	if ((mp_cmp(&rx, &group->genx) != 0)
-		|| (mp_cmp(&ry, &group->geny) != 0)) {
-		printf("  Error: invalid result (expected (- base point)).\n");
-		res = MP_NO;
-		goto CLEANUP;
-	}
-#endif
-
-	/* multiply base point by order - 1 and check for negative of base
-	 * point */
-	MP_CHECKOK(ECPoint_mul(group, &order_1, NULL, NULL, &rx, &ry));
-	if (ectestPrint) {
-		printf("  (order-1)*P (ECPoint_mul):\n");
-		MP_CHECKOK(mp_toradix(&rx, s, 16));
-		printf("    %s\n", s);
-		MP_CHECKOK(mp_toradix(&ry, s, 16));
-		printf("    %s\n", s);
-	}
-	MP_CHECKOK(ec_GF2m_add(&ry, &rx, &ry, group->meth));
-	if ((mp_cmp(&rx, &gx) != 0) || (mp_cmp(&ry, &gy) != 0)) {
-		printf("  Error: invalid result (expected (- base point)).\n");
-		res = MP_NO;
-		goto CLEANUP;
-	}
-
-	/* multiply base point by order - 1 and check for negative of base
-	 * point */
-	MP_CHECKOK(ECPoint_mul(group, &order_1, &gx, &gy, &rx, &ry));
-	if (ectestPrint) {
-		printf("  (order-1)*P (ECPoint_mul):\n");
-		MP_CHECKOK(mp_toradix(&rx, s, 16));
-		printf("    %s\n", s);
-		MP_CHECKOK(mp_toradix(&ry, s, 16));
-		printf("    %s\n", s);
-	}
-	MP_CHECKOK(ec_GF2m_add(&ry, &rx, &ry, group->meth));
-	if ((mp_cmp(&rx, &gx) != 0) || (mp_cmp(&ry, &gy) != 0)) {
-		printf("  Error: invalid result (expected (- base point)).\n");
-		res = MP_NO;
-		goto CLEANUP;
-	}
-
-#ifdef ECL_ENABLE_GF2M_PT_MUL_AFF
-	/* multiply base point by order and check for point at infinity */
-	MP_CHECKOK(ec_GF2m_pt_mul_aff
-			   (&group->order, &group->genx, &group->geny, &rx, &ry,
-				group));
-	if (ectestPrint) {
-		printf("  (order)*P (affine):\n");
-		MP_CHECKOK(mp_toradix(&rx, s, 16));
-		printf("    %s\n", s);
-		MP_CHECKOK(mp_toradix(&ry, s, 16));
-		printf("    %s\n", s);
-	}
-	if (ec_GF2m_pt_is_inf_aff(&rx, &ry) != MP_YES) {
-		printf("  Error: invalid result (expected point at infinity).\n");
-		res = MP_NO;
-		goto CLEANUP;
-	}
-#endif
-
-	/* multiply base point by order and check for point at infinity */
-	MP_CHECKOK(ec_GF2m_pt_mul_mont
-			   (&group->order, &group->genx, &group->geny, &rx, &ry,
-				group));
-	if (ectestPrint) {
-		printf("  (order)*P (montgomery):\n");
-		MP_CHECKOK(mp_toradix(&rx, s, 16));
-		printf("    %s\n", s);
-		MP_CHECKOK(mp_toradix(&ry, s, 16));
-		printf("    %s\n", s);
-	}
-	if (ec_GF2m_pt_is_inf_aff(&rx, &ry) != MP_YES) {
-		printf("  Error: invalid result (expected point at infinity).\n");
-		res = MP_NO;
-		goto CLEANUP;
-	}
-
-#ifdef ECL_ENABLE_GF2M_PROJ
-	/* multiply base point by order and check for point at infinity */
-	MP_CHECKOK(ec_GF2m_pt_mul_proj
-			   (&group->order, &group->genx, &group->geny, &rx, &ry,
-				group));
-	if (ectestPrint) {
-		printf("  (order)*P (projective):\n");
-		MP_CHECKOK(mp_toradix(&rx, s, 16));
-		printf("    %s\n", s);
-		MP_CHECKOK(mp_toradix(&ry, s, 16));
-		printf("    %s\n", s);
-	}
-	if (ec_GF2m_pt_is_inf_aff(&rx, &ry) != MP_YES) {
-		printf("  Error: invalid result (expected point at infinity).\n");
-		res = MP_NO;
-		goto CLEANUP;
-	}
-#endif
-
-	/* multiply base point by order and check for point at infinity */
-	MP_CHECKOK(ECPoint_mul(group, &group->order, NULL, NULL, &rx, &ry));
-	if (ectestPrint) {
-		printf("  (order)*P (ECPoint_mul):\n");
-		MP_CHECKOK(mp_toradix(&rx, s, 16));
-		printf("    %s\n", s);
-		MP_CHECKOK(mp_toradix(&ry, s, 16));
-		printf("    %s\n", s);
-	}
-	if (ec_GF2m_pt_is_inf_aff(&rx, &ry) != MP_YES) {
-		printf("  Error: invalid result (expected point at infinity).\n");
-		res = MP_NO;
-		goto CLEANUP;
-	}
-
-	/* multiply base point by order and check for point at infinity */
-	MP_CHECKOK(ECPoint_mul(group, &group->order, &gx, &gy, &rx, &ry));
-	if (ectestPrint) {
-		printf("  (order)*P (ECPoint_mul):\n");
-		MP_CHECKOK(mp_toradix(&rx, s, 16));
-		printf("    %s\n", s);
-		MP_CHECKOK(mp_toradix(&ry, s, 16));
-		printf("    %s\n", s);
-	}
-	if (ec_GF2m_pt_is_inf_aff(&rx, &ry) != MP_YES) {
-		printf("  Error: invalid result (expected point at infinity).\n");
-		res = MP_NO;
-		goto CLEANUP;
-	}
-
-	/* check that (order-1)P + (order-1)P + P == (order-1)P */
-	MP_CHECKOK(ECPoints_mul
-			   (group, &order_1, &order_1, &gx, &gy, &rx, &ry));
-	MP_CHECKOK(ECPoints_mul(group, &one, &one, &rx, &ry, &rx, &ry));
-	if (ectestPrint) {
-		printf
-			("  (order-1)*P + (order-1)*P + P == (order-1)*P (ECPoints_mul):\n");
-		MP_CHECKOK(mp_toradix(&rx, s, 16));
-		printf("    %s\n", s);
-		MP_CHECKOK(mp_toradix(&ry, s, 16));
-		printf("    %s\n", s);
-	}
-	MP_CHECKOK(ec_GF2m_add(&ry, &rx, &ry, group->meth));
-	if ((mp_cmp(&rx, &gx) != 0) || (mp_cmp(&ry, &gy) != 0)) {
-		printf("  Error: invalid result (expected (- base point)).\n");
-		res = MP_NO;
-		goto CLEANUP;
-	}
-
-	/* test validate_point function */
-	if (ECPoint_validate(group, &gx, &gy) != MP_YES) {
-		printf("  Error: validate point on base point failed.\n");
-		res = MP_NO;
-		goto CLEANUP;
-	}
-	MP_CHECKOK(mp_add_d(&gy, 1, &ry));
-	if (ECPoint_validate(group, &gx, &ry) != MP_NO) {
-		printf("  Error: validate point on invalid point passed.\n");
-		res = MP_NO;
-		goto CLEANUP;
-	}
-
-	if (ectestTime) {
-		/* compute random scalar */
-		size = mpl_significant_bits(&group->meth->irr);
-		if (size < MP_OKAY) {
-			goto CLEANUP;
-		}
-		MP_CHECKOK(mpp_random_size(&n, (size + ECL_BITS - 1) / ECL_BITS));
-		MP_CHECKOK(group->meth->field_mod(&n, &n, group->meth));
-		/* timed test */
-		if (generic) {
-#ifdef ECL_ENABLE_GF2M_PT_MUL_AFF
-			M_TimeOperation(MP_CHECKOK
-							(ec_GF2m_pt_mul_aff
-							 (&n, &group->genx, &group->geny, &rx, &ry,
-							  group)), 100);
-#endif
-			M_TimeOperation(MP_CHECKOK
-							(ECPoint_mul(group, &n, NULL, NULL, &rx, &ry)),
-							100);
-			M_TimeOperation(MP_CHECKOK
-							(ECPoints_mul
-							 (group, &n, &n, &gx, &gy, &rx, &ry)), 100);
-		} else {
-			M_TimeOperation(MP_CHECKOK
-							(ECPoint_mul(group, &n, NULL, NULL, &rx, &ry)),
-							100);
-			M_TimeOperation(MP_CHECKOK
-							(ECPoint_mul(group, &n, &gx, &gy, &rx, &ry)),
-							100);
-			M_TimeOperation(MP_CHECKOK
-							(ECPoints_mul
-							 (group, &n, &n, &gx, &gy, &rx, &ry)), 100);
-		}
-	}
-
-  CLEANUP:
-	mp_clear(&one);
-	mp_clear(&order_1);
-	mp_clear(&gx);
-	mp_clear(&gy);
-	mp_clear(&rx);
-	mp_clear(&ry);
-	mp_clear(&n);
-	if (res != MP_OKAY) {
-		printf("  Error: exiting with error value %i\n", res);
-	}
-	return res;
-}
-
-/* Prints help information. */
-void
-printUsage()
-{
-	printf("Usage: ecp_test [--print] [--time]\n");
-	printf
-		("	--print     Print out results of each point arithmetic test.\n");
-	printf
-		("	--time      Benchmark point operations and print results.\n");
-}
-
-/* Performs tests of elliptic curve cryptography over binary polynomial
- * fields. If tests fail, then it prints an error message, aborts, and
- * returns an error code. Otherwise, returns 0. */
-int
-main(int argv, char **argc)
-{
-
-	int ectestTime = 0;
-	int ectestPrint = 0;
-	int i;
-	ECGroup *group = NULL;
-	ECCurveParams *params = NULL;
-	mp_err res;
-
-	/* read command-line arguments */
-	for (i = 1; i < argv; i++) {
-		if ((strcasecmp(argc[i], "time") == 0)
-			|| (strcasecmp(argc[i], "-time") == 0)
-			|| (strcasecmp(argc[i], "--time") == 0)) {
-			ectestTime = 1;
-		} else if ((strcasecmp(argc[i], "print") == 0)
-				   || (strcasecmp(argc[i], "-print") == 0)
-				   || (strcasecmp(argc[i], "--print") == 0)) {
-			ectestPrint = 1;
-		} else {
-			printUsage();
-			return 0;
-		}
-	}
-
-	/* generic arithmetic tests */
-	ECTEST_GENERIC_GF2M("SECT-131R1", ECCurve_SECG_CHAR2_131R1);
-
-	/* specific arithmetic tests */
-	ECTEST_NAMED_GF2M("SECT-163K1", ECCurve_SECG_CHAR2_163K1);
-	ECTEST_NAMED_GF2M("SECT-163R1", ECCurve_SECG_CHAR2_163R1);
-	ECTEST_NAMED_GF2M("SECT-163R2", ECCurve_SECG_CHAR2_163R2);
-	ECTEST_NAMED_GF2M("SECT-193R1", ECCurve_SECG_CHAR2_193R1);
-	ECTEST_NAMED_GF2M("SECT-193R2", ECCurve_SECG_CHAR2_193R2);
-	ECTEST_NAMED_GF2M("SECT-233K1", ECCurve_SECG_CHAR2_233K1);
-	ECTEST_NAMED_GF2M("SECT-233R1", ECCurve_SECG_CHAR2_233R1);
-
-  CLEANUP:
-	EC_FreeCurveParams(params);
-	ECGroup_free(group);
-	if (res != MP_OKAY) {
-		printf("Error: exiting with error value %i\n", res);
-	}
-	return res;
-}
diff --git a/security/nss/lib/freebl/ecl/tests/ec_naft.c b/security/nss/lib/freebl/ecl/tests/ec_naft.c
deleted file mode 100644
index 490794db7..000000000
--- a/security/nss/lib/freebl/ecl/tests/ec_naft.c
+++ /dev/null
@@ -1,151 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Stephen Fung <fungstep@hotmail.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "mpi.h"
-#include "mplogic.h"
-#include "ecl.h"
-#include "ecp.h"
-#include "ecl-priv.h"
-
-#include <sys/types.h>
-#include <stdio.h>
-#include <time.h>
-#include <sys/time.h>
-#include <sys/resource.h>
-
-/* Returns 2^e as an integer. This is meant to be used for small powers of 
- * two. */
-int ec_twoTo(int e);
-
-/* Number of bits of scalar to test */
-#define BITSIZE 160
-
-/* Time k repetitions of operation op. */
-#define M_TimeOperation(op, k) { \
-	double dStart, dNow, dUserTime; \
-	struct rusage ru; \
-	int i; \
-	getrusage(RUSAGE_SELF, &ru); \
-	dStart = (double)ru.ru_utime.tv_sec+(double)ru.ru_utime.tv_usec*0.000001; \
-	for (i = 0; i < k; i++) { \
-		{ op; } \
-	}; \
-	getrusage(RUSAGE_SELF, &ru); \
-	dNow = (double)ru.ru_utime.tv_sec+(double)ru.ru_utime.tv_usec*0.000001; \
-	dUserTime = dNow-dStart; \
-	if (dUserTime) printf("    %-45s\n      k: %6i, t: %6.2f sec\n", #op, k, dUserTime); \
-}
-
-/* Tests wNAF computation. Non-adjacent-form is discussed in the paper: D. 
- * Hankerson, J. Hernandez and A. Menezes, "Software implementation of
- * elliptic curve cryptography over binary fields", Proc. CHES 2000. */
-
-mp_err
-main(void)
-{
-	signed char naf[BITSIZE + 1];
-	ECGroup *group = NULL;
-	mp_int k;
-	mp_int *scalar;
-	int i, count;
-	int res;
-	int w = 5;
-	char s[1000];
-
-	/* Get a 160 bit scalar to compute wNAF from */
-	group = ECGroup_fromName(ECCurve_SECG_PRIME_160R1);
-	scalar = &group->genx;
-
-	/* Compute wNAF representation of scalar */
-	ec_compute_wNAF(naf, BITSIZE, scalar, w);
-
-	/* Verify correctness of representation */
-	mp_init(&k);				/* init k to 0 */
-
-	for (i = BITSIZE; i >= 0; i--) {
-		mp_add(&k, &k, &k);
-		/* digits in mp_???_d are unsigned */
-		if (naf[i] >= 0) {
-			mp_add_d(&k, naf[i], &k);
-		} else {
-			mp_sub_d(&k, -naf[i], &k);
-		}
-	}
-
-	if (mp_cmp(&k, scalar) != 0) {
-		printf("Error:  incorrect NAF value.\n");
-		MP_CHECKOK(mp_toradix(&k, s, 16));
-		printf("NAF value   %s\n", s);
-		MP_CHECKOK(mp_toradix(scalar, s, 16));
-		printf("original value   %s\n", s);
-		goto CLEANUP;
-	}
-
-	/* Verify digits of representation are valid */
-	for (i = 0; i <= BITSIZE; i++) {
-		if (naf[i] % 2 == 0 && naf[i] != 0) {
-			printf("Error:  Even non-zero digit found.\n");
-			goto CLEANUP;
-		}
-		if (naf[i] < -(ec_twoTo(w - 1)) || naf[i] >= ec_twoTo(w - 1)) {
-			printf("Error:  Magnitude of naf digit too large.\n");
-			goto CLEANUP;
-		}
-	}
-
-	/* Verify sparsity of representation */
-	count = w - 1;
-	for (i = 0; i <= BITSIZE; i++) {
-		if (naf[i] != 0) {
-			if (count < w - 1) {
-				printf("Error:  Sparsity failed.\n");
-				goto CLEANUP;
-			}
-			count = 0;
-		} else
-			count++;
-	}
-
-	/* Check timing */
-	M_TimeOperation(ec_compute_wNAF(naf, BITSIZE, scalar, w), 10000);
-
-	printf("Test passed.\n");
-  CLEANUP:
-	ECGroup_free(group);
-	return MP_OKAY;
-}
diff --git a/security/nss/lib/freebl/ecl/tests/ecp_fpt.c b/security/nss/lib/freebl/ecl/tests/ecp_fpt.c
deleted file mode 100644
index 538f4d018..000000000
--- a/security/nss/lib/freebl/ecl/tests/ecp_fpt.c
+++ /dev/null
@@ -1,1123 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library for prime field curves using floating point operations.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Stephen Fung <fungstep@hotmail.com> and
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "ecp_fp.h"
-#include "mpprime.h"
-
-#include <stdio.h>
-#include <time.h>
-#include <sys/time.h>
-#include <sys/resource.h>
-
-/* Time k repetitions of operation op. */
-#define M_TimeOperation(op, k) { \
-  double dStart, dNow, dUserTime; \
-  struct rusage ru; \
-  int i; \
-  getrusage(RUSAGE_SELF, &ru); \
-  dStart = (double)ru.ru_utime.tv_sec+(double)ru.ru_utime.tv_usec*0.000001; \
-  for (i = 0; i < k; i++) { \
-    { op; } \
-  }; \
-  getrusage(RUSAGE_SELF, &ru); \
-  dNow = (double)ru.ru_utime.tv_sec+(double)ru.ru_utime.tv_usec*0.000001; \
-  dUserTime = dNow-dStart; \
-  if (dUserTime) printf("    %-45s\n      k: %6i, t: %6.2f sec, k/t: %6.2f ops/sec\n", #op, k, dUserTime, k/dUserTime); \
-}
-
-/* Test curve using specific floating point field arithmetic. */
-#define M_TestCurve(name_c, name) { \
-  printf("Testing %s using specific floating point implementation...\n", name_c); \
-  ECGroup_free(ecgroup); \
-  ecgroup = ECGroup_fromName(name); \
-  if (ecgroup == NULL) { \
-    printf("  Warning: could not construct group.\n"); \
-    printf("%s failed.\n", name_c); \
-    res = MP_NO; \
-    goto CLEANUP; \
-  } else { \
-    MP_CHECKOK( testCurve(ecgroup)); \
-    printf("%s passed.\n", name_c); \
-  } \
-}
-
-/* Outputs a floating point double (currently not used) */
-void
-d_output(const double *u, int len, char *name, const EC_group_fp * group)
-{
-	int i;
-
-	printf("%s:  ", name);
-	for (i = 0; i < len; i++) {
-		printf("+ %.2f * 2^%i ", u[i] / ecfp_exp[i],
-			   group->doubleBitSize * i);
-	}
-	printf("\n");
-}
-
-/* Tests a point p in Jacobian coordinates, comparing against the
- * expected affine result (x, y). */
-mp_err
-testJacPoint(ecfp_jac_pt * p, mp_int *x, mp_int *y, ECGroup *ecgroup)
-{
-	char s[1000];
-	mp_int rx, ry, rz;
-	mp_err res = MP_OKAY;
-
-	MP_DIGITS(&rx) = 0;
-	MP_DIGITS(&ry) = 0;
-	MP_DIGITS(&rz) = 0;
-
-	MP_CHECKOK(mp_init(&rx));
-	MP_CHECKOK(mp_init(&ry));
-	MP_CHECKOK(mp_init(&rz));
-
-	ecfp_fp2i(&rx, p->x, ecgroup);
-	ecfp_fp2i(&ry, p->y, ecgroup);
-	ecfp_fp2i(&rz, p->z, ecgroup);
-
-	/* convert result R to affine coordinates */
-	ec_GFp_pt_jac2aff(&rx, &ry, &rz, &rx, &ry, ecgroup);
-
-	/* Compare to expected result */
-	if ((mp_cmp(&rx, x) != 0) || (mp_cmp(&ry, y) != 0)) {
-		printf("  Error: Jacobian Floating Point Incorrect.\n");
-		MP_CHECKOK(mp_toradix(&rx, s, 16));
-		printf("floating point result\nrx    %s\n", s);
-		MP_CHECKOK(mp_toradix(&ry, s, 16));
-		printf("ry    %s\n", s);
-		MP_CHECKOK(mp_toradix(x, s, 16));
-		printf("integer result\nx   %s\n", s);
-		MP_CHECKOK(mp_toradix(y, s, 16));
-		printf("y   %s\n", s);
-		res = MP_NO;
-		goto CLEANUP;
-	}
-
-  CLEANUP:
-	mp_clear(&rx);
-	mp_clear(&ry);
-	mp_clear(&rz);
-
-	return res;
-}
-
-/* Tests a point p in Chudnovsky Jacobian coordinates, comparing against
- * the expected affine result (x, y). */
-mp_err
-testChudPoint(ecfp_chud_pt * p, mp_int *x, mp_int *y, ECGroup *ecgroup)
-{
-
-	char s[1000];
-	mp_int rx, ry, rz, rz2, rz3, test;
-	mp_err res = MP_OKAY;
-
-	/* Initialization */
-	MP_DIGITS(&rx) = 0;
-	MP_DIGITS(&ry) = 0;
-	MP_DIGITS(&rz) = 0;
-	MP_DIGITS(&rz2) = 0;
-	MP_DIGITS(&rz3) = 0;
-	MP_DIGITS(&test) = 0;
-
-	MP_CHECKOK(mp_init(&rx));
-	MP_CHECKOK(mp_init(&ry));
-	MP_CHECKOK(mp_init(&rz));
-	MP_CHECKOK(mp_init(&rz2));
-	MP_CHECKOK(mp_init(&rz3));
-	MP_CHECKOK(mp_init(&test));
-
-	/* Convert to integers */
-	ecfp_fp2i(&rx, p->x, ecgroup);
-	ecfp_fp2i(&ry, p->y, ecgroup);
-	ecfp_fp2i(&rz, p->z, ecgroup);
-	ecfp_fp2i(&rz2, p->z2, ecgroup);
-	ecfp_fp2i(&rz3, p->z3, ecgroup);
-
-	/* Verify z2, z3 are valid */
-	mp_sqrmod(&rz, &ecgroup->meth->irr, &test);
-	if (mp_cmp(&test, &rz2) != 0) {
-		printf("  Error: rzp2 not valid\n");
-		res = MP_NO;
-		goto CLEANUP;
-	}
-	mp_mulmod(&test, &rz, &ecgroup->meth->irr, &test);
-	if (mp_cmp(&test, &rz3) != 0) {
-		printf("  Error: rzp2 not valid\n");
-		res = MP_NO;
-		goto CLEANUP;
-	}
-
-	/* convert result R to affine coordinates */
-	ec_GFp_pt_jac2aff(&rx, &ry, &rz, &rx, &ry, ecgroup);
-
-	/* Compare against expected result */
-	if ((mp_cmp(&rx, x) != 0) || (mp_cmp(&ry, y) != 0)) {
-		printf("  Error: Chudnovsky Floating Point Incorrect.\n");
-		MP_CHECKOK(mp_toradix(&rx, s, 16));
-		printf("floating point result\nrx    %s\n", s);
-		MP_CHECKOK(mp_toradix(&ry, s, 16));
-		printf("ry    %s\n", s);
-		MP_CHECKOK(mp_toradix(x, s, 16));
-		printf("integer result\nx   %s\n", s);
-		MP_CHECKOK(mp_toradix(y, s, 16));
-		printf("y   %s\n", s);
-		res = MP_NO;
-		goto CLEANUP;
-	}
-
-  CLEANUP:
-	mp_clear(&rx);
-	mp_clear(&ry);
-	mp_clear(&rz);
-	mp_clear(&rz2);
-	mp_clear(&rz3);
-	mp_clear(&test);
-
-	return res;
-}
-
-/* Tests a point p in Modified Jacobian coordinates, comparing against the 
- * expected affine result (x, y). */
-mp_err
-testJmPoint(ecfp_jm_pt * r, mp_int *x, mp_int *y, ECGroup *ecgroup)
-{
-
-	char s[1000];
-	mp_int rx, ry, rz, raz4, test;
-	mp_err res = MP_OKAY;
-
-	/* Initialization */
-	MP_DIGITS(&rx) = 0;
-	MP_DIGITS(&ry) = 0;
-	MP_DIGITS(&rz) = 0;
-	MP_DIGITS(&raz4) = 0;
-	MP_DIGITS(&test) = 0;
-
-	MP_CHECKOK(mp_init(&rx));
-	MP_CHECKOK(mp_init(&ry));
-	MP_CHECKOK(mp_init(&rz));
-	MP_CHECKOK(mp_init(&raz4));
-	MP_CHECKOK(mp_init(&test));
-
-	/* Convert to integer */
-	ecfp_fp2i(&rx, r->x, ecgroup);
-	ecfp_fp2i(&ry, r->y, ecgroup);
-	ecfp_fp2i(&rz, r->z, ecgroup);
-	ecfp_fp2i(&raz4, r->az4, ecgroup);
-
-	/* Verify raz4 = rz^4 * a */
-	mp_sqrmod(&rz, &ecgroup->meth->irr, &test);
-	mp_sqrmod(&test, &ecgroup->meth->irr, &test);
-	mp_mulmod(&test, &ecgroup->curvea, &ecgroup->meth->irr, &test);
-	if (mp_cmp(&test, &raz4) != 0) {
-		printf("  Error: a*z^4 not valid\n");
-		MP_CHECKOK(mp_toradix(&ecgroup->curvea, s, 16));
-		printf("a    %s\n", s);
-		MP_CHECKOK(mp_toradix(&rz, s, 16));
-		printf("rz   %s\n", s);
-		MP_CHECKOK(mp_toradix(&raz4, s, 16));
-		printf("raz4    %s\n", s);
-		res = MP_NO;
-		goto CLEANUP;
-	}
-
-	/* convert result R to affine coordinates */
-	ec_GFp_pt_jac2aff(&rx, &ry, &rz, &rx, &ry, ecgroup);
-
-	/* Compare against expected result */
-	if ((mp_cmp(&rx, x) != 0) || (mp_cmp(&ry, y) != 0)) {
-		printf("  Error: Modified Jacobian Floating Point Incorrect.\n");
-		MP_CHECKOK(mp_toradix(&rx, s, 16));
-		printf("floating point result\nrx    %s\n", s);
-		MP_CHECKOK(mp_toradix(&ry, s, 16));
-		printf("ry    %s\n", s);
-		MP_CHECKOK(mp_toradix(x, s, 16));
-		printf("integer result\nx   %s\n", s);
-		MP_CHECKOK(mp_toradix(y, s, 16));
-		printf("y   %s\n", s);
-		res = MP_NO;
-		goto CLEANUP;
-	}
-  CLEANUP:
-	mp_clear(&rx);
-	mp_clear(&ry);
-	mp_clear(&rz);
-	mp_clear(&raz4);
-	mp_clear(&test);
-
-	return res;
-}
-
-/* Tests point addition of Jacobian + Affine -> Jacobian */
-mp_err
-testPointAddJacAff(ECGroup *ecgroup)
-{
-	mp_err res;
-	mp_int pz, rx2, ry2, rz2;
-	ecfp_jac_pt p, r;
-	ecfp_aff_pt q;
-	EC_group_fp *group = (EC_group_fp *) ecgroup->extra1;
-
-	/* Init */
-	MP_DIGITS(&pz) = 0;
-	MP_DIGITS(&rx2) = 0;
-	MP_DIGITS(&ry2) = 0;
-	MP_DIGITS(&rz2) = 0;
-	MP_CHECKOK(mp_init(&pz));
-	MP_CHECKOK(mp_init(&rx2));
-	MP_CHECKOK(mp_init(&ry2));
-	MP_CHECKOK(mp_init(&rz2));
-
-	MP_CHECKOK(mp_set_int(&pz, 5));
-
-	/* Set p */
-	ecfp_i2fp(p.x, &ecgroup->genx, ecgroup);
-	ecfp_i2fp(p.y, &ecgroup->geny, ecgroup);
-	ecfp_i2fp(p.z, &pz, ecgroup);
-	/* Set q */
-	ecfp_i2fp(q.x, &ecgroup->geny, ecgroup);
-	ecfp_i2fp(q.y, &ecgroup->genx, ecgroup);
-
-	/* Do calculations */
-	group->pt_add_jac_aff(&p, &q, &r, group);
-
-	/* Do calculation in integer to compare against */
-	MP_CHECKOK(ec_GFp_pt_add_jac_aff
-			   (&ecgroup->genx, &ecgroup->geny, &pz, &ecgroup->geny,
-				&ecgroup->genx, &rx2, &ry2, &rz2, ecgroup));
-	/* convert result R to affine coordinates */
-	ec_GFp_pt_jac2aff(&rx2, &ry2, &rz2, &rx2, &ry2, ecgroup);
-
-	MP_CHECKOK(testJacPoint(&r, &rx2, &ry2, ecgroup));
-
-  CLEANUP:
-	if (res == MP_OKAY)
-		printf("  Test Passed - Point Addition - Jacobian & Affine\n");
-	else
-		printf("TEST FAILED - Point Addition - Jacobian & Affine\n");
-
-	mp_clear(&pz);
-	mp_clear(&rx2);
-	mp_clear(&ry2);
-	mp_clear(&rz2);
-
-	return res;
-}
-
-/* Tests point addition in Jacobian coordinates */
-mp_err
-testPointAddJac(ECGroup *ecgroup)
-{
-	mp_err res;
-	mp_int pz, qz, qx, qy, rx2, ry2, rz2;
-	ecfp_jac_pt p, q, r;
-	EC_group_fp *group = (EC_group_fp *) ecgroup->extra1;
-
-	/* Init */
-	MP_DIGITS(&pz) = 0;
-	MP_DIGITS(&qx) = 0;
-	MP_DIGITS(&qy) = 0;
-	MP_DIGITS(&qz) = 0;
-	MP_DIGITS(&rx2) = 0;
-	MP_DIGITS(&ry2) = 0;
-	MP_DIGITS(&rz2) = 0;
-	MP_CHECKOK(mp_init(&pz));
-	MP_CHECKOK(mp_init(&qx));
-	MP_CHECKOK(mp_init(&qy));
-	MP_CHECKOK(mp_init(&qz));
-	MP_CHECKOK(mp_init(&rx2));
-	MP_CHECKOK(mp_init(&ry2));
-	MP_CHECKOK(mp_init(&rz2));
-
-	MP_CHECKOK(mp_set_int(&pz, 5));
-	MP_CHECKOK(mp_set_int(&qz, 105));
-
-	/* Set p */
-	ecfp_i2fp(p.x, &ecgroup->genx, ecgroup);
-	ecfp_i2fp(p.y, &ecgroup->geny, ecgroup);
-	ecfp_i2fp(p.z, &pz, ecgroup);
-	/* Set q */
-	ecfp_i2fp(q.x, &ecgroup->geny, ecgroup);
-	ecfp_i2fp(q.y, &ecgroup->genx, ecgroup);
-	ecfp_i2fp(q.z, &qz, ecgroup);
-
-	/* Do calculations */
-	group->pt_add_jac(&p, &q, &r, group);
-
-	/* Do calculation in integer to compare against */
-	ec_GFp_pt_jac2aff(&ecgroup->geny, &ecgroup->genx, &qz, &qx, &qy,
-					  ecgroup);
-	MP_CHECKOK(ec_GFp_pt_add_jac_aff
-			   (&ecgroup->genx, &ecgroup->geny, &pz, &qx, &qy, &rx2, &ry2,
-				&rz2, ecgroup));
-	/* convert result R to affine coordinates */
-	ec_GFp_pt_jac2aff(&rx2, &ry2, &rz2, &rx2, &ry2, ecgroup);
-
-	MP_CHECKOK(testJacPoint(&r, &rx2, &ry2, ecgroup));
-
-  CLEANUP:
-	if (res == MP_OKAY)
-		printf("  Test Passed - Point Addition - Jacobian\n");
-	else
-		printf("TEST FAILED - Point Addition - Jacobian\n");
-
-	mp_clear(&pz);
-	mp_clear(&qx);
-	mp_clear(&qy);
-	mp_clear(&qz);
-	mp_clear(&rx2);
-	mp_clear(&ry2);
-	mp_clear(&rz2);
-
-	return res;
-}
-
-/* Tests point addition in Chudnovsky Jacobian Coordinates */
-mp_err
-testPointAddChud(ECGroup *ecgroup)
-{
-	mp_err res;
-	mp_int rx2, ry2, ix, iy, iz, test, pz, qx, qy, qz;
-	ecfp_chud_pt p, q, r;
-	EC_group_fp *group = (EC_group_fp *) ecgroup->extra1;
-
-	MP_DIGITS(&qx) = 0;
-	MP_DIGITS(&qy) = 0;
-	MP_DIGITS(&qz) = 0;
-	MP_DIGITS(&pz) = 0;
-	MP_DIGITS(&rx2) = 0;
-	MP_DIGITS(&ry2) = 0;
-	MP_DIGITS(&ix) = 0;
-	MP_DIGITS(&iy) = 0;
-	MP_DIGITS(&iz) = 0;
-	MP_DIGITS(&test) = 0;
-
-	MP_CHECKOK(mp_init(&qx));
-	MP_CHECKOK(mp_init(&qy));
-	MP_CHECKOK(mp_init(&qz));
-	MP_CHECKOK(mp_init(&pz));
-	MP_CHECKOK(mp_init(&rx2));
-	MP_CHECKOK(mp_init(&ry2));
-	MP_CHECKOK(mp_init(&ix));
-	MP_CHECKOK(mp_init(&iy));
-	MP_CHECKOK(mp_init(&iz));
-	MP_CHECKOK(mp_init(&test));
-
-	/* Test Chudnovsky form addition */
-	/* Set p */
-	MP_CHECKOK(mp_set_int(&pz, 5));
-	ecfp_i2fp(p.x, &ecgroup->genx, ecgroup);
-	ecfp_i2fp(p.y, &ecgroup->geny, ecgroup);
-	ecfp_i2fp(p.z, &pz, ecgroup);
-	mp_sqrmod(&pz, &ecgroup->meth->irr, &test);
-	ecfp_i2fp(p.z2, &test, ecgroup);
-	mp_mulmod(&test, &pz, &ecgroup->meth->irr, &test);
-	ecfp_i2fp(p.z3, &test, ecgroup);
-
-	/* Set q */
-	MP_CHECKOK(mp_set_int(&qz, 105));
-	ecfp_i2fp(q.x, &ecgroup->geny, ecgroup);
-	ecfp_i2fp(q.y, &ecgroup->genx, ecgroup);
-	ecfp_i2fp(q.z, &qz, ecgroup);
-	mp_sqrmod(&qz, &ecgroup->meth->irr, &test);
-	ecfp_i2fp(q.z2, &test, ecgroup);
-	mp_mulmod(&test, &qz, &ecgroup->meth->irr, &test);
-	ecfp_i2fp(q.z3, &test, ecgroup);
-
-	group->pt_add_chud(&p, &q, &r, group);
-
-	/* Calculate addition to compare against */
-	ec_GFp_pt_jac2aff(&ecgroup->geny, &ecgroup->genx, &qz, &qx, &qy,
-					  ecgroup);
-	ec_GFp_pt_add_jac_aff(&ecgroup->genx, &ecgroup->geny, &pz, &qx, &qy,
-						  &ix, &iy, &iz, ecgroup);
-	ec_GFp_pt_jac2aff(&ix, &iy, &iz, &rx2, &ry2, ecgroup);
-
-	MP_CHECKOK(testChudPoint(&r, &rx2, &ry2, ecgroup));
-
-  CLEANUP:
-	if (res == MP_OKAY)
-		printf("  Test Passed - Point Addition - Chudnovsky Jacobian\n");
-	else
-		printf("TEST FAILED - Point Addition - Chudnovsky Jacobian\n");
-
-	mp_clear(&qx);
-	mp_clear(&qy);
-	mp_clear(&qz);
-	mp_clear(&pz);
-	mp_clear(&rx2);
-	mp_clear(&ry2);
-	mp_clear(&ix);
-	mp_clear(&iy);
-	mp_clear(&iz);
-	mp_clear(&test);
-
-	return res;
-}
-
-/* Tests point addition in Modified Jacobian + Chudnovsky Jacobian ->
- * Modified Jacobian coordinates. */
-mp_err
-testPointAddJmChud(ECGroup *ecgroup)
-{
-	mp_err res;
-	mp_int rx2, ry2, ix, iy, iz, test, pz, paz4, qx, qy, qz;
-	ecfp_chud_pt q;
-	ecfp_jm_pt p, r;
-	EC_group_fp *group = (EC_group_fp *) ecgroup->extra1;
-
-	MP_DIGITS(&qx) = 0;
-	MP_DIGITS(&qy) = 0;
-	MP_DIGITS(&qz) = 0;
-	MP_DIGITS(&pz) = 0;
-	MP_DIGITS(&paz4) = 0;
-	MP_DIGITS(&iz) = 0;
-	MP_DIGITS(&rx2) = 0;
-	MP_DIGITS(&ry2) = 0;
-	MP_DIGITS(&ix) = 0;
-	MP_DIGITS(&iy) = 0;
-	MP_DIGITS(&iz) = 0;
-	MP_DIGITS(&test) = 0;
-
-	MP_CHECKOK(mp_init(&qx));
-	MP_CHECKOK(mp_init(&qy));
-	MP_CHECKOK(mp_init(&qz));
-	MP_CHECKOK(mp_init(&pz));
-	MP_CHECKOK(mp_init(&paz4));
-	MP_CHECKOK(mp_init(&rx2));
-	MP_CHECKOK(mp_init(&ry2));
-	MP_CHECKOK(mp_init(&ix));
-	MP_CHECKOK(mp_init(&iy));
-	MP_CHECKOK(mp_init(&iz));
-	MP_CHECKOK(mp_init(&test));
-
-	/* Test Modified Jacobian form addition */
-	/* Set p */
-	ecfp_i2fp(p.x, &ecgroup->genx, ecgroup);
-	ecfp_i2fp(p.y, &ecgroup->geny, ecgroup);
-	ecfp_i2fp(group->curvea, &ecgroup->curvea, ecgroup);
-	/* paz4 = az^4 */
-	MP_CHECKOK(mp_set_int(&pz, 5));
-	mp_sqrmod(&pz, &ecgroup->meth->irr, &paz4);
-	mp_sqrmod(&paz4, &ecgroup->meth->irr, &paz4);
-	mp_mulmod(&paz4, &ecgroup->curvea, &ecgroup->meth->irr, &paz4);
-	ecfp_i2fp(p.z, &pz, ecgroup);
-	ecfp_i2fp(p.az4, &paz4, ecgroup);
-
-	/* Set q */
-	MP_CHECKOK(mp_set_int(&qz, 105));
-	ecfp_i2fp(q.x, &ecgroup->geny, ecgroup);
-	ecfp_i2fp(q.y, &ecgroup->genx, ecgroup);
-	ecfp_i2fp(q.z, &qz, ecgroup);
-	mp_sqrmod(&qz, &ecgroup->meth->irr, &test);
-	ecfp_i2fp(q.z2, &test, ecgroup);
-	mp_mulmod(&test, &qz, &ecgroup->meth->irr, &test);
-	ecfp_i2fp(q.z3, &test, ecgroup);
-
-	/* Do calculation */
-	group->pt_add_jm_chud(&p, &q, &r, group);
-
-	/* Calculate addition to compare against */
-	ec_GFp_pt_jac2aff(&ecgroup->geny, &ecgroup->genx, &qz, &qx, &qy,
-					  ecgroup);
-	ec_GFp_pt_add_jac_aff(&ecgroup->genx, &ecgroup->geny, &pz, &qx, &qy,
-						  &ix, &iy, &iz, ecgroup);
-	ec_GFp_pt_jac2aff(&ix, &iy, &iz, &rx2, &ry2, ecgroup);
-
-	MP_CHECKOK(testJmPoint(&r, &rx2, &ry2, ecgroup));
-
-  CLEANUP:
-	if (res == MP_OKAY)
-		printf
-			("  Test Passed - Point Addition - Modified & Chudnovsky Jacobian\n");
-	else
-		printf
-			("TEST FAILED - Point Addition - Modified & Chudnovsky Jacobian\n");
-
-	mp_clear(&qx);
-	mp_clear(&qy);
-	mp_clear(&qz);
-	mp_clear(&pz);
-	mp_clear(&paz4);
-	mp_clear(&rx2);
-	mp_clear(&ry2);
-	mp_clear(&ix);
-	mp_clear(&iy);
-	mp_clear(&iz);
-	mp_clear(&test);
-
-	return res;
-}
-
-/* Tests point doubling in Modified Jacobian coordinates */
-mp_err
-testPointDoubleJm(ECGroup *ecgroup)
-{
-	mp_err res;
-	mp_int pz, paz4, rx2, ry2, rz2, raz4;
-	ecfp_jm_pt p, r;
-	EC_group_fp *group = (EC_group_fp *) ecgroup->extra1;
-
-	MP_DIGITS(&pz) = 0;
-	MP_DIGITS(&paz4) = 0;
-	MP_DIGITS(&rx2) = 0;
-	MP_DIGITS(&ry2) = 0;
-	MP_DIGITS(&rz2) = 0;
-	MP_DIGITS(&raz4) = 0;
-
-	MP_CHECKOK(mp_init(&pz));
-	MP_CHECKOK(mp_init(&paz4));
-	MP_CHECKOK(mp_init(&rx2));
-	MP_CHECKOK(mp_init(&ry2));
-	MP_CHECKOK(mp_init(&rz2));
-	MP_CHECKOK(mp_init(&raz4));
-
-	/* Set p */
-	ecfp_i2fp(p.x, &ecgroup->genx, ecgroup);
-	ecfp_i2fp(p.y, &ecgroup->geny, ecgroup);
-	ecfp_i2fp(group->curvea, &ecgroup->curvea, ecgroup);
-
-	/* paz4 = az^4 */
-	MP_CHECKOK(mp_set_int(&pz, 5));
-	mp_sqrmod(&pz, &ecgroup->meth->irr, &paz4);
-	mp_sqrmod(&paz4, &ecgroup->meth->irr, &paz4);
-	mp_mulmod(&paz4, &ecgroup->curvea, &ecgroup->meth->irr, &paz4);
-
-	ecfp_i2fp(p.z, &pz, ecgroup);
-	ecfp_i2fp(p.az4, &paz4, ecgroup);
-
-	group->pt_dbl_jm(&p, &r, group);
-
-	M_TimeOperation(group->pt_dbl_jm(&p, &r, group), 100000);
-
-	/* Calculate doubling to compare against */
-	ec_GFp_pt_dbl_jac(&ecgroup->genx, &ecgroup->geny, &pz, &rx2, &ry2,
-					  &rz2, ecgroup);
-	ec_GFp_pt_jac2aff(&rx2, &ry2, &rz2, &rx2, &ry2, ecgroup);
-
-	/* Do comparison and check az^4 */
-	MP_CHECKOK(testJmPoint(&r, &rx2, &ry2, ecgroup));
-
-  CLEANUP:
-	if (res == MP_OKAY)
-		printf("  Test Passed - Point Doubling - Modified Jacobian\n");
-	else
-		printf("TEST FAILED - Point Doubling - Modified Jacobian\n");
-	mp_clear(&pz);
-	mp_clear(&paz4);
-	mp_clear(&rx2);
-	mp_clear(&ry2);
-	mp_clear(&rz2);
-	mp_clear(&raz4);
-
-	return res;
-
-}
-
-/* Tests point doubling in Chudnovsky Jacobian coordinates */
-mp_err
-testPointDoubleChud(ECGroup *ecgroup)
-{
-	mp_err res;
-	mp_int px, py, pz, rx2, ry2, rz2;
-	ecfp_aff_pt p;
-	ecfp_chud_pt p2;
-	EC_group_fp *group = (EC_group_fp *) ecgroup->extra1;
-
-	MP_DIGITS(&rx2) = 0;
-	MP_DIGITS(&ry2) = 0;
-	MP_DIGITS(&rz2) = 0;
-	MP_DIGITS(&px) = 0;
-	MP_DIGITS(&py) = 0;
-	MP_DIGITS(&pz) = 0;
-
-	MP_CHECKOK(mp_init(&rx2));
-	MP_CHECKOK(mp_init(&ry2));
-	MP_CHECKOK(mp_init(&rz2));
-	MP_CHECKOK(mp_init(&px));
-	MP_CHECKOK(mp_init(&py));
-	MP_CHECKOK(mp_init(&pz));
-
-	/* Set p2 = 2P */
-	ecfp_i2fp(p.x, &ecgroup->genx, ecgroup);
-	ecfp_i2fp(p.y, &ecgroup->geny, ecgroup);
-	ecfp_i2fp(group->curvea, &ecgroup->curvea, ecgroup);
-
-	group->pt_dbl_aff2chud(&p, &p2, group);
-
-	/* Calculate doubling to compare against */
-	MP_CHECKOK(mp_set_int(&pz, 1));
-	ec_GFp_pt_dbl_jac(&ecgroup->genx, &ecgroup->geny, &pz, &rx2, &ry2,
-					  &rz2, ecgroup);
-	ec_GFp_pt_jac2aff(&rx2, &ry2, &rz2, &rx2, &ry2, ecgroup);
-
-	/* Do comparison and check az^4 */
-	MP_CHECKOK(testChudPoint(&p2, &rx2, &ry2, ecgroup));
-
-  CLEANUP:
-	if (res == MP_OKAY)
-		printf("  Test Passed - Point Doubling - Chudnovsky Jacobian\n");
-	else
-		printf("TEST FAILED - Point Doubling - Chudnovsky Jacobian\n");
-
-	mp_clear(&rx2);
-	mp_clear(&ry2);
-	mp_clear(&rz2);
-	mp_clear(&px);
-	mp_clear(&py);
-	mp_clear(&pz);
-
-	return res;
-}
-
-/* Test point doubling in Jacobian coordinates */
-mp_err
-testPointDoubleJac(ECGroup *ecgroup)
-{
-	mp_err res;
-	mp_int pz, rx, ry, rz, rx2, ry2, rz2;
-	ecfp_jac_pt p, p2;
-	EC_group_fp *group = (EC_group_fp *) ecgroup->extra1;
-
-	MP_DIGITS(&pz) = 0;
-	MP_DIGITS(&rx) = 0;
-	MP_DIGITS(&ry) = 0;
-	MP_DIGITS(&rz) = 0;
-	MP_DIGITS(&rx2) = 0;
-	MP_DIGITS(&ry2) = 0;
-	MP_DIGITS(&rz2) = 0;
-
-	MP_CHECKOK(mp_init(&pz));
-	MP_CHECKOK(mp_init(&rx));
-	MP_CHECKOK(mp_init(&ry));
-	MP_CHECKOK(mp_init(&rz));
-	MP_CHECKOK(mp_init(&rx2));
-	MP_CHECKOK(mp_init(&ry2));
-	MP_CHECKOK(mp_init(&rz2));
-
-	MP_CHECKOK(mp_set_int(&pz, 5));
-
-	/* Set p2 = 2P */
-	ecfp_i2fp(p.x, &ecgroup->genx, ecgroup);
-	ecfp_i2fp(p.y, &ecgroup->geny, ecgroup);
-	ecfp_i2fp(p.z, &pz, ecgroup);
-	ecfp_i2fp(group->curvea, &ecgroup->curvea, ecgroup);
-
-	group->pt_dbl_jac(&p, &p2, group);
-	M_TimeOperation(group->pt_dbl_jac(&p, &p2, group), 100000);
-
-	/* Calculate doubling to compare against */
-	ec_GFp_pt_dbl_jac(&ecgroup->genx, &ecgroup->geny, &pz, &rx2, &ry2,
-					  &rz2, ecgroup);
-	ec_GFp_pt_jac2aff(&rx2, &ry2, &rz2, &rx2, &ry2, ecgroup);
-
-	/* Do comparison */
-	MP_CHECKOK(testJacPoint(&p2, &rx2, &ry2, ecgroup));
-
-  CLEANUP:
-	if (res == MP_OKAY)
-		printf("  Test Passed - Point Doubling - Jacobian\n");
-	else
-		printf("TEST FAILED - Point Doubling - Jacobian\n");
-
-	mp_clear(&pz);
-	mp_clear(&rx);
-	mp_clear(&ry);
-	mp_clear(&rz);
-	mp_clear(&rx2);
-	mp_clear(&ry2);
-	mp_clear(&rz2);
-
-	return res;
-}
-
-/* Tests a point multiplication (various algorithms) */
-mp_err
-testPointMul(ECGroup *ecgroup)
-{
-	mp_err res;
-	char s[1000];
-	mp_int rx, ry, order_1;
-
-	/* Init */
-	MP_DIGITS(&rx) = 0;
-	MP_DIGITS(&ry) = 0;
-	MP_DIGITS(&order_1) = 0;
-
-	MP_CHECKOK(mp_init(&rx));
-	MP_CHECKOK(mp_init(&ry));
-	MP_CHECKOK(mp_init(&order_1));
-
-	MP_CHECKOK(mp_set_int(&order_1, 1));
-	MP_CHECKOK(mp_sub(&ecgroup->order, &order_1, &order_1));
-
-	/* Test Algorithm 1: Jacobian-Affine Double & Add */
-	ec_GFp_pt_mul_jac_fp(&order_1, &ecgroup->genx, &ecgroup->geny, &rx,
-						 &ry, ecgroup);
-	MP_CHECKOK(ecgroup->meth->field_neg(&ry, &ry, ecgroup->meth));
-	if ((mp_cmp(&rx, &ecgroup->genx) != 0)
-		|| (mp_cmp(&ry, &ecgroup->geny) != 0)) {
-		printf
-			("  Error: ec_GFp_pt_mul_jac_fp invalid result (expected (- base point)).\n");
-		MP_CHECKOK(mp_toradix(&rx, s, 16));
-		printf("rx   %s\n", s);
-		MP_CHECKOK(mp_toradix(&ry, s, 16));
-		printf("ry   %s\n", s);
-		res = MP_NO;
-		goto CLEANUP;
-	}
-
-	ec_GFp_pt_mul_jac_fp(&ecgroup->order, &ecgroup->genx, &ecgroup->geny,
-						 &rx, &ry, ecgroup);
-	if (ec_GFp_pt_is_inf_aff(&rx, &ry) != MP_YES) {
-		printf
-			("  Error: ec_GFp_pt_mul_jac_fp invalid result (expected point at infinity.\n");
-		MP_CHECKOK(mp_toradix(&rx, s, 16));
-		printf("rx   %s\n", s);
-		MP_CHECKOK(mp_toradix(&ry, s, 16));
-		printf("ry   %s\n", s);
-		res = MP_NO;
-		goto CLEANUP;
-	}
-
-	/* Test Algorithm 2: 4-bit Window in Jacobian */
-	ec_GFp_point_mul_jac_4w_fp(&order_1, &ecgroup->genx, &ecgroup->geny,
-							   &rx, &ry, ecgroup);
-	MP_CHECKOK(ecgroup->meth->field_neg(&ry, &ry, ecgroup->meth));
-	if ((mp_cmp(&rx, &ecgroup->genx) != 0)
-		|| (mp_cmp(&ry, &ecgroup->geny) != 0)) {
-		printf
-			("  Error: ec_GFp_point_mul_jac_4w_fp invalid result (expected (- base point)).\n");
-		MP_CHECKOK(mp_toradix(&rx, s, 16));
-		printf("rx   %s\n", s);
-		MP_CHECKOK(mp_toradix(&ry, s, 16));
-		printf("ry   %s\n", s);
-		res = MP_NO;
-		goto CLEANUP;
-	}
-
-	ec_GFp_point_mul_jac_4w_fp(&ecgroup->order, &ecgroup->genx,
-							   &ecgroup->geny, &rx, &ry, ecgroup);
-	if (ec_GFp_pt_is_inf_aff(&rx, &ry) != MP_YES) {
-		printf
-			("  Error: ec_GFp_point_mul_jac_4w_fp invalid result (expected point at infinity.\n");
-		MP_CHECKOK(mp_toradix(&rx, s, 16));
-		printf("rx   %s\n", s);
-		MP_CHECKOK(mp_toradix(&ry, s, 16));
-		printf("ry   %s\n", s);
-		res = MP_NO;
-		goto CLEANUP;
-	}
-
-	/* Test Algorithm 3: wNAF with modified Jacobian coordinates */
-	ec_GFp_point_mul_wNAF_fp(&order_1, &ecgroup->genx, &ecgroup->geny, &rx,
-							 &ry, ecgroup);
-	MP_CHECKOK(ecgroup->meth->field_neg(&ry, &ry, ecgroup->meth));
-	if ((mp_cmp(&rx, &ecgroup->genx) != 0)
-		|| (mp_cmp(&ry, &ecgroup->geny) != 0)) {
-		printf
-			("  Error: ec_GFp_pt_mul_wNAF_fp invalid result (expected (- base point)).\n");
-		MP_CHECKOK(mp_toradix(&rx, s, 16));
-		printf("rx   %s\n", s);
-		MP_CHECKOK(mp_toradix(&ry, s, 16));
-		printf("ry   %s\n", s);
-		res = MP_NO;
-		goto CLEANUP;
-	}
-
-	ec_GFp_point_mul_wNAF_fp(&ecgroup->order, &ecgroup->genx,
-							 &ecgroup->geny, &rx, &ry, ecgroup);
-	if (ec_GFp_pt_is_inf_aff(&rx, &ry) != MP_YES) {
-		printf
-			("  Error: ec_GFp_pt_mul_wNAF_fp invalid result (expected point at infinity.\n");
-		MP_CHECKOK(mp_toradix(&rx, s, 16));
-		printf("rx   %s\n", s);
-		MP_CHECKOK(mp_toradix(&ry, s, 16));
-		printf("ry   %s\n", s);
-		res = MP_NO;
-		goto CLEANUP;
-	}
-
-  CLEANUP:
-	if (res == MP_OKAY)
-		printf("  Test Passed - Point Multiplication\n");
-	else
-		printf("TEST FAILED - Point Multiplication\n");
-	mp_clear(&rx);
-	mp_clear(&ry);
-	mp_clear(&order_1);
-
-	return res;
-}
-
-/* Tests point multiplication with a random scalar repeatedly, comparing
- * for consistency within different algorithms. */
-mp_err
-testPointMulRandom(ECGroup *ecgroup)
-{
-	mp_err res;
-	mp_int rx, ry, rx2, ry2, n;
-	int i, size;
-	EC_group_fp *group = (EC_group_fp *) ecgroup->extra1;
-
-	MP_DIGITS(&rx) = 0;
-	MP_DIGITS(&ry) = 0;
-	MP_DIGITS(&rx2) = 0;
-	MP_DIGITS(&ry2) = 0;
-	MP_DIGITS(&n) = 0;
-
-	MP_CHECKOK(mp_init(&rx));
-	MP_CHECKOK(mp_init(&ry));
-	MP_CHECKOK(mp_init(&rx2));
-	MP_CHECKOK(mp_init(&ry2));
-	MP_CHECKOK(mp_init(&n));
-
-	for (i = 0; i < 100; i++) {
-		/* compute random scalar */
-		size = mpl_significant_bits(&ecgroup->meth->irr);
-		if (size < MP_OKAY) {
-			res = MP_NO;
-			goto CLEANUP;
-		}
-		MP_CHECKOK(mpp_random_size(&n, group->orderBitSize));
-		MP_CHECKOK(mp_mod(&n, &ecgroup->order, &n));
-
-		ec_GFp_pt_mul_jac(&n, &ecgroup->genx, &ecgroup->geny, &rx, &ry,
-						  ecgroup);
-		ec_GFp_pt_mul_jac_fp(&n, &ecgroup->genx, &ecgroup->geny, &rx2,
-							 &ry2, ecgroup);
-
-		if ((mp_cmp(&rx, &rx2) != 0) || (mp_cmp(&ry, &ry2) != 0)) {
-			printf
-				("  Error: different results for Point Multiplication - Double & Add.\n");
-			res = MP_NO;
-			goto CLEANUP;
-		}
-
-		ec_GFp_point_mul_wNAF_fp(&n, &ecgroup->genx, &ecgroup->geny, &rx,
-								 &ry, ecgroup);
-		if ((mp_cmp(&rx, &rx2) != 0) || (mp_cmp(&ry, &ry2) != 0)) {
-			printf
-				("  Error: different results for Point Multiplication - wNAF.\n");
-			res = MP_NO;
-			goto CLEANUP;
-		}
-
-		ec_GFp_point_mul_jac_4w_fp(&n, &ecgroup->genx, &ecgroup->geny, &rx,
-								   &ry, ecgroup);
-		if ((mp_cmp(&rx, &rx2) != 0) || (mp_cmp(&ry, &ry2) != 0)) {
-			printf
-				("  Error: different results for Point Multiplication - 4 bit window.\n");
-			res = MP_NO;
-			goto CLEANUP;
-		}
-
-	}
-
-  CLEANUP:
-	if (res == MP_OKAY)
-		printf("  Test Passed - Point Random Multiplication\n");
-	else
-		printf("TEST FAILED - Point Random Multiplication\n");
-	mp_clear(&rx);
-	mp_clear(&ry);
-	mp_clear(&rx2);
-	mp_clear(&ry2);
-	mp_clear(&n);
-
-	return res;
-}
-
-/* Tests the time required for a point multiplication */
-mp_err
-testPointMulTime(ECGroup *ecgroup)
-{
-	mp_err res = MP_OKAY;
-	mp_int rx, ry, n;
-	int size;
-
-	MP_DIGITS(&rx) = 0;
-	MP_DIGITS(&ry) = 0;
-	MP_DIGITS(&n) = 0;
-
-	MP_CHECKOK(mp_init(&rx));
-	MP_CHECKOK(mp_init(&ry));
-	MP_CHECKOK(mp_init(&n));
-
-	/* compute random scalar */
-	size = mpl_significant_bits(&ecgroup->meth->irr);
-	if (size < MP_OKAY) {
-		res = MP_NO;
-		goto CLEANUP;
-	}
-
-	MP_CHECKOK(mpp_random_size(&n, (size + ECL_BITS - 1) / ECL_BITS));
-	MP_CHECKOK(ecgroup->meth->field_mod(&n, &n, ecgroup->meth));
-
-	M_TimeOperation(ec_GFp_pt_mul_jac_fp
-					(&n, &ecgroup->genx, &ecgroup->geny, &rx, &ry,
-					 ecgroup), 1000);
-
-	M_TimeOperation(ec_GFp_point_mul_jac_4w_fp
-					(&n, &ecgroup->genx, &ecgroup->geny, &rx, &ry,
-					 ecgroup), 1000);
-
-	M_TimeOperation(ec_GFp_point_mul_wNAF_fp
-					(&n, &ecgroup->genx, &ecgroup->geny, &rx, &ry,
-					 ecgroup), 1000);
-
-	M_TimeOperation(ec_GFp_pt_mul_jac
-					(&n, &ecgroup->genx, &ecgroup->geny, &rx, &ry,
-					 ecgroup), 100);
-
-  CLEANUP:
-	if (res == MP_OKAY)
-		printf("  Test Passed - Point Multiplication Timing\n");
-	else
-		printf("TEST FAILED - Point Multiplication Timing\n");
-	mp_clear(&rx);
-	mp_clear(&ry);
-	mp_clear(&n);
-
-	return res;
-}
-
-/* Tests pre computation of Chudnovsky Jacobian points used in wNAF form */
-mp_err
-testPreCompute(ECGroup *ecgroup)
-{
-	ecfp_chud_pt precomp[16];
-	ecfp_aff_pt p;
-	EC_group_fp *group = (EC_group_fp *) ecgroup->extra1;
-	int i;
-	mp_err res;
-
-	mp_int x, y, ny, x2, y2;
-
-	MP_DIGITS(&x) = 0;
-	MP_DIGITS(&y) = 0;
-	MP_DIGITS(&ny) = 0;
-	MP_DIGITS(&x2) = 0;
-	MP_DIGITS(&y2) = 0;
-
-	MP_CHECKOK(mp_init(&x));
-	MP_CHECKOK(mp_init(&y));
-	MP_CHECKOK(mp_init(&ny));
-	MP_CHECKOK(mp_init(&x2));
-	MP_CHECKOK(mp_init(&y2));
-
-	ecfp_i2fp(p.x, &ecgroup->genx, ecgroup);
-	ecfp_i2fp(p.y, &ecgroup->geny, ecgroup);
-	ecfp_i2fp(group->curvea, &(ecgroup->curvea), ecgroup);
-
-	/* Perform precomputation */
-	group->precompute_chud(precomp, &p, group);
-
-	M_TimeOperation(group->precompute_chud(precomp, &p, group), 10000);
-
-	/* Calculate addition to compare against */
-	MP_CHECKOK(mp_copy(&ecgroup->genx, &x));
-	MP_CHECKOK(mp_copy(&ecgroup->geny, &y));
-	MP_CHECKOK(ecgroup->meth->field_neg(&y, &ny, ecgroup->meth));
-
-	ec_GFp_pt_dbl_aff(&x, &y, &x2, &y2, ecgroup);
-
-	for (i = 0; i < 8; i++) {
-		MP_CHECKOK(testChudPoint(&precomp[8 + i], &x, &y, ecgroup));
-		MP_CHECKOK(testChudPoint(&precomp[7 - i], &x, &ny, ecgroup));
-		ec_GFp_pt_add_aff(&x, &y, &x2, &y2, &x, &y, ecgroup);
-		MP_CHECKOK(ecgroup->meth->field_neg(&y, &ny, ecgroup->meth));
-	}
-
-  CLEANUP:
-	if (res == MP_OKAY)
-		printf("  Test Passed - Precomputation\n");
-	else
-		printf("TEST FAILED - Precomputation\n");
-
-	mp_clear(&x);
-	mp_clear(&y);
-	mp_clear(&ny);
-	mp_clear(&x2);
-	mp_clear(&y2);
-	return res;
-}
-
-/* Given a curve using floating point arithmetic, test it. This method
- * specifies which of the above tests to run. */
-mp_err
-testCurve(ECGroup *ecgroup)
-{
-	int res = MP_OKAY;
-
-	MP_CHECKOK(testPointAddJacAff(ecgroup));
-	MP_CHECKOK(testPointAddJac(ecgroup));
-	MP_CHECKOK(testPointAddChud(ecgroup));
-	MP_CHECKOK(testPointAddJmChud(ecgroup));
-	MP_CHECKOK(testPointDoubleJac(ecgroup));
-	MP_CHECKOK(testPointDoubleChud(ecgroup));
-	MP_CHECKOK(testPointDoubleJm(ecgroup));
-	MP_CHECKOK(testPreCompute(ecgroup));
-	MP_CHECKOK(testPointMul(ecgroup));
-	MP_CHECKOK(testPointMulRandom(ecgroup));
-	MP_CHECKOK(testPointMulTime(ecgroup));
-  CLEANUP:
-	return res;
-}
-
-/* Tests a number of curves optimized using floating point arithmetic */
-int
-main(void)
-{
-	mp_err res = MP_OKAY;
-	ECGroup *ecgroup = NULL;
-
-	/* specific arithmetic tests */
-	M_TestCurve("SECG-160R1", ECCurve_SECG_PRIME_160R1);
-	M_TestCurve("SECG-192R1", ECCurve_SECG_PRIME_192R1);
-	M_TestCurve("SEGC-224R1", ECCurve_SECG_PRIME_224R1);
-
-  CLEANUP:
-	ECGroup_free(ecgroup);
-	if (res != MP_OKAY) {
-		printf("Error: exiting with error value %i\n", res);
-	}
-	return res;
-}
diff --git a/security/nss/lib/freebl/ecl/tests/ecp_test.c b/security/nss/lib/freebl/ecl/tests/ecp_test.c
deleted file mode 100644
index d7ce299ec..000000000
--- a/security/nss/lib/freebl/ecl/tests/ecp_test.c
+++ /dev/null
@@ -1,435 +0,0 @@
-/* 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the elliptic curve math library for prime field curves.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "mpi.h"
-#include "mplogic.h"
-#include "mpprime.h"
-#include "ecl.h"
-#include "ecl-curve.h"
-#include "ecp.h"
-#include <stdio.h>
-#include <strings.h>
-#include <assert.h>
-
-#include <time.h>
-#include <sys/time.h>
-#include <sys/resource.h>
-
-/* Time k repetitions of operation op. */
-#define M_TimeOperation(op, k) { \
-	double dStart, dNow, dUserTime; \
-	struct rusage ru; \
-	int i; \
-	getrusage(RUSAGE_SELF, &ru); \
-	dStart = (double)ru.ru_utime.tv_sec+(double)ru.ru_utime.tv_usec*0.000001; \
-	for (i = 0; i < k; i++) { \
-		{ op; } \
-	}; \
-	getrusage(RUSAGE_SELF, &ru); \
-	dNow = (double)ru.ru_utime.tv_sec+(double)ru.ru_utime.tv_usec*0.000001; \
-	dUserTime = dNow-dStart; \
-	if (dUserTime) printf("    %-45s k: %6i, t: %6.2f sec\n", #op, k, dUserTime); \
-}
-
-/* Test curve using generic field arithmetic. */
-#define ECTEST_GENERIC_GFP(name_c, name) \
-	printf("Testing %s using generic implementation...\n", name_c); \
-	params = EC_GetNamedCurveParams(name); \
-	if (params == NULL) { \
-			printf("  Error: could not construct params.\n"); \
-			res = MP_NO; \
-			goto CLEANUP; \
-	} \
-	ECGroup_free(group); \
-	group = ECGroup_fromHex(params); \
-	if (group == NULL) { \
-		printf("  Error: could not construct group.\n"); \
-		res = MP_NO; \
-		goto CLEANUP; \
-	} \
-	MP_CHECKOK( ectest_curve_GFp(group, ectestPrint, ectestTime, 1) ); \
-	printf("... okay.\n");
-
-/* Test curve using specific field arithmetic. */
-#define ECTEST_NAMED_GFP(name_c, name) \
-	printf("Testing %s using specific implementation...\n", name_c); \
-	ECGroup_free(group); \
-	group = ECGroup_fromName(name); \
-	if (group == NULL) { \
-		printf("  Warning: could not construct group.\n"); \
-		printf("... failed; continuing with remaining tests.\n"); \
-	} else { \
-		MP_CHECKOK( ectest_curve_GFp(group, ectestPrint, ectestTime, 0) ); \
-		printf("... okay.\n"); \
-	}
-
-/* Performs basic tests of elliptic curve cryptography over prime fields.
- * If tests fail, then it prints an error message, aborts, and returns an
- * error code. Otherwise, returns 0. */
-int
-ectest_curve_GFp(ECGroup *group, int ectestPrint, int ectestTime,
-				 int generic)
-{
-
-	mp_int one, order_1, gx, gy, rx, ry, n;
-	int size;
-	mp_err res;
-	char s[1000];
-
-	/* initialize values */
-	MP_CHECKOK(mp_init(&one));
-	MP_CHECKOK(mp_init(&order_1));
-	MP_CHECKOK(mp_init(&gx));
-	MP_CHECKOK(mp_init(&gy));
-	MP_CHECKOK(mp_init(&rx));
-	MP_CHECKOK(mp_init(&ry));
-	MP_CHECKOK(mp_init(&n));
-
-	MP_CHECKOK(mp_set_int(&one, 1));
-	MP_CHECKOK(mp_sub(&group->order, &one, &order_1));
-
-	/* encode base point */
-	if (group->meth->field_dec) {
-		MP_CHECKOK(group->meth->field_dec(&group->genx, &gx, group->meth));
-		MP_CHECKOK(group->meth->field_dec(&group->geny, &gy, group->meth));
-	} else {
-		MP_CHECKOK(mp_copy(&group->genx, &gx));
-		MP_CHECKOK(mp_copy(&group->geny, &gy));
-	}
-	if (ectestPrint) {
-		/* output base point */
-		printf("  base point P:\n");
-		MP_CHECKOK(mp_toradix(&gx, s, 16));
-		printf("    %s\n", s);
-		MP_CHECKOK(mp_toradix(&gy, s, 16));
-		printf("    %s\n", s);
-		if (group->meth->field_enc) {
-			printf("  base point P (encoded):\n");
-			MP_CHECKOK(mp_toradix(&group->genx, s, 16));
-			printf("    %s\n", s);
-			MP_CHECKOK(mp_toradix(&group->geny, s, 16));
-			printf("    %s\n", s);
-		}
-	}
-
-#ifdef ECL_ENABLE_GFP_PT_MUL_AFF
-	/* multiply base point by order - 1 and check for negative of base
-	 * point */
-	MP_CHECKOK(ec_GFp_pt_mul_aff
-			   (&order_1, &group->genx, &group->geny, &rx, &ry, group));
-	if (ectestPrint) {
-		printf("  (order-1)*P (affine):\n");
-		MP_CHECKOK(mp_toradix(&rx, s, 16));
-		printf("    %s\n", s);
-		MP_CHECKOK(mp_toradix(&ry, s, 16));
-		printf("    %s\n", s);
-	}
-	MP_CHECKOK(group->meth->field_neg(&ry, &ry, group->meth));
-	if ((mp_cmp(&rx, &group->genx) != 0)
-		|| (mp_cmp(&ry, &group->geny) != 0)) {
-		printf("  Error: invalid result (expected (- base point)).\n");
-		res = MP_NO;
-		goto CLEANUP;
-	}
-#endif
-
-#ifdef ECL_ENABLE_GFP_PT_MUL_AFF
-	/* multiply base point by order - 1 and check for negative of base
-	 * point */
-	MP_CHECKOK(ec_GFp_pt_mul_jac
-			   (&order_1, &group->genx, &group->geny, &rx, &ry, group));
-	if (ectestPrint) {
-		printf("  (order-1)*P (jacobian):\n");
-		MP_CHECKOK(mp_toradix(&rx, s, 16));
-		printf("    %s\n", s);
-		MP_CHECKOK(mp_toradix(&ry, s, 16));
-		printf("    %s\n", s);
-	}
-	MP_CHECKOK(group->meth->field_neg(&ry, &ry, group->meth));
-	if ((mp_cmp(&rx, &group->genx) != 0)
-		|| (mp_cmp(&ry, &group->geny) != 0)) {
-		printf("  Error: invalid result (expected (- base point)).\n");
-		res = MP_NO;
-		goto CLEANUP;
-	}
-#endif
-
-	/* multiply base point by order - 1 and check for negative of base
-	 * point */
-	MP_CHECKOK(ECPoint_mul(group, &order_1, NULL, NULL, &rx, &ry));
-	if (ectestPrint) {
-		printf("  (order-1)*P (ECPoint_mul):\n");
-		MP_CHECKOK(mp_toradix(&rx, s, 16));
-		printf("    %s\n", s);
-		MP_CHECKOK(mp_toradix(&ry, s, 16));
-		printf("    %s\n", s);
-	}
-	MP_CHECKOK(mp_submod(&group->meth->irr, &ry, &group->meth->irr, &ry));
-	if ((mp_cmp(&rx, &gx) != 0) || (mp_cmp(&ry, &gy) != 0)) {
-		printf("  Error: invalid result (expected (- base point)).\n");
-		res = MP_NO;
-		goto CLEANUP;
-	}
-
-	/* multiply base point by order - 1 and check for negative of base
-	 * point */
-	MP_CHECKOK(ECPoint_mul(group, &order_1, &gx, &gy, &rx, &ry));
-	if (ectestPrint) {
-		printf("  (order-1)*P (ECPoint_mul):\n");
-		MP_CHECKOK(mp_toradix(&rx, s, 16));
-		printf("    %s\n", s);
-		MP_CHECKOK(mp_toradix(&ry, s, 16));
-		printf("    %s\n", s);
-	}
-	MP_CHECKOK(mp_submod(&group->meth->irr, &ry, &group->meth->irr, &ry));
-	if ((mp_cmp(&rx, &gx) != 0) || (mp_cmp(&ry, &gy) != 0)) {
-		printf("  Error: invalid result (expected (- base point)).\n");
-		res = MP_NO;
-		goto CLEANUP;
-	}
-
-#ifdef ECL_ENABLE_GFP_PT_MUL_AFF
-	/* multiply base point by order and check for point at infinity */
-	MP_CHECKOK(ec_GFp_pt_mul_aff
-			   (&group->order, &group->genx, &group->geny, &rx, &ry,
-				group));
-	if (ectestPrint) {
-		printf("  (order)*P (affine):\n");
-		MP_CHECKOK(mp_toradix(&rx, s, 16));
-		printf("    %s\n", s);
-		MP_CHECKOK(mp_toradix(&ry, s, 16));
-		printf("    %s\n", s);
-	}
-	if (ec_GFp_pt_is_inf_aff(&rx, &ry) != MP_YES) {
-		printf("  Error: invalid result (expected point at infinity).\n");
-		res = MP_NO;
-		goto CLEANUP;
-	}
-#endif
-
-#ifdef ECL_ENABLE_GFP_PT_MUL_JAC
-	/* multiply base point by order and check for point at infinity */
-	MP_CHECKOK(ec_GFp_pt_mul_jac
-			   (&group->order, &group->genx, &group->geny, &rx, &ry,
-				group));
-	if (ectestPrint) {
-		printf("  (order)*P (jacobian):\n");
-		MP_CHECKOK(mp_toradix(&rx, s, 16));
-		printf("    %s\n", s);
-		MP_CHECKOK(mp_toradix(&ry, s, 16));
-		printf("    %s\n", s);
-	}
-	if (ec_GFp_pt_is_inf_aff(&rx, &ry) != MP_YES) {
-		printf("  Error: invalid result (expected point at infinity).\n");
-		res = MP_NO;
-		goto CLEANUP;
-	}
-#endif
-
-	/* multiply base point by order and check for point at infinity */
-	MP_CHECKOK(ECPoint_mul(group, &group->order, NULL, NULL, &rx, &ry));
-	if (ectestPrint) {
-		printf("  (order)*P (ECPoint_mul):\n");
-		MP_CHECKOK(mp_toradix(&rx, s, 16));
-		printf("    %s\n", s);
-		MP_CHECKOK(mp_toradix(&ry, s, 16));
-		printf("    %s\n", s);
-	}
-	if (ec_GFp_pt_is_inf_aff(&rx, &ry) != MP_YES) {
-		printf("  Error: invalid result (expected point at infinity).\n");
-		res = MP_NO;
-		goto CLEANUP;
-	}
-
-	/* multiply base point by order and check for point at infinity */
-	MP_CHECKOK(ECPoint_mul(group, &group->order, &gx, &gy, &rx, &ry));
-	if (ectestPrint) {
-		printf("  (order)*P (ECPoint_mul):\n");
-		MP_CHECKOK(mp_toradix(&rx, s, 16));
-		printf("    %s\n", s);
-		MP_CHECKOK(mp_toradix(&ry, s, 16));
-		printf("    %s\n", s);
-	}
-	if (ec_GFp_pt_is_inf_aff(&rx, &ry) != MP_YES) {
-		printf("  Error: invalid result (expected point at infinity).\n");
-		res = MP_NO;
-		goto CLEANUP;
-	}
-
-	/* check that (order-1)P + (order-1)P + P == (order-1)P */
-	MP_CHECKOK(ECPoints_mul
-			   (group, &order_1, &order_1, &gx, &gy, &rx, &ry));
-	MP_CHECKOK(ECPoints_mul(group, &one, &one, &rx, &ry, &rx, &ry));
-	if (ectestPrint) {
-		printf
-			("  (order-1)*P + (order-1)*P + P == (order-1)*P (ECPoints_mul):\n");
-		MP_CHECKOK(mp_toradix(&rx, s, 16));
-		printf("    %s\n", s);
-		MP_CHECKOK(mp_toradix(&ry, s, 16));
-		printf("    %s\n", s);
-	}
-	MP_CHECKOK(mp_submod(&group->meth->irr, &ry, &group->meth->irr, &ry));
-	if ((mp_cmp(&rx, &gx) != 0) || (mp_cmp(&ry, &gy) != 0)) {
-		printf("  Error: invalid result (expected (- base point)).\n");
-		res = MP_NO;
-		goto CLEANUP;
-	}
-
-	/* test validate_point function */
-	if (ECPoint_validate(group, &gx, &gy) != MP_YES) {
-		printf("  Error: validate point on base point failed.\n");
-		res = MP_NO;
-		goto CLEANUP;
-	}
-	MP_CHECKOK(mp_add_d(&gy, 1, &ry));
-	if (ECPoint_validate(group, &gx, &ry) != MP_NO) {
-		printf("  Error: validate point on invalid point passed.\n");
-		res = MP_NO;
-		goto CLEANUP;
-	}
-
-	if (ectestTime) {
-		/* compute random scalar */
-		size = mpl_significant_bits(&group->meth->irr);
-		if (size < MP_OKAY) {
-			goto CLEANUP;
-		}
-		MP_CHECKOK(mpp_random_size(&n, (size + ECL_BITS - 1) / ECL_BITS));
-		MP_CHECKOK(group->meth->field_mod(&n, &n, group->meth));
-		/* timed test */
-		if (generic) {
-#ifdef ECL_ENABLE_GFP_PT_MUL_AFF
-			M_TimeOperation(MP_CHECKOK
-							(ec_GFp_pt_mul_aff
-							 (&n, &group->genx, &group->geny, &rx, &ry,
-							  group)), 100);
-#endif
-			M_TimeOperation(MP_CHECKOK
-							(ECPoint_mul(group, &n, NULL, NULL, &rx, &ry)),
-							100);
-			M_TimeOperation(MP_CHECKOK
-							(ECPoints_mul
-							 (group, &n, &n, &gx, &gy, &rx, &ry)), 100);
-		} else {
-			M_TimeOperation(MP_CHECKOK
-							(ECPoint_mul(group, &n, NULL, NULL, &rx, &ry)),
-							100);
-			M_TimeOperation(MP_CHECKOK
-							(ECPoint_mul(group, &n, &gx, &gy, &rx, &ry)),
-							100);
-			M_TimeOperation(MP_CHECKOK
-							(ECPoints_mul
-							 (group, &n, &n, &gx, &gy, &rx, &ry)), 100);
-		}
-	}
-
-  CLEANUP:
-	mp_clear(&one);
-	mp_clear(&order_1);
-	mp_clear(&gx);
-	mp_clear(&gy);
-	mp_clear(&rx);
-	mp_clear(&ry);
-	mp_clear(&n);
-	if (res != MP_OKAY) {
-		printf("  Error: exiting with error value %i\n", res);
-	}
-	return res;
-}
-
-/* Prints help information. */
-void
-printUsage()
-{
-	printf("Usage: ecp_test [--print] [--time]\n");
-	printf
-		("	--print     Print out results of each point arithmetic test.\n");
-	printf
-		("	--time      Benchmark point operations and print results.\n");
-}
-
-/* Performs tests of elliptic curve cryptography over prime fields If
- * tests fail, then it prints an error message, aborts, and returns an
- * error code. Otherwise, returns 0. */
-int
-main(int argv, char **argc)
-{
-
-	int ectestTime = 0;
-	int ectestPrint = 0;
-	int i;
-	ECGroup *group = NULL;
-	ECCurveParams *params = NULL;
-	mp_err res;
-
-	/* read command-line arguments */
-	for (i = 1; i < argv; i++) {
-		if ((strcasecmp(argc[i], "time") == 0)
-			|| (strcasecmp(argc[i], "-time") == 0)
-			|| (strcasecmp(argc[i], "--time") == 0)) {
-			ectestTime = 1;
-		} else if ((strcasecmp(argc[i], "print") == 0)
-				   || (strcasecmp(argc[i], "-print") == 0)
-				   || (strcasecmp(argc[i], "--print") == 0)) {
-			ectestPrint = 1;
-		} else {
-			printUsage();
-			return 0;
-		}
-	}
-
-	/* generic arithmetic tests */
-	ECTEST_GENERIC_GFP("SECP-160R1", ECCurve_SECG_PRIME_160R1);
-
-	/* specific arithmetic tests */
-	ECTEST_NAMED_GFP("SECP-160K1", ECCurve_SECG_PRIME_160K1);
-	ECTEST_NAMED_GFP("SECP-160R1", ECCurve_SECG_PRIME_160R1);
-	ECTEST_NAMED_GFP("SECP-160R2", ECCurve_SECG_PRIME_160R2);
-	ECTEST_NAMED_GFP("SECP-192K1", ECCurve_SECG_PRIME_192K1);
-	ECTEST_NAMED_GFP("SECP-192R1", ECCurve_SECG_PRIME_192R1);
-	ECTEST_NAMED_GFP("SECP-224K1", ECCurve_SECG_PRIME_224K1);
-	ECTEST_NAMED_GFP("SECP-224R1", ECCurve_SECG_PRIME_224R1);
-
-  CLEANUP:
-	EC_FreeCurveParams(params);
-	ECGroup_free(group);
-	if (res != MP_OKAY) {
-		printf("Error: exiting with error value %i\n", res);
-	}
-	return res;
-}
diff --git a/security/nss/lib/freebl/freebl.def b/security/nss/lib/freebl/freebl.def
deleted file mode 100644
index 61b3337c2..000000000
--- a/security/nss/lib/freebl/freebl.def
+++ /dev/null
@@ -1,58 +0,0 @@
-;+#
-;+# ***** BEGIN LICENSE BLOCK *****
-;+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-;+#
-;+# The contents of this file are subject to the Mozilla Public License Version
-;+# 1.1 (the "License"); you may not use this file except in compliance with
-;+# the License. You may obtain a copy of the License at
-;+# http://www.mozilla.org/MPL/
-;+#
-;+# Software distributed under the License is distributed on an "AS IS" basis,
-;+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-;+# for the specific language governing rights and limitations under the
-;+# License.
-;+#
-;+# The Original Code is the Netscape security libraries.
-;+#
-;+# The Initial Developer of the Original Code is
-;+# Netscape Communications Corporation.
-;+# Portions created by the Initial Developer are Copyright (C) 2000
-;+# the Initial Developer. All Rights Reserved.
-;+#
-;+# Contributor(s):
-;+#
-;+# Alternatively, the contents of this file may be used under the terms of
-;+# either the GNU General Public License Version 2 or later (the "GPL"), or
-;+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-;+# in which case the provisions of the GPL or the LGPL are applicable instead
-;+# of those above. If you wish to allow use of your version of this file only
-;+# under the terms of either the GPL or the LGPL, and not to allow others to
-;+# use your version of this file under the terms of the MPL, indicate your
-;+# decision by deleting the provisions above and replace them with the notice
-;+# and other provisions required by the GPL or the LGPL. If you do not delete
-;+# the provisions above, a recipient may use your version of this file under
-;+# the terms of any one of the MPL, the GPL or the LGPL.
-;+#
-;+# ***** END LICENSE BLOCK *****
-;+#
-;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
-;+#   1. For all unix platforms, the string ";-"  means "remove this line"
-;+#   2. For all unix platforms, the string " DATA " will be removed from any 
-;+#	line on which it occurs.
-;+#   3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
-;+#      On AIX, lines containing ";+" will be removed.  
-;+#   4. For all unix platforms, the string ";;" will thave the ";;" removed.
-;+#   5. For all unix platforms, after the above processing has taken place,
-;+#    all characters after the first ";" on the line will be removed.  
-;+#    And for AIX, the first ";" will also be removed.
-;+#  This file is passed directly to windows. Since ';' is a comment, all UNIX
-;+#   directives are hidden behind ";", ";+", and ";-"
-;+
-;+NSSprivate_3.11 {               # NSS 3.11 release
-;+    global:
-LIBRARY freebl3 ;-
-EXPORTS	;-
-FREEBL_GetVector;
-;+    local:
-;+       *;
-;+};
diff --git a/security/nss/lib/freebl/freebl.rc b/security/nss/lib/freebl/freebl.rc
deleted file mode 100644
index 4f60cba9f..000000000
--- a/security/nss/lib/freebl/freebl.rc
+++ /dev/null
@@ -1,101 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2001
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "nss.h"
-#include <winver.h>
-
-#define MY_LIBNAME "freebl"
-#define MY_FILEDESCRIPTION "NSS freebl Library"
-
-#define STRINGIZE(x) #x
-#define STRINGIZE2(x) STRINGIZE(x)
-#define NSS_VMAJOR_STR STRINGIZE2(NSS_VMAJOR)
-
-#ifdef _DEBUG
-#define MY_DEBUG_STR " (debug)"
-#define MY_FILEFLAGS_1 VS_FF_DEBUG
-#else
-#define MY_DEBUG_STR ""
-#define MY_FILEFLAGS_1 0x0L
-#endif
-#if NSS_BETA
-#define MY_FILEFLAGS_2 MY_FILEFLAGS_1|VS_FF_PRERELEASE
-#else
-#define MY_FILEFLAGS_2 MY_FILEFLAGS_1
-#endif
-
-#ifdef WINNT
-#define MY_FILEOS VOS_NT_WINDOWS32
-#else
-#define MY_FILEOS VOS__WINDOWS32
-#endif
-
-#define MY_INTERNAL_NAME MY_LIBNAME NSS_VMAJOR_STR
-
-/////////////////////////////////////////////////////////////////////////////
-//
-// Version-information resource
-//
-
-VS_VERSION_INFO VERSIONINFO
- FILEVERSION NSS_VMAJOR,NSS_VMINOR,NSS_VPATCH,0
- PRODUCTVERSION NSS_VMAJOR,NSS_VMINOR,NSS_VPATCH,0
- FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
- FILEFLAGS MY_FILEFLAGS_2
- FILEOS MY_FILEOS
- FILETYPE VFT_DLL
- FILESUBTYPE 0x0L // not used
-
-BEGIN
-    BLOCK "StringFileInfo"
-    BEGIN
-        BLOCK "040904B0" // Lang=US English, CharSet=Unicode
-        BEGIN
-            VALUE "CompanyName", "Netscape Communications Corporation\0"
-            VALUE "FileDescription", MY_FILEDESCRIPTION MY_DEBUG_STR "\0"
-            VALUE "FileVersion", NSS_VERSION "\0"
-            VALUE "InternalName", MY_INTERNAL_NAME "\0"
-            VALUE "LegalCopyright", "Copyright \251 2005 Netscape Communications Corporation\0"
-            VALUE "OriginalFilename", MY_INTERNAL_NAME ".dll\0"
-            VALUE "ProductName", "Network Security Services\0"
-            VALUE "ProductVersion", NSS_VERSION "\0"
-        END
-    END
-    BLOCK "VarFileInfo"
-    BEGIN
-        VALUE "Translation", 0x409, 1200
-    END
-END
diff --git a/security/nss/lib/freebl/freeblver.c b/security/nss/lib/freebl/freeblver.c
deleted file mode 100644
index e2c6a538c..000000000
--- a/security/nss/lib/freebl/freeblver.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2005
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/* Library identity and versioning */
-
-#include "nss.h"
-
-#if defined(DEBUG)
-#define _DEBUG_STRING " (debug)"
-#else
-#define _DEBUG_STRING ""
-#endif
-
-/*
- * Version information for the 'ident' and 'what commands
- *
- * NOTE: the first component of the concatenated rcsid string
- * must not end in a '$' to prevent rcs keyword substitution.
- */
-const char __nss_freebl_rcsid[] = "$Header: NSS " NSS_VERSION _DEBUG_STRING
-        "  " __DATE__ " " __TIME__ " $";
-const char __nss_freebl_sccsid[] = "@(#)NSS " NSS_VERSION _DEBUG_STRING
-        "  " __DATE__ " " __TIME__;
diff --git a/security/nss/lib/freebl/ldvector.c b/security/nss/lib/freebl/ldvector.c
deleted file mode 100644
index 595d7dd8b..000000000
--- a/security/nss/lib/freebl/ldvector.c
+++ /dev/null
@@ -1,238 +0,0 @@
-/*
- * ldvector.c - platform dependent DSO containing freebl implementation.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "loader.h"
-#include "alghmac.h"
-
-static const struct FREEBLVectorStr vector = 
-{
-
-    sizeof vector,
-    FREEBL_VERSION,
-
-    RSA_NewKey,
-    RSA_PublicKeyOp,
-    RSA_PrivateKeyOp,
-    DSA_NewKey,
-    DSA_SignDigest,
-    DSA_VerifyDigest,
-    DSA_NewKeyFromSeed,
-    DSA_SignDigestWithSeed,
-    DH_GenParam,
-    DH_NewKey,
-    DH_Derive,
-    KEA_Derive,
-    KEA_Verify,
-    RC4_CreateContext,
-    RC4_DestroyContext,
-    RC4_Encrypt,
-    RC4_Decrypt,
-    RC2_CreateContext,
-    RC2_DestroyContext,
-    RC2_Encrypt,
-    RC2_Decrypt,
-    RC5_CreateContext,
-    RC5_DestroyContext,
-    RC5_Encrypt,
-    RC5_Decrypt,
-    DES_CreateContext,
-    DES_DestroyContext,
-    DES_Encrypt,
-    DES_Decrypt,
-    AES_CreateContext,
-    AES_DestroyContext,
-    AES_Encrypt,
-    AES_Decrypt,
-    MD5_Hash,
-    MD5_HashBuf,
-    MD5_NewContext,
-    MD5_DestroyContext,
-    MD5_Begin,
-    MD5_Update,
-    MD5_End,
-    MD5_FlattenSize,
-    MD5_Flatten,
-    MD5_Resurrect,
-    MD5_TraceState,
-    MD2_Hash,
-    MD2_NewContext,
-    MD2_DestroyContext,
-    MD2_Begin,
-    MD2_Update,
-    MD2_End,
-    MD2_FlattenSize,
-    MD2_Flatten,
-    MD2_Resurrect,
-    SHA1_Hash,
-    SHA1_HashBuf,
-    SHA1_NewContext,
-    SHA1_DestroyContext,
-    SHA1_Begin,
-    SHA1_Update,
-    SHA1_End,
-    SHA1_TraceState,
-    SHA1_FlattenSize,
-    SHA1_Flatten,
-    SHA1_Resurrect,
-    RNG_RNGInit,
-    RNG_RandomUpdate,
-    RNG_GenerateGlobalRandomBytes,
-    RNG_RNGShutdown,
-    PQG_ParamGen,
-    PQG_ParamGenSeedLen,
-    PQG_VerifyParams,
-
-    /* End of Version 3.001. */
-
-    RSA_PrivateKeyOpDoubleChecked,
-    RSA_PrivateKeyCheck,
-    BL_Cleanup,
-
-    /* End of Version 3.002. */
-
-    SHA256_NewContext,
-    SHA256_DestroyContext,
-    SHA256_Begin,
-    SHA256_Update,
-    SHA256_End,
-    SHA256_HashBuf,
-    SHA256_Hash,
-    SHA256_TraceState,
-    SHA256_FlattenSize,
-    SHA256_Flatten,
-    SHA256_Resurrect,
-
-    SHA512_NewContext,
-    SHA512_DestroyContext,
-    SHA512_Begin,
-    SHA512_Update,
-    SHA512_End,
-    SHA512_HashBuf,
-    SHA512_Hash,
-    SHA512_TraceState,
-    SHA512_FlattenSize,
-    SHA512_Flatten,
-    SHA512_Resurrect,
-
-    SHA384_NewContext,
-    SHA384_DestroyContext,
-    SHA384_Begin,
-    SHA384_Update,
-    SHA384_End,
-    SHA384_HashBuf,
-    SHA384_Hash,
-    SHA384_TraceState,
-    SHA384_FlattenSize,
-    SHA384_Flatten,
-    SHA384_Resurrect,
-
-    /* End of Version 3.003. */
-
-    AESKeyWrap_CreateContext,
-    AESKeyWrap_DestroyContext,
-    AESKeyWrap_Encrypt,
-    AESKeyWrap_Decrypt,
-
-    /* End of Version 3.004. */
-
-    BLAPI_SHVerify,
-    BLAPI_VerifySelf,
-
-    /* End of Version 3.005. */
-
-    EC_NewKey,
-    EC_NewKeyFromSeed,
-    EC_ValidatePublicKey,
-    ECDH_Derive,
-    ECDSA_SignDigest,
-    ECDSA_VerifyDigest,
-    ECDSA_SignDigestWithSeed,
-
-    /* End of Version 3.006. */
-    /* End of Version 3.007. */
-
-    AES_InitContext,
-    AESKeyWrap_InitContext,
-    DES_InitContext,
-    RC2_InitContext,
-    RC4_InitContext,
-
-    AES_AllocateContext,
-    AESKeyWrap_AllocateContext,
-    DES_AllocateContext,
-    RC2_AllocateContext,
-    RC4_AllocateContext,
-
-    MD2_Clone,
-    MD5_Clone,
-    SHA1_Clone,
-    SHA256_Clone,
-    SHA384_Clone,
-    SHA512_Clone,
-
-    TLS_PRF,
-    HASH_GetRawHashObject,
-
-    HMAC_Create,
-    HMAC_Init,
-    HMAC_Begin,
-    HMAC_Update,
-    HMAC_Clone,
-    HMAC_Finish,
-    HMAC_Destroy,
-
-    RNG_SystemInfoForRNG,
-
-    /* End of Version 3.008. */
-};
-
-const FREEBLVector * 
-FREEBL_GetVector(void)
-{
-    extern const char __nss_freebl_rcsid[];
-    extern const char __nss_freebl_sccsid[];
-
-    /* force a reference that won't get optimized away */
-    volatile char c = __nss_freebl_rcsid[0] + __nss_freebl_sccsid[0]; 
-
-    return &vector;
-}
-
diff --git a/security/nss/lib/freebl/loader.c b/security/nss/lib/freebl/loader.c
deleted file mode 100644
index b98ea9c68..000000000
--- a/security/nss/lib/freebl/loader.c
+++ /dev/null
@@ -1,1616 +0,0 @@
-/*
- * loader.c - load platform dependent DSO containing freebl implementation.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "loader.h"
-#include "prmem.h"
-#include "prerror.h"
-#include "prinit.h"
-
-static const char* default_name =
-    SHLIB_PREFIX"freebl"SHLIB_VERSION"."SHLIB_SUFFIX;
-
-/* getLibName() returns the name of the library to load. */
-
-#if defined(SOLARIS) && defined(__sparc)
-#include <stddef.h>
-#include <strings.h>
-#include <sys/systeminfo.h>
-
-
-#if defined(NSS_USE_64)
-
-const static char fpu_hybrid_shared_lib[] = "libfreebl_64fpu_3.so";
-const static char int_hybrid_shared_lib[] = "libfreebl_64int_3.so";
-const static char non_hybrid_shared_lib[] = "libfreebl_64fpu_3.so";
-
-const static char int_hybrid_isa[] = "sparcv9";
-const static char fpu_hybrid_isa[] = "sparcv9+vis";
-
-#else
-
-const static char fpu_hybrid_shared_lib[] = "libfreebl_32fpu_3.so";
-const static char int_hybrid_shared_lib[] = "libfreebl_32int64_3.so";
-const static char non_hybrid_shared_lib[] = "libfreebl_32int_3.so";
-
-const static char int_hybrid_isa[] = "sparcv8plus";
-const static char fpu_hybrid_isa[] = "sparcv8plus+vis";
-
-#endif
-
-static const char *
-getLibName(void)
-{
-    char * found_int_hybrid;
-    char * found_fpu_hybrid;
-    long buflen;
-    char buf[256];
-
-    buflen = sysinfo(SI_ISALIST, buf, sizeof buf);
-    if (buflen <= 0) 
-	return NULL;
-    /* The ISA list is a space separated string of names of ISAs and
-     * ISA extensions, in order of decreasing performance.
-     * There are two different ISAs with which NSS's crypto code can be
-     * accelerated. If both are in the list, we take the first one.
-     * If one is in the list, we use it, and if neither then we use
-     * the base unaccelerated code.
-     */
-    found_int_hybrid = strstr(buf, int_hybrid_isa);
-    found_fpu_hybrid = strstr(buf, fpu_hybrid_isa);
-    if (found_fpu_hybrid && 
-	(!found_int_hybrid ||
-	 (found_int_hybrid - found_fpu_hybrid) >= 0)) {
-	return fpu_hybrid_shared_lib;
-    }
-    if (found_int_hybrid) {
-	return int_hybrid_shared_lib;
-    }
-    return non_hybrid_shared_lib;
-}
-
-#elif defined(HPUX) && !defined(NSS_USE_64) && !defined(__ia64)
-/* This code tests to see if we're running on a PA2.x CPU.
-** It returns true (1) if so, and false (0) otherwise.
-*/
-static const char *
-getLibName(void)
-{
-    long cpu = sysconf(_SC_CPU_VERSION);
-    return (cpu == CPU_PA_RISC2_0) 
-		? "libfreebl_32fpu_3.sl"
-	        : "libfreebl_32int32_3.sl" ;
-}
-#else
-/* default case, for platforms/ABIs that have only one freebl shared lib. */
-static const char * getLibName(void) { return default_name; }
-#endif
-
-#ifdef XP_UNIX
-#include <unistd.h>
-#endif
-
-#define BL_MAXSYMLINKS 20
-
-/*
- * If 'link' is a symbolic link, this function follows the symbolic links
- * and returns the pathname of the ultimate source of the symbolic links.
- * If 'link' is not a symbolic link, this function returns a copy of 'link'.
- * The caller should call PR_Free to free the string returned by this
- * function.
- */
-static char* bl_GetOriginalPathname(const char* link)
-{
-#ifdef XP_UNIX
-    char* resolved = NULL;
-    char* input = NULL;
-    PRUint32 iterations = 0;
-    PRInt32 len = 0, retlen = 0;
-    if (!link) {
-        PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
-        return NULL;
-    }
-    len = PR_MAX(1024, strlen(link) + 1);
-    resolved = PR_Malloc(len);
-    input = PR_Malloc(len);
-    if (!resolved || !input) {
-        if (resolved) {
-            PR_Free(resolved);
-        }
-        if (input) {
-            PR_Free(input);
-        }
-        return NULL;
-    }
-    strcpy(input, link);
-    while ( (iterations++ < BL_MAXSYMLINKS) &&
-            ( (retlen = readlink(input, resolved, len - 1)) > 0) ) {
-        char* tmp = input;
-        resolved[retlen] = '\0'; /* NULL termination */
-        input = resolved;
-        resolved = tmp;
-    }
-    PR_Free(resolved);
-    return input;
-#else
-    if (link) {
-        return PL_strdup(link);
-    } else {
-        PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
-        return NULL;
-    }
-#endif
-}
-
-/*
- * We use PR_GetLibraryFilePathname to get the pathname of the loaded 
- * shared lib that contains this function, and then do a PR_LoadLibrary
- * with an absolute pathname for the freebl shared library.
- */
-
-#include "prio.h"
-#include "prprf.h"
-#include <stdio.h>
-#include "prsystem.h"
-
-const char* softoken=SHLIB_PREFIX"softokn"SOFTOKEN_SHLIB_VERSION"."SHLIB_SUFFIX;
-
-typedef struct {
-    PRLibrary *dlh;
-} BLLibrary;
-
-static BLLibrary *
-bl_LoadLibrary(const char *name)
-{
-    BLLibrary *lib = NULL;
-    PRFuncPtr fn_addr;
-    char* softokenPath = NULL;
-    char* fullName = NULL;
-    PRLibSpec libSpec;
-
-    libSpec.type = PR_LibSpec_Pathname;
-    lib = PR_NEWZAP(BLLibrary);
-    if (NULL == lib) {
-        PR_SetError(PR_OUT_OF_MEMORY_ERROR, 0);
-        return NULL;
-    }
-
-    /* Get the pathname for the loaded libsoftokn, i.e. /usr/lib/libsoftokn3.so
-     * PR_GetLibraryFilePathname works with either the base library name or a
-     * function pointer, depending on the platform. We can't query an exported
-     * symbol such as NSC_GetFunctionList, because on some platforms we can't
-     * find symbols in loaded implicit dependencies such as libsoftokn.
-     * But we can just get the address of this function !
-     */
-    fn_addr = (PRFuncPtr) &bl_LoadLibrary;
-    softokenPath = PR_GetLibraryFilePathname(softoken, fn_addr);
-
-    /* Remove "libsoftokn" from the pathname and add the freebl libname */
-    if (softokenPath) {
-       char* c;
-       char* originalSoftokenPath = bl_GetOriginalPathname(softokenPath);
-       if (originalSoftokenPath) {
-           PR_Free(softokenPath);
-           softokenPath = originalSoftokenPath;
-       }
-       c = strrchr(softokenPath, PR_GetDirectorySeparator());
-       if (c) {
-           size_t softoknPathSize = 1 + c - softokenPath;
-           fullName = (char*) PORT_Alloc(strlen(name) + softoknPathSize + 1);
-           if (fullName) {
-               memcpy(fullName, softokenPath, softoknPathSize);
-               strcpy(fullName + softoknPathSize, name); 
-           }
-       }
-       PR_Free(softokenPath);
-    }
-    if (fullName) {
-#ifdef DEBUG_LOADER
-        PR_fprintf(PR_STDOUT, "\nAttempting to load fully-qualified %s\n", 
-                   fullName);
-#endif
-        libSpec.value.pathname = fullName;
-        lib->dlh = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL);
-        PORT_Free(fullName);
-    }
-    if (!lib->dlh) {
-#ifdef DEBUG_LOADER
-        PR_fprintf(PR_STDOUT, "\nAttempting to load %s\n", name);
-#endif
-        libSpec.value.pathname = name;
-        lib->dlh = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL);
-    }
-    if (NULL == lib->dlh) {
-#ifdef DEBUG_LOADER
-        PR_fprintf(PR_STDOUT, "\nLoading failed : %s.\n", name);
-#endif
-        PR_Free(lib);
-        lib = NULL;
-    }
-    return lib;
-}
-
-static void *
-bl_FindSymbol(BLLibrary *lib, const char *name)
-{
-    void *f;
-
-    f = PR_FindSymbol(lib->dlh, name);
-    return f;
-}
-
-static PRStatus
-bl_UnloadLibrary(BLLibrary *lib)
-{
-    if (PR_SUCCESS != PR_UnloadLibrary(lib->dlh)) {
-        return PR_FAILURE;
-    }
-    PR_Free(lib);
-    return PR_SUCCESS;
-}
-
-#define LSB(x) ((x)&0xff)
-#define MSB(x) ((x)>>8)
-
-static const FREEBLVector *vector;
-static const char *libraryName = NULL;
-
-/* This function must be run only once. */
-/*  determine if hybrid platform, then actually load the DSO. */
-static PRStatus
-freebl_LoadDSO( void ) 
-{
-  BLLibrary *  handle;
-  const char * name = getLibName();
-
-  if (!name) {
-    PR_SetError(PR_LOAD_LIBRARY_ERROR, 0);
-    return PR_FAILURE;
-  }
-
-  handle = bl_LoadLibrary(name);
-  if (handle) {
-    void * address = bl_FindSymbol(handle, "FREEBL_GetVector");
-    if (address) {
-      FREEBLGetVectorFn  * getVector = (FREEBLGetVectorFn *)address;
-      const FREEBLVector * dsoVector = getVector();
-      if (dsoVector) {
-	unsigned short dsoVersion = dsoVector->version;
-	unsigned short  myVersion = FREEBL_VERSION;
-	if (MSB(dsoVersion) == MSB(myVersion) && 
-	    LSB(dsoVersion) >= LSB(myVersion) &&
-	    dsoVector->length >= sizeof(FREEBLVector)) {
-          vector = dsoVector;
-	  libraryName = name;
-	  return PR_SUCCESS;
-	}
-      }
-    }
-    bl_UnloadLibrary(handle);
-  }
-  return PR_FAILURE;
-}
-
-static PRStatus
-freebl_RunLoaderOnce( void )
-{
-  PRStatus status;
-  static PRCallOnceType once;
-
-  status = PR_CallOnce(&once, &freebl_LoadDSO);
-  return status;
-}
-
-
-RSAPrivateKey * 
-RSA_NewKey(int keySizeInBits, SECItem * publicExponent)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return NULL;
-  return (vector->p_RSA_NewKey)(keySizeInBits, publicExponent);
-}
-
-SECStatus 
-RSA_PublicKeyOp(RSAPublicKey *   key,
-				 unsigned char *  output,
-				 const unsigned char *  input)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_RSA_PublicKeyOp)(key, output, input);
-}
-
-SECStatus 
-RSA_PrivateKeyOp(RSAPrivateKey *  key,
-				  unsigned char *  output,
-				  const unsigned char *  input)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_RSA_PrivateKeyOp)(key, output, input);
-}
-
-SECStatus
-RSA_PrivateKeyOpDoubleChecked(RSAPrivateKey *key,
-                              unsigned char *output,
-                              const unsigned char *input)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_RSA_PrivateKeyOpDoubleChecked)(key, output, input);
-}
-
-SECStatus
-RSA_PrivateKeyCheck(RSAPrivateKey *key)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_RSA_PrivateKeyCheck)(key);
-}
-
-SECStatus 
-DSA_NewKey(const PQGParams * params, DSAPrivateKey ** privKey)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_DSA_NewKey)(params, privKey);
-}
-
-SECStatus 
-DSA_SignDigest(DSAPrivateKey * key, SECItem * signature, const SECItem * digest)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_DSA_SignDigest)( key,  signature,  digest);
-}
-
-SECStatus 
-DSA_VerifyDigest(DSAPublicKey * key, const SECItem * signature, 
-                 const SECItem * digest)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_DSA_VerifyDigest)( key,  signature,  digest);
-}
-
-SECStatus 
-DSA_NewKeyFromSeed(const PQGParams *params, const unsigned char * seed,
-                   DSAPrivateKey **privKey)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_DSA_NewKeyFromSeed)(params,  seed, privKey);
-}
-
-SECStatus 
-DSA_SignDigestWithSeed(DSAPrivateKey * key, SECItem * signature,
-		       const SECItem * digest, const unsigned char * seed)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_DSA_SignDigestWithSeed)( key, signature, digest, seed);
-}
-
-SECStatus 
-DH_GenParam(int primeLen, DHParams ** params)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_DH_GenParam)(primeLen, params);
-}
-
-SECStatus 
-DH_NewKey(DHParams * params, DHPrivateKey ** privKey)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_DH_NewKey)( params, privKey);
-}
-
-SECStatus 
-DH_Derive(SECItem * publicValue, SECItem * prime, SECItem * privateValue, 
-			 SECItem * derivedSecret, unsigned int maxOutBytes)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_DH_Derive)( publicValue, prime, privateValue, 
-				derivedSecret, maxOutBytes);
-}
-
-SECStatus 
-KEA_Derive(SECItem *prime, SECItem *public1, SECItem *public2, 
-	   SECItem *private1, SECItem *private2, SECItem *derivedSecret)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_KEA_Derive)(prime, public1, public2, 
-	                        private1, private2, derivedSecret);
-}
-
-PRBool 
-KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return PR_FALSE;
-  return (vector->p_KEA_Verify)(Y, prime, subPrime);
-}
-
-RC4Context *
-RC4_CreateContext(const unsigned char *key, int len)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return NULL;
-  return (vector->p_RC4_CreateContext)(key, len);
-}
-
-void 
-RC4_DestroyContext(RC4Context *cx, PRBool freeit)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return;
-  (vector->p_RC4_DestroyContext)(cx, freeit);
-}
-
-SECStatus 
-RC4_Encrypt(RC4Context *cx, unsigned char *output, unsigned int *outputLen, 
-	    unsigned int maxOutputLen, const unsigned char *input, 
-	    unsigned int inputLen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_RC4_Encrypt)(cx, output, outputLen, maxOutputLen, input, 
-	                         inputLen);
-}
-
-SECStatus 
-RC4_Decrypt(RC4Context *cx, unsigned char *output, unsigned int *outputLen, 
-	    unsigned int maxOutputLen, const unsigned char *input, 
-	    unsigned int inputLen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_RC4_Decrypt)(cx, output, outputLen, maxOutputLen, input, 
-	                         inputLen);
-}
-
-RC2Context *
-RC2_CreateContext(const unsigned char *key, unsigned int len,
-		  const unsigned char *iv, int mode, unsigned effectiveKeyLen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return NULL;
-  return (vector->p_RC2_CreateContext)(key, len, iv, mode, effectiveKeyLen);
-}
-
-void 
-RC2_DestroyContext(RC2Context *cx, PRBool freeit)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return;
-  (vector->p_RC2_DestroyContext)(cx, freeit);
-}
-
-SECStatus 
-RC2_Encrypt(RC2Context *cx, unsigned char *output, unsigned int *outputLen, 
-	    unsigned int maxOutputLen, const unsigned char *input, 
-	    unsigned int inputLen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_RC2_Encrypt)(cx, output, outputLen, maxOutputLen, input, 
-	                         inputLen);
-}
-
-SECStatus 
-RC2_Decrypt(RC2Context *cx, unsigned char *output, unsigned int *outputLen, 
-	    unsigned int maxOutputLen, const unsigned char *input, 
-	    unsigned int inputLen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_RC2_Decrypt)(cx, output, outputLen, maxOutputLen, input, 
-	                         inputLen);
-}
-
-RC5Context *
-RC5_CreateContext(const SECItem *key, unsigned int rounds,
-		  unsigned int wordSize, const unsigned char *iv, int mode)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return NULL;
-  return (vector->p_RC5_CreateContext)(key, rounds, wordSize, iv, mode);
-}
-
-void 
-RC5_DestroyContext(RC5Context *cx, PRBool freeit)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return;
-  (vector->p_RC5_DestroyContext)(cx, freeit);
-}
-
-SECStatus 
-RC5_Encrypt(RC5Context *cx, unsigned char *output, unsigned int *outputLen, 
-	    unsigned int maxOutputLen, const unsigned char *input, 
-	    unsigned int inputLen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_RC5_Encrypt)(cx, output, outputLen, maxOutputLen, input, 
-				 inputLen);
-}
-
-SECStatus 
-RC5_Decrypt(RC5Context *cx, unsigned char *output, unsigned int *outputLen, 
-	    unsigned int maxOutputLen, const unsigned char *input, 
-	    unsigned int inputLen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_RC5_Decrypt)(cx, output, outputLen, maxOutputLen, input, 
-	                         inputLen);
-}
-
-DESContext *
-DES_CreateContext(const unsigned char *key, const unsigned char *iv,
-		  int mode, PRBool encrypt)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return NULL;
-  return (vector->p_DES_CreateContext)(key, iv, mode, encrypt);
-}
-
-void 
-DES_DestroyContext(DESContext *cx, PRBool freeit)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return;
-  (vector->p_DES_DestroyContext)(cx, freeit);
-}
-
-SECStatus 
-DES_Encrypt(DESContext *cx, unsigned char *output, unsigned int *outputLen, 
-	    unsigned int maxOutputLen, const unsigned char *input, 
-	    unsigned int inputLen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_DES_Encrypt)(cx, output, outputLen, maxOutputLen, input, 
-	                         inputLen);
-}
-
-SECStatus 
-DES_Decrypt(DESContext *cx, unsigned char *output, unsigned int *outputLen, 
-	    unsigned int maxOutputLen, const unsigned char *input, 
-	    unsigned int inputLen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_DES_Decrypt)(cx, output, outputLen, maxOutputLen, input, 
-	                         inputLen);
-}
-
-AESContext *
-AES_CreateContext(const unsigned char *key, const unsigned char *iv, 
-                  int mode, int encrypt,
-                  unsigned int keylen, unsigned int blocklen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return NULL;
-  return (vector->p_AES_CreateContext)(key, iv, mode, encrypt, keylen, 
-				       blocklen);
-}
-
-void 
-AES_DestroyContext(AESContext *cx, PRBool freeit)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return ;
-  (vector->p_AES_DestroyContext)(cx, freeit);
-}
-
-SECStatus 
-AES_Encrypt(AESContext *cx, unsigned char *output,
-            unsigned int *outputLen, unsigned int maxOutputLen,
-            const unsigned char *input, unsigned int inputLen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_AES_Encrypt)(cx, output, outputLen, maxOutputLen, 
-				 input, inputLen);
-}
-
-SECStatus 
-AES_Decrypt(AESContext *cx, unsigned char *output,
-            unsigned int *outputLen, unsigned int maxOutputLen,
-            const unsigned char *input, unsigned int inputLen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_AES_Decrypt)(cx, output, outputLen, maxOutputLen, 
-				 input, inputLen);
-}
-
-SECStatus 
-MD5_Hash(unsigned char *dest, const char *src)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_MD5_Hash)(dest, src);
-}
-
-SECStatus 
-MD5_HashBuf(unsigned char *dest, const unsigned char *src, uint32 src_length)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_MD5_HashBuf)(dest, src, src_length);
-}
-
-MD5Context *
-MD5_NewContext(void)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return NULL;
-  return (vector->p_MD5_NewContext)();
-}
-
-void 
-MD5_DestroyContext(MD5Context *cx, PRBool freeit)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return;
-  (vector->p_MD5_DestroyContext)(cx, freeit);
-}
-
-void 
-MD5_Begin(MD5Context *cx)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return;
-  (vector->p_MD5_Begin)(cx);
-}
-
-void 
-MD5_Update(MD5Context *cx, const unsigned char *input, unsigned int inputLen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return;
-  (vector->p_MD5_Update)(cx, input, inputLen);
-}
-
-void 
-MD5_End(MD5Context *cx, unsigned char *digest,
-		    unsigned int *digestLen, unsigned int maxDigestLen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return;
-  (vector->p_MD5_End)(cx, digest, digestLen, maxDigestLen);
-}
-
-unsigned int 
-MD5_FlattenSize(MD5Context *cx)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return 0;
-  return (vector->p_MD5_FlattenSize)(cx);
-}
-
-SECStatus 
-MD5_Flatten(MD5Context *cx,unsigned char *space)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_MD5_Flatten)(cx, space);
-}
-
-MD5Context * 
-MD5_Resurrect(unsigned char *space, void *arg)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return NULL;
-  return (vector->p_MD5_Resurrect)(space, arg);
-}
-
-void 
-MD5_TraceState(MD5Context *cx)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return ;
-  (vector->p_MD5_TraceState)(cx);
-}
-
-SECStatus 
-MD2_Hash(unsigned char *dest, const char *src)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_MD2_Hash)(dest, src);
-}
-
-MD2Context *
-MD2_NewContext(void)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return NULL;
-  return (vector->p_MD2_NewContext)();
-}
-
-void 
-MD2_DestroyContext(MD2Context *cx, PRBool freeit)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return ;
-  (vector->p_MD2_DestroyContext)(cx, freeit);
-}
-
-void 
-MD2_Begin(MD2Context *cx)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return ;
-  (vector->p_MD2_Begin)(cx);
-}
-
-void 
-MD2_Update(MD2Context *cx, const unsigned char *input, unsigned int inputLen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return ;
-  (vector->p_MD2_Update)(cx, input, inputLen);
-}
-
-void 
-MD2_End(MD2Context *cx, unsigned char *digest,
-		    unsigned int *digestLen, unsigned int maxDigestLen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return ;
-  (vector->p_MD2_End)(cx, digest, digestLen, maxDigestLen);
-}
-
-unsigned int 
-MD2_FlattenSize(MD2Context *cx)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return 0;
-  return (vector->p_MD2_FlattenSize)(cx);
-}
-
-SECStatus 
-MD2_Flatten(MD2Context *cx,unsigned char *space)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_MD2_Flatten)(cx, space);
-}
-
-MD2Context * 
-MD2_Resurrect(unsigned char *space, void *arg)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return NULL;
-  return (vector->p_MD2_Resurrect)(space, arg);
-}
-
-
-SECStatus 
-SHA1_Hash(unsigned char *dest, const char *src)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_SHA1_Hash)(dest, src);
-}
-
-SECStatus 
-SHA1_HashBuf(unsigned char *dest, const unsigned char *src, uint32 src_length)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_SHA1_HashBuf)(dest, src, src_length);
-}
-
-SHA1Context *
-SHA1_NewContext(void)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return NULL;
-  return (vector->p_SHA1_NewContext)();
-}
-
-void 
-SHA1_DestroyContext(SHA1Context *cx, PRBool freeit)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return ;
-  (vector->p_SHA1_DestroyContext)(cx, freeit);
-}
-
-void 
-SHA1_Begin(SHA1Context *cx)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return ;
-  (vector->p_SHA1_Begin)(cx);
-}
-
-void 
-SHA1_Update(SHA1Context *cx, const unsigned char *input,
-			unsigned int inputLen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return ;
-  (vector->p_SHA1_Update)(cx, input, inputLen);
-}
-
-void 
-SHA1_End(SHA1Context *cx, unsigned char *digest,
-		     unsigned int *digestLen, unsigned int maxDigestLen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return ;
-  (vector->p_SHA1_End)(cx, digest, digestLen, maxDigestLen);
-}
-
-void 
-SHA1_TraceState(SHA1Context *cx)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return ;
-  (vector->p_SHA1_TraceState)(cx);
-}
-
-unsigned int 
-SHA1_FlattenSize(SHA1Context *cx)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return 0;
-  return (vector->p_SHA1_FlattenSize)(cx);
-}
-
-SECStatus 
-SHA1_Flatten(SHA1Context *cx,unsigned char *space)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_SHA1_Flatten)(cx, space);
-}
-
-SHA1Context * 
-SHA1_Resurrect(unsigned char *space, void *arg)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return NULL;
-  return (vector->p_SHA1_Resurrect)(space, arg);
-}
-
-SECStatus 
-RNG_RNGInit(void)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_RNG_RNGInit)();
-}
-
-SECStatus 
-RNG_RandomUpdate(const void *data, size_t bytes)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_RNG_RandomUpdate)(data, bytes);
-}
-
-SECStatus 
-RNG_GenerateGlobalRandomBytes(void *dest, size_t len)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_RNG_GenerateGlobalRandomBytes)(dest, len);
-}
-
-void  
-RNG_RNGShutdown(void)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return ;
-  (vector->p_RNG_RNGShutdown)();
-}
-
-SECStatus
-PQG_ParamGen(unsigned int j, PQGParams **pParams, PQGVerify **pVfy)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_PQG_ParamGen)(j, pParams, pVfy); 
-}
-
-SECStatus
-PQG_ParamGenSeedLen( unsigned int j, unsigned int seedBytes, 
-                     PQGParams **pParams, PQGVerify **pVfy)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_PQG_ParamGenSeedLen)(j, seedBytes, pParams, pVfy);
-}
-
-SECStatus   
-PQG_VerifyParams(const PQGParams *params, const PQGVerify *vfy, 
-		 SECStatus *result)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_PQG_VerifyParams)(params, vfy, result);
-}
-
-void 
-BL_Cleanup(void)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return;
-  (vector->p_BL_Cleanup)();
-}
-
-/* ============== New for 3.003 =============================== */
-
-SECStatus 
-SHA256_Hash(unsigned char *dest, const char *src)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_SHA256_Hash)(dest, src);
-}
-
-SECStatus 
-SHA256_HashBuf(unsigned char *dest, const unsigned char *src, uint32 src_length)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_SHA256_HashBuf)(dest, src, src_length);
-}
-
-SHA256Context *
-SHA256_NewContext(void)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return NULL;
-  return (vector->p_SHA256_NewContext)();
-}
-
-void 
-SHA256_DestroyContext(SHA256Context *cx, PRBool freeit)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return ;
-  (vector->p_SHA256_DestroyContext)(cx, freeit);
-}
-
-void 
-SHA256_Begin(SHA256Context *cx)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return ;
-  (vector->p_SHA256_Begin)(cx);
-}
-
-void 
-SHA256_Update(SHA256Context *cx, const unsigned char *input,
-			unsigned int inputLen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return ;
-  (vector->p_SHA256_Update)(cx, input, inputLen);
-}
-
-void 
-SHA256_End(SHA256Context *cx, unsigned char *digest,
-		     unsigned int *digestLen, unsigned int maxDigestLen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return ;
-  (vector->p_SHA256_End)(cx, digest, digestLen, maxDigestLen);
-}
-
-void 
-SHA256_TraceState(SHA256Context *cx)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return ;
-  (vector->p_SHA256_TraceState)(cx);
-}
-
-unsigned int 
-SHA256_FlattenSize(SHA256Context *cx)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return 0;
-  return (vector->p_SHA256_FlattenSize)(cx);
-}
-
-SECStatus 
-SHA256_Flatten(SHA256Context *cx,unsigned char *space)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_SHA256_Flatten)(cx, space);
-}
-
-SHA256Context * 
-SHA256_Resurrect(unsigned char *space, void *arg)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return NULL;
-  return (vector->p_SHA256_Resurrect)(space, arg);
-}
-
-SECStatus 
-SHA512_Hash(unsigned char *dest, const char *src)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_SHA512_Hash)(dest, src);
-}
-
-SECStatus 
-SHA512_HashBuf(unsigned char *dest, const unsigned char *src, uint32 src_length)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_SHA512_HashBuf)(dest, src, src_length);
-}
-
-SHA512Context *
-SHA512_NewContext(void)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return NULL;
-  return (vector->p_SHA512_NewContext)();
-}
-
-void 
-SHA512_DestroyContext(SHA512Context *cx, PRBool freeit)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return ;
-  (vector->p_SHA512_DestroyContext)(cx, freeit);
-}
-
-void 
-SHA512_Begin(SHA512Context *cx)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return ;
-  (vector->p_SHA512_Begin)(cx);
-}
-
-void 
-SHA512_Update(SHA512Context *cx, const unsigned char *input,
-			unsigned int inputLen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return ;
-  (vector->p_SHA512_Update)(cx, input, inputLen);
-}
-
-void 
-SHA512_End(SHA512Context *cx, unsigned char *digest,
-		     unsigned int *digestLen, unsigned int maxDigestLen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return ;
-  (vector->p_SHA512_End)(cx, digest, digestLen, maxDigestLen);
-}
-
-void 
-SHA512_TraceState(SHA512Context *cx)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return ;
-  (vector->p_SHA512_TraceState)(cx);
-}
-
-unsigned int 
-SHA512_FlattenSize(SHA512Context *cx)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return 0;
-  return (vector->p_SHA512_FlattenSize)(cx);
-}
-
-SECStatus 
-SHA512_Flatten(SHA512Context *cx,unsigned char *space)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_SHA512_Flatten)(cx, space);
-}
-
-SHA512Context * 
-SHA512_Resurrect(unsigned char *space, void *arg)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return NULL;
-  return (vector->p_SHA512_Resurrect)(space, arg);
-}
-
-
-SECStatus 
-SHA384_Hash(unsigned char *dest, const char *src)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_SHA384_Hash)(dest, src);
-}
-
-SECStatus 
-SHA384_HashBuf(unsigned char *dest, const unsigned char *src, uint32 src_length)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_SHA384_HashBuf)(dest, src, src_length);
-}
-
-SHA384Context *
-SHA384_NewContext(void)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return NULL;
-  return (vector->p_SHA384_NewContext)();
-}
-
-void 
-SHA384_DestroyContext(SHA384Context *cx, PRBool freeit)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return ;
-  (vector->p_SHA384_DestroyContext)(cx, freeit);
-}
-
-void 
-SHA384_Begin(SHA384Context *cx)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return ;
-  (vector->p_SHA384_Begin)(cx);
-}
-
-void 
-SHA384_Update(SHA384Context *cx, const unsigned char *input,
-			unsigned int inputLen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return ;
-  (vector->p_SHA384_Update)(cx, input, inputLen);
-}
-
-void 
-SHA384_End(SHA384Context *cx, unsigned char *digest,
-		     unsigned int *digestLen, unsigned int maxDigestLen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return ;
-  (vector->p_SHA384_End)(cx, digest, digestLen, maxDigestLen);
-}
-
-void 
-SHA384_TraceState(SHA384Context *cx)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return ;
-  (vector->p_SHA384_TraceState)(cx);
-}
-
-unsigned int 
-SHA384_FlattenSize(SHA384Context *cx)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return 0;
-  return (vector->p_SHA384_FlattenSize)(cx);
-}
-
-SECStatus 
-SHA384_Flatten(SHA384Context *cx,unsigned char *space)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_SHA384_Flatten)(cx, space);
-}
-
-SHA384Context * 
-SHA384_Resurrect(unsigned char *space, void *arg)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return NULL;
-  return (vector->p_SHA384_Resurrect)(space, arg);
-}
-
-
-AESKeyWrapContext *
-AESKeyWrap_CreateContext(const unsigned char *key, const unsigned char *iv, 
-                         int encrypt, unsigned int keylen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return NULL;
-  return vector->p_AESKeyWrap_CreateContext(key, iv, encrypt, keylen);
-}
-
-void 
-AESKeyWrap_DestroyContext(AESKeyWrapContext *cx, PRBool freeit)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return;
-  vector->p_AESKeyWrap_DestroyContext(cx, freeit);
-}
-
-SECStatus 
-AESKeyWrap_Encrypt(AESKeyWrapContext *cx, unsigned char *output,
-		   unsigned int *outputLen, unsigned int maxOutputLen,
-		   const unsigned char *input, unsigned int inputLen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return vector->p_AESKeyWrap_Encrypt(cx, output, outputLen, maxOutputLen,
-                                      input, inputLen);
-}
-SECStatus 
-AESKeyWrap_Decrypt(AESKeyWrapContext *cx, unsigned char *output,
-		   unsigned int *outputLen, unsigned int maxOutputLen,
-		   const unsigned char *input, unsigned int inputLen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return vector->p_AESKeyWrap_Decrypt(cx, output, outputLen, maxOutputLen,
-		                      input, inputLen);
-}
-
-PRBool
-BLAPI_SHVerify(const char *name, PRFuncPtr addr)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return PR_FALSE;
-  return vector->p_BLAPI_SHVerify(name, addr);
-}
-
-/*
- * The Caller is expected to pass NULL as the name, which will
- * trigger the p_BLAPI_VerifySelf() to return 'TRUE'. If we really loaded
- * from a shared library, BLAPI_VerifySelf will get pick up the real name
- * from the static set in freebl_LoadDSO( void ) 
- */
-PRBool
-BLAPI_VerifySelf(const char *name)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return PR_FALSE;
-  return vector->p_BLAPI_VerifySelf(libraryName);
-}
-
-/* ============== New for 3.006 =============================== */
-
-SECStatus 
-EC_NewKey(ECParams * params, ECPrivateKey ** privKey)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_EC_NewKey)( params, privKey );
-}
-
-SECStatus 
-EC_NewKeyFromSeed(ECParams * params, ECPrivateKey ** privKey,
-    const unsigned char *seed, int seedlen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_EC_NewKeyFromSeed)( params, privKey, seed, seedlen );
-}
-
-SECStatus 
-EC_ValidatePublicKey(ECParams * params, SECItem * publicValue)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_EC_ValidatePublicKey)( params, publicValue );
-}
-
-SECStatus 
-ECDH_Derive(SECItem * publicValue, ECParams * params, SECItem * privateValue,
-            PRBool withCofactor, SECItem * derivedSecret)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_ECDH_Derive)( publicValue, params, privateValue,
-                                  withCofactor, derivedSecret );
-}
-
-SECStatus
-ECDSA_SignDigest(ECPrivateKey * key, SECItem * signature,
-    const SECItem * digest)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_ECDSA_SignDigest)( key, signature, digest );
-}
-
-SECStatus
-ECDSA_VerifyDigest(ECPublicKey * key, const SECItem * signature,
-    const SECItem * digest)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_ECDSA_VerifyDigest)( key, signature, digest );
-}
-
-SECStatus
-ECDSA_SignDigestWithSeed(ECPrivateKey * key, SECItem * signature,
-    const SECItem * digest, const unsigned char *seed, const int seedlen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_ECDSA_SignDigestWithSeed)( key, signature, digest, 
-      seed, seedlen );
-}
-
-/* ============== New for 3.008 =============================== */
-
-AESContext *
-AES_AllocateContext(void)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return NULL;
-  return (vector->p_AES_AllocateContext)();
-}
-
-AESKeyWrapContext *
-AESKeyWrap_AllocateContext(void)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return NULL;
-  return (vector->p_AESKeyWrap_AllocateContext)();
-}
-
-DESContext *
-DES_AllocateContext(void)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return NULL;
-  return (vector->p_DES_AllocateContext)();
-}
-
-RC2Context *
-RC2_AllocateContext(void)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return NULL;
-  return (vector->p_RC2_AllocateContext)();
-}
-
-RC4Context *
-RC4_AllocateContext(void)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return NULL;
-  return (vector->p_RC4_AllocateContext)();
-}
-
-SECStatus 
-AES_InitContext(AESContext *cx, const unsigned char *key, 
-		unsigned int keylen, const unsigned char *iv, int mode,
-		unsigned int encrypt, unsigned int blocklen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_AES_InitContext)(cx, key, keylen, iv, mode, encrypt, 
-				     blocklen);
-}
-
-SECStatus 
-AESKeyWrap_InitContext(AESKeyWrapContext *cx, const unsigned char *key, 
-		unsigned int keylen, const unsigned char *iv, int mode,
-		unsigned int encrypt, unsigned int blocklen)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_AESKeyWrap_InitContext)(cx, key, keylen, iv, mode, 
-					    encrypt, blocklen);
-}
-
-SECStatus 
-DES_InitContext(DESContext *cx, const unsigned char *key, 
-		unsigned int keylen, const unsigned char *iv, int mode,
-		unsigned int encrypt, unsigned int xtra)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_DES_InitContext)(cx, key, keylen, iv, mode, encrypt, xtra);
-}
-
-SECStatus 
-RC2_InitContext(RC2Context *cx, const unsigned char *key, 
-		unsigned int keylen, const unsigned char *iv, int mode,
-		unsigned int effectiveKeyLen, unsigned int xtra)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_RC2_InitContext)(cx, key, keylen, iv, mode, 
-				     effectiveKeyLen, xtra);
-}
-
-SECStatus 
-RC4_InitContext(RC4Context *cx, const unsigned char *key, 
-		unsigned int keylen, const unsigned char *x1, int x2,
-		unsigned int x3, unsigned int x4)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_RC4_InitContext)(cx, key, keylen, x1, x2, x3, x4);
-}
-
-void 
-MD2_Clone(MD2Context *dest, MD2Context *src)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return;
-  (vector->p_MD2_Clone)(dest, src);
-}
-
-void 
-MD5_Clone(MD5Context *dest, MD5Context *src)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return;
-  (vector->p_MD5_Clone)(dest, src);
-}
-
-void 
-SHA1_Clone(SHA1Context *dest, SHA1Context *src)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return;
-  (vector->p_SHA1_Clone)(dest, src);
-}
-
-void 
-SHA256_Clone(SHA256Context *dest, SHA256Context *src)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return;
-  (vector->p_SHA256_Clone)(dest, src);
-}
-
-void 
-SHA384_Clone(SHA384Context *dest, SHA384Context *src)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return;
-  (vector->p_SHA384_Clone)(dest, src);
-}
-
-void 
-SHA512_Clone(SHA512Context *dest, SHA512Context *src)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return;
-  (vector->p_SHA512_Clone)(dest, src);
-}
-
-SECStatus 
-TLS_PRF(const SECItem *secret, const char *label, 
-		     SECItem *seed, SECItem *result, PRBool isFIPS)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_TLS_PRF)(secret, label, seed, result, isFIPS);
-}
-
-const SECHashObject *
-HASH_GetRawHashObject(HASH_HashType hashType)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return NULL;
-  return (vector->p_HASH_GetRawHashObject)(hashType);
-}
-
-
-void
-HMAC_Destroy(HMACContext *cx, PRBool freeit)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return;
-  (vector->p_HMAC_Destroy)(cx, freeit);
-}
-
-HMACContext *
-HMAC_Create(const SECHashObject *hashObj, const unsigned char *secret, 
-	    unsigned int secret_len, PRBool isFIPS)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return NULL;
-  return (vector->p_HMAC_Create)(hashObj, secret, secret_len, isFIPS);
-}
-
-SECStatus
-HMAC_Init(HMACContext *cx, const SECHashObject *hashObj, 
-	  const unsigned char *secret, unsigned int secret_len, PRBool isFIPS)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_HMAC_Init)(cx, hashObj, secret, secret_len, isFIPS);
-}
-
-void
-HMAC_Begin(HMACContext *cx)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return;
-  (vector->p_HMAC_Begin)(cx);
-}
-
-void 
-HMAC_Update(HMACContext *cx, const unsigned char *data, unsigned int data_len)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return;
-  (vector->p_HMAC_Update)(cx, data, data_len);
-}
-
-SECStatus
-HMAC_Finish(HMACContext *cx, unsigned char *result, unsigned int *result_len,
-	    unsigned int max_result_len)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return SECFailure;
-  return (vector->p_HMAC_Finish)(cx, result, result_len, max_result_len);
-}
-
-HMACContext *
-HMAC_Clone(HMACContext *cx)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return NULL;
-  return (vector->p_HMAC_Clone)(cx);
-}
-
-void
-RNG_SystemInfoForRNG(void)
-{
-  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
-      return ;
-  (vector->p_RNG_SystemInfoForRNG)();
-
-}
diff --git a/security/nss/lib/freebl/loader.h b/security/nss/lib/freebl/loader.h
deleted file mode 100644
index 89bab5401..000000000
--- a/security/nss/lib/freebl/loader.h
+++ /dev/null
@@ -1,464 +0,0 @@
-/*
- * loader.h - load platform dependent DSO containing freebl implementation.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#ifndef _LOADER_H_
-#define _LOADER_H_ 1
-
-#include "blapi.h"
-
-#define FREEBL_VERSION 0x0308
-
-struct FREEBLVectorStr {
-
-  unsigned short length;  /* of this struct in bytes */
-  unsigned short version; /* of this struct. */
-
-  RSAPrivateKey * (* p_RSA_NewKey)(int         keySizeInBits,
-				 SECItem *   publicExponent);
-
-  SECStatus (* p_RSA_PublicKeyOp) (RSAPublicKey *   key,
-				 unsigned char *  output,
-				 const unsigned char *  input);
-
-  SECStatus (* p_RSA_PrivateKeyOp)(RSAPrivateKey *  key,
-				  unsigned char *  output,
-				  const unsigned char *  input);
-
-  SECStatus (* p_DSA_NewKey)(const PQGParams *    params, 
-		            DSAPrivateKey **      privKey);
-
-  SECStatus (* p_DSA_SignDigest)(DSAPrivateKey *   key,
-				SECItem *         signature,
-				const SECItem *   digest);
-
-  SECStatus (* p_DSA_VerifyDigest)(DSAPublicKey *  key,
-				  const SECItem *  signature,
-				  const SECItem *  digest);
-
-  SECStatus (* p_DSA_NewKeyFromSeed)(const PQGParams *params, 
-				     const unsigned char * seed,
-                                     DSAPrivateKey **privKey);
-
-  SECStatus (* p_DSA_SignDigestWithSeed)(DSAPrivateKey * key,
-				        SECItem *             signature,
-				        const SECItem *       digest,
-				        const unsigned char * seed);
-
- SECStatus (* p_DH_GenParam)(int primeLen, DHParams ** params);
-
- SECStatus (* p_DH_NewKey)(DHParams *           params, 
-                           DHPrivateKey **	privKey);
-
- SECStatus (* p_DH_Derive)(SECItem *    publicValue, 
-		           SECItem *    prime, 
-			   SECItem *    privateValue, 
-			   SECItem *    derivedSecret,
-			   unsigned int maxOutBytes);
-
- SECStatus (* p_KEA_Derive)(SECItem *prime, 
-                            SECItem *public1, 
-                            SECItem *public2, 
-			    SECItem *private1, 
-			    SECItem *private2,
-			    SECItem *derivedSecret);
-
- PRBool (* p_KEA_Verify)(SECItem *Y, SECItem *prime, SECItem *subPrime);
-
- RC4Context * (* p_RC4_CreateContext)(const unsigned char *key, int len);
-
- void (* p_RC4_DestroyContext)(RC4Context *cx, PRBool freeit);
-
- SECStatus (* p_RC4_Encrypt)(RC4Context *cx, unsigned char *output,
-			    unsigned int *outputLen, unsigned int maxOutputLen,
-			    const unsigned char *input, unsigned int inputLen);
-
- SECStatus (* p_RC4_Decrypt)(RC4Context *cx, unsigned char *output,
-			    unsigned int *outputLen, unsigned int maxOutputLen,
-			    const unsigned char *input, unsigned int inputLen);
-
- RC2Context * (* p_RC2_CreateContext)(const unsigned char *key, 
-                     unsigned int len, const unsigned char *iv, 
-		     int mode, unsigned effectiveKeyLen);
-
- void (* p_RC2_DestroyContext)(RC2Context *cx, PRBool freeit);
-
- SECStatus (* p_RC2_Encrypt)(RC2Context *cx, unsigned char *output,
-			    unsigned int *outputLen, unsigned int maxOutputLen,
-			    const unsigned char *input, unsigned int inputLen);
-
- SECStatus (* p_RC2_Decrypt)(RC2Context *cx, unsigned char *output,
-			    unsigned int *outputLen, unsigned int maxOutputLen,
-			    const unsigned char *input, unsigned int inputLen);
-
- RC5Context *(* p_RC5_CreateContext)(const SECItem *key, unsigned int rounds,
-                     unsigned int wordSize, const unsigned char *iv, int mode);
-
- void (* p_RC5_DestroyContext)(RC5Context *cx, PRBool freeit);
-
- SECStatus (* p_RC5_Encrypt)(RC5Context *cx, unsigned char *output,
-                            unsigned int *outputLen, unsigned int maxOutputLen,
-                            const unsigned char *input, unsigned int inputLen);
-
- SECStatus (* p_RC5_Decrypt)(RC5Context *cx, unsigned char *output,
-                            unsigned int *outputLen, unsigned int maxOutputLen,
-                            const unsigned char *input, unsigned int inputLen);
-
- DESContext *(* p_DES_CreateContext)(const unsigned char *key, 
-                                     const unsigned char *iv,
-				     int mode, PRBool encrypt);
-
- void (* p_DES_DestroyContext)(DESContext *cx, PRBool freeit);
-
- SECStatus (* p_DES_Encrypt)(DESContext *cx, unsigned char *output,
-			    unsigned int *outputLen, unsigned int maxOutputLen,
-			    const unsigned char *input, unsigned int inputLen);
-
- SECStatus (* p_DES_Decrypt)(DESContext *cx, unsigned char *output,
-			    unsigned int *outputLen, unsigned int maxOutputLen,
-			    const unsigned char *input, unsigned int inputLen);
-
- AESContext * (* p_AES_CreateContext)(const unsigned char *key, 
-                            const unsigned char *iv, 
-			    int mode, int encrypt, unsigned int keylen, 
-			    unsigned int blocklen);
-
- void (* p_AES_DestroyContext)(AESContext *cx, PRBool freeit);
-
- SECStatus (* p_AES_Encrypt)(AESContext *cx, unsigned char *output,
-			    unsigned int *outputLen, unsigned int maxOutputLen,
-			    const unsigned char *input, unsigned int inputLen);
-
- SECStatus (* p_AES_Decrypt)(AESContext *cx, unsigned char *output,
-			    unsigned int *outputLen, unsigned int maxOutputLen,
-			    const unsigned char *input, unsigned int inputLen);
-
- SECStatus (* p_MD5_Hash)(unsigned char *dest, const char *src);
-
- SECStatus (* p_MD5_HashBuf)(unsigned char *dest, const unsigned char *src,
-			     uint32 src_length);
-
- MD5Context *(* p_MD5_NewContext)(void);
-
- void (* p_MD5_DestroyContext)(MD5Context *cx, PRBool freeit);
-
- void (* p_MD5_Begin)(MD5Context *cx);
-
- void (* p_MD5_Update)(MD5Context *cx,
-		       const unsigned char *input, unsigned int inputLen);
-
- void (* p_MD5_End)(MD5Context *cx, unsigned char *digest,
-		    unsigned int *digestLen, unsigned int maxDigestLen);
-
- unsigned int (* p_MD5_FlattenSize)(MD5Context *cx);
-
- SECStatus (* p_MD5_Flatten)(MD5Context *cx,unsigned char *space);
-
- MD5Context * (* p_MD5_Resurrect)(unsigned char *space, void *arg);
-
- void (* p_MD5_TraceState)(MD5Context *cx);
-
- SECStatus (* p_MD2_Hash)(unsigned char *dest, const char *src);
-
- MD2Context *(* p_MD2_NewContext)(void);
-
- void (* p_MD2_DestroyContext)(MD2Context *cx, PRBool freeit);
-
- void (* p_MD2_Begin)(MD2Context *cx);
-
- void (* p_MD2_Update)(MD2Context *cx,
-		       const unsigned char *input, unsigned int inputLen);
-
- void (* p_MD2_End)(MD2Context *cx, unsigned char *digest,
-		    unsigned int *digestLen, unsigned int maxDigestLen);
-
- unsigned int (* p_MD2_FlattenSize)(MD2Context *cx);
-
- SECStatus (* p_MD2_Flatten)(MD2Context *cx,unsigned char *space);
-
- MD2Context * (* p_MD2_Resurrect)(unsigned char *space, void *arg);
-
- SECStatus (* p_SHA1_Hash)(unsigned char *dest, const char *src);
-
- SECStatus (* p_SHA1_HashBuf)(unsigned char *dest, const unsigned char *src,
-			      uint32 src_length);
-
- SHA1Context *(* p_SHA1_NewContext)(void);
-
- void (* p_SHA1_DestroyContext)(SHA1Context *cx, PRBool freeit);
-
- void (* p_SHA1_Begin)(SHA1Context *cx);
-
- void (* p_SHA1_Update)(SHA1Context *cx, const unsigned char *input,
-			unsigned int inputLen);
-
- void (* p_SHA1_End)(SHA1Context *cx, unsigned char *digest,
-		     unsigned int *digestLen, unsigned int maxDigestLen);
-
- void (* p_SHA1_TraceState)(SHA1Context *cx);
-
- unsigned int (* p_SHA1_FlattenSize)(SHA1Context *cx);
-
- SECStatus (* p_SHA1_Flatten)(SHA1Context *cx,unsigned char *space);
-
- SHA1Context * (* p_SHA1_Resurrect)(unsigned char *space, void *arg);
-
- SECStatus (* p_RNG_RNGInit)(void);
-
- SECStatus (* p_RNG_RandomUpdate)(const void *data, size_t bytes);
-
- SECStatus (* p_RNG_GenerateGlobalRandomBytes)(void *dest, size_t len);
-
- void  (* p_RNG_RNGShutdown)(void);
-
- SECStatus (* p_PQG_ParamGen)(unsigned int j, PQGParams **pParams,  
-	                      PQGVerify **pVfy);    
-
- SECStatus (* p_PQG_ParamGenSeedLen)( unsigned int j, unsigned int seedBytes, 
-                                     PQGParams **pParams, PQGVerify **pVfy); 
-
- SECStatus (* p_PQG_VerifyParams)(const PQGParams *params, 
-                                  const PQGVerify *vfy, SECStatus *result);
-
-  /* Version 3.001 came to here */
-
-  SECStatus (* p_RSA_PrivateKeyOpDoubleChecked)(RSAPrivateKey *key,
-                              unsigned char *output,
-                              const unsigned char *input);
-
-  SECStatus (* p_RSA_PrivateKeyCheck)(RSAPrivateKey *key);
-
-  void (* p_BL_Cleanup)(void);
-
-  /* Version 3.002 came to here */
-
- SHA256Context *(* p_SHA256_NewContext)(void);
- void (* p_SHA256_DestroyContext)(SHA256Context *cx, PRBool freeit);
- void (* p_SHA256_Begin)(SHA256Context *cx);
- void (* p_SHA256_Update)(SHA256Context *cx, const unsigned char *input,
-			unsigned int inputLen);
- void (* p_SHA256_End)(SHA256Context *cx, unsigned char *digest,
-		     unsigned int *digestLen, unsigned int maxDigestLen);
- SECStatus (* p_SHA256_HashBuf)(unsigned char *dest, const unsigned char *src,
-			      uint32 src_length);
- SECStatus (* p_SHA256_Hash)(unsigned char *dest, const char *src);
- void (* p_SHA256_TraceState)(SHA256Context *cx);
- unsigned int (* p_SHA256_FlattenSize)(SHA256Context *cx);
- SECStatus (* p_SHA256_Flatten)(SHA256Context *cx,unsigned char *space);
- SHA256Context * (* p_SHA256_Resurrect)(unsigned char *space, void *arg);
-
- SHA512Context *(* p_SHA512_NewContext)(void);
- void (* p_SHA512_DestroyContext)(SHA512Context *cx, PRBool freeit);
- void (* p_SHA512_Begin)(SHA512Context *cx);
- void (* p_SHA512_Update)(SHA512Context *cx, const unsigned char *input,
-			unsigned int inputLen);
- void (* p_SHA512_End)(SHA512Context *cx, unsigned char *digest,
-		     unsigned int *digestLen, unsigned int maxDigestLen);
- SECStatus (* p_SHA512_HashBuf)(unsigned char *dest, const unsigned char *src,
-			      uint32 src_length);
- SECStatus (* p_SHA512_Hash)(unsigned char *dest, const char *src);
- void (* p_SHA512_TraceState)(SHA512Context *cx);
- unsigned int (* p_SHA512_FlattenSize)(SHA512Context *cx);
- SECStatus (* p_SHA512_Flatten)(SHA512Context *cx,unsigned char *space);
- SHA512Context * (* p_SHA512_Resurrect)(unsigned char *space, void *arg);
-
- SHA384Context *(* p_SHA384_NewContext)(void);
- void (* p_SHA384_DestroyContext)(SHA384Context *cx, PRBool freeit);
- void (* p_SHA384_Begin)(SHA384Context *cx);
- void (* p_SHA384_Update)(SHA384Context *cx, const unsigned char *input,
-			unsigned int inputLen);
- void (* p_SHA384_End)(SHA384Context *cx, unsigned char *digest,
-		     unsigned int *digestLen, unsigned int maxDigestLen);
- SECStatus (* p_SHA384_HashBuf)(unsigned char *dest, const unsigned char *src,
-			      uint32 src_length);
- SECStatus (* p_SHA384_Hash)(unsigned char *dest, const char *src);
- void (* p_SHA384_TraceState)(SHA384Context *cx);
- unsigned int (* p_SHA384_FlattenSize)(SHA384Context *cx);
- SECStatus (* p_SHA384_Flatten)(SHA384Context *cx,unsigned char *space);
- SHA384Context * (* p_SHA384_Resurrect)(unsigned char *space, void *arg);
-
-  /* Version 3.003 came to here */
-
- AESKeyWrapContext * (* p_AESKeyWrap_CreateContext)(const unsigned char *key, 
-                   const unsigned char *iv, int encrypt, unsigned int keylen);
-
- void (* p_AESKeyWrap_DestroyContext)(AESKeyWrapContext *cx, PRBool freeit);
-
- SECStatus (* p_AESKeyWrap_Encrypt)(AESKeyWrapContext *cx, 
-            unsigned char *output,
-            unsigned int *outputLen, unsigned int maxOutputLen,
-            const unsigned char *input, unsigned int inputLen);
-
- SECStatus (* p_AESKeyWrap_Decrypt)(AESKeyWrapContext *cx, 
-            unsigned char *output,
-            unsigned int *outputLen, unsigned int maxOutputLen,
-            const unsigned char *input, unsigned int inputLen);
-
-  /* Version 3.004 came to here */
-
- PRBool (*p_BLAPI_SHVerify)(const char *name, PRFuncPtr addr);
- PRBool (*p_BLAPI_VerifySelf)(const char *name);
-
-  /* Version 3.005 came to here */
-
- SECStatus (* p_EC_NewKey)(ECParams *           params, 
-                           ECPrivateKey **	privKey);
-
- SECStatus (* p_EC_NewKeyFromSeed)(ECParams *   params, 
-                             ECPrivateKey **	privKey,
-                             const unsigned char * seed,
-                             int                seedlen);
-
- SECStatus (* p_EC_ValidatePublicKey)(ECParams *   params, 
-			     SECItem *	        publicValue);
-
- SECStatus (* p_ECDH_Derive)(SECItem *          publicValue, 
-                             ECParams *         params,
-                             SECItem *          privateValue,
-                             PRBool             withCofactor,
-                             SECItem *          derivedSecret);
-
- SECStatus (* p_ECDSA_SignDigest)(ECPrivateKey * key,
-                             SECItem *          signature,
-                             const SECItem *    digest);
-
- SECStatus (* p_ECDSA_VerifyDigest)(ECPublicKey * key,
-                             const SECItem *    signature,
-                             const SECItem *    digest);
-
- SECStatus (* p_ECDSA_SignDigestWithSeed)(ECPrivateKey * key,
-                             SECItem *          signature,
-                             const SECItem *    digest,
-                             const unsigned char * seed,
-                             const int          seedlen);
-
-  /* Version 3.006 came to here */
-
-  /* no modification to FREEBLVectorStr itself 
-   * but ECParamStr was modified 
-   */
-
-  /* Version 3.007 came to here */
-
- SECStatus (* p_AES_InitContext)(AESContext *cx,
-				 const unsigned char *key, 
-				 unsigned int keylen, 
-				 const unsigned char *iv, 
-				 int mode, 
-				 unsigned int encrypt,
-				 unsigned int blocklen);
- SECStatus (* p_AESKeyWrap_InitContext)(AESKeyWrapContext *cx,
-				 const unsigned char *key, 
-				 unsigned int keylen, 
-				 const unsigned char *iv, 
-				 int mode, 
-				 unsigned int encrypt,
-				 unsigned int blocklen);
- SECStatus (* p_DES_InitContext)(DESContext *cx,
-				 const unsigned char *key, 
-				 unsigned int keylen,
-				 const unsigned char *iv, 
-				 int mode,
-				 unsigned int encrypt,
-				 unsigned int );
- SECStatus (* p_RC2_InitContext)(RC2Context *cx,
-				 const unsigned char *key, 
-				 unsigned int keylen,
-				 const unsigned char *iv, 
-				 int mode, 
-				 unsigned int effectiveKeyLen,
-				 unsigned int );
- SECStatus (* p_RC4_InitContext)(RC4Context *cx, 
-				 const unsigned char *key, 
-				 unsigned int keylen,
-				 const unsigned char *, 
-				 int, 
-				 unsigned int ,
-				 unsigned int );
-
- AESContext *(*p_AES_AllocateContext)(void);
- AESKeyWrapContext *(*p_AESKeyWrap_AllocateContext)(void);
- DESContext *(*p_DES_AllocateContext)(void);
- RC2Context *(*p_RC2_AllocateContext)(void);
- RC4Context *(*p_RC4_AllocateContext)(void);
-
- void (* p_MD2_Clone)(MD2Context *dest, MD2Context *src);
- void (* p_MD5_Clone)(MD5Context *dest, MD5Context *src);
- void (* p_SHA1_Clone)(SHA1Context *dest, SHA1Context *src);
- void (* p_SHA256_Clone)(SHA256Context *dest, SHA256Context *src);
- void (* p_SHA384_Clone)(SHA384Context *dest, SHA384Context *src);
- void (* p_SHA512_Clone)(SHA512Context *dest, SHA512Context *src);
-
- SECStatus (* p_TLS_PRF)(const SECItem *secret, const char *label, 
-		         SECItem *seed, SECItem *result, PRBool isFIPS);
-
- const SECHashObject *(* p_HASH_GetRawHashObject)(HASH_HashType hashType);
-
- HMACContext * (* p_HMAC_Create)(const SECHashObject *hashObj, 
-				 const unsigned char *secret, 
-				 unsigned int secret_len, PRBool isFIPS);
- SECStatus (* p_HMAC_Init)(HMACContext *cx, const SECHashObject *hash_obj, 
-			   const unsigned char *secret, 
-			   unsigned int secret_len, PRBool isFIPS);
- void (* p_HMAC_Begin)(HMACContext *cx);
- void  (* p_HMAC_Update)(HMACContext *cx, const unsigned char *data, 
-			 unsigned int data_len);
- HMACContext * (* p_HMAC_Clone)(HMACContext *cx);
- SECStatus (* p_HMAC_Finish)(HMACContext *cx, unsigned char *result, 
-			     unsigned int *result_len, 
-			     unsigned int max_result_len);
- void (* p_HMAC_Destroy)(HMACContext *cx, PRBool freeit);
-
- void (* p_RNG_SystemInfoForRNG)(void);
-
-  /* Version 3.008 came to here */
-};
-
-typedef struct FREEBLVectorStr FREEBLVector;
-
-SEC_BEGIN_PROTOS
-
-typedef const FREEBLVector * FREEBLGetVectorFn(void);
-
-extern FREEBLGetVectorFn FREEBL_GetVector;
-
-SEC_END_PROTOS
-
-#endif
diff --git a/security/nss/lib/freebl/mac_rand.c b/security/nss/lib/freebl/mac_rand.c
deleted file mode 100644
index 7d5cdf432..000000000
--- a/security/nss/lib/freebl/mac_rand.c
+++ /dev/null
@@ -1,318 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef notdef
-#include "xp_core.h"
-#include "xp_file.h"
-#endif
-#include "secrng.h"
-#include "mcom_db.h"
-#ifdef XP_MAC
-#include <Events.h>
-#include <OSUtils.h>
-#include <QDOffscreen.h>
-#include <PPCToolbox.h>
-#include <Processes.h>
-#include <LowMem.h>
-#include <Scrap.h>
-
-/* Static prototypes */
-static size_t CopyLowBits(void *dst, size_t dstlen, void *src, size_t srclen);
-void FE_ReadScreen();
-
-static size_t CopyLowBits(void *dst, size_t dstlen, void *src, size_t srclen)
-{
-    union endianness {
-        int32 i;
-        char c[4];
-    } u;
-
-    if (srclen <= dstlen) {
-        memcpy(dst, src, srclen);
-        return srclen;
-    }
-    u.i = 0x01020304;
-    if (u.c[0] == 0x01) {
-        /* big-endian case */
-        memcpy(dst, (char*)src + (srclen - dstlen), dstlen);
-    } else {
-        /* little-endian case */
-        memcpy(dst, src, dstlen);
-    }
-    return dstlen;
-}
-
-size_t RNG_GetNoise(void *buf, size_t maxbytes)
-{
-    UnsignedWide microTickCount;
-    Microseconds(&microTickCount);
-    return CopyLowBits(buf, maxbytes,  &microTickCount, sizeof(microTickCount));
-}
-
-void RNG_FileForRNG(const char *filename)
-{   
-    unsigned char buffer[BUFSIZ];
-    size_t bytes;
-#ifdef notdef /*sigh*/
-    XP_File file;
-	unsigned long totalFileBytes = 0;
-
-	if (filename == NULL)	/* For now, read in global history if filename is null */
-		file = XP_FileOpen(NULL, xpGlobalHistory,XP_FILE_READ_BIN);
-	else
-		file = XP_FileOpen(NULL, xpURL,XP_FILE_READ_BIN);
-    if (file != NULL) {
-        for (;;) {
-            bytes = XP_FileRead(buffer, sizeof(buffer), file);
-            if (bytes == 0) break;
-            RNG_RandomUpdate( buffer, bytes);
-            totalFileBytes += bytes;
-            if (totalFileBytes > 100*1024) break;	/* No more than 100 K */
-        }
-		XP_FileClose(file);
-    }
-#endif
-    /*
-     * Pass yet another snapshot of our highest resolution clock into
-     * the hash function.
-     */
-    bytes = RNG_GetNoise(buffer, sizeof(buffer));
-    RNG_RandomUpdate(buffer, sizeof(buffer));
-}
-
-void RNG_SystemInfoForRNG()
-{
-/* Time */
-	{
-		unsigned long sec;
-		size_t bytes;
-		GetDateTime(&sec);	/* Current time since 1970 */
-		RNG_RandomUpdate( &sec, sizeof(sec));
-	    bytes = RNG_GetNoise(&sec, sizeof(sec));
-	    RNG_RandomUpdate(&sec, bytes);
-    }
-/* User specific variables */
-	{
-		MachineLocation loc;
-		ReadLocation(&loc);
-		RNG_RandomUpdate( &loc, sizeof(loc));
-	}
-#if !TARGET_CARBON
-/* User name */
-	{
-		unsigned long userRef;
-		Str32 userName;
-		GetDefaultUser(&userRef, userName);
-		RNG_RandomUpdate( &userRef, sizeof(userRef));
-		RNG_RandomUpdate( userName, sizeof(userName));
-	}
-#endif
-/* Mouse location */
-	{
-		Point mouseLoc;
-		GetMouse(&mouseLoc);
-		RNG_RandomUpdate( &mouseLoc, sizeof(mouseLoc));
-	}
-/* Keyboard time threshold */
-	{
-		SInt16 keyTresh = LMGetKeyThresh();
-		RNG_RandomUpdate( &keyTresh, sizeof(keyTresh));
-	}
-/* Last key pressed */
-	{
-		SInt8 keyLast;
-		keyLast = LMGetKbdLast();
-		RNG_RandomUpdate( &keyLast, sizeof(keyLast));
-	}
-/* Volume */
-	{
-		UInt8 volume = LMGetSdVolume();
-		RNG_RandomUpdate( &volume, sizeof(volume));
-	}
-#if !TARGET_CARBON
-/* Current directory */
-	{
-		SInt32 dir = LMGetCurDirStore();
-		RNG_RandomUpdate( &dir, sizeof(dir));
-	}
-#endif
-/* Process information about all the processes in the machine */
-	{
-		ProcessSerialNumber 	process;
-		ProcessInfoRec pi;
-	
-		process.highLongOfPSN = process.lowLongOfPSN  = kNoProcess;
-		
-		while (GetNextProcess(&process) == noErr)
-		{
-			FSSpec fileSpec;
-			pi.processInfoLength = sizeof(ProcessInfoRec);
-			pi.processName = NULL;
-			pi.processAppSpec = &fileSpec;
-			GetProcessInformation(&process, &pi);
-			RNG_RandomUpdate( &pi, sizeof(pi));
-			RNG_RandomUpdate( &fileSpec, sizeof(fileSpec));
-		}
-	}
-	
-#if !TARGET_CARBON
-/* Heap */
-	{
-		THz zone = LMGetTheZone();
-		RNG_RandomUpdate( &zone, sizeof(zone));
-	}
-#endif
-	
-/* Screen */
-	{
-		GDHandle h = GetMainDevice();		/* GDHandle is **GDevice */
-		RNG_RandomUpdate( *h, sizeof(GDevice));
-	}
-
-#if !TARGET_CARBON
-/* Scrap size */
-	{
-		SInt32 scrapSize = LMGetScrapSize();
-		RNG_RandomUpdate( &scrapSize, sizeof(scrapSize));
-	}
-/* Scrap count */
-	{
-		SInt16 scrapCount = LMGetScrapCount();
-		RNG_RandomUpdate( &scrapCount, sizeof(scrapCount));
-	}
-#else
-	{
-	    ScrapRef scrap;
-        if (GetCurrentScrap(&scrap) == noErr) {
-            UInt32 flavorCount;
-            if (GetScrapFlavorCount(scrap, &flavorCount) == noErr) {
-                ScrapFlavorInfo* flavorInfo = (ScrapFlavorInfo*) malloc(flavorCount * sizeof(ScrapFlavorInfo));
-                if (flavorInfo != NULL) {
-                    if (GetScrapFlavorInfoList(scrap, &flavorCount, flavorInfo) == noErr) {
-                        UInt32 i;
-                        RNG_RandomUpdate(&flavorCount, sizeof(flavorCount));
-                        for (i = 0; i < flavorCount; ++i) {
-                            Size flavorSize;
-                            if (GetScrapFlavorSize(scrap, flavorInfo[i].flavorType, &flavorSize) == noErr)
-                                RNG_RandomUpdate(&flavorSize, sizeof(flavorSize));
-                        }
-                    }
-                    free(flavorInfo);
-                }
-            }
-        }
-    }
-#endif
-/*  File stuff, last modified, etc. */
-	{
-		HParamBlockRec			pb;
-		GetVolParmsInfoBuffer	volInfo;
-		pb.ioParam.ioVRefNum = 0;
-		pb.ioParam.ioNamePtr = nil;
-		pb.ioParam.ioBuffer = (Ptr) &volInfo;
-		pb.ioParam.ioReqCount = sizeof(volInfo);
-		PBHGetVolParmsSync(&pb);
-		RNG_RandomUpdate( &volInfo, sizeof(volInfo));
-	}
-#if !TARGET_CARBON
-/* Event queue */
-	{
-		EvQElPtr		eventQ;
-		for (eventQ = (EvQElPtr) LMGetEventQueue()->qHead; 
-				eventQ; 
-				eventQ = (EvQElPtr)eventQ->qLink)
-			RNG_RandomUpdate( &eventQ->evtQWhat, sizeof(EventRecord));
-	}
-#endif
-	FE_ReadScreen();
-	RNG_FileForRNG(NULL);
-}
-
-void FE_ReadScreen()
-{
-	UInt16				coords[4];
-	PixMapHandle 		pmap;
-	GDHandle			gh;	
-	UInt16				screenHeight;
-	UInt16				screenWidth;			/* just what they say */
-	UInt32				bytesToRead;			/* number of bytes we're giving */
-	UInt32				offset;					/* offset into the graphics buffer */
-	UInt16				rowBytes;
-	UInt32				rowsToRead;
-	float				bytesPerPixel;			/* dependent on buffer depth */
-	Ptr					p;						/* temporary */
-	UInt16				x, y, w, h;
-
-	gh = LMGetMainDevice();
-	if ( !gh )
-		return;
-	pmap = (**gh).gdPMap;
-	if ( !pmap )
-		return;
-		
-	RNG_GenerateGlobalRandomBytes( coords, sizeof( coords ) );
-	
-	/* make x and y inside the screen rect */	
-	screenHeight = (**pmap).bounds.bottom - (**pmap).bounds.top;
-	screenWidth = (**pmap).bounds.right - (**pmap).bounds.left;
-	x = coords[0] % screenWidth;
-	y = coords[1] % screenHeight;
-	w = ( coords[2] & 0x7F ) | 0x40;		/* Make sure that w is in the range 64..128 */
-	h = ( coords[3] & 0x7F ) | 0x40;		/* same for h */
-
-	bytesPerPixel = (**pmap).pixelSize / 8;
-	rowBytes = (**pmap).rowBytes & 0x7FFF;
-
-	/* starting address */
-	offset = ( rowBytes * y ) + (UInt32)( (float)x * bytesPerPixel );
-	
-	/* don't read past the end of the pixmap's rowbytes */
-	bytesToRead = PR_MIN(	(UInt32)( w * bytesPerPixel ),
-						(UInt32)( rowBytes - ( x * bytesPerPixel ) ) );
-
-	/* don't read past the end of the graphics device pixmap */
-	rowsToRead = PR_MIN(	h, 
-						( screenHeight - y ) );
-	
-	p = GetPixBaseAddr( pmap ) + offset;
-	
-	while ( rowsToRead-- )
-	{
-		RNG_RandomUpdate( p, bytesToRead );
-		p += rowBytes;
-	}
-}
-#endif
diff --git a/security/nss/lib/freebl/manifest.mn b/security/nss/lib/freebl/manifest.mn
deleted file mode 100644
index 844b1deab..000000000
--- a/security/nss/lib/freebl/manifest.mn
+++ /dev/null
@@ -1,184 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#   Dr Vipul Gupta <vipul.gupta@sun.com> and
-#   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-# NOTE: any ifdefs in this file must be defined on the gmake command line
-# (if anywhere).  They cannot come from Makefile or config.mk 
-
-CORE_DEPTH = ../../..
-
-MODULE = nss
-
-LIBRARY_NAME = freebl
-LIBRARY_VERSION = 3
-
-ifdef FREEBL_CHILD_BUILD
-  ifdef USE_ABI32_INT32
-    LIBRARY_NAME = freebl_32int
-  endif
-  ifdef USE_ABI32_INT64
-    LIBRARY_NAME = freebl_32int64
-  endif
-  ifdef USE_ABI32_FPU
-    LIBRARY_NAME = freebl_32fpu
-  endif
-  ifdef USE_ABI64_INT
-    LIBRARY_NAME = freebl_64int
-  endif
-  ifdef USE_ABI64_FPU
-    LIBRARY_NAME = freebl_64fpu
-  endif
-endif
-
-# if the library name contains _, we prefix the version with _
-ifneq (,$(findstring _,$(LIBRARY_NAME)))
-  LIBRARY_VERSION := _$(LIBRARY_VERSION)
-endif
-
-MAPFILE_SOURCE = freebl.def
-MAPFILE = $(OBJDIR)/$(LIBRARY_NAME).def
-
-SOFTOKEN_LIBRARY_VERSION = 3
-
-DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" \
-	-DSHLIB_VERSION=\"$(LIBRARY_VERSION)\" \
-	-DSOFTOKEN_SHLIB_VERSION=\"$(SOFTOKEN_LIBRARY_VERSION)\"
-
-REQUIRES = 
-
-EXPORTS = \
-	blapit.h \
-	shsign.h \
-	ecl-exp.h \
-	$(NULL)
-
-PRIVATE_EXPORTS = \
-	alghmac.h \
-	blapi.h \
-	secmpi.h \
-	secrng.h \
-	ec.h \
-	ecl.h \
-	ecl-curve.h \
-	$(NULL)
-
-MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h mp_gf2m.h
-MPI_SRCS = mpprime.c mpmontg.c mplogic.c mpi.c mp_gf2m.c
-
-
-ECL_HDRS = ecl-exp.h ecl.h ec2.h ecp.h ecl-priv.h
-ifdef NSS_ENABLE_ECC
-ECL_SRCS = ecl.c ecl_curve.c ecl_mult.c ecl_gf.c \
-	ec2_aff.c ec2_mont.c ec2_proj.c \
-	ec2_163.c ec2_193.c ec2_233.c \
-	ecp_aff.c ecp_jac.c ecp_mont.c \
-	ecp_192.c ecp_224.c \
-	ec_naf.c ecp_jm.c
-else
-ECL_SRCS = $(NULL)
-endif
-SHA_SRCS = sha_fast.c
-
-CSRCS = \
-	freeblver.c \
-	ldvector.c \
-	prng_fips1861.c \
-	sysrand.c \
-	$(SHA_SRCS) \
-	md2.c \
-	md5.c \
-	sha512.c \
-	alghmac.c \
-	rawhash.c \
-	alg2268.c \
-	arcfour.c \
-	arcfive.c \
-	desblapi.c \
-	des.c \
-	rijndael.c \
-	aeskeywrap.c \
-	dh.c \
-	ec.c \
-	pqg.c \
-	dsa.c \
-	rsa.c \
-	shvfy.c \
-	tlsprfalg.c \
-	$(MPI_SRCS) \
-	$(ECL_SRCS) \
-	$(NULL)
-
-ALL_CSRCS := $(CSRCS)
-
-ALL_HDRS =  \
-	alghmac.h \
-	blapi.h \
-	blapit.h \
-	des.h \
-	ec.h \
-	loader.h \
-	rijndael.h \
-	secmpi.h \
-	sha.h \
-	sha_fast.h \
-	shsign.h \
-	vis_proto.h \
-	$(NULL)
-
-
-ifdef NSS_ENABLE_ECC
-DEFINES += -DNSS_ENABLE_ECC
-endif
-
-ifdef AES_GEN_TBL
-DEFINES += -DRIJNDAEL_GENERATE_TABLES
-else 
-ifdef AES_GEN_TBL_M
-DEFINES += -DRIJNDAEL_GENERATE_TABLES_MACRO
-else
-ifdef AES_GEN_VAL
-DEFINES += -DRIJNDAEL_GENERATE_VALUES
-else
-ifdef AES_GEN_VAL_M
-DEFINES += -DRIJNDAEL_GENERATE_VALUES_MACRO
-else
-DEFINES += -DRIJNDAEL_INCLUDE_TABLES
-endif
-endif
-endif
-endif
diff --git a/security/nss/lib/freebl/mapfile.Solaris b/security/nss/lib/freebl/mapfile.Solaris
deleted file mode 100644
index 2db951327..000000000
--- a/security/nss/lib/freebl/mapfile.Solaris
+++ /dev/null
@@ -1,43 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-libfreebl_3.so {
-	global:
-		FREEBL_GetVector;
-	local:
-		*;
-};
diff --git a/security/nss/lib/freebl/md2.c b/security/nss/lib/freebl/md2.c
deleted file mode 100644
index ddc7a9d7e..000000000
--- a/security/nss/lib/freebl/md2.c
+++ /dev/null
@@ -1,296 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "prerr.h"
-#include "secerr.h"
-
-#include "prtypes.h"
-
-#include "blapi.h"
-
-#define MD2_DIGEST_LEN    16
-#define MD2_BUFSIZE       16
-#define MD2_X_SIZE        48  /* The X array, [CV | INPUT | TMP VARS] */
-#define MD2_CV             0  /* index into X for chaining variables */
-#define MD2_INPUT         16  /* index into X for input */
-#define MD2_TMPVARS       32  /* index into X for temporary variables */
-#define MD2_CHECKSUM_SIZE 16
-
-struct MD2ContextStr {
-	unsigned char checksum[MD2_BUFSIZE];
-	unsigned char X[MD2_X_SIZE];
-	PRUint8 unusedBuffer;
-};
-
-static const PRUint8 MD2S[256] = {
- 0051, 0056, 0103, 0311, 0242, 0330, 0174, 0001,
- 0075, 0066, 0124, 0241, 0354, 0360, 0006, 0023,
- 0142, 0247, 0005, 0363, 0300, 0307, 0163, 0214,
- 0230, 0223, 0053, 0331, 0274, 0114, 0202, 0312,
- 0036, 0233, 0127, 0074, 0375, 0324, 0340, 0026,
- 0147, 0102, 0157, 0030, 0212, 0027, 0345, 0022,
- 0276, 0116, 0304, 0326, 0332, 0236, 0336, 0111,
- 0240, 0373, 0365, 0216, 0273, 0057, 0356, 0172,
- 0251, 0150, 0171, 0221, 0025, 0262, 0007, 0077,
- 0224, 0302, 0020, 0211, 0013, 0042, 0137, 0041,
- 0200, 0177, 0135, 0232, 0132, 0220, 0062, 0047,
- 0065, 0076, 0314, 0347, 0277, 0367, 0227, 0003,
- 0377, 0031, 0060, 0263, 0110, 0245, 0265, 0321,
- 0327, 0136, 0222, 0052, 0254, 0126, 0252, 0306,
- 0117, 0270, 0070, 0322, 0226, 0244, 0175, 0266,
- 0166, 0374, 0153, 0342, 0234, 0164, 0004, 0361,
- 0105, 0235, 0160, 0131, 0144, 0161, 0207, 0040,
- 0206, 0133, 0317, 0145, 0346, 0055, 0250, 0002,
- 0033, 0140, 0045, 0255, 0256, 0260, 0271, 0366,
- 0034, 0106, 0141, 0151, 0064, 0100, 0176, 0017,
- 0125, 0107, 0243, 0043, 0335, 0121, 0257, 0072,
- 0303, 0134, 0371, 0316, 0272, 0305, 0352, 0046,
- 0054, 0123, 0015, 0156, 0205, 0050, 0204, 0011,
- 0323, 0337, 0315, 0364, 0101, 0201, 0115, 0122,
- 0152, 0334, 0067, 0310, 0154, 0301, 0253, 0372,
- 0044, 0341, 0173, 0010, 0014, 0275, 0261, 0112,
- 0170, 0210, 0225, 0213, 0343, 0143, 0350, 0155,
- 0351, 0313, 0325, 0376, 0073, 0000, 0035, 0071,
- 0362, 0357, 0267, 0016, 0146, 0130, 0320, 0344,
- 0246, 0167, 0162, 0370, 0353, 0165, 0113, 0012,
- 0061, 0104, 0120, 0264, 0217, 0355, 0037, 0032,
- 0333, 0231, 0215, 0063, 0237, 0021, 0203, 0024
-};
-
-SECStatus 
-MD2_Hash(unsigned char *dest, const char *src)
-{
-	unsigned int len;
-	MD2Context *cx = MD2_NewContext();
-	if (!cx) {
-		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
-		return SECFailure;
-	}
-	MD2_Begin(cx);
-	MD2_Update(cx, (unsigned char *)src, PL_strlen(src));
-	MD2_End(cx, dest, &len, MD2_DIGEST_LEN);
-	MD2_DestroyContext(cx, PR_TRUE);
-	return SECSuccess;
-}
-
-MD2Context *
-MD2_NewContext(void)
-{
-	MD2Context *cx = (MD2Context *)PORT_ZAlloc(sizeof(MD2Context));
-	if (cx == NULL) {
-		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
-		return NULL;
-	}
-	return cx;
-}
-
-void 
-MD2_DestroyContext(MD2Context *cx, PRBool freeit)
-{
-	if (freeit)
-		PORT_ZFree(cx, sizeof(*cx));
-}
-
-void 
-MD2_Begin(MD2Context *cx)
-{
-	memset(cx, 0, sizeof(*cx));
-	cx->unusedBuffer = MD2_BUFSIZE;
-}
-
-static void
-md2_compress(MD2Context *cx)
-{
-	int j;
-	unsigned char P;
-	P = cx->checksum[MD2_CHECKSUM_SIZE-1];
-	/* Compute the running checksum, and set the tmp variables to be 
-	 * CV[i] XOR input[i] 
-	 */
-#define CKSUMFN(n) \
-	P = cx->checksum[n] ^ MD2S[cx->X[MD2_INPUT+n] ^ P]; \
-	cx->checksum[n] = P; \
-	cx->X[MD2_TMPVARS+n] = cx->X[n] ^ cx->X[MD2_INPUT+n];
-	CKSUMFN(0);
-	CKSUMFN(1);
-	CKSUMFN(2);
-	CKSUMFN(3);
-	CKSUMFN(4);
-	CKSUMFN(5);
-	CKSUMFN(6);
-	CKSUMFN(7);
-	CKSUMFN(8);
-	CKSUMFN(9);
-	CKSUMFN(10);
-	CKSUMFN(11);
-	CKSUMFN(12);
-	CKSUMFN(13);
-	CKSUMFN(14);
-	CKSUMFN(15);
-	/* The compression function. */
-#define COMPRESS(n) \
-	P = cx->X[n] ^ MD2S[P]; \
-	cx->X[n] = P;
-	P = 0x00;
-	for (j=0; j<18; j++) {
-		COMPRESS(0);
-		COMPRESS(1);
-		COMPRESS(2);
-		COMPRESS(3);
-		COMPRESS(4);
-		COMPRESS(5);
-		COMPRESS(6);
-		COMPRESS(7);
-		COMPRESS(8);
-		COMPRESS(9);
-		COMPRESS(10);
-		COMPRESS(11);
-		COMPRESS(12);
-		COMPRESS(13);
-		COMPRESS(14);
-		COMPRESS(15);
-		COMPRESS(16);
-		COMPRESS(17);
-		COMPRESS(18);
-		COMPRESS(19);
-		COMPRESS(20);
-		COMPRESS(21);
-		COMPRESS(22);
-		COMPRESS(23);
-		COMPRESS(24);
-		COMPRESS(25);
-		COMPRESS(26);
-		COMPRESS(27);
-		COMPRESS(28);
-		COMPRESS(29);
-		COMPRESS(30);
-		COMPRESS(31);
-		COMPRESS(32);
-		COMPRESS(33);
-		COMPRESS(34);
-		COMPRESS(35);
-		COMPRESS(36);
-		COMPRESS(37);
-		COMPRESS(38);
-		COMPRESS(39);
-		COMPRESS(40);
-		COMPRESS(41);
-		COMPRESS(42);
-		COMPRESS(43);
-		COMPRESS(44);
-		COMPRESS(45);
-		COMPRESS(46);
-		COMPRESS(47);
-		P = (P + j) % 256;
-	}
-	cx->unusedBuffer = MD2_BUFSIZE;
-}
-
-void 
-MD2_Update(MD2Context *cx, const unsigned char *input, unsigned int inputLen)
-{
-	PRUint32 bytesToConsume;
-	
-	/* Fill the remaining input buffer. */
-	if (cx->unusedBuffer != MD2_BUFSIZE) {
-		bytesToConsume = PR_MIN(inputLen, cx->unusedBuffer);
-		memcpy(&cx->X[MD2_INPUT + (MD2_BUFSIZE - cx->unusedBuffer)],
-		            input, bytesToConsume);
-		if (cx->unusedBuffer + bytesToConsume >= MD2_BUFSIZE)
-			md2_compress(cx);
-		inputLen -= bytesToConsume;
-		input += bytesToConsume;
-	}
-
-	/* Iterate over 16-byte chunks of the input. */
-	while (inputLen >= MD2_BUFSIZE) {
-		memcpy(&cx->X[MD2_INPUT], input, MD2_BUFSIZE);
-		md2_compress(cx);
-		inputLen -= MD2_BUFSIZE;
-		input += MD2_BUFSIZE;
-	}
-
-	/* Copy any input that remains into the buffer. */
-	if (inputLen)
-		memcpy(&cx->X[MD2_INPUT], input, inputLen);
-	cx->unusedBuffer = MD2_BUFSIZE - inputLen;
-}
-
-void 
-MD2_End(MD2Context *cx, unsigned char *digest,
-        unsigned int *digestLen, unsigned int maxDigestLen)
-{
-	PRUint8 padStart;
-	if (maxDigestLen < MD2_BUFSIZE) {
-		PORT_SetError(SEC_ERROR_INVALID_ARGS);
-		return;
-	}
-	padStart = MD2_BUFSIZE - cx->unusedBuffer;
-	memset(&cx->X[MD2_INPUT + padStart], cx->unusedBuffer, 
-	            cx->unusedBuffer);
-	md2_compress(cx);
-	memcpy(&cx->X[MD2_INPUT], cx->checksum, MD2_BUFSIZE);
-	md2_compress(cx);
-	*digestLen = MD2_DIGEST_LEN;
-	memcpy(digest, &cx->X[MD2_CV], MD2_DIGEST_LEN);
-}
-
-unsigned int 
-MD2_FlattenSize(MD2Context *cx)
-{
-	return sizeof(*cx);
-}
-
-SECStatus 
-MD2_Flatten(MD2Context *cx, unsigned char *space)
-{
-	memcpy(space, cx, sizeof(*cx));
-	return SECSuccess;
-}
-
-MD2Context * 
-MD2_Resurrect(unsigned char *space, void *arg)
-{
-	MD2Context *cx = MD2_NewContext();
-	if (cx)
-		memcpy(cx, space, sizeof(*cx));
-	return cx;
-}
-
-void MD2_Clone(MD2Context *dest, MD2Context *src) 
-{
-	memcpy(dest, src, sizeof *dest);
-}
diff --git a/security/nss/lib/freebl/md5.c b/security/nss/lib/freebl/md5.c
deleted file mode 100644
index fbcee7f46..000000000
--- a/security/nss/lib/freebl/md5.c
+++ /dev/null
@@ -1,595 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "prerr.h"
-#include "secerr.h"
-
-#include "prtypes.h"
-#include "prlong.h"
-
-#include "blapi.h"
-
-#define MD5_HASH_LEN 16
-#define MD5_BUFFER_SIZE 64
-#define MD5_END_BUFFER (MD5_BUFFER_SIZE - 8)
-
-#define CV0_1 0x67452301
-#define CV0_2 0xefcdab89
-#define CV0_3 0x98badcfe
-#define CV0_4 0x10325476
-
-#define T1_0  0xd76aa478
-#define T1_1  0xe8c7b756
-#define T1_2  0x242070db
-#define T1_3  0xc1bdceee
-#define T1_4  0xf57c0faf
-#define T1_5  0x4787c62a
-#define T1_6  0xa8304613
-#define T1_7  0xfd469501
-#define T1_8  0x698098d8
-#define T1_9  0x8b44f7af
-#define T1_10 0xffff5bb1
-#define T1_11 0x895cd7be
-#define T1_12 0x6b901122
-#define T1_13 0xfd987193
-#define T1_14 0xa679438e
-#define T1_15 0x49b40821
-
-#define T2_0  0xf61e2562
-#define T2_1  0xc040b340
-#define T2_2  0x265e5a51
-#define T2_3  0xe9b6c7aa
-#define T2_4  0xd62f105d
-#define T2_5  0x02441453
-#define T2_6  0xd8a1e681
-#define T2_7  0xe7d3fbc8
-#define T2_8  0x21e1cde6
-#define T2_9  0xc33707d6
-#define T2_10 0xf4d50d87
-#define T2_11 0x455a14ed
-#define T2_12 0xa9e3e905
-#define T2_13 0xfcefa3f8
-#define T2_14 0x676f02d9
-#define T2_15 0x8d2a4c8a
-
-#define T3_0  0xfffa3942
-#define T3_1  0x8771f681
-#define T3_2  0x6d9d6122
-#define T3_3  0xfde5380c
-#define T3_4  0xa4beea44
-#define T3_5  0x4bdecfa9
-#define T3_6  0xf6bb4b60
-#define T3_7  0xbebfbc70
-#define T3_8  0x289b7ec6
-#define T3_9  0xeaa127fa
-#define T3_10 0xd4ef3085
-#define T3_11 0x04881d05
-#define T3_12 0xd9d4d039
-#define T3_13 0xe6db99e5
-#define T3_14 0x1fa27cf8
-#define T3_15 0xc4ac5665
-
-#define T4_0  0xf4292244
-#define T4_1  0x432aff97
-#define T4_2  0xab9423a7
-#define T4_3  0xfc93a039
-#define T4_4  0x655b59c3
-#define T4_5  0x8f0ccc92
-#define T4_6  0xffeff47d
-#define T4_7  0x85845dd1
-#define T4_8  0x6fa87e4f
-#define T4_9  0xfe2ce6e0
-#define T4_10 0xa3014314
-#define T4_11 0x4e0811a1
-#define T4_12 0xf7537e82
-#define T4_13 0xbd3af235
-#define T4_14 0x2ad7d2bb
-#define T4_15 0xeb86d391
-
-#define R1B0  0
-#define R1B1  1
-#define R1B2  2
-#define R1B3  3
-#define R1B4  4
-#define R1B5  5
-#define R1B6  6
-#define R1B7  7
-#define R1B8  8
-#define R1B9  9
-#define R1B10 10
-#define R1B11 11
-#define R1B12 12
-#define R1B13 13
-#define R1B14 14
-#define R1B15 15
-
-#define R2B0  1
-#define R2B1  6
-#define R2B2  11
-#define R2B3  0
-#define R2B4  5
-#define R2B5  10
-#define R2B6  15
-#define R2B7  4
-#define R2B8  9
-#define R2B9  14
-#define R2B10 3 
-#define R2B11 8 
-#define R2B12 13
-#define R2B13 2 
-#define R2B14 7 
-#define R2B15 12
-
-#define R3B0  5
-#define R3B1  8
-#define R3B2  11
-#define R3B3  14
-#define R3B4  1
-#define R3B5  4
-#define R3B6  7
-#define R3B7  10
-#define R3B8  13
-#define R3B9  0
-#define R3B10 3 
-#define R3B11 6 
-#define R3B12 9 
-#define R3B13 12
-#define R3B14 15
-#define R3B15 2 
-
-#define R4B0  0
-#define R4B1  7
-#define R4B2  14
-#define R4B3  5
-#define R4B4  12
-#define R4B5  3
-#define R4B6  10
-#define R4B7  1
-#define R4B8  8
-#define R4B9  15
-#define R4B10 6 
-#define R4B11 13
-#define R4B12 4 
-#define R4B13 11
-#define R4B14 2 
-#define R4B15 9 
-
-#define S1_0 7
-#define S1_1 12
-#define S1_2 17
-#define S1_3 22
-
-#define S2_0 5
-#define S2_1 9
-#define S2_2 14
-#define S2_3 20
-
-#define S3_0 4
-#define S3_1 11
-#define S3_2 16
-#define S3_3 23
-
-#define S4_0 6
-#define S4_1 10
-#define S4_2 15
-#define S4_3 21
-
-struct MD5ContextStr {
-	PRUint32      lsbInput;
-	PRUint32      msbInput;
-	PRUint32      cv[4];
-	union {
-		PRUint8 b[64];
-		PRUint32 w[16];
-	} u;
-};
-
-#define inBuf u.b
-
-SECStatus 
-MD5_Hash(unsigned char *dest, const char *src)
-{
-	return MD5_HashBuf(dest, (unsigned char *)src, PL_strlen(src));
-}
-
-SECStatus 
-MD5_HashBuf(unsigned char *dest, const unsigned char *src, uint32 src_length)
-{
-	unsigned int len;
-	MD5Context cx;
-
-	MD5_Begin(&cx);
-	MD5_Update(&cx, src, src_length);
-	MD5_End(&cx, dest, &len, MD5_HASH_LEN);
-/*	memset(&cx, 0, sizeof cx); */
-	return SECSuccess;
-}
-
-MD5Context *
-MD5_NewContext(void)
-{
-	/* no need to ZAlloc, MD5_Begin will init the context */
-	MD5Context *cx = (MD5Context *)PORT_Alloc(sizeof(MD5Context));
-	if (cx == NULL) {
-		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
-		return NULL;
-	}
-	return cx;
-}
-
-void 
-MD5_DestroyContext(MD5Context *cx, PRBool freeit)
-{
-/*	memset(cx, 0, sizeof *cx); */
-	if (freeit) {
-	    PORT_Free(cx);
-	}
-}
-
-void 
-MD5_Begin(MD5Context *cx)
-{
-	cx->lsbInput = 0;
-	cx->msbInput = 0;
-/*	memset(cx->inBuf, 0, sizeof(cx->inBuf)); */
-	cx->cv[0] = CV0_1;
-	cx->cv[1] = CV0_2;
-	cx->cv[2] = CV0_3;
-	cx->cv[3] = CV0_4;
-}
-
-#define cls(i32, s) (tmp = i32, tmp << s | tmp >> (32 - s))
-
-#if defined(SOLARIS) || defined(HPUX)
-#define addto64(sumhigh, sumlow, addend) \
-	sumlow += addend; sumhigh += (sumlow < addend);
-#else
-#define addto64(sumhigh, sumlow, addend) \
-	sumlow += addend; if (sumlow < addend) ++sumhigh;
-#endif
-
-#define MASK 0x00ff00ff
-#ifdef IS_LITTLE_ENDIAN
-#define lendian(i32) \
-	(i32)
-#else
-#define lendian(i32) \
-	(tmp = i32 >> 16 | i32 << 16, (tmp & MASK) << 8 | tmp >> 8 & MASK)
-#endif
-
-#ifndef IS_LITTLE_ENDIAN
-
-#define lebytes(b4) \
-	((b4)[3] << 24 | (b4)[2] << 16 | (b4)[1] << 8 | (b4)[0])
-
-static void
-md5_prep_state_le(MD5Context *cx)
-{
-	PRUint32 tmp;
-	cx->u.w[0] = lendian(cx->u.w[0]);
-	cx->u.w[1] = lendian(cx->u.w[1]);
-	cx->u.w[2] = lendian(cx->u.w[2]);
-	cx->u.w[3] = lendian(cx->u.w[3]);
-	cx->u.w[4] = lendian(cx->u.w[4]);
-	cx->u.w[5] = lendian(cx->u.w[5]);
-	cx->u.w[6] = lendian(cx->u.w[6]);
-	cx->u.w[7] = lendian(cx->u.w[7]);
-	cx->u.w[8] = lendian(cx->u.w[8]);
-	cx->u.w[9] = lendian(cx->u.w[9]);
-	cx->u.w[10] = lendian(cx->u.w[10]);
-	cx->u.w[11] = lendian(cx->u.w[11]);
-	cx->u.w[12] = lendian(cx->u.w[12]);
-	cx->u.w[13] = lendian(cx->u.w[13]);
-	cx->u.w[14] = lendian(cx->u.w[14]);
-	cx->u.w[15] = lendian(cx->u.w[15]);
-}
-
-static void
-md5_prep_buffer_le(MD5Context *cx, const PRUint8 *beBuf)
-{
-	cx->u.w[0] = lebytes(&beBuf[0]);
-	cx->u.w[1] = lebytes(&beBuf[4]);
-	cx->u.w[2] = lebytes(&beBuf[8]);
-	cx->u.w[3] = lebytes(&beBuf[12]);
-	cx->u.w[4] = lebytes(&beBuf[16]);
-	cx->u.w[5] = lebytes(&beBuf[20]);
-	cx->u.w[6] = lebytes(&beBuf[24]);
-	cx->u.w[7] = lebytes(&beBuf[28]);
-	cx->u.w[8] = lebytes(&beBuf[32]);
-	cx->u.w[9] = lebytes(&beBuf[36]);
-	cx->u.w[10] = lebytes(&beBuf[40]);
-	cx->u.w[11] = lebytes(&beBuf[44]);
-	cx->u.w[12] = lebytes(&beBuf[48]);
-	cx->u.w[13] = lebytes(&beBuf[52]);
-	cx->u.w[14] = lebytes(&beBuf[56]);
-	cx->u.w[15] = lebytes(&beBuf[60]);
-}
-#endif
-
-
-#define F(X, Y, Z) \
-	((X & Y) | ((~X) & Z))
-
-#define G(X, Y, Z) \
-	((X & Z) | (Y & (~Z)))
-
-#define H(X, Y, Z) \
-	(X ^ Y ^ Z)
-
-#define I(X, Y, Z) \
-	(Y ^ (X | (~Z)))
-
-#define FF(a, b, c, d, bufint, s, ti) \
-	a = b + cls(a + F(b, c, d) + bufint + ti, s)
-
-#define GG(a, b, c, d, bufint, s, ti) \
-	a = b + cls(a + G(b, c, d) + bufint + ti, s)
-
-#define HH(a, b, c, d, bufint, s, ti) \
-	a = b + cls(a + H(b, c, d) + bufint + ti, s)
-
-#define II(a, b, c, d, bufint, s, ti) \
-	a = b + cls(a + I(b, c, d) + bufint + ti, s)
-
-static void
-md5_compress(MD5Context *cx, const PRUint32 *wBuf)
-{
-	PRUint32 a, b, c, d;
-	PRUint32 tmp;
-	a = cx->cv[0];
-	b = cx->cv[1];
-	c = cx->cv[2];
-	d = cx->cv[3];
-	FF(a, b, c, d, wBuf[R1B0 ], S1_0, T1_0);
-	FF(d, a, b, c, wBuf[R1B1 ], S1_1, T1_1);
-	FF(c, d, a, b, wBuf[R1B2 ], S1_2, T1_2);
-	FF(b, c, d, a, wBuf[R1B3 ], S1_3, T1_3);
-	FF(a, b, c, d, wBuf[R1B4 ], S1_0, T1_4);
-	FF(d, a, b, c, wBuf[R1B5 ], S1_1, T1_5);
-	FF(c, d, a, b, wBuf[R1B6 ], S1_2, T1_6);
-	FF(b, c, d, a, wBuf[R1B7 ], S1_3, T1_7);
-	FF(a, b, c, d, wBuf[R1B8 ], S1_0, T1_8);
-	FF(d, a, b, c, wBuf[R1B9 ], S1_1, T1_9);
-	FF(c, d, a, b, wBuf[R1B10], S1_2, T1_10);
-	FF(b, c, d, a, wBuf[R1B11], S1_3, T1_11);
-	FF(a, b, c, d, wBuf[R1B12], S1_0, T1_12);
-	FF(d, a, b, c, wBuf[R1B13], S1_1, T1_13);
-	FF(c, d, a, b, wBuf[R1B14], S1_2, T1_14);
-	FF(b, c, d, a, wBuf[R1B15], S1_3, T1_15);
-	GG(a, b, c, d, wBuf[R2B0 ], S2_0, T2_0);
-	GG(d, a, b, c, wBuf[R2B1 ], S2_1, T2_1);
-	GG(c, d, a, b, wBuf[R2B2 ], S2_2, T2_2);
-	GG(b, c, d, a, wBuf[R2B3 ], S2_3, T2_3);
-	GG(a, b, c, d, wBuf[R2B4 ], S2_0, T2_4);
-	GG(d, a, b, c, wBuf[R2B5 ], S2_1, T2_5);
-	GG(c, d, a, b, wBuf[R2B6 ], S2_2, T2_6);
-	GG(b, c, d, a, wBuf[R2B7 ], S2_3, T2_7);
-	GG(a, b, c, d, wBuf[R2B8 ], S2_0, T2_8);
-	GG(d, a, b, c, wBuf[R2B9 ], S2_1, T2_9);
-	GG(c, d, a, b, wBuf[R2B10], S2_2, T2_10);
-	GG(b, c, d, a, wBuf[R2B11], S2_3, T2_11);
-	GG(a, b, c, d, wBuf[R2B12], S2_0, T2_12);
-	GG(d, a, b, c, wBuf[R2B13], S2_1, T2_13);
-	GG(c, d, a, b, wBuf[R2B14], S2_2, T2_14);
-	GG(b, c, d, a, wBuf[R2B15], S2_3, T2_15);
-	HH(a, b, c, d, wBuf[R3B0 ], S3_0, T3_0);
-	HH(d, a, b, c, wBuf[R3B1 ], S3_1, T3_1);
-	HH(c, d, a, b, wBuf[R3B2 ], S3_2, T3_2);
-	HH(b, c, d, a, wBuf[R3B3 ], S3_3, T3_3);
-	HH(a, b, c, d, wBuf[R3B4 ], S3_0, T3_4);
-	HH(d, a, b, c, wBuf[R3B5 ], S3_1, T3_5);
-	HH(c, d, a, b, wBuf[R3B6 ], S3_2, T3_6);
-	HH(b, c, d, a, wBuf[R3B7 ], S3_3, T3_7);
-	HH(a, b, c, d, wBuf[R3B8 ], S3_0, T3_8);
-	HH(d, a, b, c, wBuf[R3B9 ], S3_1, T3_9);
-	HH(c, d, a, b, wBuf[R3B10], S3_2, T3_10);
-	HH(b, c, d, a, wBuf[R3B11], S3_3, T3_11);
-	HH(a, b, c, d, wBuf[R3B12], S3_0, T3_12);
-	HH(d, a, b, c, wBuf[R3B13], S3_1, T3_13);
-	HH(c, d, a, b, wBuf[R3B14], S3_2, T3_14);
-	HH(b, c, d, a, wBuf[R3B15], S3_3, T3_15);
-	II(a, b, c, d, wBuf[R4B0 ], S4_0, T4_0);
-	II(d, a, b, c, wBuf[R4B1 ], S4_1, T4_1);
-	II(c, d, a, b, wBuf[R4B2 ], S4_2, T4_2);
-	II(b, c, d, a, wBuf[R4B3 ], S4_3, T4_3);
-	II(a, b, c, d, wBuf[R4B4 ], S4_0, T4_4);
-	II(d, a, b, c, wBuf[R4B5 ], S4_1, T4_5);
-	II(c, d, a, b, wBuf[R4B6 ], S4_2, T4_6);
-	II(b, c, d, a, wBuf[R4B7 ], S4_3, T4_7);
-	II(a, b, c, d, wBuf[R4B8 ], S4_0, T4_8);
-	II(d, a, b, c, wBuf[R4B9 ], S4_1, T4_9);
-	II(c, d, a, b, wBuf[R4B10], S4_2, T4_10);
-	II(b, c, d, a, wBuf[R4B11], S4_3, T4_11);
-	II(a, b, c, d, wBuf[R4B12], S4_0, T4_12);
-	II(d, a, b, c, wBuf[R4B13], S4_1, T4_13);
-	II(c, d, a, b, wBuf[R4B14], S4_2, T4_14);
-	II(b, c, d, a, wBuf[R4B15], S4_3, T4_15);
-	cx->cv[0] += a;
-	cx->cv[1] += b;
-	cx->cv[2] += c;
-	cx->cv[3] += d;
-}
-
-void 
-MD5_Update(MD5Context *cx, const unsigned char *input, unsigned int inputLen)
-{
-	PRUint32 bytesToConsume;
-	PRUint32 inBufIndex = cx->lsbInput & 63;
-	const PRUint32 *wBuf;
-
-	/* Add the number of input bytes to the 64-bit input counter. */
-	addto64(cx->msbInput, cx->lsbInput, inputLen);
-	if (inBufIndex) {
-		/* There is already data in the buffer.  Fill with input. */
-		bytesToConsume = PR_MIN(inputLen, MD5_BUFFER_SIZE - inBufIndex);
-		memcpy(&cx->inBuf[inBufIndex], input, bytesToConsume);
-		if (inBufIndex + bytesToConsume >= MD5_BUFFER_SIZE) {
-			/* The buffer is filled.  Run the compression function. */
-#ifndef IS_LITTLE_ENDIAN
-			md5_prep_state_le(cx);
-#endif
-			md5_compress(cx, cx->u.w);
-		}
-		/* Remaining input. */
-		inputLen -= bytesToConsume;
-		input += bytesToConsume;
-	}
-
-	/* Iterate over 64-byte chunks of the message. */
-	while (inputLen >= MD5_BUFFER_SIZE) {
-#ifdef IS_LITTLE_ENDIAN
-#ifdef _X86_
-		/* x86 can handle arithmetic on non-word-aligned buffers */
-		wBuf = (PRUint32 *)input;
-#else
-		if ((ptrdiff_t)input & 0x3) {
-			/* buffer not aligned, copy it to force alignment */
-			memcpy(cx->inBuf, input, MD5_BUFFER_SIZE);
-			wBuf = cx->u.w;
-		} else {
-			/* buffer is aligned */
-			wBuf = (PRUint32 *)input;
-		}
-#endif
-#else
-		md5_prep_buffer_le(cx, input);
-		wBuf = cx->u.w;
-#endif
-		md5_compress(cx, wBuf);
-		inputLen -= MD5_BUFFER_SIZE;
-		input += MD5_BUFFER_SIZE;
-	}
-
-	/* Tail of message (message bytes mod 64). */
-	if (inputLen)
-		memcpy(cx->inBuf, input, inputLen);
-}
-
-static const unsigned char padbytes[] = {
-	0x80, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
-	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
-	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
-	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
-	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
-	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
-	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
-	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
-	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
-	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
-	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
-	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00
-};
-
-void 
-MD5_End(MD5Context *cx, unsigned char *digest,
-        unsigned int *digestLen, unsigned int maxDigestLen)
-{
-#ifndef IS_LITTLE_ENDIAN
-	PRUint32 tmp;
-#endif
-	PRUint32 lowInput, highInput;
-	PRUint32 inBufIndex = cx->lsbInput & 63;
-
-	if (maxDigestLen < MD5_HASH_LEN) {
-		PORT_SetError(SEC_ERROR_INVALID_ARGS);
-		return;
-	}
-
-	/* Copy out the length of bits input before padding. */
-	lowInput = cx->lsbInput; 
-	highInput = (cx->msbInput << 3) | (lowInput >> 29);
-	lowInput <<= 3;
-
-	if (inBufIndex < MD5_END_BUFFER) {
-		MD5_Update(cx, padbytes, MD5_END_BUFFER - inBufIndex);
-	} else {
-		MD5_Update(cx, padbytes, 
-		           MD5_END_BUFFER + MD5_BUFFER_SIZE - inBufIndex);
-	}
-
-	/* Store the number of bytes input (before padding) in final 64 bits. */
-	cx->u.w[14] = lendian(lowInput);
-	cx->u.w[15] = lendian(highInput);
-
-	/* Final call to compress. */
-#ifndef IS_LITTLE_ENDIAN
-	md5_prep_state_le(cx);
-#endif
-	md5_compress(cx, cx->u.w);
-
-	/* Copy the resulting values out of the chain variables into return buf. */
-	*digestLen = MD5_HASH_LEN;
-#ifndef IS_LITTLE_ENDIAN
-	cx->cv[0] = lendian(cx->cv[0]);
-	cx->cv[1] = lendian(cx->cv[1]);
-	cx->cv[2] = lendian(cx->cv[2]);
-	cx->cv[3] = lendian(cx->cv[3]);
-#endif
-	memcpy(digest, cx->cv, MD5_HASH_LEN);
-}
-
-unsigned int 
-MD5_FlattenSize(MD5Context *cx)
-{
-	return sizeof(*cx);
-}
-
-SECStatus 
-MD5_Flatten(MD5Context *cx, unsigned char *space)
-{
-	memcpy(space, cx, sizeof(*cx));
-	return SECSuccess;
-}
-
-MD5Context * 
-MD5_Resurrect(unsigned char *space, void *arg)
-{
-	MD5Context *cx = MD5_NewContext();
-	if (cx)
-		memcpy(cx, space, sizeof(*cx));
-	return cx;
-}
-
-void MD5_Clone(MD5Context *dest, MD5Context *src) 
-{
-	memcpy(dest, src, sizeof *dest);
-}
-
-void 
-MD5_TraceState(MD5Context *cx)
-{
-	PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
-}
diff --git a/security/nss/lib/freebl/mknewpc2.c b/security/nss/lib/freebl/mknewpc2.c
deleted file mode 100644
index e2872598f..000000000
--- a/security/nss/lib/freebl/mknewpc2.c
+++ /dev/null
@@ -1,242 +0,0 @@
-/*
- *  mknewpc2.c
- *
- *  Generate PC-2 tables for DES-150 library
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the DES-150 library.
- *
- * The Initial Developer of the Original Code is
- * Nelson B. Bolyard, nelsonb@iname.com.
- * Portions created by the Initial Developer are Copyright (C) 1990
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-typedef unsigned char BYTE;
-typedef unsigned int  HALF;
-
-#define DES_ENCRYPT 0
-#define DES_DECRYPT 1
-
-/* two 28-bit registers defined in key schedule production process */
-static HALF C0, D0;
-
-static HALF L0, R0;
-
-/* key schedule, 16 internal keys, each with 8 6-bit parts */
-static BYTE KS [8] [16];
-
-
-/*
- * This table takes the 56 bits in C0 and D0 and shows show they are 
- * permuted into the 8 6-bit parts of the key in the key schedule.
- * The bits of C0 are numbered left to right, 1-28.
- * The bits of D0 are numbered left to right, 29-56.
- * Zeros in this table represent bits that are always zero.
- * Note that all the bits in the first  4 rows come from C0, 
- *       and all the bits in the second 4 rows come from D0.
- */
-static const BYTE PC2[64] = {
-    14, 17, 11, 24,  1,  5,  0,  0,	/* S1 */
-     3, 28, 15,  6, 21, 10,  0,  0,	/* S2 */
-    23, 19, 12,  4, 26,  8,  0,  0,	/* S3 */
-    16,  7, 27, 20, 13,  2,  0,  0,	/* S4 */
-
-    41, 52, 31, 37, 47, 55,  0,  0,	/* S5 */
-    30, 40, 51, 45, 33, 48,  0,  0,	/* S6 */
-    44, 49, 39, 56, 34, 53,  0,  0,	/* S7 */
-    46, 42, 50, 36, 29, 32,  0,  0	/* S8 */
-};
-
-/* This table represents the same info as PC2, except that 
- * The bits of C0 and D0 are each numbered right to left, 0-27.
- * -1 values indicate bits that are always zero.
- * As before all the bits in the first  4 rows come from C0, 
- *       and all the bits in the second 4 rows come from D0.
- */
-static       signed char PC2a[64] = {
-/* bits of C0 */
-    14, 11, 17,  4, 27, 23, -1, -1,	/* S1 */
-    25,  0, 13, 22,  7, 18, -1, -1,	/* S2 */
-     5,  9, 16, 24,  2, 20, -1, -1,	/* S3 */
-    12, 21,  1,  8, 15, 26, -1, -1,	/* S4 */
-/* bits of D0 */
-    15,  4, 25, 19,  9,  1, -1, -1,	/* S5 */
-    26, 16,  5, 11, 23,  8, -1, -1,	/* S6 */
-    12,  7, 17,  0, 22,  3, -1, -1,	/* S7 */
-    10, 14,  6, 20, 27, 24, -1, -1 	/* S8 */
-};
-
-/* This table represents the same info as PC2a, except that 
- * The order of of the rows has been changed to increase the efficiency
- * with which the key sechedule is created.
- * Fewer shifts and ANDs are required to make the KS from these.
- */
-static const signed char PC2b[64] = {
-/* bits of C0 */
-    14, 11, 17,  4, 27, 23, -1, -1,	/* S1 */
-     5,  9, 16, 24,  2, 20, -1, -1,	/* S3 */
-    25,  0, 13, 22,  7, 18, -1, -1,	/* S2 */
-    12, 21,  1,  8, 15, 26, -1, -1,	/* S4 */
-/* bits of D0 */
-    26, 16,  5, 11, 23,  8, -1, -1,	/* S6 */
-    10, 14,  6, 20, 27, 24, -1, -1,	/* S8 */
-    15,  4, 25, 19,  9,  1, -1, -1,	/* S5 */
-    12,  7, 17,  0, 22,  3, -1, -1 	/* S7 */
-};
-
-/* Only 24 of the 28 bits in C0 and D0 are used in PC2.
- * The used bits of C0 and D0 are grouped into 4 groups of 6,
- * so that the PC2 permutation can be accomplished with 4 lookups
- * in tables of 64 entries.
- * The following table shows how the bits of C0 and D0 are grouped
- * into indexes for the respective table lookups.  
- * Bits are numbered right-to-left, 0-27, as in PC2b.
- */
-static BYTE NDX[48] = {
-/* Bits of C0 */
-    27, 26, 25, 24, 23, 22,	/* C0 table 0 */
-    18, 17, 16, 15, 14, 13,	/* C0 table 1 */
-     9,  8,  7,  2,  1,  0,	/* C0 table 2 */
-     5,  4, 21, 20, 12, 11,	/* C0 table 3 */
-/* bits of D0 */
-    27, 26, 25, 24, 23, 22,	/* D0 table 0 */
-    20, 19, 17, 16, 15, 14,	/* D0 table 1 */
-    12, 11, 10,  9,  8,  7,	/* D0 table 2 */
-     6,  5,  4,  3,  1,  0	/* D0 table 3 */
-};
-
-/* Here's the code that does that grouping. 
-	left   = PC2LOOKUP(0, 0, ((c0 >> 22) & 0x3F) );
-	left  |= PC2LOOKUP(0, 1, ((c0 >> 13) & 0x3F) );
-	left  |= PC2LOOKUP(0, 2, ((c0 >>  4) & 0x38) | (c0 & 0x7) );
-	left  |= PC2LOOKUP(0, 3, ((c0>>18)&0xC) | ((c0>>11)&0x3) | (c0&0x30));
-
-	right  = PC2LOOKUP(1, 0, ((d0 >> 22) & 0x3F) );
-	right |= PC2LOOKUP(1, 1, ((d0 >> 15) & 0x30) | ((d0 >> 14) & 0xf) );
-	right |= PC2LOOKUP(1, 2, ((d0 >>  7) & 0x3F) );
-	right |= PC2LOOKUP(1, 3, ((d0 >>  1) & 0x3C) | (d0 & 0x3));
-*/
-
-void
-make_pc2a( void )
-{
-
-    int i, j;
-
-    for ( i = 0; i < 64; ++i ) {
-	j = PC2[i];
-	if (j == 0)
-	    j = -1;
-	else if ( j < 29 )
-	    j = 28 - j ;
-	else
-	    j = 56 - j;
-	PC2a[i] = j;
-    }
-    for ( i = 0; i < 64; i += 8 ) {
-	printf("%3d,%3d,%3d,%3d,%3d,%3d,%3d,%3d,\n",
-		PC2a[i+0],PC2a[i+1],PC2a[i+2],PC2a[i+3],
-		PC2a[i+4],PC2a[i+5],PC2a[i+6],PC2a[i+7] );
-    }
-}
-
-HALF PC2cd0[64];
-
-HALF PC_2H[8][64];
-
-void
-mktable( )
-{
-    int i;
-    int table;
-    const BYTE * ndx   = NDX;
-    HALF         mask;
-
-    mask  = 0x80000000;
-    for (i = 0; i < 32; ++i, mask >>= 1) {
-	int bit = PC2b[i];
-	if (bit < 0)
-	    continue;
-	PC2cd0[bit + 32] = mask;
-    }
-
-    mask  = 0x80000000;
-    for (i = 32; i < 64; ++i, mask >>= 1) {
-	int bit = PC2b[i];
-	if (bit < 0)
-	    continue;
-	PC2cd0[bit] = mask;
-    }
-
-#if DEBUG
-    for (i = 0; i < 64; ++i) {
-    	printf("0x%08x,\n", PC2cd0[i]);
-    }
-#endif
-    for (i = 0; i < 24; ++i) {
-    	NDX[i] += 32;	/* because c0 is the upper half */
-    }
-
-    for (table = 0; table < 8; ++table) {
-	HALF bitvals[6];
-    	for (i = 0; i < 6; ++i) {
-	    bitvals[5-i] = PC2cd0[*ndx++];
-	}
-	for (i = 0; i < 64; ++i) {
-	    int  j;
-	    int  k     = 0;
-	    HALF value = 0;
-
-	    for (j = i; j; j >>= 1, ++k) {
-	    	if (j & 1) {
-		    value |= bitvals[k];
-		}
-	    }
-	    PC_2H[table][i] = value;
-	}
-	printf("/* table %d */ {\n", table );
-	for (i = 0; i < 64; i += 4) {
-	    printf("    0x%08x, 0x%08x, 0x%08x, 0x%08x, \n",
-		    PC_2H[table][i],   PC_2H[table][i+1],
-		    PC_2H[table][i+2], PC_2H[table][i+3]);
-	}
-	printf("  },\n");
-    }
-}
-
-
-int
-main(void)
-{
-/*   make_pc2a(); */
-   mktable();
-   return 0;
-}
diff --git a/security/nss/lib/freebl/mksp.c b/security/nss/lib/freebl/mksp.c
deleted file mode 100644
index 994dcff0c..000000000
--- a/security/nss/lib/freebl/mksp.c
+++ /dev/null
@@ -1,159 +0,0 @@
-/*
- *  mksp.c
- *
- *  Generate SP tables for DES-150 library
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the DES-150 library.
- *
- * The Initial Developer of the Original Code is
- * Nelson B. Bolyard, nelsonb@iname.com.
- * Portions created by the Initial Developer are Copyright (C) 1990
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include <stdio.h>
-
-/*
- * sboxes - the tables for the s-box functions
- *        from FIPS 46, pages 15-16.
- */
-unsigned char S[8][64] = {
-/* Func S1 = */ {
-	14,  0,  4, 15, 13,  7,  1,  4,  2, 14, 15,  2, 11, 13,  8,  1,
-	 3, 10, 10,  6,  6, 12, 12, 11,  5,  9,  9,  5,  0,  3,  7,  8,
-	 4, 15,  1, 12, 14,  8,  8,  2, 13,  4,  6,  9,  2,  1, 11,  7,
-	15,  5, 12, 11,  9,  3,  7, 14,  3, 10, 10,  0,  5,  6,  0, 13
-    },
-/* Func S2 = */ {
-	15,  3,  1, 13,  8,  4, 14,  7,  6, 15, 11,  2,  3,  8,  4, 14,
-	 9, 12,  7,  0,  2,  1, 13, 10, 12,  6,  0,  9,  5, 11, 10,  5,
-	 0, 13, 14,  8,  7, 10, 11,  1, 10,  3,  4, 15, 13,  4,  1,  2,
-	 5, 11,  8,  6, 12,  7,  6, 12,  9,  0,  3,  5,  2, 14, 15,  9
-    },
-/* Func S3 = */ {
-	10, 13,  0,  7,  9,  0, 14,  9,  6,  3,  3,  4, 15,  6,  5, 10,
-	 1,  2, 13,  8, 12,  5,  7, 14, 11, 12,  4, 11,  2, 15,  8,  1,
-	13,  1,  6, 10,  4, 13,  9,  0,  8,  6, 15,  9,  3,  8,  0,  7,
-	11,  4,  1, 15,  2, 14, 12,  3,  5, 11, 10,  5, 14,  2,  7, 12
-    },
-/* Func S4 = */ {
-	 7, 13, 13,  8, 14, 11,  3,  5,  0,  6,  6, 15,  9,  0, 10,  3,
-	 1,  4,  2,  7,  8,  2,  5, 12, 11,  1, 12, 10,  4, 14, 15,  9,
-	10,  3,  6, 15,  9,  0,  0,  6, 12, 10, 11,  1,  7, 13, 13,  8,
-	15,  9,  1,  4,  3,  5, 14, 11,  5, 12,  2,  7,  8,  2,  4, 14
-    },
-/* Func S5 = */ {
-	 2, 14, 12, 11,  4,  2,  1, 12,  7,  4, 10,  7, 11, 13,  6,  1,
-	 8,  5,  5,  0,  3, 15, 15, 10, 13,  3,  0,  9, 14,  8,  9,  6,
-	 4, 11,  2,  8,  1, 12, 11,  7, 10,  1, 13, 14,  7,  2,  8, 13,
-	15,  6,  9, 15, 12,  0,  5,  9,  6, 10,  3,  4,  0,  5, 14,  3
-    },
-/* Func S6 = */ {
-	12, 10,  1, 15, 10,  4, 15,  2,  9,  7,  2, 12,  6,  9,  8,  5,
-	 0,  6, 13,  1,  3, 13,  4, 14, 14,  0,  7, 11,  5,  3, 11,  8,
-	 9,  4, 14,  3, 15,  2,  5, 12,  2,  9,  8,  5, 12, 15,  3, 10,
-	 7, 11,  0, 14,  4,  1, 10,  7,  1,  6, 13,  0, 11,  8,  6, 13
-    },
-/* Func S7 = */ {
-	 4, 13, 11,  0,  2, 11, 14,  7, 15,  4,  0,  9,  8,  1, 13, 10,
-	 3, 14, 12,  3,  9,  5,  7, 12,  5,  2, 10, 15,  6,  8,  1,  6,
-	 1,  6,  4, 11, 11, 13, 13,  8, 12,  1,  3,  4,  7, 10, 14,  7,
-	10,  9, 15,  5,  6,  0,  8, 15,  0, 14,  5,  2,  9,  3,  2, 12
-    },
-/* Func S8 = */ {
-	13,  1,  2, 15,  8, 13,  4,  8,  6, 10, 15,  3, 11,  7,  1,  4,
-	10, 12,  9,  5,  3,  6, 14, 11,  5,  0,  0, 14, 12,  9,  7,  2,
-	 7,  2, 11,  1,  4, 14,  1,  7,  9,  4, 12, 10, 14,  8,  2, 13,
-	 0, 15,  6, 12, 10,  9, 13,  0, 15,  3,  3,  5,  5,  6,  8, 11
-    }
-};
-
-/*
- * Permutation function for results from s-boxes
- *   from FIPS 46 pages 12 and 16.
- * P = 
- */
-unsigned char P[32] = {
-	16,   7,  20,  21,  29,  12,  28,  17,
-	 1,  15,  23,  26,   5,  18,  31,  10,
-	 2,   8,  24,  14,  32,  27,   3,   9,
-	19,  13,  30,   6,  22,  11,   4,  25
-};
-
-unsigned int Pinv[32];
-unsigned int SP[8][64];
-
-void
-makePinv(void)
-{
-    int i;
-    unsigned int Pi = 0x80000000;
-    for (i = 0; i < 32; ++i) {
-    	int j = 32 - P[i];
-	Pinv[j] = Pi;
-	Pi >>= 1;
-    }
-}
-
-void
-makeSP(void)
-{
-    int box;
-    for (box = 0; box < 8; ++box) {
-	int item;
-	printf("/* box S%d */ {\n", box + 1);
-    	for (item = 0; item < 64; ++item ) {
-	    unsigned int s = S[box][item];
-	    unsigned int val = 0;
-	    unsigned int bitnum = (7-box) * 4;
-	    for (; s; s >>= 1, ++bitnum) {
-		if (s & 1) {
-		    val |= Pinv[bitnum];
-		}
-	    }
-	    val = (val << 3) | (val >> 29);
-	    SP[box][item] = val;
-	}
-	for (item = 0; item < 64; item += 4) {
-	    printf("\t0x%08x, 0x%08x, 0x%08x, 0x%08x,\n",
-	    SP[box][item], SP[box][item+1], SP[box][item+2], SP[box][item+3]);
-	}
-	printf("    },\n");
-    }
-}
-
-int
-main()
-{
-    makePinv();
-    makeSP();
-    return 0;
-}
diff --git a/security/nss/lib/freebl/mpi/Makefile b/security/nss/lib/freebl/mpi/Makefile
deleted file mode 100644
index c28002701..000000000
--- a/security/nss/lib/freebl/mpi/Makefile
+++ /dev/null
@@ -1,278 +0,0 @@
-#
-# Makefile for MPI library
-
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
-#
-# The Initial Developer of the Original Code is
-# Michael J. Fromberger <sting@linguist.dartmouth.edu>.
-# Portions created by the Initial Developer are Copyright (C) 1998
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#   Netscape Communications Corporation
-#   Richard C. Swift        (swift@netscape.com)
-#   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#
-# $Id$
-#
-
-## Define CC to be the C compiler you wish to use.  The GNU cc
-## compiler (gcc) should work, at the very least
-#CC=cc
-#CC=gcc
-
-## 
-## Define PERL to point to your local Perl interpreter.  It
-## should be Perl 5.x, although it's conceivable that Perl 4
-## might work ... I haven't tested it.
-##
-#PERL=/usr/bin/perl
-PERL=perl
-
-include target.mk
-
-CFLAGS+= $(XCFLAGS)
-
-##
-## Define LIBS to include any libraries you need to link against.
-## If NO_TABLE is define, LIBS should include '-lm' or whatever is
-## necessary to bring in the math library.  Otherwise, it can be
-## left alone, unless your system has other peculiar requirements.
-##
-LIBS=#-lmalloc#-lefence#-lm
-
-## 
-## Define RANLIB to be the library header randomizer; you might not
-## need this on some systems (just set it to 'echo' on these systems,
-## such as IRIX)
-##
-RANLIB=echo
-
-##
-## This is the version string used for the documentation and 
-## building the distribution tarball.  Don't mess with it unless
-## you are releasing a new version
-VERS=1.7p6
-
-## ----------------------------------------------------------------------
-## You probably don't need to change anything below this line...
-##
-
-##
-## This is the list of source files that need to be packed into
-## the distribution file
-SRCS=   mpi.c mpprime.c mplogic.c mp_gf2m.c mpmontg.c mpi-test.c primes.c tests/ \
-	utils/gcd.c utils/invmod.c utils/lap.c \
-	utils/ptab.pl utils/sieve.c utils/isprime.c\
-	utils/dec2hex.c utils/hex2dec.c utils/bbs_rand.c \
-	utils/bbsrand.c utils/prng.c utils/primegen.c \
-	utils/basecvt.c utils/makeprime.c\
-	utils/fact.c utils/exptmod.c utils/pi.c utils/metime.c \
-	utils/mpi.h utils/mpprime.h mulsqr.c \
-	make-test-arrays test-arrays.txt all-tests make-logtab \
-	types.pl stats timetest multest
-
-## These are the header files that go into the distribution file
-HDRS=mpi.h mpi-config.h utils/mpi.h utils/mpi-config.h mpprime.h mplogic.h mp_gf2m.h \
-     mp_gf2m-priv.h utils/bbs_rand.h tests/mpi.h tests/mpprime.h
-
-## These are the documentation files that go into the distribution file
-DOCS=README doc utils/README utils/PRIMES 
-
-## This is the list of tools built by 'make tools'
-TOOLS=gcd invmod isprime lap dec2hex hex2dec primegen prng \
-	basecvt fact exptmod pi makeprime identest
-
-LIBOBJS = mpprime.o mpmontg.o mplogic.o mp_gf2m.o mpi.o $(AS_OBJS)
-LIBHDRS = mpi-config.h mpi-priv.h mpi.h
-APPHDRS = mpi-config.h mpi.h mplogic.h mp_gf2m.h mpprime.h
-
-help:
-	@ echo ""
-	@ echo "The following targets can be built with this Makefile:"
-	@ echo ""
-	@ echo "libmpi.a     - arithmetic and prime testing library"
-	@ echo "mpi-test     - test driver (requires MP_IOFUNC)"
-	@ echo "tools        - command line tools"
-	@ echo "doc          - manual pages for tools"
-	@ echo "clean        - clean up objects and such"
-	@ echo "distclean    - get ready for distribution"
-	@ echo "dist         - distribution tarball"
-	@ echo ""
-
-.SUFFIXES: .c .o .i
-
-.c.i:
-	$(CC) $(CFLAGS) -E $< > $@
-
-#.c.o: $*.h $*.c
-#	$(CC) $(CFLAGS) -c $<
-
-#---------------------------------------
-
-$(LIBOBJS): $(LIBHDRS)
-
-logtab.h: make-logtab
-	$(PERL) make-logtab > logtab.h
-
-mpi.o: mpi.c logtab.h $(LIBHDRS)
-
-mplogic.o: mplogic.c mpi-priv.h mplogic.h $(LIBHDRS)
-
-mp_gf2m.o: mp_gf2m.c mpi-priv.h mp_gf2m.h mp_gf2m-priv.h $(LIBHDRS)
-
-mpmontg.o: mpmontg.c mpi-priv.h mplogic.h mpprime.h $(LIBHDRS)
-
-mpprime.o: mpprime.c mpi-priv.h mpprime.h mplogic.h primes.c $(LIBHDRS)
-
-mpi_mips.o: mpi_mips.s
-	$(CC) -o $@ $(ASFLAGS) -c mpi_mips.s
-
-mpi_sparc.o : montmulf.h
-
-mpv_sparcv9.s: vis_64.il mpv_sparc.c
-	$(CC) -o $@ $(SOLARIS_FPU_FLAGS) -S vis_64.il mpv_sparc.c
-
-mpv_sparcv8.s: vis_64.il mpv_sparc.c
-	$(CC) -o $@ $(SOLARIS_FPU_FLAGS) -S vis_32.il mpv_sparc.c
-
-montmulfv8.o montmulfv9.o mpv_sparcv8.o mpv_sparcv9.o : %.o : %.s 
-	$(CC) -o $@ $(SOLARIS_ASM_FLAGS) -c $<
-
-# This rule is used to build the .s sources, which are then hand optimized.
-#montmulfv8.s montmulfv9.s : montmulf%.s : montmulf%.il montmulf.c montmulf.h 
-#	$(CC) -o $@ $(SOLARIS_ASM_FLAGS) -S montmulf$*.il montmulf.c
-
-
-libmpi.a: $(LIBOBJS)
-	ar -cvr libmpi.a $(LIBOBJS)
-	$(RANLIB) libmpi.a
-
-lib libs: libmpi.a
-
-mpi.i: mpi.h
-
-#---------------------------------------
-
-MPTESTOBJS = mptest1.o mptest2.o mptest3.o mptest3a.o mptest4.o mptest4a.o \
-	mptest4b.o mptest6.o mptest7.o mptest8.o mptest9.o mptestb.o
-MPTESTS = $(MPTESTOBJS:.o=)
-
-$(MPTESTOBJS): mptest%.o: tests/mptest-%.c $(LIBHDRS)
-	$(CC) $(CFLAGS) -o $@ -c $<
-
-$(MPTESTS): mptest%: mptest%.o libmpi.a
-	$(CC) $(CFLAGS) -o $@ $^  $(LIBS)
-
-tests: mptest1 mptest2 mptest3 mptest3a mptest4 mptest4a mptest4b mptest6 \
-	mptestb bbsrand
-
-utests: mptest7 mptest8 mptest9
-
-#---------------------------------------
-
-EXTRAOBJS = bbsrand.o bbs_rand.o prng.o
-UTILOBJS = primegen.o metime.o identest.o basecvt.o fact.o exptmod.o pi.o \
-	makeprime.o gcd.o invmod.o lap.o isprime.o \
-	dec2hex.o hex2dec.o
-UTILS = $(UTILOBJS:.o=) 
-
-$(UTILS): % : %.o libmpi.a
-	$(CC) $(CFLAGS) -o $@ $^ $(LIBS)
-
-$(UTILOBJS) $(EXTRAOBJS): %.o : utils/%.c $(LIBHDRS)
-	$(CC) $(CFLAGS) -o $@ -c $<
-
-prng: prng.o bbs_rand.o libmpi.a
-	$(CC) $(CFLAGS) -o $@ $^ $(LIBS)
-
-bbsrand: bbsrand.o bbs_rand.o libmpi.a
-	$(CC) $(CFLAGS) -o $@ $^ $(LIBS)
-
-utils: $(UTILS) prng bbsrand
-
-#---------------------------------------
-
-test-info.c: test-arrays.txt
-	$(PERL) make-test-arrays test-arrays.txt > test-info.c
-
-mpi-test.o: mpi-test.c test-info.c $(LIBHDRS)
-	$(CC) $(CFLAGS) -o $@ -c $<
-
-mpi-test: mpi-test.o libmpi.a
-	$(CC) $(CFLAGS) -o $@ $^ $(LIBS)
-
-mdxptest.o: mdxptest.c $(LIBHDRS) mpi-priv.h
-
-mdxptest: mdxptest.o libmpi.a
-	$(CC) $(CFLAGS) -o $@ $^ $(LIBS)
-
-mulsqr.o: mulsqr.c logtab.h mpi.h mpi-config.h mpprime.h 
-	$(CC) $(CFLAGS) -DMP_SQUARE=1 -o $@ -c mulsqr.c 
-
-mulsqr: mulsqr.o libmpi.a
-	$(CC) $(CFLAGS) -o $@ $^ $(LIBS)
-
-#---------------------------------------
-
-alltests: tests utests mpi-test
-
-tools: $(TOOLS)
-
-doc:
-	(cd doc; ./build)
-
-clean:
-	rm -f *.o *.a *.i
-	rm -f core
-	rm -f *~ .*~
-	rm -f utils/*.o
-	rm -f utils/core
-	rm -f utils/*~ utils/.*~
-
-clobber: clean
-	rm -f $(TOOLS) $(UTILS)
-
-distclean: clean
-	rm -f mptest? mpi-test metime mulsqr karatsuba
-	rm -f mptest?a mptest?b
-	rm -f utils/mptest?
-	rm -f test-info.c logtab.h
-	rm -f libmpi.a
-	rm -f $(TOOLS)
-
-dist: Makefile $(HDRS) $(SRCS) $(DOCS)
-	tar -cvf mpi-$(VERS).tar Makefile $(HDRS) $(SRCS) $(DOCS)
-	pgps -ab mpi-$(VERS).tar
-	chmod +r mpi-$(VERS).tar.asc
-	gzip -9 mpi-$(VERS).tar
-
-# END
diff --git a/security/nss/lib/freebl/mpi/Makefile.os2 b/security/nss/lib/freebl/mpi/Makefile.os2
deleted file mode 100644
index a3ea63683..000000000
--- a/security/nss/lib/freebl/mpi/Makefile.os2
+++ /dev/null
@@ -1,280 +0,0 @@
-#
-# Makefile.win - gmake Makefile for building MPI with VACPP on OS/2
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
-#
-# The Initial Developer of the Original Code is
-# Michael J. Fromberger <sting@linguist.dartmouth.edu>.
-# Portions created by the Initial Developer are Copyright (C) 1998
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#   Netscape Communications Corporation
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#
-# $Id$
-#
-
-## Define CC to be the C compiler you wish to use.  The GNU cc
-## compiler (gcc) should work, at the very least
-#CC=cc
-#CC=gcc
-CC=icc.exe
-AS=alp.exe
-
-## 
-## Define PERL to point to your local Perl interpreter.  It
-## should be Perl 5.x, although it's conceivable that Perl 4
-## might work ... I haven't tested it.
-##
-#PERL=/usr/bin/perl
-PERL=perl
-
-##
-## Define CFLAGS to contain any local options your compiler
-## setup requires.
-##
-## Conditional compilation options are no longer here; see
-## the file 'mpi-config.h' instead.
-##
-MPICMN = -I. -DMP_API_COMPATIBLE -DMP_IOFUNC -DMP_USE_UINT_DIGIT -DMP_NO_MP_WORD
-
-#OS/2
-AS_SRCS = mpi_x86.asm
-MPICMN += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE -DMP_ASSEMBLY_DIV_2DX1D
-#CFLAGS= -Od -Z7 -MD -W3 -nologo -D_X86_ -DXP_PC \
- -DDEBUG -D_DEBUG -UNDEBUG -DWIN32 -D_WINDOWS -DWIN95 $(MPICMN)
-#CFLAGS = -O2 -MD -W3 -nologo -D_X86_ -DXP_PC -UDEBUG -U_DEBUG -DNDEBUG \
- -DWIN32 -D_WINDOWS -DWIN95 $(MPICMN)
-#CFLAGS = -Od -Z7 -MD -W3 -nologo -D_X86_ -DXP_PC -UDEBUG -U_DEBUG -DNDEBUG \
- -DWIN32 -D_WINDOWS -DWIN95 $(MPICMN)
-CFLAGS = /Ti+ -D_X86_ -DXP_PC -UDEBUG -U_DEBUG -DNDEBUG \
- $(MPICMN)
-ASFLAGS =
-
-##
-## Define LIBS to include any libraries you need to link against.
-## If NO_TABLE is define, LIBS should include '-lm' or whatever is
-## necessary to bring in the math library.  Otherwise, it can be
-## left alone, unless your system has other peculiar requirements.
-##
-LIBS=#-lmalloc#-lefence#-lm
-
-## 
-## Define RANLIB to be the library header randomizer; you might not
-## need this on some systems (just set it to 'echo' on these systems,
-## such as IRIX)
-##
-RANLIB=echo
-
-##
-## This is the version string used for the documentation and 
-## building the distribution tarball.  Don't mess with it unless
-## you are releasing a new version
-VERS=1.7p6
-
-## ----------------------------------------------------------------------
-## You probably don't need to change anything below this line...
-##
-
-##
-## This is the list of source files that need to be packed into
-## the distribution file
-SRCS=   mpi.c mpprime.c mplogic.c mpmontg.c mpi-test.c primes.c tests/ \
-	utils/gcd.c utils/invmod.c utils/lap.c \
-	utils/ptab.pl utils/sieve.c utils/isprime.c\
-	utils/dec2hex.c utils/hex2dec.c utils/bbs_rand.c \
-	utils/bbsrand.c utils/prng.c utils/primegen.c \
-	utils/basecvt.c utils/makeprime.c\
-	utils/fact.c utils/exptmod.c utils/pi.c utils/metime.c \
-	utils/mpi.h utils/mpprime.h mulsqr.c \
-	make-test-arrays test-arrays.txt all-tests make-logtab \
-	types.pl stats timetest multest
-
-## These are the header files that go into the distribution file
-HDRS=mpi.h mpi-config.h utils/mpi.h utils/mpi-config.h mpprime.h mplogic.h \
-     utils/bbs_rand.h tests/mpi.h tests/mpprime.h
-
-## These are the documentation files that go into the distribution file
-DOCS=README doc utils/README utils/PRIMES 
-
-## This is the list of tools built by 'make tools'
-TOOLS=gcd.exe invmod.exe isprime.exe lap.exe dec2hex.exe hex2dec.exe \
- primegen.exe prng.exe basecvt.exe fact.exe exptmod.exe pi.exe makeprime.exe
-
-AS_OBJS = $(AS_SRCS:.asm=.obj)
-LIBOBJS = mpprime.obj mpmontg.obj mplogic.obj mpi.obj $(AS_OBJS)
-LIBHDRS = mpi-config.h mpi-priv.h mpi.h
-APPHDRS = mpi-config.h mpi.h mplogic.h mpprime.h
-
-
-help:
-	@ echo ""
-	@ echo "The following targets can be built with this Makefile:"
-	@ echo ""
-	@ echo "mpi.lib      - arithmetic and prime testing library"
-	@ echo "mpi-test.exe - test driver (requires MP_IOFUNC)"
-	@ echo "tools        - command line tools"
-	@ echo "doc          - manual pages for tools"
-	@ echo "clean        - clean up objects and such"
-	@ echo "distclean    - get ready for distribution"
-	@ echo "dist         - distribution tarball"
-	@ echo ""
-
-.SUFFIXES: .c .obj .i .lib .exe .asm
-
-.c.i:
-	$(CC) $(CFLAGS) -E $< > $@
-
-.c.obj: 
-	$(CC) $(CFLAGS) -c $<
-
-.asm.obj:
-	$(AS) $(ASFLAGS) $<
-
-.obj.exe:
-	$(CC) $(CFLAGS) -Fo$@ $<
-
-#---------------------------------------
-
-$(LIBOBJS): $(LIBHDRS)
-
-logtab.h: make-logtab
-	$(PERL) make-logtab > logtab.h
-
-mpi.obj: mpi.c logtab.h $(LIBHDRS)
-
-mplogic.obj: mplogic.c mpi-priv.h mplogic.h $(LIBHDRS)
-
-mpmontg.obj: mpmontg.c mpi-priv.h mplogic.h mpprime.h $(LIBHDRS)
-
-mpprime.obj: mpprime.c mpi-priv.h mpprime.h mplogic.h primes.c $(LIBHDRS)
-
-mpi_mips.obj: mpi_mips.s
-	$(CC) -Fo$@ $(ASFLAGS) -c mpi_mips.s
-
-mpi.lib: $(LIBOBJS)
-	ilib /out:mpi.lib $(LIBOBJS)
-	$(RANLIB) mpi.lib
-
-lib libs: mpi.lib
-
-#---------------------------------------
-
-MPTESTOBJS = mptest1.obj mptest2.obj mptest3.obj mptest3a.obj mptest4.obj \
- mptest4a.obj mptest4b.obj mptest6.obj mptest7.obj mptest8.obj mptest9.obj
-MPTESTS = $(MPTESTOBJS:.obj=.exe)
-
-$(MPTESTOBJS): mptest%.obj: tests/mptest-%.c $(LIBHDRS)
-	$(CC) $(CFLAGS) -Fo$@ -c $<
-
-$(MPTESTS): mptest%.exe: mptest%.obj mpi.lib $(LIBS)
-	$(CC) $(CFLAGS) -Fo$@ $^ 
-
-tests: mptest1.exe mptest2.exe mptest3.exe mptest3a.exe mptest4.exe \
- mptest4a.exe mptest4b.exe mptest6.exe bbsrand.exe
-
-utests: mptest7.exe mptest8.exe mptest9.exe
-
-#---------------------------------------
-
-EXTRAOBJS = bbsrand.obj bbs_rand.obj prng.obj
-UTILOBJS = primegen.obj metime.obj identest.obj basecvt.obj fact.obj \
- exptmod.obj pi.obj makeprime.obj karatsuba.obj gcd.obj invmod.obj lap.obj \
- isprime.obj dec2hex.obj hex2dec.obj
-UTILS = $(UTILOBJS:.obj=.exe) 
-
-$(UTILS): %.exe : %.obj mpi.lib $(LIBS)
-	$(CC) $(CFLAGS) -Fo$@ $^ 
-
-$(UTILOBJS) $(EXTRAOBJS): %.obj : utils/%.c $(LIBHDRS)
-	$(CC) $(CFLAGS) -Fo$@ -c $<
-
-prng.exe: prng.obj bbs_rand.obj mpi.lib $(LIBS)
-	$(CC) $(CFLAGS) -Fo$@ $^
-
-bbsrand.exe: bbsrand.obj bbs_rand.obj mpi.lib $(LIBS)
-	$(CC) $(CFLAGS) -Fo$@ $^
-
-utils: $(UTILS) prng.exe bbsrand.exe
-
-#---------------------------------------
-
-test-info.c: test-arrays.txt
-	$(PERL) make-test-arrays test-arrays.txt > test-info.c
-
-mpi-test.obj: mpi-test.c test-info.c $(LIBHDRS)
-	$(CC) $(CFLAGS) -Fo$@ -c $<
-
-mpi-test.exe: mpi-test.obj mpi.lib $(LIBS)
-	$(CC) $(CFLAGS) -Fo$@ $^
-
-mdxptest.obj: mdxptest.c $(LIBHDRS) mpi-priv.h
-
-mdxptest.exe: mdxptest.obj mpi.lib $(LIBS)
-	$(CC) $(CFLAGS) -Fo$@ $^
-
-mulsqr.obj: mulsqr.c logtab.h mpi.h mpi-config.h mpprime.h 
-	$(CC) $(CFLAGS) -DMP_SQUARE=1 -Fo$@ -c mulsqr.c 
-
-mulsqr.exe: mulsqr.obj mpi.lib $(LIBS)
-	$(CC) $(CFLAGS) -Fo$@ $^
-
-#---------------------------------------
-
-alltests: tests utests mpi-test.exe
-
-tools: $(TOOLS)
-
-doc:
-	(cd doc; ./build)
-
-clean:
-	rm -f *.obj *.lib *.pdb *.ilk
-	cd utils; rm -f *.obj *.lib *.pdb *.ilk
-
-distclean: clean
-	rm -f mptest? mpi-test metime mulsqr karatsuba
-	rm -f mptest?a mptest?b
-	rm -f utils/mptest?
-	rm -f test-info.c logtab.h
-	rm -f mpi.lib
-	rm -f $(TOOLS)
-
-dist: Makefile $(HDRS) $(SRCS) $(DOCS)
-	tar -cvf mpi-$(VERS).tar Makefile $(HDRS) $(SRCS) $(DOCS)
-	pgps -ab mpi-$(VERS).tar
-	chmod +r mpi-$(VERS).tar.asc
-	gzip -9 mpi-$(VERS).tar
-
-
-print: 
-	@echo LIBOBJS = $(LIBOBJS)
-# END
diff --git a/security/nss/lib/freebl/mpi/Makefile.win b/security/nss/lib/freebl/mpi/Makefile.win
deleted file mode 100644
index de4e4958f..000000000
--- a/security/nss/lib/freebl/mpi/Makefile.win
+++ /dev/null
@@ -1,280 +0,0 @@
-#
-# Makefile.win - gmake Makefile for building MPI with MSVC on NT
-
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
-#
-# The Initial Developer of the Original Code is
-# Michael J. Fromberger <sting@linguist.dartmouth.edu>.
-# Portions created by the Initial Developer are Copyright (C) 1998
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#   Netscape Communications Corporation
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#
-# $Id$
-#
-
-## Define CC to be the C compiler you wish to use.  The GNU cc
-## compiler (gcc) should work, at the very least
-#CC=cc
-#CC=gcc
-CC=cl.exe
-AS=ml.exe
-
-## 
-## Define PERL to point to your local Perl interpreter.  It
-## should be Perl 5.x, although it's conceivable that Perl 4
-## might work ... I haven't tested it.
-##
-#PERL=/usr/bin/perl
-PERL=perl
-
-##
-## Define CFLAGS to contain any local options your compiler
-## setup requires.
-##
-## Conditional compilation options are no longer here; see
-## the file 'mpi-config.h' instead.
-##
-MPICMN = -I. -DMP_API_COMPATIBLE -DMP_IOFUNC
-
-#NT
-AS_SRCS = mpi_x86.asm
-MPICMN += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE -DMP_ASSEMBLY_DIV_2DX1D
-#CFLAGS= -Od -Z7 -MD -W3 -nologo -D_X86_ -DXP_PC \
- -DDEBUG -D_DEBUG -UNDEBUG -DWIN32 -D_WINDOWS -DWIN95 $(MPICMN)
-#CFLAGS = -O2 -MD -W3 -nologo -D_X86_ -DXP_PC -UDEBUG -U_DEBUG -DNDEBUG \
- -DWIN32 -D_WINDOWS -DWIN95 $(MPICMN)
-#CFLAGS = -Od -Z7 -MD -W3 -nologo -D_X86_ -DXP_PC -UDEBUG -U_DEBUG -DNDEBUG \
- -DWIN32 -D_WINDOWS -DWIN95 $(MPICMN)
-CFLAGS = -O2 -Z7 -MD -W3 -nologo -D_X86_ -DXP_PC -UDEBUG -U_DEBUG -DNDEBUG \
- -DWIN32 -D_WINDOWS -DWIN95 $(MPICMN)
-ASFLAGS = -Cp -Sn -Zi -coff -I. 
-
-##
-## Define LIBS to include any libraries you need to link against.
-## If NO_TABLE is define, LIBS should include '-lm' or whatever is
-## necessary to bring in the math library.  Otherwise, it can be
-## left alone, unless your system has other peculiar requirements.
-##
-LIBS=#-lmalloc#-lefence#-lm
-
-## 
-## Define RANLIB to be the library header randomizer; you might not
-## need this on some systems (just set it to 'echo' on these systems,
-## such as IRIX)
-##
-RANLIB=echo
-
-##
-## This is the version string used for the documentation and 
-## building the distribution tarball.  Don't mess with it unless
-## you are releasing a new version
-VERS=1.7p6
-
-## ----------------------------------------------------------------------
-## You probably don't need to change anything below this line...
-##
-
-##
-## This is the list of source files that need to be packed into
-## the distribution file
-SRCS=   mpi.c mpprime.c mplogic.c mpmontg.c mpi-test.c primes.c tests/ \
-	utils/gcd.c utils/invmod.c utils/lap.c \
-	utils/ptab.pl utils/sieve.c utils/isprime.c\
-	utils/dec2hex.c utils/hex2dec.c utils/bbs_rand.c \
-	utils/bbsrand.c utils/prng.c utils/primegen.c \
-	utils/basecvt.c utils/makeprime.c\
-	utils/fact.c utils/exptmod.c utils/pi.c utils/metime.c \
-	utils/mpi.h utils/mpprime.h mulsqr.c \
-	make-test-arrays test-arrays.txt all-tests make-logtab \
-	types.pl stats timetest multest
-
-## These are the header files that go into the distribution file
-HDRS=mpi.h mpi-config.h utils/mpi.h utils/mpi-config.h mpprime.h mplogic.h \
-     utils/bbs_rand.h tests/mpi.h tests/mpprime.h
-
-## These are the documentation files that go into the distribution file
-DOCS=README doc utils/README utils/PRIMES 
-
-## This is the list of tools built by 'make tools'
-TOOLS=gcd.exe invmod.exe isprime.exe lap.exe dec2hex.exe hex2dec.exe \
- primegen.exe prng.exe basecvt.exe fact.exe exptmod.exe pi.exe makeprime.exe
-
-AS_OBJS = $(AS_SRCS:.asm=.obj)
-LIBOBJS = mpprime.obj mpmontg.obj mplogic.obj mpi.obj $(AS_OBJS)
-LIBHDRS = mpi-config.h mpi-priv.h mpi.h
-APPHDRS = mpi-config.h mpi.h mplogic.h mpprime.h
-
-
-help:
-	@ echo ""
-	@ echo "The following targets can be built with this Makefile:"
-	@ echo ""
-	@ echo "mpi.lib     - arithmetic and prime testing library"
-	@ echo "mpi-test     - test driver (requires MP_IOFUNC)"
-	@ echo "tools        - command line tools"
-	@ echo "doc          - manual pages for tools"
-	@ echo "clean        - clean up objects and such"
-	@ echo "distclean    - get ready for distribution"
-	@ echo "dist         - distribution tarball"
-	@ echo ""
-
-.SUFFIXES: .c .obj .i .lib .exe .asm
-
-.c.i:
-	$(CC) $(CFLAGS) -E $< > $@
-
-.c.obj: 
-	$(CC) $(CFLAGS) -c $<
-
-.asm.obj:
-	$(AS) $(ASFLAGS) -c $<
-
-.obj.exe:
-	$(CC) $(CFLAGS) -Fo$@ $<
-
-#---------------------------------------
-
-$(LIBOBJS): $(LIBHDRS)
-
-logtab.h: make-logtab
-	$(PERL) make-logtab > logtab.h
-
-mpi.obj: mpi.c logtab.h $(LIBHDRS)
-
-mplogic.obj: mplogic.c mpi-priv.h mplogic.h $(LIBHDRS)
-
-mpmontg.obj: mpmontg.c mpi-priv.h mplogic.h mpprime.h $(LIBHDRS)
-
-mpprime.obj: mpprime.c mpi-priv.h mpprime.h mplogic.h primes.c $(LIBHDRS)
-
-mpi_mips.obj: mpi_mips.s
-	$(CC) -Fo$@ $(ASFLAGS) -c mpi_mips.s
-
-mpi.lib: $(LIBOBJS)
-	ar -cvr mpi.lib $(LIBOBJS)
-	$(RANLIB) mpi.lib
-
-lib libs: mpi.lib
-
-#---------------------------------------
-
-MPTESTOBJS = mptest1.obj mptest2.obj mptest3.obj mptest3a.obj mptest4.obj \
- mptest4a.obj mptest4b.obj mptest6.obj mptest7.obj mptest8.obj mptest9.obj
-MPTESTS = $(MPTESTOBJS:.obj=.exe)
-
-$(MPTESTOBJS): mptest%.obj: tests/mptest-%.c $(LIBHDRS)
-	$(CC) $(CFLAGS) -Fo$@ -c $<
-
-$(MPTESTS): mptest%.exe: mptest%.obj mpi.lib $(LIBS)
-	$(CC) $(CFLAGS) -Fo$@ $^ 
-
-tests: mptest1.exe mptest2.exe mptest3.exe mptest3a.exe mptest4.exe \
- mptest4a.exe mptest4b.exe mptest6.exe bbsrand.exe
-
-utests: mptest7.exe mptest8.exe mptest9.exe
-
-#---------------------------------------
-
-EXTRAOBJS = bbsrand.obj bbs_rand.obj prng.obj
-UTILOBJS = primegen.obj metime.obj identest.obj basecvt.obj fact.obj \
- exptmod.obj pi.obj makeprime.obj karatsuba.obj gcd.obj invmod.obj lap.obj \
- isprime.obj dec2hex.obj hex2dec.obj
-UTILS = $(UTILOBJS:.obj=.exe) 
-
-$(UTILS): %.exe : %.obj mpi.lib $(LIBS)
-	$(CC) $(CFLAGS) -Fo$@ $^ 
-
-$(UTILOBJS) $(EXTRAOBJS): %.obj : utils/%.c $(LIBHDRS)
-	$(CC) $(CFLAGS) -Fo$@ -c $<
-
-prng.exe: prng.obj bbs_rand.obj mpi.lib $(LIBS)
-	$(CC) $(CFLAGS) -Fo$@ $^
-
-bbsrand.exe: bbsrand.obj bbs_rand.obj mpi.lib $(LIBS)
-	$(CC) $(CFLAGS) -Fo$@ $^
-
-utils: $(UTILS) prng.exe bbsrand.exe
-
-#---------------------------------------
-
-test-info.c: test-arrays.txt
-	$(PERL) make-test-arrays test-arrays.txt > test-info.c
-
-mpi-test.obj: mpi-test.c test-info.c $(LIBHDRS)
-	$(CC) $(CFLAGS) -Fo$@ -c $<
-
-mpi-test.exe: mpi-test.obj mpi.lib $(LIBS)
-	$(CC) $(CFLAGS) -Fo$@ $^
-
-mdxptest.obj: mdxptest.c $(LIBHDRS) mpi-priv.h
-
-mdxptest.exe: mdxptest.obj mpi.lib $(LIBS)
-	$(CC) $(CFLAGS) -Fo$@ $^
-
-mulsqr.obj: mulsqr.c logtab.h mpi.h mpi-config.h mpprime.h 
-	$(CC) $(CFLAGS) -DMP_SQUARE=1 -Fo$@ -c mulsqr.c 
-
-mulsqr.exe: mulsqr.obj mpi.lib $(LIBS)
-	$(CC) $(CFLAGS) -Fo$@ $^
-
-#---------------------------------------
-
-alltests: tests utests mpi-test.exe
-
-tools: $(TOOLS)
-
-doc:
-	(cd doc; ./build)
-
-clean:
-	rm -f *.obj *.lib *.pdb *.ilk
-	cd utils; rm -f *.obj *.lib *.pdb *.ilk
-
-distclean: clean
-	rm -f mptest? mpi-test metime mulsqr karatsuba
-	rm -f mptest?a mptest?b
-	rm -f utils/mptest?
-	rm -f test-info.c logtab.h
-	rm -f mpi.lib
-	rm -f $(TOOLS)
-
-dist: Makefile $(HDRS) $(SRCS) $(DOCS)
-	tar -cvf mpi-$(VERS).tar Makefile $(HDRS) $(SRCS) $(DOCS)
-	pgps -ab mpi-$(VERS).tar
-	chmod +r mpi-$(VERS).tar.asc
-	gzip -9 mpi-$(VERS).tar
-
-
-print: 
-	@echo LIBOBJS = $(LIBOBJS)
-# END
diff --git a/security/nss/lib/freebl/mpi/README b/security/nss/lib/freebl/mpi/README
deleted file mode 100644
index 50ec394e4..000000000
--- a/security/nss/lib/freebl/mpi/README
+++ /dev/null
@@ -1,799 +0,0 @@
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this file are subject to the Mozilla Public License Version
-1.1 (the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the MPI Arbitrary Precision Integer Arithmetic
-library.
-
-The Initial Developer of the Original Code is
-Michael J. Fromberger <sting@linguist.dartmouth.edu>
-Portions created by the Initial Developer are Copyright (C) 1997-2000
-the Initial Developer. All Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
-
-About the MPI Library
----------------------
-
-The files 'mpi.h' and 'mpi.c' define a simple, arbitrary precision
-signed integer arithmetic package.  The implementation is not the most
-efficient possible, but the code is small and should be fairly easily
-portable to just about any machine that supports an ANSI C compiler,
-as long as it is capable of at least 16-bit arithmetic (but also see
-below for more on this).
-
-This library was written with an eye to cryptographic applications;
-thus, some care is taken to make sure that temporary values are not
-left lying around in memory when they are no longer in use.  This adds
-some overhead for zeroing buffers before they are released back into
-the free pool; however, it gives you the assurance that there is only
-one copy of your important values residing in your process's address
-space at a time.  Obviously, it is difficult to guarantee anything, in
-a pre-emptive multitasking environment, but this at least helps you
-keep a lid on the more obvious ways your data can get spread around in
-memory.
-
-
-Using the Library
------------------
-
-To use the MPI library in your program, you must include the header:
-
-#include "mpi.h"
-
-This header provides all the type and function declarations you'll
-need to use the library.  Almost all the names defined by the library
-begin with the prefix 'mp_', so it should be easy to keep them from
-clashing with your program's namespace (he says, glibly, knowing full
-well there are always pathological cases).
-
-There are a few things you may want to configure about the library.
-By default, the MPI library uses an unsigned short for its digit type,
-and an unsigned int for its word type.  The word type must be big
-enough to contain at least two digits, for the primitive arithmetic to
-work out.  On my machine, a short is 2 bytes and an int is 4 bytes --
-but if you have 64-bit ints, you might want to use a 4-byte digit and
-an 8-byte word.  I have tested the library using 1-byte digits and
-2-byte words, as well.  Whatever you choose to do, the things you need
-to change are:
-
-(1) The type definitions for mp_digit and mp_word.
-
-(2) The macro DIGIT_FMT which tells mp_print() how to display a
-    single digit.  This is just a printf() format string, so you
-    can adjust it appropriately.
-
-(3) The macros DIGIT_MAX and MP_WORD_MAX, which specify the 
-    largest value expressible in an mp_digit and an mp_word,
-    respectively.
-
-Both the mp_digit and mp_word should be UNSIGNED integer types.  The
-code relies on having the full positive precision of the type used for
-digits and words.
-
-The remaining type definitions should be left alone, for the most
-part.  The code in the library does not make any significant
-assumptions about the sizes of things, but there is little if any
-reason to change the other parameters, so I would recommend you leave
-them as you found them.
-
-The library comes with a Perl script, 'types.pl', which will scan your
-current Makefile settings, and attempt to find good definitions for
-these types.  It relies on a Unix sort of build environment, so it
-probably won't work under MacOS or Windows, but it can be convenient
-if you're porting to a new flavour of Unix.  Just run 'types.pl' at
-the command line, and it will spit out its results to the standard
-output.
-
-
-Conventions
------------
-
-Most functions in the library return a value of type mp_err.  This
-permits the library to communicate success or various kinds of failure
-to the calling program.  The return values currently defined are:
-
-        MP_OKAY         - okay, operation succeeded, all's well
-        MP_YES          - okay, the answer is yes (same as MP_OKAY)
-        MP_NO           - okay, but answer is no (not MP_OKAY)
-        MP_MEM          - operation ran out of memory
-        MP_RANGE        - input parameter was out of range
-        MP_BADARG       - an invalid input parameter was provided
-        MP_UNDEF        - no output value is defined for this input
-
-The only function which currently uses MP_UNDEF is mp_invmod().
-Division by zero is undefined, but the division functions will return
-MP_RANGE for a zero divisor.  MP_BADARG usually means you passed a
-bogus mp_int structure to the function.  MP_YES and MP_NO are not used
-by the library itself; they're defined so you can use them in your own
-extensions.
-
-If you need a readable interpretation of these error codes in your
-program, you may also use the mp_strerror() function.  This function
-takes an mp_err as input, and returns a pointer to a human-readable
-string describing the meaning of the error.  These strings are stored
-as constants within the library, so the caller should not attempt to
-modify or free the memory associated with these strings.
-
-The library represents values in signed-magnitude format.  Values
-strictly less than zero are negative, all others are considered
-positive (zero is positive by fiat).  You can access the 'sign' member
-of the mp_int structure directly, but better is to use the mp_cmp_z()
-function, to find out which side of zero the value lies on.
-
-Most arithmetic functions have a single-digit variant, as well as the
-full arbitrary-precision.  An mp_digit is an unsigned value between 0
-and DIGIT_MAX inclusive.  The radix is available as RADIX.  The number
-of bits in a given digit is given as DIGIT_BIT.
-
-Generally, input parameters are given before output parameters.
-Unless otherwise specified, any input parameter can be re-used as an
-output parameter, without confusing anything.
-
-The basic numeric type defined by the library is an mp_int.  Virtually
-all the functions in the library take a pointer to an mp_int as one of
-their parameters.  An explanation of how to create and use these
-<HR>
-<A NAME="p23">
-<H3>Problem 23:</H3>
-
-structures follows.  And so, without further ado...
-
-
-Initialization and Cleanup
---------------------------
-
-The basic numeric type defined by the library is an 'mp_int'.
-However, it is not sufficient to simply declare a variable of type
-mp_int in your program.  These variables also need to be initialized
-before they can be used, to allocate the internal storage they require
-for computation.
-
-This is done using one of the following functions:
-
-        mp_init(mp_int *mp);
-        mp_init_copy(mp_int *mp, mp_int *from);
-        mp_init_size(mp_int *mp, mp_size p);
-
-Each of these requires a pointer to a structure of type mp_int.  The
-basic mp_init() simply initializes the mp_int to a default size, and
-sets its value to zero.  If you would like to initialize a copy of an
-existing mp_int, use mp_init_copy(), where the 'from' parameter is the
-mp_int you'd like to make a copy of.  The third function,
-mp_init_size(), permits you to specify how many digits of precision
-should be preallocated for your mp_int.  This can help the library
-avoid unnecessary re-allocations later on.
-
-The default precision used by mp_init() can be retrieved using:
-
-        precision = mp_get_prec();
-
-This returns the number of digits that will be allocated.  You can
-change this value by using:
-
-        mp_set_prec(unsigned int prec);
-
-Any positive value is acceptable -- if you pass zero, the default
-precision will be re-set to the compiled-in library default (this is
-specified in the header file 'mpi-config.h', and typically defaults to
-8 or 16).
-
-Just as you must allocate an mp_int before you can use it, you must
-clean up the structure when you are done with it.  This is performed
-using the mp_clear() function.  Remember that any mp_int that you
-create as a local variable in a function must be mp_clear()'d before
-that function exits, or else the memory allocated to that mp_int will
-be orphaned and unrecoverable.
-
-To set an mp_int to a given value, the following functions are given:
-
-        mp_set(mp_int *mp, mp_digit d);
-        mp_set_int(mp_int *mp, long z);
-
-The mp_set() function sets the mp_int to a single digit value, while
-mp_set_int() sets the mp_int to a signed long integer value.
-
-To set an mp_int to zero, use:
-
-        mp_zero(mp_int *mp);
-
-
-Copying and Moving
-------------------
-
-If you have two initialized mp_int's, and you want to copy the value
-of one into the other, use:
-
-        mp_copy(from, to)
-
-This takes care of clearing the old value of 'to', and copies the new
-value into it.  If 'to' is not yet initialized, use mp_init_copy()
-instead (see above).
-
-Note:   The library tries, whenever possible, to avoid allocating
-----    new memory.  Thus, mp_copy() tries first to satisfy the needs
-        of the copy by re-using the memory already allocated to 'to'.
-        Only if this proves insufficient will mp_copy() actually
-        allocate new memory.
-
-        For this reason, if you know a priori that 'to' has enough
-        available space to hold 'from', you don't need to check the
-        return value of mp_copy() for memory failure.  The USED()
-        macro tells you how many digits are used by an mp_int, and
-        the ALLOC() macro tells you how many are allocated.
-
-If you have two initialized mp_int's, and you want to exchange their
-values, use:
-
-        mp_exch(a, b)
-
-This is better than using mp_copy() with a temporary, since it will
-not (ever) touch the memory allocator -- it just swaps the exact
-contents of the two structures.  The mp_exch() function cannot fail;
-if you pass it an invalid structure, it just ignores it, and does
-nothing.
-
-
-Basic Arithmetic
-----------------
-
-Once you have initialized your integers, you can operate on them.  The
-basic arithmetic functions on full mp_int values are:
-
-mp_add(a, b, c)         - computes c = a + b
-mp_sub(a, b, c)         - computes c = a - b
-mp_mul(a, b, c)         - computes c = a * b
-mp_sqr(a, b)            - computes b = a * a
-mp_div(a, b, q, r)      - computes q, r such that a = bq + r
-mp_div_2d(a, d, q, r)   - computes q = a / 2^d, r = a % 2^d
-mp_expt(a, b, c)        - computes c = a ** b
-mp_2expt(a, k)          - computes a = 2^k
-mp_sqrt(a, c)           - computes c = floor(sqrt(a))
-
-The mp_div_2d() function efficiently computes division by powers of
-two.  Either the q or r parameter may be NULL, in which case that
-portion of the computation will be discarded.
-
-The algorithms used for some of the computations here are described in
-the following files which are included with this distribution:
-
-mul.txt         Describes the multiplication algorithm
-div.txt         Describes the division algorithm
-expt.txt        Describes the exponentiation algorithm
-sqrt.txt        Describes the square-root algorithm
-square.txt      Describes the squaring algorithm
-
-There are single-digit versions of most of these routines, as well.
-In the following prototypes, 'd' is a single mp_digit:
-
-mp_add_d(a, d, c)       - computes c = a + d
-mp_sub_d(a, d, c)       - computes c = a - d
-mp_mul_d(a, d, c)       - computes c = a * d
-mp_mul_2(a, c)          - computes c = a * 2
-mp_div_d(a, d, q, r)    - computes q, r such that a = bq + r
-mp_div_2(a, c)          - computes c = a / 2
-mp_expt_d(a, d, c)      - computes c = a ** d
-
-The mp_mul_2() and mp_div_2() functions take advantage of the internal
-representation of an mp_int to do multiplication by two more quickly
-than mp_mul_d() would.  Other basic functions of an arithmetic variety
-include:
-
-mp_zero(a)              - assign 0 to a
-mp_neg(a, c)            - negate a: c = -a
-mp_abs(a, c)            - absolute value: c = |a|
-
-
-Comparisons
------------
-
-Several comparison functions are provided.  Each of these, unless
-otherwise specified, returns zero if the comparands are equal, < 0 if
-the first is less than the second, and > 0 if the first is greater
-than the second:
-
-mp_cmp_z(a)             - compare a <=> 0
-mp_cmp_d(a, d)          - compare a <=> d, d is a single digit
-mp_cmp(a, b)            - compare a <=> b
-mp_cmp_mag(a, b)        - compare |a| <=> |b|
-mp_cmp_int(a, z)        - compare a <=> z, z is a signed long integer
-mp_isodd(a)             - return nonzero if odd, zero otherwise
-mp_iseven(a)            - return nonzero if even, zero otherwise
-
-
-Modular Arithmetic
-------------------
-
-Modular variations of the basic arithmetic functions are also
-supported.  These are available if the MP_MODARITH parameter in
-mpi-config.h is turned on (it is by default).  The modular arithmetic
-functions are:
-
-mp_mod(a, m, c)         - compute c = a (mod m), 0 <= c < m
-mp_mod_d(a, d, c)       - compute c = a (mod d), 0 <= c < d (see below)
-mp_addmod(a, b, m, c)   - compute c = (a + b) mod m
-mp_submod(a, b, m, c)   - compute c = (a - b) mod m
-mp_mulmod(a, b, m, c)   - compute c = (a * b) mod m
-mp_sqrmod(a, m, c)      - compute c = (a * a) mod m
-mp_exptmod(a, b, m, c)  - compute c = (a ** b) mod m
-mp_exptmod_d(a, d, m, c)- compute c = (a ** d) mod m
-
-The mp_sqr() function squares its input argument.  A call to mp_sqr(a,
-c) is identical in meaning to mp_mul(a, a, c); however, if the
-MP_SQUARE variable is set true in mpi-config.h (see below), then it
-will be implemented with a different algorithm, that is supposed to
-take advantage of the redundant computation that takes place during
-squaring.  Unfortunately, some compilers result in worse performance
-on this code, so you can change the behaviour at will.  There is a
-utility program "mulsqr.c" that lets you test which does better on
-your system.
-
-The mp_sqrmod() function is analogous to the mp_sqr() function; it
-uses the mp_sqr() function rather than mp_mul(), and then performs the
-modular reduction.  This probably won't help much unless you are doing
-a lot of them.
-
-See the file 'square.txt' for a synopsis of the algorithm used.
-
-Note:   The mp_mod_d() function computes a modular reduction around
-----    a single digit d.  The result is a single digit c.
-
-Because an inverse is defined for a (mod m) if and only if (a, m) = 1
-(that is, if a and m are relatively prime), mp_invmod() may not be
-able to compute an inverse for the arguments.  In this case, it
-returns the value MP_UNDEF, and does not modify c.  If an inverse is
-defined, however, it returns MP_OKAY, and sets c to the value of the
-inverse (mod m).
-
-See the file 'redux.txt' for a description of the modular reduction
-algorithm used by mp_exptmod().
-
-
-Greatest Common Divisor
------------------------
-
-If The greates common divisor of two values can be found using one of the
-following functions:
-
-mp_gcd(a, b, c)         - compute c = (a, b) using binary algorithm
-mp_lcm(a, b, c)         - compute c = [a, b] = ab / (a, b)
-mp_xgcd(a, b, g, x, y)  - compute g, x, y so that ax + by = g = (a, b)
-
-Also provided is a function to compute modular inverses, if they
-exist:
-
-mp_invmod(a, m, c)      - compute c = a^-1 (mod m), if it exists
-
-The function mp_xgcd() computes the greatest common divisor, and also
-returns values of x and y satisfying Bezout's identity.  This is used
-by mp_invmod() to find modular inverses.  However, if you do not need
-these values, you will find that mp_gcd() is MUCH more efficient,
-since it doesn't need all the intermediate values that mp_xgcd()
-requires in order to compute x and y. 
-
-The mp_gcd() (and mp_xgcd()) functions use the binary (extended) GCD
-algorithm due to Josef Stein.
-
-
-Input & Output Functions
-------------------------
-
-The following basic I/O routines are provided.  These are present at
-all times:
-
-mp_read_radix(mp, str, r)  - convert a string in radix r to an mp_int
-mp_read_raw(mp, s, len)    - convert a string of bytes to an mp_int
-mp_radix_size(mp, r)       - return length of buffer needed by mp_toradix()
-mp_raw_size(mp)            - return length of buffer needed by mp_toraw()
-mp_toradix(mp, str, r)     - convert an mp_int to a string of radix r 
-                             digits
-mp_toraw(mp, str)          - convert an mp_int to a string of bytes
-mp_tovalue(ch, r)          - convert ch to its value when taken as
-                             a radix r digit, or -1 if invalid
-mp_strerror(err)           - get a string describing mp_err value 'err'
-
-If you compile the MPI library with MP_IOFUNC defined, you will also
-have access to the following additional I/O function:
-
-mp_print(mp, ofp)       - print an mp_int as text to output stream ofp
-
-Note that mp_radix_size() returns a size in bytes guaranteed to be AT
-LEAST big enough for the digits output by mp_toradix().  Because it
-uses an approximation technique to figure out how many digits will be
-needed, it may return a figure which is larger than necessary.  Thus,
-the caller should not rely on the value to determine how many bytes
-will actually be written by mp_toradix().  The string mp_toradix()
-creates will be NUL terminated, so the standard C library function
-strlen() should be able to ascertain this for you, if you need it.
-
-The mp_read_radix() and mp_toradix() functions support bases from 2 to
-64 inclusive.  If you require more general radix conversion facilities
-than this, you will need to write them yourself (that's why mp_div_d()
-is provided, after all).
-
-Note:   mp_read_radix() will accept as digits either capital or 
-----    lower-case letters.  However, the current implementation of
-        mp_toradix() only outputs upper-case letters, when writing
-        bases betwee 10 and 36.  The underlying code supports using
-        lower-case letters, but the interface stub does not have a
-        selector for it.  You can add one yourself if you think it
-        is worthwhile -- I do not.  Bases from 36 to 64 use lower-
-        case letters as distinct from upper-case.  Bases 63 and
-        64 use the characters '+' and '/' as digits.
-
-        Note also that compiling with MP_IOFUNC defined will cause
-        inclusion of <stdio.h>, so if you are trying to write code
-        which does not depend on the standard C library, you will
-        probably want to avoid this option.  This is needed because
-        the mp_print() function takes a standard library FILE * as
-        one of its parameters, and uses the fprintf() function.
-
-The mp_toraw() function converts the integer to a sequence of bytes,
-in big-endian ordering (most-significant byte first).  Assuming your
-bytes are 8 bits wide, this corresponds to base 256.  The sign is
-encoded as a single leading byte, whose value is 0 for zero or
-positive values, or 1 for negative values.  The mp_read_raw() function
-reverses this process -- it takes a buffer of bytes, interprets the
-first as a sign indicator (0 = zero/positive, nonzero = negative), and
-the rest as a sequence of 1-byte digits in big-endian ordering.
-
-The mp_raw_size() function returns the exact number of bytes required
-to store the given integer in "raw" format (as described in the
-previous paragraph).  Zero is returned in case of error; a valid
-integer will require at least three bytes of storage.
-
-In previous versions of the MPI library, an "external representation
-format" was supported.  This was removed, however, because I found I
-was never using it, it was not as portable as I would have liked, and
-I decided it was a waste of space.
-
-
-Other Functions
----------------
-
-The files 'mpprime.h' and 'mpprime.c' define some routines which are
-useful for divisibility testing and probabilistic primality testing.
-The routines defined are:
-
-mpp_divis(a, b)          - is a divisible by b?
-mpp_divis_d(a, d)        - is a divisible by digit d?
-mpp_random(a)            - set a to random value at current precision
-mpp_random_size(a, prec) - set a to random value at given precision
-
-Note:  The mpp_random() and mpp_random_size() functions use the C
-----   library's rand() function to generate random values.  It is
-       up to the caller to seed this generator before it is called.
-       These functions are not suitable for generating quantities
-       requiring cryptographic-quality randomness; they are intended
-       primarily for use in primality testing.
-
-       Note too that the MPI library does not call srand(), so your
-       application should do this, if you ever want the sequence
-       to change.
-
-mpp_divis_vector(a, v, s, w)  - is a divisible by any of the s digits
-                                in v?  If so, let w be the index of 
-                                that digit
-
-mpp_divis_primes(a, np)       - is a divisible by any of the first np
-                                primes?  If so, set np to the prime 
-                                which divided a.
-
-mpp_fermat(a, d)              - test if w^a = w (mod a).  If so, 
-                                returns MP_YES, otherwise MP_NO.
-
-mpp_pprime(a, nt)             - perform nt iterations of the Rabin-
-                                Miller probabilistic primality test
-                                on a.  Returns MP_YES if all tests
-                                passed, or MP_NO if any test fails.
-
-The mpp_fermat() function works based on Fermat's little theorem, a
-consequence of which is that if p is a prime, and (w, p) = 1, then:
-
-        w^p = w (mod p)
-
-Put another way, if w^p != w (mod p), then p is not prime.  The test
-is expensive to compute, but it helps to quickly eliminate an enormous
-class of composite numbers prior to Rabin-Miller testing.
-
-Building the Library
---------------------
-
-The MPI library is designed to be as self-contained as possible.  You
-should be able to compile it with your favourite ANSI C compiler, and
-link it into your program directly.  If you are on a Unix system using
-the GNU C compiler (gcc), the following should work:
-
-% gcc -ansi -pedantic -Wall -O2 -c mpi.c
-
-The file 'mpi-config.h' defines several configurable parameters for
-the library, which you can adjust to suit your application.  At the
-time of this writing, the available options are:
-
-MP_IOFUNC       - Define true to include the mp_print() function, 
-                  which is moderately useful for debugging.  This
-                  implicitly includes <stdio.h>.
-
-MP_MODARITH     - Define true to include the modular arithmetic
-                  functions.  If you don't need modular arithmetic
-                  in your application, you can set this to zero to
-                  leave out all the modular routines.
-
-MP_NUMTH        - Define true to include number theoretic functions
-                  such as mp_gcd(), mp_lcm(), and mp_invmod().
-
-MP_LOGTAB       - If true, the file "logtab.h" is included, which
-                  is basically a static table of base 2 logarithms.
-                  These are used to compute how big the buffers for
-                  radix conversion need to be.  If you set this false,
-                  the library includes <math.h> and uses log().  This
-                  typically forces you to link against math libraries.
-
-MP_MEMSET       - If true, use memset() to zero buffers.  If you run
-                  into weird alignment related bugs, set this to zero
-                  and an explicit loop will be used.
-
-MP_MEMCPY       - If true, use memcpy() to copy buffers.  If you run
-                  into weird alignment bugs, set this to zero and an
-                  explicit loop will be used.
-
-MP_CRYPTO       - If true, whenever arrays of digits are free'd, they
-                  are zeroed first.  This is useful if you're using
-                  the library in a cryptographic environment; however,
-                  it does add overhead to each free operation.  For
-                  performance, if you don't care about zeroing your
-                  buffers, set this to false.
-
-MP_ARGCHK       - Set to 0, 1, or 2.  This defines how the argument
-                  checking macro, ARGCHK(), gets expanded.  If this 
-                  is set to zero, ARGCHK() expands to nothing; no 
-                  argument checks are performed.  If this is 1, the
-                  ARGCHK() macro expands to code that returns MP_BADARG
-                  or similar at runtime.  If it is 2, ARGCHK() expands 
-                  to an assert() call that aborts the program on a 
-                  bad input.
-
-MP_DEBUG        - Turns on debugging output.  This is probably not at
-                  all useful unless you are debugging the library.  It
-                  tends to spit out a LOT of output.
-
-MP_DEFPREC      - The default precision of a newly-created mp_int, in
-                  digits.  The precision can be changed at runtime by
-                  the mp_set_prec() function, but this is its initial
-                  value.
-
-MP_SQUARE       - If this is set to a nonzero value, the mp_sqr() 
-                  function will use an alternate algorithm that takes
-                  advantage of the redundant inner product computation
-                  when both multiplicands are identical.  Unfortunately,
-                  with some compilers this is actually SLOWER than just
-                  calling mp_mul() with the same argument twice.  So
-                  if you set MP_SQUARE to zero, mp_sqr() will be expan-
-                  ded into a call to mp_mul().  This applies to all 
-                  the uses of mp_sqr(), including mp_sqrmod() and the
-                  internal calls to s_mp_sqr() inside mpi.c
-
-                  The program 'mulsqr' (mulsqr.c) can be used to test
-                  which works best for your configuration.  Set up the
-                  CC and CFLAGS variables in the Makefile, then type:
-
-                        make mulsqr
-
-                  Invoke it with arguments similar to the following:
-
-                        mulsqr 25000 1024
-
-                  That is, 25000 products computed on 1024-bit values.
-                  The output will compare the two timings, and recommend
-                  a setting for MP_SQUARE.  It is off by default.
-
-If you would like to use the mp_print() function (see above), be sure
-to define MP_IOFUNC in mpi-config.h.  Many of the test drivers in the
-'tests' subdirectory expect this to be defined (although the test
-driver 'mpi-test' doesn't need it)
-
-The Makefile which comes with the library should take care of building
-the library for you, if you have set the CC and CFLAGS variables at
-the top of the file appropriately.  By default, they are set up to
-use the GNU C compiler:
-
-CC=gcc
-CFLAGS=-ansi -pedantic -Wall -O2
-
-If all goes well, the library should compile without warnings using
-this combination.  You should, of course, make whatever adjustments
-you find necessary.  
-
-The MPI library distribution comes with several additional programs
-which are intended to demonstrate the use of the library, and provide
-a framework for testing it.  There are a handful of test driver
-programs, in the files named 'mptest-X.c', where X is a digit.  Also,
-there are some simple command-line utilities (in the 'utils'
-directory) for manipulating large numbers.  These include:
-
-basecvt.c       A radix-conversion program, supporting bases from
-                2 to 64 inclusive.
-
-bbsrand.c       A BBS (quadratic residue) pseudo-random number 
-                generator.  The file 'bbsrand.c' is just the driver
-                for the program; the real code lives in the files
-                'bbs_rand.h' and 'bbs_rand.c'
-
-dec2hex.c       Converts decimal to hexadecimal
-
-gcd.c           Computes the greatest common divisor of two values.
-                If invoked as 'xgcd', also computes constants x and
-                y such that (a, b) = ax + by, in accordance with
-                Bezout's identity.
-
-hex2dec.c       Converts hexadecimal to decimal
-
-invmod.c        Computes modular inverses
-
-isprime.c       Performs the Rabin-Miller probabilistic primality
-                test on a number.  Values which fail this test are
-                definitely composite, and those which pass are very
-                likely to be prime (although there are no guarantees)
-
-lap.c           Computes the order (least annihilating power) of
-                a value v modulo m.  Very dumb algorithm.
-
-primegen.c      Generates large (probable) primes.
-
-prng.c          A pseudo-random number generator based on the
-                BBS generator code in 'bbs_rand.c'
-
-sieve.c         Implements the Sieve of Eratosthenes, using a big
-                bitmap, to generate a list of prime numbers.
-
-fact.c          Computes the factorial of an arbitrary precision
-                integer (iterative).
-
-exptmod.c       Computes arbitrary precision modular exponentiation
-                from the command line (exptmod a b m -> a^b (mod m))
-
-Most of these can be built from the Makefile that comes with the
-library.  Try 'make tools', if your environment supports it.  (If you
-are compiling on a Macintosh, I'm afraid you'll have to build them by
-hand -- fortunately, this is not difficult -- the library itself
-should compile just fine under Metrowerks CodeWarrior).
-
-
-Testing the Library
--------------------
-
-Automatic test vectors are included, in the form of a program called
-'mpi-test'.  To build this program and run all the tests, simply
-invoke the shell script 'all-tests'.  If all the tests pass, you
-should see a message:
-
-        All tests passed
-
-If something went wrong, you'll get:
-
-        One or more tests failed.
-
-If this happens, scan back through the preceding lines, to see which
-test failed.  Any failure indicates a bug in the library, which needs
-to be fixed before it will give accurate results.  If you get any such
-thing, please let me know, and I'll try to fix it.  Please let me know
-what platform and compiler you were using, as well as which test
-failed.  If a reason for failure was given, please send me that text
-as well.
-
-If you're on a system such as the Macintosh, where the standard Unix
-build tools don't work, you can build the 'mpi-test' program manually,
-and run it by hand.  This is tedious and obnoxious, sorry.
-
-Further manual testing can be performed by building the manual testing
-programs, whose source is found in the 'tests' subdirectory.  Each
-test is in a source file called 'mptest-X.c'.  The Makefile contains a
-target to build all of them at once:
-
-        make tests
-
-Read the comments at the top of each source file to see what the
-driver is supposed to test.  You probably don't need to do this; these
-programs were only written to help me as I was developing the library.
-
-The relevant files are:
-
-mpi-test.c              The source for the test driver
-
-make-test-arrays        A Perl script to generate some of the internal
-                        data structures used by mpi-test.c
-
-test-arrays.txt         The source file for make-test-arrays
-
-all-tests               A Bourne shell script which runs all the
-                        tests in the mpi-test suite
-
-Running 'make mpi-test' should build the mpi-test program.  If you
-cannot use make, here is what needs to be done:
-
-(1) Use 'make-test-arrays' to generate the file 'test-info.c' from
-    the 'test-arrays.txt' file.  Since Perl can be found everywhere,
-    even on the Macintosh, this should be no trouble.  Under Unix, 
-    this looks like:
-
-        make-test-arrays test-arrays.txt > test-info.c
-
-(2) Build the MPI library:
-
-        gcc -ansi -pedantic -Wall -c mpi.c
-
-(3) Build the mpi-test program:
-
-        gcc -ansi -pedantic -Wall -o mpi-test mpi.o mpi-test.c
-
-When you've got mpi-test, you can use 'all-tests' to run all the tests
-made available by mpi-test.  If any of them fail, there should be a
-diagnostic indicating what went wrong.  These are fairly high-level
-diagnostics, and won't really help you debug the problem; they're
-simply intended to help you isolate which function caused the problem.
-If you encounter a problem of this sort, feel free to e-mail me, and I
-will certainly attempt to help you debug it.
-
-Note:   Several of the tests hard-wired into 'mpi-test' operate under
-----    the assumption that you are using at least a 16-bit mp_digit 
-        type.  If that is not true, several tests might fail, because 
-        of range problems with the maximum digit value.
-
-        If you are using an 8-bit digit, you will also need to 
-        modify the code for mp_read_raw(), which assumes that
-        multiplication by 256 can be done with mp_mul_d(), a
-        fact that fails when DIGIT_MAX is 255.  You can replace
-        the call with s_mp_lshd(), which will give you the same
-        effect, and without doing as much work. :)
-
-Acknowledgements:
-----------------
-
-The algorithms used in this library were drawn primarily from Volume
-2 of Donald Knuth's magnum opus, _The Art of Computer Programming_, 
-"Semi-Numerical Methods".  Barrett's algorithm for modular reduction
-came from Menezes, Oorschot, and Vanstone's _Handbook of Applied
-Cryptography_, Chapter 14.
-
-Thanks are due to Tom St. Denis, for finding an obnoxious sign-related
-bug in mp_read_raw() that made things break on platforms which use
-signed chars.
-
-About the Author
-----------------
-
-This software was written by Michael J. Fromberger.  You can contact
-the author as follows:
-
-E-mail:   <sting@linguist.dartmouth.edu>
-
-Postal:   8000 Cummings Hall, Thayer School of Engineering
-          Dartmouth College, Hanover, New Hampshire, USA
-
-PGP key:  http://linguist.dartmouth.edu/~sting/keys/mjf.html
-          9736 188B 5AFA 23D6 D6AA  BE0D 5856 4525 289D 9907
-
-Last updated:  16-Jan-2000
diff --git a/security/nss/lib/freebl/mpi/all-tests b/security/nss/lib/freebl/mpi/all-tests
deleted file mode 100755
index 5177e0a80..000000000
--- a/security/nss/lib/freebl/mpi/all-tests
+++ /dev/null
@@ -1,115 +0,0 @@
-#!/bin/sh
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
-#
-# The Initial Developer of the Original Code is
-# Michael J. Fromberger <sting@linguist.dartmouth.edu>.
-# Portions created by the Initial Developer are Copyright (C) 1997
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-ECHO=/bin/echo
-MAKE=gmake
-
-$ECHO "\n** Running unit tests for MPI library\n"
-
-# Build the mpi-test program, which comprises all the unit tests for
-# the MPI library...
-
-$ECHO "Bringing mpi-test up to date ... "
-if $MAKE mpi-test ; then
-  :
-else
-  $ECHO " "
-  $ECHO "Make failed to build mpi-test."
-  $ECHO " "
-  exit 1
-fi
-
-if [ ! -x mpi-test ] ; then
-  $ECHO " "
-  $ECHO "Cannot find 'mpi-test' program, testing cannot continue."
-  $ECHO " "
-  exit 1
-fi
-
-# Get the list of available test suites...
-tests=`mpi-test list | awk '{print $1}'`
-errs=0
-
-# Run each test suite and check the result code of mpi-test
-for test in $tests ; do
-  $ECHO "$test ... \c"
-  if mpi-test $test ; then
-    $ECHO "passed"
-  else
-    $ECHO "FAILED"
-    errs=1
-  fi
-done
-
-# If any tests failed, we'll stop at this point
-if [ "$errs" = "0" ] ; then
-  $ECHO "All unit tests passed"
-else
-  $ECHO "One or more tests failed"
-  exit 1
-fi
-
-# Now try to build the 'pi' program, and see if it can compute the
-# first thousand digits of pi correctly
-$ECHO "\n** Running other tests\n"
-
-$ECHO "Bringing 'pi' up to date ... "
-if $MAKE pi ; then
-    :
-else
-    $ECHO "\nMake failed to build pi.\n"
-    exit 1
-fi
-
-if [ ! -x pi ] ; then
-    $ECHO "\nCannot find 'pi' program; testing cannot continue.\n"
-    exit 1
-fi
-
-./pi 2000 > /tmp/pi.tmp.$$
-if cmp tests/pi2k.txt /tmp/pi.tmp.$$ ; then
-    $ECHO "Okay!  The pi test passes."
-else
-    $ECHO "Oops!  The pi test failed. :("
-    exit 1
-fi
-
-rm -f /tmp/pi.tmp.$$
-
-exit 0
-
-# Here there be dragons
diff --git a/security/nss/lib/freebl/mpi/doc/LICENSE b/security/nss/lib/freebl/mpi/doc/LICENSE
deleted file mode 100644
index 35cca68ce..000000000
--- a/security/nss/lib/freebl/mpi/doc/LICENSE
+++ /dev/null
@@ -1,11 +0,0 @@
-Within this directory, each of the file listed below is licensed under 
-the terms given in the file LICENSE-MPL, also in this directory.
-
-basecvt.pod
-gcd.pod
-invmod.pod
-isprime.pod
-lap.pod
-mpi-test.pod
-prime.txt
-prng.pod
diff --git a/security/nss/lib/freebl/mpi/doc/LICENSE-MPL b/security/nss/lib/freebl/mpi/doc/LICENSE-MPL
deleted file mode 100644
index 9ff410e4b..000000000
--- a/security/nss/lib/freebl/mpi/doc/LICENSE-MPL
+++ /dev/null
@@ -1,32 +0,0 @@
-The contents of this file are subject to the Mozilla Public
-License Version 1.1 (the "License"); you may not use this file
-except in compliance with the License. You may obtain a copy of
-the License at http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS
-IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-implied. See the License for the specific language governing
-rights and limitations under the License.
-
-The Original Code is the Netscape security libraries.
-
-The Initial Developer of the Original Code is Netscape
-Communications Corporation.  Portions created by Netscape are 
-Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the
-terms of the GNU General Public License Version 2 or later (the
-"GPL"), in which case the provisions of the GPL are applicable 
-instead of those above.  If you wish to allow use of your 
-version of this file only under the terms of the GPL and not to
-allow others to use your version of this file under the MPL,
-indicate your decision by deleting the provisions above and
-replace them with the notice and other provisions required by
-the GPL.  If you do not delete the provisions above, a recipient
-may use your version of this file under either the MPL or the
-GPL.
-
-
diff --git a/security/nss/lib/freebl/mpi/doc/basecvt.pod b/security/nss/lib/freebl/mpi/doc/basecvt.pod
deleted file mode 100644
index 5c072ccd6..000000000
--- a/security/nss/lib/freebl/mpi/doc/basecvt.pod
+++ /dev/null
@@ -1,63 +0,0 @@
-=head1 NAME
-
- basecvt - radix conversion for arbitrary precision integers
-
-=head1 SYNOPSIS
-
- basecvt <ibase> <obase> [values]
-
-=head1 DESCRIPTION
-
-The B<basecvt> program is a command-line tool for converting integers
-of arbitrary precision from one radix to another.  The current version
-supports radix values from 2 (binary) to 64, inclusive.  The first two
-command line arguments specify the input and output radix, in base 10.
-Any further arguments are taken to be integers notated in the input
-radix, and these are converted to the output radix.  The output is
-written, one integer per line, to standard output.
-
-When reading integers, only digits considered "valid" for the input
-radix are considered.  Processing of an integer terminates when an
-invalid input digit is encountered.  So, for example, if you set the
-input radix to 10 and enter '10ACF', B<basecvt> would assume that you
-had entered '10' and ignore the rest of the string.
-
-If no values are provided, no output is written, but the program
-simply terminates with a zero exit status.  Error diagnostics are
-written to standard error in the event of out-of-range radix
-specifications.  Regardless of the actual values of the input and
-output radix, the radix arguments are taken to be in base 10 (decimal)
-notation.
-
-=head1 DIGITS
-
-For radices from 2-10, standard ASCII decimal digits 0-9 are used for
-both input and output.  For radices from 11-36, the ASCII letters A-Z
-are also included, following the convention used in hexadecimal.  In
-this range, input is accepted in either upper or lower case, although
-on output only lower-case letters are used.
-
-For radices from 37-62, the output includes both upper- and lower-case
-ASCII letters, and case matters.  In this range, case is distinguished
-both for input and for output values.
-
-For radices 63 and 64, the characters '+' (plus) and '/' (forward
-solidus) are also used.  These are derived from the MIME base64
-encoding scheme.  The overall encoding is not the same as base64,
-because the ASCII digits are used for the bottom of the range, and the
-letters are shifted upward; however, the output will consist of the
-same character set.
-
-This input and output behaviour is inherited from the MPI library used
-by B<basecvt>, and so is not configurable at runtime.
-
-=head1 SEE ALSO
-
- dec2hex(1), hex2dec(1)
-
-=head1 AUTHOR
-
- Michael J. Fromberger <sting@linguist.dartmouth.edu>
- Thayer School of Engineering, Hanover, New Hampshire, USA
-
- $Date$
diff --git a/security/nss/lib/freebl/mpi/doc/build b/security/nss/lib/freebl/mpi/doc/build
deleted file mode 100755
index 64a2e6ac9..000000000
--- a/security/nss/lib/freebl/mpi/doc/build
+++ /dev/null
@@ -1,66 +0,0 @@
-#!/bin/sh
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
-#
-# The Initial Developer of the Original Code is
-# Michael J. Fromberger <sting@linguist.dartmouth.edu>.
-# Portions created by the Initial Developer are Copyright (C) 1998
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#   Netscape Communications Corporation
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-# $Id$
-#
-
-VERS="1.7p6"
-SECT="1"
-NAME="MPI Tools"
-
-echo "Building manual pages ..."
-case $# in
-  0)
-    files=`ls *.pod`
-    ;;
-  *)
-    files=$*
-    ;;
-esac
-
-for name in $files
-do
-   echo -n "$name ... "
-#  sname=`noext $name`
-   sname=`basename $name .pod`
-   pod2man --section="$SECT" --center="$NAME" --release="$VERS" $name > $sname.$SECT
-   echo "(done)"
-done
-
-echo "Finished building."
-
diff --git a/security/nss/lib/freebl/mpi/doc/div.txt b/security/nss/lib/freebl/mpi/doc/div.txt
deleted file mode 100644
index aaf4e14b8..000000000
--- a/security/nss/lib/freebl/mpi/doc/div.txt
+++ /dev/null
@@ -1,101 +0,0 @@
-Division
-
-This describes the division algorithm used by the MPI library.
-
-Input:    a, b; a > b
-Compute:  Q, R; a = Qb + R
-
-The input numbers are normalized so that the high-order digit of b is
-at least half the radix.  This guarantees that we have a reasonable
-way to guess at the digits of the quotient (this method was taken from
-Knuth, vol. 2, with adaptations).
-
-To normalize, test the high-order digit of b.  If it is less than half
-the radix, multiply both a and b by d, where:
-
-             radix - 1
-	d = -----------
-              bmax + 1
-
-...where bmax is the high-order digit of b.  Otherwise, set d = 1.
-
-Given normalize values for a and b, let the notation a[n] denote the
-nth digit of a.  Let #a be the number of significant figures of a (not
-including any leading zeroes).
-
-	Let R = 0
-	Let p = #a - 1
-
-	while(p >= 0)
-	  do
-	    R = (R * radix) + a[p]
-	    p = p - 1
-	  while(R < b and p >= 0)
-
-	  if(R < b)
-	    break
-
-	  q = (R[#R - 1] * radix) + R[#R - 2]
-	  q = q / b[#b - 1]
-
-	  T = b * q
-
-	  while(T > L)
-	    q = q - 1
-	    T = T - b
-	  endwhile
-
-	  L = L - T
-
-	  Q = (Q * radix) + q
-
-	endwhile
-
-At this point, Q is the quotient, and R is the normalized remainder.
-To denormalize R, compute:
-
-	R = (R / d)
-
-At this point, you are finished.
-
-------------------------------------------------------------------
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this file are subject to the Mozilla Public License Version 
-1.1 (the "License"); you may not use this file except in compliance with 
-the License. You may obtain a copy of the License at 
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the MPI Arbitrary Precision Integer Arithmetic
-library.
-
-The Initial Developer of the Original Code is
-Michael J. Fromberger <sting@linguist.dartmouth.edu>
-Portions created by the Initial Developer are Copyright (C) 1998, 2000
-the Initial Developer. All Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
-
-$Id$
-
-
diff --git a/security/nss/lib/freebl/mpi/doc/expt.txt b/security/nss/lib/freebl/mpi/doc/expt.txt
deleted file mode 100644
index cea9dcc58..000000000
--- a/security/nss/lib/freebl/mpi/doc/expt.txt
+++ /dev/null
@@ -1,132 +0,0 @@
-Exponentiation
-
-For exponentiation, the MPI library uses a simple and fairly standard
-square-and-multiply method.  The algorithm is this:
-
-Input:	a, b
-Output: a ** b
-
-	s = 1
-
-	while(b != 0)
-	  if(b is odd)
-	    s = s * a
-	  endif
-
-	  b = b / 2
-
-	  x = x * x
-	endwhile
-
-	return s
-
-The modular exponentiation is done the same way, except replacing:
-
-	s = s * a
-
-with
-	s = (s * a) mod m
-
-and replacing
-
-	x = x * x
-
-with
-
-	x = (x * x) mod m
-
-Here is a sample exponentiation using the MPI library, as compared to
-the same problem solved by the Unix 'bc' program on my system:
-
-Computation of 2,381,283 ** 235
-
-'bc' says:
-
-4385CA4A804D199FBEAD95FAD0796FAD0D0B51FC9C16743C45568C789666985DB719\
-4D90E393522F74C9601262C0514145A49F3B53D00983F95FDFCEA3D0043ECEF6227E\
-6FB59C924C3EE74447B359B5BF12A555D46CB819809EF423F004B55C587D6F0E8A55\
-4988036A42ACEF9F71459F97CEF6E574BD7373657111648626B1FF8EE15F663B2C0E\
-6BBE5082D4CDE8E14F263635AE8F35DB2C280819517BE388B5573B84C5A19C871685\
-FD408A6471F9D6AFAF5129A7548EAE926B40874B340285F44765BF5468CE20A13267\
-CD88CE6BC786ACED36EC7EA50F67FF27622575319068A332C3C0CB23E26FB55E26F4\
-5F732753A52B8E2FB4D4F42D894242613CA912A25486C3DEC9C66E5DB6182F6C1761\
-CF8CD0D255BE64B93836B27D452AE38F950EB98B517D4CF50D48F0165EF0CCCE1F5C\
-49BF18219FDBA0EEDD1A7E8B187B70C2BAED5EC5C6821EF27FAFB1CFF70111C52235\
-5E948B93A015AA1AE152B110BB5658CB14D3E45A48BFE7F082C1182672A455A695CD\
-A1855E8781E625F25B41B516E77F589FA420C3B058861EA138CF7A2C58DB3C7504FD\
-D29554D78237834CC5AE710D403CC4F6973D5012B7E117A8976B14A0B5AFA889BD47\
-92C461F0F96116F00A97AE9E83DC5203680CAF9A18A062566C145650AB86BE4F907F\
-A9F7AB4A700B29E1E5BACCD6DCBFA513E10832815F710807EED2E279081FEC61D619\
-AB270BEB3D3A1787B35A9DD41A8766CF21F3B5C693B3BAB1C2FA14A4ED202BC35743\
-E5CBE2391624D4F8C9BFBBC78D69764E7C6C5B11BF005677BFAD17D9278FFC1F158F\
-1B3683FF7960FA0608103792C4163DC0AF3E06287BB8624F8FE3A0FFBDF82ACECA2F\
-CFFF2E1AC93F3CA264A1B
-
-MPI says:
-
-4385CA4A804D199FBEAD95FAD0796FAD0D0B51FC9C16743C45568C789666985DB719\
-4D90E393522F74C9601262C0514145A49F3B53D00983F95FDFCEA3D0043ECEF6227E\
-6FB59C924C3EE74447B359B5BF12A555D46CB819809EF423F004B55C587D6F0E8A55\
-4988036A42ACEF9F71459F97CEF6E574BD7373657111648626B1FF8EE15F663B2C0E\
-6BBE5082D4CDE8E14F263635AE8F35DB2C280819517BE388B5573B84C5A19C871685\
-FD408A6471F9D6AFAF5129A7548EAE926B40874B340285F44765BF5468CE20A13267\
-CD88CE6BC786ACED36EC7EA50F67FF27622575319068A332C3C0CB23E26FB55E26F4\
-5F732753A52B8E2FB4D4F42D894242613CA912A25486C3DEC9C66E5DB6182F6C1761\
-CF8CD0D255BE64B93836B27D452AE38F950EB98B517D4CF50D48F0165EF0CCCE1F5C\
-49BF18219FDBA0EEDD1A7E8B187B70C2BAED5EC5C6821EF27FAFB1CFF70111C52235\
-5E948B93A015AA1AE152B110BB5658CB14D3E45A48BFE7F082C1182672A455A695CD\
-A1855E8781E625F25B41B516E77F589FA420C3B058861EA138CF7A2C58DB3C7504FD\
-D29554D78237834CC5AE710D403CC4F6973D5012B7E117A8976B14A0B5AFA889BD47\
-92C461F0F96116F00A97AE9E83DC5203680CAF9A18A062566C145650AB86BE4F907F\
-A9F7AB4A700B29E1E5BACCD6DCBFA513E10832815F710807EED2E279081FEC61D619\
-AB270BEB3D3A1787B35A9DD41A8766CF21F3B5C693B3BAB1C2FA14A4ED202BC35743\
-E5CBE2391624D4F8C9BFBBC78D69764E7C6C5B11BF005677BFAD17D9278FFC1F158F\
-1B3683FF7960FA0608103792C4163DC0AF3E06287BB8624F8FE3A0FFBDF82ACECA2F\
-CFFF2E1AC93F3CA264A1B
-
-Diff says:
-% diff bc.txt mp.txt
-%
-
-------------------------------------------------------------------
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this file are subject to the Mozilla Public License Version 
-1.1 (the "License"); you may not use this file except in compliance with 
-the License. You may obtain a copy of the License at 
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the MPI Arbitrary Precision Integer Arithmetic
-library.
-
-The Initial Developer of the Original Code is
-Michael J. Fromberger <sting@linguist.dartmouth.edu>
-Portions created by the Initial Developer are Copyright (C) 1998, 2000
-the Initial Developer. All Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
-
-$Id$
-
-
-
diff --git a/security/nss/lib/freebl/mpi/doc/gcd.pod b/security/nss/lib/freebl/mpi/doc/gcd.pod
deleted file mode 100644
index 53b955f7e..000000000
--- a/security/nss/lib/freebl/mpi/doc/gcd.pod
+++ /dev/null
@@ -1,27 +0,0 @@
-=head1 NAME
-
- gcd - compute greatest common divisor of two integers
-
-=head1 SYNOPSIS
-
- gcd <a> <b>
-
-=head1 DESCRIPTION
-
-The B<gcd> program computes the greatest common divisor of two
-arbitrary-precision integers I<a> and I<b>.  The result is written in
-standard decimal notation to the standard output.
-
-If I<b> is zero, B<gcd> will print an error message and exit.
-
-=head1 SEE ALSO
-
-invmod(1), isprime(1), lap(1)
-
-=head1 AUTHOR
-
- Michael J. Fromberger <sting@linguist.dartmouth.edu>
- Thayer School of Engineering, Hanover, New Hampshire, USA
- 
- $Date$
-
diff --git a/security/nss/lib/freebl/mpi/doc/invmod.pod b/security/nss/lib/freebl/mpi/doc/invmod.pod
deleted file mode 100644
index faa8f9d0c..000000000
--- a/security/nss/lib/freebl/mpi/doc/invmod.pod
+++ /dev/null
@@ -1,33 +0,0 @@
-=head1 NAME
-
- invmod - compute modular inverse of an integer
-
-=head1 SYNOPSIS
-
- invmod <a> <m>
-
-=head1 DESCRIPTION
-
-The B<invmod> program computes the inverse of I<a>, modulo I<m>, if
-that inverse exists.  Both I<a> and I<m> are arbitrary-precision
-integers in decimal notation.  The result is written in standard
-decimal notation to the standard output.
-
-If there is no inverse, the message:
-
- No inverse
-
-...will be printed to the standard output (an inverse exists if and
-only if the greatest common divisor of I<a> and I<m> is 1).
-
-=head1 SEE ALSO
-
-gcd(1), isprime(1), lap(1)
-
-=head1 AUTHOR
-
- Michael J. Fromberger <sting@linguist.dartmouth.edu>
- Thayer School of Engineering, Hanover, New Hampshire, USA
- 
- $Date$
-
diff --git a/security/nss/lib/freebl/mpi/doc/isprime.pod b/security/nss/lib/freebl/mpi/doc/isprime.pod
deleted file mode 100644
index a17c1c1bd..000000000
--- a/security/nss/lib/freebl/mpi/doc/isprime.pod
+++ /dev/null
@@ -1,62 +0,0 @@
-=head1 NAME
-
- isprime - probabilistic primality testing
-
-=head1 SYNOPSIS
-
- isprime <a>
-
-=head1 DESCRIPTION
-
-The B<isprime> program attempts to determine whether the arbitrary
-precision integer I<a> is prime.  It first tests I<a> for divisibility
-by the first 170 or so small primes, and assuming I<a> is not
-divisible by any of these, applies 15 iterations of the Rabin-Miller
-probabilistic primality test.
-
-If the program discovers that the number is composite, it will print:
-
- Not prime (reason)
-
-Where I<reason> is either:
-
-	divisible by small prime x
-
-Or:
-
-	failed nth pseudoprime test
-
-In the first case, I<x> indicates the first small prime factor that
-was found.  In the second case, I<n> indicates which of the
-pseudoprime tests failed (numbered from 1)
-
-If this happens, the number is definitely not prime.  However, if the
-number succeeds, this message results:
-
- Probably prime, 1 in 4^15 chance of false positive
-
-If this happens, the number is prime with very high probability, but
-its primality has not been absolutely proven, only demonstrated to a
-very convincing degree.
-
-The value I<a> can be input in standard decimal notation, or, if it is
-prefixed with I<Ox>, it will be read as hexadecimal.
-
-=head1 ENVIRONMENT
-
-You can control how many iterations of Rabin-Miller are performed on
-the candidate number by setting the I<RM_TESTS> environment variable
-to an integer value before starting up B<isprime>.  This will change
-the output slightly if the number passes all the tests.
-
-=head1 SEE ALSO
-
-gcd(1), invmod(1), lap(1)
-
-=head1 AUTHOR
-
- Michael J. Fromberger <sting@linguist.dartmouth.edu>
- Thayer School of Engineering, Hanover, New Hampshire, USA
- 
- $Date$
-
diff --git a/security/nss/lib/freebl/mpi/doc/lap.pod b/security/nss/lib/freebl/mpi/doc/lap.pod
deleted file mode 100644
index ac100639b..000000000
--- a/security/nss/lib/freebl/mpi/doc/lap.pod
+++ /dev/null
@@ -1,35 +0,0 @@
-=head1 NAME
-
- lap - compute least annihilating power of a number
-
-=head1 SYNOPSIS
-
- lap <a> <m>
-
-=head1 DESCRIPTION
-
-The B<lap> program computes the order of I<a> modulo I<m>, for
-arbitrary precision integers I<a> and I<m>.  The B<order> of I<a>
-modulo I<m> is defined as the smallest positive value I<n> for which
-I<a> raised to the I<n>th power, modulo I<m>, is equal to 1.  The
-order may not exist, if I<m> is composite.
-
-=head1 RESTRICTIONS
-
-This program is very slow, especially for large moduli.  It is
-intended as a way to help find primitive elements in a modular field,
-but it does not do so in a particularly inefficient manner.  It was
-written simply to help verify that a particular candidate does not
-have an obviously short cycle mod I<m>.
-
-=head1 SEE ALSO
-
-gcd(1), invmod(1), isprime(1)
-
-=head1 AUTHOR
-
- Michael J. Fromberger <sting@linguist.dartmouth.edu>
- Thayer School of Engineering, Hanover, New Hampshire, USA
- 
- $Date$
-
diff --git a/security/nss/lib/freebl/mpi/doc/mpi-test.pod b/security/nss/lib/freebl/mpi/doc/mpi-test.pod
deleted file mode 100644
index 16050f09f..000000000
--- a/security/nss/lib/freebl/mpi/doc/mpi-test.pod
+++ /dev/null
@@ -1,49 +0,0 @@
-=head1 NAME
-
- mpi-test - automated test program for MPI library
-
-=head1 SYNOPSIS
-
- mpi-test <suite-name> [quiet]
- mpi-test list
- mpi-test help
-
-=head1 DESCRIPTION
-
-The B<mpi-test> program is a general unit test driver for the MPI
-library.  It is used to verify that the library works as it is
-supposed to on your architecture.  As with most such things, passing
-all the tests in B<mpi-test> does not guarantee the code is correct,
-but if any of them fail, there are certainly problems.
-
-Each major function of the library can be tested individually.  For a
-list of the test suites understood by B<mpi-test>, run it with the
-I<list> command line option:
-
- mpi-test list
-
-This will display a list of the available test suites and a brief
-synopsis of what each one does.  For a brief overview of this
-document, run B<mpi-test> I<help>.
-
-B<mpi-test> exits with a zero status if the selected test succeeds, or
-a nonzero status if it fails.  If a I<suite-name> which is not
-understood by B<mpi-test> is given, a diagnostic is printed to the
-standard error, and the program exits with a result code of 2.  If a
-test fails, the result code will be 1, and a diagnostic is ordinarily
-printed to the standard error.  However, if the I<quiet> option is
-provided, these diagnostics will be suppressed.
-
-=head1 RESTRICTIONS
-
-Only a few canned test cases are provided.  The solutions have been
-verified using the GNU bc(1) program, so bugs there may cause problems
-here; however, this is very unlikely, so if a test fails, it is almost
-certainly my fault, not bc(1)'s.
-
-=head1 AUTHOR
-
- Michael J. Fromberger <sting@linguist.dartmouth.edu>
- Thayer School of Engineering, Hanover, New Hampshire, USA
- 
- $Date$
diff --git a/security/nss/lib/freebl/mpi/doc/mul.txt b/security/nss/lib/freebl/mpi/doc/mul.txt
deleted file mode 100644
index 01464f251..000000000
--- a/security/nss/lib/freebl/mpi/doc/mul.txt
+++ /dev/null
@@ -1,114 +0,0 @@
-Multiplication
-
-This describes the multiplication algorithm used by the MPI library.
-
-This is basically a standard "schoolbook" algorithm.  It is slow --
-O(mn) for m = #a, n = #b -- but easy to implement and verify.
-Basically, we run two nested loops, as illustrated here (R is the
-radix):
-
-k = 0
-for j <- 0 to (#b - 1)
-  for i <- 0 to (#a - 1)
-    w = (a[j] * b[i]) + k + c[i+j]
-    c[i+j] = w mod R
-    k = w div R
-  endfor
-  c[i+j] = k;
-  k = 0;
-endfor
-
-It is necessary that 'w' have room for at least two radix R digits.
-The product of any two digits in radix R is at most:
-
-	(R - 1)(R - 1) = R^2 - 2R + 1
-
-Since a two-digit radix-R number can hold R^2 - 1 distinct values,
-this insures that the product will fit into the two-digit register.
-
-To insure that two digits is enough for w, we must also show that
-there is room for the carry-in from the previous multiplication, and
-the current value of the product digit that is being recomputed.
-Assuming each of these may be as big as R - 1 (and no larger,
-certainly), two digits will be enough if and only if:
-
-	(R^2 - 2R + 1) + 2(R - 1) <= R^2 - 1
-
-Solving this equation shows that, indeed, this is the case:
-
-	R^2 - 2R + 1 + 2R - 2 <= R^2 - 1
-
-	R^2 - 1 <= R^2 - 1
-
-This suggests that a good radix would be one more than the largest
-value that can be held in half a machine word -- so, for example, as
-in this implementation, where we used a radix of 65536 on a machine
-with 4-byte words.  Another advantage of a radix of this sort is that
-binary-level operations are easy on numbers in this representation.
-
-Here's an example multiplication worked out longhand in radix-10,
-using the above algorithm:
-
-   a =     999
-   b =   x 999
-  -------------
-   p =   98001
-
-w = (a[jx] * b[ix]) + kin + c[ix + jx]
-c[ix+jx] = w % RADIX
-k = w / RADIX
-                                                               product
-ix	jx	a[jx]	b[ix]	kin	w	c[i+j]	kout	000000
-0	0	9	9	0	81+0+0	1	8	000001
-0	1	9	9	8	81+8+0	9	8	000091
-0	2	9	9	8	81+8+0	9	8	000991
-				8			0	008991
-1	0	9	9	0	81+0+9	0	9	008901
-1	1	9	9	9	81+9+9	9	9	008901
-1	2	9	9	9	81+9+8	8	9	008901
-				9			0	098901
-2	0	9	9	0	81+0+9	0	9	098001
-2	1	9	9	9	81+9+8	8	9	098001
-2	2	9	9	9	81+9+9	9	9	098001
-
-------------------------------------------------------------------
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this file are subject to the Mozilla Public License Version 
-1.1 (the "License"); you may not use this file except in compliance with 
-the License. You may obtain a copy of the License at 
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the MPI Arbitrary Precision Integer Arithmetic
-library.
-
-The Initial Developer of the Original Code is
-Michael J. Fromberger <sting@linguist.dartmouth.edu>
-Portions created by the Initial Developer are Copyright (C) 1998, 2000
-the Initial Developer. All Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
-
-$Id$
-
-
diff --git a/security/nss/lib/freebl/mpi/doc/pi.txt b/security/nss/lib/freebl/mpi/doc/pi.txt
deleted file mode 100644
index 01c82abe9..000000000
--- a/security/nss/lib/freebl/mpi/doc/pi.txt
+++ /dev/null
@@ -1,90 +0,0 @@
-This file describes how pi is computed by the program in 'pi.c' (see
-the utils subdirectory).
-
-Basically, we use Machin's formula, which is what everyone in the
-world uses as a simple method for computing approximations to pi.
-This works for up to a few thousand digits without too much effort.
-Beyond that, though, it gets too slow.
-
-Machin's formula states:
-
-	 pi := 16 * arctan(1/5) - 4 * arctan(1/239)
-
-We compute this in integer arithmetic by first multiplying everything
-through by 10^d, where 'd' is the number of digits of pi we wanted to
-compute.  It turns out, the last few digits will be wrong, but the
-number that are wrong is usually very small (ordinarly only 2-3).
-Having done this, we compute the arctan() function using the formula:
-
-                       1      1       1       1       1     
-       arctan(1/x) := --- - ----- + ----- - ----- + ----- - ...
-                       x    3 x^3   5 x^5   7 x^7   9 x^9
-
-This is done iteratively by computing the first term manually, and
-then iteratively dividing x^2 and k, where k = 3, 5, 7, ... out of the
-current figure.  This is then added to (or subtracted from) a running
-sum, as appropriate.  The iteration continues until we overflow our
-available precision and the current figure goes to zero under integer
-division.  At that point, we're finished.
-
-Actually, we get a couple extra bits of precision out of the fact that
-we know we're computing y * arctan(1/x), by setting up the multiplier
-as:
-
-      y * 10^d
-
-... instead of just 10^d.  There is also a bit of cleverness in how
-the loop is constructed, to avoid special-casing the first term.
-Check out the code for arctan() in 'pi.c', if you are interested in
-seeing how it is set up.
-
-Thanks to Jason P. for this algorithm, which I assembled from notes
-and programs found on his cool "Pile of Pi Programs" page, at:
-
-      http://www.isr.umd.edu/~jasonp/pipage.html
-
-Thanks also to Henrik Johansson <Henrik.Johansson@Nexus.Comm.SE>, from
-whose pi program I borrowed the clever idea of pre-multiplying by x in
-order to avoid a special case on the loop iteration.
-
-------------------------------------------------------------------
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this file are subject to the Mozilla Public License Version 
-1.1 (the "License"); you may not use this file except in compliance with 
-the License. You may obtain a copy of the License at 
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the MPI Arbitrary Precision Integer Arithmetic
-library.
-
-The Initial Developer of the Original Code is
-Michael J. Fromberger <sting@linguist.dartmouth.edu>
-Portions created by the Initial Developer are Copyright (C) 1998, 2000
-the Initial Developer. All Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
-
-$Id$
-
-
diff --git a/security/nss/lib/freebl/mpi/doc/prime.txt b/security/nss/lib/freebl/mpi/doc/prime.txt
deleted file mode 100644
index 694797d5f..000000000
--- a/security/nss/lib/freebl/mpi/doc/prime.txt
+++ /dev/null
@@ -1,6542 +0,0 @@
-2
-3
-5
-7
-11
-13
-17
-19
-23
-29
-31
-37
-41
-43
-47
-53
-59
-61
-67
-71
-73
-79
-83
-89
-97
-101
-103
-107
-109
-113
-127
-131
-137
-139
-149
-151
-157
-163
-167
-173
-179
-181
-191
-193
-197
-199
-211
-223
-227
-229
-233
-239
-241
-251
-257
-263
-269
-271
-277
-281
-283
-293
-307
-311
-313
-317
-331
-337
-347
-349
-353
-359
-367
-373
-379
-383
-389
-397
-401
-409
-419
-421
-431
-433
-439
-443
-449
-457
-461
-463
-467
-479
-487
-491
-499
-503
-509
-521
-523
-541
-547
-557
-563
-569
-571
-577
-587
-593
-599
-601
-607
-613
-617
-619
-631
-641
-643
-647
-653
-659
-661
-673
-677
-683
-691
-701
-709
-719
-727
-733
-739
-743
-751
-757
-761
-769
-773
-787
-797
-809
-811
-821
-823
-827
-829
-839
-853
-857
-859
-863
-877
-881
-883
-887
-907
-911
-919
-929
-937
-941
-947
-953
-967
-971
-977
-983
-991
-997
-1009
-1013
-1019
-1021
-1031
-1033
-1039
-1049
-1051
-1061
-1063
-1069
-1087
-1091
-1093
-1097
-1103
-1109
-1117
-1123
-1129
-1151
-1153
-1163
-1171
-1181
-1187
-1193
-1201
-1213
-1217
-1223
-1229
-1231
-1237
-1249
-1259
-1277
-1279
-1283
-1289
-1291
-1297
-1301
-1303
-1307
-1319
-1321
-1327
-1361
-1367
-1373
-1381
-1399
-1409
-1423
-1427
-1429
-1433
-1439
-1447
-1451
-1453
-1459
-1471
-1481
-1483
-1487
-1489
-1493
-1499
-1511
-1523
-1531
-1543
-1549
-1553
-1559
-1567
-1571
-1579
-1583
-1597
-1601
-1607
-1609
-1613
-1619
-1621
-1627
-1637
-1657
-1663
-1667
-1669
-1693
-1697
-1699
-1709
-1721
-1723
-1733
-1741
-1747
-1753
-1759
-1777
-1783
-1787
-1789
-1801
-1811
-1823
-1831
-1847
-1861
-1867
-1871
-1873
-1877
-1879
-1889
-1901
-1907
-1913
-1931
-1933
-1949
-1951
-1973
-1979
-1987
-1993
-1997
-1999
-2003
-2011
-2017
-2027
-2029
-2039
-2053
-2063
-2069
-2081
-2083
-2087
-2089
-2099
-2111
-2113
-2129
-2131
-2137
-2141
-2143
-2153
-2161
-2179
-2203
-2207
-2213
-2221
-2237
-2239
-2243
-2251
-2267
-2269
-2273
-2281
-2287
-2293
-2297
-2309
-2311
-2333
-2339
-2341
-2347
-2351
-2357
-2371
-2377
-2381
-2383
-2389
-2393
-2399
-2411
-2417
-2423
-2437
-2441
-2447
-2459
-2467
-2473
-2477
-2503
-2521
-2531
-2539
-2543
-2549
-2551
-2557
-2579
-2591
-2593
-2609
-2617
-2621
-2633
-2647
-2657
-2659
-2663
-2671
-2677
-2683
-2687
-2689
-2693
-2699
-2707
-2711
-2713
-2719
-2729
-2731
-2741
-2749
-2753
-2767
-2777
-2789
-2791
-2797
-2801
-2803
-2819
-2833
-2837
-2843
-2851
-2857
-2861
-2879
-2887
-2897
-2903
-2909
-2917
-2927
-2939
-2953
-2957
-2963
-2969
-2971
-2999
-3001
-3011
-3019
-3023
-3037
-3041
-3049
-3061
-3067
-3079
-3083
-3089
-3109
-3119
-3121
-3137
-3163
-3167
-3169
-3181
-3187
-3191
-3203
-3209
-3217
-3221
-3229
-3251
-3253
-3257
-3259
-3271
-3299
-3301
-3307
-3313
-3319
-3323
-3329
-3331
-3343
-3347
-3359
-3361
-3371
-3373
-3389
-3391
-3407
-3413
-3433
-3449
-3457
-3461
-3463
-3467
-3469
-3491
-3499
-3511
-3517
-3527
-3529
-3533
-3539
-3541
-3547
-3557
-3559
-3571
-3581
-3583
-3593
-3607
-3613
-3617
-3623
-3631
-3637
-3643
-3659
-3671
-3673
-3677
-3691
-3697
-3701
-3709
-3719
-3727
-3733
-3739
-3761
-3767
-3769
-3779
-3793
-3797
-3803
-3821
-3823
-3833
-3847
-3851
-3853
-3863
-3877
-3881
-3889
-3907
-3911
-3917
-3919
-3923
-3929
-3931
-3943
-3947
-3967
-3989
-4001
-4003
-4007
-4013
-4019
-4021
-4027
-4049
-4051
-4057
-4073
-4079
-4091
-4093
-4099
-4111
-4127
-4129
-4133
-4139
-4153
-4157
-4159
-4177
-4201
-4211
-4217
-4219
-4229
-4231
-4241
-4243
-4253
-4259
-4261
-4271
-4273
-4283
-4289
-4297
-4327
-4337
-4339
-4349
-4357
-4363
-4373
-4391
-4397
-4409
-4421
-4423
-4441
-4447
-4451
-4457
-4463
-4481
-4483
-4493
-4507
-4513
-4517
-4519
-4523
-4547
-4549
-4561
-4567
-4583
-4591
-4597
-4603
-4621
-4637
-4639
-4643
-4649
-4651
-4657
-4663
-4673
-4679
-4691
-4703
-4721
-4723
-4729
-4733
-4751
-4759
-4783
-4787
-4789
-4793
-4799
-4801
-4813
-4817
-4831
-4861
-4871
-4877
-4889
-4903
-4909
-4919
-4931
-4933
-4937
-4943
-4951
-4957
-4967
-4969
-4973
-4987
-4993
-4999
-5003
-5009
-5011
-5021
-5023
-5039
-5051
-5059
-5077
-5081
-5087
-5099
-5101
-5107
-5113
-5119
-5147
-5153
-5167
-5171
-5179
-5189
-5197
-5209
-5227
-5231
-5233
-5237
-5261
-5273
-5279
-5281
-5297
-5303
-5309
-5323
-5333
-5347
-5351
-5381
-5387
-5393
-5399
-5407
-5413
-5417
-5419
-5431
-5437
-5441
-5443
-5449
-5471
-5477
-5479
-5483
-5501
-5503
-5507
-5519
-5521
-5527
-5531
-5557
-5563
-5569
-5573
-5581
-5591
-5623
-5639
-5641
-5647
-5651
-5653
-5657
-5659
-5669
-5683
-5689
-5693
-5701
-5711
-5717
-5737
-5741
-5743
-5749
-5779
-5783
-5791
-5801
-5807
-5813
-5821
-5827
-5839
-5843
-5849
-5851
-5857
-5861
-5867
-5869
-5879
-5881
-5897
-5903
-5923
-5927
-5939
-5953
-5981
-5987
-6007
-6011
-6029
-6037
-6043
-6047
-6053
-6067
-6073
-6079
-6089
-6091
-6101
-6113
-6121
-6131
-6133
-6143
-6151
-6163
-6173
-6197
-6199
-6203
-6211
-6217
-6221
-6229
-6247
-6257
-6263
-6269
-6271
-6277
-6287
-6299
-6301
-6311
-6317
-6323
-6329
-6337
-6343
-6353
-6359
-6361
-6367
-6373
-6379
-6389
-6397
-6421
-6427
-6449
-6451
-6469
-6473
-6481
-6491
-6521
-6529
-6547
-6551
-6553
-6563
-6569
-6571
-6577
-6581
-6599
-6607
-6619
-6637
-6653
-6659
-6661
-6673
-6679
-6689
-6691
-6701
-6703
-6709
-6719
-6733
-6737
-6761
-6763
-6779
-6781
-6791
-6793
-6803
-6823
-6827
-6829
-6833
-6841
-6857
-6863
-6869
-6871
-6883
-6899
-6907
-6911
-6917
-6947
-6949
-6959
-6961
-6967
-6971
-6977
-6983
-6991
-6997
-7001
-7013
-7019
-7027
-7039
-7043
-7057
-7069
-7079
-7103
-7109
-7121
-7127
-7129
-7151
-7159
-7177
-7187
-7193
-7207
-7211
-7213
-7219
-7229
-7237
-7243
-7247
-7253
-7283
-7297
-7307
-7309
-7321
-7331
-7333
-7349
-7351
-7369
-7393
-7411
-7417
-7433
-7451
-7457
-7459
-7477
-7481
-7487
-7489
-7499
-7507
-7517
-7523
-7529
-7537
-7541
-7547
-7549
-7559
-7561
-7573
-7577
-7583
-7589
-7591
-7603
-7607
-7621
-7639
-7643
-7649
-7669
-7673
-7681
-7687
-7691
-7699
-7703
-7717
-7723
-7727
-7741
-7753
-7757
-7759
-7789
-7793
-7817
-7823
-7829
-7841
-7853
-7867
-7873
-7877
-7879
-7883
-7901
-7907
-7919
-7927
-7933
-7937
-7949
-7951
-7963
-7993
-8009
-8011
-8017
-8039
-8053
-8059
-8069
-8081
-8087
-8089
-8093
-8101
-8111
-8117
-8123
-8147
-8161
-8167
-8171
-8179
-8191
-8209
-8219
-8221
-8231
-8233
-8237
-8243
-8263
-8269
-8273
-8287
-8291
-8293
-8297
-8311
-8317
-8329
-8353
-8363
-8369
-8377
-8387
-8389
-8419
-8423
-8429
-8431
-8443
-8447
-8461
-8467
-8501
-8513
-8521
-8527
-8537
-8539
-8543
-8563
-8573
-8581
-8597
-8599
-8609
-8623
-8627
-8629
-8641
-8647
-8663
-8669
-8677
-8681
-8689
-8693
-8699
-8707
-8713
-8719
-8731
-8737
-8741
-8747
-8753
-8761
-8779
-8783
-8803
-8807
-8819
-8821
-8831
-8837
-8839
-8849
-8861
-8863
-8867
-8887
-8893
-8923
-8929
-8933
-8941
-8951
-8963
-8969
-8971
-8999
-9001
-9007
-9011
-9013
-9029
-9041
-9043
-9049
-9059
-9067
-9091
-9103
-9109
-9127
-9133
-9137
-9151
-9157
-9161
-9173
-9181
-9187
-9199
-9203
-9209
-9221
-9227
-9239
-9241
-9257
-9277
-9281
-9283
-9293
-9311
-9319
-9323
-9337
-9341
-9343
-9349
-9371
-9377
-9391
-9397
-9403
-9413
-9419
-9421
-9431
-9433
-9437
-9439
-9461
-9463
-9467
-9473
-9479
-9491
-9497
-9511
-9521
-9533
-9539
-9547
-9551
-9587
-9601
-9613
-9619
-9623
-9629
-9631
-9643
-9649
-9661
-9677
-9679
-9689
-9697
-9719
-9721
-9733
-9739
-9743
-9749
-9767
-9769
-9781
-9787
-9791
-9803
-9811
-9817
-9829
-9833
-9839
-9851
-9857
-9859
-9871
-9883
-9887
-9901
-9907
-9923
-9929
-9931
-9941
-9949
-9967
-9973
-10007
-10009
-10037
-10039
-10061
-10067
-10069
-10079
-10091
-10093
-10099
-10103
-10111
-10133
-10139
-10141
-10151
-10159
-10163
-10169
-10177
-10181
-10193
-10211
-10223
-10243
-10247
-10253
-10259
-10267
-10271
-10273
-10289
-10301
-10303
-10313
-10321
-10331
-10333
-10337
-10343
-10357
-10369
-10391
-10399
-10427
-10429
-10433
-10453
-10457
-10459
-10463
-10477
-10487
-10499
-10501
-10513
-10529
-10531
-10559
-10567
-10589
-10597
-10601
-10607
-10613
-10627
-10631
-10639
-10651
-10657
-10663
-10667
-10687
-10691
-10709
-10711
-10723
-10729
-10733
-10739
-10753
-10771
-10781
-10789
-10799
-10831
-10837
-10847
-10853
-10859
-10861
-10867
-10883
-10889
-10891
-10903
-10909
-10937
-10939
-10949
-10957
-10973
-10979
-10987
-10993
-11003
-11027
-11047
-11057
-11059
-11069
-11071
-11083
-11087
-11093
-11113
-11117
-11119
-11131
-11149
-11159
-11161
-11171
-11173
-11177
-11197
-11213
-11239
-11243
-11251
-11257
-11261
-11273
-11279
-11287
-11299
-11311
-11317
-11321
-11329
-11351
-11353
-11369
-11383
-11393
-11399
-11411
-11423
-11437
-11443
-11447
-11467
-11471
-11483
-11489
-11491
-11497
-11503
-11519
-11527
-11549
-11551
-11579
-11587
-11593
-11597
-11617
-11621
-11633
-11657
-11677
-11681
-11689
-11699
-11701
-11717
-11719
-11731
-11743
-11777
-11779
-11783
-11789
-11801
-11807
-11813
-11821
-11827
-11831
-11833
-11839
-11863
-11867
-11887
-11897
-11903
-11909
-11923
-11927
-11933
-11939
-11941
-11953
-11959
-11969
-11971
-11981
-11987
-12007
-12011
-12037
-12041
-12043
-12049
-12071
-12073
-12097
-12101
-12107
-12109
-12113
-12119
-12143
-12149
-12157
-12161
-12163
-12197
-12203
-12211
-12227
-12239
-12241
-12251
-12253
-12263
-12269
-12277
-12281
-12289
-12301
-12323
-12329
-12343
-12347
-12373
-12377
-12379
-12391
-12401
-12409
-12413
-12421
-12433
-12437
-12451
-12457
-12473
-12479
-12487
-12491
-12497
-12503
-12511
-12517
-12527
-12539
-12541
-12547
-12553
-12569
-12577
-12583
-12589
-12601
-12611
-12613
-12619
-12637
-12641
-12647
-12653
-12659
-12671
-12689
-12697
-12703
-12713
-12721
-12739
-12743
-12757
-12763
-12781
-12791
-12799
-12809
-12821
-12823
-12829
-12841
-12853
-12889
-12893
-12899
-12907
-12911
-12917
-12919
-12923
-12941
-12953
-12959
-12967
-12973
-12979
-12983
-13001
-13003
-13007
-13009
-13033
-13037
-13043
-13049
-13063
-13093
-13099
-13103
-13109
-13121
-13127
-13147
-13151
-13159
-13163
-13171
-13177
-13183
-13187
-13217
-13219
-13229
-13241
-13249
-13259
-13267
-13291
-13297
-13309
-13313
-13327
-13331
-13337
-13339
-13367
-13381
-13397
-13399
-13411
-13417
-13421
-13441
-13451
-13457
-13463
-13469
-13477
-13487
-13499
-13513
-13523
-13537
-13553
-13567
-13577
-13591
-13597
-13613
-13619
-13627
-13633
-13649
-13669
-13679
-13681
-13687
-13691
-13693
-13697
-13709
-13711
-13721
-13723
-13729
-13751
-13757
-13759
-13763
-13781
-13789
-13799
-13807
-13829
-13831
-13841
-13859
-13873
-13877
-13879
-13883
-13901
-13903
-13907
-13913
-13921
-13931
-13933
-13963
-13967
-13997
-13999
-14009
-14011
-14029
-14033
-14051
-14057
-14071
-14081
-14083
-14087
-14107
-14143
-14149
-14153
-14159
-14173
-14177
-14197
-14207
-14221
-14243
-14249
-14251
-14281
-14293
-14303
-14321
-14323
-14327
-14341
-14347
-14369
-14387
-14389
-14401
-14407
-14411
-14419
-14423
-14431
-14437
-14447
-14449
-14461
-14479
-14489
-14503
-14519
-14533
-14537
-14543
-14549
-14551
-14557
-14561
-14563
-14591
-14593
-14621
-14627
-14629
-14633
-14639
-14653
-14657
-14669
-14683
-14699
-14713
-14717
-14723
-14731
-14737
-14741
-14747
-14753
-14759
-14767
-14771
-14779
-14783
-14797
-14813
-14821
-14827
-14831
-14843
-14851
-14867
-14869
-14879
-14887
-14891
-14897
-14923
-14929
-14939
-14947
-14951
-14957
-14969
-14983
-15013
-15017
-15031
-15053
-15061
-15073
-15077
-15083
-15091
-15101
-15107
-15121
-15131
-15137
-15139
-15149
-15161
-15173
-15187
-15193
-15199
-15217
-15227
-15233
-15241
-15259
-15263
-15269
-15271
-15277
-15287
-15289
-15299
-15307
-15313
-15319
-15329
-15331
-15349
-15359
-15361
-15373
-15377
-15383
-15391
-15401
-15413
-15427
-15439
-15443
-15451
-15461
-15467
-15473
-15493
-15497
-15511
-15527
-15541
-15551
-15559
-15569
-15581
-15583
-15601
-15607
-15619
-15629
-15641
-15643
-15647
-15649
-15661
-15667
-15671
-15679
-15683
-15727
-15731
-15733
-15737
-15739
-15749
-15761
-15767
-15773
-15787
-15791
-15797
-15803
-15809
-15817
-15823
-15859
-15877
-15881
-15887
-15889
-15901
-15907
-15913
-15919
-15923
-15937
-15959
-15971
-15973
-15991
-16001
-16007
-16033
-16057
-16061
-16063
-16067
-16069
-16073
-16087
-16091
-16097
-16103
-16111
-16127
-16139
-16141
-16183
-16187
-16189
-16193
-16217
-16223
-16229
-16231
-16249
-16253
-16267
-16273
-16301
-16319
-16333
-16339
-16349
-16361
-16363
-16369
-16381
-16411
-16417
-16421
-16427
-16433
-16447
-16451
-16453
-16477
-16481
-16487
-16493
-16519
-16529
-16547
-16553
-16561
-16567
-16573
-16603
-16607
-16619
-16631
-16633
-16649
-16651
-16657
-16661
-16673
-16691
-16693
-16699
-16703
-16729
-16741
-16747
-16759
-16763
-16787
-16811
-16823
-16829
-16831
-16843
-16871
-16879
-16883
-16889
-16901
-16903
-16921
-16927
-16931
-16937
-16943
-16963
-16979
-16981
-16987
-16993
-17011
-17021
-17027
-17029
-17033
-17041
-17047
-17053
-17077
-17093
-17099
-17107
-17117
-17123
-17137
-17159
-17167
-17183
-17189
-17191
-17203
-17207
-17209
-17231
-17239
-17257
-17291
-17293
-17299
-17317
-17321
-17327
-17333
-17341
-17351
-17359
-17377
-17383
-17387
-17389
-17393
-17401
-17417
-17419
-17431
-17443
-17449
-17467
-17471
-17477
-17483
-17489
-17491
-17497
-17509
-17519
-17539
-17551
-17569
-17573
-17579
-17581
-17597
-17599
-17609
-17623
-17627
-17657
-17659
-17669
-17681
-17683
-17707
-17713
-17729
-17737
-17747
-17749
-17761
-17783
-17789
-17791
-17807
-17827
-17837
-17839
-17851
-17863
-17881
-17891
-17903
-17909
-17911
-17921
-17923
-17929
-17939
-17957
-17959
-17971
-17977
-17981
-17987
-17989
-18013
-18041
-18043
-18047
-18049
-18059
-18061
-18077
-18089
-18097
-18119
-18121
-18127
-18131
-18133
-18143
-18149
-18169
-18181
-18191
-18199
-18211
-18217
-18223
-18229
-18233
-18251
-18253
-18257
-18269
-18287
-18289
-18301
-18307
-18311
-18313
-18329
-18341
-18353
-18367
-18371
-18379
-18397
-18401
-18413
-18427
-18433
-18439
-18443
-18451
-18457
-18461
-18481
-18493
-18503
-18517
-18521
-18523
-18539
-18541
-18553
-18583
-18587
-18593
-18617
-18637
-18661
-18671
-18679
-18691
-18701
-18713
-18719
-18731
-18743
-18749
-18757
-18773
-18787
-18793
-18797
-18803
-18839
-18859
-18869
-18899
-18911
-18913
-18917
-18919
-18947
-18959
-18973
-18979
-19001
-19009
-19013
-19031
-19037
-19051
-19069
-19073
-19079
-19081
-19087
-19121
-19139
-19141
-19157
-19163
-19181
-19183
-19207
-19211
-19213
-19219
-19231
-19237
-19249
-19259
-19267
-19273
-19289
-19301
-19309
-19319
-19333
-19373
-19379
-19381
-19387
-19391
-19403
-19417
-19421
-19423
-19427
-19429
-19433
-19441
-19447
-19457
-19463
-19469
-19471
-19477
-19483
-19489
-19501
-19507
-19531
-19541
-19543
-19553
-19559
-19571
-19577
-19583
-19597
-19603
-19609
-19661
-19681
-19687
-19697
-19699
-19709
-19717
-19727
-19739
-19751
-19753
-19759
-19763
-19777
-19793
-19801
-19813
-19819
-19841
-19843
-19853
-19861
-19867
-19889
-19891
-19913
-19919
-19927
-19937
-19949
-19961
-19963
-19973
-19979
-19991
-19993
-19997
-20011
-20021
-20023
-20029
-20047
-20051
-20063
-20071
-20089
-20101
-20107
-20113
-20117
-20123
-20129
-20143
-20147
-20149
-20161
-20173
-20177
-20183
-20201
-20219
-20231
-20233
-20249
-20261
-20269
-20287
-20297
-20323
-20327
-20333
-20341
-20347
-20353
-20357
-20359
-20369
-20389
-20393
-20399
-20407
-20411
-20431
-20441
-20443
-20477
-20479
-20483
-20507
-20509
-20521
-20533
-20543
-20549
-20551
-20563
-20593
-20599
-20611
-20627
-20639
-20641
-20663
-20681
-20693
-20707
-20717
-20719
-20731
-20743
-20747
-20749
-20753
-20759
-20771
-20773
-20789
-20807
-20809
-20849
-20857
-20873
-20879
-20887
-20897
-20899
-20903
-20921
-20929
-20939
-20947
-20959
-20963
-20981
-20983
-21001
-21011
-21013
-21017
-21019
-21023
-21031
-21059
-21061
-21067
-21089
-21101
-21107
-21121
-21139
-21143
-21149
-21157
-21163
-21169
-21179
-21187
-21191
-21193
-21211
-21221
-21227
-21247
-21269
-21277
-21283
-21313
-21317
-21319
-21323
-21341
-21347
-21377
-21379
-21383
-21391
-21397
-21401
-21407
-21419
-21433
-21467
-21481
-21487
-21491
-21493
-21499
-21503
-21517
-21521
-21523
-21529
-21557
-21559
-21563
-21569
-21577
-21587
-21589
-21599
-21601
-21611
-21613
-21617
-21647
-21649
-21661
-21673
-21683
-21701
-21713
-21727
-21737
-21739
-21751
-21757
-21767
-21773
-21787
-21799
-21803
-21817
-21821
-21839
-21841
-21851
-21859
-21863
-21871
-21881
-21893
-21911
-21929
-21937
-21943
-21961
-21977
-21991
-21997
-22003
-22013
-22027
-22031
-22037
-22039
-22051
-22063
-22067
-22073
-22079
-22091
-22093
-22109
-22111
-22123
-22129
-22133
-22147
-22153
-22157
-22159
-22171
-22189
-22193
-22229
-22247
-22259
-22271
-22273
-22277
-22279
-22283
-22291
-22303
-22307
-22343
-22349
-22367
-22369
-22381
-22391
-22397
-22409
-22433
-22441
-22447
-22453
-22469
-22481
-22483
-22501
-22511
-22531
-22541
-22543
-22549
-22567
-22571
-22573
-22613
-22619
-22621
-22637
-22639
-22643
-22651
-22669
-22679
-22691
-22697
-22699
-22709
-22717
-22721
-22727
-22739
-22741
-22751
-22769
-22777
-22783
-22787
-22807
-22811
-22817
-22853
-22859
-22861
-22871
-22877
-22901
-22907
-22921
-22937
-22943
-22961
-22963
-22973
-22993
-23003
-23011
-23017
-23021
-23027
-23029
-23039
-23041
-23053
-23057
-23059
-23063
-23071
-23081
-23087
-23099
-23117
-23131
-23143
-23159
-23167
-23173
-23189
-23197
-23201
-23203
-23209
-23227
-23251
-23269
-23279
-23291
-23293
-23297
-23311
-23321
-23327
-23333
-23339
-23357
-23369
-23371
-23399
-23417
-23431
-23447
-23459
-23473
-23497
-23509
-23531
-23537
-23539
-23549
-23557
-23561
-23563
-23567
-23581
-23593
-23599
-23603
-23609
-23623
-23627
-23629
-23633
-23663
-23669
-23671
-23677
-23687
-23689
-23719
-23741
-23743
-23747
-23753
-23761
-23767
-23773
-23789
-23801
-23813
-23819
-23827
-23831
-23833
-23857
-23869
-23873
-23879
-23887
-23893
-23899
-23909
-23911
-23917
-23929
-23957
-23971
-23977
-23981
-23993
-24001
-24007
-24019
-24023
-24029
-24043
-24049
-24061
-24071
-24077
-24083
-24091
-24097
-24103
-24107
-24109
-24113
-24121
-24133
-24137
-24151
-24169
-24179
-24181
-24197
-24203
-24223
-24229
-24239
-24247
-24251
-24281
-24317
-24329
-24337
-24359
-24371
-24373
-24379
-24391
-24407
-24413
-24419
-24421
-24439
-24443
-24469
-24473
-24481
-24499
-24509
-24517
-24527
-24533
-24547
-24551
-24571
-24593
-24611
-24623
-24631
-24659
-24671
-24677
-24683
-24691
-24697
-24709
-24733
-24749
-24763
-24767
-24781
-24793
-24799
-24809
-24821
-24841
-24847
-24851
-24859
-24877
-24889
-24907
-24917
-24919
-24923
-24943
-24953
-24967
-24971
-24977
-24979
-24989
-25013
-25031
-25033
-25037
-25057
-25073
-25087
-25097
-25111
-25117
-25121
-25127
-25147
-25153
-25163
-25169
-25171
-25183
-25189
-25219
-25229
-25237
-25243
-25247
-25253
-25261
-25301
-25303
-25307
-25309
-25321
-25339
-25343
-25349
-25357
-25367
-25373
-25391
-25409
-25411
-25423
-25439
-25447
-25453
-25457
-25463
-25469
-25471
-25523
-25537
-25541
-25561
-25577
-25579
-25583
-25589
-25601
-25603
-25609
-25621
-25633
-25639
-25643
-25657
-25667
-25673
-25679
-25693
-25703
-25717
-25733
-25741
-25747
-25759
-25763
-25771
-25793
-25799
-25801
-25819
-25841
-25847
-25849
-25867
-25873
-25889
-25903
-25913
-25919
-25931
-25933
-25939
-25943
-25951
-25969
-25981
-25997
-25999
-26003
-26017
-26021
-26029
-26041
-26053
-26083
-26099
-26107
-26111
-26113
-26119
-26141
-26153
-26161
-26171
-26177
-26183
-26189
-26203
-26209
-26227
-26237
-26249
-26251
-26261
-26263
-26267
-26293
-26297
-26309
-26317
-26321
-26339
-26347
-26357
-26371
-26387
-26393
-26399
-26407
-26417
-26423
-26431
-26437
-26449
-26459
-26479
-26489
-26497
-26501
-26513
-26539
-26557
-26561
-26573
-26591
-26597
-26627
-26633
-26641
-26647
-26669
-26681
-26683
-26687
-26693
-26699
-26701
-26711
-26713
-26717
-26723
-26729
-26731
-26737
-26759
-26777
-26783
-26801
-26813
-26821
-26833
-26839
-26849
-26861
-26863
-26879
-26881
-26891
-26893
-26903
-26921
-26927
-26947
-26951
-26953
-26959
-26981
-26987
-26993
-27011
-27017
-27031
-27043
-27059
-27061
-27067
-27073
-27077
-27091
-27103
-27107
-27109
-27127
-27143
-27179
-27191
-27197
-27211
-27239
-27241
-27253
-27259
-27271
-27277
-27281
-27283
-27299
-27329
-27337
-27361
-27367
-27397
-27407
-27409
-27427
-27431
-27437
-27449
-27457
-27479
-27481
-27487
-27509
-27527
-27529
-27539
-27541
-27551
-27581
-27583
-27611
-27617
-27631
-27647
-27653
-27673
-27689
-27691
-27697
-27701
-27733
-27737
-27739
-27743
-27749
-27751
-27763
-27767
-27773
-27779
-27791
-27793
-27799
-27803
-27809
-27817
-27823
-27827
-27847
-27851
-27883
-27893
-27901
-27917
-27919
-27941
-27943
-27947
-27953
-27961
-27967
-27983
-27997
-28001
-28019
-28027
-28031
-28051
-28057
-28069
-28081
-28087
-28097
-28099
-28109
-28111
-28123
-28151
-28163
-28181
-28183
-28201
-28211
-28219
-28229
-28277
-28279
-28283
-28289
-28297
-28307
-28309
-28319
-28349
-28351
-28387
-28393
-28403
-28409
-28411
-28429
-28433
-28439
-28447
-28463
-28477
-28493
-28499
-28513
-28517
-28537
-28541
-28547
-28549
-28559
-28571
-28573
-28579
-28591
-28597
-28603
-28607
-28619
-28621
-28627
-28631
-28643
-28649
-28657
-28661
-28663
-28669
-28687
-28697
-28703
-28711
-28723
-28729
-28751
-28753
-28759
-28771
-28789
-28793
-28807
-28813
-28817
-28837
-28843
-28859
-28867
-28871
-28879
-28901
-28909
-28921
-28927
-28933
-28949
-28961
-28979
-29009
-29017
-29021
-29023
-29027
-29033
-29059
-29063
-29077
-29101
-29123
-29129
-29131
-29137
-29147
-29153
-29167
-29173
-29179
-29191
-29201
-29207
-29209
-29221
-29231
-29243
-29251
-29269
-29287
-29297
-29303
-29311
-29327
-29333
-29339
-29347
-29363
-29383
-29387
-29389
-29399
-29401
-29411
-29423
-29429
-29437
-29443
-29453
-29473
-29483
-29501
-29527
-29531
-29537
-29567
-29569
-29573
-29581
-29587
-29599
-29611
-29629
-29633
-29641
-29663
-29669
-29671
-29683
-29717
-29723
-29741
-29753
-29759
-29761
-29789
-29803
-29819
-29833
-29837
-29851
-29863
-29867
-29873
-29879
-29881
-29917
-29921
-29927
-29947
-29959
-29983
-29989
-30011
-30013
-30029
-30047
-30059
-30071
-30089
-30091
-30097
-30103
-30109
-30113
-30119
-30133
-30137
-30139
-30161
-30169
-30181
-30187
-30197
-30203
-30211
-30223
-30241
-30253
-30259
-30269
-30271
-30293
-30307
-30313
-30319
-30323
-30341
-30347
-30367
-30389
-30391
-30403
-30427
-30431
-30449
-30467
-30469
-30491
-30493
-30497
-30509
-30517
-30529
-30539
-30553
-30557
-30559
-30577
-30593
-30631
-30637
-30643
-30649
-30661
-30671
-30677
-30689
-30697
-30703
-30707
-30713
-30727
-30757
-30763
-30773
-30781
-30803
-30809
-30817
-30829
-30839
-30841
-30851
-30853
-30859
-30869
-30871
-30881
-30893
-30911
-30931
-30937
-30941
-30949
-30971
-30977
-30983
-31013
-31019
-31033
-31039
-31051
-31063
-31069
-31079
-31081
-31091
-31121
-31123
-31139
-31147
-31151
-31153
-31159
-31177
-31181
-31183
-31189
-31193
-31219
-31223
-31231
-31237
-31247
-31249
-31253
-31259
-31267
-31271
-31277
-31307
-31319
-31321
-31327
-31333
-31337
-31357
-31379
-31387
-31391
-31393
-31397
-31469
-31477
-31481
-31489
-31511
-31513
-31517
-31531
-31541
-31543
-31547
-31567
-31573
-31583
-31601
-31607
-31627
-31643
-31649
-31657
-31663
-31667
-31687
-31699
-31721
-31723
-31727
-31729
-31741
-31751
-31769
-31771
-31793
-31799
-31817
-31847
-31849
-31859
-31873
-31883
-31891
-31907
-31957
-31963
-31973
-31981
-31991
-32003
-32009
-32027
-32029
-32051
-32057
-32059
-32063
-32069
-32077
-32083
-32089
-32099
-32117
-32119
-32141
-32143
-32159
-32173
-32183
-32189
-32191
-32203
-32213
-32233
-32237
-32251
-32257
-32261
-32297
-32299
-32303
-32309
-32321
-32323
-32327
-32341
-32353
-32359
-32363
-32369
-32371
-32377
-32381
-32401
-32411
-32413
-32423
-32429
-32441
-32443
-32467
-32479
-32491
-32497
-32503
-32507
-32531
-32533
-32537
-32561
-32563
-32569
-32573
-32579
-32587
-32603
-32609
-32611
-32621
-32633
-32647
-32653
-32687
-32693
-32707
-32713
-32717
-32719
-32749
-32771
-32779
-32783
-32789
-32797
-32801
-32803
-32831
-32833
-32839
-32843
-32869
-32887
-32909
-32911
-32917
-32933
-32939
-32941
-32957
-32969
-32971
-32983
-32987
-32993
-32999
-33013
-33023
-33029
-33037
-33049
-33053
-33071
-33073
-33083
-33091
-33107
-33113
-33119
-33149
-33151
-33161
-33179
-33181
-33191
-33199
-33203
-33211
-33223
-33247
-33287
-33289
-33301
-33311
-33317
-33329
-33331
-33343
-33347
-33349
-33353
-33359
-33377
-33391
-33403
-33409
-33413
-33427
-33457
-33461
-33469
-33479
-33487
-33493
-33503
-33521
-33529
-33533
-33547
-33563
-33569
-33577
-33581
-33587
-33589
-33599
-33601
-33613
-33617
-33619
-33623
-33629
-33637
-33641
-33647
-33679
-33703
-33713
-33721
-33739
-33749
-33751
-33757
-33767
-33769
-33773
-33791
-33797
-33809
-33811
-33827
-33829
-33851
-33857
-33863
-33871
-33889
-33893
-33911
-33923
-33931
-33937
-33941
-33961
-33967
-33997
-34019
-34031
-34033
-34039
-34057
-34061
-34123
-34127
-34129
-34141
-34147
-34157
-34159
-34171
-34183
-34211
-34213
-34217
-34231
-34253
-34259
-34261
-34267
-34273
-34283
-34297
-34301
-34303
-34313
-34319
-34327
-34337
-34351
-34361
-34367
-34369
-34381
-34403
-34421
-34429
-34439
-34457
-34469
-34471
-34483
-34487
-34499
-34501
-34511
-34513
-34519
-34537
-34543
-34549
-34583
-34589
-34591
-34603
-34607
-34613
-34631
-34649
-34651
-34667
-34673
-34679
-34687
-34693
-34703
-34721
-34729
-34739
-34747
-34757
-34759
-34763
-34781
-34807
-34819
-34841
-34843
-34847
-34849
-34871
-34877
-34883
-34897
-34913
-34919
-34939
-34949
-34961
-34963
-34981
-35023
-35027
-35051
-35053
-35059
-35069
-35081
-35083
-35089
-35099
-35107
-35111
-35117
-35129
-35141
-35149
-35153
-35159
-35171
-35201
-35221
-35227
-35251
-35257
-35267
-35279
-35281
-35291
-35311
-35317
-35323
-35327
-35339
-35353
-35363
-35381
-35393
-35401
-35407
-35419
-35423
-35437
-35447
-35449
-35461
-35491
-35507
-35509
-35521
-35527
-35531
-35533
-35537
-35543
-35569
-35573
-35591
-35593
-35597
-35603
-35617
-35671
-35677
-35729
-35731
-35747
-35753
-35759
-35771
-35797
-35801
-35803
-35809
-35831
-35837
-35839
-35851
-35863
-35869
-35879
-35897
-35899
-35911
-35923
-35933
-35951
-35963
-35969
-35977
-35983
-35993
-35999
-36007
-36011
-36013
-36017
-36037
-36061
-36067
-36073
-36083
-36097
-36107
-36109
-36131
-36137
-36151
-36161
-36187
-36191
-36209
-36217
-36229
-36241
-36251
-36263
-36269
-36277
-36293
-36299
-36307
-36313
-36319
-36341
-36343
-36353
-36373
-36383
-36389
-36433
-36451
-36457
-36467
-36469
-36473
-36479
-36493
-36497
-36523
-36527
-36529
-36541
-36551
-36559
-36563
-36571
-36583
-36587
-36599
-36607
-36629
-36637
-36643
-36653
-36671
-36677
-36683
-36691
-36697
-36709
-36713
-36721
-36739
-36749
-36761
-36767
-36779
-36781
-36787
-36791
-36793
-36809
-36821
-36833
-36847
-36857
-36871
-36877
-36887
-36899
-36901
-36913
-36919
-36923
-36929
-36931
-36943
-36947
-36973
-36979
-36997
-37003
-37013
-37019
-37021
-37039
-37049
-37057
-37061
-37087
-37097
-37117
-37123
-37139
-37159
-37171
-37181
-37189
-37199
-37201
-37217
-37223
-37243
-37253
-37273
-37277
-37307
-37309
-37313
-37321
-37337
-37339
-37357
-37361
-37363
-37369
-37379
-37397
-37409
-37423
-37441
-37447
-37463
-37483
-37489
-37493
-37501
-37507
-37511
-37517
-37529
-37537
-37547
-37549
-37561
-37567
-37571
-37573
-37579
-37589
-37591
-37607
-37619
-37633
-37643
-37649
-37657
-37663
-37691
-37693
-37699
-37717
-37747
-37781
-37783
-37799
-37811
-37813
-37831
-37847
-37853
-37861
-37871
-37879
-37889
-37897
-37907
-37951
-37957
-37963
-37967
-37987
-37991
-37993
-37997
-38011
-38039
-38047
-38053
-38069
-38083
-38113
-38119
-38149
-38153
-38167
-38177
-38183
-38189
-38197
-38201
-38219
-38231
-38237
-38239
-38261
-38273
-38281
-38287
-38299
-38303
-38317
-38321
-38327
-38329
-38333
-38351
-38371
-38377
-38393
-38431
-38447
-38449
-38453
-38459
-38461
-38501
-38543
-38557
-38561
-38567
-38569
-38593
-38603
-38609
-38611
-38629
-38639
-38651
-38653
-38669
-38671
-38677
-38693
-38699
-38707
-38711
-38713
-38723
-38729
-38737
-38747
-38749
-38767
-38783
-38791
-38803
-38821
-38833
-38839
-38851
-38861
-38867
-38873
-38891
-38903
-38917
-38921
-38923
-38933
-38953
-38959
-38971
-38977
-38993
-39019
-39023
-39041
-39043
-39047
-39079
-39089
-39097
-39103
-39107
-39113
-39119
-39133
-39139
-39157
-39161
-39163
-39181
-39191
-39199
-39209
-39217
-39227
-39229
-39233
-39239
-39241
-39251
-39293
-39301
-39313
-39317
-39323
-39341
-39343
-39359
-39367
-39371
-39373
-39383
-39397
-39409
-39419
-39439
-39443
-39451
-39461
-39499
-39503
-39509
-39511
-39521
-39541
-39551
-39563
-39569
-39581
-39607
-39619
-39623
-39631
-39659
-39667
-39671
-39679
-39703
-39709
-39719
-39727
-39733
-39749
-39761
-39769
-39779
-39791
-39799
-39821
-39827
-39829
-39839
-39841
-39847
-39857
-39863
-39869
-39877
-39883
-39887
-39901
-39929
-39937
-39953
-39971
-39979
-39983
-39989
-40009
-40013
-40031
-40037
-40039
-40063
-40087
-40093
-40099
-40111
-40123
-40127
-40129
-40151
-40153
-40163
-40169
-40177
-40189
-40193
-40213
-40231
-40237
-40241
-40253
-40277
-40283
-40289
-40343
-40351
-40357
-40361
-40387
-40423
-40427
-40429
-40433
-40459
-40471
-40483
-40487
-40493
-40499
-40507
-40519
-40529
-40531
-40543
-40559
-40577
-40583
-40591
-40597
-40609
-40627
-40637
-40639
-40693
-40697
-40699
-40709
-40739
-40751
-40759
-40763
-40771
-40787
-40801
-40813
-40819
-40823
-40829
-40841
-40847
-40849
-40853
-40867
-40879
-40883
-40897
-40903
-40927
-40933
-40939
-40949
-40961
-40973
-40993
-41011
-41017
-41023
-41039
-41047
-41051
-41057
-41077
-41081
-41113
-41117
-41131
-41141
-41143
-41149
-41161
-41177
-41179
-41183
-41189
-41201
-41203
-41213
-41221
-41227
-41231
-41233
-41243
-41257
-41263
-41269
-41281
-41299
-41333
-41341
-41351
-41357
-41381
-41387
-41389
-41399
-41411
-41413
-41443
-41453
-41467
-41479
-41491
-41507
-41513
-41519
-41521
-41539
-41543
-41549
-41579
-41593
-41597
-41603
-41609
-41611
-41617
-41621
-41627
-41641
-41647
-41651
-41659
-41669
-41681
-41687
-41719
-41729
-41737
-41759
-41761
-41771
-41777
-41801
-41809
-41813
-41843
-41849
-41851
-41863
-41879
-41887
-41893
-41897
-41903
-41911
-41927
-41941
-41947
-41953
-41957
-41959
-41969
-41981
-41983
-41999
-42013
-42017
-42019
-42023
-42043
-42061
-42071
-42073
-42083
-42089
-42101
-42131
-42139
-42157
-42169
-42179
-42181
-42187
-42193
-42197
-42209
-42221
-42223
-42227
-42239
-42257
-42281
-42283
-42293
-42299
-42307
-42323
-42331
-42337
-42349
-42359
-42373
-42379
-42391
-42397
-42403
-42407
-42409
-42433
-42437
-42443
-42451
-42457
-42461
-42463
-42467
-42473
-42487
-42491
-42499
-42509
-42533
-42557
-42569
-42571
-42577
-42589
-42611
-42641
-42643
-42649
-42667
-42677
-42683
-42689
-42697
-42701
-42703
-42709
-42719
-42727
-42737
-42743
-42751
-42767
-42773
-42787
-42793
-42797
-42821
-42829
-42839
-42841
-42853
-42859
-42863
-42899
-42901
-42923
-42929
-42937
-42943
-42953
-42961
-42967
-42979
-42989
-43003
-43013
-43019
-43037
-43049
-43051
-43063
-43067
-43093
-43103
-43117
-43133
-43151
-43159
-43177
-43189
-43201
-43207
-43223
-43237
-43261
-43271
-43283
-43291
-43313
-43319
-43321
-43331
-43391
-43397
-43399
-43403
-43411
-43427
-43441
-43451
-43457
-43481
-43487
-43499
-43517
-43541
-43543
-43573
-43577
-43579
-43591
-43597
-43607
-43609
-43613
-43627
-43633
-43649
-43651
-43661
-43669
-43691
-43711
-43717
-43721
-43753
-43759
-43777
-43781
-43783
-43787
-43789
-43793
-43801
-43853
-43867
-43889
-43891
-43913
-43933
-43943
-43951
-43961
-43963
-43969
-43973
-43987
-43991
-43997
-44017
-44021
-44027
-44029
-44041
-44053
-44059
-44071
-44087
-44089
-44101
-44111
-44119
-44123
-44129
-44131
-44159
-44171
-44179
-44189
-44201
-44203
-44207
-44221
-44249
-44257
-44263
-44267
-44269
-44273
-44279
-44281
-44293
-44351
-44357
-44371
-44381
-44383
-44389
-44417
-44449
-44453
-44483
-44491
-44497
-44501
-44507
-44519
-44531
-44533
-44537
-44543
-44549
-44563
-44579
-44587
-44617
-44621
-44623
-44633
-44641
-44647
-44651
-44657
-44683
-44687
-44699
-44701
-44711
-44729
-44741
-44753
-44771
-44773
-44777
-44789
-44797
-44809
-44819
-44839
-44843
-44851
-44867
-44879
-44887
-44893
-44909
-44917
-44927
-44939
-44953
-44959
-44963
-44971
-44983
-44987
-45007
-45013
-45053
-45061
-45077
-45083
-45119
-45121
-45127
-45131
-45137
-45139
-45161
-45179
-45181
-45191
-45197
-45233
-45247
-45259
-45263
-45281
-45289
-45293
-45307
-45317
-45319
-45329
-45337
-45341
-45343
-45361
-45377
-45389
-45403
-45413
-45427
-45433
-45439
-45481
-45491
-45497
-45503
-45523
-45533
-45541
-45553
-45557
-45569
-45587
-45589
-45599
-45613
-45631
-45641
-45659
-45667
-45673
-45677
-45691
-45697
-45707
-45737
-45751
-45757
-45763
-45767
-45779
-45817
-45821
-45823
-45827
-45833
-45841
-45853
-45863
-45869
-45887
-45893
-45943
-45949
-45953
-45959
-45971
-45979
-45989
-46021
-46027
-46049
-46051
-46061
-46073
-46091
-46093
-46099
-46103
-46133
-46141
-46147
-46153
-46171
-46181
-46183
-46187
-46199
-46219
-46229
-46237
-46261
-46271
-46273
-46279
-46301
-46307
-46309
-46327
-46337
-46349
-46351
-46381
-46399
-46411
-46439
-46441
-46447
-46451
-46457
-46471
-46477
-46489
-46499
-46507
-46511
-46523
-46549
-46559
-46567
-46573
-46589
-46591
-46601
-46619
-46633
-46639
-46643
-46649
-46663
-46679
-46681
-46687
-46691
-46703
-46723
-46727
-46747
-46751
-46757
-46769
-46771
-46807
-46811
-46817
-46819
-46829
-46831
-46853
-46861
-46867
-46877
-46889
-46901
-46919
-46933
-46957
-46993
-46997
-47017
-47041
-47051
-47057
-47059
-47087
-47093
-47111
-47119
-47123
-47129
-47137
-47143
-47147
-47149
-47161
-47189
-47207
-47221
-47237
-47251
-47269
-47279
-47287
-47293
-47297
-47303
-47309
-47317
-47339
-47351
-47353
-47363
-47381
-47387
-47389
-47407
-47417
-47419
-47431
-47441
-47459
-47491
-47497
-47501
-47507
-47513
-47521
-47527
-47533
-47543
-47563
-47569
-47581
-47591
-47599
-47609
-47623
-47629
-47639
-47653
-47657
-47659
-47681
-47699
-47701
-47711
-47713
-47717
-47737
-47741
-47743
-47777
-47779
-47791
-47797
-47807
-47809
-47819
-47837
-47843
-47857
-47869
-47881
-47903
-47911
-47917
-47933
-47939
-47947
-47951
-47963
-47969
-47977
-47981
-48017
-48023
-48029
-48049
-48073
-48079
-48091
-48109
-48119
-48121
-48131
-48157
-48163
-48179
-48187
-48193
-48197
-48221
-48239
-48247
-48259
-48271
-48281
-48299
-48311
-48313
-48337
-48341
-48353
-48371
-48383
-48397
-48407
-48409
-48413
-48437
-48449
-48463
-48473
-48479
-48481
-48487
-48491
-48497
-48523
-48527
-48533
-48539
-48541
-48563
-48571
-48589
-48593
-48611
-48619
-48623
-48647
-48649
-48661
-48673
-48677
-48679
-48731
-48733
-48751
-48757
-48761
-48767
-48779
-48781
-48787
-48799
-48809
-48817
-48821
-48823
-48847
-48857
-48859
-48869
-48871
-48883
-48889
-48907
-48947
-48953
-48973
-48989
-48991
-49003
-49009
-49019
-49031
-49033
-49037
-49043
-49057
-49069
-49081
-49103
-49109
-49117
-49121
-49123
-49139
-49157
-49169
-49171
-49177
-49193
-49199
-49201
-49207
-49211
-49223
-49253
-49261
-49277
-49279
-49297
-49307
-49331
-49333
-49339
-49363
-49367
-49369
-49391
-49393
-49409
-49411
-49417
-49429
-49433
-49451
-49459
-49463
-49477
-49481
-49499
-49523
-49529
-49531
-49537
-49547
-49549
-49559
-49597
-49603
-49613
-49627
-49633
-49639
-49663
-49667
-49669
-49681
-49697
-49711
-49727
-49739
-49741
-49747
-49757
-49783
-49787
-49789
-49801
-49807
-49811
-49823
-49831
-49843
-49853
-49871
-49877
-49891
-49919
-49921
-49927
-49937
-49939
-49943
-49957
-49991
-49993
-49999
-50021
-50023
-50033
-50047
-50051
-50053
-50069
-50077
-50087
-50093
-50101
-50111
-50119
-50123
-50129
-50131
-50147
-50153
-50159
-50177
-50207
-50221
-50227
-50231
-50261
-50263
-50273
-50287
-50291
-50311
-50321
-50329
-50333
-50341
-50359
-50363
-50377
-50383
-50387
-50411
-50417
-50423
-50441
-50459
-50461
-50497
-50503
-50513
-50527
-50539
-50543
-50549
-50551
-50581
-50587
-50591
-50593
-50599
-50627
-50647
-50651
-50671
-50683
-50707
-50723
-50741
-50753
-50767
-50773
-50777
-50789
-50821
-50833
-50839
-50849
-50857
-50867
-50873
-50891
-50893
-50909
-50923
-50929
-50951
-50957
-50969
-50971
-50989
-50993
-51001
-51031
-51043
-51047
-51059
-51061
-51071
-51109
-51131
-51133
-51137
-51151
-51157
-51169
-51193
-51197
-51199
-51203
-51217
-51229
-51239
-51241
-51257
-51263
-51283
-51287
-51307
-51329
-51341
-51343
-51347
-51349
-51361
-51383
-51407
-51413
-51419
-51421
-51427
-51431
-51437
-51439
-51449
-51461
-51473
-51479
-51481
-51487
-51503
-51511
-51517
-51521
-51539
-51551
-51563
-51577
-51581
-51593
-51599
-51607
-51613
-51631
-51637
-51647
-51659
-51673
-51679
-51683
-51691
-51713
-51719
-51721
-51749
-51767
-51769
-51787
-51797
-51803
-51817
-51827
-51829
-51839
-51853
-51859
-51869
-51871
-51893
-51899
-51907
-51913
-51929
-51941
-51949
-51971
-51973
-51977
-51991
-52009
-52021
-52027
-52051
-52057
-52067
-52069
-52081
-52103
-52121
-52127
-52147
-52153
-52163
-52177
-52181
-52183
-52189
-52201
-52223
-52237
-52249
-52253
-52259
-52267
-52289
-52291
-52301
-52313
-52321
-52361
-52363
-52369
-52379
-52387
-52391
-52433
-52453
-52457
-52489
-52501
-52511
-52517
-52529
-52541
-52543
-52553
-52561
-52567
-52571
-52579
-52583
-52609
-52627
-52631
-52639
-52667
-52673
-52691
-52697
-52709
-52711
-52721
-52727
-52733
-52747
-52757
-52769
-52783
-52807
-52813
-52817
-52837
-52859
-52861
-52879
-52883
-52889
-52901
-52903
-52919
-52937
-52951
-52957
-52963
-52967
-52973
-52981
-52999
-53003
-53017
-53047
-53051
-53069
-53077
-53087
-53089
-53093
-53101
-53113
-53117
-53129
-53147
-53149
-53161
-53171
-53173
-53189
-53197
-53201
-53231
-53233
-53239
-53267
-53269
-53279
-53281
-53299
-53309
-53323
-53327
-53353
-53359
-53377
-53381
-53401
-53407
-53411
-53419
-53437
-53441
-53453
-53479
-53503
-53507
-53527
-53549
-53551
-53569
-53591
-53593
-53597
-53609
-53611
-53617
-53623
-53629
-53633
-53639
-53653
-53657
-53681
-53693
-53699
-53717
-53719
-53731
-53759
-53773
-53777
-53783
-53791
-53813
-53819
-53831
-53849
-53857
-53861
-53881
-53887
-53891
-53897
-53899
-53917
-53923
-53927
-53939
-53951
-53959
-53987
-53993
-54001
-54011
-54013
-54037
-54049
-54059
-54083
-54091
-54101
-54121
-54133
-54139
-54151
-54163
-54167
-54181
-54193
-54217
-54251
-54269
-54277
-54287
-54293
-54311
-54319
-54323
-54331
-54347
-54361
-54367
-54371
-54377
-54401
-54403
-54409
-54413
-54419
-54421
-54437
-54443
-54449
-54469
-54493
-54497
-54499
-54503
-54517
-54521
-54539
-54541
-54547
-54559
-54563
-54577
-54581
-54583
-54601
-54617
-54623
-54629
-54631
-54647
-54667
-54673
-54679
-54709
-54713
-54721
-54727
-54751
-54767
-54773
-54779
-54787
-54799
-54829
-54833
-54851
-54869
-54877
-54881
-54907
-54917
-54919
-54941
-54949
-54959
-54973
-54979
-54983
-55001
-55009
-55021
-55049
-55051
-55057
-55061
-55073
-55079
-55103
-55109
-55117
-55127
-55147
-55163
-55171
-55201
-55207
-55213
-55217
-55219
-55229
-55243
-55249
-55259
-55291
-55313
-55331
-55333
-55337
-55339
-55343
-55351
-55373
-55381
-55399
-55411
-55439
-55441
-55457
-55469
-55487
-55501
-55511
-55529
-55541
-55547
-55579
-55589
-55603
-55609
-55619
-55621
-55631
-55633
-55639
-55661
-55663
-55667
-55673
-55681
-55691
-55697
-55711
-55717
-55721
-55733
-55763
-55787
-55793
-55799
-55807
-55813
-55817
-55819
-55823
-55829
-55837
-55843
-55849
-55871
-55889
-55897
-55901
-55903
-55921
-55927
-55931
-55933
-55949
-55967
-55987
-55997
-56003
-56009
-56039
-56041
-56053
-56081
-56087
-56093
-56099
-56101
-56113
-56123
-56131
-56149
-56167
-56171
-56179
-56197
-56207
-56209
-56237
-56239
-56249
-56263
-56267
-56269
-56299
-56311
-56333
-56359
-56369
-56377
-56383
-56393
-56401
-56417
-56431
-56437
-56443
-56453
-56467
-56473
-56477
-56479
-56489
-56501
-56503
-56509
-56519
-56527
-56531
-56533
-56543
-56569
-56591
-56597
-56599
-56611
-56629
-56633
-56659
-56663
-56671
-56681
-56687
-56701
-56711
-56713
-56731
-56737
-56747
-56767
-56773
-56779
-56783
-56807
-56809
-56813
-56821
-56827
-56843
-56857
-56873
-56891
-56893
-56897
-56909
-56911
-56921
-56923
-56929
-56941
-56951
-56957
-56963
-56983
-56989
-56993
-56999
-57037
-57041
-57047
-57059
-57073
-57077
-57089
-57097
-57107
-57119
-57131
-57139
-57143
-57149
-57163
-57173
-57179
-57191
-57193
-57203
-57221
-57223
-57241
-57251
-57259
-57269
-57271
-57283
-57287
-57301
-57329
-57331
-57347
-57349
-57367
-57373
-57383
-57389
-57397
-57413
-57427
-57457
-57467
-57487
-57493
-57503
-57527
-57529
-57557
-57559
-57571
-57587
-57593
-57601
-57637
-57641
-57649
-57653
-57667
-57679
-57689
-57697
-57709
-57713
-57719
-57727
-57731
-57737
-57751
-57773
-57781
-57787
-57791
-57793
-57803
-57809
-57829
-57839
-57847
-57853
-57859
-57881
-57899
-57901
-57917
-57923
-57943
-57947
-57973
-57977
-57991
-58013
-58027
-58031
-58043
-58049
-58057
-58061
-58067
-58073
-58099
-58109
-58111
-58129
-58147
-58151
-58153
-58169
-58171
-58189
-58193
-58199
-58207
-58211
-58217
-58229
-58231
-58237
-58243
-58271
-58309
-58313
-58321
-58337
-58363
-58367
-58369
-58379
-58391
-58393
-58403
-58411
-58417
-58427
-58439
-58441
-58451
-58453
-58477
-58481
-58511
-58537
-58543
-58549
-58567
-58573
-58579
-58601
-58603
-58613
-58631
-58657
-58661
-58679
-58687
-58693
-58699
-58711
-58727
-58733
-58741
-58757
-58763
-58771
-58787
-58789
-58831
-58889
-58897
-58901
-58907
-58909
-58913
-58921
-58937
-58943
-58963
-58967
-58979
-58991
-58997
-59009
-59011
-59021
-59023
-59029
-59051
-59053
-59063
-59069
-59077
-59083
-59093
-59107
-59113
-59119
-59123
-59141
-59149
-59159
-59167
-59183
-59197
-59207
-59209
-59219
-59221
-59233
-59239
-59243
-59263
-59273
-59281
-59333
-59341
-59351
-59357
-59359
-59369
-59377
-59387
-59393
-59399
-59407
-59417
-59419
-59441
-59443
-59447
-59453
-59467
-59471
-59473
-59497
-59509
-59513
-59539
-59557
-59561
-59567
-59581
-59611
-59617
-59621
-59627
-59629
-59651
-59659
-59663
-59669
-59671
-59693
-59699
-59707
-59723
-59729
-59743
-59747
-59753
-59771
-59779
-59791
-59797
-59809
-59833
-59863
-59879
-59887
-59921
-59929
-59951
-59957
-59971
-59981
-59999
-60013
-60017
-60029
-60037
-60041
-60077
-60083
-60089
-60091
-60101
-60103
-60107
-60127
-60133
-60139
-60149
-60161
-60167
-60169
-60209
-60217
-60223
-60251
-60257
-60259
-60271
-60289
-60293
-60317
-60331
-60337
-60343
-60353
-60373
-60383
-60397
-60413
-60427
-60443
-60449
-60457
-60493
-60497
-60509
-60521
-60527
-60539
-60589
-60601
-60607
-60611
-60617
-60623
-60631
-60637
-60647
-60649
-60659
-60661
-60679
-60689
-60703
-60719
-60727
-60733
-60737
-60757
-60761
-60763
-60773
-60779
-60793
-60811
-60821
-60859
-60869
-60887
-60889
-60899
-60901
-60913
-60917
-60919
-60923
-60937
-60943
-60953
-60961
-61001
-61007
-61027
-61031
-61043
-61051
-61057
-61091
-61099
-61121
-61129
-61141
-61151
-61153
-61169
-61211
-61223
-61231
-61253
-61261
-61283
-61291
-61297
-61331
-61333
-61339
-61343
-61357
-61363
-61379
-61381
-61403
-61409
-61417
-61441
-61463
-61469
-61471
-61483
-61487
-61493
-61507
-61511
-61519
-61543
-61547
-61553
-61559
-61561
-61583
-61603
-61609
-61613
-61627
-61631
-61637
-61643
-61651
-61657
-61667
-61673
-61681
-61687
-61703
-61717
-61723
-61729
-61751
-61757
-61781
-61813
-61819
-61837
-61843
-61861
-61871
-61879
-61909
-61927
-61933
-61949
-61961
-61967
-61979
-61981
-61987
-61991
-62003
-62011
-62017
-62039
-62047
-62053
-62057
-62071
-62081
-62099
-62119
-62129
-62131
-62137
-62141
-62143
-62171
-62189
-62191
-62201
-62207
-62213
-62219
-62233
-62273
-62297
-62299
-62303
-62311
-62323
-62327
-62347
-62351
-62383
-62401
-62417
-62423
-62459
-62467
-62473
-62477
-62483
-62497
-62501
-62507
-62533
-62539
-62549
-62563
-62581
-62591
-62597
-62603
-62617
-62627
-62633
-62639
-62653
-62659
-62683
-62687
-62701
-62723
-62731
-62743
-62753
-62761
-62773
-62791
-62801
-62819
-62827
-62851
-62861
-62869
-62873
-62897
-62903
-62921
-62927
-62929
-62939
-62969
-62971
-62981
-62983
-62987
-62989
-63029
-63031
-63059
-63067
-63073
-63079
-63097
-63103
-63113
-63127
-63131
-63149
-63179
-63197
-63199
-63211
-63241
-63247
-63277
-63281
-63299
-63311
-63313
-63317
-63331
-63337
-63347
-63353
-63361
-63367
-63377
-63389
-63391
-63397
-63409
-63419
-63421
-63439
-63443
-63463
-63467
-63473
-63487
-63493
-63499
-63521
-63527
-63533
-63541
-63559
-63577
-63587
-63589
-63599
-63601
-63607
-63611
-63617
-63629
-63647
-63649
-63659
-63667
-63671
-63689
-63691
-63697
-63703
-63709
-63719
-63727
-63737
-63743
-63761
-63773
-63781
-63793
-63799
-63803
-63809
-63823
-63839
-63841
-63853
-63857
-63863
-63901
-63907
-63913
-63929
-63949
-63977
-63997
-64007
-64013
-64019
-64033
-64037
-64063
-64067
-64081
-64091
-64109
-64123
-64151
-64153
-64157
-64171
-64187
-64189
-64217
-64223
-64231
-64237
-64271
-64279
-64283
-64301
-64303
-64319
-64327
-64333
-64373
-64381
-64399
-64403
-64433
-64439
-64451
-64453
-64483
-64489
-64499
-64513
-64553
-64567
-64577
-64579
-64591
-64601
-64609
-64613
-64621
-64627
-64633
-64661
-64663
-64667
-64679
-64693
-64709
-64717
-64747
-64763
-64781
-64783
-64793
-64811
-64817
-64849
-64853
-64871
-64877
-64879
-64891
-64901
-64919
-64921
-64927
-64937
-64951
-64969
-64997
-65003
-65011
-65027
-65029
-65033
-65053
-65063
-65071
-65089
-65099
-65101
-65111
-65119
-65123
-65129
-65141
-65147
-65167
-65171
-65173
-65179
-65183
-65203
-65213
-65239
-65257
-65267
-65269
-65287
-65293
-65309
-65323
-65327
-65353
-65357
-65371
-65381
-65393
-65407
-65413
-65419
-65423
-65437
-65447
-65449
-65479
-65497
-65519
-65521
diff --git a/security/nss/lib/freebl/mpi/doc/prng.pod b/security/nss/lib/freebl/mpi/doc/prng.pod
deleted file mode 100644
index 1ae75da82..000000000
--- a/security/nss/lib/freebl/mpi/doc/prng.pod
+++ /dev/null
@@ -1,41 +0,0 @@
-=head1 NAME
-
- prng - pseudo-random number generator
-
-=head1 SYNOPSIS
-
- prng [count]
-
-=head1 DESCRIPTION
-
-B<Prng> generates 32-bit pseudo-random integers using the
-Blum-Blum-Shub (BBS) quadratic residue generator.  It is seeded using
-the standard C library's rand() function, which itself seeded from the
-system clock and the process ID number.  Thus, the values generated
-are not particularly useful for cryptographic applications, but they
-are in general much better than the typical output of the usual
-multiplicative congruency generator used by most runtime libraries.
-
-You may optionally specify how many random values should be generated
-by giving a I<count> argument on the command line.  If you do not
-specify a count, only one random value will be generated.  The results
-are output to the standard output in decimal notation, one value per
-line.
-
-=head1 RESTRICTIONS
-
-As stated above, B<prng> uses the C library's rand() function to seed
-the generator, so it is not terribly suitable for cryptographic
-applications.  Also note that each time you run the program, a new
-seed is generated, so it is better to run it once with a I<count>
-parameter than it is to run it multiple times to generate several
-values.
-
-=head1 AUTHOR
-
- Michael J. Fromberger <sting@linguist.dartmouth.edu>
- Copyright (C) 1998 Michael J. Fromberger, All Rights Reserved
- Thayer School of Engineering, Dartmouth College, Hanover, NH  USA
-
- $Date$
-
diff --git a/security/nss/lib/freebl/mpi/doc/redux.txt b/security/nss/lib/freebl/mpi/doc/redux.txt
deleted file mode 100644
index d6eb7844f..000000000
--- a/security/nss/lib/freebl/mpi/doc/redux.txt
+++ /dev/null
@@ -1,121 +0,0 @@
-Modular Reduction
-
-Usually, modular reduction is accomplished by long division, using the
-mp_div() or mp_mod() functions.  However, when performing modular
-exponentiation, you spend a lot of time reducing by the same modulus
-again and again.  For this purpose, doing a full division for each
-multiplication is quite inefficient.
-
-For this reason, the mp_exptmod() function does not perform modular
-reductions in the usual way, but instead takes advantage of an
-algorithm due to Barrett, as described by Menezes, Oorschot and
-VanStone in their book _Handbook of Applied Cryptography_, published
-by the CRC Press (see Chapter 14 for details).  This method reduces
-most of the computation of reduction to efficient shifting and masking
-operations, and avoids the multiple-precision division entirely.
-
-Here is a brief synopsis of Barrett reduction, as it is implemented in
-this library.
-
-Let b denote the radix of the computation (one more than the maximum
-value that can be denoted by an mp_digit).  Let m be the modulus, and
-let k be the number of significant digits of m.  Let x be the value to
-be reduced modulo m.  By the Division Theorem, there exist unique
-integers Q and R such that:
-
-	 x = Qm + R, 0 <= R < m
-
-Barrett reduction takes advantage of the fact that you can easily
-approximate Q to within two, given a value M such that:
-
-	                  2k
-	                 b
-	    M = floor( ----- )
-	                 m
-
-Computation of M requires a full-precision division step, so if you
-are only doing a single reduction by m, you gain no advantage.
-However, when multiple reductions by the same m are required, this
-division need only be done once, beforehand.  Using this, we can use
-the following equation to compute Q', an approximation of Q:
-
-                     x
-            floor( ------ ) M
-                      k-1
-                     b
-Q' = floor( ----------------- )
-                    k+1
-                   b
-
-The divisions by b^(k-1) and b^(k+1) and the floor() functions can be
-efficiently implemented with shifts and masks, leaving only a single
-multiplication to be performed to get this approximation.  It can be
-shown that Q - 2 <= Q' <= Q, so in the worst case, we can get out with
-two additional subtractions to bring the value into line with the
-actual value of Q.
-
-Once we've got Q', we basically multiply that by m and subtract from
-x, yielding:
-
-   x - Q'm = Qm + R - Q'm
-
-Since we know the constraint on Q', this is one of:
-
-      R
-      m + R
-      2m + R
-
-Since R < m by the Division Theorem, we can simply subtract off m
-until we get a value in the correct range, which will happen with no
-more than 2 subtractions:
-
-     v = x - Q'm
-
-     while(v >= m)
-       v = v - m
-     endwhile
-
-
-In random performance trials, modular exponentiation using this method
-of reduction gave around a 40% speedup over using the division for
-reduction.
-
-------------------------------------------------------------------
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this file are subject to the Mozilla Public License Version 
-1.1 (the "License"); you may not use this file except in compliance with 
-the License. You may obtain a copy of the License at 
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the MPI Arbitrary Precision Integer Arithmetic
-library.
-
-The Initial Developer of the Original Code is
-Michael J. Fromberger <sting@linguist.dartmouth.edu>
-Portions created by the Initial Developer are Copyright (C) 1998, 2000
-the Initial Developer. All Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
-
-$Id$
diff --git a/security/nss/lib/freebl/mpi/doc/sqrt.txt b/security/nss/lib/freebl/mpi/doc/sqrt.txt
deleted file mode 100644
index c709217a5..000000000
--- a/security/nss/lib/freebl/mpi/doc/sqrt.txt
+++ /dev/null
@@ -1,87 +0,0 @@
-Square Root
-
-A simple iterative algorithm is used to compute the greatest integer
-less than or equal to the square root.  Essentially, this is Newton's
-linear approximation, computed by finding successive values of the
-equation:
-
-		    x[k]^2 - V
-x[k+1]	 =  x[k] - ------------
-	             2 x[k]
-
-...where V is the value for which the square root is being sought.  In
-essence, what is happening here is that we guess a value for the
-square root, then figure out how far off we were by squaring our guess
-and subtracting the target.  Using this value, we compute a linear
-approximation for the error, and adjust the "guess".  We keep doing
-this until the precision gets low enough that the above equation
-yields a quotient of zero.  At this point, our last guess is one
-greater than the square root we're seeking.
-
-The initial guess is computed by dividing V by 4, which is a heuristic
-I have found to be fairly good on average.  This also has the
-advantage of being very easy to compute efficiently, even for large
-values.
-
-So, the resulting algorithm works as follows:
-
-    x = V / 4   /* compute initial guess */
-    
-    loop
-	t = (x * x) - V   /* Compute absolute error  */
-	u = 2 * x         /* Adjust by tangent slope */
-	t = t / u
-
-	/* Loop is done if error is zero */
-	if(t == 0)
-	    break
-
-	/* Adjust guess by error term    */
-	x = x - t
-    end
-
-    x = x - 1
-
-The result of the computation is the value of x.
-
-------------------------------------------------------------------
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this file are subject to the Mozilla Public License Version 
-1.1 (the "License"); you may not use this file except in compliance with 
-the License. You may obtain a copy of the License at 
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the MPI Arbitrary Precision Integer Arithmetic
-library.
-
-The Initial Developer of the Original Code is
-Michael J. Fromberger <sting@linguist.dartmouth.edu>
-Portions created by the Initial Developer are Copyright (C) 1998, 2000
-the Initial Developer. All Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
-
-$Id$
-
-
diff --git a/security/nss/lib/freebl/mpi/doc/square.txt b/security/nss/lib/freebl/mpi/doc/square.txt
deleted file mode 100644
index 319ea9657..000000000
--- a/security/nss/lib/freebl/mpi/doc/square.txt
+++ /dev/null
@@ -1,109 +0,0 @@
-Squaring Algorithm
-
-When you are squaring a value, you can take advantage of the fact that
-half the multiplications performed by the more general multiplication
-algorithm (see 'mul.txt' for a description) are redundant when the
-multiplicand equals the multiplier.
-
-In particular, the modified algorithm is:
-
-k = 0
-for j <- 0 to (#a - 1)
-  w = c[2*j] + (a[j] ^ 2);
-  k = w div R
-
-  for i <- j+1 to (#a - 1)
-    w = (2 * a[j] * a[i]) + k + c[i+j]
-    c[i+j] = w mod R
-    k = w div R
-  endfor
-  c[i+j] = k;
-  k = 0;
-endfor
-
-On the surface, this looks identical to the multiplication algorithm;
-however, note the following differences:
-
-  - precomputation of the leading term in the outer loop
-
-  - i runs from j+1 instead of from zero
-
-  - doubling of a[i] * a[j] in the inner product
-
-Unfortunately, the construction of the inner product is such that we
-need more than two digits to represent the inner product, in some
-cases.  In a C implementation, this means that some gymnastics must be
-performed in order to handle overflow, for which C has no direct
-abstraction.  We do this by observing the following:
-
-If we have multiplied a[i] and a[j], and the product is more than half
-the maximum value expressible in two digits, then doubling this result
-will overflow into a third digit.  If this occurs, we take note of the
-overflow, and double it anyway -- C integer arithmetic ignores
-overflow, so the two digits we get back should still be valid, modulo
-the overflow.
-
-Having doubled this value, we now have to add in the remainders and
-the digits already computed by earlier steps.  If we did not overflow
-in the previous step, we might still cause an overflow here.  That
-will happen whenever the maximum value expressible in two digits, less
-the amount we have to add, is greater than the result of the previous
-step.  Thus, the overflow computation is:
-
-
-  u = 0
-  w = a[i] * a[j]
-
-  if(w > (R - 1)/ 2)
-    u = 1;
-
-  w = w * 2
-  v = c[i + j] + k
-
-  if(u == 0 && (R - 1 - v) < w)
-    u = 1
-
-If there is an overflow, u will be 1, otherwise u will be 0.  The rest
-of the parameters are the same as they are in the above description.
-
-------------------------------------------------------------------
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this file are subject to the Mozilla Public License Version 
-1.1 (the "License"); you may not use this file except in compliance with 
-the License. You may obtain a copy of the License at 
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the MPI Arbitrary Precision Integer Arithmetic
-library.
-
-The Initial Developer of the Original Code is
-Michael J. Fromberger <sting@linguist.dartmouth.edu>
-Portions created by the Initial Developer are Copyright (C) 1998, 2000
-the Initial Developer. All Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
-
-$Id$
-
-
diff --git a/security/nss/lib/freebl/mpi/doc/timing.txt b/security/nss/lib/freebl/mpi/doc/timing.txt
deleted file mode 100644
index 4c77da79f..000000000
--- a/security/nss/lib/freebl/mpi/doc/timing.txt
+++ /dev/null
@@ -1,250 +0,0 @@
-MPI Library Timing Tests
-
-Hardware/OS
-(A) SGI O2 1 x MIPS R10000 250MHz IRIX 6.5.3
-(B) IBM RS/6000 43P-240 1 x PowerPC 603e 223MHz AIX 4.3
-(C) Dell GX1/L+ 1 x Pentium III 550MHz Linux 2.2.12-20
-(D) PowerBook G3 1 x PowerPC 750 266MHz LinuxPPC 2.2.6-15apmac
-(E) PowerBook G3 1 x PowerPC 750 266MHz MacOS 8.5.1
-(F) PowerBook G3 1 x PowerPC 750 400MHz MacOS 9.0.2
-
-Compiler
-(1) MIPSpro C 7.2.1 -O3 optimizations
-(2) GCC 2.95.1 -O3 optimizations
-(3) IBM AIX xlc -O3 optimizations (version unknown)
-(4) EGCS 2.91.66 -O3 optimizations
-(5) Metrowerks CodeWarrior 5.0 C, all optimizations
-(6) MIPSpro C 7.30 -O3 optimizations
-(7) same as (6), with optimized libmalloc.so
-
-Timings are given in seconds, computed using the C library's clock()
-function.  The first column gives the hardware and compiler
-configuration used for the test. The second column indicates the
-number of tests that were aggregated to get the statistics for that
-size.  These were compiled using 16 bit digits.
-
-Source data were generated randomly using a fixed seed, so they should
-be internally consistent, but may vary on different systems depending
-on the C library.  Also, since the resolution of the timer accessed by
-clock() varies, there may be some variance in the precision of these
-measurements.
-
-Prime Generation (primegen)
-
-128 bits:
-A1      200     min=0.03, avg=0.19, max=0.72, sum=38.46
-A2      200     min=0.02, avg=0.16, max=0.62, sum=32.55
-B3      200     min=0.01, avg=0.07, max=0.22, sum=13.29
-C4      200     min=0.00, avg=0.03, max=0.20, sum=6.14
-D4      200     min=0.00, avg=0.05, max=0.33, sum=9.70
-A6      200     min=0.01, avg=0.09, max=0.36, sum=17.48
-A7      200     min=0.00, avg=0.05, max=0.24, sum=10.07
-
-192 bits:
-A1      200     min=0.05, avg=0.45, max=3.13, sum=89.96
-A2      200     min=0.04, avg=0.39, max=2.61, sum=77.55
-B3      200     min=0.02, avg=0.18, max=1.25, sum=36.97
-C4      200     min=0.01, avg=0.09, max=0.33, sum=18.24
-D4      200     min=0.02, avg=0.15, max=0.54, sum=29.63
-A6      200     min=0.02, avg=0.24, max=1.70, sum=47.84
-A7      200     min=0.01, avg=0.15, max=1.05, sum=30.88
-
-256 bits:
-A1      200     min=0.08, avg=0.92, max=6.13, sum=184.79
-A2      200     min=0.06, avg=0.76, max=5.03, sum=151.11
-B3      200     min=0.04, avg=0.41, max=2.68, sum=82.35
-C4      200     min=0.02, avg=0.19, max=0.69, sum=37.91
-D4      200     min=0.03, avg=0.31, max=1.15, sum=63.00
-A6      200     min=0.04, avg=0.48, max=3.13, sum=95.46
-A7      200     min=0.03, avg=0.37, max=2.36, sum=73.60
-
-320 bits:
-A1      200     min=0.11, avg=1.59, max=6.14, sum=318.81
-A2      200     min=0.09, avg=1.27, max=4.93, sum=254.03
-B3      200     min=0.07, avg=0.82, max=3.13, sum=163.80
-C4      200     min=0.04, avg=0.44, max=1.91, sum=87.59
-D4      200     min=0.06, avg=0.73, max=3.22, sum=146.73
-A6      200     min=0.07, avg=0.93, max=3.50, sum=185.01
-A7      200     min=0.05, avg=0.76, max=2.94, sum=151.78
-
-384 bits:
-A1      200     min=0.16, avg=2.69, max=11.41, sum=537.89
-A2      200     min=0.13, avg=2.15, max=9.03, sum=429.14
-B3      200     min=0.11, avg=1.54, max=6.49, sum=307.78
-C4      200     min=0.06, avg=0.81, max=4.84, sum=161.13
-D4      200     min=0.10, avg=1.38, max=8.31, sum=276.81
-A6      200     min=0.11, avg=1.73, max=7.36, sum=345.55
-A7      200     min=0.09, avg=1.46, max=6.12, sum=292.02
-
-448 bits:
-A1      200     min=0.23, avg=3.36, max=15.92, sum=672.63
-A2      200     min=0.17, avg=2.61, max=12.25, sum=522.86
-B3      200     min=0.16, avg=2.10, max=9.83, sum=420.86
-C4      200     min=0.09, avg=1.44, max=7.64, sum=288.36
-D4      200     min=0.16, avg=2.50, max=13.29, sum=500.17
-A6      200     min=0.15, avg=2.31, max=10.81, sum=461.58
-A7      200     min=0.14, avg=2.03, max=9.53, sum=405.16
-
-512 bits:
-A1      200     min=0.30, avg=6.12, max=22.18, sum=1223.35
-A2      200     min=0.25, avg=4.67, max=16.90, sum=933.18
-B3      200     min=0.23, avg=4.13, max=14.94, sum=825.45
-C4      200     min=0.13, avg=2.08, max=9.75, sum=415.22
-D4      200     min=0.24, avg=4.04, max=20.18, sum=808.11
-A6      200     min=0.22, avg=4.47, max=16.19, sum=893.83
-A7      200     min=0.20, avg=4.03, max=14.65, sum=806.02
-
-Modular Exponentation (metime)
-
-The following results are aggregated from 200 pseudo-randomly
-generated tests, based on a fixed seed. 
-
-                      base, exponent, and modulus size (bits)
-P/C       128   192   256   320   384   448   512   640   768   896  1024
-------- -----------------------------------------------------------------
-A1      0.015 0.027 0.047 0.069 0.098 0.133 0.176 0.294 0.458 0.680 1.040
-A2      0.013 0.024 0.037 0.053 0.077 0.102 0.133 0.214 0.326 0.476 0.668
-B3      0.005 0.011 0.021 0.036 0.056 0.084 0.121 0.222 0.370 0.573 0.840
-C4      0.002 0.006 0.011 0.020 0.032 0.048 0.069 0.129 0.223 0.344 0.507
-D4      0.004 0.010 0.019 0.034 0.056 0.085 0.123 0.232 0.390 0.609 0.899
-E5      0.007 0.015 0.031 0.055 0.088 0.133 0.183 0.342 0.574 0.893 1.317
-A6      0.008 0.016 0.038 0.042 0.064 0.093 0.133 0.239 0.393 0.604 0.880
-A7      0.005 0.011 0.020 0.036 0.056 0.083 0.121 0.223 0.374 0.583 0.855
-
-Multiplication and Squaring tests, (mulsqr)
-
-The following results are aggregated from 500000 pseudo-randomly
-generated tests, based on a per-run wall-clock seed.  Times are given
-in seconds, except where indicated in microseconds (us).
-
-(A1)
-
-bits    multiply    square  ad  percent time/mult   time/square
-64      9.33        9.15    >   1.9     18.7us      18.3us
-128     10.88       10.44   >   4.0     21.8us      20.9us
-192     13.30       11.89   >   10.6    26.7us      23.8us
-256     14.88       12.64   >   15.1    29.8us      25.3us
-320     18.64       15.01   >   19.5    37.3us      30.0us
-384     23.11       17.70   >   23.4    46.2us      35.4us
-448     28.28       20.88   >   26.2    56.6us      41.8us
-512     34.09       24.51   >   28.1    68.2us      49.0us
-640     47.86       33.25   >   30.5    95.7us      66.5us
-768     64.91       43.54   >   32.9    129.8us     87.1us
-896     84.49       55.48   >   34.3    169.0us     111.0us
-1024    107.25      69.21   >   35.5    214.5us     138.4us
-1536    227.97      141.91  >   37.8    456.0us     283.8us
-2048    394.05      242.15  >   38.5    788.1us     484.3us
-
-(A2)
-
-bits    multiply    square  ad  percent time/mult   time/square
-64      7.87        7.95    <   1.0     15.7us      15.9us
-128     9.40        9.19    >   2.2     18.8us      18.4us
-192     11.15       10.59   >   5.0     22.3us      21.2us
-256     12.02       11.16   >   7.2     24.0us      22.3us
-320     14.62       13.43   >   8.1     29.2us      26.9us
-384     17.72       15.80   >   10.8    35.4us      31.6us
-448     21.24       18.51   >   12.9    42.5us      37.0us
-512     25.36       21.78   >   14.1    50.7us      43.6us
-640     34.57       29.00   >   16.1    69.1us      58.0us
-768     46.10       37.60   >   18.4    92.2us      75.2us
-896     58.94       47.72   >   19.0    117.9us     95.4us
-1024    73.76       59.12   >   19.8    147.5us     118.2us
-1536    152.00      118.80  >   21.8    304.0us     237.6us
-2048    259.41      199.57  >   23.1    518.8us     399.1us
-
-(B3)
-
-bits    multiply    square  ad  percent time/mult   time/square
-64      2.60        2.47    >   5.0     5.20us      4.94us
-128     4.43        4.06    >   8.4     8.86us      8.12us
-192     7.03        6.10    >   13.2    14.1us      12.2us
-256     10.44       8.59    >   17.7    20.9us      17.2us
-320     14.44       11.64   >   19.4    28.9us      23.3us
-384     19.12       15.08   >   21.1    38.2us      30.2us
-448     24.55       19.09   >   22.2    49.1us      38.2us
-512     31.03       23.53   >   24.2    62.1us      47.1us
-640     45.05       33.80   >   25.0    90.1us      67.6us
-768     63.02       46.05   >   26.9    126.0us     92.1us
-896     83.74       60.29   >   28.0    167.5us     120.6us
-1024    106.73      76.65   >   28.2    213.5us     153.3us
-1536    228.94      160.98  >   29.7    457.9us     322.0us
-2048    398.08      275.93  >   30.7    796.2us     551.9us
-
-(C4)
-
-bits    multiply    square  ad  percent time/mult   time/square
-64      1.34        1.28    >   4.5     2.68us      2.56us
-128     2.76        2.59    >   6.2     5.52us      5.18us
-192     4.52        4.16    >   8.0     9.04us      8.32us
-256     6.64        5.99    >   9.8     13.3us      12.0us
-320     9.20        8.13    >   11.6    18.4us      16.3us
-384     12.01       10.58   >   11.9    24.0us      21.2us
-448     15.24       13.33   >   12.5    30.5us      26.7us
-512     19.02       16.46   >   13.5    38.0us      32.9us
-640     27.56       23.54   >   14.6    55.1us      47.1us
-768     37.89       31.78   >   16.1    75.8us      63.6us
-896     49.24       41.42   >   15.9    98.5us      82.8us
-1024    62.59       52.18   >   16.6    125.2us     104.3us
-1536    131.66      107.72  >   18.2    263.3us     215.4us
-2048    226.45      182.95  >   19.2    453.0us     365.9us
-
-(A7)
-
-bits    multiply    square  ad  percent time/mult   time/square
-64      1.74        1.71    >   1.7     3.48us      3.42us
-128     3.48        2.96    >   14.9    6.96us      5.92us
-192     5.74        4.60    >   19.9    11.5us      9.20us
-256     8.75        6.61    >   24.5    17.5us      13.2us
-320     12.5        8.99    >   28.1    25.0us      18.0us
-384     16.9        11.9    >   29.6    33.8us      23.8us
-448     22.2        15.2    >   31.7    44.4us      30.4us
-512     28.3        19.0    >   32.7    56.6us      38.0us
-640     42.4        28.0    >   34.0    84.8us      56.0us
-768     59.4        38.5    >   35.2    118.8us     77.0us
-896     79.5        51.2    >   35.6    159.0us     102.4us
-1024    102.6	    65.5    >	36.2	205.2us	    131.0us
-1536    224.3	    140.6   >	37.3	448.6us	    281.2us
-2048    393.4	    244.3   >	37.9	786.8us	    488.6us
-
-------------------------------------------------------------------
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this file are subject to the Mozilla Public License Version 
-1.1 (the "License"); you may not use this file except in compliance with 
-the License. You may obtain a copy of the License at 
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the MPI Arbitrary Precision Integer Arithmetic
-library.
-
-The Initial Developer of the Original Code is
-Michael J. Fromberger <sting@linguist.dartmouth.edu>
-Portions created by the Initial Developer are Copyright (C) 1998, 2000
-the Initial Developer. All Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
-
-$Id$
-
-
diff --git a/security/nss/lib/freebl/mpi/hpma512.s b/security/nss/lib/freebl/mpi/hpma512.s
deleted file mode 100644
index f8241ac3e..000000000
--- a/security/nss/lib/freebl/mpi/hpma512.s
+++ /dev/null
@@ -1,640 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- * 
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- * 
- * The Original Code is multacc512 multiple-precision integer arithmetic.
- * 
- * The Initial Developer of the Original Code is Hewlett-Packard Company.
- * Portions created by Hewlett-Packard Company are 
- * Copyright (C) March 1999, Hewlett-Packard Company. All Rights Reserved.
- * 
- * Contributor(s):
- *  coded by:   Bill Worley, Hewlett-Packard labs
- * 
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable 
- * instead of those above.  If you wish to allow use of your 
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL.  If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- *  This PA-RISC 2.0 function computes the product of two unsigned integers,
- *  and adds the result to a previously computed integer.  The multiplicand
- *  is a 512-bit (64-byte, eight doubleword) unsigned integer, stored in
- *  memory in little-double-wordian order.  The multiplier is an unsigned
- *  64-bit integer.  The previously computed integer to which the product is
- *  added is located in the result ("res") area, and is assumed to be a
- *  576-bit (72-byte, nine doubleword) unsigned integer, stored in memory
- *  in little-double-wordian order.  This value normally will be the result
- *  of a previously computed nine doubleword result.  It is not necessary
- *  to pad the multiplicand with an additional 64-bit zero doubleword.
- *
- *  Multiplicand, multiplier, and addend ideally should be aligned at
- *  16-byte boundaries for best performance.  The code will function
- *  correctly for alignment at eight-byte boundaries which are not 16-byte
- *  boundaries, but the execution may be slightly slower due to even/odd
- *  bank conflicts on PA-RISC 8000 processors.
- *
- *  This function is designed to accept the same calling sequence as Bill
- *  Ackerman's "maxpy_little" function.  The carry from the ninth doubleword
- *  of the result is written to the tenth word of the result, as is done by
- *  Bill Ackerman's function.  The final carry also is returned as an
- *  integer, which may be ignored.  The function prototype may be either
- *  of the following:
- *
- *      void multacc512( int l, chunk* m, const chunk* a, chunk* res );
- *          or
- *      int multacc512( int l, chunk* m, const chunk* a, chunk* res );
- *
- *  where:  "l" originally denoted vector lengths.  This parameter is
- *      ignored.  This function always assumes a multiplicand length of
- *      512 bits (eight doublewords), and addend and result lengths of
- *      576 bits (nine doublewords).
- *
- *      "m" is a pointer to the doubleword multiplier, ideally aligned
- *      on a 16-byte boundary.
- *
- *      "a" is a pointer to the eight-doubleword multiplicand, stored
- *      in little-double-wordian order, and ideally aligned on a 16-byte
- *      boundary.
- *
- *      "res" is a pointer to the nine doubleword addend, and to the
- *      nine-doubleword product computed by this function.  The result
- *      also is stored in little-double-wordian order, and ideally is
- *      aligned on a 16-byte boundary. It is expected that the alignment
- *      of the "res" area may alternate between even/odd doubleword
- *      boundaries for successive calls for 512-bit x 512-bit
- *      multiplications.
- *
- *  The code for this function has been scheduled to use the parallelism
- *  of the PA-RISC 8000 series microprocessors as well as the author was
- *  able.  Comments and/or suggestions for improvement are welcomed.
- *
- *  The code is "64-bit safe".  This means it may be called in either
- *  the 32ILP context or the 64LP context.  All 64-bits of registers are
- *  saved and restored.
- *
- *  This code is self-contained.  It requires no other header files in order
- *  to compile and to be linkable on a PA-RISC 2.0 machine.  Symbolic
- *  definitions for registers and stack offsets are included within this
- *  one source file.
- *
- *  This is a leaf routine.  As such, minimal use is made of the stack area.
- *  Of the 192 bytes allocated, 64 bytes are used for saving/restoring eight
- *  general registers, and 128 bytes are used to move intermediate products
- *  from the floating-point registers to the general registers.  Stack
- *  protocols assure proper alignment of these areas.
- *
- */
-
-
-/*  ====================================================================*/
-/*      symbolic definitions for PA-RISC registers      */
-/*      in the MIPS style, avoids lots of case shifts       */
-/*      assigments (except t4) preserve register number parity  */
-/*  ====================================================================*/
-
-#define zero    %r0         /* permanent zero */
-#define t5      %r1         /* temp register, altered by addil */
-
-#define rp      %r2         /* return pointer */
-
-#define s1      %r3         /* callee saves register*/
-#define s0      %r4         /* callee saves register*/
-#define s3      %r5         /* callee saves register*/
-#define s2      %r6         /* callee saves register*/
-#define s5      %r7         /* callee saves register*/
-#define s4      %r8         /* callee saves register*/
-#define s7      %r9         /* callee saves register*/
-#define s6      %r10        /* callee saves register*/
-
-#define t1      %r19        /* caller saves register*/
-#define t0      %r20        /* caller saves register*/
-#define t3      %r21        /* caller saves register*/
-#define t2      %r22        /* caller saves register*/
-
-#define a3      %r23        /* fourth argument register, high word */
-#define a2      %r24        /* third argument register, low word*/
-#define a1      %r25        /* second argument register, high word*/
-#define a0      %r26        /* first argument register, low word*/
-
-#define v0      %r28        /* high order return value*/
-#define v1      %r29        /* low order return value*/
-
-#define sp      %r30        /* stack pointer*/
-#define t4      %r31        /* temporary register   */
-
-#define fa0     %fr4        /* first argument register*/
-#define fa1     %fr5        /* second argument register*/
-#define fa2     %fr6        /* third argument register*/
-#define fa3     %fr7        /* fourth argument register*/
-
-#define fa0r    %fr4R       /* first argument register*/
-#define fa1r    %fr5R       /* second argument register*/
-#define fa2r    %fr6R       /* third argument register*/
-#define fa3r    %fr7R       /* fourth argument register*/
-
-#define ft0     %fr8        /* caller saves register*/
-#define ft1     %fr9        /* caller saves register*/
-#define ft2     %fr10       /* caller saves register*/
-#define ft3     %fr11       /* caller saves register*/
-
-#define ft0r    %fr8R       /* caller saves register*/
-#define ft1r    %fr9R       /* caller saves register*/
-#define ft2r    %fr10R      /* caller saves register*/
-#define ft3r    %fr11R      /* caller saves register*/
-
-#define ft4     %fr22       /* caller saves register*/
-#define ft5     %fr23       /* caller saves register*/
-#define ft6     %fr24       /* caller saves register*/
-#define ft7     %fr25       /* caller saves register*/
-#define ft8     %fr26       /* caller saves register*/
-#define ft9     %fr27       /* caller saves register*/
-#define ft10    %fr28       /* caller saves register*/
-#define ft11    %fr29       /* caller saves register*/
-#define ft12    %fr30       /* caller saves register*/
-#define ft13    %fr31       /* caller saves register*/
-
-#define ft4r    %fr22R      /* caller saves register*/
-#define ft5r    %fr23R      /* caller saves register*/
-#define ft6r    %fr24R      /* caller saves register*/
-#define ft7r    %fr25R      /* caller saves register*/
-#define ft8r    %fr26R      /* caller saves register*/
-#define ft9r    %fr27R      /* caller saves register*/
-#define ft10r   %fr28R      /* caller saves register*/
-#define ft11r   %fr29R      /* caller saves register*/
-#define ft12r   %fr30R      /* caller saves register*/
-#define ft13r   %fr31R      /* caller saves register*/
-
-
-
-/*  ================================================================== */
-/*      functional definitions for PA-RISC registers           */
-/*  ================================================================== */
-
-/*              general registers           */
-
-#define T1      a0          /* temp, (length parameter ignored)             */
-
-#define pM      a1          /* -> 64-bit multiplier                         */
-#define T2      a1          /* temp, (after fetching multiplier)            */
-
-#define pA      a2          /* -> multiplicand vector (8 64-bit words)      */
-#define T3      a2          /* temp, (after fetching multiplicand)          */
-
-#define pR      a3          /* -> addend vector (8 64-bit doublewords,
-                                  result vector (9 64-bit words)            */
-
-#define S0      s0          /* callee saves summand registers               */
-#define S1      s1
-#define S2      s2
-#define S3      s3
-#define S4      s4
-#define S5      s5
-#define S6      s6
-#define S7      s7
-
-#define S8      v0          /* caller saves summand registers               */
-#define S9      v1
-#define S10     t0
-#define S11     t1
-#define S12     t2
-#define S13     t3
-#define S14     t4
-#define S15     t5
-
-
-
-/*              floating-point registers                                    */
-
-#define M       fa0         /* multiplier double word                       */
-#define MR      fa0r        /* low order half of multiplier double word     */
-#define ML      fa0         /* high order half of multiplier double word    */
-
-#define A0      fa2         /* multiplicand double word 0                   */
-#define A0R     fa2r        /* low order half of multiplicand double word   */
-#define A0L     fa2         /* high order half of multiplicand double word  */
-
-#define A1      fa3         /* multiplicand double word 1                   */
-#define A1R     fa3r        /* low order half of multiplicand double word   */
-#define A1L     fa3         /* high order half of multiplicand double word  */
-
-#define A2      ft0         /* multiplicand double word 2                   */
-#define A2R     ft0r        /* low order half of multiplicand double word   */
-#define A2L     ft0         /* high order half of multiplicand double word  */
-
-#define A3      ft1         /* multiplicand double word 3                   */
-#define A3R     ft1r        /* low order half of multiplicand double word   */
-#define A3L     ft1         /* high order half of multiplicand double word  */
-
-#define A4      ft2         /* multiplicand double word 4                   */
-#define A4R     ft2r        /* low order half of multiplicand double word   */
-#define A4L     ft2         /* high order half of multiplicand double word  */
-
-#define A5      ft3         /* multiplicand double word 5                   */
-#define A5R     ft3r        /* low order half of multiplicand double word   */
-#define A5L     ft3         /* high order half of multiplicand double word  */
-
-#define A6      ft4         /* multiplicand double word 6                   */
-#define A6R     ft4r        /* low order half of multiplicand double word   */
-#define A6L     ft4         /* high order half of multiplicand double word  */
-
-#define A7      ft5         /* multiplicand double word 7                   */
-#define A7R     ft5r        /* low order half of multiplicand double word   */
-#define A7L     ft5         /* high order half of multiplicand double word  */
-
-#define P0      ft6         /* product word 0                               */
-#define P1      ft7         /* product word 0                               */
-#define P2      ft8         /* product word 0                               */
-#define P3      ft9         /* product word 0                               */
-#define P4      ft10        /* product word 0                               */
-#define P5      ft11        /* product word 0                               */
-#define P6      ft12        /* product word 0                               */
-#define P7      ft13        /* product word 0                               */
-
-
-
-
-/*  ======================================================================  */
-/*      symbolic definitions for HP-UX stack offsets                        */
-/*      symbolic definitions for memory NOPs                                */
-/*  ======================================================================  */
-
-#define ST_SZ       192         /* stack area total size                    */
-
-#define SV0         -192(sp)    /* general register save area               */
-#define SV1         -184(sp)
-#define SV2         -176(sp)
-#define SV3         -168(sp)
-#define SV4         -160(sp)
-#define SV5         -152(sp)
-#define SV6         -144(sp)
-#define SV7         -136(sp)
-
-#define XF0         -128(sp)    /* data transfer area                       */
-#define XF1         -120(sp)    /* for floating-pt to integer regs          */
-#define XF2         -112(sp)
-#define XF3         -104(sp)
-#define XF4         -96(sp)
-#define XF5         -88(sp)
-#define XF6         -80(sp)
-#define XF7         -72(sp)
-#define XF8         -64(sp)
-#define XF9         -56(sp)
-#define XF10        -48(sp)
-#define XF11        -40(sp)
-#define XF12        -32(sp)
-#define XF13        -24(sp)
-#define XF14        -16(sp)
-#define XF15        -8(sp)
-
-#define mnop    proberi (sp),3,zero     /* memory NOP                       */
-
-
-
-
-/*  ======================================================================  */
-/*      assembler formalities                                               */
-/*  ======================================================================  */
-
-#ifdef __LP64__
-                .level  2.0W
-#else
-                .level  2.0
-#endif
-                .space    $TEXT$
-                .subspa   $CODE$
-                .align    16
-
-/*  ======================================================================  */
-/*      here to compute 64-bit x 512-bit product + 512-bit addend           */
-/*  ======================================================================  */
-
-multacc512
-        .PROC
-        .CALLINFO
-        .ENTER
-    fldd    0(pM),M                 ; multiplier double word
-    ldo     ST_SZ(sp),sp            ; push stack
-
-    fldd    0(pA),A0                ; multiplicand double word 0
-    std     S1,SV1                  ; save s1
-
-    fldd    16(pA),A2               ; multiplicand double word 2
-    std     S3,SV3                  ; save s3
-
-    fldd    32(pA),A4               ; multiplicand double word 4
-    std     S5,SV5                  ; save s5
-
-    fldd    48(pA),A6               ; multiplicand double word 6
-    std     S7,SV7                  ; save s7
-
-
-    std     S0,SV0                  ; save s0
-    fldd    8(pA),A1                ; multiplicand double word 1
-    xmpyu   MR,A0L,P0               ; A0 cross 32-bit word products
-    xmpyu   ML,A0R,P2
-
-    std     S2,SV2                  ; save s2
-    fldd    24(pA),A3               ; multiplicand double word 3
-    xmpyu   MR,A2L,P4               ; A2 cross 32-bit word products
-    xmpyu   ML,A2R,P6
-
-    std     S4,SV4                  ; save s4
-    fldd    40(pA),A5               ; multiplicand double word 5
-
-    std     S6,SV6                  ; save s6
-    fldd    56(pA),A7               ; multiplicand double word 7
-
-
-    fstd    P0,XF0                  ; MR * A0L
-    xmpyu   MR,A0R,P0               ; A0 right 32-bit word product
-    xmpyu   MR,A1L,P1               ; A1 cross 32-bit word product
-
-    fstd    P2,XF2                  ; ML * A0R
-    xmpyu   ML,A0L,P2               ; A0 left 32-bit word product
-    xmpyu   ML,A1R,P3               ; A1 cross 32-bit word product
-
-    fstd    P4,XF4                  ; MR * A2L
-    xmpyu   MR,A2R,P4               ; A2 right 32-bit word product
-    xmpyu   MR,A3L,P5               ; A3 cross 32-bit word product
-
-    fstd    P6,XF6                  ; ML * A2R
-    xmpyu   ML,A2L,P6               ; A2 parallel 32-bit word product
-    xmpyu   ML,A3R,P7               ; A3 cross 32-bit word product
-
-
-    ldd     XF0,S0                  ; MR * A0L
-    fstd    P1,XF1                  ; MR * A1L
-
-    ldd     XF2,S2                  ; ML * A0R
-    fstd    P3,XF3                  ; ML * A1R
-
-    ldd     XF4,S4                  ; MR * A2L
-    fstd    P5,XF5                  ; MR * A3L
-    xmpyu   MR,A1R,P1               ; A1 parallel 32-bit word products
-    xmpyu   ML,A1L,P3
-
-    ldd     XF6,S6                  ; ML * A2R
-    fstd    P7,XF7                  ; ML * A3R
-    xmpyu   MR,A3R,P5               ; A3 parallel 32-bit word products
-    xmpyu   ML,A3L,P7
-
-
-    fstd    P0,XF0                  ; MR * A0R
-    ldd     XF1,S1                  ; MR * A1L
-    nop
-    add     S0,S2,T1                ; A0 cross product sum
-
-    fstd    P2,XF2                  ; ML * A0L
-    ldd     XF3,S3                  ; ML * A1R
-    add,dc  zero,zero,S0            ; A0 cross product sum carry
-    depd,z  T1,31,32,S2             ; A0 cross product sum << 32
-
-    fstd    P4,XF4                  ; MR * A2R
-    ldd     XF5,S5                  ; MR * A3L
-    shrpd   S0,T1,32,S0             ; A0 carry | cross product sum >> 32
-    add     S4,S6,T3                ; A2 cross product sum
-
-    fstd    P6,XF6                  ; ML * A2L
-    ldd     XF7,S7                  ; ML * A3R
-    add,dc  zero,zero,S4            ; A2 cross product sum carry
-    depd,z  T3,31,32,S6             ; A2 cross product sum << 32
-
-
-    ldd     XF0,S8                  ; MR * A0R
-    fstd    P1,XF1                  ; MR * A1R
-    xmpyu   MR,A4L,P0               ; A4 cross 32-bit word product
-    xmpyu   MR,A5L,P1               ; A5 cross 32-bit word product
-
-    ldd     XF2,S10                 ; ML * A0L
-    fstd    P3,XF3                  ; ML * A1L
-    xmpyu   ML,A4R,P2               ; A4 cross 32-bit word product
-    xmpyu   ML,A5R,P3               ; A5 cross 32-bit word product
-
-    ldd     XF4,S12                 ; MR * A2R
-    fstd    P5,XF5                  ; MR * A3L
-    xmpyu   MR,A6L,P4               ; A6 cross 32-bit word product
-    xmpyu   MR,A7L,P5               ; A7 cross 32-bit word product
-
-    ldd     XF6,S14                 ; ML * A2L
-    fstd    P7,XF7                  ; ML * A3L
-    xmpyu   ML,A6R,P6               ; A6 cross 32-bit word product
-    xmpyu   ML,A7R,P7               ; A7 cross 32-bit word product
-
-
-    fstd    P0,XF0                  ; MR * A4L
-    ldd     XF1,S9                  ; MR * A1R
-    shrpd   S4,T3,32,S4             ; A2 carry | cross product sum >> 32
-    add     S1,S3,T1                ; A1 cross product sum
-
-    fstd    P2,XF2                  ; ML * A4R
-    ldd     XF3,S11                 ; ML * A1L
-    add,dc  zero,zero,S1            ; A1 cross product sum carry
-    depd,z  T1,31,32,S3             ; A1 cross product sum << 32
-
-    fstd    P4,XF4                  ; MR * A6L
-    ldd     XF5,S13                 ; MR * A3R
-    shrpd   S1,T1,32,S1             ; A1 carry | cross product sum >> 32
-    add     S5,S7,T3                ; A3 cross product sum
-
-    fstd    P6,XF6                  ; ML * A6R
-    ldd     XF7,S15                 ; ML * A3L
-    add,dc  zero,zero,S5            ; A3 cross product sum carry
-    depd,z  T3,31,32,S7             ; A3 cross product sum << 32
-
-
-    shrpd   S5,T3,32,S5             ; A3 carry | cross product sum >> 32
-    add     S2,S8,S8                ; M * A0 right doubleword, P0 doubleword
-
-    add,dc  S0,S10,S10              ; M * A0 left doubleword
-    add     S3,S9,S9                ; M * A1 right doubleword
-
-    add,dc  S1,S11,S11              ; M * A1 left doubleword
-    add     S6,S12,S12              ; M * A2 right doubleword
-
-
-    ldd     24(pR),S3               ; Addend word 3
-    fstd    P1,XF1                  ; MR * A5L
-    add,dc  S4,S14,S14              ; M * A2 left doubleword
-    xmpyu   MR,A5R,P1               ; A5 right 32-bit word product
-
-    ldd     8(pR),S1                ; Addend word 1
-    fstd    P3,XF3                  ; ML * A5R
-    add     S7,S13,S13              ; M * A3 right doubleword
-    xmpyu   ML,A5L,P3               ; A5 left 32-bit word product
-
-    ldd     0(pR),S7                ; Addend word 0
-    fstd    P5,XF5                  ; MR * A7L
-    add,dc  S5,S15,S15              ; M * A3 left doubleword
-    xmpyu   MR,A7R,P5               ; A7 right 32-bit word product
-
-    ldd     16(pR),S5               ; Addend word 2
-    fstd    P7,XF7                  ; ML * A7R
-    add     S10,S9,S9               ; P1 doubleword
-    xmpyu   ML,A7L,P7               ; A7 left 32-bit word products
-
-
-    ldd     XF0,S0                  ; MR * A4L
-    fstd    P1,XF9                  ; MR * A5R
-    add,dc  S11,S12,S12             ; P2 doubleword
-    xmpyu   MR,A4R,P0               ; A4 right 32-bit word product
-
-    ldd     XF2,S2                  ; ML * A4R
-    fstd    P3,XF11                 ; ML * A5L
-    add,dc  S14,S13,S13             ; P3 doubleword
-    xmpyu   ML,A4L,P2               ; A4 left 32-bit word product
-
-    ldd     XF6,S6                  ; ML * A6R
-    fstd    P5,XF13                 ; MR * A7R
-    add,dc  zero,S15,T2             ; P4 partial doubleword
-    xmpyu   MR,A6R,P4               ; A6 right 32-bit word product
-
-    ldd     XF4,S4                  ; MR * A6L
-    fstd    P7,XF15                 ; ML * A7L
-    add     S7,S8,S8                ; R0 + P0, new R0 doubleword
-    xmpyu   ML,A6L,P6               ; A6 left 32-bit word product
-
-
-    fstd    P0,XF0                  ; MR * A4R
-    ldd     XF7,S7                  ; ML * A7R
-    add,dc  S1,S9,S9                ; c + R1 + P1, new R1 doubleword
-
-    fstd    P2,XF2                  ; ML * A4L
-    ldd     XF1,S1                  ; MR * A5L
-    add,dc  S5,S12,S12              ; c + R2 + P2, new R2 doubleword
-
-    fstd    P4,XF4                  ; MR * A6R
-    ldd     XF5,S5                  ; MR * A7L
-    add,dc  S3,S13,S13              ; c + R3 + P3, new R3 doubleword
-
-    fstd    P6,XF6                  ; ML * A6L
-    ldd     XF3,S3                  ; ML * A5R
-    add,dc  zero,T2,T2              ; c + partial P4
-    add     S0,S2,T1                ; A4 cross product sum
-
-
-    std     S8,0(pR)                ; save R0
-    add,dc  zero,zero,S0            ; A4 cross product sum carry
-    depd,z  T1,31,32,S2             ; A4 cross product sum << 32
-
-    std     S9,8(pR)                ; save R1
-    shrpd   S0,T1,32,S0             ; A4 carry | cross product sum >> 32
-    add     S4,S6,T3                ; A6 cross product sum
-
-    std     S12,16(pR)              ; save R2
-    add,dc  zero,zero,S4            ; A6 cross product sum carry
-    depd,z  T3,31,32,S6             ; A6 cross product sum << 32
-
-
-    std     S13,24(pR)              ; save R3
-    shrpd   S4,T3,32,S4             ; A6 carry | cross product sum >> 32
-    add     S1,S3,T1                ; A5 cross product sum
-
-    ldd     XF0,S8                  ; MR * A4R
-    add,dc  zero,zero,S1            ; A5 cross product sum carry
-    depd,z  T1,31,32,S3             ; A5 cross product sum << 32
-
-    ldd     XF2,S10                 ; ML * A4L
-    ldd     XF9,S9                  ; MR * A5R
-    shrpd   S1,T1,32,S1             ; A5 carry | cross product sum >> 32
-    add     S5,S7,T3                ; A7 cross product sum
-
-    ldd     XF4,S12                 ; MR * A6R
-    ldd     XF11,S11                ; ML * A5L
-    add,dc  zero,zero,S5            ; A7 cross product sum carry
-    depd,z  T3,31,32,S7             ; A7 cross product sum << 32
-
-    ldd     XF6,S14                 ; ML * A6L
-    ldd     XF13,S13                ; MR * A7R
-    shrpd   S5,T3,32,S5             ; A7 carry | cross product sum >> 32
-    add     S2,S8,S8                ; M * A4 right doubleword
-
-
-    ldd     XF15,S15                ; ML * A7L
-    add,dc  S0,S10,S10              ; M * A4 left doubleword
-    add     S3,S9,S9                ; M * A5 right doubleword
-
-    add,dc  S1,S11,S11              ; M * A5 left doubleword
-    add     S6,S12,S12              ; M * A6 right doubleword
-
-    ldd     32(pR),S0               ; Addend word 4
-    ldd     40(pR),S1               ; Addend word 5
-    add,dc  S4,S14,S14              ; M * A6 left doubleword
-    add     S7,S13,S13              ; M * A7 right doubleword
-
-    ldd     48(pR),S2               ; Addend word 6
-    ldd     56(pR),S3               ; Addend word 7
-    add,dc  S5,S15,S15              ; M * A7 left doubleword
-    add     S8,T2,S8                ; P4 doubleword
-
-    ldd     64(pR),S4               ; Addend word 8
-    ldd     SV5,s5                  ; restore s5
-    add,dc  S10,S9,S9               ; P5 doubleword
-    add,dc  S11,S12,S12             ; P6 doubleword
-
-
-    ldd     SV6,s6                  ; restore s6
-    ldd     SV7,s7                  ; restore s7
-    add,dc  S14,S13,S13             ; P7 doubleword
-    add,dc  zero,S15,S15            ; P8 doubleword
-
-    add     S0,S8,S8                ; new R4 doubleword
-
-    ldd     SV0,s0                  ; restore s0
-    std     S8,32(pR)               ; save R4
-    add,dc  S1,S9,S9                ; new R5 doubleword
-
-    ldd     SV1,s1                  ; restore s1
-    std     S9,40(pR)               ; save R5
-    add,dc  S2,S12,S12              ; new R6 doubleword
-
-    ldd     SV2,s2                  ; restore s2
-    std     S12,48(pR)              ; save R6
-    add,dc  S3,S13,S13              ; new R7 doubleword
-
-    ldd     SV3,s3                  ; restore s3
-    std     S13,56(pR)              ; save R7
-    add,dc  S4,S15,S15              ; new R8 doubleword
-
-    ldd     SV4,s4                  ; restore s4
-    std     S15,64(pR)              ; save result[8]
-    add,dc  zero,zero,v0            ; return carry from R8
-
-    CMPIB,*= 0,v0,$L0               ; if no overflow, exit
-    LDO     8(pR),pR
-
-$FINAL1                             ; Final carry propagation
-    LDD     64(pR),v0
-    LDO     8(pR),pR
-    ADDI    1,v0,v0
-    CMPIB,*= 0,v0,$FINAL1           ; Keep looping if there is a carry.
-    STD     v0,56(pR)
-$L0
-    bv      zero(rp)                ; -> caller
-    ldo     -ST_SZ(sp),sp           ; pop stack
-
-/*  ======================================================================  */
-/*      end of module                                                       */
-/*  ======================================================================  */
-
-                .LEAVE
-
-                .PROCEND
-                .SPACE         $TEXT$
-                .SUBSPA        $CODE$
-                .EXPORT        multacc512,ENTRY
-
-        .end
diff --git a/security/nss/lib/freebl/mpi/hppa20.s b/security/nss/lib/freebl/mpi/hppa20.s
deleted file mode 100644
index f7579b805..000000000
--- a/security/nss/lib/freebl/mpi/hppa20.s
+++ /dev/null
@@ -1,929 +0,0 @@
-; The contents of this file are subject to the Mozilla Public
-; License Version 1.1 (the "License"); you may not use this file
-; except in compliance with the License. You may obtain a copy of
-; the License at http://www.mozilla.org/MPL/
-; 
-; Software distributed under the License is distributed on an "AS
-; IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-; implied. See the License for the specific language governing
-; rights and limitations under the License.
-; 
-; The Original Code is MAXPY multiple-precision integer arithmetic.
-; 
-; The Initial Developer of the Original Code is the Hewlett-Packard Company.
-; Portions created by Hewlett-Packard Company are 
-; Copyright (C) 1997 Hewlett-Packard Company.  All Rights Reserved.
-; 
-; Contributor(s):
-;  coded by:   William B. Ackerman
-; 
-; Alternatively, the contents of this file may be used under the
-; terms of the GNU General Public License Version 2 or later (the
-; "GPL"), in which case the provisions of the GPL are applicable 
-; instead of those above.  If you wish to allow use of your 
-; version of this file only under the terms of the GPL and not to
-; allow others to use your version of this file under the MPL,
-; indicate your decision by deleting the provisions above and
-; replace them with the notice and other provisions required by
-; the GPL.  If you do not delete the provisions above, a recipient
-; may use your version of this file under either the MPL or the
-; GPL.
-
-#ifdef __LP64__
-        .LEVEL   2.0W
-#else
-;       .LEVEL   1.1
-;       .ALLOW   2.0N
-        .LEVEL   2.0N
-#endif
-        .SPACE   $TEXT$,SORT=8
-        .SUBSPA  $CODE$,QUAD=0,ALIGN=4,ACCESS=0x2c,CODE_ONLY,SORT=24
-
-; ***************************************************************
-;
-;                 maxpy_[little/big]
-;
-; ***************************************************************
-
-; There is no default -- you must specify one or the other.
-#define LITTLE_WORDIAN 1
-
-#ifdef LITTLE_WORDIAN
-#define EIGHT 8
-#define SIXTEEN 16
-#define THIRTY_TWO 32
-#define UN_EIGHT -8
-#define UN_SIXTEEN -16
-#define UN_TWENTY_FOUR -24
-#endif
-
-#ifdef BIG_WORDIAN
-#define EIGHT -8
-#define SIXTEEN -16
-#define THIRTY_TWO -32
-#define UN_EIGHT 8
-#define UN_SIXTEEN 16
-#define UN_TWENTY_FOUR 24
-#endif
-
-; This performs a multiple-precision integer version of "daxpy",
-; Using the selected addressing direction.  "Little-wordian" means that
-; the least significant word of a number is stored at the lowest address.
-; "Big-wordian" means that the most significant word is at the lowest
-; address.  Either way, the incoming address of the vector is that
-; of the least significant word.  That means that, for little-wordian
-; addressing, we move the address upward as we propagate carries
-; from the least significant word to the most significant.  For
-; big-wordian we move the address downward.
-
-; We use the following registers:
-;
-;     r2   return PC, of course
-;     r26 = arg1 =  length
-;     r25 = arg2 =  address of scalar
-;     r24 = arg3 =  multiplicand vector
-;     r23 = arg4 =  result vector
-;
-;     fr9 = scalar loaded once only from r25
-
-; The cycle counts shown in the bodies below are simply the result of a
-; scheduling by hand.  The actual PCX-U hardware does it differently.
-; The intention is that the overall speed is the same.
-
-; The pipeline startup and shutdown code is constructed in the usual way,
-; by taking the loop bodies and removing unnecessary instructions.
-; We have left the comments describing cycle numbers in the code.
-; These are intended for reference when comparing with the main loop,
-; and have no particular relationship to actual cycle numbers.
-
-#ifdef LITTLE_WORDIAN
-maxpy_little
-#else
-maxpy_big
-#endif
-        .PROC
-        .CALLINFO FRAME=120,ENTRY_GR=%r4
-        .ENTER
-
-; Of course, real men don't use the sissy "enter" and "leave" commands.
-; They write their own stack manipulation stuff.  Unfortunately,
-; that doesn't generate complete unwind info, whereas "enter" and
-; "leave" (if the documentation is to be believed) do so.  Therefore,
-; we use the sissy commands.  We have verified (by real-man methods)
-; that the above command generates what we want:
-;       STW,MA  %r3,128(%sp)
-;       STW     %r4,-124(%sp)
-
-        ADDIB,< -1,%r26,$L0         ; If N = 0, exit immediately.
-        FLDD    0(%r25),%fr9        ; fr9 = scalar
-
-; First startup
-
-        FLDD    0(%r24),%fr24       ; Cycle 1
-        XMPYU   %fr9R,%fr24R,%fr27  ; Cycle 3
-        XMPYU   %fr9R,%fr24L,%fr25  ; Cycle 4
-        XMPYU   %fr9L,%fr24L,%fr26  ; Cycle 5
-        CMPIB,> 3,%r26,$N_IS_SMALL  ; Pick out cases N = 1, 2, or 3
-        XMPYU   %fr9L,%fr24R,%fr24  ; Cycle 6
-        FLDD    EIGHT(%r24),%fr28   ; Cycle 8
-        XMPYU   %fr9L,%fr28R,%fr31  ; Cycle 10
-        FSTD    %fr24,-96(%sp)
-        XMPYU   %fr9R,%fr28L,%fr30  ; Cycle 11
-        FSTD    %fr25,-80(%sp)
-        LDO     SIXTEEN(%r24),%r24  ; Cycle 12
-        FSTD    %fr31,-64(%sp)
-        XMPYU   %fr9R,%fr28R,%fr29  ; Cycle 13
-        FSTD    %fr27,-48(%sp)
-
-; Second startup
-
-        XMPYU   %fr9L,%fr28L,%fr28  ; Cycle 1
-        FSTD    %fr30,-56(%sp)
-        FLDD    0(%r24),%fr24
-
-        FSTD    %fr26,-88(%sp)      ; Cycle 2
-
-        XMPYU   %fr9R,%fr24R,%fr27  ; Cycle 3
-        FSTD    %fr28,-104(%sp)
-
-        XMPYU   %fr9R,%fr24L,%fr25  ; Cycle 4
-        LDD     -96(%sp),%r3
-        FSTD    %fr29,-72(%sp)
-
-        XMPYU   %fr9L,%fr24L,%fr26  ; Cycle 5
-        LDD     -64(%sp),%r19
-        LDD     -80(%sp),%r21
-
-        XMPYU   %fr9L,%fr24R,%fr24  ; Cycle 6
-        LDD     -56(%sp),%r20
-        ADD     %r21,%r3,%r3
-
-        ADD,DC  %r20,%r19,%r19      ; Cycle 7
-        LDD     -88(%sp),%r4
-        SHRPD   %r3,%r0,32,%r21
-        LDD     -48(%sp),%r1
-
-        FLDD    EIGHT(%r24),%fr28   ; Cycle 8
-        LDD     -104(%sp),%r31
-        ADD,DC  %r0,%r0,%r20
-        SHRPD   %r19,%r3,32,%r3
-
-        LDD     -72(%sp),%r29       ; Cycle 9
-        SHRPD   %r20,%r19,32,%r20
-        ADD     %r21,%r1,%r1
-
-        XMPYU   %fr9L,%fr28R,%fr31  ; Cycle 10
-        ADD,DC  %r3,%r4,%r4
-        FSTD    %fr24,-96(%sp)
-
-        XMPYU   %fr9R,%fr28L,%fr30  ; Cycle 11
-        ADD,DC  %r0,%r20,%r20
-        LDD     0(%r23),%r3
-        FSTD    %fr25,-80(%sp)
-
-        LDO     SIXTEEN(%r24),%r24  ; Cycle 12
-        FSTD    %fr31,-64(%sp)
-
-        XMPYU   %fr9R,%fr28R,%fr29  ; Cycle 13
-        ADD     %r0,%r0,%r0         ; clear the carry bit
-        ADDIB,<= -4,%r26,$ENDLOOP   ; actually happens in cycle 12
-        FSTD    %fr27,-48(%sp)
-;        MFCTL   %cr16,%r21         ; for timing
-;        STD     %r21,-112(%sp)
-
-; Here is the loop.
-
-$LOOP   XMPYU   %fr9L,%fr28L,%fr28  ; Cycle 1
-        ADD,DC  %r29,%r4,%r4
-        FSTD    %fr30,-56(%sp)
-        FLDD    0(%r24),%fr24
-
-        LDO     SIXTEEN(%r23),%r23  ; Cycle 2
-        ADD,DC  %r0,%r20,%r20
-        FSTD    %fr26,-88(%sp)
-
-        XMPYU   %fr9R,%fr24R,%fr27  ; Cycle 3
-        ADD     %r3,%r1,%r1
-        FSTD    %fr28,-104(%sp)
-        LDD     UN_EIGHT(%r23),%r21
-
-        XMPYU   %fr9R,%fr24L,%fr25  ; Cycle 4
-        ADD,DC  %r21,%r4,%r28
-        FSTD    %fr29,-72(%sp)    
-        LDD     -96(%sp),%r3
-
-        XMPYU   %fr9L,%fr24L,%fr26  ; Cycle 5
-        ADD,DC  %r20,%r31,%r22
-        LDD     -64(%sp),%r19
-        LDD     -80(%sp),%r21
-
-        XMPYU   %fr9L,%fr24R,%fr24  ; Cycle 6
-        ADD     %r21,%r3,%r3
-        LDD     -56(%sp),%r20
-        STD     %r1,UN_SIXTEEN(%r23)
-
-        ADD,DC  %r20,%r19,%r19      ; Cycle 7
-        SHRPD   %r3,%r0,32,%r21
-        LDD     -88(%sp),%r4
-        LDD     -48(%sp),%r1
-
-        ADD,DC  %r0,%r0,%r20        ; Cycle 8
-        SHRPD   %r19,%r3,32,%r3
-        FLDD    EIGHT(%r24),%fr28
-        LDD     -104(%sp),%r31
-
-        SHRPD   %r20,%r19,32,%r20   ; Cycle 9
-        ADD     %r21,%r1,%r1
-        STD     %r28,UN_EIGHT(%r23)
-        LDD     -72(%sp),%r29
-
-        XMPYU   %fr9L,%fr28R,%fr31  ; Cycle 10
-        ADD,DC  %r3,%r4,%r4
-        FSTD    %fr24,-96(%sp)
-
-        XMPYU   %fr9R,%fr28L,%fr30  ; Cycle 11
-        ADD,DC  %r0,%r20,%r20
-        FSTD    %fr25,-80(%sp)
-        LDD     0(%r23),%r3
-
-        LDO     SIXTEEN(%r24),%r24  ; Cycle 12
-        FSTD    %fr31,-64(%sp)
-
-        XMPYU   %fr9R,%fr28R,%fr29  ; Cycle 13
-        ADD     %r22,%r1,%r1
-        ADDIB,> -2,%r26,$LOOP       ; actually happens in cycle 12
-        FSTD    %fr27,-48(%sp)
-
-$ENDLOOP
-
-; Shutdown code, first stage.
-
-;        MFCTL   %cr16,%r21         ; for timing
-;        STD     %r21,UN_SIXTEEN(%r23)
-;        LDD     -112(%sp),%r21
-;        STD     %r21,UN_EIGHT(%r23)
-
-        XMPYU   %fr9L,%fr28L,%fr28  ; Cycle 1
-        ADD,DC  %r29,%r4,%r4
-        CMPIB,= 0,%r26,$ONEMORE
-        FSTD    %fr30,-56(%sp)
-
-        LDO     SIXTEEN(%r23),%r23  ; Cycle 2
-        ADD,DC  %r0,%r20,%r20
-        FSTD    %fr26,-88(%sp)
-
-        ADD     %r3,%r1,%r1         ; Cycle 3
-        FSTD    %fr28,-104(%sp)
-        LDD     UN_EIGHT(%r23),%r21
-
-        ADD,DC  %r21,%r4,%r28       ; Cycle 4
-        FSTD    %fr29,-72(%sp)    
-        STD     %r28,UN_EIGHT(%r23) ; moved up from cycle 9
-        LDD     -96(%sp),%r3
-
-        ADD,DC  %r20,%r31,%r22      ; Cycle 5
-        STD     %r1,UN_SIXTEEN(%r23)
-$JOIN4
-        LDD     -64(%sp),%r19
-        LDD     -80(%sp),%r21
-
-        ADD     %r21,%r3,%r3        ; Cycle 6
-        LDD     -56(%sp),%r20
-
-        ADD,DC  %r20,%r19,%r19      ; Cycle 7
-        SHRPD   %r3,%r0,32,%r21
-        LDD     -88(%sp),%r4
-        LDD     -48(%sp),%r1
-
-        ADD,DC  %r0,%r0,%r20        ; Cycle 8
-        SHRPD   %r19,%r3,32,%r3
-        LDD     -104(%sp),%r31
-
-        SHRPD   %r20,%r19,32,%r20   ; Cycle 9
-        ADD     %r21,%r1,%r1
-        LDD     -72(%sp),%r29
-
-        ADD,DC  %r3,%r4,%r4         ; Cycle 10
-
-        ADD,DC  %r0,%r20,%r20       ; Cycle 11
-        LDD     0(%r23),%r3
-
-        ADD     %r22,%r1,%r1        ; Cycle 13
-
-; Shutdown code, second stage.
-
-        ADD,DC  %r29,%r4,%r4        ; Cycle 1
-
-        LDO     SIXTEEN(%r23),%r23  ; Cycle 2
-        ADD,DC  %r0,%r20,%r20
-
-        LDD     UN_EIGHT(%r23),%r21 ; Cycle 3
-        ADD     %r3,%r1,%r1
-
-        ADD,DC  %r21,%r4,%r28       ; Cycle 4
-
-        ADD,DC  %r20,%r31,%r22      ; Cycle 5
-
-        STD     %r1,UN_SIXTEEN(%r23); Cycle 6
-
-        STD     %r28,UN_EIGHT(%r23) ; Cycle 9
-
-        LDD     0(%r23),%r3         ; Cycle 11
-
-; Shutdown code, third stage.
-
-        LDO     SIXTEEN(%r23),%r23
-        ADD     %r3,%r22,%r1
-$JOIN1  ADD,DC  %r0,%r0,%r21
-        CMPIB,*= 0,%r21,$L0         ; if no overflow, exit
-        STD     %r1,UN_SIXTEEN(%r23)
-
-; Final carry propagation
-
-$FINAL1 LDO     EIGHT(%r23),%r23
-        LDD     UN_SIXTEEN(%r23),%r21
-        ADDI    1,%r21,%r21
-        CMPIB,*= 0,%r21,$FINAL1     ; Keep looping if there is a carry.
-        STD     %r21,UN_SIXTEEN(%r23)
-        B       $L0
-        NOP
-
-; Here is the code that handles the difficult cases N=1, N=2, and N=3.
-; We do the usual trick -- branch out of the startup code at appropriate
-; points, and branch into the shutdown code.
-
-$N_IS_SMALL
-        CMPIB,= 0,%r26,$N_IS_ONE
-        FSTD    %fr24,-96(%sp)      ; Cycle 10
-        FLDD    EIGHT(%r24),%fr28   ; Cycle 8
-        XMPYU   %fr9L,%fr28R,%fr31  ; Cycle 10
-        XMPYU   %fr9R,%fr28L,%fr30  ; Cycle 11
-        FSTD    %fr25,-80(%sp)
-        FSTD    %fr31,-64(%sp)      ; Cycle 12
-        XMPYU   %fr9R,%fr28R,%fr29  ; Cycle 13
-        FSTD    %fr27,-48(%sp)
-        XMPYU   %fr9L,%fr28L,%fr28  ; Cycle 1
-        CMPIB,= 2,%r26,$N_IS_THREE
-        FSTD    %fr30,-56(%sp)
-
-; N = 2
-        FSTD    %fr26,-88(%sp)      ; Cycle 2
-        FSTD    %fr28,-104(%sp)     ; Cycle 3
-        LDD     -96(%sp),%r3        ; Cycle 4
-        FSTD    %fr29,-72(%sp)
-        B       $JOIN4
-        ADD     %r0,%r0,%r22
-
-$N_IS_THREE
-        FLDD    SIXTEEN(%r24),%fr24
-        FSTD    %fr26,-88(%sp)      ; Cycle 2
-        XMPYU   %fr9R,%fr24R,%fr27  ; Cycle 3
-        FSTD    %fr28,-104(%sp)
-        XMPYU   %fr9R,%fr24L,%fr25  ; Cycle 4
-        LDD     -96(%sp),%r3
-        FSTD    %fr29,-72(%sp)
-        XMPYU   %fr9L,%fr24L,%fr26  ; Cycle 5
-        LDD     -64(%sp),%r19
-        LDD     -80(%sp),%r21
-        B       $JOIN3
-        ADD     %r0,%r0,%r22
-
-$N_IS_ONE
-        FSTD    %fr25,-80(%sp)
-        FSTD    %fr27,-48(%sp)
-        FSTD    %fr26,-88(%sp)      ; Cycle 2
-        B       $JOIN5
-        ADD     %r0,%r0,%r22
-
-; We came out of the unrolled loop with wrong parity.  Do one more
-; single cycle.  This is quite tricky, because of the way the
-; carry chains and SHRPD chains have been chopped up.
-
-$ONEMORE
-
-        FLDD    0(%r24),%fr24
-
-        LDO     SIXTEEN(%r23),%r23  ; Cycle 2
-        ADD,DC  %r0,%r20,%r20
-        FSTD    %fr26,-88(%sp)
-
-        XMPYU   %fr9R,%fr24R,%fr27  ; Cycle 3
-        FSTD    %fr28,-104(%sp)
-        LDD     UN_EIGHT(%r23),%r21
-        ADD     %r3,%r1,%r1
-
-        XMPYU   %fr9R,%fr24L,%fr25  ; Cycle 4
-        ADD,DC  %r21,%r4,%r28
-        STD     %r28,UN_EIGHT(%r23) ; moved from cycle 9
-        LDD     -96(%sp),%r3
-        FSTD    %fr29,-72(%sp)    
-
-        XMPYU   %fr9L,%fr24L,%fr26  ; Cycle 5
-        ADD,DC  %r20,%r31,%r22
-        LDD     -64(%sp),%r19
-        LDD     -80(%sp),%r21
-
-        STD     %r1,UN_SIXTEEN(%r23); Cycle 6
-$JOIN3
-        XMPYU   %fr9L,%fr24R,%fr24
-        LDD     -56(%sp),%r20
-        ADD     %r21,%r3,%r3
-
-        ADD,DC  %r20,%r19,%r19      ; Cycle 7
-        LDD     -88(%sp),%r4
-        SHRPD   %r3,%r0,32,%r21
-        LDD     -48(%sp),%r1
-
-        LDD     -104(%sp),%r31      ; Cycle 8
-        ADD,DC  %r0,%r0,%r20
-        SHRPD   %r19,%r3,32,%r3
-
-        LDD     -72(%sp),%r29       ; Cycle 9
-        SHRPD   %r20,%r19,32,%r20
-        ADD     %r21,%r1,%r1
-
-        ADD,DC  %r3,%r4,%r4         ; Cycle 10
-        FSTD    %fr24,-96(%sp)
-
-        ADD,DC  %r0,%r20,%r20       ; Cycle 11
-        LDD     0(%r23),%r3
-        FSTD    %fr25,-80(%sp)
-
-        ADD     %r22,%r1,%r1        ; Cycle 13
-        FSTD    %fr27,-48(%sp)
-
-; Shutdown code, stage 1-1/2.
-
-        ADD,DC  %r29,%r4,%r4        ; Cycle 1
-
-        LDO     SIXTEEN(%r23),%r23  ; Cycle 2
-        ADD,DC  %r0,%r20,%r20     
-        FSTD    %fr26,-88(%sp)
-
-        LDD     UN_EIGHT(%r23),%r21 ; Cycle 3
-        ADD     %r3,%r1,%r1
-
-        ADD,DC  %r21,%r4,%r28       ; Cycle 4
-        STD     %r28,UN_EIGHT(%r23) ; moved from cycle 9
-
-        ADD,DC  %r20,%r31,%r22      ; Cycle 5
-        STD     %r1,UN_SIXTEEN(%r23)
-$JOIN5
-        LDD     -96(%sp),%r3        ; moved from cycle 4
-        LDD     -80(%sp),%r21
-        ADD     %r21,%r3,%r3        ; Cycle 6
-        ADD,DC  %r0,%r0,%r19        ; Cycle 7
-        LDD     -88(%sp),%r4
-        SHRPD   %r3,%r0,32,%r21
-        LDD     -48(%sp),%r1
-        SHRPD   %r19,%r3,32,%r3     ; Cycle 8
-        ADD     %r21,%r1,%r1        ; Cycle 9
-        ADD,DC  %r3,%r4,%r4         ; Cycle 10
-        LDD     0(%r23),%r3         ; Cycle 11
-        ADD     %r22,%r1,%r1        ; Cycle 13
-
-; Shutdown code, stage 2-1/2.
-
-        ADD,DC  %r0,%r4,%r4         ; Cycle 1
-        LDO     SIXTEEN(%r23),%r23  ; Cycle 2
-        LDD     UN_EIGHT(%r23),%r21 ; Cycle 3
-        ADD     %r3,%r1,%r1
-        STD     %r1,UN_SIXTEEN(%r23)
-        ADD,DC  %r21,%r4,%r1
-        B       $JOIN1
-        LDO     EIGHT(%r23),%r23
-
-; exit
-
-$L0
-        .LEAVE
-
-; We have verified that the above command generates what we want:
-;       LDW     -124(%sp),%r4
-;       BVE     (%r2)
-;       LDW,MB  -128(%sp),%r3
-
-        .PROCEND
-
-; ***************************************************************
-;
-;                 add_diag_[little/big]
-;
-; ***************************************************************
-
-; The arguments are as follows:
-;     r2   return PC, of course
-;     r26 = arg1 =  length
-;     r25 = arg2 =  vector to square
-;     r24 = arg3 =  result vector
-
-#ifdef LITTLE_WORDIAN
-add_diag_little
-#else
-add_diag_big
-#endif
-        .PROC
-        .CALLINFO FRAME=120,ENTRY_GR=%r4
-        .ENTER
-
-        ADDIB,< -1,%r26,$Z0         ; If N=0, exit immediately.
-        NOP
-
-; Startup code
-
-        FLDD    0(%r25),%fr7        ; Cycle 2 (alternate body)
-        XMPYU   %fr7R,%fr7R,%fr29   ; Cycle 4
-        XMPYU   %fr7L,%fr7R,%fr27   ; Cycle 5
-        XMPYU   %fr7L,%fr7L,%fr30
-        LDO     SIXTEEN(%r25),%r25  ; Cycle 6
-        FSTD    %fr29,-88(%sp)
-        FSTD    %fr27,-72(%sp)      ; Cycle 7
-        CMPIB,= 0,%r26,$DIAG_N_IS_ONE ; Cycle 1 (main body)
-        FSTD    %fr30,-96(%sp)
-        FLDD    UN_EIGHT(%r25),%fr7 ; Cycle 2
-        LDD     -88(%sp),%r22       ; Cycle 3
-        LDD     -72(%sp),%r31       ; Cycle 4
-        XMPYU   %fr7R,%fr7R,%fr28
-        XMPYU   %fr7L,%fr7R,%fr24   ; Cycle 5
-        XMPYU   %fr7L,%fr7L,%fr31
-        LDD     -96(%sp),%r20       ; Cycle 6
-        FSTD    %fr28,-80(%sp)
-        ADD     %r0,%r0,%r0         ; clear the carry bit
-        ADDIB,<= -2,%r26,$ENDDIAGLOOP ; Cycle 7
-        FSTD    %fr24,-64(%sp)
-
-; Here is the loop.  It is unrolled twice, modelled after the "alternate body" and then the "main body".
-
-$DIAGLOOP
-        SHRPD   %r31,%r0,31,%r3     ; Cycle 1 (alternate body)
-        LDO     SIXTEEN(%r25),%r25
-        LDD     0(%r24),%r1
-        FSTD    %fr31,-104(%sp)
-        SHRPD   %r0,%r31,31,%r4     ; Cycle 2
-        ADD,DC  %r22,%r3,%r3
-        FLDD    UN_SIXTEEN(%r25),%fr7   
-        ADD,DC  %r0,%r20,%r20       ; Cycle 3
-        ADD     %r1,%r3,%r3
-        XMPYU   %fr7R,%fr7R,%fr29   ; Cycle 4
-        LDD     -80(%sp),%r21
-        STD     %r3,0(%r24)
-        XMPYU   %fr7L,%fr7R,%fr27   ; Cycle 5
-        XMPYU   %fr7L,%fr7L,%fr30
-        LDD     -64(%sp),%r29       
-        LDD     EIGHT(%r24),%r1  
-        ADD,DC  %r4,%r20,%r20       ; Cycle 6
-        LDD     -104(%sp),%r19
-        FSTD    %fr29,-88(%sp)
-        ADD     %r20,%r1,%r1        ; Cycle 7
-        FSTD    %fr27,-72(%sp)
-        SHRPD   %r29,%r0,31,%r4     ; Cycle 1 (main body)
-        LDO     THIRTY_TWO(%r24),%r24
-        LDD     UN_SIXTEEN(%r24),%r28
-        FSTD    %fr30,-96(%sp)
-        SHRPD   %r0,%r29,31,%r3     ; Cycle 2
-        ADD,DC  %r21,%r4,%r4
-        FLDD    UN_EIGHT(%r25),%fr7
-        STD     %r1,UN_TWENTY_FOUR(%r24)
-        ADD,DC  %r0,%r19,%r19       ; Cycle 3
-        ADD     %r28,%r4,%r4
-        XMPYU   %fr7R,%fr7R,%fr28   ; Cycle 4
-        LDD     -88(%sp),%r22
-        STD     %r4,UN_SIXTEEN(%r24)
-        XMPYU   %fr7L,%fr7R,%fr24   ; Cycle 5
-        XMPYU   %fr7L,%fr7L,%fr31
-        LDD     -72(%sp),%r31
-        LDD     UN_EIGHT(%r24),%r28
-        ADD,DC  %r3,%r19,%r19       ; Cycle 6
-        LDD     -96(%sp),%r20
-        FSTD    %fr28,-80(%sp)
-        ADD     %r19,%r28,%r28      ; Cycle 7
-        FSTD    %fr24,-64(%sp)
-        ADDIB,> -2,%r26,$DIAGLOOP   ; Cycle 8
-        STD     %r28,UN_EIGHT(%r24)
-
-$ENDDIAGLOOP
-
-        ADD,DC  %r0,%r22,%r22    
-        CMPIB,= 0,%r26,$ONEMOREDIAG
-        SHRPD   %r31,%r0,31,%r3
-
-; Shutdown code, first stage.
-
-        FSTD    %fr31,-104(%sp)     ; Cycle 1 (alternate body)
-        LDD     0(%r24),%r28
-        SHRPD   %r0,%r31,31,%r4     ; Cycle 2
-        ADD     %r3,%r22,%r3
-        ADD,DC  %r0,%r20,%r20       ; Cycle 3
-        LDD     -80(%sp),%r21
-        ADD     %r3,%r28,%r3
-        LDD     -64(%sp),%r29       ; Cycle 4
-        STD     %r3,0(%r24)
-        LDD     EIGHT(%r24),%r1     ; Cycle 5
-        LDO     SIXTEEN(%r25),%r25  ; Cycle 6
-        LDD     -104(%sp),%r19
-        ADD,DC  %r4,%r20,%r20
-        ADD     %r20,%r1,%r1        ; Cycle 7
-        ADD,DC  %r0,%r21,%r21       ; Cycle 8
-        STD     %r1,EIGHT(%r24)
-
-; Shutdown code, second stage.
-
-        SHRPD   %r29,%r0,31,%r4     ; Cycle 1 (main body)
-        LDO     THIRTY_TWO(%r24),%r24
-        LDD     UN_SIXTEEN(%r24),%r1
-        SHRPD   %r0,%r29,31,%r3      ; Cycle 2
-        ADD     %r4,%r21,%r4
-        ADD,DC  %r0,%r19,%r19       ; Cycle 3
-        ADD     %r4,%r1,%r4
-        STD     %r4,UN_SIXTEEN(%r24); Cycle 4
-        LDD     UN_EIGHT(%r24),%r28 ; Cycle 5
-        ADD,DC  %r3,%r19,%r19       ; Cycle 6       
-        ADD     %r19,%r28,%r28      ; Cycle 7
-        ADD,DC  %r0,%r0,%r22        ; Cycle 8
-        CMPIB,*= 0,%r22,$Z0         ; if no overflow, exit
-        STD     %r28,UN_EIGHT(%r24)
-
-; Final carry propagation
-
-$FDIAG2
-        LDO     EIGHT(%r24),%r24
-        LDD     UN_EIGHT(%r24),%r26
-        ADDI    1,%r26,%r26
-        CMPIB,*= 0,%r26,$FDIAG2     ; Keep looping if there is a carry.
-        STD     %r26,UN_EIGHT(%r24)
-
-        B   $Z0
-        NOP
-
-; Here is the code that handles the difficult case N=1.
-; We do the usual trick -- branch out of the startup code at appropriate
-; points, and branch into the shutdown code.
-
-$DIAG_N_IS_ONE
-
-        LDD     -88(%sp),%r22
-        LDD     -72(%sp),%r31
-        B       $JOINDIAG
-        LDD     -96(%sp),%r20
-
-; We came out of the unrolled loop with wrong parity.  Do one more
-; single cycle.  This is the "alternate body".  It will, of course,
-; give us opposite registers from the other case, so we need
-; completely different shutdown code.
-
-$ONEMOREDIAG
-        FSTD    %fr31,-104(%sp)     ; Cycle 1 (alternate body)
-        LDD     0(%r24),%r28
-        FLDD    0(%r25),%fr7        ; Cycle 2
-        SHRPD   %r0,%r31,31,%r4
-        ADD     %r3,%r22,%r3
-        ADD,DC  %r0,%r20,%r20       ; Cycle 3
-        LDD     -80(%sp),%r21
-        ADD     %r3,%r28,%r3
-        LDD     -64(%sp),%r29       ; Cycle 4
-        STD     %r3,0(%r24)
-        XMPYU   %fr7R,%fr7R,%fr29
-        LDD     EIGHT(%r24),%r1     ; Cycle 5
-        XMPYU   %fr7L,%fr7R,%fr27
-        XMPYU   %fr7L,%fr7L,%fr30
-        LDD     -104(%sp),%r19      ; Cycle 6
-        FSTD    %fr29,-88(%sp)
-        ADD,DC  %r4,%r20,%r20
-        FSTD    %fr27,-72(%sp)      ; Cycle 7
-        ADD     %r20,%r1,%r1
-        ADD,DC  %r0,%r21,%r21       ; Cycle 8
-        STD     %r1,EIGHT(%r24)
-
-; Shutdown code, first stage.
-
-        SHRPD   %r29,%r0,31,%r4     ; Cycle 1 (main body)
-        LDO     THIRTY_TWO(%r24),%r24
-        FSTD    %fr30,-96(%sp)
-        LDD     UN_SIXTEEN(%r24),%r1
-        SHRPD   %r0,%r29,31,%r3     ; Cycle 2
-        ADD     %r4,%r21,%r4
-        ADD,DC  %r0,%r19,%r19       ; Cycle 3
-        LDD     -88(%sp),%r22
-        ADD     %r4,%r1,%r4
-        LDD     -72(%sp),%r31       ; Cycle 4
-        STD     %r4,UN_SIXTEEN(%r24)
-        LDD     UN_EIGHT(%r24),%r28 ; Cycle 5
-        LDD     -96(%sp),%r20       ; Cycle 6
-        ADD,DC  %r3,%r19,%r19
-        ADD     %r19,%r28,%r28      ; Cycle 7
-        ADD,DC  %r0,%r22,%r22       ; Cycle 8
-        STD     %r28,UN_EIGHT(%r24)
-
-; Shutdown code, second stage.
-
-$JOINDIAG
-        SHRPD   %r31,%r0,31,%r3     ; Cycle 1 (alternate body)
-        LDD     0(%r24),%r28        
-        SHRPD   %r0,%r31,31,%r4     ; Cycle 2
-        ADD     %r3,%r22,%r3
-        ADD,DC  %r0,%r20,%r20       ; Cycle 3
-        ADD     %r3,%r28,%r3
-        STD     %r3,0(%r24)         ; Cycle 4
-        LDD     EIGHT(%r24),%r1     ; Cycle 5
-        ADD,DC  %r4,%r20,%r20
-        ADD     %r20,%r1,%r1        ; Cycle 7
-        ADD,DC  %r0,%r0,%r21        ; Cycle 8
-        CMPIB,*= 0,%r21,$Z0         ; if no overflow, exit
-        STD     %r1,EIGHT(%r24)
-
-; Final carry propagation
-
-$FDIAG1
-        LDO     EIGHT(%r24),%r24
-        LDD     EIGHT(%r24),%r26
-        ADDI    1,%r26,%r26
-        CMPIB,*= 0,%r26,$FDIAG1    ; Keep looping if there is a carry.
-        STD     %r26,EIGHT(%r24)
-
-$Z0
-        .LEAVE
-        .PROCEND
-;	.ALLOW
-
-        .SPACE         $TEXT$
-        .SUBSPA        $CODE$
-#ifdef LITTLE_WORDIAN
-        .EXPORT        maxpy_little,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,ARGW3=GR,LONG_RETURN
-        .EXPORT        add_diag_little,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,LONG_RETURN
-#else
-        .EXPORT        maxpy_big,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,ARGW3=GR,LONG_RETURN
-        .EXPORT        add_diag_big,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,LONG_RETURN
-#endif
-        .END
-
-
-; How to use "maxpy_PA20_little" and "maxpy_PA20_big"
-; 
-; The routine "maxpy_PA20_little" or "maxpy_PA20_big"
-; performs a 64-bit x any-size multiply, and adds the
-; result to an area of memory.  That is, it performs
-; something like
-; 
-;      A B C D
-;    *       Z
-;   __________
-;    P Q R S T
-; 
-; and then adds the "PQRST" vector into an area of memory,
-; handling all carries.
-; 
-; Digression on nomenclature and endian-ness:
-; 
-; Each of the capital letters in the above represents a 64-bit
-; quantity.  That is, you could think of the discussion as
-; being in terms of radix-16-quintillion arithmetic.  The data
-; type being manipulated is "unsigned long long int".  This
-; requires the 64-bit extension of the HP-UX C compiler,
-; available at release 10.  You need these compiler flags to
-; enable these extensions:
-; 
-;       -Aa +e +DA2.0 +DS2.0
-; 
-; (The first specifies ANSI C, the second enables the
-; extensions, which are beyond ANSI C, and the third and
-; fourth tell the compiler to use whatever features of the
-; PA2.0 architecture it wishes, in order to made the code more
-; efficient.  Since the presence of the assembly code will
-; make the program unable to run on anything less than PA2.0,
-; you might as well gain the performance enhancements in the C
-; code as well.)
-; 
-; Questions of "endian-ness" often come up, usually in the
-; context of byte ordering in a word.  These routines have a
-; similar issue, that could be called "wordian-ness".
-; Independent of byte ordering (PA is always big-endian), one
-; can make two choices when representing extremely large
-; numbers as arrays of 64-bit doublewords in memory.
-; 
-; "Little-wordian" layout means that the least significant
-; word of a number is stored at the lowest address.
-; 
-;   MSW     LSW
-;    |       |
-;    V       V
-; 
-;    A B C D E
-; 
-;    ^     ^ ^
-;    |     | |____ address 0
-;    |     |
-;    |     |_______address 8
-;    |
-;    address 32
-; 
-; "Big-wordian" means that the most significant word is at the
-; lowest address.
-; 
-;   MSW     LSW
-;    |       |
-;    V       V
-; 
-;    A B C D E
-; 
-;    ^     ^ ^
-;    |     | |____ address 32
-;    |     |
-;    |     |_______address 24
-;    |
-;    address 0
-; 
-; When you compile the file, you must specify one or the other, with
-; a switch "-DLITTLE_WORDIAN" or "-DBIG_WORDIAN".
-; 
-;     Incidentally, you assemble this file as part of your
-;     project with the same C compiler as the rest of the program.
-;     My "makefile" for a superprecision arithmetic package has
-;     the following stuff:
-; 
-;     # definitions:
-;     CC = cc -Aa +e -z +DA2.0 +DS2.0 +w1
-;     CFLAGS = +O3
-;     LDFLAGS = -L /usr/lib -Wl,-aarchive
-; 
-;     # general build rule for ".s" files:
-;     .s.o:
-;             $(CC) $(CFLAGS) -c $< -DBIG_WORDIAN
-; 
-;     # Now any bind step that calls for pa20.o will assemble pa20.s
-; 
-; End of digression, back to arithmetic:
-; 
-; The way we multiply two huge numbers is, of course, to multiply
-; the "ABCD" vector by each of the "WXYZ" doublewords, adding
-; the result vectors with increasing offsets, the way we learned
-; in school, back before we all used calculators:
-; 
-;            A B C D
-;          * W X Y Z
-;         __________
-;          P Q R S T
-;        E F G H I
-;      M N O P Q
-;  + R S T U V
-;    _______________
-;    F I N A L S U M
-; 
-; So we call maxpy_PA20_big (in my case; my package is
-; big-wordian) repeatedly, giving the W, X, Y, and Z arguments
-; in turn as the "scalar", and giving the "ABCD" vector each
-; time.  We direct it to add its result into an area of memory
-; that we have cleared at the start.  We skew the exact
-; location into that area with each call.
-; 
-; The prototype for the function is
-; 
-; extern void maxpy_PA20_big(
-;    int length,        /* Number of doublewords in the multiplicand vector. */
-;    const long long int *scalaraddr,    /* Address to fetch the scalar. */
-;    const long long int *multiplicand,  /* The multiplicand vector. */
-;    long long int *result);             /* Where to accumulate the result. */
-; 
-; (You should place a copy of this prototype in an include file
-; or in your C file.)
-; 
-; Now, IN ALL CASES, the given address for the multiplicand or
-; the result is that of the LEAST SIGNIFICANT DOUBLEWORD.
-; That word is, of course, the word at which the routine
-; starts processing.  "maxpy_PA20_little" then increases the
-; addresses as it computes.  "maxpy_PA20_big" decreases them.
-; 
-; In our example above, "length" would be 4 in each case.
-; "multiplicand" would be the "ABCD" vector.  Specifically,
-; the address of the element "D".  "scalaraddr" would be the
-; address of "W", "X", "Y", or "Z" on the four calls that we
-; would make.  (The order doesn't matter, of course.)
-; "result" would be the appropriate address in the result
-; area.  When multiplying by "Z", that would be the least
-; significant word.  When multiplying by "Y", it would be the
-; next higher word (8 bytes higher if little-wordian; 8 bytes
-; lower if big-wordian), and so on.  The size of the result
-; area must be the the sum of the sizes of the multiplicand
-; and multiplier vectors, and must be initialized to zero
-; before we start.
-; 
-; Whenever the routine adds its partial product into the result
-; vector, it follows carry chains as far as they need to go.
-; 
-; Here is the super-precision multiply routine that I use for
-; my package.  The package is big-wordian.  I have taken out
-; handling of exponents (it's a floating point package):
-; 
-; static void mul_PA20(
-;   int size,
-;   const long long int *arg1,
-;   const long long int *arg2,
-;   long long int *result)
-; {
-;    int i;
-; 
-;    for (i=0 ; i<2*size ; i++) result[i] = 0ULL;
-; 
-;    for (i=0 ; i<size ; i++) {
-;       maxpy_PA20_big(size, &arg2[i], &arg1[size-1], &result[size+i]);
-;    }
-; }
diff --git a/security/nss/lib/freebl/mpi/hppatch.adb b/security/nss/lib/freebl/mpi/hppatch.adb
deleted file mode 100644
index f07cc29f5..000000000
--- a/security/nss/lib/freebl/mpi/hppatch.adb
+++ /dev/null
@@ -1,54 +0,0 @@
-#/bin/sh
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is script to change the system id in an object file from PA-RISC 2.0 to 1.1.
-#
-# The Initial Developer of the Original Code is
-# Hewlett-Packard Company.
-# Portions created by the Initial Developer are Copyright (C) 1999
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#   wrapped by Dennis Handly on Tue Mar 23 15:23:43 1999
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-# script to change the system id in an object file from PA-RISC 2.0 to 1.1
-
-adb -w $1 << EOF
-?m 0 -1 0
-0x0?X
-0x0?W (@0x0&~0x40000)|(~@0x0&0x40000)
-
-0?"change checksum"
-0x7c?X
-0x7c?W (@0x7c&~0x40000)|(~@0x7c&0x40000)
-$q
-EOF
-
-exit 0
-
diff --git a/security/nss/lib/freebl/mpi/logtab.h b/security/nss/lib/freebl/mpi/logtab.h
deleted file mode 100644
index 636fd7245..000000000
--- a/security/nss/lib/freebl/mpi/logtab.h
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- *  logtab.h
- *
- *  Arbitrary precision integer arithmetic library
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-const float s_logv_2[] = {
-   0.000000000f, 0.000000000f, 1.000000000f, 0.630929754f,  /*  0  1  2  3 */
-   0.500000000f, 0.430676558f, 0.386852807f, 0.356207187f,  /*  4  5  6  7 */
-   0.333333333f, 0.315464877f, 0.301029996f, 0.289064826f,  /*  8  9 10 11 */
-   0.278942946f, 0.270238154f, 0.262649535f, 0.255958025f,  /* 12 13 14 15 */
-   0.250000000f, 0.244650542f, 0.239812467f, 0.235408913f,  /* 16 17 18 19 */
-   0.231378213f, 0.227670249f, 0.224243824f, 0.221064729f,  /* 20 21 22 23 */
-   0.218104292f, 0.215338279f, 0.212746054f, 0.210309918f,  /* 24 25 26 27 */
-   0.208014598f, 0.205846832f, 0.203795047f, 0.201849087f,  /* 28 29 30 31 */
-   0.200000000f, 0.198239863f, 0.196561632f, 0.194959022f,  /* 32 33 34 35 */
-   0.193426404f, 0.191958720f, 0.190551412f, 0.189200360f,  /* 36 37 38 39 */
-   0.187901825f, 0.186652411f, 0.185449023f, 0.184288833f,  /* 40 41 42 43 */
-   0.183169251f, 0.182087900f, 0.181042597f, 0.180031327f,  /* 44 45 46 47 */
-   0.179052232f, 0.178103594f, 0.177183820f, 0.176291434f,  /* 48 49 50 51 */
-   0.175425064f, 0.174583430f, 0.173765343f, 0.172969690f,  /* 52 53 54 55 */
-   0.172195434f, 0.171441601f, 0.170707280f, 0.169991616f,  /* 56 57 58 59 */
-   0.169293808f, 0.168613099f, 0.167948779f, 0.167300179f,  /* 60 61 62 63 */
-   0.166666667f
-};
-
diff --git a/security/nss/lib/freebl/mpi/make-logtab b/security/nss/lib/freebl/mpi/make-logtab
deleted file mode 100755
index dc1ec575b..000000000
--- a/security/nss/lib/freebl/mpi/make-logtab
+++ /dev/null
@@ -1,64 +0,0 @@
-#!/usr/linguist/bin/perl
-
-#
-# make-logtab
-#
-# Generate a table of logarithms of 2 in various bases, for use in
-# estimating the output sizes of various bases.
-
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the MPI Arbitrary Precision Integer Arithmetic
-# library.
-#
-# The Initial Developer of the Original Code is
-# Michael J. Fromberger <sting@linguist.dartmouth.edu>
-# Portions created by the Initial Developer are Copyright (C) 1998, 2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-# $Id$
-
-$ARRAYNAME = $ENV{'ARRAYNAME'} || "s_logv_2";
-$ARRAYTYPE = $ENV{'ARRAYTYPE'} || "float";
-
-printf("const %s %s[] = {\n   %0.9ff, %0.9ff, ", 
-       $ARRAYTYPE, $ARRAYNAME, 0, 0);
-$brk = 2;
-for($ix = 2; $ix < 64; $ix++) {
-    printf("%0.9ff, ", (log(2)/log($ix)));
-    $brk = ($brk + 1) & 3;
-    if(!$brk) {
-	printf(" /* %2d %2d %2d %2d */\n   ",
-	       $ix - 3, $ix - 2, $ix - 1, $ix);
-    }
-}
-printf("%0.9ff\n};\n\n", (log(2)/log($ix)));
-
-exit 0;
diff --git a/security/nss/lib/freebl/mpi/make-test-arrays b/security/nss/lib/freebl/mpi/make-test-arrays
deleted file mode 100755
index 8dd19fc4f..000000000
--- a/security/nss/lib/freebl/mpi/make-test-arrays
+++ /dev/null
@@ -1,133 +0,0 @@
-#!/usr/linguist/bin/perl
-
-#
-# make-test-arrays
-#
-# Given a test-arrays file, which specifies the test suite names, the
-# names of the functions which perform those test suites, and
-# descriptive comments, this script generates C structures for the
-# mpi-test program.  The input consists of lines of the form:
-#
-# suite-name:function-name:comment
-#
-# The output is written to the standard output.  Blank lines are
-# ignored, and comments beginning with '#' are stripped.
-
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
-#
-# The Initial Developer of the Original Code is
-# Michael J. Fromberger <sting@linguist.dartmouth.edu>.
-# Portions created by the Initial Developer are Copyright (C) 1998
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-# $Id$
-#
-
-# Read parameters from the environment, if available
-$NAMEVAR = $ENV{'NAMEVAR'} || "g_names";
-$COUNTVAR = $ENV{'COUNTVAR'} || "g_count";
-$FUNCVAR = $ENV{'FUNCVAR'} || "g_tests";
-$DESCVAR = $ENV{'DESCVAR'} || "g_descs";
-$FUNCLEN = 13;
-$NAMELEN = 18;
-$DESCLEN = 45;
-
-#------------------------------------------------------------------------
-# Suck in input from the files on the command line, or standard input
-while(<>) {
-    chomp;
-    s/\#.*$//;
-    next if /^\s*$/;
-
-    ($suite, $func, $desc) = split(/:/, $_);
-
-    $tmp = { "suite" => $suite,
-	     "func"  => $func,
-	     "desc"  => $desc };
-
-    push(@item, $tmp);
-}
-$count = scalar(@item);
-$last = pop(@item);
-
-#------------------------------------------------------------------------
-# Output the table of names
-print "/* Table mapping test suite names to index numbers */\n";
-printf("const int   %s = %d;\n", $COUNTVAR, $count);
-printf("const char *%s[] = {\n", $NAMEVAR);
-
-foreach $elt (@item) {
-    printf("   \"%s\",%s/* %s%s */\n", $elt->{"suite"},
-	   " " x ($NAMELEN - length($elt->{"suite"})),
-	   $elt->{"desc"},
-	   " " x ($DESCLEN - length($elt->{"desc"})));
-}
-printf("   \"%s\" %s/* %s%s */\n", $last->{"suite"},
-       " " x ($NAMELEN - length($last->{"suite"})),
-       $last->{"desc"},
-       " " x ($DESCLEN - length($last->{"desc"})));
-print "};\n\n";
-
-#------------------------------------------------------------------------
-# Output the driver function prototypes
-print "/* Test function prototypes */\n";
-foreach $elt (@item, $last) {
-    printf("int  %s(void);\n", $elt->{"func"});
-}
-print "\n";
-
-#------------------------------------------------------------------------
-# Output the table of functions
-print "/* Table mapping index numbers to functions */\n";
-printf("int (*%s[])(void)  = {\n   ", $FUNCVAR);
-$brk = 0;
-
-foreach $elt (@item) {
-    print($elt->{"func"}, ", ", 
-	  " " x ($FUNCLEN - length($elt->{"func"})));
-    $brk = ($brk + 1) & 3;
-    print "\n   " unless($brk);
-}
-print $last->{"func"}, "\n};\n\n";
-
-#------------------------------------------------------------------------
-# Output the table of descriptions
-print "/* Table mapping index numbers to descriptions */\n";
-printf("const char *%s[] = {\n", $DESCVAR);
-
-foreach $elt (@item) {
-    printf("   \"%s\",\n", $elt->{"desc"});
-}
-printf("   \"%s\"\n};\n\n", $last->{"desc"});
-
-exit 0;
-
diff --git a/security/nss/lib/freebl/mpi/mdxptest.c b/security/nss/lib/freebl/mpi/mdxptest.c
deleted file mode 100644
index 0377c5949..000000000
--- a/security/nss/lib/freebl/mpi/mdxptest.c
+++ /dev/null
@@ -1,342 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <malloc.h>
-#include <time.h>
-#include "mpi.h"
-#include "mpi-priv.h"
-
-/* #define OLD_WAY 1  */
-
-/* This key is the 1024-bit test key used for speed testing of RSA private 
-** key ops.
-*/
-
-#define CONST const
-
-static CONST unsigned char default_n[128] = {
-0xc2,0xae,0x96,0x89,0xaf,0xce,0xd0,0x7b,0x3b,0x35,0xfd,0x0f,0xb1,0xf4,0x7a,0xd1,
-0x3c,0x7d,0xb5,0x86,0xf2,0x68,0x36,0xc9,0x97,0xe6,0x82,0x94,0x86,0xaa,0x05,0x39,
-0xec,0x11,0x51,0xcc,0x5c,0xa1,0x59,0xba,0x29,0x18,0xf3,0x28,0xf1,0x9d,0xe3,0xae,
-0x96,0x5d,0x6d,0x87,0x73,0xf6,0xf6,0x1f,0xd0,0x2d,0xfb,0x2f,0x7a,0x13,0x7f,0xc8,
-0x0c,0x7a,0xe9,0x85,0xfb,0xce,0x74,0x86,0xf8,0xef,0x2f,0x85,0x37,0x73,0x0f,0x62,
-0x4e,0x93,0x17,0xb7,0x7e,0x84,0x9a,0x94,0x11,0x05,0xca,0x0d,0x31,0x4b,0x2a,0xc8,
-0xdf,0xfe,0xe9,0x0c,0x13,0xc7,0xf2,0xad,0x19,0x64,0x28,0x3c,0xb5,0x6a,0xc8,0x4b,
-0x79,0xea,0x7c,0xce,0x75,0x92,0x45,0x3e,0xa3,0x9d,0x64,0x6f,0x04,0x69,0x19,0x17
-};
-
-static CONST unsigned char default_d[128] = {
-0x13,0xcb,0xbc,0xf2,0xf3,0x35,0x8c,0x6d,0x7b,0x6f,0xd9,0xf3,0xa6,0x9c,0xbd,0x80,
-0x59,0x2e,0x4f,0x2f,0x11,0xa7,0x17,0x2b,0x18,0x8f,0x0f,0xe8,0x1a,0x69,0x5f,0x6e,
-0xac,0x5a,0x76,0x7e,0xd9,0x4c,0x6e,0xdb,0x47,0x22,0x8a,0x57,0x37,0x7a,0x5e,0x94,
-0x7a,0x25,0xb5,0xe5,0x78,0x1d,0x3c,0x99,0xaf,0x89,0x7d,0x69,0x2e,0x78,0x9d,0x1d,
-0x84,0xc8,0xc1,0xd7,0x1a,0xb2,0x6d,0x2d,0x8a,0xd9,0xab,0x6b,0xce,0xae,0xb0,0xa0,
-0x58,0x55,0xad,0x5c,0x40,0x8a,0xd6,0x96,0x08,0x8a,0xe8,0x63,0xe6,0x3d,0x6c,0x20,
-0x49,0xc7,0xaf,0x0f,0x25,0x73,0xd3,0x69,0x43,0x3b,0xf2,0x32,0xf8,0x3d,0x5e,0xee,
-0x7a,0xca,0xd6,0x94,0x55,0xe5,0xbd,0x25,0x34,0x8d,0x63,0x40,0xb5,0x8a,0xc3,0x01
-};
-
-
-#define DEFAULT_ITERS 50
-
-typedef clock_t timetype;
-#define gettime(x) *(x) = clock()
-#define subtime(a, b) a -= b
-#define msec(x) ((clock_t)((double)x * 1000.0 / CLOCKS_PER_SEC))
-#define sec(x) (x / CLOCKS_PER_SEC)
-
-struct TimingContextStr {
-    timetype start;
-    timetype end;
-    timetype interval;
-
-    int   minutes;  
-    int   seconds;  
-    int   millisecs;
-};
-
-typedef struct TimingContextStr TimingContext;
-
-TimingContext *CreateTimingContext(void) 
-{
-    return (TimingContext *)malloc(sizeof(TimingContext));
-}
-
-void DestroyTimingContext(TimingContext *ctx) 
-{
-    free(ctx);
-}
-
-void TimingBegin(TimingContext *ctx) 
-{
-    gettime(&ctx->start);
-}
-
-static void timingUpdate(TimingContext *ctx) 
-{
-
-    ctx->millisecs = msec(ctx->interval) % 1000;
-    ctx->seconds   = sec(ctx->interval);
-    ctx->minutes   = ctx->seconds / 60;
-    ctx->seconds  %= 60;
-
-}
-
-void TimingEnd(TimingContext *ctx) 
-{
-    gettime(&ctx->end);
-    ctx->interval = ctx->end;
-    subtime(ctx->interval, ctx->start);
-    timingUpdate(ctx);
-}
-
-char *TimingGenerateString(TimingContext *ctx) 
-{
-    static char sBuf[4096];
-
-    sprintf(sBuf, "%d minutes, %d.%03d seconds", ctx->minutes,
-				ctx->seconds, ctx->millisecs);
-    return sBuf;
-}
-
-static void
-dumpBytes( unsigned char * b, int l)
-{
-    int i;
-    if (l <= 0)
-        return;
-    for (i = 0; i < l; ++i) {
-        if (i % 16 == 0)
-            printf("\t");
-        printf(" %02x", b[i]);
-        if (i % 16 == 15)
-            printf("\n");
-    }
-    if ((i % 16) != 0)
-        printf("\n");
-    printf("\n");
-}
-
-static mp_err
-testNewFuncs(const unsigned char * modulusBytes, int modulus_len)
-{
-    mp_err mperr	= MP_OKAY;
-    mp_int modulus;
-    unsigned char buf[512];
-
-    mperr = mp_init(&modulus);
-    mperr = mp_read_unsigned_octets(&modulus,  modulusBytes,  modulus_len );
-    mperr = mp_to_fixlen_octets(&modulus, buf, modulus_len);
-    mperr = mp_to_fixlen_octets(&modulus, buf, modulus_len+1);
-    mperr = mp_to_fixlen_octets(&modulus, buf, modulus_len+4);
-    mperr = mp_to_unsigned_octets(&modulus, buf, modulus_len);
-    mperr = mp_to_signed_octets(&modulus, buf, modulus_len + 1);
-    mp_clear(&modulus);
-    return mperr;
-}
-
-int
-testModExp( const unsigned char *      modulusBytes, 
-	    const unsigned int         expo,
-	    const unsigned char *      input, 
-	          unsigned char *      output,
-	          int                  modulus_len)
-{
-    mp_err mperr	= MP_OKAY;
-    mp_int modulus;
-    mp_int base;
-    mp_int exponent;
-    mp_int result;
-
-    mperr  = mp_init(&modulus);
-    mperr += mp_init(&base);
-    mperr += mp_init(&exponent);
-    mperr += mp_init(&result);
-    /* we initialize all mp_ints unconditionally, even if some fail.
-    ** This guarantees that the DIGITS pointer is valid (even if null).
-    ** So, mp_clear will do the right thing below. 
-    */
-    if (mperr == MP_OKAY) {
-      mperr  = mp_read_unsigned_octets(&modulus,  
-		modulusBytes + (sizeof default_n - modulus_len),  modulus_len );
-      mperr += mp_read_unsigned_octets(&base,     input,         modulus_len );
-      mp_set(&exponent, expo);
-      if (mperr == MP_OKAY) {
-#if OLD_WAY
-	mperr = s_mp_exptmod(&base, &exponent, &modulus, &result);
-#else
-	mperr = mp_exptmod(&base, &exponent, &modulus, &result);
-#endif
-	if (mperr == MP_OKAY) {
-	  mperr = mp_to_fixlen_octets(&result, output, modulus_len);
-	}
-      }
-    }
-    mp_clear(&base);
-    mp_clear(&result);
-
-    mp_clear(&modulus);
-    mp_clear(&exponent);
-
-    return (int)mperr;
-}
-
-int
-doModExp(   const unsigned char *      modulusBytes, 
-	    const unsigned char *      exponentBytes, 
-	    const unsigned char *      input, 
-	          unsigned char *      output,
-	          int                  modulus_len)
-{
-    mp_err mperr	= MP_OKAY;
-    mp_int modulus;
-    mp_int base;
-    mp_int exponent;
-    mp_int result;
-
-    mperr  = mp_init(&modulus);
-    mperr += mp_init(&base);
-    mperr += mp_init(&exponent);
-    mperr += mp_init(&result);
-    /* we initialize all mp_ints unconditionally, even if some fail.
-    ** This guarantees that the DIGITS pointer is valid (even if null).
-    ** So, mp_clear will do the right thing below. 
-    */
-    if (mperr == MP_OKAY) {
-      mperr  = mp_read_unsigned_octets(&modulus,  
-		modulusBytes + (sizeof default_n - modulus_len),  modulus_len );
-      mperr += mp_read_unsigned_octets(&exponent, exponentBytes, modulus_len );
-      mperr += mp_read_unsigned_octets(&base,     input,         modulus_len );
-      if (mperr == MP_OKAY) {
-#if OLD_WAY
-	mperr = s_mp_exptmod(&base, &exponent, &modulus, &result);
-#else
-	mperr = mp_exptmod(&base, &exponent, &modulus, &result);
-#endif
-	if (mperr == MP_OKAY) {
-	  mperr = mp_to_fixlen_octets(&result, output, modulus_len);
-	}
-      }
-    }
-    mp_clear(&base);
-    mp_clear(&result);
-
-    mp_clear(&modulus);
-    mp_clear(&exponent);
-
-    return (int)mperr;
-}
-
-int
-main(int argc, char **argv)
-{
-    TimingContext *	  timeCtx;
-    char *		  progName;
-    long 		  iters 	= DEFAULT_ITERS;
-    unsigned int 	  modulus_len;
-    int		 	  i;
-    int 		  rv;
-    unsigned char 	  buf [1024];
-    unsigned char 	  buf2[1024];
-
-    progName = strrchr(argv[0], '/');
-    if (!progName)
-	progName = strrchr(argv[0], '\\');
-    progName = progName ? progName+1 : argv[0];
-
-    if (argc >= 2) {
-	iters = atol(argv[1]);
-    }
-
-    if (argc >= 3) {
-	modulus_len = atol(argv[2]);
-    } else 
-	modulus_len = sizeof default_n;
-
-    /* no library init function !? */
-
-    memset(buf, 0x41, sizeof buf);
-
-  if (iters < 2) {
-    testNewFuncs( default_n, modulus_len);
-    testNewFuncs( default_n+1, modulus_len - 1);
-    testNewFuncs( default_n+2, modulus_len - 2);
-    testNewFuncs( default_n+3, modulus_len - 3);
-
-    printf("%lu allocations, %lu frees, %lu copies\n", mp_allocs, mp_frees, mp_copies);
-    rv = testModExp(default_n, 0, buf, buf2, modulus_len);
-    dumpBytes((unsigned char *)buf2, modulus_len);
-
-    printf("%lu allocations, %lu frees, %lu copies\n", mp_allocs, mp_frees, mp_copies);
-    rv = testModExp(default_n, 1, buf, buf2, modulus_len);
-    dumpBytes((unsigned char *)buf2, modulus_len);
-
-    printf("%lu allocations, %lu frees, %lu copies\n", mp_allocs, mp_frees, mp_copies);
-    rv = testModExp(default_n, 2, buf, buf2, modulus_len);
-    dumpBytes((unsigned char *)buf2, modulus_len);
-
-    printf("%lu allocations, %lu frees, %lu copies\n", mp_allocs, mp_frees, mp_copies);
-    rv = testModExp(default_n, 3, buf, buf2, modulus_len);
-    dumpBytes((unsigned char *)buf2, modulus_len);
-  }
-    printf("%lu allocations, %lu frees, %lu copies\n", mp_allocs, mp_frees, mp_copies);
-    rv = doModExp(default_n, default_d, buf, buf2, modulus_len);
-    if (rv != 0) {
-	fprintf(stderr, "Error in modexp operation:\n");
-	exit(1);
-    }
-    dumpBytes((unsigned char *)buf2, modulus_len);
-    printf("%lu allocations, %lu frees, %lu copies\n", mp_allocs, mp_frees, mp_copies);
-
-    timeCtx = CreateTimingContext();
-    TimingBegin(timeCtx);
-    i = iters;
-    while (i--) {
-	rv = doModExp(default_n, default_d, buf, buf2, modulus_len);
-	if (rv != 0) {
-	    fprintf(stderr, "Error in modexp operation\n");
-	    exit(1);
-	}
-    }
-    TimingEnd(timeCtx);
-    printf("%ld iterations in %s\n", iters, TimingGenerateString(timeCtx));
-    printf("%lu allocations, %lu frees, %lu copies\n", mp_allocs, mp_frees, mp_copies);
-
-    return 0;
-}
diff --git a/security/nss/lib/freebl/mpi/montmulf.c b/security/nss/lib/freebl/mpi/montmulf.c
deleted file mode 100644
index a1fe939a8..000000000
--- a/security/nss/lib/freebl/mpi/montmulf.c
+++ /dev/null
@@ -1,329 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is SPARC optimized Montgomery multiply functions.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems Inc.
- * Portions created by the Initial Developer are Copyright (C) 1999-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Netscape Communications Corporation
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#ifdef SOLARIS
-#define RF_INLINE_MACROS 1
-#endif
-
-static const double TwoTo16=65536.0;
-static const double TwoToMinus16=1.0/65536.0;
-static const double Zero=0.0;
-static const double TwoTo32=65536.0*65536.0;
-static const double TwoToMinus32=1.0/(65536.0*65536.0);
-
-#ifdef RF_INLINE_MACROS
-
-double upper32(double);
-double lower32(double, double);
-double mod(double, double, double);
-
-void i16_to_d16_and_d32x4(const double * /*1/(2^16)*/, 
-			  const double * /* 2^16*/,
-			  const double * /* 0 */,
-			  double *       /*result16*/, 
-			  double *       /* result32 */,
-			  float *  /*source - should be unsigned int*
-		          	       converted to float* */);
-
-#else
-#ifdef MP_USE_FLOOR
-#include <math.h>
-#else
-#define floor(d) ((double)((unsigned long long)(d)))
-#endif
-
-static double upper32(double x)
-{
-  return floor(x*TwoToMinus32);
-}
-
-static double lower32(double x, double y)
-{
-  return x-TwoTo32*floor(x*TwoToMinus32);
-}
-
-static double mod(double x, double oneoverm, double m)
-{
-  return x-m*floor(x*oneoverm);
-}
-
-#endif
-
-
-static void cleanup(double *dt, int from, int tlen)
-{
- int i;
- double tmp,tmp1,x,x1;
-
- tmp=tmp1=Zero;
- /* original code **
- for(i=2*from;i<2*tlen-2;i++)
-   {
-     x=dt[i];
-     dt[i]=lower32(x,Zero)+tmp1;
-     tmp1=tmp;
-     tmp=upper32(x);
-   }
- dt[tlen-2]+=tmp1;
- dt[tlen-1]+=tmp;
- **end original code ***/
- /* new code ***/
- for(i=2*from;i<2*tlen;i+=2)
-   {
-     x=dt[i];
-     x1=dt[i+1];
-     dt[i]=lower32(x,Zero)+tmp;
-     dt[i+1]=lower32(x1,Zero)+tmp1;
-     tmp=upper32(x);
-     tmp1=upper32(x1);
-   }
-  /** end new code **/
-}
-
-
-void conv_d16_to_i32(unsigned int *i32, double *d16, long long *tmp, int ilen)
-{
-int i;
-long long t, t1, a, b, c, d;
-
- t1=0;
- a=(long long)d16[0];
- b=(long long)d16[1];
- for(i=0; i<ilen-1; i++)
-   {
-     c=(long long)d16[2*i+2];
-     t1+=(unsigned int)a;
-     t=(a>>32);
-     d=(long long)d16[2*i+3];
-     t1+=(b&0xffff)<<16;
-     t+=(b>>16)+(t1>>32);
-     i32[i]=(unsigned int)t1;
-     t1=t;
-     a=c;
-     b=d;
-   }
- t1+=(unsigned int)a;
- t=(a>>32);
- t1+=(b&0xffff)<<16;
- i32[i]=(unsigned int)t1;
-}
-
-void conv_i32_to_d32(double *d32, unsigned int *i32, int len)
-{
-int i;
-
-#pragma pipeloop(0)
- for(i=0;i<len;i++) d32[i]=(double)(i32[i]);
-}
-
-
-void conv_i32_to_d16(double *d16, unsigned int *i32, int len)
-{
-int i;
-unsigned int a;
-
-#pragma pipeloop(0)
- for(i=0;i<len;i++)
-   {
-     a=i32[i];
-     d16[2*i]=(double)(a&0xffff);
-     d16[2*i+1]=(double)(a>>16);
-   }
-}
-
-
-void conv_i32_to_d32_and_d16(double *d32, double *d16, 
-			     unsigned int *i32, int len)
-{
-int i = 0;
-unsigned int a;
-
-#pragma pipeloop(0)
-#ifdef RF_INLINE_MACROS
- for(;i<len-3;i+=4)
-   {
-     i16_to_d16_and_d32x4(&TwoToMinus16, &TwoTo16, &Zero,
-			  &(d16[2*i]), &(d32[i]), (float *)(&(i32[i])));
-   }
-#endif
- for(;i<len;i++)
-   {
-     a=i32[i];
-     d32[i]=(double)(i32[i]);
-     d16[2*i]=(double)(a&0xffff);
-     d16[2*i+1]=(double)(a>>16);
-   }
-}
-
-
-void adjust_montf_result(unsigned int *i32, unsigned int *nint, int len)
-{
-long long acc;
-int i;
-
- if(i32[len]>0) i=-1;
- else
-   {
-     for(i=len-1; i>=0; i--)
-       {
-	 if(i32[i]!=nint[i]) break;
-       }
-   }
- if((i<0)||(i32[i]>nint[i]))
-   {
-     acc=0;
-     for(i=0;i<len;i++)
-       {
-	 acc=acc+(unsigned long long)(i32[i])-(unsigned long long)(nint[i]);
-	 i32[i]=(unsigned int)acc;
-	 acc=acc>>32;
-       }
-   }
-}
-
-
-
-
-/*
-** the lengths of the input arrays should be at least the following:
-** result[nlen+1], dm1[nlen], dm2[2*nlen+1], dt[4*nlen+2], dn[nlen], nint[nlen]
-** all of them should be different from one another
-**
-*/
-void mont_mulf_noconv(unsigned int *result,
-		     double *dm1, double *dm2, double *dt,
-		     double *dn, unsigned int *nint,
-		     int nlen, double dn0)
-{
- int i, j, jj;
- int tmp;
- double digit, m2j, nextm2j, a, b;
- double *dptmp, *pdm1, *pdm2, *pdn, *pdtj, pdn_0, pdm1_0;
-
- pdm1=&(dm1[0]);
- pdm2=&(dm2[0]);
- pdn=&(dn[0]);
- pdm2[2*nlen]=Zero;
-
- if (nlen!=16)
-   {
-     for(i=0;i<4*nlen+2;i++) dt[i]=Zero;
-
-     a=dt[0]=pdm1[0]*pdm2[0];
-     digit=mod(lower32(a,Zero)*dn0,TwoToMinus16,TwoTo16);
-
-     pdtj=&(dt[0]);
-     for(j=jj=0;j<2*nlen;j++,jj++,pdtj++)
-       {
-	 m2j=pdm2[j];
-	 a=pdtj[0]+pdn[0]*digit;
-	 b=pdtj[1]+pdm1[0]*pdm2[j+1]+a*TwoToMinus16;
-	 pdtj[1]=b;
-
-#pragma pipeloop(0)
-	 for(i=1;i<nlen;i++)
-	   {
-	     pdtj[2*i]+=pdm1[i]*m2j+pdn[i]*digit;
-	   }
- 	 if((jj==30)) {cleanup(dt,j/2+1,2*nlen+1); jj=0;}
-	 
-	 digit=mod(lower32(b,Zero)*dn0,TwoToMinus16,TwoTo16);
-       }
-   }
- else
-   {
-     a=dt[0]=pdm1[0]*pdm2[0];
-
-     dt[65]=     dt[64]=     dt[63]=     dt[62]=     dt[61]=     dt[60]=
-     dt[59]=     dt[58]=     dt[57]=     dt[56]=     dt[55]=     dt[54]=
-     dt[53]=     dt[52]=     dt[51]=     dt[50]=     dt[49]=     dt[48]=
-     dt[47]=     dt[46]=     dt[45]=     dt[44]=     dt[43]=     dt[42]=
-     dt[41]=     dt[40]=     dt[39]=     dt[38]=     dt[37]=     dt[36]=
-     dt[35]=     dt[34]=     dt[33]=     dt[32]=     dt[31]=     dt[30]=
-     dt[29]=     dt[28]=     dt[27]=     dt[26]=     dt[25]=     dt[24]=
-     dt[23]=     dt[22]=     dt[21]=     dt[20]=     dt[19]=     dt[18]=
-     dt[17]=     dt[16]=     dt[15]=     dt[14]=     dt[13]=     dt[12]=
-     dt[11]=     dt[10]=     dt[ 9]=     dt[ 8]=     dt[ 7]=     dt[ 6]=
-     dt[ 5]=     dt[ 4]=     dt[ 3]=     dt[ 2]=     dt[ 1]=Zero;
-
-     pdn_0=pdn[0];
-     pdm1_0=pdm1[0];
-
-     digit=mod(lower32(a,Zero)*dn0,TwoToMinus16,TwoTo16);
-     pdtj=&(dt[0]);
-
-     for(j=0;j<32;j++,pdtj++)
-       {
-
-	 m2j=pdm2[j];
-	 a=pdtj[0]+pdn_0*digit;
-	 b=pdtj[1]+pdm1_0*pdm2[j+1]+a*TwoToMinus16;
-	 pdtj[1]=b;
-
-	 /**** this loop will be fully unrolled:
-	 for(i=1;i<16;i++)
-	   {
-	     pdtj[2*i]+=pdm1[i]*m2j+pdn[i]*digit;
-	   }
-	 *************************************/
-	     pdtj[2]+=pdm1[1]*m2j+pdn[1]*digit;
-	     pdtj[4]+=pdm1[2]*m2j+pdn[2]*digit;
-	     pdtj[6]+=pdm1[3]*m2j+pdn[3]*digit;
-	     pdtj[8]+=pdm1[4]*m2j+pdn[4]*digit;
-	     pdtj[10]+=pdm1[5]*m2j+pdn[5]*digit;
-	     pdtj[12]+=pdm1[6]*m2j+pdn[6]*digit;
-	     pdtj[14]+=pdm1[7]*m2j+pdn[7]*digit;
-	     pdtj[16]+=pdm1[8]*m2j+pdn[8]*digit;
-	     pdtj[18]+=pdm1[9]*m2j+pdn[9]*digit;
-	     pdtj[20]+=pdm1[10]*m2j+pdn[10]*digit;
-	     pdtj[22]+=pdm1[11]*m2j+pdn[11]*digit;
-	     pdtj[24]+=pdm1[12]*m2j+pdn[12]*digit;
-	     pdtj[26]+=pdm1[13]*m2j+pdn[13]*digit;
-	     pdtj[28]+=pdm1[14]*m2j+pdn[14]*digit;
-	     pdtj[30]+=pdm1[15]*m2j+pdn[15]*digit;
-	 /* no need for cleenup, cannot overflow */
-	 digit=mod(lower32(b,Zero)*dn0,TwoToMinus16,TwoTo16);
-       }
-   }
-
- conv_d16_to_i32(result,dt+2*nlen,(long long *)dt,nlen+1);
-
- adjust_montf_result(result,nint,nlen); 
- 
-}
-
diff --git a/security/nss/lib/freebl/mpi/montmulf.h b/security/nss/lib/freebl/mpi/montmulf.h
deleted file mode 100644
index 9bd0f72f8..000000000
--- a/security/nss/lib/freebl/mpi/montmulf.h
+++ /dev/null
@@ -1,103 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is interface file for SPARC Montgomery multiply functions.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems Inc.
- * Portions created by the Initial Developer are Copyright (C) 1999-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Netscape Communications Corporation
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-/*  The functions that are to be called from outside of the .s file have the
- *  following interfaces and array size requirements:
- */
-
-
-void conv_i32_to_d32(double *d32, unsigned int *i32, int len);
-
-/*  Converts an array of int's to an array of doubles, so that each double
- *  corresponds to an int.  len is the number of items converted.
- *  Does not allocate the output array.
- *  The pointers d32 and i32 should point to arrays of size at least  len
- *  (doubles and unsigned ints, respectively)
- */
-
-
-void conv_i32_to_d16(double *d16, unsigned int *i32, int len);
-
-/*  Converts an array of int's to an array of doubles so that each element
- *  of the int array is converted to a pair of doubles, the first one
- *  corresponding to the lower (least significant) 16 bits of the int and
- *  the second one corresponding to the upper (most significant) 16 bits of
- *  the 32-bit int. len is the number of ints converted.
- *  Does not allocate the output array.
- *  The pointer d16 should point to an array of doubles of size at least
- *  2*len and i32 should point an array of ints of size at least  len
- */
-
-
-void conv_i32_to_d32_and_d16(double *d32, double *d16, 
-			     unsigned int *i32, int len);
-
-/*  Does the above two conversions together, it is much faster than doing
- *  both of those in succession
- */
-
-
-void mont_mulf_noconv(unsigned int *result,
-		     double *dm1, double *dm2, double *dt,
-		     double *dn, unsigned int *nint,
-		     int nlen, double dn0);
-
-/*  Does the Montgomery multiplication of the numbers stored in the arrays
- *  pointed to by dm1 and dm2, writing the result to the array pointed to by
- *  result. It uses the array pointed to by dt as a temporary work area.
- *  nint should point to the modulus in the array-of-integers representation, 
- *  dn should point to its array-of-doubles as obtained as a result of the
- *  function call   conv_i32_to_d32(dn, nint, nlen);
- *  nlen is the length of the array containing the modulus.
- *  The representation used for dm1 is the one that is a result of the function
- *  call   conv_i32_to_d32(dm1, m1, nlen), the representation for dm2 is the
- *  result of the function call   conv_i32_to_d16(dm2, m2, nlen).
- *  Note that m1 and m2 should both be of length nlen, so they should be
- *  padded with 0's if necessary before the conversion. The result comes in 
- *  this form (int representation, padded with 0's).
- *  dn0 is the value of the 16 least significant bits of n0'.
- *  The function does not allocate memory for any of the arrays, so the 
- *  pointers should point to arrays with the following minimal sizes:
- *  result - nlen+1
- *  dm1    - nlen
- *  dm2    - 2*nlen+1  ( the +1 is necessary for technical reasons )
- *  dt     - 4*nlen+2
- *  dn     - nlen
- *  nint   - nlen
- *  No two arrays should point to overlapping areas of memory.
- */  
diff --git a/security/nss/lib/freebl/mpi/montmulf.il b/security/nss/lib/freebl/mpi/montmulf.il
deleted file mode 100644
index 27ce26a77..000000000
--- a/security/nss/lib/freebl/mpi/montmulf.il
+++ /dev/null
@@ -1,141 +0,0 @@
-!  
-! ***** BEGIN LICENSE BLOCK *****
-! Version: MPL 1.1/GPL 2.0/LGPL 2.1
-!
-! The contents of this file are subject to the Mozilla Public License Version
-! 1.1 (the "License"); you may not use this file except in compliance with
-! the License. You may obtain a copy of the License at
-! http://www.mozilla.org/MPL/
-!
-! Software distributed under the License is distributed on an "AS IS" basis,
-! WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-! for the specific language governing rights and limitations under the
-! License.
-!
-! The Original Code is inline macros for SPARC Montgomery multiply functions.
-!
-! The Initial Developer of the Original Code is
-! Sun Microsystems Inc.
-! Portions created by the Initial Developer are Copyright (C) 1999-2000
-! the Initial Developer. All Rights Reserved.
-!
-! Contributor(s):
-!
-! Alternatively, the contents of this file may be used under the terms of
-! either the GNU General Public License Version 2 or later (the "GPL"), or
-! the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-! in which case the provisions of the GPL or the LGPL are applicable instead
-! of those above. If you wish to allow use of your version of this file only
-! under the terms of either the GPL or the LGPL, and not to allow others to
-! use your version of this file under the terms of the MPL, indicate your
-! decision by deleting the provisions above and replace them with the notice
-! and other provisions required by the GPL or the LGPL. If you do not delete
-! the provisions above, a recipient may use your version of this file under
-! the terms of any one of the MPL, the GPL or the LGPL.
-!
-! ***** END LICENSE BLOCK *****
-! $Id$
-
-!
-! double upper32(double /*frs1*/);
-!
-        .inline upper32,8
-        std     %o0,[%sp+0x48]
-        ldd     [%sp+0x48],%f10
-
-	fdtox	%f10,%f10
-	fitod	%f10,%f0
-        .end
-
-!
-! double lower32(double /*frs1*/, double /* Zero */);
-!
-        .inline lower32,8
-        std     %o0,[%sp+0x48]
-        ldd     [%sp+0x48],%f10
-        std     %o2,[%sp+0x48]
-        ldd     [%sp+0x48],%f12
-
-	fdtox	%f10,%f10
-	fmovs	%f12,%f10
-	fxtod	%f10,%f0
-        .end
-
-!
-! double mod(double /*x*/, double /*1/m*/, double /*m*/);
-!
-        .inline mod,12
-        std     %o0,[%sp+0x48]
-        ldd     [%sp+0x48],%f2
-        std     %o2,[%sp+0x48]
-        ldd     [%sp+0x48],%f4
-        std     %o4,[%sp+0x48]
-        ldd     [%sp+0x48],%f6
-
-	fmuld	%f2,%f4,%f4
-	fdtox	%f4,%f4
-	fxtod	%f4,%f4
-	fmuld	%f4,%f6,%f4
-	fsubd	%f2,%f4,%f0
-        .end
-
-
-!
-! void i16_to_d16_and_d32x4(double * /*1/(2^16)*/, double * /* 2^16*/,
-!			    double * /* 0 */,
-!			    double * /*result16*/, double * /* result32 */
-!			    float *  /*source - should be unsigned int*
-!		            	       converted to float* */);
-!
-        .inline i16_to_d16_and_d32x4,24
-        ldd     [%o0],%f2  ! 1/(2^16)
-        ldd     [%o1],%f4  ! 2^16
-	ldd	[%o2],%f22
-
-	fmovd	%f22,%f6
-	ld	[%o5],%f7
-	fmovd	%f22,%f10
-	ld	[%o5+4],%f11
-	fmovd	%f22,%f14
-	ld	[%o5+8],%f15
-	fmovd	%f22,%f18
-	ld	[%o5+12],%f19
-	fxtod	%f6,%f6
-	std	%f6,[%o4]
-	fxtod	%f10,%f10
-	std	%f10,[%o4+8]
-	fxtod	%f14,%f14
-	std	%f14,[%o4+16]
-	fxtod	%f18,%f18
-	std	%f18,[%o4+24]
-	fmuld	%f2,%f6,%f8
-	fmuld	%f2,%f10,%f12
-	fmuld	%f2,%f14,%f16
-	fmuld	%f2,%f18,%f20
-	fdtox	%f8,%f8
-	fdtox	%f12,%f12
-	fdtox	%f16,%f16
-	fdtox	%f20,%f20
-	fxtod	%f8,%f8
-	std	%f8,[%o3+8]
-	fxtod	%f12,%f12
-	std	%f12,[%o3+24]
-	fxtod	%f16,%f16
-	std	%f16,[%o3+40]
-	fxtod	%f20,%f20
-	std	%f20,[%o3+56]
-	fmuld	%f8,%f4,%f8
-	fmuld	%f12,%f4,%f12
-	fmuld	%f16,%f4,%f16
-	fmuld	%f20,%f4,%f20
-	fsubd	%f6,%f8,%f8
-	std	%f8,[%o3]
-	fsubd	%f10,%f12,%f12
-	std	%f12,[%o3+16]
-	fsubd	%f14,%f16,%f16
-	std	%f16,[%o3+32]
-	fsubd	%f18,%f20,%f20
-	std	%f20,[%o3+48]
-        .end
-
-
diff --git a/security/nss/lib/freebl/mpi/montmulf.s b/security/nss/lib/freebl/mpi/montmulf.s
deleted file mode 100644
index cdb5d376e..000000000
--- a/security/nss/lib/freebl/mpi/montmulf.s
+++ /dev/null
@@ -1,1967 +0,0 @@
-!  
-!  The contents of this file are subject to the Mozilla Public
-!  License Version 1.1 (the "License"); you may not use this file
-!  except in compliance with the License. You may obtain a copy of
-!  the License at http://www.mozilla.org/MPL/
-!  
-!  Software distributed under the License is distributed on an "AS
-!  IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-!  implied. See the License for the specific language governing
-!  rights and limitations under the License.
-!  
-!  The Original Code is SPARC hand-optimized Montgomery multiply functions.
-!   
-!  The Initial Developer of the Original Code is Sun Microsystems Inc.
-!  Portions created by Sun Microsystems Inc. are 
-!  Copyright (C) 1999-2000 Sun Microsystems Inc.  All Rights Reserved.
-!  
-!  Contributor(s):
-!  
-!  Alternatively, the contents of this file may be used under the
-!  terms of the GNU General Public License Version 2 or later (the
-!  "GPL"), in which case the provisions of the GPL are applicable 
-!  instead of those above.	If you wish to allow use of your 
-!  version of this file only under the terms of the GPL and not to
-!  allow others to use your version of this file under the MPL,
-!  indicate your decision by deleting the provisions above and
-!  replace them with the notice and other provisions required by
-!  the GPL.  If you do not delete the provisions above, a recipient
-!  may use your version of this file under either the MPL or the
-!  GPL.
-!  
-!   $Id$
-!  
-
-	.section	".text",#alloc,#execinstr
-	.file	"montmulf.c"
-
-	.section	".data",#alloc,#write
-	.align	8
-TwoTo16:		/* frequency 1.0 confidence 0.0 */
-	.word	1089470464
-	.word	0
-	.type	TwoTo16,#object
-	.size	TwoTo16,8
-TwoToMinus16:		/* frequency 1.0 confidence 0.0 */
-	.word	1055916032
-	.word	0
-	.type	TwoToMinus16,#object
-	.size	TwoToMinus16,8
-Zero:		/* frequency 1.0 confidence 0.0 */
-	.word	0
-	.word	0
-	.type	Zero,#object
-	.size	Zero,8
-TwoTo32:		/* frequency 1.0 confidence 0.0 */
-	.word	1106247680
-	.word	0
-	.type	TwoTo32,#object
-	.size	TwoTo32,8
-TwoToMinus32:		/* frequency 1.0 confidence 0.0 */
-	.word	1039138816
-	.word	0
-	.type	TwoToMinus32,#object
-	.size	TwoToMinus32,8
-
-	.section	".text",#alloc,#execinstr
-/* 000000	   0 ( 0  0) */		.align	4
-!
-! SUBROUTINE cleanup
-!
-! OFFSET    SOURCE LINE	LABEL	INSTRUCTION	(ISSUE TIME)	(COMPLETION TIME)
-
-                                   	.global cleanup
-                                   cleanup:		/* frequency 1.0 confidence 0.0 */
-! FILE montmulf.c
-
-!    1		                    !#define RF_INLINE_MACROS
-!    3		                    !static double TwoTo16=65536.0;
-!    4		                    !static double TwoToMinus16=1.0/65536.0;
-!    5		                    !static double Zero=0.0;
-!    6		                    !static double TwoTo32=65536.0*65536.0;
-!    7		                    !static double TwoToMinus32=1.0/(65536.0*65536.0);
-!    9		                    !#ifdef RF_INLINE_MACROS
-!   11		                    !double upper32(double);
-!   12		                    !double lower32(double, double);
-!   13		                    !double mod(double, double, double);
-!   15		                    !#else
-!   17		                    !static double upper32(double x)
-!   18		                    !{
-!   19		                    !  return floor(x*TwoToMinus32);
-!   20		                    !}
-!   22		                    !static double lower32(double x, double y)
-!   23		                    !{
-!   24		                    !  return x-TwoTo32*floor(x*TwoToMinus32);
-!   25		                    !}
-!   27		                    !static double mod(double x, double oneoverm, double m)
-!   28		                    !{
-!   29		                    !  return x-m*floor(x*oneoverm);
-!   30		                    !}
-!   32		                    !#endif
-!   35		                    !void cleanup(double *dt, int from, int tlen)
-!   36		                    !{
-!   37		                    ! int i;
-!   38		                    ! double tmp,tmp1,x,x1;
-!   40		                    ! tmp=tmp1=Zero;
-
-/* 000000	  40 ( 0  1) */		sethi	%hi(Zero),%g2
-
-!   41		                    ! /* original code **
-!   42		                    ! for(i=2*from;i<2*tlen-2;i++)
-!   43		                    !   {
-!   44		                    !     x=dt[i];
-!   45		                    !     dt[i]=lower32(x,Zero)+tmp1;
-!   46		                    !     tmp1=tmp;
-!   47		                    !     tmp=upper32(x);
-!   48		                    !   }
-!   49		                    ! dt[tlen-2]+=tmp1;
-!   50		                    ! dt[tlen-1]+=tmp;
-!   51		                    ! **end original code ***/
-!   52		                    ! /* new code ***/
-!   53		                    ! for(i=2*from;i<2*tlen;i+=2)
-
-/* 0x0004	  53 ( 1  2) */		sll	%o2,1,%g3
-/* 0x0008	  40 ( 1  4) */		ldd	[%g2+%lo(Zero)],%f0
-/* 0x000c	     ( 1  2) */		add	%g2,%lo(Zero),%g2
-/* 0x0010	  53 ( 2  3) */		sll	%o1,1,%g4
-/* 0x0014	  36 ( 3  4) */		sll	%o1,4,%g1
-/* 0x0018	  40 ( 3  4) */		fmovd	%f0,%f4
-/* 0x001c	  53 ( 3  4) */		cmp	%g4,%g3
-/* 0x0020	     ( 3  4) */		bge,pt	%icc,.L77000116	! tprob=0.56
-/* 0x0024	     ( 4  5) */		fmovd	%f0,%f2
-/* 0x0028	  36 ( 4  5) */		add	%o0,%g1,%g1
-/* 0x002c	     ( 4  5) */		sub	%g3,1,%g3
-
-!   54		                    !   {
-!   55		                    !     x=dt[i];
-
-/* 0x0030	  55 ( 5  8) */		ldd	[%g1],%f8
-                                   .L900000114:		/* frequency 6.4 confidence 0.0 */
-/* 0x0034	     ( 0  3) */		fdtox	%f8,%f6
-
-!   56		                    !     x1=dt[i+1];
-
-/* 0x0038	  56 ( 0  3) */		ldd	[%g1+8],%f10
-
-!   57		                    !     dt[i]=lower32(x,Zero)+tmp;
-!   58		                    !     dt[i+1]=lower32(x1,Zero)+tmp1;
-!   59		                    !     tmp=upper32(x);
-!   60		                    !     tmp1=upper32(x1);
-
-/* 0x003c	  60 ( 0  1) */		add	%g4,2,%g4
-/* 0x0040	     ( 1  4) */		fdtox	%f8,%f8
-/* 0x0044	     ( 1  2) */		cmp	%g4,%g3
-/* 0x0048	     ( 5  6) */		fmovs	%f0,%f6
-/* 0x004c	     ( 7 10) */		fxtod	%f6,%f6
-/* 0x0050	     ( 8 11) */		fdtox	%f10,%f0
-/* 0x0054	  57 (10 13) */		faddd	%f6,%f2,%f2
-/* 0x0058	     (10 11) */		std	%f2,[%g1]
-/* 0x005c	     (12 15) */		ldd	[%g2],%f2
-/* 0x0060	     (14 15) */		fmovs	%f2,%f0
-/* 0x0064	     (16 19) */		fxtod	%f0,%f6
-/* 0x0068	     (17 20) */		fdtox	%f10,%f0
-/* 0x006c	     (18 21) */		fitod	%f8,%f2
-/* 0x0070	  58 (19 22) */		faddd	%f6,%f4,%f4
-/* 0x0074	     (19 20) */		std	%f4,[%g1+8]
-/* 0x0078	  60 (19 20) */		add	%g1,16,%g1
-/* 0x007c	     (20 23) */		fitod	%f0,%f4
-/* 0x0080	     (20 23) */		ldd	[%g2],%f0
-/* 0x0084	     (20 21) */		ble,a,pt	%icc,.L900000114	! tprob=0.86
-/* 0x0088	     (21 24) */		ldd	[%g1],%f8
-                                   .L77000116:		/* frequency 1.0 confidence 0.0 */
-/* 0x008c	     ( 0  2) */		retl	! Result = 
-/* 0x0090	     ( 1  2) */		nop
-/* 0x0094	   0 ( 0  0) */		.type	cleanup,2
-/* 0x0094	     ( 0  0) */		.size	cleanup,(.-cleanup)
-
-	.section	".text",#alloc,#execinstr
-/* 000000	   0 ( 0  0) */		.align	4
-!
-! SUBROUTINE conv_d16_to_i32
-!
-! OFFSET    SOURCE LINE	LABEL	INSTRUCTION	(ISSUE TIME)	(COMPLETION TIME)
-
-                                   	.global conv_d16_to_i32
-                                   conv_d16_to_i32:		/* frequency 1.0 confidence 0.0 */
-/* 000000	     ( 0  1) */		save	%sp,-136,%sp
-
-!   61		                    !   }
-!   62		                    !  /** end new code **/
-!   63		                    !}
-!   66		                    !void conv_d16_to_i32(unsigned int *i32, double *d16, long long *tmp, int ilen)
-!   67		                    !{
-!   68		                    !int i;
-!   69		                    !long long t, t1, a, b, c, d;
-!   71		                    ! t1=0;
-!   72		                    ! a=(long long)d16[0];
-
-/* 0x0004	  72 ( 1  4) */		ldd	[%i1],%f0
-
-!   73		                    ! b=(long long)d16[1];
-!   74		                    ! for(i=0; i<ilen-1; i++)
-
-/* 0x0008	  74 ( 1  2) */		sub	%i3,1,%g2
-/* 0x000c	  67 ( 1  2) */		or	%g0,%i0,%g5
-/* 0x0010	  74 ( 2  3) */		cmp	%g2,0
-/* 0x0014	  71 ( 2  3) */		or	%g0,0,%o4
-/* 0x0018	  72 ( 3  6) */		fdtox	%f0,%f0
-/* 0x001c	     ( 3  4) */		std	%f0,[%sp+120]
-/* 0x0020	  74 ( 3  4) */		or	%g0,0,%o7
-/* 0x0024	  67 ( 4  5) */		or	%g0,%i3,%o0
-/* 0x0028	     ( 4  5) */		sub	%i3,2,%o2
-/* 0x002c	  73 ( 5  8) */		ldd	[%i1+8],%f0
-/* 0x0030	  67 ( 5  6) */		sethi	%hi(0xfc00),%o0
-/* 0x0034	     ( 5  6) */		add	%o2,1,%g3
-/* 0x0038	     ( 6  7) */		add	%o0,1023,%o1
-/* 0x003c	     ( 6  7) */		or	%g0,%g5,%o5
-/* 0x0040	  73 ( 7 10) */		fdtox	%f0,%f0
-/* 0x0044	     ( 7  8) */		std	%f0,[%sp+112]
-/* 0x0048	  72 (11 13) */		ldx	[%sp+120],%g4
-/* 0x004c	  73 (12 14) */		ldx	[%sp+112],%g1
-/* 0x0050	  74 (12 13) */		ble,pt	%icc,.L900000214	! tprob=0.56
-/* 0x0054	     (12 13) */		sethi	%hi(0xfc00),%g2
-/* 0x0058	  67 (13 14) */		or	%g0,-1,%g2
-/* 0x005c	  74 (13 14) */		cmp	%g3,3
-/* 0x0060	  67 (14 15) */		srl	%g2,0,%o3
-/* 0x0064	     (14 15) */		or	%g0,%i1,%g2
-/* 0x0068	  74 (14 15) */		bl,pn	%icc,.L77000134	! tprob=0.44
-/* 0x006c	     (15 18) */		ldd	[%g2+16],%f0
-
-!   75		                    !   {
-!   76		                    !     c=(long long)d16[2*i+2];
-!   77		                    !     t1+=a&0xffffffff;
-!   78		                    !     t=(a>>32);
-!   79		                    !     d=(long long)d16[2*i+3];
-!   80		                    !     t1+=(b&0xffff)<<16;
-
-/* 0x0070	  80 (15 16) */		and	%g1,%o1,%o0
-
-!   81		                    !     t+=(b>>16)+(t1>>32);
-!   82		                    !     i32[i]=t1&0xffffffff;
-!   83		                    !     t1=t;
-!   84		                    !     a=c;
-!   85		                    !     b=d;
-
-/* 0x0074	  85 (15 16) */		add	%g2,16,%g2
-/* 0x0078	  80 (16 17) */		sllx	%o0,16,%g3
-/* 0x007c	  77 (16 17) */		and	%g4,%o3,%o0
-/* 0x0080	  76 (17 20) */		fdtox	%f0,%f0
-/* 0x0084	     (17 18) */		std	%f0,[%sp+104]
-/* 0x0088	  74 (17 18) */		add	%o0,%g3,%o4
-/* 0x008c	  79 (18 21) */		ldd	[%g2+8],%f2
-/* 0x0090	  81 (18 19) */		srax	%g1,16,%o0
-/* 0x0094	  82 (18 19) */		and	%o4,%o3,%o7
-/* 0x0098	  81 (19 20) */		stx	%o0,[%sp+112]
-/* 0x009c	     (19 20) */		srax	%o4,32,%o0
-/* 0x00a0	  85 (19 20) */		add	%g5,4,%o5
-/* 0x00a4	  81 (20 21) */		stx	%o0,[%sp+120]
-/* 0x00a8	  78 (20 21) */		srax	%g4,32,%o4
-/* 0x00ac	  79 (20 23) */		fdtox	%f2,%f0
-/* 0x00b0	     (21 22) */		std	%f0,[%sp+96]
-/* 0x00b4	  81 (22 24) */		ldx	[%sp+112],%o0
-/* 0x00b8	     (23 25) */		ldx	[%sp+120],%g4
-/* 0x00bc	  76 (25 27) */		ldx	[%sp+104],%g3
-/* 0x00c0	  81 (25 26) */		add	%o0,%g4,%g4
-/* 0x00c4	  79 (26 28) */		ldx	[%sp+96],%g1
-/* 0x00c8	  81 (26 27) */		add	%o4,%g4,%o4
-/* 0x00cc	  82 (27 28) */		st	%o7,[%g5]
-/* 0x00d0	     (27 28) */		or	%g0,1,%o7
-/* 0x00d4	  84 (27 28) */		or	%g0,%g3,%g4
-                                   .L900000209:		/* frequency 64.0 confidence 0.0 */
-/* 0x00d8	  76 (17 19) */		ldd	[%g2+16],%f0
-/* 0x00dc	  85 (17 18) */		add	%o7,1,%o7
-/* 0x00e0	     (17 18) */		add	%o5,4,%o5
-/* 0x00e4	     (18 18) */		cmp	%o7,%o2
-/* 0x00e8	     (18 19) */		add	%g2,16,%g2
-/* 0x00ec	  76 (19 22) */		fdtox	%f0,%f0
-/* 0x00f0	     (20 21) */		std	%f0,[%sp+104]
-/* 0x00f4	  79 (21 23) */		ldd	[%g2+8],%f0
-/* 0x00f8	     (23 26) */		fdtox	%f0,%f0
-/* 0x00fc	     (24 25) */		std	%f0,[%sp+96]
-/* 0x0100	  80 (25 26) */		and	%g1,%o1,%g3
-/* 0x0104	     (26 27) */		sllx	%g3,16,%g3
-/* 0x0108	     ( 0  0) */		stx	%g3,[%sp+120]
-/* 0x010c	  77 (26 27) */		and	%g4,%o3,%g3
-/* 0x0110	  74 ( 0  0) */		stx	%o7,[%sp+128]
-/* 0x0114	     ( 0  0) */		ldx	[%sp+120],%o7
-/* 0x0118	     (27 27) */		add	%g3,%o7,%g3
-/* 0x011c	     ( 0  0) */		ldx	[%sp+128],%o7
-/* 0x0120	  81 (28 29) */		srax	%g1,16,%g1
-/* 0x0124	  74 (28 28) */		add	%g3,%o4,%g3
-/* 0x0128	  81 (29 30) */		srax	%g3,32,%o4
-/* 0x012c	     ( 0  0) */		stx	%o4,[%sp+112]
-/* 0x0130	  78 (30 31) */		srax	%g4,32,%o4
-/* 0x0134	  81 ( 0  0) */		ldx	[%sp+112],%g4
-/* 0x0138	     (30 31) */		add	%g1,%g4,%g4
-/* 0x013c	  79 (31 33) */		ldx	[%sp+96],%g1
-/* 0x0140	  81 (31 32) */		add	%o4,%g4,%o4
-/* 0x0144	  82 (32 33) */		and	%g3,%o3,%g3
-/* 0x0148	  84 ( 0  0) */		ldx	[%sp+104],%g4
-/* 0x014c	  85 (33 34) */		ble,pt	%icc,.L900000209	! tprob=0.50
-/* 0x0150	     (33 34) */		st	%g3,[%o5-4]
-                                   .L900000212:		/* frequency 8.0 confidence 0.0 */
-/* 0x0154	  85 ( 0  1) */		ba	.L900000214	! tprob=1.00
-/* 0x0158	     ( 0  1) */		sethi	%hi(0xfc00),%g2
-                                   .L77000134:		/* frequency 0.7 confidence 0.0 */
-                                   .L900000213:		/* frequency 6.4 confidence 0.0 */
-/* 0x015c	  77 ( 0  1) */		and	%g4,%o3,%o0
-/* 0x0160	  80 ( 0  1) */		and	%g1,%o1,%g3
-/* 0x0164	  76 ( 0  3) */		fdtox	%f0,%f0
-/* 0x0168	  77 ( 1  2) */		add	%o4,%o0,%o0
-/* 0x016c	  76 ( 1  2) */		std	%f0,[%sp+104]
-/* 0x0170	  85 ( 1  2) */		add	%o7,1,%o7
-/* 0x0174	  80 ( 2  3) */		sllx	%g3,16,%o4
-/* 0x0178	  79 ( 2  5) */		ldd	[%g2+24],%f2
-/* 0x017c	  85 ( 2  3) */		add	%g2,16,%g2
-/* 0x0180	  80 ( 3  4) */		add	%o0,%o4,%o4
-/* 0x0184	  81 ( 3  4) */		stx	%o7,[%sp+128]
-/* 0x0188	     ( 4  5) */		srax	%g1,16,%o0
-/* 0x018c	     ( 4  5) */		stx	%o0,[%sp+112]
-/* 0x0190	  82 ( 4  5) */		and	%o4,%o3,%g3
-/* 0x0194	  81 ( 5  6) */		srax	%o4,32,%o0
-/* 0x0198	     ( 5  6) */		stx	%o0,[%sp+120]
-/* 0x019c	  79 ( 5  8) */		fdtox	%f2,%f0
-/* 0x01a0	     ( 6  7) */		std	%f0,[%sp+96]
-/* 0x01a4	  78 ( 6  7) */		srax	%g4,32,%o4
-/* 0x01a8	  81 ( 7  9) */		ldx	[%sp+120],%o7
-/* 0x01ac	     ( 8 10) */		ldx	[%sp+112],%g4
-/* 0x01b0	  76 (10 12) */		ldx	[%sp+104],%g1
-/* 0x01b4	  81 (10 11) */		add	%g4,%o7,%g4
-/* 0x01b8	     (11 13) */		ldx	[%sp+128],%o7
-/* 0x01bc	     (11 12) */		add	%o4,%g4,%o4
-/* 0x01c0	  79 (12 14) */		ldx	[%sp+96],%o0
-/* 0x01c4	  84 (12 13) */		or	%g0,%g1,%g4
-/* 0x01c8	  82 (13 14) */		st	%g3,[%o5]
-/* 0x01cc	  85 (13 14) */		add	%o5,4,%o5
-/* 0x01d0	     (13 14) */		cmp	%o7,%o2
-/* 0x01d4	     (14 15) */		or	%g0,%o0,%g1
-/* 0x01d8	     (14 15) */		ble,a,pt	%icc,.L900000213	! tprob=0.86
-/* 0x01dc	     (14 17) */		ldd	[%g2+16],%f0
-                                   .L77000127:		/* frequency 1.0 confidence 0.0 */
-
-!   86		                    !   }
-!   87		                    !     t1+=a&0xffffffff;
-!   88		                    !     t=(a>>32);
-!   89		                    !     t1+=(b&0xffff)<<16;
-!   90		                    !     i32[i]=t1&0xffffffff;
-
-/* 0x01e0	  90 ( 0  1) */		sethi	%hi(0xfc00),%g2
-                                   .L900000214:		/* frequency 1.0 confidence 0.0 */
-/* 0x01e4	  90 ( 0  1) */		or	%g0,-1,%g3
-/* 0x01e8	     ( 0  1) */		add	%g2,1023,%g2
-/* 0x01ec	     ( 1  2) */		srl	%g3,0,%g3
-/* 0x01f0	     ( 1  2) */		and	%g1,%g2,%g2
-/* 0x01f4	     ( 2  3) */		and	%g4,%g3,%g4
-/* 0x01f8	     ( 3  4) */		sllx	%g2,16,%g2
-/* 0x01fc	     ( 3  4) */		add	%o4,%g4,%g4
-/* 0x0200	     ( 4  5) */		add	%g4,%g2,%g2
-/* 0x0204	     ( 5  6) */		sll	%o7,2,%g4
-/* 0x0208	     ( 5  6) */		and	%g2,%g3,%g2
-/* 0x020c	     ( 6  7) */		st	%g2,[%g5+%g4]
-/* 0x0210	     ( 7  9) */		ret	! Result = 
-/* 0x0214	     ( 9 10) */		restore	%g0,%g0,%g0
-/* 0x0218	   0 ( 0  0) */		.type	conv_d16_to_i32,2
-/* 0x0218	     ( 0  0) */		.size	conv_d16_to_i32,(.-conv_d16_to_i32)
-
-	.section	".text",#alloc,#execinstr
-/* 000000	   0 ( 0  0) */		.align	8
-!
-! CONSTANT POOL
-!
-                                   .L_const_seg_900000301:		/* frequency 1.0 confidence 0.0 */
-/* 000000	   0 ( 0  0) */		.word	1127219200,0
-/* 0x0008	   0 ( 0  0) */		.align	4
-!
-! SUBROUTINE conv_i32_to_d32
-!
-! OFFSET    SOURCE LINE	LABEL	INSTRUCTION	(ISSUE TIME)	(COMPLETION TIME)
-
-                                   	.global conv_i32_to_d32
-                                   conv_i32_to_d32:		/* frequency 1.0 confidence 0.0 */
-/* 000000	     ( 0  1) */		orcc	%g0,%o2,%g1
-
-!   92		                    !}
-!   94		                    !void conv_i32_to_d32(double *d32, unsigned int *i32, int len)
-!   95		                    !{
-!   96		                    !int i;
-!   98		                    !#pragma pipeloop(0)
-!   99		                    ! for(i=0;i<len;i++) d32[i]=(double)(i32[i]);
-
-/* 0x0004	  99 ( 0  1) */		ble,pt	%icc,.L77000140	! tprob=0.56
-/* 0x0008	     ( 0  1) */		nop
-/* 0x000c	     ( 1  2) */		sethi	%hi(.L_const_seg_900000301),%g2
-/* 0x0010	  95 ( 1  2) */		or	%g0,%o1,%g4
-/* 0x0014	  99 ( 2  3) */		add	%g2,%lo(.L_const_seg_900000301),%g2
-/* 0x0018	     ( 2  3) */		or	%g0,0,%o5
-/* 0x001c	  95 ( 3  4) */		or	%g0,%o0,%g5
-/* 0x0020	  99 ( 3  4) */		sub	%o2,1,%g3
-/* 0x0024	     ( 4  5) */		cmp	%o2,9
-/* 0x0028	     ( 4  5) */		bl,pn	%icc,.L77000144	! tprob=0.44
-/* 0x002c	     ( 4  7) */		ldd	[%g2],%f8
-/* 0x0030	     ( 5  8) */		ld	[%o1],%f7
-/* 0x0034	     ( 5  6) */		add	%o1,16,%g4
-/* 0x0038	     ( 5  6) */		sub	%o2,5,%g1
-/* 0x003c	     ( 6  9) */		ld	[%o1+4],%f5
-/* 0x0040	     ( 6  7) */		or	%g0,4,%o5
-/* 0x0044	     ( 7 10) */		ld	[%o1+8],%f3
-/* 0x0048	     ( 7  8) */		fmovs	%f8,%f6
-/* 0x004c	     ( 8 11) */		ld	[%o1+12],%f1
-                                   .L900000305:		/* frequency 64.0 confidence 0.0 */
-/* 0x0050	     ( 8 16) */		ld	[%g4],%f11
-/* 0x0054	     ( 8  9) */		add	%o5,5,%o5
-/* 0x0058	     ( 8  9) */		add	%g4,20,%g4
-/* 0x005c	     ( 8 11) */		fsubd	%f6,%f8,%f6
-/* 0x0060	     ( 9 10) */		std	%f6,[%g5]
-/* 0x0064	     ( 9  9) */		cmp	%o5,%g1
-/* 0x0068	     ( 9 10) */		add	%g5,40,%g5
-/* 0x006c	     ( 0  0) */		fmovs	%f8,%f4
-/* 0x0070	     (10 18) */		ld	[%g4-16],%f7
-/* 0x0074	     (10 13) */		fsubd	%f4,%f8,%f12
-/* 0x0078	     ( 0  0) */		fmovs	%f8,%f2
-/* 0x007c	     (11 12) */		std	%f12,[%g5-32]
-/* 0x0080	     (12 20) */		ld	[%g4-12],%f5
-/* 0x0084	     (12 15) */		fsubd	%f2,%f8,%f12
-/* 0x0088	     ( 0  0) */		fmovs	%f8,%f0
-/* 0x008c	     (13 14) */		std	%f12,[%g5-24]
-/* 0x0090	     (14 22) */		ld	[%g4-8],%f3
-/* 0x0094	     (14 17) */		fsubd	%f0,%f8,%f12
-/* 0x0098	     ( 0  0) */		fmovs	%f8,%f10
-/* 0x009c	     (15 16) */		std	%f12,[%g5-16]
-/* 0x00a0	     (16 24) */		ld	[%g4-4],%f1
-/* 0x00a4	     (16 19) */		fsubd	%f10,%f8,%f10
-/* 0x00a8	     ( 0  0) */		fmovs	%f8,%f6
-/* 0x00ac	     (17 18) */		ble,pt	%icc,.L900000305	! tprob=0.50
-/* 0x00b0	     (17 18) */		std	%f10,[%g5-8]
-                                   .L900000308:		/* frequency 8.0 confidence 0.0 */
-/* 0x00b4	     ( 0  1) */		fmovs	%f8,%f4
-/* 0x00b8	     ( 0  1) */		add	%g5,32,%g5
-/* 0x00bc	     ( 0  1) */		cmp	%o5,%g3
-/* 0x00c0	     ( 1  2) */		fmovs	%f8,%f2
-/* 0x00c4	     ( 2  3) */		fmovs	%f8,%f0
-/* 0x00c8	     ( 4  7) */		fsubd	%f6,%f8,%f6
-/* 0x00cc	     ( 4  5) */		std	%f6,[%g5-32]
-/* 0x00d0	     ( 5  8) */		fsubd	%f4,%f8,%f4
-/* 0x00d4	     ( 5  6) */		std	%f4,[%g5-24]
-/* 0x00d8	     ( 6  9) */		fsubd	%f2,%f8,%f2
-/* 0x00dc	     ( 6  7) */		std	%f2,[%g5-16]
-/* 0x00e0	     ( 7 10) */		fsubd	%f0,%f8,%f0
-/* 0x00e4	     ( 7  8) */		bg,pn	%icc,.L77000140	! tprob=0.14
-/* 0x00e8	     ( 7  8) */		std	%f0,[%g5-8]
-                                   .L77000144:		/* frequency 0.7 confidence 0.0 */
-/* 0x00ec	     ( 0  3) */		ld	[%g4],%f1
-                                   .L900000309:		/* frequency 6.4 confidence 0.0 */
-/* 0x00f0	     ( 0  3) */		ldd	[%g2],%f8
-/* 0x00f4	     ( 0  1) */		add	%o5,1,%o5
-/* 0x00f8	     ( 0  1) */		add	%g4,4,%g4
-/* 0x00fc	     ( 1  2) */		cmp	%o5,%g3
-/* 0x0100	     ( 2  3) */		fmovs	%f8,%f0
-/* 0x0104	     ( 4  7) */		fsubd	%f0,%f8,%f0
-/* 0x0108	     ( 4  5) */		std	%f0,[%g5]
-/* 0x010c	     ( 4  5) */		add	%g5,8,%g5
-/* 0x0110	     ( 4  5) */		ble,a,pt	%icc,.L900000309	! tprob=0.86
-/* 0x0114	     ( 6  9) */		ld	[%g4],%f1
-                                   .L77000140:		/* frequency 1.0 confidence 0.0 */
-/* 0x0118	     ( 0  2) */		retl	! Result = 
-/* 0x011c	     ( 1  2) */		nop
-/* 0x0120	   0 ( 0  0) */		.type	conv_i32_to_d32,2
-/* 0x0120	     ( 0  0) */		.size	conv_i32_to_d32,(.-conv_i32_to_d32)
-
-	.section	".text",#alloc,#execinstr
-/* 000000	   0 ( 0  0) */		.align	8
-!
-! CONSTANT POOL
-!
-                                   .L_const_seg_900000401:		/* frequency 1.0 confidence 0.0 */
-/* 000000	   0 ( 0  0) */		.word	1127219200,0
-/* 0x0008	   0 ( 0  0) */		.align	4
-!
-! SUBROUTINE conv_i32_to_d16
-!
-! OFFSET    SOURCE LINE	LABEL	INSTRUCTION	(ISSUE TIME)	(COMPLETION TIME)
-
-                                   	.global conv_i32_to_d16
-                                   conv_i32_to_d16:		/* frequency 1.0 confidence 0.0 */
-/* 000000	     ( 0  1) */		save	%sp,-104,%sp
-/* 0x0004	     ( 1  2) */		orcc	%g0,%i2,%o0
-
-!  100		                    !}
-!  103		                    !void conv_i32_to_d16(double *d16, unsigned int *i32, int len)
-!  104		                    !{
-!  105		                    !int i;
-!  106		                    !unsigned int a;
-!  108		                    !#pragma pipeloop(0)
-!  109		                    ! for(i=0;i<len;i++)
-
-/* 0x0008	 109 ( 1  2) */		ble,pt	%icc,.L77000150	! tprob=0.56
-/* 0x000c	     ( 1  2) */		nop
-/* 0x0010	     ( 2  3) */		sub	%o0,1,%o5
-/* 0x0014	     ( 2  3) */		sethi	%hi(0xfc00),%g2
-
-!  110		                    !   {
-!  111		                    !     a=i32[i];
-!  112		                    !     d16[2*i]=(double)(a&0xffff);
-!  113		                    !     d16[2*i+1]=(double)(a>>16);
-
-/* 0x0018	 113 ( 3  4) */		sethi	%hi(.L_const_seg_900000401),%o0
-/* 0x001c	     ( 3  4) */		add	%o5,1,%g3
-/* 0x0020	     ( 4  5) */		add	%g2,1023,%o4
-/* 0x0024	 109 ( 4  5) */		or	%g0,0,%g1
-/* 0x0028	     ( 5  6) */		cmp	%g3,3
-/* 0x002c	     ( 5  6) */		or	%g0,%i1,%o7
-/* 0x0030	     ( 6  7) */		add	%o0,%lo(.L_const_seg_900000401),%o3
-/* 0x0034	     ( 6  7) */		or	%g0,%i0,%g2
-/* 0x0038	     ( 6  7) */		bl,pn	%icc,.L77000154	! tprob=0.44
-/* 0x003c	     ( 7  8) */		add	%o7,4,%o0
-/* 0x0040	 112 ( 7 10) */		ldd	[%o3],%f0
-/* 0x0044	 113 ( 7  8) */		or	%g0,1,%g1
-/* 0x0048	 111 ( 8 11) */		ld	[%o0-4],%o1
-/* 0x004c	   0 ( 8  9) */		or	%g0,%o0,%o7
-/* 0x0050	 112 (10 11) */		and	%o1,%o4,%o0
-                                   .L900000406:		/* frequency 64.0 confidence 0.0 */
-/* 0x0054	 112 (22 23) */		st	%o0,[%sp+96]
-/* 0x0058	 113 (22 23) */		add	%g1,1,%g1
-/* 0x005c	     (22 23) */		add	%g2,16,%g2
-/* 0x0060	     (23 23) */		cmp	%g1,%o5
-/* 0x0064	     (23 24) */		add	%o7,4,%o7
-/* 0x0068	 112 (29 31) */		ld	[%sp+96],%f3
-/* 0x006c	     ( 0  0) */		fmovs	%f0,%f2
-/* 0x0070	     (31 34) */		fsubd	%f2,%f0,%f2
-/* 0x0074	 113 (32 33) */		srl	%o1,16,%o0
-/* 0x0078	 112 (32 33) */		std	%f2,[%g2-16]
-/* 0x007c	 113 (33 34) */		st	%o0,[%sp+92]
-/* 0x0080	     (40 42) */		ld	[%sp+92],%f3
-/* 0x0084	 111 (41 43) */		ld	[%o7-4],%o1
-/* 0x0088	 113 ( 0  0) */		fmovs	%f0,%f2
-/* 0x008c	     (42 45) */		fsubd	%f2,%f0,%f2
-/* 0x0090	 112 (43 44) */		and	%o1,%o4,%o0
-/* 0x0094	 113 (43 44) */		ble,pt	%icc,.L900000406	! tprob=0.50
-/* 0x0098	     (43 44) */		std	%f2,[%g2-8]
-                                   .L900000409:		/* frequency 8.0 confidence 0.0 */
-/* 0x009c	 112 ( 0  1) */		st	%o0,[%sp+96]
-/* 0x00a0	     ( 0  1) */		fmovs	%f0,%f2
-/* 0x00a4	 113 ( 0  1) */		add	%g2,16,%g2
-/* 0x00a8	     ( 1  2) */		srl	%o1,16,%o0
-/* 0x00ac	 112 ( 4  7) */		ld	[%sp+96],%f3
-/* 0x00b0	     ( 6  9) */		fsubd	%f2,%f0,%f2
-/* 0x00b4	     ( 6  7) */		std	%f2,[%g2-16]
-/* 0x00b8	 113 ( 7  8) */		st	%o0,[%sp+92]
-/* 0x00bc	     (10 11) */		fmovs	%f0,%f2
-/* 0x00c0	     (11 14) */		ld	[%sp+92],%f3
-/* 0x00c4	     (13 16) */		fsubd	%f2,%f0,%f0
-/* 0x00c8	     (13 14) */		std	%f0,[%g2-8]
-/* 0x00cc	     (14 16) */		ret	! Result = 
-/* 0x00d0	     (16 17) */		restore	%g0,%g0,%g0
-                                   .L77000154:		/* frequency 0.7 confidence 0.0 */
-/* 0x00d4	 111 ( 0  3) */		ld	[%o7],%o0
-                                   .L900000410:		/* frequency 6.4 confidence 0.0 */
-/* 0x00d8	 112 ( 0  1) */		and	%o0,%o4,%o1
-/* 0x00dc	     ( 0  1) */		st	%o1,[%sp+96]
-/* 0x00e0	 113 ( 0  1) */		add	%g1,1,%g1
-/* 0x00e4	 112 ( 1  4) */		ldd	[%o3],%f0
-/* 0x00e8	 113 ( 1  2) */		srl	%o0,16,%o0
-/* 0x00ec	     ( 1  2) */		add	%o7,4,%o7
-/* 0x00f0	     ( 2  3) */		cmp	%g1,%o5
-/* 0x00f4	 112 ( 3  4) */		fmovs	%f0,%f2
-/* 0x00f8	     ( 4  7) */		ld	[%sp+96],%f3
-/* 0x00fc	     ( 6  9) */		fsubd	%f2,%f0,%f2
-/* 0x0100	     ( 6  7) */		std	%f2,[%g2]
-/* 0x0104	 113 ( 7  8) */		st	%o0,[%sp+92]
-/* 0x0108	     (10 11) */		fmovs	%f0,%f2
-/* 0x010c	     (11 14) */		ld	[%sp+92],%f3
-/* 0x0110	     (13 16) */		fsubd	%f2,%f0,%f0
-/* 0x0114	     (13 14) */		std	%f0,[%g2+8]
-/* 0x0118	     (13 14) */		add	%g2,16,%g2
-/* 0x011c	     (13 14) */		ble,a,pt	%icc,.L900000410	! tprob=0.86
-/* 0x0120	     (14 17) */		ld	[%o7],%o0
-                                   .L77000150:		/* frequency 1.0 confidence 0.0 */
-/* 0x0124	     ( 0  2) */		ret	! Result = 
-/* 0x0128	     ( 2  3) */		restore	%g0,%g0,%g0
-/* 0x012c	   0 ( 0  0) */		.type	conv_i32_to_d16,2
-/* 0x012c	     ( 0  0) */		.size	conv_i32_to_d16,(.-conv_i32_to_d16)
-
-	.section	".text",#alloc,#execinstr
-/* 000000	   0 ( 0  0) */		.align	8
-!
-! CONSTANT POOL
-!
-                                   .L_const_seg_900000501:		/* frequency 1.0 confidence 0.0 */
-/* 000000	   0 ( 0  0) */		.word	1127219200,0
-/* 0x0008	   0 ( 0  0) */		.align	4
-!
-! SUBROUTINE conv_i32_to_d32_and_d16
-!
-! OFFSET    SOURCE LINE	LABEL	INSTRUCTION	(ISSUE TIME)	(COMPLETION TIME)
-
-                                   	.global conv_i32_to_d32_and_d16
-                                   conv_i32_to_d32_and_d16:		/* frequency 1.0 confidence 0.0 */
-/* 000000	     ( 0  1) */		save	%sp,-104,%sp
-/* 0x0004	     ( 1  2) */		or	%g0,%i3,%i4
-/* 0x0008	     ( 1  2) */		or	%g0,%i2,%g1
-
-!  114		                    !   }
-!  115		                    !}
-!  118		                    !void i16_to_d16_and_d32x4(double * /*1/(2^16)*/, double * /* 2^16*/,
-!  119		                    !			  double * /* 0 */,
-!  120		                    !			  double * /*result16*/, double * /* result32 */,
-!  121		                    !			  float *  /*source - should be unsigned int*
-!  122		                    !		          	       converted to float* */);
-!  126		                    !void conv_i32_to_d32_and_d16(double *d32, double *d16, 
-!  127		                    !			     unsigned int *i32, int len)
-!  128		                    !{
-!  129		                    !int i;
-!  130		                    !unsigned int a;
-!  132		                    !#pragma pipeloop(0)
-!  133		                    ! for(i=0;i<len-3;i+=4)
-
-/* 0x000c	 133 ( 2  3) */		sub	%i4,3,%g2
-/* 0x0010	     ( 2  3) */		or	%g0,0,%o7
-/* 0x0014	     ( 3  4) */		cmp	%g2,0
-/* 0x0018	 128 ( 3  4) */		or	%g0,%i0,%i3
-/* 0x001c	 133 ( 3  4) */		ble,pt	%icc,.L900000515	! tprob=0.56
-/* 0x0020	     ( 4  5) */		cmp	%o7,%i4
-
-!  134		                    !   {
-!  135		                    !     i16_to_d16_and_d32x4(&TwoToMinus16, &TwoTo16, &Zero,
-!  136		                    !			  &(d16[2*i]), &(d32[i]), (float *)(&(i32[i])));
-
-/* 0x0024	 136 ( 4  5) */		sethi	%hi(Zero),%g2
-/* 0x0028	 133 ( 5  6) */		or	%g0,%g1,%o3
-/* 0x002c	     ( 5  6) */		sub	%i4,4,%o2
-/* 0x0030	 136 ( 6  7) */		add	%g2,%lo(Zero),%o1
-/* 0x0034	 133 ( 6  7) */		or	%g0,0,%o5
-/* 0x0038	     ( 7  8) */		or	%g0,0,%o4
-/* 0x003c	 136 ( 7  8) */		or	%g0,%o3,%g4
-                                   .L900000514:		/* frequency 6.4 confidence 0.0 */
-/* 0x0040	     ( 0  3) */		ldd	[%o1],%f2
-/* 0x0044	 136 ( 0  1) */		add	%i3,%o5,%g2
-/* 0x0048	     ( 0  1) */		add	%i1,%o4,%g3
-/* 0x004c	     ( 1  4) */		ldd	[%o1-8],%f0
-/* 0x0050	     ( 1  2) */		add	%o7,4,%o7
-/* 0x0054	     ( 1  2) */		add	%o3,16,%o3
-/* 0x0058	     ( 2  3) */		fmovd	%f2,%f14
-/* 0x005c	     ( 2  5) */		ld	[%g4],%f15
-/* 0x0060	     ( 2  3) */		cmp	%o7,%o2
-/* 0x0064	     ( 3  4) */		fmovd	%f2,%f10
-/* 0x0068	     ( 3  6) */		ld	[%g4+4],%f11
-/* 0x006c	     ( 4  5) */		fmovd	%f2,%f6
-/* 0x0070	     ( 4  7) */		ld	[%g4+8],%f7
-/* 0x0074	     ( 5  8) */		ld	[%g4+12],%f3
-/* 0x0078	     ( 5  8) */		fxtod	%f14,%f14
-/* 0x007c	     ( 6  9) */		fxtod	%f10,%f10
-/* 0x0080	     ( 6  9) */		ldd	[%o1-16],%f16
-/* 0x0084	     ( 7 10) */		fxtod	%f6,%f6
-/* 0x0088	     ( 7  8) */		std	%f14,[%i3+%o5]
-/* 0x008c	     ( 7  8) */		add	%o5,32,%o5
-/* 0x0090	     ( 8 11) */		fxtod	%f2,%f2
-/* 0x0094	     ( 8 11) */		fmuld	%f0,%f14,%f12
-/* 0x0098	     ( 8  9) */		std	%f10,[%g2+8]
-/* 0x009c	     ( 9 12) */		fmuld	%f0,%f10,%f8
-/* 0x00a0	     ( 9 10) */		std	%f6,[%g2+16]
-/* 0x00a4	     (10 13) */		fmuld	%f0,%f6,%f4
-/* 0x00a8	     (10 11) */		std	%f2,[%g2+24]
-/* 0x00ac	     (11 14) */		fmuld	%f0,%f2,%f0
-/* 0x00b0	     (11 14) */		fdtox	%f12,%f12
-/* 0x00b4	     (12 15) */		fdtox	%f8,%f8
-/* 0x00b8	     (13 16) */		fdtox	%f4,%f4
-/* 0x00bc	     (14 17) */		fdtox	%f0,%f0
-/* 0x00c0	     (15 18) */		fxtod	%f12,%f12
-/* 0x00c4	     (15 16) */		std	%f12,[%g3+8]
-/* 0x00c8	     (16 19) */		fxtod	%f8,%f8
-/* 0x00cc	     (16 17) */		std	%f8,[%g3+24]
-/* 0x00d0	     (17 20) */		fxtod	%f4,%f4
-/* 0x00d4	     (17 18) */		std	%f4,[%g3+40]
-/* 0x00d8	     (18 21) */		fxtod	%f0,%f0
-/* 0x00dc	     (18 21) */		fmuld	%f12,%f16,%f12
-/* 0x00e0	     (18 19) */		std	%f0,[%g3+56]
-/* 0x00e4	     (19 22) */		fmuld	%f8,%f16,%f8
-/* 0x00e8	     (20 23) */		fmuld	%f4,%f16,%f4
-/* 0x00ec	     (21 24) */		fmuld	%f0,%f16,%f0
-/* 0x00f0	     (21 24) */		fsubd	%f14,%f12,%f12
-/* 0x00f4	     (21 22) */		std	%f12,[%i1+%o4]
-/* 0x00f8	     (22 25) */		fsubd	%f10,%f8,%f8
-/* 0x00fc	     (22 23) */		std	%f8,[%g3+16]
-/* 0x0100	     (22 23) */		add	%o4,64,%o4
-/* 0x0104	     (23 26) */		fsubd	%f6,%f4,%f4
-/* 0x0108	     (23 24) */		std	%f4,[%g3+32]
-/* 0x010c	     (24 27) */		fsubd	%f2,%f0,%f0
-/* 0x0110	     (24 25) */		std	%f0,[%g3+48]
-/* 0x0114	     (24 25) */		ble,pt	%icc,.L900000514	! tprob=0.86
-/* 0x0118	     (25 26) */		or	%g0,%o3,%g4
-                                   .L77000159:		/* frequency 1.0 confidence 0.0 */
-
-!  137		                    !   }
-!  138		                    ! for(;i<len;i++)
-
-/* 0x011c	 138 ( 0  1) */		cmp	%o7,%i4
-                                   .L900000515:		/* frequency 1.0 confidence 0.0 */
-/* 0x0120	 138 ( 0  1) */		bge,pt	%icc,.L77000164	! tprob=0.56
-/* 0x0124	     ( 0  1) */		nop
-
-!  139		                    !   {
-!  140		                    !     a=i32[i];
-!  141		                    !     d32[i]=(double)(i32[i]);
-!  142		                    !     d16[2*i]=(double)(a&0xffff);
-!  143		                    !     d16[2*i+1]=(double)(a>>16);
-
-/* 0x0128	 143 ( 0  1) */		sethi	%hi(.L_const_seg_900000501),%o1
-/* 0x012c	 138 ( 1  2) */		sethi	%hi(0xfc00),%o0
-/* 0x0130	 141 ( 1  4) */		ldd	[%o1+%lo(.L_const_seg_900000501)],%f0
-/* 0x0134	 138 ( 1  2) */		sub	%i4,%o7,%g3
-/* 0x0138	     ( 2  3) */		sll	%o7,2,%g2
-/* 0x013c	     ( 2  3) */		add	%o0,1023,%o3
-/* 0x0140	     ( 3  4) */		sll	%o7,3,%g4
-/* 0x0144	     ( 3  4) */		cmp	%g3,3
-/* 0x0148	     ( 4  5) */		add	%g1,%g2,%o0
-/* 0x014c	     ( 4  5) */		add	%o1,%lo(.L_const_seg_900000501),%o2
-/* 0x0150	     ( 5  6) */		add	%i3,%g4,%o4
-/* 0x0154	     ( 5  6) */		sub	%i4,1,%o1
-/* 0x0158	     ( 6  7) */		sll	%o7,4,%g5
-/* 0x015c	     ( 6  7) */		bl,pn	%icc,.L77000161	! tprob=0.44
-/* 0x0160	     ( 7  8) */		add	%i1,%g5,%o5
-/* 0x0164	 141 ( 7 10) */		ld	[%g1+%g2],%f3
-/* 0x0168	 143 ( 7  8) */		add	%o4,8,%o4
-/* 0x016c	 140 ( 8 11) */		ld	[%g1+%g2],%g1
-/* 0x0170	 143 ( 8  9) */		add	%o5,16,%o5
-/* 0x0174	     ( 8  9) */		add	%o7,1,%o7
-/* 0x0178	 141 ( 9 10) */		fmovs	%f0,%f2
-/* 0x017c	 143 ( 9 10) */		add	%o0,4,%o0
-/* 0x0180	 142 (10 11) */		and	%g1,%o3,%g2
-/* 0x0184	 141 (11 14) */		fsubd	%f2,%f0,%f2
-/* 0x0188	     (11 12) */		std	%f2,[%o4-8]
-/* 0x018c	 143 (11 12) */		srl	%g1,16,%g1
-/* 0x0190	 142 (12 13) */		st	%g2,[%sp+96]
-/* 0x0194	     (15 16) */		fmovs	%f0,%f2
-/* 0x0198	     (16 19) */		ld	[%sp+96],%f3
-/* 0x019c	     (18 21) */		fsubd	%f2,%f0,%f2
-/* 0x01a0	     (18 19) */		std	%f2,[%o5-16]
-/* 0x01a4	 143 (19 20) */		st	%g1,[%sp+92]
-/* 0x01a8	     (22 23) */		fmovs	%f0,%f2
-/* 0x01ac	     (23 26) */		ld	[%sp+92],%f3
-/* 0x01b0	     (25 28) */		fsubd	%f2,%f0,%f2
-/* 0x01b4	     (25 26) */		std	%f2,[%o5-8]
-                                   .L900000509:		/* frequency 64.0 confidence 0.0 */
-/* 0x01b8	 141 (26 28) */		ld	[%o0],%f3
-/* 0x01bc	 143 (26 27) */		add	%o7,2,%o7
-/* 0x01c0	     (26 27) */		add	%o5,32,%o5
-/* 0x01c4	 140 (27 29) */		ld	[%o0],%g1
-/* 0x01c8	 143 (27 27) */		cmp	%o7,%o1
-/* 0x01cc	     (27 28) */		add	%o4,16,%o4
-/* 0x01d0	 141 ( 0  0) */		fmovs	%f0,%f2
-/* 0x01d4	     (28 31) */		fsubd	%f2,%f0,%f2
-/* 0x01d8	     (29 30) */		std	%f2,[%o4-16]
-/* 0x01dc	 142 (29 30) */		and	%g1,%o3,%g2
-/* 0x01e0	     (30 31) */		st	%g2,[%sp+96]
-/* 0x01e4	     (37 39) */		ld	[%sp+96],%f3
-/* 0x01e8	     ( 0  0) */		fmovs	%f0,%f2
-/* 0x01ec	     (39 42) */		fsubd	%f2,%f0,%f2
-/* 0x01f0	 143 (40 41) */		srl	%g1,16,%g1
-/* 0x01f4	 142 (40 41) */		std	%f2,[%o5-32]
-/* 0x01f8	 143 (41 42) */		st	%g1,[%sp+92]
-/* 0x01fc	     (48 50) */		ld	[%sp+92],%f3
-/* 0x0200	     ( 0  0) */		fmovs	%f0,%f2
-/* 0x0204	     (50 53) */		fsubd	%f2,%f0,%f2
-/* 0x0208	     (51 52) */		std	%f2,[%o5-24]
-/* 0x020c	     (51 52) */		add	%o0,4,%o0
-/* 0x0210	 141 (52 54) */		ld	[%o0],%f3
-/* 0x0214	 140 (53 55) */		ld	[%o0],%g1
-/* 0x0218	 141 ( 0  0) */		fmovs	%f0,%f2
-/* 0x021c	     (54 57) */		fsubd	%f2,%f0,%f2
-/* 0x0220	     (55 56) */		std	%f2,[%o4-8]
-/* 0x0224	 142 (55 56) */		and	%g1,%o3,%g2
-/* 0x0228	     (56 57) */		st	%g2,[%sp+96]
-/* 0x022c	     (63 65) */		ld	[%sp+96],%f3
-/* 0x0230	     ( 0  0) */		fmovs	%f0,%f2
-/* 0x0234	     (65 68) */		fsubd	%f2,%f0,%f2
-/* 0x0238	 143 (66 67) */		srl	%g1,16,%g1
-/* 0x023c	 142 (66 67) */		std	%f2,[%o5-16]
-/* 0x0240	 143 (67 68) */		st	%g1,[%sp+92]
-/* 0x0244	     (74 76) */		ld	[%sp+92],%f3
-/* 0x0248	     ( 0  0) */		fmovs	%f0,%f2
-/* 0x024c	     (76 79) */		fsubd	%f2,%f0,%f2
-/* 0x0250	     (77 78) */		std	%f2,[%o5-8]
-/* 0x0254	     (77 78) */		bl,pt	%icc,.L900000509	! tprob=0.50
-/* 0x0258	     (77 78) */		add	%o0,4,%o0
-                                   .L900000512:		/* frequency 8.0 confidence 0.0 */
-/* 0x025c	 143 ( 0  1) */		cmp	%o7,%i4
-/* 0x0260	     ( 0  1) */		bge,pn	%icc,.L77000164	! tprob=0.14
-/* 0x0264	     ( 0  1) */		nop
-                                   .L77000161:		/* frequency 0.7 confidence 0.0 */
-/* 0x0268	 141 ( 0  3) */		ld	[%o0],%f3
-                                   .L900000513:		/* frequency 6.4 confidence 0.0 */
-/* 0x026c	 141 ( 0  3) */		ldd	[%o2],%f0
-/* 0x0270	 143 ( 0  1) */		add	%o7,1,%o7
-/* 0x0274	 140 ( 1  4) */		ld	[%o0],%o1
-/* 0x0278	 143 ( 1  2) */		add	%o0,4,%o0
-/* 0x027c	     ( 1  2) */		cmp	%o7,%i4
-/* 0x0280	 141 ( 2  3) */		fmovs	%f0,%f2
-/* 0x0284	 142 ( 3  4) */		and	%o1,%o3,%g1
-/* 0x0288	 141 ( 4  7) */		fsubd	%f2,%f0,%f2
-/* 0x028c	     ( 4  5) */		std	%f2,[%o4]
-/* 0x0290	 143 ( 4  5) */		srl	%o1,16,%o1
-/* 0x0294	 142 ( 5  6) */		st	%g1,[%sp+96]
-/* 0x0298	 143 ( 5  6) */		add	%o4,8,%o4
-/* 0x029c	 142 ( 8  9) */		fmovs	%f0,%f2
-/* 0x02a0	     ( 9 12) */		ld	[%sp+96],%f3
-/* 0x02a4	     (11 14) */		fsubd	%f2,%f0,%f2
-/* 0x02a8	     (11 12) */		std	%f2,[%o5]
-/* 0x02ac	 143 (12 13) */		st	%o1,[%sp+92]
-/* 0x02b0	     (15 16) */		fmovs	%f0,%f2
-/* 0x02b4	     (16 19) */		ld	[%sp+92],%f3
-/* 0x02b8	     (18 21) */		fsubd	%f2,%f0,%f0
-/* 0x02bc	     (18 19) */		std	%f0,[%o5+8]
-/* 0x02c0	     (18 19) */		add	%o5,16,%o5
-/* 0x02c4	     (18 19) */		bl,a,pt	%icc,.L900000513	! tprob=0.86
-/* 0x02c8	     (19 22) */		ld	[%o0],%f3
-                                   .L77000164:		/* frequency 1.0 confidence 0.0 */
-/* 0x02cc	     ( 0  2) */		ret	! Result = 
-/* 0x02d0	     ( 2  3) */		restore	%g0,%g0,%g0
-/* 0x02d4	   0 ( 0  0) */		.type	conv_i32_to_d32_and_d16,2
-/* 0x02d4	     ( 0  0) */		.size	conv_i32_to_d32_and_d16,(.-conv_i32_to_d32_and_d16)
-
-	.section	".text",#alloc,#execinstr
-/* 000000	   0 ( 0  0) */		.align	4
-!
-! SUBROUTINE adjust_montf_result
-!
-! OFFSET    SOURCE LINE	LABEL	INSTRUCTION	(ISSUE TIME)	(COMPLETION TIME)
-
-                                   	.global adjust_montf_result
-                                   adjust_montf_result:		/* frequency 1.0 confidence 0.0 */
-
-!  144		                    !   }
-!  145		                    !}
-!  148		                    !void adjust_montf_result(unsigned int *i32, unsigned int *nint, int len)
-!  149		                    !{
-!  150		                    !long long acc;
-!  151		                    !int i;
-!  153		                    ! if(i32[len]>0) i=-1;
-
-/* 000000	 153 ( 0  1) */		sll	%o2,2,%g1
-/* 0x0004	     ( 0  1) */		or	%g0,-1,%g3
-/* 0x0008	     ( 1  4) */		ld	[%o0+%g1],%g1
-/* 0x000c	     ( 3  4) */		cmp	%g1,0
-/* 0x0010	     ( 3  4) */		bleu,pn	%icc,.L77000175	! tprob=0.50
-/* 0x0014	     ( 3  4) */		or	%g0,%o1,%o3
-/* 0x0018	     ( 4  5) */		ba	.L900000611	! tprob=1.00
-/* 0x001c	     ( 4  5) */		cmp	%g3,0
-                                   .L77000175:		/* frequency 0.8 confidence 0.0 */
-
-!  154		                    ! else
-!  155		                    !   {
-!  156		                    !     for(i=len-1; i>=0; i++)
-
-/* 0x0020	 156 ( 0  1) */		subcc	%o2,1,%g3
-/* 0x0024	     ( 0  1) */		bneg,pt	%icc,.L900000611	! tprob=0.60
-/* 0x0028	     ( 1  2) */		cmp	%g3,0
-/* 0x002c	     ( 1  2) */		sll	%g3,2,%g1
-/* 0x0030	     ( 2  3) */		add	%o0,%g1,%g2
-/* 0x0034	     ( 2  3) */		add	%o1,%g1,%g1
-
-!  157		                    !       {
-!  158		                    !	 if(i32[i]!=nint[i]) break;
-
-/* 0x0038	 158 ( 3  6) */		ld	[%g1],%g5
-                                   .L900000610:		/* frequency 5.3 confidence 0.0 */
-/* 0x003c	 158 ( 0  3) */		ld	[%g2],%o5
-/* 0x0040	     ( 0  1) */		add	%g1,4,%g1
-/* 0x0044	     ( 0  1) */		add	%g2,4,%g2
-/* 0x0048	     ( 2  3) */		cmp	%o5,%g5
-/* 0x004c	     ( 2  3) */		bne,pn	%icc,.L77000182	! tprob=0.16
-/* 0x0050	     ( 2  3) */		nop
-/* 0x0054	     ( 3  4) */		addcc	%g3,1,%g3
-/* 0x0058	     ( 3  4) */		bpos,a,pt	%icc,.L900000610	! tprob=0.84
-/* 0x005c	     ( 3  6) */		ld	[%g1],%g5
-                                   .L77000182:		/* frequency 1.0 confidence 0.0 */
-
-!  159		                    !       }
-!  160		                    !   }
-!  161		                    ! if((i<0)||(i32[i]>nint[i]))
-
-/* 0x0060	 161 ( 0  1) */		cmp	%g3,0
-                                   .L900000611:		/* frequency 1.0 confidence 0.0 */
-/* 0x0064	 161 ( 0  1) */		bl,pn	%icc,.L77000198	! tprob=0.50
-/* 0x0068	     ( 0  1) */		sll	%g3,2,%g2
-/* 0x006c	     ( 1  4) */		ld	[%o1+%g2],%g1
-/* 0x0070	     ( 2  5) */		ld	[%o0+%g2],%g2
-/* 0x0074	     ( 4  5) */		cmp	%g2,%g1
-/* 0x0078	     ( 4  5) */		bleu,pt	%icc,.L77000191	! tprob=0.56
-/* 0x007c	     ( 4  5) */		nop
-                                   .L77000198:		/* frequency 0.8 confidence 0.0 */
-
-!  162		                    !   {
-!  163		                    !     acc=0;
-!  164		                    !     for(i=0;i<len;i++)
-
-/* 0x0080	 164 ( 0  1) */		cmp	%o2,0
-/* 0x0084	     ( 0  1) */		ble,pt	%icc,.L77000191	! tprob=0.60
-/* 0x0088	     ( 0  1) */		nop
-/* 0x008c	 161 ( 1  2) */		or	%g0,-1,%g2
-/* 0x0090	     ( 1  2) */		sub	%o2,1,%g4
-/* 0x0094	     ( 2  3) */		srl	%g2,0,%g3
-/* 0x0098	 163 ( 2  3) */		or	%g0,0,%g5
-/* 0x009c	 164 ( 3  4) */		or	%g0,0,%o5
-/* 0x00a0	 161 ( 3  4) */		or	%g0,%o0,%o4
-/* 0x00a4	     ( 4  5) */		cmp	%o2,3
-/* 0x00a8	     ( 4  5) */		add	%o1,4,%g2
-/* 0x00ac	 164 ( 4  5) */		bl,pn	%icc,.L77000199	! tprob=0.40
-/* 0x00b0	     ( 5  6) */		add	%o0,8,%g1
-
-!  165		                    !       {
-!  166		                    !	 acc=acc+(unsigned long long)(i32[i])-(unsigned long long)(nint[i]);
-
-/* 0x00b4	 166 ( 5  8) */		ld	[%o0],%o2
-/* 0x00b8	   0 ( 5  6) */		or	%g0,%g2,%o3
-/* 0x00bc	 166 ( 6  9) */		ld	[%o1],%o1
-/* 0x00c0	   0 ( 6  7) */		or	%g0,%g1,%o4
-
-!  167		                    !	 i32[i]=acc&0xffffffff;
-!  168		                    !	 acc=acc>>32;
-
-/* 0x00c4	 168 ( 6  7) */		or	%g0,2,%o5
-/* 0x00c8	 166 ( 7 10) */		ld	[%o0+4],%g1
-/* 0x00cc	 164 ( 8  9) */		sub	%o2,%o1,%o2
-/* 0x00d0	     ( 9 10) */		or	%g0,%o2,%g5
-/* 0x00d4	 167 ( 9 10) */		and	%o2,%g3,%o2
-/* 0x00d8	     ( 9 10) */		st	%o2,[%o0]
-/* 0x00dc	 168 (10 11) */		srax	%g5,32,%g5
-                                   .L900000605:		/* frequency 64.0 confidence 0.0 */
-/* 0x00e0	 166 (12 20) */		ld	[%o3],%o2
-/* 0x00e4	 168 (12 13) */		add	%o5,1,%o5
-/* 0x00e8	     (12 13) */		add	%o3,4,%o3
-/* 0x00ec	     (13 13) */		cmp	%o5,%g4
-/* 0x00f0	     (13 14) */		add	%o4,4,%o4
-/* 0x00f4	 164 (14 14) */		sub	%g1,%o2,%g1
-/* 0x00f8	     (15 15) */		add	%g1,%g5,%g5
-/* 0x00fc	 167 (16 17) */		and	%g5,%g3,%o2
-/* 0x0100	 166 (16 24) */		ld	[%o4-4],%g1
-/* 0x0104	 167 (17 18) */		st	%o2,[%o4-8]
-/* 0x0108	 168 (17 18) */		ble,pt	%icc,.L900000605	! tprob=0.50
-/* 0x010c	     (17 18) */		srax	%g5,32,%g5
-                                   .L900000608:		/* frequency 8.0 confidence 0.0 */
-/* 0x0110	 166 ( 0  3) */		ld	[%o3],%g2
-/* 0x0114	 164 ( 2  3) */		sub	%g1,%g2,%g1
-/* 0x0118	     ( 3  4) */		add	%g1,%g5,%g1
-/* 0x011c	 167 ( 4  5) */		and	%g1,%g3,%g2
-/* 0x0120	     ( 5  7) */		retl	! Result = 
-/* 0x0124	     ( 6  7) */		st	%g2,[%o4-4]
-                                   .L77000199:		/* frequency 0.6 confidence 0.0 */
-/* 0x0128	 166 ( 0  3) */		ld	[%o4],%g1
-                                   .L900000609:		/* frequency 5.3 confidence 0.0 */
-/* 0x012c	 166 ( 0  3) */		ld	[%o3],%g2
-/* 0x0130	     ( 0  1) */		add	%g5,%g1,%g1
-/* 0x0134	 168 ( 0  1) */		add	%o5,1,%o5
-/* 0x0138	     ( 1  2) */		add	%o3,4,%o3
-/* 0x013c	     ( 1  2) */		cmp	%o5,%g4
-/* 0x0140	 166 ( 2  3) */		sub	%g1,%g2,%g1
-/* 0x0144	 167 ( 3  4) */		and	%g1,%g3,%g2
-/* 0x0148	     ( 3  4) */		st	%g2,[%o4]
-/* 0x014c	 168 ( 3  4) */		add	%o4,4,%o4
-/* 0x0150	     ( 4  5) */		srax	%g1,32,%g5
-/* 0x0154	     ( 4  5) */		ble,a,pt	%icc,.L900000609	! tprob=0.84
-/* 0x0158	     ( 4  7) */		ld	[%o4],%g1
-                                   .L77000191:		/* frequency 1.0 confidence 0.0 */
-/* 0x015c	     ( 0  2) */		retl	! Result = 
-/* 0x0160	     ( 1  2) */		nop
-/* 0x0164	   0 ( 0  0) */		.type	adjust_montf_result,2
-/* 0x0164	     ( 0  0) */		.size	adjust_montf_result,(.-adjust_montf_result)
-
-	.section	".text",#alloc,#execinstr
-/* 000000	   0 ( 0  0) */		.align	32
-!
-! SUBROUTINE mont_mulf_noconv
-!
-! OFFSET    SOURCE LINE	LABEL	INSTRUCTION	(ISSUE TIME)	(COMPLETION TIME)
-
-                                   	.global mont_mulf_noconv
-                                   mont_mulf_noconv:		/* frequency 1.0 confidence 0.0 */
-/* 000000	     ( 0  1) */		save	%sp,-144,%sp
-/* 0x0004	     ( 1  2) */		st	%i0,[%fp+68]
-
-!  169		                    !       }
-!  170		                    !   }
-!  171		                    !}
-!  175		                    !void cleanup(double *dt, int from, int tlen);
-!  177		                    !/*
-!  178		                    !** the lengths of the input arrays should be at least the following:
-!  179		                    !** result[nlen+1], dm1[nlen], dm2[2*nlen+1], dt[4*nlen+2], dn[nlen], nint[nlen]
-!  180		                    !** all of them should be different from one another
-!  181		                    !**
-!  182		                    !*/
-!  183		                    !void mont_mulf_noconv(unsigned int *result,
-!  184		                    !		     double *dm1, double *dm2, double *dt,
-!  185		                    !		     double *dn, unsigned int *nint,
-!  186		                    !		     int nlen, double dn0)
-!  187		                    !{
-!  188		                    ! int i, j, jj;
-!  189		                    ! int tmp;
-!  190		                    ! double digit, m2j, nextm2j, a, b;
-!  191		                    ! double *dptmp, *pdm1, *pdm2, *pdn, *pdtj, pdn_0, pdm1_0;
-!  193		                    ! pdm1=&(dm1[0]);
-!  194		                    ! pdm2=&(dm2[0]);
-!  195		                    ! pdn=&(dn[0]);
-!  196		                    ! pdm2[2*nlen]=Zero;
-
-/* 0x0008	 196 ( 1  2) */		sethi	%hi(Zero),%g2
-/* 0x000c	 187 ( 1  2) */		or	%g0,%i2,%o1
-/* 0x0010	     ( 2  3) */		st	%i5,[%fp+88]
-/* 0x0014	     ( 2  3) */		or	%g0,%i3,%o2
-/* 0x0018	 196 ( 2  3) */		add	%g2,%lo(Zero),%g4
-/* 0x001c	     ( 3  6) */		ldd	[%g2+%lo(Zero)],%f2
-/* 0x0020	 187 ( 3  4) */		or	%g0,%o2,%g5
-/* 0x0024	 196 ( 3  4) */		or	%g0,%o1,%i0
-/* 0x0028	 187 ( 4  5) */		or	%g0,%i4,%i2
-
-!  198		                    ! if (nlen!=16)
-!  199		                    !   {
-!  200		                    !     for(i=0;i<4*nlen+2;i++) dt[i]=Zero;
-!  202		                    !     a=dt[0]=pdm1[0]*pdm2[0];
-!  203		                    !     digit=mod(lower32(a,Zero)*dn0,TwoToMinus16,TwoTo16);
-!  205		                    !     pdtj=&(dt[0]);
-!  206		                    !     for(j=jj=0;j<2*nlen;j++,jj++,pdtj++)
-!  207		                    !       {
-!  208		                    !	 m2j=pdm2[j];
-!  209		                    !	 a=pdtj[0]+pdn[0]*digit;
-!  210		                    !	 b=pdtj[1]+pdm1[0]*pdm2[j+1]+a*TwoToMinus16;
-!  211		                    !	 pdtj[1]=b;
-!  213		                    !#pragma pipeloop(0)
-!  214		                    !	 for(i=1;i<nlen;i++)
-!  215		                    !	   {
-!  216		                    !	     pdtj[2*i]+=pdm1[i]*m2j+pdn[i]*digit;
-!  217		                    !	   }
-!  218		                    ! 	 if((jj==30)) {cleanup(dt,j/2+1,2*nlen+1); jj=0;}
-!  219		                    !	 
-!  220		                    !	 digit=mod(lower32(b,Zero)*dn0,TwoToMinus16,TwoTo16);
-!  221		                    !       }
-!  222		                    !   }
-!  223		                    ! else
-!  224		                    !   {
-!  225		                    !     a=dt[0]=pdm1[0]*pdm2[0];
-!  227		                    !     dt[65]=     dt[64]=     dt[63]=     dt[62]=     dt[61]=     dt[60]=
-!  228		                    !     dt[59]=     dt[58]=     dt[57]=     dt[56]=     dt[55]=     dt[54]=
-!  229		                    !     dt[53]=     dt[52]=     dt[51]=     dt[50]=     dt[49]=     dt[48]=
-!  230		                    !     dt[47]=     dt[46]=     dt[45]=     dt[44]=     dt[43]=     dt[42]=
-!  231		                    !     dt[41]=     dt[40]=     dt[39]=     dt[38]=     dt[37]=     dt[36]=
-!  232		                    !     dt[35]=     dt[34]=     dt[33]=     dt[32]=     dt[31]=     dt[30]=
-!  233		                    !     dt[29]=     dt[28]=     dt[27]=     dt[26]=     dt[25]=     dt[24]=
-!  234		                    !     dt[23]=     dt[22]=     dt[21]=     dt[20]=     dt[19]=     dt[18]=
-!  235		                    !     dt[17]=     dt[16]=     dt[15]=     dt[14]=     dt[13]=     dt[12]=
-!  236		                    !     dt[11]=     dt[10]=     dt[ 9]=     dt[ 8]=     dt[ 7]=     dt[ 6]=
-!  237		                    !     dt[ 5]=     dt[ 4]=     dt[ 3]=     dt[ 2]=     dt[ 1]=Zero;
-!  239		                    !     pdn_0=pdn[0];
-!  240		                    !     pdm1_0=pdm1[0];
-!  242		                    !     digit=mod(lower32(a,Zero)*dn0,TwoToMinus16,TwoTo16);
-!  243		                    !     pdtj=&(dt[0]);
-!  245		                    !     for(j=0;j<32;j++,pdtj++)
-!  246		                    !       {
-!  248		                    !	 m2j=pdm2[j];
-!  249		                    !	 a=pdtj[0]+pdn_0*digit;
-!  250		                    !	 b=pdtj[1]+pdm1_0*pdm2[j+1]+a*TwoToMinus16;
-!  251		                    !	 pdtj[1]=b;
-!  253		                    !	 /**** this loop will be fully unrolled:
-!  254		                    !	 for(i=1;i<16;i++)
-!  255		                    !	   {
-!  256		                    !	     pdtj[2*i]+=pdm1[i]*m2j+pdn[i]*digit;
-!  257		                    !	   }
-!  258		                    !	 *************************************/
-!  259		                    !	     pdtj[2]+=pdm1[1]*m2j+pdn[1]*digit;
-!  260		                    !	     pdtj[4]+=pdm1[2]*m2j+pdn[2]*digit;
-!  261		                    !	     pdtj[6]+=pdm1[3]*m2j+pdn[3]*digit;
-!  262		                    !	     pdtj[8]+=pdm1[4]*m2j+pdn[4]*digit;
-!  263		                    !	     pdtj[10]+=pdm1[5]*m2j+pdn[5]*digit;
-!  264		                    !	     pdtj[12]+=pdm1[6]*m2j+pdn[6]*digit;
-!  265		                    !	     pdtj[14]+=pdm1[7]*m2j+pdn[7]*digit;
-!  266		                    !	     pdtj[16]+=pdm1[8]*m2j+pdn[8]*digit;
-!  267		                    !	     pdtj[18]+=pdm1[9]*m2j+pdn[9]*digit;
-!  268		                    !	     pdtj[20]+=pdm1[10]*m2j+pdn[10]*digit;
-!  269		                    !	     pdtj[22]+=pdm1[11]*m2j+pdn[11]*digit;
-!  270		                    !	     pdtj[24]+=pdm1[12]*m2j+pdn[12]*digit;
-!  271		                    !	     pdtj[26]+=pdm1[13]*m2j+pdn[13]*digit;
-!  272		                    !	     pdtj[28]+=pdm1[14]*m2j+pdn[14]*digit;
-!  273		                    !	     pdtj[30]+=pdm1[15]*m2j+pdn[15]*digit;
-!  274		                    !	 /* no need for cleenup, cannot overflow */
-!  275		                    !	 digit=mod(lower32(b,Zero)*dn0,TwoToMinus16,TwoTo16);
-!  276		                    !       }
-!  277		                    !   }
-!  279		                    ! conv_d16_to_i32(result,dt+2*nlen,(long long *)dt,nlen+1);
-!  281		                    ! adjust_montf_result(result,nint,nlen); 
-
-/* 0x002c	 281 ( 4  5) */		or	%g0,1,%o4
-/* 0x0030	 187 ( 6  9) */		ldd	[%fp+96],%f0
-/* 0x0034	 196 ( 7 10) */		ld	[%fp+92],%o0
-/* 0x0038	 187 ( 8  9) */		fmovd	%f0,%f16
-/* 0x003c	 196 ( 9 10) */		sll	%o0,4,%g2
-/* 0x0040	     ( 9 10) */		or	%g0,%o0,%g1
-/* 0x0044	 198 (10 11) */		cmp	%o0,16
-/* 0x0048	     (10 11) */		be,pn	%icc,.L77000289	! tprob=0.50
-/* 0x004c	     (10 11) */		std	%f2,[%o1+%g2]
-/* 0x0050	 200 (11 12) */		sll	%o0,2,%g2
-/* 0x0054	     (11 14) */		ldd	[%g4],%f2
-/* 0x0058	     (12 13) */		add	%g2,2,%o1
-/* 0x005c	     (12 13) */		add	%g2,1,%o3
-/* 0x0060	 196 (13 14) */		sll	%o0,1,%o7
-/* 0x0064	 200 (13 14) */		cmp	%o1,0
-/* 0x0068	     (13 14) */		ble,a,pt	%icc,.L900000755	! tprob=0.55
-/* 0x006c	     (14 17) */		ldd	[%i1],%f0
-/* 0x0070	     (14 15) */		cmp	%o1,3
-/* 0x0074	 281 (14 15) */		or	%g0,1,%o1
-/* 0x0078	     (14 15) */		bl,pn	%icc,.L77000279	! tprob=0.40
-/* 0x007c	     (15 16) */		add	%o2,8,%o0
-/* 0x0080	     (15 16) */		std	%f2,[%g5]
-/* 0x0084	   0 (16 17) */		or	%g0,%o0,%o2
-                                   .L900000726:		/* frequency 64.0 confidence 0.0 */
-/* 0x0088	     ( 3  5) */		ldd	[%g4],%f0
-/* 0x008c	     ( 3  4) */		add	%o4,1,%o4
-/* 0x0090	     ( 3  4) */		add	%o2,8,%o2
-/* 0x0094	     ( 4  4) */		cmp	%o4,%o3
-/* 0x0098	     ( 5  6) */		ble,pt	%icc,.L900000726	! tprob=0.50
-/* 0x009c	     ( 5  6) */		std	%f0,[%o2-8]
-                                   .L900000729:		/* frequency 8.0 confidence 0.0 */
-/* 0x00a0	     ( 0  1) */		ba	.L900000755	! tprob=1.00
-/* 0x00a4	     ( 0  3) */		ldd	[%i1],%f0
-                                   .L77000279:		/* frequency 0.6 confidence 0.0 */
-/* 0x00a8	     ( 0  1) */		std	%f2,[%o2]
-                                   .L900000754:		/* frequency 5.3 confidence 0.0 */
-/* 0x00ac	     ( 0  3) */		ldd	[%g4],%f2
-/* 0x00b0	     ( 0  1) */		cmp	%o1,%o3
-/* 0x00b4	     ( 0  1) */		add	%o2,8,%o2
-/* 0x00b8	     ( 1  2) */		add	%o1,1,%o1
-/* 0x00bc	     ( 1  2) */		ble,a,pt	%icc,.L900000754	! tprob=0.87
-/* 0x00c0	     ( 3  4) */		std	%f2,[%o2]
-                                   .L77000284:		/* frequency 0.8 confidence 0.0 */
-/* 0x00c4	 202 ( 0  3) */		ldd	[%i1],%f0
-                                   .L900000755:		/* frequency 0.8 confidence 0.0 */
-/* 0x00c8	 202 ( 0  3) */		ldd	[%i0],%f2
-/* 0x00cc	     ( 0  1) */		add	%o7,1,%o2
-/* 0x00d0	 206 ( 0  1) */		cmp	%o7,0
-/* 0x00d4	     ( 1  2) */		sll	%o2,1,%o0
-/* 0x00d8	     ( 1  2) */		sub	%o7,1,%o1
-/* 0x00dc	 202 ( 2  5) */		fmuld	%f0,%f2,%f0
-/* 0x00e0	     ( 2  3) */		std	%f0,[%g5]
-/* 0x00e4	     ( 2  3) */		sub	%g1,1,%o7
-/* 0x00e8	     ( 3  6) */		ldd	[%g4],%f6
-/* 0x00ec	   0 ( 3  4) */		or	%g0,%o7,%g3
-/* 0x00f0	     ( 3  4) */		or	%g0,0,%l0
-/* 0x00f4	     ( 4  7) */		ldd	[%g4-8],%f2
-/* 0x00f8	     ( 4  5) */		or	%g0,0,%i5
-/* 0x00fc	     ( 4  5) */		or	%g0,%o1,%o5
-/* 0x0100	     ( 5  8) */		fdtox	%f0,%f0
-/* 0x0104	     ( 5  8) */		ldd	[%g4-16],%f4
-/* 0x0108	     ( 5  6) */		or	%g0,%o0,%o3
-/* 0x010c	 210 ( 6  7) */		add	%i0,8,%o4
-/* 0x0110	     ( 6  7) */		or	%g0,0,%i4
-/* 0x0114	     ( 9 10) */		fmovs	%f6,%f0
-/* 0x0118	     (11 14) */		fxtod	%f0,%f0
-/* 0x011c	 203 (14 17) */		fmuld	%f0,%f16,%f0
-/* 0x0120	     (17 20) */		fmuld	%f0,%f2,%f2
-/* 0x0124	     (20 23) */		fdtox	%f2,%f2
-/* 0x0128	     (23 26) */		fxtod	%f2,%f2
-/* 0x012c	     (26 29) */		fmuld	%f2,%f4,%f2
-/* 0x0130	     (29 32) */		fsubd	%f0,%f2,%f22
-/* 0x0134	 206 (29 30) */		ble,pt	%icc,.L900000748	! tprob=0.60
-/* 0x0138	     (29 30) */		sll	%g1,4,%g2
-/* 0x013c	 210 (30 33) */		ldd	[%i2],%f0
-                                   .L900000749:		/* frequency 5.3 confidence 0.0 */
-/* 0x0140	 210 ( 0  3) */		fmuld	%f0,%f22,%f8
-/* 0x0144	     ( 0  3) */		ldd	[%i1],%f0
-/* 0x0148	 214 ( 0  1) */		cmp	%g1,1
-/* 0x014c	 210 ( 1  4) */		ldd	[%o4+%i4],%f6
-/* 0x0150	     ( 1  2) */		add	%i1,8,%o0
-/* 0x0154	 214 ( 1  2) */		or	%g0,1,%o1
-/* 0x0158	 210 ( 2  5) */		ldd	[%i3],%f2
-/* 0x015c	     ( 2  3) */		add	%i3,16,%l1
-/* 0x0160	     ( 3  6) */		fmuld	%f0,%f6,%f6
-/* 0x0164	     ( 3  6) */		ldd	[%g4-8],%f4
-/* 0x0168	     ( 4  7) */		faddd	%f2,%f8,%f2
-/* 0x016c	     ( 4  7) */		ldd	[%i3+8],%f0
-/* 0x0170	 208 ( 5  8) */		ldd	[%i0+%i4],%f20
-/* 0x0174	 210 ( 6  9) */		faddd	%f0,%f6,%f0
-/* 0x0178	     ( 7 10) */		fmuld	%f2,%f4,%f2
-/* 0x017c	     (10 13) */		faddd	%f0,%f2,%f18
-/* 0x0180	 211 (10 11) */		std	%f18,[%i3+8]
-/* 0x0184	 214 (10 11) */		ble,pt	%icc,.L900000753	! tprob=0.54
-/* 0x0188	     (11 12) */		srl	%i5,31,%g2
-/* 0x018c	     (11 12) */		cmp	%g3,7
-/* 0x0190	 210 (12 13) */		add	%i2,8,%g2
-/* 0x0194	 214 (12 13) */		bl,pn	%icc,.L77000281	! tprob=0.36
-/* 0x0198	     (13 14) */		add	%g2,24,%o2
-/* 0x019c	 216 (13 16) */		ldd	[%o0+16],%f14
-/* 0x01a0	     (13 14) */		add	%i3,48,%l1
-/* 0x01a4	     (14 17) */		ldd	[%o0+24],%f12
-/* 0x01a8	   0 (14 15) */		or	%g0,%o2,%g2
-/* 0x01ac	 214 (14 15) */		sub	%g1,3,%o2
-/* 0x01b0	 216 (15 18) */		ldd	[%o0],%f2
-/* 0x01b4	     (15 16) */		or	%g0,5,%o1
-/* 0x01b8	     (16 19) */		ldd	[%g2-24],%f0
-/* 0x01bc	     (17 20) */		ldd	[%o0+8],%f6
-/* 0x01c0	     (17 20) */		fmuld	%f2,%f20,%f2
-/* 0x01c4	     (17 18) */		add	%o0,32,%o0
-/* 0x01c8	     (18 21) */		ldd	[%g2-16],%f8
-/* 0x01cc	     (18 21) */		fmuld	%f0,%f22,%f4
-/* 0x01d0	     (19 22) */		ldd	[%i3+16],%f0
-/* 0x01d4	     (19 22) */		fmuld	%f6,%f20,%f10
-/* 0x01d8	     (20 23) */		ldd	[%g2-8],%f6
-/* 0x01dc	     (21 24) */		faddd	%f2,%f4,%f4
-/* 0x01e0	     (21 24) */		ldd	[%i3+32],%f2
-                                   .L900000738:		/* frequency 512.0 confidence 0.0 */
-/* 0x01e4	 216 (16 24) */		ldd	[%g2],%f24
-/* 0x01e8	     (16 17) */		add	%o1,3,%o1
-/* 0x01ec	     (16 17) */		add	%g2,24,%g2
-/* 0x01f0	     (16 19) */		fmuld	%f8,%f22,%f8
-/* 0x01f4	     (17 25) */		ldd	[%l1],%f28
-/* 0x01f8	     (17 17) */		cmp	%o1,%o2
-/* 0x01fc	     (17 18) */		add	%o0,24,%o0
-/* 0x0200	     (18 26) */		ldd	[%o0-24],%f26
-/* 0x0204	     (18 21) */		faddd	%f0,%f4,%f0
-/* 0x0208	     (18 19) */		add	%l1,48,%l1
-/* 0x020c	     (19 22) */		faddd	%f10,%f8,%f10
-/* 0x0210	     (19 22) */		fmuld	%f14,%f20,%f4
-/* 0x0214	     (19 20) */		std	%f0,[%l1-80]
-/* 0x0218	     (20 28) */		ldd	[%g2-16],%f8
-/* 0x021c	     (20 23) */		fmuld	%f6,%f22,%f6
-/* 0x0220	     (21 29) */		ldd	[%l1-32],%f0
-/* 0x0224	     (22 30) */		ldd	[%o0-16],%f14
-/* 0x0228	     (22 25) */		faddd	%f2,%f10,%f2
-/* 0x022c	     (23 26) */		faddd	%f4,%f6,%f10
-/* 0x0230	     (23 26) */		fmuld	%f12,%f20,%f4
-/* 0x0234	     (23 24) */		std	%f2,[%l1-64]
-/* 0x0238	     (24 32) */		ldd	[%g2-8],%f6
-/* 0x023c	     (24 27) */		fmuld	%f24,%f22,%f24
-/* 0x0240	     (25 33) */		ldd	[%l1-16],%f2
-/* 0x0244	     (26 34) */		ldd	[%o0-8],%f12
-/* 0x0248	     (26 29) */		faddd	%f28,%f10,%f10
-/* 0x024c	     (27 28) */		std	%f10,[%l1-48]
-/* 0x0250	     (27 30) */		fmuld	%f26,%f20,%f10
-/* 0x0254	     (27 28) */		ble,pt	%icc,.L900000738	! tprob=0.50
-/* 0x0258	     (27 30) */		faddd	%f4,%f24,%f4
-                                   .L900000741:		/* frequency 64.0 confidence 0.0 */
-/* 0x025c	 216 ( 0  3) */		fmuld	%f8,%f22,%f28
-/* 0x0260	     ( 0  3) */		ldd	[%g2],%f24
-/* 0x0264	     ( 0  3) */		faddd	%f0,%f4,%f26
-/* 0x0268	     ( 1  4) */		fmuld	%f12,%f20,%f8
-/* 0x026c	     ( 1  2) */		add	%l1,32,%l1
-/* 0x0270	     ( 1  2) */		cmp	%o1,%g3
-/* 0x0274	     ( 2  5) */		fmuld	%f14,%f20,%f14
-/* 0x0278	     ( 2  5) */		ldd	[%l1-32],%f4
-/* 0x027c	     ( 2  3) */		add	%g2,8,%g2
-/* 0x0280	     ( 3  6) */		faddd	%f10,%f28,%f12
-/* 0x0284	     ( 3  6) */		fmuld	%f6,%f22,%f6
-/* 0x0288	     ( 3  6) */		ldd	[%l1-16],%f0
-/* 0x028c	     ( 4  7) */		fmuld	%f24,%f22,%f10
-/* 0x0290	     ( 4  5) */		std	%f26,[%l1-64]
-/* 0x0294	     ( 6  9) */		faddd	%f2,%f12,%f2
-/* 0x0298	     ( 6  7) */		std	%f2,[%l1-48]
-/* 0x029c	     ( 7 10) */		faddd	%f14,%f6,%f6
-/* 0x02a0	     ( 8 11) */		faddd	%f8,%f10,%f2
-/* 0x02a4	     (10 13) */		faddd	%f4,%f6,%f4
-/* 0x02a8	     (10 11) */		std	%f4,[%l1-32]
-/* 0x02ac	     (11 14) */		faddd	%f0,%f2,%f0
-/* 0x02b0	     (11 12) */		bg,pn	%icc,.L77000213	! tprob=0.13
-/* 0x02b4	     (11 12) */		std	%f0,[%l1-16]
-                                   .L77000281:		/* frequency 4.0 confidence 0.0 */
-/* 0x02b8	 216 ( 0  3) */		ldd	[%o0],%f0
-                                   .L900000752:		/* frequency 36.6 confidence 0.0 */
-/* 0x02bc	 216 ( 0  3) */		ldd	[%g2],%f4
-/* 0x02c0	     ( 0  3) */		fmuld	%f0,%f20,%f2
-/* 0x02c4	     ( 0  1) */		add	%o1,1,%o1
-/* 0x02c8	     ( 1  4) */		ldd	[%l1],%f0
-/* 0x02cc	     ( 1  2) */		add	%o0,8,%o0
-/* 0x02d0	     ( 1  2) */		add	%g2,8,%g2
-/* 0x02d4	     ( 2  5) */		fmuld	%f4,%f22,%f4
-/* 0x02d8	     ( 2  3) */		cmp	%o1,%g3
-/* 0x02dc	     ( 5  8) */		faddd	%f2,%f4,%f2
-/* 0x02e0	     ( 8 11) */		faddd	%f0,%f2,%f0
-/* 0x02e4	     ( 8  9) */		std	%f0,[%l1]
-/* 0x02e8	     ( 8  9) */		add	%l1,16,%l1
-/* 0x02ec	     ( 8  9) */		ble,a,pt	%icc,.L900000752	! tprob=0.87
-/* 0x02f0	     (10 13) */		ldd	[%o0],%f0
-                                   .L77000213:		/* frequency 5.3 confidence 0.0 */
-/* 0x02f4	     ( 0  1) */		srl	%i5,31,%g2
-                                   .L900000753:		/* frequency 5.3 confidence 0.0 */
-/* 0x02f8	 218 ( 0  1) */		cmp	%l0,30
-/* 0x02fc	     ( 0  1) */		bne,a,pt	%icc,.L900000751	! tprob=0.54
-/* 0x0300	     ( 0  3) */		fdtox	%f18,%f0
-/* 0x0304	     ( 1  2) */		add	%i5,%g2,%g2
-/* 0x0308	     ( 1  2) */		sub	%o3,1,%o2
-/* 0x030c	     ( 2  3) */		sra	%g2,1,%o0
-/* 0x0310	 216 ( 2  5) */		ldd	[%g4],%f0
-/* 0x0314	     ( 3  4) */		add	%o0,1,%g2
-/* 0x0318	     ( 4  5) */		sll	%g2,1,%o0
-/* 0x031c	     ( 4  5) */		fmovd	%f0,%f2
-/* 0x0320	     ( 5  6) */		sll	%g2,4,%o1
-/* 0x0324	     ( 5  6) */		cmp	%o0,%o3
-/* 0x0328	     ( 5  6) */		bge,pt	%icc,.L77000215	! tprob=0.53
-/* 0x032c	     ( 6  7) */		or	%g0,0,%l0
-/* 0x0330	 218 ( 6  7) */		add	%g5,%o1,%o1
-/* 0x0334	 216 ( 7 10) */		ldd	[%o1],%f8
-                                   .L900000750:		/* frequency 32.0 confidence 0.0 */
-/* 0x0338	     ( 0  3) */		fdtox	%f8,%f6
-/* 0x033c	     ( 0  3) */		ldd	[%g4],%f10
-/* 0x0340	     ( 0  1) */		add	%o0,2,%o0
-/* 0x0344	     ( 1  4) */		ldd	[%o1+8],%f4
-/* 0x0348	     ( 1  4) */		fdtox	%f8,%f8
-/* 0x034c	     ( 1  2) */		cmp	%o0,%o2
-/* 0x0350	     ( 5  6) */		fmovs	%f10,%f6
-/* 0x0354	     ( 7 10) */		fxtod	%f6,%f10
-/* 0x0358	     ( 8 11) */		fdtox	%f4,%f6
-/* 0x035c	     ( 9 12) */		fdtox	%f4,%f4
-/* 0x0360	     (10 13) */		faddd	%f10,%f2,%f2
-/* 0x0364	     (10 11) */		std	%f2,[%o1]
-/* 0x0368	     (12 15) */		ldd	[%g4],%f2
-/* 0x036c	     (14 15) */		fmovs	%f2,%f6
-/* 0x0370	     (16 19) */		fxtod	%f6,%f6
-/* 0x0374	     (17 20) */		fitod	%f8,%f2
-/* 0x0378	     (19 22) */		faddd	%f6,%f0,%f0
-/* 0x037c	     (19 20) */		std	%f0,[%o1+8]
-/* 0x0380	     (19 20) */		add	%o1,16,%o1
-/* 0x0384	     (20 23) */		fitod	%f4,%f0
-/* 0x0388	     (20 21) */		ble,a,pt	%icc,.L900000750	! tprob=0.87
-/* 0x038c	     (20 23) */		ldd	[%o1],%f8
-                                   .L77000233:		/* frequency 4.6 confidence 0.0 */
-/* 0x0390	     ( 0  0) */		or	%g0,0,%l0
-                                   .L77000215:		/* frequency 5.3 confidence 0.0 */
-/* 0x0394	     ( 0  3) */		fdtox	%f18,%f0
-                                   .L900000751:		/* frequency 5.3 confidence 0.0 */
-/* 0x0398	     ( 0  3) */		ldd	[%g4],%f6
-/* 0x039c	 220 ( 0  1) */		add	%i5,1,%i5
-/* 0x03a0	     ( 0  1) */		add	%i4,8,%i4
-/* 0x03a4	     ( 1  4) */		ldd	[%g4-8],%f2
-/* 0x03a8	     ( 1  2) */		add	%l0,1,%l0
-/* 0x03ac	     ( 1  2) */		add	%i3,8,%i3
-/* 0x03b0	     ( 2  3) */		fmovs	%f6,%f0
-/* 0x03b4	     ( 2  5) */		ldd	[%g4-16],%f4
-/* 0x03b8	     ( 2  3) */		cmp	%i5,%o5
-/* 0x03bc	     ( 4  7) */		fxtod	%f0,%f0
-/* 0x03c0	     ( 7 10) */		fmuld	%f0,%f16,%f0
-/* 0x03c4	     (10 13) */		fmuld	%f0,%f2,%f2
-/* 0x03c8	     (13 16) */		fdtox	%f2,%f2
-/* 0x03cc	     (16 19) */		fxtod	%f2,%f2
-/* 0x03d0	     (19 22) */		fmuld	%f2,%f4,%f2
-/* 0x03d4	     (22 25) */		fsubd	%f0,%f2,%f22
-/* 0x03d8	     (22 23) */		ble,a,pt	%icc,.L900000749	! tprob=0.89
-/* 0x03dc	     (22 25) */		ldd	[%i2],%f0
-                                   .L900000725:		/* frequency 0.7 confidence 0.0 */
-/* 0x03e0	 220 ( 0  1) */		ba	.L900000748	! tprob=1.00
-/* 0x03e4	     ( 0  1) */		sll	%g1,4,%g2
-
-	
-                                   .L77000289:		/* frequency 0.8 confidence 0.0 */
-/* 0x03e8	 225 ( 0  3) */		ldd	[%o1],%f6
-/* 0x03ec	 242 ( 0  1) */		add	%g4,-8,%g2
-/* 0x03f0	     ( 0  1) */		add	%g4,-16,%g3
-/* 0x03f4	 225 ( 1  4) */		ldd	[%i1],%f2
-/* 0x03f8	 245 ( 1  2) */		or	%g0,0,%o3
-/* 0x03fc	     ( 1  2) */		or	%g0,0,%o0
-/* 0x0400	 225 ( 3  6) */		fmuld	%f2,%f6,%f2
-/* 0x0404	     ( 3  4) */		std	%f2,[%o2]
-/* 0x0408	     ( 4  7) */		ldd	[%g4],%f6
-/* 0x040c	 237 ( 7  8) */		std	%f6,[%o2+8]
-/* 0x0410	     ( 8  9) */		std	%f6,[%o2+16]
-/* 0x0414	     ( 9 10) */		std	%f6,[%o2+24]
-/* 0x0418	     (10 11) */		std	%f6,[%o2+32]
-/* 0x041c	     (11 12) */		std	%f6,[%o2+40]
-/* 0x0420	     (12 13) */		std	%f6,[%o2+48]
-/* 0x0424	     (13 14) */		std	%f6,[%o2+56]
-/* 0x0428	     (14 15) */		std	%f6,[%o2+64]
-/* 0x042c	     (15 16) */		std	%f6,[%o2+72]
-!	prefetch	[%i4],0
-!	prefetch	[%i4+32],0
-!	prefetch	[%i4+64],0
-!	prefetch	[%i4+96],0
-!	prefetch	[%i4+120],0
-!	prefetch	[%i1],0
-!	prefetch	[%i1+32],0
-!	prefetch	[%i1+64],0
-!	prefetch	[%i1+96],0
-!	prefetch	[%i1+120],0
-/* 0x0430	     (16 17) */		std	%f6,[%o2+80]
-/* 0x0434	     (17 18) */		std	%f6,[%o2+88]
-/* 0x0438	     (18 19) */		std	%f6,[%o2+96]
-/* 0x043c	     (19 20) */		std	%f6,[%o2+104]
-/* 0x0440	     (20 21) */		std	%f6,[%o2+112]
-/* 0x0444	     (21 22) */		std	%f6,[%o2+120]
-/* 0x0448	     (22 23) */		std	%f6,[%o2+128]
-/* 0x044c	     (23 24) */		std	%f6,[%o2+136]
-/* 0x0450	     (24 25) */		std	%f6,[%o2+144]
-/* 0x0454	     (25 26) */		std	%f6,[%o2+152]
-/* 0x0458	     (26 27) */		std	%f6,[%o2+160]
-/* 0x045c	     (27 28) */		std	%f6,[%o2+168]
-/* 0x0460	     (27 30) */		fdtox	%f2,%f2
-/* 0x0464	     (28 29) */		std	%f6,[%o2+176]
-/* 0x0468	     (29 30) */		std	%f6,[%o2+184]
-/* 0x046c	     (30 31) */		std	%f6,[%o2+192]
-/* 0x0470	     (31 32) */		std	%f6,[%o2+200]
-/* 0x0474	     (32 33) */		std	%f6,[%o2+208]
-/* 0x0478	     (33 34) */		std	%f6,[%o2+216]
-/* 0x047c	     (34 35) */		std	%f6,[%o2+224]
-/* 0x0480	     (35 36) */		std	%f6,[%o2+232]
-/* 0x0484	     (36 37) */		std	%f6,[%o2+240]
-/* 0x0488	     (37 38) */		std	%f6,[%o2+248]
-/* 0x048c	     (38 39) */		std	%f6,[%o2+256]
-/* 0x0490	     (39 40) */		std	%f6,[%o2+264]
-/* 0x0494	     (40 41) */		std	%f6,[%o2+272]
-/* 0x0498	     (41 42) */		std	%f6,[%o2+280]
-/* 0x049c	     (42 43) */		std	%f6,[%o2+288]
-/* 0x04a0	     (43 44) */		std	%f6,[%o2+296]
-/* 0x04a4	     (44 45) */		std	%f6,[%o2+304]
-/* 0x04a8	     (45 46) */		std	%f6,[%o2+312]
-/* 0x04ac	     (46 47) */		std	%f6,[%o2+320]
-/* 0x04b0	     (47 48) */		std	%f6,[%o2+328]
-/* 0x04b4	     (48 49) */		std	%f6,[%o2+336]
-/* 0x04b8	     (49 50) */		std	%f6,[%o2+344]
-/* 0x04bc	     (50 51) */		std	%f6,[%o2+352]
-/* 0x04c0	     (51 52) */		std	%f6,[%o2+360]
-/* 0x04c4	     (52 53) */		std	%f6,[%o2+368]
-/* 0x04c8	     (53 54) */		std	%f6,[%o2+376]
-/* 0x04cc	     (54 55) */		std	%f6,[%o2+384]
-/* 0x04d0	     (55 56) */		std	%f6,[%o2+392]
-/* 0x04d4	     (56 57) */		std	%f6,[%o2+400]
-/* 0x04d8	     (57 58) */		std	%f6,[%o2+408]
-/* 0x04dc	     (58 59) */		std	%f6,[%o2+416]
-/* 0x04e0	     (59 60) */		std	%f6,[%o2+424]
-/* 0x04e4	     (60 61) */		std	%f6,[%o2+432]
-/* 0x04e8	     (61 62) */		std	%f6,[%o2+440]
-/* 0x04ec	     (62 63) */		std	%f6,[%o2+448]
-/* 0x04f0	     (63 64) */		std	%f6,[%o2+456]
-/* 0x04f4	     (64 65) */		std	%f6,[%o2+464]
-/* 0x04f8	     (65 66) */		std	%f6,[%o2+472]
-/* 0x04fc	     (66 67) */		std	%f6,[%o2+480]
-/* 0x0500	     (67 68) */		std	%f6,[%o2+488]
-/* 0x0504	     (68 69) */		std	%f6,[%o2+496]
-/* 0x0508	     (69 70) */		std	%f6,[%o2+504]
-/* 0x050c	     (70 71) */		std	%f6,[%o2+512]
-/* 0x0510	     (71 72) */		std	%f6,[%o2+520]
-/* 0x0514	 242 (72 75) */		ld	[%g4],%f2 ! dalign
-/* 0x0518	     (73 76) */		ld	[%g2],%f6 ! dalign
-/* 0x051c	     (74 77) */		fxtod	%f2,%f10
-/* 0x0520	     (74 77) */		ld	[%g2+4],%f7
-/* 0x0524	     (75 78) */		ld	[%g3],%f8 ! dalign
-/* 0x0528	     (76 79) */		ld	[%g3+4],%f9
-/* 0x052c	     (77 80) */		fmuld	%f10,%f0,%f0
-/* 0x0530	 239 (77 80) */		ldd	[%i4],%f4
-/* 0x0534	 240 (78 81) */		ldd	[%i1],%f2
-/* 0x0538	     (80 83) */		fmuld	%f0,%f6,%f6
-/* 0x053c	     (83 86) */		fdtox	%f6,%f6
-/* 0x0540	     (86 89) */		fxtod	%f6,%f6
-/* 0x0544	     (89 92) */		fmuld	%f6,%f8,%f6
-/* 0x0548	     (92 95) */		fsubd	%f0,%f6,%f0
-/* 0x054c	 250 (95 98) */		fmuld	%f4,%f0,%f10
-                                   .L900000747:		/* frequency 6.4 confidence 0.0 */
-
-
-	fmovd %f0,%f0
-	fmovd %f16,%f18
-	ldd [%i4],%f2
-	ldd [%o2],%f8
-	ldd [%i1],%f10
-	ldd [%g4-8],%f14
-	ldd [%g4-16],%f16
-	ldd [%o1],%f24
-
-	ldd [%i1+8],%f26
-	ldd [%i1+16],%f40
-	ldd [%i1+48],%f46
-	ldd [%i1+56],%f30
-	ldd [%i1+64],%f54
-	ldd [%i1+104],%f34
-	ldd [%i1+112],%f58
-
-	ldd [%i4+112],%f60
-	ldd [%i4+8],%f28	
-	ldd [%i4+104],%f38
-
-	nop
-	nop
-!
-	.L99999999:
-!1
-!!!
-	ldd	[%i1+24],%f32
-	fmuld	%f0,%f2,%f4
-!2
-!!!
-	ldd	[%i4+24],%f36
-	fmuld	%f26,%f24,%f20
-!3
-!!!
-	ldd	[%i1+40],%f42
-	fmuld	%f28,%f0,%f22
-!4
-!!!
-	ldd	[%i4+40],%f44
-	fmuld	%f32,%f24,%f32
-!5
-!!!
-	ldd	[%o1+8],%f6
-	faddd	%f4,%f8,%f4
-	fmuld	%f36,%f0,%f36
-!6
-!!!
-	add	%o1,8,%o1
-	ldd	[%i4+56],%f50
-	fmuld	%f42,%f24,%f42
-!7
-!!!
-	ldd	[%i1+72],%f52
-	faddd	%f20,%f22,%f20
-	fmuld	%f44,%f0,%f44
-!8
-!!!
-	ldd	[%o2+16],%f22
-	fmuld	%f10,%f6,%f12
-!9
-!!!
-	ldd	[%i4+72],%f56
-	faddd	%f32,%f36,%f32
-	fmuld	%f14,%f4,%f4
-!10
-!!!
-	ldd	[%o2+48],%f36
-	fmuld	%f30,%f24,%f48
-!11
-!!!
-	ldd	[%o2+8],%f8
-	faddd	%f20,%f22,%f20
-	fmuld	%f50,%f0,%f50	
-!12
-!!!
-	std	%f20,[%o2+16]
-	faddd	%f42,%f44,%f42
-	fmuld	%f52,%f24,%f52
-!13
-!!!
-	ldd	[%o2+80],%f44
-	faddd	%f4,%f12,%f4
-	fmuld	%f56,%f0,%f56
-!14
-!!!
-	ldd	[%i1+88],%f20
-	faddd	%f32,%f36,%f32
-!15
-!!!
-	ldd	[%i4+88],%f22
-	faddd	%f48,%f50,%f48
-!16
-!!!
-	ldd	[%o2+112],%f50
-	faddd	%f52,%f56,%f52
-!17
-!!!
-	ldd	[%o2+144],%f56
-	faddd	%f4,%f8,%f8
-	fmuld	%f20,%f24,%f20
-!18
-!!!
-	std	%f32,[%o2+48]
-	faddd	%f42,%f44,%f42
-	fmuld	%f22,%f0,%f22
-!19
-!!!
-	std	%f42,[%o2+80]
-	faddd	%f48,%f50,%f48
-	fmuld	%f34,%f24,%f32
-!20
-!!!
-	std	%f48,[%o2+112]
-	faddd	%f52,%f56,%f52
-	fmuld	%f38,%f0,%f36
-!21
-!!!
-	ldd	[%i1+120],%f42
-	fdtox	%f8,%f4
-!22
-!!!
-	std	%f52,[%o2+144]
-	faddd	%f20,%f22,%f20
-!23
-!!!
-	ldd	[%i4+120],%f44
-!24
-!!!
-	ldd	[%o2+176],%f22
-	faddd	%f32,%f36,%f32
-	fmuld	%f42,%f24,%f42
-!25
-!!!
-	ldd	[%i4+16],%f50
-	fmovs	%f17,%f4
-!26
-!!!
-	ldd	[%i1+32],%f52
-	fmuld	%f44,%f0,%f44
-!27
-!!!
-	ldd	[%i4+32],%f56
-	fmuld	%f40,%f24,%f48
-!28
-!!!
-	ldd	[%o2+208],%f36
-	faddd	%f20,%f22,%f20
-	fmuld	%f50,%f0,%f50
-!29
-!!!
-	std	%f20,[%o2+176]
-	fxtod	%f4,%f4
-	fmuld	%f52,%f24,%f52
-!30
-!!!
-	ldd	[%i4+48],%f22
-	faddd	%f42,%f44,%f42
-	fmuld	%f56,%f0,%f56
-!31
-!!!
-	ldd	[%o2+240],%f44
-	faddd	%f32,%f36,%f32
-!32
-!!!
-	std	%f32,[%o2+208]
-	faddd	%f48,%f50,%f48
-	fmuld	%f46,%f24,%f20
-!33
-!!!
-	ldd	[%o2+32],%f50
-	fmuld	%f4,%f18,%f12
-!34
-!!!
-	ldd	[%i4+64],%f36
-	faddd	%f52,%f56,%f52
-	fmuld	%f22,%f0,%f22
-!35
-!!!
-	ldd	[%o2+64],%f56
-	faddd	%f42,%f44,%f42
-!36
-!!!
-	std	%f42,[%o2+240]
-	faddd	%f48,%f50,%f48
-	fmuld	%f54,%f24,%f32
-!37
-!!!
-	std	%f48,[%o2+32]
-	fmuld	%f12,%f14,%f4
-!38
-!!!
-	ldd	[%i1+80],%f42
-	faddd	%f52,%f56,%f56	! yes, tmp52!
-	fmuld	%f36,%f0,%f36
-!39
-!!!
-	ldd	[%i4+80],%f44
-	faddd	%f20,%f22,%f20
-!40
-!!!
-	ldd	[%i1+96],%f48
-	fmuld	%f58,%f24,%f52
-!41
-!!!
-	ldd	[%i4+96],%f50
-	fdtox	%f4,%f4
-	fmuld	%f42,%f24,%f42
-!42
-!!!
-	std	%f56,[%o2+64]	! yes, tmp52!
-	faddd	%f32,%f36,%f32
-	fmuld	%f44,%f0,%f44
-!43
-!!!
-	ldd	[%o2+96],%f22
-	fmuld	%f48,%f24,%f48
-!44
-!!!
-	ldd	[%o2+128],%f36
-	fmovd	%f6,%f24
-	fmuld	%f50,%f0,%f50
-!45
-!!!
-	fxtod	%f4,%f4
-	fmuld	%f60,%f0,%f56
-!46
-!!!
-	add	%o2,8,%o2
-	faddd	%f42,%f44,%f42
-!47
-!!!
-	ldd	[%o2+160-8],%f44
-	faddd	%f20,%f22,%f20
-!48
-!!!
-	std	%f20,[%o2+96-8]
-	faddd	%f48,%f50,%f48
-!49
-!!!
-	ldd	[%o2+192-8],%f50
-	faddd	%f52,%f56,%f52
-	fmuld	%f4,%f16,%f4
-!50
-!!!
-	ldd	[%o2+224-8],%f56
-	faddd	%f32,%f36,%f32
-!51
-!!!
-	std	%f32,[%o2+128-8]
-	faddd	%f42,%f44,%f42
-!52
-	add	%o3,1,%o3
-	std	%f42,[%o2+160-8]
-	faddd	%f48,%f50,%f48
-!53
-!!!
-	cmp	%o3,31
-	std	%f48,[%o2+192-8]
-	faddd	%f52,%f56,%f52
-!54
-	std	%f52,[%o2+224-8]
-	ble,pt	%icc,.L99999999
-	fsubd	%f12,%f4,%f0
-
-
-
-!55
-	std %f8,[%o2]
-
-	
-	
-	
-	
-	
-	                                   .L77000285:		/* frequency 1.0 confidence 0.0 */
-/* 0x07a8	 279 ( 0  1) */		sll	%g1,4,%g2
-                                   .L900000748:		/* frequency 1.0 confidence 0.0 */
-/* 0x07ac	 279 ( 0  3) */		ldd	[%g5+%g2],%f0
-/* 0x07b0	     ( 0  1) */		add	%g5,%g2,%i1
-/* 0x07b4	     ( 0  1) */		or	%g0,0,%o4
-/* 0x07b8	 206 ( 1  4) */		ld	[%fp+68],%o0
-/* 0x07bc	 279 ( 1  2) */		or	%g0,0,%i0
-/* 0x07c0	     ( 1  2) */		cmp	%g1,0
-/* 0x07c4	     ( 2  5) */		fdtox	%f0,%f0
-/* 0x07c8	     ( 2  3) */		std	%f0,[%sp+120]
-/* 0x07cc	 275 ( 2  3) */		sethi	%hi(0xfc00),%o1
-/* 0x07d0	 206 ( 3  4) */		or	%g0,%o0,%o3
-/* 0x07d4	 275 ( 3  4) */		sub	%g1,1,%g4
-/* 0x07d8	 279 ( 4  7) */		ldd	[%i1+8],%f0
-/* 0x07dc	     ( 4  5) */		or	%g0,%o0,%g5
-/* 0x07e0	     ( 4  5) */		add	%o1,1023,%o1
-/* 0x07e4	     ( 6  9) */		fdtox	%f0,%f0
-/* 0x07e8	     ( 6  7) */		std	%f0,[%sp+112]
-/* 0x07ec	     (10 12) */		ldx	[%sp+112],%o5
-/* 0x07f0	     (11 13) */		ldx	[%sp+120],%o7
-/* 0x07f4	     (11 12) */		ble,pt	%icc,.L900000746	! tprob=0.56
-/* 0x07f8	     (11 12) */		sethi	%hi(0xfc00),%g2
-/* 0x07fc	 275 (12 13) */		or	%g0,-1,%g2
-/* 0x0800	 279 (12 13) */		cmp	%g1,3
-/* 0x0804	 275 (13 14) */		srl	%g2,0,%o2
-/* 0x0808	 279 (13 14) */		bl,pn	%icc,.L77000286	! tprob=0.44
-/* 0x080c	     (13 14) */		or	%g0,%i1,%g2
-/* 0x0810	     (14 17) */		ldd	[%i1+16],%f0
-/* 0x0814	     (14 15) */		and	%o5,%o1,%o0
-/* 0x0818	     (14 15) */		add	%i1,16,%g2
-/* 0x081c	     (15 16) */		sllx	%o0,16,%g3
-/* 0x0820	     (15 16) */		and	%o7,%o2,%o0
-/* 0x0824	     (16 19) */		fdtox	%f0,%f0
-/* 0x0828	     (16 17) */		std	%f0,[%sp+104]
-/* 0x082c	     (16 17) */		add	%o0,%g3,%o4
-/* 0x0830	     (17 20) */		ldd	[%i1+24],%f2
-/* 0x0834	     (17 18) */		srax	%o5,16,%o0
-/* 0x0838	     (17 18) */		add	%o3,4,%g5
-/* 0x083c	     (18 19) */		stx	%o0,[%sp+128]
-/* 0x0840	     (18 19) */		and	%o4,%o2,%o0
-/* 0x0844	     (18 19) */		or	%g0,1,%i0
-/* 0x0848	     (19 20) */		stx	%o0,[%sp+112]
-/* 0x084c	     (19 20) */		srax	%o4,32,%o0
-/* 0x0850	     (19 22) */		fdtox	%f2,%f0
-/* 0x0854	     (20 21) */		stx	%o0,[%sp+136]
-/* 0x0858	     (20 21) */		srax	%o7,32,%o4
-/* 0x085c	     (21 22) */		std	%f0,[%sp+96]
-/* 0x0860	     (22 24) */		ldx	[%sp+136],%o7
-/* 0x0864	     (23 25) */		ldx	[%sp+128],%o0
-/* 0x0868	     (25 27) */		ldx	[%sp+104],%g3
-/* 0x086c	     (25 26) */		add	%o0,%o7,%o0
-/* 0x0870	     (26 28) */		ldx	[%sp+112],%o7
-/* 0x0874	     (26 27) */		add	%o4,%o0,%o4
-/* 0x0878	     (27 29) */		ldx	[%sp+96],%o5
-/* 0x087c	     (28 29) */		st	%o7,[%o3]
-/* 0x0880	     (28 29) */		or	%g0,%g3,%o7
-                                   .L900000730:		/* frequency 64.0 confidence 0.0 */
-/* 0x0884	     (17 19) */		ldd	[%g2+16],%f0
-/* 0x0888	     (17 18) */		add	%i0,1,%i0
-/* 0x088c	     (17 18) */		add	%g5,4,%g5
-/* 0x0890	     (18 18) */		cmp	%i0,%g4
-/* 0x0894	     (18 19) */		add	%g2,16,%g2
-/* 0x0898	     (19 22) */		fdtox	%f0,%f0
-/* 0x089c	     (20 21) */		std	%f0,[%sp+104]
-/* 0x08a0	     (21 23) */		ldd	[%g2+8],%f0
-/* 0x08a4	     (23 26) */		fdtox	%f0,%f0
-/* 0x08a8	     (24 25) */		std	%f0,[%sp+96]
-/* 0x08ac	     (25 26) */		and	%o5,%o1,%g3
-/* 0x08b0	     (26 27) */		sllx	%g3,16,%g3
-/* 0x08b4	     ( 0  0) */		stx	%g3,[%sp+120]
-/* 0x08b8	     (26 27) */		and	%o7,%o2,%g3
-/* 0x08bc	     ( 0  0) */		stx	%o7,[%sp+128]
-/* 0x08c0	     ( 0  0) */		ldx	[%sp+120],%o7
-/* 0x08c4	     (27 27) */		add	%g3,%o7,%g3
-/* 0x08c8	     ( 0  0) */		ldx	[%sp+128],%o7
-/* 0x08cc	     (28 29) */		srax	%o5,16,%o5
-/* 0x08d0	     (28 28) */		add	%g3,%o4,%g3
-/* 0x08d4	     (29 30) */		srax	%g3,32,%o4
-/* 0x08d8	     ( 0  0) */		stx	%o4,[%sp+112]
-/* 0x08dc	     (30 31) */		srax	%o7,32,%o4
-/* 0x08e0	     ( 0  0) */		ldx	[%sp+112],%o7
-/* 0x08e4	     (30 31) */		add	%o5,%o7,%o7
-/* 0x08e8	     (31 33) */		ldx	[%sp+96],%o5
-/* 0x08ec	     (31 32) */		add	%o4,%o7,%o4
-/* 0x08f0	     (32 33) */		and	%g3,%o2,%g3
-/* 0x08f4	     ( 0  0) */		ldx	[%sp+104],%o7
-/* 0x08f8	     (33 34) */		ble,pt	%icc,.L900000730	! tprob=0.50
-/* 0x08fc	     (33 34) */		st	%g3,[%g5-4]
-                                   .L900000733:		/* frequency 8.0 confidence 0.0 */
-/* 0x0900	     ( 0  1) */		ba	.L900000746	! tprob=1.00
-/* 0x0904	     ( 0  1) */		sethi	%hi(0xfc00),%g2
-                                   .L77000286:		/* frequency 0.7 confidence 0.0 */
-/* 0x0908	     ( 0  3) */		ldd	[%g2+16],%f0
-                                   .L900000745:		/* frequency 6.4 confidence 0.0 */
-/* 0x090c	     ( 0  1) */		and	%o7,%o2,%o0
-/* 0x0910	     ( 0  1) */		and	%o5,%o1,%g3
-/* 0x0914	     ( 0  3) */		fdtox	%f0,%f0
-/* 0x0918	     ( 1  2) */		add	%o4,%o0,%o0
-/* 0x091c	     ( 1  2) */		std	%f0,[%sp+104]
-/* 0x0920	     ( 1  2) */		add	%i0,1,%i0
-/* 0x0924	     ( 2  3) */		sllx	%g3,16,%o4
-/* 0x0928	     ( 2  5) */		ldd	[%g2+24],%f2
-/* 0x092c	     ( 2  3) */		add	%g2,16,%g2
-/* 0x0930	     ( 3  4) */		add	%o0,%o4,%o4
-/* 0x0934	     ( 3  4) */		cmp	%i0,%g4
-/* 0x0938	     ( 4  5) */		srax	%o5,16,%o0
-/* 0x093c	     ( 4  5) */		stx	%o0,[%sp+112]
-/* 0x0940	     ( 4  5) */		and	%o4,%o2,%g3
-/* 0x0944	     ( 5  6) */		srax	%o4,32,%o5
-/* 0x0948	     ( 5  8) */		fdtox	%f2,%f0
-/* 0x094c	     ( 5  6) */		std	%f0,[%sp+96]
-/* 0x0950	     ( 6  7) */		srax	%o7,32,%o4
-/* 0x0954	     ( 6  8) */		ldx	[%sp+112],%o7
-/* 0x0958	     ( 8  9) */		add	%o7,%o5,%o7
-/* 0x095c	     ( 9 11) */		ldx	[%sp+104],%o5
-/* 0x0960	     ( 9 10) */		add	%o4,%o7,%o4
-/* 0x0964	     (10 12) */		ldx	[%sp+96],%o0
-/* 0x0968	     (11 12) */		st	%g3,[%g5]
-/* 0x096c	     (11 12) */		or	%g0,%o5,%o7
-/* 0x0970	     (11 12) */		add	%g5,4,%g5
-/* 0x0974	     (12 13) */		or	%g0,%o0,%o5
-/* 0x0978	     (12 13) */		ble,a,pt	%icc,.L900000745	! tprob=0.86
-/* 0x097c	     (12 15) */		ldd	[%g2+16],%f0
-                                   .L77000236:		/* frequency 1.0 confidence 0.0 */
-/* 0x0980	     ( 0  1) */		sethi	%hi(0xfc00),%g2
-                                   .L900000746:		/* frequency 1.0 confidence 0.0 */
-/* 0x0984	     ( 0  1) */		or	%g0,-1,%o0
-/* 0x0988	     ( 0  1) */		add	%g2,1023,%g2
-/* 0x098c	     ( 0  3) */		ld	[%fp+88],%o1
-/* 0x0990	     ( 1  2) */		srl	%o0,0,%g3
-/* 0x0994	     ( 1  2) */		and	%o5,%g2,%g2
-/* 0x0998	     ( 2  3) */		and	%o7,%g3,%g4
-/* 0x099c	 281 ( 2  3) */		or	%g0,-1,%o5
-/* 0x09a0	 275 ( 3  4) */		sllx	%g2,16,%g2
-/* 0x09a4	     ( 3  4) */		add	%o4,%g4,%g4
-/* 0x09a8	     ( 4  5) */		add	%g4,%g2,%g2
-/* 0x09ac	     ( 5  6) */		sll	%i0,2,%g4
-/* 0x09b0	     ( 5  6) */		and	%g2,%g3,%g2
-/* 0x09b4	     ( 6  7) */		st	%g2,[%o3+%g4]
-/* 0x09b8	 281 ( 6  7) */		sll	%g1,2,%g2
-/* 0x09bc	     ( 7 10) */		ld	[%o3+%g2],%g2
-/* 0x09c0	     ( 9 10) */		cmp	%g2,0
-/* 0x09c4	     ( 9 10) */		bleu,pn	%icc,.L77000241	! tprob=0.50
-/* 0x09c8	     ( 9 10) */		or	%g0,%o1,%o2
-/* 0x09cc	     (10 11) */		ba	.L900000744	! tprob=1.00
-/* 0x09d0	     (10 11) */		cmp	%o5,0
-                                   .L77000241:		/* frequency 0.8 confidence 0.0 */
-/* 0x09d4	     ( 0  1) */		subcc	%g1,1,%o5
-/* 0x09d8	     ( 0  1) */		bneg,pt	%icc,.L900000744	! tprob=0.60
-/* 0x09dc	     ( 1  2) */		cmp	%o5,0
-/* 0x09e0	     ( 1  2) */		sll	%o5,2,%g2
-/* 0x09e4	     ( 2  3) */		add	%o1,%g2,%o0
-/* 0x09e8	     ( 2  3) */		add	%o3,%g2,%o4
-/* 0x09ec	     ( 3  6) */		ld	[%o0],%g2
-                                   .L900000743:		/* frequency 5.3 confidence 0.0 */
-/* 0x09f0	     ( 0  3) */		ld	[%o4],%g3
-/* 0x09f4	     ( 0  1) */		add	%o0,4,%o0
-/* 0x09f8	     ( 0  1) */		add	%o4,4,%o4
-/* 0x09fc	     ( 2  3) */		cmp	%g3,%g2
-/* 0x0a00	     ( 2  3) */		bne,pn	%icc,.L77000244	! tprob=0.16
-/* 0x0a04	     ( 2  3) */		nop
-/* 0x0a08	     ( 3  4) */		addcc	%o5,1,%o5
-/* 0x0a0c	     ( 3  4) */		bpos,a,pt	%icc,.L900000743	! tprob=0.84
-/* 0x0a10	     ( 3  6) */		ld	[%o0],%g2
-                                   .L77000244:		/* frequency 1.0 confidence 0.0 */
-/* 0x0a14	     ( 0  1) */		cmp	%o5,0
-                                   .L900000744:		/* frequency 1.0 confidence 0.0 */
-/* 0x0a18	     ( 0  1) */		bl,pn	%icc,.L77000287	! tprob=0.50
-/* 0x0a1c	     ( 0  1) */		sll	%o5,2,%g2
-/* 0x0a20	     ( 1  4) */		ld	[%o2+%g2],%g3
-/* 0x0a24	     ( 2  5) */		ld	[%o3+%g2],%g2
-/* 0x0a28	     ( 4  5) */		cmp	%g2,%g3
-/* 0x0a2c	     ( 4  5) */		bleu,pt	%icc,.L77000224	! tprob=0.56
-/* 0x0a30	     ( 4  5) */		nop
-                                   .L77000287:		/* frequency 0.8 confidence 0.0 */
-/* 0x0a34	     ( 0  1) */		cmp	%g1,0
-/* 0x0a38	     ( 0  1) */		ble,pt	%icc,.L77000224	! tprob=0.60
-/* 0x0a3c	     ( 0  1) */		nop
-/* 0x0a40	 281 ( 1  2) */		sub	%g1,1,%o7
-/* 0x0a44	     ( 1  2) */		or	%g0,-1,%g2
-/* 0x0a48	     ( 2  3) */		srl	%g2,0,%o4
-/* 0x0a4c	     ( 2  3) */		add	%o7,1,%o0
-/* 0x0a50	 279 ( 3  4) */		or	%g0,0,%o5
-/* 0x0a54	     ( 3  4) */		or	%g0,0,%g1
-/* 0x0a58	     ( 4  5) */		cmp	%o0,3
-/* 0x0a5c	     ( 4  5) */		bl,pn	%icc,.L77000288	! tprob=0.40
-/* 0x0a60	     ( 4  5) */		add	%o3,8,%o1
-/* 0x0a64	     ( 5  6) */		add	%o2,4,%o0
-/* 0x0a68	     ( 5  8) */		ld	[%o1-8],%g2
-/* 0x0a6c	   0 ( 5  6) */		or	%g0,%o1,%o3
-/* 0x0a70	 279 ( 6  9) */		ld	[%o0-4],%g3
-/* 0x0a74	   0 ( 6  7) */		or	%g0,%o0,%o2
-/* 0x0a78	 279 ( 6  7) */		or	%g0,2,%g1
-/* 0x0a7c	     ( 7 10) */		ld	[%o3-4],%o0
-/* 0x0a80	     ( 8  9) */		sub	%g2,%g3,%g2
-/* 0x0a84	     ( 9 10) */		or	%g0,%g2,%o5
-/* 0x0a88	     ( 9 10) */		and	%g2,%o4,%g2
-/* 0x0a8c	     ( 9 10) */		st	%g2,[%o3-8]
-/* 0x0a90	     (10 11) */		srax	%o5,32,%o5
-                                   .L900000734:		/* frequency 64.0 confidence 0.0 */
-/* 0x0a94	     (12 20) */		ld	[%o2],%g2
-/* 0x0a98	     (12 13) */		add	%g1,1,%g1
-/* 0x0a9c	     (12 13) */		add	%o2,4,%o2
-/* 0x0aa0	     (13 13) */		cmp	%g1,%o7
-/* 0x0aa4	     (13 14) */		add	%o3,4,%o3
-/* 0x0aa8	     (14 14) */		sub	%o0,%g2,%o0
-/* 0x0aac	     (15 15) */		add	%o0,%o5,%o5
-/* 0x0ab0	     (16 17) */		and	%o5,%o4,%g2
-/* 0x0ab4	     (16 24) */		ld	[%o3-4],%o0
-/* 0x0ab8	     (17 18) */		st	%g2,[%o3-8]
-/* 0x0abc	     (17 18) */		ble,pt	%icc,.L900000734	! tprob=0.50
-/* 0x0ac0	     (17 18) */		srax	%o5,32,%o5
-                                   .L900000737:		/* frequency 8.0 confidence 0.0 */
-/* 0x0ac4	     ( 0  3) */		ld	[%o2],%o1
-/* 0x0ac8	     ( 2  3) */		sub	%o0,%o1,%o0
-/* 0x0acc	     ( 3  4) */		add	%o0,%o5,%o0
-/* 0x0ad0	     ( 4  5) */		and	%o0,%o4,%o1
-/* 0x0ad4	     ( 4  5) */		st	%o1,[%o3-4]
-/* 0x0ad8	     ( 5  7) */		ret	! Result = 
-/* 0x0adc	     ( 7  8) */		restore	%g0,%g0,%g0
-                                   .L77000288:		/* frequency 0.6 confidence 0.0 */
-/* 0x0ae0	     ( 0  3) */		ld	[%o3],%o0
-                                   .L900000742:		/* frequency 5.3 confidence 0.0 */
-/* 0x0ae4	     ( 0  3) */		ld	[%o2],%o1
-/* 0x0ae8	     ( 0  1) */		add	%o5,%o0,%o0
-/* 0x0aec	     ( 0  1) */		add	%g1,1,%g1
-/* 0x0af0	     ( 1  2) */		add	%o2,4,%o2
-/* 0x0af4	     ( 1  2) */		cmp	%g1,%o7
-/* 0x0af8	     ( 2  3) */		sub	%o0,%o1,%o0
-/* 0x0afc	     ( 3  4) */		and	%o0,%o4,%o1
-/* 0x0b00	     ( 3  4) */		st	%o1,[%o3]
-/* 0x0b04	     ( 3  4) */		add	%o3,4,%o3
-/* 0x0b08	     ( 4  5) */		srax	%o0,32,%o5
-/* 0x0b0c	     ( 4  5) */		ble,a,pt	%icc,.L900000742	! tprob=0.84
-/* 0x0b10	     ( 4  7) */		ld	[%o3],%o0
-                                   .L77000224:		/* frequency 1.0 confidence 0.0 */
-/* 0x0b14	     ( 0  2) */		ret	! Result = 
-/* 0x0b18	     ( 2  3) */		restore	%g0,%g0,%g0
-/* 0x0b1c	   0 ( 0  0) */		.type	mont_mulf_noconv,2
-/* 0x0b1c	     ( 0  0) */		.size	mont_mulf_noconv,(.-mont_mulf_noconv)
-
diff --git a/security/nss/lib/freebl/mpi/montmulfv8.il b/security/nss/lib/freebl/mpi/montmulfv8.il
deleted file mode 100644
index 27ce26a77..000000000
--- a/security/nss/lib/freebl/mpi/montmulfv8.il
+++ /dev/null
@@ -1,141 +0,0 @@
-!  
-! ***** BEGIN LICENSE BLOCK *****
-! Version: MPL 1.1/GPL 2.0/LGPL 2.1
-!
-! The contents of this file are subject to the Mozilla Public License Version
-! 1.1 (the "License"); you may not use this file except in compliance with
-! the License. You may obtain a copy of the License at
-! http://www.mozilla.org/MPL/
-!
-! Software distributed under the License is distributed on an "AS IS" basis,
-! WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-! for the specific language governing rights and limitations under the
-! License.
-!
-! The Original Code is inline macros for SPARC Montgomery multiply functions.
-!
-! The Initial Developer of the Original Code is
-! Sun Microsystems Inc.
-! Portions created by the Initial Developer are Copyright (C) 1999-2000
-! the Initial Developer. All Rights Reserved.
-!
-! Contributor(s):
-!
-! Alternatively, the contents of this file may be used under the terms of
-! either the GNU General Public License Version 2 or later (the "GPL"), or
-! the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-! in which case the provisions of the GPL or the LGPL are applicable instead
-! of those above. If you wish to allow use of your version of this file only
-! under the terms of either the GPL or the LGPL, and not to allow others to
-! use your version of this file under the terms of the MPL, indicate your
-! decision by deleting the provisions above and replace them with the notice
-! and other provisions required by the GPL or the LGPL. If you do not delete
-! the provisions above, a recipient may use your version of this file under
-! the terms of any one of the MPL, the GPL or the LGPL.
-!
-! ***** END LICENSE BLOCK *****
-! $Id$
-
-!
-! double upper32(double /*frs1*/);
-!
-        .inline upper32,8
-        std     %o0,[%sp+0x48]
-        ldd     [%sp+0x48],%f10
-
-	fdtox	%f10,%f10
-	fitod	%f10,%f0
-        .end
-
-!
-! double lower32(double /*frs1*/, double /* Zero */);
-!
-        .inline lower32,8
-        std     %o0,[%sp+0x48]
-        ldd     [%sp+0x48],%f10
-        std     %o2,[%sp+0x48]
-        ldd     [%sp+0x48],%f12
-
-	fdtox	%f10,%f10
-	fmovs	%f12,%f10
-	fxtod	%f10,%f0
-        .end
-
-!
-! double mod(double /*x*/, double /*1/m*/, double /*m*/);
-!
-        .inline mod,12
-        std     %o0,[%sp+0x48]
-        ldd     [%sp+0x48],%f2
-        std     %o2,[%sp+0x48]
-        ldd     [%sp+0x48],%f4
-        std     %o4,[%sp+0x48]
-        ldd     [%sp+0x48],%f6
-
-	fmuld	%f2,%f4,%f4
-	fdtox	%f4,%f4
-	fxtod	%f4,%f4
-	fmuld	%f4,%f6,%f4
-	fsubd	%f2,%f4,%f0
-        .end
-
-
-!
-! void i16_to_d16_and_d32x4(double * /*1/(2^16)*/, double * /* 2^16*/,
-!			    double * /* 0 */,
-!			    double * /*result16*/, double * /* result32 */
-!			    float *  /*source - should be unsigned int*
-!		            	       converted to float* */);
-!
-        .inline i16_to_d16_and_d32x4,24
-        ldd     [%o0],%f2  ! 1/(2^16)
-        ldd     [%o1],%f4  ! 2^16
-	ldd	[%o2],%f22
-
-	fmovd	%f22,%f6
-	ld	[%o5],%f7
-	fmovd	%f22,%f10
-	ld	[%o5+4],%f11
-	fmovd	%f22,%f14
-	ld	[%o5+8],%f15
-	fmovd	%f22,%f18
-	ld	[%o5+12],%f19
-	fxtod	%f6,%f6
-	std	%f6,[%o4]
-	fxtod	%f10,%f10
-	std	%f10,[%o4+8]
-	fxtod	%f14,%f14
-	std	%f14,[%o4+16]
-	fxtod	%f18,%f18
-	std	%f18,[%o4+24]
-	fmuld	%f2,%f6,%f8
-	fmuld	%f2,%f10,%f12
-	fmuld	%f2,%f14,%f16
-	fmuld	%f2,%f18,%f20
-	fdtox	%f8,%f8
-	fdtox	%f12,%f12
-	fdtox	%f16,%f16
-	fdtox	%f20,%f20
-	fxtod	%f8,%f8
-	std	%f8,[%o3+8]
-	fxtod	%f12,%f12
-	std	%f12,[%o3+24]
-	fxtod	%f16,%f16
-	std	%f16,[%o3+40]
-	fxtod	%f20,%f20
-	std	%f20,[%o3+56]
-	fmuld	%f8,%f4,%f8
-	fmuld	%f12,%f4,%f12
-	fmuld	%f16,%f4,%f16
-	fmuld	%f20,%f4,%f20
-	fsubd	%f6,%f8,%f8
-	std	%f8,[%o3]
-	fsubd	%f10,%f12,%f12
-	std	%f12,[%o3+16]
-	fsubd	%f14,%f16,%f16
-	std	%f16,[%o3+32]
-	fsubd	%f18,%f20,%f20
-	std	%f20,[%o3+48]
-        .end
-
-
diff --git a/security/nss/lib/freebl/mpi/montmulfv8.s b/security/nss/lib/freebl/mpi/montmulfv8.s
deleted file mode 100644
index ac74a530d..000000000
--- a/security/nss/lib/freebl/mpi/montmulfv8.s
+++ /dev/null
@@ -1,1847 +0,0 @@
-!  
-!  The contents of this file are subject to the Mozilla Public
-!  License Version 1.1 (the "License"); you may not use this file
-!  except in compliance with the License. You may obtain a copy of
-!  the License at http://www.mozilla.org/MPL/
-!  
-!  Software distributed under the License is distributed on an "AS
-!  IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-!  implied. See the License for the specific language governing
-!  rights and limitations under the License.
-!  
-!  The Original Code is SPARC hand-optimized Montgomery multiply functions.
-!   
-!  The Initial Developer of the Original Code is Sun Microsystems Inc.
-!  Portions created by Sun Microsystems Inc. are 
-!  Copyright (C) 1999-2000 Sun Microsystems Inc.  All Rights Reserved.
-!  
-!  Contributor(s):
-!  
-!  Alternatively, the contents of this file may be used under the
-!  terms of the GNU General Public License Version 2 or later (the
-!  "GPL"), in which case the provisions of the GPL are applicable 
-!  instead of those above.	If you wish to allow use of your 
-!  version of this file only under the terms of the GPL and not to
-!  allow others to use your version of this file under the MPL,
-!  indicate your decision by deleting the provisions above and
-!  replace them with the notice and other provisions required by
-!  the GPL.  If you do not delete the provisions above, a recipient
-!  may use your version of this file under either the MPL or the
-!  GPL.
-!  
-!   $Id$
-!  
-
-	.section	".text",#alloc,#execinstr
-	.file	"montmulf.c"
-
-	.section	".rodata",#alloc
-	.global	TwoTo16
-	.align	8
-!
-! CONSTANT POOL
-!
-	.global TwoTo16
-TwoTo16:
-	.word	1089470464
-	.word	0
-	.type	TwoTo16,#object
-	.size	TwoTo16,8
-	.global	TwoToMinus16
-!
-! CONSTANT POOL
-!
-	.global TwoToMinus16
-TwoToMinus16:
-	.word	1055916032
-	.word	0
-	.type	TwoToMinus16,#object
-	.size	TwoToMinus16,8
-	.global	Zero
-!
-! CONSTANT POOL
-!
-	.global Zero
-Zero:
-	.word	0
-	.word	0
-	.type	Zero,#object
-	.size	Zero,8
-	.global	TwoTo32
-!
-! CONSTANT POOL
-!
-	.global TwoTo32
-TwoTo32:
-	.word	1106247680
-	.word	0
-	.type	TwoTo32,#object
-	.size	TwoTo32,8
-	.global	TwoToMinus32
-!
-! CONSTANT POOL
-!
-	.global TwoToMinus32
-TwoToMinus32:
-	.word	1039138816
-	.word	0
-	.type	TwoToMinus32,#object
-	.size	TwoToMinus32,8
-
-	.section	".text",#alloc,#execinstr
-/* 000000	   0 */		.align	4
-!
-! SUBROUTINE conv_d16_to_i32
-!
-! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
-
-                       	.global conv_d16_to_i32
-                       conv_d16_to_i32:
-/* 000000	     */		save	%sp,-128,%sp
-! FILE montmulf.c
-
-!   36		      !#define RF_INLINE_MACROS
-!   38		      !static const double TwoTo16=65536.0;
-!   39		      !static const double TwoToMinus16=1.0/65536.0;
-!   40		      !static const double Zero=0.0;
-!   41		      !static const double TwoTo32=65536.0*65536.0;
-!   42		      !static const double TwoToMinus32=1.0/(65536.0*65536.0);
-!   44		      !#ifdef RF_INLINE_MACROS
-!   46		      !double upper32(double);
-!   47		      !double lower32(double, double);
-!   48		      !double mod(double, double, double);
-!   50		      !void i16_to_d16_and_d32x4(const double * /*1/(2^16)*/, 
-!   51		      !			  const double * /* 2^16*/,
-!   52		      !			  const double * /* 0 */,
-!   53		      !			  double *       /*result16*/, 
-!   54		      !			  double *       /* result32 */,
-!   55		      !			  float *  /*source - should be unsigned int*
-!   56		      !		          	       converted to float* */);
-!   58		      !#else
-!   60		      !static double upper32(double x)
-!   61		      !{
-!   62		      !  return floor(x*TwoToMinus32);
-!   63		      !}
-!   65		      !static double lower32(double x, double y)
-!   66		      !{
-!   67		      !  return x-TwoTo32*floor(x*TwoToMinus32);
-!   68		      !}
-!   70		      !static double mod(double x, double oneoverm, double m)
-!   71		      !{
-!   72		      !  return x-m*floor(x*oneoverm);
-!   73		      !}
-!   75		      !#endif
-!   78		      !static void cleanup(double *dt, int from, int tlen)
-!   79		      !{
-!   80		      ! int i;
-!   81		      ! double tmp,tmp1,x,x1;
-!   83		      ! tmp=tmp1=Zero;
-!   84		      ! /* original code **
-!   85		      ! for(i=2*from;i<2*tlen-2;i++)
-!   86		      !   {
-!   87		      !     x=dt[i];
-!   88		      !     dt[i]=lower32(x,Zero)+tmp1;
-!   89		      !     tmp1=tmp;
-!   90		      !     tmp=upper32(x);
-!   91		      !   }
-!   92		      ! dt[tlen-2]+=tmp1;
-!   93		      ! dt[tlen-1]+=tmp;
-!   94		      ! **end original code ***/
-!   95		      ! /* new code ***/
-!   96		      ! for(i=2*from;i<2*tlen;i+=2)
-!   97		      !   {
-!   98		      !     x=dt[i];
-!   99		      !     x1=dt[i+1];
-!  100		      !     dt[i]=lower32(x,Zero)+tmp;
-!  101		      !     dt[i+1]=lower32(x1,Zero)+tmp1;
-!  102		      !     tmp=upper32(x);
-!  103		      !     tmp1=upper32(x1);
-!  104		      !   }
-!  105		      !  /** end new code **/
-!  106		      !}
-!  109		      !void conv_d16_to_i32(unsigned int *i32, double *d16, long long *tmp, int ilen)
-!  110		      !{
-!  111		      !int i;
-!  112		      !long long t, t1, a, b, c, d;
-!  114		      ! t1=0;
-!  115		      ! a=(long long)d16[0];
-
-/* 0x0004	 115 */		ldd	[%i1],%f0
-/* 0x0008	 110 */		or	%g0,%i1,%o0
-
-!  116		      ! b=(long long)d16[1];
-!  117		      ! for(i=0; i<ilen-1; i++)
-
-/* 0x000c	 117 */		sub	%i3,1,%g2
-/* 0x0010	     */		cmp	%g2,0
-/* 0x0014	 114 */		or	%g0,0,%o4
-/* 0x0018	 115 */		fdtox	%f0,%f0
-/* 0x001c	     */		std	%f0,[%sp+120]
-/* 0x0020	 117 */		or	%g0,0,%o7
-/* 0x0024	 110 */		or	%g0,%i3,%o1
-/* 0x0028	     */		sub	%i3,2,%o2
-/* 0x002c	 116 */		ldd	[%o0+8],%f0
-/* 0x0030	 110 */		sethi	%hi(0xfc00),%o1
-/* 0x0034	     */		add	%o2,1,%g3
-/* 0x0038	     */		add	%o1,1023,%o1
-/* 0x003c	     */		or	%g0,%i0,%o5
-/* 0x0040	 116 */		fdtox	%f0,%f0
-/* 0x0044	     */		std	%f0,[%sp+112]
-/* 0x0048	     */		ldx	[%sp+112],%g1
-/* 0x004c	 115 */		ldx	[%sp+120],%g4
-/* 0x0050	 117 */		ble,pt	%icc,.L900000117
-/* 0x0054	     */		sethi	%hi(0xfc00),%g2
-/* 0x0058	 110 */		or	%g0,-1,%g2
-/* 0x005c	 117 */		cmp	%g3,3
-/* 0x0060	 110 */		srl	%g2,0,%o3
-/* 0x0064	 117 */		bl,pn	%icc,.L77000134
-/* 0x0068	     */		or	%g0,%o0,%g2
-
-!  118		      !   {
-!  119		      !     c=(long long)d16[2*i+2];
-
-/* 0x006c	 119 */		ldd	[%o0+16],%f0
-
-!  120		      !     t1+=a&0xffffffff;
-!  121		      !     t=(a>>32);
-!  122		      !     d=(long long)d16[2*i+3];
-!  123		      !     t1+=(b&0xffff)<<16;
-!  124		      !     t+=(b>>16)+(t1>>32);
-!  125		      !     i32[i]=t1&0xffffffff;
-!  126		      !     t1=t;
-!  127		      !     a=c;
-!  128		      !     b=d;
-
-/* 0x0070	 128 */		add	%o0,16,%g2
-/* 0x0074	 123 */		and	%g1,%o1,%o0
-/* 0x0078	     */		sllx	%o0,16,%g3
-/* 0x007c	 120 */		and	%g4,%o3,%o0
-/* 0x0080	 117 */		add	%o0,%g3,%o4
-/* 0x0084	 119 */		fdtox	%f0,%f0
-/* 0x0088	     */		std	%f0,[%sp+104]
-/* 0x008c	 125 */		and	%o4,%o3,%g5
-/* 0x0090	 122 */		ldd	[%g2+8],%f2
-/* 0x0094	 128 */		add	%o5,4,%o5
-/* 0x0098	 124 */		srax	%o4,32,%o4
-/* 0x009c	     */		stx	%o4,[%sp+112]
-/* 0x00a0	 122 */		fdtox	%f2,%f0
-/* 0x00a4	     */		std	%f0,[%sp+96]
-/* 0x00a8	 124 */		srax	%g1,16,%o0
-/* 0x00ac	     */		ldx	[%sp+112],%o7
-/* 0x00b0	 121 */		srax	%g4,32,%o4
-/* 0x00b4	 124 */		add	%o0,%o7,%g4
-/* 0x00b8	 128 */		or	%g0,1,%o7
-/* 0x00bc	 119 */		ldx	[%sp+104],%g3
-/* 0x00c0	 124 */		add	%o4,%g4,%o4
-/* 0x00c4	 122 */		ldx	[%sp+96],%g1
-/* 0x00c8	 125 */		st	%g5,[%o5-4]
-/* 0x00cc	 127 */		or	%g0,%g3,%g4
-                       .L900000112:
-/* 0x00d0	 119 */		ldd	[%g2+16],%f0
-/* 0x00d4	 128 */		add	%o7,1,%o7
-/* 0x00d8	     */		add	%o5,4,%o5
-/* 0x00dc	     */		cmp	%o7,%o2
-/* 0x00e0	     */		add	%g2,16,%g2
-/* 0x00e4	 119 */		fdtox	%f0,%f0
-/* 0x00e8	     */		std	%f0,[%sp+104]
-/* 0x00ec	 122 */		ldd	[%g2+8],%f0
-/* 0x00f0	     */		fdtox	%f0,%f0
-/* 0x00f4	     */		std	%f0,[%sp+96]
-/* 0x00f8	 123 */		and	%g1,%o1,%g3
-/* 0x00fc	     */		sllx	%g3,16,%g5
-/* 0x0100	 120 */		and	%g4,%o3,%g3
-/* 0x0104	 117 */		add	%g3,%g5,%g3
-/* 0x0108	 124 */		srax	%g1,16,%g1
-/* 0x010c	 117 */		add	%g3,%o4,%g3
-/* 0x0110	 124 */		srax	%g3,32,%o4
-/* 0x0114	     */		stx	%o4,[%sp+112]
-/* 0x0118	 119 */		ldx	[%sp+104],%g5
-/* 0x011c	 121 */		srax	%g4,32,%o4
-/* 0x0120	 124 */		ldx	[%sp+112],%g4
-/* 0x0124	     */		add	%g1,%g4,%g4
-/* 0x0128	 122 */		ldx	[%sp+96],%g1
-/* 0x012c	 124 */		add	%o4,%g4,%o4
-/* 0x0130	 125 */		and	%g3,%o3,%g3
-/* 0x0134	 127 */		or	%g0,%g5,%g4
-/* 0x0138	 128 */		ble,pt	%icc,.L900000112
-/* 0x013c	     */		st	%g3,[%o5-4]
-                       .L900000115:
-/* 0x0140	 128 */		ba	.L900000117
-/* 0x0144	     */		sethi	%hi(0xfc00),%g2
-                       .L77000134:
-/* 0x0148	 119 */		ldd	[%g2+16],%f0
-                       .L900000116:
-/* 0x014c	 120 */		and	%g4,%o3,%o0
-/* 0x0150	 123 */		and	%g1,%o1,%g3
-/* 0x0154	 119 */		fdtox	%f0,%f0
-/* 0x0158	 120 */		add	%o4,%o0,%o0
-/* 0x015c	 119 */		std	%f0,[%sp+104]
-/* 0x0160	 128 */		add	%o7,1,%o7
-/* 0x0164	 123 */		sllx	%g3,16,%o4
-/* 0x0168	 122 */		ldd	[%g2+24],%f2
-/* 0x016c	 128 */		add	%g2,16,%g2
-/* 0x0170	 123 */		add	%o0,%o4,%o0
-/* 0x0174	 128 */		cmp	%o7,%o2
-/* 0x0178	 125 */		and	%o0,%o3,%g3
-/* 0x017c	 122 */		fdtox	%f2,%f0
-/* 0x0180	     */		std	%f0,[%sp+96]
-/* 0x0184	 124 */		srax	%o0,32,%o0
-/* 0x0188	     */		stx	%o0,[%sp+112]
-/* 0x018c	 121 */		srax	%g4,32,%o4
-/* 0x0190	 122 */		ldx	[%sp+96],%o0
-/* 0x0194	 124 */		srax	%g1,16,%g5
-/* 0x0198	     */		ldx	[%sp+112],%g4
-/* 0x019c	 119 */		ldx	[%sp+104],%g1
-/* 0x01a0	 125 */		st	%g3,[%o5]
-/* 0x01a4	 124 */		add	%g5,%g4,%g4
-/* 0x01a8	 128 */		add	%o5,4,%o5
-/* 0x01ac	 124 */		add	%o4,%g4,%o4
-/* 0x01b0	 127 */		or	%g0,%g1,%g4
-/* 0x01b4	 128 */		or	%g0,%o0,%g1
-/* 0x01b8	     */		ble,a,pt	%icc,.L900000116
-/* 0x01bc	     */		ldd	[%g2+16],%f0
-                       .L77000127:
-
-!  129		      !   }
-!  130		      !     t1+=a&0xffffffff;
-!  131		      !     t=(a>>32);
-!  132		      !     t1+=(b&0xffff)<<16;
-!  133		      !     i32[i]=t1&0xffffffff;
-
-/* 0x01c0	 133 */		sethi	%hi(0xfc00),%g2
-                       .L900000117:
-/* 0x01c4	 133 */		or	%g0,-1,%g3
-/* 0x01c8	     */		add	%g2,1023,%g2
-/* 0x01cc	     */		srl	%g3,0,%g3
-/* 0x01d0	     */		and	%g1,%g2,%g2
-/* 0x01d4	     */		and	%g4,%g3,%g4
-/* 0x01d8	     */		sllx	%g2,16,%g2
-/* 0x01dc	     */		add	%o4,%g4,%g4
-/* 0x01e0	     */		add	%g4,%g2,%g2
-/* 0x01e4	     */		sll	%o7,2,%g4
-/* 0x01e8	     */		and	%g2,%g3,%g2
-/* 0x01ec	     */		st	%g2,[%i0+%g4]
-/* 0x01f0	     */		ret	! Result = 
-/* 0x01f4	     */		restore	%g0,%g0,%g0
-/* 0x01f8	   0 */		.type	conv_d16_to_i32,2
-/* 0x01f8	     */		.size	conv_d16_to_i32,(.-conv_d16_to_i32)
-
-	.section	".text",#alloc,#execinstr
-/* 000000	   0 */		.align	8
-!
-! CONSTANT POOL
-!
-                       .L_const_seg_900000201:
-/* 000000	   0 */		.word	1127219200,0
-/* 0x0008	   0 */		.align	4
-/* 0x0008	     */		.skip	16
-!
-! SUBROUTINE conv_i32_to_d32
-!
-! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
-
-                       	.global conv_i32_to_d32
-                       conv_i32_to_d32:
-/* 000000	     */		or	%g0,%o7,%g2
-
-!  135		      !}
-!  137		      !void conv_i32_to_d32(double *d32, unsigned int *i32, int len)
-!  138		      !{
-!  139		      !int i;
-!  141		      !#pragma pipeloop(0)
-!  142		      ! for(i=0;i<len;i++) d32[i]=(double)(i32[i]);
-
-/* 0x0004	 142 */		cmp	%o2,0
-                       .L900000210:
-/* 0x0008	     */		call	.+8
-/* 0x000c	     */		sethi	/*X*/%hi(_GLOBAL_OFFSET_TABLE_-(.L900000210-.)),%g4
-/* 0x0010	 142 */		or	%g0,0,%o5
-/* 0x0014	 138 */		add	%g4,/*X*/%lo(_GLOBAL_OFFSET_TABLE_-(.L900000210-.)),%g4
-/* 0x0018	     */		or	%g0,%o0,%g5
-/* 0x001c	     */		add	%g4,%o7,%g1
-/* 0x0020	 142 */		ble,pt	%icc,.L77000140
-/* 0x0024	     */		or	%g0,%g2,%o7
-/* 0x0028	     */		sethi	%hi(.L_const_seg_900000201),%g2
-/* 0x002c	 138 */		or	%g0,%o1,%g4
-/* 0x0030	 142 */		add	%g2,%lo(.L_const_seg_900000201),%g2
-/* 0x0034	     */		sub	%o2,1,%g3
-/* 0x0038	     */		ld	[%g1+%g2],%g2
-/* 0x003c	     */		cmp	%o2,9
-/* 0x0040	     */		bl,pn	%icc,.L77000144
-/* 0x0044	     */		ldd	[%g2],%f8
-/* 0x0048	     */		add	%o1,16,%g4
-/* 0x004c	     */		sub	%o2,5,%g1
-/* 0x0050	     */		ld	[%o1],%f7
-/* 0x0054	     */		or	%g0,4,%o5
-/* 0x0058	     */		ld	[%o1+4],%f5
-/* 0x005c	     */		ld	[%o1+8],%f3
-/* 0x0060	     */		fmovs	%f8,%f6
-/* 0x0064	     */		ld	[%o1+12],%f1
-                       .L900000205:
-/* 0x0068	     */		ld	[%g4],%f11
-/* 0x006c	     */		add	%o5,5,%o5
-/* 0x0070	     */		add	%g4,20,%g4
-/* 0x0074	     */		fsubd	%f6,%f8,%f6
-/* 0x0078	     */		std	%f6,[%g5]
-/* 0x007c	     */		cmp	%o5,%g1
-/* 0x0080	     */		add	%g5,40,%g5
-/* 0x0084	     */		fmovs	%f8,%f4
-/* 0x0088	     */		ld	[%g4-16],%f7
-/* 0x008c	     */		fsubd	%f4,%f8,%f12
-/* 0x0090	     */		fmovs	%f8,%f2
-/* 0x0094	     */		std	%f12,[%g5-32]
-/* 0x0098	     */		ld	[%g4-12],%f5
-/* 0x009c	     */		fsubd	%f2,%f8,%f12
-/* 0x00a0	     */		fmovs	%f8,%f0
-/* 0x00a4	     */		std	%f12,[%g5-24]
-/* 0x00a8	     */		ld	[%g4-8],%f3
-/* 0x00ac	     */		fsubd	%f0,%f8,%f12
-/* 0x00b0	     */		fmovs	%f8,%f10
-/* 0x00b4	     */		std	%f12,[%g5-16]
-/* 0x00b8	     */		ld	[%g4-4],%f1
-/* 0x00bc	     */		fsubd	%f10,%f8,%f10
-/* 0x00c0	     */		fmovs	%f8,%f6
-/* 0x00c4	     */		ble,pt	%icc,.L900000205
-/* 0x00c8	     */		std	%f10,[%g5-8]
-                       .L900000208:
-/* 0x00cc	     */		fmovs	%f8,%f4
-/* 0x00d0	     */		add	%g5,32,%g5
-/* 0x00d4	     */		cmp	%o5,%g3
-/* 0x00d8	     */		fmovs	%f8,%f2
-/* 0x00dc	     */		fmovs	%f8,%f0
-/* 0x00e0	     */		fsubd	%f6,%f8,%f6
-/* 0x00e4	     */		std	%f6,[%g5-32]
-/* 0x00e8	     */		fsubd	%f4,%f8,%f4
-/* 0x00ec	     */		std	%f4,[%g5-24]
-/* 0x00f0	     */		fsubd	%f2,%f8,%f2
-/* 0x00f4	     */		std	%f2,[%g5-16]
-/* 0x00f8	     */		fsubd	%f0,%f8,%f0
-/* 0x00fc	     */		bg,pn	%icc,.L77000140
-/* 0x0100	     */		std	%f0,[%g5-8]
-                       .L77000144:
-/* 0x0104	     */		ld	[%g4],%f1
-                       .L900000211:
-/* 0x0108	     */		ldd	[%g2],%f8
-/* 0x010c	     */		add	%o5,1,%o5
-/* 0x0110	     */		add	%g4,4,%g4
-/* 0x0114	     */		cmp	%o5,%g3
-/* 0x0118	     */		fmovs	%f8,%f0
-/* 0x011c	     */		fsubd	%f0,%f8,%f0
-/* 0x0120	     */		std	%f0,[%g5]
-/* 0x0124	     */		add	%g5,8,%g5
-/* 0x0128	     */		ble,a,pt	%icc,.L900000211
-/* 0x012c	     */		ld	[%g4],%f1
-                       .L77000140:
-/* 0x0130	     */		retl	! Result = 
-/* 0x0134	     */		nop
-/* 0x0138	   0 */		.type	conv_i32_to_d32,2
-/* 0x0138	     */		.size	conv_i32_to_d32,(.-conv_i32_to_d32)
-
-	.section	".text",#alloc,#execinstr
-/* 000000	   0 */		.align	8
-!
-! CONSTANT POOL
-!
-                       .L_const_seg_900000301:
-/* 000000	   0 */		.word	1127219200,0
-/* 0x0008	   0 */		.align	4
-!
-! SUBROUTINE conv_i32_to_d16
-!
-! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
-
-                       	.global conv_i32_to_d16
-                       conv_i32_to_d16:
-/* 000000	     */		save	%sp,-104,%sp
-/* 0x0004	     */		or	%g0,%i2,%o0
-
-!  143		      !}
-!  146		      !void conv_i32_to_d16(double *d16, unsigned int *i32, int len)
-!  147		      !{
-!  148		      !int i;
-!  149		      !unsigned int a;
-!  151		      !#pragma pipeloop(0)
-!  152		      ! for(i=0;i<len;i++)
-!  153		      !   {
-!  154		      !     a=i32[i];
-!  155		      !     d16[2*i]=(double)(a&0xffff);
-!  156		      !     d16[2*i+1]=(double)(a>>16);
-
-/* 0x0008	 156 */		sethi	%hi(.L_const_seg_900000301),%g2
-                       .L900000310:
-/* 0x000c	     */		call	.+8
-/* 0x0010	     */		sethi	/*X*/%hi(_GLOBAL_OFFSET_TABLE_-(.L900000310-.)),%g3
-/* 0x0014	 152 */		cmp	%o0,0
-/* 0x0018	 147 */		add	%g3,/*X*/%lo(_GLOBAL_OFFSET_TABLE_-(.L900000310-.)),%g3
-/* 0x001c	 152 */		ble,pt	%icc,.L77000150
-/* 0x0020	     */		add	%g3,%o7,%o2
-/* 0x0024	     */		sub	%i2,1,%o5
-/* 0x0028	 156 */		add	%g2,%lo(.L_const_seg_900000301),%o1
-/* 0x002c	 152 */		sethi	%hi(0xfc00),%o0
-/* 0x0030	     */		ld	[%o2+%o1],%o3
-/* 0x0034	     */		add	%o5,1,%g2
-/* 0x0038	     */		or	%g0,0,%g1
-/* 0x003c	     */		cmp	%g2,3
-/* 0x0040	     */		or	%g0,%i1,%o7
-/* 0x0044	     */		add	%o0,1023,%o4
-/* 0x0048	     */		or	%g0,%i0,%g3
-/* 0x004c	     */		bl,pn	%icc,.L77000154
-/* 0x0050	     */		add	%o7,4,%o0
-/* 0x0054	 155 */		ldd	[%o3],%f0
-/* 0x0058	 156 */		or	%g0,1,%g1
-/* 0x005c	 154 */		ld	[%o0-4],%o1
-/* 0x0060	   0 */		or	%g0,%o0,%o7
-/* 0x0064	 155 */		and	%o1,%o4,%o0
-                       .L900000306:
-/* 0x0068	 155 */		st	%o0,[%sp+96]
-/* 0x006c	 156 */		add	%g1,1,%g1
-/* 0x0070	     */		add	%g3,16,%g3
-/* 0x0074	     */		cmp	%g1,%o5
-/* 0x0078	     */		add	%o7,4,%o7
-/* 0x007c	 155 */		ld	[%sp+96],%f3
-/* 0x0080	     */		fmovs	%f0,%f2
-/* 0x0084	     */		fsubd	%f2,%f0,%f2
-/* 0x0088	 156 */		srl	%o1,16,%o0
-/* 0x008c	 155 */		std	%f2,[%g3-16]
-/* 0x0090	 156 */		st	%o0,[%sp+92]
-/* 0x0094	     */		ld	[%sp+92],%f3
-/* 0x0098	 154 */		ld	[%o7-4],%o1
-/* 0x009c	 156 */		fmovs	%f0,%f2
-/* 0x00a0	     */		fsubd	%f2,%f0,%f2
-/* 0x00a4	 155 */		and	%o1,%o4,%o0
-/* 0x00a8	 156 */		ble,pt	%icc,.L900000306
-/* 0x00ac	     */		std	%f2,[%g3-8]
-                       .L900000309:
-/* 0x00b0	 155 */		st	%o0,[%sp+96]
-/* 0x00b4	     */		fmovs	%f0,%f2
-/* 0x00b8	 156 */		add	%g3,16,%g3
-/* 0x00bc	     */		srl	%o1,16,%o0
-/* 0x00c0	 155 */		ld	[%sp+96],%f3
-/* 0x00c4	     */		fsubd	%f2,%f0,%f2
-/* 0x00c8	     */		std	%f2,[%g3-16]
-/* 0x00cc	 156 */		st	%o0,[%sp+92]
-/* 0x00d0	     */		fmovs	%f0,%f2
-/* 0x00d4	     */		ld	[%sp+92],%f3
-/* 0x00d8	     */		fsubd	%f2,%f0,%f0
-/* 0x00dc	     */		std	%f0,[%g3-8]
-/* 0x00e0	     */		ret	! Result = 
-/* 0x00e4	     */		restore	%g0,%g0,%g0
-                       .L77000154:
-/* 0x00e8	 154 */		ld	[%o7],%o0
-                       .L900000311:
-/* 0x00ec	 155 */		and	%o0,%o4,%o1
-/* 0x00f0	     */		st	%o1,[%sp+96]
-/* 0x00f4	 156 */		add	%g1,1,%g1
-/* 0x00f8	 155 */		ldd	[%o3],%f0
-/* 0x00fc	 156 */		srl	%o0,16,%o0
-/* 0x0100	     */		add	%o7,4,%o7
-/* 0x0104	     */		cmp	%g1,%o5
-/* 0x0108	 155 */		fmovs	%f0,%f2
-/* 0x010c	     */		ld	[%sp+96],%f3
-/* 0x0110	     */		fsubd	%f2,%f0,%f2
-/* 0x0114	     */		std	%f2,[%g3]
-/* 0x0118	 156 */		st	%o0,[%sp+92]
-/* 0x011c	     */		fmovs	%f0,%f2
-/* 0x0120	     */		ld	[%sp+92],%f3
-/* 0x0124	     */		fsubd	%f2,%f0,%f0
-/* 0x0128	     */		std	%f0,[%g3+8]
-/* 0x012c	     */		add	%g3,16,%g3
-/* 0x0130	     */		ble,a,pt	%icc,.L900000311
-/* 0x0134	     */		ld	[%o7],%o0
-                       .L77000150:
-/* 0x0138	     */		ret	! Result = 
-/* 0x013c	     */		restore	%g0,%g0,%g0
-/* 0x0140	   0 */		.type	conv_i32_to_d16,2
-/* 0x0140	     */		.size	conv_i32_to_d16,(.-conv_i32_to_d16)
-
-	.section	".text",#alloc,#execinstr
-/* 000000	   0 */		.align	8
-!
-! CONSTANT POOL
-!
-                       .L_const_seg_900000401:
-/* 000000	   0 */		.word	1127219200,0
-/* 0x0008	   0 */		.align	4
-/* 0x0008	     */		.skip	16
-!
-! SUBROUTINE conv_i32_to_d32_and_d16
-!
-! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
-
-                       	.global conv_i32_to_d32_and_d16
-                       conv_i32_to_d32_and_d16:
-/* 000000	     */		save	%sp,-120,%sp
-                       .L900000415:
-/* 0x0004	     */		call	.+8
-/* 0x0008	     */		sethi	/*X*/%hi(_GLOBAL_OFFSET_TABLE_-(.L900000415-.)),%g4
-
-!  157		      !   }
-!  158		      !}
-!  161		      !void conv_i32_to_d32_and_d16(double *d32, double *d16, 
-!  162		      !			     unsigned int *i32, int len)
-!  163		      !{
-!  164		      !int i = 0;
-!  165		      !unsigned int a;
-!  167		      !#pragma pipeloop(0)
-!  168		      !#ifdef RF_INLINE_MACROS
-!  169		      ! for(;i<len-3;i+=4)
-
-/* 0x000c	 169 */		sub	%i3,3,%g2
-/* 0x0010	     */		cmp	%g2,0
-/* 0x0014	 163 */		add	%g4,/*X*/%lo(_GLOBAL_OFFSET_TABLE_-(.L900000415-.)),%g4
-
-!  170		      !   {
-!  171		      !     i16_to_d16_and_d32x4(&TwoToMinus16, &TwoTo16, &Zero,
-!  172		      !			  &(d16[2*i]), &(d32[i]), (float *)(&(i32[i])));
-
-/* 0x0018	 172 */		sethi	%hi(Zero),%g2
-/* 0x001c	 163 */		add	%g4,%o7,%o4
-/* 0x0020	 172 */		add	%g2,%lo(Zero),%g2
-/* 0x0024	     */		sethi	%hi(TwoToMinus16),%g3
-/* 0x0028	     */		ld	[%o4+%g2],%o1
-/* 0x002c	     */		sethi	%hi(TwoTo16),%g4
-/* 0x0030	     */		add	%g3,%lo(TwoToMinus16),%g2
-/* 0x0034	     */		ld	[%o4+%g2],%o3
-/* 0x0038	 164 */		or	%g0,0,%g5
-/* 0x003c	 172 */		add	%g4,%lo(TwoTo16),%g3
-/* 0x0040	     */		ld	[%o4+%g3],%o2
-/* 0x0044	 163 */		or	%g0,%i0,%i4
-/* 0x0048	 169 */		or	%g0,%i2,%o7
-/* 0x004c	     */		ble,pt	%icc,.L900000418
-/* 0x0050	     */		cmp	%g5,%i3
-/* 0x0054	 172 */		stx	%o7,[%sp+104]
-/* 0x0058	 169 */		sub	%i3,4,%o5
-/* 0x005c	     */		or	%g0,0,%g4
-/* 0x0060	     */		or	%g0,0,%g1
-                       .L900000417:
-/* 0x0064	     */		ldd	[%o1],%f2
-/* 0x0068	 172 */		add	%i4,%g4,%g2
-/* 0x006c	     */		add	%i1,%g1,%g3
-/* 0x0070	     */		ldd	[%o3],%f0
-/* 0x0074	     */		add	%g5,4,%g5
-/* 0x0078	     */		fmovd	%f2,%f14
-/* 0x007c	     */		ld	[%o7],%f15
-/* 0x0080	     */		cmp	%g5,%o5
-/* 0x0084	     */		fmovd	%f2,%f10
-/* 0x0088	     */		ld	[%o7+4],%f11
-/* 0x008c	     */		add	%o7,16,%o7
-/* 0x0090	     */		ldx	[%sp+104],%o0
-/* 0x0094	     */		fmovd	%f2,%f6
-/* 0x0098	     */		stx	%o7,[%sp+112]
-/* 0x009c	     */		fxtod	%f14,%f14
-/* 0x00a0	     */		ld	[%o0+8],%f7
-/* 0x00a4	     */		fxtod	%f10,%f10
-/* 0x00a8	     */		ld	[%o0+12],%f3
-/* 0x00ac	     */		fxtod	%f6,%f6
-/* 0x00b0	     */		ldd	[%o2],%f16
-/* 0x00b4	     */		fmuld	%f0,%f14,%f12
-/* 0x00b8	     */		fxtod	%f2,%f2
-/* 0x00bc	     */		fmuld	%f0,%f10,%f8
-/* 0x00c0	     */		std	%f14,[%i4+%g4]
-/* 0x00c4	     */		ldx	[%sp+112],%o7
-/* 0x00c8	     */		add	%g4,32,%g4
-/* 0x00cc	     */		fmuld	%f0,%f6,%f4
-/* 0x00d0	     */		fdtox	%f12,%f12
-/* 0x00d4	     */		std	%f10,[%g2+8]
-/* 0x00d8	     */		fmuld	%f0,%f2,%f0
-/* 0x00dc	     */		fdtox	%f8,%f8
-/* 0x00e0	     */		std	%f6,[%g2+16]
-/* 0x00e4	     */		std	%f2,[%g2+24]
-/* 0x00e8	     */		fdtox	%f4,%f4
-/* 0x00ec	     */		fdtox	%f0,%f0
-/* 0x00f0	     */		fxtod	%f12,%f12
-/* 0x00f4	     */		std	%f12,[%g3+8]
-/* 0x00f8	     */		fxtod	%f8,%f8
-/* 0x00fc	     */		std	%f8,[%g3+24]
-/* 0x0100	     */		fxtod	%f4,%f4
-/* 0x0104	     */		std	%f4,[%g3+40]
-/* 0x0108	     */		fxtod	%f0,%f0
-/* 0x010c	     */		std	%f0,[%g3+56]
-/* 0x0110	     */		fmuld	%f12,%f16,%f12
-/* 0x0114	     */		fmuld	%f8,%f16,%f8
-/* 0x0118	     */		fmuld	%f4,%f16,%f4
-/* 0x011c	     */		fsubd	%f14,%f12,%f12
-/* 0x0120	     */		std	%f12,[%i1+%g1]
-/* 0x0124	     */		fmuld	%f0,%f16,%f0
-/* 0x0128	     */		fsubd	%f10,%f8,%f8
-/* 0x012c	     */		std	%f8,[%g3+16]
-/* 0x0130	     */		add	%g1,64,%g1
-/* 0x0134	     */		fsubd	%f6,%f4,%f4
-/* 0x0138	     */		std	%f4,[%g3+32]
-/* 0x013c	     */		fsubd	%f2,%f0,%f0
-/* 0x0140	     */		std	%f0,[%g3+48]
-/* 0x0144	     */		ble,a,pt	%icc,.L900000417
-/* 0x0148	     */		stx	%o7,[%sp+104]
-                       .L77000159:
-
-!  173		      !   }
-!  174		      !#endif
-!  175		      ! for(;i<len;i++)
-
-/* 0x014c	 175 */		cmp	%g5,%i3
-                       .L900000418:
-/* 0x0150	 175 */		bge,pt	%icc,.L77000164
-/* 0x0154	     */		nop
-
-!  176		      !   {
-!  177		      !     a=i32[i];
-!  178		      !     d32[i]=(double)(i32[i]);
-!  179		      !     d16[2*i]=(double)(a&0xffff);
-!  180		      !     d16[2*i+1]=(double)(a>>16);
-
-/* 0x0158	 180 */		sethi	%hi(.L_const_seg_900000401),%g2
-/* 0x015c	     */		add	%g2,%lo(.L_const_seg_900000401),%o1
-/* 0x0160	 175 */		sethi	%hi(0xfc00),%o0
-/* 0x0164	     */		ld	[%o4+%o1],%o2
-/* 0x0168	     */		sll	%g5,2,%o3
-/* 0x016c	     */		sub	%i3,%g5,%g3
-/* 0x0170	     */		sll	%g5,3,%g2
-/* 0x0174	     */		add	%o0,1023,%o4
-/* 0x0178	 178 */		ldd	[%o2],%f0
-/* 0x017c	     */		add	%i2,%o3,%o0
-/* 0x0180	 175 */		cmp	%g3,3
-/* 0x0184	     */		add	%i4,%g2,%o3
-/* 0x0188	     */		sub	%i3,1,%o1
-/* 0x018c	     */		sll	%g5,4,%g4
-/* 0x0190	     */		bl,pn	%icc,.L77000161
-/* 0x0194	     */		add	%i1,%g4,%o5
-/* 0x0198	 178 */		ld	[%o0],%f3
-/* 0x019c	 180 */		add	%o3,8,%o3
-/* 0x01a0	 177 */		ld	[%o0],%o7
-/* 0x01a4	 180 */		add	%o5,16,%o5
-/* 0x01a8	     */		add	%g5,1,%g5
-/* 0x01ac	 178 */		fmovs	%f0,%f2
-/* 0x01b0	 180 */		add	%o0,4,%o0
-/* 0x01b4	 179 */		and	%o7,%o4,%g1
-/* 0x01b8	 178 */		fsubd	%f2,%f0,%f2
-/* 0x01bc	     */		std	%f2,[%o3-8]
-/* 0x01c0	 180 */		srl	%o7,16,%o7
-/* 0x01c4	 179 */		st	%g1,[%sp+96]
-/* 0x01c8	     */		fmovs	%f0,%f2
-/* 0x01cc	     */		ld	[%sp+96],%f3
-/* 0x01d0	     */		fsubd	%f2,%f0,%f2
-/* 0x01d4	     */		std	%f2,[%o5-16]
-/* 0x01d8	 180 */		st	%o7,[%sp+92]
-/* 0x01dc	     */		fmovs	%f0,%f2
-/* 0x01e0	     */		ld	[%sp+92],%f3
-/* 0x01e4	     */		fsubd	%f2,%f0,%f2
-/* 0x01e8	     */		std	%f2,[%o5-8]
-                       .L900000411:
-/* 0x01ec	 178 */		ld	[%o0],%f3
-/* 0x01f0	 180 */		add	%g5,2,%g5
-/* 0x01f4	     */		add	%o5,32,%o5
-/* 0x01f8	 177 */		ld	[%o0],%o7
-/* 0x01fc	 180 */		cmp	%g5,%o1
-/* 0x0200	     */		add	%o3,16,%o3
-/* 0x0204	 178 */		fmovs	%f0,%f2
-/* 0x0208	     */		fsubd	%f2,%f0,%f2
-/* 0x020c	     */		std	%f2,[%o3-16]
-/* 0x0210	 179 */		and	%o7,%o4,%g1
-/* 0x0214	     */		st	%g1,[%sp+96]
-/* 0x0218	     */		ld	[%sp+96],%f3
-/* 0x021c	     */		fmovs	%f0,%f2
-/* 0x0220	     */		fsubd	%f2,%f0,%f2
-/* 0x0224	 180 */		srl	%o7,16,%o7
-/* 0x0228	 179 */		std	%f2,[%o5-32]
-/* 0x022c	 180 */		st	%o7,[%sp+92]
-/* 0x0230	     */		ld	[%sp+92],%f3
-/* 0x0234	     */		fmovs	%f0,%f2
-/* 0x0238	     */		fsubd	%f2,%f0,%f2
-/* 0x023c	     */		std	%f2,[%o5-24]
-/* 0x0240	     */		add	%o0,4,%o0
-/* 0x0244	 178 */		ld	[%o0],%f3
-/* 0x0248	 177 */		ld	[%o0],%o7
-/* 0x024c	 178 */		fmovs	%f0,%f2
-/* 0x0250	     */		fsubd	%f2,%f0,%f2
-/* 0x0254	     */		std	%f2,[%o3-8]
-/* 0x0258	 179 */		and	%o7,%o4,%g1
-/* 0x025c	     */		st	%g1,[%sp+96]
-/* 0x0260	     */		ld	[%sp+96],%f3
-/* 0x0264	     */		fmovs	%f0,%f2
-/* 0x0268	     */		fsubd	%f2,%f0,%f2
-/* 0x026c	 180 */		srl	%o7,16,%o7
-/* 0x0270	 179 */		std	%f2,[%o5-16]
-/* 0x0274	 180 */		st	%o7,[%sp+92]
-/* 0x0278	     */		ld	[%sp+92],%f3
-/* 0x027c	     */		fmovs	%f0,%f2
-/* 0x0280	     */		fsubd	%f2,%f0,%f2
-/* 0x0284	     */		std	%f2,[%o5-8]
-/* 0x0288	     */		bl,pt	%icc,.L900000411
-/* 0x028c	     */		add	%o0,4,%o0
-                       .L900000414:
-/* 0x0290	 180 */		cmp	%g5,%i3
-/* 0x0294	     */		bge,pn	%icc,.L77000164
-/* 0x0298	     */		nop
-                       .L77000161:
-/* 0x029c	 178 */		ld	[%o0],%f3
-                       .L900000416:
-/* 0x02a0	 178 */		ldd	[%o2],%f0
-/* 0x02a4	 180 */		add	%g5,1,%g5
-/* 0x02a8	 177 */		ld	[%o0],%o1
-/* 0x02ac	 180 */		add	%o0,4,%o0
-/* 0x02b0	     */		cmp	%g5,%i3
-/* 0x02b4	 178 */		fmovs	%f0,%f2
-/* 0x02b8	 179 */		and	%o1,%o4,%o7
-/* 0x02bc	 178 */		fsubd	%f2,%f0,%f2
-/* 0x02c0	     */		std	%f2,[%o3]
-/* 0x02c4	 180 */		srl	%o1,16,%o1
-/* 0x02c8	 179 */		st	%o7,[%sp+96]
-/* 0x02cc	 180 */		add	%o3,8,%o3
-/* 0x02d0	 179 */		fmovs	%f0,%f2
-/* 0x02d4	     */		ld	[%sp+96],%f3
-/* 0x02d8	     */		fsubd	%f2,%f0,%f2
-/* 0x02dc	     */		std	%f2,[%o5]
-/* 0x02e0	 180 */		st	%o1,[%sp+92]
-/* 0x02e4	     */		fmovs	%f0,%f2
-/* 0x02e8	     */		ld	[%sp+92],%f3
-/* 0x02ec	     */		fsubd	%f2,%f0,%f0
-/* 0x02f0	     */		std	%f0,[%o5+8]
-/* 0x02f4	     */		add	%o5,16,%o5
-/* 0x02f8	     */		bl,a,pt	%icc,.L900000416
-/* 0x02fc	     */		ld	[%o0],%f3
-                       .L77000164:
-/* 0x0300	     */		ret	! Result = 
-/* 0x0304	     */		restore	%g0,%g0,%g0
-/* 0x0308	   0 */		.type	conv_i32_to_d32_and_d16,2
-/* 0x0308	     */		.size	conv_i32_to_d32_and_d16,(.-conv_i32_to_d32_and_d16)
-
-	.section	".text",#alloc,#execinstr
-/* 000000	   0 */		.align	4
-!
-! SUBROUTINE adjust_montf_result
-!
-! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
-
-                       	.global adjust_montf_result
-                       adjust_montf_result:
-/* 000000	     */		or	%g0,%o2,%g5
-
-!  181		      !   }
-!  182		      !}
-!  185		      !void adjust_montf_result(unsigned int *i32, unsigned int *nint, int len)
-!  186		      !{
-!  187		      !long long acc;
-!  188		      !int i;
-!  190		      ! if(i32[len]>0) i=-1;
-
-/* 0x0004	 190 */		or	%g0,-1,%g4
-/* 0x0008	     */		sll	%o2,2,%g1
-/* 0x000c	     */		ld	[%o0+%g1],%g1
-/* 0x0010	     */		cmp	%g1,0
-/* 0x0014	     */		bleu,pn	%icc,.L77000175
-/* 0x0018	     */		or	%g0,%o1,%o3
-/* 0x001c	     */		ba	.L900000511
-/* 0x0020	     */		cmp	%g4,0
-                       .L77000175:
-
-!  191		      ! else
-!  192		      !   {
-!  193		      !     for(i=len-1; i>=0; i--)
-
-/* 0x0024	 193 */		sub	%o2,1,%g4
-/* 0x0028	     */		sll	%g4,2,%g1
-/* 0x002c	     */		cmp	%g4,0
-/* 0x0030	     */		bl,pt	%icc,.L900000511
-/* 0x0034	     */		cmp	%g4,0
-/* 0x0038	     */		add	%o1,%g1,%g2
-
-!  194		      !       {
-!  195		      !	 if(i32[i]!=nint[i]) break;
-
-/* 0x003c	 195 */		ld	[%g2],%o5
-/* 0x0040	 193 */		add	%o0,%g1,%g3
-                       .L900000510:
-/* 0x0044	 195 */		ld	[%g3],%o2
-/* 0x0048	     */		sub	%g4,1,%g1
-/* 0x004c	     */		sub	%g2,4,%g2
-/* 0x0050	     */		sub	%g3,4,%g3
-/* 0x0054	     */		cmp	%o2,%o5
-/* 0x0058	     */		bne,pn	%icc,.L77000182
-/* 0x005c	     */		nop
-/* 0x0060	   0 */		or	%g0,%g1,%g4
-/* 0x0064	 195 */		cmp	%g1,0
-/* 0x0068	     */		bge,a,pt	%icc,.L900000510
-/* 0x006c	     */		ld	[%g2],%o5
-                       .L77000182:
-
-!  196		      !       }
-!  197		      !   }
-!  198		      ! if((i<0)||(i32[i]>nint[i]))
-
-/* 0x0070	 198 */		cmp	%g4,0
-                       .L900000511:
-/* 0x0074	 198 */		bl,pn	%icc,.L77000198
-/* 0x0078	     */		sll	%g4,2,%g2
-/* 0x007c	     */		ld	[%o1+%g2],%g1
-/* 0x0080	     */		ld	[%o0+%g2],%g2
-/* 0x0084	     */		cmp	%g2,%g1
-/* 0x0088	     */		bleu,pt	%icc,.L77000191
-/* 0x008c	     */		nop
-                       .L77000198:
-
-!  199		      !   {
-!  200		      !     acc=0;
-!  201		      !     for(i=0;i<len;i++)
-
-/* 0x0090	 201 */		cmp	%g5,0
-/* 0x0094	     */		ble,pt	%icc,.L77000191
-/* 0x0098	     */		nop
-/* 0x009c	     */		or	%g0,%g5,%g1
-/* 0x00a0	 198 */		or	%g0,-1,%g2
-/* 0x00a4	     */		srl	%g2,0,%g3
-/* 0x00a8	     */		sub	%g5,1,%g4
-/* 0x00ac	 200 */		or	%g0,0,%g5
-/* 0x00b0	 201 */		or	%g0,0,%o5
-/* 0x00b4	 198 */		or	%g0,%o0,%o4
-/* 0x00b8	     */		cmp	%g1,3
-/* 0x00bc	 201 */		bl,pn	%icc,.L77000199
-/* 0x00c0	     */		add	%o0,8,%g1
-/* 0x00c4	     */		add	%o1,4,%g2
-
-!  202		      !       {
-!  203		      !	 acc=acc+(unsigned long long)(i32[i])-(unsigned long long)(nint[i]);
-
-/* 0x00c8	 203 */		ld	[%o0],%o2
-/* 0x00cc	     */		ld	[%o1],%o1
-/* 0x00d0	   0 */		or	%g0,%g1,%o4
-/* 0x00d4	     */		or	%g0,%g2,%o3
-/* 0x00d8	 203 */		ld	[%o0+4],%g1
-
-!  204		      !	 i32[i]=acc&0xffffffff;
-!  205		      !	 acc=acc>>32;
-
-/* 0x00dc	 205 */		or	%g0,2,%o5
-/* 0x00e0	 201 */		sub	%o2,%o1,%o2
-/* 0x00e4	     */		or	%g0,%o2,%g5
-/* 0x00e8	 204 */		and	%o2,%g3,%o2
-/* 0x00ec	     */		st	%o2,[%o0]
-/* 0x00f0	 205 */		srax	%g5,32,%g5
-                       .L900000505:
-/* 0x00f4	 203 */		ld	[%o3],%o2
-/* 0x00f8	 205 */		add	%o5,1,%o5
-/* 0x00fc	     */		add	%o3,4,%o3
-/* 0x0100	     */		cmp	%o5,%g4
-/* 0x0104	     */		add	%o4,4,%o4
-/* 0x0108	 201 */		sub	%g1,%o2,%g1
-/* 0x010c	     */		add	%g1,%g5,%g5
-/* 0x0110	 204 */		and	%g5,%g3,%o2
-/* 0x0114	 203 */		ld	[%o4-4],%g1
-/* 0x0118	 204 */		st	%o2,[%o4-8]
-/* 0x011c	 205 */		ble,pt	%icc,.L900000505
-/* 0x0120	     */		srax	%g5,32,%g5
-                       .L900000508:
-/* 0x0124	 203 */		ld	[%o3],%g2
-/* 0x0128	 201 */		sub	%g1,%g2,%g1
-/* 0x012c	     */		add	%g1,%g5,%g1
-/* 0x0130	 204 */		and	%g1,%g3,%g2
-/* 0x0134	     */		retl	! Result = 
-/* 0x0138	     */		st	%g2,[%o4-4]
-                       .L77000199:
-/* 0x013c	 203 */		ld	[%o4],%g1
-                       .L900000509:
-/* 0x0140	 203 */		ld	[%o3],%g2
-/* 0x0144	     */		add	%g5,%g1,%g1
-/* 0x0148	 205 */		add	%o5,1,%o5
-/* 0x014c	     */		add	%o3,4,%o3
-/* 0x0150	     */		cmp	%o5,%g4
-/* 0x0154	 203 */		sub	%g1,%g2,%g1
-/* 0x0158	 204 */		and	%g1,%g3,%g2
-/* 0x015c	     */		st	%g2,[%o4]
-/* 0x0160	 205 */		add	%o4,4,%o4
-/* 0x0164	     */		srax	%g1,32,%g5
-/* 0x0168	     */		ble,a,pt	%icc,.L900000509
-/* 0x016c	     */		ld	[%o4],%g1
-                       .L77000191:
-/* 0x0170	     */		retl	! Result = 
-/* 0x0174	     */		nop
-/* 0x0178	   0 */		.type	adjust_montf_result,2
-/* 0x0178	     */		.size	adjust_montf_result,(.-adjust_montf_result)
-
-	.section	".text",#alloc,#execinstr
-/* 000000	   0 */		.align	4
-/* 000000	     */		.skip	16
-!
-! SUBROUTINE mont_mulf_noconv
-!
-! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
-
-                       	.global mont_mulf_noconv
-                       mont_mulf_noconv:
-/* 000000	     */		save	%sp,-144,%sp
-                       .L900000646:
-/* 0x0004	     */		call	.+8
-/* 0x0008	     */		sethi	/*X*/%hi(_GLOBAL_OFFSET_TABLE_-(.L900000646-.)),%g5
-
-!  206		      !       }
-!  207		      !   }
-!  208		      !}
-!  213		      !/*
-!  214		      !** the lengths of the input arrays should be at least the following:
-!  215		      !** result[nlen+1], dm1[nlen], dm2[2*nlen+1], dt[4*nlen+2], dn[nlen], nint[nlen]
-!  216		      !** all of them should be different from one another
-!  217		      !**
-!  218		      !*/
-!  219		      !void mont_mulf_noconv(unsigned int *result,
-!  220		      !		     double *dm1, double *dm2, double *dt,
-!  221		      !		     double *dn, unsigned int *nint,
-!  222		      !		     int nlen, double dn0)
-!  223		      !{
-!  224		      ! int i, j, jj;
-!  225		      ! int tmp;
-!  226		      ! double digit, m2j, nextm2j, a, b;
-!  227		      ! double *dptmp, *pdm1, *pdm2, *pdn, *pdtj, pdn_0, pdm1_0;
-!  229		      ! pdm1=&(dm1[0]);
-!  230		      ! pdm2=&(dm2[0]);
-!  231		      ! pdn=&(dn[0]);
-!  232		      ! pdm2[2*nlen]=Zero;
-
-/* 0x000c	 232 */		ld	[%fp+92],%o1
-/* 0x0010	     */		sethi	%hi(Zero),%g2
-/* 0x0014	 223 */		ldd	[%fp+96],%f2
-/* 0x0018	     */		add	%g5,/*X*/%lo(_GLOBAL_OFFSET_TABLE_-(.L900000646-.)),%g5
-/* 0x001c	 232 */		add	%g2,%lo(Zero),%g2
-/* 0x0020	 223 */		st	%i0,[%fp+68]
-/* 0x0024	     */		add	%g5,%o7,%o3
-
-!  234		      ! if (nlen!=16)
-!  235		      !   {
-!  236		      !     for(i=0;i<4*nlen+2;i++) dt[i]=Zero;
-!  238		      !     a=dt[0]=pdm1[0]*pdm2[0];
-!  239		      !     digit=mod(lower32(a,Zero)*dn0,TwoToMinus16,TwoTo16);
-
-/* 0x0028	 239 */		sethi	%hi(TwoToMinus16),%g3
-/* 0x002c	 232 */		ld	[%o3+%g2],%l0
-/* 0x0030	 239 */		sethi	%hi(TwoTo16),%g4
-/* 0x0034	 223 */		or	%g0,%i2,%o2
-/* 0x0038	     */		fmovd	%f2,%f16
-/* 0x003c	     */		st	%i5,[%fp+88]
-/* 0x0040	 239 */		add	%g3,%lo(TwoToMinus16),%g2
-/* 0x0044	 223 */		or	%g0,%i1,%i2
-/* 0x0048	 232 */		ldd	[%l0],%f0
-/* 0x004c	 239 */		add	%g4,%lo(TwoTo16),%g3
-/* 0x0050	 223 */		or	%g0,%i3,%o0
-/* 0x0054	 232 */		sll	%o1,4,%g4
-/* 0x0058	 239 */		ld	[%o3+%g2],%g5
-/* 0x005c	 223 */		or	%g0,%i3,%i1
-/* 0x0060	 239 */		ld	[%o3+%g3],%g1
-/* 0x0064	 232 */		or	%g0,%o1,%i0
-/* 0x0068	     */		or	%g0,%o2,%i3
-/* 0x006c	 234 */		cmp	%o1,16
-/* 0x0070	     */		be,pn	%icc,.L77000279
-/* 0x0074	     */		std	%f0,[%o2+%g4]
-/* 0x0078	 236 */		sll	%o1,2,%g2
-/* 0x007c	     */		or	%g0,%o0,%o3
-/* 0x0080	 232 */		sll	%o1,1,%o1
-/* 0x0084	 236 */		add	%g2,2,%o2
-/* 0x0088	     */		cmp	%o2,0
-/* 0x008c	     */		ble,a,pt	%icc,.L900000660
-/* 0x0090	     */		ldd	[%i2],%f0
-
-!  241		      !     pdtj=&(dt[0]);
-!  242		      !     for(j=jj=0;j<2*nlen;j++,jj++,pdtj++)
-!  243		      !       {
-!  244		      !	 m2j=pdm2[j];
-!  245		      !	 a=pdtj[0]+pdn[0]*digit;
-!  246		      !	 b=pdtj[1]+pdm1[0]*pdm2[j+1]+a*TwoToMinus16;
-!  247		      !	 pdtj[1]=b;
-!  249		      !#pragma pipeloop(0)
-!  250		      !	 for(i=1;i<nlen;i++)
-!  251		      !	   {
-!  252		      !	     pdtj[2*i]+=pdm1[i]*m2j+pdn[i]*digit;
-!  253		      !	   }
-!  254		      ! 	 if((jj==30)) {cleanup(dt,j/2+1,2*nlen+1); jj=0;}
-!  255		      !	 
-!  256		      !	 digit=mod(lower32(b,Zero)*dn0,TwoToMinus16,TwoTo16);
-!  257		      !       }
-!  258		      !   }
-!  259		      ! else
-!  260		      !   {
-!  261		      !     a=dt[0]=pdm1[0]*pdm2[0];
-!  263		      !     dt[65]=     dt[64]=     dt[63]=     dt[62]=     dt[61]=     dt[60]=
-!  264		      !     dt[59]=     dt[58]=     dt[57]=     dt[56]=     dt[55]=     dt[54]=
-!  265		      !     dt[53]=     dt[52]=     dt[51]=     dt[50]=     dt[49]=     dt[48]=
-!  266		      !     dt[47]=     dt[46]=     dt[45]=     dt[44]=     dt[43]=     dt[42]=
-!  267		      !     dt[41]=     dt[40]=     dt[39]=     dt[38]=     dt[37]=     dt[36]=
-!  268		      !     dt[35]=     dt[34]=     dt[33]=     dt[32]=     dt[31]=     dt[30]=
-!  269		      !     dt[29]=     dt[28]=     dt[27]=     dt[26]=     dt[25]=     dt[24]=
-!  270		      !     dt[23]=     dt[22]=     dt[21]=     dt[20]=     dt[19]=     dt[18]=
-!  271		      !     dt[17]=     dt[16]=     dt[15]=     dt[14]=     dt[13]=     dt[12]=
-!  272		      !     dt[11]=     dt[10]=     dt[ 9]=     dt[ 8]=     dt[ 7]=     dt[ 6]=
-!  273		      !     dt[ 5]=     dt[ 4]=     dt[ 3]=     dt[ 2]=     dt[ 1]=Zero;
-!  275		      !     pdn_0=pdn[0];
-!  276		      !     pdm1_0=pdm1[0];
-!  278		      !     digit=mod(lower32(a,Zero)*dn0,TwoToMinus16,TwoTo16);
-!  279		      !     pdtj=&(dt[0]);
-!  281		      !     for(j=0;j<32;j++,pdtj++)
-
-/* 0x0094	 281 */		add	%g2,2,%o0
-/* 0x0098	 236 */		add	%g2,1,%o2
-/* 0x009c	 281 */		cmp	%o0,3
-/* 0x00a0	     */		bl,pn	%icc,.L77000280
-/* 0x00a4	     */		or	%g0,1,%o0
-/* 0x00a8	     */		add	%o3,8,%o3
-/* 0x00ac	     */		or	%g0,1,%o4
-/* 0x00b0	     */		std	%f0,[%o3-8]
-                       .L900000630:
-/* 0x00b4	     */		std	%f0,[%o3]
-/* 0x00b8	     */		add	%o4,2,%o4
-/* 0x00bc	     */		add	%o3,16,%o3
-/* 0x00c0	     */		cmp	%o4,%g2
-/* 0x00c4	     */		ble,pt	%icc,.L900000630
-/* 0x00c8	     */		std	%f0,[%o3-8]
-                       .L900000633:
-/* 0x00cc	     */		cmp	%o4,%o2
-/* 0x00d0	     */		bg,pn	%icc,.L77000285
-/* 0x00d4	     */		add	%o4,1,%o0
-                       .L77000280:
-/* 0x00d8	     */		std	%f0,[%o3]
-                       .L900000659:
-/* 0x00dc	     */		ldd	[%l0],%f0
-/* 0x00e0	     */		cmp	%o0,%o2
-/* 0x00e4	     */		add	%o3,8,%o3
-/* 0x00e8	     */		add	%o0,1,%o0
-/* 0x00ec	     */		ble,a,pt	%icc,.L900000659
-/* 0x00f0	     */		std	%f0,[%o3]
-                       .L77000285:
-/* 0x00f4	 238 */		ldd	[%i2],%f0
-                       .L900000660:
-/* 0x00f8	 238 */		ldd	[%i3],%f2
-/* 0x00fc	     */		add	%o1,1,%o2
-/* 0x0100	 242 */		cmp	%o1,0
-/* 0x0104	     */		sll	%o2,1,%o0
-/* 0x0108	     */		sub	%o1,1,%o1
-/* 0x010c	 238 */		fmuld	%f0,%f2,%f0
-/* 0x0110	     */		std	%f0,[%i1]
-/* 0x0114	   0 */		or	%g0,0,%l1
-/* 0x0118	     */		ldd	[%l0],%f6
-/* 0x011c	     */		or	%g0,0,%g4
-/* 0x0120	     */		or	%g0,%o2,%i5
-/* 0x0124	     */		ldd	[%g5],%f2
-/* 0x0128	     */		or	%g0,%o1,%g3
-/* 0x012c	     */		or	%g0,%o0,%o3
-/* 0x0130	     */		fdtox	%f0,%f0
-/* 0x0134	     */		ldd	[%g1],%f4
-/* 0x0138	 246 */		add	%i3,8,%o4
-/* 0x013c	     */		or	%g0,0,%l2
-/* 0x0140	     */		or	%g0,%i1,%o5
-/* 0x0144	     */		sub	%i0,1,%o7
-/* 0x0148	     */		fmovs	%f6,%f0
-/* 0x014c	     */		fxtod	%f0,%f0
-/* 0x0150	 239 */		fmuld	%f0,%f16,%f0
-/* 0x0154	     */		fmuld	%f0,%f2,%f2
-/* 0x0158	     */		fdtox	%f2,%f2
-/* 0x015c	     */		fxtod	%f2,%f2
-/* 0x0160	     */		fmuld	%f2,%f4,%f2
-/* 0x0164	     */		fsubd	%f0,%f2,%f22
-/* 0x0168	 242 */		ble,pt	%icc,.L900000653
-/* 0x016c	     */		sll	%i0,4,%g2
-/* 0x0170	 246 */		ldd	[%i4],%f0
-                       .L900000654:
-/* 0x0174	 246 */		fmuld	%f0,%f22,%f8
-/* 0x0178	     */		ldd	[%i2],%f0
-/* 0x017c	 250 */		cmp	%i0,1
-/* 0x0180	 246 */		ldd	[%o4+%l2],%f6
-/* 0x0184	     */		add	%i2,8,%o0
-/* 0x0188	 250 */		or	%g0,1,%o1
-/* 0x018c	 246 */		ldd	[%o5],%f2
-/* 0x0190	     */		add	%o5,16,%l3
-/* 0x0194	     */		fmuld	%f0,%f6,%f6
-/* 0x0198	     */		ldd	[%g5],%f4
-/* 0x019c	     */		faddd	%f2,%f8,%f2
-/* 0x01a0	     */		ldd	[%o5+8],%f0
-/* 0x01a4	 244 */		ldd	[%i3+%l2],%f20
-/* 0x01a8	 246 */		faddd	%f0,%f6,%f0
-/* 0x01ac	     */		fmuld	%f2,%f4,%f2
-/* 0x01b0	     */		faddd	%f0,%f2,%f18
-/* 0x01b4	 247 */		std	%f18,[%o5+8]
-/* 0x01b8	 250 */		ble,pt	%icc,.L900000658
-/* 0x01bc	     */		srl	%g4,31,%g2
-/* 0x01c0	     */		cmp	%o7,7
-/* 0x01c4	 246 */		add	%i4,8,%g2
-/* 0x01c8	 250 */		bl,pn	%icc,.L77000284
-/* 0x01cc	     */		add	%g2,24,%o2
-/* 0x01d0	 252 */		ldd	[%o0+24],%f12
-/* 0x01d4	     */		add	%o5,48,%l3
-/* 0x01d8	     */		ldd	[%o0],%f2
-/* 0x01dc	   0 */		or	%g0,%o2,%g2
-/* 0x01e0	 250 */		sub	%o7,2,%o2
-/* 0x01e4	 252 */		ldd	[%g2-24],%f0
-/* 0x01e8	     */		or	%g0,5,%o1
-/* 0x01ec	     */		ldd	[%o0+8],%f6
-/* 0x01f0	     */		fmuld	%f2,%f20,%f2
-/* 0x01f4	     */		ldd	[%o0+16],%f14
-/* 0x01f8	     */		fmuld	%f0,%f22,%f4
-/* 0x01fc	     */		add	%o0,32,%o0
-/* 0x0200	     */		ldd	[%g2-16],%f8
-/* 0x0204	     */		fmuld	%f6,%f20,%f10
-/* 0x0208	     */		ldd	[%o5+16],%f0
-/* 0x020c	     */		ldd	[%g2-8],%f6
-/* 0x0210	     */		faddd	%f2,%f4,%f4
-/* 0x0214	     */		ldd	[%o5+32],%f2
-                       .L900000642:
-/* 0x0218	 252 */		ldd	[%g2],%f24
-/* 0x021c	     */		add	%o1,3,%o1
-/* 0x0220	     */		add	%g2,24,%g2
-/* 0x0224	     */		fmuld	%f8,%f22,%f8
-/* 0x0228	     */		ldd	[%l3],%f28
-/* 0x022c	     */		cmp	%o1,%o2
-/* 0x0230	     */		add	%o0,24,%o0
-/* 0x0234	     */		ldd	[%o0-24],%f26
-/* 0x0238	     */		faddd	%f0,%f4,%f0
-/* 0x023c	     */		add	%l3,48,%l3
-/* 0x0240	     */		faddd	%f10,%f8,%f10
-/* 0x0244	     */		fmuld	%f14,%f20,%f4
-/* 0x0248	     */		std	%f0,[%l3-80]
-/* 0x024c	     */		ldd	[%g2-16],%f8
-/* 0x0250	     */		fmuld	%f6,%f22,%f6
-/* 0x0254	     */		ldd	[%l3-32],%f0
-/* 0x0258	     */		ldd	[%o0-16],%f14
-/* 0x025c	     */		faddd	%f2,%f10,%f2
-/* 0x0260	     */		faddd	%f4,%f6,%f10
-/* 0x0264	     */		fmuld	%f12,%f20,%f4
-/* 0x0268	     */		std	%f2,[%l3-64]
-/* 0x026c	     */		ldd	[%g2-8],%f6
-/* 0x0270	     */		fmuld	%f24,%f22,%f24
-/* 0x0274	     */		ldd	[%l3-16],%f2
-/* 0x0278	     */		ldd	[%o0-8],%f12
-/* 0x027c	     */		faddd	%f28,%f10,%f10
-/* 0x0280	     */		std	%f10,[%l3-48]
-/* 0x0284	     */		fmuld	%f26,%f20,%f10
-/* 0x0288	     */		ble,pt	%icc,.L900000642
-/* 0x028c	     */		faddd	%f4,%f24,%f4
-                       .L900000645:
-/* 0x0290	 252 */		fmuld	%f8,%f22,%f28
-/* 0x0294	     */		ldd	[%g2],%f24
-/* 0x0298	     */		faddd	%f0,%f4,%f26
-/* 0x029c	     */		fmuld	%f12,%f20,%f8
-/* 0x02a0	     */		add	%l3,32,%l3
-/* 0x02a4	     */		cmp	%o1,%o7
-/* 0x02a8	     */		fmuld	%f14,%f20,%f14
-/* 0x02ac	     */		ldd	[%l3-32],%f4
-/* 0x02b0	     */		add	%g2,8,%g2
-/* 0x02b4	     */		faddd	%f10,%f28,%f12
-/* 0x02b8	     */		fmuld	%f6,%f22,%f6
-/* 0x02bc	     */		ldd	[%l3-16],%f0
-/* 0x02c0	     */		fmuld	%f24,%f22,%f10
-/* 0x02c4	     */		std	%f26,[%l3-64]
-/* 0x02c8	     */		faddd	%f2,%f12,%f2
-/* 0x02cc	     */		std	%f2,[%l3-48]
-/* 0x02d0	     */		faddd	%f14,%f6,%f6
-/* 0x02d4	     */		faddd	%f8,%f10,%f2
-/* 0x02d8	     */		faddd	%f4,%f6,%f4
-/* 0x02dc	     */		std	%f4,[%l3-32]
-/* 0x02e0	     */		faddd	%f0,%f2,%f0
-/* 0x02e4	     */		bg,pn	%icc,.L77000213
-/* 0x02e8	     */		std	%f0,[%l3-16]
-                       .L77000284:
-/* 0x02ec	 252 */		ldd	[%o0],%f0
-                       .L900000657:
-/* 0x02f0	 252 */		ldd	[%g2],%f4
-/* 0x02f4	     */		fmuld	%f0,%f20,%f2
-/* 0x02f8	     */		add	%o1,1,%o1
-/* 0x02fc	     */		ldd	[%l3],%f0
-/* 0x0300	     */		add	%o0,8,%o0
-/* 0x0304	     */		add	%g2,8,%g2
-/* 0x0308	     */		fmuld	%f4,%f22,%f4
-/* 0x030c	     */		cmp	%o1,%o7
-/* 0x0310	     */		faddd	%f2,%f4,%f2
-/* 0x0314	     */		faddd	%f0,%f2,%f0
-/* 0x0318	     */		std	%f0,[%l3]
-/* 0x031c	     */		add	%l3,16,%l3
-/* 0x0320	     */		ble,a,pt	%icc,.L900000657
-/* 0x0324	     */		ldd	[%o0],%f0
-                       .L77000213:
-/* 0x0328	     */		srl	%g4,31,%g2
-                       .L900000658:
-/* 0x032c	 254 */		cmp	%l1,30
-/* 0x0330	     */		bne,a,pt	%icc,.L900000656
-/* 0x0334	     */		fdtox	%f18,%f0
-/* 0x0338	     */		add	%g4,%g2,%g2
-/* 0x033c	     */		sra	%g2,1,%o0
-/* 0x0340	 281 */		ldd	[%l0],%f0
-/* 0x0344	     */		sll	%i5,1,%o2
-/* 0x0348	     */		add	%o0,1,%g2
-/* 0x034c	     */		sll	%g2,1,%o0
-/* 0x0350	 254 */		sub	%o2,1,%o2
-/* 0x0354	 281 */		fmovd	%f0,%f2
-/* 0x0358	     */		sll	%g2,4,%o1
-/* 0x035c	     */		cmp	%o0,%o3
-/* 0x0360	     */		bge,pt	%icc,.L77000215
-/* 0x0364	     */		or	%g0,0,%l1
-/* 0x0368	 254 */		add	%i1,%o1,%o1
-/* 0x036c	 281 */		ldd	[%o1],%f6
-                       .L900000655:
-/* 0x0370	     */		fdtox	%f6,%f10
-/* 0x0374	     */		ldd	[%o1+8],%f4
-/* 0x0378	     */		add	%o0,2,%o0
-/* 0x037c	     */		ldd	[%l0],%f12
-/* 0x0380	     */		fdtox	%f6,%f6
-/* 0x0384	     */		cmp	%o0,%o2
-/* 0x0388	     */		fdtox	%f4,%f8
-/* 0x038c	     */		fdtox	%f4,%f4
-/* 0x0390	     */		fmovs	%f12,%f10
-/* 0x0394	     */		fmovs	%f12,%f8
-/* 0x0398	     */		fxtod	%f10,%f10
-/* 0x039c	     */		fxtod	%f8,%f8
-/* 0x03a0	     */		faddd	%f10,%f2,%f2
-/* 0x03a4	     */		std	%f2,[%o1]
-/* 0x03a8	     */		faddd	%f8,%f0,%f0
-/* 0x03ac	     */		std	%f0,[%o1+8]
-/* 0x03b0	     */		add	%o1,16,%o1
-/* 0x03b4	     */		fitod	%f6,%f2
-/* 0x03b8	     */		fitod	%f4,%f0
-/* 0x03bc	     */		ble,a,pt	%icc,.L900000655
-/* 0x03c0	     */		ldd	[%o1],%f6
-                       .L77000233:
-/* 0x03c4	     */		or	%g0,0,%l1
-                       .L77000215:
-/* 0x03c8	     */		fdtox	%f18,%f0
-                       .L900000656:
-/* 0x03cc	     */		ldd	[%l0],%f6
-/* 0x03d0	 256 */		add	%g4,1,%g4
-/* 0x03d4	     */		add	%l2,8,%l2
-/* 0x03d8	     */		ldd	[%g5],%f2
-/* 0x03dc	     */		add	%l1,1,%l1
-/* 0x03e0	     */		add	%o5,8,%o5
-/* 0x03e4	     */		fmovs	%f6,%f0
-/* 0x03e8	     */		ldd	[%g1],%f4
-/* 0x03ec	     */		cmp	%g4,%g3
-/* 0x03f0	     */		fxtod	%f0,%f0
-/* 0x03f4	     */		fmuld	%f0,%f16,%f0
-/* 0x03f8	     */		fmuld	%f0,%f2,%f2
-/* 0x03fc	     */		fdtox	%f2,%f2
-/* 0x0400	     */		fxtod	%f2,%f2
-/* 0x0404	     */		fmuld	%f2,%f4,%f2
-/* 0x0408	     */		fsubd	%f0,%f2,%f22
-/* 0x040c	     */		ble,a,pt	%icc,.L900000654
-/* 0x0410	     */		ldd	[%i4],%f0
-                       .L900000629:
-/* 0x0414	 256 */		ba	.L900000653
-/* 0x0418	     */		sll	%i0,4,%g2
-                       .L77000279:
-/* 0x041c	 261 */		ldd	[%o2],%f6
-/* 0x0420	 279 */		or	%g0,%o0,%o4
-/* 0x0424	 281 */		or	%g0,0,%o3
-/* 0x0428	 261 */		ldd	[%i2],%f4
-/* 0x042c	 273 */		std	%f0,[%o0+8]
-/* 0x0430	     */		std	%f0,[%o0+16]
-/* 0x0434	 261 */		fmuld	%f4,%f6,%f4
-/* 0x0438	     */		std	%f4,[%o0]
-/* 0x043c	 273 */		std	%f0,[%o0+24]
-/* 0x0440	     */		std	%f0,[%o0+32]
-/* 0x0444	     */		fdtox	%f4,%f4
-/* 0x0448	     */		std	%f0,[%o0+40]
-/* 0x044c	     */		std	%f0,[%o0+48]
-/* 0x0450	     */		std	%f0,[%o0+56]
-/* 0x0454	     */		std	%f0,[%o0+64]
-/* 0x0458	     */		std	%f0,[%o0+72]
-/* 0x045c	     */		std	%f0,[%o0+80]
-/* 0x0460	     */		std	%f0,[%o0+88]
-/* 0x0464	     */		std	%f0,[%o0+96]
-/* 0x0468	     */		std	%f0,[%o0+104]
-/* 0x046c	     */		std	%f0,[%o0+112]
-/* 0x0470	     */		std	%f0,[%o0+120]
-/* 0x0474	     */		std	%f0,[%o0+128]
-/* 0x0478	     */		std	%f0,[%o0+136]
-/* 0x047c	     */		std	%f0,[%o0+144]
-/* 0x0480	     */		std	%f0,[%o0+152]
-/* 0x0484	     */		std	%f0,[%o0+160]
-/* 0x0488	     */		std	%f0,[%o0+168]
-/* 0x048c	     */		fmovs	%f0,%f4
-/* 0x0490	     */		std	%f0,[%o0+176]
-/* 0x0494	 281 */		or	%g0,0,%o1
-/* 0x0498	 273 */		std	%f0,[%o0+184]
-/* 0x049c	     */		fxtod	%f4,%f4
-/* 0x04a0	     */		std	%f0,[%o0+192]
-/* 0x04a4	     */		std	%f0,[%o0+200]
-/* 0x04a8	     */		std	%f0,[%o0+208]
-/* 0x04ac	 278 */		fmuld	%f4,%f2,%f2
-/* 0x04b0	 273 */		std	%f0,[%o0+216]
-/* 0x04b4	     */		std	%f0,[%o0+224]
-/* 0x04b8	     */		std	%f0,[%o0+232]
-/* 0x04bc	     */		std	%f0,[%o0+240]
-/* 0x04c0	     */		std	%f0,[%o0+248]
-/* 0x04c4	     */		std	%f0,[%o0+256]
-/* 0x04c8	     */		std	%f0,[%o0+264]
-/* 0x04cc	     */		std	%f0,[%o0+272]
-/* 0x04d0	     */		std	%f0,[%o0+280]
-/* 0x04d4	     */		std	%f0,[%o0+288]
-/* 0x04d8	     */		std	%f0,[%o0+296]
-/* 0x04dc	     */		std	%f0,[%o0+304]
-/* 0x04e0	     */		std	%f0,[%o0+312]
-/* 0x04e4	     */		std	%f0,[%o0+320]
-/* 0x04e8	     */		std	%f0,[%o0+328]
-/* 0x04ec	     */		std	%f0,[%o0+336]
-/* 0x04f0	     */		std	%f0,[%o0+344]
-/* 0x04f4	     */		std	%f0,[%o0+352]
-/* 0x04f8	     */		std	%f0,[%o0+360]
-/* 0x04fc	     */		std	%f0,[%o0+368]
-/* 0x0500	     */		std	%f0,[%o0+376]
-/* 0x0504	     */		std	%f0,[%o0+384]
-/* 0x0508	     */		std	%f0,[%o0+392]
-/* 0x050c	     */		std	%f0,[%o0+400]
-/* 0x0510	     */		std	%f0,[%o0+408]
-/* 0x0514	     */		std	%f0,[%o0+416]
-/* 0x0518	     */		std	%f0,[%o0+424]
-/* 0x051c	     */		std	%f0,[%o0+432]
-/* 0x0520	     */		std	%f0,[%o0+440]
-/* 0x0524	     */		std	%f0,[%o0+448]
-/* 0x0528	     */		std	%f0,[%o0+456]
-/* 0x052c	     */		std	%f0,[%o0+464]
-/* 0x0530	     */		std	%f0,[%o0+472]
-/* 0x0534	     */		std	%f0,[%o0+480]
-/* 0x0538	     */		std	%f0,[%o0+488]
-/* 0x053c	     */		std	%f0,[%o0+496]
-/* 0x0540	     */		std	%f0,[%o0+504]
-/* 0x0544	     */		std	%f0,[%o0+512]
-/* 0x0548	     */		std	%f0,[%o0+520]
-/* 0x054c	     */		ldd	[%g5],%f0
-/* 0x0550	     */		ldd	[%g1],%f8
-/* 0x0554	     */		fmuld	%f2,%f0,%f6
-/* 0x0558	 275 */		ldd	[%i4],%f4
-/* 0x055c	 276 */		ldd	[%i2],%f0
-/* 0x0560	     */		fdtox	%f6,%f6
-/* 0x0564	     */		fxtod	%f6,%f6
-/* 0x0568	     */		fmuld	%f6,%f8,%f6
-/* 0x056c	     */		fsubd	%f2,%f6,%f2
-/* 0x0570	 286 */		fmuld	%f4,%f2,%f12
-
-!  282		      !       {
-!  284		      !	 m2j=pdm2[j];
-!  285		      !	 a=pdtj[0]+pdn_0*digit;
-!  286		      !	 b=pdtj[1]+pdm1_0*pdm2[j+1]+a*TwoToMinus16;
-
-!  287		      !	 pdtj[1]=b;
-!  289		      !	 /**** this loop will be fully unrolled:
-!  290		      !	 for(i=1;i<16;i++)
-!  291		      !	   {
-!  292		      !	     pdtj[2*i]+=pdm1[i]*m2j+pdn[i]*digit;
-!  293		      !	   }
-!  294		      !	 *************************************/
-!  295		      !	     pdtj[2]+=pdm1[1]*m2j+pdn[1]*digit;
-!  296		      !	     pdtj[4]+=pdm1[2]*m2j+pdn[2]*digit;
-!  297		      !	     pdtj[6]+=pdm1[3]*m2j+pdn[3]*digit;
-!  298		      !	     pdtj[8]+=pdm1[4]*m2j+pdn[4]*digit;
-!  299		      !	     pdtj[10]+=pdm1[5]*m2j+pdn[5]*digit;
-!  300		      !	     pdtj[12]+=pdm1[6]*m2j+pdn[6]*digit;
-!  301		      !	     pdtj[14]+=pdm1[7]*m2j+pdn[7]*digit;
-!  302		      !	     pdtj[16]+=pdm1[8]*m2j+pdn[8]*digit;
-!  303		      !	     pdtj[18]+=pdm1[9]*m2j+pdn[9]*digit;
-!  304		      !	     pdtj[20]+=pdm1[10]*m2j+pdn[10]*digit;
-!  305		      !	     pdtj[22]+=pdm1[11]*m2j+pdn[11]*digit;
-!  306		      !	     pdtj[24]+=pdm1[12]*m2j+pdn[12]*digit;
-!  307		      !	     pdtj[26]+=pdm1[13]*m2j+pdn[13]*digit;
-!  308		      !	     pdtj[28]+=pdm1[14]*m2j+pdn[14]*digit;
-!  309		      !	     pdtj[30]+=pdm1[15]*m2j+pdn[15]*digit;
-!  310		      !	 /* no need for cleenup, cannot overflow */
-!  311		      !	 digit=mod(lower32(b,Zero)*dn0,TwoToMinus16,TwoTo16);
-
-	fmovd %f2,%f0		! hand modified
-	fmovd %f16,%f18			! hand modified
-	ldd [%i4],%f2
-	ldd [%o4],%f8
-	ldd [%i2],%f10
-	ldd [%g5],%f14		! hand modified
-	ldd [%g1],%f16		! hand modified
-	ldd [%i3],%f24
-
-	ldd [%i2+8],%f26
-	ldd [%i2+16],%f40
-	ldd [%i2+48],%f46
-	ldd [%i2+56],%f30
-	ldd [%i2+64],%f54
-	ldd [%i2+104],%f34
-	ldd [%i2+112],%f58
-
-	ldd [%i4+8],%f28	
-	ldd [%i4+104],%f38
-	ldd [%i4+112],%f60
-
-	.L99999999: 			!1
-	ldd	[%i2+24],%f32
-	fmuld	%f0,%f2,%f4 	!2
-	ldd	[%i4+24],%f36
-	fmuld	%f26,%f24,%f20 	!3
-	ldd	[%i2+40],%f42
-	fmuld	%f28,%f0,%f22 	!4
-	ldd	[%i4+40],%f44
-	fmuld	%f32,%f24,%f32 	!5
-	ldd	[%i3+8],%f6
-	faddd	%f4,%f8,%f4
-	fmuld	%f36,%f0,%f36 	!6
-	add	%i3,8,%i3
-	ldd	[%i4+56],%f50
-	fmuld	%f42,%f24,%f42 	!7
-	ldd	[%i2+72],%f52
-	faddd	%f20,%f22,%f20
-	fmuld	%f44,%f0,%f44 	!8
-	ldd	[%o4+16],%f22
-	fmuld	%f10,%f6,%f12 	!9
-	ldd	[%i4+72],%f56
-	faddd	%f32,%f36,%f32
-	fmuld	%f14,%f4,%f4 !10
-	ldd	[%o4+48],%f36
-	fmuld	%f30,%f24,%f48 	!11
-	ldd	[%o4+8],%f8
-	faddd	%f20,%f22,%f20
-	fmuld	%f50,%f0,%f50	!12
-	std	%f20,[%o4+16]
-	faddd	%f42,%f44,%f42
-	fmuld	%f52,%f24,%f52 	!13
-	ldd	[%o4+80],%f44
-	faddd	%f4,%f12,%f4
-	fmuld	%f56,%f0,%f56 	!14
-	ldd	[%i2+88],%f20
-	faddd	%f32,%f36,%f32 	!15
-	ldd	[%i4+88],%f22
-	faddd	%f48,%f50,%f48 	!16
-	ldd	[%o4+112],%f50
-	faddd	%f52,%f56,%f52 	!17
-	ldd	[%o4+144],%f56
-	faddd	%f4,%f8,%f8
-	fmuld	%f20,%f24,%f20 	!18
-	std	%f32,[%o4+48]
-	faddd	%f42,%f44,%f42
-	fmuld	%f22,%f0,%f22 	!19
-	std	%f42,[%o4+80]
-	faddd	%f48,%f50,%f48
-	fmuld	%f34,%f24,%f32 	!20
-	std	%f48,[%o4+112]
-	faddd	%f52,%f56,%f52
-	fmuld	%f38,%f0,%f36 	!21
-	ldd	[%i2+120],%f42
-	fdtox	%f8,%f4 		!22
-	std	%f52,[%o4+144]
-	faddd	%f20,%f22,%f20 	!23
-	ldd	[%i4+120],%f44 	!24
-	ldd	[%o4+176],%f22
-	faddd	%f32,%f36,%f32
-	fmuld	%f42,%f24,%f42 	!25
-	ldd	[%i4+16],%f50
-	fmovs	%f17,%f4 	!26
-	ldd	[%i2+32],%f52
-	fmuld	%f44,%f0,%f44 	!27
-	ldd	[%i4+32],%f56
-	fmuld	%f40,%f24,%f48 	!28
-	ldd	[%o4+208],%f36
-	faddd	%f20,%f22,%f20
-	fmuld	%f50,%f0,%f50 	!29
-	std	%f20,[%o4+176]
-	fxtod	%f4,%f4
-	fmuld	%f52,%f24,%f52 	!30
-	ldd	[%i4+48],%f22
-	faddd	%f42,%f44,%f42
-	fmuld	%f56,%f0,%f56 	!31
-	ldd	[%o4+240],%f44
-	faddd	%f32,%f36,%f32 	!32
-	std	%f32,[%o4+208]
-	faddd	%f48,%f50,%f48
-	fmuld	%f46,%f24,%f20 	!33
-	ldd	[%o4+32],%f50
-	fmuld	%f4,%f18,%f12 	!34
-	ldd	[%i4+64],%f36
-	faddd	%f52,%f56,%f52
-	fmuld	%f22,%f0,%f22 	!35
-	ldd	[%o4+64],%f56
-	faddd	%f42,%f44,%f42 	!36
-	std	%f42,[%o4+240]
-	faddd	%f48,%f50,%f48
-	fmuld	%f54,%f24,%f32 	!37
-	std	%f48,[%o4+32]
-	fmuld	%f12,%f14,%f4 !38
-	ldd	[%i2+80],%f42
-	faddd	%f52,%f56,%f56	! yes, tmp52!
-	fmuld	%f36,%f0,%f36 	!39
-	ldd	[%i4+80],%f44
-	faddd	%f20,%f22,%f20 	!40
-	ldd	[%i2+96],%f48
-	fmuld	%f58,%f24,%f52 	!41
-	ldd	[%i4+96],%f50
-	fdtox	%f4,%f4
-	fmuld	%f42,%f24,%f42 	!42
-	std	%f56,[%o4+64]	! yes, tmp52!
-	faddd	%f32,%f36,%f32
-	fmuld	%f44,%f0,%f44 	!43
-	ldd	[%o4+96],%f22
-	fmuld	%f48,%f24,%f48 	!44
-	ldd	[%o4+128],%f36
-	fmovd	%f6,%f24
-	fmuld	%f50,%f0,%f50 	!45
-	fxtod	%f4,%f4
-	fmuld	%f60,%f0,%f56 	!46
-	add	%o4,8,%o4
-	faddd	%f42,%f44,%f42 	!47
-	ldd	[%o4+160-8],%f44
-	faddd	%f20,%f22,%f20 	!48
-	std	%f20,[%o4+96-8]
-	faddd	%f48,%f50,%f48 	!49
-	ldd	[%o4+192-8],%f50
-	faddd	%f52,%f56,%f52
-	fmuld	%f4,%f16,%f4 	!50
-	ldd	[%o4+224-8],%f56
-	faddd	%f32,%f36,%f32 	!51
-	std	%f32,[%o4+128-8]
-	faddd	%f42,%f44,%f42 	!52
-	add	%o3,1,%o3
-	std	%f42,[%o4+160-8]
-	faddd	%f48,%f50,%f48 	!53
-	cmp	%o3,31
-	std	%f48,[%o4+192-8]
-	fsubd	%f12,%f4,%f0 	!54
-	faddd	%f52,%f56,%f52
-	ble,pt	%icc,.L99999999
-	std	%f52,[%o4+224-8] 	!55
-	std %f8,[%o4]
-
-!  312		      !       }
-!  313		      !   }
-!  315		      ! conv_d16_to_i32(result,dt+2*nlen,(long long *)dt,nlen+1);
-
-/* 0x07c8	 315 */		sll	%i0,4,%g2
-                       .L900000653:
-/* 0x07cc	 315 */		add	%i1,%g2,%i1
-/* 0x07d0	 242 */		ld	[%fp+68],%o0
-/* 0x07d4	 315 */		or	%g0,0,%o4
-/* 0x07d8	     */		ldd	[%i1],%f0
-/* 0x07dc	     */		or	%g0,0,%g5
-/* 0x07e0	     */		cmp	%i0,0
-/* 0x07e4	 242 */		or	%g0,%o0,%o3
-/* 0x07e8	 311 */		sub	%i0,1,%g1
-/* 0x07ec	 315 */		fdtox	%f0,%f0
-/* 0x07f0	     */		std	%f0,[%sp+120]
-/* 0x07f4	 311 */		sethi	%hi(0xfc00),%o1
-/* 0x07f8	     */		add	%g1,1,%g3
-/* 0x07fc	     */		or	%g0,%o0,%g4
-/* 0x0800	 315 */		ldd	[%i1+8],%f0
-/* 0x0804	     */		add	%o1,1023,%o1
-/* 0x0808	     */		fdtox	%f0,%f0
-/* 0x080c	     */		std	%f0,[%sp+112]
-/* 0x0810	     */		ldx	[%sp+112],%o5
-/* 0x0814	     */		ldx	[%sp+120],%o7
-/* 0x0818	     */		ble,pt	%icc,.L900000651
-/* 0x081c	     */		sethi	%hi(0xfc00),%g2
-/* 0x0820	 311 */		or	%g0,-1,%g2
-/* 0x0824	 315 */		cmp	%g3,3
-/* 0x0828	 311 */		srl	%g2,0,%o2
-/* 0x082c	 315 */		bl,pn	%icc,.L77000287
-/* 0x0830	     */		or	%g0,%i1,%g2
-/* 0x0834	     */		ldd	[%i1+16],%f0
-/* 0x0838	     */		and	%o5,%o1,%o0
-/* 0x083c	     */		add	%i1,16,%g2
-/* 0x0840	     */		sllx	%o0,16,%g3
-/* 0x0844	     */		and	%o7,%o2,%o0
-/* 0x0848	     */		fdtox	%f0,%f0
-/* 0x084c	     */		std	%f0,[%sp+104]
-/* 0x0850	     */		add	%o0,%g3,%o4
-/* 0x0854	     */		ldd	[%i1+24],%f2
-/* 0x0858	     */		srax	%o5,16,%o0
-/* 0x085c	     */		add	%o3,4,%g4
-/* 0x0860	     */		stx	%o0,[%sp+128]
-/* 0x0864	     */		and	%o4,%o2,%o0
-/* 0x0868	     */		stx	%o0,[%sp+112]
-/* 0x086c	     */		srax	%o4,32,%o0
-/* 0x0870	     */		fdtox	%f2,%f0
-/* 0x0874	     */		stx	%o0,[%sp+136]
-/* 0x0878	     */		srax	%o7,32,%o4
-/* 0x087c	     */		std	%f0,[%sp+96]
-/* 0x0880	     */		ldx	[%sp+128],%g5
-/* 0x0884	     */		ldx	[%sp+136],%o7
-/* 0x0888	     */		ldx	[%sp+104],%g3
-/* 0x088c	     */		add	%g5,%o7,%o0
-/* 0x0890	     */		or	%g0,1,%g5
-/* 0x0894	     */		ldx	[%sp+112],%o7
-/* 0x0898	     */		add	%o4,%o0,%o4
-/* 0x089c	     */		ldx	[%sp+96],%o5
-/* 0x08a0	     */		st	%o7,[%o3]
-/* 0x08a4	     */		or	%g0,%g3,%o7
-                       .L900000634:
-/* 0x08a8	     */		ldd	[%g2+16],%f0
-/* 0x08ac	     */		add	%g5,1,%g5
-/* 0x08b0	     */		add	%g4,4,%g4
-/* 0x08b4	     */		cmp	%g5,%g1
-/* 0x08b8	     */		add	%g2,16,%g2
-/* 0x08bc	     */		fdtox	%f0,%f0
-/* 0x08c0	     */		std	%f0,[%sp+104]
-/* 0x08c4	     */		ldd	[%g2+8],%f0
-/* 0x08c8	     */		fdtox	%f0,%f0
-/* 0x08cc	     */		std	%f0,[%sp+96]
-/* 0x08d0	     */		and	%o5,%o1,%g3
-/* 0x08d4	     */		sllx	%g3,16,%g3
-/* 0x08d8	     */		stx	%g3,[%sp+120]
-/* 0x08dc	     */		and	%o7,%o2,%g3
-/* 0x08e0	     */		stx	%o7,[%sp+128]
-/* 0x08e4	     */		ldx	[%sp+120],%o7
-/* 0x08e8	     */		add	%g3,%o7,%g3
-/* 0x08ec	     */		ldx	[%sp+128],%o7
-/* 0x08f0	     */		srax	%o5,16,%o5
-/* 0x08f4	     */		add	%g3,%o4,%g3
-/* 0x08f8	     */		srax	%g3,32,%o4
-/* 0x08fc	     */		stx	%o4,[%sp+112]
-/* 0x0900	     */		srax	%o7,32,%o4
-/* 0x0904	     */		ldx	[%sp+112],%o7
-/* 0x0908	     */		add	%o5,%o7,%o7
-/* 0x090c	     */		ldx	[%sp+96],%o5
-/* 0x0910	     */		add	%o4,%o7,%o4
-/* 0x0914	     */		and	%g3,%o2,%g3
-/* 0x0918	     */		ldx	[%sp+104],%o7
-/* 0x091c	     */		ble,pt	%icc,.L900000634
-/* 0x0920	     */		st	%g3,[%g4-4]
-                       .L900000637:
-/* 0x0924	     */		ba	.L900000651
-/* 0x0928	     */		sethi	%hi(0xfc00),%g2
-                       .L77000287:
-/* 0x092c	     */		ldd	[%g2+16],%f0
-                       .L900000650:
-/* 0x0930	     */		and	%o7,%o2,%o0
-/* 0x0934	     */		and	%o5,%o1,%g3
-/* 0x0938	     */		fdtox	%f0,%f0
-/* 0x093c	     */		add	%o4,%o0,%o0
-/* 0x0940	     */		std	%f0,[%sp+104]
-/* 0x0944	     */		add	%g5,1,%g5
-/* 0x0948	     */		sllx	%g3,16,%o4
-/* 0x094c	     */		ldd	[%g2+24],%f2
-/* 0x0950	     */		add	%g2,16,%g2
-/* 0x0954	     */		add	%o0,%o4,%o4
-/* 0x0958	     */		cmp	%g5,%g1
-/* 0x095c	     */		srax	%o5,16,%o0
-/* 0x0960	     */		stx	%o0,[%sp+112]
-/* 0x0964	     */		and	%o4,%o2,%g3
-/* 0x0968	     */		srax	%o4,32,%o5
-/* 0x096c	     */		fdtox	%f2,%f0
-/* 0x0970	     */		std	%f0,[%sp+96]
-/* 0x0974	     */		srax	%o7,32,%o4
-/* 0x0978	     */		ldx	[%sp+112],%o7
-/* 0x097c	     */		add	%o7,%o5,%o7
-/* 0x0980	     */		ldx	[%sp+104],%o5
-/* 0x0984	     */		add	%o4,%o7,%o4
-/* 0x0988	     */		ldx	[%sp+96],%o0
-/* 0x098c	     */		st	%g3,[%g4]
-/* 0x0990	     */		or	%g0,%o5,%o7
-/* 0x0994	     */		add	%g4,4,%g4
-/* 0x0998	     */		or	%g0,%o0,%o5
-/* 0x099c	     */		ble,a,pt	%icc,.L900000650
-/* 0x09a0	     */		ldd	[%g2+16],%f0
-                       .L77000236:
-/* 0x09a4	     */		sethi	%hi(0xfc00),%g2
-                       .L900000651:
-/* 0x09a8	     */		or	%g0,-1,%o0
-/* 0x09ac	     */		add	%g2,1023,%g2
-/* 0x09b0	     */		ld	[%fp+88],%o1
-/* 0x09b4	     */		srl	%o0,0,%g3
-/* 0x09b8	     */		and	%o5,%g2,%g2
-/* 0x09bc	     */		and	%o7,%g3,%g4
-
-!  317		      ! adjust_montf_result(result,nint,nlen); 
-
-/* 0x09c0	 317 */		or	%g0,-1,%o5
-/* 0x09c4	 311 */		sllx	%g2,16,%g2
-/* 0x09c8	     */		add	%o4,%g4,%g4
-/* 0x09cc	     */		add	%g4,%g2,%g2
-/* 0x09d0	     */		sll	%g5,2,%g4
-/* 0x09d4	     */		and	%g2,%g3,%g2
-/* 0x09d8	     */		st	%g2,[%o3+%g4]
-/* 0x09dc	 317 */		sll	%i0,2,%g2
-/* 0x09e0	     */		ld	[%o3+%g2],%g2
-/* 0x09e4	     */		cmp	%g2,0
-/* 0x09e8	     */		bleu,pn	%icc,.L77000241
-/* 0x09ec	     */		or	%g0,%o1,%o2
-/* 0x09f0	     */		ba	.L900000649
-/* 0x09f4	     */		cmp	%o5,0
-                       .L77000241:
-/* 0x09f8	     */		sub	%i0,1,%o5
-/* 0x09fc	     */		sll	%o5,2,%g2
-/* 0x0a00	     */		cmp	%o5,0
-/* 0x0a04	     */		bl,pt	%icc,.L900000649
-/* 0x0a08	     */		cmp	%o5,0
-/* 0x0a0c	     */		add	%o1,%g2,%o1
-/* 0x0a10	     */		add	%o3,%g2,%o4
-/* 0x0a14	     */		ld	[%o1],%g2
-                       .L900000648:
-/* 0x0a18	     */		ld	[%o4],%g3
-/* 0x0a1c	     */		sub	%o5,1,%o0
-/* 0x0a20	     */		sub	%o1,4,%o1
-/* 0x0a24	     */		sub	%o4,4,%o4
-/* 0x0a28	     */		cmp	%g3,%g2
-/* 0x0a2c	     */		bne,pn	%icc,.L77000244
-/* 0x0a30	     */		nop
-/* 0x0a34	   0 */		or	%g0,%o0,%o5
-/* 0x0a38	 317 */		cmp	%o0,0
-/* 0x0a3c	     */		bge,a,pt	%icc,.L900000648
-/* 0x0a40	     */		ld	[%o1],%g2
-                       .L77000244:
-/* 0x0a44	     */		cmp	%o5,0
-                       .L900000649:
-/* 0x0a48	     */		bl,pn	%icc,.L77000288
-/* 0x0a4c	     */		sll	%o5,2,%g2
-/* 0x0a50	     */		ld	[%o2+%g2],%g3
-/* 0x0a54	     */		ld	[%o3+%g2],%g2
-/* 0x0a58	     */		cmp	%g2,%g3
-/* 0x0a5c	     */		bleu,pt	%icc,.L77000224
-/* 0x0a60	     */		nop
-                       .L77000288:
-/* 0x0a64	     */		cmp	%i0,0
-/* 0x0a68	     */		ble,pt	%icc,.L77000224
-/* 0x0a6c	     */		nop
-/* 0x0a70	 317 */		sub	%i0,1,%o7
-/* 0x0a74	     */		or	%g0,-1,%g2
-/* 0x0a78	     */		srl	%g2,0,%o4
-/* 0x0a7c	     */		add	%o7,1,%o0
-/* 0x0a80	 315 */		or	%g0,0,%o5
-/* 0x0a84	     */		or	%g0,0,%g1
-/* 0x0a88	     */		cmp	%o0,3
-/* 0x0a8c	     */		bl,pn	%icc,.L77000289
-/* 0x0a90	     */		add	%o3,8,%o1
-/* 0x0a94	     */		add	%o2,4,%o0
-/* 0x0a98	     */		ld	[%o1-8],%g2
-/* 0x0a9c	   0 */		or	%g0,%o1,%o3
-/* 0x0aa0	 315 */		ld	[%o0-4],%g3
-/* 0x0aa4	   0 */		or	%g0,%o0,%o2
-/* 0x0aa8	 315 */		or	%g0,2,%g1
-/* 0x0aac	     */		ld	[%o3-4],%o0
-/* 0x0ab0	     */		sub	%g2,%g3,%g2
-/* 0x0ab4	     */		or	%g0,%g2,%o5
-/* 0x0ab8	     */		and	%g2,%o4,%g2
-/* 0x0abc	     */		st	%g2,[%o3-8]
-/* 0x0ac0	     */		srax	%o5,32,%o5
-                       .L900000638:
-/* 0x0ac4	     */		ld	[%o2],%g2
-/* 0x0ac8	     */		add	%g1,1,%g1
-/* 0x0acc	     */		add	%o2,4,%o2
-/* 0x0ad0	     */		cmp	%g1,%o7
-/* 0x0ad4	     */		add	%o3,4,%o3
-/* 0x0ad8	     */		sub	%o0,%g2,%o0
-/* 0x0adc	     */		add	%o0,%o5,%o5
-/* 0x0ae0	     */		and	%o5,%o4,%g2
-/* 0x0ae4	     */		ld	[%o3-4],%o0
-/* 0x0ae8	     */		st	%g2,[%o3-8]
-/* 0x0aec	     */		ble,pt	%icc,.L900000638
-/* 0x0af0	     */		srax	%o5,32,%o5
-                       .L900000641:
-/* 0x0af4	     */		ld	[%o2],%o1
-/* 0x0af8	     */		sub	%o0,%o1,%o0
-/* 0x0afc	     */		add	%o0,%o5,%o0
-/* 0x0b00	     */		and	%o0,%o4,%o1
-/* 0x0b04	     */		st	%o1,[%o3-4]
-/* 0x0b08	     */		ret	! Result = 
-/* 0x0b0c	     */		restore	%g0,%g0,%g0
-                       .L77000289:
-/* 0x0b10	     */		ld	[%o3],%o0
-                       .L900000647:
-/* 0x0b14	     */		ld	[%o2],%o1
-/* 0x0b18	     */		add	%o5,%o0,%o0
-/* 0x0b1c	     */		add	%g1,1,%g1
-/* 0x0b20	     */		add	%o2,4,%o2
-/* 0x0b24	     */		cmp	%g1,%o7
-/* 0x0b28	     */		sub	%o0,%o1,%o0
-/* 0x0b2c	     */		and	%o0,%o4,%o1
-/* 0x0b30	     */		st	%o1,[%o3]
-/* 0x0b34	     */		add	%o3,4,%o3
-/* 0x0b38	     */		srax	%o0,32,%o5
-/* 0x0b3c	     */		ble,a,pt	%icc,.L900000647
-/* 0x0b40	     */		ld	[%o3],%o0
-                       .L77000224:
-/* 0x0b44	     */		ret	! Result = 
-/* 0x0b48	     */		restore	%g0,%g0,%g0
-/* 0x0b4c	   0 */		.type	mont_mulf_noconv,2
-/* 0x0b4c	     */		.size	mont_mulf_noconv,(.-mont_mulf_noconv)
-
diff --git a/security/nss/lib/freebl/mpi/montmulfv9.il b/security/nss/lib/freebl/mpi/montmulfv9.il
deleted file mode 100644
index a37fdc768..000000000
--- a/security/nss/lib/freebl/mpi/montmulfv9.il
+++ /dev/null
@@ -1,126 +0,0 @@
-!  
-! ***** BEGIN LICENSE BLOCK *****
-! Version: MPL 1.1/GPL 2.0/LGPL 2.1
-!
-! The contents of this file are subject to the Mozilla Public License Version
-! 1.1 (the "License"); you may not use this file except in compliance with
-! the License. You may obtain a copy of the License at
-! http://www.mozilla.org/MPL/
-!
-! Software distributed under the License is distributed on an "AS IS" basis,
-! WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-! for the specific language governing rights and limitations under the
-! License.
-!
-! The Original Code is inline macros for SPARC Montgomery multiply functions.
-!
-! The Initial Developer of the Original Code is
-! Sun Microsystems Inc.
-! Portions created by the Initial Developer are Copyright (C) 1999-2000
-! the Initial Developer. All Rights Reserved.
-!
-! Contributor(s):
-!
-! Alternatively, the contents of this file may be used under the terms of
-! either the GNU General Public License Version 2 or later (the "GPL"), or
-! the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-! in which case the provisions of the GPL or the LGPL are applicable instead
-! of those above. If you wish to allow use of your version of this file only
-! under the terms of either the GPL or the LGPL, and not to allow others to
-! use your version of this file under the terms of the MPL, indicate your
-! decision by deleting the provisions above and replace them with the notice
-! and other provisions required by the GPL or the LGPL. If you do not delete
-! the provisions above, a recipient may use your version of this file under
-! the terms of any one of the MPL, the GPL or the LGPL.
-!
-! ***** END LICENSE BLOCK *****
-! $Id$
-
-!
-! double upper32(double /*frs1*/);
-!
-        .inline upper32,8
-	fdtox	%f0,%f10
-	fitod	%f10,%f0
-        .end
-
-!
-! double lower32(double /*frs1*/, double /* Zero */);
-!
-        .inline lower32,8
-	fdtox	%f0,%f10
-	fmovs	%f2,%f10
-	fxtod	%f10,%f0
-        .end
-
-!
-! double mod(double /*x*/, double /*1/m*/, double /*m*/);
-!
-        .inline mod,12
-	fmuld	%f0,%f2,%f2
-	fdtox	%f2,%f2
-	fxtod	%f2,%f2
-	fmuld	%f2,%f4,%f2
-	fsubd	%f0,%f2,%f0
-        .end
-
-
-!
-! void i16_to_d16_and_d32x4(double * /*1/(2^16)*/, double * /* 2^16*/,
-!			    double * /* 0 */,
-!			    double * /*result16*/, double * /* result32 */
-!			    float *  /*source - should be unsigned int*
-!		            	       converted to float* */);
-!
-        .inline i16_to_d16_and_d32x4,24
-        ldd     [%o0],%f2  ! 1/(2^16)
-        ldd     [%o1],%f4  ! 2^16
-	ldd	[%o2],%f22
-
-	fmovd	%f22,%f6
-	ld	[%o5],%f7
-	fmovd	%f22,%f10
-	ld	[%o5+4],%f11
-	fmovd	%f22,%f14
-	ld	[%o5+8],%f15
-	fmovd	%f22,%f18
-	ld	[%o5+12],%f19
-	fxtod	%f6,%f6
-	std	%f6,[%o4]
-	fxtod	%f10,%f10
-	std	%f10,[%o4+8]
-	fxtod	%f14,%f14
-	std	%f14,[%o4+16]
-	fxtod	%f18,%f18
-	std	%f18,[%o4+24]
-	fmuld	%f2,%f6,%f8
-	fmuld	%f2,%f10,%f12
-	fmuld	%f2,%f14,%f16
-	fmuld	%f2,%f18,%f20
-	fdtox	%f8,%f8
-	fdtox	%f12,%f12
-	fdtox	%f16,%f16
-	fdtox	%f20,%f20
-	fxtod	%f8,%f8
-	std	%f8,[%o3+8]
-	fxtod	%f12,%f12
-	std	%f12,[%o3+24]
-	fxtod	%f16,%f16
-	std	%f16,[%o3+40]
-	fxtod	%f20,%f20
-	std	%f20,[%o3+56]
-	fmuld	%f8,%f4,%f8
-	fmuld	%f12,%f4,%f12
-	fmuld	%f16,%f4,%f16
-	fmuld	%f20,%f4,%f20
-	fsubd	%f6,%f8,%f8
-	std	%f8,[%o3]
-	fsubd	%f10,%f12,%f12
-	std	%f12,[%o3+16]
-	fsubd	%f14,%f16,%f16
-	std	%f16,[%o3+32]
-	fsubd	%f18,%f20,%f20
-	std	%f20,[%o3+48]
-        .end
-
-
diff --git a/security/nss/lib/freebl/mpi/montmulfv9.s b/security/nss/lib/freebl/mpi/montmulfv9.s
deleted file mode 100644
index 30fc4f645..000000000
--- a/security/nss/lib/freebl/mpi/montmulfv9.s
+++ /dev/null
@@ -1,2377 +0,0 @@
-!  
-!  The contents of this file are subject to the Mozilla Public
-!  License Version 1.1 (the "License"); you may not use this file
-!  except in compliance with the License. You may obtain a copy of
-!  the License at http://www.mozilla.org/MPL/
-!  
-!  Software distributed under the License is distributed on an "AS
-!  IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-!  implied. See the License for the specific language governing
-!  rights and limitations under the License.
-!  
-!  The Original Code is SPARC hand-optimized Montgomery multiply functions.
-!   
-!  The Initial Developer of the Original Code is Sun Microsystems Inc.
-!  Portions created by Sun Microsystems Inc. are 
-!  Copyright (C) 1999-2000 Sun Microsystems Inc.  All Rights Reserved.
-!  
-!  Contributor(s):
-!  
-!  Alternatively, the contents of this file may be used under the
-!  terms of the GNU General Public License Version 2 or later (the
-!  "GPL"), in which case the provisions of the GPL are applicable 
-!  instead of those above.	If you wish to allow use of your 
-!  version of this file only under the terms of the GPL and not to
-!  allow others to use your version of this file under the MPL,
-!  indicate your decision by deleting the provisions above and
-!  replace them with the notice and other provisions required by
-!  the GPL.  If you do not delete the provisions above, a recipient
-!  may use your version of this file under either the MPL or the
-!  GPL.
-!  
-!   $Id$
-!  
-
-	.section	".text",#alloc,#execinstr
-	.file	"montmulf.c"
-
-	.section	".rodata",#alloc
-	.global	TwoTo16
-	.align	8
-!
-! CONSTANT POOL
-!
-	.global TwoTo16
-TwoTo16:
-	.word	1089470464
-	.word	0
-	.type	TwoTo16,#object
-	.size	TwoTo16,8
-	.global	TwoToMinus16
-!
-! CONSTANT POOL
-!
-	.global TwoToMinus16
-TwoToMinus16:
-	.word	1055916032
-	.word	0
-	.type	TwoToMinus16,#object
-	.size	TwoToMinus16,8
-	.global	Zero
-!
-! CONSTANT POOL
-!
-	.global Zero
-Zero:
-	.word	0
-	.word	0
-	.type	Zero,#object
-	.size	Zero,8
-	.global	TwoTo32
-!
-! CONSTANT POOL
-!
-	.global TwoTo32
-TwoTo32:
-	.word	1106247680
-	.word	0
-	.type	TwoTo32,#object
-	.size	TwoTo32,8
-	.global	TwoToMinus32
-!
-! CONSTANT POOL
-!
-	.global TwoToMinus32
-TwoToMinus32:
-	.word	1039138816
-	.word	0
-	.type	TwoToMinus32,#object
-	.size	TwoToMinus32,8
-
-	.section	".text",#alloc,#execinstr
-/* 000000	   0 */		.register	%g3,#scratch
-/* 000000	     */		.register	%g2,#scratch
-/* 000000	   0 */		.align	8
-!
-! SUBROUTINE conv_d16_to_i32
-!
-! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
-
-                       	.global conv_d16_to_i32
-                       conv_d16_to_i32:
-/* 000000	     */		save	%sp,-208,%sp
-! FILE montmulf.c
-
-!    1		      !/*
-!    2		      ! * The contents of this file are subject to the Mozilla Public
-!    3		      ! * License Version 1.1 (the "License"); you may not use this file
-!    4		      ! * except in compliance with the License. You may obtain a copy of
-!    5		      ! * the License at http://www.mozilla.org/MPL/
-!    6		      ! * 
-!    7		      ! * Software distributed under the License is distributed on an "AS
-!    8		      ! * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-!    9		      ! * implied. See the License for the specific language governing
-!   10		      ! * rights and limitations under the License.
-!   11		      ! * 
-!   12		      ! * The Original Code is SPARC optimized Montgomery multiply functions.
-!   13		      ! *
-!   14		      ! * The Initial Developer of the Original Code is Sun Microsystems Inc.
-!   15		      ! * Portions created by Sun Microsystems Inc. are 
-!   16		      ! * Copyright (C) 1999-2000 Sun Microsystems Inc.  All Rights Reserved.
-!   17		      ! * 
-!   18		      ! * Contributor(s):
-!   19		      ! *	Netscape Communications Corporation
-!   20		      ! * 
-!   21		      ! * Alternatively, the contents of this file may be used under the
-!   22		      ! * terms of the GNU General Public License Version 2 or later (the
-!   23		      ! * "GPL"), in which case the provisions of the GPL are applicable 
-!   24		      ! * instead of those above.	If you wish to allow use of your 
-!   25		      ! * version of this file only under the terms of the GPL and not to
-!   26		      ! * allow others to use your version of this file under the MPL,
-!   27		      ! * indicate your decision by deleting the provisions above and
-!   28		      ! * replace them with the notice and other provisions required by
-!   29		      ! * the GPL.  If you do not delete the provisions above, a recipient
-!   30		      ! * may use your version of this file under either the MPL or the
-!   31		      ! * GPL.
-!   32		      ! *
-!   33		      ! *  $Id$
-!   34		      ! */
-!   36		      !#define RF_INLINE_MACROS
-!   38		      !static const double TwoTo16=65536.0;
-!   39		      !static const double TwoToMinus16=1.0/65536.0;
-!   40		      !static const double Zero=0.0;
-!   41		      !static const double TwoTo32=65536.0*65536.0;
-!   42		      !static const double TwoToMinus32=1.0/(65536.0*65536.0);
-!   44		      !#ifdef RF_INLINE_MACROS
-!   46		      !double upper32(double);
-!   47		      !double lower32(double, double);
-!   48		      !double mod(double, double, double);
-!   50		      !void i16_to_d16_and_d32x4(const double * /*1/(2^16)*/, 
-!   51		      !			  const double * /* 2^16*/,
-!   52		      !			  const double * /* 0 */,
-!   53		      !			  double *       /*result16*/, 
-!   54		      !			  double *       /* result32 */,
-!   55		      !			  float *  /*source - should be unsigned int*
-!   56		      !		          	       converted to float* */);
-!   58		      !#else
-!   60		      !static double upper32(double x)
-!   61		      !{
-!   62		      !  return floor(x*TwoToMinus32);
-!   63		      !}
-!   65		      !static double lower32(double x, double y)
-!   66		      !{
-!   67		      !  return x-TwoTo32*floor(x*TwoToMinus32);
-!   68		      !}
-!   70		      !static double mod(double x, double oneoverm, double m)
-!   71		      !{
-!   72		      !  return x-m*floor(x*oneoverm);
-!   73		      !}
-!   75		      !#endif
-!   78		      !static void cleanup(double *dt, int from, int tlen)
-!   79		      !{
-!   80		      ! int i;
-!   81		      ! double tmp,tmp1,x,x1;
-!   83		      ! tmp=tmp1=Zero;
-!   84		      ! /* original code **
-!   85		      ! for(i=2*from;i<2*tlen-2;i++)
-!   86		      !   {
-!   87		      !     x=dt[i];
-!   88		      !     dt[i]=lower32(x,Zero)+tmp1;
-!   89		      !     tmp1=tmp;
-!   90		      !     tmp=upper32(x);
-!   91		      !   }
-!   92		      ! dt[tlen-2]+=tmp1;
-!   93		      ! dt[tlen-1]+=tmp;
-!   94		      ! **end original code ***/
-!   95		      ! /* new code ***/
-!   96		      ! for(i=2*from;i<2*tlen;i+=2)
-!   97		      !   {
-!   98		      !     x=dt[i];
-!   99		      !     x1=dt[i+1];
-!  100		      !     dt[i]=lower32(x,Zero)+tmp;
-!  101		      !     dt[i+1]=lower32(x1,Zero)+tmp1;
-!  102		      !     tmp=upper32(x);
-!  103		      !     tmp1=upper32(x1);
-!  104		      !   }
-!  105		      !  /** end new code **/
-!  106		      !}
-!  109		      !void conv_d16_to_i32(unsigned int *i32, double *d16, long long *tmp, int ilen)
-!  110		      !{
-!  111		      !int i;
-!  112		      !long long t, t1, a, b, c, d;
-!  114		      ! t1=0;
-!  115		      ! a=(long long)d16[0];
-
-/* 0x0004	 115 */		ldd	[%i1],%f2
-
-!  116		      ! b=(long long)d16[1];
-!  117		      ! for(i=0; i<ilen-1; i++)
-
-/* 0x0008	 117 */		sub	%i3,1,%o1
-/* 0x000c	 110 */		or	%g0,%i0,%g1
-/* 0x0010	 116 */		ldd	[%i1+8],%f4
-/* 0x0014	 117 */		cmp	%o1,0
-/* 0x0018	 114 */		or	%g0,0,%g5
-/* 0x001c	 115 */		fdtox	%f2,%f2
-/* 0x0020	     */		std	%f2,[%sp+2247]
-/* 0x0024	 117 */		or	%g0,0,%o0
-/* 0x0028	 116 */		fdtox	%f4,%f2
-/* 0x002c	     */		std	%f2,[%sp+2239]
-/* 0x0030	 110 */		sub	%o1,1,%o7
-/* 0x0034	     */		or	%g0,%i1,%o4
-/* 0x0038	     */		sethi	%hi(0xfc00),%o3
-/* 0x003c	     */		or	%g0,-1,%o1
-/* 0x0040	     */		or	%g0,2,%i1
-/* 0x0044	     */		srl	%o1,0,%g3
-/* 0x0048	     */		or	%g0,%o4,%g4
-/* 0x004c	 116 */		ldx	[%sp+2239],%i2
-/* 0x0050	     */		add	%o3,1023,%o5
-/* 0x0054	 117 */		sub	%o7,1,%o2
-/* 0x0058	 115 */		ldx	[%sp+2247],%i3
-/* 0x005c	 117 */		ble,pt	%icc,.L900000113
-/* 0x0060	     */		sethi	%hi(0xfc00),%g2
-/* 0x0064	     */		add	%o7,1,%g2
-
-!  118		      !   {
-!  119		      !     c=(long long)d16[2*i+2];
-!  120		      !     t1+=a&0xffffffff;
-!  121		      !     t=(a>>32);
-!  122		      !     d=(long long)d16[2*i+3];
-!  123		      !     t1+=(b&0xffff)<<16;
-
-/* 0x0068	 123 */		and	%i2,%o5,%i4
-/* 0x006c	     */		sllx	%i4,16,%o1
-/* 0x0070	 117 */		cmp	%g2,6
-/* 0x0074	     */		bl,pn	%icc,.L77000134
-/* 0x0078	     */		or	%g0,3,%i0
-/* 0x007c	 119 */		ldd	[%o4+16],%f0
-/* 0x0080	 120 */		and	%i3,%g3,%o3
-
-!  124		      !     t+=(b>>16)+(t1>>32);
-
-/* 0x0084	 124 */		srax	%i2,16,%i5
-/* 0x0088	 117 */		add	%o3,%o1,%i4
-/* 0x008c	 121 */		srax	%i3,32,%i3
-/* 0x0090	 119 */		fdtox	%f0,%f0
-/* 0x0094	     */		std	%f0,[%sp+2231]
-
-!  125		      !     i32[i]=t1&0xffffffff;
-
-/* 0x0098	 125 */		and	%i4,%g3,%l0
-/* 0x009c	 117 */		or	%g0,72,%o3
-/* 0x00a0	 122 */		ldd	[%g4+24],%f0
-/* 0x00a4	 117 */		or	%g0,64,%o4
-/* 0x00a8	     */		or	%g0,4,%o1
-
-!  126		      !     t1=t;
-!  127		      !     a=c;
-!  128		      !     b=d;
-
-/* 0x00ac	 128 */		or	%g0,5,%i0
-/* 0x00b0	     */		or	%g0,4,%i1
-/* 0x00b4	 119 */		ldx	[%sp+2231],%g2
-/* 0x00b8	 122 */		fdtox	%f0,%f0
-/* 0x00bc	 128 */		or	%g0,4,%o0
-/* 0x00c0	 122 */		std	%f0,[%sp+2223]
-/* 0x00c4	     */		ldd	[%g4+40],%f2
-/* 0x00c8	 120 */		and	%g2,%g3,%i2
-/* 0x00cc	 119 */		ldd	[%g4+32],%f0
-/* 0x00d0	 121 */		srax	%g2,32,%g2
-/* 0x00d4	 122 */		ldd	[%g4+56],%f4
-/* 0x00d8	     */		fdtox	%f2,%f2
-/* 0x00dc	     */		ldx	[%sp+2223],%g5
-/* 0x00e0	 119 */		fdtox	%f0,%f0
-/* 0x00e4	 125 */		st	%l0,[%g1]
-/* 0x00e8	 124 */		srax	%i4,32,%l0
-/* 0x00ec	 122 */		fdtox	%f4,%f4
-/* 0x00f0	     */		std	%f2,[%sp+2223]
-/* 0x00f4	 123 */		and	%g5,%o5,%i4
-/* 0x00f8	 124 */		add	%i5,%l0,%i5
-/* 0x00fc	 119 */		std	%f0,[%sp+2231]
-/* 0x0100	 123 */		sllx	%i4,16,%i4
-/* 0x0104	 124 */		add	%i3,%i5,%i3
-/* 0x0108	 119 */		ldd	[%g4+48],%f2
-/* 0x010c	 124 */		srax	%g5,16,%g5
-/* 0x0110	 117 */		add	%i2,%i4,%i2
-/* 0x0114	 122 */		ldd	[%g4+72],%f0
-/* 0x0118	 117 */		add	%i2,%i3,%i4
-/* 0x011c	 124 */		srax	%i4,32,%i5
-/* 0x0120	 119 */		fdtox	%f2,%f2
-/* 0x0124	 125 */		and	%i4,%g3,%i4
-/* 0x0128	 122 */		ldx	[%sp+2223],%i2
-/* 0x012c	 124 */		add	%g5,%i5,%g5
-/* 0x0130	 119 */		ldx	[%sp+2231],%i3
-/* 0x0134	 124 */		add	%g2,%g5,%g5
-/* 0x0138	 119 */		std	%f2,[%sp+2231]
-/* 0x013c	 122 */		std	%f4,[%sp+2223]
-/* 0x0140	 119 */		ldd	[%g4+64],%f2
-/* 0x0144	 125 */		st	%i4,[%g1+4]
-                       .L900000108:
-/* 0x0148	 122 */		ldx	[%sp+2223],%i4
-/* 0x014c	 128 */		add	%o0,2,%o0
-/* 0x0150	     */		add	%i0,4,%i0
-/* 0x0154	 119 */		ldx	[%sp+2231],%l0
-/* 0x0158	 117 */		add	%o3,16,%o3
-/* 0x015c	 123 */		and	%i2,%o5,%g2
-/* 0x0160	     */		sllx	%g2,16,%i5
-/* 0x0164	 120 */		and	%i3,%g3,%g2
-/* 0x0168	 122 */		ldd	[%g4+%o3],%f4
-/* 0x016c	     */		fdtox	%f0,%f0
-/* 0x0170	     */		std	%f0,[%sp+2223]
-/* 0x0174	 124 */		srax	%i2,16,%i2
-/* 0x0178	 117 */		add	%g2,%i5,%g2
-/* 0x017c	 119 */		fdtox	%f2,%f0
-/* 0x0180	 117 */		add	%o4,16,%o4
-/* 0x0184	 119 */		std	%f0,[%sp+2231]
-/* 0x0188	 117 */		add	%g2,%g5,%g2
-/* 0x018c	 119 */		ldd	[%g4+%o4],%f2
-/* 0x0190	 124 */		srax	%g2,32,%i5
-/* 0x0194	 128 */		cmp	%o0,%o2
-/* 0x0198	 121 */		srax	%i3,32,%g5
-/* 0x019c	 124 */		add	%i2,%i5,%i2
-/* 0x01a0	     */		add	%g5,%i2,%i5
-/* 0x01a4	 117 */		add	%o1,4,%o1
-/* 0x01a8	 125 */		and	%g2,%g3,%g2
-/* 0x01ac	 127 */		or	%g0,%l0,%g5
-/* 0x01b0	 125 */		st	%g2,[%g1+%o1]
-/* 0x01b4	 128 */		add	%i1,4,%i1
-/* 0x01b8	 122 */		ldx	[%sp+2223],%i2
-/* 0x01bc	 119 */		ldx	[%sp+2231],%i3
-/* 0x01c0	 117 */		add	%o3,16,%o3
-/* 0x01c4	 123 */		and	%i4,%o5,%g2
-/* 0x01c8	     */		sllx	%g2,16,%l0
-/* 0x01cc	 120 */		and	%g5,%g3,%g2
-/* 0x01d0	 122 */		ldd	[%g4+%o3],%f0
-/* 0x01d4	     */		fdtox	%f4,%f4
-/* 0x01d8	     */		std	%f4,[%sp+2223]
-/* 0x01dc	 124 */		srax	%i4,16,%i4
-/* 0x01e0	 117 */		add	%g2,%l0,%g2
-/* 0x01e4	 119 */		fdtox	%f2,%f2
-/* 0x01e8	 117 */		add	%o4,16,%o4
-/* 0x01ec	 119 */		std	%f2,[%sp+2231]
-/* 0x01f0	 117 */		add	%g2,%i5,%g2
-/* 0x01f4	 119 */		ldd	[%g4+%o4],%f2
-/* 0x01f8	 124 */		srax	%g2,32,%i5
-/* 0x01fc	 121 */		srax	%g5,32,%g5
-/* 0x0200	 124 */		add	%i4,%i5,%i4
-/* 0x0204	     */		add	%g5,%i4,%g5
-/* 0x0208	 117 */		add	%o1,4,%o1
-/* 0x020c	 125 */		and	%g2,%g3,%g2
-/* 0x0210	 128 */		ble,pt	%icc,.L900000108
-/* 0x0214	     */		st	%g2,[%g1+%o1]
-                       .L900000111:
-/* 0x0218	 122 */		ldx	[%sp+2223],%o2
-/* 0x021c	 123 */		and	%i2,%o5,%i4
-/* 0x0220	 120 */		and	%i3,%g3,%g2
-/* 0x0224	 123 */		sllx	%i4,16,%i4
-/* 0x0228	 119 */		ldx	[%sp+2231],%i5
-/* 0x022c	 128 */		cmp	%o0,%o7
-/* 0x0230	 124 */		srax	%i2,16,%i2
-/* 0x0234	 117 */		add	%g2,%i4,%g2
-/* 0x0238	 122 */		fdtox	%f0,%f4
-/* 0x023c	     */		std	%f4,[%sp+2223]
-/* 0x0240	 117 */		add	%g2,%g5,%g5
-/* 0x0244	 123 */		and	%o2,%o5,%l0
-/* 0x0248	 124 */		srax	%g5,32,%l1
-/* 0x024c	 120 */		and	%i5,%g3,%i4
-/* 0x0250	 119 */		fdtox	%f2,%f0
-/* 0x0254	 121 */		srax	%i3,32,%g2
-/* 0x0258	 119 */		std	%f0,[%sp+2231]
-/* 0x025c	 124 */		add	%i2,%l1,%i2
-/* 0x0260	 123 */		sllx	%l0,16,%i3
-/* 0x0264	 124 */		add	%g2,%i2,%i2
-/* 0x0268	     */		srax	%o2,16,%o2
-/* 0x026c	 117 */		add	%o1,4,%g2
-/* 0x0270	     */		add	%i4,%i3,%o1
-/* 0x0274	 125 */		and	%g5,%g3,%g5
-/* 0x0278	     */		st	%g5,[%g1+%g2]
-/* 0x027c	 119 */		ldx	[%sp+2231],%i3
-/* 0x0280	 117 */		add	%o1,%i2,%o1
-/* 0x0284	     */		add	%g2,4,%g2
-/* 0x0288	 124 */		srax	%o1,32,%i4
-/* 0x028c	 122 */		ldx	[%sp+2223],%i2
-/* 0x0290	 125 */		and	%o1,%g3,%g5
-/* 0x0294	 121 */		srax	%i5,32,%o1
-/* 0x0298	 124 */		add	%o2,%i4,%o2
-/* 0x029c	 125 */		st	%g5,[%g1+%g2]
-/* 0x02a0	 128 */		bg,pn	%icc,.L77000127
-/* 0x02a4	     */		add	%o1,%o2,%g5
-/* 0x02a8	     */		add	%i0,6,%i0
-/* 0x02ac	     */		add	%i1,6,%i1
-                       .L77000134:
-/* 0x02b0	 119 */		sra	%i1,0,%o2
-                       .L900000112:
-/* 0x02b4	 119 */		sllx	%o2,3,%o3
-/* 0x02b8	 120 */		and	%i3,%g3,%o1
-/* 0x02bc	 119 */		ldd	[%g4+%o3],%f0
-/* 0x02c0	 122 */		sra	%i0,0,%o3
-/* 0x02c4	 123 */		and	%i2,%o5,%o2
-/* 0x02c8	 122 */		sllx	%o3,3,%o3
-/* 0x02cc	 120 */		add	%g5,%o1,%o1
-/* 0x02d0	 119 */		fdtox	%f0,%f0
-/* 0x02d4	     */		std	%f0,[%sp+2231]
-/* 0x02d8	 123 */		sllx	%o2,16,%o2
-/* 0x02dc	     */		add	%o1,%o2,%o2
-/* 0x02e0	 128 */		add	%i1,2,%i1
-/* 0x02e4	 122 */		ldd	[%g4+%o3],%f0
-/* 0x02e8	 124 */		srax	%o2,32,%g2
-/* 0x02ec	 125 */		and	%o2,%g3,%o3
-/* 0x02f0	 124 */		srax	%i2,16,%o1
-/* 0x02f4	 128 */		add	%i0,2,%i0
-/* 0x02f8	 122 */		fdtox	%f0,%f0
-/* 0x02fc	     */		std	%f0,[%sp+2223]
-/* 0x0300	 125 */		sra	%o0,0,%o2
-/* 0x0304	     */		sllx	%o2,2,%o2
-/* 0x0308	 124 */		add	%o1,%g2,%g5
-/* 0x030c	 121 */		srax	%i3,32,%g2
-/* 0x0310	 128 */		add	%o0,1,%o0
-/* 0x0314	 124 */		add	%g2,%g5,%g5
-/* 0x0318	 128 */		cmp	%o0,%o7
-/* 0x031c	 119 */		ldx	[%sp+2231],%o4
-/* 0x0320	 122 */		ldx	[%sp+2223],%i2
-/* 0x0324	 125 */		st	%o3,[%g1+%o2]
-/* 0x0328	 127 */		or	%g0,%o4,%i3
-/* 0x032c	 128 */		ble,pt	%icc,.L900000112
-/* 0x0330	     */		sra	%i1,0,%o2
-                       .L77000127:
-
-!  129		      !   }
-!  130		      !     t1+=a&0xffffffff;
-!  131		      !     t=(a>>32);
-!  132		      !     t1+=(b&0xffff)<<16;
-!  133		      !     i32[i]=t1&0xffffffff;
-
-/* 0x0334	 133 */		sethi	%hi(0xfc00),%g2
-                       .L900000113:
-/* 0x0338	 133 */		or	%g0,-1,%g3
-/* 0x033c	     */		add	%g2,1023,%g2
-/* 0x0340	     */		srl	%g3,0,%g3
-/* 0x0344	     */		and	%i2,%g2,%g2
-/* 0x0348	     */		and	%i3,%g3,%g4
-/* 0x034c	     */		sllx	%g2,16,%g2
-/* 0x0350	     */		add	%g5,%g4,%g4
-/* 0x0354	     */		sra	%o0,0,%g5
-/* 0x0358	     */		add	%g4,%g2,%g4
-/* 0x035c	     */		sllx	%g5,2,%g2
-/* 0x0360	     */		and	%g4,%g3,%g3
-/* 0x0364	     */		st	%g3,[%g1+%g2]
-/* 0x0368	     */		ret	! Result = 
-/* 0x036c	     */		restore	%g0,%g0,%g0
-/* 0x0370	   0 */		.type	conv_d16_to_i32,2
-/* 0x0370	     */		.size	conv_d16_to_i32,(.-conv_d16_to_i32)
-
-	.section	".text",#alloc,#execinstr
-/* 000000	   0 */		.align	8
-!
-! CONSTANT POOL
-!
-                       .L_const_seg_900000201:
-/* 000000	   0 */		.word	1127219200,0
-/* 0x0008	   0 */		.align	8
-/* 0x0008	     */		.skip	24
-!
-! SUBROUTINE conv_i32_to_d32
-!
-! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
-
-                       	.global conv_i32_to_d32
-                       conv_i32_to_d32:
-/* 000000	     */		or	%g0,%o7,%g3
-
-!  135		      !}
-!  137		      !void conv_i32_to_d32(double *d32, unsigned int *i32, int len)
-!  138		      !{
-!  139		      !int i;
-!  141		      !#pragma pipeloop(0)
-!  142		      ! for(i=0;i<len;i++) d32[i]=(double)(i32[i]);
-
-/* 0x0004	 142 */		cmp	%o2,0
-                       .L900000210:
-/* 0x0008	     */		call	.+8
-/* 0x000c	     */		sethi	/*X*/%hi(_GLOBAL_OFFSET_TABLE_-(.L900000210-.)),%g4
-/* 0x0010	 142 */		or	%g0,0,%o3
-/* 0x0014	 138 */		add	%g4,/*X*/%lo(_GLOBAL_OFFSET_TABLE_-(.L900000210-.)),%g4
-/* 0x0018	 142 */		sub	%o2,1,%o4
-/* 0x001c	 138 */		add	%g4,%o7,%g1
-/* 0x0020	 142 */		ble,pt	%icc,.L77000140
-/* 0x0024	     */		or	%g0,%g3,%o7
-/* 0x0028	     */		sethi	%hi(.L_const_seg_900000201),%g3
-/* 0x002c	     */		cmp	%o2,12
-/* 0x0030	     */		add	%g3,%lo(.L_const_seg_900000201),%g2
-/* 0x0034	     */		or	%g0,%o1,%g5
-/* 0x0038	     */		ldx	[%g1+%g2],%g4
-/* 0x003c	     */		or	%g0,0,%g1
-/* 0x0040	     */		or	%g0,24,%g2
-/* 0x0044	     */		bl,pn	%icc,.L77000144
-/* 0x0048	     */		or	%g0,0,%g3
-/* 0x004c	     */		ld	[%o1],%f13
-/* 0x0050	     */		or	%g0,7,%o3
-/* 0x0054	     */		ldd	[%g4],%f8
-/* 0x0058	     */		sub	%o2,5,%g3
-/* 0x005c	     */		or	%g0,8,%g1
-/* 0x0060	     */		ld	[%o1+4],%f11
-/* 0x0064	     */		ld	[%o1+8],%f7
-/* 0x0068	     */		fmovs	%f8,%f12
-/* 0x006c	     */		ld	[%o1+12],%f5
-/* 0x0070	     */		fmovs	%f8,%f10
-/* 0x0074	     */		ld	[%o1+16],%f3
-/* 0x0078	     */		fmovs	%f8,%f6
-/* 0x007c	     */		ld	[%o1+20],%f1
-/* 0x0080	     */		fsubd	%f12,%f8,%f12
-/* 0x0084	     */		std	%f12,[%o0]
-/* 0x0088	     */		fsubd	%f10,%f8,%f10
-/* 0x008c	     */		std	%f10,[%o0+8]
-                       .L900000205:
-/* 0x0090	     */		ld	[%o1+%g2],%f11
-/* 0x0094	     */		add	%g1,8,%g1
-/* 0x0098	     */		add	%o3,5,%o3
-/* 0x009c	     */		fsubd	%f6,%f8,%f6
-/* 0x00a0	     */		add	%g2,4,%g2
-/* 0x00a4	     */		std	%f6,[%o0+%g1]
-/* 0x00a8	     */		cmp	%o3,%g3
-/* 0x00ac	     */		fmovs	%f8,%f4
-/* 0x00b0	     */		ld	[%o1+%g2],%f7
-/* 0x00b4	     */		fsubd	%f4,%f8,%f12
-/* 0x00b8	     */		add	%g1,8,%g1
-/* 0x00bc	     */		add	%g2,4,%g2
-/* 0x00c0	     */		fmovs	%f8,%f2
-/* 0x00c4	     */		std	%f12,[%o0+%g1]
-/* 0x00c8	     */		ld	[%o1+%g2],%f5
-/* 0x00cc	     */		fsubd	%f2,%f8,%f12
-/* 0x00d0	     */		add	%g1,8,%g1
-/* 0x00d4	     */		add	%g2,4,%g2
-/* 0x00d8	     */		fmovs	%f8,%f0
-/* 0x00dc	     */		std	%f12,[%o0+%g1]
-/* 0x00e0	     */		ld	[%o1+%g2],%f3
-/* 0x00e4	     */		fsubd	%f0,%f8,%f12
-/* 0x00e8	     */		add	%g1,8,%g1
-/* 0x00ec	     */		add	%g2,4,%g2
-/* 0x00f0	     */		fmovs	%f8,%f10
-/* 0x00f4	     */		std	%f12,[%o0+%g1]
-/* 0x00f8	     */		ld	[%o1+%g2],%f1
-/* 0x00fc	     */		fsubd	%f10,%f8,%f10
-/* 0x0100	     */		add	%g1,8,%g1
-/* 0x0104	     */		add	%g2,4,%g2
-/* 0x0108	     */		std	%f10,[%o0+%g1]
-/* 0x010c	     */		ble,pt	%icc,.L900000205
-/* 0x0110	     */		fmovs	%f8,%f6
-                       .L900000208:
-/* 0x0114	     */		fmovs	%f8,%f4
-/* 0x0118	     */		ld	[%o1+%g2],%f11
-/* 0x011c	     */		add	%g1,8,%g3
-/* 0x0120	     */		fmovs	%f8,%f2
-/* 0x0124	     */		add	%g1,16,%g1
-/* 0x0128	     */		cmp	%o3,%o4
-/* 0x012c	     */		fmovs	%f8,%f0
-/* 0x0130	     */		add	%g1,8,%o1
-/* 0x0134	     */		add	%g1,16,%o2
-/* 0x0138	     */		fmovs	%f8,%f10
-/* 0x013c	     */		add	%g1,24,%g2
-/* 0x0140	     */		fsubd	%f6,%f8,%f6
-/* 0x0144	     */		std	%f6,[%o0+%g3]
-/* 0x0148	     */		fsubd	%f4,%f8,%f4
-/* 0x014c	     */		std	%f4,[%o0+%g1]
-/* 0x0150	     */		sra	%o3,0,%g1
-/* 0x0154	     */		fsubd	%f2,%f8,%f2
-/* 0x0158	     */		std	%f2,[%o0+%o1]
-/* 0x015c	     */		sllx	%g1,2,%g3
-/* 0x0160	     */		fsubd	%f0,%f8,%f0
-/* 0x0164	     */		std	%f0,[%o0+%o2]
-/* 0x0168	     */		fsubd	%f10,%f8,%f0
-/* 0x016c	     */		bg,pn	%icc,.L77000140
-/* 0x0170	     */		std	%f0,[%o0+%g2]
-                       .L77000144:
-/* 0x0174	     */		ldd	[%g4],%f8
-                       .L900000211:
-/* 0x0178	     */		ld	[%g5+%g3],%f13
-/* 0x017c	     */		sllx	%g1,3,%g2
-/* 0x0180	     */		add	%o3,1,%o3
-/* 0x0184	     */		sra	%o3,0,%g1
-/* 0x0188	     */		cmp	%o3,%o4
-/* 0x018c	     */		fmovs	%f8,%f12
-/* 0x0190	     */		sllx	%g1,2,%g3
-/* 0x0194	     */		fsubd	%f12,%f8,%f0
-/* 0x0198	     */		std	%f0,[%o0+%g2]
-/* 0x019c	     */		ble,a,pt	%icc,.L900000211
-/* 0x01a0	     */		ldd	[%g4],%f8
-                       .L77000140:
-/* 0x01a4	     */		retl	! Result = 
-/* 0x01a8	     */		nop
-/* 0x01ac	   0 */		.type	conv_i32_to_d32,2
-/* 0x01ac	     */		.size	conv_i32_to_d32,(.-conv_i32_to_d32)
-
-	.section	".text",#alloc,#execinstr
-/* 000000	   0 */		.align	8
-!
-! CONSTANT POOL
-!
-                       .L_const_seg_900000301:
-/* 000000	   0 */		.word	1127219200,0
-/* 0x0008	   0 */		.align	8
-/* 0x0008	     */		.skip	24
-!
-! SUBROUTINE conv_i32_to_d16
-!
-! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
-
-                       	.global conv_i32_to_d16
-                       conv_i32_to_d16:
-/* 000000	     */		save	%sp,-192,%sp
-                       .L900000310:
-/* 0x0004	     */		call	.+8
-/* 0x0008	     */		sethi	/*X*/%hi(_GLOBAL_OFFSET_TABLE_-(.L900000310-.)),%g3
-
-!  143		      !}
-!  146		      !void conv_i32_to_d16(double *d16, unsigned int *i32, int len)
-!  147		      !{
-!  148		      !int i;
-!  149		      !unsigned int a;
-!  151		      !#pragma pipeloop(0)
-!  152		      ! for(i=0;i<len;i++)
-
-/* 0x000c	 152 */		cmp	%i2,0
-/* 0x0010	 147 */		add	%g3,/*X*/%lo(_GLOBAL_OFFSET_TABLE_-(.L900000310-.)),%g3
-/* 0x0014	 152 */		ble,pt	%icc,.L77000150
-/* 0x0018	     */		add	%g3,%o7,%o0
-
-!  153		      !   {
-!  154		      !     a=i32[i];
-!  155		      !     d16[2*i]=(double)(a&0xffff);
-!  156		      !     d16[2*i+1]=(double)(a>>16);
-
-/* 0x001c	 156 */		sethi	%hi(.L_const_seg_900000301),%g2
-/* 0x0020	 147 */		or	%g0,%i2,%o1
-/* 0x0024	 152 */		sethi	%hi(0xfc00),%g3
-/* 0x0028	 156 */		add	%g2,%lo(.L_const_seg_900000301),%g2
-/* 0x002c	 152 */		or	%g0,%o1,%g4
-/* 0x0030	 156 */		ldx	[%o0+%g2],%o5
-/* 0x0034	 152 */		add	%g3,1023,%g1
-/* 0x0038	 147 */		or	%g0,%i1,%o7
-/* 0x003c	 152 */		or	%g0,0,%i2
-/* 0x0040	     */		sub	%o1,1,%g5
-/* 0x0044	     */		or	%g0,0,%g3
-/* 0x0048	     */		or	%g0,1,%g2
-/* 0x004c	 154 */		or	%g0,0,%o2
-/* 0x0050	     */		cmp	%g4,6
-/* 0x0054	 152 */		bl,pn	%icc,.L77000154
-/* 0x0058	     */		ldd	[%o5],%f0
-/* 0x005c	     */		sub	%o1,2,%o3
-/* 0x0060	     */		or	%g0,16,%o2
-/* 0x0064	 154 */		ld	[%i1],%o4
-/* 0x0068	 156 */		or	%g0,3,%g2
-/* 0x006c	     */		or	%g0,2,%g3
-/* 0x0070	 155 */		fmovs	%f0,%f2
-/* 0x0074	 156 */		or	%g0,4,%i2
-/* 0x0078	 155 */		and	%o4,%g1,%o0
-/* 0x007c	     */		st	%o0,[%sp+2227]
-/* 0x0080	     */		fmovs	%f0,%f4
-/* 0x0084	 156 */		srl	%o4,16,%i4
-/* 0x0088	 152 */		or	%g0,12,%o4
-/* 0x008c	     */		or	%g0,24,%o0
-/* 0x0090	 155 */		ld	[%sp+2227],%f3
-/* 0x0094	     */		fsubd	%f2,%f0,%f2
-/* 0x0098	     */		std	%f2,[%i0]
-/* 0x009c	 156 */		st	%i4,[%sp+2223]
-/* 0x00a0	 154 */		ld	[%o7+4],%o1
-/* 0x00a4	 156 */		fmovs	%f0,%f2
-/* 0x00a8	 155 */		and	%o1,%g1,%i1
-/* 0x00ac	 156 */		ld	[%sp+2223],%f3
-/* 0x00b0	     */		srl	%o1,16,%o1
-/* 0x00b4	     */		fsubd	%f2,%f0,%f2
-/* 0x00b8	     */		std	%f2,[%i0+8]
-/* 0x00bc	     */		st	%o1,[%sp+2223]
-/* 0x00c0	 155 */		st	%i1,[%sp+2227]
-/* 0x00c4	 154 */		ld	[%o7+8],%o1
-/* 0x00c8	 156 */		fmovs	%f0,%f2
-/* 0x00cc	 155 */		and	%o1,%g1,%g4
-/* 0x00d0	     */		ld	[%sp+2227],%f5
-/* 0x00d4	 156 */		srl	%o1,16,%o1
-/* 0x00d8	     */		ld	[%sp+2223],%f3
-/* 0x00dc	     */		st	%o1,[%sp+2223]
-/* 0x00e0	 155 */		fsubd	%f4,%f0,%f4
-/* 0x00e4	     */		st	%g4,[%sp+2227]
-/* 0x00e8	 156 */		fsubd	%f2,%f0,%f2
-/* 0x00ec	 154 */		ld	[%o7+12],%o1
-/* 0x00f0	 155 */		std	%f4,[%i0+16]
-/* 0x00f4	 156 */		std	%f2,[%i0+24]
-                       .L900000306:
-/* 0x00f8	 155 */		ld	[%sp+2227],%f5
-/* 0x00fc	 156 */		add	%i2,2,%i2
-/* 0x0100	     */		add	%g2,4,%g2
-/* 0x0104	     */		ld	[%sp+2223],%f3
-/* 0x0108	     */		cmp	%i2,%o3
-/* 0x010c	     */		add	%g3,4,%g3
-/* 0x0110	 155 */		and	%o1,%g1,%g4
-/* 0x0114	 156 */		srl	%o1,16,%o1
-/* 0x0118	 155 */		st	%g4,[%sp+2227]
-/* 0x011c	 156 */		st	%o1,[%sp+2223]
-/* 0x0120	 152 */		add	%o4,4,%o1
-/* 0x0124	 154 */		ld	[%o7+%o1],%o4
-/* 0x0128	 156 */		fmovs	%f0,%f2
-/* 0x012c	 155 */		fmovs	%f0,%f4
-/* 0x0130	     */		fsubd	%f4,%f0,%f4
-/* 0x0134	 152 */		add	%o2,16,%o2
-/* 0x0138	 156 */		fsubd	%f2,%f0,%f2
-/* 0x013c	 155 */		std	%f4,[%i0+%o2]
-/* 0x0140	 152 */		add	%o0,16,%o0
-/* 0x0144	 156 */		std	%f2,[%i0+%o0]
-/* 0x0148	 155 */		ld	[%sp+2227],%f5
-/* 0x014c	 156 */		ld	[%sp+2223],%f3
-/* 0x0150	 155 */		and	%o4,%g1,%g4
-/* 0x0154	 156 */		srl	%o4,16,%o4
-/* 0x0158	 155 */		st	%g4,[%sp+2227]
-/* 0x015c	 156 */		st	%o4,[%sp+2223]
-/* 0x0160	 152 */		add	%o1,4,%o4
-/* 0x0164	 154 */		ld	[%o7+%o4],%o1
-/* 0x0168	 156 */		fmovs	%f0,%f2
-/* 0x016c	 155 */		fmovs	%f0,%f4
-/* 0x0170	     */		fsubd	%f4,%f0,%f4
-/* 0x0174	 152 */		add	%o2,16,%o2
-/* 0x0178	 156 */		fsubd	%f2,%f0,%f2
-/* 0x017c	 155 */		std	%f4,[%i0+%o2]
-/* 0x0180	 152 */		add	%o0,16,%o0
-/* 0x0184	 156 */		ble,pt	%icc,.L900000306
-/* 0x0188	     */		std	%f2,[%i0+%o0]
-                       .L900000309:
-/* 0x018c	 155 */		ld	[%sp+2227],%f5
-/* 0x0190	 156 */		fmovs	%f0,%f2
-/* 0x0194	     */		srl	%o1,16,%o3
-/* 0x0198	     */		ld	[%sp+2223],%f3
-/* 0x019c	 155 */		and	%o1,%g1,%i1
-/* 0x01a0	 152 */		add	%o2,16,%g4
-/* 0x01a4	 155 */		fmovs	%f0,%f4
-/* 0x01a8	     */		st	%i1,[%sp+2227]
-/* 0x01ac	 152 */		add	%o0,16,%o2
-/* 0x01b0	 156 */		st	%o3,[%sp+2223]
-/* 0x01b4	 154 */		sra	%i2,0,%o3
-/* 0x01b8	 152 */		add	%g4,16,%o1
-/* 0x01bc	 155 */		fsubd	%f4,%f0,%f4
-/* 0x01c0	     */		std	%f4,[%i0+%g4]
-/* 0x01c4	 152 */		add	%o0,32,%o0
-/* 0x01c8	 156 */		fsubd	%f2,%f0,%f2
-/* 0x01cc	     */		std	%f2,[%i0+%o2]
-/* 0x01d0	     */		sllx	%o3,2,%o2
-/* 0x01d4	 155 */		ld	[%sp+2227],%f5
-/* 0x01d8	 156 */		cmp	%i2,%g5
-/* 0x01dc	     */		add	%g2,6,%g2
-/* 0x01e0	     */		ld	[%sp+2223],%f3
-/* 0x01e4	     */		add	%g3,6,%g3
-/* 0x01e8	 155 */		fmovs	%f0,%f4
-/* 0x01ec	 156 */		fmovs	%f0,%f2
-/* 0x01f0	 155 */		fsubd	%f4,%f0,%f4
-/* 0x01f4	     */		std	%f4,[%i0+%o1]
-/* 0x01f8	 156 */		fsubd	%f2,%f0,%f0
-/* 0x01fc	     */		bg,pn	%icc,.L77000150
-/* 0x0200	     */		std	%f0,[%i0+%o0]
-                       .L77000154:
-/* 0x0204	 155 */		ldd	[%o5],%f0
-                       .L900000311:
-/* 0x0208	 154 */		ld	[%o7+%o2],%o0
-/* 0x020c	 155 */		sra	%g3,0,%o1
-/* 0x0210	     */		fmovs	%f0,%f2
-/* 0x0214	     */		sllx	%o1,3,%o2
-/* 0x0218	 156 */		add	%i2,1,%i2
-/* 0x021c	 155 */		and	%o0,%g1,%o1
-/* 0x0220	     */		st	%o1,[%sp+2227]
-/* 0x0224	 156 */		add	%g3,2,%g3
-/* 0x0228	     */		srl	%o0,16,%o1
-/* 0x022c	     */		cmp	%i2,%g5
-/* 0x0230	     */		sra	%g2,0,%o0
-/* 0x0234	     */		add	%g2,2,%g2
-/* 0x0238	     */		sllx	%o0,3,%o0
-/* 0x023c	 155 */		ld	[%sp+2227],%f3
-/* 0x0240	 154 */		sra	%i2,0,%o3
-/* 0x0244	 155 */		fsubd	%f2,%f0,%f2
-/* 0x0248	     */		std	%f2,[%i0+%o2]
-/* 0x024c	     */		sllx	%o3,2,%o2
-/* 0x0250	 156 */		st	%o1,[%sp+2223]
-/* 0x0254	     */		fmovs	%f0,%f2
-/* 0x0258	     */		ld	[%sp+2223],%f3
-/* 0x025c	     */		fsubd	%f2,%f0,%f0
-/* 0x0260	     */		std	%f0,[%i0+%o0]
-/* 0x0264	     */		ble,a,pt	%icc,.L900000311
-/* 0x0268	     */		ldd	[%o5],%f0
-                       .L77000150:
-/* 0x026c	     */		ret	! Result = 
-/* 0x0270	     */		restore	%g0,%g0,%g0
-/* 0x0274	   0 */		.type	conv_i32_to_d16,2
-/* 0x0274	     */		.size	conv_i32_to_d16,(.-conv_i32_to_d16)
-
-	.section	".text",#alloc,#execinstr
-/* 000000	   0 */		.align	8
-!
-! CONSTANT POOL
-!
-                       .L_const_seg_900000401:
-/* 000000	   0 */		.word	1127219200,0
-/* 0x0008	   0 */		.align	8
-/* 0x0008	     */		.skip	24
-!
-! SUBROUTINE conv_i32_to_d32_and_d16
-!
-! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
-
-                       	.global conv_i32_to_d32_and_d16
-                       conv_i32_to_d32_and_d16:
-/* 000000	     */		save	%sp,-192,%sp
-                       .L900000415:
-/* 0x0004	     */		call	.+8
-/* 0x0008	     */		sethi	/*X*/%hi(_GLOBAL_OFFSET_TABLE_-(.L900000415-.)),%g3
-
-!  157		      !   }
-!  158		      !}
-!  161		      !void conv_i32_to_d32_and_d16(double *d32, double *d16, 
-!  162		      !			     unsigned int *i32, int len)
-!  163		      !{
-!  164		      !int i = 0;
-!  165		      !unsigned int a;
-!  167		      !#pragma pipeloop(0)
-!  168		      !#ifdef RF_INLINE_MACROS
-!  169		      ! for(;i<len-3;i+=4)
-!  170		      !   {
-!  171		      !     i16_to_d16_and_d32x4(&TwoToMinus16, &TwoTo16, &Zero,
-!  172		      !			  &(d16[2*i]), &(d32[i]), (float *)(&(i32[i])));
-
-/* 0x000c	 172 */		sethi	%hi(Zero),%g2
-/* 0x0010	 163 */		add	%g3,/*X*/%lo(_GLOBAL_OFFSET_TABLE_-(.L900000415-.)),%g3
-/* 0x0014	     */		or	%g0,%i3,%g5
-/* 0x0018	     */		add	%g3,%o7,%o3
-/* 0x001c	 172 */		add	%g2,%lo(Zero),%g2
-/* 0x0020	     */		ldx	[%o3+%g2],%o0
-/* 0x0024	     */		sethi	%hi(TwoToMinus16),%g3
-/* 0x0028	 163 */		or	%g0,%i0,%i3
-/* 0x002c	 169 */		sub	%g5,3,%o1
-/* 0x0030	 172 */		sethi	%hi(TwoTo16),%g4
-/* 0x0034	 163 */		or	%g0,%i2,%i0
-/* 0x0038	 172 */		add	%g3,%lo(TwoToMinus16),%g2
-/* 0x003c	     */		ldx	[%o3+%g2],%o2
-/* 0x0040	 169 */		cmp	%o1,0
-/* 0x0044	 164 */		or	%g0,0,%i2
-/* 0x0048	 169 */		ble,pt	%icc,.L900000418
-/* 0x004c	     */		cmp	%i2,%g5
-/* 0x0050	     */		ldd	[%o0],%f2
-/* 0x0054	 172 */		add	%g4,%lo(TwoTo16),%g3
-/* 0x0058	     */		ldx	[%o3+%g3],%o1
-/* 0x005c	 169 */		sub	%g5,4,%o4
-/* 0x0060	     */		or	%g0,0,%o5
-                       .L900000417:
-/* 0x0064	 172 */		sra	%i2,0,%g2
-/* 0x0068	     */		fmovd	%f2,%f14
-/* 0x006c	     */		ldd	[%o2],%f0
-/* 0x0070	     */		sllx	%g2,2,%g3
-/* 0x0074	     */		fmovd	%f2,%f10
-/* 0x0078	     */		ldd	[%o1],%f16
-/* 0x007c	     */		ld	[%g3+%i0],%f15
-/* 0x0080	     */		add	%i0,%g3,%g3
-/* 0x0084	     */		fmovd	%f2,%f6
-/* 0x0088	     */		ld	[%g3+4],%f11
-/* 0x008c	     */		sra	%o5,0,%g4
-/* 0x0090	     */		add	%i2,4,%i2
-/* 0x0094	     */		ld	[%g3+8],%f7
-/* 0x0098	     */		fxtod	%f14,%f14
-/* 0x009c	     */		sllx	%g2,3,%g2
-/* 0x00a0	     */		ld	[%g3+12],%f3
-/* 0x00a4	     */		fxtod	%f10,%f10
-/* 0x00a8	     */		sllx	%g4,3,%g3
-/* 0x00ac	     */		fxtod	%f6,%f6
-/* 0x00b0	     */		std	%f14,[%g2+%i3]
-/* 0x00b4	     */		add	%i3,%g2,%g4
-/* 0x00b8	     */		fxtod	%f2,%f2
-/* 0x00bc	     */		fmuld	%f0,%f14,%f12
-/* 0x00c0	     */		std	%f2,[%g4+24]
-/* 0x00c4	     */		fmuld	%f0,%f10,%f8
-/* 0x00c8	     */		std	%f10,[%g4+8]
-/* 0x00cc	     */		add	%i1,%g3,%g2
-/* 0x00d0	     */		fmuld	%f0,%f6,%f4
-/* 0x00d4	     */		std	%f6,[%g4+16]
-/* 0x00d8	     */		cmp	%i2,%o4
-/* 0x00dc	     */		fmuld	%f0,%f2,%f0
-/* 0x00e0	     */		fdtox	%f12,%f12
-/* 0x00e4	     */		add	%o5,8,%o5
-/* 0x00e8	     */		fdtox	%f8,%f8
-/* 0x00ec	     */		fdtox	%f4,%f4
-/* 0x00f0	     */		fdtox	%f0,%f0
-/* 0x00f4	     */		fxtod	%f12,%f12
-/* 0x00f8	     */		std	%f12,[%g2+8]
-/* 0x00fc	     */		fxtod	%f8,%f8
-/* 0x0100	     */		std	%f8,[%g2+24]
-/* 0x0104	     */		fxtod	%f4,%f4
-/* 0x0108	     */		std	%f4,[%g2+40]
-/* 0x010c	     */		fxtod	%f0,%f0
-/* 0x0110	     */		std	%f0,[%g2+56]
-/* 0x0114	     */		fmuld	%f12,%f16,%f12
-/* 0x0118	     */		fmuld	%f8,%f16,%f8
-/* 0x011c	     */		fmuld	%f4,%f16,%f4
-/* 0x0120	     */		fsubd	%f14,%f12,%f12
-/* 0x0124	     */		std	%f12,[%g3+%i1]
-/* 0x0128	     */		fmuld	%f0,%f16,%f0
-/* 0x012c	     */		fsubd	%f10,%f8,%f8
-/* 0x0130	     */		std	%f8,[%g2+16]
-/* 0x0134	     */		fsubd	%f6,%f4,%f4
-/* 0x0138	     */		std	%f4,[%g2+32]
-/* 0x013c	     */		fsubd	%f2,%f0,%f0
-/* 0x0140	     */		std	%f0,[%g2+48]
-/* 0x0144	     */		ble,a,pt	%icc,.L900000417
-/* 0x0148	     */		ldd	[%o0],%f2
-                       .L77000159:
-
-!  173		      !   }
-!  174		      !#endif
-!  175		      ! for(;i<len;i++)
-
-/* 0x014c	 175 */		cmp	%i2,%g5
-                       .L900000418:
-/* 0x0150	 175 */		bge,pt	%icc,.L77000164
-/* 0x0154	     */		nop
-
-!  176		      !   {
-!  177		      !     a=i32[i];
-!  178		      !     d32[i]=(double)(i32[i]);
-!  179		      !     d16[2*i]=(double)(a&0xffff);
-!  180		      !     d16[2*i+1]=(double)(a>>16);
-
-/* 0x0158	 180 */		sethi	%hi(.L_const_seg_900000401),%g2
-/* 0x015c	     */		add	%g2,%lo(.L_const_seg_900000401),%g2
-/* 0x0160	 175 */		sethi	%hi(0xfc00),%g3
-/* 0x0164	 180 */		ldx	[%o3+%g2],%g1
-/* 0x0168	 175 */		sll	%i2,1,%i4
-/* 0x016c	     */		sub	%g5,%i2,%g4
-/* 0x0170	 177 */		sra	%i2,0,%o3
-/* 0x0174	 175 */		add	%g3,1023,%g3
-/* 0x0178	 178 */		ldd	[%g1],%f2
-/* 0x017c	     */		sllx	%o3,2,%o2
-/* 0x0180	 175 */		add	%i4,1,%g2
-/* 0x0184	 177 */		or	%g0,%o3,%o1
-/* 0x0188	     */		cmp	%g4,6
-/* 0x018c	 175 */		bl,pn	%icc,.L77000161
-/* 0x0190	     */		sra	%i2,0,%o3
-/* 0x0194	 177 */		or	%g0,%o2,%o0
-/* 0x0198	 178 */		ld	[%i0+%o2],%f5
-/* 0x019c	 179 */		fmovs	%f2,%f8
-/* 0x01a0	 175 */		add	%o0,4,%o3
-/* 0x01a4	 177 */		ld	[%i0+%o0],%o7
-/* 0x01a8	 180 */		fmovs	%f2,%f6
-/* 0x01ac	 178 */		fmovs	%f2,%f4
-/* 0x01b0	     */		sllx	%o1,3,%o2
-/* 0x01b4	 175 */		add	%o3,4,%o5
-/* 0x01b8	 179 */		sra	%i4,0,%o0
-/* 0x01bc	 175 */		add	%o3,8,%o4
-/* 0x01c0	 178 */		fsubd	%f4,%f2,%f4
-/* 0x01c4	     */		std	%f4,[%i3+%o2]
-/* 0x01c8	 179 */		sllx	%o0,3,%i5
-/* 0x01cc	     */		and	%o7,%g3,%o0
-/* 0x01d0	     */		st	%o0,[%sp+2227]
-/* 0x01d4	 175 */		add	%i5,16,%o1
-/* 0x01d8	 180 */		srl	%o7,16,%g4
-/* 0x01dc	     */		add	%i2,1,%i2
-/* 0x01e0	     */		sra	%g2,0,%o0
-/* 0x01e4	 175 */		add	%o2,8,%o2
-/* 0x01e8	 179 */		fmovs	%f2,%f4
-/* 0x01ec	 180 */		sllx	%o0,3,%l0
-/* 0x01f0	     */		add	%i4,3,%g2
-/* 0x01f4	 179 */		ld	[%sp+2227],%f5
-/* 0x01f8	 175 */		add	%l0,16,%o0
-/* 0x01fc	 180 */		add	%i4,2,%i4
-/* 0x0200	 175 */		sub	%g5,1,%o7
-/* 0x0204	 180 */		add	%i2,3,%i2
-/* 0x0208	 179 */		fsubd	%f4,%f2,%f4
-/* 0x020c	     */		std	%f4,[%i1+%i5]
-/* 0x0210	 180 */		st	%g4,[%sp+2223]
-/* 0x0214	 177 */		ld	[%i0+%o3],%i5
-/* 0x0218	 180 */		fmovs	%f2,%f4
-/* 0x021c	     */		srl	%i5,16,%g4
-/* 0x0220	 179 */		and	%i5,%g3,%i5
-/* 0x0224	 180 */		ld	[%sp+2223],%f5
-/* 0x0228	     */		fsubd	%f4,%f2,%f4
-/* 0x022c	     */		std	%f4,[%i1+%l0]
-/* 0x0230	     */		st	%g4,[%sp+2223]
-/* 0x0234	 177 */		ld	[%i0+%o5],%g4
-/* 0x0238	 179 */		st	%i5,[%sp+2227]
-/* 0x023c	 178 */		fmovs	%f2,%f4
-/* 0x0240	 180 */		srl	%g4,16,%i5
-/* 0x0244	 179 */		and	%g4,%g3,%g4
-/* 0x0248	 180 */		ld	[%sp+2223],%f7
-/* 0x024c	     */		st	%i5,[%sp+2223]
-/* 0x0250	 178 */		ld	[%i0+%o3],%f5
-/* 0x0254	 180 */		fsubd	%f6,%f2,%f6
-/* 0x0258	 177 */		ld	[%i0+%o4],%o3
-/* 0x025c	 178 */		fsubd	%f4,%f2,%f4
-/* 0x0260	 179 */		ld	[%sp+2227],%f9
-/* 0x0264	 180 */		ld	[%sp+2223],%f1
-/* 0x0268	 179 */		st	%g4,[%sp+2227]
-/* 0x026c	     */		fsubd	%f8,%f2,%f8
-/* 0x0270	     */		std	%f8,[%i1+%o1]
-/* 0x0274	 180 */		std	%f6,[%i1+%o0]
-/* 0x0278	 178 */		std	%f4,[%i3+%o2]
-                       .L900000411:
-/* 0x027c	 179 */		ld	[%sp+2227],%f13
-/* 0x0280	 180 */		srl	%o3,16,%g4
-/* 0x0284	     */		add	%i2,2,%i2
-/* 0x0288	     */		st	%g4,[%sp+2223]
-/* 0x028c	     */		cmp	%i2,%o7
-/* 0x0290	     */		add	%g2,4,%g2
-/* 0x0294	 178 */		ld	[%i0+%o5],%f11
-/* 0x0298	 180 */		add	%i4,4,%i4
-/* 0x029c	 175 */		add	%o4,4,%o5
-/* 0x02a0	 177 */		ld	[%i0+%o5],%g4
-/* 0x02a4	 179 */		and	%o3,%g3,%o3
-/* 0x02a8	     */		st	%o3,[%sp+2227]
-/* 0x02ac	 180 */		fmovs	%f2,%f0
-/* 0x02b0	 179 */		fmovs	%f2,%f12
-/* 0x02b4	 180 */		fsubd	%f0,%f2,%f8
-/* 0x02b8	 179 */		fsubd	%f12,%f2,%f4
-/* 0x02bc	 175 */		add	%o1,16,%o1
-/* 0x02c0	 180 */		ld	[%sp+2223],%f7
-/* 0x02c4	 178 */		fmovs	%f2,%f10
-/* 0x02c8	 179 */		std	%f4,[%i1+%o1]
-/* 0x02cc	 175 */		add	%o0,16,%o0
-/* 0x02d0	 178 */		fsubd	%f10,%f2,%f4
-/* 0x02d4	 175 */		add	%o2,8,%o2
-/* 0x02d8	 180 */		std	%f8,[%i1+%o0]
-/* 0x02dc	 178 */		std	%f4,[%i3+%o2]
-/* 0x02e0	 179 */		ld	[%sp+2227],%f9
-/* 0x02e4	 180 */		srl	%g4,16,%o3
-/* 0x02e8	     */		st	%o3,[%sp+2223]
-/* 0x02ec	 178 */		ld	[%i0+%o4],%f5
-/* 0x02f0	 175 */		add	%o4,8,%o4
-/* 0x02f4	 177 */		ld	[%i0+%o4],%o3
-/* 0x02f8	 179 */		and	%g4,%g3,%g4
-/* 0x02fc	     */		st	%g4,[%sp+2227]
-/* 0x0300	 180 */		fmovs	%f2,%f6
-/* 0x0304	 179 */		fmovs	%f2,%f8
-/* 0x0308	 180 */		fsubd	%f6,%f2,%f6
-/* 0x030c	 179 */		fsubd	%f8,%f2,%f8
-/* 0x0310	 175 */		add	%o1,16,%o1
-/* 0x0314	 180 */		ld	[%sp+2223],%f1
-/* 0x0318	 178 */		fmovs	%f2,%f4
-/* 0x031c	 179 */		std	%f8,[%i1+%o1]
-/* 0x0320	 175 */		add	%o0,16,%o0
-/* 0x0324	 178 */		fsubd	%f4,%f2,%f4
-/* 0x0328	 175 */		add	%o2,8,%o2
-/* 0x032c	 180 */		std	%f6,[%i1+%o0]
-/* 0x0330	     */		bl,pt	%icc,.L900000411
-/* 0x0334	     */		std	%f4,[%i3+%o2]
-                       .L900000414:
-/* 0x0338	 180 */		srl	%o3,16,%o7
-/* 0x033c	     */		st	%o7,[%sp+2223]
-/* 0x0340	 179 */		fmovs	%f2,%f12
-/* 0x0344	 178 */		ld	[%i0+%o5],%f11
-/* 0x0348	 180 */		fmovs	%f2,%f0
-/* 0x034c	 179 */		and	%o3,%g3,%g4
-/* 0x0350	 180 */		fmovs	%f2,%f6
-/* 0x0354	 175 */		add	%o1,16,%o3
-/* 0x0358	     */		add	%o0,16,%o7
-/* 0x035c	 178 */		fmovs	%f2,%f10
-/* 0x0360	 175 */		add	%o2,8,%o2
-/* 0x0364	     */		add	%o1,32,%o5
-/* 0x0368	 179 */		ld	[%sp+2227],%f13
-/* 0x036c	 178 */		fmovs	%f2,%f4
-/* 0x0370	 175 */		add	%o0,32,%o1
-/* 0x0374	 180 */		ld	[%sp+2223],%f7
-/* 0x0378	 175 */		add	%o2,8,%o0
-/* 0x037c	 180 */		cmp	%i2,%g5
-/* 0x0380	 179 */		st	%g4,[%sp+2227]
-/* 0x0384	     */		fsubd	%f12,%f2,%f8
-/* 0x0388	 180 */		add	%g2,6,%g2
-/* 0x038c	 179 */		std	%f8,[%i1+%o3]
-/* 0x0390	 180 */		fsubd	%f0,%f2,%f0
-/* 0x0394	 177 */		sra	%i2,0,%o3
-/* 0x0398	 180 */		std	%f0,[%i1+%o7]
-/* 0x039c	 178 */		fsubd	%f10,%f2,%f0
-/* 0x03a0	 180 */		add	%i4,6,%i4
-/* 0x03a4	 178 */		std	%f0,[%i3+%o2]
-/* 0x03a8	     */		sllx	%o3,2,%o2
-/* 0x03ac	 179 */		ld	[%sp+2227],%f9
-/* 0x03b0	 178 */		ld	[%i0+%o4],%f5
-/* 0x03b4	 179 */		fmovs	%f2,%f8
-/* 0x03b8	     */		fsubd	%f8,%f2,%f0
-/* 0x03bc	     */		std	%f0,[%i1+%o5]
-/* 0x03c0	 180 */		fsubd	%f6,%f2,%f0
-/* 0x03c4	     */		std	%f0,[%i1+%o1]
-/* 0x03c8	 178 */		fsubd	%f4,%f2,%f0
-/* 0x03cc	 180 */		bge,pn	%icc,.L77000164
-/* 0x03d0	     */		std	%f0,[%i3+%o0]
-                       .L77000161:
-/* 0x03d4	 178 */		ldd	[%g1],%f2
-                       .L900000416:
-/* 0x03d8	 178 */		ld	[%i0+%o2],%f5
-/* 0x03dc	 179 */		sra	%i4,0,%o0
-/* 0x03e0	 180 */		add	%i2,1,%i2
-/* 0x03e4	 177 */		ld	[%i0+%o2],%o1
-/* 0x03e8	 178 */		sllx	%o3,3,%o3
-/* 0x03ec	 180 */		add	%i4,2,%i4
-/* 0x03f0	 178 */		fmovs	%f2,%f4
-/* 0x03f4	 179 */		sllx	%o0,3,%o4
-/* 0x03f8	 180 */		cmp	%i2,%g5
-/* 0x03fc	 179 */		and	%o1,%g3,%o0
-/* 0x0400	 178 */		fsubd	%f4,%f2,%f0
-/* 0x0404	     */		std	%f0,[%i3+%o3]
-/* 0x0408	 180 */		srl	%o1,16,%o1
-/* 0x040c	 179 */		st	%o0,[%sp+2227]
-/* 0x0410	 180 */		sra	%g2,0,%o0
-/* 0x0414	     */		add	%g2,2,%g2
-/* 0x0418	 177 */		sra	%i2,0,%o3
-/* 0x041c	 180 */		sllx	%o0,3,%o0
-/* 0x0420	 179 */		fmovs	%f2,%f4
-/* 0x0424	     */		sllx	%o3,2,%o2
-/* 0x0428	     */		ld	[%sp+2227],%f5
-/* 0x042c	     */		fsubd	%f4,%f2,%f0
-/* 0x0430	     */		std	%f0,[%i1+%o4]
-/* 0x0434	 180 */		st	%o1,[%sp+2223]
-/* 0x0438	     */		fmovs	%f2,%f4
-/* 0x043c	     */		ld	[%sp+2223],%f5
-/* 0x0440	     */		fsubd	%f4,%f2,%f0
-/* 0x0444	     */		std	%f0,[%i1+%o0]
-/* 0x0448	     */		bl,a,pt	%icc,.L900000416
-/* 0x044c	     */		ldd	[%g1],%f2
-                       .L77000164:
-/* 0x0450	     */		ret	! Result = 
-/* 0x0454	     */		restore	%g0,%g0,%g0
-/* 0x0458	   0 */		.type	conv_i32_to_d32_and_d16,2
-/* 0x0458	     */		.size	conv_i32_to_d32_and_d16,(.-conv_i32_to_d32_and_d16)
-
-	.section	".text",#alloc,#execinstr
-/* 000000	   0 */		.align	8
-!
-! SUBROUTINE adjust_montf_result
-!
-! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
-
-                       	.global adjust_montf_result
-                       adjust_montf_result:
-/* 000000	     */		save	%sp,-176,%sp
-/* 0x0004	     */		or	%g0,%i2,%o1
-/* 0x0008	     */		or	%g0,%i0,%i2
-
-!  181		      !   }
-!  182		      !}
-!  185		      !void adjust_montf_result(unsigned int *i32, unsigned int *nint, int len)
-!  186		      !{
-!  187		      !long long acc;
-!  188		      !int i;
-!  190		      ! if(i32[len]>0) i=-1;
-
-/* 0x000c	 190 */		sra	%o1,0,%g2
-/* 0x0010	     */		or	%g0,-1,%o2
-/* 0x0014	     */		sllx	%g2,2,%g2
-/* 0x0018	     */		ld	[%i2+%g2],%g2
-/* 0x001c	     */		cmp	%g2,0
-/* 0x0020	     */		bleu,pn	%icc,.L77000175
-/* 0x0024	     */		or	%g0,%i1,%i0
-/* 0x0028	     */		ba	.L900000511
-/* 0x002c	     */		cmp	%o2,0
-                       .L77000175:
-
-!  191		      ! else
-!  192		      !   {
-!  193		      !     for(i=len-1; i>=0; i--)
-
-/* 0x0030	 193 */		sub	%o1,1,%o2
-/* 0x0034	     */		cmp	%o2,0
-/* 0x0038	     */		bl,pn	%icc,.L77000182
-/* 0x003c	     */		sra	%o2,0,%g2
-                       .L900000510:
-
-!  194		      !       {
-!  195		      !	 if(i32[i]!=nint[i]) break;
-
-/* 0x0040	 195 */		sllx	%g2,2,%g2
-/* 0x0044	     */		sub	%o2,1,%o0
-/* 0x0048	     */		ld	[%i1+%g2],%g3
-/* 0x004c	     */		ld	[%i2+%g2],%g2
-/* 0x0050	     */		cmp	%g2,%g3
-/* 0x0054	     */		bne,pn	%icc,.L77000182
-/* 0x0058	     */		nop
-/* 0x005c	   0 */		or	%g0,%o0,%o2
-/* 0x0060	 195 */		cmp	%o0,0
-/* 0x0064	     */		bge,pt	%icc,.L900000510
-/* 0x0068	     */		sra	%o2,0,%g2
-                       .L77000182:
-
-!  196		      !       }
-!  197		      !   }
-!  198		      ! if((i<0)||(i32[i]>nint[i]))
-
-/* 0x006c	 198 */		cmp	%o2,0
-                       .L900000511:
-/* 0x0070	 198 */		bl,pn	%icc,.L77000198
-/* 0x0074	     */		sra	%o2,0,%g2
-/* 0x0078	     */		sllx	%g2,2,%g2
-/* 0x007c	     */		ld	[%i1+%g2],%g3
-/* 0x0080	     */		ld	[%i2+%g2],%g2
-/* 0x0084	     */		cmp	%g2,%g3
-/* 0x0088	     */		bleu,pt	%icc,.L77000191
-/* 0x008c	     */		nop
-                       .L77000198:
-
-!  199		      !   {
-!  200		      !     acc=0;
-!  201		      !     for(i=0;i<len;i++)
-
-/* 0x0090	 201 */		cmp	%o1,0
-/* 0x0094	     */		ble,pt	%icc,.L77000191
-/* 0x0098	     */		nop
-/* 0x009c	 198 */		or	%g0,-1,%g2
-/* 0x00a0	 201 */		or	%g0,%o1,%g3
-/* 0x00a4	 198 */		srl	%g2,0,%g2
-/* 0x00a8	     */		sub	%o1,1,%g4
-/* 0x00ac	     */		cmp	%o1,9
-/* 0x00b0	 201 */		or	%g0,0,%i1
-/* 0x00b4	 200 */		or	%g0,0,%g5
-
-!  202		      !       {
-!  203		      !	 acc=acc+(unsigned long long)(i32[i])-(unsigned long long)(nint[i]);
-
-/* 0x00b8	 203 */		or	%g0,0,%o1
-/* 0x00bc	 201 */		bl,pn	%icc,.L77000199
-/* 0x00c0	     */		sub	%g3,4,%o7
-/* 0x00c4	 203 */		ld	[%i2],%o1
-
-!  204		      !	 i32[i]=acc&0xffffffff;
-!  205		      !	 acc=acc>>32;
-
-/* 0x00c8	 205 */		or	%g0,5,%i1
-/* 0x00cc	 203 */		ld	[%i0],%o2
-/* 0x00d0	 201 */		or	%g0,8,%o5
-/* 0x00d4	     */		or	%g0,12,%o4
-/* 0x00d8	 203 */		ld	[%i0+4],%o3
-/* 0x00dc	 201 */		or	%g0,16,%g1
-/* 0x00e0	 203 */		ld	[%i2+4],%o0
-/* 0x00e4	 201 */		sub	%o1,%o2,%o1
-/* 0x00e8	 203 */		ld	[%i0+8],%i3
-/* 0x00ec	 204 */		and	%o1,%g2,%g5
-/* 0x00f0	     */		st	%g5,[%i2]
-/* 0x00f4	 205 */		srax	%o1,32,%g5
-/* 0x00f8	 201 */		sub	%o0,%o3,%o0
-/* 0x00fc	 203 */		ld	[%i0+12],%o2
-/* 0x0100	 201 */		add	%o0,%g5,%o0
-/* 0x0104	 204 */		and	%o0,%g2,%g5
-/* 0x0108	     */		st	%g5,[%i2+4]
-/* 0x010c	 205 */		srax	%o0,32,%o0
-/* 0x0110	 203 */		ld	[%i2+8],%o1
-/* 0x0114	     */		ld	[%i2+12],%o3
-/* 0x0118	 201 */		sub	%o1,%i3,%o1
-                       .L900000505:
-/* 0x011c	     */		add	%g1,4,%g3
-/* 0x0120	 203 */		ld	[%g1+%i2],%g5
-/* 0x0124	 201 */		add	%o1,%o0,%o0
-/* 0x0128	 203 */		ld	[%i0+%g1],%i3
-/* 0x012c	 201 */		sub	%o3,%o2,%o1
-/* 0x0130	 204 */		and	%o0,%g2,%o2
-/* 0x0134	     */		st	%o2,[%o5+%i2]
-/* 0x0138	 205 */		srax	%o0,32,%o2
-/* 0x013c	     */		add	%i1,4,%i1
-/* 0x0140	 201 */		add	%g1,8,%o5
-/* 0x0144	 203 */		ld	[%g3+%i2],%o0
-/* 0x0148	 201 */		add	%o1,%o2,%o1
-/* 0x014c	 203 */		ld	[%i0+%g3],%o3
-/* 0x0150	 201 */		sub	%g5,%i3,%o2
-/* 0x0154	 204 */		and	%o1,%g2,%g5
-/* 0x0158	     */		st	%g5,[%o4+%i2]
-/* 0x015c	 205 */		srax	%o1,32,%g5
-/* 0x0160	     */		cmp	%i1,%o7
-/* 0x0164	 201 */		add	%g1,12,%o4
-/* 0x0168	 203 */		ld	[%o5+%i2],%o1
-/* 0x016c	 201 */		add	%o2,%g5,%o2
-/* 0x0170	 203 */		ld	[%i0+%o5],%i3
-/* 0x0174	 201 */		sub	%o0,%o3,%o0
-/* 0x0178	 204 */		and	%o2,%g2,%o3
-/* 0x017c	     */		st	%o3,[%g1+%i2]
-/* 0x0180	 205 */		srax	%o2,32,%g5
-/* 0x0184	 203 */		ld	[%o4+%i2],%o3
-/* 0x0188	 201 */		add	%g1,16,%g1
-/* 0x018c	     */		add	%o0,%g5,%o0
-/* 0x0190	 203 */		ld	[%i0+%o4],%o2
-/* 0x0194	 201 */		sub	%o1,%i3,%o1
-/* 0x0198	 204 */		and	%o0,%g2,%g5
-/* 0x019c	     */		st	%g5,[%g3+%i2]
-/* 0x01a0	 205 */		ble,pt	%icc,.L900000505
-/* 0x01a4	     */		srax	%o0,32,%o0
-                       .L900000508:
-/* 0x01a8	     */		add	%o1,%o0,%g3
-/* 0x01ac	     */		sub	%o3,%o2,%o1
-/* 0x01b0	 203 */		ld	[%g1+%i2],%o0
-/* 0x01b4	     */		ld	[%i0+%g1],%o2
-/* 0x01b8	 205 */		srax	%g3,32,%o7
-/* 0x01bc	 204 */		and	%g3,%g2,%o3
-/* 0x01c0	 201 */		add	%o1,%o7,%o1
-/* 0x01c4	 204 */		st	%o3,[%o5+%i2]
-/* 0x01c8	 205 */		cmp	%i1,%g4
-/* 0x01cc	 201 */		sub	%o0,%o2,%o0
-/* 0x01d0	 204 */		and	%o1,%g2,%o2
-/* 0x01d4	     */		st	%o2,[%o4+%i2]
-/* 0x01d8	 205 */		srax	%o1,32,%o1
-/* 0x01dc	 203 */		sra	%i1,0,%o2
-/* 0x01e0	 201 */		add	%o0,%o1,%o0
-/* 0x01e4	 205 */		srax	%o0,32,%g5
-/* 0x01e8	 204 */		and	%o0,%g2,%o1
-/* 0x01ec	     */		st	%o1,[%g1+%i2]
-/* 0x01f0	 205 */		bg,pn	%icc,.L77000191
-/* 0x01f4	     */		sllx	%o2,2,%o1
-                       .L77000199:
-/* 0x01f8	   0 */		or	%g0,%o1,%g1
-                       .L900000509:
-/* 0x01fc	 203 */		ld	[%o1+%i2],%o0
-/* 0x0200	 205 */		add	%i1,1,%i1
-/* 0x0204	 203 */		ld	[%i0+%o1],%o1
-/* 0x0208	     */		sra	%i1,0,%o2
-/* 0x020c	 205 */		cmp	%i1,%g4
-/* 0x0210	 203 */		add	%g5,%o0,%o0
-/* 0x0214	     */		sub	%o0,%o1,%o0
-/* 0x0218	 205 */		srax	%o0,32,%g5
-/* 0x021c	 204 */		and	%o0,%g2,%o1
-/* 0x0220	     */		st	%o1,[%g1+%i2]
-/* 0x0224	     */		sllx	%o2,2,%o1
-/* 0x0228	 205 */		ble,pt	%icc,.L900000509
-/* 0x022c	     */		or	%g0,%o1,%g1
-                       .L77000191:
-/* 0x0230	     */		ret	! Result = 
-/* 0x0234	     */		restore	%g0,%g0,%g0
-/* 0x0238	   0 */		.type	adjust_montf_result,2
-/* 0x0238	     */		.size	adjust_montf_result,(.-adjust_montf_result)
-
-	.section	".text",#alloc,#execinstr
-/* 000000	   0 */		.align	8
-/* 000000	     */		.skip	24
-!
-! SUBROUTINE mont_mulf_noconv
-!
-! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
-
-                       	.global mont_mulf_noconv
-                       mont_mulf_noconv:
-/* 000000	     */		save	%sp,-224,%sp
-                       .L900000643:
-/* 0x0004	     */		call	.+8
-/* 0x0008	     */		sethi	/*X*/%hi(_GLOBAL_OFFSET_TABLE_-(.L900000643-.)),%g5
-/* 0x000c	     */		ldx	[%fp+2223],%l0
-
-!  206		      !       }
-!  207		      !   }
-!  208		      !}
-!  213		      !/*
-!  214		      !** the lengths of the input arrays should be at least the following:
-!  215		      !** result[nlen+1], dm1[nlen], dm2[2*nlen+1], dt[4*nlen+2], dn[nlen], nint[nlen]
-!  216		      !** all of them should be different from one another
-!  217		      !**
-!  218		      !*/
-!  219		      !void mont_mulf_noconv(unsigned int *result,
-!  220		      !		     double *dm1, double *dm2, double *dt,
-!  221		      !		     double *dn, unsigned int *nint,
-!  222		      !		     int nlen, double dn0)
-!  223		      !{
-!  224		      ! int i, j, jj;
-!  225		      ! int tmp;
-!  226		      ! double digit, m2j, nextm2j, a, b;
-!  227		      ! double *dptmp, *pdm1, *pdm2, *pdn, *pdtj, pdn_0, pdm1_0;
-!  229		      ! pdm1=&(dm1[0]);
-!  230		      ! pdm2=&(dm2[0]);
-!  231		      ! pdn=&(dn[0]);
-!  232		      ! pdm2[2*nlen]=Zero;
-
-/* 0x0010	 232 */		sethi	%hi(Zero),%g2
-/* 0x0014	 223 */		fmovd	%f14,%f30
-/* 0x0018	     */		add	%g5,/*X*/%lo(_GLOBAL_OFFSET_TABLE_-(.L900000643-.)),%g5
-/* 0x001c	 232 */		add	%g2,%lo(Zero),%g2
-/* 0x0020	     */		sll	%l0,1,%o3
-/* 0x0024	 223 */		add	%g5,%o7,%o4
-/* 0x0028	 232 */		sra	%o3,0,%g5
-/* 0x002c	     */		ldx	[%o4+%g2],%o7
-
-!  234		      ! if (nlen!=16)
-!  235		      !   {
-!  236		      !     for(i=0;i<4*nlen+2;i++) dt[i]=Zero;
-!  238		      !     a=dt[0]=pdm1[0]*pdm2[0];
-!  239		      !     digit=mod(lower32(a,Zero)*dn0,TwoToMinus16,TwoTo16);
-
-/* 0x0030	 239 */		sethi	%hi(TwoToMinus16),%g3
-/* 0x0034	     */		sethi	%hi(TwoTo16),%g4
-/* 0x0038	     */		add	%g3,%lo(TwoToMinus16),%g2
-/* 0x003c	 232 */		ldd	[%o7],%f0
-/* 0x0040	 239 */		add	%g4,%lo(TwoTo16),%g3
-/* 0x0044	 223 */		or	%g0,%i4,%o0
-/* 0x0048	 232 */		sllx	%g5,3,%g4
-/* 0x004c	 239 */		ldx	[%o4+%g2],%o5
-/* 0x0050	 223 */		or	%g0,%i5,%l3
-/* 0x0054	     */		or	%g0,%i0,%l2
-/* 0x0058	 239 */		ldx	[%o4+%g3],%o4
-/* 0x005c	 234 */		cmp	%l0,16
-/* 0x0060	 232 */		std	%f0,[%i2+%g4]
-/* 0x0064	 234 */		be,pn	%icc,.L77000279
-/* 0x0068	     */		or	%g0,%i3,%l4
-/* 0x006c	 236 */		sll	%l0,2,%g2
-/* 0x0070	 223 */		or	%g0,%o0,%i5
-/* 0x0074	 236 */		add	%g2,2,%o0
-/* 0x0078	 223 */		or	%g0,%i1,%i4
-/* 0x007c	 236 */		cmp	%o0,0
-/* 0x0080	 223 */		or	%g0,%i2,%l1
-/* 0x0084	 236 */		ble,a,pt	%icc,.L900000657
-/* 0x0088	     */		ldd	[%i1],%f6
-
-!  241		      !     pdtj=&(dt[0]);
-!  242		      !     for(j=jj=0;j<2*nlen;j++,jj++,pdtj++)
-!  243		      !       {
-!  244		      !	 m2j=pdm2[j];
-!  245		      !	 a=pdtj[0]+pdn[0]*digit;
-!  246		      !	 b=pdtj[1]+pdm1[0]*pdm2[j+1]+a*TwoToMinus16;
-!  247		      !	 pdtj[1]=b;
-!  249		      !#pragma pipeloop(0)
-!  250		      !	 for(i=1;i<nlen;i++)
-!  251		      !	   {
-!  252		      !	     pdtj[2*i]+=pdm1[i]*m2j+pdn[i]*digit;
-!  253		      !	   }
-!  254		      ! 	 if((jj==30)) {cleanup(dt,j/2+1,2*nlen+1); jj=0;}
-!  255		      !	 
-!  256		      !	 digit=mod(lower32(b,Zero)*dn0,TwoToMinus16,TwoTo16);
-!  257		      !       }
-!  258		      !   }
-!  259		      ! else
-!  260		      !   {
-!  261		      !     a=dt[0]=pdm1[0]*pdm2[0];
-!  263		      !     dt[65]=     dt[64]=     dt[63]=     dt[62]=     dt[61]=     dt[60]=
-!  264		      !     dt[59]=     dt[58]=     dt[57]=     dt[56]=     dt[55]=     dt[54]=
-!  265		      !     dt[53]=     dt[52]=     dt[51]=     dt[50]=     dt[49]=     dt[48]=
-!  266		      !     dt[47]=     dt[46]=     dt[45]=     dt[44]=     dt[43]=     dt[42]=
-!  267		      !     dt[41]=     dt[40]=     dt[39]=     dt[38]=     dt[37]=     dt[36]=
-!  268		      !     dt[35]=     dt[34]=     dt[33]=     dt[32]=     dt[31]=     dt[30]=
-!  269		      !     dt[29]=     dt[28]=     dt[27]=     dt[26]=     dt[25]=     dt[24]=
-!  270		      !     dt[23]=     dt[22]=     dt[21]=     dt[20]=     dt[19]=     dt[18]=
-!  271		      !     dt[17]=     dt[16]=     dt[15]=     dt[14]=     dt[13]=     dt[12]=
-!  272		      !     dt[11]=     dt[10]=     dt[ 9]=     dt[ 8]=     dt[ 7]=     dt[ 6]=
-!  273		      !     dt[ 5]=     dt[ 4]=     dt[ 3]=     dt[ 2]=     dt[ 1]=Zero;
-!  275		      !     pdn_0=pdn[0];
-!  276		      !     pdm1_0=pdm1[0];
-!  278		      !     digit=mod(lower32(a,Zero)*dn0,TwoToMinus16,TwoTo16);
-!  279		      !     pdtj=&(dt[0]);
-!  281		      !     for(j=0;j<32;j++,pdtj++)
-
-/* 0x008c	 281 */		or	%g0,%o0,%o1
-/* 0x0090	 236 */		sub	%o0,1,%g1
-/* 0x0094	     */		or	%g0,0,%g2
-/* 0x0098	 281 */		cmp	%o1,5
-/* 0x009c	     */		bl,pn	%icc,.L77000280
-/* 0x00a0	     */		or	%g0,8,%o0
-/* 0x00a4	     */		std	%f0,[%i3]
-/* 0x00a8	     */		or	%g0,2,%g2
-/* 0x00ac	     */		sub	%g1,2,%o1
-                       .L900000627:
-/* 0x00b0	     */		add	%o0,8,%g3
-/* 0x00b4	     */		std	%f0,[%i3+%o0]
-/* 0x00b8	     */		add	%g2,3,%g2
-/* 0x00bc	     */		add	%o0,16,%o2
-/* 0x00c0	     */		std	%f0,[%i3+%g3]
-/* 0x00c4	     */		cmp	%g2,%o1
-/* 0x00c8	     */		add	%o0,24,%o0
-/* 0x00cc	     */		ble,pt	%icc,.L900000627
-/* 0x00d0	     */		std	%f0,[%i3+%o2]
-                       .L900000630:
-/* 0x00d4	     */		cmp	%g2,%g1
-/* 0x00d8	     */		bg,pn	%icc,.L77000285
-/* 0x00dc	     */		std	%f0,[%i3+%o0]
-                       .L77000280:
-/* 0x00e0	     */		ldd	[%o7],%f0
-                       .L900000656:
-/* 0x00e4	     */		sra	%g2,0,%o0
-/* 0x00e8	     */		add	%g2,1,%g2
-/* 0x00ec	     */		sllx	%o0,3,%o0
-/* 0x00f0	     */		cmp	%g2,%g1
-/* 0x00f4	     */		std	%f0,[%i3+%o0]
-/* 0x00f8	     */		ble,a,pt	%icc,.L900000656
-/* 0x00fc	     */		ldd	[%o7],%f0
-                       .L77000285:
-/* 0x0100	 238 */		ldd	[%i1],%f6
-                       .L900000657:
-/* 0x0104	 238 */		ldd	[%i2],%f8
-/* 0x0108	 242 */		cmp	%o3,0
-/* 0x010c	     */		sub	%o3,1,%o1
-/* 0x0110	 239 */		ldd	[%o7],%f10
-/* 0x0114	     */		add	%o3,1,%o2
-/* 0x0118	   0 */		or	%g0,0,%i2
-/* 0x011c	 238 */		fmuld	%f6,%f8,%f6
-/* 0x0120	     */		std	%f6,[%i3]
-/* 0x0124	   0 */		or	%g0,0,%g3
-/* 0x0128	 239 */		ldd	[%o5],%f8
-/* 0x012c	   0 */		or	%g0,%o2,%g1
-/* 0x0130	 236 */		sub	%l0,1,%i1
-/* 0x0134	 239 */		ldd	[%o4],%f12
-/* 0x0138	 236 */		or	%g0,1,%g4
-/* 0x013c	     */		fdtox	%f6,%f0
-/* 0x0140	     */		fmovs	%f10,%f0
-/* 0x0144	     */		fxtod	%f0,%f6
-/* 0x0148	 239 */		fmuld	%f6,%f14,%f6
-/* 0x014c	     */		fmuld	%f6,%f8,%f8
-/* 0x0150	     */		fdtox	%f8,%f8
-/* 0x0154	     */		fxtod	%f8,%f8
-/* 0x0158	     */		fmuld	%f8,%f12,%f8
-/* 0x015c	     */		fsubd	%f6,%f8,%f20
-/* 0x0160	 242 */		ble,pt	%icc,.L900000650
-/* 0x0164	     */		sllx	%g5,3,%g2
-/* 0x0168	   0 */		st	%o1,[%sp+2223]
-/* 0x016c	 246 */		ldd	[%i5],%f6
-                       .L900000651:
-/* 0x0170	 246 */		sra	%g4,0,%g2
-/* 0x0174	     */		fmuld	%f6,%f20,%f6
-/* 0x0178	     */		ldd	[%i3],%f12
-/* 0x017c	     */		sllx	%g2,3,%g2
-/* 0x0180	     */		ldd	[%i4],%f8
-/* 0x0184	 250 */		cmp	%l0,1
-/* 0x0188	 246 */		ldd	[%l1+%g2],%f10
-/* 0x018c	 244 */		sra	%i2,0,%g2
-/* 0x0190	     */		add	%i2,1,%i0
-/* 0x0194	 246 */		faddd	%f12,%f6,%f6
-/* 0x0198	     */		ldd	[%o5],%f12
-/* 0x019c	 244 */		sllx	%g2,3,%g2
-/* 0x01a0	 246 */		fmuld	%f8,%f10,%f8
-/* 0x01a4	     */		ldd	[%i3+8],%f10
-/* 0x01a8	     */		srl	%i2,31,%o3
-/* 0x01ac	 244 */		ldd	[%l1+%g2],%f18
-/* 0x01b0	   0 */		or	%g0,1,%l5
-/* 0x01b4	 236 */		or	%g0,2,%g2
-/* 0x01b8	 246 */		fmuld	%f6,%f12,%f6
-/* 0x01bc	 250 */		or	%g0,32,%o1
-/* 0x01c0	     */		or	%g0,48,%o2
-/* 0x01c4	 246 */		faddd	%f10,%f8,%f8
-/* 0x01c8	     */		faddd	%f8,%f6,%f16
-/* 0x01cc	 250 */		ble,pn	%icc,.L77000213
-/* 0x01d0	     */		std	%f16,[%i3+8]
-/* 0x01d4	     */		cmp	%i1,8
-/* 0x01d8	     */		sub	%l0,3,%o3
-/* 0x01dc	     */		bl,pn	%icc,.L77000284
-/* 0x01e0	     */		or	%g0,8,%o0
-/* 0x01e4	 252 */		ldd	[%i5+8],%f0
-/* 0x01e8	     */		or	%g0,6,%l5
-/* 0x01ec	     */		ldd	[%i4+8],%f2
-/* 0x01f0	     */		or	%g0,4,%g2
-/* 0x01f4	 250 */		or	%g0,40,%o0
-/* 0x01f8	 252 */		ldd	[%i5+16],%f8
-/* 0x01fc	     */		fmuld	%f0,%f20,%f10
-/* 0x0200	     */		ldd	[%i4+16],%f4
-/* 0x0204	     */		fmuld	%f2,%f18,%f2
-/* 0x0208	     */		ldd	[%i3+16],%f0
-/* 0x020c	     */		fmuld	%f8,%f20,%f12
-/* 0x0210	     */		ldd	[%i4+24],%f6
-/* 0x0214	     */		fmuld	%f4,%f18,%f4
-/* 0x0218	     */		ldd	[%i5+24],%f8
-/* 0x021c	     */		faddd	%f2,%f10,%f2
-/* 0x0220	     */		ldd	[%i4+32],%f14
-/* 0x0224	     */		fmuld	%f6,%f18,%f10
-/* 0x0228	     */		ldd	[%i5+32],%f6
-/* 0x022c	     */		faddd	%f4,%f12,%f4
-/* 0x0230	     */		ldd	[%i4+40],%f12
-/* 0x0234	     */		faddd	%f0,%f2,%f0
-/* 0x0238	     */		std	%f0,[%i3+16]
-/* 0x023c	     */		ldd	[%i3+32],%f0
-/* 0x0240	     */		ldd	[%i3+48],%f2
-                       .L900000639:
-/* 0x0244	     */		add	%o2,16,%l6
-/* 0x0248	 252 */		ldd	[%i5+%o0],%f22
-/* 0x024c	     */		add	%l5,3,%l5
-/* 0x0250	     */		fmuld	%f8,%f20,%f8
-/* 0x0254	 250 */		add	%o0,8,%o0
-/* 0x0258	 252 */		ldd	[%l6+%i3],%f26
-/* 0x025c	     */		cmp	%l5,%o3
-/* 0x0260	     */		ldd	[%i4+%o0],%f24
-/* 0x0264	     */		faddd	%f0,%f4,%f0
-/* 0x0268	     */		add	%g2,6,%g2
-/* 0x026c	     */		faddd	%f10,%f8,%f10
-/* 0x0270	     */		fmuld	%f14,%f18,%f4
-/* 0x0274	     */		std	%f0,[%o1+%i3]
-/* 0x0278	 250 */		add	%o2,32,%o1
-/* 0x027c	 252 */		ldd	[%i5+%o0],%f8
-/* 0x0280	     */		fmuld	%f6,%f20,%f6
-/* 0x0284	 250 */		add	%o0,8,%o0
-/* 0x0288	 252 */		ldd	[%o1+%i3],%f0
-/* 0x028c	     */		ldd	[%i4+%o0],%f14
-/* 0x0290	     */		faddd	%f2,%f10,%f2
-/* 0x0294	     */		faddd	%f4,%f6,%f10
-/* 0x0298	     */		fmuld	%f12,%f18,%f4
-/* 0x029c	     */		std	%f2,[%o2+%i3]
-/* 0x02a0	 250 */		add	%o2,48,%o2
-/* 0x02a4	 252 */		ldd	[%i5+%o0],%f6
-/* 0x02a8	     */		fmuld	%f22,%f20,%f22
-/* 0x02ac	 250 */		add	%o0,8,%o0
-/* 0x02b0	 252 */		ldd	[%o2+%i3],%f2
-/* 0x02b4	     */		ldd	[%i4+%o0],%f12
-/* 0x02b8	     */		faddd	%f26,%f10,%f10
-/* 0x02bc	     */		std	%f10,[%l6+%i3]
-/* 0x02c0	     */		fmuld	%f24,%f18,%f10
-/* 0x02c4	     */		ble,pt	%icc,.L900000639
-/* 0x02c8	     */		faddd	%f4,%f22,%f4
-                       .L900000642:
-/* 0x02cc	 252 */		fmuld	%f8,%f20,%f24
-/* 0x02d0	     */		faddd	%f0,%f4,%f8
-/* 0x02d4	 250 */		add	%o2,16,%o3
-/* 0x02d8	 252 */		ldd	[%o3+%i3],%f4
-/* 0x02dc	     */		fmuld	%f14,%f18,%f0
-/* 0x02e0	     */		cmp	%l5,%i1
-/* 0x02e4	     */		std	%f8,[%o1+%i3]
-/* 0x02e8	     */		fmuld	%f12,%f18,%f8
-/* 0x02ec	 250 */		add	%o2,32,%o1
-/* 0x02f0	 252 */		faddd	%f10,%f24,%f12
-/* 0x02f4	     */		ldd	[%i5+%o0],%f22
-/* 0x02f8	     */		fmuld	%f6,%f20,%f6
-/* 0x02fc	     */		add	%g2,8,%g2
-/* 0x0300	     */		fmuld	%f22,%f20,%f10
-/* 0x0304	     */		faddd	%f2,%f12,%f2
-/* 0x0308	     */		faddd	%f0,%f6,%f6
-/* 0x030c	     */		ldd	[%o1+%i3],%f0
-/* 0x0310	     */		std	%f2,[%o2+%i3]
-/* 0x0314	     */		faddd	%f8,%f10,%f2
-/* 0x0318	     */		sra	%l5,0,%o2
-/* 0x031c	     */		sllx	%o2,3,%o0
-/* 0x0320	     */		faddd	%f4,%f6,%f4
-/* 0x0324	     */		std	%f4,[%o3+%i3]
-/* 0x0328	     */		faddd	%f0,%f2,%f0
-/* 0x032c	     */		std	%f0,[%o1+%i3]
-/* 0x0330	     */		bg,a,pn	%icc,.L77000213
-/* 0x0334	     */		srl	%i2,31,%o3
-                       .L77000284:
-/* 0x0338	 252 */		ldd	[%i4+%o0],%f2
-                       .L900000655:
-/* 0x033c	 252 */		ldd	[%i5+%o0],%f0
-/* 0x0340	     */		fmuld	%f2,%f18,%f2
-/* 0x0344	     */		sra	%g2,0,%o0
-/* 0x0348	     */		sllx	%o0,3,%o1
-/* 0x034c	     */		add	%l5,1,%l5
-/* 0x0350	     */		fmuld	%f0,%f20,%f4
-/* 0x0354	     */		ldd	[%o1+%i3],%f0
-/* 0x0358	     */		sra	%l5,0,%o2
-/* 0x035c	     */		sllx	%o2,3,%o0
-/* 0x0360	     */		add	%g2,2,%g2
-/* 0x0364	     */		cmp	%l5,%i1
-/* 0x0368	     */		faddd	%f2,%f4,%f2
-/* 0x036c	     */		faddd	%f0,%f2,%f0
-/* 0x0370	     */		std	%f0,[%o1+%i3]
-/* 0x0374	     */		ble,a,pt	%icc,.L900000655
-/* 0x0378	     */		ldd	[%i4+%o0],%f2
-                       .L900000626:
-/* 0x037c	     */		srl	%i2,31,%o3
-/* 0x0380	 252 */		ba	.L900000654
-/* 0x0384	     */		cmp	%g3,30
-                       .L77000213:
-/* 0x0388	 254 */		cmp	%g3,30
-                       .L900000654:
-/* 0x038c	     */		add	%i2,%o3,%o0
-/* 0x0390	 254 */		bne,a,pt	%icc,.L900000653
-/* 0x0394	     */		fdtox	%f16,%f0
-/* 0x0398	 281 */		sra	%o0,1,%g2
-/* 0x039c	     */		add	%g2,1,%g2
-/* 0x03a0	     */		ldd	[%o7],%f0
-/* 0x03a4	     */		sll	%g2,1,%o1
-/* 0x03a8	     */		sll	%g1,1,%g2
-/* 0x03ac	     */		or	%g0,%o1,%o2
-/* 0x03b0	     */		fmovd	%f0,%f2
-/* 0x03b4	     */		or	%g0,%g2,%o0
-/* 0x03b8	     */		cmp	%o1,%o0
-/* 0x03bc	     */		sub	%g2,1,%o0
-/* 0x03c0	     */		bge,pt	%icc,.L77000215
-/* 0x03c4	     */		or	%g0,0,%g3
-/* 0x03c8	 254 */		add	%o1,1,%o1
-/* 0x03cc	 281 */		sra	%o2,0,%g2
-                       .L900000652:
-/* 0x03d0	     */		sllx	%g2,3,%g2
-/* 0x03d4	     */		ldd	[%o7],%f6
-/* 0x03d8	     */		add	%o2,2,%o2
-/* 0x03dc	     */		sra	%o1,0,%g3
-/* 0x03e0	     */		ldd	[%g2+%l4],%f8
-/* 0x03e4	     */		cmp	%o2,%o0
-/* 0x03e8	     */		sllx	%g3,3,%g3
-/* 0x03ec	     */		add	%o1,2,%o1
-/* 0x03f0	     */		ldd	[%l4+%g3],%f10
-/* 0x03f4	     */		fdtox	%f8,%f12
-/* 0x03f8	     */		fdtox	%f10,%f4
-/* 0x03fc	     */		fmovd	%f12,%f8
-/* 0x0400	     */		fmovs	%f6,%f12
-/* 0x0404	     */		fmovs	%f6,%f4
-/* 0x0408	     */		fxtod	%f12,%f6
-/* 0x040c	     */		fxtod	%f4,%f12
-/* 0x0410	     */		fdtox	%f10,%f4
-/* 0x0414	     */		faddd	%f6,%f2,%f6
-/* 0x0418	     */		std	%f6,[%g2+%l4]
-/* 0x041c	     */		faddd	%f12,%f0,%f6
-/* 0x0420	     */		std	%f6,[%l4+%g3]
-/* 0x0424	     */		fitod	%f8,%f2
-/* 0x0428	     */		fitod	%f4,%f0
-/* 0x042c	     */		ble,pt	%icc,.L900000652
-/* 0x0430	     */		sra	%o2,0,%g2
-                       .L77000233:
-/* 0x0434	     */		or	%g0,0,%g3
-                       .L77000215:
-/* 0x0438	     */		fdtox	%f16,%f0
-                       .L900000653:
-/* 0x043c	 256 */		ldd	[%o7],%f6
-/* 0x0440	     */		add	%g4,1,%g4
-/* 0x0444	     */		or	%g0,%i0,%i2
-/* 0x0448	     */		ldd	[%o5],%f8
-/* 0x044c	     */		add	%g3,1,%g3
-/* 0x0450	     */		add	%i3,8,%i3
-/* 0x0454	     */		fmovs	%f6,%f0
-/* 0x0458	     */		ldd	[%o4],%f10
-/* 0x045c	     */		ld	[%sp+2223],%o0
-/* 0x0460	     */		fxtod	%f0,%f6
-/* 0x0464	     */		cmp	%i0,%o0
-/* 0x0468	     */		fmuld	%f6,%f30,%f6
-/* 0x046c	     */		fmuld	%f6,%f8,%f8
-/* 0x0470	     */		fdtox	%f8,%f8
-/* 0x0474	     */		fxtod	%f8,%f8
-/* 0x0478	     */		fmuld	%f8,%f10,%f8
-/* 0x047c	     */		fsubd	%f6,%f8,%f20
-/* 0x0480	     */		ble,a,pt	%icc,.L900000651
-/* 0x0484	     */		ldd	[%i5],%f6
-                       .L900000625:
-/* 0x0488	 256 */		ba	.L900000650
-/* 0x048c	     */		sllx	%g5,3,%g2
-                       .L77000279:
-/* 0x0490	 261 */		ldd	[%i1],%f4
-/* 0x0494	     */		ldd	[%i2],%f6
-/* 0x0498	 273 */		std	%f0,[%i3+8]
-/* 0x049c	     */		std	%f0,[%i3+16]
-/* 0x04a0	 261 */		fmuld	%f4,%f6,%f6
-/* 0x04a4	     */		std	%f6,[%i3]
-/* 0x04a8	 273 */		std	%f0,[%i3+24]
-/* 0x04ac	     */		std	%f0,[%i3+32]
-/* 0x04b0	     */		fdtox	%f6,%f2
-/* 0x04b4	     */		std	%f0,[%i3+40]
-/* 0x04b8	     */		std	%f0,[%i3+48]
-/* 0x04bc	     */		std	%f0,[%i3+56]
-/* 0x04c0	     */		std	%f0,[%i3+64]
-/* 0x04c4	     */		fmovs	%f0,%f2
-/* 0x04c8	     */		std	%f0,[%i3+72]
-/* 0x04cc	     */		std	%f0,[%i3+80]
-/* 0x04d0	     */		std	%f0,[%i3+88]
-/* 0x04d4	     */		std	%f0,[%i3+96]
-/* 0x04d8	     */		std	%f0,[%i3+104]
-/* 0x04dc	     */		std	%f0,[%i3+112]
-/* 0x04e0	     */		std	%f0,[%i3+120]
-/* 0x04e4	     */		std	%f0,[%i3+128]
-/* 0x04e8	     */		std	%f0,[%i3+136]
-/* 0x04ec	     */		std	%f0,[%i3+144]
-/* 0x04f0	     */		std	%f0,[%i3+152]
-/* 0x04f4	     */		std	%f0,[%i3+160]
-/* 0x04f8	     */		std	%f0,[%i3+168]
-/* 0x04fc	     */		fxtod	%f2,%f6
-/* 0x0500	     */		std	%f0,[%i3+176]
-/* 0x0504	 281 */		or	%g0,1,%o2
-/* 0x0508	 273 */		std	%f0,[%i3+184]
-
-!  282		      !       {
-!  284		      !	 m2j=pdm2[j];
-!  285		      !	 a=pdtj[0]+pdn_0*digit;
-!  286		      !	 b=pdtj[1]+pdm1_0*pdm2[j+1]+a*TwoToMinus16;
-
-/* 0x050c	 286 */		sra	%o2,0,%g2
-/* 0x0510	 279 */		or	%g0,%i3,%o3
-/* 0x0514	 273 */		std	%f0,[%i3+192]
-/* 0x0518	 278 */		fmuld	%f6,%f14,%f6
-/* 0x051c	 281 */		or	%g0,0,%g1
-/* 0x0520	 273 */		std	%f0,[%i3+200]
-/* 0x0524	     */		std	%f0,[%i3+208]
-/* 0x0528	     */		std	%f0,[%i3+216]
-/* 0x052c	     */		std	%f0,[%i3+224]
-/* 0x0530	     */		std	%f0,[%i3+232]
-/* 0x0534	     */		std	%f0,[%i3+240]
-/* 0x0538	     */		std	%f0,[%i3+248]
-/* 0x053c	     */		std	%f0,[%i3+256]
-/* 0x0540	     */		std	%f0,[%i3+264]
-/* 0x0544	     */		std	%f0,[%i3+272]
-/* 0x0548	     */		std	%f0,[%i3+280]
-/* 0x054c	     */		std	%f0,[%i3+288]
-/* 0x0550	     */		std	%f0,[%i3+296]
-/* 0x0554	     */		std	%f0,[%i3+304]
-/* 0x0558	     */		std	%f0,[%i3+312]
-/* 0x055c	     */		std	%f0,[%i3+320]
-/* 0x0560	     */		std	%f0,[%i3+328]
-/* 0x0564	     */		std	%f0,[%i3+336]
-/* 0x0568	     */		std	%f0,[%i3+344]
-/* 0x056c	     */		std	%f0,[%i3+352]
-/* 0x0570	     */		std	%f0,[%i3+360]
-/* 0x0574	     */		std	%f0,[%i3+368]
-/* 0x0578	     */		std	%f0,[%i3+376]
-/* 0x057c	     */		std	%f0,[%i3+384]
-/* 0x0580	     */		std	%f0,[%i3+392]
-/* 0x0584	     */		std	%f0,[%i3+400]
-/* 0x0588	     */		std	%f0,[%i3+408]
-/* 0x058c	     */		std	%f0,[%i3+416]
-/* 0x0590	     */		std	%f0,[%i3+424]
-/* 0x0594	     */		std	%f0,[%i3+432]
-/* 0x0598	     */		std	%f0,[%i3+440]
-/* 0x059c	     */		std	%f0,[%i3+448]
-/* 0x05a0	     */		std	%f0,[%i3+456]
-/* 0x05a4	     */		std	%f0,[%i3+464]
-/* 0x05a8	     */		std	%f0,[%i3+472]
-/* 0x05ac	     */		std	%f0,[%i3+480]
-/* 0x05b0	     */		std	%f0,[%i3+488]
-/* 0x05b4	     */		std	%f0,[%i3+496]
-/* 0x05b8	 278 */		ldd	[%o5],%f8
-/* 0x05bc	     */		ldd	[%o4],%f10
-/* 0x05c0	     */		fmuld	%f6,%f8,%f8
-/* 0x05c4	 273 */		std	%f0,[%i3+504]
-/* 0x05c8	     */		std	%f0,[%i3+512]
-/* 0x05cc	     */		std	%f0,[%i3+520]
-/* 0x05d0	     */		fdtox	%f8,%f8
-/* 0x05d4	 275 */		ldd	[%o0],%f0
-/* 0x05d8	     */		fxtod	%f8,%f8
-/* 0x05dc	     */		fmuld	%f8,%f10,%f8
-/* 0x05e0	     */		fsubd	%f6,%f8,%f2
-
-!  287		      !	 pdtj[1]=b;
-!  289		      !	 /**** this loop will be fully unrolled:
-!  290		      !	 for(i=1;i<16;i++)
-!  291		      !	   {
-!  292		      !	     pdtj[2*i]+=pdm1[i]*m2j+pdn[i]*digit;
-!  293		      !	   }
-!  294		      !	 *************************************/
-!  295		      !	     pdtj[2]+=pdm1[1]*m2j+pdn[1]*digit;
-!  296		      !	     pdtj[4]+=pdm1[2]*m2j+pdn[2]*digit;
-!  297		      !	     pdtj[6]+=pdm1[3]*m2j+pdn[3]*digit;
-!  298		      !	     pdtj[8]+=pdm1[4]*m2j+pdn[4]*digit;
-!  299		      !	     pdtj[10]+=pdm1[5]*m2j+pdn[5]*digit;
-!  300		      !	     pdtj[12]+=pdm1[6]*m2j+pdn[6]*digit;
-!  301		      !	     pdtj[14]+=pdm1[7]*m2j+pdn[7]*digit;
-!  302		      !	     pdtj[16]+=pdm1[8]*m2j+pdn[8]*digit;
-!  303		      !	     pdtj[18]+=pdm1[9]*m2j+pdn[9]*digit;
-!  304		      !	     pdtj[20]+=pdm1[10]*m2j+pdn[10]*digit;
-!  305		      !	     pdtj[22]+=pdm1[11]*m2j+pdn[11]*digit;
-!  306		      !	     pdtj[24]+=pdm1[12]*m2j+pdn[12]*digit;
-!  307		      !	     pdtj[26]+=pdm1[13]*m2j+pdn[13]*digit;
-!  308		      !	     pdtj[28]+=pdm1[14]*m2j+pdn[14]*digit;
-!  309		      !	     pdtj[30]+=pdm1[15]*m2j+pdn[15]*digit;
-!  310		      !	 /* no need for cleenup, cannot overflow */
-!  311		      !	 digit=mod(lower32(b,Zero)*dn0,TwoToMinus16,TwoTo16);
-
-
-	fmovd %f2,%f0		! hand modified
-	fmovd %f30,%f18		! hand modified
-	ldd [%o0],%f2
-	ldd [%o3],%f8
-	ldd [%i1],%f10
-	ldd [%o5],%f14		! hand modified
-	ldd [%o4],%f16		! hand modified
-	ldd [%i2],%f24
-
-	ldd [%i1+8],%f26
-	ldd [%i1+16],%f40
-	ldd [%i1+48],%f46
-	ldd [%i1+56],%f30
-	ldd [%i1+64],%f54
-	ldd [%i1+104],%f34
-	ldd [%i1+112],%f58
-
-	ldd [%o0+8],%f28	
-	ldd [%o0+104],%f38
-	ldd [%o0+112],%f60
-
-	.L99999999: 			!1
-	ldd	[%i1+24],%f32
-	fmuld	%f0,%f2,%f4 	!2
-	ldd	[%o0+24],%f36
-	fmuld	%f26,%f24,%f20 	!3
-	ldd	[%i1+40],%f42
-	fmuld	%f28,%f0,%f22 	!4
-	ldd	[%o0+40],%f44
-	fmuld	%f32,%f24,%f32 	!5
-	ldd	[%i2+8],%f6
-	faddd	%f4,%f8,%f4
-	fmuld	%f36,%f0,%f36 	!6
-	add	%i2,8,%i2
-	ldd	[%o0+56],%f50
-	fmuld	%f42,%f24,%f42 	!7
-	ldd	[%i1+72],%f52
-	faddd	%f20,%f22,%f20
-	fmuld	%f44,%f0,%f44 	!8
-	ldd	[%o3+16],%f22
-	fmuld	%f10,%f6,%f12 	!9
-	ldd	[%o0+72],%f56
-	faddd	%f32,%f36,%f32
-	fmuld	%f14,%f4,%f4 !10
-	ldd	[%o3+48],%f36
-	fmuld	%f30,%f24,%f48 	!11
-	ldd	[%o3+8],%f8
-	faddd	%f20,%f22,%f20
-	fmuld	%f50,%f0,%f50	!12
-	std	%f20,[%o3+16]
-	faddd	%f42,%f44,%f42
-	fmuld	%f52,%f24,%f52 	!13
-	ldd	[%o3+80],%f44
-	faddd	%f4,%f12,%f4
-	fmuld	%f56,%f0,%f56 	!14
-	ldd	[%i1+88],%f20
-	faddd	%f32,%f36,%f32 	!15
-	ldd	[%o0+88],%f22
-	faddd	%f48,%f50,%f48 	!16
-	ldd	[%o3+112],%f50
-	faddd	%f52,%f56,%f52 	!17
-	ldd	[%o3+144],%f56
-	faddd	%f4,%f8,%f8
-	fmuld	%f20,%f24,%f20 	!18
-	std	%f32,[%o3+48]
-	faddd	%f42,%f44,%f42
-	fmuld	%f22,%f0,%f22 	!19
-	std	%f42,[%o3+80]
-	faddd	%f48,%f50,%f48
-	fmuld	%f34,%f24,%f32 	!20
-	std	%f48,[%o3+112]
-	faddd	%f52,%f56,%f52
-	fmuld	%f38,%f0,%f36 	!21
-	ldd	[%i1+120],%f42
-	fdtox	%f8,%f4 		!22
-	std	%f52,[%o3+144]
-	faddd	%f20,%f22,%f20 	!23
-	ldd	[%o0+120],%f44 	!24
-	ldd	[%o3+176],%f22
-	faddd	%f32,%f36,%f32
-	fmuld	%f42,%f24,%f42 	!25
-	ldd	[%o0+16],%f50
-	fmovs	%f17,%f4 	!26
-	ldd	[%i1+32],%f52
-	fmuld	%f44,%f0,%f44 	!27
-	ldd	[%o0+32],%f56
-	fmuld	%f40,%f24,%f48 	!28
-	ldd	[%o3+208],%f36
-	faddd	%f20,%f22,%f20
-	fmuld	%f50,%f0,%f50 	!29
-	std	%f20,[%o3+176]
-	fxtod	%f4,%f4
-	fmuld	%f52,%f24,%f52 	!30
-	ldd	[%o0+48],%f22
-	faddd	%f42,%f44,%f42
-	fmuld	%f56,%f0,%f56 	!31
-	ldd	[%o3+240],%f44
-	faddd	%f32,%f36,%f32 	!32
-	std	%f32,[%o3+208]
-	faddd	%f48,%f50,%f48
-	fmuld	%f46,%f24,%f20 	!33
-	ldd	[%o3+32],%f50
-	fmuld	%f4,%f18,%f12 	!34
-	ldd	[%o0+64],%f36
-	faddd	%f52,%f56,%f52
-	fmuld	%f22,%f0,%f22 	!35
-	ldd	[%o3+64],%f56
-	faddd	%f42,%f44,%f42 	!36
-	std	%f42,[%o3+240]
-	faddd	%f48,%f50,%f48
-	fmuld	%f54,%f24,%f32 	!37
-	std	%f48,[%o3+32]
-	fmuld	%f12,%f14,%f4 !38
-	ldd	[%i1+80],%f42
-	faddd	%f52,%f56,%f56	! yes, tmp52!
-	fmuld	%f36,%f0,%f36 	!39
-	ldd	[%o0+80],%f44
-	faddd	%f20,%f22,%f20 	!40
-	ldd	[%i1+96],%f48
-	fmuld	%f58,%f24,%f52 	!41
-	ldd	[%o0+96],%f50
-	fdtox	%f4,%f4
-	fmuld	%f42,%f24,%f42 	!42
-	std	%f56,[%o3+64]	! yes, tmp52!
-	faddd	%f32,%f36,%f32
-	fmuld	%f44,%f0,%f44 	!43
-	ldd	[%o3+96],%f22
-	fmuld	%f48,%f24,%f48 	!44
-	ldd	[%o3+128],%f36
-	fmovd	%f6,%f24
-	fmuld	%f50,%f0,%f50 	!45
-	fxtod	%f4,%f4
-	fmuld	%f60,%f0,%f56 	!46
-	add	%o3,8,%o3
-	faddd	%f42,%f44,%f42 	!47
-	ldd	[%o3+160-8],%f44
-	faddd	%f20,%f22,%f20 	!48
-	std	%f20,[%o3+96-8]
-	faddd	%f48,%f50,%f48 	!49
-	ldd	[%o3+192-8],%f50
-	faddd	%f52,%f56,%f52
-	fmuld	%f4,%f16,%f4 	!50
-	ldd	[%o3+224-8],%f56
-	faddd	%f32,%f36,%f32 	!51
-	std	%f32,[%o3+128-8]
-	faddd	%f42,%f44,%f42 	!52
-	add	%g1,1,%g1
-	std	%f42,[%o3+160-8]
-	faddd	%f48,%f50,%f48 	!53
-	cmp	%g1,31
-	std	%f48,[%o3+192-8]
-	fsubd	%f12,%f4,%f0 	!54
-	faddd	%f52,%f56,%f52
-	ble,pt	%icc,.L99999999
-	std	%f52,[%o3+224-8] 	!55
-	std %f8,[%o3]
-!  312		      !       }
-!  313		      !   }
-!  315		      ! conv_d16_to_i32(result,dt+2*nlen,(long long *)dt,nlen+1);
-
-/* 0x0844	 315 */		sllx	%g5,3,%g2
-                       .L900000650:
-/* 0x0848	 315 */		ldd	[%g2+%l4],%f2
-/* 0x084c	     */		add	%l4,%g2,%o0
-/* 0x0850	     */		or	%g0,0,%g1
-/* 0x0854	     */		ldd	[%o0+8],%f4
-/* 0x0858	     */		or	%g0,0,%i2
-/* 0x085c	     */		cmp	%l0,0
-/* 0x0860	     */		fdtox	%f2,%f2
-/* 0x0864	     */		std	%f2,[%sp+2255]
-/* 0x0868	 311 */		sethi	%hi(0xfc00),%o3
-/* 0x086c	 315 */		fdtox	%f4,%f2
-/* 0x0870	     */		std	%f2,[%sp+2247]
-/* 0x0874	 311 */		or	%g0,-1,%o2
-/* 0x0878	     */		srl	%o2,0,%o5
-/* 0x087c	     */		or	%g0,2,%g5
-/* 0x0880	     */		sub	%l0,1,%g3
-/* 0x0884	     */		or	%g0,%o0,%o7
-/* 0x0888	     */		add	%o3,1023,%o4
-/* 0x088c	 315 */		or	%g0,64,%o3
-/* 0x0890	     */		ldx	[%sp+2255],%i0
-/* 0x0894	     */		sub	%l0,2,%o1
-/* 0x0898	     */		ldx	[%sp+2247],%i1
-/* 0x089c	     */		ble,pt	%icc,.L900000648
-/* 0x08a0	     */		sethi	%hi(0xfc00),%g2
-/* 0x08a4	     */		cmp	%l0,6
-/* 0x08a8	     */		and	%i0,%o5,%o2
-/* 0x08ac	     */		bl,pn	%icc,.L77000287
-/* 0x08b0	     */		or	%g0,3,%g4
-/* 0x08b4	     */		ldd	[%o7+16],%f0
-/* 0x08b8	     */		and	%i1,%o4,%i3
-/* 0x08bc	     */		sllx	%i3,16,%o0
-/* 0x08c0	     */		or	%g0,5,%g4
-/* 0x08c4	     */		srax	%i1,16,%i4
-/* 0x08c8	     */		fdtox	%f0,%f0
-/* 0x08cc	     */		std	%f0,[%sp+2239]
-/* 0x08d0	     */		srax	%i0,32,%i1
-/* 0x08d4	     */		add	%o2,%o0,%i5
-/* 0x08d8	     */		ldd	[%o7+24],%f0
-/* 0x08dc	     */		and	%i5,%o5,%l1
-/* 0x08e0	     */		or	%g0,72,%o2
-/* 0x08e4	     */		or	%g0,4,%o0
-/* 0x08e8	     */		or	%g0,4,%g5
-/* 0x08ec	     */		ldx	[%sp+2239],%g1
-/* 0x08f0	     */		fdtox	%f0,%f0
-/* 0x08f4	     */		or	%g0,4,%i2
-/* 0x08f8	     */		std	%f0,[%sp+2231]
-/* 0x08fc	     */		ldd	[%o7+40],%f2
-/* 0x0900	     */		and	%g1,%o5,%i3
-/* 0x0904	     */		ldd	[%o7+32],%f0
-/* 0x0908	     */		srax	%g1,32,%g1
-/* 0x090c	     */		ldd	[%o7+56],%f4
-/* 0x0910	     */		fdtox	%f2,%f2
-/* 0x0914	     */		ldx	[%sp+2231],%g2
-/* 0x0918	     */		fdtox	%f0,%f0
-/* 0x091c	     */		st	%l1,[%l2]
-/* 0x0920	     */		srax	%i5,32,%l1
-/* 0x0924	     */		fdtox	%f4,%f4
-/* 0x0928	     */		std	%f2,[%sp+2231]
-/* 0x092c	     */		and	%g2,%o4,%i5
-/* 0x0930	     */		add	%i4,%l1,%i4
-/* 0x0934	     */		std	%f0,[%sp+2239]
-/* 0x0938	     */		sllx	%i5,16,%i0
-/* 0x093c	     */		add	%i1,%i4,%i1
-/* 0x0940	     */		ldd	[%o7+48],%f2
-/* 0x0944	     */		srax	%g2,16,%g2
-/* 0x0948	     */		add	%i3,%i0,%i0
-/* 0x094c	     */		ldd	[%o7+72],%f0
-/* 0x0950	     */		add	%i0,%i1,%i3
-/* 0x0954	     */		srax	%i3,32,%i4
-/* 0x0958	     */		fdtox	%f2,%f2
-/* 0x095c	     */		and	%i3,%o5,%i3
-/* 0x0960	     */		ldx	[%sp+2231],%i1
-/* 0x0964	     */		add	%g2,%i4,%g2
-/* 0x0968	     */		ldx	[%sp+2239],%i0
-/* 0x096c	     */		add	%g1,%g2,%g1
-/* 0x0970	     */		std	%f2,[%sp+2239]
-/* 0x0974	     */		std	%f4,[%sp+2231]
-/* 0x0978	     */		ldd	[%o7+64],%f2
-/* 0x097c	     */		st	%i3,[%l2+4]
-                       .L900000631:
-/* 0x0980	     */		ldx	[%sp+2231],%i3
-/* 0x0984	     */		add	%i2,2,%i2
-/* 0x0988	     */		add	%g4,4,%g4
-/* 0x098c	     */		ldx	[%sp+2239],%i5
-/* 0x0990	     */		add	%o2,16,%o2
-/* 0x0994	     */		and	%i1,%o4,%g2
-/* 0x0998	     */		sllx	%g2,16,%i4
-/* 0x099c	     */		and	%i0,%o5,%g2
-/* 0x09a0	     */		ldd	[%o7+%o2],%f4
-/* 0x09a4	     */		fdtox	%f0,%f0
-/* 0x09a8	     */		std	%f0,[%sp+2231]
-/* 0x09ac	     */		srax	%i1,16,%i1
-/* 0x09b0	     */		add	%g2,%i4,%g2
-/* 0x09b4	     */		fdtox	%f2,%f0
-/* 0x09b8	     */		add	%o3,16,%o3
-/* 0x09bc	     */		std	%f0,[%sp+2239]
-/* 0x09c0	     */		add	%g2,%g1,%g1
-/* 0x09c4	     */		ldd	[%o7+%o3],%f2
-/* 0x09c8	     */		srax	%g1,32,%i4
-/* 0x09cc	     */		cmp	%i2,%o1
-/* 0x09d0	     */		srax	%i0,32,%g2
-/* 0x09d4	     */		add	%i1,%i4,%i0
-/* 0x09d8	     */		add	%g2,%i0,%i4
-/* 0x09dc	     */		add	%o0,4,%o0
-/* 0x09e0	     */		and	%g1,%o5,%g2
-/* 0x09e4	     */		or	%g0,%i5,%g1
-/* 0x09e8	     */		st	%g2,[%l2+%o0]
-/* 0x09ec	     */		add	%g5,4,%g5
-/* 0x09f0	     */		ldx	[%sp+2231],%i1
-/* 0x09f4	     */		ldx	[%sp+2239],%i0
-/* 0x09f8	     */		add	%o2,16,%o2
-/* 0x09fc	     */		and	%i3,%o4,%g2
-/* 0x0a00	     */		sllx	%g2,16,%i5
-/* 0x0a04	     */		and	%g1,%o5,%g2
-/* 0x0a08	     */		ldd	[%o7+%o2],%f0
-/* 0x0a0c	     */		fdtox	%f4,%f4
-/* 0x0a10	     */		std	%f4,[%sp+2231]
-/* 0x0a14	     */		srax	%i3,16,%i3
-/* 0x0a18	     */		add	%g2,%i5,%g2
-/* 0x0a1c	     */		fdtox	%f2,%f2
-/* 0x0a20	     */		add	%o3,16,%o3
-/* 0x0a24	     */		std	%f2,[%sp+2239]
-/* 0x0a28	     */		add	%g2,%i4,%g2
-/* 0x0a2c	     */		ldd	[%o7+%o3],%f2
-/* 0x0a30	     */		srax	%g2,32,%i4
-/* 0x0a34	     */		srax	%g1,32,%g1
-/* 0x0a38	     */		add	%i3,%i4,%i3
-/* 0x0a3c	     */		add	%g1,%i3,%g1
-/* 0x0a40	     */		add	%o0,4,%o0
-/* 0x0a44	     */		and	%g2,%o5,%g2
-/* 0x0a48	     */		ble,pt	%icc,.L900000631
-/* 0x0a4c	     */		st	%g2,[%l2+%o0]
-                       .L900000634:
-/* 0x0a50	     */		srax	%i1,16,%i5
-/* 0x0a54	     */		ldx	[%sp+2231],%o1
-/* 0x0a58	     */		and	%i1,%o4,%i3
-/* 0x0a5c	     */		sllx	%i3,16,%i3
-/* 0x0a60	     */		ldx	[%sp+2239],%i4
-/* 0x0a64	     */		and	%i0,%o5,%g2
-/* 0x0a68	     */		add	%g2,%i3,%g2
-/* 0x0a6c	     */		and	%o1,%o4,%i3
-/* 0x0a70	     */		fdtox	%f0,%f4
-/* 0x0a74	     */		sllx	%i3,16,%i3
-/* 0x0a78	     */		std	%f4,[%sp+2231]
-/* 0x0a7c	     */		add	%g2,%g1,%g2
-/* 0x0a80	     */		srax	%g2,32,%l1
-/* 0x0a84	     */		and	%i4,%o5,%i1
-/* 0x0a88	     */		fdtox	%f2,%f0
-/* 0x0a8c	     */		srax	%i0,32,%g1
-/* 0x0a90	     */		std	%f0,[%sp+2239]
-/* 0x0a94	     */		add	%i5,%l1,%i0
-/* 0x0a98	     */		srax	%o1,16,%o1
-/* 0x0a9c	     */		add	%g1,%i0,%i0
-/* 0x0aa0	     */		add	%o0,4,%g1
-/* 0x0aa4	     */		add	%i1,%i3,%o0
-/* 0x0aa8	     */		and	%g2,%o5,%g2
-/* 0x0aac	     */		st	%g2,[%l2+%g1]
-/* 0x0ab0	     */		add	%o0,%i0,%o0
-/* 0x0ab4	     */		srax	%o0,32,%i3
-/* 0x0ab8	     */		ldx	[%sp+2231],%i1
-/* 0x0abc	     */		add	%g1,4,%g1
-/* 0x0ac0	     */		ldx	[%sp+2239],%i0
-/* 0x0ac4	     */		and	%o0,%o5,%g2
-/* 0x0ac8	     */		add	%o1,%i3,%o1
-/* 0x0acc	     */		srax	%i4,32,%o0
-/* 0x0ad0	     */		cmp	%i2,%g3
-/* 0x0ad4	     */		st	%g2,[%l2+%g1]
-/* 0x0ad8	     */		bg,pn	%icc,.L77000236
-/* 0x0adc	     */		add	%o0,%o1,%g1
-/* 0x0ae0	     */		add	%g4,6,%g4
-/* 0x0ae4	     */		add	%g5,6,%g5
-                       .L77000287:
-/* 0x0ae8	     */		sra	%g5,0,%o1
-                       .L900000647:
-/* 0x0aec	     */		sllx	%o1,3,%o2
-/* 0x0af0	     */		and	%i0,%o5,%o0
-/* 0x0af4	     */		ldd	[%o7+%o2],%f0
-/* 0x0af8	     */		sra	%g4,0,%o2
-/* 0x0afc	     */		and	%i1,%o4,%o1
-/* 0x0b00	     */		sllx	%o2,3,%o2
-/* 0x0b04	     */		add	%g1,%o0,%o0
-/* 0x0b08	     */		fdtox	%f0,%f0
-/* 0x0b0c	     */		std	%f0,[%sp+2239]
-/* 0x0b10	     */		sllx	%o1,16,%o1
-/* 0x0b14	     */		add	%o0,%o1,%o1
-/* 0x0b18	     */		add	%g5,2,%g5
-/* 0x0b1c	     */		ldd	[%o7+%o2],%f0
-/* 0x0b20	     */		srax	%o1,32,%g1
-/* 0x0b24	     */		and	%o1,%o5,%o2
-/* 0x0b28	     */		srax	%i1,16,%o0
-/* 0x0b2c	     */		add	%g4,2,%g4
-/* 0x0b30	     */		fdtox	%f0,%f0
-/* 0x0b34	     */		std	%f0,[%sp+2231]
-/* 0x0b38	     */		sra	%i2,0,%o1
-/* 0x0b3c	     */		sllx	%o1,2,%o1
-/* 0x0b40	     */		add	%o0,%g1,%g2
-/* 0x0b44	     */		srax	%i0,32,%g1
-/* 0x0b48	     */		add	%i2,1,%i2
-/* 0x0b4c	     */		add	%g1,%g2,%g1
-/* 0x0b50	     */		cmp	%i2,%g3
-/* 0x0b54	     */		ldx	[%sp+2239],%o3
-/* 0x0b58	     */		ldx	[%sp+2231],%i1
-/* 0x0b5c	     */		st	%o2,[%l2+%o1]
-/* 0x0b60	     */		or	%g0,%o3,%i0
-/* 0x0b64	     */		ble,pt	%icc,.L900000647
-/* 0x0b68	     */		sra	%g5,0,%o1
-                       .L77000236:
-/* 0x0b6c	     */		sethi	%hi(0xfc00),%g2
-                       .L900000648:
-/* 0x0b70	     */		or	%g0,-1,%o0
-/* 0x0b74	     */		add	%g2,1023,%g2
-/* 0x0b78	     */		srl	%o0,0,%g3
-/* 0x0b7c	     */		and	%i1,%g2,%g2
-/* 0x0b80	     */		and	%i0,%g3,%g4
-/* 0x0b84	     */		sllx	%g2,16,%g2
-/* 0x0b88	     */		add	%g1,%g4,%g4
-/* 0x0b8c	     */		sra	%i2,0,%g5
-/* 0x0b90	     */		add	%g4,%g2,%g4
-/* 0x0b94	     */		sllx	%g5,2,%g2
-/* 0x0b98	     */		and	%g4,%g3,%g3
-/* 0x0b9c	     */		st	%g3,[%l2+%g2]
-
-!  317		      ! adjust_montf_result(result,nint,nlen); 
-
-/* 0x0ba0	 317 */		sra	%l0,0,%g4
-/* 0x0ba4	     */		sllx	%g4,2,%g2
-/* 0x0ba8	     */		ld	[%l2+%g2],%g2
-/* 0x0bac	     */		cmp	%g2,0
-/* 0x0bb0	     */		bleu,pn	%icc,.L77000241
-/* 0x0bb4	     */		or	%g0,-1,%o1
-/* 0x0bb8	     */		ba	.L900000646
-/* 0x0bbc	     */		cmp	%o1,0
-                       .L77000241:
-/* 0x0bc0	     */		sub	%l0,1,%o1
-/* 0x0bc4	     */		cmp	%o1,0
-/* 0x0bc8	     */		bl,pn	%icc,.L77000244
-/* 0x0bcc	     */		sra	%o1,0,%g2
-                       .L900000645:
-/* 0x0bd0	     */		sllx	%g2,2,%g2
-/* 0x0bd4	     */		sub	%o1,1,%o0
-/* 0x0bd8	     */		ld	[%l3+%g2],%g3
-/* 0x0bdc	     */		ld	[%l2+%g2],%g2
-/* 0x0be0	     */		cmp	%g2,%g3
-/* 0x0be4	     */		bne,pn	%icc,.L77000244
-/* 0x0be8	     */		nop
-/* 0x0bec	   0 */		or	%g0,%o0,%o1
-/* 0x0bf0	 317 */		cmp	%o0,0
-/* 0x0bf4	     */		bge,pt	%icc,.L900000645
-/* 0x0bf8	     */		sra	%o1,0,%g2
-                       .L77000244:
-/* 0x0bfc	     */		cmp	%o1,0
-                       .L900000646:
-/* 0x0c00	     */		bl,pn	%icc,.L77000288
-/* 0x0c04	     */		sra	%o1,0,%g2
-/* 0x0c08	     */		sllx	%g2,2,%g2
-/* 0x0c0c	     */		ld	[%l3+%g2],%g3
-/* 0x0c10	     */		ld	[%l2+%g2],%g2
-/* 0x0c14	     */		cmp	%g2,%g3
-/* 0x0c18	     */		bleu,pt	%icc,.L77000224
-/* 0x0c1c	     */		nop
-                       .L77000288:
-/* 0x0c20	     */		cmp	%l0,0
-/* 0x0c24	     */		ble,pt	%icc,.L77000224
-/* 0x0c28	     */		nop
-/* 0x0c2c	 317 */		or	%g0,-1,%g2
-/* 0x0c30	 315 */		or	%g0,0,%i0
-/* 0x0c34	 317 */		srl	%g2,0,%g2
-/* 0x0c38	 315 */		or	%g0,0,%g4
-/* 0x0c3c	     */		or	%g0,0,%o1
-/* 0x0c40	 317 */		sub	%l0,1,%g5
-/* 0x0c44	     */		cmp	%l0,9
-/* 0x0c48	 315 */		or	%g0,8,%o5
-/* 0x0c4c	     */		bl,pn	%icc,.L77000289
-/* 0x0c50	     */		sub	%l0,4,%o7
-/* 0x0c54	     */		ld	[%l2],%o1
-/* 0x0c58	     */		or	%g0,5,%i0
-/* 0x0c5c	     */		ld	[%l3],%o2
-/* 0x0c60	     */		or	%g0,12,%o4
-/* 0x0c64	     */		or	%g0,16,%g1
-/* 0x0c68	     */		ld	[%l3+4],%o3
-/* 0x0c6c	     */		ld	[%l2+4],%o0
-/* 0x0c70	     */		sub	%o1,%o2,%o1
-/* 0x0c74	     */		ld	[%l3+8],%i1
-/* 0x0c78	     */		and	%o1,%g2,%g4
-/* 0x0c7c	     */		st	%g4,[%l2]
-/* 0x0c80	     */		srax	%o1,32,%g4
-/* 0x0c84	     */		sub	%o0,%o3,%o0
-/* 0x0c88	     */		ld	[%l3+12],%o2
-/* 0x0c8c	     */		add	%o0,%g4,%o0
-/* 0x0c90	     */		and	%o0,%g2,%g4
-/* 0x0c94	     */		st	%g4,[%l2+4]
-/* 0x0c98	     */		srax	%o0,32,%o0
-/* 0x0c9c	     */		ld	[%l2+8],%o1
-/* 0x0ca0	     */		ld	[%l2+12],%o3
-/* 0x0ca4	     */		sub	%o1,%i1,%o1
-                       .L900000635:
-/* 0x0ca8	     */		add	%g1,4,%g3
-/* 0x0cac	     */		ld	[%g1+%l2],%g4
-/* 0x0cb0	     */		add	%o1,%o0,%o0
-/* 0x0cb4	     */		ld	[%l3+%g1],%i1
-/* 0x0cb8	     */		sub	%o3,%o2,%o1
-/* 0x0cbc	     */		and	%o0,%g2,%o2
-/* 0x0cc0	     */		st	%o2,[%o5+%l2]
-/* 0x0cc4	     */		srax	%o0,32,%o2
-/* 0x0cc8	     */		add	%i0,4,%i0
-/* 0x0ccc	     */		add	%g1,8,%o5
-/* 0x0cd0	     */		ld	[%g3+%l2],%o0
-/* 0x0cd4	     */		add	%o1,%o2,%o1
-/* 0x0cd8	     */		ld	[%l3+%g3],%o3
-/* 0x0cdc	     */		sub	%g4,%i1,%o2
-/* 0x0ce0	     */		and	%o1,%g2,%g4
-/* 0x0ce4	     */		st	%g4,[%o4+%l2]
-/* 0x0ce8	     */		srax	%o1,32,%g4
-/* 0x0cec	     */		cmp	%i0,%o7
-/* 0x0cf0	     */		add	%g1,12,%o4
-/* 0x0cf4	     */		ld	[%o5+%l2],%o1
-/* 0x0cf8	     */		add	%o2,%g4,%o2
-/* 0x0cfc	     */		ld	[%l3+%o5],%i1
-/* 0x0d00	     */		sub	%o0,%o3,%o0
-/* 0x0d04	     */		and	%o2,%g2,%o3
-/* 0x0d08	     */		st	%o3,[%g1+%l2]
-/* 0x0d0c	     */		srax	%o2,32,%g4
-/* 0x0d10	     */		ld	[%o4+%l2],%o3
-/* 0x0d14	     */		add	%g1,16,%g1
-/* 0x0d18	     */		add	%o0,%g4,%o0
-/* 0x0d1c	     */		ld	[%l3+%o4],%o2
-/* 0x0d20	     */		sub	%o1,%i1,%o1
-/* 0x0d24	     */		and	%o0,%g2,%g4
-/* 0x0d28	     */		st	%g4,[%g3+%l2]
-/* 0x0d2c	     */		ble,pt	%icc,.L900000635
-/* 0x0d30	     */		srax	%o0,32,%o0
-                       .L900000638:
-/* 0x0d34	     */		add	%o1,%o0,%g3
-/* 0x0d38	     */		sub	%o3,%o2,%o1
-/* 0x0d3c	     */		ld	[%g1+%l2],%o0
-/* 0x0d40	     */		ld	[%l3+%g1],%o2
-/* 0x0d44	     */		srax	%g3,32,%o7
-/* 0x0d48	     */		and	%g3,%g2,%o3
-/* 0x0d4c	     */		add	%o1,%o7,%o1
-/* 0x0d50	     */		st	%o3,[%o5+%l2]
-/* 0x0d54	     */		cmp	%i0,%g5
-/* 0x0d58	     */		sub	%o0,%o2,%o0
-/* 0x0d5c	     */		and	%o1,%g2,%o2
-/* 0x0d60	     */		st	%o2,[%o4+%l2]
-/* 0x0d64	     */		srax	%o1,32,%o1
-/* 0x0d68	     */		sra	%i0,0,%o2
-/* 0x0d6c	     */		add	%o0,%o1,%o0
-/* 0x0d70	     */		srax	%o0,32,%g4
-/* 0x0d74	     */		and	%o0,%g2,%o1
-/* 0x0d78	     */		st	%o1,[%g1+%l2]
-/* 0x0d7c	     */		bg,pn	%icc,.L77000224
-/* 0x0d80	     */		sllx	%o2,2,%o1
-                       .L77000289:
-/* 0x0d84	   0 */		or	%g0,%o1,%g1
-                       .L900000644:
-/* 0x0d88	     */		ld	[%o1+%l2],%o0
-/* 0x0d8c	     */		add	%i0,1,%i0
-/* 0x0d90	     */		ld	[%l3+%o1],%o1
-/* 0x0d94	     */		sra	%i0,0,%o2
-/* 0x0d98	     */		cmp	%i0,%g5
-/* 0x0d9c	     */		add	%g4,%o0,%o0
-/* 0x0da0	     */		sub	%o0,%o1,%o0
-/* 0x0da4	     */		srax	%o0,32,%g4
-/* 0x0da8	     */		and	%o0,%g2,%o1
-/* 0x0dac	     */		st	%o1,[%g1+%l2]
-/* 0x0db0	     */		sllx	%o2,2,%o1
-/* 0x0db4	     */		ble,pt	%icc,.L900000644
-/* 0x0db8	     */		or	%g0,%o1,%g1
-                       .L77000224:
-/* 0x0dbc	     */		ret	! Result = 
-/* 0x0dc0	     */		restore	%g0,%g0,%g0
-/* 0x0dc4	   0 */		.type	mont_mulf_noconv,2
-/* 0x0dc4	     */		.size	mont_mulf_noconv,(.-mont_mulf_noconv)
-
diff --git a/security/nss/lib/freebl/mpi/mp_comba.c b/security/nss/lib/freebl/mpi/mp_comba.c
deleted file mode 100644
index afac82a74..000000000
--- a/security/nss/lib/freebl/mpi/mp_comba.c
+++ /dev/null
@@ -1,1306 +0,0 @@
-/*
- * The below file is derived from TFM v0.03.
- * It contains code from fp_mul_comba.c and
- * fp_sqr_comba.c, which contained the following license.
- *
- * Right now, the assembly in this file limits
- * this code to AMD 64.
- *
- * This file is public domain.
- */
-
-/* TomsFastMath, a fast ISO C bignum library.
- * 
- * This project is meant to fill in where LibTomMath
- * falls short.  That is speed ;-)
- *
- * This project is public domain and free for all purposes.
- * 
- * Tom St Denis, tomstdenis@iahu.ca
- */
-
-
-#include "mpi-priv.h"
-
-
-
-/* clamp digits */
-#define mp_clamp(a)   { while ((a)->used && (a)->dp[(a)->used-1] == 0) --((a)->used); (a)->sign = (a)->used ? (a)->sign : ZPOS; }
-
-/* anything you need at the start */
-#define COMBA_START
-
-/* clear the chaining variables */
-#define COMBA_CLEAR \
-   c0 = c1 = c2 = 0;
-
-/* forward the carry to the next digit */
-#define COMBA_FORWARD \
-   do { c0 = c1; c1 = c2; c2 = 0; } while (0);
-
-/* anything you need at the end */
-#define COMBA_FINI
-
-/* this should multiply i and j  */
-#define MULADD(i, j)                                      \
-__asm__  (                                                    \
-     "movq  %6,%%rax     \n\t"                            \
-     "mulq  %7           \n\t"                            \
-     "addq  %%rax,%0     \n\t"                            \
-     "adcq  %%rdx,%1     \n\t"                            \
-     "adcq  $0,%2        \n\t"                            \
-     :"=r"(c0), "=r"(c1), "=r"(c2): "0"(c0), "1"(c1), "2"(c2), "g"(i), "g"(j)  :"%rax","%rdx","%cc");
-
-
-
-
-/* sqr macros only */
-#define CLEAR_CARRY \
-   c0 = c1 = c2 = 0;
-
-#define COMBA_STORE(x) \
-   x = c0;
-
-#define COMBA_STORE2(x) \
-   x = c1;
-
-#define CARRY_FORWARD \
-   do { c0 = c1; c1 = c2; c2 = 0; } while (0);
-
-#define COMBA_FINI
-
-#define SQRADD(i, j)                                      \
-__asm__ (                                                     \
-     "movq  %6,%%rax     \n\t"                            \
-     "mulq  %%rax        \n\t"                            \
-     "addq  %%rax,%0     \n\t"                            \
-     "adcq  %%rdx,%1     \n\t"                            \
-     "adcq  $0,%2        \n\t"                            \
-     :"=r"(c0), "=r"(c1), "=r"(c2): "0"(c0), "1"(c1), "2"(c2), "g"(i) :"%rax","%rdx","%cc");
-
-#define SQRADD2(i, j)                                     \
-__asm__ (                                                     \
-     "movq  %6,%%rax     \n\t"                            \
-     "mulq  %7           \n\t"                            \
-     "addq  %%rax,%0     \n\t"                            \
-     "adcq  %%rdx,%1     \n\t"                            \
-     "adcq  $0,%2        \n\t"                            \
-     "addq  %%rax,%0     \n\t"                            \
-     "adcq  %%rdx,%1     \n\t"                            \
-     "adcq  $0,%2        \n\t"                            \
-     :"=r"(c0), "=r"(c1), "=r"(c2): "0"(c0), "1"(c1), "2"(c2), "g"(i), "g"(j)  :"%rax","%rdx","%cc");
-
-#define SQRADDSC(i, j)                                    \
-__asm__ (                                                     \
-     "movq  %6,%%rax     \n\t"                            \
-     "mulq  %7           \n\t"                            \
-     "movq  %%rax,%0     \n\t"                            \
-     "movq  %%rdx,%1     \n\t"                            \
-     "xorq  %2,%2        \n\t"                            \
-     :"=r"(sc0), "=r"(sc1), "=r"(sc2): "0"(sc0), "1"(sc1), "2"(sc2), "g"(i), "g"(j) :"%rax","%rdx","%cc");
-
-#define SQRADDAC(i, j)                                                         \
-__asm__ (                                                     \
-     "movq  %6,%%rax     \n\t"                            \
-     "mulq  %7           \n\t"                            \
-     "addq  %%rax,%0     \n\t"                            \
-     "adcq  %%rdx,%1     \n\t"                            \
-     "adcq  $0,%2        \n\t"                            \
-     :"=r"(sc0), "=r"(sc1), "=r"(sc2): "0"(sc0), "1"(sc1), "2"(sc2), "g"(i), "g"(j) :"%rax","%rdx","%cc");
-
-#define SQRADDDB                                                               \
-__asm__ (                                                     \
-     "addq %3,%0         \n\t"                            \
-     "adcq %4,%1         \n\t"                            \
-     "adcq %5,%2         \n\t"                            \
-     "addq %3,%0         \n\t"                            \
-     "adcq %4,%1         \n\t"                            \
-     "adcq %5,%2         \n\t"                            \
-     :"=r"(c0), "=r"(c1), "=r"(c2), "=r"(sc0), "=r"(sc1), "=r"(sc2) : "0"(c0), "1"(c1), "2"(c2), "3"(sc0), "4"(sc1), "5"(sc2) : "%cc");
-
-
-
-
-
-void s_mp_mul_comba_4(const mp_int *A, const mp_int *B, mp_int *C)
-{
-   mp_digit c0, c1, c2, at[8];
-
-   memcpy(at, A->dp, 4 * sizeof(mp_digit));
-   memcpy(at+4, B->dp, 4 * sizeof(mp_digit));
-   COMBA_START;
-   
-   COMBA_CLEAR;
-   /* 0 */
-   MULADD(at[0], at[4]); 
-   COMBA_STORE(C->dp[0]);
-   /* 1 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[5]);       MULADD(at[1], at[4]); 
-   COMBA_STORE(C->dp[1]);
-   /* 2 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[6]);       MULADD(at[1], at[5]);       MULADD(at[2], at[4]); 
-   COMBA_STORE(C->dp[2]);
-   /* 3 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[7]);       MULADD(at[1], at[6]);       MULADD(at[2], at[5]);       MULADD(at[3], at[4]); 
-   COMBA_STORE(C->dp[3]);
-   /* 4 */
-   COMBA_FORWARD;
-   MULADD(at[1], at[7]);       MULADD(at[2], at[6]);       MULADD(at[3], at[5]); 
-   COMBA_STORE(C->dp[4]);
-   /* 5 */
-   COMBA_FORWARD;
-   MULADD(at[2], at[7]);       MULADD(at[3], at[6]); 
-   COMBA_STORE(C->dp[5]);
-   /* 6 */
-   COMBA_FORWARD;
-   MULADD(at[3], at[7]); 
-   COMBA_STORE(C->dp[6]);
-   COMBA_STORE2(C->dp[7]);
-   C->used = 8;
-   C->sign = A->sign ^ B->sign;
-   mp_clamp(C);
-   COMBA_FINI;
-}
-
-void s_mp_mul_comba_8(const mp_int *A, const mp_int *B, mp_int *C)
-{
-   mp_digit c0, c1, c2, at[16];
-
-   memcpy(at, A->dp, 8 * sizeof(mp_digit));
-   memcpy(at+8, B->dp, 8 * sizeof(mp_digit));
-   COMBA_START;
-
-   COMBA_CLEAR;
-   /* 0 */
-   MULADD(at[0], at[8]); 
-   COMBA_STORE(C->dp[0]);
-   /* 1 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[9]);       MULADD(at[1], at[8]); 
-   COMBA_STORE(C->dp[1]);
-   /* 2 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[10]);       MULADD(at[1], at[9]);       MULADD(at[2], at[8]); 
-   COMBA_STORE(C->dp[2]);
-   /* 3 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[11]);       MULADD(at[1], at[10]);       MULADD(at[2], at[9]);       MULADD(at[3], at[8]); 
-   COMBA_STORE(C->dp[3]);
-   /* 4 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[12]);       MULADD(at[1], at[11]);       MULADD(at[2], at[10]);       MULADD(at[3], at[9]);       MULADD(at[4], at[8]); 
-   COMBA_STORE(C->dp[4]);
-   /* 5 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[13]);       MULADD(at[1], at[12]);       MULADD(at[2], at[11]);       MULADD(at[3], at[10]);       MULADD(at[4], at[9]);       MULADD(at[5], at[8]); 
-   COMBA_STORE(C->dp[5]);
-   /* 6 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[14]);       MULADD(at[1], at[13]);       MULADD(at[2], at[12]);       MULADD(at[3], at[11]);       MULADD(at[4], at[10]);       MULADD(at[5], at[9]);       MULADD(at[6], at[8]); 
-   COMBA_STORE(C->dp[6]);
-   /* 7 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[15]);       MULADD(at[1], at[14]);       MULADD(at[2], at[13]);       MULADD(at[3], at[12]);       MULADD(at[4], at[11]);       MULADD(at[5], at[10]);       MULADD(at[6], at[9]);       MULADD(at[7], at[8]); 
-   COMBA_STORE(C->dp[7]);
-   /* 8 */
-   COMBA_FORWARD;
-   MULADD(at[1], at[15]);       MULADD(at[2], at[14]);       MULADD(at[3], at[13]);       MULADD(at[4], at[12]);       MULADD(at[5], at[11]);       MULADD(at[6], at[10]);       MULADD(at[7], at[9]); 
-   COMBA_STORE(C->dp[8]);
-   /* 9 */
-   COMBA_FORWARD;
-   MULADD(at[2], at[15]);       MULADD(at[3], at[14]);       MULADD(at[4], at[13]);       MULADD(at[5], at[12]);       MULADD(at[6], at[11]);       MULADD(at[7], at[10]); 
-   COMBA_STORE(C->dp[9]);
-   /* 10 */
-   COMBA_FORWARD;
-   MULADD(at[3], at[15]);       MULADD(at[4], at[14]);       MULADD(at[5], at[13]);       MULADD(at[6], at[12]);       MULADD(at[7], at[11]); 
-   COMBA_STORE(C->dp[10]);
-   /* 11 */
-   COMBA_FORWARD;
-   MULADD(at[4], at[15]);       MULADD(at[5], at[14]);       MULADD(at[6], at[13]);       MULADD(at[7], at[12]); 
-   COMBA_STORE(C->dp[11]);
-   /* 12 */
-   COMBA_FORWARD;
-   MULADD(at[5], at[15]);       MULADD(at[6], at[14]);       MULADD(at[7], at[13]); 
-   COMBA_STORE(C->dp[12]);
-   /* 13 */
-   COMBA_FORWARD;
-   MULADD(at[6], at[15]);       MULADD(at[7], at[14]); 
-   COMBA_STORE(C->dp[13]);
-   /* 14 */
-   COMBA_FORWARD;
-   MULADD(at[7], at[15]); 
-   COMBA_STORE(C->dp[14]);
-   COMBA_STORE2(C->dp[15]);
-   C->used = 16;
-   C->sign = A->sign ^ B->sign;
-   mp_clamp(C);
-   COMBA_FINI;
-}
-
-void s_mp_mul_comba_16(const mp_int *A, const mp_int *B, mp_int *C)
-{
-   mp_digit c0, c1, c2, at[32];
-
-   memcpy(at, A->dp, 16 * sizeof(mp_digit));
-   memcpy(at+16, B->dp, 16 * sizeof(mp_digit));
-   COMBA_START;
-
-   COMBA_CLEAR;
-   /* 0 */
-   MULADD(at[0], at[16]); 
-   COMBA_STORE(C->dp[0]);
-   /* 1 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[17]);       MULADD(at[1], at[16]); 
-   COMBA_STORE(C->dp[1]);
-   /* 2 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[18]);       MULADD(at[1], at[17]);       MULADD(at[2], at[16]); 
-   COMBA_STORE(C->dp[2]);
-   /* 3 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[19]);       MULADD(at[1], at[18]);       MULADD(at[2], at[17]);       MULADD(at[3], at[16]); 
-   COMBA_STORE(C->dp[3]);
-   /* 4 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[20]);       MULADD(at[1], at[19]);       MULADD(at[2], at[18]);       MULADD(at[3], at[17]);       MULADD(at[4], at[16]); 
-   COMBA_STORE(C->dp[4]);
-   /* 5 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[21]);       MULADD(at[1], at[20]);       MULADD(at[2], at[19]);       MULADD(at[3], at[18]);       MULADD(at[4], at[17]);       MULADD(at[5], at[16]); 
-   COMBA_STORE(C->dp[5]);
-   /* 6 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[22]);       MULADD(at[1], at[21]);       MULADD(at[2], at[20]);       MULADD(at[3], at[19]);       MULADD(at[4], at[18]);       MULADD(at[5], at[17]);       MULADD(at[6], at[16]); 
-   COMBA_STORE(C->dp[6]);
-   /* 7 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[23]);       MULADD(at[1], at[22]);       MULADD(at[2], at[21]);       MULADD(at[3], at[20]);       MULADD(at[4], at[19]);       MULADD(at[5], at[18]);       MULADD(at[6], at[17]);       MULADD(at[7], at[16]); 
-   COMBA_STORE(C->dp[7]);
-   /* 8 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[24]);       MULADD(at[1], at[23]);       MULADD(at[2], at[22]);       MULADD(at[3], at[21]);       MULADD(at[4], at[20]);       MULADD(at[5], at[19]);       MULADD(at[6], at[18]);       MULADD(at[7], at[17]);       MULADD(at[8], at[16]); 
-   COMBA_STORE(C->dp[8]);
-   /* 9 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[25]);       MULADD(at[1], at[24]);       MULADD(at[2], at[23]);       MULADD(at[3], at[22]);       MULADD(at[4], at[21]);       MULADD(at[5], at[20]);       MULADD(at[6], at[19]);       MULADD(at[7], at[18]);       MULADD(at[8], at[17]);       MULADD(at[9], at[16]); 
-   COMBA_STORE(C->dp[9]);
-   /* 10 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[26]);       MULADD(at[1], at[25]);       MULADD(at[2], at[24]);       MULADD(at[3], at[23]);       MULADD(at[4], at[22]);       MULADD(at[5], at[21]);       MULADD(at[6], at[20]);       MULADD(at[7], at[19]);       MULADD(at[8], at[18]);       MULADD(at[9], at[17]);       MULADD(at[10], at[16]); 
-   COMBA_STORE(C->dp[10]);
-   /* 11 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[27]);       MULADD(at[1], at[26]);       MULADD(at[2], at[25]);       MULADD(at[3], at[24]);       MULADD(at[4], at[23]);       MULADD(at[5], at[22]);       MULADD(at[6], at[21]);       MULADD(at[7], at[20]);       MULADD(at[8], at[19]);       MULADD(at[9], at[18]);       MULADD(at[10], at[17]);       MULADD(at[11], at[16]); 
-   COMBA_STORE(C->dp[11]);
-   /* 12 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[28]);       MULADD(at[1], at[27]);       MULADD(at[2], at[26]);       MULADD(at[3], at[25]);       MULADD(at[4], at[24]);       MULADD(at[5], at[23]);       MULADD(at[6], at[22]);       MULADD(at[7], at[21]);       MULADD(at[8], at[20]);       MULADD(at[9], at[19]);       MULADD(at[10], at[18]);       MULADD(at[11], at[17]);       MULADD(at[12], at[16]); 
-   COMBA_STORE(C->dp[12]);
-   /* 13 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[29]);       MULADD(at[1], at[28]);       MULADD(at[2], at[27]);       MULADD(at[3], at[26]);       MULADD(at[4], at[25]);       MULADD(at[5], at[24]);       MULADD(at[6], at[23]);       MULADD(at[7], at[22]);       MULADD(at[8], at[21]);       MULADD(at[9], at[20]);       MULADD(at[10], at[19]);       MULADD(at[11], at[18]);       MULADD(at[12], at[17]);       MULADD(at[13], at[16]); 
-   COMBA_STORE(C->dp[13]);
-   /* 14 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[30]);       MULADD(at[1], at[29]);       MULADD(at[2], at[28]);       MULADD(at[3], at[27]);       MULADD(at[4], at[26]);       MULADD(at[5], at[25]);       MULADD(at[6], at[24]);       MULADD(at[7], at[23]);       MULADD(at[8], at[22]);       MULADD(at[9], at[21]);       MULADD(at[10], at[20]);       MULADD(at[11], at[19]);       MULADD(at[12], at[18]);       MULADD(at[13], at[17]);       MULADD(at[14], at[16]); 
-   COMBA_STORE(C->dp[14]);
-   /* 15 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[31]);       MULADD(at[1], at[30]);       MULADD(at[2], at[29]);       MULADD(at[3], at[28]);       MULADD(at[4], at[27]);       MULADD(at[5], at[26]);       MULADD(at[6], at[25]);       MULADD(at[7], at[24]);       MULADD(at[8], at[23]);       MULADD(at[9], at[22]);       MULADD(at[10], at[21]);       MULADD(at[11], at[20]);       MULADD(at[12], at[19]);       MULADD(at[13], at[18]);       MULADD(at[14], at[17]);       MULADD(at[15], at[16]); 
-   COMBA_STORE(C->dp[15]);
-   /* 16 */
-   COMBA_FORWARD;
-   MULADD(at[1], at[31]);       MULADD(at[2], at[30]);       MULADD(at[3], at[29]);       MULADD(at[4], at[28]);       MULADD(at[5], at[27]);       MULADD(at[6], at[26]);       MULADD(at[7], at[25]);       MULADD(at[8], at[24]);       MULADD(at[9], at[23]);       MULADD(at[10], at[22]);       MULADD(at[11], at[21]);       MULADD(at[12], at[20]);       MULADD(at[13], at[19]);       MULADD(at[14], at[18]);       MULADD(at[15], at[17]); 
-   COMBA_STORE(C->dp[16]);
-   /* 17 */
-   COMBA_FORWARD;
-   MULADD(at[2], at[31]);       MULADD(at[3], at[30]);       MULADD(at[4], at[29]);       MULADD(at[5], at[28]);       MULADD(at[6], at[27]);       MULADD(at[7], at[26]);       MULADD(at[8], at[25]);       MULADD(at[9], at[24]);       MULADD(at[10], at[23]);       MULADD(at[11], at[22]);       MULADD(at[12], at[21]);       MULADD(at[13], at[20]);       MULADD(at[14], at[19]);       MULADD(at[15], at[18]); 
-   COMBA_STORE(C->dp[17]);
-   /* 18 */
-   COMBA_FORWARD;
-   MULADD(at[3], at[31]);       MULADD(at[4], at[30]);       MULADD(at[5], at[29]);       MULADD(at[6], at[28]);       MULADD(at[7], at[27]);       MULADD(at[8], at[26]);       MULADD(at[9], at[25]);       MULADD(at[10], at[24]);       MULADD(at[11], at[23]);       MULADD(at[12], at[22]);       MULADD(at[13], at[21]);       MULADD(at[14], at[20]);       MULADD(at[15], at[19]); 
-   COMBA_STORE(C->dp[18]);
-   /* 19 */
-   COMBA_FORWARD;
-   MULADD(at[4], at[31]);       MULADD(at[5], at[30]);       MULADD(at[6], at[29]);       MULADD(at[7], at[28]);       MULADD(at[8], at[27]);       MULADD(at[9], at[26]);       MULADD(at[10], at[25]);       MULADD(at[11], at[24]);       MULADD(at[12], at[23]);       MULADD(at[13], at[22]);       MULADD(at[14], at[21]);       MULADD(at[15], at[20]); 
-   COMBA_STORE(C->dp[19]);
-   /* 20 */
-   COMBA_FORWARD;
-   MULADD(at[5], at[31]);       MULADD(at[6], at[30]);       MULADD(at[7], at[29]);       MULADD(at[8], at[28]);       MULADD(at[9], at[27]);       MULADD(at[10], at[26]);       MULADD(at[11], at[25]);       MULADD(at[12], at[24]);       MULADD(at[13], at[23]);       MULADD(at[14], at[22]);       MULADD(at[15], at[21]); 
-   COMBA_STORE(C->dp[20]);
-   /* 21 */
-   COMBA_FORWARD;
-   MULADD(at[6], at[31]);       MULADD(at[7], at[30]);       MULADD(at[8], at[29]);       MULADD(at[9], at[28]);       MULADD(at[10], at[27]);       MULADD(at[11], at[26]);       MULADD(at[12], at[25]);       MULADD(at[13], at[24]);       MULADD(at[14], at[23]);       MULADD(at[15], at[22]); 
-   COMBA_STORE(C->dp[21]);
-   /* 22 */
-   COMBA_FORWARD;
-   MULADD(at[7], at[31]);       MULADD(at[8], at[30]);       MULADD(at[9], at[29]);       MULADD(at[10], at[28]);       MULADD(at[11], at[27]);       MULADD(at[12], at[26]);       MULADD(at[13], at[25]);       MULADD(at[14], at[24]);       MULADD(at[15], at[23]); 
-   COMBA_STORE(C->dp[22]);
-   /* 23 */
-   COMBA_FORWARD;
-   MULADD(at[8], at[31]);       MULADD(at[9], at[30]);       MULADD(at[10], at[29]);       MULADD(at[11], at[28]);       MULADD(at[12], at[27]);       MULADD(at[13], at[26]);       MULADD(at[14], at[25]);       MULADD(at[15], at[24]); 
-   COMBA_STORE(C->dp[23]);
-   /* 24 */
-   COMBA_FORWARD;
-   MULADD(at[9], at[31]);       MULADD(at[10], at[30]);       MULADD(at[11], at[29]);       MULADD(at[12], at[28]);       MULADD(at[13], at[27]);       MULADD(at[14], at[26]);       MULADD(at[15], at[25]); 
-   COMBA_STORE(C->dp[24]);
-   /* 25 */
-   COMBA_FORWARD;
-   MULADD(at[10], at[31]);       MULADD(at[11], at[30]);       MULADD(at[12], at[29]);       MULADD(at[13], at[28]);       MULADD(at[14], at[27]);       MULADD(at[15], at[26]); 
-   COMBA_STORE(C->dp[25]);
-   /* 26 */
-   COMBA_FORWARD;
-   MULADD(at[11], at[31]);       MULADD(at[12], at[30]);       MULADD(at[13], at[29]);       MULADD(at[14], at[28]);       MULADD(at[15], at[27]); 
-   COMBA_STORE(C->dp[26]);
-   /* 27 */
-   COMBA_FORWARD;
-   MULADD(at[12], at[31]);       MULADD(at[13], at[30]);       MULADD(at[14], at[29]);       MULADD(at[15], at[28]); 
-   COMBA_STORE(C->dp[27]);
-   /* 28 */
-   COMBA_FORWARD;
-   MULADD(at[13], at[31]);       MULADD(at[14], at[30]);       MULADD(at[15], at[29]); 
-   COMBA_STORE(C->dp[28]);
-   /* 29 */
-   COMBA_FORWARD;
-   MULADD(at[14], at[31]);       MULADD(at[15], at[30]); 
-   COMBA_STORE(C->dp[29]);
-   /* 30 */
-   COMBA_FORWARD;
-   MULADD(at[15], at[31]); 
-   COMBA_STORE(C->dp[30]);
-   COMBA_STORE2(C->dp[31]);
-   C->used = 32;
-   C->sign = A->sign ^ B->sign;
-   mp_clamp(C);
-   COMBA_FINI;
-}
-
-void s_mp_mul_comba_32(const mp_int *A, const mp_int *B, mp_int *C)
-{
-   mp_digit c0, c1, c2, at[64];
-
-   memcpy(at, A->dp, 32 * sizeof(mp_digit));
-   memcpy(at+32, B->dp, 32 * sizeof(mp_digit));
-   COMBA_START;
-
-   COMBA_CLEAR;
-   /* 0 */
-   MULADD(at[0], at[32]); 
-   COMBA_STORE(C->dp[0]);
-   /* 1 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[33]);    MULADD(at[1], at[32]); 
-   COMBA_STORE(C->dp[1]);
-   /* 2 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[34]);    MULADD(at[1], at[33]);    MULADD(at[2], at[32]); 
-   COMBA_STORE(C->dp[2]);
-   /* 3 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[35]);    MULADD(at[1], at[34]);    MULADD(at[2], at[33]);    MULADD(at[3], at[32]); 
-   COMBA_STORE(C->dp[3]);
-   /* 4 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[36]);    MULADD(at[1], at[35]);    MULADD(at[2], at[34]);    MULADD(at[3], at[33]);    MULADD(at[4], at[32]); 
-   COMBA_STORE(C->dp[4]);
-   /* 5 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[37]);    MULADD(at[1], at[36]);    MULADD(at[2], at[35]);    MULADD(at[3], at[34]);    MULADD(at[4], at[33]);    MULADD(at[5], at[32]); 
-   COMBA_STORE(C->dp[5]);
-   /* 6 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[38]);    MULADD(at[1], at[37]);    MULADD(at[2], at[36]);    MULADD(at[3], at[35]);    MULADD(at[4], at[34]);    MULADD(at[5], at[33]);    MULADD(at[6], at[32]); 
-   COMBA_STORE(C->dp[6]);
-   /* 7 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[39]);    MULADD(at[1], at[38]);    MULADD(at[2], at[37]);    MULADD(at[3], at[36]);    MULADD(at[4], at[35]);    MULADD(at[5], at[34]);    MULADD(at[6], at[33]);    MULADD(at[7], at[32]); 
-   COMBA_STORE(C->dp[7]);
-   /* 8 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[40]);    MULADD(at[1], at[39]);    MULADD(at[2], at[38]);    MULADD(at[3], at[37]);    MULADD(at[4], at[36]);    MULADD(at[5], at[35]);    MULADD(at[6], at[34]);    MULADD(at[7], at[33]);    MULADD(at[8], at[32]); 
-   COMBA_STORE(C->dp[8]);
-   /* 9 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[41]);    MULADD(at[1], at[40]);    MULADD(at[2], at[39]);    MULADD(at[3], at[38]);    MULADD(at[4], at[37]);    MULADD(at[5], at[36]);    MULADD(at[6], at[35]);    MULADD(at[7], at[34]);    MULADD(at[8], at[33]);    MULADD(at[9], at[32]); 
-   COMBA_STORE(C->dp[9]);
-   /* 10 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[42]);    MULADD(at[1], at[41]);    MULADD(at[2], at[40]);    MULADD(at[3], at[39]);    MULADD(at[4], at[38]);    MULADD(at[5], at[37]);    MULADD(at[6], at[36]);    MULADD(at[7], at[35]);    MULADD(at[8], at[34]);    MULADD(at[9], at[33]);    MULADD(at[10], at[32]); 
-   COMBA_STORE(C->dp[10]);
-   /* 11 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[43]);    MULADD(at[1], at[42]);    MULADD(at[2], at[41]);    MULADD(at[3], at[40]);    MULADD(at[4], at[39]);    MULADD(at[5], at[38]);    MULADD(at[6], at[37]);    MULADD(at[7], at[36]);    MULADD(at[8], at[35]);    MULADD(at[9], at[34]);    MULADD(at[10], at[33]);    MULADD(at[11], at[32]); 
-   COMBA_STORE(C->dp[11]);
-   /* 12 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[44]);    MULADD(at[1], at[43]);    MULADD(at[2], at[42]);    MULADD(at[3], at[41]);    MULADD(at[4], at[40]);    MULADD(at[5], at[39]);    MULADD(at[6], at[38]);    MULADD(at[7], at[37]);    MULADD(at[8], at[36]);    MULADD(at[9], at[35]);    MULADD(at[10], at[34]);    MULADD(at[11], at[33]);    MULADD(at[12], at[32]); 
-   COMBA_STORE(C->dp[12]);
-   /* 13 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[45]);    MULADD(at[1], at[44]);    MULADD(at[2], at[43]);    MULADD(at[3], at[42]);    MULADD(at[4], at[41]);    MULADD(at[5], at[40]);    MULADD(at[6], at[39]);    MULADD(at[7], at[38]);    MULADD(at[8], at[37]);    MULADD(at[9], at[36]);    MULADD(at[10], at[35]);    MULADD(at[11], at[34]);    MULADD(at[12], at[33]);    MULADD(at[13], at[32]); 
-   COMBA_STORE(C->dp[13]);
-   /* 14 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[46]);    MULADD(at[1], at[45]);    MULADD(at[2], at[44]);    MULADD(at[3], at[43]);    MULADD(at[4], at[42]);    MULADD(at[5], at[41]);    MULADD(at[6], at[40]);    MULADD(at[7], at[39]);    MULADD(at[8], at[38]);    MULADD(at[9], at[37]);    MULADD(at[10], at[36]);    MULADD(at[11], at[35]);    MULADD(at[12], at[34]);    MULADD(at[13], at[33]);    MULADD(at[14], at[32]); 
-   COMBA_STORE(C->dp[14]);
-   /* 15 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[47]);    MULADD(at[1], at[46]);    MULADD(at[2], at[45]);    MULADD(at[3], at[44]);    MULADD(at[4], at[43]);    MULADD(at[5], at[42]);    MULADD(at[6], at[41]);    MULADD(at[7], at[40]);    MULADD(at[8], at[39]);    MULADD(at[9], at[38]);    MULADD(at[10], at[37]);    MULADD(at[11], at[36]);    MULADD(at[12], at[35]);    MULADD(at[13], at[34]);    MULADD(at[14], at[33]);    MULADD(at[15], at[32]); 
-   COMBA_STORE(C->dp[15]);
-   /* 16 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[48]);    MULADD(at[1], at[47]);    MULADD(at[2], at[46]);    MULADD(at[3], at[45]);    MULADD(at[4], at[44]);    MULADD(at[5], at[43]);    MULADD(at[6], at[42]);    MULADD(at[7], at[41]);    MULADD(at[8], at[40]);    MULADD(at[9], at[39]);    MULADD(at[10], at[38]);    MULADD(at[11], at[37]);    MULADD(at[12], at[36]);    MULADD(at[13], at[35]);    MULADD(at[14], at[34]);    MULADD(at[15], at[33]);    MULADD(at[16], at[32]); 
-   COMBA_STORE(C->dp[16]);
-   /* 17 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[49]);    MULADD(at[1], at[48]);    MULADD(at[2], at[47]);    MULADD(at[3], at[46]);    MULADD(at[4], at[45]);    MULADD(at[5], at[44]);    MULADD(at[6], at[43]);    MULADD(at[7], at[42]);    MULADD(at[8], at[41]);    MULADD(at[9], at[40]);    MULADD(at[10], at[39]);    MULADD(at[11], at[38]);    MULADD(at[12], at[37]);    MULADD(at[13], at[36]);    MULADD(at[14], at[35]);    MULADD(at[15], at[34]);    MULADD(at[16], at[33]);    MULADD(at[17], at[32]); 
-   COMBA_STORE(C->dp[17]);
-   /* 18 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[50]);    MULADD(at[1], at[49]);    MULADD(at[2], at[48]);    MULADD(at[3], at[47]);    MULADD(at[4], at[46]);    MULADD(at[5], at[45]);    MULADD(at[6], at[44]);    MULADD(at[7], at[43]);    MULADD(at[8], at[42]);    MULADD(at[9], at[41]);    MULADD(at[10], at[40]);    MULADD(at[11], at[39]);    MULADD(at[12], at[38]);    MULADD(at[13], at[37]);    MULADD(at[14], at[36]);    MULADD(at[15], at[35]);    MULADD(at[16], at[34]);    MULADD(at[17], at[33]);    MULADD(at[18], at[32]); 
-   COMBA_STORE(C->dp[18]);
-   /* 19 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[51]);    MULADD(at[1], at[50]);    MULADD(at[2], at[49]);    MULADD(at[3], at[48]);    MULADD(at[4], at[47]);    MULADD(at[5], at[46]);    MULADD(at[6], at[45]);    MULADD(at[7], at[44]);    MULADD(at[8], at[43]);    MULADD(at[9], at[42]);    MULADD(at[10], at[41]);    MULADD(at[11], at[40]);    MULADD(at[12], at[39]);    MULADD(at[13], at[38]);    MULADD(at[14], at[37]);    MULADD(at[15], at[36]);    MULADD(at[16], at[35]);    MULADD(at[17], at[34]);    MULADD(at[18], at[33]);    MULADD(at[19], at[32]); 
-   COMBA_STORE(C->dp[19]);
-   /* 20 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[52]);    MULADD(at[1], at[51]);    MULADD(at[2], at[50]);    MULADD(at[3], at[49]);    MULADD(at[4], at[48]);    MULADD(at[5], at[47]);    MULADD(at[6], at[46]);    MULADD(at[7], at[45]);    MULADD(at[8], at[44]);    MULADD(at[9], at[43]);    MULADD(at[10], at[42]);    MULADD(at[11], at[41]);    MULADD(at[12], at[40]);    MULADD(at[13], at[39]);    MULADD(at[14], at[38]);    MULADD(at[15], at[37]);    MULADD(at[16], at[36]);    MULADD(at[17], at[35]);    MULADD(at[18], at[34]);    MULADD(at[19], at[33]);    MULADD(at[20], at[32]); 
-   COMBA_STORE(C->dp[20]);
-   /* 21 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[53]);    MULADD(at[1], at[52]);    MULADD(at[2], at[51]);    MULADD(at[3], at[50]);    MULADD(at[4], at[49]);    MULADD(at[5], at[48]);    MULADD(at[6], at[47]);    MULADD(at[7], at[46]);    MULADD(at[8], at[45]);    MULADD(at[9], at[44]);    MULADD(at[10], at[43]);    MULADD(at[11], at[42]);    MULADD(at[12], at[41]);    MULADD(at[13], at[40]);    MULADD(at[14], at[39]);    MULADD(at[15], at[38]);    MULADD(at[16], at[37]);    MULADD(at[17], at[36]);    MULADD(at[18], at[35]);    MULADD(at[19], at[34]);    MULADD(at[20], at[33]);    MULADD(at[21], at[32]); 
-   COMBA_STORE(C->dp[21]);
-   /* 22 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[54]);    MULADD(at[1], at[53]);    MULADD(at[2], at[52]);    MULADD(at[3], at[51]);    MULADD(at[4], at[50]);    MULADD(at[5], at[49]);    MULADD(at[6], at[48]);    MULADD(at[7], at[47]);    MULADD(at[8], at[46]);    MULADD(at[9], at[45]);    MULADD(at[10], at[44]);    MULADD(at[11], at[43]);    MULADD(at[12], at[42]);    MULADD(at[13], at[41]);    MULADD(at[14], at[40]);    MULADD(at[15], at[39]);    MULADD(at[16], at[38]);    MULADD(at[17], at[37]);    MULADD(at[18], at[36]);    MULADD(at[19], at[35]);    MULADD(at[20], at[34]);    MULADD(at[21], at[33]);    MULADD(at[22], at[32]); 
-   COMBA_STORE(C->dp[22]);
-   /* 23 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[55]);    MULADD(at[1], at[54]);    MULADD(at[2], at[53]);    MULADD(at[3], at[52]);    MULADD(at[4], at[51]);    MULADD(at[5], at[50]);    MULADD(at[6], at[49]);    MULADD(at[7], at[48]);    MULADD(at[8], at[47]);    MULADD(at[9], at[46]);    MULADD(at[10], at[45]);    MULADD(at[11], at[44]);    MULADD(at[12], at[43]);    MULADD(at[13], at[42]);    MULADD(at[14], at[41]);    MULADD(at[15], at[40]);    MULADD(at[16], at[39]);    MULADD(at[17], at[38]);    MULADD(at[18], at[37]);    MULADD(at[19], at[36]);    MULADD(at[20], at[35]);    MULADD(at[21], at[34]);    MULADD(at[22], at[33]);    MULADD(at[23], at[32]); 
-   COMBA_STORE(C->dp[23]);
-   /* 24 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[56]);    MULADD(at[1], at[55]);    MULADD(at[2], at[54]);    MULADD(at[3], at[53]);    MULADD(at[4], at[52]);    MULADD(at[5], at[51]);    MULADD(at[6], at[50]);    MULADD(at[7], at[49]);    MULADD(at[8], at[48]);    MULADD(at[9], at[47]);    MULADD(at[10], at[46]);    MULADD(at[11], at[45]);    MULADD(at[12], at[44]);    MULADD(at[13], at[43]);    MULADD(at[14], at[42]);    MULADD(at[15], at[41]);    MULADD(at[16], at[40]);    MULADD(at[17], at[39]);    MULADD(at[18], at[38]);    MULADD(at[19], at[37]);    MULADD(at[20], at[36]);    MULADD(at[21], at[35]);    MULADD(at[22], at[34]);    MULADD(at[23], at[33]);    MULADD(at[24], at[32]); 
-   COMBA_STORE(C->dp[24]);
-   /* 25 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[57]);    MULADD(at[1], at[56]);    MULADD(at[2], at[55]);    MULADD(at[3], at[54]);    MULADD(at[4], at[53]);    MULADD(at[5], at[52]);    MULADD(at[6], at[51]);    MULADD(at[7], at[50]);    MULADD(at[8], at[49]);    MULADD(at[9], at[48]);    MULADD(at[10], at[47]);    MULADD(at[11], at[46]);    MULADD(at[12], at[45]);    MULADD(at[13], at[44]);    MULADD(at[14], at[43]);    MULADD(at[15], at[42]);    MULADD(at[16], at[41]);    MULADD(at[17], at[40]);    MULADD(at[18], at[39]);    MULADD(at[19], at[38]);    MULADD(at[20], at[37]);    MULADD(at[21], at[36]);    MULADD(at[22], at[35]);    MULADD(at[23], at[34]);    MULADD(at[24], at[33]);    MULADD(at[25], at[32]); 
-   COMBA_STORE(C->dp[25]);
-   /* 26 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[58]);    MULADD(at[1], at[57]);    MULADD(at[2], at[56]);    MULADD(at[3], at[55]);    MULADD(at[4], at[54]);    MULADD(at[5], at[53]);    MULADD(at[6], at[52]);    MULADD(at[7], at[51]);    MULADD(at[8], at[50]);    MULADD(at[9], at[49]);    MULADD(at[10], at[48]);    MULADD(at[11], at[47]);    MULADD(at[12], at[46]);    MULADD(at[13], at[45]);    MULADD(at[14], at[44]);    MULADD(at[15], at[43]);    MULADD(at[16], at[42]);    MULADD(at[17], at[41]);    MULADD(at[18], at[40]);    MULADD(at[19], at[39]);    MULADD(at[20], at[38]);    MULADD(at[21], at[37]);    MULADD(at[22], at[36]);    MULADD(at[23], at[35]);    MULADD(at[24], at[34]);    MULADD(at[25], at[33]);    MULADD(at[26], at[32]); 
-   COMBA_STORE(C->dp[26]);
-   /* 27 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[59]);    MULADD(at[1], at[58]);    MULADD(at[2], at[57]);    MULADD(at[3], at[56]);    MULADD(at[4], at[55]);    MULADD(at[5], at[54]);    MULADD(at[6], at[53]);    MULADD(at[7], at[52]);    MULADD(at[8], at[51]);    MULADD(at[9], at[50]);    MULADD(at[10], at[49]);    MULADD(at[11], at[48]);    MULADD(at[12], at[47]);    MULADD(at[13], at[46]);    MULADD(at[14], at[45]);    MULADD(at[15], at[44]);    MULADD(at[16], at[43]);    MULADD(at[17], at[42]);    MULADD(at[18], at[41]);    MULADD(at[19], at[40]);    MULADD(at[20], at[39]);    MULADD(at[21], at[38]);    MULADD(at[22], at[37]);    MULADD(at[23], at[36]);    MULADD(at[24], at[35]);    MULADD(at[25], at[34]);    MULADD(at[26], at[33]);    MULADD(at[27], at[32]); 
-   COMBA_STORE(C->dp[27]);
-   /* 28 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[60]);    MULADD(at[1], at[59]);    MULADD(at[2], at[58]);    MULADD(at[3], at[57]);    MULADD(at[4], at[56]);    MULADD(at[5], at[55]);    MULADD(at[6], at[54]);    MULADD(at[7], at[53]);    MULADD(at[8], at[52]);    MULADD(at[9], at[51]);    MULADD(at[10], at[50]);    MULADD(at[11], at[49]);    MULADD(at[12], at[48]);    MULADD(at[13], at[47]);    MULADD(at[14], at[46]);    MULADD(at[15], at[45]);    MULADD(at[16], at[44]);    MULADD(at[17], at[43]);    MULADD(at[18], at[42]);    MULADD(at[19], at[41]);    MULADD(at[20], at[40]);    MULADD(at[21], at[39]);    MULADD(at[22], at[38]);    MULADD(at[23], at[37]);    MULADD(at[24], at[36]);    MULADD(at[25], at[35]);    MULADD(at[26], at[34]);    MULADD(at[27], at[33]);    MULADD(at[28], at[32]); 
-   COMBA_STORE(C->dp[28]);
-   /* 29 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[61]);    MULADD(at[1], at[60]);    MULADD(at[2], at[59]);    MULADD(at[3], at[58]);    MULADD(at[4], at[57]);    MULADD(at[5], at[56]);    MULADD(at[6], at[55]);    MULADD(at[7], at[54]);    MULADD(at[8], at[53]);    MULADD(at[9], at[52]);    MULADD(at[10], at[51]);    MULADD(at[11], at[50]);    MULADD(at[12], at[49]);    MULADD(at[13], at[48]);    MULADD(at[14], at[47]);    MULADD(at[15], at[46]);    MULADD(at[16], at[45]);    MULADD(at[17], at[44]);    MULADD(at[18], at[43]);    MULADD(at[19], at[42]);    MULADD(at[20], at[41]);    MULADD(at[21], at[40]);    MULADD(at[22], at[39]);    MULADD(at[23], at[38]);    MULADD(at[24], at[37]);    MULADD(at[25], at[36]);    MULADD(at[26], at[35]);    MULADD(at[27], at[34]);    MULADD(at[28], at[33]);    MULADD(at[29], at[32]); 
-   COMBA_STORE(C->dp[29]);
-   /* 30 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[62]);    MULADD(at[1], at[61]);    MULADD(at[2], at[60]);    MULADD(at[3], at[59]);    MULADD(at[4], at[58]);    MULADD(at[5], at[57]);    MULADD(at[6], at[56]);    MULADD(at[7], at[55]);    MULADD(at[8], at[54]);    MULADD(at[9], at[53]);    MULADD(at[10], at[52]);    MULADD(at[11], at[51]);    MULADD(at[12], at[50]);    MULADD(at[13], at[49]);    MULADD(at[14], at[48]);    MULADD(at[15], at[47]);    MULADD(at[16], at[46]);    MULADD(at[17], at[45]);    MULADD(at[18], at[44]);    MULADD(at[19], at[43]);    MULADD(at[20], at[42]);    MULADD(at[21], at[41]);    MULADD(at[22], at[40]);    MULADD(at[23], at[39]);    MULADD(at[24], at[38]);    MULADD(at[25], at[37]);    MULADD(at[26], at[36]);    MULADD(at[27], at[35]);    MULADD(at[28], at[34]);    MULADD(at[29], at[33]);    MULADD(at[30], at[32]); 
-   COMBA_STORE(C->dp[30]);
-   /* 31 */
-   COMBA_FORWARD;
-   MULADD(at[0], at[63]);    MULADD(at[1], at[62]);    MULADD(at[2], at[61]);    MULADD(at[3], at[60]);    MULADD(at[4], at[59]);    MULADD(at[5], at[58]);    MULADD(at[6], at[57]);    MULADD(at[7], at[56]);    MULADD(at[8], at[55]);    MULADD(at[9], at[54]);    MULADD(at[10], at[53]);    MULADD(at[11], at[52]);    MULADD(at[12], at[51]);    MULADD(at[13], at[50]);    MULADD(at[14], at[49]);    MULADD(at[15], at[48]);    MULADD(at[16], at[47]);    MULADD(at[17], at[46]);    MULADD(at[18], at[45]);    MULADD(at[19], at[44]);    MULADD(at[20], at[43]);    MULADD(at[21], at[42]);    MULADD(at[22], at[41]);    MULADD(at[23], at[40]);    MULADD(at[24], at[39]);    MULADD(at[25], at[38]);    MULADD(at[26], at[37]);    MULADD(at[27], at[36]);    MULADD(at[28], at[35]);    MULADD(at[29], at[34]);    MULADD(at[30], at[33]);    MULADD(at[31], at[32]); 
-   COMBA_STORE(C->dp[31]);
-   /* 32 */
-   COMBA_FORWARD;
-   MULADD(at[1], at[63]);    MULADD(at[2], at[62]);    MULADD(at[3], at[61]);    MULADD(at[4], at[60]);    MULADD(at[5], at[59]);    MULADD(at[6], at[58]);    MULADD(at[7], at[57]);    MULADD(at[8], at[56]);    MULADD(at[9], at[55]);    MULADD(at[10], at[54]);    MULADD(at[11], at[53]);    MULADD(at[12], at[52]);    MULADD(at[13], at[51]);    MULADD(at[14], at[50]);    MULADD(at[15], at[49]);    MULADD(at[16], at[48]);    MULADD(at[17], at[47]);    MULADD(at[18], at[46]);    MULADD(at[19], at[45]);    MULADD(at[20], at[44]);    MULADD(at[21], at[43]);    MULADD(at[22], at[42]);    MULADD(at[23], at[41]);    MULADD(at[24], at[40]);    MULADD(at[25], at[39]);    MULADD(at[26], at[38]);    MULADD(at[27], at[37]);    MULADD(at[28], at[36]);    MULADD(at[29], at[35]);    MULADD(at[30], at[34]);    MULADD(at[31], at[33]); 
-   COMBA_STORE(C->dp[32]);
-   /* 33 */
-   COMBA_FORWARD;
-   MULADD(at[2], at[63]);    MULADD(at[3], at[62]);    MULADD(at[4], at[61]);    MULADD(at[5], at[60]);    MULADD(at[6], at[59]);    MULADD(at[7], at[58]);    MULADD(at[8], at[57]);    MULADD(at[9], at[56]);    MULADD(at[10], at[55]);    MULADD(at[11], at[54]);    MULADD(at[12], at[53]);    MULADD(at[13], at[52]);    MULADD(at[14], at[51]);    MULADD(at[15], at[50]);    MULADD(at[16], at[49]);    MULADD(at[17], at[48]);    MULADD(at[18], at[47]);    MULADD(at[19], at[46]);    MULADD(at[20], at[45]);    MULADD(at[21], at[44]);    MULADD(at[22], at[43]);    MULADD(at[23], at[42]);    MULADD(at[24], at[41]);    MULADD(at[25], at[40]);    MULADD(at[26], at[39]);    MULADD(at[27], at[38]);    MULADD(at[28], at[37]);    MULADD(at[29], at[36]);    MULADD(at[30], at[35]);    MULADD(at[31], at[34]); 
-   COMBA_STORE(C->dp[33]);
-   /* 34 */
-   COMBA_FORWARD;
-   MULADD(at[3], at[63]);    MULADD(at[4], at[62]);    MULADD(at[5], at[61]);    MULADD(at[6], at[60]);    MULADD(at[7], at[59]);    MULADD(at[8], at[58]);    MULADD(at[9], at[57]);    MULADD(at[10], at[56]);    MULADD(at[11], at[55]);    MULADD(at[12], at[54]);    MULADD(at[13], at[53]);    MULADD(at[14], at[52]);    MULADD(at[15], at[51]);    MULADD(at[16], at[50]);    MULADD(at[17], at[49]);    MULADD(at[18], at[48]);    MULADD(at[19], at[47]);    MULADD(at[20], at[46]);    MULADD(at[21], at[45]);    MULADD(at[22], at[44]);    MULADD(at[23], at[43]);    MULADD(at[24], at[42]);    MULADD(at[25], at[41]);    MULADD(at[26], at[40]);    MULADD(at[27], at[39]);    MULADD(at[28], at[38]);    MULADD(at[29], at[37]);    MULADD(at[30], at[36]);    MULADD(at[31], at[35]); 
-   COMBA_STORE(C->dp[34]);
-   /* 35 */
-   COMBA_FORWARD;
-   MULADD(at[4], at[63]);    MULADD(at[5], at[62]);    MULADD(at[6], at[61]);    MULADD(at[7], at[60]);    MULADD(at[8], at[59]);    MULADD(at[9], at[58]);    MULADD(at[10], at[57]);    MULADD(at[11], at[56]);    MULADD(at[12], at[55]);    MULADD(at[13], at[54]);    MULADD(at[14], at[53]);    MULADD(at[15], at[52]);    MULADD(at[16], at[51]);    MULADD(at[17], at[50]);    MULADD(at[18], at[49]);    MULADD(at[19], at[48]);    MULADD(at[20], at[47]);    MULADD(at[21], at[46]);    MULADD(at[22], at[45]);    MULADD(at[23], at[44]);    MULADD(at[24], at[43]);    MULADD(at[25], at[42]);    MULADD(at[26], at[41]);    MULADD(at[27], at[40]);    MULADD(at[28], at[39]);    MULADD(at[29], at[38]);    MULADD(at[30], at[37]);    MULADD(at[31], at[36]); 
-   COMBA_STORE(C->dp[35]);
-   /* 36 */
-   COMBA_FORWARD;
-   MULADD(at[5], at[63]);    MULADD(at[6], at[62]);    MULADD(at[7], at[61]);    MULADD(at[8], at[60]);    MULADD(at[9], at[59]);    MULADD(at[10], at[58]);    MULADD(at[11], at[57]);    MULADD(at[12], at[56]);    MULADD(at[13], at[55]);    MULADD(at[14], at[54]);    MULADD(at[15], at[53]);    MULADD(at[16], at[52]);    MULADD(at[17], at[51]);    MULADD(at[18], at[50]);    MULADD(at[19], at[49]);    MULADD(at[20], at[48]);    MULADD(at[21], at[47]);    MULADD(at[22], at[46]);    MULADD(at[23], at[45]);    MULADD(at[24], at[44]);    MULADD(at[25], at[43]);    MULADD(at[26], at[42]);    MULADD(at[27], at[41]);    MULADD(at[28], at[40]);    MULADD(at[29], at[39]);    MULADD(at[30], at[38]);    MULADD(at[31], at[37]); 
-   COMBA_STORE(C->dp[36]);
-   /* 37 */
-   COMBA_FORWARD;
-   MULADD(at[6], at[63]);    MULADD(at[7], at[62]);    MULADD(at[8], at[61]);    MULADD(at[9], at[60]);    MULADD(at[10], at[59]);    MULADD(at[11], at[58]);    MULADD(at[12], at[57]);    MULADD(at[13], at[56]);    MULADD(at[14], at[55]);    MULADD(at[15], at[54]);    MULADD(at[16], at[53]);    MULADD(at[17], at[52]);    MULADD(at[18], at[51]);    MULADD(at[19], at[50]);    MULADD(at[20], at[49]);    MULADD(at[21], at[48]);    MULADD(at[22], at[47]);    MULADD(at[23], at[46]);    MULADD(at[24], at[45]);    MULADD(at[25], at[44]);    MULADD(at[26], at[43]);    MULADD(at[27], at[42]);    MULADD(at[28], at[41]);    MULADD(at[29], at[40]);    MULADD(at[30], at[39]);    MULADD(at[31], at[38]); 
-   COMBA_STORE(C->dp[37]);
-   /* 38 */
-   COMBA_FORWARD;
-   MULADD(at[7], at[63]);    MULADD(at[8], at[62]);    MULADD(at[9], at[61]);    MULADD(at[10], at[60]);    MULADD(at[11], at[59]);    MULADD(at[12], at[58]);    MULADD(at[13], at[57]);    MULADD(at[14], at[56]);    MULADD(at[15], at[55]);    MULADD(at[16], at[54]);    MULADD(at[17], at[53]);    MULADD(at[18], at[52]);    MULADD(at[19], at[51]);    MULADD(at[20], at[50]);    MULADD(at[21], at[49]);    MULADD(at[22], at[48]);    MULADD(at[23], at[47]);    MULADD(at[24], at[46]);    MULADD(at[25], at[45]);    MULADD(at[26], at[44]);    MULADD(at[27], at[43]);    MULADD(at[28], at[42]);    MULADD(at[29], at[41]);    MULADD(at[30], at[40]);    MULADD(at[31], at[39]); 
-   COMBA_STORE(C->dp[38]);
-   /* 39 */
-   COMBA_FORWARD;
-   MULADD(at[8], at[63]);    MULADD(at[9], at[62]);    MULADD(at[10], at[61]);    MULADD(at[11], at[60]);    MULADD(at[12], at[59]);    MULADD(at[13], at[58]);    MULADD(at[14], at[57]);    MULADD(at[15], at[56]);    MULADD(at[16], at[55]);    MULADD(at[17], at[54]);    MULADD(at[18], at[53]);    MULADD(at[19], at[52]);    MULADD(at[20], at[51]);    MULADD(at[21], at[50]);    MULADD(at[22], at[49]);    MULADD(at[23], at[48]);    MULADD(at[24], at[47]);    MULADD(at[25], at[46]);    MULADD(at[26], at[45]);    MULADD(at[27], at[44]);    MULADD(at[28], at[43]);    MULADD(at[29], at[42]);    MULADD(at[30], at[41]);    MULADD(at[31], at[40]); 
-   COMBA_STORE(C->dp[39]);
-   /* 40 */
-   COMBA_FORWARD;
-   MULADD(at[9], at[63]);    MULADD(at[10], at[62]);    MULADD(at[11], at[61]);    MULADD(at[12], at[60]);    MULADD(at[13], at[59]);    MULADD(at[14], at[58]);    MULADD(at[15], at[57]);    MULADD(at[16], at[56]);    MULADD(at[17], at[55]);    MULADD(at[18], at[54]);    MULADD(at[19], at[53]);    MULADD(at[20], at[52]);    MULADD(at[21], at[51]);    MULADD(at[22], at[50]);    MULADD(at[23], at[49]);    MULADD(at[24], at[48]);    MULADD(at[25], at[47]);    MULADD(at[26], at[46]);    MULADD(at[27], at[45]);    MULADD(at[28], at[44]);    MULADD(at[29], at[43]);    MULADD(at[30], at[42]);    MULADD(at[31], at[41]); 
-   COMBA_STORE(C->dp[40]);
-   /* 41 */
-   COMBA_FORWARD;
-   MULADD(at[10], at[63]);    MULADD(at[11], at[62]);    MULADD(at[12], at[61]);    MULADD(at[13], at[60]);    MULADD(at[14], at[59]);    MULADD(at[15], at[58]);    MULADD(at[16], at[57]);    MULADD(at[17], at[56]);    MULADD(at[18], at[55]);    MULADD(at[19], at[54]);    MULADD(at[20], at[53]);    MULADD(at[21], at[52]);    MULADD(at[22], at[51]);    MULADD(at[23], at[50]);    MULADD(at[24], at[49]);    MULADD(at[25], at[48]);    MULADD(at[26], at[47]);    MULADD(at[27], at[46]);    MULADD(at[28], at[45]);    MULADD(at[29], at[44]);    MULADD(at[30], at[43]);    MULADD(at[31], at[42]); 
-   COMBA_STORE(C->dp[41]);
-   /* 42 */
-   COMBA_FORWARD;
-   MULADD(at[11], at[63]);    MULADD(at[12], at[62]);    MULADD(at[13], at[61]);    MULADD(at[14], at[60]);    MULADD(at[15], at[59]);    MULADD(at[16], at[58]);    MULADD(at[17], at[57]);    MULADD(at[18], at[56]);    MULADD(at[19], at[55]);    MULADD(at[20], at[54]);    MULADD(at[21], at[53]);    MULADD(at[22], at[52]);    MULADD(at[23], at[51]);    MULADD(at[24], at[50]);    MULADD(at[25], at[49]);    MULADD(at[26], at[48]);    MULADD(at[27], at[47]);    MULADD(at[28], at[46]);    MULADD(at[29], at[45]);    MULADD(at[30], at[44]);    MULADD(at[31], at[43]); 
-   COMBA_STORE(C->dp[42]);
-   /* 43 */
-   COMBA_FORWARD;
-   MULADD(at[12], at[63]);    MULADD(at[13], at[62]);    MULADD(at[14], at[61]);    MULADD(at[15], at[60]);    MULADD(at[16], at[59]);    MULADD(at[17], at[58]);    MULADD(at[18], at[57]);    MULADD(at[19], at[56]);    MULADD(at[20], at[55]);    MULADD(at[21], at[54]);    MULADD(at[22], at[53]);    MULADD(at[23], at[52]);    MULADD(at[24], at[51]);    MULADD(at[25], at[50]);    MULADD(at[26], at[49]);    MULADD(at[27], at[48]);    MULADD(at[28], at[47]);    MULADD(at[29], at[46]);    MULADD(at[30], at[45]);    MULADD(at[31], at[44]); 
-   COMBA_STORE(C->dp[43]);
-   /* 44 */
-   COMBA_FORWARD;
-   MULADD(at[13], at[63]);    MULADD(at[14], at[62]);    MULADD(at[15], at[61]);    MULADD(at[16], at[60]);    MULADD(at[17], at[59]);    MULADD(at[18], at[58]);    MULADD(at[19], at[57]);    MULADD(at[20], at[56]);    MULADD(at[21], at[55]);    MULADD(at[22], at[54]);    MULADD(at[23], at[53]);    MULADD(at[24], at[52]);    MULADD(at[25], at[51]);    MULADD(at[26], at[50]);    MULADD(at[27], at[49]);    MULADD(at[28], at[48]);    MULADD(at[29], at[47]);    MULADD(at[30], at[46]);    MULADD(at[31], at[45]); 
-   COMBA_STORE(C->dp[44]);
-   /* 45 */
-   COMBA_FORWARD;
-   MULADD(at[14], at[63]);    MULADD(at[15], at[62]);    MULADD(at[16], at[61]);    MULADD(at[17], at[60]);    MULADD(at[18], at[59]);    MULADD(at[19], at[58]);    MULADD(at[20], at[57]);    MULADD(at[21], at[56]);    MULADD(at[22], at[55]);    MULADD(at[23], at[54]);    MULADD(at[24], at[53]);    MULADD(at[25], at[52]);    MULADD(at[26], at[51]);    MULADD(at[27], at[50]);    MULADD(at[28], at[49]);    MULADD(at[29], at[48]);    MULADD(at[30], at[47]);    MULADD(at[31], at[46]); 
-   COMBA_STORE(C->dp[45]);
-   /* 46 */
-   COMBA_FORWARD;
-   MULADD(at[15], at[63]);    MULADD(at[16], at[62]);    MULADD(at[17], at[61]);    MULADD(at[18], at[60]);    MULADD(at[19], at[59]);    MULADD(at[20], at[58]);    MULADD(at[21], at[57]);    MULADD(at[22], at[56]);    MULADD(at[23], at[55]);    MULADD(at[24], at[54]);    MULADD(at[25], at[53]);    MULADD(at[26], at[52]);    MULADD(at[27], at[51]);    MULADD(at[28], at[50]);    MULADD(at[29], at[49]);    MULADD(at[30], at[48]);    MULADD(at[31], at[47]); 
-   COMBA_STORE(C->dp[46]);
-   /* 47 */
-   COMBA_FORWARD;
-   MULADD(at[16], at[63]);    MULADD(at[17], at[62]);    MULADD(at[18], at[61]);    MULADD(at[19], at[60]);    MULADD(at[20], at[59]);    MULADD(at[21], at[58]);    MULADD(at[22], at[57]);    MULADD(at[23], at[56]);    MULADD(at[24], at[55]);    MULADD(at[25], at[54]);    MULADD(at[26], at[53]);    MULADD(at[27], at[52]);    MULADD(at[28], at[51]);    MULADD(at[29], at[50]);    MULADD(at[30], at[49]);    MULADD(at[31], at[48]); 
-   COMBA_STORE(C->dp[47]);
-   /* 48 */
-   COMBA_FORWARD;
-   MULADD(at[17], at[63]);    MULADD(at[18], at[62]);    MULADD(at[19], at[61]);    MULADD(at[20], at[60]);    MULADD(at[21], at[59]);    MULADD(at[22], at[58]);    MULADD(at[23], at[57]);    MULADD(at[24], at[56]);    MULADD(at[25], at[55]);    MULADD(at[26], at[54]);    MULADD(at[27], at[53]);    MULADD(at[28], at[52]);    MULADD(at[29], at[51]);    MULADD(at[30], at[50]);    MULADD(at[31], at[49]); 
-   COMBA_STORE(C->dp[48]);
-   /* 49 */
-   COMBA_FORWARD;
-   MULADD(at[18], at[63]);    MULADD(at[19], at[62]);    MULADD(at[20], at[61]);    MULADD(at[21], at[60]);    MULADD(at[22], at[59]);    MULADD(at[23], at[58]);    MULADD(at[24], at[57]);    MULADD(at[25], at[56]);    MULADD(at[26], at[55]);    MULADD(at[27], at[54]);    MULADD(at[28], at[53]);    MULADD(at[29], at[52]);    MULADD(at[30], at[51]);    MULADD(at[31], at[50]); 
-   COMBA_STORE(C->dp[49]);
-   /* 50 */
-   COMBA_FORWARD;
-   MULADD(at[19], at[63]);    MULADD(at[20], at[62]);    MULADD(at[21], at[61]);    MULADD(at[22], at[60]);    MULADD(at[23], at[59]);    MULADD(at[24], at[58]);    MULADD(at[25], at[57]);    MULADD(at[26], at[56]);    MULADD(at[27], at[55]);    MULADD(at[28], at[54]);    MULADD(at[29], at[53]);    MULADD(at[30], at[52]);    MULADD(at[31], at[51]); 
-   COMBA_STORE(C->dp[50]);
-   /* 51 */
-   COMBA_FORWARD;
-   MULADD(at[20], at[63]);    MULADD(at[21], at[62]);    MULADD(at[22], at[61]);    MULADD(at[23], at[60]);    MULADD(at[24], at[59]);    MULADD(at[25], at[58]);    MULADD(at[26], at[57]);    MULADD(at[27], at[56]);    MULADD(at[28], at[55]);    MULADD(at[29], at[54]);    MULADD(at[30], at[53]);    MULADD(at[31], at[52]); 
-   COMBA_STORE(C->dp[51]);
-   /* 52 */
-   COMBA_FORWARD;
-   MULADD(at[21], at[63]);    MULADD(at[22], at[62]);    MULADD(at[23], at[61]);    MULADD(at[24], at[60]);    MULADD(at[25], at[59]);    MULADD(at[26], at[58]);    MULADD(at[27], at[57]);    MULADD(at[28], at[56]);    MULADD(at[29], at[55]);    MULADD(at[30], at[54]);    MULADD(at[31], at[53]); 
-   COMBA_STORE(C->dp[52]);
-   /* 53 */
-   COMBA_FORWARD;
-   MULADD(at[22], at[63]);    MULADD(at[23], at[62]);    MULADD(at[24], at[61]);    MULADD(at[25], at[60]);    MULADD(at[26], at[59]);    MULADD(at[27], at[58]);    MULADD(at[28], at[57]);    MULADD(at[29], at[56]);    MULADD(at[30], at[55]);    MULADD(at[31], at[54]); 
-   COMBA_STORE(C->dp[53]);
-   /* 54 */
-   COMBA_FORWARD;
-   MULADD(at[23], at[63]);    MULADD(at[24], at[62]);    MULADD(at[25], at[61]);    MULADD(at[26], at[60]);    MULADD(at[27], at[59]);    MULADD(at[28], at[58]);    MULADD(at[29], at[57]);    MULADD(at[30], at[56]);    MULADD(at[31], at[55]); 
-   COMBA_STORE(C->dp[54]);
-   /* 55 */
-   COMBA_FORWARD;
-   MULADD(at[24], at[63]);    MULADD(at[25], at[62]);    MULADD(at[26], at[61]);    MULADD(at[27], at[60]);    MULADD(at[28], at[59]);    MULADD(at[29], at[58]);    MULADD(at[30], at[57]);    MULADD(at[31], at[56]); 
-   COMBA_STORE(C->dp[55]);
-   /* 56 */
-   COMBA_FORWARD;
-   MULADD(at[25], at[63]);    MULADD(at[26], at[62]);    MULADD(at[27], at[61]);    MULADD(at[28], at[60]);    MULADD(at[29], at[59]);    MULADD(at[30], at[58]);    MULADD(at[31], at[57]); 
-   COMBA_STORE(C->dp[56]);
-   /* 57 */
-   COMBA_FORWARD;
-   MULADD(at[26], at[63]);    MULADD(at[27], at[62]);    MULADD(at[28], at[61]);    MULADD(at[29], at[60]);    MULADD(at[30], at[59]);    MULADD(at[31], at[58]); 
-   COMBA_STORE(C->dp[57]);
-   /* 58 */
-   COMBA_FORWARD;
-   MULADD(at[27], at[63]);    MULADD(at[28], at[62]);    MULADD(at[29], at[61]);    MULADD(at[30], at[60]);    MULADD(at[31], at[59]); 
-   COMBA_STORE(C->dp[58]);
-   /* 59 */
-   COMBA_FORWARD;
-   MULADD(at[28], at[63]);    MULADD(at[29], at[62]);    MULADD(at[30], at[61]);    MULADD(at[31], at[60]); 
-   COMBA_STORE(C->dp[59]);
-   /* 60 */
-   COMBA_FORWARD;
-   MULADD(at[29], at[63]);    MULADD(at[30], at[62]);    MULADD(at[31], at[61]); 
-   COMBA_STORE(C->dp[60]);
-   /* 61 */
-   COMBA_FORWARD;
-   MULADD(at[30], at[63]);    MULADD(at[31], at[62]); 
-   COMBA_STORE(C->dp[61]);
-   /* 62 */
-   COMBA_FORWARD;
-   MULADD(at[31], at[63]); 
-   COMBA_STORE(C->dp[62]);
-   COMBA_STORE2(C->dp[63]);
-   C->used = 64;
-   C->sign = A->sign ^ B->sign;
-   mp_clamp(C);
-   COMBA_FINI;
-}
-
-
-
-void s_mp_sqr_comba_4(const mp_int *A, mp_int *B)
-{
-   mp_digit *a, b[8], c0, c1, c2, sc0, sc1, sc2;
-   /* get rid of some compiler warnings */
-   sc0 = 0; sc1 = 0; sc2 = 0;
-
-   a = A->dp;
-   COMBA_START; 
-
-   /* clear carries */
-   CLEAR_CARRY;
-
-   /* output 0 */
-   SQRADD(a[0],a[0]);
-   COMBA_STORE(b[0]);
-
-   /* output 1 */
-   CARRY_FORWARD;
-   SQRADD2(a[0], a[1]); 
-   COMBA_STORE(b[1]);
-
-   /* output 2 */
-   CARRY_FORWARD;
-   SQRADD2(a[0], a[2]);    SQRADD(a[1], a[1]); 
-   COMBA_STORE(b[2]);
-
-   /* output 3 */
-   CARRY_FORWARD;
-   SQRADD2(a[0], a[3]);    SQRADD2(a[1], a[2]); 
-   COMBA_STORE(b[3]);
-
-   /* output 4 */
-   CARRY_FORWARD;
-   SQRADD2(a[1], a[3]);    SQRADD(a[2], a[2]); 
-   COMBA_STORE(b[4]);
-
-   /* output 5 */
-   CARRY_FORWARD;
-   SQRADD2(a[2], a[3]); 
-   COMBA_STORE(b[5]);
-
-   /* output 6 */
-   CARRY_FORWARD;
-   SQRADD(a[3], a[3]); 
-   COMBA_STORE(b[6]);
-   COMBA_STORE2(b[7]);
-   COMBA_FINI;
-
-   B->used = 8;
-   B->sign = ZPOS;
-   memcpy(B->dp, b, 8 * sizeof(mp_digit));
-   mp_clamp(B);
-}
-
-void s_mp_sqr_comba_8(const mp_int *A, mp_int *B)
-{
-   mp_digit *a, b[16], c0, c1, c2, sc0, sc1, sc2;
-   /* get rid of some compiler warnings */
-   sc0 = 0; sc1 = 0; sc2 = 0;
-
-   a = A->dp;
-   COMBA_START; 
-
-   /* clear carries */
-   CLEAR_CARRY;
-
-   /* output 0 */
-   SQRADD(a[0],a[0]);
-   COMBA_STORE(b[0]);
-
-   /* output 1 */
-   CARRY_FORWARD;
-   SQRADD2(a[0], a[1]); 
-   COMBA_STORE(b[1]);
-
-   /* output 2 */
-   CARRY_FORWARD;
-   SQRADD2(a[0], a[2]);    SQRADD(a[1], a[1]); 
-   COMBA_STORE(b[2]);
-
-   /* output 3 */
-   CARRY_FORWARD;
-   SQRADD2(a[0], a[3]);    SQRADD2(a[1], a[2]); 
-   COMBA_STORE(b[3]);
-
-   /* output 4 */
-   CARRY_FORWARD;
-   SQRADD2(a[0], a[4]);    SQRADD2(a[1], a[3]);    SQRADD(a[2], a[2]); 
-   COMBA_STORE(b[4]);
-
-   /* output 5 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[5]); SQRADDAC(a[1], a[4]); SQRADDAC(a[2], a[3]); SQRADDDB; 
-   COMBA_STORE(b[5]);
-
-   /* output 6 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[6]); SQRADDAC(a[1], a[5]); SQRADDAC(a[2], a[4]); SQRADDDB; SQRADD(a[3], a[3]); 
-   COMBA_STORE(b[6]);
-
-   /* output 7 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[7]); SQRADDAC(a[1], a[6]); SQRADDAC(a[2], a[5]); SQRADDAC(a[3], a[4]); SQRADDDB; 
-   COMBA_STORE(b[7]);
-
-   /* output 8 */
-   CARRY_FORWARD;
-   SQRADDSC(a[1], a[7]); SQRADDAC(a[2], a[6]); SQRADDAC(a[3], a[5]); SQRADDDB; SQRADD(a[4], a[4]); 
-   COMBA_STORE(b[8]);
-
-   /* output 9 */
-   CARRY_FORWARD;
-   SQRADDSC(a[2], a[7]); SQRADDAC(a[3], a[6]); SQRADDAC(a[4], a[5]); SQRADDDB; 
-   COMBA_STORE(b[9]);
-
-   /* output 10 */
-   CARRY_FORWARD;
-   SQRADD2(a[3], a[7]);    SQRADD2(a[4], a[6]);    SQRADD(a[5], a[5]); 
-   COMBA_STORE(b[10]);
-
-   /* output 11 */
-   CARRY_FORWARD;
-   SQRADD2(a[4], a[7]);    SQRADD2(a[5], a[6]); 
-   COMBA_STORE(b[11]);
-
-   /* output 12 */
-   CARRY_FORWARD;
-   SQRADD2(a[5], a[7]);    SQRADD(a[6], a[6]); 
-   COMBA_STORE(b[12]);
-
-   /* output 13 */
-   CARRY_FORWARD;
-   SQRADD2(a[6], a[7]); 
-   COMBA_STORE(b[13]);
-
-   /* output 14 */
-   CARRY_FORWARD;
-   SQRADD(a[7], a[7]); 
-   COMBA_STORE(b[14]);
-   COMBA_STORE2(b[15]);
-   COMBA_FINI;
-
-   B->used = 16;
-   B->sign = ZPOS;
-   memcpy(B->dp, b, 16 * sizeof(mp_digit));
-   mp_clamp(B);
-}
-
-void s_mp_sqr_comba_16(const mp_int *A, mp_int *B)
-{
-   mp_digit *a, b[32], c0, c1, c2, sc0, sc1, sc2;
-   /* get rid of some compiler warnings */
-   sc0 = 0; sc1 = 0; sc2 = 0;
-
-   a = A->dp;
-   COMBA_START; 
-
-   /* clear carries */
-   CLEAR_CARRY;
-
-   /* output 0 */
-   SQRADD(a[0],a[0]);
-   COMBA_STORE(b[0]);
-
-   /* output 1 */
-   CARRY_FORWARD;
-   SQRADD2(a[0], a[1]); 
-   COMBA_STORE(b[1]);
-
-   /* output 2 */
-   CARRY_FORWARD;
-   SQRADD2(a[0], a[2]);    SQRADD(a[1], a[1]); 
-   COMBA_STORE(b[2]);
-
-   /* output 3 */
-   CARRY_FORWARD;
-   SQRADD2(a[0], a[3]);    SQRADD2(a[1], a[2]); 
-   COMBA_STORE(b[3]);
-
-   /* output 4 */
-   CARRY_FORWARD;
-   SQRADD2(a[0], a[4]);    SQRADD2(a[1], a[3]);    SQRADD(a[2], a[2]); 
-   COMBA_STORE(b[4]);
-
-   /* output 5 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[5]); SQRADDAC(a[1], a[4]); SQRADDAC(a[2], a[3]); SQRADDDB; 
-   COMBA_STORE(b[5]);
-
-   /* output 6 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[6]); SQRADDAC(a[1], a[5]); SQRADDAC(a[2], a[4]); SQRADDDB; SQRADD(a[3], a[3]); 
-   COMBA_STORE(b[6]);
-
-   /* output 7 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[7]); SQRADDAC(a[1], a[6]); SQRADDAC(a[2], a[5]); SQRADDAC(a[3], a[4]); SQRADDDB; 
-   COMBA_STORE(b[7]);
-
-   /* output 8 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[8]); SQRADDAC(a[1], a[7]); SQRADDAC(a[2], a[6]); SQRADDAC(a[3], a[5]); SQRADDDB; SQRADD(a[4], a[4]); 
-   COMBA_STORE(b[8]);
-
-   /* output 9 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[9]); SQRADDAC(a[1], a[8]); SQRADDAC(a[2], a[7]); SQRADDAC(a[3], a[6]); SQRADDAC(a[4], a[5]); SQRADDDB; 
-   COMBA_STORE(b[9]);
-
-   /* output 10 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[10]); SQRADDAC(a[1], a[9]); SQRADDAC(a[2], a[8]); SQRADDAC(a[3], a[7]); SQRADDAC(a[4], a[6]); SQRADDDB; SQRADD(a[5], a[5]); 
-   COMBA_STORE(b[10]);
-
-   /* output 11 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[11]); SQRADDAC(a[1], a[10]); SQRADDAC(a[2], a[9]); SQRADDAC(a[3], a[8]); SQRADDAC(a[4], a[7]); SQRADDAC(a[5], a[6]); SQRADDDB; 
-   COMBA_STORE(b[11]);
-
-   /* output 12 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[12]); SQRADDAC(a[1], a[11]); SQRADDAC(a[2], a[10]); SQRADDAC(a[3], a[9]); SQRADDAC(a[4], a[8]); SQRADDAC(a[5], a[7]); SQRADDDB; SQRADD(a[6], a[6]); 
-   COMBA_STORE(b[12]);
-
-   /* output 13 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[13]); SQRADDAC(a[1], a[12]); SQRADDAC(a[2], a[11]); SQRADDAC(a[3], a[10]); SQRADDAC(a[4], a[9]); SQRADDAC(a[5], a[8]); SQRADDAC(a[6], a[7]); SQRADDDB; 
-   COMBA_STORE(b[13]);
-
-   /* output 14 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[14]); SQRADDAC(a[1], a[13]); SQRADDAC(a[2], a[12]); SQRADDAC(a[3], a[11]); SQRADDAC(a[4], a[10]); SQRADDAC(a[5], a[9]); SQRADDAC(a[6], a[8]); SQRADDDB; SQRADD(a[7], a[7]); 
-   COMBA_STORE(b[14]);
-
-   /* output 15 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[15]); SQRADDAC(a[1], a[14]); SQRADDAC(a[2], a[13]); SQRADDAC(a[3], a[12]); SQRADDAC(a[4], a[11]); SQRADDAC(a[5], a[10]); SQRADDAC(a[6], a[9]); SQRADDAC(a[7], a[8]); SQRADDDB; 
-   COMBA_STORE(b[15]);
-
-   /* output 16 */
-   CARRY_FORWARD;
-   SQRADDSC(a[1], a[15]); SQRADDAC(a[2], a[14]); SQRADDAC(a[3], a[13]); SQRADDAC(a[4], a[12]); SQRADDAC(a[5], a[11]); SQRADDAC(a[6], a[10]); SQRADDAC(a[7], a[9]); SQRADDDB; SQRADD(a[8], a[8]); 
-   COMBA_STORE(b[16]);
-
-   /* output 17 */
-   CARRY_FORWARD;
-   SQRADDSC(a[2], a[15]); SQRADDAC(a[3], a[14]); SQRADDAC(a[4], a[13]); SQRADDAC(a[5], a[12]); SQRADDAC(a[6], a[11]); SQRADDAC(a[7], a[10]); SQRADDAC(a[8], a[9]); SQRADDDB; 
-   COMBA_STORE(b[17]);
-
-   /* output 18 */
-   CARRY_FORWARD;
-   SQRADDSC(a[3], a[15]); SQRADDAC(a[4], a[14]); SQRADDAC(a[5], a[13]); SQRADDAC(a[6], a[12]); SQRADDAC(a[7], a[11]); SQRADDAC(a[8], a[10]); SQRADDDB; SQRADD(a[9], a[9]); 
-   COMBA_STORE(b[18]);
-
-   /* output 19 */
-   CARRY_FORWARD;
-   SQRADDSC(a[4], a[15]); SQRADDAC(a[5], a[14]); SQRADDAC(a[6], a[13]); SQRADDAC(a[7], a[12]); SQRADDAC(a[8], a[11]); SQRADDAC(a[9], a[10]); SQRADDDB; 
-   COMBA_STORE(b[19]);
-
-   /* output 20 */
-   CARRY_FORWARD;
-   SQRADDSC(a[5], a[15]); SQRADDAC(a[6], a[14]); SQRADDAC(a[7], a[13]); SQRADDAC(a[8], a[12]); SQRADDAC(a[9], a[11]); SQRADDDB; SQRADD(a[10], a[10]); 
-   COMBA_STORE(b[20]);
-
-   /* output 21 */
-   CARRY_FORWARD;
-   SQRADDSC(a[6], a[15]); SQRADDAC(a[7], a[14]); SQRADDAC(a[8], a[13]); SQRADDAC(a[9], a[12]); SQRADDAC(a[10], a[11]); SQRADDDB; 
-   COMBA_STORE(b[21]);
-
-   /* output 22 */
-   CARRY_FORWARD;
-   SQRADDSC(a[7], a[15]); SQRADDAC(a[8], a[14]); SQRADDAC(a[9], a[13]); SQRADDAC(a[10], a[12]); SQRADDDB; SQRADD(a[11], a[11]); 
-   COMBA_STORE(b[22]);
-
-   /* output 23 */
-   CARRY_FORWARD;
-   SQRADDSC(a[8], a[15]); SQRADDAC(a[9], a[14]); SQRADDAC(a[10], a[13]); SQRADDAC(a[11], a[12]); SQRADDDB; 
-   COMBA_STORE(b[23]);
-
-   /* output 24 */
-   CARRY_FORWARD;
-   SQRADDSC(a[9], a[15]); SQRADDAC(a[10], a[14]); SQRADDAC(a[11], a[13]); SQRADDDB; SQRADD(a[12], a[12]); 
-   COMBA_STORE(b[24]);
-
-   /* output 25 */
-   CARRY_FORWARD;
-   SQRADDSC(a[10], a[15]); SQRADDAC(a[11], a[14]); SQRADDAC(a[12], a[13]); SQRADDDB; 
-   COMBA_STORE(b[25]);
-
-   /* output 26 */
-   CARRY_FORWARD;
-   SQRADD2(a[11], a[15]);    SQRADD2(a[12], a[14]);    SQRADD(a[13], a[13]); 
-   COMBA_STORE(b[26]);
-
-   /* output 27 */
-   CARRY_FORWARD;
-   SQRADD2(a[12], a[15]);    SQRADD2(a[13], a[14]); 
-   COMBA_STORE(b[27]);
-
-   /* output 28 */
-   CARRY_FORWARD;
-   SQRADD2(a[13], a[15]);    SQRADD(a[14], a[14]); 
-   COMBA_STORE(b[28]);
-
-   /* output 29 */
-   CARRY_FORWARD;
-   SQRADD2(a[14], a[15]); 
-   COMBA_STORE(b[29]);
-
-   /* output 30 */
-   CARRY_FORWARD;
-   SQRADD(a[15], a[15]); 
-   COMBA_STORE(b[30]);
-   COMBA_STORE2(b[31]);
-   COMBA_FINI;
-
-   B->used = 32;
-   B->sign = ZPOS;
-   memcpy(B->dp, b, 32 * sizeof(mp_digit));
-   mp_clamp(B);
-}
-
-
-void s_mp_sqr_comba_32(const mp_int *A, mp_int *B)
-{
-   mp_digit *a, b[64], c0, c1, c2, sc0, sc1, sc2;
-   /* get rid of some compiler warnings */
-   sc0 = 0; sc1 = 0; sc2 = 0;
-
-   a = A->dp;
-   COMBA_START; 
-
-   /* clear carries */
-   CLEAR_CARRY;
-
-   /* output 0 */
-   SQRADD(a[0],a[0]);
-   COMBA_STORE(b[0]);
-
-   /* output 1 */
-   CARRY_FORWARD;
-   SQRADD2(a[0], a[1]); 
-   COMBA_STORE(b[1]);
-
-   /* output 2 */
-   CARRY_FORWARD;
-   SQRADD2(a[0], a[2]); SQRADD(a[1], a[1]); 
-   COMBA_STORE(b[2]);
-
-   /* output 3 */
-   CARRY_FORWARD;
-   SQRADD2(a[0], a[3]); SQRADD2(a[1], a[2]); 
-   COMBA_STORE(b[3]);
-
-   /* output 4 */
-   CARRY_FORWARD;
-   SQRADD2(a[0], a[4]); SQRADD2(a[1], a[3]); SQRADD(a[2], a[2]); 
-   COMBA_STORE(b[4]);
-
-   /* output 5 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[5]); SQRADDAC(a[1], a[4]); SQRADDAC(a[2], a[3]); SQRADDDB; 
-   COMBA_STORE(b[5]);
-
-   /* output 6 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[6]); SQRADDAC(a[1], a[5]); SQRADDAC(a[2], a[4]); SQRADDDB; SQRADD(a[3], a[3]); 
-   COMBA_STORE(b[6]);
-
-   /* output 7 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[7]); SQRADDAC(a[1], a[6]); SQRADDAC(a[2], a[5]); SQRADDAC(a[3], a[4]); SQRADDDB; 
-   COMBA_STORE(b[7]);
-
-   /* output 8 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[8]); SQRADDAC(a[1], a[7]); SQRADDAC(a[2], a[6]); SQRADDAC(a[3], a[5]); SQRADDDB; SQRADD(a[4], a[4]); 
-   COMBA_STORE(b[8]);
-
-   /* output 9 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[9]); SQRADDAC(a[1], a[8]); SQRADDAC(a[2], a[7]); SQRADDAC(a[3], a[6]); SQRADDAC(a[4], a[5]); SQRADDDB; 
-   COMBA_STORE(b[9]);
-
-   /* output 10 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[10]); SQRADDAC(a[1], a[9]); SQRADDAC(a[2], a[8]); SQRADDAC(a[3], a[7]); SQRADDAC(a[4], a[6]); SQRADDDB; SQRADD(a[5], a[5]); 
-   COMBA_STORE(b[10]);
-
-   /* output 11 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[11]); SQRADDAC(a[1], a[10]); SQRADDAC(a[2], a[9]); SQRADDAC(a[3], a[8]); SQRADDAC(a[4], a[7]); SQRADDAC(a[5], a[6]); SQRADDDB; 
-   COMBA_STORE(b[11]);
-
-   /* output 12 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[12]); SQRADDAC(a[1], a[11]); SQRADDAC(a[2], a[10]); SQRADDAC(a[3], a[9]); SQRADDAC(a[4], a[8]); SQRADDAC(a[5], a[7]); SQRADDDB; SQRADD(a[6], a[6]); 
-   COMBA_STORE(b[12]);
-
-   /* output 13 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[13]); SQRADDAC(a[1], a[12]); SQRADDAC(a[2], a[11]); SQRADDAC(a[3], a[10]); SQRADDAC(a[4], a[9]); SQRADDAC(a[5], a[8]); SQRADDAC(a[6], a[7]); SQRADDDB; 
-   COMBA_STORE(b[13]);
-
-   /* output 14 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[14]); SQRADDAC(a[1], a[13]); SQRADDAC(a[2], a[12]); SQRADDAC(a[3], a[11]); SQRADDAC(a[4], a[10]); SQRADDAC(a[5], a[9]); SQRADDAC(a[6], a[8]); SQRADDDB; SQRADD(a[7], a[7]); 
-   COMBA_STORE(b[14]);
-
-   /* output 15 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[15]); SQRADDAC(a[1], a[14]); SQRADDAC(a[2], a[13]); SQRADDAC(a[3], a[12]); SQRADDAC(a[4], a[11]); SQRADDAC(a[5], a[10]); SQRADDAC(a[6], a[9]); SQRADDAC(a[7], a[8]); SQRADDDB; 
-   COMBA_STORE(b[15]);
-
-   /* output 16 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[16]); SQRADDAC(a[1], a[15]); SQRADDAC(a[2], a[14]); SQRADDAC(a[3], a[13]); SQRADDAC(a[4], a[12]); SQRADDAC(a[5], a[11]); SQRADDAC(a[6], a[10]); SQRADDAC(a[7], a[9]); SQRADDDB; SQRADD(a[8], a[8]); 
-   COMBA_STORE(b[16]);
-
-   /* output 17 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[17]); SQRADDAC(a[1], a[16]); SQRADDAC(a[2], a[15]); SQRADDAC(a[3], a[14]); SQRADDAC(a[4], a[13]); SQRADDAC(a[5], a[12]); SQRADDAC(a[6], a[11]); SQRADDAC(a[7], a[10]); SQRADDAC(a[8], a[9]); SQRADDDB; 
-   COMBA_STORE(b[17]);
-
-   /* output 18 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[18]); SQRADDAC(a[1], a[17]); SQRADDAC(a[2], a[16]); SQRADDAC(a[3], a[15]); SQRADDAC(a[4], a[14]); SQRADDAC(a[5], a[13]); SQRADDAC(a[6], a[12]); SQRADDAC(a[7], a[11]); SQRADDAC(a[8], a[10]); SQRADDDB; SQRADD(a[9], a[9]); 
-   COMBA_STORE(b[18]);
-
-   /* output 19 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[19]); SQRADDAC(a[1], a[18]); SQRADDAC(a[2], a[17]); SQRADDAC(a[3], a[16]); SQRADDAC(a[4], a[15]); SQRADDAC(a[5], a[14]); SQRADDAC(a[6], a[13]); SQRADDAC(a[7], a[12]); SQRADDAC(a[8], a[11]); SQRADDAC(a[9], a[10]); SQRADDDB; 
-   COMBA_STORE(b[19]);
-
-   /* output 20 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[20]); SQRADDAC(a[1], a[19]); SQRADDAC(a[2], a[18]); SQRADDAC(a[3], a[17]); SQRADDAC(a[4], a[16]); SQRADDAC(a[5], a[15]); SQRADDAC(a[6], a[14]); SQRADDAC(a[7], a[13]); SQRADDAC(a[8], a[12]); SQRADDAC(a[9], a[11]); SQRADDDB; SQRADD(a[10], a[10]); 
-   COMBA_STORE(b[20]);
-
-   /* output 21 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[21]); SQRADDAC(a[1], a[20]); SQRADDAC(a[2], a[19]); SQRADDAC(a[3], a[18]); SQRADDAC(a[4], a[17]); SQRADDAC(a[5], a[16]); SQRADDAC(a[6], a[15]); SQRADDAC(a[7], a[14]); SQRADDAC(a[8], a[13]); SQRADDAC(a[9], a[12]); SQRADDAC(a[10], a[11]); SQRADDDB; 
-   COMBA_STORE(b[21]);
-
-   /* output 22 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[22]); SQRADDAC(a[1], a[21]); SQRADDAC(a[2], a[20]); SQRADDAC(a[3], a[19]); SQRADDAC(a[4], a[18]); SQRADDAC(a[5], a[17]); SQRADDAC(a[6], a[16]); SQRADDAC(a[7], a[15]); SQRADDAC(a[8], a[14]); SQRADDAC(a[9], a[13]); SQRADDAC(a[10], a[12]); SQRADDDB; SQRADD(a[11], a[11]); 
-   COMBA_STORE(b[22]);
-
-   /* output 23 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[23]); SQRADDAC(a[1], a[22]); SQRADDAC(a[2], a[21]); SQRADDAC(a[3], a[20]); SQRADDAC(a[4], a[19]); SQRADDAC(a[5], a[18]); SQRADDAC(a[6], a[17]); SQRADDAC(a[7], a[16]); SQRADDAC(a[8], a[15]); SQRADDAC(a[9], a[14]); SQRADDAC(a[10], a[13]); SQRADDAC(a[11], a[12]); SQRADDDB; 
-   COMBA_STORE(b[23]);
-
-   /* output 24 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[24]); SQRADDAC(a[1], a[23]); SQRADDAC(a[2], a[22]); SQRADDAC(a[3], a[21]); SQRADDAC(a[4], a[20]); SQRADDAC(a[5], a[19]); SQRADDAC(a[6], a[18]); SQRADDAC(a[7], a[17]); SQRADDAC(a[8], a[16]); SQRADDAC(a[9], a[15]); SQRADDAC(a[10], a[14]); SQRADDAC(a[11], a[13]); SQRADDDB; SQRADD(a[12], a[12]); 
-   COMBA_STORE(b[24]);
-
-   /* output 25 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[25]); SQRADDAC(a[1], a[24]); SQRADDAC(a[2], a[23]); SQRADDAC(a[3], a[22]); SQRADDAC(a[4], a[21]); SQRADDAC(a[5], a[20]); SQRADDAC(a[6], a[19]); SQRADDAC(a[7], a[18]); SQRADDAC(a[8], a[17]); SQRADDAC(a[9], a[16]); SQRADDAC(a[10], a[15]); SQRADDAC(a[11], a[14]); SQRADDAC(a[12], a[13]); SQRADDDB; 
-   COMBA_STORE(b[25]);
-
-   /* output 26 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[26]); SQRADDAC(a[1], a[25]); SQRADDAC(a[2], a[24]); SQRADDAC(a[3], a[23]); SQRADDAC(a[4], a[22]); SQRADDAC(a[5], a[21]); SQRADDAC(a[6], a[20]); SQRADDAC(a[7], a[19]); SQRADDAC(a[8], a[18]); SQRADDAC(a[9], a[17]); SQRADDAC(a[10], a[16]); SQRADDAC(a[11], a[15]); SQRADDAC(a[12], a[14]); SQRADDDB; SQRADD(a[13], a[13]); 
-   COMBA_STORE(b[26]);
-
-   /* output 27 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[27]); SQRADDAC(a[1], a[26]); SQRADDAC(a[2], a[25]); SQRADDAC(a[3], a[24]); SQRADDAC(a[4], a[23]); SQRADDAC(a[5], a[22]); SQRADDAC(a[6], a[21]); SQRADDAC(a[7], a[20]); SQRADDAC(a[8], a[19]); SQRADDAC(a[9], a[18]); SQRADDAC(a[10], a[17]); SQRADDAC(a[11], a[16]); SQRADDAC(a[12], a[15]); SQRADDAC(a[13], a[14]); SQRADDDB; 
-   COMBA_STORE(b[27]);
-
-   /* output 28 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[28]); SQRADDAC(a[1], a[27]); SQRADDAC(a[2], a[26]); SQRADDAC(a[3], a[25]); SQRADDAC(a[4], a[24]); SQRADDAC(a[5], a[23]); SQRADDAC(a[6], a[22]); SQRADDAC(a[7], a[21]); SQRADDAC(a[8], a[20]); SQRADDAC(a[9], a[19]); SQRADDAC(a[10], a[18]); SQRADDAC(a[11], a[17]); SQRADDAC(a[12], a[16]); SQRADDAC(a[13], a[15]); SQRADDDB; SQRADD(a[14], a[14]); 
-   COMBA_STORE(b[28]);
-
-   /* output 29 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[29]); SQRADDAC(a[1], a[28]); SQRADDAC(a[2], a[27]); SQRADDAC(a[3], a[26]); SQRADDAC(a[4], a[25]); SQRADDAC(a[5], a[24]); SQRADDAC(a[6], a[23]); SQRADDAC(a[7], a[22]); SQRADDAC(a[8], a[21]); SQRADDAC(a[9], a[20]); SQRADDAC(a[10], a[19]); SQRADDAC(a[11], a[18]); SQRADDAC(a[12], a[17]); SQRADDAC(a[13], a[16]); SQRADDAC(a[14], a[15]); SQRADDDB; 
-   COMBA_STORE(b[29]);
-
-   /* output 30 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[30]); SQRADDAC(a[1], a[29]); SQRADDAC(a[2], a[28]); SQRADDAC(a[3], a[27]); SQRADDAC(a[4], a[26]); SQRADDAC(a[5], a[25]); SQRADDAC(a[6], a[24]); SQRADDAC(a[7], a[23]); SQRADDAC(a[8], a[22]); SQRADDAC(a[9], a[21]); SQRADDAC(a[10], a[20]); SQRADDAC(a[11], a[19]); SQRADDAC(a[12], a[18]); SQRADDAC(a[13], a[17]); SQRADDAC(a[14], a[16]); SQRADDDB; SQRADD(a[15], a[15]); 
-   COMBA_STORE(b[30]);
-
-   /* output 31 */
-   CARRY_FORWARD;
-   SQRADDSC(a[0], a[31]); SQRADDAC(a[1], a[30]); SQRADDAC(a[2], a[29]); SQRADDAC(a[3], a[28]); SQRADDAC(a[4], a[27]); SQRADDAC(a[5], a[26]); SQRADDAC(a[6], a[25]); SQRADDAC(a[7], a[24]); SQRADDAC(a[8], a[23]); SQRADDAC(a[9], a[22]); SQRADDAC(a[10], a[21]); SQRADDAC(a[11], a[20]); SQRADDAC(a[12], a[19]); SQRADDAC(a[13], a[18]); SQRADDAC(a[14], a[17]); SQRADDAC(a[15], a[16]); SQRADDDB; 
-   COMBA_STORE(b[31]);
-
-   /* output 32 */
-   CARRY_FORWARD;
-   SQRADDSC(a[1], a[31]); SQRADDAC(a[2], a[30]); SQRADDAC(a[3], a[29]); SQRADDAC(a[4], a[28]); SQRADDAC(a[5], a[27]); SQRADDAC(a[6], a[26]); SQRADDAC(a[7], a[25]); SQRADDAC(a[8], a[24]); SQRADDAC(a[9], a[23]); SQRADDAC(a[10], a[22]); SQRADDAC(a[11], a[21]); SQRADDAC(a[12], a[20]); SQRADDAC(a[13], a[19]); SQRADDAC(a[14], a[18]); SQRADDAC(a[15], a[17]); SQRADDDB; SQRADD(a[16], a[16]); 
-   COMBA_STORE(b[32]);
-
-   /* output 33 */
-   CARRY_FORWARD;
-   SQRADDSC(a[2], a[31]); SQRADDAC(a[3], a[30]); SQRADDAC(a[4], a[29]); SQRADDAC(a[5], a[28]); SQRADDAC(a[6], a[27]); SQRADDAC(a[7], a[26]); SQRADDAC(a[8], a[25]); SQRADDAC(a[9], a[24]); SQRADDAC(a[10], a[23]); SQRADDAC(a[11], a[22]); SQRADDAC(a[12], a[21]); SQRADDAC(a[13], a[20]); SQRADDAC(a[14], a[19]); SQRADDAC(a[15], a[18]); SQRADDAC(a[16], a[17]); SQRADDDB; 
-   COMBA_STORE(b[33]);
-
-   /* output 34 */
-   CARRY_FORWARD;
-   SQRADDSC(a[3], a[31]); SQRADDAC(a[4], a[30]); SQRADDAC(a[5], a[29]); SQRADDAC(a[6], a[28]); SQRADDAC(a[7], a[27]); SQRADDAC(a[8], a[26]); SQRADDAC(a[9], a[25]); SQRADDAC(a[10], a[24]); SQRADDAC(a[11], a[23]); SQRADDAC(a[12], a[22]); SQRADDAC(a[13], a[21]); SQRADDAC(a[14], a[20]); SQRADDAC(a[15], a[19]); SQRADDAC(a[16], a[18]); SQRADDDB; SQRADD(a[17], a[17]); 
-   COMBA_STORE(b[34]);
-
-   /* output 35 */
-   CARRY_FORWARD;
-   SQRADDSC(a[4], a[31]); SQRADDAC(a[5], a[30]); SQRADDAC(a[6], a[29]); SQRADDAC(a[7], a[28]); SQRADDAC(a[8], a[27]); SQRADDAC(a[9], a[26]); SQRADDAC(a[10], a[25]); SQRADDAC(a[11], a[24]); SQRADDAC(a[12], a[23]); SQRADDAC(a[13], a[22]); SQRADDAC(a[14], a[21]); SQRADDAC(a[15], a[20]); SQRADDAC(a[16], a[19]); SQRADDAC(a[17], a[18]); SQRADDDB; 
-   COMBA_STORE(b[35]);
-
-   /* output 36 */
-   CARRY_FORWARD;
-   SQRADDSC(a[5], a[31]); SQRADDAC(a[6], a[30]); SQRADDAC(a[7], a[29]); SQRADDAC(a[8], a[28]); SQRADDAC(a[9], a[27]); SQRADDAC(a[10], a[26]); SQRADDAC(a[11], a[25]); SQRADDAC(a[12], a[24]); SQRADDAC(a[13], a[23]); SQRADDAC(a[14], a[22]); SQRADDAC(a[15], a[21]); SQRADDAC(a[16], a[20]); SQRADDAC(a[17], a[19]); SQRADDDB; SQRADD(a[18], a[18]); 
-   COMBA_STORE(b[36]);
-
-   /* output 37 */
-   CARRY_FORWARD;
-   SQRADDSC(a[6], a[31]); SQRADDAC(a[7], a[30]); SQRADDAC(a[8], a[29]); SQRADDAC(a[9], a[28]); SQRADDAC(a[10], a[27]); SQRADDAC(a[11], a[26]); SQRADDAC(a[12], a[25]); SQRADDAC(a[13], a[24]); SQRADDAC(a[14], a[23]); SQRADDAC(a[15], a[22]); SQRADDAC(a[16], a[21]); SQRADDAC(a[17], a[20]); SQRADDAC(a[18], a[19]); SQRADDDB; 
-   COMBA_STORE(b[37]);
-
-   /* output 38 */
-   CARRY_FORWARD;
-   SQRADDSC(a[7], a[31]); SQRADDAC(a[8], a[30]); SQRADDAC(a[9], a[29]); SQRADDAC(a[10], a[28]); SQRADDAC(a[11], a[27]); SQRADDAC(a[12], a[26]); SQRADDAC(a[13], a[25]); SQRADDAC(a[14], a[24]); SQRADDAC(a[15], a[23]); SQRADDAC(a[16], a[22]); SQRADDAC(a[17], a[21]); SQRADDAC(a[18], a[20]); SQRADDDB; SQRADD(a[19], a[19]); 
-   COMBA_STORE(b[38]);
-
-   /* output 39 */
-   CARRY_FORWARD;
-   SQRADDSC(a[8], a[31]); SQRADDAC(a[9], a[30]); SQRADDAC(a[10], a[29]); SQRADDAC(a[11], a[28]); SQRADDAC(a[12], a[27]); SQRADDAC(a[13], a[26]); SQRADDAC(a[14], a[25]); SQRADDAC(a[15], a[24]); SQRADDAC(a[16], a[23]); SQRADDAC(a[17], a[22]); SQRADDAC(a[18], a[21]); SQRADDAC(a[19], a[20]); SQRADDDB; 
-   COMBA_STORE(b[39]);
-
-   /* output 40 */
-   CARRY_FORWARD;
-   SQRADDSC(a[9], a[31]); SQRADDAC(a[10], a[30]); SQRADDAC(a[11], a[29]); SQRADDAC(a[12], a[28]); SQRADDAC(a[13], a[27]); SQRADDAC(a[14], a[26]); SQRADDAC(a[15], a[25]); SQRADDAC(a[16], a[24]); SQRADDAC(a[17], a[23]); SQRADDAC(a[18], a[22]); SQRADDAC(a[19], a[21]); SQRADDDB; SQRADD(a[20], a[20]); 
-   COMBA_STORE(b[40]);
-
-   /* output 41 */
-   CARRY_FORWARD;
-   SQRADDSC(a[10], a[31]); SQRADDAC(a[11], a[30]); SQRADDAC(a[12], a[29]); SQRADDAC(a[13], a[28]); SQRADDAC(a[14], a[27]); SQRADDAC(a[15], a[26]); SQRADDAC(a[16], a[25]); SQRADDAC(a[17], a[24]); SQRADDAC(a[18], a[23]); SQRADDAC(a[19], a[22]); SQRADDAC(a[20], a[21]); SQRADDDB; 
-   COMBA_STORE(b[41]);
-
-   /* output 42 */
-   CARRY_FORWARD;
-   SQRADDSC(a[11], a[31]); SQRADDAC(a[12], a[30]); SQRADDAC(a[13], a[29]); SQRADDAC(a[14], a[28]); SQRADDAC(a[15], a[27]); SQRADDAC(a[16], a[26]); SQRADDAC(a[17], a[25]); SQRADDAC(a[18], a[24]); SQRADDAC(a[19], a[23]); SQRADDAC(a[20], a[22]); SQRADDDB; SQRADD(a[21], a[21]); 
-   COMBA_STORE(b[42]);
-
-   /* output 43 */
-   CARRY_FORWARD;
-   SQRADDSC(a[12], a[31]); SQRADDAC(a[13], a[30]); SQRADDAC(a[14], a[29]); SQRADDAC(a[15], a[28]); SQRADDAC(a[16], a[27]); SQRADDAC(a[17], a[26]); SQRADDAC(a[18], a[25]); SQRADDAC(a[19], a[24]); SQRADDAC(a[20], a[23]); SQRADDAC(a[21], a[22]); SQRADDDB; 
-   COMBA_STORE(b[43]);
-
-   /* output 44 */
-   CARRY_FORWARD;
-   SQRADDSC(a[13], a[31]); SQRADDAC(a[14], a[30]); SQRADDAC(a[15], a[29]); SQRADDAC(a[16], a[28]); SQRADDAC(a[17], a[27]); SQRADDAC(a[18], a[26]); SQRADDAC(a[19], a[25]); SQRADDAC(a[20], a[24]); SQRADDAC(a[21], a[23]); SQRADDDB; SQRADD(a[22], a[22]); 
-   COMBA_STORE(b[44]);
-
-   /* output 45 */
-   CARRY_FORWARD;
-   SQRADDSC(a[14], a[31]); SQRADDAC(a[15], a[30]); SQRADDAC(a[16], a[29]); SQRADDAC(a[17], a[28]); SQRADDAC(a[18], a[27]); SQRADDAC(a[19], a[26]); SQRADDAC(a[20], a[25]); SQRADDAC(a[21], a[24]); SQRADDAC(a[22], a[23]); SQRADDDB; 
-   COMBA_STORE(b[45]);
-
-   /* output 46 */
-   CARRY_FORWARD;
-   SQRADDSC(a[15], a[31]); SQRADDAC(a[16], a[30]); SQRADDAC(a[17], a[29]); SQRADDAC(a[18], a[28]); SQRADDAC(a[19], a[27]); SQRADDAC(a[20], a[26]); SQRADDAC(a[21], a[25]); SQRADDAC(a[22], a[24]); SQRADDDB; SQRADD(a[23], a[23]); 
-   COMBA_STORE(b[46]);
-
-   /* output 47 */
-   CARRY_FORWARD;
-   SQRADDSC(a[16], a[31]); SQRADDAC(a[17], a[30]); SQRADDAC(a[18], a[29]); SQRADDAC(a[19], a[28]); SQRADDAC(a[20], a[27]); SQRADDAC(a[21], a[26]); SQRADDAC(a[22], a[25]); SQRADDAC(a[23], a[24]); SQRADDDB; 
-   COMBA_STORE(b[47]);
-
-   /* output 48 */
-   CARRY_FORWARD;
-   SQRADDSC(a[17], a[31]); SQRADDAC(a[18], a[30]); SQRADDAC(a[19], a[29]); SQRADDAC(a[20], a[28]); SQRADDAC(a[21], a[27]); SQRADDAC(a[22], a[26]); SQRADDAC(a[23], a[25]); SQRADDDB; SQRADD(a[24], a[24]); 
-   COMBA_STORE(b[48]);
-
-   /* output 49 */
-   CARRY_FORWARD;
-   SQRADDSC(a[18], a[31]); SQRADDAC(a[19], a[30]); SQRADDAC(a[20], a[29]); SQRADDAC(a[21], a[28]); SQRADDAC(a[22], a[27]); SQRADDAC(a[23], a[26]); SQRADDAC(a[24], a[25]); SQRADDDB; 
-   COMBA_STORE(b[49]);
-
-   /* output 50 */
-   CARRY_FORWARD;
-   SQRADDSC(a[19], a[31]); SQRADDAC(a[20], a[30]); SQRADDAC(a[21], a[29]); SQRADDAC(a[22], a[28]); SQRADDAC(a[23], a[27]); SQRADDAC(a[24], a[26]); SQRADDDB; SQRADD(a[25], a[25]); 
-   COMBA_STORE(b[50]);
-
-   /* output 51 */
-   CARRY_FORWARD;
-   SQRADDSC(a[20], a[31]); SQRADDAC(a[21], a[30]); SQRADDAC(a[22], a[29]); SQRADDAC(a[23], a[28]); SQRADDAC(a[24], a[27]); SQRADDAC(a[25], a[26]); SQRADDDB; 
-   COMBA_STORE(b[51]);
-
-   /* output 52 */
-   CARRY_FORWARD;
-   SQRADDSC(a[21], a[31]); SQRADDAC(a[22], a[30]); SQRADDAC(a[23], a[29]); SQRADDAC(a[24], a[28]); SQRADDAC(a[25], a[27]); SQRADDDB; SQRADD(a[26], a[26]); 
-   COMBA_STORE(b[52]);
-
-   /* output 53 */
-   CARRY_FORWARD;
-   SQRADDSC(a[22], a[31]); SQRADDAC(a[23], a[30]); SQRADDAC(a[24], a[29]); SQRADDAC(a[25], a[28]); SQRADDAC(a[26], a[27]); SQRADDDB; 
-   COMBA_STORE(b[53]);
-
-   /* output 54 */
-   CARRY_FORWARD;
-   SQRADDSC(a[23], a[31]); SQRADDAC(a[24], a[30]); SQRADDAC(a[25], a[29]); SQRADDAC(a[26], a[28]); SQRADDDB; SQRADD(a[27], a[27]); 
-   COMBA_STORE(b[54]);
-
-   /* output 55 */
-   CARRY_FORWARD;
-   SQRADDSC(a[24], a[31]); SQRADDAC(a[25], a[30]); SQRADDAC(a[26], a[29]); SQRADDAC(a[27], a[28]); SQRADDDB; 
-   COMBA_STORE(b[55]);
-
-   /* output 56 */
-   CARRY_FORWARD;
-   SQRADDSC(a[25], a[31]); SQRADDAC(a[26], a[30]); SQRADDAC(a[27], a[29]); SQRADDDB; SQRADD(a[28], a[28]); 
-   COMBA_STORE(b[56]);
-
-   /* output 57 */
-   CARRY_FORWARD;
-   SQRADDSC(a[26], a[31]); SQRADDAC(a[27], a[30]); SQRADDAC(a[28], a[29]); SQRADDDB; 
-   COMBA_STORE(b[57]);
-
-   /* output 58 */
-   CARRY_FORWARD;
-   SQRADD2(a[27], a[31]); SQRADD2(a[28], a[30]); SQRADD(a[29], a[29]); 
-   COMBA_STORE(b[58]);
-
-   /* output 59 */
-   CARRY_FORWARD;
-   SQRADD2(a[28], a[31]); SQRADD2(a[29], a[30]); 
-   COMBA_STORE(b[59]);
-
-   /* output 60 */
-   CARRY_FORWARD;
-   SQRADD2(a[29], a[31]); SQRADD(a[30], a[30]); 
-   COMBA_STORE(b[60]);
-
-   /* output 61 */
-   CARRY_FORWARD;
-   SQRADD2(a[30], a[31]); 
-   COMBA_STORE(b[61]);
-
-   /* output 62 */
-   CARRY_FORWARD;
-   SQRADD(a[31], a[31]); 
-   COMBA_STORE(b[62]);
-   COMBA_STORE2(b[63]);
-   COMBA_FINI;
-
-   B->used = 64;
-   B->sign = ZPOS;
-   memcpy(B->dp, b, 64 * sizeof(mp_digit));
-   mp_clamp(B);
-}
diff --git a/security/nss/lib/freebl/mpi/mp_comba_amd64_sun.s b/security/nss/lib/freebl/mpi/mp_comba_amd64_sun.s
deleted file mode 100644
index a5181df33..000000000
--- a/security/nss/lib/freebl/mpi/mp_comba_amd64_sun.s
+++ /dev/null
@@ -1,16097 +0,0 @@
-//* TomsFastMath, a fast ISO C bignum library.
-/ * 
-/ * This project is meant to fill in where LibTomMath
-/ * falls short.  That is speed ;-)
-/ *
-/ * This project is public domain and free for all purposes.
-/ * 
-/ * Tom St Denis, tomstdenis@iahu.ca
-/ */
-
-//*
-/ * The source file from which this assembly was derived
-/ * comes from TFM v0.03, which has the above license.
-/ * This source was compiled with an unnamed compiler at
-/ * the highest optimization level.  Afterwards, the
-/ * trailing .section was removed because it causes errors
-/ * in the Studio 10 compiler on AMD 64.
-/ */
-
-       	.file	"mp_comba.c"
-	.text
-	.align 16
-.globl s_mp_mul_comba_4
-	.type	s_mp_mul_comba_4, @function
-s_mp_mul_comba_4:
-.LFB2:
-	pushq	%r12
-.LCFI0:
-	pushq	%rbp
-.LCFI1:
-	pushq	%rbx
-.LCFI2:
-	movq	16(%rdi), %r9
-	movq	%rdx, %rbx
-	movq	16(%rsi), %rdx
-	movq	(%r9), %rax
-	movq	%rax, -64(%rsp)
-	movq	8(%r9), %r8
-	movq	%r8, -56(%rsp)
-	movq	16(%r9), %rbp
-	movq	%rbp, -48(%rsp)
-	movq	24(%r9), %r12
-	movq	%r12, -40(%rsp)
-	movq	(%rdx), %rcx
-	movq	%rcx, -32(%rsp)
-	movq	8(%rdx), %r10
-	movq	%r10, -24(%rsp)
-	movq	16(%rdx), %r11
-	xorl	%r10d, %r10d
-	movq	%r10, %r8
-	movq	%r10, %r9
-	movq	%r10, %rbp
-	movq	%r11, -16(%rsp)
-	movq	16(%rbx), %r11
-	movq	24(%rdx), %rax
-	movq	%rax, -8(%rsp)
-/APP
-	movq  -64(%rsp),%rax     
-	mulq  -32(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rbp        
-	
-/NO_APP
-	movq	%r8, (%r11)
-	movq	%rbp, %r8
-	movq	%r10, %rbp
-/APP
-	movq  -64(%rsp),%rax     
-	mulq  -24(%rsp)           
-	addq  %rax,%r9     
-	adcq  %rdx,%r8     
-	adcq  $0,%rbp        
-	
-/NO_APP
-	movq	%rbp, %r12
-/APP
-	movq  -56(%rsp),%rax     
-	mulq  -32(%rsp)           
-	addq  %rax,%r9     
-	adcq  %rdx,%r8     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r9, 8(%r11)
-	movq	%r12, %r9
-	movq	%r10, %r12
-/APP
-	movq  -64(%rsp),%rax     
-	mulq  -16(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r12, %rcx
-/APP
-	movq  -56(%rsp),%rax     
-	mulq  -24(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%rcx, %r12
-/APP
-	movq  -48(%rsp),%rax     
-	mulq  -32(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r8, 16(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %rcx
-	movq	%r10, %r8
-/APP
-	movq  -64(%rsp),%rax     
-	mulq  -8(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -56(%rsp),%rax     
-	mulq  -16(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -48(%rsp),%rax     
-	mulq  -24(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%r8, %r12
-/APP
-	movq  -40(%rsp),%rax     
-	mulq  -32(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%rcx, 24(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %r8
-	movq	%r10, %rcx
-/APP
-	movq  -56(%rsp),%rax     
-	mulq  -8(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -48(%rsp),%rax     
-	mulq  -16(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%rcx, %r12
-/APP
-	movq  -40(%rsp),%rax     
-	mulq  -24(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r8, 32(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %rcx
-	movq	%r10, %r8
-/APP
-	movq  -48(%rsp),%rax     
-	mulq  -8(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-/NO_APP
-	movq	%r8, %r12
-	movq	%r9, %rbp
-/APP
-	movq  -40(%rsp),%rax     
-	mulq  -16(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%rcx, 40(%r11)
-	movq	%rbp, %r8
-	movq	%r12, %rcx
-/APP
-	movq  -40(%rsp),%rax     
-	mulq  -8(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rcx     
-	adcq  $0,%r10        
-	
-/NO_APP
-	movq	%r8, 48(%r11)
-	movl	(%rsi), %esi
-	xorl	(%rdi), %esi
-	testq	%rcx, %rcx
-	movq	%rcx, 56(%r11)
-	movl	$8, 8(%rbx)
-	jne	.L9
-	.align 16
-.L18:
-	movl	8(%rbx), %edx
-	leal	-1(%rdx), %edi
-	testl	%edi, %edi
-	movl	%edi, 8(%rbx)
-	je	.L9
-	leal	-2(%rdx), %r10d
-	cmpq	$0, (%r11,%r10,8)
-	je	.L18
-.L9:
-	movl	8(%rbx), %edx
-	xorl	%r11d, %r11d
-	testl	%edx, %edx
-	cmovne	%esi, %r11d
-	movl	%r11d, (%rbx)
-	popq	%rbx
-	popq	%rbp
-	popq	%r12
-	ret
-.LFE2:
-	.size	s_mp_mul_comba_4, .-s_mp_mul_comba_4
-	.align 16
-.globl s_mp_mul_comba_8
-	.type	s_mp_mul_comba_8, @function
-s_mp_mul_comba_8:
-.LFB3:
-	pushq	%r12
-.LCFI3:
-	pushq	%rbp
-.LCFI4:
-	pushq	%rbx
-.LCFI5:
-	movq	%rdx, %rbx
-	subq	$8, %rsp
-.LCFI6:
-	movq	16(%rdi), %rdx
-	movq	(%rdx), %r8
-	movq	%r8, -120(%rsp)
-	movq	8(%rdx), %rbp
-	movq	%rbp, -112(%rsp)
-	movq	16(%rdx), %r9
-	movq	%r9, -104(%rsp)
-	movq	24(%rdx), %r12
-	movq	%r12, -96(%rsp)
-	movq	32(%rdx), %rcx
-	movq	%rcx, -88(%rsp)
-	movq	40(%rdx), %r10
-	movq	%r10, -80(%rsp)
-	movq	48(%rdx), %r11
-	movq	%r11, -72(%rsp)
-	movq	56(%rdx), %rax
-	movq	16(%rsi), %rdx
-	movq	%rax, -64(%rsp)
-	movq	(%rdx), %r8
-	movq	%r8, -56(%rsp)
-	movq	8(%rdx), %rbp
-	movq	%rbp, -48(%rsp)
-	movq	16(%rdx), %r9
-	movq	%r9, -40(%rsp)
-	movq	24(%rdx), %r12
-	movq	%r12, -32(%rsp)
-	movq	32(%rdx), %rcx
-	movq	%rcx, -24(%rsp)
-	movq	40(%rdx), %r10
-	movq	%r10, -16(%rsp)
-	movq	48(%rdx), %r11
-	xorl	%r10d, %r10d
-	movq	%r10, %r8
-	movq	%r10, %r9
-	movq	%r10, %rbp
-	movq	%r11, -8(%rsp)
-	movq	16(%rbx), %r11
-	movq	56(%rdx), %rax
-	movq	%rax, (%rsp)
-/APP
-	movq  -120(%rsp),%rax     
-	mulq  -56(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rbp        
-	
-/NO_APP
-	movq	%r8, (%r11)
-	movq	%rbp, %r8
-	movq	%r10, %rbp
-/APP
-	movq  -120(%rsp),%rax     
-	mulq  -48(%rsp)           
-	addq  %rax,%r9     
-	adcq  %rdx,%r8     
-	adcq  $0,%rbp        
-	
-/NO_APP
-	movq	%rbp, %r12
-/APP
-	movq  -112(%rsp),%rax     
-	mulq  -56(%rsp)           
-	addq  %rax,%r9     
-	adcq  %rdx,%r8     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r9, 8(%r11)
-	movq	%r12, %r9
-	movq	%r10, %r12
-/APP
-	movq  -120(%rsp),%rax     
-	mulq  -40(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r12, %rcx
-/APP
-	movq  -112(%rsp),%rax     
-	mulq  -48(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%rcx, %r12
-/APP
-	movq  -104(%rsp),%rax     
-	mulq  -56(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r8, 16(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %rcx
-	movq	%r10, %r8
-/APP
-	movq  -120(%rsp),%rax     
-	mulq  -32(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -112(%rsp),%rax     
-	mulq  -40(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -104(%rsp),%rax     
-	mulq  -48(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%r8, %r12
-/APP
-	movq  -96(%rsp),%rax     
-	mulq  -56(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%rcx, 24(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %r8
-	movq	%r10, %rcx
-/APP
-	movq  -120(%rsp),%rax     
-	mulq  -24(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -112(%rsp),%rax     
-	mulq  -32(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -104(%rsp),%rax     
-	mulq  -40(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -96(%rsp),%rax     
-	mulq  -48(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%rcx, %r12
-/APP
-	movq  -88(%rsp),%rax     
-	mulq  -56(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r8, 32(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %rcx
-	movq	%r10, %r8
-/APP
-	movq  -120(%rsp),%rax     
-	mulq  -16(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -112(%rsp),%rax     
-	mulq  -24(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -104(%rsp),%rax     
-	mulq  -32(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -96(%rsp),%rax     
-	mulq  -40(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -88(%rsp),%rax     
-	mulq  -48(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%r8, %r12
-/APP
-	movq  -80(%rsp),%rax     
-	mulq  -56(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%rcx, 40(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %r8
-	movq	%r10, %rcx
-/APP
-	movq  -120(%rsp),%rax     
-	mulq  -8(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -112(%rsp),%rax     
-	mulq  -16(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -104(%rsp),%rax     
-	mulq  -24(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -96(%rsp),%rax     
-	mulq  -32(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -88(%rsp),%rax     
-	mulq  -40(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -80(%rsp),%rax     
-	mulq  -48(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%rcx, %r12
-/APP
-	movq  -72(%rsp),%rax     
-	mulq  -56(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r8, 48(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %rcx
-	movq	%r10, %r8
-/APP
-	movq  -120(%rsp),%rax     
-	mulq  (%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -112(%rsp),%rax     
-	mulq  -8(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -104(%rsp),%rax     
-	mulq  -16(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -96(%rsp),%rax     
-	mulq  -24(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -88(%rsp),%rax     
-	mulq  -32(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -80(%rsp),%rax     
-	mulq  -40(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -72(%rsp),%rax     
-	mulq  -48(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%r8, %r12
-/APP
-	movq  -64(%rsp),%rax     
-	mulq  -56(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%rcx, 56(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %r8
-	movq	%r10, %rcx
-/APP
-	movq  -112(%rsp),%rax     
-	mulq  (%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -104(%rsp),%rax     
-	mulq  -8(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -96(%rsp),%rax     
-	mulq  -16(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -88(%rsp),%rax     
-	mulq  -24(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -80(%rsp),%rax     
-	mulq  -32(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -72(%rsp),%rax     
-	mulq  -40(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%rcx, %r12
-/APP
-	movq  -64(%rsp),%rax     
-	mulq  -48(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r8, 64(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %rcx
-	movq	%r10, %r8
-/APP
-	movq  -104(%rsp),%rax     
-	mulq  (%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -96(%rsp),%rax     
-	mulq  -8(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -88(%rsp),%rax     
-	mulq  -16(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -80(%rsp),%rax     
-	mulq  -24(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -72(%rsp),%rax     
-	mulq  -32(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%r8, %r12
-/APP
-	movq  -64(%rsp),%rax     
-	mulq  -40(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%rcx, 72(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %r8
-	movq	%r10, %rcx
-/APP
-	movq  -96(%rsp),%rax     
-	mulq  (%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -88(%rsp),%rax     
-	mulq  -8(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -80(%rsp),%rax     
-	mulq  -16(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -72(%rsp),%rax     
-	mulq  -24(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%rcx, %r12
-/APP
-	movq  -64(%rsp),%rax     
-	mulq  -32(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r8, 80(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %rcx
-	movq	%r10, %r8
-/APP
-	movq  -88(%rsp),%rax     
-	mulq  (%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -80(%rsp),%rax     
-	mulq  -8(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -72(%rsp),%rax     
-	mulq  -16(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%r8, %r12
-/APP
-	movq  -64(%rsp),%rax     
-	mulq  -24(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%rcx, 88(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %r8
-	movq	%r10, %rcx
-/APP
-	movq  -80(%rsp),%rax     
-	mulq  (%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -72(%rsp),%rax     
-	mulq  -8(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%rcx, %r12
-/APP
-	movq  -64(%rsp),%rax     
-	mulq  -16(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r8, 96(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %rcx
-	movq	%r10, %r8
-/APP
-	movq  -72(%rsp),%rax     
-	mulq  (%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-/NO_APP
-	movq	%r8, %r12
-	movq	%r9, %rbp
-/APP
-	movq  -64(%rsp),%rax     
-	mulq  -8(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%rcx, 104(%r11)
-	movq	%rbp, %r8
-	movq	%r12, %rcx
-/APP
-	movq  -64(%rsp),%rax     
-	mulq  (%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rcx     
-	adcq  $0,%r10        
-	
-/NO_APP
-	movq	%r8, 112(%r11)
-	movl	(%rsi), %esi
-	xorl	(%rdi), %esi
-	testq	%rcx, %rcx
-	movq	%rcx, 120(%r11)
-	movl	$16, 8(%rbx)
-	jne	.L35
-	.align 16
-.L43:
-	movl	8(%rbx), %edx
-	leal	-1(%rdx), %edi
-	testl	%edi, %edi
-	movl	%edi, 8(%rbx)
-	je	.L35
-	leal	-2(%rdx), %eax
-	cmpq	$0, (%r11,%rax,8)
-	je	.L43
-.L35:
-	movl	8(%rbx), %r11d
-	xorl	%edx, %edx
-	testl	%r11d, %r11d
-	cmovne	%esi, %edx
-	movl	%edx, (%rbx)
-	addq	$8, %rsp
-	popq	%rbx
-	popq	%rbp
-	popq	%r12
-	ret
-.LFE3:
-	.size	s_mp_mul_comba_8, .-s_mp_mul_comba_8
-	.align 16
-.globl s_mp_mul_comba_16
-	.type	s_mp_mul_comba_16, @function
-s_mp_mul_comba_16:
-.LFB4:
-	pushq	%r12
-.LCFI7:
-	pushq	%rbp
-.LCFI8:
-	pushq	%rbx
-.LCFI9:
-	movq	%rdx, %rbx
-	subq	$136, %rsp
-.LCFI10:
-	movq	16(%rdi), %rax
-	movq	(%rax), %r8
-	movq	%r8, -120(%rsp)
-	movq	8(%rax), %rbp
-	movq	%rbp, -112(%rsp)
-	movq	16(%rax), %r9
-	movq	%r9, -104(%rsp)
-	movq	24(%rax), %r12
-	movq	%r12, -96(%rsp)
-	movq	32(%rax), %rcx
-	movq	%rcx, -88(%rsp)
-	movq	40(%rax), %r10
-	movq	%r10, -80(%rsp)
-	movq	48(%rax), %rdx
-	movq	%rdx, -72(%rsp)
-	movq	56(%rax), %r11
-	movq	%r11, -64(%rsp)
-	movq	64(%rax), %r8
-	movq	%r8, -56(%rsp)
-	movq	72(%rax), %rbp
-	movq	%rbp, -48(%rsp)
-	movq	80(%rax), %r9
-	movq	%r9, -40(%rsp)
-	movq	88(%rax), %r12
-	movq	%r12, -32(%rsp)
-	movq	96(%rax), %rcx
-	movq	%rcx, -24(%rsp)
-	movq	104(%rax), %r10
-	movq	%r10, -16(%rsp)
-	movq	112(%rax), %rdx
-	movq	%rdx, -8(%rsp)
-	movq	120(%rax), %r11
-	movq	%r11, (%rsp)
-	movq	16(%rsi), %r11
-	movq	(%r11), %r8
-	movq	%r8, 8(%rsp)
-	movq	8(%r11), %rbp
-	movq	%rbp, 16(%rsp)
-	movq	16(%r11), %r9
-	movq	%r9, 24(%rsp)
-	movq	24(%r11), %r12
-	movq	%r12, 32(%rsp)
-	movq	32(%r11), %rcx
-	movq	%rcx, 40(%rsp)
-	movq	40(%r11), %r10
-	movq	%r10, 48(%rsp)
-	movq	48(%r11), %rdx
-	movq	%rdx, 56(%rsp)
-	movq	56(%r11), %rax
-	movq	%rax, 64(%rsp)
-	movq	64(%r11), %r8
-	movq	%r8, 72(%rsp)
-	movq	72(%r11), %rbp
-	movq	%rbp, 80(%rsp)
-	movq	80(%r11), %r9
-	movq	%r9, 88(%rsp)
-	movq	88(%r11), %r12
-	movq	%r12, 96(%rsp)
-	movq	96(%r11), %rcx
-	movq	%rcx, 104(%rsp)
-	movq	104(%r11), %r10
-	movq	%r10, 112(%rsp)
-	movq	112(%r11), %rdx
-	xorl	%r10d, %r10d
-	movq	%r10, %r8
-	movq	%r10, %r9
-	movq	%r10, %rbp
-	movq	%rdx, 120(%rsp)
-	movq	120(%r11), %rax
-	movq	%rax, 128(%rsp)
-	movq	16(%rbx), %r11
-/APP
-	movq  -120(%rsp),%rax     
-	mulq  8(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rbp        
-	
-/NO_APP
-	movq	%r8, (%r11)
-	movq	%rbp, %r8
-	movq	%r10, %rbp
-/APP
-	movq  -120(%rsp),%rax     
-	mulq  16(%rsp)           
-	addq  %rax,%r9     
-	adcq  %rdx,%r8     
-	adcq  $0,%rbp        
-	
-/NO_APP
-	movq	%rbp, %r12
-/APP
-	movq  -112(%rsp),%rax     
-	mulq  8(%rsp)           
-	addq  %rax,%r9     
-	adcq  %rdx,%r8     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r9, 8(%r11)
-	movq	%r12, %r9
-	movq	%r10, %r12
-/APP
-	movq  -120(%rsp),%rax     
-	mulq  24(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r12, %rcx
-/APP
-	movq  -112(%rsp),%rax     
-	mulq  16(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%rcx, %r12
-/APP
-	movq  -104(%rsp),%rax     
-	mulq  8(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r8, 16(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %rcx
-	movq	%r10, %r8
-/APP
-	movq  -120(%rsp),%rax     
-	mulq  32(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -112(%rsp),%rax     
-	mulq  24(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -104(%rsp),%rax     
-	mulq  16(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%r8, %r12
-/APP
-	movq  -96(%rsp),%rax     
-	mulq  8(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%rcx, 24(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %r8
-	movq	%r10, %rcx
-/APP
-	movq  -120(%rsp),%rax     
-	mulq  40(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -112(%rsp),%rax     
-	mulq  32(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -104(%rsp),%rax     
-	mulq  24(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -96(%rsp),%rax     
-	mulq  16(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%rcx, %r12
-/APP
-	movq  -88(%rsp),%rax     
-	mulq  8(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r8, 32(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %rcx
-	movq	%r10, %r8
-/APP
-	movq  -120(%rsp),%rax     
-	mulq  48(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -112(%rsp),%rax     
-	mulq  40(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -104(%rsp),%rax     
-	mulq  32(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -96(%rsp),%rax     
-	mulq  24(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -88(%rsp),%rax     
-	mulq  16(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%r8, %r12
-/APP
-	movq  -80(%rsp),%rax     
-	mulq  8(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%rcx, 40(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %r8
-	movq	%r10, %rcx
-/APP
-	movq  -120(%rsp),%rax     
-	mulq  56(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -112(%rsp),%rax     
-	mulq  48(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -104(%rsp),%rax     
-	mulq  40(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -96(%rsp),%rax     
-	mulq  32(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -88(%rsp),%rax     
-	mulq  24(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -80(%rsp),%rax     
-	mulq  16(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%rcx, %r12
-/APP
-	movq  -72(%rsp),%rax     
-	mulq  8(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r8, 48(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %rcx
-	movq	%r10, %r8
-/APP
-	movq  -120(%rsp),%rax     
-	mulq  64(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -112(%rsp),%rax     
-	mulq  56(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -104(%rsp),%rax     
-	mulq  48(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -96(%rsp),%rax     
-	mulq  40(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -88(%rsp),%rax     
-	mulq  32(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -80(%rsp),%rax     
-	mulq  24(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -72(%rsp),%rax     
-	mulq  16(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%r8, %r12
-/APP
-	movq  -64(%rsp),%rax     
-	mulq  8(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%rcx, 56(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %r8
-	movq	%r10, %rcx
-/APP
-	movq  -120(%rsp),%rax     
-	mulq  72(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -112(%rsp),%rax     
-	mulq  64(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -104(%rsp),%rax     
-	mulq  56(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -96(%rsp),%rax     
-	mulq  48(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -88(%rsp),%rax     
-	mulq  40(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -80(%rsp),%rax     
-	mulq  32(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -72(%rsp),%rax     
-	mulq  24(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -64(%rsp),%rax     
-	mulq  16(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%rcx, %r12
-/APP
-	movq  -56(%rsp),%rax     
-	mulq  8(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r8, 64(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %rcx
-	movq	%r10, %r8
-/APP
-	movq  -120(%rsp),%rax     
-	mulq  80(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -112(%rsp),%rax     
-	mulq  72(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -104(%rsp),%rax     
-	mulq  64(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -96(%rsp),%rax     
-	mulq  56(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -88(%rsp),%rax     
-	mulq  48(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -80(%rsp),%rax     
-	mulq  40(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -72(%rsp),%rax     
-	mulq  32(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -64(%rsp),%rax     
-	mulq  24(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -56(%rsp),%rax     
-	mulq  16(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%r8, %r12
-/APP
-	movq  -48(%rsp),%rax     
-	mulq  8(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%rcx, 72(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %r8
-	movq	%r10, %rcx
-/APP
-	movq  -120(%rsp),%rax     
-	mulq  88(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -112(%rsp),%rax     
-	mulq  80(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -104(%rsp),%rax     
-	mulq  72(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -96(%rsp),%rax     
-	mulq  64(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -88(%rsp),%rax     
-	mulq  56(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -80(%rsp),%rax     
-	mulq  48(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -72(%rsp),%rax     
-	mulq  40(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -64(%rsp),%rax     
-	mulq  32(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -56(%rsp),%rax     
-	mulq  24(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -48(%rsp),%rax     
-	mulq  16(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%rcx, %r12
-/APP
-	movq  -40(%rsp),%rax     
-	mulq  8(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r8, 80(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %rcx
-	movq	%r10, %r8
-/APP
-	movq  -120(%rsp),%rax     
-	mulq  96(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -112(%rsp),%rax     
-	mulq  88(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -104(%rsp),%rax     
-	mulq  80(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -96(%rsp),%rax     
-	mulq  72(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -88(%rsp),%rax     
-	mulq  64(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -80(%rsp),%rax     
-	mulq  56(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -72(%rsp),%rax     
-	mulq  48(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -64(%rsp),%rax     
-	mulq  40(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -56(%rsp),%rax     
-	mulq  32(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -48(%rsp),%rax     
-	mulq  24(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -40(%rsp),%rax     
-	mulq  16(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%r8, %r12
-/APP
-	movq  -32(%rsp),%rax     
-	mulq  8(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%rcx, 88(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %r8
-	movq	%r10, %rcx
-/APP
-	movq  -120(%rsp),%rax     
-	mulq  104(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -112(%rsp),%rax     
-	mulq  96(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -104(%rsp),%rax     
-	mulq  88(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -96(%rsp),%rax     
-	mulq  80(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -88(%rsp),%rax     
-	mulq  72(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -80(%rsp),%rax     
-	mulq  64(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -72(%rsp),%rax     
-	mulq  56(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -64(%rsp),%rax     
-	mulq  48(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -56(%rsp),%rax     
-	mulq  40(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -48(%rsp),%rax     
-	mulq  32(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -40(%rsp),%rax     
-	mulq  24(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -32(%rsp),%rax     
-	mulq  16(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%rcx, %r12
-/APP
-	movq  -24(%rsp),%rax     
-	mulq  8(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r8, 96(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %rcx
-	movq	%r10, %r8
-/APP
-	movq  -120(%rsp),%rax     
-	mulq  112(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -112(%rsp),%rax     
-	mulq  104(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -104(%rsp),%rax     
-	mulq  96(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -96(%rsp),%rax     
-	mulq  88(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -88(%rsp),%rax     
-	mulq  80(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -80(%rsp),%rax     
-	mulq  72(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -72(%rsp),%rax     
-	mulq  64(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -64(%rsp),%rax     
-	mulq  56(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -56(%rsp),%rax     
-	mulq  48(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -48(%rsp),%rax     
-	mulq  40(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -40(%rsp),%rax     
-	mulq  32(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -32(%rsp),%rax     
-	mulq  24(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -24(%rsp),%rax     
-	mulq  16(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%r8, %r12
-/APP
-	movq  -16(%rsp),%rax     
-	mulq  8(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%rcx, 104(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %r8
-	movq	%r10, %rcx
-/APP
-	movq  -120(%rsp),%rax     
-	mulq  120(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -112(%rsp),%rax     
-	mulq  112(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -104(%rsp),%rax     
-	mulq  104(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -96(%rsp),%rax     
-	mulq  96(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -88(%rsp),%rax     
-	mulq  88(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -80(%rsp),%rax     
-	mulq  80(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -72(%rsp),%rax     
-	mulq  72(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -64(%rsp),%rax     
-	mulq  64(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -56(%rsp),%rax     
-	mulq  56(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -48(%rsp),%rax     
-	mulq  48(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -40(%rsp),%rax     
-	mulq  40(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -32(%rsp),%rax     
-	mulq  32(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -24(%rsp),%rax     
-	mulq  24(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -16(%rsp),%rax     
-	mulq  16(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%rcx, %r12
-/APP
-	movq  -8(%rsp),%rax     
-	mulq  8(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r8, 112(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %rcx
-	movq	%r10, %r8
-/APP
-	movq  -120(%rsp),%rax     
-	mulq  128(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -112(%rsp),%rax     
-	mulq  120(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -104(%rsp),%rax     
-	mulq  112(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -96(%rsp),%rax     
-	mulq  104(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -88(%rsp),%rax     
-	mulq  96(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -80(%rsp),%rax     
-	mulq  88(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -72(%rsp),%rax     
-	mulq  80(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -64(%rsp),%rax     
-	mulq  72(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -56(%rsp),%rax     
-	mulq  64(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -48(%rsp),%rax     
-	mulq  56(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -40(%rsp),%rax     
-	mulq  48(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -32(%rsp),%rax     
-	mulq  40(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -24(%rsp),%rax     
-	mulq  32(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -16(%rsp),%rax     
-	mulq  24(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -8(%rsp),%rax     
-	mulq  16(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%r8, %r12
-/APP
-	movq  (%rsp),%rax     
-	mulq  8(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%rcx, 120(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %r8
-	movq	%r10, %rcx
-/APP
-	movq  -112(%rsp),%rax     
-	mulq  128(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -104(%rsp),%rax     
-	mulq  120(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -96(%rsp),%rax     
-	mulq  112(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -88(%rsp),%rax     
-	mulq  104(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -80(%rsp),%rax     
-	mulq  96(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -72(%rsp),%rax     
-	mulq  88(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -64(%rsp),%rax     
-	mulq  80(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -56(%rsp),%rax     
-	mulq  72(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -48(%rsp),%rax     
-	mulq  64(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -40(%rsp),%rax     
-	mulq  56(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -32(%rsp),%rax     
-	mulq  48(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -24(%rsp),%rax     
-	mulq  40(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -16(%rsp),%rax     
-	mulq  32(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -8(%rsp),%rax     
-	mulq  24(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%rcx, %r12
-/APP
-	movq  (%rsp),%rax     
-	mulq  16(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r8, 128(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %rcx
-	movq	%r10, %r8
-/APP
-	movq  -104(%rsp),%rax     
-	mulq  128(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -96(%rsp),%rax     
-	mulq  120(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -88(%rsp),%rax     
-	mulq  112(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -80(%rsp),%rax     
-	mulq  104(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -72(%rsp),%rax     
-	mulq  96(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -64(%rsp),%rax     
-	mulq  88(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -56(%rsp),%rax     
-	mulq  80(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -48(%rsp),%rax     
-	mulq  72(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -40(%rsp),%rax     
-	mulq  64(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -32(%rsp),%rax     
-	mulq  56(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -24(%rsp),%rax     
-	mulq  48(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -16(%rsp),%rax     
-	mulq  40(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -8(%rsp),%rax     
-	mulq  32(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%r8, %r12
-/APP
-	movq  (%rsp),%rax     
-	mulq  24(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%rcx, 136(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %r8
-	movq	%r10, %rcx
-/APP
-	movq  -96(%rsp),%rax     
-	mulq  128(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -88(%rsp),%rax     
-	mulq  120(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -80(%rsp),%rax     
-	mulq  112(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -72(%rsp),%rax     
-	mulq  104(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -64(%rsp),%rax     
-	mulq  96(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -56(%rsp),%rax     
-	mulq  88(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -48(%rsp),%rax     
-	mulq  80(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -40(%rsp),%rax     
-	mulq  72(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -32(%rsp),%rax     
-	mulq  64(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -24(%rsp),%rax     
-	mulq  56(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -16(%rsp),%rax     
-	mulq  48(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -8(%rsp),%rax     
-	mulq  40(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%rcx, %r12
-/APP
-	movq  (%rsp),%rax     
-	mulq  32(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r8, 144(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %rcx
-	movq	%r10, %r8
-/APP
-	movq  -88(%rsp),%rax     
-	mulq  128(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -80(%rsp),%rax     
-	mulq  120(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -72(%rsp),%rax     
-	mulq  112(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -64(%rsp),%rax     
-	mulq  104(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -56(%rsp),%rax     
-	mulq  96(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -48(%rsp),%rax     
-	mulq  88(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -40(%rsp),%rax     
-	mulq  80(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -32(%rsp),%rax     
-	mulq  72(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -24(%rsp),%rax     
-	mulq  64(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -16(%rsp),%rax     
-	mulq  56(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -8(%rsp),%rax     
-	mulq  48(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%r8, %r12
-/APP
-	movq  (%rsp),%rax     
-	mulq  40(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%rcx, 152(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %r8
-	movq	%r10, %rcx
-/APP
-	movq  -80(%rsp),%rax     
-	mulq  128(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -72(%rsp),%rax     
-	mulq  120(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -64(%rsp),%rax     
-	mulq  112(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -56(%rsp),%rax     
-	mulq  104(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -48(%rsp),%rax     
-	mulq  96(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -40(%rsp),%rax     
-	mulq  88(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -32(%rsp),%rax     
-	mulq  80(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -24(%rsp),%rax     
-	mulq  72(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -16(%rsp),%rax     
-	mulq  64(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -8(%rsp),%rax     
-	mulq  56(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%rcx, %r12
-/APP
-	movq  (%rsp),%rax     
-	mulq  48(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r8, 160(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %rcx
-	movq	%r10, %r8
-/APP
-	movq  -72(%rsp),%rax     
-	mulq  128(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -64(%rsp),%rax     
-	mulq  120(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -56(%rsp),%rax     
-	mulq  112(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -48(%rsp),%rax     
-	mulq  104(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -40(%rsp),%rax     
-	mulq  96(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -32(%rsp),%rax     
-	mulq  88(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -24(%rsp),%rax     
-	mulq  80(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -16(%rsp),%rax     
-	mulq  72(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -8(%rsp),%rax     
-	mulq  64(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%r8, %r12
-/APP
-	movq  (%rsp),%rax     
-	mulq  56(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%rcx, 168(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %r8
-	movq	%r10, %rcx
-/APP
-	movq  -64(%rsp),%rax     
-	mulq  128(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -56(%rsp),%rax     
-	mulq  120(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -48(%rsp),%rax     
-	mulq  112(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -40(%rsp),%rax     
-	mulq  104(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -32(%rsp),%rax     
-	mulq  96(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -24(%rsp),%rax     
-	mulq  88(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -16(%rsp),%rax     
-	mulq  80(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -8(%rsp),%rax     
-	mulq  72(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%rcx, %r12
-/APP
-	movq  (%rsp),%rax     
-	mulq  64(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r8, 176(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %rcx
-	movq	%r10, %r8
-/APP
-	movq  -56(%rsp),%rax     
-	mulq  128(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -48(%rsp),%rax     
-	mulq  120(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -40(%rsp),%rax     
-	mulq  112(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -32(%rsp),%rax     
-	mulq  104(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -24(%rsp),%rax     
-	mulq  96(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -16(%rsp),%rax     
-	mulq  88(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -8(%rsp),%rax     
-	mulq  80(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%r8, %r12
-/APP
-	movq  (%rsp),%rax     
-	mulq  72(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%rcx, 184(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %r8
-	movq	%r10, %rcx
-/APP
-	movq  -48(%rsp),%rax     
-	mulq  128(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -40(%rsp),%rax     
-	mulq  120(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -32(%rsp),%rax     
-	mulq  112(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -24(%rsp),%rax     
-	mulq  104(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -16(%rsp),%rax     
-	mulq  96(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -8(%rsp),%rax     
-	mulq  88(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%rcx, %r12
-/APP
-	movq  (%rsp),%rax     
-	mulq  80(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r8, 192(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %rcx
-	movq	%r10, %r8
-/APP
-	movq  -40(%rsp),%rax     
-	mulq  128(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -32(%rsp),%rax     
-	mulq  120(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -24(%rsp),%rax     
-	mulq  112(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -16(%rsp),%rax     
-	mulq  104(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -8(%rsp),%rax     
-	mulq  96(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%r8, %r12
-/APP
-	movq  (%rsp),%rax     
-	mulq  88(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%rcx, 200(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %r8
-	movq	%r10, %rcx
-/APP
-	movq  -32(%rsp),%rax     
-	mulq  128(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -24(%rsp),%rax     
-	mulq  120(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -16(%rsp),%rax     
-	mulq  112(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -8(%rsp),%rax     
-	mulq  104(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%rcx, %r12
-/APP
-	movq  (%rsp),%rax     
-	mulq  96(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r8, 208(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %rcx
-	movq	%r10, %r8
-/APP
-	movq  -24(%rsp),%rax     
-	mulq  128(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -16(%rsp),%rax     
-	mulq  120(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-	movq  -8(%rsp),%rax     
-	mulq  112(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%r8, %r12
-/APP
-	movq  (%rsp),%rax     
-	mulq  104(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%rcx, 216(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %r8
-	movq	%r10, %rcx
-/APP
-	movq  -16(%rsp),%rax     
-	mulq  128(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-	movq  -8(%rsp),%rax     
-	mulq  120(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%r9, %rbp
-	movq	%rcx, %r12
-/APP
-	movq  (%rsp),%rax     
-	mulq  112(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r8, 224(%r11)
-	movq	%r12, %r9
-	movq	%rbp, %rcx
-	movq	%r10, %r8
-/APP
-	movq  -8(%rsp),%rax     
-	mulq  128(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-/NO_APP
-	movq	%r8, %r12
-	movq	%r9, %rbp
-/APP
-	movq  (%rsp),%rax     
-	mulq  120(%rsp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%rcx, 232(%r11)
-	movq	%rbp, %r8
-	movq	%r12, %rcx
-/APP
-	movq  (%rsp),%rax     
-	mulq  128(%rsp)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rcx     
-	adcq  $0,%r10        
-	
-/NO_APP
-	movq	%r8, 240(%r11)
-	movl	(%rsi), %esi
-	xorl	(%rdi), %esi
-	testq	%rcx, %rcx
-	movq	%rcx, 248(%r11)
-	movl	$32, 8(%rbx)
-	jne	.L76
-	.align 16
-.L84:
-	movl	8(%rbx), %edx
-	leal	-1(%rdx), %edi
-	testl	%edi, %edi
-	movl	%edi, 8(%rbx)
-	je	.L76
-	leal	-2(%rdx), %eax
-	cmpq	$0, (%r11,%rax,8)
-	je	.L84
-.L76:
-	movl	8(%rbx), %edx
-	xorl	%r11d, %r11d
-	testl	%edx, %edx
-	cmovne	%esi, %r11d
-	movl	%r11d, (%rbx)
-	addq	$136, %rsp
-	popq	%rbx
-	popq	%rbp
-	popq	%r12
-	ret
-.LFE4:
-	.size	s_mp_mul_comba_16, .-s_mp_mul_comba_16
-	.align 16
-.globl s_mp_mul_comba_32
-	.type	s_mp_mul_comba_32, @function
-s_mp_mul_comba_32:
-.LFB5:
-	pushq	%rbp
-.LCFI11:
-	movq	%rsp, %rbp
-.LCFI12:
-	pushq	%r13
-.LCFI13:
-	movq	%rdx, %r13
-	movl	$256, %edx
-	pushq	%r12
-.LCFI14:
-	movq	%rsi, %r12
-	pushq	%rbx
-.LCFI15:
-	movq	%rdi, %rbx
-	subq	$520, %rsp
-.LCFI16:
-	movq	16(%rdi), %rsi
-	leaq	-544(%rbp), %rdi
-	call	memcpy@PLT
-	movq	16(%r12), %rsi
-	leaq	-288(%rbp), %rdi
-	movl	$256, %edx
-	call	memcpy@PLT
-	movq	16(%r13), %r9
-	xorl	%r8d, %r8d
-	movq	%r8, %rsi
-	movq	%r8, %rdi
-	movq	%r8, %r10
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%r10        
-	
-/NO_APP
-	movq	%rsi, (%r9)
-	movq	%r10, %rsi
-	movq	%r8, %r10
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%rsi     
-	adcq  $0,%r10        
-	
-/NO_APP
-	movq	%r10, %r11
-/APP
-	movq  -536(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%rsi     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rdi, 8(%r9)
-	movq	%r11, %rdi
-	movq	%r8, %r11
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%r11, %rcx
-/APP
-	movq  -536(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rcx, %r11
-/APP
-	movq  -528(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rsi, 16(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rcx
-	movq	%r8, %rsi
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -536(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -528(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rsi, %r11
-/APP
-	movq  -520(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rcx, 24(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rsi
-	movq	%r8, %rcx
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -536(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -528(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -520(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rcx, %r11
-/APP
-	movq  -512(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rsi, 32(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rcx
-	movq	%r8, %rsi
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -536(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -528(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -520(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -512(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rsi, %r11
-/APP
-	movq  -504(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rcx, 40(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rsi
-	movq	%r8, %rcx
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -536(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -528(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -520(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -512(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -504(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rcx, %r11
-/APP
-	movq  -496(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rsi, 48(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rcx
-	movq	%r8, %rsi
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -536(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -528(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -520(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -512(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -504(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -496(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rsi, %r11
-/APP
-	movq  -488(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rcx, 56(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rsi
-	movq	%r8, %rcx
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -536(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -528(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -520(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -512(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -504(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -496(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -488(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rcx, %r11
-/APP
-	movq  -480(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rsi, 64(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rcx
-	movq	%r8, %rsi
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -536(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -528(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -520(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -512(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -504(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -496(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -488(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -480(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rsi, %r11
-/APP
-	movq  -472(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rcx, 72(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rsi
-	movq	%r8, %rcx
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -536(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -528(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -520(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -512(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -504(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -496(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -488(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -480(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -472(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rcx, %r11
-/APP
-	movq  -464(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rsi, 80(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rcx
-	movq	%r8, %rsi
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -536(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -528(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -520(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -512(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -504(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -496(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -488(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -480(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -472(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -464(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rsi, %r11
-/APP
-	movq  -456(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rcx, 88(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rsi
-	movq	%r8, %rcx
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -536(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -528(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -520(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -512(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -504(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -496(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -488(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -480(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -472(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -464(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -456(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rcx, %r11
-/APP
-	movq  -448(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rsi, 96(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rcx
-	movq	%r8, %rsi
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -536(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -528(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -520(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -512(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -504(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -496(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -488(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -480(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -472(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -464(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -456(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -448(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rsi, %r11
-/APP
-	movq  -440(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rcx, 104(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rsi
-	movq	%r8, %rcx
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -536(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -528(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -520(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -512(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -504(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -496(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -488(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -480(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -472(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -464(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -456(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -448(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -440(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rcx, %r11
-/APP
-	movq  -432(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rsi, 112(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rcx
-	movq	%r8, %rsi
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -536(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -528(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -520(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -512(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -504(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -496(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -488(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -480(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -472(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -464(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -456(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -448(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -440(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -432(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rsi, %r11
-/APP
-	movq  -424(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rcx, 120(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rsi
-	movq	%r8, %rcx
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -536(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -528(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -520(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -512(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -504(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -496(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -488(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -480(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -472(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -464(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -456(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -448(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -440(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -432(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -424(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rcx, %r11
-/APP
-	movq  -416(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rsi, 128(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rcx
-	movq	%r8, %rsi
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -536(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -528(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -520(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -512(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -504(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -496(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -488(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -480(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -472(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -464(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -456(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -448(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -440(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -432(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -424(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -416(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rsi, %r11
-/APP
-	movq  -408(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rcx, 136(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rsi
-	movq	%r8, %rcx
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -536(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -528(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -520(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -512(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -504(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -496(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -488(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -480(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -472(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -464(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -456(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -448(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -440(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -432(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -424(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -416(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -408(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rcx, %r11
-/APP
-	movq  -400(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rsi, 144(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rcx
-	movq	%r8, %rsi
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -536(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -528(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -520(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -512(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -504(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -496(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -488(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -480(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -472(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -464(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -456(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -448(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -440(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -432(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -424(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -416(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -408(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -400(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rsi, %r11
-/APP
-	movq  -392(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rcx, 152(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rsi
-	movq	%r8, %rcx
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -536(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -528(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -520(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -512(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -504(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -496(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -488(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -480(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -472(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -464(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -456(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -448(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -440(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -432(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -424(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -416(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -408(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -400(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -392(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rcx, %r11
-/APP
-	movq  -384(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rsi, 160(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rcx
-	movq	%r8, %rsi
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -536(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -528(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -520(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -512(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -504(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -496(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -488(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -480(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -472(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -464(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -456(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -448(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -440(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -432(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -424(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -416(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -408(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -400(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -392(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -384(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rsi, %r11
-/APP
-	movq  -376(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rcx, 168(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rsi
-	movq	%r8, %rcx
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -536(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -528(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -520(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -512(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -504(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -496(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -488(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -480(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -472(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -464(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -456(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -448(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -440(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -432(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -424(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -416(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -408(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -400(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -392(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -384(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -376(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rcx, %r11
-/APP
-	movq  -368(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rsi, 176(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rcx
-	movq	%r8, %rsi
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -536(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -528(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -520(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -512(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -504(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -496(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -488(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -480(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -472(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -464(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -456(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -448(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -440(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -432(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -424(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -416(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -408(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -400(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -392(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -384(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -376(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -368(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rsi, %r11
-/APP
-	movq  -360(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rcx, 184(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rsi
-	movq	%r8, %rcx
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -536(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -528(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -520(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -512(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -504(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -496(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -488(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -480(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -472(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -464(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -456(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -448(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -440(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -432(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -424(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -416(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -408(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -400(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -392(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -384(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -376(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -368(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -360(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rcx, %r11
-/APP
-	movq  -352(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rsi, 192(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rcx
-	movq	%r8, %rsi
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -536(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -528(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -520(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -512(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -504(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -496(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -488(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -480(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -472(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -464(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -456(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -448(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -440(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -432(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -424(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -416(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -408(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -400(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -392(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -384(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -376(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -368(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -360(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -352(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rsi, %r11
-/APP
-	movq  -344(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rcx, 200(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rsi
-	movq	%r8, %rcx
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -536(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -528(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -520(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -512(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -504(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -496(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -488(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -480(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -472(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -464(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -456(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -448(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -440(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -432(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -424(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -416(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -408(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -400(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -392(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -384(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -376(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -368(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -360(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -352(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -344(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rcx, %r11
-/APP
-	movq  -336(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rsi, 208(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rcx
-	movq	%r8, %rsi
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -536(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -528(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -520(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -512(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -504(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -496(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -488(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -480(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -472(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -464(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -456(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -448(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -440(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -432(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -424(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -416(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -408(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -400(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -392(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -384(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -376(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -368(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -360(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -352(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -344(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -336(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rsi, %r11
-/APP
-	movq  -328(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rcx, 216(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rsi
-	movq	%r8, %rcx
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -536(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -528(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -520(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -512(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -504(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -496(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -488(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -480(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -472(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -464(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -456(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -448(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -440(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -432(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -424(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -416(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -408(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -400(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -392(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -384(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -376(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -368(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -360(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -352(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -344(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -336(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -328(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rcx, %r11
-/APP
-	movq  -320(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rsi, 224(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rcx
-	movq	%r8, %rsi
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -536(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -528(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -520(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -512(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -504(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -496(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -488(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -480(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -472(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -464(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -456(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -448(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -440(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -432(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -424(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -416(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -408(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -400(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -392(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -384(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -376(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -368(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -360(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -352(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -344(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -336(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -328(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -320(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rsi, %r11
-/APP
-	movq  -312(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rcx, 232(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rsi
-	movq	%r8, %rcx
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -536(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -528(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -520(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -512(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -504(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -496(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -488(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -480(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -472(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -464(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -456(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -448(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -440(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -432(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -424(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -416(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -408(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -400(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -392(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -384(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -376(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -368(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -360(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -352(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -344(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -336(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -328(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -320(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -312(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rcx, %r11
-/APP
-	movq  -304(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rsi, 240(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rcx
-	movq	%r8, %rsi
-/APP
-	movq  -544(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -536(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -528(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -520(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -512(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -504(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -496(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -488(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -480(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -472(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -464(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -456(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -448(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -440(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -432(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -424(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -416(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -408(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -400(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -392(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -384(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -376(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -368(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -360(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -352(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -344(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -336(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -328(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -320(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -312(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -304(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rsi, %r11
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -288(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rcx, 248(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rsi
-	movq	%r8, %rcx
-/APP
-	movq  -536(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -528(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -520(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -512(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -504(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -496(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -488(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -480(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -472(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -464(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -456(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -448(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -440(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -432(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -424(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -416(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -408(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -400(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -392(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -384(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -376(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -368(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -360(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -352(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -344(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -336(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -328(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -320(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -312(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -304(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rcx, %r11
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -280(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rsi, 256(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rcx
-	movq	%r8, %rsi
-/APP
-	movq  -528(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -520(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -512(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -504(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -496(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -488(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -480(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -472(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -464(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -456(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -448(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -440(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -432(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -424(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -416(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -408(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -400(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -392(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -384(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -376(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -368(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -360(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -352(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -344(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -336(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -328(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -320(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -312(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -304(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rsi, %r11
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -272(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rcx, 264(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rsi
-	movq	%r8, %rcx
-/APP
-	movq  -520(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -512(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -504(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -496(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -488(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -480(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -472(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -464(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -456(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -448(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -440(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -432(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -424(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -416(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -408(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -400(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -392(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -384(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -376(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -368(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -360(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -352(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -344(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -336(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -328(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -320(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -312(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -304(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rcx, %r11
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -264(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rsi, 272(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rcx
-	movq	%r8, %rsi
-/APP
-	movq  -512(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -504(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -496(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -488(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -480(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -472(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -464(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -456(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -448(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -440(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -432(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -424(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -416(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -408(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -400(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -392(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -384(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -376(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -368(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -360(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -352(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -344(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -336(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -328(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -320(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -312(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -304(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rsi, %r11
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -256(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rcx, 280(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rsi
-	movq	%r8, %rcx
-/APP
-	movq  -504(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -496(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -488(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -480(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -472(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -464(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -456(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -448(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -440(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -432(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -424(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -416(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -408(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -400(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -392(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -384(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -376(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -368(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -360(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -352(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -344(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -336(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -328(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -320(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -312(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -304(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rcx, %r11
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -248(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rsi, 288(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rcx
-	movq	%r8, %rsi
-/APP
-	movq  -496(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -488(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -480(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -472(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -464(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -456(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -448(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -440(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -432(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -424(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -416(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -408(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -400(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -392(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -384(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -376(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -368(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -360(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -352(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -344(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -336(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -328(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -320(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -312(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -304(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rsi, %r11
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -240(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rcx, 296(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rsi
-	movq	%r8, %rcx
-/APP
-	movq  -488(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -480(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -472(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -464(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -456(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -448(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -440(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -432(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -424(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -416(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -408(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -400(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -392(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -384(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -376(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -368(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -360(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -352(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -344(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -336(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -328(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -320(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -312(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -304(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rcx, %r11
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -232(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rsi, 304(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rcx
-	movq	%r8, %rsi
-/APP
-	movq  -480(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -472(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -464(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -456(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -448(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -440(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -432(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -424(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -416(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -408(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -400(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -392(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -384(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -376(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -368(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -360(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -352(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -344(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -336(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -328(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -320(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -312(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -304(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rsi, %r11
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -224(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rcx, 312(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rsi
-	movq	%r8, %rcx
-/APP
-	movq  -472(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -464(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -456(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -448(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -440(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -432(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -424(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -416(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -408(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -400(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -392(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -384(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -376(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -368(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -360(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -352(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -344(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -336(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -328(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -320(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -312(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -304(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rcx, %r11
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -216(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rsi, 320(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rcx
-	movq	%r8, %rsi
-/APP
-	movq  -464(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -456(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -448(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -440(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -432(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -424(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -416(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -408(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -400(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -392(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -384(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -376(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -368(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -360(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -352(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -344(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -336(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -328(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -320(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -312(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -304(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rsi, %r11
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -208(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rcx, 328(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %r11
-	movq	%r8, %r10
-/APP
-	movq  -456(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%r11     
-	adcq  %rdx,%rdi     
-	adcq  $0,%r10        
-	
-	movq  -448(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%r11     
-	adcq  %rdx,%rdi     
-	adcq  $0,%r10        
-	
-	movq  -440(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%r11     
-	adcq  %rdx,%rdi     
-	adcq  $0,%r10        
-	
-	movq  -432(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%r11     
-	adcq  %rdx,%rdi     
-	adcq  $0,%r10        
-	
-	movq  -424(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%r11     
-	adcq  %rdx,%rdi     
-	adcq  $0,%r10        
-	
-	movq  -416(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%r11     
-	adcq  %rdx,%rdi     
-	adcq  $0,%r10        
-	
-	movq  -408(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%r11     
-	adcq  %rdx,%rdi     
-	adcq  $0,%r10        
-	
-	movq  -400(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%r11     
-	adcq  %rdx,%rdi     
-	adcq  $0,%r10        
-	
-	movq  -392(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%r11     
-	adcq  %rdx,%rdi     
-	adcq  $0,%r10        
-	
-	movq  -384(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%r11     
-	adcq  %rdx,%rdi     
-	adcq  $0,%r10        
-	
-	movq  -376(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%r11     
-	adcq  %rdx,%rdi     
-	adcq  $0,%r10        
-	
-	movq  -368(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%r11     
-	adcq  %rdx,%rdi     
-	adcq  $0,%r10        
-	
-	movq  -360(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%r11     
-	adcq  %rdx,%rdi     
-	adcq  $0,%r10        
-	
-	movq  -352(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%r11     
-	adcq  %rdx,%rdi     
-	adcq  $0,%r10        
-	
-	movq  -344(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%r11     
-	adcq  %rdx,%rdi     
-	adcq  $0,%r10        
-	
-	movq  -336(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%r11     
-	adcq  %rdx,%rdi     
-	adcq  $0,%r10        
-	
-	movq  -328(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%r11     
-	adcq  %rdx,%rdi     
-	adcq  $0,%r10        
-	
-	movq  -320(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%r11     
-	adcq  %rdx,%rdi     
-	adcq  $0,%r10        
-	
-	movq  -312(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%r11     
-	adcq  %rdx,%rdi     
-	adcq  $0,%r10        
-	
-	movq  -304(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%r11     
-	adcq  %rdx,%rdi     
-	adcq  $0,%r10        
-	
-	movq  -296(%rbp),%rax     
-	mulq  -200(%rbp)           
-	addq  %rax,%r11     
-	adcq  %rdx,%rdi     
-	adcq  $0,%r10        
-	
-/NO_APP
-	movq	%r11, 336(%r9)
-	movq	%r10, %rsi
-	movq	%r8, %r10
-/APP
-	movq  -448(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%rsi     
-	adcq  $0,%r10        
-	
-/NO_APP
-	movq	%r10, %rcx
-/APP
-	movq  -440(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%rsi     
-	adcq  $0,%rcx        
-	
-	movq  -432(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%rsi     
-	adcq  $0,%rcx        
-	
-	movq  -424(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%rsi     
-	adcq  $0,%rcx        
-	
-	movq  -416(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%rsi     
-	adcq  $0,%rcx        
-	
-	movq  -408(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%rsi     
-	adcq  $0,%rcx        
-	
-	movq  -400(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%rsi     
-	adcq  $0,%rcx        
-	
-	movq  -392(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%rsi     
-	adcq  $0,%rcx        
-	
-	movq  -384(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%rsi     
-	adcq  $0,%rcx        
-	
-	movq  -376(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%rsi     
-	adcq  $0,%rcx        
-	
-	movq  -368(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%rsi     
-	adcq  $0,%rcx        
-	
-	movq  -360(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%rsi     
-	adcq  $0,%rcx        
-	
-	movq  -352(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%rsi     
-	adcq  $0,%rcx        
-	
-	movq  -344(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%rsi     
-	adcq  $0,%rcx        
-	
-	movq  -336(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%rsi     
-	adcq  $0,%rcx        
-	
-	movq  -328(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%rsi     
-	adcq  $0,%rcx        
-	
-	movq  -320(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%rsi     
-	adcq  $0,%rcx        
-	
-	movq  -312(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%rsi     
-	adcq  $0,%rcx        
-	
-	movq  -304(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%rsi     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%rsi, %r11
-	movq	%rcx, %r10
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -192(%rbp)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%r11     
-	adcq  $0,%r10        
-	
-/NO_APP
-	movq	%rdi, 344(%r9)
-	movq	%r11, %rcx
-	movq	%r10, %rdi
-	movq	%r8, %r11
-/APP
-	movq  -440(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%r11, %rsi
-/APP
-	movq  -432(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -424(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -416(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -408(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -400(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -392(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -384(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -376(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -368(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -360(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -352(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -344(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -336(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -328(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -320(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -312(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -304(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rsi, %r11
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -184(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rcx, 352(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rsi
-	movq	%r8, %rcx
-/APP
-	movq  -432(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -424(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -416(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -408(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -400(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -392(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -384(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -376(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -368(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -360(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -352(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -344(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -336(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -328(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -320(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -312(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -304(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rcx, %r11
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -176(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rsi, 360(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rcx
-	movq	%r8, %rsi
-/APP
-	movq  -424(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -416(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -408(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -400(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -392(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -384(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -376(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -368(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -360(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -352(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -344(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -336(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -328(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -320(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -312(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -304(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rsi, %r11
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -168(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rcx, 368(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rsi
-	movq	%r8, %rcx
-/APP
-	movq  -416(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -408(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -400(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -392(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -384(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -376(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -368(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -360(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -352(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -344(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -336(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -328(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -320(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -312(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -304(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rcx, %r11
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -160(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rsi, 376(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rcx
-	movq	%r8, %rsi
-/APP
-	movq  -408(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -400(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -392(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -384(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -376(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -368(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -360(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -352(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -344(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -336(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -328(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -320(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -312(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -304(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rsi, %r11
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -152(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rcx, 384(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rsi
-	movq	%r8, %rcx
-/APP
-	movq  -400(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -392(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -384(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -376(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -368(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -360(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -352(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -344(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -336(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -328(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -320(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -312(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -304(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rcx, %r11
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -144(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rsi, 392(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rcx
-	movq	%r8, %rsi
-/APP
-	movq  -392(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -384(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -376(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -368(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -360(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -352(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -344(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -336(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -328(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -320(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -312(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -304(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rsi, %r11
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -136(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rcx, 400(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rsi
-	movq	%r8, %rcx
-/APP
-	movq  -384(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -376(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -368(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -360(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -352(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -344(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -336(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -328(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -320(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -312(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -304(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rcx, %r11
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -128(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rsi, 408(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rcx
-	movq	%r8, %rsi
-/APP
-	movq  -376(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -368(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -360(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -352(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -344(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -336(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -328(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -320(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -312(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -304(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rsi, %r11
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -120(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rcx, 416(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rsi
-	movq	%r8, %rcx
-/APP
-	movq  -368(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -360(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -352(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -344(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -336(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -328(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -320(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -312(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -304(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rcx, %r11
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -112(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rsi, 424(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rcx
-	movq	%r8, %rsi
-/APP
-	movq  -360(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -352(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -344(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -336(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -328(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -320(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -312(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -304(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rsi, %r11
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -104(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rcx, 432(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rsi
-	movq	%r8, %rcx
-/APP
-	movq  -352(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -344(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -336(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -328(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -320(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -312(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -304(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rcx, %r11
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -96(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rsi, 440(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rcx
-	movq	%r8, %rsi
-/APP
-	movq  -344(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -336(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -328(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -320(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -312(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -304(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rsi, %r11
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -88(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rcx, 448(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rsi
-	movq	%r8, %rcx
-/APP
-	movq  -336(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -328(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -320(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -312(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -304(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rcx, %r11
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -80(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rsi, 456(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rcx
-	movq	%r8, %rsi
-/APP
-	movq  -328(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -320(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -312(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -304(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rsi, %r11
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -72(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rcx, 464(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rsi
-	movq	%r8, %rcx
-/APP
-	movq  -320(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -312(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-	movq  -304(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rcx, %r11
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -64(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rsi, 472(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rcx
-	movq	%r8, %rsi
-/APP
-	movq  -312(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  -304(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r10
-	movq	%rsi, %r11
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -56(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rcx, 480(%r9)
-	movq	%r11, %rdi
-	movq	%r10, %rsi
-	movq	%r8, %rcx
-/APP
-	movq  -304(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rcx        
-	
-/NO_APP
-	movq	%rcx, %r11
-	movq	%rdi, %r10
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -48(%rbp)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r10     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rsi, 488(%r9)
-	movq	%r10, %rcx
-	movq	%r11, %rsi
-/APP
-	movq  -296(%rbp),%rax     
-	mulq  -40(%rbp)           
-	addq  %rax,%rcx     
-	adcq  %rdx,%rsi     
-	adcq  $0,%r8        
-	
-/NO_APP
-	movq	%rcx, 496(%r9)
-	movl	(%r12), %ecx
-	xorl	(%rbx), %ecx
-	testq	%rsi, %rsi
-	movq	%rsi, 504(%r9)
-	movl	$64, 8(%r13)
-	jne	.L149
-	.align 16
-.L157:
-	movl	8(%r13), %edx
-	leal	-1(%rdx), %ebx
-	testl	%ebx, %ebx
-	movl	%ebx, 8(%r13)
-	je	.L149
-	leal	-2(%rdx), %r12d
-	cmpq	$0, (%r9,%r12,8)
-	je	.L157
-.L149:
-	movl	8(%r13), %r9d
-	xorl	%edx, %edx
-	testl	%r9d, %r9d
-	cmovne	%ecx, %edx
-	movl	%edx, (%r13)
-	addq	$520, %rsp
-	popq	%rbx
-	popq	%r12
-	popq	%r13
-	leave
-	ret
-.LFE5:
-	.size	s_mp_mul_comba_32, .-s_mp_mul_comba_32
-	.align 16
-.globl s_mp_sqr_comba_4
-	.type	s_mp_sqr_comba_4, @function
-s_mp_sqr_comba_4:
-.LFB6:
-	pushq	%rbp
-.LCFI17:
-	movq	%rsi, %r11
-	xorl	%esi, %esi
-	movq	%rsi, %r10
-	movq	%rsi, %rbp
-	movq	%rsi, %r8
-	pushq	%rbx
-.LCFI18:
-	movq	%rsi, %rbx
-	movq	16(%rdi), %rcx
-	movq	%rsi, %rdi
-/APP
-	movq  (%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r10     
-	adcq  %rdx,%rbx     
-	adcq  $0,%rdi        
-	
-/NO_APP
-	movq	%r10, -72(%rsp)
-/APP
-	movq  (%rcx),%rax     
-	mulq  8(%rcx)           
-	addq  %rax,%rbx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rbp        
-	addq  %rax,%rbx     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rbp        
-	
-/NO_APP
-	movq	%rbx, -64(%rsp)
-/APP
-	movq  (%rcx),%rax     
-	mulq  16(%rcx)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r8        
-	addq  %rax,%rdi     
-	adcq  %rdx,%rbp     
-	adcq  $0,%r8        
-	
-/NO_APP
-	movq	%rbp, %rbx
-	movq	%r8, %rbp
-/APP
-	movq  8(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%rdi     
-	adcq  %rdx,%rbx     
-	adcq  $0,%rbp        
-	
-/NO_APP
-	movq	%rdi, -56(%rsp)
-	movq	%rbp, %r9
-	movq	%rbx, %r8
-	movq	%rsi, %rdi
-/APP
-	movq  (%rcx),%rax     
-	mulq  24(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rdi        
-	addq  %rax,%r8     
-	adcq  %rdx,%r9     
-	adcq  $0,%rdi        
-	
-/NO_APP
-	movq	%r9, %rbx
-	movq	%rdi, %rbp
-/APP
-	movq  8(%rcx),%rax     
-	mulq  16(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rbx     
-	adcq  $0,%rbp        
-	addq  %rax,%r8     
-	adcq  %rdx,%rbx     
-	adcq  $0,%rbp        
-	
-/NO_APP
-	movq	%r8, -48(%rsp)
-	movq	%rbp, %r9
-	movq	%rbx, %rdi
-	movq	%rsi, %r8
-	movl	$8, 8(%r11)
-	movl	$0, (%r11)
-/APP
-	movq  8(%rcx),%rax     
-	mulq  24(%rcx)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	addq  %rax,%rdi     
-	adcq  %rdx,%r9     
-	adcq  $0,%r8        
-	
-/NO_APP
-	movq	%r9, %rbx
-	movq	%r8, %rbp
-/APP
-	movq  16(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%rdi     
-	adcq  %rdx,%rbx     
-	adcq  $0,%rbp        
-	
-/NO_APP
-	movq	%rbp, %rax
-	movq	%rdi, -40(%rsp)
-	movq	%rbx, %rbp
-	movq	%rax, %rdi
-	movq	%rsi, %rbx
-/APP
-	movq  16(%rcx),%rax     
-	mulq  24(%rcx)           
-	addq  %rax,%rbp     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rbx        
-	addq  %rax,%rbp     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rbx        
-	
-/NO_APP
-	movq	%rbp, -32(%rsp)
-	movq	%rbx, %r9
-/APP
-	movq  24(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%rdi     
-	adcq  %rdx,%r9     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	16(%r11), %rdx
-	movq	%rdi, -24(%rsp)
-	movq	%r9, -16(%rsp)
-	movq	%r10, (%rdx)
-	movq	-64(%rsp), %r8
-	movq	%r8, 8(%rdx)
-	movq	-56(%rsp), %rbp
-	movq	%rbp, 16(%rdx)
-	movq	-48(%rsp), %rdi
-	movq	%rdi, 24(%rdx)
-	movq	-40(%rsp), %rsi
-	movq	%rsi, 32(%rdx)
-	movq	-32(%rsp), %rbx
-	movq	%rbx, 40(%rdx)
-	movq	-24(%rsp), %rcx
-	movq	%rcx, 48(%rdx)
-	movq	-16(%rsp), %rax
-	movq	%rax, 56(%rdx)
-	movl	8(%r11), %edx
-	testl	%edx, %edx
-	je	.L168
-	leal	-1(%rdx), %ecx
-	movq	16(%r11), %rsi
-	mov	%ecx, %r10d
-	cmpq	$0, (%rsi,%r10,8)
-	jne	.L166
-	movl	%ecx, %edx
-	.align 16
-.L167:
-	testl	%edx, %edx
-	movl	%edx, %ecx
-	je	.L171
-	decl	%edx
-	mov	%edx, %eax
-	cmpq	$0, (%rsi,%rax,8)
-	je	.L167
-	movl	%ecx, 8(%r11)
-	movl	%ecx, %edx
-.L166:
-	testl	%edx, %edx
-	je	.L168
-	popq	%rbx
-	popq	%rbp
-	movl	(%r11), %eax
-	movl	%eax, (%r11)
-	ret
-.L171:
-	movl	%edx, 8(%r11)
-	.align 16
-.L168:
-	popq	%rbx
-	popq	%rbp
-	xorl	%eax, %eax
-	movl	%eax, (%r11)
-	ret
-.LFE6:
-	.size	s_mp_sqr_comba_4, .-s_mp_sqr_comba_4
-	.align 16
-.globl s_mp_sqr_comba_8
-	.type	s_mp_sqr_comba_8, @function
-s_mp_sqr_comba_8:
-.LFB7:
-	pushq	%r14
-.LCFI19:
-	xorl	%r9d, %r9d
-	movq	%r9, %r14
-	movq	%r9, %r10
-	pushq	%r13
-.LCFI20:
-	movq	%r9, %r13
-	pushq	%r12
-.LCFI21:
-	movq	%r9, %r12
-	pushq	%rbp
-.LCFI22:
-	movq	%rsi, %rbp
-	movq	%r9, %rsi
-	pushq	%rbx
-.LCFI23:
-	movq	%r9, %rbx
-	subq	$8, %rsp
-.LCFI24:
-	movq	16(%rdi), %rcx
-/APP
-	movq  (%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r14     
-	adcq  %rdx,%rbx     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r14, -120(%rsp)
-/APP
-	movq  (%rcx),%rax     
-	mulq  8(%rcx)           
-	addq  %rax,%rbx     
-	adcq  %rdx,%r12     
-	adcq  $0,%r10        
-	addq  %rax,%rbx     
-	adcq  %rdx,%r12     
-	adcq  $0,%r10        
-	
-/NO_APP
-	movq	%rbx, -112(%rsp)
-/APP
-	movq  (%rcx),%rax     
-	mulq  16(%rcx)           
-	addq  %rax,%r12     
-	adcq  %rdx,%r10     
-	adcq  $0,%r13        
-	addq  %rax,%r12     
-	adcq  %rdx,%r10     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%r10, %rbx
-	movq	%r13, %r10
-	movq	%r9, %r13
-/APP
-	movq  8(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r12     
-	adcq  %rdx,%rbx     
-	adcq  $0,%r10        
-	
-/NO_APP
-	movq	%r12, -104(%rsp)
-	movq	%r10, %rdi
-	movq	%rbx, %r11
-/APP
-	movq  (%rcx),%rax     
-	mulq  24(%rcx)           
-	addq  %rax,%r11     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	addq  %rax,%r11     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %rbx
-	movq	%rsi, %r10
-	movq	%r9, %rdi
-/APP
-	movq  8(%rcx),%rax     
-	mulq  16(%rcx)           
-	addq  %rax,%r11     
-	adcq  %rdx,%rbx     
-	adcq  $0,%r10        
-	addq  %rax,%r11     
-	adcq  %rdx,%rbx     
-	adcq  $0,%r10        
-	
-/NO_APP
-	movq	%r9, %rsi
-	movq	%r11, -96(%rsp)
-	movq	%r10, %r8
-	movq	%rbx, %r12
-	movq	%r9, %r11
-/APP
-	movq  (%rcx),%rax     
-	mulq  32(%rcx)           
-	addq  %rax,%r12     
-	adcq  %rdx,%r8     
-	adcq  $0,%r13        
-	addq  %rax,%r12     
-	adcq  %rdx,%r8     
-	adcq  $0,%r13        
-	
-	movq  8(%rcx),%rax     
-	mulq  24(%rcx)           
-	addq  %rax,%r12     
-	adcq  %rdx,%r8     
-	adcq  $0,%r13        
-	addq  %rax,%r12     
-	adcq  %rdx,%r8     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%r8, %rbx
-	movq	%r13, %r10
-	movq	%r9, %r8
-/APP
-	movq  16(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r12     
-	adcq  %rdx,%rbx     
-	adcq  $0,%r10        
-	
-/NO_APP
-	movq	%r12, -88(%rsp)
-/APP
-	movq  (%rcx),%rax     
-	mulq  40(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  8(%rcx),%rax     
-	mulq  32(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  24(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	addq %r8,%rbx         
-	adcq %rdi,%r10         
-	adcq %rsi,%r11         
-	addq %r8,%rbx         
-	adcq %rdi,%r10         
-	adcq %rsi,%r11         
-	
-/NO_APP
-	movq	%rbx, -80(%rsp)
-/APP
-	movq  (%rcx),%rax     
-	mulq  48(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  8(%rcx),%rax     
-	mulq  40(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  32(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r9, %rax
-	movq	%rdi, %r13
-	movq	%rsi, %r12
-/APP
-	addq %r8,%r10         
-	adcq %r13,%r11         
-	adcq %r12,%rax         
-	addq %r8,%r10         
-	adcq %r13,%r11         
-	adcq %r12,%rax         
-	
-/NO_APP
-	movq	%rax, %rdx
-	movq	%r11, %rbx
-	movq	%r13, %rdi
-	movq	%rdx, %r11
-	movq	%r12, %rsi
-/APP
-	movq  24(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r10     
-	adcq  %rdx,%rbx     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%r10, -72(%rsp)
-	movq	%r11, %r10
-/APP
-	movq  (%rcx),%rax     
-	mulq  56(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  8(%rcx),%rax     
-	mulq  48(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  40(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  24(%rcx),%rax     
-	mulq  32(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r9, %rax
-/APP
-	addq %r8,%rbx         
-	adcq %rdi,%r10         
-	adcq %rsi,%rax         
-	addq %r8,%rbx         
-	adcq %rdi,%r10         
-	adcq %rsi,%rax         
-	
-/NO_APP
-	movq	%rbx, -64(%rsp)
-	movq	%rax, %r11
-	movq	%r9, %rbx
-/APP
-	movq  8(%rcx),%rax     
-	mulq  56(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  48(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  24(%rcx),%rax     
-	mulq  40(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r13
-	movq	%rsi, %r12
-/APP
-	addq %r8,%r10         
-	adcq %r13,%r11         
-	adcq %r12,%rbx         
-	addq %r8,%r10         
-	adcq %r13,%r11         
-	adcq %r12,%rbx         
-	
-/NO_APP
-	movq	%rbx, %rsi
-	movq	%r13, %rdi
-	movq	%r11, %rbx
-	movq	%r12, %r13
-	movq	%rsi, %r11
-/APP
-	movq  32(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r10     
-	adcq  %rdx,%rbx     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%r10, -56(%rsp)
-	movq	%r9, %r10
-/APP
-	movq  16(%rcx),%rax     
-	mulq  56(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %r13,%r13        
-	
-	movq  24(%rcx),%rax     
-	mulq  48(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%r13        
-	
-	movq  32(%rcx),%rax     
-	mulq  40(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%rdi, %r12
-	movq	%r13, %rax
-/APP
-	addq %r8,%rbx         
-	adcq %r12,%r11         
-	adcq %rax,%r10         
-	addq %r8,%rbx         
-	adcq %r12,%r11         
-	adcq %rax,%r10         
-	
-/NO_APP
-	movq	%rbx, -48(%rsp)
-	movq	%r11, %r12
-	movq	%r10, %rsi
-	movq	%r9, %rbx
-	movq	%r9, %r11
-/APP
-	movq  24(%rcx),%rax     
-	mulq  56(%rcx)           
-	addq  %rax,%r12     
-	adcq  %rdx,%rsi     
-	adcq  $0,%rbx        
-	addq  %rax,%r12     
-	adcq  %rdx,%rsi     
-	adcq  $0,%rbx        
-	
-/NO_APP
-	movq	%rbx, %r13
-/APP
-	movq  32(%rcx),%rax     
-	mulq  48(%rcx)           
-	addq  %rax,%r12     
-	adcq  %rdx,%rsi     
-	adcq  $0,%r13        
-	addq  %rax,%r12     
-	adcq  %rdx,%rsi     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%rsi, %r10
-	movq	%r13, %rbx
-	movq	%r9, %r13
-/APP
-	movq  40(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r12     
-	adcq  %rdx,%r10     
-	adcq  $0,%rbx        
-	
-/NO_APP
-	movq	%r12, -40(%rsp)
-	movq	%rbx, %r8
-	movq	%r10, %rdi
-/APP
-	movq  32(%rcx),%rax     
-	mulq  56(%rcx)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%r8     
-	adcq  $0,%r11        
-	addq  %rax,%rdi     
-	adcq  %rdx,%r8     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%r8, %r10
-	movq	%r11, %rbx
-/APP
-	movq  40(%rcx),%rax     
-	mulq  48(%rcx)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%r10     
-	adcq  $0,%rbx        
-	addq  %rax,%rdi     
-	adcq  %rdx,%r10     
-	adcq  $0,%rbx        
-	
-/NO_APP
-	movq	%rdi, -32(%rsp)
-	movq	%rbx, %rsi
-	movq	%r10, %r12
-/APP
-	movq  40(%rcx),%rax     
-	mulq  56(%rcx)           
-	addq  %rax,%r12     
-	adcq  %rdx,%rsi     
-	adcq  $0,%r13        
-	addq  %rax,%r12     
-	adcq  %rdx,%rsi     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%rsi, %r10
-	movq	%r13, %rbx
-/APP
-	movq  48(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r12     
-	adcq  %rdx,%r10     
-	adcq  $0,%rbx        
-	
-/NO_APP
-	movq	%r12, -24(%rsp)
-	movq	%r10, %rdi
-	movq	%rbx, %rsi
-	movq	%r9, %r10
-	movl	$16, 8(%rbp)
-	movl	$0, (%rbp)
-/APP
-	movq  48(%rcx),%rax     
-	mulq  56(%rcx)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%rsi     
-	adcq  $0,%r10        
-	addq  %rax,%rdi     
-	adcq  %rdx,%rsi     
-	adcq  $0,%r10        
-	
-/NO_APP
-	movq	%rdi, -16(%rsp)
-	movq	%r10, %r8
-/APP
-	movq  56(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%r9        
-	
-/NO_APP
-	movq	16(%rbp), %rax
-	movq	%rsi, -8(%rsp)
-	movq	%r8, (%rsp)
-	movq	%r14, (%rax)
-	movq	-112(%rsp), %rbx
-	movq	%rbx, 8(%rax)
-	movq	-104(%rsp), %rcx
-	movq	%rcx, 16(%rax)
-	movq	-96(%rsp), %rdx
-	movq	%rdx, 24(%rax)
-	movq	-88(%rsp), %r14
-	movq	%r14, 32(%rax)
-	movq	-80(%rsp), %r13
-	movq	%r13, 40(%rax)
-	movq	-72(%rsp), %r12
-	movq	%r12, 48(%rax)
-	movq	-64(%rsp), %r11
-	movq	%r11, 56(%rax)
-	movq	-56(%rsp), %r10
-	movq	%r10, 64(%rax)
-	movq	-48(%rsp), %r9
-	movq	%r9, 72(%rax)
-	movq	-40(%rsp), %r8
-	movq	%r8, 80(%rax)
-	movq	-32(%rsp), %rdi
-	movq	%rdi, 88(%rax)
-	movq	-24(%rsp), %rsi
-	movq	%rsi, 96(%rax)
-	movq	-16(%rsp), %rbx
-	movq	%rbx, 104(%rax)
-	movq	-8(%rsp), %rcx
-	movq	%rcx, 112(%rax)
-	movq	(%rsp), %rdx
-	movq	%rdx, 120(%rax)
-	movl	8(%rbp), %edx
-	testl	%edx, %edx
-	je	.L192
-	leal	-1(%rdx), %ecx
-	movq	16(%rbp), %rsi
-	mov	%ecx, %r14d
-	cmpq	$0, (%rsi,%r14,8)
-	jne	.L190
-	movl	%ecx, %edx
-	.align 16
-.L191:
-	testl	%edx, %edx
-	movl	%edx, %ecx
-	je	.L195
-	decl	%edx
-	mov	%edx, %r9d
-	cmpq	$0, (%rsi,%r9,8)
-	je	.L191
-	movl	%ecx, 8(%rbp)
-	movl	%ecx, %edx
-.L190:
-	testl	%edx, %edx
-	je	.L192
-	movl	(%rbp), %eax
-	movl	%eax, (%rbp)
-	addq	$8, %rsp
-	popq	%rbx
-	popq	%rbp
-	popq	%r12
-	popq	%r13
-	popq	%r14
-	ret
-.L195:
-	movl	%edx, 8(%rbp)
-	.align 16
-.L192:
-	xorl	%eax, %eax
-	movl	%eax, (%rbp)
-	addq	$8, %rsp
-	popq	%rbx
-	popq	%rbp
-	popq	%r12
-	popq	%r13
-	popq	%r14
-	ret
-.LFE7:
-	.size	s_mp_sqr_comba_8, .-s_mp_sqr_comba_8
-	.align 16
-.globl s_mp_sqr_comba_16
-	.type	s_mp_sqr_comba_16, @function
-s_mp_sqr_comba_16:
-.LFB8:
-	pushq	%rbp
-.LCFI25:
-	xorl	%r9d, %r9d
-	movq	%r9, %r8
-	movq	%r9, %r11
-	movq	%rsp, %rbp
-.LCFI26:
-	pushq	%r14
-.LCFI27:
-	movq	%rsi, %r14
-	movq	%r9, %rsi
-	pushq	%r13
-.LCFI28:
-	movq	%r9, %r13
-	pushq	%r12
-.LCFI29:
-	movq	%r9, %r12
-	pushq	%rbx
-.LCFI30:
-	movq	%r9, %rbx
-	subq	$256, %rsp
-.LCFI31:
-	movq	16(%rdi), %rcx
-/APP
-	movq  (%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r8     
-	adcq  %rdx,%rbx     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r8, -288(%rbp)
-/APP
-	movq  (%rcx),%rax     
-	mulq  8(%rcx)           
-	addq  %rax,%rbx     
-	adcq  %rdx,%rsi     
-	adcq  $0,%r12        
-	addq  %rax,%rbx     
-	adcq  %rdx,%rsi     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%rbx, -280(%rbp)
-/APP
-	movq  (%rcx),%rax     
-	mulq  16(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r12     
-	adcq  $0,%r13        
-	addq  %rax,%rsi     
-	adcq  %rdx,%r12     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%r12, %rbx
-	movq	%r13, %r10
-/APP
-	movq  8(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%rsi     
-	adcq  %rdx,%rbx     
-	adcq  $0,%r10        
-	
-/NO_APP
-	movq	%rsi, -272(%rbp)
-	movq	%r10, %rdi
-	movq	%r9, %rsi
-	movq	%rbx, %r10
-/APP
-	movq  (%rcx),%rax     
-	mulq  24(%rcx)           
-	addq  %rax,%r10     
-	adcq  %rdx,%rdi     
-	adcq  $0,%r11        
-	addq  %rax,%r10     
-	adcq  %rdx,%rdi     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rdi, %r12
-	movq	%r11, %rbx
-	movq	%r9, %rdi
-/APP
-	movq  8(%rcx),%rax     
-	mulq  16(%rcx)           
-	addq  %rax,%r10     
-	adcq  %rdx,%r12     
-	adcq  $0,%rbx        
-	addq  %rax,%r10     
-	adcq  %rdx,%r12     
-	adcq  $0,%rbx        
-	
-/NO_APP
-	movq	%r9, %r11
-	movq	%r10, -264(%rbp)
-	movq	%rbx, %r8
-	movq	%r12, %r13
-	movq	%r9, %r12
-/APP
-	movq  (%rcx),%rax     
-	mulq  32(%rcx)           
-	addq  %rax,%r13     
-	adcq  %rdx,%r8     
-	adcq  $0,%r12        
-	addq  %rax,%r13     
-	adcq  %rdx,%r8     
-	adcq  $0,%r12        
-	
-	movq  8(%rcx),%rax     
-	mulq  24(%rcx)           
-	addq  %rax,%r13     
-	adcq  %rdx,%r8     
-	adcq  $0,%r12        
-	addq  %rax,%r13     
-	adcq  %rdx,%r8     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r8, %rbx
-	movq	%r12, %r10
-	movq	%r9, %r8
-/APP
-	movq  16(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r13     
-	adcq  %rdx,%rbx     
-	adcq  $0,%r10        
-	
-/NO_APP
-	movq	%r13, -256(%rbp)
-/APP
-	movq  (%rcx),%rax     
-	mulq  40(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  8(%rcx),%rax     
-	mulq  32(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  24(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	addq %r8,%rbx         
-	adcq %rdi,%r10         
-	adcq %rsi,%r11         
-	addq %r8,%rbx         
-	adcq %rdi,%r10         
-	adcq %rsi,%r11         
-	
-/NO_APP
-	movq	%rbx, -248(%rbp)
-/APP
-	movq  (%rcx),%rax     
-	mulq  48(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  8(%rcx),%rax     
-	mulq  40(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  32(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r9, %rax
-	movq	%rdi, %r13
-	movq	%rsi, %r12
-/APP
-	addq %r8,%r10         
-	adcq %r13,%r11         
-	adcq %r12,%rax         
-	addq %r8,%r10         
-	adcq %r13,%r11         
-	adcq %r12,%rax         
-	
-/NO_APP
-	movq	%rax, %rdx
-	movq	%r11, %rbx
-	movq	%r13, %rdi
-	movq	%rdx, %r11
-	movq	%r12, %rsi
-/APP
-	movq  24(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r10     
-	adcq  %rdx,%rbx     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%r10, -240(%rbp)
-	movq	%r11, %r10
-/APP
-	movq  (%rcx),%rax     
-	mulq  56(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  8(%rcx),%rax     
-	mulq  48(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  40(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  24(%rcx),%rax     
-	mulq  32(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r9, %rdx
-/APP
-	addq %r8,%rbx         
-	adcq %rdi,%r10         
-	adcq %rsi,%rdx         
-	addq %r8,%rbx         
-	adcq %rdi,%r10         
-	adcq %rsi,%rdx         
-	
-/NO_APP
-	movq	%rdx, %r11
-	movq	%rbx, -232(%rbp)
-	movq	%r9, %rbx
-/APP
-	movq  (%rcx),%rax     
-	mulq  64(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  8(%rcx),%rax     
-	mulq  56(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  48(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  24(%rcx),%rax     
-	mulq  40(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r13
-	movq	%rsi, %r12
-/APP
-	addq %r8,%r10         
-	adcq %r13,%r11         
-	adcq %r12,%rbx         
-	addq %r8,%r10         
-	adcq %r13,%r11         
-	adcq %r12,%rbx         
-	
-	movq  32(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r10     
-	adcq  %rdx,%r11     
-	adcq  $0,%rbx        
-	
-/NO_APP
-	movq	%r13, %rdi
-	movq	%r10, -224(%rbp)
-	movq	%r12, %rsi
-	movq	%rbx, %r10
-	movq	%r9, %r12
-/APP
-	movq  (%rcx),%rax     
-	mulq  72(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  8(%rcx),%rax     
-	mulq  64(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  56(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  24(%rcx),%rax     
-	mulq  48(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  32(%rcx),%rax     
-	mulq  40(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	addq %r8,%r11         
-	adcq %rdi,%r10         
-	adcq %rsi,%r12         
-	addq %r8,%r11         
-	adcq %rdi,%r10         
-	adcq %rsi,%r12         
-	
-/NO_APP
-	movq	%r11, -216(%rbp)
-	movq	%r12, %rbx
-/APP
-	movq  (%rcx),%rax     
-	mulq  80(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  8(%rcx),%rax     
-	mulq  72(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  64(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  24(%rcx),%rax     
-	mulq  56(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  32(%rcx),%rax     
-	mulq  48(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r9, %rax
-	movq	%rdi, %r13
-	movq	%rsi, %r12
-/APP
-	addq %r8,%r10         
-	adcq %r13,%rbx         
-	adcq %r12,%rax         
-	addq %r8,%r10         
-	adcq %r13,%rbx         
-	adcq %r12,%rax         
-	
-/NO_APP
-	movq	%rax, %rdx
-	movq	%rbx, %r11
-	movq	%r13, %rdi
-	movq	%rdx, %rbx
-	movq	%r12, %rsi
-/APP
-	movq  40(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r10     
-	adcq  %rdx,%r11     
-	adcq  $0,%rbx        
-	
-/NO_APP
-	movq	%r10, -208(%rbp)
-	movq	%rbx, %r10
-/APP
-	movq  (%rcx),%rax     
-	mulq  88(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  8(%rcx),%rax     
-	mulq  80(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  72(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  24(%rcx),%rax     
-	mulq  64(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  32(%rcx),%rax     
-	mulq  56(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  40(%rcx),%rax     
-	mulq  48(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r9, %rdx
-/APP
-	addq %r8,%r11         
-	adcq %rdi,%r10         
-	adcq %rsi,%rdx         
-	addq %r8,%r11         
-	adcq %rdi,%r10         
-	adcq %rsi,%rdx         
-	
-/NO_APP
-	movq	%rdx, %r13
-	movq	%r11, -200(%rbp)
-	movq	%r13, %r12
-/APP
-	movq  (%rcx),%rax     
-	mulq  96(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  8(%rcx),%rax     
-	mulq  88(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  80(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  24(%rcx),%rax     
-	mulq  72(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  32(%rcx),%rax     
-	mulq  64(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  40(%rcx),%rax     
-	mulq  56(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r9, %rax
-	movq	%rdi, %rdx
-	movq	%rsi, %r11
-/APP
-	addq %r8,%r10         
-	adcq %rdx,%r12         
-	adcq %r11,%rax         
-	addq %r8,%r10         
-	adcq %rdx,%r12         
-	adcq %r11,%rax         
-	
-/NO_APP
-	movq	%rdx, %rbx
-	movq	%rax, %r13
-	movq	%r11, %rsi
-/APP
-	movq  48(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r10     
-	adcq  %rdx,%r12     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%rbx, %rdi
-	movq	%r10, -192(%rbp)
-	movq	%r13, %r10
-/APP
-	movq  (%rcx),%rax     
-	mulq  104(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-/NO_APP
-	movq	%r9, %r13
-/APP
-	movq  8(%rcx),%rax     
-	mulq  96(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  88(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  24(%rcx),%rax     
-	mulq  80(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  32(%rcx),%rax     
-	mulq  72(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  40(%rcx),%rax     
-	mulq  64(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  48(%rcx),%rax     
-	mulq  56(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	addq %r8,%r12         
-	adcq %rdi,%r10         
-	adcq %rsi,%r13         
-	addq %r8,%r12         
-	adcq %rdi,%r10         
-	adcq %rsi,%r13         
-	
-/NO_APP
-	movq	%r12, -184(%rbp)
-	movq	%r13, %r12
-/APP
-	movq  (%rcx),%rax     
-	mulq  112(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  8(%rcx),%rax     
-	mulq  104(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  96(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  24(%rcx),%rax     
-	mulq  88(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  32(%rcx),%rax     
-	mulq  80(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  40(%rcx),%rax     
-	mulq  72(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  48(%rcx),%rax     
-	mulq  64(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r9, %rax
-	movq	%rdi, %rbx
-	movq	%rsi, %rdx
-/APP
-	addq %r8,%r10         
-	adcq %rbx,%r12         
-	adcq %rdx,%rax         
-	addq %r8,%r10         
-	adcq %rbx,%r12         
-	adcq %rdx,%rax         
-	
-/NO_APP
-	movq	%rdx, %r11
-	movq	%rax, %r13
-	movq	%rbx, %rdi
-/APP
-	movq  56(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r10     
-	adcq  %rdx,%r12     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%r11, %rsi
-	movq	%r10, -176(%rbp)
-	movq	%r13, %r10
-/APP
-	movq  (%rcx),%rax     
-	mulq  120(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-/NO_APP
-	movq	%r9, %r13
-/APP
-	movq  8(%rcx),%rax     
-	mulq  112(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  104(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  24(%rcx),%rax     
-	mulq  96(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  32(%rcx),%rax     
-	mulq  88(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  40(%rcx),%rax     
-	mulq  80(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  48(%rcx),%rax     
-	mulq  72(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  56(%rcx),%rax     
-	mulq  64(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	addq %r8,%r12         
-	adcq %rdi,%r10         
-	adcq %rsi,%r13         
-	addq %r8,%r12         
-	adcq %rdi,%r10         
-	adcq %rsi,%r13         
-	
-/NO_APP
-	movq	%r12, -168(%rbp)
-	movq	%r13, %r12
-/APP
-	movq  8(%rcx),%rax     
-	mulq  120(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  112(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  24(%rcx),%rax     
-	mulq  104(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  32(%rcx),%rax     
-	mulq  96(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  40(%rcx),%rax     
-	mulq  88(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  48(%rcx),%rax     
-	mulq  80(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  56(%rcx),%rax     
-	mulq  72(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r9, %rax
-	movq	%rdi, %rbx
-	movq	%rsi, %rdx
-/APP
-	addq %r8,%r10         
-	adcq %rbx,%r12         
-	adcq %rdx,%rax         
-	addq %r8,%r10         
-	adcq %rbx,%r12         
-	adcq %rdx,%rax         
-	
-/NO_APP
-	movq	%rdx, %r11
-	movq	%rax, %r13
-	movq	%rbx, %rdi
-/APP
-	movq  64(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r10     
-	adcq  %rdx,%r12     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%r11, %rsi
-	movq	%r10, -160(%rbp)
-	movq	%r9, %r11
-/APP
-	movq  16(%rcx),%rax     
-	mulq  120(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-/NO_APP
-	movq	%r13, %r10
-	movq	%r9, %rbx
-/APP
-	movq  24(%rcx),%rax     
-	mulq  112(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  32(%rcx),%rax     
-	mulq  104(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  40(%rcx),%rax     
-	mulq  96(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  48(%rcx),%rax     
-	mulq  88(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  56(%rcx),%rax     
-	mulq  80(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  64(%rcx),%rax     
-	mulq  72(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	addq %r8,%r12         
-	adcq %rdi,%r10         
-	adcq %rsi,%r11         
-	addq %r8,%r12         
-	adcq %rdi,%r10         
-	adcq %rsi,%r11         
-	
-/NO_APP
-	movq	%r12, -152(%rbp)
-/APP
-	movq  24(%rcx),%rax     
-	mulq  120(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  32(%rcx),%rax     
-	mulq  112(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  40(%rcx),%rax     
-	mulq  104(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  48(%rcx),%rax     
-	mulq  96(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  56(%rcx),%rax     
-	mulq  88(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  64(%rcx),%rax     
-	mulq  80(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r13
-	movq	%rsi, %r12
-/APP
-	addq %r8,%r10         
-	adcq %r13,%r11         
-	adcq %r12,%rbx         
-	addq %r8,%r10         
-	adcq %r13,%r11         
-	adcq %r12,%rbx         
-	
-/NO_APP
-	movq	%rbx, %rdx
-	movq	%r13, %rdi
-	movq	%r11, %rbx
-	movq	%r12, %rsi
-	movq	%rdx, %r11
-	movq	%r9, %r12
-/APP
-	movq  72(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r10     
-	adcq  %rdx,%rbx     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%r10, -144(%rbp)
-	movq	%r11, %r10
-/APP
-	movq  32(%rcx),%rax     
-	mulq  120(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  40(%rcx),%rax     
-	mulq  112(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  48(%rcx),%rax     
-	mulq  104(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  56(%rcx),%rax     
-	mulq  96(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  64(%rcx),%rax     
-	mulq  88(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  72(%rcx),%rax     
-	mulq  80(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	addq %r8,%rbx         
-	adcq %rdi,%r10         
-	adcq %rsi,%r12         
-	addq %r8,%rbx         
-	adcq %rdi,%r10         
-	adcq %rsi,%r12         
-	
-/NO_APP
-	movq	%rbx, -136(%rbp)
-	movq	%r12, %r11
-/APP
-	movq  40(%rcx),%rax     
-	mulq  120(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  48(%rcx),%rax     
-	mulq  112(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  56(%rcx),%rax     
-	mulq  104(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  64(%rcx),%rax     
-	mulq  96(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  72(%rcx),%rax     
-	mulq  88(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r9, %rax
-	movq	%rdi, %r13
-	movq	%rsi, %r12
-/APP
-	addq %r8,%r10         
-	adcq %r13,%r11         
-	adcq %r12,%rax         
-	addq %r8,%r10         
-	adcq %r13,%r11         
-	adcq %r12,%rax         
-	
-/NO_APP
-	movq	%rax, %rdx
-	movq	%r11, %rbx
-	movq	%r13, %rdi
-	movq	%rdx, %r11
-	movq	%r12, %rsi
-/APP
-	movq  80(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r10     
-	adcq  %rdx,%rbx     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%r10, -128(%rbp)
-	movq	%r11, %r10
-/APP
-	movq  48(%rcx),%rax     
-	mulq  120(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  56(%rcx),%rax     
-	mulq  112(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  64(%rcx),%rax     
-	mulq  104(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  72(%rcx),%rax     
-	mulq  96(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  80(%rcx),%rax     
-	mulq  88(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r9, %rdx
-/APP
-	addq %r8,%rbx         
-	adcq %rdi,%r10         
-	adcq %rsi,%rdx         
-	addq %r8,%rbx         
-	adcq %rdi,%r10         
-	adcq %rsi,%rdx         
-	
-/NO_APP
-	movq	%rbx, -120(%rbp)
-	movq	%rdx, %r11
-	movq	%r9, %rbx
-/APP
-	movq  56(%rcx),%rax     
-	mulq  120(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  64(%rcx),%rax     
-	mulq  112(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  72(%rcx),%rax     
-	mulq  104(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  80(%rcx),%rax     
-	mulq  96(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r13
-	movq	%rsi, %r12
-/APP
-	addq %r8,%r10         
-	adcq %r13,%r11         
-	adcq %r12,%rbx         
-	addq %r8,%r10         
-	adcq %r13,%r11         
-	adcq %r12,%rbx         
-	
-/NO_APP
-	movq	%rbx, %rdx
-	movq	%r13, %rdi
-	movq	%r11, %rbx
-	movq	%r12, %rsi
-	movq	%rdx, %r11
-	movq	%r9, %r12
-/APP
-	movq  88(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r10     
-	adcq  %rdx,%rbx     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%r10, -112(%rbp)
-	movq	%r11, %r10
-/APP
-	movq  64(%rcx),%rax     
-	mulq  120(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  72(%rcx),%rax     
-	mulq  112(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  80(%rcx),%rax     
-	mulq  104(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  88(%rcx),%rax     
-	mulq  96(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	addq %r8,%rbx         
-	adcq %rdi,%r10         
-	adcq %rsi,%r12         
-	addq %r8,%rbx         
-	adcq %rdi,%r10         
-	adcq %rsi,%r12         
-	
-/NO_APP
-	movq	%rbx, -104(%rbp)
-	movq	%r12, %r11
-/APP
-	movq  72(%rcx),%rax     
-	mulq  120(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  80(%rcx),%rax     
-	mulq  112(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  88(%rcx),%rax     
-	mulq  104(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r9, %rax
-	movq	%rdi, %r13
-	movq	%rsi, %r12
-/APP
-	addq %r8,%r10         
-	adcq %r13,%r11         
-	adcq %r12,%rax         
-	addq %r8,%r10         
-	adcq %r13,%r11         
-	adcq %r12,%rax         
-	
-/NO_APP
-	movq	%rax, %rdx
-	movq	%r11, %rbx
-	movq	%r13, %rdi
-	movq	%rdx, %r11
-	movq	%r12, %rsi
-/APP
-	movq  96(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r10     
-	adcq  %rdx,%rbx     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%r10, -96(%rbp)
-	movq	%r9, %r10
-/APP
-	movq  80(%rcx),%rax     
-	mulq  120(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  88(%rcx),%rax     
-	mulq  112(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  96(%rcx),%rax     
-	mulq  104(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r12
-	movq	%rsi, %rax
-	movq	%r9, %rsi
-/APP
-	addq %r8,%rbx         
-	adcq %r12,%r11         
-	adcq %rax,%r10         
-	addq %r8,%rbx         
-	adcq %r12,%r11         
-	adcq %rax,%r10         
-	
-/NO_APP
-	movq	%r9, %r12
-	movq	%rbx, -88(%rbp)
-	movq	%r11, %r13
-	movq	%r10, %r11
-/APP
-	movq  88(%rcx),%rax     
-	mulq  120(%rcx)           
-	addq  %rax,%r13     
-	adcq  %rdx,%r11     
-	adcq  $0,%r12        
-	addq  %rax,%r13     
-	adcq  %rdx,%r11     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r12, %rdi
-/APP
-	movq  96(%rcx),%rax     
-	mulq  112(%rcx)           
-	addq  %rax,%r13     
-	adcq  %rdx,%r11     
-	adcq  $0,%rdi        
-	addq  %rax,%r13     
-	adcq  %rdx,%r11     
-	adcq  $0,%rdi        
-	
-/NO_APP
-	movq	%r11, %rbx
-	movq	%rdi, %r10
-	movq	%r9, %r11
-/APP
-	movq  104(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r13     
-	adcq  %rdx,%rbx     
-	adcq  $0,%r10        
-	
-/NO_APP
-	movq	%r13, -80(%rbp)
-	movq	%r10, %r8
-	movq	%rbx, %r10
-/APP
-	movq  96(%rcx),%rax     
-	mulq  120(%rcx)           
-	addq  %rax,%r10     
-	adcq  %rdx,%r8     
-	adcq  $0,%rsi        
-	addq  %rax,%r10     
-	adcq  %rdx,%r8     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r8, %r12
-	movq	%rsi, %rbx
-/APP
-	movq  104(%rcx),%rax     
-	mulq  112(%rcx)           
-	addq  %rax,%r10     
-	adcq  %rdx,%r12     
-	adcq  $0,%rbx        
-	addq  %rax,%r10     
-	adcq  %rdx,%r12     
-	adcq  $0,%rbx        
-	
-/NO_APP
-	movq	%r10, -72(%rbp)
-	movq	%rbx, %r13
-	movq	%r12, %rbx
-/APP
-	movq  104(%rcx),%rax     
-	mulq  120(%rcx)           
-	addq  %rax,%rbx     
-	adcq  %rdx,%r13     
-	adcq  $0,%r11        
-	addq  %rax,%rbx     
-	adcq  %rdx,%r13     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%r11, %r12
-	movq	%r13, %r10
-/APP
-	movq  112(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%rbx     
-	adcq  %rdx,%r10     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%rbx, -64(%rbp)
-	movq	%r10, %rdi
-	movq	%r9, %rbx
-	movq	%r12, %rsi
-/APP
-	movq  112(%rcx),%rax     
-	mulq  120(%rcx)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%rsi     
-	adcq  $0,%rbx        
-	addq  %rax,%rdi     
-	adcq  %rdx,%rsi     
-	adcq  $0,%rbx        
-	
-/NO_APP
-	movq	%rdi, -56(%rbp)
-	movq	%rbx, %r8
-/APP
-	movq  120(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%r9        
-	
-/NO_APP
-	movq	%rsi, -48(%rbp)
-	movq	16(%r14), %rdi
-	leaq	-288(%rbp), %rsi
-	movl	$256, %edx
-	movq	%r8, -40(%rbp)
-	movl	$32, 8(%r14)
-	movl	$0, (%r14)
-	call	memcpy@PLT
-	movl	8(%r14), %edx
-	testl	%edx, %edx
-	je	.L232
-	leal	-1(%rdx), %ecx
-	movq	16(%r14), %rsi
-	mov	%ecx, %r9d
-	cmpq	$0, (%rsi,%r9,8)
-	jne	.L230
-	movl	%ecx, %edx
-	.align 16
-.L231:
-	testl	%edx, %edx
-	movl	%edx, %ecx
-	je	.L235
-	decl	%edx
-	mov	%edx, %eax
-	cmpq	$0, (%rsi,%rax,8)
-	je	.L231
-	movl	%ecx, 8(%r14)
-	movl	%ecx, %edx
-.L230:
-	testl	%edx, %edx
-	je	.L232
-	movl	(%r14), %eax
-	movl	%eax, (%r14)
-	addq	$256, %rsp
-	popq	%rbx
-	popq	%r12
-	popq	%r13
-	popq	%r14
-	leave
-	ret
-.L235:
-	movl	%edx, 8(%r14)
-	.align 16
-.L232:
-	xorl	%eax, %eax
-	movl	%eax, (%r14)
-	addq	$256, %rsp
-	popq	%rbx
-	popq	%r12
-	popq	%r13
-	popq	%r14
-	leave
-	ret
-.LFE8:
-	.size	s_mp_sqr_comba_16, .-s_mp_sqr_comba_16
-	.align 16
-.globl s_mp_sqr_comba_32
-	.type	s_mp_sqr_comba_32, @function
-s_mp_sqr_comba_32:
-.LFB9:
-	pushq	%rbp
-.LCFI32:
-	xorl	%r10d, %r10d
-	movq	%r10, %r8
-	movq	%r10, %r11
-	movq	%rsp, %rbp
-.LCFI33:
-	pushq	%r14
-.LCFI34:
-	movq	%rsi, %r14
-	movq	%r10, %rsi
-	pushq	%r13
-.LCFI35:
-	movq	%r10, %r13
-	pushq	%r12
-.LCFI36:
-	movq	%r10, %r12
-	pushq	%rbx
-.LCFI37:
-	movq	%r10, %rbx
-	subq	$512, %rsp
-.LCFI38:
-	movq	16(%rdi), %rcx
-/APP
-	movq  (%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r8     
-	adcq  %rdx,%rbx     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r8, -544(%rbp)
-/APP
-	movq  (%rcx),%rax     
-	mulq  8(%rcx)           
-	addq  %rax,%rbx     
-	adcq  %rdx,%rsi     
-	adcq  $0,%r12        
-	addq  %rax,%rbx     
-	adcq  %rdx,%rsi     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%rbx, -536(%rbp)
-/APP
-	movq  (%rcx),%rax     
-	mulq  16(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r12     
-	adcq  $0,%r13        
-	addq  %rax,%rsi     
-	adcq  %rdx,%r12     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%r12, %rbx
-	movq	%r13, %r9
-/APP
-	movq  8(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%rsi     
-	adcq  %rdx,%rbx     
-	adcq  $0,%r9        
-	
-/NO_APP
-	movq	%rsi, -528(%rbp)
-	movq	%r9, %rdi
-	movq	%r10, %rsi
-	movq	%rbx, %r9
-/APP
-	movq  (%rcx),%rax     
-	mulq  24(%rcx)           
-	addq  %rax,%r9     
-	adcq  %rdx,%rdi     
-	adcq  $0,%r11        
-	addq  %rax,%r9     
-	adcq  %rdx,%rdi     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%rdi, %r12
-	movq	%r11, %r13
-	movq	%r10, %rdi
-/APP
-	movq  8(%rcx),%rax     
-	mulq  16(%rcx)           
-	addq  %rax,%r9     
-	adcq  %rdx,%r12     
-	adcq  $0,%r13        
-	addq  %rax,%r9     
-	adcq  %rdx,%r12     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%r10, %r11
-	movq	%r9, -520(%rbp)
-	movq	%r13, %r8
-	movq	%r12, %r13
-	movq	%r10, %r12
-/APP
-	movq  (%rcx),%rax     
-	mulq  32(%rcx)           
-	addq  %rax,%r13     
-	adcq  %rdx,%r8     
-	adcq  $0,%r12        
-	addq  %rax,%r13     
-	adcq  %rdx,%r8     
-	adcq  $0,%r12        
-	
-	movq  8(%rcx),%rax     
-	mulq  24(%rcx)           
-	addq  %rax,%r13     
-	adcq  %rdx,%r8     
-	adcq  $0,%r12        
-	addq  %rax,%r13     
-	adcq  %rdx,%r8     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r8, %rbx
-	movq	%r12, %r9
-	movq	%r10, %r8
-/APP
-	movq  16(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r13     
-	adcq  %rdx,%rbx     
-	adcq  $0,%r9        
-	
-/NO_APP
-	movq	%r13, -512(%rbp)
-/APP
-	movq  (%rcx),%rax     
-	mulq  40(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  8(%rcx),%rax     
-	mulq  32(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  24(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	addq %r8,%rbx         
-	adcq %rdi,%r9         
-	adcq %rsi,%r11         
-	addq %r8,%rbx         
-	adcq %rdi,%r9         
-	adcq %rsi,%r11         
-	
-/NO_APP
-	movq	%rbx, -504(%rbp)
-/APP
-	movq  (%rcx),%rax     
-	mulq  48(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  8(%rcx),%rax     
-	mulq  40(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  32(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r10, %rax
-	movq	%rdi, %r13
-	movq	%rsi, %r12
-/APP
-	addq %r8,%r9         
-	adcq %r13,%r11         
-	adcq %r12,%rax         
-	addq %r8,%r9         
-	adcq %r13,%r11         
-	adcq %r12,%rax         
-	
-/NO_APP
-	movq	%rax, %rdx
-	movq	%r11, %rbx
-	movq	%r13, %rdi
-	movq	%rdx, %r11
-	movq	%r12, %rsi
-/APP
-	movq  24(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r9     
-	adcq  %rdx,%rbx     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%r9, -496(%rbp)
-	movq	%r11, %r9
-/APP
-	movq  (%rcx),%rax     
-	mulq  56(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  8(%rcx),%rax     
-	mulq  48(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  40(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  24(%rcx),%rax     
-	mulq  32(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r10, %rdx
-/APP
-	addq %r8,%rbx         
-	adcq %rdi,%r9         
-	adcq %rsi,%rdx         
-	addq %r8,%rbx         
-	adcq %rdi,%r9         
-	adcq %rsi,%rdx         
-	
-/NO_APP
-	movq	%rdx, %r11
-	movq	%rbx, -488(%rbp)
-	movq	%r10, %rbx
-/APP
-	movq  (%rcx),%rax     
-	mulq  64(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  8(%rcx),%rax     
-	mulq  56(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  48(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  24(%rcx),%rax     
-	mulq  40(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r13
-	movq	%rsi, %r12
-/APP
-	addq %r8,%r9         
-	adcq %r13,%r11         
-	adcq %r12,%rbx         
-	addq %r8,%r9         
-	adcq %r13,%r11         
-	adcq %r12,%rbx         
-	
-	movq  32(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r9     
-	adcq  %rdx,%r11     
-	adcq  $0,%rbx        
-	
-/NO_APP
-	movq	%r13, %rdi
-	movq	%r9, -480(%rbp)
-	movq	%r12, %rsi
-	movq	%rbx, %r9
-	movq	%r10, %r12
-/APP
-	movq  (%rcx),%rax     
-	mulq  72(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  8(%rcx),%rax     
-	mulq  64(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  56(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  24(%rcx),%rax     
-	mulq  48(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  32(%rcx),%rax     
-	mulq  40(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	addq %r8,%r11         
-	adcq %rdi,%r9         
-	adcq %rsi,%r12         
-	addq %r8,%r11         
-	adcq %rdi,%r9         
-	adcq %rsi,%r12         
-	
-/NO_APP
-	movq	%r11, -472(%rbp)
-	movq	%r12, %rbx
-/APP
-	movq  (%rcx),%rax     
-	mulq  80(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  8(%rcx),%rax     
-	mulq  72(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  64(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  24(%rcx),%rax     
-	mulq  56(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  32(%rcx),%rax     
-	mulq  48(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r10, %rax
-	movq	%rdi, %r13
-	movq	%rsi, %r12
-/APP
-	addq %r8,%r9         
-	adcq %r13,%rbx         
-	adcq %r12,%rax         
-	addq %r8,%r9         
-	adcq %r13,%rbx         
-	adcq %r12,%rax         
-	
-/NO_APP
-	movq	%rax, %rdx
-	movq	%rbx, %r11
-	movq	%r13, %rdi
-	movq	%rdx, %rbx
-	movq	%r12, %rsi
-/APP
-	movq  40(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r9     
-	adcq  %rdx,%r11     
-	adcq  $0,%rbx        
-	
-/NO_APP
-	movq	%r9, -464(%rbp)
-	movq	%rbx, %r9
-/APP
-	movq  (%rcx),%rax     
-	mulq  88(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  8(%rcx),%rax     
-	mulq  80(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  72(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  24(%rcx),%rax     
-	mulq  64(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  32(%rcx),%rax     
-	mulq  56(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  40(%rcx),%rax     
-	mulq  48(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r10, %rdx
-/APP
-	addq %r8,%r11         
-	adcq %rdi,%r9         
-	adcq %rsi,%rdx         
-	addq %r8,%r11         
-	adcq %rdi,%r9         
-	adcq %rsi,%rdx         
-	
-/NO_APP
-	movq	%rdx, %r13
-	movq	%r11, -456(%rbp)
-	movq	%r13, %r12
-	movq	%r10, %r13
-/APP
-	movq  (%rcx),%rax     
-	mulq  96(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  8(%rcx),%rax     
-	mulq  88(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  80(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  24(%rcx),%rax     
-	mulq  72(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  32(%rcx),%rax     
-	mulq  64(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  40(%rcx),%rax     
-	mulq  56(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %rax
-	movq	%rsi, %r11
-/APP
-	addq %r8,%r9         
-	adcq %rax,%r12         
-	adcq %r11,%r13         
-	addq %r8,%r9         
-	adcq %rax,%r12         
-	adcq %r11,%r13         
-	
-/NO_APP
-	movq	%rax, %rbx
-	movq	%r11, %rsi
-/APP
-	movq  48(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r9     
-	adcq  %rdx,%r12     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%rbx, %rdi
-	movq	%r9, -448(%rbp)
-	movq	%r13, %r9
-/APP
-	movq  (%rcx),%rax     
-	mulq  104(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-/NO_APP
-	movq	%r10, %r13
-/APP
-	movq  8(%rcx),%rax     
-	mulq  96(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  88(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  24(%rcx),%rax     
-	mulq  80(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  32(%rcx),%rax     
-	mulq  72(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  40(%rcx),%rax     
-	mulq  64(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  48(%rcx),%rax     
-	mulq  56(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	addq %r8,%r12         
-	adcq %rdi,%r9         
-	adcq %rsi,%r13         
-	addq %r8,%r12         
-	adcq %rdi,%r9         
-	adcq %rsi,%r13         
-	
-/NO_APP
-	movq	%r12, -440(%rbp)
-	movq	%r10, %r12
-/APP
-	movq  (%rcx),%rax     
-	mulq  112(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  8(%rcx),%rax     
-	mulq  104(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  96(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  24(%rcx),%rax     
-	mulq  88(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  32(%rcx),%rax     
-	mulq  80(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  40(%rcx),%rax     
-	mulq  72(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  48(%rcx),%rax     
-	mulq  64(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r13, %rdx
-	movq	%rdi, %rbx
-	movq	%rsi, %r13
-/APP
-	addq %r8,%r9         
-	adcq %rbx,%rdx         
-	adcq %r13,%r12         
-	addq %r8,%r9         
-	adcq %rbx,%rdx         
-	adcq %r13,%r12         
-	
-/NO_APP
-	movq	%r12, %rax
-	movq	%r13, %r11
-	movq	%rdx, %r12
-	movq	%rax, %r13
-	movq	%rbx, %rdi
-	movq	%r11, %rsi
-/APP
-	movq  56(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r9     
-	adcq  %rdx,%r12     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%r9, -432(%rbp)
-	movq	%r13, %r9
-	movq	%r10, %r13
-/APP
-	movq  (%rcx),%rax     
-	mulq  120(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  8(%rcx),%rax     
-	mulq  112(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  104(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  24(%rcx),%rax     
-	mulq  96(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  32(%rcx),%rax     
-	mulq  88(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  40(%rcx),%rax     
-	mulq  80(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  48(%rcx),%rax     
-	mulq  72(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  56(%rcx),%rax     
-	mulq  64(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r8, %rax
-	movq	%rdi, %rdx
-	movq	%rsi, %rbx
-/APP
-	addq %rax,%r12         
-	adcq %rdx,%r9         
-	adcq %rbx,%r13         
-	addq %rax,%r12         
-	adcq %rdx,%r9         
-	adcq %rbx,%r13         
-	
-/NO_APP
-	movq	%r12, -424(%rbp)
-	movq	%rdx, %r8
-	movq	%rax, %rsi
-	movq	%rbx, %rdi
-	movq	%r13, %r12
-	movq	%r10, %r13
-/APP
-	movq  (%rcx),%rax     
-	mulq  128(%rcx)           
-	movq  %rax,%rsi     
-	movq  %rdx,%r8     
-	xorq  %rdi,%rdi        
-	
-	movq  8(%rcx),%rax     
-	mulq  120(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  16(%rcx),%rax     
-	mulq  112(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  24(%rcx),%rax     
-	mulq  104(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  32(%rcx),%rax     
-	mulq  96(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  40(%rcx),%rax     
-	mulq  88(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  48(%rcx),%rax     
-	mulq  80(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  56(%rcx),%rax     
-	mulq  72(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-/NO_APP
-	movq	%rsi, %rax
-	movq	%r8, %rbx
-	movq	%rdi, %rdx
-/APP
-	addq %rax,%r9         
-	adcq %rbx,%r12         
-	adcq %rdx,%r13         
-	addq %rax,%r9         
-	adcq %rbx,%r12         
-	adcq %rdx,%r13         
-	
-/NO_APP
-	movq	%rdx, %r11
-	movq	%rax, %r8
-	movq	%rbx, %rdi
-/APP
-	movq  64(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r9     
-	adcq  %rdx,%r12     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%r11, %rsi
-	movq	%r9, -416(%rbp)
-	movq	%r13, %r9
-/APP
-	movq  (%rcx),%rax     
-	mulq  136(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-/NO_APP
-	movq	%r10, %r13
-/APP
-	movq  8(%rcx),%rax     
-	mulq  128(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  120(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  24(%rcx),%rax     
-	mulq  112(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  32(%rcx),%rax     
-	mulq  104(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  40(%rcx),%rax     
-	mulq  96(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  48(%rcx),%rax     
-	mulq  88(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  56(%rcx),%rax     
-	mulq  80(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  64(%rcx),%rax     
-	mulq  72(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r8, %rbx
-	movq	%rdi, %rax
-	movq	%rsi, %rdx
-/APP
-	addq %rbx,%r12         
-	adcq %rax,%r9         
-	adcq %rdx,%r13         
-	addq %rbx,%r12         
-	adcq %rax,%r9         
-	adcq %rdx,%r13         
-	
-/NO_APP
-	movq	%r12, -408(%rbp)
-	movq	%rdx, %rdi
-	movq	%rax, %r8
-	movq	%rbx, %rsi
-	movq	%r13, %r12
-	movq	%r10, %r13
-/APP
-	movq  (%rcx),%rax     
-	mulq  144(%rcx)           
-	movq  %rax,%rsi     
-	movq  %rdx,%r8     
-	xorq  %rdi,%rdi        
-	
-	movq  8(%rcx),%rax     
-	mulq  136(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  16(%rcx),%rax     
-	mulq  128(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  24(%rcx),%rax     
-	mulq  120(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  32(%rcx),%rax     
-	mulq  112(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  40(%rcx),%rax     
-	mulq  104(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  48(%rcx),%rax     
-	mulq  96(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  56(%rcx),%rax     
-	mulq  88(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  64(%rcx),%rax     
-	mulq  80(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-/NO_APP
-	movq	%rsi, %rax
-	movq	%r8, %rbx
-	movq	%rdi, %rdx
-/APP
-	addq %rax,%r9         
-	adcq %rbx,%r12         
-	adcq %rdx,%r13         
-	addq %rax,%r9         
-	adcq %rbx,%r12         
-	adcq %rdx,%r13         
-	
-/NO_APP
-	movq	%rdx, %r11
-	movq	%rax, %r8
-	movq	%rbx, %rdi
-/APP
-	movq  72(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r9     
-	adcq  %rdx,%r12     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%r11, %rsi
-	movq	%r9, -400(%rbp)
-	movq	%r13, %r9
-/APP
-	movq  (%rcx),%rax     
-	mulq  152(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-/NO_APP
-	movq	%r10, %r13
-/APP
-	movq  8(%rcx),%rax     
-	mulq  144(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  136(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  24(%rcx),%rax     
-	mulq  128(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  32(%rcx),%rax     
-	mulq  120(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  40(%rcx),%rax     
-	mulq  112(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  48(%rcx),%rax     
-	mulq  104(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  56(%rcx),%rax     
-	mulq  96(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  64(%rcx),%rax     
-	mulq  88(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  72(%rcx),%rax     
-	mulq  80(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r8, %rbx
-	movq	%rdi, %rax
-	movq	%rsi, %rdx
-/APP
-	addq %rbx,%r12         
-	adcq %rax,%r9         
-	adcq %rdx,%r13         
-	addq %rbx,%r12         
-	adcq %rax,%r9         
-	adcq %rdx,%r13         
-	
-/NO_APP
-	movq	%r12, -392(%rbp)
-	movq	%rdx, %rdi
-	movq	%rax, %r8
-	movq	%rbx, %rsi
-	movq	%r13, %r12
-	movq	%r10, %r13
-/APP
-	movq  (%rcx),%rax     
-	mulq  160(%rcx)           
-	movq  %rax,%rsi     
-	movq  %rdx,%r8     
-	xorq  %rdi,%rdi        
-	
-	movq  8(%rcx),%rax     
-	mulq  152(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  16(%rcx),%rax     
-	mulq  144(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  24(%rcx),%rax     
-	mulq  136(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  32(%rcx),%rax     
-	mulq  128(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  40(%rcx),%rax     
-	mulq  120(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  48(%rcx),%rax     
-	mulq  112(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  56(%rcx),%rax     
-	mulq  104(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  64(%rcx),%rax     
-	mulq  96(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  72(%rcx),%rax     
-	mulq  88(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-/NO_APP
-	movq	%rsi, %rax
-	movq	%r8, %rbx
-	movq	%rdi, %rdx
-/APP
-	addq %rax,%r9         
-	adcq %rbx,%r12         
-	adcq %rdx,%r13         
-	addq %rax,%r9         
-	adcq %rbx,%r12         
-	adcq %rdx,%r13         
-	
-/NO_APP
-	movq	%rdx, %r11
-	movq	%rax, %r8
-	movq	%rbx, %rdi
-/APP
-	movq  80(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r9     
-	adcq  %rdx,%r12     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%r11, %rsi
-	movq	%r9, -384(%rbp)
-	movq	%r13, %r9
-/APP
-	movq  (%rcx),%rax     
-	mulq  168(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-/NO_APP
-	movq	%r10, %r13
-/APP
-	movq  8(%rcx),%rax     
-	mulq  160(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  152(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  24(%rcx),%rax     
-	mulq  144(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  32(%rcx),%rax     
-	mulq  136(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  40(%rcx),%rax     
-	mulq  128(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  48(%rcx),%rax     
-	mulq  120(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  56(%rcx),%rax     
-	mulq  112(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  64(%rcx),%rax     
-	mulq  104(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  72(%rcx),%rax     
-	mulq  96(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  80(%rcx),%rax     
-	mulq  88(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r8, %rbx
-	movq	%rdi, %rax
-	movq	%rsi, %rdx
-/APP
-	addq %rbx,%r12         
-	adcq %rax,%r9         
-	adcq %rdx,%r13         
-	addq %rbx,%r12         
-	adcq %rax,%r9         
-	adcq %rdx,%r13         
-	
-/NO_APP
-	movq	%r12, -376(%rbp)
-	movq	%rdx, %rdi
-	movq	%rax, %r8
-	movq	%rbx, %rsi
-	movq	%r13, %r12
-	movq	%r10, %r13
-/APP
-	movq  (%rcx),%rax     
-	mulq  176(%rcx)           
-	movq  %rax,%rsi     
-	movq  %rdx,%r8     
-	xorq  %rdi,%rdi        
-	
-	movq  8(%rcx),%rax     
-	mulq  168(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  16(%rcx),%rax     
-	mulq  160(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  24(%rcx),%rax     
-	mulq  152(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  32(%rcx),%rax     
-	mulq  144(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  40(%rcx),%rax     
-	mulq  136(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  48(%rcx),%rax     
-	mulq  128(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  56(%rcx),%rax     
-	mulq  120(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  64(%rcx),%rax     
-	mulq  112(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  72(%rcx),%rax     
-	mulq  104(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  80(%rcx),%rax     
-	mulq  96(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-/NO_APP
-	movq	%rsi, %rax
-	movq	%r8, %rbx
-	movq	%rdi, %rdx
-/APP
-	addq %rax,%r9         
-	adcq %rbx,%r12         
-	adcq %rdx,%r13         
-	addq %rax,%r9         
-	adcq %rbx,%r12         
-	adcq %rdx,%r13         
-	
-/NO_APP
-	movq	%rdx, %r11
-	movq	%rax, %r8
-	movq	%rbx, %rdi
-/APP
-	movq  88(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r9     
-	adcq  %rdx,%r12     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%r11, %rsi
-	movq	%r9, -368(%rbp)
-	movq	%r13, %r9
-/APP
-	movq  (%rcx),%rax     
-	mulq  184(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-/NO_APP
-	movq	%r10, %r13
-/APP
-	movq  8(%rcx),%rax     
-	mulq  176(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  16(%rcx),%rax     
-	mulq  168(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  24(%rcx),%rax     
-	mulq  160(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  32(%rcx),%rax     
-	mulq  152(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  40(%rcx),%rax     
-	mulq  144(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  48(%rcx),%rax     
-	mulq  136(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  56(%rcx),%rax     
-	mulq  128(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  64(%rcx),%rax     
-	mulq  120(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  72(%rcx),%rax     
-	mulq  112(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  80(%rcx),%rax     
-	mulq  104(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  88(%rcx),%rax     
-	mulq  96(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r8, %rbx
-	movq	%rdi, %rax
-	movq	%rsi, %rdx
-/APP
-	addq %rbx,%r12         
-	adcq %rax,%r9         
-	adcq %rdx,%r13         
-	addq %rbx,%r12         
-	adcq %rax,%r9         
-	adcq %rdx,%r13         
-	
-/NO_APP
-	movq	%rdx, %rdi
-	movq	%r12, -360(%rbp)
-	movq	%rax, %r8
-	movq	%rbx, %rsi
-	movq	%r13, %r12
-	movq	%r10, %r13
-/APP
-	movq  (%rcx),%rax     
-	mulq  192(%rcx)           
-	movq  %rax,%rsi     
-	movq  %rdx,%r8     
-	xorq  %rdi,%rdi        
-	
-	movq  8(%rcx),%rax     
-	mulq  184(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  16(%rcx),%rax     
-	mulq  176(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  24(%rcx),%rax     
-	mulq  168(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  32(%rcx),%rax     
-	mulq  160(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  40(%rcx),%rax     
-	mulq  152(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  48(%rcx),%rax     
-	mulq  144(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  56(%rcx),%rax     
-	mulq  136(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  64(%rcx),%rax     
-	mulq  128(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  72(%rcx),%rax     
-	mulq  120(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  80(%rcx),%rax     
-	mulq  112(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  88(%rcx),%rax     
-	mulq  104(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-/NO_APP
-	movq	%r8, %rbx
-	movq	%rdi, %rax
-/APP
-	addq %rsi,%r9         
-	adcq %rbx,%r12         
-	adcq %rax,%r13         
-	addq %rsi,%r9         
-	adcq %rbx,%r12         
-	adcq %rax,%r13         
-	
-/NO_APP
-	movq	%rax, %r11
-	movq	%rbx, %r8
-/APP
-	movq  96(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r9     
-	adcq  %rdx,%r12     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%r11, %rdi
-	movq	%r9, -352(%rbp)
-	movq	%r13, %r9
-/APP
-	movq  (%rcx),%rax     
-	mulq  200(%rcx)           
-	movq  %rax,%rsi     
-	movq  %rdx,%r8     
-	xorq  %rdi,%rdi        
-	
-/NO_APP
-	movq	%r10, %r13
-/APP
-	movq  8(%rcx),%rax     
-	mulq  192(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  16(%rcx),%rax     
-	mulq  184(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  24(%rcx),%rax     
-	mulq  176(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  32(%rcx),%rax     
-	mulq  168(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  40(%rcx),%rax     
-	mulq  160(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  48(%rcx),%rax     
-	mulq  152(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  56(%rcx),%rax     
-	mulq  144(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  64(%rcx),%rax     
-	mulq  136(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  72(%rcx),%rax     
-	mulq  128(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  80(%rcx),%rax     
-	mulq  120(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  88(%rcx),%rax     
-	mulq  112(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  96(%rcx),%rax     
-	mulq  104(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	addq %rsi,%r12         
-	adcq %r8,%r9         
-	adcq %rdi,%r13         
-	addq %rsi,%r12         
-	adcq %r8,%r9         
-	adcq %rdi,%r13         
-	
-/NO_APP
-	movq	%r12, -344(%rbp)
-	movq	%r10, %r12
-/APP
-	movq  (%rcx),%rax     
-	mulq  208(%rcx)           
-	movq  %rax,%rsi     
-	movq  %rdx,%r8     
-	xorq  %rdi,%rdi        
-	
-	movq  8(%rcx),%rax     
-	mulq  200(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  16(%rcx),%rax     
-	mulq  192(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  24(%rcx),%rax     
-	mulq  184(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  32(%rcx),%rax     
-	mulq  176(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  40(%rcx),%rax     
-	mulq  168(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  48(%rcx),%rax     
-	mulq  160(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  56(%rcx),%rax     
-	mulq  152(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  64(%rcx),%rax     
-	mulq  144(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  72(%rcx),%rax     
-	mulq  136(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  80(%rcx),%rax     
-	mulq  128(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  88(%rcx),%rax     
-	mulq  120(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  96(%rcx),%rax     
-	mulq  112(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-/NO_APP
-	movq	%r13, %rdx
-	movq	%r8, %rbx
-	movq	%rdi, %r13
-/APP
-	addq %rsi,%r9         
-	adcq %rbx,%rdx         
-	adcq %r13,%r12         
-	addq %rsi,%r9         
-	adcq %rbx,%rdx         
-	adcq %r13,%r12         
-	
-/NO_APP
-	movq	%r12, %rax
-	movq	%r13, %r11
-	movq	%rdx, %r12
-	movq	%rax, %r13
-	movq	%rbx, %r8
-	movq	%r11, %rdi
-/APP
-	movq  104(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r9     
-	adcq  %rdx,%r12     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%r9, -336(%rbp)
-	movq	%r13, %r9
-	movq	%r10, %r13
-/APP
-	movq  (%rcx),%rax     
-	mulq  216(%rcx)           
-	movq  %rax,%rsi     
-	movq  %rdx,%r8     
-	xorq  %rdi,%rdi        
-	
-	movq  8(%rcx),%rax     
-	mulq  208(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  16(%rcx),%rax     
-	mulq  200(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  24(%rcx),%rax     
-	mulq  192(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  32(%rcx),%rax     
-	mulq  184(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  40(%rcx),%rax     
-	mulq  176(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  48(%rcx),%rax     
-	mulq  168(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  56(%rcx),%rax     
-	mulq  160(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  64(%rcx),%rax     
-	mulq  152(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  72(%rcx),%rax     
-	mulq  144(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  80(%rcx),%rax     
-	mulq  136(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  88(%rcx),%rax     
-	mulq  128(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  96(%rcx),%rax     
-	mulq  120(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  104(%rcx),%rax     
-	mulq  112(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	addq %rsi,%r12         
-	adcq %r8,%r9         
-	adcq %rdi,%r13         
-	addq %rsi,%r12         
-	adcq %r8,%r9         
-	adcq %rdi,%r13         
-	
-/NO_APP
-	movq	%r12, -328(%rbp)
-/APP
-	movq  (%rcx),%rax     
-	mulq  224(%rcx)           
-	movq  %rax,%rsi     
-	movq  %rdx,%r8     
-	xorq  %rdi,%rdi        
-	
-	movq  8(%rcx),%rax     
-	mulq  216(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  16(%rcx),%rax     
-	mulq  208(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  24(%rcx),%rax     
-	mulq  200(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  32(%rcx),%rax     
-	mulq  192(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  40(%rcx),%rax     
-	mulq  184(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  48(%rcx),%rax     
-	mulq  176(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  56(%rcx),%rax     
-	mulq  168(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  64(%rcx),%rax     
-	mulq  160(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  72(%rcx),%rax     
-	mulq  152(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  80(%rcx),%rax     
-	mulq  144(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  88(%rcx),%rax     
-	mulq  136(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  96(%rcx),%rax     
-	mulq  128(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  104(%rcx),%rax     
-	mulq  120(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-/NO_APP
-	movq	%r13, %rax
-	movq	%r10, %rdx
-	movq	%r8, %rbx
-	movq	%rdi, %r12
-/APP
-	addq %rsi,%r9         
-	adcq %rbx,%rax         
-	adcq %r12,%rdx         
-	addq %rsi,%r9         
-	adcq %rbx,%rax         
-	adcq %r12,%rdx         
-	
-/NO_APP
-	movq	%rdx, %rdi
-	movq	%r12, %r11
-	movq	%rbx, %r8
-	movq	%rax, %r12
-	movq	%rdi, %r13
-	movq	%r11, %rdi
-/APP
-	movq  112(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r9     
-	adcq  %rdx,%r12     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%r9, -320(%rbp)
-	movq	%r13, %rbx
-	movq	%r10, %r9
-/APP
-	movq  (%rcx),%rax     
-	mulq  232(%rcx)           
-	movq  %rax,%rsi     
-	movq  %rdx,%r8     
-	xorq  %rdi,%rdi        
-	
-	movq  8(%rcx),%rax     
-	mulq  224(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  16(%rcx),%rax     
-	mulq  216(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  24(%rcx),%rax     
-	mulq  208(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  32(%rcx),%rax     
-	mulq  200(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  40(%rcx),%rax     
-	mulq  192(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  48(%rcx),%rax     
-	mulq  184(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  56(%rcx),%rax     
-	mulq  176(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  64(%rcx),%rax     
-	mulq  168(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  72(%rcx),%rax     
-	mulq  160(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  80(%rcx),%rax     
-	mulq  152(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  88(%rcx),%rax     
-	mulq  144(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  96(%rcx),%rax     
-	mulq  136(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  104(%rcx),%rax     
-	mulq  128(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  112(%rcx),%rax     
-	mulq  120(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	addq %rsi,%r12         
-	adcq %r8,%rbx         
-	adcq %rdi,%r9         
-	addq %rsi,%r12         
-	adcq %r8,%rbx         
-	adcq %rdi,%r9         
-	
-/NO_APP
-	movq	%r12, -312(%rbp)
-	movq	%r9, %r13
-/APP
-	movq  (%rcx),%rax     
-	mulq  240(%rcx)           
-	movq  %rax,%rsi     
-	movq  %rdx,%r8     
-	xorq  %rdi,%rdi        
-	
-	movq  8(%rcx),%rax     
-	mulq  232(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  16(%rcx),%rax     
-	mulq  224(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  24(%rcx),%rax     
-	mulq  216(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  32(%rcx),%rax     
-	mulq  208(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  40(%rcx),%rax     
-	mulq  200(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  48(%rcx),%rax     
-	mulq  192(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  56(%rcx),%rax     
-	mulq  184(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  64(%rcx),%rax     
-	mulq  176(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  72(%rcx),%rax     
-	mulq  168(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  80(%rcx),%rax     
-	mulq  160(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  88(%rcx),%rax     
-	mulq  152(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  96(%rcx),%rax     
-	mulq  144(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  104(%rcx),%rax     
-	mulq  136(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  112(%rcx),%rax     
-	mulq  128(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-/NO_APP
-	movq	%r10, %rax
-	movq	%r8, %r11
-	movq	%rdi, %rdx
-/APP
-	addq %rsi,%rbx         
-	adcq %r11,%r13         
-	adcq %rdx,%rax         
-	addq %rsi,%rbx         
-	adcq %r11,%r13         
-	adcq %rdx,%rax         
-	
-/NO_APP
-	movq	%rdx, %r9
-	movq	%rax, %rdx
-	movq	%r13, %r12
-	movq	%r11, %r8
-	movq	%rdx, %r13
-	movq	%r9, %rdi
-/APP
-	movq  120(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%rbx     
-	adcq  %rdx,%r12     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%rbx, -304(%rbp)
-	movq	%r13, %rbx
-	movq	%r10, %r13
-/APP
-	movq  (%rcx),%rax     
-	mulq  248(%rcx)           
-	movq  %rax,%rsi     
-	movq  %rdx,%r8     
-	xorq  %rdi,%rdi        
-	
-	movq  8(%rcx),%rax     
-	mulq  240(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  16(%rcx),%rax     
-	mulq  232(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  24(%rcx),%rax     
-	mulq  224(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  32(%rcx),%rax     
-	mulq  216(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  40(%rcx),%rax     
-	mulq  208(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  48(%rcx),%rax     
-	mulq  200(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  56(%rcx),%rax     
-	mulq  192(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  64(%rcx),%rax     
-	mulq  184(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  72(%rcx),%rax     
-	mulq  176(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  80(%rcx),%rax     
-	mulq  168(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  88(%rcx),%rax     
-	mulq  160(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  96(%rcx),%rax     
-	mulq  152(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  104(%rcx),%rax     
-	mulq  144(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  112(%rcx),%rax     
-	mulq  136(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  120(%rcx),%rax     
-	mulq  128(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	addq %rsi,%r12         
-	adcq %r8,%rbx         
-	adcq %rdi,%r13         
-	addq %rsi,%r12         
-	adcq %r8,%rbx         
-	adcq %rdi,%r13         
-	
-/NO_APP
-	movq	%r12, -296(%rbp)
-	movq	%r13, %r12
-	movq	%r10, %r13
-/APP
-	movq  8(%rcx),%rax     
-	mulq  248(%rcx)           
-	movq  %rax,%rsi     
-	movq  %rdx,%r8     
-	xorq  %rdi,%rdi        
-	
-	movq  16(%rcx),%rax     
-	mulq  240(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  24(%rcx),%rax     
-	mulq  232(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  32(%rcx),%rax     
-	mulq  224(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  40(%rcx),%rax     
-	mulq  216(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  48(%rcx),%rax     
-	mulq  208(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  56(%rcx),%rax     
-	mulq  200(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  64(%rcx),%rax     
-	mulq  192(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  72(%rcx),%rax     
-	mulq  184(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  80(%rcx),%rax     
-	mulq  176(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  88(%rcx),%rax     
-	mulq  168(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  96(%rcx),%rax     
-	mulq  160(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  104(%rcx),%rax     
-	mulq  152(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  112(%rcx),%rax     
-	mulq  144(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  120(%rcx),%rax     
-	mulq  136(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-/NO_APP
-	movq	%r8, %r11
-	movq	%rdi, %rax
-/APP
-	addq %rsi,%rbx         
-	adcq %r11,%r12         
-	adcq %rax,%r13         
-	addq %rsi,%rbx         
-	adcq %r11,%r12         
-	adcq %rax,%r13         
-	
-/NO_APP
-	movq	%rax, %r9
-	movq	%r11, %r8
-/APP
-	movq  128(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%rbx     
-	adcq  %rdx,%r12     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%r9, %rdi
-	movq	%rbx, -288(%rbp)
-	movq	%r13, %r9
-/APP
-	movq  16(%rcx),%rax     
-	mulq  248(%rcx)           
-	movq  %rax,%rsi     
-	movq  %rdx,%r8     
-	xorq  %rdi,%rdi        
-	
-/NO_APP
-	movq	%r10, %r13
-/APP
-	movq  24(%rcx),%rax     
-	mulq  240(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  32(%rcx),%rax     
-	mulq  232(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  40(%rcx),%rax     
-	mulq  224(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  48(%rcx),%rax     
-	mulq  216(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  56(%rcx),%rax     
-	mulq  208(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  64(%rcx),%rax     
-	mulq  200(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  72(%rcx),%rax     
-	mulq  192(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  80(%rcx),%rax     
-	mulq  184(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  88(%rcx),%rax     
-	mulq  176(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  96(%rcx),%rax     
-	mulq  168(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  104(%rcx),%rax     
-	mulq  160(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  112(%rcx),%rax     
-	mulq  152(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  120(%rcx),%rax     
-	mulq  144(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  128(%rcx),%rax     
-	mulq  136(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	addq %rsi,%r12         
-	adcq %r8,%r9         
-	adcq %rdi,%r13         
-	addq %rsi,%r12         
-	adcq %r8,%r9         
-	adcq %rdi,%r13         
-	
-/NO_APP
-	movq	%r12, -280(%rbp)
-	movq	%r10, %r12
-/APP
-	movq  24(%rcx),%rax     
-	mulq  248(%rcx)           
-	movq  %rax,%rsi     
-	movq  %rdx,%r8     
-	xorq  %rdi,%rdi        
-	
-	movq  32(%rcx),%rax     
-	mulq  240(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  40(%rcx),%rax     
-	mulq  232(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  48(%rcx),%rax     
-	mulq  224(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  56(%rcx),%rax     
-	mulq  216(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  64(%rcx),%rax     
-	mulq  208(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  72(%rcx),%rax     
-	mulq  200(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  80(%rcx),%rax     
-	mulq  192(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  88(%rcx),%rax     
-	mulq  184(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  96(%rcx),%rax     
-	mulq  176(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  104(%rcx),%rax     
-	mulq  168(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  112(%rcx),%rax     
-	mulq  160(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  120(%rcx),%rax     
-	mulq  152(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  128(%rcx),%rax     
-	mulq  144(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-/NO_APP
-	movq	%r13, %rdx
-	movq	%r8, %rbx
-	movq	%rdi, %r13
-/APP
-	addq %rsi,%r9         
-	adcq %rbx,%rdx         
-	adcq %r13,%r12         
-	addq %rsi,%r9         
-	adcq %rbx,%rdx         
-	adcq %r13,%r12         
-	
-/NO_APP
-	movq	%r12, %rax
-	movq	%r13, %r11
-	movq	%rdx, %r12
-	movq	%rax, %r13
-	movq	%rbx, %r8
-	movq	%r11, %rdi
-/APP
-	movq  136(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r9     
-	adcq  %rdx,%r12     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%r9, -272(%rbp)
-	movq	%r13, %r9
-	movq	%r10, %r13
-/APP
-	movq  32(%rcx),%rax     
-	mulq  248(%rcx)           
-	movq  %rax,%rsi     
-	movq  %rdx,%r8     
-	xorq  %rdi,%rdi        
-	
-	movq  40(%rcx),%rax     
-	mulq  240(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  48(%rcx),%rax     
-	mulq  232(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  56(%rcx),%rax     
-	mulq  224(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  64(%rcx),%rax     
-	mulq  216(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  72(%rcx),%rax     
-	mulq  208(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  80(%rcx),%rax     
-	mulq  200(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  88(%rcx),%rax     
-	mulq  192(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  96(%rcx),%rax     
-	mulq  184(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  104(%rcx),%rax     
-	mulq  176(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  112(%rcx),%rax     
-	mulq  168(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  120(%rcx),%rax     
-	mulq  160(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  128(%rcx),%rax     
-	mulq  152(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  136(%rcx),%rax     
-	mulq  144(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	addq %rsi,%r12         
-	adcq %r8,%r9         
-	adcq %rdi,%r13         
-	addq %rsi,%r12         
-	adcq %r8,%r9         
-	adcq %rdi,%r13         
-	
-/NO_APP
-	movq	%r12, -264(%rbp)
-/APP
-	movq  40(%rcx),%rax     
-	mulq  248(%rcx)           
-	movq  %rax,%rsi     
-	movq  %rdx,%r8     
-	xorq  %rdi,%rdi        
-	
-	movq  48(%rcx),%rax     
-	mulq  240(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  56(%rcx),%rax     
-	mulq  232(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  64(%rcx),%rax     
-	mulq  224(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  72(%rcx),%rax     
-	mulq  216(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  80(%rcx),%rax     
-	mulq  208(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  88(%rcx),%rax     
-	mulq  200(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  96(%rcx),%rax     
-	mulq  192(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  104(%rcx),%rax     
-	mulq  184(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  112(%rcx),%rax     
-	mulq  176(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  120(%rcx),%rax     
-	mulq  168(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  128(%rcx),%rax     
-	mulq  160(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  136(%rcx),%rax     
-	mulq  152(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-/NO_APP
-	movq	%r13, %rax
-	movq	%r10, %rdx
-	movq	%r8, %rbx
-	movq	%rdi, %r12
-/APP
-	addq %rsi,%r9         
-	adcq %rbx,%rax         
-	adcq %r12,%rdx         
-	addq %rsi,%r9         
-	adcq %rbx,%rax         
-	adcq %r12,%rdx         
-	
-/NO_APP
-	movq	%rdx, %rdi
-	movq	%r12, %r11
-	movq	%rbx, %r8
-	movq	%rax, %r12
-	movq	%rdi, %r13
-	movq	%r11, %rdi
-/APP
-	movq  144(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r9     
-	adcq  %rdx,%r12     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%r10, %r11
-	movq	%r9, -256(%rbp)
-	movq	%r13, %r9
-/APP
-	movq  48(%rcx),%rax     
-	mulq  248(%rcx)           
-	movq  %rax,%rsi     
-	movq  %rdx,%r8     
-	xorq  %rdi,%rdi        
-	
-	movq  56(%rcx),%rax     
-	mulq  240(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  64(%rcx),%rax     
-	mulq  232(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  72(%rcx),%rax     
-	mulq  224(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  80(%rcx),%rax     
-	mulq  216(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  88(%rcx),%rax     
-	mulq  208(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  96(%rcx),%rax     
-	mulq  200(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  104(%rcx),%rax     
-	mulq  192(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  112(%rcx),%rax     
-	mulq  184(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  120(%rcx),%rax     
-	mulq  176(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  128(%rcx),%rax     
-	mulq  168(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  136(%rcx),%rax     
-	mulq  160(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  144(%rcx),%rax     
-	mulq  152(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	addq %rsi,%r12         
-	adcq %r8,%r9         
-	adcq %rdi,%r11         
-	addq %rsi,%r12         
-	adcq %r8,%r9         
-	adcq %rdi,%r11         
-	
-/NO_APP
-	movq	%r12, -248(%rbp)
-	movq	%r11, %r13
-/APP
-	movq  56(%rcx),%rax     
-	mulq  248(%rcx)           
-	movq  %rax,%rsi     
-	movq  %rdx,%r8     
-	xorq  %rdi,%rdi        
-	
-	movq  64(%rcx),%rax     
-	mulq  240(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  72(%rcx),%rax     
-	mulq  232(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  80(%rcx),%rax     
-	mulq  224(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  88(%rcx),%rax     
-	mulq  216(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  96(%rcx),%rax     
-	mulq  208(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  104(%rcx),%rax     
-	mulq  200(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  112(%rcx),%rax     
-	mulq  192(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  120(%rcx),%rax     
-	mulq  184(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  128(%rcx),%rax     
-	mulq  176(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  136(%rcx),%rax     
-	mulq  168(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  144(%rcx),%rax     
-	mulq  160(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-/NO_APP
-	movq	%r10, %rax
-	movq	%rsi, %rdx
-	movq	%r8, %rbx
-	movq	%rdi, %r12
-/APP
-	addq %rdx,%r9         
-	adcq %rbx,%r13         
-	adcq %r12,%rax         
-	addq %rdx,%r9         
-	adcq %rbx,%r13         
-	adcq %r12,%rax         
-	
-/NO_APP
-	movq	%r12, %r11
-	movq	%rdx, %r8
-	movq	%rax, %rdx
-	movq	%r13, %r12
-	movq	%rbx, %rdi
-	movq	%rdx, %r13
-	movq	%r11, %rsi
-/APP
-	movq  152(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r9     
-	adcq  %rdx,%r12     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%r9, -240(%rbp)
-	movq	%r13, %r9
-	movq	%r10, %r13
-/APP
-	movq  64(%rcx),%rax     
-	mulq  248(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  72(%rcx),%rax     
-	mulq  240(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  80(%rcx),%rax     
-	mulq  232(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  88(%rcx),%rax     
-	mulq  224(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  96(%rcx),%rax     
-	mulq  216(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  104(%rcx),%rax     
-	mulq  208(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  112(%rcx),%rax     
-	mulq  200(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  120(%rcx),%rax     
-	mulq  192(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  128(%rcx),%rax     
-	mulq  184(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  136(%rcx),%rax     
-	mulq  176(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  144(%rcx),%rax     
-	mulq  168(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  152(%rcx),%rax     
-	mulq  160(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r8, %rax
-	movq	%rdi, %rdx
-	movq	%rsi, %rbx
-/APP
-	addq %rax,%r12         
-	adcq %rdx,%r9         
-	adcq %rbx,%r13         
-	addq %rax,%r12         
-	adcq %rdx,%r9         
-	adcq %rbx,%r13         
-	
-/NO_APP
-	movq	%r12, -232(%rbp)
-	movq	%rdx, %r8
-	movq	%rax, %rsi
-	movq	%rbx, %rdi
-	movq	%r13, %r12
-	movq	%r10, %r13
-/APP
-	movq  72(%rcx),%rax     
-	mulq  248(%rcx)           
-	movq  %rax,%rsi     
-	movq  %rdx,%r8     
-	xorq  %rdi,%rdi        
-	
-	movq  80(%rcx),%rax     
-	mulq  240(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  88(%rcx),%rax     
-	mulq  232(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  96(%rcx),%rax     
-	mulq  224(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  104(%rcx),%rax     
-	mulq  216(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  112(%rcx),%rax     
-	mulq  208(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  120(%rcx),%rax     
-	mulq  200(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  128(%rcx),%rax     
-	mulq  192(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  136(%rcx),%rax     
-	mulq  184(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  144(%rcx),%rax     
-	mulq  176(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  152(%rcx),%rax     
-	mulq  168(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-/NO_APP
-	movq	%rsi, %rax
-	movq	%r8, %rbx
-	movq	%rdi, %rdx
-/APP
-	addq %rax,%r9         
-	adcq %rbx,%r12         
-	adcq %rdx,%r13         
-	addq %rax,%r9         
-	adcq %rbx,%r12         
-	adcq %rdx,%r13         
-	
-/NO_APP
-	movq	%rdx, %r11
-	movq	%rax, %r8
-	movq	%rbx, %rdi
-/APP
-	movq  160(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r9     
-	adcq  %rdx,%r12     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%r11, %rsi
-	movq	%r9, -224(%rbp)
-	movq	%r13, %r9
-/APP
-	movq  80(%rcx),%rax     
-	mulq  248(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-/NO_APP
-	movq	%r10, %r13
-/APP
-	movq  88(%rcx),%rax     
-	mulq  240(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  96(%rcx),%rax     
-	mulq  232(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  104(%rcx),%rax     
-	mulq  224(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  112(%rcx),%rax     
-	mulq  216(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  120(%rcx),%rax     
-	mulq  208(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  128(%rcx),%rax     
-	mulq  200(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  136(%rcx),%rax     
-	mulq  192(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  144(%rcx),%rax     
-	mulq  184(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  152(%rcx),%rax     
-	mulq  176(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  160(%rcx),%rax     
-	mulq  168(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r8, %rbx
-	movq	%rdi, %rax
-	movq	%rsi, %rdx
-/APP
-	addq %rbx,%r12         
-	adcq %rax,%r9         
-	adcq %rdx,%r13         
-	addq %rbx,%r12         
-	adcq %rax,%r9         
-	adcq %rdx,%r13         
-	
-/NO_APP
-	movq	%r12, -216(%rbp)
-	movq	%rdx, %rdi
-	movq	%rax, %r8
-	movq	%rbx, %rsi
-	movq	%r13, %r12
-	movq	%r10, %r13
-/APP
-	movq  88(%rcx),%rax     
-	mulq  248(%rcx)           
-	movq  %rax,%rsi     
-	movq  %rdx,%r8     
-	xorq  %rdi,%rdi        
-	
-	movq  96(%rcx),%rax     
-	mulq  240(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  104(%rcx),%rax     
-	mulq  232(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  112(%rcx),%rax     
-	mulq  224(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  120(%rcx),%rax     
-	mulq  216(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  128(%rcx),%rax     
-	mulq  208(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  136(%rcx),%rax     
-	mulq  200(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  144(%rcx),%rax     
-	mulq  192(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  152(%rcx),%rax     
-	mulq  184(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  160(%rcx),%rax     
-	mulq  176(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-/NO_APP
-	movq	%rsi, %rax
-	movq	%r8, %rbx
-	movq	%rdi, %rdx
-/APP
-	addq %rax,%r9         
-	adcq %rbx,%r12         
-	adcq %rdx,%r13         
-	addq %rax,%r9         
-	adcq %rbx,%r12         
-	adcq %rdx,%r13         
-	
-/NO_APP
-	movq	%rdx, %r11
-	movq	%rax, %r8
-	movq	%rbx, %rdi
-/APP
-	movq  168(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r9     
-	adcq  %rdx,%r12     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%r11, %rsi
-	movq	%r9, -208(%rbp)
-	movq	%r13, %r9
-/APP
-	movq  96(%rcx),%rax     
-	mulq  248(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-/NO_APP
-	movq	%r10, %r13
-/APP
-	movq  104(%rcx),%rax     
-	mulq  240(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  112(%rcx),%rax     
-	mulq  232(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  120(%rcx),%rax     
-	mulq  224(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  128(%rcx),%rax     
-	mulq  216(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  136(%rcx),%rax     
-	mulq  208(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  144(%rcx),%rax     
-	mulq  200(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  152(%rcx),%rax     
-	mulq  192(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  160(%rcx),%rax     
-	mulq  184(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  168(%rcx),%rax     
-	mulq  176(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r8, %rbx
-	movq	%rdi, %rax
-	movq	%rsi, %rdx
-/APP
-	addq %rbx,%r12         
-	adcq %rax,%r9         
-	adcq %rdx,%r13         
-	addq %rbx,%r12         
-	adcq %rax,%r9         
-	adcq %rdx,%r13         
-	
-/NO_APP
-	movq	%r12, -200(%rbp)
-	movq	%rdx, %rdi
-	movq	%rax, %r8
-	movq	%rbx, %rsi
-	movq	%r13, %r12
-	movq	%r10, %r13
-/APP
-	movq  104(%rcx),%rax     
-	mulq  248(%rcx)           
-	movq  %rax,%rsi     
-	movq  %rdx,%r8     
-	xorq  %rdi,%rdi        
-	
-	movq  112(%rcx),%rax     
-	mulq  240(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  120(%rcx),%rax     
-	mulq  232(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  128(%rcx),%rax     
-	mulq  224(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  136(%rcx),%rax     
-	mulq  216(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  144(%rcx),%rax     
-	mulq  208(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  152(%rcx),%rax     
-	mulq  200(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  160(%rcx),%rax     
-	mulq  192(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  168(%rcx),%rax     
-	mulq  184(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-/NO_APP
-	movq	%rsi, %rax
-	movq	%r8, %rbx
-	movq	%rdi, %rdx
-/APP
-	addq %rax,%r9         
-	adcq %rbx,%r12         
-	adcq %rdx,%r13         
-	addq %rax,%r9         
-	adcq %rbx,%r12         
-	adcq %rdx,%r13         
-	
-/NO_APP
-	movq	%rdx, %r11
-	movq	%rax, %r8
-	movq	%rbx, %rdi
-/APP
-	movq  176(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r9     
-	adcq  %rdx,%r12     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%r11, %rsi
-	movq	%r9, -192(%rbp)
-	movq	%r13, %r9
-/APP
-	movq  112(%rcx),%rax     
-	mulq  248(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-/NO_APP
-	movq	%r10, %r13
-/APP
-	movq  120(%rcx),%rax     
-	mulq  240(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  128(%rcx),%rax     
-	mulq  232(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  136(%rcx),%rax     
-	mulq  224(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  144(%rcx),%rax     
-	mulq  216(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  152(%rcx),%rax     
-	mulq  208(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  160(%rcx),%rax     
-	mulq  200(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  168(%rcx),%rax     
-	mulq  192(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  176(%rcx),%rax     
-	mulq  184(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r8, %rbx
-	movq	%rdi, %rax
-	movq	%rsi, %rdx
-/APP
-	addq %rbx,%r12         
-	adcq %rax,%r9         
-	adcq %rdx,%r13         
-	addq %rbx,%r12         
-	adcq %rax,%r9         
-	adcq %rdx,%r13         
-	
-/NO_APP
-	movq	%r12, -184(%rbp)
-	movq	%rdx, %rdi
-	movq	%rax, %r8
-	movq	%rbx, %rsi
-	movq	%r13, %r12
-	movq	%r10, %r13
-/APP
-	movq  120(%rcx),%rax     
-	mulq  248(%rcx)           
-	movq  %rax,%rsi     
-	movq  %rdx,%r8     
-	xorq  %rdi,%rdi        
-	
-	movq  128(%rcx),%rax     
-	mulq  240(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  136(%rcx),%rax     
-	mulq  232(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  144(%rcx),%rax     
-	mulq  224(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  152(%rcx),%rax     
-	mulq  216(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  160(%rcx),%rax     
-	mulq  208(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  168(%rcx),%rax     
-	mulq  200(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-	movq  176(%rcx),%rax     
-	mulq  192(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%rdi        
-	
-/NO_APP
-	movq	%rsi, %rax
-	movq	%r8, %rbx
-	movq	%rdi, %rdx
-/APP
-	addq %rax,%r9         
-	adcq %rbx,%r12         
-	adcq %rdx,%r13         
-	addq %rax,%r9         
-	adcq %rbx,%r12         
-	adcq %rdx,%r13         
-	
-/NO_APP
-	movq	%rdx, %r11
-	movq	%rax, %r8
-	movq	%rbx, %rdi
-/APP
-	movq  184(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r9     
-	adcq  %rdx,%r12     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%r11, %rsi
-	movq	%r9, -176(%rbp)
-	movq	%r13, %r9
-/APP
-	movq  128(%rcx),%rax     
-	mulq  248(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-/NO_APP
-	movq	%r10, %r13
-/APP
-	movq  136(%rcx),%rax     
-	mulq  240(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  144(%rcx),%rax     
-	mulq  232(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  152(%rcx),%rax     
-	mulq  224(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  160(%rcx),%rax     
-	mulq  216(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  168(%rcx),%rax     
-	mulq  208(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  176(%rcx),%rax     
-	mulq  200(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  184(%rcx),%rax     
-	mulq  192(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	addq %r8,%r12         
-	adcq %rdi,%r9         
-	adcq %rsi,%r13         
-	addq %r8,%r12         
-	adcq %rdi,%r9         
-	adcq %rsi,%r13         
-	
-/NO_APP
-	movq	%r12, -168(%rbp)
-	movq	%r13, %r12
-	movq	%r10, %r13
-/APP
-	movq  136(%rcx),%rax     
-	mulq  248(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  144(%rcx),%rax     
-	mulq  240(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  152(%rcx),%rax     
-	mulq  232(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  160(%rcx),%rax     
-	mulq  224(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  168(%rcx),%rax     
-	mulq  216(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  176(%rcx),%rax     
-	mulq  208(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  184(%rcx),%rax     
-	mulq  200(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %rbx
-	movq	%rsi, %rax
-/APP
-	addq %r8,%r9         
-	adcq %rbx,%r12         
-	adcq %rax,%r13         
-	addq %r8,%r9         
-	adcq %rbx,%r12         
-	adcq %rax,%r13         
-	
-/NO_APP
-	movq	%rax, %r11
-	movq	%rbx, %rdi
-	movq	%r10, %rbx
-/APP
-	movq  192(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r9     
-	adcq  %rdx,%r12     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%r11, %rsi
-	movq	%r9, -160(%rbp)
-	movq	%r13, %r9
-/APP
-	movq  144(%rcx),%rax     
-	mulq  248(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  152(%rcx),%rax     
-	mulq  240(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  160(%rcx),%rax     
-	mulq  232(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  168(%rcx),%rax     
-	mulq  224(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  176(%rcx),%rax     
-	mulq  216(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  184(%rcx),%rax     
-	mulq  208(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  192(%rcx),%rax     
-	mulq  200(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	addq %r8,%r12         
-	adcq %rdi,%r9         
-	adcq %rsi,%rbx         
-	addq %r8,%r12         
-	adcq %rdi,%r9         
-	adcq %rsi,%rbx         
-	
-/NO_APP
-	movq	%r12, -152(%rbp)
-/APP
-	movq  152(%rcx),%rax     
-	mulq  248(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  160(%rcx),%rax     
-	mulq  240(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  168(%rcx),%rax     
-	mulq  232(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  176(%rcx),%rax     
-	mulq  224(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  184(%rcx),%rax     
-	mulq  216(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  192(%rcx),%rax     
-	mulq  208(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r10, %rdx
-	movq	%rdi, %r13
-	movq	%rsi, %r12
-/APP
-	addq %r8,%r9         
-	adcq %r13,%rbx         
-	adcq %r12,%rdx         
-	addq %r8,%r9         
-	adcq %r13,%rbx         
-	adcq %r12,%rdx         
-	
-/NO_APP
-	movq	%rdx, %rax
-	movq	%r13, %rdi
-	movq	%r12, %rsi
-	movq	%rax, %r11
-	movq	%r10, %r12
-/APP
-	movq  200(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r9     
-	adcq  %rdx,%rbx     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%r9, -144(%rbp)
-	movq	%r11, %r9
-/APP
-	movq  160(%rcx),%rax     
-	mulq  248(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  168(%rcx),%rax     
-	mulq  240(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  176(%rcx),%rax     
-	mulq  232(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  184(%rcx),%rax     
-	mulq  224(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  192(%rcx),%rax     
-	mulq  216(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  200(%rcx),%rax     
-	mulq  208(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	addq %r8,%rbx         
-	adcq %rdi,%r9         
-	adcq %rsi,%r12         
-	addq %r8,%rbx         
-	adcq %rdi,%r9         
-	adcq %rsi,%r12         
-	
-/NO_APP
-	movq	%rbx, -136(%rbp)
-	movq	%r12, %r11
-/APP
-	movq  168(%rcx),%rax     
-	mulq  248(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  176(%rcx),%rax     
-	mulq  240(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  184(%rcx),%rax     
-	mulq  232(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  192(%rcx),%rax     
-	mulq  224(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  200(%rcx),%rax     
-	mulq  216(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r10, %rax
-	movq	%rdi, %r13
-	movq	%rsi, %r12
-/APP
-	addq %r8,%r9         
-	adcq %r13,%r11         
-	adcq %r12,%rax         
-	addq %r8,%r9         
-	adcq %r13,%r11         
-	adcq %r12,%rax         
-	
-/NO_APP
-	movq	%rax, %rdx
-	movq	%r11, %rbx
-	movq	%r13, %rdi
-	movq	%rdx, %r11
-	movq	%r12, %rsi
-/APP
-	movq  208(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r9     
-	adcq  %rdx,%rbx     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%r9, -128(%rbp)
-	movq	%r11, %r9
-/APP
-	movq  176(%rcx),%rax     
-	mulq  248(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  184(%rcx),%rax     
-	mulq  240(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  192(%rcx),%rax     
-	mulq  232(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  200(%rcx),%rax     
-	mulq  224(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  208(%rcx),%rax     
-	mulq  216(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r10, %rdx
-/APP
-	addq %r8,%rbx         
-	adcq %rdi,%r9         
-	adcq %rsi,%rdx         
-	addq %r8,%rbx         
-	adcq %rdi,%r9         
-	adcq %rsi,%rdx         
-	
-/NO_APP
-	movq	%rbx, -120(%rbp)
-	movq	%rdx, %r11
-	movq	%r10, %rbx
-/APP
-	movq  184(%rcx),%rax     
-	mulq  248(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  192(%rcx),%rax     
-	mulq  240(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  200(%rcx),%rax     
-	mulq  232(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  208(%rcx),%rax     
-	mulq  224(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r13
-	movq	%rsi, %r12
-/APP
-	addq %r8,%r9         
-	adcq %r13,%r11         
-	adcq %r12,%rbx         
-	addq %r8,%r9         
-	adcq %r13,%r11         
-	adcq %r12,%rbx         
-	
-/NO_APP
-	movq	%rbx, %rdx
-	movq	%r13, %rdi
-	movq	%r11, %rbx
-	movq	%r12, %rsi
-	movq	%rdx, %r11
-	movq	%r10, %r12
-/APP
-	movq  216(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r9     
-	adcq  %rdx,%rbx     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%r9, -112(%rbp)
-	movq	%r11, %r9
-/APP
-	movq  192(%rcx),%rax     
-	mulq  248(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  200(%rcx),%rax     
-	mulq  240(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  208(%rcx),%rax     
-	mulq  232(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  216(%rcx),%rax     
-	mulq  224(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	addq %r8,%rbx         
-	adcq %rdi,%r9         
-	adcq %rsi,%r12         
-	addq %r8,%rbx         
-	adcq %rdi,%r9         
-	adcq %rsi,%r12         
-	
-/NO_APP
-	movq	%rbx, -104(%rbp)
-	movq	%r12, %r11
-/APP
-	movq  200(%rcx),%rax     
-	mulq  248(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  208(%rcx),%rax     
-	mulq  240(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  216(%rcx),%rax     
-	mulq  232(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%r10, %rax
-	movq	%rdi, %r13
-	movq	%rsi, %r12
-/APP
-	addq %r8,%r9         
-	adcq %r13,%r11         
-	adcq %r12,%rax         
-	addq %r8,%r9         
-	adcq %r13,%r11         
-	adcq %r12,%rax         
-	
-/NO_APP
-	movq	%rax, %rdx
-	movq	%r11, %rbx
-	movq	%r13, %rdi
-	movq	%rdx, %r11
-	movq	%r12, %rsi
-	movq	%r10, %r12
-/APP
-	movq  224(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r9     
-	adcq  %rdx,%rbx     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%r9, -96(%rbp)
-	movq	%r10, %r9
-/APP
-	movq  208(%rcx),%rax     
-	mulq  248(%rcx)           
-	movq  %rax,%r8     
-	movq  %rdx,%rdi     
-	xorq  %rsi,%rsi        
-	
-	movq  216(%rcx),%rax     
-	mulq  240(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-	movq  224(%rcx),%rax     
-	mulq  232(%rcx)           
-	addq  %rax,%r8     
-	adcq  %rdx,%rdi     
-	adcq  $0,%rsi        
-	
-/NO_APP
-	movq	%rdi, %r13
-	movq	%rsi, %rax
-/APP
-	addq %r8,%rbx         
-	adcq %r13,%r11         
-	adcq %rax,%r9         
-	addq %r8,%rbx         
-	adcq %r13,%r11         
-	adcq %rax,%r9         
-	
-/NO_APP
-	movq	%rbx, -88(%rbp)
-	movq	%r11, %rsi
-	movq	%r9, %r8
-/APP
-	movq  216(%rcx),%rax     
-	mulq  248(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%r12        
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%r12, %r11
-/APP
-	movq  224(%rcx),%rax     
-	mulq  240(%rcx)           
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%r11        
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%r11        
-	
-/NO_APP
-	movq	%r8, %r13
-	movq	%r11, %rbx
-/APP
-	movq  232(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%rsi     
-	adcq  %rdx,%r13     
-	adcq  $0,%rbx        
-	
-/NO_APP
-	movq	%rsi, -80(%rbp)
-	movq	%rbx, %r12
-	movq	%r13, %rdi
-	movq	%r10, %r13
-/APP
-	movq  224(%rcx),%rax     
-	mulq  248(%rcx)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%r12     
-	adcq  $0,%r13        
-	addq  %rax,%rdi     
-	adcq  %rdx,%r12     
-	adcq  $0,%r13        
-	
-/NO_APP
-	movq	%r12, %r9
-	movq	%r13, %r12
-/APP
-	movq  232(%rcx),%rax     
-	mulq  240(%rcx)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%r9     
-	adcq  $0,%r12        
-	addq  %rax,%rdi     
-	adcq  %rdx,%r9     
-	adcq  $0,%r12        
-	
-/NO_APP
-	movq	%rdi, -72(%rbp)
-	movq	%r9, %r11
-	movq	%r12, %rbx
-	movq	%r10, %r9
-/APP
-	movq  232(%rcx),%rax     
-	mulq  248(%rcx)           
-	addq  %rax,%r11     
-	adcq  %rdx,%rbx     
-	adcq  $0,%r9        
-	addq  %rax,%r11     
-	adcq  %rdx,%rbx     
-	adcq  $0,%r9        
-	
-/NO_APP
-	movq	%rbx, %r13
-	movq	%r9, %rbx
-	movq	%r10, %r9
-/APP
-	movq  240(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%r11     
-	adcq  %rdx,%r13     
-	adcq  $0,%rbx        
-	
-/NO_APP
-	movq	%r11, -64(%rbp)
-	movq	%r13, %rdi
-	movq	%rbx, %rsi
-/APP
-	movq  240(%rcx),%rax     
-	mulq  248(%rcx)           
-	addq  %rax,%rdi     
-	adcq  %rdx,%rsi     
-	adcq  $0,%r9        
-	addq  %rax,%rdi     
-	adcq  %rdx,%rsi     
-	adcq  $0,%r9        
-	
-/NO_APP
-	movq	%rdi, -56(%rbp)
-	movq	%r9, %r8
-/APP
-	movq  248(%rcx),%rax     
-	mulq  %rax        
-	addq  %rax,%rsi     
-	adcq  %rdx,%r8     
-	adcq  $0,%r10        
-	
-/NO_APP
-	movq	%rsi, -48(%rbp)
-	movq	16(%r14), %rdi
-	leaq	-544(%rbp), %rsi
-	movl	$512, %edx
-	movq	%r8, -40(%rbp)
-	movl	$64, 8(%r14)
-	movl	$0, (%r14)
-	call	memcpy@PLT
-	movl	8(%r14), %edx
-	testl	%edx, %edx
-	je	.L304
-	leal	-1(%rdx), %ecx
-	movq	16(%r14), %rsi
-	mov	%ecx, %r10d
-	cmpq	$0, (%rsi,%r10,8)
-	jne	.L302
-	movl	%ecx, %edx
-	.align 16
-.L303:
-	testl	%edx, %edx
-	movl	%edx, %ecx
-	je	.L307
-	decl	%edx
-	mov	%edx, %eax
-	cmpq	$0, (%rsi,%rax,8)
-	je	.L303
-	movl	%ecx, 8(%r14)
-	movl	%ecx, %edx
-.L302:
-	testl	%edx, %edx
-	je	.L304
-	movl	(%r14), %eax
-	movl	%eax, (%r14)
-	addq	$512, %rsp
-	popq	%rbx
-	popq	%r12
-	popq	%r13
-	popq	%r14
-	leave
-	ret
-.L307:
-	movl	%edx, 8(%r14)
-	.align 16
-.L304:
-	xorl	%eax, %eax
-	movl	%eax, (%r14)
-	addq	$512, %rsp
-	popq	%rbx
-	popq	%r12
-	popq	%r13
-	popq	%r14
-	leave
-	ret
-.LFE9:
-	.size	s_mp_sqr_comba_32, .-s_mp_sqr_comba_32
diff --git a/security/nss/lib/freebl/mpi/mp_gf2m-priv.h b/security/nss/lib/freebl/mpi/mp_gf2m-priv.h
deleted file mode 100644
index f93597d59..000000000
--- a/security/nss/lib/freebl/mpi/mp_gf2m-priv.h
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Multi-precision Binary Polynomial Arithmetic Library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Sheueling Chang Shantz <sheueling.chang@sun.com> and
- *   Douglas Stebila <douglas@stebila.ca> of Sun Laboratories.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef _MP_GF2M_PRIV_H_
-#define _MP_GF2M_PRIV_H_
-
-#include "mpi-priv.h"
-
-extern const mp_digit mp_gf2m_sqr_tb[16];
-
-#if defined(MP_USE_UINT_DIGIT)
-#define MP_DIGIT_BITS 32
-#else
-#define MP_DIGIT_BITS 64
-#endif
-
-/* Platform-specific macros for fast binary polynomial squaring. */
-#if MP_DIGIT_BITS == 32
-#define gf2m_SQR1(w) \
-    mp_gf2m_sqr_tb[(w) >> 28 & 0xF] << 24 | mp_gf2m_sqr_tb[(w) >> 24 & 0xF] << 16 | \
-    mp_gf2m_sqr_tb[(w) >> 20 & 0xF] <<  8 | mp_gf2m_sqr_tb[(w) >> 16 & 0xF]
-#define gf2m_SQR0(w) \
-    mp_gf2m_sqr_tb[(w) >> 12 & 0xF] << 24 | mp_gf2m_sqr_tb[(w) >>  8 & 0xF] << 16 | \
-    mp_gf2m_sqr_tb[(w) >>  4 & 0xF] <<  8 | mp_gf2m_sqr_tb[(w)       & 0xF]
-#else
-#define gf2m_SQR1(w) \
-    mp_gf2m_sqr_tb[(w) >> 60 & 0xF] << 56 | mp_gf2m_sqr_tb[(w) >> 56 & 0xF] << 48 | \
-    mp_gf2m_sqr_tb[(w) >> 52 & 0xF] << 40 | mp_gf2m_sqr_tb[(w) >> 48 & 0xF] << 32 | \
-    mp_gf2m_sqr_tb[(w) >> 44 & 0xF] << 24 | mp_gf2m_sqr_tb[(w) >> 40 & 0xF] << 16 | \
-    mp_gf2m_sqr_tb[(w) >> 36 & 0xF] <<  8 | mp_gf2m_sqr_tb[(w) >> 32 & 0xF]
-#define gf2m_SQR0(w) \
-    mp_gf2m_sqr_tb[(w) >> 28 & 0xF] << 56 | mp_gf2m_sqr_tb[(w) >> 24 & 0xF] << 48 | \
-    mp_gf2m_sqr_tb[(w) >> 20 & 0xF] << 40 | mp_gf2m_sqr_tb[(w) >> 16 & 0xF] << 32 | \
-    mp_gf2m_sqr_tb[(w) >> 12 & 0xF] << 24 | mp_gf2m_sqr_tb[(w) >>  8 & 0xF] << 16 | \
-    mp_gf2m_sqr_tb[(w) >>  4 & 0xF] <<  8 | mp_gf2m_sqr_tb[(w)       & 0xF]
-#endif
-
-/* Multiply two binary polynomials mp_digits a, b.
- * Result is a polynomial with degree < 2 * MP_DIGIT_BITS - 1.
- * Output in two mp_digits rh, rl.
- */
-void s_bmul_1x1(mp_digit *rh, mp_digit *rl, const mp_digit a, const mp_digit b);
-
-/* Compute xor-multiply of two binary polynomials  (a1, a0) x (b1, b0)  
- * result is a binary polynomial in 4 mp_digits r[4].
- * The caller MUST ensure that r has the right amount of space allocated.
- */
-void s_bmul_2x2(mp_digit *r, const mp_digit a1, const mp_digit a0, const mp_digit b1,
-	const mp_digit b0);
-
-/* Compute xor-multiply of two binary polynomials  (a2, a1, a0) x (b2, b1, b0)  
- * result is a binary polynomial in 6 mp_digits r[6].
- * The caller MUST ensure that r has the right amount of space allocated.
- */
-void s_bmul_3x3(mp_digit *r, const mp_digit a2, const mp_digit a1, const mp_digit a0, 
-	const mp_digit b2, const mp_digit b1, const mp_digit b0);
-
-/* Compute xor-multiply of two binary polynomials  (a3, a2, a1, a0) x (b3, b2, b1, b0)  
- * result is a binary polynomial in 8 mp_digits r[8].
- * The caller MUST ensure that r has the right amount of space allocated.
- */
-void s_bmul_4x4(mp_digit *r, const mp_digit a3, const mp_digit a2, const mp_digit a1, 
-	const mp_digit a0, const mp_digit b3, const mp_digit b2, const mp_digit b1, 
-	const mp_digit b0);
-
-#endif /* _MP_GF2M_PRIV_H_ */
diff --git a/security/nss/lib/freebl/mpi/mp_gf2m.c b/security/nss/lib/freebl/mpi/mp_gf2m.c
deleted file mode 100644
index 962fdb1fb..000000000
--- a/security/nss/lib/freebl/mpi/mp_gf2m.c
+++ /dev/null
@@ -1,600 +0,0 @@
-/*
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Multi-precision Binary Polynomial Arithmetic Library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Sheueling Chang Shantz <sheueling.chang@sun.com> and
- *   Douglas Stebila <douglas@stebila.ca> of Sun Laboratories.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "mp_gf2m.h"
-#include "mp_gf2m-priv.h"
-#include "mplogic.h"
-#include "mpi-priv.h"
-
-const mp_digit mp_gf2m_sqr_tb[16] =
-{
-      0,     1,     4,     5,    16,    17,    20,    21,
-     64,    65,    68,    69,    80,    81,    84,    85
-};
-
-/* Multiply two binary polynomials mp_digits a, b.
- * Result is a polynomial with degree < 2 * MP_DIGIT_BITS - 1.
- * Output in two mp_digits rh, rl.
- */
-#if MP_DIGIT_BITS == 32
-void 
-s_bmul_1x1(mp_digit *rh, mp_digit *rl, const mp_digit a, const mp_digit b)
-{
-    register mp_digit h, l, s;
-    mp_digit tab[8], top2b = a >> 30; 
-    register mp_digit a1, a2, a4;
-
-    a1 = a & (0x3FFFFFFF); a2 = a1 << 1; a4 = a2 << 1;
-
-    tab[0] =  0; tab[1] = a1;    tab[2] = a2;    tab[3] = a1^a2;
-    tab[4] = a4; tab[5] = a1^a4; tab[6] = a2^a4; tab[7] = a1^a2^a4;
-
-    s = tab[b       & 0x7]; l  = s;
-    s = tab[b >>  3 & 0x7]; l ^= s <<  3; h  = s >> 29;
-    s = tab[b >>  6 & 0x7]; l ^= s <<  6; h ^= s >> 26;
-    s = tab[b >>  9 & 0x7]; l ^= s <<  9; h ^= s >> 23;
-    s = tab[b >> 12 & 0x7]; l ^= s << 12; h ^= s >> 20;
-    s = tab[b >> 15 & 0x7]; l ^= s << 15; h ^= s >> 17;
-    s = tab[b >> 18 & 0x7]; l ^= s << 18; h ^= s >> 14;
-    s = tab[b >> 21 & 0x7]; l ^= s << 21; h ^= s >> 11;
-    s = tab[b >> 24 & 0x7]; l ^= s << 24; h ^= s >>  8;
-    s = tab[b >> 27 & 0x7]; l ^= s << 27; h ^= s >>  5;
-    s = tab[b >> 30      ]; l ^= s << 30; h ^= s >>  2;
-
-    /* compensate for the top two bits of a */
-
-    if (top2b & 01) { l ^= b << 30; h ^= b >> 2; } 
-    if (top2b & 02) { l ^= b << 31; h ^= b >> 1; } 
-
-    *rh = h; *rl = l;
-} 
-#else
-void 
-s_bmul_1x1(mp_digit *rh, mp_digit *rl, const mp_digit a, const mp_digit b)
-{
-    register mp_digit h, l, s;
-    mp_digit tab[16], top3b = a >> 61;
-    register mp_digit a1, a2, a4, a8;
-
-    a1 = a & (0x1FFFFFFFFFFFFFFF); a2 = a1 << 1; 
-    a4 = a2 << 1; a8 = a4 << 1;
-    tab[ 0] = 0;     tab[ 1] = a1;       tab[ 2] = a2;       tab[ 3] = a1^a2;
-    tab[ 4] = a4;    tab[ 5] = a1^a4;    tab[ 6] = a2^a4;    tab[ 7] = a1^a2^a4;
-    tab[ 8] = a8;    tab[ 9] = a1^a8;    tab[10] = a2^a8;    tab[11] = a1^a2^a8;
-    tab[12] = a4^a8; tab[13] = a1^a4^a8; tab[14] = a2^a4^a8; tab[15] = a1^a2^a4^a8;
-
-    s = tab[b       & 0xF]; l  = s;
-    s = tab[b >>  4 & 0xF]; l ^= s <<  4; h  = s >> 60;
-    s = tab[b >>  8 & 0xF]; l ^= s <<  8; h ^= s >> 56;
-    s = tab[b >> 12 & 0xF]; l ^= s << 12; h ^= s >> 52;
-    s = tab[b >> 16 & 0xF]; l ^= s << 16; h ^= s >> 48;
-    s = tab[b >> 20 & 0xF]; l ^= s << 20; h ^= s >> 44;
-    s = tab[b >> 24 & 0xF]; l ^= s << 24; h ^= s >> 40;
-    s = tab[b >> 28 & 0xF]; l ^= s << 28; h ^= s >> 36;
-    s = tab[b >> 32 & 0xF]; l ^= s << 32; h ^= s >> 32;
-    s = tab[b >> 36 & 0xF]; l ^= s << 36; h ^= s >> 28;
-    s = tab[b >> 40 & 0xF]; l ^= s << 40; h ^= s >> 24;
-    s = tab[b >> 44 & 0xF]; l ^= s << 44; h ^= s >> 20;
-    s = tab[b >> 48 & 0xF]; l ^= s << 48; h ^= s >> 16;
-    s = tab[b >> 52 & 0xF]; l ^= s << 52; h ^= s >> 12;
-    s = tab[b >> 56 & 0xF]; l ^= s << 56; h ^= s >>  8;
-    s = tab[b >> 60      ]; l ^= s << 60; h ^= s >>  4;
-
-    /* compensate for the top three bits of a */
-
-    if (top3b & 01) { l ^= b << 61; h ^= b >> 3; } 
-    if (top3b & 02) { l ^= b << 62; h ^= b >> 2; } 
-    if (top3b & 04) { l ^= b << 63; h ^= b >> 1; } 
-
-    *rh = h; *rl = l;
-} 
-#endif
-
-/* Compute xor-multiply of two binary polynomials  (a1, a0) x (b1, b0)  
- * result is a binary polynomial in 4 mp_digits r[4].
- * The caller MUST ensure that r has the right amount of space allocated.
- */
-void 
-s_bmul_2x2(mp_digit *r, const mp_digit a1, const mp_digit a0, const mp_digit b1,
-           const mp_digit b0)
-{
-    mp_digit m1, m0;
-    /* r[3] = h1, r[2] = h0; r[1] = l1; r[0] = l0 */
-    s_bmul_1x1(r+3, r+2, a1, b1);
-    s_bmul_1x1(r+1, r, a0, b0);
-    s_bmul_1x1(&m1, &m0, a0 ^ a1, b0 ^ b1);
-    /* Correction on m1 ^= l1 ^ h1; m0 ^= l0 ^ h0; */
-    r[2] ^= m1 ^ r[1] ^ r[3];  /* h0 ^= m1 ^ l1 ^ h1; */
-    r[1]  = r[3] ^ r[2] ^ r[0] ^ m1 ^ m0;  /* l1 ^= l0 ^ h0 ^ m0; */
-}
-
-/* Compute xor-multiply of two binary polynomials  (a2, a1, a0) x (b2, b1, b0)  
- * result is a binary polynomial in 6 mp_digits r[6].
- * The caller MUST ensure that r has the right amount of space allocated.
- */
-void 
-s_bmul_3x3(mp_digit *r, const mp_digit a2, const mp_digit a1, const mp_digit a0, 
-	const mp_digit b2, const mp_digit b1, const mp_digit b0)
-{
-	mp_digit zm[4];
-
-	s_bmul_1x1(r+5, r+4, a2, b2);         /* fill top 2 words */
-	s_bmul_2x2(zm, a1, a2^a0, b1, b2^b0); /* fill middle 4 words */
-	s_bmul_2x2(r, a1, a0, b1, b0);        /* fill bottom 4 words */
-
-	zm[3] ^= r[3];
-	zm[2] ^= r[2]; 
-	zm[1] ^= r[1] ^ r[5];
-	zm[0] ^= r[0] ^ r[4];
-
-	r[5]  ^= zm[3];
-	r[4]  ^= zm[2];
-	r[3]  ^= zm[1];
-	r[2]  ^= zm[0];
-}
-
-/* Compute xor-multiply of two binary polynomials  (a3, a2, a1, a0) x (b3, b2, b1, b0)  
- * result is a binary polynomial in 8 mp_digits r[8].
- * The caller MUST ensure that r has the right amount of space allocated.
- */
-void s_bmul_4x4(mp_digit *r, const mp_digit a3, const mp_digit a2, const mp_digit a1, 
-	const mp_digit a0, const mp_digit b3, const mp_digit b2, const mp_digit b1, 
-	const mp_digit b0)
-{
-	mp_digit zm[4];
-
-	s_bmul_2x2(r+4, a3, a2, b3, b2);            /* fill top 4 words */
-	s_bmul_2x2(zm, a3^a1, a2^a0, b3^b1, b2^b0); /* fill middle 4 words */
-	s_bmul_2x2(r, a1, a0, b1, b0);              /* fill bottom 4 words */
-
-	zm[3] ^= r[3] ^ r[7]; 
-	zm[2] ^= r[2] ^ r[6]; 
-	zm[1] ^= r[1] ^ r[5]; 
-	zm[0] ^= r[0] ^ r[4]; 
-
-	r[5]  ^= zm[3];    
-	r[4]  ^= zm[2];
-	r[3]  ^= zm[1];    
-	r[2]  ^= zm[0];
-}
-
-/* Compute addition of two binary polynomials a and b,
- * store result in c; c could be a or b, a and b could be equal; 
- * c is the bitwise XOR of a and b.
- */
-mp_err
-mp_badd(const mp_int *a, const mp_int *b, mp_int *c)
-{
-    mp_digit *pa, *pb, *pc;
-    mp_size ix;
-    mp_size used_pa, used_pb;
-    mp_err res = MP_OKAY;
-
-    /* Add all digits up to the precision of b.  If b had more
-     * precision than a initially, swap a, b first
-     */
-    if (MP_USED(a) >= MP_USED(b)) {
-        pa = MP_DIGITS(a);
-        pb = MP_DIGITS(b);
-        used_pa = MP_USED(a);
-        used_pb = MP_USED(b);
-    } else {
-        pa = MP_DIGITS(b);
-        pb = MP_DIGITS(a);
-        used_pa = MP_USED(b);
-        used_pb = MP_USED(a);
-    }
-
-    /* Make sure c has enough precision for the output value */
-    MP_CHECKOK( s_mp_pad(c, used_pa) );
-
-    /* Do word-by-word xor */
-    pc = MP_DIGITS(c);
-    for (ix = 0; ix < used_pb; ix++) {
-        (*pc++) = (*pa++) ^ (*pb++);
-    }
-
-    /* Finish the rest of digits until we're actually done */
-    for (; ix < used_pa; ++ix) {
-        *pc++ = *pa++;
-    }
-
-    MP_USED(c) = used_pa;
-    MP_SIGN(c) = ZPOS;
-    s_mp_clamp(c);
-
-CLEANUP:
-    return res;
-} 
-
-#define s_mp_div2(a) MP_CHECKOK( mpl_rsh((a), (a), 1) );
-
-/* Compute binary polynomial multiply d = a * b */
-static void 
-s_bmul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *d)
-{
-    mp_digit a_i, a0b0, a1b1, carry = 0;
-    while (a_len--) {
-        a_i = *a++;
-        s_bmul_1x1(&a1b1, &a0b0, a_i, b);
-        *d++ = a0b0 ^ carry;
-        carry = a1b1;
-    }
-    *d = carry;
-}
-
-/* Compute binary polynomial xor multiply accumulate d ^= a * b */
-static void 
-s_bmul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *d)
-{
-    mp_digit a_i, a0b0, a1b1, carry = 0;
-    while (a_len--) {
-        a_i = *a++;
-        s_bmul_1x1(&a1b1, &a0b0, a_i, b);
-        *d++ ^= a0b0 ^ carry;
-        carry = a1b1;
-    }
-    *d ^= carry;
-}
-
-/* Compute binary polynomial xor multiply c = a * b.  
- * All parameters may be identical.
- */
-mp_err 
-mp_bmul(const mp_int *a, const mp_int *b, mp_int *c)
-{
-    mp_digit *pb, b_i;
-    mp_int tmp;
-    mp_size ib, a_used, b_used;
-    mp_err res = MP_OKAY;
-
-    MP_DIGITS(&tmp) = 0;
-
-    ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
-
-    if (a == c) {
-        MP_CHECKOK( mp_init_copy(&tmp, a) );
-        if (a == b)
-            b = &tmp;
-        a = &tmp;
-    } else if (b == c) {
-        MP_CHECKOK( mp_init_copy(&tmp, b) );
-        b = &tmp;
-    }
-
-    if (MP_USED(a) < MP_USED(b)) {
-        const mp_int *xch = b;      /* switch a and b if b longer */
-        b = a;
-        a = xch;
-    }
-
-    MP_USED(c) = 1; MP_DIGIT(c, 0) = 0;
-    MP_CHECKOK( s_mp_pad(c, USED(a) + USED(b)) );
-
-    pb = MP_DIGITS(b);
-    s_bmul_d(MP_DIGITS(a), MP_USED(a), *pb++, MP_DIGITS(c));
-
-    /* Outer loop:  Digits of b */
-    a_used = MP_USED(a);
-    b_used = MP_USED(b);
-	MP_USED(c) = a_used + b_used;
-    for (ib = 1; ib < b_used; ib++) {
-        b_i = *pb++;
-
-        /* Inner product:  Digits of a */
-        if (b_i)
-            s_bmul_d_add(MP_DIGITS(a), a_used, b_i, MP_DIGITS(c) + ib);
-        else
-            MP_DIGIT(c, ib + a_used) = b_i;
-    }
-
-    s_mp_clamp(c);
-
-    SIGN(c) = ZPOS;
-
-CLEANUP:
-    mp_clear(&tmp);
-    return res;
-}
-
-
-/* Compute modular reduction of a and store result in r.  
- * r could be a. 
- * For modular arithmetic, the irreducible polynomial f(t) is represented 
- * as an array of int[], where f(t) is of the form: 
- *     f(t) = t^p[0] + t^p[1] + ... + t^p[k]
- * where m = p[0] > p[1] > ... > p[k] = 0.
- */
-mp_err
-mp_bmod(const mp_int *a, const unsigned int p[], mp_int *r)
-{
-    int j, k;
-    int n, dN, d0, d1;
-    mp_digit zz, *z, tmp;
-    mp_size used;
-    mp_err res = MP_OKAY;
-
-    /* The algorithm does the reduction in place in r, 
-     * if a != r, copy a into r first so reduction can be done in r
-     */
-    if (a != r) {
-        MP_CHECKOK( mp_copy(a, r) );
-    }
-    z = MP_DIGITS(r);
-
-    /* start reduction */
-    dN = p[0] / MP_DIGIT_BITS;
-    used = MP_USED(r);
-
-    for (j = used - 1; j > dN;) {
-
-        zz = z[j];
-        if (zz == 0) {
-            j--; continue;
-        }
-        z[j] = 0;
-
-        for (k = 1; p[k] > 0; k++) {
-            /* reducing component t^p[k] */
-            n = p[0] - p[k];
-            d0 = n % MP_DIGIT_BITS;  
-            d1 = MP_DIGIT_BITS - d0;
-            n /= MP_DIGIT_BITS;
-            z[j-n] ^= (zz>>d0);
-            if (d0) 
-                z[j-n-1] ^= (zz<<d1);
-        }
-
-        /* reducing component t^0 */
-        n = dN;  
-        d0 = p[0] % MP_DIGIT_BITS;
-        d1 = MP_DIGIT_BITS - d0;
-        z[j-n] ^= (zz >> d0);
-        if (d0) 
-            z[j-n-1] ^= (zz << d1);
-
-    }
-
-    /* final round of reduction */
-    while (j == dN) {
-
-        d0 = p[0] % MP_DIGIT_BITS;
-        zz = z[dN] >> d0;  
-        if (zz == 0) break;
-        d1 = MP_DIGIT_BITS - d0;
-
-        /* clear up the top d1 bits */
-        if (d0) z[dN] = (z[dN] << d1) >> d1; 
-        *z ^= zz; /* reduction t^0 component */
-
-        for (k = 1; p[k] > 0; k++) {
-            /* reducing component t^p[k]*/
-            n = p[k] / MP_DIGIT_BITS;
-            d0 = p[k] % MP_DIGIT_BITS;
-            d1 = MP_DIGIT_BITS - d0;
-            z[n] ^= (zz << d0);
-            tmp = zz >> d1;
-            if (d0 && tmp)
-                z[n+1] ^= tmp;
-        }
-    }
-
-    s_mp_clamp(r);
-CLEANUP:
-    return res;
-}
-
-/* Compute the product of two polynomials a and b, reduce modulo p, 
- * Store the result in r.  r could be a or b; a could be b.
- */
-mp_err 
-mp_bmulmod(const mp_int *a, const mp_int *b, const unsigned int p[], mp_int *r)
-{
-    mp_err res;
-    
-    if (a == b) return mp_bsqrmod(a, p, r);
-    if ((res = mp_bmul(a, b, r) ) != MP_OKAY)
-	return res;
-    return mp_bmod(r, p, r);
-}
-
-/* Compute binary polynomial squaring c = a*a mod p .  
- * Parameter r and a can be identical.
- */
-
-mp_err 
-mp_bsqrmod(const mp_int *a, const unsigned int p[], mp_int *r)
-{
-    mp_digit *pa, *pr, a_i;
-    mp_int tmp;
-    mp_size ia, a_used;
-    mp_err res;
-
-    ARGCHK(a != NULL && r != NULL, MP_BADARG);
-    MP_DIGITS(&tmp) = 0;
-
-    if (a == r) {
-        MP_CHECKOK( mp_init_copy(&tmp, a) );
-        a = &tmp;
-    }
-
-    MP_USED(r) = 1; MP_DIGIT(r, 0) = 0;
-    MP_CHECKOK( s_mp_pad(r, 2*USED(a)) );
-
-    pa = MP_DIGITS(a);
-    pr = MP_DIGITS(r);
-    a_used = MP_USED(a);
-	MP_USED(r) = 2 * a_used;
-
-    for (ia = 0; ia < a_used; ia++) {
-        a_i = *pa++;
-        *pr++ = gf2m_SQR0(a_i);
-        *pr++ = gf2m_SQR1(a_i);
-    }
-
-    MP_CHECKOK( mp_bmod(r, p, r) );
-    s_mp_clamp(r);
-    SIGN(r) = ZPOS;
-
-CLEANUP:
-    mp_clear(&tmp);
-    return res;
-}
-
-/* Compute binary polynomial y/x mod p, y divided by x, reduce modulo p.
- * Store the result in r. r could be x or y, and x could equal y.
- * Uses algorithm Modular_Division_GF(2^m) from 
- *     Chang-Shantz, S.  "From Euclid's GCD to Montgomery Multiplication to 
- *     the Great Divide".
- */
-int 
-mp_bdivmod(const mp_int *y, const mp_int *x, const mp_int *pp, 
-    const unsigned int p[], mp_int *r)
-{
-    mp_int aa, bb, uu;
-    mp_int *a, *b, *u, *v;
-    mp_err res = MP_OKAY;
-
-    MP_DIGITS(&aa) = 0;
-    MP_DIGITS(&bb) = 0;
-    MP_DIGITS(&uu) = 0;
-
-    MP_CHECKOK( mp_init_copy(&aa, x) );
-    MP_CHECKOK( mp_init_copy(&uu, y) );
-    MP_CHECKOK( mp_init_copy(&bb, pp) );
-    MP_CHECKOK( s_mp_pad(r, USED(pp)) );
-    MP_USED(r) = 1; MP_DIGIT(r, 0) = 0;
-
-    a = &aa; b= &bb; u=&uu; v=r;
-    /* reduce x and y mod p */
-    MP_CHECKOK( mp_bmod(a, p, a) );
-    MP_CHECKOK( mp_bmod(u, p, u) );
-
-    while (!mp_isodd(a)) {
-        s_mp_div2(a);
-        if (mp_isodd(u)) {
-            MP_CHECKOK( mp_badd(u, pp, u) );
-        }
-        s_mp_div2(u);
-    }
-
-    do {
-        if (mp_cmp_mag(b, a) > 0) {
-            MP_CHECKOK( mp_badd(b, a, b) );
-            MP_CHECKOK( mp_badd(v, u, v) );
-            do {
-                s_mp_div2(b);
-                if (mp_isodd(v)) {
-                    MP_CHECKOK( mp_badd(v, pp, v) );
-                }
-                s_mp_div2(v);
-            } while (!mp_isodd(b));
-        }
-        else if ((MP_DIGIT(a,0) == 1) && (MP_USED(a) == 1))
-            break;
-        else {
-            MP_CHECKOK( mp_badd(a, b, a) );
-            MP_CHECKOK( mp_badd(u, v, u) );
-            do {
-                s_mp_div2(a);
-                if (mp_isodd(u)) {
-                    MP_CHECKOK( mp_badd(u, pp, u) );
-                }
-                s_mp_div2(u);
-            } while (!mp_isodd(a));
-        }
-    } while (1);
-
-    MP_CHECKOK( mp_copy(u, r) );
-
-CLEANUP:
-    return res;
-
-}
-
-/* Convert the bit-string representation of a polynomial a into an array
- * of integers corresponding to the bits with non-zero coefficient.
- * Up to max elements of the array will be filled.  Return value is total
- * number of coefficients that would be extracted if array was large enough.
- */
-int
-mp_bpoly2arr(const mp_int *a, unsigned int p[], int max)
-{
-    int i, j, k;
-    mp_digit top_bit, mask;
-
-    top_bit = 1;
-    top_bit <<= MP_DIGIT_BIT - 1;
-
-    for (k = 0; k < max; k++) p[k] = 0;
-    k = 0;
-
-    for (i = MP_USED(a) - 1; i >= 0; i--) {
-        mask = top_bit;
-        for (j = MP_DIGIT_BIT - 1; j >= 0; j--) {
-            if (MP_DIGITS(a)[i] & mask) {
-                if (k < max) p[k] = MP_DIGIT_BIT * i + j;
-                k++;
-            }
-            mask >>= 1;
-        }
-    }
-
-    return k;
-}
-
-/* Convert the coefficient array representation of a polynomial to a 
- * bit-string.  The array must be terminated by 0.
- */
-mp_err
-mp_barr2poly(const unsigned int p[], mp_int *a)
-{
-
-    mp_err res = MP_OKAY;
-    int i;
-
-    mp_zero(a);
-    for (i = 0; p[i] > 0; i++) {
-	MP_CHECKOK( mpl_set_bit(a, p[i], 1) );
-    }
-    MP_CHECKOK( mpl_set_bit(a, 0, 1) );
-	
-CLEANUP:
-    return res;
-}
diff --git a/security/nss/lib/freebl/mpi/mp_gf2m.h b/security/nss/lib/freebl/mpi/mp_gf2m.h
deleted file mode 100644
index 1a305f336..000000000
--- a/security/nss/lib/freebl/mpi/mp_gf2m.h
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Multi-precision Binary Polynomial Arithmetic Library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Sheueling Chang Shantz <sheueling.chang@sun.com> and
- *   Douglas Stebila <douglas@stebila.ca> of Sun Laboratories.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef _MP_GF2M_H_
-#define _MP_GF2M_H_
-
-#include "mpi.h"
-
-mp_err mp_badd(const mp_int *a, const mp_int *b, mp_int *c);
-mp_err mp_bmul(const mp_int *a, const mp_int *b, mp_int *c);
-
-/* For modular arithmetic, the irreducible polynomial f(t) is represented 
- * as an array of int[], where f(t) is of the form: 
- *     f(t) = t^p[0] + t^p[1] + ... + t^p[k]
- * where m = p[0] > p[1] > ... > p[k] = 0.
- */
-mp_err mp_bmod(const mp_int *a, const unsigned int p[], mp_int *r);
-mp_err mp_bmulmod(const mp_int *a, const mp_int *b, const unsigned int p[], 
-    mp_int *r);
-mp_err mp_bsqrmod(const mp_int *a, const unsigned int p[], mp_int *r);
-mp_err mp_bdivmod(const mp_int *y, const mp_int *x, const mp_int *pp, 
-    const unsigned int p[], mp_int *r);
-
-int mp_bpoly2arr(const mp_int *a, unsigned int p[], int max);
-mp_err mp_barr2poly(const unsigned int p[], mp_int *a);
-
-#endif /* _MP_GF2M_H_ */
diff --git a/security/nss/lib/freebl/mpi/mpcpucache.c b/security/nss/lib/freebl/mpi/mpcpucache.c
deleted file mode 100644
index 8adbd33c6..000000000
--- a/security/nss/lib/freebl/mpi/mpcpucache.c
+++ /dev/null
@@ -1,773 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Red Hat, Inc
- * Portions created by the Initial Developer are Copyright (C) 2005
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Robert Relyea <rrelyea@redhat.com>
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "mpi.h"
-
-/*
- * This file implements a single function: s_mpi_getProcessorLineSize();
- * s_mpi_getProcessorLineSize() returns the size in bytes of the cache line
- * if a cache exists, or zero if there is no cache. If more than one
- * cache line exists, it should return the smallest line size (which is 
- * usually the L1 cache).
- *
- * mp_modexp uses this information to make sure that private key information
- * isn't being leaked through the cache.
- *
- * Currently the file returns good data for most modern x86 processors, and
- * reasonable data on 64-bit ppc processors. All other processors are assumed
- * to have a cache line size of 32 bytes unless modified by target.mk.
- * 
- */
-
-#if defined(i386) || defined(__i386) || defined(__X86__) || defined (_M_IX86) || defined(__x86_64__) || defined(__x86_64)
-/* X86 processors have special instructions that tell us about the cache */
-#include "string.h"
-
-#if defined(__x86_64__) || defined(__x86_64)
-#define AMD_64 1
-#endif
-
-/* Generic CPUID function */
-#if defined(AMD_64)
-static void cpuid(unsigned long op, unsigned long *eax, 
-	                 unsigned long *ebx, unsigned long *ecx, 
-                         unsigned long *edx)
-{
-	__asm__("cpuid\n\t"
-		: "=a" (*eax),
-		  "=b" (*ebx),
-		  "=c" (*ecx),
-		  "=d" (*edx)
-		: "0" (op));
-}
-#elif !defined(_MSC_VER)
-static void cpuid(unsigned long op, unsigned long *eax, 
-	                 unsigned long *ebx, unsigned long *ecx, 
-                         unsigned long *edx)
-{
-/* sigh GCC isn't smart enough to save the ebx PIC register on it's own
- * in this case, so do it by hand. */
-	__asm__("pushl %%ebx\n\t"
-		  "cpuid\n\t"
-		  "mov %%ebx,%1\n\t"
-		  "popl %%ebx\n\t"
-		: "=a" (*eax),
-		  "=r" (*ebx),
-		  "=c" (*ecx),
-		  "=d" (*edx)
-		: "0" (op));
-}
-
-/*
- * try flipping a processor flag to determine CPU type
- */
-static unsigned long changeFlag(unsigned long flag)
-{
-	unsigned long changedFlags, originalFlags;
-	__asm__("pushfl\n\t"            /* get the flags */
-	        "popl %0\n\t"
-	        "movl %0,%1\n\t"	/* save the original flags */
-	        "xorl %2,%0\n\t" 	/* flip the bit */
-		"pushl %0\n\t"  	/* set the flags */
-	        "popfl\n\t"
-		"pushfl\n\t"		/* get the flags again (for return) */
-		"popl %0\n\t"
-		"pushl %1\n\t"		/* restore the original flags */
-		 "popfl\n\t"
-		: "=r" (changedFlags),
-		  "=r" (originalFlags),
-		  "=r" (flag)
-		: "2" (flag));
-	return changedFlags ^ originalFlags;
-}
-
-#else
-
-/*
- * windows versions of the above assembler
- */
-#define wcpuid __asm __emit 0fh __asm __emit 0a2h
-static void cpuid(unsigned long op,    unsigned long *Reax, 
-    unsigned long *Rebx, unsigned long *Recx, unsigned long *Redx)
-{
-        unsigned long  Leax, Lebx, Lecx, Ledx;
-        __asm {
-        pushad
-        mov     eax,op
-        wcpuid
-        mov     Leax,eax
-        mov     Lebx,ebx
-        mov     Lecx,ecx
-        mov     Ledx,edx
-        popad
-        }
-        *Reax = Leax;
-        *Rebx = Lebx;
-        *Recx = Lecx;
-        *Redx = Ledx;
-}
-
-static unsigned long changeFlag(unsigned long flag)
-{
-	unsigned long changedFlags, originalFlags;
-	__asm {
-		push eax
-		push ebx
-		pushfd 	                /* get the flags */
-	        pop  eax
-		push eax		/* save the flags on the stack */
-	        mov  originalFlags,eax  /* save the original flags */
-		mov  ebx,flag
-	        xor  eax,ebx            /* flip the bit */
-		push eax                /* set the flags */
-	        popfd
-		pushfd                  /* get the flags again (for return) */
-		pop  eax	
-		popfd                   /* restore the original flags */
-		mov changedFlags,eax
-		pop ebx
-		pop eax
-	}
-	return changedFlags ^ originalFlags;
-}
-#endif
-
-#if !defined(AMD_64)
-#define AC_FLAG 0x40000
-#define ID_FLAG 0x200000
-
-/* 386 processors can't flip the AC_FLAG, intel AP Note AP-485 */
-static int is386()
-{
-    return changeFlag(AC_FLAG) == 0;
-}
-
-/* 486 processors can't flip the ID_FLAG, intel AP Note AP-485 */
-static int is486()
-{
-    return changeFlag(ID_FLAG) == 0;
-}
-#endif
-
-
-/*
- * table for Intel Cache.
- * See Intel Application Note AP-485 for more information 
- */
-
-typedef unsigned char CacheTypeEntry;
-
-typedef enum {
-    Cache_NONE    = 0,
-    Cache_UNKNOWN = 1,
-    Cache_TLB     = 2,
-    Cache_TLBi    = 3,
-    Cache_TLBd    = 4,
-    Cache_Trace   = 5,
-    Cache_L1      = 6,
-    Cache_L1i     = 7,
-    Cache_L1d     = 8,
-    Cache_L2      = 9 ,
-    Cache_L2i     = 10 ,
-    Cache_L2d     = 11 ,
-    Cache_L3      = 12 ,
-    Cache_L3i     = 13,
-    Cache_L3d     = 14
-} CacheType;
-
-struct _cache {
-    CacheTypeEntry type;
-    unsigned char lineSize;
-};
-static const struct _cache CacheMap[256] = {
-/* 00 */ {Cache_NONE,    0   },
-/* 01 */ {Cache_TLBi,    0   },
-/* 02 */ {Cache_TLBi,    0   },
-/* 03 */ {Cache_TLBd,    0   },
-/* 04 */ {Cache_TLBd,        },
-/* 05 */ {Cache_UNKNOWN, 0   },
-/* 06 */ {Cache_L1i,     32  },
-/* 07 */ {Cache_UNKNOWN, 0   },
-/* 08 */ {Cache_L1i,     32  },
-/* 09 */ {Cache_UNKNOWN, 0   },
-/* 0a */ {Cache_L1d,     32  },
-/* 0b */ {Cache_UNKNOWN, 0   },
-/* 0c */ {Cache_L1d,     32  },
-/* 0d */ {Cache_UNKNOWN, 0   },
-/* 0e */ {Cache_UNKNOWN, 0   },
-/* 0f */ {Cache_UNKNOWN, 0   },
-/* 10 */ {Cache_UNKNOWN, 0   },
-/* 11 */ {Cache_UNKNOWN, 0   },
-/* 12 */ {Cache_UNKNOWN, 0   },
-/* 13 */ {Cache_UNKNOWN, 0   },
-/* 14 */ {Cache_UNKNOWN, 0   },
-/* 15 */ {Cache_UNKNOWN, 0   },
-/* 16 */ {Cache_UNKNOWN, 0   },
-/* 17 */ {Cache_UNKNOWN, 0   },
-/* 18 */ {Cache_UNKNOWN, 0   },
-/* 19 */ {Cache_UNKNOWN, 0   },
-/* 1a */ {Cache_UNKNOWN, 0   },
-/* 1b */ {Cache_UNKNOWN, 0   },
-/* 1c */ {Cache_UNKNOWN, 0   },
-/* 1d */ {Cache_UNKNOWN, 0   },
-/* 1e */ {Cache_UNKNOWN, 0   },
-/* 1f */ {Cache_UNKNOWN, 0   },
-/* 20 */ {Cache_UNKNOWN, 0   },
-/* 21 */ {Cache_UNKNOWN, 0   },
-/* 22 */ {Cache_L3,      64  },
-/* 23 */ {Cache_L3,      64  },
-/* 24 */ {Cache_UNKNOWN, 0   },
-/* 25 */ {Cache_L3,      64  },
-/* 26 */ {Cache_UNKNOWN, 0   },
-/* 27 */ {Cache_UNKNOWN, 0   },
-/* 28 */ {Cache_UNKNOWN, 0   },
-/* 29 */ {Cache_L3,      64  },
-/* 2a */ {Cache_UNKNOWN, 0   },
-/* 2b */ {Cache_UNKNOWN, 0   },
-/* 2c */ {Cache_L1d,     64  },
-/* 2d */ {Cache_UNKNOWN, 0   },
-/* 2e */ {Cache_UNKNOWN, 0   },
-/* 2f */ {Cache_UNKNOWN, 0   },
-/* 30 */ {Cache_L1i,     64  },
-/* 31 */ {Cache_UNKNOWN, 0   },
-/* 32 */ {Cache_UNKNOWN, 0   },
-/* 33 */ {Cache_UNKNOWN, 0   },
-/* 34 */ {Cache_UNKNOWN, 0   },
-/* 35 */ {Cache_UNKNOWN, 0   },
-/* 36 */ {Cache_UNKNOWN, 0   },
-/* 37 */ {Cache_UNKNOWN, 0   },
-/* 38 */ {Cache_UNKNOWN, 0   },
-/* 39 */ {Cache_L2,      64  },
-/* 3a */ {Cache_UNKNOWN, 0   },
-/* 3b */ {Cache_L2,      64  },
-/* 3c */ {Cache_L2,      64  },
-/* 3d */ {Cache_UNKNOWN, 0   },
-/* 3e */ {Cache_UNKNOWN, 0   },
-/* 3f */ {Cache_UNKNOWN, 0   },
-/* 40 */ {Cache_L2,      0   },
-/* 41 */ {Cache_L2,      32  },
-/* 42 */ {Cache_L2,      32  },
-/* 43 */ {Cache_L2,      32  },
-/* 44 */ {Cache_L2,      32  },
-/* 45 */ {Cache_L2,      32  },
-/* 46 */ {Cache_UNKNOWN, 0   },
-/* 47 */ {Cache_UNKNOWN, 0   },
-/* 48 */ {Cache_UNKNOWN, 0   },
-/* 49 */ {Cache_UNKNOWN, 0   },
-/* 4a */ {Cache_UNKNOWN, 0   },
-/* 4b */ {Cache_UNKNOWN, 0   },
-/* 4c */ {Cache_UNKNOWN, 0   },
-/* 4d */ {Cache_UNKNOWN, 0   },
-/* 4e */ {Cache_UNKNOWN, 0   },
-/* 4f */ {Cache_UNKNOWN, 0   },
-/* 50 */ {Cache_TLBi,    0   },
-/* 51 */ {Cache_TLBi,    0   },
-/* 52 */ {Cache_TLBi,    0   },
-/* 53 */ {Cache_UNKNOWN, 0   },
-/* 54 */ {Cache_UNKNOWN, 0   },
-/* 55 */ {Cache_UNKNOWN, 0   },
-/* 56 */ {Cache_UNKNOWN, 0   },
-/* 57 */ {Cache_UNKNOWN, 0   },
-/* 58 */ {Cache_UNKNOWN, 0   },
-/* 59 */ {Cache_UNKNOWN, 0   },
-/* 5a */ {Cache_UNKNOWN, 0   },
-/* 5b */ {Cache_TLBd,    0   },
-/* 5c */ {Cache_TLBd,    0   },
-/* 5d */ {Cache_TLBd,    0   },
-/* 5e */ {Cache_UNKNOWN, 0   },
-/* 5f */ {Cache_UNKNOWN, 0   },
-/* 60 */ {Cache_UNKNOWN, 0   },
-/* 61 */ {Cache_UNKNOWN, 0   },
-/* 62 */ {Cache_UNKNOWN, 0   },
-/* 63 */ {Cache_UNKNOWN, 0   },
-/* 64 */ {Cache_UNKNOWN, 0   },
-/* 65 */ {Cache_UNKNOWN, 0   },
-/* 66 */ {Cache_L1d,     64  },
-/* 67 */ {Cache_L1d,     64  },
-/* 68 */ {Cache_L1d,     64  },
-/* 69 */ {Cache_UNKNOWN, 0   },
-/* 6a */ {Cache_UNKNOWN, 0   },
-/* 6b */ {Cache_UNKNOWN, 0   },
-/* 6c */ {Cache_UNKNOWN, 0   },
-/* 6d */ {Cache_UNKNOWN, 0   },
-/* 6e */ {Cache_UNKNOWN, 0   },
-/* 6f */ {Cache_UNKNOWN, 0   },
-/* 70 */ {Cache_Trace,   1   },
-/* 71 */ {Cache_Trace,   1   },
-/* 72 */ {Cache_Trace,   1   },
-/* 73 */ {Cache_UNKNOWN, 0   },
-/* 74 */ {Cache_UNKNOWN, 0   },
-/* 75 */ {Cache_UNKNOWN, 0   },
-/* 76 */ {Cache_UNKNOWN, 0   },
-/* 77 */ {Cache_UNKNOWN, 0   },
-/* 78 */ {Cache_UNKNOWN, 0   },
-/* 79 */ {Cache_L2,      64  },
-/* 7a */ {Cache_L2,      64  },
-/* 7b */ {Cache_L2,      64  },
-/* 7c */ {Cache_L2,      64  },
-/* 7d */ {Cache_UNKNOWN, 0   },
-/* 7e */ {Cache_UNKNOWN, 0   },
-/* 7f */ {Cache_UNKNOWN, 0   },
-/* 80 */ {Cache_UNKNOWN, 0   },
-/* 81 */ {Cache_UNKNOWN, 0   },
-/* 82 */ {Cache_L2,      32  },
-/* 83 */ {Cache_L2,      32  },
-/* 84 */ {Cache_L2,      32  },
-/* 85 */ {Cache_L2,      32  },
-/* 86 */ {Cache_L2,      64  },
-/* 87 */ {Cache_L2,      64  },
-/* 88 */ {Cache_UNKNOWN, 0   },
-/* 89 */ {Cache_UNKNOWN, 0   },
-/* 8a */ {Cache_UNKNOWN, 0   },
-/* 8b */ {Cache_UNKNOWN, 0   },
-/* 8c */ {Cache_UNKNOWN, 0   },
-/* 8d */ {Cache_UNKNOWN, 0   },
-/* 8e */ {Cache_UNKNOWN, 0   },
-/* 8f */ {Cache_UNKNOWN, 0   },
-/* 90 */ {Cache_UNKNOWN, 0   },
-/* 91 */ {Cache_UNKNOWN, 0   },
-/* 92 */ {Cache_UNKNOWN, 0   },
-/* 93 */ {Cache_UNKNOWN, 0   },
-/* 94 */ {Cache_UNKNOWN, 0   },
-/* 95 */ {Cache_UNKNOWN, 0   },
-/* 96 */ {Cache_UNKNOWN, 0   },
-/* 97 */ {Cache_UNKNOWN, 0   },
-/* 98 */ {Cache_UNKNOWN, 0   },
-/* 99 */ {Cache_UNKNOWN, 0   },
-/* 9a */ {Cache_UNKNOWN, 0   },
-/* 9b */ {Cache_UNKNOWN, 0   },
-/* 9c */ {Cache_UNKNOWN, 0   },
-/* 9d */ {Cache_UNKNOWN, 0   },
-/* 9e */ {Cache_UNKNOWN, 0   },
-/* 9f */ {Cache_UNKNOWN, 0   },
-/* a0 */ {Cache_UNKNOWN, 0   },
-/* a1 */ {Cache_UNKNOWN, 0   },
-/* a2 */ {Cache_UNKNOWN, 0   },
-/* a3 */ {Cache_UNKNOWN, 0   },
-/* a4 */ {Cache_UNKNOWN, 0   },
-/* a5 */ {Cache_UNKNOWN, 0   },
-/* a6 */ {Cache_UNKNOWN, 0   },
-/* a7 */ {Cache_UNKNOWN, 0   },
-/* a8 */ {Cache_UNKNOWN, 0   },
-/* a9 */ {Cache_UNKNOWN, 0   },
-/* aa */ {Cache_UNKNOWN, 0   },
-/* ab */ {Cache_UNKNOWN, 0   },
-/* ac */ {Cache_UNKNOWN, 0   },
-/* ad */ {Cache_UNKNOWN, 0   },
-/* ae */ {Cache_UNKNOWN, 0   },
-/* af */ {Cache_UNKNOWN, 0   },
-/* b0 */ {Cache_TLBi,    0   },
-/* b1 */ {Cache_UNKNOWN, 0   },
-/* b2 */ {Cache_UNKNOWN, 0   },
-/* b3 */ {Cache_TLBd,    0   },
-/* b4 */ {Cache_UNKNOWN, 0   },
-/* b5 */ {Cache_UNKNOWN, 0   },
-/* b6 */ {Cache_UNKNOWN, 0   },
-/* b7 */ {Cache_UNKNOWN, 0   },
-/* b8 */ {Cache_UNKNOWN, 0   },
-/* b9 */ {Cache_UNKNOWN, 0   },
-/* ba */ {Cache_UNKNOWN, 0   },
-/* bb */ {Cache_UNKNOWN, 0   },
-/* bc */ {Cache_UNKNOWN, 0   },
-/* bd */ {Cache_UNKNOWN, 0   },
-/* be */ {Cache_UNKNOWN, 0   },
-/* bf */ {Cache_UNKNOWN, 0   },
-/* c0 */ {Cache_UNKNOWN, 0   },
-/* c1 */ {Cache_UNKNOWN, 0   },
-/* c2 */ {Cache_UNKNOWN, 0   },
-/* c3 */ {Cache_UNKNOWN, 0   },
-/* c4 */ {Cache_UNKNOWN, 0   },
-/* c5 */ {Cache_UNKNOWN, 0   },
-/* c6 */ {Cache_UNKNOWN, 0   },
-/* c7 */ {Cache_UNKNOWN, 0   },
-/* c8 */ {Cache_UNKNOWN, 0   },
-/* c9 */ {Cache_UNKNOWN, 0   },
-/* ca */ {Cache_UNKNOWN, 0   },
-/* cb */ {Cache_UNKNOWN, 0   },
-/* cc */ {Cache_UNKNOWN, 0   },
-/* cd */ {Cache_UNKNOWN, 0   },
-/* ce */ {Cache_UNKNOWN, 0   },
-/* cf */ {Cache_UNKNOWN, 0   },
-/* d0 */ {Cache_UNKNOWN, 0   },
-/* d1 */ {Cache_UNKNOWN, 0   },
-/* d2 */ {Cache_UNKNOWN, 0   },
-/* d3 */ {Cache_UNKNOWN, 0   },
-/* d4 */ {Cache_UNKNOWN, 0   },
-/* d5 */ {Cache_UNKNOWN, 0   },
-/* d6 */ {Cache_UNKNOWN, 0   },
-/* d7 */ {Cache_UNKNOWN, 0   },
-/* d8 */ {Cache_UNKNOWN, 0   },
-/* d9 */ {Cache_UNKNOWN, 0   },
-/* da */ {Cache_UNKNOWN, 0   },
-/* db */ {Cache_UNKNOWN, 0   },
-/* dc */ {Cache_UNKNOWN, 0   },
-/* dd */ {Cache_UNKNOWN, 0   },
-/* de */ {Cache_UNKNOWN, 0   },
-/* df */ {Cache_UNKNOWN, 0   },
-/* e0 */ {Cache_UNKNOWN, 0   },
-/* e1 */ {Cache_UNKNOWN, 0   },
-/* e2 */ {Cache_UNKNOWN, 0   },
-/* e3 */ {Cache_UNKNOWN, 0   },
-/* e4 */ {Cache_UNKNOWN, 0   },
-/* e5 */ {Cache_UNKNOWN, 0   },
-/* e6 */ {Cache_UNKNOWN, 0   },
-/* e7 */ {Cache_UNKNOWN, 0   },
-/* e8 */ {Cache_UNKNOWN, 0   },
-/* e9 */ {Cache_UNKNOWN, 0   },
-/* ea */ {Cache_UNKNOWN, 0   },
-/* eb */ {Cache_UNKNOWN, 0   },
-/* ec */ {Cache_UNKNOWN, 0   },
-/* ed */ {Cache_UNKNOWN, 0   },
-/* ee */ {Cache_UNKNOWN, 0   },
-/* ef */ {Cache_UNKNOWN, 0   },
-/* f0 */ {Cache_UNKNOWN, 0   },
-/* f1 */ {Cache_UNKNOWN, 0   },
-/* f2 */ {Cache_UNKNOWN, 0   },
-/* f3 */ {Cache_UNKNOWN, 0   },
-/* f4 */ {Cache_UNKNOWN, 0   },
-/* f5 */ {Cache_UNKNOWN, 0   },
-/* f6 */ {Cache_UNKNOWN, 0   },
-/* f7 */ {Cache_UNKNOWN, 0   },
-/* f8 */ {Cache_UNKNOWN, 0   },
-/* f9 */ {Cache_UNKNOWN, 0   },
-/* fa */ {Cache_UNKNOWN, 0   },
-/* fb */ {Cache_UNKNOWN, 0   },
-/* fc */ {Cache_UNKNOWN, 0   },
-/* fd */ {Cache_UNKNOWN, 0   },
-/* fe */ {Cache_UNKNOWN, 0   },
-/* ff */ {Cache_UNKNOWN, 0   }
-};
-
-
-/*
- * use the above table to determine the CacheEntryLineSize.
- */
-static void
-getIntelCacheEntryLineSize(unsigned long val, int *level, 
-						unsigned long *lineSize)
-{
-    CacheType type;
-
-    type = CacheMap[val].type;
-    /* only interested in data caches */
-    /* NOTE val = 0x40 is a special value that means no L2 or L3 cache.
-     * this data check has the side effect of rejecting that entry. If
-     * that wasn't the case, we could have to reject it explicitly */
-    if (CacheMap[val].lineSize == 0) {
-	return;
-    }
-    /* look at the caches, skip types we aren't interested in.
-     * if we already have a value for a lower level cache, skip the
-     * current entry */
-    if ((type == Cache_L1)|| (type == Cache_L1d)) {
-	*level = 1;
-	*lineSize = CacheMap[val].lineSize;
-    } else if ((*level >= 2) && ((type == Cache_L2) || (type == Cache_L2d))) {
-	*level = 2;
-	*lineSize = CacheMap[val].lineSize;
-    } else if ((*level >= 3) && ((type == Cache_L3) || (type == Cache_L3d))) {
-	*level = 3;
-	*lineSize = CacheMap[val].lineSize;
-    }
-    return;
-}
-
-
-static void
-getIntelRegisterCacheLineSize(unsigned long val, 
-			int *level, unsigned long *lineSize)
-{
-    getIntelCacheEntryLineSize(val >> 24 & 0xff, level, lineSize);
-    getIntelCacheEntryLineSize(val >> 16 & 0xff, level, lineSize);
-    getIntelCacheEntryLineSize(val >> 8 & 0xff, level, lineSize);
-    getIntelCacheEntryLineSize(val & 0xff, level, lineSize);
-}
-
-/*
- * returns '0' if no recognized cache is found, or if the cache
- * information is supported by this processor 
- */
-static unsigned long
-getIntelCacheLineSize(int cpuidLevel)
-{
-    int level = 4;
-    unsigned long lineSize = 0;
-    unsigned long eax, ebx, ecx, edx;
-    int repeat, count;
-
-    if (cpuidLevel < 2) {
-	return 0;
-    }
-
-    /* command '2' of the cpuid is intel's cache info call. Each byte of the
-     * 4 registers contain a potential descriptor for the cache. The CacheMap	
-     * table maps the cache entry with the processor cache. Register 'al'
-     * contains a count value that cpuid '2' needs to be called in order to 
-     * find all the cache descriptors. Only registers with the high bit set
-     * to 'zero' have valid descriptors. This code loops through all the
-     * required calls to cpuid '2' and passes any valid descriptors it finds
-     * to the getIntelRegisterCacheLineSize code, which breaks the registers
-     * down into their component descriptors. In the end the lineSize of the
-     * lowest level cache data cache is returned. */
-    cpuid(2, &eax, &ebx, &ecx, &edx);
-    repeat = eax & 0xf;
-    for (count = 0; count < repeat; count++) {
-	if ((eax & 0x80000000) == 0) {
-	    getIntelRegisterCacheLineSize(eax & 0xffffff00, &level, &lineSize);
-	}
-	if ((ebx & 0x80000000) == 0) {
-	    getIntelRegisterCacheLineSize(ebx, &level, &lineSize);
-	}
-	if ((ecx & 0x80000000) == 0) {
-	    getIntelRegisterCacheLineSize(ecx, &level, &lineSize);
-	}
-	if ((edx & 0x80000000) == 0) {
-	    getIntelRegisterCacheLineSize(edx, &level, &lineSize);
-	}
-	if (count+1 != repeat) {
-	    cpuid(2, &eax, &ebx, &ecx, &edx);
-	}
-    }
-    return lineSize;
-}
-
-/*
- * returns '0' if the cache info is not supported by this processor.
- * This is based on the AMD extended cache commands for cpuid. 
- * (see "AMD Processor Recognition Application Note" Publication 20734).
- * Some other processors use the identical scheme.
- * (see "Processor Recognition, Transmeta Corporation").
- */
-static unsigned long
-getOtherCacheLineSize(unsigned long cpuidLevel)
-{
-    unsigned long lineSize = 0;
-    unsigned long eax, ebx, ecx, edx;
-
-    /* get the Extended CPUID level */
-    cpuid(0x80000000, &eax, &ebx, &ecx, &edx);
-    cpuidLevel = eax;
-
-    if (cpuidLevel >= 0x80000005) {
-	cpuid(0x80000005, &eax, &ebx, &ecx, &edx);
-	lineSize = ecx & 0xff; /* line Size, L1 Data Cache */
-    }
-    return lineSize;
-}
-
-static const char * const manMap[] = {
-#define INTEL     0
-    "GenuineIntel",
-#define AMD       1
-    "AuthenticAMD",
-#define CYRIX     2
-    "CyrixInstead",
-#define CENTAUR   2
-    "CentaurHauls",
-#define NEXGEN    3
-    "NexGenDriven",
-#define TRANSMETA 4
-    "GenuineTMx86",
-#define RISE      5
-    "RiseRiseRise",
-#define UMC       6
-    "UMC UMC UMC ",
-#define SIS       7
-    "Sis Sis Sis ",
-#define NATIONAL  8
-    "Geode by NSC",
-};
-
-static const int n_manufacturers = sizeof(manMap)/sizeof(manMap[0]);
-
-#define MAN_UNKNOWN 9
-
-
-unsigned long
-s_mpi_getProcessorLineSize()
-{
-    unsigned long eax, ebx, ecx, edx;
-    unsigned long cpuidLevel;
-    unsigned long cacheLineSize = 0;
-    int manufacturer = MAN_UNKNOWN;
-    int i;
-    char string[65];
-
-#if !defined(AMD_64)
-    if (is386()) {
-	return 0; /* 386 had no cache */
-    } if (is486()) {
-	return 32; /* really? need more info */
-    }
-#endif
-
-    /* Pentium, cpuid command is available */
-    cpuid(0, &eax, &ebx, &ecx, &edx);
-    cpuidLevel = eax;
-    *(int *)string = ebx;
-    *(int *)&string[4] = edx;
-    *(int *)&string[8] = ecx;
-    string[12] = 0;
-
-    manufacturer = MAN_UNKNOWN;
-    for (i=0; i < n_manufacturers; i++) {
-	if ( strcmp(manMap[i],string) == 0) {
-	    manufacturer = i;
-	}
-    }
-
-    if (manufacturer == INTEL) {
-	cacheLineSize = getIntelCacheLineSize(cpuidLevel);
-    } else {
-	cacheLineSize = getOtherCacheLineSize(cpuidLevel);
-    }
-    /* doesn't support cache info based on cpuid. This means
-     * an old pentium class processor, which have cache lines of
-     * 32. If we learn differently, we can use a switch based on
-     * the Manufacturer id  */
-    if (cacheLineSize == 0) {
-	cacheLineSize = 32;
-    }
-    return cacheLineSize;
-}
-#define MPI_GET_PROCESSOR_LINE_SIZE_DEFINED 1
-#endif
-
-#if defined(__ppc64__) 
-/*
- *  Sigh, The PPC has some really nice features to help us determine cache
- *  size, since it had lots of direct control functions to do so. The POWER
- *  processor even has an instruction to do this, but it was dropped in
- *  PowerPC. Unfortunately most of them are not available in user mode.
- *
- *  The dcbz function would be a great way to determine cache line size except
- *  1) it only works on write-back memory (it throws an exception otherwise), 
- *  and 2) because so many mac programs 'knew' the processor cache size was
- *  32 bytes, they used this instruction as a fast 'zero 32 bytes'. Now the new
- *  G5 processor has 128 byte cache, but dcbz only clears 32 bytes to keep
- *  these programs happy. dcbzl work if 64 bit instructions are supported.
- *  If you know 64 bit instructions are supported, and that stack is 
- *  write-back, you can use this code.
- */
-#include "memory.h"
-
-/* clear the cache line that contains 'array' */
-static inline void dcbzl(char *array)
-{
-	register char *a asm("r2") = array;
-	__asm__ __volatile__( "dcbzl %0,r0" : "=r" (a): "0"(a) );
-}
-
-
-#define PPC_DO_ALIGN(x,y) ((char *)\
-			((((long long) (x))+((y)-1))&~((y)-1)))
-
-#define PPC_MAX_LINE_SIZE 256
-unsigned long
-s_mpi_getProcessorLineSize()
-{
-    char testArray[2*PPC_MAX_LINE_SIZE+1];
-    char *test;
-    int i;
-
-    /* align the array on a maximum line size boundary, so we
-     * know we are starting to clear from the first address */
-    test = PPC_DO_ALIGN(testArray, PPC_MAX_LINE_SIZE); 
-    /* set all the values to 1's */
-    memset(test, 0xff, PPC_MAX_LINE_SIZE);
-    /* clear one cache block starting at 'test' */
-    dcbzl(test);
-
-    /* find the size of the cleared area, that's our block size */
-    for (i=PPC_MAX_LINE_SIZE; i != 0; i = i/2) {
-	if (test[i-1] == 0) {
-	    return i;
-	}
-    }
-    return 0;
-}
-
-#define MPI_GET_PROCESSOR_LINE_SIZE_DEFINED 1
-#endif
-
-
-/*
- * put other processor and platform specific cache code here
- * return the smallest cache line size in bytes on the processor 
- * (usually the L1 cache). If the OS has a call, this would be
- * a greate place to put it.
- *
- * If there is no cache, return 0;
- * 
- * define MPI_GET_PROCESSOR_LINE_SIZE_DEFINED so the generic functions
- * below aren't compiled.
- *
- */
-
-
-/* target.mk can define MPI_CACHE_LINE_SIZE if it's common for the family or 
- * OS */
-#if defined(MPI_CACHE_LINE_SIZE) && !defined(MPI_GET_PROCESSOR_LINE_SIZE_DEFINED)
-
-unsigned long
-s_mpi_getProcessorLineSize()
-{
-   return MPI_CACHE_LINE_SIZE;
-}
-#define MPI_GET_PROCESSOR_LINE_SIZE_DEFINED 1
-#endif
-
-
-/* If no way to get the processor cache line size has been defined, assume
- * it's 32 bytes (most common value, does not significantly impact performance)
- */ 
-#ifndef MPI_GET_PROCESSOR_LINE_SIZE_DEFINED
-unsigned long
-s_mpi_getProcessorLineSize()
-{
-   return 32;
-}
-#endif
-
-#ifdef TEST_IT
-#include <stdio.h>
-
-main()
-{
-    printf("line size = %d\n", s_mpi_getProcessorLineSize());
-} 
-#endif
diff --git a/security/nss/lib/freebl/mpi/mpi-config.h b/security/nss/lib/freebl/mpi/mpi-config.h
deleted file mode 100644
index 45d8fc233..000000000
--- a/security/nss/lib/freebl/mpi/mpi-config.h
+++ /dev/null
@@ -1,112 +0,0 @@
-/* Default configuration for MPI library 
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1997
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Netscape Communications Corporation
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#ifndef MPI_CONFIG_H_
-#define MPI_CONFIG_H_
-
-/*
-  For boolean options, 
-  0 = no
-  1 = yes
-
-  Other options are documented individually.
-
- */
-
-#ifndef MP_IOFUNC
-#define MP_IOFUNC     0  /* include mp_print() ?                */
-#endif
-
-#ifndef MP_MODARITH
-#define MP_MODARITH   1  /* include modular arithmetic ?        */
-#endif
-
-#ifndef MP_NUMTH
-#define MP_NUMTH      1  /* include number theoretic functions? */
-#endif
-
-#ifndef MP_LOGTAB
-#define MP_LOGTAB     1  /* use table of logs instead of log()? */
-#endif
-
-#ifndef MP_MEMSET
-#define MP_MEMSET     1  /* use memset() to zero buffers?       */
-#endif
-
-#ifndef MP_MEMCPY
-#define MP_MEMCPY     1  /* use memcpy() to copy buffers?       */
-#endif
-
-#ifndef MP_CRYPTO
-#define MP_CRYPTO     1  /* erase memory on free?               */
-#endif
-
-#ifndef MP_ARGCHK
-/*
-  0 = no parameter checks
-  1 = runtime checks, continue execution and return an error to caller
-  2 = assertions; dump core on parameter errors
- */
-#ifdef DEBUG
-#define MP_ARGCHK     2  /* how to check input arguments        */
-#else
-#define MP_ARGCHK     1  /* how to check input arguments        */
-#endif
-#endif
-
-#ifndef MP_DEBUG
-#define MP_DEBUG      0  /* print diagnostic output?            */
-#endif
-
-#ifndef MP_DEFPREC
-#define MP_DEFPREC    64 /* default precision, in digits        */
-#endif
-
-#ifndef MP_MACRO
-#define MP_MACRO      0  /* use macros for frequent calls?      */
-#endif
-
-#ifndef MP_SQUARE
-#define MP_SQUARE     1  /* use separate squaring code?         */
-#endif
-
-#endif /* ifndef MPI_CONFIG_H_ */
-
-
diff --git a/security/nss/lib/freebl/mpi/mpi-priv.h b/security/nss/lib/freebl/mpi/mpi-priv.h
deleted file mode 100644
index 916edfff4..000000000
--- a/security/nss/lib/freebl/mpi/mpi-priv.h
+++ /dev/null
@@ -1,305 +0,0 @@
-/*
- *  mpi-priv.h	- Private header file for MPI 
- *  Arbitrary precision integer arithmetic library
- *
- *  NOTE WELL: the content of this header file is NOT part of the "public"
- *  API for the MPI library, and may change at any time.  
- *  Application programs that use libmpi should NOT include this header file.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Netscape Communications Corporation
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-#ifndef _MPI_PRIV_H_
-#define _MPI_PRIV_H_ 1
-
-#include "mpi.h"
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-
-#if MP_DEBUG
-#include <stdio.h>
-
-#define DIAG(T,V) {fprintf(stderr,T);mp_print(V,stderr);fputc('\n',stderr);}
-#else
-#define DIAG(T,V)
-#endif
-
-/* If we aren't using a wired-in logarithm table, we need to include
-   the math library to get the log() function
- */
-
-/* {{{ s_logv_2[] - log table for 2 in various bases */
-
-#if MP_LOGTAB
-/*
-  A table of the logs of 2 for various bases (the 0 and 1 entries of
-  this table are meaningless and should not be referenced).  
-
-  This table is used to compute output lengths for the mp_toradix()
-  function.  Since a number n in radix r takes up about log_r(n)
-  digits, we estimate the output size by taking the least integer
-  greater than log_r(n), where:
-
-  log_r(n) = log_2(n) * log_r(2)
-
-  This table, therefore, is a table of log_r(2) for 2 <= r <= 36,
-  which are the output bases supported.  
- */
-
-extern const float s_logv_2[];
-#define LOG_V_2(R)  s_logv_2[(R)]
-
-#else
-
-/* 
-   If MP_LOGTAB is not defined, use the math library to compute the
-   logarithms on the fly.  Otherwise, use the table.
-   Pick which works best for your system.
- */
-
-#include <math.h>
-#define LOG_V_2(R)  (log(2.0)/log(R))
-
-#endif /* if MP_LOGTAB */
-
-/* }}} */
-
-/* {{{ Digit arithmetic macros */
-
-/*
-  When adding and multiplying digits, the results can be larger than
-  can be contained in an mp_digit.  Thus, an mp_word is used.  These
-  macros mask off the upper and lower digits of the mp_word (the
-  mp_word may be more than 2 mp_digits wide, but we only concern
-  ourselves with the low-order 2 mp_digits)
- */
-
-#define  CARRYOUT(W)  (mp_digit)((W)>>DIGIT_BIT)
-#define  ACCUM(W)     (mp_digit)(W)
-
-#define MP_MIN(a,b)   (((a) < (b)) ? (a) : (b))
-#define MP_MAX(a,b)   (((a) > (b)) ? (a) : (b))
-#define MP_HOWMANY(a,b) (((a) + (b) - 1)/(b))
-#define MP_ROUNDUP(a,b) (MP_HOWMANY(a,b) * (b))
-
-/* }}} */
-
-/* {{{ Comparison constants */
-
-#define  MP_LT       -1
-#define  MP_EQ        0
-#define  MP_GT        1
-
-/* }}} */
-
-/* {{{ private function declarations */
-
-/* 
-   If MP_MACRO is false, these will be defined as actual functions;
-   otherwise, suitable macro definitions will be used.  This works
-   around the fact that ANSI C89 doesn't support an 'inline' keyword
-   (although I hear C9x will ... about bloody time).  At present, the
-   macro definitions are identical to the function bodies, but they'll
-   expand in place, instead of generating a function call.
-
-   I chose these particular functions to be made into macros because
-   some profiling showed they are called a lot on a typical workload,
-   and yet they are primarily housekeeping.
- */
-#if MP_MACRO == 0
- void     s_mp_setz(mp_digit *dp, mp_size count); /* zero digits           */
- void     s_mp_copy(const mp_digit *sp, mp_digit *dp, mp_size count); /* copy */
- void    *s_mp_alloc(size_t nb, size_t ni);       /* general allocator     */
- void     s_mp_free(void *ptr);                   /* general free function */
-extern unsigned long mp_allocs;
-extern unsigned long mp_frees;
-extern unsigned long mp_copies;
-#else
-
- /* Even if these are defined as macros, we need to respect the settings
-    of the MP_MEMSET and MP_MEMCPY configuration options...
-  */
- #if MP_MEMSET == 0
-  #define  s_mp_setz(dp, count) \
-       {int ix;for(ix=0;ix<(count);ix++)(dp)[ix]=0;}
- #else
-  #define  s_mp_setz(dp, count) memset(dp, 0, (count) * sizeof(mp_digit))
- #endif /* MP_MEMSET */
-
- #if MP_MEMCPY == 0
-  #define  s_mp_copy(sp, dp, count) \
-       {int ix;for(ix=0;ix<(count);ix++)(dp)[ix]=(sp)[ix];}
- #else
-  #define  s_mp_copy(sp, dp, count) memcpy(dp, sp, (count) * sizeof(mp_digit))
- #endif /* MP_MEMCPY */
-
- #define  s_mp_alloc(nb, ni)  calloc(nb, ni)
- #define  s_mp_free(ptr) {if(ptr) free(ptr);}
-#endif /* MP_MACRO */
-
-mp_err   s_mp_grow(mp_int *mp, mp_size min);   /* increase allocated size */
-mp_err   s_mp_pad(mp_int *mp, mp_size min);    /* left pad with zeroes    */
-
-#if MP_MACRO == 0
- void     s_mp_clamp(mp_int *mp);               /* clip leading zeroes     */
-#else
- #define  s_mp_clamp(mp)\
-  { mp_size used = MP_USED(mp); \
-    while (used > 1 && DIGIT(mp, used - 1) == 0) --used; \
-    MP_USED(mp) = used; \
-  } 
-#endif /* MP_MACRO */
-
-void     s_mp_exch(mp_int *a, mp_int *b);      /* swap a and b in place   */
-
-mp_err   s_mp_lshd(mp_int *mp, mp_size p);     /* left-shift by p digits  */
-void     s_mp_rshd(mp_int *mp, mp_size p);     /* right-shift by p digits */
-mp_err   s_mp_mul_2d(mp_int *mp, mp_digit d);  /* multiply by 2^d in place */
-void     s_mp_div_2d(mp_int *mp, mp_digit d);  /* divide by 2^d in place  */
-void     s_mp_mod_2d(mp_int *mp, mp_digit d);  /* modulo 2^d in place     */
-void     s_mp_div_2(mp_int *mp);               /* divide by 2 in place    */
-mp_err   s_mp_mul_2(mp_int *mp);               /* multiply by 2 in place  */
-mp_err   s_mp_norm(mp_int *a, mp_int *b, mp_digit *pd); 
-                                               /* normalize for division  */
-mp_err   s_mp_add_d(mp_int *mp, mp_digit d);   /* unsigned digit addition */
-mp_err   s_mp_sub_d(mp_int *mp, mp_digit d);   /* unsigned digit subtract */
-mp_err   s_mp_mul_d(mp_int *mp, mp_digit d);   /* unsigned digit multiply */
-mp_err   s_mp_div_d(mp_int *mp, mp_digit d, mp_digit *r);
-		                               /* unsigned digit divide   */
-mp_err   s_mp_reduce(mp_int *x, const mp_int *m, const mp_int *mu);
-                                               /* Barrett reduction       */
-mp_err   s_mp_add(mp_int *a, const mp_int *b); /* magnitude addition      */
-mp_err   s_mp_add_3arg(const mp_int *a, const mp_int *b, mp_int *c);
-mp_err   s_mp_sub(mp_int *a, const mp_int *b); /* magnitude subtract      */
-mp_err   s_mp_sub_3arg(const mp_int *a, const mp_int *b, mp_int *c);
-mp_err   s_mp_add_offset(mp_int *a, mp_int *b, mp_size offset);
-                                               /* a += b * RADIX^offset   */
-mp_err   s_mp_mul(mp_int *a, const mp_int *b); /* magnitude multiply      */
-#if MP_SQUARE
-mp_err   s_mp_sqr(mp_int *a);                  /* magnitude square        */
-#else
-#define  s_mp_sqr(a) s_mp_mul(a, a)
-#endif
-mp_err   s_mp_div(mp_int *rem, mp_int *div, mp_int *quot); /* magnitude div */
-mp_err   s_mp_exptmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c);
-mp_err   s_mp_2expt(mp_int *a, mp_digit k);    /* a = 2^k                 */
-int      s_mp_cmp(const mp_int *a, const mp_int *b); /* magnitude comparison */
-int      s_mp_cmp_d(const mp_int *a, mp_digit d); /* magnitude digit compare */
-int      s_mp_ispow2(const mp_int *v);         /* is v a power of 2?      */
-int      s_mp_ispow2d(mp_digit d);             /* is d a power of 2?      */
-
-int      s_mp_tovalue(char ch, int r);          /* convert ch to value    */
-char     s_mp_todigit(mp_digit val, int r, int low); /* convert val to digit */
-int      s_mp_outlen(int bits, int r);          /* output length in bytes */
-mp_digit s_mp_invmod_radix(mp_digit P);   /* returns (P ** -1) mod RADIX */
-mp_err   s_mp_invmod_odd_m( const mp_int *a, const mp_int *m, mp_int *c);
-mp_err   s_mp_invmod_2d(    const mp_int *a, mp_size k,       mp_int *c);
-mp_err   s_mp_invmod_even_m(const mp_int *a, const mp_int *m, mp_int *c);
-
-#ifdef NSS_USE_COMBA
-
-#define IS_POWER_OF_2(a) ((a) && !((a) & ((a)-1)))
-
-void s_mp_mul_comba_4(const mp_int *A, const mp_int *B, mp_int *C);
-void s_mp_mul_comba_8(const mp_int *A, const mp_int *B, mp_int *C);
-void s_mp_mul_comba_16(const mp_int *A, const mp_int *B, mp_int *C);
-void s_mp_mul_comba_32(const mp_int *A, const mp_int *B, mp_int *C);
-
-void s_mp_sqr_comba_4(const mp_int *A, mp_int *B);
-void s_mp_sqr_comba_8(const mp_int *A, mp_int *B);
-void s_mp_sqr_comba_16(const mp_int *A, mp_int *B);
-void s_mp_sqr_comba_32(const mp_int *A, mp_int *B);
-
-#endif /* end NSS_USE_COMBA */
-
-/* ------ mpv functions, operate on arrays of digits, not on mp_int's ------ */
-#if defined (__OS2__) && defined (__IBMC__)
-#define MPI_ASM_DECL __cdecl
-#else
-#define MPI_ASM_DECL
-#endif
-
-#ifdef MPI_AMD64
-
-mp_digit MPI_ASM_DECL s_mpv_mul_set_vec64(mp_digit*, mp_digit *, mp_size, mp_digit);
-mp_digit MPI_ASM_DECL s_mpv_mul_add_vec64(mp_digit*, const mp_digit*, mp_size, mp_digit);
-
-/* c = a * b */
-#define s_mpv_mul_d(a, a_len, b, c) \
-	((unsigned long*)c)[a_len] = s_mpv_mul_set_vec64(c, a, a_len, b)
-
-/* c += a * b */
-#define s_mpv_mul_d_add(a, a_len, b, c) \
-	((unsigned long*)c)[a_len] = s_mpv_mul_add_vec64(c, a, a_len, b)
-
-#else
-
-void     MPI_ASM_DECL s_mpv_mul_d(const mp_digit *a, mp_size a_len,
-                                        mp_digit b, mp_digit *c);
-void     MPI_ASM_DECL s_mpv_mul_d_add(const mp_digit *a, mp_size a_len,
-                                            mp_digit b, mp_digit *c);
-
-#endif
-
-void     MPI_ASM_DECL s_mpv_mul_d_add_prop(const mp_digit *a,
-                                                mp_size a_len, mp_digit b, 
-			                        mp_digit *c);
-void     MPI_ASM_DECL s_mpv_sqr_add_prop(const mp_digit *a,
-                                                mp_size a_len,
-                                                mp_digit *sqrs);
-
-mp_err   MPI_ASM_DECL s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo,
-                            mp_digit divisor, mp_digit *quot, mp_digit *rem);
-
-/* c += a * b * (MP_RADIX ** offset);  */
-#define s_mp_mul_d_add_offset(a, b, c, off) \
-(s_mpv_mul_d_add_prop(MP_DIGITS(a), MP_USED(a), b, MP_DIGITS(c) + off), MP_OKAY)
-
-typedef struct {
-  mp_int       N;	/* modulus N */
-  mp_digit     n0prime; /* n0' = - (n0 ** -1) mod MP_RADIX */
-  mp_size      b;	/* R == 2 ** b,  also b = # significant bits in N */
-} mp_mont_modulus;
-
-mp_err s_mp_mul_mont(const mp_int *a, const mp_int *b, mp_int *c, 
-	               mp_mont_modulus *mmm);
-mp_err s_mp_redc(mp_int *T, mp_mont_modulus *mmm);
-
-/* }}} */
-#endif
-
diff --git a/security/nss/lib/freebl/mpi/mpi-test.c b/security/nss/lib/freebl/mpi/mpi-test.c
deleted file mode 100644
index 735a8c3f6..000000000
--- a/security/nss/lib/freebl/mpi/mpi-test.c
+++ /dev/null
@@ -1,1986 +0,0 @@
-/*
- * mpi-test.c
- *
- * This is a general test suite for the MPI library, which tests
- * all the functions in the library with known values.  The program
- * exits with a zero (successful) status if the tests pass, or a 
- * nonzero status if the tests fail.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1999
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Netscape Communications Corporation
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <stdarg.h>
-#include <limits.h>
-#include <time.h>
-
-#include "mpi.h"
-#include "mpprime.h"
-
-#include "test-info.c"
-
-/* ZS means Zero Suppressed (no leading zeros) */
-#if MP_USE_LONG_DIGIT 
-#define ZS_DIGIT_FMT         "%lX"
-#elif MP_USE_LONG_LONG_DIGIT
-#define ZS_DIGIT_FMT         "%llX"
-#elif MP_USE_UINT_DIGIT 
-#define ZS_DIGIT_FMT         "%X"
-#else
-#error "unknown type of digit"
-#endif
-
-/*
-  Test vectors
-
-  If you intend to change any of these values, you must also recompute
-  the corresponding solutions below.  Basically, these are just hex
-  strings (for the big integers) or integer values (for the digits).
-
-  The comparison tests think they know what relationships hold between
-  these values.  If you change that, you may have to adjust the code
-  for the comparison tests accordingly.  Most of the other tests
-  should be fine as long as you re-compute the solutions, though.
- */
-const char   *mp1  = "639A868CDA0C569861B";
-const char   *mp2  = "AAFC0A3FE45E5E09DBE2C29";
-const char   *mp3  = "B55AA8DF8A7E83241F38AC7A9E479CAEF2E4D7C5";
-const char   *mp4  = "-63DBC2265B88268DC801C10EA68476B7BDE0090F";
-const char   *mp5  = "F595CB42";
-const char   *mp5a = "-4B597E";
-const char   *mp6  = "0";
-const char   *mp7  = "EBFA7121CD838CE6439CC59DDB4CBEF3";
-const char   *mp8  = "5";
-const char   *mp9  = "F74A2876A1432698923B0767DA19DCF3D71795EE";
-const char   *mp10 = "9184E72A000";
-const char   *mp11 = "54D79A3557E8";
-const char   *mp12 = "10000000000000000";
-const char   *mp13 = 
-"34584F700C15A341E40BF7BFDD88A6630C8FF2B2067469372D391342BDAB6163963C"
-"D5A5C79F708BDE26E0CCF2DB66CD6D6089E29A877C45F2B050D226E6DA88";
-const char   *mp14 =
-"AC3FA0EABAAC45724814D798942A1E28E14C81E0DE8055CED630E7689DA648683645DB6E"
-"458D9F5338CC3D4E33A5D1C9BF42780133599E60DEE0049AFA8F9489501AE5C9AA2B8C13"
-"FD21285A538B2CA87A626BB56E0A654C8707535E637FF4E39174157402BDE3AA30C9F134"
-"0C1307BAA864B075A9CC828B6A5E2B2BF1AE406D920CC5E7657D7C0E697DEE5375773AF9"
-"E200A1B8FAD7CD141F9EE47ABB55511FEB9A4D99EBA22F3A3FF6792FA7EE9E5DC0EE94F7"
-"7A631EDF3D7DD7C2DAAAFDF234D60302AB63D5234CEAE941B9AF0ADDD9E6E3A940A94EE5"
-"5DB45A7C66E61EDD0477419BBEFA44C325129601C4F45671C6A0E64665DF341D17FBC71F"
-"77418BD9F4375DDB3B9D56126526D8E5E0F35A121FD4F347013DA880020A752324F31DDD"
-"9BCDB13A3B86E207A2DE086825E6EEB87B3A64232CFD8205B799BC018634AAE193F19531"
-"D6EBC19A75F27CFFAA03EB5974898F53FD569AA5CE60F431B53B0CDE715A5F382405C9C4"
-"761A8E24888328F09F7BCE4E8D80C957DF177629C8421ACCD0C268C63C0DD47C3C0D954F"
-"D79F7D7297C6788DF4B3E51381759864D880ACA246DF09533739B8BB6085EAF7AE8DC2D9"
-"F224E6874926C8D24D34B457FD2C9A586C6B99582DC24F787A39E3942786CF1D494B6EB4"
-"A513498CDA0B217C4E80BCE7DA1C704C35E071AC21E0DA9F57C27C3533F46A8D20B04137"
-"C1B1384BE4B2EB46";
-const char   *mp15 = 
-"39849CF7FD65AF2E3C4D87FE5526221103D90BA26A6642FFE3C3ECC0887BBBC57E011BF1"
-"05D822A841653509C68F79EBE51C0099B8CBB04DEF31F36F5954208A3209AC122F0E11D8"
-"4AE67A494D78336A2066D394D42E27EF6B03DDAF6D69F5112C93E714D27C94F82FC7EF77"
-"445768C68EAE1C4A1407BE1B303243391D325090449764AE469CC53EC8012C4C02A72F37"
-"07ED7275D2CC8D0A14B5BCC6BF264941520EBA97E3E6BAE4EE8BC87EE0DDA1F5611A6ECB"
-"65F8AEF4F184E10CADBDFA5A2FEF828901D18C20785E5CC63473D638762DA80625003711"
-"9E984AC43E707915B133543AF9D5522C3E7180DC58E1E5381C1FB7DC6A5F4198F3E88FA6"
-"CBB6DFA8B2D1C763226B253E18BCCB79A29EE82D2DE735078C8AE3C3C86D476AAA08434C"
-"09C274BDD40A1D8FDE38D6536C22F44E807EB73DE4FB36C9F51E0BC835DDBE3A8EFCF2FE"
-"672B525769DC39230EE624D5EEDBD837C82A52E153F37378C3AD68A81A7ADBDF3345DBCE"
-"8FA18CA1DE618EF94DF72EAD928D4F45B9E51632ACF158CF8332C51891D1D12C2A7E6684"
-"360C4BF177C952579A9F442CFFEC8DAE4821A8E7A31C4861D8464CA9116C60866C5E72F7"
-"434ADBED36D54ACDFDFF70A4EFB46E285131FE725F1C637D1C62115EDAD01C4189716327"
-"BFAA79618B1656CBFA22C2C965687D0381CC2FE0245913C4D8D96108213680BD8E93E821"
-"822AD9DDBFE4BD04";
-const char   *mp16 = "4A724340668DB150339A70";
-const char   *mp17 = "8ADB90F58";
-const char   *mp18 = "C64C230AB20E5";
-const char *mp19 = 
-"F1C9DACDA287F2E3C88DCE2393B8F53DAAAC1196DC36510962B6B59454CFE64B";
-const char *mp20 = 
-"D445662C8B6FE394107B867797750C326E0F4A967E135FC430F6CD7207913AC7";
-const char* mp21 = "2";
-
-const mp_digit md1 = 0;
-const mp_digit md2 = 0x1;
-const mp_digit md3 = 0x80;
-const mp_digit md4 = 0x9C97;
-const mp_digit md5 = 0xF5BF;
-const mp_digit md6 = 0x14A0;
-const mp_digit md7 = 0x03E8;
-const mp_digit md8 = 0x0101;
-const mp_digit md9 = 0xA;
-
-/* 
-   Solutions of the form x_mpABC, where:
-
-   x = (p)roduct, (s)um, (d)ifference, (q)uotient, (r)emainder, (g)cd,
-       (i)nverse, (e)xponent, square roo(t), (g)cd, (l)cm.  A
-       leading 'm' indicates a modular operation, e.g. ms_mp12 is the
-       modular sum of operands 1 and 2
-
-   ABC are the operand numbers involved in the computation.  If a 'd'
-   precedes the number, it is a digit operand; if a 'c' precedes it,
-   it is a constant; otherwise, it is a full integer.  
- */
-
-const char *p_mp12   = "4286AD72E095C9FE009938750743174ADDD7FD1E53";
-const char *p_mp34   = "-46BDBD66CA108C94A8CF46C325F7B6E2F2BA82D35"
-                       "A1BFD6934C441EE369B60CA29BADC26845E918B";
-const char *p_mp57   = "E260C265A0A27C17AD5F4E59D6E0360217A2EBA6";
-const char *p_mp22   = "7233B5C1097FFC77CCF55928FDC3A5D31B712FDE7A1E91";
-const char *p_mp1d4  = "3CECEA2331F4220BEF68DED";
-const char *p_mp8d6  = "6720";
-const char *p_mp1113 =
-"11590FC3831C8C3C51813142C88E566408DB04F9E27642F6471A1822E0100B12F7F1"
-"5699A127C0FA9D26DCBFF458522661F30C6ADA4A07C8C90F9116893F6DBFBF24C3A2"
-"4340";
-const char *p_mp1415 = 
-"26B36540DE8B3586699CCEAE218A2842C7D5A01590E70C4A26E789107FBCDB06AA2C"
-"6DDC39E6FA18B16FCB2E934C9A5F844DAD60EE3B1EA82199EC5E9608F67F860FB965"
-"736055DF0E8F2540EB28D07F47E309B5F5D7C94FF190AB9C83A6970160CA700B1081"
-"F60518132AF28C6CEE6B7C473E461ABAC52C39CED50A08DD4E7EA8BA18DAD545126D"
-"A388F6983C29B6BE3F9DCBC15766E8E6D626A92C5296A9C4653CAE5788350C0E2107"
-"F57E5E8B6994C4847D727FF1A63A66A6CEF42B9C9E6BD04C92550B85D5527DE8A132"
-"E6BE89341A9285C7CE7FB929D871BBCBD0ED2863B6B078B0DBB30FCA66D6C64284D6"
-"57F394A0271E15B6EC7A9D530EBAC6CA262EF6F97E1A29FCE7749240E4AECA591ECF"
-"272122BC587370F9371B67BB696B3CDC1BC8C5B64B6280994EBA00CDEB8EB0F5D06E"
-"18F401D65FDCECF23DD7B9BB5B4C5458AEF2CCC09BA7F70EACB844750ACFD027521E"
-"2E047DE8388B35F8512D3DA46FF1A12D4260213602BF7BFFDB6059439B1BD0676449"
-"8D98C74F48FB3F548948D5BA0C8ECFCD054465132DC43466D6BBD59FBAF8D6D4E157"
-"2D612B40A956C7D3E140F3B8562EF18568B24D335707D5BAC7495014DF2444172426"
-"FD099DED560D30D1F945386604AFC85C64BD1E5F531F5C7840475FC0CF0F79810012"
-"4572BAF5A9910CDBD02B27FFCC3C7E5E88EF59F3AE152476E33EDA696A4F751E0AE4"
-"A3D2792DEA78E25B9110E12A19EFD09EA47FF9D6594DA445478BEB6901EAF8A35B2D"
-"FD59BEE9BF7AA8535B7D326EFA5AA2121B5EBE04DD85827A3D43BD04F4AA6D7B62A2"
-"B6D7A3077286A511A431E1EF75FCEBA3FAE9D5843A8ED17AA02BBB1B571F904699C5"
-"A6073F87DDD012E2322AB3F41F2A61F428636FE86914148E19B8EF8314ED83332F2F"
-"8C2ADE95071E792C0A68B903E060DD322A75FD0C2B992059FCCBB58AFA06B50D1634"
-"BBD93F187FCE0566609FCC2BABB269C66CEB097598AA17957BB4FDA3E64A1B30402E"
-"851CF9208E33D52E459A92C63FBB66435BB018E155E2C7F055E0B7AB82CD58FC4889"
-"372ED9EEAC2A07E8E654AB445B9298D2830D6D4DFD117B9C8ABE3968927DC24B3633"
-"BAD6E6466DB45DDAE87A0AB00336AC2CCCE176704F7214FCAB55743AB76C2B6CA231"
-"7984610B27B5786DE55C184DDF556EDFEA79A3652831940DAD941E243F482DC17E50"
-"284BC2FB1AD712A92542C573E55678878F02DFD9E3A863C7DF863227AEDE14B47AD3"
-"957190124820ADC19F5353878EDB6BF7D0C77352A6E3BDB53EEB88F5AEF6226D6E68"
-"756776A8FB49B77564147A641664C2A54F7E5B680CCC6A4D22D894E464DF20537094"
-"548F1732452F9E7F810C0B4B430C073C0FBCE03F0D03F82630654BCE166AA772E1EE"
-"DD0C08D3E3EBDF0AF54203B43AFDFC40D8FC79C97A4B0A4E1BEB14D8FCEFDDED8758"
-"6ED65B18";
-const char *p_mp2121 = "4";
-const char *mp_mp345 = "B9B6D3A3";
-const char *mp_mp335 = "16609C2D";
-
-const char *s_mp13   = "B55AA8DF8A7E83241F38B2B446B06A4FB84E5DE0";
-const char *s_mp34   = "517EE6B92EF65C965736EB6BF7C325F73504CEB6";
-const char *s_mp46   = "-63DBC2265B88268DC801C10EA68476B7BDE0090F";
-const char *s_mp5d4  = "F59667D9";
-const char *s_mp2d5  = "AAFC0A3FE45E5E09DBF21E8";
-const char *s_mp1415 = 
-"E5C43DE2B811F4A084625F96E9504039E5258D8348E698CEB9F4D4292622042DB446"
-"F75F4B65C1FB7A317257FA354BB5A45E789AEC254EAECE11F80A53E3B513822491DB"
-"D9399DEC4807A2A3A10360129AC93F4A42388D3BF20B310DD0E9E9F4BE07FC88D53A"
-"78A26091E0AB506A70813712CCBFBDD440A69A906E650EE090FDD6A42A95AC1A414D"
-"317F1A9F781E6A30E9EE142ECDA45A1E3454A1417A7B9A613DA90831CF88EA1F2E82"
-"41AE88CC4053220903C2E05BCDD42F02B8CF8868F84C64C5858BAD356143C5494607"
-"EE22E11650148BAF65A985F6FC4CA540A55697F2B5AA95D6B8CF96EF638416DE1DD6"
-"3BA9E2C09E22D03E75B60BE456C642F86B82A709253E5E087B507DE3A45F8392423F"
-"4DBC284E8DC88C43CA77BC8DCEFB6129A59025F80F90FF978116DEBB9209E306FBB9"
-"1B6111F8B8CFACB7C7C9BC12691C22EE88303E1713F1DFCEB622B8EA102F6365678B"
-"C580ED87225467AA78E875868BD53B17574BA59305BC1AC666E4B7E9ED72FCFC200E"
-"189D98FC8C5C7533739C53F52DDECDDFA5A8668BFBD40DABC9640F8FCAE58F532940"
-"8162261320A25589E9FB51B50F80056471F24B7E1AEC35D1356FC2747FFC13A04B34"
-"24FCECE10880BD9D97CA8CDEB2F5969BF4F30256EB5ED2BCD1DC64BDC2EE65217848"
-"48A37FB13F84ED4FB7ACA18C4639EE64309BDD3D552AEB4AAF44295943DC1229A497"
-"A84A";
-
-const char *ms_mp345 = "1E71E292";
-
-const char *d_mp12   = "-AAFBA6A55DD183FD854A60E";
-const char *d_mp34   = "119366B05E606A9B1E73A6D8944CC1366B0C4E0D4";
-const char *d_mp5d4  = "F5952EAB";
-const char *d_mp6d2  = "-1";
-const char *md_mp345 = "26596B86";
-
-const char *q_mp42   = "-95825A1FFA1A155D5";
-const char *r_mp42   = "-6312E99D7700A3DCB32ADF2";
-const char *q_mp45a  = "15344CDA3D841F661D2B61B6EDF7828CE36";
-const char *r_mp45a  = "-47C47B";
-const char *q_mp7c2  = "75FD3890E6C1C67321CE62CEEDA65F79";
-const char *q_mp3d6  = "8CAFD53C272BD6FE8B0847BDC3B539EFAB5C3";
-const char *r_mp3d6  = "1E5";
-const char *r_mp5d5  = "1257";
-const char *r_mp47   = "B3A9018D970281A90FB729A181D95CB8";
-const char *q_mp1404 = 
-"-1B994D869142D3EF6123A3CBBC3C0114FA071CFCEEF4B7D231D65591D32501AD80F"
-"FF49AE4EC80514CC071EF6B42521C2508F4CB2FEAD69A2D2EF3934087DCAF88CC4C4"
-"659F1CA8A7F4D36817D802F778F1392337FE36302D6865BF0D4645625DF8BB044E19"
-"930635BE2609FAC8D99357D3A9F81F2578DE15A300964188292107DAC980E0A08CD7"
-"E938A2135FAD45D50CB1D8C2D4C4E60C27AB98B9FBD7E4DBF752C57D2674520E4BB2"
-"7E42324C0EFE84FB3E38CF6950E699E86FD45FE40D428400F2F94EDF7E94FAE10B45"
-"89329E1BF61E5A378C7B31C9C6A234F8254D4C24823B84D0BF8D671D8BC9154DFAC9"
-"49BD8ACABD6BD32DD4DC587F22C86153CB3954BDF7C2A890D623642492C482CF3E2C"
-"776FC019C3BBC61688B485E6FD35D6376089C1E33F880E84C4E51E8ABEACE1B3FB70"
-"3EAD0E28D2D44E7F1C0A859C840775E94F8C1369D985A3C5E8114B21D68B3CBB75D2"
-"791C586153C85B90CAA483E57A40E2D97950AAB84920A4396C950C87C7FFFE748358"
-"42A0BF65445B26D40F05BE164B822CA96321F41D85A289C5F5CD5F438A78704C9683"
-"422299D21899A22F853B0C93081CC9925E350132A0717A611DD932A68A0ACC6E4C7F"
-"7F685EF8C1F4910AEA5DC00BB5A36FCA07FFEAA490C547F6E14A08FE87041AB803E1"
-"BD9E23E4D367A2C35762F209073DFF48F3";
-const char *r_mp1404 = "12FF98621ABF63144BFFC3207AC8FC10D8D1A09";
-
-const char *q_mp13c  = 
-		"34584F700C15A341E40BF7BFDD88A6630C8FF2B2067469372D391342"
-		"BDAB6163963CD5A5C79F708BDE26E0CCF2DB66CD6D6089E29A877C45";
-const char *r_mp13c  = "F2B050D226E6DA88";
-const char *q_mp9c16 = "F74A2876A1432698923B0767DA19DCF3D71795E";
-const char *r_mp9c16 = "E";
-
-const char *e_mp5d9 = "A8FD7145E727A20E52E73D22990D35D158090307A"
-		      "13A5215AAC4E9AB1E96BD34E531209E03310400";
-const char *e_mp78  = "AA5F72C737DFFD8CCD108008BFE7C79ADC01A819B"
-		      "32B75FB82EC0FB8CA83311DA36D4063F1E57857A2"
-		      "1AB226563D84A15BB63CE975FF1453BD6750C58D9"
-		      "D113175764F5D0B3C89B262D4702F4D9640A3";
-const char *me_mp817 = "E504493ACB02F7F802B327AB13BF25";
-const char *me_mp5d47 = "1D45ED0D78F2778157992C951DD2734C";
-const char *me_mp1512 = "FB5B2A28D902B9D9";
-const char *me_mp161718 = "423C6AC6DBD74";
-const char *me_mp5114 =
-"64F0F72807993578BBA3C7C36FFB184028F9EB9A810C92079E1498D8A80FC848E1F0"
-"25F1DE43B7F6AC063F5CC29D8A7C2D7A66269D72BF5CDC327AF88AF8EF9E601DCB0A"
-"3F35BFF3525FB1B61CE3A25182F17C0A0633B4089EA15BDC47664A43FEF639748AAC"
-"19CF58E83D8FA32CD10661D2D4210CC84792937E6F36CB601851356622E63ADD4BD5"
-"542412C2E0C4958E51FD2524AABDC7D60CFB5DB332EEC9DC84210F10FAE0BA2018F2"
-"14C9D6867C9D6E49CF28C18D06CE009FD4D04BFC8837C3FAAA773F5CCF6DED1C22DE"
-"181786AFE188540586F2D74BF312E595244E6936AE52E45742109BAA76C36F2692F5"
-"CEF97AD462B138BE92721194B163254CBAAEE9B9864B21CCDD5375BCAD0D24132724"
-"113D3374B4BCF9AA49BA5ACBC12288C0BCF46DCE6CB4A241A91BD559B130B6E9CD3D"
-"D7A2C8B280C2A278BA9BF5D93244D563015C9484B86D9FEB602501DC16EEBC3EFF19"
-"53D7999682BF1A1E3B2E7B21F4BDCA3C355039FEF55B9C0885F98DC355CA7A6D8ECF"
-"5F7F1A6E11A764F2343C823B879B44616B56BF6AE3FA2ACF5483660E618882018E3F"
-"C8459313BACFE1F93CECC37B2576A5C0B2714BD3EEDEEC22F0E7E3E77B11396B9B99"
-"D683F2447A4004BBD4A57F6A616CDDFEC595C4FC19884CC2FC21CF5BF5B0B81E0F83"
-"B9DDA0CF4DFF35BB8D31245912BF4497FD0BD95F0C604E26EA5A8EA4F5EAE870A5BD"
-"FE8C";
-
-const char *e_mpc2d3 = "100000000000000000000000000000000";
-
-const char *t_mp9    = "FB9B6E32FF0452A34746";
-const char *i_mp27   = "B6AD8DCCDAF92B6FE57D062FFEE3A99";
-const char *i_mp2019 = 
-"BDF3D88DC373A63EED92903115B03FC8501910AF68297B4C41870AED3EA9F839";
-/* "15E3FE09E8AE5523AABA197BD2D16318D3CA148EDF4AE1C1C52FC96AFAF5680B"; */
-
-
-const char *t_mp15 =
-"795853094E59B0008093BCA8DECF68587C64BDCA2F3F7F8963DABC12F1CFFFA9B8C4"
-"365232FD4751870A0EF6CA619287C5D8B7F1747D95076AB19645EF309773E9EACEA0"
-"975FA4AE16251A8DA5865349C3A903E3B8A2C0DEA3C0720B6020C7FED69AFF62BB72"
-"10FAC443F9FFA2950776F949E819260C2AF8D94E8A1431A40F8C23C1973DE5D49AA2"
-"0B3FF5DA5C1D5324E712A78FF33A9B1748F83FA529905924A31DF38643B3F693EF9B"
-"58D846BB1AEAE4523ECC843FF551C1B300A130B65C1677402778F98C51C10813250E"
-"2496882877B069E877B59740DC1226F18A5C0F66F64A5F59A9FAFC5E9FC45AEC0E7A"
-"BEE244F7DD3AC268CF512A0E52E4F5BE5B94";
-
-const char *g_mp71   = "1";
-const char *g_mp25   = "7";
-const char *l_mp1011 = "C589E3D7D64A6942A000";
-
-/* mp9 in radices from 5 to 64 inclusive */
-#define LOW_RADIX   5
-#define HIGH_RADIX  64
-const char *v_mp9[] = {
-  "404041130042310320100141302000203430214122130002340212132414134210033",
-  "44515230120451152500101352430105520150025145320010504454125502",
-  "644641136612541136016610100564613624243140151310023515322",
-  "173512120732412062323044435407317550316717172705712756",
-  "265785018434285762514442046172754680368422060744852",
-  "1411774500397290569709059837552310354075408897518",
-  "184064268501499311A17746095910428222A241708032A",
-  "47706011B225950B02BB45602AA039893118A85950892",
-  "1A188C826B982353CB58422563AC602B783101671A86",
-  "105957B358B89B018958908A9114BC3DDC410B77982",
-  "CB7B3387E23452178846C55DD9D70C7CA9AEA78E8",
-  "F74A2876A1432698923B0767DA19DCF3D71795EE",
-  "17BF7C3673B76D7G7A5GA836277296F806E7453A",
-  "2EBG8HH3HFA6185D6H0596AH96G24C966DD3HG2",
-  "6G3HGBFEG8I3F25EAF61B904EIA40CFDH2124F",
-  "10AHC3D29EBHDF3HD97905CG0JA8061855C3FI",
-  "3BA5A55J5K699B2D09C38A4B237CH51IHA132",
-  "EDEA90DJ0B5CB3FGG1C8587FEB99D3C143CA",
-  "31M26JI1BBD56K3I028MML4EEDMAJK60LGLE",
-  "GGG5M3142FKKG82EJ28111D70EMHC241E4E",
-  "4446F4D5H10982023N297BF0DKBBHLLJB0I",
-  "12E9DEEOBMKAKEP0IM284MIP7FO1O521M46",
-  "85NN0HD48NN2FDDB1F5BMMKIB8CK20MDPK",
-  "2D882A7A0O0JPCJ4APDRIB77IABAKDGJP2",
-  "MFMCI0R7S27AAA3O3L2S8K44HKA7O02CN",
-  "7IGQS73FFSHC50NNH44B6PTTNLC3M6H78",
-  "2KLUB3U9850CSN6ANIDNIF1LB29MJ43LH",
-  "UT52GTL18CJ9H4HR0TJTK6ESUFBHF5FE",
-  "BTVL87QQBMUGF8PFWU4W3VU7U922QTMW",
-  "4OG10HW0MSWJBIDEE2PDH24GA7RIHIAA",
-  "1W8W9AX2DRUX48GXOLMK0PE42H0FEUWN",
-  "SVWI84VBH069WR15W1U2VTK06USY8Z2",
-  "CPTPNPDa5TYCPPNLALENT9IMX2GL0W2",
-  "5QU21UJMRaUYYYYYN6GHSMPOYOXEEUY",
-  "2O2Q7C6RPPB1SXJ9bR4035SPaQQ3H2W",
-  "18d994IbT4PHbD7cGIPCRP00bbQO0bc",
-  "NcDUEEWRO7XT76260WGeBHPVa72RdA",
-  "BbX2WCF9VfSB5LPdJAdeXKV1fd6LC2",
-  "60QDKW67P4JSQaTdQg7JE9ISafLaVU",
-  "33ba9XbDbRdNF4BeDB2XYMhAVDaBdA",
-  "1RIPZJA8gT5L5H7fTcaRhQ39geMMTc",
-  "d65j70fBATjcDiidPYXUGcaBVVLME",
-  "LKA9jhPabDG612TXWkhfT2gMXNIP2",
-  "BgNaYhjfT0G8PBcYRP8khJCR3C9QE",
-  "6Wk8RhJTAgDh10fYAiUVB1aM0HacG",
-  "3dOCjaf78kd5EQNViUZWj3AfFL90I",
-  "290VWkL3aiJoW4MBbHk0Z0bDo22Ni",
-  "1DbDZ1hpPZNUDBUp6UigcJllEdC26",
-  "dFSOLBUM7UZX8Vnc6qokGIOiFo1h",
-  "NcoUYJOg0HVmKI9fR2ag0S8R2hrK",
-  "EOpiJ5Te7oDe2pn8ZhAUKkhFHlZh",
-  "8nXK8rp8neV8LWta1WDgd1QnlWsU",
-  "5T3d6bcSBtHgrH9bCbu84tblaa7r",
-  "3PlUDIYUvMqOVCir7AtquK5dWanq",
-  "2A70gDPX2AtiicvIGGk9poiMtgvu",
-  "1MjiRxjk10J6SVAxFguv9kZiUnIc",
-  "rpre2vIDeb4h3sp50r1YBbtEx9L",
-  "ZHcoip0AglDAfibrsUcJ9M1C8fm",
-  "NHP18+eoe6uU54W49Kc6ZK7+bT2",
-  "FTAA7QXGoQOaZi7PzePtFFN5vNk"
-};
-
-const unsigned char b_mp4[] = {
-  0x01, 
-#if MP_DIGIT_MAX > MP_32BIT_MAX
-  0x00, 0x00, 0x00, 0x00,
-#endif
-  0x63, 0xDB, 0xC2, 0x26, 
-  0x5B, 0x88, 0x26, 0x8D, 
-  0xC8, 0x01, 0xC1, 0x0E, 
-  0xA6, 0x84, 0x76, 0xB7, 
-  0xBD, 0xE0, 0x09, 0x0F
-};
-
-/* Search for a test suite name in the names table  */
-int  find_name(char *name);
-void reason(char *fmt, ...);
-
-/*------------------------------------------------------------------------*/
-/*------------------------------------------------------------------------*/
-
-char g_intbuf[4096];  /* buffer for integer comparison   */
-char a_intbuf[4096];  /* buffer for integer comparison   */
-int  g_verbose = 1;   /* print out reasons for failure?  */
-int  res;
-
-#define IFOK(x) { if (MP_OKAY > (res = (x))) { \
-  reason("test %s failed: error %d\n", #x, res); return 1; }}
-
-int main(int argc, char *argv[])
-{
-  int which, res;
-
-  srand((unsigned int)time(NULL));
-
-  if (argc < 2) {
-    fprintf(stderr, "Usage: %s <test-suite> | list\n"
-	    "Type '%s help' for assistance\n", argv[0], argv[0]);
-    return 2;
-  } else if(argc > 2) {
-    if(strcmp(argv[2], "quiet") == 0)
-      g_verbose = 0;
-  }
-
-  if(strcmp(argv[1], "help") == 0) {
-    fprintf(stderr, "Help for mpi-test\n\n"
-	    "This program is a test driver for the MPI library, which\n"
-	    "tests all the various functions in the library to make sure\n"
-	    "they are working correctly.  The syntax is:\n"
-	    "    %s <suite-name>\n"
-	    "...where <suite-name> is the name of the test you wish to\n"
-	    "run.  To get a list of the tests, use '%s list'.\n\n"
-	    "The program exits with a status of zero if the test passes,\n"
-	    "or non-zero if it fails.  Ordinarily, failure is accompanied\n"
-	    "by a diagnostic message to standard error.  To suppress this\n"
-	    "add the keyword 'quiet' after the suite-name on the command\n"
-	    "line.\n\n", argv[0], argv[0]);
-    return 0;
-  }
-
-  if ((which = find_name(argv[1])) < 0) {
-    fprintf(stderr, "%s: test suite '%s' is not known\n", argv[0], argv[1]);
-    return 2;
-  }
-
-  if((res = (g_tests[which])()) < 0) {
-    fprintf(stderr, "%s: test suite not implemented yet\n", argv[0]);
-    return 2;
-  } else {
-    return res; 
-  }
-
-}
-
-/*------------------------------------------------------------------------*/
-
-int find_name(char *name)
-{
-  int ix = 0;
-  
-  while(ix < g_count) {
-    if (strcmp(name, g_names[ix]) == 0)
-      return ix;
-    
-    ++ix;
-  }
-  
-  return -1;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_list(void)
-{
-  int ix;
-  
-  fprintf(stderr, "There are currently %d test suites available\n",
-	  g_count);
-  
-  for(ix = 1; ix < g_count; ix++)
-    fprintf(stdout, "%-20s %s\n", g_names[ix], g_descs[ix]);
-  
-  return 0;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_copy(void)
-{
-  mp_int  a, b;
-  int     ix;
-
-  mp_init(&a); mp_init(&b);
-
-  mp_read_radix(&a, mp3, 16);
-  mp_copy(&a, &b);
-
-  if(SIGN(&a) != SIGN(&b) || USED(&a) != USED(&b)) {
-    if(SIGN(&a) != SIGN(&b)) {
-      reason("error: sign of original is %d, sign of copy is %d\n", 
-	     SIGN(&a), SIGN(&b));
-    } else {
-      reason("error: original precision is %d, copy precision is %d\n",
-	     USED(&a), USED(&b));
-    }
-    mp_clear(&a); mp_clear(&b);
-    return 1;
-  }
-
-  for(ix = 0; ix < USED(&b); ix++) {
-    if(DIGIT(&a, ix) != DIGIT(&b, ix)) {
-      reason("error: digit %d " DIGIT_FMT " != " DIGIT_FMT "\n",
-	     ix, DIGIT(&a, ix), DIGIT(&b, ix));
-      mp_clear(&a); mp_clear(&b);
-      return 1;
-    }
-  }
-     
-  mp_clear(&a); mp_clear(&b);
-  return 0;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_exch(void)
-{
-  mp_int  a, b;
-
-  mp_init(&a); mp_init(&b);
-  mp_read_radix(&a, mp7, 16); mp_read_radix(&b, mp1, 16);
-
-  mp_exch(&a, &b);
-  mp_toradix(&a, g_intbuf, 16);
-
-  mp_clear(&a);
-  if(strcmp(g_intbuf, mp1) != 0) {
-    mp_clear(&b);
-    reason("error: exchange failed\n");
-    return 1;
-  }
-
-  mp_toradix(&b, g_intbuf, 16);
-
-  mp_clear(&b);
-  if(strcmp(g_intbuf, mp7) != 0) {
-    reason("error: exchange failed\n");
-    return 1;
-  }
-
-  return 0;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_zero(void)
-{
-  mp_int   a;
-
-  mp_init(&a); mp_read_radix(&a, mp7, 16);
-  mp_zero(&a);
-
-  if(USED(&a) != 1 || DIGIT(&a, 1) != 0) {
-    mp_toradix(&a, g_intbuf, 16);
-    reason("error: result is %s\n", g_intbuf);
-    mp_clear(&a);
-    return 1;
-  }
-
-  mp_clear(&a);
-  return 0;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_set(void)
-{
-  mp_int   a;
-
-  /* Test single digit set */
-  mp_init(&a); mp_set(&a, 5);
-  if(DIGIT(&a, 0) != 5) {
-    mp_toradix(&a, g_intbuf, 16);
-    reason("error: result is %s, expected 5\n", g_intbuf);
-    mp_clear(&a);
-    return 1;
-  }
-
-  /* Test integer set */
-  mp_set_int(&a, -4938110);
-  mp_toradix(&a, g_intbuf, 16);
-  mp_clear(&a);
-  if(strcmp(g_intbuf, mp5a) != 0) {
-    reason("error: result is %s, expected %s\n", g_intbuf, mp5a);
-    return 1;
-  }
-
-  return 0;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_abs(void)
-{
-  mp_int  a;
-
-  mp_init(&a); mp_read_radix(&a, mp4, 16);
-  mp_abs(&a, &a);
-  
-  if(SIGN(&a) != ZPOS) {
-    reason("error: sign of result is negative\n");
-    mp_clear(&a);
-    return 1;
-  }
-
-  mp_clear(&a);
-  return 0;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_neg(void)
-{
-  mp_int  a;
-  mp_sign s;
-
-  mp_init(&a); mp_read_radix(&a, mp4, 16);
-
-  s = SIGN(&a);
-  mp_neg(&a, &a);
-  if(SIGN(&a) == s) {
-    reason("error: sign of result is same as sign of nonzero input\n");
-    mp_clear(&a);
-    return 1;
-  }
-
-  mp_clear(&a);
-  return 0;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_add_d(void)
-{
-  mp_int  a;
-
-  mp_init(&a);
-  
-  mp_read_radix(&a, mp5, 16);
-  mp_add_d(&a, md4, &a);
-  mp_toradix(&a, g_intbuf, 16);
-
-  if(strcmp(g_intbuf, s_mp5d4) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, s_mp5d4);
-    mp_clear(&a);
-    return 1;
-  }
-
-  mp_read_radix(&a, mp2, 16);
-  mp_add_d(&a, md5, &a);
-  mp_toradix(&a, g_intbuf, 16);
-
-  if(strcmp(g_intbuf, s_mp2d5) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, s_mp2d5);
-    mp_clear(&a);
-    return 1;
-  }
-
-  mp_clear(&a);
-  return 0;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_add(void)
-{
-  mp_int  a, b;
-  int     res = 0;
-
-  mp_init(&a); mp_init(&b);
-
-  mp_read_radix(&a, mp1, 16); mp_read_radix(&b, mp3, 16);
-  mp_add(&a, &b, &a);
-  mp_toradix(&a, g_intbuf, 16);
-
-  if(strcmp(g_intbuf, s_mp13) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, s_mp13);
-    res = 1; goto CLEANUP;
-  }
-
-  mp_read_radix(&a, mp4, 16);
-  mp_add(&a, &b, &a);
-  mp_toradix(&a, g_intbuf, 16);
-
-  if(strcmp(g_intbuf, s_mp34) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, s_mp34);
-    res = 1; goto CLEANUP;
-  }
-
-  mp_read_radix(&a, mp4, 16); mp_read_radix(&b, mp6, 16);
-  mp_add(&a, &b, &a);
-  mp_toradix(&a, g_intbuf, 16);
-
-  if(strcmp(g_intbuf, s_mp46) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, s_mp46);
-    res = 1; goto CLEANUP;
-  }
-
-  mp_read_radix(&a, mp14, 16); mp_read_radix(&b, mp15, 16);
-  mp_add(&a, &b, &a);
-  mp_toradix(&a, g_intbuf, 16);
-
-  if(strcmp(g_intbuf, s_mp1415) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, s_mp1415);
-    res = 1;
-  }
-
- CLEANUP:
-  mp_clear(&a); mp_clear(&b);
-  return res;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_sub_d(void)
-{
-  mp_int   a;
-
-  mp_init(&a);
-  mp_read_radix(&a, mp5, 16);
-
-  mp_sub_d(&a, md4, &a);
-  mp_toradix(&a, g_intbuf, 16);
-
-  if(strcmp(g_intbuf, d_mp5d4) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, d_mp5d4);
-    mp_clear(&a);
-    return 1;
-  }
-
-  mp_read_radix(&a, mp6, 16);
-  
-  mp_sub_d(&a, md2, &a);
-  mp_toradix(&a, g_intbuf, 16);
-  
-  mp_clear(&a);
-  if(strcmp(g_intbuf, d_mp6d2) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, d_mp6d2);
-    return 1;
-  }
-
-  return 0;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_sub(void)
-{
-  mp_int  a, b;
-
-  mp_init(&a); mp_init(&b);
-
-  mp_read_radix(&a, mp1, 16); mp_read_radix(&b, mp2, 16);
-  mp_sub(&a, &b, &a);
-  mp_toradix(&a, g_intbuf, 16);
-
-  if(strcmp(g_intbuf, d_mp12) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, d_mp12);
-    mp_clear(&a); mp_clear(&b);
-    return 1;
-  }
-
-  mp_read_radix(&a, mp3, 16); mp_read_radix(&b, mp4, 16);
-  mp_sub(&a, &b, &a);
-  mp_toradix(&a, g_intbuf, 16);
-
-  if(strcmp(g_intbuf, d_mp34) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, d_mp34);
-    mp_clear(&a); mp_clear(&b);
-    return 1;
-  }
-
-  mp_clear(&a); mp_clear(&b);
-  return 0;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_mul_d(void)
-{
-  mp_int   a;
-
-  mp_init(&a);
-  mp_read_radix(&a, mp1, 16);
-
-  IFOK( mp_mul_d(&a, md4, &a) );
-  mp_toradix(&a, g_intbuf, 16);
-  
-  if(strcmp(g_intbuf, p_mp1d4) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, p_mp1d4);    
-    mp_clear(&a);
-    return 1;
-  }
-
-  mp_read_radix(&a, mp8, 16);
-  IFOK( mp_mul_d(&a, md6, &a) );
-  mp_toradix(&a, g_intbuf, 16);
-
-  mp_clear(&a);
-  if(strcmp(g_intbuf, p_mp8d6) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, p_mp8d6); 
-    return 1;
-  }
-
-  return 0;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_mul(void)
-{
-  mp_int   a, b;
-  int      res = 0;
-
-  mp_init(&a); mp_init(&b);
-  mp_read_radix(&a, mp1, 16); mp_read_radix(&b, mp2, 16);
-
-  IFOK( mp_mul(&a, &b, &a) );
-  mp_toradix(&a, g_intbuf, 16);
-
-  if(strcmp(g_intbuf, p_mp12) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, p_mp12);
-    res = 1; goto CLEANUP;
-  }
-
-  mp_read_radix(&a, mp3, 16); mp_read_radix(&b, mp4, 16);
-  IFOK( mp_mul(&a, &b, &a) );
-  mp_toradix(&a, g_intbuf, 16);
-
-  if(strcmp(g_intbuf, p_mp34) !=0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, p_mp34);
-    res = 1; goto CLEANUP;
-  }
-
-  mp_read_radix(&a, mp5, 16); mp_read_radix(&b, mp7, 16);
-  IFOK( mp_mul(&a, &b, &a) );
-  mp_toradix(&a, g_intbuf, 16);
-
-  if(strcmp(g_intbuf, p_mp57) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, p_mp57);
-    res = 1; goto CLEANUP;
-  }
-
-  mp_read_radix(&a, mp11, 16); mp_read_radix(&b, mp13, 16);
-  IFOK( mp_mul(&a, &b, &a) );
-  mp_toradix(&a, g_intbuf, 16);
-
-  if(strcmp(g_intbuf, p_mp1113) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, p_mp1113);
-    res = 1; goto CLEANUP;
-  }
-
-  mp_read_radix(&a, mp14, 16); mp_read_radix(&b, mp15, 16);
-  IFOK( mp_mul(&a, &b, &a) );
-  mp_toradix(&a, g_intbuf, 16);
-
-  if(strcmp(g_intbuf, p_mp1415) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, p_mp1415);
-    res = 1;
-  }
-  mp_read_radix(&a, mp21, 10); mp_read_radix(&b, mp21, 10);
-
-  IFOK( mp_mul(&a, &b, &a) );
-  mp_toradix(&a, g_intbuf, 10);
-
-  if(strcmp(g_intbuf, p_mp2121) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, p_mp2121);
-    res = 1; goto CLEANUP;
-  }
-
- CLEANUP:
-  mp_clear(&a); mp_clear(&b);
-  return res;
-
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_sqr(void)
-{
-  mp_int  a;
-
-  mp_init(&a); mp_read_radix(&a, mp2, 16);
-
-  mp_sqr(&a, &a);
-  mp_toradix(&a, g_intbuf, 16);
-
-  mp_clear(&a);
-  if(strcmp(g_intbuf, p_mp22) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, p_mp22);
-    return 1;
-  }
-
-  return 0;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_div_d(void)
-{
-  mp_int    a, q;
-  mp_digit  r;
-  int       err = 0;
-
-  mp_init(&a); mp_init(&q);
-  mp_read_radix(&a, mp3, 16);
-
-  IFOK( mp_div_d(&a, md6, &q, &r) );
-  mp_toradix(&q, g_intbuf, 16);
-
-  if(strcmp(g_intbuf, q_mp3d6) != 0) {
-    reason("error: computed q = %s, expected %s\n", g_intbuf, q_mp3d6);
-    ++err;
-  }
-
-  sprintf(g_intbuf, ZS_DIGIT_FMT, r);
-
-  if(strcmp(g_intbuf, r_mp3d6) != 0) {
-    reason("error: computed r = %s, expected %s\n", g_intbuf, r_mp3d6);
-    ++err;
-  }
-
-  mp_read_radix(&a, mp9, 16);
-  IFOK( mp_div_d(&a, 16, &q, &r) );
-  mp_toradix(&q, g_intbuf, 16);
-
-  if(strcmp(g_intbuf, q_mp9c16) != 0) {
-    reason("error: computed q = %s, expected %s\n", g_intbuf, q_mp9c16);
-    ++err;
-  }
-
-  sprintf(g_intbuf, ZS_DIGIT_FMT, r);
-
-  if(strcmp(g_intbuf, r_mp9c16) != 0) {
-    reason("error: computed r = %s, expected %s\n", g_intbuf, r_mp9c16);
-    ++err;
-  }
-
-  mp_clear(&a); mp_clear(&q);
-  return err;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_div_2(void)
-{
-  mp_int  a;
-
-  mp_init(&a); mp_read_radix(&a, mp7, 16);
-  IFOK( mp_div_2(&a, &a) );
-  mp_toradix(&a, g_intbuf, 16);
-
-  mp_clear(&a);
-  if(strcmp(g_intbuf, q_mp7c2) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, q_mp7c2);
-    return 1;
-  }
-    
-  return 0;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_div_2d(void)
-{
-  mp_int  a, q, r;
-
-  mp_init(&q); mp_init(&r);
-  mp_init(&a); mp_read_radix(&a, mp13, 16);
-
-  IFOK( mp_div_2d(&a, 64, &q, &r) );
-  mp_clear(&a);
-
-  mp_toradix(&q, g_intbuf, 16);
-
-  if(strcmp(g_intbuf, q_mp13c) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, q_mp13c);
-    mp_clear(&q); mp_clear(&r);
-    return 1;
-  }
-
-  mp_clear(&q);
-
-  mp_toradix(&r, g_intbuf, 16);
-  if(strcmp(g_intbuf, r_mp13c) != 0) {
-    reason("error, computed %s, expected %s\n", g_intbuf, r_mp13c);
-    mp_clear(&r);
-    return 1;
-  }
-
-  mp_clear(&r);
-  
-  return 0;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_div(void)
-{
-  mp_int  a, b, r;
-  int     err = 0;
-
-  mp_init(&a); mp_init(&b); mp_init(&r);
-
-  mp_read_radix(&a, mp4, 16); mp_read_radix(&b, mp2, 16);
-  IFOK( mp_div(&a, &b, &a, &r) );
-  mp_toradix(&a, g_intbuf, 16);
-
-  if(strcmp(g_intbuf, q_mp42) != 0) {
-    reason("error: test 1 computed quot %s, expected %s\n", g_intbuf, q_mp42);
-    ++err;
-  }
-
-  mp_toradix(&r, g_intbuf, 16);
-
-  if(strcmp(g_intbuf, r_mp42) != 0) {
-    reason("error: test 1 computed rem %s, expected %s\n", g_intbuf, r_mp42);
-    ++err;
-  }
-
-  mp_read_radix(&a, mp4, 16); mp_read_radix(&b, mp5a, 16);
-  IFOK( mp_div(&a, &b, &a, &r) );
-  mp_toradix(&a, g_intbuf, 16);
-
-  if(strcmp(g_intbuf, q_mp45a) != 0) {
-    reason("error: test 2 computed quot %s, expected %s\n", g_intbuf, q_mp45a);
-    ++err;
-  }
-
-  mp_toradix(&r, g_intbuf, 16);
-
-  if(strcmp(g_intbuf, r_mp45a) != 0) {
-    reason("error: test 2 computed rem %s, expected %s\n", g_intbuf, r_mp45a);
-    ++err;
-  }
-
-  mp_read_radix(&a, mp14, 16); mp_read_radix(&b, mp4, 16);
-  IFOK( mp_div(&a, &b, &a, &r) );
-  mp_toradix(&a, g_intbuf, 16);
-
-  if(strcmp(g_intbuf, q_mp1404) != 0) {
-    reason("error: test 3 computed quot %s, expected %s\n", g_intbuf, q_mp1404);
-    ++err;
-  }
-
-  mp_toradix(&r, g_intbuf, 16);
-  
-  if(strcmp(g_intbuf, r_mp1404) != 0) {
-    reason("error: test 3 computed rem %s, expected %s\n", g_intbuf, r_mp1404);
-    ++err;
-  }
-
-  mp_clear(&a); mp_clear(&b); mp_clear(&r);
-
-  return err;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_expt_d(void)
-{
-  mp_int   a;
-
-  mp_init(&a); mp_read_radix(&a, mp5, 16);
-  mp_expt_d(&a, md9, &a);
-  mp_toradix(&a, g_intbuf, 16);
-
-  mp_clear(&a);
-  if(strcmp(g_intbuf, e_mp5d9) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, e_mp5d9);
-    return 1;
-  }
-
-  return 0;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_expt(void)
-{
-  mp_int   a, b;
-
-  mp_init(&a); mp_init(&b);
-  mp_read_radix(&a, mp7, 16); mp_read_radix(&b, mp8, 16);
-
-  mp_expt(&a, &b, &a);
-  mp_toradix(&a, g_intbuf, 16);
-  mp_clear(&a); mp_clear(&b);
-
-  if(strcmp(g_intbuf, e_mp78) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, e_mp78);
-    return 1;
-  }
-
-  return 0;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_2expt(void)
-{
-  mp_int   a;
-
-  mp_init(&a);
-  mp_2expt(&a, md3);
-  mp_toradix(&a, g_intbuf, 16);
-  mp_clear(&a);
-
-  if(strcmp(g_intbuf, e_mpc2d3) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, e_mpc2d3);
-    return 1;
-  }
-
-  return 0;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_sqrt(void)
-{
-  mp_int  a;
-  int     res = 0;
-
-  mp_init(&a); mp_read_radix(&a, mp9, 16);
-  mp_sqrt(&a, &a);
-  mp_toradix(&a, g_intbuf, 16);
-
-  if(strcmp(g_intbuf, t_mp9) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, t_mp9);
-    res = 1; goto CLEANUP;
-  }
-
-  mp_read_radix(&a, mp15, 16);
-  mp_sqrt(&a, &a);
-  mp_toradix(&a, g_intbuf, 16);
-
-  if(strcmp(g_intbuf, t_mp15) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, t_mp15);
-    res = 1;
-  }
-
- CLEANUP:
-  mp_clear(&a);
-  return res;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_mod_d(void)
-{
-  mp_int     a;
-  mp_digit   r;
-
-  mp_init(&a); mp_read_radix(&a, mp5, 16);
-  IFOK( mp_mod_d(&a, md5, &r) );
-  sprintf(g_intbuf, ZS_DIGIT_FMT, r);
-  mp_clear(&a);
-
-  if(strcmp(g_intbuf, r_mp5d5) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, r_mp5d5);
-    return 1;
-  }
-
-  return 0;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_mod(void)
-{
-  mp_int  a, m;
-
-  mp_init(&a); mp_init(&m);
-  mp_read_radix(&a, mp4, 16); mp_read_radix(&m, mp7, 16);
-  IFOK( mp_mod(&a, &m, &a) );
-  mp_toradix(&a, g_intbuf, 16);
-  mp_clear(&a); mp_clear(&m);
-
-  if(strcmp(g_intbuf, r_mp47) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, r_mp47);
-    return 1;
-  }
-
-  return 0;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_addmod(void)
-{
-  mp_int a, b, m;
-
-  mp_init(&a); mp_init(&b); mp_init(&m);
-  mp_read_radix(&a, mp3, 16); mp_read_radix(&b, mp4, 16);
-  mp_read_radix(&m, mp5, 16);
-
-  IFOK( mp_addmod(&a, &b, &m, &a) );
-  mp_toradix(&a, g_intbuf, 16);
-  mp_clear(&a); mp_clear(&b); mp_clear(&m);
-
-  if(strcmp(g_intbuf, ms_mp345) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, ms_mp345);
-    return 1;
-  }
-
-  return 0;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_submod(void)
-{
-  mp_int a, b, m;
-
-  mp_init(&a); mp_init(&b); mp_init(&m);
-  mp_read_radix(&a, mp3, 16); mp_read_radix(&b, mp4, 16);
-  mp_read_radix(&m, mp5, 16);
-
-  IFOK( mp_submod(&a, &b, &m, &a) );
-  mp_toradix(&a, g_intbuf, 16);
-  mp_clear(&a); mp_clear(&b); mp_clear(&m);
-
-  if(strcmp(g_intbuf, md_mp345) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, md_mp345);
-    return 1;
-  }
-
-  return 0;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_mulmod(void)
-{
-  mp_int a, b, m;
-
-  mp_init(&a); mp_init(&b); mp_init(&m);
-  mp_read_radix(&a, mp3, 16); mp_read_radix(&b, mp4, 16);
-  mp_read_radix(&m, mp5, 16);
-
-  IFOK( mp_mulmod(&a, &b, &m, &a) );
-  mp_toradix(&a, g_intbuf, 16);
-  mp_clear(&a); mp_clear(&b); mp_clear(&m);
-
-  if(strcmp(g_intbuf, mp_mp345) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, mp_mp345);
-    return 1;
-  }
-
-  return 0;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_sqrmod(void)
-{
-  mp_int a, m;
-
-  mp_init(&a); mp_init(&m);
-  mp_read_radix(&a, mp3, 16); mp_read_radix(&m, mp5, 16);
-
-  IFOK( mp_sqrmod(&a, &m, &a) );
-  mp_toradix(&a, g_intbuf, 16);
-  mp_clear(&a); mp_clear(&m);
-
-  if(strcmp(g_intbuf, mp_mp335) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, mp_mp335);
-    return 1;
-  }
-
-  return 0;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_exptmod(void)
-{
-  mp_int  a, b, m;
-  int     res = 0;
-
-  mp_init(&a); mp_init(&b); mp_init(&m);
-  mp_read_radix(&a, mp8, 16); mp_read_radix(&b, mp1, 16);
-  mp_read_radix(&m, mp7, 16);
-
-  IFOK( mp_exptmod(&a, &b, &m, &a) );
-  mp_toradix(&a, g_intbuf, 16);
-
-  if(strcmp(g_intbuf, me_mp817) != 0) {
-    reason("case 1: error: computed %s, expected %s\n", g_intbuf, me_mp817);
-    res = 1; goto CLEANUP;
-  }
-
-  mp_read_radix(&a, mp1, 16); mp_read_radix(&b, mp5, 16);
-  mp_read_radix(&m, mp12, 16);
-
-  IFOK( mp_exptmod(&a, &b, &m, &a) );
-  mp_toradix(&a, g_intbuf, 16);
-
-  if(strcmp(g_intbuf, me_mp1512) != 0) {
-    reason("case 2: error: computed %s, expected %s\n", g_intbuf, me_mp1512);
-    res = 1; goto CLEANUP;
-  }
-
-  mp_read_radix(&a, mp5, 16); mp_read_radix(&b, mp1, 16);
-  mp_read_radix(&m, mp14, 16);
-
-  IFOK( mp_exptmod(&a, &b, &m, &a) );
-  mp_toradix(&a, g_intbuf, 16);
-
-  if(strcmp(g_intbuf, me_mp5114) != 0) {
-    reason("case 3: error: computed %s, expected %s\n", g_intbuf, me_mp5114);
-    res = 1;
-  }
-
-  mp_read_radix(&a, mp16, 16); mp_read_radix(&b, mp17, 16);
-  mp_read_radix(&m, mp18, 16);
-
-  IFOK( mp_exptmod(&a, &b, &m, &a) );
-  mp_toradix(&a, g_intbuf, 16);
-
-  if(strcmp(g_intbuf, me_mp161718) != 0) {
-    reason("case 4: error: computed %s, expected %s\n", g_intbuf, me_mp161718);
-    res = 1;
-  }
-
- CLEANUP:
-  mp_clear(&a); mp_clear(&b); mp_clear(&m);
-  return res;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_exptmod_d(void)
-{
-  mp_int  a, m;
-
-  mp_init(&a); mp_init(&m);
-  mp_read_radix(&a, mp5, 16); mp_read_radix(&m, mp7, 16);
-
-  IFOK( mp_exptmod_d(&a, md4, &m, &a) );
-  mp_toradix(&a, g_intbuf, 16);
-  mp_clear(&a); mp_clear(&m);
-
-  if(strcmp(g_intbuf, me_mp5d47) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, me_mp5d47);
-    return 1;
-  }
-
-  return 0;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_invmod(void)
-{
-  mp_int  a, m, c;
-  mp_int  p1, p2, p3, p4, p5;
-  mp_int  t1, t2, t3, t4;
-  mp_err  res;
-
-  /* 5 128-bit primes. */
-  static const char ivp1[] = { "AAD8A5A2A2BEF644BAEE7DB0CA643719" };
-  static const char ivp2[] = { "CB371AD2B79A90BCC88D0430663E40B9" };
-  static const char ivp3[] = { "C6C818D4DF2618406CA09280C0400099" };
-  static const char ivp4[] = { "CE949C04512E68918006B1F0D7E93F27" };
-  static const char ivp5[] = { "F8EE999B6416645040687440E0B89F51" };
-
-  mp_init(&a); mp_init(&m);
-  mp_read_radix(&a, mp2, 16); mp_read_radix(&m, mp7, 16);
-
-  IFOK( mp_invmod(&a, &m, &a) );
-
-  mp_toradix(&a, g_intbuf, 16);
-  mp_clear(&a); mp_clear(&m);
-
-  if(strcmp(g_intbuf, i_mp27) != 0) {
-    reason("error: invmod test 1 computed %s, expected %s\n", g_intbuf, i_mp27);
-    return 1;
-  }
-
-  mp_init(&a); mp_init(&m);
-  mp_read_radix(&a, mp20, 16); mp_read_radix(&m, mp19, 16);
-
-  IFOK( mp_invmod(&a, &m, &a) );
-
-  mp_toradix(&a, g_intbuf, 16);
-  mp_clear(&a); mp_clear(&m);
-
-  if(strcmp(g_intbuf, i_mp2019) != 0) {
-    reason("error: invmod test 2 computed %s, expected %s\n", g_intbuf, i_mp2019);
-    return 1;
-  }
-
-/* Need the following test cases:
-  Odd modulus
-    - a is odd,      relatively prime to m
-    - a is odd,  not relatively prime to m
-    - a is even,     relatively prime to m
-    - a is even, not relatively prime to m
-  Even modulus
-    - a is even  (should fail)
-    - a is odd,  not relatively prime to m
-    - a is odd,      relatively prime to m,
-      m is not a power of 2
-	- m has factor 2**k, k < 32
-	- m has factor 2**k, k > 32
-      m is a power of 2, 2**k
-	- k < 32
-	- k > 32
-*/
-
-  mp_init(&a);  mp_init(&m);  mp_init(&c);  
-  mp_init(&p1); mp_init(&p2); mp_init(&p3); mp_init(&p4); mp_init(&p5); 
-  mp_init(&t1); mp_init(&t2); mp_init(&t3); mp_init(&t4); 
-
-  mp_read_radix(&p1, ivp1, 16);
-  mp_read_radix(&p2, ivp2, 16);
-  mp_read_radix(&p3, ivp3, 16);
-  mp_read_radix(&p4, ivp4, 16);
-  mp_read_radix(&p5, ivp5, 16);
-
-  IFOK( mp_2expt(&t2, 68) );	/* t2 = 2**68 */
-  IFOK( mp_2expt(&t3, 128) );	/* t3 = 2**128 */
-  IFOK( mp_2expt(&t4, 31) );	/* t4 = 2**31 */
-
-/* test 3: Odd modulus - a is odd, relatively prime to m */
-
-  IFOK( mp_mul(&p1, &p2, &a) );
-  IFOK( mp_mul(&p3, &p4, &m) );
-  IFOK( mp_invmod(&a, &m, &t1) );
-  IFOK( mp_invmod_xgcd(&a, &m, &c) );
-
-  if (mp_cmp(&t1, &c) != 0) {
-    mp_toradix(&t1, g_intbuf, 16);
-    mp_toradix(&c,  a_intbuf, 16);
-    reason("error: invmod test 3 computed %s, expected %s\n", 
-           g_intbuf, a_intbuf);
-    return 1;
-  }
-  mp_clear(&a);  mp_clear(&t1); mp_clear(&c);  
-  mp_init(&a);   mp_init(&t1);  mp_init(&c);   
-
-/* test 4: Odd modulus - a is odd, NOT relatively prime to m */
-
-  IFOK( mp_mul(&p1, &p3, &a) );
-  /* reuse same m as before */
-
-  res = mp_invmod_xgcd(&a, &m, &c);
-  if (res != MP_UNDEF) 
-    goto CLEANUP4;
-
-  res = mp_invmod(&a, &m, &t1); /* we expect this to fail. */
-  if (res != MP_UNDEF) {
-CLEANUP4:
-    reason("error: invmod test 4 succeeded, should have failed.\n");
-    return 1;
-  }
-  mp_clear(&a);  mp_clear(&t1); mp_clear(&c);  
-  mp_init(&a);   mp_init(&t1);  mp_init(&c);   
-
-/* test 5: Odd modulus - a is even, relatively prime to m */
-
-  IFOK( mp_mul(&p1, &t2, &a) );
-  /* reuse m */
-  IFOK( mp_invmod(&a, &m, &t1) );
-  IFOK( mp_invmod_xgcd(&a, &m, &c) );
-
-  if (mp_cmp(&t1, &c) != 0) {
-    mp_toradix(&t1, g_intbuf, 16);
-    mp_toradix(&c,  a_intbuf, 16);
-    reason("error: invmod test 5 computed %s, expected %s\n", 
-           g_intbuf, a_intbuf);
-    return 1;
-  }
-  mp_clear(&a);  mp_clear(&t1); mp_clear(&c);  
-  mp_init(&a);   mp_init(&t1);  mp_init(&c);   
-
-/* test 6: Odd modulus - a is odd, NOT relatively prime to m */
-
-  /* reuse t2 */
-  IFOK( mp_mul(&t2, &p3, &a) );
-  /* reuse same m as before */
-
-  res = mp_invmod_xgcd(&a, &m, &c);
-  if (res != MP_UNDEF) 
-    goto CLEANUP6;
-
-  res = mp_invmod(&a, &m, &t1); /* we expect this to fail. */
-  if (res != MP_UNDEF) {
-CLEANUP6:
-    reason("error: invmod test 6 succeeded, should have failed.\n");
-    return 1;
-  }
-  mp_clear(&a);  mp_clear(&m); mp_clear(&c);  mp_clear(&t1); 
-  mp_init(&a);   mp_init(&m);  mp_init(&c);   mp_init(&t1); 
-
-/* test 7: Even modulus, even a, should fail */
-
-  IFOK( mp_mul(&p3, &t3, &m) ); /* even m */
-  /* reuse t2 */
-  IFOK( mp_mul(&p1, &t2, &a) ); /* even a */
-
-  res = mp_invmod_xgcd(&a, &m, &c);
-  if (res != MP_UNDEF) 
-    goto CLEANUP7;
-
-  res = mp_invmod(&a, &m, &t1); /* we expect this to fail. */
-  if (res != MP_UNDEF) {
-CLEANUP7:
-    reason("error: invmod test 7 succeeded, should have failed.\n");
-    return 1;
-  }
-  mp_clear(&a);  mp_clear(&c);  mp_clear(&t1); 
-  mp_init(&a);   mp_init(&c);   mp_init(&t1); 
-
-/* test 8: Even modulus    - a is odd,  not relatively prime to m */
-
-  /* reuse m */
-  IFOK( mp_mul(&p3, &p1, &a) ); /* even a */
-
-  res = mp_invmod_xgcd(&a, &m, &c);
-  if (res != MP_UNDEF) 
-    goto CLEANUP8;
-
-  res = mp_invmod(&a, &m, &t1); /* we expect this to fail. */
-  if (res != MP_UNDEF) {
-CLEANUP8:
-    reason("error: invmod test 8 succeeded, should have failed.\n");
-    return 1;
-  }
-  mp_clear(&a);  mp_clear(&m); mp_clear(&c);  mp_clear(&t1); 
-  mp_init(&a);   mp_init(&m);  mp_init(&c);   mp_init(&t1); 
-
-/* test 9: Even modulus    - m has factor 2**k, k < 32
- *	                   - a is odd, relatively prime to m,
- */
-  IFOK( mp_mul(&p3, &t4, &m) ); /* even m */
-  IFOK( mp_mul(&p1, &p2, &a) );
-  IFOK( mp_invmod(&a, &m, &t1) );
-  IFOK( mp_invmod_xgcd(&a, &m, &c) );
-
-  if (mp_cmp(&t1, &c) != 0) {
-    mp_toradix(&t1, g_intbuf, 16);
-    mp_toradix(&c,  a_intbuf, 16);
-    reason("error: invmod test 9 computed %s, expected %s\n", 
-           g_intbuf, a_intbuf);
-    return 1;
-  }
-  mp_clear(&m);  mp_clear(&t1); mp_clear(&c);  
-  mp_init(&m);   mp_init(&t1);  mp_init(&c);   
-
-/* test 10: Even modulus    - m has factor 2**k, k > 32
- *	                    - a is odd, relatively prime to m,
- */
-  IFOK( mp_mul(&p3, &t3, &m) ); /* even m */
-  /* reuse a */
-  IFOK( mp_invmod(&a, &m, &t1) );
-  IFOK( mp_invmod_xgcd(&a, &m, &c) );
-
-  if (mp_cmp(&t1, &c) != 0) {
-    mp_toradix(&t1, g_intbuf, 16);
-    mp_toradix(&c,  a_intbuf, 16);
-    reason("error: invmod test 10 computed %s, expected %s\n", 
-           g_intbuf, a_intbuf);
-    return 1;
-  }
-  mp_clear(&t1); mp_clear(&c);  
-  mp_init(&t1);  mp_init(&c);   
-
-/* test 11: Even modulus    - m is a power of 2, 2**k | k < 32
- *                          - a is odd, relatively prime to m,
- */
-  IFOK( mp_invmod(&a, &t4, &t1) );
-  IFOK( mp_invmod_xgcd(&a, &t4, &c) );
-
-  if (mp_cmp(&t1, &c) != 0) {
-    mp_toradix(&t1, g_intbuf, 16);
-    mp_toradix(&c,  a_intbuf, 16);
-    reason("error: invmod test 11 computed %s, expected %s\n", 
-           g_intbuf, a_intbuf);
-    return 1;
-  }
-  mp_clear(&t1); mp_clear(&c);  
-  mp_init(&t1);  mp_init(&c);   
-
-/* test 12: Even modulus    - m is a power of 2, 2**k | k > 32
- *                          - a is odd, relatively prime to m,
- */
-  IFOK( mp_invmod(&a, &t3, &t1) );
-  IFOK( mp_invmod_xgcd(&a, &t3, &c) );
-
-  if (mp_cmp(&t1, &c) != 0) {
-    mp_toradix(&t1, g_intbuf, 16);
-    mp_toradix(&c,  a_intbuf, 16);
-    reason("error: invmod test 12 computed %s, expected %s\n", 
-           g_intbuf, a_intbuf);
-    return 1;
-  }
-
-  mp_clear(&a);  mp_clear(&m);  mp_clear(&c);  
-  mp_clear(&t1); mp_clear(&t2); mp_clear(&t3); mp_clear(&t4); 
-  mp_clear(&p1); mp_clear(&p2); mp_clear(&p3); mp_clear(&p4); mp_clear(&p5); 
-
-  return 0;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_cmp_d(void)
-{
-  mp_int  a;
-
-  mp_init(&a); mp_read_radix(&a, mp8, 16);
-
-  if(mp_cmp_d(&a, md8) >= 0) {
-    reason("error: %s >= " DIGIT_FMT "\n", mp8, md8);
-    mp_clear(&a);
-    return 1;
-  }
-
-  mp_read_radix(&a, mp5, 16);
-
-  if(mp_cmp_d(&a, md8) <= 0) {
-    reason("error: %s <= " DIGIT_FMT "\n", mp5, md8);
-    mp_clear(&a);
-    return 1;
-  }
-
-  mp_read_radix(&a, mp6, 16);
-
-  if(mp_cmp_d(&a, md1) != 0) {
-    reason("error: %s != " DIGIT_FMT "\n", mp6, md1);
-    mp_clear(&a);
-    return 1;
-  }
-
-  mp_clear(&a);
-  return 0;
-
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_cmp_z(void)
-{
-  mp_int  a;
-
-  mp_init(&a); mp_read_radix(&a, mp6, 16);
-
-  if(mp_cmp_z(&a) != 0) {
-    reason("error: someone thinks a zero value is non-zero\n");
-    mp_clear(&a);
-    return 1;
-  }
-
-  mp_read_radix(&a, mp1, 16);
-  
-  if(mp_cmp_z(&a) <= 0) {
-    reason("error: someone thinks a positive value is non-positive\n");
-    mp_clear(&a);
-    return 1;
-  }
-
-  mp_read_radix(&a, mp4, 16);
-
-  if(mp_cmp_z(&a) >= 0) {
-    reason("error: someone thinks a negative value is non-negative\n");
-    mp_clear(&a);
-    return 1;
-  }
-
-  mp_clear(&a);
-  return 0;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_cmp(void)
-{
-  mp_int  a, b;
-
-  mp_init(&a); mp_init(&b);
-  mp_read_radix(&a, mp3, 16); mp_read_radix(&b, mp4, 16);
-
-  if(mp_cmp(&a, &b) <= 0) {
-    reason("error: %s <= %s\n", mp3, mp4);
-    mp_clear(&a); mp_clear(&b);
-    return 1;
-  }
-
-  mp_read_radix(&b, mp3, 16);
-  if(mp_cmp(&a, &b) != 0) {
-    reason("error: %s != %s\n", mp3, mp3);
-    mp_clear(&a); mp_clear(&b);
-    return 1;
-  }
-
-  mp_read_radix(&a, mp5, 16);
-  if(mp_cmp(&a, &b) >= 0) {
-    reason("error: %s >= %s\n", mp5, mp3);
-    mp_clear(&a); mp_clear(&b);
-    return 1;
-  }
-
-  mp_read_radix(&a, mp5a, 16);
-  if(mp_cmp_int(&a, 1000000) >= 0 ||
-     (mp_cmp_int(&a, -5000000) <= 0) ||
-     (mp_cmp_int(&a, -4938110) != 0)) {
-    reason("error: long integer comparison failed (%s)", mp5a);
-    mp_clear(&a); mp_clear(&b);
-    return 1;
-  }
-
-  mp_clear(&a); mp_clear(&b);
-  return 0;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_cmp_mag(void)
-{
-  mp_int  a, b;
-
-  mp_init(&a); mp_init(&b);
-  mp_read_radix(&a, mp5, 16); mp_read_radix(&b, mp4, 16);
-
-  if(mp_cmp_mag(&a, &b) >= 0) {
-    reason("error: %s >= %s\n", mp5, mp4);
-    mp_clear(&a); mp_clear(&b);
-    return 1;
-  }
-
-  mp_read_radix(&b, mp5, 16);
-  if(mp_cmp_mag(&a, &b) != 0) {
-    reason("error: %s != %s\n", mp5, mp5);
-    mp_clear(&a); mp_clear(&b);
-    return 1;
-  }
-
-  mp_read_radix(&a, mp1, 16);
-  if(mp_cmp_mag(&b, &a) >= 0) {
-    reason("error: %s >= %s\n", mp5, mp1);
-    mp_clear(&a); mp_clear(&b);
-    return 1;
-  }
-
-  mp_clear(&a); mp_clear(&b);
-  return 0;
-
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_parity(void)
-{
-  mp_int  a;
-
-  mp_init(&a); mp_read_radix(&a, mp1, 16);
-
-  if(!mp_isodd(&a)) {
-    reason("error: expected operand to be odd, but it isn't\n");
-    mp_clear(&a);
-    return 1;
-  }
-
-  mp_read_radix(&a, mp6, 16);
-  
-  if(!mp_iseven(&a)) {
-    reason("error: expected operand to be even, but it isn't\n");
-    mp_clear(&a);
-    return 1;
-  }
-
-  mp_clear(&a);
-  return 0;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_gcd(void)
-{
-  mp_int  a, b;
-  int     out = 0;
-
-  mp_init(&a); mp_init(&b);
-  mp_read_radix(&a, mp7, 16); mp_read_radix(&b, mp1, 16);
-
-  mp_gcd(&a, &b, &a);
-  mp_toradix(&a, g_intbuf, 16);
-
-  if(strcmp(g_intbuf, g_mp71) != 0) {
-    reason("error: computed %s, expected %s\n", g_intbuf, g_mp71);
-    out = 1;
-  }
-
-  mp_clear(&a); mp_clear(&b);
-  return out;
-
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_lcm(void)
-{
-  mp_int  a, b;
-  int     out = 0;
-
-  mp_init(&a); mp_init(&b);
-  mp_read_radix(&a, mp10, 16); mp_read_radix(&b, mp11, 16);
-
-  mp_lcm(&a, &b, &a);
-  mp_toradix(&a, g_intbuf, 16);
-
-  if(strcmp(g_intbuf, l_mp1011) != 0) {
-    reason("error: computed %s, expected%s\n", g_intbuf, l_mp1011);
-    out = 1;
-  }
-
-  mp_clear(&a); mp_clear(&b);
-
-  return out;
-
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_convert(void)
-{
-  int    ix;
-  mp_int a;
-
-  mp_init(&a); mp_read_radix(&a, mp9, 16);
-
-  for(ix = LOW_RADIX; ix <= HIGH_RADIX; ix++) {
-    mp_toradix(&a, g_intbuf, ix);
-
-    if(strcmp(g_intbuf, v_mp9[ix - LOW_RADIX]) != 0) {
-      reason("error: radix %d, computed %s, expected %s\n",
-	     ix, g_intbuf, v_mp9[ix - LOW_RADIX]);
-      mp_clear(&a);
-      return 1;
-    }
-  }
-
-  mp_clear(&a);
-  return 0;
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_raw(void)
-{
-  int    len, out = 0;
-  mp_int a;
-  char   *buf;
-
-  mp_init(&a); mp_read_radix(&a, mp4, 16);
-
-  len = mp_raw_size(&a);
-  if(len != sizeof(b_mp4)) {
-    reason("error: test_raw: expected length %d, computed %d\n", sizeof(b_mp4),
-	   len);
-    mp_clear(&a);
-    return 1;
-  }
-
-  buf = calloc(len, sizeof(char));
-  mp_toraw(&a, buf);
-
-  if(memcmp(buf, b_mp4, sizeof(b_mp4)) != 0) {
-    reason("error: test_raw: binary output does not match test vector\n");
-    out = 1;
-  }
-
-  free(buf);
-  mp_clear(&a);
-
-  return out;
-
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_pprime(void)
-{
-  mp_int   p;
-  int      err = 0;
-  mp_err   res;
-
-  mp_init(&p);
-  mp_read_radix(&p, mp7, 16);
-
-  if(mpp_pprime(&p, 5) != MP_YES) {
-    reason("error: %s failed Rabin-Miller test, but is prime\n", mp7);
-    err = 1;
-  }
-
-  IFOK( mp_set_int(&p, 9) );
-  res = mpp_pprime(&p, 50);
-  if (res == MP_YES) {
-    reason("error: 9 is composite but passed Rabin-Miller test\n");
-    err = 1;
-  } else if (res != MP_NO) {
-    reason("test mpp_pprime(9, 50) failed: error %d\n", res); 
-    err = 1;
-  }
-
-  IFOK( mp_set_int(&p, 15) );
-  res = mpp_pprime(&p, 50);
-  if (res == MP_YES) {
-    reason("error: 15 is composite but passed Rabin-Miller test\n");
-    err = 1;
-  } else if (res != MP_NO) {
-    reason("test mpp_pprime(15, 50) failed: error %d\n", res); 
-    err = 1;
-  }
-
-  mp_clear(&p);
-
-  return err;
-
-}
-
-/*------------------------------------------------------------------------*/
-
-int test_fermat(void)
-{
-  mp_int p;
-  mp_err res;
-  int    err = 0;
-
-  mp_init(&p);
-  mp_read_radix(&p, mp7, 16);
-  
-  if((res = mpp_fermat(&p, 2)) != MP_YES) {
-    reason("error: %s failed Fermat test on 2: %s\n", mp7, 
-	   mp_strerror(res));
-    ++err;
-  }
-
-  if((res = mpp_fermat(&p, 3)) != MP_YES) {
-    reason("error: %s failed Fermat test on 3: %s\n", mp7, 
-	   mp_strerror(res));
-    ++err;
-  }
-
-  mp_clear(&p);
-
-  return err;
-
-}
-
-/*------------------------------------------------------------------------*/
-/* Like fprintf(), but only if we are behaving in a verbose manner        */
-
-void reason(char *fmt, ...)
-{
-  va_list    ap;
-
-  if(!g_verbose)
-    return;
-
-  va_start(ap, fmt);
-  vfprintf(stderr, fmt, ap);
-  va_end(ap);
-}
-
-/*------------------------------------------------------------------------*/
-/* HERE THERE BE DRAGONS                                                  */
diff --git a/security/nss/lib/freebl/mpi/mpi.c b/security/nss/lib/freebl/mpi/mpi.c
deleted file mode 100644
index f9602c6aa..000000000
--- a/security/nss/lib/freebl/mpi/mpi.c
+++ /dev/null
@@ -1,4841 +0,0 @@
-/*
- *  mpi.c
- *
- *  Arbitrary precision integer arithmetic library
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Netscape Communications Corporation
- *   Douglas Stebila <douglas@stebila.ca> of Sun Laboratories.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "mpi-priv.h"
-#if defined(OSF1)
-#include <c_asm.h>
-#endif
-
-#if MP_LOGTAB
-/*
-  A table of the logs of 2 for various bases (the 0 and 1 entries of
-  this table are meaningless and should not be referenced).  
-
-  This table is used to compute output lengths for the mp_toradix()
-  function.  Since a number n in radix r takes up about log_r(n)
-  digits, we estimate the output size by taking the least integer
-  greater than log_r(n), where:
-
-  log_r(n) = log_2(n) * log_r(2)
-
-  This table, therefore, is a table of log_r(2) for 2 <= r <= 36,
-  which are the output bases supported.  
- */
-#include "logtab.h"
-#endif
-
-/* {{{ Constant strings */
-
-/* Constant strings returned by mp_strerror() */
-static const char *mp_err_string[] = {
-  "unknown result code",     /* say what?            */
-  "boolean true",            /* MP_OKAY, MP_YES      */
-  "boolean false",           /* MP_NO                */
-  "out of memory",           /* MP_MEM               */
-  "argument out of range",   /* MP_RANGE             */
-  "invalid input parameter", /* MP_BADARG            */
-  "result is undefined"      /* MP_UNDEF             */
-};
-
-/* Value to digit maps for radix conversion   */
-
-/* s_dmap_1 - standard digits and letters */
-static const char *s_dmap_1 = 
-  "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/";
-
-/* }}} */
-
-unsigned long mp_allocs;
-unsigned long mp_frees;
-unsigned long mp_copies;
-
-/* {{{ Default precision manipulation */
-
-/* Default precision for newly created mp_int's      */
-static mp_size s_mp_defprec = MP_DEFPREC;
-
-mp_size mp_get_prec(void)
-{
-  return s_mp_defprec;
-
-} /* end mp_get_prec() */
-
-void         mp_set_prec(mp_size prec)
-{
-  if(prec == 0)
-    s_mp_defprec = MP_DEFPREC;
-  else
-    s_mp_defprec = prec;
-
-} /* end mp_set_prec() */
-
-/* }}} */
-
-/*------------------------------------------------------------------------*/
-/* {{{ mp_init(mp) */
-
-/*
-  mp_init(mp)
-
-  Initialize a new zero-valued mp_int.  Returns MP_OKAY if successful,
-  MP_MEM if memory could not be allocated for the structure.
- */
-
-mp_err mp_init(mp_int *mp)
-{
-  return mp_init_size(mp, s_mp_defprec);
-
-} /* end mp_init() */
-
-/* }}} */
-
-/* {{{ mp_init_size(mp, prec) */
-
-/*
-  mp_init_size(mp, prec)
-
-  Initialize a new zero-valued mp_int with at least the given
-  precision; returns MP_OKAY if successful, or MP_MEM if memory could
-  not be allocated for the structure.
- */
-
-mp_err mp_init_size(mp_int *mp, mp_size prec)
-{
-  ARGCHK(mp != NULL && prec > 0, MP_BADARG);
-
-  prec = MP_ROUNDUP(prec, s_mp_defprec);
-  if((DIGITS(mp) = s_mp_alloc(prec, sizeof(mp_digit))) == NULL)
-    return MP_MEM;
-
-  SIGN(mp) = ZPOS;
-  USED(mp) = 1;
-  ALLOC(mp) = prec;
-
-  return MP_OKAY;
-
-} /* end mp_init_size() */
-
-/* }}} */
-
-/* {{{ mp_init_copy(mp, from) */
-
-/*
-  mp_init_copy(mp, from)
-
-  Initialize mp as an exact copy of from.  Returns MP_OKAY if
-  successful, MP_MEM if memory could not be allocated for the new
-  structure.
- */
-
-mp_err mp_init_copy(mp_int *mp, const mp_int *from)
-{
-  ARGCHK(mp != NULL && from != NULL, MP_BADARG);
-
-  if(mp == from)
-    return MP_OKAY;
-
-  if((DIGITS(mp) = s_mp_alloc(ALLOC(from), sizeof(mp_digit))) == NULL)
-    return MP_MEM;
-
-  s_mp_copy(DIGITS(from), DIGITS(mp), USED(from));
-  USED(mp) = USED(from);
-  ALLOC(mp) = ALLOC(from);
-  SIGN(mp) = SIGN(from);
-
-  return MP_OKAY;
-
-} /* end mp_init_copy() */
-
-/* }}} */
-
-/* {{{ mp_copy(from, to) */
-
-/*
-  mp_copy(from, to)
-
-  Copies the mp_int 'from' to the mp_int 'to'.  It is presumed that
-  'to' has already been initialized (if not, use mp_init_copy()
-  instead). If 'from' and 'to' are identical, nothing happens.
- */
-
-mp_err mp_copy(const mp_int *from, mp_int *to)
-{
-  ARGCHK(from != NULL && to != NULL, MP_BADARG);
-
-  if(from == to)
-    return MP_OKAY;
-
-  ++mp_copies;
-  { /* copy */
-    mp_digit   *tmp;
-
-    /*
-      If the allocated buffer in 'to' already has enough space to hold
-      all the used digits of 'from', we'll re-use it to avoid hitting
-      the memory allocater more than necessary; otherwise, we'd have
-      to grow anyway, so we just allocate a hunk and make the copy as
-      usual
-     */
-    if(ALLOC(to) >= USED(from)) {
-      s_mp_setz(DIGITS(to) + USED(from), ALLOC(to) - USED(from));
-      s_mp_copy(DIGITS(from), DIGITS(to), USED(from));
-      
-    } else {
-      if((tmp = s_mp_alloc(ALLOC(from), sizeof(mp_digit))) == NULL)
-	return MP_MEM;
-
-      s_mp_copy(DIGITS(from), tmp, USED(from));
-
-      if(DIGITS(to) != NULL) {
-#if MP_CRYPTO
-	s_mp_setz(DIGITS(to), ALLOC(to));
-#endif
-	s_mp_free(DIGITS(to));
-      }
-
-      DIGITS(to) = tmp;
-      ALLOC(to) = ALLOC(from);
-    }
-
-    /* Copy the precision and sign from the original */
-    USED(to) = USED(from);
-    SIGN(to) = SIGN(from);
-  } /* end copy */
-
-  return MP_OKAY;
-
-} /* end mp_copy() */
-
-/* }}} */
-
-/* {{{ mp_exch(mp1, mp2) */
-
-/*
-  mp_exch(mp1, mp2)
-
-  Exchange mp1 and mp2 without allocating any intermediate memory
-  (well, unless you count the stack space needed for this call and the
-  locals it creates...).  This cannot fail.
- */
-
-void mp_exch(mp_int *mp1, mp_int *mp2)
-{
-#if MP_ARGCHK == 2
-  assert(mp1 != NULL && mp2 != NULL);
-#else
-  if(mp1 == NULL || mp2 == NULL)
-    return;
-#endif
-
-  s_mp_exch(mp1, mp2);
-
-} /* end mp_exch() */
-
-/* }}} */
-
-/* {{{ mp_clear(mp) */
-
-/*
-  mp_clear(mp)
-
-  Release the storage used by an mp_int, and void its fields so that
-  if someone calls mp_clear() again for the same int later, we won't
-  get tollchocked.
- */
-
-void   mp_clear(mp_int *mp)
-{
-  if(mp == NULL)
-    return;
-
-  if(DIGITS(mp) != NULL) {
-#if MP_CRYPTO
-    s_mp_setz(DIGITS(mp), ALLOC(mp));
-#endif
-    s_mp_free(DIGITS(mp));
-    DIGITS(mp) = NULL;
-  }
-
-  USED(mp) = 0;
-  ALLOC(mp) = 0;
-
-} /* end mp_clear() */
-
-/* }}} */
-
-/* {{{ mp_zero(mp) */
-
-/*
-  mp_zero(mp) 
-
-  Set mp to zero.  Does not change the allocated size of the structure,
-  and therefore cannot fail (except on a bad argument, which we ignore)
- */
-void   mp_zero(mp_int *mp)
-{
-  if(mp == NULL)
-    return;
-
-  s_mp_setz(DIGITS(mp), ALLOC(mp));
-  USED(mp) = 1;
-  SIGN(mp) = ZPOS;
-
-} /* end mp_zero() */
-
-/* }}} */
-
-/* {{{ mp_set(mp, d) */
-
-void   mp_set(mp_int *mp, mp_digit d)
-{
-  if(mp == NULL)
-    return;
-
-  mp_zero(mp);
-  DIGIT(mp, 0) = d;
-
-} /* end mp_set() */
-
-/* }}} */
-
-/* {{{ mp_set_int(mp, z) */
-
-mp_err mp_set_int(mp_int *mp, long z)
-{
-  int            ix;
-  unsigned long  v = labs(z);
-  mp_err         res;
-
-  ARGCHK(mp != NULL, MP_BADARG);
-
-  mp_zero(mp);
-  if(z == 0)
-    return MP_OKAY;  /* shortcut for zero */
-
-  if (sizeof v <= sizeof(mp_digit)) {
-    DIGIT(mp,0) = v;
-  } else {
-    for (ix = sizeof(long) - 1; ix >= 0; ix--) {
-      if ((res = s_mp_mul_d(mp, (UCHAR_MAX + 1))) != MP_OKAY)
-	return res;
-
-      res = s_mp_add_d(mp, (mp_digit)((v >> (ix * CHAR_BIT)) & UCHAR_MAX));
-      if (res != MP_OKAY)
-	return res;
-    }
-  }
-  if(z < 0)
-    SIGN(mp) = NEG;
-
-  return MP_OKAY;
-
-} /* end mp_set_int() */
-
-/* }}} */
-
-/* {{{ mp_set_ulong(mp, z) */
-
-mp_err mp_set_ulong(mp_int *mp, unsigned long z)
-{
-  int            ix;
-  mp_err         res;
-
-  ARGCHK(mp != NULL, MP_BADARG);
-
-  mp_zero(mp);
-  if(z == 0)
-    return MP_OKAY;  /* shortcut for zero */
-
-  if (sizeof z <= sizeof(mp_digit)) {
-    DIGIT(mp,0) = z;
-  } else {
-    for (ix = sizeof(long) - 1; ix >= 0; ix--) {
-      if ((res = s_mp_mul_d(mp, (UCHAR_MAX + 1))) != MP_OKAY)
-	return res;
-
-      res = s_mp_add_d(mp, (mp_digit)((z >> (ix * CHAR_BIT)) & UCHAR_MAX));
-      if (res != MP_OKAY)
-	return res;
-    }
-  }
-  return MP_OKAY;
-} /* end mp_set_ulong() */
-
-/* }}} */
-
-/*------------------------------------------------------------------------*/
-/* {{{ Digit arithmetic */
-
-/* {{{ mp_add_d(a, d, b) */
-
-/*
-  mp_add_d(a, d, b)
-
-  Compute the sum b = a + d, for a single digit d.  Respects the sign of
-  its primary addend (single digits are unsigned anyway).
- */
-
-mp_err mp_add_d(const mp_int *a, mp_digit d, mp_int *b)
-{
-  mp_int   tmp;
-  mp_err   res;
-
-  ARGCHK(a != NULL && b != NULL, MP_BADARG);
-
-  if((res = mp_init_copy(&tmp, a)) != MP_OKAY)
-    return res;
-
-  if(SIGN(&tmp) == ZPOS) {
-    if((res = s_mp_add_d(&tmp, d)) != MP_OKAY)
-      goto CLEANUP;
-  } else if(s_mp_cmp_d(&tmp, d) >= 0) {
-    if((res = s_mp_sub_d(&tmp, d)) != MP_OKAY)
-      goto CLEANUP;
-  } else {
-    mp_neg(&tmp, &tmp);
-
-    DIGIT(&tmp, 0) = d - DIGIT(&tmp, 0);
-  }
-
-  if(s_mp_cmp_d(&tmp, 0) == 0)
-    SIGN(&tmp) = ZPOS;
-
-  s_mp_exch(&tmp, b);
-
-CLEANUP:
-  mp_clear(&tmp);
-  return res;
-
-} /* end mp_add_d() */
-
-/* }}} */
-
-/* {{{ mp_sub_d(a, d, b) */
-
-/*
-  mp_sub_d(a, d, b)
-
-  Compute the difference b = a - d, for a single digit d.  Respects the
-  sign of its subtrahend (single digits are unsigned anyway).
- */
-
-mp_err mp_sub_d(const mp_int *a, mp_digit d, mp_int *b)
-{
-  mp_int   tmp;
-  mp_err   res;
-
-  ARGCHK(a != NULL && b != NULL, MP_BADARG);
-
-  if((res = mp_init_copy(&tmp, a)) != MP_OKAY)
-    return res;
-
-  if(SIGN(&tmp) == NEG) {
-    if((res = s_mp_add_d(&tmp, d)) != MP_OKAY)
-      goto CLEANUP;
-  } else if(s_mp_cmp_d(&tmp, d) >= 0) {
-    if((res = s_mp_sub_d(&tmp, d)) != MP_OKAY)
-      goto CLEANUP;
-  } else {
-    mp_neg(&tmp, &tmp);
-
-    DIGIT(&tmp, 0) = d - DIGIT(&tmp, 0);
-    SIGN(&tmp) = NEG;
-  }
-
-  if(s_mp_cmp_d(&tmp, 0) == 0)
-    SIGN(&tmp) = ZPOS;
-
-  s_mp_exch(&tmp, b);
-
-CLEANUP:
-  mp_clear(&tmp);
-  return res;
-
-} /* end mp_sub_d() */
-
-/* }}} */
-
-/* {{{ mp_mul_d(a, d, b) */
-
-/*
-  mp_mul_d(a, d, b)
-
-  Compute the product b = a * d, for a single digit d.  Respects the sign
-  of its multiplicand (single digits are unsigned anyway)
- */
-
-mp_err mp_mul_d(const mp_int *a, mp_digit d, mp_int *b)
-{
-  mp_err  res;
-
-  ARGCHK(a != NULL && b != NULL, MP_BADARG);
-
-  if(d == 0) {
-    mp_zero(b);
-    return MP_OKAY;
-  }
-
-  if((res = mp_copy(a, b)) != MP_OKAY)
-    return res;
-
-  res = s_mp_mul_d(b, d);
-
-  return res;
-
-} /* end mp_mul_d() */
-
-/* }}} */
-
-/* {{{ mp_mul_2(a, c) */
-
-mp_err mp_mul_2(const mp_int *a, mp_int *c)
-{
-  mp_err  res;
-
-  ARGCHK(a != NULL && c != NULL, MP_BADARG);
-
-  if((res = mp_copy(a, c)) != MP_OKAY)
-    return res;
-
-  return s_mp_mul_2(c);
-
-} /* end mp_mul_2() */
-
-/* }}} */
-
-/* {{{ mp_div_d(a, d, q, r) */
-
-/*
-  mp_div_d(a, d, q, r)
-
-  Compute the quotient q = a / d and remainder r = a mod d, for a
-  single digit d.  Respects the sign of its divisor (single digits are
-  unsigned anyway).
- */
-
-mp_err mp_div_d(const mp_int *a, mp_digit d, mp_int *q, mp_digit *r)
-{
-  mp_err   res;
-  mp_int   qp;
-  mp_digit rem;
-  int      pow;
-
-  ARGCHK(a != NULL, MP_BADARG);
-
-  if(d == 0)
-    return MP_RANGE;
-
-  /* Shortcut for powers of two ... */
-  if((pow = s_mp_ispow2d(d)) >= 0) {
-    mp_digit  mask;
-
-    mask = ((mp_digit)1 << pow) - 1;
-    rem = DIGIT(a, 0) & mask;
-
-    if(q) {
-      mp_copy(a, q);
-      s_mp_div_2d(q, pow);
-    }
-
-    if(r)
-      *r = rem;
-
-    return MP_OKAY;
-  }
-
-  if((res = mp_init_copy(&qp, a)) != MP_OKAY)
-    return res;
-
-  res = s_mp_div_d(&qp, d, &rem);
-
-  if(s_mp_cmp_d(&qp, 0) == 0)
-    SIGN(q) = ZPOS;
-
-  if(r)
-    *r = rem;
-
-  if(q)
-    s_mp_exch(&qp, q);
-
-  mp_clear(&qp);
-  return res;
-
-} /* end mp_div_d() */
-
-/* }}} */
-
-/* {{{ mp_div_2(a, c) */
-
-/*
-  mp_div_2(a, c)
-
-  Compute c = a / 2, disregarding the remainder.
- */
-
-mp_err mp_div_2(const mp_int *a, mp_int *c)
-{
-  mp_err  res;
-
-  ARGCHK(a != NULL && c != NULL, MP_BADARG);
-
-  if((res = mp_copy(a, c)) != MP_OKAY)
-    return res;
-
-  s_mp_div_2(c);
-
-  return MP_OKAY;
-
-} /* end mp_div_2() */
-
-/* }}} */
-
-/* {{{ mp_expt_d(a, d, b) */
-
-mp_err mp_expt_d(const mp_int *a, mp_digit d, mp_int *c)
-{
-  mp_int   s, x;
-  mp_err   res;
-
-  ARGCHK(a != NULL && c != NULL, MP_BADARG);
-
-  if((res = mp_init(&s)) != MP_OKAY)
-    return res;
-  if((res = mp_init_copy(&x, a)) != MP_OKAY)
-    goto X;
-
-  DIGIT(&s, 0) = 1;
-
-  while(d != 0) {
-    if(d & 1) {
-      if((res = s_mp_mul(&s, &x)) != MP_OKAY)
-	goto CLEANUP;
-    }
-
-    d /= 2;
-
-    if((res = s_mp_sqr(&x)) != MP_OKAY)
-      goto CLEANUP;
-  }
-
-  s_mp_exch(&s, c);
-
-CLEANUP:
-  mp_clear(&x);
-X:
-  mp_clear(&s);
-
-  return res;
-
-} /* end mp_expt_d() */
-
-/* }}} */
-
-/* }}} */
-
-/*------------------------------------------------------------------------*/
-/* {{{ Full arithmetic */
-
-/* {{{ mp_abs(a, b) */
-
-/*
-  mp_abs(a, b)
-
-  Compute b = |a|.  'a' and 'b' may be identical.
- */
-
-mp_err mp_abs(const mp_int *a, mp_int *b)
-{
-  mp_err   res;
-
-  ARGCHK(a != NULL && b != NULL, MP_BADARG);
-
-  if((res = mp_copy(a, b)) != MP_OKAY)
-    return res;
-
-  SIGN(b) = ZPOS;
-
-  return MP_OKAY;
-
-} /* end mp_abs() */
-
-/* }}} */
-
-/* {{{ mp_neg(a, b) */
-
-/*
-  mp_neg(a, b)
-
-  Compute b = -a.  'a' and 'b' may be identical.
- */
-
-mp_err mp_neg(const mp_int *a, mp_int *b)
-{
-  mp_err   res;
-
-  ARGCHK(a != NULL && b != NULL, MP_BADARG);
-
-  if((res = mp_copy(a, b)) != MP_OKAY)
-    return res;
-
-  if(s_mp_cmp_d(b, 0) == MP_EQ) 
-    SIGN(b) = ZPOS;
-  else 
-    SIGN(b) = (SIGN(b) == NEG) ? ZPOS : NEG;
-
-  return MP_OKAY;
-
-} /* end mp_neg() */
-
-/* }}} */
-
-/* {{{ mp_add(a, b, c) */
-
-/*
-  mp_add(a, b, c)
-
-  Compute c = a + b.  All parameters may be identical.
- */
-
-mp_err mp_add(const mp_int *a, const mp_int *b, mp_int *c)
-{
-  mp_err  res;
-
-  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
-
-  if(SIGN(a) == SIGN(b)) { /* same sign:  add values, keep sign */
-    MP_CHECKOK( s_mp_add_3arg(a, b, c) );
-  } else if(s_mp_cmp(a, b) >= 0) {  /* different sign: |a| >= |b|   */
-    MP_CHECKOK( s_mp_sub_3arg(a, b, c) );
-  } else {                          /* different sign: |a|  < |b|   */
-    MP_CHECKOK( s_mp_sub_3arg(b, a, c) );
-  }
-
-  if (s_mp_cmp_d(c, 0) == MP_EQ)
-    SIGN(c) = ZPOS;
-
-CLEANUP:
-  return res;
-
-} /* end mp_add() */
-
-/* }}} */
-
-/* {{{ mp_sub(a, b, c) */
-
-/*
-  mp_sub(a, b, c)
-
-  Compute c = a - b.  All parameters may be identical.
- */
-
-mp_err mp_sub(const mp_int *a, const mp_int *b, mp_int *c)
-{
-  mp_err  res;
-  int     magDiff;
-
-  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
-
-  if (a == b) {
-    mp_zero(c);
-    return MP_OKAY;
-  }
-
-  if (MP_SIGN(a) != MP_SIGN(b)) {
-    MP_CHECKOK( s_mp_add_3arg(a, b, c) );
-  } else if (!(magDiff = s_mp_cmp(a, b))) {
-    mp_zero(c);
-    res = MP_OKAY;
-  } else if (magDiff > 0) {
-    MP_CHECKOK( s_mp_sub_3arg(a, b, c) );
-  } else {
-    MP_CHECKOK( s_mp_sub_3arg(b, a, c) );
-    MP_SIGN(c) = !MP_SIGN(a);
-  }
-
-  if (s_mp_cmp_d(c, 0) == MP_EQ)
-    MP_SIGN(c) = MP_ZPOS;
-
-CLEANUP:
-  return res;
-
-} /* end mp_sub() */
-
-/* }}} */
-
-/* {{{ mp_mul(a, b, c) */
-
-/*
-  mp_mul(a, b, c)
-
-  Compute c = a * b.  All parameters may be identical.
- */
-mp_err   mp_mul(const mp_int *a, const mp_int *b, mp_int * c)
-{
-  mp_digit *pb;
-  mp_int   tmp;
-  mp_err   res;
-  mp_size  ib;
-  mp_size  useda, usedb;
-
-  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
-
-  if (a == c) {
-    if ((res = mp_init_copy(&tmp, a)) != MP_OKAY)
-      return res;
-    if (a == b) 
-      b = &tmp;
-    a = &tmp;
-  } else if (b == c) {
-    if ((res = mp_init_copy(&tmp, b)) != MP_OKAY)
-      return res;
-    b = &tmp;
-  } else {
-    MP_DIGITS(&tmp) = 0;
-  }
-
-  if (MP_USED(a) < MP_USED(b)) {
-    const mp_int *xch = b;	/* switch a and b, to do fewer outer loops */
-    b = a;
-    a = xch;
-  }
-
-  MP_USED(c) = 1; MP_DIGIT(c, 0) = 0;
-  if((res = s_mp_pad(c, USED(a) + USED(b))) != MP_OKAY)
-    goto CLEANUP;
-
-#ifdef NSS_USE_COMBA
-  if ((MP_USED(a) == MP_USED(b)) && IS_POWER_OF_2(MP_USED(b))) {
-      if (MP_USED(a) == 4) {
-          s_mp_mul_comba_4(a, b, c);
-          goto CLEANUP;
-      }
-      if (MP_USED(a) == 8) {
-          s_mp_mul_comba_8(a, b, c);
-          goto CLEANUP;
-      }
-      if (MP_USED(a) == 16) {
-          s_mp_mul_comba_16(a, b, c);
-          goto CLEANUP;
-      }
-      if (MP_USED(a) == 32) {
-          s_mp_mul_comba_32(a, b, c);
-          goto CLEANUP;
-      } 
-  }
-#endif
-
-  pb = MP_DIGITS(b);
-  s_mpv_mul_d(MP_DIGITS(a), MP_USED(a), *pb++, MP_DIGITS(c));
-
-  /* Outer loop:  Digits of b */
-  useda = MP_USED(a);
-  usedb = MP_USED(b);
-  for (ib = 1; ib < usedb; ib++) {
-    mp_digit b_i    = *pb++;
-
-    /* Inner product:  Digits of a */
-    if (b_i)
-      s_mpv_mul_d_add(MP_DIGITS(a), useda, b_i, MP_DIGITS(c) + ib);
-    else
-      MP_DIGIT(c, ib + useda) = b_i;
-  }
-
-  s_mp_clamp(c);
-
-  if(SIGN(a) == SIGN(b) || s_mp_cmp_d(c, 0) == MP_EQ)
-    SIGN(c) = ZPOS;
-  else
-    SIGN(c) = NEG;
-
-CLEANUP:
-  mp_clear(&tmp);
-  return res;
-} /* end mp_mul() */
-
-/* }}} */
-
-/* {{{ mp_sqr(a, sqr) */
-
-#if MP_SQUARE
-/*
-  Computes the square of a.  This can be done more
-  efficiently than a general multiplication, because many of the
-  computation steps are redundant when squaring.  The inner product
-  step is a bit more complicated, but we save a fair number of
-  iterations of the multiplication loop.
- */
-
-/* sqr = a^2;   Caller provides both a and tmp; */
-mp_err   mp_sqr(const mp_int *a, mp_int *sqr)
-{
-  mp_digit *pa;
-  mp_digit d;
-  mp_err   res;
-  mp_size  ix;
-  mp_int   tmp;
-  int      count;
-
-  ARGCHK(a != NULL && sqr != NULL, MP_BADARG);
-
-  if (a == sqr) {
-    if((res = mp_init_copy(&tmp, a)) != MP_OKAY)
-      return res;
-    a = &tmp;
-  } else {
-    DIGITS(&tmp) = 0;
-    res = MP_OKAY;
-  }
-
-  ix = 2 * MP_USED(a);
-  if (ix > MP_ALLOC(sqr)) {
-    MP_USED(sqr) = 1; 
-    MP_CHECKOK( s_mp_grow(sqr, ix) );
-  } 
-  MP_USED(sqr) = ix;
-  MP_DIGIT(sqr, 0) = 0;
-
-#ifdef NSS_USE_COMBA
-  if (IS_POWER_OF_2(MP_USED(a))) {
-      if (MP_USED(a) == 4) {
-          s_mp_sqr_comba_4(a, sqr);
-          goto CLEANUP;
-      }
-      if (MP_USED(a) == 8) {
-          s_mp_sqr_comba_8(a, sqr);
-          goto CLEANUP;
-      }
-      if (MP_USED(a) == 16) {
-          s_mp_sqr_comba_16(a, sqr);
-          goto CLEANUP;
-      }
-      if (MP_USED(a) == 32) {
-          s_mp_sqr_comba_32(a, sqr);
-          goto CLEANUP;
-      } 
-  }
-#endif
-
-  pa = MP_DIGITS(a);
-  count = MP_USED(a) - 1;
-  if (count > 0) {
-    d = *pa++;
-    s_mpv_mul_d(pa, count, d, MP_DIGITS(sqr) + 1);
-    for (ix = 3; --count > 0; ix += 2) {
-      d = *pa++;
-      s_mpv_mul_d_add(pa, count, d, MP_DIGITS(sqr) + ix);
-    } /* for(ix ...) */
-    MP_DIGIT(sqr, MP_USED(sqr)-1) = 0; /* above loop stopped short of this. */
-
-    /* now sqr *= 2 */
-    s_mp_mul_2(sqr);
-  } else {
-    MP_DIGIT(sqr, 1) = 0;
-  }
-
-  /* now add the squares of the digits of a to sqr. */
-  s_mpv_sqr_add_prop(MP_DIGITS(a), MP_USED(a), MP_DIGITS(sqr));
-
-  SIGN(sqr) = ZPOS;
-  s_mp_clamp(sqr);
-
-CLEANUP:
-  mp_clear(&tmp);
-  return res;
-
-} /* end mp_sqr() */
-#endif
-
-/* }}} */
-
-/* {{{ mp_div(a, b, q, r) */
-
-/*
-  mp_div(a, b, q, r)
-
-  Compute q = a / b and r = a mod b.  Input parameters may be re-used
-  as output parameters.  If q or r is NULL, that portion of the
-  computation will be discarded (although it will still be computed)
- */
-mp_err mp_div(const mp_int *a, const mp_int *b, mp_int *q, mp_int *r)
-{
-  mp_err   res;
-  mp_int   *pQ, *pR;
-  mp_int   qtmp, rtmp, btmp;
-  int      cmp;
-  mp_sign  signA = MP_SIGN(a);
-  mp_sign  signB = MP_SIGN(b);
-
-  ARGCHK(a != NULL && b != NULL, MP_BADARG);
-
-  if(mp_cmp_z(b) == MP_EQ)
-    return MP_RANGE;
-
-  DIGITS(&qtmp) = 0;
-  DIGITS(&rtmp) = 0;
-  DIGITS(&btmp) = 0;
-
-  /* Set up some temporaries... */
-  if (!r || r == a || r == b) {
-    MP_CHECKOK( mp_init_copy(&rtmp, a) );
-    pR = &rtmp;
-  } else {
-    MP_CHECKOK( mp_copy(a, r) );
-    pR = r;
-  }
-
-  if (!q || q == a || q == b) {
-    MP_CHECKOK( mp_init_size(&qtmp, MP_USED(a)) );
-    pQ = &qtmp;
-  } else {
-    MP_CHECKOK( s_mp_pad(q, MP_USED(a)) );
-    pQ = q;
-    mp_zero(pQ);
-  }
-
-  /*
-    If |a| <= |b|, we can compute the solution without division;
-    otherwise, we actually do the work required.
-   */
-  if ((cmp = s_mp_cmp(a, b)) <= 0) {
-    if (cmp) {
-      /* r was set to a above. */
-      mp_zero(pQ);
-    } else {
-      mp_set(pQ, 1);
-      mp_zero(pR);
-    }
-  } else {
-    MP_CHECKOK( mp_init_copy(&btmp, b) );
-    MP_CHECKOK( s_mp_div(pR, &btmp, pQ) );
-  }
-
-  /* Compute the signs for the output  */
-  MP_SIGN(pR) = signA;   /* Sr = Sa              */
-  /* Sq = ZPOS if Sa == Sb */ /* Sq = NEG if Sa != Sb */
-  MP_SIGN(pQ) = (signA == signB) ? ZPOS : NEG;
-
-  if(s_mp_cmp_d(pQ, 0) == MP_EQ)
-    SIGN(pQ) = ZPOS;
-  if(s_mp_cmp_d(pR, 0) == MP_EQ)
-    SIGN(pR) = ZPOS;
-
-  /* Copy output, if it is needed      */
-  if(q && q != pQ) 
-    s_mp_exch(pQ, q);
-
-  if(r && r != pR) 
-    s_mp_exch(pR, r);
-
-CLEANUP:
-  mp_clear(&btmp);
-  mp_clear(&rtmp);
-  mp_clear(&qtmp);
-
-  return res;
-
-} /* end mp_div() */
-
-/* }}} */
-
-/* {{{ mp_div_2d(a, d, q, r) */
-
-mp_err mp_div_2d(const mp_int *a, mp_digit d, mp_int *q, mp_int *r)
-{
-  mp_err  res;
-
-  ARGCHK(a != NULL, MP_BADARG);
-
-  if(q) {
-    if((res = mp_copy(a, q)) != MP_OKAY)
-      return res;
-  }
-  if(r) {
-    if((res = mp_copy(a, r)) != MP_OKAY)
-      return res;
-  }
-  if(q) {
-    s_mp_div_2d(q, d);
-  }
-  if(r) {
-    s_mp_mod_2d(r, d);
-  }
-
-  return MP_OKAY;
-
-} /* end mp_div_2d() */
-
-/* }}} */
-
-/* {{{ mp_expt(a, b, c) */
-
-/*
-  mp_expt(a, b, c)
-
-  Compute c = a ** b, that is, raise a to the b power.  Uses a
-  standard iterative square-and-multiply technique.
- */
-
-mp_err mp_expt(mp_int *a, mp_int *b, mp_int *c)
-{
-  mp_int   s, x;
-  mp_err   res;
-  mp_digit d;
-  int      dig, bit;
-
-  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
-
-  if(mp_cmp_z(b) < 0)
-    return MP_RANGE;
-
-  if((res = mp_init(&s)) != MP_OKAY)
-    return res;
-
-  mp_set(&s, 1);
-
-  if((res = mp_init_copy(&x, a)) != MP_OKAY)
-    goto X;
-
-  /* Loop over low-order digits in ascending order */
-  for(dig = 0; dig < (USED(b) - 1); dig++) {
-    d = DIGIT(b, dig);
-
-    /* Loop over bits of each non-maximal digit */
-    for(bit = 0; bit < DIGIT_BIT; bit++) {
-      if(d & 1) {
-	if((res = s_mp_mul(&s, &x)) != MP_OKAY) 
-	  goto CLEANUP;
-      }
-
-      d >>= 1;
-      
-      if((res = s_mp_sqr(&x)) != MP_OKAY)
-	goto CLEANUP;
-    }
-  }
-
-  /* Consider now the last digit... */
-  d = DIGIT(b, dig);
-
-  while(d) {
-    if(d & 1) {
-      if((res = s_mp_mul(&s, &x)) != MP_OKAY)
-	goto CLEANUP;
-    }
-
-    d >>= 1;
-
-    if((res = s_mp_sqr(&x)) != MP_OKAY)
-      goto CLEANUP;
-  }
-  
-  if(mp_iseven(b))
-    SIGN(&s) = SIGN(a);
-
-  res = mp_copy(&s, c);
-
-CLEANUP:
-  mp_clear(&x);
-X:
-  mp_clear(&s);
-
-  return res;
-
-} /* end mp_expt() */
-
-/* }}} */
-
-/* {{{ mp_2expt(a, k) */
-
-/* Compute a = 2^k */
-
-mp_err mp_2expt(mp_int *a, mp_digit k)
-{
-  ARGCHK(a != NULL, MP_BADARG);
-
-  return s_mp_2expt(a, k);
-
-} /* end mp_2expt() */
-
-/* }}} */
-
-/* {{{ mp_mod(a, m, c) */
-
-/*
-  mp_mod(a, m, c)
-
-  Compute c = a (mod m).  Result will always be 0 <= c < m.
- */
-
-mp_err mp_mod(const mp_int *a, const mp_int *m, mp_int *c)
-{
-  mp_err  res;
-  int     mag;
-
-  ARGCHK(a != NULL && m != NULL && c != NULL, MP_BADARG);
-
-  if(SIGN(m) == NEG)
-    return MP_RANGE;
-
-  /*
-     If |a| > m, we need to divide to get the remainder and take the
-     absolute value.  
-
-     If |a| < m, we don't need to do any division, just copy and adjust
-     the sign (if a is negative).
-
-     If |a| == m, we can simply set the result to zero.
-
-     This order is intended to minimize the average path length of the
-     comparison chain on common workloads -- the most frequent cases are
-     that |a| != m, so we do those first.
-   */
-  if((mag = s_mp_cmp(a, m)) > 0) {
-    if((res = mp_div(a, m, NULL, c)) != MP_OKAY)
-      return res;
-    
-    if(SIGN(c) == NEG) {
-      if((res = mp_add(c, m, c)) != MP_OKAY)
-	return res;
-    }
-
-  } else if(mag < 0) {
-    if((res = mp_copy(a, c)) != MP_OKAY)
-      return res;
-
-    if(mp_cmp_z(a) < 0) {
-      if((res = mp_add(c, m, c)) != MP_OKAY)
-	return res;
-
-    }
-    
-  } else {
-    mp_zero(c);
-
-  }
-
-  return MP_OKAY;
-
-} /* end mp_mod() */
-
-/* }}} */
-
-/* {{{ mp_mod_d(a, d, c) */
-
-/*
-  mp_mod_d(a, d, c)
-
-  Compute c = a (mod d).  Result will always be 0 <= c < d
- */
-mp_err mp_mod_d(const mp_int *a, mp_digit d, mp_digit *c)
-{
-  mp_err   res;
-  mp_digit rem;
-
-  ARGCHK(a != NULL && c != NULL, MP_BADARG);
-
-  if(s_mp_cmp_d(a, d) > 0) {
-    if((res = mp_div_d(a, d, NULL, &rem)) != MP_OKAY)
-      return res;
-
-  } else {
-    if(SIGN(a) == NEG)
-      rem = d - DIGIT(a, 0);
-    else
-      rem = DIGIT(a, 0);
-  }
-
-  if(c)
-    *c = rem;
-
-  return MP_OKAY;
-
-} /* end mp_mod_d() */
-
-/* }}} */
-
-/* {{{ mp_sqrt(a, b) */
-
-/*
-  mp_sqrt(a, b)
-
-  Compute the integer square root of a, and store the result in b.
-  Uses an integer-arithmetic version of Newton's iterative linear
-  approximation technique to determine this value; the result has the
-  following two properties:
-
-     b^2 <= a
-     (b+1)^2 >= a
-
-  It is a range error to pass a negative value.
- */
-mp_err mp_sqrt(const mp_int *a, mp_int *b)
-{
-  mp_int   x, t;
-  mp_err   res;
-  mp_size  used;
-
-  ARGCHK(a != NULL && b != NULL, MP_BADARG);
-
-  /* Cannot take square root of a negative value */
-  if(SIGN(a) == NEG)
-    return MP_RANGE;
-
-  /* Special cases for zero and one, trivial     */
-  if(mp_cmp_d(a, 1) <= 0)
-    return mp_copy(a, b);
-    
-  /* Initialize the temporaries we'll use below  */
-  if((res = mp_init_size(&t, USED(a))) != MP_OKAY)
-    return res;
-
-  /* Compute an initial guess for the iteration as a itself */
-  if((res = mp_init_copy(&x, a)) != MP_OKAY)
-    goto X;
-
-  used = MP_USED(&x);
-  if (used > 1) {
-    s_mp_rshd(&x, used / 2);
-  }
-
-  for(;;) {
-    /* t = (x * x) - a */
-    mp_copy(&x, &t);      /* can't fail, t is big enough for original x */
-    if((res = mp_sqr(&t, &t)) != MP_OKAY ||
-       (res = mp_sub(&t, a, &t)) != MP_OKAY)
-      goto CLEANUP;
-
-    /* t = t / 2x       */
-    s_mp_mul_2(&x);
-    if((res = mp_div(&t, &x, &t, NULL)) != MP_OKAY)
-      goto CLEANUP;
-    s_mp_div_2(&x);
-
-    /* Terminate the loop, if the quotient is zero */
-    if(mp_cmp_z(&t) == MP_EQ)
-      break;
-
-    /* x = x - t       */
-    if((res = mp_sub(&x, &t, &x)) != MP_OKAY)
-      goto CLEANUP;
-
-  }
-
-  /* Copy result to output parameter */
-  mp_sub_d(&x, 1, &x);
-  s_mp_exch(&x, b);
-
- CLEANUP:
-  mp_clear(&x);
- X:
-  mp_clear(&t); 
-
-  return res;
-
-} /* end mp_sqrt() */
-
-/* }}} */
-
-/* }}} */
-
-/*------------------------------------------------------------------------*/
-/* {{{ Modular arithmetic */
-
-#if MP_MODARITH
-/* {{{ mp_addmod(a, b, m, c) */
-
-/*
-  mp_addmod(a, b, m, c)
-
-  Compute c = (a + b) mod m
- */
-
-mp_err mp_addmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c)
-{
-  mp_err  res;
-
-  ARGCHK(a != NULL && b != NULL && m != NULL && c != NULL, MP_BADARG);
-
-  if((res = mp_add(a, b, c)) != MP_OKAY)
-    return res;
-  if((res = mp_mod(c, m, c)) != MP_OKAY)
-    return res;
-
-  return MP_OKAY;
-
-}
-
-/* }}} */
-
-/* {{{ mp_submod(a, b, m, c) */
-
-/*
-  mp_submod(a, b, m, c)
-
-  Compute c = (a - b) mod m
- */
-
-mp_err mp_submod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c)
-{
-  mp_err  res;
-
-  ARGCHK(a != NULL && b != NULL && m != NULL && c != NULL, MP_BADARG);
-
-  if((res = mp_sub(a, b, c)) != MP_OKAY)
-    return res;
-  if((res = mp_mod(c, m, c)) != MP_OKAY)
-    return res;
-
-  return MP_OKAY;
-
-}
-
-/* }}} */
-
-/* {{{ mp_mulmod(a, b, m, c) */
-
-/*
-  mp_mulmod(a, b, m, c)
-
-  Compute c = (a * b) mod m
- */
-
-mp_err mp_mulmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c)
-{
-  mp_err  res;
-
-  ARGCHK(a != NULL && b != NULL && m != NULL && c != NULL, MP_BADARG);
-
-  if((res = mp_mul(a, b, c)) != MP_OKAY)
-    return res;
-  if((res = mp_mod(c, m, c)) != MP_OKAY)
-    return res;
-
-  return MP_OKAY;
-
-}
-
-/* }}} */
-
-/* {{{ mp_sqrmod(a, m, c) */
-
-#if MP_SQUARE
-mp_err mp_sqrmod(const mp_int *a, const mp_int *m, mp_int *c)
-{
-  mp_err  res;
-
-  ARGCHK(a != NULL && m != NULL && c != NULL, MP_BADARG);
-
-  if((res = mp_sqr(a, c)) != MP_OKAY)
-    return res;
-  if((res = mp_mod(c, m, c)) != MP_OKAY)
-    return res;
-
-  return MP_OKAY;
-
-} /* end mp_sqrmod() */
-#endif
-
-/* }}} */
-
-/* {{{ s_mp_exptmod(a, b, m, c) */
-
-/*
-  s_mp_exptmod(a, b, m, c)
-
-  Compute c = (a ** b) mod m.  Uses a standard square-and-multiply
-  method with modular reductions at each step. (This is basically the
-  same code as mp_expt(), except for the addition of the reductions)
-  
-  The modular reductions are done using Barrett's algorithm (see
-  s_mp_reduce() below for details)
- */
-
-mp_err s_mp_exptmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c)
-{
-  mp_int   s, x, mu;
-  mp_err   res;
-  mp_digit d;
-  int      dig, bit;
-
-  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
-
-  if(mp_cmp_z(b) < 0 || mp_cmp_z(m) <= 0)
-    return MP_RANGE;
-
-  if((res = mp_init(&s)) != MP_OKAY)
-    return res;
-  if((res = mp_init_copy(&x, a)) != MP_OKAY ||
-     (res = mp_mod(&x, m, &x)) != MP_OKAY)
-    goto X;
-  if((res = mp_init(&mu)) != MP_OKAY)
-    goto MU;
-
-  mp_set(&s, 1);
-
-  /* mu = b^2k / m */
-  s_mp_add_d(&mu, 1); 
-  s_mp_lshd(&mu, 2 * USED(m));
-  if((res = mp_div(&mu, m, &mu, NULL)) != MP_OKAY)
-    goto CLEANUP;
-
-  /* Loop over digits of b in ascending order, except highest order */
-  for(dig = 0; dig < (USED(b) - 1); dig++) {
-    d = DIGIT(b, dig);
-
-    /* Loop over the bits of the lower-order digits */
-    for(bit = 0; bit < DIGIT_BIT; bit++) {
-      if(d & 1) {
-	if((res = s_mp_mul(&s, &x)) != MP_OKAY)
-	  goto CLEANUP;
-	if((res = s_mp_reduce(&s, m, &mu)) != MP_OKAY)
-	  goto CLEANUP;
-      }
-
-      d >>= 1;
-
-      if((res = s_mp_sqr(&x)) != MP_OKAY)
-	goto CLEANUP;
-      if((res = s_mp_reduce(&x, m, &mu)) != MP_OKAY)
-	goto CLEANUP;
-    }
-  }
-
-  /* Now do the last digit... */
-  d = DIGIT(b, dig);
-
-  while(d) {
-    if(d & 1) {
-      if((res = s_mp_mul(&s, &x)) != MP_OKAY)
-	goto CLEANUP;
-      if((res = s_mp_reduce(&s, m, &mu)) != MP_OKAY)
-	goto CLEANUP;
-    }
-
-    d >>= 1;
-
-    if((res = s_mp_sqr(&x)) != MP_OKAY)
-      goto CLEANUP;
-    if((res = s_mp_reduce(&x, m, &mu)) != MP_OKAY)
-      goto CLEANUP;
-  }
-
-  s_mp_exch(&s, c);
-
- CLEANUP:
-  mp_clear(&mu);
- MU:
-  mp_clear(&x);
- X:
-  mp_clear(&s);
-
-  return res;
-
-} /* end s_mp_exptmod() */
-
-/* }}} */
-
-/* {{{ mp_exptmod_d(a, d, m, c) */
-
-mp_err mp_exptmod_d(const mp_int *a, mp_digit d, const mp_int *m, mp_int *c)
-{
-  mp_int   s, x;
-  mp_err   res;
-
-  ARGCHK(a != NULL && c != NULL, MP_BADARG);
-
-  if((res = mp_init(&s)) != MP_OKAY)
-    return res;
-  if((res = mp_init_copy(&x, a)) != MP_OKAY)
-    goto X;
-
-  mp_set(&s, 1);
-
-  while(d != 0) {
-    if(d & 1) {
-      if((res = s_mp_mul(&s, &x)) != MP_OKAY ||
-	 (res = mp_mod(&s, m, &s)) != MP_OKAY)
-	goto CLEANUP;
-    }
-
-    d /= 2;
-
-    if((res = s_mp_sqr(&x)) != MP_OKAY ||
-       (res = mp_mod(&x, m, &x)) != MP_OKAY)
-      goto CLEANUP;
-  }
-
-  s_mp_exch(&s, c);
-
-CLEANUP:
-  mp_clear(&x);
-X:
-  mp_clear(&s);
-
-  return res;
-
-} /* end mp_exptmod_d() */
-
-/* }}} */
-#endif /* if MP_MODARITH */
-
-/* }}} */
-
-/*------------------------------------------------------------------------*/
-/* {{{ Comparison functions */
-
-/* {{{ mp_cmp_z(a) */
-
-/*
-  mp_cmp_z(a)
-
-  Compare a <=> 0.  Returns <0 if a<0, 0 if a=0, >0 if a>0.
- */
-
-int    mp_cmp_z(const mp_int *a)
-{
-  if(SIGN(a) == NEG)
-    return MP_LT;
-  else if(USED(a) == 1 && DIGIT(a, 0) == 0)
-    return MP_EQ;
-  else
-    return MP_GT;
-
-} /* end mp_cmp_z() */
-
-/* }}} */
-
-/* {{{ mp_cmp_d(a, d) */
-
-/*
-  mp_cmp_d(a, d)
-
-  Compare a <=> d.  Returns <0 if a<d, 0 if a=d, >0 if a>d
- */
-
-int    mp_cmp_d(const mp_int *a, mp_digit d)
-{
-  ARGCHK(a != NULL, MP_EQ);
-
-  if(SIGN(a) == NEG)
-    return MP_LT;
-
-  return s_mp_cmp_d(a, d);
-
-} /* end mp_cmp_d() */
-
-/* }}} */
-
-/* {{{ mp_cmp(a, b) */
-
-int    mp_cmp(const mp_int *a, const mp_int *b)
-{
-  ARGCHK(a != NULL && b != NULL, MP_EQ);
-
-  if(SIGN(a) == SIGN(b)) {
-    int  mag;
-
-    if((mag = s_mp_cmp(a, b)) == MP_EQ)
-      return MP_EQ;
-
-    if(SIGN(a) == ZPOS)
-      return mag;
-    else
-      return -mag;
-
-  } else if(SIGN(a) == ZPOS) {
-    return MP_GT;
-  } else {
-    return MP_LT;
-  }
-
-} /* end mp_cmp() */
-
-/* }}} */
-
-/* {{{ mp_cmp_mag(a, b) */
-
-/*
-  mp_cmp_mag(a, b)
-
-  Compares |a| <=> |b|, and returns an appropriate comparison result
- */
-
-int    mp_cmp_mag(mp_int *a, mp_int *b)
-{
-  ARGCHK(a != NULL && b != NULL, MP_EQ);
-
-  return s_mp_cmp(a, b);
-
-} /* end mp_cmp_mag() */
-
-/* }}} */
-
-/* {{{ mp_cmp_int(a, z) */
-
-/*
-  This just converts z to an mp_int, and uses the existing comparison
-  routines.  This is sort of inefficient, but it's not clear to me how
-  frequently this wil get used anyway.  For small positive constants,
-  you can always use mp_cmp_d(), and for zero, there is mp_cmp_z().
- */
-int    mp_cmp_int(const mp_int *a, long z)
-{
-  mp_int  tmp;
-  int     out;
-
-  ARGCHK(a != NULL, MP_EQ);
-  
-  mp_init(&tmp); mp_set_int(&tmp, z);
-  out = mp_cmp(a, &tmp);
-  mp_clear(&tmp);
-
-  return out;
-
-} /* end mp_cmp_int() */
-
-/* }}} */
-
-/* {{{ mp_isodd(a) */
-
-/*
-  mp_isodd(a)
-
-  Returns a true (non-zero) value if a is odd, false (zero) otherwise.
- */
-int    mp_isodd(const mp_int *a)
-{
-  ARGCHK(a != NULL, 0);
-
-  return (int)(DIGIT(a, 0) & 1);
-
-} /* end mp_isodd() */
-
-/* }}} */
-
-/* {{{ mp_iseven(a) */
-
-int    mp_iseven(const mp_int *a)
-{
-  return !mp_isodd(a);
-
-} /* end mp_iseven() */
-
-/* }}} */
-
-/* }}} */
-
-/*------------------------------------------------------------------------*/
-/* {{{ Number theoretic functions */
-
-#if MP_NUMTH
-/* {{{ mp_gcd(a, b, c) */
-
-/*
-  Like the old mp_gcd() function, except computes the GCD using the
-  binary algorithm due to Josef Stein in 1961 (via Knuth).
- */
-mp_err mp_gcd(mp_int *a, mp_int *b, mp_int *c)
-{
-  mp_err   res;
-  mp_int   u, v, t;
-  mp_size  k = 0;
-
-  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
-
-  if(mp_cmp_z(a) == MP_EQ && mp_cmp_z(b) == MP_EQ)
-      return MP_RANGE;
-  if(mp_cmp_z(a) == MP_EQ) {
-    return mp_copy(b, c);
-  } else if(mp_cmp_z(b) == MP_EQ) {
-    return mp_copy(a, c);
-  }
-
-  if((res = mp_init(&t)) != MP_OKAY)
-    return res;
-  if((res = mp_init_copy(&u, a)) != MP_OKAY)
-    goto U;
-  if((res = mp_init_copy(&v, b)) != MP_OKAY)
-    goto V;
-
-  SIGN(&u) = ZPOS;
-  SIGN(&v) = ZPOS;
-
-  /* Divide out common factors of 2 until at least 1 of a, b is even */
-  while(mp_iseven(&u) && mp_iseven(&v)) {
-    s_mp_div_2(&u);
-    s_mp_div_2(&v);
-    ++k;
-  }
-
-  /* Initialize t */
-  if(mp_isodd(&u)) {
-    if((res = mp_copy(&v, &t)) != MP_OKAY)
-      goto CLEANUP;
-    
-    /* t = -v */
-    if(SIGN(&v) == ZPOS)
-      SIGN(&t) = NEG;
-    else
-      SIGN(&t) = ZPOS;
-    
-  } else {
-    if((res = mp_copy(&u, &t)) != MP_OKAY)
-      goto CLEANUP;
-
-  }
-
-  for(;;) {
-    while(mp_iseven(&t)) {
-      s_mp_div_2(&t);
-    }
-
-    if(mp_cmp_z(&t) == MP_GT) {
-      if((res = mp_copy(&t, &u)) != MP_OKAY)
-	goto CLEANUP;
-
-    } else {
-      if((res = mp_copy(&t, &v)) != MP_OKAY)
-	goto CLEANUP;
-
-      /* v = -t */
-      if(SIGN(&t) == ZPOS)
-	SIGN(&v) = NEG;
-      else
-	SIGN(&v) = ZPOS;
-    }
-
-    if((res = mp_sub(&u, &v, &t)) != MP_OKAY)
-      goto CLEANUP;
-
-    if(s_mp_cmp_d(&t, 0) == MP_EQ)
-      break;
-  }
-
-  s_mp_2expt(&v, k);       /* v = 2^k   */
-  res = mp_mul(&u, &v, c); /* c = u * v */
-
- CLEANUP:
-  mp_clear(&v);
- V:
-  mp_clear(&u);
- U:
-  mp_clear(&t);
-
-  return res;
-
-} /* end mp_gcd() */
-
-/* }}} */
-
-/* {{{ mp_lcm(a, b, c) */
-
-/* We compute the least common multiple using the rule:
-
-   ab = [a, b](a, b)
-
-   ... by computing the product, and dividing out the gcd.
- */
-
-mp_err mp_lcm(mp_int *a, mp_int *b, mp_int *c)
-{
-  mp_int  gcd, prod;
-  mp_err  res;
-
-  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
-
-  /* Set up temporaries */
-  if((res = mp_init(&gcd)) != MP_OKAY)
-    return res;
-  if((res = mp_init(&prod)) != MP_OKAY)
-    goto GCD;
-
-  if((res = mp_mul(a, b, &prod)) != MP_OKAY)
-    goto CLEANUP;
-  if((res = mp_gcd(a, b, &gcd)) != MP_OKAY)
-    goto CLEANUP;
-
-  res = mp_div(&prod, &gcd, c, NULL);
-
- CLEANUP:
-  mp_clear(&prod);
- GCD:
-  mp_clear(&gcd);
-
-  return res;
-
-} /* end mp_lcm() */
-
-/* }}} */
-
-/* {{{ mp_xgcd(a, b, g, x, y) */
-
-/*
-  mp_xgcd(a, b, g, x, y)
-
-  Compute g = (a, b) and values x and y satisfying Bezout's identity
-  (that is, ax + by = g).  This uses the binary extended GCD algorithm
-  based on the Stein algorithm used for mp_gcd()
-  See algorithm 14.61 in Handbook of Applied Cryptogrpahy.
- */
-
-mp_err mp_xgcd(const mp_int *a, const mp_int *b, mp_int *g, mp_int *x, mp_int *y)
-{
-  mp_int   gx, xc, yc, u, v, A, B, C, D;
-  mp_int  *clean[9];
-  mp_err   res;
-  int      last = -1;
-
-  if(mp_cmp_z(b) == 0)
-    return MP_RANGE;
-
-  /* Initialize all these variables we need */
-  MP_CHECKOK( mp_init(&u) );
-  clean[++last] = &u;
-  MP_CHECKOK( mp_init(&v) );
-  clean[++last] = &v;
-  MP_CHECKOK( mp_init(&gx) );
-  clean[++last] = &gx;
-  MP_CHECKOK( mp_init(&A) );
-  clean[++last] = &A;
-  MP_CHECKOK( mp_init(&B) );
-  clean[++last] = &B;
-  MP_CHECKOK( mp_init(&C) );
-  clean[++last] = &C;
-  MP_CHECKOK( mp_init(&D) );
-  clean[++last] = &D;
-  MP_CHECKOK( mp_init_copy(&xc, a) );
-  clean[++last] = &xc;
-  mp_abs(&xc, &xc);
-  MP_CHECKOK( mp_init_copy(&yc, b) );
-  clean[++last] = &yc;
-  mp_abs(&yc, &yc);
-
-  mp_set(&gx, 1);
-
-  /* Divide by two until at least one of them is odd */
-  while(mp_iseven(&xc) && mp_iseven(&yc)) {
-    mp_size nx = mp_trailing_zeros(&xc);
-    mp_size ny = mp_trailing_zeros(&yc);
-    mp_size n  = MP_MIN(nx, ny);
-    s_mp_div_2d(&xc,n);
-    s_mp_div_2d(&yc,n);
-    MP_CHECKOK( s_mp_mul_2d(&gx,n) );
-  }
-
-  mp_copy(&xc, &u);
-  mp_copy(&yc, &v);
-  mp_set(&A, 1); mp_set(&D, 1);
-
-  /* Loop through binary GCD algorithm */
-  do {
-    while(mp_iseven(&u)) {
-      s_mp_div_2(&u);
-
-      if(mp_iseven(&A) && mp_iseven(&B)) {
-	s_mp_div_2(&A); s_mp_div_2(&B);
-      } else {
-	MP_CHECKOK( mp_add(&A, &yc, &A) );
-	s_mp_div_2(&A);
-	MP_CHECKOK( mp_sub(&B, &xc, &B) );
-	s_mp_div_2(&B);
-      }
-    }
-
-    while(mp_iseven(&v)) {
-      s_mp_div_2(&v);
-
-      if(mp_iseven(&C) && mp_iseven(&D)) {
-	s_mp_div_2(&C); s_mp_div_2(&D);
-      } else {
-	MP_CHECKOK( mp_add(&C, &yc, &C) );
-	s_mp_div_2(&C);
-	MP_CHECKOK( mp_sub(&D, &xc, &D) );
-	s_mp_div_2(&D);
-      }
-    }
-
-    if(mp_cmp(&u, &v) >= 0) {
-      MP_CHECKOK( mp_sub(&u, &v, &u) );
-      MP_CHECKOK( mp_sub(&A, &C, &A) );
-      MP_CHECKOK( mp_sub(&B, &D, &B) );
-    } else {
-      MP_CHECKOK( mp_sub(&v, &u, &v) );
-      MP_CHECKOK( mp_sub(&C, &A, &C) );
-      MP_CHECKOK( mp_sub(&D, &B, &D) );
-    }
-  } while (mp_cmp_z(&u) != 0);
-
-  /* copy results to output */
-  if(x)
-    MP_CHECKOK( mp_copy(&C, x) );
-
-  if(y)
-    MP_CHECKOK( mp_copy(&D, y) );
-      
-  if(g)
-    MP_CHECKOK( mp_mul(&gx, &v, g) );
-
- CLEANUP:
-  while(last >= 0)
-    mp_clear(clean[last--]);
-
-  return res;
-
-} /* end mp_xgcd() */
-
-/* }}} */
-
-mp_size mp_trailing_zeros(const mp_int *mp)
-{
-  mp_digit d;
-  mp_size  n = 0;
-  int      ix;
-
-  if (!mp || !MP_DIGITS(mp) || !mp_cmp_z(mp))
-    return n;
-
-  for (ix = 0; !(d = MP_DIGIT(mp,ix)) && (ix < MP_USED(mp)); ++ix)
-    n += MP_DIGIT_BIT;
-  if (!d)
-    return 0;	/* shouldn't happen, but ... */
-#if !defined(MP_USE_UINT_DIGIT)
-  if (!(d & 0xffffffffU)) {
-    d >>= 32;
-    n  += 32;
-  }
-#endif
-  if (!(d & 0xffffU)) {
-    d >>= 16;
-    n  += 16;
-  }
-  if (!(d & 0xffU)) {
-    d >>= 8;
-    n  += 8;
-  }
-  if (!(d & 0xfU)) {
-    d >>= 4;
-    n  += 4;
-  }
-  if (!(d & 0x3U)) {
-    d >>= 2;
-    n  += 2;
-  }
-  if (!(d & 0x1U)) {
-    d >>= 1;
-    n  += 1;
-  }
-#if MP_ARGCHK == 2
-  assert(0 != (d & 1));
-#endif
-  return n;
-}
-
-/* Given a and prime p, computes c and k such that a*c == 2**k (mod p).
-** Returns k (positive) or error (negative).
-** This technique from the paper "Fast Modular Reciprocals" (unpublished)
-** by Richard Schroeppel (a.k.a. Captain Nemo).
-*/
-mp_err s_mp_almost_inverse(const mp_int *a, const mp_int *p, mp_int *c)
-{
-  mp_err res;
-  mp_err k    = 0;
-  mp_int d, f, g;
-
-  ARGCHK(a && p && c, MP_BADARG);
-
-  MP_DIGITS(&d) = 0;
-  MP_DIGITS(&f) = 0;
-  MP_DIGITS(&g) = 0;
-  MP_CHECKOK( mp_init(&d) );
-  MP_CHECKOK( mp_init_copy(&f, a) );	/* f = a */
-  MP_CHECKOK( mp_init_copy(&g, p) );	/* g = p */
-
-  mp_set(c, 1);
-  mp_zero(&d);
-
-  if (mp_cmp_z(&f) == 0) {
-    res = MP_UNDEF;
-  } else 
-  for (;;) {
-    int diff_sign;
-    while (mp_iseven(&f)) {
-      mp_size n = mp_trailing_zeros(&f);
-      if (!n) {
-	res = MP_UNDEF;
-	goto CLEANUP;
-      }
-      s_mp_div_2d(&f, n);
-      MP_CHECKOK( s_mp_mul_2d(&d, n) );
-      k += n;
-    }
-    if (mp_cmp_d(&f, 1) == MP_EQ) {	/* f == 1 */
-      res = k;
-      break;
-    }
-    diff_sign = mp_cmp(&f, &g);
-    if (diff_sign < 0) {		/* f < g */
-      s_mp_exch(&f, &g);
-      s_mp_exch(c, &d);
-    } else if (diff_sign == 0) {		/* f == g */
-      res = MP_UNDEF;		/* a and p are not relatively prime */
-      break;
-    }
-    if ((MP_DIGIT(&f,0) % 4) == (MP_DIGIT(&g,0) % 4)) {
-      MP_CHECKOK( mp_sub(&f, &g, &f) );	/* f = f - g */
-      MP_CHECKOK( mp_sub(c,  &d,  c) );	/* c = c - d */
-    } else {
-      MP_CHECKOK( mp_add(&f, &g, &f) );	/* f = f + g */
-      MP_CHECKOK( mp_add(c,  &d,  c) );	/* c = c + d */
-    }
-  }
-  if (res >= 0) {
-    while (MP_SIGN(c) != MP_ZPOS) {
-      MP_CHECKOK( mp_add(c, p, c) );
-    }
-    res = k;
-  }
-
-CLEANUP:
-  mp_clear(&d);
-  mp_clear(&f);
-  mp_clear(&g);
-  return res;
-}
-
-/* Compute T = (P ** -1) mod MP_RADIX.  Also works for 16-bit mp_digits.
-** This technique from the paper "Fast Modular Reciprocals" (unpublished)
-** by Richard Schroeppel (a.k.a. Captain Nemo).
-*/
-mp_digit  s_mp_invmod_radix(mp_digit P)
-{
-  mp_digit T = P;
-  T *= 2 - (P * T);
-  T *= 2 - (P * T);
-  T *= 2 - (P * T);
-  T *= 2 - (P * T);
-#if !defined(MP_USE_UINT_DIGIT)
-  T *= 2 - (P * T);
-  T *= 2 - (P * T);
-#endif
-  return T;
-}
-
-/* Given c, k, and prime p, where a*c == 2**k (mod p), 
-** Compute x = (a ** -1) mod p.  This is similar to Montgomery reduction.
-** This technique from the paper "Fast Modular Reciprocals" (unpublished)
-** by Richard Schroeppel (a.k.a. Captain Nemo).
-*/
-mp_err  s_mp_fixup_reciprocal(const mp_int *c, const mp_int *p, int k, mp_int *x)
-{
-  int      k_orig = k;
-  mp_digit r;
-  mp_size  ix;
-  mp_err   res;
-
-  if (mp_cmp_z(c) < 0) {		/* c < 0 */
-    MP_CHECKOK( mp_add(c, p, x) );	/* x = c + p */
-  } else {
-    MP_CHECKOK( mp_copy(c, x) );	/* x = c */
-  }
-
-  /* make sure x is large enough */
-  ix = MP_HOWMANY(k, MP_DIGIT_BIT) + MP_USED(p) + 1;
-  ix = MP_MAX(ix, MP_USED(x));
-  MP_CHECKOK( s_mp_pad(x, ix) );
-
-  r = 0 - s_mp_invmod_radix(MP_DIGIT(p,0));
-
-  for (ix = 0; k > 0; ix++) {
-    int      j = MP_MIN(k, MP_DIGIT_BIT);
-    mp_digit v = r * MP_DIGIT(x, ix);
-    if (j < MP_DIGIT_BIT) {
-      v &= ((mp_digit)1 << j) - 1;	/* v = v mod (2 ** j) */
-    }
-    s_mp_mul_d_add_offset(p, v, x, ix); /* x += p * v * (RADIX ** ix) */
-    k -= j;
-  }
-  s_mp_clamp(x);
-  s_mp_div_2d(x, k_orig);
-  res = MP_OKAY;
-
-CLEANUP:
-  return res;
-}
-
-/* compute mod inverse using Schroeppel's method, only if m is odd */
-mp_err s_mp_invmod_odd_m(const mp_int *a, const mp_int *m, mp_int *c)
-{
-  int k;
-  mp_err  res;
-  mp_int  x;
-
-  ARGCHK(a && m && c, MP_BADARG);
-
-  if(mp_cmp_z(a) == 0 || mp_cmp_z(m) == 0)
-    return MP_RANGE;
-  if (mp_iseven(m))
-    return MP_UNDEF;
-
-  MP_DIGITS(&x) = 0;
-
-  if (a == c) {
-    if ((res = mp_init_copy(&x, a)) != MP_OKAY)
-      return res;
-    if (a == m) 
-      m = &x;
-    a = &x;
-  } else if (m == c) {
-    if ((res = mp_init_copy(&x, m)) != MP_OKAY)
-      return res;
-    m = &x;
-  } else {
-    MP_DIGITS(&x) = 0;
-  }
-
-  MP_CHECKOK( s_mp_almost_inverse(a, m, c) );
-  k = res;
-  MP_CHECKOK( s_mp_fixup_reciprocal(c, m, k, c) );
-CLEANUP:
-  mp_clear(&x);
-  return res;
-}
-
-/* Known good algorithm for computing modular inverse.  But slow. */
-mp_err mp_invmod_xgcd(const mp_int *a, const mp_int *m, mp_int *c)
-{
-  mp_int  g, x;
-  mp_err  res;
-
-  ARGCHK(a && m && c, MP_BADARG);
-
-  if(mp_cmp_z(a) == 0 || mp_cmp_z(m) == 0)
-    return MP_RANGE;
-
-  MP_DIGITS(&g) = 0;
-  MP_DIGITS(&x) = 0;
-  MP_CHECKOK( mp_init(&x) );
-  MP_CHECKOK( mp_init(&g) );
-
-  MP_CHECKOK( mp_xgcd(a, m, &g, &x, NULL) );
-
-  if (mp_cmp_d(&g, 1) != MP_EQ) {
-    res = MP_UNDEF;
-    goto CLEANUP;
-  }
-
-  res = mp_mod(&x, m, c);
-  SIGN(c) = SIGN(a);
-
-CLEANUP:
-  mp_clear(&x);
-  mp_clear(&g);
-
-  return res;
-}
-
-/* modular inverse where modulus is 2**k. */
-/* c = a**-1 mod 2**k */
-mp_err s_mp_invmod_2d(const mp_int *a, mp_size k, mp_int *c)
-{
-  mp_err res;
-  mp_size ix = k + 4;
-  mp_int t0, t1, val, tmp, two2k;
-
-  static const mp_digit d2 = 2;
-  static const mp_int two = { MP_ZPOS, 1, 1, (mp_digit *)&d2 };
-
-  if (mp_iseven(a))
-    return MP_UNDEF;
-  if (k <= MP_DIGIT_BIT) {
-    mp_digit i = s_mp_invmod_radix(MP_DIGIT(a,0));
-    if (k < MP_DIGIT_BIT)
-      i &= ((mp_digit)1 << k) - (mp_digit)1;
-    mp_set(c, i);
-    return MP_OKAY;
-  }
-  MP_DIGITS(&t0) = 0;
-  MP_DIGITS(&t1) = 0;
-  MP_DIGITS(&val) = 0;
-  MP_DIGITS(&tmp) = 0;
-  MP_DIGITS(&two2k) = 0;
-  MP_CHECKOK( mp_init_copy(&val, a) );
-  s_mp_mod_2d(&val, k);
-  MP_CHECKOK( mp_init_copy(&t0, &val) );
-  MP_CHECKOK( mp_init_copy(&t1, &t0)  );
-  MP_CHECKOK( mp_init(&tmp) );
-  MP_CHECKOK( mp_init(&two2k) );
-  MP_CHECKOK( s_mp_2expt(&two2k, k) );
-  do {
-    MP_CHECKOK( mp_mul(&val, &t1, &tmp)  );
-    MP_CHECKOK( mp_sub(&two, &tmp, &tmp) );
-    MP_CHECKOK( mp_mul(&t1, &tmp, &t1)   );
-    s_mp_mod_2d(&t1, k);
-    while (MP_SIGN(&t1) != MP_ZPOS) {
-      MP_CHECKOK( mp_add(&t1, &two2k, &t1) );
-    }
-    if (mp_cmp(&t1, &t0) == MP_EQ) 
-      break;
-    MP_CHECKOK( mp_copy(&t1, &t0) );
-  } while (--ix > 0);
-  if (!ix) {
-    res = MP_UNDEF;
-  } else {
-    mp_exch(c, &t1);
-  }
-
-CLEANUP:
-  mp_clear(&t0);
-  mp_clear(&t1);
-  mp_clear(&val);
-  mp_clear(&tmp);
-  mp_clear(&two2k);
-  return res;
-}
-
-mp_err s_mp_invmod_even_m(const mp_int *a, const mp_int *m, mp_int *c)
-{
-  mp_err res;
-  mp_size k;
-  mp_int oddFactor, evenFactor;	/* factors of the modulus */
-  mp_int oddPart, evenPart;	/* parts to combine via CRT. */
-  mp_int C2, tmp1, tmp2;
-
-  /*static const mp_digit d1 = 1; */
-  /*static const mp_int one = { MP_ZPOS, 1, 1, (mp_digit *)&d1 }; */
-
-  if ((res = s_mp_ispow2(m)) >= 0) {
-    k = res;
-    return s_mp_invmod_2d(a, k, c);
-  }
-  MP_DIGITS(&oddFactor) = 0;
-  MP_DIGITS(&evenFactor) = 0;
-  MP_DIGITS(&oddPart) = 0;
-  MP_DIGITS(&evenPart) = 0;
-  MP_DIGITS(&C2)     = 0;
-  MP_DIGITS(&tmp1)   = 0;
-  MP_DIGITS(&tmp2)   = 0;
-
-  MP_CHECKOK( mp_init_copy(&oddFactor, m) );    /* oddFactor = m */
-  MP_CHECKOK( mp_init(&evenFactor) );
-  MP_CHECKOK( mp_init(&oddPart) );
-  MP_CHECKOK( mp_init(&evenPart) );
-  MP_CHECKOK( mp_init(&C2)     );
-  MP_CHECKOK( mp_init(&tmp1)   );
-  MP_CHECKOK( mp_init(&tmp2)   );
-
-  k = mp_trailing_zeros(m);
-  s_mp_div_2d(&oddFactor, k);
-  MP_CHECKOK( s_mp_2expt(&evenFactor, k) );
-
-  /* compute a**-1 mod oddFactor. */
-  MP_CHECKOK( s_mp_invmod_odd_m(a, &oddFactor, &oddPart) );
-  /* compute a**-1 mod evenFactor, where evenFactor == 2**k. */
-  MP_CHECKOK( s_mp_invmod_2d(   a,       k,    &evenPart) );
-
-  /* Use Chinese Remainer theorem to compute a**-1 mod m. */
-  /* let m1 = oddFactor,  v1 = oddPart, 
-   * let m2 = evenFactor, v2 = evenPart.
-   */
-
-  /* Compute C2 = m1**-1 mod m2. */
-  MP_CHECKOK( s_mp_invmod_2d(&oddFactor, k,    &C2) );
-
-  /* compute u = (v2 - v1)*C2 mod m2 */
-  MP_CHECKOK( mp_sub(&evenPart, &oddPart,   &tmp1) );
-  MP_CHECKOK( mp_mul(&tmp1,     &C2,        &tmp2) );
-  s_mp_mod_2d(&tmp2, k);
-  while (MP_SIGN(&tmp2) != MP_ZPOS) {
-    MP_CHECKOK( mp_add(&tmp2, &evenFactor, &tmp2) );
-  }
-
-  /* compute answer = v1 + u*m1 */
-  MP_CHECKOK( mp_mul(&tmp2,     &oddFactor, c) );
-  MP_CHECKOK( mp_add(&oddPart,  c,          c) );
-  /* not sure this is necessary, but it's low cost if not. */
-  MP_CHECKOK( mp_mod(c,         m,          c) );
-
-CLEANUP:
-  mp_clear(&oddFactor);
-  mp_clear(&evenFactor);
-  mp_clear(&oddPart);
-  mp_clear(&evenPart);
-  mp_clear(&C2);
-  mp_clear(&tmp1);
-  mp_clear(&tmp2);
-  return res;
-}
-
-
-/* {{{ mp_invmod(a, m, c) */
-
-/*
-  mp_invmod(a, m, c)
-
-  Compute c = a^-1 (mod m), if there is an inverse for a (mod m).
-  This is equivalent to the question of whether (a, m) = 1.  If not,
-  MP_UNDEF is returned, and there is no inverse.
- */
-
-mp_err mp_invmod(const mp_int *a, const mp_int *m, mp_int *c)
-{
-
-  ARGCHK(a && m && c, MP_BADARG);
-
-  if(mp_cmp_z(a) == 0 || mp_cmp_z(m) == 0)
-    return MP_RANGE;
-
-  if (mp_isodd(m)) {
-    return s_mp_invmod_odd_m(a, m, c);
-  }
-  if (mp_iseven(a))
-    return MP_UNDEF;	/* not invertable */
-
-  return s_mp_invmod_even_m(a, m, c);
-
-} /* end mp_invmod() */
-
-/* }}} */
-#endif /* if MP_NUMTH */
-
-/* }}} */
-
-/*------------------------------------------------------------------------*/
-/* {{{ mp_print(mp, ofp) */
-
-#if MP_IOFUNC
-/*
-  mp_print(mp, ofp)
-
-  Print a textual representation of the given mp_int on the output
-  stream 'ofp'.  Output is generated using the internal radix.
- */
-
-void   mp_print(mp_int *mp, FILE *ofp)
-{
-  int   ix;
-
-  if(mp == NULL || ofp == NULL)
-    return;
-
-  fputc((SIGN(mp) == NEG) ? '-' : '+', ofp);
-
-  for(ix = USED(mp) - 1; ix >= 0; ix--) {
-    fprintf(ofp, DIGIT_FMT, DIGIT(mp, ix));
-  }
-
-} /* end mp_print() */
-
-#endif /* if MP_IOFUNC */
-
-/* }}} */
-
-/*------------------------------------------------------------------------*/
-/* {{{ More I/O Functions */
-
-/* {{{ mp_read_raw(mp, str, len) */
-
-/* 
-   mp_read_raw(mp, str, len)
-
-   Read in a raw value (base 256) into the given mp_int
- */
-
-mp_err  mp_read_raw(mp_int *mp, char *str, int len)
-{
-  int            ix;
-  mp_err         res;
-  unsigned char *ustr = (unsigned char *)str;
-
-  ARGCHK(mp != NULL && str != NULL && len > 0, MP_BADARG);
-
-  mp_zero(mp);
-
-  /* Get sign from first byte */
-  if(ustr[0])
-    SIGN(mp) = NEG;
-  else
-    SIGN(mp) = ZPOS;
-
-  /* Read the rest of the digits */
-  for(ix = 1; ix < len; ix++) {
-    if((res = mp_mul_d(mp, 256, mp)) != MP_OKAY)
-      return res;
-    if((res = mp_add_d(mp, ustr[ix], mp)) != MP_OKAY)
-      return res;
-  }
-
-  return MP_OKAY;
-
-} /* end mp_read_raw() */
-
-/* }}} */
-
-/* {{{ mp_raw_size(mp) */
-
-int    mp_raw_size(mp_int *mp)
-{
-  ARGCHK(mp != NULL, 0);
-
-  return (USED(mp) * sizeof(mp_digit)) + 1;
-
-} /* end mp_raw_size() */
-
-/* }}} */
-
-/* {{{ mp_toraw(mp, str) */
-
-mp_err mp_toraw(mp_int *mp, char *str)
-{
-  int  ix, jx, pos = 1;
-
-  ARGCHK(mp != NULL && str != NULL, MP_BADARG);
-
-  str[0] = (char)SIGN(mp);
-
-  /* Iterate over each digit... */
-  for(ix = USED(mp) - 1; ix >= 0; ix--) {
-    mp_digit  d = DIGIT(mp, ix);
-
-    /* Unpack digit bytes, high order first */
-    for(jx = sizeof(mp_digit) - 1; jx >= 0; jx--) {
-      str[pos++] = (char)(d >> (jx * CHAR_BIT));
-    }
-  }
-
-  return MP_OKAY;
-
-} /* end mp_toraw() */
-
-/* }}} */
-
-/* {{{ mp_read_radix(mp, str, radix) */
-
-/*
-  mp_read_radix(mp, str, radix)
-
-  Read an integer from the given string, and set mp to the resulting
-  value.  The input is presumed to be in base 10.  Leading non-digit
-  characters are ignored, and the function reads until a non-digit
-  character or the end of the string.
- */
-
-mp_err  mp_read_radix(mp_int *mp, const char *str, int radix)
-{
-  int     ix = 0, val = 0;
-  mp_err  res;
-  mp_sign sig = ZPOS;
-
-  ARGCHK(mp != NULL && str != NULL && radix >= 2 && radix <= MAX_RADIX, 
-	 MP_BADARG);
-
-  mp_zero(mp);
-
-  /* Skip leading non-digit characters until a digit or '-' or '+' */
-  while(str[ix] && 
-	(s_mp_tovalue(str[ix], radix) < 0) && 
-	str[ix] != '-' &&
-	str[ix] != '+') {
-    ++ix;
-  }
-
-  if(str[ix] == '-') {
-    sig = NEG;
-    ++ix;
-  } else if(str[ix] == '+') {
-    sig = ZPOS; /* this is the default anyway... */
-    ++ix;
-  }
-
-  while((val = s_mp_tovalue(str[ix], radix)) >= 0) {
-    if((res = s_mp_mul_d(mp, radix)) != MP_OKAY)
-      return res;
-    if((res = s_mp_add_d(mp, val)) != MP_OKAY)
-      return res;
-    ++ix;
-  }
-
-  if(s_mp_cmp_d(mp, 0) == MP_EQ)
-    SIGN(mp) = ZPOS;
-  else
-    SIGN(mp) = sig;
-
-  return MP_OKAY;
-
-} /* end mp_read_radix() */
-
-mp_err mp_read_variable_radix(mp_int *a, const char * str, int default_radix)
-{
-  int     radix = default_radix;
-  int     cx;
-  mp_sign sig   = ZPOS;
-  mp_err  res;
-
-  /* Skip leading non-digit characters until a digit or '-' or '+' */
-  while ((cx = *str) != 0 && 
-	(s_mp_tovalue(cx, radix) < 0) && 
-	cx != '-' &&
-	cx != '+') {
-    ++str;
-  }
-
-  if (cx == '-') {
-    sig = NEG;
-    ++str;
-  } else if (cx == '+') {
-    sig = ZPOS; /* this is the default anyway... */
-    ++str;
-  }
-
-  if (str[0] == '0') {
-    if ((str[1] | 0x20) == 'x') {
-      radix = 16;
-      str += 2;
-    } else {
-      radix = 8;
-      str++;
-    }
-  }
-  res = mp_read_radix(a, str, radix);
-  if (res == MP_OKAY) {
-    MP_SIGN(a) = (s_mp_cmp_d(a, 0) == MP_EQ) ? ZPOS : sig;
-  }
-  return res;
-}
-
-/* }}} */
-
-/* {{{ mp_radix_size(mp, radix) */
-
-int    mp_radix_size(mp_int *mp, int radix)
-{
-  int  bits;
-
-  if(!mp || radix < 2 || radix > MAX_RADIX)
-    return 0;
-
-  bits = USED(mp) * DIGIT_BIT - 1;
- 
-  return s_mp_outlen(bits, radix);
-
-} /* end mp_radix_size() */
-
-/* }}} */
-
-/* {{{ mp_toradix(mp, str, radix) */
-
-mp_err mp_toradix(mp_int *mp, char *str, int radix)
-{
-  int  ix, pos = 0;
-
-  ARGCHK(mp != NULL && str != NULL, MP_BADARG);
-  ARGCHK(radix > 1 && radix <= MAX_RADIX, MP_RANGE);
-
-  if(mp_cmp_z(mp) == MP_EQ) {
-    str[0] = '0';
-    str[1] = '\0';
-  } else {
-    mp_err   res;
-    mp_int   tmp;
-    mp_sign  sgn;
-    mp_digit rem, rdx = (mp_digit)radix;
-    char     ch;
-
-    if((res = mp_init_copy(&tmp, mp)) != MP_OKAY)
-      return res;
-
-    /* Save sign for later, and take absolute value */
-    sgn = SIGN(&tmp); SIGN(&tmp) = ZPOS;
-
-    /* Generate output digits in reverse order      */
-    while(mp_cmp_z(&tmp) != 0) {
-      if((res = mp_div_d(&tmp, rdx, &tmp, &rem)) != MP_OKAY) {
-	mp_clear(&tmp);
-	return res;
-      }
-
-      /* Generate digits, use capital letters */
-      ch = s_mp_todigit(rem, radix, 0);
-
-      str[pos++] = ch;
-    }
-
-    /* Add - sign if original value was negative */
-    if(sgn == NEG)
-      str[pos++] = '-';
-
-    /* Add trailing NUL to end the string        */
-    str[pos--] = '\0';
-
-    /* Reverse the digits and sign indicator     */
-    ix = 0;
-    while(ix < pos) {
-      char tmp = str[ix];
-
-      str[ix] = str[pos];
-      str[pos] = tmp;
-      ++ix;
-      --pos;
-    }
-    
-    mp_clear(&tmp);
-  }
-
-  return MP_OKAY;
-
-} /* end mp_toradix() */
-
-/* }}} */
-
-/* {{{ mp_tovalue(ch, r) */
-
-int    mp_tovalue(char ch, int r)
-{
-  return s_mp_tovalue(ch, r);
-
-} /* end mp_tovalue() */
-
-/* }}} */
-
-/* }}} */
-
-/* {{{ mp_strerror(ec) */
-
-/*
-  mp_strerror(ec)
-
-  Return a string describing the meaning of error code 'ec'.  The
-  string returned is allocated in static memory, so the caller should
-  not attempt to modify or free the memory associated with this
-  string.
- */
-const char  *mp_strerror(mp_err ec)
-{
-  int   aec = (ec < 0) ? -ec : ec;
-
-  /* Code values are negative, so the senses of these comparisons
-     are accurate */
-  if(ec < MP_LAST_CODE || ec > MP_OKAY) {
-    return mp_err_string[0];  /* unknown error code */
-  } else {
-    return mp_err_string[aec + 1];
-  }
-
-} /* end mp_strerror() */
-
-/* }}} */
-
-/*========================================================================*/
-/*------------------------------------------------------------------------*/
-/* Static function definitions (internal use only)                        */
-
-/* {{{ Memory management */
-
-/* {{{ s_mp_grow(mp, min) */
-
-/* Make sure there are at least 'min' digits allocated to mp              */
-mp_err   s_mp_grow(mp_int *mp, mp_size min)
-{
-  if(min > ALLOC(mp)) {
-    mp_digit   *tmp;
-
-    /* Set min to next nearest default precision block size */
-    min = MP_ROUNDUP(min, s_mp_defprec);
-
-    if((tmp = s_mp_alloc(min, sizeof(mp_digit))) == NULL)
-      return MP_MEM;
-
-    s_mp_copy(DIGITS(mp), tmp, USED(mp));
-
-#if MP_CRYPTO
-    s_mp_setz(DIGITS(mp), ALLOC(mp));
-#endif
-    s_mp_free(DIGITS(mp));
-    DIGITS(mp) = tmp;
-    ALLOC(mp) = min;
-  }
-
-  return MP_OKAY;
-
-} /* end s_mp_grow() */
-
-/* }}} */
-
-/* {{{ s_mp_pad(mp, min) */
-
-/* Make sure the used size of mp is at least 'min', growing if needed     */
-mp_err   s_mp_pad(mp_int *mp, mp_size min)
-{
-  if(min > USED(mp)) {
-    mp_err  res;
-
-    /* Make sure there is room to increase precision  */
-    if (min > ALLOC(mp)) {
-      if ((res = s_mp_grow(mp, min)) != MP_OKAY)
-	return res;
-    } else {
-      s_mp_setz(DIGITS(mp) + USED(mp), min - USED(mp));
-    }
-
-    /* Increase precision; should already be 0-filled */
-    USED(mp) = min;
-  }
-
-  return MP_OKAY;
-
-} /* end s_mp_pad() */
-
-/* }}} */
-
-/* {{{ s_mp_setz(dp, count) */
-
-#if MP_MACRO == 0
-/* Set 'count' digits pointed to by dp to be zeroes                       */
-void s_mp_setz(mp_digit *dp, mp_size count)
-{
-#if MP_MEMSET == 0
-  int  ix;
-
-  for(ix = 0; ix < count; ix++)
-    dp[ix] = 0;
-#else
-  memset(dp, 0, count * sizeof(mp_digit));
-#endif
-
-} /* end s_mp_setz() */
-#endif
-
-/* }}} */
-
-/* {{{ s_mp_copy(sp, dp, count) */
-
-#if MP_MACRO == 0
-/* Copy 'count' digits from sp to dp                                      */
-void s_mp_copy(const mp_digit *sp, mp_digit *dp, mp_size count)
-{
-#if MP_MEMCPY == 0
-  int  ix;
-
-  for(ix = 0; ix < count; ix++)
-    dp[ix] = sp[ix];
-#else
-  memcpy(dp, sp, count * sizeof(mp_digit));
-#endif
-
-} /* end s_mp_copy() */
-#endif
-
-/* }}} */
-
-/* {{{ s_mp_alloc(nb, ni) */
-
-#if MP_MACRO == 0
-/* Allocate ni records of nb bytes each, and return a pointer to that     */
-void    *s_mp_alloc(size_t nb, size_t ni)
-{
-  ++mp_allocs;
-  return calloc(nb, ni);
-
-} /* end s_mp_alloc() */
-#endif
-
-/* }}} */
-
-/* {{{ s_mp_free(ptr) */
-
-#if MP_MACRO == 0
-/* Free the memory pointed to by ptr                                      */
-void     s_mp_free(void *ptr)
-{
-  if(ptr) {
-    ++mp_frees;
-    free(ptr);
-  }
-} /* end s_mp_free() */
-#endif
-
-/* }}} */
-
-/* {{{ s_mp_clamp(mp) */
-
-#if MP_MACRO == 0
-/* Remove leading zeroes from the given value                             */
-void     s_mp_clamp(mp_int *mp)
-{
-  mp_size used = MP_USED(mp);
-  while (used > 1 && DIGIT(mp, used - 1) == 0)
-    --used;
-  MP_USED(mp) = used;
-} /* end s_mp_clamp() */
-#endif
-
-/* }}} */
-
-/* {{{ s_mp_exch(a, b) */
-
-/* Exchange the data for a and b; (b, a) = (a, b)                         */
-void     s_mp_exch(mp_int *a, mp_int *b)
-{
-  mp_int   tmp;
-
-  tmp = *a;
-  *a = *b;
-  *b = tmp;
-
-} /* end s_mp_exch() */
-
-/* }}} */
-
-/* }}} */
-
-/* {{{ Arithmetic helpers */
-
-/* {{{ s_mp_lshd(mp, p) */
-
-/* 
-   Shift mp leftward by p digits, growing if needed, and zero-filling
-   the in-shifted digits at the right end.  This is a convenient
-   alternative to multiplication by powers of the radix
-   The value of USED(mp) must already have been set to the value for
-   the shifted result.
- */   
-
-mp_err   s_mp_lshd(mp_int *mp, mp_size p)
-{
-  mp_err  res;
-  mp_size pos;
-  int     ix;
-
-  if(p == 0)
-    return MP_OKAY;
-
-  if (MP_USED(mp) == 1 && MP_DIGIT(mp, 0) == 0)
-    return MP_OKAY;
-
-  if((res = s_mp_pad(mp, USED(mp) + p)) != MP_OKAY)
-    return res;
-
-  pos = USED(mp) - 1;
-
-  /* Shift all the significant figures over as needed */
-  for(ix = pos - p; ix >= 0; ix--) 
-    DIGIT(mp, ix + p) = DIGIT(mp, ix);
-
-  /* Fill the bottom digits with zeroes */
-  for(ix = 0; ix < p; ix++)
-    DIGIT(mp, ix) = 0;
-
-  return MP_OKAY;
-
-} /* end s_mp_lshd() */
-
-/* }}} */
-
-/* {{{ s_mp_mul_2d(mp, d) */
-
-/*
-  Multiply the integer by 2^d, where d is a number of bits.  This
-  amounts to a bitwise shift of the value.
- */
-mp_err   s_mp_mul_2d(mp_int *mp, mp_digit d)
-{
-  mp_err   res;
-  mp_digit dshift, bshift;
-  mp_digit mask;
-
-  ARGCHK(mp != NULL,  MP_BADARG);
-
-  dshift = d / MP_DIGIT_BIT;
-  bshift = d % MP_DIGIT_BIT;
-  /* bits to be shifted out of the top word */
-  mask   = ((mp_digit)~0 << (MP_DIGIT_BIT - bshift)); 
-  mask  &= MP_DIGIT(mp, MP_USED(mp) - 1);
-
-  if (MP_OKAY != (res = s_mp_pad(mp, MP_USED(mp) + dshift + (mask != 0) )))
-    return res;
-
-  if (dshift && MP_OKAY != (res = s_mp_lshd(mp, dshift)))
-    return res;
-
-  if (bshift) { 
-    mp_digit *pa = MP_DIGITS(mp);
-    mp_digit *alim = pa + MP_USED(mp);
-    mp_digit  prev = 0;
-
-    for (pa += dshift; pa < alim; ) {
-      mp_digit x = *pa;
-      *pa++ = (x << bshift) | prev;
-      prev = x >> (DIGIT_BIT - bshift);
-    }
-  }
-
-  s_mp_clamp(mp);
-  return MP_OKAY;
-} /* end s_mp_mul_2d() */
-
-/* {{{ s_mp_rshd(mp, p) */
-
-/* 
-   Shift mp rightward by p digits.  Maintains the invariant that
-   digits above the precision are all zero.  Digits shifted off the
-   end are lost.  Cannot fail.
- */
-
-void     s_mp_rshd(mp_int *mp, mp_size p)
-{
-  mp_size  ix;
-  mp_digit *src, *dst;
-
-  if(p == 0)
-    return;
-
-  /* Shortcut when all digits are to be shifted off */
-  if(p >= USED(mp)) {
-    s_mp_setz(DIGITS(mp), ALLOC(mp));
-    USED(mp) = 1;
-    SIGN(mp) = ZPOS;
-    return;
-  }
-
-  /* Shift all the significant figures over as needed */
-  dst = MP_DIGITS(mp);
-  src = dst + p;
-  for (ix = USED(mp) - p; ix > 0; ix--)
-    *dst++ = *src++;
-
-  MP_USED(mp) -= p;
-  /* Fill the top digits with zeroes */
-  while (p-- > 0)
-    *dst++ = 0;
-
-#if 0
-  /* Strip off any leading zeroes    */
-  s_mp_clamp(mp);
-#endif
-
-} /* end s_mp_rshd() */
-
-/* }}} */
-
-/* {{{ s_mp_div_2(mp) */
-
-/* Divide by two -- take advantage of radix properties to do it fast      */
-void     s_mp_div_2(mp_int *mp)
-{
-  s_mp_div_2d(mp, 1);
-
-} /* end s_mp_div_2() */
-
-/* }}} */
-
-/* {{{ s_mp_mul_2(mp) */
-
-mp_err s_mp_mul_2(mp_int *mp)
-{
-  mp_digit *pd;
-  int      ix, used;
-  mp_digit kin = 0;
-
-  /* Shift digits leftward by 1 bit */
-  used = MP_USED(mp);
-  pd = MP_DIGITS(mp);
-  for (ix = 0; ix < used; ix++) {
-    mp_digit d = *pd;
-    *pd++ = (d << 1) | kin;
-    kin = (d >> (DIGIT_BIT - 1));
-  }
-
-  /* Deal with rollover from last digit */
-  if (kin) {
-    if (ix >= ALLOC(mp)) {
-      mp_err res;
-      if((res = s_mp_grow(mp, ALLOC(mp) + 1)) != MP_OKAY)
-	return res;
-    }
-
-    DIGIT(mp, ix) = kin;
-    USED(mp) += 1;
-  }
-
-  return MP_OKAY;
-
-} /* end s_mp_mul_2() */
-
-/* }}} */
-
-/* {{{ s_mp_mod_2d(mp, d) */
-
-/*
-  Remainder the integer by 2^d, where d is a number of bits.  This
-  amounts to a bitwise AND of the value, and does not require the full
-  division code
- */
-void     s_mp_mod_2d(mp_int *mp, mp_digit d)
-{
-  mp_size  ndig = (d / DIGIT_BIT), nbit = (d % DIGIT_BIT);
-  mp_size  ix;
-  mp_digit dmask;
-
-  if(ndig >= USED(mp))
-    return;
-
-  /* Flush all the bits above 2^d in its digit */
-  dmask = ((mp_digit)1 << nbit) - 1;
-  DIGIT(mp, ndig) &= dmask;
-
-  /* Flush all digits above the one with 2^d in it */
-  for(ix = ndig + 1; ix < USED(mp); ix++)
-    DIGIT(mp, ix) = 0;
-
-  s_mp_clamp(mp);
-
-} /* end s_mp_mod_2d() */
-
-/* }}} */
-
-/* {{{ s_mp_div_2d(mp, d) */
-
-/*
-  Divide the integer by 2^d, where d is a number of bits.  This
-  amounts to a bitwise shift of the value, and does not require the
-  full division code (used in Barrett reduction, see below)
- */
-void     s_mp_div_2d(mp_int *mp, mp_digit d)
-{
-  int       ix;
-  mp_digit  save, next, mask;
-
-  s_mp_rshd(mp, d / DIGIT_BIT);
-  d %= DIGIT_BIT;
-  if (d) {
-    mask = ((mp_digit)1 << d) - 1;
-    save = 0;
-    for(ix = USED(mp) - 1; ix >= 0; ix--) {
-      next = DIGIT(mp, ix) & mask;
-      DIGIT(mp, ix) = (DIGIT(mp, ix) >> d) | (save << (DIGIT_BIT - d));
-      save = next;
-    }
-  }
-  s_mp_clamp(mp);
-
-} /* end s_mp_div_2d() */
-
-/* }}} */
-
-/* {{{ s_mp_norm(a, b, *d) */
-
-/*
-  s_mp_norm(a, b, *d)
-
-  Normalize a and b for division, where b is the divisor.  In order
-  that we might make good guesses for quotient digits, we want the
-  leading digit of b to be at least half the radix, which we
-  accomplish by multiplying a and b by a power of 2.  The exponent 
-  (shift count) is placed in *pd, so that the remainder can be shifted 
-  back at the end of the division process.
- */
-
-mp_err   s_mp_norm(mp_int *a, mp_int *b, mp_digit *pd)
-{
-  mp_digit  d;
-  mp_digit  mask;
-  mp_digit  b_msd;
-  mp_err    res    = MP_OKAY;
-
-  d = 0;
-  mask  = DIGIT_MAX & ~(DIGIT_MAX >> 1);	/* mask is msb of digit */
-  b_msd = DIGIT(b, USED(b) - 1);
-  while (!(b_msd & mask)) {
-    b_msd <<= 1;
-    ++d;
-  }
-
-  if (d) {
-    MP_CHECKOK( s_mp_mul_2d(a, d) );
-    MP_CHECKOK( s_mp_mul_2d(b, d) );
-  }
-
-  *pd = d;
-CLEANUP:
-  return res;
-
-} /* end s_mp_norm() */
-
-/* }}} */
-
-/* }}} */
-
-/* {{{ Primitive digit arithmetic */
-
-/* {{{ s_mp_add_d(mp, d) */
-
-/* Add d to |mp| in place                                                 */
-mp_err   s_mp_add_d(mp_int *mp, mp_digit d)    /* unsigned digit addition */
-{
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
-  mp_word   w, k = 0;
-  mp_size   ix = 1;
-
-  w = (mp_word)DIGIT(mp, 0) + d;
-  DIGIT(mp, 0) = ACCUM(w);
-  k = CARRYOUT(w);
-
-  while(ix < USED(mp) && k) {
-    w = (mp_word)DIGIT(mp, ix) + k;
-    DIGIT(mp, ix) = ACCUM(w);
-    k = CARRYOUT(w);
-    ++ix;
-  }
-
-  if(k != 0) {
-    mp_err  res;
-
-    if((res = s_mp_pad(mp, USED(mp) + 1)) != MP_OKAY)
-      return res;
-
-    DIGIT(mp, ix) = (mp_digit)k;
-  }
-
-  return MP_OKAY;
-#else
-  mp_digit * pmp = MP_DIGITS(mp);
-  mp_digit sum, mp_i, carry = 0;
-  mp_err   res = MP_OKAY;
-  int used = (int)MP_USED(mp);
-
-  mp_i = *pmp;
-  *pmp++ = sum = d + mp_i;
-  carry = (sum < d);
-  while (carry && --used > 0) {
-    mp_i = *pmp;
-    *pmp++ = sum = carry + mp_i;
-    carry = !sum;
-  }
-  if (carry && !used) {
-    /* mp is growing */
-    used = MP_USED(mp);
-    MP_CHECKOK( s_mp_pad(mp, used + 1) );
-    MP_DIGIT(mp, used) = carry;
-  }
-CLEANUP:
-  return res;
-#endif
-} /* end s_mp_add_d() */
-
-/* }}} */
-
-/* {{{ s_mp_sub_d(mp, d) */
-
-/* Subtract d from |mp| in place, assumes |mp| > d                        */
-mp_err   s_mp_sub_d(mp_int *mp, mp_digit d)    /* unsigned digit subtract */
-{
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_SUB_WORD)
-  mp_word   w, b = 0;
-  mp_size   ix = 1;
-
-  /* Compute initial subtraction    */
-  w = (RADIX + (mp_word)DIGIT(mp, 0)) - d;
-  b = CARRYOUT(w) ? 0 : 1;
-  DIGIT(mp, 0) = ACCUM(w);
-
-  /* Propagate borrows leftward     */
-  while(b && ix < USED(mp)) {
-    w = (RADIX + (mp_word)DIGIT(mp, ix)) - b;
-    b = CARRYOUT(w) ? 0 : 1;
-    DIGIT(mp, ix) = ACCUM(w);
-    ++ix;
-  }
-
-  /* Remove leading zeroes          */
-  s_mp_clamp(mp);
-
-  /* If we have a borrow out, it's a violation of the input invariant */
-  if(b)
-    return MP_RANGE;
-  else
-    return MP_OKAY;
-#else
-  mp_digit *pmp = MP_DIGITS(mp);
-  mp_digit mp_i, diff, borrow;
-  mp_size  used = MP_USED(mp);
-
-  mp_i = *pmp;
-  *pmp++ = diff = mp_i - d;
-  borrow = (diff > mp_i);
-  while (borrow && --used) {
-    mp_i = *pmp;
-    *pmp++ = diff = mp_i - borrow;
-    borrow = (diff > mp_i);
-  }
-  s_mp_clamp(mp);
-  return (borrow && !used) ? MP_RANGE : MP_OKAY;
-#endif
-} /* end s_mp_sub_d() */
-
-/* }}} */
-
-/* {{{ s_mp_mul_d(a, d) */
-
-/* Compute a = a * d, single digit multiplication                         */
-mp_err   s_mp_mul_d(mp_int *a, mp_digit d)
-{
-  mp_err  res;
-  mp_size used;
-  int     pow;
-
-  if (!d) {
-    mp_zero(a);
-    return MP_OKAY;
-  }
-  if (d == 1)
-    return MP_OKAY;
-  if (0 <= (pow = s_mp_ispow2d(d))) {
-    return s_mp_mul_2d(a, (mp_digit)pow);
-  }
-
-  used = MP_USED(a);
-  MP_CHECKOK( s_mp_pad(a, used + 1) );
-
-  s_mpv_mul_d(MP_DIGITS(a), used, d, MP_DIGITS(a));
-
-  s_mp_clamp(a);
-
-CLEANUP:
-  return res;
-  
-} /* end s_mp_mul_d() */
-
-/* }}} */
-
-/* {{{ s_mp_div_d(mp, d, r) */
-
-/*
-  s_mp_div_d(mp, d, r)
-
-  Compute the quotient mp = mp / d and remainder r = mp mod d, for a
-  single digit d.  If r is null, the remainder will be discarded.
- */
-
-mp_err   s_mp_div_d(mp_int *mp, mp_digit d, mp_digit *r)
-{
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_DIV_WORD)
-  mp_word   w = 0, q;
-#else
-  mp_digit  w, q;
-#endif
-  int       ix;
-  mp_err    res;
-  mp_int    quot;
-  mp_int    rem;
-
-  if(d == 0)
-    return MP_RANGE;
-  if (d == 1) {
-    if (r)
-      *r = 0;
-    return MP_OKAY;
-  }
-  /* could check for power of 2 here, but mp_div_d does that. */
-  if (MP_USED(mp) == 1) {
-    mp_digit n   = MP_DIGIT(mp,0);
-    mp_digit rem;
-
-    q   = n / d;
-    rem = n % d;
-    MP_DIGIT(mp,0) = q;
-    if (r)
-      *r = rem;
-    return MP_OKAY;
-  }
-
-  MP_DIGITS(&rem)  = 0;
-  MP_DIGITS(&quot) = 0;
-  /* Make room for the quotient */
-  MP_CHECKOK( mp_init_size(&quot, USED(mp)) );
-
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_DIV_WORD)
-  for(ix = USED(mp) - 1; ix >= 0; ix--) {
-    w = (w << DIGIT_BIT) | DIGIT(mp, ix);
-
-    if(w >= d) {
-      q = w / d;
-      w = w % d;
-    } else {
-      q = 0;
-    }
-
-    s_mp_lshd(&quot, 1);
-    DIGIT(&quot, 0) = (mp_digit)q;
-  }
-#else
-  {
-    mp_digit p;
-#if !defined(MP_ASSEMBLY_DIV_2DX1D)
-    mp_digit norm;
-#endif
-
-    MP_CHECKOK( mp_init_copy(&rem, mp) );
-
-#if !defined(MP_ASSEMBLY_DIV_2DX1D)
-    MP_DIGIT(&quot, 0) = d;
-    MP_CHECKOK( s_mp_norm(&rem, &quot, &norm) );
-    if (norm)
-      d <<= norm;
-    MP_DIGIT(&quot, 0) = 0;
-#endif
-
-    p = 0;
-    for (ix = USED(&rem) - 1; ix >= 0; ix--) {
-      w = DIGIT(&rem, ix);
-
-      if (p) {
-        MP_CHECKOK( s_mpv_div_2dx1d(p, w, d, &q, &w) );
-      } else if (w >= d) {
-	q = w / d;
-	w = w % d;
-      } else {
-	q = 0;
-      }
-
-      MP_CHECKOK( s_mp_lshd(&quot, 1) );
-      DIGIT(&quot, 0) = q;
-      p = w;
-    }
-#if !defined(MP_ASSEMBLY_DIV_2DX1D)
-    if (norm)
-      w >>= norm;
-#endif
-  }
-#endif
-
-  /* Deliver the remainder, if desired */
-  if(r)
-    *r = (mp_digit)w;
-
-  s_mp_clamp(&quot);
-  mp_exch(&quot, mp);
-CLEANUP:
-  mp_clear(&quot);
-  mp_clear(&rem);
-
-  return res;
-} /* end s_mp_div_d() */
-
-/* }}} */
-
-
-/* }}} */
-
-/* {{{ Primitive full arithmetic */
-
-/* {{{ s_mp_add(a, b) */
-
-/* Compute a = |a| + |b|                                                  */
-mp_err   s_mp_add(mp_int *a, const mp_int *b)  /* magnitude addition      */
-{
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
-  mp_word   w = 0;
-#else
-  mp_digit  d, sum, carry = 0;
-#endif
-  mp_digit *pa, *pb;
-  mp_size   ix;
-  mp_size   used;
-  mp_err    res;
-
-  /* Make sure a has enough precision for the output value */
-  if((USED(b) > USED(a)) && (res = s_mp_pad(a, USED(b))) != MP_OKAY)
-    return res;
-
-  /*
-    Add up all digits up to the precision of b.  If b had initially
-    the same precision as a, or greater, we took care of it by the
-    padding step above, so there is no problem.  If b had initially
-    less precision, we'll have to make sure the carry out is duly
-    propagated upward among the higher-order digits of the sum.
-   */
-  pa = MP_DIGITS(a);
-  pb = MP_DIGITS(b);
-  used = MP_USED(b);
-  for(ix = 0; ix < used; ix++) {
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
-    w = w + *pa + *pb++;
-    *pa++ = ACCUM(w);
-    w = CARRYOUT(w);
-#else
-    d = *pa;
-    sum = d + *pb++;
-    d = (sum < d);			/* detect overflow */
-    *pa++ = sum += carry;
-    carry = d + (sum < carry);		/* detect overflow */
-#endif
-  }
-
-  /* If we run out of 'b' digits before we're actually done, make
-     sure the carries get propagated upward...  
-   */
-  used = MP_USED(a);
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
-  while (w && ix < used) {
-    w = w + *pa;
-    *pa++ = ACCUM(w);
-    w = CARRYOUT(w);
-    ++ix;
-  }
-#else
-  while (carry && ix < used) {
-    sum = carry + *pa;
-    *pa++ = sum;
-    carry = !sum;
-    ++ix;
-  }
-#endif
-
-  /* If there's an overall carry out, increase precision and include
-     it.  We could have done this initially, but why touch the memory
-     allocator unless we're sure we have to?
-   */
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
-  if (w) {
-    if((res = s_mp_pad(a, used + 1)) != MP_OKAY)
-      return res;
-
-    DIGIT(a, ix) = (mp_digit)w;
-  }
-#else
-  if (carry) {
-    if((res = s_mp_pad(a, used + 1)) != MP_OKAY)
-      return res;
-
-    DIGIT(a, used) = carry;
-  }
-#endif
-
-  return MP_OKAY;
-} /* end s_mp_add() */
-
-/* }}} */
-
-/* Compute c = |a| + |b|         */ /* magnitude addition      */
-mp_err   s_mp_add_3arg(const mp_int *a, const mp_int *b, mp_int *c)  
-{
-  mp_digit *pa, *pb, *pc;
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
-  mp_word   w = 0;
-#else
-  mp_digit  sum, carry = 0, d;
-#endif
-  mp_size   ix;
-  mp_size   used;
-  mp_err    res;
-
-  MP_SIGN(c) = MP_SIGN(a);
-  if (MP_USED(a) < MP_USED(b)) {
-    const mp_int *xch = a;
-    a = b;
-    b = xch;
-  }
-
-  /* Make sure a has enough precision for the output value */
-  if (MP_OKAY != (res = s_mp_pad(c, MP_USED(a))))
-    return res;
-
-  /*
-    Add up all digits up to the precision of b.  If b had initially
-    the same precision as a, or greater, we took care of it by the
-    exchange step above, so there is no problem.  If b had initially
-    less precision, we'll have to make sure the carry out is duly
-    propagated upward among the higher-order digits of the sum.
-   */
-  pa = MP_DIGITS(a);
-  pb = MP_DIGITS(b);
-  pc = MP_DIGITS(c);
-  used = MP_USED(b);
-  for (ix = 0; ix < used; ix++) {
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
-    w = w + *pa++ + *pb++;
-    *pc++ = ACCUM(w);
-    w = CARRYOUT(w);
-#else
-    d = *pa++;
-    sum = d + *pb++;
-    d = (sum < d);			/* detect overflow */
-    *pc++ = sum += carry;
-    carry = d + (sum < carry);		/* detect overflow */
-#endif
-  }
-
-  /* If we run out of 'b' digits before we're actually done, make
-     sure the carries get propagated upward...  
-   */
-  for (used = MP_USED(a); ix < used; ++ix) {
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
-    w = w + *pa++;
-    *pc++ = ACCUM(w);
-    w = CARRYOUT(w);
-#else
-    *pc++ = sum = carry + *pa++;
-    carry = (sum < carry);
-#endif
-  }
-
-  /* If there's an overall carry out, increase precision and include
-     it.  We could have done this initially, but why touch the memory
-     allocator unless we're sure we have to?
-   */
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
-  if (w) {
-    if((res = s_mp_pad(c, used + 1)) != MP_OKAY)
-      return res;
-
-    DIGIT(c, used) = (mp_digit)w;
-    ++used;
-  }
-#else
-  if (carry) {
-    if((res = s_mp_pad(c, used + 1)) != MP_OKAY)
-      return res;
-
-    DIGIT(c, used) = carry;
-    ++used;
-  }
-#endif
-  MP_USED(c) = used;
-  return MP_OKAY;
-}
-/* {{{ s_mp_add_offset(a, b, offset) */
-
-/* Compute a = |a| + ( |b| * (RADIX ** offset) )             */
-mp_err   s_mp_add_offset(mp_int *a, mp_int *b, mp_size offset)   
-{
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
-  mp_word   w, k = 0;
-#else
-  mp_digit  d, sum, carry = 0;
-#endif
-  mp_size   ib;
-  mp_size   ia;
-  mp_size   lim;
-  mp_err    res;
-
-  /* Make sure a has enough precision for the output value */
-  lim = MP_USED(b) + offset;
-  if((lim > USED(a)) && (res = s_mp_pad(a, lim)) != MP_OKAY)
-    return res;
-
-  /*
-    Add up all digits up to the precision of b.  If b had initially
-    the same precision as a, or greater, we took care of it by the
-    padding step above, so there is no problem.  If b had initially
-    less precision, we'll have to make sure the carry out is duly
-    propagated upward among the higher-order digits of the sum.
-   */
-  lim = USED(b);
-  for(ib = 0, ia = offset; ib < lim; ib++, ia++) {
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
-    w = (mp_word)DIGIT(a, ia) + DIGIT(b, ib) + k;
-    DIGIT(a, ia) = ACCUM(w);
-    k = CARRYOUT(w);
-#else
-    d = MP_DIGIT(a, ia);
-    sum = d + MP_DIGIT(b, ib);
-    d = (sum < d);
-    MP_DIGIT(a,ia) = sum += carry;
-    carry = d + (sum < carry);
-#endif
-  }
-
-  /* If we run out of 'b' digits before we're actually done, make
-     sure the carries get propagated upward...  
-   */
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
-  for (lim = MP_USED(a); k && (ia < lim); ++ia) {
-    w = (mp_word)DIGIT(a, ia) + k;
-    DIGIT(a, ia) = ACCUM(w);
-    k = CARRYOUT(w);
-  }
-#else
-  for (lim = MP_USED(a); carry && (ia < lim); ++ia) {
-    d = MP_DIGIT(a, ia);
-    MP_DIGIT(a,ia) = sum = d + carry;
-    carry = (sum < d);
-  }
-#endif
-
-  /* If there's an overall carry out, increase precision and include
-     it.  We could have done this initially, but why touch the memory
-     allocator unless we're sure we have to?
-   */
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
-  if(k) {
-    if((res = s_mp_pad(a, USED(a) + 1)) != MP_OKAY)
-      return res;
-
-    DIGIT(a, ia) = (mp_digit)k;
-  }
-#else
-  if (carry) {
-    if((res = s_mp_pad(a, lim + 1)) != MP_OKAY)
-      return res;
-
-    DIGIT(a, lim) = carry;
-  }
-#endif
-  s_mp_clamp(a);
-
-  return MP_OKAY;
-
-} /* end s_mp_add_offset() */
-
-/* }}} */
-
-/* {{{ s_mp_sub(a, b) */
-
-/* Compute a = |a| - |b|, assumes |a| >= |b|                              */
-mp_err   s_mp_sub(mp_int *a, const mp_int *b)  /* magnitude subtract      */
-{
-  mp_digit *pa, *pb, *limit;
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_SUB_WORD)
-  mp_sword  w = 0;
-#else
-  mp_digit  d, diff, borrow = 0;
-#endif
-
-  /*
-    Subtract and propagate borrow.  Up to the precision of b, this
-    accounts for the digits of b; after that, we just make sure the
-    carries get to the right place.  This saves having to pad b out to
-    the precision of a just to make the loops work right...
-   */
-  pa = MP_DIGITS(a);
-  pb = MP_DIGITS(b);
-  limit = pb + MP_USED(b);
-  while (pb < limit) {
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_SUB_WORD)
-    w = w + *pa - *pb++;
-    *pa++ = ACCUM(w);
-    w >>= MP_DIGIT_BIT;
-#else
-    d = *pa;
-    diff = d - *pb++;
-    d = (diff > d);				/* detect borrow */
-    if (borrow && --diff == MP_DIGIT_MAX)
-      ++d;
-    *pa++ = diff;
-    borrow = d;	
-#endif
-  }
-  limit = MP_DIGITS(a) + MP_USED(a);
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_SUB_WORD)
-  while (w && pa < limit) {
-    w = w + *pa;
-    *pa++ = ACCUM(w);
-    w >>= MP_DIGIT_BIT;
-  }
-#else
-  while (borrow && pa < limit) {
-    d = *pa;
-    *pa++ = diff = d - borrow;
-    borrow = (diff > d);
-  }
-#endif
-
-  /* Clobber any leading zeroes we created    */
-  s_mp_clamp(a);
-
-  /* 
-     If there was a borrow out, then |b| > |a| in violation
-     of our input invariant.  We've already done the work,
-     but we'll at least complain about it...
-   */
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_SUB_WORD)
-  return w ? MP_RANGE : MP_OKAY;
-#else
-  return borrow ? MP_RANGE : MP_OKAY;
-#endif
-} /* end s_mp_sub() */
-
-/* }}} */
-
-/* Compute c = |a| - |b|, assumes |a| >= |b| */ /* magnitude subtract      */
-mp_err   s_mp_sub_3arg(const mp_int *a, const mp_int *b, mp_int *c)  
-{
-  mp_digit *pa, *pb, *pc;
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_SUB_WORD)
-  mp_sword  w = 0;
-#else
-  mp_digit  d, diff, borrow = 0;
-#endif
-  int       ix, limit;
-  mp_err    res;
-
-  MP_SIGN(c) = MP_SIGN(a);
-
-  /* Make sure a has enough precision for the output value */
-  if (MP_OKAY != (res = s_mp_pad(c, MP_USED(a))))
-    return res;
-
-  /*
-    Subtract and propagate borrow.  Up to the precision of b, this
-    accounts for the digits of b; after that, we just make sure the
-    carries get to the right place.  This saves having to pad b out to
-    the precision of a just to make the loops work right...
-   */
-  pa = MP_DIGITS(a);
-  pb = MP_DIGITS(b);
-  pc = MP_DIGITS(c);
-  limit = MP_USED(b);
-  for (ix = 0; ix < limit; ++ix) {
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_SUB_WORD)
-    w = w + *pa++ - *pb++;
-    *pc++ = ACCUM(w);
-    w >>= MP_DIGIT_BIT;
-#else
-    d = *pa++;
-    diff = d - *pb++;
-    d = (diff > d);
-    if (borrow && --diff == MP_DIGIT_MAX)
-      ++d;
-    *pc++ = diff;
-    borrow = d;
-#endif
-  }
-  for (limit = MP_USED(a); ix < limit; ++ix) {
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_SUB_WORD)
-    w = w + *pa++;
-    *pc++ = ACCUM(w);
-    w >>= MP_DIGIT_BIT;
-#else
-    d = *pa++;
-    *pc++ = diff = d - borrow;
-    borrow = (diff > d);
-#endif
-  }
-
-  /* Clobber any leading zeroes we created    */
-  MP_USED(c) = ix;
-  s_mp_clamp(c);
-
-  /* 
-     If there was a borrow out, then |b| > |a| in violation
-     of our input invariant.  We've already done the work,
-     but we'll at least complain about it...
-   */
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_SUB_WORD)
-  return w ? MP_RANGE : MP_OKAY;
-#else
-  return borrow ? MP_RANGE : MP_OKAY;
-#endif
-}
-/* {{{ s_mp_mul(a, b) */
-
-/* Compute a = |a| * |b|                                                  */
-mp_err   s_mp_mul(mp_int *a, const mp_int *b)
-{
-  return mp_mul(a, b, a);
-} /* end s_mp_mul() */
-
-/* }}} */
-
-#if defined(MP_USE_UINT_DIGIT) && defined(MP_USE_LONG_LONG_MULTIPLY)
-/* This trick works on Sparc V8 CPUs with the Workshop compilers. */
-#define MP_MUL_DxD(a, b, Phi, Plo) \
-  { unsigned long long product = (unsigned long long)a * b; \
-    Plo = (mp_digit)product; \
-    Phi = (mp_digit)(product >> MP_DIGIT_BIT); }
-#elif defined(OSF1)
-#define MP_MUL_DxD(a, b, Phi, Plo) \
-  { Plo = asm ("mulq %a0, %a1, %v0", a, b);\
-    Phi = asm ("umulh %a0, %a1, %v0", a, b); }
-#else
-#define MP_MUL_DxD(a, b, Phi, Plo) \
-  { mp_digit a0b1, a1b0; \
-    Plo = (a & MP_HALF_DIGIT_MAX) * (b & MP_HALF_DIGIT_MAX); \
-    Phi = (a >> MP_HALF_DIGIT_BIT) * (b >> MP_HALF_DIGIT_BIT); \
-    a0b1 = (a & MP_HALF_DIGIT_MAX) * (b >> MP_HALF_DIGIT_BIT); \
-    a1b0 = (a >> MP_HALF_DIGIT_BIT) * (b & MP_HALF_DIGIT_MAX); \
-    a1b0 += a0b1; \
-    Phi += a1b0 >> MP_HALF_DIGIT_BIT; \
-    if (a1b0 < a0b1)  \
-      Phi += MP_HALF_RADIX; \
-    a1b0 <<= MP_HALF_DIGIT_BIT; \
-    Plo += a1b0; \
-    if (Plo < a1b0) \
-      ++Phi; \
-  }
-#endif
-
-#if !defined(MP_ASSEMBLY_MULTIPLY)
-/* c = a * b */
-void s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
-{
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD)
-  mp_digit   d = 0;
-
-  /* Inner product:  Digits of a */
-  while (a_len--) {
-    mp_word w = ((mp_word)b * *a++) + d;
-    *c++ = ACCUM(w);
-    d = CARRYOUT(w);
-  }
-  *c = d;
-#else
-  mp_digit carry = 0;
-  while (a_len--) {
-    mp_digit a_i = *a++;
-    mp_digit a0b0, a1b1;
-
-    MP_MUL_DxD(a_i, b, a1b1, a0b0);
-
-    a0b0 += carry;
-    if (a0b0 < carry)
-      ++a1b1;
-    *c++ = a0b0;
-    carry = a1b1;
-  }
-  *c = carry;
-#endif
-}
-
-/* c += a * b */
-void s_mpv_mul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, 
-			      mp_digit *c)
-{
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD)
-  mp_digit   d = 0;
-
-  /* Inner product:  Digits of a */
-  while (a_len--) {
-    mp_word w = ((mp_word)b * *a++) + *c + d;
-    *c++ = ACCUM(w);
-    d = CARRYOUT(w);
-  }
-  *c = d;
-#else
-  mp_digit carry = 0;
-  while (a_len--) {
-    mp_digit a_i = *a++;
-    mp_digit a0b0, a1b1;
-
-    MP_MUL_DxD(a_i, b, a1b1, a0b0);
-
-    a0b0 += carry;
-    if (a0b0 < carry)
-      ++a1b1;
-    a0b0 += a_i = *c;
-    if (a0b0 < a_i)
-      ++a1b1;
-    *c++ = a0b0;
-    carry = a1b1;
-  }
-  *c = carry;
-#endif
-}
-
-/* Presently, this is only used by the Montgomery arithmetic code. */
-/* c += a * b */
-void s_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
-{
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD)
-  mp_digit   d = 0;
-
-  /* Inner product:  Digits of a */
-  while (a_len--) {
-    mp_word w = ((mp_word)b * *a++) + *c + d;
-    *c++ = ACCUM(w);
-    d = CARRYOUT(w);
-  }
-
-  while (d) {
-    mp_word w = (mp_word)*c + d;
-    *c++ = ACCUM(w);
-    d = CARRYOUT(w);
-  }
-#else
-  mp_digit carry = 0;
-  while (a_len--) {
-    mp_digit a_i = *a++;
-    mp_digit a0b0, a1b1;
-
-    MP_MUL_DxD(a_i, b, a1b1, a0b0);
-
-    a0b0 += carry;
-    if (a0b0 < carry)
-      ++a1b1;
-
-    a0b0 += a_i = *c;
-    if (a0b0 < a_i)
-      ++a1b1;
-
-    *c++ = a0b0;
-    carry = a1b1;
-  }
-  while (carry) {
-    mp_digit c_i = *c;
-    carry += c_i;
-    *c++ = carry;
-    carry = carry < c_i;
-  }
-#endif
-}
-#endif
-
-#if defined(MP_USE_UINT_DIGIT) && defined(MP_USE_LONG_LONG_MULTIPLY)
-/* This trick works on Sparc V8 CPUs with the Workshop compilers. */
-#define MP_SQR_D(a, Phi, Plo) \
-  { unsigned long long square = (unsigned long long)a * a; \
-    Plo = (mp_digit)square; \
-    Phi = (mp_digit)(square >> MP_DIGIT_BIT); }
-#elif defined(OSF1)
-#define MP_SQR_D(a, Phi, Plo) \
-  { Plo = asm ("mulq  %a0, %a0, %v0", a);\
-    Phi = asm ("umulh %a0, %a0, %v0", a); }
-#else
-#define MP_SQR_D(a, Phi, Plo) \
-  { mp_digit Pmid; \
-    Plo  = (a  & MP_HALF_DIGIT_MAX) * (a  & MP_HALF_DIGIT_MAX); \
-    Phi  = (a >> MP_HALF_DIGIT_BIT) * (a >> MP_HALF_DIGIT_BIT); \
-    Pmid = (a  & MP_HALF_DIGIT_MAX) * (a >> MP_HALF_DIGIT_BIT); \
-    Phi += Pmid >> (MP_HALF_DIGIT_BIT - 1);  \
-    Pmid <<= (MP_HALF_DIGIT_BIT + 1);  \
-    Plo += Pmid;  \
-    if (Plo < Pmid)  \
-      ++Phi;  \
-  }
-#endif
-
-#if !defined(MP_ASSEMBLY_SQUARE)
-/* Add the squares of the digits of a to the digits of b. */
-void s_mpv_sqr_add_prop(const mp_digit *pa, mp_size a_len, mp_digit *ps)
-{
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD)
-  mp_word  w;
-  mp_digit d;
-  mp_size  ix;
-
-  w  = 0;
-#define ADD_SQUARE(n) \
-    d = pa[n]; \
-    w += (d * (mp_word)d) + ps[2*n]; \
-    ps[2*n] = ACCUM(w); \
-    w = (w >> DIGIT_BIT) + ps[2*n+1]; \
-    ps[2*n+1] = ACCUM(w); \
-    w = (w >> DIGIT_BIT)
-
-  for (ix = a_len; ix >= 4; ix -= 4) {
-    ADD_SQUARE(0);
-    ADD_SQUARE(1);
-    ADD_SQUARE(2);
-    ADD_SQUARE(3);
-    pa += 4;
-    ps += 8;
-  }
-  if (ix) {
-    ps += 2*ix;
-    pa += ix;
-    switch (ix) {
-    case 3: ADD_SQUARE(-3); /* FALLTHRU */
-    case 2: ADD_SQUARE(-2); /* FALLTHRU */
-    case 1: ADD_SQUARE(-1); /* FALLTHRU */
-    case 0: break;
-    }
-  }
-  while (w) {
-    w += *ps;
-    *ps++ = ACCUM(w);
-    w = (w >> DIGIT_BIT);
-  }
-#else
-  mp_digit carry = 0;
-  while (a_len--) {
-    mp_digit a_i = *pa++;
-    mp_digit a0a0, a1a1;
-
-    MP_SQR_D(a_i, a1a1, a0a0);
-
-    /* here a1a1 and a0a0 constitute a_i ** 2 */
-    a0a0 += carry;
-    if (a0a0 < carry)
-      ++a1a1;
-
-    /* now add to ps */
-    a0a0 += a_i = *ps;
-    if (a0a0 < a_i)
-      ++a1a1;
-    *ps++ = a0a0;
-    a1a1 += a_i = *ps;
-    carry = (a1a1 < a_i);
-    *ps++ = a1a1;
-  }
-  while (carry) {
-    mp_digit s_i = *ps;
-    carry += s_i;
-    *ps++ = carry;
-    carry = carry < s_i;
-  }
-#endif
-}
-#endif
-
-#if (defined(MP_NO_MP_WORD) || defined(MP_NO_DIV_WORD)) \
-&& !defined(MP_ASSEMBLY_DIV_2DX1D)
-/*
-** Divide 64-bit (Nhi,Nlo) by 32-bit divisor, which must be normalized 
-** so its high bit is 1.   This code is from NSPR.
-*/
-mp_err s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo, mp_digit divisor, 
-		       mp_digit *qp, mp_digit *rp)
-{
-    mp_digit d1, d0, q1, q0;
-    mp_digit r1, r0, m;
-
-    d1 = divisor >> MP_HALF_DIGIT_BIT;
-    d0 = divisor & MP_HALF_DIGIT_MAX;
-    r1 = Nhi % d1;
-    q1 = Nhi / d1;
-    m = q1 * d0;
-    r1 = (r1 << MP_HALF_DIGIT_BIT) | (Nlo >> MP_HALF_DIGIT_BIT);
-    if (r1 < m) {
-        q1--, r1 += divisor;
-        if (r1 >= divisor && r1 < m) {
-	    q1--, r1 += divisor;
-	}
-    }
-    r1 -= m;
-    r0 = r1 % d1;
-    q0 = r1 / d1;
-    m = q0 * d0;
-    r0 = (r0 << MP_HALF_DIGIT_BIT) | (Nlo & MP_HALF_DIGIT_MAX);
-    if (r0 < m) {
-        q0--, r0 += divisor;
-        if (r0 >= divisor && r0 < m) {
-	    q0--, r0 += divisor;
-	}
-    }
-    if (qp)
-	*qp = (q1 << MP_HALF_DIGIT_BIT) | q0;
-    if (rp)
-	*rp = r0 - m;
-    return MP_OKAY;
-}
-#endif
-
-#if MP_SQUARE
-/* {{{ s_mp_sqr(a) */
-
-mp_err   s_mp_sqr(mp_int *a)
-{
-  mp_err   res;
-  mp_int   tmp;
-
-  if((res = mp_init_size(&tmp, 2 * USED(a))) != MP_OKAY)
-    return res;
-  res = mp_sqr(a, &tmp);
-  if (res == MP_OKAY) {
-    s_mp_exch(&tmp, a);
-  }
-  mp_clear(&tmp);
-  return res;
-}
-
-/* }}} */
-#endif
-
-/* {{{ s_mp_div(a, b) */
-
-/*
-  s_mp_div(a, b)
-
-  Compute a = a / b and b = a mod b.  Assumes b > a.
- */
-
-mp_err   s_mp_div(mp_int *rem, 	/* i: dividend, o: remainder */
-                  mp_int *div, 	/* i: divisor                */
-		  mp_int *quot)	/* i: 0;        o: quotient  */
-{
-  mp_int   part, t;
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_DIV_WORD)
-  mp_word  q_msd;
-#else
-  mp_digit q_msd;
-#endif
-  mp_err   res;
-  mp_digit d;
-  mp_digit div_msd;
-  int      ix;
-
-  if(mp_cmp_z(div) == 0)
-    return MP_RANGE;
-
-  /* Shortcut if divisor is power of two */
-  if((ix = s_mp_ispow2(div)) >= 0) {
-    MP_CHECKOK( mp_copy(rem, quot) );
-    s_mp_div_2d(quot, (mp_digit)ix);
-    s_mp_mod_2d(rem,  (mp_digit)ix);
-
-    return MP_OKAY;
-  }
-
-  DIGITS(&t) = 0;
-  MP_SIGN(rem) = ZPOS;
-  MP_SIGN(div) = ZPOS;
-
-  /* A working temporary for division     */
-  MP_CHECKOK( mp_init_size(&t, MP_ALLOC(rem)));
-
-  /* Normalize to optimize guessing       */
-  MP_CHECKOK( s_mp_norm(rem, div, &d) );
-
-  part = *rem;
-
-  /* Perform the division itself...woo!   */
-  MP_USED(quot) = MP_ALLOC(quot);
-
-  /* Find a partial substring of rem which is at least div */
-  /* If we didn't find one, we're finished dividing    */
-  while (MP_USED(rem) > MP_USED(div) || s_mp_cmp(rem, div) >= 0) {
-    int i;
-    int unusedRem;
-
-    unusedRem = MP_USED(rem) - MP_USED(div);
-    MP_DIGITS(&part) = MP_DIGITS(rem) + unusedRem;
-    MP_ALLOC(&part)  = MP_ALLOC(rem)  - unusedRem;
-    MP_USED(&part)   = MP_USED(div);
-    if (s_mp_cmp(&part, div) < 0) {
-      -- unusedRem;
-#if MP_ARGCHK == 2
-      assert(unusedRem >= 0);
-#endif
-      -- MP_DIGITS(&part);
-      ++ MP_USED(&part);
-      ++ MP_ALLOC(&part);
-    }
-
-    /* Compute a guess for the next quotient digit       */
-    q_msd = MP_DIGIT(&part, MP_USED(&part) - 1);
-    div_msd = MP_DIGIT(div, MP_USED(div) - 1);
-    if (q_msd >= div_msd) {
-      q_msd = 1;
-    } else if (MP_USED(&part) > 1) {
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_DIV_WORD)
-      q_msd = (q_msd << MP_DIGIT_BIT) | MP_DIGIT(&part, MP_USED(&part) - 2);
-      q_msd /= div_msd;
-      if (q_msd == RADIX)
-        --q_msd;
-#else
-      mp_digit r;
-      MP_CHECKOK( s_mpv_div_2dx1d(q_msd, MP_DIGIT(&part, MP_USED(&part) - 2), 
-				  div_msd, &q_msd, &r) );
-#endif
-    } else {
-      q_msd = 0;
-    }
-#if MP_ARGCHK == 2
-    assert(q_msd > 0); /* This case should never occur any more. */
-#endif
-    if (q_msd <= 0)
-      break;
-
-    /* See what that multiplies out to                   */
-    mp_copy(div, &t);
-    MP_CHECKOK( s_mp_mul_d(&t, (mp_digit)q_msd) );
-
-    /* 
-       If it's too big, back it off.  We should not have to do this
-       more than once, or, in rare cases, twice.  Knuth describes a
-       method by which this could be reduced to a maximum of once, but
-       I didn't implement that here.
-     * When using s_mpv_div_2dx1d, we may have to do this 3 times.
-     */
-    for (i = 4; s_mp_cmp(&t, &part) > 0 && i > 0; --i) {
-      --q_msd;
-      s_mp_sub(&t, div);	/* t -= div */
-    }
-    if (i < 0) {
-      res = MP_RANGE;
-      goto CLEANUP;
-    }
-
-    /* At this point, q_msd should be the right next digit   */
-    MP_CHECKOK( s_mp_sub(&part, &t) );	/* part -= t */
-    s_mp_clamp(rem);
-
-    /*
-      Include the digit in the quotient.  We allocated enough memory
-      for any quotient we could ever possibly get, so we should not
-      have to check for failures here
-     */
-    MP_DIGIT(quot, unusedRem) = (mp_digit)q_msd;
-  }
-
-  /* Denormalize remainder                */
-  if (d) {
-    s_mp_div_2d(rem, d);
-  }
-
-  s_mp_clamp(quot);
-
-CLEANUP:
-  mp_clear(&t);
-
-  return res;
-
-} /* end s_mp_div() */
-
-
-/* }}} */
-
-/* {{{ s_mp_2expt(a, k) */
-
-mp_err   s_mp_2expt(mp_int *a, mp_digit k)
-{
-  mp_err    res;
-  mp_size   dig, bit;
-
-  dig = k / DIGIT_BIT;
-  bit = k % DIGIT_BIT;
-
-  mp_zero(a);
-  if((res = s_mp_pad(a, dig + 1)) != MP_OKAY)
-    return res;
-  
-  DIGIT(a, dig) |= ((mp_digit)1 << bit);
-
-  return MP_OKAY;
-
-} /* end s_mp_2expt() */
-
-/* }}} */
-
-/* {{{ s_mp_reduce(x, m, mu) */
-
-/*
-  Compute Barrett reduction, x (mod m), given a precomputed value for
-  mu = b^2k / m, where b = RADIX and k = #digits(m).  This should be
-  faster than straight division, when many reductions by the same
-  value of m are required (such as in modular exponentiation).  This
-  can nearly halve the time required to do modular exponentiation,
-  as compared to using the full integer divide to reduce.
-
-  This algorithm was derived from the _Handbook of Applied
-  Cryptography_ by Menezes, Oorschot and VanStone, Ch. 14,
-  pp. 603-604.  
- */
-
-mp_err   s_mp_reduce(mp_int *x, const mp_int *m, const mp_int *mu)
-{
-  mp_int   q;
-  mp_err   res;
-
-  if((res = mp_init_copy(&q, x)) != MP_OKAY)
-    return res;
-
-  s_mp_rshd(&q, USED(m) - 1);  /* q1 = x / b^(k-1)  */
-  s_mp_mul(&q, mu);            /* q2 = q1 * mu      */
-  s_mp_rshd(&q, USED(m) + 1);  /* q3 = q2 / b^(k+1) */
-
-  /* x = x mod b^(k+1), quick (no division) */
-  s_mp_mod_2d(x, DIGIT_BIT * (USED(m) + 1));
-
-  /* q = q * m mod b^(k+1), quick (no division) */
-  s_mp_mul(&q, m);
-  s_mp_mod_2d(&q, DIGIT_BIT * (USED(m) + 1));
-
-  /* x = x - q */
-  if((res = mp_sub(x, &q, x)) != MP_OKAY)
-    goto CLEANUP;
-
-  /* If x < 0, add b^(k+1) to it */
-  if(mp_cmp_z(x) < 0) {
-    mp_set(&q, 1);
-    if((res = s_mp_lshd(&q, USED(m) + 1)) != MP_OKAY)
-      goto CLEANUP;
-    if((res = mp_add(x, &q, x)) != MP_OKAY)
-      goto CLEANUP;
-  }
-
-  /* Back off if it's too big */
-  while(mp_cmp(x, m) >= 0) {
-    if((res = s_mp_sub(x, m)) != MP_OKAY)
-      break;
-  }
-
- CLEANUP:
-  mp_clear(&q);
-
-  return res;
-
-} /* end s_mp_reduce() */
-
-/* }}} */
-
-/* }}} */
-
-/* {{{ Primitive comparisons */
-
-/* {{{ s_mp_cmp(a, b) */
-
-/* Compare |a| <=> |b|, return 0 if equal, <0 if a<b, >0 if a>b           */
-int      s_mp_cmp(const mp_int *a, const mp_int *b)
-{
-  mp_size used_a = MP_USED(a);
-  {
-    mp_size used_b = MP_USED(b);
-
-    if (used_a > used_b)
-      goto IS_GT;
-    if (used_a < used_b)
-      goto IS_LT;
-  }
-  {
-    mp_digit *pa, *pb;
-    mp_digit da = 0, db = 0;
-
-#define CMP_AB(n) if ((da = pa[n]) != (db = pb[n])) goto done
-
-    pa = MP_DIGITS(a) + used_a;
-    pb = MP_DIGITS(b) + used_a;
-    while (used_a >= 4) {
-      pa     -= 4;
-      pb     -= 4;
-      used_a -= 4;
-      CMP_AB(3);
-      CMP_AB(2);
-      CMP_AB(1);
-      CMP_AB(0);
-    }
-    while (used_a-- > 0 && ((da = *--pa) == (db = *--pb))) 
-      /* do nothing */;
-done:
-    if (da > db)
-      goto IS_GT;
-    if (da < db) 
-      goto IS_LT;
-  }
-  return MP_EQ;
-IS_LT:
-  return MP_LT;
-IS_GT:
-  return MP_GT;
-} /* end s_mp_cmp() */
-
-/* }}} */
-
-/* {{{ s_mp_cmp_d(a, d) */
-
-/* Compare |a| <=> d, return 0 if equal, <0 if a<d, >0 if a>d             */
-int      s_mp_cmp_d(const mp_int *a, mp_digit d)
-{
-  if(USED(a) > 1)
-    return MP_GT;
-
-  if(DIGIT(a, 0) < d)
-    return MP_LT;
-  else if(DIGIT(a, 0) > d)
-    return MP_GT;
-  else
-    return MP_EQ;
-
-} /* end s_mp_cmp_d() */
-
-/* }}} */
-
-/* {{{ s_mp_ispow2(v) */
-
-/*
-  Returns -1 if the value is not a power of two; otherwise, it returns
-  k such that v = 2^k, i.e. lg(v).
- */
-int      s_mp_ispow2(const mp_int *v)
-{
-  mp_digit d;
-  int      extra = 0, ix;
-
-  ix = MP_USED(v) - 1;
-  d = MP_DIGIT(v, ix); /* most significant digit of v */
-
-  extra = s_mp_ispow2d(d);
-  if (extra < 0 || ix == 0)
-    return extra;
-
-  while (--ix >= 0) {
-    if (DIGIT(v, ix) != 0)
-      return -1; /* not a power of two */
-    extra += MP_DIGIT_BIT;
-  }
-
-  return extra;
-
-} /* end s_mp_ispow2() */
-
-/* }}} */
-
-/* {{{ s_mp_ispow2d(d) */
-
-int      s_mp_ispow2d(mp_digit d)
-{
-  if ((d != 0) && ((d & (d-1)) == 0)) { /* d is a power of 2 */
-    int pow = 0;
-#if defined (MP_USE_UINT_DIGIT)
-    if (d & 0xffff0000U)
-      pow += 16;
-    if (d & 0xff00ff00U)
-      pow += 8;
-    if (d & 0xf0f0f0f0U)
-      pow += 4;
-    if (d & 0xccccccccU)
-      pow += 2;
-    if (d & 0xaaaaaaaaU)
-      pow += 1;
-#elif defined(MP_USE_LONG_LONG_DIGIT)
-    if (d & 0xffffffff00000000ULL)
-      pow += 32;
-    if (d & 0xffff0000ffff0000ULL)
-      pow += 16;
-    if (d & 0xff00ff00ff00ff00ULL)
-      pow += 8;
-    if (d & 0xf0f0f0f0f0f0f0f0ULL)
-      pow += 4;
-    if (d & 0xccccccccccccccccULL)
-      pow += 2;
-    if (d & 0xaaaaaaaaaaaaaaaaULL)
-      pow += 1;
-#elif defined(MP_USE_LONG_DIGIT)
-    if (d & 0xffffffff00000000UL)
-      pow += 32;
-    if (d & 0xffff0000ffff0000UL)
-      pow += 16;
-    if (d & 0xff00ff00ff00ff00UL)
-      pow += 8;
-    if (d & 0xf0f0f0f0f0f0f0f0UL)
-      pow += 4;
-    if (d & 0xccccccccccccccccUL)
-      pow += 2;
-    if (d & 0xaaaaaaaaaaaaaaaaUL)
-      pow += 1;
-#else
-#error "unknown type for mp_digit"
-#endif
-    return pow;
-  }
-  return -1;
-
-} /* end s_mp_ispow2d() */
-
-/* }}} */
-
-/* }}} */
-
-/* {{{ Primitive I/O helpers */
-
-/* {{{ s_mp_tovalue(ch, r) */
-
-/*
-  Convert the given character to its digit value, in the given radix.
-  If the given character is not understood in the given radix, -1 is
-  returned.  Otherwise the digit's numeric value is returned.
-
-  The results will be odd if you use a radix < 2 or > 62, you are
-  expected to know what you're up to.
- */
-int      s_mp_tovalue(char ch, int r)
-{
-  int    val, xch;
-  
-  if(r > 36)
-    xch = ch;
-  else
-    xch = toupper(ch);
-
-  if(isdigit(xch))
-    val = xch - '0';
-  else if(isupper(xch))
-    val = xch - 'A' + 10;
-  else if(islower(xch))
-    val = xch - 'a' + 36;
-  else if(xch == '+')
-    val = 62;
-  else if(xch == '/')
-    val = 63;
-  else 
-    return -1;
-
-  if(val < 0 || val >= r)
-    return -1;
-
-  return val;
-
-} /* end s_mp_tovalue() */
-
-/* }}} */
-
-/* {{{ s_mp_todigit(val, r, low) */
-
-/*
-  Convert val to a radix-r digit, if possible.  If val is out of range
-  for r, returns zero.  Otherwise, returns an ASCII character denoting
-  the value in the given radix.
-
-  The results may be odd if you use a radix < 2 or > 64, you are
-  expected to know what you're doing.
- */
-  
-char     s_mp_todigit(mp_digit val, int r, int low)
-{
-  char   ch;
-
-  if(val >= r)
-    return 0;
-
-  ch = s_dmap_1[val];
-
-  if(r <= 36 && low)
-    ch = tolower(ch);
-
-  return ch;
-
-} /* end s_mp_todigit() */
-
-/* }}} */
-
-/* {{{ s_mp_outlen(bits, radix) */
-
-/* 
-   Return an estimate for how long a string is needed to hold a radix
-   r representation of a number with 'bits' significant bits, plus an
-   extra for a zero terminator (assuming C style strings here)
- */
-int      s_mp_outlen(int bits, int r)
-{
-  return (int)((double)bits * LOG_V_2(r) + 1.5) + 1;
-
-} /* end s_mp_outlen() */
-
-/* }}} */
-
-/* }}} */
-
-/* {{{ mp_read_unsigned_octets(mp, str, len) */
-/* mp_read_unsigned_octets(mp, str, len)
-   Read in a raw value (base 256) into the given mp_int
-   No sign bit, number is positive.  Leading zeros ignored.
- */
-
-mp_err  
-mp_read_unsigned_octets(mp_int *mp, const unsigned char *str, mp_size len)
-{
-  int            count;
-  mp_err         res;
-  mp_digit       d;
-
-  ARGCHK(mp != NULL && str != NULL && len > 0, MP_BADARG);
-
-  mp_zero(mp);
-
-  count = len % sizeof(mp_digit);
-  if (count) {
-    for (d = 0; count-- > 0; --len) {
-      d = (d << 8) | *str++;
-    }
-    MP_DIGIT(mp, 0) = d;
-  }
-
-  /* Read the rest of the digits */
-  for(; len > 0; len -= sizeof(mp_digit)) {
-    for (d = 0, count = sizeof(mp_digit); count > 0; --count) {
-      d = (d << 8) | *str++;
-    }
-    if (MP_EQ == mp_cmp_z(mp)) {
-      if (!d)
-	continue;
-    } else {
-      if((res = s_mp_lshd(mp, 1)) != MP_OKAY)
-	return res;
-    }
-    MP_DIGIT(mp, 0) = d;
-  }
-  return MP_OKAY;
-} /* end mp_read_unsigned_octets() */
-/* }}} */
-
-/* {{{ mp_unsigned_octet_size(mp) */
-int    
-mp_unsigned_octet_size(const mp_int *mp)
-{
-  int  bytes;
-  int  ix;
-  mp_digit  d = 0;
-
-  ARGCHK(mp != NULL, MP_BADARG);
-  ARGCHK(MP_ZPOS == SIGN(mp), MP_BADARG);
-
-  bytes = (USED(mp) * sizeof(mp_digit));
-
-  /* subtract leading zeros. */
-  /* Iterate over each digit... */
-  for(ix = USED(mp) - 1; ix >= 0; ix--) {
-    d = DIGIT(mp, ix);
-    if (d) 
-	break;
-    bytes -= sizeof(d);
-  }
-  if (!bytes)
-    return 1;
-
-  /* Have MSD, check digit bytes, high order first */
-  for(ix = sizeof(mp_digit) - 1; ix >= 0; ix--) {
-    unsigned char x = (unsigned char)(d >> (ix * CHAR_BIT));
-    if (x) 
-	break;
-    --bytes;
-  }
-  return bytes;
-} /* end mp_unsigned_octet_size() */
-/* }}} */
-
-/* {{{ mp_to_unsigned_octets(mp, str) */
-/* output a buffer of big endian octets no longer than specified. */
-mp_err 
-mp_to_unsigned_octets(const mp_int *mp, unsigned char *str, mp_size maxlen)
-{
-  int  ix, pos = 0;
-  int  bytes;
-
-  ARGCHK(mp != NULL && str != NULL && !SIGN(mp), MP_BADARG);
-
-  bytes = mp_unsigned_octet_size(mp);
-  ARGCHK(bytes <= maxlen, MP_BADARG);
-
-  /* Iterate over each digit... */
-  for(ix = USED(mp) - 1; ix >= 0; ix--) {
-    mp_digit  d = DIGIT(mp, ix);
-    int       jx;
-
-    /* Unpack digit bytes, high order first */
-    for(jx = sizeof(mp_digit) - 1; jx >= 0; jx--) {
-      unsigned char x = (unsigned char)(d >> (jx * CHAR_BIT));
-      if (!pos && !x)	/* suppress leading zeros */
-	continue;
-      str[pos++] = x;
-    }
-  }
-  return pos;
-} /* end mp_to_unsigned_octets() */
-/* }}} */
-
-/* {{{ mp_to_signed_octets(mp, str) */
-/* output a buffer of big endian octets no longer than specified. */
-mp_err 
-mp_to_signed_octets(const mp_int *mp, unsigned char *str, mp_size maxlen)
-{
-  int  ix, pos = 0;
-  int  bytes;
-
-  ARGCHK(mp != NULL && str != NULL && !SIGN(mp), MP_BADARG);
-
-  bytes = mp_unsigned_octet_size(mp);
-  ARGCHK(bytes <= maxlen, MP_BADARG);
-
-  /* Iterate over each digit... */
-  for(ix = USED(mp) - 1; ix >= 0; ix--) {
-    mp_digit  d = DIGIT(mp, ix);
-    int       jx;
-
-    /* Unpack digit bytes, high order first */
-    for(jx = sizeof(mp_digit) - 1; jx >= 0; jx--) {
-      unsigned char x = (unsigned char)(d >> (jx * CHAR_BIT));
-      if (!pos) {
-	if (!x)		/* suppress leading zeros */
-	  continue;
-	if (x & 0x80) { /* add one leading zero to make output positive.  */
-	  ARGCHK(bytes + 1 <= maxlen, MP_BADARG);
-	  if (bytes + 1 > maxlen)
-	    return MP_BADARG;
-	  str[pos++] = 0;
-	}
-      }
-      str[pos++] = x;
-    }
-  }
-  return pos;
-} /* end mp_to_signed_octets() */
-/* }}} */
-
-/* {{{ mp_to_fixlen_octets(mp, str) */
-/* output a buffer of big endian octets exactly as long as requested. */
-mp_err 
-mp_to_fixlen_octets(const mp_int *mp, unsigned char *str, mp_size length)
-{
-  int  ix, pos = 0;
-  int  bytes;
-
-  ARGCHK(mp != NULL && str != NULL && !SIGN(mp), MP_BADARG);
-
-  bytes = mp_unsigned_octet_size(mp);
-  ARGCHK(bytes <= length, MP_BADARG);
-
-  /* place any needed leading zeros */
-  for (;length > bytes; --length) {
-	*str++ = 0;
-  }
-
-  /* Iterate over each digit... */
-  for(ix = USED(mp) - 1; ix >= 0; ix--) {
-    mp_digit  d = DIGIT(mp, ix);
-    int       jx;
-
-    /* Unpack digit bytes, high order first */
-    for(jx = sizeof(mp_digit) - 1; jx >= 0; jx--) {
-      unsigned char x = (unsigned char)(d >> (jx * CHAR_BIT));
-      if (!pos && !x)	/* suppress leading zeros */
-	continue;
-      str[pos++] = x;
-    }
-  }
-  return MP_OKAY;
-} /* end mp_to_fixlen_octets() */
-/* }}} */
-
-
-/*------------------------------------------------------------------------*/
-/* HERE THERE BE DRAGONS                                                  */
diff --git a/security/nss/lib/freebl/mpi/mpi.h b/security/nss/lib/freebl/mpi/mpi.h
deleted file mode 100644
index 788d65205..000000000
--- a/security/nss/lib/freebl/mpi/mpi.h
+++ /dev/null
@@ -1,336 +0,0 @@
-/*
- *  mpi.h
- *
- *  Arbitrary precision integer arithmetic library
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Netscape Communications Corporation
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#ifndef _H_MPI_
-#define _H_MPI_
-
-#include "mpi-config.h"
-
-#if MP_DEBUG
-#undef MP_IOFUNC
-#define MP_IOFUNC 1
-#endif
-
-#if MP_IOFUNC
-#include <stdio.h>
-#include <ctype.h>
-#endif
-
-#include <limits.h>
-
-#if defined(BSDI)
-#undef ULLONG_MAX
-#endif
-
-#if defined( macintosh )
-#include <Types.h>
-#elif defined( _WIN32_WCE)
-/* #include <sys/types.h> What do we need here ?? */
-#else
-#include <sys/types.h>
-#endif
-
-#define  MP_NEG    1
-#define  MP_ZPOS   0
-
-#define  MP_OKAY          0 /* no error, all is well */
-#define  MP_YES           0 /* yes (boolean result)  */
-#define  MP_NO           -1 /* no (boolean result)   */
-#define  MP_MEM          -2 /* out of memory         */
-#define  MP_RANGE        -3 /* argument out of range */
-#define  MP_BADARG       -4 /* invalid parameter     */
-#define  MP_UNDEF        -5 /* answer is undefined   */
-#define  MP_LAST_CODE    MP_UNDEF
-
-typedef unsigned int      mp_sign;
-typedef unsigned int      mp_size;
-typedef int               mp_err;
-
-#define MP_32BIT_MAX 4294967295U
-
-#if !defined(ULONG_MAX) 
-#error "ULONG_MAX not defined"
-#elif !defined(UINT_MAX)
-#error "UINT_MAX not defined"
-#elif !defined(USHRT_MAX)
-#error "USHRT_MAX not defined"
-#endif
-
-#if defined(ULONG_LONG_MAX)			/* GCC, HPUX */
-#define MP_ULONG_LONG_MAX ULONG_LONG_MAX
-#elif defined(ULLONG_MAX)			/* Solaris */
-#define MP_ULONG_LONG_MAX ULLONG_MAX
-/* MP_ULONG_LONG_MAX was defined to be ULLONG_MAX */
-#elif defined(ULONGLONG_MAX)			/* IRIX, AIX */
-#define MP_ULONG_LONG_MAX ULONGLONG_MAX
-#endif
-
-/* We only use unsigned long for mp_digit iff long is more than 32 bits. */
-#if !defined(MP_USE_UINT_DIGIT) && ULONG_MAX > MP_32BIT_MAX
-typedef unsigned long     mp_digit;
-#define MP_DIGIT_MAX      ULONG_MAX
-#define MP_DIGIT_FMT      "%016lX"   /* printf() format for 1 digit */
-#define MP_HALF_DIGIT_MAX UINT_MAX
-#undef  MP_NO_MP_WORD
-#define MP_NO_MP_WORD 1
-#undef  MP_USE_LONG_DIGIT
-#define MP_USE_LONG_DIGIT 1
-#undef  MP_USE_LONG_LONG_DIGIT
-
-#elif !defined(MP_USE_UINT_DIGIT) && defined(MP_ULONG_LONG_MAX) 
-typedef unsigned long long mp_digit;
-#define MP_DIGIT_MAX       MP_ULONG_LONG_MAX
-#define MP_DIGIT_FMT      "%016llX"  /* printf() format for 1 digit */
-#define MP_HALF_DIGIT_MAX  UINT_MAX
-#undef  MP_NO_MP_WORD
-#define MP_NO_MP_WORD 1
-#undef  MP_USE_LONG_LONG_DIGIT
-#define MP_USE_LONG_LONG_DIGIT 1
-#undef  MP_USE_LONG_DIGIT
-
-#else
-typedef unsigned int      mp_digit;
-#define MP_DIGIT_MAX      UINT_MAX
-#define MP_DIGIT_FMT      "%08X"     /* printf() format for 1 digit */
-#define MP_HALF_DIGIT_MAX USHRT_MAX
-#undef  MP_USE_UINT_DIGIT
-#define MP_USE_UINT_DIGIT 1
-#undef  MP_USE_LONG_LONG_DIGIT
-#undef  MP_USE_LONG_DIGIT
-#endif
-
-#if !defined(MP_NO_MP_WORD) 
-#if  defined(MP_USE_UINT_DIGIT) && \
-    (defined(MP_ULONG_LONG_MAX) || (ULONG_MAX > UINT_MAX))
-
-#if (ULONG_MAX > UINT_MAX)
-typedef unsigned long     mp_word;
-typedef          long     mp_sword;
-#define MP_WORD_MAX       ULONG_MAX
-
-#else
-typedef unsigned long long mp_word;
-typedef          long long mp_sword;
-#define MP_WORD_MAX       MP_ULONG_LONG_MAX
-#endif
-
-#else 
-#define MP_NO_MP_WORD 1
-#endif
-#endif /* !defined(MP_NO_MP_WORD) */
-
-#if !defined(MP_WORD_MAX) && defined(MP_DEFINE_SMALL_WORD)
-typedef unsigned int      mp_word;
-typedef          int      mp_sword;
-#define MP_WORD_MAX       UINT_MAX
-#endif
-
-#define MP_DIGIT_BIT      (CHAR_BIT*sizeof(mp_digit))
-#define MP_WORD_BIT       (CHAR_BIT*sizeof(mp_word))
-#define MP_RADIX          (1+(mp_word)MP_DIGIT_MAX)
-
-#define MP_HALF_DIGIT_BIT (MP_DIGIT_BIT/2)
-#define MP_HALF_RADIX     (1+(mp_digit)MP_HALF_DIGIT_MAX)
-/* MP_HALF_RADIX really ought to be called MP_SQRT_RADIX, but it's named 
-** MP_HALF_RADIX because it's the radix for MP_HALF_DIGITs, and it's 
-** consistent with the other _HALF_ names.
-*/
-
-
-/* Macros for accessing the mp_int internals           */
-#define  MP_SIGN(MP)     ((MP)->sign)
-#define  MP_USED(MP)     ((MP)->used)
-#define  MP_ALLOC(MP)    ((MP)->alloc)
-#define  MP_DIGITS(MP)   ((MP)->dp)
-#define  MP_DIGIT(MP,N)  (MP)->dp[(N)]
-
-/* This defines the maximum I/O base (minimum is 2)   */
-#define MP_MAX_RADIX         64
-
-typedef struct {
-  mp_sign       sign;    /* sign of this quantity      */
-  mp_size       alloc;   /* how many digits allocated  */
-  mp_size       used;    /* how many digits used       */
-  mp_digit     *dp;      /* the digits themselves      */
-} mp_int;
-
-/* Default precision       */
-mp_size mp_get_prec(void);
-void    mp_set_prec(mp_size prec);
-
-/* Memory management       */
-mp_err mp_init(mp_int *mp);
-mp_err mp_init_size(mp_int *mp, mp_size prec);
-mp_err mp_init_copy(mp_int *mp, const mp_int *from);
-mp_err mp_copy(const mp_int *from, mp_int *to);
-void   mp_exch(mp_int *mp1, mp_int *mp2);
-void   mp_clear(mp_int *mp);
-void   mp_zero(mp_int *mp);
-void   mp_set(mp_int *mp, mp_digit d);
-mp_err mp_set_int(mp_int *mp, long z);
-#define mp_set_long(mp,z) mp_set_int(mp,z)
-mp_err mp_set_ulong(mp_int *mp, unsigned long z);
-
-/* Single digit arithmetic */
-mp_err mp_add_d(const mp_int *a, mp_digit d, mp_int *b);
-mp_err mp_sub_d(const mp_int *a, mp_digit d, mp_int *b);
-mp_err mp_mul_d(const mp_int *a, mp_digit d, mp_int *b);
-mp_err mp_mul_2(const mp_int *a, mp_int *c);
-mp_err mp_div_d(const mp_int *a, mp_digit d, mp_int *q, mp_digit *r);
-mp_err mp_div_2(const mp_int *a, mp_int *c);
-mp_err mp_expt_d(const mp_int *a, mp_digit d, mp_int *c);
-
-/* Sign manipulations      */
-mp_err mp_abs(const mp_int *a, mp_int *b);
-mp_err mp_neg(const mp_int *a, mp_int *b);
-
-/* Full arithmetic         */
-mp_err mp_add(const mp_int *a, const mp_int *b, mp_int *c);
-mp_err mp_sub(const mp_int *a, const mp_int *b, mp_int *c);
-mp_err mp_mul(const mp_int *a, const mp_int *b, mp_int *c);
-#if MP_SQUARE
-mp_err mp_sqr(const mp_int *a, mp_int *b);
-#else
-#define mp_sqr(a, b) mp_mul(a, a, b)
-#endif
-mp_err mp_div(const mp_int *a, const mp_int *b, mp_int *q, mp_int *r);
-mp_err mp_div_2d(const mp_int *a, mp_digit d, mp_int *q, mp_int *r);
-mp_err mp_expt(mp_int *a, mp_int *b, mp_int *c);
-mp_err mp_2expt(mp_int *a, mp_digit k);
-mp_err mp_sqrt(const mp_int *a, mp_int *b);
-
-/* Modular arithmetic      */
-#if MP_MODARITH
-mp_err mp_mod(const mp_int *a, const mp_int *m, mp_int *c);
-mp_err mp_mod_d(const mp_int *a, mp_digit d, mp_digit *c);
-mp_err mp_addmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c);
-mp_err mp_submod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c);
-mp_err mp_mulmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c);
-#if MP_SQUARE
-mp_err mp_sqrmod(const mp_int *a, const mp_int *m, mp_int *c);
-#else
-#define mp_sqrmod(a, m, c) mp_mulmod(a, a, m, c)
-#endif
-mp_err mp_exptmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c);
-mp_err mp_exptmod_d(const mp_int *a, mp_digit d, const mp_int *m, mp_int *c);
-#endif /* MP_MODARITH */
-
-/* Comparisons             */
-int    mp_cmp_z(const mp_int *a);
-int    mp_cmp_d(const mp_int *a, mp_digit d);
-int    mp_cmp(const mp_int *a, const mp_int *b);
-int    mp_cmp_mag(mp_int *a, mp_int *b);
-int    mp_cmp_int(const mp_int *a, long z);
-int    mp_isodd(const mp_int *a);
-int    mp_iseven(const mp_int *a);
-
-/* Number theoretic        */
-#if MP_NUMTH
-mp_err mp_gcd(mp_int *a, mp_int *b, mp_int *c);
-mp_err mp_lcm(mp_int *a, mp_int *b, mp_int *c);
-mp_err mp_xgcd(const mp_int *a, const mp_int *b, mp_int *g, mp_int *x, mp_int *y);
-mp_err mp_invmod(const mp_int *a, const mp_int *m, mp_int *c);
-mp_err mp_invmod_xgcd(const mp_int *a, const mp_int *m, mp_int *c);
-#endif /* end MP_NUMTH */
-
-/* Input and output        */
-#if MP_IOFUNC
-void   mp_print(mp_int *mp, FILE *ofp);
-#endif /* end MP_IOFUNC */
-
-/* Base conversion         */
-mp_err mp_read_raw(mp_int *mp, char *str, int len);
-int    mp_raw_size(mp_int *mp);
-mp_err mp_toraw(mp_int *mp, char *str);
-mp_err mp_read_radix(mp_int *mp, const char *str, int radix);
-mp_err mp_read_variable_radix(mp_int *a, const char * str, int default_radix);
-int    mp_radix_size(mp_int *mp, int radix);
-mp_err mp_toradix(mp_int *mp, char *str, int radix);
-int    mp_tovalue(char ch, int r);
-
-#define mp_tobinary(M, S)  mp_toradix((M), (S), 2)
-#define mp_tooctal(M, S)   mp_toradix((M), (S), 8)
-#define mp_todecimal(M, S) mp_toradix((M), (S), 10)
-#define mp_tohex(M, S)     mp_toradix((M), (S), 16)
-
-/* Error strings           */
-const  char  *mp_strerror(mp_err ec);
-
-/* Octet string conversion functions */
-mp_err mp_read_unsigned_octets(mp_int *mp, const unsigned char *str, mp_size len);
-int    mp_unsigned_octet_size(const mp_int *mp);
-mp_err mp_to_unsigned_octets(const mp_int *mp, unsigned char *str, mp_size maxlen);
-mp_err mp_to_signed_octets(const mp_int *mp, unsigned char *str, mp_size maxlen);
-mp_err mp_to_fixlen_octets(const mp_int *mp, unsigned char *str, mp_size len);
-
-/* Miscellaneous */
-mp_size mp_trailing_zeros(const mp_int *mp);
-
-#define MP_CHECKOK(x)  if (MP_OKAY > (res = (x))) goto CLEANUP
-#define MP_CHECKERR(x) if (MP_OKAY > (res = (x))) goto CLEANUP
-
-#if defined(MP_API_COMPATIBLE)
-#define NEG             MP_NEG
-#define ZPOS            MP_ZPOS
-#define DIGIT_MAX       MP_DIGIT_MAX
-#define DIGIT_BIT       MP_DIGIT_BIT
-#define DIGIT_FMT       MP_DIGIT_FMT
-#define RADIX           MP_RADIX
-#define MAX_RADIX       MP_MAX_RADIX
-#define SIGN(MP)        MP_SIGN(MP)
-#define USED(MP)        MP_USED(MP)
-#define ALLOC(MP)       MP_ALLOC(MP)
-#define DIGITS(MP)      MP_DIGITS(MP)
-#define DIGIT(MP,N)     MP_DIGIT(MP,N)
-
-#if MP_ARGCHK == 1
-#define  ARGCHK(X,Y)  {if(!(X)){return (Y);}}
-#elif MP_ARGCHK == 2
-#include <assert.h>
-#define  ARGCHK(X,Y)  assert(X)
-#else
-#define  ARGCHK(X,Y)  /*  */
-#endif
-#endif /* defined MP_API_COMPATIBLE */
-
-#endif /* end _H_MPI_ */
diff --git a/security/nss/lib/freebl/mpi/mpi_amd64.c b/security/nss/lib/freebl/mpi/mpi_amd64.c
deleted file mode 100644
index 5befb8753..000000000
--- a/security/nss/lib/freebl/mpi/mpi_amd64.c
+++ /dev/null
@@ -1,65 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Solaris software cryptographic token.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2005
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Sun Microsystems, Inc.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef MPI_AMD64
-#error This file only works on AMD64 platforms.
-#endif
-
-#include <mpi-priv.h>
-
-/*
- * MPI glue
- *
- */
-
-/* Presently, this is only used by the Montgomery arithmetic code. */
-/* c += a * b */
-void MPI_ASM_DECL s_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len,
-                                       mp_digit b, mp_digit *c)
-{
-  mp_digit w;
-  mp_digit d;
-
-  d = s_mpv_mul_add_vec64(c, a, a_len, b);
-  c += a_len;
-  while (d) {
-    w = c[0] + d;
-    d = (w < c[0] || w < d);
-    *c++ = w;
-  }
-}
-
diff --git a/security/nss/lib/freebl/mpi/mpi_amd64_gas.s b/security/nss/lib/freebl/mpi/mpi_amd64_gas.s
deleted file mode 100644
index 7515ac20a..000000000
--- a/security/nss/lib/freebl/mpi/mpi_amd64_gas.s
+++ /dev/null
@@ -1,418 +0,0 @@
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-# 
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-# 
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-# 
-# The Original Code is the Solaris software cryptographic token.
-# 
-# The Initial Developer of the Original Code is
-# Sun Microsystems, Inc.
-# Portions created by the Initial Developer are Copyright (C) 2005
-# the Initial Developer. All Rights Reserved.
-# 
-# Contributor(s):
-#   Sun Microsystems, Inc.
-# 
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-# 
-# ***** END LICENSE BLOCK ***** */
-
-
-# ------------------------------------------------------------------------
-#
-#  Implementation of s_mpv_mul_set_vec which exploits
-#  the 64X64->128 bit  unsigned multiply instruction.
-#
-# ------------------------------------------------------------------------
-
-# r = a * digit, r and a are vectors of length len
-# returns the carry digit
-# r and a are 64 bit aligned.
-#
-# uint64_t
-# s_mpv_mul_set_vec64(uint64_t *r, uint64_t *a, int len, uint64_t digit)
-#
-
-.text; .align 16; .globl s_mpv_mul_set_vec64; .type s_mpv_mul_set_vec64, @function; s_mpv_mul_set_vec64:
-
-	xorq	%rax, %rax		# if (len == 0) return (0)
-	testq	%rdx, %rdx
-	jz	.L17
-
-	movq	%rdx, %r8		# Use r8 for len; %rdx is used by mul
-	xorq	%r9, %r9		# cy = 0
-
-.L15:
-	cmpq	$8, %r8			# 8 - len
-	jb	.L16
-	movq	0(%rsi), %rax		# rax = a[0]
-	movq	8(%rsi), %r11		# prefetch a[1]
-	mulq	%rcx			# p = a[0] * digit
-	addq	%r9, %rax
-	adcq	$0, %rdx		# p += cy
-	movq	%rax, 0(%rdi)		# r[0] = lo(p)
-	movq	%rdx, %r9		# cy = hi(p)
-
-	movq	%r11, %rax
-	movq	16(%rsi), %r11		# prefetch a[2]
-	mulq	%rcx			# p = a[1] * digit
-	addq	%r9, %rax
-	adcq	$0, %rdx		# p += cy
-	movq	%rax, 8(%rdi)		# r[1] = lo(p)
-	movq	%rdx, %r9		# cy = hi(p)
-
-	movq	%r11, %rax
-	movq	24(%rsi), %r11		# prefetch a[3]
-	mulq	%rcx			# p = a[2] * digit
-	addq	%r9, %rax
-	adcq	$0, %rdx		# p += cy
-	movq	%rax, 16(%rdi)		# r[2] = lo(p)
-	movq	%rdx, %r9		# cy = hi(p)
-
-	movq	%r11, %rax
-	movq	32(%rsi), %r11		# prefetch a[4]
-	mulq	%rcx			# p = a[3] * digit
-	addq	%r9, %rax
-	adcq	$0, %rdx		# p += cy
-	movq	%rax, 24(%rdi)		# r[3] = lo(p)
-	movq	%rdx, %r9		# cy = hi(p)
-
-	movq	%r11, %rax
-	movq	40(%rsi), %r11		# prefetch a[5]
-	mulq	%rcx			# p = a[4] * digit
-	addq	%r9, %rax
-	adcq	$0, %rdx		# p += cy
-	movq	%rax, 32(%rdi)		# r[4] = lo(p)
-	movq	%rdx, %r9		# cy = hi(p)
-
-	movq	%r11, %rax
-	movq	48(%rsi), %r11		# prefetch a[6]
-	mulq	%rcx			# p = a[5] * digit
-	addq	%r9, %rax
-	adcq	$0, %rdx		# p += cy
-	movq	%rax, 40(%rdi)		# r[5] = lo(p)
-	movq	%rdx, %r9		# cy = hi(p)
-
-	movq	%r11, %rax
-	movq	56(%rsi), %r11		# prefetch a[7]
-	mulq	%rcx			# p = a[6] * digit
-	addq	%r9, %rax
-	adcq	$0, %rdx		# p += cy
-	movq	%rax, 48(%rdi)		# r[6] = lo(p)
-	movq	%rdx, %r9		# cy = hi(p)
-
-	movq	%r11, %rax
-	mulq	%rcx			# p = a[7] * digit
-	addq	%r9, %rax
-	adcq	$0, %rdx		# p += cy
-	movq	%rax, 56(%rdi)		# r[7] = lo(p)
-	movq	%rdx, %r9		# cy = hi(p)
-
-	addq	$64, %rsi
-	addq	$64, %rdi
-	subq	$8, %r8
-
-	jz	.L17
-	jmp	.L15
-
-.L16:
-	movq	0(%rsi), %rax
-	mulq	%rcx			# p = a[0] * digit
-	addq	%r9, %rax
-	adcq	$0, %rdx		# p += cy
-	movq	%rax, 0(%rdi)		# r[0] = lo(p)
-	movq	%rdx, %r9		# cy = hi(p)
-	decq	%r8
-	jz	.L17
-
-	movq	8(%rsi), %rax
-	mulq	%rcx			# p = a[1] * digit
-	addq	%r9, %rax
-	adcq	$0, %rdx		# p += cy
-	movq	%rax, 8(%rdi)		# r[1] = lo(p)
-	movq	%rdx, %r9		# cy = hi(p)
-	decq	%r8
-	jz	.L17
-
-	movq	16(%rsi), %rax
-	mulq	%rcx			# p = a[2] * digit
-	addq	%r9, %rax
-	adcq	$0, %rdx		# p += cy
-	movq	%rax, 16(%rdi)		# r[2] = lo(p)
-	movq	%rdx, %r9		# cy = hi(p)
-	decq	%r8
-	jz	.L17
-
-	movq	24(%rsi), %rax
-	mulq	%rcx			# p = a[3] * digit
-	addq	%r9, %rax
-	adcq	$0, %rdx		# p += cy
-	movq	%rax, 24(%rdi)		# r[3] = lo(p)
-	movq	%rdx, %r9		# cy = hi(p)
-	decq	%r8
-	jz	.L17
-
-	movq	32(%rsi), %rax
-	mulq	%rcx			# p = a[4] * digit
-	addq	%r9, %rax
-	adcq	$0, %rdx		# p += cy
-	movq	%rax, 32(%rdi)		# r[4] = lo(p)
-	movq	%rdx, %r9		# cy = hi(p)
-	decq	%r8
-	jz	.L17
-
-	movq	40(%rsi), %rax
-	mulq	%rcx			# p = a[5] * digit
-	addq	%r9, %rax
-	adcq	$0, %rdx		# p += cy
-	movq	%rax, 40(%rdi)		# r[5] = lo(p)
-	movq	%rdx, %r9		# cy = hi(p)
-	decq	%r8
-	jz	.L17
-
-	movq	48(%rsi), %rax
-	mulq	%rcx			# p = a[6] * digit
-	addq	%r9, %rax
-	adcq	$0, %rdx		# p += cy
-	movq	%rax, 48(%rdi)		# r[6] = lo(p)
-	movq	%rdx, %r9		# cy = hi(p)
-	decq	%r8
-	jz	.L17
-
-
-.L17:
-	movq	%r9, %rax
-	ret
-
-.size s_mpv_mul_set_vec64, [.-s_mpv_mul_set_vec64]
-
-# ------------------------------------------------------------------------
-#
-#  Implementation of s_mpv_mul_add_vec which exploits
-#  the 64X64->128 bit  unsigned multiply instruction.
-#
-# ------------------------------------------------------------------------
-
-# r += a * digit, r and a are vectors of length len
-# returns the carry digit
-# r and a are 64 bit aligned.
-#
-# uint64_t
-# s_mpv_mul_add_vec64(uint64_t *r, uint64_t *a, int len, uint64_t digit)
-#
-
-.text; .align 16; .globl s_mpv_mul_add_vec64; .type s_mpv_mul_add_vec64, @function; s_mpv_mul_add_vec64:
-
-	xorq	%rax, %rax		# if (len == 0) return (0)
-	testq	%rdx, %rdx
-	jz	.L27
-
-	movq	%rdx, %r8		# Use r8 for len; %rdx is used by mul
-	xorq	%r9, %r9		# cy = 0
-
-.L25:
-	cmpq	$8, %r8			# 8 - len
-	jb	.L26
-	movq	0(%rsi), %rax		# rax = a[0]
-	movq	0(%rdi), %r10		# r10 = r[0]
-	movq	8(%rsi), %r11		# prefetch a[1]
-	mulq	%rcx			# p = a[0] * digit
-	addq	%r10, %rax
-	adcq	$0, %rdx		# p += r[0]
-	movq	8(%rdi), %r10		# prefetch r[1]
-	addq	%r9, %rax
-	adcq	$0, %rdx		# p += cy
-	movq	%rax, 0(%rdi)		# r[0] = lo(p)
-	movq	%rdx, %r9		# cy = hi(p)
-
-	movq	%r11, %rax
-	movq	16(%rsi), %r11		# prefetch a[2]
-	mulq	%rcx			# p = a[1] * digit
-	addq	%r10, %rax
-	adcq	$0, %rdx		# p += r[1]
-	movq	16(%rdi), %r10		# prefetch r[2]
-	addq	%r9, %rax
-	adcq	$0, %rdx		# p += cy
-	movq	%rax, 8(%rdi)		# r[1] = lo(p)
-	movq	%rdx, %r9		# cy = hi(p)
-
-	movq	%r11, %rax
-	movq	24(%rsi), %r11		# prefetch a[3]
-	mulq	%rcx			# p = a[2] * digit
-	addq	%r10, %rax
-	adcq	$0, %rdx		# p += r[2]
-	movq	24(%rdi), %r10		# prefetch r[3]
-	addq	%r9, %rax
-	adcq	$0, %rdx		# p += cy
-	movq	%rax, 16(%rdi)		# r[2] = lo(p)
-	movq	%rdx, %r9		# cy = hi(p)
-
-	movq	%r11, %rax
-	movq	32(%rsi), %r11		# prefetch a[4]
-	mulq	%rcx			# p = a[3] * digit
-	addq	%r10, %rax
-	adcq	$0, %rdx		# p += r[3]
-	movq	32(%rdi), %r10		# prefetch r[4]
-	addq	%r9, %rax
-	adcq	$0, %rdx		# p += cy
-	movq	%rax, 24(%rdi)		# r[3] = lo(p)
-	movq	%rdx, %r9		# cy = hi(p)
-
-	movq	%r11, %rax
-	movq	40(%rsi), %r11		# prefetch a[5]
-	mulq	%rcx			# p = a[4] * digit
-	addq	%r10, %rax
-	adcq	$0, %rdx		# p += r[4]
-	movq	40(%rdi), %r10		# prefetch r[5]
-	addq	%r9, %rax
-	adcq	$0, %rdx		# p += cy
-	movq	%rax, 32(%rdi)		# r[4] = lo(p)
-	movq	%rdx, %r9		# cy = hi(p)
-
-	movq	%r11, %rax
-	movq	48(%rsi), %r11		# prefetch a[6]
-	mulq	%rcx			# p = a[5] * digit
-	addq	%r10, %rax
-	adcq	$0, %rdx		# p += r[5]
-	movq	48(%rdi), %r10		# prefetch r[6]
-	addq	%r9, %rax
-	adcq	$0, %rdx		# p += cy
-	movq	%rax, 40(%rdi)		# r[5] = lo(p)
-	movq	%rdx, %r9		# cy = hi(p)
-
-	movq	%r11, %rax
-	movq	56(%rsi), %r11		# prefetch a[7]
-	mulq	%rcx			# p = a[6] * digit
-	addq	%r10, %rax
-	adcq	$0, %rdx		# p += r[6]
-	movq	56(%rdi), %r10		# prefetch r[7]
-	addq	%r9, %rax
-	adcq	$0, %rdx		# p += cy
-	movq	%rax, 48(%rdi)		# r[6] = lo(p)
-	movq	%rdx, %r9		# cy = hi(p)
-
-	movq	%r11, %rax
-	mulq	%rcx			# p = a[7] * digit
-	addq	%r10, %rax
-	adcq	$0, %rdx		# p += r[7]
-	addq	%r9, %rax
-	adcq	$0, %rdx		# p += cy
-	movq	%rax, 56(%rdi)		# r[7] = lo(p)
-	movq	%rdx, %r9		# cy = hi(p)
-
-	addq	$64, %rsi
-	addq	$64, %rdi
-	subq	$8, %r8
-
-	jz	.L27
-	jmp	.L25
-
-.L26:
-	movq	0(%rsi), %rax
-	movq	0(%rdi), %r10
-	mulq	%rcx			# p = a[0] * digit
-	addq	%r10, %rax
-	adcq	$0, %rdx		# p += r[0]
-	addq	%r9, %rax
-	adcq	$0, %rdx		# p += cy
-	movq	%rax, 0(%rdi)		# r[0] = lo(p)
-	movq	%rdx, %r9		# cy = hi(p)
-	decq	%r8
-	jz	.L27
-
-	movq	8(%rsi), %rax
-	movq	8(%rdi), %r10
-	mulq	%rcx			# p = a[1] * digit
-	addq	%r10, %rax
-	adcq	$0, %rdx		# p += r[1]
-	addq	%r9, %rax
-	adcq	$0, %rdx		# p += cy
-	movq	%rax, 8(%rdi)		# r[1] = lo(p)
-	movq	%rdx, %r9		# cy = hi(p)
-	decq	%r8
-	jz	.L27
-
-	movq	16(%rsi), %rax
-	movq	16(%rdi), %r10
-	mulq	%rcx			# p = a[2] * digit
-	addq	%r10, %rax
-	adcq	$0, %rdx		# p += r[2]
-	addq	%r9, %rax
-	adcq	$0, %rdx		# p += cy
-	movq	%rax, 16(%rdi)		# r[2] = lo(p)
-	movq	%rdx, %r9		# cy = hi(p)
-	decq	%r8
-	jz	.L27
-
-	movq	24(%rsi), %rax
-	movq	24(%rdi), %r10
-	mulq	%rcx			# p = a[3] * digit
-	addq	%r10, %rax
-	adcq	$0, %rdx		# p += r[3]
-	addq	%r9, %rax
-	adcq	$0, %rdx		# p += cy
-	movq	%rax, 24(%rdi)		# r[3] = lo(p)
-	movq	%rdx, %r9		# cy = hi(p)
-	decq	%r8
-	jz	.L27
-
-	movq	32(%rsi), %rax
-	movq	32(%rdi), %r10
-	mulq	%rcx			# p = a[4] * digit
-	addq	%r10, %rax
-	adcq	$0, %rdx		# p += r[4]
-	addq	%r9, %rax
-	adcq	$0, %rdx		# p += cy
-	movq	%rax, 32(%rdi)		# r[4] = lo(p)
-	movq	%rdx, %r9		# cy = hi(p)
-	decq	%r8
-	jz	.L27
-
-	movq	40(%rsi), %rax
-	movq	40(%rdi), %r10
-	mulq	%rcx			# p = a[5] * digit
-	addq	%r10, %rax
-	adcq	$0, %rdx		# p += r[5]
-	addq	%r9, %rax
-	adcq	$0, %rdx		# p += cy
-	movq	%rax, 40(%rdi)		# r[5] = lo(p)
-	movq	%rdx, %r9		# cy = hi(p)
-	decq	%r8
-	jz	.L27
-
-	movq	48(%rsi), %rax
-	movq	48(%rdi), %r10
-	mulq	%rcx			# p = a[6] * digit
-	addq	%r10, %rax
-	adcq	$0, %rdx		# p += r[6]
-	addq	%r9, %rax
-	adcq	$0, %rdx		# p += cy
-	movq	%rax, 48(%rdi)		# r[6] = lo(p)
-	movq	%rdx, %r9		# cy = hi(p)
-	decq	%r8
-	jz	.L27
-
-
-.L27:
-	movq	%r9, %rax
-	ret
-        
-.size s_mpv_mul_add_vec64, [.-s_mpv_mul_add_vec64]
diff --git a/security/nss/lib/freebl/mpi/mpi_amd64_sun.s b/security/nss/lib/freebl/mpi/mpi_amd64_sun.s
deleted file mode 100644
index ac7107415..000000000
--- a/security/nss/lib/freebl/mpi/mpi_amd64_sun.s
+++ /dev/null
@@ -1,418 +0,0 @@
-/ ***** BEGIN LICENSE BLOCK *****
-/ Version: MPL 1.1/GPL 2.0/LGPL 2.1
-/ 
-/ The contents of this file are subject to the Mozilla Public License Version
-/ 1.1 (the "License"); you may not use this file except in compliance with
-/ the License. You may obtain a copy of the License at
-/ http://www.mozilla.org/MPL/
-/ 
-/ Software distributed under the License is distributed on an "AS IS" basis,
-/ WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-/ for the specific language governing rights and limitations under the
-/ License.
-/ 
-/ The Original Code is the Solaris software cryptographic token.
-/ 
-/ The Initial Developer of the Original Code is
-/ Sun Microsystems, Inc.
-/ Portions created by the Initial Developer are Copyright (C) 2005
-/ the Initial Developer. All Rights Reserved.
-/ 
-/ Contributor(s):
-/   Sun Microsystems, Inc.
-/ 
-/ Alternatively, the contents of this file may be used under the terms of
-/ either the GNU General Public License Version 2 or later (the "GPL"), or
-/ the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-/ in which case the provisions of the GPL or the LGPL are applicable instead
-/ of those above. If you wish to allow use of your version of this file only
-/ under the terms of either the GPL or the LGPL, and not to allow others to
-/ use your version of this file under the terms of the MPL, indicate your
-/ decision by deleting the provisions above and replace them with the notice
-/ and other provisions required by the GPL or the LGPL. If you do not delete
-/ the provisions above, a recipient may use your version of this file under
-/ the terms of any one of the MPL, the GPL or the LGPL.
-/ 
-/ ***** END LICENSE BLOCK ***** */
-
-
-/ ------------------------------------------------------------------------
-/
-/  Implementation of s_mpv_mul_set_vec which exploits
-/  the 64X64->128 bit  unsigned multiply instruction.
-/
-/ ------------------------------------------------------------------------
-
-/ r = a * digit, r and a are vectors of length len
-/ returns the carry digit
-/ r and a are 64 bit aligned.
-/
-/ uint64_t
-/ s_mpv_mul_set_vec64(uint64_t *r, uint64_t *a, int len, uint64_t digit)
-/
-
-.text; .align 16; .globl s_mpv_mul_set_vec64; .type s_mpv_mul_set_vec64, @function; s_mpv_mul_set_vec64:
-
-	xorq	%rax, %rax		/ if (len == 0) return (0)
-	testq	%rdx, %rdx
-	jz	.L17
-
-	movq	%rdx, %r8		/ Use r8 for len; %rdx is used by mul
-	xorq	%r9, %r9		/ cy = 0
-
-.L15:
-	cmpq	$8, %r8			/ 8 - len
-	jb	.L16
-	movq	0(%rsi), %rax		/ rax = a[0]
-	movq	8(%rsi), %r11		/ prefetch a[1]
-	mulq	%rcx			/ p = a[0] * digit
-	addq	%r9, %rax
-	adcq	$0, %rdx		/ p += cy
-	movq	%rax, 0(%rdi)		/ r[0] = lo(p)
-	movq	%rdx, %r9		/ cy = hi(p)
-
-	movq	%r11, %rax
-	movq	16(%rsi), %r11		/ prefetch a[2]
-	mulq	%rcx			/ p = a[1] * digit
-	addq	%r9, %rax
-	adcq	$0, %rdx		/ p += cy
-	movq	%rax, 8(%rdi)		/ r[1] = lo(p)
-	movq	%rdx, %r9		/ cy = hi(p)
-
-	movq	%r11, %rax
-	movq	24(%rsi), %r11		/ prefetch a[3]
-	mulq	%rcx			/ p = a[2] * digit
-	addq	%r9, %rax
-	adcq	$0, %rdx		/ p += cy
-	movq	%rax, 16(%rdi)		/ r[2] = lo(p)
-	movq	%rdx, %r9		/ cy = hi(p)
-
-	movq	%r11, %rax
-	movq	32(%rsi), %r11		/ prefetch a[4]
-	mulq	%rcx			/ p = a[3] * digit
-	addq	%r9, %rax
-	adcq	$0, %rdx		/ p += cy
-	movq	%rax, 24(%rdi)		/ r[3] = lo(p)
-	movq	%rdx, %r9		/ cy = hi(p)
-
-	movq	%r11, %rax
-	movq	40(%rsi), %r11		/ prefetch a[5]
-	mulq	%rcx			/ p = a[4] * digit
-	addq	%r9, %rax
-	adcq	$0, %rdx		/ p += cy
-	movq	%rax, 32(%rdi)		/ r[4] = lo(p)
-	movq	%rdx, %r9		/ cy = hi(p)
-
-	movq	%r11, %rax
-	movq	48(%rsi), %r11		/ prefetch a[6]
-	mulq	%rcx			/ p = a[5] * digit
-	addq	%r9, %rax
-	adcq	$0, %rdx		/ p += cy
-	movq	%rax, 40(%rdi)		/ r[5] = lo(p)
-	movq	%rdx, %r9		/ cy = hi(p)
-
-	movq	%r11, %rax
-	movq	56(%rsi), %r11		/ prefetch a[7]
-	mulq	%rcx			/ p = a[6] * digit
-	addq	%r9, %rax
-	adcq	$0, %rdx		/ p += cy
-	movq	%rax, 48(%rdi)		/ r[6] = lo(p)
-	movq	%rdx, %r9		/ cy = hi(p)
-
-	movq	%r11, %rax
-	mulq	%rcx			/ p = a[7] * digit
-	addq	%r9, %rax
-	adcq	$0, %rdx		/ p += cy
-	movq	%rax, 56(%rdi)		/ r[7] = lo(p)
-	movq	%rdx, %r9		/ cy = hi(p)
-
-	addq	$64, %rsi
-	addq	$64, %rdi
-	subq	$8, %r8
-
-	jz	.L17
-	jmp	.L15
-
-.L16:
-	movq	0(%rsi), %rax
-	mulq	%rcx			/ p = a[0] * digit
-	addq	%r9, %rax
-	adcq	$0, %rdx		/ p += cy
-	movq	%rax, 0(%rdi)		/ r[0] = lo(p)
-	movq	%rdx, %r9		/ cy = hi(p)
-	decq	%r8
-	jz	.L17
-
-	movq	8(%rsi), %rax
-	mulq	%rcx			/ p = a[1] * digit
-	addq	%r9, %rax
-	adcq	$0, %rdx		/ p += cy
-	movq	%rax, 8(%rdi)		/ r[1] = lo(p)
-	movq	%rdx, %r9		/ cy = hi(p)
-	decq	%r8
-	jz	.L17
-
-	movq	16(%rsi), %rax
-	mulq	%rcx			/ p = a[2] * digit
-	addq	%r9, %rax
-	adcq	$0, %rdx		/ p += cy
-	movq	%rax, 16(%rdi)		/ r[2] = lo(p)
-	movq	%rdx, %r9		/ cy = hi(p)
-	decq	%r8
-	jz	.L17
-
-	movq	24(%rsi), %rax
-	mulq	%rcx			/ p = a[3] * digit
-	addq	%r9, %rax
-	adcq	$0, %rdx		/ p += cy
-	movq	%rax, 24(%rdi)		/ r[3] = lo(p)
-	movq	%rdx, %r9		/ cy = hi(p)
-	decq	%r8
-	jz	.L17
-
-	movq	32(%rsi), %rax
-	mulq	%rcx			/ p = a[4] * digit
-	addq	%r9, %rax
-	adcq	$0, %rdx		/ p += cy
-	movq	%rax, 32(%rdi)		/ r[4] = lo(p)
-	movq	%rdx, %r9		/ cy = hi(p)
-	decq	%r8
-	jz	.L17
-
-	movq	40(%rsi), %rax
-	mulq	%rcx			/ p = a[5] * digit
-	addq	%r9, %rax
-	adcq	$0, %rdx		/ p += cy
-	movq	%rax, 40(%rdi)		/ r[5] = lo(p)
-	movq	%rdx, %r9		/ cy = hi(p)
-	decq	%r8
-	jz	.L17
-
-	movq	48(%rsi), %rax
-	mulq	%rcx			/ p = a[6] * digit
-	addq	%r9, %rax
-	adcq	$0, %rdx		/ p += cy
-	movq	%rax, 48(%rdi)		/ r[6] = lo(p)
-	movq	%rdx, %r9		/ cy = hi(p)
-	decq	%r8
-	jz	.L17
-
-
-.L17:
-	movq	%r9, %rax
-	ret
-
-.size s_mpv_mul_set_vec64, [.-s_mpv_mul_set_vec64]
-
-/ ------------------------------------------------------------------------
-/
-/  Implementation of s_mpv_mul_add_vec which exploits
-/  the 64X64->128 bit  unsigned multiply instruction.
-/
-/ ------------------------------------------------------------------------
-
-/ r += a * digit, r and a are vectors of length len
-/ returns the carry digit
-/ r and a are 64 bit aligned.
-/
-/ uint64_t
-/ s_mpv_mul_add_vec64(uint64_t *r, uint64_t *a, int len, uint64_t digit)
-/
-
-.text; .align 16; .globl s_mpv_mul_add_vec64; .type s_mpv_mul_add_vec64, @function; s_mpv_mul_add_vec64:
-
-	xorq	%rax, %rax		/ if (len == 0) return (0)
-	testq	%rdx, %rdx
-	jz	.L27
-
-	movq	%rdx, %r8		/ Use r8 for len; %rdx is used by mul
-	xorq	%r9, %r9		/ cy = 0
-
-.L25:
-	cmpq	$8, %r8			/ 8 - len
-	jb	.L26
-	movq	0(%rsi), %rax		/ rax = a[0]
-	movq	0(%rdi), %r10		/ r10 = r[0]
-	movq	8(%rsi), %r11		/ prefetch a[1]
-	mulq	%rcx			/ p = a[0] * digit
-	addq	%r10, %rax
-	adcq	$0, %rdx		/ p += r[0]
-	movq	8(%rdi), %r10		/ prefetch r[1]
-	addq	%r9, %rax
-	adcq	$0, %rdx		/ p += cy
-	movq	%rax, 0(%rdi)		/ r[0] = lo(p)
-	movq	%rdx, %r9		/ cy = hi(p)
-
-	movq	%r11, %rax
-	movq	16(%rsi), %r11		/ prefetch a[2]
-	mulq	%rcx			/ p = a[1] * digit
-	addq	%r10, %rax
-	adcq	$0, %rdx		/ p += r[1]
-	movq	16(%rdi), %r10		/ prefetch r[2]
-	addq	%r9, %rax
-	adcq	$0, %rdx		/ p += cy
-	movq	%rax, 8(%rdi)		/ r[1] = lo(p)
-	movq	%rdx, %r9		/ cy = hi(p)
-
-	movq	%r11, %rax
-	movq	24(%rsi), %r11		/ prefetch a[3]
-	mulq	%rcx			/ p = a[2] * digit
-	addq	%r10, %rax
-	adcq	$0, %rdx		/ p += r[2]
-	movq	24(%rdi), %r10		/ prefetch r[3]
-	addq	%r9, %rax
-	adcq	$0, %rdx		/ p += cy
-	movq	%rax, 16(%rdi)		/ r[2] = lo(p)
-	movq	%rdx, %r9		/ cy = hi(p)
-
-	movq	%r11, %rax
-	movq	32(%rsi), %r11		/ prefetch a[4]
-	mulq	%rcx			/ p = a[3] * digit
-	addq	%r10, %rax
-	adcq	$0, %rdx		/ p += r[3]
-	movq	32(%rdi), %r10		/ prefetch r[4]
-	addq	%r9, %rax
-	adcq	$0, %rdx		/ p += cy
-	movq	%rax, 24(%rdi)		/ r[3] = lo(p)
-	movq	%rdx, %r9		/ cy = hi(p)
-
-	movq	%r11, %rax
-	movq	40(%rsi), %r11		/ prefetch a[5]
-	mulq	%rcx			/ p = a[4] * digit
-	addq	%r10, %rax
-	adcq	$0, %rdx		/ p += r[4]
-	movq	40(%rdi), %r10		/ prefetch r[5]
-	addq	%r9, %rax
-	adcq	$0, %rdx		/ p += cy
-	movq	%rax, 32(%rdi)		/ r[4] = lo(p)
-	movq	%rdx, %r9		/ cy = hi(p)
-
-	movq	%r11, %rax
-	movq	48(%rsi), %r11		/ prefetch a[6]
-	mulq	%rcx			/ p = a[5] * digit
-	addq	%r10, %rax
-	adcq	$0, %rdx		/ p += r[5]
-	movq	48(%rdi), %r10		/ prefetch r[6]
-	addq	%r9, %rax
-	adcq	$0, %rdx		/ p += cy
-	movq	%rax, 40(%rdi)		/ r[5] = lo(p)
-	movq	%rdx, %r9		/ cy = hi(p)
-
-	movq	%r11, %rax
-	movq	56(%rsi), %r11		/ prefetch a[7]
-	mulq	%rcx			/ p = a[6] * digit
-	addq	%r10, %rax
-	adcq	$0, %rdx		/ p += r[6]
-	movq	56(%rdi), %r10		/ prefetch r[7]
-	addq	%r9, %rax
-	adcq	$0, %rdx		/ p += cy
-	movq	%rax, 48(%rdi)		/ r[6] = lo(p)
-	movq	%rdx, %r9		/ cy = hi(p)
-
-	movq	%r11, %rax
-	mulq	%rcx			/ p = a[7] * digit
-	addq	%r10, %rax
-	adcq	$0, %rdx		/ p += r[7]
-	addq	%r9, %rax
-	adcq	$0, %rdx		/ p += cy
-	movq	%rax, 56(%rdi)		/ r[7] = lo(p)
-	movq	%rdx, %r9		/ cy = hi(p)
-
-	addq	$64, %rsi
-	addq	$64, %rdi
-	subq	$8, %r8
-
-	jz	.L27
-	jmp	.L25
-
-.L26:
-	movq	0(%rsi), %rax
-	movq	0(%rdi), %r10
-	mulq	%rcx			/ p = a[0] * digit
-	addq	%r10, %rax
-	adcq	$0, %rdx		/ p += r[0]
-	addq	%r9, %rax
-	adcq	$0, %rdx		/ p += cy
-	movq	%rax, 0(%rdi)		/ r[0] = lo(p)
-	movq	%rdx, %r9		/ cy = hi(p)
-	decq	%r8
-	jz	.L27
-
-	movq	8(%rsi), %rax
-	movq	8(%rdi), %r10
-	mulq	%rcx			/ p = a[1] * digit
-	addq	%r10, %rax
-	adcq	$0, %rdx		/ p += r[1]
-	addq	%r9, %rax
-	adcq	$0, %rdx		/ p += cy
-	movq	%rax, 8(%rdi)		/ r[1] = lo(p)
-	movq	%rdx, %r9		/ cy = hi(p)
-	decq	%r8
-	jz	.L27
-
-	movq	16(%rsi), %rax
-	movq	16(%rdi), %r10
-	mulq	%rcx			/ p = a[2] * digit
-	addq	%r10, %rax
-	adcq	$0, %rdx		/ p += r[2]
-	addq	%r9, %rax
-	adcq	$0, %rdx		/ p += cy
-	movq	%rax, 16(%rdi)		/ r[2] = lo(p)
-	movq	%rdx, %r9		/ cy = hi(p)
-	decq	%r8
-	jz	.L27
-
-	movq	24(%rsi), %rax
-	movq	24(%rdi), %r10
-	mulq	%rcx			/ p = a[3] * digit
-	addq	%r10, %rax
-	adcq	$0, %rdx		/ p += r[3]
-	addq	%r9, %rax
-	adcq	$0, %rdx		/ p += cy
-	movq	%rax, 24(%rdi)		/ r[3] = lo(p)
-	movq	%rdx, %r9		/ cy = hi(p)
-	decq	%r8
-	jz	.L27
-
-	movq	32(%rsi), %rax
-	movq	32(%rdi), %r10
-	mulq	%rcx			/ p = a[4] * digit
-	addq	%r10, %rax
-	adcq	$0, %rdx		/ p += r[4]
-	addq	%r9, %rax
-	adcq	$0, %rdx		/ p += cy
-	movq	%rax, 32(%rdi)		/ r[4] = lo(p)
-	movq	%rdx, %r9		/ cy = hi(p)
-	decq	%r8
-	jz	.L27
-
-	movq	40(%rsi), %rax
-	movq	40(%rdi), %r10
-	mulq	%rcx			/ p = a[5] * digit
-	addq	%r10, %rax
-	adcq	$0, %rdx		/ p += r[5]
-	addq	%r9, %rax
-	adcq	$0, %rdx		/ p += cy
-	movq	%rax, 40(%rdi)		/ r[5] = lo(p)
-	movq	%rdx, %r9		/ cy = hi(p)
-	decq	%r8
-	jz	.L27
-
-	movq	48(%rsi), %rax
-	movq	48(%rdi), %r10
-	mulq	%rcx			/ p = a[6] * digit
-	addq	%r10, %rax
-	adcq	$0, %rdx		/ p += r[6]
-	addq	%r9, %rax
-	adcq	$0, %rdx		/ p += cy
-	movq	%rax, 48(%rdi)		/ r[6] = lo(p)
-	movq	%rdx, %r9		/ cy = hi(p)
-	decq	%r8
-	jz	.L27
-
-
-.L27:
-	movq	%r9, %rax
-	ret
-        
-.size s_mpv_mul_add_vec64, [.-s_mpv_mul_add_vec64]
diff --git a/security/nss/lib/freebl/mpi/mpi_hp.c b/security/nss/lib/freebl/mpi/mpi_hp.c
deleted file mode 100644
index c27e9cfa7..000000000
--- a/security/nss/lib/freebl/mpi/mpi_hp.c
+++ /dev/null
@@ -1,115 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-/* This file contains routines that perform vector multiplication.  */
-
-#include "mpi-priv.h"
-#include <unistd.h>
-
-#include <stddef.h>
-/* #include <sys/systeminfo.h> */
-#include <strings.h>
-
-extern void multacc512( 
-   int             length,        /* doublewords in multiplicand vector. */
-   const mp_digit *scalaraddr,    /* Address of scalar. */
-   const mp_digit *multiplicand,  /* The multiplicand vector. */
-   mp_digit *      result);       /* Where to accumulate the result. */
-
-extern void maxpy_little(
-   int             length,        /* doublewords in multiplicand vector. */
-   const mp_digit *scalaraddr,    /* Address of scalar. */
-   const mp_digit *multiplicand,  /* The multiplicand vector. */
-   mp_digit *      result);       /* Where to accumulate the result. */
-
-extern void add_diag_little(
-   int            length,       /* doublewords in input vector. */
-   const mp_digit *root,         /* The vector to square. */
-   mp_digit *      result);      /* Where to accumulate the result. */
-
-void 
-s_mpv_sqr_add_prop(const mp_digit *pa, mp_size a_len, mp_digit *ps)
-{
-    add_diag_little(a_len, pa, ps);
-}
-
-#define MAX_STACK_DIGITS 258
-#define MULTACC512_LEN   (512 / MP_DIGIT_BIT)
-#define HP_MPY_ADD_FN    (a_len == MULTACC512_LEN ? multacc512 : maxpy_little)
-
-/* c = a * b */
-void 
-s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
-{
-    mp_digit x[MAX_STACK_DIGITS];
-    mp_digit *px = x;
-    size_t   xSize = 0;
-
-    if (a == c) {
-	if (a_len > MAX_STACK_DIGITS) {
-	    xSize = sizeof(mp_digit) * (a_len + 2);
-	    px = malloc(xSize);
-	    if (!px)
-		return;
-	}
-	memcpy(px, a, a_len * sizeof(*a));
-	a = px;
-    }
-    s_mp_setz(c, a_len + 1);
-    HP_MPY_ADD_FN(a_len, &b, a, c);
-    if (px != x && px) {
-	memset(px, 0, xSize);
-	free(px);
-    }
-}
-
-/* c += a * b, where a is a_len words long. */
-void     
-s_mpv_mul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
-{
-    c[a_len] = 0;	/* so carry propagation stops here. */
-    HP_MPY_ADD_FN(a_len, &b, a, c);
-}
-
-/* c += a * b, where a is y words long. */
-void     
-s_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len, mp_digit b, 
-			 mp_digit *c)
-{
-    HP_MPY_ADD_FN(a_len, &b, a, c);
-}
-
diff --git a/security/nss/lib/freebl/mpi/mpi_i86pc.s b/security/nss/lib/freebl/mpi/mpi_i86pc.s
deleted file mode 100644
index f6c167b1a..000000000
--- a/security/nss/lib/freebl/mpi/mpi_i86pc.s
+++ /dev/null
@@ -1,342 +0,0 @@
- /
- / The contents of this file are subject to the Mozilla Public
- / License Version 1.1 (the "License"); you may not use this file
- / except in compliance with the License. You may obtain a copy of
- / the License at http://www.mozilla.org/MPL/
- / 
- / Software distributed under the License is distributed on an "AS
- / IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- / implied. See the License for the specific language governing
- / rights and limitations under the License.
- / 
- / The Original Code is the Netscape security libraries.
- / 
- / The Initial Developer of the Original Code is Netscape
- / Communications Corporation.	Portions created by Netscape are 
- / Copyright (C) 2001 Netscape Communications Corporation.  All
- / Rights Reserved.
- / 
- / Contributor(s):
- / 
- / Alternatively, the contents of this file may be used under the
- / terms of the GNU General Public License Version 2 or later (the
- / "GPL"), in which case the provisions of the GPL are applicable 
- / instead of those above. If you wish to allow use of your 
- / version of this file only under the terms of the GPL and not to
- / allow others to use your version of this file under the MPL,
- / indicate your decision by deleting the provisions above and
- / replace them with the notice and other provisions required by
- / the GPL.  If you do not delete the provisions above, a recipient
- / may use your version of this file under either the MPL or the
- / GPL.
- /  $Id$
- /
-
-.text
-
- /  ebp - 36:	caller's esi
- /  ebp - 32:	caller's edi
- /  ebp - 28:	
- /  ebp - 24:	
- /  ebp - 20:	
- /  ebp - 16:	
- /  ebp - 12:	
- /  ebp - 8:	
- /  ebp - 4:	
- /  ebp + 0:	caller's ebp
- /  ebp + 4:	return address
- /  ebp + 8:	a	argument
- /  ebp + 12:	a_len	argument
- /  ebp + 16:	b	argument
- /  ebp + 20:	c	argument
- /  registers:
- / 	eax:
- /	ebx:	carry
- /	ecx:	a_len
- /	edx:
- /	esi:	a ptr
- /	edi:	c ptr
-.globl	s_mpv_mul_d
-.type	s_mpv_mul_d,@function
-s_mpv_mul_d:
-    push   %ebp
-    mov    %esp,%ebp
-    sub    $28,%esp
-    push   %edi
-    push   %esi
-    push   %ebx
-    movl   $0,%ebx		/ carry = 0
-    mov    12(%ebp),%ecx	/ ecx = a_len
-    mov    20(%ebp),%edi
-    cmp    $0,%ecx
-    je     L2			/ jmp if a_len == 0
-    mov    8(%ebp),%esi		/ esi = a
-    cld
-L1:
-    lodsl			/ eax = [ds:esi]; esi += 4
-    mov    16(%ebp),%edx	/ edx = b
-    mull   %edx			/ edx:eax = Phi:Plo = a_i * b
-
-    add    %ebx,%eax		/ add carry (%ebx) to edx:eax
-    adc    $0,%edx
-    mov    %edx,%ebx		/ high half of product becomes next carry
-
-    stosl			/ [es:edi] = ax; edi += 4;
-    dec    %ecx			/ --a_len
-    jnz    L1			/ jmp if a_len != 0
-L2:
-    mov    %ebx,0(%edi)		/ *c = carry
-    pop    %ebx
-    pop    %esi
-    pop    %edi
-    leave  
-    ret    
-    nop
-
- /  ebp - 36:	caller's esi
- /  ebp - 32:	caller's edi
- /  ebp - 28:	
- /  ebp - 24:	
- /  ebp - 20:	
- /  ebp - 16:	
- /  ebp - 12:	
- /  ebp - 8:	
- /  ebp - 4:	
- /  ebp + 0:	caller's ebp
- /  ebp + 4:	return address
- /  ebp + 8:	a	argument
- /  ebp + 12:	a_len	argument
- /  ebp + 16:	b	argument
- /  ebp + 20:	c	argument
- /  registers:
- / 	eax:
- /	ebx:	carry
- /	ecx:	a_len
- /	edx:
- /	esi:	a ptr
- /	edi:	c ptr
-.globl	s_mpv_mul_d_add
-.type	s_mpv_mul_d_add,@function
-s_mpv_mul_d_add:
-    push   %ebp
-    mov    %esp,%ebp
-    sub    $28,%esp
-    push   %edi
-    push   %esi
-    push   %ebx
-    movl   $0,%ebx		/ carry = 0
-    mov    12(%ebp),%ecx	/ ecx = a_len
-    mov    20(%ebp),%edi
-    cmp    $0,%ecx
-    je     L4			/ jmp if a_len == 0
-    mov    8(%ebp),%esi		/ esi = a
-    cld
-L3:
-    lodsl			/ eax = [ds:esi]; esi += 4
-    mov    16(%ebp),%edx	/ edx = b
-    mull   %edx			/ edx:eax = Phi:Plo = a_i * b
-
-    add    %ebx,%eax		/ add carry (%ebx) to edx:eax
-    adc    $0,%edx
-    mov    0(%edi),%ebx		/ add in current word from *c
-    add    %ebx,%eax		
-    adc    $0,%edx
-    mov    %edx,%ebx		/ high half of product becomes next carry
-
-    stosl			/ [es:edi] = ax; edi += 4;
-    dec    %ecx			/ --a_len
-    jnz    L3			/ jmp if a_len != 0
-L4:
-    mov    %ebx,0(%edi)		/ *c = carry
-    pop    %ebx
-    pop    %esi
-    pop    %edi
-    leave  
-    ret    
-    nop
-
- /  ebp - 36:	caller's esi
- /  ebp - 32:	caller's edi
- /  ebp - 28:	
- /  ebp - 24:	
- /  ebp - 20:	
- /  ebp - 16:	
- /  ebp - 12:	
- /  ebp - 8:	
- /  ebp - 4:	
- /  ebp + 0:	caller's ebp
- /  ebp + 4:	return address
- /  ebp + 8:	a	argument
- /  ebp + 12:	a_len	argument
- /  ebp + 16:	b	argument
- /  ebp + 20:	c	argument
- /  registers:
- / 	eax:
- /	ebx:	carry
- /	ecx:	a_len
- /	edx:
- /	esi:	a ptr
- /	edi:	c ptr
-.globl	s_mpv_mul_d_add_prop
-.type	s_mpv_mul_d_add_prop,@function
-s_mpv_mul_d_add_prop:
-    push   %ebp
-    mov    %esp,%ebp
-    sub    $28,%esp
-    push   %edi
-    push   %esi
-    push   %ebx
-    movl   $0,%ebx		/ carry = 0
-    mov    12(%ebp),%ecx	/ ecx = a_len
-    mov    20(%ebp),%edi
-    cmp    $0,%ecx
-    je     L6			/ jmp if a_len == 0
-    cld
-    mov    8(%ebp),%esi		/ esi = a
-L5:
-    lodsl			/ eax = [ds:esi]; esi += 4
-    mov    16(%ebp),%edx	/ edx = b
-    mull   %edx			/ edx:eax = Phi:Plo = a_i * b
-
-    add    %ebx,%eax		/ add carry (%ebx) to edx:eax
-    adc    $0,%edx
-    mov    0(%edi),%ebx		/ add in current word from *c
-    add    %ebx,%eax		
-    adc    $0,%edx
-    mov    %edx,%ebx		/ high half of product becomes next carry
-
-    stosl			/ [es:edi] = ax; edi += 4;
-    dec    %ecx			/ --a_len
-    jnz    L5			/ jmp if a_len != 0
-L6:
-    cmp    $0,%ebx		/ is carry zero?
-    jz     L8
-    mov    0(%edi),%eax		/ add in current word from *c
-    add	   %ebx,%eax
-    stosl			/ [es:edi] = ax; edi += 4;
-    jnc    L8
-L7:
-    mov    0(%edi),%eax		/ add in current word from *c
-    adc	   $0,%eax
-    stosl			/ [es:edi] = ax; edi += 4;
-    jc     L7
-L8:
-    pop    %ebx
-    pop    %esi
-    pop    %edi
-    leave  
-    ret    
-    nop
-
- /  ebp - 20:	caller's esi
- /  ebp - 16:	caller's edi
- /  ebp - 12:	
- /  ebp - 8:	carry
- /  ebp - 4:	a_len	local
- /  ebp + 0:	caller's ebp
- /  ebp + 4:	return address
- /  ebp + 8:	pa	argument
- /  ebp + 12:	a_len	argument
- /  ebp + 16:	ps	argument
- /  ebp + 20:	
- /  registers:
- / 	eax:
- /	ebx:	carry
- /	ecx:	a_len
- /	edx:
- /	esi:	a ptr
- /	edi:	c ptr
-
-.globl	s_mpv_sqr_add_prop
-.type	s_mpv_sqr_add_prop,@function
-s_mpv_sqr_add_prop:
-     push   %ebp
-     mov    %esp,%ebp
-     sub    $12,%esp
-     push   %edi
-     push   %esi
-     push   %ebx
-     movl   $0,%ebx		/ carry = 0
-     mov    12(%ebp),%ecx	/ a_len
-     mov    16(%ebp),%edi	/ edi = ps
-     cmp    $0,%ecx
-     je     L11			/ jump if a_len == 0
-     cld
-     mov    8(%ebp),%esi	/ esi = pa
-L10:
-     lodsl			/ %eax = [ds:si]; si += 4;
-     mull   %eax
-
-     add    %ebx,%eax		/ add "carry"
-     adc    $0,%edx
-     mov    0(%edi),%ebx
-     add    %ebx,%eax		/ add low word from result
-     mov    4(%edi),%ebx
-     stosl			/ [es:di] = %eax; di += 4;
-     adc    %ebx,%edx		/ add high word from result
-     movl   $0,%ebx
-     mov    %edx,%eax
-     adc    $0,%ebx
-     stosl			/ [es:di] = %eax; di += 4;
-     dec    %ecx		/ --a_len
-     jnz    L10			/ jmp if a_len != 0
-L11:
-    cmp    $0,%ebx		/ is carry zero?
-    jz     L14
-    mov    0(%edi),%eax		/ add in current word from *c
-    add	   %ebx,%eax
-    stosl			/ [es:edi] = ax; edi += 4;
-    jnc    L14
-L12:
-    mov    0(%edi),%eax		/ add in current word from *c
-    adc	   $0,%eax
-    stosl			/ [es:edi] = ax; edi += 4;
-    jc     L12
-L14:
-    pop    %ebx
-    pop    %esi
-    pop    %edi
-    leave  
-    ret    
-    nop
-
- /
- / Divide 64-bit (Nhi,Nlo) by 32-bit divisor, which must be normalized
- / so its high bit is 1.   This code is from NSPR.
- /
- / mp_err s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo, mp_digit divisor,
- / 		          mp_digit *qp, mp_digit *rp)
-
- /  esp +  0:   Caller's ebx
- /  esp +  4:	return address
- /  esp +  8:	Nhi	argument
- /  esp + 12:	Nlo	argument
- /  esp + 16:	divisor	argument
- /  esp + 20:	qp	argument
- /  esp + 24:   rp	argument
- /  registers:
- / 	eax:
- /	ebx:	carry
- /	ecx:	a_len
- /	edx:
- /	esi:	a ptr
- /	edi:	c ptr
- / 
-
-.globl	s_mpv_div_2dx1d
-.type	s_mpv_div_2dx1d,@function
-s_mpv_div_2dx1d:
-       push   %ebx
-       mov    8(%esp),%edx
-       mov    12(%esp),%eax
-       mov    16(%esp),%ebx
-       div    %ebx
-       mov    20(%esp),%ebx
-       mov    %eax,0(%ebx)
-       mov    24(%esp),%ebx
-       mov    %edx,0(%ebx)
-       xor    %eax,%eax		/ return zero
-       pop    %ebx
-       ret    
-       nop
-  
diff --git a/security/nss/lib/freebl/mpi/mpi_mips.s b/security/nss/lib/freebl/mpi/mpi_mips.s
deleted file mode 100644
index bb846ee57..000000000
--- a/security/nss/lib/freebl/mpi/mpi_mips.s
+++ /dev/null
@@ -1,502 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- * 
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- * 
- * The Original Code is the Netscape security libraries.
- * 
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation.	Portions created by Netscape are 
- * Copyright (C) 2000 Netscape Communications Corporation.  All
- * Rights Reserved.
- * 
- * Contributor(s):
- * 
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable 
- * instead of those above.	If you wish to allow use of your 
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL.  If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *  $Id$
- */
-#include <regdef.h>
-        .set    noreorder
-        .set    noat
-
-        .section        .text, 1, 0x00000006, 4, 4
-.text:
-        .section        .text
-
-        .ent    s_mpv_mul_d_add
-        .globl  s_mpv_mul_d_add
-
-s_mpv_mul_d_add: 
- #/* c += a * b */
- #void s_mpv_mul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, 
- #			      mp_digit *c)
- #{
- #  mp_digit   a0, a1;	regs a4, a5
- #  mp_digit   c0, c1;  regs a6, a7
- #  mp_digit   cy = 0;  reg t2
- #  mp_word    w0, w1;  regs t0, t1
- #
- #  if (a_len) {
-	beq	a1,zero,.L.1
-	move	t2,zero		# cy = 0
-	dsll32	a2,a2,0		# "b" is sometimes negative (?!?!)
-	dsrl32	a2,a2,0		# This clears the upper 32 bits.
- #    a0 = a[0];
-	lwu	a4,0(a0)
- #    w0 = ((mp_word)b * a0);
-	dmultu	a2,a4
- #    if (--a_len) {
-	addiu	a1,a1,-1
-	beq	a1,zero,.L.2
- #      while (a_len >= 2) {
-	sltiu	t3,a1,2
-	bne	t3,zero,.L.3
- #	  a1     = a[1];
-	lwu	a5,4(a0)
-.L.4:
- #	  a_len -= 2;
-        addiu	a1,a1,-2
- #	  c0     = c[0];
-	lwu	a6,0(a3)
- #	  w0    += cy;
-	mflo	t0
-	daddu	t0,t0,t2
- #	  w0    += c0;
-	daddu	t0,t0,a6
- #	  w1     = (mp_word)b * a1; 
-	dmultu	a2,a5			#
- #	  cy     = CARRYOUT(w0);
-	dsrl32	t2,t0,0
- #	  c[0]   = ACCUM(w0);
-	sw	t0,0(a3)
- #	  a0     = a[2];
-	lwu	a4,8(a0)
- #	  a     += 2;
-	addiu	a0,a0,8
- #	  c1     = c[1];
-	lwu	a7,4(a3)
- #	  w1    += cy;
-	mflo	t1
-	daddu	t1,t1,t2
- #	  w1    += c1;
-	daddu	t1,t1,a7
- #	  w0     = (mp_word)b * a0;
-	dmultu	a2,a4			#
- #	  cy     = CARRYOUT(w1);
-	dsrl32	t2,t1,0
- #	  c[1]   = ACCUM(w1);
-	sw	t1,4(a3)
- #	  c     += 2;
-	addiu	a3,a3,8
-	sltiu	t3,a1,2
-	beq	t3,zero,.L.4
- #	  a1     = a[1];
-	lwu	a5,4(a0)
- #      }
-.L.3:
- #      c0       = c[0];
-	lwu	a6,0(a3)
- #      w0      += cy;
- #      if (a_len) {
-	mflo	t0
-	beq	a1,zero,.L.5
-	daddu	t0,t0,t2
- #	  w1     = (mp_word)b * a1; 
-	dmultu	a2,a5
- #	  w0    += c0;
-	daddu	t0,t0,a6		#
- #	  cy     = CARRYOUT(w0);
-	dsrl32	t2,t0,0
- #	  c[0]   = ACCUM(w0);
-	sw	t0,0(a3)
- #	  c1     = c[1];
-	lwu	a7,4(a3)
- #	  w1    += cy;
-	mflo	t1
-	daddu	t1,t1,t2
- #	  w1    += c1;
-	daddu	t1,t1,a7
- #	  c[1]   = ACCUM(w1);
-	sw	t1,4(a3)
- #	  cy     = CARRYOUT(w1);
-	dsrl32	t2,t1,0
- #	  c     += 1;
-	b	.L.6
-	addiu	a3,a3,4
- #      } else {
-.L.5:
- #	  w0    += c0;
-	daddu	t0,t0,a6
- #	  c[0]   = ACCUM(w0);
-	sw	t0,0(a3)
- #	  cy     = CARRYOUT(w0);
-	b	.L.6
-	dsrl32	t2,t0,0
- #      }
- #    } else {
-.L.2:
- #      c0     = c[0];
-	lwu	a6,0(a3)
- #      w0    += c0;
-	mflo	t0
-	daddu	t0,t0,a6
- #      c[0]   = ACCUM(w0);
-	sw	t0,0(a3)
- #      cy     = CARRYOUT(w0);
-	dsrl32	t2,t0,0
- #    }
-.L.6:
- #    c[1] = cy;
-	jr	ra
-	sw	t2,4(a3)
- #  }
-.L.1:
-	jr	ra
-	nop
- #}
- #
-        .end    s_mpv_mul_d_add
-
-        .ent    s_mpv_mul_d_add_prop
-        .globl  s_mpv_mul_d_add_prop
-
-s_mpv_mul_d_add_prop: 
- #/* c += a * b */
- #void s_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len, mp_digit b, 
- #			      mp_digit *c)
- #{
- #  mp_digit   a0, a1;	regs a4, a5
- #  mp_digit   c0, c1;  regs a6, a7
- #  mp_digit   cy = 0;  reg t2
- #  mp_word    w0, w1;  regs t0, t1
- #
- #  if (a_len) {
-	beq	a1,zero,.M.1
-	move	t2,zero		# cy = 0
-	dsll32	a2,a2,0		# "b" is sometimes negative (?!?!)
-	dsrl32	a2,a2,0		# This clears the upper 32 bits.
- #    a0 = a[0];
-	lwu	a4,0(a0)
- #    w0 = ((mp_word)b * a0);
-	dmultu	a2,a4
- #    if (--a_len) {
-	addiu	a1,a1,-1
-	beq	a1,zero,.M.2
- #      while (a_len >= 2) {
-	sltiu	t3,a1,2
-	bne	t3,zero,.M.3
- #	  a1     = a[1];
-	lwu	a5,4(a0)
-.M.4:
- #	  a_len -= 2;
-        addiu	a1,a1,-2
- #	  c0     = c[0];
-	lwu	a6,0(a3)
- #	  w0    += cy;
-	mflo	t0
-	daddu	t0,t0,t2
- #	  w0    += c0;
-	daddu	t0,t0,a6
- #	  w1     = (mp_word)b * a1; 
-	dmultu	a2,a5			#
- #	  cy     = CARRYOUT(w0);
-	dsrl32	t2,t0,0
- #	  c[0]   = ACCUM(w0);
-	sw	t0,0(a3)
- #	  a0     = a[2];
-	lwu	a4,8(a0)
- #	  a     += 2;
-	addiu	a0,a0,8
- #	  c1     = c[1];
-	lwu	a7,4(a3)
- #	  w1    += cy;
-	mflo	t1
-	daddu	t1,t1,t2
- #	  w1    += c1;
-	daddu	t1,t1,a7
- #	  w0     = (mp_word)b * a0;
-	dmultu	a2,a4			#
- #	  cy     = CARRYOUT(w1);
-	dsrl32	t2,t1,0
- #	  c[1]   = ACCUM(w1);
-	sw	t1,4(a3)
- #	  c     += 2;
-	addiu	a3,a3,8
-	sltiu	t3,a1,2
-	beq	t3,zero,.M.4
- #	  a1     = a[1];
-	lwu	a5,4(a0)
- #      }
-.M.3:
- #      c0       = c[0];
-	lwu	a6,0(a3)
- #      w0      += cy;
- #      if (a_len) {
-	mflo	t0
-	beq	a1,zero,.M.5
-	daddu	t0,t0,t2
- #	  w1     = (mp_word)b * a1; 
-	dmultu	a2,a5
- #	  w0    += c0;
-	daddu	t0,t0,a6		#
- #	  cy     = CARRYOUT(w0);
-	dsrl32	t2,t0,0
- #	  c[0]   = ACCUM(w0);
-	sw	t0,0(a3)
- #	  c1     = c[1];
-	lwu	a7,4(a3)
- #	  w1    += cy;
-	mflo	t1
-	daddu	t1,t1,t2
- #	  w1    += c1;
-	daddu	t1,t1,a7
- #	  c[1]   = ACCUM(w1);
-	sw	t1,4(a3)
- #	  cy     = CARRYOUT(w1);
-	dsrl32	t2,t1,0
- #	  c     += 1;
-	b	.M.6
-	addiu	a3,a3,8
- #      } else {
-.M.5:
- #	  w0    += c0;
-	daddu	t0,t0,a6
- #	  c[0]   = ACCUM(w0);
-	sw	t0,0(a3)
- #	  cy     = CARRYOUT(w0);
-	dsrl32	t2,t0,0
-	b	.M.6
-	addiu	a3,a3,4
- #      }
- #    } else {
-.M.2:
- #      c0     = c[0];
-	lwu	a6,0(a3)
- #      w0    += c0;
-	mflo	t0
-	daddu	t0,t0,a6
- #      c[0]   = ACCUM(w0);
-	sw	t0,0(a3)
- #      cy     = CARRYOUT(w0);
-	dsrl32	t2,t0,0
-	addiu	a3,a3,4
- #    }
-.M.6:
-
- #    while (cy) {
-	beq	t2,zero,.M.1
-	nop
-.M.7:
- #      mp_word w = (mp_word)*c + cy;
-	lwu	a6,0(a3)
-	daddu	t2,t2,a6
- #      *c++ = ACCUM(w);
-	sw	t2,0(a3)
- #      cy = CARRYOUT(w);
-	dsrl32	t2,t2,0
-	bne	t2,zero,.M.7
-	addiu	a3,a3,4
-
- #  }
-.M.1:
-	jr	ra
-	nop
- #}
- #
-        .end    s_mpv_mul_d_add_prop
-
-        .ent    s_mpv_mul_d
-        .globl  s_mpv_mul_d
-
-s_mpv_mul_d: 
- #/* c = a * b */
- #void s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, 
- #			      mp_digit *c)
- #{
- #  mp_digit   a0, a1;	regs a4, a5
- #  mp_digit   cy = 0;  reg t2
- #  mp_word    w0, w1;  regs t0, t1
- #
- #  if (a_len) {
-	beq	a1,zero,.N.1
-	move	t2,zero		# cy = 0
-	dsll32	a2,a2,0		# "b" is sometimes negative (?!?!)
-	dsrl32	a2,a2,0		# This clears the upper 32 bits.
- #    a0 = a[0];
-	lwu	a4,0(a0)
- #    w0 = ((mp_word)b * a0);
-	dmultu	a2,a4
- #    if (--a_len) {
-	addiu	a1,a1,-1
-	beq	a1,zero,.N.2
- #      while (a_len >= 2) {
-	sltiu	t3,a1,2
-	bne	t3,zero,.N.3
- #	  a1     = a[1];
-	lwu	a5,4(a0)
-.N.4:
- #	  a_len -= 2;
-        addiu	a1,a1,-2
- #	  w0    += cy;
-	mflo	t0
-	daddu	t0,t0,t2
- #	  cy     = CARRYOUT(w0);
-	dsrl32	t2,t0,0
- #	  w1     = (mp_word)b * a1; 
-	dmultu	a2,a5	
- #	  c[0]   = ACCUM(w0);
-	sw	t0,0(a3)
- #	  a0     = a[2];
-	lwu	a4,8(a0)
- #	  a     += 2;
-	addiu	a0,a0,8
- #	  w1    += cy;
-	mflo	t1
-	daddu	t1,t1,t2
- #	  cy     = CARRYOUT(w1);
-	dsrl32	t2,t1,0
- #	  w0     = (mp_word)b * a0;
-	dmultu	a2,a4	
- #	  c[1]   = ACCUM(w1);
-	sw	t1,4(a3)
- #	  c     += 2;
-	addiu	a3,a3,8
-	sltiu	t3,a1,2
-	beq	t3,zero,.N.4
- #	  a1     = a[1];
-	lwu	a5,4(a0)
- #      }
-.N.3:
- #      w0      += cy;
- #      if (a_len) {
-	mflo	t0
-	beq	a1,zero,.N.5
-	daddu	t0,t0,t2
- #	  w1     = (mp_word)b * a1; 
-	dmultu	a2,a5			#
- #	  cy     = CARRYOUT(w0);
-	dsrl32	t2,t0,0
- #	  c[0]   = ACCUM(w0);
-	sw	t0,0(a3)
- #	  w1    += cy;
-	mflo	t1
-	daddu	t1,t1,t2
- #	  c[1]   = ACCUM(w1);
-	sw	t1,4(a3)
- #	  cy     = CARRYOUT(w1);
-	dsrl32	t2,t1,0
- #	  c     += 1;
-	b	.N.6
-	addiu	a3,a3,4
- #      } else {
-.N.5:
- #	  c[0]   = ACCUM(w0);
-	sw	t0,0(a3)
- #	  cy     = CARRYOUT(w0);
-	b	.N.6
-	dsrl32	t2,t0,0
- #      }
- #    } else {
-.N.2:
-	mflo	t0
- #      c[0]   = ACCUM(w0);
-	sw	t0,0(a3)
- #      cy     = CARRYOUT(w0);
-	dsrl32	t2,t0,0
- #    }
-.N.6:
- #    c[1] = cy;
-	jr	ra
-	sw	t2,4(a3)
- #  }
-.N.1:
-	jr	ra
-	nop
- #}
- #
-        .end    s_mpv_mul_d
-
-
-        .ent    s_mpv_sqr_add_prop
-        .globl  s_mpv_sqr_add_prop
- #void   s_mpv_sqr_add_prop(const mp_digit *a, mp_size a_len, mp_digit *sqrs);
- #	registers
- #	a0		*a
- #	a1		a_len
- #	a2		*sqr
- #	a3		digit from *a, a_i
- #	a4		square of digit from a
- #	a5,a6		next 2 digits in sqr
- #	a7,t0		carry 
-s_mpv_sqr_add_prop:
-	move	a7,zero
-	move	t0,zero
-	lwu	a3,0(a0)
-	addiu	a1,a1,-1	# --a_len
-	dmultu	a3,a3
-	beq	a1,zero,.P.3	# jump if we've already done the only sqr
-	addiu	a0,a0,4		# ++a
-.P.2:
-        lwu	a5,0(a2)
-        lwu	a6,4(a2)
-	addiu	a2,a2,8		# sqrs += 2;
-	dsll32	a6,a6,0
-	daddu	a5,a5,a6
-	lwu	a3,0(a0)
-	addiu	a0,a0,4		# ++a
-	mflo	a4
-	daddu	a6,a5,a4
-	sltu	a7,a6,a5	# a7 = a6 < a5	detect overflow
-	dmultu	a3,a3
-	daddu	a4,a6,t0
-	sltu	t0,a4,a6
-	add	t0,t0,a7
-	sw	a4,-8(a2)
-	addiu	a1,a1,-1	# --a_len
-	dsrl32	a4,a4,0
-	bne	a1,zero,.P.2	# loop if a_len > 0
-	sw	a4,-4(a2)
-.P.3:
-        lwu	a5,0(a2)
-        lwu	a6,4(a2)
-	addiu	a2,a2,8		# sqrs += 2;
-	dsll32	a6,a6,0
-	daddu	a5,a5,a6
-	mflo	a4
-	daddu	a6,a5,a4
-	sltu	a7,a6,a5	# a7 = a6 < a5	detect overflow
-	daddu	a4,a6,t0
-	sltu	t0,a4,a6
-	add	t0,t0,a7
-	sw	a4,-8(a2)
-	beq	t0,zero,.P.9	# jump if no carry
-	dsrl32	a4,a4,0
-.P.8:
-	sw	a4,-4(a2)
-	/* propagate final carry */
-	lwu	a5,0(a2)
-	daddu	a6,a5,t0
-	sltu	t0,a6,a5
-	bne	t0,zero,.P.8	# loop if carry persists
-	addiu	a2,a2,4		# sqrs++
-.P.9:
-	jr	ra
-	sw	a4,-4(a2)
-
-        .end    s_mpv_sqr_add_prop
diff --git a/security/nss/lib/freebl/mpi/mpi_sparc.c b/security/nss/lib/freebl/mpi/mpi_sparc.c
deleted file mode 100644
index eb2317dd0..000000000
--- a/security/nss/lib/freebl/mpi/mpi_sparc.c
+++ /dev/null
@@ -1,361 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-/* Multiplication performance enhancements for sparc v8+vis CPUs. */
-
-#include "mpi-priv.h"
-#include <stddef.h>
-#include <sys/systeminfo.h>
-#include <strings.h>
-
-/* In the functions below, */
-/* vector y must be 8-byte aligned, and n must be even */
-/* returns carry out of high order word of result */
-/* maximum n is 256 */
-
-/* vector x += vector y * scaler a; where y is of length n words. */
-extern mp_digit mul_add_inp(mp_digit *x, const mp_digit *y, int n, mp_digit a);
-
-/* vector z = vector x + vector y * scaler a; where y is of length n words. */
-extern mp_digit mul_add(mp_digit *z, const mp_digit *x, const mp_digit *y, 
-			int n, mp_digit a);
-
-/* v8 versions of these functions run on any Sparc v8 CPU. */
-
-/* This trick works on Sparc V8 CPUs with the Workshop compilers. */
-#define MP_MUL_DxD(a, b, Phi, Plo) \
-  { unsigned long long product = (unsigned long long)a * b; \
-    Plo = (mp_digit)product; \
-    Phi = (mp_digit)(product >> MP_DIGIT_BIT); }
-
-/* c = a * b */
-static void 
-v8_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
-{
-#if !defined(MP_NO_MP_WORD)
-  mp_digit   d = 0;
-
-  /* Inner product:  Digits of a */
-  while (a_len--) {
-    mp_word w = ((mp_word)b * *a++) + d;
-    *c++ = ACCUM(w);
-    d = CARRYOUT(w);
-  }
-  *c = d;
-#else
-  mp_digit carry = 0;
-  while (a_len--) {
-    mp_digit a_i = *a++;
-    mp_digit a0b0, a1b1;
-
-    MP_MUL_DxD(a_i, b, a1b1, a0b0);
-
-    a0b0 += carry;
-    if (a0b0 < carry)
-      ++a1b1;
-    *c++ = a0b0;
-    carry = a1b1;
-  }
-  *c = carry;
-#endif
-}
-
-/* c += a * b */
-static void 
-v8_mpv_mul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
-{
-#if !defined(MP_NO_MP_WORD)
-  mp_digit   d = 0;
-
-  /* Inner product:  Digits of a */
-  while (a_len--) {
-    mp_word w = ((mp_word)b * *a++) + *c + d;
-    *c++ = ACCUM(w);
-    d = CARRYOUT(w);
-  }
-  *c = d;
-#else
-  mp_digit carry = 0;
-  while (a_len--) {
-    mp_digit a_i = *a++;
-    mp_digit a0b0, a1b1;
-
-    MP_MUL_DxD(a_i, b, a1b1, a0b0);
-
-    a0b0 += carry;
-    if (a0b0 < carry)
-      ++a1b1;
-    a0b0 += a_i = *c;
-    if (a0b0 < a_i)
-      ++a1b1;
-    *c++ = a0b0;
-    carry = a1b1;
-  }
-  *c = carry;
-#endif
-}
-
-/* Presently, this is only used by the Montgomery arithmetic code. */
-/* c += a * b */
-static void 
-v8_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
-{
-#if !defined(MP_NO_MP_WORD)
-  mp_digit   d = 0;
-
-  /* Inner product:  Digits of a */
-  while (a_len--) {
-    mp_word w = ((mp_word)b * *a++) + *c + d;
-    *c++ = ACCUM(w);
-    d = CARRYOUT(w);
-  }
-
-  while (d) {
-    mp_word w = (mp_word)*c + d;
-    *c++ = ACCUM(w);
-    d = CARRYOUT(w);
-  }
-#else
-  mp_digit carry = 0;
-  while (a_len--) {
-    mp_digit a_i = *a++;
-    mp_digit a0b0, a1b1;
-
-    MP_MUL_DxD(a_i, b, a1b1, a0b0);
-
-    a0b0 += carry;
-    if (a0b0 < carry)
-      ++a1b1;
-
-    a0b0 += a_i = *c;
-    if (a0b0 < a_i)
-      ++a1b1;
-
-    *c++ = a0b0;
-    carry = a1b1;
-  }
-  while (carry) {
-    mp_digit c_i = *c;
-    carry += c_i;
-    *c++ = carry;
-    carry = carry < c_i;
-  }
-#endif
-}
-
-/* vis versions of these functions run only on v8+vis or v9+vis CPUs. */
-
-/* c = a * b */
-static void 
-vis_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
-{
-    mp_digit d;
-    mp_digit x[258];
-    if (a_len <= 256) {
-	if (a == c || ((ptrdiff_t)a & 0x7) != 0 || (a_len & 1) != 0) {
-	    mp_digit * px;
-	    px = (((ptrdiff_t)x & 0x7) != 0) ? x + 1 : x;
-	    memcpy(px, a, a_len * sizeof(*a));
-	    a = px;
-	    if (a_len & 1) {
-		px[a_len] = 0;
-	    }
-	}
-	s_mp_setz(c, a_len + 1);
-	d = mul_add_inp(c, a, a_len, b);
-	c[a_len] = d;
-    } else {
-	v8_mpv_mul_d(a, a_len, b, c);
-    }
-}
-
-/* c += a * b, where a is a_len words long. */
-static void     
-vis_mpv_mul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
-{
-    mp_digit d;
-    mp_digit x[258];
-    if (a_len <= 256) {
-	if (((ptrdiff_t)a & 0x7) != 0 || (a_len & 1) != 0) {
-	    mp_digit * px;
-	    px = (((ptrdiff_t)x & 0x7) != 0) ? x + 1 : x;
-	    memcpy(px, a, a_len * sizeof(*a));
-	    a = px;
-	    if (a_len & 1) {
-		px[a_len] = 0;
-	    }
-	}
-	d = mul_add_inp(c, a, a_len, b);
-	c[a_len] = d;
-    } else {
-	v8_mpv_mul_d_add(a, a_len, b, c);
-    }
-}
-
-/* c += a * b, where a is y words long. */
-static void     
-vis_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len, mp_digit b, 
-			 mp_digit *c)
-{
-    mp_digit d;
-    mp_digit x[258];
-    if (a_len <= 256) {
-	if (((ptrdiff_t)a & 0x7) != 0 || (a_len & 1) != 0) {
-	    mp_digit * px;
-	    px = (((ptrdiff_t)x & 0x7) != 0) ? x + 1 : x;
-	    memcpy(px, a, a_len * sizeof(*a));
-	    a = px;
-	    if (a_len & 1) {
-		px[a_len] = 0;
-	    }
-	}
-	d = mul_add_inp(c, a, a_len, b);
-	if (d) {
-	    c += a_len;
-	    do {
-		mp_digit sum = d + *c;
-		*c++ = sum;
-		d = sum < d;
-	    } while (d);
-	}
-    } else {
-	v8_mpv_mul_d_add_prop(a, a_len, b, c);
-    }
-}
-
-#if defined(SOLARIS2_5)
-static int
-isSparcV8PlusVis(void)
-{
-    long buflen;
-    int  rv             = 0;    /* false */
-    char buf[256];
-    buflen = sysinfo(SI_MACHINE, buf, sizeof buf);
-    if (buflen > 0) {
-        rv = (!strcmp(buf, "sun4u") || !strcmp(buf, "sun4u1"));
-    }
-    return rv;
-}
-#else   /* SunOS2.6or higher has SI_ISALIST */
-
-static int
-isSparcV8PlusVis(void)
-{
-    long buflen;
-    int  rv             = 0;    /* false */
-    char buf[256];
-    buflen = sysinfo(SI_ISALIST, buf, sizeof buf);
-    if (buflen > 0) {
-#if defined(MP_USE_LONG_DIGIT)
-        char * found = strstr(buf, "sparcv9+vis");
-#else
-        char * found = strstr(buf, "sparcv8plus+vis");
-#endif
-        rv = (found != 0);
-    }
-    return rv;
-}
-#endif
-
-typedef void MPVmpy(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c);
-
-/* forward static function declarations */
-static MPVmpy sp_mpv_mul_d;
-static MPVmpy sp_mpv_mul_d_add;
-static MPVmpy sp_mpv_mul_d_add_prop;
-
-static MPVmpy *p_mpv_mul_d		= &sp_mpv_mul_d;
-static MPVmpy *p_mpv_mul_d_add		= &sp_mpv_mul_d_add;
-static MPVmpy *p_mpv_mul_d_add_prop	= &sp_mpv_mul_d_add_prop;
-
-static void
-initPtrs(void)
-{
-    if (isSparcV8PlusVis()) {
-	p_mpv_mul_d = 		&vis_mpv_mul_d;
-	p_mpv_mul_d_add = 	&vis_mpv_mul_d_add;
-	p_mpv_mul_d_add_prop = 	&vis_mpv_mul_d_add_prop;
-    } else {
-	p_mpv_mul_d = 		&v8_mpv_mul_d;
-	p_mpv_mul_d_add = 	&v8_mpv_mul_d_add;
-	p_mpv_mul_d_add_prop = 	&v8_mpv_mul_d_add_prop;
-    }
-}
-
-static void 
-sp_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
-{
-    initPtrs();
-    (* p_mpv_mul_d)(a, a_len, b, c);
-}
-
-static void 
-sp_mpv_mul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
-{
-    initPtrs();
-    (* p_mpv_mul_d_add)(a, a_len, b, c);
-}
-
-static void 
-sp_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
-{
-    initPtrs();
-    (* p_mpv_mul_d_add_prop)(a, a_len, b, c);
-}
-
-
-/* This is the external interface */
-
-void 
-s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
-{
-    (* p_mpv_mul_d)(a, a_len, b, c);
-}
-
-void 
-s_mpv_mul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
-{
-    (* p_mpv_mul_d_add)(a, a_len, b, c);
-}
-
-void 
-s_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
-{
-    (* p_mpv_mul_d_add_prop)(a, a_len, b, c);
-}
-
-
diff --git a/security/nss/lib/freebl/mpi/mpi_x86.asm b/security/nss/lib/freebl/mpi/mpi_x86.asm
deleted file mode 100644
index 826747c39..000000000
--- a/security/nss/lib/freebl/mpi/mpi_x86.asm
+++ /dev/null
@@ -1,356 +0,0 @@
-;
-;  mpi_x86.asm - assembly language implementation of s_mpv_ functions.
-; 
-; ***** BEGIN LICENSE BLOCK *****
-; Version: MPL 1.1/GPL 2.0/LGPL 2.1
-;
-; The contents of this file are subject to the Mozilla Public License Version
-; 1.1 (the "License"); you may not use this file except in compliance with
-; the License. You may obtain a copy of the License at
-; http://www.mozilla.org/MPL/
-;
-; Software distributed under the License is distributed on an "AS IS" basis,
-; WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-; for the specific language governing rights and limitations under the
-; License.
-;
-; The Original Code is the Netscape security libraries.
-;
-; The Initial Developer of the Original Code is
-; Netscape Communications Corporation.
-; Portions created by the Initial Developer are Copyright (C) 2000
-; the Initial Developer. All Rights Reserved.
-;
-; Contributor(s):
-;
-; Alternatively, the contents of this file may be used under the terms of
-; either the GNU General Public License Version 2 or later (the "GPL"), or
-; the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-; in which case the provisions of the GPL or the LGPL are applicable instead
-; of those above. If you wish to allow use of your version of this file only
-; under the terms of either the GPL or the LGPL, and not to allow others to
-; use your version of this file under the terms of the MPL, indicate your
-; decision by deleting the provisions above and replace them with the notice
-; and other provisions required by the GPL or the LGPL. If you do not delete
-; the provisions above, a recipient may use your version of this file under
-; the terms of any one of the MPL, the GPL or the LGPL.
-;
-; ***** END LICENSE BLOCK *****
-
-;   $Id$
-
-	.386p
-	.MODEL	FLAT
-	ASSUME  CS: FLAT, DS: FLAT, SS: FLAT
-_TEXT   SEGMENT
-
-;   ebp - 36:	caller's esi
-;   ebp - 32:	caller's edi
-;   ebp - 28:	
-;   ebp - 24:	
-;   ebp - 20:	
-;   ebp - 16:	
-;   ebp - 12:	
-;   ebp - 8:	
-;   ebp - 4:	
-;   ebp + 0:	caller's ebp
-;   ebp + 4:	return address
-;   ebp + 8:	a	argument
-;   ebp + 12:	a_len	argument
-;   ebp + 16:	b	argument
-;   ebp + 20:	c	argument
-;   registers:
-;  	eax:
-; 	ebx:	carry
-; 	ecx:	a_len
-; 	edx:
-; 	esi:	a ptr
-; 	edi:	c ptr
-
-public	_s_mpv_mul_d
-_s_mpv_mul_d PROC NEAR
-    push   ebp
-    mov    ebp,esp
-    sub    esp,28
-    push   edi
-    push   esi
-    push   ebx
-    mov    ebx,0		; carry = 0
-    mov    ecx,[ebp+12]		; ecx = a_len
-    mov    edi,[ebp+20]
-    cmp    ecx,0
-    je     L_2			; jmp if a_len == 0
-    mov    esi,[ebp+8]		; esi = a
-    cld
-L_1:
-    lodsd			; eax = [ds:esi]; esi += 4
-    mov    edx,[ebp+16]		; edx = b
-    mul    edx			; edx:eax = Phi:Plo = a_i * b
-
-    add    eax,ebx		; add carry (ebx) to edx:eax
-    adc    edx,0
-    mov    ebx,edx		; high half of product becomes next carry
-
-    stosd			; [es:edi] = ax; edi += 4;
-    dec    ecx			; --a_len
-    jnz    L_1			; jmp if a_len != 0
-L_2:
-    mov    [edi],ebx		; *c = carry
-    pop    ebx
-    pop    esi
-    pop    edi
-    leave  
-    ret    
-    nop
-_s_mpv_mul_d ENDP
-
-;   ebp - 36:	caller's esi
-;   ebp - 32:	caller's edi
-;   ebp - 28:	
-;   ebp - 24:	
-;   ebp - 20:	
-;   ebp - 16:	
-;   ebp - 12:	
-;   ebp - 8:	
-;   ebp - 4:	
-;   ebp + 0:	caller's ebp
-;   ebp + 4:	return address
-;   ebp + 8:	a	argument
-;   ebp + 12:	a_len	argument
-;   ebp + 16:	b	argument
-;   ebp + 20:	c	argument
-;   registers:
-;  	eax:
-; 	ebx:	carry
-; 	ecx:	a_len
-; 	edx:
-; 	esi:	a ptr
-; 	edi:	c ptr
-public	_s_mpv_mul_d_add
-_s_mpv_mul_d_add PROC NEAR
-    push   ebp
-    mov    ebp,esp
-    sub    esp,28
-    push   edi
-    push   esi
-    push   ebx
-    mov    ebx,0		; carry = 0
-    mov    ecx,[ebp+12]		; ecx = a_len
-    mov    edi,[ebp+20]
-    cmp    ecx,0
-    je     L_4			; jmp if a_len == 0
-    mov    esi,[ebp+8]		; esi = a
-    cld
-L_3:
-    lodsd			; eax = [ds:esi]; esi += 4
-    mov    edx,[ebp+16]		; edx = b
-    mul    edx			; edx:eax = Phi:Plo = a_i * b
-
-    add    eax,ebx		; add carry (ebx) to edx:eax
-    adc    edx,0
-    mov    ebx,[edi]		; add in current word from *c
-    add    eax,ebx		
-    adc    edx,0
-    mov    ebx,edx		; high half of product becomes next carry
-
-    stosd			; [es:edi] = ax; edi += 4;
-    dec    ecx			; --a_len
-    jnz    L_3			; jmp if a_len != 0
-L_4:
-    mov    [edi],ebx		; *c = carry
-    pop    ebx
-    pop    esi
-    pop    edi
-    leave  
-    ret    
-    nop
-_s_mpv_mul_d_add ENDP
-
-;   ebp - 36:	caller's esi
-;   ebp - 32:	caller's edi
-;   ebp - 28:	
-;   ebp - 24:	
-;   ebp - 20:	
-;   ebp - 16:	
-;   ebp - 12:	
-;   ebp - 8:	
-;   ebp - 4:	
-;   ebp + 0:	caller's ebp
-;   ebp + 4:	return address
-;   ebp + 8:	a	argument
-;   ebp + 12:	a_len	argument
-;   ebp + 16:	b	argument
-;   ebp + 20:	c	argument
-;   registers:
-;  	eax:
-; 	ebx:	carry
-; 	ecx:	a_len
-; 	edx:
-; 	esi:	a ptr
-; 	edi:	c ptr
-public	_s_mpv_mul_d_add_prop
-_s_mpv_mul_d_add_prop PROC NEAR
-    push   ebp
-    mov    ebp,esp
-    sub    esp,28
-    push   edi
-    push   esi
-    push   ebx
-    mov    ebx,0		; carry = 0
-    mov    ecx,[ebp+12]		; ecx = a_len
-    mov    edi,[ebp+20]
-    cmp    ecx,0
-    je     L_6			; jmp if a_len == 0
-    cld
-    mov    esi,[ebp+8]		; esi = a
-L_5:
-    lodsd			; eax = [ds:esi]; esi += 4
-    mov    edx,[ebp+16]		; edx = b
-    mul    edx			; edx:eax = Phi:Plo = a_i * b
-
-    add    eax,ebx		; add carry (ebx) to edx:eax
-    adc    edx,0
-    mov    ebx,[edi]		; add in current word from *c
-    add    eax,ebx		
-    adc    edx,0
-    mov    ebx,edx		; high half of product becomes next carry
-
-    stosd			; [es:edi] = ax; edi += 4;
-    dec    ecx			; --a_len
-    jnz    L_5			; jmp if a_len != 0
-L_6:
-    cmp    ebx,0		; is carry zero?
-    jz     L_8
-    mov    eax,[edi]		; add in current word from *c
-    add    eax,ebx
-    stosd			; [es:edi] = ax; edi += 4;
-    jnc    L_8
-L_7:
-    mov    eax,[edi]		; add in current word from *c
-    adc    eax,0
-    stosd			; [es:edi] = ax; edi += 4;
-    jc     L_7
-L_8:
-    pop    ebx
-    pop    esi
-    pop    edi
-    leave  
-    ret    
-    nop
-_s_mpv_mul_d_add_prop ENDP
-
-;   ebp - 20:	caller's esi
-;   ebp - 16:	caller's edi
-;   ebp - 12:	
-;   ebp - 8:	carry
-;   ebp - 4:	a_len	local
-;   ebp + 0:	caller's ebp
-;   ebp + 4:	return address
-;   ebp + 8:	pa	argument
-;   ebp + 12:	a_len	argument
-;   ebp + 16:	ps	argument
-;   ebp + 20:	
-;   registers:
-;  	eax:
-; 	ebx:	carry
-; 	ecx:	a_len
-; 	edx:
-; 	esi:	a ptr
-; 	edi:	c ptr
-
-public	_s_mpv_sqr_add_prop
-_s_mpv_sqr_add_prop PROC NEAR
-     push   ebp
-     mov    ebp,esp
-     sub    esp,12
-     push   edi
-     push   esi
-     push   ebx
-     mov    ebx,0		; carry = 0
-     mov    ecx,[ebp+12]	; a_len
-     mov    edi,[ebp+16]	; edi = ps
-     cmp    ecx,0
-     je     L_11		; jump if a_len == 0
-     cld
-     mov    esi,[ebp+8]		; esi = pa
-L_10:
-     lodsd			; eax = [ds:si]; si += 4;
-     mul    eax
-
-     add    eax,ebx		; add "carry"
-     adc    edx,0
-     mov    ebx,[edi]
-     add    eax,ebx		; add low word from result
-     mov    ebx,[edi+4]
-     stosd			; [es:di] = eax; di += 4;
-     adc    edx,ebx		; add high word from result
-     mov    ebx,0
-     mov    eax,edx
-     adc    ebx,0
-     stosd			; [es:di] = eax; di += 4;
-     dec    ecx			; --a_len
-     jnz    L_10		; jmp if a_len != 0
-L_11:
-    cmp    ebx,0		; is carry zero?
-    jz     L_14
-    mov    eax,[edi]		; add in current word from *c
-    add    eax,ebx
-    stosd			; [es:edi] = ax; edi += 4;
-    jnc    L_14
-L_12:
-    mov    eax,[edi]		; add in current word from *c
-    adc    eax,0
-    stosd			; [es:edi] = ax; edi += 4;
-    jc     L_12
-L_14:
-    pop    ebx
-    pop    esi
-    pop    edi
-    leave  
-    ret    
-    nop
-_s_mpv_sqr_add_prop ENDP
-
-; 
-;  Divide 64-bit (Nhi,Nlo) by 32-bit divisor, which must be normalized
-;  so its high bit is 1.   This code is from NSPR.
-; 
-;  mp_err s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo, mp_digit divisor,
-;  		          mp_digit *qp, mp_digit *rp)
-
-;  Dump of assembler code for function s_mpv_div_2dx1d:
-;  
-;   esp +  0:   Caller's ebx
-;   esp +  4:	return address
-;   esp +  8:	Nhi	argument
-;   esp + 12:	Nlo	argument
-;   esp + 16:	divisor	argument
-;   esp + 20:	qp	argument
-;   esp + 24:   rp	argument
-;   registers:
-;  	eax:
-; 	ebx:	carry
-; 	ecx:	a_len
-; 	edx:
-; 	esi:	a ptr
-; 	edi:	c ptr
-;  
-public	_s_mpv_div_2dx1d
-_s_mpv_div_2dx1d PROC NEAR
-       push   ebx
-       mov    edx,[esp+8]
-       mov    eax,[esp+12]
-       mov    ebx,[esp+16]
-       div    ebx
-       mov    ebx,[esp+20]
-       mov    [ebx],eax
-       mov    ebx,[esp+24]
-       mov    [ebx],edx
-       xor    eax,eax		; return zero
-       pop    ebx
-       ret    
-       nop
-_s_mpv_div_2dx1d ENDP
-
-_TEXT	ENDS
-END
diff --git a/security/nss/lib/freebl/mpi/mpi_x86.s b/security/nss/lib/freebl/mpi/mpi_x86.s
deleted file mode 100644
index 07d7a6159..000000000
--- a/security/nss/lib/freebl/mpi/mpi_x86.s
+++ /dev/null
@@ -1,345 +0,0 @@
- #
- # The contents of this file are subject to the Mozilla Public
- # License Version 1.1 (the "License"); you may not use this file
- # except in compliance with the License. You may obtain a copy of
- # the License at http://www.mozilla.org/MPL/
- # 
- # Software distributed under the License is distributed on an "AS
- # IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- # implied. See the License for the specific language governing
- # rights and limitations under the License.
- # 
- # The Original Code is the Netscape security libraries.
- # 
- # The Initial Developer of the Original Code is Netscape
- # Communications Corporation.	Portions created by Netscape are 
- # Copyright (C) 2000 Netscape Communications Corporation.  All
- # Rights Reserved.
- # 
- # Contributor(s):
- # 
- # Alternatively, the contents of this file may be used under the
- # terms of the GNU General Public License Version 2 or later (the
- # "GPL"), in which case the provisions of the GPL are applicable 
- # instead of those above.	If you wish to allow use of your 
- # version of this file only under the terms of the GPL and not to
- # allow others to use your version of this file under the MPL,
- # indicate your decision by deleting the provisions above and
- # replace them with the notice and other provisions required by
- # the GPL.  If you do not delete the provisions above, a recipient
- # may use your version of this file under either the MPL or the
- # GPL.
- #  $Id$
- #
-
-.text
-
- #  ebp - 36:	caller's esi
- #  ebp - 32:	caller's edi
- #  ebp - 28:	
- #  ebp - 24:	
- #  ebp - 20:	
- #  ebp - 16:	
- #  ebp - 12:	
- #  ebp - 8:	
- #  ebp - 4:	
- #  ebp + 0:	caller's ebp
- #  ebp + 4:	return address
- #  ebp + 8:	a	argument
- #  ebp + 12:	a_len	argument
- #  ebp + 16:	b	argument
- #  ebp + 20:	c	argument
- #  registers:
- # 	eax:
- #	ebx:	carry
- #	ecx:	a_len
- #	edx:
- #	esi:	a ptr
- #	edi:	c ptr
-.globl	s_mpv_mul_d
-.type	s_mpv_mul_d,@function
-s_mpv_mul_d:
-    push   %ebp
-    mov    %esp,%ebp
-    sub    $28,%esp
-    push   %edi
-    push   %esi
-    push   %ebx
-    movl   $0,%ebx		# carry = 0
-    mov    12(%ebp),%ecx	# ecx = a_len
-    mov    20(%ebp),%edi
-    cmp    $0,%ecx
-    je     2f			# jmp if a_len == 0
-    mov    8(%ebp),%esi		# esi = a
-    cld
-1:
-    lodsl			# eax = [ds:esi]; esi += 4
-    mov    16(%ebp),%edx	# edx = b
-    mull   %edx			# edx:eax = Phi:Plo = a_i * b
-
-    add    %ebx,%eax		# add carry (%ebx) to edx:eax
-    adc    $0,%edx
-    mov    %edx,%ebx		# high half of product becomes next carry
-
-    stosl			# [es:edi] = ax; edi += 4;
-    dec    %ecx			# --a_len
-    jnz    1b			# jmp if a_len != 0
-2:
-    mov    %ebx,0(%edi)		# *c = carry
-    pop    %ebx
-    pop    %esi
-    pop    %edi
-    leave  
-    ret    
-    nop
-
- #  ebp - 36:	caller's esi
- #  ebp - 32:	caller's edi
- #  ebp - 28:	
- #  ebp - 24:	
- #  ebp - 20:	
- #  ebp - 16:	
- #  ebp - 12:	
- #  ebp - 8:	
- #  ebp - 4:	
- #  ebp + 0:	caller's ebp
- #  ebp + 4:	return address
- #  ebp + 8:	a	argument
- #  ebp + 12:	a_len	argument
- #  ebp + 16:	b	argument
- #  ebp + 20:	c	argument
- #  registers:
- # 	eax:
- #	ebx:	carry
- #	ecx:	a_len
- #	edx:
- #	esi:	a ptr
- #	edi:	c ptr
-.globl	s_mpv_mul_d_add
-.type	s_mpv_mul_d_add,@function
-s_mpv_mul_d_add:
-    push   %ebp
-    mov    %esp,%ebp
-    sub    $28,%esp
-    push   %edi
-    push   %esi
-    push   %ebx
-    movl   $0,%ebx		# carry = 0
-    mov    12(%ebp),%ecx	# ecx = a_len
-    mov    20(%ebp),%edi
-    cmp    $0,%ecx
-    je     4f			# jmp if a_len == 0
-    mov    8(%ebp),%esi		# esi = a
-    cld
-3:
-    lodsl			# eax = [ds:esi]; esi += 4
-    mov    16(%ebp),%edx	# edx = b
-    mull   %edx			# edx:eax = Phi:Plo = a_i * b
-
-    add    %ebx,%eax		# add carry (%ebx) to edx:eax
-    adc    $0,%edx
-    mov    0(%edi),%ebx		# add in current word from *c
-    add    %ebx,%eax		
-    adc    $0,%edx
-    mov    %edx,%ebx		# high half of product becomes next carry
-
-    stosl			# [es:edi] = ax; edi += 4;
-    dec    %ecx			# --a_len
-    jnz    3b			# jmp if a_len != 0
-4:
-    mov    %ebx,0(%edi)		# *c = carry
-    pop    %ebx
-    pop    %esi
-    pop    %edi
-    leave  
-    ret    
-    nop
-
- #  ebp - 36:	caller's esi
- #  ebp - 32:	caller's edi
- #  ebp - 28:	
- #  ebp - 24:	
- #  ebp - 20:	
- #  ebp - 16:	
- #  ebp - 12:	
- #  ebp - 8:	
- #  ebp - 4:	
- #  ebp + 0:	caller's ebp
- #  ebp + 4:	return address
- #  ebp + 8:	a	argument
- #  ebp + 12:	a_len	argument
- #  ebp + 16:	b	argument
- #  ebp + 20:	c	argument
- #  registers:
- # 	eax:
- #	ebx:	carry
- #	ecx:	a_len
- #	edx:
- #	esi:	a ptr
- #	edi:	c ptr
-.globl	s_mpv_mul_d_add_prop
-.type	s_mpv_mul_d_add_prop,@function
-s_mpv_mul_d_add_prop:
-    push   %ebp
-    mov    %esp,%ebp
-    sub    $28,%esp
-    push   %edi
-    push   %esi
-    push   %ebx
-    movl   $0,%ebx		# carry = 0
-    mov    12(%ebp),%ecx	# ecx = a_len
-    mov    20(%ebp),%edi
-    cmp    $0,%ecx
-    je     6f			# jmp if a_len == 0
-    cld
-    mov    8(%ebp),%esi		# esi = a
-5:
-    lodsl			# eax = [ds:esi]; esi += 4
-    mov    16(%ebp),%edx	# edx = b
-    mull   %edx			# edx:eax = Phi:Plo = a_i * b
-
-    add    %ebx,%eax		# add carry (%ebx) to edx:eax
-    adc    $0,%edx
-    mov    0(%edi),%ebx		# add in current word from *c
-    add    %ebx,%eax		
-    adc    $0,%edx
-    mov    %edx,%ebx		# high half of product becomes next carry
-
-    stosl			# [es:edi] = ax; edi += 4;
-    dec    %ecx			# --a_len
-    jnz    5b			# jmp if a_len != 0
-6:
-    cmp    $0,%ebx		# is carry zero?
-    jz     8f
-    mov    0(%edi),%eax		# add in current word from *c
-    add	   %ebx,%eax
-    stosl			# [es:edi] = ax; edi += 4;
-    jnc    8f
-7:
-    mov    0(%edi),%eax		# add in current word from *c
-    adc	   $0,%eax
-    stosl			# [es:edi] = ax; edi += 4;
-    jc     7b
-8:
-    pop    %ebx
-    pop    %esi
-    pop    %edi
-    leave  
-    ret    
-    nop
-
- #  ebp - 20:	caller's esi
- #  ebp - 16:	caller's edi
- #  ebp - 12:	
- #  ebp - 8:	carry
- #  ebp - 4:	a_len	local
- #  ebp + 0:	caller's ebp
- #  ebp + 4:	return address
- #  ebp + 8:	pa	argument
- #  ebp + 12:	a_len	argument
- #  ebp + 16:	ps	argument
- #  ebp + 20:	
- #  registers:
- # 	eax:
- #	ebx:	carry
- #	ecx:	a_len
- #	edx:
- #	esi:	a ptr
- #	edi:	c ptr
-
-.globl	s_mpv_sqr_add_prop
-.type	s_mpv_sqr_add_prop,@function
-s_mpv_sqr_add_prop:
-     push   %ebp
-     mov    %esp,%ebp
-     sub    $12,%esp
-     push   %edi
-     push   %esi
-     push   %ebx
-     movl   $0,%ebx		# carry = 0
-     mov    12(%ebp),%ecx	# a_len
-     mov    16(%ebp),%edi	# edi = ps
-     cmp    $0,%ecx
-     je     11f			# jump if a_len == 0
-     cld
-     mov    8(%ebp),%esi	# esi = pa
-10:
-     lodsl			# %eax = [ds:si]; si += 4;
-     mull   %eax
-
-     add    %ebx,%eax		# add "carry"
-     adc    $0,%edx
-     mov    0(%edi),%ebx
-     add    %ebx,%eax		# add low word from result
-     mov    4(%edi),%ebx
-     stosl			# [es:di] = %eax; di += 4;
-     adc    %ebx,%edx		# add high word from result
-     movl   $0,%ebx
-     mov    %edx,%eax
-     adc    $0,%ebx
-     stosl			# [es:di] = %eax; di += 4;
-     dec    %ecx		# --a_len
-     jnz    10b			# jmp if a_len != 0
-11:
-    cmp    $0,%ebx		# is carry zero?
-    jz     14f
-    mov    0(%edi),%eax		# add in current word from *c
-    add	   %ebx,%eax
-    stosl			# [es:edi] = ax; edi += 4;
-    jnc    14f
-12:
-    mov    0(%edi),%eax		# add in current word from *c
-    adc	   $0,%eax
-    stosl			# [es:edi] = ax; edi += 4;
-    jc     12b
-14:
-    pop    %ebx
-    pop    %esi
-    pop    %edi
-    leave  
-    ret    
-    nop
-
- #
- # Divide 64-bit (Nhi,Nlo) by 32-bit divisor, which must be normalized
- # so its high bit is 1.   This code is from NSPR.
- #
- # mp_err s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo, mp_digit divisor,
- # 		          mp_digit *qp, mp_digit *rp)
-
- #  esp +  0:   Caller's ebx
- #  esp +  4:	return address
- #  esp +  8:	Nhi	argument
- #  esp + 12:	Nlo	argument
- #  esp + 16:	divisor	argument
- #  esp + 20:	qp	argument
- #  esp + 24:   rp	argument
- #  registers:
- # 	eax:
- #	ebx:	carry
- #	ecx:	a_len
- #	edx:
- #	esi:	a ptr
- #	edi:	c ptr
- # 
-
-.globl	s_mpv_div_2dx1d
-.type	s_mpv_div_2dx1d,@function
-s_mpv_div_2dx1d:
-       push   %ebx
-       mov    8(%esp),%edx
-       mov    12(%esp),%eax
-       mov    16(%esp),%ebx
-       div    %ebx
-       mov    20(%esp),%ebx
-       mov    %eax,0(%ebx)
-       mov    24(%esp),%ebx
-       mov    %edx,0(%ebx)
-       xor    %eax,%eax		# return zero
-       pop    %ebx
-       ret    
-       nop
-  
- # Magic indicating no need for an executable stack
-.section .note.GNU-stack, "", @progbits
-.previous
diff --git a/security/nss/lib/freebl/mpi/mplogic.c b/security/nss/lib/freebl/mpi/mplogic.c
deleted file mode 100644
index 3d9973714..000000000
--- a/security/nss/lib/freebl/mpi/mplogic.c
+++ /dev/null
@@ -1,465 +0,0 @@
-/*
- *  mplogic.c
- *
- *  Bitwise logical operations on MPI values
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "mpi-priv.h"
-#include "mplogic.h"
-
-/* {{{ Lookup table for population count */
-
-static unsigned char bitc[] = {
-   0, 1, 1, 2, 1, 2, 2, 3, 1, 2, 2, 3, 2, 3, 3, 4, 
-   1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5, 
-   1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5, 
-   2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 
-   1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5, 
-   2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 
-   2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 
-   3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, 
-   1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5, 
-   2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 
-   2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 
-   3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, 
-   2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 
-   3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, 
-   3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, 
-   4, 5, 5, 6, 5, 6, 6, 7, 5, 6, 6, 7, 6, 7, 7, 8
-};
-
-/* }}} */
-
-/*------------------------------------------------------------------------*/
-/*
-  mpl_not(a, b)    - compute b = ~a
-  mpl_and(a, b, c) - compute c = a & b
-  mpl_or(a, b, c)  - compute c = a | b
-  mpl_xor(a, b, c) - compute c = a ^ b
- */
-
-/* {{{ mpl_not(a, b) */
-
-mp_err mpl_not(mp_int *a, mp_int *b)
-{
-  mp_err   res;
-  unsigned int      ix;
-
-  ARGCHK(a != NULL && b != NULL, MP_BADARG);
-
-  if((res = mp_copy(a, b)) != MP_OKAY)
-    return res;
-
-  /* This relies on the fact that the digit type is unsigned */
-  for(ix = 0; ix < USED(b); ix++) 
-    DIGIT(b, ix) = ~DIGIT(b, ix);
-
-  s_mp_clamp(b);
-
-  return MP_OKAY;
-
-} /* end mpl_not() */
-
-/* }}} */
-
-/* {{{ mpl_and(a, b, c) */
-
-mp_err mpl_and(mp_int *a, mp_int *b, mp_int *c)
-{
-  mp_int  *which, *other;
-  mp_err   res;
-  unsigned int      ix;
-
-  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
-
-  if(USED(a) <= USED(b)) {
-    which = a;
-    other = b;
-  } else {
-    which = b;
-    other = a;
-  }
-
-  if((res = mp_copy(which, c)) != MP_OKAY)
-    return res;
-
-  for(ix = 0; ix < USED(which); ix++)
-    DIGIT(c, ix) &= DIGIT(other, ix);
-
-  s_mp_clamp(c);
-
-  return MP_OKAY;
-
-} /* end mpl_and() */
-
-/* }}} */
-
-/* {{{ mpl_or(a, b, c) */
-
-mp_err mpl_or(mp_int *a, mp_int *b, mp_int *c)
-{
-  mp_int  *which, *other;
-  mp_err   res;
-  unsigned int      ix;
-
-  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
-
-  if(USED(a) >= USED(b)) {
-    which = a;
-    other = b;
-  } else {
-    which = b;
-    other = a;
-  }
-
-  if((res = mp_copy(which, c)) != MP_OKAY)
-    return res;
-
-  for(ix = 0; ix < USED(which); ix++)
-    DIGIT(c, ix) |= DIGIT(other, ix);
-
-  return MP_OKAY;
-
-} /* end mpl_or() */
-
-/* }}} */
-
-/* {{{ mpl_xor(a, b, c) */
-
-mp_err mpl_xor(mp_int *a, mp_int *b, mp_int *c)
-{
-  mp_int  *which, *other;
-  mp_err   res;
-  unsigned int      ix;
-
-  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
-
-  if(USED(a) >= USED(b)) {
-    which = a;
-    other = b;
-  } else {
-    which = b;
-    other = a;
-  }
-
-  if((res = mp_copy(which, c)) != MP_OKAY)
-    return res;
-
-  for(ix = 0; ix < USED(which); ix++)
-    DIGIT(c, ix) ^= DIGIT(other, ix);
-
-  s_mp_clamp(c);
-
-  return MP_OKAY;
-
-} /* end mpl_xor() */
-
-/* }}} */
-
-/*------------------------------------------------------------------------*/
-/*
-  mpl_rsh(a, b, d)     - b = a >> d
-  mpl_lsh(a, b, d)     - b = a << d
- */
-
-/* {{{ mpl_rsh(a, b, d) */
-
-mp_err mpl_rsh(const mp_int *a, mp_int *b, mp_digit d)
-{
-  mp_err   res;
-
-  ARGCHK(a != NULL && b != NULL, MP_BADARG);
-
-  if((res = mp_copy(a, b)) != MP_OKAY)
-    return res;
-
-  s_mp_div_2d(b, d);
-
-  return MP_OKAY;
-
-} /* end mpl_rsh() */
-
-/* }}} */
-
-/* {{{ mpl_lsh(a, b, d) */
-
-mp_err mpl_lsh(const mp_int *a, mp_int *b, mp_digit d)
-{
-  mp_err   res;
-
-  ARGCHK(a != NULL && b != NULL, MP_BADARG);
-
-  if((res = mp_copy(a, b)) != MP_OKAY)
-    return res;
-
-  return s_mp_mul_2d(b, d);
-
-} /* end mpl_lsh() */
-
-/* }}} */
-
-/*------------------------------------------------------------------------*/
-/*
-  mpl_num_set(a, num)
-
-  Count the number of set bits in the binary representation of a.
-  Returns MP_OKAY and sets 'num' to be the number of such bits, if
-  possible.  If num is NULL, the result is thrown away, but it is
-  not considered an error.
-
-  mpl_num_clear() does basically the same thing for clear bits.
- */
-
-/* {{{ mpl_num_set(a, num) */
-
-mp_err mpl_num_set(mp_int *a, int *num)
-{
-  unsigned int   ix;
-  int            db, nset = 0;
-  mp_digit       cur;
-  unsigned char  reg;
-
-  ARGCHK(a != NULL, MP_BADARG);
-
-  for(ix = 0; ix < USED(a); ix++) {
-    cur = DIGIT(a, ix);
-    
-    for(db = 0; db < sizeof(mp_digit); db++) {
-      reg = (unsigned char)(cur >> (CHAR_BIT * db));
-
-      nset += bitc[reg];
-    }
-  }
-
-  if(num)
-    *num = nset;
-
-  return MP_OKAY;
-
-} /* end mpl_num_set() */
-
-/* }}} */
-
-/* {{{ mpl_num_clear(a, num) */
-
-mp_err mpl_num_clear(mp_int *a, int *num)
-{
-  unsigned int   ix;
-  int            db, nset = 0;
-  mp_digit       cur;
-  unsigned char  reg;
-
-  ARGCHK(a != NULL, MP_BADARG);
-
-  for(ix = 0; ix < USED(a); ix++) {
-    cur = DIGIT(a, ix);
-    
-    for(db = 0; db < sizeof(mp_digit); db++) {
-      reg = (unsigned char)(cur >> (CHAR_BIT * db));
-
-      nset += bitc[UCHAR_MAX - reg];
-    }
-  }
-
-  if(num)
-    *num = nset;
-
-  return MP_OKAY;
-
-
-} /* end mpl_num_clear() */
-
-/* }}} */
-
-/*------------------------------------------------------------------------*/
-/*
-  mpl_parity(a)
-
-  Determines the bitwise parity of the value given.  Returns MP_EVEN
-  if an even number of digits are set, MP_ODD if an odd number are
-  set.
- */
-
-/* {{{ mpl_parity(a) */
-
-mp_err mpl_parity(mp_int *a)
-{
-  unsigned int ix;
-  int      par = 0;
-  mp_digit cur;
-
-  ARGCHK(a != NULL, MP_BADARG);
-
-  for(ix = 0; ix < USED(a); ix++) {
-    int   shft = (sizeof(mp_digit) * CHAR_BIT) / 2;
-
-    cur = DIGIT(a, ix);
-
-    /* Compute parity for current digit */
-    while(shft != 0) {
-      cur ^= (cur >> shft);
-      shft >>= 1;
-    }
-    cur &= 1;
-
-    /* XOR with running parity so far   */
-    par ^= cur;
-  }
-
-  if(par)
-    return MP_ODD;
-  else
-    return MP_EVEN;
-
-} /* end mpl_parity() */
-
-/* }}} */
-
-/*
-  mpl_set_bit
-
-  Returns MP_OKAY or some error code.
-  Grows a if needed to set a bit to 1.
- */
-mp_err mpl_set_bit(mp_int *a, mp_size bitNum, mp_size value)
-{
-  mp_size      ix;
-  mp_err       rv;
-  mp_digit     mask;
-
-  ARGCHK(a != NULL, MP_BADARG);
-
-  ix = bitNum / MP_DIGIT_BIT;
-  if (ix + 1 > MP_USED(a)) {
-    rv = s_mp_pad(a, ix + 1);
-    if (rv != MP_OKAY)
-      return rv;
-  }
-
-  bitNum = bitNum % MP_DIGIT_BIT;
-  mask = (mp_digit)1 << bitNum;
-  if (value)
-    MP_DIGIT(a,ix) |= mask;
-  else
-    MP_DIGIT(a,ix) &= ~mask;
-  s_mp_clamp(a);
-  return MP_OKAY;
-}
-
-/*
-  mpl_get_bit
-
-  returns 0 or 1 or some (negative) error code.
- */
-mp_err mpl_get_bit(const mp_int *a, mp_size bitNum)
-{
-  mp_size      bit, ix;
-  mp_err       rv;
-
-  ARGCHK(a != NULL, MP_BADARG);
-
-  ix = bitNum / MP_DIGIT_BIT;
-  ARGCHK(ix <= MP_USED(a) - 1, MP_RANGE);
-
-  bit   = bitNum % MP_DIGIT_BIT;
-  rv = (mp_err)(MP_DIGIT(a, ix) >> bit) & 1;
-  return rv;
-}
-
-/*
-  mpl_get_bits
-  - Extracts numBits bits from a, where the least significant extracted bit
-  is bit lsbNum.  Returns a negative value if error occurs.
-  - Because sign bit is used to indicate error, maximum number of bits to 
-  be returned is the lesser of (a) the number of bits in an mp_digit, or
-  (b) one less than the number of bits in an mp_err.
-  - lsbNum + numbits can be greater than the number of significant bits in
-  integer a, as long as bit lsbNum is in the high order digit of a.
- */
-mp_err mpl_get_bits(const mp_int *a, mp_size lsbNum, mp_size numBits) 
-{
-  mp_size    rshift = (lsbNum % MP_DIGIT_BIT);
-  mp_size    lsWndx = (lsbNum / MP_DIGIT_BIT);
-  mp_digit * digit  = MP_DIGITS(a) + lsWndx;
-  mp_digit   mask   = ((1 << numBits) - 1);
-
-  ARGCHK(numBits < CHAR_BIT * sizeof mask, MP_BADARG);
-  ARGCHK(MP_HOWMANY(lsbNum, MP_DIGIT_BIT) <= MP_USED(a), MP_RANGE);
-
-  if ((numBits + lsbNum % MP_DIGIT_BIT <= MP_DIGIT_BIT) ||
-      (lsWndx + 1 >= MP_USED(a))) {
-    mask &= (digit[0] >> rshift);
-  } else {
-    mask &= ((digit[0] >> rshift) | (digit[1] << (MP_DIGIT_BIT - rshift)));
-  }
-  return (mp_err)mask;
-}
-
-/*
-  mpl_significant_bits
-  returns number of significnant bits in abs(a).
-  returns 1 if value is zero.
- */
-mp_err mpl_significant_bits(const mp_int *a)
-{
-  mp_err bits 	= 0;
-  int    ix;
-
-  ARGCHK(a != NULL, MP_BADARG);
-
-  ix = MP_USED(a);
-  for (ix = MP_USED(a); ix > 0; ) {
-    mp_digit d;
-    d = MP_DIGIT(a, --ix);
-    if (d) {
-      while (d) {
-	++bits;
-	d >>= 1;
-      }
-      break;
-    }
-  }
-  bits += ix * MP_DIGIT_BIT;
-  if (!bits)
-    bits = 1;
-  return bits;
-}
-
-/*------------------------------------------------------------------------*/
-/* HERE THERE BE DRAGONS                                                  */
diff --git a/security/nss/lib/freebl/mpi/mplogic.h b/security/nss/lib/freebl/mpi/mplogic.h
deleted file mode 100644
index e3bc924a2..000000000
--- a/security/nss/lib/freebl/mpi/mplogic.h
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- *  mplogic.h
- *
- *  Bitwise logical operations on MPI values
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#ifndef _H_MPLOGIC_
-#define _H_MPLOGIC_
-
-#include "mpi.h"
-
-/*
-  The logical operations treat an mp_int as if it were a bit vector,
-  without regard to its sign (an mp_int is represented in a signed
-  magnitude format).  Values are treated as if they had an infinite
-  string of zeros left of the most-significant bit.
- */
-
-/* Parity results                    */
-
-#define MP_EVEN       MP_YES
-#define MP_ODD        MP_NO
-
-/* Bitwise functions                 */
-
-mp_err mpl_not(mp_int *a, mp_int *b);            /* one's complement  */
-mp_err mpl_and(mp_int *a, mp_int *b, mp_int *c); /* bitwise AND       */
-mp_err mpl_or(mp_int *a, mp_int *b, mp_int *c);  /* bitwise OR        */
-mp_err mpl_xor(mp_int *a, mp_int *b, mp_int *c); /* bitwise XOR       */
-
-/* Shift functions                   */
-
-mp_err mpl_rsh(const mp_int *a, mp_int *b, mp_digit d);   /* right shift    */
-mp_err mpl_lsh(const mp_int *a, mp_int *b, mp_digit d);   /* left shift     */
-
-/* Bit count and parity              */
-
-mp_err mpl_num_set(mp_int *a, int *num);         /* count set bits    */
-mp_err mpl_num_clear(mp_int *a, int *num);       /* count clear bits  */
-mp_err mpl_parity(mp_int *a);                    /* determine parity  */
-
-/* Get & Set the value of a bit */
-
-mp_err mpl_set_bit(mp_int *a, mp_size bitNum, mp_size value);
-mp_err mpl_get_bit(const mp_int *a, mp_size bitNum);
-mp_err mpl_get_bits(const mp_int *a, mp_size lsbNum, mp_size numBits);
-mp_err mpl_significant_bits(const mp_int *a);
-
-#endif /* end _H_MPLOGIC_ */
diff --git a/security/nss/lib/freebl/mpi/mpmontg.c b/security/nss/lib/freebl/mpi/mpmontg.c
deleted file mode 100644
index 8879454ae..000000000
--- a/security/nss/lib/freebl/mpi/mpmontg.c
+++ /dev/null
@@ -1,584 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Sheueling Chang Shantz <sheueling.chang@sun.com>,
- *   Stephen Fung <stephen.fung@sun.com>, and
- *   Douglas Stebila <douglas@stebila.ca> of Sun Laboratories.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-/* This file implements moduluar exponentiation using Montgomery's
- * method for modular reduction.  This file implements the method
- * described as "Improvement 1" in the paper "A Cryptogrpahic Library for
- * the Motorola DSP56000" by Stephen R. Dusse' and Burton S. Kaliski Jr.
- * published in "Advances in Cryptology: Proceedings of EUROCRYPT '90"
- * "Lecture Notes in Computer Science" volume 473, 1991, pg 230-244,
- * published by Springer Verlag.
- */
-
-/* #define MP_USING_MONT_MULF 1 */
-#include <string.h>
-#include "mpi-priv.h"
-#include "mplogic.h"
-#include "mpprime.h"
-#ifdef MP_USING_MONT_MULF
-#include "montmulf.h"
-#endif
-
-#define STATIC
-/* #define DEBUG 1  */
-
-#define MAX_WINDOW_BITS 6
-#define MAX_ODD_INTS    32   /* 2 ** (WINDOW_BITS - 1) */
-
-#if defined(_WIN32_WCE)
-#define ABORT  res = MP_UNDEF; goto CLEANUP
-#else
-#define ABORT abort()
-#endif
-
-/* computes T = REDC(T), 2^b == R */
-mp_err s_mp_redc(mp_int *T, mp_mont_modulus *mmm)
-{
-  mp_err res;
-  mp_size i;
-
-  i = MP_USED(T) + MP_USED(&mmm->N) + 2;
-  MP_CHECKOK( s_mp_pad(T, i) );
-  for (i = 0; i < MP_USED(&mmm->N); ++i ) {
-    mp_digit m_i = MP_DIGIT(T, i) * mmm->n0prime;
-    /* T += N * m_i * (MP_RADIX ** i); */
-    MP_CHECKOK( s_mp_mul_d_add_offset(&mmm->N, m_i, T, i) );
-  }
-  s_mp_clamp(T);
-
-  /* T /= R */
-  s_mp_div_2d(T, mmm->b); 
-
-  if ((res = s_mp_cmp(T, &mmm->N)) >= 0) {
-    /* T = T - N */
-    MP_CHECKOK( s_mp_sub(T, &mmm->N) );
-#ifdef DEBUG
-    if ((res = mp_cmp(T, &mmm->N)) >= 0) {
-      res = MP_UNDEF;
-      goto CLEANUP;
-    }
-#endif
-  }
-  res = MP_OKAY;
-CLEANUP:
-  return res;
-}
-
-#if !defined(MP_ASSEMBLY_MUL_MONT) && !defined(MP_MONT_USE_MP_MUL)
-mp_err s_mp_mul_mont(const mp_int *a, const mp_int *b, mp_int *c, 
-	           mp_mont_modulus *mmm)
-{
-  mp_digit *pb;
-  mp_digit m_i;
-  mp_err   res;
-  mp_size  ib;
-  mp_size  useda, usedb;
-
-  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
-
-  if (MP_USED(a) < MP_USED(b)) {
-    const mp_int *xch = b;	/* switch a and b, to do fewer outer loops */
-    b = a;
-    a = xch;
-  }
-
-  MP_USED(c) = 1; MP_DIGIT(c, 0) = 0;
-  ib = MP_USED(a) + MP_MAX(MP_USED(b), MP_USED(&mmm->N)) + 2;
-  if((res = s_mp_pad(c, ib)) != MP_OKAY)
-    goto CLEANUP;
-
-  useda = MP_USED(a);
-  pb = MP_DIGITS(b);
-  s_mpv_mul_d(MP_DIGITS(a), useda, *pb++, MP_DIGITS(c));
-  s_mp_setz(MP_DIGITS(c) + useda + 1, ib - (useda + 1));
-  m_i = MP_DIGIT(c, 0) * mmm->n0prime;
-  s_mp_mul_d_add_offset(&mmm->N, m_i, c, 0);
-
-  /* Outer loop:  Digits of b */
-  usedb = MP_USED(b);
-  for (ib = 1; ib < usedb; ib++) {
-    mp_digit b_i    = *pb++;
-
-    /* Inner product:  Digits of a */
-    if (b_i)
-      s_mpv_mul_d_add_prop(MP_DIGITS(a), useda, b_i, MP_DIGITS(c) + ib);
-    m_i = MP_DIGIT(c, ib) * mmm->n0prime;
-    s_mp_mul_d_add_offset(&mmm->N, m_i, c, ib);
-  }
-  if (usedb < MP_USED(&mmm->N)) {
-    for (usedb = MP_USED(&mmm->N); ib < usedb; ++ib ) {
-      m_i = MP_DIGIT(c, ib) * mmm->n0prime;
-      s_mp_mul_d_add_offset(&mmm->N, m_i, c, ib);
-    }
-  }
-  s_mp_clamp(c);
-  s_mp_div_2d(c, mmm->b); 
-  if (s_mp_cmp(c, &mmm->N) >= 0) {
-    MP_CHECKOK( s_mp_sub(c, &mmm->N) );
-  }
-  res = MP_OKAY;
-
-CLEANUP:
-  return res;
-}
-#endif
-
-STATIC
-mp_err s_mp_to_mont(const mp_int *x, mp_mont_modulus *mmm, mp_int *xMont)
-{
-  mp_err res;
-
-  /* xMont = x * R mod N   where  N is modulus */
-  MP_CHECKOK( mpl_lsh(x, xMont, mmm->b) );  		/* xMont = x << b */
-  MP_CHECKOK( mp_div(xMont, &mmm->N, 0, xMont) );	/*         mod N */
-CLEANUP:
-  return res;
-}
-
-#ifdef MP_USING_MONT_MULF
-
-unsigned int mp_using_mont_mulf = 1;
-
-/* computes montgomery square of the integer in mResult */
-#define SQR \
-  conv_i32_to_d32_and_d16(dm1, d16Tmp, mResult, nLen); \
-  mont_mulf_noconv(mResult, dm1, d16Tmp, \
-		   dTmp, dn, MP_DIGITS(modulus), nLen, dn0)
-
-/* computes montgomery product of x and the integer in mResult */
-#define MUL(x) \
-  conv_i32_to_d32(dm1, mResult, nLen); \
-  mont_mulf_noconv(mResult, dm1, oddPowers[x], \
-		   dTmp, dn, MP_DIGITS(modulus), nLen, dn0)
-
-/* Do modular exponentiation using floating point multiply code. */
-mp_err mp_exptmod_f(const mp_int *   montBase, 
-                    const mp_int *   exponent, 
-		    const mp_int *   modulus, 
-		    mp_int *         result, 
-		    mp_mont_modulus *mmm, 
-		    int              nLen, 
-		    mp_size          bits_in_exponent, 
-		    mp_size          window_bits,
-		    mp_size          odd_ints)
-{
-  mp_digit *mResult;
-  double   *dBuf = 0, *dm1, *dn, *dSqr, *d16Tmp, *dTmp;
-  double    dn0;
-  mp_size   i;
-  mp_err    res;
-  int       expOff;
-  int       dSize = 0, oddPowSize, dTmpSize;
-  mp_int    accum1;
-  double   *oddPowers[MAX_ODD_INTS];
-
-  /* function for computing n0prime only works if n0 is odd */
-
-  MP_DIGITS(&accum1) = 0;
-
-  for (i = 0; i < MAX_ODD_INTS; ++i)
-    oddPowers[i] = 0;
-
-  MP_CHECKOK( mp_init_size(&accum1, 3 * nLen + 2) );
-
-  mp_set(&accum1, 1);
-  MP_CHECKOK( s_mp_to_mont(&accum1, mmm, &accum1) );
-  MP_CHECKOK( s_mp_pad(&accum1, nLen) );
-
-  oddPowSize = 2 * nLen + 1;
-  dTmpSize   = 2 * oddPowSize;
-  dSize = sizeof(double) * (nLen * 4 + 1 + 
-			    ((odd_ints + 1) * oddPowSize) + dTmpSize);
-  dBuf   = (double *)malloc(dSize);
-  dm1    = dBuf;		/* array of d32 */
-  dn     = dBuf   + nLen;	/* array of d32 */
-  dSqr   = dn     + nLen;    	/* array of d32 */
-  d16Tmp = dSqr   + nLen;	/* array of d16 */
-  dTmp   = d16Tmp + oddPowSize;
-
-  for (i = 0; i < odd_ints; ++i) {
-      oddPowers[i] = dTmp;
-      dTmp += oddPowSize;
-  }
-  mResult = (mp_digit *)(dTmp + dTmpSize);	/* size is nLen + 1 */
-
-  /* Make dn and dn0 */
-  conv_i32_to_d32(dn, MP_DIGITS(modulus), nLen);
-  dn0 = (double)(mmm->n0prime & 0xffff);
-
-  /* Make dSqr */
-  conv_i32_to_d32_and_d16(dm1, oddPowers[0], MP_DIGITS(montBase), nLen);
-  mont_mulf_noconv(mResult, dm1, oddPowers[0], 
-		   dTmp, dn, MP_DIGITS(modulus), nLen, dn0);
-  conv_i32_to_d32(dSqr, mResult, nLen);
-
-  for (i = 1; i < odd_ints; ++i) {
-    mont_mulf_noconv(mResult, dSqr, oddPowers[i - 1], 
-		     dTmp, dn, MP_DIGITS(modulus), nLen, dn0);
-    conv_i32_to_d16(oddPowers[i], mResult, nLen);
-  }
-
-  s_mp_copy(MP_DIGITS(&accum1), mResult, nLen); /* from, to, len */
-
-  for (expOff = bits_in_exponent - window_bits; expOff >= 0; expOff -= window_bits) {
-    mp_size smallExp;
-    MP_CHECKOK( mpl_get_bits(exponent, expOff, window_bits) );
-    smallExp = (mp_size)res;
-
-    if (window_bits == 1) {
-      if (!smallExp) {
-	SQR;
-      } else if (smallExp & 1) {
-	SQR; MUL(0); 
-      } else {
-	ABORT;
-      }
-    } else if (window_bits == 4) {
-      if (!smallExp) {
-	SQR; SQR; SQR; SQR;
-      } else if (smallExp & 1) {
-	SQR; SQR; SQR; SQR; MUL(smallExp/2); 
-      } else if (smallExp & 2) {
-	SQR; SQR; SQR; MUL(smallExp/4); SQR; 
-      } else if (smallExp & 4) {
-	SQR; SQR; MUL(smallExp/8); SQR; SQR; 
-      } else if (smallExp & 8) {
-	SQR; MUL(smallExp/16); SQR; SQR; SQR; 
-      } else {
-	ABORT;
-      }
-    } else if (window_bits == 5) {
-      if (!smallExp) {
-	SQR; SQR; SQR; SQR; SQR; 
-      } else if (smallExp & 1) {
-	SQR; SQR; SQR; SQR; SQR; MUL(smallExp/2);
-      } else if (smallExp & 2) {
-	SQR; SQR; SQR; SQR; MUL(smallExp/4); SQR;
-      } else if (smallExp & 4) {
-	SQR; SQR; SQR; MUL(smallExp/8); SQR; SQR;
-      } else if (smallExp & 8) {
-	SQR; SQR; MUL(smallExp/16); SQR; SQR; SQR;
-      } else if (smallExp & 0x10) {
-	SQR; MUL(smallExp/32); SQR; SQR; SQR; SQR;
-      } else {
-	ABORT;
-      }
-    } else if (window_bits == 6) {
-      if (!smallExp) {
-	SQR; SQR; SQR; SQR; SQR; SQR;
-      } else if (smallExp & 1) {
-	SQR; SQR; SQR; SQR; SQR; SQR; MUL(smallExp/2); 
-      } else if (smallExp & 2) {
-	SQR; SQR; SQR; SQR; SQR; MUL(smallExp/4); SQR; 
-      } else if (smallExp & 4) {
-	SQR; SQR; SQR; SQR; MUL(smallExp/8); SQR; SQR; 
-      } else if (smallExp & 8) {
-	SQR; SQR; SQR; MUL(smallExp/16); SQR; SQR; SQR; 
-      } else if (smallExp & 0x10) {
-	SQR; SQR; MUL(smallExp/32); SQR; SQR; SQR; SQR; 
-      } else if (smallExp & 0x20) {
-	SQR; MUL(smallExp/64); SQR; SQR; SQR; SQR; SQR; 
-      } else {
-	ABORT;
-      }
-    } else {
-      ABORT;
-    }
-  }
-
-  s_mp_copy(mResult, MP_DIGITS(&accum1), nLen); /* from, to, len */
-
-  res = s_mp_redc(&accum1, mmm);
-  mp_exch(&accum1, result);
-
-CLEANUP:
-  mp_clear(&accum1);
-  if (dBuf) {
-    if (dSize)
-      memset(dBuf, 0, dSize);
-    free(dBuf);
-  }
-
-  return res;
-}
-#undef SQR
-#undef MUL
-#endif
-
-#define SQR(a,b) \
-  MP_CHECKOK( mp_sqr(a, b) );\
-  MP_CHECKOK( s_mp_redc(b, mmm) )
-
-#if defined(MP_MONT_USE_MP_MUL)
-#define MUL(x,a,b) \
-  MP_CHECKOK( mp_mul(a, oddPowers + (x), b) ); \
-  MP_CHECKOK( s_mp_redc(b, mmm) ) 
-#else
-#define MUL(x,a,b) \
-  MP_CHECKOK( s_mp_mul_mont(a, oddPowers + (x), b, mmm) )
-#endif
-
-#define SWAPPA ptmp = pa1; pa1 = pa2; pa2 = ptmp
-
-/* Do modular exponentiation using integer multiply code. */
-mp_err mp_exptmod_i(const mp_int *   montBase, 
-                    const mp_int *   exponent, 
-		    const mp_int *   modulus, 
-		    mp_int *         result, 
-		    mp_mont_modulus *mmm, 
-		    int              nLen, 
-		    mp_size          bits_in_exponent, 
-		    mp_size          window_bits,
-		    mp_size          odd_ints)
-{
-  mp_int *pa1, *pa2, *ptmp;
-  mp_size i;
-  mp_err  res;
-  int     expOff;
-  mp_int  accum1, accum2, power2, oddPowers[MAX_ODD_INTS];
-
-  /* power2 = base ** 2; oddPowers[i] = base ** (2*i + 1); */
-  /* oddPowers[i] = base ** (2*i + 1); */
-
-  MP_DIGITS(&accum1) = 0;
-  MP_DIGITS(&accum2) = 0;
-  MP_DIGITS(&power2) = 0;
-  for (i = 0; i < MAX_ODD_INTS; ++i) {
-    MP_DIGITS(oddPowers + i) = 0;
-  }
-
-  MP_CHECKOK( mp_init_size(&accum1, 3 * nLen + 2) );
-  MP_CHECKOK( mp_init_size(&accum2, 3 * nLen + 2) );
-
-  MP_CHECKOK( mp_init_copy(&oddPowers[0], montBase) );
-
-  mp_init_size(&power2, nLen + 2 * MP_USED(montBase) + 2);
-  MP_CHECKOK( mp_sqr(montBase, &power2) );	/* power2 = montBase ** 2 */
-  MP_CHECKOK( s_mp_redc(&power2, mmm) );
-
-  for (i = 1; i < odd_ints; ++i) {
-    mp_init_size(oddPowers + i, nLen + 2 * MP_USED(&power2) + 2);
-    MP_CHECKOK( mp_mul(oddPowers + (i - 1), &power2, oddPowers + i) );
-    MP_CHECKOK( s_mp_redc(oddPowers + i, mmm) );
-  }
-
-  /* set accumulator to montgomery residue of 1 */
-  mp_set(&accum1, 1);
-  MP_CHECKOK( s_mp_to_mont(&accum1, mmm, &accum1) );
-  pa1 = &accum1;
-  pa2 = &accum2;
-
-  for (expOff = bits_in_exponent - window_bits; expOff >= 0; expOff -= window_bits) {
-    mp_size smallExp;
-    MP_CHECKOK( mpl_get_bits(exponent, expOff, window_bits) );
-    smallExp = (mp_size)res;
-
-    if (window_bits == 1) {
-      if (!smallExp) {
-	SQR(pa1,pa2); SWAPPA;
-      } else if (smallExp & 1) {
-	SQR(pa1,pa2); MUL(0,pa2,pa1);
-      } else {
-	ABORT;
-      }
-    } else if (window_bits == 4) {
-      if (!smallExp) {
-	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1);
-      } else if (smallExp & 1) {
-	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
-	MUL(smallExp/2, pa1,pa2); SWAPPA;
-      } else if (smallExp & 2) {
-	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); 
-	MUL(smallExp/4,pa2,pa1); SQR(pa1,pa2); SWAPPA;
-      } else if (smallExp & 4) {
-	SQR(pa1,pa2); SQR(pa2,pa1); MUL(smallExp/8,pa1,pa2); 
-	SQR(pa2,pa1); SQR(pa1,pa2); SWAPPA;
-      } else if (smallExp & 8) {
-	SQR(pa1,pa2); MUL(smallExp/16,pa2,pa1); SQR(pa1,pa2); 
-	SQR(pa2,pa1); SQR(pa1,pa2); SWAPPA;
-      } else {
-	ABORT;
-      }
-    } else if (window_bits == 5) {
-      if (!smallExp) {
-	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
-	SQR(pa1,pa2); SWAPPA;
-      } else if (smallExp & 1) {
-	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
-	SQR(pa1,pa2); MUL(smallExp/2,pa2,pa1);
-      } else if (smallExp & 2) {
-	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
-	MUL(smallExp/4,pa1,pa2); SQR(pa2,pa1);
-      } else if (smallExp & 4) {
-	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); 
-	MUL(smallExp/8,pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1);
-      } else if (smallExp & 8) {
-	SQR(pa1,pa2); SQR(pa2,pa1); MUL(smallExp/16,pa1,pa2); 
-	SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1);
-      } else if (smallExp & 0x10) {
-	SQR(pa1,pa2); MUL(smallExp/32,pa2,pa1); SQR(pa1,pa2); 
-	SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1);
-      } else {
-	ABORT;
-      }
-    } else if (window_bits == 6) {
-      if (!smallExp) {
-	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
-	SQR(pa1,pa2); SQR(pa2,pa1);
-      } else if (smallExp & 1) {
-	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
-	SQR(pa1,pa2); SQR(pa2,pa1); MUL(smallExp/2,pa1,pa2); SWAPPA;
-      } else if (smallExp & 2) {
-	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
-	SQR(pa1,pa2); MUL(smallExp/4,pa2,pa1); SQR(pa1,pa2); SWAPPA;
-      } else if (smallExp & 4) {
-	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
-	MUL(smallExp/8,pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SWAPPA;
-      } else if (smallExp & 8) {
-	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); 
-	MUL(smallExp/16,pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
-	SQR(pa1,pa2); SWAPPA;
-      } else if (smallExp & 0x10) {
-	SQR(pa1,pa2); SQR(pa2,pa1); MUL(smallExp/32,pa1,pa2); 
-	SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SWAPPA;
-      } else if (smallExp & 0x20) {
-	SQR(pa1,pa2); MUL(smallExp/64,pa2,pa1); SQR(pa1,pa2); 
-	SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SWAPPA;
-      } else {
-	ABORT;
-      }
-    } else {
-      ABORT;
-    }
-  }
-
-  res = s_mp_redc(pa1, mmm);
-  mp_exch(pa1, result);
-
-CLEANUP:
-  mp_clear(&accum1);
-  mp_clear(&accum2);
-  mp_clear(&power2);
-  for (i = 0; i < odd_ints; ++i) {
-    mp_clear(oddPowers + i);
-  }
-  return res;
-}
-#undef SQR
-#undef MUL
-
-
-mp_err mp_exptmod(const mp_int *inBase, const mp_int *exponent, 
-		  const mp_int *modulus, mp_int *result)
-{
-  const mp_int *base;
-  mp_size bits_in_exponent, i, window_bits, odd_ints;
-  mp_err  res;
-  int     nLen;
-  mp_int  montBase, goodBase;
-  mp_mont_modulus mmm;
-
-  /* function for computing n0prime only works if n0 is odd */
-  if (!mp_isodd(modulus))
-    return s_mp_exptmod(inBase, exponent, modulus, result);
-
-  MP_DIGITS(&montBase) = 0;
-  MP_DIGITS(&goodBase) = 0;
-
-  if (mp_cmp(inBase, modulus) < 0) {
-    base = inBase;
-  } else {
-    MP_CHECKOK( mp_init(&goodBase) );
-    base = &goodBase;
-    MP_CHECKOK( mp_mod(inBase, modulus, &goodBase) );
-  }
-
-  nLen  = MP_USED(modulus);
-  MP_CHECKOK( mp_init_size(&montBase, 2 * nLen + 2) );
-
-  mmm.N = *modulus;			/* a copy of the mp_int struct */
-  i = mpl_significant_bits(modulus);
-  i += MP_DIGIT_BIT - 1;
-  mmm.b = i - i % MP_DIGIT_BIT;
-
-  /* compute n0', given n0, n0' = -(n0 ** -1) mod MP_RADIX
-  **		where n0 = least significant mp_digit of N, the modulus.
-  */
-  mmm.n0prime = 0 - s_mp_invmod_radix( MP_DIGIT(modulus, 0) );
-
-  MP_CHECKOK( s_mp_to_mont(base, &mmm, &montBase) );
-
-  bits_in_exponent = mpl_significant_bits(exponent);
-  if (bits_in_exponent > 480)
-    window_bits = 6;
-  else if (bits_in_exponent > 160)
-    window_bits = 5;
-  else if (bits_in_exponent > 20)
-    window_bits = 4;
-  /* RSA public key exponents are typically under 20 bits (common values 
-   * are: 3, 17, 65537) and a 4-bit window is inefficient
-   */
-  else 
-    window_bits = 1;
-  odd_ints = 1 << (window_bits - 1);
-  i = bits_in_exponent % window_bits;
-  if (i != 0) {
-    bits_in_exponent += window_bits - i;
-  } 
-
-#ifdef MP_USING_MONT_MULF
-  if (mp_using_mont_mulf) {
-    MP_CHECKOK( s_mp_pad(&montBase, nLen) );
-    res = mp_exptmod_f(&montBase, exponent, modulus, result, &mmm, nLen, 
-		     bits_in_exponent, window_bits, odd_ints);
-  } else
-#endif
-  res = mp_exptmod_i(&montBase, exponent, modulus, result, &mmm, nLen, 
-		     bits_in_exponent, window_bits, odd_ints);
-
-CLEANUP:
-  mp_clear(&montBase);
-  mp_clear(&goodBase);
-  /* Don't mp_clear mmm.N because it is merely a copy of modulus.
-  ** Just zap it.
-  */
-  memset(&mmm, 0, sizeof mmm);
-  return res;
-}
diff --git a/security/nss/lib/freebl/mpi/mpprime.c b/security/nss/lib/freebl/mpi/mpprime.c
deleted file mode 100644
index dfe7988f7..000000000
--- a/security/nss/lib/freebl/mpi/mpprime.c
+++ /dev/null
@@ -1,626 +0,0 @@
-/*
- *  mpprime.c
- *
- *  Utilities for finding and working with prime and pseudo-prime
- *  integers
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1997
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Netscape Communications Corporation
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "mpi-priv.h"
-#include "mpprime.h"
-#include "mplogic.h"
-#include <stdlib.h>
-#include <string.h>
-
-#define SMALL_TABLE 0 /* determines size of hard-wired prime table */
-
-#define RANDOM() rand()
-
-#include "primes.c"  /* pull in the prime digit table */
-
-/* 
-   Test if any of a given vector of digits divides a.  If not, MP_NO
-   is returned; otherwise, MP_YES is returned and 'which' is set to
-   the index of the integer in the vector which divided a.
- */
-mp_err    s_mpp_divp(mp_int *a, const mp_digit *vec, int size, int *which);
-
-/* {{{ mpp_divis(a, b) */
-
-/*
-  mpp_divis(a, b)
-
-  Returns MP_YES if a is divisible by b, or MP_NO if it is not.
- */
-
-mp_err  mpp_divis(mp_int *a, mp_int *b)
-{
-  mp_err  res;
-  mp_int  rem;
-
-  if((res = mp_init(&rem)) != MP_OKAY)
-    return res;
-
-  if((res = mp_mod(a, b, &rem)) != MP_OKAY)
-    goto CLEANUP;
-
-  if(mp_cmp_z(&rem) == 0)
-    res = MP_YES;
-  else
-    res = MP_NO;
-
-CLEANUP:
-  mp_clear(&rem);
-  return res;
-
-} /* end mpp_divis() */
-
-/* }}} */
-
-/* {{{ mpp_divis_d(a, d) */
-
-/*
-  mpp_divis_d(a, d)
-
-  Return MP_YES if a is divisible by d, or MP_NO if it is not.
- */
-
-mp_err  mpp_divis_d(mp_int *a, mp_digit d)
-{
-  mp_err     res;
-  mp_digit   rem;
-
-  ARGCHK(a != NULL, MP_BADARG);
-
-  if(d == 0)
-    return MP_NO;
-
-  if((res = mp_mod_d(a, d, &rem)) != MP_OKAY)
-    return res;
-
-  if(rem == 0)
-    return MP_YES;
-  else
-    return MP_NO;
-
-} /* end mpp_divis_d() */
-
-/* }}} */
-
-/* {{{ mpp_random(a) */
-
-/*
-  mpp_random(a)
-
-  Assigns a random value to a.  This value is generated using the
-  standard C library's rand() function, so it should not be used for
-  cryptographic purposes, but it should be fine for primality testing,
-  since all we really care about there is good statistical properties.
-
-  As many digits as a currently has are filled with random digits.
- */
-
-mp_err  mpp_random(mp_int *a)
-
-{
-  mp_digit  next = 0;
-  unsigned int       ix, jx;
-
-  ARGCHK(a != NULL, MP_BADARG);
-
-  for(ix = 0; ix < USED(a); ix++) {
-    for(jx = 0; jx < sizeof(mp_digit); jx++) {
-      next = (next << CHAR_BIT) | (RANDOM() & UCHAR_MAX);
-    }
-    DIGIT(a, ix) = next;
-  }
-
-  return MP_OKAY;
-
-} /* end mpp_random() */
-
-/* }}} */
-
-/* {{{ mpp_random_size(a, prec) */
-
-mp_err  mpp_random_size(mp_int *a, mp_size prec)
-{
-  mp_err   res;
-
-  ARGCHK(a != NULL && prec > 0, MP_BADARG);
-  
-  if((res = s_mp_pad(a, prec)) != MP_OKAY)
-    return res;
-
-  return mpp_random(a);
-
-} /* end mpp_random_size() */
-
-/* }}} */
-
-/* {{{ mpp_divis_vector(a, vec, size, which) */
-
-/*
-  mpp_divis_vector(a, vec, size, which)
-
-  Determines if a is divisible by any of the 'size' digits in vec.
-  Returns MP_YES and sets 'which' to the index of the offending digit,
-  if it is; returns MP_NO if it is not.
- */
-
-mp_err  mpp_divis_vector(mp_int *a, const mp_digit *vec, int size, int *which)
-{
-  ARGCHK(a != NULL && vec != NULL && size > 0, MP_BADARG);
-  
-  return s_mpp_divp(a, vec, size, which);
-
-} /* end mpp_divis_vector() */
-
-/* }}} */
-
-/* {{{ mpp_divis_primes(a, np) */
-
-/*
-  mpp_divis_primes(a, np)
-
-  Test whether a is divisible by any of the first 'np' primes.  If it
-  is, returns MP_YES and sets *np to the value of the digit that did
-  it.  If not, returns MP_NO.
- */
-mp_err  mpp_divis_primes(mp_int *a, mp_digit *np)
-{
-  int     size, which;
-  mp_err  res;
-
-  ARGCHK(a != NULL && np != NULL, MP_BADARG);
-
-  size = (int)*np;
-  if(size > prime_tab_size)
-    size = prime_tab_size;
-
-  res = mpp_divis_vector(a, prime_tab, size, &which);
-  if(res == MP_YES) 
-    *np = prime_tab[which];
-
-  return res;
-
-} /* end mpp_divis_primes() */
-
-/* }}} */
-
-/* {{{ mpp_fermat(a, w) */
-
-/*
-  Using w as a witness, try pseudo-primality testing based on Fermat's
-  little theorem.  If a is prime, and (w, a) = 1, then w^a == w (mod
-  a).  So, we compute z = w^a (mod a) and compare z to w; if they are
-  equal, the test passes and we return MP_YES.  Otherwise, we return
-  MP_NO.
- */
-mp_err  mpp_fermat(mp_int *a, mp_digit w)
-{
-  mp_int  base, test;
-  mp_err  res;
-  
-  if((res = mp_init(&base)) != MP_OKAY)
-    return res;
-
-  mp_set(&base, w);
-
-  if((res = mp_init(&test)) != MP_OKAY)
-    goto TEST;
-
-  /* Compute test = base^a (mod a) */
-  if((res = mp_exptmod(&base, a, a, &test)) != MP_OKAY)
-    goto CLEANUP;
-
-  
-  if(mp_cmp(&base, &test) == 0)
-    res = MP_YES;
-  else
-    res = MP_NO;
-
- CLEANUP:
-  mp_clear(&test);
- TEST:
-  mp_clear(&base);
-
-  return res;
-
-} /* end mpp_fermat() */
-
-/* }}} */
-
-/*
-  Perform the fermat test on each of the primes in a list until
-  a) one of them shows a is not prime, or 
-  b) the list is exhausted.
-  Returns:  MP_YES if it passes tests.
-	    MP_NO  if fermat test reveals it is composite
-	    Some MP error code if some other error occurs.
- */
-mp_err mpp_fermat_list(mp_int *a, const mp_digit *primes, mp_size nPrimes)
-{
-  mp_err rv = MP_YES;
-
-  while (nPrimes-- > 0 && rv == MP_YES) {
-    rv = mpp_fermat(a, *primes++);
-  }
-  return rv;
-}
-
-/* {{{ mpp_pprime(a, nt) */
-
-/*
-  mpp_pprime(a, nt)
-
-  Performs nt iteration of the Miller-Rabin probabilistic primality
-  test on a.  Returns MP_YES if the tests pass, MP_NO if one fails.
-  If MP_NO is returned, the number is definitely composite.  If MP_YES
-  is returned, it is probably prime (but that is not guaranteed).
- */
-
-mp_err  mpp_pprime(mp_int *a, int nt)
-{
-  mp_err   res;
-  mp_int   x, amo, m, z;	/* "amo" = "a minus one" */
-  int      iter;
-  unsigned int jx;
-  mp_size  b;
-
-  ARGCHK(a != NULL, MP_BADARG);
-
-  MP_DIGITS(&x) = 0;
-  MP_DIGITS(&amo) = 0;
-  MP_DIGITS(&m) = 0;
-  MP_DIGITS(&z) = 0;
-
-  /* Initialize temporaries... */
-  MP_CHECKOK( mp_init(&amo));
-  /* Compute amo = a - 1 for what follows...    */
-  MP_CHECKOK( mp_sub_d(a, 1, &amo) );
-
-  b = mp_trailing_zeros(&amo);
-  if (!b) { /* a was even ? */
-    res = MP_NO;
-    goto CLEANUP;
-  }
-
-  MP_CHECKOK( mp_init_size(&x, MP_USED(a)) );
-  MP_CHECKOK( mp_init(&z) );
-  MP_CHECKOK( mp_init(&m) );
-  MP_CHECKOK( mp_div_2d(&amo, b, &m, 0) );
-
-  /* Do the test nt times... */
-  for(iter = 0; iter < nt; iter++) {
-
-    /* Choose a random value for x < a          */
-    s_mp_pad(&x, USED(a));
-    mpp_random(&x);
-    MP_CHECKOK( mp_mod(&x, a, &x) );
-
-    /* Compute z = (x ** m) mod a               */
-    MP_CHECKOK( mp_exptmod(&x, &m, a, &z) );
-    
-    if(mp_cmp_d(&z, 1) == 0 || mp_cmp(&z, &amo) == 0) {
-      res = MP_YES;
-      continue;
-    }
-    
-    res = MP_NO;  /* just in case the following for loop never executes. */
-    for (jx = 1; jx < b; jx++) {
-      /* z = z^2 (mod a) */
-      MP_CHECKOK( mp_sqrmod(&z, a, &z) );
-      res = MP_NO;	/* previous line set res to MP_YES */
-
-      if(mp_cmp_d(&z, 1) == 0) {
-	break;
-      }
-      if(mp_cmp(&z, &amo) == 0) {
-	res = MP_YES;
-	break;
-      } 
-    } /* end testing loop */
-
-    /* If the test passes, we will continue iterating, but a failed
-       test means the candidate is definitely NOT prime, so we will
-       immediately break out of this loop
-     */
-    if(res == MP_NO)
-      break;
-
-  } /* end iterations loop */
-  
-CLEANUP:
-  mp_clear(&m);
-  mp_clear(&z);
-  mp_clear(&x);
-  mp_clear(&amo);
-  return res;
-
-} /* end mpp_pprime() */
-
-/* }}} */
-
-/* Produce table of composites from list of primes and trial value.  
-** trial must be odd. List of primes must not include 2.
-** sieve should have dimension >= MAXPRIME/2, where MAXPRIME is largest 
-** prime in list of primes.  After this function is finished,
-** if sieve[i] is non-zero, then (trial + 2*i) is composite.
-** Each prime used in the sieve costs one division of trial, and eliminates
-** one or more values from the search space. (3 eliminates 1/3 of the values
-** alone!)  Each value left in the search space costs 1 or more modular 
-** exponentations.  So, these divisions are a bargain!
-*/
-mp_err mpp_sieve(mp_int *trial, const mp_digit *primes, mp_size nPrimes, 
-		 unsigned char *sieve, mp_size nSieve)
-{
-  mp_err       res;
-  mp_digit     rem;
-  mp_size      ix;
-  unsigned long offset;
-
-  memset(sieve, 0, nSieve);
-
-  for(ix = 0; ix < nPrimes; ix++) {
-    mp_digit prime = primes[ix];
-    mp_size  i;
-    if((res = mp_mod_d(trial, prime, &rem)) != MP_OKAY) 
-      return res;
-
-    if (rem == 0) {
-      offset = 0;
-    } else {
-      offset = prime - (rem / 2);
-    }
-    for (i = offset; i < nSieve ; i += prime) {
-      sieve[i] = 1;
-    }
-  }
-
-  return MP_OKAY;
-}
-
-#define SIEVE_SIZE 32*1024
-
-mp_err mpp_make_prime(mp_int *start, mp_size nBits, mp_size strong,
-		      unsigned long * nTries)
-{
-  mp_digit      np;
-  mp_err        res;
-  int           i	= 0;
-  mp_int        trial;
-  mp_int        q;
-  mp_size       num_tests;
-  /*
-   * Always make sieve the last variabale allocated so that 
-   * Mac builds don't break by adding an extra variable
-   * on the stack. -javi
-   */
-#if defined(macintosh) || defined (XP_OS2) \
-    || (defined(HPUX) && defined(__ia64))
-  unsigned char *sieve;
-  
-  sieve = malloc(SIEVE_SIZE);
-  ARGCHK(sieve != NULL, MP_MEM);
-#else
-  unsigned char sieve[SIEVE_SIZE];
-#endif  
-
-  ARGCHK(start != 0, MP_BADARG);
-  ARGCHK(nBits > 16, MP_RANGE);
-
-  MP_DIGITS(&trial) = 0;
-  MP_DIGITS(&q) = 0;
-  MP_CHECKOK( mp_init(&trial) );
-  MP_CHECKOK( mp_init(&q)     );
-  /* values taken from table 4.4, HandBook of Applied Cryptography */
-  if (nBits >= 1300) {
-    num_tests = 2;
-  } else if (nBits >= 850) {
-    num_tests = 3;
-  } else if (nBits >= 650) {
-    num_tests = 4;
-  } else if (nBits >= 550) {
-    num_tests = 5;
-  } else if (nBits >= 450) {
-    num_tests = 6;
-  } else if (nBits >= 400) {
-    num_tests = 7;
-  } else if (nBits >= 350) {
-    num_tests = 8;
-  } else if (nBits >= 300) {
-    num_tests = 9;
-  } else if (nBits >= 250) {
-    num_tests = 12;
-  } else if (nBits >= 200) {
-    num_tests = 15;
-  } else if (nBits >= 150) {
-    num_tests = 18;
-  } else if (nBits >= 100) {
-    num_tests = 27;
-  } else
-    num_tests = 50;
-
-  if (strong) 
-    --nBits;
-  MP_CHECKOK( mpl_set_bit(start, nBits - 1, 1) );
-  MP_CHECKOK( mpl_set_bit(start,         0, 1) );
-  for (i = mpl_significant_bits(start) - 1; i >= nBits; --i) {
-    MP_CHECKOK( mpl_set_bit(start, i, 0) );
-  }
-  /* start sieveing with prime value of 3. */
-  MP_CHECKOK(mpp_sieve(start, prime_tab + 1, prime_tab_size - 1, 
-		       sieve, SIEVE_SIZE) );
-
-#ifdef DEBUG_SIEVE
-  res = 0;
-  for (i = 0; i < SIEVE_SIZE; ++i) {
-    if (!sieve[i])
-      ++res;
-  }
-  fprintf(stderr,"sieve found %d potential primes.\n", res);
-#define FPUTC(x,y) fputc(x,y)
-#else
-#define FPUTC(x,y) 
-#endif
-
-  res = MP_NO;
-  for(i = 0; i < SIEVE_SIZE; ++i) {
-    if (sieve[i])	/* this number is composite */
-      continue;
-    MP_CHECKOK( mp_add_d(start, 2 * i, &trial) );
-    FPUTC('.', stderr);
-    /* run a Fermat test */
-    res = mpp_fermat(&trial, 2);
-    if (res != MP_OKAY) {
-      if (res == MP_NO)
-	continue;	/* was composite */
-      goto CLEANUP;
-    }
-      
-    FPUTC('+', stderr);
-    /* If that passed, run some Miller-Rabin tests	*/
-    res = mpp_pprime(&trial, num_tests);
-    if (res != MP_OKAY) {
-      if (res == MP_NO)
-	continue;	/* was composite */
-      goto CLEANUP;
-    }
-    FPUTC('!', stderr);
-
-    if (!strong) 
-      break;	/* success !! */
-
-    /* At this point, we have strong evidence that our candidate
-       is itself prime.  If we want a strong prime, we need now
-       to test q = 2p + 1 for primality...
-     */
-    MP_CHECKOK( mp_mul_2(&trial, &q) );
-    MP_CHECKOK( mp_add_d(&q, 1, &q)  );
-
-    /* Test q for small prime divisors ... */
-    np = prime_tab_size;
-    res = mpp_divis_primes(&q, &np);
-    if (res == MP_YES) { /* is composite */
-      mp_clear(&q);
-      continue;
-    }
-    if (res != MP_NO) 
-      goto CLEANUP;
-
-    /* And test with Fermat, as with its parent ... */
-    res = mpp_fermat(&q, 2);
-    if (res != MP_YES) {
-      mp_clear(&q);
-      if (res == MP_NO)
-	continue;	/* was composite */
-      goto CLEANUP;
-    }
-
-    /* And test with Miller-Rabin, as with its parent ... */
-    res = mpp_pprime(&q, num_tests);
-    if (res != MP_YES) {
-      mp_clear(&q);
-      if (res == MP_NO)
-	continue;	/* was composite */
-      goto CLEANUP;
-    }
-
-    /* If it passed, we've got a winner */
-    mp_exch(&q, &trial);
-    mp_clear(&q);
-    break;
-
-  } /* end of loop through sieved values */
-  if (res == MP_YES) 
-    mp_exch(&trial, start);
-CLEANUP:
-  mp_clear(&trial);
-  mp_clear(&q);
-  if (nTries)
-    *nTries += i;
-#if defined(macintosh) || defined(XP_OS2) \
-    || (defined(HPUX) && defined(__ia64))
-  if (sieve != NULL) {
-  	memset(sieve, 0, SIEVE_SIZE);
-  	free (sieve);
-  }
-#endif    
-  return res;
-}
-
-/*========================================================================*/
-/*------------------------------------------------------------------------*/
-/* Static functions visible only to the library internally                */
-
-/* {{{ s_mpp_divp(a, vec, size, which) */
-
-/* 
-   Test for divisibility by members of a vector of digits.  Returns
-   MP_NO if a is not divisible by any of them; returns MP_YES and sets
-   'which' to the index of the offender, if it is.  Will stop on the
-   first digit against which a is divisible.
- */
-
-mp_err    s_mpp_divp(mp_int *a, const mp_digit *vec, int size, int *which)
-{
-  mp_err    res;
-  mp_digit  rem;
-
-  int     ix;
-
-  for(ix = 0; ix < size; ix++) {
-    if((res = mp_mod_d(a, vec[ix], &rem)) != MP_OKAY) 
-      return res;
-
-    if(rem == 0) {
-      if(which)
-	*which = ix;
-      return MP_YES;
-    }
-  }
-
-  return MP_NO;
-
-} /* end s_mpp_divp() */
-
-/* }}} */
-
-/*------------------------------------------------------------------------*/
-/* HERE THERE BE DRAGONS                                                  */
diff --git a/security/nss/lib/freebl/mpi/mpprime.h b/security/nss/lib/freebl/mpi/mpprime.h
deleted file mode 100644
index 486d4a1ad..000000000
--- a/security/nss/lib/freebl/mpi/mpprime.h
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- *  mpprime.h
- *
- *  Utilities for finding and working with prime and pseudo-prime
- *  integers
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1997
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef _H_MP_PRIME_
-#define _H_MP_PRIME_
-
-#include "mpi.h"
-
-extern const int prime_tab_size;   /* number of primes available */
-extern const mp_digit prime_tab[];
-
-/* Tests for divisibility    */
-mp_err  mpp_divis(mp_int *a, mp_int *b);
-mp_err  mpp_divis_d(mp_int *a, mp_digit d);
-
-/* Random selection          */
-mp_err  mpp_random(mp_int *a);
-mp_err  mpp_random_size(mp_int *a, mp_size prec);
-
-/* Pseudo-primality testing  */
-mp_err  mpp_divis_vector(mp_int *a, const mp_digit *vec, int size, int *which);
-mp_err  mpp_divis_primes(mp_int *a, mp_digit *np);
-mp_err  mpp_fermat(mp_int *a, mp_digit w);
-mp_err mpp_fermat_list(mp_int *a, const mp_digit *primes, mp_size nPrimes);
-mp_err  mpp_pprime(mp_int *a, int nt);
-mp_err mpp_sieve(mp_int *trial, const mp_digit *primes, mp_size nPrimes, 
-		 unsigned char *sieve, mp_size nSieve);
-mp_err mpp_make_prime(mp_int *start, mp_size nBits, mp_size strong,
-		      unsigned long * nTries);
-
-#endif /* end _H_MP_PRIME_ */
diff --git a/security/nss/lib/freebl/mpi/mpv_sparc.c b/security/nss/lib/freebl/mpi/mpv_sparc.c
deleted file mode 100644
index 96ddde7fb..000000000
--- a/security/nss/lib/freebl/mpi/mpv_sparc.c
+++ /dev/null
@@ -1,253 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is a SPARC/VIS optimized multiply and add function.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems Inc.
- * Portions created by the Initial Developer are Copyright (C) 1999-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "vis_proto.h"
-
-/***************************************************************/
-
-typedef  int                t_s32;
-typedef  unsigned int       t_u32;
-#if defined(__sparcv9)
-typedef  long               t_s64;
-typedef  unsigned long      t_u64;
-#else
-typedef  long long          t_s64;
-typedef  unsigned long long t_u64;
-#endif
-typedef  double             t_d64;
-
-/***************************************************************/
-
-typedef union {
-  t_d64 d64;
-  struct {
-    t_s32 i0;
-    t_s32 i1;
-  } i32s;
-} d64_2_i32;
-
-/***************************************************************/
-
-#define BUFF_SIZE  256
-
-#define A_BITS  19
-#define A_MASK  ((1 << A_BITS) - 1)
-
-/***************************************************************/
-
-static t_u64 mask_cnst[] = {
-  0x8000000080000000ull
-};
-
-/***************************************************************/
-
-#define DEF_VARS(N)                     \
-  t_d64 *py = (t_d64*)y;                \
-  t_d64 mask = *((t_d64*)mask_cnst);    \
-  t_d64 ca = (1u << 31) - 1;            \
-  t_d64 da = (t_d64)a;                  \
-  t_s64 buff[N], s;                     \
-  d64_2_i32 dy
-
-/***************************************************************/
-
-#define MUL_U32_S64_2(i)                                \
-  dy.d64 = vis_fxnor(mask, py[i]);                      \
-  buff[2*(i)  ] = (ca - (t_d64)dy.i32s.i0) * da;        \
-  buff[2*(i)+1] = (ca - (t_d64)dy.i32s.i1) * da
-
-#define MUL_U32_S64_2_D(i)              \
-  dy.d64 = vis_fxnor(mask, py[i]);      \
-  d0 = ca - (t_d64)dy.i32s.i0;          \
-  d1 = ca - (t_d64)dy.i32s.i1;          \
-  buff[4*(i)  ] = (t_s64)(d0 * da);     \
-  buff[4*(i)+1] = (t_s64)(d0 * db);     \
-  buff[4*(i)+2] = (t_s64)(d1 * da);     \
-  buff[4*(i)+3] = (t_s64)(d1 * db)
-
-/***************************************************************/
-
-#define ADD_S64_U32(i)          \
-  s = buff[i] + x[i] + c;       \
-  z[i] = s;                     \
-  c = (s >> 32)
-
-#define ADD_S64_U32_D(i)                        \
-  s = buff[2*(i)] +(((t_s64)(buff[2*(i)+1]))<<A_BITS) + x[i] + uc;   \
-  z[i] = s;                                     \
-  uc = ((t_u64)s >> 32)
-
-/***************************************************************/
-
-#define MUL_U32_S64_8(i)        \
-  MUL_U32_S64_2(i);             \
-  MUL_U32_S64_2(i+1);           \
-  MUL_U32_S64_2(i+2);           \
-  MUL_U32_S64_2(i+3)
-
-#define MUL_U32_S64_D_8(i)      \
-  MUL_U32_S64_2_D(i);           \
-  MUL_U32_S64_2_D(i+1);         \
-  MUL_U32_S64_2_D(i+2);         \
-  MUL_U32_S64_2_D(i+3)
-
-/***************************************************************/
-
-#define ADD_S64_U32_8(i)        \
-  ADD_S64_U32(i);               \
-  ADD_S64_U32(i+1);             \
-  ADD_S64_U32(i+2);             \
-  ADD_S64_U32(i+3);             \
-  ADD_S64_U32(i+4);             \
-  ADD_S64_U32(i+5);             \
-  ADD_S64_U32(i+6);             \
-  ADD_S64_U32(i+7)
-
-#define ADD_S64_U32_D_8(i)      \
-  ADD_S64_U32_D(i);             \
-  ADD_S64_U32_D(i+1);           \
-  ADD_S64_U32_D(i+2);           \
-  ADD_S64_U32_D(i+3);           \
-  ADD_S64_U32_D(i+4);           \
-  ADD_S64_U32_D(i+5);           \
-  ADD_S64_U32_D(i+6);           \
-  ADD_S64_U32_D(i+7)
-
-/***************************************************************/
-
-t_u32 mul_add(t_u32 *z, t_u32 *x, t_u32 *y, int n, t_u32 a)
-{
-  if (a < (1 << A_BITS)) {
-
-    if (n == 8) {
-      DEF_VARS(8);
-      t_s32 c = 0;
-
-      MUL_U32_S64_8(0);
-      ADD_S64_U32_8(0);
-
-      return c;
-
-    } else if (n == 16) {
-      DEF_VARS(16);
-      t_s32 c = 0;
-
-      MUL_U32_S64_8(0);
-      MUL_U32_S64_8(4);
-      ADD_S64_U32_8(0);
-      ADD_S64_U32_8(8);
-
-      return c;
-
-    } else {
-      DEF_VARS(BUFF_SIZE);
-      t_s32 i, c = 0;
-
-#pragma pipeloop(0)
-      for (i = 0; i < (n+1)/2; i ++) {
-        MUL_U32_S64_2(i);
-      }
-
-#pragma pipeloop(0)
-      for (i = 0; i < n; i ++) {
-        ADD_S64_U32(i);
-      }
-
-      return c;
-
-    }
-  } else {
-
-    if (n == 8) {
-      DEF_VARS(2*8);
-      t_d64 d0, d1, db;
-      t_u32 uc = 0;
-
-      da = (t_d64)(a &  A_MASK);
-      db = (t_d64)(a >> A_BITS);
-
-      MUL_U32_S64_D_8(0);
-      ADD_S64_U32_D_8(0);
-
-      return uc;
-
-    } else if (n == 16) {
-      DEF_VARS(2*16);
-      t_d64 d0, d1, db;
-      t_u32 uc = 0;
-
-      da = (t_d64)(a &  A_MASK);
-      db = (t_d64)(a >> A_BITS);
-
-      MUL_U32_S64_D_8(0);
-      MUL_U32_S64_D_8(4);
-      ADD_S64_U32_D_8(0);
-      ADD_S64_U32_D_8(8);
-
-      return uc;
-
-    } else {
-      DEF_VARS(2*BUFF_SIZE);
-      t_d64 d0, d1, db;
-      t_u32 i, uc = 0;
-
-      da = (t_d64)(a &  A_MASK);
-      db = (t_d64)(a >> A_BITS);
-
-#pragma pipeloop(0)
-      for (i = 0; i < (n+1)/2; i ++) {
-        MUL_U32_S64_2_D(i);
-      }
-
-#pragma pipeloop(0)
-      for (i = 0; i < n; i ++) {
-        ADD_S64_U32_D(i);
-      }
-
-      return uc;
-    }
-  }
-}
-
-/***************************************************************/
-
-t_u32 mul_add_inp(t_u32 *x, t_u32 *y, int n, t_u32 a)
-{
-  return mul_add(x, x, y, n, a);
-}
-
-/***************************************************************/
diff --git a/security/nss/lib/freebl/mpi/mpv_sparcv8.s b/security/nss/lib/freebl/mpi/mpv_sparcv8.s
deleted file mode 100644
index 8cfa4d0c4..000000000
--- a/security/nss/lib/freebl/mpi/mpv_sparcv8.s
+++ /dev/null
@@ -1,1639 +0,0 @@
-! Inner multiply loop functions for hybrid 32/64-bit Sparc v8plus CPUs.
-! ***** BEGIN LICENSE BLOCK *****
-! Version: MPL 1.1/GPL 2.0/LGPL 2.1
-! 
-! The contents of this file are subject to the Mozilla Public License Version 
-! 1.1 (the "License"); you may not use this file except in compliance with 
-! the License. You may obtain a copy of the License at 
-! http://www.mozilla.org/MPL/
-! 
-! Software distributed under the License is distributed on an "AS IS" basis,
-! WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-! for the specific language governing rights and limitations under the
-! License.
-!
-! The Original Code is a SPARC v8plus+VIS optimized multiply and add function
-! 
-! The Initial Developer of the Original Code is Sun Microsystems Inc.
-! Portions created by Sun Microsystems Inc. are 
-! Copyright (C) 2000-2005 Sun Microsystems Inc.  All Rights Reserved.
-! 
-! Contributor(s):
-! 
-! Alternatively, the contents of this file may be used under the terms of
-! either the GNU General Public License Version 2 or later (the "GPL"), or
-! the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-! in which case the provisions of the GPL or the LGPL are applicable instead
-! of those above. If you wish to allow use of your version of this file only
-! under the terms of either the GPL or the LGPL, and not to allow others to
-! use your version of this file under the terms of the MPL, indicate your
-! decision by deleting the provisions above and replace them with the notice
-! and other provisions required by the GPL or the LGPL. If you do not delete
-! the provisions above, a recipient may use your version of this file under
-! the terms of any one of the MPL, the GPL or the LGPL.
-! 
-! ***** END LICENSE BLOCK *****
-! $Id$
-
-	.section	".text",#alloc,#execinstr
-/* 000000	   3 ( 0  0) */		.file	"mpv_sparc.c"
-/* 000000	  14 ( 0  0) */		.align	8
-!
-! SUBROUTINE .L_const_seg_900000106
-!
-! OFFSET    SOURCE LINE	LABEL	INSTRUCTION	(ISSUE TIME)	(COMPLETION TIME)
-
-        .L_const_seg_900000106:		/* frequency 1.0 confidence 0.0 */
-/* 000000	  19 ( 0  0) */		.word	1127219200,0
-/* 0x0008	  20 ( 0  0) */		.word	1105199103,-4194304
-/* 0x0010	  21 ( 0  0) */		.align	16
-/* 0x0010	  27 ( 0  0) */		.global	mul_add
-
-!
-! ENTRY mul_add
-!
-
-        .global mul_add
-        mul_add:		/* frequency 1.0 confidence 0.0 */
-/* 0x0010	  29 ( 0  1) */		sethi	%hi(0x1800),%g1
-/* 0x0014	  30 ( 0  1) */		sethi	%hi(mask_cnst),%g2
-/* 0x0018	  31 ( 1  2) */		xor	%g1,-984,%g1
-/* 0x001c	  32 ( 1  2) */		add	%g2,%lo(mask_cnst),%g2
-/* 0x0020	  33 ( 2  4) */		save	%sp,%g1,%sp
-
-!
-! ENTRY .L900000154
-!
-
-        .L900000154:		/* frequency 1.0 confidence 0.0 */
-/* 0x0024	  35 ( 0  2) */		call	(.+0x8)	! params = 	! Result = 
-/* 0x0028	     ( 1  2) */		sethi	%hi((_GLOBAL_OFFSET_TABLE_-(.L900000154-.))),%g5
-/* 0x002c	 177 ( 2  3) */		sethi	%hi(.L_const_seg_900000106),%g3
-/* 0x0030	 178 ( 2  3) */		add	%g5,%lo((_GLOBAL_OFFSET_TABLE_-(.L900000154-.))),%g5
-/* 0x0034	 179 ( 3  4) */		or	%g0,%i4,%o1
-/* 0x0038	 180 ( 3  4) */		st	%o1,[%fp+84]
-/* 0x003c	 181 ( 3  4) */		add	%g5,%o7,%o3
-/* 0x0040	 182 ( 4  5) */		add	%g3,%lo(.L_const_seg_900000106),%g3
-/* 0x0044	 183 ( 4  6) */		ld	[%o3+%g2],%g2
-/* 0x0048	 184 ( 4  5) */		or	%g0,%i3,%o2
-/* 0x004c	 185 ( 5  6) */		sethi	%hi(0x80000),%g4
-/* 0x0050	 186 ( 5  7) */		ld	[%o3+%g3],%o0
-/* 0x0054	 187 ( 5  6) */		or	%g0,%i2,%g5
-/* 0x0058	 188 ( 6  7) */		or	%g0,%o2,%o3
-/* 0x005c	 189 ( 6 10) */		ldd	[%g2],%f0
-/* 0x0060	 190 ( 6  7) */		subcc	%o1,%g4,%g0
-/* 0x0064	 191 ( 6  7) */		bcc,pn	%icc,.L77000048	! tprob=0.50
-/* 0x0068	     ( 7  8) */		subcc	%o2,8,%g0
-/* 0x006c	 193 ( 7  8) */		bne,pn	%icc,.L77000037	! tprob=0.50
-/* 0x0070	     ( 8 12) */		ldd	[%o0],%f8
-/* 0x0074	 195 ( 9 13) */		ldd	[%g5],%f4
-/* 0x0078	 196 (10 14) */		ldd	[%g5+8],%f6
-/* 0x007c	 197 (11 15) */		ldd	[%g5+16],%f10
-/* 0x0080	 198 (11 14) */		fmovs	%f8,%f12
-/* 0x0084	 199 (12 16) */		fxnor	%f0,%f4,%f4
-/* 0x0088	 200 (12 14) */		ld	[%fp+84],%f13
-/* 0x008c	 201 (13 17) */		ldd	[%o0+8],%f14
-/* 0x0090	 202 (13 17) */		fxnor	%f0,%f6,%f6
-/* 0x0094	 203 (14 18) */		ldd	[%g5+24],%f16
-/* 0x0098	 204 (14 18) */		fxnor	%f0,%f10,%f10
-/* 0x009c	 208 (15 17) */		ld	[%i1],%g2
-/* 0x00a0	 209 (15 20) */		fsubd	%f12,%f8,%f8
-/* 0x00a4	 210 (16 21) */		fitod	%f4,%f18
-/* 0x00a8	 211 (16 18) */		ld	[%i1+4],%g3
-/* 0x00ac	 212 (17 22) */		fitod	%f5,%f4
-/* 0x00b0	 213 (17 19) */		ld	[%i1+8],%g4
-/* 0x00b4	 214 (18 23) */		fitod	%f6,%f20
-/* 0x00b8	 215 (18 20) */		ld	[%i1+12],%g5
-/* 0x00bc	 216 (19 21) */		ld	[%i1+16],%o0
-/* 0x00c0	 217 (19 24) */		fitod	%f7,%f6
-/* 0x00c4	 218 (20 22) */		ld	[%i1+20],%o1
-/* 0x00c8	 219 (20 24) */		fxnor	%f0,%f16,%f16
-/* 0x00cc	 220 (21 26) */		fsubd	%f14,%f18,%f12
-/* 0x00d0	 221 (21 23) */		ld	[%i1+24],%o2
-/* 0x00d4	 222 (22 27) */		fsubd	%f14,%f4,%f4
-/* 0x00d8	 223 (22 24) */		ld	[%i1+28],%o3
-/* 0x00dc	 224 (23 28) */		fitod	%f10,%f18
-/* 0x00e0	 225 (24 29) */		fsubd	%f14,%f20,%f20
-/* 0x00e4	 226 (25 30) */		fitod	%f11,%f10
-/* 0x00e8	 227 (26 31) */		fsubd	%f14,%f6,%f6
-/* 0x00ec	 228 (26 31) */		fmuld	%f12,%f8,%f12
-/* 0x00f0	 229 (27 32) */		fitod	%f16,%f22
-/* 0x00f4	 230 (27 32) */		fmuld	%f4,%f8,%f4
-/* 0x00f8	 231 (28 33) */		fsubd	%f14,%f18,%f18
-/* 0x00fc	 232 (29 34) */		fitod	%f17,%f16
-/* 0x0100	 233 (29 34) */		fmuld	%f20,%f8,%f20
-/* 0x0104	 234 (30 35) */		fsubd	%f14,%f10,%f10
-/* 0x0108	 235 (31 36) */		fdtox	%f12,%f12
-/* 0x010c	 236 (31 32) */		std	%f12,[%sp+152]
-/* 0x0110	 237 (31 36) */		fmuld	%f6,%f8,%f6
-/* 0x0114	 238 (32 37) */		fdtox	%f4,%f4
-/* 0x0118	 239 (32 33) */		std	%f4,[%sp+144]
-/* 0x011c	 240 (33 38) */		fsubd	%f14,%f22,%f4
-/* 0x0120	 241 (33 38) */		fmuld	%f18,%f8,%f12
-/* 0x0124	 242 (34 39) */		fdtox	%f20,%f18
-/* 0x0128	 243 (34 35) */		std	%f18,[%sp+136]
-/* 0x012c	 244 (35 37) */		ldx	[%sp+152],%o4
-/* 0x0130	 245 (35 40) */		fsubd	%f14,%f16,%f14
-/* 0x0134	 246 (35 40) */		fmuld	%f10,%f8,%f10
-/* 0x0138	 247 (36 41) */		fdtox	%f6,%f6
-/* 0x013c	 248 (36 37) */		std	%f6,[%sp+128]
-/* 0x0140	 249 (37 39) */		ldx	[%sp+144],%o5
-/* 0x0144	 250 (37 38) */		add	%o4,%g2,%o4
-/* 0x0148	 251 (38 39) */		st	%o4,[%i0]
-/* 0x014c	 252 (38 39) */		srax	%o4,32,%g2
-/* 0x0150	 253 (38 43) */		fdtox	%f12,%f6
-/* 0x0154	 254 (38 43) */		fmuld	%f4,%f8,%f4
-/* 0x0158	 255 (39 40) */		std	%f6,[%sp+120]
-/* 0x015c	 256 (39 40) */		add	%o5,%g3,%g3
-/* 0x0160	 257 (40 42) */		ldx	[%sp+136],%o7
-/* 0x0164	 258 (40 41) */		add	%g3,%g2,%g2
-/* 0x0168	 259 (40 45) */		fmuld	%f14,%f8,%f6
-/* 0x016c	 260 (40 45) */		fdtox	%f10,%f8
-/* 0x0170	 261 (41 42) */		std	%f8,[%sp+112]
-/* 0x0174	 262 (41 42) */		srax	%g2,32,%o5
-/* 0x0178	 263 (42 44) */		ldx	[%sp+128],%g3
-/* 0x017c	 264 (42 43) */		add	%o7,%g4,%g4
-/* 0x0180	 265 (43 44) */		st	%g2,[%i0+4]
-/* 0x0184	 266 (43 44) */		add	%g4,%o5,%g4
-/* 0x0188	 267 (43 48) */		fdtox	%f4,%f4
-/* 0x018c	 268 (44 46) */		ldx	[%sp+120],%o5
-/* 0x0190	 269 (44 45) */		add	%g3,%g5,%g3
-/* 0x0194	 270 (44 45) */		srax	%g4,32,%g5
-/* 0x0198	 271 (45 46) */		std	%f4,[%sp+104]
-/* 0x019c	 272 (45 46) */		add	%g3,%g5,%g3
-/* 0x01a0	 273 (45 50) */		fdtox	%f6,%f4
-/* 0x01a4	 274 (46 47) */		std	%f4,[%sp+96]
-/* 0x01a8	 275 (46 47) */		add	%o5,%o0,%o0
-/* 0x01ac	 276 (46 47) */		srax	%g3,32,%o5
-/* 0x01b0	 277 (47 49) */		ldx	[%sp+112],%g5
-/* 0x01b4	 278 (47 48) */		add	%o0,%o5,%o0
-/* 0x01b8	 279 (48 49) */		st	%g4,[%i0+8]
-/* 0x01bc	 280 (49 51) */		ldx	[%sp+104],%o5
-/* 0x01c0	 281 (49 50) */		add	%g5,%o1,%o1
-/* 0x01c4	 282 (49 50) */		srax	%o0,32,%g5
-/* 0x01c8	 283 (50 51) */		st	%o0,[%i0+16]
-/* 0x01cc	 284 (50 51) */		add	%o1,%g5,%o1
-/* 0x01d0	 285 (51 53) */		ldx	[%sp+96],%g5
-/* 0x01d4	 286 (51 52) */		add	%o5,%o2,%o2
-/* 0x01d8	 287 (51 52) */		srax	%o1,32,%o5
-/* 0x01dc	 288 (52 53) */		st	%o1,[%i0+20]
-/* 0x01e0	 289 (52 53) */		add	%o2,%o5,%o2
-/* 0x01e4	 290 (53 54) */		st	%o2,[%i0+24]
-/* 0x01e8	 291 (53 54) */		srax	%o2,32,%g4
-/* 0x01ec	 292 (53 54) */		add	%g5,%o3,%g2
-/* 0x01f0	 293 (54 55) */		st	%g3,[%i0+12]
-/* 0x01f4	 294 (54 55) */		add	%g2,%g4,%g2
-/* 0x01f8	 295 (55 56) */		st	%g2,[%i0+28]
-/* 0x01fc	 299 (55 56) */		srax	%g2,32,%o7
-/* 0x0200	 300 (56 57) */		or	%g0,%o7,%i0
-/* 0x0204	     (57 64) */		ret	! Result =  %o1 %o0 %f0 %f1
-/* 0x0208	     (59 61) */		restore	%g0,%g0,%g0
-
-!
-! ENTRY .L77000037
-!
-
-        .L77000037:		/* frequency 1.0 confidence 0.0 */
-/* 0x020c	 307 ( 0  1) */		subcc	%o2,16,%g0
-/* 0x0210	 308 ( 0  1) */		bne,pn	%icc,.L77000076	! tprob=0.50
-/* 0x0214	     ( 1  5) */		ldd	[%o0],%f8
-/* 0x0218	 310 ( 2  6) */		ldd	[%g5],%f4
-/* 0x021c	 311 ( 3  7) */		ldd	[%g5+8],%f6
-/* 0x0220	 317 ( 4  8) */		ldd	[%o0+8],%f14
-/* 0x0224	 318 ( 4  7) */		fmovs	%f8,%f12
-/* 0x0228	 319 ( 5  7) */		ld	[%fp+84],%f13
-/* 0x022c	 320 ( 5  9) */		fxnor	%f0,%f4,%f4
-/* 0x0230	 321 ( 6 10) */		ldd	[%g5+16],%f10
-/* 0x0234	 322 ( 6 10) */		fxnor	%f0,%f6,%f6
-/* 0x0238	 323 ( 7 11) */		ldd	[%g5+24],%f16
-/* 0x023c	 324 ( 8 12) */		ldd	[%g5+32],%f20
-/* 0x0240	 325 ( 8 13) */		fsubd	%f12,%f8,%f8
-/* 0x0244	 331 ( 9 11) */		ld	[%i1+40],%o7
-/* 0x0248	 332 ( 9 14) */		fitod	%f4,%f18
-/* 0x024c	 333 (10 14) */		ldd	[%g5+40],%f22
-/* 0x0250	 334 (10 15) */		fitod	%f5,%f4
-/* 0x0254	 335 (11 12) */		stx	%o7,[%sp+96]
-/* 0x0258	 336 (11 16) */		fitod	%f6,%f24
-/* 0x025c	 337 (12 14) */		ld	[%i1+44],%o7
-/* 0x0260	 338 (12 16) */		fxnor	%f0,%f10,%f10
-/* 0x0264	 339 (13 17) */		ldd	[%g5+48],%f26
-/* 0x0268	 340 (13 18) */		fitod	%f7,%f6
-/* 0x026c	 341 (14 15) */		stx	%o7,[%sp+104]
-/* 0x0270	 342 (14 19) */		fsubd	%f14,%f18,%f18
-/* 0x0274	 343 (15 17) */		ld	[%i1+48],%o7
-/* 0x0278	 344 (15 20) */		fsubd	%f14,%f4,%f4
-/* 0x027c	 345 (16 18) */		ld	[%i1+36],%o5
-/* 0x0280	 346 (16 21) */		fitod	%f10,%f28
-/* 0x0284	 347 (17 18) */		stx	%o7,[%sp+112]
-/* 0x0288	 348 (17 21) */		fxnor	%f0,%f16,%f16
-/* 0x028c	 349 (18 20) */		ld	[%i1],%g2
-/* 0x0290	 350 (18 23) */		fsubd	%f14,%f24,%f24
-/* 0x0294	 351 (19 20) */		stx	%o5,[%sp+120]
-/* 0x0298	 352 (19 24) */		fitod	%f11,%f10
-/* 0x029c	 353 (19 24) */		fmuld	%f18,%f8,%f18
-/* 0x02a0	 354 (20 22) */		ld	[%i1+52],%o5
-/* 0x02a4	 355 (20 25) */		fsubd	%f14,%f6,%f6
-/* 0x02a8	 356 (20 25) */		fmuld	%f4,%f8,%f4
-/* 0x02ac	 357 (21 26) */		fitod	%f16,%f30
-/* 0x02b0	 358 (22 26) */		fxnor	%f0,%f20,%f20
-/* 0x02b4	 359 (22 24) */		ld	[%i1+4],%g3
-/* 0x02b8	 360 (23 27) */		ldd	[%g5+56],%f2
-/* 0x02bc	 361 (23 28) */		fsubd	%f14,%f28,%f28
-/* 0x02c0	 362 (23 28) */		fmuld	%f24,%f8,%f24
-/* 0x02c4	 363 (24 25) */		stx	%o5,[%sp+128]
-/* 0x02c8	 364 (24 29) */		fdtox	%f18,%f18
-/* 0x02cc	 365 (25 26) */		std	%f18,[%sp+272]
-/* 0x02d0	 366 (25 30) */		fitod	%f17,%f16
-/* 0x02d4	 367 (25 30) */		fmuld	%f6,%f8,%f6
-/* 0x02d8	 368 (26 31) */		fsubd	%f14,%f10,%f10
-/* 0x02dc	 369 (27 32) */		fitod	%f20,%f18
-/* 0x02e0	 370 (28 33) */		fdtox	%f4,%f4
-/* 0x02e4	 371 (28 29) */		std	%f4,[%sp+264]
-/* 0x02e8	 372 (28 33) */		fmuld	%f28,%f8,%f28
-/* 0x02ec	 373 (29 31) */		ld	[%i1+8],%g4
-/* 0x02f0	 374 (29 34) */		fsubd	%f14,%f30,%f4
-/* 0x02f4	 375 (30 34) */		fxnor	%f0,%f22,%f22
-/* 0x02f8	 376 (30 32) */		ld	[%i1+12],%g5
-/* 0x02fc	 377 (31 33) */		ld	[%i1+16],%o0
-/* 0x0300	 378 (31 36) */		fitod	%f21,%f20
-/* 0x0304	 379 (31 36) */		fmuld	%f10,%f8,%f10
-/* 0x0308	 380 (32 34) */		ld	[%i1+20],%o1
-/* 0x030c	 381 (32 37) */		fdtox	%f24,%f24
-/* 0x0310	 382 (33 34) */		std	%f24,[%sp+256]
-/* 0x0314	 383 (33 38) */		fsubd	%f14,%f16,%f16
-/* 0x0318	 384 (34 36) */		ldx	[%sp+272],%o7
-/* 0x031c	 385 (34 39) */		fdtox	%f6,%f6
-/* 0x0320	 386 (34 39) */		fmuld	%f4,%f8,%f4
-/* 0x0324	 387 (35 36) */		std	%f6,[%sp+248]
-/* 0x0328	 388 (35 40) */		fitod	%f22,%f24
-/* 0x032c	 389 (36 38) */		ld	[%i1+32],%o4
-/* 0x0330	 390 (36 41) */		fsubd	%f14,%f18,%f6
-/* 0x0334	 391 (36 37) */		add	%o7,%g2,%g2
-/* 0x0338	 392 (37 39) */		ldx	[%sp+264],%o7
-/* 0x033c	 393 (37 41) */		fxnor	%f0,%f26,%f26
-/* 0x0340	 394 (37 38) */		srax	%g2,32,%o5
-/* 0x0344	 395 (38 39) */		st	%g2,[%i0]
-/* 0x0348	 396 (38 43) */		fitod	%f23,%f18
-/* 0x034c	 397 (38 43) */		fmuld	%f16,%f8,%f16
-/* 0x0350	 398 (39 41) */		ldx	[%sp+248],%g2
-/* 0x0354	 399 (39 44) */		fdtox	%f28,%f22
-/* 0x0358	 400 (39 40) */		add	%o7,%g3,%g3
-/* 0x035c	 401 (40 42) */		ldx	[%sp+256],%o7
-/* 0x0360	 402 (40 45) */		fsubd	%f14,%f20,%f20
-/* 0x0364	 403 (40 41) */		add	%g3,%o5,%g3
-/* 0x0368	 404 (41 42) */		std	%f22,[%sp+240]
-/* 0x036c	 405 (41 46) */		fitod	%f26,%f22
-/* 0x0370	 406 (41 42) */		srax	%g3,32,%o5
-/* 0x0374	 407 (41 42) */		add	%g2,%g5,%g2
-/* 0x0378	 408 (42 43) */		st	%g3,[%i0+4]
-/* 0x037c	 409 (42 47) */		fdtox	%f10,%f10
-/* 0x0380	 410 (42 43) */		add	%o7,%g4,%g4
-/* 0x0384	 411 (42 47) */		fmuld	%f6,%f8,%f6
-/* 0x0388	 412 (43 44) */		std	%f10,[%sp+232]
-/* 0x038c	 413 (43 47) */		fxnor	%f0,%f2,%f12
-/* 0x0390	 414 (43 44) */		add	%g4,%o5,%g4
-/* 0x0394	 415 (44 45) */		st	%g4,[%i0+8]
-/* 0x0398	 416 (44 45) */		srax	%g4,32,%o5
-/* 0x039c	 417 (44 49) */		fsubd	%f14,%f24,%f10
-/* 0x03a0	 418 (45 47) */		ldx	[%sp+240],%o7
-/* 0x03a4	 419 (45 50) */		fdtox	%f4,%f4
-/* 0x03a8	 420 (45 46) */		add	%g2,%o5,%g2
-/* 0x03ac	 421 (45 50) */		fmuld	%f20,%f8,%f20
-/* 0x03b0	 422 (46 47) */		std	%f4,[%sp+224]
-/* 0x03b4	 423 (46 47) */		srax	%g2,32,%g5
-/* 0x03b8	 424 (46 51) */		fsubd	%f14,%f18,%f4
-/* 0x03bc	 425 (47 48) */		st	%g2,[%i0+12]
-/* 0x03c0	 426 (47 52) */		fitod	%f27,%f24
-/* 0x03c4	 427 (47 48) */		add	%o7,%o0,%g3
-/* 0x03c8	 428 (48 50) */		ldx	[%sp+232],%o5
-/* 0x03cc	 429 (48 53) */		fdtox	%f16,%f16
-/* 0x03d0	 430 (48 49) */		add	%g3,%g5,%g2
-/* 0x03d4	 431 (49 50) */		std	%f16,[%sp+216]
-/* 0x03d8	 432 (49 50) */		srax	%g2,32,%g4
-/* 0x03dc	 433 (49 54) */		fitod	%f12,%f18
-/* 0x03e0	 434 (49 54) */		fmuld	%f10,%f8,%f10
-/* 0x03e4	 435 (50 51) */		st	%g2,[%i0+16]
-/* 0x03e8	 436 (50 55) */		fsubd	%f14,%f22,%f16
-/* 0x03ec	 437 (50 51) */		add	%o5,%o1,%g2
-/* 0x03f0	 438 (51 53) */		ld	[%i1+24],%o2
-/* 0x03f4	 439 (51 56) */		fitod	%f13,%f12
-/* 0x03f8	 440 (51 52) */		add	%g2,%g4,%g2
-/* 0x03fc	 441 (51 56) */		fmuld	%f4,%f8,%f22
-/* 0x0400	 442 (52 54) */		ldx	[%sp+224],%g3
-/* 0x0404	 443 (52 53) */		srax	%g2,32,%g4
-/* 0x0408	 444 (52 57) */		fdtox	%f6,%f6
-/* 0x040c	 445 (53 54) */		std	%f6,[%sp+208]
-/* 0x0410	 446 (53 58) */		fdtox	%f20,%f6
-/* 0x0414	 447 (54 55) */		stx	%o4,[%sp+136]
-/* 0x0418	 448 (54 59) */		fsubd	%f14,%f24,%f4
-/* 0x041c	 449 (55 56) */		std	%f6,[%sp+200]
-/* 0x0420	 450 (55 60) */		fsubd	%f14,%f18,%f6
-/* 0x0424	 451 (55 60) */		fmuld	%f16,%f8,%f16
-/* 0x0428	 452 (56 57) */		st	%g2,[%i0+20]
-/* 0x042c	 453 (56 57) */		add	%g3,%o2,%g2
-/* 0x0430	 454 (56 61) */		fdtox	%f10,%f10
-/* 0x0434	 455 (57 59) */		ld	[%i1+28],%o3
-/* 0x0438	 456 (57 58) */		add	%g2,%g4,%g2
-/* 0x043c	 457 (58 60) */		ldx	[%sp+216],%g5
-/* 0x0440	 458 (58 59) */		srax	%g2,32,%g4
-/* 0x0444	 459 (59 60) */		std	%f10,[%sp+192]
-/* 0x0448	 460 (59 64) */		fsubd	%f14,%f12,%f10
-/* 0x044c	 461 (59 64) */		fmuld	%f4,%f8,%f4
-/* 0x0450	 462 (60 61) */		st	%g2,[%i0+24]
-/* 0x0454	 463 (60 61) */		add	%g5,%o3,%g2
-/* 0x0458	 464 (60 65) */		fdtox	%f22,%f12
-/* 0x045c	 465 (60 65) */		fmuld	%f6,%f8,%f6
-/* 0x0460	 466 (61 63) */		ldx	[%sp+136],%o0
-/* 0x0464	 467 (61 62) */		add	%g2,%g4,%g2
-/* 0x0468	 468 (62 64) */		ldx	[%sp+208],%g3
-/* 0x046c	 469 (62 63) */		srax	%g2,32,%g4
-/* 0x0470	 470 (63 65) */		ldx	[%sp+120],%o1
-/* 0x0474	 471 (64 66) */		ldx	[%sp+200],%g5
-/* 0x0478	 472 (64 65) */		add	%g3,%o0,%g3
-/* 0x047c	 473 (64 69) */		fdtox	%f4,%f4
-/* 0x0480	 474 (64 69) */		fmuld	%f10,%f8,%f8
-/* 0x0484	 475 (65 66) */		std	%f12,[%sp+184]
-/* 0x0488	 476 (65 66) */		add	%g3,%g4,%g3
-/* 0x048c	 477 (65 70) */		fdtox	%f16,%f12
-/* 0x0490	 478 (66 67) */		std	%f12,[%sp+176]
-/* 0x0494	 479 (66 67) */		srax	%g3,32,%o0
-/* 0x0498	 480 (66 67) */		add	%g5,%o1,%g5
-/* 0x049c	 481 (67 69) */		ldx	[%sp+192],%o2
-/* 0x04a0	 482 (67 68) */		add	%g5,%o0,%g5
-/* 0x04a4	 483 (68 70) */		ldx	[%sp+96],%g4
-/* 0x04a8	 484 (68 69) */		srax	%g5,32,%o1
-/* 0x04ac	 485 (69 71) */		ld	[%i1+56],%o4
-/* 0x04b0	 486 (70 72) */		ldx	[%sp+104],%o0
-/* 0x04b4	 487 (70 71) */		add	%o2,%g4,%g4
-/* 0x04b8	 488 (71 72) */		std	%f4,[%sp+168]
-/* 0x04bc	 489 (71 72) */		add	%g4,%o1,%g4
-/* 0x04c0	 490 (71 76) */		fdtox	%f6,%f4
-/* 0x04c4	 491 (72 74) */		ldx	[%sp+184],%o3
-/* 0x04c8	 492 (72 73) */		srax	%g4,32,%o2
-/* 0x04cc	 493 (73 75) */		ldx	[%sp+112],%o1
-/* 0x04d0	 494 (74 75) */		std	%f4,[%sp+160]
-/* 0x04d4	 495 (74 75) */		add	%o3,%o0,%o0
-/* 0x04d8	 496 (74 79) */		fdtox	%f8,%f4
-/* 0x04dc	 497 (75 77) */		ldx	[%sp+176],%o5
-/* 0x04e0	 498 (75 76) */		add	%o0,%o2,%o0
-/* 0x04e4	 499 (76 77) */		stx	%o4,[%sp+144]
-/* 0x04e8	 500 (77 78) */		st	%g2,[%i0+28]
-/* 0x04ec	 501 (77 78) */		add	%o5,%o1,%g2
-/* 0x04f0	 502 (77 78) */		srax	%o0,32,%o1
-/* 0x04f4	 503 (78 79) */		std	%f4,[%sp+152]
-/* 0x04f8	 504 (78 79) */		add	%g2,%o1,%o1
-/* 0x04fc	 505 (79 81) */		ldx	[%sp+168],%o7
-/* 0x0500	 506 (79 80) */		srax	%o1,32,%o3
-/* 0x0504	 507 (80 82) */		ldx	[%sp+128],%o2
-/* 0x0508	 508 (81 83) */		ld	[%i1+60],%o4
-/* 0x050c	 509 (82 83) */		add	%o7,%o2,%o2
-/* 0x0510	 510 (83 84) */		add	%o2,%o3,%o2
-/* 0x0514	 511 (83 85) */		ldx	[%sp+144],%o5
-/* 0x0518	 512 (84 86) */		ldx	[%sp+160],%g2
-/* 0x051c	 513 (85 87) */		ldx	[%sp+152],%o3
-/* 0x0520	 514 (86 87) */		st	%g3,[%i0+32]
-/* 0x0524	 515 (86 87) */		add	%g2,%o5,%g2
-/* 0x0528	 516 (86 87) */		srax	%o2,32,%o5
-/* 0x052c	 517 (87 88) */		st	%g5,[%i0+36]
-/* 0x0530	 518 (87 88) */		add	%g2,%o5,%g2
-/* 0x0534	 519 (87 88) */		add	%o3,%o4,%g3
-/* 0x0538	 520 (88 89) */		st	%o0,[%i0+44]
-/* 0x053c	 521 (88 89) */		srax	%g2,32,%g5
-/* 0x0540	 522 (89 90) */		st	%o1,[%i0+48]
-/* 0x0544	 523 (89 90) */		add	%g3,%g5,%g3
-/* 0x0548	 524 (90 91) */		st	%o2,[%i0+52]
-/* 0x054c	 528 (90 91) */		srax	%g3,32,%o7
-/* 0x0550	 529 (91 92) */		st	%g4,[%i0+40]
-/* 0x0554	 530 (92 93) */		st	%g2,[%i0+56]
-/* 0x0558	 531 (93 94) */		st	%g3,[%i0+60]
-/* 0x055c	 532 (93 94) */		or	%g0,%o7,%i0
-/* 0x0560	     (94 101) */		ret	! Result =  %o1 %o0 %f0 %f1
-/* 0x0564	     (96 98) */		restore	%g0,%g0,%g0
-
-!
-! ENTRY .L77000076
-!
-
-        .L77000076:		/* frequency 1.0 confidence 0.0 */
-/* 0x0568	 540 ( 0  4) */		ldd	[%o0],%f6
-/* 0x056c	 546 ( 0  1) */		add	%o2,1,%g2
-/* 0x0570	 547 ( 0  3) */		fmovd	%f0,%f14
-/* 0x0574	 548 ( 0  1) */		or	%g0,0,%o7
-/* 0x0578	 549 ( 1  3) */		ld	[%fp+84],%f9
-/* 0x057c	 550 ( 1  2) */		srl	%g2,31,%g3
-/* 0x0580	 551 ( 1  2) */		add	%fp,-2264,%o5
-/* 0x0584	 552 ( 2  3) */		add	%g2,%g3,%g2
-/* 0x0588	 553 ( 2  6) */		ldd	[%o0+8],%f18
-/* 0x058c	 554 ( 2  3) */		add	%fp,-2256,%o4
-/* 0x0590	 555 ( 3  6) */		fmovs	%f6,%f8
-/* 0x0594	 556 ( 3  4) */		sra	%g2,1,%o1
-/* 0x0598	 557 ( 3  4) */		or	%g0,0,%g2
-/* 0x059c	 558 ( 4  5) */		subcc	%o1,0,%g0
-/* 0x05a0	 559 ( 4  5) */		sub	%o1,1,%o2
-/* 0x05a4	 563 ( 5  6) */		add	%g5,32,%o0
-/* 0x05a8	 564 ( 6 11) */		fsubd	%f8,%f6,%f16
-/* 0x05ac	 565 ( 6  7) */		ble,pt	%icc,.L900000161	! tprob=0.50
-/* 0x05b0	     ( 6  7) */		subcc	%o3,0,%g0
-/* 0x05b4	 567 ( 7  8) */		subcc	%o1,7,%g0
-/* 0x05b8	 568 ( 7  8) */		bl,pn	%icc,.L77000077	! tprob=0.50
-/* 0x05bc	     ( 7  8) */		sub	%o1,2,%o1
-/* 0x05c0	 570 ( 8 12) */		ldd	[%g5],%f2
-/* 0x05c4	 571 ( 9 13) */		ldd	[%g5+8],%f4
-/* 0x05c8	 572 ( 9 10) */		or	%g0,5,%g2
-/* 0x05cc	 573 (10 14) */		ldd	[%g5+16],%f0
-/* 0x05d0	 574 (11 15) */		fxnor	%f14,%f2,%f2
-/* 0x05d4	 575 (11 15) */		ldd	[%g5+24],%f12
-/* 0x05d8	 576 (12 16) */		fxnor	%f14,%f4,%f6
-/* 0x05dc	 577 (12 16) */		ldd	[%g5+32],%f10
-/* 0x05e0	 578 (13 17) */		fxnor	%f14,%f0,%f8
-/* 0x05e4	 579 (15 20) */		fitod	%f3,%f0
-/* 0x05e8	 580 (16 21) */		fitod	%f2,%f4
-/* 0x05ec	 581 (17 22) */		fitod	%f7,%f2
-/* 0x05f0	 582 (18 23) */		fitod	%f6,%f6
-/* 0x05f4	 583 (20 25) */		fsubd	%f18,%f0,%f0
-/* 0x05f8	 584 (21 26) */		fsubd	%f18,%f4,%f4
-
-!
-! ENTRY .L900000149
-!
-
-        .L900000149:		/* frequency 1.0 confidence 0.0 */
-/* 0x05fc	 586 ( 0  4) */		fxnor	%f14,%f12,%f22
-/* 0x0600	 587 ( 0  5) */		fmuld	%f4,%f16,%f4
-/* 0x0604	 588 ( 0  1) */		add	%g2,2,%g2
-/* 0x0608	 589 ( 0  1) */		add	%o4,32,%o4
-/* 0x060c	 590 ( 1  6) */		fitod	%f9,%f24
-/* 0x0610	 591 ( 1  6) */		fmuld	%f0,%f16,%f20
-/* 0x0614	 592 ( 1  2) */		add	%o0,8,%o0
-/* 0x0618	 593 ( 1  2) */		subcc	%g2,%o1,%g0
-/* 0x061c	 594 ( 2  6) */		ldd	[%o0],%f12
-/* 0x0620	 595 ( 2  7) */		fsubd	%f18,%f2,%f0
-/* 0x0624	 596 ( 2  3) */		add	%o5,32,%o5
-/* 0x0628	 597 ( 3  8) */		fsubd	%f18,%f6,%f2
-/* 0x062c	 598 ( 5 10) */		fdtox	%f4,%f4
-/* 0x0630	 599 ( 6 11) */		fdtox	%f20,%f6
-/* 0x0634	 600 ( 6  7) */		std	%f4,[%o5-32]
-/* 0x0638	 601 ( 7 12) */		fitod	%f8,%f4
-/* 0x063c	 602 ( 7  8) */		std	%f6,[%o4-32]
-/* 0x0640	 603 ( 8 12) */		fxnor	%f14,%f10,%f8
-/* 0x0644	 604 ( 8 13) */		fmuld	%f2,%f16,%f6
-/* 0x0648	 605 ( 9 14) */		fitod	%f23,%f2
-/* 0x064c	 606 ( 9 14) */		fmuld	%f0,%f16,%f20
-/* 0x0650	 607 ( 9 10) */		add	%o0,8,%o0
-/* 0x0654	 608 (10 14) */		ldd	[%o0],%f10
-/* 0x0658	 609 (10 15) */		fsubd	%f18,%f24,%f0
-/* 0x065c	 610 (12 17) */		fsubd	%f18,%f4,%f4
-/* 0x0660	 611 (13 18) */		fdtox	%f6,%f6
-/* 0x0664	 612 (14 19) */		fdtox	%f20,%f20
-/* 0x0668	 613 (14 15) */		std	%f6,[%o5-16]
-/* 0x066c	 614 (15 20) */		fitod	%f22,%f6
-/* 0x0670	 615 (15 16) */		ble,pt	%icc,.L900000149	! tprob=0.50
-/* 0x0674	     (15 16) */		std	%f20,[%o4-16]
-
-!
-! ENTRY .L900000152
-!
-
-        .L900000152:		/* frequency 1.0 confidence 0.0 */
-/* 0x0678	 618 ( 0  4) */		fxnor	%f14,%f12,%f12
-/* 0x067c	 619 ( 0  5) */		fmuld	%f0,%f16,%f22
-/* 0x0680	 620 ( 0  1) */		add	%o5,80,%o5
-/* 0x0684	 621 ( 0  1) */		add	%o4,80,%o4
-/* 0x0688	 622 ( 1  5) */		fxnor	%f14,%f10,%f0
-/* 0x068c	 623 ( 1  6) */		fmuld	%f4,%f16,%f24
-/* 0x0690	 624 ( 1  2) */		subcc	%g2,%o2,%g0
-/* 0x0694	 625 ( 1  2) */		add	%o0,8,%g5
-/* 0x0698	 626 ( 2  7) */		fitod	%f8,%f20
-/* 0x069c	 627 ( 3  8) */		fitod	%f9,%f8
-/* 0x06a0	 628 ( 4  9) */		fsubd	%f18,%f6,%f6
-/* 0x06a4	 629 ( 5 10) */		fitod	%f12,%f26
-/* 0x06a8	 630 ( 6 11) */		fitod	%f13,%f4
-/* 0x06ac	 631 ( 7 12) */		fsubd	%f18,%f2,%f12
-/* 0x06b0	 632 ( 8 13) */		fitod	%f0,%f2
-/* 0x06b4	 633 ( 9 14) */		fitod	%f1,%f0
-/* 0x06b8	 634 (10 15) */		fsubd	%f18,%f20,%f10
-/* 0x06bc	 635 (10 15) */		fmuld	%f6,%f16,%f20
-/* 0x06c0	 636 (11 16) */		fsubd	%f18,%f8,%f8
-/* 0x06c4	 637 (12 17) */		fsubd	%f18,%f26,%f6
-/* 0x06c8	 638 (12 17) */		fmuld	%f12,%f16,%f12
-/* 0x06cc	 639 (13 18) */		fsubd	%f18,%f4,%f4
-/* 0x06d0	 640 (14 19) */		fsubd	%f18,%f2,%f2
-/* 0x06d4	 641 (15 20) */		fsubd	%f18,%f0,%f0
-/* 0x06d8	 642 (15 20) */		fmuld	%f10,%f16,%f10
-/* 0x06dc	 643 (16 21) */		fdtox	%f24,%f24
-/* 0x06e0	 644 (16 17) */		std	%f24,[%o5-80]
-/* 0x06e4	 645 (16 21) */		fmuld	%f8,%f16,%f8
-/* 0x06e8	 646 (17 22) */		fdtox	%f22,%f22
-/* 0x06ec	 647 (17 18) */		std	%f22,[%o4-80]
-/* 0x06f0	 648 (17 22) */		fmuld	%f6,%f16,%f6
-/* 0x06f4	 649 (18 23) */		fdtox	%f20,%f20
-/* 0x06f8	 650 (18 19) */		std	%f20,[%o5-64]
-/* 0x06fc	 651 (18 23) */		fmuld	%f4,%f16,%f4
-/* 0x0700	 652 (19 24) */		fdtox	%f12,%f12
-/* 0x0704	 653 (19 20) */		std	%f12,[%o4-64]
-/* 0x0708	 654 (19 24) */		fmuld	%f2,%f16,%f2
-/* 0x070c	 655 (20 25) */		fdtox	%f10,%f10
-/* 0x0710	 656 (20 21) */		std	%f10,[%o5-48]
-/* 0x0714	 657 (20 25) */		fmuld	%f0,%f16,%f0
-/* 0x0718	 658 (21 26) */		fdtox	%f8,%f8
-/* 0x071c	 659 (21 22) */		std	%f8,[%o4-48]
-/* 0x0720	 660 (22 27) */		fdtox	%f6,%f6
-/* 0x0724	 661 (22 23) */		std	%f6,[%o5-32]
-/* 0x0728	 662 (23 28) */		fdtox	%f4,%f4
-/* 0x072c	 663 (23 24) */		std	%f4,[%o4-32]
-/* 0x0730	 664 (24 29) */		fdtox	%f2,%f2
-/* 0x0734	 665 (24 25) */		std	%f2,[%o5-16]
-/* 0x0738	 666 (25 30) */		fdtox	%f0,%f0
-/* 0x073c	 667 (25 26) */		bg,pn	%icc,.L77000043	! tprob=0.50
-/* 0x0740	     (25 26) */		std	%f0,[%o4-16]
-
-!
-! ENTRY .L77000077
-!
-
-        .L77000077:		/* frequency 1.0 confidence 0.0 */
-/* 0x0744	 670 ( 0  4) */		ldd	[%g5],%f0
-
-!
-! ENTRY .L900000160
-!
-
-        .L900000160:		/* frequency 1.0 confidence 0.0 */
-/* 0x0748	 672 ( 0  4) */		fxnor	%f14,%f0,%f0
-/* 0x074c	 673 ( 0  1) */		add	%g2,1,%g2
-/* 0x0750	 674 ( 0  1) */		add	%g5,8,%g5
-/* 0x0754	 675 ( 1  2) */		subcc	%g2,%o2,%g0
-/* 0x0758	 676 ( 4  9) */		fitod	%f0,%f2
-/* 0x075c	 677 ( 5 10) */		fitod	%f1,%f0
-/* 0x0760	 678 ( 9 14) */		fsubd	%f18,%f2,%f2
-/* 0x0764	 679 (10 15) */		fsubd	%f18,%f0,%f0
-/* 0x0768	 680 (14 19) */		fmuld	%f2,%f16,%f2
-/* 0x076c	 681 (15 20) */		fmuld	%f0,%f16,%f0
-/* 0x0770	 682 (19 24) */		fdtox	%f2,%f2
-/* 0x0774	 683 (19 20) */		std	%f2,[%o5]
-/* 0x0778	 684 (19 20) */		add	%o5,16,%o5
-/* 0x077c	 685 (20 25) */		fdtox	%f0,%f0
-/* 0x0780	 686 (20 21) */		std	%f0,[%o4]
-/* 0x0784	 687 (20 21) */		add	%o4,16,%o4
-/* 0x0788	 688 (20 21) */		ble,a,pt	%icc,.L900000160	! tprob=0.50
-/* 0x078c	     (23 27) */		ldd	[%g5],%f0
-
-!
-! ENTRY .L77000043
-!
-
-        .L77000043:		/* frequency 1.0 confidence 0.0 */
-/* 0x0790	 696 ( 0  1) */		subcc	%o3,0,%g0
-
-!
-! ENTRY .L900000161
-!
-
-        .L900000161:		/* frequency 1.0 confidence 0.0 */
-/* 0x0794	 698 ( 0  1) */		ble,a,pt	%icc,.L900000159	! tprob=0.50
-/* 0x0798	     ( 0  1) */		or	%g0,%o7,%i0
-/* 0x079c	 703 ( 0  2) */		ldx	[%fp-2256],%o2
-/* 0x07a0	 704 ( 0  1) */		or	%g0,%i1,%g3
-/* 0x07a4	 705 ( 1  2) */		sub	%o3,1,%o5
-/* 0x07a8	 706 ( 1  2) */		or	%g0,0,%g4
-/* 0x07ac	 707 ( 2  3) */		add	%fp,-2264,%g5
-/* 0x07b0	 708 ( 2  3) */		or	%g0,%i0,%g2
-/* 0x07b4	 709 ( 3  4) */		subcc	%o3,6,%g0
-/* 0x07b8	 710 ( 3  4) */		sub	%o5,2,%o4
-/* 0x07bc	 711 ( 3  4) */		bl,pn	%icc,.L77000078	! tprob=0.50
-/* 0x07c0	     ( 3  5) */		ldx	[%fp-2264],%o0
-/* 0x07c4	 713 ( 4  6) */		ld	[%g3],%o1
-/* 0x07c8	 714 ( 4  5) */		add	%g2,4,%g2
-/* 0x07cc	 715 ( 4  5) */		or	%g0,3,%g4
-/* 0x07d0	 716 ( 5  7) */		ld	[%g3+4],%o3
-/* 0x07d4	 717 ( 5  6) */		add	%g3,8,%g3
-/* 0x07d8	 718 ( 5  6) */		add	%fp,-2240,%g5
-/* 0x07dc	 719 ( 6  7) */		add	%o0,%o1,%o0
-/* 0x07e0	 720 ( 6  8) */		ldx	[%fp-2248],%o1
-/* 0x07e4	 721 ( 7  8) */		st	%o0,[%g2-4]
-/* 0x07e8	 722 ( 7  8) */		srax	%o0,32,%o0
-
-!
-! ENTRY .L900000145
-!
-
-        .L900000145:		/* frequency 1.0 confidence 0.0 */
-/* 0x07ec	 724 ( 0  2) */		ld	[%g3],%o7
-/* 0x07f0	 725 ( 0  1) */		add	%o2,%o3,%o2
-/* 0x07f4	 726 ( 0  1) */		sra	%o0,0,%o3
-/* 0x07f8	 727 ( 1  3) */		ldx	[%g5],%o0
-/* 0x07fc	 728 ( 1  2) */		add	%o2,%o3,%o2
-/* 0x0800	 729 ( 1  2) */		add	%g4,3,%g4
-/* 0x0804	 730 ( 2  3) */		st	%o2,[%g2]
-/* 0x0808	 731 ( 2  3) */		srax	%o2,32,%o3
-/* 0x080c	 732 ( 2  3) */		subcc	%g4,%o4,%g0
-/* 0x0810	 733 ( 3  5) */		ld	[%g3+4],%o2
-/* 0x0814	 734 ( 4  5) */		stx	%o2,[%sp+96]
-/* 0x0818	 735 ( 4  5) */		add	%o1,%o7,%o1
-/* 0x081c	 736 ( 5  7) */		ldx	[%g5+8],%o2
-/* 0x0820	 737 ( 5  6) */		add	%o1,%o3,%o1
-/* 0x0824	 738 ( 5  6) */		add	%g2,12,%g2
-/* 0x0828	 739 ( 6  7) */		st	%o1,[%g2-8]
-/* 0x082c	 740 ( 6  7) */		srax	%o1,32,%o7
-/* 0x0830	 741 ( 6  7) */		add	%g3,12,%g3
-/* 0x0834	 742 ( 7  9) */		ld	[%g3-4],%o3
-/* 0x0838	 743 ( 8 10) */		ldx	[%sp+96],%o1
-/* 0x083c	 744 (10 11) */		add	%o0,%o1,%o0
-/* 0x0840	 745 (10 12) */		ldx	[%g5+16],%o1
-/* 0x0844	 746 (11 12) */		add	%o0,%o7,%o0
-/* 0x0848	 747 (11 12) */		add	%g5,24,%g5
-/* 0x084c	 748 (11 12) */		st	%o0,[%g2-4]
-/* 0x0850	 749 (11 12) */		ble,pt	%icc,.L900000145	! tprob=0.50
-/* 0x0854	     (12 13) */		srax	%o0,32,%o0
-
-!
-! ENTRY .L900000148
-!
-
-        .L900000148:		/* frequency 1.0 confidence 0.0 */
-/* 0x0858	 752 ( 0  1) */		add	%o2,%o3,%o2
-/* 0x085c	 753 ( 0  1) */		sra	%o0,0,%o3
-/* 0x0860	 754 ( 0  2) */		ld	[%g3],%o0
-/* 0x0864	 755 ( 1  2) */		add	%o2,%o3,%o3
-/* 0x0868	 756 ( 1  2) */		add	%g2,8,%g2
-/* 0x086c	 757 ( 2  3) */		srax	%o3,32,%o2
-/* 0x0870	 758 ( 2  3) */		st	%o3,[%g2-8]
-/* 0x0874	 759 ( 2  3) */		add	%o1,%o0,%o0
-/* 0x0878	 760 ( 3  4) */		add	%o0,%o2,%o0
-/* 0x087c	 761 ( 3  4) */		st	%o0,[%g2-4]
-/* 0x0880	 762 ( 3  4) */		subcc	%g4,%o5,%g0
-/* 0x0884	 763 ( 3  4) */		bg,pn	%icc,.L77000061	! tprob=0.50
-/* 0x0888	     ( 4  5) */		srax	%o0,32,%o7
-/* 0x088c	 765 ( 4  5) */		add	%g3,4,%g3
-
-!
-! ENTRY .L77000078
-!
-
-        .L77000078:		/* frequency 1.0 confidence 0.0 */
-/* 0x0890	 767 ( 0  2) */		ld	[%g3],%o2
-
-!
-! ENTRY .L900000158
-!
-
-        .L900000158:		/* frequency 1.0 confidence 0.0 */
-/* 0x0894	 769 ( 0  2) */		ldx	[%g5],%o0
-/* 0x0898	 770 ( 0  1) */		sra	%o7,0,%o1
-/* 0x089c	 771 ( 0  1) */		add	%g4,1,%g4
-/* 0x08a0	 772 ( 1  2) */		add	%g3,4,%g3
-/* 0x08a4	 773 ( 1  2) */		add	%g5,8,%g5
-/* 0x08a8	 774 ( 2  3) */		add	%o0,%o2,%o0
-/* 0x08ac	 775 ( 2  3) */		subcc	%g4,%o5,%g0
-/* 0x08b0	 776 ( 3  4) */		add	%o0,%o1,%o0
-/* 0x08b4	 777 ( 3  4) */		st	%o0,[%g2]
-/* 0x08b8	 778 ( 3  4) */		add	%g2,4,%g2
-/* 0x08bc	 779 ( 4  5) */		srax	%o0,32,%o7
-/* 0x08c0	 780 ( 4  5) */		ble,a,pt	%icc,.L900000158	! tprob=0.50
-/* 0x08c4	     ( 4  6) */		ld	[%g3],%o2
-
-!
-! ENTRY .L77000047
-!
-
-        .L77000047:		/* frequency 1.0 confidence 0.0 */
-/* 0x08c8	 783 ( 0  1) */		or	%g0,%o7,%i0
-/* 0x08cc	     ( 1  8) */		ret	! Result =  %o1 %o0 %f0 %f1
-/* 0x08d0	     ( 3  5) */		restore	%g0,%g0,%g0
-
-!
-! ENTRY .L77000048
-!
-
-        .L77000048:		/* frequency 1.0 confidence 0.0 */
-/* 0x08d4	 794 ( 0  1) */		bne,pn	%icc,.L77000050	! tprob=0.50
-/* 0x08d8	     ( 0  1) */		sethi	%hi(0xfff80000),%g2
-/* 0x08dc	 796 ( 0  4) */		ldd	[%g5],%f4
-/* 0x08e0	 804 ( 0  1) */		srl	%o1,19,%g3
-/* 0x08e4	 805 ( 1  2) */		st	%g3,[%sp+240]
-/* 0x08e8	 806 ( 1  2) */		andn	%o1,%g2,%g2
-/* 0x08ec	 807 ( 2  6) */		ldd	[%o0],%f8
-/* 0x08f0	 808 ( 3  4) */		st	%g2,[%sp+244]
-/* 0x08f4	 809 ( 3  7) */		fxnor	%f0,%f4,%f4
-/* 0x08f8	 810 ( 4  8) */		ldd	[%g5+8],%f6
-/* 0x08fc	 814 ( 5  9) */		ldd	[%o0+8],%f18
-/* 0x0900	 815 ( 5  8) */		fmovs	%f8,%f12
-/* 0x0904	 816 ( 6 10) */		ldd	[%g5+16],%f10
-/* 0x0908	 817 ( 6  9) */		fmovs	%f8,%f16
-/* 0x090c	 818 ( 7 11) */		ldd	[%g5+24],%f20
-/* 0x0910	 819 ( 7 12) */		fitod	%f4,%f14
-/* 0x0914	 823 ( 8 10) */		ld	[%i1],%g2
-/* 0x0918	 824 ( 8 13) */		fitod	%f5,%f4
-/* 0x091c	 825 ( 9 11) */		ld	[%sp+240],%f13
-/* 0x0920	 826 ( 9 13) */		fxnor	%f0,%f6,%f6
-/* 0x0924	 827 (10 12) */		ld	[%sp+244],%f17
-/* 0x0928	 828 (10 14) */		fxnor	%f0,%f10,%f10
-/* 0x092c	 829 (11 13) */		ld	[%i1+28],%o3
-/* 0x0930	 830 (11 15) */		fxnor	%f0,%f20,%f20
-/* 0x0934	 831 (12 14) */		ld	[%i1+4],%g3
-/* 0x0938	 832 (12 17) */		fsubd	%f12,%f8,%f12
-/* 0x093c	 833 (13 14) */		stx	%o3,[%sp+96]
-/* 0x0940	 834 (13 18) */		fsubd	%f18,%f14,%f14
-/* 0x0944	 835 (14 16) */		ld	[%i1+8],%g4
-/* 0x0948	 836 (14 19) */		fsubd	%f16,%f8,%f8
-/* 0x094c	 837 (15 17) */		ld	[%i1+12],%g5
-/* 0x0950	 838 (15 20) */		fsubd	%f18,%f4,%f4
-/* 0x0954	 839 (16 18) */		ld	[%i1+16],%o0
-/* 0x0958	 840 (16 21) */		fitod	%f6,%f22
-/* 0x095c	 841 (17 19) */		ld	[%i1+20],%o1
-/* 0x0960	 842 (17 22) */		fitod	%f7,%f6
-/* 0x0964	 843 (18 20) */		ld	[%i1+24],%o2
-/* 0x0968	 844 (18 23) */		fitod	%f10,%f16
-/* 0x096c	 845 (18 23) */		fmuld	%f14,%f12,%f24
-/* 0x0970	 846 (19 24) */		fitod	%f20,%f28
-/* 0x0974	 847 (19 24) */		fmuld	%f14,%f8,%f14
-/* 0x0978	 848 (20 25) */		fitod	%f11,%f10
-/* 0x097c	 849 (20 25) */		fmuld	%f4,%f12,%f26
-/* 0x0980	 850 (21 26) */		fsubd	%f18,%f22,%f22
-/* 0x0984	 851 (21 26) */		fmuld	%f4,%f8,%f4
-/* 0x0988	 852 (22 27) */		fsubd	%f18,%f6,%f6
-/* 0x098c	 853 (23 28) */		fdtox	%f24,%f24
-/* 0x0990	 854 (23 24) */		std	%f24,[%sp+224]
-/* 0x0994	 855 (24 29) */		fdtox	%f14,%f14
-/* 0x0998	 856 (24 25) */		std	%f14,[%sp+232]
-/* 0x099c	 857 (25 30) */		fdtox	%f26,%f14
-/* 0x09a0	 858 (25 26) */		std	%f14,[%sp+208]
-/* 0x09a4	 859 (26 28) */		ldx	[%sp+224],%o4
-/* 0x09a8	 860 (26 31) */		fitod	%f21,%f20
-/* 0x09ac	 861 (26 31) */		fmuld	%f22,%f12,%f30
-/* 0x09b0	 862 (27 29) */		ldx	[%sp+232],%o5
-/* 0x09b4	 863 (27 32) */		fsubd	%f18,%f16,%f16
-/* 0x09b8	 864 (27 32) */		fmuld	%f22,%f8,%f22
-/* 0x09bc	 865 (28 29) */		sllx	%o4,19,%o4
-/* 0x09c0	 866 (28 33) */		fdtox	%f4,%f4
-/* 0x09c4	 867 (28 29) */		std	%f4,[%sp+216]
-/* 0x09c8	 868 (28 33) */		fmuld	%f6,%f12,%f24
-/* 0x09cc	 869 (29 34) */		fsubd	%f18,%f28,%f26
-/* 0x09d0	 870 (29 30) */		add	%o5,%o4,%o4
-/* 0x09d4	 871 (29 34) */		fmuld	%f6,%f8,%f6
-/* 0x09d8	 872 (30 35) */		fsubd	%f18,%f10,%f10
-/* 0x09dc	 873 (30 31) */		add	%o4,%g2,%g2
-/* 0x09e0	 874 (30 31) */		st	%g2,[%i0]
-/* 0x09e4	 875 (31 33) */		ldx	[%sp+208],%o7
-/* 0x09e8	 876 (31 32) */		srlx	%g2,32,%o5
-/* 0x09ec	 877 (31 36) */		fsubd	%f18,%f20,%f18
-/* 0x09f0	 878 (32 37) */		fdtox	%f30,%f28
-/* 0x09f4	 879 (32 33) */		std	%f28,[%sp+192]
-/* 0x09f8	 880 (32 37) */		fmuld	%f16,%f12,%f14
-/* 0x09fc	 881 (33 34) */		sllx	%o7,19,%o4
-/* 0x0a00	 882 (33 35) */		ldx	[%sp+216],%o7
-/* 0x0a04	 883 (33 38) */		fdtox	%f22,%f20
-/* 0x0a08	 884 (33 38) */		fmuld	%f16,%f8,%f16
-/* 0x0a0c	 885 (34 35) */		std	%f20,[%sp+200]
-/* 0x0a10	 886 (34 39) */		fdtox	%f24,%f20
-/* 0x0a14	 887 (34 39) */		fmuld	%f26,%f12,%f22
-/* 0x0a18	 888 (35 36) */		std	%f20,[%sp+176]
-/* 0x0a1c	 889 (35 36) */		add	%o7,%o4,%o4
-/* 0x0a20	 890 (35 40) */		fdtox	%f6,%f6
-/* 0x0a24	 891 (35 40) */		fmuld	%f10,%f12,%f4
-/* 0x0a28	 892 (36 38) */		ldx	[%sp+192],%o3
-/* 0x0a2c	 893 (36 37) */		add	%o4,%g3,%g3
-/* 0x0a30	 894 (36 41) */		fmuld	%f10,%f8,%f10
-/* 0x0a34	 895 (37 38) */		std	%f6,[%sp+184]
-/* 0x0a38	 896 (37 38) */		add	%g3,%o5,%g3
-/* 0x0a3c	 897 (37 42) */		fdtox	%f14,%f6
-/* 0x0a40	 898 (37 42) */		fmuld	%f26,%f8,%f20
-/* 0x0a44	 899 (38 40) */		ldx	[%sp+200],%o4
-/* 0x0a48	 900 (38 39) */		sllx	%o3,19,%o3
-/* 0x0a4c	 901 (38 39) */		srlx	%g3,32,%o5
-/* 0x0a50	 902 (38 43) */		fdtox	%f16,%f14
-/* 0x0a54	 903 (39 40) */		std	%f6,[%sp+160]
-/* 0x0a58	 904 (39 44) */		fmuld	%f18,%f12,%f12
-/* 0x0a5c	 905 (40 42) */		ldx	[%sp+176],%o7
-/* 0x0a60	 906 (40 41) */		add	%o4,%o3,%o3
-/* 0x0a64	 907 (40 45) */		fdtox	%f4,%f16
-/* 0x0a68	 908 (40 45) */		fmuld	%f18,%f8,%f18
-/* 0x0a6c	 909 (41 42) */		std	%f14,[%sp+168]
-/* 0x0a70	 910 (41 42) */		add	%o3,%g4,%g4
-/* 0x0a74	 911 (41 46) */		fdtox	%f10,%f4
-/* 0x0a78	 912 (42 44) */		ldx	[%sp+184],%o3
-/* 0x0a7c	 913 (42 43) */		sllx	%o7,19,%o4
-/* 0x0a80	 914 (42 43) */		add	%g4,%o5,%g4
-/* 0x0a84	 915 (42 47) */		fdtox	%f22,%f14
-/* 0x0a88	 916 (43 44) */		std	%f16,[%sp+144]
-/* 0x0a8c	 917 (43 44) */		srlx	%g4,32,%o5
-/* 0x0a90	 918 (43 48) */		fdtox	%f20,%f6
-/* 0x0a94	 919 (44 46) */		ldx	[%sp+160],%o7
-/* 0x0a98	 920 (44 45) */		add	%o3,%o4,%o3
-/* 0x0a9c	 921 (44 49) */		fdtox	%f12,%f16
-/* 0x0aa0	 922 (45 46) */		std	%f4,[%sp+152]
-/* 0x0aa4	 923 (45 46) */		add	%o3,%g5,%g5
-/* 0x0aa8	 924 (45 50) */		fdtox	%f18,%f8
-/* 0x0aac	 925 (46 48) */		ldx	[%sp+168],%o3
-/* 0x0ab0	 926 (46 47) */		sllx	%o7,19,%o4
-/* 0x0ab4	 927 (46 47) */		add	%g5,%o5,%g5
-/* 0x0ab8	 928 (47 48) */		std	%f14,[%sp+128]
-/* 0x0abc	 929 (47 48) */		srlx	%g5,32,%o5
-/* 0x0ac0	 930 (48 49) */		std	%f6,[%sp+136]
-/* 0x0ac4	 931 (48 49) */		add	%o3,%o4,%o3
-/* 0x0ac8	 932 (49 50) */		std	%f16,[%sp+112]
-/* 0x0acc	 933 (49 50) */		add	%o3,%o0,%o0
-/* 0x0ad0	 934 (50 52) */		ldx	[%sp+144],%o7
-/* 0x0ad4	 935 (50 51) */		add	%o0,%o5,%o0
-/* 0x0ad8	 936 (51 53) */		ldx	[%sp+152],%o3
-/* 0x0adc	 937 (52 53) */		std	%f8,[%sp+120]
-/* 0x0ae0	 938 (52 53) */		sllx	%o7,19,%o4
-/* 0x0ae4	 939 (52 53) */		srlx	%o0,32,%o7
-/* 0x0ae8	 940 (53 54) */		stx	%o0,[%sp+104]
-/* 0x0aec	 941 (53 54) */		add	%o3,%o4,%o3
-/* 0x0af0	 942 (54 56) */		ldx	[%sp+128],%o5
-/* 0x0af4	 943 (54 55) */		add	%o3,%o1,%o1
-/* 0x0af8	 944 (55 57) */		ldx	[%sp+136],%o0
-/* 0x0afc	 945 (55 56) */		add	%o1,%o7,%o1
-/* 0x0b00	 946 (56 57) */		st	%g3,[%i0+4]
-/* 0x0b04	 947 (56 57) */		sllx	%o5,19,%o3
-/* 0x0b08	 948 (57 59) */		ldx	[%sp+112],%o4
-/* 0x0b0c	 949 (57 58) */		add	%o0,%o3,%o3
-/* 0x0b10	 950 (58 60) */		ldx	[%sp+120],%o0
-/* 0x0b14	 951 (58 59) */		add	%o3,%o2,%o2
-/* 0x0b18	 952 (58 59) */		srlx	%o1,32,%o3
-/* 0x0b1c	 953 (59 60) */		st	%o1,[%i0+20]
-/* 0x0b20	 954 (59 60) */		sllx	%o4,19,%g2
-/* 0x0b24	 955 (59 60) */		add	%o2,%o3,%o2
-/* 0x0b28	 956 (60 62) */		ldx	[%sp+96],%o4
-/* 0x0b2c	 957 (60 61) */		srlx	%o2,32,%g3
-/* 0x0b30	 958 (60 61) */		add	%o0,%g2,%g2
-/* 0x0b34	 959 (61 63) */		ldx	[%sp+104],%o0
-/* 0x0b38	 960 (62 63) */		st	%o2,[%i0+24]
-/* 0x0b3c	 961 (62 63) */		add	%g2,%o4,%g2
-/* 0x0b40	 962 (63 64) */		st	%o0,[%i0+16]
-/* 0x0b44	 963 (63 64) */		add	%g2,%g3,%g2
-/* 0x0b48	 964 (64 65) */		st	%g4,[%i0+8]
-/* 0x0b4c	 968 (64 65) */		srlx	%g2,32,%o7
-/* 0x0b50	 969 (65 66) */		st	%g5,[%i0+12]
-/* 0x0b54	 970 (66 67) */		st	%g2,[%i0+28]
-/* 0x0b58	 971 (66 67) */		or	%g0,%o7,%i0
-/* 0x0b5c	     (67 74) */		ret	! Result =  %o1 %o0 %f0 %f1
-/* 0x0b60	     (69 71) */		restore	%g0,%g0,%g0
-
-!
-! ENTRY .L77000050
-!
-
-        .L77000050:		/* frequency 1.0 confidence 0.0 */
-/* 0x0b64	 978 ( 0  1) */		subcc	%o2,16,%g0
-/* 0x0b68	 979 ( 0  1) */		bne,pn	%icc,.L77000073	! tprob=0.50
-/* 0x0b6c	     ( 0  1) */		sethi	%hi(0xfff80000),%g2
-/* 0x0b70	 981 ( 1  5) */		ldd	[%g5],%f4
-/* 0x0b74	 982 ( 2  6) */		ldd	[%g5+8],%f6
-/* 0x0b78	 989 ( 2  3) */		andn	%o1,%g2,%g2
-/* 0x0b7c	 993 ( 2  3) */		srl	%o1,19,%g3
-/* 0x0b80	 994 ( 3  7) */		ldd	[%g5+16],%f8
-/* 0x0b84	 995 ( 4  8) */		fxnor	%f0,%f4,%f4
-/* 0x0b88	 996 ( 4  5) */		st	%g2,[%sp+356]
-/* 0x0b8c	 997 ( 5  9) */		ldd	[%o0],%f20
-/* 0x0b90	 998 ( 5  9) */		fxnor	%f0,%f6,%f6
-/* 0x0b94	 999 ( 6  7) */		st	%g3,[%sp+352]
-/* 0x0b98	1000 ( 6 10) */		fxnor	%f0,%f8,%f8
-/* 0x0b9c	1005 ( 7 11) */		ldd	[%o0+8],%f30
-/* 0x0ba0	1006 ( 8 13) */		fitod	%f4,%f22
-/* 0x0ba4	1007 ( 8 12) */		ldd	[%g5+24],%f10
-/* 0x0ba8	1008 ( 9 12) */		fmovs	%f20,%f24
-/* 0x0bac	1009 ( 9 13) */		ldd	[%g5+32],%f12
-/* 0x0bb0	1010 (10 15) */		fitod	%f5,%f4
-/* 0x0bb4	1011 (10 14) */		ldd	[%g5+40],%f14
-/* 0x0bb8	1012 (11 14) */		fmovs	%f20,%f26
-/* 0x0bbc	1013 (11 15) */		ldd	[%g5+48],%f16
-/* 0x0bc0	1014 (12 14) */		ld	[%sp+356],%f25
-/* 0x0bc4	1015 (12 17) */		fitod	%f6,%f28
-/* 0x0bc8	1016 (13 15) */		ld	[%sp+352],%f27
-/* 0x0bcc	1017 (13 18) */		fitod	%f8,%f32
-/* 0x0bd0	1018 (14 19) */		fsubd	%f30,%f22,%f22
-/* 0x0bd4	1019 (14 18) */		ldd	[%g5+56],%f18
-/* 0x0bd8	1020 (15 20) */		fsubd	%f24,%f20,%f24
-/* 0x0bdc	1021 (16 21) */		fsubd	%f26,%f20,%f20
-/* 0x0be0	1022 (17 22) */		fsubd	%f30,%f4,%f4
-/* 0x0be4	1023 (18 23) */		fsubd	%f30,%f28,%f26
-/* 0x0be8	1024 (19 24) */		fitod	%f7,%f6
-/* 0x0bec	1025 (20 25) */		fsubd	%f30,%f32,%f28
-/* 0x0bf0	1026 (20 25) */		fmuld	%f22,%f24,%f32
-/* 0x0bf4	1027 (21 26) */		fmuld	%f22,%f20,%f22
-/* 0x0bf8	1028 (21 25) */		fxnor	%f0,%f10,%f10
-/* 0x0bfc	1029 (22 27) */		fmuld	%f4,%f24,%f44
-/* 0x0c00	1030 (22 27) */		fitod	%f9,%f8
-/* 0x0c04	1031 (23 28) */		fmuld	%f4,%f20,%f4
-/* 0x0c08	1032 (23 27) */		fxnor	%f0,%f12,%f12
-/* 0x0c0c	1033 (24 29) */		fsubd	%f30,%f6,%f6
-/* 0x0c10	1034 (24 29) */		fmuld	%f26,%f24,%f46
-/* 0x0c14	1035 (25 30) */		fitod	%f10,%f34
-/* 0x0c18	1036 (26 31) */		fdtox	%f22,%f22
-/* 0x0c1c	1037 (26 27) */		std	%f22,[%sp+336]
-/* 0x0c20	1038 (27 32) */		fmuld	%f26,%f20,%f22
-/* 0x0c24	1039 (27 32) */		fdtox	%f44,%f26
-/* 0x0c28	1040 (27 28) */		std	%f26,[%sp+328]
-/* 0x0c2c	1041 (28 33) */		fdtox	%f4,%f4
-/* 0x0c30	1042 (28 29) */		std	%f4,[%sp+320]
-/* 0x0c34	1043 (29 34) */		fmuld	%f6,%f24,%f26
-/* 0x0c38	1044 (29 34) */		fsubd	%f30,%f8,%f8
-/* 0x0c3c	1045 (30 35) */		fdtox	%f46,%f4
-/* 0x0c40	1046 (30 31) */		std	%f4,[%sp+312]
-/* 0x0c44	1047 (31 36) */		fmuld	%f28,%f24,%f4
-/* 0x0c48	1048 (31 36) */		fdtox	%f32,%f32
-/* 0x0c4c	1049 (31 32) */		std	%f32,[%sp+344]
-/* 0x0c50	1050 (32 37) */		fitod	%f11,%f10
-/* 0x0c54	1051 (32 37) */		fmuld	%f6,%f20,%f32
-/* 0x0c58	1052 (33 38) */		fsubd	%f30,%f34,%f34
-/* 0x0c5c	1053 (34 39) */		fdtox	%f22,%f6
-/* 0x0c60	1054 (34 35) */		std	%f6,[%sp+304]
-/* 0x0c64	1058 (35 40) */		fitod	%f12,%f36
-/* 0x0c68	1059 (35 40) */		fmuld	%f28,%f20,%f6
-/* 0x0c6c	1060 (36 41) */		fdtox	%f26,%f22
-/* 0x0c70	1061 (36 37) */		std	%f22,[%sp+296]
-/* 0x0c74	1062 (37 42) */		fmuld	%f8,%f24,%f22
-/* 0x0c78	1063 (37 42) */		fdtox	%f4,%f4
-/* 0x0c7c	1064 (37 38) */		std	%f4,[%sp+280]
-/* 0x0c80	1065 (38 43) */		fmuld	%f8,%f20,%f8
-/* 0x0c84	1066 (38 43) */		fsubd	%f30,%f10,%f10
-/* 0x0c88	1067 (39 44) */		fmuld	%f34,%f24,%f4
-/* 0x0c8c	1068 (39 44) */		fitod	%f13,%f12
-/* 0x0c90	1069 (40 45) */		fsubd	%f30,%f36,%f36
-/* 0x0c94	1070 (41 46) */		fdtox	%f6,%f6
-/* 0x0c98	1071 (41 42) */		std	%f6,[%sp+272]
-/* 0x0c9c	1072 (42 46) */		fxnor	%f0,%f14,%f14
-/* 0x0ca0	1073 (42 47) */		fmuld	%f34,%f20,%f6
-/* 0x0ca4	1074 (43 48) */		fdtox	%f22,%f22
-/* 0x0ca8	1075 (43 44) */		std	%f22,[%sp+264]
-/* 0x0cac	1076 (44 49) */		fdtox	%f8,%f8
-/* 0x0cb0	1077 (44 45) */		std	%f8,[%sp+256]
-/* 0x0cb4	1078 (44 49) */		fmuld	%f10,%f24,%f22
-/* 0x0cb8	1079 (45 50) */		fdtox	%f4,%f4
-/* 0x0cbc	1080 (45 46) */		std	%f4,[%sp+248]
-/* 0x0cc0	1081 (45 50) */		fmuld	%f10,%f20,%f8
-/* 0x0cc4	1082 (46 51) */		fsubd	%f30,%f12,%f4
-/* 0x0cc8	1083 (46 51) */		fmuld	%f36,%f24,%f10
-/* 0x0ccc	1084 (47 52) */		fitod	%f14,%f38
-/* 0x0cd0	1085 (48 53) */		fdtox	%f6,%f6
-/* 0x0cd4	1086 (48 49) */		std	%f6,[%sp+240]
-/* 0x0cd8	1087 (49 54) */		fdtox	%f22,%f12
-/* 0x0cdc	1088 (49 50) */		std	%f12,[%sp+232]
-/* 0x0ce0	1089 (49 54) */		fmuld	%f36,%f20,%f6
-/* 0x0ce4	1090 (50 55) */		fdtox	%f8,%f8
-/* 0x0ce8	1091 (50 51) */		std	%f8,[%sp+224]
-/* 0x0cec	1092 (51 56) */		fdtox	%f10,%f22
-/* 0x0cf0	1093 (51 52) */		std	%f22,[%sp+216]
-/* 0x0cf4	1094 (51 56) */		fmuld	%f4,%f24,%f8
-/* 0x0cf8	1095 (52 57) */		fitod	%f15,%f14
-/* 0x0cfc	1096 (52 57) */		fmuld	%f4,%f20,%f4
-/* 0x0d00	1097 (53 58) */		fsubd	%f30,%f38,%f22
-/* 0x0d04	1098 (54 58) */		fxnor	%f0,%f16,%f16
-/* 0x0d08	1099 (55 60) */		fdtox	%f6,%f6
-/* 0x0d0c	1100 (55 56) */		std	%f6,[%sp+208]
-/* 0x0d10	1101 (56 61) */		fdtox	%f8,%f6
-/* 0x0d14	1102 (56 57) */		std	%f6,[%sp+200]
-/* 0x0d18	1103 (57 62) */		fsubd	%f30,%f14,%f10
-/* 0x0d1c	1104 (58 63) */		fitod	%f16,%f40
-/* 0x0d20	1105 (58 63) */		fmuld	%f22,%f24,%f6
-/* 0x0d24	1106 (59 64) */		fdtox	%f4,%f4
-/* 0x0d28	1107 (59 60) */		std	%f4,[%sp+192]
-/* 0x0d2c	1108 (60 65) */		fitod	%f17,%f16
-/* 0x0d30	1109 (60 65) */		fmuld	%f22,%f20,%f4
-/* 0x0d34	1110 (61 65) */		fxnor	%f0,%f18,%f18
-/* 0x0d38	1111 (62 67) */		fdtox	%f32,%f32
-/* 0x0d3c	1112 (62 63) */		std	%f32,[%sp+288]
-/* 0x0d40	1113 (62 67) */		fmuld	%f10,%f24,%f8
-/* 0x0d44	1114 (63 68) */		fdtox	%f6,%f6
-/* 0x0d48	1115 (63 64) */		std	%f6,[%sp+184]
-/* 0x0d4c	1116 (63 68) */		fmuld	%f10,%f20,%f22
-/* 0x0d50	1117 (64 69) */		fsubd	%f30,%f40,%f6
-/* 0x0d54	1118 (65 70) */		fdtox	%f4,%f4
-/* 0x0d58	1119 (65 66) */		std	%f4,[%sp+176]
-/* 0x0d5c	1120 (66 71) */		fsubd	%f30,%f16,%f10
-/* 0x0d60	1121 (67 72) */		fdtox	%f8,%f4
-/* 0x0d64	1122 (67 68) */		std	%f4,[%sp+168]
-/* 0x0d68	1123 (68 73) */		fdtox	%f22,%f4
-/* 0x0d6c	1124 (68 69) */		std	%f4,[%sp+160]
-/* 0x0d70	1125 (69 74) */		fitod	%f18,%f42
-/* 0x0d74	1126 (69 74) */		fmuld	%f6,%f24,%f4
-/* 0x0d78	1127 (70 75) */		fmuld	%f6,%f20,%f22
-/* 0x0d7c	1128 (71 76) */		fmuld	%f10,%f24,%f6
-/* 0x0d80	1129 (72 77) */		fmuld	%f10,%f20,%f8
-/* 0x0d84	1130 (74 79) */		fdtox	%f4,%f4
-/* 0x0d88	1131 (74 75) */		std	%f4,[%sp+152]
-/* 0x0d8c	1132 (75 80) */		fsubd	%f30,%f42,%f4
-/* 0x0d90	1133 (76 81) */		fdtox	%f6,%f6
-/* 0x0d94	1134 (76 77) */		std	%f6,[%sp+136]
-/* 0x0d98	1135 (77 82) */		fdtox	%f22,%f22
-/* 0x0d9c	1136 (77 78) */		std	%f22,[%sp+144]
-/* 0x0da0	1137 (78 83) */		fdtox	%f8,%f22
-/* 0x0da4	1138 (78 79) */		std	%f22,[%sp+128]
-/* 0x0da8	1139 (79 84) */		fitod	%f19,%f22
-/* 0x0dac	1140 (80 85) */		fmuld	%f4,%f24,%f6
-/* 0x0db0	1141 (81 86) */		fmuld	%f4,%f20,%f4
-/* 0x0db4	1142 (84 89) */		fsubd	%f30,%f22,%f22
-/* 0x0db8	1143 (85 90) */		fdtox	%f6,%f6
-/* 0x0dbc	1144 (85 86) */		std	%f6,[%sp+120]
-/* 0x0dc0	1145 (86 91) */		fdtox	%f4,%f4
-/* 0x0dc4	1146 (86 87) */		std	%f4,[%sp+112]
-/* 0x0dc8	1150 (87 89) */		ldx	[%sp+336],%g2
-/* 0x0dcc	1151 (88 90) */		ldx	[%sp+344],%g3
-/* 0x0dd0	1152 (89 91) */		ld	[%i1],%g4
-/* 0x0dd4	1153 (89 90) */		sllx	%g2,19,%g2
-/* 0x0dd8	1154 (89 94) */		fmuld	%f22,%f20,%f4
-/* 0x0ddc	1155 (90 92) */		ldx	[%sp+328],%g5
-/* 0x0de0	1156 (90 91) */		add	%g3,%g2,%g2
-/* 0x0de4	1157 (90 95) */		fmuld	%f22,%f24,%f6
-/* 0x0de8	1158 (91 93) */		ldx	[%sp+320],%g3
-/* 0x0dec	1159 (91 92) */		add	%g2,%g4,%g4
-/* 0x0df0	1160 (92 94) */		ldx	[%sp+304],%o0
-/* 0x0df4	1161 (93 94) */		st	%g4,[%i0]
-/* 0x0df8	1162 (93 94) */		sllx	%g3,19,%g2
-/* 0x0dfc	1163 (93 94) */		srlx	%g4,32,%g4
-/* 0x0e00	1164 (94 96) */		ld	[%i1+4],%g3
-/* 0x0e04	1165 (94 95) */		add	%g5,%g2,%g2
-/* 0x0e08	1166 (94 99) */		fdtox	%f4,%f4
-/* 0x0e0c	1167 (95 97) */		ldx	[%sp+312],%g5
-/* 0x0e10	1168 (95 100) */		fdtox	%f6,%f6
-/* 0x0e14	1169 (96 98) */		ldx	[%sp+288],%o1
-/* 0x0e18	1170 (96 97) */		add	%g2,%g3,%g2
-/* 0x0e1c	1171 (96 97) */		sllx	%o0,19,%g3
-/* 0x0e20	1172 (97 99) */		ldx	[%sp+272],%o2
-/* 0x0e24	1173 (97 98) */		add	%g2,%g4,%g2
-/* 0x0e28	1174 (97 98) */		add	%g5,%g3,%g3
-/* 0x0e2c	1175 (98 100) */		ld	[%i1+8],%g4
-/* 0x0e30	1176 (98 99) */		srlx	%g2,32,%o0
-/* 0x0e34	1177 (99 101) */		ldx	[%sp+296],%g5
-/* 0x0e38	1178 (100 101) */		st	%g2,[%i0+4]
-/* 0x0e3c	1179 (100 101) */		sllx	%o2,19,%g2
-/* 0x0e40	1180 (100 101) */		add	%g3,%g4,%g3
-/* 0x0e44	1181 (101 103) */		ldx	[%sp+256],%o2
-/* 0x0e48	1182 (101 102) */		sllx	%o1,19,%g4
-/* 0x0e4c	1183 (101 102) */		add	%g3,%o0,%g3
-/* 0x0e50	1184 (102 104) */		ld	[%i1+12],%o0
-/* 0x0e54	1185 (102 103) */		srlx	%g3,32,%o1
-/* 0x0e58	1186 (102 103) */		add	%g5,%g4,%g4
-/* 0x0e5c	1187 (103 105) */		ldx	[%sp+280],%g5
-/* 0x0e60	1188 (104 105) */		st	%g3,[%i0+8]
-/* 0x0e64	1189 (104 105) */		sllx	%o2,19,%g3
-/* 0x0e68	1190 (104 105) */		add	%g4,%o0,%g4
-/* 0x0e6c	1191 (105 107) */		ld	[%i1+16],%o0
-/* 0x0e70	1192 (105 106) */		add	%g5,%g2,%g2
-/* 0x0e74	1193 (105 106) */		add	%g4,%o1,%g4
-/* 0x0e78	1194 (106 108) */		ldx	[%sp+264],%g5
-/* 0x0e7c	1195 (106 107) */		srlx	%g4,32,%o1
-/* 0x0e80	1196 (107 109) */		ldx	[%sp+240],%o2
-/* 0x0e84	1197 (107 108) */		add	%g2,%o0,%g2
-/* 0x0e88	1198 (108 110) */		ld	[%i1+20],%o0
-/* 0x0e8c	1199 (108 109) */		add	%g5,%g3,%g3
-/* 0x0e90	1200 (108 109) */		add	%g2,%o1,%g2
-/* 0x0e94	1201 (109 111) */		ldx	[%sp+248],%g5
-/* 0x0e98	1202 (109 110) */		srlx	%g2,32,%o1
-/* 0x0e9c	1203 (110 111) */		st	%g4,[%i0+12]
-/* 0x0ea0	1204 (110 111) */		sllx	%o2,19,%g4
-/* 0x0ea4	1205 (110 111) */		add	%g3,%o0,%g3
-/* 0x0ea8	1206 (111 113) */		ld	[%i1+24],%o0
-/* 0x0eac	1207 (111 112) */		add	%g5,%g4,%g4
-/* 0x0eb0	1208 (111 112) */		add	%g3,%o1,%g3
-/* 0x0eb4	1209 (112 114) */		ldx	[%sp+224],%o2
-/* 0x0eb8	1210 (112 113) */		srlx	%g3,32,%o1
-/* 0x0ebc	1211 (113 115) */		ldx	[%sp+232],%g5
-/* 0x0ec0	1212 (113 114) */		add	%g4,%o0,%g4
-/* 0x0ec4	1213 (114 115) */		st	%g2,[%i0+16]
-/* 0x0ec8	1214 (114 115) */		sllx	%o2,19,%g2
-/* 0x0ecc	1215 (114 115) */		add	%g4,%o1,%g4
-/* 0x0ed0	1216 (115 117) */		ld	[%i1+28],%o0
-/* 0x0ed4	1217 (115 116) */		srlx	%g4,32,%o1
-/* 0x0ed8	1218 (115 116) */		add	%g5,%g2,%g2
-/* 0x0edc	1222 (116 118) */		ldx	[%sp+208],%o2
-/* 0x0ee0	1223 (117 119) */		ldx	[%sp+216],%g5
-/* 0x0ee4	1224 (117 118) */		add	%g2,%o0,%g2
-/* 0x0ee8	1225 (118 119) */		st	%g3,[%i0+20]
-/* 0x0eec	1226 (118 119) */		sllx	%o2,19,%g3
-/* 0x0ef0	1227 (118 119) */		add	%g2,%o1,%g2
-/* 0x0ef4	1228 (119 121) */		ld	[%i1+32],%o0
-/* 0x0ef8	1229 (119 120) */		srlx	%g2,32,%o1
-/* 0x0efc	1230 (119 120) */		add	%g5,%g3,%g3
-/* 0x0f00	1231 (120 122) */		ldx	[%sp+192],%o2
-/* 0x0f04	1232 (121 123) */		ldx	[%sp+200],%g5
-/* 0x0f08	1233 (121 122) */		add	%g3,%o0,%g3
-/* 0x0f0c	1234 (122 123) */		st	%g4,[%i0+24]
-/* 0x0f10	1235 (122 123) */		sllx	%o2,19,%g4
-/* 0x0f14	1236 (122 123) */		add	%g3,%o1,%g3
-/* 0x0f18	1237 (123 125) */		ld	[%i1+36],%o0
-/* 0x0f1c	1238 (123 124) */		srlx	%g3,32,%o1
-/* 0x0f20	1239 (123 124) */		add	%g5,%g4,%g4
-/* 0x0f24	1240 (124 126) */		ldx	[%sp+176],%o2
-/* 0x0f28	1241 (125 127) */		ldx	[%sp+184],%g5
-/* 0x0f2c	1242 (125 126) */		add	%g4,%o0,%g4
-/* 0x0f30	1243 (126 127) */		st	%g2,[%i0+28]
-/* 0x0f34	1244 (126 127) */		sllx	%o2,19,%g2
-/* 0x0f38	1245 (126 127) */		add	%g4,%o1,%g4
-/* 0x0f3c	1246 (127 129) */		ld	[%i1+40],%o0
-/* 0x0f40	1247 (127 128) */		srlx	%g4,32,%o1
-/* 0x0f44	1248 (127 128) */		add	%g5,%g2,%g2
-/* 0x0f48	1249 (128 130) */		ldx	[%sp+160],%o2
-/* 0x0f4c	1250 (129 131) */		ldx	[%sp+168],%g5
-/* 0x0f50	1251 (129 130) */		add	%g2,%o0,%g2
-/* 0x0f54	1252 (130 131) */		st	%g3,[%i0+32]
-/* 0x0f58	1253 (130 131) */		sllx	%o2,19,%g3
-/* 0x0f5c	1254 (130 131) */		add	%g2,%o1,%g2
-/* 0x0f60	1255 (131 133) */		ld	[%i1+44],%o0
-/* 0x0f64	1256 (131 132) */		srlx	%g2,32,%o1
-/* 0x0f68	1257 (131 132) */		add	%g5,%g3,%g3
-/* 0x0f6c	1258 (132 134) */		ldx	[%sp+144],%o2
-/* 0x0f70	1259 (133 135) */		ldx	[%sp+152],%g5
-/* 0x0f74	1260 (133 134) */		add	%g3,%o0,%g3
-/* 0x0f78	1261 (134 135) */		st	%g4,[%i0+36]
-/* 0x0f7c	1262 (134 135) */		sllx	%o2,19,%g4
-/* 0x0f80	1263 (134 135) */		add	%g3,%o1,%g3
-/* 0x0f84	1264 (135 137) */		ld	[%i1+48],%o0
-/* 0x0f88	1265 (135 136) */		srlx	%g3,32,%o1
-/* 0x0f8c	1266 (135 136) */		add	%g5,%g4,%g4
-/* 0x0f90	1267 (136 138) */		ldx	[%sp+128],%o2
-/* 0x0f94	1268 (137 139) */		ldx	[%sp+136],%g5
-/* 0x0f98	1269 (137 138) */		add	%g4,%o0,%g4
-/* 0x0f9c	1270 (138 139) */		std	%f4,[%sp+96]
-/* 0x0fa0	1271 (138 139) */		add	%g4,%o1,%g4
-/* 0x0fa4	1272 (139 140) */		st	%g2,[%i0+40]
-/* 0x0fa8	1273 (139 140) */		sllx	%o2,19,%g2
-/* 0x0fac	1274 (139 140) */		srlx	%g4,32,%o1
-/* 0x0fb0	1275 (140 142) */		ld	[%i1+52],%o0
-/* 0x0fb4	1276 (140 141) */		add	%g5,%g2,%g2
-/* 0x0fb8	1277 (141 142) */		std	%f6,[%sp+104]
-/* 0x0fbc	1278 (142 144) */		ldx	[%sp+120],%g5
-/* 0x0fc0	1279 (142 143) */		add	%g2,%o0,%g2
-/* 0x0fc4	1280 (143 144) */		st	%g3,[%i0+44]
-/* 0x0fc8	1281 (143 144) */		add	%g2,%o1,%g2
-/* 0x0fcc	1282 (144 146) */		ldx	[%sp+112],%o2
-/* 0x0fd0	1283 (144 145) */		srlx	%g2,32,%o1
-/* 0x0fd4	1284 (145 147) */		ld	[%i1+56],%o0
-/* 0x0fd8	1285 (146 147) */		st	%g4,[%i0+48]
-/* 0x0fdc	1286 (146 147) */		sllx	%o2,19,%g3
-/* 0x0fe0	1287 (147 149) */		ldx	[%sp+96],%o2
-/* 0x0fe4	1288 (147 148) */		add	%g5,%g3,%g3
-/* 0x0fe8	1289 (148 150) */		ldx	[%sp+104],%g5
-/* 0x0fec	1290 (148 149) */		add	%g3,%o0,%g3
-/* 0x0ff0	1291 (149 151) */		ld	[%i1+60],%o0
-/* 0x0ff4	1292 (149 150) */		sllx	%o2,19,%g4
-/* 0x0ff8	1293 (149 150) */		add	%g3,%o1,%g3
-/* 0x0ffc	1294 (150 151) */		st	%g2,[%i0+52]
-/* 0x1000	1295 (150 151) */		srlx	%g3,32,%o1
-/* 0x1004	1296 (150 151) */		add	%g5,%g4,%g4
-/* 0x1008	1297 (151 152) */		st	%g3,[%i0+56]
-/* 0x100c	1298 (151 152) */		add	%g4,%o0,%g2
-/* 0x1010	1299 (152 153) */		add	%g2,%o1,%g2
-/* 0x1014	1300 (152 153) */		st	%g2,[%i0+60]
-/* 0x1018	1304 (153 154) */		srlx	%g2,32,%o7
-
-!
-! ENTRY .L77000061
-!
-
-        .L77000061:		/* frequency 1.0 confidence 0.0 */
-/* 0x119c	1437 ( 0  1) */		or	%g0,%o7,%i0
-
-!
-! ENTRY .L900000159
-!
-
-        .L900000159:		/* frequency 1.0 confidence 0.0 */
-/* 0x11a0	     ( 0  7) */		ret	! Result =  %o1 %o0 %f0 %f1
-/* 0x11a4	     ( 2  4) */		restore	%g0,%g0,%g0
-
-!
-! ENTRY .L77000073
-!
-
-        .L77000073:		/* frequency 1.0 confidence 0.0 */
-	or	%g0, %i4, %o2
-	or	%g0, %o0, %o1
-	or	%g0, %i3, %o0
-
-!
-! ENTRY .L77000052
-!
-
-        .L77000052:		/* frequency 1.0 confidence 0.0 */
-/* 0x1028	1318 ( 0  1) */		andn	%o2,%g2,%g2
-/* 0x102c	1319 ( 0  1) */		st	%g2,[%sp+96]
-/* 0x1030	1325 ( 0  1) */		add	%o0,1,%g3
-/* 0x1034	1326 ( 0  1) */		fmovd	%f0,%f14
-/* 0x1038	1327 ( 1  2) */		srl	%o2,19,%g2
-/* 0x103c	1328 ( 1  2) */		st	%g2,[%sp+92]
-/* 0x1040	1329 ( 1  2) */		or	%g0,0,%o5
-/* 0x1044	1330 ( 2  3) */		srl	%g3,31,%g2
-/* 0x1048	1331 ( 2  5) */		ldd	[%o1],%f6
-/* 0x104c	1335 ( 2  3) */		sethi	%hi(0x1800),%g1
-/* 0x1050	1336 ( 3  4) */		add	%g3,%g2,%g2
-/* 0x1054	1337 ( 3  4) */		xor	%g1,-304,%g1
-/* 0x1058	1338 ( 3  6) */		ldd	[%o1+8],%f20
-/* 0x105c	1339 ( 4  5) */		sra	%g2,1,%o3
-/* 0x1060	1340 ( 4  5) */		fmovs	%f6,%f8
-/* 0x1064	1341 ( 4  5) */		add	%g1,%fp,%g3
-/* 0x1068	1342 ( 5  6) */		fmovs	%f6,%f10
-/* 0x106c	1343 ( 5  7) */		ld	[%sp+96],%f9
-/* 0x1070	1344 ( 5  6) */		subcc	%o3,0,%g0
-/* 0x1074	1345 ( 6  8) */		ld	[%sp+92],%f11
-/* 0x1078	1346 ( 6  7) */		sethi	%hi(0x1800),%g1
-/* 0x107c	1347 ( 6  7) */		or	%g0,%i2,%o1
-/* 0x1080	1348 ( 7 10) */		fsubd	%f8,%f6,%f18
-/* 0x1084	1349 ( 7  8) */		xor	%g1,-296,%g1
-/* 0x1088	1350 ( 7  8) */		or	%g0,0,%g4
-/* 0x108c	1351 ( 8 11) */		fsubd	%f10,%f6,%f16
-/* 0x1090	1352 ( 8  9) */		bleu,pt	%icc,.L990000162	! tprob=0.50
-/* 0x1094	     ( 8  9) */		subcc	%o0,0,%g0
-/* 0x1098	1354 ( 9 10) */		add	%g1,%fp,%g2
-/* 0x109c	1355 ( 9 10) */		sethi	%hi(0x1800),%g1
-/* 0x10a0	1356 (10 11) */		xor	%g1,-288,%g1
-/* 0x10a4	1357 (10 11) */		subcc	%o3,7,%g0
-/* 0x10a8	1358 (11 12) */		add	%g1,%fp,%o7
-/* 0x10ac	1359 (11 12) */		sethi	%hi(0x1800),%g1
-/* 0x10b0	1360 (12 13) */		xor	%g1,-280,%g1
-/* 0x10b4	1361 (13 14) */		add	%g1,%fp,%o4
-/* 0x10b8	1362 (13 14) */		bl,pn	%icc,.L77000054	! tprob=0.50
-/* 0x10bc	     (13 14) */		sub	%o3,2,%o2
-/* 0x10c0	1364 (14 17) */		ldd	[%o1],%f2
-/* 0x10c4	1365 (14 15) */		add	%o1,16,%g5
-/* 0x10c8	1366 (14 15) */		or	%g0,4,%g4
-/* 0x10cc	1367 (15 18) */		ldd	[%o1+8],%f0
-/* 0x10d0	1368 (15 16) */		add	%o1,8,%o1
-/* 0x10d4	1369 (16 18) */		fxnor	%f14,%f2,%f6
-/* 0x10d8	1370 (16 19) */		ldd	[%g5],%f4
-/* 0x10dc	1371 (16 17) */		add	%o1,16,%o1
-/* 0x10e0	1372 (17 19) */		fxnor	%f14,%f0,%f12
-/* 0x10e4	1373 (17 20) */		ldd	[%o1],%f0
-/* 0x10e8	1374 (17 18) */		add	%o1,8,%o1
-/* 0x10ec	1375 (18 21) */		fitod	%f7,%f2
-/* 0x10f0	1376 (19 22) */		fitod	%f6,%f6
-/* 0x10f4	1377 (20 22) */		fxnor	%f14,%f4,%f10
-/* 0x10f8	1378 (21 24) */		fsubd	%f20,%f2,%f2
-/* 0x10fc	1379 (22 24) */		fxnor	%f14,%f0,%f8
-/* 0x1100	1380 (23 26) */		fitod	%f13,%f4
-/* 0x1104	1381 (24 27) */		fsubd	%f20,%f6,%f6
-/* 0x1108	1382 (24 27) */		fmuld	%f2,%f16,%f0
-
-!
-! ENTRY .L990000154
-!
-
-        .L990000154:		/* frequency 1.0 confidence 0.0 */
-/* 0x110c	1384 ( 0  3) */		ldd	[%o1],%f24
-/* 0x1110	1385 ( 0  1) */		add	%g4,3,%g4
-/* 0x1114	1386 ( 0  1) */		add	%o4,96,%o4
-/* 0x1118	1387 ( 1  4) */		fitod	%f11,%f22
-/* 0x111c	1388 ( 2  5) */		fsubd	%f20,%f4,%f26
-/* 0x1120	1389 ( 2  3) */		subcc	%g4,%o2,%g0
-/* 0x1124	1390 ( 2  3) */		add	%o7,96,%o7
-/* 0x1128	1391 ( 2  5) */		fmuld	%f6,%f18,%f28
-/* 0x112c	1392 ( 3  6) */		fmuld	%f6,%f16,%f6
-/* 0x1130	1393 ( 3  4) */		add	%g2,96,%g2
-/* 0x1134	1394 ( 3  4) */		add	%g3,96,%g3
-/* 0x1138	1395 ( 4  7) */		fdtox	%f0,%f0
-/* 0x113c	1396 ( 5  8) */		fitod	%f12,%f4
-/* 0x1140	1397 ( 5  8) */		fmuld	%f2,%f18,%f2
-/* 0x1144	1398 ( 6  9) */		fdtox	%f28,%f12
-/* 0x1148	1399 ( 7 10) */		fdtox	%f6,%f6
-/* 0x114c	1400 ( 7  8) */		std	%f12,[%g3-96]
-/* 0x1150	1401 ( 8  9) */		std	%f6,[%g2-96]
-/* 0x1154	1402 ( 8 11) */		fdtox	%f2,%f2
-/* 0x1158	1403 ( 9 12) */		fsubd	%f20,%f4,%f6
-/* 0x115c	1404 ( 9 10) */		std	%f2,[%o7-96]
-/* 0x1160	1405 ( 9 10) */		add	%o1,8,%o1
-/* 0x1164	1406 (10 12) */		fxnor	%f14,%f24,%f12
-/* 0x1168	1407 (10 13) */		fmuld	%f26,%f16,%f4
-/* 0x116c	1408 (10 11) */		std	%f0,[%o4-96]
-/* 0x1170	1409 (11 14) */		ldd	[%o1],%f0
-/* 0x1174	1410 (11 14) */		fitod	%f9,%f2
-/* 0x1178	1411 (12 15) */		fsubd	%f20,%f22,%f28
-/* 0x117c	1412 (12 15) */		fmuld	%f6,%f18,%f24
-/* 0x1180	1413 (13 16) */		fmuld	%f6,%f16,%f22
-/* 0x1184	1414 (13 16) */		fdtox	%f4,%f4
-/* 0x1188	1415 (14 17) */		fitod	%f10,%f6
-/* 0x118c	1416 (14 17) */		fmuld	%f26,%f18,%f10
-/* 0x1190	1417 (15 18) */		fdtox	%f24,%f24
-/* 0x1194	1418 (16 19) */		fdtox	%f22,%f22
-/* 0x1198	1419 (16 17) */		std	%f24,[%g3-64]
-/* 0x119c	1420 (17 18) */		std	%f22,[%g2-64]
-/* 0x11a0	1421 (17 20) */		fdtox	%f10,%f10
-/* 0x11a4	1422 (18 21) */		fsubd	%f20,%f6,%f6
-/* 0x11a8	1423 (18 19) */		std	%f10,[%o7-64]
-/* 0x11ac	1424 (18 19) */		add	%o1,8,%o1
-/* 0x11b0	1425 (19 21) */		fxnor	%f14,%f0,%f10
-/* 0x11b4	1426 (19 22) */		fmuld	%f28,%f16,%f0
-/* 0x11b8	1427 (19 20) */		std	%f4,[%o4-64]
-/* 0x11bc	1428 (20 23) */		ldd	[%o1],%f22
-/* 0x11c0	1429 (20 23) */		fitod	%f13,%f4
-/* 0x11c4	1430 (21 24) */		fsubd	%f20,%f2,%f2
-/* 0x11c8	1431 (21 24) */		fmuld	%f6,%f18,%f26
-/* 0x11cc	1432 (22 25) */		fmuld	%f6,%f16,%f24
-/* 0x11d0	1433 (22 25) */		fdtox	%f0,%f0
-/* 0x11d4	1434 (23 26) */		fitod	%f8,%f6
-/* 0x11d8	1435 (23 26) */		fmuld	%f28,%f18,%f8
-/* 0x11dc	1436 (24 27) */		fdtox	%f26,%f26
-/* 0x11e0	1437 (25 28) */		fdtox	%f24,%f24
-/* 0x11e4	1438 (25 26) */		std	%f26,[%g3-32]
-/* 0x11e8	1439 (26 27) */		std	%f24,[%g2-32]
-/* 0x11ec	1440 (26 29) */		fdtox	%f8,%f8
-/* 0x11f0	1441 (27 30) */		fsubd	%f20,%f6,%f6
-/* 0x11f4	1442 (27 28) */		std	%f8,[%o7-32]
-/* 0x11f8	1443 (27 28) */		add	%o1,8,%o1
-/* 0x11fc	1444 (28 30) */		fxnor	%f14,%f22,%f8
-/* 0x1200	1445 (28 29) */		std	%f0,[%o4-32]
-/* 0x1204	1446 (28 29) */		bcs,pt	%icc,.L990000154	! tprob=0.50
-/* 0x1208	     (28 31) */		fmuld	%f2,%f16,%f0
-
-!
-! ENTRY .L990000157
-!
-
-        .L990000157:		/* frequency 1.0 confidence 0.0 */
-/* 0x120c	1449 ( 0  3) */		fitod	%f12,%f28
-/* 0x1210	1450 ( 0  3) */		fmuld	%f6,%f18,%f24
-/* 0x1214	1451 ( 0  1) */		add	%g3,128,%g3
-/* 0x1218	1452 ( 1  4) */		fitod	%f10,%f12
-/* 0x121c	1453 ( 1  4) */		fmuld	%f6,%f16,%f26
-/* 0x1220	1454 ( 1  2) */		add	%g2,128,%g2
-/* 0x1224	1455 ( 2  5) */		fsubd	%f20,%f4,%f4
-/* 0x1228	1456 ( 2  5) */		fmuld	%f2,%f18,%f22
-/* 0x122c	1457 ( 2  3) */		add	%o7,128,%o7
-/* 0x1230	1458 ( 3  6) */		fdtox	%f24,%f6
-/* 0x1234	1459 ( 3  4) */		std	%f6,[%g3-128]
-/* 0x1238	1460 ( 3  4) */		add	%o4,128,%o4
-/* 0x123c	1461 ( 4  7) */		fsubd	%f20,%f28,%f2
-/* 0x1240	1462 ( 4  5) */		subcc	%g4,%o3,%g0
-/* 0x1244	1463 ( 5  8) */		fitod	%f11,%f6
-/* 0x1248	1464 ( 5  8) */		fmuld	%f4,%f18,%f24
-/* 0x124c	1465 ( 6  9) */		fdtox	%f26,%f10
-/* 0x1250	1466 ( 6  7) */		std	%f10,[%g2-128]
-/* 0x1254	1467 ( 7 10) */		fdtox	%f22,%f10
-/* 0x1258	1468 ( 7  8) */		std	%f10,[%o7-128]
-/* 0x125c	1469 ( 7 10) */		fmuld	%f2,%f18,%f26
-/* 0x1260	1470 ( 8 11) */		fsubd	%f20,%f12,%f10
-/* 0x1264	1471 ( 8 11) */		fmuld	%f2,%f16,%f2
-/* 0x1268	1472 ( 9 12) */		fsubd	%f20,%f6,%f22
-/* 0x126c	1473 ( 9 12) */		fmuld	%f4,%f16,%f12
-/* 0x1270	1474 (10 13) */		fdtox	%f0,%f0
-/* 0x1274	1475 (10 11) */		std	%f0,[%o4-128]
-/* 0x1278	1476 (11 14) */		fitod	%f8,%f4
-/* 0x127c	1477 (11 14) */		fmuld	%f10,%f18,%f6
-/* 0x1280	1478 (12 15) */		fdtox	%f26,%f0
-/* 0x1284	1479 (12 13) */		std	%f0,[%g3-96]
-/* 0x1288	1480 (12 15) */		fmuld	%f10,%f16,%f10
-/* 0x128c	1481 (13 16) */		fdtox	%f2,%f2
-/* 0x1290	1482 (13 14) */		std	%f2,[%g2-96]
-/* 0x1294	1483 (14 17) */		fitod	%f9,%f0
-/* 0x1298	1484 (14 17) */		fmuld	%f22,%f18,%f2
-/* 0x129c	1485 (15 18) */		fdtox	%f24,%f8
-/* 0x12a0	1486 (15 16) */		std	%f8,[%o7-96]
-/* 0x12a4	1487 (16 19) */		fsubd	%f20,%f4,%f4
-/* 0x12a8	1488 (16 19) */		fmuld	%f22,%f16,%f8
-/* 0x12ac	1489 (17 20) */		fdtox	%f12,%f12
-/* 0x12b0	1490 (17 18) */		std	%f12,[%o4-96]
-/* 0x12b4	1491 (18 21) */		fsubd	%f20,%f0,%f0
-/* 0x12b8	1492 (19 22) */		fdtox	%f6,%f6
-/* 0x12bc	1493 (19 20) */		std	%f6,[%g3-64]
-/* 0x12c0	1494 (20 23) */		fdtox	%f10,%f10
-/* 0x12c4	1495 (20 21) */		std	%f10,[%g2-64]
-/* 0x12c8	1496 (20 23) */		fmuld	%f4,%f18,%f6
-/* 0x12cc	1497 (21 24) */		fdtox	%f2,%f2
-/* 0x12d0	1498 (21 22) */		std	%f2,[%o7-64]
-/* 0x12d4	1499 (21 24) */		fmuld	%f4,%f16,%f4
-/* 0x12d8	1500 (22 25) */		fmuld	%f0,%f18,%f2
-/* 0x12dc	1501 (22 25) */		fdtox	%f8,%f8
-/* 0x12e0	1502 (22 23) */		std	%f8,[%o4-64]
-/* 0x12e4	1503 (23 26) */		fdtox	%f6,%f6
-/* 0x12e8	1504 (23 24) */		std	%f6,[%g3-32]
-/* 0x12ec	1505 (23 26) */		fmuld	%f0,%f16,%f0
-/* 0x12f0	1506 (24 27) */		fdtox	%f4,%f4
-/* 0x12f4	1507 (24 25) */		std	%f4,[%g2-32]
-/* 0x12f8	1508 (25 28) */		fdtox	%f2,%f2
-/* 0x12fc	1509 (25 26) */		std	%f2,[%o7-32]
-/* 0x1300	1510 (26 29) */		fdtox	%f0,%f0
-/* 0x1304	1511 (26 27) */		bcc,pn	%icc,.L77000056	! tprob=0.50
-/* 0x1308	     (26 27) */		std	%f0,[%o4-32]
-
-!
-! ENTRY .L77000054
-!
-
-        .L77000054:		/* frequency 1.0 confidence 0.0 */
-/* 0x130c	1514 ( 0  3) */		ldd	[%o1],%f0
-
-!
-! ENTRY .L990000161
-!
-
-        .L990000161:		/* frequency 1.0 confidence 0.0 */
-/* 0x1310	1516 ( 0  2) */		fxnor	%f14,%f0,%f0
-/* 0x1314	1517 ( 0  1) */		add	%g4,1,%g4
-/* 0x1318	1518 ( 0  1) */		add	%o1,8,%o1
-/* 0x131c	1519 ( 1  2) */		subcc	%g4,%o3,%g0
-/* 0x1320	1520 ( 2  5) */		fitod	%f0,%f2
-/* 0x1324	1521 ( 3  6) */		fitod	%f1,%f0
-/* 0x1328	1522 ( 5  8) */		fsubd	%f20,%f2,%f2
-/* 0x132c	1523 ( 6  9) */		fsubd	%f20,%f0,%f0
-/* 0x1330	1524 ( 8 11) */		fmuld	%f2,%f18,%f6
-/* 0x1334	1525 ( 9 12) */		fmuld	%f2,%f16,%f4
-/* 0x1338	1526 (10 13) */		fmuld	%f0,%f18,%f2
-/* 0x133c	1527 (11 14) */		fdtox	%f6,%f6
-/* 0x1340	1528 (11 12) */		std	%f6,[%g3]
-/* 0x1344	1529 (11 14) */		fmuld	%f0,%f16,%f0
-/* 0x1348	1530 (12 15) */		fdtox	%f4,%f4
-/* 0x134c	1531 (12 13) */		std	%f4,[%g2]
-/* 0x1350	1532 (12 13) */		add	%g2,32,%g2
-/* 0x1354	1533 (13 16) */		fdtox	%f2,%f2
-/* 0x1358	1534 (13 14) */		std	%f2,[%o7]
-/* 0x135c	1535 (13 14) */		add	%o7,32,%o7
-/* 0x1360	1536 (14 17) */		fdtox	%f0,%f0
-/* 0x1364	1537 (14 15) */		std	%f0,[%o4]
-/* 0x1368	1538 (14 15) */		add	%o4,32,%o4
-/* 0x136c	1539 (15 16) */		add	%g3,32,%g3
-/* 0x1370	1540 (15 16) */		bcs,a,pt	%icc,.L990000161	! tprob=0.50
-/* 0x1374	     (16 19) */		ldd	[%o1],%f0
-
-!
-! ENTRY .L77000056
-!
-
-         .L77000056:		/* frequency 1.0 confidence 0.0 */
-/* 0x1378	1548 ( 0  1) */		subcc	%o0,0,%g0
-
-!
-! ENTRY .L990000162
-!
-
-         .L990000162:		/* frequency 1.0 confidence 0.0 */
-/* 0x137c	1550 ( 0  1) */		bleu,pt	%icc,.L77770061	! tprob=0.50
-/* 0x1380	     ( 0  1) */		nop
-/* 0x1384	1555 ( 0  1) */		sethi	%hi(0x1800),%g1
-/* 0x1388	1556 ( 1  2) */		xor	%g1,-304,%g1
-/* 0x138c	1557 ( 1  2) */		or	%g0,%i1,%g4
-/* 0x1390	1558 ( 2  3) */		add	%g1,%fp,%g5
-/* 0x1394	1559 ( 2  3) */		sethi	%hi(0x1800),%g1
-/* 0x1398	1560 ( 3  4) */		xor	%g1,-296,%g1
-/* 0x139c	1561 ( 3  4) */		or	%g0,%o0,%o7
-/* 0x13a0	1562 ( 4  5) */		add	%g1,%fp,%g2
-/* 0x13a4	1563 ( 4  5) */		or	%g0,0,%i2
-/* 0x13a8	1564 ( 5  6) */		or	%g0,%i0,%g3
-/* 0x13ac	1565 ( 5  6) */		subcc	%o0,6,%g0
-/* 0x13b0	1566 ( 5  6) */		bl,pn	%icc,.L77000058	! tprob=0.50
-/* 0x13b4	     ( 6  7) */		sethi	%hi(0x1800),%g1
-/* 0x13b8	1568 ( 6  8) */		ld	[%g4],%o2
-/* 0x13bc	1569 ( 6  7) */		add	%g3,4,%g3
-/* 0x13c0	1570 ( 7  8) */		xor	%g1,-264,%g1
-/* 0x13c4	1571 ( 7  8) */		sub	%o7,3,%o4
-/* 0x13c8	1572 ( 8  9) */		add	%g1,%fp,%g2
-/* 0x13cc	1573 ( 8  9) */		sethi	%hi(0x1800),%g1
-/* 0x13d0	1574 ( 9 10) */		xor	%g1,-272,%g1
-/* 0x13d4	1575 ( 9 10) */		or	%g0,2,%i2
-/* 0x13d8	1576 (10 11) */		add	%g1,%fp,%g5
-/* 0x13dc	1577 (10 11) */		sethi	%hi(0x1800),%g1
-/* 0x13e0	1578 (11 12) */		xor	%g1,-296,%g1
-/* 0x13e4	1579 (12 13) */		add	%g1,%fp,%g1
-/* 0x13e8	1580 (13 15) */		ldx	[%g1],%o1
-/* 0x13ec	1581 (14 16) */		ldx	[%g1-8],%o0
-/* 0x13f0	1582 (15 16) */		sllx	%o1,19,%o1
-/* 0x13f4	1583 (15 17) */		ldx	[%g1+16],%o3
-/* 0x13f8	1584 (16 17) */		add	%o0,%o1,%o0
-/* 0x13fc	1585 (16 18) */		ld	[%g4+4],%o1
-/* 0x1400	1586 (16 17) */		add	%g4,8,%g4
-/* 0x1404	1587 (17 18) */		sllx	%o3,19,%o3
-/* 0x1408	1588 (17 18) */		add	%o0,%o2,%o0
-/* 0x140c	1589 (17 19) */		ldx	[%g1+8],%o2
-/* 0x1410	1590 (18 19) */		st	%o0,[%g3-4]
-/* 0x1414	1591 (18 19) */		srlx	%o0,32,%o0
-
-!
-! ENTRY .L990000142
-!
-
-        .L990000142:		/* frequency 1.0 confidence 0.0 */
-/* 0x1418	1593 ( 0  1) */		add	%o2,%o3,%o2
-/* 0x141c	1594 ( 0  1) */		add	%i2,4,%i2
-/* 0x1420	1595 ( 0  2) */		ld	[%g4],%o3
-/* 0x1424	1596 ( 1  2) */		srl	%o0,0,%o5
-/* 0x1428	1597 ( 1  2) */		add	%o2,%o1,%o1
-/* 0x142c	1598 ( 1  3) */		ldx	[%g2],%o0
-/* 0x1430	1599 ( 3  4) */		sllx	%o0,19,%o2
-/* 0x1434	1600 ( 3  5) */		ldx	[%g5],%o0
-/* 0x1438	1601 ( 3  4) */		add	%o1,%o5,%o1
-/* 0x143c	1602 ( 4  5) */		st	%o1,[%g3]
-/* 0x1440	1603 ( 4  5) */		srlx	%o1,32,%o5
-/* 0x1444	1604 ( 4  5) */		subcc	%i2,%o4,%g0
-/* 0x1448	1605 ( 5  7) */		ldx	[%g2+16],%o1
-/* 0x144c	1606 ( 5  6) */		add	%o0,%o2,%o0
-/* 0x1450	1607 ( 5  6) */		add	%g3,16,%g3
-/* 0x1454	1608 ( 6  8) */		ld	[%g4+4],%o2
-/* 0x1458	1609 ( 6  7) */		add	%o0,%o3,%o0
-/* 0x145c	1610 ( 7  8) */		sllx	%o1,19,%o3
-/* 0x1460	1611 ( 7  9) */		ldx	[%g5+16],%o1
-/* 0x1464	1612 ( 7  8) */		add	%o0,%o5,%o0
-/* 0x1468	1613 ( 8  9) */		st	%o0,[%g3-12]
-/* 0x146c	1614 ( 8  9) */		srlx	%o0,32,%o5
-/* 0x1470	1615 ( 8  9) */		add	%g4,16,%g4
-/* 0x1474	1616 ( 9 11) */		ldx	[%g2+32],%o0
-/* 0x1478	1617 ( 9 10) */		add	%o1,%o3,%o1
-/* 0x147c	1618 ( 9 10) */		add	%g2,64,%g2
-/* 0x1480	1619 (10 12) */		ld	[%g4-8],%o3
-/* 0x1484	1620 (10 11) */		add	%o1,%o2,%o2
-/* 0x1488	1621 (11 12) */		sllx	%o0,19,%o1
-/* 0x148c	1622 (11 13) */		ldx	[%g5+32],%o0
-/* 0x1490	1623 (11 12) */		add	%o2,%o5,%o2
-/* 0x1494	1624 (12 13) */		st	%o2,[%g3-8]
-/* 0x1498	1625 (12 13) */		srlx	%o2,32,%o5
-/* 0x149c	1626 (12 13) */		add	%g5,64,%g5
-/* 0x14a0	1627 (13 15) */		ldx	[%g2-16],%o2
-/* 0x14a4	1628 (13 14) */		add	%o0,%o1,%o0
-/* 0x14a8	1629 (14 16) */		ld	[%g4-4],%o1
-/* 0x14ac	1630 (14 15) */		add	%o0,%o3,%o0
-/* 0x14b0	1631 (15 16) */		sllx	%o2,19,%o3
-/* 0x14b4	1632 (15 17) */		ldx	[%g5-16],%o2
-/* 0x14b8	1633 (15 16) */		add	%o0,%o5,%o0
-/* 0x14bc	1634 (16 17) */		st	%o0,[%g3-4]
-/* 0x14c0	1635 (16 17) */		bcs,pt	%icc,.L990000142	! tprob=0.50
-/* 0x14c4	     (16 17) */		srlx	%o0,32,%o0
-
-!
-! ENTRY .L990000145
-!
-
-        .L990000145:		/* frequency 1.0 confidence 0.0 */
-/* 0x14c8	1638 ( 0  1) */		add	%o2,%o3,%o3
-/* 0x14cc	1639 ( 0  1) */		add	%g3,4,%g3
-/* 0x14d0	1640 ( 1  2) */		srl	%o0,0,%o2
-/* 0x14d4	1641 ( 1  2) */		add	%o3,%o1,%o0
-/* 0x14d8	1642 ( 2  3) */		add	%o0,%o2,%o0
-/* 0x14dc	1643 ( 2  3) */		st	%o0,[%g3-4]
-/* 0x14e0	1644 ( 2  3) */		subcc	%i2,%o7,%g0
-/* 0x14e4	1645 ( 2  3) */		bcc,pn	%icc,.L77770061	! tprob=0.50
-/* 0x14e8	     ( 3  4) */		srlx	%o0,32,%o5
-
-!
-! ENTRY .L77000058
-!
-
-        .L77000058:		/* frequency 1.0 confidence 0.0 */
-/* 0x14ec	1648 ( 0  2) */		ldx	[%g2],%o2
-
-!
-! ENTRY .L990000160
-!
-
-        .L990000160:		/* frequency 1.0 confidence 0.0 */
-/* 0x14f0	1650 ( 0  1) */		sllx	%o2,19,%o3
-/* 0x14f4	1651 ( 0  2) */		ldx	[%g5],%o0
-/* 0x14f8	1652 ( 0  1) */		add	%i2,1,%i2
-/* 0x14fc	1653 ( 1  2) */		srl	%o5,0,%o1
-/* 0x1500	1654 ( 1  3) */		ld	[%g4],%o2
-/* 0x1504	1655 ( 1  2) */		add	%g2,16,%g2
-/* 0x1508	1656 ( 2  3) */		add	%o0,%o3,%o0
-/* 0x150c	1657 ( 2  3) */		add	%g5,16,%g5
-/* 0x1510	1658 ( 3  4) */		add	%o0,%o2,%o0
-/* 0x1514	1659 ( 3  4) */		add	%g4,4,%g4
-/* 0x1518	1660 ( 4  5) */		add	%o0,%o1,%o0
-/* 0x151c	1661 ( 4  5) */		st	%o0,[%g3]
-/* 0x1520	1662 ( 4  5) */		subcc	%i2,%o7,%g0
-/* 0x1524	1663 ( 5  6) */		srlx	%o0,32,%o5
-/* 0x1528	1664 ( 5  6) */		add	%g3,4,%g3
-/* 0x152c	1665 ( 5  6) */		bcs,a,pt	%icc,.L990000160	! tprob=0.50
-/* 0x1530	     ( 6  8) */		ldx	[%g2],%o2
-
-!
-! ENTRY .L77770061
-!
-
-        .L77770061:		/* frequency 1.0 confidence 0.0 */
-/* 0x1534	     ( 0  2) */		ret	! Result =  %o1 %o0 %f0 %f1
-/* 0x1538	     ( 2  3) */		restore	%g0,%o5,%o0
-
-/* 0x11a8	1441 ( 0  0) */		.type	mul_add,2
-/* 0x11a8	1442 ( 0  0) */		.size	mul_add,(.-mul_add)
-/* 0x11a8	1445 ( 0  0) */		.align	16
-/* 0x11b0	1451 ( 0  0) */		.global	mul_add_inp
-
-!
-! ENTRY mul_add_inp
-!
-
-        .global mul_add_inp
-        mul_add_inp:		/* frequency 1.0 confidence 0.0 */
-/* 0x11b0	1453 ( 0  1) */		or	%g0,%o2,%g1
-/* 0x11b4	1454 ( 0  1) */		or	%g0,%o3,%o4
-/* 0x11b8	1455 ( 1  2) */		or	%g0,%o0,%g3
-/* 0x11bc	1456 ( 1  2) */		or	%g0,%o1,%g2
-/* 0x11c0	1466 ( 2  3) */		or	%g0,%g1,%o3
-/* 0x11c4	1467 ( 2  3) */		or	%g0,%g3,%o1
-/* 0x11c8	1468 ( 3  4) */		or	%g0,%g2,%o2
-/* 0x11cc	1469 ( 3  4) */		or	%g0,%o7,%g1
-/* 0x11d0	1470 ( 4  6) */		call	mul_add	! params = 	! Result = 
-/* 0x11d4	     ( 5  6) */		or	%g0,%g1,%o7
-/* 0x11d8	1472 ( 0  0) */		.type	mul_add_inp,2
-/* 0x11d8	1473 ( 0  0) */		.size	mul_add_inp,(.-mul_add_inp)
-
-	.section	".data",#alloc,#write
-/* 0x11d8	   6 ( 0  0) */		.align	8
-
-!
-! ENTRY mask_cnst
-!
-
-        mask_cnst:		/* frequency 1.0 confidence 0.0 */
-/* 0x11d8	   8 ( 0  0) */		.word	-2147483648
-/* 0x11dc	   9 ( 0  0) */		.word	-2147483648
-/* 0x11e0	  10 ( 0  0) */		.type	mask_cnst,#object
-/* 0x11e0	  11 ( 0  0) */		.size	mask_cnst,8
-
diff --git a/security/nss/lib/freebl/mpi/mpv_sparcv8x.s b/security/nss/lib/freebl/mpi/mpv_sparcv8x.s
deleted file mode 100644
index 154d69965..000000000
--- a/security/nss/lib/freebl/mpi/mpv_sparcv8x.s
+++ /dev/null
@@ -1,175 +0,0 @@
-! Inner multiply loop functions for pure 32-bit Sparc v8 CPUs.
-! ***** BEGIN LICENSE BLOCK *****
-! Version: MPL 1.1/GPL 2.0/LGPL 2.1
-! 
-! The contents of this file are subject to the Mozilla Public License Version 
-! 1.1 (the "License"); you may not use this file except in compliance with 
-! the License. You may obtain a copy of the License at 
-! http://www.mozilla.org/MPL/
-! 
-! Software distributed under the License is distributed on an "AS IS" basis,
-! WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-! for the specific language governing rights and limitations under the
-! License.
-!
-! The Original Code is a SPARC v8 optimized multiply and add function
-! 
-! The Initial Developer of the Original Code is Sun Microsystems Inc.
-! Portions created by Sun Microsystems Inc. are 
-! Copyright (C) 2000-2005 Sun Microsystems Inc.  All Rights Reserved.
-! 
-! Contributor(s):
-! 
-! Alternatively, the contents of this file may be used under the terms of
-! either the GNU General Public License Version 2 or later (the "GPL"), or
-! the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-! in which case the provisions of the GPL or the LGPL are applicable instead
-! of those above. If you wish to allow use of your version of this file only
-! under the terms of either the GPL or the LGPL, and not to allow others to
-! use your version of this file under the terms of the MPL, indicate your
-! decision by deleting the provisions above and replace them with the notice
-! and other provisions required by the GPL or the LGPL. If you do not delete
-! the provisions above, a recipient may use your version of this file under
-! the terms of any one of the MPL, the GPL or the LGPL.
-! 
-! ***** END LICENSE BLOCK *****
-
-! $Id$
-
-	.file	"mpv_sparcv8x.s"
-	.align	8
-
-	.section     ".text",#alloc,#execinstr
-	.global      s_mpv_mul_d
- s_mpv_mul_d:
-	save         %sp, -0x60, %sp
-	mov          %i0, %o0
-	clr          %g4
-	cmp          %i1, 0x0
-	be           .L103
-	sub          %i1, 0x1, %o5
-	ld           [%o0], %g1
-.L101:
-	umul         %g1, %i2, %g2
-	rd           %y, %g1
-	add          %g2, %g4, %g3
-	mov          %g1, %o4
-	add          %o0, 0x4, %o0
-	cmp          %g3, %g4
-	blu,a        .L102
-	add          %g1, 0x1, %o4
-.L102:
-	st           %g3, [%i3]
-	mov          %o5, %g1
-	add          %i3, 0x4, %i3
-	cmp          %g1, 0x0
-	mov          %o4, %g4
-	sub          %o5, 0x1, %o5
-	bne,a        .L101
-	ld           [%o0], %g1
-.L103:
-	st           %g4, [%i3]
-	ret
-	restore
-
-	.type	s_mpv_mul_d,2
-	.size	s_mpv_mul_d,(.-s_mpv_mul_d)
-
-	.align	16
-	.global      s_mpv_mul_d_add
- s_mpv_mul_d_add:
-
-	save         %sp, -0x60, %sp
-	mov          %i0, %o0
-	clr          %g4
-	cmp          %i1, 0x0
-	be           .L204
-	sub          %i1, 0x1, %o5
-	ld           [%o0], %g1
-.L201:
-	umul         %g1, %i2, %g2
-	rd           %y, %g1
-	add          %g2, %g4, %g3
-	mov          %g1, %o4
-	add          %o0, 0x4, %o0
-	cmp          %g3, %g4
-	blu,a        .L202
-	add          %g1, 0x1, %o4
-.L202:
-	ld           [%i3], %g2
-	add          %g3, %g2, %g1
-	cmp          %g1, %g2
-	blu,a        .L203
-	add          %o4, 0x1, %o4
-.L203:
-	st           %g1, [%i3]
-	mov          %o5, %g1
-	add          %i3, 0x4, %i3
-	cmp          %g1, 0x0
-	mov          %o4, %g4
-	sub          %o5, 0x1, %o5
-	bne,a        .L201
-	ld           [%o0], %g1
-.L204:
-	st           %g4, [%i3]
-	ret
-	restore
-
-	.type	s_mpv_mul_d_add,2
-	.size	s_mpv_mul_d_add,(.-s_mpv_mul_d_add)
-
-	.align	16
-	.global      s_mpv_mul_d_add_prop
- s_mpv_mul_d_add_prop:
-
-	save         %sp, -0x60, %sp
-	mov          %i0, %o0
-	clr          %o5
-	cmp          %i1, 0x0
-	be           .L30x70
-	sub          %i1, 0x1, %g4
-	ld           [%o0], %g1
-.L30x1c:
-	umul         %g1, %i2, %g2
-	rd           %y, %g1
-	add          %g2, %o5, %g3
-	mov          %g1, %o4
-	add          %o0, 0x4, %o0
-	cmp          %g3, %o5
-	blu,a        .L30x3c
-	add          %g1, 0x1, %o4
-.L30x3c:
-	ld           [%i3], %g2
-	add          %g3, %g2, %g1
-	cmp          %g1, %g2
-	blu,a        .L30x50
-	add          %o4, 0x1, %o4
-.L30x50:
-	st           %g1, [%i3]
-	mov          %g4, %g1
-	add          %i3, 0x4, %i3
-	cmp          %g1, 0x0
-	mov          %o4, %o5
-	sub          %g4, 0x1, %g4
-	bne,a        .L30x1c
-	ld           [%o0], %g1
-.L30x70:
-	cmp          %o5, 0x0
-	be           .L30xa0
-	nop
-	ld           [%i3], %g1
-.L30x80:
-	add          %o5, %g1, %g2
-	st           %g2, [%i3]
-	add          %i3, 0x4, %i3
-	cmp          %g2, %g1
-	addx         %g0, 0x0, %o5
-	cmp          %o5, 0x0
-	bne,a        .L30x80
-	ld           [%i3], %g1
-.L30xa0:
-	ret
-	restore
-
-	.type	s_mpv_mul_d_add_prop,2
-	.size	s_mpv_mul_d_add_prop,(.-s_mpv_mul_d_add_prop)
diff --git a/security/nss/lib/freebl/mpi/mpv_sparcv9.s b/security/nss/lib/freebl/mpi/mpv_sparcv9.s
deleted file mode 100644
index 1a7997e4a..000000000
--- a/security/nss/lib/freebl/mpi/mpv_sparcv9.s
+++ /dev/null
@@ -1,1673 +0,0 @@
-!/*
-! * The contents of this file are subject to the Mozilla Public
-! * License Version 1.1 (the "License"); you may not use this file
-! * except in compliance with the License. You may obtain a copy of
-! * the License at http://www.mozilla.org/MPL/
-! * 
-! * Software distributed under the License is distributed on an "AS
-! * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-! * implied. See the License for the specific language governing
-! * rights and limitations under the License.
-! * 
-! * The Original Code is a SPARC/VIS optimized multiply and add function
-! *
-! * The Initial Developer of the Original Code is Sun Microsystems Inc.
-! * Portions created by Sun Microsystems Inc. are 
-! * Copyright (C) 1999-2000 Sun Microsystems Inc.  All Rights Reserved.
-! * 
-! * Contributor(s):
-! * 
-! * Alternatively, the contents of this file may be used under the
-! * terms of the GNU General Public License Version 2 or later (the
-! * "GPL"), in which case the provisions of the GPL are applicable 
-! * instead of those above.   If you wish to allow use of your 
-! * version of this file only under the terms of the GPL and not to
-! * allow others to use your version of this file under the MPL,
-! * indicate your decision by deleting the provisions above and
-! * replace them with the notice and other provisions required by
-! * the GPL.  If you do not delete the provisions above, a recipient
-! * may use your version of this file under either the MPL or the
-! * GPL.
-! *  $Id$
-! */
-
-	.section	".text",#alloc,#execinstr
-/* 000000	   0 ( 0  0) */		.register	%g2,#scratch
-/* 000000	     ( 0  0) */		.register	%g3,#scratch
-/* 000000	   3 ( 0  0) */		.file	"mpv_sparc.c"
-/* 000000	  15 ( 0  0) */		.align	8
-!
-! SUBROUTINE .L_const_seg_900000101
-!
-! OFFSET    SOURCE LINE	LABEL	INSTRUCTION	(ISSUE TIME)	(COMPLETION TIME)
-
-                                   .L_const_seg_900000101:		/* frequency 1.0 confidence 0.0 */
-/* 000000	  20 ( 0  0) */		.word	1127219200,0
-/* 0x0008	  21 ( 0  0) */		.word	1105199103,-4194304
-/* 0x0010	  22 ( 0  0) */		.align	8
-/* 0x0010	  28 ( 0  0) */		.global	mul_add
-
-!
-! ENTRY mul_add
-!
-
-                                   	.global mul_add
-                                   mul_add:		/* frequency 1.0 confidence 0.0 */
-/* 0x0010	  30 ( 0  1) */		sethi	%hi(0x1c00),%g1
-/* 0x0014	  31 ( 0  1) */		sethi	%hi(mask_cnst),%g2
-/* 0x0018	  32 ( 1  2) */		xor	%g1,-48,%g1
-/* 0x001c	  33 ( 1  2) */		add	%g2,%lo(mask_cnst),%g2
-/* 0x0020	  34 ( 2  3) */		save	%sp,%g1,%sp
-
-!
-! ENTRY .L900000149
-!
-
-                                   .L900000149:		/* frequency 1.0 confidence 0.0 */
-/* 0x0024	  36 ( 0  2) */		call	(.+0x8)	! params = 	! Result = 
-/* 0x0028	     ( 1  2) */		sethi	%hi((_GLOBAL_OFFSET_TABLE_-(.L900000149-.))),%g5
-/* 0x002c	 178 ( 2  3) */		sethi	%hi(.L_const_seg_900000101),%g3
-/* 0x0030	 179 ( 2  3) */		add	%g5,%lo((_GLOBAL_OFFSET_TABLE_-(.L900000149-.))),%g5
-/* 0x0034	 180 ( 3  4) */		add	%g3,%lo(.L_const_seg_900000101),%g3
-/* 0x0038	 181 ( 3  4) */		add	%g5,%o7,%o1
-/* 0x003c	 182 ( 4  5) */		sethi	%hi(0x80000),%g4
-/* 0x0040	 183 ( 4  6) */		ldx	[%o1+%g2],%g2
-/* 0x0044	 184 ( 4  5) */		or	%g0,%i2,%o2
-/* 0x0048	 185 ( 5  6) */		subcc	%i4,%g4,%g0
-/* 0x004c	 186 ( 5  7) */		ldx	[%o1+%g3],%o0
-/* 0x0050	 187 ( 6  7) */		or	%g0,%i0,%o7
-/* 0x0054	 188 ( 6  7) */		or	%g0,%i1,%o5
-/* 0x0058	 189 ( 6  9) */		ldd	[%g2],%f0
-/* 0x005c	 190 ( 6  7) */		bcc,pn	%icc,.L77000048	! tprob=0.50
-/* 0x0060	     ( 7  8) */		subcc	%i3,8,%g0
-/* 0x0064	 192 ( 7  8) */		bne,pn	%icc,.L900000158	! tprob=0.50
-/* 0x0068	     ( 8  9) */		subcc	%i3,16,%g0
-/* 0x006c	 194 ( 9 12) */		ldd	[%o2],%f4
-/* 0x0070	 195 (10 11) */		st	%i4,[%sp+2287]
-/* 0x0074	 196 (11 14) */		ldd	[%o0],%f8
-/* 0x0078	 197 (11 13) */		fxnor	%f0,%f4,%f4
-/* 0x007c	 198 (12 15) */		ldd	[%o2+8],%f10
-/* 0x0080	 199 (13 16) */		fitod	%f4,%f12
-/* 0x0084	 200 (13 16) */		ldd	[%o0+8],%f14
-/* 0x0088	 201 (14 17) */		ld	[%sp+2287],%f7
-/* 0x008c	 202 (14 17) */		fitod	%f5,%f4
-/* 0x0090	 203 (15 17) */		fxnor	%f0,%f10,%f10
-/* 0x0094	 204 (15 18) */		ldd	[%o2+16],%f16
-/* 0x0098	 205 (16 19) */		ldd	[%o2+24],%f18
-/* 0x009c	 206 (17 20) */		fsubd	%f14,%f4,%f4
-/* 0x00a0	 210 (17 20) */		ld	[%i1],%g2
-/* 0x00a4	 211 (18 20) */		fxnor	%f0,%f16,%f16
-/* 0x00a8	 212 (18 21) */		ld	[%i1+4],%g3
-/* 0x00ac	 213 (19 22) */		ld	[%i1+8],%g4
-/* 0x00b0	 214 (20 23) */		fitod	%f16,%f20
-/* 0x00b4	 215 (20 23) */		ld	[%i1+16],%o0
-/* 0x00b8	 216 (21 24) */		ld	[%i1+12],%g5
-/* 0x00bc	 217 (22 25) */		ld	[%i1+20],%o1
-/* 0x00c0	 218 (23 26) */		ld	[%i1+24],%o2
-/* 0x00c4	 219 (24 25) */		fmovs	%f8,%f6
-/* 0x00c8	 220 (24 27) */		ld	[%i1+28],%o3
-/* 0x00cc	 221 (26 29) */		fsubd	%f6,%f8,%f6
-/* 0x00d0	 222 (27 30) */		fsubd	%f14,%f12,%f8
-/* 0x00d4	 223 (28 31) */		fitod	%f10,%f12
-/* 0x00d8	 224 (29 32) */		fmuld	%f4,%f6,%f4
-/* 0x00dc	 225 (29 32) */		fitod	%f11,%f10
-/* 0x00e0	 226 (30 33) */		fmuld	%f8,%f6,%f8
-/* 0x00e4	 227 (31 34) */		fsubd	%f14,%f12,%f12
-/* 0x00e8	 228 (32 35) */		fdtox	%f4,%f4
-/* 0x00ec	 229 (32 33) */		std	%f4,[%sp+2271]
-/* 0x00f0	 230 (33 36) */		fdtox	%f8,%f8
-/* 0x00f4	 231 (33 34) */		std	%f8,[%sp+2279]
-/* 0x00f8	 232 (34 37) */		fmuld	%f12,%f6,%f12
-/* 0x00fc	 233 (34 37) */		fsubd	%f14,%f10,%f10
-/* 0x0100	 234 (35 38) */		fsubd	%f14,%f20,%f4
-/* 0x0104	 235 (36 39) */		fitod	%f17,%f8
-/* 0x0108	 236 (37 39) */		fxnor	%f0,%f18,%f16
-/* 0x010c	 237 (37 39) */		ldx	[%sp+2279],%o4
-/* 0x0110	 238 (37 40) */		fmuld	%f10,%f6,%f10
-/* 0x0114	 239 (38 41) */		fdtox	%f12,%f12
-/* 0x0118	 240 (38 39) */		std	%f12,[%sp+2263]
-/* 0x011c	 241 (38 41) */		fmuld	%f4,%f6,%f4
-/* 0x0120	 242 (39 42) */		fitod	%f16,%f18
-/* 0x0124	 243 (39 40) */		add	%o4,%g2,%g2
-/* 0x0128	 244 (39 40) */		st	%g2,[%i0]
-/* 0x012c	 245 (40 42) */		ldx	[%sp+2271],%o4
-/* 0x0130	 246 (40 43) */		fsubd	%f14,%f8,%f8
-/* 0x0134	 247 (40 41) */		srax	%g2,32,%o5
-/* 0x0138	 248 (41 44) */		fdtox	%f10,%f10
-/* 0x013c	 249 (41 42) */		std	%f10,[%sp+2255]
-/* 0x0140	 250 (42 45) */		fdtox	%f4,%f4
-/* 0x0144	 251 (42 43) */		std	%f4,[%sp+2247]
-/* 0x0148	 252 (42 43) */		add	%o4,%g3,%o4
-/* 0x014c	 253 (43 46) */		fitod	%f17,%f12
-/* 0x0150	 254 (43 45) */		ldx	[%sp+2263],%g2
-/* 0x0154	 255 (43 44) */		add	%o4,%o5,%g3
-/* 0x0158	 256 (43 46) */		fmuld	%f8,%f6,%f8
-/* 0x015c	 257 (44 47) */		fsubd	%f14,%f18,%f10
-/* 0x0160	 258 (44 45) */		st	%g3,[%i0+4]
-/* 0x0164	 259 (44 45) */		srax	%g3,32,%g3
-/* 0x0168	 260 (45 46) */		add	%g2,%g4,%g4
-/* 0x016c	 261 (45 47) */		ldx	[%sp+2255],%g2
-/* 0x0170	 262 (46 49) */		fsubd	%f14,%f12,%f4
-/* 0x0174	 263 (46 47) */		add	%g4,%g3,%g3
-/* 0x0178	 264 (46 48) */		ldx	[%sp+2247],%g4
-/* 0x017c	 265 (47 50) */		fmuld	%f10,%f6,%f10
-/* 0x0180	 266 (47 50) */		fdtox	%f8,%f8
-/* 0x0184	 267 (47 48) */		std	%f8,[%sp+2239]
-/* 0x0188	 268 (48 49) */		add	%g4,%o0,%g4
-/* 0x018c	 269 (48 49) */		add	%g2,%g5,%g2
-/* 0x0190	 270 (48 49) */		st	%g3,[%i0+8]
-/* 0x0194	 271 (49 52) */		fmuld	%f4,%f6,%f4
-/* 0x0198	 272 (49 50) */		srax	%g3,32,%o0
-/* 0x019c	 273 (49 51) */		ldx	[%sp+2239],%g5
-/* 0x01a0	 274 (50 53) */		fdtox	%f10,%f6
-/* 0x01a4	 275 (50 51) */		std	%f6,[%sp+2231]
-/* 0x01a8	 276 (50 51) */		add	%g2,%o0,%g2
-/* 0x01ac	 277 (51 52) */		srax	%g2,32,%g3
-/* 0x01b0	 278 (51 52) */		add	%g5,%o1,%o1
-/* 0x01b4	 279 (51 52) */		st	%g2,[%i0+12]
-/* 0x01b8	 280 (52 55) */		fdtox	%f4,%f4
-/* 0x01bc	 281 (52 53) */		std	%f4,[%sp+2223]
-/* 0x01c0	 282 (52 53) */		add	%g4,%g3,%g3
-/* 0x01c4	 283 (53 54) */		srax	%g3,32,%g4
-/* 0x01c8	 284 (53 54) */		st	%g3,[%i0+16]
-/* 0x01cc	 285 (54 56) */		ldx	[%sp+2231],%o0
-/* 0x01d0	 286 (54 55) */		add	%o1,%g4,%g4
-/* 0x01d4	 287 (55 56) */		srax	%g4,32,%g2
-/* 0x01d8	 288 (55 57) */		ldx	[%sp+2223],%g5
-/* 0x01dc	 289 (56 57) */		add	%o0,%o2,%o2
-/* 0x01e0	 290 (56 57) */		st	%g4,[%i0+20]
-/* 0x01e4	 291 (57 58) */		add	%o2,%g2,%g2
-/* 0x01e8	 292 (57 58) */		add	%g5,%o3,%g5
-/* 0x01ec	 293 (57 58) */		st	%g2,[%i0+24]
-/* 0x01f0	 294 (58 59) */		srax	%g2,32,%g3
-/* 0x01f4	 295 (59 60) */		add	%g5,%g3,%g2
-/* 0x01f8	 296 (59 60) */		st	%g2,[%i0+28]
-/* 0x01fc	 300 (60 61) */		srax	%g2,32,%o3
-/* 0x0200	 301 (61 62) */		srl	%o3,0,%i0
-/* 0x0204	     (62 64) */		ret	! Result =  %o1 %o0 %f0 %f1
-/* 0x0208	     (64 65) */		restore	%g0,%g0,%g0
-
-!
-! ENTRY .L900000158
-!
-
-                                   .L900000158:		/* frequency 1.0 confidence 0.0 */
-/* 0x020c	 308 ( 0  1) */		bne,a,pn	%icc,.L900000157	! tprob=0.50
-/* 0x0210	     ( 0  1) */		st	%i4,[%sp+2223]
-/* 0x0214	 315 ( 1  4) */		ldd	[%o2],%f4
-/* 0x0218	 316 ( 2  3) */		st	%i4,[%sp+2351]
-/* 0x021c	 317 ( 3  6) */		ldd	[%o0],%f8
-/* 0x0220	 318 ( 3  5) */		fxnor	%f0,%f4,%f4
-/* 0x0224	 319 ( 4  7) */		ldd	[%o2+8],%f10
-/* 0x0228	 320 ( 5  8) */		ldd	[%o0+8],%f14
-/* 0x022c	 321 ( 5  8) */		fitod	%f4,%f12
-/* 0x0230	 322 ( 6  9) */		ld	[%sp+2351],%f7
-/* 0x0234	 323 ( 6  8) */		fxnor	%f0,%f10,%f10
-/* 0x0238	 324 ( 7 10) */		ldd	[%o2+16],%f16
-/* 0x023c	 325 ( 7 10) */		fitod	%f5,%f4
-/* 0x0240	 326 ( 8 11) */		ldd	[%o2+24],%f18
-/* 0x0244	 330 ( 9 12) */		ldd	[%o2+32],%f20
-/* 0x0248	 331 ( 9 11) */		fxnor	%f0,%f16,%f16
-/* 0x024c	 335 (10 13) */		ld	[%i1],%g2
-/* 0x0250	 336 (10 13) */		fsubd	%f14,%f4,%f4
-/* 0x0254	 337 (11 14) */		ldd	[%o2+40],%f22
-/* 0x0258	 338 (11 14) */		fitod	%f16,%f28
-/* 0x025c	 339 (12 15) */		ld	[%i1+4],%g3
-/* 0x0260	 340 (13 16) */		ld	[%i1+8],%g4
-/* 0x0264	 341 (13 15) */		fxnor	%f0,%f22,%f22
-/* 0x0268	 342 (14 17) */		ld	[%i1+12],%g5
-/* 0x026c	 343 (15 18) */		ld	[%i1+16],%o0
-/* 0x0270	 344 (16 19) */		ldd	[%o2+48],%f24
-/* 0x0274	 345 (17 20) */		ld	[%i1+20],%o1
-/* 0x0278	 346 (17 18) */		fmovs	%f8,%f6
-/* 0x027c	 347 (18 21) */		ldd	[%o2+56],%f26
-/* 0x0280	 348 (19 22) */		ld	[%i1+24],%o2
-/* 0x0284	 349 (19 22) */		fsubd	%f6,%f8,%f6
-/* 0x0288	 350 (20 23) */		ld	[%i1+28],%o3
-/* 0x028c	 351 (20 23) */		fsubd	%f14,%f12,%f8
-/* 0x0290	 355 (21 24) */		ld	[%i1+32],%o4
-/* 0x0294	 356 (21 24) */		fitod	%f10,%f12
-/* 0x0298	 357 (22 25) */		ld	[%i1+36],%o7
-/* 0x029c	 358 (22 25) */		fitod	%f11,%f10
-/* 0x02a0	 359 (22 25) */		fmuld	%f4,%f6,%f4
-/* 0x02a4	 360 (23 26) */		ld	[%i1+40],%l1
-/* 0x02a8	 361 (23 26) */		fmuld	%f8,%f6,%f8
-/* 0x02ac	 362 (24 27) */		ld	[%i1+56],%l5
-/* 0x02b0	 363 (24 27) */		fsubd	%f14,%f12,%f12
-/* 0x02b4	 364 (25 28) */		fsubd	%f14,%f10,%f10
-/* 0x02b8	 365 (26 29) */		fdtox	%f8,%f8
-/* 0x02bc	 366 (26 27) */		std	%f8,[%sp+2343]
-/* 0x02c0	 367 (27 30) */		fitod	%f17,%f8
-/* 0x02c4	 368 (27 30) */		fmuld	%f12,%f6,%f12
-/* 0x02c8	 369 (28 31) */		fdtox	%f4,%f4
-/* 0x02cc	 370 (28 29) */		std	%f4,[%sp+2335]
-/* 0x02d0	 371 (28 31) */		fmuld	%f10,%f6,%f10
-/* 0x02d4	 372 (29 31) */		fxnor	%f0,%f18,%f16
-/* 0x02d8	 373 (30 33) */		fdtox	%f12,%f12
-/* 0x02dc	 374 (30 31) */		std	%f12,[%sp+2327]
-/* 0x02e0	 375 (31 33) */		ldx	[%sp+2343],%o5
-/* 0x02e4	 376 (31 34) */		fsubd	%f14,%f8,%f8
-/* 0x02e8	 377 (32 35) */		fsubd	%f14,%f28,%f4
-/* 0x02ec	 378 (33 36) */		fitod	%f17,%f12
-/* 0x02f0	 379 (33 34) */		add	%o5,%g2,%g2
-/* 0x02f4	 380 (33 34) */		st	%g2,[%i0]
-/* 0x02f8	 381 (34 36) */		ldx	[%sp+2335],%o5
-/* 0x02fc	 382 (34 37) */		fitod	%f16,%f18
-/* 0x0300	 383 (34 35) */		srax	%g2,32,%l0
-/* 0x0304	 384 (35 37) */		fxnor	%f0,%f20,%f16
-/* 0x0308	 385 (35 38) */		fmuld	%f8,%f6,%f20
-/* 0x030c	 386 (36 39) */		fdtox	%f10,%f10
-/* 0x0310	 387 (36 37) */		std	%f10,[%sp+2319]
-/* 0x0314	 388 (36 37) */		add	%o5,%g3,%g3
-/* 0x0318	 389 (36 39) */		fmuld	%f4,%f6,%f4
-/* 0x031c	 390 (37 40) */		fitod	%f16,%f8
-/* 0x0320	 391 (37 38) */		add	%g3,%l0,%g3
-/* 0x0324	 392 (37 38) */		st	%g3,[%i0+4]
-/* 0x0328	 393 (38 40) */		ldx	[%sp+2327],%o5
-/* 0x032c	 394 (38 41) */		fsubd	%f14,%f18,%f18
-/* 0x0330	 395 (38 39) */		srax	%g3,32,%l3
-/* 0x0334	 396 (39 41) */		ldx	[%sp+2319],%l2
-/* 0x0338	 397 (39 42) */		fdtox	%f4,%f4
-/* 0x033c	 398 (40 41) */		std	%f4,[%sp+2311]
-/* 0x0340	 399 (40 43) */		fdtox	%f20,%f20
-/* 0x0344	 400 (40 41) */		add	%o5,%g4,%g4
-/* 0x0348	 401 (41 42) */		std	%f20,[%sp+2303]
-/* 0x034c	 402 (41 44) */		fsubd	%f14,%f12,%f4
-/* 0x0350	 403 (41 42) */		add	%g4,%l3,%g4
-/* 0x0354	 404 (41 44) */		fmuld	%f18,%f6,%f18
-/* 0x0358	 405 (42 43) */		st	%g4,[%i0+8]
-/* 0x035c	 406 (42 45) */		fitod	%f17,%f16
-/* 0x0360	 407 (42 43) */		srax	%g4,32,%l4
-/* 0x0364	 408 (43 46) */		ld	[%i1+44],%l0
-/* 0x0368	 409 (43 46) */		fsubd	%f14,%f8,%f20
-/* 0x036c	 410 (43 44) */		add	%l2,%g5,%l2
-/* 0x0370	 411 (44 46) */		ldx	[%sp+2311],%g5
-/* 0x0374	 412 (44 47) */		fitod	%f22,%f8
-/* 0x0378	 413 (44 45) */		add	%l2,%l4,%l2
-/* 0x037c	 414 (44 47) */		fmuld	%f4,%f6,%f4
-/* 0x0380	 415 (45 46) */		st	%l2,[%i0+12]
-/* 0x0384	 416 (45 48) */		fsubd	%f14,%f16,%f10
-/* 0x0388	 417 (46 49) */		ld	[%i1+52],%l3
-/* 0x038c	 418 (46 49) */		fdtox	%f18,%f18
-/* 0x0390	 419 (46 47) */		add	%g5,%o0,%l4
-/* 0x0394	 420 (46 49) */		fmuld	%f20,%f6,%f12
-/* 0x0398	 421 (47 48) */		std	%f18,[%sp+2295]
-/* 0x039c	 422 (47 48) */		srax	%l2,32,%o0
-/* 0x03a0	 423 (47 50) */		fitod	%f23,%f16
-/* 0x03a4	 424 (48 51) */		ld	[%i1+48],%o5
-/* 0x03a8	 425 (48 51) */		fsubd	%f14,%f8,%f8
-/* 0x03ac	 426 (48 49) */		add	%l4,%o0,%l4
-/* 0x03b0	 427 (49 50) */		st	%l4,[%i0+16]
-/* 0x03b4	 428 (49 50) */		srax	%l4,32,%o0
-/* 0x03b8	 429 (49 51) */		fxnor	%f0,%f24,%f18
-/* 0x03bc	 430 (50 52) */		ldx	[%sp+2303],%g5
-/* 0x03c0	 431 (50 53) */		fdtox	%f4,%f4
-/* 0x03c4	 432 (51 52) */		std	%f4,[%sp+2287]
-/* 0x03c8	 433 (51 54) */		fdtox	%f12,%f12
-/* 0x03cc	 434 (51 54) */		fmuld	%f10,%f6,%f4
-/* 0x03d0	 435 (52 53) */		std	%f12,[%sp+2279]
-/* 0x03d4	 436 (52 55) */		fsubd	%f14,%f16,%f12
-/* 0x03d8	 437 (52 53) */		add	%g5,%o1,%g2
-/* 0x03dc	 438 (52 55) */		fmuld	%f8,%f6,%f8
-/* 0x03e0	 439 (53 55) */		ldx	[%sp+2295],%g5
-/* 0x03e4	 440 (53 56) */		fitod	%f18,%f10
-/* 0x03e8	 441 (53 54) */		add	%g2,%o0,%g2
-/* 0x03ec	 442 (54 55) */		st	%g2,[%i0+20]
-/* 0x03f0	 443 (54 57) */		fitod	%f19,%f16
-/* 0x03f4	 444 (54 55) */		srax	%g2,32,%o0
-/* 0x03f8	 445 (55 58) */		fdtox	%f8,%f8
-/* 0x03fc	 446 (55 56) */		std	%f8,[%sp+2263]
-/* 0x0400	 447 (55 56) */		add	%g5,%o2,%g3
-/* 0x0404	 448 (56 58) */		ldx	[%sp+2287],%g5
-/* 0x0408	 449 (56 59) */		fsubd	%f14,%f10,%f10
-/* 0x040c	 450 (56 57) */		add	%g3,%o0,%g3
-/* 0x0410	 451 (57 58) */		st	%g3,[%i0+24]
-/* 0x0414	 452 (57 60) */		fsubd	%f14,%f16,%f8
-/* 0x0418	 453 (57 58) */		srax	%g3,32,%o0
-/* 0x041c	 454 (58 61) */		fdtox	%f4,%f4
-/* 0x0420	 455 (58 59) */		std	%f4,[%sp+2271]
-/* 0x0424	 456 (58 59) */		add	%g5,%o3,%g4
-/* 0x0428	 457 (59 61) */		fxnor	%f0,%f26,%f18
-/* 0x042c	 458 (59 62) */		fmuld	%f12,%f6,%f4
-/* 0x0430	 459 (59 60) */		add	%g4,%o0,%g4
-/* 0x0434	 460 (60 61) */		st	%g4,[%i0+28]
-/* 0x0438	 461 (60 63) */		fmuld	%f10,%f6,%f10
-/* 0x043c	 462 (60 61) */		srax	%g4,32,%o0
-/* 0x0440	 463 (61 63) */		ldx	[%sp+2279],%g5
-/* 0x0444	 464 (61 64) */		fitod	%f18,%f12
-/* 0x0448	 465 (61 64) */		fmuld	%f8,%f6,%f8
-/* 0x044c	 466 (62 65) */		fdtox	%f4,%f4
-/* 0x0450	 467 (62 63) */		std	%f4,[%sp+2255]
-/* 0x0454	 468 (63 64) */		add	%g5,%o4,%l2
-/* 0x0458	 469 (63 65) */		ldx	[%sp+2271],%g5
-/* 0x045c	 470 (63 66) */		fdtox	%f10,%f16
-/* 0x0460	 471 (64 67) */		fsubd	%f14,%f12,%f4
-/* 0x0464	 472 (64 65) */		std	%f16,[%sp+2247]
-/* 0x0468	 473 (64 65) */		add	%l2,%o0,%l2
-/* 0x046c	 474 (65 68) */		fdtox	%f8,%f8
-/* 0x0470	 475 (65 66) */		std	%f8,[%sp+2239]
-/* 0x0474	 476 (65 66) */		add	%g5,%o7,%l4
-/* 0x0478	 477 (66 69) */		fitod	%f19,%f10
-/* 0x047c	 478 (66 68) */		ldx	[%sp+2263],%g5
-/* 0x0480	 479 (66 67) */		srax	%l2,32,%o0
-/* 0x0484	 480 (67 68) */		add	%l4,%o0,%l4
-/* 0x0488	 481 (67 70) */		fmuld	%f4,%f6,%f4
-/* 0x048c	 482 (67 69) */		ldx	[%sp+2255],%o0
-/* 0x0490	 483 (68 69) */		srax	%l4,32,%o1
-/* 0x0494	 484 (68 69) */		add	%g5,%l1,%l1
-/* 0x0498	 485 (68 69) */		st	%l2,[%i0+32]
-/* 0x049c	 486 (69 72) */		fsubd	%f14,%f10,%f8
-/* 0x04a0	 487 (69 71) */		ldx	[%sp+2239],%o3
-/* 0x04a4	 488 (69 70) */		add	%l1,%o1,%o1
-/* 0x04a8	 489 (70 72) */		ldx	[%sp+2247],%g5
-/* 0x04ac	 490 (70 71) */		srax	%o1,32,%o2
-/* 0x04b0	 491 (70 71) */		add	%o0,%l0,%o0
-/* 0x04b4	 492 (71 74) */		fdtox	%f4,%f4
-/* 0x04b8	 493 (71 72) */		std	%f4,[%sp+2231]
-/* 0x04bc	 494 (71 72) */		add	%o0,%o2,%o2
-/* 0x04c0	 495 (72 73) */		add	%o3,%l3,%l3
-/* 0x04c4	 496 (72 75) */		fmuld	%f8,%f6,%f4
-/* 0x04c8	 497 (72 73) */		add	%g5,%o5,%g5
-/* 0x04cc	 498 (73 74) */		srax	%o2,32,%o3
-/* 0x04d0	 499 (73 74) */		st	%l4,[%i0+36]
-/* 0x04d4	 500 (74 75) */		add	%g5,%o3,%g2
-/* 0x04d8	 501 (74 76) */		ldx	[%sp+2231],%o0
-/* 0x04dc	 502 (75 76) */		srax	%g2,32,%g3
-/* 0x04e0	 503 (75 78) */		fdtox	%f4,%f4
-/* 0x04e4	 504 (75 76) */		std	%f4,[%sp+2223]
-/* 0x04e8	 505 (76 77) */		st	%o1,[%i0+40]
-/* 0x04ec	 506 (76 77) */		add	%l3,%g3,%g3
-/* 0x04f0	 507 (76 77) */		add	%o0,%l5,%g5
-/* 0x04f4	 508 (77 78) */		st	%o2,[%i0+44]
-/* 0x04f8	 509 (77 78) */		srax	%g3,32,%g4
-/* 0x04fc	 510 (78 79) */		st	%g2,[%i0+48]
-/* 0x0500	 511 (78 79) */		add	%g5,%g4,%g4
-/* 0x0504	 512 (79 80) */		st	%g3,[%i0+52]
-/* 0x0508	 513 (79 80) */		srax	%g4,32,%g5
-/* 0x050c	 514 (80 83) */		ld	[%i1+60],%g3
-/* 0x0510	 515 (81 83) */		ldx	[%sp+2223],%g2
-/* 0x0514	 516 (82 83) */		st	%g4,[%i0+56]
-/* 0x0518	 517 (83 84) */		add	%g2,%g3,%g2
-/* 0x051c	 518 (84 85) */		add	%g2,%g5,%g2
-/* 0x0520	 519 (84 85) */		st	%g2,[%i0+60]
-/* 0x0524	 523 (85 86) */		srax	%g2,32,%o3
-/* 0x0528	 524 (86 87) */		srl	%o3,0,%i0
-/* 0x052c	     (87 89) */		ret	! Result =  %o1 %o0 %f0 %f1
-/* 0x0530	     (89 90) */		restore	%g0,%g0,%g0
-
-!
-! ENTRY .L900000157
-!
-
-                                   .L900000157:		/* frequency 1.0 confidence 0.0 */
-/* 0x0534	 532 ( 0  1) */		fmovd	%f0,%f14
-/* 0x0538	 533 ( 0  3) */		ldd	[%o0],%f8
-/* 0x053c	 539 ( 0  1) */		add	%i3,1,%g2
-/* 0x0540	 540 ( 1  4) */		ld	[%sp+2223],%f7
-/* 0x0544	 541 ( 1  2) */		srl	%g2,31,%g3
-/* 0x0548	 545 ( 1  2) */		add	%fp,-217,%g4
-/* 0x054c	 546 ( 2  3) */		add	%g2,%g3,%g2
-/* 0x0550	 547 ( 2  3) */		or	%g0,0,%g5
-/* 0x0554	 548 ( 2  5) */		ldd	[%o0+8],%f18
-/* 0x0558	 549 ( 3  4) */		fmovs	%f8,%f6
-/* 0x055c	 550 ( 3  4) */		sra	%g2,1,%o1
-/* 0x0560	 551 ( 3  4) */		or	%g0,0,%o0
-/* 0x0564	 552 ( 4  5) */		subcc	%o1,0,%g0
-/* 0x0568	 553 ( 5  6) */		or	%g0,%o1,%o3
-/* 0x056c	 554 ( 5  8) */		fsubd	%f6,%f8,%f16
-/* 0x0570	 555 ( 5  6) */		ble,pt	%icc,.L900000156	! tprob=0.50
-/* 0x0574	     ( 6  7) */		subcc	%i3,0,%g0
-/* 0x0578	 557 ( 6  7) */		sub	%o1,1,%g2
-/* 0x057c	 558 ( 7  8) */		or	%g0,0,%i0
-/* 0x0580	 559 ( 7  8) */		or	%g0,1,%g3
-/* 0x0584	 560 ( 8  9) */		subcc	%o3,10,%g0
-/* 0x0588	 561 ( 8  9) */		bl,pn	%icc,.L77000077	! tprob=0.50
-/* 0x058c	     ( 9 10) */		or	%g0,0,%o1
-/* 0x0590	 563 ( 9 12) */		ldd	[%i2+8],%f0
-/* 0x0594	 564 ( 9 10) */		sub	%o3,3,%o3
-/* 0x0598	 565 (10 13) */		ldd	[%i2],%f2
-/* 0x059c	 566 (10 11) */		or	%g0,7,%o0
-/* 0x05a0	 567 (10 11) */		or	%g0,2,%i0
-/* 0x05a4	 568 (11 13) */		fxnor	%f14,%f0,%f8
-/* 0x05a8	 569 (11 14) */		ldd	[%i2+16],%f4
-/* 0x05ac	 570 (11 12) */		or	%g0,16,%o2
-/* 0x05b0	 571 (12 14) */		fxnor	%f14,%f2,%f2
-/* 0x05b4	 572 (12 15) */		ldd	[%i2+24],%f6
-/* 0x05b8	 573 (12 13) */		or	%g0,48,%o4
-/* 0x05bc	 574 (13 16) */		fitod	%f8,%f12
-/* 0x05c0	 575 (13 14) */		or	%g0,24,%o1
-/* 0x05c4	 576 (13 14) */		or	%g0,3,%g3
-/* 0x05c8	 577 (14 17) */		fitod	%f2,%f0
-/* 0x05cc	 578 (15 18) */		fitod	%f3,%f20
-/* 0x05d0	 579 (15 18) */		ldd	[%i2+32],%f2
-/* 0x05d4	 580 (16 19) */		fitod	%f9,%f10
-/* 0x05d8	 581 (16 19) */		ldd	[%i2+40],%f8
-/* 0x05dc	 582 (17 20) */		fsubd	%f18,%f0,%f0
-/* 0x05e0	 583 (18 21) */		fsubd	%f18,%f20,%f22
-/* 0x05e4	 584 (19 22) */		fsubd	%f18,%f12,%f20
-/* 0x05e8	 585 (19 22) */		ldd	[%i2+48],%f12
-/* 0x05ec	 586 (20 23) */		fsubd	%f18,%f10,%f10
-/* 0x05f0	 587 (20 23) */		fmuld	%f0,%f16,%f0
-/* 0x05f4	 588 (21 23) */		fxnor	%f14,%f4,%f4
-/* 0x05f8	 589 (21 24) */		fmuld	%f22,%f16,%f22
-/* 0x05fc	 590 (22 24) */		fxnor	%f14,%f6,%f6
-/* 0x0600	 591 (22 25) */		fmuld	%f20,%f16,%f20
-/* 0x0604	 592 (23 26) */		fdtox	%f0,%f0
-/* 0x0608	 593 (23 24) */		std	%f0,[%fp-217]
-/* 0x060c	 594 (23 26) */		fmuld	%f10,%f16,%f10
-/* 0x0610	 595 (24 27) */		fdtox	%f22,%f22
-/* 0x0614	 596 (24 25) */		std	%f22,[%fp-209]
-/* 0x0618	 597 (25 28) */		fitod	%f5,%f0
-/* 0x061c	 598 (26 29) */		fdtox	%f10,%f10
-/* 0x0620	 599 (27 30) */		fdtox	%f20,%f20
-/* 0x0624	 600 (27 28) */		std	%f20,[%fp-201]
-/* 0x0628	 601 (28 31) */		fitod	%f4,%f4
-/* 0x062c	 602 (28 29) */		std	%f10,[%fp-193]
-/* 0x0630	 603 (29 31) */		fxnor	%f14,%f2,%f10
-/* 0x0634	 604 (30 33) */		fitod	%f7,%f2
-/* 0x0638	 605 (31 34) */		fsubd	%f18,%f0,%f0
-/* 0x063c	 606 (32 35) */		fsubd	%f18,%f4,%f4
-/* 0x0640	 607 (33 35) */		fxnor	%f14,%f8,%f8
-
-!
-! ENTRY .L900000144
-!
-
-                                   .L900000144:		/* frequency 1.0 confidence 0.0 */
-/* 0x0644	 609 ( 0  3) */		fitod	%f11,%f22
-/* 0x0648	 610 ( 0  1) */		add	%o0,3,%o0
-/* 0x064c	 611 ( 0  1) */		add	%g3,6,%g3
-/* 0x0650	 612 ( 0  3) */		fmuld	%f0,%f16,%f0
-/* 0x0654	 613 ( 1  4) */		fmuld	%f4,%f16,%f24
-/* 0x0658	 614 ( 1  2) */		subcc	%o0,%o3,%g0
-/* 0x065c	 615 ( 1  2) */		add	%i0,6,%i0
-/* 0x0660	 616 ( 1  4) */		fsubd	%f18,%f2,%f2
-/* 0x0664	 617 ( 2  5) */		fitod	%f6,%f4
-/* 0x0668	 618 ( 3  6) */		fdtox	%f0,%f0
-/* 0x066c	 619 ( 3  4) */		add	%o4,8,%i1
-/* 0x0670	 620 ( 4  7) */		ldd	[%i2+%i1],%f20
-/* 0x0674	 621 ( 4  7) */		fdtox	%f24,%f6
-/* 0x0678	 622 ( 4  5) */		add	%o2,16,%o4
-/* 0x067c	 623 ( 5  8) */		fsubd	%f18,%f4,%f4
-/* 0x0680	 624 ( 5  6) */		std	%f6,[%o4+%g4]
-/* 0x0684	 625 ( 5  6) */		add	%o1,16,%o2
-/* 0x0688	 626 ( 6  8) */		fxnor	%f14,%f12,%f6
-/* 0x068c	 627 ( 6  7) */		std	%f0,[%o2+%g4]
-/* 0x0690	 628 ( 7 10) */		fitod	%f9,%f0
-/* 0x0694	 629 ( 7 10) */		fmuld	%f2,%f16,%f2
-/* 0x0698	 630 ( 8 11) */		fmuld	%f4,%f16,%f24
-/* 0x069c	 631 ( 8 11) */		fsubd	%f18,%f22,%f12
-/* 0x06a0	 632 ( 9 12) */		fitod	%f10,%f4
-/* 0x06a4	 633 (10 13) */		fdtox	%f2,%f2
-/* 0x06a8	 634 (10 11) */		add	%i1,8,%o1
-/* 0x06ac	 635 (11 14) */		ldd	[%i2+%o1],%f22
-/* 0x06b0	 636 (11 14) */		fdtox	%f24,%f10
-/* 0x06b4	 637 (11 12) */		add	%o4,16,%i4
-/* 0x06b8	 638 (12 15) */		fsubd	%f18,%f4,%f4
-/* 0x06bc	 639 (12 13) */		std	%f10,[%i4+%g4]
-/* 0x06c0	 640 (12 13) */		add	%o2,16,%i1
-/* 0x06c4	 641 (13 15) */		fxnor	%f14,%f20,%f10
-/* 0x06c8	 642 (13 14) */		std	%f2,[%i1+%g4]
-/* 0x06cc	 643 (14 17) */		fitod	%f7,%f2
-/* 0x06d0	 644 (14 17) */		fmuld	%f12,%f16,%f12
-/* 0x06d4	 645 (15 18) */		fmuld	%f4,%f16,%f24
-/* 0x06d8	 646 (15 18) */		fsubd	%f18,%f0,%f0
-/* 0x06dc	 647 (16 19) */		fitod	%f8,%f4
-/* 0x06e0	 648 (17 20) */		fdtox	%f12,%f20
-/* 0x06e4	 649 (17 18) */		add	%o1,8,%o4
-/* 0x06e8	 650 (18 21) */		ldd	[%i2+%o4],%f12
-/* 0x06ec	 651 (18 21) */		fdtox	%f24,%f8
-/* 0x06f0	 652 (18 19) */		add	%i4,16,%o2
-/* 0x06f4	 653 (19 22) */		fsubd	%f18,%f4,%f4
-/* 0x06f8	 654 (19 20) */		std	%f8,[%o2+%g4]
-/* 0x06fc	 655 (19 20) */		add	%i1,16,%o1
-/* 0x0700	 656 (20 22) */		fxnor	%f14,%f22,%f8
-/* 0x0704	 657 (20 21) */		ble,pt	%icc,.L900000144	! tprob=0.50
-/* 0x0708	     (20 21) */		std	%f20,[%o1+%g4]
-
-!
-! ENTRY .L900000147
-!
-
-                                   .L900000147:		/* frequency 1.0 confidence 0.0 */
-/* 0x070c	 660 ( 0  3) */		fitod	%f6,%f6
-/* 0x0710	 661 ( 0  3) */		fmuld	%f4,%f16,%f24
-/* 0x0714	 662 ( 0  1) */		add	%i4,32,%l4
-/* 0x0718	 663 ( 1  4) */		fsubd	%f18,%f2,%f2
-/* 0x071c	 664 ( 1  4) */		fmuld	%f0,%f16,%f22
-/* 0x0720	 665 ( 1  2) */		add	%i1,32,%l3
-/* 0x0724	 666 ( 2  5) */		fitod	%f10,%f28
-/* 0x0728	 667 ( 2  3) */		sra	%o0,0,%o2
-/* 0x072c	 668 ( 2  3) */		add	%i4,48,%l2
-/* 0x0730	 669 ( 3  6) */		fsubd	%f18,%f6,%f4
-/* 0x0734	 670 ( 3  4) */		add	%i1,48,%l1
-/* 0x0738	 671 ( 3  4) */		add	%i4,64,%l0
-/* 0x073c	 672 ( 4  7) */		fitod	%f11,%f26
-/* 0x0740	 673 ( 4  5) */		sllx	%o2,3,%o1
-/* 0x0744	 674 ( 4  5) */		add	%i1,64,%i5
-/* 0x0748	 675 ( 5  8) */		fitod	%f8,%f6
-/* 0x074c	 676 ( 5  6) */		add	%i4,80,%i4
-/* 0x0750	 677 ( 5  6) */		add	%i1,80,%i1
-/* 0x0754	 678 ( 6  8) */		fxnor	%f14,%f12,%f0
-/* 0x0758	 679 ( 6  9) */		fmuld	%f4,%f16,%f20
-/* 0x075c	 680 ( 6  7) */		add	%i4,16,%o4
-/* 0x0760	 681 ( 7 10) */		fitod	%f9,%f4
-/* 0x0764	 682 ( 7 10) */		fmuld	%f2,%f16,%f12
-/* 0x0768	 683 ( 7  8) */		add	%i1,16,%o3
-/* 0x076c	 684 ( 8 11) */		fsubd	%f18,%f28,%f10
-/* 0x0770	 685 ( 8  9) */		subcc	%o0,%g2,%g0
-/* 0x0774	 686 ( 8  9) */		add	%g3,12,%g3
-/* 0x0778	 687 ( 9 12) */		fitod	%f0,%f2
-/* 0x077c	 688 (10 13) */		fsubd	%f18,%f26,%f8
-/* 0x0780	 689 (11 14) */		fitod	%f1,%f0
-/* 0x0784	 690 (11 14) */		fmuld	%f10,%f16,%f10
-/* 0x0788	 691 (12 15) */		fdtox	%f24,%f24
-/* 0x078c	 692 (12 13) */		std	%f24,[%l4+%g4]
-/* 0x0790	 693 (12 13) */		add	%i0,12,%i0
-/* 0x0794	 694 (13 16) */		fsubd	%f18,%f6,%f6
-/* 0x0798	 695 (13 16) */		fmuld	%f8,%f16,%f8
-/* 0x079c	 696 (14 17) */		fdtox	%f22,%f22
-/* 0x07a0	 697 (14 15) */		std	%f22,[%l3+%g4]
-/* 0x07a4	 698 (15 18) */		fsubd	%f18,%f4,%f4
-/* 0x07a8	 699 (16 19) */		fdtox	%f20,%f20
-/* 0x07ac	 700 (16 17) */		std	%f20,[%l2+%g4]
-/* 0x07b0	 701 (16 19) */		fmuld	%f6,%f16,%f6
-/* 0x07b4	 702 (17 20) */		fsubd	%f18,%f2,%f2
-/* 0x07b8	 703 (18 21) */		fsubd	%f18,%f0,%f0
-/* 0x07bc	 704 (18 21) */		fmuld	%f4,%f16,%f4
-/* 0x07c0	 705 (19 22) */		fdtox	%f12,%f12
-/* 0x07c4	 706 (19 20) */		std	%f12,[%l1+%g4]
-/* 0x07c8	 707 (20 23) */		fdtox	%f10,%f10
-/* 0x07cc	 708 (20 21) */		std	%f10,[%l0+%g4]
-/* 0x07d0	 709 (20 23) */		fmuld	%f2,%f16,%f2
-/* 0x07d4	 710 (21 24) */		fdtox	%f8,%f8
-/* 0x07d8	 711 (21 22) */		std	%f8,[%i5+%g4]
-/* 0x07dc	 712 (21 24) */		fmuld	%f0,%f16,%f0
-/* 0x07e0	 713 (22 25) */		fdtox	%f6,%f6
-/* 0x07e4	 714 (22 23) */		std	%f6,[%i4+%g4]
-/* 0x07e8	 715 (23 26) */		fdtox	%f4,%f4
-/* 0x07ec	 716 (23 24) */		std	%f4,[%i1+%g4]
-/* 0x07f0	 717 (24 27) */		fdtox	%f2,%f2
-/* 0x07f4	 718 (24 25) */		std	%f2,[%o4+%g4]
-/* 0x07f8	 719 (25 28) */		fdtox	%f0,%f0
-/* 0x07fc	 720 (25 26) */		bg,pn	%icc,.L77000043	! tprob=0.50
-/* 0x0800	     (25 26) */		std	%f0,[%o3+%g4]
-
-!
-! ENTRY .L77000077
-!
-
-                                   .L77000077:		/* frequency 1.0 confidence 0.0 */
-/* 0x0804	 723 ( 0  3) */		ldd	[%i2+%o1],%f0
-
-!
-! ENTRY .L900000155
-!
-
-                                   .L900000155:		/* frequency 1.0 confidence 0.0 */
-/* 0x0808	 725 ( 0  2) */		fxnor	%f14,%f0,%f0
-/* 0x080c	 726 ( 0  1) */		sra	%i0,0,%o1
-/* 0x0810	 727 ( 0  1) */		add	%o0,1,%o0
-/* 0x0814	 728 ( 1  2) */		sllx	%o1,3,%i4
-/* 0x0818	 729 ( 1  2) */		add	%i0,2,%i0
-/* 0x081c	 730 ( 2  5) */		fitod	%f0,%f2
-/* 0x0820	 731 ( 2  3) */		sra	%g3,0,%o1
-/* 0x0824	 732 ( 2  3) */		add	%g3,2,%g3
-/* 0x0828	 733 ( 3  6) */		fitod	%f1,%f0
-/* 0x082c	 734 ( 3  4) */		sllx	%o1,3,%i1
-/* 0x0830	 735 ( 3  4) */		subcc	%o0,%g2,%g0
-/* 0x0834	 736 ( 4  5) */		sra	%o0,0,%o2
-/* 0x0838	 737 ( 5  8) */		fsubd	%f18,%f2,%f2
-/* 0x083c	 738 ( 5  6) */		sllx	%o2,3,%o1
-/* 0x0840	 739 ( 6  9) */		fsubd	%f18,%f0,%f0
-/* 0x0844	 740 ( 8 11) */		fmuld	%f2,%f16,%f2
-/* 0x0848	 741 ( 9 12) */		fmuld	%f0,%f16,%f0
-/* 0x084c	 742 (11 14) */		fdtox	%f2,%f2
-/* 0x0850	 743 (11 12) */		std	%f2,[%i4+%g4]
-/* 0x0854	 744 (12 15) */		fdtox	%f0,%f0
-/* 0x0858	 745 (12 13) */		std	%f0,[%i1+%g4]
-/* 0x085c	 746 (12 13) */		ble,a,pt	%icc,.L900000155	! tprob=0.50
-/* 0x0860	     (14 17) */		ldd	[%i2+%o1],%f0
-
-!
-! ENTRY .L77000043
-!
-
-                                   .L77000043:		/* frequency 1.0 confidence 0.0 */
-/* 0x0864	 754 ( 0  1) */		subcc	%i3,0,%g0
-
-!
-! ENTRY .L900000156
-!
-
-                                   .L900000156:		/* frequency 1.0 confidence 0.0 */
-/* 0x0868	 756 ( 0  1) */		ble,a,pt	%icc,.L77000061	! tprob=0.50
-/* 0x086c	     ( 0  1) */		or	%g0,%g5,%o3
-/* 0x0870	 761 ( 0  2) */		ldx	[%fp-209],%i1
-/* 0x0874	 762 ( 1  2) */		sub	%i3,1,%g3
-/* 0x0878	 763 ( 1  2) */		or	%g0,0,%i0
-/* 0x087c	 764 ( 2  3) */		subcc	%i3,5,%g0
-/* 0x0880	 765 ( 2  3) */		bl,pn	%icc,.L77000078	! tprob=0.50
-/* 0x0884	     ( 2  4) */		ldx	[%fp-217],%i2
-/* 0x0888	 767 ( 3  6) */		ld	[%o5],%i3
-/* 0x088c	 768 ( 3  4) */		or	%g0,8,%g2
-/* 0x0890	 769 ( 3  4) */		or	%g0,16,%o4
-/* 0x0894	 770 ( 4  5) */		sub	%g3,1,%o3
-/* 0x0898	 771 ( 4  5) */		or	%g0,3,%i0
-/* 0x089c	 772 ( 5  6) */		add	%i2,%i3,%o1
-/* 0x08a0	 773 ( 5  8) */		ld	[%o5+4],%i2
-/* 0x08a4	 774 ( 6  7) */		st	%o1,[%o7]
-/* 0x08a8	 775 ( 6  7) */		srax	%o1,32,%o1
-/* 0x08ac	 776 ( 7  9) */		ldx	[%fp-201],%o2
-/* 0x08b0	 777 ( 7  8) */		add	%i1,%i2,%o0
-/* 0x08b4	 778 ( 7  8) */		or	%g0,%o1,%i1
-/* 0x08b8	 779 ( 8 11) */		ld	[%o5+8],%o1
-/* 0x08bc	 780 ( 8  9) */		add	%o0,%i1,%o0
-/* 0x08c0	 781 ( 9 10) */		st	%o0,[%o7+4]
-/* 0x08c4	 782 ( 9 10) */		srax	%o0,32,%o0
-
-!
-! ENTRY .L900000140
-!
-
-                                   .L900000140:		/* frequency 1.0 confidence 0.0 */
-/* 0x08c8	 784 ( 0  1) */		add	%g2,4,%i1
-/* 0x08cc	 785 ( 0  1) */		add	%o4,8,%o4
-/* 0x08d0	 786 ( 1  3) */		ldx	[%o4+%g4],%i2
-/* 0x08d4	 787 ( 1  2) */		sra	%o0,0,%g5
-/* 0x08d8	 788 ( 1  2) */		add	%o2,%o1,%o1
-/* 0x08dc	 789 ( 2  5) */		ld	[%o5+%i1],%o0
-/* 0x08e0	 790 ( 2  3) */		add	%o1,%g5,%o1
-/* 0x08e4	 791 ( 2  3) */		add	%i0,2,%i0
-/* 0x08e8	 792 ( 3  4) */		st	%o1,[%o7+%g2]
-/* 0x08ec	 793 ( 3  4) */		srax	%o1,32,%g5
-/* 0x08f0	 794 ( 3  4) */		subcc	%i0,%o3,%g0
-/* 0x08f4	 795 ( 4  5) */		add	%g2,8,%g2
-/* 0x08f8	 796 ( 4  5) */		add	%o4,8,%o4
-/* 0x08fc	 797 ( 5  7) */		ldx	[%o4+%g4],%o2
-/* 0x0900	 798 ( 5  6) */		add	%i2,%o0,%o0
-/* 0x0904	 799 ( 6  9) */		ld	[%o5+%g2],%o1
-/* 0x0908	 800 ( 6  7) */		add	%o0,%g5,%o0
-/* 0x090c	 801 ( 7  8) */		st	%o0,[%o7+%i1]
-/* 0x0910	 802 ( 7  8) */		ble,pt	%icc,.L900000140	! tprob=0.50
-/* 0x0914	     ( 7  8) */		srax	%o0,32,%o0
-
-!
-! ENTRY .L900000143
-!
-
-                                   .L900000143:		/* frequency 1.0 confidence 0.0 */
-/* 0x0918	 805 ( 0  1) */		sra	%o0,0,%o3
-/* 0x091c	 806 ( 0  1) */		add	%o2,%o1,%o0
-/* 0x0920	 807 ( 1  2) */		add	%o0,%o3,%o0
-/* 0x0924	 808 ( 1  2) */		st	%o0,[%o7+%g2]
-/* 0x0928	 809 ( 1  2) */		subcc	%i0,%g3,%g0
-/* 0x092c	 810 ( 2  3) */		srax	%o0,32,%g5
-/* 0x0930	 811 ( 2  3) */		bg,a,pn	%icc,.L77000061	! tprob=0.50
-/* 0x0934	     ( 3  4) */		or	%g0,%g5,%o3
-
-!
-! ENTRY .L77000078
-!
-
-                                   .L77000078:		/* frequency 1.0 confidence 0.0 */
-/* 0x0938	 814 ( 0  1) */		sra	%i0,0,%o0
-
-!
-! ENTRY .L900000154
-!
-
-                                   .L900000154:		/* frequency 1.0 confidence 0.0 */
-/* 0x093c	 816 ( 0  1) */		sllx	%o0,2,%g2
-/* 0x0940	 817 ( 0  1) */		add	%i0,1,%i0
-/* 0x0944	 818 ( 1  2) */		sllx	%o0,3,%o4
-/* 0x0948	 819 ( 1  4) */		ld	[%o5+%g2],%o2
-/* 0x094c	 820 ( 1  2) */		subcc	%i0,%g3,%g0
-/* 0x0950	 821 ( 2  4) */		ldx	[%o4+%g4],%o0
-/* 0x0954	 822 ( 2  3) */		sra	%g5,0,%o1
-/* 0x0958	 823 ( 4  5) */		add	%o0,%o2,%o0
-/* 0x095c	 824 ( 5  6) */		add	%o0,%o1,%o0
-/* 0x0960	 825 ( 5  6) */		st	%o0,[%o7+%g2]
-/* 0x0964	 826 ( 6  7) */		srax	%o0,32,%g5
-/* 0x0968	 827 ( 6  7) */		ble,pt	%icc,.L900000154	! tprob=0.50
-/* 0x096c	     ( 7  8) */		sra	%i0,0,%o0
-
-!
-! ENTRY .L77000047
-!
-
-                                   .L77000047:		/* frequency 1.0 confidence 0.0 */
-/* 0x0970	 834 ( 0  1) */		or	%g0,%g5,%o3
-
-!
-! ENTRY .L77000061
-!
-
-                                  .L77000061:		/* frequency 1.0 confidence 0.0 */
-
-/* 0x0974	 835 ( 1  2) */		srl	%o3,0,%i0
-/* 0x0978	     ( 2  4) */		ret	! Result =  %o1 %o0 %f0 %f1
-/* 0x097c	     ( 4  5) */		restore	%g0,%g0,%g0
-
-!
-! ENTRY .L77000048
-!
-
-                                   .L77000048:		/* frequency 1.0 confidence 0.0 */
-/* 0x0980	 844 ( 0  1) */		bne,pn	%icc,.L77000050	! tprob=0.50
-/* 0x0984	     ( 0  1) */		sethi	%hi(0xfff80000),%g2
-/* 0x0988	 854 ( 0  3) */		ldd	[%o2],%f4
-/* 0x098c	 855 ( 1  4) */		ldd	[%o0],%f6
-/* 0x0990	 856 ( 1  2) */		srl	%i4,19,%g3
-/* 0x0994	 857 ( 1  2) */		andn	%i4,%g2,%g2
-/* 0x0998	 858 ( 2  3) */		st	%g3,[%sp+2351]
-/* 0x099c	 859 ( 2  4) */		fxnor	%f0,%f4,%f4
-/* 0x09a0	 860 ( 3  4) */		st	%g2,[%sp+2355]
-/* 0x09a4	 861 ( 4  7) */		ldd	[%o2+8],%f12
-/* 0x09a8	 862 ( 4  7) */		fitod	%f4,%f10
-/* 0x09ac	 863 ( 5  8) */		ldd	[%o0+8],%f16
-/* 0x09b0	 864 ( 5  8) */		fitod	%f5,%f4
-/* 0x09b4	 865 ( 6  9) */		ldd	[%o2+16],%f18
-/* 0x09b8	 866 ( 6  8) */		fxnor	%f0,%f12,%f12
-/* 0x09bc	 867 ( 7 10) */		ld	[%sp+2351],%f9
-/* 0x09c0	 868 ( 7 10) */		fsubd	%f16,%f10,%f10
-/* 0x09c4	 869 ( 8 11) */		ld	[%sp+2355],%f15
-/* 0x09c8	 870 ( 8 11) */		fitod	%f12,%f22
-/* 0x09cc	 871 ( 9 12) */		ldd	[%o2+24],%f20
-/* 0x09d0	 872 ( 9 12) */		fitod	%f13,%f12
-/* 0x09d4	 876 (10 13) */		ld	[%i1],%g2
-/* 0x09d8	 877 (10 13) */		fsubd	%f16,%f4,%f4
-/* 0x09dc	 878 (11 14) */		ld	[%i1+4],%g3
-/* 0x09e0	 879 (11 14) */		fsubd	%f16,%f22,%f22
-/* 0x09e4	 880 (12 15) */		ld	[%i1+8],%g4
-/* 0x09e8	 881 (12 14) */		fxnor	%f0,%f18,%f18
-/* 0x09ec	 882 (13 16) */		ld	[%i1+12],%g5
-/* 0x09f0	 883 (13 16) */		fsubd	%f16,%f12,%f12
-/* 0x09f4	 884 (14 17) */		ld	[%i1+16],%o0
-/* 0x09f8	 885 (14 17) */		fitod	%f18,%f26
-/* 0x09fc	 886 (15 18) */		ld	[%i1+20],%o1
-/* 0x0a00	 887 (15 17) */		fxnor	%f0,%f20,%f20
-/* 0x0a04	 888 (16 19) */		ld	[%i1+24],%o2
-/* 0x0a08	 889 (17 20) */		ld	[%i1+28],%o3
-/* 0x0a0c	 890 (19 20) */		fmovs	%f6,%f8
-/* 0x0a10	 891 (20 21) */		fmovs	%f6,%f14
-/* 0x0a14	 892 (22 25) */		fsubd	%f8,%f6,%f8
-/* 0x0a18	 893 (23 26) */		fsubd	%f14,%f6,%f6
-/* 0x0a1c	 894 (25 28) */		fmuld	%f10,%f8,%f14
-/* 0x0a20	 895 (26 29) */		fmuld	%f10,%f6,%f10
-/* 0x0a24	 896 (27 30) */		fmuld	%f4,%f8,%f24
-/* 0x0a28	 897 (28 31) */		fdtox	%f14,%f14
-/* 0x0a2c	 898 (28 29) */		std	%f14,[%sp+2335]
-/* 0x0a30	 899 (28 31) */		fmuld	%f22,%f8,%f28
-/* 0x0a34	 900 (29 32) */		fitod	%f19,%f14
-/* 0x0a38	 901 (29 32) */		fmuld	%f22,%f6,%f18
-/* 0x0a3c	 902 (30 33) */		fdtox	%f10,%f10
-/* 0x0a40	 903 (30 31) */		std	%f10,[%sp+2343]
-/* 0x0a44	 904 (30 33) */		fmuld	%f4,%f6,%f4
-/* 0x0a48	 905 (31 34) */		fmuld	%f12,%f8,%f22
-/* 0x0a4c	 906 (32 35) */		fdtox	%f18,%f18
-/* 0x0a50	 907 (32 33) */		std	%f18,[%sp+2311]
-/* 0x0a54	 908 (32 35) */		fmuld	%f12,%f6,%f10
-/* 0x0a58	 909 (33 35) */		ldx	[%sp+2335],%o4
-/* 0x0a5c	 910 (33 36) */		fdtox	%f24,%f12
-/* 0x0a60	 911 (34 35) */		std	%f12,[%sp+2319]
-/* 0x0a64	 912 (34 37) */		fsubd	%f16,%f26,%f12
-/* 0x0a68	 913 (35 37) */		ldx	[%sp+2343],%o5
-/* 0x0a6c	 914 (35 36) */		sllx	%o4,19,%o4
-/* 0x0a70	 915 (35 38) */		fdtox	%f4,%f4
-/* 0x0a74	 916 (36 37) */		std	%f4,[%sp+2327]
-/* 0x0a78	 917 (36 39) */		fdtox	%f28,%f24
-/* 0x0a7c	 918 (37 38) */		std	%f24,[%sp+2303]
-/* 0x0a80	 919 (37 40) */		fitod	%f20,%f4
-/* 0x0a84	 920 (37 38) */		add	%o5,%o4,%o4
-/* 0x0a88	 921 (37 40) */		fmuld	%f12,%f8,%f24
-/* 0x0a8c	 922 (38 40) */		ldx	[%sp+2319],%o7
-/* 0x0a90	 923 (38 41) */		fsubd	%f16,%f14,%f14
-/* 0x0a94	 924 (38 39) */		add	%o4,%g2,%o4
-/* 0x0a98	 925 (38 41) */		fmuld	%f12,%f6,%f12
-/* 0x0a9c	 926 (39 41) */		ldx	[%sp+2327],%o5
-/* 0x0aa0	 927 (39 42) */		fitod	%f21,%f18
-/* 0x0aa4	 928 (40 41) */		st	%o4,[%i0]
-/* 0x0aa8	 929 (40 41) */		sllx	%o7,19,%o7
-/* 0x0aac	 930 (40 43) */		fdtox	%f22,%f20
-/* 0x0ab0	 931 (41 42) */		std	%f20,[%sp+2287]
-/* 0x0ab4	 932 (41 44) */		fdtox	%f10,%f10
-/* 0x0ab8	 933 (41 42) */		add	%o5,%o7,%o5
-/* 0x0abc	 934 (41 44) */		fmuld	%f14,%f8,%f20
-/* 0x0ac0	 935 (42 43) */		std	%f10,[%sp+2295]
-/* 0x0ac4	 936 (42 43) */		srlx	%o4,32,%o7
-/* 0x0ac8	 937 (42 45) */		fsubd	%f16,%f4,%f4
-/* 0x0acc	 938 (42 45) */		fmuld	%f14,%f6,%f14
-/* 0x0ad0	 939 (43 45) */		ldx	[%sp+2311],%g2
-/* 0x0ad4	 940 (43 46) */		fdtox	%f24,%f10
-/* 0x0ad8	 941 (43 44) */		add	%o5,%g3,%g3
-/* 0x0adc	 942 (44 45) */		std	%f10,[%sp+2271]
-/* 0x0ae0	 943 (44 45) */		add	%g3,%o7,%g3
-/* 0x0ae4	 944 (44 47) */		fdtox	%f12,%f12
-/* 0x0ae8	 945 (45 47) */		ldx	[%sp+2303],%l0
-/* 0x0aec	 946 (45 48) */		fsubd	%f16,%f18,%f10
-/* 0x0af0	 947 (45 48) */		fmuld	%f4,%f8,%f16
-/* 0x0af4	 948 (46 47) */		std	%f12,[%sp+2279]
-/* 0x0af8	 949 (46 49) */		fdtox	%f20,%f12
-/* 0x0afc	 950 (46 49) */		fmuld	%f4,%f6,%f4
-/* 0x0b00	 951 (47 48) */		std	%f12,[%sp+2255]
-/* 0x0b04	 952 (47 48) */		sllx	%l0,19,%l0
-/* 0x0b08	 953 (47 50) */		fdtox	%f14,%f12
-/* 0x0b0c	 954 (48 50) */		ldx	[%sp+2287],%o5
-/* 0x0b10	 955 (48 49) */		add	%g2,%l0,%g2
-/* 0x0b14	 956 (48 51) */		fmuld	%f10,%f8,%f8
-/* 0x0b18	 957 (49 51) */		ldx	[%sp+2295],%l1
-/* 0x0b1c	 958 (49 50) */		srlx	%g3,32,%l0
-/* 0x0b20	 959 (49 50) */		add	%g2,%g4,%g4
-/* 0x0b24	 960 (49 52) */		fmuld	%f10,%f6,%f6
-/* 0x0b28	 961 (50 51) */		std	%f12,[%sp+2263]
-/* 0x0b2c	 962 (50 51) */		sllx	%o5,19,%g2
-/* 0x0b30	 963 (50 51) */		add	%g4,%l0,%g4
-/* 0x0b34	 964 (51 53) */		ldx	[%sp+2279],%l0
-/* 0x0b38	 965 (51 52) */		srlx	%g4,32,%o5
-/* 0x0b3c	 966 (51 52) */		add	%l1,%g2,%g2
-/* 0x0b40	 967 (52 53) */		st	%g3,[%i0+4]
-/* 0x0b44	 968 (52 53) */		add	%g2,%g5,%g2
-/* 0x0b48	 969 (52 55) */		fdtox	%f16,%f10
-/* 0x0b4c	 970 (53 55) */		ldx	[%sp+2271],%o7
-/* 0x0b50	 971 (53 54) */		add	%g2,%o5,%g2
-/* 0x0b54	 972 (53 56) */		fdtox	%f4,%f4
-/* 0x0b58	 973 (54 55) */		std	%f10,[%sp+2239]
-/* 0x0b5c	 974 (55 56) */		sllx	%o7,19,%o7
-/* 0x0b60	 975 (55 56) */		std	%f4,[%sp+2247]
-/* 0x0b64	 976 (55 58) */		fdtox	%f8,%f4
-/* 0x0b68	 977 (56 57) */		add	%l0,%o7,%o7
-/* 0x0b6c	 978 (56 58) */		ldx	[%sp+2263],%o5
-/* 0x0b70	 979 (57 58) */		add	%o7,%o0,%o0
-/* 0x0b74	 980 (57 58) */		std	%f4,[%sp+2223]
-/* 0x0b78	 981 (57 60) */		fdtox	%f6,%f4
-/* 0x0b7c	 982 (58 60) */		ldx	[%sp+2255],%g5
-/* 0x0b80	 983 (58 59) */		srlx	%g2,32,%o7
-/* 0x0b84	 984 (59 60) */		std	%f4,[%sp+2231]
-/* 0x0b88	 985 (59 60) */		add	%o0,%o7,%o0
-/* 0x0b8c	 986 (60 61) */		sllx	%g5,19,%g5
-/* 0x0b90	 987 (60 62) */		ldx	[%sp+2247],%l1
-/* 0x0b94	 988 (61 62) */		add	%o5,%g5,%g5
-/* 0x0b98	 989 (61 62) */		st	%g2,[%i0+12]
-/* 0x0b9c	 990 (62 64) */		ldx	[%sp+2239],%l0
-/* 0x0ba0	 991 (62 63) */		srlx	%o0,32,%o4
-/* 0x0ba4	 992 (62 63) */		add	%g5,%o1,%o1
-/* 0x0ba8	 993 (63 64) */		add	%o1,%o4,%o1
-/* 0x0bac	 994 (63 65) */		ldx	[%sp+2223],%o7
-/* 0x0bb0	 995 (64 65) */		sllx	%l0,19,%g3
-/* 0x0bb4	 996 (64 66) */		ldx	[%sp+2231],%o5
-/* 0x0bb8	 997 (65 66) */		add	%l1,%g3,%o4
-/* 0x0bbc	 998 (65 66) */		st	%o0,[%i0+16]
-/* 0x0bc0	 999 (66 67) */		add	%o4,%o2,%o2
-/* 0x0bc4	1000 (66 67) */		st	%o1,[%i0+20]
-/* 0x0bc8	1001 (67 68) */		srlx	%o1,32,%o4
-/* 0x0bcc	1002 (67 68) */		st	%g4,[%i0+8]
-/* 0x0bd0	1003 (68 69) */		sllx	%o7,19,%g2
-/* 0x0bd4	1004 (68 69) */		add	%o2,%o4,%o4
-/* 0x0bd8	1005 (68 69) */		st	%o4,[%i0+24]
-/* 0x0bdc	1006 (69 70) */		add	%o5,%g2,%g2
-/* 0x0be0	1007 (70 71) */		srlx	%o4,32,%g3
-/* 0x0be4	1008 (70 71) */		add	%g2,%o3,%g2
-/* 0x0be8	1009 (71 72) */		add	%g2,%g3,%g2
-/* 0x0bec	1010 (71 72) */		st	%g2,[%i0+28]
-/* 0x0bf0	1014 (72 73) */		srlx	%g2,32,%o3
-/* 0x0bf4	1015 (73 74) */		srl	%o3,0,%i0
-/* 0x0bf8	     (74 76) */		ret	! Result =  %o1 %o0 %f0 %f1
-/* 0x0bfc	     (76 77) */		restore	%g0,%g0,%g0
-
-!
-! ENTRY .L77000050
-!
-
-                                   .L77000050:		/* frequency 1.0 confidence 0.0 */
-/* 0x0c00	1022 ( 0  1) */		subcc	%i3,16,%g0
-/* 0x0c04	1023 ( 0  1) */		bne,pn	%icc,.L77000073	! tprob=0.50
-/* 0x0c08	     ( 0  1) */		sethi	%hi(0xfff80000),%g2
-/* 0x0c0c	1034 ( 1  4) */		ldd	[%o2],%f4
-/* 0x0c10	1035 ( 1  2) */		andn	%i4,%g2,%g2
-/* 0x0c14	1036 ( 2  3) */		st	%g2,[%sp+2483]
-/* 0x0c18	1037 ( 2  3) */		srl	%i4,19,%g2
-/* 0x0c1c	1038 ( 3  4) */		st	%g2,[%sp+2479]
-/* 0x0c20	1039 ( 3  5) */		fxnor	%f0,%f4,%f4
-/* 0x0c24	1040 ( 4  7) */		ldd	[%o0],%f8
-/* 0x0c28	1041 ( 5  8) */		fitod	%f4,%f10
-/* 0x0c2c	1042 ( 5  8) */		ldd	[%o0+8],%f16
-/* 0x0c30	1043 ( 6  9) */		ldd	[%o2+8],%f14
-/* 0x0c34	1044 ( 6  9) */		fitod	%f5,%f4
-/* 0x0c38	1045 ( 7 10) */		ld	[%sp+2483],%f13
-/* 0x0c3c	1046 ( 8 11) */		ld	[%sp+2479],%f7
-/* 0x0c40	1047 ( 8 11) */		fsubd	%f16,%f10,%f10
-/* 0x0c44	1048 ( 9 11) */		fxnor	%f0,%f14,%f14
-/* 0x0c48	1049 (10 13) */		fsubd	%f16,%f4,%f4
-/* 0x0c4c	1050 (14 15) */		fmovs	%f8,%f12
-/* 0x0c50	1051 (15 16) */		fmovs	%f8,%f6
-/* 0x0c54	1052 (17 20) */		fsubd	%f12,%f8,%f12
-/* 0x0c58	1053 (18 21) */		fsubd	%f6,%f8,%f6
-/* 0x0c5c	1054 (19 22) */		fitod	%f14,%f8
-/* 0x0c60	1055 (20 23) */		fmuld	%f10,%f12,%f18
-/* 0x0c64	1056 (20 23) */		fitod	%f15,%f14
-/* 0x0c68	1057 (21 24) */		fmuld	%f10,%f6,%f10
-/* 0x0c6c	1058 (22 25) */		fsubd	%f16,%f8,%f8
-/* 0x0c70	1059 (22 25) */		fmuld	%f4,%f12,%f20
-/* 0x0c74	1060 (23 26) */		fmuld	%f4,%f6,%f4
-/* 0x0c78	1061 (23 26) */		fsubd	%f16,%f14,%f14
-/* 0x0c7c	1062 (24 27) */		fdtox	%f10,%f10
-/* 0x0c80	1063 (24 25) */		std	%f10,[%sp+2463]
-/* 0x0c84	1064 (25 28) */		fmuld	%f8,%f12,%f10
-/* 0x0c88	1065 (25 28) */		fdtox	%f18,%f18
-/* 0x0c8c	1066 (25 26) */		std	%f18,[%sp+2471]
-/* 0x0c90	1067 (26 29) */		fmuld	%f8,%f6,%f8
-/* 0x0c94	1068 (26 29) */		fdtox	%f4,%f4
-/* 0x0c98	1069 (26 27) */		std	%f4,[%sp+2447]
-/* 0x0c9c	1070 (27 30) */		fmuld	%f14,%f12,%f4
-/* 0x0ca0	1071 (27 30) */		fdtox	%f20,%f18
-/* 0x0ca4	1072 (27 28) */		std	%f18,[%sp+2455]
-/* 0x0ca8	1073 (28 31) */		fdtox	%f10,%f10
-/* 0x0cac	1074 (28 29) */		std	%f10,[%sp+2439]
-/* 0x0cb0	1075 (28 31) */		fmuld	%f14,%f6,%f14
-/* 0x0cb4	1076 (29 32) */		fdtox	%f8,%f8
-/* 0x0cb8	1077 (29 30) */		std	%f8,[%sp+2431]
-/* 0x0cbc	1078 (30 33) */		ldd	[%o2+16],%f10
-/* 0x0cc0	1079 (30 33) */		fdtox	%f4,%f4
-/* 0x0cc4	1080 (31 34) */		ldd	[%o2+24],%f8
-/* 0x0cc8	1081 (31 34) */		fdtox	%f14,%f14
-/* 0x0ccc	1082 (32 33) */		std	%f4,[%sp+2423]
-/* 0x0cd0	1083 (32 34) */		fxnor	%f0,%f10,%f10
-/* 0x0cd4	1084 (33 35) */		fxnor	%f0,%f8,%f4
-/* 0x0cd8	1085 (33 34) */		std	%f14,[%sp+2415]
-/* 0x0cdc	1086 (34 37) */		fitod	%f10,%f8
-/* 0x0ce0	1087 (35 38) */		fitod	%f11,%f10
-/* 0x0ce4	1088 (36 39) */		fitod	%f4,%f14
-/* 0x0ce8	1089 (37 40) */		fsubd	%f16,%f8,%f8
-/* 0x0cec	1090 (38 41) */		fsubd	%f16,%f10,%f10
-/* 0x0cf0	1091 (39 42) */		fsubd	%f16,%f14,%f14
-/* 0x0cf4	1092 (40 43) */		fmuld	%f8,%f12,%f18
-/* 0x0cf8	1093 (40 43) */		fitod	%f5,%f4
-/* 0x0cfc	1094 (41 44) */		fmuld	%f8,%f6,%f8
-/* 0x0d00	1095 (42 45) */		fmuld	%f10,%f12,%f20
-/* 0x0d04	1096 (43 46) */		fmuld	%f10,%f6,%f10
-/* 0x0d08	1097 (43 46) */		fsubd	%f16,%f4,%f4
-/* 0x0d0c	1098 (44 47) */		fdtox	%f8,%f8
-/* 0x0d10	1099 (44 45) */		std	%f8,[%sp+2399]
-/* 0x0d14	1100 (45 48) */		fmuld	%f14,%f12,%f8
-/* 0x0d18	1101 (45 48) */		fdtox	%f18,%f18
-/* 0x0d1c	1102 (45 46) */		std	%f18,[%sp+2407]
-/* 0x0d20	1103 (46 49) */		fdtox	%f10,%f10
-/* 0x0d24	1104 (46 47) */		std	%f10,[%sp+2383]
-/* 0x0d28	1105 (46 49) */		fmuld	%f14,%f6,%f14
-/* 0x0d2c	1106 (47 50) */		fmuld	%f4,%f12,%f10
-/* 0x0d30	1107 (47 50) */		fdtox	%f20,%f18
-/* 0x0d34	1108 (47 48) */		std	%f18,[%sp+2391]
-/* 0x0d38	1109 (48 51) */		fdtox	%f8,%f8
-/* 0x0d3c	1110 (48 49) */		std	%f8,[%sp+2375]
-/* 0x0d40	1111 (48 51) */		fmuld	%f4,%f6,%f4
-/* 0x0d44	1112 (49 52) */		fdtox	%f14,%f14
-/* 0x0d48	1113 (49 50) */		std	%f14,[%sp+2367]
-/* 0x0d4c	1117 (50 53) */		ldd	[%o2+32],%f8
-/* 0x0d50	1118 (50 53) */		fdtox	%f10,%f10
-/* 0x0d54	1119 (51 54) */		fdtox	%f4,%f4
-/* 0x0d58	1120 (51 52) */		std	%f4,[%sp+2351]
-/* 0x0d5c	1121 (52 54) */		fxnor	%f0,%f8,%f8
-/* 0x0d60	1122 (52 55) */		ldd	[%o2+40],%f14
-/* 0x0d64	1123 (53 54) */		std	%f10,[%sp+2359]
-/* 0x0d68	1124 (54 57) */		fitod	%f8,%f4
-/* 0x0d6c	1125 (55 57) */		fxnor	%f0,%f14,%f10
-/* 0x0d70	1126 (56 59) */		fitod	%f9,%f8
-/* 0x0d74	1127 (57 60) */		fsubd	%f16,%f4,%f4
-/* 0x0d78	1128 (58 61) */		fitod	%f10,%f14
-/* 0x0d7c	1129 (59 62) */		fsubd	%f16,%f8,%f8
-/* 0x0d80	1130 (60 63) */		fmuld	%f4,%f12,%f18
-/* 0x0d84	1131 (60 63) */		fitod	%f11,%f10
-/* 0x0d88	1132 (61 64) */		fmuld	%f4,%f6,%f4
-/* 0x0d8c	1133 (61 64) */		fsubd	%f16,%f14,%f14
-/* 0x0d90	1134 (62 65) */		fmuld	%f8,%f12,%f20
-/* 0x0d94	1135 (63 66) */		fmuld	%f8,%f6,%f8
-/* 0x0d98	1136 (63 66) */		fsubd	%f16,%f10,%f10
-/* 0x0d9c	1137 (64 67) */		fdtox	%f4,%f4
-/* 0x0da0	1138 (64 65) */		std	%f4,[%sp+2335]
-/* 0x0da4	1139 (65 68) */		fmuld	%f14,%f12,%f4
-/* 0x0da8	1140 (65 68) */		fdtox	%f18,%f18
-/* 0x0dac	1141 (65 66) */		std	%f18,[%sp+2343]
-/* 0x0db0	1142 (66 69) */		fdtox	%f8,%f8
-/* 0x0db4	1143 (66 67) */		std	%f8,[%sp+2319]
-/* 0x0db8	1144 (66 69) */		fmuld	%f14,%f6,%f14
-/* 0x0dbc	1145 (67 70) */		fmuld	%f10,%f12,%f8
-/* 0x0dc0	1146 (67 70) */		fdtox	%f20,%f18
-/* 0x0dc4	1147 (67 68) */		std	%f18,[%sp+2327]
-/* 0x0dc8	1148 (68 71) */		fdtox	%f4,%f4
-/* 0x0dcc	1149 (68 69) */		std	%f4,[%sp+2311]
-/* 0x0dd0	1150 (68 71) */		fmuld	%f10,%f6,%f10
-/* 0x0dd4	1151 (69 72) */		fdtox	%f14,%f14
-/* 0x0dd8	1152 (69 70) */		std	%f14,[%sp+2303]
-/* 0x0ddc	1153 (70 73) */		ldd	[%o2+48],%f4
-/* 0x0de0	1154 (70 73) */		fdtox	%f8,%f8
-/* 0x0de4	1155 (71 74) */		fdtox	%f10,%f10
-/* 0x0de8	1156 (71 72) */		std	%f10,[%sp+2287]
-/* 0x0dec	1157 (72 74) */		fxnor	%f0,%f4,%f4
-/* 0x0df0	1158 (72 75) */		ldd	[%o2+56],%f14
-/* 0x0df4	1159 (73 74) */		std	%f8,[%sp+2295]
-/* 0x0df8	1160 (74 77) */		fitod	%f4,%f10
-/* 0x0dfc	1161 (75 78) */		fitod	%f5,%f4
-/* 0x0e00	1162 (76 78) */		fxnor	%f0,%f14,%f8
-/* 0x0e04	1163 (77 80) */		fsubd	%f16,%f10,%f10
-/* 0x0e08	1164 (78 81) */		fsubd	%f16,%f4,%f4
-/* 0x0e0c	1165 (79 82) */		fitod	%f8,%f14
-/* 0x0e10	1166 (80 83) */		fmuld	%f10,%f12,%f18
-/* 0x0e14	1167 (80 83) */		fitod	%f9,%f8
-/* 0x0e18	1168 (81 84) */		fmuld	%f10,%f6,%f10
-/* 0x0e1c	1169 (82 85) */		fmuld	%f4,%f12,%f20
-/* 0x0e20	1170 (82 85) */		fsubd	%f16,%f14,%f14
-/* 0x0e24	1171 (83 86) */		fdtox	%f18,%f18
-/* 0x0e28	1172 (83 84) */		std	%f18,[%sp+2279]
-/* 0x0e2c	1173 (83 86) */		fmuld	%f4,%f6,%f4
-/* 0x0e30	1174 (84 87) */		fdtox	%f10,%f10
-/* 0x0e34	1175 (84 85) */		std	%f10,[%sp+2271]
-/* 0x0e38	1176 (85 88) */		fdtox	%f20,%f10
-/* 0x0e3c	1177 (85 86) */		std	%f10,[%sp+2263]
-/* 0x0e40	1178 (86 89) */		fdtox	%f4,%f4
-/* 0x0e44	1179 (86 87) */		std	%f4,[%sp+2255]
-/* 0x0e48	1180 (86 89) */		fmuld	%f14,%f12,%f10
-/* 0x0e4c	1181 (87 90) */		fmuld	%f14,%f6,%f4
-/* 0x0e50	1182 (89 92) */		fdtox	%f10,%f10
-/* 0x0e54	1183 (89 90) */		std	%f10,[%sp+2247]
-/* 0x0e58	1184 (90 93) */		fdtox	%f4,%f4
-/* 0x0e5c	1185 (90 91) */		std	%f4,[%sp+2239]
-/* 0x0e60	1189 (91 93) */		ldx	[%sp+2463],%g2
-/* 0x0e64	1190 (91 94) */		fsubd	%f16,%f8,%f4
-/* 0x0e68	1191 (92 94) */		ldx	[%sp+2471],%g3
-/* 0x0e6c	1192 (93 96) */		ld	[%i1],%g4
-/* 0x0e70	1193 (93 94) */		sllx	%g2,19,%g2
-/* 0x0e74	1194 (94 96) */		ldx	[%sp+2455],%g5
-/* 0x0e78	1195 (94 95) */		add	%g3,%g2,%g2
-/* 0x0e7c	1196 (94 97) */		fmuld	%f4,%f6,%f6
-/* 0x0e80	1197 (95 97) */		ldx	[%sp+2447],%g3
-/* 0x0e84	1198 (95 96) */		add	%g2,%g4,%g4
-/* 0x0e88	1199 (95 98) */		fmuld	%f4,%f12,%f4
-/* 0x0e8c	1200 (96 97) */		st	%g4,[%i0]
-/* 0x0e90	1201 (96 97) */		srlx	%g4,32,%g4
-/* 0x0e94	1202 (97 100) */		ld	[%i1+8],%o0
-/* 0x0e98	1203 (97 98) */		sllx	%g3,19,%g2
-/* 0x0e9c	1204 (97 100) */		fdtox	%f6,%f6
-/* 0x0ea0	1205 (98 101) */		ld	[%i1+4],%g3
-/* 0x0ea4	1206 (98 99) */		add	%g5,%g2,%g2
-/* 0x0ea8	1207 (98 101) */		fdtox	%f4,%f4
-/* 0x0eac	1208 (99 101) */		ldx	[%sp+2439],%g5
-/* 0x0eb0	1209 (100 103) */		ld	[%i1+12],%o1
-/* 0x0eb4	1210 (100 101) */		add	%g2,%g3,%g2
-/* 0x0eb8	1211 (101 103) */		ldx	[%sp+2431],%g3
-/* 0x0ebc	1212 (101 102) */		add	%g2,%g4,%g4
-/* 0x0ec0	1213 (102 103) */		st	%g4,[%i0+4]
-/* 0x0ec4	1214 (103 104) */		std	%f6,[%sp+2223]
-/* 0x0ec8	1215 (103 104) */		sllx	%g3,19,%g2
-/* 0x0ecc	1216 (104 106) */		ldx	[%sp+2423],%g3
-/* 0x0ed0	1217 (104 105) */		add	%g5,%g2,%g2
-/* 0x0ed4	1218 (105 107) */		ldx	[%sp+2415],%g5
-/* 0x0ed8	1219 (105 106) */		add	%g2,%o0,%g2
-/* 0x0edc	1220 (106 107) */		std	%f4,[%sp+2231]
-/* 0x0ee0	1221 (106 107) */		srlx	%g4,32,%o0
-/* 0x0ee4	1222 (107 109) */		ldx	[%sp+2407],%g4
-/* 0x0ee8	1223 (107 108) */		sllx	%g5,19,%g5
-/* 0x0eec	1224 (107 108) */		add	%g2,%o0,%g2
-/* 0x0ef0	1225 (108 109) */		st	%g2,[%i0+8]
-/* 0x0ef4	1226 (108 109) */		srlx	%g2,32,%o0
-/* 0x0ef8	1227 (108 109) */		add	%g3,%g5,%g3
-/* 0x0efc	1228 (109 111) */		ldx	[%sp+2399],%g5
-/* 0x0f00	1229 (109 110) */		add	%g3,%o1,%g3
-/* 0x0f04	1230 (110 113) */		ld	[%i1+16],%o1
-/* 0x0f08	1231 (110 111) */		add	%g3,%o0,%g3
-/* 0x0f0c	1232 (111 112) */		st	%g3,[%i0+12]
-/* 0x0f10	1233 (111 112) */		sllx	%g5,19,%g5
-/* 0x0f14	1234 (112 113) */		srlx	%g3,32,%o0
-/* 0x0f18	1235 (112 113) */		add	%g4,%g5,%g2
-/* 0x0f1c	1236 (112 114) */		ldx	[%sp+2383],%g5
-/* 0x0f20	1237 (113 115) */		ldx	[%sp+2391],%g4
-/* 0x0f24	1238 (113 114) */		add	%g2,%o1,%g2
-/* 0x0f28	1239 (114 117) */		ld	[%i1+20],%o1
-/* 0x0f2c	1240 (114 115) */		sllx	%g5,19,%g5
-/* 0x0f30	1241 (114 115) */		add	%g2,%o0,%g2
-/* 0x0f34	1242 (115 116) */		st	%g2,[%i0+16]
-/* 0x0f38	1243 (115 116) */		srlx	%g2,32,%o0
-/* 0x0f3c	1244 (115 116) */		add	%g4,%g5,%g3
-/* 0x0f40	1245 (116 118) */		ldx	[%sp+2367],%g5
-/* 0x0f44	1246 (116 117) */		add	%g3,%o1,%g3
-/* 0x0f48	1247 (117 119) */		ldx	[%sp+2375],%g4
-/* 0x0f4c	1248 (117 118) */		add	%g3,%o0,%g3
-/* 0x0f50	1249 (118 121) */		ld	[%i1+24],%o1
-/* 0x0f54	1250 (118 119) */		sllx	%g5,19,%g5
-/* 0x0f58	1251 (119 120) */		st	%g3,[%i0+20]
-/* 0x0f5c	1252 (119 120) */		add	%g4,%g5,%g2
-/* 0x0f60	1253 (120 122) */		ldx	[%sp+2351],%g5
-/* 0x0f64	1254 (120 121) */		srlx	%g3,32,%o0
-/* 0x0f68	1255 (120 121) */		add	%g2,%o1,%g2
-/* 0x0f6c	1256 (121 123) */		ldx	[%sp+2359],%g4
-/* 0x0f70	1257 (121 122) */		add	%g2,%o0,%g2
-/* 0x0f74	1258 (122 125) */		ld	[%i1+28],%o1
-/* 0x0f78	1259 (122 123) */		sllx	%g5,19,%g5
-/* 0x0f7c	1260 (123 124) */		st	%g2,[%i0+24]
-/* 0x0f80	1261 (123 124) */		add	%g4,%g5,%g3
-/* 0x0f84	1265 (124 126) */		ldx	[%sp+2335],%g5
-/* 0x0f88	1266 (124 125) */		srlx	%g2,32,%o0
-/* 0x0f8c	1267 (124 125) */		add	%g3,%o1,%g3
-/* 0x0f90	1268 (125 127) */		ldx	[%sp+2343],%g4
-/* 0x0f94	1269 (125 126) */		add	%g3,%o0,%g3
-/* 0x0f98	1270 (126 127) */		sllx	%g5,19,%g5
-/* 0x0f9c	1271 (126 129) */		ld	[%i1+32],%o1
-/* 0x0fa0	1272 (127 128) */		add	%g4,%g5,%g2
-/* 0x0fa4	1273 (127 129) */		ldx	[%sp+2319],%g5
-/* 0x0fa8	1274 (128 130) */		ldx	[%sp+2327],%g4
-/* 0x0fac	1275 (128 129) */		srlx	%g3,32,%o0
-/* 0x0fb0	1276 (128 129) */		add	%g2,%o1,%g2
-/* 0x0fb4	1277 (129 130) */		st	%g3,[%i0+28]
-/* 0x0fb8	1278 (129 130) */		sllx	%g5,19,%g5
-/* 0x0fbc	1279 (129 130) */		add	%g2,%o0,%g2
-/* 0x0fc0	1280 (130 133) */		ld	[%i1+36],%o1
-/* 0x0fc4	1281 (130 131) */		add	%g4,%g5,%g3
-/* 0x0fc8	1282 (131 133) */		ldx	[%sp+2303],%g5
-/* 0x0fcc	1283 (131 132) */		srlx	%g2,32,%o0
-/* 0x0fd0	1284 (132 134) */		ldx	[%sp+2311],%g4
-/* 0x0fd4	1285 (132 133) */		add	%g3,%o1,%g3
-/* 0x0fd8	1286 (133 134) */		sllx	%g5,19,%g5
-/* 0x0fdc	1287 (133 134) */		st	%g2,[%i0+32]
-/* 0x0fe0	1288 (133 134) */		add	%g3,%o0,%g3
-/* 0x0fe4	1289 (134 135) */		add	%g4,%g5,%g2
-/* 0x0fe8	1290 (134 136) */		ldx	[%sp+2287],%g5
-/* 0x0fec	1291 (135 137) */		ldx	[%sp+2295],%g4
-/* 0x0ff0	1292 (135 136) */		srlx	%g3,32,%o0
-/* 0x0ff4	1293 (136 139) */		ld	[%i1+40],%o1
-/* 0x0ff8	1294 (136 137) */		sllx	%g5,19,%g5
-/* 0x0ffc	1295 (137 138) */		st	%g3,[%i0+36]
-/* 0x1000	1296 (137 138) */		add	%g4,%g5,%g3
-/* 0x1004	1297 (138 140) */		ldx	[%sp+2271],%g5
-/* 0x1008	1298 (138 139) */		add	%g2,%o1,%g2
-/* 0x100c	1299 (139 141) */		ldx	[%sp+2279],%g4
-/* 0x1010	1300 (139 140) */		add	%g2,%o0,%g2
-/* 0x1014	1301 (140 143) */		ld	[%i1+44],%o1
-/* 0x1018	1302 (140 141) */		sllx	%g5,19,%g5
-/* 0x101c	1303 (141 142) */		st	%g2,[%i0+40]
-/* 0x1020	1304 (141 142) */		srlx	%g2,32,%o0
-/* 0x1024	1305 (141 142) */		add	%g4,%g5,%g2
-/* 0x1028	1306 (142 144) */		ldx	[%sp+2255],%g5
-/* 0x102c	1307 (142 143) */		add	%g3,%o1,%g3
-/* 0x1030	1308 (143 145) */		ldx	[%sp+2263],%g4
-/* 0x1034	1309 (143 144) */		add	%g3,%o0,%g3
-/* 0x1038	1310 (144 147) */		ld	[%i1+48],%o1
-/* 0x103c	1311 (144 145) */		sllx	%g5,19,%g5
-/* 0x1040	1312 (145 146) */		srlx	%g3,32,%o0
-/* 0x1044	1313 (145 146) */		st	%g3,[%i0+44]
-/* 0x1048	1314 (145 146) */		add	%g4,%g5,%g3
-/* 0x104c	1315 (146 148) */		ldx	[%sp+2239],%g5
-/* 0x1050	1316 (146 147) */		add	%g2,%o1,%g2
-/* 0x1054	1317 (147 150) */		ld	[%i1+52],%o1
-/* 0x1058	1318 (147 148) */		add	%g2,%o0,%g2
-/* 0x105c	1319 (148 150) */		ldx	[%sp+2247],%g4
-/* 0x1060	1320 (148 149) */		sllx	%g5,19,%g5
-/* 0x1064	1321 (149 150) */		srlx	%g2,32,%o0
-/* 0x1068	1322 (149 150) */		st	%g2,[%i0+48]
-/* 0x106c	1323 (149 150) */		add	%g3,%o1,%g3
-/* 0x1070	1324 (150 153) */		ld	[%i1+56],%o1
-/* 0x1074	1325 (150 151) */		add	%g4,%g5,%g2
-/* 0x1078	1326 (150 151) */		add	%g3,%o0,%g3
-/* 0x107c	1327 (151 153) */		ldx	[%sp+2223],%g5
-/* 0x1080	1328 (151 152) */		srlx	%g3,32,%o0
-/* 0x1084	1329 (152 154) */		ldx	[%sp+2231],%g4
-/* 0x1088	1330 (152 153) */		add	%g2,%o1,%g2
-/* 0x108c	1331 (153 154) */		sllx	%g5,19,%g5
-/* 0x1090	1332 (153 156) */		ld	[%i1+60],%o1
-/* 0x1094	1333 (153 154) */		add	%g2,%o0,%g2
-/* 0x1098	1334 (154 155) */		st	%g3,[%i0+52]
-/* 0x109c	1335 (154 155) */		add	%g4,%g5,%g3
-/* 0x10a0	1336 (155 156) */		st	%g2,[%i0+56]
-/* 0x10a4	1337 (155 156) */		srlx	%g2,32,%g2
-/* 0x10a8	1338 (155 156) */		add	%g3,%o1,%g3
-/* 0x10ac	1339 (156 157) */		add	%g3,%g2,%g2
-/* 0x10b0	1340 (156 157) */		st	%g2,[%i0+60]
-/* 0x10b4	1344 (157 158) */		srlx	%g2,32,%o3
-/* 0x10b8	1345 (158 159) */		srl	%o3,0,%i0
-/* 0x10bc	     (159 161) */		ret	! Result =  %o1 %o0 %f0 %f1
-/* 0x10c0	     (161 162) */		restore	%g0,%g0,%g0
-
-!
-! ENTRY .L77000073
-!
-
-                                   .L77000073:		/* frequency 1.0 confidence 0.0 */
-
-
-	or	%g0, %i4, %o2
-	or	%g0, %o0, %o1
-	or	%g0, %i3, %o0
-
-!
-! ENTRY .L77000052
-!
-
-                                   .L77000052:		/* frequency 1.0 confidence 0.0 */
-/* 0x1028	1318 ( 0  1) */		andn	%o2,%g2,%g2
-/* 0x102c	1319 ( 0  1) */		st	%g2,[%sp+2227]
-/* 0x1030	1325 ( 0  1) */		add	%o0,1,%g3
-/* 0x1034	1326 ( 0  1) */		fmovd	%f0,%f14
-/* 0x1038	1327 ( 1  2) */		srl	%o2,19,%g2
-/* 0x103c	1328 ( 1  2) */		st	%g2,[%sp+2223]
-/* 0x1040	1329 ( 1  2) */		or	%g0,0,%o5
-/* 0x1044	1330 ( 2  3) */		srl	%g3,31,%g2
-/* 0x1048	1331 ( 2  5) */		ldd	[%o1],%f6
-/* 0x104c	1335 ( 2  3) */		sethi	%hi(0x1000),%g1
-/* 0x1050	1336 ( 3  4) */		add	%g3,%g2,%g2
-/* 0x1054	1337 ( 3  4) */		xor	%g1,-625,%g1
-/* 0x1058	1338 ( 3  6) */		ldd	[%o1+8],%f20
-/* 0x105c	1339 ( 4  5) */		sra	%g2,1,%o3
-/* 0x1060	1340 ( 4  5) */		fmovs	%f6,%f8
-/* 0x1064	1341 ( 4  5) */		add	%g1,%fp,%g3
-/* 0x1068	1342 ( 5  6) */		fmovs	%f6,%f10
-/* 0x106c	1343 ( 5  7) */		ld	[%sp+2227],%f9
-/* 0x1070	1344 ( 5  6) */		subcc	%o3,0,%g0
-/* 0x1074	1345 ( 6  8) */		ld	[%sp+2223],%f11
-/* 0x1078	1346 ( 6  7) */		sethi	%hi(0x1000),%g1
-/* 0x107c	1347 ( 6  7) */		or	%g0,%i2,%o1
-/* 0x1080	1348 ( 7 10) */		fsubd	%f8,%f6,%f18
-/* 0x1084	1349 ( 7  8) */		xor	%g1,-617,%g1
-/* 0x1088	1350 ( 7  8) */		or	%g0,0,%g4
-/* 0x108c	1351 ( 8 11) */		fsubd	%f10,%f6,%f16
-/* 0x1090	1352 ( 8  9) */		bleu,pt	%icc,.L990000162	! tprob=0.50
-/* 0x1094	     ( 8  9) */		subcc	%o0,0,%g0
-/* 0x1098	1354 ( 9 10) */		add	%g1,%fp,%g2
-/* 0x109c	1355 ( 9 10) */		sethi	%hi(0x1000),%g1
-/* 0x10a0	1356 (10 11) */		xor	%g1,-609,%g1
-/* 0x10a4	1357 (10 11) */		subcc	%o3,7,%g0
-/* 0x10a8	1358 (11 12) */		add	%g1,%fp,%o7
-/* 0x10ac	1359 (11 12) */		sethi	%hi(0x1000),%g1
-/* 0x10b0	1360 (12 13) */		xor	%g1,-601,%g1
-/* 0x10b4	1361 (13 14) */		add	%g1,%fp,%o4
-/* 0x10b8	1362 (13 14) */		bl,pn	%icc,.L77000054	! tprob=0.50
-/* 0x10bc	     (13 14) */		sub	%o3,2,%o2
-/* 0x10c0	1364 (14 17) */		ldd	[%o1],%f2
-/* 0x10c4	1365 (14 15) */		add	%o1,16,%g5
-/* 0x10c8	1366 (14 15) */		or	%g0,4,%g4
-/* 0x10cc	1367 (15 18) */		ldd	[%o1+8],%f0
-/* 0x10d0	1368 (15 16) */		add	%o1,8,%o1
-/* 0x10d4	1369 (16 18) */		fxnor	%f14,%f2,%f6
-/* 0x10d8	1370 (16 19) */		ldd	[%g5],%f4
-/* 0x10dc	1371 (16 17) */		add	%o1,16,%o1
-/* 0x10e0	1372 (17 19) */		fxnor	%f14,%f0,%f12
-/* 0x10e4	1373 (17 20) */		ldd	[%o1],%f0
-/* 0x10e8	1374 (17 18) */		add	%o1,8,%o1
-/* 0x10ec	1375 (18 21) */		fitod	%f7,%f2
-/* 0x10f0	1376 (19 22) */		fitod	%f6,%f6
-/* 0x10f4	1377 (20 22) */		fxnor	%f14,%f4,%f10
-/* 0x10f8	1378 (21 24) */		fsubd	%f20,%f2,%f2
-/* 0x10fc	1379 (22 24) */		fxnor	%f14,%f0,%f8
-/* 0x1100	1380 (23 26) */		fitod	%f13,%f4
-/* 0x1104	1381 (24 27) */		fsubd	%f20,%f6,%f6
-/* 0x1108	1382 (24 27) */		fmuld	%f2,%f16,%f0
-
-!
-! ENTRY .L990000154
-!
-
-                                   .L990000154:		/* frequency 1.0 confidence 0.0 */
-/* 0x110c	1384 ( 0  3) */		ldd	[%o1],%f24
-/* 0x1110	1385 ( 0  1) */		add	%g4,3,%g4
-/* 0x1114	1386 ( 0  1) */		add	%o4,96,%o4
-/* 0x1118	1387 ( 1  4) */		fitod	%f11,%f22
-/* 0x111c	1388 ( 2  5) */		fsubd	%f20,%f4,%f26
-/* 0x1120	1389 ( 2  3) */		subcc	%g4,%o2,%g0
-/* 0x1124	1390 ( 2  3) */		add	%o7,96,%o7
-/* 0x1128	1391 ( 2  5) */		fmuld	%f6,%f18,%f28
-/* 0x112c	1392 ( 3  6) */		fmuld	%f6,%f16,%f6
-/* 0x1130	1393 ( 3  4) */		add	%g2,96,%g2
-/* 0x1134	1394 ( 3  4) */		add	%g3,96,%g3
-/* 0x1138	1395 ( 4  7) */		fdtox	%f0,%f0
-/* 0x113c	1396 ( 5  8) */		fitod	%f12,%f4
-/* 0x1140	1397 ( 5  8) */		fmuld	%f2,%f18,%f2
-/* 0x1144	1398 ( 6  9) */		fdtox	%f28,%f12
-/* 0x1148	1399 ( 7 10) */		fdtox	%f6,%f6
-/* 0x114c	1400 ( 7  8) */		std	%f12,[%g3-96]
-/* 0x1150	1401 ( 8  9) */		std	%f6,[%g2-96]
-/* 0x1154	1402 ( 8 11) */		fdtox	%f2,%f2
-/* 0x1158	1403 ( 9 12) */		fsubd	%f20,%f4,%f6
-/* 0x115c	1404 ( 9 10) */		std	%f2,[%o7-96]
-/* 0x1160	1405 ( 9 10) */		add	%o1,8,%o1
-/* 0x1164	1406 (10 12) */		fxnor	%f14,%f24,%f12
-/* 0x1168	1407 (10 13) */		fmuld	%f26,%f16,%f4
-/* 0x116c	1408 (10 11) */		std	%f0,[%o4-96]
-/* 0x1170	1409 (11 14) */		ldd	[%o1],%f0
-/* 0x1174	1410 (11 14) */		fitod	%f9,%f2
-/* 0x1178	1411 (12 15) */		fsubd	%f20,%f22,%f28
-/* 0x117c	1412 (12 15) */		fmuld	%f6,%f18,%f24
-/* 0x1180	1413 (13 16) */		fmuld	%f6,%f16,%f22
-/* 0x1184	1414 (13 16) */		fdtox	%f4,%f4
-/* 0x1188	1415 (14 17) */		fitod	%f10,%f6
-/* 0x118c	1416 (14 17) */		fmuld	%f26,%f18,%f10
-/* 0x1190	1417 (15 18) */		fdtox	%f24,%f24
-/* 0x1194	1418 (16 19) */		fdtox	%f22,%f22
-/* 0x1198	1419 (16 17) */		std	%f24,[%g3-64]
-/* 0x119c	1420 (17 18) */		std	%f22,[%g2-64]
-/* 0x11a0	1421 (17 20) */		fdtox	%f10,%f10
-/* 0x11a4	1422 (18 21) */		fsubd	%f20,%f6,%f6
-/* 0x11a8	1423 (18 19) */		std	%f10,[%o7-64]
-/* 0x11ac	1424 (18 19) */		add	%o1,8,%o1
-/* 0x11b0	1425 (19 21) */		fxnor	%f14,%f0,%f10
-/* 0x11b4	1426 (19 22) */		fmuld	%f28,%f16,%f0
-/* 0x11b8	1427 (19 20) */		std	%f4,[%o4-64]
-/* 0x11bc	1428 (20 23) */		ldd	[%o1],%f22
-/* 0x11c0	1429 (20 23) */		fitod	%f13,%f4
-/* 0x11c4	1430 (21 24) */		fsubd	%f20,%f2,%f2
-/* 0x11c8	1431 (21 24) */		fmuld	%f6,%f18,%f26
-/* 0x11cc	1432 (22 25) */		fmuld	%f6,%f16,%f24
-/* 0x11d0	1433 (22 25) */		fdtox	%f0,%f0
-/* 0x11d4	1434 (23 26) */		fitod	%f8,%f6
-/* 0x11d8	1435 (23 26) */		fmuld	%f28,%f18,%f8
-/* 0x11dc	1436 (24 27) */		fdtox	%f26,%f26
-/* 0x11e0	1437 (25 28) */		fdtox	%f24,%f24
-/* 0x11e4	1438 (25 26) */		std	%f26,[%g3-32]
-/* 0x11e8	1439 (26 27) */		std	%f24,[%g2-32]
-/* 0x11ec	1440 (26 29) */		fdtox	%f8,%f8
-/* 0x11f0	1441 (27 30) */		fsubd	%f20,%f6,%f6
-/* 0x11f4	1442 (27 28) */		std	%f8,[%o7-32]
-/* 0x11f8	1443 (27 28) */		add	%o1,8,%o1
-/* 0x11fc	1444 (28 30) */		fxnor	%f14,%f22,%f8
-/* 0x1200	1445 (28 29) */		std	%f0,[%o4-32]
-/* 0x1204	1446 (28 29) */		bcs,pt	%icc,.L990000154	! tprob=0.50
-/* 0x1208	     (28 31) */		fmuld	%f2,%f16,%f0
-
-!
-! ENTRY .L990000157
-!
-
-                                   .L990000157:		/* frequency 1.0 confidence 0.0 */
-/* 0x120c	1449 ( 0  3) */		fitod	%f12,%f28
-/* 0x1210	1450 ( 0  3) */		fmuld	%f6,%f18,%f24
-/* 0x1214	1451 ( 0  1) */		add	%g3,128,%g3
-/* 0x1218	1452 ( 1  4) */		fitod	%f10,%f12
-/* 0x121c	1453 ( 1  4) */		fmuld	%f6,%f16,%f26
-/* 0x1220	1454 ( 1  2) */		add	%g2,128,%g2
-/* 0x1224	1455 ( 2  5) */		fsubd	%f20,%f4,%f4
-/* 0x1228	1456 ( 2  5) */		fmuld	%f2,%f18,%f22
-/* 0x122c	1457 ( 2  3) */		add	%o7,128,%o7
-/* 0x1230	1458 ( 3  6) */		fdtox	%f24,%f6
-/* 0x1234	1459 ( 3  4) */		std	%f6,[%g3-128]
-/* 0x1238	1460 ( 3  4) */		add	%o4,128,%o4
-/* 0x123c	1461 ( 4  7) */		fsubd	%f20,%f28,%f2
-/* 0x1240	1462 ( 4  5) */		subcc	%g4,%o3,%g0
-/* 0x1244	1463 ( 5  8) */		fitod	%f11,%f6
-/* 0x1248	1464 ( 5  8) */		fmuld	%f4,%f18,%f24
-/* 0x124c	1465 ( 6  9) */		fdtox	%f26,%f10
-/* 0x1250	1466 ( 6  7) */		std	%f10,[%g2-128]
-/* 0x1254	1467 ( 7 10) */		fdtox	%f22,%f10
-/* 0x1258	1468 ( 7  8) */		std	%f10,[%o7-128]
-/* 0x125c	1469 ( 7 10) */		fmuld	%f2,%f18,%f26
-/* 0x1260	1470 ( 8 11) */		fsubd	%f20,%f12,%f10
-/* 0x1264	1471 ( 8 11) */		fmuld	%f2,%f16,%f2
-/* 0x1268	1472 ( 9 12) */		fsubd	%f20,%f6,%f22
-/* 0x126c	1473 ( 9 12) */		fmuld	%f4,%f16,%f12
-/* 0x1270	1474 (10 13) */		fdtox	%f0,%f0
-/* 0x1274	1475 (10 11) */		std	%f0,[%o4-128]
-/* 0x1278	1476 (11 14) */		fitod	%f8,%f4
-/* 0x127c	1477 (11 14) */		fmuld	%f10,%f18,%f6
-/* 0x1280	1478 (12 15) */		fdtox	%f26,%f0
-/* 0x1284	1479 (12 13) */		std	%f0,[%g3-96]
-/* 0x1288	1480 (12 15) */		fmuld	%f10,%f16,%f10
-/* 0x128c	1481 (13 16) */		fdtox	%f2,%f2
-/* 0x1290	1482 (13 14) */		std	%f2,[%g2-96]
-/* 0x1294	1483 (14 17) */		fitod	%f9,%f0
-/* 0x1298	1484 (14 17) */		fmuld	%f22,%f18,%f2
-/* 0x129c	1485 (15 18) */		fdtox	%f24,%f8
-/* 0x12a0	1486 (15 16) */		std	%f8,[%o7-96]
-/* 0x12a4	1487 (16 19) */		fsubd	%f20,%f4,%f4
-/* 0x12a8	1488 (16 19) */		fmuld	%f22,%f16,%f8
-/* 0x12ac	1489 (17 20) */		fdtox	%f12,%f12
-/* 0x12b0	1490 (17 18) */		std	%f12,[%o4-96]
-/* 0x12b4	1491 (18 21) */		fsubd	%f20,%f0,%f0
-/* 0x12b8	1492 (19 22) */		fdtox	%f6,%f6
-/* 0x12bc	1493 (19 20) */		std	%f6,[%g3-64]
-/* 0x12c0	1494 (20 23) */		fdtox	%f10,%f10
-/* 0x12c4	1495 (20 21) */		std	%f10,[%g2-64]
-/* 0x12c8	1496 (20 23) */		fmuld	%f4,%f18,%f6
-/* 0x12cc	1497 (21 24) */		fdtox	%f2,%f2
-/* 0x12d0	1498 (21 22) */		std	%f2,[%o7-64]
-/* 0x12d4	1499 (21 24) */		fmuld	%f4,%f16,%f4
-/* 0x12d8	1500 (22 25) */		fmuld	%f0,%f18,%f2
-/* 0x12dc	1501 (22 25) */		fdtox	%f8,%f8
-/* 0x12e0	1502 (22 23) */		std	%f8,[%o4-64]
-/* 0x12e4	1503 (23 26) */		fdtox	%f6,%f6
-/* 0x12e8	1504 (23 24) */		std	%f6,[%g3-32]
-/* 0x12ec	1505 (23 26) */		fmuld	%f0,%f16,%f0
-/* 0x12f0	1506 (24 27) */		fdtox	%f4,%f4
-/* 0x12f4	1507 (24 25) */		std	%f4,[%g2-32]
-/* 0x12f8	1508 (25 28) */		fdtox	%f2,%f2
-/* 0x12fc	1509 (25 26) */		std	%f2,[%o7-32]
-/* 0x1300	1510 (26 29) */		fdtox	%f0,%f0
-/* 0x1304	1511 (26 27) */		bcc,pn	%icc,.L77000056	! tprob=0.50
-/* 0x1308	     (26 27) */		std	%f0,[%o4-32]
-
-!
-! ENTRY .L77000054
-!
-
-                                   .L77000054:		/* frequency 1.0 confidence 0.0 */
-/* 0x130c	1514 ( 0  3) */		ldd	[%o1],%f0
-
-!
-! ENTRY .L990000161
-!
-
-                                   .L990000161:		/* frequency 1.0 confidence 0.0 */
-/* 0x1310	1516 ( 0  2) */		fxnor	%f14,%f0,%f0
-/* 0x1314	1517 ( 0  1) */		add	%g4,1,%g4
-/* 0x1318	1518 ( 0  1) */		add	%o1,8,%o1
-/* 0x131c	1519 ( 1  2) */		subcc	%g4,%o3,%g0
-/* 0x1320	1520 ( 2  5) */		fitod	%f0,%f2
-/* 0x1324	1521 ( 3  6) */		fitod	%f1,%f0
-/* 0x1328	1522 ( 5  8) */		fsubd	%f20,%f2,%f2
-/* 0x132c	1523 ( 6  9) */		fsubd	%f20,%f0,%f0
-/* 0x1330	1524 ( 8 11) */		fmuld	%f2,%f18,%f6
-/* 0x1334	1525 ( 9 12) */		fmuld	%f2,%f16,%f4
-/* 0x1338	1526 (10 13) */		fmuld	%f0,%f18,%f2
-/* 0x133c	1527 (11 14) */		fdtox	%f6,%f6
-/* 0x1340	1528 (11 12) */		std	%f6,[%g3]
-/* 0x1344	1529 (11 14) */		fmuld	%f0,%f16,%f0
-/* 0x1348	1530 (12 15) */		fdtox	%f4,%f4
-/* 0x134c	1531 (12 13) */		std	%f4,[%g2]
-/* 0x1350	1532 (12 13) */		add	%g2,32,%g2
-/* 0x1354	1533 (13 16) */		fdtox	%f2,%f2
-/* 0x1358	1534 (13 14) */		std	%f2,[%o7]
-/* 0x135c	1535 (13 14) */		add	%o7,32,%o7
-/* 0x1360	1536 (14 17) */		fdtox	%f0,%f0
-/* 0x1364	1537 (14 15) */		std	%f0,[%o4]
-/* 0x1368	1538 (14 15) */		add	%o4,32,%o4
-/* 0x136c	1539 (15 16) */		add	%g3,32,%g3
-/* 0x1370	1540 (15 16) */		bcs,a,pt	%icc,.L990000161	! tprob=0.50
-/* 0x1374	     (16 19) */		ldd	[%o1],%f0
-
-!
-! ENTRY .L77000056
-!
-
-                                   .L77000056:		/* frequency 1.0 confidence 0.0 */
-/* 0x1378	1548 ( 0  1) */		subcc	%o0,0,%g0
-
-!
-! ENTRY .L990000162
-!
-
-                                   .L990000162:		/* frequency 1.0 confidence 0.0 */
-/* 0x137c	1550 ( 0  1) */		bleu,pt	%icc,.L77770061	! tprob=0.50
-/* 0x1380	     ( 0  1) */		nop
-/* 0x1384	1555 ( 0  1) */		sethi	%hi(0x1000),%g1
-/* 0x1388	1556 ( 1  2) */		xor	%g1,-625,%g1
-/* 0x138c	1557 ( 1  2) */		or	%g0,%i1,%g4
-/* 0x1390	1558 ( 2  3) */		add	%g1,%fp,%g5
-/* 0x1394	1559 ( 2  3) */		sethi	%hi(0x1000),%g1
-/* 0x1398	1560 ( 3  4) */		xor	%g1,-617,%g1
-/* 0x139c	1561 ( 3  4) */		or	%g0,%o0,%o7
-/* 0x13a0	1562 ( 4  5) */		add	%g1,%fp,%g2
-/* 0x13a4	1563 ( 4  5) */		or	%g0,0,%i2
-/* 0x13a8	1564 ( 5  6) */		or	%g0,%i0,%g3
-/* 0x13ac	1565 ( 5  6) */		subcc	%o0,6,%g0
-/* 0x13b0	1566 ( 5  6) */		bl,pn	%icc,.L77000058	! tprob=0.50
-/* 0x13b4	     ( 6  7) */		sethi	%hi(0x1000),%g1
-/* 0x13b8	1568 ( 6  8) */		ld	[%g4],%o2
-/* 0x13bc	1569 ( 6  7) */		add	%g3,4,%g3
-/* 0x13c0	1570 ( 7  8) */		xor	%g1,-585,%g1
-/* 0x13c4	1571 ( 7  8) */		sub	%o7,3,%o4
-/* 0x13c8	1572 ( 8  9) */		add	%g1,%fp,%g2
-/* 0x13cc	1573 ( 8  9) */		sethi	%hi(0x1000),%g1
-/* 0x13d0	1574 ( 9 10) */		xor	%g1,-593,%g1
-/* 0x13d4	1575 ( 9 10) */		or	%g0,2,%i2
-/* 0x13d8	1576 (10 11) */		add	%g1,%fp,%g5
-/* 0x13dc	1577 (10 11) */		sethi	%hi(0x1000),%g1
-/* 0x13e0	1578 (11 12) */		xor	%g1,-617,%g1
-/* 0x13e4	1579 (12 13) */		add	%g1,%fp,%g1
-/* 0x13e8	1580 (13 15) */		ldx	[%g1],%o1
-/* 0x13ec	1581 (14 16) */		ldx	[%g1-8],%o0
-/* 0x13f0	1582 (15 16) */		sllx	%o1,19,%o1
-/* 0x13f4	1583 (15 17) */		ldx	[%g1+16],%o3
-/* 0x13f8	1584 (16 17) */		add	%o0,%o1,%o0
-/* 0x13fc	1585 (16 18) */		ld	[%g4+4],%o1
-/* 0x1400	1586 (16 17) */		add	%g4,8,%g4
-/* 0x1404	1587 (17 18) */		sllx	%o3,19,%o3
-/* 0x1408	1588 (17 18) */		add	%o0,%o2,%o0
-/* 0x140c	1589 (17 19) */		ldx	[%g1+8],%o2
-/* 0x1410	1590 (18 19) */		st	%o0,[%g3-4]
-/* 0x1414	1591 (18 19) */		srlx	%o0,32,%o0
-
-!
-! ENTRY .L990000142
-!
-
-                                   .L990000142:		/* frequency 1.0 confidence 0.0 */
-/* 0x1418	1593 ( 0  1) */		add	%o2,%o3,%o2
-/* 0x141c	1594 ( 0  1) */		add	%i2,4,%i2
-/* 0x1420	1595 ( 0  2) */		ld	[%g4],%o3
-/* 0x1424	1596 ( 1  2) */		srl	%o0,0,%o5
-/* 0x1428	1597 ( 1  2) */		add	%o2,%o1,%o1
-/* 0x142c	1598 ( 1  3) */		ldx	[%g2],%o0
-/* 0x1430	1599 ( 3  4) */		sllx	%o0,19,%o2
-/* 0x1434	1600 ( 3  5) */		ldx	[%g5],%o0
-/* 0x1438	1601 ( 3  4) */		add	%o1,%o5,%o1
-/* 0x143c	1602 ( 4  5) */		st	%o1,[%g3]
-/* 0x1440	1603 ( 4  5) */		srlx	%o1,32,%o5
-/* 0x1444	1604 ( 4  5) */		subcc	%i2,%o4,%g0
-/* 0x1448	1605 ( 5  7) */		ldx	[%g2+16],%o1
-/* 0x144c	1606 ( 5  6) */		add	%o0,%o2,%o0
-/* 0x1450	1607 ( 5  6) */		add	%g3,16,%g3
-/* 0x1454	1608 ( 6  8) */		ld	[%g4+4],%o2
-/* 0x1458	1609 ( 6  7) */		add	%o0,%o3,%o0
-/* 0x145c	1610 ( 7  8) */		sllx	%o1,19,%o3
-/* 0x1460	1611 ( 7  9) */		ldx	[%g5+16],%o1
-/* 0x1464	1612 ( 7  8) */		add	%o0,%o5,%o0
-/* 0x1468	1613 ( 8  9) */		st	%o0,[%g3-12]
-/* 0x146c	1614 ( 8  9) */		srlx	%o0,32,%o5
-/* 0x1470	1615 ( 8  9) */		add	%g4,16,%g4
-/* 0x1474	1616 ( 9 11) */		ldx	[%g2+32],%o0
-/* 0x1478	1617 ( 9 10) */		add	%o1,%o3,%o1
-/* 0x147c	1618 ( 9 10) */		add	%g2,64,%g2
-/* 0x1480	1619 (10 12) */		ld	[%g4-8],%o3
-/* 0x1484	1620 (10 11) */		add	%o1,%o2,%o2
-/* 0x1488	1621 (11 12) */		sllx	%o0,19,%o1
-/* 0x148c	1622 (11 13) */		ldx	[%g5+32],%o0
-/* 0x1490	1623 (11 12) */		add	%o2,%o5,%o2
-/* 0x1494	1624 (12 13) */		st	%o2,[%g3-8]
-/* 0x1498	1625 (12 13) */		srlx	%o2,32,%o5
-/* 0x149c	1626 (12 13) */		add	%g5,64,%g5
-/* 0x14a0	1627 (13 15) */		ldx	[%g2-16],%o2
-/* 0x14a4	1628 (13 14) */		add	%o0,%o1,%o0
-/* 0x14a8	1629 (14 16) */		ld	[%g4-4],%o1
-/* 0x14ac	1630 (14 15) */		add	%o0,%o3,%o0
-/* 0x14b0	1631 (15 16) */		sllx	%o2,19,%o3
-/* 0x14b4	1632 (15 17) */		ldx	[%g5-16],%o2
-/* 0x14b8	1633 (15 16) */		add	%o0,%o5,%o0
-/* 0x14bc	1634 (16 17) */		st	%o0,[%g3-4]
-/* 0x14c0	1635 (16 17) */		bcs,pt	%icc,.L990000142	! tprob=0.50
-/* 0x14c4	     (16 17) */		srlx	%o0,32,%o0
-
-!
-! ENTRY .L990000145
-!
-
-                                   .L990000145:		/* frequency 1.0 confidence 0.0 */
-/* 0x14c8	1638 ( 0  1) */		add	%o2,%o3,%o3
-/* 0x14cc	1639 ( 0  1) */		add	%g3,4,%g3
-/* 0x14d0	1640 ( 1  2) */		srl	%o0,0,%o2
-/* 0x14d4	1641 ( 1  2) */		add	%o3,%o1,%o0
-/* 0x14d8	1642 ( 2  3) */		add	%o0,%o2,%o0
-/* 0x14dc	1643 ( 2  3) */		st	%o0,[%g3-4]
-/* 0x14e0	1644 ( 2  3) */		subcc	%i2,%o7,%g0
-/* 0x14e4	1645 ( 2  3) */		bcc,pn	%icc,.L77770061	! tprob=0.50
-/* 0x14e8	     ( 3  4) */		srlx	%o0,32,%o5
-
-!
-! ENTRY .L77000058
-!
-
-                                   .L77000058:		/* frequency 1.0 confidence 0.0 */
-/* 0x14ec	1648 ( 0  2) */		ldx	[%g2],%o2
-
-!
-! ENTRY .L990000160
-!
-
-                                   .L990000160:		/* frequency 1.0 confidence 0.0 */
-/* 0x14f0	1650 ( 0  1) */		sllx	%o2,19,%o3
-/* 0x14f4	1651 ( 0  2) */		ldx	[%g5],%o0
-/* 0x14f8	1652 ( 0  1) */		add	%i2,1,%i2
-/* 0x14fc	1653 ( 1  2) */		srl	%o5,0,%o1
-/* 0x1500	1654 ( 1  3) */		ld	[%g4],%o2
-/* 0x1504	1655 ( 1  2) */		add	%g2,16,%g2
-/* 0x1508	1656 ( 2  3) */		add	%o0,%o3,%o0
-/* 0x150c	1657 ( 2  3) */		add	%g5,16,%g5
-/* 0x1510	1658 ( 3  4) */		add	%o0,%o2,%o0
-/* 0x1514	1659 ( 3  4) */		add	%g4,4,%g4
-/* 0x1518	1660 ( 4  5) */		add	%o0,%o1,%o0
-/* 0x151c	1661 ( 4  5) */		st	%o0,[%g3]
-/* 0x1520	1662 ( 4  5) */		subcc	%i2,%o7,%g0
-/* 0x1524	1663 ( 5  6) */		srlx	%o0,32,%o5
-/* 0x1528	1664 ( 5  6) */		add	%g3,4,%g3
-/* 0x152c	1665 ( 5  6) */		bcs,a,pt	%icc,.L990000160	! tprob=0.50
-/* 0x1530	     ( 6  8) */		ldx	[%g2],%o2
-
-!
-! ENTRY .L77770061
-!
-
-                                   .L77770061:		/* frequency 1.0 confidence 0.0 */
-/* 0x1534	     ( 0  2) */		ret	! Result =  %o1 %o0 %f0 %f1
-/* 0x1538	     ( 2  3) */		restore	%g0,%o5,%o0
-
-
-/* 0x124c	1476 ( 0  0) */		.type	mul_add,2
-/* 0x124c	1477 ( 0  0) */		.size	mul_add,(.-mul_add)
-/* 0x124c	1480 ( 0  0) */		.align	8
-/* 0x1250	1486 ( 0  0) */		.global	mul_add_inp
-
-!
-! ENTRY mul_add_inp
-!
-
-                                   	.global mul_add_inp
-                                   mul_add_inp:		/* frequency 1.0 confidence 0.0 */
-/* 0x1250	1488 ( 0  1) */		save	%sp,-176,%sp
-/* 0x1254	1500 ( 1  2) */		sra	%i2,0,%o3
-/* 0x1258	1501 ( 1  2) */		or	%g0,%i1,%o2
-/* 0x125c	1502 ( 2  3) */		or	%g0,%i0,%o0
-/* 0x1260	1503 ( 2  3) */		or	%g0,%i0,%o1
-/* 0x1264	1504 ( 3  5) */		call	mul_add	! params = 	! Result = 
-/* 0x1268	     ( 4  5) */		srl	%i3,0,%o4
-/* 0x126c	1506 ( 5  6) */		srl	%o0,0,%i0
-/* 0x1270	     ( 6  8) */		ret	! Result =  %o1 %o0 %f0 %f1
-/* 0x1274	     ( 8  9) */		restore	%g0,%g0,%g0
-/* 0x1278	1509 ( 0  0) */		.type	mul_add_inp,2
-/* 0x1278	1510 ( 0  0) */		.size	mul_add_inp,(.-mul_add_inp)
-
-	.section	".data",#alloc,#write
-/* 0x1278	   6 ( 0  0) */		.align	8
-
-!
-! ENTRY mask_cnst
-!
-
-                                   mask_cnst:		/* frequency 1.0 confidence 0.0 */
-/* 0x1278	   8 ( 0  0) */		.xword	-9223372034707292160
-/* 0x1280	   9 ( 0  0) */		.type	mask_cnst,#object
-/* 0x1280	  10 ( 0  0) */		.size	mask_cnst,8
-
diff --git a/security/nss/lib/freebl/mpi/mpvalpha.c b/security/nss/lib/freebl/mpi/mpvalpha.c
deleted file mode 100644
index 5118e73c3..000000000
--- a/security/nss/lib/freebl/mpi/mpvalpha.c
+++ /dev/null
@@ -1,214 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is Multiple Precision Integer optimization code for 
- * the Compaq Alpha processor.
- *
- * The Initial Developer of the Original Code is
- * Richard C. Swift.
- * Portions created by the Initial Developer are Copyright (C) 2001
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):	Richard C. Swift	(swift@netscape.com)
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "mpi-priv.h"
-#include <c_asm.h>
-
-
-#define MP_MUL_DxD(a, b, Phi, Plo)		\
- { Plo = asm ("mulq %a0, %a1, %v0", a, b);	\
-   Phi = asm ("umulh %a0, %a1, %v0", a, b); }	\
-
-/* This is empty for the loop in s_mpv_mul_d	*/
-#define CARRY_ADD
-
-#define ONE_MUL				\
-    a_i = *a++;				\
-    MP_MUL_DxD(a_i, b, a1b1, a0b0);	\
-    a0b0 += carry;			\
-    if (a0b0 < carry)			\
-      ++a1b1;				\
-    CARRY_ADD				\
-    *c++ = a0b0;			\
-    carry = a1b1;			\
-
-#define FOUR_MUL			\
-	ONE_MUL				\
-	ONE_MUL				\
-	ONE_MUL				\
-	ONE_MUL				\
-
-#define SIXTEEN_MUL			\
-	FOUR_MUL			\
-	FOUR_MUL			\
-	FOUR_MUL			\
-	FOUR_MUL			\
-
-#define THIRTYTWO_MUL			\
-	SIXTEEN_MUL			\
-	SIXTEEN_MUL			\
-
-#define ONETWENTYEIGHT_MUL		\
-	THIRTYTWO_MUL			\
-	THIRTYTWO_MUL			\
-	THIRTYTWO_MUL			\
-	THIRTYTWO_MUL			\
-
-
-#define EXPAND_256(CALL)		\
- mp_digit carry = 0;			\
- mp_digit a_i;				\
- mp_digit a0b0, a1b1;			\
- if (a_len &255) {			\
-	if (a_len &1) {			\
-	  ONE_MUL			\
-	}				\
-	if (a_len &2) {			\
-	  ONE_MUL			\
-	  ONE_MUL			\
-	}				\
-	if (a_len &4) {			\
-	  FOUR_MUL			\
-	}				\
-	if (a_len &8) {			\
-	  FOUR_MUL			\
-	  FOUR_MUL			\
-	}				\
-	if (a_len & 16 ) {		\
-	  SIXTEEN_MUL			\
-	}				\
-	if (a_len & 32 ) {		\
-	  THIRTYTWO_MUL			\
-	}				\
-	if (a_len & 64 ) {		\
-	  THIRTYTWO_MUL			\
-	  THIRTYTWO_MUL			\
-	}				\
-	if (a_len & 128) {		\
-	  ONETWENTYEIGHT_MUL		\
-	}				\
-	a_len = a_len & (-256);		\
-  }					\
-  if (a_len>=256 ) {			\
-	carry = CALL(a, a_len, b, c, carry);	\
-	c += a_len;			\
-  }					\
-
-#define FUNC_NAME(NAME)			\
-mp_digit NAME(const mp_digit *a, 	\
-	mp_size a_len,			\
-	mp_digit b, mp_digit *c, 	\
-	mp_digit carry)			\
-
-#define DECLARE_MUL_256(FNAME)		\
-FUNC_NAME(FNAME)			\
-{					\
-  mp_digit a_i;				\
-  mp_digit a0b0, a1b1;			\
-  while (a_len) {			\
-	ONETWENTYEIGHT_MUL		\
-	ONETWENTYEIGHT_MUL		\
-	a_len-= 256;			\
-  }					\
-  return carry;				\
-}					\
-
-/* Expanding the loop in s_mpv_mul_d appeared to slow down the
-   (admittedly) small number of tests (i.e., timetest) used to
-   measure performance, so this define disables that optimization. */
-#define DO_NOT_EXPAND 1
-
-/* Need forward declaration so it can be instantiated after
-	the routine that uses it; this helps locality somewhat	*/
-#if !defined(DO_NOT_EXPAND)
-FUNC_NAME(s_mpv_mul_d_MUL256);
-#endif
-
-/* c = a * b */
-void s_mpv_mul_d(const mp_digit *a, mp_size a_len, 
-			mp_digit b, mp_digit *c)
-{
-#if defined(DO_NOT_EXPAND)
-  mp_digit carry = 0;
-  while (a_len--) {
-    mp_digit a_i = *a++;
-    mp_digit a0b0, a1b1;
-
-    MP_MUL_DxD(a_i, b, a1b1, a0b0);
-
-    a0b0 += carry;
-    if (a0b0 < carry)
-      ++a1b1;
-    *c++ = a0b0;
-    carry = a1b1;
-  }
-#else
-  EXPAND_256(s_mpv_mul_d_MUL256)
-#endif
-  *c = carry;
-}
-
-#if !defined(DO_NOT_EXPAND)
-DECLARE_MUL_256(s_mpv_mul_d_MUL256)
-#endif
-
-#undef CARRY_ADD
-/* This is redefined for the loop in s_mpv_mul_d_add */
-#define CARRY_ADD			\
-    a0b0 += a_i = *c;			\
-    if (a0b0 < a_i)			\
-      ++a1b1;				\
-
-/* Need forward declaration so it can be instantiated between the
-	two routines that use it; this helps locality somewhat	*/
-FUNC_NAME(s_mpv_mul_d_add_MUL256);
-
-/* c += a * b */
-void s_mpv_mul_d_add(const mp_digit *a, mp_size a_len, 
-			mp_digit b, mp_digit *c)
-{
-  EXPAND_256(s_mpv_mul_d_add_MUL256)
-  *c = carry;
-}
-
-/* Instantiate multiply 256 routine here */
-DECLARE_MUL_256(s_mpv_mul_d_add_MUL256)
-
-/* Presently, this is only used by the Montgomery arithmetic code. */
-/* c += a * b */
-void s_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len, 
-			mp_digit b, mp_digit *c)
-{
-  EXPAND_256(s_mpv_mul_d_add_MUL256)
-  while (carry) {
-    mp_digit c_i = *c;
-    carry += c_i;
-    *c++ = carry;
-    carry = carry < c_i;
-  }
-}
-
diff --git a/security/nss/lib/freebl/mpi/mulsqr.c b/security/nss/lib/freebl/mpi/mulsqr.c
deleted file mode 100644
index d73ad8d69..000000000
--- a/security/nss/lib/freebl/mpi/mulsqr.c
+++ /dev/null
@@ -1,115 +0,0 @@
-/*
- * Test whether to include squaring code given the current settings
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1997
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <limits.h>
-#include <time.h>
-
-#define MP_SQUARE 1  /* make sure squaring code is included */
-
-#include "mpi.h"
-#include "mpprime.h"
-
-int main(int argc, char *argv[])
-{
-  int           ntests, prec, ix;
-  unsigned int  seed;
-  clock_t       start, stop;
-  double        multime, sqrtime;
-  mp_int        a, c;
-
-  seed = (unsigned int)time(NULL);
-
-  if(argc < 3) {
-    fprintf(stderr, "Usage: %s <ntests> <nbits>\n", argv[0]);
-    return 1;
-  }
-
-  if((ntests = abs(atoi(argv[1]))) == 0) {
-    fprintf(stderr, "%s: must request at least 1 test.\n", argv[0]);
-    return 1;
-  }
-  if((prec = abs(atoi(argv[2]))) < CHAR_BIT) {
-    fprintf(stderr, "%s: must request at least %d bits.\n", argv[0],
-	    CHAR_BIT);
-    return 1;
-  }
-
-  prec = (prec + (DIGIT_BIT - 1)) / DIGIT_BIT;
-
-  mp_init_size(&a, prec);
-  mp_init_size(&c, 2 * prec);
-
-  /* Test multiplication by self */
-  srand(seed);
-  start = clock();
-  for(ix = 0; ix < ntests; ix++) {
-    mpp_random_size(&a, prec);
-    mp_mul(&a, &a, &c);
-  }
-  stop = clock();
-
-  multime = (double)(stop - start) / CLOCKS_PER_SEC;
-
-  /* Test squaring */
-  srand(seed);
-  start = clock();
-  for(ix = 0; ix < ntests; ix++) {
-    mpp_random_size(&a, prec);
-    mp_sqr(&a, &c);
-  }
-  stop = clock();
-
-  sqrtime = (double)(stop - start) / CLOCKS_PER_SEC;
-
-  printf("Multiply: %.4f\n", multime);
-  printf("Square:   %.4f\n", sqrtime);
-  if(multime < sqrtime) {
-    printf("Speedup:  %.1f%%\n", 100.0 * (1.0 - multime / sqrtime));
-    printf("Prefer:   multiply\n");
-  } else {
-    printf("Speedup:  %.1f%%\n", 100.0 * (1.0 - sqrtime / multime));
-    printf("Prefer:   square\n");
-  }
-
-  mp_clear(&a); mp_clear(&c);
-  return 0;
-
-}
diff --git a/security/nss/lib/freebl/mpi/multest b/security/nss/lib/freebl/mpi/multest
deleted file mode 100755
index e8004ffd9..000000000
--- a/security/nss/lib/freebl/mpi/multest
+++ /dev/null
@@ -1,111 +0,0 @@
-#!/bin/sh
-#
-# multest
-#
-# Run multiply and square timing tests, to compute a chart for the
-# current processor and compiler combination.
-
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
-#
-# The Initial Developer of the Original Code is
-# Michael J. Fromberger <sting@linguist.dartmouth.edu>.
-# Portions created by the Initial Developer are Copyright (C) 2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-# $Id$
-#
-
-ECHO=/bin/echo
-MAKE=gmake
-
-$ECHO "\n** Running multiply and square timing tests\n"
-
-$ECHO "Bringing 'mulsqr' up to date ... "
-if $MAKE mulsqr ; then
-    :
-else
-    $ECHO "\nMake failed to build mulsqr.\n"
-    exit 1
-fi
-
-if [ ! -x ./mulsqr ] ; then
-    $ECHO "\nCannot find 'mulsqr' program, testing cannot continue.\n"
-    exit 1
-fi
-
-sizes='64 128 192 256 320 384 448 512 640 768 896 1024 1536 2048'
-ntests=500000
-
-$ECHO "Running timing tests, please wait ... "
-
-trap 'echo "oop!";rm -f tt*.tmp;exit 0' INT HUP
-
-touch tt$$.tmp
-$ECHO $ntests tests >> tt$$.tmp
-for size in $sizes ; do
-    $ECHO "$size bits ... \c"
-    set -A res `./mulsqr $ntests $size|head -3|tr -d '%'|awk '{print $2}'`
-    $ECHO $size"\t"${res[0]}"\t"${res[1]}"\t"${res[2]} >> tt$$.tmp
-    $ECHO "(done)"
-done
-mv tt$$.tmp mulsqr-results.txt
-rm -f tt$$.tmp
-
-$ECHO "\n** Running Karatsuba-Ofman multiplication tests\n"
-
-$ECHO "Brining 'karatsuba' up to date ... "
-if $MAKE karatsuba ; then
-    :
-else
-    $ECHO "\nMake failed to build karatsuba.\n"
-    exit 1
-fi
-
-if [ ! -x ./karatsuba ] ; then
-    $ECHO "\nCannot find 'karatsuba' program, testing cannot continue.\n"
-    exit 1
-fi
-
-ntests=100000
-
-trap 'echo "oop!";rm -f tt*.tmp;exit 0' INT HUP
-
-touch tt$$.tmp
-for size in $sizes ; do
-    $ECHO "$size bits ... "
-    ./karatsuba $ntests $size >> tt$$.tmp
-    tail -2 tt$$.tmp
-done
-mv tt$$.tmp karatsuba-results.txt
-rm -f tt$$.tmp
-
-exit 0
diff --git a/security/nss/lib/freebl/mpi/primes.c b/security/nss/lib/freebl/mpi/primes.c
deleted file mode 100644
index 2391c5e4b..000000000
--- a/security/nss/lib/freebl/mpi/primes.c
+++ /dev/null
@@ -1,874 +0,0 @@
-/*
- * These tables of primes wwere generated using the 'sieve' program
- * (sieve.c) and converted to this format with 'ptab.pl'.  
- *
- * The 'small' table is just the first 128 primes.  The 'large' table
- * is a table of all the prime values that will fit into a single
- * mp_digit (given the current size of an mp_digit, which is two bytes).
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1997
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#if SMALL_TABLE
-#define MP_PRIME_TAB_SIZE 128
-#else
-#define MP_PRIME_TAB_SIZE 6542
-#endif
-
-const int prime_tab_size = MP_PRIME_TAB_SIZE;
-const mp_digit  prime_tab[] = {
-	0x0002, 0x0003, 0x0005, 0x0007, 0x000B, 0x000D, 0x0011, 0x0013, 
-	0x0017, 0x001D, 0x001F, 0x0025, 0x0029, 0x002B, 0x002F, 0x0035, 
-	0x003B, 0x003D, 0x0043, 0x0047, 0x0049, 0x004F, 0x0053, 0x0059, 
-	0x0061, 0x0065, 0x0067, 0x006B, 0x006D, 0x0071, 0x007F, 0x0083, 
-	0x0089, 0x008B, 0x0095, 0x0097, 0x009D, 0x00A3, 0x00A7, 0x00AD, 
-	0x00B3, 0x00B5, 0x00BF, 0x00C1, 0x00C5, 0x00C7, 0x00D3, 0x00DF, 
-	0x00E3, 0x00E5, 0x00E9, 0x00EF, 0x00F1, 0x00FB, 0x0101, 0x0107, 
-	0x010D, 0x010F, 0x0115, 0x0119, 0x011B, 0x0125, 0x0133, 0x0137, 
-	0x0139, 0x013D, 0x014B, 0x0151, 0x015B, 0x015D, 0x0161, 0x0167, 
-	0x016F, 0x0175, 0x017B, 0x017F, 0x0185, 0x018D, 0x0191, 0x0199, 
-	0x01A3, 0x01A5, 0x01AF, 0x01B1, 0x01B7, 0x01BB, 0x01C1, 0x01C9, 
-	0x01CD, 0x01CF, 0x01D3, 0x01DF, 0x01E7, 0x01EB, 0x01F3, 0x01F7, 
-	0x01FD, 0x0209, 0x020B, 0x021D, 0x0223, 0x022D, 0x0233, 0x0239, 
-	0x023B, 0x0241, 0x024B, 0x0251, 0x0257, 0x0259, 0x025F, 0x0265, 
-	0x0269, 0x026B, 0x0277, 0x0281, 0x0283, 0x0287, 0x028D, 0x0293, 
-	0x0295, 0x02A1, 0x02A5, 0x02AB, 0x02B3, 0x02BD, 0x02C5, 0x02CF, 
-#if ! SMALL_TABLE
-	0x02D7, 0x02DD, 0x02E3, 0x02E7, 0x02EF, 0x02F5, 0x02F9, 0x0301, 
-	0x0305, 0x0313, 0x031D, 0x0329, 0x032B, 0x0335, 0x0337, 0x033B, 
-	0x033D, 0x0347, 0x0355, 0x0359, 0x035B, 0x035F, 0x036D, 0x0371, 
-	0x0373, 0x0377, 0x038B, 0x038F, 0x0397, 0x03A1, 0x03A9, 0x03AD, 
-	0x03B3, 0x03B9, 0x03C7, 0x03CB, 0x03D1, 0x03D7, 0x03DF, 0x03E5, 
-	0x03F1, 0x03F5, 0x03FB, 0x03FD, 0x0407, 0x0409, 0x040F, 0x0419, 
-	0x041B, 0x0425, 0x0427, 0x042D, 0x043F, 0x0443, 0x0445, 0x0449, 
-	0x044F, 0x0455, 0x045D, 0x0463, 0x0469, 0x047F, 0x0481, 0x048B, 
-	0x0493, 0x049D, 0x04A3, 0x04A9, 0x04B1, 0x04BD, 0x04C1, 0x04C7, 
-	0x04CD, 0x04CF, 0x04D5, 0x04E1, 0x04EB, 0x04FD, 0x04FF, 0x0503, 
-	0x0509, 0x050B, 0x0511, 0x0515, 0x0517, 0x051B, 0x0527, 0x0529, 
-	0x052F, 0x0551, 0x0557, 0x055D, 0x0565, 0x0577, 0x0581, 0x058F, 
-	0x0593, 0x0595, 0x0599, 0x059F, 0x05A7, 0x05AB, 0x05AD, 0x05B3, 
-	0x05BF, 0x05C9, 0x05CB, 0x05CF, 0x05D1, 0x05D5, 0x05DB, 0x05E7, 
-	0x05F3, 0x05FB, 0x0607, 0x060D, 0x0611, 0x0617, 0x061F, 0x0623, 
-	0x062B, 0x062F, 0x063D, 0x0641, 0x0647, 0x0649, 0x064D, 0x0653, 
-	0x0655, 0x065B, 0x0665, 0x0679, 0x067F, 0x0683, 0x0685, 0x069D, 
-	0x06A1, 0x06A3, 0x06AD, 0x06B9, 0x06BB, 0x06C5, 0x06CD, 0x06D3, 
-	0x06D9, 0x06DF, 0x06F1, 0x06F7, 0x06FB, 0x06FD, 0x0709, 0x0713, 
-	0x071F, 0x0727, 0x0737, 0x0745, 0x074B, 0x074F, 0x0751, 0x0755, 
-	0x0757, 0x0761, 0x076D, 0x0773, 0x0779, 0x078B, 0x078D, 0x079D, 
-	0x079F, 0x07B5, 0x07BB, 0x07C3, 0x07C9, 0x07CD, 0x07CF, 0x07D3, 
-	0x07DB, 0x07E1, 0x07EB, 0x07ED, 0x07F7, 0x0805, 0x080F, 0x0815, 
-	0x0821, 0x0823, 0x0827, 0x0829, 0x0833, 0x083F, 0x0841, 0x0851, 
-	0x0853, 0x0859, 0x085D, 0x085F, 0x0869, 0x0871, 0x0883, 0x089B, 
-	0x089F, 0x08A5, 0x08AD, 0x08BD, 0x08BF, 0x08C3, 0x08CB, 0x08DB, 
-	0x08DD, 0x08E1, 0x08E9, 0x08EF, 0x08F5, 0x08F9, 0x0905, 0x0907, 
-	0x091D, 0x0923, 0x0925, 0x092B, 0x092F, 0x0935, 0x0943, 0x0949, 
-	0x094D, 0x094F, 0x0955, 0x0959, 0x095F, 0x096B, 0x0971, 0x0977, 
-	0x0985, 0x0989, 0x098F, 0x099B, 0x09A3, 0x09A9, 0x09AD, 0x09C7, 
-	0x09D9, 0x09E3, 0x09EB, 0x09EF, 0x09F5, 0x09F7, 0x09FD, 0x0A13, 
-	0x0A1F, 0x0A21, 0x0A31, 0x0A39, 0x0A3D, 0x0A49, 0x0A57, 0x0A61, 
-	0x0A63, 0x0A67, 0x0A6F, 0x0A75, 0x0A7B, 0x0A7F, 0x0A81, 0x0A85, 
-	0x0A8B, 0x0A93, 0x0A97, 0x0A99, 0x0A9F, 0x0AA9, 0x0AAB, 0x0AB5, 
-	0x0ABD, 0x0AC1, 0x0ACF, 0x0AD9, 0x0AE5, 0x0AE7, 0x0AED, 0x0AF1, 
-	0x0AF3, 0x0B03, 0x0B11, 0x0B15, 0x0B1B, 0x0B23, 0x0B29, 0x0B2D, 
-	0x0B3F, 0x0B47, 0x0B51, 0x0B57, 0x0B5D, 0x0B65, 0x0B6F, 0x0B7B, 
-	0x0B89, 0x0B8D, 0x0B93, 0x0B99, 0x0B9B, 0x0BB7, 0x0BB9, 0x0BC3, 
-	0x0BCB, 0x0BCF, 0x0BDD, 0x0BE1, 0x0BE9, 0x0BF5, 0x0BFB, 0x0C07, 
-	0x0C0B, 0x0C11, 0x0C25, 0x0C2F, 0x0C31, 0x0C41, 0x0C5B, 0x0C5F, 
-	0x0C61, 0x0C6D, 0x0C73, 0x0C77, 0x0C83, 0x0C89, 0x0C91, 0x0C95, 
-	0x0C9D, 0x0CB3, 0x0CB5, 0x0CB9, 0x0CBB, 0x0CC7, 0x0CE3, 0x0CE5, 
-	0x0CEB, 0x0CF1, 0x0CF7, 0x0CFB, 0x0D01, 0x0D03, 0x0D0F, 0x0D13, 
-	0x0D1F, 0x0D21, 0x0D2B, 0x0D2D, 0x0D3D, 0x0D3F, 0x0D4F, 0x0D55, 
-	0x0D69, 0x0D79, 0x0D81, 0x0D85, 0x0D87, 0x0D8B, 0x0D8D, 0x0DA3, 
-	0x0DAB, 0x0DB7, 0x0DBD, 0x0DC7, 0x0DC9, 0x0DCD, 0x0DD3, 0x0DD5, 
-	0x0DDB, 0x0DE5, 0x0DE7, 0x0DF3, 0x0DFD, 0x0DFF, 0x0E09, 0x0E17, 
-	0x0E1D, 0x0E21, 0x0E27, 0x0E2F, 0x0E35, 0x0E3B, 0x0E4B, 0x0E57, 
-	0x0E59, 0x0E5D, 0x0E6B, 0x0E71, 0x0E75, 0x0E7D, 0x0E87, 0x0E8F, 
-	0x0E95, 0x0E9B, 0x0EB1, 0x0EB7, 0x0EB9, 0x0EC3, 0x0ED1, 0x0ED5, 
-	0x0EDB, 0x0EED, 0x0EEF, 0x0EF9, 0x0F07, 0x0F0B, 0x0F0D, 0x0F17, 
-	0x0F25, 0x0F29, 0x0F31, 0x0F43, 0x0F47, 0x0F4D, 0x0F4F, 0x0F53, 
-	0x0F59, 0x0F5B, 0x0F67, 0x0F6B, 0x0F7F, 0x0F95, 0x0FA1, 0x0FA3, 
-	0x0FA7, 0x0FAD, 0x0FB3, 0x0FB5, 0x0FBB, 0x0FD1, 0x0FD3, 0x0FD9, 
-	0x0FE9, 0x0FEF, 0x0FFB, 0x0FFD, 0x1003, 0x100F, 0x101F, 0x1021, 
-	0x1025, 0x102B, 0x1039, 0x103D, 0x103F, 0x1051, 0x1069, 0x1073, 
-	0x1079, 0x107B, 0x1085, 0x1087, 0x1091, 0x1093, 0x109D, 0x10A3, 
-	0x10A5, 0x10AF, 0x10B1, 0x10BB, 0x10C1, 0x10C9, 0x10E7, 0x10F1, 
-	0x10F3, 0x10FD, 0x1105, 0x110B, 0x1115, 0x1127, 0x112D, 0x1139, 
-	0x1145, 0x1147, 0x1159, 0x115F, 0x1163, 0x1169, 0x116F, 0x1181, 
-	0x1183, 0x118D, 0x119B, 0x11A1, 0x11A5, 0x11A7, 0x11AB, 0x11C3, 
-	0x11C5, 0x11D1, 0x11D7, 0x11E7, 0x11EF, 0x11F5, 0x11FB, 0x120D, 
-	0x121D, 0x121F, 0x1223, 0x1229, 0x122B, 0x1231, 0x1237, 0x1241, 
-	0x1247, 0x1253, 0x125F, 0x1271, 0x1273, 0x1279, 0x127D, 0x128F, 
-	0x1297, 0x12AF, 0x12B3, 0x12B5, 0x12B9, 0x12BF, 0x12C1, 0x12CD, 
-	0x12D1, 0x12DF, 0x12FD, 0x1307, 0x130D, 0x1319, 0x1327, 0x132D, 
-	0x1337, 0x1343, 0x1345, 0x1349, 0x134F, 0x1357, 0x135D, 0x1367, 
-	0x1369, 0x136D, 0x137B, 0x1381, 0x1387, 0x138B, 0x1391, 0x1393, 
-	0x139D, 0x139F, 0x13AF, 0x13BB, 0x13C3, 0x13D5, 0x13D9, 0x13DF, 
-	0x13EB, 0x13ED, 0x13F3, 0x13F9, 0x13FF, 0x141B, 0x1421, 0x142F, 
-	0x1433, 0x143B, 0x1445, 0x144D, 0x1459, 0x146B, 0x146F, 0x1471, 
-	0x1475, 0x148D, 0x1499, 0x149F, 0x14A1, 0x14B1, 0x14B7, 0x14BD, 
-	0x14CB, 0x14D5, 0x14E3, 0x14E7, 0x1505, 0x150B, 0x1511, 0x1517, 
-	0x151F, 0x1525, 0x1529, 0x152B, 0x1537, 0x153D, 0x1541, 0x1543, 
-	0x1549, 0x155F, 0x1565, 0x1567, 0x156B, 0x157D, 0x157F, 0x1583, 
-	0x158F, 0x1591, 0x1597, 0x159B, 0x15B5, 0x15BB, 0x15C1, 0x15C5, 
-	0x15CD, 0x15D7, 0x15F7, 0x1607, 0x1609, 0x160F, 0x1613, 0x1615, 
-	0x1619, 0x161B, 0x1625, 0x1633, 0x1639, 0x163D, 0x1645, 0x164F, 
-	0x1655, 0x1669, 0x166D, 0x166F, 0x1675, 0x1693, 0x1697, 0x169F, 
-	0x16A9, 0x16AF, 0x16B5, 0x16BD, 0x16C3, 0x16CF, 0x16D3, 0x16D9, 
-	0x16DB, 0x16E1, 0x16E5, 0x16EB, 0x16ED, 0x16F7, 0x16F9, 0x1709, 
-	0x170F, 0x1723, 0x1727, 0x1733, 0x1741, 0x175D, 0x1763, 0x1777, 
-	0x177B, 0x178D, 0x1795, 0x179B, 0x179F, 0x17A5, 0x17B3, 0x17B9, 
-	0x17BF, 0x17C9, 0x17CB, 0x17D5, 0x17E1, 0x17E9, 0x17F3, 0x17F5, 
-	0x17FF, 0x1807, 0x1813, 0x181D, 0x1835, 0x1837, 0x183B, 0x1843, 
-	0x1849, 0x184D, 0x1855, 0x1867, 0x1871, 0x1877, 0x187D, 0x187F, 
-	0x1885, 0x188F, 0x189B, 0x189D, 0x18A7, 0x18AD, 0x18B3, 0x18B9, 
-	0x18C1, 0x18C7, 0x18D1, 0x18D7, 0x18D9, 0x18DF, 0x18E5, 0x18EB, 
-	0x18F5, 0x18FD, 0x1915, 0x191B, 0x1931, 0x1933, 0x1945, 0x1949, 
-	0x1951, 0x195B, 0x1979, 0x1981, 0x1993, 0x1997, 0x1999, 0x19A3, 
-	0x19A9, 0x19AB, 0x19B1, 0x19B5, 0x19C7, 0x19CF, 0x19DB, 0x19ED, 
-	0x19FD, 0x1A03, 0x1A05, 0x1A11, 0x1A17, 0x1A21, 0x1A23, 0x1A2D, 
-	0x1A2F, 0x1A35, 0x1A3F, 0x1A4D, 0x1A51, 0x1A69, 0x1A6B, 0x1A7B, 
-	0x1A7D, 0x1A87, 0x1A89, 0x1A93, 0x1AA7, 0x1AAB, 0x1AAD, 0x1AB1, 
-	0x1AB9, 0x1AC9, 0x1ACF, 0x1AD5, 0x1AD7, 0x1AE3, 0x1AF3, 0x1AFB, 
-	0x1AFF, 0x1B05, 0x1B23, 0x1B25, 0x1B2F, 0x1B31, 0x1B37, 0x1B3B, 
-	0x1B41, 0x1B47, 0x1B4F, 0x1B55, 0x1B59, 0x1B65, 0x1B6B, 0x1B73, 
-	0x1B7F, 0x1B83, 0x1B91, 0x1B9D, 0x1BA7, 0x1BBF, 0x1BC5, 0x1BD1, 
-	0x1BD7, 0x1BD9, 0x1BEF, 0x1BF7, 0x1C09, 0x1C13, 0x1C19, 0x1C27, 
-	0x1C2B, 0x1C2D, 0x1C33, 0x1C3D, 0x1C45, 0x1C4B, 0x1C4F, 0x1C55, 
-	0x1C73, 0x1C81, 0x1C8B, 0x1C8D, 0x1C99, 0x1CA3, 0x1CA5, 0x1CB5, 
-	0x1CB7, 0x1CC9, 0x1CE1, 0x1CF3, 0x1CF9, 0x1D09, 0x1D1B, 0x1D21, 
-	0x1D23, 0x1D35, 0x1D39, 0x1D3F, 0x1D41, 0x1D4B, 0x1D53, 0x1D5D, 
-	0x1D63, 0x1D69, 0x1D71, 0x1D75, 0x1D7B, 0x1D7D, 0x1D87, 0x1D89, 
-	0x1D95, 0x1D99, 0x1D9F, 0x1DA5, 0x1DA7, 0x1DB3, 0x1DB7, 0x1DC5, 
-	0x1DD7, 0x1DDB, 0x1DE1, 0x1DF5, 0x1DF9, 0x1E01, 0x1E07, 0x1E0B, 
-	0x1E13, 0x1E17, 0x1E25, 0x1E2B, 0x1E2F, 0x1E3D, 0x1E49, 0x1E4D, 
-	0x1E4F, 0x1E6D, 0x1E71, 0x1E89, 0x1E8F, 0x1E95, 0x1EA1, 0x1EAD, 
-	0x1EBB, 0x1EC1, 0x1EC5, 0x1EC7, 0x1ECB, 0x1EDD, 0x1EE3, 0x1EEF, 
-	0x1EF7, 0x1EFD, 0x1F01, 0x1F0D, 0x1F0F, 0x1F1B, 0x1F39, 0x1F49, 
-	0x1F4B, 0x1F51, 0x1F67, 0x1F75, 0x1F7B, 0x1F85, 0x1F91, 0x1F97, 
-	0x1F99, 0x1F9D, 0x1FA5, 0x1FAF, 0x1FB5, 0x1FBB, 0x1FD3, 0x1FE1, 
-	0x1FE7, 0x1FEB, 0x1FF3, 0x1FFF, 0x2011, 0x201B, 0x201D, 0x2027, 
-	0x2029, 0x202D, 0x2033, 0x2047, 0x204D, 0x2051, 0x205F, 0x2063, 
-	0x2065, 0x2069, 0x2077, 0x207D, 0x2089, 0x20A1, 0x20AB, 0x20B1, 
-	0x20B9, 0x20C3, 0x20C5, 0x20E3, 0x20E7, 0x20ED, 0x20EF, 0x20FB, 
-	0x20FF, 0x210D, 0x2113, 0x2135, 0x2141, 0x2149, 0x214F, 0x2159, 
-	0x215B, 0x215F, 0x2173, 0x217D, 0x2185, 0x2195, 0x2197, 0x21A1, 
-	0x21AF, 0x21B3, 0x21B5, 0x21C1, 0x21C7, 0x21D7, 0x21DD, 0x21E5, 
-	0x21E9, 0x21F1, 0x21F5, 0x21FB, 0x2203, 0x2209, 0x220F, 0x221B, 
-	0x2221, 0x2225, 0x222B, 0x2231, 0x2239, 0x224B, 0x224F, 0x2263, 
-	0x2267, 0x2273, 0x2275, 0x227F, 0x2285, 0x2287, 0x2291, 0x229D, 
-	0x229F, 0x22A3, 0x22B7, 0x22BD, 0x22DB, 0x22E1, 0x22E5, 0x22ED, 
-	0x22F7, 0x2303, 0x2309, 0x230B, 0x2327, 0x2329, 0x232F, 0x2333, 
-	0x2335, 0x2345, 0x2351, 0x2353, 0x2359, 0x2363, 0x236B, 0x2383, 
-	0x238F, 0x2395, 0x23A7, 0x23AD, 0x23B1, 0x23BF, 0x23C5, 0x23C9, 
-	0x23D5, 0x23DD, 0x23E3, 0x23EF, 0x23F3, 0x23F9, 0x2405, 0x240B, 
-	0x2417, 0x2419, 0x2429, 0x243D, 0x2441, 0x2443, 0x244D, 0x245F, 
-	0x2467, 0x246B, 0x2479, 0x247D, 0x247F, 0x2485, 0x249B, 0x24A1, 
-	0x24AF, 0x24B5, 0x24BB, 0x24C5, 0x24CB, 0x24CD, 0x24D7, 0x24D9, 
-	0x24DD, 0x24DF, 0x24F5, 0x24F7, 0x24FB, 0x2501, 0x2507, 0x2513, 
-	0x2519, 0x2527, 0x2531, 0x253D, 0x2543, 0x254B, 0x254F, 0x2573, 
-	0x2581, 0x258D, 0x2593, 0x2597, 0x259D, 0x259F, 0x25AB, 0x25B1, 
-	0x25BD, 0x25CD, 0x25CF, 0x25D9, 0x25E1, 0x25F7, 0x25F9, 0x2605, 
-	0x260B, 0x260F, 0x2615, 0x2627, 0x2629, 0x2635, 0x263B, 0x263F, 
-	0x264B, 0x2653, 0x2659, 0x2665, 0x2669, 0x266F, 0x267B, 0x2681, 
-	0x2683, 0x268F, 0x269B, 0x269F, 0x26AD, 0x26B3, 0x26C3, 0x26C9, 
-	0x26CB, 0x26D5, 0x26DD, 0x26EF, 0x26F5, 0x2717, 0x2719, 0x2735, 
-	0x2737, 0x274D, 0x2753, 0x2755, 0x275F, 0x276B, 0x276D, 0x2773, 
-	0x2777, 0x277F, 0x2795, 0x279B, 0x279D, 0x27A7, 0x27AF, 0x27B3, 
-	0x27B9, 0x27C1, 0x27C5, 0x27D1, 0x27E3, 0x27EF, 0x2803, 0x2807, 
-	0x280D, 0x2813, 0x281B, 0x281F, 0x2821, 0x2831, 0x283D, 0x283F, 
-	0x2849, 0x2851, 0x285B, 0x285D, 0x2861, 0x2867, 0x2875, 0x2881, 
-	0x2897, 0x289F, 0x28BB, 0x28BD, 0x28C1, 0x28D5, 0x28D9, 0x28DB, 
-	0x28DF, 0x28ED, 0x28F7, 0x2903, 0x2905, 0x2911, 0x2921, 0x2923, 
-	0x293F, 0x2947, 0x295D, 0x2965, 0x2969, 0x296F, 0x2975, 0x2983, 
-	0x2987, 0x298F, 0x299B, 0x29A1, 0x29A7, 0x29AB, 0x29BF, 0x29C3, 
-	0x29D5, 0x29D7, 0x29E3, 0x29E9, 0x29ED, 0x29F3, 0x2A01, 0x2A13, 
-	0x2A1D, 0x2A25, 0x2A2F, 0x2A4F, 0x2A55, 0x2A5F, 0x2A65, 0x2A6B, 
-	0x2A6D, 0x2A73, 0x2A83, 0x2A89, 0x2A8B, 0x2A97, 0x2A9D, 0x2AB9, 
-	0x2ABB, 0x2AC5, 0x2ACD, 0x2ADD, 0x2AE3, 0x2AEB, 0x2AF1, 0x2AFB, 
-	0x2B13, 0x2B27, 0x2B31, 0x2B33, 0x2B3D, 0x2B3F, 0x2B4B, 0x2B4F, 
-	0x2B55, 0x2B69, 0x2B6D, 0x2B6F, 0x2B7B, 0x2B8D, 0x2B97, 0x2B99, 
-	0x2BA3, 0x2BA5, 0x2BA9, 0x2BBD, 0x2BCD, 0x2BE7, 0x2BEB, 0x2BF3, 
-	0x2BF9, 0x2BFD, 0x2C09, 0x2C0F, 0x2C17, 0x2C23, 0x2C2F, 0x2C35, 
-	0x2C39, 0x2C41, 0x2C57, 0x2C59, 0x2C69, 0x2C77, 0x2C81, 0x2C87, 
-	0x2C93, 0x2C9F, 0x2CAD, 0x2CB3, 0x2CB7, 0x2CCB, 0x2CCF, 0x2CDB, 
-	0x2CE1, 0x2CE3, 0x2CE9, 0x2CEF, 0x2CFF, 0x2D07, 0x2D1D, 0x2D1F, 
-	0x2D3B, 0x2D43, 0x2D49, 0x2D4D, 0x2D61, 0x2D65, 0x2D71, 0x2D89, 
-	0x2D9D, 0x2DA1, 0x2DA9, 0x2DB3, 0x2DB5, 0x2DC5, 0x2DC7, 0x2DD3, 
-	0x2DDF, 0x2E01, 0x2E03, 0x2E07, 0x2E0D, 0x2E19, 0x2E1F, 0x2E25, 
-	0x2E2D, 0x2E33, 0x2E37, 0x2E39, 0x2E3F, 0x2E57, 0x2E5B, 0x2E6F, 
-	0x2E79, 0x2E7F, 0x2E85, 0x2E93, 0x2E97, 0x2E9D, 0x2EA3, 0x2EA5, 
-	0x2EB1, 0x2EB7, 0x2EC1, 0x2EC3, 0x2ECD, 0x2ED3, 0x2EE7, 0x2EEB, 
-	0x2F05, 0x2F09, 0x2F0B, 0x2F11, 0x2F27, 0x2F29, 0x2F41, 0x2F45, 
-	0x2F4B, 0x2F4D, 0x2F51, 0x2F57, 0x2F6F, 0x2F75, 0x2F7D, 0x2F81, 
-	0x2F83, 0x2FA5, 0x2FAB, 0x2FB3, 0x2FC3, 0x2FCF, 0x2FD1, 0x2FDB, 
-	0x2FDD, 0x2FE7, 0x2FED, 0x2FF5, 0x2FF9, 0x3001, 0x300D, 0x3023, 
-	0x3029, 0x3037, 0x303B, 0x3055, 0x3059, 0x305B, 0x3067, 0x3071, 
-	0x3079, 0x307D, 0x3085, 0x3091, 0x3095, 0x30A3, 0x30A9, 0x30B9, 
-	0x30BF, 0x30C7, 0x30CB, 0x30D1, 0x30D7, 0x30DF, 0x30E5, 0x30EF, 
-	0x30FB, 0x30FD, 0x3103, 0x3109, 0x3119, 0x3121, 0x3127, 0x312D, 
-	0x3139, 0x3143, 0x3145, 0x314B, 0x315D, 0x3161, 0x3167, 0x316D, 
-	0x3173, 0x317F, 0x3191, 0x3199, 0x319F, 0x31A9, 0x31B1, 0x31C3, 
-	0x31C7, 0x31D5, 0x31DB, 0x31ED, 0x31F7, 0x31FF, 0x3209, 0x3215, 
-	0x3217, 0x321D, 0x3229, 0x3235, 0x3259, 0x325D, 0x3263, 0x326B, 
-	0x326F, 0x3275, 0x3277, 0x327B, 0x328D, 0x3299, 0x329F, 0x32A7, 
-	0x32AD, 0x32B3, 0x32B7, 0x32C9, 0x32CB, 0x32CF, 0x32D1, 0x32E9, 
-	0x32ED, 0x32F3, 0x32F9, 0x3307, 0x3325, 0x332B, 0x332F, 0x3335, 
-	0x3341, 0x3347, 0x335B, 0x335F, 0x3367, 0x336B, 0x3373, 0x3379, 
-	0x337F, 0x3383, 0x33A1, 0x33A3, 0x33AD, 0x33B9, 0x33C1, 0x33CB, 
-	0x33D3, 0x33EB, 0x33F1, 0x33FD, 0x3401, 0x340F, 0x3413, 0x3419, 
-	0x341B, 0x3437, 0x3445, 0x3455, 0x3457, 0x3463, 0x3469, 0x346D, 
-	0x3481, 0x348B, 0x3491, 0x3497, 0x349D, 0x34A5, 0x34AF, 0x34BB, 
-	0x34C9, 0x34D3, 0x34E1, 0x34F1, 0x34FF, 0x3509, 0x3517, 0x351D, 
-	0x352D, 0x3533, 0x353B, 0x3541, 0x3551, 0x3565, 0x356F, 0x3571, 
-	0x3577, 0x357B, 0x357D, 0x3581, 0x358D, 0x358F, 0x3599, 0x359B, 
-	0x35A1, 0x35B7, 0x35BD, 0x35BF, 0x35C3, 0x35D5, 0x35DD, 0x35E7, 
-	0x35EF, 0x3605, 0x3607, 0x3611, 0x3623, 0x3631, 0x3635, 0x3637, 
-	0x363B, 0x364D, 0x364F, 0x3653, 0x3659, 0x3661, 0x366B, 0x366D, 
-	0x368B, 0x368F, 0x36AD, 0x36AF, 0x36B9, 0x36BB, 0x36CD, 0x36D1, 
-	0x36E3, 0x36E9, 0x36F7, 0x3701, 0x3703, 0x3707, 0x371B, 0x373F, 
-	0x3745, 0x3749, 0x374F, 0x375D, 0x3761, 0x3775, 0x377F, 0x378D, 
-	0x37A3, 0x37A9, 0x37AB, 0x37C9, 0x37D5, 0x37DF, 0x37F1, 0x37F3, 
-	0x37F7, 0x3805, 0x380B, 0x3821, 0x3833, 0x3835, 0x3841, 0x3847, 
-	0x384B, 0x3853, 0x3857, 0x385F, 0x3865, 0x386F, 0x3871, 0x387D, 
-	0x388F, 0x3899, 0x38A7, 0x38B7, 0x38C5, 0x38C9, 0x38CF, 0x38D5, 
-	0x38D7, 0x38DD, 0x38E1, 0x38E3, 0x38FF, 0x3901, 0x391D, 0x3923, 
-	0x3925, 0x3929, 0x392F, 0x393D, 0x3941, 0x394D, 0x395B, 0x396B, 
-	0x3979, 0x397D, 0x3983, 0x398B, 0x3991, 0x3995, 0x399B, 0x39A1, 
-	0x39A7, 0x39AF, 0x39B3, 0x39BB, 0x39BF, 0x39CD, 0x39DD, 0x39E5, 
-	0x39EB, 0x39EF, 0x39FB, 0x3A03, 0x3A13, 0x3A15, 0x3A1F, 0x3A27, 
-	0x3A2B, 0x3A31, 0x3A4B, 0x3A51, 0x3A5B, 0x3A63, 0x3A67, 0x3A6D, 
-	0x3A79, 0x3A87, 0x3AA5, 0x3AA9, 0x3AB7, 0x3ACD, 0x3AD5, 0x3AE1, 
-	0x3AE5, 0x3AEB, 0x3AF3, 0x3AFD, 0x3B03, 0x3B11, 0x3B1B, 0x3B21, 
-	0x3B23, 0x3B2D, 0x3B39, 0x3B45, 0x3B53, 0x3B59, 0x3B5F, 0x3B71, 
-	0x3B7B, 0x3B81, 0x3B89, 0x3B9B, 0x3B9F, 0x3BA5, 0x3BA7, 0x3BAD, 
-	0x3BB7, 0x3BB9, 0x3BC3, 0x3BCB, 0x3BD1, 0x3BD7, 0x3BE1, 0x3BE3, 
-	0x3BF5, 0x3BFF, 0x3C01, 0x3C0D, 0x3C11, 0x3C17, 0x3C1F, 0x3C29, 
-	0x3C35, 0x3C43, 0x3C4F, 0x3C53, 0x3C5B, 0x3C65, 0x3C6B, 0x3C71, 
-	0x3C85, 0x3C89, 0x3C97, 0x3CA7, 0x3CB5, 0x3CBF, 0x3CC7, 0x3CD1, 
-	0x3CDD, 0x3CDF, 0x3CF1, 0x3CF7, 0x3D03, 0x3D0D, 0x3D19, 0x3D1B, 
-	0x3D1F, 0x3D21, 0x3D2D, 0x3D33, 0x3D37, 0x3D3F, 0x3D43, 0x3D6F, 
-	0x3D73, 0x3D75, 0x3D79, 0x3D7B, 0x3D85, 0x3D91, 0x3D97, 0x3D9D, 
-	0x3DAB, 0x3DAF, 0x3DB5, 0x3DBB, 0x3DC1, 0x3DC9, 0x3DCF, 0x3DF3, 
-	0x3E05, 0x3E09, 0x3E0F, 0x3E11, 0x3E1D, 0x3E23, 0x3E29, 0x3E2F, 
-	0x3E33, 0x3E41, 0x3E57, 0x3E63, 0x3E65, 0x3E77, 0x3E81, 0x3E87, 
-	0x3EA1, 0x3EB9, 0x3EBD, 0x3EBF, 0x3EC3, 0x3EC5, 0x3EC9, 0x3ED7, 
-	0x3EDB, 0x3EE1, 0x3EE7, 0x3EEF, 0x3EFF, 0x3F0B, 0x3F0D, 0x3F37, 
-	0x3F3B, 0x3F3D, 0x3F41, 0x3F59, 0x3F5F, 0x3F65, 0x3F67, 0x3F79, 
-	0x3F7D, 0x3F8B, 0x3F91, 0x3FAD, 0x3FBF, 0x3FCD, 0x3FD3, 0x3FDD, 
-	0x3FE9, 0x3FEB, 0x3FF1, 0x3FFD, 0x401B, 0x4021, 0x4025, 0x402B, 
-	0x4031, 0x403F, 0x4043, 0x4045, 0x405D, 0x4061, 0x4067, 0x406D, 
-	0x4087, 0x4091, 0x40A3, 0x40A9, 0x40B1, 0x40B7, 0x40BD, 0x40DB, 
-	0x40DF, 0x40EB, 0x40F7, 0x40F9, 0x4109, 0x410B, 0x4111, 0x4115, 
-	0x4121, 0x4133, 0x4135, 0x413B, 0x413F, 0x4159, 0x4165, 0x416B, 
-	0x4177, 0x417B, 0x4193, 0x41AB, 0x41B7, 0x41BD, 0x41BF, 0x41CB, 
-	0x41E7, 0x41EF, 0x41F3, 0x41F9, 0x4205, 0x4207, 0x4219, 0x421F, 
-	0x4223, 0x4229, 0x422F, 0x4243, 0x4253, 0x4255, 0x425B, 0x4261, 
-	0x4273, 0x427D, 0x4283, 0x4285, 0x4289, 0x4291, 0x4297, 0x429D, 
-	0x42B5, 0x42C5, 0x42CB, 0x42D3, 0x42DD, 0x42E3, 0x42F1, 0x4307, 
-	0x430F, 0x431F, 0x4325, 0x4327, 0x4333, 0x4337, 0x4339, 0x434F, 
-	0x4357, 0x4369, 0x438B, 0x438D, 0x4393, 0x43A5, 0x43A9, 0x43AF, 
-	0x43B5, 0x43BD, 0x43C7, 0x43CF, 0x43E1, 0x43E7, 0x43EB, 0x43ED, 
-	0x43F1, 0x43F9, 0x4409, 0x440B, 0x4417, 0x4423, 0x4429, 0x443B, 
-	0x443F, 0x4445, 0x444B, 0x4451, 0x4453, 0x4459, 0x4465, 0x446F, 
-	0x4483, 0x448F, 0x44A1, 0x44A5, 0x44AB, 0x44AD, 0x44BD, 0x44BF, 
-	0x44C9, 0x44D7, 0x44DB, 0x44F9, 0x44FB, 0x4505, 0x4511, 0x4513, 
-	0x452B, 0x4531, 0x4541, 0x4549, 0x4553, 0x4555, 0x4561, 0x4577, 
-	0x457D, 0x457F, 0x458F, 0x45A3, 0x45AD, 0x45AF, 0x45BB, 0x45C7, 
-	0x45D9, 0x45E3, 0x45EF, 0x45F5, 0x45F7, 0x4601, 0x4603, 0x4609, 
-	0x4613, 0x4625, 0x4627, 0x4633, 0x4639, 0x463D, 0x4643, 0x4645, 
-	0x465D, 0x4679, 0x467B, 0x467F, 0x4681, 0x468B, 0x468D, 0x469D, 
-	0x46A9, 0x46B1, 0x46C7, 0x46C9, 0x46CF, 0x46D3, 0x46D5, 0x46DF, 
-	0x46E5, 0x46F9, 0x4705, 0x470F, 0x4717, 0x4723, 0x4729, 0x472F, 
-	0x4735, 0x4739, 0x474B, 0x474D, 0x4751, 0x475D, 0x476F, 0x4771, 
-	0x477D, 0x4783, 0x4787, 0x4789, 0x4799, 0x47A5, 0x47B1, 0x47BF, 
-	0x47C3, 0x47CB, 0x47DD, 0x47E1, 0x47ED, 0x47FB, 0x4801, 0x4807, 
-	0x480B, 0x4813, 0x4819, 0x481D, 0x4831, 0x483D, 0x4847, 0x4855, 
-	0x4859, 0x485B, 0x486B, 0x486D, 0x4879, 0x4897, 0x489B, 0x48A1, 
-	0x48B9, 0x48CD, 0x48E5, 0x48EF, 0x48F7, 0x4903, 0x490D, 0x4919, 
-	0x491F, 0x492B, 0x4937, 0x493D, 0x4945, 0x4955, 0x4963, 0x4969, 
-	0x496D, 0x4973, 0x4997, 0x49AB, 0x49B5, 0x49D3, 0x49DF, 0x49E1, 
-	0x49E5, 0x49E7, 0x4A03, 0x4A0F, 0x4A1D, 0x4A23, 0x4A39, 0x4A41, 
-	0x4A45, 0x4A57, 0x4A5D, 0x4A6B, 0x4A7D, 0x4A81, 0x4A87, 0x4A89, 
-	0x4A8F, 0x4AB1, 0x4AC3, 0x4AC5, 0x4AD5, 0x4ADB, 0x4AED, 0x4AEF, 
-	0x4B07, 0x4B0B, 0x4B0D, 0x4B13, 0x4B1F, 0x4B25, 0x4B31, 0x4B3B, 
-	0x4B43, 0x4B49, 0x4B59, 0x4B65, 0x4B6D, 0x4B77, 0x4B85, 0x4BAD, 
-	0x4BB3, 0x4BB5, 0x4BBB, 0x4BBF, 0x4BCB, 0x4BD9, 0x4BDD, 0x4BDF, 
-	0x4BE3, 0x4BE5, 0x4BE9, 0x4BF1, 0x4BF7, 0x4C01, 0x4C07, 0x4C0D, 
-	0x4C0F, 0x4C15, 0x4C1B, 0x4C21, 0x4C2D, 0x4C33, 0x4C4B, 0x4C55, 
-	0x4C57, 0x4C61, 0x4C67, 0x4C73, 0x4C79, 0x4C7F, 0x4C8D, 0x4C93, 
-	0x4C99, 0x4CCD, 0x4CE1, 0x4CE7, 0x4CF1, 0x4CF3, 0x4CFD, 0x4D05, 
-	0x4D0F, 0x4D1B, 0x4D27, 0x4D29, 0x4D2F, 0x4D33, 0x4D41, 0x4D51, 
-	0x4D59, 0x4D65, 0x4D6B, 0x4D81, 0x4D83, 0x4D8D, 0x4D95, 0x4D9B, 
-	0x4DB1, 0x4DB3, 0x4DC9, 0x4DCF, 0x4DD7, 0x4DE1, 0x4DED, 0x4DF9, 
-	0x4DFB, 0x4E05, 0x4E0B, 0x4E17, 0x4E19, 0x4E1D, 0x4E2B, 0x4E35, 
-	0x4E37, 0x4E3D, 0x4E4F, 0x4E53, 0x4E5F, 0x4E67, 0x4E79, 0x4E85, 
-	0x4E8B, 0x4E91, 0x4E95, 0x4E9B, 0x4EA1, 0x4EAF, 0x4EB3, 0x4EB5, 
-	0x4EC1, 0x4ECD, 0x4ED1, 0x4ED7, 0x4EE9, 0x4EFB, 0x4F07, 0x4F09, 
-	0x4F19, 0x4F25, 0x4F2D, 0x4F3F, 0x4F49, 0x4F63, 0x4F67, 0x4F6D, 
-	0x4F75, 0x4F7B, 0x4F81, 0x4F85, 0x4F87, 0x4F91, 0x4FA5, 0x4FA9, 
-	0x4FAF, 0x4FB7, 0x4FBB, 0x4FCF, 0x4FD9, 0x4FDB, 0x4FFD, 0x4FFF, 
-	0x5003, 0x501B, 0x501D, 0x5029, 0x5035, 0x503F, 0x5045, 0x5047, 
-	0x5053, 0x5071, 0x5077, 0x5083, 0x5093, 0x509F, 0x50A1, 0x50B7, 
-	0x50C9, 0x50D5, 0x50E3, 0x50ED, 0x50EF, 0x50FB, 0x5107, 0x510B, 
-	0x510D, 0x5111, 0x5117, 0x5123, 0x5125, 0x5135, 0x5147, 0x5149, 
-	0x5171, 0x5179, 0x5189, 0x518F, 0x5197, 0x51A1, 0x51A3, 0x51A7, 
-	0x51B9, 0x51C1, 0x51CB, 0x51D3, 0x51DF, 0x51E3, 0x51F5, 0x51F7, 
-	0x5209, 0x5213, 0x5215, 0x5219, 0x521B, 0x521F, 0x5227, 0x5243, 
-	0x5245, 0x524B, 0x5261, 0x526D, 0x5273, 0x5281, 0x5293, 0x5297, 
-	0x529D, 0x52A5, 0x52AB, 0x52B1, 0x52BB, 0x52C3, 0x52C7, 0x52C9, 
-	0x52DB, 0x52E5, 0x52EB, 0x52FF, 0x5315, 0x531D, 0x5323, 0x5341, 
-	0x5345, 0x5347, 0x534B, 0x535D, 0x5363, 0x5381, 0x5383, 0x5387, 
-	0x538F, 0x5395, 0x5399, 0x539F, 0x53AB, 0x53B9, 0x53DB, 0x53E9, 
-	0x53EF, 0x53F3, 0x53F5, 0x53FB, 0x53FF, 0x540D, 0x5411, 0x5413, 
-	0x5419, 0x5435, 0x5437, 0x543B, 0x5441, 0x5449, 0x5453, 0x5455, 
-	0x545F, 0x5461, 0x546B, 0x546D, 0x5471, 0x548F, 0x5491, 0x549D, 
-	0x54A9, 0x54B3, 0x54C5, 0x54D1, 0x54DF, 0x54E9, 0x54EB, 0x54F7, 
-	0x54FD, 0x5507, 0x550D, 0x551B, 0x5527, 0x552B, 0x5539, 0x553D, 
-	0x554F, 0x5551, 0x555B, 0x5563, 0x5567, 0x556F, 0x5579, 0x5585, 
-	0x5597, 0x55A9, 0x55B1, 0x55B7, 0x55C9, 0x55D9, 0x55E7, 0x55ED, 
-	0x55F3, 0x55FD, 0x560B, 0x560F, 0x5615, 0x5617, 0x5623, 0x562F, 
-	0x5633, 0x5639, 0x563F, 0x564B, 0x564D, 0x565D, 0x565F, 0x566B, 
-	0x5671, 0x5675, 0x5683, 0x5689, 0x568D, 0x568F, 0x569B, 0x56AD, 
-	0x56B1, 0x56D5, 0x56E7, 0x56F3, 0x56FF, 0x5701, 0x5705, 0x5707, 
-	0x570B, 0x5713, 0x571F, 0x5723, 0x5747, 0x574D, 0x575F, 0x5761, 
-	0x576D, 0x5777, 0x577D, 0x5789, 0x57A1, 0x57A9, 0x57AF, 0x57B5, 
-	0x57C5, 0x57D1, 0x57D3, 0x57E5, 0x57EF, 0x5803, 0x580D, 0x580F, 
-	0x5815, 0x5827, 0x582B, 0x582D, 0x5855, 0x585B, 0x585D, 0x586D, 
-	0x586F, 0x5873, 0x587B, 0x588D, 0x5897, 0x58A3, 0x58A9, 0x58AB, 
-	0x58B5, 0x58BD, 0x58C1, 0x58C7, 0x58D3, 0x58D5, 0x58DF, 0x58F1, 
-	0x58F9, 0x58FF, 0x5903, 0x5917, 0x591B, 0x5921, 0x5945, 0x594B, 
-	0x594D, 0x5957, 0x595D, 0x5975, 0x597B, 0x5989, 0x5999, 0x599F, 
-	0x59B1, 0x59B3, 0x59BD, 0x59D1, 0x59DB, 0x59E3, 0x59E9, 0x59ED, 
-	0x59F3, 0x59F5, 0x59FF, 0x5A01, 0x5A0D, 0x5A11, 0x5A13, 0x5A17, 
-	0x5A1F, 0x5A29, 0x5A2F, 0x5A3B, 0x5A4D, 0x5A5B, 0x5A67, 0x5A77, 
-	0x5A7F, 0x5A85, 0x5A95, 0x5A9D, 0x5AA1, 0x5AA3, 0x5AA9, 0x5ABB, 
-	0x5AD3, 0x5AE5, 0x5AEF, 0x5AFB, 0x5AFD, 0x5B01, 0x5B0F, 0x5B19, 
-	0x5B1F, 0x5B25, 0x5B2B, 0x5B3D, 0x5B49, 0x5B4B, 0x5B67, 0x5B79, 
-	0x5B87, 0x5B97, 0x5BA3, 0x5BB1, 0x5BC9, 0x5BD5, 0x5BEB, 0x5BF1, 
-	0x5BF3, 0x5BFD, 0x5C05, 0x5C09, 0x5C0B, 0x5C0F, 0x5C1D, 0x5C29, 
-	0x5C2F, 0x5C33, 0x5C39, 0x5C47, 0x5C4B, 0x5C4D, 0x5C51, 0x5C6F, 
-	0x5C75, 0x5C77, 0x5C7D, 0x5C87, 0x5C89, 0x5CA7, 0x5CBD, 0x5CBF, 
-	0x5CC3, 0x5CC9, 0x5CD1, 0x5CD7, 0x5CDD, 0x5CED, 0x5CF9, 0x5D05, 
-	0x5D0B, 0x5D13, 0x5D17, 0x5D19, 0x5D31, 0x5D3D, 0x5D41, 0x5D47, 
-	0x5D4F, 0x5D55, 0x5D5B, 0x5D65, 0x5D67, 0x5D6D, 0x5D79, 0x5D95, 
-	0x5DA3, 0x5DA9, 0x5DAD, 0x5DB9, 0x5DC1, 0x5DC7, 0x5DD3, 0x5DD7, 
-	0x5DDD, 0x5DEB, 0x5DF1, 0x5DFD, 0x5E07, 0x5E0D, 0x5E13, 0x5E1B, 
-	0x5E21, 0x5E27, 0x5E2B, 0x5E2D, 0x5E31, 0x5E39, 0x5E45, 0x5E49, 
-	0x5E57, 0x5E69, 0x5E73, 0x5E75, 0x5E85, 0x5E8B, 0x5E9F, 0x5EA5, 
-	0x5EAF, 0x5EB7, 0x5EBB, 0x5ED9, 0x5EFD, 0x5F09, 0x5F11, 0x5F27, 
-	0x5F33, 0x5F35, 0x5F3B, 0x5F47, 0x5F57, 0x5F5D, 0x5F63, 0x5F65, 
-	0x5F77, 0x5F7B, 0x5F95, 0x5F99, 0x5FA1, 0x5FB3, 0x5FBD, 0x5FC5, 
-	0x5FCF, 0x5FD5, 0x5FE3, 0x5FE7, 0x5FFB, 0x6011, 0x6023, 0x602F, 
-	0x6037, 0x6053, 0x605F, 0x6065, 0x606B, 0x6073, 0x6079, 0x6085, 
-	0x609D, 0x60AD, 0x60BB, 0x60BF, 0x60CD, 0x60D9, 0x60DF, 0x60E9, 
-	0x60F5, 0x6109, 0x610F, 0x6113, 0x611B, 0x612D, 0x6139, 0x614B, 
-	0x6155, 0x6157, 0x615B, 0x616F, 0x6179, 0x6187, 0x618B, 0x6191, 
-	0x6193, 0x619D, 0x61B5, 0x61C7, 0x61C9, 0x61CD, 0x61E1, 0x61F1, 
-	0x61FF, 0x6209, 0x6217, 0x621D, 0x6221, 0x6227, 0x623B, 0x6241, 
-	0x624B, 0x6251, 0x6253, 0x625F, 0x6265, 0x6283, 0x628D, 0x6295, 
-	0x629B, 0x629F, 0x62A5, 0x62AD, 0x62D5, 0x62D7, 0x62DB, 0x62DD, 
-	0x62E9, 0x62FB, 0x62FF, 0x6305, 0x630D, 0x6317, 0x631D, 0x632F, 
-	0x6341, 0x6343, 0x634F, 0x635F, 0x6367, 0x636D, 0x6371, 0x6377, 
-	0x637D, 0x637F, 0x63B3, 0x63C1, 0x63C5, 0x63D9, 0x63E9, 0x63EB, 
-	0x63EF, 0x63F5, 0x6401, 0x6403, 0x6409, 0x6415, 0x6421, 0x6427, 
-	0x642B, 0x6439, 0x6443, 0x6449, 0x644F, 0x645D, 0x6467, 0x6475, 
-	0x6485, 0x648D, 0x6493, 0x649F, 0x64A3, 0x64AB, 0x64C1, 0x64C7, 
-	0x64C9, 0x64DB, 0x64F1, 0x64F7, 0x64F9, 0x650B, 0x6511, 0x6521, 
-	0x652F, 0x6539, 0x653F, 0x654B, 0x654D, 0x6553, 0x6557, 0x655F, 
-	0x6571, 0x657D, 0x658D, 0x658F, 0x6593, 0x65A1, 0x65A5, 0x65AD, 
-	0x65B9, 0x65C5, 0x65E3, 0x65F3, 0x65FB, 0x65FF, 0x6601, 0x6607, 
-	0x661D, 0x6629, 0x6631, 0x663B, 0x6641, 0x6647, 0x664D, 0x665B, 
-	0x6661, 0x6673, 0x667D, 0x6689, 0x668B, 0x6695, 0x6697, 0x669B, 
-	0x66B5, 0x66B9, 0x66C5, 0x66CD, 0x66D1, 0x66E3, 0x66EB, 0x66F5, 
-	0x6703, 0x6713, 0x6719, 0x671F, 0x6727, 0x6731, 0x6737, 0x673F, 
-	0x6745, 0x6751, 0x675B, 0x676F, 0x6779, 0x6781, 0x6785, 0x6791, 
-	0x67AB, 0x67BD, 0x67C1, 0x67CD, 0x67DF, 0x67E5, 0x6803, 0x6809, 
-	0x6811, 0x6817, 0x682D, 0x6839, 0x683B, 0x683F, 0x6845, 0x684B, 
-	0x684D, 0x6857, 0x6859, 0x685D, 0x6863, 0x6869, 0x686B, 0x6871, 
-	0x6887, 0x6899, 0x689F, 0x68B1, 0x68BD, 0x68C5, 0x68D1, 0x68D7, 
-	0x68E1, 0x68ED, 0x68EF, 0x68FF, 0x6901, 0x690B, 0x690D, 0x6917, 
-	0x6929, 0x692F, 0x6943, 0x6947, 0x6949, 0x694F, 0x6965, 0x696B, 
-	0x6971, 0x6983, 0x6989, 0x6997, 0x69A3, 0x69B3, 0x69B5, 0x69BB, 
-	0x69C1, 0x69C5, 0x69D3, 0x69DF, 0x69E3, 0x69E5, 0x69F7, 0x6A07, 
-	0x6A2B, 0x6A37, 0x6A3D, 0x6A4B, 0x6A67, 0x6A69, 0x6A75, 0x6A7B, 
-	0x6A87, 0x6A8D, 0x6A91, 0x6A93, 0x6AA3, 0x6AC1, 0x6AC9, 0x6AE1, 
-	0x6AE7, 0x6B05, 0x6B0F, 0x6B11, 0x6B23, 0x6B27, 0x6B2D, 0x6B39, 
-	0x6B41, 0x6B57, 0x6B59, 0x6B5F, 0x6B75, 0x6B87, 0x6B89, 0x6B93, 
-	0x6B95, 0x6B9F, 0x6BBD, 0x6BBF, 0x6BDB, 0x6BE1, 0x6BEF, 0x6BFF, 
-	0x6C05, 0x6C19, 0x6C29, 0x6C2B, 0x6C31, 0x6C35, 0x6C55, 0x6C59, 
-	0x6C5B, 0x6C5F, 0x6C65, 0x6C67, 0x6C73, 0x6C77, 0x6C7D, 0x6C83, 
-	0x6C8F, 0x6C91, 0x6C97, 0x6C9B, 0x6CA1, 0x6CA9, 0x6CAF, 0x6CB3, 
-	0x6CC7, 0x6CCB, 0x6CEB, 0x6CF5, 0x6CFD, 0x6D0D, 0x6D0F, 0x6D25, 
-	0x6D27, 0x6D2B, 0x6D31, 0x6D39, 0x6D3F, 0x6D4F, 0x6D5D, 0x6D61, 
-	0x6D73, 0x6D7B, 0x6D7F, 0x6D93, 0x6D99, 0x6DA5, 0x6DB1, 0x6DB7, 
-	0x6DC1, 0x6DC3, 0x6DCD, 0x6DCF, 0x6DDB, 0x6DF7, 0x6E03, 0x6E15, 
-	0x6E17, 0x6E29, 0x6E33, 0x6E3B, 0x6E45, 0x6E75, 0x6E77, 0x6E7B, 
-	0x6E81, 0x6E89, 0x6E93, 0x6E95, 0x6E9F, 0x6EBD, 0x6EBF, 0x6EE3, 
-	0x6EE9, 0x6EF3, 0x6EF9, 0x6EFB, 0x6F0D, 0x6F11, 0x6F17, 0x6F1F, 
-	0x6F2F, 0x6F3D, 0x6F4D, 0x6F53, 0x6F61, 0x6F65, 0x6F79, 0x6F7D, 
-	0x6F83, 0x6F85, 0x6F8F, 0x6F9B, 0x6F9D, 0x6FA3, 0x6FAF, 0x6FB5, 
-	0x6FBB, 0x6FBF, 0x6FCB, 0x6FCD, 0x6FD3, 0x6FD7, 0x6FE3, 0x6FE9, 
-	0x6FF1, 0x6FF5, 0x6FF7, 0x6FFD, 0x700F, 0x7019, 0x701F, 0x7027, 
-	0x7033, 0x7039, 0x704F, 0x7051, 0x7057, 0x7063, 0x7075, 0x7079, 
-	0x7087, 0x708D, 0x7091, 0x70A5, 0x70AB, 0x70BB, 0x70C3, 0x70C7, 
-	0x70CF, 0x70E5, 0x70ED, 0x70F9, 0x70FF, 0x7105, 0x7115, 0x7121, 
-	0x7133, 0x7151, 0x7159, 0x715D, 0x715F, 0x7163, 0x7169, 0x7183, 
-	0x7187, 0x7195, 0x71AD, 0x71C3, 0x71C9, 0x71CB, 0x71D1, 0x71DB, 
-	0x71E1, 0x71EF, 0x71F5, 0x71FB, 0x7207, 0x7211, 0x7217, 0x7219, 
-	0x7225, 0x722F, 0x723B, 0x7243, 0x7255, 0x7267, 0x7271, 0x7277, 
-	0x727F, 0x728F, 0x7295, 0x729B, 0x72A3, 0x72B3, 0x72C7, 0x72CB, 
-	0x72CD, 0x72D7, 0x72D9, 0x72E3, 0x72EF, 0x72F5, 0x72FD, 0x7303, 
-	0x730D, 0x7321, 0x732B, 0x733D, 0x7357, 0x735B, 0x7361, 0x737F, 
-	0x7381, 0x7385, 0x738D, 0x7393, 0x739F, 0x73AB, 0x73BD, 0x73C1, 
-	0x73C9, 0x73DF, 0x73E5, 0x73E7, 0x73F3, 0x7415, 0x741B, 0x742D, 
-	0x7439, 0x743F, 0x7441, 0x745D, 0x746B, 0x747B, 0x7489, 0x748D, 
-	0x749B, 0x74A7, 0x74AB, 0x74B1, 0x74B7, 0x74B9, 0x74DD, 0x74E1, 
-	0x74E7, 0x74FB, 0x7507, 0x751F, 0x7525, 0x753B, 0x753D, 0x754D, 
-	0x755F, 0x756B, 0x7577, 0x7589, 0x758B, 0x7591, 0x7597, 0x759D, 
-	0x75A1, 0x75A7, 0x75B5, 0x75B9, 0x75BB, 0x75D1, 0x75D9, 0x75E5, 
-	0x75EB, 0x75F5, 0x75FB, 0x7603, 0x760F, 0x7621, 0x762D, 0x7633, 
-	0x763D, 0x763F, 0x7655, 0x7663, 0x7669, 0x766F, 0x7673, 0x7685, 
-	0x768B, 0x769F, 0x76B5, 0x76B7, 0x76C3, 0x76DB, 0x76DF, 0x76F1, 
-	0x7703, 0x7705, 0x771B, 0x771D, 0x7721, 0x772D, 0x7735, 0x7741, 
-	0x774B, 0x7759, 0x775D, 0x775F, 0x7771, 0x7781, 0x77A7, 0x77AD, 
-	0x77B3, 0x77B9, 0x77C5, 0x77CF, 0x77D5, 0x77E1, 0x77E9, 0x77EF, 
-	0x77F3, 0x77F9, 0x7807, 0x7825, 0x782B, 0x7835, 0x783D, 0x7853, 
-	0x7859, 0x7861, 0x786D, 0x7877, 0x7879, 0x7883, 0x7885, 0x788B, 
-	0x7895, 0x7897, 0x78A1, 0x78AD, 0x78BF, 0x78D3, 0x78D9, 0x78DD, 
-	0x78E5, 0x78FB, 0x7901, 0x7907, 0x7925, 0x792B, 0x7939, 0x793F, 
-	0x794B, 0x7957, 0x795D, 0x7967, 0x7969, 0x7973, 0x7991, 0x7993, 
-	0x79A3, 0x79AB, 0x79AF, 0x79B1, 0x79B7, 0x79C9, 0x79CD, 0x79CF, 
-	0x79D5, 0x79D9, 0x79F3, 0x79F7, 0x79FF, 0x7A05, 0x7A0F, 0x7A11, 
-	0x7A15, 0x7A1B, 0x7A23, 0x7A27, 0x7A2D, 0x7A4B, 0x7A57, 0x7A59, 
-	0x7A5F, 0x7A65, 0x7A69, 0x7A7D, 0x7A93, 0x7A9B, 0x7A9F, 0x7AA1, 
-	0x7AA5, 0x7AED, 0x7AF5, 0x7AF9, 0x7B01, 0x7B17, 0x7B19, 0x7B1D, 
-	0x7B2B, 0x7B35, 0x7B37, 0x7B3B, 0x7B4F, 0x7B55, 0x7B5F, 0x7B71, 
-	0x7B77, 0x7B8B, 0x7B9B, 0x7BA1, 0x7BA9, 0x7BAF, 0x7BB3, 0x7BC7, 
-	0x7BD3, 0x7BE9, 0x7BEB, 0x7BEF, 0x7BF1, 0x7BFD, 0x7C07, 0x7C19, 
-	0x7C1B, 0x7C31, 0x7C37, 0x7C49, 0x7C67, 0x7C69, 0x7C73, 0x7C81, 
-	0x7C8B, 0x7C93, 0x7CA3, 0x7CD5, 0x7CDB, 0x7CE5, 0x7CED, 0x7CF7, 
-	0x7D03, 0x7D09, 0x7D1B, 0x7D1D, 0x7D33, 0x7D39, 0x7D3B, 0x7D3F, 
-	0x7D45, 0x7D4D, 0x7D53, 0x7D59, 0x7D63, 0x7D75, 0x7D77, 0x7D8D, 
-	0x7D8F, 0x7D9F, 0x7DAD, 0x7DB7, 0x7DBD, 0x7DBF, 0x7DCB, 0x7DD5, 
-	0x7DE9, 0x7DED, 0x7DFB, 0x7E01, 0x7E05, 0x7E29, 0x7E2B, 0x7E2F, 
-	0x7E35, 0x7E41, 0x7E43, 0x7E47, 0x7E55, 0x7E61, 0x7E67, 0x7E6B, 
-	0x7E71, 0x7E73, 0x7E79, 0x7E7D, 0x7E91, 0x7E9B, 0x7E9D, 0x7EA7, 
-	0x7EAD, 0x7EB9, 0x7EBB, 0x7ED3, 0x7EDF, 0x7EEB, 0x7EF1, 0x7EF7, 
-	0x7EFB, 0x7F13, 0x7F15, 0x7F19, 0x7F31, 0x7F33, 0x7F39, 0x7F3D, 
-	0x7F43, 0x7F4B, 0x7F5B, 0x7F61, 0x7F63, 0x7F6D, 0x7F79, 0x7F87, 
-	0x7F8D, 0x7FAF, 0x7FB5, 0x7FC3, 0x7FC9, 0x7FCD, 0x7FCF, 0x7FED, 
-	0x8003, 0x800B, 0x800F, 0x8015, 0x801D, 0x8021, 0x8023, 0x803F, 
-	0x8041, 0x8047, 0x804B, 0x8065, 0x8077, 0x808D, 0x808F, 0x8095, 
-	0x80A5, 0x80AB, 0x80AD, 0x80BD, 0x80C9, 0x80CB, 0x80D7, 0x80DB, 
-	0x80E1, 0x80E7, 0x80F5, 0x80FF, 0x8105, 0x810D, 0x8119, 0x811D, 
-	0x812F, 0x8131, 0x813B, 0x8143, 0x8153, 0x8159, 0x815F, 0x817D, 
-	0x817F, 0x8189, 0x819B, 0x819D, 0x81A7, 0x81AF, 0x81B3, 0x81BB, 
-	0x81C7, 0x81DF, 0x8207, 0x8209, 0x8215, 0x821F, 0x8225, 0x8231, 
-	0x8233, 0x823F, 0x8243, 0x8245, 0x8249, 0x824F, 0x8261, 0x826F, 
-	0x827B, 0x8281, 0x8285, 0x8293, 0x82B1, 0x82B5, 0x82BD, 0x82C7, 
-	0x82CF, 0x82D5, 0x82DF, 0x82F1, 0x82F9, 0x82FD, 0x830B, 0x831B, 
-	0x8321, 0x8329, 0x832D, 0x8333, 0x8335, 0x833F, 0x8341, 0x834D, 
-	0x8351, 0x8353, 0x8357, 0x835D, 0x8365, 0x8369, 0x836F, 0x838F, 
-	0x83A7, 0x83B1, 0x83B9, 0x83CB, 0x83D5, 0x83D7, 0x83DD, 0x83E7, 
-	0x83E9, 0x83ED, 0x83FF, 0x8405, 0x8411, 0x8413, 0x8423, 0x8425, 
-	0x843B, 0x8441, 0x8447, 0x844F, 0x8461, 0x8465, 0x8477, 0x8483, 
-	0x848B, 0x8491, 0x8495, 0x84A9, 0x84AF, 0x84CD, 0x84E3, 0x84EF, 
-	0x84F1, 0x84F7, 0x8509, 0x850D, 0x854B, 0x854F, 0x8551, 0x855D, 
-	0x8563, 0x856D, 0x856F, 0x857B, 0x8587, 0x85A3, 0x85A5, 0x85A9, 
-	0x85B7, 0x85CD, 0x85D3, 0x85D5, 0x85DB, 0x85E1, 0x85EB, 0x85F9, 
-	0x85FD, 0x85FF, 0x8609, 0x860F, 0x8617, 0x8621, 0x862F, 0x8639, 
-	0x863F, 0x8641, 0x864D, 0x8663, 0x8675, 0x867D, 0x8687, 0x8699, 
-	0x86A5, 0x86A7, 0x86B3, 0x86B7, 0x86C3, 0x86C5, 0x86CF, 0x86D1, 
-	0x86D7, 0x86E9, 0x86EF, 0x86F5, 0x8717, 0x871D, 0x871F, 0x872B, 
-	0x872F, 0x8735, 0x8747, 0x8759, 0x875B, 0x876B, 0x8771, 0x8777, 
-	0x877F, 0x8785, 0x878F, 0x87A1, 0x87A9, 0x87B3, 0x87BB, 0x87C5, 
-	0x87C7, 0x87CB, 0x87DD, 0x87F7, 0x8803, 0x8819, 0x881B, 0x881F, 
-	0x8821, 0x8837, 0x883D, 0x8843, 0x8851, 0x8861, 0x8867, 0x887B, 
-	0x8885, 0x8891, 0x8893, 0x88A5, 0x88CF, 0x88D3, 0x88EB, 0x88ED, 
-	0x88F3, 0x88FD, 0x8909, 0x890B, 0x8911, 0x891B, 0x8923, 0x8927, 
-	0x892D, 0x8939, 0x8945, 0x894D, 0x8951, 0x8957, 0x8963, 0x8981, 
-	0x8995, 0x899B, 0x89B3, 0x89B9, 0x89C3, 0x89CF, 0x89D1, 0x89DB, 
-	0x89EF, 0x89F5, 0x89FB, 0x89FF, 0x8A0B, 0x8A19, 0x8A23, 0x8A35, 
-	0x8A41, 0x8A49, 0x8A4F, 0x8A5B, 0x8A5F, 0x8A6D, 0x8A77, 0x8A79, 
-	0x8A85, 0x8AA3, 0x8AB3, 0x8AB5, 0x8AC1, 0x8AC7, 0x8ACB, 0x8ACD, 
-	0x8AD1, 0x8AD7, 0x8AF1, 0x8AF5, 0x8B07, 0x8B09, 0x8B0D, 0x8B13, 
-	0x8B21, 0x8B57, 0x8B5D, 0x8B91, 0x8B93, 0x8BA3, 0x8BA9, 0x8BAF, 
-	0x8BBB, 0x8BD5, 0x8BD9, 0x8BDB, 0x8BE1, 0x8BF7, 0x8BFD, 0x8BFF, 
-	0x8C0B, 0x8C17, 0x8C1D, 0x8C27, 0x8C39, 0x8C3B, 0x8C47, 0x8C53, 
-	0x8C5D, 0x8C6F, 0x8C7B, 0x8C81, 0x8C89, 0x8C8F, 0x8C99, 0x8C9F, 
-	0x8CA7, 0x8CAB, 0x8CAD, 0x8CB1, 0x8CC5, 0x8CDD, 0x8CE3, 0x8CE9, 
-	0x8CF3, 0x8D01, 0x8D0B, 0x8D0D, 0x8D23, 0x8D29, 0x8D37, 0x8D41, 
-	0x8D5B, 0x8D5F, 0x8D71, 0x8D79, 0x8D85, 0x8D91, 0x8D9B, 0x8DA7, 
-	0x8DAD, 0x8DB5, 0x8DC5, 0x8DCB, 0x8DD3, 0x8DD9, 0x8DDF, 0x8DF5, 
-	0x8DF7, 0x8E01, 0x8E15, 0x8E1F, 0x8E25, 0x8E51, 0x8E63, 0x8E69, 
-	0x8E73, 0x8E75, 0x8E79, 0x8E7F, 0x8E8D, 0x8E91, 0x8EAB, 0x8EAF, 
-	0x8EB1, 0x8EBD, 0x8EC7, 0x8ECF, 0x8ED3, 0x8EDB, 0x8EE7, 0x8EEB, 
-	0x8EF7, 0x8EFF, 0x8F15, 0x8F1D, 0x8F23, 0x8F2D, 0x8F3F, 0x8F45, 
-	0x8F4B, 0x8F53, 0x8F59, 0x8F65, 0x8F69, 0x8F71, 0x8F83, 0x8F8D, 
-	0x8F99, 0x8F9F, 0x8FAB, 0x8FAD, 0x8FB3, 0x8FB7, 0x8FB9, 0x8FC9, 
-	0x8FD5, 0x8FE1, 0x8FEF, 0x8FF9, 0x9007, 0x900D, 0x9017, 0x9023, 
-	0x9025, 0x9031, 0x9037, 0x903B, 0x9041, 0x9043, 0x904F, 0x9053, 
-	0x906D, 0x9073, 0x9085, 0x908B, 0x9095, 0x909B, 0x909D, 0x90AF, 
-	0x90B9, 0x90C1, 0x90C5, 0x90DF, 0x90E9, 0x90FD, 0x9103, 0x9113, 
-	0x9127, 0x9133, 0x913D, 0x9145, 0x914F, 0x9151, 0x9161, 0x9167, 
-	0x917B, 0x9185, 0x9199, 0x919D, 0x91BB, 0x91BD, 0x91C1, 0x91C9, 
-	0x91D9, 0x91DB, 0x91ED, 0x91F1, 0x91F3, 0x91F9, 0x9203, 0x9215, 
-	0x9221, 0x922F, 0x9241, 0x9247, 0x9257, 0x926B, 0x9271, 0x9275, 
-	0x927D, 0x9283, 0x9287, 0x928D, 0x9299, 0x92A1, 0x92AB, 0x92AD, 
-	0x92B9, 0x92BF, 0x92C3, 0x92C5, 0x92CB, 0x92D5, 0x92D7, 0x92E7, 
-	0x92F3, 0x9301, 0x930B, 0x9311, 0x9319, 0x931F, 0x933B, 0x933D, 
-	0x9343, 0x9355, 0x9373, 0x9395, 0x9397, 0x93A7, 0x93B3, 0x93B5, 
-	0x93C7, 0x93D7, 0x93DD, 0x93E5, 0x93EF, 0x93F7, 0x9401, 0x9409, 
-	0x9413, 0x943F, 0x9445, 0x944B, 0x944F, 0x9463, 0x9467, 0x9469, 
-	0x946D, 0x947B, 0x9497, 0x949F, 0x94A5, 0x94B5, 0x94C3, 0x94E1, 
-	0x94E7, 0x9505, 0x9509, 0x9517, 0x9521, 0x9527, 0x952D, 0x9535, 
-	0x9539, 0x954B, 0x9557, 0x955D, 0x955F, 0x9575, 0x9581, 0x9589, 
-	0x958F, 0x959B, 0x959F, 0x95AD, 0x95B1, 0x95B7, 0x95B9, 0x95BD, 
-	0x95CF, 0x95E3, 0x95E9, 0x95F9, 0x961F, 0x962F, 0x9631, 0x9635, 
-	0x963B, 0x963D, 0x9665, 0x968F, 0x969D, 0x96A1, 0x96A7, 0x96A9, 
-	0x96C1, 0x96CB, 0x96D1, 0x96D3, 0x96E5, 0x96EF, 0x96FB, 0x96FD, 
-	0x970D, 0x970F, 0x9715, 0x9725, 0x972B, 0x9733, 0x9737, 0x9739, 
-	0x9743, 0x9749, 0x9751, 0x975B, 0x975D, 0x976F, 0x977F, 0x9787, 
-	0x9793, 0x97A5, 0x97B1, 0x97B7, 0x97C3, 0x97CD, 0x97D3, 0x97D9, 
-	0x97EB, 0x97F7, 0x9805, 0x9809, 0x980B, 0x9815, 0x9829, 0x982F, 
-	0x983B, 0x9841, 0x9851, 0x986B, 0x986F, 0x9881, 0x9883, 0x9887, 
-	0x98A7, 0x98B1, 0x98B9, 0x98BF, 0x98C3, 0x98C9, 0x98CF, 0x98DD, 
-	0x98E3, 0x98F5, 0x98F9, 0x98FB, 0x990D, 0x9917, 0x991F, 0x9929, 
-	0x9931, 0x993B, 0x993D, 0x9941, 0x9947, 0x9949, 0x9953, 0x997D, 
-	0x9985, 0x9991, 0x9995, 0x999B, 0x99AD, 0x99AF, 0x99BF, 0x99C7, 
-	0x99CB, 0x99CD, 0x99D7, 0x99E5, 0x99F1, 0x99FB, 0x9A0F, 0x9A13, 
-	0x9A1B, 0x9A25, 0x9A4B, 0x9A4F, 0x9A55, 0x9A57, 0x9A61, 0x9A75, 
-	0x9A7F, 0x9A8B, 0x9A91, 0x9A9D, 0x9AB7, 0x9AC3, 0x9AC7, 0x9ACF, 
-	0x9AEB, 0x9AF3, 0x9AF7, 0x9AFF, 0x9B17, 0x9B1D, 0x9B27, 0x9B2F, 
-	0x9B35, 0x9B45, 0x9B51, 0x9B59, 0x9B63, 0x9B6F, 0x9B77, 0x9B8D, 
-	0x9B93, 0x9B95, 0x9B9F, 0x9BA1, 0x9BA7, 0x9BB1, 0x9BB7, 0x9BBD, 
-	0x9BC5, 0x9BCB, 0x9BCF, 0x9BDD, 0x9BF9, 0x9C01, 0x9C11, 0x9C23, 
-	0x9C2B, 0x9C2F, 0x9C35, 0x9C49, 0x9C4D, 0x9C5F, 0x9C65, 0x9C67, 
-	0x9C7F, 0x9C97, 0x9C9D, 0x9CA3, 0x9CAF, 0x9CBB, 0x9CBF, 0x9CC1, 
-	0x9CD7, 0x9CD9, 0x9CE3, 0x9CE9, 0x9CF1, 0x9CFD, 0x9D01, 0x9D15, 
-	0x9D27, 0x9D2D, 0x9D31, 0x9D3D, 0x9D55, 0x9D5B, 0x9D61, 0x9D97, 
-	0x9D9F, 0x9DA5, 0x9DA9, 0x9DC3, 0x9DE7, 0x9DEB, 0x9DED, 0x9DF1, 
-	0x9E0B, 0x9E17, 0x9E23, 0x9E27, 0x9E2D, 0x9E33, 0x9E3B, 0x9E47, 
-	0x9E51, 0x9E53, 0x9E5F, 0x9E6F, 0x9E81, 0x9E87, 0x9E8F, 0x9E95, 
-	0x9EA1, 0x9EB3, 0x9EBD, 0x9EBF, 0x9EF5, 0x9EF9, 0x9EFB, 0x9F05, 
-	0x9F23, 0x9F2F, 0x9F37, 0x9F3B, 0x9F43, 0x9F53, 0x9F61, 0x9F6D, 
-	0x9F73, 0x9F77, 0x9F7D, 0x9F89, 0x9F8F, 0x9F91, 0x9F95, 0x9FA3, 
-	0x9FAF, 0x9FB3, 0x9FC1, 0x9FC7, 0x9FDF, 0x9FE5, 0x9FEB, 0x9FF5, 
-	0xA001, 0xA00D, 0xA021, 0xA033, 0xA039, 0xA03F, 0xA04F, 0xA057, 
-	0xA05B, 0xA061, 0xA075, 0xA079, 0xA099, 0xA09D, 0xA0AB, 0xA0B5, 
-	0xA0B7, 0xA0BD, 0xA0C9, 0xA0D9, 0xA0DB, 0xA0DF, 0xA0E5, 0xA0F1, 
-	0xA0F3, 0xA0FD, 0xA105, 0xA10B, 0xA10F, 0xA111, 0xA11B, 0xA129, 
-	0xA12F, 0xA135, 0xA141, 0xA153, 0xA175, 0xA17D, 0xA187, 0xA18D, 
-	0xA1A5, 0xA1AB, 0xA1AD, 0xA1B7, 0xA1C3, 0xA1C5, 0xA1E3, 0xA1ED, 
-	0xA1FB, 0xA207, 0xA213, 0xA223, 0xA229, 0xA22F, 0xA231, 0xA243, 
-	0xA247, 0xA24D, 0xA26B, 0xA279, 0xA27D, 0xA283, 0xA289, 0xA28B, 
-	0xA291, 0xA295, 0xA29B, 0xA2A9, 0xA2AF, 0xA2B3, 0xA2BB, 0xA2C5, 
-	0xA2D1, 0xA2D7, 0xA2F7, 0xA301, 0xA309, 0xA31F, 0xA321, 0xA32B, 
-	0xA331, 0xA349, 0xA351, 0xA355, 0xA373, 0xA379, 0xA37B, 0xA387, 
-	0xA397, 0xA39F, 0xA3A5, 0xA3A9, 0xA3AF, 0xA3B7, 0xA3C7, 0xA3D5, 
-	0xA3DB, 0xA3E1, 0xA3E5, 0xA3E7, 0xA3F1, 0xA3FD, 0xA3FF, 0xA40F, 
-	0xA41D, 0xA421, 0xA423, 0xA427, 0xA43B, 0xA44D, 0xA457, 0xA459, 
-	0xA463, 0xA469, 0xA475, 0xA493, 0xA49B, 0xA4AD, 0xA4B9, 0xA4C3, 
-	0xA4C5, 0xA4CB, 0xA4D1, 0xA4D5, 0xA4E1, 0xA4ED, 0xA4EF, 0xA4F3, 
-	0xA4FF, 0xA511, 0xA529, 0xA52B, 0xA535, 0xA53B, 0xA543, 0xA553, 
-	0xA55B, 0xA561, 0xA56D, 0xA577, 0xA585, 0xA58B, 0xA597, 0xA59D, 
-	0xA5A3, 0xA5A7, 0xA5A9, 0xA5C1, 0xA5C5, 0xA5CB, 0xA5D3, 0xA5D9, 
-	0xA5DD, 0xA5DF, 0xA5E3, 0xA5E9, 0xA5F7, 0xA5FB, 0xA603, 0xA60D, 
-	0xA625, 0xA63D, 0xA649, 0xA64B, 0xA651, 0xA65D, 0xA673, 0xA691, 
-	0xA693, 0xA699, 0xA6AB, 0xA6B5, 0xA6BB, 0xA6C1, 0xA6C9, 0xA6CD, 
-	0xA6CF, 0xA6D5, 0xA6DF, 0xA6E7, 0xA6F1, 0xA6F7, 0xA6FF, 0xA70F, 
-	0xA715, 0xA723, 0xA729, 0xA72D, 0xA745, 0xA74D, 0xA757, 0xA759, 
-	0xA765, 0xA76B, 0xA76F, 0xA793, 0xA795, 0xA7AB, 0xA7B1, 0xA7B9, 
-	0xA7BF, 0xA7C9, 0xA7D1, 0xA7D7, 0xA7E3, 0xA7ED, 0xA7FB, 0xA805, 
-	0xA80B, 0xA81D, 0xA829, 0xA82B, 0xA837, 0xA83B, 0xA855, 0xA85F, 
-	0xA86D, 0xA87D, 0xA88F, 0xA897, 0xA8A9, 0xA8B5, 0xA8C1, 0xA8C7, 
-	0xA8D7, 0xA8E5, 0xA8FD, 0xA907, 0xA913, 0xA91B, 0xA931, 0xA937, 
-	0xA939, 0xA943, 0xA97F, 0xA985, 0xA987, 0xA98B, 0xA993, 0xA9A3, 
-	0xA9B1, 0xA9BB, 0xA9C1, 0xA9D9, 0xA9DF, 0xA9EB, 0xA9FD, 0xAA15, 
-	0xAA17, 0xAA35, 0xAA39, 0xAA3B, 0xAA47, 0xAA4D, 0xAA57, 0xAA59, 
-	0xAA5D, 0xAA6B, 0xAA71, 0xAA81, 0xAA83, 0xAA8D, 0xAA95, 0xAAAB, 
-	0xAABF, 0xAAC5, 0xAAC9, 0xAAE9, 0xAAEF, 0xAB01, 0xAB05, 0xAB07, 
-	0xAB0B, 0xAB0D, 0xAB11, 0xAB19, 0xAB4D, 0xAB5B, 0xAB71, 0xAB73, 
-	0xAB89, 0xAB9D, 0xABA7, 0xABAF, 0xABB9, 0xABBB, 0xABC1, 0xABC5, 
-	0xABD3, 0xABD7, 0xABDD, 0xABF1, 0xABF5, 0xABFB, 0xABFD, 0xAC09, 
-	0xAC15, 0xAC1B, 0xAC27, 0xAC37, 0xAC39, 0xAC45, 0xAC4F, 0xAC57, 
-	0xAC5B, 0xAC61, 0xAC63, 0xAC7F, 0xAC8B, 0xAC93, 0xAC9D, 0xACA9, 
-	0xACAB, 0xACAF, 0xACBD, 0xACD9, 0xACE1, 0xACE7, 0xACEB, 0xACED, 
-	0xACF1, 0xACF7, 0xACF9, 0xAD05, 0xAD3F, 0xAD45, 0xAD53, 0xAD5D, 
-	0xAD5F, 0xAD65, 0xAD81, 0xADA1, 0xADA5, 0xADC3, 0xADCB, 0xADD1, 
-	0xADD5, 0xADDB, 0xADE7, 0xADF3, 0xADF5, 0xADF9, 0xADFF, 0xAE05, 
-	0xAE13, 0xAE23, 0xAE2B, 0xAE49, 0xAE4D, 0xAE4F, 0xAE59, 0xAE61, 
-	0xAE67, 0xAE6B, 0xAE71, 0xAE8B, 0xAE8F, 0xAE9B, 0xAE9D, 0xAEA7, 
-	0xAEB9, 0xAEC5, 0xAED1, 0xAEE3, 0xAEE5, 0xAEE9, 0xAEF5, 0xAEFD, 
-	0xAF09, 0xAF13, 0xAF27, 0xAF2B, 0xAF33, 0xAF43, 0xAF4F, 0xAF57, 
-	0xAF5D, 0xAF6D, 0xAF75, 0xAF7F, 0xAF8B, 0xAF99, 0xAF9F, 0xAFA3, 
-	0xAFAB, 0xAFB7, 0xAFBB, 0xAFCF, 0xAFD5, 0xAFFD, 0xB005, 0xB015, 
-	0xB01B, 0xB03F, 0xB041, 0xB047, 0xB04B, 0xB051, 0xB053, 0xB069, 
-	0xB07B, 0xB07D, 0xB087, 0xB08D, 0xB0B1, 0xB0BF, 0xB0CB, 0xB0CF, 
-	0xB0E1, 0xB0E9, 0xB0ED, 0xB0FB, 0xB105, 0xB107, 0xB111, 0xB119, 
-	0xB11D, 0xB11F, 0xB131, 0xB141, 0xB14D, 0xB15B, 0xB165, 0xB173, 
-	0xB179, 0xB17F, 0xB1A9, 0xB1B3, 0xB1B9, 0xB1BF, 0xB1D3, 0xB1DD, 
-	0xB1E5, 0xB1F1, 0xB1F5, 0xB201, 0xB213, 0xB215, 0xB21F, 0xB22D, 
-	0xB23F, 0xB249, 0xB25B, 0xB263, 0xB269, 0xB26D, 0xB27B, 0xB281, 
-	0xB28B, 0xB2A9, 0xB2B7, 0xB2BD, 0xB2C3, 0xB2C7, 0xB2D3, 0xB2F9, 
-	0xB2FD, 0xB2FF, 0xB303, 0xB309, 0xB311, 0xB31D, 0xB327, 0xB32D, 
-	0xB33F, 0xB345, 0xB377, 0xB37D, 0xB381, 0xB387, 0xB393, 0xB39B, 
-	0xB3A5, 0xB3C5, 0xB3CB, 0xB3E1, 0xB3E3, 0xB3ED, 0xB3F9, 0xB40B, 
-	0xB40D, 0xB413, 0xB417, 0xB435, 0xB43D, 0xB443, 0xB449, 0xB45B, 
-	0xB465, 0xB467, 0xB46B, 0xB477, 0xB48B, 0xB495, 0xB49D, 0xB4B5, 
-	0xB4BF, 0xB4C1, 0xB4C7, 0xB4DD, 0xB4E3, 0xB4E5, 0xB4F7, 0xB501, 
-	0xB50D, 0xB50F, 0xB52D, 0xB53F, 0xB54B, 0xB567, 0xB569, 0xB56F, 
-	0xB573, 0xB579, 0xB587, 0xB58D, 0xB599, 0xB5A3, 0xB5AB, 0xB5AF, 
-	0xB5BB, 0xB5D5, 0xB5DF, 0xB5E7, 0xB5ED, 0xB5FD, 0xB5FF, 0xB609, 
-	0xB61B, 0xB629, 0xB62F, 0xB633, 0xB639, 0xB647, 0xB657, 0xB659, 
-	0xB65F, 0xB663, 0xB66F, 0xB683, 0xB687, 0xB69B, 0xB69F, 0xB6A5, 
-	0xB6B1, 0xB6B3, 0xB6D7, 0xB6DB, 0xB6E1, 0xB6E3, 0xB6ED, 0xB6EF, 
-	0xB705, 0xB70D, 0xB713, 0xB71D, 0xB729, 0xB735, 0xB747, 0xB755, 
-	0xB76D, 0xB791, 0xB795, 0xB7A9, 0xB7C1, 0xB7CB, 0xB7D1, 0xB7D3, 
-	0xB7EF, 0xB7F5, 0xB807, 0xB80F, 0xB813, 0xB819, 0xB821, 0xB827, 
-	0xB82B, 0xB82D, 0xB839, 0xB855, 0xB867, 0xB875, 0xB885, 0xB893, 
-	0xB8A5, 0xB8AF, 0xB8B7, 0xB8BD, 0xB8C1, 0xB8C7, 0xB8CD, 0xB8D5, 
-	0xB8EB, 0xB8F7, 0xB8F9, 0xB903, 0xB915, 0xB91B, 0xB91D, 0xB92F, 
-	0xB939, 0xB93B, 0xB947, 0xB951, 0xB963, 0xB983, 0xB989, 0xB98D, 
-	0xB993, 0xB999, 0xB9A1, 0xB9A7, 0xB9AD, 0xB9B7, 0xB9CB, 0xB9D1, 
-	0xB9DD, 0xB9E7, 0xB9EF, 0xB9F9, 0xBA07, 0xBA0D, 0xBA17, 0xBA25, 
-	0xBA29, 0xBA2B, 0xBA41, 0xBA53, 0xBA55, 0xBA5F, 0xBA61, 0xBA65, 
-	0xBA79, 0xBA7D, 0xBA7F, 0xBAA1, 0xBAA3, 0xBAAF, 0xBAB5, 0xBABF, 
-	0xBAC1, 0xBACB, 0xBADD, 0xBAE3, 0xBAF1, 0xBAFD, 0xBB09, 0xBB1F, 
-	0xBB27, 0xBB2D, 0xBB3D, 0xBB43, 0xBB4B, 0xBB4F, 0xBB5B, 0xBB61, 
-	0xBB69, 0xBB6D, 0xBB91, 0xBB97, 0xBB9D, 0xBBB1, 0xBBC9, 0xBBCF, 
-	0xBBDB, 0xBBED, 0xBBF7, 0xBBF9, 0xBC03, 0xBC1D, 0xBC23, 0xBC33, 
-	0xBC3B, 0xBC41, 0xBC45, 0xBC5D, 0xBC6F, 0xBC77, 0xBC83, 0xBC8F, 
-	0xBC99, 0xBCAB, 0xBCB7, 0xBCB9, 0xBCD1, 0xBCD5, 0xBCE1, 0xBCF3, 
-	0xBCFF, 0xBD0D, 0xBD17, 0xBD19, 0xBD1D, 0xBD35, 0xBD41, 0xBD4F, 
-	0xBD59, 0xBD5F, 0xBD61, 0xBD67, 0xBD6B, 0xBD71, 0xBD8B, 0xBD8F, 
-	0xBD95, 0xBD9B, 0xBD9D, 0xBDB3, 0xBDBB, 0xBDCD, 0xBDD1, 0xBDE3, 
-	0xBDEB, 0xBDEF, 0xBE07, 0xBE09, 0xBE15, 0xBE21, 0xBE25, 0xBE27, 
-	0xBE5B, 0xBE5D, 0xBE6F, 0xBE75, 0xBE79, 0xBE7F, 0xBE8B, 0xBE8D, 
-	0xBE93, 0xBE9F, 0xBEA9, 0xBEB1, 0xBEB5, 0xBEB7, 0xBECF, 0xBED9, 
-	0xBEDB, 0xBEE5, 0xBEE7, 0xBEF3, 0xBEF9, 0xBF0B, 0xBF33, 0xBF39, 
-	0xBF4D, 0xBF5D, 0xBF5F, 0xBF6B, 0xBF71, 0xBF7B, 0xBF87, 0xBF89, 
-	0xBF8D, 0xBF93, 0xBFA1, 0xBFAD, 0xBFB9, 0xBFCF, 0xBFD5, 0xBFDD, 
-	0xBFE1, 0xBFE3, 0xBFF3, 0xC005, 0xC011, 0xC013, 0xC019, 0xC029, 
-	0xC02F, 0xC031, 0xC037, 0xC03B, 0xC047, 0xC065, 0xC06D, 0xC07D, 
-	0xC07F, 0xC091, 0xC09B, 0xC0B3, 0xC0B5, 0xC0BB, 0xC0D3, 0xC0D7, 
-	0xC0D9, 0xC0EF, 0xC0F1, 0xC101, 0xC103, 0xC109, 0xC115, 0xC119, 
-	0xC12B, 0xC133, 0xC137, 0xC145, 0xC149, 0xC15B, 0xC173, 0xC179, 
-	0xC17B, 0xC181, 0xC18B, 0xC18D, 0xC197, 0xC1BD, 0xC1C3, 0xC1CD, 
-	0xC1DB, 0xC1E1, 0xC1E7, 0xC1FF, 0xC203, 0xC205, 0xC211, 0xC221, 
-	0xC22F, 0xC23F, 0xC24B, 0xC24D, 0xC253, 0xC25D, 0xC277, 0xC27B, 
-	0xC27D, 0xC289, 0xC28F, 0xC293, 0xC29F, 0xC2A7, 0xC2B3, 0xC2BD, 
-	0xC2CF, 0xC2D5, 0xC2E3, 0xC2FF, 0xC301, 0xC307, 0xC311, 0xC313, 
-	0xC317, 0xC325, 0xC347, 0xC349, 0xC34F, 0xC365, 0xC367, 0xC371, 
-	0xC37F, 0xC383, 0xC385, 0xC395, 0xC39D, 0xC3A7, 0xC3AD, 0xC3B5, 
-	0xC3BF, 0xC3C7, 0xC3CB, 0xC3D1, 0xC3D3, 0xC3E3, 0xC3E9, 0xC3EF, 
-	0xC401, 0xC41F, 0xC42D, 0xC433, 0xC437, 0xC455, 0xC457, 0xC461, 
-	0xC46F, 0xC473, 0xC487, 0xC491, 0xC499, 0xC49D, 0xC4A5, 0xC4B7, 
-	0xC4BB, 0xC4C9, 0xC4CF, 0xC4D3, 0xC4EB, 0xC4F1, 0xC4F7, 0xC509, 
-	0xC51B, 0xC51D, 0xC541, 0xC547, 0xC551, 0xC55F, 0xC56B, 0xC56F, 
-	0xC575, 0xC577, 0xC595, 0xC59B, 0xC59F, 0xC5A1, 0xC5A7, 0xC5C3, 
-	0xC5D7, 0xC5DB, 0xC5EF, 0xC5FB, 0xC613, 0xC623, 0xC635, 0xC641, 
-	0xC64F, 0xC655, 0xC659, 0xC665, 0xC685, 0xC691, 0xC697, 0xC6A1, 
-	0xC6A9, 0xC6B3, 0xC6B9, 0xC6CB, 0xC6CD, 0xC6DD, 0xC6EB, 0xC6F1, 
-	0xC707, 0xC70D, 0xC719, 0xC71B, 0xC72D, 0xC731, 0xC739, 0xC757, 
-	0xC763, 0xC767, 0xC773, 0xC775, 0xC77F, 0xC7A5, 0xC7BB, 0xC7BD, 
-	0xC7C1, 0xC7CF, 0xC7D5, 0xC7E1, 0xC7F9, 0xC7FD, 0xC7FF, 0xC803, 
-	0xC811, 0xC81D, 0xC827, 0xC829, 0xC839, 0xC83F, 0xC853, 0xC857, 
-	0xC86B, 0xC881, 0xC88D, 0xC88F, 0xC893, 0xC895, 0xC8A1, 0xC8B7, 
-	0xC8CF, 0xC8D5, 0xC8DB, 0xC8DD, 0xC8E3, 0xC8E7, 0xC8ED, 0xC8EF, 
-	0xC8F9, 0xC905, 0xC911, 0xC917, 0xC919, 0xC91F, 0xC92F, 0xC937, 
-	0xC93D, 0xC941, 0xC953, 0xC95F, 0xC96B, 0xC979, 0xC97D, 0xC989, 
-	0xC98F, 0xC997, 0xC99D, 0xC9AF, 0xC9B5, 0xC9BF, 0xC9CB, 0xC9D9, 
-	0xC9DF, 0xC9E3, 0xC9EB, 0xCA01, 0xCA07, 0xCA09, 0xCA25, 0xCA37, 
-	0xCA39, 0xCA4B, 0xCA55, 0xCA5B, 0xCA69, 0xCA73, 0xCA75, 0xCA7F, 
-	0xCA8D, 0xCA93, 0xCA9D, 0xCA9F, 0xCAB5, 0xCABB, 0xCAC3, 0xCAC9, 
-	0xCAD9, 0xCAE5, 0xCAED, 0xCB03, 0xCB05, 0xCB09, 0xCB17, 0xCB29, 
-	0xCB35, 0xCB3B, 0xCB53, 0xCB59, 0xCB63, 0xCB65, 0xCB71, 0xCB87, 
-	0xCB99, 0xCB9F, 0xCBB3, 0xCBB9, 0xCBC3, 0xCBD1, 0xCBD5, 0xCBD7, 
-	0xCBDD, 0xCBE9, 0xCBFF, 0xCC0D, 0xCC19, 0xCC1D, 0xCC23, 0xCC2B, 
-	0xCC41, 0xCC43, 0xCC4D, 0xCC59, 0xCC61, 0xCC89, 0xCC8B, 0xCC91, 
-	0xCC9B, 0xCCA3, 0xCCA7, 0xCCD1, 0xCCE5, 0xCCE9, 0xCD09, 0xCD15, 
-	0xCD1F, 0xCD25, 0xCD31, 0xCD3D, 0xCD3F, 0xCD49, 0xCD51, 0xCD57, 
-	0xCD5B, 0xCD63, 0xCD67, 0xCD81, 0xCD93, 0xCD97, 0xCD9F, 0xCDBB, 
-	0xCDC1, 0xCDD3, 0xCDD9, 0xCDE5, 0xCDE7, 0xCDF1, 0xCDF7, 0xCDFD, 
-	0xCE0B, 0xCE15, 0xCE21, 0xCE2F, 0xCE47, 0xCE4D, 0xCE51, 0xCE65, 
-	0xCE7B, 0xCE7D, 0xCE8F, 0xCE93, 0xCE99, 0xCEA5, 0xCEA7, 0xCEB7, 
-	0xCEC9, 0xCED7, 0xCEDD, 0xCEE3, 0xCEE7, 0xCEED, 0xCEF5, 0xCF07, 
-	0xCF0B, 0xCF19, 0xCF37, 0xCF3B, 0xCF4D, 0xCF55, 0xCF5F, 0xCF61, 
-	0xCF65, 0xCF6D, 0xCF79, 0xCF7D, 0xCF89, 0xCF9B, 0xCF9D, 0xCFA9, 
-	0xCFB3, 0xCFB5, 0xCFC5, 0xCFCD, 0xCFD1, 0xCFEF, 0xCFF1, 0xCFF7, 
-	0xD013, 0xD015, 0xD01F, 0xD021, 0xD033, 0xD03D, 0xD04B, 0xD04F, 
-	0xD069, 0xD06F, 0xD081, 0xD085, 0xD099, 0xD09F, 0xD0A3, 0xD0AB, 
-	0xD0BD, 0xD0C1, 0xD0CD, 0xD0E7, 0xD0FF, 0xD103, 0xD117, 0xD12D, 
-	0xD12F, 0xD141, 0xD157, 0xD159, 0xD15D, 0xD169, 0xD16B, 0xD171, 
-	0xD177, 0xD17D, 0xD181, 0xD187, 0xD195, 0xD199, 0xD1B1, 0xD1BD, 
-	0xD1C3, 0xD1D5, 0xD1D7, 0xD1E3, 0xD1FF, 0xD20D, 0xD211, 0xD217, 
-	0xD21F, 0xD235, 0xD23B, 0xD247, 0xD259, 0xD261, 0xD265, 0xD279, 
-	0xD27F, 0xD283, 0xD289, 0xD28B, 0xD29D, 0xD2A3, 0xD2A7, 0xD2B3, 
-	0xD2BF, 0xD2C7, 0xD2E3, 0xD2E9, 0xD2F1, 0xD2FB, 0xD2FD, 0xD315, 
-	0xD321, 0xD32B, 0xD343, 0xD34B, 0xD355, 0xD369, 0xD375, 0xD37B, 
-	0xD387, 0xD393, 0xD397, 0xD3A5, 0xD3B1, 0xD3C9, 0xD3EB, 0xD3FD, 
-	0xD405, 0xD40F, 0xD415, 0xD427, 0xD42F, 0xD433, 0xD43B, 0xD44B, 
-	0xD459, 0xD45F, 0xD463, 0xD469, 0xD481, 0xD483, 0xD489, 0xD48D, 
-	0xD493, 0xD495, 0xD4A5, 0xD4AB, 0xD4B1, 0xD4C5, 0xD4DD, 0xD4E1, 
-	0xD4E3, 0xD4E7, 0xD4F5, 0xD4F9, 0xD50B, 0xD50D, 0xD513, 0xD51F, 
-	0xD523, 0xD531, 0xD535, 0xD537, 0xD549, 0xD559, 0xD55F, 0xD565, 
-	0xD567, 0xD577, 0xD58B, 0xD591, 0xD597, 0xD5B5, 0xD5B9, 0xD5C1, 
-	0xD5C7, 0xD5DF, 0xD5EF, 0xD5F5, 0xD5FB, 0xD603, 0xD60F, 0xD62D, 
-	0xD631, 0xD643, 0xD655, 0xD65D, 0xD661, 0xD67B, 0xD685, 0xD687, 
-	0xD69D, 0xD6A5, 0xD6AF, 0xD6BD, 0xD6C3, 0xD6C7, 0xD6D9, 0xD6E1, 
-	0xD6ED, 0xD709, 0xD70B, 0xD711, 0xD715, 0xD721, 0xD727, 0xD73F, 
-	0xD745, 0xD74D, 0xD757, 0xD76B, 0xD77B, 0xD783, 0xD7A1, 0xD7A7, 
-	0xD7AD, 0xD7B1, 0xD7B3, 0xD7BD, 0xD7CB, 0xD7D1, 0xD7DB, 0xD7FB, 
-	0xD811, 0xD823, 0xD825, 0xD829, 0xD82B, 0xD82F, 0xD837, 0xD84D, 
-	0xD855, 0xD867, 0xD873, 0xD88F, 0xD891, 0xD8A1, 0xD8AD, 0xD8BF, 
-	0xD8CD, 0xD8D7, 0xD8E9, 0xD8F5, 0xD8FB, 0xD91B, 0xD925, 0xD933, 
-	0xD939, 0xD943, 0xD945, 0xD94F, 0xD951, 0xD957, 0xD96D, 0xD96F, 
-	0xD973, 0xD979, 0xD981, 0xD98B, 0xD991, 0xD99F, 0xD9A5, 0xD9A9, 
-	0xD9B5, 0xD9D3, 0xD9EB, 0xD9F1, 0xD9F7, 0xD9FF, 0xDA05, 0xDA09, 
-	0xDA0B, 0xDA0F, 0xDA15, 0xDA1D, 0xDA23, 0xDA29, 0xDA3F, 0xDA51, 
-	0xDA59, 0xDA5D, 0xDA5F, 0xDA71, 0xDA77, 0xDA7B, 0xDA7D, 0xDA8D, 
-	0xDA9F, 0xDAB3, 0xDABD, 0xDAC3, 0xDAC9, 0xDAE7, 0xDAE9, 0xDAF5, 
-	0xDB11, 0xDB17, 0xDB1D, 0xDB23, 0xDB25, 0xDB31, 0xDB3B, 0xDB43, 
-	0xDB55, 0xDB67, 0xDB6B, 0xDB73, 0xDB85, 0xDB8F, 0xDB91, 0xDBAD, 
-	0xDBAF, 0xDBB9, 0xDBC7, 0xDBCB, 0xDBCD, 0xDBEB, 0xDBF7, 0xDC0D, 
-	0xDC27, 0xDC31, 0xDC39, 0xDC3F, 0xDC49, 0xDC51, 0xDC61, 0xDC6F, 
-	0xDC75, 0xDC7B, 0xDC85, 0xDC93, 0xDC99, 0xDC9D, 0xDC9F, 0xDCA9, 
-	0xDCB5, 0xDCB7, 0xDCBD, 0xDCC7, 0xDCCF, 0xDCD3, 0xDCD5, 0xDCDF, 
-	0xDCF9, 0xDD0F, 0xDD15, 0xDD17, 0xDD23, 0xDD35, 0xDD39, 0xDD53, 
-	0xDD57, 0xDD5F, 0xDD69, 0xDD6F, 0xDD7D, 0xDD87, 0xDD89, 0xDD9B, 
-	0xDDA1, 0xDDAB, 0xDDBF, 0xDDC5, 0xDDCB, 0xDDCF, 0xDDE7, 0xDDE9, 
-	0xDDED, 0xDDF5, 0xDDFB, 0xDE0B, 0xDE19, 0xDE29, 0xDE3B, 0xDE3D, 
-	0xDE41, 0xDE4D, 0xDE4F, 0xDE59, 0xDE5B, 0xDE61, 0xDE6D, 0xDE77, 
-	0xDE7D, 0xDE83, 0xDE97, 0xDE9D, 0xDEA1, 0xDEA7, 0xDECD, 0xDED1, 
-	0xDED7, 0xDEE3, 0xDEF1, 0xDEF5, 0xDF01, 0xDF09, 0xDF13, 0xDF1F, 
-	0xDF2B, 0xDF33, 0xDF37, 0xDF3D, 0xDF4B, 0xDF55, 0xDF5B, 0xDF67, 
-	0xDF69, 0xDF73, 0xDF85, 0xDF87, 0xDF99, 0xDFA3, 0xDFAB, 0xDFB5, 
-	0xDFB7, 0xDFC3, 0xDFC7, 0xDFD5, 0xDFF1, 0xDFF3, 0xE003, 0xE005, 
-	0xE017, 0xE01D, 0xE027, 0xE02D, 0xE035, 0xE045, 0xE053, 0xE071, 
-	0xE07B, 0xE08F, 0xE095, 0xE09F, 0xE0B7, 0xE0B9, 0xE0D5, 0xE0D7, 
-	0xE0E3, 0xE0F3, 0xE0F9, 0xE101, 0xE125, 0xE129, 0xE131, 0xE135, 
-	0xE143, 0xE14F, 0xE159, 0xE161, 0xE16D, 0xE171, 0xE177, 0xE17F, 
-	0xE183, 0xE189, 0xE197, 0xE1AD, 0xE1B5, 0xE1BB, 0xE1BF, 0xE1C1, 
-	0xE1CB, 0xE1D1, 0xE1E5, 0xE1EF, 0xE1F7, 0xE1FD, 0xE203, 0xE219, 
-	0xE22B, 0xE22D, 0xE23D, 0xE243, 0xE257, 0xE25B, 0xE275, 0xE279, 
-	0xE287, 0xE29D, 0xE2AB, 0xE2AF, 0xE2BB, 0xE2C1, 0xE2C9, 0xE2CD, 
-	0xE2D3, 0xE2D9, 0xE2F3, 0xE2FD, 0xE2FF, 0xE311, 0xE323, 0xE327, 
-	0xE329, 0xE339, 0xE33B, 0xE34D, 0xE351, 0xE357, 0xE35F, 0xE363, 
-	0xE369, 0xE375, 0xE377, 0xE37D, 0xE383, 0xE39F, 0xE3C5, 0xE3C9, 
-	0xE3D1, 0xE3E1, 0xE3FB, 0xE3FF, 0xE401, 0xE40B, 0xE417, 0xE419, 
-	0xE423, 0xE42B, 0xE431, 0xE43B, 0xE447, 0xE449, 0xE453, 0xE455, 
-	0xE46D, 0xE471, 0xE48F, 0xE4A9, 0xE4AF, 0xE4B5, 0xE4C7, 0xE4CD, 
-	0xE4D3, 0xE4E9, 0xE4EB, 0xE4F5, 0xE507, 0xE521, 0xE525, 0xE537, 
-	0xE53F, 0xE545, 0xE54B, 0xE557, 0xE567, 0xE56D, 0xE575, 0xE585, 
-	0xE58B, 0xE593, 0xE5A3, 0xE5A5, 0xE5CF, 0xE609, 0xE611, 0xE615, 
-	0xE61B, 0xE61D, 0xE621, 0xE629, 0xE639, 0xE63F, 0xE653, 0xE657, 
-	0xE663, 0xE66F, 0xE675, 0xE681, 0xE683, 0xE68D, 0xE68F, 0xE695, 
-	0xE6AB, 0xE6AD, 0xE6B7, 0xE6BD, 0xE6C5, 0xE6CB, 0xE6D5, 0xE6E3, 
-	0xE6E9, 0xE6EF, 0xE6F3, 0xE705, 0xE70D, 0xE717, 0xE71F, 0xE72F, 
-	0xE73D, 0xE747, 0xE749, 0xE753, 0xE755, 0xE761, 0xE767, 0xE76B, 
-	0xE77F, 0xE789, 0xE791, 0xE7C5, 0xE7CD, 0xE7D7, 0xE7DD, 0xE7DF, 
-	0xE7E9, 0xE7F1, 0xE7FB, 0xE801, 0xE807, 0xE80F, 0xE819, 0xE81B, 
-	0xE831, 0xE833, 0xE837, 0xE83D, 0xE84B, 0xE84F, 0xE851, 0xE869, 
-	0xE875, 0xE879, 0xE893, 0xE8A5, 0xE8A9, 0xE8AF, 0xE8BD, 0xE8DB, 
-	0xE8E1, 0xE8E5, 0xE8EB, 0xE8ED, 0xE903, 0xE90B, 0xE90F, 0xE915, 
-	0xE917, 0xE92D, 0xE933, 0xE93B, 0xE94B, 0xE951, 0xE95F, 0xE963, 
-	0xE969, 0xE97B, 0xE983, 0xE98F, 0xE995, 0xE9A1, 0xE9B9, 0xE9D7, 
-	0xE9E7, 0xE9EF, 0xEA11, 0xEA19, 0xEA2F, 0xEA35, 0xEA43, 0xEA4D, 
-	0xEA5F, 0xEA6D, 0xEA71, 0xEA7D, 0xEA85, 0xEA89, 0xEAAD, 0xEAB3, 
-	0xEAB9, 0xEABB, 0xEAC5, 0xEAC7, 0xEACB, 0xEADF, 0xEAE5, 0xEAEB, 
-	0xEAF5, 0xEB01, 0xEB07, 0xEB09, 0xEB31, 0xEB39, 0xEB3F, 0xEB5B, 
-	0xEB61, 0xEB63, 0xEB6F, 0xEB81, 0xEB85, 0xEB9D, 0xEBAB, 0xEBB1, 
-	0xEBB7, 0xEBC1, 0xEBD5, 0xEBDF, 0xEBED, 0xEBFD, 0xEC0B, 0xEC1B, 
-	0xEC21, 0xEC29, 0xEC4D, 0xEC51, 0xEC5D, 0xEC69, 0xEC6F, 0xEC7B, 
-	0xECAD, 0xECB9, 0xECBF, 0xECC3, 0xECC9, 0xECCF, 0xECD7, 0xECDD, 
-	0xECE7, 0xECE9, 0xECF3, 0xECF5, 0xED07, 0xED11, 0xED1F, 0xED2F, 
-	0xED37, 0xED3D, 0xED41, 0xED55, 0xED59, 0xED5B, 0xED65, 0xED6B, 
-	0xED79, 0xED8B, 0xED95, 0xEDBB, 0xEDC5, 0xEDD7, 0xEDD9, 0xEDE3, 
-	0xEDE5, 0xEDF1, 0xEDF5, 0xEDF7, 0xEDFB, 0xEE09, 0xEE0F, 0xEE19, 
-	0xEE21, 0xEE49, 0xEE4F, 0xEE63, 0xEE67, 0xEE73, 0xEE7B, 0xEE81, 
-	0xEEA3, 0xEEAB, 0xEEC1, 0xEEC9, 0xEED5, 0xEEDF, 0xEEE1, 0xEEF1, 
-	0xEF1B, 0xEF27, 0xEF2F, 0xEF45, 0xEF4D, 0xEF63, 0xEF6B, 0xEF71, 
-	0xEF93, 0xEF95, 0xEF9B, 0xEF9F, 0xEFAD, 0xEFB3, 0xEFC3, 0xEFC5, 
-	0xEFDB, 0xEFE1, 0xEFE9, 0xF001, 0xF017, 0xF01D, 0xF01F, 0xF02B, 
-	0xF02F, 0xF035, 0xF043, 0xF047, 0xF04F, 0xF067, 0xF06B, 0xF071, 
-	0xF077, 0xF079, 0xF08F, 0xF0A3, 0xF0A9, 0xF0AD, 0xF0BB, 0xF0BF, 
-	0xF0C5, 0xF0CB, 0xF0D3, 0xF0D9, 0xF0E3, 0xF0E9, 0xF0F1, 0xF0F7, 
-	0xF107, 0xF115, 0xF11B, 0xF121, 0xF137, 0xF13D, 0xF155, 0xF175, 
-	0xF17B, 0xF18D, 0xF193, 0xF1A5, 0xF1AF, 0xF1B7, 0xF1D5, 0xF1E7, 
-	0xF1ED, 0xF1FD, 0xF209, 0xF20F, 0xF21B, 0xF21D, 0xF223, 0xF227, 
-	0xF233, 0xF23B, 0xF241, 0xF257, 0xF25F, 0xF265, 0xF269, 0xF277, 
-	0xF281, 0xF293, 0xF2A7, 0xF2B1, 0xF2B3, 0xF2B9, 0xF2BD, 0xF2BF, 
-	0xF2DB, 0xF2ED, 0xF2EF, 0xF2F9, 0xF2FF, 0xF305, 0xF30B, 0xF319, 
-	0xF341, 0xF359, 0xF35B, 0xF35F, 0xF367, 0xF373, 0xF377, 0xF38B, 
-	0xF38F, 0xF3AF, 0xF3C1, 0xF3D1, 0xF3D7, 0xF3FB, 0xF403, 0xF409, 
-	0xF40D, 0xF413, 0xF421, 0xF425, 0xF42B, 0xF445, 0xF44B, 0xF455, 
-	0xF463, 0xF475, 0xF47F, 0xF485, 0xF48B, 0xF499, 0xF4A3, 0xF4A9, 
-	0xF4AF, 0xF4BD, 0xF4C3, 0xF4DB, 0xF4DF, 0xF4ED, 0xF503, 0xF50B, 
-	0xF517, 0xF521, 0xF529, 0xF535, 0xF547, 0xF551, 0xF563, 0xF56B, 
-	0xF583, 0xF58D, 0xF595, 0xF599, 0xF5B1, 0xF5B7, 0xF5C9, 0xF5CF, 
-	0xF5D1, 0xF5DB, 0xF5F9, 0xF5FB, 0xF605, 0xF607, 0xF60B, 0xF60D, 
-	0xF635, 0xF637, 0xF653, 0xF65B, 0xF661, 0xF667, 0xF679, 0xF67F, 
-	0xF689, 0xF697, 0xF69B, 0xF6AD, 0xF6CB, 0xF6DD, 0xF6DF, 0xF6EB, 
-	0xF709, 0xF70F, 0xF72D, 0xF731, 0xF743, 0xF74F, 0xF751, 0xF755, 
-	0xF763, 0xF769, 0xF773, 0xF779, 0xF781, 0xF787, 0xF791, 0xF79D, 
-	0xF79F, 0xF7A5, 0xF7B1, 0xF7BB, 0xF7BD, 0xF7CF, 0xF7D3, 0xF7E7, 
-	0xF7EB, 0xF7F1, 0xF7FF, 0xF805, 0xF80B, 0xF821, 0xF827, 0xF82D, 
-	0xF835, 0xF847, 0xF859, 0xF863, 0xF865, 0xF86F, 0xF871, 0xF877, 
-	0xF87B, 0xF881, 0xF88D, 0xF89F, 0xF8A1, 0xF8AB, 0xF8B3, 0xF8B7, 
-	0xF8C9, 0xF8CB, 0xF8D1, 0xF8D7, 0xF8DD, 0xF8E7, 0xF8EF, 0xF8F9, 
-	0xF8FF, 0xF911, 0xF91D, 0xF925, 0xF931, 0xF937, 0xF93B, 0xF941, 
-	0xF94F, 0xF95F, 0xF961, 0xF96D, 0xF971, 0xF977, 0xF99D, 0xF9A3, 
-	0xF9A9, 0xF9B9, 0xF9CD, 0xF9E9, 0xF9FD, 0xFA07, 0xFA0D, 0xFA13, 
-	0xFA21, 0xFA25, 0xFA3F, 0xFA43, 0xFA51, 0xFA5B, 0xFA6D, 0xFA7B, 
-	0xFA97, 0xFA99, 0xFA9D, 0xFAAB, 0xFABB, 0xFABD, 0xFAD9, 0xFADF, 
-	0xFAE7, 0xFAED, 0xFB0F, 0xFB17, 0xFB1B, 0xFB2D, 0xFB2F, 0xFB3F, 
-	0xFB47, 0xFB4D, 0xFB75, 0xFB7D, 0xFB8F, 0xFB93, 0xFBB1, 0xFBB7, 
-	0xFBC3, 0xFBC5, 0xFBE3, 0xFBE9, 0xFBF3, 0xFC01, 0xFC29, 0xFC37, 
-	0xFC41, 0xFC43, 0xFC4F, 0xFC59, 0xFC61, 0xFC65, 0xFC6D, 0xFC73, 
-	0xFC79, 0xFC95, 0xFC97, 0xFC9B, 0xFCA7, 0xFCB5, 0xFCC5, 0xFCCD, 
-	0xFCEB, 0xFCFB, 0xFD0D, 0xFD0F, 0xFD19, 0xFD2B, 0xFD31, 0xFD51, 
-	0xFD55, 0xFD67, 0xFD6D, 0xFD6F, 0xFD7B, 0xFD85, 0xFD97, 0xFD99, 
-	0xFD9F, 0xFDA9, 0xFDB7, 0xFDC9, 0xFDE5, 0xFDEB, 0xFDF3, 0xFE03, 
-	0xFE05, 0xFE09, 0xFE1D, 0xFE27, 0xFE2F, 0xFE41, 0xFE4B, 0xFE4D, 
-	0xFE57, 0xFE5F, 0xFE63, 0xFE69, 0xFE75, 0xFE7B, 0xFE8F, 0xFE93, 
-	0xFE95, 0xFE9B, 0xFE9F, 0xFEB3, 0xFEBD, 0xFED7, 0xFEE9, 0xFEF3, 
-	0xFEF5, 0xFF07, 0xFF0D, 0xFF1D, 0xFF2B, 0xFF2F, 0xFF49, 0xFF4D, 
-	0xFF5B, 0xFF65, 0xFF71, 0xFF7F, 0xFF85, 0xFF8B, 0xFF8F, 0xFF9D, 
-	0xFFA7, 0xFFA9, 0xFFC7, 0xFFD9, 0xFFEF, 0xFFF1, 
-#endif
-};
-
diff --git a/security/nss/lib/freebl/mpi/stats b/security/nss/lib/freebl/mpi/stats
deleted file mode 100755
index 4e8c44357..000000000
--- a/security/nss/lib/freebl/mpi/stats
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/usr/bin/perl
-
-#
-# Treat each line as a sequence of comma and/or space delimited
-# floating point numbers, and compute basic statistics on them.
-# These are written to standard output
-
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
-#
-# The Initial Developer of the Original Code is
-# Michael J. Fromberger <sting@linguist.dartmouth.edu>.
-# Portions created by the Initial Developer are Copyright (C) 1998, 2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-# $Id$
-#
-
-$min = 1.7976931348623157E+308;
-$max = 2.2250738585072014E-308;
-$sum = $num = 0;
-
-while(<>) {
-    chomp;
-
-    @nums = split(/[\s,]+/, $_);
-    next if($#nums < 0);
-
-    $num += scalar @nums;
-    foreach (@nums) {
-	$min = $_ if($_ < $min);
-	$max = $_ if($_ > $max);
-	$sum += $_;
-    }
-}
-
-if($num) {
-    $avg = $sum / $num;
-} else {
-    $min = $max = 0;
-}
-
-printf "%d\tmin=%.2f, avg=%.2f, max=%.2f, sum=%.2f\n",
-    $num, $min, $avg, $max, $sum;
-
-# end
diff --git a/security/nss/lib/freebl/mpi/target.mk b/security/nss/lib/freebl/mpi/target.mk
deleted file mode 100644
index 0edaf8813..000000000
--- a/security/nss/lib/freebl/mpi/target.mk
+++ /dev/null
@@ -1,230 +0,0 @@
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
-#
-# The Initial Developer of the Original Code is
-# Michael J. Fromberger <sting@linguist.dartmouth.edu>.
-# Portions created by the Initial Developer are Copyright (C) 1998
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#   Netscape Communications Corporation
-#   Richard C. Swift  (swift@netscape.com)
-#   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-##
-## Define CFLAGS to contain any local options your compiler
-## setup requires.
-##
-## Conditional compilation options are no longer here; see
-## the file 'mpi-config.h' instead.
-##
-MPICMN = -I. -DMP_API_COMPATIBLE -DMP_IOFUNC
-CFLAGS= -O $(MPICMN)
-#CFLAGS=-ansi -fullwarn -woff 1521 -O3 $(MPICMN)
-#CFLAGS=-ansi -pedantic -Wall -O3 $(MPICMN)
-#CFLAGS=-ansi -pedantic -Wall -g -O2 -DMP_DEBUG=1 $(MPICMN)
-
-ifeq ($(TARGET),mipsIRIX)
-#IRIX
-#MPICMN += -DMP_MONT_USE_MP_MUL 
-MPICMN += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
-MPICMN += -DMP_USE_UINT_DIGIT
-#MPICMN += -DMP_NO_MP_WORD
-AS_OBJS = mpi_mips.o
-#ASFLAGS = -O -OPT:Olimit=4000 -dollar -fullwarn -xansi -n32 -mips3 -exceptions
-ASFLAGS = -O -OPT:Olimit=4000 -dollar -fullwarn -xansi -n32 -mips3 
-#CFLAGS=-ansi -n32 -O3 -fullwarn -woff 1429 -D_SGI_SOURCE $(MPICMN)
-CFLAGS=-ansi -n32 -O2 -fullwarn -woff 1429 -D_SGI_SOURCE $(MPICMN)
-#CFLAGS=-ansi -n32 -g -fullwarn -woff 1429 -D_SGI_SOURCE $(MPICMN)
-#CFLAGS=-ansi -64 -O2 -fullwarn -woff 1429 -D_SGI_SOURCE -DMP_NO_MP_WORD \
- $(MPICMN)
-endif
-
-ifeq ($(TARGET),alphaOSF1)
-#Alpha/OSF1
-MPICMN += -DMP_ASSEMBLY_MULTIPLY
-AS_OBJS+= mpvalpha.o
-#CFLAGS= -O -Olimit 4000 -ieee_with_inexact -std1 -DOSF1 -D_REENTRANT $(MPICMN)
-CFLAGS= -O -Olimit 4000 -ieee_with_inexact -std1 -DOSF1 -D_REENTRANT \
- -DMP_NO_MP_WORD $(MPICMN)
-endif
-
-ifeq ($(TARGET),v9SOLARIS)
-#Solaris 64
-SOLARIS_FPU_FLAGS = -fast -xO5 -xrestrict=%all -xchip=ultra -xarch=v9a -KPIC -mt
-#SOLARIS_FPU_FLAGS = -fast -xO5 -xrestrict=%all -xdepend -xchip=ultra -xarch=v9a -KPIC -mt
-SOLARIS_ASM_FLAGS = -xchip=ultra -xarch=v9a -KPIC -mt 
-AS_OBJS += montmulfv9.o 
-AS_OBJS += mpi_sparc.o mpv_sparcv9.o
-MPICMN += -DMP_USE_UINT_DIGIT 
-#MPICMN += -DMP_NO_MP_WORD 
-MPICMN += -DMP_ASSEMBLY_MULTIPLY 
-MPICMN += -DMP_USING_MONT_MULF
-CFLAGS= -O -KPIC -DSVR4 -DSYSV -D__svr4 -D__svr4__ -DSOLARIS -D_REENTRANT \
- -DSOLARIS2_8 -xarch=v9 -DXP_UNIX $(MPICMN)
-#CFLAGS= -g -KPIC -DSVR4 -DSYSV -D__svr4 -D__svr4__ -DSOLARIS -D_REENTRANT \
- -DSOLARIS2_8 -xarch=v9 -DXP_UNIX $(MPICMN)
-endif
-
-ifeq ($(TARGET),v8plusSOLARIS)
-#Solaris 32
-SOLARIS_FPU_FLAGS = -fast -xO5 -xrestrict=%all -xdepend -xchip=ultra -xarch=v8plusa -KPIC -mt
-SOLARIS_ASM_FLAGS = -xchip=ultra -xarch=v8plusa -KPIC -mt 
-AS_OBJS += montmulfv8.o 
-AS_OBJS += mpi_sparc.o mpv_sparcv8.o
-#AS_OBJS = montmulf.o
-MPICMN += -DMP_ASSEMBLY_MULTIPLY 
-MPICMN += -DMP_USING_MONT_MULF 
-MPICMN += -DMP_USE_UINT_DIGIT
-MPICMN += -DMP_NO_MP_WORD
-CFLAGS=-O -KPIC -DSVR4 -DSYSV -D__svr4 -D__svr4__ -DSOLARIS -D_REENTRANT \
- -DSOLARIS2_6 -xarch=v8plus -DXP_UNIX $(MPICMN)
-endif
-
-ifeq ($(TARGET),v8SOLARIS)
-#Solaris 32
-#SOLARIS_FPU_FLAGS = -fast -xO5 -xrestrict=%all -xdepend -xchip=ultra -xarch=v8 -KPIC -mt
-#SOLARIS_ASM_FLAGS = -xchip=ultra -xarch=v8plusa -KPIC -mt 
-#AS_OBJS = montmulfv8.o mpi_sparc.o mpv_sparcv8.o
-#AS_OBJS = montmulf.o
-#MPICMN += -DMP_USING_MONT_MULF
-#MPICMN += -DMP_ASSEMBLY_MULTIPLY 
-MPICMN += -DMP_USE_LONG_LONG_MULTIPLY -DMP_USE_UINT_DIGIT
-MPICMN += -DMP_NO_MP_WORD
-CFLAGS=-O -KPIC -DSVR4 -DSYSV -D__svr4 -D__svr4__ -DSOLARIS -D_REENTRANT \
- -DSOLARIS2_6 -xarch=v8 -DXP_UNIX $(MPICMN)
-endif
-
-ifeq ($(TARGET),ia64HPUX)
-#HPUX 32 on ia64  -- 64 bit digits SCREAM.
-# This one is for DD32 which is the 32-bit ABI with 64-bit registers.
-CFLAGS= +O3 -DHPUX10 -D_POSIX_C_SOURCE=199506L -Aa +Z -DHPUX -Dhppa \
- -D_HPUX_SOURCE -Aa +e -z +p +DD32 -DHPUX11 -DXP_UNIX -Wl,+k $(MPICMN)
-#CFLAGS= -O -DHPUX10 -D_POSIX_C_SOURCE=199506L -Aa +Z -DHPUX -Dhppa \
- -D_HPUX_SOURCE -Aa +e -z +p +DD32 -DHPUX11 -DXP_UNIX -Wl,+k $(MPICMN)
-#CFLAGS= -g -DHPUX10 -D_POSIX_C_SOURCE=199506L -Ae +Z -DHPUX -Dhppa \
- -D_HPUX_SOURCE -Aa +e -z +p +DD32 -DHPUX11 -DXP_UNIX -Wl,+k $(MPICMN)
-endif
-
-ifeq ($(TARGET),ia64HPUX64)
-#HPUX 32 on ia64
-# This one is for DD64 which is the 64-bit ABI 
-CFLAGS= +O3 -DHPUX10 -D_POSIX_C_SOURCE=199506L -Aa +Z -DHPUX -Dhppa \
- -D_HPUX_SOURCE -Aa +e -z +p +DD64 -DHPUX11 -DXP_UNIX -Wl,+k $(MPICMN)
-#CFLAGS= -g -DHPUX10 -D_POSIX_C_SOURCE=199506L -Ae +Z -DHPUX -Dhppa \
- -D_HPUX_SOURCE -Aa +e -z +p +DD64 -DHPUX11 -DXP_UNIX -Wl,+k $(MPICMN)
-endif
-
-ifeq ($(TARGET),PA2.0WHPUX)
-#HPUX64 (HP PA 2.0 Wide) using MAXPY and 64-bit digits
-MPICMN += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
-AS_OBJS = mpi_hp.o hpma512.o hppa20.o 
-CFLAGS= -O -DHPUX10 -D_POSIX_C_SOURCE=199506L -Ae +Z -DHPUX -Dhppa \
- -D_HPUX_SOURCE -Aa +e -z +DA2.0W +DS2.0 +O3 +DChpux -DHPUX11  -DXP_UNIX \
- $(MPICMN)
-#CFLAGS= -g -DHPUX10 -D_POSIX_C_SOURCE=199506L -Ae +Z -DHPUX -Dhppa \
- -D_HPUX_SOURCE -Aa +e -z +DA2.0W +DS2.0 +DChpux -DHPUX11  -DXP_UNIX \
- $(MPICMN)
-AS = $(CC) $(CFLAGS) -c
-endif
-
-ifeq ($(TARGET),PA2.0NHPUX)
-#HPUX32 (HP PA 2.0 Narrow) hybrid model, using 32-bit digits
-# This one is for DA2.0 (N) which is the 32-bit ABI with 64-bit registers.
-MPICMN += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
-AS_OBJS = mpi_hp.o hpma512.o hppa20.o 
-CFLAGS= +O3 -DHPUX10 -D_POSIX_C_SOURCE=199506L -Ae +Z -DHPUX -Dhppa \
- -D_HPUX_SOURCE -Aa +e -z +DA2.0 +DS2.0 +DChpux -DHPUX11  -DXP_UNIX \
- -Wl,+k $(MPICMN)
-#CFLAGS= -g -DHPUX10 -D_POSIX_C_SOURCE=199506L -Ae +Z -DHPUX -Dhppa \
- -D_HPUX_SOURCE -Aa +e -z +DA2.0 +DS2.0 +DChpux -DHPUX11  -DXP_UNIX \
- -Wl,+k $(MPICMN)
-AS = $(CC) $(CFLAGS) -c
-endif
-
-ifeq ($(TARGET),PA1.1HPUX)
-#HPUX32 (HP PA 1.1) Pure 32 bit
-MPICMN += -DMP_USE_UINT_DIGIT -DMP_NO_MP_WORD
-#MPICMN += -DMP_USE_LONG_LONG_MULTIPLY
-CFLAGS= -O -DHPUX10 -D_POSIX_C_SOURCE=199506L -Ae +Z -DHPUX -Dhppa \
- -D_HPUX_SOURCE +DAportable +DS1.1 -DHPUX11 -DXP_UNIX $(MPICMN)
-##CFLAGS= -g -DHPUX10 -D_POSIX_C_SOURCE=199506L -Ae +Z -DHPUX -Dhppa \
-# -D_HPUX_SOURCE +DAportable +DS1.1 -DHPUX11 -DXP_UNIX $(MPICMN)
-endif
-
-ifeq ($(TARGET),32AIX)
-#
-CC = xlC_r
-MPICMN += -DMP_USE_UINT_DIGIT
-MPICMN += -DMP_NO_DIV_WORD
-#MPICMN += -DMP_NO_MUL_WORD
-MPICMN += -DMP_NO_ADD_WORD
-MPICMN += -DMP_NO_SUB_WORD
-#MPICMN += -DMP_NO_MP_WORD
-#MPICMN += -DMP_USE_LONG_LONG_MULTIPLY
-CFLAGS = -O -DAIX -DSYSV -qarch=com -DAIX4_3 -DXP_UNIX -UDEBUG -DNDEBUG  $(MPICMN)
-#CFLAGS = -g -DAIX -DSYSV -qarch=com -DAIX4_3 -DXP_UNIX -UDEBUG -DNDEBUG  $(MPICMN)
-#CFLAGS += -pg
-endif
-
-ifeq ($(TARGET),64AIX)
-#
-CC = xlC_r
-MPICMN += -DMP_USE_UINT_DIGIT
-CFLAGS = -O -O2 -DAIX -DSYSV -qarch=com -DAIX_64BIT -DAIX4_3 -DXP_UNIX -UDEBUG -DNDEBUG $(MPICMN)
-OBJECT_MODE=64
-export OBJECT_MODE
-endif
-
-ifeq ($(TARGET),x86LINUX)
-#Linux
-AS_OBJS = mpi_x86.o
-MPICMN += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE -DMP_ASSEMBLY_DIV_2DX1D
-MPICMN += -DMP_MONT_USE_MP_MUL
-CFLAGS= -O2 -fPIC -DLINUX1_2 -Di386 -D_XOPEN_SOURCE -DLINUX2_1 -ansi -Wall \
- -pipe -DLINUX -Dlinux -D_POSIX_SOURCE -D_BSD_SOURCE -DHAVE_STRERROR \
- -DXP_UNIX -UDEBUG -DNDEBUG -D_REENTRANT $(MPICMN)
-#CFLAGS= -g -fPIC -DLINUX1_2 -Di386 -D_XOPEN_SOURCE -DLINUX2_1 -ansi -Wall \
- -pipe -DLINUX -Dlinux -D_POSIX_SOURCE -D_BSD_SOURCE -DHAVE_STRERROR \
- -DXP_UNIX -DDEBUG -UNDEBUG -D_REENTRANT $(MPICMN)
-#CFLAGS= -g -fPIC -DLINUX1_2 -Di386 -D_XOPEN_SOURCE -DLINUX2_1 -ansi -Wall \
- -pipe -DLINUX -Dlinux -D_POSIX_SOURCE -D_BSD_SOURCE -DHAVE_STRERROR \
- -DXP_UNIX -UDEBUG -DNDEBUG -D_REENTRANT $(MPICMN)
-endif
-
-ifeq ($(TARGET),AMD64SOLARIS)
-ASFLAGS += -xarch=generic64
-AS_OBJS = mpi_amd64.o mpi_amd64_sun.o
-MP_CONFIG = -DMP_ASSEMBLY_MULTIPLY -DMPI_AMD64
-CFLAGS = -xarch=generic64 -xO4 -I. -DMP_API_COMPATIBLE -DMP_IOFUNC $(MP_CONFIG)
-MPICMN += $(MP_CONFIG)
-
-mpi_amd64_asm.o: mpi_amd64_sun.s
-	$(AS) -xarch=generic64 -P -D_ASM mpi_amd64_sun.s
-endif
diff --git a/security/nss/lib/freebl/mpi/test-arrays.txt b/security/nss/lib/freebl/mpi/test-arrays.txt
deleted file mode 100644
index 62c4c3d61..000000000
--- a/security/nss/lib/freebl/mpi/test-arrays.txt
+++ /dev/null
@@ -1,90 +0,0 @@
-#
-# Test suite table for MPI library
-#
-# Format of entries:
-# suite-name:function-name:description
-#
-# suite-name	The name used to identify this test in mpi-test
-# function-name	The function called to perform this test in mpi-test.c
-# description   A brief description of what the suite tests
-
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
-#
-# The Initial Developer of the Original Code is
-# Michael J. Fromberger <sting@linguist.dartmouth.edu>.
-# Portions created by the Initial Developer are Copyright (C) 1998
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-# $Id$
-#
-list:test_list:print out a list of the available test suites
-copy:test_copy:test assignment of mp-int structures
-exchange:test_exch:test exchange of mp-int structures
-zero:test_zero:test zeroing of an mp-int
-set:test_set:test setting an mp-int to a small constant
-absolute-value:test_abs:test the absolute value function
-negate:test_neg:test the arithmetic negation function
-add-digit:test_add_d:test digit addition
-add:test_add:test full addition
-subtract-digit:test_sub_d:test digit subtraction
-subtract:test_sub:test full subtraction
-multiply-digit:test_mul_d:test digit multiplication
-multiply:test_mul:test full multiplication
-square:test_sqr:test full squaring function
-divide-digit:test_div_d:test digit division
-divide-2:test_div_2:test division by two
-divide-2d:test_div_2d:test division & remainder by 2^d
-divide:test_div:test full division
-expt-digit:test_expt_d:test digit exponentiation
-expt:test_expt:test full exponentiation
-expt-2:test_2expt:test power-of-two exponentiation
-square-root:test_sqrt:test integer square root function
-modulo-digit:test_mod_d:test digit modular reduction
-modulo:test_mod:test full modular reduction
-mod-add:test_addmod:test modular addition
-mod-subtract:test_submod:test modular subtraction
-mod-multiply:test_mulmod:test modular multiplication
-mod-square:test_sqrmod:test modular squaring function
-mod-expt:test_exptmod:test full modular exponentiation
-mod-expt-digit:test_exptmod_d:test digit modular exponentiation
-mod-inverse:test_invmod:test modular inverse function
-compare-digit:test_cmp_d:test digit comparison function
-compare-zero:test_cmp_z:test zero comparison function
-compare:test_cmp:test general signed comparison
-compare-magnitude:test_cmp_mag:test general magnitude comparison
-parity:test_parity:test parity comparison functions
-gcd:test_gcd:test greatest common divisor functions
-lcm:test_lcm:test least common multiple function
-conversion:test_convert:test general radix conversion facilities
-binary:test_raw:test raw output format
-pprime:test_pprime:test probabilistic primality tester
-fermat:test_fermat:test Fermat pseudoprimality tester
diff --git a/security/nss/lib/freebl/mpi/test-info.c b/security/nss/lib/freebl/mpi/test-info.c
deleted file mode 100644
index 86682ecd5..000000000
--- a/security/nss/lib/freebl/mpi/test-info.c
+++ /dev/null
@@ -1,194 +0,0 @@
-/*
- *  test-info.c
- *
- *  Arbitrary precision integer arithmetic library
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-/* Table mapping test suite names to index numbers */
-const int   g_count = 42;
-const char *g_names[] = {
-   "list",              /* print out a list of the available test suites */
-   "copy",              /* test assignment of mp-int structures          */
-   "exchange",          /* test exchange of mp-int structures            */
-   "zero",              /* test zeroing of an mp-int                     */
-   "set",               /* test setting an mp-int to a small constant    */
-   "absolute-value",    /* test the absolute value function              */
-   "negate",            /* test the arithmetic negation function         */
-   "add-digit",         /* test digit addition                           */
-   "add",               /* test full addition                            */
-   "subtract-digit",    /* test digit subtraction                        */
-   "subtract",          /* test full subtraction                         */
-   "multiply-digit",    /* test digit multiplication                     */
-   "multiply",          /* test full multiplication                      */
-   "square",            /* test full squaring function                   */
-   "divide-digit",      /* test digit division                           */
-   "divide-2",          /* test division by two                          */
-   "divide-2d",         /* test division & remainder by 2^d              */
-   "divide",            /* test full division                            */
-   "expt-digit",        /* test digit exponentiation                     */
-   "expt",              /* test full exponentiation                      */
-   "expt-2",            /* test power-of-two exponentiation              */
-   "square-root",       /* test integer square root function             */
-   "modulo-digit",      /* test digit modular reduction                  */
-   "modulo",            /* test full modular reduction                   */
-   "mod-add",           /* test modular addition                         */
-   "mod-subtract",      /* test modular subtraction                      */
-   "mod-multiply",      /* test modular multiplication                   */
-   "mod-square",        /* test modular squaring function                */
-   "mod-expt",          /* test full modular exponentiation              */
-   "mod-expt-digit",    /* test digit modular exponentiation             */
-   "mod-inverse",       /* test modular inverse function                 */
-   "compare-digit",     /* test digit comparison function                */
-   "compare-zero",      /* test zero comparison function                 */
-   "compare",           /* test general signed comparison                */
-   "compare-magnitude", /* test general magnitude comparison             */
-   "parity",            /* test parity comparison functions              */
-   "gcd",               /* test greatest common divisor functions        */
-   "lcm",               /* test least common multiple function           */
-   "conversion",        /* test general radix conversion facilities      */
-   "binary",            /* test raw output format                        */
-   "pprime",            /* test probabilistic primality tester           */
-   "fermat"             /* test Fermat pseudoprimality tester            */
-};
-
-/* Test function prototypes */
-int  test_list(void);
-int  test_copy(void);
-int  test_exch(void);
-int  test_zero(void);
-int  test_set(void);
-int  test_abs(void);
-int  test_neg(void);
-int  test_add_d(void);
-int  test_add(void);
-int  test_sub_d(void);
-int  test_sub(void);
-int  test_mul_d(void);
-int  test_mul(void);
-int  test_sqr(void);
-int  test_div_d(void);
-int  test_div_2(void);
-int  test_div_2d(void);
-int  test_div(void);
-int  test_expt_d(void);
-int  test_expt(void);
-int  test_2expt(void);
-int  test_sqrt(void);
-int  test_mod_d(void);
-int  test_mod(void);
-int  test_addmod(void);
-int  test_submod(void);
-int  test_mulmod(void);
-int  test_sqrmod(void);
-int  test_exptmod(void);
-int  test_exptmod_d(void);
-int  test_invmod(void);
-int  test_cmp_d(void);
-int  test_cmp_z(void);
-int  test_cmp(void);
-int  test_cmp_mag(void);
-int  test_parity(void);
-int  test_gcd(void);
-int  test_lcm(void);
-int  test_convert(void);
-int  test_raw(void);
-int  test_pprime(void);
-int  test_fermat(void);
-
-/* Table mapping index numbers to functions */
-int (*g_tests[])(void)  = {
-   test_list,     test_copy,     test_exch,     test_zero,     
-   test_set,      test_abs,      test_neg,      test_add_d,    
-   test_add,      test_sub_d,    test_sub,      test_mul_d,    
-   test_mul,      test_sqr,      test_div_d,    test_div_2,    
-   test_div_2d,   test_div,      test_expt_d,   test_expt,     
-   test_2expt,    test_sqrt,     test_mod_d,    test_mod,      
-   test_addmod,   test_submod,   test_mulmod,   test_sqrmod,   
-   test_exptmod,  test_exptmod_d, test_invmod,   test_cmp_d,    
-   test_cmp_z,    test_cmp,      test_cmp_mag,  test_parity,   
-   test_gcd,      test_lcm,      test_convert,  test_raw,      
-   test_pprime,   test_fermat
-};
-
-/* Table mapping index numbers to descriptions */
-const char *g_descs[] = {
-   "print out a list of the available test suites",
-   "test assignment of mp-int structures",
-   "test exchange of mp-int structures",
-   "test zeroing of an mp-int",
-   "test setting an mp-int to a small constant",
-   "test the absolute value function",
-   "test the arithmetic negation function",
-   "test digit addition",
-   "test full addition",
-   "test digit subtraction",
-   "test full subtraction",
-   "test digit multiplication",
-   "test full multiplication",
-   "test full squaring function",
-   "test digit division",
-   "test division by two",
-   "test division & remainder by 2^d",
-   "test full division",
-   "test digit exponentiation",
-   "test full exponentiation",
-   "test power-of-two exponentiation",
-   "test integer square root function",
-   "test digit modular reduction",
-   "test full modular reduction",
-   "test modular addition",
-   "test modular subtraction",
-   "test modular multiplication",
-   "test modular squaring function",
-   "test full modular exponentiation",
-   "test digit modular exponentiation",
-   "test modular inverse function",
-   "test digit comparison function",
-   "test zero comparison function",
-   "test general signed comparison",
-   "test general magnitude comparison",
-   "test parity comparison functions",
-   "test greatest common divisor functions",
-   "test least common multiple function",
-   "test general radix conversion facilities",
-   "test raw output format",
-   "test probabilistic primality tester",
-   "test Fermat pseudoprimality tester"
-};
-
diff --git a/security/nss/lib/freebl/mpi/tests/LICENSE b/security/nss/lib/freebl/mpi/tests/LICENSE
deleted file mode 100644
index c2c5d0190..000000000
--- a/security/nss/lib/freebl/mpi/tests/LICENSE
+++ /dev/null
@@ -1,6 +0,0 @@
-Within this directory, each of the file listed below is licensed under 
-the terms given in the file LICENSE-MPL, also in this directory.
-
-pi1k.txt
-pi2k.txt
-pi5k.txt
diff --git a/security/nss/lib/freebl/mpi/tests/LICENSE-MPL b/security/nss/lib/freebl/mpi/tests/LICENSE-MPL
deleted file mode 100644
index 9ff410e4b..000000000
--- a/security/nss/lib/freebl/mpi/tests/LICENSE-MPL
+++ /dev/null
@@ -1,32 +0,0 @@
-The contents of this file are subject to the Mozilla Public
-License Version 1.1 (the "License"); you may not use this file
-except in compliance with the License. You may obtain a copy of
-the License at http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS
-IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-implied. See the License for the specific language governing
-rights and limitations under the License.
-
-The Original Code is the Netscape security libraries.
-
-The Initial Developer of the Original Code is Netscape
-Communications Corporation.  Portions created by Netscape are 
-Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the
-terms of the GNU General Public License Version 2 or later (the
-"GPL"), in which case the provisions of the GPL are applicable 
-instead of those above.  If you wish to allow use of your 
-version of this file only under the terms of the GPL and not to
-allow others to use your version of this file under the MPL,
-indicate your decision by deleting the provisions above and
-replace them with the notice and other provisions required by
-the GPL.  If you do not delete the provisions above, a recipient
-may use your version of this file under either the MPL or the
-GPL.
-
-
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-1.c b/security/nss/lib/freebl/mpi/tests/mptest-1.c
deleted file mode 100644
index 98a36cb06..000000000
--- a/security/nss/lib/freebl/mpi/tests/mptest-1.c
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * Simple test driver for MPI library
- *
- * Test 1: Simple input test (drives single-digit multiply and add,
- *         as well as I/O routines)
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-#include <limits.h>
-
-#ifdef MAC_CW_SIOUX
-#include <console.h>
-#endif
-
-#include "mpi.h"
-
-int main(int argc, char *argv[])
-{
-  int    ix;
-  mp_int mp;
-
-#ifdef MAC_CW_SIOUX
-  argc = ccommand(&argv);
-#endif
-
-  mp_init(&mp);
-  
-  for(ix = 1; ix < argc; ix++) {
-    mp_read_radix(&mp, argv[ix], 10);
-    mp_print(&mp, stdout);
-    fputc('\n', stdout);
-  }
-
-  mp_clear(&mp);
-  return 0;
-}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-2.c b/security/nss/lib/freebl/mpi/tests/mptest-2.c
deleted file mode 100644
index 7c09e7d2d..000000000
--- a/security/nss/lib/freebl/mpi/tests/mptest-2.c
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * Simple test driver for MPI library
- *
- * Test 2: Basic addition and subtraction test
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-#include <limits.h>
-
-#include "mpi.h"
-
-int main(int argc, char *argv[])
-{
-  mp_int a, b, c;
-
-  if(argc < 3) {
-    fprintf(stderr, "Usage: %s <a> <b>\n", argv[0]);
-    return 1;
-  }
-
-  printf("Test 2: Basic addition and subtraction\n\n");
-
-  mp_init(&a);
-  mp_init(&b);
-
-  mp_read_radix(&a, argv[1], 10);
-  mp_read_radix(&b, argv[2], 10);
-  printf("a = "); mp_print(&a, stdout); fputc('\n', stdout);
-  printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
-  
-  mp_init(&c);
-  printf("c = a + b\n");
-
-  mp_add(&a, &b, &c);
-  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
-  
-  printf("c = a - b\n");
-  
-  mp_sub(&a, &b, &c);
-  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);  
-
-  mp_clear(&c);
-  mp_clear(&b);
-  mp_clear(&a);
-
-  return 0;
-}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-3.c b/security/nss/lib/freebl/mpi/tests/mptest-3.c
deleted file mode 100644
index 43a287996..000000000
--- a/security/nss/lib/freebl/mpi/tests/mptest-3.c
+++ /dev/null
@@ -1,131 +0,0 @@
-/*
- * Simple test driver for MPI library
- *
- * Test 3: Multiplication, division, and exponentiation test
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-#include <limits.h>
-
-#include <time.h>
-
-#include "mpi.h"
-
-#define  SQRT 1  /* define nonzero to get square-root test  */
-#define  EXPT 0  /* define nonzero to get exponentiate test */
-
-int main(int argc, char *argv[])
-{
-  int      ix;
-  mp_int   a, b, c, d;
-  mp_digit r;
-  mp_err   res;
-
-  if(argc < 3) {
-    fprintf(stderr, "Usage: %s <a> <b>\n", argv[0]);
-    return 1;
-  }
-
-  printf("Test 3: Multiplication and division\n\n");
-  srand(time(NULL));
-
-  mp_init(&a);
-  mp_init(&b);
-
-  mp_read_variable_radix(&a, argv[1], 10);
-  mp_read_variable_radix(&b, argv[2], 10);
-  printf("a = "); mp_print(&a, stdout); fputc('\n', stdout);
-  printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
-  
-  mp_init(&c);
-  printf("\nc = a * b\n");
-
-  mp_mul(&a, &b, &c);
-  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
-
-  printf("\nc = b * 32523\n");
-
-  mp_mul_d(&b, 32523, &c);
-  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
-  
-  mp_init(&d);
-  printf("\nc = a / b, d = a mod b\n");
-  
-  mp_div(&a, &b, &c, &d);
-  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);  
-  printf("d = "); mp_print(&d, stdout); fputc('\n', stdout);  
-
-  ix = rand() % 256;
-  printf("\nc = a / %d, r = a mod %d\n", ix, ix);
-  mp_div_d(&a, (mp_digit)ix, &c, &r);
-  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);  
-  printf("r = %04X\n", r);
-
-#if EXPT
-  printf("\nc = a ** b\n");
-  mp_expt(&a, &b, &c);
-  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);  
-#endif
-
-  ix = rand() % 256;
-  printf("\nc = 2^%d\n", ix);
-  mp_2expt(&c, ix);
-  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
-
-#if SQRT
-  printf("\nc = sqrt(a)\n");
-  if((res = mp_sqrt(&a, &c)) != MP_OKAY) {
-    printf("mp_sqrt: %s\n", mp_strerror(res));
-  } else {
-    printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
-    mp_sqr(&c, &c);
-    printf("c^2 = "); mp_print(&c, stdout); fputc('\n', stdout);
-  }
-#endif
-
-  mp_clear(&d);
-  mp_clear(&c);
-  mp_clear(&b);
-  mp_clear(&a);
-
-  return 0;
-}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-3a.c b/security/nss/lib/freebl/mpi/tests/mptest-3a.c
deleted file mode 100644
index a4d246212..000000000
--- a/security/nss/lib/freebl/mpi/tests/mptest-3a.c
+++ /dev/null
@@ -1,144 +0,0 @@
-/*
- * Simple test driver for MPI library
- *
- * Test 3a: Multiplication vs. squaring timing test
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-#include <limits.h>
-
-#include <time.h>
-
-#include "mpi.h"
-#include "mpprime.h"
-
-int main(int argc, char *argv[])
-{
-  int        ix, num, prec = 8;
-  double     d1, d2;
-  clock_t    start, finish;
-  time_t     seed;
-  mp_int     a, c, d;
-
-  seed = time(NULL);
-
-  if(argc < 2) {
-    fprintf(stderr, "Usage: %s <num-tests> [<precision>]\n", argv[0]);
-    return 1;
-  }
-
-  if((num = atoi(argv[1])) < 0)
-    num = -num;
-
-  if(!num) {
-    fprintf(stderr, "%s: must perform at least 1 test\n", argv[0]);
-    return 1;
-  }
-
-  if(argc > 2) {
-    if((prec = atoi(argv[2])) <= 0)
-      prec = 8;
-    else
-      prec = (prec + (DIGIT_BIT - 1)) / DIGIT_BIT;
-  }
-  
-  printf("Test 3a: Multiplication vs squaring timing test\n"
-	 "Precision:  %d digits (%u bits)\n"
-	 "# of tests: %d\n\n", prec, prec * DIGIT_BIT, num);
-
-  mp_init_size(&a, prec);
-
-  mp_init(&c); mp_init(&d);
-
-  printf("Verifying accuracy ... \n");
-  srand((unsigned int)seed);
-  for(ix = 0; ix < num; ix++) {
-    mpp_random_size(&a, prec);
-    mp_mul(&a, &a, &c);
-    mp_sqr(&a, &d);
-
-    if(mp_cmp(&c, &d) != 0) {
-      printf("Error!  Results not accurate:\n");
-      printf("a = "); mp_print(&a, stdout); fputc('\n', stdout);
-      printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
-      printf("d = "); mp_print(&d, stdout); fputc('\n', stdout);
-      mp_sub(&c, &d, &d);
-      printf("dif "); mp_print(&d, stdout); fputc('\n', stdout);
-      mp_clear(&c); mp_clear(&d);
-      mp_clear(&a);
-      return 1;
-    }
-  }
-  printf("Accuracy is confirmed for the %d test samples\n", num);
-  mp_clear(&d);
-
-  printf("Testing squaring ... \n");
-  srand((unsigned int)seed);
-  start = clock();
-  for(ix = 0; ix < num; ix++) {
-    mpp_random_size(&a, prec);
-    mp_sqr(&a, &c);
-  }
-  finish = clock();
-
-  d2 = (double)(finish - start) / CLOCKS_PER_SEC;
-
-  printf("Testing multiplication ... \n");
-  srand((unsigned int)seed);
-  start = clock();
-  for(ix = 0; ix < num; ix++) {
-    mpp_random(&a);
-    mp_mul(&a, &a, &c);
-  }
-  finish = clock();
-
-  d1 = (double)(finish - start) / CLOCKS_PER_SEC;
-
-  printf("Multiplication time: %.3f sec (%.3f each)\n", d1, d1 / num);
-  printf("Squaring time:       %.3f sec (%.3f each)\n", d2, d2 / num);
-  printf("Improvement:         %.2f%%\n", (1.0 - (d2 / d1)) * 100.0);
-
-  mp_clear(&c);
-  mp_clear(&a);
-
-  return 0;
-}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-4.c b/security/nss/lib/freebl/mpi/tests/mptest-4.c
deleted file mode 100644
index 181cd4116..000000000
--- a/security/nss/lib/freebl/mpi/tests/mptest-4.c
+++ /dev/null
@@ -1,126 +0,0 @@
-/*
- * Simple test driver for MPI library
- *
- * Test 4: Modular arithmetic tests
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-#include <limits.h>
-
-#include "mpi.h"
-
-int main(int argc, char *argv[])
-{
-  int      ix;
-  mp_int   a, b, c, m;
-  mp_digit r;
-
-  if(argc < 4) {
-    fprintf(stderr, "Usage: %s <a> <b> <m>\n", argv[0]);
-    return 1;
-  }
-
-  printf("Test 4: Modular arithmetic\n\n");
-
-  mp_init(&a);
-  mp_init(&b);
-  mp_init(&m);
-
-  mp_read_radix(&a, argv[1], 10);
-  mp_read_radix(&b, argv[2], 10);
-  mp_read_radix(&m, argv[3], 10);
-  printf("a = "); mp_print(&a, stdout); fputc('\n', stdout);
-  printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
-  printf("m = "); mp_print(&m, stdout); fputc('\n', stdout);
-  
-  mp_init(&c);
-  printf("\nc = a (mod m)\n");
-
-  mp_mod(&a, &m, &c);
-  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
-
-  printf("\nc = b (mod m)\n");
-
-  mp_mod(&b, &m, &c);
-  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
-
-  printf("\nc = b (mod 1853)\n");
-
-  mp_mod_d(&b, 1853, &r);
-  printf("c = %04X\n", r);
-
-  printf("\nc = (a + b) mod m\n");
-
-  mp_addmod(&a, &b, &m, &c);
-  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
-
-  printf("\nc = (a - b) mod m\n");
-
-  mp_submod(&a, &b, &m, &c);
-  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
-
-  printf("\nc = (a * b) mod m\n");
-
-  mp_mulmod(&a, &b, &m, &c);
-  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
-
-  printf("\nc = (a ** b) mod m\n");
-
-  mp_exptmod(&a, &b, &m, &c);
-  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
-
-  printf("\nIn-place modular squaring test:\n");
-  for(ix = 0; ix < 5; ix++) {
-    printf("a = (a * a) mod m   a = ");
-    mp_sqrmod(&a, &m, &a);
-    mp_print(&a, stdout);
-    fputc('\n', stdout);
-  }
-  
-
-  mp_clear(&c);
-  mp_clear(&m);
-  mp_clear(&b);
-  mp_clear(&a);
-
-  return 0;
-}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-4a.c b/security/nss/lib/freebl/mpi/tests/mptest-4a.c
deleted file mode 100644
index 87cb37547..000000000
--- a/security/nss/lib/freebl/mpi/tests/mptest-4a.c
+++ /dev/null
@@ -1,138 +0,0 @@
-/* 
- *  mptest4a - modular exponentiation speed test 
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <limits.h>
-#include <time.h>
-
-#include <sys/time.h>
-
-#include "mpi.h"
-#include "mpprime.h"
-
-typedef struct {
-  unsigned int  sec;
-  unsigned int  usec;
-} instant_t;
-
-instant_t now(void)
-{
-  struct timeval clk;
-  instant_t      res;
-
-  res.sec = res.usec = 0;
-
-  if(gettimeofday(&clk, NULL) != 0)
-    return res;
-
-  res.sec = clk.tv_sec;
-  res.usec = clk.tv_usec;
-
-  return res;
-}
-
-extern mp_err s_mp_pad();
-
-int main(int argc, char *argv[])
-{
-  int        ix, num, prec = 8;
-  unsigned   int d;
-  instant_t  start, finish;
-  time_t     seed;
-  mp_int     a, m, c;
-
-  seed = time(NULL);
-
-  if(argc < 2) {
-    fprintf(stderr, "Usage: %s <num-tests> [<precision>]\n", argv[0]);
-    return 1;
-  }
-
-  if((num = atoi(argv[1])) < 0)
-    num = -num;
-
-  if(!num) {
-    fprintf(stderr, "%s: must perform at least 1 test\n", argv[0]);
-    return 1;
-  }
-
-  if(argc > 2) {
-    if((prec = atoi(argv[2])) <= 0)
-      prec = 8;
-  }
-  
-  printf("Test 3a: Modular exponentiation timing test\n"
-	 "Precision:  %d digits (%d bits)\n"
-	 "# of tests: %d\n\n", prec, prec * DIGIT_BIT, num);
-
-  mp_init_size(&a, prec);
-  mp_init_size(&m, prec);
-  mp_init_size(&c, prec);
-  s_mp_pad(&a, prec);
-  s_mp_pad(&m, prec);
-  s_mp_pad(&c, prec);
-
-  printf("Testing modular exponentiation ... \n");
-  srand((unsigned int)seed);
-
-  start = now();
-  for(ix = 0; ix < num; ix++) {
-    mpp_random(&a);
-    mpp_random(&c);
-    mpp_random(&m);
-    mp_exptmod(&a, &c, &m, &c);
-  }
-  finish = now();
-
-  d = (finish.sec - start.sec) * 1000000;
-  d -= start.usec; d += finish.usec;
-
-  printf("Total time elapsed:        %u usec\n", d);
-  printf("Time per exponentiation:   %u usec (%.3f sec)\n", 
-	 (d / num), (double)(d / num) / 1000000);
-
-  mp_clear(&c);
-  mp_clear(&a);
-  mp_clear(&m);
-
-  return 0;
-}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-4b.c b/security/nss/lib/freebl/mpi/tests/mptest-4b.c
deleted file mode 100644
index 3b5f3b924..000000000
--- a/security/nss/lib/freebl/mpi/tests/mptest-4b.c
+++ /dev/null
@@ -1,135 +0,0 @@
-/*
- * mptest-4b.c
- *
- * Test speed of a large modular exponentiation of a primitive element
- * modulo a prime.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <limits.h>
-#include <time.h>
-
-#include <sys/time.h>
-
-#include "mpi.h"
-#include "mpprime.h"
-
-char *g_prime = 
-  "34BD53C07350E817CCD49721020F1754527959C421C1533244769D4CF060A8B1C3DA"
-  "25094BE723FB1E2369B55FEEBBE0FAC16425161BF82684062B5EC5D7D47D1B23C117"
-  "0FA19745E44A55E148314E582EB813AC9EE5126295E2E380CACC2F6D206B293E5ED9"
-  "23B54EE961A8C69CD625CE4EC38B70C649D7F014432AEF3A1C93";
-char *g_gen = "5";
-
-typedef struct {
-  unsigned int  sec;
-  unsigned int  usec;
-} instant_t;
-
-instant_t now(void)
-{
-  struct timeval clk;
-  instant_t      res;
-
-  res.sec = res.usec = 0;
-
-  if(gettimeofday(&clk, NULL) != 0)
-    return res;
-
-  res.sec = clk.tv_sec;
-  res.usec = clk.tv_usec;
-
-  return res;
-}
-
-extern mp_err s_mp_pad();
-
-int main(int argc, char *argv[])
-{
-  instant_t    start, finish;
-  mp_int       prime, gen, expt, res;
-  unsigned int ix, diff;
-  int          num;
-
-  srand(time(NULL));
-
-  if(argc < 2) {
-    fprintf(stderr, "Usage: %s <num-tests>\n", argv[0]);
-    return 1;
-  }
-
-  if((num = atoi(argv[1])) < 0)
-    num = -num;
-
-  if(num == 0)
-    ++num;
-
-  mp_init(&prime); mp_init(&gen); mp_init(&res);
-  mp_read_radix(&prime, g_prime, 16);
-  mp_read_radix(&gen, g_gen, 16);
-
-  mp_init_size(&expt, USED(&prime) - 1);
-  s_mp_pad(&expt, USED(&prime) - 1);
-
-  printf("Testing %d modular exponentations ... \n", num);
-
-  start = now();
-  for(ix = 0; ix < num; ix++) {
-    mpp_random(&expt);
-    mp_exptmod(&gen, &expt, &prime, &res);
-  }
-  finish = now();
-
-  diff = (finish.sec - start.sec) * 1000000;
-  diff += finish.usec; diff -= start.usec;
-
-  printf("%d operations took %u usec (%.3f sec)\n",
-	 num, diff, (double)diff / 1000000.0);
-  printf("That is %.3f sec per operation.\n",
-	 ((double)diff / 1000000.0) / num);
-
-  mp_clear(&expt);
-  mp_clear(&res);
-  mp_clear(&gen);
-  mp_clear(&prime);
-
-  return 0;
-}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-5.c b/security/nss/lib/freebl/mpi/tests/mptest-5.c
deleted file mode 100644
index e77c5b0f2..000000000
--- a/security/nss/lib/freebl/mpi/tests/mptest-5.c
+++ /dev/null
@@ -1,103 +0,0 @@
-/*
- * Simple test driver for MPI library
- *
- * Test 5: Other number theoretic functions
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-#include <limits.h>
-
-#include "mpi.h"
-
-int main(int argc, char *argv[])
-{
-  mp_int   a, b, c, x, y;
-
-  if(argc < 3) {
-    fprintf(stderr, "Usage: %s <a> <b>\n", argv[0]);
-    return 1;
-  }
-
-  printf("Test 5: Number theoretic functions\n\n");
-
-  mp_init(&a);
-  mp_init(&b);
-
-  mp_read_radix(&a, argv[1], 10);
-  mp_read_radix(&b, argv[2], 10);
-
-  printf("a = "); mp_print(&a, stdout); fputc('\n', stdout);
-  printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
-  
-  mp_init(&c);
-  printf("\nc = (a, b)\n");
-
-  mp_gcd(&a, &b, &c);
-  printf("Euclid: c = "); mp_print(&c, stdout); fputc('\n', stdout);
-/*
-  mp_bgcd(&a, &b, &c);
-  printf("Binary: c = "); mp_print(&c, stdout); fputc('\n', stdout);
-*/
-  mp_init(&x);
-  mp_init(&y);
-  printf("\nc = (a, b) = ax + by\n");
-
-  mp_xgcd(&a, &b, &c, &x, &y);
-  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
-  printf("x = "); mp_print(&x, stdout); fputc('\n', stdout);
-  printf("y = "); mp_print(&y, stdout); fputc('\n', stdout);
-
-  printf("\nc = a^-1 (mod b)\n");
-  if(mp_invmod(&a, &b, &c) == MP_UNDEF) {
-    printf("a has no inverse mod b\n");
-  } else {
-    printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
-  }
-
-  mp_clear(&y);
-  mp_clear(&x);
-  mp_clear(&c);
-  mp_clear(&b);
-  mp_clear(&a);
-
-  return 0;
-}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-5a.c b/security/nss/lib/freebl/mpi/tests/mptest-5a.c
deleted file mode 100644
index 0cc2f0349..000000000
--- a/security/nss/lib/freebl/mpi/tests/mptest-5a.c
+++ /dev/null
@@ -1,165 +0,0 @@
-/*
- * Simple test driver for MPI library
- *
- * Test 5a: Greatest common divisor speed test, binary vs. Euclid
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-#include <limits.h>
-#include <time.h>
-
-#include <sys/time.h>
-
-#include "mpi.h"
-#include "mpprime.h"
-
-typedef struct {
-  unsigned int  sec;
-  unsigned int  usec;
-} instant_t;
-
-instant_t now(void)
-{
-  struct timeval clk;
-  instant_t      res;
-
-  res.sec = res.usec = 0;
-
-  if(gettimeofday(&clk, NULL) != 0)
-    return res;
-
-  res.sec = clk.tv_sec;
-  res.usec = clk.tv_usec;
-
-  return res;
-}
-
-#define PRECISION 16
-
-int main(int argc, char *argv[])
-{
-  int          ix, num, prec = PRECISION;
-  mp_int       a, b, c, d;
-  instant_t    start, finish;
-  time_t       seed;
-  unsigned int d1, d2;
-
-  seed = time(NULL);
-
-  if(argc < 2) {
-    fprintf(stderr, "Usage: %s <num-tests>\n", argv[0]);
-    return 1;
-  }
-
-  if((num = atoi(argv[1])) < 0)
-    num = -num;
-
-  printf("Test 5a: Euclid vs. Binary, a GCD speed test\n\n"
-	 "Number of tests: %d\n"
-	 "Precision:       %d digits\n\n", num, prec);
-
-  mp_init_size(&a, prec);
-  mp_init_size(&b, prec);
-  mp_init(&c);
-  mp_init(&d);
-
-  printf("Verifying accuracy ... \n");
-  srand((unsigned int)seed);
-  for(ix = 0; ix < num; ix++) {
-    mpp_random_size(&a, prec);
-    mpp_random_size(&b, prec);
-
-    mp_gcd(&a, &b, &c);
-    mp_bgcd(&a, &b, &d);
-
-    if(mp_cmp(&c, &d) != 0) {
-      printf("Error!  Results not accurate:\n");
-      printf("a = "); mp_print(&a, stdout); fputc('\n', stdout);
-      printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
-      printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
-      printf("d = "); mp_print(&d, stdout); fputc('\n', stdout);
-
-      mp_clear(&a); mp_clear(&b); mp_clear(&c); mp_clear(&d);
-      return 1;
-    }
-  }
-  mp_clear(&d);
-  printf("Accuracy confirmed for the %d test samples\n", num);
-
-  printf("Testing Euclid ... \n");
-  srand((unsigned int)seed);
-  start = now();
-  for(ix = 0; ix < num; ix++) {
-    mpp_random_size(&a, prec);
-    mpp_random_size(&b, prec);
-    mp_gcd(&a, &b, &c);
-
-  }
-  finish = now();
-
-  d1 = (finish.sec - start.sec) * 1000000;
-  d1 -= start.usec; d1 += finish.usec;
-
-  printf("Testing binary ... \n");
-  srand((unsigned int)seed);
-  start = now();
-  for(ix = 0; ix < num; ix++) {
-    mpp_random_size(&a, prec);
-    mpp_random_size(&b, prec);
-    mp_bgcd(&a, &b, &c);
-  }
-  finish = now();
-
-  d2 = (finish.sec - start.sec) * 1000000;
-  d2 -= start.usec; d2 += finish.usec;
-
-  printf("Euclidean algorithm time: %u usec\n", d1);
-  printf("Binary algorithm time:    %u usec\n", d2);
-  printf("Improvement:              %.2f%%\n",
-         (1.0 - ((double)d2 / (double)d1)) * 100.0);
-
-  mp_clear(&c);
-  mp_clear(&b);
-  mp_clear(&a);
-
-  return 0;
-}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-6.c b/security/nss/lib/freebl/mpi/tests/mptest-6.c
deleted file mode 100644
index a587778c9..000000000
--- a/security/nss/lib/freebl/mpi/tests/mptest-6.c
+++ /dev/null
@@ -1,111 +0,0 @@
-/*
- *  Simple test driver for MPI library
- *
- *  Test 6: Output functions
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-#include <limits.h>
-
-#include "mpi.h"
-
-void print_buf(FILE *ofp, char *buf, int len)
-{
-  int ix, brk = 0;
-
-  for(ix = 0; ix < len; ix++) {
-    fprintf(ofp, "%02X ", buf[ix]);
-
-    brk = (brk + 1) & 0xF;
-    if(!brk) 
-      fputc('\n', ofp);
-  }
-
-  if(brk)
-    fputc('\n', ofp);
-
-}
-
-int main(int argc, char *argv[])
-{
-  int       ix, size;
-  mp_int    a;
-  char     *buf;
-
-  if(argc < 2) {
-    fprintf(stderr, "Usage: %s <a>\n", argv[0]);
-    return 1;
-  }
-
-  printf("Test 6: Output functions\n\n");
-
-  mp_init(&a);
-
-  mp_read_radix(&a, argv[1], 10);
-
-  printf("\nConverting to a string:\n");
-
-  printf("Rx Size Representation\n");
-  for(ix = 2; ix <= MAX_RADIX; ix++) {
-    size = mp_radix_size(&a, ix);
-
-    buf = calloc(size, sizeof(char));
-    mp_toradix(&a, buf, ix);
-    printf("%2d: %3d: %s\n", ix, size, buf);
-    free(buf);
-
-  }
-
-  printf("\nRaw output:\n");
-  size = mp_raw_size(&a);
-  buf = calloc(size, sizeof(char));
-
-  printf("Size:  %d bytes\n", size);
-
-  mp_toraw(&a, buf);
-  print_buf(stdout, buf, size);
-  free(buf);
-  
-  mp_clear(&a);
-
-  return 0;
-}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-7.c b/security/nss/lib/freebl/mpi/tests/mptest-7.c
deleted file mode 100644
index a32be1978..000000000
--- a/security/nss/lib/freebl/mpi/tests/mptest-7.c
+++ /dev/null
@@ -1,107 +0,0 @@
-/*
- *  Simple test driver for MPI library
- *
- *  Test 7: Random and divisibility tests
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-#include <limits.h>
-#include <time.h>
-
-#define MP_IOFUNC
-#include "mpi.h"
-
-#include "mpprime.h"
-
-int main(int argc, char *argv[])
-{
-  mp_digit  num;
-  mp_int    a, b;
-
-  srand(time(NULL));
-
-  if(argc < 3) {
-    fprintf(stderr, "Usage: %s <a> <b>\n", argv[0]);
-    return 1;
-  }
-
-  printf("Test 7: Random & divisibility tests\n\n");
-
-  mp_init(&a);
-  mp_init(&b);
-
-  mp_read_radix(&a, argv[1], 10);
-  mp_read_radix(&b, argv[2], 10);
-
-  printf("a = "); mp_print(&a, stdout); fputc('\n', stdout);
-  printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
-
-  if(mpp_divis(&a, &b) == MP_YES)
-    printf("a is divisible by b\n");
-  else
-    printf("a is not divisible by b\n");
-
-  if(mpp_divis(&b, &a) == MP_YES)
-    printf("b is divisible by a\n");
-  else
-    printf("b is not divisible by a\n");
-
-  printf("\nb = mpp_random()\n");
-  mpp_random(&b);
-  printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
-  mpp_random(&b);
-  printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
-  mpp_random(&b);
-  printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
-
-  printf("\nTesting a for divisibility by first 170 primes\n");
-  num = 170;
-  if(mpp_divis_primes(&a, &num) == MP_YES)
-    printf("It is divisible by at least one of them\n");
-  else
-    printf("It is not divisible by any of them\n");
-
-  mp_clear(&b);
-  mp_clear(&a);
-
-  return 0;
-}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-8.c b/security/nss/lib/freebl/mpi/tests/mptest-8.c
deleted file mode 100644
index 7cf95a9b1..000000000
--- a/security/nss/lib/freebl/mpi/tests/mptest-8.c
+++ /dev/null
@@ -1,98 +0,0 @@
-/*
- *  Simple test driver for MPI library
- *
- *  Test 8: Probabilistic primality tester
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-#include <limits.h>
-#include <time.h>
-
-#define MP_IOFUNC
-#include "mpi.h"
-
-#include "mpprime.h"
-
-int main(int argc, char *argv[])
-{
-  int       ix;
-  mp_digit  num;
-  mp_int    a;
-
-  srand(time(NULL));
-
-  if(argc < 2) {
-    fprintf(stderr, "Usage: %s <a>\n", argv[0]);
-    return 1;
-  }
-
-  printf("Test 8: Probabilistic primality testing\n\n");
-
-  mp_init(&a);
-
-  mp_read_radix(&a, argv[1], 10);
-
-  printf("a = "); mp_print(&a, stdout); fputc('\n', stdout);
-
-  printf("\nChecking for divisibility by small primes ... \n");
-  num = 170;
-  if(mpp_divis_primes(&a, &num) == MP_YES) {
-    printf("it is not prime\n");
-    goto CLEANUP;
-  }
-  printf("Passed that test (not divisible by any small primes).\n");
-
-  for(ix = 0; ix < 10; ix++) {
-    printf("\nPerforming Rabin-Miller test, iteration %d\n", ix + 1);
-
-    if(mpp_pprime(&a, 5) == MP_NO) {
-      printf("it is not prime\n");
-      goto CLEANUP;
-    }
-  }
-  printf("All tests passed; a is probably prime\n");
-
-CLEANUP:
-  mp_clear(&a);
-
-  return 0;
-}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-9.c b/security/nss/lib/freebl/mpi/tests/mptest-9.c
deleted file mode 100644
index 03444cba1..000000000
--- a/security/nss/lib/freebl/mpi/tests/mptest-9.c
+++ /dev/null
@@ -1,116 +0,0 @@
-/*
- *    mptest-9.c
- *
- *   Test logical functions
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-#include <limits.h>
-#include <time.h>
-
-#include "mpi.h"
-#include "mplogic.h"
-
-int main(int argc, char *argv[])
-{
-  mp_int    a, b, c;
-  int       pco;
-  mp_err    res;
-
-  printf("Test 9: Logical functions\n\n");
-
-  if(argc < 3) {
-    fprintf(stderr, "Usage: %s <a> <b>\n", argv[0]);
-    return 1;
-  }
-
-  mp_init(&a); mp_init(&b); mp_init(&c);
-  mp_read_radix(&a, argv[1], 16);
-  mp_read_radix(&b, argv[2], 16);
-
-  printf("a       = "); mp_print(&a, stdout); fputc('\n', stdout);
-  printf("b       = "); mp_print(&b, stdout); fputc('\n', stdout);
-
-  mpl_not(&a, &c);
-  printf("~a      = "); mp_print(&c, stdout); fputc('\n', stdout);
-
-  mpl_and(&a, &b, &c);
-  printf("a & b   = "); mp_print(&c, stdout); fputc('\n', stdout);
-
-  mpl_or(&a, &b, &c);
-  printf("a | b   = "); mp_print(&c, stdout); fputc('\n', stdout);
-
-  mpl_xor(&a, &b, &c);
-  printf("a ^ b   = "); mp_print(&c, stdout); fputc('\n', stdout);
-
-  mpl_rsh(&a, &c, 1);
-  printf("a >>  1 = "); mp_print(&c, stdout); fputc('\n', stdout);
-  mpl_rsh(&a, &c, 5);
-  printf("a >>  5 = "); mp_print(&c, stdout); fputc('\n', stdout);
-  mpl_rsh(&a, &c, 16);
-  printf("a >> 16 = "); mp_print(&c, stdout); fputc('\n', stdout);
-
-  mpl_lsh(&a, &c, 1);
-  printf("a <<  1 = "); mp_print(&c, stdout); fputc('\n', stdout);
-  mpl_lsh(&a, &c, 5);
-  printf("a <<  5 = "); mp_print(&c, stdout); fputc('\n', stdout);
-  mpl_lsh(&a, &c, 16);
-  printf("a << 16 = "); mp_print(&c, stdout); fputc('\n', stdout);
-
-  mpl_num_set(&a, &pco);
-  printf("population(a) = %d\n", pco);
-  mpl_num_set(&b, &pco);
-  printf("population(b) = %d\n", pco);
-
-  res = mpl_parity(&a);
-  if(res == MP_EVEN)
-    printf("a has even parity\n");
-  else
-    printf("a has odd parity\n");
-  
-  mp_clear(&c);
-  mp_clear(&b);
-  mp_clear(&a);
-
-  return 0;
-}
-
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-b.c b/security/nss/lib/freebl/mpi/tests/mptest-b.c
deleted file mode 100644
index 6da6b136a..000000000
--- a/security/nss/lib/freebl/mpi/tests/mptest-b.c
+++ /dev/null
@@ -1,220 +0,0 @@
-/*
- * Simple test driver for MPI library
- *
- * Test GF2m: Binary Polynomial Arithmetic
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Multi-precision Binary Polynomial Arithmetic Library.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2001
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Sheueling Chang Shantz <sheueling.chang@sun.com> and
- *   Douglas Stebila <douglas@stebila.ca> of Sun Laboratories.
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-#include <limits.h>
-
-#include "mp_gf2m.h"
-
-int main(int argc, char *argv[])
-{
-    int      ix;
-    mp_int   pp, a, b, x, y, order;
-    mp_int   c, d, e;
-    mp_digit r;
-    mp_err   res;
-    unsigned int p[] = {163,7,6,3,0};
-    unsigned int ptemp[10];
-
-    printf("Test b: Binary Polynomial Arithmetic\n\n");
-
-    mp_init(&pp);
-    mp_init(&a);
-    mp_init(&b);
-    mp_init(&x);
-    mp_init(&y);
-    mp_init(&order);
-
-    mp_read_radix(&pp, "0800000000000000000000000000000000000000C9", 16);
-    mp_read_radix(&a, "1", 16);
-    mp_read_radix(&b, "020A601907B8C953CA1481EB10512F78744A3205FD", 16);
-    mp_read_radix(&x, "03F0EBA16286A2D57EA0991168D4994637E8343E36", 16);
-    mp_read_radix(&y, "00D51FBC6C71A0094FA2CDD545B11C5C0C797324F1", 16);
-    mp_read_radix(&order, "040000000000000000000292FE77E70C12A4234C33", 16);
-    printf("pp = "); mp_print(&pp, stdout); fputc('\n', stdout);
-    printf("a = "); mp_print(&a, stdout); fputc('\n', stdout);
-    printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
-    printf("x = "); mp_print(&x, stdout); fputc('\n', stdout);
-    printf("y = "); mp_print(&y, stdout); fputc('\n', stdout);
-    printf("order = "); mp_print(&order, stdout); fputc('\n', stdout);
-
-    mp_init(&c);
-    mp_init(&d);
-    mp_init(&e);
-
-    /* Test polynomial conversion */
-    ix = mp_bpoly2arr(&pp, ptemp, 10);
-    if (
-	(ix != 5) ||
-	(ptemp[0] != p[0]) ||
-	(ptemp[1] != p[1]) ||
-	(ptemp[2] != p[2]) ||
-	(ptemp[3] != p[3]) ||
-	(ptemp[4] != p[4])
-    ) {
-	printf("Polynomial to array conversion not correct\n"); 
-	return -1;
-    }
-
-    printf("Polynomial conversion test #1 successful.\n");
-    MP_CHECKOK( mp_barr2poly(p, &c) );
-    if (mp_cmp(&pp, &c) != 0) {
-        printf("Array to polynomial conversion not correct\n"); 
-        return -1;
-    }
-    printf("Polynomial conversion test #2 successful.\n");
-
-    /* Test addition */
-    MP_CHECKOK( mp_badd(&a, &a, &c) );
-    if (mp_cmp_z(&c) != 0) {
-        printf("a+a should equal zero\n"); 
-        return -1;
-    }
-    printf("Addition test #1 successful.\n");
-    MP_CHECKOK( mp_badd(&a, &b, &c) );
-    MP_CHECKOK( mp_badd(&b, &c, &c) );
-    if (mp_cmp(&c, &a) != 0) {
-        printf("c = (a + b) + b should equal a\n"); 
-        printf("a = "); mp_print(&a, stdout); fputc('\n', stdout);
-        printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
-        return -1;
-    }
-    printf("Addition test #2 successful.\n");
-    
-    /* Test multiplication */
-    mp_set(&c, 2);
-    MP_CHECKOK( mp_bmul(&b, &c, &c) );
-    MP_CHECKOK( mp_badd(&b, &c, &c) );
-    mp_set(&d, 3);
-    MP_CHECKOK( mp_bmul(&b, &d, &d) );
-    if (mp_cmp(&c, &d) != 0) {
-        printf("c = (2 * b) + b should equal c = 3 * b\n"); 
-        printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
-        printf("d = "); mp_print(&d, stdout); fputc('\n', stdout);
-        return -1;
-    }
-    printf("Multiplication test #1 successful.\n");
-
-    /* Test modular reduction */
-    MP_CHECKOK( mp_bmod(&b, p, &c) );
-    if (mp_cmp(&b, &c) != 0) {
-        printf("c = b mod p should equal b\n"); 
-        printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
-        printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
-        return -1;
-    }
-    printf("Modular reduction test #1 successful.\n");
-    MP_CHECKOK( mp_badd(&b, &pp, &c) );
-    MP_CHECKOK( mp_bmod(&c, p, &c) );
-    if (mp_cmp(&b, &c) != 0) {
-        printf("c = (b + p) mod p should equal b\n"); 
-        printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
-        printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
-        return -1;
-    }
-    printf("Modular reduction test #2 successful.\n");
-    MP_CHECKOK( mp_bmul(&b, &pp, &c) );
-    MP_CHECKOK( mp_bmod(&c, p, &c) );
-    if (mp_cmp_z(&c) != 0) {
-        printf("c = (b * p) mod p should equal 0\n"); 
-        printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
-        return -1;
-    }
-    printf("Modular reduction test #3 successful.\n");
-
-    /* Test modular multiplication */
-    MP_CHECKOK( mp_bmulmod(&b, &pp, p, &c) );
-    if (mp_cmp_z(&c) != 0) {
-        printf("c = (b * p) mod p should equal 0\n"); 
-        printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
-        return -1;
-    }
-    printf("Modular multiplication test #1 successful.\n");
-    mp_set(&c, 1);
-    MP_CHECKOK( mp_badd(&pp, &c, &c) );
-    MP_CHECKOK( mp_bmulmod(&b, &c, p, &c) );
-    if (mp_cmp(&b, &c) != 0) {
-        printf("c = (b * (p + 1)) mod p should equal b\n"); 
-        printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
-        printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
-        return -1;
-    }
-    printf("Modular multiplication test #2 successful.\n");
-
-    /* Test modular squaring */
-    MP_CHECKOK( mp_copy(&b, &c) );
-    MP_CHECKOK( mp_bmulmod(&b, &c, p, &c) );
-    MP_CHECKOK( mp_bsqrmod(&b, p, &d) );
-    if (mp_cmp(&c, &d) != 0) {
-        printf("c = (b * b) mod p should equal d = b^2 mod p\n"); 
-        printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
-        printf("d = "); mp_print(&d, stdout); fputc('\n', stdout);
-        return -1;
-    }
-    printf("Modular squaring test #1 successful.\n");
-    
-    /* Test modular division */
-    MP_CHECKOK( mp_bdivmod(&b, &x, &pp, p, &c) );
-    MP_CHECKOK( mp_bmulmod(&c, &x, p, &c) );
-    if (mp_cmp(&b, &c) != 0) {
-        printf("c = (b / x) * x mod p should equal b\n"); 
-        printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
-        printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
-        return -1;
-    }
-    printf("Modular division test #1 successful.\n");
-
-CLEANUP:
-
-    mp_clear(&order);
-    mp_clear(&y);
-    mp_clear(&x);
-    mp_clear(&b);
-    mp_clear(&a);
-    mp_clear(&pp);
-
-    return 0;
-}
diff --git a/security/nss/lib/freebl/mpi/tests/pi1k.txt b/security/nss/lib/freebl/mpi/tests/pi1k.txt
deleted file mode 100644
index 5ff6209ff..000000000
--- a/security/nss/lib/freebl/mpi/tests/pi1k.txt
+++ /dev/null
@@ -1 +0,0 @@
-31415926535897932384626433832795028841971693993751058209749445923078164062862089986280348253421170679821480865132823066470938446095505822317253594081284811174502841027019385211055596446229489549303819644288109756659334461284756482337867831652712019091456485669234603486104543266482133936072602491412737245870066063155881748815209209628292540917153643678925903600113305305488204665213841469519415116094330572703657595919530921861173819326117931051185480744623799627495673518857527248912279381830119491298336733624406566430860213949463952247371907021798609437027705392171762931767523846748184676694051320005681271452635608277857713427577896091736371787214684409012249534301465495853710507922796892589235420199561121290219608640344181598136297747713099605187072113499999983729780499510597317328160963185950244594553469083026425223082533446850352619311881710100031378387528865875332083814206171776691473035982534904287554687311595628638823537875937519577818577805321712268066130019278766111959092164201989
diff --git a/security/nss/lib/freebl/mpi/tests/pi2k.txt b/security/nss/lib/freebl/mpi/tests/pi2k.txt
deleted file mode 100644
index 9ce82acd1..000000000
--- a/security/nss/lib/freebl/mpi/tests/pi2k.txt
+++ /dev/null
@@ -1 +0,0 @@
-314159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848111745028410270193852110555964462294895493038196442881097566593344612847564823378678316527120190914564856692346034861045432664821339360726024914127372458700660631558817488152092096282925409171536436789259036001133053054882046652138414695194151160943305727036575959195309218611738193261179310511854807446237996274956735188575272489122793818301194912983367336244065664308602139494639522473719070217986094370277053921717629317675238467481846766940513200056812714526356082778577134275778960917363717872146844090122495343014654958537105079227968925892354201995611212902196086403441815981362977477130996051870721134999999837297804995105973173281609631859502445945534690830264252230825334468503526193118817101000313783875288658753320838142061717766914730359825349042875546873115956286388235378759375195778185778053217122680661300192787661119590921642019893809525720106548586327886593615338182796823030195203530185296899577362259941389124972177528347913151557485724245415069595082953311686172785588907509838175463746493931925506040092770167113900984882401285836160356370766010471018194295559619894676783744944825537977472684710404753464620804668425906949129331367702898915210475216205696602405803815019351125338243003558764024749647326391419927260426992279678235478163600934172164121992458631503028618297455570674983850549458858692699569092721079750930295532116534498720275596023648066549911988183479775356636980742654252786255181841757467289097777279380008164706001614524919217321721477235014144197356854816136115735255213347574184946843852332390739414333454776241686251898356948556209921922218427255025425688767179049460165346680498862723279178608578438382796797668145410095388378636095068006422512520511739298489608412848862694560424196528502221066118630674427862203919494504712371378696095636437191728746776465757396241389086583264599581339047802759010
diff --git a/security/nss/lib/freebl/mpi/tests/pi5k.txt b/security/nss/lib/freebl/mpi/tests/pi5k.txt
deleted file mode 100644
index 901fac2ea..000000000
--- a/security/nss/lib/freebl/mpi/tests/pi5k.txt
+++ /dev/null
@@ -1 +0,0 @@
-314159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848111745028410270193852110555964462294895493038196442881097566593344612847564823378678316527120190914564856692346034861045432664821339360726024914127372458700660631558817488152092096282925409171536436789259036001133053054882046652138414695194151160943305727036575959195309218611738193261179310511854807446237996274956735188575272489122793818301194912983367336244065664308602139494639522473719070217986094370277053921717629317675238467481846766940513200056812714526356082778577134275778960917363717872146844090122495343014654958537105079227968925892354201995611212902196086403441815981362977477130996051870721134999999837297804995105973173281609631859502445945534690830264252230825334468503526193118817101000313783875288658753320838142061717766914730359825349042875546873115956286388235378759375195778185778053217122680661300192787661119590921642019893809525720106548586327886593615338182796823030195203530185296899577362259941389124972177528347913151557485724245415069595082953311686172785588907509838175463746493931925506040092770167113900984882401285836160356370766010471018194295559619894676783744944825537977472684710404753464620804668425906949129331367702898915210475216205696602405803815019351125338243003558764024749647326391419927260426992279678235478163600934172164121992458631503028618297455570674983850549458858692699569092721079750930295532116534498720275596023648066549911988183479775356636980742654252786255181841757467289097777279380008164706001614524919217321721477235014144197356854816136115735255213347574184946843852332390739414333454776241686251898356948556209921922218427255025425688767179049460165346680498862723279178608578438382796797668145410095388378636095068006422512520511739298489608412848862694560424196528502221066118630674427862203919494504712371378696095636437191728746776465757396241389086583264599581339047802759009946576407895126946839835259570982582262052248940772671947826848260147699090264013639443745530506820349625245174939965143142980919065925093722169646151570985838741059788595977297549893016175392846813826868386894277415599185592524595395943104997252468084598727364469584865383673622262609912460805124388439045124413654976278079771569143599770012961608944169486855584840635342207222582848864815845602850601684273945226746767889525213852254995466672782398645659611635488623057745649803559363456817432411251507606947945109659609402522887971089314566913686722874894056010150330861792868092087476091782493858900971490967598526136554978189312978482168299894872265880485756401427047755513237964145152374623436454285844479526586782105114135473573952311342716610213596953623144295248493718711014576540359027993440374200731057853906219838744780847848968332144571386875194350643021845319104848100537061468067491927819119793995206141966342875444064374512371819217999839101591956181467514269123974894090718649423196156794520809514655022523160388193014209376213785595663893778708303906979207734672218256259966150142150306803844773454920260541466592520149744285073251866600213243408819071048633173464965145390579626856100550810665879699816357473638405257145910289706414011097120628043903975951567715770042033786993600723055876317635942187312514712053292819182618612586732157919841484882916447060957527069572209175671167229109816909152801735067127485832228718352093539657251210835791513698820914442100675103346711031412671113699086585163983150197016515116851714376576183515565088490998985998238734552833163550764791853589322618548963213293308985706420467525907091548141654985946163718027098199430992448895757128289059232332609729971208443357326548938239119325974636673058360414281388303203824903758985243744170291327656180937734440307074692112019130203303801976211011004492932151608424448596376698389522868478312355265821314495768572624334418930396864262434107732269780280731891544110104468232527162010526522721116603966655730925471105578537634668206531098965269186205647693125705863566201855810072936065987648611791045334885034611365768675324944166803962657978771855608455296541266540853061434443185867697514566140680070023787765913440171274947042056223053899456131407112700040785473326993908145466464588079727082668306343285878569830523580893306575740679545716377525420211495576158140025012622859413021647155097925923099079654737612551765675135751782966645477917450112996148903046399471329621073404375189573596145890193897131117904297828564750320319869151402870808599048010941214722131794764777262241425485454033215718530614228813758504306332175182979866223717215916077166925474873898665494945011465406284336639379003976926567214638530673609657120918076383271664162748888007869256029022847210403172118608204190004229661711963779213375751149595015660496318629472654736425230817703675159067350235072835405670403867435136222247715891504953098444893330963408780769325993978054193414473774418426312986080998886874132604721
diff --git a/security/nss/lib/freebl/mpi/timetest b/security/nss/lib/freebl/mpi/timetest
deleted file mode 100755
index e665a7d07..000000000
--- a/security/nss/lib/freebl/mpi/timetest
+++ /dev/null
@@ -1,135 +0,0 @@
-#!/bin/sh
-
-# Simple timing test for the MPI library.  Basically, we use prime
-# generation as a timing test, since it exercises most of the pathways
-# of the library fairly heavily.  The 'primegen' tool outputs a line
-# summarizing timing results.  We gather these and process them for
-# statistical information, which is collected into a file.
-
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
-#
-# The Initial Developer of the Original Code is
-# Michael J. Fromberger <sting@linguist.dartmouth.edu>.
-# Portions created by the Initial Developer are Copyright (C) 2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#   Netscape Communications Corporation
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-# 
-# $Id$
-#
-
-# Avoid using built-in shell echoes
-ECHO=/bin/echo
-MAKE=gmake
-
-# Use a fixed seed so timings will be more consistent
-# This one is the 11th-18th decimal digits of 'e'
-#export SEED=45904523
-SEED=45904523; export SEED
-
-#------------------------------------------------------------------------
-
-$ECHO "\n** Running timing tests for MPI library\n"
-
-$ECHO "Bringing 'metime' up to date ... "
-if $MAKE metime ; then
-    :
-else 
-    $ECHO "\nMake failed to build metime.\n"
-    exit 1
-fi
-
-if [ ! -x ./metime ] ; then 
-    $ECHO "\nCannot find 'metime' program, testing cannot continue.\n"
-    exit 1
-fi
-
-#------------------------------------------------------------------------
-
-$ECHO "Bringing 'primegen' up to date ... "
-if $MAKE primegen ; then
-    :
-else
-    $ECHO "\nMake failed to build primegen.\n"
-    exit 1
-fi
-
-if [ ! -x ./primegen ] ; then
-    $ECHO "\nCannot find 'primegen' program, testing cannot continue.\n"
-    exit 1
-fi
-
-#------------------------------------------------------------------------
-
-rm -f timing-results.txt
-touch timing-results.txt
-
-sizes="256 512 1024 2048"
-ntests=10
-
-trap 'echo "oop!";rm -f tt*.tmp timing-results.txt;exit 0' INT HUP
-
-$ECHO "\n-- Modular exponentiation\n"
-$ECHO "Modular exponentiation:" >> timing-results.txt
-
-$ECHO "Running $ntests modular exponentiations per test:"
-for size in $sizes ; do
-    $ECHO "- Gathering statistics for $size bits ... "
-    secs=`./metime $ntests $size | tail -1 | awk '{print $2}'`
-    $ECHO "$size: " $secs " seconds per op" >> timing-results.txt
-    tail -1 timing-results.txt
-done
-
-$ECHO "<done>";
-
-sizes="256 512 1024"
-ntests=1
-
-$ECHO "\n-- Prime generation\n"
-$ECHO "Prime generation:" >> timing-results.txt
-
-$ECHO "Generating $ntests prime values per test:"
-for size in $sizes ; do
-    $ECHO "- Gathering statistics for $size bits ... "
-    ./primegen $size $ntests | grep ticks | awk '{print $7}' | tr -d '(' > tt$$.tmp
-    $ECHO "$size:" >> timing-results.txt
-    perl stats tt$$.tmp >> timing-results.txt
-    tail -1 timing-results.txt
-    rm -f tt$$.tmp
-done
-
-$ECHO "<done>"
-
-trap 'rm -f tt*.tmp timing-results.txt' INT HUP
-
-exit 0
-
diff --git a/security/nss/lib/freebl/mpi/types.pl b/security/nss/lib/freebl/mpi/types.pl
deleted file mode 100755
index 6933d0dfe..000000000
--- a/security/nss/lib/freebl/mpi/types.pl
+++ /dev/null
@@ -1,162 +0,0 @@
-#!/usr/bin/perl
-
-#
-# types.pl - find recommended type definitions for digits and words
-#
-# This script scans the Makefile for the C compiler and compilation
-# flags currently in use, and using this combination, attempts to
-# compile a simple test program that outputs the sizes of the various
-# unsigned integer types, in bytes.  Armed with these, it finds all
-# the "viable" type combinations for mp_digit and mp_word, where
-# viability is defined by the requirement that mp_word be at least two
-# times the precision of mp_digit.
-#
-# Of these, the one with the largest digit size is chosen, and
-# appropriate typedef statements are written to standard output.
-
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
-#
-# The Initial Developer of the Original Code is
-# Michael J. Fromberger <sting@linguist.dartmouth.edu>.
-# Portions created by the Initial Developer are Copyright (C) 2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-# $Id$
-#
-
-@_=split(/\//,$0);chomp($prog=pop(@_));
-
-# The array of integer types to be considered...
-@TYPES = ( 
-	   "unsigned char", 
-	   "unsigned short", 
-	   "unsigned int", 
-	   "unsigned long"
-);
-
-# Macro names for the maximum unsigned value of each type
-%TMAX = ( 
-	  "unsigned char"   => "UCHAR_MAX",
-	  "unsigned short"  => "USHRT_MAX",
-	  "unsigned int"    => "UINT_MAX",
-	  "unsigned long"   => "ULONG_MAX"
-);
-
-# Read the Makefile to find out which C compiler to use
-open(MFP, "<Makefile") or die "$prog: Makefile: $!\n";
-while(<MFP>) {
-    chomp;
-    if(/^CC=(.*)$/) {
-	$cc = $1;
-	last if $cflags;
-    } elsif(/^CFLAGS=(.*)$/) {
-	$cflags = $1;
-	last if $cc;
-    }
-}
-close(MFP);
-
-# If we couldn't find that, use 'cc' by default
-$cc = "cc" unless $cc;
-
-printf STDERR "Using '%s' as the C compiler.\n", $cc;
-
-print STDERR "Determining type sizes ... \n";
-open(OFP, ">tc$$.c") or die "$prog: tc$$.c: $!\n";
-print OFP "#include <stdio.h>\n\nint main(void)\n{\n";
-foreach $type (@TYPES) {
-    printf OFP "\tprintf(\"%%d\\n\", (int)sizeof(%s));\n", $type;
-}
-print OFP "\n\treturn 0;\n}\n";
-close(OFP);
-
-system("$cc $cflags -o tc$$ tc$$.c");
-
-die "$prog: unable to build test program\n" unless(-x "tc$$");
-
-open(IFP, "./tc$$|") or die "$prog: can't execute test program\n";
-$ix = 0;
-while(<IFP>) {
-    chomp;
-    $size{$TYPES[$ix++]} = $_;
-}
-close(IFP);
-
-unlink("tc$$");
-unlink("tc$$.c");
-
-print STDERR "Selecting viable combinations ... \n";
-while(($type, $size) = each(%size)) {
-    push(@ts, [ $size, $type ]);
-}
-
-# Sort them ascending by size 
-@ts = sort { $a->[0] <=> $b->[0] } @ts;
-
-# Try all possible combinations, finding pairs in which the word size
-# is twice the digit size.  The number of possible pairs is too small
-# to bother doing this more efficiently than by brute force
-for($ix = 0; $ix <= $#ts; $ix++) {
-    $w = $ts[$ix];
-
-    for($jx = 0; $jx <= $#ts; $jx++) {
-	$d = $ts[$jx];
-
-	if($w->[0] == 2 * $d->[0]) {
-	    push(@valid, [ $d, $w ]);
-	}
-    }
-}
-
-# Sort descending by digit size
-@valid = sort { $b->[0]->[0] <=> $a->[0]->[0] } @valid;
-
-# Select the maximum as the recommended combination
-$rec = shift(@valid);
-
-printf("typedef %-18s mp_sign;\n", "char");
-printf("typedef %-18s mp_digit;  /* %d byte type */\n", 
-       $rec->[0]->[1], $rec->[0]->[0]);
-printf("typedef %-18s mp_word;   /* %d byte type */\n", 
-       $rec->[1]->[1], $rec->[1]->[0]);
-printf("typedef %-18s mp_size;\n", "unsigned int");
-printf("typedef %-18s mp_err;\n\n", "int");
-
-printf("#define %-18s (CHAR_BIT*sizeof(mp_digit))\n", "DIGIT_BIT");
-printf("#define %-18s %s\n", "DIGIT_MAX", $TMAX{$rec->[0]->[1]});
-printf("#define %-18s (CHAR_BIT*sizeof(mp_word))\n", "MP_WORD_BIT");
-printf("#define %-18s %s\n\n", "MP_WORD_MAX", $TMAX{$rec->[1]->[1]});
-printf("#define %-18s (DIGIT_MAX+1)\n\n", "RADIX");
-
-printf("#define %-18s \"%%0%dX\"\n", "DIGIT_FMT", (2 * $rec->[0]->[0]));
-
-exit 0;
diff --git a/security/nss/lib/freebl/mpi/utils/LICENSE b/security/nss/lib/freebl/mpi/utils/LICENSE
deleted file mode 100644
index 5f96df7ab..000000000
--- a/security/nss/lib/freebl/mpi/utils/LICENSE
+++ /dev/null
@@ -1,4 +0,0 @@
-Within this directory, each of the file listed below is licensed under 
-the terms given in the file LICENSE-MPL, also in this directory.
-
-PRIMES
diff --git a/security/nss/lib/freebl/mpi/utils/LICENSE-MPL b/security/nss/lib/freebl/mpi/utils/LICENSE-MPL
deleted file mode 100644
index 9ff410e4b..000000000
--- a/security/nss/lib/freebl/mpi/utils/LICENSE-MPL
+++ /dev/null
@@ -1,32 +0,0 @@
-The contents of this file are subject to the Mozilla Public
-License Version 1.1 (the "License"); you may not use this file
-except in compliance with the License. You may obtain a copy of
-the License at http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS
-IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-implied. See the License for the specific language governing
-rights and limitations under the License.
-
-The Original Code is the Netscape security libraries.
-
-The Initial Developer of the Original Code is Netscape
-Communications Corporation.  Portions created by Netscape are 
-Copyright (C) 1994-2000 Netscape Communications Corporation.  All
-Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the
-terms of the GNU General Public License Version 2 or later (the
-"GPL"), in which case the provisions of the GPL are applicable 
-instead of those above.  If you wish to allow use of your 
-version of this file only under the terms of the GPL and not to
-allow others to use your version of this file under the MPL,
-indicate your decision by deleting the provisions above and
-replace them with the notice and other provisions required by
-the GPL.  If you do not delete the provisions above, a recipient
-may use your version of this file under either the MPL or the
-GPL.
-
-
diff --git a/security/nss/lib/freebl/mpi/utils/PRIMES b/security/nss/lib/freebl/mpi/utils/PRIMES
deleted file mode 100644
index ed65703ff..000000000
--- a/security/nss/lib/freebl/mpi/utils/PRIMES
+++ /dev/null
@@ -1,41 +0,0 @@
-Probable primes (sorted by number of significant bits)
-
- 128: 81386202757205669562183851789305348631
-
- 128: 180241813863264101444573802809858694397
-
- 128: 245274683055224433281596312431122059021
-
- 128: 187522309397665259809392608791686659539
-
- 256: 83252422946206411852330647237287722547866360773229941071371588246436\
-      513990159
-
- 256: 79132571131322331023736933767063051273085304521895229780914612117520\
-      058517909
-
- 256: 72081815425552909748220041100909735706208853818662000557743644603407\
-      965465527
-
- 256: 87504602391905701494845474079163412737334477797316409702279059573654\
-      274811271
-
- 512: 12233064210800062190450937494718705259777386009095453001870729392786\
-      63450255179083524798507997690270500580265258111668148238355016411719\
-      9168737693316468563
-
- 512: 12003639081420725322369909586347545220275253633035565716386136197501\
-      88208318984400479275215620499883521216480724155582768193682335576385\
-      2069481074929084063
-
-1024: 16467877625718912296741904171202513097057724053648819680815842057593\
-      20371835940722471475475803725455063836431454757000451907612224427007\
-      63984592414360595161051906727075047683803534852982766542661204179549\
-      77327573530800542562611753617736693359790119074768292178493884576587\
-      0230450429880021317876149636714743053
-
-1024: 16602953991090311275234291158294516471009930684624948451178742895360\
-      86073703307475884280944414508444679430090561246728195735962931545473\
-      40743240318558456247740186704660778277799687988031119436541068736925\
-      20563780233711166724859277827382391527748470939542560819625727876091\
-      5372193745283891895989104479029844957
diff --git a/security/nss/lib/freebl/mpi/utils/README b/security/nss/lib/freebl/mpi/utils/README
deleted file mode 100644
index 90da5fee5..000000000
--- a/security/nss/lib/freebl/mpi/utils/README
+++ /dev/null
@@ -1,241 +0,0 @@
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this file are subject to the Mozilla Public License Version
-1.1 (the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the MPI Arbitrary Precision Integer Arithmetic
-library.
-
-The Initial Developer of the Original Code is
-Michael J. Fromberger <sting@linguist.dartmouth.edu>
-Portions created by the Initial Developer are Copyright (C) 1998, 2000
-the Initial Developer. All Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
-
-Additional MPI utilities
-------------------------
-
-The files 'mpprime.h' and 'mpprime.c' define some useful extensions to
-the MPI library for dealing with prime numbers (in particular, testing
-for divisbility, and the Rabin-Miller probabilistic primality test).
-
-The files 'mplogic.h' and 'mplogic.c' define extensions to the MPI
-library for doing bitwise logical operations and shifting.
-
-This document assumes you have read the help file for the MPI library
-and understand its conventions.
-
-Divisibility (mpprime.h)
-------------
-
-To test a number for divisibility by another number:
-
-mpp_divis(a, b)		- test if b|a
-mpp_divis_d(a, d)	- test if d|a
-
-Each of these functions returns MP_YES if its initial argument is
-divisible by its second, or MP_NO if it is not.  Other errors may be
-returned as appropriate (such as MP_RANGE if you try to test for
-divisibility by zero).
-
-Randomness (mpprime.h)
-----------
-
-To generate random data:
-
-mpp_random(a)		- fill a with random data
-mpp_random_size(a, p)   - fill a with p digits of random data
-
-The mpp_random_size() function increases the precision of a to at
-least p, then fills all those digits randomly.  The mp_random()
-function fills a to its current precision (as determined by the number
-of significant digits, USED(a))
-
-Note that these functions simply use the C library's rand() function
-to fill a with random digits up to its precision.  This should be
-adequate for primality testing, but should not be used for
-cryptographic applications where truly random values are required for
-security.  
-
-You should call srand() in your driver program in order to seed the
-random generator; this function doesn't call it.
-
-Primality Testing (mpprime.h)
------------------
-
-mpp_divis_vector(a, v, s, w)   - is a divisible by any of the s values
-                                 in v, and if so, w = which.
-mpp_divis_primes(a, np)   - is a divisible by any of the first np primes?
-mpp_fermat(a, w)          - is a pseudoprime with respect to witness w?
-mpp_pprime(a, nt)	  - run nt iterations of Rabin-Miller on a.
-
-The mpp_divis_vector() function tests a for divisibility by each
-member of an array of digits.  The array is v, the size of that array
-is s.  Returns MP_YES if a is divisible, and stores the index of the
-offending digit in w.  Returns MP_NO if a is not divisible by any of
-the digits in the array.
-
-A small table of primes is compiled into the library (typically the
-first 128 primes, although you can change this by editing the file
-'primes.c' before you build).  The global variable prime_tab_size
-contains the number of primes in the table, and the values themselves
-are in the array prime_tab[], which is an array of mp_digit.
-
-The mpp_divis_primes() function is basically just a wrapper around
-mpp_divis_vector() that uses prime_tab[] as the test vector.  The np
-parameter is a pointer to an mp_digit -- on input, it should specify
-the number of primes to be tested against.  If a is divisible by any
-of the primes, MP_YES is returned and np is given the prime value that
-divided a (you can use this if you're factoring, for example).
-Otherwise, MP_NO is returned and np is untouched.
-
-The function mpp_fermat() performs Fermat's test, using w as a
-witness.  This test basically relies on the fact that if a is prime,
-and w is relatively prime to a, then:
-
-	w^a = w (mod a)
-
-That is,
-
-	w^(a - 1) = 1 (mod a)
-
-The function returns MP_YES if the test passes, MP_NO if it fails.  If
-w is relatively prime to a, and the test fails, a is definitely
-composite.  If w is relatively prime to a and the test passes, then a
-is either prime, or w is a false witness (the probability of this
-happening depends on the choice of w and of a ... consult a number
-theory textbook for more information about this).  
-
-Note:  If (w, a) != 1, the output of this test is meaningless.
-----
-
-The function mpp_pprime() performs the Rabin-Miller probabilistic
-primality test for nt rounds.  If all the tests pass, MP_YES is
-returned, and a is probably prime.  The probability that an answer of
-MP_YES is incorrect is no greater than 1 in 4^nt, and in fact is
-usually much less than that (this is a pessimistic estimate).  If any
-test fails, MP_NO is returned, and a is definitely composite.
-
-Bruce Schneier recommends at least 5 iterations of this test for most
-cryptographic applications; Knuth suggests that 25 are reasonable.
-Run it as many times as you feel are necessary.
-
-See the programs 'makeprime.c' and 'isprime.c' for reasonable examples
-of how to use these functions for primality testing.
-
-
-Bitwise Logic (mplogic.c)
--------------
-
-The four commonest logical operations are implemented as:
-
-mpl_not(a, b)		- Compute bitwise (one's) complement, b = ~a
-
-mpl_and(a, b, c)	- Compute bitwise AND, c = a & b
-
-mpl_or(a, b, c)		- Compute bitwise OR, c = a | b
-
-mpl_xor(a, b, c)	- Compute bitwise XOR, c = a ^ b
-
-Left and right shifts are available as well.  These take a number to
-shift, a destination, and a shift amount.  The shift amount must be a
-digit value between 0 and DIGIT_BIT inclusive; if it is not, MP_RANGE
-will be returned and the shift will not happen.
-
-mpl_rsh(a, b, d)	- Compute logical right shift, b = a >> d
-
-mpl_lsh(a, b, d)	- Compute logical left shift, b = a << d
-
-Since these are logical shifts, they fill with zeroes (the library
-uses a signed magnitude representation, so there are no sign bits to
-extend anyway).
-
-
-Command-line Utilities
-----------------------
-
-A handful of interesting command-line utilities are provided.  These
-are:
-
-lap.c		- Find the order of a mod m.  Usage is 'lap <a> <m>'.
-                  This uses a dumb algorithm, so don't use it for 
-                  a really big modulus.
-
-invmod.c	- Find the inverse of a mod m, if it exists.  Usage
-		  is 'invmod <a> <m>'
-
-sieve.c		- A simple bitmap-based implementation of the Sieve
-		  of Eratosthenes.  Used to generate the table of 
-		  primes in primes.c.  Usage is 'sieve <nbits>'
-
-prng.c          - Uses the routines in bbs_rand.{h,c} to generate
-                  one or more 32-bit pseudo-random integers.  This
-                  is mainly an example, not intended for use in a
-                  cryptographic application (the system time is 
-                  the only source of entropy used)
-
-dec2hex.c       - Convert decimal to hexadecimal
-
-hex2dec.c       - Convert hexadecimal to decimal
-
-basecvt.c       - General radix conversion tool (supports 2-64)
-
-isprime.c       - Probabilistically test an integer for primality
-                  using the Rabin-Miller pseudoprime test combined
-                  with division by small primes.
-
-primegen.c      - Generate primes at random.
-
-exptmod.c       - Perform modular exponentiation
-
-ptab.pl		- A Perl script to munge the output of the sieve
-		  program into a compilable C structure.
-
-
-Other Files
------------
-
-PRIMES		- Some randomly generated numbers which are prime with
-		  extremely high probability.
-
-README		- You're reading me already.
-
-
-About the Author
-----------------
-
-This software was written by Michael J. Fromberger.  You can contact
-the author as follows:
-
-E-mail:	  <sting@linguist.dartmouth.edu>
-
-Postal:	  8000 Cummings Hall, Thayer School of Engineering
-	  Dartmouth College, Hanover, New Hampshire, USA
-
-PGP key:  http://linguist.dartmouth.edu/~sting/keys/mjf.html
-          9736 188B 5AFA 23D6 D6AA  BE0D 5856 4525 289D 9907
-
-Last updated:  $Id$
diff --git a/security/nss/lib/freebl/mpi/utils/basecvt.c b/security/nss/lib/freebl/mpi/utils/basecvt.c
deleted file mode 100644
index cf6d61196..000000000
--- a/security/nss/lib/freebl/mpi/utils/basecvt.c
+++ /dev/null
@@ -1,100 +0,0 @@
-/*
- *  basecvt.c
- *
- *  Convert integer values specified on the command line from one input
- *  base to another.  Accepts input and output bases between 2 and 36
- *  inclusive.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "mpi.h"
-
-#define IBASE     10
-#define OBASE     16
-#define USAGE     "Usage: %s ibase obase [value]\n"
-#define MAXBASE   64
-#define MINBASE   2
-
-int main(int argc, char *argv[])
-{
-  int    ix, ibase = IBASE, obase = OBASE;
-  mp_int val;
-
-  ix = 1;
-  if(ix < argc) {
-    ibase = atoi(argv[ix++]);
-    
-    if(ibase < MINBASE || ibase > MAXBASE) {
-      fprintf(stderr, "%s: input radix must be between %d and %d inclusive\n",
-	      argv[0], MINBASE, MAXBASE);
-      return 1;
-    }
-  }
-  if(ix < argc) {
-    obase = atoi(argv[ix++]);
-
-    if(obase < MINBASE || obase > MAXBASE) {
-      fprintf(stderr, "%s: output radix must be between %d and %d inclusive\n",
-	      argv[0], MINBASE, MAXBASE);
-      return 1;
-    }
-  }
-
-  mp_init(&val);
-  while(ix < argc) {
-    char  *out;
-    int    outlen;
-
-    mp_read_radix(&val, argv[ix++], ibase);
-
-    outlen = mp_radix_size(&val, obase);
-    out = calloc(outlen, sizeof(char));
-    mp_toradix(&val, out, obase);
-
-    printf("%s\n", out);
-    free(out);
-  }
-
-  mp_clear(&val);
-
-  return 0;
-}
diff --git a/security/nss/lib/freebl/mpi/utils/bbs_rand.c b/security/nss/lib/freebl/mpi/utils/bbs_rand.c
deleted file mode 100644
index 8ec867d14..000000000
--- a/security/nss/lib/freebl/mpi/utils/bbs_rand.c
+++ /dev/null
@@ -1,96 +0,0 @@
-/*
- *  Blum, Blum & Shub PRNG using the MPI library
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "bbs_rand.h"
-
-#define SEED     1
-#define MODULUS  2
-
-/* This modulus is the product of two randomly generated 512-bit
-   prime integers, each of which is congruent to 3 (mod 4).          */
-static char *bbs_modulus = 
-"75A2A6E1D27393B86562B9CE7279A8403CB4258A637DAB5233465373E37837383EDC"
-"332282B8575927BC4172CE8C147B4894050EE9D2BDEED355C121037270CA2570D127"
-"7D2390CD1002263326635CC6B259148DE3A1A03201980A925E395E646A5E9164B0EC"
-"28559EBA58C87447245ADD0651EDA507056A1129E3A3E16E903D64B437";
-
-static int    bbs_init = 0;  /* flag set when library is initialized */
-static mp_int bbs_state;     /* the current state of the generator   */
-
-/* Suggested size of random seed data */
-int           bbs_seed_size = (sizeof(bbs_modulus) / 2);
-
-void         bbs_srand(unsigned char *data, int len)
-{
-  if((bbs_init & SEED) == 0) {
-    mp_init(&bbs_state);
-    bbs_init |= SEED;
-  }
-
-  mp_read_raw(&bbs_state, (char *)data, len);
-
-} /* end bbs_srand() */
-
-unsigned int bbs_rand(void)
-{
-  static mp_int   modulus;
-  unsigned int    result = 0, ix;
-
-  if((bbs_init & MODULUS) == 0) {
-    mp_init(&modulus);
-    mp_read_radix(&modulus, bbs_modulus, 16);
-    bbs_init |= MODULUS;
-  }
-
-  for(ix = 0; ix < sizeof(unsigned int); ix++) {
-    mp_digit   d;
-
-    mp_sqrmod(&bbs_state, &modulus, &bbs_state);
-    d = DIGIT(&bbs_state, 0);
-
-    result = (result << CHAR_BIT) | (d & UCHAR_MAX);
-  }
-
-  return result;
-
-} /* end bbs_rand() */
-
-/*------------------------------------------------------------------------*/
-/* HERE THERE BE DRAGONS                                                  */
diff --git a/security/nss/lib/freebl/mpi/utils/bbs_rand.h b/security/nss/lib/freebl/mpi/utils/bbs_rand.h
deleted file mode 100644
index 3bfe2d7fe..000000000
--- a/security/nss/lib/freebl/mpi/utils/bbs_rand.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- *  bbs_rand.h
- *
- *  Blum, Blum & Shub PRNG using the MPI library
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#ifndef _H_BBSRAND_
-#define _H_BBSRAND_
-
-#include <limits.h>
-#include "mpi.h"
-
-#define  BBS_RAND_MAX    UINT_MAX
-
-/* Suggested length of seed data */
-extern int bbs_seed_size;
-
-void         bbs_srand(unsigned char *data, int len);
-unsigned int bbs_rand(void);
-
-#endif /* end _H_BBSRAND_ */
diff --git a/security/nss/lib/freebl/mpi/utils/bbsrand.c b/security/nss/lib/freebl/mpi/utils/bbsrand.c
deleted file mode 100644
index 317058d69..000000000
--- a/security/nss/lib/freebl/mpi/utils/bbsrand.c
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- *  bbsrand.c
- *
- *  Test driver for routines in bbs_rand.h
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include <limits.h>
-
-#include "bbs_rand.h"
-
-#define NUM_TESTS   100
-
-int main(void)
-{
-  unsigned int   seed, result, ix;
-
-  seed = time(NULL);
-  bbs_srand((unsigned char *)&seed, sizeof(seed));
-
-  for(ix = 0; ix < NUM_TESTS; ix++) {
-    result = bbs_rand();
-    
-    printf("Test %3u: %08X\n", ix + 1, result);
-  }
-
-  return 0;
-}
diff --git a/security/nss/lib/freebl/mpi/utils/dec2hex.c b/security/nss/lib/freebl/mpi/utils/dec2hex.c
deleted file mode 100644
index a1658b54b..000000000
--- a/security/nss/lib/freebl/mpi/utils/dec2hex.c
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- *  dec2hex.c
- *
- *  Convert decimal integers into hexadecimal
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "mpi.h"
-
-int main(int argc, char *argv[])
-{
-  mp_int  a;
-  char   *buf;
-  int     len;
-
-  if(argc < 2) {
-    fprintf(stderr, "Usage: %s <a>\n", argv[0]);
-    return 1;
-  }
-
-  mp_init(&a); mp_read_radix(&a, argv[1], 10);
-  len = mp_radix_size(&a, 16);
-  buf = malloc(len);
-  mp_toradix(&a, buf, 16);
-
-  printf("%s\n", buf);
-
-  free(buf);
-  mp_clear(&a);
-
-  return 0;
-}
diff --git a/security/nss/lib/freebl/mpi/utils/exptmod.c b/security/nss/lib/freebl/mpi/utils/exptmod.c
deleted file mode 100644
index e1a87fa50..000000000
--- a/security/nss/lib/freebl/mpi/utils/exptmod.c
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- *  exptmod.c
- *
- * Command line tool to perform modular exponentiation on arbitrary
- * precision integers.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "mpi.h"
-
-int main(int argc, char *argv[])
-{
-  mp_int  a, b, m;
-  mp_err  res;
-  char   *str;
-  int     len, rval = 0;
-
-  if(argc < 3) {
-    fprintf(stderr, "Usage: %s <a> <b> <m>\n", argv[0]);
-    return 1;
-  }
-
-  mp_init(&a); mp_init(&b); mp_init(&m);
-  mp_read_radix(&a, argv[1], 10);
-  mp_read_radix(&b, argv[2], 10);
-  mp_read_radix(&m, argv[3], 10);
-
-  if((res = mp_exptmod(&a, &b, &m, &a)) != MP_OKAY) {
-    fprintf(stderr, "%s: error: %s\n", argv[0], mp_strerror(res));
-    rval = 1;
-  } else {
-    len = mp_radix_size(&a, 10);
-    str = calloc(len, sizeof(char));
-    mp_toradix(&a, str, 10);
-
-    printf("%s\n", str);
-
-    free(str);
-  }
-
-  mp_clear(&a); mp_clear(&b); mp_clear(&m);
-
-  return rval;
-}
diff --git a/security/nss/lib/freebl/mpi/utils/fact.c b/security/nss/lib/freebl/mpi/utils/fact.c
deleted file mode 100644
index d549cfa74..000000000
--- a/security/nss/lib/freebl/mpi/utils/fact.c
+++ /dev/null
@@ -1,115 +0,0 @@
-/*
- * fact.c
- *
- * Compute factorial of input integer
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "mpi.h"
-
-mp_err mp_fact(mp_int *a, mp_int *b);
-
-int main(int argc, char *argv[])
-{
-  mp_int  a;
-  mp_err  res;
-
-  if(argc < 2) {
-    fprintf(stderr, "Usage: %s <number>\n", argv[0]);
-    return 1;
-  }
-
-  mp_init(&a);
-  mp_read_radix(&a, argv[1], 10);
-
-  if((res = mp_fact(&a, &a)) != MP_OKAY) {
-    fprintf(stderr, "%s: error: %s\n", argv[0],
-	    mp_strerror(res));
-    mp_clear(&a);
-    return 1;
-  }
-
-  {
-    char  *buf;
-    int    len;
-
-    len = mp_radix_size(&a, 10);
-    buf = malloc(len);
-    mp_todecimal(&a, buf);
-
-    puts(buf);
-
-    free(buf);
-  }
-
-  mp_clear(&a);
-  return 0;
-}
-
-mp_err mp_fact(mp_int *a, mp_int *b)
-{
-  mp_int    ix, s;
-  mp_err    res = MP_OKAY;
-
-  if(mp_cmp_z(a) < 0)
-    return MP_UNDEF;
-
-  mp_init(&s);
-  mp_add_d(&s, 1, &s);   /* s = 1  */
-  mp_init(&ix);
-  mp_add_d(&ix, 1, &ix); /* ix = 1 */
-
-  for(/*  */; mp_cmp(&ix, a) <= 0; mp_add_d(&ix, 1, &ix)) {
-    if((res = mp_mul(&s, &ix, &s)) != MP_OKAY)
-      break;
-  }
-
-  mp_clear(&ix);
-
-  /* Copy out results if we got them */
-  if(res == MP_OKAY)
-    mp_copy(&s, b);
-
-  mp_clear(&s);
-
-  return res;
-}
diff --git a/security/nss/lib/freebl/mpi/utils/gcd.c b/security/nss/lib/freebl/mpi/utils/gcd.c
deleted file mode 100644
index 11980b86e..000000000
--- a/security/nss/lib/freebl/mpi/utils/gcd.c
+++ /dev/null
@@ -1,119 +0,0 @@
-/*
- *  gcd.c
- *
- *  Greatest common divisor
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "mpi.h"
-
-char     *g_prog = NULL;
-
-void print_mp_int(mp_int *mp, FILE *ofp);
-
-int main(int argc, char *argv[]) 
-{
-  mp_int   a, b, x, y;
-  mp_err   res;
-  int      ext = 0;
-
-  g_prog = argv[0];
-
-  if(argc < 3) {
-    fprintf(stderr, "Usage: %s <a> <b>\n", g_prog);
-    return 1;
-  }
-
-  mp_init(&a); mp_read_radix(&a, argv[1], 10);
-  mp_init(&b); mp_read_radix(&b, argv[2], 10);
-
-  /* If we were called 'xgcd', compute x, y so that g = ax + by */
-  if(strcmp(g_prog, "xgcd") == 0) {
-    ext = 1;
-    mp_init(&x); mp_init(&y);
-  }
-
-  if(ext) {
-    if((res = mp_xgcd(&a, &b, &a, &x, &y)) != MP_OKAY) {
-      fprintf(stderr, "%s: error: %s\n", g_prog, mp_strerror(res));
-      mp_clear(&a); mp_clear(&b);
-      mp_clear(&x); mp_clear(&y);
-      return 1;
-    }
-  } else {
-    if((res = mp_gcd(&a, &b, &a)) != MP_OKAY) {
-      fprintf(stderr, "%s: error: %s\n", g_prog,
-	      mp_strerror(res));
-      mp_clear(&a); mp_clear(&b);
-      return 1;
-    }
-  }
-
-  print_mp_int(&a, stdout); 
-  if(ext) {
-    fputs("x = ", stdout); print_mp_int(&x, stdout); 
-    fputs("y = ", stdout); print_mp_int(&y, stdout); 
-  }
-
-  mp_clear(&a); mp_clear(&b);
-
-  if(ext) {
-    mp_clear(&x);
-    mp_clear(&y);
-  }
-
-  return 0;
-
-}
-
-void print_mp_int(mp_int *mp, FILE *ofp)
-{
-  char  *buf;
-  int    len;
-
-  len = mp_radix_size(mp, 10);
-  buf = calloc(len, sizeof(char));
-  mp_todecimal(mp, buf);
-  fprintf(ofp, "%s\n", buf);
-  free(buf);
-
-}
diff --git a/security/nss/lib/freebl/mpi/utils/hex2dec.c b/security/nss/lib/freebl/mpi/utils/hex2dec.c
deleted file mode 100644
index 6d7d54d7f..000000000
--- a/security/nss/lib/freebl/mpi/utils/hex2dec.c
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- *  hex2dec.c
- *
- *  Convert decimal integers into hexadecimal
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "mpi.h"
-
-int main(int argc, char *argv[])
-{
-  mp_int  a;
-  char   *buf;
-  int     len;
-
-  if(argc < 2) {
-    fprintf(stderr, "Usage: %s <a>\n", argv[0]);
-    return 1;
-  }
-
-  mp_init(&a); mp_read_radix(&a, argv[1], 16);
-  len = mp_radix_size(&a, 10);
-  buf = malloc(len);
-  mp_toradix(&a, buf, 10);
-
-  printf("%s\n", buf);
-
-  free(buf);
-  mp_clear(&a);
-
-  return 0;
-}
diff --git a/security/nss/lib/freebl/mpi/utils/identest.c b/security/nss/lib/freebl/mpi/utils/identest.c
deleted file mode 100644
index a75d2b352..000000000
--- a/security/nss/lib/freebl/mpi/utils/identest.c
+++ /dev/null
@@ -1,79 +0,0 @@
-#include <stdio.h>
-#include <stdlib.h>
-#include "mpi.h"
-#include "mpprime.h"
-#include <sys/types.h>
-#include <time.h>
-
-#define MAX_PREC (4096 / MP_DIGIT_BIT)
-
-mp_err identity_test(void)
-{
-  mp_size       preca, precb;
-  mp_err        res;
-  mp_int        a, b;
-  mp_int        t1, t2, t3, t4, t5;
-
-  preca = (rand() % MAX_PREC) + 1;
-  precb = (rand() % MAX_PREC) + 1;
-
-  MP_DIGITS(&a) = 0;
-  MP_DIGITS(&b) = 0;
-  MP_DIGITS(&t1) = 0;
-  MP_DIGITS(&t2) = 0;
-  MP_DIGITS(&t3) = 0;
-  MP_DIGITS(&t4) = 0;
-  MP_DIGITS(&t5) = 0;
-
-  MP_CHECKOK( mp_init(&a)  );
-  MP_CHECKOK( mp_init(&b)  );
-  MP_CHECKOK( mp_init(&t1) );
-  MP_CHECKOK( mp_init(&t2) );
-  MP_CHECKOK( mp_init(&t3) );
-  MP_CHECKOK( mp_init(&t4) );
-  MP_CHECKOK( mp_init(&t5) );
-
-  MP_CHECKOK( mpp_random_size(&a, preca) );
-  MP_CHECKOK( mpp_random_size(&b, precb) );
-
-  if (mp_cmp(&a, &b) < 0)
-    mp_exch(&a, &b);
-
-  MP_CHECKOK( mp_mod(&a, &b, &t1) );       /* t1 = a%b */
-  MP_CHECKOK( mp_div(&a, &b, &t2, NULL) ); /* t2 = a/b */
-  MP_CHECKOK( mp_mul(&b, &t2, &t3) );      /* t3 = (a/b)*b */
-  MP_CHECKOK( mp_add(&t1, &t3, &t4) );     /* t4 = a%b + (a/b)*b */
-  MP_CHECKOK( mp_sub(&t4, &a, &t5) );      /* t5 = a%b + (a/b)*b - a */
-  if (mp_cmp_z(&t5) != 0) {
-    res = MP_UNDEF;
-    goto CLEANUP;
-  }
-
-CLEANUP:
-  mp_clear(&t5);
-  mp_clear(&t4);
-  mp_clear(&t3);
-  mp_clear(&t2);
-  mp_clear(&t1);
-  mp_clear(&b);
-  mp_clear(&a);
-  return res;
-}
-
-int
-main(void)
-{
-  unsigned int  seed = (unsigned int)time(NULL);
-  unsigned long count = 0;
-  mp_err        res;
-
-  srand(seed);
-
-  while (MP_OKAY == (res = identity_test())) {
-     if ((++count % 100) == 0)
-       fputc('.', stderr);
-  }
-
-  fprintf(stderr, "\ntest failed, err %d\n", res);
-  return res;
-}
diff --git a/security/nss/lib/freebl/mpi/utils/invmod.c b/security/nss/lib/freebl/mpi/utils/invmod.c
deleted file mode 100644
index c1d488c5a..000000000
--- a/security/nss/lib/freebl/mpi/utils/invmod.c
+++ /dev/null
@@ -1,92 +0,0 @@
-/*
- *  invmod.c
- *
- *  Compute modular inverses
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1997
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <stdlib.h>
-
-#include "mpi.h"
-
-int main(int argc, char *argv[])
-{
-  mp_int    a, m;
-  mp_err    res;
-  char     *buf;
-  int       len, out = 0;
-
-  if(argc < 3) {
-    fprintf(stderr, "Usage: %s <a> <m>\n", argv[0]);
-    return 1;
-  }
-
-  mp_init(&a); mp_init(&m);
-  mp_read_radix(&a, argv[1], 10);
-  mp_read_radix(&m, argv[2], 10);
-
-  if(mp_cmp(&a, &m) > 0)
-    mp_mod(&a, &m, &a);
-
-  switch((res = mp_invmod(&a, &m, &a))) {
-  case MP_OKAY:
-    len = mp_radix_size(&a, 10);
-    buf = malloc(len);
-
-    mp_toradix(&a, buf, 10);
-    printf("%s\n", buf);
-    free(buf);
-    break;
-
-  case MP_UNDEF:
-    printf("No inverse\n");
-    out = 1;
-    break;
-
-  default:
-    printf("error: %s (%d)\n", mp_strerror(res), res);
-    out = 2;
-    break;
-  }
-
-  mp_clear(&a);
-  mp_clear(&m);
-
-  return out;
-}
diff --git a/security/nss/lib/freebl/mpi/utils/isprime.c b/security/nss/lib/freebl/mpi/utils/isprime.c
deleted file mode 100644
index b413f826f..000000000
--- a/security/nss/lib/freebl/mpi/utils/isprime.c
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- *  isprime.c
- *
- *  Probabilistic primality tester command-line tool
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "mpi.h"
-#include "mpprime.h"
-
-#define  RM_TESTS       15   /* how many iterations of Rabin-Miller? */
-#define  MINIMUM        1024 /* don't bother us with a < this        */
-
-int      g_tests = RM_TESTS;
-char    *g_prog = NULL;
-
-int main(int argc, char *argv[])
-{
-  mp_int   a;
-  mp_digit np = prime_tab_size; /* from mpprime.h */
-  int      res = 0;
-
-  g_prog = argv[0];
-
-  if(argc < 2) {
-    fprintf(stderr, "Usage: %s <a>, where <a> is a decimal integer\n"
-	    "Use '0x' prefix for a hexadecimal value\n", g_prog);
-    return 1;
-  }
-
-  /* Read number of tests from environment, if present */
-  {
-    char *tmp;
-
-    if((tmp = getenv("RM_TESTS")) != NULL) {
-      if((g_tests = atoi(tmp)) <= 0)
-	g_tests = RM_TESTS;
-    }
-  }
-
-  mp_init(&a);
-  if(argv[1][0] == '0' && argv[1][1] == 'x')
-    mp_read_radix(&a, argv[1] + 2, 16);
-  else
-    mp_read_radix(&a, argv[1], 10);
-
-  if(mp_cmp_d(&a, MINIMUM) <= 0) {
-    fprintf(stderr, "%s: please use a value greater than %d\n", 
-	    g_prog, MINIMUM);
-    mp_clear(&a);
-    return 1;
-  }
-
-  /* Test for divisibility by small primes */
-  if(mpp_divis_primes(&a, &np) != MP_NO) {
-    printf("Not prime (divisible by small prime %d)\n", np);
-    res = 2;
-    goto CLEANUP;
-  }
-
-  /* Test with Fermat's test, using 2 as a witness */
-  if(mpp_fermat(&a, 2) != MP_YES) {
-    printf("Not prime (failed Fermat test)\n");
-    res = 2;
-    goto CLEANUP;
-  }
- 
-  /* Test with Rabin-Miller probabilistic test */
-  if(mpp_pprime(&a, g_tests) == MP_NO) {
-      printf("Not prime (failed pseudoprime test)\n");
-      res = 2;
-      goto CLEANUP;
-  }
-
-  printf("Probably prime, 1 in 4^%d chance of false positive\n", g_tests);
-
-CLEANUP:
-  mp_clear(&a);
-  
-  return res;
-
-}
diff --git a/security/nss/lib/freebl/mpi/utils/lap.c b/security/nss/lib/freebl/mpi/utils/lap.c
deleted file mode 100644
index 5697c941d..000000000
--- a/security/nss/lib/freebl/mpi/utils/lap.c
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- *  lap.c
- *
- *  Find least annihilating power of a mod m
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <signal.h>
-
-#include "mpi.h"
-
-void sig_catch(int ign);
-
-int g_quit = 0;
-
-int main(int argc, char *argv[])
-{
-  mp_int   a, m, p, k;
-
-  if(argc < 3) {
-    fprintf(stderr, "Usage: %s <a> <m>\n", argv[0]);
-    return 1;
-  }
-
-  mp_init(&a);
-  mp_init(&m);
-  mp_init(&p);
-  mp_add_d(&p, 1, &p);
-
-  mp_read_radix(&a, argv[1], 10);
-  mp_read_radix(&m, argv[2], 10);
-
-  mp_init_copy(&k, &a);
-
-  signal(SIGINT, sig_catch);
-#ifndef __OS2__
-  signal(SIGHUP, sig_catch);
-#endif
-  signal(SIGTERM, sig_catch);
-
-  while(mp_cmp(&p, &m) < 0) {
-    if(g_quit) {
-	int  len;
-	char *buf;
-
-	len = mp_radix_size(&p, 10);
-	buf = malloc(len);
-	mp_toradix(&p, buf, 10);
-	
-	fprintf(stderr, "Terminated at: %s\n", buf);
-	free(buf);
-	return 1;
-    }
-    if(mp_cmp_d(&k, 1) == 0) {
-      int    len;
-      char  *buf;
-
-      len = mp_radix_size(&p, 10);
-      buf = malloc(len);
-      mp_toradix(&p, buf, 10);
-
-      printf("%s\n", buf);
-
-      free(buf);
-      break;
-    }
-
-    mp_mulmod(&k, &a, &m, &k);
-    mp_add_d(&p, 1, &p);
-  }
-
-  if(mp_cmp(&p, &m) >= 0) 
-    printf("No annihilating power.\n");
-
-  mp_clear(&p);
-  mp_clear(&m);
-  mp_clear(&a);
-  return 0;
-}
-
-void sig_catch(int ign)
-{
-  g_quit = 1;
-}
diff --git a/security/nss/lib/freebl/mpi/utils/makeprime.c b/security/nss/lib/freebl/mpi/utils/makeprime.c
deleted file mode 100644
index f081c7e56..000000000
--- a/security/nss/lib/freebl/mpi/utils/makeprime.c
+++ /dev/null
@@ -1,147 +0,0 @@
-/*
- * makeprime.c
- *
- * A simple prime generator function (and test driver).  Prints out the
- * first prime it finds greater than or equal to the starting value.
- *
- * Usage: makeprime <start>
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <ctype.h>
-
-/* These two must be included for make_prime() to work */
-
-#include "mpi.h"
-#include "mpprime.h"
-
-/*
-  make_prime(p, nr)
-
-  Find the smallest prime integer greater than or equal to p, where
-  primality is verified by 'nr' iterations of the Rabin-Miller
-  probabilistic primality test.  The caller is responsible for
-  generating the initial value of p.
-
-  Returns MP_OKAY if a prime has been generated, otherwise the error
-  code indicates some other problem.  The value of p is clobbered; the
-  caller should keep a copy if the value is needed.  
- */
-mp_err   make_prime(mp_int *p, int nr);
-
-/* The main() is not required -- it's just a test driver */
-int main(int argc, char *argv[])
-{
-  mp_int    start;
-  mp_err    res;
-
-  if(argc < 2) {
-    fprintf(stderr, "Usage: %s <start-value>\n", argv[0]);
-    return 1;
-  }
-	    
-  mp_init(&start);
-  if(argv[1][0] == '0' && tolower(argv[1][1]) == 'x') {
-    mp_read_radix(&start, argv[1] + 2, 16);
-  } else {
-    mp_read_radix(&start, argv[1], 10);
-  }
-  mp_abs(&start, &start);
-
-  if((res = make_prime(&start, 5)) != MP_OKAY) {
-    fprintf(stderr, "%s: error: %s\n", argv[0], mp_strerror(res));
-    mp_clear(&start);
-
-    return 1;
-
-  } else {
-    char  *buf = malloc(mp_radix_size(&start, 10));
-
-    mp_todecimal(&start, buf);
-    printf("%s\n", buf);
-    free(buf);
-    
-    mp_clear(&start);
-
-    return 0;
-  }
-  
-} /* end main() */
-
-/*------------------------------------------------------------------------*/
-
-mp_err   make_prime(mp_int *p, int nr)
-{
-  mp_err  res;
-
-  if(mp_iseven(p)) {
-    mp_add_d(p, 1, p);
-  }
-
-  do {
-    mp_digit   which = prime_tab_size;
-
-    /*  First test for divisibility by a few small primes */
-    if((res = mpp_divis_primes(p, &which)) == MP_YES)
-      continue;
-    else if(res != MP_NO)
-      goto CLEANUP;
-
-    /* If that passes, try one iteration of Fermat's test */
-    if((res = mpp_fermat(p, 2)) == MP_NO)
-      continue;
-    else if(res != MP_YES)
-      goto CLEANUP;
-
-    /* If that passes, run Rabin-Miller as often as requested */
-    if((res = mpp_pprime(p, nr)) == MP_YES)
-      break;
-    else if(res != MP_NO)
-      goto CLEANUP;
-      
-  } while((res = mp_add_d(p, 2, p)) == MP_OKAY);
-
- CLEANUP:
-  return res;
-
-} /* end make_prime() */
-
-/*------------------------------------------------------------------------*/
-/* HERE THERE BE DRAGONS                                                  */
diff --git a/security/nss/lib/freebl/mpi/utils/metime.c b/security/nss/lib/freebl/mpi/utils/metime.c
deleted file mode 100644
index 29ee59050..000000000
--- a/security/nss/lib/freebl/mpi/utils/metime.c
+++ /dev/null
@@ -1,136 +0,0 @@
-/* 
- *  metime.c
- *
- * Modular exponentiation timing test
- *
- * $Id$
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Netscape Communications Corporation
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <limits.h>
-#include <time.h>
-
-#include "mpi.h"
-#include "mpprime.h"
-
-double clk_to_sec(clock_t start, clock_t stop);
-
-int main(int argc, char *argv[])
-{
-  int          ix, num, prec = 8;
-  unsigned int seed;
-  clock_t      start, stop;
-  double       sec;
-
-  mp_int     a, m, c;
-
-  if(getenv("SEED") != NULL)
-    seed = abs(atoi(getenv("SEED")));
-  else 
-    seed = (unsigned int)time(NULL);
-
-  if(argc < 2) {
-    fprintf(stderr, "Usage: %s <num-tests> [<nbits>]\n", argv[0]);
-    return 1;
-  }
-
-  if((num = atoi(argv[1])) < 0)
-    num = -num;
-
-  if(!num) {
-    fprintf(stderr, "%s: must perform at least 1 test\n", argv[0]);
-    return 1;
-  }
-
-  if(argc > 2) {
-    if((prec = atoi(argv[2])) <= 0)
-      prec = 8;
-    else 
-      prec = (prec + (DIGIT_BIT - 1)) / DIGIT_BIT;
-
-  }
-  
-  printf("Modular exponentiation timing test\n"
-	 "Precision:  %d digits (%d bits)\n"
-	 "# of tests: %d\n\n", prec, prec * DIGIT_BIT, num);
-
-  mp_init_size(&a, prec);
-  mp_init_size(&m, prec);
-  mp_init_size(&c, prec);
-
-  srand(seed);
-
-  start = clock();
-  for(ix = 0; ix < num; ix++) {
-
-    mpp_random_size(&a, prec);
-    mpp_random_size(&c, prec);
-    mpp_random_size(&m, prec);
-    /* set msb and lsb of m */
-    DIGIT(&m,0) |= 1;
-    DIGIT(&m, USED(&m)-1) |= (mp_digit)1 << (DIGIT_BIT - 1);
-    if (mp_cmp(&a, &m) > 0)
-      mp_sub(&a, &m, &a);
-
-    mp_exptmod(&a, &c, &m, &c);
-  }
-  stop = clock();
-
-  sec = clk_to_sec(start, stop);
-
-  printf("Total:      %.3f seconds\n", sec);
-  printf("Individual: %.3f seconds\n", sec / num);
-
-  mp_clear(&c);
-  mp_clear(&a);
-  mp_clear(&m);
-
-  return 0;
-}
-
-double clk_to_sec(clock_t start, clock_t stop)
-{
-  return (double)(stop - start) / CLOCKS_PER_SEC;
-}
-
-/*------------------------------------------------------------------------*/
-/* HERE THERE BE DRAGONS                                                  */
diff --git a/security/nss/lib/freebl/mpi/utils/pi.c b/security/nss/lib/freebl/mpi/utils/pi.c
deleted file mode 100644
index 1ca17669e..000000000
--- a/security/nss/lib/freebl/mpi/utils/pi.c
+++ /dev/null
@@ -1,197 +0,0 @@
-/*
- * pi.c
- *
- * Compute pi to an arbitrary number of digits.  Uses Machin's formula,
- * like everyone else on the planet:
- * 
- *    pi = 16 * arctan(1/5) - 4 * arctan(1/239)
- *
- * This is pretty effective for up to a few thousand digits, but it
- * gets pretty slow after that.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1999
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <limits.h>
-#include <time.h>
-
-#include "mpi.h"
-
-mp_err arctan(mp_digit mul, mp_digit x, mp_digit prec, mp_int *sum);
-
-int main(int argc, char *argv[])
-{
-  mp_err       res;
-  mp_digit     ndigits;
-  mp_int       sum1, sum2;
-  clock_t      start, stop;
-  int          out = 0;
-
-  /* Make the user specify precision on the command line */
-  if(argc < 2) {
-    fprintf(stderr, "Usage: %s <num-digits>\n", argv[0]);
-    return 1;
-  }
-
-  if((ndigits = abs(atoi(argv[1]))) == 0) {
-    fprintf(stderr, "%s: you must request at least 1 digit\n", argv[0]);
-    return 1;
-  }
-
-  start = clock();
-  mp_init(&sum1); mp_init(&sum2);
-
-  /* sum1 = 16 * arctan(1/5)  */
-  if((res = arctan(16, 5, ndigits, &sum1)) != MP_OKAY) {
-    fprintf(stderr, "%s: arctan: %s\n", argv[0], mp_strerror(res));
-    out = 1; goto CLEANUP;
-  }
-
-  /* sum2 = 4 * arctan(1/239) */
-  if((res = arctan(4, 239, ndigits, &sum2)) != MP_OKAY) {
-    fprintf(stderr, "%s: arctan: %s\n", argv[0], mp_strerror(res));
-    out = 1; goto CLEANUP;
-  }
-
-  /* pi = sum1 - sum2         */
-  if((res = mp_sub(&sum1, &sum2, &sum1)) != MP_OKAY) {
-    fprintf(stderr, "%s: mp_sub: %s\n", argv[0], mp_strerror(res));
-    out = 1; goto CLEANUP;
-  }
-  stop = clock();
-
-  /* Write the output in decimal */
-  {
-    char  *buf = malloc(mp_radix_size(&sum1, 10));
-
-    if(buf == NULL) {
-      fprintf(stderr, "%s: out of memory\n", argv[0]);
-      out = 1; goto CLEANUP;
-    }
-    mp_todecimal(&sum1, buf);
-    printf("%s\n", buf);
-    free(buf);
-  }
-
-  fprintf(stderr, "Computation took %.2f sec.\n", 
-	  (double)(stop - start) / CLOCKS_PER_SEC);
-
- CLEANUP:
-  mp_clear(&sum1);
-  mp_clear(&sum2);
-
-  return out;
-
-}
-
-/* Compute sum := mul * arctan(1/x), to 'prec' digits of precision */
-mp_err arctan(mp_digit mul, mp_digit x, mp_digit prec, mp_int *sum)
-{
-  mp_int   t, v;
-  mp_digit q = 1, rd;
-  mp_err   res;
-  int      sign = 1;
-
-  prec += 3;  /* push inaccuracies off the end */
-
-  mp_init(&t); mp_set(&t, 10);
-  mp_init(&v); 
-  if((res = mp_expt_d(&t, prec, &t)) != MP_OKAY ||  /* get 10^prec    */
-     (res = mp_mul_d(&t, mul, &t)) != MP_OKAY ||    /* ... times mul  */
-     (res = mp_mul_d(&t, x, &t)) != MP_OKAY)        /* ... times x    */
-    goto CLEANUP;
-
-  /*
-    The extra multiplication by x in the above takes care of what
-    would otherwise have to be a special case for 1 / x^1 during the
-    first loop iteration.  A little sneaky, but effective.
-
-    We compute arctan(1/x) by the formula:
-
-         1     1       1       1
-	 - - ----- + ----- - ----- + ...
-	 x   3 x^3   5 x^5   7 x^7
-
-    We multiply through by 'mul' beforehand, which gives us a couple
-    more iterations and more precision
-   */
-
-  x *= x; /* works as long as x < sqrt(RADIX), which it is here */
-
-  mp_zero(sum);
-
-  do {
-    if((res = mp_div_d(&t, x, &t, &rd)) != MP_OKAY)
-      goto CLEANUP;
-
-    if(sign < 0 && rd != 0)
-      mp_add_d(&t, 1, &t);
-
-    if((res = mp_div_d(&t, q, &v, &rd)) != MP_OKAY)
-      goto CLEANUP;
-
-    if(sign < 0 && rd != 0)
-      mp_add_d(&v, 1, &v);
-
-    if(sign > 0)
-      res = mp_add(sum, &v, sum);
-    else
-      res = mp_sub(sum, &v, sum);
-
-    if(res != MP_OKAY)
-      goto CLEANUP;
-
-    sign *= -1;
-    q += 2;
-
-  } while(mp_cmp_z(&t) != 0);
-
-  /* Chop off inaccurate low-order digits */
-  mp_div_d(sum, 1000, sum, NULL);
-
- CLEANUP:
-  mp_clear(&v);
-  mp_clear(&t);
-
-  return res;
-}
-
-/*------------------------------------------------------------------------*/
-/* HERE THERE BE DRAGONS                                                  */
diff --git a/security/nss/lib/freebl/mpi/utils/primegen.c b/security/nss/lib/freebl/mpi/utils/primegen.c
deleted file mode 100644
index 1cd5c9f5b..000000000
--- a/security/nss/lib/freebl/mpi/utils/primegen.c
+++ /dev/null
@@ -1,201 +0,0 @@
-/*
- *  primegen.c
- *
- * Generates random integers which are prime with a high degree of
- * probability using the Miller-Rabin probabilistic primality testing
- * algorithm.
- *
- * Usage:
- *    primegen <bits> [<num>]
- *
- *    <bits>   - number of significant bits each prime should have
- *    <num>    - number of primes to generate
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <limits.h>
-#include <time.h>
-
-#include "mpi.h"
-#include "mplogic.h"
-#include "mpprime.h"
-
-#undef MACOS		/* define if running on a Macintosh */
-
-#ifdef MACOS
-#include <console.h>
-#endif
-
-#define NUM_TESTS 5  /* Number of Rabin-Miller iterations to test with */
-
-#ifdef DEBUG
-#define FPUTC(x,y) fputc(x,y)
-#else
-#define FPUTC(x,y) 
-#endif
-
-int main(int argc, char *argv[])
-{
-  unsigned char *raw;
-  char          *out;
-  unsigned long nTries;
-  int		rawlen, bits, outlen, ngen, ix, jx;
-  int           g_strong = 0;
-  mp_int	testval;
-  mp_err	res;
-  clock_t	start, end;
-
-#ifdef MACOS
-  argc = ccommand(&argv);
-#endif
-
-  /* We'll just use the C library's rand() for now, although this
-     won't be good enough for cryptographic purposes */
-  if((out = getenv("SEED")) == NULL) {
-    srand((unsigned int)time(NULL));
-  } else {
-    srand((unsigned int)atoi(out));
-  }
-
-  if(argc < 2) {
-    fprintf(stderr, "Usage: %s <bits> [<count> [strong]]\n", argv[0]);
-    return 1;
-  }
-	
-  if((bits = abs(atoi(argv[1]))) < CHAR_BIT) {
-    fprintf(stderr, "%s: please request at least %d bits.\n",
-	    argv[0], CHAR_BIT);
-    return 1;
-  }
-
-  /* If optional third argument is given, use that as the number of
-     primes to generate; otherwise generate one prime only.
-   */
-  if(argc < 3) {
-    ngen = 1;
-  } else {
-    ngen = abs(atoi(argv[2]));
-  }
-
-  /* If fourth argument is given, and is the word "strong", we'll 
-     generate strong (Sophie Germain) primes. 
-   */
-  if(argc > 3 && strcmp(argv[3], "strong") == 0)
-    g_strong = 1;
-
-  /* testval - candidate being tested; nTries - number tried so far */
-  if ((res = mp_init(&testval)) != MP_OKAY) {
-    fprintf(stderr, "%s: error: %s\n", argv[0], mp_strerror(res));
-    return 1;
-  }
-  
-  if(g_strong) {
-    printf("Requested %d strong prime value(s) of %d bits.\n", 
-	   ngen, bits);
-  } else {
-    printf("Requested %d prime value(s) of %d bits.\n", ngen, bits);
-  }
-
-  rawlen = (bits / CHAR_BIT) + ((bits % CHAR_BIT) ? 1 : 0) + 1;
-
-  if((raw = calloc(rawlen, sizeof(unsigned char))) == NULL) {
-    fprintf(stderr, "%s: out of memory, sorry.\n", argv[0]);
-    return 1;
-  }
-
-  /* This loop is one for each prime we need to generate */
-  for(jx = 0; jx < ngen; jx++) {
-
-    raw[0] = 0;  /* sign is positive */
-
-    /*	Pack the initializer with random bytes	*/
-    for(ix = 1; ix < rawlen; ix++) 
-      raw[ix] = (rand() * rand()) & UCHAR_MAX;
-
-    raw[1] |= 0x80;             /* set high-order bit of test value     */
-    raw[rawlen - 1] |= 1;       /* set low-order bit of test value      */
-
-    /* Make an mp_int out of the initializer */
-    mp_read_raw(&testval, (char *)raw, rawlen);
-
-    /* Initialize candidate counter */
-    nTries = 0;
-
-    start = clock(); /* time generation for this prime */
-    do {
-      res = mpp_make_prime(&testval, bits, g_strong, &nTries);
-      if (res != MP_NO)
-	break;
-      /* This code works whether digits are 16 or 32 bits */
-      res = mp_add_d(&testval, 32 * 1024, &testval);
-      res = mp_add_d(&testval, 32 * 1024, &testval);
-      FPUTC(',', stderr);
-    } while (1);
-    end = clock();
-
-    if (res != MP_YES) {
-      break;
-    }
-    FPUTC('\n', stderr);
-    puts("The following value is probably prime:");
-    outlen = mp_radix_size(&testval, 10);
-    out = calloc(outlen, sizeof(unsigned char));
-    mp_toradix(&testval, (char *)out, 10);
-    printf("10: %s\n", out);
-    mp_toradix(&testval, (char *)out, 16);
-    printf("16: %s\n\n", out);
-    free(out);
-    
-    printf("Number of candidates tried: %lu\n", nTries);
-    printf("This computation took %ld clock ticks (%.2f seconds)\n",
-	   (end - start), ((double)(end - start) / CLOCKS_PER_SEC));
-    
-    FPUTC('\n', stderr);
-  } /* end of loop to generate all requested primes */
-  
-  if(res != MP_OKAY) 
-    fprintf(stderr, "%s: error: %s\n", argv[0], mp_strerror(res));
-
-  free(raw);
-  mp_clear(&testval);	
-  
-  return 0;
-}
diff --git a/security/nss/lib/freebl/mpi/utils/prng.c b/security/nss/lib/freebl/mpi/utils/prng.c
deleted file mode 100644
index 320d12828..000000000
--- a/security/nss/lib/freebl/mpi/utils/prng.c
+++ /dev/null
@@ -1,90 +0,0 @@
-/*
- *  prng.c
- *
- *  Command-line pseudo-random number generator
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <limits.h>
-#include <time.h>
-
-#ifdef __OS2__
-#include <types.h>
-#include <process.h>
-#else
-#include <unistd.h>
-#endif
-
-#include "bbs_rand.h"
-
-int main(int argc, char *argv[])
-{
-  unsigned char *seed;
-  unsigned int   ix, num = 1;
-  pid_t          pid;
-  
-  if(argc > 1) {
-    num = atoi(argv[1]);
-    if(num <= 0) 
-      num = 1;
-  }
-
-  pid = getpid();
-  srand(time(NULL) * (unsigned int)pid);
-
-  /* Not a perfect seed, but not bad */
-  seed = malloc(bbs_seed_size);
-  for(ix = 0; ix < bbs_seed_size; ix++) {
-    seed[ix] = rand() % UCHAR_MAX;
-  }
-
-  bbs_srand(seed, bbs_seed_size);
-  memset(seed, 0, bbs_seed_size);
-  free(seed);
-
-  while(num-- > 0) {
-    ix = bbs_rand();
-
-    printf("%u\n", ix);
-  }
-
-  return 0;
-
-}
diff --git a/security/nss/lib/freebl/mpi/utils/ptab.pl b/security/nss/lib/freebl/mpi/utils/ptab.pl
deleted file mode 100755
index a1d9c3046..000000000
--- a/security/nss/lib/freebl/mpi/utils/ptab.pl
+++ /dev/null
@@ -1,61 +0,0 @@
-#!/usr/linguist/bin/perl
-
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
-#
-# The Initial Developer of the Original Code is
-# Michael J. Fromberger <sting@linguist.dartmouth.edu>.
-# Portions created by the Initial Developer are Copyright (C) 1998
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-# $Id$
-#
-
-while(<>) {
-    chomp;
-    push(@primes, $_);
-}
-
-printf("mp_size   prime_tab_size = %d;\n", ($#primes + 1));
-print "mp_digit  prime_tab[] = {\n";
-
-print "\t";
-$last = pop(@primes);
-foreach $prime (sort {$a<=>$b} @primes) {
-    printf("0x%04X, ", $prime);
-    $brk = ($brk + 1) % 8;
-    print "\n\t" if(!$brk);
-}
-printf("0x%04X", $last);
-print "\n" if($brk);
-print "};\n\n";
-
-exit 0;
diff --git a/security/nss/lib/freebl/mpi/utils/sieve.c b/security/nss/lib/freebl/mpi/utils/sieve.c
deleted file mode 100644
index b699bec1a..000000000
--- a/security/nss/lib/freebl/mpi/utils/sieve.c
+++ /dev/null
@@ -1,268 +0,0 @@
-/*
- * sieve.c
- *
- * Finds prime numbers using the Sieve of Eratosthenes
- *
- * This implementation uses a bitmap to represent all odd integers in a
- * given range.  We iterate over this bitmap, crossing off the
- * multiples of each prime we find.  At the end, all the remaining set
- * bits correspond to prime integers.
- *
- * Here, we make two passes -- once we have generated a sieve-ful of
- * primes, we copy them out, reset the sieve using the highest
- * generated prime from the first pass as a base.  Then we cross out
- * all the multiples of all the primes we found the first time through,
- * and re-sieve.  In this way, we get double use of the memory we
- * allocated for the sieve the first time though.  Since we also
- * implicitly ignore multiples of 2, this amounts to 4 times the
- * values.
- *
- * This could (and probably will) be generalized to re-use the sieve a
- * few more times.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the MPI Arbitrary Precision Integer Arithmetic library.
- *
- * The Initial Developer of the Original Code is
- * Michael J. Fromberger.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <limits.h>
-
-typedef unsigned char  byte;
-
-typedef struct {
-  int   size;
-  byte *bits;
-  long  base;
-  int   next;
-  int   nbits;
-} sieve;
-
-void sieve_init(sieve *sp, long base, int nbits);
-void sieve_grow(sieve *sp, int nbits);
-long sieve_next(sieve *sp);
-void sieve_reset(sieve *sp, long base);
-void sieve_cross(sieve *sp, long val);
-void sieve_clear(sieve *sp);
-
-#define S_ISSET(S, B)  (((S)->bits[(B)/CHAR_BIT]>>((B)%CHAR_BIT))&1)
-#define S_SET(S, B)    ((S)->bits[(B)/CHAR_BIT]|=(1<<((B)%CHAR_BIT)))
-#define S_CLR(S, B)    ((S)->bits[(B)/CHAR_BIT]&=~(1<<((B)%CHAR_BIT)))
-#define S_VAL(S, B)    ((S)->base+(2*(B)))
-#define S_BIT(S, V)    (((V)-((S)->base))/2)
-
-int main(int argc, char *argv[])
-{
-  sieve   s;
-  long    pr, *p;
-  int     c, ix, cur = 0;
-
-  if(argc < 2) {
-    fprintf(stderr, "Usage: %s <width>\n", argv[0]);
-    return 1;
-  }
-
-  c = atoi(argv[1]);
-  if(c < 0) c = -c;
-
-  fprintf(stderr, "%s: sieving to %d positions\n", argv[0], c);
-
-  sieve_init(&s, 3, c);
-
-  c = 0;
-  while((pr = sieve_next(&s)) > 0) {
-    ++c;
-  }
-
-  p = calloc(c, sizeof(long));
-  if(!p) {
-    fprintf(stderr, "%s: out of memory after first half\n", argv[0]);
-    sieve_clear(&s);
-    exit(1);
-  }
-
-  fprintf(stderr, "%s: half done ... \n", argv[0]);
-
-  for(ix = 0; ix < s.nbits; ix++) {
-    if(S_ISSET(&s, ix)) {
-      p[cur] = S_VAL(&s, ix);
-      printf("%ld\n", p[cur]);
-      ++cur;
-    }
-  }
-
-  sieve_reset(&s, p[cur - 1]);
-  fprintf(stderr, "%s: crossing off %d found primes ... \n", argv[0], cur);
-  for(ix = 0; ix < cur; ix++) {
-    sieve_cross(&s, p[ix]);
-    if(!(ix % 1000))
-      fputc('.', stderr);
-  }
-  fputc('\n', stderr);
-
-  free(p);
-
-  fprintf(stderr, "%s: sieving again from %ld ... \n", argv[0], p[cur - 1]);
-  c = 0;
-  while((pr = sieve_next(&s)) > 0) {
-    ++c;
-  }
-  
-  fprintf(stderr, "%s: done!\n", argv[0]);
-  for(ix = 0; ix < s.nbits; ix++) {
-    if(S_ISSET(&s, ix)) {
-      printf("%ld\n", S_VAL(&s, ix));
-    }
-  }
-
-  sieve_clear(&s);
-
-  return 0;
-}
-
-void sieve_init(sieve *sp, long base, int nbits)
-{
-  sp->size = (nbits / CHAR_BIT);
-
-  if(nbits % CHAR_BIT)
-    ++sp->size;
-
-  sp->bits = calloc(sp->size, sizeof(byte));
-  memset(sp->bits, UCHAR_MAX, sp->size);
-  if(!(base & 1))
-    ++base;
-  sp->base = base;
-  
-  sp->next = 0;
-  sp->nbits = sp->size * CHAR_BIT;
-}
-
-void sieve_grow(sieve *sp, int nbits)
-{
-  int  ns = (nbits / CHAR_BIT);
-
-  if(nbits % CHAR_BIT)
-    ++ns;
-
-  if(ns > sp->size) {
-    byte   *tmp;
-    int     ix;
-
-    tmp = calloc(ns, sizeof(byte));
-    if(tmp == NULL) {
-      fprintf(stderr, "Error: out of memory in sieve_grow\n");
-      return;
-    }
-
-    memcpy(tmp, sp->bits, sp->size);
-    for(ix = sp->size; ix < ns; ix++) {
-      tmp[ix] = UCHAR_MAX;
-    }
-
-    free(sp->bits);
-    sp->bits = tmp;
-    sp->size = ns;
-
-    sp->nbits = sp->size * CHAR_BIT;
-  }
-}
-
-long sieve_next(sieve *sp)
-{
-  long out;
-  int  ix = 0;
-  long val;
-
-  if(sp->next > sp->nbits)
-    return -1;
-
-  out = S_VAL(sp, sp->next);
-#ifdef DEBUG
-  fprintf(stderr, "Sieving %ld\n", out);
-#endif
-
-  /* Sieve out all multiples of the current prime */
-  val = out;
-  while(ix < sp->nbits) {
-    val += out;
-    ix = S_BIT(sp, val);
-    if((val & 1) && ix < sp->nbits) { /* && S_ISSET(sp, ix)) { */
-      S_CLR(sp, ix);
-#ifdef DEBUG
-      fprintf(stderr, "Crossing out %ld (bit %d)\n", val, ix);
-#endif
-    }
-  }
-
-  /* Scan ahead to the next prime */
-  ++sp->next;
-  while(sp->next < sp->nbits && !S_ISSET(sp, sp->next))
-    ++sp->next;
-
-  return out;
-}
-
-void sieve_cross(sieve *sp, long val)
-{
-  int  ix = 0;
-  long cur = val;
-
-  while(cur < sp->base)
-    cur += val;
-
-  ix = S_BIT(sp, cur);
-  while(ix < sp->nbits) {
-    if(cur & 1) 
-      S_CLR(sp, ix);
-    cur += val;
-    ix = S_BIT(sp, cur);
-  }
-}
-
-void sieve_reset(sieve *sp, long base)
-{
-  memset(sp->bits, UCHAR_MAX, sp->size);
-  sp->base = base;
-  sp->next = 0;
-}
-
-void sieve_clear(sieve *sp)
-{
-  if(sp->bits) 
-    free(sp->bits);
-
-  sp->bits = NULL;
-}
diff --git a/security/nss/lib/freebl/mpi/vis_32.il b/security/nss/lib/freebl/mpi/vis_32.il
deleted file mode 100644
index 8a57fbde3..000000000
--- a/security/nss/lib/freebl/mpi/vis_32.il
+++ /dev/null
@@ -1,1324 +0,0 @@
-! 
-! ***** BEGIN LICENSE BLOCK *****
-! Version: MPL 1.1/GPL 2.0/LGPL 2.1
-!
-! The contents of this file are subject to the Mozilla Public License Version
-! 1.1 (the "License"); you may not use this file except in compliance with
-! the License. You may obtain a copy of the License at
-! http://www.mozilla.org/MPL/
-!
-! Software distributed under the License is distributed on an "AS IS" basis,
-! WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-! for the specific language governing rights and limitations under the
-! License.
-!
-! The Original Code is vis inline macros (32 bit).  (vis_32.il 3.3).
-!
-! The Initial Developer of the Original Code is
-! Sun Microsystems Inc.
-! Portions created by the Initial Developer are Copyright (C) 1995-2000
-! the Initial Developer. All Rights Reserved.
-!
-! Contributor(s):
-!
-! Alternatively, the contents of this file may be used under the terms of
-! either the GNU General Public License Version 2 or later (the "GPL"), or
-! the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-! in which case the provisions of the GPL or the LGPL are applicable instead
-! of those above. If you wish to allow use of your version of this file only
-! under the terms of either the GPL or the LGPL, and not to allow others to
-! use your version of this file under the terms of the MPL, indicate your
-! decision by deleting the provisions above and replace them with the notice
-! and other provisions required by the GPL or the LGPL. If you do not delete
-! the provisions above, a recipient may use your version of this file under
-! the terms of any one of the MPL, the GPL or the LGPL.
-!
-! ***** END LICENSE BLOCK *****
-! $Id$
-
-! The interface to the VIS instructions as declared below (and in the VIS
-! User's Manual) will not change, but the macro implementation might change
-! in the future.
-
-!--------------------------------------------------------------------
-! Pure edge handling instructions
-!
-! int vis_edge8(void */*frs1*/, void */*frs2*/);
-!
-	.inline vis_edge8,8
-	edge8	%o0,%o1,%o0
-	.end
-!
-! int vis_edge8l(void */*frs1*/, void */*frs2*/);
-!
-	.inline vis_edge8l,8
-	edge8l	%o0,%o1,%o0
-	.end
-!
-! int vis_edge16(void */*frs1*/, void */*frs2*/);
-!
-	.inline vis_edge16,8
-	edge16	%o0,%o1,%o0
-	.end
-!
-! int vis_edge16l(void */*frs1*/, void */*frs2*/);
-!
-	.inline vis_edge16l,8
-	edge16l	%o0,%o1,%o0
-	.end
-!
-! int vis_edge32(void */*frs1*/, void */*frs2*/);
-!
-	.inline vis_edge32,8
-	edge32	%o0,%o1,%o0
-	.end
-!
-! int vis_edge32l(void */*frs1*/, void */*frs2*/);
-!
-	.inline vis_edge32l,8
-	edge32l	%o0,%o1,%o0
-	.end
-
-!--------------------------------------------------------------------
-! Edge handling instructions with negative return values if cc set
-!
-! int vis_edge8cc(void */*frs1*/, void */*frs2*/);
-!
-	.inline vis_edge8cc,8
-	edge8	%o0,%o1,%o0
-	mov     0,%o1
-	movgu   %icc,-1024,%o1
-	or      %o1,%o0,%o0
-	.end
-!
-! int vis_edge8lcc(void */*frs1*/, void */*frs2*/);
-!
-	.inline vis_edge8lcc,8
-	edge8l	%o0,%o1,%o0
-	mov     0,%o1
-	movgu   %icc,-1024,%o1
-	or      %o1,%o0,%o0
-	.end
-!
-! int vis_edge16cc(void */*frs1*/, void */*frs2*/);
-!
-	.inline vis_edge16cc,8
-	edge16	%o0,%o1,%o0
-	mov     0,%o1
-	movgu   %icc,-1024,%o1
-	or      %o1,%o0,%o0
-	.end
-!
-! int vis_edge16lcc(void */*frs1*/, void */*frs2*/);
-!
-	.inline vis_edge16lcc,8
-	edge16l	%o0,%o1,%o0
-	mov     0,%o1
-	movgu   %icc,-1024,%o1
-	or      %o1,%o0,%o0
-	.end
-!
-! int vis_edge32cc(void */*frs1*/, void */*frs2*/);
-!
-	.inline vis_edge32cc,8
-	edge32	%o0,%o1,%o0
-	mov     0,%o1
-	movgu   %icc,-1024,%o1
-	or      %o1,%o0,%o0
-	.end
-!
-! int vis_edge32lcc(void */*frs1*/, void */*frs2*/);
-!
-	.inline vis_edge32lcc,8
-	edge32l	%o0,%o1,%o0
-	mov     0,%o1
-	movgu   %icc,-1024,%o1
-	or      %o1,%o0,%o0
-	.end
-
-!--------------------------------------------------------------------
-! Alignment instructions
-!
-! void *vis_alignaddr(void */*rs1*/, int /*rs2*/);
-!
-	.inline vis_alignaddr,8
-	alignaddr	%o0,%o1,%o0
-	.end
-!
-! void *vis_alignaddrl(void */*rs1*/, int /*rs2*/);
-!
-	.inline vis_alignaddrl,8
-	alignaddrl	%o0,%o1,%o0
-	.end
-!
-! double vis_faligndata(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_faligndata,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	std	%o2,[%sp+0x48]
-	ldd	[%sp+0x48],%f10
-	faligndata	%f4,%f10,%f0
-	.end
-
-!--------------------------------------------------------------------
-! Partitioned comparison instructions
-!
-! int vis_fcmple16(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fcmple16,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	std	%o2,[%sp+0x48]
-	ldd	[%sp+0x48],%f10
-	fcmple16	%f4,%f10,%o0
-	.end
-!
-! int vis_fcmpne16(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fcmpne16,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	std	%o2,[%sp+0x48]
-	ldd	[%sp+0x48],%f10
-	fcmpne16	%f4,%f10,%o0
-	.end
-!
-! int vis_fcmple32(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fcmple32,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	std	%o2,[%sp+0x48]
-	ldd	[%sp+0x48],%f10
-	fcmple32	%f4,%f10,%o0
-	.end
-!
-! int vis_fcmpne32(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fcmpne32,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	std	%o2,[%sp+0x48]
-	ldd	[%sp+0x48],%f10
-	fcmpne32	%f4,%f10,%o0
-	.end
-!
-! int vis_fcmpgt16(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fcmpgt16,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	std	%o2,[%sp+0x48]
-	ldd	[%sp+0x48],%f10
-	fcmpgt16	%f4,%f10,%o0
-	.end
-!
-! int vis_fcmpeq16(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fcmpeq16,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	std	%o2,[%sp+0x48]
-	ldd	[%sp+0x48],%f10
-	fcmpeq16	%f4,%f10,%o0
-	.end
-!
-! int vis_fcmpgt32(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fcmpgt32,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	std	%o2,[%sp+0x48]
-	ldd	[%sp+0x48],%f10
-	fcmpgt32	%f4,%f10,%o0
-	.end
-!
-! int vis_fcmpeq32(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fcmpeq32,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	std	%o2,[%sp+0x48]
-	ldd	[%sp+0x48],%f10
-	fcmpeq32	%f4,%f10,%o0
-	.end
-
-!--------------------------------------------------------------------
-! Partitioned arithmetic
-!
-! double vis_fmul8x16(float /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fmul8x16,12
-	st	%o0,[%sp+0x44]
-	ld	[%sp+0x44],%f4
-	st	%o1,[%sp+0x48]
-	st	%o2,[%sp+0x4c]
-	ldd	[%sp+0x48],%f10
-	fmul8x16	%f4,%f10,%f0
-	.end
-!
-! double vis_fmul8x16_dummy(float /*frs1*/, int /*dummy*/, double /*frs2*/);
-!
-	.inline vis_fmul8x16_dummy,16
-	st	%o0,[%sp+0x44]
-	ld	[%sp+0x44],%f4
-	std	%o2,[%sp+0x48]
-	ldd	[%sp+0x48],%f10
-	fmul8x16	%f4,%f10,%f0
-	.end
-!
-! double vis_fmul8x16au(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fmul8x16au,8
-	st	%o0,[%sp+0x48]
-	ld	[%sp+0x48],%f4
-	st	%o1,[%sp+0x48]
-	ld	[%sp+0x48],%f10
-	fmul8x16au	%f4,%f10,%f0
-	.end
-!
-! double vis_fmul8x16al(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fmul8x16al,8
-	st	%o0,[%sp+0x44]
-	ld	[%sp+0x44],%f4
-	st	%o1,[%sp+0x48]
-	ld	[%sp+0x48],%f10
-	fmul8x16al	%f4,%f10,%f0
-	.end
-!
-! double vis_fmul8sux16(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fmul8sux16,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	std	%o2,[%sp+0x48]
-	ldd	[%sp+0x48],%f10
-	fmul8sux16	%f4,%f10,%f0
-	.end
-!
-! double vis_fmul8ulx16(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fmul8ulx16,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	std	%o2,[%sp+0x48]
-	ldd	[%sp+0x48],%f10
-	fmul8ulx16	%f4,%f10,%f0
-	.end
-!
-! double vis_fmuld8sux16(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fmuld8sux16,8
-	st	%o0,[%sp+0x48]
-	ld	[%sp+0x48],%f4
-	st	%o1,[%sp+0x48]
-	ld	[%sp+0x48],%f10
-	fmuld8sux16	%f4,%f10,%f0
-	.end
-!
-! double vis_fmuld8ulx16(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fmuld8ulx16,8
-	st	%o0,[%sp+0x48]
-	ld	[%sp+0x48],%f4
-	st	%o1,[%sp+0x48]
-	ld	[%sp+0x48],%f10
-	fmuld8ulx16	%f4,%f10,%f0
-	.end
-!
-! double vis_fpadd16(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fpadd16,16
-	std	%o0,[%sp+0x40]
-	ldd	[%sp+0x40],%f4
-	std	%o2,[%sp+0x48]
-	ldd	[%sp+0x48],%f10
-	fpadd16	%f4,%f10,%f0
-	.end
-!
-! float vis_fpadd16s(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fpadd16s,8
-	st	%o0,[%sp+0x48]
-	ld	[%sp+0x48],%f4
-	st	%o1,[%sp+0x48]
-	ld	[%sp+0x48],%f10
-	fpadd16s	%f4,%f10,%f0
-	.end
-!
-! double vis_fpadd32(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fpadd32,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	std	%o2,[%sp+0x48]
-	ldd	[%sp+0x48],%f10
-	fpadd32	%f4,%f10,%f0
-	.end
-!
-! float vis_fpadd32s(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fpadd32s,8
-	st	%o0,[%sp+0x48]
-	ld	[%sp+0x48],%f4
-	st	%o1,[%sp+0x48]
-	ld	[%sp+0x48],%f10
-	fpadd32s	%f4,%f10,%f0
-	.end
-!
-! double vis_fpsub16(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fpsub16,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	std	%o2,[%sp+0x48]
-	ldd	[%sp+0x48],%f10
-	fpsub16	%f4,%f10,%f0
-	.end
-!
-! float vis_fpsub16s(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fpsub16s,8
-	st	%o0,[%sp+0x48]
-	ld	[%sp+0x48],%f4
-	st	%o1,[%sp+0x48]
-	ld	[%sp+0x48],%f10
-	fpsub16s	%f4,%f10,%f0
-	.end
-!
-! double vis_fpsub32(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fpsub32,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	std	%o2,[%sp+0x48]
-	ldd	[%sp+0x48],%f10
-	fpsub32	%f4,%f10,%f0
-	.end
-!
-! float vis_fpsub32s(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fpsub32s,8
-	st	%o0,[%sp+0x48]
-	ld	[%sp+0x48],%f4
-	st	%o1,[%sp+0x48]
-	ld	[%sp+0x48],%f10
-	fpsub32s	%f4,%f10,%f0
-	.end
-
-!--------------------------------------------------------------------
-! Pixel packing
-!
-! float vis_fpack16(double /*frs2*/);
-!
-	.inline vis_fpack16,8
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	fpack16	%f4,%f0
-	.end
-
-!
-! double vis_fpack16_pair(double /*frs2*/, double /*frs2*/);
-!
-	.inline vis_fpack16_pair,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	std	%o2,[%sp+0x48]
-	ldd	[%sp+0x48],%f10
-	fpack16	%f4,%f0
-	fpack16	%f10,%f1
-	.end
-!
-! void vis_st2_fpack16(double, double, double *)
-!
-	.inline vis_st2_fpack16,20
- 	std	%o0,[%sp+0x48]
- 	ldd	[%sp+0x48],%f4
- 	std	%o2,[%sp+0x48]
- 	ldd	[%sp+0x48],%f10
- 	fpack16	%f4,%f0
- 	fpack16	%f10,%f1
- 	st	%f0,[%o4+0]
- 	st	%f1,[%o4+4]
- 	.end
-!
-! void vis_std_fpack16(double, double, double *)
-!
-	.inline vis_std_fpack16,20
-	std     %o0,[%sp+0x48]
-	ldd     [%sp+0x48],%f4
-	std     %o2,[%sp+0x48]
-	ldd     [%sp+0x48],%f10
-	fpack16 %f4,%f0
-	fpack16 %f10,%f1
-	std     %f0,[%o4]
-	.end
-!
-! void vis_st2_fpackfix(double, double, double *)
-!
-	.inline vis_st2_fpackfix,20
- 	std	%o0,[%sp+0x48]
- 	ldd	[%sp+0x48],%f4
- 	std	%o2,[%sp+0x48]
- 	ldd	[%sp+0x48],%f10
- 	fpackfix %f4,%f0
- 	fpackfix %f10,%f1
- 	st	%f0,[%o4+0]
- 	st	%f1,[%o4+4]
- 	.end
-!
-! double vis_fpack16_to_hi(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fpack16_to_hi,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f0
-	std	%o2,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	fpack16	%f4,%f0
-	.end
-
-! double vis_fpack16_to_lo(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fpack16_to_lo,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f0
-	std	%o2,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	fpack16	%f4,%f3
-	fmovs	%f3,%f1		/* without this, optimizer goes wrong */
-	.end
-
-!
-! double vis_fpack32(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fpack32,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	std	%o2,[%sp+0x48]
-	ldd	[%sp+0x48],%f10
-	fpack32	%f4,%f10,%f0
-	.end
-!
-! float vis_fpackfix(double /*frs2*/);
-!
-	.inline vis_fpackfix,8
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	fpackfix	%f4,%f0
-	.end
-!
-! double vis_fpackfix_pair(double /*frs2*/, double /*frs2*/);
-!
-	.inline vis_fpackfix_pair,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	std	%o2,[%sp+0x48]
-	ldd	[%sp+0x48],%f6
-	fpackfix	%f4,%f0
-	fpackfix	%f6,%f1
-	.end
-
-!--------------------------------------------------------------------
-! Motion estimation
-!
-! double vis_pdist(double /*frs1*/, double /*frs2*/, double /*frd*/);
-!
-	.inline vis_pdist,24
-	std	%o4,[%sp+0x48]
-	ldd	[%sp+0x48],%f0
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	std	%o2,[%sp+0x48]
-	ldd	[%sp+0x48],%f10
-	pdist	%f4,%f10,%f0
-	.end
-
-!--------------------------------------------------------------------
-! Channel merging
-!
-! double vis_fpmerge(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fpmerge,8
-	st	%o0,[%sp+0x48]
-	ld	[%sp+0x48],%f4
-	st	%o1,[%sp+0x48]
-	ld	[%sp+0x48],%f10
-	fpmerge	%f4,%f10,%f0
-	.end
-
-!--------------------------------------------------------------------
-! Pixel expansion
-!
-! double vis_fexpand(float /*frs2*/);
-!
-	.inline vis_fexpand,4
-	st	%o0,[%sp+0x48]
-	ld	[%sp+0x48],%f4
-	fexpand	%f4,%f0
-	.end
-
-! double vis_fexpand_hi(double /*frs2*/);
-!
-	.inline vis_fexpand_hi,8
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	fexpand	%f4,%f0
-	.end
-
-! double vis_fexpand_lo(double /*frs2*/);
-!
-	.inline vis_fexpand_lo,8
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	fmovs	%f5, %f2
-	fexpand	%f2,%f0
-	.end
-
-!--------------------------------------------------------------------
-! Bitwise logical operations
-!
-! double vis_fnor(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fnor,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	std	%o2,[%sp+0x48]
-	ldd	[%sp+0x48],%f10
-	fnor	%f4,%f10,%f0
-	.end
-!
-! float vis_fnors(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fnors,8
-	st	%o0,[%sp+0x48]
-	ld	[%sp+0x48],%f4
-	st	%o1,[%sp+0x48]
-	ld	[%sp+0x48],%f10
-	fnors	%f4,%f10,%f0
-	.end
-!
-! double vis_fandnot(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fandnot,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	std	%o2,[%sp+0x48]
-	ldd	[%sp+0x48],%f10
-	fandnot1	%f4,%f10,%f0
-	.end
-!
-! float vis_fandnots(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fandnots,8
-	st	%o0,[%sp+0x48]
-	ld	[%sp+0x48],%f4
-	st	%o1,[%sp+0x48]
-	ld	[%sp+0x48],%f10
-	fandnot1s	%f4,%f10,%f0
-	.end
-!
-! double vis_fnot(double /*frs1*/);
-!
-	.inline vis_fnot,8
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	fnot1	%f4,%f0
-	.end
-!
-! float vis_fnots(float /*frs1*/);
-!
-	.inline vis_fnots,4
-	st	%o0,[%sp+0x48]
-	ld	[%sp+0x48],%f4
-	fnot1s	%f4,%f0
-	.end
-!
-! double vis_fxor(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fxor,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	std	%o2,[%sp+0x48]
-	ldd	[%sp+0x48],%f10
-	fxor	%f4,%f10,%f0
-	.end
-!
-! float vis_fxors(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fxors,8
-	st	%o0,[%sp+0x48]
-	ld	[%sp+0x48],%f4
-	st	%o1,[%sp+0x48]
-	ld	[%sp+0x48],%f10
-	fxors	%f4,%f10,%f0
-	.end
-!
-! double vis_fnand(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fnand,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	std	%o2,[%sp+0x48]
-	ldd	[%sp+0x48],%f10
-	fnand	%f4,%f10,%f0
-	.end
-!
-! float vis_fnands(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fnands,8
-	st	%o0,[%sp+0x48]
-	ld	[%sp+0x48],%f4
-	st	%o1,[%sp+0x48]
-	ld	[%sp+0x48],%f10
-	fnands	%f4,%f10,%f0
-	.end
-!
-! double vis_fand(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fand,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	std	%o2,[%sp+0x48]
-	ldd	[%sp+0x48],%f10
-	fand	%f4,%f10,%f0
-	.end
-!
-! float vis_fands(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fands,8
-	st	%o0,[%sp+0x48]
-	ld	[%sp+0x48],%f4
-	st	%o1,[%sp+0x48]
-	ld	[%sp+0x48],%f10
-	fands	%f4,%f10,%f0
-	.end
-!
-! double vis_fxnor(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fxnor,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	std	%o2,[%sp+0x48]
-	ldd	[%sp+0x48],%f10
-	fxnor	%f4,%f10,%f0
-	.end
-!
-! float vis_fxnors(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fxnors,8
-	st	%o0,[%sp+0x48]
-	ld	[%sp+0x48],%f4
-	st	%o1,[%sp+0x48]
-	ld	[%sp+0x48],%f10
-	fxnors	%f4,%f10,%f0
-	.end
-!
-! double vis_fsrc(double /*frs1*/);
-!
-	.inline vis_fsrc,8
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	fsrc1	%f4,%f0
-	.end
-!
-! float vis_fsrcs(float /*frs1*/);
-!
-	.inline vis_fsrcs,4
-	st	%o0,[%sp+0x48]
-	ld	[%sp+0x48],%f4
-	fsrc1s	%f4,%f0
-	.end
-!
-! double vis_fornot(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fornot,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	std	%o2,[%sp+0x48]
-	ldd	[%sp+0x48],%f10
-	fornot1	%f4,%f10,%f0
-	.end
-!
-! float vis_fornots(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fornots,8
-	st	%o0,[%sp+0x48]
-	ld	[%sp+0x48],%f4
-	st	%o1,[%sp+0x48]
-	ld	[%sp+0x48],%f10
-	fornot1s	%f4,%f10,%f0
-	.end
-!
-! double vis_for(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_for,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	std	%o2,[%sp+0x48]
-	ldd	[%sp+0x48],%f10
-	for	%f4,%f10,%f0
-	.end
-!
-! float vis_fors(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fors,8
-	st	%o0,[%sp+0x48]
-	ld	[%sp+0x48],%f4
-	st	%o1,[%sp+0x48]
-	ld	[%sp+0x48],%f10
-	fors	%f4,%f10,%f0
-	.end
-!
-! double vis_fzero(/* void */)
-!
-	.inline	vis_fzero,0
-	fzero	%f0
-	.end
-!
-! float vis_fzeros(/* void */)
-!
-	.inline	vis_fzeros,0
-	fzeros	%f0
-	.end
-!
-! double vis_fone(/* void */)
-!
-	.inline	vis_fone,0
-	fone	%f0
-	.end
-!
-! float vis_fones(/* void */)
-!
-	.inline	vis_fones,0
-	fones	%f0
-	.end
-
-!--------------------------------------------------------------------
-! Partial store instructions
-!
-! vis_stdfa_ASI_PST8P(double frd, void *rs1, int rmask)
-!
-	.inline vis_stdfa_ASI_PST8P,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	stda	%f4,[%o2]%o3,0xc0	! ASI_PST8_P
-	.end
-!
-! vis_stdfa_ASI_PST8PL(double frd, void *rs1, int rmask)
-!
-	.inline vis_stdfa_ASI_PST8PL,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	stda	%f4,[%o2]%o3,0xc8	! ASI_PST8_PL
-	.end
-!
-! vis_stdfa_ASI_PST8P_int_pair(void *rs1, void *rs2, void *rs3, int rmask);
-!
-	.inline vis_stdfa_ASI_PST8P_int_pair,16
-        ld	[%o0],%f4
-        ld	[%o1],%f5
-	stda	%f4,[%o2]%o3,0xc0	! ASI_PST8_P
-	.end
-!
-! vis_stdfa_ASI_PST8S(double frd, void *rs1, int rmask)
-!
-	.inline vis_stdfa_ASI_PST8S,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	stda	%f4,[%o2]%o3,0xc1	! ASI_PST8_S
-	.end
-!
-! vis_stdfa_ASI_PST16P(double frd, void *rs1, int rmask)
-!
-	.inline vis_stdfa_ASI_PST16P,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	stda	%f4,[%o2]%o3,0xc2	! ASI_PST16_P
-	.end
-!
-! vis_stdfa_ASI_PST16S(double frd, void *rs1, int rmask)
-!
-	.inline vis_stdfa_ASI_PST16S,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	stda	%f4,[%o2]%o3,0xc3	! ASI_PST16_S
-	.end
-!
-! vis_stdfa_ASI_PST32P(double frd, void *rs1, int rmask)
-!
-	.inline vis_stdfa_ASI_PST32P,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	stda	%f4,[%o2]%o3,0xc4	! ASI_PST32_P
-	.end
-!
-! vis_stdfa_ASI_PST32S(double frd, void *rs1, int rmask)
-!
-	.inline vis_stdfa_ASI_PST32S,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	stda	%f4,[%o2]%o3,0xc5	! ASI_PST32_S
-	.end
-
-!--------------------------------------------------------------------
-! Short store instructions
-!
-! vis_stdfa_ASI_FL8P(double frd, void *rs1)
-!
-	.inline vis_stdfa_ASI_FL8P,12
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	stda	%f4,[%o2]0xd0	! ASI_FL8_P
-	.end
-!
-! vis_stdfa_ASI_FL8P_index(double frd, void *rs1, long index)
-!
-	.inline vis_stdfa_ASI_FL8P_index,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	stda	%f4,[%o2+%o3]0xd0 ! ASI_FL8_P
-	.end
-!
-! vis_stdfa_ASI_FL8S(double frd, void *rs1)
-!
-	.inline vis_stdfa_ASI_FL8S,12
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	stda	%f4,[%o2]0xd1	! ASI_FL8_S
-	.end
-!
-! vis_stdfa_ASI_FL16P(double frd, void *rs1)
-!
-	.inline vis_stdfa_ASI_FL16P,12
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	stda	%f4,[%o2]0xd2	! ASI_FL16_P
-	.end
-!
-! vis_stdfa_ASI_FL16P_index(double frd, void *rs1, long index)
-!
-	.inline vis_stdfa_ASI_FL16P_index,16
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	stda	%f4,[%o2+%o3]0xd2 ! ASI_FL16_P
-	.end
-!
-! vis_stdfa_ASI_FL16S(double frd, void *rs1)
-!
-	.inline vis_stdfa_ASI_FL16S,12
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	stda	%f4,[%o2]0xd3	! ASI_FL16_S
-	.end
-!
-! vis_stdfa_ASI_FL8PL(double frd, void *rs1)
-!
-	.inline vis_stdfa_ASI_FL8PL,12
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	stda	%f4,[%o2]0xd8	! ASI_FL8_PL
-	.end
-!
-! vis_stdfa_ASI_FL8SL(double frd, void *rs1)
-!
-	.inline vis_stdfa_ASI_FL8SL,12
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	stda	%f4,[%o2]0xd9	! ASI_FL8_SL
-	.end
-!
-! vis_stdfa_ASI_FL16PL(double frd, void *rs1)
-!
-	.inline vis_stdfa_ASI_FL16PL,12
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	stda	%f4,[%o2]0xda	! ASI_FL16_PL
-	.end
-!
-! vis_stdfa_ASI_FL16SL(double frd, void *rs1)
-!
-	.inline vis_stdfa_ASI_FL16SL,12
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	stda	%f4,[%o2]0xdb	! ASI_FL16_SL
-	.end
-
-!--------------------------------------------------------------------
-! Short load instructions
-!
-! double vis_lddfa_ASI_FL8P(void *rs1)
-!
-	.inline vis_lddfa_ASI_FL8P,4
-	ldda	[%o0]0xd0,%f4	! ASI_FL8_P
-	fmovd	%f4,%f0	        ! Compiler can clean this up
-	.end
-!
-! double vis_lddfa_ASI_FL8P_index(void *rs1, long index)
-!
-	.inline vis_lddfa_ASI_FL8P_index,8
-	ldda	[%o0+%o1]0xd0,%f4
-	fmovd	%f4,%f0
-	.end
-!
-! double vis_lddfa_ASI_FL8P_hi(void *rs1, unsigned int index)
-!
-	.inline vis_lddfa_ASI_FL8P_hi,8
-	sra     %o1,16,%o1
-	ldda	[%o0+%o1]0xd0,%f4
-	fmovd	%f4,%f0
-	.end
-!
-! double vis_lddfa_ASI_FL8P_lo(void *rs1, unsigned int index)
-!
-	.inline vis_lddfa_ASI_FL8P_lo,8
-	sll     %o1,16,%o1
-	sra     %o1,16,%o1
-	ldda	[%o0+%o1]0xd0,%f4
-	fmovd	%f4,%f0
-	.end
-!
-! double vis_lddfa_ASI_FL8S(void *rs1)
-!
-	.inline vis_lddfa_ASI_FL8S,4
-	ldda	[%o0]0xd1,%f4	! ASI_FL8_S
-	fmovd	%f4,%f0
-	.end
-!
-! double vis_lddfa_ASI_FL16P(void *rs1)
-!
-	.inline vis_lddfa_ASI_FL16P,4
-	ldda	[%o0]0xd2,%f4	! ASI_FL16_P
-	fmovd	%f4,%f0
-	.end
-!
-! double vis_lddfa_ASI_FL16P_index(void *rs1, long index)
-!
-	.inline vis_lddfa_ASI_FL16P_index,8
-	ldda	[%o0+%o1]0xd2,%f4 ! ASI_FL16_P
-	fmovd	%f4,%f0
-	.end
-!
-! double vis_lddfa_ASI_FL16S(void *rs1)
-!
-	.inline vis_lddfa_ASI_FL16S,4
-	ldda	[%o0]0xd3,%f4	! ASI_FL16_S
-	fmovd	%f4,%f0
-	.end
-!
-! double vis_lddfa_ASI_FL8PL(void *rs1)
-!
-	.inline vis_lddfa_ASI_FL8PL,4
-	ldda	[%o0]0xd8,%f4	! ASI_FL8_PL
-	fmovd	%f4,%f0
-	.end
-!
-! double vis_lddfa_ASI_FL8PL_index(void *rs1, long index)
-!
-	.inline vis_lddfa_ASI_FL8PL_index,8
-	ldda	[%o0+%o1]0xd8,%f4	! ASI_FL8_PL
-	fmovd	%f4,%f0
-	.end
-!
-! double vis_lddfa_ASI_FL8SL(void *rs1)
-!
-	.inline vis_lddfa_ASI_FL8SL,4
-	ldda	[%o0]0xd9,%f4	! ASI_FL8_SL
-	fmovd	%f4,%f0
-	.end
-!
-! double vis_lddfa_ASI_FL16PL(void *rs1)
-!
-	.inline vis_lddfa_ASI_FL16PL,4
-	ldda	[%o0]0xda,%f4	! ASI_FL16_PL
-	fmovd	%f4,%f0
-	.end
-!
-! double vis_lddfa_ASI_FL16PL_index(void *rs1, long index)
-!
-	.inline vis_lddfa_ASI_FL16PL_index,8
-	ldda	[%o0+%o1]0xda,%f4	! ASI_FL16_PL
-	fmovd	%f4,%f0
-	.end
-!
-! double vis_lddfa_ASI_FL16SL(void *rs1)
-!
-	.inline vis_lddfa_ASI_FL16SL,4
-	ldda	[%o0]0xdb,%f4	! ASI_FL16_SL
-	fmovd	%f4,%f0
-	.end
-
-!--------------------------------------------------------------------
-! Graphics status register
-!
-! unsigned int vis_read_gsr(void)
-!
-	.inline vis_read_gsr,0
-	rd	%gsr,%o0
-	.end
-!
-! void vis_write_gsr(unsigned int /* GSR */)
-!
-	.inline vis_write_gsr,4
-	wr	%g0,%o0,%gsr
-	.end
-
-!--------------------------------------------------------------------
-! Voxel texture mapping
-!
-! unsigned long vis_array8(unsigned long long /*rs1 */, int /*rs2*/)
-!
-	.inline	vis_array8,12
-	sllx	%o0,32,%o0
-	srl	%o1,0,%o1	! clear the most significant 32 bits of %o1
-	or	%o0,%o1,%o3	! join %o0 and %o1 into %o3
-	array8	%o3,%o2,%o0
-	.end
-!
-! unsigned long vis_array16(unsigned long long /*rs1*/, int /*rs2*/)
-!
-	.inline	vis_array16,12
-	sllx	%o0,32,%o0
-	srl	%o1,0,%o1	! clear the most significant 32 bits of %o1
-	or	%o0,%o1,%o3	! join %o0 and %o1 into %o3
-	array16	%o3,%o2,%o0
-	.end
-!
-! unsigned long vis_array32(unsigned long long /*rs1*/, int /*rs2*/)
-!
-	.inline	vis_array32,12
-	sllx	%o0,32,%o0
-	srl	%o1,0,%o1	! clear the most significant 32 bits of %o1
-	or	%o0,%o1,%o3	! join %o0 and %o1 into %o3
-	array32	%o3,%o2,%o0
-	.end
-
-!--------------------------------------------------------------------
-! Register aliasing and type casts
-!
-! float vis_read_hi(double /* frs1 */);
-!
-	.inline vis_read_hi,8
-	std	%o0,[%sp+0x48]	! store double frs1
-	ldd	[%sp+0x48],%f0	! %f0:%f1 = double frs1; return %f0;
-	.end
-!
-! float vis_read_lo(double /* frs1 */);
-!
-	.inline vis_read_lo,8
-	std	%o0,[%sp+0x48]	! store double frs1
-	ldd	[%sp+0x48],%f0	! %f0:%f1 = double frs1;
-	fmovs	%f1,%f0		! %f0 = low word (frs1); return %f0;
-	.end
-!
-! double vis_write_hi(double /* frs1 */, float /* frs2 */);
-!
-	.inline vis_write_hi,12
-	std	%o0,[%sp+0x48]	! store double frs1;
-	ldd	[%sp+0x48],%f0	! %f0:%f1 = double frs1;
-	st	%o2,[%sp+0x44]	! store float frs2;
-	ld	[%sp+0x44],%f2	! %f2 = float frs2;
-	fmovs	%f2,%f0		! %f0 = float frs2; return %f0:f1;
-	.end
-!
-! double vis_write_lo(double /* frs1 */, float /* frs2 */);
-!
-	.inline vis_write_lo,12
-	std	%o0,[%sp+0x48]	! store double frs1;
-	ldd	[%sp+0x48],%f0	! %f0:%f1 = double frs1;
-	st	%o2,[%sp+0x44]	! store float frs2;
-	ld	[%sp+0x44],%f2	! %f2 = float frs2;
-	fmovs	%f2,%f1		! %f1 = float frs2; return %f0:f1;
-	.end
-!
-! double vis_freg_pair(float /* frs1 */, float /* frs2 */);
-!
-	.inline vis_freg_pair,8
-	st	%o0,[%sp+0x48]	! store float frs1
-	ld	[%sp+0x48],%f0
-	st	%o1,[%sp+0x48]	! store float frs2
-	ld	[%sp+0x48],%f1
-	.end
-!
-! float vis_to_float(unsigned int /*value*/);
-!
-	.inline vis_to_float,4
-	st	%o0,[%sp+0x48]
-	ld	[%sp+0x48],%f0
-	.end
-!
-! double vis_to_double(unsigned int /*value1*/, unsigned int /*value2*/);
-!
-	.inline vis_to_double,8
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f0
-	.end
-!
-! double vis_to_double_dup(unsigned int /*value*/);
-!
-	.inline vis_to_double_dup,4
-	st	%o0,[%sp+0x48]
-	ld	[%sp+0x48],%f1
-	fmovs	%f1,%f0		! duplicate value
-	.end
-!
-! double vis_ll_to_double(unsigned long long /*value*/);
-!
-	.inline vis_ll_to_double,8
-	std     %o0,[%sp+0x48]
-	ldd     [%sp+0x48],%f0
-	.end
-
-!--------------------------------------------------------------------
-! Address space identifier (ASI) register
-!
-! unsigned int vis_read_asi(void)
-!
-	.inline vis_read_asi,0
-	rd	%asi,%o0
-	.end
-!
-! void vis_write_asi(unsigned int /* ASI */)
-!
-	.inline vis_write_asi,4
-	wr	%g0,%o0,%asi
-	.end
-
-!--------------------------------------------------------------------
-! Load/store from/into alternate space
-!
-! float vis_ldfa_ASI_REG(void *rs1)
-!
-	.inline vis_ldfa_ASI_REG,4
-	lda	[%o0+0]%asi,%f4
-	fmovs	%f4,%f0	        ! Compiler can clean this up
-	.end
-!
-! float vis_ldfa_ASI_P(void *rs1)
-!
-	.inline vis_ldfa_ASI_P,4
-	lda	[%o0]0x80,%f4	! ASI_P
-	fmovs	%f4,%f0	        ! Compiler can clean this up
-	.end
-!
-! float vis_ldfa_ASI_PL(void *rs1)
-!
-	.inline vis_ldfa_ASI_PL,4
-	lda	[%o0]0x88,%f4	! ASI_PL
-	fmovs	%f4,%f0	        ! Compiler can clean this up
-	.end
-!
-! double vis_lddfa_ASI_REG(void *rs1)
-!
-	.inline vis_lddfa_ASI_REG,4
-	ldda	[%o0+0]%asi,%f4
-	fmovd	%f4,%f0	        ! Compiler can clean this up
-	.end
-!
-! double vis_lddfa_ASI_P(void *rs1)
-!
-	.inline vis_lddfa_ASI_P,4
-	ldda	[%o0]0x80,%f4	! ASI_P
-	fmovd	%f4,%f0	        ! Compiler can clean this up
-	.end
-!
-! double vis_lddfa_ASI_PL(void *rs1)
-!
-	.inline vis_lddfa_ASI_PL,4
-	ldda	[%o0]0x88,%f4	! ASI_PL
-	fmovd	%f4,%f0	        ! Compiler can clean this up
-	.end
-!
-! vis_stfa_ASI_REG(float frs, void *rs1)
-!
-	.inline vis_stfa_ASI_REG,8
-	st	%o0,[%sp+0x48]
-	ld	[%sp+0x48],%f4
-	sta	%f4,[%o1+0]%asi
-	.end
-!
-! vis_stfa_ASI_P(float frs, void *rs1)
-!
-	.inline vis_stfa_ASI_P,8
-	st	%o0,[%sp+0x48]
-	ld	[%sp+0x48],%f4
-	sta	%f4,[%o1]0x80	! ASI_P
-	.end
-!
-! vis_stfa_ASI_PL(float frs, void *rs1)
-!
-	.inline vis_stfa_ASI_PL,8
-	st	%o0,[%sp+0x48]
-	ld	[%sp+0x48],%f4
-	sta	%f4,[%o1]0x88	! ASI_PL
-	.end
-!
-! vis_stdfa_ASI_REG(double frd, void *rs1)
-!
-	.inline vis_stdfa_ASI_REG,12
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	stda	%f4,[%o2+0]%asi
-	.end
-!
-! vis_stdfa_ASI_P(double frd, void *rs1)
-!
-	.inline vis_stdfa_ASI_P,12
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	stda	%f4,[%o2]0x80	! ASI_P
-	.end
-!
-! vis_stdfa_ASI_PL(double frd, void *rs1)
-!
-	.inline vis_stdfa_ASI_PL,12
-	std	%o0,[%sp+0x48]
-	ldd	[%sp+0x48],%f4
-	stda	%f4,[%o2]0x88	! ASI_PL
-	.end
-!
-! unsigned short vis_lduha_ASI_REG(void *rs1)
-!
-	.inline vis_lduha_ASI_REG,4
-	lduha	[%o0+0]%asi,%o0
-	.end
-!
-! unsigned short vis_lduha_ASI_P(void *rs1)
-!
-	.inline vis_lduha_ASI_P,4
-	lduha	[%o0]0x80,%o0	! ASI_P
-	.end
-!
-! unsigned short vis_lduha_ASI_PL(void *rs1)
-!
-	.inline vis_lduha_ASI_PL,4
-	lduha	[%o0]0x88,%o0	! ASI_PL
-	.end
-!
-! unsigned short vis_lduha_ASI_P_index(void *rs1, long index)
-!
-	.inline vis_lduha_ASI_P_index,8
-	lduha	[%o0+%o1]0x80,%o0	! ASI_P
-	.end
-!
-! unsigned short vis_lduha_ASI_PL_index(void *rs1, long index)
-!
-	.inline vis_lduha_ASI_PL_index,8
-	lduha	[%o0+%o1]0x88,%o0	! ASI_PL
-	.end
-
-!--------------------------------------------------------------------
-! Prefetch
-!
-! void vis_prefetch_read(void * /*address*/);
-!
-	.inline vis_prefetch_read,4
-	prefetch	[%o0+0],0
-	.end
-!
-! void vis_prefetch_write(void * /*address*/);
-!
-	.inline vis_prefetch_write,4
-	prefetch	[%o0+0],2
-	.end
diff --git a/security/nss/lib/freebl/mpi/vis_64.il b/security/nss/lib/freebl/mpi/vis_64.il
deleted file mode 100644
index 1ad8207fa..000000000
--- a/security/nss/lib/freebl/mpi/vis_64.il
+++ /dev/null
@@ -1,1030 +0,0 @@
-! 
-! ***** BEGIN LICENSE BLOCK *****
-! Version: MPL 1.1/GPL 2.0/LGPL 2.1
-!
-! The contents of this file are subject to the Mozilla Public License Version
-! 1.1 (the "License"); you may not use this file except in compliance with
-! the License. You may obtain a copy of the License at
-! http://www.mozilla.org/MPL/
-!
-! Software distributed under the License is distributed on an "AS IS" basis,
-! WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-! for the specific language governing rights and limitations under the
-! License.
-!
-! The Original Code is vis inline macros (64 bit).  (vis_64.il 3.4).
-!
-! The Initial Developer of the Original Code is
-! Sun Microsystems Inc.
-! Portions created by the Initial Developer are Copyright (C) 1998-2000
-! the Initial Developer. All Rights Reserved.
-!
-! Contributor(s):
-!
-! Alternatively, the contents of this file may be used under the terms of
-! either the GNU General Public License Version 2 or later (the "GPL"), or
-! the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-! in which case the provisions of the GPL or the LGPL are applicable instead
-! of those above. If you wish to allow use of your version of this file only
-! under the terms of either the GPL or the LGPL, and not to allow others to
-! use your version of this file under the terms of the MPL, indicate your
-! decision by deleting the provisions above and replace them with the notice
-! and other provisions required by the GPL or the LGPL. If you do not delete
-! the provisions above, a recipient may use your version of this file under
-! the terms of any one of the MPL, the GPL or the LGPL.
-!
-! ***** END LICENSE BLOCK *****
-! $Id$
-
-! This file is to be used in place of vis.il in 64-bit builds.
-
-!--------------------------------------------------------------------
-! Pure edge handling instructions
-!
-! int vis_edge8(void */*frs1*/, void */*frs2*/);
-!
-	.inline vis_edge8,16
-	edge8	%o0,%o1,%o0
-	.end
-!
-! int vis_edge8l(void */*frs1*/, void */*frs2*/);
-!
-	.inline vis_edge8l,16
-	edge8l	%o0,%o1,%o0
-	.end
-!
-! int vis_edge16(void */*frs1*/, void */*frs2*/);
-!
-	.inline vis_edge16,16
-	edge16	%o0,%o1,%o0
-	.end
-!
-! int vis_edge16l(void */*frs1*/, void */*frs2*/);
-!
-	.inline vis_edge16l,16
-	edge16l	%o0,%o1,%o0
-	.end
-!
-! int vis_edge32(void */*frs1*/, void */*frs2*/);
-!
-	.inline vis_edge32,16
-	edge32	%o0,%o1,%o0
-	.end
-!
-! int vis_edge32l(void */*frs1*/, void */*frs2*/);
-!
-	.inline vis_edge32l,16
-	edge32l	%o0,%o1,%o0
-	.end
-
-!--------------------------------------------------------------------
-! Edge handling instructions with negative return values if cc set
-!
-! int vis_edge8cc(void */*frs1*/, void */*frs2*/);
-!
-	.inline vis_edge8cc,16
-	edge8	%o0,%o1,%o0
-	mov     0,%o1
-	movgu   %xcc,-1024,%o1
-	or      %o1,%o0,%o0
-	.end
-!
-! int vis_edge8lcc(void */*frs1*/, void */*frs2*/);
-!
-	.inline vis_edge8lcc,16
-	edge8l	%o0,%o1,%o0
-	mov     0,%o1
-	movgu   %xcc,-1024,%o1
-	or      %o1,%o0,%o0
-	.end
-!
-! int vis_edge16cc(void */*frs1*/, void */*frs2*/);
-!
-	.inline vis_edge16cc,16
-	edge16	%o0,%o1,%o0
-	mov     0,%o1
-	movgu   %xcc,-1024,%o1
-	or      %o1,%o0,%o0
-	.end
-!
-! int vis_edge16lcc(void */*frs1*/, void */*frs2*/);
-!
-	.inline vis_edge16lcc,16
-	edge16l	%o0,%o1,%o0
-	mov     0,%o1
-	movgu   %xcc,-1024,%o1
-	or      %o1,%o0,%o0
-	.end
-!
-! int vis_edge32cc(void */*frs1*/, void */*frs2*/);
-!
-	.inline vis_edge32cc,16
-	edge32	%o0,%o1,%o0
-	mov     0,%o1
-	movgu   %xcc,-1024,%o1
-	or      %o1,%o0,%o0
-	.end
-!
-! int vis_edge32lcc(void */*frs1*/, void */*frs2*/);
-!
-	.inline vis_edge32lcc,16
-	edge32l	%o0,%o1,%o0
-	mov     0,%o1
-	movgu   %xcc,-1024,%o1
-	or      %o1,%o0,%o0
-	.end
-
-!--------------------------------------------------------------------
-! Alignment instructions
-!
-! void *vis_alignaddr(void */*rs1*/, int /*rs2*/);
-!
-	.inline vis_alignaddr,12
-	alignaddr	%o0,%o1,%o0
-	.end
-!
-! void *vis_alignaddrl(void */*rs1*/, int /*rs2*/);
-!
-	.inline vis_alignaddrl,12
-	alignaddrl	%o0,%o1,%o0
-	.end
-!
-! double vis_faligndata(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_faligndata,16
-	faligndata	%f0,%f2,%f0
-	.end
-
-!--------------------------------------------------------------------
-! Partitioned comparison instructions
-!
-! int vis_fcmple16(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fcmple16,16
-	fcmple16	%f0,%f2,%o0
-	.end
-!
-! int vis_fcmpne16(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fcmpne16,16
-	fcmpne16	%f0,%f2,%o0
-	.end
-!
-! int vis_fcmple32(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fcmple32,16
-	fcmple32	%f0,%f2,%o0
-	.end
-!
-! int vis_fcmpne32(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fcmpne32,16
-	fcmpne32	%f0,%f2,%o0
-	.end
-!
-! int vis_fcmpgt16(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fcmpgt16,16
-	fcmpgt16	%f0,%f2,%o0
-	.end
-!
-! int vis_fcmpeq16(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fcmpeq16,16
-	fcmpeq16	%f0,%f2,%o0
-	.end
-!
-! int vis_fcmpgt32(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fcmpgt32,16
-	fcmpgt32	%f0,%f2,%o0
-	.end
-!
-! int vis_fcmpeq32(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fcmpeq32,16
-	fcmpeq32	%f0,%f2,%o0
-	.end
-
-!--------------------------------------------------------------------
-! Partitioned arithmetic
-!
-! double vis_fmul8x16(float /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fmul8x16,12
-	fmul8x16	%f1,%f2,%f0
-	.end
-!
-! double vis_fmul8x16_dummy(float /*frs1*/, int /*dummy*/, double /*frs2*/);
-!
-	.inline vis_fmul8x16_dummy,16
-	fmul8x16	%f1,%f4,%f0
-	.end
-!
-! double vis_fmul8x16au(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fmul8x16au,8
-	fmul8x16au	%f1,%f3,%f0
-	.end
-!
-! double vis_fmul8x16al(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fmul8x16al,8
-	fmul8x16al	%f1,%f3,%f0
-	.end
-!
-! double vis_fmul8sux16(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fmul8sux16,16
-	fmul8sux16	%f0,%f2,%f0
-	.end
-!
-! double vis_fmul8ulx16(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fmul8ulx16,16
-	fmul8ulx16	%f0,%f2,%f0
-	.end
-!
-! double vis_fmuld8sux16(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fmuld8sux16,8
-	fmuld8sux16	%f1,%f3,%f0
-	.end
-!
-! double vis_fmuld8ulx16(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fmuld8ulx16,8
-	fmuld8ulx16	%f1,%f3,%f0
-	.end
-!
-! double vis_fpadd16(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fpadd16,16
-	fpadd16	%f0,%f2,%f0
-	.end
-!
-! float vis_fpadd16s(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fpadd16s,8
-	fpadd16s	%f1,%f3,%f0
-	.end
-!
-! double vis_fpadd32(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fpadd32,16
-	fpadd32	%f0,%f2,%f0
-	.end
-!
-! float vis_fpadd32s(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fpadd32s,8
-	fpadd32s	%f1,%f3,%f0
-	.end
-!
-! double vis_fpsub16(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fpsub16,16
-	fpsub16	%f0,%f2,%f0
-	.end
-!
-! float vis_fpsub16s(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fpsub16s,8
-	fpsub16s	%f1,%f3,%f0
-	.end
-!
-! double vis_fpsub32(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fpsub32,16
-	fpsub32	%f0,%f2,%f0
-	.end
-!
-! float vis_fpsub32s(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fpsub32s,8
-	fpsub32s	%f1,%f3,%f0
-	.end
-
-!--------------------------------------------------------------------
-! Pixel packing
-!
-! float vis_fpack16(double /*frs2*/);
-!
-	.inline vis_fpack16,8
-	fpack16	%f0,%f0
-	.end
-!
-! double vis_fpack16_pair(double /*frs2*/, double /*frs2*/);
-!
-	.inline vis_fpack16_pair,16
-	fpack16	%f0,%f0
-	fpack16	%f2,%f1
-	.end
-!
-! void vis_st2_fpack16(double, double, double *)
-!
-	.inline vis_st2_fpack16,24
- 	fpack16	%f0,%f0
- 	fpack16	%f2,%f1
- 	st	%f0,[%o2+0]
- 	st	%f1,[%o2+4]
- 	.end
-!
-! void vis_std_fpack16(double, double, double *)
-!
-	.inline vis_std_fpack16,24
-	fpack16	%f0,%f0
-	fpack16	%f2,%f1
-	std	%f0,[%o2]
-	.end
-!
-! void vis_st2_fpackfix(double, double, double *)
-!
-	.inline vis_st2_fpackfix,24
- 	fpackfix %f0,%f0
- 	fpackfix %f2,%f1
- 	st	%f0,[%o2+0]
- 	st	%f1,[%o2+4]
- 	.end
-!
-! double vis_fpack16_to_hi(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fpack16_to_hi,16
-	fpack16	%f2,%f0
-	.end
-
-! double vis_fpack16_to_lo(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fpack16_to_lo,16
-	fpack16	%f2,%f3
-	fmovs	%f3,%f1		/* without this, optimizer goes wrong */
-	.end
-
-!
-! double vis_fpack32(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fpack32,16
-	fpack32	%f0,%f2,%f0
-	.end
-!
-! float vis_fpackfix(double /*frs2*/);
-!
-	.inline vis_fpackfix,8
-	fpackfix	%f0,%f0
-	.end
-!
-! double vis_fpackfix_pair(double /*frs2*/, double /*frs2*/);
-!
-	.inline vis_fpackfix_pair,16
-	fpackfix	%f0,%f0
-	fpackfix	%f2,%f1
-	.end
-
-!--------------------------------------------------------------------
-! Motion estimation
-!
-! double vis_pxldist64(double accum /*frd*/, double pxls1 /*frs1*/, 
-!		       double pxls2 /*frs2*/);
-!
-	.inline vis_pxldist64,24
-	pdist	%f2,%f4,%f0
-	.end
-
-!--------------------------------------------------------------------
-! Channel merging
-!
-! double vis_fpmerge(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fpmerge,8
-	fpmerge	%f1,%f3,%f0
-	.end
-
-!--------------------------------------------------------------------
-! Pixel expansion
-!
-! double vis_fexpand(float /*frs2*/);
-!
-	.inline vis_fexpand,4
-	fexpand	%f1,%f0
-	.end
-
-! double vis_fexpand_hi(double /*frs2*/);
-!
-	.inline vis_fexpand_hi,8
-	fexpand	%f0,%f0
-	.end
-
-! double vis_fexpand_lo(double /*frs2*/);
-!
-	.inline vis_fexpand_lo,8
-	fexpand	%f1,%f0
-	.end
-
-!--------------------------------------------------------------------
-! Bitwise logical operations
-!
-! double vis_fnor(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fnor,16
-	fnor	%f0,%f2,%f0
-	.end
-!
-! float vis_fnors(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fnors,8
-	fnors	%f1,%f3,%f0
-	.end
-!
-! double vis_fandnot(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fandnot,16
-	fandnot1 %f0,%f2,%f0
-	.end
-!
-! float vis_fandnots(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fandnots,8
-	fandnot1s %f1,%f3,%f0
-	.end
-!
-! double vis_fnot(double /*frs1*/);
-!
-	.inline vis_fnot,8
-	fnot1	%f0,%f0
-	.end
-!
-! float vis_fnots(float /*frs1*/);
-!
-	.inline vis_fnots,4
-	fnot1s	%f1,%f0
-	.end
-!
-! double vis_fxor(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fxor,16
-	fxor	%f0,%f2,%f0
-	.end
-!
-! float vis_fxors(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fxors,8
-	fxors	%f1,%f3,%f0
-	.end
-!
-! double vis_fnand(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fnand,16
-	fnand	%f0,%f2,%f0
-	.end
-!
-! float vis_fnands(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fnands,8
-	fnands	%f1,%f3,%f0
-	.end
-!
-! double vis_fand(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fand,16
-	fand	%f0,%f2,%f0
-	.end
-!
-! float vis_fands(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fands,8
-	fands	%f1,%f3,%f0
-	.end
-!
-! double vis_fxnor(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fxnor,16
-	fxnor	%f0,%f2,%f0
-	.end
-!
-! float vis_fxnors(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fxnors,8
-	fxnors	%f1,%f3,%f0
-	.end
-!
-! double vis_fsrc(double /*frs1*/);
-!
-	.inline vis_fsrc,8
-	fsrc1	%f0,%f0
-	.end
-!
-! float vis_fsrcs(float /*frs1*/);
-!
-	.inline vis_fsrcs,4
-	fsrc1s	%f1,%f0
-	.end
-!
-! double vis_fornot(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_fornot,16
-	fornot1	%f0,%f2,%f0
-	.end
-!
-! float vis_fornots(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fornots,8
-	fornot1s %f1,%f3,%f0
-	.end
-!
-! double vis_for(double /*frs1*/, double /*frs2*/);
-!
-	.inline vis_for,16
-	for	%f0,%f2,%f0
-	.end
-!
-! float vis_fors(float /*frs1*/, float /*frs2*/);
-!
-	.inline vis_fors,8
-	fors	%f1,%f3,%f0
-	.end
-!
-! double vis_fzero(/* void */)
-!
-	.inline	vis_fzero,0
-	fzero	%f0
-	.end
-!
-! float vis_fzeros(/* void */)
-!
-	.inline	vis_fzeros,0
-	fzeros	%f0
-	.end
-!
-! double vis_fone(/* void */)
-!
-	.inline	vis_fone,0
-	fone	%f0
-	.end
-!
-! float vis_fones(/* void */)
-!
-	.inline	vis_fones,0
-	fones	%f0
-	.end
-
-!--------------------------------------------------------------------
-! Partial store instructions
-!
-! vis_stdfa_ASI_PST8P(double frd, void *rs1, int rmask)
-!
-	.inline vis_stdfa_ASI_PST8P,20
-	stda	%f0,[%o1]%o2,0xc0	! ASI_PST8_P
-	.end
-!
-! vis_stdfa_ASI_PST8PL(double frd, void *rs1, int rmask)
-!
-	.inline vis_stdfa_ASI_PST8PL,20
-	stda	%f0,[%o1]%o2,0xc8	! ASI_PST8_PL
-	.end
-!
-! vis_stdfa_ASI_PST8P_int_pair(void *rs1, void *rs2, void *rs3, int rmask);
-!
-	.inline vis_stdfa_ASI_PST8P_int_pair,28
-        ld	[%o0],%f4
-        ld	[%o1],%f5
-	stda	%f4,[%o2]%o3,0xc0	! ASI_PST8_P
-	.end
-!
-! vis_stdfa_ASI_PST8S(double frd, void *rs1, int rmask)
-!
-	.inline vis_stdfa_ASI_PST8S,20
-	stda	%f0,[%o1]%o2,0xc1	! ASI_PST8_S
-	.end
-!
-! vis_stdfa_ASI_PST16P(double frd, void *rs1, int rmask)
-!
-	.inline vis_stdfa_ASI_PST16P,20
-	stda	%f0,[%o1]%o2,0xc2	! ASI_PST16_P
-	.end
-!
-! vis_stdfa_ASI_PST16S(double frd, void *rs1, int rmask)
-!
-	.inline vis_stdfa_ASI_PST16S,20
-	stda	%f0,[%o1]%o2,0xc3	! ASI_PST16_S
-	.end
-!
-! vis_stdfa_ASI_PST32P(double frd, void *rs1, int rmask)
-!
-	.inline vis_stdfa_ASI_PST32P,20
-	stda	%f0,[%o1]%o2,0xc4	! ASI_PST32_P
-	.end
-!
-! vis_stdfa_ASI_PST32S(double frd, void *rs1, int rmask)
-!
-	.inline vis_stdfa_ASI_PST32S,20
-	stda	%f0,[%o1]%o2,0xc5	! ASI_PST32_S
-	.end
-
-!--------------------------------------------------------------------
-! Short store instructions
-!
-! vis_stdfa_ASI_FL8P(double frd, void *rs1)
-!
-	.inline vis_stdfa_ASI_FL8P,16
-	stda	%f0,[%o1]0xd0	! ASI_FL8_P
-	.end
-!
-! vis_stdfa_ASI_FL8P_index(double frd, void *rs1, long index)
-!
-	.inline vis_stdfa_ASI_FL8P_index,24
-	stda	%f0,[%o1+%o2]0xd0 ! ASI_FL8_P
-	.end
-!
-! vis_stdfa_ASI_FL8S(double frd, void *rs1)
-!
-	.inline vis_stdfa_ASI_FL8S,16
-	stda	%f0,[%o1]0xd1	! ASI_FL8_S
-	.end
-!
-! vis_stdfa_ASI_FL16P(double frd, void *rs1)
-!
-	.inline vis_stdfa_ASI_FL16P,16
-	stda	%f0,[%o1]0xd2	! ASI_FL16_P
-	.end
-!
-! vis_stdfa_ASI_FL16P_index(double frd, void *rs1, long index)
-!
-	.inline vis_stdfa_ASI_FL16P_index,24
-	stda	%f0,[%o1+%o2]0xd2 ! ASI_FL16_P
-	.end
-!
-! vis_stdfa_ASI_FL16S(double frd, void *rs1)
-!
-	.inline vis_stdfa_ASI_FL16S,16
-	stda	%f0,[%o1]0xd3	! ASI_FL16_S
-	.end
-!
-! vis_stdfa_ASI_FL8PL(double frd, void *rs1)
-!
-	.inline vis_stdfa_ASI_FL8PL,16
-	stda	%f0,[%o1]0xd8	! ASI_FL8_PL
-	.end
-!
-! vis_stdfa_ASI_FL8SL(double frd, void *rs1)
-!
-	.inline vis_stdfa_ASI_FL8SL,16
-	stda	%f0,[%o1]0xd9	! ASI_FL8_SL
-	.end
-!
-! vis_stdfa_ASI_FL16PL(double frd, void *rs1)
-!
-	.inline vis_stdfa_ASI_FL16PL,16
-	stda	%f0,[%o1]0xda	! ASI_FL16_PL
-	.end
-!
-! vis_stdfa_ASI_FL16SL(double frd, void *rs1)
-!
-	.inline vis_stdfa_ASI_FL16SL,16
-	stda	%f0,[%o1]0xdb	! ASI_FL16_SL
-	.end
-
-!--------------------------------------------------------------------
-! Short load instructions
-!
-! double vis_lddfa_ASI_FL8P(void *rs1)
-!
-	.inline vis_lddfa_ASI_FL8P,8
-	ldda	[%o0]0xd0,%f4	! ASI_FL8_P
-	fmovd	%f4,%f0	        ! Compiler can clean this up
-	.end
-!
-! double vis_lddfa_ASI_FL8P_index(void *rs1, long index)
-!
-	.inline vis_lddfa_ASI_FL8P_index,16
-	ldda	[%o0+%o1]0xd0,%f4
-	fmovd	%f4,%f0
-	.end
-!
-! double vis_lddfa_ASI_FL8P_hi(void *rs1, unsigned int index)
-!
-	.inline vis_lddfa_ASI_FL8P_hi,12
-	sra     %o1,16,%o1
-	ldda	[%o0+%o1]0xd0,%f4
-	fmovd	%f4,%f0
-	.end
-!
-! double vis_lddfa_ASI_FL8P_lo(void *rs1, unsigned int index)
-!
-	.inline vis_lddfa_ASI_FL8P_lo,12
-	sll     %o1,16,%o1
-	sra     %o1,16,%o1
-	ldda	[%o0+%o1]0xd0,%f4
-	fmovd	%f4,%f0
-	.end
-!
-! double vis_lddfa_ASI_FL8S(void *rs1)
-!
-	.inline vis_lddfa_ASI_FL8S,8
-	ldda	[%o0]0xd1,%f4	! ASI_FL8_S
-	fmovd	%f4,%f0
-	.end
-!
-! double vis_lddfa_ASI_FL16P(void *rs1)
-!
-	.inline vis_lddfa_ASI_FL16P,8
-	ldda	[%o0]0xd2,%f4	! ASI_FL16_P
-	fmovd	%f4,%f0
-	.end
-!
-! double vis_lddfa_ASI_FL16P_index(void *rs1, long index)
-!
-	.inline vis_lddfa_ASI_FL16P_index,16
-	ldda	[%o0+%o1]0xd2,%f4 ! ASI_FL16_P
-	fmovd	%f4,%f0
-	.end
-!
-! double vis_lddfa_ASI_FL16S(void *rs1)
-!
-	.inline vis_lddfa_ASI_FL16S,8
-	ldda	[%o0]0xd3,%f4	! ASI_FL16_S
-	fmovd	%f4,%f0
-	.end
-!
-! double vis_lddfa_ASI_FL8PL(void *rs1)
-!
-	.inline vis_lddfa_ASI_FL8PL,8
-	ldda	[%o0]0xd8,%f4	! ASI_FL8_PL
-	fmovd	%f4,%f0
-	.end
-!
-! double vis_lddfa_ASI_FL8PL_index(void *rs1, long index)
-!
-	.inline vis_lddfa_ASI_FL8PL_index,16
-	ldda	[%o0+%o1]0xd8,%f4	! ASI_FL8_PL
-	fmovd	%f4,%f0
-	.end
-!
-! double vis_lddfa_ASI_FL8SL(void *rs1)
-!
-	.inline vis_lddfa_ASI_FL8SL,8
-	ldda	[%o0]0xd9,%f4	! ASI_FL8_SL
-	fmovd	%f4,%f0
-	.end
-!
-! double vis_lddfa_ASI_FL16PL(void *rs1)
-!
-	.inline vis_lddfa_ASI_FL16PL,8
-	ldda	[%o0]0xda,%f4	! ASI_FL16_PL
-	fmovd	%f4,%f0
-	.end
-!
-! double vis_lddfa_ASI_FL16PL_index(void *rs1, long index)
-!
-	.inline vis_lddfa_ASI_FL16PL_index,16
-	ldda	[%o0+%o1]0xda,%f4	! ASI_FL16_PL
-	fmovd	%f4,%f0
-	.end
-!
-! double vis_lddfa_ASI_FL16SL(void *rs1)
-!
-	.inline vis_lddfa_ASI_FL16SL,8
-	ldda	[%o0]0xdb,%f4	! ASI_FL16_SL
-	fmovd	%f4,%f0
-	.end
-
-!--------------------------------------------------------------------
-! Graphics status register
-!
-! unsigned int vis_read_gsr(void)
-!
-	.inline vis_read_gsr,0
-	rd	%gsr,%o0
-	.end
-!
-! void vis_write_gsr(unsigned int /* GSR */)
-!
-	.inline vis_write_gsr,4
-	wr	%g0,%o0,%gsr
-	.end
-
-!--------------------------------------------------------------------
-! Voxel texture mapping
-!
-! unsigned long vis_array8(unsigned long long /*rs1 */, int /*rs2*/)
-!
-	.inline	vis_array8,12
-	array8	%o0,%o1,%o0
-	.end
-!
-! unsigned long vis_array16(unsigned long long /*rs1*/, int /*rs2*/)
-!
-	.inline	vis_array16,12
-	array16	%o0,%o1,%o0
-	.end
-!
-! unsigned long vis_array32(unsigned long long /*rs1*/, int /*rs2*/)
-!
-	.inline	vis_array32,12
-	array32	%o0,%o1,%o0
-	.end
-
-!--------------------------------------------------------------------
-! Register aliasing and type casts
-!
-! float vis_read_hi(double /* frs1 */);
-!
-	.inline vis_read_hi,8
-	fmovs	%f0,%f0
-	.end
-!
-! float vis_read_lo(double /* frs1 */);
-!
-	.inline vis_read_lo,8
-	fmovs	%f1,%f0		! %f0 = low word (frs1); return %f0;
-	.end
-!
-! double vis_write_hi(double /* frs1 */, float /* frs2 */);
-!
-	.inline vis_write_hi,12
-	fmovs	%f3,%f0		! %f3 = float frs2; return %f0:f1;
-	.end
-!
-! double vis_write_lo(double /* frs1 */, float /* frs2 */);
-!
-	.inline vis_write_lo,12
-	fmovs	%f3,%f1		! %f3 = float frs2; return %f0:f1;
-	.end
-!
-! double vis_freg_pair(float /* frs1 */, float /* frs2 */);
-!
-	.inline vis_freg_pair,8
-	fmovs	%f1,%f0		! %f1 = float frs1; put in hi;
-	fmovs	%f3,%f1		! %f3 = float frs2; put in lo; return %f0:f1;
-	.end
-!
-! float vis_to_float(unsigned int /*value*/);
-!
-	.inline vis_to_float,4
-	st	%o0,[%sp+2183]
-	ld	[%sp+2183],%f0
-	.end
-!
-! double vis_to_double(unsigned int /*value1*/, unsigned int /*value2*/);
-!
-	.inline vis_to_double,8
-	st	%o0,[%sp+2183]
-	ld	[%sp+2183],%f0
-	st	%o1,[%sp+2183]
-	ld	[%sp+2183],%f1
-	.end
-!
-! double vis_to_double_dup(unsigned int /*value*/);
-!
-	.inline vis_to_double_dup,4
-	st	%o0,[%sp+2183]
-	ld	[%sp+2183],%f1
-	fmovs	%f1,%f0		! duplicate value
-	.end
-!
-! double vis_ll_to_double(unsigned long long /*value*/);
-!
-	.inline vis_ll_to_double,8
-	stx     %o0,[%sp+2183]
-	ldd     [%sp+2183],%f0
-        .end
-
-!--------------------------------------------------------------------
-! Address space identifier (ASI) register
-!
-! unsigned int vis_read_asi(void)
-!
-	.inline vis_read_asi,0
-	rd	%asi,%o0
-	.end
-!
-! void vis_write_asi(unsigned int /* ASI */)
-!
-	.inline vis_write_asi,4
-	wr	%g0,%o0,%asi
-	.end
-
-!--------------------------------------------------------------------
-! Load/store from/into alternate space
-!
-! float vis_ldfa_ASI_REG(void *rs1)
-!
-	.inline vis_ldfa_ASI_REG,8
-	lda	[%o0+0]%asi,%f4
-	fmovs	%f4,%f0	        ! Compiler can clean this up
-	.end
-!
-! float vis_ldfa_ASI_P(void *rs1)
-!
-	.inline vis_ldfa_ASI_P,8
-	lda	[%o0]0x80,%f4	! ASI_P
-	fmovs	%f4,%f0	        ! Compiler can clean this up
-	.end
-!
-! float vis_ldfa_ASI_PL(void *rs1)
-!
-	.inline vis_ldfa_ASI_PL,8
-	lda	[%o0]0x88,%f4	! ASI_PL
-	fmovs	%f4,%f0	        ! Compiler can clean this up
-	.end
-!
-! double vis_lddfa_ASI_REG(void *rs1)
-!
-	.inline vis_lddfa_ASI_REG,8
-	ldda	[%o0+0]%asi,%f4
-	fmovd	%f4,%f0	        ! Compiler can clean this up
-	.end
-!
-! double vis_lddfa_ASI_P(void *rs1)
-!
-	.inline vis_lddfa_ASI_P,8
-	ldda	[%o0]0x80,%f4	! ASI_P
-	fmovd	%f4,%f0	        ! Compiler can clean this up
-	.end
-!
-! double vis_lddfa_ASI_PL(void *rs1)
-!
-	.inline vis_lddfa_ASI_PL,8
-	ldda	[%o0]0x88,%f4	! ASI_PL
-	fmovd	%f4,%f0	        ! Compiler can clean this up
-	.end
-!
-! vis_stfa_ASI_REG(float frs, void *rs1)
-!
-	.inline vis_stfa_ASI_REG,12
-	sta	%f1,[%o1+0]%asi
-	.end
-!
-! vis_stfa_ASI_P(float frs, void *rs1)
-!
-	.inline vis_stfa_ASI_P,12
-	sta	%f1,[%o1]0x80	! ASI_P
-	.end
-!
-! vis_stfa_ASI_PL(float frs, void *rs1)
-!
-	.inline vis_stfa_ASI_PL,12
-	sta	%f1,[%o1]0x88	! ASI_PL
-	.end
-!
-! vis_stdfa_ASI_REG(double frd, void *rs1)
-!
-	.inline vis_stdfa_ASI_REG,16
-	stda	%f0,[%o1+0]%asi
-	.end
-!
-! vis_stdfa_ASI_P(double frd, void *rs1)
-!
-	.inline vis_stdfa_ASI_P,16
-	stda	%f0,[%o1]0x80	! ASI_P
-	.end
-!
-! vis_stdfa_ASI_PL(double frd, void *rs1)
-!
-	.inline vis_stdfa_ASI_PL,16
-	stda	%f0,[%o1]0x88	! ASI_PL
-	.end
-!
-! unsigned short vis_lduha_ASI_REG(void *rs1)
-!
-	.inline vis_lduha_ASI_REG,8
-	lduha	[%o0+0]%asi,%o0
-	.end
-!
-! unsigned short vis_lduha_ASI_P(void *rs1)
-!
-	.inline vis_lduha_ASI_P,8
-	lduha	[%o0]0x80,%o0	! ASI_P
-	.end
-!
-! unsigned short vis_lduha_ASI_PL(void *rs1)
-!
-	.inline vis_lduha_ASI_PL,8
-	lduha	[%o0]0x88,%o0	! ASI_PL
-	.end
-!
-! unsigned short vis_lduha_ASI_P_index(void *rs1, long index)
-!
-	.inline vis_lduha_ASI_P_index,16
-	lduha	[%o0+%o1]0x80,%o0	! ASI_P
-	.end
-!
-! unsigned short vis_lduha_ASI_PL_index(void *rs1, long index)
-!
-	.inline vis_lduha_ASI_PL_index,16
-	lduha	[%o0+%o1]0x88,%o0	! ASI_PL
-	.end
-
-!--------------------------------------------------------------------
-! Prefetch
-!
-! void vis_prefetch_read(void * /*address*/);
-!
-	.inline vis_prefetch_read,8
-	prefetch	[%o0+0],0
-	.end
-!
-! void vis_prefetch_write(void * /*address*/);
-!
-	.inline vis_prefetch_write,8
-	prefetch	[%o0+0],2
-	.end
diff --git a/security/nss/lib/freebl/mpi/vis_proto.h b/security/nss/lib/freebl/mpi/vis_proto.h
deleted file mode 100644
index 2790fedd0..000000000
--- a/security/nss/lib/freebl/mpi/vis_proto.h
+++ /dev/null
@@ -1,267 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is prototypes for vis.il  (vis_proto.h 1.3).
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems Inc.
- * Portions created by the Initial Developer are Copyright (C) 1995
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-/*
- * Prototypes for the inline templates in vis.il
- */
-
-#ifndef VIS_PROTO_H
-#define VIS_PROTO_H
-
-#pragma ident	"@(#)vis_proto.h	1.3	97/03/30 SMI"
-
-#ifdef __cplusplus
-extern "C" {
-#endif /* __cplusplus */
-
-/* Pure edge handling instructions */
-int vis_edge8(void * /*frs1*/, void * /*frs2*/);
-int vis_edge8l(void * /*frs1*/, void * /*frs2*/);
-int vis_edge16(void * /*frs1*/, void * /*frs2*/);
-int vis_edge16l(void * /*frs1*/, void * /*frs2*/);
-int vis_edge32(void * /*frs1*/, void * /*frs2*/);
-int vis_edge32l(void * /*frs1*/, void * /*frs2*/);
-
-/* Edge handling instructions with negative return values if cc set. */
-int vis_edge8cc(void * /*frs1*/, void * /*frs2*/);
-int vis_edge8lcc(void * /*frs1*/, void * /*frs2*/);
-int vis_edge16cc(void * /*frs1*/, void * /*frs2*/);
-int vis_edge16lcc(void * /*frs1*/, void * /*frs2*/);
-int vis_edge32cc(void * /*frs1*/, void * /*frs2*/);
-int vis_edge32lcc(void * /*frs1*/, void * /*frs2*/);
-
-/* Alignment instructions. */
-void *vis_alignaddr(void * /*rs1*/, int /*rs2*/);
-void *vis_alignaddrl(void * /*rs1*/, int /*rs2*/);
-double vis_faligndata(double /*frs1*/, double /*frs2*/);
-
-/* Partitioned comparison instructions. */
-int vis_fcmple16(double /*frs1*/, double /*frs2*/);
-int vis_fcmpne16(double /*frs1*/, double /*frs2*/);
-int vis_fcmple32(double /*frs1*/, double /*frs2*/);
-int vis_fcmpne32(double /*frs1*/, double /*frs2*/);
-int vis_fcmpgt16(double /*frs1*/, double /*frs2*/);
-int vis_fcmpeq16(double /*frs1*/, double /*frs2*/);
-int vis_fcmpgt32(double /*frs1*/, double /*frs2*/);
-int vis_fcmpeq32(double /*frs1*/, double /*frs2*/);
-
-/* Partitioned multiplication. */
-#if 0
-double vis_fmul8x16(float /*frs1*/, double /*frs2*/);
-#endif
-double vis_fmul8x16_dummy(float /*frs1*/, int /*dummy*/, double /*frs2*/);
-double vis_fmul8x16au(float /*frs1*/, float /*frs2*/);
-double vis_fmul8x16al(float /*frs1*/, float /*frs2*/);
-double vis_fmul8sux16(double /*frs1*/, double /*frs2*/);
-double vis_fmul8ulx16(double /*frs1*/, double /*frs2*/);
-double vis_fmuld8ulx16(float /*frs1*/, float /*frs2*/);
-double vis_fmuld8sux16(float /*frs1*/, float /*frs2*/);
-
-/* Partitioned addition & subtraction. */
-double vis_fpadd16(double /*frs1*/, double /*frs2*/);
-float vis_fpadd16s(float /*frs1*/, float /*frs2*/);
-double vis_fpadd32(double /*frs1*/, double /*frs2*/);
-float vis_fpadd32s(float /*frs1*/, float /*frs2*/);
-double vis_fpsub16(double /*frs1*/, double /*frs2*/);
-float vis_fpsub16s(float /*frs1*/, float /*frs2*/);
-double vis_fpsub32(double /*frs1*/, double /*frs2*/);
-float vis_fpsub32s(float /*frs1*/, float /*frs2*/);
-
-/* Pixel packing & clamping. */
-float vis_fpack16(double /*frs2*/);
-double vis_fpack32(double /*frs1*/, double /*frs2*/);
-float vis_fpackfix(double /*frs2*/);
-
-/* Combined pack ops. */
-double vis_fpack16_pair(double /*frs2*/, double /*frs2*/);
-double vis_fpackfix_pair(double /*frs2*/, double /*frs2*/);
-void vis_st2_fpack16(double, double, double *);
-void vis_std_fpack16(double, double, double *);
-void vis_st2_fpackfix(double, double, double *);
-
-double vis_fpack16_to_hi(double /*frs1*/, double /*frs2*/);
-double vis_fpack16_to_lo(double /*frs1*/, double /*frs2*/);
-
-/* Motion estimation. */
-double vis_pdist(double /*frs1*/, double /*frs2*/, double /*frd*/);
-
-/* Channel merging. */
-double vis_fpmerge(float /*frs1*/, float /*frs2*/);
-
-/* Pixel expansion. */
-double vis_fexpand(float /*frs2*/);
-double vis_fexpand_hi(double /*frs2*/);
-double vis_fexpand_lo(double /*frs2*/);
-
-/* Bitwise logical operators. */
-double vis_fnor(double /*frs1*/, double /*frs2*/);
-float vis_fnors(float /*frs1*/, float /*frs2*/);
-double vis_fandnot(double /*frs1*/, double /*frs2*/);
-float vis_fandnots(float /*frs1*/, float /*frs2*/);
-double vis_fnot(double /*frs1*/);
-float vis_fnots(float /*frs1*/);
-double vis_fxor(double /*frs1*/, double /*frs2*/);
-float vis_fxors(float /*frs1*/, float /*frs2*/);
-double vis_fnand(double /*frs1*/, double /*frs2*/);
-float vis_fnands(float /*frs1*/, float /*frs2*/);
-double vis_fand(double /*frs1*/, double /*frs2*/);
-float vis_fands(float /*frs1*/, float /*frs2*/);
-double vis_fxnor(double /*frs1*/, double /*frs2*/);
-float vis_fxnors(float /*frs1*/, float /*frs2*/);
-double vis_fsrc(double /*frs1*/);
-float vis_fsrcs(float /*frs1*/);
-double vis_fornot(double /*frs1*/, double /*frs2*/);
-float vis_fornots(float /*frs1*/, float /*frs2*/);
-double vis_for(double /*frs1*/, double /*frs2*/);
-float vis_fors(float /*frs1*/, float /*frs2*/);
-double vis_fzero(void);
-float vis_fzeros(void);
-double vis_fone(void);
-float vis_fones(void);
-
-/* Partial stores. */
-void vis_stdfa_ASI_PST8P(double /*frd*/, void * /*rs1*/, int /*rmask*/);
-void vis_stdfa_ASI_PST8PL(double /*frd*/, void * /*rs1*/, int /*rmask*/);
-void vis_stdfa_ASI_PST8P_int_pair(void * /*rs1*/, void * /*rs2*/,
-                                  void * /*rs3*/, int /*rmask*/);
-void vis_stdfa_ASI_PST8S(double /*frd*/, void * /*rs1*/, int /*rmask*/);
-void vis_stdfa_ASI_PST16P(double /*frd*/, void * /*rs1*/, int /*rmask*/);
-void vis_stdfa_ASI_PST16S(double /*frd*/, void * /*rs1*/, int /*rmask*/);
-void vis_stdfa_ASI_PST32P(double /*frd*/, void * /*rs1*/, int /*rmask*/);
-void vis_stdfa_ASI_PST32S(double /*frd*/, void * /*rs1*/, int /*rmask*/);
-
-/* Byte & short stores. */
-void vis_stdfa_ASI_FL8P(double /*frd*/, void * /*rs1*/);
-void vis_stdfa_ASI_FL8P_index(double /*frd*/, void * /*rs1*/, long /*index*/);
-void vis_stdfa_ASI_FL8S(double /*frd*/, void * /*rs1*/);
-void vis_stdfa_ASI_FL16P(double /*frd*/, void * /*rs1*/);
-void vis_stdfa_ASI_FL16P_index(double /*frd*/, void * /*rs1*/, long /*index*/);
-void vis_stdfa_ASI_FL16S(double /*frd*/, void * /*rs1*/);
-void vis_stdfa_ASI_FL8PL(double /*frd*/, void * /*rs1*/);
-void vis_stdfa_ASI_FL8SL(double /*frd*/, void * /*rs1*/);
-void vis_stdfa_ASI_FL16PL(double /*frd*/, void * /*rs1*/);
-void vis_stdfa_ASI_FL16SL(double /*frd*/, void * /*rs1*/);
-
-/* Byte & short loads. */
-double vis_lddfa_ASI_FL8P(void * /*rs1*/);
-double vis_lddfa_ASI_FL8P_index(void * /*rs1*/, long /*index*/);
-double vis_lddfa_ASI_FL8P_hi(void * /*rs1*/, unsigned int /*index*/);
-double vis_lddfa_ASI_FL8P_lo(void * /*rs1*/, unsigned int /*index*/);
-double vis_lddfa_ASI_FL8S(void * /*rs1*/);
-double vis_lddfa_ASI_FL16P(void * /*rs1*/);
-double vis_lddfa_ASI_FL16P_index(void * /*rs1*/, long /*index*/);
-double vis_lddfa_ASI_FL16S(void * /*rs1*/);
-double vis_lddfa_ASI_FL8PL(void * /*rs1*/);
-double vis_lddfa_ASI_FL8SL(void * /*rs1*/);
-double vis_lddfa_ASI_FL16PL(void * /*rs1*/);
-double vis_lddfa_ASI_FL16SL(void * /*rs1*/);
-
-/* Direct write to GSR, read from GSR */
-void vis_write_gsr(unsigned int /*GSR*/);
-unsigned int vis_read_gsr(void);
-
-/* Voxel texture mapping. */
-#if !defined(_NO_LONGLONG)
-unsigned long vis_array8(unsigned long long /*rs1*/, int /*rs2*/);
-unsigned long vis_array16(unsigned long long /*rs1*/, int /*rs2*/);
-unsigned long vis_array32(unsigned long long /*rs1*/, int /*rs2*/);
-#endif /* !defined(_NO_LONGLONG) */
-
-/* Register aliasing and type casts. */
-float vis_read_hi(double /*frs1*/);
-float vis_read_lo(double /*frs1*/);
-double vis_write_hi(double /*frs1*/, float /*frs2*/);
-double vis_write_lo(double /*frs1*/, float /*frs2*/);
-double vis_freg_pair(float /*frs1*/, float /*frs2*/);
-float vis_to_float(unsigned int /*value*/);
-double vis_to_double(unsigned int /*value1*/, unsigned int /*value2*/);
-double vis_to_double_dup(unsigned int /*value*/);
-#if !defined(_NO_LONGLONG)
-double vis_ll_to_double(unsigned long long /*value*/);
-#endif /* !defined(_NO_LONGLONG) */
-
-/* Miscellany (no inlines) */
-void vis_error(char * /*fmt*/, int /*a0*/);
-void vis_sim_init(void);
-
-/* For better performance */
-#define vis_fmul8x16(farg,darg) vis_fmul8x16_dummy((farg),0,(darg))
-
-/* Nicknames for explicit ASI loads and stores. */
-#define vis_st_u8      vis_stdfa_ASI_FL8P
-#define vis_st_u8_i    vis_stdfa_ASI_FL8P_index
-#define vis_st_u8_le   vis_stdfa_ASI_FL8PL
-#define vis_st_u16     vis_stdfa_ASI_FL16P
-#define vis_st_u16_i   vis_stdfa_ASI_FL16P_index
-#define vis_st_u16_le  vis_stdfa_ASI_FL16PL
-
-#define vis_ld_u8      vis_lddfa_ASI_FL8P
-#define vis_ld_u8_i    vis_lddfa_ASI_FL8P_index
-#define vis_ld_u8_le   vis_lddfa_ASI_FL8PL
-#define vis_ld_u16     vis_lddfa_ASI_FL16P
-#define vis_ld_u16_i   vis_lddfa_ASI_FL16P_index
-#define vis_ld_u16_le  vis_lddfa_ASI_FL16PL
-
-#define vis_pst_8      vis_stdfa_ASI_PST8P
-#define vis_pst_16     vis_stdfa_ASI_PST16P
-#define vis_pst_32     vis_stdfa_ASI_PST32P
-
-#define vis_st_u8s     vis_stdfa_ASI_FL8S
-#define vis_st_u8s_le  vis_stdfa_ASI_FL8SL
-#define vis_st_u16s    vis_stdfa_ASI_FL16S
-#define vis_st_u16s_le vis_stdfa_ASI_FL16SL
-
-#define vis_ld_u8s     vis_lddfa_ASI_FL8S
-#define vis_ld_u8s_le  vis_lddfa_ASI_FL8SL
-#define vis_ld_u16s    vis_lddfa_ASI_FL16S
-#define vis_ld_u16s_le vis_lddfa_ASI_FL16SL
-
-#define vis_pst_8s     vis_stdfa_ASI_PST8S
-#define vis_pst_16s    vis_stdfa_ASI_PST16S
-#define vis_pst_32s    vis_stdfa_ASI_PST32S
-
-/* "<" and ">=" may be implemented in terms of ">" and "<=". */
-#define vis_fcmplt16(a,b) vis_fcmpgt16((b),(a))
-#define vis_fcmplt32(a,b) vis_fcmpgt32((b),(a))
-#define vis_fcmpge16(a,b) vis_fcmple16((b),(a))
-#define vis_fcmpge32(a,b) vis_fcmple32((b),(a))
-
-#ifdef __cplusplus
-} // End of extern "C"
-#endif /* __cplusplus */
-
-#endif /* VIS_PROTO_H */
diff --git a/security/nss/lib/freebl/os2_rand.c b/security/nss/lib/freebl/os2_rand.c
deleted file mode 100644
index 8138d30ae..000000000
--- a/security/nss/lib/freebl/os2_rand.c
+++ /dev/null
@@ -1,333 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#define INCL_DOS
-#define INCL_DOSERRORS
-#include <os2.h>
-#include <secrng.h>
-#include <stdlib.h>
-#include <time.h>
-#include <stdio.h>
-#include <sys/stat.h>
-
-static BOOL clockTickTime(unsigned long *phigh, unsigned long *plow)
-{
-    APIRET rc = NO_ERROR;
-    QWORD qword = {0,0};
-
-    rc = DosTmrQueryTime(&qword);
-    if (rc != NO_ERROR)
-       return FALSE;
-
-    *phigh = qword.ulHi;
-    *plow  = qword.ulLo;
-
-    return TRUE;
-}
-
-size_t RNG_GetNoise(void *buf, size_t maxbuf)
-{
-    unsigned long high = 0;
-    unsigned long low  = 0;
-    clock_t val = 0;
-    int n = 0;
-    int nBytes = 0;
-    time_t sTime;
-
-    if (maxbuf <= 0)
-       return 0;
-
-    clockTickTime(&high, &low);
-
-    /* get the maximally changing bits first */
-    nBytes = sizeof(low) > maxbuf ? maxbuf : sizeof(low);
-    memcpy(buf, &low, nBytes);
-    n += nBytes;
-    maxbuf -= nBytes;
-
-    if (maxbuf <= 0)
-       return n;
-
-    nBytes = sizeof(high) > maxbuf ? maxbuf : sizeof(high);
-    memcpy(((char *)buf) + n, &high, nBytes);
-    n += nBytes;
-    maxbuf -= nBytes;
-
-    if (maxbuf <= 0)
-       return n;
-
-    /* get the number of milliseconds that have elapsed since application started */
-    val = clock();
-
-    nBytes = sizeof(val) > maxbuf ? maxbuf : sizeof(val);
-    memcpy(((char *)buf) + n, &val, nBytes);
-    n += nBytes;
-    maxbuf -= nBytes;
-
-    if (maxbuf <= 0)
-       return n;
-
-    /* get the time in seconds since midnight Jan 1, 1970 */
-    time(&sTime);
-    nBytes = sizeof(sTime) > maxbuf ? maxbuf : sizeof(sTime);
-    memcpy(((char *)buf) + n, &sTime, nBytes);
-    n += nBytes;
-
-    return n;
-}
-
-static BOOL
-EnumSystemFiles(void (*func)(const char *))
-{
-    APIRET              rc;
-    ULONG               sysInfo = 0;
-    char                bootLetter[2];
-    char                sysDir[_MAX_PATH] = "";
-    char                filename[_MAX_PATH];
-    HDIR                hdir = HDIR_CREATE;
-    ULONG               numFiles = 1;
-    FILEFINDBUF3        fileBuf = {0};
-    ULONG               buflen = sizeof(FILEFINDBUF3);
-
-    if (DosQuerySysInfo(QSV_BOOT_DRIVE, QSV_BOOT_DRIVE, (PVOID)&sysInfo,
-                        sizeof(ULONG)) == NO_ERROR)
-    {
-      bootLetter[0] = sysInfo + 'A' -1;
-      bootLetter[1] = '\0';
-      strcpy(sysDir, bootLetter);
-      strcpy(sysDir+1, ":\\OS2\\");
-
-      strcpy( filename, sysDir );
-      strcat( filename, "*.*" );
-    }
-
-    rc =DosFindFirst( filename, &hdir, FILE_NORMAL, &fileBuf, buflen,
-                      &numFiles, FIL_STANDARD );
-    if( rc == NO_ERROR )
-    {
-      do {
-        // pass the full pathname to the callback
-        sprintf( filename, "%s\\%s", sysDir, fileBuf.achName );
-        (*func)(filename);
-
-        numFiles = 1;
-        rc = DosFindNext( hdir, &fileBuf, buflen, &numFiles );
-        if( rc != NO_ERROR && rc != ERROR_NO_MORE_FILES )
-          printf( "DosFindNext errod code = %d\n", rc );
-      } while ( rc == NO_ERROR );
-
-      rc = DosFindClose(hdir);
-      if( rc != NO_ERROR )
-        printf( "DosFindClose error code = %d", rc );
-    }
-    else
-      printf( "DosFindFirst error code = %d", rc );
-
-    return TRUE;
-}
-
-static int    dwNumFiles, dwReadEvery;
-
-static void
-CountFiles(const char *file)
-{
-    dwNumFiles++;
-}
-
-static void
-ReadFiles(const char *file)
-{
-    if ((dwNumFiles % dwReadEvery) == 0)
-        RNG_FileForRNG(file);
-
-    dwNumFiles++;
-}
-
-static void
-ReadSystemFiles(void)
-{
-    // first count the number of files
-    dwNumFiles = 0;
-    if (!EnumSystemFiles(CountFiles))
-        return;
-
-    RNG_RandomUpdate(&dwNumFiles, sizeof(dwNumFiles));
-
-    // now read 10 files
-    if (dwNumFiles == 0)
-        return;
-
-    dwReadEvery = dwNumFiles / 10;
-    if (dwReadEvery == 0)
-        dwReadEvery = 1;  // less than 10 files
-
-    dwNumFiles = 0;
-    EnumSystemFiles(ReadFiles);
-}
-
-void RNG_SystemInfoForRNG(void)
-{
-   unsigned long *plong = 0;
-   PTIB ptib;
-   PPIB ppib;
-   APIRET rc = NO_ERROR;
-   DATETIME dt;
-   COUNTRYCODE cc = {0};
-   COUNTRYINFO ci = {0};
-   unsigned long actual = 0;
-   char path[_MAX_PATH]="";
-   char fullpath[_MAX_PATH]="";
-   unsigned long pathlength = sizeof(path);
-   FSALLOCATE fsallocate;
-   FILESTATUS3 fstatus;
-   unsigned long defaultdrive = 0;
-   unsigned long logicaldrives = 0;
-   unsigned long sysInfo[QSV_MAX] = {0};
-   char buffer[20];
-   int nBytes = 0;
-
-   nBytes = RNG_GetNoise(buffer, sizeof(buffer));
-   RNG_RandomUpdate(buffer, nBytes);
-   
-   /* allocate memory and use address and memory */
-   plong = (unsigned long *)malloc(sizeof(*plong));
-   RNG_RandomUpdate(&plong, sizeof(plong));
-   RNG_RandomUpdate(plong, sizeof(*plong));
-   free(plong);
-
-   /* process info */
-   rc = DosGetInfoBlocks(&ptib, &ppib);
-   if (rc == NO_ERROR)
-   {
-      RNG_RandomUpdate(ptib, sizeof(*ptib));
-      RNG_RandomUpdate(ppib, sizeof(*ppib));
-   }
-
-   /* time */
-   rc = DosGetDateTime(&dt);
-   if (rc == NO_ERROR)
-   {
-      RNG_RandomUpdate(&dt, sizeof(dt));
-   }
-
-   /* country */
-   rc = DosQueryCtryInfo(sizeof(ci), &cc, &ci, &actual);
-   if (rc == NO_ERROR)
-   {
-      RNG_RandomUpdate(&cc, sizeof(cc));
-      RNG_RandomUpdate(&ci, sizeof(ci));
-      RNG_RandomUpdate(&actual, sizeof(actual));
-   }
-
-   /* current directory */
-   rc = DosQueryCurrentDir(0, path, &pathlength);
-   strcat(fullpath, "\\");
-   strcat(fullpath, path);
-   if (rc == NO_ERROR)
-   {
-      RNG_RandomUpdate(fullpath, strlen(fullpath));
-      // path info
-      rc = DosQueryPathInfo(fullpath, FIL_STANDARD, &fstatus, sizeof(fstatus));
-      if (rc == NO_ERROR)
-      {
-         RNG_RandomUpdate(&fstatus, sizeof(fstatus));
-      }
-   }
-
-   /* file system info */
-   rc = DosQueryFSInfo(0, FSIL_ALLOC, &fsallocate, sizeof(fsallocate));
-   if (rc == NO_ERROR)
-   {
-      RNG_RandomUpdate(&fsallocate, sizeof(fsallocate));
-   }
-
-   /* drive info */
-   rc = DosQueryCurrentDisk(&defaultdrive, &logicaldrives);
-   if (rc == NO_ERROR)
-   {
-      RNG_RandomUpdate(&defaultdrive, sizeof(defaultdrive));
-      RNG_RandomUpdate(&logicaldrives, sizeof(logicaldrives));
-   }
-
-   /* system info */
-   rc = DosQuerySysInfo(1L, QSV_MAX, (PVOID)&sysInfo, sizeof(ULONG)*QSV_MAX);
-   if (rc == NO_ERROR)
-   {
-      RNG_RandomUpdate(&sysInfo, sizeof(sysInfo));
-   }
-
-   // now let's do some files
-   ReadSystemFiles();
-
-   /* more noise */
-   nBytes = RNG_GetNoise(buffer, sizeof(buffer));
-   RNG_RandomUpdate(buffer, nBytes);
-}
-
-void RNG_FileForRNG(const char *filename)
-{
-    struct stat stat_buf;
-    unsigned char buffer[1024];
-    FILE *file = 0;
-    int nBytes = 0;
-    static int totalFileBytes = 0;
-    
-    if (stat((char *)filename, &stat_buf) < 0)
-       return;
-
-    RNG_RandomUpdate((unsigned char*)&stat_buf, sizeof(stat_buf));
-    
-    file = fopen((char *)filename, "r");
-    if (file != NULL)
-    {
-       for (;;)
-       {
-           size_t bytes = fread(buffer, 1, sizeof(buffer), file);
-
-           if (bytes == 0)
-              break;
-
-           RNG_RandomUpdate(buffer, bytes);
-           totalFileBytes += bytes;
-           if (totalFileBytes > 250000)
-              break;
-       }
-       fclose(file);
-    }
-
-    nBytes = RNG_GetNoise(buffer, 20); 
-    RNG_RandomUpdate(buffer, nBytes);
-}
diff --git a/security/nss/lib/freebl/pqg.c b/security/nss/lib/freebl/pqg.c
deleted file mode 100644
index c3e92c62d..000000000
--- a/security/nss/lib/freebl/pqg.c
+++ /dev/null
@@ -1,671 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * PQG parameter generation/verification.  Based on FIPS 186-1.
- *
- * $Id$
- */
-
-#include "prerr.h"
-#include "secerr.h"
-
-#include "prtypes.h"
-#include "blapi.h"
-#include "secitem.h"
-#include "mpi.h"
-#include "mpprime.h"
-#include "mplogic.h"
-#include "secmpi.h"
-
-#define MAX_ITERATIONS 600  /* Maximum number of iterations of primegen */
-#define PQG_Q_PRIMALITY_TESTS 18 /* from HAC table 4.4 */
-#define PQG_P_PRIMALITY_TESTS 5  /* from HAC table 4.4 */
-
- /* XXX to be replaced by define in blapit.h */
-#define BITS_IN_Q 160
-
-/* For FIPS-compliance testing.
-** The following array holds the seed defined in FIPS 186-1 appendix 5.
-** This seed is used to generate P and Q according to appendix 2; use of
-** this seed will exactly generate the PQG specified in appendix 2.
-*/
-#ifdef FIPS_186_1_A5_TEST
-static const unsigned char fips_186_1_a5_pqseed[] = {
-    0xd5, 0x01, 0x4e, 0x4b, 0x60, 0xef, 0x2b, 0xa8,
-    0xb6, 0x21, 0x1b, 0x40, 0x62, 0xba, 0x32, 0x24,
-    0xe0, 0x42, 0x7d, 0xd3
-};
-#endif
-
-/* Get a seed for generating P and Q.  If in testing mode, copy in the
-** seed from FIPS 186-1 appendix 5.  Otherwise, obtain bytes from the
-** global random number generator.
-*/
-static SECStatus
-getPQseed(SECItem *seed, PRArenaPool* arena)
-{
-    if (!seed->data) {
-        seed->data = (unsigned char*)PORT_ArenaZAlloc(arena, seed->len);
-    }
-    if (!seed->data) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return SECFailure;
-    }
-#ifdef FIPS_186_1_A5_TEST
-    memcpy(seed->data, fips_186_1_a5_pqseed, seed->len);
-    return SECSuccess;
-#else
-    return RNG_GenerateGlobalRandomBytes(seed->data, seed->len);
-#endif
-}
-
-/* Generate a candidate h value.  If in testing mode, use the h value
-** specified in FIPS 186-1 appendix 5, h = 2.  Otherwise, obtain bytes
-** from the global random number generator.
-*/
-static SECStatus
-generate_h_candidate(SECItem *hit, mp_int *H)
-{
-    SECStatus rv = SECSuccess;
-    mp_err   err = MP_OKAY;
-#ifdef FIPS_186_1_A5_TEST
-    memset(hit->data, 0, hit->len);
-    hit->data[hit->len-1] = 0x02;
-#else
-    rv = RNG_GenerateGlobalRandomBytes(hit->data, hit->len);
-#endif
-    if (rv)
-	return SECFailure;
-    err = mp_read_unsigned_octets(H, hit->data, hit->len);
-    if (err) {
-	MP_TO_SEC_ERROR(err);
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-/* Compute SHA[(SEED + addend) mod 2**g]
-** Result is placed in shaOutBuf.
-** This computation is used in steps 2 and 7 of FIPS 186 Appendix 2.2 .
-*/
-static SECStatus
-addToSeedThenSHA(const SECItem * seed,
-                 unsigned long   addend,
-                 int             g,
-                 unsigned char * shaOutBuf)
-{
-    SECItem str = { 0, 0, 0 };
-    mp_int s, sum, modulus, tmp;
-    mp_err    err = MP_OKAY;
-    SECStatus rv  = SECSuccess;
-    MP_DIGITS(&s)       = 0;
-    MP_DIGITS(&sum)     = 0;
-    MP_DIGITS(&modulus) = 0;
-    MP_DIGITS(&tmp)     = 0;
-    CHECK_MPI_OK( mp_init(&s) );
-    CHECK_MPI_OK( mp_init(&sum) );
-    CHECK_MPI_OK( mp_init(&modulus) );
-    SECITEM_TO_MPINT(*seed, &s); /* s = seed */
-    /* seed += addend */
-    if (addend < MP_DIGIT_MAX) {
-	CHECK_MPI_OK( mp_add_d(&s, (mp_digit)addend, &s) );
-    } else {
-	CHECK_MPI_OK( mp_init(&tmp) );
-	CHECK_MPI_OK( mp_set_ulong(&tmp, addend) );
-	CHECK_MPI_OK( mp_add(&s, &tmp, &s) );
-    }
-    CHECK_MPI_OK( mp_div_2d(&s, (mp_digit)g, NULL, &sum) );/*sum = s mod 2**g */
-    MPINT_TO_SECITEM(&sum, &str, NULL);
-    rv = SHA1_HashBuf(shaOutBuf, str.data, str.len); /* SHA1 hash result */
-cleanup:
-    mp_clear(&s);
-    mp_clear(&sum);
-    mp_clear(&modulus);
-    mp_clear(&tmp);
-    if (str.data)
-	SECITEM_ZfreeItem(&str, PR_FALSE);
-    if (err) {
-	MP_TO_SEC_ERROR(err);
-	return SECFailure;
-    }
-    return rv;
-}
-
-/*
-**  Perform steps 2 and 3 of FIPS 186, appendix 2.2.
-**  Generate Q from seed.
-*/
-static SECStatus
-makeQfromSeed(
-      unsigned int  g,          /* input.  Length of seed in bits. */
-const SECItem   *   seed,       /* input.  */
-      mp_int    *   Q)          /* output. */
-{
-    unsigned char sha1[SHA1_LENGTH];
-    unsigned char sha2[SHA1_LENGTH];
-    unsigned char U[SHA1_LENGTH];
-    SECStatus rv  = SECSuccess;
-    mp_err    err = MP_OKAY;
-    int i;
-    /* ******************************************************************
-    ** Step 2.
-    ** "Compute U = SHA[SEED] XOR SHA[(SEED+1) mod 2**g]."
-    **/
-    CHECK_SEC_OK( SHA1_HashBuf(sha1, seed->data, seed->len) );
-    CHECK_SEC_OK( addToSeedThenSHA(seed, 1, g, sha2) );
-    for (i=0; i<SHA1_LENGTH; ++i) 
-	U[i] = sha1[i] ^ sha2[i];
-    /* ******************************************************************
-    ** Step 3.
-    ** "Form Q from U by setting the most signficant bit (the 2**159 bit)
-    **  and the least signficant bit to 1.  In terms of boolean operations,
-    **  Q = U OR 2**159 OR 1.  Note that 2**159 < Q < 2**160."
-    */
-    U[0]             |= 0x80;  /* U is MSB first */
-    U[SHA1_LENGTH-1] |= 0x01;
-    err = mp_read_unsigned_octets(Q, U, SHA1_LENGTH);
-cleanup:
-     memset(U, 0, SHA1_LENGTH);
-     memset(sha1, 0, SHA1_LENGTH);
-     memset(sha2, 0, SHA1_LENGTH);
-     if (err) {
-	MP_TO_SEC_ERROR(err);
-	return SECFailure;
-     }
-     return rv;
-}
-
-/*  Perform steps 7, 8 and 9 of FIPS 186, appendix 2.2.
-**  Generate P from Q, seed, L, and offset.
-*/
-static SECStatus
-makePfromQandSeed(
-      unsigned int  L,          /* Length of P in bits.  Per FIPS 186. */
-      unsigned int  offset,     /* Per FIPS 186, appendix 2.2. */
-      unsigned int  g,          /* input.  Length of seed in bits. */
-const SECItem   *   seed,       /* input.  */
-const mp_int    *   Q,          /* input.  */
-      mp_int    *   P)          /* output. */
-{
-    unsigned int  k;            /* Per FIPS 186, appendix 2.2. */
-    unsigned int  n;            /* Per FIPS 186, appendix 2.2. */
-    mp_digit      b;            /* Per FIPS 186, appendix 2.2. */
-    unsigned char V_k[SHA1_LENGTH];
-    mp_int        W, X, c, twoQ, V_n, tmp;
-    mp_err    err = MP_OKAY;
-    SECStatus rv  = SECSuccess;
-    /* Initialize bignums */
-    MP_DIGITS(&W)     = 0;
-    MP_DIGITS(&X)     = 0;
-    MP_DIGITS(&c)     = 0;
-    MP_DIGITS(&twoQ)  = 0;
-    MP_DIGITS(&V_n)   = 0;
-    MP_DIGITS(&tmp)   = 0;
-    CHECK_MPI_OK( mp_init(&W)    );
-    CHECK_MPI_OK( mp_init(&X)    );
-    CHECK_MPI_OK( mp_init(&c)    );
-    CHECK_MPI_OK( mp_init(&twoQ) );
-    CHECK_MPI_OK( mp_init(&tmp)  );
-    CHECK_MPI_OK( mp_init(&V_n)  );
-    /* L - 1 = n*160 + b */
-    n = (L - 1) / BITS_IN_Q;
-    b = (L - 1) % BITS_IN_Q;
-    /* ******************************************************************
-    ** Step 7.
-    **  "for k = 0 ... n let
-    **           V_k = SHA[(SEED + offset + k) mod 2**g]."
-    **
-    ** Step 8.
-    **  "Let W be the integer 
-    **    W = V_0 + (V_1 * 2**160) + ... + (V_n-1 * 2**((n-1)*160)) 
-    **         + ((V_n mod 2**b) * 2**(n*160))
-    */
-    for (k=0; k<n; ++k) { /* Do the first n terms of V_k */
-	/* Do step 7 for iteration k.
-	** V_k = SHA[(seed + offset + k) mod 2**g]
-	*/
-	CHECK_SEC_OK( addToSeedThenSHA(seed, offset + k, g, V_k) );
-	/* Do step 8 for iteration k.
-	** W += V_k * 2**(k*160)
-	*/
-	OCTETS_TO_MPINT(V_k, &tmp, SHA1_LENGTH);      /* get bignum V_k     */
-	CHECK_MPI_OK( mpl_lsh(&tmp, &tmp, k*160) );   /* tmp = V_k << k*160 */
-	CHECK_MPI_OK( mp_add(&W, &tmp, &W) );         /* W += tmp           */
-    }
-    /* Step 8, continued.
-    **   [W += ((V_n mod 2**b) * 2**(n*160))] 
-    */
-    CHECK_SEC_OK( addToSeedThenSHA(seed, offset + n, g, V_k) );
-    OCTETS_TO_MPINT(V_k, &V_n, SHA1_LENGTH);          /* get bignum V_n     */
-    CHECK_MPI_OK( mp_div_2d(&V_n, b, NULL, &tmp) );   /* tmp = V_n mod 2**b */
-    CHECK_MPI_OK( mpl_lsh(&tmp, &tmp, n*160) );       /* tmp = tmp << n*160 */
-    CHECK_MPI_OK( mp_add(&W, &tmp, &W) );             /* W += tmp           */
-    /* Step 8, continued.
-    ** "and let X = W + 2**(L-1).
-    **  Note that 0 <= W < 2**(L-1) and hence 2**(L-1) <= X < 2**L."
-    */
-    CHECK_MPI_OK( mpl_set_bit(&X, (mp_size)(L-1), 1) );    /* X = 2**(L-1) */
-    CHECK_MPI_OK( mp_add(&X, &W, &X) );                    /* X += W       */
-    /*************************************************************
-    ** Step 9.
-    ** "Let c = X mod 2q  and set p = X - (c - 1).
-    **  Note that p is congruent to 1 mod 2q."
-    */
-    CHECK_MPI_OK( mp_mul_2(Q, &twoQ) );                    /* 2q           */
-    CHECK_MPI_OK( mp_mod(&X, &twoQ, &c) );                 /* c = X mod 2q */
-    CHECK_MPI_OK( mp_sub_d(&c, 1, &c) );                   /* c -= 1       */
-    CHECK_MPI_OK( mp_sub(&X, &c, P) );                     /* P = X - c    */
-cleanup:
-    mp_clear(&W);
-    mp_clear(&X);
-    mp_clear(&c);
-    mp_clear(&twoQ);
-    mp_clear(&V_n);
-    mp_clear(&tmp);
-    if (err) {
-	MP_TO_SEC_ERROR(err);
-	return SECFailure;
-    }
-    return rv;
-}
-
-/*
-** Generate G from h, P, and Q.
-*/
-static SECStatus
-makeGfromH(const mp_int *P,     /* input.  */
-           const mp_int *Q,     /* input.  */
-                 mp_int *H,     /* input and output. */
-                 mp_int *G,     /* output. */
-                 PRBool *passed)
-{
-    mp_int exp, pm1;
-    mp_err err = MP_OKAY;
-    SECStatus rv = SECSuccess;
-    *passed = PR_FALSE;
-    MP_DIGITS(&exp) = 0;
-    MP_DIGITS(&pm1) = 0;
-    CHECK_MPI_OK( mp_init(&exp) );
-    CHECK_MPI_OK( mp_init(&pm1) );
-    CHECK_MPI_OK( mp_sub_d(P, 1, &pm1) );        /* P - 1            */
-    if ( mp_cmp(H, &pm1) > 0)                   /* H = H mod (P-1)  */
-	CHECK_MPI_OK( mp_sub(H, &pm1, H) );
-    /* Let b = 2**n (smallest power of 2 greater than P).
-    ** Since P-1 >= b/2, and H < b, quotient(H/(P-1)) = 0 or 1
-    ** so the above operation safely computes H mod (P-1)
-    */
-    /* Check for H = to 0 or 1.  Regen H if so.  (Regen means return error). */
-    if (mp_cmp_d(H, 1) <= 0) {
-	rv = SECFailure;
-	goto cleanup;
-    }
-    /* Compute G, according to the equation  G = (H ** ((P-1)/Q)) mod P */
-    CHECK_MPI_OK( mp_div(&pm1, Q, &exp, NULL) );  /* exp = (P-1)/Q      */
-    CHECK_MPI_OK( mp_exptmod(H, &exp, P, G) );    /* G = H ** exp mod P */
-    /* Check for G == 0 or G == 1, return error if so. */
-    if (mp_cmp_d(G, 1) <= 0) {
-	rv = SECFailure;
-	goto cleanup;
-    }
-    *passed = PR_TRUE;
-cleanup:
-    mp_clear(&exp);
-    mp_clear(&pm1);
-    if (err) {
-	MP_TO_SEC_ERROR(err);
-	rv = SECFailure;
-    }
-    return rv;
-}
-
-SECStatus
-PQG_ParamGen(unsigned int j, PQGParams **pParams, PQGVerify **pVfy)
-{
-    unsigned int L;            /* Length of P in bits.  Per FIPS 186. */
-    unsigned int seedBytes;
-
-    if (j > 8 || !pParams || !pVfy) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-    L = 512 + (j * 64);         /* bits in P */
-    seedBytes = L/8;
-    return PQG_ParamGenSeedLen(j, seedBytes, pParams, pVfy);
-}
-
-/* This code uses labels and gotos, so that it can follow the numbered
-** steps in the algorithms from FIPS 186 appendix 2.2 very closely,
-** and so that the correctness of this code can be easily verified.
-** So, please forgive the ugly c code.
-**/
-SECStatus
-PQG_ParamGenSeedLen(unsigned int j, unsigned int seedBytes,
-                    PQGParams **pParams, PQGVerify **pVfy)
-{
-    unsigned int  L;        /* Length of P in bits.  Per FIPS 186. */
-    unsigned int  n;        /* Per FIPS 186, appendix 2.2. */
-    unsigned int  b;        /* Per FIPS 186, appendix 2.2. */
-    unsigned int  g;        /* Per FIPS 186, appendix 2.2. */
-    unsigned int  counter;  /* Per FIPS 186, appendix 2.2. */
-    unsigned int  offset;   /* Per FIPS 186, appendix 2.2. */
-    SECItem      *seed;     /* Per FIPS 186, appendix 2.2. */
-    PRArenaPool  *arena  = NULL;
-    PQGParams    *params = NULL;
-    PQGVerify    *verify = NULL;
-    PRBool passed;
-    SECItem hit = { 0, 0, 0 };
-    mp_int P, Q, G, H, l;
-    mp_err    err = MP_OKAY;
-    SECStatus rv  = SECFailure;
-    int iterations = 0;
-    if (j > 8 || !pParams || !pVfy) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    /* Initialize an arena for the params. */
-    arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);
-    if (!arena) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return SECFailure;
-    }
-    params = (PQGParams *)PORT_ArenaZAlloc(arena, sizeof(PQGParams));
-    if (!params) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	PORT_FreeArena(arena, PR_TRUE);
-	return SECFailure;
-    }
-    params->arena = arena;
-    /* Initialize an arena for the verify. */
-    arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);
-    if (!arena) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	PORT_FreeArena(params->arena, PR_TRUE);
-	return SECFailure;
-    }
-    verify = (PQGVerify *)PORT_ArenaZAlloc(arena, sizeof(PQGVerify));
-    if (!verify) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	PORT_FreeArena(arena, PR_TRUE);
-	PORT_FreeArena(params->arena, PR_TRUE);
-	return SECFailure;
-    }
-    verify->arena = arena;
-    seed = &verify->seed;
-    arena = NULL;
-    /* Initialize bignums */
-    MP_DIGITS(&P) = 0;
-    MP_DIGITS(&Q) = 0;
-    MP_DIGITS(&G) = 0;
-    MP_DIGITS(&H) = 0;
-    MP_DIGITS(&l) = 0;
-    CHECK_MPI_OK( mp_init(&P) );
-    CHECK_MPI_OK( mp_init(&Q) );
-    CHECK_MPI_OK( mp_init(&G) );
-    CHECK_MPI_OK( mp_init(&H) );
-    CHECK_MPI_OK( mp_init(&l) );
-    /* Compute lengths. */
-    L = 512 + (j * 64);               /* bits in P */
-    n = (L - 1) / BITS_IN_Q;          /* BITS_IN_Q is 160 */  
-    b = (L - 1) % BITS_IN_Q;
-    g = seedBytes * BITS_PER_BYTE;    /* bits in seed, NOT G of PQG. */
-step_1:
-    /* ******************************************************************
-    ** Step 1.
-    ** "Choose an abitrary sequence of at least 160 bits and call it SEED.
-    **  Let g be the length of SEED in bits."
-    */
-    if (++iterations > MAX_ITERATIONS) {        /* give up after a while */
-        PORT_SetError(SEC_ERROR_NEED_RANDOM);
-        goto cleanup;
-    }
-    seed->len = seedBytes;
-    CHECK_SEC_OK( getPQseed(seed, verify->arena) );
-    /* ******************************************************************
-    ** Step 2.
-    ** "Compute U = SHA[SEED] XOR SHA[(SEED+1) mod 2**g]."
-    **
-    ** Step 3.
-    ** "Form Q from U by setting the most signficant bit (the 2**159 bit) 
-    **  and the least signficant bit to 1.  In terms of boolean operations,
-    **  Q = U OR 2**159 OR 1.  Note that 2**159 < Q < 2**160."
-    */
-    CHECK_SEC_OK( makeQfromSeed(g, seed, &Q) );
-    /* ******************************************************************
-    ** Step 4.
-    ** "Use a robust primality testing algorithm to test whether q is prime."
-    **
-    ** Appendix 2.1 states that a Rabin test with at least 50 iterations
-    ** "will give an acceptable probability of error."
-    */
-    /*CHECK_SEC_OK( prm_RabinTest(&Q, &passed) );*/
-    err = mpp_pprime(&Q, PQG_Q_PRIMALITY_TESTS);
-    passed = (err == MP_YES) ? SECSuccess : SECFailure;
-    /* ******************************************************************
-    ** Step 5. "If q is not prime, goto step 1."
-    */
-    if (passed != SECSuccess)
-        goto step_1;
-    /* ******************************************************************
-    ** Step 6. "Let counter = 0 and offset = 2."
-    */
-    counter = 0;
-    offset  = 2;
-step_7:
-    /* ******************************************************************
-    ** Step 7.
-    ** "for k = 0 ... n let
-    **          V_k = SHA[(SEED + offset + k) mod 2**g]."
-    **
-    ** Step 8.
-    ** "Let W be the sum of  (V_k * 2**(k*160)) for k = 0 ... n
-    **  and let X = W + 2**(L-1).
-    **  Note that 0 <= W < 2**(L-1) and hence 2**(L-1) <= X < 2**L."
-    **
-    ** Step 9.
-    ** "Let c = X mod 2q  and set p = X - (c - 1).
-    **  Note that p is congruent to 1 mod 2q."
-    */
-    CHECK_SEC_OK( makePfromQandSeed(L, offset, g, seed, &Q, &P) );
-    /*************************************************************
-    ** Step 10.
-    ** "if p < 2**(L-1), then goto step 13."
-    */
-    CHECK_MPI_OK( mpl_set_bit(&l, (mp_size)(L-1), 1) ); /* l = 2**(L-1) */
-    if (mp_cmp(&P, &l) < 0)
-        goto step_13;
-    /************************************************************
-    ** Step 11.
-    ** "Perform a robust primality test on p."
-    */
-    /*CHECK_SEC_OK( prm_RabinTest(&P, &passed) );*/
-    err = mpp_pprime(&P, PQG_P_PRIMALITY_TESTS);
-    passed = (err == MP_YES) ? SECSuccess : SECFailure;
-    /* ******************************************************************
-    ** Step 12. "If p passes the test performed in step 11, go to step 15."
-    */
-    if (passed == SECSuccess)
-        goto step_15;
-step_13:
-    /* ******************************************************************
-    ** Step 13.  "Let counter = counter + 1 and offset = offset + n + 1."
-    */
-    counter++;
-    offset += n + 1;
-    /* ******************************************************************
-    ** Step 14.  "If counter >= 4096 goto step 1, otherwise go to step 7."
-    */
-    if (counter >= 4096)
-        goto step_1;
-    goto step_7;
-step_15:
-    /* ******************************************************************
-    ** Step 15.  
-    ** "Save the value of SEED and the value of counter for use
-    **  in certifying the proper generation of p and q."
-    */
-    /* Generate h. */
-    SECITEM_AllocItem(NULL, &hit, seedBytes); /* h is no longer than p */
-    if (!hit.data) goto cleanup;
-    do {
-	/* loop generate h until 1<h<p-1 and (h**[(p-1)/q])mod p > 1 */
-	CHECK_SEC_OK( generate_h_candidate(&hit, &H) );
-        CHECK_SEC_OK( makeGfromH(&P, &Q, &H, &G, &passed) );
-    } while (passed != PR_TRUE);
-    /* All generation is done.  Now, save the PQG params.  */
-    MPINT_TO_SECITEM(&P, &params->prime,    params->arena);
-    MPINT_TO_SECITEM(&Q, &params->subPrime, params->arena);
-    MPINT_TO_SECITEM(&G, &params->base,     params->arena);
-    MPINT_TO_SECITEM(&H, &verify->h,        verify->arena);
-    verify->counter = counter;
-    *pParams = params;
-    *pVfy = verify;
-cleanup:
-    mp_clear(&P);
-    mp_clear(&Q);
-    mp_clear(&G);
-    mp_clear(&H);
-    mp_clear(&l);
-    if (err) {
-	MP_TO_SEC_ERROR(err);
-	rv = SECFailure;
-    }
-    if (rv) {
-	PORT_FreeArena(params->arena, PR_TRUE);
-	PORT_FreeArena(verify->arena, PR_TRUE);
-    }
-    if (hit.data) {
-        SECITEM_FreeItem(&hit, PR_FALSE);
-    }
-    return rv;
-}
-
-SECStatus   
-PQG_VerifyParams(const PQGParams *params, 
-                 const PQGVerify *vfy, SECStatus *result)
-{
-    SECStatus rv = SECSuccess;
-    int passed;
-    unsigned int g, n, L, offset;
-    mp_int P, Q, G, P_, Q_, G_, r, h;
-    mp_err err = MP_OKAY;
-    int j;
-#define CHECKPARAM(cond)      \
-    if (!(cond)) {            \
-	*result = SECFailure; \
-	goto cleanup;         \
-    }
-    if (!params || !vfy || !result) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    MP_DIGITS(&P) = 0;
-    MP_DIGITS(&Q) = 0;
-    MP_DIGITS(&G) = 0;
-    MP_DIGITS(&P_) = 0;
-    MP_DIGITS(&Q_) = 0;
-    MP_DIGITS(&G_) = 0;
-    MP_DIGITS(&r) = 0;
-    MP_DIGITS(&h) = 0;
-    CHECK_MPI_OK( mp_init(&P) );
-    CHECK_MPI_OK( mp_init(&Q) );
-    CHECK_MPI_OK( mp_init(&G) );
-    CHECK_MPI_OK( mp_init(&P_) );
-    CHECK_MPI_OK( mp_init(&Q_) );
-    CHECK_MPI_OK( mp_init(&G_) );
-    CHECK_MPI_OK( mp_init(&r) );
-    CHECK_MPI_OK( mp_init(&h) );
-    *result = SECSuccess;
-    SECITEM_TO_MPINT(params->prime,    &P);
-    SECITEM_TO_MPINT(params->subPrime, &Q);
-    SECITEM_TO_MPINT(params->base,     &G);
-    /* 1.  Q is 160 bits long. */
-    CHECKPARAM( mpl_significant_bits(&Q) == 160 );
-    /* 2.  P is one of the 9 valid lengths. */
-    L = mpl_significant_bits(&P);
-    j = PQG_PBITS_TO_INDEX(L);
-    CHECKPARAM( j >= 0 && j <= 8 );
-    /* 3.  G < P */
-    CHECKPARAM( mp_cmp(&G, &P) < 0 );
-    /* 4.  P % Q == 1 */
-    CHECK_MPI_OK( mp_mod(&P, &Q, &r) );
-    CHECKPARAM( mp_cmp_d(&r, 1) == 0 );
-    /* 5.  Q is prime */
-    CHECKPARAM( mpp_pprime(&Q, PQG_Q_PRIMALITY_TESTS) == MP_YES );
-    /* 6.  P is prime */
-    CHECKPARAM( mpp_pprime(&P, PQG_P_PRIMALITY_TESTS) == MP_YES );
-    /* Steps 7-12 are done only if the optional PQGVerify is supplied. */
-    if (!vfy) goto cleanup;
-    /* 7.  counter < 4096 */
-    CHECKPARAM( vfy->counter < 4096 );
-    /* 8.  g >= 160 and g < 2048   (g is length of seed in bits) */
-    g = vfy->seed.len * 8;
-    CHECKPARAM( g >= 160 && g < 2048 );
-    /* 9.  Q generated from SEED matches Q in PQGParams. */
-    CHECK_SEC_OK( makeQfromSeed(g, &vfy->seed, &Q_) );
-    CHECKPARAM( mp_cmp(&Q, &Q_) == 0 );
-    /* 10. P generated from (L, counter, g, SEED, Q) matches P in PQGParams. */
-    n = (L - 1) / BITS_IN_Q;
-    offset = vfy->counter * (n + 1) + 2;
-    CHECK_SEC_OK( makePfromQandSeed(L, offset, g, &vfy->seed, &Q, &P_) );
-    CHECKPARAM( mp_cmp(&P, &P_) == 0 );
-    /* Next two are optional: if h == 0 ignore */
-    if (vfy->h.len == 0) goto cleanup;
-    /* 11. 1 < h < P-1 */
-    SECITEM_TO_MPINT(vfy->h, &h);
-    CHECK_MPI_OK( mpl_set_bit(&P, 0, 0) ); /* P is prime, p-1 == zero 1st bit */
-    CHECKPARAM( mp_cmp_d(&h, 1) > 0 && mp_cmp(&h, &P) );
-    CHECK_MPI_OK( mpl_set_bit(&P, 0, 1) ); /* set it back */
-    /* 12. G generated from h matches G in PQGParams. */
-    CHECK_SEC_OK( makeGfromH(&P, &Q, &h, &G_, &passed) );
-    CHECKPARAM( passed && mp_cmp(&G, &G_) == 0 );
-cleanup:
-    mp_clear(&P);
-    mp_clear(&Q);
-    mp_clear(&G);
-    mp_clear(&P_);
-    mp_clear(&Q_);
-    mp_clear(&G_);
-    mp_clear(&r);
-    mp_clear(&h);
-    if (err) {
-	MP_TO_SEC_ERROR(err);
-	rv = SECFailure;
-    }
-    return rv;
-}
-
-
diff --git a/security/nss/lib/freebl/prng_fips1861.c b/security/nss/lib/freebl/prng_fips1861.c
deleted file mode 100644
index 900b98ab8..000000000
--- a/security/nss/lib/freebl/prng_fips1861.c
+++ /dev/null
@@ -1,586 +0,0 @@
-/*
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "prerr.h"
-#include "secerr.h"
-
-#include "prtypes.h"
-#include "prinit.h"
-#include "blapi.h"
-#include "nssilock.h"
-#include "secitem.h"
-#include "sha_fast.h"
-#include "secrng.h"	/* for RNG_GetNoise() */
-#include "secmpi.h"
-
-/*
- * The minimum amount of seed data required before the generator will
- * provide data.
- * Note that this is a measure of the number of bytes sent to
- * RNG_RandomUpdate, not the actual amount of entropy present in the
- * generator.  Naturally, it is impossible to know (at this level) just
- * how much entropy is present in the provided seed data.  A bare minimum
- * of entropy would be 20 bytes, so by requiring 1K this code is making
- * the tacit assumption that at least 1 byte of pure entropy is provided
- * with every 8 bytes supplied to RNG_RandomUpdate.  The reality of this
- * assumption is left up to the caller.
- */
-#define MIN_SEED_COUNT 1024
-
-/*
- * Steps taken from Algorithm 1 of FIPS 186-2 Change Notice 1
- */
-
-/*
- * According to FIPS 186-2, 160 <= b <= 512.
- * For our purposes, we will assume b == 160,
- * 256, or 512 (the output size of SHA-1,
- * SHA-256, or SHA-512).
- */
-#define FIPS_B     256
-#define B_HASH_BUF SHA256_HashBuf
-#define BSIZE      (FIPS_B / PR_BITS_PER_BYTE)
-
-/* Output size of the G function */
-#define FIPS_G     160
-#define GSIZE      (FIPS_G / PR_BITS_PER_BYTE)
-
-/*
- * Add two b-bit numbers represented as arrays of BSIZE bytes.
- * The numbers are big-endian, MSB first, so addition is done
- * from the end of the buffer to the beginning.
- */
-#define ADD_B_BIT_PLUS_CARRY(dest, add1, add2, cy) \
-    carry = cy; \
-    for (k=BSIZE-1; k>=0; --k) { \
-	carry += add1[k] + add2[k]; \
-	dest[k] = (PRUint8)carry; \
-	carry >>= 8; \
-    }
-
-#define ADD_B_BIT_2(dest, add1, add2) \
-	ADD_B_BIT_PLUS_CARRY(dest, add1, add2, 0)
-
-
-/*
- * FIPS requires result from Step 3.3 to be reduced mod q when generating
- * random numbers for DSA.
- *
- * Input: w, 2*GSIZE bytes
- *        q, DSA_SUBPRIME_LEN bytes
- * Output: xj, DSA_SUBPRIME_LEN bytes
- */
-static SECStatus
-dsa_reduce_mod_q(const unsigned char *w, const unsigned char *q,
-    unsigned char *xj)
-{
-    mp_int W, Q, Xj;
-    mp_err err;
-    SECStatus rv = SECSuccess;
-
-    /* Initialize MPI integers. */
-    MP_DIGITS(&W) = 0;
-    MP_DIGITS(&Q) = 0;
-    MP_DIGITS(&Xj) = 0;
-    CHECK_MPI_OK( mp_init(&W) );
-    CHECK_MPI_OK( mp_init(&Q) );
-    CHECK_MPI_OK( mp_init(&Xj) );
-    /*
-     * Convert input arguments into MPI integers.
-     */
-    CHECK_MPI_OK( mp_read_unsigned_octets(&W, w, 2*GSIZE) );
-    CHECK_MPI_OK( mp_read_unsigned_octets(&Q, q, DSA_SUBPRIME_LEN) );
-    /*
-     * Algorithm 1 of FIPS 186-2 Change Notice 1, Step 3.3
-     *
-     * xj = (w0 || w1) mod q
-     */
-    CHECK_MPI_OK( mp_mod(&W, &Q, &Xj) );
-    CHECK_MPI_OK( mp_to_fixlen_octets(&Xj, xj, DSA_SUBPRIME_LEN) );
-cleanup:
-    mp_clear(&W);
-    mp_clear(&Q);
-    mp_clear(&Xj);
-    if (err) {
-	MP_TO_SEC_ERROR(err);
-	rv = SECFailure;
-    }
-    return rv;
-}
-
-/*
- * Specialized SHA1-like function.  This function appends zeroes to a 
- * single input block and runs a single instance of the compression function, 
- * as specified in FIPS 186-2 appendix 3.3.
- */
-static void 
-RNG_UpdateAndEnd_FIPS186_2(SHA1Context *ctx, 
-                           unsigned char *input, unsigned int inputLen,
-                           unsigned char *hashout, unsigned int *pDigestLen, 
-                           unsigned int maxDigestLen);
-
-/*
- * Global RNG context
- */ 
-struct RNGContextStr {
-    PRUint8   XKEY[BSIZE]; /* Seed for next SHA iteration */
-    PRUint8   Xj[2*GSIZE]; /* Output from previous operation. */
-    PZLock   *lock;        /* Lock to serialize access to global rng */
-    PRUint8   avail;       /* # bytes of output available, [0...2*GSIZE] */
-    PRUint32  seedCount;   /* number of seed bytes given to generator */
-    PRBool    isValid;     /* false if RNG reaches an invalid state */
-};
-typedef struct RNGContextStr RNGContext;
-static RNGContext *globalrng = NULL;
-
-/*
- * Free the global RNG context
- */
-static void
-freeRNGContext()
-{
-    PZ_DestroyLock(globalrng->lock);
-    PORT_ZFree(globalrng, sizeof *globalrng);
-    globalrng = NULL;
-}
-
-/*
- * Implementation of Algorithm 1 of FIPS 186-2 Change Notice 1,
- * hereinafter called alg_cn_1().  It is assumed a lock for the global
- * rng context has already been acquired.
- * Calling this function with XSEEDj == NULL is equivalent to saying there
- * is no optional user input, which is further equivalent to saying that
- * the optional user input is 0.
- */
-static SECStatus
-alg_fips186_2_cn_1(RNGContext *rng, const unsigned char *XSEEDj)
-{
-    /* SHA1 context for G(t, XVAL) function */
-    SHA1Context sha1cx;
-    /* XKEY for iteration 1 */
-    PRUint8 XKEY_1[BSIZE];
-    const PRUint8 *XKEY_old;
-    PRUint8 *XKEY_new;
-    /* input to hash function */
-    PRUint8 XVAL[BSIZE];
-    /* store a copy of the output to compare with the previous output */
-    PRUint8 x_j[2*GSIZE];
-    /* used by ADD_B_BIT macros */
-    int k, carry;
-    /* store the output of G(t, XVAL) in the rightmost GSIZE bytes */
-    PRUint8 w_i[BSIZE];
-    int i;
-    unsigned int len;
-    SECStatus rv = SECSuccess;
-
-    if (!rng->isValid) {
-	/* RNG has alread entered an invalid state. */
-	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	return SECFailure;
-    }
-#if GSIZE < BSIZE
-    /* zero the leftmost bytes so we can pass it to ADD_B_BIT_PLUS_CARRY */
-    memset(w_i, 0, BSIZE - GSIZE);
-#endif
-    /* 
-     * <Step 2> Initialize t, taken care of in SHA-1 (same initial values)
-     *
-     * <Step 3.1> XSEEDj is optional user input
-     */ 
-    for (i = 0; i < 2; i++) {
-	/* only update rng->XKEY when both iterations have been completed */
-	if (i == 0) {
-	    /* for iteration 0 */
-	    XKEY_old = rng->XKEY;
-	    XKEY_new = XKEY_1;
-	} else {
-	    /* for iteration 1 */
-	    XKEY_old = XKEY_1;
-	    XKEY_new = rng->XKEY;
-	}
-	/* 
-	 * <Step 3.2a> XVAL = (XKEY + XSEEDj) mod 2^b
-	 *     :always reduced mod 2^b, since storing as b-bit value
-	 */
-	if (XSEEDj) {
-	    /* XSEEDj > 0 */
-	    if (memcmp(XKEY_old, XSEEDj, BSIZE) == 0) {
-		/* Should we add the error code SEC_ERROR_BAD_RNG_SEED? */
-		PORT_SetError(SEC_ERROR_INVALID_ARGS);
-		rv = SECFailure;
-		goto done;
-	    }
-	    ADD_B_BIT_2(XVAL, XKEY_old, XSEEDj);
-	} else {
-	    /* XSEEDj == 0 */
-	    memcpy(XVAL, XKEY_old, BSIZE);
-	}
-	/* 
-	 * <Step 3.2b> Wi = G(t, XVAL)
-	 *     :FIPS 186-2 specifies a different padding than the SHA1 180-1
-	 *     :specification, this function is implemented in
-	 *     :RNG_UpdateAndEnd_FIPS186_2 below.
-	 */ 
-	SHA1_Begin(&sha1cx);
-	RNG_UpdateAndEnd_FIPS186_2(&sha1cx, XVAL, BSIZE,
-				   &w_i[BSIZE - GSIZE], &len, GSIZE);
-	/* 
-	 * <Step 3.2c> XKEY = (1 + XKEY + Wi) mod 2^b
-	 *     :always reduced mod 2^b, since storing as 160-bit value 
-	 */
-	ADD_B_BIT_PLUS_CARRY(XKEY_new, XKEY_old, w_i, 1);
-	/*
-	 * <Step 3.3> Xj = (W0 || W1)
-	 */
-	memcpy(&x_j[i*GSIZE], &w_i[BSIZE - GSIZE], GSIZE);
-    }
-    /*     [FIPS 140-2] verify output does not match previous output */
-    if (memcmp(x_j, rng->Xj, 2*GSIZE) == 0) {
-	/* failed FIPS 140-2 continuous RNG test.  RNG now invalid. */
-	rng->isValid = PR_FALSE;
-	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	rv = SECFailure;
-	goto done;
-    }
-    /* Xj is the output */
-    memcpy(rng->Xj, x_j, 2*GSIZE);
-    /* Always have a full buffer after executing alg_cn_1() */
-    rng->avail = 2*GSIZE;
-
-done:
-    /* housekeeping */
-    memset(&w_i[BSIZE - GSIZE], 0, GSIZE);
-    memset(x_j, 0, 2*GSIZE);
-    memset(XVAL, 0, BSIZE);
-    memset(XKEY_1, 0, BSIZE);
-    return rv;
-}
-
-/* Use NSPR to prevent RNG_RNGInit from being called from separate
- * threads, creating a race condition.
- */
-static PRCallOnceType coRNGInit = { 0, 0, 0 };
-static PRStatus rng_init(void)
-{
-    unsigned char bytes[120];
-    unsigned int numBytes;
-    if (globalrng == NULL) {
-	/* create a new global RNG context */
-	globalrng = (RNGContext *)PORT_ZAlloc(sizeof(RNGContext));
-	if (globalrng == NULL) {
-	    PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
-	    return PR_FAILURE;
-	}
-	/* create a lock for it */
-	globalrng->lock = PZ_NewLock(nssILockOther);
-	if (globalrng->lock == NULL) {
-	    PORT_Free(globalrng);
-	    globalrng = NULL;
-	    PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
-	    return PR_FAILURE;
-	}
-	/* the RNG is in a valid state */
-	globalrng->isValid = PR_TRUE;
-	/* Try to get some seed data for the RNG */
-	numBytes = RNG_GetNoise(bytes, sizeof bytes);
-	RNG_RandomUpdate(bytes, numBytes);
-    }
-    return PR_SUCCESS;
-}
-
-/*
- * Initialize the global RNG context and give it some seed input taken
- * from the system.  This function is thread-safe and will only allow
- * the global context to be initialized once.  The seed input is likely
- * small, so it is imperative that RNG_RandomUpdate() be called with
- * additional seed data before the generator is used.  A good way to
- * provide the generator with additional entropy is to call
- * RNG_SystemInfoForRNG().  Note that NSS_Init() does exactly that.
- */
-SECStatus 
-RNG_RNGInit(void)
-{
-    /* Allow only one call to initialize the context */
-    PR_CallOnce(&coRNGInit, rng_init);
-    /* Make sure there is a context */
-    return (globalrng != NULL) ? PR_SUCCESS : PR_FAILURE;
-}
-
-/*
-** Update the global random number generator with more seeding
-** material
-*/
-static SECStatus 
-prng_RandomUpdate(RNGContext *rng, const void *data, size_t bytes)
-{
-    SECStatus rv = SECSuccess;
-    unsigned char inputhash[BSIZE];
-    /* check for a valid global RNG context */
-    PORT_Assert(rng != NULL);
-    if (rng == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    /* RNG_SystemInfoForRNG() sometimes does this, not really an error */
-    if (bytes == 0)
-	return SECSuccess;
-    /* If received 20 bytes of input, use it, else hash the input before 
-     * locking.
-     */
-    if (bytes == BSIZE)
-	memcpy(inputhash, data, BSIZE);
-    else
-	rv = B_HASH_BUF(inputhash, data, bytes);
-    if (rv != SECSuccess) {
-	/* B_HASH_BUF set error */
-	return SECFailure;
-    }
-    /* --- LOCKED --- */
-    PZ_Lock(rng->lock);
-    /*
-     * Random information is initially supplied by a call to
-     * RNG_SystemInfoForRNG().  That function collects entropy from
-     * the system and calls RNG_RandomUpdate() to seed the generator.
-     * Algorithm 1 of FIPS 186-2 Change Notice 1, step 1 specifies that
-     * a secret value for the seed-key must be chosen before the
-     * generator can begin.  The size of XKEY is b bits, so fill it
-     * with the first b bits sent to RNG_RandomUpdate().
-     */
-    if (rng->seedCount == 0) {
-	/* This is the first call to RandomUpdate().  Use a hash
-	 * of the input to set the seed, XKEY.
-	 *
-	 * <Step 1> copy seed bytes into context's XKEY
-	 */
-	memcpy(rng->XKEY, inputhash, BSIZE);
-	/* 
-	 * Now continue with algorithm.  Since the input was used to
-	 * initialize XKEY, the "optional user input" at this stage
-	 * will be a pad of zeros, XSEEDj = 0.
-	 */
-	rv = alg_fips186_2_cn_1(rng, NULL);
-	/* As per FIPS 140-2 continuous RNG test requirement, the first
-	 * iteration of output is discarded.  So here there is really
-	 * no output available.  This forces another execution of alg_cn_1()
-	 * before any bytes can be extracted from the generator.
-	 */
-	rng->avail = 0;
-    } else {
-	/* Execute the algorithm from FIPS 186-2 Change Notice 1 */
-	rv = alg_fips186_2_cn_1(rng, inputhash);
-    }
-    /* If got this far, have added bytes of seed data. */
-    if (rv == SECSuccess)
-	rng->seedCount += bytes;
-    PZ_Unlock(rng->lock);
-    /* --- UNLOCKED --- */
-    /* housekeeping */
-    memset(inputhash, 0, BSIZE);
-    return rv;
-}
-
-/*
-** Update the global random number generator with more seeding
-** material.
-*/
-SECStatus 
-RNG_RandomUpdate(const void *data, size_t bytes)
-{
-    return prng_RandomUpdate(globalrng, data, bytes);
-}
-
-/*
-** Generate some random bytes, using the global random number generator
-** object.
-*/
-SECStatus 
-prng_GenerateGlobalRandomBytes(RNGContext *rng,
-                               void *dest, size_t len)
-{
-    PRUint8 num;
-    SECStatus rv = SECSuccess;
-    unsigned char *output = dest;
-    /* check for a valid global RNG context */
-    PORT_Assert(rng != NULL);
-    if (rng == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    /* --- LOCKED --- */
-    PZ_Lock(rng->lock);
-    /* Check the amount of seed data in the generator.  If not enough,
-     * don't produce any data.
-     */
-    if (rng->seedCount < MIN_SEED_COUNT) {
-	PZ_Unlock(rng->lock);
-	PORT_SetError(SEC_ERROR_NEED_RANDOM);
-	return SECFailure;
-    }
-    /*
-     * If there are enough bytes of random data, send back Xj, 
-     * else call alg_cn_1() with 0's to generate more random data.
-     */
-    while (len > 0 && rv == SECSuccess) {
-	if (rng->avail == 0) {
-	    /* All available bytes are used, so generate more. */
-	    rv = alg_fips186_2_cn_1(rng, NULL);
-	}
-	/* number of bytes to obtain on this iteration (max of 40) */
-	num = PR_MIN(rng->avail, len);
-	/*
-	 * if avail < 2*GSIZE, the first 2*GSIZE - avail bytes have
-	 * already been used.
-	 */
-	if (num) {
-	    memcpy(output, rng->Xj + (2*GSIZE - rng->avail), num);
-	    rng->avail -= num;
-	    len -= num;
-	    output += num;
-	}
-    }
-    PZ_Unlock(rng->lock);
-    /* --- UNLOCKED --- */
-    return rv;
-}
-
-/*
-** Generate some random bytes, using the global random number generator
-** object.
-*/
-SECStatus 
-RNG_GenerateGlobalRandomBytes(void *dest, size_t len)
-{
-    return prng_GenerateGlobalRandomBytes(globalrng, dest, len);
-}
-
-void
-RNG_RNGShutdown(void)
-{
-    /* check for a valid global RNG context */
-    PORT_Assert(globalrng != NULL);
-    if (globalrng == NULL) {
-	/* Should set a "not initialized" error code. */
-	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	return;
-    }
-    /* clear */
-    freeRNGContext();
-    /* zero the callonce struct to allow a new call to RNG_RNGInit() */
-    memset(&coRNGInit, 0, sizeof coRNGInit);
-}
-
-/*
- *  SHA: Generate hash value from context
- *       Specialized function for PRNG
- *       The PRNG specified in FIPS 186-2 3.3 uses a function, G,
- *       which has the same initialization and compression functions
- *       as SHA1 180-1, but uses different padding.  FIPS 186-2 3.3 
- *       specifies that the message be padded with 0's until the size
- *       reaches 512 bits.
- */
-static void 
-RNG_UpdateAndEnd_FIPS186_2(SHA1Context *ctx, 
-                           unsigned char *input, unsigned int inputLen,
-                           unsigned char *hashout, unsigned int *pDigestLen, 
-                           unsigned int maxDigestLen)
-{
-#if defined(SHA_NEED_TMP_VARIABLE)
-    register PRUint32 tmp;
-#endif
-    static const unsigned char bulk_pad0[64] = { 0,0,0,0,0,0,0,0,0,0,
-               0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
-               0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0  };
-
-    PORT_Assert(maxDigestLen >= SHA1_LENGTH);
-    PORT_Assert(inputLen <= SHA1_INPUT_LEN);
-
-    /*
-     *  Add the input
-     */
-    SHA1_Update(ctx, input, inputLen);
-    /*
-     *  Pad with zeroes
-     *  This will fill the input block and cause the compression function
-     *  to be called.
-     */
-    SHA1_Update(ctx, bulk_pad0, SHA1_INPUT_LEN - inputLen);
-
-    /*
-     *  Output hash
-     */
-    SHA_STORE_RESULT;
-    *pDigestLen = SHA1_LENGTH;
-}
-
-/*
- * Specialized RNG for DSA
- *
- * As per Algorithm 1 of FIPS 186-2 Change Notice 1, in step 3.3 the value
- * Xj should be reduced mod q, a 160-bit prime number.  Since this parameter
- * is only meaningful in the context of DSA, the above RNG functions
- * were implemented without it.  They are re-implemented below for use
- * with DSA.
- *
- */
-
-/*
-** Generate some random bytes, using the global random number generator
-** object.  In DSA mode, so there is a q.
-*/
-SECStatus 
-DSA_GenerateGlobalRandomBytes(void *dest, size_t len, const unsigned char *q)
-{
-    SECStatus rv;
-    unsigned char w[2*GSIZE];
-
-    PORT_Assert(q && len == DSA_SUBPRIME_LEN);
-    if (len != DSA_SUBPRIME_LEN) {
-	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
-	return SECFailure;
-    }
-    if (*q == 0) {
-        ++q;
-    }
-    rv = prng_GenerateGlobalRandomBytes(globalrng, w, 2*GSIZE);
-    if (rv != SECSuccess) {
-	return rv;
-    }
-    dsa_reduce_mod_q(w, q, (unsigned char *)dest);
-    return rv;
-}
diff --git a/security/nss/lib/freebl/rawhash.c b/security/nss/lib/freebl/rawhash.c
deleted file mode 100644
index a3efe9b30..000000000
--- a/security/nss/lib/freebl/rawhash.c
+++ /dev/null
@@ -1,164 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "nspr.h"
-#include "sechash.h"
-#include "blapi.h"	/* below the line */
-#include "secerr.h"
-
-static void *
-null_hash_new_context(void)
-{
-    return NULL;
-}
-
-static void *
-null_hash_clone_context(void *v)
-{
-    PORT_Assert(v == NULL);
-    return NULL;
-}
-
-static void
-null_hash_begin(void *v)
-{
-}
-
-static void
-null_hash_update(void *v, const unsigned char *input, unsigned int length)
-{
-}
-
-static void
-null_hash_end(void *v, unsigned char *output, unsigned int *outLen,
-	      unsigned int maxOut)
-{
-    *outLen = 0;
-}
-
-static void
-null_hash_destroy_context(void *v, PRBool b)
-{
-    PORT_Assert(v == NULL);
-}
-
-
-const SECHashObject SECRawHashObjects[] = {
-  { 0,
-    (void * (*)(void)) null_hash_new_context,
-    (void * (*)(void *)) null_hash_clone_context,
-    (void (*)(void *, PRBool)) null_hash_destroy_context,
-    (void (*)(void *)) null_hash_begin,
-    (void (*)(void *, const unsigned char *, unsigned int)) null_hash_update,
-    (void (*)(void *, unsigned char *, unsigned int *,
-	      unsigned int)) null_hash_end,
-    0,
-    HASH_AlgNULL
-  },
-  { MD2_LENGTH,
-    (void * (*)(void)) MD2_NewContext,
-    (void * (*)(void *)) null_hash_clone_context,
-    (void (*)(void *, PRBool)) MD2_DestroyContext,
-    (void (*)(void *)) MD2_Begin,
-    (void (*)(void *, const unsigned char *, unsigned int)) MD2_Update,
-    (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) MD2_End,
-    MD2_BLOCK_LENGTH,
-    HASH_AlgMD2
-  },
-  { MD5_LENGTH,
-    (void * (*)(void)) MD5_NewContext,
-    (void * (*)(void *)) null_hash_clone_context,
-    (void (*)(void *, PRBool)) MD5_DestroyContext,
-    (void (*)(void *)) MD5_Begin,
-    (void (*)(void *, const unsigned char *, unsigned int)) MD5_Update,
-    (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) MD5_End,
-    MD5_BLOCK_LENGTH,
-    HASH_AlgMD5
-  },
-  { SHA1_LENGTH,
-    (void * (*)(void)) SHA1_NewContext,
-    (void * (*)(void *)) null_hash_clone_context,
-    (void (*)(void *, PRBool)) SHA1_DestroyContext,
-    (void (*)(void *)) SHA1_Begin,
-    (void (*)(void *, const unsigned char *, unsigned int)) SHA1_Update,
-    (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) SHA1_End,
-    SHA1_BLOCK_LENGTH,
-    HASH_AlgSHA1
-  },
-  { SHA256_LENGTH,
-    (void * (*)(void)) SHA256_NewContext,
-    (void * (*)(void *)) null_hash_clone_context,
-    (void (*)(void *, PRBool)) SHA256_DestroyContext,
-    (void (*)(void *)) SHA256_Begin,
-    (void (*)(void *, const unsigned char *, unsigned int)) SHA256_Update,
-    (void (*)(void *, unsigned char *, unsigned int *,
-	      unsigned int)) SHA256_End,
-    SHA256_BLOCK_LENGTH,
-    HASH_AlgSHA256
-  },
-  { SHA384_LENGTH,
-    (void * (*)(void)) SHA384_NewContext,
-    (void * (*)(void *)) null_hash_clone_context,
-    (void (*)(void *, PRBool)) SHA384_DestroyContext,
-    (void (*)(void *)) SHA384_Begin,
-    (void (*)(void *, const unsigned char *, unsigned int)) SHA384_Update,
-    (void (*)(void *, unsigned char *, unsigned int *,
-	      unsigned int)) SHA384_End,
-    SHA384_BLOCK_LENGTH,
-    HASH_AlgSHA384
-  },
-  { SHA512_LENGTH,
-    (void * (*)(void)) SHA512_NewContext,
-    (void * (*)(void *)) null_hash_clone_context,
-    (void (*)(void *, PRBool)) SHA512_DestroyContext,
-    (void (*)(void *)) SHA512_Begin,
-    (void (*)(void *, const unsigned char *, unsigned int)) SHA512_Update,
-    (void (*)(void *, unsigned char *, unsigned int *,
-	      unsigned int)) SHA512_End,
-    SHA512_BLOCK_LENGTH,
-    HASH_AlgSHA512
-  },
-};
-
-const SECHashObject *
-HASH_GetRawHashObject(HASH_HashType hashType)
-{
-    if (hashType < HASH_AlgNULL || hashType >= HASH_AlgTOTAL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return NULL;
-    }
-    return &SECRawHashObjects[hashType];
-}
diff --git a/security/nss/lib/freebl/ret_cr16.s b/security/nss/lib/freebl/ret_cr16.s
deleted file mode 100644
index d1fffc577..000000000
--- a/security/nss/lib/freebl/ret_cr16.s
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- * 
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- * 
- * The Original Code is the Netscape security libraries.
- * 
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation.  Portions created by Netscape are 
- * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
- * Rights Reserved.
- * 
- * Contributor(s):
- * 
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable 
- * instead of those above.  If you wish to allow use of your 
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL.  If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-#ifdef __LP64__
-        .LEVEL   2.0W
-#else
-        .LEVEL   1.1
-#endif
-
-	.CODE	; equivalent to the following two lines
-;       .SPACE   $TEXT$,SORT=8
-;       .SUBSPA  $CODE$,QUAD=0,ALIGN=4,ACCESS=0x2c,CODE_ONLY,SORT=24
-
-ret_cr16
-	.PROC
-	.CALLINFO 	FRAME=0, NO_CALLS
-	.EXPORT 	ret_cr16,ENTRY
-	.ENTER
-;	BV		%r0(%rp)
-	BV		0(%rp)
-	MFCTL		%cr16,%ret0
-        .LEAVE
-        .PROCEND
-        .END
diff --git a/security/nss/lib/freebl/rijndael.c b/security/nss/lib/freebl/rijndael.c
deleted file mode 100644
index 58f5e5cdf..000000000
--- a/security/nss/lib/freebl/rijndael.c
+++ /dev/null
@@ -1,1155 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "prinit.h"
-#include "prerr.h"
-#include "secerr.h"
-
-#include "prtypes.h"
-#include "blapi.h"
-#include "rijndael.h"
-
-/*
- * There are currently five ways to build this code, varying in performance
- * and code size.
- *
- * RIJNDAEL_INCLUDE_TABLES         Include all tables from rijndael32.tab
- * RIJNDAEL_GENERATE_TABLES        Generate tables on first 
- *                                 encryption/decryption, then store them;
- *                                 use the function gfm
- * RIJNDAEL_GENERATE_TABLES_MACRO  Same as above, but use macros to do
- *                                 the generation
- * RIJNDAEL_GENERATE_VALUES        Do not store tables, generate the table
- *                                 values "on-the-fly", using gfm
- * RIJNDAEL_GENERATE_VALUES_MACRO  Same as above, but use macros
- *
- * The default is RIJNDAEL_INCLUDE_TABLES.
- */
-
-/*
- * When building RIJNDAEL_INCLUDE_TABLES, includes S**-1, Rcon, T[0..4], 
- *                                                 T**-1[0..4], IMXC[0..4]
- * When building anything else, includes S, S**-1, Rcon
- */
-#include "rijndael32.tab"
-
-#if defined(RIJNDAEL_INCLUDE_TABLES)
-/*
- * RIJNDAEL_INCLUDE_TABLES
- */
-#define T0(i)    _T0[i]
-#define T1(i)    _T1[i]
-#define T2(i)    _T2[i]
-#define T3(i)    _T3[i]
-#define TInv0(i) _TInv0[i]
-#define TInv1(i) _TInv1[i]
-#define TInv2(i) _TInv2[i]
-#define TInv3(i) _TInv3[i]
-#define IMXC0(b) _IMXC0[b]
-#define IMXC1(b) _IMXC1[b]
-#define IMXC2(b) _IMXC2[b]
-#define IMXC3(b) _IMXC3[b]
-/* The S-box can be recovered from the T-tables */
-#ifdef IS_LITTLE_ENDIAN
-#define SBOX(b)    ((PRUint8)_T3[b])
-#else
-#define SBOX(b)    ((PRUint8)_T1[b])
-#endif
-#define SINV(b) (_SInv[b])
-
-#else /* not RIJNDAEL_INCLUDE_TABLES */
-
-/*
- * Code for generating T-table values.
- */
-
-#ifdef IS_LITTLE_ENDIAN
-#define WORD4(b0, b1, b2, b3) \
-    (((b3) << 24) | ((b2) << 16) | ((b1) << 8) | (b0))
-#else
-#define WORD4(b0, b1, b2, b3) \
-    (((b0) << 24) | ((b1) << 16) | ((b2) << 8) | (b3))
-#endif
-
-/*
- * Define the S and S**-1 tables (both have been stored)
- */
-#define SBOX(b)    (_S[b])
-#define SINV(b) (_SInv[b])
-
-/*
- * The function xtime, used for Galois field multiplication
- */
-#define XTIME(a) \
-    ((a & 0x80) ? ((a << 1) ^ 0x1b) : (a << 1))
-
-/* Choose GFM method (macros or function) */
-#if defined(RIJNDAEL_GENERATE_TABLES_MACRO) ||  \
-    defined(RIJNDAEL_GENERATE_VALUES_MACRO)
-
-/*
- * Galois field GF(2**8) multipliers, in macro form
- */
-#define GFM01(a) \
-    (a)                                 /* a * 01 = a, the identity */
-#define GFM02(a) \
-    (XTIME(a) & 0xff)                   /* a * 02 = xtime(a) */
-#define GFM04(a) \
-    (GFM02(GFM02(a)))                   /* a * 04 = xtime**2(a) */
-#define GFM08(a) \
-    (GFM02(GFM04(a)))                   /* a * 08 = xtime**3(a) */
-#define GFM03(a) \
-    (GFM01(a) ^ GFM02(a))               /* a * 03 = a * (01 + 02) */
-#define GFM09(a) \
-    (GFM01(a) ^ GFM08(a))               /* a * 09 = a * (01 + 08) */
-#define GFM0B(a) \
-    (GFM01(a) ^ GFM02(a) ^ GFM08(a))    /* a * 0B = a * (01 + 02 + 08) */
-#define GFM0D(a) \
-    (GFM01(a) ^ GFM04(a) ^ GFM08(a))    /* a * 0D = a * (01 + 04 + 08) */
-#define GFM0E(a) \
-    (GFM02(a) ^ GFM04(a) ^ GFM08(a))    /* a * 0E = a * (02 + 04 + 08) */
-
-#else  /* RIJNDAEL_GENERATE_TABLES or RIJNDAEL_GENERATE_VALUES */
-
-/* GF_MULTIPLY
- *
- * multiply two bytes represented in GF(2**8), mod (x**4 + 1)
- */
-PRUint8 gfm(PRUint8 a, PRUint8 b)
-{
-    PRUint8 res = 0;
-    while (b > 0) {
-	res = (b & 0x01) ? res ^ a : res;
-	a = XTIME(a);
-	b >>= 1;
-    }
-    return res;
-}
-
-#define GFM01(a) \
-    (a)                                 /* a * 01 = a, the identity */
-#define GFM02(a) \
-    (XTIME(a) & 0xff)                   /* a * 02 = xtime(a) */
-#define GFM03(a) \
-    (gfm(a, 0x03))                      /* a * 03 */
-#define GFM09(a) \
-    (gfm(a, 0x09))                      /* a * 09 */
-#define GFM0B(a) \
-    (gfm(a, 0x0B))                      /* a * 0B */
-#define GFM0D(a) \
-    (gfm(a, 0x0D))                      /* a * 0D */
-#define GFM0E(a) \
-    (gfm(a, 0x0E))                      /* a * 0E */
-
-#endif /* choosing GFM function */
-
-/*
- * The T-tables
- */
-#define G_T0(i) \
-    ( WORD4( GFM02(SBOX(i)), GFM01(SBOX(i)), GFM01(SBOX(i)), GFM03(SBOX(i)) ) )
-#define G_T1(i) \
-    ( WORD4( GFM03(SBOX(i)), GFM02(SBOX(i)), GFM01(SBOX(i)), GFM01(SBOX(i)) ) )
-#define G_T2(i) \
-    ( WORD4( GFM01(SBOX(i)), GFM03(SBOX(i)), GFM02(SBOX(i)), GFM01(SBOX(i)) ) )
-#define G_T3(i) \
-    ( WORD4( GFM01(SBOX(i)), GFM01(SBOX(i)), GFM03(SBOX(i)), GFM02(SBOX(i)) ) )
-
-/*
- * The inverse T-tables
- */
-#define G_TInv0(i) \
-    ( WORD4( GFM0E(SINV(i)), GFM09(SINV(i)), GFM0D(SINV(i)), GFM0B(SINV(i)) ) )
-#define G_TInv1(i) \
-    ( WORD4( GFM0B(SINV(i)), GFM0E(SINV(i)), GFM09(SINV(i)), GFM0D(SINV(i)) ) )
-#define G_TInv2(i) \
-    ( WORD4( GFM0D(SINV(i)), GFM0B(SINV(i)), GFM0E(SINV(i)), GFM09(SINV(i)) ) )
-#define G_TInv3(i) \
-    ( WORD4( GFM09(SINV(i)), GFM0D(SINV(i)), GFM0B(SINV(i)), GFM0E(SINV(i)) ) )
-
-/*
- * The inverse mix column tables
- */
-#define G_IMXC0(i) \
-    ( WORD4( GFM0E(i), GFM09(i), GFM0D(i), GFM0B(i) ) )
-#define G_IMXC1(i) \
-    ( WORD4( GFM0B(i), GFM0E(i), GFM09(i), GFM0D(i) ) )
-#define G_IMXC2(i) \
-    ( WORD4( GFM0D(i), GFM0B(i), GFM0E(i), GFM09(i) ) )
-#define G_IMXC3(i) \
-    ( WORD4( GFM09(i), GFM0D(i), GFM0B(i), GFM0E(i) ) )
-
-/* Now choose the T-table indexing method */
-#if defined(RIJNDAEL_GENERATE_VALUES)
-/* generate values for the tables with a function*/
-static PRUint32 gen_TInvXi(PRUint8 tx, PRUint8 i)
-{
-    PRUint8 si01, si02, si03, si04, si08, si09, si0B, si0D, si0E;
-    si01 = SINV(i);
-    si02 = XTIME(si01);
-    si04 = XTIME(si02);
-    si08 = XTIME(si04);
-    si03 = si02 ^ si01;
-    si09 = si08 ^ si01;
-    si0B = si08 ^ si03;
-    si0D = si09 ^ si04;
-    si0E = si08 ^ si04 ^ si02;
-    switch (tx) {
-    case 0:
-	return WORD4(si0E, si09, si0D, si0B);
-    case 1:
-	return WORD4(si0B, si0E, si09, si0D);
-    case 2:
-	return WORD4(si0D, si0B, si0E, si09);
-    case 3:
-	return WORD4(si09, si0D, si0B, si0E);
-    }
-    return -1;
-}
-#define T0(i)    G_T0(i)
-#define T1(i)    G_T1(i)
-#define T2(i)    G_T2(i)
-#define T3(i)    G_T3(i)
-#define TInv0(i) gen_TInvXi(0, i)
-#define TInv1(i) gen_TInvXi(1, i)
-#define TInv2(i) gen_TInvXi(2, i)
-#define TInv3(i) gen_TInvXi(3, i)
-#define IMXC0(b) G_IMXC0(b)
-#define IMXC1(b) G_IMXC1(b)
-#define IMXC2(b) G_IMXC2(b)
-#define IMXC3(b) G_IMXC3(b)
-#elif defined(RIJNDAEL_GENERATE_VALUES_MACRO)
-/* generate values for the tables with macros */
-#define T0(i)    G_T0(i)
-#define T1(i)    G_T1(i)
-#define T2(i)    G_T2(i)
-#define T3(i)    G_T3(i)
-#define TInv0(i) G_TInv0(i)
-#define TInv1(i) G_TInv1(i)
-#define TInv2(i) G_TInv2(i)
-#define TInv3(i) G_TInv3(i)
-#define IMXC0(b) G_IMXC0(b)
-#define IMXC1(b) G_IMXC1(b)
-#define IMXC2(b) G_IMXC2(b)
-#define IMXC3(b) G_IMXC3(b)
-#else  /* RIJNDAEL_GENERATE_TABLES or RIJNDAEL_GENERATE_TABLES_MACRO */
-/* Generate T and T**-1 table values and store, then index */
-/* The inverse mix column tables are still generated */
-#define T0(i)    rijndaelTables->T0[i]
-#define T1(i)    rijndaelTables->T1[i]
-#define T2(i)    rijndaelTables->T2[i]
-#define T3(i)    rijndaelTables->T3[i]
-#define TInv0(i) rijndaelTables->TInv0[i]
-#define TInv1(i) rijndaelTables->TInv1[i]
-#define TInv2(i) rijndaelTables->TInv2[i]
-#define TInv3(i) rijndaelTables->TInv3[i]
-#define IMXC0(b) G_IMXC0(b)
-#define IMXC1(b) G_IMXC1(b)
-#define IMXC2(b) G_IMXC2(b)
-#define IMXC3(b) G_IMXC3(b)
-#endif /* choose T-table indexing method */
-
-#endif /* not RIJNDAEL_INCLUDE_TABLES */
-
-#if defined(RIJNDAEL_GENERATE_TABLES) ||  \
-    defined(RIJNDAEL_GENERATE_TABLES_MACRO)
-
-/* Code to generate and store the tables */
-
-struct rijndael_tables_str {
-    PRUint32 T0[256];
-    PRUint32 T1[256];
-    PRUint32 T2[256];
-    PRUint32 T3[256];
-    PRUint32 TInv0[256];
-    PRUint32 TInv1[256];
-    PRUint32 TInv2[256];
-    PRUint32 TInv3[256];
-};
-
-static struct rijndael_tables_str *rijndaelTables = NULL;
-static PRCallOnceType coRTInit = { 0, 0, 0 };
-static PRStatus 
-init_rijndael_tables(void)
-{
-    PRUint32 i;
-    PRUint8 si01, si02, si03, si04, si08, si09, si0B, si0D, si0E;
-    struct rijndael_tables_str *rts;
-    rts = (struct rijndael_tables_str *)
-                   PORT_Alloc(sizeof(struct rijndael_tables_str));
-    if (!rts) return PR_FAILURE;
-    for (i=0; i<256; i++) {
-	/* The forward values */
-	si01 = SBOX(i);
-	si02 = XTIME(si01);
-	si03 = si02 ^ si01;
-	rts->T0[i] = WORD4(si02, si01, si01, si03);
-	rts->T1[i] = WORD4(si03, si02, si01, si01);
-	rts->T2[i] = WORD4(si01, si03, si02, si01);
-	rts->T3[i] = WORD4(si01, si01, si03, si02);
-	/* The inverse values */
-	si01 = SINV(i);
-	si02 = XTIME(si01);
-	si04 = XTIME(si02);
-	si08 = XTIME(si04);
-	si03 = si02 ^ si01;
-	si09 = si08 ^ si01;
-	si0B = si08 ^ si03;
-	si0D = si09 ^ si04;
-	si0E = si08 ^ si04 ^ si02;
-	rts->TInv0[i] = WORD4(si0E, si09, si0D, si0B);
-	rts->TInv1[i] = WORD4(si0B, si0E, si09, si0D);
-	rts->TInv2[i] = WORD4(si0D, si0B, si0E, si09);
-	rts->TInv3[i] = WORD4(si09, si0D, si0B, si0E);
-    }
-    /* wait until all the values are in to set */
-    rijndaelTables = rts;
-    return PR_SUCCESS;
-}
-
-#endif /* code to generate tables */
-
-/**************************************************************************
- *
- * Stuff related to the Rijndael key schedule
- *
- *************************************************************************/
-
-#define SUBBYTE(w) \
-    ((SBOX((w >> 24) & 0xff) << 24) | \
-     (SBOX((w >> 16) & 0xff) << 16) | \
-     (SBOX((w >>  8) & 0xff) <<  8) | \
-     (SBOX((w      ) & 0xff)         ))
-
-#ifdef IS_LITTLE_ENDIAN
-#define ROTBYTE(b) \
-    ((b >> 8) | (b << 24))
-#else
-#define ROTBYTE(b) \
-    ((b << 8) | (b >> 24))
-#endif
-
-/* rijndael_key_expansion7
- *
- * Generate the expanded key from the key input by the user.
- * XXX
- * Nk == 7 (224 key bits) is a weird case.  Since Nk > 6, an added SubByte
- * transformation is done periodically.  The period is every 4 bytes, and
- * since 7%4 != 0 this happens at different times for each key word (unlike
- * Nk == 8 where it happens twice in every key word, in the same positions).
- * For now, I'm implementing this case "dumbly", w/o any unrolling.
- */
-static SECStatus
-rijndael_key_expansion7(AESContext *cx, const unsigned char *key, unsigned int Nk)
-{
-    unsigned int i;
-    PRUint32 *W;
-    PRUint32 *pW;
-    PRUint32 tmp;
-    W = cx->expandedKey;
-    /* 1.  the first Nk words contain the cipher key */
-    memcpy(W, key, Nk * 4);
-    i = Nk;
-    /* 2.  loop until full expanded key is obtained */
-    pW = W + i - 1;
-    for (; i < cx->Nb * (cx->Nr + 1); ++i) {
-	tmp = *pW++;
-	if (i % Nk == 0)
-	    tmp = SUBBYTE(ROTBYTE(tmp)) ^ Rcon[i / Nk - 1];
-	else if (i % Nk == 4)
-	    tmp = SUBBYTE(tmp);
-	*pW = W[i - Nk] ^ tmp;
-    }
-    return SECSuccess;
-}
-
-/* rijndael_key_expansion
- *
- * Generate the expanded key from the key input by the user.
- */
-static SECStatus
-rijndael_key_expansion(AESContext *cx, const unsigned char *key, unsigned int Nk)
-{
-    unsigned int i;
-    PRUint32 *W;
-    PRUint32 *pW;
-    PRUint32 tmp;
-    unsigned int round_key_words = cx->Nb * (cx->Nr + 1);
-    if (Nk == 7)
-	return rijndael_key_expansion7(cx, key, Nk);
-    W = cx->expandedKey;
-    /* The first Nk words contain the input cipher key */
-    memcpy(W, key, Nk * 4);
-    i = Nk;
-    pW = W + i - 1;
-    /* Loop over all sets of Nk words, except the last */
-    while (i < round_key_words - Nk) {
-	tmp = *pW++;
-	tmp = SUBBYTE(ROTBYTE(tmp)) ^ Rcon[i / Nk - 1];
-	*pW = W[i++ - Nk] ^ tmp;
-	tmp = *pW++; *pW = W[i++ - Nk] ^ tmp;
-	tmp = *pW++; *pW = W[i++ - Nk] ^ tmp;
-	tmp = *pW++; *pW = W[i++ - Nk] ^ tmp;
-	if (Nk == 4)
-	    continue;
-	switch (Nk) {
-	case 8: tmp = *pW++; tmp = SUBBYTE(tmp); *pW = W[i++ - Nk] ^ tmp;
-	case 7: tmp = *pW++; *pW = W[i++ - Nk] ^ tmp;
-	case 6: tmp = *pW++; *pW = W[i++ - Nk] ^ tmp;
-	case 5: tmp = *pW++; *pW = W[i++ - Nk] ^ tmp;
-	}
-    }
-    /* Generate the last word */
-    tmp = *pW++;
-    tmp = SUBBYTE(ROTBYTE(tmp)) ^ Rcon[i / Nk - 1];
-    *pW = W[i++ - Nk] ^ tmp;
-    /* There may be overflow here, if Nk % (Nb * (Nr + 1)) > 0.  However,
-     * since the above loop generated all but the last Nk key words, there
-     * is no more need for the SubByte transformation.
-     */
-    if (Nk < 8) {
-	for (; i < round_key_words; ++i) {
-	    tmp = *pW++; 
-	    *pW = W[i - Nk] ^ tmp;
-	}
-    } else {
-	/* except in the case when Nk == 8.  Then one more SubByte may have
-	 * to be performed, at i % Nk == 4.
-	 */
-	for (; i < round_key_words; ++i) {
-	    tmp = *pW++;
-	    if (i % Nk == 4)
-		tmp = SUBBYTE(tmp);
-	    *pW = W[i - Nk] ^ tmp;
-	}
-    }
-    return SECSuccess;
-}
-
-/* rijndael_invkey_expansion
- *
- * Generate the expanded key for the inverse cipher from the key input by 
- * the user.
- */
-static SECStatus
-rijndael_invkey_expansion(AESContext *cx, const unsigned char *key, unsigned int Nk)
-{
-    unsigned int r;
-    PRUint32 *roundkeyw;
-    PRUint8 *b;
-    int Nb = cx->Nb;
-    /* begins like usual key expansion ... */
-    if (rijndael_key_expansion(cx, key, Nk) != SECSuccess)
-	return SECFailure;
-    /* ... but has the additional step of InvMixColumn,
-     * excepting the first and last round keys.
-     */
-    roundkeyw = cx->expandedKey + cx->Nb;
-    for (r=1; r<cx->Nr; ++r) {
-	/* each key word, roundkeyw, represents a column in the key
-	 * matrix.  Each column is multiplied by the InvMixColumn matrix.
-	 *   [ 0E 0B 0D 09 ]   [ b0 ]
-	 *   [ 09 0E 0B 0D ] * [ b1 ]
-	 *   [ 0D 09 0E 0B ]   [ b2 ]
-	 *   [ 0B 0D 09 0E ]   [ b3 ]
-	 */
-	b = (PRUint8 *)roundkeyw;
-	*roundkeyw++ = IMXC0(b[0]) ^ IMXC1(b[1]) ^ IMXC2(b[2]) ^ IMXC3(b[3]);
-	b = (PRUint8 *)roundkeyw;
-	*roundkeyw++ = IMXC0(b[0]) ^ IMXC1(b[1]) ^ IMXC2(b[2]) ^ IMXC3(b[3]);
-	b = (PRUint8 *)roundkeyw;
-	*roundkeyw++ = IMXC0(b[0]) ^ IMXC1(b[1]) ^ IMXC2(b[2]) ^ IMXC3(b[3]);
-	b = (PRUint8 *)roundkeyw;
-	*roundkeyw++ = IMXC0(b[0]) ^ IMXC1(b[1]) ^ IMXC2(b[2]) ^ IMXC3(b[3]);
-	if (Nb <= 4)
-	    continue;
-	switch (Nb) {
-	case 8: b = (PRUint8 *)roundkeyw;
-	        *roundkeyw++ = IMXC0(b[0]) ^ IMXC1(b[1]) ^ 
-	                       IMXC2(b[2]) ^ IMXC3(b[3]);
-	case 7: b = (PRUint8 *)roundkeyw;
-	        *roundkeyw++ = IMXC0(b[0]) ^ IMXC1(b[1]) ^ 
-	                       IMXC2(b[2]) ^ IMXC3(b[3]);
-	case 6: b = (PRUint8 *)roundkeyw;
-	        *roundkeyw++ = IMXC0(b[0]) ^ IMXC1(b[1]) ^ 
-	                       IMXC2(b[2]) ^ IMXC3(b[3]);
-	case 5: b = (PRUint8 *)roundkeyw;
-	        *roundkeyw++ = IMXC0(b[0]) ^ IMXC1(b[1]) ^ 
-	                       IMXC2(b[2]) ^ IMXC3(b[3]);
-	}
-    }
-    return SECSuccess;
-}
-/**************************************************************************
- *
- * Stuff related to Rijndael encryption/decryption, optimized for
- * a 128-bit blocksize.
- *
- *************************************************************************/
-
-#ifdef IS_LITTLE_ENDIAN
-#define BYTE0WORD(w) ((w) & 0x000000ff)
-#define BYTE1WORD(w) ((w) & 0x0000ff00)
-#define BYTE2WORD(w) ((w) & 0x00ff0000)
-#define BYTE3WORD(w) ((w) & 0xff000000)
-#else
-#define BYTE0WORD(w) ((w) & 0xff000000)
-#define BYTE1WORD(w) ((w) & 0x00ff0000)
-#define BYTE2WORD(w) ((w) & 0x0000ff00)
-#define BYTE3WORD(w) ((w) & 0x000000ff)
-#endif
-
-typedef union {
-    PRUint32 w[4];
-    PRUint8  b[16];
-} rijndael_state;
-
-#define COLUMN_0(state) state.w[0]
-#define COLUMN_1(state) state.w[1]
-#define COLUMN_2(state) state.w[2]
-#define COLUMN_3(state) state.w[3]
-
-#define STATE_BYTE(i) state.b[i]
-
-static SECStatus 
-rijndael_encryptBlock128(AESContext *cx, 
-                         unsigned char *output,
-                         const unsigned char *input)
-{
-    unsigned int r;
-    PRUint32 *roundkeyw;
-    rijndael_state state;
-    PRUint32 C0, C1, C2, C3;
-#if defined(_X86_)
-#define pIn input
-#define pOut output
-#else
-    unsigned char *pIn, *pOut;
-    PRUint32 inBuf[4], outBuf[4];
-
-    if ((ptrdiff_t)input & 0x3) {
-	memcpy(inBuf, input, sizeof inBuf);
-	pIn = (unsigned char *)inBuf;
-    } else {
-	pIn = (unsigned char *)input;
-    }
-    if ((ptrdiff_t)output & 0x3) {
-	pOut = (unsigned char *)outBuf;
-    } else {
-	pOut = (unsigned char *)output;
-    }
-#endif
-    roundkeyw = cx->expandedKey;
-    /* Step 1: Add Round Key 0 to initial state */
-    COLUMN_0(state) = *((PRUint32 *)(pIn     )) ^ *roundkeyw++;
-    COLUMN_1(state) = *((PRUint32 *)(pIn + 4 )) ^ *roundkeyw++;
-    COLUMN_2(state) = *((PRUint32 *)(pIn + 8 )) ^ *roundkeyw++;
-    COLUMN_3(state) = *((PRUint32 *)(pIn + 12)) ^ *roundkeyw++;
-    /* Step 2: Loop over rounds [1..NR-1] */
-    for (r=1; r<cx->Nr; ++r) {
-        /* Do ShiftRow, ByteSub, and MixColumn all at once */
-	C0 = T0(STATE_BYTE(0))  ^
-	     T1(STATE_BYTE(5))  ^
-	     T2(STATE_BYTE(10)) ^
-	     T3(STATE_BYTE(15));
-	C1 = T0(STATE_BYTE(4))  ^
-	     T1(STATE_BYTE(9))  ^
-	     T2(STATE_BYTE(14)) ^
-	     T3(STATE_BYTE(3));
-	C2 = T0(STATE_BYTE(8))  ^
-	     T1(STATE_BYTE(13)) ^
-	     T2(STATE_BYTE(2))  ^
-	     T3(STATE_BYTE(7));
-	C3 = T0(STATE_BYTE(12)) ^
-	     T1(STATE_BYTE(1))  ^
-	     T2(STATE_BYTE(6))  ^
-	     T3(STATE_BYTE(11));
-	/* Round key addition */
-	COLUMN_0(state) = C0 ^ *roundkeyw++;
-	COLUMN_1(state) = C1 ^ *roundkeyw++;
-	COLUMN_2(state) = C2 ^ *roundkeyw++;
-	COLUMN_3(state) = C3 ^ *roundkeyw++;
-    }
-    /* Step 3: Do the last round */
-    /* Final round does not employ MixColumn */
-    C0 = ((BYTE0WORD(T2(STATE_BYTE(0))))   |
-          (BYTE1WORD(T3(STATE_BYTE(5))))   |
-          (BYTE2WORD(T0(STATE_BYTE(10))))  |
-          (BYTE3WORD(T1(STATE_BYTE(15)))))  ^
-          *roundkeyw++;
-    C1 = ((BYTE0WORD(T2(STATE_BYTE(4))))   |
-          (BYTE1WORD(T3(STATE_BYTE(9))))   |
-          (BYTE2WORD(T0(STATE_BYTE(14))))  |
-          (BYTE3WORD(T1(STATE_BYTE(3)))))   ^
-          *roundkeyw++;
-    C2 = ((BYTE0WORD(T2(STATE_BYTE(8))))   |
-          (BYTE1WORD(T3(STATE_BYTE(13))))  |
-          (BYTE2WORD(T0(STATE_BYTE(2))))   |
-          (BYTE3WORD(T1(STATE_BYTE(7)))))   ^
-          *roundkeyw++;
-    C3 = ((BYTE0WORD(T2(STATE_BYTE(12))))  |
-          (BYTE1WORD(T3(STATE_BYTE(1))))   |
-          (BYTE2WORD(T0(STATE_BYTE(6))))   |
-          (BYTE3WORD(T1(STATE_BYTE(11)))))  ^
-          *roundkeyw++;
-    *((PRUint32 *) pOut     )  = C0;
-    *((PRUint32 *)(pOut + 4))  = C1;
-    *((PRUint32 *)(pOut + 8))  = C2;
-    *((PRUint32 *)(pOut + 12)) = C3;
-#if defined(_X86_)
-#undef pIn
-#undef pOut
-#else
-    if ((ptrdiff_t)output & 0x3) {
-	memcpy(output, outBuf, sizeof outBuf);
-    }
-#endif
-    return SECSuccess;
-}
-
-static SECStatus 
-rijndael_decryptBlock128(AESContext *cx, 
-                         unsigned char *output,
-                         const unsigned char *input)
-{
-    int r;
-    PRUint32 *roundkeyw;
-    rijndael_state state;
-    PRUint32 C0, C1, C2, C3;
-#if defined(_X86_)
-#define pIn input
-#define pOut output
-#else
-    unsigned char *pIn, *pOut;
-    PRUint32 inBuf[4], outBuf[4];
-
-    if ((ptrdiff_t)input & 0x3) {
-	memcpy(inBuf, input, sizeof inBuf);
-	pIn = (unsigned char *)inBuf;
-    } else {
-	pIn = (unsigned char *)input;
-    }
-    if ((ptrdiff_t)output & 0x3) {
-	pOut = (unsigned char *)outBuf;
-    } else {
-	pOut = (unsigned char *)output;
-    }
-#endif
-    roundkeyw = cx->expandedKey + cx->Nb * cx->Nr + 3;
-    /* reverse the final key addition */
-    COLUMN_3(state) = *((PRUint32 *)(pIn + 12)) ^ *roundkeyw--;
-    COLUMN_2(state) = *((PRUint32 *)(pIn +  8)) ^ *roundkeyw--;
-    COLUMN_1(state) = *((PRUint32 *)(pIn +  4)) ^ *roundkeyw--;
-    COLUMN_0(state) = *((PRUint32 *)(pIn     )) ^ *roundkeyw--;
-    /* Loop over rounds in reverse [NR..1] */
-    for (r=cx->Nr; r>1; --r) {
-	/* Invert the (InvByteSub*InvMixColumn)(InvShiftRow(state)) */
-	C0 = TInv0(STATE_BYTE(0))  ^
-	     TInv1(STATE_BYTE(13)) ^
-	     TInv2(STATE_BYTE(10)) ^
-	     TInv3(STATE_BYTE(7));
-	C1 = TInv0(STATE_BYTE(4))  ^
-	     TInv1(STATE_BYTE(1))  ^
-	     TInv2(STATE_BYTE(14)) ^
-	     TInv3(STATE_BYTE(11));
-	C2 = TInv0(STATE_BYTE(8))  ^
-	     TInv1(STATE_BYTE(5))  ^
-	     TInv2(STATE_BYTE(2))  ^
-	     TInv3(STATE_BYTE(15));
-	C3 = TInv0(STATE_BYTE(12)) ^
-	     TInv1(STATE_BYTE(9))  ^
-	     TInv2(STATE_BYTE(6))  ^
-	     TInv3(STATE_BYTE(3));
-	/* Invert the key addition step */
-	COLUMN_3(state) = C3 ^ *roundkeyw--;
-	COLUMN_2(state) = C2 ^ *roundkeyw--;
-	COLUMN_1(state) = C1 ^ *roundkeyw--;
-	COLUMN_0(state) = C0 ^ *roundkeyw--;
-    }
-    /* inverse sub */
-    pOut[ 0] = SINV(STATE_BYTE( 0));
-    pOut[ 1] = SINV(STATE_BYTE(13));
-    pOut[ 2] = SINV(STATE_BYTE(10));
-    pOut[ 3] = SINV(STATE_BYTE( 7));
-    pOut[ 4] = SINV(STATE_BYTE( 4));
-    pOut[ 5] = SINV(STATE_BYTE( 1));
-    pOut[ 6] = SINV(STATE_BYTE(14));
-    pOut[ 7] = SINV(STATE_BYTE(11));
-    pOut[ 8] = SINV(STATE_BYTE( 8));
-    pOut[ 9] = SINV(STATE_BYTE( 5));
-    pOut[10] = SINV(STATE_BYTE( 2));
-    pOut[11] = SINV(STATE_BYTE(15));
-    pOut[12] = SINV(STATE_BYTE(12));
-    pOut[13] = SINV(STATE_BYTE( 9));
-    pOut[14] = SINV(STATE_BYTE( 6));
-    pOut[15] = SINV(STATE_BYTE( 3));
-    /* final key addition */
-    *((PRUint32 *)(pOut + 12)) ^= *roundkeyw--;
-    *((PRUint32 *)(pOut +  8)) ^= *roundkeyw--;
-    *((PRUint32 *)(pOut +  4)) ^= *roundkeyw--;
-    *((PRUint32 *) pOut      ) ^= *roundkeyw--;
-#if defined(_X86_)
-#undef pIn
-#undef pOut
-#else
-    if ((ptrdiff_t)output & 0x3) {
-	memcpy(output, outBuf, sizeof outBuf);
-    }
-#endif
-    return SECSuccess;
-}
-
-/**************************************************************************
- *
- * Stuff related to general Rijndael encryption/decryption, for blocksizes
- * greater than 128 bits.
- *
- * XXX This code is currently untested!  So far, AES specs have only been
- *     released for 128 bit blocksizes.  This will be tested, but for now
- *     only the code above has been tested using known values.
- *
- *************************************************************************/
-
-#define COLUMN(array, j) *((PRUint32 *)(array + j))
-
-SECStatus 
-rijndael_encryptBlock(AESContext *cx, 
-                      unsigned char *output,
-                      const unsigned char *input)
-{
-    return SECFailure;
-#ifdef rijndael_large_blocks_fixed
-    unsigned int j, r, Nb;
-    unsigned int c2=0, c3=0;
-    PRUint32 *roundkeyw;
-    PRUint8 clone[RIJNDAEL_MAX_STATE_SIZE];
-    Nb = cx->Nb;
-    roundkeyw = cx->expandedKey;
-    /* Step 1: Add Round Key 0 to initial state */
-    for (j=0; j<4*Nb; j+=4) {
-	COLUMN(clone, j) = COLUMN(input, j) ^ *roundkeyw++;
-    }
-    /* Step 2: Loop over rounds [1..NR-1] */
-    for (r=1; r<cx->Nr; ++r) {
-	for (j=0; j<Nb; ++j) {
-	    COLUMN(output, j) = T0(STATE_BYTE(4*  j          )) ^
-	                        T1(STATE_BYTE(4*((j+ 1)%Nb)+1)) ^
-	                        T2(STATE_BYTE(4*((j+c2)%Nb)+2)) ^
-	                        T3(STATE_BYTE(4*((j+c3)%Nb)+3));
-	}
-	for (j=0; j<4*Nb; j+=4) {
-	    COLUMN(clone, j) = COLUMN(output, j) ^ *roundkeyw++;
-	}
-    }
-    /* Step 3: Do the last round */
-    /* Final round does not employ MixColumn */
-    for (j=0; j<Nb; ++j) {
-	COLUMN(output, j) = ((BYTE0WORD(T2(STATE_BYTE(4* j         ))))  |
-                             (BYTE1WORD(T3(STATE_BYTE(4*(j+ 1)%Nb)+1)))  |
-                             (BYTE2WORD(T0(STATE_BYTE(4*(j+c2)%Nb)+2)))  |
-                             (BYTE3WORD(T1(STATE_BYTE(4*(j+c3)%Nb)+3)))) ^
-	                     *roundkeyw++;
-    }
-    return SECSuccess;
-#endif
-}
-
-SECStatus 
-rijndael_decryptBlock(AESContext *cx, 
-                      unsigned char *output,
-                      const unsigned char *input)
-{
-    return SECFailure;
-#ifdef rijndael_large_blocks_fixed
-    int j, r, Nb;
-    int c2=0, c3=0;
-    PRUint32 *roundkeyw;
-    PRUint8 clone[RIJNDAEL_MAX_STATE_SIZE];
-    Nb = cx->Nb;
-    roundkeyw = cx->expandedKey + cx->Nb * cx->Nr + 3;
-    /* reverse key addition */
-    for (j=4*Nb; j>=0; j-=4) {
-	COLUMN(clone, j) = COLUMN(input, j) ^ *roundkeyw--;
-    }
-    /* Loop over rounds in reverse [NR..1] */
-    for (r=cx->Nr; r>1; --r) {
-	/* Invert the (InvByteSub*InvMixColumn)(InvShiftRow(state)) */
-	for (j=0; j<Nb; ++j) {
-	    COLUMN(output, 4*j) = TInv0(STATE_BYTE(4* j            )) ^
-	                          TInv1(STATE_BYTE(4*(j+Nb- 1)%Nb)+1) ^
-	                          TInv2(STATE_BYTE(4*(j+Nb-c2)%Nb)+2) ^
-	                          TInv3(STATE_BYTE(4*(j+Nb-c3)%Nb)+3);
-	}
-	/* Invert the key addition step */
-	for (j=4*Nb; j>=0; j-=4) {
-	    COLUMN(clone, j) = COLUMN(output, j) ^ *roundkeyw--;
-	}
-    }
-    /* inverse sub */
-    for (j=0; j<4*Nb; ++j) {
-	output[j] = SINV(clone[j]);
-    }
-    /* final key addition */
-    for (j=4*Nb; j>=0; j-=4) {
-	COLUMN(output, j) ^= *roundkeyw--;
-    }
-    return SECSuccess;
-#endif
-}
-
-/**************************************************************************
- *
- *  Rijndael modes of operation (ECB and CBC)
- *
- *************************************************************************/
-
-static SECStatus 
-rijndael_encryptECB(AESContext *cx, unsigned char *output,
-                    unsigned int *outputLen, unsigned int maxOutputLen,
-                    const unsigned char *input, unsigned int inputLen, 
-                    unsigned int blocksize)
-{
-    SECStatus rv;
-    AESBlockFunc *encryptor;
-    encryptor = (blocksize == RIJNDAEL_MIN_BLOCKSIZE) 
-				  ? &rijndael_encryptBlock128 
-				  : &rijndael_encryptBlock;
-    while (inputLen > 0) {
-        rv = (*encryptor)(cx, output, input);
-	if (rv != SECSuccess)
-	    return rv;
-	output += blocksize;
-	input += blocksize;
-	inputLen -= blocksize;
-    }
-    return SECSuccess;
-}
-
-static SECStatus 
-rijndael_encryptCBC(AESContext *cx, unsigned char *output,
-                    unsigned int *outputLen, unsigned int maxOutputLen,
-                    const unsigned char *input, unsigned int inputLen, 
-                    unsigned int blocksize)
-{
-    unsigned int j;
-    SECStatus rv;
-    AESBlockFunc *encryptor;
-    unsigned char *lastblock;
-    unsigned char inblock[RIJNDAEL_MAX_STATE_SIZE * 8];
-
-    if (!inputLen)
-	return SECSuccess;
-    lastblock = cx->iv;
-    encryptor = (blocksize == RIJNDAEL_MIN_BLOCKSIZE) 
-				  ? &rijndael_encryptBlock128 
-				  : &rijndael_encryptBlock;
-    while (inputLen > 0) {
-	/* XOR with the last block (IV if first block) */
-	for (j=0; j<blocksize; ++j)
-	    inblock[j] = input[j] ^ lastblock[j];
-	/* encrypt */
-        rv = (*encryptor)(cx, output, inblock);
-	if (rv != SECSuccess)
-	    return rv;
-	/* move to the next block */
-	lastblock = output;
-	output += blocksize;
-	input += blocksize;
-	inputLen -= blocksize;
-    }
-    memcpy(cx->iv, lastblock, blocksize);
-    return SECSuccess;
-}
-
-static SECStatus 
-rijndael_decryptECB(AESContext *cx, unsigned char *output,
-                    unsigned int *outputLen, unsigned int maxOutputLen,
-                    const unsigned char *input, unsigned int inputLen, 
-                    unsigned int blocksize)
-{
-    SECStatus rv;
-    AESBlockFunc *decryptor;
-    decryptor = (blocksize == RIJNDAEL_MIN_BLOCKSIZE) 
-				  ? &rijndael_decryptBlock128 
-				  : &rijndael_decryptBlock;
-    while (inputLen > 0) {
-        rv = (*decryptor)(cx, output, input);
-	if (rv != SECSuccess)
-	    return rv;
-	output += blocksize;
-	input += blocksize;
-	inputLen -= blocksize;
-    }
-    return SECSuccess;
-}
-
-static SECStatus 
-rijndael_decryptCBC(AESContext *cx, unsigned char *output,
-                    unsigned int *outputLen, unsigned int maxOutputLen,
-                    const unsigned char *input, unsigned int inputLen, 
-                    unsigned int blocksize)
-{
-    SECStatus rv;
-    AESBlockFunc *decryptor;
-    const unsigned char *in;
-    unsigned char *out;
-    unsigned int j;
-    unsigned char newIV[RIJNDAEL_MAX_BLOCKSIZE];
-
-    if (!inputLen) 
-	return SECSuccess;
-    PORT_Assert(output - input >= 0 || input - output >= (int)inputLen );
-    decryptor = (blocksize == RIJNDAEL_MIN_BLOCKSIZE) 
-                                  ? &rijndael_decryptBlock128 
-				  : &rijndael_decryptBlock;
-    in  = input  + (inputLen - blocksize);
-    memcpy(newIV, in, blocksize);
-    out = output + (inputLen - blocksize);
-    while (inputLen > blocksize) {
-        rv = (*decryptor)(cx, out, in);
-	if (rv != SECSuccess)
-	    return rv;
-	for (j=0; j<blocksize; ++j)
-	    out[j] ^= in[(int)(j - blocksize)];
-	out -= blocksize;
-	in -= blocksize;
-	inputLen -= blocksize;
-    }
-    if (in == input) {
-        rv = (*decryptor)(cx, out, in);
-	if (rv != SECSuccess)
-	    return rv;
-	for (j=0; j<blocksize; ++j)
-	    out[j] ^= cx->iv[j];
-    }
-    memcpy(cx->iv, newIV, blocksize);
-    return SECSuccess;
-}
-
-/************************************************************************
- *
- * BLAPI Interface functions
- *
- * The following functions implement the encryption routines defined in
- * BLAPI for the AES cipher, Rijndael.
- *
- ***********************************************************************/
-
-AESContext * AES_AllocateContext(void)
-{
-    return PORT_ZNew(AESContext);
-}
-
-SECStatus   
-AES_InitContext(AESContext *cx, const unsigned char *key, unsigned int keysize, 
-	        const unsigned char *iv, int mode, unsigned int encrypt,
-	        unsigned int blocksize)
-{
-    unsigned int Nk;
-    /* According to Rijndael AES Proposal, section 12.1, block and key
-     * lengths between 128 and 256 bits are supported, as long as the
-     * length in bytes is divisible by 4.
-     */
-    if (key == NULL || 
-        keysize < RIJNDAEL_MIN_BLOCKSIZE   || 
-	keysize > RIJNDAEL_MAX_BLOCKSIZE   || 
-	keysize % 4 != 0 ||
-        blocksize < RIJNDAEL_MIN_BLOCKSIZE || 
-	blocksize > RIJNDAEL_MAX_BLOCKSIZE || 
-	blocksize % 4 != 0) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    if (mode != NSS_AES && mode != NSS_AES_CBC) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    if (mode == NSS_AES_CBC && iv == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    if (!cx) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-    	return SECFailure;
-    }
-    /* Nb = (block size in bits) / 32 */
-    cx->Nb = blocksize / 4;
-    /* Nk = (key size in bits) / 32 */
-    Nk = keysize / 4;
-    /* Obtain number of rounds from "table" */
-    cx->Nr = RIJNDAEL_NUM_ROUNDS(Nk, cx->Nb);
-    /* copy in the iv, if neccessary */
-    if (mode == NSS_AES_CBC) {
-	memcpy(cx->iv, iv, blocksize);
-	cx->worker = (encrypt) ? &rijndael_encryptCBC : &rijndael_decryptCBC;
-    } else {
-	cx->worker = (encrypt) ? &rijndael_encryptECB : &rijndael_decryptECB;
-    }
-    PORT_Assert((cx->Nb * (cx->Nr + 1)) <= RIJNDAEL_MAX_EXP_KEY_SIZE);
-    if ((cx->Nb * (cx->Nr + 1)) > RIJNDAEL_MAX_EXP_KEY_SIZE) {
-	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	goto cleanup;
-    }
-    /* Generate expanded key */
-    if (encrypt) {
-	if (rijndael_key_expansion(cx, key, Nk) != SECSuccess)
-	    goto cleanup;
-    } else {
-	if (rijndael_invkey_expansion(cx, key, Nk) != SECSuccess)
-	    goto cleanup;
-    }
-    return SECSuccess;
-cleanup:
-    return SECFailure;
-}
-
-
-/* AES_CreateContext
- *
- * create a new context for Rijndael operations
- */
-AESContext *
-AES_CreateContext(const unsigned char *key, const unsigned char *iv, 
-                  int mode, int encrypt,
-                  unsigned int keysize, unsigned int blocksize)
-{
-    AESContext *cx = AES_AllocateContext();
-    if (cx) {
-	SECStatus rv = AES_InitContext(cx, key, keysize, iv, mode, encrypt,
-				       blocksize);
-	if (rv != SECSuccess) {
-	    AES_DestroyContext(cx, PR_TRUE);
-	    cx = NULL;
-	}
-    }
-    return cx;
-}
-
-/*
- * AES_DestroyContext
- * 
- * Zero an AES cipher context.  If freeit is true, also free the pointer
- * to the context.
- */
-void 
-AES_DestroyContext(AESContext *cx, PRBool freeit)
-{
-/*  memset(cx, 0, sizeof *cx); */
-    if (freeit)
-	PORT_Free(cx);
-}
-
-/*
- * AES_Encrypt
- *
- * Encrypt an arbitrary-length buffer.  The output buffer must already be
- * allocated to at least inputLen.
- */
-SECStatus 
-AES_Encrypt(AESContext *cx, unsigned char *output,
-            unsigned int *outputLen, unsigned int maxOutputLen,
-            const unsigned char *input, unsigned int inputLen)
-{
-    int blocksize;
-    /* Check args */
-    if (cx == NULL || output == NULL || input == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    blocksize = 4 * cx->Nb;
-    if (inputLen % blocksize != 0) {
-	PORT_SetError(SEC_ERROR_INPUT_LEN);
-	return SECFailure;
-    }
-    if (maxOutputLen < inputLen) {
-	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
-	return SECFailure;
-    }
-    *outputLen = inputLen;
-#if defined(RIJNDAEL_GENERATE_TABLES) ||  \
-    defined(RIJNDAEL_GENERATE_TABLES_MACRO)
-    if (rijndaelTables == NULL) {
-	if (PR_CallOnce(&coRTInit, init_rijndael_tables) 
-	      != PR_SUCCESS) {
-	    return PR_FAILURE;
-	}
-    }
-#endif
-    return (*cx->worker)(cx, output, outputLen, maxOutputLen,	
-                             input, inputLen, blocksize);
-}
-
-/*
- * AES_Decrypt
- *
- * Decrypt and arbitrary-length buffer.  The output buffer must already be
- * allocated to at least inputLen.
- */
-SECStatus 
-AES_Decrypt(AESContext *cx, unsigned char *output,
-            unsigned int *outputLen, unsigned int maxOutputLen,
-            const unsigned char *input, unsigned int inputLen)
-{
-    int blocksize;
-    /* Check args */
-    if (cx == NULL || output == NULL || input == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    blocksize = 4 * cx->Nb;
-    if (inputLen % blocksize != 0) {
-	PORT_SetError(SEC_ERROR_INPUT_LEN);
-	return SECFailure;
-    }
-    if (maxOutputLen < inputLen) {
-	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
-	return SECFailure;
-    }
-    *outputLen = inputLen;
-#if defined(RIJNDAEL_GENERATE_TABLES) ||  \
-    defined(RIJNDAEL_GENERATE_TABLES_MACRO)
-    if (rijndaelTables == NULL) {
-	if (PR_CallOnce(&coRTInit, init_rijndael_tables) 
-	      != PR_SUCCESS) {
-	    return PR_FAILURE;
-	}
-    }
-#endif
-    return (*cx->worker)(cx, output, outputLen, maxOutputLen,	
-                             input, inputLen, blocksize);
-}
-
diff --git a/security/nss/lib/freebl/rijndael.h b/security/nss/lib/freebl/rijndael.h
deleted file mode 100644
index 4ace67528..000000000
--- a/security/nss/lib/freebl/rijndael.h
+++ /dev/null
@@ -1,95 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#ifndef _RIJNDAEL_H_
-#define _RIJNDAEL_H_ 1
-
-#define RIJNDAEL_MIN_BLOCKSIZE 16 /* bytes */
-#define RIJNDAEL_MAX_BLOCKSIZE 32 /* bytes */
-
-typedef SECStatus AESFunc(AESContext *cx, unsigned char *output,
-                          unsigned int *outputLen, unsigned int maxOutputLen,
-                          const unsigned char *input, unsigned int inputLen, 
-                          unsigned int blocksize);
-
-typedef SECStatus AESBlockFunc(AESContext *cx, 
-                               unsigned char *output,
-                               const unsigned char *input);
-
-/* RIJNDAEL_NUM_ROUNDS
- *
- * Number of rounds per execution
- * Nk - number of key bytes
- * Nb - blocksize (in bytes)
- */
-#define RIJNDAEL_NUM_ROUNDS(Nk, Nb) \
-    (PR_MAX(Nk, Nb) + 6)
-
-/* RIJNDAEL_MAX_STATE_SIZE 
- *
- * Maximum number of bytes in the state (spec includes up to 256-bit block
- * size)
- */
-#define RIJNDAEL_MAX_STATE_SIZE 32
-
-/*
- * This magic number is (Nb_max * (Nr_max + 1))
- * where Nb_max is the maximum block size in 32-bit words,
- *       Nr_max is the maximum number of rounds, which is Nb_max + 6
- */
-#define RIJNDAEL_MAX_EXP_KEY_SIZE (8 * 15)
-
-/* AESContextStr
- *
- * Values which maintain the state for Rijndael encryption/decryption.
- *
- * iv          - initialization vector for CBC mode
- * Nb          - the number of bytes in a block, specified by user
- * Nr          - the number of rounds, specified by a table
- * expandedKey - the round keys in 4-byte words, the length is Nr * Nb
- * worker      - the encryption/decryption function to use with this context
- */
-struct AESContextStr
-{
-    unsigned int   Nb;
-    unsigned int   Nr;
-    AESFunc       *worker;
-    unsigned char iv[RIJNDAEL_MAX_BLOCKSIZE];
-    PRUint32      expandedKey[RIJNDAEL_MAX_EXP_KEY_SIZE];
-};
-
-#endif /* _RIJNDAEL_H_ */
diff --git a/security/nss/lib/freebl/rijndael32.tab b/security/nss/lib/freebl/rijndael32.tab
deleted file mode 100644
index 6b78e2e8b..000000000
--- a/security/nss/lib/freebl/rijndael32.tab
+++ /dev/null
@@ -1,1215 +0,0 @@
-#ifndef RIJNDAEL_INCLUDE_TABLES
-static const PRUint8 _S[256] = 
-{
- 99, 124, 119, 123, 242, 107, 111, 197,  48,   1, 103,  43, 254, 215, 171, 118,
-202, 130, 201, 125, 250,  89,  71, 240, 173, 212, 162, 175, 156, 164, 114, 192,
-183, 253, 147,  38,  54,  63, 247, 204,  52, 165, 229, 241, 113, 216,  49,  21,
-  4, 199,  35, 195,  24, 150,   5, 154,   7,  18, 128, 226, 235,  39, 178, 117,
-  9, 131,  44,  26,  27, 110,  90, 160,  82,  59, 214, 179,  41, 227,  47, 132,
- 83, 209,   0, 237,  32, 252, 177,  91, 106, 203, 190,  57,  74,  76,  88, 207,
-208, 239, 170, 251,  67,  77,  51, 133,  69, 249,   2, 127,  80,  60, 159, 168,
- 81, 163,  64, 143, 146, 157,  56, 245, 188, 182, 218,  33,  16, 255, 243, 210,
-205,  12,  19, 236,  95, 151,  68,  23, 196, 167, 126,  61, 100,  93,  25, 115,
- 96, 129,  79, 220,  34,  42, 144, 136,  70, 238, 184,  20, 222,  94,  11, 219,
-224,  50,  58,  10,  73,   6,  36,  92, 194, 211, 172,  98, 145, 149, 228, 121,
-231, 200,  55, 109, 141, 213,  78, 169, 108,  86, 244, 234, 101, 122, 174,   8,
-186, 120,  37,  46,  28, 166, 180, 198, 232, 221, 116,  31,  75, 189, 139, 138,
-112,  62, 181, 102,  72,   3, 246,  14,  97,  53,  87, 185, 134, 193,  29, 158,
-225, 248, 152,  17, 105, 217, 142, 148, 155,  30, 135, 233, 206,  85,  40, 223,
-140, 161, 137,  13, 191, 230,  66, 104,  65, 153,  45,  15, 176,  84, 187,  22 
-};
-#endif /* not RIJNDAEL_INCLUDE_TABLES */
-
-static const PRUint8 _SInv[256] = 
-{
- 82,   9, 106, 213,  48,  54, 165,  56, 191,  64, 163, 158, 129, 243, 215, 251,
-124, 227,  57, 130, 155,  47, 255, 135,  52, 142,  67,  68, 196, 222, 233, 203,
- 84, 123, 148,  50, 166, 194,  35,  61, 238,  76, 149,  11,  66, 250, 195,  78,
-  8,  46, 161, 102,  40, 217,  36, 178, 118,  91, 162,  73, 109, 139, 209,  37,
-114, 248, 246, 100, 134, 104, 152,  22, 212, 164,  92, 204,  93, 101, 182, 146,
-108, 112,  72,  80, 253, 237, 185, 218,  94,  21,  70,  87, 167, 141, 157, 132,
-144, 216, 171,   0, 140, 188, 211,  10, 247, 228,  88,   5, 184, 179,  69,   6,
-208,  44,  30, 143, 202,  63,  15,   2, 193, 175, 189,   3,   1,  19, 138, 107,
- 58, 145,  17,  65,  79, 103, 220, 234, 151, 242, 207, 206, 240, 180, 230, 115,
-150, 172, 116,  34, 231, 173,  53, 133, 226, 249,  55, 232,  28, 117, 223, 110,
- 71, 241,  26, 113,  29,  41, 197, 137, 111, 183,  98,  14, 170,  24, 190,  27,
-252,  86,  62,  75, 198, 210, 121,  32, 154, 219, 192, 254, 120, 205,  90, 244,
- 31, 221, 168,  51, 136,   7, 199,  49, 177,  18,  16,  89,  39, 128, 236,  95,
- 96,  81, 127, 169,  25, 181,  74,  13,  45, 229, 122, 159, 147, 201, 156, 239,
-160, 224,  59,  77, 174,  42, 245, 176, 200, 235, 187,  60, 131,  83, 153,  97,
- 23,  43,   4, 126, 186, 119, 214,  38, 225, 105,  20,  99,  85,  33,  12, 125 
-};
-
-#ifdef RIJNDAEL_INCLUDE_TABLES
-#ifdef IS_LITTLE_ENDIAN
-static const PRUint32 _T0[256] = 
-{
-0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6, 0x0df2f2ff, 0xbd6b6bd6,
-0xb16f6fde, 0x54c5c591, 0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56,
-0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec, 0x45caca8f, 0x9d82821f,
-0x40c9c989, 0x877d7dfa, 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb,
-0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45, 0xbf9c9c23, 0xf7a4a453,
-0x967272e4, 0x5bc0c09b, 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c,
-0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83, 0x5c343468, 0xf4a5a551,
-0x34e5e5d1, 0x08f1f1f9, 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a,
-0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d, 0x28181830, 0xa1969637,
-0x0f05050a, 0xb59a9a2f, 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df,
-0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea, 0x1b090912, 0x9e83831d,
-0x742c2c58, 0x2e1a1a34, 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b,
-0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d, 0x7b292952, 0x3ee3e3dd,
-0x712f2f5e, 0x97848413, 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1,
-0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6, 0xbe6a6ad4, 0x46cbcb8d,
-0xd9bebe67, 0x4b393972, 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85,
-0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed, 0xc5434386, 0xd74d4d9a,
-0x55333366, 0x94858511, 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe,
-0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b, 0xf35151a2, 0xfea3a35d,
-0xc0404080, 0x8a8f8f05, 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1,
-0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142, 0x30101020, 0x1affffe5,
-0x0ef3f3fd, 0x6dd2d2bf, 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3,
-0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e, 0x57c4c493, 0xf2a7a755,
-0x827e7efc, 0x473d3d7a, 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6,
-0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3, 0x66222244, 0x7e2a2a54,
-0xab90903b, 0x8388880b, 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428,
-0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad, 0x3be0e0db, 0x56323264,
-0x4e3a3a74, 0x1e0a0a14, 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8,
-0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4, 0xa8919139, 0xa4959531,
-0x37e4e4d3, 0x8b7979f2, 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda,
-0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949, 0xb46c6cd8, 0xfa5656ac,
-0x07f4f4f3, 0x25eaeacf, 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810,
-0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c, 0x241c1c38, 0xf1a6a657,
-0xc7b4b473, 0x51c6c697, 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e,
-0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f, 0x907070e0, 0x423e3e7c,
-0xc4b5b571, 0xaa6666cc, 0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c,
-0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969, 0x91868617, 0x58c1c199,
-0x271d1d3a, 0xb99e9e27, 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122,
-0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433, 0xb69b9b2d, 0x221e1e3c,
-0x92878715, 0x20e9e9c9, 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5,
-0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a, 0xdabfbf65, 0x31e6e6d7,
-0xc6424284, 0xb86868d0, 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e,
-0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c  
-};
-#else
-static const PRUint32 _T0[256] = 
-{
-0xc66363a5, 0xf87c7c84, 0xee777799, 0xf67b7b8d, 0xfff2f20d, 0xd66b6bbd,
-0xde6f6fb1, 0x91c5c554, 0x60303050, 0x02010103, 0xce6767a9, 0x562b2b7d,
-0xe7fefe19, 0xb5d7d762, 0x4dababe6, 0xec76769a, 0x8fcaca45, 0x1f82829d,
-0x89c9c940, 0xfa7d7d87, 0xeffafa15, 0xb25959eb, 0x8e4747c9, 0xfbf0f00b,
-0x41adadec, 0xb3d4d467, 0x5fa2a2fd, 0x45afafea, 0x239c9cbf, 0x53a4a4f7,
-0xe4727296, 0x9bc0c05b, 0x75b7b7c2, 0xe1fdfd1c, 0x3d9393ae, 0x4c26266a,
-0x6c36365a, 0x7e3f3f41, 0xf5f7f702, 0x83cccc4f, 0x6834345c, 0x51a5a5f4,
-0xd1e5e534, 0xf9f1f108, 0xe2717193, 0xabd8d873, 0x62313153, 0x2a15153f,
-0x0804040c, 0x95c7c752, 0x46232365, 0x9dc3c35e, 0x30181828, 0x379696a1,
-0x0a05050f, 0x2f9a9ab5, 0x0e070709, 0x24121236, 0x1b80809b, 0xdfe2e23d,
-0xcdebeb26, 0x4e272769, 0x7fb2b2cd, 0xea75759f, 0x1209091b, 0x1d83839e,
-0x582c2c74, 0x341a1a2e, 0x361b1b2d, 0xdc6e6eb2, 0xb45a5aee, 0x5ba0a0fb,
-0xa45252f6, 0x763b3b4d, 0xb7d6d661, 0x7db3b3ce, 0x5229297b, 0xdde3e33e,
-0x5e2f2f71, 0x13848497, 0xa65353f5, 0xb9d1d168, 0x00000000, 0xc1eded2c,
-0x40202060, 0xe3fcfc1f, 0x79b1b1c8, 0xb65b5bed, 0xd46a6abe, 0x8dcbcb46,
-0x67bebed9, 0x7239394b, 0x944a4ade, 0x984c4cd4, 0xb05858e8, 0x85cfcf4a,
-0xbbd0d06b, 0xc5efef2a, 0x4faaaae5, 0xedfbfb16, 0x864343c5, 0x9a4d4dd7,
-0x66333355, 0x11858594, 0x8a4545cf, 0xe9f9f910, 0x04020206, 0xfe7f7f81,
-0xa05050f0, 0x783c3c44, 0x259f9fba, 0x4ba8a8e3, 0xa25151f3, 0x5da3a3fe,
-0x804040c0, 0x058f8f8a, 0x3f9292ad, 0x219d9dbc, 0x70383848, 0xf1f5f504,
-0x63bcbcdf, 0x77b6b6c1, 0xafdada75, 0x42212163, 0x20101030, 0xe5ffff1a,
-0xfdf3f30e, 0xbfd2d26d, 0x81cdcd4c, 0x180c0c14, 0x26131335, 0xc3ecec2f,
-0xbe5f5fe1, 0x359797a2, 0x884444cc, 0x2e171739, 0x93c4c457, 0x55a7a7f2,
-0xfc7e7e82, 0x7a3d3d47, 0xc86464ac, 0xba5d5de7, 0x3219192b, 0xe6737395,
-0xc06060a0, 0x19818198, 0x9e4f4fd1, 0xa3dcdc7f, 0x44222266, 0x542a2a7e,
-0x3b9090ab, 0x0b888883, 0x8c4646ca, 0xc7eeee29, 0x6bb8b8d3, 0x2814143c,
-0xa7dede79, 0xbc5e5ee2, 0x160b0b1d, 0xaddbdb76, 0xdbe0e03b, 0x64323256,
-0x743a3a4e, 0x140a0a1e, 0x924949db, 0x0c06060a, 0x4824246c, 0xb85c5ce4,
-0x9fc2c25d, 0xbdd3d36e, 0x43acacef, 0xc46262a6, 0x399191a8, 0x319595a4,
-0xd3e4e437, 0xf279798b, 0xd5e7e732, 0x8bc8c843, 0x6e373759, 0xda6d6db7,
-0x018d8d8c, 0xb1d5d564, 0x9c4e4ed2, 0x49a9a9e0, 0xd86c6cb4, 0xac5656fa,
-0xf3f4f407, 0xcfeaea25, 0xca6565af, 0xf47a7a8e, 0x47aeaee9, 0x10080818,
-0x6fbabad5, 0xf0787888, 0x4a25256f, 0x5c2e2e72, 0x381c1c24, 0x57a6a6f1,
-0x73b4b4c7, 0x97c6c651, 0xcbe8e823, 0xa1dddd7c, 0xe874749c, 0x3e1f1f21,
-0x964b4bdd, 0x61bdbddc, 0x0d8b8b86, 0x0f8a8a85, 0xe0707090, 0x7c3e3e42,
-0x71b5b5c4, 0xcc6666aa, 0x904848d8, 0x06030305, 0xf7f6f601, 0x1c0e0e12,
-0xc26161a3, 0x6a35355f, 0xae5757f9, 0x69b9b9d0, 0x17868691, 0x99c1c158,
-0x3a1d1d27, 0x279e9eb9, 0xd9e1e138, 0xebf8f813, 0x2b9898b3, 0x22111133,
-0xd26969bb, 0xa9d9d970, 0x078e8e89, 0x339494a7, 0x2d9b9bb6, 0x3c1e1e22,
-0x15878792, 0xc9e9e920, 0x87cece49, 0xaa5555ff, 0x50282878, 0xa5dfdf7a,
-0x038c8c8f, 0x59a1a1f8, 0x09898980, 0x1a0d0d17, 0x65bfbfda, 0xd7e6e631,
-0x844242c6, 0xd06868b8, 0x824141c3, 0x299999b0, 0x5a2d2d77, 0x1e0f0f11,
-0x7bb0b0cb, 0xa85454fc, 0x6dbbbbd6, 0x2c16163a  
-};
-#endif
-
-#ifdef IS_LITTLE_ENDIAN
-static const PRUint32 _T1[256] = 
-{
-0x6363c6a5, 0x7c7cf884, 0x7777ee99, 0x7b7bf68d, 0xf2f2ff0d, 0x6b6bd6bd,
-0x6f6fdeb1, 0xc5c59154, 0x30306050, 0x01010203, 0x6767cea9, 0x2b2b567d,
-0xfefee719, 0xd7d7b562, 0xabab4de6, 0x7676ec9a, 0xcaca8f45, 0x82821f9d,
-0xc9c98940, 0x7d7dfa87, 0xfafaef15, 0x5959b2eb, 0x47478ec9, 0xf0f0fb0b,
-0xadad41ec, 0xd4d4b367, 0xa2a25ffd, 0xafaf45ea, 0x9c9c23bf, 0xa4a453f7,
-0x7272e496, 0xc0c09b5b, 0xb7b775c2, 0xfdfde11c, 0x93933dae, 0x26264c6a,
-0x36366c5a, 0x3f3f7e41, 0xf7f7f502, 0xcccc834f, 0x3434685c, 0xa5a551f4,
-0xe5e5d134, 0xf1f1f908, 0x7171e293, 0xd8d8ab73, 0x31316253, 0x15152a3f,
-0x0404080c, 0xc7c79552, 0x23234665, 0xc3c39d5e, 0x18183028, 0x969637a1,
-0x05050a0f, 0x9a9a2fb5, 0x07070e09, 0x12122436, 0x80801b9b, 0xe2e2df3d,
-0xebebcd26, 0x27274e69, 0xb2b27fcd, 0x7575ea9f, 0x0909121b, 0x83831d9e,
-0x2c2c5874, 0x1a1a342e, 0x1b1b362d, 0x6e6edcb2, 0x5a5ab4ee, 0xa0a05bfb,
-0x5252a4f6, 0x3b3b764d, 0xd6d6b761, 0xb3b37dce, 0x2929527b, 0xe3e3dd3e,
-0x2f2f5e71, 0x84841397, 0x5353a6f5, 0xd1d1b968, 0x00000000, 0xededc12c,
-0x20204060, 0xfcfce31f, 0xb1b179c8, 0x5b5bb6ed, 0x6a6ad4be, 0xcbcb8d46,
-0xbebe67d9, 0x3939724b, 0x4a4a94de, 0x4c4c98d4, 0x5858b0e8, 0xcfcf854a,
-0xd0d0bb6b, 0xefefc52a, 0xaaaa4fe5, 0xfbfbed16, 0x434386c5, 0x4d4d9ad7,
-0x33336655, 0x85851194, 0x45458acf, 0xf9f9e910, 0x02020406, 0x7f7ffe81,
-0x5050a0f0, 0x3c3c7844, 0x9f9f25ba, 0xa8a84be3, 0x5151a2f3, 0xa3a35dfe,
-0x404080c0, 0x8f8f058a, 0x92923fad, 0x9d9d21bc, 0x38387048, 0xf5f5f104,
-0xbcbc63df, 0xb6b677c1, 0xdadaaf75, 0x21214263, 0x10102030, 0xffffe51a,
-0xf3f3fd0e, 0xd2d2bf6d, 0xcdcd814c, 0x0c0c1814, 0x13132635, 0xececc32f,
-0x5f5fbee1, 0x979735a2, 0x444488cc, 0x17172e39, 0xc4c49357, 0xa7a755f2,
-0x7e7efc82, 0x3d3d7a47, 0x6464c8ac, 0x5d5dbae7, 0x1919322b, 0x7373e695,
-0x6060c0a0, 0x81811998, 0x4f4f9ed1, 0xdcdca37f, 0x22224466, 0x2a2a547e,
-0x90903bab, 0x88880b83, 0x46468cca, 0xeeeec729, 0xb8b86bd3, 0x1414283c,
-0xdedea779, 0x5e5ebce2, 0x0b0b161d, 0xdbdbad76, 0xe0e0db3b, 0x32326456,
-0x3a3a744e, 0x0a0a141e, 0x494992db, 0x06060c0a, 0x2424486c, 0x5c5cb8e4,
-0xc2c29f5d, 0xd3d3bd6e, 0xacac43ef, 0x6262c4a6, 0x919139a8, 0x959531a4,
-0xe4e4d337, 0x7979f28b, 0xe7e7d532, 0xc8c88b43, 0x37376e59, 0x6d6ddab7,
-0x8d8d018c, 0xd5d5b164, 0x4e4e9cd2, 0xa9a949e0, 0x6c6cd8b4, 0x5656acfa,
-0xf4f4f307, 0xeaeacf25, 0x6565caaf, 0x7a7af48e, 0xaeae47e9, 0x08081018,
-0xbaba6fd5, 0x7878f088, 0x25254a6f, 0x2e2e5c72, 0x1c1c3824, 0xa6a657f1,
-0xb4b473c7, 0xc6c69751, 0xe8e8cb23, 0xdddda17c, 0x7474e89c, 0x1f1f3e21,
-0x4b4b96dd, 0xbdbd61dc, 0x8b8b0d86, 0x8a8a0f85, 0x7070e090, 0x3e3e7c42,
-0xb5b571c4, 0x6666ccaa, 0x484890d8, 0x03030605, 0xf6f6f701, 0x0e0e1c12,
-0x6161c2a3, 0x35356a5f, 0x5757aef9, 0xb9b969d0, 0x86861791, 0xc1c19958,
-0x1d1d3a27, 0x9e9e27b9, 0xe1e1d938, 0xf8f8eb13, 0x98982bb3, 0x11112233,
-0x6969d2bb, 0xd9d9a970, 0x8e8e0789, 0x949433a7, 0x9b9b2db6, 0x1e1e3c22,
-0x87871592, 0xe9e9c920, 0xcece8749, 0x5555aaff, 0x28285078, 0xdfdfa57a,
-0x8c8c038f, 0xa1a159f8, 0x89890980, 0x0d0d1a17, 0xbfbf65da, 0xe6e6d731,
-0x424284c6, 0x6868d0b8, 0x414182c3, 0x999929b0, 0x2d2d5a77, 0x0f0f1e11,
-0xb0b07bcb, 0x5454a8fc, 0xbbbb6dd6, 0x16162c3a  
-};
-#else
-static const PRUint32 _T1[256] = 
-{
-0xa5c66363, 0x84f87c7c, 0x99ee7777, 0x8df67b7b, 0x0dfff2f2, 0xbdd66b6b,
-0xb1de6f6f, 0x5491c5c5, 0x50603030, 0x03020101, 0xa9ce6767, 0x7d562b2b,
-0x19e7fefe, 0x62b5d7d7, 0xe64dabab, 0x9aec7676, 0x458fcaca, 0x9d1f8282,
-0x4089c9c9, 0x87fa7d7d, 0x15effafa, 0xebb25959, 0xc98e4747, 0x0bfbf0f0,
-0xec41adad, 0x67b3d4d4, 0xfd5fa2a2, 0xea45afaf, 0xbf239c9c, 0xf753a4a4,
-0x96e47272, 0x5b9bc0c0, 0xc275b7b7, 0x1ce1fdfd, 0xae3d9393, 0x6a4c2626,
-0x5a6c3636, 0x417e3f3f, 0x02f5f7f7, 0x4f83cccc, 0x5c683434, 0xf451a5a5,
-0x34d1e5e5, 0x08f9f1f1, 0x93e27171, 0x73abd8d8, 0x53623131, 0x3f2a1515,
-0x0c080404, 0x5295c7c7, 0x65462323, 0x5e9dc3c3, 0x28301818, 0xa1379696,
-0x0f0a0505, 0xb52f9a9a, 0x090e0707, 0x36241212, 0x9b1b8080, 0x3ddfe2e2,
-0x26cdebeb, 0x694e2727, 0xcd7fb2b2, 0x9fea7575, 0x1b120909, 0x9e1d8383,
-0x74582c2c, 0x2e341a1a, 0x2d361b1b, 0xb2dc6e6e, 0xeeb45a5a, 0xfb5ba0a0,
-0xf6a45252, 0x4d763b3b, 0x61b7d6d6, 0xce7db3b3, 0x7b522929, 0x3edde3e3,
-0x715e2f2f, 0x97138484, 0xf5a65353, 0x68b9d1d1, 0x00000000, 0x2cc1eded,
-0x60402020, 0x1fe3fcfc, 0xc879b1b1, 0xedb65b5b, 0xbed46a6a, 0x468dcbcb,
-0xd967bebe, 0x4b723939, 0xde944a4a, 0xd4984c4c, 0xe8b05858, 0x4a85cfcf,
-0x6bbbd0d0, 0x2ac5efef, 0xe54faaaa, 0x16edfbfb, 0xc5864343, 0xd79a4d4d,
-0x55663333, 0x94118585, 0xcf8a4545, 0x10e9f9f9, 0x06040202, 0x81fe7f7f,
-0xf0a05050, 0x44783c3c, 0xba259f9f, 0xe34ba8a8, 0xf3a25151, 0xfe5da3a3,
-0xc0804040, 0x8a058f8f, 0xad3f9292, 0xbc219d9d, 0x48703838, 0x04f1f5f5,
-0xdf63bcbc, 0xc177b6b6, 0x75afdada, 0x63422121, 0x30201010, 0x1ae5ffff,
-0x0efdf3f3, 0x6dbfd2d2, 0x4c81cdcd, 0x14180c0c, 0x35261313, 0x2fc3ecec,
-0xe1be5f5f, 0xa2359797, 0xcc884444, 0x392e1717, 0x5793c4c4, 0xf255a7a7,
-0x82fc7e7e, 0x477a3d3d, 0xacc86464, 0xe7ba5d5d, 0x2b321919, 0x95e67373,
-0xa0c06060, 0x98198181, 0xd19e4f4f, 0x7fa3dcdc, 0x66442222, 0x7e542a2a,
-0xab3b9090, 0x830b8888, 0xca8c4646, 0x29c7eeee, 0xd36bb8b8, 0x3c281414,
-0x79a7dede, 0xe2bc5e5e, 0x1d160b0b, 0x76addbdb, 0x3bdbe0e0, 0x56643232,
-0x4e743a3a, 0x1e140a0a, 0xdb924949, 0x0a0c0606, 0x6c482424, 0xe4b85c5c,
-0x5d9fc2c2, 0x6ebdd3d3, 0xef43acac, 0xa6c46262, 0xa8399191, 0xa4319595,
-0x37d3e4e4, 0x8bf27979, 0x32d5e7e7, 0x438bc8c8, 0x596e3737, 0xb7da6d6d,
-0x8c018d8d, 0x64b1d5d5, 0xd29c4e4e, 0xe049a9a9, 0xb4d86c6c, 0xfaac5656,
-0x07f3f4f4, 0x25cfeaea, 0xafca6565, 0x8ef47a7a, 0xe947aeae, 0x18100808,
-0xd56fbaba, 0x88f07878, 0x6f4a2525, 0x725c2e2e, 0x24381c1c, 0xf157a6a6,
-0xc773b4b4, 0x5197c6c6, 0x23cbe8e8, 0x7ca1dddd, 0x9ce87474, 0x213e1f1f,
-0xdd964b4b, 0xdc61bdbd, 0x860d8b8b, 0x850f8a8a, 0x90e07070, 0x427c3e3e,
-0xc471b5b5, 0xaacc6666, 0xd8904848, 0x05060303, 0x01f7f6f6, 0x121c0e0e,
-0xa3c26161, 0x5f6a3535, 0xf9ae5757, 0xd069b9b9, 0x91178686, 0x5899c1c1,
-0x273a1d1d, 0xb9279e9e, 0x38d9e1e1, 0x13ebf8f8, 0xb32b9898, 0x33221111,
-0xbbd26969, 0x70a9d9d9, 0x89078e8e, 0xa7339494, 0xb62d9b9b, 0x223c1e1e,
-0x92158787, 0x20c9e9e9, 0x4987cece, 0xffaa5555, 0x78502828, 0x7aa5dfdf,
-0x8f038c8c, 0xf859a1a1, 0x80098989, 0x171a0d0d, 0xda65bfbf, 0x31d7e6e6,
-0xc6844242, 0xb8d06868, 0xc3824141, 0xb0299999, 0x775a2d2d, 0x111e0f0f,
-0xcb7bb0b0, 0xfca85454, 0xd66dbbbb, 0x3a2c1616  
-};
-#endif
-
-#ifdef IS_LITTLE_ENDIAN
-static const PRUint32 _T2[256] = 
-{
-0x63c6a563, 0x7cf8847c, 0x77ee9977, 0x7bf68d7b, 0xf2ff0df2, 0x6bd6bd6b,
-0x6fdeb16f, 0xc59154c5, 0x30605030, 0x01020301, 0x67cea967, 0x2b567d2b,
-0xfee719fe, 0xd7b562d7, 0xab4de6ab, 0x76ec9a76, 0xca8f45ca, 0x821f9d82,
-0xc98940c9, 0x7dfa877d, 0xfaef15fa, 0x59b2eb59, 0x478ec947, 0xf0fb0bf0,
-0xad41ecad, 0xd4b367d4, 0xa25ffda2, 0xaf45eaaf, 0x9c23bf9c, 0xa453f7a4,
-0x72e49672, 0xc09b5bc0, 0xb775c2b7, 0xfde11cfd, 0x933dae93, 0x264c6a26,
-0x366c5a36, 0x3f7e413f, 0xf7f502f7, 0xcc834fcc, 0x34685c34, 0xa551f4a5,
-0xe5d134e5, 0xf1f908f1, 0x71e29371, 0xd8ab73d8, 0x31625331, 0x152a3f15,
-0x04080c04, 0xc79552c7, 0x23466523, 0xc39d5ec3, 0x18302818, 0x9637a196,
-0x050a0f05, 0x9a2fb59a, 0x070e0907, 0x12243612, 0x801b9b80, 0xe2df3de2,
-0xebcd26eb, 0x274e6927, 0xb27fcdb2, 0x75ea9f75, 0x09121b09, 0x831d9e83,
-0x2c58742c, 0x1a342e1a, 0x1b362d1b, 0x6edcb26e, 0x5ab4ee5a, 0xa05bfba0,
-0x52a4f652, 0x3b764d3b, 0xd6b761d6, 0xb37dceb3, 0x29527b29, 0xe3dd3ee3,
-0x2f5e712f, 0x84139784, 0x53a6f553, 0xd1b968d1, 0x00000000, 0xedc12ced,
-0x20406020, 0xfce31ffc, 0xb179c8b1, 0x5bb6ed5b, 0x6ad4be6a, 0xcb8d46cb,
-0xbe67d9be, 0x39724b39, 0x4a94de4a, 0x4c98d44c, 0x58b0e858, 0xcf854acf,
-0xd0bb6bd0, 0xefc52aef, 0xaa4fe5aa, 0xfbed16fb, 0x4386c543, 0x4d9ad74d,
-0x33665533, 0x85119485, 0x458acf45, 0xf9e910f9, 0x02040602, 0x7ffe817f,
-0x50a0f050, 0x3c78443c, 0x9f25ba9f, 0xa84be3a8, 0x51a2f351, 0xa35dfea3,
-0x4080c040, 0x8f058a8f, 0x923fad92, 0x9d21bc9d, 0x38704838, 0xf5f104f5,
-0xbc63dfbc, 0xb677c1b6, 0xdaaf75da, 0x21426321, 0x10203010, 0xffe51aff,
-0xf3fd0ef3, 0xd2bf6dd2, 0xcd814ccd, 0x0c18140c, 0x13263513, 0xecc32fec,
-0x5fbee15f, 0x9735a297, 0x4488cc44, 0x172e3917, 0xc49357c4, 0xa755f2a7,
-0x7efc827e, 0x3d7a473d, 0x64c8ac64, 0x5dbae75d, 0x19322b19, 0x73e69573,
-0x60c0a060, 0x81199881, 0x4f9ed14f, 0xdca37fdc, 0x22446622, 0x2a547e2a,
-0x903bab90, 0x880b8388, 0x468cca46, 0xeec729ee, 0xb86bd3b8, 0x14283c14,
-0xdea779de, 0x5ebce25e, 0x0b161d0b, 0xdbad76db, 0xe0db3be0, 0x32645632,
-0x3a744e3a, 0x0a141e0a, 0x4992db49, 0x060c0a06, 0x24486c24, 0x5cb8e45c,
-0xc29f5dc2, 0xd3bd6ed3, 0xac43efac, 0x62c4a662, 0x9139a891, 0x9531a495,
-0xe4d337e4, 0x79f28b79, 0xe7d532e7, 0xc88b43c8, 0x376e5937, 0x6ddab76d,
-0x8d018c8d, 0xd5b164d5, 0x4e9cd24e, 0xa949e0a9, 0x6cd8b46c, 0x56acfa56,
-0xf4f307f4, 0xeacf25ea, 0x65caaf65, 0x7af48e7a, 0xae47e9ae, 0x08101808,
-0xba6fd5ba, 0x78f08878, 0x254a6f25, 0x2e5c722e, 0x1c38241c, 0xa657f1a6,
-0xb473c7b4, 0xc69751c6, 0xe8cb23e8, 0xdda17cdd, 0x74e89c74, 0x1f3e211f,
-0x4b96dd4b, 0xbd61dcbd, 0x8b0d868b, 0x8a0f858a, 0x70e09070, 0x3e7c423e,
-0xb571c4b5, 0x66ccaa66, 0x4890d848, 0x03060503, 0xf6f701f6, 0x0e1c120e,
-0x61c2a361, 0x356a5f35, 0x57aef957, 0xb969d0b9, 0x86179186, 0xc19958c1,
-0x1d3a271d, 0x9e27b99e, 0xe1d938e1, 0xf8eb13f8, 0x982bb398, 0x11223311,
-0x69d2bb69, 0xd9a970d9, 0x8e07898e, 0x9433a794, 0x9b2db69b, 0x1e3c221e,
-0x87159287, 0xe9c920e9, 0xce8749ce, 0x55aaff55, 0x28507828, 0xdfa57adf,
-0x8c038f8c, 0xa159f8a1, 0x89098089, 0x0d1a170d, 0xbf65dabf, 0xe6d731e6,
-0x4284c642, 0x68d0b868, 0x4182c341, 0x9929b099, 0x2d5a772d, 0x0f1e110f,
-0xb07bcbb0, 0x54a8fc54, 0xbb6dd6bb, 0x162c3a16  
-};
-#else
-static const PRUint32 _T2[256] = 
-{
-0x63a5c663, 0x7c84f87c, 0x7799ee77, 0x7b8df67b, 0xf20dfff2, 0x6bbdd66b,
-0x6fb1de6f, 0xc55491c5, 0x30506030, 0x01030201, 0x67a9ce67, 0x2b7d562b,
-0xfe19e7fe, 0xd762b5d7, 0xabe64dab, 0x769aec76, 0xca458fca, 0x829d1f82,
-0xc94089c9, 0x7d87fa7d, 0xfa15effa, 0x59ebb259, 0x47c98e47, 0xf00bfbf0,
-0xadec41ad, 0xd467b3d4, 0xa2fd5fa2, 0xafea45af, 0x9cbf239c, 0xa4f753a4,
-0x7296e472, 0xc05b9bc0, 0xb7c275b7, 0xfd1ce1fd, 0x93ae3d93, 0x266a4c26,
-0x365a6c36, 0x3f417e3f, 0xf702f5f7, 0xcc4f83cc, 0x345c6834, 0xa5f451a5,
-0xe534d1e5, 0xf108f9f1, 0x7193e271, 0xd873abd8, 0x31536231, 0x153f2a15,
-0x040c0804, 0xc75295c7, 0x23654623, 0xc35e9dc3, 0x18283018, 0x96a13796,
-0x050f0a05, 0x9ab52f9a, 0x07090e07, 0x12362412, 0x809b1b80, 0xe23ddfe2,
-0xeb26cdeb, 0x27694e27, 0xb2cd7fb2, 0x759fea75, 0x091b1209, 0x839e1d83,
-0x2c74582c, 0x1a2e341a, 0x1b2d361b, 0x6eb2dc6e, 0x5aeeb45a, 0xa0fb5ba0,
-0x52f6a452, 0x3b4d763b, 0xd661b7d6, 0xb3ce7db3, 0x297b5229, 0xe33edde3,
-0x2f715e2f, 0x84971384, 0x53f5a653, 0xd168b9d1, 0x00000000, 0xed2cc1ed,
-0x20604020, 0xfc1fe3fc, 0xb1c879b1, 0x5bedb65b, 0x6abed46a, 0xcb468dcb,
-0xbed967be, 0x394b7239, 0x4ade944a, 0x4cd4984c, 0x58e8b058, 0xcf4a85cf,
-0xd06bbbd0, 0xef2ac5ef, 0xaae54faa, 0xfb16edfb, 0x43c58643, 0x4dd79a4d,
-0x33556633, 0x85941185, 0x45cf8a45, 0xf910e9f9, 0x02060402, 0x7f81fe7f,
-0x50f0a050, 0x3c44783c, 0x9fba259f, 0xa8e34ba8, 0x51f3a251, 0xa3fe5da3,
-0x40c08040, 0x8f8a058f, 0x92ad3f92, 0x9dbc219d, 0x38487038, 0xf504f1f5,
-0xbcdf63bc, 0xb6c177b6, 0xda75afda, 0x21634221, 0x10302010, 0xff1ae5ff,
-0xf30efdf3, 0xd26dbfd2, 0xcd4c81cd, 0x0c14180c, 0x13352613, 0xec2fc3ec,
-0x5fe1be5f, 0x97a23597, 0x44cc8844, 0x17392e17, 0xc45793c4, 0xa7f255a7,
-0x7e82fc7e, 0x3d477a3d, 0x64acc864, 0x5de7ba5d, 0x192b3219, 0x7395e673,
-0x60a0c060, 0x81981981, 0x4fd19e4f, 0xdc7fa3dc, 0x22664422, 0x2a7e542a,
-0x90ab3b90, 0x88830b88, 0x46ca8c46, 0xee29c7ee, 0xb8d36bb8, 0x143c2814,
-0xde79a7de, 0x5ee2bc5e, 0x0b1d160b, 0xdb76addb, 0xe03bdbe0, 0x32566432,
-0x3a4e743a, 0x0a1e140a, 0x49db9249, 0x060a0c06, 0x246c4824, 0x5ce4b85c,
-0xc25d9fc2, 0xd36ebdd3, 0xacef43ac, 0x62a6c462, 0x91a83991, 0x95a43195,
-0xe437d3e4, 0x798bf279, 0xe732d5e7, 0xc8438bc8, 0x37596e37, 0x6db7da6d,
-0x8d8c018d, 0xd564b1d5, 0x4ed29c4e, 0xa9e049a9, 0x6cb4d86c, 0x56faac56,
-0xf407f3f4, 0xea25cfea, 0x65afca65, 0x7a8ef47a, 0xaee947ae, 0x08181008,
-0xbad56fba, 0x7888f078, 0x256f4a25, 0x2e725c2e, 0x1c24381c, 0xa6f157a6,
-0xb4c773b4, 0xc65197c6, 0xe823cbe8, 0xdd7ca1dd, 0x749ce874, 0x1f213e1f,
-0x4bdd964b, 0xbddc61bd, 0x8b860d8b, 0x8a850f8a, 0x7090e070, 0x3e427c3e,
-0xb5c471b5, 0x66aacc66, 0x48d89048, 0x03050603, 0xf601f7f6, 0x0e121c0e,
-0x61a3c261, 0x355f6a35, 0x57f9ae57, 0xb9d069b9, 0x86911786, 0xc15899c1,
-0x1d273a1d, 0x9eb9279e, 0xe138d9e1, 0xf813ebf8, 0x98b32b98, 0x11332211,
-0x69bbd269, 0xd970a9d9, 0x8e89078e, 0x94a73394, 0x9bb62d9b, 0x1e223c1e,
-0x87921587, 0xe920c9e9, 0xce4987ce, 0x55ffaa55, 0x28785028, 0xdf7aa5df,
-0x8c8f038c, 0xa1f859a1, 0x89800989, 0x0d171a0d, 0xbfda65bf, 0xe631d7e6,
-0x42c68442, 0x68b8d068, 0x41c38241, 0x99b02999, 0x2d775a2d, 0x0f111e0f,
-0xb0cb7bb0, 0x54fca854, 0xbbd66dbb, 0x163a2c16  
-};
-#endif
-
-#ifdef IS_LITTLE_ENDIAN
-static const PRUint32 _T3[256] = 
-{
-0xc6a56363, 0xf8847c7c, 0xee997777, 0xf68d7b7b, 0xff0df2f2, 0xd6bd6b6b,
-0xdeb16f6f, 0x9154c5c5, 0x60503030, 0x02030101, 0xcea96767, 0x567d2b2b,
-0xe719fefe, 0xb562d7d7, 0x4de6abab, 0xec9a7676, 0x8f45caca, 0x1f9d8282,
-0x8940c9c9, 0xfa877d7d, 0xef15fafa, 0xb2eb5959, 0x8ec94747, 0xfb0bf0f0,
-0x41ecadad, 0xb367d4d4, 0x5ffda2a2, 0x45eaafaf, 0x23bf9c9c, 0x53f7a4a4,
-0xe4967272, 0x9b5bc0c0, 0x75c2b7b7, 0xe11cfdfd, 0x3dae9393, 0x4c6a2626,
-0x6c5a3636, 0x7e413f3f, 0xf502f7f7, 0x834fcccc, 0x685c3434, 0x51f4a5a5,
-0xd134e5e5, 0xf908f1f1, 0xe2937171, 0xab73d8d8, 0x62533131, 0x2a3f1515,
-0x080c0404, 0x9552c7c7, 0x46652323, 0x9d5ec3c3, 0x30281818, 0x37a19696,
-0x0a0f0505, 0x2fb59a9a, 0x0e090707, 0x24361212, 0x1b9b8080, 0xdf3de2e2,
-0xcd26ebeb, 0x4e692727, 0x7fcdb2b2, 0xea9f7575, 0x121b0909, 0x1d9e8383,
-0x58742c2c, 0x342e1a1a, 0x362d1b1b, 0xdcb26e6e, 0xb4ee5a5a, 0x5bfba0a0,
-0xa4f65252, 0x764d3b3b, 0xb761d6d6, 0x7dceb3b3, 0x527b2929, 0xdd3ee3e3,
-0x5e712f2f, 0x13978484, 0xa6f55353, 0xb968d1d1, 0x00000000, 0xc12ceded,
-0x40602020, 0xe31ffcfc, 0x79c8b1b1, 0xb6ed5b5b, 0xd4be6a6a, 0x8d46cbcb,
-0x67d9bebe, 0x724b3939, 0x94de4a4a, 0x98d44c4c, 0xb0e85858, 0x854acfcf,
-0xbb6bd0d0, 0xc52aefef, 0x4fe5aaaa, 0xed16fbfb, 0x86c54343, 0x9ad74d4d,
-0x66553333, 0x11948585, 0x8acf4545, 0xe910f9f9, 0x04060202, 0xfe817f7f,
-0xa0f05050, 0x78443c3c, 0x25ba9f9f, 0x4be3a8a8, 0xa2f35151, 0x5dfea3a3,
-0x80c04040, 0x058a8f8f, 0x3fad9292, 0x21bc9d9d, 0x70483838, 0xf104f5f5,
-0x63dfbcbc, 0x77c1b6b6, 0xaf75dada, 0x42632121, 0x20301010, 0xe51affff,
-0xfd0ef3f3, 0xbf6dd2d2, 0x814ccdcd, 0x18140c0c, 0x26351313, 0xc32fecec,
-0xbee15f5f, 0x35a29797, 0x88cc4444, 0x2e391717, 0x9357c4c4, 0x55f2a7a7,
-0xfc827e7e, 0x7a473d3d, 0xc8ac6464, 0xbae75d5d, 0x322b1919, 0xe6957373,
-0xc0a06060, 0x19988181, 0x9ed14f4f, 0xa37fdcdc, 0x44662222, 0x547e2a2a,
-0x3bab9090, 0x0b838888, 0x8cca4646, 0xc729eeee, 0x6bd3b8b8, 0x283c1414,
-0xa779dede, 0xbce25e5e, 0x161d0b0b, 0xad76dbdb, 0xdb3be0e0, 0x64563232,
-0x744e3a3a, 0x141e0a0a, 0x92db4949, 0x0c0a0606, 0x486c2424, 0xb8e45c5c,
-0x9f5dc2c2, 0xbd6ed3d3, 0x43efacac, 0xc4a66262, 0x39a89191, 0x31a49595,
-0xd337e4e4, 0xf28b7979, 0xd532e7e7, 0x8b43c8c8, 0x6e593737, 0xdab76d6d,
-0x018c8d8d, 0xb164d5d5, 0x9cd24e4e, 0x49e0a9a9, 0xd8b46c6c, 0xacfa5656,
-0xf307f4f4, 0xcf25eaea, 0xcaaf6565, 0xf48e7a7a, 0x47e9aeae, 0x10180808,
-0x6fd5baba, 0xf0887878, 0x4a6f2525, 0x5c722e2e, 0x38241c1c, 0x57f1a6a6,
-0x73c7b4b4, 0x9751c6c6, 0xcb23e8e8, 0xa17cdddd, 0xe89c7474, 0x3e211f1f,
-0x96dd4b4b, 0x61dcbdbd, 0x0d868b8b, 0x0f858a8a, 0xe0907070, 0x7c423e3e,
-0x71c4b5b5, 0xccaa6666, 0x90d84848, 0x06050303, 0xf701f6f6, 0x1c120e0e,
-0xc2a36161, 0x6a5f3535, 0xaef95757, 0x69d0b9b9, 0x17918686, 0x9958c1c1,
-0x3a271d1d, 0x27b99e9e, 0xd938e1e1, 0xeb13f8f8, 0x2bb39898, 0x22331111,
-0xd2bb6969, 0xa970d9d9, 0x07898e8e, 0x33a79494, 0x2db69b9b, 0x3c221e1e,
-0x15928787, 0xc920e9e9, 0x8749cece, 0xaaff5555, 0x50782828, 0xa57adfdf,
-0x038f8c8c, 0x59f8a1a1, 0x09808989, 0x1a170d0d, 0x65dabfbf, 0xd731e6e6,
-0x84c64242, 0xd0b86868, 0x82c34141, 0x29b09999, 0x5a772d2d, 0x1e110f0f,
-0x7bcbb0b0, 0xa8fc5454, 0x6dd6bbbb, 0x2c3a1616  
-};
-#else
-static const PRUint32 _T3[256] = 
-{
-0x6363a5c6, 0x7c7c84f8, 0x777799ee, 0x7b7b8df6, 0xf2f20dff, 0x6b6bbdd6,
-0x6f6fb1de, 0xc5c55491, 0x30305060, 0x01010302, 0x6767a9ce, 0x2b2b7d56,
-0xfefe19e7, 0xd7d762b5, 0xababe64d, 0x76769aec, 0xcaca458f, 0x82829d1f,
-0xc9c94089, 0x7d7d87fa, 0xfafa15ef, 0x5959ebb2, 0x4747c98e, 0xf0f00bfb,
-0xadadec41, 0xd4d467b3, 0xa2a2fd5f, 0xafafea45, 0x9c9cbf23, 0xa4a4f753,
-0x727296e4, 0xc0c05b9b, 0xb7b7c275, 0xfdfd1ce1, 0x9393ae3d, 0x26266a4c,
-0x36365a6c, 0x3f3f417e, 0xf7f702f5, 0xcccc4f83, 0x34345c68, 0xa5a5f451,
-0xe5e534d1, 0xf1f108f9, 0x717193e2, 0xd8d873ab, 0x31315362, 0x15153f2a,
-0x04040c08, 0xc7c75295, 0x23236546, 0xc3c35e9d, 0x18182830, 0x9696a137,
-0x05050f0a, 0x9a9ab52f, 0x0707090e, 0x12123624, 0x80809b1b, 0xe2e23ddf,
-0xebeb26cd, 0x2727694e, 0xb2b2cd7f, 0x75759fea, 0x09091b12, 0x83839e1d,
-0x2c2c7458, 0x1a1a2e34, 0x1b1b2d36, 0x6e6eb2dc, 0x5a5aeeb4, 0xa0a0fb5b,
-0x5252f6a4, 0x3b3b4d76, 0xd6d661b7, 0xb3b3ce7d, 0x29297b52, 0xe3e33edd,
-0x2f2f715e, 0x84849713, 0x5353f5a6, 0xd1d168b9, 0x00000000, 0xeded2cc1,
-0x20206040, 0xfcfc1fe3, 0xb1b1c879, 0x5b5bedb6, 0x6a6abed4, 0xcbcb468d,
-0xbebed967, 0x39394b72, 0x4a4ade94, 0x4c4cd498, 0x5858e8b0, 0xcfcf4a85,
-0xd0d06bbb, 0xefef2ac5, 0xaaaae54f, 0xfbfb16ed, 0x4343c586, 0x4d4dd79a,
-0x33335566, 0x85859411, 0x4545cf8a, 0xf9f910e9, 0x02020604, 0x7f7f81fe,
-0x5050f0a0, 0x3c3c4478, 0x9f9fba25, 0xa8a8e34b, 0x5151f3a2, 0xa3a3fe5d,
-0x4040c080, 0x8f8f8a05, 0x9292ad3f, 0x9d9dbc21, 0x38384870, 0xf5f504f1,
-0xbcbcdf63, 0xb6b6c177, 0xdada75af, 0x21216342, 0x10103020, 0xffff1ae5,
-0xf3f30efd, 0xd2d26dbf, 0xcdcd4c81, 0x0c0c1418, 0x13133526, 0xecec2fc3,
-0x5f5fe1be, 0x9797a235, 0x4444cc88, 0x1717392e, 0xc4c45793, 0xa7a7f255,
-0x7e7e82fc, 0x3d3d477a, 0x6464acc8, 0x5d5de7ba, 0x19192b32, 0x737395e6,
-0x6060a0c0, 0x81819819, 0x4f4fd19e, 0xdcdc7fa3, 0x22226644, 0x2a2a7e54,
-0x9090ab3b, 0x8888830b, 0x4646ca8c, 0xeeee29c7, 0xb8b8d36b, 0x14143c28,
-0xdede79a7, 0x5e5ee2bc, 0x0b0b1d16, 0xdbdb76ad, 0xe0e03bdb, 0x32325664,
-0x3a3a4e74, 0x0a0a1e14, 0x4949db92, 0x06060a0c, 0x24246c48, 0x5c5ce4b8,
-0xc2c25d9f, 0xd3d36ebd, 0xacacef43, 0x6262a6c4, 0x9191a839, 0x9595a431,
-0xe4e437d3, 0x79798bf2, 0xe7e732d5, 0xc8c8438b, 0x3737596e, 0x6d6db7da,
-0x8d8d8c01, 0xd5d564b1, 0x4e4ed29c, 0xa9a9e049, 0x6c6cb4d8, 0x5656faac,
-0xf4f407f3, 0xeaea25cf, 0x6565afca, 0x7a7a8ef4, 0xaeaee947, 0x08081810,
-0xbabad56f, 0x787888f0, 0x25256f4a, 0x2e2e725c, 0x1c1c2438, 0xa6a6f157,
-0xb4b4c773, 0xc6c65197, 0xe8e823cb, 0xdddd7ca1, 0x74749ce8, 0x1f1f213e,
-0x4b4bdd96, 0xbdbddc61, 0x8b8b860d, 0x8a8a850f, 0x707090e0, 0x3e3e427c,
-0xb5b5c471, 0x6666aacc, 0x4848d890, 0x03030506, 0xf6f601f7, 0x0e0e121c,
-0x6161a3c2, 0x35355f6a, 0x5757f9ae, 0xb9b9d069, 0x86869117, 0xc1c15899,
-0x1d1d273a, 0x9e9eb927, 0xe1e138d9, 0xf8f813eb, 0x9898b32b, 0x11113322,
-0x6969bbd2, 0xd9d970a9, 0x8e8e8907, 0x9494a733, 0x9b9bb62d, 0x1e1e223c,
-0x87879215, 0xe9e920c9, 0xcece4987, 0x5555ffaa, 0x28287850, 0xdfdf7aa5,
-0x8c8c8f03, 0xa1a1f859, 0x89898009, 0x0d0d171a, 0xbfbfda65, 0xe6e631d7,
-0x4242c684, 0x6868b8d0, 0x4141c382, 0x9999b029, 0x2d2d775a, 0x0f0f111e,
-0xb0b0cb7b, 0x5454fca8, 0xbbbbd66d, 0x16163a2c  
-};
-#endif
-
-#ifdef IS_LITTLE_ENDIAN
-static const PRUint32 _TInv0[256] = 
-{
-0x50a7f451, 0x5365417e, 0xc3a4171a, 0x965e273a, 0xcb6bab3b, 0xf1459d1f,
-0xab58faac, 0x9303e34b, 0x55fa3020, 0xf66d76ad, 0x9176cc88, 0x254c02f5,
-0xfcd7e54f, 0xd7cb2ac5, 0x80443526, 0x8fa362b5, 0x495ab1de, 0x671bba25,
-0x980eea45, 0xe1c0fe5d, 0x02752fc3, 0x12f04c81, 0xa397468d, 0xc6f9d36b,
-0xe75f8f03, 0x959c9215, 0xeb7a6dbf, 0xda595295, 0x2d83bed4, 0xd3217458,
-0x2969e049, 0x44c8c98e, 0x6a89c275, 0x78798ef4, 0x6b3e5899, 0xdd71b927,
-0xb64fe1be, 0x17ad88f0, 0x66ac20c9, 0xb43ace7d, 0x184adf63, 0x82311ae5,
-0x60335197, 0x457f5362, 0xe07764b1, 0x84ae6bbb, 0x1ca081fe, 0x942b08f9,
-0x58684870, 0x19fd458f, 0x876cde94, 0xb7f87b52, 0x23d373ab, 0xe2024b72,
-0x578f1fe3, 0x2aab5566, 0x0728ebb2, 0x03c2b52f, 0x9a7bc586, 0xa50837d3,
-0xf2872830, 0xb2a5bf23, 0xba6a0302, 0x5c8216ed, 0x2b1ccf8a, 0x92b479a7,
-0xf0f207f3, 0xa1e2694e, 0xcdf4da65, 0xd5be0506, 0x1f6234d1, 0x8afea6c4,
-0x9d532e34, 0xa055f3a2, 0x32e18a05, 0x75ebf6a4, 0x39ec830b, 0xaaef6040,
-0x069f715e, 0x51106ebd, 0xf98a213e, 0x3d06dd96, 0xae053edd, 0x46bde64d,
-0xb58d5491, 0x055dc471, 0x6fd40604, 0xff155060, 0x24fb9819, 0x97e9bdd6,
-0xcc434089, 0x779ed967, 0xbd42e8b0, 0x888b8907, 0x385b19e7, 0xdbeec879,
-0x470a7ca1, 0xe90f427c, 0xc91e84f8, 0x00000000, 0x83868009, 0x48ed2b32,
-0xac70111e, 0x4e725a6c, 0xfbff0efd, 0x5638850f, 0x1ed5ae3d, 0x27392d36,
-0x64d90f0a, 0x21a65c68, 0xd1545b9b, 0x3a2e3624, 0xb1670a0c, 0x0fe75793,
-0xd296eeb4, 0x9e919b1b, 0x4fc5c080, 0xa220dc61, 0x694b775a, 0x161a121c,
-0x0aba93e2, 0xe52aa0c0, 0x43e0223c, 0x1d171b12, 0x0b0d090e, 0xadc78bf2,
-0xb9a8b62d, 0xc8a91e14, 0x8519f157, 0x4c0775af, 0xbbdd99ee, 0xfd607fa3,
-0x9f2601f7, 0xbcf5725c, 0xc53b6644, 0x347efb5b, 0x7629438b, 0xdcc623cb,
-0x68fcedb6, 0x63f1e4b8, 0xcadc31d7, 0x10856342, 0x40229713, 0x2011c684,
-0x7d244a85, 0xf83dbbd2, 0x1132f9ae, 0x6da129c7, 0x4b2f9e1d, 0xf330b2dc,
-0xec52860d, 0xd0e3c177, 0x6c16b32b, 0x99b970a9, 0xfa489411, 0x2264e947,
-0xc48cfca8, 0x1a3ff0a0, 0xd82c7d56, 0xef903322, 0xc74e4987, 0xc1d138d9,
-0xfea2ca8c, 0x360bd498, 0xcf81f5a6, 0x28de7aa5, 0x268eb7da, 0xa4bfad3f,
-0xe49d3a2c, 0x0d927850, 0x9bcc5f6a, 0x62467e54, 0xc2138df6, 0xe8b8d890,
-0x5ef7392e, 0xf5afc382, 0xbe805d9f, 0x7c93d069, 0xa92dd56f, 0xb31225cf,
-0x3b99acc8, 0xa77d1810, 0x6e639ce8, 0x7bbb3bdb, 0x097826cd, 0xf418596e,
-0x01b79aec, 0xa89a4f83, 0x656e95e6, 0x7ee6ffaa, 0x08cfbc21, 0xe6e815ef,
-0xd99be7ba, 0xce366f4a, 0xd4099fea, 0xd67cb029, 0xafb2a431, 0x31233f2a,
-0x3094a5c6, 0xc066a235, 0x37bc4e74, 0xa6ca82fc, 0xb0d090e0, 0x15d8a733,
-0x4a9804f1, 0xf7daec41, 0x0e50cd7f, 0x2ff69117, 0x8dd64d76, 0x4db0ef43,
-0x544daacc, 0xdf0496e4, 0xe3b5d19e, 0x1b886a4c, 0xb81f2cc1, 0x7f516546,
-0x04ea5e9d, 0x5d358c01, 0x737487fa, 0x2e410bfb, 0x5a1d67b3, 0x52d2db92,
-0x335610e9, 0x1347d66d, 0x8c61d79a, 0x7a0ca137, 0x8e14f859, 0x893c13eb,
-0xee27a9ce, 0x35c961b7, 0xede51ce1, 0x3cb1477a, 0x59dfd29c, 0x3f73f255,
-0x79ce1418, 0xbf37c773, 0xeacdf753, 0x5baafd5f, 0x146f3ddf, 0x86db4478,
-0x81f3afca, 0x3ec468b9, 0x2c342438, 0x5f40a3c2, 0x72c31d16, 0x0c25e2bc,
-0x8b493c28, 0x41950dff, 0x7101a839, 0xdeb30c08, 0x9ce4b4d8, 0x90c15664,
-0x6184cb7b, 0x70b632d5, 0x745c6c48, 0x4257b8d0  
-};
-#else
-static const PRUint32 _TInv0[256] = 
-{
-0x51f4a750, 0x7e416553, 0x1a17a4c3, 0x3a275e96, 0x3bab6bcb, 0x1f9d45f1,
-0xacfa58ab, 0x4be30393, 0x2030fa55, 0xad766df6, 0x88cc7691, 0xf5024c25,
-0x4fe5d7fc, 0xc52acbd7, 0x26354480, 0xb562a38f, 0xdeb15a49, 0x25ba1b67,
-0x45ea0e98, 0x5dfec0e1, 0xc32f7502, 0x814cf012, 0x8d4697a3, 0x6bd3f9c6,
-0x038f5fe7, 0x15929c95, 0xbf6d7aeb, 0x955259da, 0xd4be832d, 0x587421d3,
-0x49e06929, 0x8ec9c844, 0x75c2896a, 0xf48e7978, 0x99583e6b, 0x27b971dd,
-0xbee14fb6, 0xf088ad17, 0xc920ac66, 0x7dce3ab4, 0x63df4a18, 0xe51a3182,
-0x97513360, 0x62537f45, 0xb16477e0, 0xbb6bae84, 0xfe81a01c, 0xf9082b94,
-0x70486858, 0x8f45fd19, 0x94de6c87, 0x527bf8b7, 0xab73d323, 0x724b02e2,
-0xe31f8f57, 0x6655ab2a, 0xb2eb2807, 0x2fb5c203, 0x86c57b9a, 0xd33708a5,
-0x302887f2, 0x23bfa5b2, 0x02036aba, 0xed16825c, 0x8acf1c2b, 0xa779b492,
-0xf307f2f0, 0x4e69e2a1, 0x65daf4cd, 0x0605bed5, 0xd134621f, 0xc4a6fe8a,
-0x342e539d, 0xa2f355a0, 0x058ae132, 0xa4f6eb75, 0x0b83ec39, 0x4060efaa,
-0x5e719f06, 0xbd6e1051, 0x3e218af9, 0x96dd063d, 0xdd3e05ae, 0x4de6bd46,
-0x91548db5, 0x71c45d05, 0x0406d46f, 0x605015ff, 0x1998fb24, 0xd6bde997,
-0x894043cc, 0x67d99e77, 0xb0e842bd, 0x07898b88, 0xe7195b38, 0x79c8eedb,
-0xa17c0a47, 0x7c420fe9, 0xf8841ec9, 0x00000000, 0x09808683, 0x322bed48,
-0x1e1170ac, 0x6c5a724e, 0xfd0efffb, 0x0f853856, 0x3daed51e, 0x362d3927,
-0x0a0fd964, 0x685ca621, 0x9b5b54d1, 0x24362e3a, 0x0c0a67b1, 0x9357e70f,
-0xb4ee96d2, 0x1b9b919e, 0x80c0c54f, 0x61dc20a2, 0x5a774b69, 0x1c121a16,
-0xe293ba0a, 0xc0a02ae5, 0x3c22e043, 0x121b171d, 0x0e090d0b, 0xf28bc7ad,
-0x2db6a8b9, 0x141ea9c8, 0x57f11985, 0xaf75074c, 0xee99ddbb, 0xa37f60fd,
-0xf701269f, 0x5c72f5bc, 0x44663bc5, 0x5bfb7e34, 0x8b432976, 0xcb23c6dc,
-0xb6edfc68, 0xb8e4f163, 0xd731dcca, 0x42638510, 0x13972240, 0x84c61120,
-0x854a247d, 0xd2bb3df8, 0xaef93211, 0xc729a16d, 0x1d9e2f4b, 0xdcb230f3,
-0x0d8652ec, 0x77c1e3d0, 0x2bb3166c, 0xa970b999, 0x119448fa, 0x47e96422,
-0xa8fc8cc4, 0xa0f03f1a, 0x567d2cd8, 0x223390ef, 0x87494ec7, 0xd938d1c1,
-0x8ccaa2fe, 0x98d40b36, 0xa6f581cf, 0xa57ade28, 0xdab78e26, 0x3fadbfa4,
-0x2c3a9de4, 0x5078920d, 0x6a5fcc9b, 0x547e4662, 0xf68d13c2, 0x90d8b8e8,
-0x2e39f75e, 0x82c3aff5, 0x9f5d80be, 0x69d0937c, 0x6fd52da9, 0xcf2512b3,
-0xc8ac993b, 0x10187da7, 0xe89c636e, 0xdb3bbb7b, 0xcd267809, 0x6e5918f4,
-0xec9ab701, 0x834f9aa8, 0xe6956e65, 0xaaffe67e, 0x21bccf08, 0xef15e8e6,
-0xbae79bd9, 0x4a6f36ce, 0xea9f09d4, 0x29b07cd6, 0x31a4b2af, 0x2a3f2331,
-0xc6a59430, 0x35a266c0, 0x744ebc37, 0xfc82caa6, 0xe090d0b0, 0x33a7d815,
-0xf104984a, 0x41ecdaf7, 0x7fcd500e, 0x1791f62f, 0x764dd68d, 0x43efb04d,
-0xccaa4d54, 0xe49604df, 0x9ed1b5e3, 0x4c6a881b, 0xc12c1fb8, 0x4665517f,
-0x9d5eea04, 0x018c355d, 0xfa877473, 0xfb0b412e, 0xb3671d5a, 0x92dbd252,
-0xe9105633, 0x6dd64713, 0x9ad7618c, 0x37a10c7a, 0x59f8148e, 0xeb133c89,
-0xcea927ee, 0xb761c935, 0xe11ce5ed, 0x7a47b13c, 0x9cd2df59, 0x55f2733f,
-0x1814ce79, 0x73c737bf, 0x53f7cdea, 0x5ffdaa5b, 0xdf3d6f14, 0x7844db86,
-0xcaaff381, 0xb968c43e, 0x3824342c, 0xc2a3405f, 0x161dc372, 0xbce2250c,
-0x283c498b, 0xff0d9541, 0x39a80171, 0x080cb3de, 0xd8b4e49c, 0x6456c190,
-0x7bcb8461, 0xd532b670, 0x486c5c74, 0xd0b85742  
-};
-#endif
-
-#ifdef IS_LITTLE_ENDIAN
-static const PRUint32 _TInv1[256] = 
-{
-0xa7f45150, 0x65417e53, 0xa4171ac3, 0x5e273a96, 0x6bab3bcb, 0x459d1ff1,
-0x58faacab, 0x03e34b93, 0xfa302055, 0x6d76adf6, 0x76cc8891, 0x4c02f525,
-0xd7e54ffc, 0xcb2ac5d7, 0x44352680, 0xa362b58f, 0x5ab1de49, 0x1bba2567,
-0x0eea4598, 0xc0fe5de1, 0x752fc302, 0xf04c8112, 0x97468da3, 0xf9d36bc6,
-0x5f8f03e7, 0x9c921595, 0x7a6dbfeb, 0x595295da, 0x83bed42d, 0x217458d3,
-0x69e04929, 0xc8c98e44, 0x89c2756a, 0x798ef478, 0x3e58996b, 0x71b927dd,
-0x4fe1beb6, 0xad88f017, 0xac20c966, 0x3ace7db4, 0x4adf6318, 0x311ae582,
-0x33519760, 0x7f536245, 0x7764b1e0, 0xae6bbb84, 0xa081fe1c, 0x2b08f994,
-0x68487058, 0xfd458f19, 0x6cde9487, 0xf87b52b7, 0xd373ab23, 0x024b72e2,
-0x8f1fe357, 0xab55662a, 0x28ebb207, 0xc2b52f03, 0x7bc5869a, 0x0837d3a5,
-0x872830f2, 0xa5bf23b2, 0x6a0302ba, 0x8216ed5c, 0x1ccf8a2b, 0xb479a792,
-0xf207f3f0, 0xe2694ea1, 0xf4da65cd, 0xbe0506d5, 0x6234d11f, 0xfea6c48a,
-0x532e349d, 0x55f3a2a0, 0xe18a0532, 0xebf6a475, 0xec830b39, 0xef6040aa,
-0x9f715e06, 0x106ebd51, 0x8a213ef9, 0x06dd963d, 0x053eddae, 0xbde64d46,
-0x8d5491b5, 0x5dc47105, 0xd406046f, 0x155060ff, 0xfb981924, 0xe9bdd697,
-0x434089cc, 0x9ed96777, 0x42e8b0bd, 0x8b890788, 0x5b19e738, 0xeec879db,
-0x0a7ca147, 0x0f427ce9, 0x1e84f8c9, 0x00000000, 0x86800983, 0xed2b3248,
-0x70111eac, 0x725a6c4e, 0xff0efdfb, 0x38850f56, 0xd5ae3d1e, 0x392d3627,
-0xd90f0a64, 0xa65c6821, 0x545b9bd1, 0x2e36243a, 0x670a0cb1, 0xe757930f,
-0x96eeb4d2, 0x919b1b9e, 0xc5c0804f, 0x20dc61a2, 0x4b775a69, 0x1a121c16,
-0xba93e20a, 0x2aa0c0e5, 0xe0223c43, 0x171b121d, 0x0d090e0b, 0xc78bf2ad,
-0xa8b62db9, 0xa91e14c8, 0x19f15785, 0x0775af4c, 0xdd99eebb, 0x607fa3fd,
-0x2601f79f, 0xf5725cbc, 0x3b6644c5, 0x7efb5b34, 0x29438b76, 0xc623cbdc,
-0xfcedb668, 0xf1e4b863, 0xdc31d7ca, 0x85634210, 0x22971340, 0x11c68420,
-0x244a857d, 0x3dbbd2f8, 0x32f9ae11, 0xa129c76d, 0x2f9e1d4b, 0x30b2dcf3,
-0x52860dec, 0xe3c177d0, 0x16b32b6c, 0xb970a999, 0x489411fa, 0x64e94722,
-0x8cfca8c4, 0x3ff0a01a, 0x2c7d56d8, 0x903322ef, 0x4e4987c7, 0xd138d9c1,
-0xa2ca8cfe, 0x0bd49836, 0x81f5a6cf, 0xde7aa528, 0x8eb7da26, 0xbfad3fa4,
-0x9d3a2ce4, 0x9278500d, 0xcc5f6a9b, 0x467e5462, 0x138df6c2, 0xb8d890e8,
-0xf7392e5e, 0xafc382f5, 0x805d9fbe, 0x93d0697c, 0x2dd56fa9, 0x1225cfb3,
-0x99acc83b, 0x7d1810a7, 0x639ce86e, 0xbb3bdb7b, 0x7826cd09, 0x18596ef4,
-0xb79aec01, 0x9a4f83a8, 0x6e95e665, 0xe6ffaa7e, 0xcfbc2108, 0xe815efe6,
-0x9be7bad9, 0x366f4ace, 0x099fead4, 0x7cb029d6, 0xb2a431af, 0x233f2a31,
-0x94a5c630, 0x66a235c0, 0xbc4e7437, 0xca82fca6, 0xd090e0b0, 0xd8a73315,
-0x9804f14a, 0xdaec41f7, 0x50cd7f0e, 0xf691172f, 0xd64d768d, 0xb0ef434d,
-0x4daacc54, 0x0496e4df, 0xb5d19ee3, 0x886a4c1b, 0x1f2cc1b8, 0x5165467f,
-0xea5e9d04, 0x358c015d, 0x7487fa73, 0x410bfb2e, 0x1d67b35a, 0xd2db9252,
-0x5610e933, 0x47d66d13, 0x61d79a8c, 0x0ca1377a, 0x14f8598e, 0x3c13eb89,
-0x27a9ceee, 0xc961b735, 0xe51ce1ed, 0xb1477a3c, 0xdfd29c59, 0x73f2553f,
-0xce141879, 0x37c773bf, 0xcdf753ea, 0xaafd5f5b, 0x6f3ddf14, 0xdb447886,
-0xf3afca81, 0xc468b93e, 0x3424382c, 0x40a3c25f, 0xc31d1672, 0x25e2bc0c,
-0x493c288b, 0x950dff41, 0x01a83971, 0xb30c08de, 0xe4b4d89c, 0xc1566490,
-0x84cb7b61, 0xb632d570, 0x5c6c4874, 0x57b8d042  
-};
-#else
-static const PRUint32 _TInv1[256] = 
-{
-0x5051f4a7, 0x537e4165, 0xc31a17a4, 0x963a275e, 0xcb3bab6b, 0xf11f9d45,
-0xabacfa58, 0x934be303, 0x552030fa, 0xf6ad766d, 0x9188cc76, 0x25f5024c,
-0xfc4fe5d7, 0xd7c52acb, 0x80263544, 0x8fb562a3, 0x49deb15a, 0x6725ba1b,
-0x9845ea0e, 0xe15dfec0, 0x02c32f75, 0x12814cf0, 0xa38d4697, 0xc66bd3f9,
-0xe7038f5f, 0x9515929c, 0xebbf6d7a, 0xda955259, 0x2dd4be83, 0xd3587421,
-0x2949e069, 0x448ec9c8, 0x6a75c289, 0x78f48e79, 0x6b99583e, 0xdd27b971,
-0xb6bee14f, 0x17f088ad, 0x66c920ac, 0xb47dce3a, 0x1863df4a, 0x82e51a31,
-0x60975133, 0x4562537f, 0xe0b16477, 0x84bb6bae, 0x1cfe81a0, 0x94f9082b,
-0x58704868, 0x198f45fd, 0x8794de6c, 0xb7527bf8, 0x23ab73d3, 0xe2724b02,
-0x57e31f8f, 0x2a6655ab, 0x07b2eb28, 0x032fb5c2, 0x9a86c57b, 0xa5d33708,
-0xf2302887, 0xb223bfa5, 0xba02036a, 0x5ced1682, 0x2b8acf1c, 0x92a779b4,
-0xf0f307f2, 0xa14e69e2, 0xcd65daf4, 0xd50605be, 0x1fd13462, 0x8ac4a6fe,
-0x9d342e53, 0xa0a2f355, 0x32058ae1, 0x75a4f6eb, 0x390b83ec, 0xaa4060ef,
-0x065e719f, 0x51bd6e10, 0xf93e218a, 0x3d96dd06, 0xaedd3e05, 0x464de6bd,
-0xb591548d, 0x0571c45d, 0x6f0406d4, 0xff605015, 0x241998fb, 0x97d6bde9,
-0xcc894043, 0x7767d99e, 0xbdb0e842, 0x8807898b, 0x38e7195b, 0xdb79c8ee,
-0x47a17c0a, 0xe97c420f, 0xc9f8841e, 0x00000000, 0x83098086, 0x48322bed,
-0xac1e1170, 0x4e6c5a72, 0xfbfd0eff, 0x560f8538, 0x1e3daed5, 0x27362d39,
-0x640a0fd9, 0x21685ca6, 0xd19b5b54, 0x3a24362e, 0xb10c0a67, 0x0f9357e7,
-0xd2b4ee96, 0x9e1b9b91, 0x4f80c0c5, 0xa261dc20, 0x695a774b, 0x161c121a,
-0x0ae293ba, 0xe5c0a02a, 0x433c22e0, 0x1d121b17, 0x0b0e090d, 0xadf28bc7,
-0xb92db6a8, 0xc8141ea9, 0x8557f119, 0x4caf7507, 0xbbee99dd, 0xfda37f60,
-0x9ff70126, 0xbc5c72f5, 0xc544663b, 0x345bfb7e, 0x768b4329, 0xdccb23c6,
-0x68b6edfc, 0x63b8e4f1, 0xcad731dc, 0x10426385, 0x40139722, 0x2084c611,
-0x7d854a24, 0xf8d2bb3d, 0x11aef932, 0x6dc729a1, 0x4b1d9e2f, 0xf3dcb230,
-0xec0d8652, 0xd077c1e3, 0x6c2bb316, 0x99a970b9, 0xfa119448, 0x2247e964,
-0xc4a8fc8c, 0x1aa0f03f, 0xd8567d2c, 0xef223390, 0xc787494e, 0xc1d938d1,
-0xfe8ccaa2, 0x3698d40b, 0xcfa6f581, 0x28a57ade, 0x26dab78e, 0xa43fadbf,
-0xe42c3a9d, 0x0d507892, 0x9b6a5fcc, 0x62547e46, 0xc2f68d13, 0xe890d8b8,
-0x5e2e39f7, 0xf582c3af, 0xbe9f5d80, 0x7c69d093, 0xa96fd52d, 0xb3cf2512,
-0x3bc8ac99, 0xa710187d, 0x6ee89c63, 0x7bdb3bbb, 0x09cd2678, 0xf46e5918,
-0x01ec9ab7, 0xa8834f9a, 0x65e6956e, 0x7eaaffe6, 0x0821bccf, 0xe6ef15e8,
-0xd9bae79b, 0xce4a6f36, 0xd4ea9f09, 0xd629b07c, 0xaf31a4b2, 0x312a3f23,
-0x30c6a594, 0xc035a266, 0x37744ebc, 0xa6fc82ca, 0xb0e090d0, 0x1533a7d8,
-0x4af10498, 0xf741ecda, 0x0e7fcd50, 0x2f1791f6, 0x8d764dd6, 0x4d43efb0,
-0x54ccaa4d, 0xdfe49604, 0xe39ed1b5, 0x1b4c6a88, 0xb8c12c1f, 0x7f466551,
-0x049d5eea, 0x5d018c35, 0x73fa8774, 0x2efb0b41, 0x5ab3671d, 0x5292dbd2,
-0x33e91056, 0x136dd647, 0x8c9ad761, 0x7a37a10c, 0x8e59f814, 0x89eb133c,
-0xeecea927, 0x35b761c9, 0xede11ce5, 0x3c7a47b1, 0x599cd2df, 0x3f55f273,
-0x791814ce, 0xbf73c737, 0xea53f7cd, 0x5b5ffdaa, 0x14df3d6f, 0x867844db,
-0x81caaff3, 0x3eb968c4, 0x2c382434, 0x5fc2a340, 0x72161dc3, 0x0cbce225,
-0x8b283c49, 0x41ff0d95, 0x7139a801, 0xde080cb3, 0x9cd8b4e4, 0x906456c1,
-0x617bcb84, 0x70d532b6, 0x74486c5c, 0x42d0b857  
-};
-#endif
-
-#ifdef IS_LITTLE_ENDIAN
-static const PRUint32 _TInv2[256] = 
-{
-0xf45150a7, 0x417e5365, 0x171ac3a4, 0x273a965e, 0xab3bcb6b, 0x9d1ff145,
-0xfaacab58, 0xe34b9303, 0x302055fa, 0x76adf66d, 0xcc889176, 0x02f5254c,
-0xe54ffcd7, 0x2ac5d7cb, 0x35268044, 0x62b58fa3, 0xb1de495a, 0xba25671b,
-0xea45980e, 0xfe5de1c0, 0x2fc30275, 0x4c8112f0, 0x468da397, 0xd36bc6f9,
-0x8f03e75f, 0x9215959c, 0x6dbfeb7a, 0x5295da59, 0xbed42d83, 0x7458d321,
-0xe0492969, 0xc98e44c8, 0xc2756a89, 0x8ef47879, 0x58996b3e, 0xb927dd71,
-0xe1beb64f, 0x88f017ad, 0x20c966ac, 0xce7db43a, 0xdf63184a, 0x1ae58231,
-0x51976033, 0x5362457f, 0x64b1e077, 0x6bbb84ae, 0x81fe1ca0, 0x08f9942b,
-0x48705868, 0x458f19fd, 0xde94876c, 0x7b52b7f8, 0x73ab23d3, 0x4b72e202,
-0x1fe3578f, 0x55662aab, 0xebb20728, 0xb52f03c2, 0xc5869a7b, 0x37d3a508,
-0x2830f287, 0xbf23b2a5, 0x0302ba6a, 0x16ed5c82, 0xcf8a2b1c, 0x79a792b4,
-0x07f3f0f2, 0x694ea1e2, 0xda65cdf4, 0x0506d5be, 0x34d11f62, 0xa6c48afe,
-0x2e349d53, 0xf3a2a055, 0x8a0532e1, 0xf6a475eb, 0x830b39ec, 0x6040aaef,
-0x715e069f, 0x6ebd5110, 0x213ef98a, 0xdd963d06, 0x3eddae05, 0xe64d46bd,
-0x5491b58d, 0xc471055d, 0x06046fd4, 0x5060ff15, 0x981924fb, 0xbdd697e9,
-0x4089cc43, 0xd967779e, 0xe8b0bd42, 0x8907888b, 0x19e7385b, 0xc879dbee,
-0x7ca1470a, 0x427ce90f, 0x84f8c91e, 0x00000000, 0x80098386, 0x2b3248ed,
-0x111eac70, 0x5a6c4e72, 0x0efdfbff, 0x850f5638, 0xae3d1ed5, 0x2d362739,
-0x0f0a64d9, 0x5c6821a6, 0x5b9bd154, 0x36243a2e, 0x0a0cb167, 0x57930fe7,
-0xeeb4d296, 0x9b1b9e91, 0xc0804fc5, 0xdc61a220, 0x775a694b, 0x121c161a,
-0x93e20aba, 0xa0c0e52a, 0x223c43e0, 0x1b121d17, 0x090e0b0d, 0x8bf2adc7,
-0xb62db9a8, 0x1e14c8a9, 0xf1578519, 0x75af4c07, 0x99eebbdd, 0x7fa3fd60,
-0x01f79f26, 0x725cbcf5, 0x6644c53b, 0xfb5b347e, 0x438b7629, 0x23cbdcc6,
-0xedb668fc, 0xe4b863f1, 0x31d7cadc, 0x63421085, 0x97134022, 0xc6842011,
-0x4a857d24, 0xbbd2f83d, 0xf9ae1132, 0x29c76da1, 0x9e1d4b2f, 0xb2dcf330,
-0x860dec52, 0xc177d0e3, 0xb32b6c16, 0x70a999b9, 0x9411fa48, 0xe9472264,
-0xfca8c48c, 0xf0a01a3f, 0x7d56d82c, 0x3322ef90, 0x4987c74e, 0x38d9c1d1,
-0xca8cfea2, 0xd498360b, 0xf5a6cf81, 0x7aa528de, 0xb7da268e, 0xad3fa4bf,
-0x3a2ce49d, 0x78500d92, 0x5f6a9bcc, 0x7e546246, 0x8df6c213, 0xd890e8b8,
-0x392e5ef7, 0xc382f5af, 0x5d9fbe80, 0xd0697c93, 0xd56fa92d, 0x25cfb312,
-0xacc83b99, 0x1810a77d, 0x9ce86e63, 0x3bdb7bbb, 0x26cd0978, 0x596ef418,
-0x9aec01b7, 0x4f83a89a, 0x95e6656e, 0xffaa7ee6, 0xbc2108cf, 0x15efe6e8,
-0xe7bad99b, 0x6f4ace36, 0x9fead409, 0xb029d67c, 0xa431afb2, 0x3f2a3123,
-0xa5c63094, 0xa235c066, 0x4e7437bc, 0x82fca6ca, 0x90e0b0d0, 0xa73315d8,
-0x04f14a98, 0xec41f7da, 0xcd7f0e50, 0x91172ff6, 0x4d768dd6, 0xef434db0,
-0xaacc544d, 0x96e4df04, 0xd19ee3b5, 0x6a4c1b88, 0x2cc1b81f, 0x65467f51,
-0x5e9d04ea, 0x8c015d35, 0x87fa7374, 0x0bfb2e41, 0x67b35a1d, 0xdb9252d2,
-0x10e93356, 0xd66d1347, 0xd79a8c61, 0xa1377a0c, 0xf8598e14, 0x13eb893c,
-0xa9ceee27, 0x61b735c9, 0x1ce1ede5, 0x477a3cb1, 0xd29c59df, 0xf2553f73,
-0x141879ce, 0xc773bf37, 0xf753eacd, 0xfd5f5baa, 0x3ddf146f, 0x447886db,
-0xafca81f3, 0x68b93ec4, 0x24382c34, 0xa3c25f40, 0x1d1672c3, 0xe2bc0c25,
-0x3c288b49, 0x0dff4195, 0xa8397101, 0x0c08deb3, 0xb4d89ce4, 0x566490c1,
-0xcb7b6184, 0x32d570b6, 0x6c48745c, 0xb8d04257  
-};
-#else
-static const PRUint32 _TInv2[256] = 
-{
-0xa75051f4, 0x65537e41, 0xa4c31a17, 0x5e963a27, 0x6bcb3bab, 0x45f11f9d,
-0x58abacfa, 0x03934be3, 0xfa552030, 0x6df6ad76, 0x769188cc, 0x4c25f502,
-0xd7fc4fe5, 0xcbd7c52a, 0x44802635, 0xa38fb562, 0x5a49deb1, 0x1b6725ba,
-0x0e9845ea, 0xc0e15dfe, 0x7502c32f, 0xf012814c, 0x97a38d46, 0xf9c66bd3,
-0x5fe7038f, 0x9c951592, 0x7aebbf6d, 0x59da9552, 0x832dd4be, 0x21d35874,
-0x692949e0, 0xc8448ec9, 0x896a75c2, 0x7978f48e, 0x3e6b9958, 0x71dd27b9,
-0x4fb6bee1, 0xad17f088, 0xac66c920, 0x3ab47dce, 0x4a1863df, 0x3182e51a,
-0x33609751, 0x7f456253, 0x77e0b164, 0xae84bb6b, 0xa01cfe81, 0x2b94f908,
-0x68587048, 0xfd198f45, 0x6c8794de, 0xf8b7527b, 0xd323ab73, 0x02e2724b,
-0x8f57e31f, 0xab2a6655, 0x2807b2eb, 0xc2032fb5, 0x7b9a86c5, 0x08a5d337,
-0x87f23028, 0xa5b223bf, 0x6aba0203, 0x825ced16, 0x1c2b8acf, 0xb492a779,
-0xf2f0f307, 0xe2a14e69, 0xf4cd65da, 0xbed50605, 0x621fd134, 0xfe8ac4a6,
-0x539d342e, 0x55a0a2f3, 0xe132058a, 0xeb75a4f6, 0xec390b83, 0xefaa4060,
-0x9f065e71, 0x1051bd6e, 0x8af93e21, 0x063d96dd, 0x05aedd3e, 0xbd464de6,
-0x8db59154, 0x5d0571c4, 0xd46f0406, 0x15ff6050, 0xfb241998, 0xe997d6bd,
-0x43cc8940, 0x9e7767d9, 0x42bdb0e8, 0x8b880789, 0x5b38e719, 0xeedb79c8,
-0x0a47a17c, 0x0fe97c42, 0x1ec9f884, 0x00000000, 0x86830980, 0xed48322b,
-0x70ac1e11, 0x724e6c5a, 0xfffbfd0e, 0x38560f85, 0xd51e3dae, 0x3927362d,
-0xd9640a0f, 0xa621685c, 0x54d19b5b, 0x2e3a2436, 0x67b10c0a, 0xe70f9357,
-0x96d2b4ee, 0x919e1b9b, 0xc54f80c0, 0x20a261dc, 0x4b695a77, 0x1a161c12,
-0xba0ae293, 0x2ae5c0a0, 0xe0433c22, 0x171d121b, 0x0d0b0e09, 0xc7adf28b,
-0xa8b92db6, 0xa9c8141e, 0x198557f1, 0x074caf75, 0xddbbee99, 0x60fda37f,
-0x269ff701, 0xf5bc5c72, 0x3bc54466, 0x7e345bfb, 0x29768b43, 0xc6dccb23,
-0xfc68b6ed, 0xf163b8e4, 0xdccad731, 0x85104263, 0x22401397, 0x112084c6,
-0x247d854a, 0x3df8d2bb, 0x3211aef9, 0xa16dc729, 0x2f4b1d9e, 0x30f3dcb2,
-0x52ec0d86, 0xe3d077c1, 0x166c2bb3, 0xb999a970, 0x48fa1194, 0x642247e9,
-0x8cc4a8fc, 0x3f1aa0f0, 0x2cd8567d, 0x90ef2233, 0x4ec78749, 0xd1c1d938,
-0xa2fe8cca, 0x0b3698d4, 0x81cfa6f5, 0xde28a57a, 0x8e26dab7, 0xbfa43fad,
-0x9de42c3a, 0x920d5078, 0xcc9b6a5f, 0x4662547e, 0x13c2f68d, 0xb8e890d8,
-0xf75e2e39, 0xaff582c3, 0x80be9f5d, 0x937c69d0, 0x2da96fd5, 0x12b3cf25,
-0x993bc8ac, 0x7da71018, 0x636ee89c, 0xbb7bdb3b, 0x7809cd26, 0x18f46e59,
-0xb701ec9a, 0x9aa8834f, 0x6e65e695, 0xe67eaaff, 0xcf0821bc, 0xe8e6ef15,
-0x9bd9bae7, 0x36ce4a6f, 0x09d4ea9f, 0x7cd629b0, 0xb2af31a4, 0x23312a3f,
-0x9430c6a5, 0x66c035a2, 0xbc37744e, 0xcaa6fc82, 0xd0b0e090, 0xd81533a7,
-0x984af104, 0xdaf741ec, 0x500e7fcd, 0xf62f1791, 0xd68d764d, 0xb04d43ef,
-0x4d54ccaa, 0x04dfe496, 0xb5e39ed1, 0x881b4c6a, 0x1fb8c12c, 0x517f4665,
-0xea049d5e, 0x355d018c, 0x7473fa87, 0x412efb0b, 0x1d5ab367, 0xd25292db,
-0x5633e910, 0x47136dd6, 0x618c9ad7, 0x0c7a37a1, 0x148e59f8, 0x3c89eb13,
-0x27eecea9, 0xc935b761, 0xe5ede11c, 0xb13c7a47, 0xdf599cd2, 0x733f55f2,
-0xce791814, 0x37bf73c7, 0xcdea53f7, 0xaa5b5ffd, 0x6f14df3d, 0xdb867844,
-0xf381caaf, 0xc43eb968, 0x342c3824, 0x405fc2a3, 0xc372161d, 0x250cbce2,
-0x498b283c, 0x9541ff0d, 0x017139a8, 0xb3de080c, 0xe49cd8b4, 0xc1906456,
-0x84617bcb, 0xb670d532, 0x5c74486c, 0x5742d0b8  
-};
-#endif
-
-#ifdef IS_LITTLE_ENDIAN
-static const PRUint32 _TInv3[256] = 
-{
-0x5150a7f4, 0x7e536541, 0x1ac3a417, 0x3a965e27, 0x3bcb6bab, 0x1ff1459d,
-0xacab58fa, 0x4b9303e3, 0x2055fa30, 0xadf66d76, 0x889176cc, 0xf5254c02,
-0x4ffcd7e5, 0xc5d7cb2a, 0x26804435, 0xb58fa362, 0xde495ab1, 0x25671bba,
-0x45980eea, 0x5de1c0fe, 0xc302752f, 0x8112f04c, 0x8da39746, 0x6bc6f9d3,
-0x03e75f8f, 0x15959c92, 0xbfeb7a6d, 0x95da5952, 0xd42d83be, 0x58d32174,
-0x492969e0, 0x8e44c8c9, 0x756a89c2, 0xf478798e, 0x996b3e58, 0x27dd71b9,
-0xbeb64fe1, 0xf017ad88, 0xc966ac20, 0x7db43ace, 0x63184adf, 0xe582311a,
-0x97603351, 0x62457f53, 0xb1e07764, 0xbb84ae6b, 0xfe1ca081, 0xf9942b08,
-0x70586848, 0x8f19fd45, 0x94876cde, 0x52b7f87b, 0xab23d373, 0x72e2024b,
-0xe3578f1f, 0x662aab55, 0xb20728eb, 0x2f03c2b5, 0x869a7bc5, 0xd3a50837,
-0x30f28728, 0x23b2a5bf, 0x02ba6a03, 0xed5c8216, 0x8a2b1ccf, 0xa792b479,
-0xf3f0f207, 0x4ea1e269, 0x65cdf4da, 0x06d5be05, 0xd11f6234, 0xc48afea6,
-0x349d532e, 0xa2a055f3, 0x0532e18a, 0xa475ebf6, 0x0b39ec83, 0x40aaef60,
-0x5e069f71, 0xbd51106e, 0x3ef98a21, 0x963d06dd, 0xddae053e, 0x4d46bde6,
-0x91b58d54, 0x71055dc4, 0x046fd406, 0x60ff1550, 0x1924fb98, 0xd697e9bd,
-0x89cc4340, 0x67779ed9, 0xb0bd42e8, 0x07888b89, 0xe7385b19, 0x79dbeec8,
-0xa1470a7c, 0x7ce90f42, 0xf8c91e84, 0x00000000, 0x09838680, 0x3248ed2b,
-0x1eac7011, 0x6c4e725a, 0xfdfbff0e, 0x0f563885, 0x3d1ed5ae, 0x3627392d,
-0x0a64d90f, 0x6821a65c, 0x9bd1545b, 0x243a2e36, 0x0cb1670a, 0x930fe757,
-0xb4d296ee, 0x1b9e919b, 0x804fc5c0, 0x61a220dc, 0x5a694b77, 0x1c161a12,
-0xe20aba93, 0xc0e52aa0, 0x3c43e022, 0x121d171b, 0x0e0b0d09, 0xf2adc78b,
-0x2db9a8b6, 0x14c8a91e, 0x578519f1, 0xaf4c0775, 0xeebbdd99, 0xa3fd607f,
-0xf79f2601, 0x5cbcf572, 0x44c53b66, 0x5b347efb, 0x8b762943, 0xcbdcc623,
-0xb668fced, 0xb863f1e4, 0xd7cadc31, 0x42108563, 0x13402297, 0x842011c6,
-0x857d244a, 0xd2f83dbb, 0xae1132f9, 0xc76da129, 0x1d4b2f9e, 0xdcf330b2,
-0x0dec5286, 0x77d0e3c1, 0x2b6c16b3, 0xa999b970, 0x11fa4894, 0x472264e9,
-0xa8c48cfc, 0xa01a3ff0, 0x56d82c7d, 0x22ef9033, 0x87c74e49, 0xd9c1d138,
-0x8cfea2ca, 0x98360bd4, 0xa6cf81f5, 0xa528de7a, 0xda268eb7, 0x3fa4bfad,
-0x2ce49d3a, 0x500d9278, 0x6a9bcc5f, 0x5462467e, 0xf6c2138d, 0x90e8b8d8,
-0x2e5ef739, 0x82f5afc3, 0x9fbe805d, 0x697c93d0, 0x6fa92dd5, 0xcfb31225,
-0xc83b99ac, 0x10a77d18, 0xe86e639c, 0xdb7bbb3b, 0xcd097826, 0x6ef41859,
-0xec01b79a, 0x83a89a4f, 0xe6656e95, 0xaa7ee6ff, 0x2108cfbc, 0xefe6e815,
-0xbad99be7, 0x4ace366f, 0xead4099f, 0x29d67cb0, 0x31afb2a4, 0x2a31233f,
-0xc63094a5, 0x35c066a2, 0x7437bc4e, 0xfca6ca82, 0xe0b0d090, 0x3315d8a7,
-0xf14a9804, 0x41f7daec, 0x7f0e50cd, 0x172ff691, 0x768dd64d, 0x434db0ef,
-0xcc544daa, 0xe4df0496, 0x9ee3b5d1, 0x4c1b886a, 0xc1b81f2c, 0x467f5165,
-0x9d04ea5e, 0x015d358c, 0xfa737487, 0xfb2e410b, 0xb35a1d67, 0x9252d2db,
-0xe9335610, 0x6d1347d6, 0x9a8c61d7, 0x377a0ca1, 0x598e14f8, 0xeb893c13,
-0xceee27a9, 0xb735c961, 0xe1ede51c, 0x7a3cb147, 0x9c59dfd2, 0x553f73f2,
-0x1879ce14, 0x73bf37c7, 0x53eacdf7, 0x5f5baafd, 0xdf146f3d, 0x7886db44,
-0xca81f3af, 0xb93ec468, 0x382c3424, 0xc25f40a3, 0x1672c31d, 0xbc0c25e2,
-0x288b493c, 0xff41950d, 0x397101a8, 0x08deb30c, 0xd89ce4b4, 0x6490c156,
-0x7b6184cb, 0xd570b632, 0x48745c6c, 0xd04257b8  
-};
-#else
-static const PRUint32 _TInv3[256] = 
-{
-0xf4a75051, 0x4165537e, 0x17a4c31a, 0x275e963a, 0xab6bcb3b, 0x9d45f11f,
-0xfa58abac, 0xe303934b, 0x30fa5520, 0x766df6ad, 0xcc769188, 0x024c25f5,
-0xe5d7fc4f, 0x2acbd7c5, 0x35448026, 0x62a38fb5, 0xb15a49de, 0xba1b6725,
-0xea0e9845, 0xfec0e15d, 0x2f7502c3, 0x4cf01281, 0x4697a38d, 0xd3f9c66b,
-0x8f5fe703, 0x929c9515, 0x6d7aebbf, 0x5259da95, 0xbe832dd4, 0x7421d358,
-0xe0692949, 0xc9c8448e, 0xc2896a75, 0x8e7978f4, 0x583e6b99, 0xb971dd27,
-0xe14fb6be, 0x88ad17f0, 0x20ac66c9, 0xce3ab47d, 0xdf4a1863, 0x1a3182e5,
-0x51336097, 0x537f4562, 0x6477e0b1, 0x6bae84bb, 0x81a01cfe, 0x082b94f9,
-0x48685870, 0x45fd198f, 0xde6c8794, 0x7bf8b752, 0x73d323ab, 0x4b02e272,
-0x1f8f57e3, 0x55ab2a66, 0xeb2807b2, 0xb5c2032f, 0xc57b9a86, 0x3708a5d3,
-0x2887f230, 0xbfa5b223, 0x036aba02, 0x16825ced, 0xcf1c2b8a, 0x79b492a7,
-0x07f2f0f3, 0x69e2a14e, 0xdaf4cd65, 0x05bed506, 0x34621fd1, 0xa6fe8ac4,
-0x2e539d34, 0xf355a0a2, 0x8ae13205, 0xf6eb75a4, 0x83ec390b, 0x60efaa40,
-0x719f065e, 0x6e1051bd, 0x218af93e, 0xdd063d96, 0x3e05aedd, 0xe6bd464d,
-0x548db591, 0xc45d0571, 0x06d46f04, 0x5015ff60, 0x98fb2419, 0xbde997d6,
-0x4043cc89, 0xd99e7767, 0xe842bdb0, 0x898b8807, 0x195b38e7, 0xc8eedb79,
-0x7c0a47a1, 0x420fe97c, 0x841ec9f8, 0x00000000, 0x80868309, 0x2bed4832,
-0x1170ac1e, 0x5a724e6c, 0x0efffbfd, 0x8538560f, 0xaed51e3d, 0x2d392736,
-0x0fd9640a, 0x5ca62168, 0x5b54d19b, 0x362e3a24, 0x0a67b10c, 0x57e70f93,
-0xee96d2b4, 0x9b919e1b, 0xc0c54f80, 0xdc20a261, 0x774b695a, 0x121a161c,
-0x93ba0ae2, 0xa02ae5c0, 0x22e0433c, 0x1b171d12, 0x090d0b0e, 0x8bc7adf2,
-0xb6a8b92d, 0x1ea9c814, 0xf1198557, 0x75074caf, 0x99ddbbee, 0x7f60fda3,
-0x01269ff7, 0x72f5bc5c, 0x663bc544, 0xfb7e345b, 0x4329768b, 0x23c6dccb,
-0xedfc68b6, 0xe4f163b8, 0x31dccad7, 0x63851042, 0x97224013, 0xc6112084,
-0x4a247d85, 0xbb3df8d2, 0xf93211ae, 0x29a16dc7, 0x9e2f4b1d, 0xb230f3dc,
-0x8652ec0d, 0xc1e3d077, 0xb3166c2b, 0x70b999a9, 0x9448fa11, 0xe9642247,
-0xfc8cc4a8, 0xf03f1aa0, 0x7d2cd856, 0x3390ef22, 0x494ec787, 0x38d1c1d9,
-0xcaa2fe8c, 0xd40b3698, 0xf581cfa6, 0x7ade28a5, 0xb78e26da, 0xadbfa43f,
-0x3a9de42c, 0x78920d50, 0x5fcc9b6a, 0x7e466254, 0x8d13c2f6, 0xd8b8e890,
-0x39f75e2e, 0xc3aff582, 0x5d80be9f, 0xd0937c69, 0xd52da96f, 0x2512b3cf,
-0xac993bc8, 0x187da710, 0x9c636ee8, 0x3bbb7bdb, 0x267809cd, 0x5918f46e,
-0x9ab701ec, 0x4f9aa883, 0x956e65e6, 0xffe67eaa, 0xbccf0821, 0x15e8e6ef,
-0xe79bd9ba, 0x6f36ce4a, 0x9f09d4ea, 0xb07cd629, 0xa4b2af31, 0x3f23312a,
-0xa59430c6, 0xa266c035, 0x4ebc3774, 0x82caa6fc, 0x90d0b0e0, 0xa7d81533,
-0x04984af1, 0xecdaf741, 0xcd500e7f, 0x91f62f17, 0x4dd68d76, 0xefb04d43,
-0xaa4d54cc, 0x9604dfe4, 0xd1b5e39e, 0x6a881b4c, 0x2c1fb8c1, 0x65517f46,
-0x5eea049d, 0x8c355d01, 0x877473fa, 0x0b412efb, 0x671d5ab3, 0xdbd25292,
-0x105633e9, 0xd647136d, 0xd7618c9a, 0xa10c7a37, 0xf8148e59, 0x133c89eb,
-0xa927eece, 0x61c935b7, 0x1ce5ede1, 0x47b13c7a, 0xd2df599c, 0xf2733f55,
-0x14ce7918, 0xc737bf73, 0xf7cdea53, 0xfdaa5b5f, 0x3d6f14df, 0x44db8678,
-0xaff381ca, 0x68c43eb9, 0x24342c38, 0xa3405fc2, 0x1dc37216, 0xe2250cbc,
-0x3c498b28, 0x0d9541ff, 0xa8017139, 0x0cb3de08, 0xb4e49cd8, 0x56c19064,
-0xcb84617b, 0x32b670d5, 0x6c5c7448, 0xb85742d0  
-};
-#endif
-
-#ifdef IS_LITTLE_ENDIAN
-static const PRUint32 _IMXC0[256] = 
-{
-0x00000000, 0x0b0d090e, 0x161a121c, 0x1d171b12, 0x2c342438, 0x27392d36,
-0x3a2e3624, 0x31233f2a, 0x58684870, 0x5365417e, 0x4e725a6c, 0x457f5362,
-0x745c6c48, 0x7f516546, 0x62467e54, 0x694b775a, 0xb0d090e0, 0xbbdd99ee,
-0xa6ca82fc, 0xadc78bf2, 0x9ce4b4d8, 0x97e9bdd6, 0x8afea6c4, 0x81f3afca,
-0xe8b8d890, 0xe3b5d19e, 0xfea2ca8c, 0xf5afc382, 0xc48cfca8, 0xcf81f5a6,
-0xd296eeb4, 0xd99be7ba, 0x7bbb3bdb, 0x70b632d5, 0x6da129c7, 0x66ac20c9,
-0x578f1fe3, 0x5c8216ed, 0x41950dff, 0x4a9804f1, 0x23d373ab, 0x28de7aa5,
-0x35c961b7, 0x3ec468b9, 0x0fe75793, 0x04ea5e9d, 0x19fd458f, 0x12f04c81,
-0xcb6bab3b, 0xc066a235, 0xdd71b927, 0xd67cb029, 0xe75f8f03, 0xec52860d,
-0xf1459d1f, 0xfa489411, 0x9303e34b, 0x980eea45, 0x8519f157, 0x8e14f859,
-0xbf37c773, 0xb43ace7d, 0xa92dd56f, 0xa220dc61, 0xf66d76ad, 0xfd607fa3,
-0xe07764b1, 0xeb7a6dbf, 0xda595295, 0xd1545b9b, 0xcc434089, 0xc74e4987,
-0xae053edd, 0xa50837d3, 0xb81f2cc1, 0xb31225cf, 0x82311ae5, 0x893c13eb,
-0x942b08f9, 0x9f2601f7, 0x46bde64d, 0x4db0ef43, 0x50a7f451, 0x5baafd5f,
-0x6a89c275, 0x6184cb7b, 0x7c93d069, 0x779ed967, 0x1ed5ae3d, 0x15d8a733,
-0x08cfbc21, 0x03c2b52f, 0x32e18a05, 0x39ec830b, 0x24fb9819, 0x2ff69117,
-0x8dd64d76, 0x86db4478, 0x9bcc5f6a, 0x90c15664, 0xa1e2694e, 0xaaef6040,
-0xb7f87b52, 0xbcf5725c, 0xd5be0506, 0xdeb30c08, 0xc3a4171a, 0xc8a91e14,
-0xf98a213e, 0xf2872830, 0xef903322, 0xe49d3a2c, 0x3d06dd96, 0x360bd498,
-0x2b1ccf8a, 0x2011c684, 0x1132f9ae, 0x1a3ff0a0, 0x0728ebb2, 0x0c25e2bc,
-0x656e95e6, 0x6e639ce8, 0x737487fa, 0x78798ef4, 0x495ab1de, 0x4257b8d0,
-0x5f40a3c2, 0x544daacc, 0xf7daec41, 0xfcd7e54f, 0xe1c0fe5d, 0xeacdf753,
-0xdbeec879, 0xd0e3c177, 0xcdf4da65, 0xc6f9d36b, 0xafb2a431, 0xa4bfad3f,
-0xb9a8b62d, 0xb2a5bf23, 0x83868009, 0x888b8907, 0x959c9215, 0x9e919b1b,
-0x470a7ca1, 0x4c0775af, 0x51106ebd, 0x5a1d67b3, 0x6b3e5899, 0x60335197,
-0x7d244a85, 0x7629438b, 0x1f6234d1, 0x146f3ddf, 0x097826cd, 0x02752fc3,
-0x335610e9, 0x385b19e7, 0x254c02f5, 0x2e410bfb, 0x8c61d79a, 0x876cde94,
-0x9a7bc586, 0x9176cc88, 0xa055f3a2, 0xab58faac, 0xb64fe1be, 0xbd42e8b0,
-0xd4099fea, 0xdf0496e4, 0xc2138df6, 0xc91e84f8, 0xf83dbbd2, 0xf330b2dc,
-0xee27a9ce, 0xe52aa0c0, 0x3cb1477a, 0x37bc4e74, 0x2aab5566, 0x21a65c68,
-0x10856342, 0x1b886a4c, 0x069f715e, 0x0d927850, 0x64d90f0a, 0x6fd40604,
-0x72c31d16, 0x79ce1418, 0x48ed2b32, 0x43e0223c, 0x5ef7392e, 0x55fa3020,
-0x01b79aec, 0x0aba93e2, 0x17ad88f0, 0x1ca081fe, 0x2d83bed4, 0x268eb7da,
-0x3b99acc8, 0x3094a5c6, 0x59dfd29c, 0x52d2db92, 0x4fc5c080, 0x44c8c98e,
-0x75ebf6a4, 0x7ee6ffaa, 0x63f1e4b8, 0x68fcedb6, 0xb1670a0c, 0xba6a0302,
-0xa77d1810, 0xac70111e, 0x9d532e34, 0x965e273a, 0x8b493c28, 0x80443526,
-0xe90f427c, 0xe2024b72, 0xff155060, 0xf418596e, 0xc53b6644, 0xce366f4a,
-0xd3217458, 0xd82c7d56, 0x7a0ca137, 0x7101a839, 0x6c16b32b, 0x671bba25,
-0x5638850f, 0x5d358c01, 0x40229713, 0x4b2f9e1d, 0x2264e947, 0x2969e049,
-0x347efb5b, 0x3f73f255, 0x0e50cd7f, 0x055dc471, 0x184adf63, 0x1347d66d,
-0xcadc31d7, 0xc1d138d9, 0xdcc623cb, 0xd7cb2ac5, 0xe6e815ef, 0xede51ce1,
-0xf0f207f3, 0xfbff0efd, 0x92b479a7, 0x99b970a9, 0x84ae6bbb, 0x8fa362b5,
-0xbe805d9f, 0xb58d5491, 0xa89a4f83, 0xa397468d  
-};
-#else
-static const PRUint32 _IMXC0[256] = 
-{
-0x00000000, 0x0e090d0b, 0x1c121a16, 0x121b171d, 0x3824342c, 0x362d3927,
-0x24362e3a, 0x2a3f2331, 0x70486858, 0x7e416553, 0x6c5a724e, 0x62537f45,
-0x486c5c74, 0x4665517f, 0x547e4662, 0x5a774b69, 0xe090d0b0, 0xee99ddbb,
-0xfc82caa6, 0xf28bc7ad, 0xd8b4e49c, 0xd6bde997, 0xc4a6fe8a, 0xcaaff381,
-0x90d8b8e8, 0x9ed1b5e3, 0x8ccaa2fe, 0x82c3aff5, 0xa8fc8cc4, 0xa6f581cf,
-0xb4ee96d2, 0xbae79bd9, 0xdb3bbb7b, 0xd532b670, 0xc729a16d, 0xc920ac66,
-0xe31f8f57, 0xed16825c, 0xff0d9541, 0xf104984a, 0xab73d323, 0xa57ade28,
-0xb761c935, 0xb968c43e, 0x9357e70f, 0x9d5eea04, 0x8f45fd19, 0x814cf012,
-0x3bab6bcb, 0x35a266c0, 0x27b971dd, 0x29b07cd6, 0x038f5fe7, 0x0d8652ec,
-0x1f9d45f1, 0x119448fa, 0x4be30393, 0x45ea0e98, 0x57f11985, 0x59f8148e,
-0x73c737bf, 0x7dce3ab4, 0x6fd52da9, 0x61dc20a2, 0xad766df6, 0xa37f60fd,
-0xb16477e0, 0xbf6d7aeb, 0x955259da, 0x9b5b54d1, 0x894043cc, 0x87494ec7,
-0xdd3e05ae, 0xd33708a5, 0xc12c1fb8, 0xcf2512b3, 0xe51a3182, 0xeb133c89,
-0xf9082b94, 0xf701269f, 0x4de6bd46, 0x43efb04d, 0x51f4a750, 0x5ffdaa5b,
-0x75c2896a, 0x7bcb8461, 0x69d0937c, 0x67d99e77, 0x3daed51e, 0x33a7d815,
-0x21bccf08, 0x2fb5c203, 0x058ae132, 0x0b83ec39, 0x1998fb24, 0x1791f62f,
-0x764dd68d, 0x7844db86, 0x6a5fcc9b, 0x6456c190, 0x4e69e2a1, 0x4060efaa,
-0x527bf8b7, 0x5c72f5bc, 0x0605bed5, 0x080cb3de, 0x1a17a4c3, 0x141ea9c8,
-0x3e218af9, 0x302887f2, 0x223390ef, 0x2c3a9de4, 0x96dd063d, 0x98d40b36,
-0x8acf1c2b, 0x84c61120, 0xaef93211, 0xa0f03f1a, 0xb2eb2807, 0xbce2250c,
-0xe6956e65, 0xe89c636e, 0xfa877473, 0xf48e7978, 0xdeb15a49, 0xd0b85742,
-0xc2a3405f, 0xccaa4d54, 0x41ecdaf7, 0x4fe5d7fc, 0x5dfec0e1, 0x53f7cdea,
-0x79c8eedb, 0x77c1e3d0, 0x65daf4cd, 0x6bd3f9c6, 0x31a4b2af, 0x3fadbfa4,
-0x2db6a8b9, 0x23bfa5b2, 0x09808683, 0x07898b88, 0x15929c95, 0x1b9b919e,
-0xa17c0a47, 0xaf75074c, 0xbd6e1051, 0xb3671d5a, 0x99583e6b, 0x97513360,
-0x854a247d, 0x8b432976, 0xd134621f, 0xdf3d6f14, 0xcd267809, 0xc32f7502,
-0xe9105633, 0xe7195b38, 0xf5024c25, 0xfb0b412e, 0x9ad7618c, 0x94de6c87,
-0x86c57b9a, 0x88cc7691, 0xa2f355a0, 0xacfa58ab, 0xbee14fb6, 0xb0e842bd,
-0xea9f09d4, 0xe49604df, 0xf68d13c2, 0xf8841ec9, 0xd2bb3df8, 0xdcb230f3,
-0xcea927ee, 0xc0a02ae5, 0x7a47b13c, 0x744ebc37, 0x6655ab2a, 0x685ca621,
-0x42638510, 0x4c6a881b, 0x5e719f06, 0x5078920d, 0x0a0fd964, 0x0406d46f,
-0x161dc372, 0x1814ce79, 0x322bed48, 0x3c22e043, 0x2e39f75e, 0x2030fa55,
-0xec9ab701, 0xe293ba0a, 0xf088ad17, 0xfe81a01c, 0xd4be832d, 0xdab78e26,
-0xc8ac993b, 0xc6a59430, 0x9cd2df59, 0x92dbd252, 0x80c0c54f, 0x8ec9c844,
-0xa4f6eb75, 0xaaffe67e, 0xb8e4f163, 0xb6edfc68, 0x0c0a67b1, 0x02036aba,
-0x10187da7, 0x1e1170ac, 0x342e539d, 0x3a275e96, 0x283c498b, 0x26354480,
-0x7c420fe9, 0x724b02e2, 0x605015ff, 0x6e5918f4, 0x44663bc5, 0x4a6f36ce,
-0x587421d3, 0x567d2cd8, 0x37a10c7a, 0x39a80171, 0x2bb3166c, 0x25ba1b67,
-0x0f853856, 0x018c355d, 0x13972240, 0x1d9e2f4b, 0x47e96422, 0x49e06929,
-0x5bfb7e34, 0x55f2733f, 0x7fcd500e, 0x71c45d05, 0x63df4a18, 0x6dd64713,
-0xd731dcca, 0xd938d1c1, 0xcb23c6dc, 0xc52acbd7, 0xef15e8e6, 0xe11ce5ed,
-0xf307f2f0, 0xfd0efffb, 0xa779b492, 0xa970b999, 0xbb6bae84, 0xb562a38f,
-0x9f5d80be, 0x91548db5, 0x834f9aa8, 0x8d4697a3  
-};
-#endif
-
-#ifdef IS_LITTLE_ENDIAN
-static const PRUint32 _IMXC1[256] = 
-{
-0x00000000, 0x0d090e0b, 0x1a121c16, 0x171b121d, 0x3424382c, 0x392d3627,
-0x2e36243a, 0x233f2a31, 0x68487058, 0x65417e53, 0x725a6c4e, 0x7f536245,
-0x5c6c4874, 0x5165467f, 0x467e5462, 0x4b775a69, 0xd090e0b0, 0xdd99eebb,
-0xca82fca6, 0xc78bf2ad, 0xe4b4d89c, 0xe9bdd697, 0xfea6c48a, 0xf3afca81,
-0xb8d890e8, 0xb5d19ee3, 0xa2ca8cfe, 0xafc382f5, 0x8cfca8c4, 0x81f5a6cf,
-0x96eeb4d2, 0x9be7bad9, 0xbb3bdb7b, 0xb632d570, 0xa129c76d, 0xac20c966,
-0x8f1fe357, 0x8216ed5c, 0x950dff41, 0x9804f14a, 0xd373ab23, 0xde7aa528,
-0xc961b735, 0xc468b93e, 0xe757930f, 0xea5e9d04, 0xfd458f19, 0xf04c8112,
-0x6bab3bcb, 0x66a235c0, 0x71b927dd, 0x7cb029d6, 0x5f8f03e7, 0x52860dec,
-0x459d1ff1, 0x489411fa, 0x03e34b93, 0x0eea4598, 0x19f15785, 0x14f8598e,
-0x37c773bf, 0x3ace7db4, 0x2dd56fa9, 0x20dc61a2, 0x6d76adf6, 0x607fa3fd,
-0x7764b1e0, 0x7a6dbfeb, 0x595295da, 0x545b9bd1, 0x434089cc, 0x4e4987c7,
-0x053eddae, 0x0837d3a5, 0x1f2cc1b8, 0x1225cfb3, 0x311ae582, 0x3c13eb89,
-0x2b08f994, 0x2601f79f, 0xbde64d46, 0xb0ef434d, 0xa7f45150, 0xaafd5f5b,
-0x89c2756a, 0x84cb7b61, 0x93d0697c, 0x9ed96777, 0xd5ae3d1e, 0xd8a73315,
-0xcfbc2108, 0xc2b52f03, 0xe18a0532, 0xec830b39, 0xfb981924, 0xf691172f,
-0xd64d768d, 0xdb447886, 0xcc5f6a9b, 0xc1566490, 0xe2694ea1, 0xef6040aa,
-0xf87b52b7, 0xf5725cbc, 0xbe0506d5, 0xb30c08de, 0xa4171ac3, 0xa91e14c8,
-0x8a213ef9, 0x872830f2, 0x903322ef, 0x9d3a2ce4, 0x06dd963d, 0x0bd49836,
-0x1ccf8a2b, 0x11c68420, 0x32f9ae11, 0x3ff0a01a, 0x28ebb207, 0x25e2bc0c,
-0x6e95e665, 0x639ce86e, 0x7487fa73, 0x798ef478, 0x5ab1de49, 0x57b8d042,
-0x40a3c25f, 0x4daacc54, 0xdaec41f7, 0xd7e54ffc, 0xc0fe5de1, 0xcdf753ea,
-0xeec879db, 0xe3c177d0, 0xf4da65cd, 0xf9d36bc6, 0xb2a431af, 0xbfad3fa4,
-0xa8b62db9, 0xa5bf23b2, 0x86800983, 0x8b890788, 0x9c921595, 0x919b1b9e,
-0x0a7ca147, 0x0775af4c, 0x106ebd51, 0x1d67b35a, 0x3e58996b, 0x33519760,
-0x244a857d, 0x29438b76, 0x6234d11f, 0x6f3ddf14, 0x7826cd09, 0x752fc302,
-0x5610e933, 0x5b19e738, 0x4c02f525, 0x410bfb2e, 0x61d79a8c, 0x6cde9487,
-0x7bc5869a, 0x76cc8891, 0x55f3a2a0, 0x58faacab, 0x4fe1beb6, 0x42e8b0bd,
-0x099fead4, 0x0496e4df, 0x138df6c2, 0x1e84f8c9, 0x3dbbd2f8, 0x30b2dcf3,
-0x27a9ceee, 0x2aa0c0e5, 0xb1477a3c, 0xbc4e7437, 0xab55662a, 0xa65c6821,
-0x85634210, 0x886a4c1b, 0x9f715e06, 0x9278500d, 0xd90f0a64, 0xd406046f,
-0xc31d1672, 0xce141879, 0xed2b3248, 0xe0223c43, 0xf7392e5e, 0xfa302055,
-0xb79aec01, 0xba93e20a, 0xad88f017, 0xa081fe1c, 0x83bed42d, 0x8eb7da26,
-0x99acc83b, 0x94a5c630, 0xdfd29c59, 0xd2db9252, 0xc5c0804f, 0xc8c98e44,
-0xebf6a475, 0xe6ffaa7e, 0xf1e4b863, 0xfcedb668, 0x670a0cb1, 0x6a0302ba,
-0x7d1810a7, 0x70111eac, 0x532e349d, 0x5e273a96, 0x493c288b, 0x44352680,
-0x0f427ce9, 0x024b72e2, 0x155060ff, 0x18596ef4, 0x3b6644c5, 0x366f4ace,
-0x217458d3, 0x2c7d56d8, 0x0ca1377a, 0x01a83971, 0x16b32b6c, 0x1bba2567,
-0x38850f56, 0x358c015d, 0x22971340, 0x2f9e1d4b, 0x64e94722, 0x69e04929,
-0x7efb5b34, 0x73f2553f, 0x50cd7f0e, 0x5dc47105, 0x4adf6318, 0x47d66d13,
-0xdc31d7ca, 0xd138d9c1, 0xc623cbdc, 0xcb2ac5d7, 0xe815efe6, 0xe51ce1ed,
-0xf207f3f0, 0xff0efdfb, 0xb479a792, 0xb970a999, 0xae6bbb84, 0xa362b58f,
-0x805d9fbe, 0x8d5491b5, 0x9a4f83a8, 0x97468da3  
-};
-#else
-static const PRUint32 _IMXC1[256] = 
-{
-0x00000000, 0x0b0e090d, 0x161c121a, 0x1d121b17, 0x2c382434, 0x27362d39,
-0x3a24362e, 0x312a3f23, 0x58704868, 0x537e4165, 0x4e6c5a72, 0x4562537f,
-0x74486c5c, 0x7f466551, 0x62547e46, 0x695a774b, 0xb0e090d0, 0xbbee99dd,
-0xa6fc82ca, 0xadf28bc7, 0x9cd8b4e4, 0x97d6bde9, 0x8ac4a6fe, 0x81caaff3,
-0xe890d8b8, 0xe39ed1b5, 0xfe8ccaa2, 0xf582c3af, 0xc4a8fc8c, 0xcfa6f581,
-0xd2b4ee96, 0xd9bae79b, 0x7bdb3bbb, 0x70d532b6, 0x6dc729a1, 0x66c920ac,
-0x57e31f8f, 0x5ced1682, 0x41ff0d95, 0x4af10498, 0x23ab73d3, 0x28a57ade,
-0x35b761c9, 0x3eb968c4, 0x0f9357e7, 0x049d5eea, 0x198f45fd, 0x12814cf0,
-0xcb3bab6b, 0xc035a266, 0xdd27b971, 0xd629b07c, 0xe7038f5f, 0xec0d8652,
-0xf11f9d45, 0xfa119448, 0x934be303, 0x9845ea0e, 0x8557f119, 0x8e59f814,
-0xbf73c737, 0xb47dce3a, 0xa96fd52d, 0xa261dc20, 0xf6ad766d, 0xfda37f60,
-0xe0b16477, 0xebbf6d7a, 0xda955259, 0xd19b5b54, 0xcc894043, 0xc787494e,
-0xaedd3e05, 0xa5d33708, 0xb8c12c1f, 0xb3cf2512, 0x82e51a31, 0x89eb133c,
-0x94f9082b, 0x9ff70126, 0x464de6bd, 0x4d43efb0, 0x5051f4a7, 0x5b5ffdaa,
-0x6a75c289, 0x617bcb84, 0x7c69d093, 0x7767d99e, 0x1e3daed5, 0x1533a7d8,
-0x0821bccf, 0x032fb5c2, 0x32058ae1, 0x390b83ec, 0x241998fb, 0x2f1791f6,
-0x8d764dd6, 0x867844db, 0x9b6a5fcc, 0x906456c1, 0xa14e69e2, 0xaa4060ef,
-0xb7527bf8, 0xbc5c72f5, 0xd50605be, 0xde080cb3, 0xc31a17a4, 0xc8141ea9,
-0xf93e218a, 0xf2302887, 0xef223390, 0xe42c3a9d, 0x3d96dd06, 0x3698d40b,
-0x2b8acf1c, 0x2084c611, 0x11aef932, 0x1aa0f03f, 0x07b2eb28, 0x0cbce225,
-0x65e6956e, 0x6ee89c63, 0x73fa8774, 0x78f48e79, 0x49deb15a, 0x42d0b857,
-0x5fc2a340, 0x54ccaa4d, 0xf741ecda, 0xfc4fe5d7, 0xe15dfec0, 0xea53f7cd,
-0xdb79c8ee, 0xd077c1e3, 0xcd65daf4, 0xc66bd3f9, 0xaf31a4b2, 0xa43fadbf,
-0xb92db6a8, 0xb223bfa5, 0x83098086, 0x8807898b, 0x9515929c, 0x9e1b9b91,
-0x47a17c0a, 0x4caf7507, 0x51bd6e10, 0x5ab3671d, 0x6b99583e, 0x60975133,
-0x7d854a24, 0x768b4329, 0x1fd13462, 0x14df3d6f, 0x09cd2678, 0x02c32f75,
-0x33e91056, 0x38e7195b, 0x25f5024c, 0x2efb0b41, 0x8c9ad761, 0x8794de6c,
-0x9a86c57b, 0x9188cc76, 0xa0a2f355, 0xabacfa58, 0xb6bee14f, 0xbdb0e842,
-0xd4ea9f09, 0xdfe49604, 0xc2f68d13, 0xc9f8841e, 0xf8d2bb3d, 0xf3dcb230,
-0xeecea927, 0xe5c0a02a, 0x3c7a47b1, 0x37744ebc, 0x2a6655ab, 0x21685ca6,
-0x10426385, 0x1b4c6a88, 0x065e719f, 0x0d507892, 0x640a0fd9, 0x6f0406d4,
-0x72161dc3, 0x791814ce, 0x48322bed, 0x433c22e0, 0x5e2e39f7, 0x552030fa,
-0x01ec9ab7, 0x0ae293ba, 0x17f088ad, 0x1cfe81a0, 0x2dd4be83, 0x26dab78e,
-0x3bc8ac99, 0x30c6a594, 0x599cd2df, 0x5292dbd2, 0x4f80c0c5, 0x448ec9c8,
-0x75a4f6eb, 0x7eaaffe6, 0x63b8e4f1, 0x68b6edfc, 0xb10c0a67, 0xba02036a,
-0xa710187d, 0xac1e1170, 0x9d342e53, 0x963a275e, 0x8b283c49, 0x80263544,
-0xe97c420f, 0xe2724b02, 0xff605015, 0xf46e5918, 0xc544663b, 0xce4a6f36,
-0xd3587421, 0xd8567d2c, 0x7a37a10c, 0x7139a801, 0x6c2bb316, 0x6725ba1b,
-0x560f8538, 0x5d018c35, 0x40139722, 0x4b1d9e2f, 0x2247e964, 0x2949e069,
-0x345bfb7e, 0x3f55f273, 0x0e7fcd50, 0x0571c45d, 0x1863df4a, 0x136dd647,
-0xcad731dc, 0xc1d938d1, 0xdccb23c6, 0xd7c52acb, 0xe6ef15e8, 0xede11ce5,
-0xf0f307f2, 0xfbfd0eff, 0x92a779b4, 0x99a970b9, 0x84bb6bae, 0x8fb562a3,
-0xbe9f5d80, 0xb591548d, 0xa8834f9a, 0xa38d4697  
-};
-#endif
-
-#ifdef IS_LITTLE_ENDIAN
-static const PRUint32 _IMXC2[256] = 
-{
-0x00000000, 0x090e0b0d, 0x121c161a, 0x1b121d17, 0x24382c34, 0x2d362739,
-0x36243a2e, 0x3f2a3123, 0x48705868, 0x417e5365, 0x5a6c4e72, 0x5362457f,
-0x6c48745c, 0x65467f51, 0x7e546246, 0x775a694b, 0x90e0b0d0, 0x99eebbdd,
-0x82fca6ca, 0x8bf2adc7, 0xb4d89ce4, 0xbdd697e9, 0xa6c48afe, 0xafca81f3,
-0xd890e8b8, 0xd19ee3b5, 0xca8cfea2, 0xc382f5af, 0xfca8c48c, 0xf5a6cf81,
-0xeeb4d296, 0xe7bad99b, 0x3bdb7bbb, 0x32d570b6, 0x29c76da1, 0x20c966ac,
-0x1fe3578f, 0x16ed5c82, 0x0dff4195, 0x04f14a98, 0x73ab23d3, 0x7aa528de,
-0x61b735c9, 0x68b93ec4, 0x57930fe7, 0x5e9d04ea, 0x458f19fd, 0x4c8112f0,
-0xab3bcb6b, 0xa235c066, 0xb927dd71, 0xb029d67c, 0x8f03e75f, 0x860dec52,
-0x9d1ff145, 0x9411fa48, 0xe34b9303, 0xea45980e, 0xf1578519, 0xf8598e14,
-0xc773bf37, 0xce7db43a, 0xd56fa92d, 0xdc61a220, 0x76adf66d, 0x7fa3fd60,
-0x64b1e077, 0x6dbfeb7a, 0x5295da59, 0x5b9bd154, 0x4089cc43, 0x4987c74e,
-0x3eddae05, 0x37d3a508, 0x2cc1b81f, 0x25cfb312, 0x1ae58231, 0x13eb893c,
-0x08f9942b, 0x01f79f26, 0xe64d46bd, 0xef434db0, 0xf45150a7, 0xfd5f5baa,
-0xc2756a89, 0xcb7b6184, 0xd0697c93, 0xd967779e, 0xae3d1ed5, 0xa73315d8,
-0xbc2108cf, 0xb52f03c2, 0x8a0532e1, 0x830b39ec, 0x981924fb, 0x91172ff6,
-0x4d768dd6, 0x447886db, 0x5f6a9bcc, 0x566490c1, 0x694ea1e2, 0x6040aaef,
-0x7b52b7f8, 0x725cbcf5, 0x0506d5be, 0x0c08deb3, 0x171ac3a4, 0x1e14c8a9,
-0x213ef98a, 0x2830f287, 0x3322ef90, 0x3a2ce49d, 0xdd963d06, 0xd498360b,
-0xcf8a2b1c, 0xc6842011, 0xf9ae1132, 0xf0a01a3f, 0xebb20728, 0xe2bc0c25,
-0x95e6656e, 0x9ce86e63, 0x87fa7374, 0x8ef47879, 0xb1de495a, 0xb8d04257,
-0xa3c25f40, 0xaacc544d, 0xec41f7da, 0xe54ffcd7, 0xfe5de1c0, 0xf753eacd,
-0xc879dbee, 0xc177d0e3, 0xda65cdf4, 0xd36bc6f9, 0xa431afb2, 0xad3fa4bf,
-0xb62db9a8, 0xbf23b2a5, 0x80098386, 0x8907888b, 0x9215959c, 0x9b1b9e91,
-0x7ca1470a, 0x75af4c07, 0x6ebd5110, 0x67b35a1d, 0x58996b3e, 0x51976033,
-0x4a857d24, 0x438b7629, 0x34d11f62, 0x3ddf146f, 0x26cd0978, 0x2fc30275,
-0x10e93356, 0x19e7385b, 0x02f5254c, 0x0bfb2e41, 0xd79a8c61, 0xde94876c,
-0xc5869a7b, 0xcc889176, 0xf3a2a055, 0xfaacab58, 0xe1beb64f, 0xe8b0bd42,
-0x9fead409, 0x96e4df04, 0x8df6c213, 0x84f8c91e, 0xbbd2f83d, 0xb2dcf330,
-0xa9ceee27, 0xa0c0e52a, 0x477a3cb1, 0x4e7437bc, 0x55662aab, 0x5c6821a6,
-0x63421085, 0x6a4c1b88, 0x715e069f, 0x78500d92, 0x0f0a64d9, 0x06046fd4,
-0x1d1672c3, 0x141879ce, 0x2b3248ed, 0x223c43e0, 0x392e5ef7, 0x302055fa,
-0x9aec01b7, 0x93e20aba, 0x88f017ad, 0x81fe1ca0, 0xbed42d83, 0xb7da268e,
-0xacc83b99, 0xa5c63094, 0xd29c59df, 0xdb9252d2, 0xc0804fc5, 0xc98e44c8,
-0xf6a475eb, 0xffaa7ee6, 0xe4b863f1, 0xedb668fc, 0x0a0cb167, 0x0302ba6a,
-0x1810a77d, 0x111eac70, 0x2e349d53, 0x273a965e, 0x3c288b49, 0x35268044,
-0x427ce90f, 0x4b72e202, 0x5060ff15, 0x596ef418, 0x6644c53b, 0x6f4ace36,
-0x7458d321, 0x7d56d82c, 0xa1377a0c, 0xa8397101, 0xb32b6c16, 0xba25671b,
-0x850f5638, 0x8c015d35, 0x97134022, 0x9e1d4b2f, 0xe9472264, 0xe0492969,
-0xfb5b347e, 0xf2553f73, 0xcd7f0e50, 0xc471055d, 0xdf63184a, 0xd66d1347,
-0x31d7cadc, 0x38d9c1d1, 0x23cbdcc6, 0x2ac5d7cb, 0x15efe6e8, 0x1ce1ede5,
-0x07f3f0f2, 0x0efdfbff, 0x79a792b4, 0x70a999b9, 0x6bbb84ae, 0x62b58fa3,
-0x5d9fbe80, 0x5491b58d, 0x4f83a89a, 0x468da397  
-};
-#else
-static const PRUint32 _IMXC2[256] = 
-{
-0x00000000, 0x0d0b0e09, 0x1a161c12, 0x171d121b, 0x342c3824, 0x3927362d,
-0x2e3a2436, 0x23312a3f, 0x68587048, 0x65537e41, 0x724e6c5a, 0x7f456253,
-0x5c74486c, 0x517f4665, 0x4662547e, 0x4b695a77, 0xd0b0e090, 0xddbbee99,
-0xcaa6fc82, 0xc7adf28b, 0xe49cd8b4, 0xe997d6bd, 0xfe8ac4a6, 0xf381caaf,
-0xb8e890d8, 0xb5e39ed1, 0xa2fe8cca, 0xaff582c3, 0x8cc4a8fc, 0x81cfa6f5,
-0x96d2b4ee, 0x9bd9bae7, 0xbb7bdb3b, 0xb670d532, 0xa16dc729, 0xac66c920,
-0x8f57e31f, 0x825ced16, 0x9541ff0d, 0x984af104, 0xd323ab73, 0xde28a57a,
-0xc935b761, 0xc43eb968, 0xe70f9357, 0xea049d5e, 0xfd198f45, 0xf012814c,
-0x6bcb3bab, 0x66c035a2, 0x71dd27b9, 0x7cd629b0, 0x5fe7038f, 0x52ec0d86,
-0x45f11f9d, 0x48fa1194, 0x03934be3, 0x0e9845ea, 0x198557f1, 0x148e59f8,
-0x37bf73c7, 0x3ab47dce, 0x2da96fd5, 0x20a261dc, 0x6df6ad76, 0x60fda37f,
-0x77e0b164, 0x7aebbf6d, 0x59da9552, 0x54d19b5b, 0x43cc8940, 0x4ec78749,
-0x05aedd3e, 0x08a5d337, 0x1fb8c12c, 0x12b3cf25, 0x3182e51a, 0x3c89eb13,
-0x2b94f908, 0x269ff701, 0xbd464de6, 0xb04d43ef, 0xa75051f4, 0xaa5b5ffd,
-0x896a75c2, 0x84617bcb, 0x937c69d0, 0x9e7767d9, 0xd51e3dae, 0xd81533a7,
-0xcf0821bc, 0xc2032fb5, 0xe132058a, 0xec390b83, 0xfb241998, 0xf62f1791,
-0xd68d764d, 0xdb867844, 0xcc9b6a5f, 0xc1906456, 0xe2a14e69, 0xefaa4060,
-0xf8b7527b, 0xf5bc5c72, 0xbed50605, 0xb3de080c, 0xa4c31a17, 0xa9c8141e,
-0x8af93e21, 0x87f23028, 0x90ef2233, 0x9de42c3a, 0x063d96dd, 0x0b3698d4,
-0x1c2b8acf, 0x112084c6, 0x3211aef9, 0x3f1aa0f0, 0x2807b2eb, 0x250cbce2,
-0x6e65e695, 0x636ee89c, 0x7473fa87, 0x7978f48e, 0x5a49deb1, 0x5742d0b8,
-0x405fc2a3, 0x4d54ccaa, 0xdaf741ec, 0xd7fc4fe5, 0xc0e15dfe, 0xcdea53f7,
-0xeedb79c8, 0xe3d077c1, 0xf4cd65da, 0xf9c66bd3, 0xb2af31a4, 0xbfa43fad,
-0xa8b92db6, 0xa5b223bf, 0x86830980, 0x8b880789, 0x9c951592, 0x919e1b9b,
-0x0a47a17c, 0x074caf75, 0x1051bd6e, 0x1d5ab367, 0x3e6b9958, 0x33609751,
-0x247d854a, 0x29768b43, 0x621fd134, 0x6f14df3d, 0x7809cd26, 0x7502c32f,
-0x5633e910, 0x5b38e719, 0x4c25f502, 0x412efb0b, 0x618c9ad7, 0x6c8794de,
-0x7b9a86c5, 0x769188cc, 0x55a0a2f3, 0x58abacfa, 0x4fb6bee1, 0x42bdb0e8,
-0x09d4ea9f, 0x04dfe496, 0x13c2f68d, 0x1ec9f884, 0x3df8d2bb, 0x30f3dcb2,
-0x27eecea9, 0x2ae5c0a0, 0xb13c7a47, 0xbc37744e, 0xab2a6655, 0xa621685c,
-0x85104263, 0x881b4c6a, 0x9f065e71, 0x920d5078, 0xd9640a0f, 0xd46f0406,
-0xc372161d, 0xce791814, 0xed48322b, 0xe0433c22, 0xf75e2e39, 0xfa552030,
-0xb701ec9a, 0xba0ae293, 0xad17f088, 0xa01cfe81, 0x832dd4be, 0x8e26dab7,
-0x993bc8ac, 0x9430c6a5, 0xdf599cd2, 0xd25292db, 0xc54f80c0, 0xc8448ec9,
-0xeb75a4f6, 0xe67eaaff, 0xf163b8e4, 0xfc68b6ed, 0x67b10c0a, 0x6aba0203,
-0x7da71018, 0x70ac1e11, 0x539d342e, 0x5e963a27, 0x498b283c, 0x44802635,
-0x0fe97c42, 0x02e2724b, 0x15ff6050, 0x18f46e59, 0x3bc54466, 0x36ce4a6f,
-0x21d35874, 0x2cd8567d, 0x0c7a37a1, 0x017139a8, 0x166c2bb3, 0x1b6725ba,
-0x38560f85, 0x355d018c, 0x22401397, 0x2f4b1d9e, 0x642247e9, 0x692949e0,
-0x7e345bfb, 0x733f55f2, 0x500e7fcd, 0x5d0571c4, 0x4a1863df, 0x47136dd6,
-0xdccad731, 0xd1c1d938, 0xc6dccb23, 0xcbd7c52a, 0xe8e6ef15, 0xe5ede11c,
-0xf2f0f307, 0xfffbfd0e, 0xb492a779, 0xb999a970, 0xae84bb6b, 0xa38fb562,
-0x80be9f5d, 0x8db59154, 0x9aa8834f, 0x97a38d46  
-};
-#endif
-
-#ifdef IS_LITTLE_ENDIAN
-static const PRUint32 _IMXC3[256] = 
-{
-0x00000000, 0x0e0b0d09, 0x1c161a12, 0x121d171b, 0x382c3424, 0x3627392d,
-0x243a2e36, 0x2a31233f, 0x70586848, 0x7e536541, 0x6c4e725a, 0x62457f53,
-0x48745c6c, 0x467f5165, 0x5462467e, 0x5a694b77, 0xe0b0d090, 0xeebbdd99,
-0xfca6ca82, 0xf2adc78b, 0xd89ce4b4, 0xd697e9bd, 0xc48afea6, 0xca81f3af,
-0x90e8b8d8, 0x9ee3b5d1, 0x8cfea2ca, 0x82f5afc3, 0xa8c48cfc, 0xa6cf81f5,
-0xb4d296ee, 0xbad99be7, 0xdb7bbb3b, 0xd570b632, 0xc76da129, 0xc966ac20,
-0xe3578f1f, 0xed5c8216, 0xff41950d, 0xf14a9804, 0xab23d373, 0xa528de7a,
-0xb735c961, 0xb93ec468, 0x930fe757, 0x9d04ea5e, 0x8f19fd45, 0x8112f04c,
-0x3bcb6bab, 0x35c066a2, 0x27dd71b9, 0x29d67cb0, 0x03e75f8f, 0x0dec5286,
-0x1ff1459d, 0x11fa4894, 0x4b9303e3, 0x45980eea, 0x578519f1, 0x598e14f8,
-0x73bf37c7, 0x7db43ace, 0x6fa92dd5, 0x61a220dc, 0xadf66d76, 0xa3fd607f,
-0xb1e07764, 0xbfeb7a6d, 0x95da5952, 0x9bd1545b, 0x89cc4340, 0x87c74e49,
-0xddae053e, 0xd3a50837, 0xc1b81f2c, 0xcfb31225, 0xe582311a, 0xeb893c13,
-0xf9942b08, 0xf79f2601, 0x4d46bde6, 0x434db0ef, 0x5150a7f4, 0x5f5baafd,
-0x756a89c2, 0x7b6184cb, 0x697c93d0, 0x67779ed9, 0x3d1ed5ae, 0x3315d8a7,
-0x2108cfbc, 0x2f03c2b5, 0x0532e18a, 0x0b39ec83, 0x1924fb98, 0x172ff691,
-0x768dd64d, 0x7886db44, 0x6a9bcc5f, 0x6490c156, 0x4ea1e269, 0x40aaef60,
-0x52b7f87b, 0x5cbcf572, 0x06d5be05, 0x08deb30c, 0x1ac3a417, 0x14c8a91e,
-0x3ef98a21, 0x30f28728, 0x22ef9033, 0x2ce49d3a, 0x963d06dd, 0x98360bd4,
-0x8a2b1ccf, 0x842011c6, 0xae1132f9, 0xa01a3ff0, 0xb20728eb, 0xbc0c25e2,
-0xe6656e95, 0xe86e639c, 0xfa737487, 0xf478798e, 0xde495ab1, 0xd04257b8,
-0xc25f40a3, 0xcc544daa, 0x41f7daec, 0x4ffcd7e5, 0x5de1c0fe, 0x53eacdf7,
-0x79dbeec8, 0x77d0e3c1, 0x65cdf4da, 0x6bc6f9d3, 0x31afb2a4, 0x3fa4bfad,
-0x2db9a8b6, 0x23b2a5bf, 0x09838680, 0x07888b89, 0x15959c92, 0x1b9e919b,
-0xa1470a7c, 0xaf4c0775, 0xbd51106e, 0xb35a1d67, 0x996b3e58, 0x97603351,
-0x857d244a, 0x8b762943, 0xd11f6234, 0xdf146f3d, 0xcd097826, 0xc302752f,
-0xe9335610, 0xe7385b19, 0xf5254c02, 0xfb2e410b, 0x9a8c61d7, 0x94876cde,
-0x869a7bc5, 0x889176cc, 0xa2a055f3, 0xacab58fa, 0xbeb64fe1, 0xb0bd42e8,
-0xead4099f, 0xe4df0496, 0xf6c2138d, 0xf8c91e84, 0xd2f83dbb, 0xdcf330b2,
-0xceee27a9, 0xc0e52aa0, 0x7a3cb147, 0x7437bc4e, 0x662aab55, 0x6821a65c,
-0x42108563, 0x4c1b886a, 0x5e069f71, 0x500d9278, 0x0a64d90f, 0x046fd406,
-0x1672c31d, 0x1879ce14, 0x3248ed2b, 0x3c43e022, 0x2e5ef739, 0x2055fa30,
-0xec01b79a, 0xe20aba93, 0xf017ad88, 0xfe1ca081, 0xd42d83be, 0xda268eb7,
-0xc83b99ac, 0xc63094a5, 0x9c59dfd2, 0x9252d2db, 0x804fc5c0, 0x8e44c8c9,
-0xa475ebf6, 0xaa7ee6ff, 0xb863f1e4, 0xb668fced, 0x0cb1670a, 0x02ba6a03,
-0x10a77d18, 0x1eac7011, 0x349d532e, 0x3a965e27, 0x288b493c, 0x26804435,
-0x7ce90f42, 0x72e2024b, 0x60ff1550, 0x6ef41859, 0x44c53b66, 0x4ace366f,
-0x58d32174, 0x56d82c7d, 0x377a0ca1, 0x397101a8, 0x2b6c16b3, 0x25671bba,
-0x0f563885, 0x015d358c, 0x13402297, 0x1d4b2f9e, 0x472264e9, 0x492969e0,
-0x5b347efb, 0x553f73f2, 0x7f0e50cd, 0x71055dc4, 0x63184adf, 0x6d1347d6,
-0xd7cadc31, 0xd9c1d138, 0xcbdcc623, 0xc5d7cb2a, 0xefe6e815, 0xe1ede51c,
-0xf3f0f207, 0xfdfbff0e, 0xa792b479, 0xa999b970, 0xbb84ae6b, 0xb58fa362,
-0x9fbe805d, 0x91b58d54, 0x83a89a4f, 0x8da39746  
-};
-#else
-static const PRUint32 _IMXC3[256] = 
-{
-0x00000000, 0x090d0b0e, 0x121a161c, 0x1b171d12, 0x24342c38, 0x2d392736,
-0x362e3a24, 0x3f23312a, 0x48685870, 0x4165537e, 0x5a724e6c, 0x537f4562,
-0x6c5c7448, 0x65517f46, 0x7e466254, 0x774b695a, 0x90d0b0e0, 0x99ddbbee,
-0x82caa6fc, 0x8bc7adf2, 0xb4e49cd8, 0xbde997d6, 0xa6fe8ac4, 0xaff381ca,
-0xd8b8e890, 0xd1b5e39e, 0xcaa2fe8c, 0xc3aff582, 0xfc8cc4a8, 0xf581cfa6,
-0xee96d2b4, 0xe79bd9ba, 0x3bbb7bdb, 0x32b670d5, 0x29a16dc7, 0x20ac66c9,
-0x1f8f57e3, 0x16825ced, 0x0d9541ff, 0x04984af1, 0x73d323ab, 0x7ade28a5,
-0x61c935b7, 0x68c43eb9, 0x57e70f93, 0x5eea049d, 0x45fd198f, 0x4cf01281,
-0xab6bcb3b, 0xa266c035, 0xb971dd27, 0xb07cd629, 0x8f5fe703, 0x8652ec0d,
-0x9d45f11f, 0x9448fa11, 0xe303934b, 0xea0e9845, 0xf1198557, 0xf8148e59,
-0xc737bf73, 0xce3ab47d, 0xd52da96f, 0xdc20a261, 0x766df6ad, 0x7f60fda3,
-0x6477e0b1, 0x6d7aebbf, 0x5259da95, 0x5b54d19b, 0x4043cc89, 0x494ec787,
-0x3e05aedd, 0x3708a5d3, 0x2c1fb8c1, 0x2512b3cf, 0x1a3182e5, 0x133c89eb,
-0x082b94f9, 0x01269ff7, 0xe6bd464d, 0xefb04d43, 0xf4a75051, 0xfdaa5b5f,
-0xc2896a75, 0xcb84617b, 0xd0937c69, 0xd99e7767, 0xaed51e3d, 0xa7d81533,
-0xbccf0821, 0xb5c2032f, 0x8ae13205, 0x83ec390b, 0x98fb2419, 0x91f62f17,
-0x4dd68d76, 0x44db8678, 0x5fcc9b6a, 0x56c19064, 0x69e2a14e, 0x60efaa40,
-0x7bf8b752, 0x72f5bc5c, 0x05bed506, 0x0cb3de08, 0x17a4c31a, 0x1ea9c814,
-0x218af93e, 0x2887f230, 0x3390ef22, 0x3a9de42c, 0xdd063d96, 0xd40b3698,
-0xcf1c2b8a, 0xc6112084, 0xf93211ae, 0xf03f1aa0, 0xeb2807b2, 0xe2250cbc,
-0x956e65e6, 0x9c636ee8, 0x877473fa, 0x8e7978f4, 0xb15a49de, 0xb85742d0,
-0xa3405fc2, 0xaa4d54cc, 0xecdaf741, 0xe5d7fc4f, 0xfec0e15d, 0xf7cdea53,
-0xc8eedb79, 0xc1e3d077, 0xdaf4cd65, 0xd3f9c66b, 0xa4b2af31, 0xadbfa43f,
-0xb6a8b92d, 0xbfa5b223, 0x80868309, 0x898b8807, 0x929c9515, 0x9b919e1b,
-0x7c0a47a1, 0x75074caf, 0x6e1051bd, 0x671d5ab3, 0x583e6b99, 0x51336097,
-0x4a247d85, 0x4329768b, 0x34621fd1, 0x3d6f14df, 0x267809cd, 0x2f7502c3,
-0x105633e9, 0x195b38e7, 0x024c25f5, 0x0b412efb, 0xd7618c9a, 0xde6c8794,
-0xc57b9a86, 0xcc769188, 0xf355a0a2, 0xfa58abac, 0xe14fb6be, 0xe842bdb0,
-0x9f09d4ea, 0x9604dfe4, 0x8d13c2f6, 0x841ec9f8, 0xbb3df8d2, 0xb230f3dc,
-0xa927eece, 0xa02ae5c0, 0x47b13c7a, 0x4ebc3774, 0x55ab2a66, 0x5ca62168,
-0x63851042, 0x6a881b4c, 0x719f065e, 0x78920d50, 0x0fd9640a, 0x06d46f04,
-0x1dc37216, 0x14ce7918, 0x2bed4832, 0x22e0433c, 0x39f75e2e, 0x30fa5520,
-0x9ab701ec, 0x93ba0ae2, 0x88ad17f0, 0x81a01cfe, 0xbe832dd4, 0xb78e26da,
-0xac993bc8, 0xa59430c6, 0xd2df599c, 0xdbd25292, 0xc0c54f80, 0xc9c8448e,
-0xf6eb75a4, 0xffe67eaa, 0xe4f163b8, 0xedfc68b6, 0x0a67b10c, 0x036aba02,
-0x187da710, 0x1170ac1e, 0x2e539d34, 0x275e963a, 0x3c498b28, 0x35448026,
-0x420fe97c, 0x4b02e272, 0x5015ff60, 0x5918f46e, 0x663bc544, 0x6f36ce4a,
-0x7421d358, 0x7d2cd856, 0xa10c7a37, 0xa8017139, 0xb3166c2b, 0xba1b6725,
-0x8538560f, 0x8c355d01, 0x97224013, 0x9e2f4b1d, 0xe9642247, 0xe0692949,
-0xfb7e345b, 0xf2733f55, 0xcd500e7f, 0xc45d0571, 0xdf4a1863, 0xd647136d,
-0x31dccad7, 0x38d1c1d9, 0x23c6dccb, 0x2acbd7c5, 0x15e8e6ef, 0x1ce5ede1,
-0x07f2f0f3, 0x0efffbfd, 0x79b492a7, 0x70b999a9, 0x6bae84bb, 0x62a38fb5,
-0x5d80be9f, 0x548db591, 0x4f9aa883, 0x4697a38d  
-};
-#endif
-
-#endif /* RIJNDAEL_INCLUDE_TABLES */
-
-#ifdef IS_LITTLE_ENDIAN
-static const PRUint32 Rcon[30] = {
-0x00000001, 0x00000002, 0x00000004, 0x00000008, 0x00000010, 0x00000020,
-0x00000040, 0x00000080, 0x0000001b, 0x00000036, 0x0000006c, 0x000000d8,
-0x000000ab, 0x0000004d, 0x0000009a, 0x0000002f, 0x0000005e, 0x000000bc,
-0x00000063, 0x000000c6, 0x00000097, 0x00000035, 0x0000006a, 0x000000d4,
-0x000000b3, 0x0000007d, 0x000000fa, 0x000000ef, 0x000000c5, 0x00000091 
-};
-#else
-static const PRUint32 Rcon[30] = {
-0x01000000, 0x02000000, 0x04000000, 0x08000000, 0x10000000, 0x20000000,
-0x40000000, 0x80000000, 0x1b000000, 0x36000000, 0x6c000000, 0xd8000000,
-0xab000000, 0x4d000000, 0x9a000000, 0x2f000000, 0x5e000000, 0xbc000000,
-0x63000000, 0xc6000000, 0x97000000, 0x35000000, 0x6a000000, 0xd4000000,
-0xb3000000, 0x7d000000, 0xfa000000, 0xef000000, 0xc5000000, 0x91000000 
-};
-#endif
-
diff --git a/security/nss/lib/freebl/rijndael_tables.c b/security/nss/lib/freebl/rijndael_tables.c
deleted file mode 100644
index e2ebdeec6..000000000
--- a/security/nss/lib/freebl/rijndael_tables.c
+++ /dev/null
@@ -1,246 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "stdio.h"
-#include "prtypes.h"
-#include "blapi.h"
-
-/*
- * what follows is code thrown together to generate the myriad of tables
- * used by Rijndael, the AES cipher.
- */
-
-
-#define WORD_LE(b0, b1, b2, b3) \
-    (((b3) << 24) | ((b2) << 16) | ((b1) << 8) | b0)
-
-#define WORD_BE(b0, b1, b2, b3) \
-    (((b0) << 24) | ((b1) << 16) | ((b2) << 8) | b3)
-
-static const PRUint8 __S[256] = 
-{
- 99, 124, 119, 123, 242, 107, 111, 197,  48,   1, 103,  43, 254, 215, 171, 118, 
-202, 130, 201, 125, 250,  89,  71, 240, 173, 212, 162, 175, 156, 164, 114, 192, 
-183, 253, 147,  38,  54,  63, 247, 204,  52, 165, 229, 241, 113, 216,  49,  21, 
-  4, 199,  35, 195,  24, 150,   5, 154,   7,  18, 128, 226, 235,  39, 178, 117, 
-  9, 131,  44,  26,  27, 110,  90, 160,  82,  59, 214, 179,  41, 227,  47, 132, 
- 83, 209,   0, 237,  32, 252, 177,  91, 106, 203, 190,  57,  74,  76,  88, 207, 
-208, 239, 170, 251,  67,  77,  51, 133,  69, 249,   2, 127,  80,  60, 159, 168, 
- 81, 163,  64, 143, 146, 157,  56, 245, 188, 182, 218,  33,  16, 255, 243, 210, 
-205,  12,  19, 236,  95, 151,  68,  23, 196, 167, 126,  61, 100,  93,  25, 115, 
- 96, 129,  79, 220,  34,  42, 144, 136,  70, 238, 184,  20, 222,  94,  11, 219, 
-224,  50,  58,  10,  73,   6,  36,  92, 194, 211, 172,  98, 145, 149, 228, 121, 
-231, 200,  55, 109, 141, 213,  78, 169, 108,  86, 244, 234, 101, 122, 174,   8, 
-186, 120,  37,  46,  28, 166, 180, 198, 232, 221, 116,  31,  75, 189, 139, 138, 
-112,  62, 181, 102,  72,   3, 246,  14,  97,  53,  87, 185, 134, 193,  29, 158, 
-225, 248, 152,  17, 105, 217, 142, 148, 155,  30, 135, 233, 206,  85,  40, 223, 
-140, 161, 137,  13, 191, 230,  66, 104,  65, 153,  45,  15, 176,  84, 187,  22, 
-};
-
-static const PRUint8 __SInv[256] = 
-{
- 82,   9, 106, 213,  48,  54, 165,  56, 191,  64, 163, 158, 129, 243, 215, 251, 
-124, 227,  57, 130, 155,  47, 255, 135,  52, 142,  67,  68, 196, 222, 233, 203, 
- 84, 123, 148,  50, 166, 194,  35,  61, 238,  76, 149,  11,  66, 250, 195,  78, 
-  8,  46, 161, 102,  40, 217,  36, 178, 118,  91, 162,  73, 109, 139, 209,  37, 
-114, 248, 246, 100, 134, 104, 152,  22, 212, 164,  92, 204,  93, 101, 182, 146, 
-108, 112,  72,  80, 253, 237, 185, 218,  94,  21,  70,  87, 167, 141, 157, 132, 
-144, 216, 171,   0, 140, 188, 211,  10, 247, 228,  88,   5, 184, 179,  69,   6, 
-208,  44,  30, 143, 202,  63,  15,   2, 193, 175, 189,   3,   1,  19, 138, 107, 
- 58, 145,  17,  65,  79, 103, 220, 234, 151, 242, 207, 206, 240, 180, 230, 115, 
-150, 172, 116,  34, 231, 173,  53, 133, 226, 249,  55, 232,  28, 117, 223, 110, 
- 71, 241,  26, 113,  29,  41, 197, 137, 111, 183,  98,  14, 170,  24, 190,  27, 
-252,  86,  62,  75, 198, 210, 121,  32, 154, 219, 192, 254, 120, 205,  90, 244, 
- 31, 221, 168,  51, 136,   7, 199,  49, 177,  18,  16,  89,  39, 128, 236,  95, 
- 96,  81, 127, 169,  25, 181,  74,  13,  45, 229, 122, 159, 147, 201, 156, 239, 
-160, 224,  59,  77, 174,  42, 245, 176, 200, 235, 187,  60, 131,  83, 153,  97, 
- 23,  43,   4, 126, 186, 119, 214,  38, 225, 105,  20,  99,  85,  33,  12, 125
-};
-
-/* GF_MULTIPLY
- *
- * multiply two bytes represented in GF(2**8), mod (x**4 + 1)
- */
-PRUint8 gf_multiply(PRUint8 a, PRUint8 b)
-{
-    PRUint8 res = 0;
-    while (b > 0) {
-	res = (b & 0x01) ? res ^ a : res;
-	a = (a & 0x80) ? ((a << 1) ^ 0x1b) : (a << 1);
-	b >>= 1;
-    }
-    return res;
-}
-
-void
-make_T_Table(char *table, const PRUint8 Sx[256], FILE *file,
-             unsigned char m0, unsigned char m1, 
-             unsigned char m2, unsigned char m3)
-{
-    PRUint32 Ti;
-    int i;
-    fprintf(file, "#ifdef IS_LITTLE_ENDIAN\n");
-    fprintf(file, "static const PRUint32 _T%s[256] = \n{\n", table);
-    for (i=0; i<256; i++) {
-	Ti = WORD_LE( gf_multiply(Sx[i], m0),
-	              gf_multiply(Sx[i], m1),
-	              gf_multiply(Sx[i], m2),
-	              gf_multiply(Sx[i], m3) );
-	if (Ti == 0)
-	    fprintf(file, "0x00000000%c%c", (i==255)?' ':',',
-	                                    (i%6==5)?'\n':' ');
-	else
-	    fprintf(file, "%#.8x%c%c", Ti, (i==255)?' ':',',
-	                                   (i%6==5)?'\n':' ');
-    }
-    fprintf(file, "\n};\n");
-    fprintf(file, "#else\n");
-    fprintf(file, "static const PRUint32 _T%s[256] = \n{\n", table);
-    for (i=0; i<256; i++) {
-	Ti = WORD_BE( gf_multiply(Sx[i], m0),
-	              gf_multiply(Sx[i], m1),
-	              gf_multiply(Sx[i], m2),
-	              gf_multiply(Sx[i], m3) );
-	if (Ti == 0)
-	    fprintf(file, "0x00000000%c%c", (i==255)?' ':',',
-	                                    (i%6==5)?'\n':' ');
-	else
-	    fprintf(file, "%#.8x%c%c", Ti, (i==255)?' ':',',
-	                                   (i%6==5)?'\n':' ');
-    }
-    fprintf(file, "\n};\n");
-    fprintf(file, "#endif\n\n");
-}
-
-void make_InvMixCol_Table(int num, FILE *file, PRUint8 m0, PRUint8 m1, PRUint8 m2, PRUint8 m3)
-{
-    PRUint16 i;
-    PRUint8 b0, b1, b2, b3;
-    fprintf(file, "#ifdef IS_LITTLE_ENDIAN\n");
-    fprintf(file, "static const PRUint32 _IMXC%d[256] = \n{\n", num);
-    for (i=0; i<256; i++) {
-	b0 = gf_multiply(i, m0);
-	b1 = gf_multiply(i, m1);
-	b2 = gf_multiply(i, m2);
-	b3 = gf_multiply(i, m3);
-	fprintf(file, "0x%.2x%.2x%.2x%.2x%c%c", b3, b2, b1, b0, (i==255)?' ':',', (i%6==5)?'\n':' ');
-    }
-    fprintf(file, "\n};\n");
-    fprintf(file, "#else\n");
-    fprintf(file, "static const PRUint32 _IMXC%d[256] = \n{\n", num);
-    for (i=0; i<256; i++) {
-	b0 = gf_multiply(i, m0);
-	b1 = gf_multiply(i, m1);
-	b2 = gf_multiply(i, m2);
-	b3 = gf_multiply(i, m3);
-	fprintf(file, "0x%.2x%.2x%.2x%.2x%c%c", b0, b1, b2, b3, (i==255)?' ':',', (i%6==5)?'\n':' ');
-    }
-    fprintf(file, "\n};\n");
-    fprintf(file, "#endif\n\n");
-}
-
-int main()
-{
-    int i, j;
-    PRUint8 cur, last;
-    PRUint32 tmp;
-    FILE *optfile;
-    optfile = fopen("rijndael32.tab", "w");
-    /* output S, if there are no T tables */
-    fprintf(optfile, "#ifndef RIJNDAEL_INCLUDE_TABLES\n");
-    fprintf(optfile, "static const PRUint8 _S[256] = \n{\n");
-    for (i=0; i<256; i++) {
-	fprintf(optfile, "%3d%c%c", __S[i],(i==255)?' ':',', 
-	                            (i%16==15)?'\n':' ');
-    }
-    fprintf(optfile, "};\n#endif /* not RIJNDAEL_INCLUDE_TABLES */\n\n");
-    /* output S**-1 */
-    fprintf(optfile, "static const PRUint8 _SInv[256] = \n{\n");
-    for (i=0; i<256; i++) {
-	fprintf(optfile, "%3d%c%c", __SInv[i],(i==255)?' ':',', 
-	                            (i%16==15)?'\n':' ');
-    }
-    fprintf(optfile, "};\n\n");
-    fprintf(optfile, "#ifdef RIJNDAEL_INCLUDE_TABLES\n");
-    /* The 32-bit word tables for optimized implementation */
-    /* T0 = [ S[a] * 02, S[a], S[a], S[a] * 03 ] */
-    make_T_Table("0", __S, optfile, 0x02, 0x01, 0x01, 0x03);
-    /* T1 = [ S[a] * 03, S[a] * 02, S[a], S[a] ] */
-    make_T_Table("1", __S, optfile, 0x03, 0x02, 0x01, 0x01);
-    /* T2 = [ S[a], S[a] * 03, S[a] * 02, S[a] ] */
-    make_T_Table("2", __S, optfile, 0x01, 0x03, 0x02, 0x01);
-    /* T3 = [ S[a], S[a], S[a] * 03, S[a] * 02 ] */
-    make_T_Table("3", __S, optfile, 0x01, 0x01, 0x03, 0x02);
-    /* TInv0 = [ Si[a] * 0E, Si[a] * 09, Si[a] * 0D, Si[a] * 0B ] */
-    make_T_Table("Inv0", __SInv, optfile, 0x0e, 0x09, 0x0d, 0x0b);
-    /* TInv1 = [ Si[a] * 0B, Si[a] * 0E, Si[a] * 09, Si[a] * 0D ] */
-    make_T_Table("Inv1", __SInv, optfile, 0x0b, 0x0e, 0x09, 0x0d);
-    /* TInv2 = [ Si[a] * 0D, Si[a] * 0B, Si[a] * 0E, Si[a] * 09 ] */
-    make_T_Table("Inv2", __SInv, optfile, 0x0d, 0x0b, 0x0e, 0x09);
-    /* TInv3 = [ Si[a] * 09, Si[a] * 0D, Si[a] * 0B, Si[a] * 0E ] */
-    make_T_Table("Inv3", __SInv, optfile, 0x09, 0x0d, 0x0b, 0x0e);
-    /* byte multiply tables for inverse key expansion (mimics InvMixColumn) */
-    make_InvMixCol_Table(0, optfile, 0x0e, 0x09, 0x0d, 0x0b);
-    make_InvMixCol_Table(1, optfile, 0x0b, 0x0E, 0x09, 0x0d);
-    make_InvMixCol_Table(2, optfile, 0x0d, 0x0b, 0x0e, 0x09);
-    make_InvMixCol_Table(3, optfile, 0x09, 0x0d, 0x0b, 0x0e);
-    fprintf(optfile, "#endif /* RIJNDAEL_INCLUDE_TABLES */\n\n");
-    /* round constants for key expansion */
-    fprintf(optfile, "#ifdef IS_LITTLE_ENDIAN\n");
-    fprintf(optfile, "static const PRUint32 Rcon[30] = {\n");
-    cur = 0x01;
-    for (i=0; i<30; i++) {
-	fprintf(optfile, "%#.8x%c%c", WORD_LE(cur, 0, 0, 0), 
-	                                (i==29)?' ':',', (i%6==5)?'\n':' ');
-	last = cur;
-	cur = gf_multiply(last, 0x02);
-    }
-    fprintf(optfile, "};\n");
-    fprintf(optfile, "#else\n");
-    fprintf(optfile, "static const PRUint32 Rcon[30] = {\n");
-    cur = 0x01;
-    for (i=0; i<30; i++) {
-	fprintf(optfile, "%#.8x%c%c", WORD_BE(cur, 0, 0, 0), 
-	                                (i==29)?' ':',', (i%6==5)?'\n':' ');
-	last = cur;
-	cur = gf_multiply(last, 0x02);
-    }
-    fprintf(optfile, "};\n");
-    fprintf(optfile, "#endif\n\n");
-    fclose(optfile);
-    return 0;
-}
diff --git a/security/nss/lib/freebl/rsa.c b/security/nss/lib/freebl/rsa.c
deleted file mode 100644
index 33d41f1fc..000000000
--- a/security/nss/lib/freebl/rsa.c
+++ /dev/null
@@ -1,960 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * RSA key generation, public key op, private key op.
- *
- * $Id$
- */
-
-#include "secerr.h"
-
-#include "prclist.h"
-#include "nssilock.h"
-#include "prinit.h"
-#include "blapi.h"
-#include "mpi.h"
-#include "mpprime.h"
-#include "mplogic.h"
-#include "secmpi.h"
-#include "secitem.h"
-
-/*
-** Number of times to attempt to generate a prime (p or q) from a random
-** seed (the seed changes for each iteration).
-*/
-#define MAX_PRIME_GEN_ATTEMPTS 10
-/*
-** Number of times to attempt to generate a key.  The primes p and q change
-** for each attempt.
-*/
-#define MAX_KEY_GEN_ATTEMPTS 10
-
-#define MAX_RSA_MODULUS  1024 /* bytes, 8k bits */
-#define MAX_RSA_EXPONENT    8 /* bytes, 64 bits */
-
-/* exponent should not be greater than modulus */
-#define BAD_RSA_KEY_SIZE(modLen, expLen) \
-    ((expLen) > (modLen) || (modLen) > MAX_RSA_MODULUS || \
-    (expLen) > MAX_RSA_EXPONENT)
-
-/*
-** RSABlindingParamsStr
-**
-** For discussion of Paul Kocher's timing attack against an RSA private key
-** operation, see http://www.cryptography.com/timingattack/paper.html.  The 
-** countermeasure to this attack, known as blinding, is also discussed in 
-** the Handbook of Applied Cryptography, 11.118-11.119.
-*/
-struct RSABlindingParamsStr
-{
-    /* Blinding-specific parameters */
-    PRCList   link;                  /* link to list of structs            */
-    SECItem   modulus;               /* list element "key"                 */
-    mp_int    f, g;                  /* Blinding parameters                */
-    int       counter;               /* number of remaining uses of (f, g) */
-};
-
-/*
-** RSABlindingParamsListStr
-**
-** List of key-specific blinding params.  The arena holds the volatile pool
-** of memory for each entry and the list itself.  The lock is for list
-** operations, in this case insertions and iterations, as well as control
-** of the counter for each set of blinding parameters.
-*/
-struct RSABlindingParamsListStr
-{
-    PZLock  *lock;   /* Lock for the list   */
-    PRCList  head;   /* Pointer to the list */
-};
-
-/*
-** The master blinding params list.
-*/
-static struct RSABlindingParamsListStr blindingParamsList = { 0 };
-
-/* Number of times to reuse (f, g).  Suggested by Paul Kocher */
-#define RSA_BLINDING_PARAMS_MAX_REUSE 50
-
-/* Global, allows optional use of blinding.  On by default. */
-/* Cannot be changed at the moment, due to thread-safety issues. */
-static PRBool nssRSAUseBlinding = PR_TRUE;
-
-static SECStatus
-rsa_keygen_from_primes(mp_int *p, mp_int *q, mp_int *e, RSAPrivateKey *key,
-                       unsigned int keySizeInBits)
-{
-    mp_int n, d, phi;
-    mp_int psub1, qsub1, tmp;
-    mp_err   err = MP_OKAY;
-    SECStatus rv = SECSuccess;
-    MP_DIGITS(&n)     = 0;
-    MP_DIGITS(&d)     = 0;
-    MP_DIGITS(&phi)   = 0;
-    MP_DIGITS(&psub1) = 0;
-    MP_DIGITS(&qsub1) = 0;
-    MP_DIGITS(&tmp)   = 0;
-    CHECK_MPI_OK( mp_init(&n)     );
-    CHECK_MPI_OK( mp_init(&d)     );
-    CHECK_MPI_OK( mp_init(&phi)   );
-    CHECK_MPI_OK( mp_init(&psub1) );
-    CHECK_MPI_OK( mp_init(&qsub1) );
-    CHECK_MPI_OK( mp_init(&tmp)   );
-    /* 1.  Compute n = p*q */
-    CHECK_MPI_OK( mp_mul(p, q, &n) );
-    /*     verify that the modulus has the desired number of bits */
-    if ((unsigned)mpl_significant_bits(&n) != keySizeInBits) {
-	PORT_SetError(SEC_ERROR_NEED_RANDOM);
-	rv = SECFailure;
-	goto cleanup;
-    }
-    /* 2.  Compute phi = (p-1)*(q-1) */
-    CHECK_MPI_OK( mp_sub_d(p, 1, &psub1) );
-    CHECK_MPI_OK( mp_sub_d(q, 1, &qsub1) );
-    CHECK_MPI_OK( mp_mul(&psub1, &qsub1, &phi) );
-    /* 3.  Compute d = e**-1 mod(phi) */
-    err = mp_invmod(e, &phi, &d);
-    /*     Verify that phi(n) and e have no common divisors */
-    if (err != MP_OKAY) {
-	if (err == MP_UNDEF) {
-	    PORT_SetError(SEC_ERROR_NEED_RANDOM);
-	    err = MP_OKAY; /* to keep PORT_SetError from being called again */
-	    rv = SECFailure;
-	}
-	goto cleanup;
-    }
-    MPINT_TO_SECITEM(&n, &key->modulus, key->arena);
-    MPINT_TO_SECITEM(&d, &key->privateExponent, key->arena);
-    /* 4.  Compute exponent1 = d mod (p-1) */
-    CHECK_MPI_OK( mp_mod(&d, &psub1, &tmp) );
-    MPINT_TO_SECITEM(&tmp, &key->exponent1, key->arena);
-    /* 5.  Compute exponent2 = d mod (q-1) */
-    CHECK_MPI_OK( mp_mod(&d, &qsub1, &tmp) );
-    MPINT_TO_SECITEM(&tmp, &key->exponent2, key->arena);
-    /* 6.  Compute coefficient = q**-1 mod p */
-    CHECK_MPI_OK( mp_invmod(q, p, &tmp) );
-    MPINT_TO_SECITEM(&tmp, &key->coefficient, key->arena);
-cleanup:
-    mp_clear(&n);
-    mp_clear(&d);
-    mp_clear(&phi);
-    mp_clear(&psub1);
-    mp_clear(&qsub1);
-    mp_clear(&tmp);
-    if (err) {
-	MP_TO_SEC_ERROR(err);
-	rv = SECFailure;
-    }
-    return rv;
-}
-static SECStatus
-generate_prime(mp_int *prime, int primeLen)
-{
-    mp_err   err = MP_OKAY;
-    SECStatus rv = SECSuccess;
-    unsigned long counter = 0;
-    int piter;
-    unsigned char *pb = NULL;
-    pb = PORT_Alloc(primeLen);
-    if (!pb) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto cleanup;
-    }
-    for (piter = 0; piter < MAX_PRIME_GEN_ATTEMPTS; piter++) {
-	CHECK_SEC_OK( RNG_GenerateGlobalRandomBytes(pb, primeLen) );
-	pb[0]          |= 0xC0; /* set two high-order bits */
-	pb[primeLen-1] |= 0x01; /* set low-order bit       */
-	CHECK_MPI_OK( mp_read_unsigned_octets(prime, pb, primeLen) );
-	err = mpp_make_prime(prime, primeLen * 8, PR_FALSE, &counter);
-	if (err != MP_NO)
-	    goto cleanup;
-	/* keep going while err == MP_NO */
-    }
-cleanup:
-    if (pb)
-	PORT_ZFree(pb, primeLen);
-    if (err) {
-	MP_TO_SEC_ERROR(err);
-	rv = SECFailure;
-    }
-    return rv;
-}
-
-/*
-** Generate and return a new RSA public and private key.
-**	Both keys are encoded in a single RSAPrivateKey structure.
-**	"cx" is the random number generator context
-**	"keySizeInBits" is the size of the key to be generated, in bits.
-**	   512, 1024, etc.
-**	"publicExponent" when not NULL is a pointer to some data that
-**	   represents the public exponent to use. The data is a byte
-**	   encoded integer, in "big endian" order.
-*/
-RSAPrivateKey *
-RSA_NewKey(int keySizeInBits, SECItem *publicExponent)
-{
-    unsigned int primeLen;
-    mp_int p, q, e;
-    int kiter;
-    mp_err   err = MP_OKAY;
-    SECStatus rv = SECSuccess;
-    int prerr = 0;
-    RSAPrivateKey *key = NULL;
-    PRArenaPool *arena = NULL;
-    /* Require key size to be a multiple of 16 bits. */
-    if (!publicExponent || keySizeInBits % 16 != 0 ||
-	    BAD_RSA_KEY_SIZE(keySizeInBits/8, publicExponent->len)) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return NULL;
-    }
-    /* 1. Allocate arena & key */
-    arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);
-    if (!arena) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-    key = (RSAPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(RSAPrivateKey));
-    if (!key) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	PORT_FreeArena(arena, PR_TRUE);
-	return NULL;
-    }
-    key->arena = arena;
-    /* length of primes p and q (in bytes) */
-    primeLen = keySizeInBits / (2 * BITS_PER_BYTE);
-    MP_DIGITS(&p) = 0;
-    MP_DIGITS(&q) = 0;
-    MP_DIGITS(&e) = 0;
-    CHECK_MPI_OK( mp_init(&p) );
-    CHECK_MPI_OK( mp_init(&q) );
-    CHECK_MPI_OK( mp_init(&e) );
-    /* 2.  Set the version number (PKCS1 v1.5 says it should be zero) */
-    SECITEM_AllocItem(arena, &key->version, 1);
-    key->version.data[0] = 0;
-    /* 3.  Set the public exponent */
-    SECITEM_CopyItem(arena, &key->publicExponent, publicExponent);
-    SECITEM_TO_MPINT(*publicExponent, &e);
-    kiter = 0;
-    do {
-	prerr = 0;
-	PORT_SetError(0);
-	CHECK_SEC_OK( generate_prime(&p, primeLen) );
-	CHECK_SEC_OK( generate_prime(&q, primeLen) );
-	/* Assure q < p */
-	if (mp_cmp(&p, &q) < 0)
-	    mp_exch(&p, &q);
-	/* Attempt to use these primes to generate a key */
-	rv = rsa_keygen_from_primes(&p, &q, &e, key, keySizeInBits);
-	if (rv == SECSuccess)
-	    break; /* generated two good primes */
-	prerr = PORT_GetError();
-	kiter++;
-	/* loop until have primes */
-    } while (prerr == SEC_ERROR_NEED_RANDOM && kiter < MAX_KEY_GEN_ATTEMPTS);
-    if (prerr)
-	goto cleanup;
-    MPINT_TO_SECITEM(&p, &key->prime1, arena);
-    MPINT_TO_SECITEM(&q, &key->prime2, arena);
-cleanup:
-    mp_clear(&p);
-    mp_clear(&q);
-    mp_clear(&e);
-    if (err) {
-	MP_TO_SEC_ERROR(err);
-	rv = SECFailure;
-    }
-    if (rv && arena) {
-	PORT_FreeArena(arena, PR_TRUE);
-	key = NULL;
-    }
-    return key;
-}
-
-static unsigned int
-rsa_modulusLen(SECItem *modulus)
-{
-    unsigned char byteZero = modulus->data[0];
-    unsigned int modLen = modulus->len - !byteZero;
-    return modLen;
-}
-
-/*
-** Perform a raw public-key operation 
-**	Length of input and output buffers are equal to key's modulus len.
-*/
-SECStatus 
-RSA_PublicKeyOp(RSAPublicKey  *key, 
-                unsigned char *output, 
-                const unsigned char *input)
-{
-    unsigned int modLen, expLen, offset;
-    mp_int n, e, m, c;
-    mp_err err   = MP_OKAY;
-    SECStatus rv = SECSuccess;
-    if (!key || !output || !input) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    MP_DIGITS(&n) = 0;
-    MP_DIGITS(&e) = 0;
-    MP_DIGITS(&m) = 0;
-    MP_DIGITS(&c) = 0;
-    CHECK_MPI_OK( mp_init(&n) );
-    CHECK_MPI_OK( mp_init(&e) );
-    CHECK_MPI_OK( mp_init(&m) );
-    CHECK_MPI_OK( mp_init(&c) );
-    modLen = rsa_modulusLen(&key->modulus);
-    expLen = rsa_modulusLen(&key->publicExponent);
-    /* 1.  Obtain public key (n, e) */
-    if (BAD_RSA_KEY_SIZE(modLen, expLen)) {
-    	PORT_SetError(SEC_ERROR_INVALID_KEY);
-	rv = SECFailure;
-	goto cleanup;
-    }
-    SECITEM_TO_MPINT(key->modulus, &n);
-    SECITEM_TO_MPINT(key->publicExponent, &e);
-    if (e.used > n.used) {
-	/* exponent should not be greater than modulus */
-    	PORT_SetError(SEC_ERROR_INVALID_KEY);
-	rv = SECFailure;
-	goto cleanup;
-    }
-    /* 2. check input out of range (needs to be in range [0..n-1]) */
-    offset = (key->modulus.data[0] == 0) ? 1 : 0; /* may be leading 0 */
-    if (memcmp(input, key->modulus.data + offset, modLen) >= 0) {
-        PORT_SetError(SEC_ERROR_INPUT_LEN);
-        rv = SECFailure;
-        goto cleanup;
-    }
-    /* 2 bis.  Represent message as integer in range [0..n-1] */
-    CHECK_MPI_OK( mp_read_unsigned_octets(&m, input, modLen) );
-    /* 3.  Compute c = m**e mod n */
-#ifdef USE_MPI_EXPT_D
-    /* XXX see which is faster */
-    if (MP_USED(&e) == 1) {
-	CHECK_MPI_OK( mp_exptmod_d(&m, MP_DIGIT(&e, 0), &n, &c) );
-    } else
-#endif
-    CHECK_MPI_OK( mp_exptmod(&m, &e, &n, &c) );
-    /* 4.  result c is ciphertext */
-    err = mp_to_fixlen_octets(&c, output, modLen);
-    if (err >= 0) err = MP_OKAY;
-cleanup:
-    mp_clear(&n);
-    mp_clear(&e);
-    mp_clear(&m);
-    mp_clear(&c);
-    if (err) {
-	MP_TO_SEC_ERROR(err);
-	rv = SECFailure;
-    }
-    return rv;
-}
-
-/*
-**  RSA Private key operation (no CRT).
-*/
-static SECStatus 
-rsa_PrivateKeyOpNoCRT(RSAPrivateKey *key, mp_int *m, mp_int *c, mp_int *n,
-                      unsigned int modLen)
-{
-    mp_int d;
-    mp_err   err = MP_OKAY;
-    SECStatus rv = SECSuccess;
-    MP_DIGITS(&d) = 0;
-    CHECK_MPI_OK( mp_init(&d) );
-    SECITEM_TO_MPINT(key->privateExponent, &d);
-    /* 1. m = c**d mod n */
-    CHECK_MPI_OK( mp_exptmod(c, &d, n, m) );
-cleanup:
-    mp_clear(&d);
-    if (err) {
-	MP_TO_SEC_ERROR(err);
-	rv = SECFailure;
-    }
-    return rv;
-}
-
-/*
-**  RSA Private key operation using CRT.
-*/
-static SECStatus 
-rsa_PrivateKeyOpCRTNoCheck(RSAPrivateKey *key, mp_int *m, mp_int *c)
-{
-    mp_int p, q, d_p, d_q, qInv;
-    mp_int m1, m2, h, ctmp;
-    mp_err   err = MP_OKAY;
-    SECStatus rv = SECSuccess;
-    MP_DIGITS(&p)    = 0;
-    MP_DIGITS(&q)    = 0;
-    MP_DIGITS(&d_p)  = 0;
-    MP_DIGITS(&d_q)  = 0;
-    MP_DIGITS(&qInv) = 0;
-    MP_DIGITS(&m1)   = 0;
-    MP_DIGITS(&m2)   = 0;
-    MP_DIGITS(&h)    = 0;
-    MP_DIGITS(&ctmp) = 0;
-    CHECK_MPI_OK( mp_init(&p)    );
-    CHECK_MPI_OK( mp_init(&q)    );
-    CHECK_MPI_OK( mp_init(&d_p)  );
-    CHECK_MPI_OK( mp_init(&d_q)  );
-    CHECK_MPI_OK( mp_init(&qInv) );
-    CHECK_MPI_OK( mp_init(&m1)   );
-    CHECK_MPI_OK( mp_init(&m2)   );
-    CHECK_MPI_OK( mp_init(&h)    );
-    CHECK_MPI_OK( mp_init(&ctmp) );
-    /* copy private key parameters into mp integers */
-    SECITEM_TO_MPINT(key->prime1,      &p);    /* p */
-    SECITEM_TO_MPINT(key->prime2,      &q);    /* q */
-    SECITEM_TO_MPINT(key->exponent1,   &d_p);  /* d_p  = d mod (p-1) */
-    SECITEM_TO_MPINT(key->exponent2,   &d_q);  /* d_q  = d mod (q-1) */
-    SECITEM_TO_MPINT(key->coefficient, &qInv); /* qInv = q**-1 mod p */
-    /* 1. m1 = c**d_p mod p */
-    CHECK_MPI_OK( mp_mod(c, &p, &ctmp) );
-    CHECK_MPI_OK( mp_exptmod(&ctmp, &d_p, &p, &m1) );
-    /* 2. m2 = c**d_q mod q */
-    CHECK_MPI_OK( mp_mod(c, &q, &ctmp) );
-    CHECK_MPI_OK( mp_exptmod(&ctmp, &d_q, &q, &m2) );
-    /* 3.  h = (m1 - m2) * qInv mod p */
-    CHECK_MPI_OK( mp_submod(&m1, &m2, &p, &h) );
-    CHECK_MPI_OK( mp_mulmod(&h, &qInv, &p, &h)  );
-    /* 4.  m = m2 + h * q */
-    CHECK_MPI_OK( mp_mul(&h, &q, m) );
-    CHECK_MPI_OK( mp_add(m, &m2, m) );
-cleanup:
-    mp_clear(&p);
-    mp_clear(&q);
-    mp_clear(&d_p);
-    mp_clear(&d_q);
-    mp_clear(&qInv);
-    mp_clear(&m1);
-    mp_clear(&m2);
-    mp_clear(&h);
-    mp_clear(&ctmp);
-    if (err) {
-	MP_TO_SEC_ERROR(err);
-	rv = SECFailure;
-    }
-    return rv;
-}
-
-/*
-** An attack against RSA CRT was described by Boneh, DeMillo, and Lipton in:
-** "On the Importance of Eliminating Errors in Cryptographic Computations",
-** http://theory.stanford.edu/~dabo/papers/faults.ps.gz
-**
-** As a defense against the attack, carry out the private key operation, 
-** followed up with a public key operation to invert the result.  
-** Verify that result against the input.
-*/
-static SECStatus 
-rsa_PrivateKeyOpCRTCheckedPubKey(RSAPrivateKey *key, mp_int *m, mp_int *c)
-{
-    mp_int n, e, v;
-    mp_err   err = MP_OKAY;
-    SECStatus rv = SECSuccess;
-    MP_DIGITS(&n) = 0;
-    MP_DIGITS(&e) = 0;
-    MP_DIGITS(&v) = 0;
-    CHECK_MPI_OK( mp_init(&n) );
-    CHECK_MPI_OK( mp_init(&e) );
-    CHECK_MPI_OK( mp_init(&v) );
-    CHECK_SEC_OK( rsa_PrivateKeyOpCRTNoCheck(key, m, c) );
-    SECITEM_TO_MPINT(key->modulus,        &n);
-    SECITEM_TO_MPINT(key->publicExponent, &e);
-    /* Perform a public key operation v = m ** e mod n */
-    CHECK_MPI_OK( mp_exptmod(m, &e, &n, &v) );
-    if (mp_cmp(&v, c) != 0) {
-	rv = SECFailure;
-    }
-cleanup:
-    mp_clear(&n);
-    mp_clear(&e);
-    mp_clear(&v);
-    if (err) {
-	MP_TO_SEC_ERROR(err);
-	rv = SECFailure;
-    }
-    return rv;
-}
-
-static PRCallOnceType coBPInit = { 0, 0, 0 };
-static PRStatus 
-init_blinding_params_list(void)
-{
-    blindingParamsList.lock = PZ_NewLock(nssILockOther);
-    if (!blindingParamsList.lock) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return PR_FAILURE;
-    }
-    PR_INIT_CLIST(&blindingParamsList.head);
-    return PR_SUCCESS;
-}
-
-static SECStatus
-generate_blinding_params(struct RSABlindingParamsStr *rsabp, 
-                         RSAPrivateKey *key, mp_int *n, unsigned int modLen)
-{
-    SECStatus rv = SECSuccess;
-    mp_int e, k;
-    mp_err err = MP_OKAY;
-    unsigned char *kb = NULL;
-    MP_DIGITS(&e) = 0;
-    MP_DIGITS(&k) = 0;
-    CHECK_MPI_OK( mp_init(&e) );
-    CHECK_MPI_OK( mp_init(&k) );
-    SECITEM_TO_MPINT(key->publicExponent, &e);
-    /* generate random k < n */
-    kb = PORT_Alloc(modLen);
-    if (!kb) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto cleanup;
-    }
-    CHECK_SEC_OK( RNG_GenerateGlobalRandomBytes(kb, modLen) );
-    CHECK_MPI_OK( mp_read_unsigned_octets(&k, kb, modLen) );
-    /* k < n */
-    CHECK_MPI_OK( mp_mod(&k, n, &k) );
-    /* f = k**e mod n */
-    CHECK_MPI_OK( mp_exptmod(&k, &e, n, &rsabp->f) );
-    /* g = k**-1 mod n */
-    CHECK_MPI_OK( mp_invmod(&k, n, &rsabp->g) );
-    /* Initialize the counter for this (f, g) */
-    rsabp->counter = RSA_BLINDING_PARAMS_MAX_REUSE;
-cleanup:
-    if (kb)
-	PORT_ZFree(kb, modLen);
-    mp_clear(&k);
-    mp_clear(&e);
-    if (err) {
-	MP_TO_SEC_ERROR(err);
-	rv = SECFailure;
-    }
-    return rv;
-}
-
-static SECStatus
-init_blinding_params(struct RSABlindingParamsStr *rsabp, RSAPrivateKey *key,
-                     mp_int *n, unsigned int modLen)
-{
-    SECStatus rv = SECSuccess;
-    mp_err err = MP_OKAY;
-    MP_DIGITS(&rsabp->f) = 0;
-    MP_DIGITS(&rsabp->g) = 0;
-    /* initialize blinding parameters */
-    CHECK_MPI_OK( mp_init(&rsabp->f) );
-    CHECK_MPI_OK( mp_init(&rsabp->g) );
-    /* List elements are keyed using the modulus */
-    SECITEM_CopyItem(NULL, &rsabp->modulus, &key->modulus);
-    CHECK_SEC_OK( generate_blinding_params(rsabp, key, n, modLen) );
-    return SECSuccess;
-cleanup:
-    mp_clear(&rsabp->f);
-    mp_clear(&rsabp->g);
-    if (err) {
-	MP_TO_SEC_ERROR(err);
-	rv = SECFailure;
-    }
-    return rv;
-}
-
-static SECStatus
-get_blinding_params(RSAPrivateKey *key, mp_int *n, unsigned int modLen,
-                    mp_int *f, mp_int *g)
-{
-    SECStatus rv = SECSuccess;
-    mp_err err = MP_OKAY;
-    int cmp;
-    PRCList *el;
-    struct RSABlindingParamsStr *rsabp = NULL;
-    /* Init the list if neccessary (the init function is only called once!) */
-    if (blindingParamsList.lock == NULL) {
-	if (PR_CallOnce(&coBPInit, init_blinding_params_list) != PR_SUCCESS) {
-	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	    return SECFailure;
-	}
-    }
-    /* Acquire the list lock */
-    PZ_Lock(blindingParamsList.lock);
-    /* Walk the list looking for the private key */
-    for (el = PR_NEXT_LINK(&blindingParamsList.head);
-         el != &blindingParamsList.head;
-         el = PR_NEXT_LINK(el)) {
-	rsabp = (struct RSABlindingParamsStr *)el;
-	cmp = SECITEM_CompareItem(&rsabp->modulus, &key->modulus);
-	if (cmp == 0) {
-	    /* Check the usage counter for the parameters */
-	    if (--rsabp->counter <= 0) {
-		/* Regenerate the blinding parameters */
-		CHECK_SEC_OK( generate_blinding_params(rsabp, key, n, modLen) );
-	    }
-	    /* Return the parameters */
-	    CHECK_MPI_OK( mp_copy(&rsabp->f, f) );
-	    CHECK_MPI_OK( mp_copy(&rsabp->g, g) );
-	    /* Now that the params are located, release the list lock. */
-	    PZ_Unlock(blindingParamsList.lock); /* XXX when fails? */
-	    return SECSuccess;
-	} else if (cmp > 0) {
-	    /* The key is not in the list.  Break to param creation. */
-	    break;
-	}
-    }
-    /* At this point, the key is not in the list.  el should point to the
-    ** list element that this key should be inserted before.  NOTE: the list
-    ** lock is still held, so there cannot be a race condition here.
-    */
-    rsabp = (struct RSABlindingParamsStr *)
-              PORT_ZAlloc(sizeof(struct RSABlindingParamsStr));
-    if (!rsabp) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto cleanup;
-    }
-    /* Initialize the list pointer for the element */
-    PR_INIT_CLIST(&rsabp->link);
-    /* Initialize the blinding parameters 
-    ** This ties up the list lock while doing some heavy, element-specific
-    ** operations, but we don't want to insert the element until it is valid,
-    ** which requires computing the blinding params.  If this proves costly,
-    ** it could be done after the list lock is released, and then if it fails
-    ** the lock would have to be reobtained and the invalid element removed.
-    */
-    rv = init_blinding_params(rsabp, key, n, modLen);
-    if (rv != SECSuccess) {
-	PORT_ZFree(rsabp, sizeof(struct RSABlindingParamsStr));
-	goto cleanup;
-    }
-    /* Insert the new element into the list
-    ** If inserting in the middle of the list, el points to the link
-    ** to insert before.  Otherwise, the link needs to be appended to
-    ** the end of the list, which is the same as inserting before the
-    ** head (since el would have looped back to the head).
-    */
-    PR_INSERT_BEFORE(&rsabp->link, el);
-    /* Return the parameters */
-    CHECK_MPI_OK( mp_copy(&rsabp->f, f) );
-    CHECK_MPI_OK( mp_copy(&rsabp->g, g) );
-    /* Release the list lock */
-    PZ_Unlock(blindingParamsList.lock); /* XXX when fails? */
-    return SECSuccess;
-cleanup:
-    /* It is possible to reach this after the lock is already released.
-    ** Ignore the error in that case.
-    */
-    PZ_Unlock(blindingParamsList.lock);
-    if (err) {
-	MP_TO_SEC_ERROR(err);
-	rv = SECFailure;
-    }
-    return SECFailure;
-}
-
-/*
-** Perform a raw private-key operation 
-**	Length of input and output buffers are equal to key's modulus len.
-*/
-static SECStatus 
-rsa_PrivateKeyOp(RSAPrivateKey *key, 
-                 unsigned char *output, 
-                 const unsigned char *input,
-                 PRBool check)
-{
-    unsigned int modLen;
-    unsigned int offset;
-    SECStatus rv = SECSuccess;
-    mp_err err;
-    mp_int n, c, m;
-    mp_int f, g;
-    if (!key || !output || !input) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    /* check input out of range (needs to be in range [0..n-1]) */
-    modLen = rsa_modulusLen(&key->modulus);
-    offset = (key->modulus.data[0] == 0) ? 1 : 0; /* may be leading 0 */
-    if (memcmp(input, key->modulus.data + offset, modLen) >= 0) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    MP_DIGITS(&n) = 0;
-    MP_DIGITS(&c) = 0;
-    MP_DIGITS(&m) = 0;
-    MP_DIGITS(&f) = 0;
-    MP_DIGITS(&g) = 0;
-    CHECK_MPI_OK( mp_init(&n) );
-    CHECK_MPI_OK( mp_init(&c) );
-    CHECK_MPI_OK( mp_init(&m) );
-    CHECK_MPI_OK( mp_init(&f) );
-    CHECK_MPI_OK( mp_init(&g) );
-    SECITEM_TO_MPINT(key->modulus, &n);
-    OCTETS_TO_MPINT(input, &c, modLen);
-    /* If blinding, compute pre-image of ciphertext by multiplying by
-    ** blinding factor
-    */
-    if (nssRSAUseBlinding) {
-	CHECK_SEC_OK( get_blinding_params(key, &n, modLen, &f, &g) );
-	/* c' = c*f mod n */
-	CHECK_MPI_OK( mp_mulmod(&c, &f, &n, &c) );
-    }
-    /* Do the private key operation m = c**d mod n */
-    if ( key->prime1.len      == 0 ||
-         key->prime2.len      == 0 ||
-         key->exponent1.len   == 0 ||
-         key->exponent2.len   == 0 ||
-         key->coefficient.len == 0) {
-	CHECK_SEC_OK( rsa_PrivateKeyOpNoCRT(key, &m, &c, &n, modLen) );
-    } else if (check) {
-	CHECK_SEC_OK( rsa_PrivateKeyOpCRTCheckedPubKey(key, &m, &c) );
-    } else {
-	CHECK_SEC_OK( rsa_PrivateKeyOpCRTNoCheck(key, &m, &c) );
-    }
-    /* If blinding, compute post-image of plaintext by multiplying by
-    ** blinding factor
-    */
-    if (nssRSAUseBlinding) {
-	/* m = m'*g mod n */
-	CHECK_MPI_OK( mp_mulmod(&m, &g, &n, &m) );
-    }
-    err = mp_to_fixlen_octets(&m, output, modLen);
-    if (err >= 0) err = MP_OKAY;
-cleanup:
-    mp_clear(&n);
-    mp_clear(&c);
-    mp_clear(&m);
-    mp_clear(&f);
-    mp_clear(&g);
-    if (err) {
-	MP_TO_SEC_ERROR(err);
-	rv = SECFailure;
-    }
-    return rv;
-}
-
-SECStatus 
-RSA_PrivateKeyOp(RSAPrivateKey *key, 
-                 unsigned char *output, 
-                 const unsigned char *input)
-{
-    return rsa_PrivateKeyOp(key, output, input, PR_FALSE);
-}
-
-SECStatus 
-RSA_PrivateKeyOpDoubleChecked(RSAPrivateKey *key, 
-                              unsigned char *output, 
-                              const unsigned char *input)
-{
-    return rsa_PrivateKeyOp(key, output, input, PR_TRUE);
-}
-
-static SECStatus
-swap_in_key_value(PRArenaPool *arena, mp_int *mpval, SECItem *buffer)
-{
-    int len;
-    mp_err err = MP_OKAY;
-    memset(buffer->data, 0, buffer->len);
-    len = mp_unsigned_octet_size(mpval);
-    if (len <= 0) return SECFailure;
-    if ((unsigned int)len <= buffer->len) {
-	/* The new value is no longer than the old buffer, so use it */
-	err = mp_to_unsigned_octets(mpval, buffer->data, len);
-	if (err >= 0) err = MP_OKAY;
-	buffer->len = len;
-    } else if (arena) {
-	/* The new value is longer, but working within an arena */
-	(void)SECITEM_AllocItem(arena, buffer, len);
-	err = mp_to_unsigned_octets(mpval, buffer->data, len);
-	if (err >= 0) err = MP_OKAY;
-    } else {
-	/* The new value is longer, no arena, can't handle this key */
-	return SECFailure;
-    }
-    return (err == MP_OKAY) ? SECSuccess : SECFailure;
-}
-
-SECStatus
-RSA_PrivateKeyCheck(RSAPrivateKey *key)
-{
-    mp_int p, q, n, psub1, qsub1, e, d, d_p, d_q, qInv, res;
-    mp_err   err = MP_OKAY;
-    SECStatus rv = SECSuccess;
-    MP_DIGITS(&n)    = 0;
-    MP_DIGITS(&psub1)= 0;
-    MP_DIGITS(&qsub1)= 0;
-    MP_DIGITS(&e)    = 0;
-    MP_DIGITS(&d)    = 0;
-    MP_DIGITS(&d_p)  = 0;
-    MP_DIGITS(&d_q)  = 0;
-    MP_DIGITS(&qInv) = 0;
-    MP_DIGITS(&res)  = 0;
-    CHECK_MPI_OK( mp_init(&n)    );
-    CHECK_MPI_OK( mp_init(&p)    );
-    CHECK_MPI_OK( mp_init(&q)    );
-    CHECK_MPI_OK( mp_init(&psub1));
-    CHECK_MPI_OK( mp_init(&qsub1));
-    CHECK_MPI_OK( mp_init(&e)    );
-    CHECK_MPI_OK( mp_init(&d)    );
-    CHECK_MPI_OK( mp_init(&d_p)  );
-    CHECK_MPI_OK( mp_init(&d_q)  );
-    CHECK_MPI_OK( mp_init(&qInv) );
-    CHECK_MPI_OK( mp_init(&res)  );
-    SECITEM_TO_MPINT(key->modulus,         &n);
-    SECITEM_TO_MPINT(key->prime1,          &p);
-    SECITEM_TO_MPINT(key->prime2,          &q);
-    SECITEM_TO_MPINT(key->publicExponent,  &e);
-    SECITEM_TO_MPINT(key->privateExponent, &d);
-    SECITEM_TO_MPINT(key->exponent1,       &d_p);
-    SECITEM_TO_MPINT(key->exponent2,       &d_q);
-    SECITEM_TO_MPINT(key->coefficient,     &qInv);
-    /* p > q  */
-    if (mp_cmp(&p, &q) <= 0) {
-	/* mind the p's and q's (and d_p's and d_q's) */
-	SECItem tmp;
-	mp_exch(&p, &q);
-	mp_exch(&d_p,&d_q);
-	tmp = key->prime1;
-	key->prime1 = key->prime2;
-	key->prime2 = tmp;
-	tmp = key->exponent1;
-	key->exponent1 = key->exponent2;
-	key->exponent2 = tmp;
-    }
-#define VERIFY_MPI_EQUAL(m1, m2) \
-    if (mp_cmp(m1, m2) != 0) {   \
-	rv = SECFailure;         \
-	goto cleanup;            \
-    }
-#define VERIFY_MPI_EQUAL_1(m)    \
-    if (mp_cmp_d(m, 1) != 0) {   \
-	rv = SECFailure;         \
-	goto cleanup;            \
-    }
-    /*
-     * The following errors cannot be recovered from.
-     */
-    /* n == p * q */
-    CHECK_MPI_OK( mp_mul(&p, &q, &res) );
-    VERIFY_MPI_EQUAL(&res, &n);
-    /* gcd(e, p-1) == 1 */
-    CHECK_MPI_OK( mp_sub_d(&p, 1, &psub1) );
-    CHECK_MPI_OK( mp_gcd(&e, &psub1, &res) );
-    VERIFY_MPI_EQUAL_1(&res);
-    /* gcd(e, q-1) == 1 */
-    CHECK_MPI_OK( mp_sub_d(&q, 1, &qsub1) );
-    CHECK_MPI_OK( mp_gcd(&e, &qsub1, &res) );
-    VERIFY_MPI_EQUAL_1(&res);
-    /* d*e == 1 mod p-1 */
-    CHECK_MPI_OK( mp_mulmod(&d, &e, &psub1, &res) );
-    VERIFY_MPI_EQUAL_1(&res);
-    /* d*e == 1 mod q-1 */
-    CHECK_MPI_OK( mp_mulmod(&d, &e, &qsub1, &res) );
-    VERIFY_MPI_EQUAL_1(&res);
-    /*
-     * The following errors can be recovered from.
-     */
-    /* d_p == d mod p-1 */
-    CHECK_MPI_OK( mp_mod(&d, &psub1, &res) );
-    if (mp_cmp(&d_p, &res) != 0) {
-	/* swap in the correct value */
-	CHECK_SEC_OK( swap_in_key_value(key->arena, &res, &key->exponent1) );
-    }
-    /* d_q == d mod q-1 */
-    CHECK_MPI_OK( mp_mod(&d, &qsub1, &res) );
-    if (mp_cmp(&d_q, &res) != 0) {
-	/* swap in the correct value */
-	CHECK_SEC_OK( swap_in_key_value(key->arena, &res, &key->exponent2) );
-    }
-    /* q * q**-1 == 1 mod p */
-    CHECK_MPI_OK( mp_mulmod(&q, &qInv, &p, &res) );
-    if (mp_cmp_d(&res, 1) != 0) {
-	/* compute the correct value */
-	CHECK_MPI_OK( mp_invmod(&q, &p, &qInv) );
-	CHECK_SEC_OK( swap_in_key_value(key->arena, &qInv, &key->coefficient) );
-    }
-cleanup:
-    mp_clear(&n);
-    mp_clear(&p);
-    mp_clear(&q);
-    mp_clear(&psub1);
-    mp_clear(&qsub1);
-    mp_clear(&e);
-    mp_clear(&d);
-    mp_clear(&d_p);
-    mp_clear(&d_q);
-    mp_clear(&qInv);
-    mp_clear(&res);
-    if (err) {
-	MP_TO_SEC_ERROR(err);
-	rv = SECFailure;
-    }
-    return rv;
-}
-
-/* cleanup at shutdown */
-void RSA_Cleanup(void)
-{
-    if (!coBPInit.initialized)
-	return;
-
-    while (!PR_CLIST_IS_EMPTY(&blindingParamsList.head))
-    {
-	struct RSABlindingParamsStr * rsabp = (struct RSABlindingParamsStr *)
-	    PR_LIST_HEAD(&blindingParamsList.head);
-	PR_REMOVE_LINK(&rsabp->link);
-	mp_clear(&rsabp->f);
-	mp_clear(&rsabp->g);
-	SECITEM_FreeItem(&rsabp->modulus,PR_FALSE);
-	PORT_Free(rsabp);
-    }
-
-    if (blindingParamsList.lock)
-    {
-	PZ_DestroyLock(blindingParamsList.lock);
-	blindingParamsList.lock = NULL;
-    }
-
-    coBPInit.initialized = 0;
-    coBPInit.inProgress = 0;
-    coBPInit.status = 0;
-}
-
-/*
- * need a central place for this function to free up all the memory that
- * free_bl may have allocated along the way. Currently only RSA does this,
- * so I've put it here for now.
- */
-void BL_Cleanup(void)
-{
-    RSA_Cleanup();
-}
diff --git a/security/nss/lib/freebl/secmpi.h b/security/nss/lib/freebl/secmpi.h
deleted file mode 100644
index e343fb894..000000000
--- a/security/nss/lib/freebl/secmpi.h
+++ /dev/null
@@ -1,61 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "mpi.h"
-
-#define CHECK_SEC_OK(func) if (SECSuccess != (rv = func)) goto cleanup
-
-#define CHECK_MPI_OK(func) if (MP_OKAY > (err = func)) goto cleanup
-
-#define OCTETS_TO_MPINT(oc, mp, len) \
-    CHECK_MPI_OK(mp_read_unsigned_octets((mp), oc, len))
-
-#define SECITEM_TO_MPINT(it, mp) \
-    CHECK_MPI_OK(mp_read_unsigned_octets((mp), (it).data, (it).len))
-
-#define MPINT_TO_SECITEM(mp, it, arena)                         \
-    SECITEM_AllocItem(arena, (it), mp_unsigned_octet_size(mp)); \
-    if ((it)->data == NULL) {err = MP_MEM; goto cleanup;}       \
-    err = mp_to_unsigned_octets(mp, (it)->data, (it)->len);     \
-    if (err < 0) goto cleanup; else err = MP_OKAY;
-
-#define MP_TO_SEC_ERROR(err)                                          \
-    switch (err) {                                                    \
-    case MP_MEM:    PORT_SetError(SEC_ERROR_NO_MEMORY);       break;  \
-    case MP_RANGE:  PORT_SetError(SEC_ERROR_BAD_DATA);        break;  \
-    case MP_BADARG: PORT_SetError(SEC_ERROR_INVALID_ARGS);    break;  \
-    default:        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); break;  \
-    }
diff --git a/security/nss/lib/freebl/secrng.h b/security/nss/lib/freebl/secrng.h
deleted file mode 100644
index d3e97c927..000000000
--- a/security/nss/lib/freebl/secrng.h
+++ /dev/null
@@ -1,85 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef _SECRNG_H_
-#define _SECRNG_H_
-/*
- * secrng.h - public data structures and prototypes for the secure random
- *	      number generator
- *
- * $Id$
- */
-
-/******************************************/
-/*
-** Random number generation. A cryptographically strong random number
-** generator.
-*/
-
-#include "blapi.h"
-
-SEC_BEGIN_PROTOS
-
-/*
-** The following 3 functions are provided by the security library
-** but are differently implemented for the UNIX, Mac and Win
-** versions
-*/
-
-/*
-** Get the "noisiest" information available on the system.
-** The amount of data returned depends on the system implementation.
-** It will not exceed maxbytes, but may be (much) less.
-** Returns number of noise bytes copied into buf, or zero if error.
-*/
-extern size_t RNG_GetNoise(void *buf, size_t maxbytes);
-
-/*
-** RNG_SystemInfoForRNG should be called before any use of SSL. It
-** gathers up the system specific information to help seed the
-** state of the global random number generator.
-*/
-extern void RNG_SystemInfoForRNG(void);
-
-/* 
-** Use the contents (and stat) of a file to help seed the
-** global random number generator.
-*/
-extern void RNG_FileForRNG(const char *filename);
-
-SEC_END_PROTOS
-
-#endif /* _SECRNG_H_ */
diff --git a/security/nss/lib/freebl/sha-fast-amd64-sun.s b/security/nss/lib/freebl/sha-fast-amd64-sun.s
deleted file mode 100644
index 7c43f554b..000000000
--- a/security/nss/lib/freebl/sha-fast-amd64-sun.s
+++ /dev/null
@@ -1,2142 +0,0 @@
-//* ***** BEGIN LICENSE BLOCK *****
-/ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
-/ *
-/ * The contents of this file are subject to the Mozilla Public License Version
-/ * 1.1 (the "License"); you may not use this file except in compliance with
-/ * the License. You may obtain a copy of the License at
-/ * http://www.mozilla.org/MPL/
-/ *
-/ * Software distributed under the License is distributed on an "AS IS" basis,
-/ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-/ * for the specific language governing rights and limitations under the
-/ * License.
-/ *
-/ * The Original Code is SHA 180-1 Reference Implementation (Optimized).
-/ *
-/ * The Initial Developer of the Original Code is
-/ * Paul Kocher of Cryptography Research.
-/ * Portions created by the Initial Developer are Copyright (C) 1995-9
-/ * the Initial Developer. All Rights Reserved.
-/ *
-/ * Contributor(s):
-/ *
-/ * Alternatively, the contents of this file may be used under the terms of
-/ * either the GNU General Public License Version 2 or later (the "GPL"), or
-/ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-/ * in which case the provisions of the GPL or the LGPL are applicable instead
-/ * of those above. If you wish to allow use of your version of this file only
-/ * under the terms of either the GPL or the LGPL, and not to allow others to
-/ * use your version of this file under the terms of the MPL, indicate your
-/ * decision by deleting the provisions above and replace them with the notice
-/ * and other provisions required by the GPL or the LGPL. If you do not delete
-/ * the provisions above, a recipient may use your version of this file under
-/ * the terms of any one of the MPL, the GPL or the LGPL.
-/ *
-/ * ***** END LICENSE BLOCK ***** */
-
-	.file	"sha_fast.c"
-	.text
-	.align 16
-.globl SHA1_Begin
-	.type	SHA1_Begin, @function
-SHA1_Begin:
-.LFB4:
-	movl	$4023233417, %ecx
-	movl	$2562383102, %edx
-	movl	$3285377520, %eax
-	movq	$0, 64(%rdi)
-	movq	$1732584193, 72(%rdi)
-	movq	%rcx, 80(%rdi)
-	movq	%rdx, 88(%rdi)
-	movq	$271733878, 96(%rdi)
-	movq	%rax, 104(%rdi)
-	ret
-.LFE4:
-	.size	SHA1_Begin, .-SHA1_Begin
-	.align 16
-	.type	shaCompress, @function
-shaCompress:
-.LFB7:
-	pushq	%r15
-.LCFI0:
-	pushq	%r14
-.LCFI1:
-	pushq	%r13
-.LCFI2:
-	pushq	%r12
-.LCFI3:
-	movq	-88(%rdi), %r12
-	movq	-80(%rdi), %r10
-	movq	-72(%rdi), %r13
-	movq	-64(%rdi), %r8
-	pushq	%rbx
-.LCFI4:
-	movq	-56(%rdi), %rcx
-	movl	(%rsi), %eax
-	movl	%r12d, %edx
-	movq	%r13, %r9
-	roll	$5, %edx
-	movl	4(%rsi), %ebx
-	xorq	%r8, %r9 
-/APP
-	bswap %eax
-/NO_APP
-	andq	%r10, %r9
-	mov	%eax, %r15d
-	roll	$30, %r10d
-	movq	%r15, -48(%rdi)
-	xorq	%r8, %r9 
-	movq	-48(%rdi), %r14
-	addq	%r9, %rdx
-	movq	%r10, %rax
-	movl	%r12d, %r15d
-	addq	%rcx, %rdx
-	xorq	%r13, %rax 
-	roll	$30, %r15d
-	leaq	1518500249(%rdx,%r14), %rdx
-	andq	%r12, %rax
-	movq	%r15, %r12
-/APP
-	bswap %ebx
-/NO_APP
-	movl	%edx, %ecx
-	mov	%ebx, %r11d
-	xorq	%r13, %rax 
-	movq	%r11, -40(%rdi)
-	roll	$5, %ecx
-	movq	-40(%rdi), %r9
-	addq	%rax, %rcx
-	xorq	%r10, %r12 
-	movl	8(%rsi), %r14d
-	addq	%r8, %rcx
-	andq	%rdx, %r12
-	movl	%edx, %r11d
-	leaq	1518500249(%rcx,%r9), %rcx
-	xorq	%r10, %r12 
-	roll	$30, %r11d
-/APP
-	bswap %r14d
-/NO_APP
-	movl	%ecx, %r8d
-	mov	%r14d, %ebx
-	movl	12(%rsi), %r9d
-	movq	%rbx, -32(%rdi)
-	roll	$5, %r8d
-	movq	-32(%rdi), %rax
-	addq	%r12, %r8
-	movq	%r11, %r12
-	movl	%ecx, %ebx
-	addq	%r13, %r8
-	xorq	%r15, %r12 
-	roll	$30, %ebx
-	leaq	1518500249(%r8,%rax), %r8
-	andq	%rcx, %r12
-	movl	16(%rsi), %eax
-/APP
-	bswap %r9d
-/NO_APP
-	movl	%r8d, %edx
-	mov	%r9d, %r14d
-	xorq	%r15, %r12 
-	movq	%r14, -24(%rdi)
-	roll	$5, %edx
-	movq	-24(%rdi), %r13
-	addq	%r12, %rdx
-	movq	%rbx, %r12
-	movl	%r8d, %r14d
-	addq	%r10, %rdx
-	leaq	1518500249(%rdx,%r13), %rdx
-	movl	20(%rsi), %r13d
-/APP
-	bswap %eax
-/NO_APP
-	movl	%edx, %ecx
-	mov	%eax, %r9d
-	roll	$5, %ecx
-	xorq	%r11, %r12 
-	movq	%r9, -16(%rdi)
-	andq	%r8, %r12
-	movq	-16(%rdi), %r10
-	roll	$30, %r14d
-	xorq	%r11, %r12 
-	movq	%r14, %rax
-	movl	%edx, %r9d
-	addq	%r12, %rcx
-	xorq	%rbx, %rax 
-	roll	$30, %r9d
-	addq	%r15, %rcx
-	andq	%rdx, %rax
-	leaq	1518500249(%rcx,%r10), %rcx
-	xorq	%rbx, %rax 
-	movl	24(%rsi), %r10d
-/APP
-	bswap %r13d
-/NO_APP
-	movl	%ecx, %r8d
-	mov	%r13d, %r15d
-	movq	%r15, -8(%rdi)
-	roll	$5, %r8d
-	movq	-8(%rdi), %r12
-	addq	%rax, %r8
-	movl	%ecx, %r15d
-	addq	%r11, %r8
-	movq	%r9, %r11
-	roll	$30, %r15d
-	leaq	1518500249(%r8,%r12), %r8
-	xorq	%r14, %r11 
-	movl	28(%rsi), %r12d
-/APP
-	bswap %r10d
-/NO_APP
-	andq	%rcx, %r11
-	mov	%r10d, %r13d
-	movl	%r8d, %edx
-	movq	%r13, (%rdi)
-	xorq	%r14, %r11 
-	movq	(%rdi), %rax
-	roll	$5, %edx
-	movq	%r15, %r10
-	movl	%r8d, %r13d
-	addq	%r11, %rdx
-	xorq	%r9, %r10 
-	roll	$30, %r13d
-	addq	%rbx, %rdx
-	andq	%r8, %r10
-	leaq	1518500249(%rdx,%rax), %rdx
-	xorq	%r9, %r10 
-	movl	32(%rsi), %eax
-/APP
-	bswap %r12d
-/NO_APP
-	movl	%edx, %ecx
-	mov	%r12d, %ebx
-	movq	%rbx, 8(%rdi)
-	roll	$5, %ecx
-	movq	8(%rdi), %r11
-	addq	%r10, %rcx
-	movq	%r13, %r10
-	movl	%edx, %ebx
-	addq	%r14, %rcx
-	leaq	1518500249(%rcx,%r11), %rcx
-/APP
-	bswap %eax
-/NO_APP
-	movl	%ecx, %r8d
-	mov	%eax, %r12d
-	roll	$5, %r8d
-	xorq	%r15, %r10 
-	movq	%r12, 16(%rdi)
-	andq	%rdx, %r10
-	movq	16(%rdi), %r14
-	roll	$30, %ebx
-	xorq	%r15, %r10 
-	movq	%rbx, %rax
-	movl	36(%rsi), %r11d
-	addq	%r10, %r8
-	xorq	%r13, %rax 
-	movl	%ecx, %r12d
-	addq	%r9, %r8
-	andq	%rcx, %rax
-	roll	$30, %r12d
-	leaq	1518500249(%r8,%r14), %r8
-	xorq	%r13, %rax 
-	movl	40(%rsi), %r14d
-/APP
-	bswap %r11d
-/NO_APP
-	movl	%r8d, %edx
-	mov	%r11d, %r9d
-	movq	%r12, %r11
-	movq	%r9, 24(%rdi)
-	roll	$5, %edx
-	movq	24(%rdi), %r10
-	addq	%rax, %rdx
-	xorq	%rbx, %r11 
-	movl	%r8d, %r9d
-	addq	%r15, %rdx
-	andq	%r8, %r11
-	roll	$30, %r9d
-	leaq	1518500249(%rdx,%r10), %rdx
-	xorq	%rbx, %r11 
-	movl	44(%rsi), %r10d
-/APP
-	bswap %r14d
-/NO_APP
-	movl	%edx, %ecx
-	mov	%r14d, %r15d
-	movq	%r15, 32(%rdi)
-	roll	$5, %ecx
-	movq	32(%rdi), %rax
-	addq	%r11, %rcx
-	movq	%r9, %r11
-	movl	%edx, %r15d
-	addq	%r13, %rcx
-	xorq	%r12, %r11 
-	roll	$30, %r15d
-	leaq	1518500249(%rcx,%rax), %rcx
-	andq	%rdx, %r11
-	movl	48(%rsi), %eax
-/APP
-	bswap %r10d
-/NO_APP
-	movl	%ecx, %r8d
-	mov	%r10d, %r14d
-	xorq	%r12, %r11 
-	movq	%r14, 40(%rdi)
-	roll	$5, %r8d
-	movq	40(%rdi), %r13
-	addq	%r11, %r8
-	movq	%r15, %r10
-	movl	%ecx, %r14d
-	addq	%rbx, %r8
-	xorq	%r9, %r10 
-	leaq	1518500249(%r8,%r13), %r8
-	movl	52(%rsi), %r13d
-/APP
-	bswap %eax
-/NO_APP
-	movl	%r8d, %edx
-	mov	%eax, %ebx
-	roll	$5, %edx
-	andq	%rcx, %r10
-	movq	%rbx, 48(%rdi)
-	xorq	%r9, %r10 
-	movq	48(%rdi), %r11
-	roll	$30, %r14d
-	addq	%r10, %rdx
-	movq	%r14, %rax
-	movl	%r8d, %ebx
-	addq	%r12, %rdx
-	xorq	%r15, %rax 
-	roll	$30, %ebx
-	leaq	1518500249(%rdx,%r11), %rdx
-	andq	%r8, %rax
-	movl	56(%rsi), %r11d
-/APP
-	bswap %r13d
-/NO_APP
-	movl	%edx, %ecx
-	mov	%r13d, %r12d
-	xorq	%r15, %rax 
-	movq	%r12, 56(%rdi)
-	roll	$5, %ecx
-	movq	56(%rdi), %r10
-	addq	%rax, %rcx
-	movl	%edx, %r12d
-	addq	%r9, %rcx
-	movq	%rbx, %r9
-	roll	$30, %r12d
-	leaq	1518500249(%rcx,%r10), %rcx
-	xorq	%r14, %r9 
-	movl	60(%rsi), %r10d
-/APP
-	bswap %r11d
-/NO_APP
-	andq	%rdx, %r9
-	mov	%r11d, %r13d
-	movl	%ecx, %r8d
-	movq	%r13, 64(%rdi)
-	xorq	%r14, %r9 
-	movq	64(%rdi), %rax
-	roll	$5, %r8d
-	movq	%r12, %r11
-	movl	%ecx, %r13d
-	addq	%r9, %r8
-	xorq	%rbx, %r11 
-	roll	$30, %r13d
-	addq	%r15, %r8
-	andq	%rcx, %r11
-	leaq	1518500249(%r8,%rax), %r8
-	xorq	%rbx, %r11 
-/APP
-	bswap %r10d
-/NO_APP
-	movl	%r8d, %esi
-	mov	%r10d, %r15d
-	movq	%r15, 72(%rdi)
-	roll	$5, %esi
-	movq	72(%rdi), %r9
-	movq	56(%rdi), %r10
-	movq	16(%rdi), %rcx
-	addq	%r11, %rsi
-	movq	-32(%rdi), %rdx
-	addq	%r14, %rsi
-	movq	-48(%rdi), %rax
-	leaq	1518500249(%rsi,%r9), %r14
-	movq	%r13, %r11
-	movl	%r8d, %r15d
-	xorq	%rcx, %r10 
-	xorq	%rdx, %r10 
-	movl	%r14d, %ecx
-	xorl	%eax, %r10d
-	roll	%r10d
-	roll	$5, %ecx
-	xorq	%r12, %r11 
-	andq	%r8, %r11
-	movq	%r10, -48(%rdi)
-	movq	-48(%rdi), %r9
-	xorq	%r12, %r11 
-	roll	$30, %r15d
-	movl	%r14d, %r10d
-	addq	%r11, %rcx
-	movq	64(%rdi), %r11
-	movq	24(%rdi), %rdx
-	addq	%rbx, %rcx
-	movq	-24(%rdi), %rbx
-	movq	-40(%rdi), %rax
-	leaq	1518500249(%rcx,%r9), %rcx
-	movq	%r15, %r8
-	roll	$30, %r10d
-	xorq	%rdx, %r11 
-	xorq	%r13, %r8 
-	xorq	%rbx, %r11 
-	andq	%r14, %r8
-	movl	%ecx, %r9d
-	xorl	%eax, %r11d
-	xorq	%r13, %r8 
-	roll	$5, %r9d
-	roll	%r11d
-	addq	%r8, %r9
-	movq	%r10, %rax
-	movq	%r11, -40(%rdi)
-	movq	-40(%rdi), %rsi
-	addq	%r12, %r9
-	movq	72(%rdi), %rbx
-	movq	32(%rdi), %rdx
-	xorq	%r15, %rax 
-	movq	-16(%rdi), %r14
-	movq	-32(%rdi), %r12
-	andq	%rcx, %rax
-	leaq	1518500249(%r9,%rsi), %r9
-	xorq	%r15, %rax 
-	movl	%ecx, %r11d
-	xorq	%rdx, %rbx 
-	roll	$30, %r11d
-	xorq	%r14, %rbx 
-	movl	%r9d, %esi
-	xorl	%r12d, %ebx
-	roll	$5, %esi
-	roll	%ebx
-	addq	%rax, %rsi
-	movq	%rbx, -32(%rdi)
-	movq	-32(%rdi), %r8
-	addq	%r13, %rsi
-	movq	-48(%rdi), %r12
-	movq	40(%rdi), %rdx
-	movq	%r11, %r13
-	movq	-8(%rdi), %r14
-	movq	-24(%rdi), %rcx
-	movl	%r9d, %ebx
-	leaq	1518500249(%rsi,%r8), %rsi
-	xorq	%rdx, %r12 
-	xorq	%r14, %r12 
-	movl	%esi, %r8d
-	xorl	%ecx, %r12d
-	roll	%r12d
-	roll	$5, %r8d
-	xorq	%r10, %r13 
-	andq	%r9, %r13
-	movq	%r12, -24(%rdi)
-	movq	-24(%rdi), %rax
-	xorq	%r10, %r13 
-	roll	$30, %ebx
-	movl	%esi, %r12d
-	addq	%r13, %r8
-	xorq	%rbx, %rsi 
-	roll	$30, %r12d
-	addq	%r15, %r8
-	movq	-40(%rdi), %r15
-	movq	48(%rdi), %rdx
-	movq	(%rdi), %r14
-	movq	-16(%rdi), %r9
-	leaq	1518500249(%r8,%rax), %r13
-	xorq	%r11, %rsi 
-	xorq	%rdx, %r15 
-	movl	%r13d, %ecx
-	xorq	%r14, %r15 
-	roll	$5, %ecx
-	xorl	%r9d, %r15d
-	addq	%rsi, %rcx
-	roll	%r15d
-	addq	%r10, %rcx
-	movq	%r15, -16(%rdi)
-	movq	-16(%rdi), %rsi
-	movl	%r13d, %r15d
-	movq	-32(%rdi), %r14
-	movq	56(%rdi), %rax
-	xorq	%r12, %r13 
-	movq	8(%rdi), %rdx
-	movq	-8(%rdi), %r10
-	xorq	%rbx, %r13 
-	leaq	1859775393(%rcx,%rsi), %r9
-	roll	$30, %r15d
-	xorq	%rax, %r14 
-	xorq	%rdx, %r14 
-	movl	%r9d, %esi
-	xorl	%r10d, %r14d
-	roll	$5, %esi
-	roll	%r14d
-	addq	%r13, %rsi
-	movq	%r14, -8(%rdi)
-	movq	-8(%rdi), %r8
-	addq	%r11, %rsi
-	movq	-24(%rdi), %r13
-	movq	64(%rdi), %rax
-	movl	%r9d, %r14d
-	movq	16(%rdi), %rdx
-	movq	(%rdi), %r11
-	xorq	%r15, %r9 
-	leaq	1859775393(%rsi,%r8), %r10
-	xorq	%rax, %r13 
-	xorq	%rdx, %r13 
-	movl	%r10d, %r8d
-	xorl	%r11d, %r13d
-	roll	$5, %r8d
-	roll	%r13d
-	xorq	%r12, %r9 
-	roll	$30, %r14d
-	addq	%r9, %r8
-	movq	%r13, (%rdi)
-	movq	(%rdi), %rcx
-	addq	%rbx, %r8
-	movq	-16(%rdi), %rbx
-	movq	72(%rdi), %rax
-	movq	24(%rdi), %rdx
-	movq	8(%rdi), %r9
-	movl	%r10d, %r13d
-	leaq	1859775393(%r8,%rcx), %r11
-	xorq	%r14, %r10 
-	roll	$30, %r13d
-	xorq	%rax, %rbx 
-	xorq	%r15, %r10 
-	xorq	%rdx, %rbx 
-	movl	%r11d, %ecx
-	xorl	%r9d, %ebx
-	roll	$5, %ecx
-	roll	%ebx
-	addq	%r10, %rcx
-	movq	%rbx, 8(%rdi)
-	movq	8(%rdi), %rsi
-	addq	%r12, %rcx
-	movq	-8(%rdi), %r12
-	movq	-48(%rdi), %rax
-	movl	%r11d, %ebx
-	movq	32(%rdi), %rdx
-	movq	16(%rdi), %r9
-	xorq	%r13, %r11 
-	leaq	1859775393(%rcx,%rsi), %r10
-	xorq	%r14, %r11 
-	roll	$30, %ebx
-	xorq	%rax, %r12 
-	xorq	%rdx, %r12 
-	movl	%r10d, %esi
-	xorl	%r9d, %r12d
-	roll	$5, %esi
-	roll	%r12d
-	addq	%r11, %rsi
-	movq	%r12, 16(%rdi)
-	addq	%r15, %rsi
-	movq	16(%rdi), %r8
-	movq	(%rdi), %r15
-	movq	-40(%rdi), %rax
-	movl	%r10d, %r12d
-	movq	40(%rdi), %rdx
-	movq	24(%rdi), %r9
-	xorq	%rbx, %r10 
-	leaq	1859775393(%rsi,%r8), %r11
-	xorq	%r13, %r10 
-	xorq	%rax, %r15 
-	xorq	%rdx, %r15 
-	movl	%r11d, %r8d
-	xorl	%r9d, %r15d
-	roll	$5, %r8d
-	roll	%r15d
-	addq	%r10, %r8
-	movq	%r15, 24(%rdi)
-	movq	24(%rdi), %rcx
-	addq	%r14, %r8
-	movq	8(%rdi), %r14
-	movq	-32(%rdi), %rax
-	roll	$30, %r12d
-	movq	48(%rdi), %rdx
-	movq	32(%rdi), %r10
-	movl	%r11d, %r15d
-	leaq	1859775393(%r8,%rcx), %r9
-	xorq	%r12, %r11 
-	roll	$30, %r15d
-	xorq	%rax, %r14 
-	xorq	%rbx, %r11 
-	xorq	%rdx, %r14 
-	movl	%r9d, %ecx
-	xorl	%r10d, %r14d
-	roll	$5, %ecx
-	roll	%r14d
-	addq	%r11, %rcx
-	movq	%r14, 32(%rdi)
-	addq	%r13, %rcx
-	movq	32(%rdi), %rsi
-	movq	16(%rdi), %r13
-	movq	-24(%rdi), %rax
-	movl	%r9d, %r14d
-	movq	56(%rdi), %rdx
-	movq	40(%rdi), %r11
-	xorq	%r15, %r9 
-	leaq	1859775393(%rcx,%rsi), %r10
-	xorq	%r12, %r9 
-	roll	$30, %r14d
-	xorq	%rax, %r13 
-	xorq	%rdx, %r13 
-	movl	%r10d, %esi
-	xorl	%r11d, %r13d
-	roll	$5, %esi
-	roll	%r13d
-	addq	%r9, %rsi
-	movq	%r13, 40(%rdi)
-	movq	40(%rdi), %r8
-	addq	%rbx, %rsi
-	movq	24(%rdi), %rbx
-	movq	-16(%rdi), %rax
-	movl	%r10d, %r13d
-	movq	64(%rdi), %rdx
-	movq	48(%rdi), %r9
-	xorq	%r14, %r10 
-	leaq	1859775393(%rsi,%r8), %r11
-	xorq	%r15, %r10 
-	roll	$30, %r13d
-	xorq	%rax, %rbx 
-	xorq	%rdx, %rbx 
-	movl	%r11d, %r8d
-	xorl	%r9d, %ebx
-	roll	$5, %r8d
-	roll	%ebx
-	addq	%r10, %r8
-	movq	%rbx, 48(%rdi)
-	addq	%r12, %r8
-	movq	48(%rdi), %rcx
-	movq	32(%rdi), %r12
-	movq	-8(%rdi), %rax
-	movl	%r11d, %ebx
-	movq	72(%rdi), %rdx
-	movq	56(%rdi), %r9
-	leaq	1859775393(%r8,%rcx), %r10
-	xorq	%rax, %r12 
-	xorq	%rdx, %r12 
-	movl	%r10d, %ecx
-	xorl	%r9d, %r12d
-	xorq	%r13, %r11 
-	roll	$5, %ecx
-	xorq	%r14, %r11 
-	roll	%r12d
-	roll	$30, %ebx
-	addq	%r11, %rcx
-	movq	%r12, 56(%rdi)
-	movq	56(%rdi), %rsi
-	addq	%r15, %rcx
-	movq	40(%rdi), %r15
-	movq	(%rdi), %rax
-	movq	-48(%rdi), %rdx
-	movq	64(%rdi), %r9
-	movl	%r10d, %r12d
-	leaq	1859775393(%rcx,%rsi), %r11
-	xorq	%rbx, %r10 
-	roll	$30, %r12d
-	xorq	%rax, %r15 
-	xorq	%r13, %r10 
-	xorq	%rdx, %r15 
-	movl	%r11d, %esi
-	xorl	%r9d, %r15d
-	roll	$5, %esi
-	roll	%r15d
-	addq	%r10, %rsi
-	movq	%r15, 64(%rdi)
-	movq	64(%rdi), %r8
-	addq	%r14, %rsi
-	movq	48(%rdi), %r14
-	movq	8(%rdi), %rax
-	movl	%r11d, %r15d
-	movq	-40(%rdi), %rdx
-	movq	72(%rdi), %r10
-	xorq	%r12, %r11 
-	leaq	1859775393(%rsi,%r8), %r9
-	xorq	%rbx, %r11 
-	roll	$30, %r15d
-	xorq	%rax, %r14 
-	xorq	%rdx, %r14 
-	movl	%r9d, %r8d
-	xorl	%r10d, %r14d
-	roll	$5, %r8d
-	roll	%r14d
-	addq	%r11, %r8
-	movq	%r14, 72(%rdi)
-	addq	%r13, %r8
-	movq	72(%rdi), %rcx
-	movq	56(%rdi), %r13
-	movq	16(%rdi), %rax
-	movl	%r9d, %r14d
-	movq	-32(%rdi), %rdx
-	movq	-48(%rdi), %r11
-	leaq	1859775393(%r8,%rcx), %r10
-	xorq	%rax, %r13 
-	xorq	%rdx, %r13 
-	movl	%r10d, %ecx
-	xorl	%r11d, %r13d
-	roll	$5, %ecx
-	roll	%r13d
-	xorq	%r15, %r9 
-	roll	$30, %r14d
-	xorq	%r12, %r9 
-	movq	%r13, -48(%rdi)
-	movq	-48(%rdi), %rsi
-	addq	%r9, %rcx
-	movl	%r10d, %r13d
-	xorq	%r14, %r10 
-	addq	%rbx, %rcx
-	movq	64(%rdi), %rbx
-	movq	24(%rdi), %rax
-	movq	-24(%rdi), %rdx
-	leaq	1859775393(%rcx,%rsi), %r11
-	movq	-40(%rdi), %r9
-	xorq	%r15, %r10 
-	roll	$30, %r13d
-	xorq	%rax, %rbx 
-	movl	%r11d, %esi
-	xorq	%rdx, %rbx 
-	roll	$5, %esi
-	xorl	%r9d, %ebx
-	addq	%r10, %rsi
-	roll	%ebx
-	addq	%r12, %rsi
-	movq	%rbx, -40(%rdi)
-	movq	-40(%rdi), %r8
-	movl	%r11d, %ebx
-	movq	72(%rdi), %r12
-	movq	32(%rdi), %rax
-	xorq	%r13, %r11 
-	movq	-16(%rdi), %rdx
-	movq	-32(%rdi), %r9
-	xorq	%r14, %r11 
-	leaq	1859775393(%rsi,%r8), %r10
-	roll	$30, %ebx
-	xorq	%rax, %r12 
-	xorq	%rdx, %r12 
-	movl	%r10d, %r8d
-	xorl	%r9d, %r12d
-	roll	$5, %r8d
-	roll	%r12d
-	addq	%r11, %r8
-	movq	%r12, -32(%rdi)
-	movq	-32(%rdi), %rcx
-	addq	%r15, %r8
-	movq	-48(%rdi), %r15
-	movq	40(%rdi), %rax
-	movl	%r10d, %r12d
-	movq	-8(%rdi), %rdx
-	movq	-24(%rdi), %r9
-	xorq	%rbx, %r10 
-	leaq	1859775393(%r8,%rcx), %r11
-	xorq	%r13, %r10 
-	xorq	%rax, %r15 
-	xorq	%rdx, %r15 
-	movl	%r11d, %ecx
-	xorl	%r9d, %r15d
-	roll	$5, %ecx
-	roll	%r15d
-	addq	%r10, %rcx
-	addq	%r14, %rcx
-	movq	%r15, -24(%rdi)
-	movq	-24(%rdi), %rsi
-	movq	-40(%rdi), %r14
-	movq	48(%rdi), %rax
-	roll	$30, %r12d
-	movq	(%rdi), %rdx
-	movq	-16(%rdi), %r10
-	movl	%r11d, %r15d
-	leaq	1859775393(%rcx,%rsi), %r9
-	xorq	%r12, %r11 
-	roll	$30, %r15d
-	xorq	%rax, %r14 
-	xorq	%rbx, %r11 
-	xorq	%rdx, %r14 
-	movl	%r9d, %esi
-	xorl	%r10d, %r14d
-	roll	$5, %esi
-	roll	%r14d
-	addq	%r11, %rsi
-	movq	%r14, -16(%rdi)
-	movq	-16(%rdi), %r8
-	addq	%r13, %rsi
-	movq	-32(%rdi), %r11
-	movq	56(%rdi), %rax
-	movl	%r9d, %r14d
-	movq	8(%rdi), %rdx
-	movq	-8(%rdi), %r10
-	xorq	%r15, %r9 
-	leaq	1859775393(%rsi,%r8), %r13
-	xorq	%r12, %r9 
-	roll	$30, %r14d
-	xorq	%rax, %r11 
-	xorq	%rdx, %r11 
-	movl	%r13d, %r8d
-	xorl	%r10d, %r11d
-	roll	$5, %r8d
-	movl	%r13d, %r10d
-	roll	%r11d
-	addq	%r9, %r8
-	xorq	%r14, %r13 
-	movq	%r11, -8(%rdi)
-	addq	%rbx, %r8
-	movq	-8(%rdi), %rbx
-	movq	-24(%rdi), %r9
-	movq	64(%rdi), %rax
-	xorq	%r15, %r13 
-	movq	16(%rdi), %rdx
-	movq	(%rdi), %rcx
-	leaq	1859775393(%r8,%rbx), %r11
-	xorq	%rax, %r9 
-	xorq	%rdx, %r9 
-	movl	%r11d, %ebx
-	xorl	%ecx, %r9d
-	roll	$5, %ebx
-	roll	%r9d
-	addq	%r13, %rbx
-	movq	%r9, (%rdi)
-	movq	(%rdi), %rsi
-	addq	%r12, %rbx
-	movq	-16(%rdi), %r12
-	movq	72(%rdi), %r13
-	movl	%r11d, %r9d
-	leaq	1859775393(%rbx,%rsi), %rcx
-	movl	%r10d, %ebx
-	movq	24(%rdi), %r10
-	movq	8(%rdi), %rax
-	xorq	%r13, %r12 
-	roll	$30, %ebx
-	movl	%ecx, %esi
-	xorq	%r10, %r12 
-	xorq	%rbx, %r11 
-	roll	$5, %esi
-	xorl	%eax, %r12d
-	xorq	%r14, %r11 
-	roll	$30, %r9d
-	roll	%r12d
-	addq	%r11, %rsi
-	movq	%rcx, %rax
-	movq	%r12, 8(%rdi)
-	movq	8(%rdi), %rdx
-	addq	%r15, %rsi
-	movq	-8(%rdi), %r11
-	movq	-48(%rdi), %r13
-	movl	%ecx, %r12d
-	movq	32(%rdi), %r10
-	movq	16(%rdi), %r8
-	orq	%r9, %rcx
-	leaq	1859775393(%rsi,%rdx), %rsi
-	andq	%rbx, %rcx
-	andq	%r9, %rax
-	xorq	%r13, %r11 
-	orq	%rcx, %rax
-	roll	$30, %r12d
-	xorq	%r10, %r11 
-	movq	%rsi, %r10
-	xorl	%r8d, %r11d
-	movl	%esi, %r8d
-	andq	%r12, %r10
-	roll	%r11d
-	roll	$5, %r8d
-	movq	%r11, 16(%rdi)
-	addq	%rax, %r8
-	movq	16(%rdi), %r15
-	movq	(%rdi), %r13
-	movq	-40(%rdi), %rdx
-	addq	%r14, %r8
-	movq	40(%rdi), %r14
-	movq	24(%rdi), %rcx
-	movl	%esi, %r11d
-	addq	%r15, %r8
-	movl	$2400959708, %r15d
-	orq	%r12, %rsi
-	xorq	%rdx, %r13 
-	addq	%r15, %r8
-	andq	%r9, %rsi
-	xorq	%r14, %r13 
-	orq	%rsi, %r10
-	xorl	%ecx, %r13d
-	movl	%r8d, %ecx
-	roll	%r13d
-	roll	$5, %ecx
-	movq	%r13, 24(%rdi)
-	addq	%r10, %rcx
-	movq	24(%rdi), %rax
-	movq	8(%rdi), %r14
-	movq	-32(%rdi), %rdx
-	addq	%rbx, %rcx
-	movq	48(%rdi), %rbx
-	movq	32(%rdi), %rsi
-	roll	$30, %r11d
-	addq	%rax, %rcx
-	movl	%r8d, %r13d
-	movq	%r8, %r10
-	xorq	%rdx, %r14 
-	addq	%r15, %rcx
-	orq	%r11, %r8
-	xorq	%rbx, %r14 
-	andq	%r12, %r8
-	andq	%r11, %r10
-	xorl	%esi, %r14d
-	movl	%ecx, %esi
-	orq	%r8, %r10
-	roll	$5, %esi
-	roll	%r14d
-	roll	$30, %r13d
-	addq	%r10, %rsi
-	movq	%r14, 32(%rdi)
-	movq	32(%rdi), %rax
-	addq	%r9, %rsi
-	movq	16(%rdi), %r9
-	movq	-24(%rdi), %rdx
-	movq	56(%rdi), %rbx
-	movq	40(%rdi), %r8
-	movl	%ecx, %r14d
-	addq	%rax, %rsi
-	movq	%rcx, %r10
-	orq	%r13, %rcx
-	xorq	%rdx, %r9 
-	addq	%r15, %rsi
-	andq	%r11, %rcx
-	xorq	%rbx, %r9 
-	andq	%r13, %r10
-	roll	$30, %r14d
-	xorl	%r8d, %r9d
-	movl	%esi, %r8d
-	orq	%rcx, %r10
-	roll	%r9d
-	roll	$5, %r8d
-	movq	%r9, 40(%rdi)
-	addq	%r10, %r8
-	movq	40(%rdi), %rax
-	movq	24(%rdi), %r10
-	movq	-16(%rdi), %rdx
-	addq	%r12, %r8
-	movq	64(%rdi), %rbx
-	movq	48(%rdi), %rcx
-	movl	%esi, %r9d
-	addq	%rax, %r8
-	movq	%rsi, %r12
-	xorq	%rdx, %r10 
-	addq	%r15, %r8
-	xorq	%rbx, %r10 
-	orq	%r14, %rsi
-	andq	%r14, %r12
-	andq	%r13, %rsi
-	xorl	%ecx, %r10d
-	movl	%r8d, %ecx
-	orq	%rsi, %r12
-	roll	%r10d
-	roll	$5, %ecx
-	movq	%r10, 48(%rdi)
-	addq	%r12, %rcx
-	movq	48(%rdi), %rax
-	movq	32(%rdi), %r12
-	movq	-8(%rdi), %rdx
-	addq	%r11, %rcx
-	movq	72(%rdi), %rbx
-	movq	56(%rdi), %rsi
-	roll	$30, %r9d
-	addq	%rax, %rcx
-	movl	%r8d, %r10d
-	movq	%r8, %r11
-	xorq	%rdx, %r12 
-	addq	%r15, %rcx
-	orq	%r9, %r8
-	xorq	%rbx, %r12 
-	andq	%r14, %r8
-	andq	%r9, %r11
-	xorl	%esi, %r12d
-	movl	%ecx, %esi
-	orq	%r8, %r11
-	roll	%r12d
-	roll	$5, %esi
-	roll	$30, %r10d
-	movq	%r12, 56(%rdi)
-	addq	%r11, %rsi
-	movq	56(%rdi), %rax
-	movq	40(%rdi), %r11
-	movq	(%rdi), %rdx
-	addq	%r13, %rsi
-	movq	-48(%rdi), %rbx
-	movq	64(%rdi), %r8
-	movq	%rcx, %r13
-	addq	%rax, %rsi
-	andq	%r10, %r13
-	movl	%ecx, %r12d
-	xorq	%rdx, %r11 
-	addq	%r15, %rsi
-	xorq	%rbx, %r11 
-	xorl	%r8d, %r11d
-	movl	%esi, %r8d
-	roll	%r11d
-	roll	$5, %r8d
-	orq	%r10, %rcx
-	andq	%r9, %rcx
-	movq	%r11, 64(%rdi)
-	movq	64(%rdi), %rax
-	orq	%rcx, %r13
-	roll	$30, %r12d
-	movl	%esi, %r11d
-	addq	%r13, %r8
-	movq	48(%rdi), %r13
-	movq	8(%rdi), %rdx
-	movq	-40(%rdi), %rbx
-	addq	%r14, %r8
-	movq	72(%rdi), %rcx
-	addq	%rax, %r8
-	movq	%rsi, %r14
-	orq	%r12, %rsi
-	xorq	%rdx, %r13 
-	addq	%r15, %r8
-	andq	%r10, %rsi
-	xorq	%rbx, %r13 
-	andq	%r12, %r14
-	roll	$30, %r11d
-	xorl	%ecx, %r13d
-	movl	%r8d, %ecx
-	orq	%rsi, %r14
-	roll	%r13d
-	roll	$5, %ecx
-	movq	%r13, 72(%rdi)
-	addq	%r14, %rcx
-	movq	72(%rdi), %rax
-	movq	56(%rdi), %r14
-	movq	16(%rdi), %rdx
-	addq	%r9, %rcx
-	movq	-32(%rdi), %rbx
-	movq	-48(%rdi), %rsi
-	movl	%r8d, %r13d
-	addq	%rax, %rcx
-	movq	%r8, %r9
-	orq	%r11, %r8
-	xorq	%rdx, %r14 
-	addq	%r15, %rcx
-	andq	%r12, %r8
-	xorq	%rbx, %r14 
-	andq	%r11, %r9
-	xorl	%esi, %r14d
-	movl	%ecx, %esi
-	orq	%r8, %r9
-	roll	$5, %esi
-	roll	%r14d
-	addq	%r9, %rsi
-	movq	%r14, -48(%rdi)
-	movq	-48(%rdi), %rax
-	addq	%r10, %rsi
-	movq	64(%rdi), %r10
-	movq	24(%rdi), %rdx
-	movq	-24(%rdi), %rbx
-	movq	-40(%rdi), %r8
-	movl	%ecx, %r14d
-	addq	%rax, %rsi
-	roll	$30, %r13d
-	movq	%rcx, %r9
-	xorq	%rdx, %r10 
-	addq	%r15, %rsi
-	orq	%r13, %rcx
-	xorq	%rbx, %r10 
-	andq	%r11, %rcx
-	andq	%r13, %r9
-	xorl	%r8d, %r10d
-	movl	%esi, %r8d
-	orq	%rcx, %r9
-	roll	$5, %r8d
-	roll	%r10d
-	roll	$30, %r14d
-	addq	%r9, %r8
-	movq	%r10, -40(%rdi)
-	movq	-40(%rdi), %rax
-	addq	%r12, %r8
-	movq	72(%rdi), %r12
-	movq	32(%rdi), %rdx
-	movq	-16(%rdi), %rbx
-	movq	-32(%rdi), %rcx
-	movl	%esi, %r10d
-	addq	%rax, %r8
-	movq	%rsi, %r9
-	orq	%r14, %rsi
-	xorq	%rdx, %r12 
-	addq	%r15, %r8
-	andq	%r13, %rsi
-	xorq	%rbx, %r12 
-	andq	%r14, %r9
-	roll	$30, %r10d
-	xorl	%ecx, %r12d
-	movl	%r8d, %ecx
-	orq	%rsi, %r9
-	roll	$5, %ecx
-	roll	%r12d
-	addq	%r9, %rcx
-	movq	%r12, -32(%rdi)
-	movq	-32(%rdi), %rax
-	addq	%r11, %rcx
-	movq	-48(%rdi), %r11
-	movq	40(%rdi), %rdx
-	movq	-8(%rdi), %rbx
-	movq	-24(%rdi), %rsi
-	movl	%r8d, %r12d
-	addq	%rax, %rcx
-	movq	%r8, %r9
-	xorq	%rdx, %r11 
-	addq	%r15, %rcx
-	xorq	%rbx, %r11 
-	xorl	%esi, %r11d
-	orq	%r10, %r8
-	andq	%r10, %r9
-	andq	%r14, %r8
-	movl	%ecx, %esi
-	roll	%r11d
-	orq	%r8, %r9
-	roll	$5, %esi
-	movq	%r11, -24(%rdi)
-	addq	%r9, %rsi
-	movq	-24(%rdi), %rax
-	roll	$30, %r12d
-	addq	%r13, %rsi
-	movq	-40(%rdi), %r13
-	movq	48(%rdi), %rdx
-	movq	(%rdi), %rbx
-	movq	-16(%rdi), %r8
-	movl	%ecx, %r11d
-	addq	%rax, %rsi
-	movq	%rcx, %r9
-	orq	%r12, %rcx
-	xorq	%rdx, %r13 
-	addq	%r15, %rsi
-	andq	%r10, %rcx
-	xorq	%rbx, %r13 
-	andq	%r12, %r9
-	roll	$30, %r11d
-	xorl	%r8d, %r13d
-	movl	%esi, %r8d
-	orq	%rcx, %r9
-	roll	%r13d
-	roll	$5, %r8d
-	movq	%r13, -16(%rdi)
-	addq	%r9, %r8
-	movq	-16(%rdi), %rax
-	movq	-32(%rdi), %r9
-	movq	56(%rdi), %rdx
-	addq	%r14, %r8
-	movq	8(%rdi), %rcx
-	movq	-8(%rdi), %rbx
-	movl	%esi, %r13d
-	addq	%rax, %r8
-	movq	%rsi, %r14
-	orq	%r11, %rsi
-	xorq	%rdx, %r9 
-	addq	%r15, %r8
-	andq	%r11, %r14
-	xorq	%rcx, %r9 
-	xorl	%ebx, %r9d
-	movl	%r8d, %ebx
-	roll	%r9d
-	roll	$5, %ebx
-	andq	%r12, %rsi
-	orq	%rsi, %r14
-	movq	%r9, -8(%rdi)
-	movq	-8(%rdi), %rax
-	addq	%r14, %rbx
-	movq	-24(%rdi), %r14
-	movq	64(%rdi), %rdx
-	movq	16(%rdi), %rcx
-	addq	%r10, %rbx
-	movq	(%rdi), %rsi
-	roll	$30, %r13d
-	addq	%rax, %rbx
-	movl	%r8d, %r9d
-	xorq	%rdx, %r14 
-	addq	%r15, %rbx
-	movq	%r8, %r10
-	xorq	%rcx, %r14 
-	orq	%r13, %r8
-	andq	%r13, %r10
-	andq	%r11, %r8
-	xorl	%esi, %r14d
-	movl	%ebx, %esi
-	orq	%r8, %r10
-	roll	$5, %esi
-	roll	%r14d
-	addq	%r10, %rsi
-	movq	%r14, (%rdi)
-	movq	(%rdi), %rax
-	addq	%r12, %rsi
-	movq	-16(%rdi), %r12
-	movq	72(%rdi), %rdx
-	movq	24(%rdi), %rcx
-	movq	8(%rdi), %r8
-	roll	$30, %r9d
-	addq	%rax, %rsi
-	movl	%ebx, %r14d
-	movq	%rbx, %r10
-	xorq	%rdx, %r12 
-	addq	%r15, %rsi
-	orq	%r9, %rbx
-	xorq	%rcx, %r12 
-	andq	%r13, %rbx
-	andq	%r9, %r10
-	xorl	%r8d, %r12d
-	movl	%esi, %r8d
-	orq	%rbx, %r10
-	roll	%r12d
-	roll	$5, %r8d
-	movq	%r12, 8(%rdi)
-	movq	8(%rdi), %rax
-	addq	%r10, %r8
-	movq	-8(%rdi), %rbx
-	movq	-48(%rdi), %rdx
-	addq	%r11, %r8
-	movq	32(%rdi), %r11
-	movq	16(%rdi), %rcx
-	movl	%esi, %r12d
-	addq	%rax, %r8
-	movq	%rsi, %r10
-	addq	%r15, %r8
-	xorq	%rdx, %rbx 
-	roll	$30, %r14d
-	xorq	%r11, %rbx 
-	orq	%r14, %rsi
-	andq	%r14, %r10
-	xorl	%ecx, %ebx
-	andq	%r9, %rsi
-	movl	%r8d, %ecx
-	roll	%ebx
-	orq	%rsi, %r10
-	roll	$5, %ecx
-	movq	%rbx, 16(%rdi)
-	movq	16(%rdi), %rsi
-	addq	%r10, %rcx
-	movq	(%rdi), %r11
-	movq	-40(%rdi), %rax
-	addq	%r13, %rcx
-	movq	40(%rdi), %rdx
-	movq	24(%rdi), %r13
-	roll	$30, %r12d
-	addq	%rsi, %rcx
-	movl	%r8d, %ebx
-	movq	%r8, %r10
-	xorq	%rax, %r11 
-	addq	%r15, %rcx
-	orq	%r12, %r8
-	xorq	%rdx, %r11 
-	andq	%r14, %r8
-	andq	%r12, %r10
-	xorl	%r13d, %r11d
-	movl	%ecx, %r13d
-	orq	%r8, %r10
-	roll	%r11d
-	roll	$5, %r13d
-	roll	$30, %ebx
-	movq	%r11, 24(%rdi)
-	addq	%r10, %r13
-	movq	24(%rdi), %rsi
-	movq	8(%rdi), %r10
-	movq	-32(%rdi), %rax
-	addq	%r9, %r13
-	movq	48(%rdi), %rdx
-	movq	32(%rdi), %r8
-	movl	%ecx, %r11d
-	addq	%rsi, %r13
-	movq	%rcx, %r9
-	xorq	%rax, %r10 
-	addq	%r15, %r13
-	xorq	%rdx, %r10 
-	xorl	%r8d, %r10d
-	movl	%r13d, %r8d
-	roll	%r10d
-	orq	%rbx, %rcx
-	andq	%rbx, %r9
-	movq	%r10, 32(%rdi)
-	andq	%r12, %rcx
-	movl	%r13d, %r10d
-	orq	%rcx, %r9
-	roll	$5, %r10d
-	movq	32(%rdi), %rsi
-	addq	%r9, %r10
-	roll	$30, %r11d
-	movq	%r13, %rcx
-	addq	%r14, %r10
-	movq	16(%rdi), %r14
-	movq	-24(%rdi), %rax
-	movq	56(%rdi), %rdx
-	movq	40(%rdi), %r9
-	addq	%rsi, %r10
-	addq	%r15, %r10
-	orq	%r11, %r13
-	andq	%r11, %rcx
-	xorq	%rax, %r14 
-	andq	%rbx, %r13
-	xorq	%rdx, %r14 
-	orq	%r13, %rcx
-	xorl	%r9d, %r14d
-	movl	%r10d, %r9d
-	roll	%r14d
-	roll	$5, %r9d
-	movq	%r14, 40(%rdi)
-	movq	40(%rdi), %rsi
-	addq	%rcx, %r9
-	movq	24(%rdi), %r13
-	addq	%r12, %r9
-	movq	-16(%rdi), %r12
-	movq	64(%rdi), %rax
-	movl	%r10d, %r14d
-	addq	%rsi, %r9
-	movl	%r8d, %esi
-	addq	%r15, %r9
-	movq	48(%rdi), %r15
-	xorq	%r12, %r13 
-	roll	$30, %esi
-	xorq	%rax, %r13 
-	xorq	%rsi, %r10 
-	xorl	%r15d, %r13d
-	movl	%r9d, %r15d
-	xorq	%r11, %r10 
-	roll	$5, %r15d
-	roll	%r13d
-	addq	%r10, %r15
-	movq	%r13, 48(%rdi)
-	movq	48(%rdi), %r10
-	addq	%rbx, %r15
-	movq	32(%rdi), %rbx
-	movq	-8(%rdi), %r8
-	movq	72(%rdi), %rdx
-	movq	56(%rdi), %rcx
-	roll	$30, %r14d
-	addq	%r10, %r15
-	movl	$3395469782, %r10d
-	movl	%r9d, %r13d
-	xorq	%r8, %rbx 
-	addq	%r10, %r15
-	xorq	%r14, %r9 
-	xorq	%rdx, %rbx 
-	xorq	%rsi, %r9 
-	roll	$30, %r13d
-	xorl	%ecx, %ebx
-	movl	%r15d, %ecx
-	roll	%ebx
-	roll	$5, %ecx
-	movq	%rbx, 56(%rdi)
-	addq	%r9, %rcx
-	movq	56(%rdi), %r12
-	movq	40(%rdi), %r9
-	movq	(%rdi), %rax
-	addq	%r11, %rcx
-	movq	-48(%rdi), %r8
-	movq	64(%rdi), %r11
-	movl	%r15d, %ebx
-	addq	%r12, %rcx
-	xorq	%r13, %r15 
-	roll	$30, %ebx
-	xorq	%rax, %r9 
-	addq	%r10, %rcx
-	xorq	%r14, %r15 
-	xorq	%r8, %r9 
-	xorl	%r11d, %r9d
-	movl	%ecx, %r11d
-	roll	%r9d
-	roll	$5, %r11d
-	movq	%r9, 64(%rdi)
-	addq	%r15, %r11
-	movq	64(%rdi), %rdx
-	movq	48(%rdi), %r15
-	movq	8(%rdi), %r12
-	addq	%rsi, %r11
-	movq	-40(%rdi), %rax
-	movq	72(%rdi), %r8
-	movl	%ecx, %r9d
-	addq	%rdx, %r11
-	xorq	%r12, %r15 
-	addq	%r10, %r11
-	xorq	%rax, %r15 
-	xorl	%r8d, %r15d
-	movl	%r11d, %r8d
-	roll	%r15d
-	roll	$5, %r8d
-	xorq	%rbx, %rcx 
-	xorq	%r13, %rcx 
-	movq	%r15, 72(%rdi)
-	movq	72(%rdi), %rsi
-	addq	%rcx, %r8
-	movq	56(%rdi), %r12
-	movq	16(%rdi), %rcx
-	movq	-32(%rdi), %rdx
-	addq	%r14, %r8
-	movq	-48(%rdi), %r14
-	addq	%rsi, %r8
-	roll	$30, %r9d
-	movl	%r11d, %r15d
-	xorq	%rcx, %r12 
-	addq	%r10, %r8
-	xorq	%r9, %r11 
-	xorq	%rdx, %r12 
-	xorq	%rbx, %r11 
-	roll	$30, %r15d
-	xorl	%r14d, %r12d
-	movl	%r8d, %r14d
-	roll	$5, %r14d
-	roll	%r12d
-	addq	%r11, %r14
-	movq	%r12, -48(%rdi)
-	movq	-48(%rdi), %rax
-	addq	%r13, %r14
-	movq	64(%rdi), %r13
-	movq	24(%rdi), %rsi
-	movq	-24(%rdi), %rcx
-	movq	-40(%rdi), %r11
-	movl	%r8d, %r12d
-	addq	%rax, %r14
-	xorq	%r15, %r8 
-	roll	$30, %r12d
-	xorq	%rsi, %r13 
-	addq	%r10, %r14
-	xorq	%r9, %r8 
-	xorq	%rcx, %r13 
-	xorl	%r11d, %r13d
-	movl	%r14d, %r11d
-	roll	$5, %r11d
-	roll	%r13d
-	addq	%r8, %r11
-	movq	%r13, -40(%rdi)
-	movq	-40(%rdi), %rdx
-	addq	%rbx, %r11
-	movq	72(%rdi), %rbx
-	movq	32(%rdi), %rax
-	movq	-16(%rdi), %rsi
-	movq	-32(%rdi), %r8
-	movl	%r14d, %r13d
-	addq	%rdx, %r11
-	xorq	%rax, %rbx 
-	addq	%r10, %r11
-	xorq	%rsi, %rbx 
-	xorl	%r8d, %ebx
-	xorq	%r12, %r14 
-	movl	%r11d, %r8d
-	xorq	%r15, %r14 
-	roll	%ebx
-	roll	$5, %r8d
-	movq	%rbx, -32(%rdi)
-	addq	%r14, %r8
-	movq	-32(%rdi), %rcx
-	movq	-48(%rdi), %r14
-	movq	40(%rdi), %rdx
-	addq	%r9, %r8
-	movq	-8(%rdi), %rax
-	movq	-24(%rdi), %r9
-	roll	$30, %r13d
-	addq	%rcx, %r8
-	movl	%r11d, %ebx
-	xorq	%r13, %r11 
-	xorq	%rdx, %r14 
-	addq	%r10, %r8
-	xorq	%r12, %r11 
-	xorq	%rax, %r14 
-	roll	$30, %ebx
-	xorl	%r9d, %r14d
-	movl	%r8d, %r9d
-	roll	$5, %r9d
-	roll	%r14d
-	addq	%r11, %r9
-	movq	%r14, -24(%rdi)
-	movq	-24(%rdi), %rsi
-	addq	%r15, %r9
-	movq	-40(%rdi), %r15
-	movq	48(%rdi), %rcx
-	movq	(%rdi), %rdx
-	movq	-16(%rdi), %r11
-	movl	%r8d, %r14d
-	addq	%rsi, %r9
-	xorq	%rbx, %r8 
-	xorq	%rcx, %r15 
-	addq	%r10, %r9
-	xorq	%r13, %r8 
-	xorq	%rdx, %r15 
-	xorl	%r11d, %r15d
-	movl	%r9d, %r11d
-	roll	%r15d
-	roll	$5, %r11d
-	movq	%r15, -16(%rdi)
-	addq	%r8, %r11
-	movq	-16(%rdi), %rax
-	addq	%r12, %r11
-	movq	-32(%rdi), %r12
-	movq	56(%rdi), %rsi
-	movq	8(%rdi), %rcx
-	movq	-8(%rdi), %r8
-	movl	%r9d, %r15d
-	addq	%rax, %r11
-	addq	%r10, %r11
-	roll	$30, %r14d
-	xorq	%rsi, %r12 
-	xorq	%rcx, %r12 
-	xorq	%r14, %r9 
-	roll	$30, %r15d
-	xorl	%r8d, %r12d
-	movl	%r11d, %r8d
-	xorq	%rbx, %r9 
-	roll	$5, %r8d
-	roll	%r12d
-	addq	%r9, %r8
-	movq	%r12, -8(%rdi)
-	movq	-8(%rdi), %rdx
-	addq	%r13, %r8
-	movq	-24(%rdi), %r13
-	movq	64(%rdi), %rax
-	movq	16(%rdi), %rsi
-	movq	(%rdi), %rcx
-	movl	%r11d, %r12d
-	addq	%rdx, %r8
-	xorq	%r15, %r11 
-	roll	$30, %r12d
-	xorq	%rax, %r13 
-	addq	%r10, %r8
-	xorq	%r14, %r11 
-	xorq	%rsi, %r13 
-	xorl	%ecx, %r13d
-	movl	%r8d, %ecx
-	roll	$5, %ecx
-	roll	%r13d
-	addq	%r11, %rcx
-	movq	%r13, (%rdi)
-	movq	(%rdi), %r9
-	addq	%rbx, %rcx
-	movq	-16(%rdi), %rbx
-	movq	72(%rdi), %rdx
-	movq	24(%rdi), %rax
-	movq	8(%rdi), %rsi
-	movl	%r8d, %r13d
-	addq	%r9, %rcx
-	xorq	%r12, %r8 
-	xorq	%rdx, %rbx 
-	addq	%r10, %rcx
-	xorq	%r15, %r8 
-	xorq	%rax, %rbx 
-	xorl	%esi, %ebx
-	movl	%ecx, %esi
-	roll	$5, %esi
-	roll	%ebx
-	addq	%r8, %rsi
-	movq	%rbx, 8(%rdi)
-	movq	8(%rdi), %r11
-	addq	%r14, %rsi
-	movq	-8(%rdi), %r14
-	movq	-48(%rdi), %r9
-	movq	32(%rdi), %rdx
-	movq	16(%rdi), %r8
-	roll	$30, %r13d
-	addq	%r11, %rsi
-	movl	%ecx, %ebx
-	xorq	%r13, %rcx 
-	xorq	%r9, %r14 
-	addq	%r10, %rsi
-	xorq	%r12, %rcx 
-	xorq	%rdx, %r14 
-	roll	$30, %ebx
-	xorl	%r8d, %r14d
-	movl	%esi, %r8d
-	roll	$5, %r8d
-	roll	%r14d
-	addq	%rcx, %r8
-	movq	%r14, 16(%rdi)
-	movq	16(%rdi), %rax
-	addq	%r15, %r8
-	movq	(%rdi), %r15
-	movq	-40(%rdi), %r11
-	movq	40(%rdi), %r9
-	movq	24(%rdi), %rcx
-	movl	%esi, %r14d
-	addq	%rax, %r8
-	xorq	%rbx, %rsi 
-	roll	$30, %r14d
-	xorq	%r11, %r15 
-	addq	%r10, %r8
-	xorq	%r13, %rsi 
-	xorq	%r9, %r15 
-	xorl	%ecx, %r15d
-	movl	%r8d, %ecx
-	roll	%r15d
-	roll	$5, %ecx
-	movq	%r15, 24(%rdi)
-	addq	%rsi, %rcx
-	movq	24(%rdi), %rdx
-	movq	8(%rdi), %r11
-	movq	-32(%rdi), %rax
-	addq	%r12, %rcx
-	movq	48(%rdi), %r12
-	movq	32(%rdi), %rsi
-	movl	%r8d, %r15d
-	addq	%rdx, %rcx
-	xorq	%rax, %r11 
-	addq	%r10, %rcx
-	xorq	%r12, %r11 
-	xorl	%esi, %r11d
-	movl	%ecx, %esi
-	roll	%r11d
-	movq	%r11, 32(%rdi)
-	movl	%ecx, %r11d
-	movq	32(%rdi), %r9
-	roll	$5, %r11d
-	xorq	%r14, %r8 
-	movq	16(%rdi), %r12
-	xorq	%rbx, %r8 
-	movq	-24(%rdi), %rdx
-	movq	56(%rdi), %rax
-	addq	%r8, %r11
-	movq	40(%rdi), %r8
-	roll	$30, %r15d
-	addq	%r13, %r11
-	xorq	%r15, %rcx 
-	addq	%r9, %r11
-	xorq	%rdx, %r12 
-	xorq	%r14, %rcx 
-	addq	%r10, %r11
-	xorq	%rax, %r12 
-	xorl	%r8d, %r12d
-	movl	%r11d, %r8d
-	roll	$5, %r8d
-	roll	%r12d
-	addq	%rcx, %r8
-	movq	%r12, 40(%rdi)
-	movq	40(%rdi), %r13
-	addq	%rbx, %r8
-	movq	24(%rdi), %rbx
-	movq	-16(%rdi), %r9
-	movq	64(%rdi), %rdx
-	movq	48(%rdi), %rcx
-	movl	%r11d, %r12d
-	addq	%r13, %r8
-	movl	%esi, %r13d
-	roll	$30, %r12d
-	xorq	%r9, %rbx 
-	addq	%r10, %r8
-	roll	$30, %r13d
-	xorq	%rdx, %rbx 
-	xorq	%r13, %r11 
-	xorl	%ecx, %ebx
-	movl	%r8d, %ecx
-	xorq	%r15, %r11 
-	roll	%ebx
-	roll	$5, %ecx
-	movq	%rbx, 48(%rdi)
-	addq	%r11, %rcx
-	movq	48(%rdi), %rax
-	movq	32(%rdi), %r11
-	movq	-8(%rdi), %rsi
-	addq	%r14, %rcx
-	movq	72(%rdi), %r9
-	movq	56(%rdi), %r14
-	movl	%r8d, %ebx
-	addq	%rax, %rcx
-	xorq	%rsi, %r11 
-	addq	%r10, %rcx
-	xorq	%r9, %r11 
-	xorl	%r14d, %r11d
-	xorq	%r12, %r8 
-	movl	%ecx, %r14d
-	xorq	%r13, %r8 
-	roll	%r11d
-	roll	$5, %r14d
-	movq	%r11, 56(%rdi)
-	addq	%r8, %r14
-	movq	56(%rdi), %rdx
-	movq	40(%rdi), %r8
-	movq	(%rdi), %rax
-	addq	%r15, %r14
-	movq	-48(%rdi), %r15
-	movq	64(%rdi), %rsi
-	roll	$30, %ebx
-	addq	%rdx, %r14
-	movl	%ecx, %r11d
-	xorq	%rbx, %rcx 
-	xorq	%rax, %r8 
-	addq	%r10, %r14
-	xorq	%r12, %rcx 
-	xorq	%r15, %r8 
-	roll	$30, %r11d
-	xorl	%esi, %r8d
-	movl	%r14d, %esi
-	roll	%r8d
-	roll	$5, %esi
-	movq	%r8, 64(%rdi)
-	movq	64(%rdi), %r9
-	addq	%rcx, %rsi
-	movq	48(%rdi), %r15
-	movq	8(%rdi), %rcx
-	addq	%r13, %rsi
-	movq	-40(%rdi), %rdx
-	movq	72(%rdi), %rax
-	movl	%r14d, %r8d
-	addq	%r9, %rsi
-	xorq	%r11, %r14 
-	addq	%r10, %rsi
-	xorq	%rcx, %r15 
-	xorq	%rbx, %r14 
-	xorq	%rdx, %r15 
-	movl	%esi, %r13d
-	xorl	%eax, %r15d
-	roll	$5, %r13d
-	roll	%r15d
-	addq	%r14, %r13
-	movq	%r15, 72(%rdi)
-	addq	%r12, %r13
-	movq	72(%rdi), %r12
-	addq	%r12, %r13
-	addq	%r10, %r13
-	movq	-88(%rdi), %r10
-	roll	$30, %r8d
-	addq	%r13, %r10
-	movq	%r10, -88(%rdi)
-	movq	-80(%rdi), %r9
-	addq	%rsi, %r9
-	movq	%r9, -80(%rdi)
-	movq	-72(%rdi), %rcx
-	addq	%r8, %rcx
-	movq	%rcx, -72(%rdi)
-	movq	-64(%rdi), %rdx
-	addq	%r11, %rdx
-	movq	%rdx, -64(%rdi)
-	movq	-56(%rdi), %rax
-	addq	%rbx, %rax
-	popq	%rbx
-	popq	%r12
-	popq	%r13
-	popq	%r14
-	popq	%r15
-	movq	%rax, -56(%rdi)
-	ret
-.LFE7:
-	.size	shaCompress, .-shaCompress
-	.align 16
-.globl SHA1_Update
-	.type	SHA1_Update, @function
-SHA1_Update:
-.LFB5:
-	pushq	%rbp
-.LCFI5:
-	movq	%rsp, %rbp
-.LCFI6:
-	movq	%r13, -24(%rbp)
-.LCFI7:
-	movq	%r14, -16(%rbp)
-.LCFI8:
-	movl	%edx, %r13d
-	movq	%r15, -8(%rbp)
-.LCFI9:
-	movq	%rbx, -40(%rbp)
-.LCFI10:
-	movq	%rdi, %r15
-	movq	%r12, -32(%rbp)
-.LCFI11:
-	subq	$48, %rsp
-.LCFI12:
-	testl	%edx, %edx
-	movq	%rsi, %r14
-	je	.L243
-	movq	64(%rdi), %rdx
-	mov	%r13d, %ecx
-	leaq	(%rdx,%rcx), %rax
-	movq	%rax, 64(%rdi)
-	movl	%edx, %eax
-	andl	$63, %eax
-	movl	%eax, -44(%rbp)
-	jne	.L256
-.L245:
-	cmpl	$63, %r13d
-	jbe	.L253
-	leaq	160(%r15), %rbx
-	.align 16
-.L250:
-	movq	%r14, %rsi
-	subl	$64, %r13d
-	movq	%rbx, %rdi
-	call	shaCompress
-	addq	$64, %r14
-	cmpl	$63, %r13d
-	ja	.L250
-.L253:
-	testl	%r13d, %r13d
-	je	.L243
-	mov	%r13d, %edx
-	movq	%r14, %rsi
-	movq	%r15, %rdi
-	movq	-40(%rbp), %rbx
-	movq	-32(%rbp), %r12
-	movq	-24(%rbp), %r13
-	movq	-16(%rbp), %r14
-	movq	-8(%rbp), %r15
-	leave
-	jmp	memcpy@PLT
-	.align 16
-.L243:
-	movq	-40(%rbp), %rbx
-	movq	-32(%rbp), %r12
-	movq	-24(%rbp), %r13
-	movq	-16(%rbp), %r14
-	movq	-8(%rbp), %r15
-	leave
-	ret
-.L256:
-	movl	$64, %ebx
-	mov	%eax, %edi
-	subl	%eax, %ebx
-	cmpl	%ebx, %r13d
-	cmovb	%r13d, %ebx
-	addq	%r15, %rdi
-	mov	%ebx, %r12d
-	subl	%ebx, %r13d
-	movq	%r12, %rdx
-	addq	%r12, %r14
-	call	memcpy@PLT
-	addl	-44(%rbp), %ebx
-	andl	$63, %ebx
-	jne	.L245
-	leaq	160(%r15), %rdi
-	movq	%r15, %rsi
-	call	shaCompress
-	jmp	.L245
-.LFE5:
-	.size	SHA1_Update, .-SHA1_Update
-	.section	.rodata
-	.align 32
-	.type	bulk_pad.0, @object
-	.size	bulk_pad.0, 64
-bulk_pad.0:
-	.byte	-128
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.byte	0
-	.text
-	.align 16
-.globl SHA1_End
-	.type	SHA1_End, @function
-SHA1_End:
-.LFB6:
-	pushq	%rbp
-.LCFI13:
-	movq	%rsp, %rbp
-.LCFI14:
-	movq	%r12, -24(%rbp)
-.LCFI15:
-	movq	%r13, -16(%rbp)
-.LCFI16:
-	movq	%rsi, %r13
-	movq	%r14, -8(%rbp)
-.LCFI17:
-	movq	%rbx, -32(%rbp)
-.LCFI18:
-	subq	$32, %rsp
-.LCFI19:
-	movq	64(%rdi), %rbx
-	movq	%rdx, %r14
-	movl	$119, %edx
-	leaq	bulk_pad.0(%rip), %rsi
-	movq	%rdi, %r12
-	movl	%ebx, %r8d
-	salq	$3, %rbx
-	andl	$63, %r8d
-	subl	%r8d, %edx
-	andl	$63, %edx
-	incl	%edx
-	call	SHA1_Update@PLT
-	movq	%rbx, %rdi
-	movq	%r12, %rsi
-	shrq	$32, %rdi
-/APP
-	bswap %edi
-/NO_APP
-	movl	%edi, 56(%r12)
-	leaq	160(%r12), %rdi
-/APP
-	bswap %ebx
-/NO_APP
-	movl	%ebx, 60(%r12)
-	call	shaCompress
-	movl	72(%r12), %esi
-	movl	80(%r12), %ebx
-	movl	88(%r12), %ecx
-	movl	96(%r12), %edx
-	movl	104(%r12), %eax
-	movq	8(%rsp), %r12
-/APP
-	bswap %ebx
-	bswap %esi
-/NO_APP
-	movl	%ebx, 4(%r13)
-	movl	%esi, (%r13)
-/APP
-	bswap %ecx
-	bswap %edx
-/NO_APP
-	movl	%ecx, 8(%r13)
-	movl	%edx, 12(%r13)
-/APP
-	bswap %eax
-/NO_APP
-	movq	(%rsp), %rbx
-	movl	%eax, 16(%r13)
-	movl	$20, (%r14)
-	movq	16(%rsp), %r13
-	movq	24(%rsp), %r14
-	leave
-	ret
-.LFE6:
-	.size	SHA1_End, .-SHA1_End
-	.align 16
-.globl SHA1_NewContext
-	.type	SHA1_NewContext, @function
-SHA1_NewContext:
-.LFB8:
-	movl	$248, %edi
-	jmp	PORT_Alloc@PLT
-.LFE8:
-	.size	SHA1_NewContext, .-SHA1_NewContext
-	.align 16
-.globl SHA1_DestroyContext
-	.type	SHA1_DestroyContext, @function
-SHA1_DestroyContext:
-.LFB9:
-	pushq	%rbp
-.LCFI20:
-	movl	$248, %edx
-	movq	%rsp, %rbp
-.LCFI21:
-	movq	%rbx, -16(%rbp)
-.LCFI22:
-	movq	%r12, -8(%rbp)
-.LCFI23:
-	movl	%esi, %ebx
-	subq	$16, %rsp
-.LCFI24:
-	xorl	%esi, %esi
-	movq	%rdi, %r12
-	call	memset@PLT
-	testl	%ebx, %ebx
-	jne	.L268
-	movq	(%rsp), %rbx
-	movq	8(%rsp), %r12
-	leave
-	ret
-	.align 16
-.L268:
-	movq	%r12, %rdi
-	movq	(%rsp), %rbx
-	movq	8(%rsp), %r12
-	leave
-	jmp	PORT_Free@PLT
-.LFE9:
-	.size	SHA1_DestroyContext, .-SHA1_DestroyContext
-	.align 16
-.globl SHA1_HashBuf
-	.type	SHA1_HashBuf, @function
-SHA1_HashBuf:
-.LFB10:
-	pushq	%rbp
-.LCFI25:
-	movq	%rsp, %rbp
-.LCFI26:
-	movq	%rbx, -32(%rbp)
-.LCFI27:
-	leaq	-288(%rbp), %rbx
-	movq	%r12, -24(%rbp)
-.LCFI28:
-	movq	%r13, -16(%rbp)
-.LCFI29:
-	movq	%r14, -8(%rbp)
-.LCFI30:
-	movq	%rsi, %r13
-	subq	$304, %rsp
-.LCFI31:
-	movq	%rdi, %r14
-	movl	%edx, %r12d
-	movq	%rbx, %rdi
-	call	SHA1_Begin@PLT
-	movl	%r12d, %edx
-	movq	%r13, %rsi
-	movq	%rbx, %rdi
-	call	SHA1_Update@PLT
-	leaq	-292(%rbp), %rdx
-	movq	%r14, %rsi
-	movq	%rbx, %rdi
-	movl	$20, %ecx
-	call	SHA1_End@PLT
-	movq	-32(%rbp), %rbx
-	movq	-24(%rbp), %r12
-	xorl	%eax, %eax
-	movq	-16(%rbp), %r13
-	movq	-8(%rbp), %r14
-	leave
-	ret
-.LFE10:
-	.size	SHA1_HashBuf, .-SHA1_HashBuf
-	.align 16
-.globl SHA1_Hash
-	.type	SHA1_Hash, @function
-SHA1_Hash:
-.LFB11:
-	pushq	%rbp
-.LCFI32:
-	movq	%rsp, %rbp
-.LCFI33:
-	movq	%rbx, -16(%rbp)
-.LCFI34:
-	movq	%r12, -8(%rbp)
-.LCFI35:
-	movq	%rsi, %rbx
-	subq	$16, %rsp
-.LCFI36:
-	movq	%rdi, %r12
-	movq	%rsi, %rdi
-	call	strlen@PLT
-	movq	%rbx, %rsi
-	movq	%r12, %rdi
-	movq	(%rsp), %rbx
-	movq	8(%rsp), %r12
-	leave
-	movl	%eax, %edx
-	jmp	SHA1_HashBuf@PLT
-.LFE11:
-	.size	SHA1_Hash, .-SHA1_Hash
-	.align 16
-.globl SHA1_FlattenSize
-	.type	SHA1_FlattenSize, @function
-SHA1_FlattenSize:
-.LFB12:
-	movl	$248, %eax
-	ret
-.LFE12:
-	.size	SHA1_FlattenSize, .-SHA1_FlattenSize
-	.align 16
-.globl SHA1_Flatten
-	.type	SHA1_Flatten, @function
-SHA1_Flatten:
-.LFB13:
-	pushq	%rbp
-.LCFI37:
-	movq	%rsi, %rax
-	movl	$248, %edx
-	movq	%rdi, %rsi
-	movq	%rax, %rdi
-	movq	%rsp, %rbp
-.LCFI38:
-	call	memcpy@PLT
-	leave
-	xorl	%eax, %eax
-	ret
-.LFE13:
-	.size	SHA1_Flatten, .-SHA1_Flatten
-	.align 16
-.globl SHA1_Resurrect
-	.type	SHA1_Resurrect, @function
-SHA1_Resurrect:
-.LFB14:
-	pushq	%rbp
-.LCFI39:
-	movq	%rsp, %rbp
-.LCFI40:
-	movq	%rbx, -16(%rbp)
-.LCFI41:
-	movq	%r12, -8(%rbp)
-.LCFI42:
-	subq	$16, %rsp
-.LCFI43:
-	movq	%rdi, %r12
-	call	SHA1_NewContext@PLT
-	movq	%rax, %rbx
-	xorl	%eax, %eax
-	testq	%rbx, %rbx
-	je	.L273
-	movl	$248, %edx
-	movq	%r12, %rsi
-	movq	%rbx, %rdi
-	call	memcpy@PLT
-	movq	%rbx, %rax
-.L273:
-	movq	(%rsp), %rbx
-	movq	8(%rsp), %r12
-	leave
-	ret
-.LFE14:
-	.size	SHA1_Resurrect, .-SHA1_Resurrect
-	.align 16
-.globl SHA1_Clone
-	.type	SHA1_Clone, @function
-SHA1_Clone:
-.LFB15:
-	movl	$248, %edx
-	jmp	memcpy@PLT
-.LFE15:
-	.size	SHA1_Clone, .-SHA1_Clone
-	.align 16
-.globl SHA1_TraceState
-	.type	SHA1_TraceState, @function
-SHA1_TraceState:
-.LFB16:
-	movl	$-5992, %edi
-	jmp	PORT_SetError@PLT
-.LFE16:
-	.size	SHA1_TraceState, .-SHA1_TraceState
diff --git a/security/nss/lib/freebl/sha.c b/security/nss/lib/freebl/sha.c
deleted file mode 100644
index f7031d3d9..000000000
--- a/security/nss/lib/freebl/sha.c
+++ /dev/null
@@ -1,161 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is SHA 180-1 Reference Implementation (Compact version).
- *
- * The Initial Developer of the Original Code is
- * Paul Kocher of Cryptography Research.
- * Portions created by the Initial Developer are Copyright (C) 1995-9
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "sha.h"
-
-static void shaHashBlock(SHA_CTX *ctx);
-
-void shaInit(SHA_CTX *ctx) {
-  int i;
-
-  ctx->lenW = 0;
-  ctx->sizeHi = ctx->sizeLo = 0;
-
-  /* Initialize H with the magic constants (see FIPS180 for constants)
-   */
-  ctx->H[0] = 0x67452301L;
-  ctx->H[1] = 0xefcdab89L;
-  ctx->H[2] = 0x98badcfeL;
-  ctx->H[3] = 0x10325476L;
-  ctx->H[4] = 0xc3d2e1f0L;
-
-  for (i = 0; i < 80; i++)
-    ctx->W[i] = 0;
-}
-
-
-void shaUpdate(SHA_CTX *ctx, unsigned char *dataIn, int len) {
-  int i;
-
-  /* Read the data into W and process blocks as they get full
-   */
-  for (i = 0; i < len; i++) {
-    ctx->W[ctx->lenW / 4] <<= 8;
-    ctx->W[ctx->lenW / 4] |= (unsigned long)dataIn[i];
-    if ((++ctx->lenW) % 64 == 0) {
-      shaHashBlock(ctx);
-      ctx->lenW = 0;
-    }
-    ctx->sizeLo += 8;
-    ctx->sizeHi += (ctx->sizeLo < 8);
-  }
-}
-
-
-void shaFinal(SHA_CTX *ctx, unsigned char hashout[20]) {
-  unsigned char pad0x80 = 0x80;
-  unsigned char pad0x00 = 0x00;
-  unsigned char padlen[8];
-  int i;
-
-  /* Pad with a binary 1 (e.g. 0x80), then zeroes, then length
-   */
-  padlen[0] = (unsigned char)((ctx->sizeHi >> 24) & 255);
-  padlen[1] = (unsigned char)((ctx->sizeHi >> 16) & 255);
-  padlen[2] = (unsigned char)((ctx->sizeHi >> 8) & 255);
-  padlen[3] = (unsigned char)((ctx->sizeHi >> 0) & 255);
-  padlen[4] = (unsigned char)((ctx->sizeLo >> 24) & 255);
-  padlen[5] = (unsigned char)((ctx->sizeLo >> 16) & 255);
-  padlen[6] = (unsigned char)((ctx->sizeLo >> 8) & 255);
-  padlen[7] = (unsigned char)((ctx->sizeLo >> 0) & 255);
-  shaUpdate(ctx, &pad0x80, 1);
-  while (ctx->lenW != 56)
-    shaUpdate(ctx, &pad0x00, 1);
-  shaUpdate(ctx, padlen, 8);
-
-  /* Output hash
-   */
-  for (i = 0; i < 20; i++) {
-    hashout[i] = (unsigned char)(ctx->H[i / 4] >> 24);
-    ctx->H[i / 4] <<= 8;
-  }
-
-  /*
-   *  Re-initialize the context (also zeroizes contents)
-   */
-  shaInit(ctx);
-}
-
-
-void shaBlock(unsigned char *dataIn, int len, unsigned char hashout[20]) {
-  SHA_CTX ctx;
-
-  shaInit(&ctx);
-  shaUpdate(&ctx, dataIn, len);
-  shaFinal(&ctx, hashout);
-}
-
-
-#define SHA_ROTL(X,n) (((X) << (n)) | ((X) >> (32-(n))))
-
-static void shaHashBlock(SHA_CTX *ctx) {
-  int t;
-  unsigned long A,B,C,D,E,TEMP;
-
-  for (t = 16; t <= 79; t++)
-    ctx->W[t] =
-      SHA_ROTL(ctx->W[t-3] ^ ctx->W[t-8] ^ ctx->W[t-14] ^ ctx->W[t-16], 1);
-
-  A = ctx->H[0];
-  B = ctx->H[1];
-  C = ctx->H[2];
-  D = ctx->H[3];
-  E = ctx->H[4];
-
-  for (t = 0; t <= 19; t++) {
-    TEMP = SHA_ROTL(A,5) + (((C^D)&B)^D)     + E + ctx->W[t] + 0x5a827999L;
-    E = D; D = C; C = SHA_ROTL(B, 30); B = A; A = TEMP;
-  }
-  for (t = 20; t <= 39; t++) {
-    TEMP = SHA_ROTL(A,5) + (B^C^D)           + E + ctx->W[t] + 0x6ed9eba1L;
-    E = D; D = C; C = SHA_ROTL(B, 30); B = A; A = TEMP;
-  }
-  for (t = 40; t <= 59; t++) {
-    TEMP = SHA_ROTL(A,5) + ((B&C)|(D&(B|C))) + E + ctx->W[t] + 0x8f1bbcdcL;
-    E = D; D = C; C = SHA_ROTL(B, 30); B = A; A = TEMP;
-  }
-  for (t = 60; t <= 79; t++) {
-    TEMP = SHA_ROTL(A,5) + (B^C^D)           + E + ctx->W[t] + 0xca62c1d6L;
-    E = D; D = C; C = SHA_ROTL(B, 30); B = A; A = TEMP;
-  }
-
-  ctx->H[0] += A;
-  ctx->H[1] += B;
-  ctx->H[2] += C;
-  ctx->H[3] += D;
-  ctx->H[4] += E;
-}
-
diff --git a/security/nss/lib/freebl/sha.h b/security/nss/lib/freebl/sha.h
deleted file mode 100644
index f3fa37f99..000000000
--- a/security/nss/lib/freebl/sha.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is SHA 180-1 Header File.
- *
- * The Initial Developer of the Original Code is
- * Paul Kocher of Cryptography Research.
- * Portions created by the Initial Developer are Copyright (C) 1995-9
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-typedef struct {
-  unsigned long H[5];
-  unsigned long W[80];
-  int lenW;
-  unsigned long sizeHi,sizeLo;
-} SHA_CTX;
-
-
-void shaInit(SHA_CTX *ctx);
-void shaUpdate(SHA_CTX *ctx, unsigned char *dataIn, int len);
-void shaFinal(SHA_CTX *ctx, unsigned char hashout[20]);
-void shaBlock(unsigned char *dataIn, int len, unsigned char hashout[20]);
-
diff --git a/security/nss/lib/freebl/sha512.c b/security/nss/lib/freebl/sha512.c
deleted file mode 100644
index 672aa9a0f..000000000
--- a/security/nss/lib/freebl/sha512.c
+++ /dev/null
@@ -1,1389 +0,0 @@
-/*
- * sha512.c - implementation of SHA256, SHA384 and SHA512
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2002
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-#include "prcpucfg.h"
-#if defined(_X86_) || defined(SHA_NO_LONG_LONG)
-#define NOUNROLL512 1
-#undef HAVE_LONG_LONG
-#endif
-#include "prtypes.h"	/* for PRUintXX */
-#include "secport.h"	/* for PORT_XXX */
-#include "blapi.h"
-
-/* ============= Common constants and defines ======================= */
-
-#define W ctx->u.w
-#define B ctx->u.b
-#define H ctx->h
-
-#define SHR(x,n) (x >> n)
-#define SHL(x,n) (x << n)
-#define Ch(x,y,z)  ((x & y) ^ (~x & z))
-#define Maj(x,y,z) ((x & y) ^ (x & z) ^ (y & z))
-
-/* Padding used with all flavors of SHA */
-static const PRUint8 pad[240] = { 
-0x80,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
-   0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
-   /* compiler will fill the rest in with zeros */
-};
-
-/* ============= SHA256 implemenmtation ================================== */
-
-/* SHA-256 constants, K256. */
-static const PRUint32 K256[64] = {
-    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 
-    0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
-    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 
-    0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
-    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 
-    0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
-    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 
-    0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
-    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 
-    0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
-    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 
-    0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
-    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 
-    0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
-    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 
-    0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
-};
-
-/* SHA-256 initial hash values */
-static const PRUint32 H256[8] = {
-    0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 
-    0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19
-};
-
-struct SHA256ContextStr {
-    union {
-	PRUint32 w[64];	    /* message schedule, input buffer, plus 48 words */
-	PRUint8  b[256];
-    } u;
-    PRUint32 h[8];		/* 8 state variables */
-    PRUint32 sizeHi,sizeLo;	/* 64-bit count of hashed bytes. */
-};
-
-#if defined(_MSC_VER) && defined(_X86_)
-#ifndef FORCEINLINE
-#if (MSC_VER >= 1200)
-#define FORCEINLINE __forceinline
-#else
-#define FORCEINLINE __inline
-#endif
-#endif
-#define FASTCALL __fastcall
-
-static FORCEINLINE PRUint32 FASTCALL 
-swap4b(PRUint32 dwd) 
-{
-    __asm {
-    	mov   eax,dwd
-	bswap eax
-    }
-}
-
-#define SHA_HTONL(x) swap4b(x)
-#define BYTESWAP4(x)  x = SHA_HTONL(x)
-
-#elif defined(LINUX) && defined(_X86_)
-#undef  __OPTIMIZE__
-#define __OPTIMIZE__ 1
-#undef  __pentium__
-#define __pentium__ 1
-#include <byteswap.h>
-#define SHA_HTONL(x) bswap_32(x)
-#define BYTESWAP4(x)  x = SHA_HTONL(x)
-
-#else /* neither windows nor Linux PC */
-#define SWAP4MASK  0x00FF00FF
-#define SHA_HTONL(x) (t1 = (x), t1 = (t1 << 16) | (t1 >> 16), \
-                      ((t1 & SWAP4MASK) << 8) | ((t1 >> 8) & SWAP4MASK))
-#define BYTESWAP4(x)  x = SHA_HTONL(x)
-#endif
-
-#if defined(_MSC_VER) && defined(_X86_)
-#pragma intrinsic (_lrotr, _lrotl) 
-#define ROTR32(x,n) _lrotr(x,n)
-#define ROTL32(x,n) _lrotl(x,n)
-#else
-#define ROTR32(x,n) ((x >> n) | (x << ((8 * sizeof x) - n)))
-#define ROTL32(x,n) ((x << n) | (x >> ((8 * sizeof x) - n)))
-#endif
-
-/* Capitol Sigma and lower case sigma functions */
-#define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x,22))
-#define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x,25))
-#define s0(x) (t1 = x, ROTR32(t1, 7) ^ ROTR32(t1,18) ^ SHR(t1, 3))
-#define s1(x) (t2 = x, ROTR32(t2,17) ^ ROTR32(t2,19) ^ SHR(t2,10))
-
-SHA256Context *
-SHA256_NewContext(void)
-{
-    SHA256Context *ctx = PORT_New(SHA256Context);
-    return ctx;
-}
-
-void 
-SHA256_DestroyContext(SHA256Context *ctx, PRBool freeit)
-{
-    if (freeit) {
-        PORT_ZFree(ctx, sizeof *ctx);
-    }
-}
-
-void 
-SHA256_Begin(SHA256Context *ctx)
-{
-    memset(ctx, 0, sizeof *ctx);
-    memcpy(H, H256, sizeof H256);
-}
-
-static void
-SHA256_Compress(SHA256Context *ctx)
-{
-  {
-    register PRUint32 t1, t2;
-
-#if defined(IS_LITTLE_ENDIAN)
-    BYTESWAP4(W[0]);
-    BYTESWAP4(W[1]);
-    BYTESWAP4(W[2]);
-    BYTESWAP4(W[3]);
-    BYTESWAP4(W[4]);
-    BYTESWAP4(W[5]);
-    BYTESWAP4(W[6]);
-    BYTESWAP4(W[7]);
-    BYTESWAP4(W[8]);
-    BYTESWAP4(W[9]);
-    BYTESWAP4(W[10]);
-    BYTESWAP4(W[11]);
-    BYTESWAP4(W[12]);
-    BYTESWAP4(W[13]);
-    BYTESWAP4(W[14]);
-    BYTESWAP4(W[15]);
-#endif
-
-#define INITW(t) W[t] = (s1(W[t-2]) + W[t-7] + s0(W[t-15]) + W[t-16])
-
-    /* prepare the "message schedule"   */
-#ifdef NOUNROLL256
-    {
-	int t;
-	for (t = 16; t < 64; ++t) {
-	    INITW(t);
-	}
-    }
-#else
-    INITW(16);
-    INITW(17);
-    INITW(18);
-    INITW(19);
-
-    INITW(20);
-    INITW(21);
-    INITW(22);
-    INITW(23);
-    INITW(24);
-    INITW(25);
-    INITW(26);
-    INITW(27);
-    INITW(28);
-    INITW(29);
-
-    INITW(30);
-    INITW(31);
-    INITW(32);
-    INITW(33);
-    INITW(34);
-    INITW(35);
-    INITW(36);
-    INITW(37);
-    INITW(38);
-    INITW(39);
-
-    INITW(40);
-    INITW(41);
-    INITW(42);
-    INITW(43);
-    INITW(44);
-    INITW(45);
-    INITW(46);
-    INITW(47);
-    INITW(48);
-    INITW(49);
-
-    INITW(50);
-    INITW(51);
-    INITW(52);
-    INITW(53);
-    INITW(54);
-    INITW(55);
-    INITW(56);
-    INITW(57);
-    INITW(58);
-    INITW(59);
-
-    INITW(60);
-    INITW(61);
-    INITW(62);
-    INITW(63);
-
-#endif
-#undef INITW
-  }
-  {
-    PRUint32 a, b, c, d, e, f, g, h;
-
-    a = H[0];
-    b = H[1];
-    c = H[2];
-    d = H[3];
-    e = H[4];
-    f = H[5];
-    g = H[6];
-    h = H[7];
-
-#define ROUND(n,a,b,c,d,e,f,g,h) \
-    h += S1(e) + Ch(e,f,g) + K256[n] + W[n]; \
-    d += h; \
-    h += S0(a) + Maj(a,b,c); 
-
-#ifdef NOUNROLL256
-    {
-	int t;
-	for (t = 0; t < 64; t+= 8) {
-	    ROUND(t+0,a,b,c,d,e,f,g,h)
-	    ROUND(t+1,h,a,b,c,d,e,f,g)
-	    ROUND(t+2,g,h,a,b,c,d,e,f)
-	    ROUND(t+3,f,g,h,a,b,c,d,e)
-	    ROUND(t+4,e,f,g,h,a,b,c,d)
-	    ROUND(t+5,d,e,f,g,h,a,b,c)
-	    ROUND(t+6,c,d,e,f,g,h,a,b)
-	    ROUND(t+7,b,c,d,e,f,g,h,a)
-	}
-    }
-#else
-    ROUND( 0,a,b,c,d,e,f,g,h)
-    ROUND( 1,h,a,b,c,d,e,f,g)
-    ROUND( 2,g,h,a,b,c,d,e,f)
-    ROUND( 3,f,g,h,a,b,c,d,e)
-    ROUND( 4,e,f,g,h,a,b,c,d)
-    ROUND( 5,d,e,f,g,h,a,b,c)
-    ROUND( 6,c,d,e,f,g,h,a,b)
-    ROUND( 7,b,c,d,e,f,g,h,a)
-
-    ROUND( 8,a,b,c,d,e,f,g,h)
-    ROUND( 9,h,a,b,c,d,e,f,g)
-    ROUND(10,g,h,a,b,c,d,e,f)
-    ROUND(11,f,g,h,a,b,c,d,e)
-    ROUND(12,e,f,g,h,a,b,c,d)
-    ROUND(13,d,e,f,g,h,a,b,c)
-    ROUND(14,c,d,e,f,g,h,a,b)
-    ROUND(15,b,c,d,e,f,g,h,a)
-
-    ROUND(16,a,b,c,d,e,f,g,h)
-    ROUND(17,h,a,b,c,d,e,f,g)
-    ROUND(18,g,h,a,b,c,d,e,f)
-    ROUND(19,f,g,h,a,b,c,d,e)
-    ROUND(20,e,f,g,h,a,b,c,d)
-    ROUND(21,d,e,f,g,h,a,b,c)
-    ROUND(22,c,d,e,f,g,h,a,b)
-    ROUND(23,b,c,d,e,f,g,h,a)
-
-    ROUND(24,a,b,c,d,e,f,g,h)
-    ROUND(25,h,a,b,c,d,e,f,g)
-    ROUND(26,g,h,a,b,c,d,e,f)
-    ROUND(27,f,g,h,a,b,c,d,e)
-    ROUND(28,e,f,g,h,a,b,c,d)
-    ROUND(29,d,e,f,g,h,a,b,c)
-    ROUND(30,c,d,e,f,g,h,a,b)
-    ROUND(31,b,c,d,e,f,g,h,a)
-
-    ROUND(32,a,b,c,d,e,f,g,h)
-    ROUND(33,h,a,b,c,d,e,f,g)
-    ROUND(34,g,h,a,b,c,d,e,f)
-    ROUND(35,f,g,h,a,b,c,d,e)
-    ROUND(36,e,f,g,h,a,b,c,d)
-    ROUND(37,d,e,f,g,h,a,b,c)
-    ROUND(38,c,d,e,f,g,h,a,b)
-    ROUND(39,b,c,d,e,f,g,h,a)
-
-    ROUND(40,a,b,c,d,e,f,g,h)
-    ROUND(41,h,a,b,c,d,e,f,g)
-    ROUND(42,g,h,a,b,c,d,e,f)
-    ROUND(43,f,g,h,a,b,c,d,e)
-    ROUND(44,e,f,g,h,a,b,c,d)
-    ROUND(45,d,e,f,g,h,a,b,c)
-    ROUND(46,c,d,e,f,g,h,a,b)
-    ROUND(47,b,c,d,e,f,g,h,a)
-
-    ROUND(48,a,b,c,d,e,f,g,h)
-    ROUND(49,h,a,b,c,d,e,f,g)
-    ROUND(50,g,h,a,b,c,d,e,f)
-    ROUND(51,f,g,h,a,b,c,d,e)
-    ROUND(52,e,f,g,h,a,b,c,d)
-    ROUND(53,d,e,f,g,h,a,b,c)
-    ROUND(54,c,d,e,f,g,h,a,b)
-    ROUND(55,b,c,d,e,f,g,h,a)
-
-    ROUND(56,a,b,c,d,e,f,g,h)
-    ROUND(57,h,a,b,c,d,e,f,g)
-    ROUND(58,g,h,a,b,c,d,e,f)
-    ROUND(59,f,g,h,a,b,c,d,e)
-    ROUND(60,e,f,g,h,a,b,c,d)
-    ROUND(61,d,e,f,g,h,a,b,c)
-    ROUND(62,c,d,e,f,g,h,a,b)
-    ROUND(63,b,c,d,e,f,g,h,a)
-#endif
-
-    H[0] += a;
-    H[1] += b;
-    H[2] += c;
-    H[3] += d;
-    H[4] += e;
-    H[5] += f;
-    H[6] += g;
-    H[7] += h;
-  }
-#undef ROUND
-}
-
-#undef s0
-#undef s1
-#undef S0
-#undef S1
-
-void 
-SHA256_Update(SHA256Context *ctx, const unsigned char *input,
-		    unsigned int inputLen)
-{
-    unsigned int inBuf = ctx->sizeLo & 0x3f;
-    if (!inputLen)
-    	return;
-
-    /* Add inputLen into the count of bytes processed, before processing */
-    if ((ctx->sizeLo += inputLen) < inputLen)
-    	ctx->sizeHi++;
-
-    /* if data already in buffer, attemp to fill rest of buffer */
-    if (inBuf) {
-    	unsigned int todo = SHA256_BLOCK_LENGTH - inBuf;
-	if (inputLen < todo)
-	    todo = inputLen;
-	memcpy(B + inBuf, input, todo);
-	input    += todo;
-	inputLen -= todo;
-	if (inBuf + todo == SHA256_BLOCK_LENGTH)
-	    SHA256_Compress(ctx);
-    }
-
-    /* if enough data to fill one or more whole buffers, process them. */
-    while (inputLen >= SHA256_BLOCK_LENGTH) {
-    	memcpy(B, input, SHA256_BLOCK_LENGTH);
-	input    += SHA256_BLOCK_LENGTH;
-	inputLen -= SHA256_BLOCK_LENGTH;
-	SHA256_Compress(ctx);
-    }
-    /* if data left over, fill it into buffer */
-    if (inputLen) 
-    	memcpy(B, input, inputLen);
-}
-
-void 
-SHA256_End(SHA256Context *ctx, unsigned char *digest,
-           unsigned int *digestLen, unsigned int maxDigestLen)
-{
-    unsigned int inBuf = ctx->sizeLo & 0x3f;
-    unsigned int padLen = (inBuf < 56) ? (56 - inBuf) : (56 + 64 - inBuf);
-    PRUint32 hi, lo;
-#ifdef SWAP4MASK
-    PRUint32 t1;
-#endif
-
-    hi = (ctx->sizeHi << 3) | (ctx->sizeLo >> 29);
-    lo = (ctx->sizeLo << 3);
-
-    SHA256_Update(ctx, pad, padLen);
-
-#if defined(IS_LITTLE_ENDIAN)
-    W[14] = SHA_HTONL(hi);
-    W[15] = SHA_HTONL(lo);
-#else
-    W[14] = hi;
-    W[15] = lo;
-#endif
-    SHA256_Compress(ctx);
-
-    /* now output the answer */
-#if defined(IS_LITTLE_ENDIAN)
-    BYTESWAP4(H[0]);
-    BYTESWAP4(H[1]);
-    BYTESWAP4(H[2]);
-    BYTESWAP4(H[3]);
-    BYTESWAP4(H[4]);
-    BYTESWAP4(H[5]);
-    BYTESWAP4(H[6]);
-    BYTESWAP4(H[7]);
-#endif
-    padLen = PR_MIN(SHA256_LENGTH, maxDigestLen);
-    memcpy(digest, H, padLen);
-    if (digestLen)
-	*digestLen = padLen;
-}
-
-SECStatus 
-SHA256_HashBuf(unsigned char *dest, const unsigned char *src, 
-               uint32 src_length)
-{
-    SHA256Context ctx;
-    unsigned int outLen;
-
-    SHA256_Begin(&ctx);
-    SHA256_Update(&ctx, src, src_length);
-    SHA256_End(&ctx, dest, &outLen, SHA256_LENGTH);
-
-    return SECSuccess;
-}
-
-
-SECStatus 
-SHA256_Hash(unsigned char *dest, const char *src)
-{
-    return SHA256_HashBuf(dest, (const unsigned char *)src, PORT_Strlen(src));
-}
-
-
-void SHA256_TraceState(SHA256Context *ctx) { }
-
-unsigned int 
-SHA256_FlattenSize(SHA256Context *ctx)
-{
-    return sizeof *ctx;
-}
-
-SECStatus 
-SHA256_Flatten(SHA256Context *ctx,unsigned char *space)
-{
-    PORT_Memcpy(space, ctx, sizeof *ctx);
-    return SECSuccess;
-}
-
-SHA256Context * 
-SHA256_Resurrect(unsigned char *space, void *arg)
-{
-    SHA256Context *ctx = SHA256_NewContext();
-    if (ctx) 
-	PORT_Memcpy(ctx, space, sizeof *ctx);
-    return ctx;
-}
-
-void SHA256_Clone(SHA256Context *dest, SHA256Context *src) 
-{
-    memcpy(dest, src, sizeof *dest);
-}
-
-
-/* ======= SHA512 and SHA384 common constants and defines ================= */
-
-/* common #defines for SHA512 and SHA384 */
-#if defined(HAVE_LONG_LONG)
-#define ROTR64(x,n) ((x >> n) | (x << (64 - n)))
-#define ROTL64(x,n) ((x << n) | (x >> (64 - n)))
-
-#define S0(x) (ROTR64(x,28) ^ ROTR64(x,34) ^ ROTR64(x,39))
-#define S1(x) (ROTR64(x,14) ^ ROTR64(x,18) ^ ROTR64(x,41))
-#define s0(x) (t1 = x, ROTR64(t1, 1) ^ ROTR64(t1, 8) ^ SHR(t1,7))
-#define s1(x) (t2 = x, ROTR64(t2,19) ^ ROTR64(t2,61) ^ SHR(t2,6))
-
-#if PR_BYTES_PER_LONG == 8
-#define ULLC(hi,lo) 0x ## hi ## lo ## UL
-#elif defined(_MSC_VER)
-#define ULLC(hi,lo) 0x ## hi ## lo ## ui64
-#else
-#define ULLC(hi,lo) 0x ## hi ## lo ## ULL
-#endif
-
-#define SHA_MASK16 ULLC(0000FFFF,0000FFFF)
-#define SHA_MASK8  ULLC(00FF00FF,00FF00FF)
-#define SHA_HTONLL(x) (t1 = x, \
-  t1 = ((t1 & SHA_MASK8 ) <<  8) | ((t1 >>  8) & SHA_MASK8 ), \
-  t1 = ((t1 & SHA_MASK16) << 16) | ((t1 >> 16) & SHA_MASK16), \
-  (t1 >> 32) | (t1 << 32))
-#define BYTESWAP8(x)  x = SHA_HTONLL(x)
-
-#else /* no long long */
-
-#if defined(IS_LITTLE_ENDIAN)
-#define ULLC(hi,lo) { 0x ## lo ## U, 0x ## hi ## U }
-#else
-#define ULLC(hi,lo) { 0x ## hi ## U, 0x ## lo ## U }
-#endif
-
-#define SHA_HTONLL(x) ( BYTESWAP4(x.lo), BYTESWAP4(x.hi), \
-   x.hi ^= x.lo ^= x.hi ^= x.lo, x)
-#define BYTESWAP8(x)  do { PRUint32 tmp; BYTESWAP4(x.lo); BYTESWAP4(x.hi); \
-   tmp = x.lo; x.lo = x.hi; x.hi = tmp; } while (0)
-#endif
-
-/* SHA-384 and SHA-512 constants, K512. */
-static const PRUint64 K512[80] = {
-#if PR_BYTES_PER_LONG == 8
-     0x428a2f98d728ae22UL ,  0x7137449123ef65cdUL , 
-     0xb5c0fbcfec4d3b2fUL ,  0xe9b5dba58189dbbcUL ,
-     0x3956c25bf348b538UL ,  0x59f111f1b605d019UL , 
-     0x923f82a4af194f9bUL ,  0xab1c5ed5da6d8118UL ,
-     0xd807aa98a3030242UL ,  0x12835b0145706fbeUL , 
-     0x243185be4ee4b28cUL ,  0x550c7dc3d5ffb4e2UL ,
-     0x72be5d74f27b896fUL ,  0x80deb1fe3b1696b1UL , 
-     0x9bdc06a725c71235UL ,  0xc19bf174cf692694UL ,
-     0xe49b69c19ef14ad2UL ,  0xefbe4786384f25e3UL , 
-     0x0fc19dc68b8cd5b5UL ,  0x240ca1cc77ac9c65UL ,
-     0x2de92c6f592b0275UL ,  0x4a7484aa6ea6e483UL , 
-     0x5cb0a9dcbd41fbd4UL ,  0x76f988da831153b5UL ,
-     0x983e5152ee66dfabUL ,  0xa831c66d2db43210UL , 
-     0xb00327c898fb213fUL ,  0xbf597fc7beef0ee4UL ,
-     0xc6e00bf33da88fc2UL ,  0xd5a79147930aa725UL , 
-     0x06ca6351e003826fUL ,  0x142929670a0e6e70UL ,
-     0x27b70a8546d22ffcUL ,  0x2e1b21385c26c926UL , 
-     0x4d2c6dfc5ac42aedUL ,  0x53380d139d95b3dfUL ,
-     0x650a73548baf63deUL ,  0x766a0abb3c77b2a8UL , 
-     0x81c2c92e47edaee6UL ,  0x92722c851482353bUL ,
-     0xa2bfe8a14cf10364UL ,  0xa81a664bbc423001UL , 
-     0xc24b8b70d0f89791UL ,  0xc76c51a30654be30UL ,
-     0xd192e819d6ef5218UL ,  0xd69906245565a910UL , 
-     0xf40e35855771202aUL ,  0x106aa07032bbd1b8UL ,
-     0x19a4c116b8d2d0c8UL ,  0x1e376c085141ab53UL , 
-     0x2748774cdf8eeb99UL ,  0x34b0bcb5e19b48a8UL ,
-     0x391c0cb3c5c95a63UL ,  0x4ed8aa4ae3418acbUL , 
-     0x5b9cca4f7763e373UL ,  0x682e6ff3d6b2b8a3UL ,
-     0x748f82ee5defb2fcUL ,  0x78a5636f43172f60UL , 
-     0x84c87814a1f0ab72UL ,  0x8cc702081a6439ecUL ,
-     0x90befffa23631e28UL ,  0xa4506cebde82bde9UL , 
-     0xbef9a3f7b2c67915UL ,  0xc67178f2e372532bUL ,
-     0xca273eceea26619cUL ,  0xd186b8c721c0c207UL , 
-     0xeada7dd6cde0eb1eUL ,  0xf57d4f7fee6ed178UL ,
-     0x06f067aa72176fbaUL ,  0x0a637dc5a2c898a6UL , 
-     0x113f9804bef90daeUL ,  0x1b710b35131c471bUL ,
-     0x28db77f523047d84UL ,  0x32caab7b40c72493UL , 
-     0x3c9ebe0a15c9bebcUL ,  0x431d67c49c100d4cUL ,
-     0x4cc5d4becb3e42b6UL ,  0x597f299cfc657e2aUL , 
-     0x5fcb6fab3ad6faecUL ,  0x6c44198c4a475817UL 
-#else
-    ULLC(428a2f98,d728ae22), ULLC(71374491,23ef65cd), 
-    ULLC(b5c0fbcf,ec4d3b2f), ULLC(e9b5dba5,8189dbbc),
-    ULLC(3956c25b,f348b538), ULLC(59f111f1,b605d019), 
-    ULLC(923f82a4,af194f9b), ULLC(ab1c5ed5,da6d8118),
-    ULLC(d807aa98,a3030242), ULLC(12835b01,45706fbe), 
-    ULLC(243185be,4ee4b28c), ULLC(550c7dc3,d5ffb4e2),
-    ULLC(72be5d74,f27b896f), ULLC(80deb1fe,3b1696b1), 
-    ULLC(9bdc06a7,25c71235), ULLC(c19bf174,cf692694),
-    ULLC(e49b69c1,9ef14ad2), ULLC(efbe4786,384f25e3), 
-    ULLC(0fc19dc6,8b8cd5b5), ULLC(240ca1cc,77ac9c65),
-    ULLC(2de92c6f,592b0275), ULLC(4a7484aa,6ea6e483), 
-    ULLC(5cb0a9dc,bd41fbd4), ULLC(76f988da,831153b5),
-    ULLC(983e5152,ee66dfab), ULLC(a831c66d,2db43210), 
-    ULLC(b00327c8,98fb213f), ULLC(bf597fc7,beef0ee4),
-    ULLC(c6e00bf3,3da88fc2), ULLC(d5a79147,930aa725), 
-    ULLC(06ca6351,e003826f), ULLC(14292967,0a0e6e70),
-    ULLC(27b70a85,46d22ffc), ULLC(2e1b2138,5c26c926), 
-    ULLC(4d2c6dfc,5ac42aed), ULLC(53380d13,9d95b3df),
-    ULLC(650a7354,8baf63de), ULLC(766a0abb,3c77b2a8), 
-    ULLC(81c2c92e,47edaee6), ULLC(92722c85,1482353b),
-    ULLC(a2bfe8a1,4cf10364), ULLC(a81a664b,bc423001), 
-    ULLC(c24b8b70,d0f89791), ULLC(c76c51a3,0654be30),
-    ULLC(d192e819,d6ef5218), ULLC(d6990624,5565a910), 
-    ULLC(f40e3585,5771202a), ULLC(106aa070,32bbd1b8),
-    ULLC(19a4c116,b8d2d0c8), ULLC(1e376c08,5141ab53), 
-    ULLC(2748774c,df8eeb99), ULLC(34b0bcb5,e19b48a8),
-    ULLC(391c0cb3,c5c95a63), ULLC(4ed8aa4a,e3418acb), 
-    ULLC(5b9cca4f,7763e373), ULLC(682e6ff3,d6b2b8a3),
-    ULLC(748f82ee,5defb2fc), ULLC(78a5636f,43172f60), 
-    ULLC(84c87814,a1f0ab72), ULLC(8cc70208,1a6439ec),
-    ULLC(90befffa,23631e28), ULLC(a4506ceb,de82bde9), 
-    ULLC(bef9a3f7,b2c67915), ULLC(c67178f2,e372532b),
-    ULLC(ca273ece,ea26619c), ULLC(d186b8c7,21c0c207), 
-    ULLC(eada7dd6,cde0eb1e), ULLC(f57d4f7f,ee6ed178),
-    ULLC(06f067aa,72176fba), ULLC(0a637dc5,a2c898a6), 
-    ULLC(113f9804,bef90dae), ULLC(1b710b35,131c471b),
-    ULLC(28db77f5,23047d84), ULLC(32caab7b,40c72493), 
-    ULLC(3c9ebe0a,15c9bebc), ULLC(431d67c4,9c100d4c),
-    ULLC(4cc5d4be,cb3e42b6), ULLC(597f299c,fc657e2a), 
-    ULLC(5fcb6fab,3ad6faec), ULLC(6c44198c,4a475817)
-#endif
-};
-
-struct SHA512ContextStr {
-    union {
-	PRUint64 w[80];	    /* message schedule, input buffer, plus 64 words */
-	PRUint32 l[160];
-	PRUint8  b[640];
-    } u;
-    PRUint64 h[8];	    /* 8 state variables */
-    PRUint64 sizeLo;	    /* 64-bit count of hashed bytes. */
-};
-
-/* =========== SHA512 implementation ===================================== */
-
-/* SHA-512 initial hash values */
-static const PRUint64 H512[8] = {
-#if PR_BYTES_PER_LONG == 8
-     0x6a09e667f3bcc908UL ,  0xbb67ae8584caa73bUL , 
-     0x3c6ef372fe94f82bUL ,  0xa54ff53a5f1d36f1UL , 
-     0x510e527fade682d1UL ,  0x9b05688c2b3e6c1fUL , 
-     0x1f83d9abfb41bd6bUL ,  0x5be0cd19137e2179UL 
-#else
-    ULLC(6a09e667,f3bcc908), ULLC(bb67ae85,84caa73b), 
-    ULLC(3c6ef372,fe94f82b), ULLC(a54ff53a,5f1d36f1), 
-    ULLC(510e527f,ade682d1), ULLC(9b05688c,2b3e6c1f), 
-    ULLC(1f83d9ab,fb41bd6b), ULLC(5be0cd19,137e2179)
-#endif
-};
-
-
-SHA512Context *
-SHA512_NewContext(void)
-{
-    SHA512Context *ctx = PORT_New(SHA512Context);
-    return ctx;
-}
-
-void 
-SHA512_DestroyContext(SHA512Context *ctx, PRBool freeit)
-{
-    if (freeit) {
-        PORT_ZFree(ctx, sizeof *ctx);
-    }
-}
-
-void 
-SHA512_Begin(SHA512Context *ctx)
-{
-    memset(ctx, 0, sizeof *ctx);
-    memcpy(H, H512, sizeof H512);
-}
-
-#if defined(SHA512_TRACE)
-#if defined(HAVE_LONG_LONG)
-#define DUMP(n,a,d,e,h) printf(" t = %2d, %s = %016lx, %s = %016lx\n", \
-			       n, #e, d, #a, h);
-#else
-#define DUMP(n,a,d,e,h) printf(" t = %2d, %s = %08x%08x, %s = %08x%08x\n", \
-			       n, #e, d.hi, d.lo, #a, h.hi, h.lo);
-#endif
-#else
-#define DUMP(n,a,d,e,h)
-#endif
-
-#if defined(HAVE_LONG_LONG)
-
-#define ADDTO(x,y) y += x
-
-#define INITW(t) W[t] = (s1(W[t-2]) + W[t-7] + s0(W[t-15]) + W[t-16])
-
-#define ROUND(n,a,b,c,d,e,f,g,h) \
-    h += S1(e) + Ch(e,f,g) + K512[n] + W[n]; \
-    d += h; \
-    h += S0(a) + Maj(a,b,c); \
-    DUMP(n,a,d,e,h)
-
-#else /* use only 32-bit variables, and don't unroll loops */
-
-#undef  NOUNROLL512
-#define NOUNROLL512 1
-
-#define ADDTO(x,y) y.lo += x.lo; y.hi += x.hi + (x.lo > y.lo)
-
-#define ROTR64a(x,n,lo,hi) (x.lo >> n | x.hi << (32-n))
-#define ROTR64A(x,n,lo,hi) (x.lo << (64-n) | x.hi >> (n-32))
-#define  SHR64a(x,n,lo,hi) (x.lo >> n | x.hi << (32-n))
-
-/* Capitol Sigma and lower case sigma functions */
-#define s0lo(x) (ROTR64a(x,1,lo,hi) ^ ROTR64a(x,8,lo,hi) ^ SHR64a(x,7,lo,hi))
-#define s0hi(x) (ROTR64a(x,1,hi,lo) ^ ROTR64a(x,8,hi,lo) ^ (x.hi >> 7))
-
-#define s1lo(x) (ROTR64a(x,19,lo,hi) ^ ROTR64A(x,61,lo,hi) ^ SHR64a(x,6,lo,hi))
-#define s1hi(x) (ROTR64a(x,19,hi,lo) ^ ROTR64A(x,61,hi,lo) ^ (x.hi >> 6))
-
-#define S0lo(x)(ROTR64a(x,28,lo,hi) ^ ROTR64A(x,34,lo,hi) ^ ROTR64A(x,39,lo,hi))
-#define S0hi(x)(ROTR64a(x,28,hi,lo) ^ ROTR64A(x,34,hi,lo) ^ ROTR64A(x,39,hi,lo))
-
-#define S1lo(x)(ROTR64a(x,14,lo,hi) ^ ROTR64a(x,18,lo,hi) ^ ROTR64A(x,41,lo,hi))
-#define S1hi(x)(ROTR64a(x,14,hi,lo) ^ ROTR64a(x,18,hi,lo) ^ ROTR64A(x,41,hi,lo))
-
-/* 32-bit versions of Ch and Maj */
-#define Chxx(x,y,z,lo) ((x.lo & y.lo) ^ (~x.lo & z.lo))
-#define Majx(x,y,z,lo) ((x.lo & y.lo) ^ (x.lo & z.lo) ^ (y.lo & z.lo))
-
-#define INITW(t) \
-    do { \
-	PRUint32 lo, tm; \
-	PRUint32 cy = 0; \
-	lo = s1lo(W[t-2]); \
-	lo += (tm = W[t-7].lo);     if (lo < tm) cy++; \
-	lo += (tm = s0lo(W[t-15])); if (lo < tm) cy++; \
-	lo += (tm = W[t-16].lo);    if (lo < tm) cy++; \
-	W[t].lo = lo; \
-	W[t].hi = cy + s1hi(W[t-2]) + W[t-7].hi + s0hi(W[t-15]) + W[t-16].hi; \
-    } while (0)
-
-#define ROUND(n,a,b,c,d,e,f,g,h) \
-    { \
-	PRUint32 lo, tm, cy; \
-	lo  = S1lo(e); \
-	lo += (tm = Chxx(e,f,g,lo));    cy = (lo < tm); \
-	lo += (tm = K512[n].lo);	if (lo < tm) cy++; \
-	lo += (tm =    W[n].lo);	if (lo < tm) cy++; \
-	h.lo += lo;			if (h.lo < lo) cy++; \
-	h.hi += cy + S1hi(e) + Chxx(e,f,g,hi) + K512[n].hi + W[n].hi; \
-	d.lo += h.lo; \
-	d.hi += h.hi + (d.lo < h.lo); \
-	lo  = S0lo(a);  \
-	lo += (tm = Majx(a,b,c,lo));	cy = (lo < tm); \
-	h.lo += lo;			if (h.lo < lo) cy++; \
-	h.hi += cy + S0hi(a) + Majx(a,b,c,hi); \
-	DUMP(n,a,d,e,h) \
-    }
-#endif
-
-static void
-SHA512_Compress(SHA512Context *ctx)
-{
-#if defined(IS_LITTLE_ENDIAN)
-  {
-#if defined(HAVE_LONG_LONG)
-    PRUint64 t1;
-#else
-    PRUint32 t1;
-#endif
-    BYTESWAP8(W[0]);
-    BYTESWAP8(W[1]);
-    BYTESWAP8(W[2]);
-    BYTESWAP8(W[3]);
-    BYTESWAP8(W[4]);
-    BYTESWAP8(W[5]);
-    BYTESWAP8(W[6]);
-    BYTESWAP8(W[7]);
-    BYTESWAP8(W[8]);
-    BYTESWAP8(W[9]);
-    BYTESWAP8(W[10]);
-    BYTESWAP8(W[11]);
-    BYTESWAP8(W[12]);
-    BYTESWAP8(W[13]);
-    BYTESWAP8(W[14]);
-    BYTESWAP8(W[15]);
-  }
-#endif
-
-  {
-    PRUint64 t1, t2;
-#ifdef NOUNROLL512
-    {
-	/* prepare the "message schedule"   */
-	int t;
-	for (t = 16; t < 80; ++t) {
-	    INITW(t);
-	}
-    }
-#else
-    INITW(16);
-    INITW(17);
-    INITW(18);
-    INITW(19);
-
-    INITW(20);
-    INITW(21);
-    INITW(22);
-    INITW(23);
-    INITW(24);
-    INITW(25);
-    INITW(26);
-    INITW(27);
-    INITW(28);
-    INITW(29);
-
-    INITW(30);
-    INITW(31);
-    INITW(32);
-    INITW(33);
-    INITW(34);
-    INITW(35);
-    INITW(36);
-    INITW(37);
-    INITW(38);
-    INITW(39);
-
-    INITW(40);
-    INITW(41);
-    INITW(42);
-    INITW(43);
-    INITW(44);
-    INITW(45);
-    INITW(46);
-    INITW(47);
-    INITW(48);
-    INITW(49);
-
-    INITW(50);
-    INITW(51);
-    INITW(52);
-    INITW(53);
-    INITW(54);
-    INITW(55);
-    INITW(56);
-    INITW(57);
-    INITW(58);
-    INITW(59);
-
-    INITW(60);
-    INITW(61);
-    INITW(62);
-    INITW(63);
-    INITW(64);
-    INITW(65);
-    INITW(66);
-    INITW(67);
-    INITW(68);
-    INITW(69);
-
-    INITW(70);
-    INITW(71);
-    INITW(72);
-    INITW(73);
-    INITW(74);
-    INITW(75);
-    INITW(76);
-    INITW(77);
-    INITW(78);
-    INITW(79);
-#endif
-  }
-#ifdef SHA512_TRACE
-  {
-    int i;
-    for (i = 0; i < 80; ++i) {
-#ifdef HAVE_LONG_LONG
-	printf("W[%2d] = %016lx\n", i, W[i]);
-#else
-	printf("W[%2d] = %08x%08x\n", i, W[i].hi, W[i].lo);
-#endif
-    }
-  }
-#endif
-  {
-    PRUint64 a, b, c, d, e, f, g, h;
-
-    a = H[0];
-    b = H[1];
-    c = H[2];
-    d = H[3];
-    e = H[4];
-    f = H[5];
-    g = H[6];
-    h = H[7];
-
-#ifdef NOUNROLL512
-    {
-	int t;
-	for (t = 0; t < 80; t+= 8) {
-	    ROUND(t+0,a,b,c,d,e,f,g,h)
-	    ROUND(t+1,h,a,b,c,d,e,f,g)
-	    ROUND(t+2,g,h,a,b,c,d,e,f)
-	    ROUND(t+3,f,g,h,a,b,c,d,e)
-	    ROUND(t+4,e,f,g,h,a,b,c,d)
-	    ROUND(t+5,d,e,f,g,h,a,b,c)
-	    ROUND(t+6,c,d,e,f,g,h,a,b)
-	    ROUND(t+7,b,c,d,e,f,g,h,a)
-	}
-    }
-#else
-    ROUND( 0,a,b,c,d,e,f,g,h)
-    ROUND( 1,h,a,b,c,d,e,f,g)
-    ROUND( 2,g,h,a,b,c,d,e,f)
-    ROUND( 3,f,g,h,a,b,c,d,e)
-    ROUND( 4,e,f,g,h,a,b,c,d)
-    ROUND( 5,d,e,f,g,h,a,b,c)
-    ROUND( 6,c,d,e,f,g,h,a,b)
-    ROUND( 7,b,c,d,e,f,g,h,a)
-
-    ROUND( 8,a,b,c,d,e,f,g,h)
-    ROUND( 9,h,a,b,c,d,e,f,g)
-    ROUND(10,g,h,a,b,c,d,e,f)
-    ROUND(11,f,g,h,a,b,c,d,e)
-    ROUND(12,e,f,g,h,a,b,c,d)
-    ROUND(13,d,e,f,g,h,a,b,c)
-    ROUND(14,c,d,e,f,g,h,a,b)
-    ROUND(15,b,c,d,e,f,g,h,a)
-
-    ROUND(16,a,b,c,d,e,f,g,h)
-    ROUND(17,h,a,b,c,d,e,f,g)
-    ROUND(18,g,h,a,b,c,d,e,f)
-    ROUND(19,f,g,h,a,b,c,d,e)
-    ROUND(20,e,f,g,h,a,b,c,d)
-    ROUND(21,d,e,f,g,h,a,b,c)
-    ROUND(22,c,d,e,f,g,h,a,b)
-    ROUND(23,b,c,d,e,f,g,h,a)
-
-    ROUND(24,a,b,c,d,e,f,g,h)
-    ROUND(25,h,a,b,c,d,e,f,g)
-    ROUND(26,g,h,a,b,c,d,e,f)
-    ROUND(27,f,g,h,a,b,c,d,e)
-    ROUND(28,e,f,g,h,a,b,c,d)
-    ROUND(29,d,e,f,g,h,a,b,c)
-    ROUND(30,c,d,e,f,g,h,a,b)
-    ROUND(31,b,c,d,e,f,g,h,a)
-
-    ROUND(32,a,b,c,d,e,f,g,h)
-    ROUND(33,h,a,b,c,d,e,f,g)
-    ROUND(34,g,h,a,b,c,d,e,f)
-    ROUND(35,f,g,h,a,b,c,d,e)
-    ROUND(36,e,f,g,h,a,b,c,d)
-    ROUND(37,d,e,f,g,h,a,b,c)
-    ROUND(38,c,d,e,f,g,h,a,b)
-    ROUND(39,b,c,d,e,f,g,h,a)
-
-    ROUND(40,a,b,c,d,e,f,g,h)
-    ROUND(41,h,a,b,c,d,e,f,g)
-    ROUND(42,g,h,a,b,c,d,e,f)
-    ROUND(43,f,g,h,a,b,c,d,e)
-    ROUND(44,e,f,g,h,a,b,c,d)
-    ROUND(45,d,e,f,g,h,a,b,c)
-    ROUND(46,c,d,e,f,g,h,a,b)
-    ROUND(47,b,c,d,e,f,g,h,a)
-
-    ROUND(48,a,b,c,d,e,f,g,h)
-    ROUND(49,h,a,b,c,d,e,f,g)
-    ROUND(50,g,h,a,b,c,d,e,f)
-    ROUND(51,f,g,h,a,b,c,d,e)
-    ROUND(52,e,f,g,h,a,b,c,d)
-    ROUND(53,d,e,f,g,h,a,b,c)
-    ROUND(54,c,d,e,f,g,h,a,b)
-    ROUND(55,b,c,d,e,f,g,h,a)
-
-    ROUND(56,a,b,c,d,e,f,g,h)
-    ROUND(57,h,a,b,c,d,e,f,g)
-    ROUND(58,g,h,a,b,c,d,e,f)
-    ROUND(59,f,g,h,a,b,c,d,e)
-    ROUND(60,e,f,g,h,a,b,c,d)
-    ROUND(61,d,e,f,g,h,a,b,c)
-    ROUND(62,c,d,e,f,g,h,a,b)
-    ROUND(63,b,c,d,e,f,g,h,a)
-
-    ROUND(64,a,b,c,d,e,f,g,h)
-    ROUND(65,h,a,b,c,d,e,f,g)
-    ROUND(66,g,h,a,b,c,d,e,f)
-    ROUND(67,f,g,h,a,b,c,d,e)
-    ROUND(68,e,f,g,h,a,b,c,d)
-    ROUND(69,d,e,f,g,h,a,b,c)
-    ROUND(70,c,d,e,f,g,h,a,b)
-    ROUND(71,b,c,d,e,f,g,h,a)
-
-    ROUND(72,a,b,c,d,e,f,g,h)
-    ROUND(73,h,a,b,c,d,e,f,g)
-    ROUND(74,g,h,a,b,c,d,e,f)
-    ROUND(75,f,g,h,a,b,c,d,e)
-    ROUND(76,e,f,g,h,a,b,c,d)
-    ROUND(77,d,e,f,g,h,a,b,c)
-    ROUND(78,c,d,e,f,g,h,a,b)
-    ROUND(79,b,c,d,e,f,g,h,a)
-#endif
-
-    ADDTO(a,H[0]);
-    ADDTO(b,H[1]);
-    ADDTO(c,H[2]);
-    ADDTO(d,H[3]);
-    ADDTO(e,H[4]);
-    ADDTO(f,H[5]);
-    ADDTO(g,H[6]);
-    ADDTO(h,H[7]);
-  }
-}
-
-void 
-SHA512_Update(SHA512Context *ctx, const unsigned char *input,
-              unsigned int inputLen)
-{
-    unsigned int inBuf;
-    if (!inputLen)
-    	return;
-
-#if defined(HAVE_LONG_LONG)
-    inBuf = (unsigned int)ctx->sizeLo & 0x7f;
-    /* Add inputLen into the count of bytes processed, before processing */
-    ctx->sizeLo += inputLen;
-#else
-    inBuf = (unsigned int)ctx->sizeLo.lo & 0x7f;
-    ctx->sizeLo.lo += inputLen;
-    if (ctx->sizeLo.lo < inputLen) ctx->sizeLo.hi++;
-#endif
-
-    /* if data already in buffer, attemp to fill rest of buffer */
-    if (inBuf) {
-    	unsigned int todo = SHA512_BLOCK_LENGTH - inBuf;
-	if (inputLen < todo)
-	    todo = inputLen;
-	memcpy(B + inBuf, input, todo);
-	input    += todo;
-	inputLen -= todo;
-	if (inBuf + todo == SHA512_BLOCK_LENGTH)
-	    SHA512_Compress(ctx);
-    }
-
-    /* if enough data to fill one or more whole buffers, process them. */
-    while (inputLen >= SHA512_BLOCK_LENGTH) {
-    	memcpy(B, input, SHA512_BLOCK_LENGTH);
-	input    += SHA512_BLOCK_LENGTH;
-	inputLen -= SHA512_BLOCK_LENGTH;
-	SHA512_Compress(ctx);
-    }
-    /* if data left over, fill it into buffer */
-    if (inputLen) 
-    	memcpy(B, input, inputLen);
-}
-
-void 
-SHA512_End(SHA512Context *ctx, unsigned char *digest,
-           unsigned int *digestLen, unsigned int maxDigestLen)
-{
-#if defined(HAVE_LONG_LONG)
-    unsigned int inBuf  = (unsigned int)ctx->sizeLo & 0x7f;
-    unsigned int padLen = (inBuf < 112) ? (112 - inBuf) : (112 + 128 - inBuf);
-    PRUint64 lo, t1;
-    lo = (ctx->sizeLo << 3);
-#else
-    unsigned int inBuf  = (unsigned int)ctx->sizeLo.lo & 0x7f;
-    unsigned int padLen = (inBuf < 112) ? (112 - inBuf) : (112 + 128 - inBuf);
-    PRUint64 lo = ctx->sizeLo;
-    PRUint32 t1;
-    lo.lo <<= 3;
-#endif
-
-    SHA512_Update(ctx, pad, padLen);
-
-#if defined(HAVE_LONG_LONG)
-    W[14] = 0;
-#else
-    W[14].lo = 0;
-    W[14].hi = 0;
-#endif
-
-    W[15] = lo;
-#if defined(IS_LITTLE_ENDIAN)
-    BYTESWAP8(W[15]);
-#endif
-    SHA512_Compress(ctx);
-
-    /* now output the answer */
-#if defined(IS_LITTLE_ENDIAN)
-    BYTESWAP8(H[0]);
-    BYTESWAP8(H[1]);
-    BYTESWAP8(H[2]);
-    BYTESWAP8(H[3]);
-    BYTESWAP8(H[4]);
-    BYTESWAP8(H[5]);
-    BYTESWAP8(H[6]);
-    BYTESWAP8(H[7]);
-#endif
-    padLen = PR_MIN(SHA512_LENGTH, maxDigestLen);
-    memcpy(digest, H, padLen);
-    if (digestLen)
-	*digestLen = padLen;
-}
-
-SECStatus 
-SHA512_HashBuf(unsigned char *dest, const unsigned char *src, 
-               uint32 src_length)
-{
-    SHA512Context ctx;
-    unsigned int outLen;
-
-    SHA512_Begin(&ctx);
-    SHA512_Update(&ctx, src, src_length);
-    SHA512_End(&ctx, dest, &outLen, SHA512_LENGTH);
-
-    return SECSuccess;
-}
-
-
-SECStatus 
-SHA512_Hash(unsigned char *dest, const char *src)
-{
-    return SHA512_HashBuf(dest, (const unsigned char *)src, PORT_Strlen(src));
-}
-
-
-void SHA512_TraceState(SHA512Context *ctx) { }
-
-unsigned int 
-SHA512_FlattenSize(SHA512Context *ctx)
-{
-    return sizeof *ctx;
-}
-
-SECStatus 
-SHA512_Flatten(SHA512Context *ctx,unsigned char *space)
-{
-    PORT_Memcpy(space, ctx, sizeof *ctx);
-    return SECSuccess;
-}
-
-SHA512Context * 
-SHA512_Resurrect(unsigned char *space, void *arg)
-{
-    SHA512Context *ctx = SHA512_NewContext();
-    if (ctx) 
-	PORT_Memcpy(ctx, space, sizeof *ctx);
-    return ctx;
-}
-
-void SHA512_Clone(SHA512Context *dest, SHA512Context *src) 
-{
-    memcpy(dest, src, sizeof *dest);
-}
-
-/* ======================================================================= */
-/* SHA384 uses a SHA512Context as the real context. 
-** The only differences between SHA384 an SHA512 are:
-** a) the intialization values for the context, and
-** b) the number of bytes of data produced as output.
-*/
-
-/* SHA-384 initial hash values */
-static const PRUint64 H384[8] = {
-#if PR_BYTES_PER_LONG == 8
-     0xcbbb9d5dc1059ed8UL ,  0x629a292a367cd507UL , 
-     0x9159015a3070dd17UL ,  0x152fecd8f70e5939UL , 
-     0x67332667ffc00b31UL ,  0x8eb44a8768581511UL , 
-     0xdb0c2e0d64f98fa7UL ,  0x47b5481dbefa4fa4UL 
-#else
-    ULLC(cbbb9d5d,c1059ed8), ULLC(629a292a,367cd507), 
-    ULLC(9159015a,3070dd17), ULLC(152fecd8,f70e5939), 
-    ULLC(67332667,ffc00b31), ULLC(8eb44a87,68581511), 
-    ULLC(db0c2e0d,64f98fa7), ULLC(47b5481d,befa4fa4)
-#endif
-};
-
-SHA384Context *
-SHA384_NewContext(void)
-{
-    return SHA512_NewContext();
-}
-
-void 
-SHA384_DestroyContext(SHA384Context *ctx, PRBool freeit)
-{
-    SHA512_DestroyContext(ctx, freeit);
-}
-
-void 
-SHA384_Begin(SHA384Context *ctx)
-{
-    memset(ctx, 0, sizeof *ctx);
-    memcpy(H, H384, sizeof H384);
-}
-
-void 
-SHA384_Update(SHA384Context *ctx, const unsigned char *input,
-		    unsigned int inputLen)
-{
-    SHA512_Update(ctx, input, inputLen);
-}
-
-void 
-SHA384_End(SHA384Context *ctx, unsigned char *digest,
-		 unsigned int *digestLen, unsigned int maxDigestLen)
-{
-#define SHA_MIN(a,b) (a < b ? a : b)
-    unsigned int maxLen = SHA_MIN(maxDigestLen, SHA384_LENGTH);
-    SHA512_End(ctx, digest, digestLen, maxLen);
-}
-
-SECStatus 
-SHA384_HashBuf(unsigned char *dest, const unsigned char *src,
-			  uint32 src_length)
-{
-    SHA512Context ctx;
-    unsigned int outLen;
-
-    SHA384_Begin(&ctx);
-    SHA512_Update(&ctx, src, src_length);
-    SHA512_End(&ctx, dest, &outLen, SHA384_LENGTH);
-
-    return SECSuccess;
-}
-
-SECStatus 
-SHA384_Hash(unsigned char *dest, const char *src)
-{
-    return SHA384_HashBuf(dest, (const unsigned char *)src, PORT_Strlen(src));
-}
-
-void SHA384_TraceState(SHA384Context *ctx) { }
-
-unsigned int 
-SHA384_FlattenSize(SHA384Context *ctx)
-{
-    return sizeof(SHA384Context);
-}
-
-SECStatus 
-SHA384_Flatten(SHA384Context *ctx,unsigned char *space)
-{
-    return SHA512_Flatten(ctx, space);
-}
-
-SHA384Context * 
-SHA384_Resurrect(unsigned char *space, void *arg)
-{
-    return SHA512_Resurrect(space, arg);
-}
-
-void SHA384_Clone(SHA384Context *dest, SHA384Context *src) 
-{
-    memcpy(dest, src, sizeof *dest);
-}
-
-/* ======================================================================= */
-#ifdef SELFTEST
-#include <stdio.h>
-
-static const char abc[] = { "abc" };
-static const char abcdbc[] = { 
-    "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
-};
-static const char abcdef[] = { 
-    "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
-    "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" 
-};
-
-void
-dumpHash32(const unsigned char *buf, unsigned int bufLen)
-{
-    unsigned int i;
-    for (i = 0; i < bufLen; i += 4) {
-	printf(" %02x%02x%02x%02x", buf[i], buf[i+1], buf[i+2], buf[i+3]);
-    }
-    printf("\n");
-}
-
-void test256(void)
-{
-    unsigned char outBuf[SHA256_LENGTH];
-
-    printf("SHA256, input = %s\n", abc);
-    SHA256_Hash(outBuf, abc);
-    dumpHash32(outBuf, sizeof outBuf);
-
-    printf("SHA256, input = %s\n", abcdbc);
-    SHA256_Hash(outBuf, abcdbc);
-    dumpHash32(outBuf, sizeof outBuf);
-}
-
-void
-dumpHash64(const unsigned char *buf, unsigned int bufLen)
-{
-    unsigned int i;
-    for (i = 0; i < bufLen; i += 8) {
-    	if (i % 32 == 0)
-	    printf("\n");
-	printf(" %02x%02x%02x%02x%02x%02x%02x%02x", 
-	       buf[i  ], buf[i+1], buf[i+2], buf[i+3],
-	       buf[i+4], buf[i+5], buf[i+6], buf[i+7]);
-    }
-    printf("\n");
-}
-
-void test512(void)
-{
-    unsigned char outBuf[SHA512_LENGTH];
-
-    printf("SHA512, input = %s\n", abc);
-    SHA512_Hash(outBuf, abc);
-    dumpHash64(outBuf, sizeof outBuf);
-
-    printf("SHA512, input = %s\n", abcdef);
-    SHA512_Hash(outBuf, abcdef);
-    dumpHash64(outBuf, sizeof outBuf);
-}
-
-void time512(void)
-{
-    unsigned char outBuf[SHA512_LENGTH];
-
-    SHA512_Hash(outBuf, abc);
-    SHA512_Hash(outBuf, abcdef);
-}
-
-void test384(void)
-{
-    unsigned char outBuf[SHA384_LENGTH];
-
-    printf("SHA384, input = %s\n", abc);
-    SHA384_Hash(outBuf, abc);
-    dumpHash64(outBuf, sizeof outBuf);
-
-    printf("SHA384, input = %s\n", abcdef);
-    SHA384_Hash(outBuf, abcdef);
-    dumpHash64(outBuf, sizeof outBuf);
-}
-
-int main (int argc, char *argv[], char *envp[])
-{
-    int i = 1;
-    if (argc > 1) {
-    	i = atoi(argv[1]);
-    }
-    if (i < 2) {
-	test256();
-	test512();
-	test384();
-    } else {
-    	while (i-- > 0) {
-	    time512();
-	}
-	printf("done\n");
-    }
-    return 0;
-}
-
-void *PORT_Alloc(size_t len) 		{ return malloc(len); }
-void PORT_Free(void *ptr)		{ free(ptr); }
-void PORT_ZFree(void *ptr, size_t len)  { memset(ptr, 0, len); free(ptr); }
-#endif
diff --git a/security/nss/lib/freebl/sha_fast.c b/security/nss/lib/freebl/sha_fast.c
deleted file mode 100644
index b59e3ce39..000000000
--- a/security/nss/lib/freebl/sha_fast.c
+++ /dev/null
@@ -1,472 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is SHA 180-1 Reference Implementation (Optimized).
- *
- * The Initial Developer of the Original Code is
- * Paul Kocher of Cryptography Research.
- * Portions created by the Initial Developer are Copyright (C) 1995-9
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#include <memory.h>
-#include "blapi.h"
-#include "sha_fast.h"
-#include "prerror.h"
-
-#ifdef TRACING_SSL
-#include "ssl.h"
-#include "ssltrace.h"
-#endif
-
-static void shaCompress(volatile SHA_HW_t *X, const PRUint32 * datain);
-
-#define W u.w
-#define B u.b
-
-
-#define SHA_F1(X,Y,Z) ((((Y)^(Z))&(X))^(Z))
-#define SHA_F2(X,Y,Z) ((X)^(Y)^(Z))
-#define SHA_F3(X,Y,Z) (((X)&(Y))|((Z)&((X)|(Y))))
-#define SHA_F4(X,Y,Z) ((X)^(Y)^(Z))
-
-#define SHA_MIX(n,a,b,c)    XW(n) = SHA_ROTL(XW(a)^XW(b)^XW(c)^XW(n), 1)
-
-/*
- *  SHA: initialize context
- */
-void 
-SHA1_Begin(SHA1Context *ctx)
-{
-  ctx->size = 0;
-  /*
-   *  Initialize H with constants from FIPS180-1.
-   */
-  ctx->H[0] = 0x67452301L;
-  ctx->H[1] = 0xefcdab89L;
-  ctx->H[2] = 0x98badcfeL;
-  ctx->H[3] = 0x10325476L;
-  ctx->H[4] = 0xc3d2e1f0L;
-}
-
-/* Explanation of H array and index values:
- * The context's H array is actually the concatenation of two arrays 
- * defined by SHA1, the H array of state variables (5 elements),
- * and the W array of intermediate values, of which there are 16 elements.
- * The W array starts at H[5], that is W[0] is H[5].
- * Although these values are defined as 32-bit values, we use 64-bit
- * variables to hold them because the AMD64 stores 64 bit values in
- * memory MUCH faster than it stores any smaller values.
- *
- * Rather than passing the context structure to shaCompress, we pass
- * this combined array of H and W values.  We do not pass the address
- * of the first element of this array, but rather pass the address of an
- * element in the middle of the array, element X.  Presently X[0] is H[11].
- * So we pass the address of H[11] as the address of array X to shaCompress.
- * Then shaCompress accesses the members of the array using positive AND 
- * negative indexes.  
- *
- * Pictorially: (each element is 8 bytes)
- * H | H0 H1 H2 H3 H4 W0 W1 W2 W3 W4 W5 W6 W7 W8 W9 Wa Wb Wc Wd We Wf |
- * X |-11-10 -9 -8 -7 -6 -5 -4 -3 -2 -1 X0 X1 X2 X3 X4 X5 X6 X7 X8 X9 |
- * 
- * The byte offset from X[0] to any member of H and W is always 
- * representable in a signed 8-bit value, which will be encoded 
- * as a single byte offset in the X86-64 instruction set.  
- * If we didn't pass the address of H[11], and instead passed the 
- * address of H[0], the offsets to elements H[16] and above would be
- * greater than 127, not representable in a signed 8-bit value, and the 
- * x86-64 instruction set would encode every such offset as a 32-bit 
- * signed number in each instruction that accessed element H[16] or 
- * higher.  This results in much bigger and slower code. 
- */
-#if !defined(SHA_PUT_W_IN_STACK)
-#define H2X 11 /* X[0] is H[11], and H[0] is X[-11] */
-#define W2X  6 /* X[0] is W[6],  and W[0] is X[-6]  */
-#else
-#define H2X 0
-#endif
-
-/*
- *  SHA: Add data to context.
- */
-void 
-SHA1_Update(SHA1Context *ctx, const unsigned char *dataIn, unsigned int len) 
-{
-  register unsigned int lenB;
-  register unsigned int togo;
-
-  if (!len)
-    return;
-
-  /* accumulate the byte count. */
-  lenB = (unsigned int)(ctx->size) & 63U;
-
-  ctx->size += len;
-
-  /*
-   *  Read the data into W and process blocks as they get full
-   */
-  if (lenB > 0) {
-    togo = 64U - lenB;
-    if (len < togo)
-      togo = len;
-    memcpy(ctx->B + lenB, dataIn, togo);
-    len    -= togo;
-    dataIn += togo;
-    lenB    = (lenB + togo) & 63U;
-    if (!lenB) {
-      shaCompress(&ctx->H[H2X], ctx->W);
-    }
-  }
-#if !defined(SHA_ALLOW_UNALIGNED_ACCESS)
-  if ((ptrdiff_t)dataIn % sizeof(PRUint32)) {
-    while (len >= 64U) {
-      memcpy(ctx->B, dataIn, 64);
-      len    -= 64U;
-      shaCompress(&ctx->H[H2X], ctx->W);
-      dataIn += 64U;
-    }
-  } else 
-#endif
-  {
-    while (len >= 64U) {
-      len    -= 64U;
-      shaCompress(&ctx->H[H2X], (PRUint32 *)dataIn);
-      dataIn += 64U;
-    }
-  }
-  if (len) {
-    memcpy(ctx->B, dataIn, len);
-  }
-}
-
-
-/*
- *  SHA: Generate hash value from context
- */
-void 
-SHA1_End(SHA1Context *ctx, unsigned char *hashout,
-         unsigned int *pDigestLen, unsigned int maxDigestLen)
-{
-  register PRUint64 size;
-  register PRUint32 lenB;
-
-  static const unsigned char bulk_pad[64] = { 0x80,0,0,0,0,0,0,0,0,0,
-          0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
-          0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0  };
-#define tmp lenB
-
-  PORT_Assert (maxDigestLen >= SHA1_LENGTH);
-
-  /*
-   *  Pad with a binary 1 (e.g. 0x80), then zeroes, then length in bits
-   */
-  size = ctx->size;
-
-  lenB = (PRUint32)size & 63;
-  SHA1_Update(ctx, bulk_pad, (((55+64) - lenB) & 63) + 1);
-  PORT_Assert(((PRUint32)ctx->size & 63) == 56);
-  /* Convert size from bytes to bits. */
-  size <<= 3;
-  ctx->W[14] = SHA_HTONL((PRUint32)(size >> 32));
-  ctx->W[15] = SHA_HTONL((PRUint32)size);
-  shaCompress(&ctx->H[H2X], ctx->W);
-
-  /*
-   *  Output hash
-   */
-  SHA_STORE_RESULT;
-  *pDigestLen = SHA1_LENGTH;
-
-}
-
-#undef B
-#undef tmp
-/*
- *  SHA: Compression function, unrolled.
- *
- * Some operations in shaCompress are done as 5 groups of 16 operations.
- * Others are done as 4 groups of 20 operations.
- * The code below shows that structure.
- *
- * The functions that compute the new values of the 5 state variables
- * A-E are done in 4 groups of 20 operations (or you may also think
- * of them as being done in 16 groups of 5 operations).  They are
- * done by the SHA_RNDx macros below, in the right column.
- *
- * The functions that set the 16 values of the W array are done in 
- * 5 groups of 16 operations.  The first group is done by the 
- * LOAD macros below, the latter 4 groups are done by SHA_MIX below,
- * in the left column.
- *
- * gcc's optimizer observes that each member of the W array is assigned
- * a value 5 times in this code.  It reduces the number of store 
- * operations done to the W array in the context (that is, in the X array)
- * by creating a W array on the stack, and storing the W values there for 
- * the first 4 groups of operations on W, and storing the values in the 
- * context's W array only in the fifth group.  This is undesirable.
- * It is MUCH bigger code than simply using the context's W array, because 
- * all the offsets to the W array in the stack are 32-bit signed offsets, 
- * and it is no faster than storing the values in the context's W array. 
- *
- * The original code for sha_fast.c prevented this creation of a separate 
- * W array in the stack by creating a W array of 80 members, each of
- * whose elements is assigned only once. It also separated the computations
- * of the W array values and the computations of the values for the 5
- * state variables into two separate passes, W's, then A-E's so that the 
- * second pass could be done all in registers (except for accessing the W
- * array) on machines with fewer registers.  The method is suboptimal
- * for machines with enough registers to do it all in one pass, and it
- * necessitates using many instructions with 32-bit offsets.
- *
- * This code eliminates the separate W array on the stack by a completely
- * different means: by declaring the X array volatile.  This prevents
- * the optimizer from trying to reduce the use of the X array by the
- * creation of a MORE expensive W array on the stack. The result is
- * that all instructions use signed 8-bit offsets and not 32-bit offsets.
- *
- * The combination of this code and the -O3 optimizer flag on GCC 3.4.3
- * results in code that is 3 times faster than the previous NSS sha_fast
- * code on AMD64.
- */
-static void 
-shaCompress(volatile SHA_HW_t *X, const PRUint32 *inbuf) 
-{
-  register SHA_HW_t A, B, C, D, E;
-
-#if defined(SHA_NEED_TMP_VARIABLE)
-  register PRUint32 tmp;
-#endif
-
-#if !defined(SHA_PUT_W_IN_STACK)
-#define XH(n) X[n-H2X]
-#define XW(n) X[n-W2X]
-#else
-  SHA_HW_t w_0, w_1, w_2, w_3, w_4, w_5, w_6, w_7,
-           w_8, w_9, w_10, w_11, w_12, w_13, w_14, w_15;
-#define XW(n) w_ ## n
-#define XH(n) X[n]
-#endif
-
-#define K0 0x5a827999L
-#define K1 0x6ed9eba1L
-#define K2 0x8f1bbcdcL
-#define K3 0xca62c1d6L
-
-#define SHA_RND1(a,b,c,d,e,n) \
-  a = SHA_ROTL(b,5)+SHA_F1(c,d,e)+a+XW(n)+K0; c=SHA_ROTL(c,30) 
-#define SHA_RND2(a,b,c,d,e,n) \
-  a = SHA_ROTL(b,5)+SHA_F2(c,d,e)+a+XW(n)+K1; c=SHA_ROTL(c,30) 
-#define SHA_RND3(a,b,c,d,e,n) \
-  a = SHA_ROTL(b,5)+SHA_F3(c,d,e)+a+XW(n)+K2; c=SHA_ROTL(c,30) 
-#define SHA_RND4(a,b,c,d,e,n) \
-  a = SHA_ROTL(b,5)+SHA_F4(c,d,e)+a+XW(n)+K3; c=SHA_ROTL(c,30) 
-
-#define LOAD(n) XW(n) = SHA_HTONL(inbuf[n])
-
-  A = XH(0);
-  B = XH(1);
-  C = XH(2);
-  D = XH(3);
-  E = XH(4);
-
-  LOAD(0);		   SHA_RND1(E,A,B,C,D, 0);
-  LOAD(1);		   SHA_RND1(D,E,A,B,C, 1);
-  LOAD(2);		   SHA_RND1(C,D,E,A,B, 2);
-  LOAD(3);		   SHA_RND1(B,C,D,E,A, 3);
-  LOAD(4);		   SHA_RND1(A,B,C,D,E, 4);
-  LOAD(5);		   SHA_RND1(E,A,B,C,D, 5);
-  LOAD(6);		   SHA_RND1(D,E,A,B,C, 6);
-  LOAD(7);		   SHA_RND1(C,D,E,A,B, 7);
-  LOAD(8);		   SHA_RND1(B,C,D,E,A, 8);
-  LOAD(9);		   SHA_RND1(A,B,C,D,E, 9);
-  LOAD(10);		   SHA_RND1(E,A,B,C,D,10);
-  LOAD(11);		   SHA_RND1(D,E,A,B,C,11);
-  LOAD(12);		   SHA_RND1(C,D,E,A,B,12);
-  LOAD(13);		   SHA_RND1(B,C,D,E,A,13);
-  LOAD(14);		   SHA_RND1(A,B,C,D,E,14);
-  LOAD(15);		   SHA_RND1(E,A,B,C,D,15);
-
-  SHA_MIX( 0, 13,  8,  2); SHA_RND1(D,E,A,B,C, 0);
-  SHA_MIX( 1, 14,  9,  3); SHA_RND1(C,D,E,A,B, 1);
-  SHA_MIX( 2, 15, 10,  4); SHA_RND1(B,C,D,E,A, 2);
-  SHA_MIX( 3,  0, 11,  5); SHA_RND1(A,B,C,D,E, 3);
-
-  SHA_MIX( 4,  1, 12,  6); SHA_RND2(E,A,B,C,D, 4);
-  SHA_MIX( 5,  2, 13,  7); SHA_RND2(D,E,A,B,C, 5);
-  SHA_MIX( 6,  3, 14,  8); SHA_RND2(C,D,E,A,B, 6);
-  SHA_MIX( 7,  4, 15,  9); SHA_RND2(B,C,D,E,A, 7);
-  SHA_MIX( 8,  5,  0, 10); SHA_RND2(A,B,C,D,E, 8);
-  SHA_MIX( 9,  6,  1, 11); SHA_RND2(E,A,B,C,D, 9);
-  SHA_MIX(10,  7,  2, 12); SHA_RND2(D,E,A,B,C,10);
-  SHA_MIX(11,  8,  3, 13); SHA_RND2(C,D,E,A,B,11);
-  SHA_MIX(12,  9,  4, 14); SHA_RND2(B,C,D,E,A,12);
-  SHA_MIX(13, 10,  5, 15); SHA_RND2(A,B,C,D,E,13);
-  SHA_MIX(14, 11,  6,  0); SHA_RND2(E,A,B,C,D,14);
-  SHA_MIX(15, 12,  7,  1); SHA_RND2(D,E,A,B,C,15);
-
-  SHA_MIX( 0, 13,  8,  2); SHA_RND2(C,D,E,A,B, 0);
-  SHA_MIX( 1, 14,  9,  3); SHA_RND2(B,C,D,E,A, 1);
-  SHA_MIX( 2, 15, 10,  4); SHA_RND2(A,B,C,D,E, 2);
-  SHA_MIX( 3,  0, 11,  5); SHA_RND2(E,A,B,C,D, 3);
-  SHA_MIX( 4,  1, 12,  6); SHA_RND2(D,E,A,B,C, 4);
-  SHA_MIX( 5,  2, 13,  7); SHA_RND2(C,D,E,A,B, 5);
-  SHA_MIX( 6,  3, 14,  8); SHA_RND2(B,C,D,E,A, 6);
-  SHA_MIX( 7,  4, 15,  9); SHA_RND2(A,B,C,D,E, 7);
-
-  SHA_MIX( 8,  5,  0, 10); SHA_RND3(E,A,B,C,D, 8);
-  SHA_MIX( 9,  6,  1, 11); SHA_RND3(D,E,A,B,C, 9);
-  SHA_MIX(10,  7,  2, 12); SHA_RND3(C,D,E,A,B,10);
-  SHA_MIX(11,  8,  3, 13); SHA_RND3(B,C,D,E,A,11);
-  SHA_MIX(12,  9,  4, 14); SHA_RND3(A,B,C,D,E,12);
-  SHA_MIX(13, 10,  5, 15); SHA_RND3(E,A,B,C,D,13);
-  SHA_MIX(14, 11,  6,  0); SHA_RND3(D,E,A,B,C,14);
-  SHA_MIX(15, 12,  7,  1); SHA_RND3(C,D,E,A,B,15);
-
-  SHA_MIX( 0, 13,  8,  2); SHA_RND3(B,C,D,E,A, 0);
-  SHA_MIX( 1, 14,  9,  3); SHA_RND3(A,B,C,D,E, 1);
-  SHA_MIX( 2, 15, 10,  4); SHA_RND3(E,A,B,C,D, 2);
-  SHA_MIX( 3,  0, 11,  5); SHA_RND3(D,E,A,B,C, 3);
-  SHA_MIX( 4,  1, 12,  6); SHA_RND3(C,D,E,A,B, 4);
-  SHA_MIX( 5,  2, 13,  7); SHA_RND3(B,C,D,E,A, 5);
-  SHA_MIX( 6,  3, 14,  8); SHA_RND3(A,B,C,D,E, 6);
-  SHA_MIX( 7,  4, 15,  9); SHA_RND3(E,A,B,C,D, 7);
-  SHA_MIX( 8,  5,  0, 10); SHA_RND3(D,E,A,B,C, 8);
-  SHA_MIX( 9,  6,  1, 11); SHA_RND3(C,D,E,A,B, 9);
-  SHA_MIX(10,  7,  2, 12); SHA_RND3(B,C,D,E,A,10);
-  SHA_MIX(11,  8,  3, 13); SHA_RND3(A,B,C,D,E,11);
-
-  SHA_MIX(12,  9,  4, 14); SHA_RND4(E,A,B,C,D,12);
-  SHA_MIX(13, 10,  5, 15); SHA_RND4(D,E,A,B,C,13);
-  SHA_MIX(14, 11,  6,  0); SHA_RND4(C,D,E,A,B,14);
-  SHA_MIX(15, 12,  7,  1); SHA_RND4(B,C,D,E,A,15);
-
-  SHA_MIX( 0, 13,  8,  2); SHA_RND4(A,B,C,D,E, 0);
-  SHA_MIX( 1, 14,  9,  3); SHA_RND4(E,A,B,C,D, 1);
-  SHA_MIX( 2, 15, 10,  4); SHA_RND4(D,E,A,B,C, 2);
-  SHA_MIX( 3,  0, 11,  5); SHA_RND4(C,D,E,A,B, 3);
-  SHA_MIX( 4,  1, 12,  6); SHA_RND4(B,C,D,E,A, 4);
-  SHA_MIX( 5,  2, 13,  7); SHA_RND4(A,B,C,D,E, 5);
-  SHA_MIX( 6,  3, 14,  8); SHA_RND4(E,A,B,C,D, 6);
-  SHA_MIX( 7,  4, 15,  9); SHA_RND4(D,E,A,B,C, 7);
-  SHA_MIX( 8,  5,  0, 10); SHA_RND4(C,D,E,A,B, 8);
-  SHA_MIX( 9,  6,  1, 11); SHA_RND4(B,C,D,E,A, 9);
-  SHA_MIX(10,  7,  2, 12); SHA_RND4(A,B,C,D,E,10);
-  SHA_MIX(11,  8,  3, 13); SHA_RND4(E,A,B,C,D,11);
-  SHA_MIX(12,  9,  4, 14); SHA_RND4(D,E,A,B,C,12);
-  SHA_MIX(13, 10,  5, 15); SHA_RND4(C,D,E,A,B,13);
-  SHA_MIX(14, 11,  6,  0); SHA_RND4(B,C,D,E,A,14);
-  SHA_MIX(15, 12,  7,  1); SHA_RND4(A,B,C,D,E,15);
-
-  XH(0) += A;
-  XH(1) += B;
-  XH(2) += C;
-  XH(3) += D;
-  XH(4) += E;
-}
-
-/*************************************************************************
-** Code below this line added to make SHA code support BLAPI interface
-*/
-
-SHA1Context *
-SHA1_NewContext(void)
-{
-    SHA1Context *cx;
-
-    /* no need to ZNew, SHA1_Begin will init the context */
-    cx = PORT_New(SHA1Context);
-    return cx;
-}
-
-/* Zero and free the context */
-void
-SHA1_DestroyContext(SHA1Context *cx, PRBool freeit)
-{
-    memset(cx, 0, sizeof *cx);
-    if (freeit) {
-        PORT_Free(cx);
-    }
-}
-
-SECStatus
-SHA1_HashBuf(unsigned char *dest, const unsigned char *src, uint32 src_length)
-{
-    SHA1Context ctx;
-    unsigned int outLen;
-
-    SHA1_Begin(&ctx);
-    SHA1_Update(&ctx, src, src_length);
-    SHA1_End(&ctx, dest, &outLen, SHA1_LENGTH);
-    return SECSuccess;
-}
-
-/* Hash a null-terminated character string. */
-SECStatus
-SHA1_Hash(unsigned char *dest, const char *src)
-{
-    return SHA1_HashBuf(dest, (const unsigned char *)src, PORT_Strlen (src));
-}
-
-/*
- * need to support save/restore state in pkcs11. Stores all the info necessary
- * for a structure into just a stream of bytes.
- */
-unsigned int
-SHA1_FlattenSize(SHA1Context *cx)
-{
-    return sizeof(SHA1Context);
-}
-
-SECStatus
-SHA1_Flatten(SHA1Context *cx,unsigned char *space)
-{
-    PORT_Memcpy(space,cx, sizeof(SHA1Context));
-    return SECSuccess;
-}
-
-SHA1Context *
-SHA1_Resurrect(unsigned char *space,void *arg)
-{
-    SHA1Context *cx = SHA1_NewContext();
-    if (cx == NULL) return NULL;
-
-    PORT_Memcpy(cx,space, sizeof(SHA1Context));
-    return cx;
-}
-
-void SHA1_Clone(SHA1Context *dest, SHA1Context *src) 
-{
-    memcpy(dest, src, sizeof *dest);
-}
-
-void
-SHA1_TraceState(SHA1Context *ctx)
-{
-    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
-}
diff --git a/security/nss/lib/freebl/sha_fast.h b/security/nss/lib/freebl/sha_fast.h
deleted file mode 100644
index 6243471b0..000000000
--- a/security/nss/lib/freebl/sha_fast.h
+++ /dev/null
@@ -1,178 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is SHA 180-1 Reference Implementation (Optimized).
- *
- * The Initial Developer of the Original Code is
- * Paul Kocher of Cryptography Research.
- * Portions created by the Initial Developer are Copyright (C) 1995-9
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef _SHA_FAST_H_
-#define _SHA_FAST_H_
-
-#include "prlong.h"
-
-#define SHA1_INPUT_LEN 64
-
-#if defined(IS_64) && !defined(__sparc) 
-typedef PRUint64 SHA_HW_t;
-#define SHA1_USING_64_BIT 1
-#else
-typedef PRUint32 SHA_HW_t;
-#endif
-
-struct SHA1ContextStr {
-  union {
-    PRUint32 w[16];		/* input buffer */
-    PRUint8  b[64];
-  } u;
-  PRUint64 size;          	/* count of hashed bytes. */
-  SHA_HW_t H[22];		/* 5 state variables, 16 tmp values, 1 extra */
-};
-
-#if defined(_MSC_VER) && defined(_X86_)
-#if defined(IS_LITTLE_ENDIAN) 
-#ifndef FORCEINLINE
-#if (_MSC_VER >= 1200)
-#define FORCEINLINE __forceinline
-#else
-#define FORCEINLINE __inline
-#endif /* _MSC_VER */
-#endif /* !defined FORCEINLINE */
-#define FASTCALL __fastcall
-
-static FORCEINLINE PRUint32 FASTCALL 
-swap4b(PRUint32 dwd) 
-{
-    __asm {
-    	mov   eax,dwd
-	bswap eax
-    }
-}
-
-#define SHA_HTONL(x) swap4b(x)
-#endif /* IS_LITTLE_ENDIAN */
-
-#pragma intrinsic (_lrotr, _lrotl) 
-#define SHA_ROTL(x,n) _lrotl(x,n)
-#define SHA_ROTL_IS_DEFINED 1
-#endif /* _MSC_VER && _X86_ */
-
-#if defined(__GNUC__) 
-/* __x86_64__  and __x86_64 are defined by GCC on x86_64 CPUs */
-
-#if defined( SHA1_USING_64_BIT )
-static __inline__ PRUint64 SHA_ROTL(PRUint64 x, PRUint32 n)
-{
-    PRUint32 t = (PRUint32)x;
-    return ((t << n) | (t >> (32 - n)));
-}
-#else 
-static __inline__ PRUint32 SHA_ROTL(PRUint32 t, PRUint32 n)
-{
-    return ((t << n) | (t >> (32 - n)));
-}
-#endif
-#define SHA_ROTL_IS_DEFINED 1
-
-#if defined(_X86_) || defined(__x86_64__) || defined(__x86_64) 
-static __inline__ PRUint32 swap4b(PRUint32 value)
-{
-    __asm__("bswap %0" : "+r" (value));
-    return (value);
-}
-#define SHA_HTONL(x) swap4b(x)
-#endif /* x86 family */
-
-#endif /* __GNUC__ */
-
-#if !defined(SHA_ROTL_IS_DEFINED)
-#define SHA_NEED_TMP_VARIABLE 1
-#define SHA_ROTL(X,n) (tmp = (X), ((tmp) << (n)) | ((tmp) >> (32-(n))))
-#endif
-
-#if defined(_X86_) || defined(__x86_64__) || defined(__x86_64) 
-#define SHA_ALLOW_UNALIGNED_ACCESS 1
-#endif
-
-#if !defined(SHA_HTONL)
-#define SHA_MASK      0x00FF00FF
-#if defined(IS_LITTLE_ENDIAN)
-#undef  SHA_NEED_TMP_VARIABLE 
-#define SHA_NEED_TMP_VARIABLE 1
-#define SHA_HTONL(x)  (tmp = (x), tmp = (tmp << 16) | (tmp >> 16), \
-                       ((tmp & SHA_MASK) << 8) | ((tmp >> 8) & SHA_MASK))
-#else
-#define SHA_HTONL(x)  (x)
-#endif
-#endif
-
-#define SHA_BYTESWAP(x) x = SHA_HTONL(x)
-
-#define SHA_STORE(n) ((PRUint32*)hashout)[n] = SHA_HTONL(ctx->H[n])
-#if defined(SHA_ALLOW_UNALIGNED_ACCESS)
-#define SHA_STORE_RESULT \
-  SHA_STORE(0); \
-  SHA_STORE(1); \
-  SHA_STORE(2); \
-  SHA_STORE(3); \
-  SHA_STORE(4);
-
-#elif defined(IS_LITTLE_ENDIAN) || defined( SHA1_USING_64_BIT )
-#define SHA_STORE_RESULT \
-  if (!((ptrdiff_t)hashout % sizeof(PRUint32))) { \
-    SHA_STORE(0); \
-    SHA_STORE(1); \
-    SHA_STORE(2); \
-    SHA_STORE(3); \
-    SHA_STORE(4); \
-  } else { \
-    ctx->u.w[0] = SHA_HTONL(ctx->H[0]); \
-    ctx->u.w[1] = SHA_HTONL(ctx->H[1]); \
-    ctx->u.w[2] = SHA_HTONL(ctx->H[2]); \
-    ctx->u.w[3] = SHA_HTONL(ctx->H[3]); \
-    ctx->u.w[4] = SHA_HTONL(ctx->H[4]); \
-    memcpy(hashout, ctx->u.w, SHA1_LENGTH); \
-  }
-
-#else
-#define SHA_STORE_RESULT \
-  if (!((ptrdiff_t)hashout % sizeof(PRUint32))) { \
-    SHA_STORE(0); \
-    SHA_STORE(1); \
-    SHA_STORE(2); \
-    SHA_STORE(3); \
-    SHA_STORE(4); \
-  } else { \
-    memcpy(hashout, ctx->H, SHA1_LENGTH); \
-  }
-#endif 
-
-#endif /* _SHA_FAST_H_ */
diff --git a/security/nss/lib/freebl/shsign.h b/security/nss/lib/freebl/shsign.h
deleted file mode 100644
index 0557bf8b3..000000000
--- a/security/nss/lib/freebl/shsign.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#ifndef _SHSIGN_H_
-#define _SHSIGN_H_
-
-#define SGN_SUFFIX ".chk"
-#define  NSS_SIGN_CHK_MAGIC1 0xf1
-#define  NSS_SIGN_CHK_MAGIC2 0xc5
-#define  NSS_SIGN_CHK_MAJOR_VERSION 0x01
-#define  NSS_SIGN_CHK_MINOR_VERSION 0x02
-
-#endif /* _SHSIGN_H_ */
diff --git a/security/nss/lib/freebl/shvfy.c b/security/nss/lib/freebl/shvfy.c
deleted file mode 100644
index 5c5aad8b1..000000000
--- a/security/nss/lib/freebl/shvfy.c
+++ /dev/null
@@ -1,295 +0,0 @@
-
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "shsign.h"
-#include "prlink.h"
-#include "prio.h"
-#include "blapi.h"
-#include "seccomon.h"
-#include "stdio.h"
-#include "prmem.h"
-
-/* #define DEBUG_SHVERIFY 1 */
-
-static char *
-mkCheckFileName(const char *libName)
-{
-    int ln_len = PORT_Strlen(libName);
-    char *output = PORT_Alloc(ln_len+sizeof(SGN_SUFFIX));
-    int index = ln_len + 1 - sizeof("."SHLIB_SUFFIX);
-
-    if ((index > 0) &&
-        (PORT_Strncmp(&libName[index],
-                        "."SHLIB_SUFFIX,sizeof("."SHLIB_SUFFIX)) == 0)) {
-        ln_len = index;
-    }
-    PORT_Memcpy(output,libName,ln_len);
-    PORT_Memcpy(&output[ln_len],SGN_SUFFIX,sizeof(SGN_SUFFIX));
-    return output;
-}
-
-static int
-decodeInt(unsigned char *buf)
-{
-    return (buf[3]) | (buf[2] << 8) | (buf[1] << 16) | (buf[0] << 24);
-}
-
-static SECStatus
-readItem(PRFileDesc *fd, SECItem *item)
-{
-    unsigned char buf[4];
-    int bytesRead;
-
-
-    bytesRead = PR_Read(fd, buf, 4);
-    if (bytesRead != 4) {
-	return SECFailure;
-    }
-    item->len = decodeInt(buf);
-
-    item->data = PORT_Alloc(item->len);
-    if (item->data == NULL) {
-	item->len = 0;
-	return SECFailure;
-    }
-    bytesRead = PR_Read(fd, item->data, item->len);
-    if (bytesRead != item->len) {
-	PORT_Free(item->data);
-	item->data = NULL;
-	item->len = 0;
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-PRBool
-BLAPI_SHVerify(const char *name, PRFuncPtr addr)
-{
-    /* find our shared library name */
-    char *shName = PR_GetLibraryFilePathname(name, addr);
-    char *checkName = NULL;
-    PRFileDesc *checkFD = NULL;
-    PRFileDesc *shFD = NULL;
-    SHA1Context *hashcx = NULL;
-    SECItem signature = { 0, NULL, 0 };
-    SECItem hash;
-    int bytesRead, offset;
-    SECStatus rv;
-    DSAPublicKey key;
-    int count;
-
-    PRBool result = PR_FALSE; /* if anything goes wrong,
-			       * the signature does not verify */
-    unsigned char buf[512];
-    unsigned char hashBuf[SHA1_LENGTH];
-
-    PORT_Memset(&key,0,sizeof(key));
-    hash.data = hashBuf;
-    hash.len = sizeof(hashBuf);
-
-    if (!shName) {
-	goto loser;
-    }
-
-    /* figure out the name of our check file */
-    checkName = mkCheckFileName(shName);
-    if (!checkName) {
-	goto loser;
-    }
-
-    /* open the check File */
-    checkFD = PR_Open(checkName, PR_RDONLY, 0);
-    if (checkFD == NULL) {
-#ifdef DEBUG_SHVERIFY
-        fprintf(stderr, "Failed to open the check file %s: (%d, %d)\n",
-                checkName, (int)PR_GetError(), (int)PR_GetOSError());
-#endif /* DEBUG_SHVERIFY */
-	goto loser;
-    }
-
-    /* read and Verify the headerthe header */
-    bytesRead = PR_Read(checkFD, buf, 12);
-    if (bytesRead != 12) {
-	goto loser;
-    }
-    if ((buf[0] != NSS_SIGN_CHK_MAGIC1) || (buf[1] != NSS_SIGN_CHK_MAGIC2)) {
-	goto loser;
-    }
-    if ((buf[2] != NSS_SIGN_CHK_MAJOR_VERSION) || 
-				(buf[3] < NSS_SIGN_CHK_MINOR_VERSION)) {
-	goto loser;
-    }
-#ifdef notdef
-    if (decodeInt(&buf[8]) != CKK_DSA) {
-	goto loser;
-    }
-#endif
-
-    /* seek past any future header extensions */
-    offset = decodeInt(&buf[4]);
-    PR_Seek(checkFD, offset, PR_SEEK_SET);
-
-    /* read the key */
-    rv = readItem(checkFD,&key.params.prime);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-    rv = readItem(checkFD,&key.params.subPrime);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-    rv = readItem(checkFD,&key.params.base);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-    rv = readItem(checkFD,&key.publicValue);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-    /* read the siganture */
-    rv = readItem(checkFD,&signature);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-
-    /* done with the check file */
-    PR_Close(checkFD);
-    checkFD = NULL;
-
-    /* open our library file */
-    shFD = PR_Open(shName, PR_RDONLY, 0);
-    if (shFD == NULL) {
-#ifdef DEBUG_SHVERIFY
-        fprintf(stderr, "Failed to open the library file %s: (%d, %d)\n",
-                shName, (int)PR_GetError(), (int)PR_GetOSError());
-#endif /* DEBUG_SHVERIFY */
-	goto loser;
-    }
-
-    /* hash our library file with SHA1 */
-    hashcx = SHA1_NewContext();
-    if (hashcx == NULL) {
-	goto loser;
-    }
-    SHA1_Begin(hashcx);
-
-    count = 0;
-    while ((bytesRead = PR_Read(shFD, buf, sizeof(buf))) > 0) {
-	SHA1_Update(hashcx, buf, bytesRead);
-	count += bytesRead;
-    }
-    PR_Close(shFD);
-    shFD = NULL;
-
-    SHA1_End(hashcx, hash.data, &hash.len, hash.len);
-
-
-    /* verify the hash against the check file */
-    if (DSA_VerifyDigest(&key, &signature, &hash) == SECSuccess) {
-	result = PR_TRUE;
-    }
-#ifdef DEBUG_SHVERIFY
-  {
-        int i,j;
-        fprintf(stderr,"File %s: %d bytes\n",shName, count);
-        fprintf(stderr,"  hash: %d bytes\n", hash.len);
-#define STEP 10
-        for (i=0; i < hash.len; i += STEP) {
-           fprintf(stderr,"   ");
-           for (j=0; j < STEP && (i+j) < hash.len; j++) {
-                fprintf(stderr," %02x", hash.data[i+j]);
-           }
-           fprintf(stderr,"\n");
-        }
-        fprintf(stderr,"  signature: %d bytes\n", signature.len);
-        for (i=0; i < signature.len; i += STEP) {
-           fprintf(stderr,"   ");
-           for (j=0; j < STEP && (i+j) < signature.len; j++) {
-                fprintf(stderr," %02x", signature.data[i+j]);
-           }
-           fprintf(stderr,"\n");
-        }
-	fprintf(stderr,"Verified : %s\n",result?"TRUE": "FALSE");
-    }
-#endif /* DEBUG_SHVERIFY */
-
-
-loser:
-    if (shName != NULL) {
-	PR_Free(shName);
-    }
-    if (checkName != NULL) {
-	PORT_Free(checkName);
-    }
-    if (checkFD != NULL) {
-	PR_Close(checkFD);
-    }
-    if (shFD != NULL) {
-	PR_Close(shFD);
-    }
-    if (hashcx != NULL) {
-	SHA1_DestroyContext(hashcx,PR_TRUE);
-    }
-    if (signature.data != NULL) {
-	PORT_Free(signature.data);
-    }
-    if (key.params.prime.data != NULL) {
-	PORT_Free(key.params.prime.data);
-    }
-    if (key.params.subPrime.data != NULL) {
-	PORT_Free(key.params.subPrime.data);
-    }
-    if (key.params.base.data != NULL) {
-	PORT_Free(key.params.base.data);
-    }
-    if (key.publicValue.data != NULL) {
-	PORT_Free(key.publicValue.data);
-    }
-
-    return result;
-}
-
-PRBool
-BLAPI_VerifySelf(const char *name)
-{
-    /* to separate shlib to verify if name is NULL */
-    if (name == NULL) {
-	return PR_TRUE;
-    }
-    return BLAPI_SHVerify(name, (PRFuncPtr) decodeInt);
-}
diff --git a/security/nss/lib/freebl/sysrand.c b/security/nss/lib/freebl/sysrand.c
deleted file mode 100644
index 3a8bf4ec8..000000000
--- a/security/nss/lib/freebl/sysrand.c
+++ /dev/null
@@ -1,49 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "seccomon.h"
-#if defined(XP_UNIX) || defined(XP_BEOS)
-#include "unix_rand.c"
-#endif
-#ifdef XP_WIN
-#include "win_rand.c"
-#endif
-#ifdef XP_MAC
-#include "mac_rand.c"
-#endif
-#ifdef XP_OS2
-#include "os2_rand.c"
-#endif
diff --git a/security/nss/lib/freebl/tlsprfalg.c b/security/nss/lib/freebl/tlsprfalg.c
deleted file mode 100644
index 05f3f0d76..000000000
--- a/security/nss/lib/freebl/tlsprfalg.c
+++ /dev/null
@@ -1,164 +0,0 @@
-/* tlsprfalg.c - TLS Pseudo Random Function (PRF) implementation
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "sechash.h"
-#include "alghmac.h"
-#include "blapi.h"
-
-#define PHASH_STATE_MAX_LEN SHA1_LENGTH
-
-/* TLS P_hash function */
-static SECStatus
-sftk_P_hash(HASH_HashType hashType, const SECItem *secret, const char *label, 
-	SECItem *seed, SECItem *result, PRBool isFIPS)
-{
-    unsigned char state[PHASH_STATE_MAX_LEN];
-    unsigned char outbuf[PHASH_STATE_MAX_LEN];
-    unsigned int state_len = 0, label_len = 0, outbuf_len = 0, chunk_size;
-    unsigned int remaining;
-    unsigned char *res;
-    SECStatus status;
-    HMACContext *cx;
-    SECStatus rv = SECFailure;
-    const SECHashObject *hashObj = HASH_GetRawHashObject(hashType);
-
-    PORT_Assert((secret != NULL) && (secret->data != NULL || !secret->len));
-    PORT_Assert((seed != NULL) && (seed->data != NULL));
-    PORT_Assert((result != NULL) && (result->data != NULL));
-
-    remaining = result->len;
-    res = result->data;
-
-    if (label != NULL)
-	label_len = PORT_Strlen(label);
-
-    cx = HMAC_Create(hashObj, secret->data, secret->len, isFIPS);
-    if (cx == NULL)
-	goto loser;
-
-    /* initialize the state = A(1) = HMAC_hash(secret, seed) */
-    HMAC_Begin(cx);
-    HMAC_Update(cx, (unsigned char *)label, label_len);
-    HMAC_Update(cx, seed->data, seed->len);
-    status = HMAC_Finish(cx, state, &state_len, sizeof(state));
-    if (status != SECSuccess)
-	goto loser;
-
-    /* generate a block at a time until we're done */
-    while (remaining > 0) {
-
-	HMAC_Begin(cx);
-	HMAC_Update(cx, state, state_len);
-	if (label_len)
-	    HMAC_Update(cx, (unsigned char *)label, label_len);
-	HMAC_Update(cx, seed->data, seed->len);
-	status = HMAC_Finish(cx, outbuf, &outbuf_len, sizeof(outbuf));
-	if (status != SECSuccess)
-	    goto loser;
-
-        /* Update the state = A(i) = HMAC_hash(secret, A(i-1)) */
-	HMAC_Begin(cx); 
-	HMAC_Update(cx, state, state_len); 
-	status = HMAC_Finish(cx, state, &state_len, sizeof(state));
-	if (status != SECSuccess)
-	    goto loser;
-
-	chunk_size = PR_MIN(outbuf_len, remaining);
-	PORT_Memcpy(res, &outbuf, chunk_size);
-	res += chunk_size;
-	remaining -= chunk_size;
-    }
-
-    rv = SECSuccess;
-
-loser:
-    /* clear out state so it's not left on the stack */
-    if (cx) 
-    	HMAC_Destroy(cx, PR_TRUE);
-    PORT_Memset(state, 0, sizeof(state));
-    PORT_Memset(outbuf, 0, sizeof(outbuf));
-    return rv;
-}
-
-SECStatus
-TLS_PRF(const SECItem *secret, const char *label, SECItem *seed, 
-         SECItem *result, PRBool isFIPS)
-{
-    SECStatus rv = SECFailure, status;
-    unsigned int i;
-    SECItem tmp = { siBuffer, NULL, 0};
-    SECItem S1;
-    SECItem S2;
-
-    PORT_Assert((secret != NULL) && (secret->data != NULL || !secret->len));
-    PORT_Assert((seed != NULL) && (seed->data != NULL));
-    PORT_Assert((result != NULL) && (result->data != NULL));
-
-    S1.type = siBuffer;
-    S1.len  = (secret->len / 2) + (secret->len & 1);
-    S1.data = secret->data;
-
-    S2.type = siBuffer;
-    S2.len  = S1.len;
-    S2.data = secret->data + (secret->len - S2.len);
-
-    tmp.data = (unsigned char*)PORT_Alloc(result->len);
-    if (tmp.data == NULL)
-	goto loser;
-    tmp.len = result->len;
-
-    status = sftk_P_hash(HASH_AlgMD5, &S1, label, seed, result, isFIPS);
-    if (status != SECSuccess)
-	goto loser;
-
-    status = sftk_P_hash(HASH_AlgSHA1, &S2, label, seed, &tmp, isFIPS);
-    if (status != SECSuccess)
-	goto loser;
-
-    for (i = 0; i < result->len; i++)
-	result->data[i] ^= tmp.data[i];
-
-    rv = SECSuccess;
-
-loser:
-    if (tmp.data != NULL)
-	PORT_ZFree(tmp.data, tmp.len);
-    return rv;
-}
-
diff --git a/security/nss/lib/freebl/unix_rand.c b/security/nss/lib/freebl/unix_rand.c
deleted file mode 100644
index f61da8b29..000000000
--- a/security/nss/lib/freebl/unix_rand.c
+++ /dev/null
@@ -1,996 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include <stdio.h>
-#include <string.h>
-#include <signal.h>
-#include <unistd.h>
-#include <errno.h>
-#include <stdlib.h>
-#include <sys/time.h>
-#include <sys/wait.h>
-#include <sys/stat.h>
-#include <assert.h>
-#include "secrng.h"
-
-size_t RNG_FileUpdate(const char *fileName, size_t limit);
-
-/*
- * When copying data to the buffer we want the least signicant bytes
- * from the input since those bits are changing the fastest. The address
- * of least significant byte depends upon whether we are running on
- * a big-endian or little-endian machine.
- *
- * Does this mean the least signicant bytes are the most significant
- * to us? :-)
- */
-    
-static size_t CopyLowBits(void *dst, size_t dstlen, void *src, size_t srclen)
-{
-    union endianness {
-	int32 i;
-	char c[4];
-    } u;
-
-    if (srclen <= dstlen) {
-	memcpy(dst, src, srclen);
-	return srclen;
-    }
-    u.i = 0x01020304;
-    if (u.c[0] == 0x01) {
-	/* big-endian case */
-	memcpy(dst, (char*)src + (srclen - dstlen), dstlen);
-    } else {
-	/* little-endian case */
-	memcpy(dst, src, dstlen);
-    }
-    return dstlen;
-}
-
-#if defined(SCO) || defined(UNIXWARE) || defined(BSDI) || defined(FREEBSD) \
-    || defined(NETBSD) || defined(NTO) || defined(DARWIN) || defined(OPENBSD)
-#include <sys/times.h>
-
-#define getdtablesize() sysconf(_SC_OPEN_MAX)
-
-static size_t
-GetHighResClock(void *buf, size_t maxbytes)
-{
-    int ticks;
-    struct tms buffer;
-
-    ticks=times(&buffer);
-    return CopyLowBits(buf, maxbytes, &ticks, sizeof(ticks));
-}
-
-static void
-GiveSystemInfo(void)
-{
-    long si;
-
-    /* 
-     * Is this really necessary?  Why not use rand48 or something?
-     */
-    si = sysconf(_SC_CHILD_MAX);
-    RNG_RandomUpdate(&si, sizeof(si));
-
-    si = sysconf(_SC_STREAM_MAX);
-    RNG_RandomUpdate(&si, sizeof(si));
-
-    si = sysconf(_SC_OPEN_MAX);
-    RNG_RandomUpdate(&si, sizeof(si));
-}
-#endif
-
-#if defined(__sun)
-#if defined(__svr4) || defined(SVR4)
-#include <sys/systeminfo.h>
-#include <sys/times.h>
-#include <wait.h>
-
-int gettimeofday(struct timeval *);
-int gethostname(char *, int);
-
-#define getdtablesize() sysconf(_SC_OPEN_MAX)
-
-static void
-GiveSystemInfo(void)
-{
-    int rv;
-    char buf[2000];
-
-    rv = sysinfo(SI_MACHINE, buf, sizeof(buf));
-    if (rv > 0) {
-	RNG_RandomUpdate(buf, rv);
-    }
-    rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
-    if (rv > 0) {
-	RNG_RandomUpdate(buf, rv);
-    }
-    rv = sysinfo(SI_HW_SERIAL, buf, sizeof(buf));
-    if (rv > 0) {
-	RNG_RandomUpdate(buf, rv);
-    }
-}
-
-static size_t
-GetHighResClock(void *buf, size_t maxbytes)
-{
-    hrtime_t t;
-    t = gethrtime();
-    if (t) {
-	return CopyLowBits(buf, maxbytes, &t, sizeof(t));
-    }
-    return 0;
-}
-#else /* SunOS (Sun, but not SVR4) */
-
-extern long sysconf(int name);
-
-static size_t
-GetHighResClock(void *buf, size_t maxbytes)
-{
-    return 0;
-}
-
-static void
-GiveSystemInfo(void)
-{
-    long si;
-
-    /* This is not very good */
-    si = sysconf(_SC_CHILD_MAX);
-    RNG_RandomUpdate(&si, sizeof(si));
-}
-#endif
-#endif /* Sun */
-
-#if defined(__hpux)
-#include <sys/unistd.h>
-
-#define getdtablesize() sysconf(_SC_OPEN_MAX)
-
-#if defined(__ia64)
-#include <ia64/sys/inline.h>
-
-static size_t
-GetHighResClock(void *buf, size_t maxbytes)
-{
-    PRUint64 t;
-
-    t = _Asm_mov_from_ar(_AREG44);
-    return CopyLowBits(buf, maxbytes, &t, sizeof(t));
-}
-#else
-static size_t
-GetHighResClock(void *buf, size_t maxbytes)
-{
-    extern int ret_cr16();
-    int cr16val;
-
-    cr16val = ret_cr16();
-    return CopyLowBits(buf, maxbytes, &cr16val, sizeof(cr16val));
-}
-#endif
-
-static void
-GiveSystemInfo(void)
-{
-    long si;
-
-    /* This is not very good */
-    si = sysconf(_AES_OS_VERSION);
-    RNG_RandomUpdate(&si, sizeof(si));
-    si = sysconf(_SC_CPU_VERSION);
-    RNG_RandomUpdate(&si, sizeof(si));
-}
-#endif /* HPUX */
-
-#if defined(OSF1)
-#include <sys/types.h>
-#include <sys/sysinfo.h>
-#include <sys/systeminfo.h>
-#include <c_asm.h>
-
-static void
-GiveSystemInfo(void)
-{
-    char buf[BUFSIZ];
-    int rv;
-    int off = 0;
-
-    rv = sysinfo(SI_MACHINE, buf, sizeof(buf));
-    if (rv > 0) {
-	RNG_RandomUpdate(buf, rv);
-    }
-    rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
-    if (rv > 0) {
-	RNG_RandomUpdate(buf, rv);
-    }
-    rv = sysinfo(SI_HW_SERIAL, buf, sizeof(buf));
-    if (rv > 0) {
-	RNG_RandomUpdate(buf, rv);
-    }
-}
-
-/*
- * Use the "get the cycle counter" instruction on the alpha.
- * The low 32 bits completely turn over in less than a minute.
- * The high 32 bits are some non-counter gunk that changes sometimes.
- */
-static size_t
-GetHighResClock(void *buf, size_t maxbytes)
-{
-    unsigned long t;
-
-    t = asm("rpcc %v0");
-    return CopyLowBits(buf, maxbytes, &t, sizeof(t));
-}
-
-#endif /* Alpha */
-
-#if defined(_IBMR2)
-static size_t
-GetHighResClock(void *buf, size_t maxbytes)
-{
-    return 0;
-}
-
-static void
-GiveSystemInfo(void)
-{
-    /* XXX haven't found any yet! */
-}
-#endif /* IBM R2 */
-
-#if defined(LINUX)
-#include <linux/kernel.h>
-
-static size_t
-GetHighResClock(void *buf, size_t maxbytes)
-{
-    return 0;
-}
-
-static void
-GiveSystemInfo(void)
-{
-    /* XXX sysinfo() does not seem be implemented anywhwere */
-#if 0
-    struct sysinfo si;
-    char hn[2000];
-    if (sysinfo(&si) == 0) {
-	RNG_RandomUpdate(&si, sizeof(si));
-    }
-#endif
-}
-#endif /* LINUX */
-
-#if defined(NCR)
-
-#include <sys/utsname.h>
-#include <sys/systeminfo.h>
-
-#define getdtablesize() sysconf(_SC_OPEN_MAX)
-
-static size_t
-GetHighResClock(void *buf, size_t maxbytes)
-{
-    return 0;
-}
-
-static void
-GiveSystemInfo(void)
-{
-    int rv;
-    char buf[2000];
-
-    rv = sysinfo(SI_MACHINE, buf, sizeof(buf));
-    if (rv > 0) {
-	RNG_RandomUpdate(buf, rv);
-    }
-    rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
-    if (rv > 0) {
-	RNG_RandomUpdate(buf, rv);
-    }
-    rv = sysinfo(SI_HW_SERIAL, buf, sizeof(buf));
-    if (rv > 0) {
-	RNG_RandomUpdate(buf, rv);
-    }
-}
-
-#endif /* NCR */
-
-
-#if defined(sgi)
-#include <fcntl.h>
-#undef PRIVATE
-#include <sys/mman.h>
-#include <sys/syssgi.h>
-#include <sys/immu.h>
-#include <sys/systeminfo.h>
-#include <sys/utsname.h>
-#include <wait.h>
-
-static void
-GiveSystemInfo(void)
-{
-    int rv;
-    char buf[4096];
-
-    rv = syssgi(SGI_SYSID, &buf[0]);
-    if (rv > 0) {
-	RNG_RandomUpdate(buf, MAXSYSIDSIZE);
-    }
-#ifdef SGI_RDUBLK
-    rv = syssgi(SGI_RDUBLK, getpid(), &buf[0], sizeof(buf));
-    if (rv > 0) {
-	RNG_RandomUpdate(buf, sizeof(buf));
-    }
-#endif /* SGI_RDUBLK */
-    rv = syssgi(SGI_INVENT, SGI_INV_READ, buf, sizeof(buf));
-    if (rv > 0) {
-	RNG_RandomUpdate(buf, sizeof(buf));
-    }
-    rv = sysinfo(SI_MACHINE, buf, sizeof(buf));
-    if (rv > 0) {
-	RNG_RandomUpdate(buf, rv);
-    }
-    rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
-    if (rv > 0) {
-	RNG_RandomUpdate(buf, rv);
-    }
-    rv = sysinfo(SI_HW_SERIAL, buf, sizeof(buf));
-    if (rv > 0) {
-	RNG_RandomUpdate(buf, rv);
-    }
-}
-
-static size_t GetHighResClock(void *buf, size_t maxbuf)
-{
-    unsigned phys_addr, raddr, cycleval;
-    static volatile unsigned *iotimer_addr = NULL;
-    static int tries = 0;
-    static int cntr_size;
-    int mfd;
-    long s0[2];
-    struct timeval tv;
-
-#ifndef SGI_CYCLECNTR_SIZE
-#define SGI_CYCLECNTR_SIZE      165     /* Size user needs to use to read CC */
-#endif
-
-    if (iotimer_addr == NULL) {
-	if (tries++ > 1) {
-	    /* Don't keep trying if it didn't work */
-	    return 0;
-	}
-
-	/*
-	** For SGI machines we can use the cycle counter, if it has one,
-	** to generate some truly random numbers
-	*/
-	phys_addr = syssgi(SGI_QUERY_CYCLECNTR, &cycleval);
-	if (phys_addr) {
-	    int pgsz = getpagesize();
-	    int pgoffmask = pgsz - 1;
-
-	    raddr = phys_addr & ~pgoffmask;
-	    mfd = open("/dev/mmem", O_RDONLY);
-	    if (mfd < 0) {
-		return 0;
-	    }
-	    iotimer_addr = (unsigned *)
-		mmap(0, pgoffmask, PROT_READ, MAP_PRIVATE, mfd, (int)raddr);
-	    if (iotimer_addr == (void*)-1) {
-		close(mfd);
-		iotimer_addr = NULL;
-		return 0;
-	    }
-	    iotimer_addr = (unsigned*)
-		((__psint_t)iotimer_addr | (phys_addr & pgoffmask));
-	    /*
-	     * The file 'mfd' is purposefully not closed.
-	     */
-	    cntr_size = syssgi(SGI_CYCLECNTR_SIZE);
-	    if (cntr_size < 0) {
-		struct utsname utsinfo;
-
-		/* 
-		 * We must be executing on a 6.0 or earlier system, since the
-		 * SGI_CYCLECNTR_SIZE call is not supported.
-		 * 
-		 * The only pre-6.1 platforms with 64-bit counters are
-		 * IP19 and IP21 (Challenge, PowerChallenge, Onyx).
-		 */
-		uname(&utsinfo);
-		if (!strncmp(utsinfo.machine, "IP19", 4) ||
-		    !strncmp(utsinfo.machine, "IP21", 4))
-			cntr_size = 64;
-		else
-			cntr_size = 32;
-	    }
-	    cntr_size /= 8;	/* Convert from bits to bytes */
-	}
-    }
-
-    s0[0] = *iotimer_addr;
-    if (cntr_size > 4)
-	s0[1] = *(iotimer_addr + 1);
-    memcpy(buf, (char *)&s0[0], cntr_size);
-    return CopyLowBits(buf, maxbuf, &s0, cntr_size);
-}
-#endif
-
-#if defined(sony)
-#include <sys/systeminfo.h>
-
-#define getdtablesize() sysconf(_SC_OPEN_MAX)
-
-static size_t
-GetHighResClock(void *buf, size_t maxbytes)
-{
-    return 0;
-}
-
-static void
-GiveSystemInfo(void)
-{
-    int rv;
-    char buf[2000];
-
-    rv = sysinfo(SI_MACHINE, buf, sizeof(buf));
-    if (rv > 0) {
-	RNG_RandomUpdate(buf, rv);
-    }
-    rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
-    if (rv > 0) {
-	RNG_RandomUpdate(buf, rv);
-    }
-    rv = sysinfo(SI_HW_SERIAL, buf, sizeof(buf));
-    if (rv > 0) {
-	RNG_RandomUpdate(buf, rv);
-    }
-}
-#endif /* sony */
-
-#if defined(sinix)
-#include <sys/systeminfo.h>
-#include <sys/times.h>
-
-int gettimeofday(struct timeval *, struct timezone *);
-int gethostname(char *, int);
-
-#define getdtablesize() sysconf(_SC_OPEN_MAX)
-
-static size_t
-GetHighResClock(void *buf, size_t maxbytes)
-{
-    int ticks;
-    struct tms buffer;
-
-    ticks=times(&buffer);
-    return CopyLowBits(buf, maxbytes, &ticks, sizeof(ticks));
-}
-
-static void
-GiveSystemInfo(void)
-{
-    int rv;
-    char buf[2000];
-
-    rv = sysinfo(SI_MACHINE, buf, sizeof(buf));
-    if (rv > 0) {
-	RNG_RandomUpdate(buf, rv);
-    }
-    rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
-    if (rv > 0) {
-	RNG_RandomUpdate(buf, rv);
-    }
-    rv = sysinfo(SI_HW_SERIAL, buf, sizeof(buf));
-    if (rv > 0) {
-	RNG_RandomUpdate(buf, rv);
-    }
-}
-#endif /* sinix */
-
-#if defined(VMS)
-#include <c_asm.h>
-
-static void
-GiveSystemInfo(void)
-{
-    long si;
- 
-    /* 
-     * This is copied from the SCO/UNIXWARE etc section. And like the comment
-     * there says, what's the point? This isn't random, it generates the same
-     * stuff every time its run!
-     */
-    si = sysconf(_SC_CHILD_MAX);
-    RNG_RandomUpdate(&si, sizeof(si));
- 
-    si = sysconf(_SC_STREAM_MAX);
-    RNG_RandomUpdate(&si, sizeof(si));
- 
-    si = sysconf(_SC_OPEN_MAX);
-    RNG_RandomUpdate(&si, sizeof(si));
-}
- 
-/*
- * Use the "get the cycle counter" instruction on the alpha.
- * The low 32 bits completely turn over in less than a minute.
- * The high 32 bits are some non-counter gunk that changes sometimes.
- */
-static size_t
-GetHighResClock(void *buf, size_t maxbytes)
-{
-    unsigned long t;
- 
-    t = asm("rpcc %v0");
-    return CopyLowBits(buf, maxbytes, &t, sizeof(t));
-}
- 
-#endif /* VMS */
-
-#ifdef BEOS
-#include <be/kernel/OS.h>
-
-static size_t
-GetHighResClock(void *buf, size_t maxbytes)
-{
-    bigtime_t bigtime; /* Actually an int64 */
-
-    bigtime = real_time_clock_usecs();
-    return CopyLowBits(buf, maxbytes, &bigtime, sizeof(bigtime));
-}
-
-static void
-GiveSystemInfo(void)
-{
-    system_info *info = NULL;
-    int32 val;                     
-    get_system_info(info);
-    if (info) {
-        val = info->boot_time;
-        RNG_RandomUpdate(&val, sizeof(val));
-        val = info->used_pages;
-        RNG_RandomUpdate(&val, sizeof(val));
-        val = info->used_ports;
-        RNG_RandomUpdate(&val, sizeof(val));
-        val = info->used_threads;
-        RNG_RandomUpdate(&val, sizeof(val));
-        val = info->used_teams;
-        RNG_RandomUpdate(&val, sizeof(val));
-    }
-}
-#endif /* BEOS */
-
-#if defined(nec_ews)
-#include <sys/systeminfo.h>
-
-#define getdtablesize() sysconf(_SC_OPEN_MAX)
-
-static size_t
-GetHighResClock(void *buf, size_t maxbytes)
-{
-    return 0;
-}
-
-static void
-GiveSystemInfo(void)
-{
-    int rv;
-    char buf[2000];
-
-    rv = sysinfo(SI_MACHINE, buf, sizeof(buf));
-    if (rv > 0) {
-	RNG_RandomUpdate(buf, rv);
-    }
-    rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
-    if (rv > 0) {
-	RNG_RandomUpdate(buf, rv);
-    }
-    rv = sysinfo(SI_HW_SERIAL, buf, sizeof(buf));
-    if (rv > 0) {
-	RNG_RandomUpdate(buf, rv);
-    }
-}
-#endif /* nec_ews */
-
-size_t RNG_GetNoise(void *buf, size_t maxbytes)
-{
-    struct timeval tv;
-    int n = 0;
-    int c;
-
-    n = GetHighResClock(buf, maxbytes);
-    maxbytes -= n;
-
-#if defined(__sun) && (defined(_svr4) || defined(SVR4)) || defined(sony)
-    (void)gettimeofday(&tv);
-#else
-    (void)gettimeofday(&tv, 0);
-#endif
-    c = CopyLowBits((char*)buf+n, maxbytes, &tv.tv_usec, sizeof(tv.tv_usec));
-    n += c;
-    maxbytes -= c;
-    c = CopyLowBits((char*)buf+n, maxbytes, &tv.tv_sec, sizeof(tv.tv_sec));
-    n += c;
-    return n;
-}
-
-#define SAFE_POPEN_MAXARGS	10	/* must be at least 2 */
-
-/*
- * safe_popen is static to this module and we know what arguments it is
- * called with. Note that this version only supports a single open child
- * process at any time.
- */
-static pid_t safe_popen_pid;
-static struct sigaction oldact;
-
-static FILE *
-safe_popen(char *cmd)
-{
-    int p[2], fd, argc;
-    pid_t pid;
-    char *argv[SAFE_POPEN_MAXARGS + 1];
-    FILE *fp;
-    static char blank[] = " \t";
-    static struct sigaction newact;
-
-    if (pipe(p) < 0)
-	return 0;
-
-    /* Setup signals so that SIGCHLD is ignored as we want to do waitpid */
-    newact.sa_handler = SIG_DFL;
-    newact.sa_flags = 0;
-    sigfillset(&newact.sa_mask);
-    sigaction (SIGCHLD, &newact, &oldact);
-
-    pid = fork();
-    switch (pid) {
-      case -1:
-	close(p[0]);
-	close(p[1]);
-	sigaction (SIGCHLD, &oldact, NULL);
-	return 0;
-
-      case 0:
-	/* dup write-side of pipe to stderr and stdout */
-	if (p[1] != 1) dup2(p[1], 1);
-	if (p[1] != 2) dup2(p[1], 2);
-	close(0);
-        {
-            int ndesc = getdtablesize();
-            for (fd = PR_MIN(65536, ndesc); --fd > 2; close(fd));
-        }
-
-	/* clean up environment in the child process */
-	putenv("PATH=/bin:/usr/bin:/sbin:/usr/sbin:/etc:/usr/etc");
-	putenv("SHELL=/bin/sh");
-	putenv("IFS= \t");
-
-	/*
-	 * The caller may have passed us a string that is in text
-	 * space. It may be illegal to modify the string
-	 */
-	cmd = strdup(cmd);
-	/* format argv */
-	argv[0] = strtok(cmd, blank);
-	argc = 1;
-	while ((argv[argc] = strtok(0, blank)) != 0) {
-	    if (++argc == SAFE_POPEN_MAXARGS) {
-		argv[argc] = 0;
-		break;
-	    }
-	}
-
-	/* and away we go */
-	execvp(argv[0], argv);
-	exit(127);
-	break;
-
-      default:
-	close(p[1]);
-	fp = fdopen(p[0], "r");
-	if (fp == 0) {
-	    close(p[0]);
-	    sigaction (SIGCHLD, &oldact, NULL);
-	    return 0;
-	}
-	break;
-    }
-
-    /* non-zero means there's a cmd running */
-    safe_popen_pid = pid;
-    return fp;
-}
-
-static int
-safe_pclose(FILE *fp)
-{
-    pid_t pid;
-    int count, status;
-
-    if ((pid = safe_popen_pid) == 0)
-	return -1;
-    safe_popen_pid = 0;
-
-    /* if the child hasn't exited, kill it -- we're done with its output */
-    count = 0;
-    while (waitpid(pid, &status, WNOHANG) == 0) {
-    	if (kill(pid, SIGKILL) < 0 && errno == ESRCH)
-	    break;
-	if (++count == 1000)
-	    break;
-    }
-
-    /* Reset SIGCHLD signal hander before returning */
-    sigaction(SIGCHLD, &oldact, NULL);
-
-    fclose(fp);
-    return status;
-}
-
-
-#if !defined(VMS)
-
-#ifdef DARWIN
-#include <crt_externs.h>
-#endif
-
-void RNG_SystemInfoForRNG(void)
-{
-    FILE *fp;
-    char buf[BUFSIZ];
-    size_t bytes;
-    const char * const *cp;
-    char *randfile;
-#ifdef DARWIN
-    char **environ = *_NSGetEnviron();
-#else
-    extern char **environ;
-#endif
-#ifdef BEOS
-    static const char * const files[] = {
-	"/boot/var/swap",
-	"/boot/var/log/syslog",
-	"/boot/var/tmp",
-	"/boot/home/config/settings",
-	"/boot/home",
-	0
-    };
-#else
-    static const char * const files[] = {
-	"/etc/passwd",
-	"/etc/utmp",
-	"/tmp",
-	"/var/tmp",
-	"/usr/tmp",
-	0
-    };
-#endif
-
-#ifdef DO_PS
-For now it is considered that it is too expensive to run the ps command
-for the small amount of entropy it provides.
-#if defined(__sun) && (!defined(__svr4) && !defined(SVR4)) || defined(bsdi) || defined(LINUX)
-    static char ps_cmd[] = "ps aux";
-#else
-    static char ps_cmd[] = "ps -el";
-#endif
-#endif /* DO_PS */
-#if defined(BSDI)
-    static char netstat_ni_cmd[] = "netstat -nis";
-#else
-    static char netstat_ni_cmd[] = "netstat -ni";
-#endif
-
-    GiveSystemInfo();
-
-    bytes = RNG_GetNoise(buf, sizeof(buf));
-    RNG_RandomUpdate(buf, bytes);
-
-    /*
-     * Pass the C environment and the addresses of the pointers to the
-     * hash function. This makes the random number function depend on the
-     * execution environment of the user and on the platform the program
-     * is running on.
-     */
-    if (environ != NULL) {
-        cp = (const char * const *) environ;
-        while (*cp) {
-	    RNG_RandomUpdate(*cp, strlen(*cp));
-	    cp++;
-        }
-        RNG_RandomUpdate(environ, (char*)cp - (char*)environ);
-    }
-
-    /* Give in system information */
-    if (gethostname(buf, sizeof(buf)) > 0) {
-	RNG_RandomUpdate(buf, strlen(buf));
-    }
-    GiveSystemInfo();
-
-    /* grab some data from system's PRNG before any other files. */
-    bytes = RNG_FileUpdate("/dev/urandom", 1024);
-
-    /* If the user points us to a random file, pass it through the rng */
-    randfile = getenv("NSRANDFILE");
-    if ( ( randfile != NULL ) && ( randfile[0] != '\0') ) {
-	RNG_FileForRNG(randfile);
-    }
-
-    /* pass other files through */
-    for (cp = files; *cp; cp++)
-	RNG_FileForRNG(*cp);
-
-/*
- * Bug 100447: On BSD/OS 4.2 and 4.3, we have problem calling safe_popen
- * in a pthreads environment.  Therefore, we call safe_popen last and on
- * BSD/OS we do not call safe_popen when we succeeded in getting data
- * from /dev/urandom.
- */
-
-#ifdef BSDI
-    if (bytes)
-        return;
-#endif
-
-#ifdef DO_PS
-    fp = safe_popen(ps_cmd);
-    if (fp != NULL) {
-	while ((bytes = fread(buf, 1, sizeof(buf), fp)) > 0)
-	    RNG_RandomUpdate(buf, bytes);
-	safe_pclose(fp);
-    }
-#endif
-    fp = safe_popen(netstat_ni_cmd);
-    if (fp != NULL) {
-	while ((bytes = fread(buf, 1, sizeof(buf), fp)) > 0)
-	    RNG_RandomUpdate(buf, bytes);
-	safe_pclose(fp);
-    }
-
-}
-#else
-void RNG_SystemInfoForRNG(void)
-{
-    FILE *fp;
-    char buf[BUFSIZ];
-    size_t bytes;
-    int extra;
-    char **cp;
-    extern char **environ;
-    char *randfile;
- 
-    GiveSystemInfo();
- 
-    bytes = RNG_GetNoise(buf, sizeof(buf));
-    RNG_RandomUpdate(buf, bytes);
- 
-    /*
-     * Pass the C environment and the addresses of the pointers to the
-     * hash function. This makes the random number function depend on the
-     * execution environment of the user and on the platform the program
-     * is running on.
-     */
-    cp = environ;
-    while (*cp) {
-	RNG_RandomUpdate(*cp, strlen(*cp));
-	cp++;
-    }
-    RNG_RandomUpdate(environ, (char*)cp - (char*)environ);
- 
-    /* Give in system information */
-    if (gethostname(buf, sizeof(buf)) > 0) {
-	RNG_RandomUpdate(buf, strlen(buf));
-    }
-    GiveSystemInfo();
- 
-    /* If the user points us to a random file, pass it through the rng */
-    randfile = getenv("NSRANDFILE");
-    if ( ( randfile != NULL ) && ( randfile[0] != '\0') ) {
-	RNG_FileForRNG(randfile);
-    }
-
-    /*
-    ** We need to generate at least 1024 bytes of seed data. Since we don't
-    ** do the file stuff for VMS, and because the environ list is so short
-    ** on VMS, we need to make sure we generate enough. So do another 1000
-    ** bytes to be sure.
-    */
-    extra = 1000;
-    while (extra > 0) {
-        cp = environ;
-        while (*cp) {
-	    int n = strlen(*cp);
-	    RNG_RandomUpdate(*cp, n);
-	    extra -= n;
-	    cp++;
-        }
-    }
-}
-#endif
-
-#define TOTAL_FILE_LIMIT 1000000	/* one million */
-
-size_t RNG_FileUpdate(const char *fileName, size_t limit)
-{
-    FILE *        file;
-    size_t        bytes;
-    size_t        fileBytes = 0;
-    struct stat   stat_buf;
-    unsigned char buffer[BUFSIZ];
-    static size_t totalFileBytes = 0;
-    
-    if (stat((char *)fileName, &stat_buf) < 0)
-	return fileBytes;
-    RNG_RandomUpdate(&stat_buf, sizeof(stat_buf));
-    
-    file = fopen((char *)fileName, "r");
-    if (file != NULL) {
-	while (limit > fileBytes) {
-	    bytes = PR_MIN(sizeof buffer, limit - fileBytes);
-	    bytes = fread(buffer, 1, bytes, file);
-	    if (bytes == 0) 
-		break;
-	    RNG_RandomUpdate(buffer, bytes);
-	    fileBytes      += bytes;
-	    totalFileBytes += bytes;
-	    /* after TOTAL_FILE_LIMIT has been reached, only read in first
-	    ** buffer of data from each subsequent file.
-	    */
-	    if (totalFileBytes > TOTAL_FILE_LIMIT) 
-		break;
-	}
-	fclose(file);
-    }
-    /*
-     * Pass yet another snapshot of our highest resolution clock into
-     * the hash function.
-     */
-    bytes = RNG_GetNoise(buffer, sizeof(buffer));
-    RNG_RandomUpdate(buffer, bytes);
-    return fileBytes;
-}
-
-void RNG_FileForRNG(const char *fileName)
-{
-    RNG_FileUpdate(fileName, TOTAL_FILE_LIMIT);
-}
diff --git a/security/nss/lib/freebl/win_rand.c b/security/nss/lib/freebl/win_rand.c
deleted file mode 100644
index 20218b967..000000000
--- a/security/nss/lib/freebl/win_rand.c
+++ /dev/null
@@ -1,548 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "secrng.h"
-#ifdef XP_WIN
-#include <windows.h>
-
-#if defined(_WIN32_WCE)
-#include <stdlib.h>	/* Win CE puts lots of stuff here. */
-#include "prprf.h"	/* for PR_snprintf */
-#else
-#include <time.h>
-#include <io.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#endif
-#include <stdio.h>
-
-#ifndef _WIN32
-#define VTD_Device_ID   5
-#define OP_OVERRIDE     _asm _emit 0x66
-#include <dos.h>
-#endif
-
-#include "prio.h"
-
-static PRInt32  filesToRead;
-static DWORD    totalFileBytes;
-static DWORD    maxFileBytes	= 250000;	/* 250 thousand */
-static DWORD    dwNumFiles, dwReadEvery;
-
-static BOOL
-CurrentClockTickTime(LPDWORD lpdwHigh, LPDWORD lpdwLow)
-{
-#ifdef _WIN32
-    LARGE_INTEGER   liCount;
-
-    if (!QueryPerformanceCounter(&liCount))
-        return FALSE;
-
-    *lpdwHigh = liCount.u.HighPart;
-    *lpdwLow = liCount.u.LowPart;
-    return TRUE;
-
-#else   /* is WIN16 */
-    BOOL    bRetVal;
-    FARPROC lpAPI;
-    WORD    w1, w2, w3, w4;
-
-    // Get direct access to the VTD and query the current clock tick time
-    _asm {
-        xor   di, di
-        mov   es, di
-        mov   ax, 1684h
-        mov   bx, VTD_Device_ID
-        int   2fh
-        mov   ax, es
-        or    ax, di
-        jz    EnumerateFailed
-
-        ; VTD API is available. First store the API address (the address actually
-        ; contains an instruction that causes a fault, the fault handler then
-        ; makes the ring transition and calls the API in the VxD)
-        mov   word ptr lpAPI, di
-        mov   word ptr lpAPI+2, es
-        mov   ax, 100h      ; API function to VTD_Get_Real_Time
-;       call  dword ptr [lpAPI]
-        call  [lpAPI]
-
-        ; Result is in EDX:EAX which we will get 16-bits at a time
-        mov   w2, dx
-        OP_OVERRIDE
-        shr   dx,10h        ; really "shr edx, 16"
-        mov   w1, dx
-
-        mov   w4, ax
-        OP_OVERRIDE
-        shr   ax,10h        ; really "shr eax, 16"
-        mov   w3, ax
-
-        mov   bRetVal, 1    ; return TRUE
-        jmp   EnumerateExit
-
-      EnumerateFailed:
-        mov   bRetVal, 0    ; return FALSE
-
-      EnumerateExit:
-    }
-
-    *lpdwHigh = MAKELONG(w2, w1);
-    *lpdwLow = MAKELONG(w4, w3);
-
-    return bRetVal;
-#endif  /* is WIN16 */
-}
-
-size_t RNG_GetNoise(void *buf, size_t maxbuf)
-{
-    DWORD   dwHigh, dwLow, dwVal;
-    int     n = 0;
-    int     nBytes;
-
-    if (maxbuf <= 0)
-        return 0;
-
-    CurrentClockTickTime(&dwHigh, &dwLow);
-
-    // get the maximally changing bits first
-    nBytes = sizeof(dwLow) > maxbuf ? maxbuf : sizeof(dwLow);
-    memcpy((char *)buf, &dwLow, nBytes);
-    n += nBytes;
-    maxbuf -= nBytes;
-
-    if (maxbuf <= 0)
-        return n;
-
-    nBytes = sizeof(dwHigh) > maxbuf ? maxbuf : sizeof(dwHigh);
-    memcpy(((char *)buf) + n, &dwHigh, nBytes);
-    n += nBytes;
-    maxbuf -= nBytes;
-
-    if (maxbuf <= 0)
-        return n;
-
-    // get the number of milliseconds that have elapsed since Windows started
-    dwVal = GetTickCount();
-
-    nBytes = sizeof(dwVal) > maxbuf ? maxbuf : sizeof(dwVal);
-    memcpy(((char *)buf) + n, &dwVal, nBytes);
-    n += nBytes;
-    maxbuf -= nBytes;
-
-    if (maxbuf <= 0)
-        return n;
-
-#if defined(_WIN32_WCE)
-    {
-    // get the number of milliseconds elapsed since Windows CE was started. 
-    DWORD  tickCount = GetTickCount();
-    nBytes = (sizeof tickCount) > maxbuf ? maxbuf : (sizeof tickCount);
-    memcpy(((char *)buf) + n, &tickCount, nBytes);
-    n += nBytes;
-    }
-#else
-    {
-    time_t  sTime;
-    // get the time in seconds since midnight Jan 1, 1970
-    time(&sTime);
-    nBytes = sizeof(sTime) > maxbuf ? maxbuf : sizeof(sTime);
-    memcpy(((char *)buf) + n, &sTime, nBytes);
-    n += nBytes;
-    }
-#endif
-
-    return n;
-}
-
-#if defined(_WIN32_WCE)
-static BOOL
-EnumSystemFilesWithNSPR(const char * dirName, 
-			BOOL recursive,
-                        PRInt32 (*func)(const char *))
-{
-    PRDir *      pDir;
-    PRDirEntry * pEntry;
-    BOOL         rv 		= FALSE;
-
-    pDir = PR_OpenDir(dirName);
-    if (!pDir)
-    	return rv;
-    while ((pEntry = PR_ReadDir(pDir, PR_SKIP_BOTH|PR_SKIP_HIDDEN)) != NULL) {
-	PRStatus    status;
-	PRInt32     count;
-	PRInt32     stop;
-	PRFileInfo  fileInfo;
-	char        szFileName[_MAX_PATH];
-
-        count = (PRInt32)PR_snprintf(szFileName, sizeof szFileName, "%s\\%s", 
-	                             dirName, PR_DirName(pEntry));
-	if (count < 1)
-	    continue;
-	status = PR_GetFileInfo(szFileName, &fileInfo);
-	if (status != PR_SUCCESS)
-	    continue;
-	if (fileInfo.type == PR_FILE_FILE) {
-	    stop = (*func)(szFileName);
-	    rv = TRUE;
-	    if (stop)
-	        break;
-	    continue;
-    	}
-	if (recursive && fileInfo.type == PR_FILE_DIRECTORY) {
-	    rv |= EnumSystemFilesWithNSPR(szFileName, recursive, func);
-	}
-    }
-    PR_CloseDir(pDir);
-    return rv;
-}
-#endif
-
-static BOOL
-EnumSystemFiles(PRInt32 (*func)(const char *))
-{
-#if defined(_WIN32_WCE)
-    BOOL rv = FALSE;
-    rv |= EnumSystemFilesWithNSPR("\\Windows\\Temporary Internet Files", TRUE, func);
-    rv |= EnumSystemFilesWithNSPR("\\Temp",    FALSE, func);
-    rv |= EnumSystemFilesWithNSPR("\\Windows", FALSE, func);
-    return rv;
-#else
-    int                 iStatus;
-    char                szSysDir[_MAX_PATH];
-    char                szFileName[_MAX_PATH];
-#ifdef _WIN32
-    struct _finddata_t  fdData;
-    long                lFindHandle;
-#else
-    struct _find_t  fdData;
-#endif
-
-    if (!GetSystemDirectory(szSysDir, sizeof(szSysDir)))
-        return FALSE;
-
-    // tack *.* on the end so we actually look for files. this will
-    // not overflow
-    strcpy(szFileName, szSysDir);
-    strcat(szFileName, "\\*.*");
-
-#ifdef _WIN32
-    lFindHandle = _findfirst(szFileName, &fdData);
-    if (lFindHandle == -1)
-        return FALSE;
-#else
-    if (_dos_findfirst(szFileName, _A_NORMAL | _A_RDONLY | _A_ARCH | _A_SUBDIR, &fdData) != 0)
-        return FALSE;
-#endif
-
-    do {
-        // pass the full pathname to the callback
-        sprintf(szFileName, "%s\\%s", szSysDir, fdData.name);
-        (*func)(szFileName);
-
-#ifdef _WIN32
-        iStatus = _findnext(lFindHandle, &fdData);
-#else
-        iStatus = _dos_findnext(&fdData);
-#endif
-    } while (iStatus == 0);
-
-#ifdef _WIN32
-    _findclose(lFindHandle);
-#endif
-
-    return TRUE;
-#endif
-}
-
-static PRInt32
-CountFiles(const char *file)
-{
-    dwNumFiles++;
-    return 0;
-}
-
-static PRInt32
-ReadFiles(const char *file)
-{
-    if ((dwNumFiles % dwReadEvery) == 0) {
-	++filesToRead;
-    }
-    if (filesToRead) {
-	DWORD    prevFileBytes = totalFileBytes;
-        RNG_FileForRNG(file);
-	if (prevFileBytes < totalFileBytes) {
-	    --filesToRead;
-	}
-    }
-    dwNumFiles++;
-    return (totalFileBytes >= maxFileBytes);
-}
-
-static void
-ReadSystemFiles()
-{
-    // first count the number of files
-    dwNumFiles = 0;
-    if (!EnumSystemFiles(CountFiles))
-        return;
-
-    RNG_RandomUpdate(&dwNumFiles, sizeof(dwNumFiles));
-
-    // now read 10 files
-    filesToRead = 10;
-    if (dwNumFiles == 0)
-        return;
-
-    dwReadEvery = dwNumFiles / 10;
-    if (dwReadEvery == 0)
-        dwReadEvery = 1;  // less than 10 files
-
-    dwNumFiles = 0;
-    EnumSystemFiles(ReadFiles);
-}
-
-void RNG_SystemInfoForRNG(void)
-{
-    DWORD           dwVal;
-    char            buffer[256];
-    int             nBytes;
-#ifdef _WIN32
-    MEMORYSTATUS    sMem;
-    HANDLE          hVal;
-#if !defined(_WIN32_WCE)
-    DWORD           dwSerialNum;
-    DWORD           dwComponentLen;
-    DWORD           dwSysFlags;
-    char            volName[128];
-    DWORD           dwSectors, dwBytes, dwFreeClusters, dwNumClusters;
-#endif
-#else
-    int             iVal;
-    HTASK           hTask;
-    WORD            wDS, wCS;
-    LPSTR           lpszEnv;
-#endif
-
-    nBytes = RNG_GetNoise(buffer, 20);  // get up to 20 bytes
-    RNG_RandomUpdate(buffer, nBytes);
-
-#ifdef _WIN32
-    sMem.dwLength = sizeof(sMem);
-    GlobalMemoryStatus(&sMem);                // assorted memory stats
-    RNG_RandomUpdate(&sMem, sizeof(sMem));
-#if !defined(_WIN32_WCE)
-    dwVal = GetLogicalDrives();
-    RNG_RandomUpdate(&dwVal, sizeof(dwVal));  // bitfields in bits 0-25
-#endif
-#else
-    dwVal = GetFreeSpace(0);
-    RNG_RandomUpdate(&dwVal, sizeof(dwVal));
-
-    _asm    mov wDS, ds;
-    _asm    mov wCS, cs;
-    RNG_RandomUpdate(&wDS, sizeof(wDS));
-    RNG_RandomUpdate(&wCS, sizeof(wCS));
-#endif
-
-#ifdef _WIN32
-#if !defined(_WIN32_WCE)
-    dwVal = sizeof(buffer);
-    if (GetComputerName(buffer, &dwVal))
-        RNG_RandomUpdate(buffer, dwVal);
-#endif
-/* XXX This is code that got yanked because of NSPR20.  We should put it
- * back someday.
- */
-#ifdef notdef
-    {
-    POINT ptVal;
-    GetCursorPos(&ptVal);
-    RNG_RandomUpdate(&ptVal, sizeof(ptVal));
-    }
-
-    dwVal = GetQueueStatus(QS_ALLINPUT);      // high and low significant
-    RNG_RandomUpdate(&dwVal, sizeof(dwVal));
-
-    {
-    HWND hWnd;
-    hWnd = GetClipboardOwner();               // 2 or 4 bytes
-    RNG_RandomUpdate((void *)&hWnd, sizeof(hWnd));
-    }
-
-    {
-    UUID sUuid;
-    UuidCreate(&sUuid);                       // this will fail on machines with no ethernet
-    RNG_RandomUpdate(&sUuid, sizeof(sUuid));  // boards. shove the bits in regardless
-    }
-#endif
-
-    hVal = GetCurrentProcess();               // 4 byte handle of current task
-    RNG_RandomUpdate(&hVal, sizeof(hVal));
-
-    dwVal = GetCurrentProcessId();            // process ID (4 bytes)
-    RNG_RandomUpdate(&dwVal, sizeof(dwVal));
-
-#if !defined(_WIN32_WCE)
-    volName[0] = '\0';
-    buffer[0] = '\0';
-    GetVolumeInformation(NULL,
-                         volName,
-                         sizeof(volName),
-                         &dwSerialNum,
-                         &dwComponentLen,
-                         &dwSysFlags,
-                         buffer,
-                         sizeof(buffer));
-
-    RNG_RandomUpdate(volName,         strlen(volName));
-    RNG_RandomUpdate(&dwSerialNum,    sizeof(dwSerialNum));
-    RNG_RandomUpdate(&dwComponentLen, sizeof(dwComponentLen));
-    RNG_RandomUpdate(&dwSysFlags,     sizeof(dwSysFlags));
-    RNG_RandomUpdate(buffer,          strlen(buffer));
-
-    if (GetDiskFreeSpace(NULL, &dwSectors, &dwBytes, &dwFreeClusters, &dwNumClusters)) {
-        RNG_RandomUpdate(&dwSectors,      sizeof(dwSectors));
-        RNG_RandomUpdate(&dwBytes,        sizeof(dwBytes));
-        RNG_RandomUpdate(&dwFreeClusters, sizeof(dwFreeClusters));
-        RNG_RandomUpdate(&dwNumClusters,  sizeof(dwNumClusters));
-    }
-#endif
-#else   /* is WIN16 */
-    hTask = GetCurrentTask();
-    RNG_RandomUpdate((void *)&hTask, sizeof(hTask));
-
-    iVal = GetNumTasks();
-    RNG_RandomUpdate(&iVal, sizeof(iVal));      // number of running tasks
-
-    lpszEnv = GetDOSEnvironment();
-    while (*lpszEnv != '\0') {
-        RNG_RandomUpdate(lpszEnv, strlen(lpszEnv));
-
-        lpszEnv += strlen(lpszEnv) + 1;
-    }
-#endif  /* is WIN16 */
-
-    // now let's do some files
-    ReadSystemFiles();
-
-    nBytes = RNG_GetNoise(buffer, 20);  // get up to 20 bytes
-    RNG_RandomUpdate(buffer, nBytes);
-}
-
-#if defined(_WIN32_WCE)
-void RNG_FileForRNG(const char *filename)
-{
-    PRFileDesc *    file;
-    int             nBytes;
-    PRFileInfo      infoBuf;
-    unsigned char   buffer[1024];
-
-    /* windows doesn't initialize all the bytes in the stat buf,
-     * so initialize them all here to avoid UMRs.
-     */
-    memset(&infoBuf, 0, sizeof infoBuf);
-
-    if (PR_GetFileInfo(filename, &infoBuf) < 0)
-        return;
-
-    RNG_RandomUpdate((unsigned char*)&infoBuf, sizeof(infoBuf));
-
-    file = PR_Open(filename, PR_RDONLY, 0);
-    if (file != NULL) {
-        for (;;) {
-            PRInt32 bytes = PR_Read(file, buffer, sizeof buffer);
-
-            if (bytes <= 0)
-                break;
-
-            RNG_RandomUpdate(buffer, bytes);
-            totalFileBytes += bytes;
-            if (totalFileBytes > maxFileBytes)
-                break;
-        }
-
-        PR_Close(file);
-    }
-
-    nBytes = RNG_GetNoise(buffer, 20);  // get up to 20 bytes
-    RNG_RandomUpdate(buffer, nBytes);
-}
-
-#else /* not WinCE */
-
-void RNG_FileForRNG(const char *filename)
-{
-    FILE*           file;
-    int             nBytes;
-    struct stat     stat_buf;
-    unsigned char   buffer[1024];
-
-   /* static DWORD    totalFileBytes = 0; */
-
-    /* windows doesn't initialize all the bytes in the stat buf,
-     * so initialize them all here to avoid UMRs.
-     */
-    memset(&stat_buf, 0, sizeof stat_buf);
-
-    if (stat((char *)filename, &stat_buf) < 0)
-        return;
-
-    RNG_RandomUpdate((unsigned char*)&stat_buf, sizeof(stat_buf));
-
-    file = fopen((char *)filename, "r");
-    if (file != NULL) {
-        for (;;) {
-            size_t  bytes = fread(buffer, 1, sizeof(buffer), file);
-
-            if (bytes == 0)
-                break;
-
-            RNG_RandomUpdate(buffer, bytes);
-            totalFileBytes += bytes;
-            if (totalFileBytes > maxFileBytes)
-                break;
-        }
-
-        fclose(file);
-    }
-
-    nBytes = RNG_GetNoise(buffer, 20);  // get up to 20 bytes
-    RNG_RandomUpdate(buffer, nBytes);
-}
-
-#endif  /* not WinCE */
-#endif  /* is XP_WIN */
diff --git a/security/nss/lib/jar/Makefile b/security/nss/lib/jar/Makefile
deleted file mode 100644
index e28a7d29f..000000000
--- a/security/nss/lib/jar/Makefile
+++ /dev/null
@@ -1,43 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-include manifest.mn
-include $(CORE_DEPTH)/coreconf/config.mk
-include config.mk
-include $(CORE_DEPTH)/coreconf/rules.mk
-
diff --git a/security/nss/lib/jar/config.mk b/security/nss/lib/jar/config.mk
deleted file mode 100644
index 665828c63..000000000
--- a/security/nss/lib/jar/config.mk
+++ /dev/null
@@ -1,47 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#
-#  Override TARGETS variable so that only static libraries
-#  are specifed as dependencies within rules.mk.
-#
-
-TARGETS        = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PROGRAM        =
-
diff --git a/security/nss/lib/jar/jar-ds.c b/security/nss/lib/jar/jar-ds.c
deleted file mode 100644
index e913902a1..000000000
--- a/security/nss/lib/jar/jar-ds.c
+++ /dev/null
@@ -1,73 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "jar.h"
-
-/* These are old DS_* routines renamed to ZZ_* */
-
-ZZList *ZZ_NewList()
-  {
-  ZZList *list;
-
-  list = (ZZList *) PORT_ZAlloc (sizeof (ZZList));
-
-  if (list)
-    ZZ_InitList (list);
-
-  return list;
-  }
-
-ZZLink *ZZ_NewLink (JAR_Item *thing)
-  {
-  ZZLink *link;
-
-  link = (ZZLink *) PORT_ZAlloc (sizeof (ZZLink));
-
-  if (link)
-    link->thing = thing;
- 
-  return link;
-  }
-
-void ZZ_DestroyLink (ZZLink *link)
-  {
-  PORT_Free (link);
-  }
-
-void ZZ_DestroyList (ZZList *list)
-  {
-  PORT_Free (list);
-  }
diff --git a/security/nss/lib/jar/jar-ds.h b/security/nss/lib/jar/jar-ds.h
deleted file mode 100644
index cfd73f69f..000000000
--- a/security/nss/lib/jar/jar-ds.h
+++ /dev/null
@@ -1,109 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef __JAR_DS_h_
-#define __JAR_DS_h_
-
-/* Typedefs */
-typedef struct ZZLinkStr ZZLink;
-typedef struct ZZListStr ZZList;
-
-/*
-** Circular linked list. Each link contains a pointer to the object that
-** is actually in the list.
-*/ 
-struct ZZLinkStr 
-{
-    ZZLink *next;
-    ZZLink *prev;
-    JAR_Item *thing;
-};
-
-struct ZZListStr 
-{
-    ZZLink link;
-};
-
-#define ZZ_InitList(lst)	     \
-{				     \
-    (lst)->link.next = &(lst)->link; \
-    (lst)->link.prev = &(lst)->link; \
-    (lst)->link.thing = 0;	     \
-}
-
-#define ZZ_ListEmpty(lst) \
-    ((lst)->link.next == &(lst)->link)
-
-#define ZZ_ListHead(lst) \
-    ((lst)->link.next)
-
-#define ZZ_ListTail(lst) \
-    ((lst)->link.prev)
-
-#define ZZ_ListIterDone(lst,lnk) \
-    ((lnk) == &(lst)->link)
-
-#define ZZ_AppendLink(lst,lnk)	    \
-{				    \
-    (lnk)->next = &(lst)->link;	    \
-    (lnk)->prev = (lst)->link.prev; \
-    (lst)->link.prev->next = (lnk); \
-    (lst)->link.prev = (lnk);	    \
-}
-
-#define ZZ_InsertLink(lst,lnk)	    \
-{				    \
-    (lnk)->next = (lst)->link.next; \
-    (lnk)->prev = &(lst)->link;	    \
-    (lst)->link.next->prev = (lnk); \
-    (lst)->link.next = (lnk);	    \
-}
-
-#define ZZ_RemoveLink(lnk)	     \
-{				     \
-    (lnk)->next->prev = (lnk)->prev; \
-    (lnk)->prev->next = (lnk)->next; \
-    (lnk)->next = 0;		     \
-    (lnk)->prev = 0;		     \
-}
-
-extern ZZLink *ZZ_NewLink (JAR_Item *thing);
-extern void ZZ_DestroyLink (ZZLink *link);
-extern ZZList *ZZ_NewList (void);
-extern void ZZ_DestroyList (ZZList *list);
-
-
-#endif /* __JAR_DS_h_ */
diff --git a/security/nss/lib/jar/jar.c b/security/nss/lib/jar/jar.c
deleted file mode 100644
index d066e0bfd..000000000
--- a/security/nss/lib/jar/jar.c
+++ /dev/null
@@ -1,834 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- *  JAR.C
- *
- *  Jarnature.
- *  Routines common to signing and validating.
- *
- */
-
-#include "jar.h"
-#include "jarint.h"
-
-static void jar_destroy_list (ZZList *list);
-
-static int jar_find_first_cert 
-    (JAR_Signer *signer, int type, JAR_Item **it);
-
-/*
- *  J A R _ n e w 
- *
- *  Create a new instantiation of a manifest representation.
- *  Use this as a token to any calls to this API.
- *
- */
-
-JAR *JAR_new (void)
-  {
-  JAR *jar;
-
-  if ((jar = (JAR*)PORT_ZAlloc (sizeof (JAR))) == NULL)
-    goto loser;
-
-  if ((jar->manifest = ZZ_NewList()) == NULL)
-    goto loser;
-
-  if ((jar->hashes = ZZ_NewList()) == NULL)
-    goto loser;
-
-  if ((jar->phy = ZZ_NewList()) == NULL)
-    goto loser;
-
-  if ((jar->metainfo = ZZ_NewList()) == NULL)
-    goto loser;
-
-  if ((jar->signers = ZZ_NewList()) == NULL)
-    goto loser;
-
-  return jar;
-
-loser:
-
-  if (jar)
-    {
-    if (jar->manifest)
-      ZZ_DestroyList (jar->manifest);
-
-    if (jar->hashes)
-      ZZ_DestroyList (jar->hashes);
-
-    if (jar->phy)
-      ZZ_DestroyList (jar->phy);
-
-    if (jar->metainfo)
-      ZZ_DestroyList (jar->metainfo);
-
-    if (jar->signers)
-      ZZ_DestroyList (jar->signers);
-
-    PORT_Free (jar);
-    }
-
-  return NULL;
-  }
-
-/* 
- *  J A R _ d e s t r o y
- *
- *  Godzilla.
- *
- */
-
-void PR_CALLBACK JAR_destroy (JAR *jar)
-  {
-  PORT_Assert( jar != NULL );
-
-  if (jar == NULL)
-    return;
-
-  if (jar->fp) JAR_FCLOSE ((PRFileDesc*)jar->fp);
-
-  if (jar->url)      PORT_Free (jar->url);
-  if (jar->filename) PORT_Free (jar->filename);
-
-  /* Free the linked list elements */
-
-  jar_destroy_list (jar->manifest);
-  ZZ_DestroyList (jar->manifest);
-
-  jar_destroy_list (jar->hashes);
-  ZZ_DestroyList (jar->hashes);
-
-  jar_destroy_list (jar->phy);
-  ZZ_DestroyList (jar->phy);
-
-  jar_destroy_list (jar->metainfo);
-  ZZ_DestroyList (jar->metainfo);
-
-  jar_destroy_list (jar->signers);
-  ZZ_DestroyList (jar->signers);
-
-  PORT_Free (jar);
-  }
-
-static void jar_destroy_list (ZZList *list)
-  {
-  ZZLink *link, *oldlink;
-
-  JAR_Item *it;
-
-  JAR_Physical *phy;
-  JAR_Digest *dig;
-  JAR_Cert *fing;
-  JAR_Metainfo *met;
-  JAR_Signer *signer;
-
-  if (list && !ZZ_ListEmpty (list))
-    {
-    link = ZZ_ListHead (list);
-
-    while (!ZZ_ListIterDone (list, link))
-      {
-      it = link->thing;
-      if (!it) goto next;
-
-      if (it->pathname) PORT_Free (it->pathname);
- 
-      switch (it->type)
-        {
-        case jarTypeMeta:
-
-          met = (JAR_Metainfo *) it->data;
-          if (met)
-            {
-            if (met->header) PORT_Free (met->header);
-            if (met->info) PORT_Free (met->info);
-            PORT_Free (met);
-            }
-          break;
-
-	case jarTypePhy:
-
-          phy = (JAR_Physical *) it->data;
-          if (phy)
-            PORT_Free (phy);
-          break;
-
-        case jarTypeSign:
-
-          fing = (JAR_Cert *) it->data;
-          if (fing)
-            {
-            if (fing->cert)
-              CERT_DestroyCertificate (fing->cert);
-            if (fing->key)
-              PORT_Free (fing->key);
-            PORT_Free (fing);
-            }
-	  break;
-
-        case jarTypeSect:
-        case jarTypeMF:
-        case jarTypeSF:
-
-          dig = (JAR_Digest *) it->data;
-          if (dig)
-            {
-            PORT_Free (dig);
-            }
-          break;
-
-        case jarTypeOwner:
-
-          signer = (JAR_Signer *) it->data;
-
-          if (signer)
-            JAR_destroy_signer (signer);
-
-          break;
-
-        default:
-
-          /* PORT_Assert( 1 != 2 ); */
-          break;
-        }
-
-      PORT_Free (it);
-
-    next:
-
-      oldlink = link;
-      link = link->next;
-
-      ZZ_DestroyLink (oldlink);
-      }
-    }
-  }
-
-/*
- *  J A R _ g e t _ m e t a i n f o
- *
- *  Retrieve meta information from the manifest file.
- *  It doesn't matter whether it's from .MF or .SF, does it?
- *
- */
-
-int JAR_get_metainfo
-    (JAR *jar, char *name, char *header, void **info, unsigned long *length)
-  {
-  JAR_Item *it;
-
-  ZZLink *link;
-  ZZList *list;
-
-  JAR_Metainfo *met;
-
-  PORT_Assert( jar != NULL && header != NULL );
-
-  if (jar == NULL || header == NULL)
-    return JAR_ERR_PNF;
-
-  list = jar->metainfo;
-
-  if (ZZ_ListEmpty (list))
-    return JAR_ERR_PNF;
-
-  for (link = ZZ_ListHead (list); 
-       !ZZ_ListIterDone (list, link); 
-       link = link->next)
-    {
-    it = link->thing;
-    if (it->type == jarTypeMeta)
-      {
-      if ((name && !it->pathname) || (!name && it->pathname))
-        continue;
-
-      if (name && it->pathname && strcmp (it->pathname, name))
-        continue;
-
-      met = (JAR_Metainfo *) it->data;
-
-      if (!PORT_Strcasecmp (met->header, header))
-        {
-        *info = PORT_Strdup (met->info);
-        *length = PORT_Strlen (met->info);
-        return 0;
-        }
-      }
-    }
-
-  return JAR_ERR_PNF;
-  }
-
-/*
- *  J A R _ f i n d
- *
- *  Establish the search pattern for use
- *  by JAR_find_next, to traverse the filenames
- *  or certificates in the JAR structure.
- *
- *  See jar.h for a description on how to use.
- *
- */
-
-JAR_Context *JAR_find (JAR *jar, char *pattern, jarType type)
-  {
-  JAR_Context *ctx;
-
-  PORT_Assert( jar != NULL );
-
-  if (!jar)
-    return NULL;
-
-  ctx = (JAR_Context *) PORT_ZAlloc (sizeof (JAR_Context));
-
-  if (ctx == NULL)
-    return NULL;
-
-  ctx->jar = jar;
-
-  if (pattern)
-    {
-    if ((ctx->pattern = PORT_Strdup (pattern)) == NULL)
-      {
-      PORT_Free (ctx);
-      return NULL;
-      }
-    }
-
-  ctx->finding = type;
-
-  switch (type)
-    {
-    case jarTypeMF:     ctx->next = ZZ_ListHead (jar->hashes);
-                        break;
-
-    case jarTypeSF:
-    case jarTypeSign:   ctx->next = NULL;
-                        ctx->nextsign = ZZ_ListHead (jar->signers);
-                        break;
-
-    case jarTypeSect:   ctx->next = ZZ_ListHead (jar->manifest);
-                        break;
-
-    case jarTypePhy:    ctx->next = ZZ_ListHead (jar->phy);
-                        break;
-
-    case jarTypeOwner:  if (jar->signers)
-                          ctx->next = ZZ_ListHead (jar->signers);
-                        else
-                          ctx->next = NULL;
-                        break;
-
-    case jarTypeMeta:   ctx->next = ZZ_ListHead (jar->metainfo);
-                        break;
-
-    default:            PORT_Assert( 1 != 2);
-                        break;
-    }
-
-  return ctx;
-  }
-
-/*
- *  J A R _ f i n d _ e n d
- *
- *  Destroy the find iterator context.
- *
- */
-
-void JAR_find_end (JAR_Context *ctx)
-  {
-  PORT_Assert( ctx != NULL );
-
-  if (ctx)
-    {
-    if (ctx->pattern) 
-      PORT_Free (ctx->pattern);
-    PORT_Free (ctx);
-    }
-  }
-
-/*
- *  J A R _ f i n d _ n e x t
- *
- *  Return the next item of the given type
- *  from one of the JAR linked lists.
- *
- */
-
-int JAR_find_next (JAR_Context *ctx, JAR_Item **it)
-  {
-  JAR *jar;
-  ZZList *list = NULL;
-
-  int finding;
-
-  JAR_Signer *signer = NULL;
-
-  PORT_Assert( ctx != NULL );
-  PORT_Assert( ctx->jar != NULL );
-
-  jar = ctx->jar;
-
-  /* Internally, convert jarTypeSign to jarTypeSF, and return
-     the actual attached certificate later */
-
-  finding = (ctx->finding == jarTypeSign) ? jarTypeSF : ctx->finding;
-
-  if (ctx->nextsign)
-    {
-      if (ZZ_ListIterDone (jar->signers, ctx->nextsign))
-       {
-       *it = NULL;
-       return -1;
-       }
-    PORT_Assert (ctx->nextsign->thing != NULL);
-    signer = (JAR_Signer*)ctx->nextsign->thing->data;
-    }
-
-
-  /* Find out which linked list to traverse. Then if
-     necessary, advance to the next linked list. */
-
-  while (1)
-    {
-    switch (finding)
-      {
-      case jarTypeSign:    /* not any more */
-                           PORT_Assert( finding != jarTypeSign );
-                           list = signer->certs;
-                           break;
-
-      case jarTypeSect:    list = jar->manifest;
-                           break;
-
-      case jarTypePhy:     list = jar->phy;
-                           break;
-
-      case jarTypeSF:      /* signer, not jar */
-                           PORT_Assert( signer != NULL );
-                           list = signer->sf;
-                           break;
-
-      case jarTypeMF:      list = jar->hashes;
-                           break;
-
-      case jarTypeOwner:   list = jar->signers;
-                           break;
-
-      case jarTypeMeta:    list = jar->metainfo;
-                           break;
-
-      default:             PORT_Assert( 1 != 2 );
-                           break;
-      }
-
-    if (list == NULL)
-      {
-      *it = NULL;
-      return -1;
-      }
-
-    /* When looping over lists of lists, advance
-       to the next signer. This is done when multiple
-       signers are possible. */
-
-    if (ZZ_ListIterDone (list, ctx->next))
-      {
-      if (ctx->nextsign && jar->signers) 
-        {
-        ctx->nextsign = ctx->nextsign->next;
-        if (!ZZ_ListIterDone (jar->signers, ctx->nextsign)) 
-          {
-          PORT_Assert (ctx->nextsign->thing != NULL);
-
-          signer = (JAR_Signer*)ctx->nextsign->thing->data;
-          PORT_Assert( signer != NULL );
-
-          ctx->next = NULL;
-          continue;
-          }
-        }
-      *it = NULL;
-      return -1;
-      }
-
-    /* if the signer changed, still need to fill
-       in the "next" link */
-
-    if (ctx->nextsign && ctx->next == NULL)
-      {
-      switch (finding)
-        {
-        case jarTypeSF:
-
-          ctx->next = ZZ_ListHead (signer->sf);
-          break;
-
-        case jarTypeSign:
-
-          ctx->next = ZZ_ListHead (signer->certs);
-          break;
-        }
-      }
-
-    PORT_Assert( ctx->next != NULL );
-
-
-    while (!ZZ_ListIterDone (list, ctx->next))
-      {
-      *it = ctx->next->thing;
-      ctx->next = ctx->next->next;
-
-      if (!it || !*it || (*it)->type != finding)
-        continue;
-
-      if (ctx->pattern && *ctx->pattern)
-        {
-        if (PORT_Strcmp ((*it)->pathname, ctx->pattern))
-          continue;
-        }
-
-      /* We have a valid match. If this is a jarTypeSign
-         return the certificate instead.. */
-
-      if (ctx->finding == jarTypeSign)
-        {
-        JAR_Item *itt;
-
-        /* just the first one for now */
-        if (jar_find_first_cert (signer, jarTypeSign, &itt) >= 0) 
-           {
-           *it = itt;
-           return 0;
-           }
-
-        continue;      
-        }
-
-      return 0;
-      }
-
-    } /* end while */
-  }
-
-static int jar_find_first_cert 
-    (JAR_Signer *signer, int type, JAR_Item **it)
-  {
-  ZZLink *link;
-  ZZList *list;
-
-  int status = JAR_ERR_PNF;
-
-  list = signer->certs;
-
-  *it = NULL;
-
-  if (ZZ_ListEmpty (list))
-    {
-    /* empty list */
-    return JAR_ERR_PNF;
-    }
-
-  for (link = ZZ_ListHead (list); 
-       !ZZ_ListIterDone (list, link); 
-       link = link->next)
-    {
-    if (link->thing->type == type)
-      {
-      *it = link->thing;
-      status = 0;
-      break;
-      }
-    }
-
-  return status;
-  }
-
-JAR_Signer *JAR_new_signer (void)
-  {
-  JAR_Signer *signer;
-
-  signer = (JAR_Signer *) PORT_ZAlloc (sizeof (JAR_Signer));
-
-  if (signer == NULL)
-    goto loser;
-
-
-  /* certs */
-  signer->certs = ZZ_NewList();
-
-  if (signer->certs == NULL)
-    goto loser;
-
-
-  /* sf */
-  signer->sf = ZZ_NewList();
-
-  if (signer->sf == NULL)
-    goto loser;
-
-
-  return signer;
-
-
-loser:
-
-  if (signer)
-    {
-    if (signer->certs) 
-      ZZ_DestroyList (signer->certs);
-
-    if (signer->sf) 
-      ZZ_DestroyList (signer->sf);
-
-    PORT_Free (signer);
-    }
-
-  return NULL;
-  }
-
-void JAR_destroy_signer (JAR_Signer *signer)
-  {
-  if (signer)
-    {
-    if (signer->owner) PORT_Free (signer->owner);
-    if (signer->digest) PORT_Free (signer->digest);
-
-    jar_destroy_list (signer->sf);
-    ZZ_DestroyList (signer->sf);
-
-    jar_destroy_list (signer->certs);
-    ZZ_DestroyList (signer->certs);
-
-    PORT_Free (signer);
-    }
-  }
-
-JAR_Signer *jar_get_signer (JAR *jar, char *basename)
-  {
-  JAR_Item *it;
-  JAR_Context *ctx;
-
-  JAR_Signer *candidate;
-  JAR_Signer *signer = NULL;
-
-  ctx = JAR_find (jar, NULL, jarTypeOwner);
-
-  if (ctx == NULL)
-    return NULL;
-
-  while (JAR_find_next (ctx, &it) >= 0)
-    {
-    candidate = (JAR_Signer *) it->data;
-    if (*basename == '*' || !PORT_Strcmp (candidate->owner, basename))
-      {
-      signer = candidate;
-      break;
-      }
-    }
-
-  JAR_find_end (ctx);
-
-  return signer;
-  }
-
-/*
- *  J A R _ g e t _ f i l e n a m e
- *
- *  Returns the filename associated with
- *  a JAR structure.
- *
- */
-
-char *JAR_get_filename (JAR *jar)
-  {
-  return jar->filename;
-  }
-
-/*
- *  J A R _ g e t _ u r l
- *
- *  Returns the URL associated with
- *  a JAR structure. Nobody really uses this now.
- *
- */
-
-char *JAR_get_url (JAR *jar)
-  {
-  return jar->url;
-  }
-
-/*
- *  J A R _ s e t _ c a l l b a c k
- *
- *  Register some manner of callback function for this jar. 
- *
- */
-
-int JAR_set_callback (int type, JAR *jar, 
-      int (*fn) (int status, JAR *jar, 
-         const char *metafile, char *pathname, char *errortext))
-  {
-  if (type == JAR_CB_SIGNAL)
-    {
-    jar->signal = fn;
-    return 0;
-    }
-  else
-    return -1;
-  }
-
-/*
- *  Callbacks
- *
- */
-
-/* To return an error string */
-char *(*jar_fn_GetString) (int) = NULL;
-
-/* To return an MWContext for Java */
-void *(*jar_fn_FindSomeContext) (void) = NULL;
-
-/* To fabricate an MWContext for FE_GetPassword */
-void *(*jar_fn_GetInitContext) (void) = NULL;
-
-void
-JAR_init_callbacks
-     ( 
-     char *(*string_cb)(int), 
-     void *(*find_cx)(void), 
-     void *(*init_cx)(void) 
-     )
-  {
-  jar_fn_GetString = string_cb;
-  jar_fn_FindSomeContext = find_cx;
-  jar_fn_GetInitContext = init_cx;
-  }
-
-/*
- *  J A R _ g e t _ e r r o r
- *
- *  This is provided to map internal JAR errors to strings for
- *  the Java console. Also, a DLL may call this function if it does
- *  not have access to the XP_GetString function.
- *
- *  These strings aren't UI, since they are Java console only.
- *
- */
-
-char *JAR_get_error (int status)
-  { 
-  char *errstring = NULL;
-
-  switch (status)
-    {
-    case JAR_ERR_GENERAL:
-      errstring = "General JAR file error";
-      break;
-
-    case JAR_ERR_FNF:
-      errstring = "JAR file not found";
-      break;
-
-    case JAR_ERR_CORRUPT:
-      errstring = "Corrupt JAR file";
-      break;
-
-    case JAR_ERR_MEMORY:
-      errstring = "Out of memory";
-      break;
-
-    case JAR_ERR_DISK:
-      errstring = "Disk error (perhaps out of space)";
-      break;
-
-    case JAR_ERR_ORDER:
-      errstring = "Inconsistent files in META-INF directory";
-      break;
-
-    case JAR_ERR_SIG:
-      errstring = "Invalid digital signature file";
-      break;
-
-    case JAR_ERR_METADATA:
-      errstring = "JAR metadata failed verification";
-      break;
-
-    case JAR_ERR_ENTRY:
-      errstring = "No Manifest entry for this JAR entry";
-      break;
-
-    case JAR_ERR_HASH:
-      errstring = "Invalid Hash of this JAR entry";
-      break;
-
-    case JAR_ERR_PK7:
-      errstring = "Strange PKCS7 or RSA failure";
-      break;
-
-    case JAR_ERR_PNF:
-      errstring = "Path not found inside JAR file";
-      break;
-
-    default:
-      if (jar_fn_GetString)
-        {
-        errstring = jar_fn_GetString (status);
-        }
-      else
-        {
-        /* this is not a normal situation, and would only be
-           called in cases of improper initialization */
-
-        char *err;
-
-        err = (char*)PORT_Alloc (40);
-        if (err)
-          PR_snprintf (err, 39,  "Error %d\n", status);
-        else
-          err = "Error! Bad! Out of memory!";
-
-        return err;
-        }
-      break;
-    }
-
-  return errstring;
-  }
diff --git a/security/nss/lib/jar/jar.h b/security/nss/lib/jar/jar.h
deleted file mode 100644
index 23b76b9cf..000000000
--- a/security/nss/lib/jar/jar.h
+++ /dev/null
@@ -1,481 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef __JAR_h_
-#define __JAR_h_
-
-/*
- *  In general, any functions that return pointers
- *  have memory owned by the caller.
- *
- */
-
-/* security includes */
-#include "cert.h"
-#include "hasht.h"
-
-/* nspr 2.0 includes */
-#include "prio.h"
-
-#ifndef ZHUGEP
-#ifdef XP_WIN16
-#define ZHUGEP __huge
-#else
-#define ZHUGEP
-#endif
-#endif
-
-#include <stdio.h>
-
-/* various types */
-
-typedef enum
-  {
-  jarTypeMF = 2,
-  jarTypeSF = 3,
-  jarTypeMeta = 6,
-  jarTypePhy = 7,
-  jarTypeSign = 10,
-  jarTypeSect = 11,
-  jarTypeOwner = 13
-  }
-jarType;
-
-/* void data in ZZList's contain JAR_Item type */
-
-typedef struct JAR_Item_
-  {
-  char *pathname;        /* relative. inside zip file */
-  jarType type;          /* various types */
-  size_t size;           /* size of data below */
-  void *data;            /* totally opaque */
-  }
-JAR_Item;
-
-
-/* hashes */
-
-typedef enum
-  {
-  jarHashNone = 0,
-  jarHashBad = 1,
-  jarHashPresent = 2
-  }
-jarHash;
-
-typedef struct JAR_Digest_
-  {
-  jarHash md5_status;
-  unsigned char md5 [MD5_LENGTH];
-  jarHash sha1_status;
-  unsigned char sha1 [SHA1_LENGTH];
-  }
-JAR_Digest;
-
-
-/* physical archive formats */
-
-typedef enum
-  {
-  jarArchGuess = 0,
-  jarArchNone = 1,
-  jarArchZip = 2,
-  jarArchTar = 3
-  }
-jarArch;
-
-
-#include "jar-ds.h"
-
-/* jar object */
-
-typedef struct JAR_
-  {
-  jarArch format;       /* physical archive format */ 
-  char *url;            /* Where it came from */
-  char *filename;       /* Disk location */
-  FILE *fp;             /* For multiple extractions */    /* JAR_FILE */
-
-  /* various linked lists */
-
-  ZZList *manifest;     /* Digests of MF sections */
-  ZZList *hashes;       /* Digests of actual signed files */
-  ZZList *phy;          /* Physical layout of JAR file */
-  ZZList *metainfo;     /* Global metainfo */
-
-  JAR_Digest *globalmeta;  /* digest of .MF global portion */
-
-  /* Below will change to a linked list to support multiple sigs */
-
-  int pkcs7;            /* Enforced opaqueness */
-  int valid;            /* PKCS7 signature validated */
-
-  ZZList *signers;      /* the above, per signer */
-
-  /* Window context, very necessary for PKCS11 now */
-
-  void *mw;             /* MWContext window context */
-
-  /* Signal callback function */
-
-  int (*signal) (int status, struct JAR_ *jar, 
-     const char *metafile, char *pathname, char *errorstring);
-  }
-JAR;
-
-
-/*
- *  Iterator
- *
- *  Context for iterative operations. Certain operations
- *  require iterating multiple linked lists because of
- *  multiple signers. "nextsign" is used for this purpose.
- *
- */
-
-typedef struct JAR_Context_
-  {
-  JAR *jar;             /* Jar we are searching */
-  char *pattern;        /* Regular expression */
-  jarType finding;      /* Type of item to find */
-  ZZLink *next;         /* Next item in find */
-  ZZLink *nextsign;     /* Next signer, sometimes */
-  }
-JAR_Context;
-
-typedef struct JAR_Signer_
-  {
-  int pkcs7;            /* Enforced opaqueness */
-  int valid;            /* PKCS7 signature validated */
-  char *owner;          /* name of .RSA file */
-  JAR_Digest *digest;   /* of .SF file */
-  ZZList *sf;           /* Linked list of .SF file contents */
-  ZZList *certs;        /* Signing information */
-  }
-JAR_Signer;
-
-
-/* Meta informaton, or "policy", from the manifest file.
-   Right now just one tuple per JAR_Item. */
-
-typedef struct JAR_Metainfo_
-  {
-  char *header;
-  char *info;
-  }
-JAR_Metainfo;
-
-/* This should not be global */
-
-typedef struct JAR_Physical_
-  {
-  unsigned char compression;
-  unsigned long offset;
-  unsigned long length;
-  unsigned long uncompressed_length;
-#if defined(XP_UNIX) || defined(XP_BEOS)
-  uint16 mode;
-#endif
-  }
-JAR_Physical;
-
-typedef struct JAR_Cert_
-  {
-  size_t length;
-  void *key;
-  CERTCertificate *cert;
-  }
-JAR_Cert;
-
-
-/* certificate stuff */
-
-typedef enum
-  {
-  jarCertCompany = 1,
-  jarCertCA = 2,
-  jarCertSerial = 3,
-  jarCertExpires = 4,
-  jarCertNickname = 5,
-  jarCertFinger = 6,
-  jarCertJavaHack = 100
-  }
-jarCert;
-
-/* callback types */
-
-#define JAR_CB_SIGNAL	1
-
-
-/* 
- *  This is the base for the JAR error codes. It will
- *  change when these are incorporated into allxpstr.c,
- *  but right now they won't let me put them there.
- *
- */
-
-#ifndef SEC_ERR_BASE
-#define SEC_ERR_BASE		(-0x2000)
-#endif
- 
-#define JAR_BASE		SEC_ERR_BASE + 300
-
-/* Jar specific error definitions */
-
-#define JAR_ERR_GENERAL         (JAR_BASE + 1)
-#define JAR_ERR_FNF		(JAR_BASE + 2)
-#define JAR_ERR_CORRUPT		(JAR_BASE + 3)
-#define JAR_ERR_MEMORY		(JAR_BASE + 4)
-#define JAR_ERR_DISK		(JAR_BASE + 5)
-#define JAR_ERR_ORDER           (JAR_BASE + 6)
-#define JAR_ERR_SIG		(JAR_BASE + 7)
-#define JAR_ERR_METADATA        (JAR_BASE + 8)
-#define JAR_ERR_ENTRY		(JAR_BASE + 9)
-#define JAR_ERR_HASH		(JAR_BASE + 10)
-#define JAR_ERR_PK7		(JAR_BASE + 11)
-#define JAR_ERR_PNF		(JAR_BASE + 12)
-
-
-/*
- *  Birth and death 
- *
- */
-
-extern JAR *JAR_new (void);
-
-extern void PR_CALLBACK JAR_destroy (JAR *jar);
-
-extern char *JAR_get_error (int status);
-
-extern int JAR_set_callback (int type, JAR *jar, 
-  int (*fn) (int status, JAR *jar, 
-  const char *metafile, char *pathname, char *errortext));
-
-extern void JAR_init_callbacks
-  ( char *(*string_cb)(int), void *(*find_cx)(void), void *(*init_cx)(void) );
-
-/*
- *  JAR_set_context
- *
- *  PKCS11 may require a password to be entered by the user
- *  before any crypto routines may be called. This will require
- *  a window context if used from inside Mozilla.
- *
- *  Call this routine with your context before calling 
- *  verifying or signing. If you have no context, call with NULL
- *  and one will be chosen for you.
- *
- */
-
-int JAR_set_context (JAR *jar, void /*MWContext*/ *mw);
-
-/*
- *  Iterative operations
- *
- *  JAR_find sets up for repeated calls with JAR_find_next.
- *  I never liked findfirst and findnext, this is nicer.
- *
- *  Pattern contains a relative pathname to match inside the
- *  archive. It is currently assumed to be "*".
- *
- *  To use:
- *
- *     JAR_Item *item;
- *     JAR_find (jar, "*.class", jarTypeMF);
- *     while (JAR_find_next (jar, &item) >= 0) 
- *       { do stuff }
- *
- */
-
-
-/* Replacement functions with an external context */
-
-extern JAR_Context *JAR_find (JAR *jar, char *pattern, jarType type);
-
-extern int JAR_find_next (JAR_Context *ctx, JAR_Item **it);
-
-extern void JAR_find_end (JAR_Context *ctx);
-
-
-/*
- *  Function to parse manifest file:
- *
- *  Many signatures may be attached to a single filename located
- *  inside the zip file. We only support one.
- *
- *  Several manifests may be included in the zip file. 
- *
- *  You must pass the MANIFEST.MF file before any .SF files.
- *
- *  Right now this returns a big ole list, privately in the jar structure.
- *  If you need to traverse it, use JAR_find if possible.
- *
- *  The path is needed to determine what type of binary signature is
- *  being passed, though it is technically not needed for manifest files.
- *
- *  When parsing an ASCII file, null terminate the ASCII raw_manifest
- *  prior to sending it, and indicate a length of 0. For binary digital
- *  signatures only, indicate the true length of the signature.
- *  (This is legacy behavior.)
- *
- *  You may free the manifest after parsing it.
- *
- */
-
-extern int JAR_parse_manifest 
-    (JAR *jar, char ZHUGEP *raw_manifest, 
-       long length, const char *path, const char *url);
-
-/*
- *  Verify data (nonstreaming). The signature is actually
- *  checked by JAR_parse_manifest or JAR_pass_archive.
- *
- */
-
-extern JAR_Digest * PR_CALLBACK JAR_calculate_digest 
-    (void ZHUGEP *data, long length);
-
-extern int PR_CALLBACK JAR_verify_digest
-    (JAR *jar, const char *name, JAR_Digest *dig);
-
-extern int JAR_digest_file (char *filename, JAR_Digest *dig);
-
-/*
- *  Get attribute from certificate:
- *
- *  Returns any special signed attribute associated with this cert
- *  or signature (passed in "data"). Attributes jarCert*. Most of the time
- *  this will return a zero terminated string.
- *
- */
-
-extern int PR_CALLBACK JAR_cert_attribute
-    (JAR *jar, jarCert attrib, long keylen, void *key, 
-       void **result, unsigned long *length);
-
-/*
- *  Meta information
- *
- *  Currently, since this call does not support passing of an owner
- *  (certificate, or physical name of the .sf file), it is restricted to
- *  returning information located in the manifest.mf file. 
- *
- *  Meta information is a name/value pair inside the archive file. Here,
- *  the name is passed in *header and value returned in **info.
- *
- *  Pass a NULL as the name to retrieve metainfo from the global section.
- *
- *  Data is returned in **info, of size *length. The return value
- *  will indicate if no data was found.
- *
- */
-
-extern int JAR_get_metainfo
-    (JAR *jar, char *name, char *header, void **info, unsigned long *length);
-
-extern char *JAR_get_filename (JAR *jar);
-
-extern char *JAR_get_url (JAR *jar);
-
-/*
- *  Return an HTML mockup of a certificate or signature.
- *
- *  Returns a zero terminated ascii string
- *  in raw HTML format.
- *
- */
-
-extern char *JAR_cert_html
-    (JAR *jar, int style, long keylen, void *key, int *result);
-
-/* save the certificate with this fingerprint in persistent
-   storage, somewhere, for retrieval in a future session when there 
-   is no corresponding JAR structure. */
-
-extern int PR_CALLBACK JAR_stash_cert
-        (JAR *jar, long keylen, void *key);
-
-/* retrieve a certificate presumably stashed with the above
-   function, but may be any certificate. Type is &CERTCertificate */
-
-void *JAR_fetch_cert (long length, void *key);
-
-/*
- *  New functions to handle archives alone
- *    (call JAR_new beforehand)
- *
- *  JAR_pass_archive acts much like parse_manifest. Certificates
- *  are returned in the JAR structure but as opaque data. When calling 
- *  JAR_verified_extract you still need to decide which of these 
- *  certificates to honor. 
- *
- *  Code to examine a JAR structure is in jarbert.c. You can obtain both 
- *  a list of filenames and certificates from traversing the linked list.
- *
- */
-
-extern int JAR_pass_archive
-    (JAR *jar, jarArch format, char *filename, const char *url);
-
-/*
- * Same thing, but don't check signatures
- */
-extern int JAR_pass_archive_unverified
-    (JAR *jar, jarArch format, char *filename, const char *url);
-
-/*
- *  Extracts a relative pathname from the archive and places it
- *  in the filename specified. 
- * 
- *  Call JAR_set_nailed if you want to keep the file descriptors
- *  open between multiple calls to JAR_verify_extract.
- *
- */
-
-extern int JAR_verified_extract
-    (JAR *jar, char *path, char *outpath);
-
-/*
- *  JAR_extract does no crypto checking. This can be used if you
- *  need to extract a manifest file or signature, etc.
- *
- */
-
-extern int JAR_extract
-    (JAR *jar, char *path, char *outpath);
-
-
-#endif /* __JAR_h_ */ 
diff --git a/security/nss/lib/jar/jarevil.c b/security/nss/lib/jar/jarevil.c
deleted file mode 100644
index 39f724200..000000000
--- a/security/nss/lib/jar/jarevil.c
+++ /dev/null
@@ -1,577 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- *  JAREVIL
- *
- *  Wrappers to callback in the mozilla thread
- *
- *  Certificate code is unsafe when called outside the
- *  mozilla thread. These functions push an event on the
- *  queue to cause the cert function to run in that thread. 
- *
- */
-
-#include "nssrenam.h"
-#include "jar.h"
-#include "jarint.h"
-
-#include "jarevil.h"
-#include "certdb.h"
-
-/* from libevent.h */
-#ifdef MOZILLA_CLIENT_OLD
-typedef void (*ETVoidPtrFunc) (void * data);
-extern void ET_moz_CallFunction (ETVoidPtrFunc fn, void *data);
-
-extern void *mozilla_event_queue;
-#endif
-
-
-/* Special macros facilitate running on Win 16 */
-#if defined(XP_WIN16)
-
-  /* 
-   * Allocate the data passed to the callback functions from the heap...
-   *
-   * This inter-thread structure cannot reside on a thread stack since the 
-   * thread's stack is swapped away with the thread under Win16...
-   */
-
- #define ALLOC_OR_DEFINE(type, pointer_var_name, out_of_memory_return_value) \
-         type * pointer_var_name = PORT_ZAlloc (sizeof(type));               \
-         do {                                                                \
-           if (!pointer_var_name)                                            \
-             return (out_of_memory_return_value);                            \
-         } while (0)   /* and now a semicolon can follow :-) */
-
- #define FREE_IF_ALLOC_IS_USED(pointer_var_name) PORT_Free(pointer_var_name)
-
-#else /* not win 16... so we can alloc via auto variables */
-
- #define ALLOC_OR_DEFINE(type, pointer_var_name, out_of_memory_return_value) \
-         type actual_structure_allocated_in_macro;                           \
-         type * pointer_var_name = &actual_structure_allocated_in_macro;     \
-         PORT_Memset (pointer_var_name, 0, sizeof (*pointer_var_name));      \
-         ((void) 0) /* and now a semicolon can follow  */
-
- #define FREE_IF_ALLOC_IS_USED(pointer_var_name) ((void) 0)
-
-#endif /* not Win 16 */
-
-/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
-
-/*
- *  JAR_MOZ_encode
- *
- *  Call SEC_PKCS7Encode inside
- *  the mozilla thread
- *
- */
-
-struct EVIL_encode
-  {
-  int error;
-  SECStatus status;
-  SEC_PKCS7ContentInfo *cinfo;
-  SEC_PKCS7EncoderOutputCallback outputfn;
-  void *outputarg;
-  PK11SymKey *bulkkey;
-  SECKEYGetPasswordKey pwfn;
-  void *pwfnarg;
-  };
-
-
-/* This is called inside the mozilla thread */
-
-PR_STATIC_CALLBACK(void) jar_moz_encode_fn (void *data)
-  {
-  SECStatus status;
-  struct EVIL_encode *encode_data = (struct EVIL_encode *)data;
-
-  PORT_SetError (encode_data->error);
-
-  status = SEC_PKCS7Encode (encode_data->cinfo, encode_data->outputfn, 
-                            encode_data->outputarg, encode_data->bulkkey, 
-                            encode_data->pwfn, encode_data->pwfnarg);
-
-  encode_data->status = status;
-  encode_data->error = PORT_GetError();
-  }
-
-
-/* Wrapper for the ET_MOZ call */
- 
-SECStatus jar_moz_encode
-      (
-      SEC_PKCS7ContentInfo *cinfo,
-      SEC_PKCS7EncoderOutputCallback  outputfn,
-      void *outputarg,
-      PK11SymKey *bulkkey,
-      SECKEYGetPasswordKey pwfn,
-      void *pwfnarg
-      )
-  {
-  SECStatus ret;
-  ALLOC_OR_DEFINE(struct EVIL_encode, encode_data, SECFailure);
-
-  encode_data->error     = PORT_GetError();
-  encode_data->cinfo     = cinfo;
-  encode_data->outputfn  = outputfn;
-  encode_data->outputarg = outputarg;
-  encode_data->bulkkey   = bulkkey;
-  encode_data->pwfn      = pwfn;
-  encode_data->pwfnarg   = pwfnarg;
-
-  /* Synchronously invoke the callback function on the mozilla thread. */
-#ifdef MOZILLA_CLIENT_OLD
-  if (mozilla_event_queue)
-    ET_moz_CallFunction (jar_moz_encode_fn, encode_data);
-  else
-    jar_moz_encode_fn (encode_data);
-#else
-  jar_moz_encode_fn (encode_data);
-#endif
-
-  PORT_SetError (encode_data->error);
-  ret = encode_data->status;
-
-  /* Free the data passed to the callback function... */
-  FREE_IF_ALLOC_IS_USED(encode_data);
-  return ret;
-  }
-
-/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
-
-/*
- *  JAR_MOZ_verify
- *
- *  Call SEC_PKCS7VerifyDetachedSignature inside
- *  the mozilla thread
- *
- */
-
-struct EVIL_verify
-  {
-  int error;
-  SECStatus status;
-  SEC_PKCS7ContentInfo *cinfo;
-  SECCertUsage certusage;
-  SECItem *detached_digest;
-  HASH_HashType digest_type;
-  PRBool keepcerts;
-  };
-
-/* This is called inside the mozilla thread */
-
-PR_STATIC_CALLBACK(void) jar_moz_verify_fn (void *data)
-  {
-	PRBool result;
-  struct EVIL_verify *verify_data = (struct EVIL_verify *)data;
-
-  PORT_SetError (verify_data->error);
-
-  result = SEC_PKCS7VerifyDetachedSignature
-        (verify_data->cinfo, verify_data->certusage, verify_data->detached_digest, 
-         verify_data->digest_type, verify_data->keepcerts);
-	
-
-  verify_data->status = result==PR_TRUE ? SECSuccess : SECFailure;
-  verify_data->error = PORT_GetError();
-  }
-
-
-/* Wrapper for the ET_MOZ call */
- 
-SECStatus jar_moz_verify
-      (
-      SEC_PKCS7ContentInfo *cinfo,
-      SECCertUsage certusage,
-      SECItem *detached_digest,
-      HASH_HashType digest_type,
-      PRBool keepcerts
-      )
-  {
-  SECStatus ret;
-  ALLOC_OR_DEFINE(struct EVIL_verify, verify_data, SECFailure);
-
-  verify_data->error           = PORT_GetError();
-  verify_data->cinfo           = cinfo;
-  verify_data->certusage       = certusage;
-  verify_data->detached_digest = detached_digest;
-  verify_data->digest_type     = digest_type;
-  verify_data->keepcerts       = keepcerts;
-
-  /* Synchronously invoke the callback function on the mozilla thread. */
-#ifdef MOZILLA_CLIENT_OLD
-  if (mozilla_event_queue)
-    ET_moz_CallFunction (jar_moz_verify_fn, verify_data);
-  else
-    jar_moz_verify_fn (verify_data);
-#else
-  jar_moz_verify_fn (verify_data);
-#endif
-
-  PORT_SetError (verify_data->error);
-  ret = verify_data->status;
-
-  /* Free the data passed to the callback function... */
-  FREE_IF_ALLOC_IS_USED(verify_data);
-  return ret;
-  }
-
-/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
-
-/*
- *  JAR_MOZ_nickname
- *
- *  Call CERT_FindCertByNickname inside
- *  the mozilla thread
- *
- */
-
-struct EVIL_nickname
-  {
-  int error;
-  CERTCertDBHandle *certdb;
-  char *nickname;
-  CERTCertificate *cert;
-  };
-
-
-/* This is called inside the mozilla thread */
-
-PR_STATIC_CALLBACK(void) jar_moz_nickname_fn (void *data)
-  {
-  CERTCertificate *cert;
-  struct EVIL_nickname *nickname_data = (struct EVIL_nickname *)data;
-
-  PORT_SetError (nickname_data->error);
-
-  cert = CERT_FindCertByNickname (nickname_data->certdb, nickname_data->nickname);
-
-  nickname_data->cert  = cert;
-  nickname_data->error = PORT_GetError();
-  }
-
-
-/* Wrapper for the ET_MOZ call */
- 
-CERTCertificate *jar_moz_nickname (CERTCertDBHandle *certdb, char *nickname)
-  {
-  CERTCertificate *cert;
-  ALLOC_OR_DEFINE(struct EVIL_nickname, nickname_data, NULL );
-
-  nickname_data->error    = PORT_GetError();
-  nickname_data->certdb   = certdb;
-  nickname_data->nickname = nickname;
-
-  /* Synchronously invoke the callback function on the mozilla thread. */
-#ifdef MOZILLA_CLIENT_OLD
-  if (mozilla_event_queue)
-    ET_moz_CallFunction (jar_moz_nickname_fn, nickname_data);
-  else
-    jar_moz_nickname_fn (nickname_data);
-#else
-  jar_moz_nickname_fn (nickname_data);
-#endif
-
-  PORT_SetError (nickname_data->error);
-  cert = nickname_data->cert;
-
-  /* Free the data passed to the callback function... */
-  FREE_IF_ALLOC_IS_USED(nickname_data);
-  return cert;
-  }
-
-/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
-
-/*
- *  JAR_MOZ_perm
- *
- *  Call CERT_AddTempCertToPerm inside
- *  the mozilla thread
- *
- */
-
-struct EVIL_perm
-  {
-  int error;
-  SECStatus status;
-  CERTCertificate *cert;
-  char *nickname;
-  CERTCertTrust *trust;
-  };
-
-
-/* This is called inside the mozilla thread */
-
-PR_STATIC_CALLBACK(void) jar_moz_perm_fn (void *data)
-  {
-  SECStatus status;
-  struct EVIL_perm *perm_data = (struct EVIL_perm *)data;
-
-  PORT_SetError (perm_data->error);
-
-  status = CERT_AddTempCertToPerm (perm_data->cert, perm_data->nickname, perm_data->trust);
-
-  perm_data->status = status;
-  perm_data->error = PORT_GetError();
-  }
-
-
-/* Wrapper for the ET_MOZ call */
- 
-SECStatus jar_moz_perm 
-    (CERTCertificate *cert, char *nickname, CERTCertTrust *trust)
-  {
-  SECStatus ret;
-  ALLOC_OR_DEFINE(struct EVIL_perm, perm_data, SECFailure);
-
-  perm_data->error    = PORT_GetError();
-  perm_data->cert     = cert;
-  perm_data->nickname = nickname;
-  perm_data->trust    = trust;
-
-  /* Synchronously invoke the callback function on the mozilla thread. */
-#ifdef MOZILLA_CLIENT_OLD
-  if (mozilla_event_queue)
-    ET_moz_CallFunction (jar_moz_perm_fn, perm_data);
-  else
-    jar_moz_perm_fn (perm_data);
-#else
-  jar_moz_perm_fn (perm_data);
-#endif
-
-  PORT_SetError (perm_data->error);
-  ret = perm_data->status;
-
-  /* Free the data passed to the callback function... */
-  FREE_IF_ALLOC_IS_USED(perm_data);
-  return ret;
-  }
-
-/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
-
-/*
- *  JAR_MOZ_certkey
- *
- *  Call CERT_FindCertByKey inside
- *  the mozilla thread
- *
- */
-
-struct EVIL_certkey
-  {
-  int error;
-  CERTCertificate *cert;
-  CERTCertDBHandle *certdb;
-  CERTIssuerAndSN *seckey;
-  };
-
-
-/* This is called inside the mozilla thread */
-
-PR_STATIC_CALLBACK(void) jar_moz_certkey_fn (void *data)
-  {
-  CERTCertificate *cert;
-  struct EVIL_certkey *certkey_data = (struct EVIL_certkey *)data;
-
-  PORT_SetError (certkey_data->error);
-
-  cert=CERT_FindCertByIssuerAndSN(certkey_data->certdb, certkey_data->seckey);
-
-  certkey_data->cert = cert;
-  certkey_data->error = PORT_GetError();
-  }
-
-
-/* Wrapper for the ET_MOZ call */
- 
-CERTCertificate *jar_moz_certkey (CERTCertDBHandle *certdb, 
-						CERTIssuerAndSN *seckey)
-  {
-  CERTCertificate *cert;
-  ALLOC_OR_DEFINE(struct EVIL_certkey, certkey_data, NULL);
-
-  certkey_data->error  = PORT_GetError();
-  certkey_data->certdb = certdb;
-  certkey_data->seckey = seckey;
-
-  /* Synchronously invoke the callback function on the mozilla thread. */
-#ifdef MOZILLA_CLIENT_OLD
-  if (mozilla_event_queue)
-    ET_moz_CallFunction (jar_moz_certkey_fn, certkey_data);
-  else
-    jar_moz_certkey_fn (certkey_data);
-#else
-  jar_moz_certkey_fn (certkey_data);
-#endif
-
-  PORT_SetError (certkey_data->error);
-  cert = certkey_data->cert;
-
-  /* Free the data passed to the callback function... */
-  FREE_IF_ALLOC_IS_USED(certkey_data);
-  return cert;
-  }
-
-/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
-
-/*
- *  JAR_MOZ_issuer
- *
- *  Call CERT_FindCertIssuer inside
- *  the mozilla thread
- *
- */
-
-struct EVIL_issuer
-  {
-  int error;
-  CERTCertificate *cert;
-  CERTCertificate *issuer;
-  };
-
-
-/* This is called inside the mozilla thread */
-
-PR_STATIC_CALLBACK(void) jar_moz_issuer_fn (void *data)
-  {
-  CERTCertificate *issuer;
-  struct EVIL_issuer *issuer_data = (struct EVIL_issuer *)data;
-
-  PORT_SetError (issuer_data->error);
-
-  issuer = CERT_FindCertIssuer (issuer_data->cert, PR_Now(),
-				certUsageObjectSigner);
-
-  issuer_data->issuer = issuer;
-  issuer_data->error = PORT_GetError();
-  }
-
-
-/* Wrapper for the ET_MOZ call */
- 
-CERTCertificate *jar_moz_issuer (CERTCertificate *cert)
-  {
-  CERTCertificate *issuer_cert;
-  ALLOC_OR_DEFINE(struct EVIL_issuer, issuer_data, NULL);
-
-  issuer_data->error = PORT_GetError();
-  issuer_data->cert  = cert;
-
-  /* Synchronously invoke the callback function on the mozilla thread. */
-#ifdef MOZILLA_CLIENT_OLD
-  if (mozilla_event_queue)
-    ET_moz_CallFunction (jar_moz_issuer_fn, issuer_data);
-  else
-    jar_moz_issuer_fn (issuer_data);
-#else
-  jar_moz_issuer_fn (issuer_data);
-#endif
-
-  PORT_SetError (issuer_data->error);
-  issuer_cert = issuer_data->issuer;
-
-  /* Free the data passed to the callback function... */
-  FREE_IF_ALLOC_IS_USED(issuer_data);
-  return issuer_cert;
-  }
-
-/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
-
-/*
- *  JAR_MOZ_dup
- *
- *  Call CERT_DupCertificate inside
- *  the mozilla thread
- *
- */
-
-struct EVIL_dup
-  {
-  int error;
-  CERTCertificate *cert;
-  CERTCertificate *return_cert;
-  };
-
-
-/* This is called inside the mozilla thread */
-
-PR_STATIC_CALLBACK(void) jar_moz_dup_fn (void *data)
-  {
-  CERTCertificate *return_cert;
-  struct EVIL_dup *dup_data = (struct EVIL_dup *)data;
-
-  PORT_SetError (dup_data->error);
-
-  return_cert = CERT_DupCertificate (dup_data->cert);
-
-  dup_data->return_cert = return_cert;
-  dup_data->error = PORT_GetError();
-  }
-
-
-/* Wrapper for the ET_MOZ call */
- 
-CERTCertificate *jar_moz_dup (CERTCertificate *cert)
-  {
-  CERTCertificate *dup_cert;
-  ALLOC_OR_DEFINE(struct EVIL_dup, dup_data, NULL);
-
-  dup_data->error = PORT_GetError();
-  dup_data->cert  = cert;
-
-  /* Synchronously invoke the callback function on the mozilla thread. */
-#ifdef MOZILLA_CLIENT_OLD
-  if (mozilla_event_queue)
-    ET_moz_CallFunction (jar_moz_dup_fn, dup_data);
-  else
-    jar_moz_dup_fn (dup_data);
-#else
-  jar_moz_dup_fn (dup_data);
-#endif
-
-  PORT_SetError (dup_data->error);
-  dup_cert = dup_data->return_cert;
-
-  /* Free the data passed to the callback function... */
-  FREE_IF_ALLOC_IS_USED(dup_data);
-  return dup_cert;
-  }
-
-/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
diff --git a/security/nss/lib/jar/jarevil.h b/security/nss/lib/jar/jarevil.h
deleted file mode 100644
index 05128b3c4..000000000
--- a/security/nss/lib/jar/jarevil.h
+++ /dev/null
@@ -1,79 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- *  jarevil.h
- *
- *  dot H file for calls to mozilla thread
- *  from within jarver.c 
- *
- */
-
-#include "certt.h"
-#include "secpkcs7.h"
-
-extern SECStatus jar_moz_encode
-      (
-      SEC_PKCS7ContentInfo *cinfo,
-      SEC_PKCS7EncoderOutputCallback  outputfn,
-      void *outputarg,
-      PK11SymKey *bulkkey,
-      SECKEYGetPasswordKey pwfn,
-      void *pwfnarg
-      );
-
-extern SECStatus jar_moz_verify
-      (
-      SEC_PKCS7ContentInfo *cinfo,
-      SECCertUsage certusage,
-      SECItem *detached_digest,
-      HASH_HashType digest_type,
-      PRBool keepcerts
-      );
-
-extern CERTCertificate *jar_moz_nickname 
-   (CERTCertDBHandle *certdb, char *nickname);
-
-extern SECStatus jar_moz_perm 
-  (CERTCertificate *cert, char *nickname, CERTCertTrust *trust);
- 
-extern CERTCertificate *jar_moz_certkey 
-  (CERTCertDBHandle *certdb, CERTIssuerAndSN *seckey);
-
-extern CERTCertificate *jar_moz_issuer (CERTCertificate *cert);
-
-extern CERTCertificate *jar_moz_dup (CERTCertificate *cert);
-
diff --git a/security/nss/lib/jar/jarfile.c b/security/nss/lib/jar/jarfile.c
deleted file mode 100644
index 598a3f38e..000000000
--- a/security/nss/lib/jar/jarfile.c
+++ /dev/null
@@ -1,1154 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- *  JARFILE
- *
- *  Parsing of a Jar file
- */
-
-#define JAR_SIZE 256
-
-#include "jar.h"
-
-#include "jarint.h"
-#include "jarfile.h"
-
-/* commercial compression */
-#include "jzlib.h"
-
-#if defined(XP_UNIX) || defined(XP_BEOS)
-#include "sys/stat.h"
-#endif
-
-#include "sechash.h"	/* for HASH_GetHashObject() */
-
-/* extracting */
-
-static int jar_guess_jar (char *filename, JAR_FILE fp);
-
-static int jar_inflate_memory 
-   (unsigned int method, long *length, long expected_out_len, char ZHUGEP **data);
-
-static int jar_physical_extraction 
-   (JAR_FILE fp, char *outpath, long offset, long length);
-
-static int jar_physical_inflate
-   (JAR_FILE fp, char *outpath, long offset, 
-         long length, unsigned int method);
-
-static int jar_verify_extract 
-   (JAR *jar, char *path, char *physical_path);
-
-static JAR_Physical *jar_get_physical (JAR *jar, char *pathname);
-
-static int jar_extract_manifests (JAR *jar, jarArch format, JAR_FILE fp);
-
-static int jar_extract_mf (JAR *jar, jarArch format, JAR_FILE fp, char *ext);
-
-
-/* indexing */
-
-static int jar_gen_index (JAR *jar, jarArch format, JAR_FILE fp);
-
-static int jar_listtar (JAR *jar, JAR_FILE fp);
-
-static int jar_listzip (JAR *jar, JAR_FILE fp);
-
-
-/* conversions */
-
-static int dosdate (char *date, char *s);
-
-static int dostime (char *time, char *s);
-
-static unsigned int xtoint (unsigned char *ii);
-
-static unsigned long xtolong (unsigned char *ll);
-
-static long atoo (char *s);
-
-/*
- *  J A R _ p a s s _ a r c h i v e
- *
- *  For use by naive clients. Slam an entire archive file
- *  into this function. We extract manifests, parse, index
- *  the archive file, and do whatever nastiness.
- *
- */
-
-int JAR_pass_archive
-    (JAR *jar, jarArch format, char *filename, const char *url)
-  {
-  JAR_FILE fp;
-  int status = 0;
-
-  if (filename == NULL)
-    return JAR_ERR_GENERAL;
-
-  if ((fp = JAR_FOPEN (filename, "rb")) != NULL)
-    {
-    if (format == jarArchGuess)
-      format = (jarArch)jar_guess_jar (filename, fp);
-
-    jar->format = format;
-    jar->url = url ? PORT_Strdup (url) : NULL;
-    jar->filename = PORT_Strdup (filename);
-
-    status = jar_gen_index (jar, format, fp);
-
-    if (status == 0)
-      status = jar_extract_manifests (jar, format, fp);
-
-    JAR_FCLOSE (fp);
-
-    if (status < 0)
-      return status;
-
-    /* people were expecting it this way */
-    return jar->valid;
-    }
-  else
-    {
-    /* file not found */
-    return JAR_ERR_FNF;
-    }
-  }
-
-/*
- *  J A R _ p a s s _ a r c h i v e _ u n v e r i f i e d
- *
- * Same as JAR_pass_archive, but doesn't parse signatures.
- *
- */
-int JAR_pass_archive_unverified
-        (JAR *jar, jarArch format, char *filename, const char *url)
-{
-        JAR_FILE fp;
-        int status = 0;
-
-        if (filename == NULL) {
-                return JAR_ERR_GENERAL;
-        }
-
-        if ((fp = JAR_FOPEN (filename, "rb")) != NULL) {
-                if (format == jarArchGuess) {
-                        format = (jarArch)jar_guess_jar (filename, fp);
-                }
-
-                jar->format = format;
-                jar->url = url ? PORT_Strdup (url) : NULL;
-                jar->filename = PORT_Strdup (filename);
-
-                status = jar_gen_index (jar, format, fp);
-
-                if (status == 0) {
-                        status = jar_extract_mf(jar, format, fp, "mf");
-                }
-
-                JAR_FCLOSE (fp);
-
-                if (status < 0) {
-                        return status;
-                }
-
-                /* people were expecting it this way */
-                return jar->valid;
-        } else {
-                /* file not found */
-                return JAR_ERR_FNF;
-        }
-}
-
-/*
- *  J A R _ v e r i f i e d _ e x t r a c t
- *
- *  Optimization: keep a file descriptor open
- *  inside the JAR structure, so we don't have to
- *  open the file 25 times to run java. 
- *
- */
-
-int JAR_verified_extract
-    (JAR *jar, char *path, char *outpath)
-  {
-  int status;
-
-  status = JAR_extract (jar, path, outpath);
-
-  if (status >= 0)
-    return jar_verify_extract (jar, path, outpath);
-  else
-    return status;
-  }
-
-int JAR_extract
-    (JAR *jar, char *path, char *outpath)
-  {
-  int result;
-
-  JAR_Physical *phy;
-
-  if (jar->fp == NULL && jar->filename)
-    {
-    jar->fp = (FILE*)JAR_FOPEN (jar->filename, "rb");
-    }
-
-  if (jar->fp == NULL)
-    {
-    /* file not found */
-    return JAR_ERR_FNF;
-    }
-
-  phy = jar_get_physical (jar, path);
-
-  if (phy)
-    {
-    if (phy->compression != 0 && phy->compression != 8)
-      {
-      /* unsupported compression method */
-      result = JAR_ERR_CORRUPT;
-      }
-
-    if (phy->compression == 0)
-      {
-      result = jar_physical_extraction 
-         ((PRFileDesc*)jar->fp, outpath, phy->offset, phy->length);
-      }
-    else
-      {
-      result = jar_physical_inflate 
-         ((PRFileDesc*)jar->fp, outpath, phy->offset, phy->length, 
-            (unsigned int) phy->compression);
-      }
-
-#if defined(XP_UNIX) || defined(XP_BEOS)
-    if (phy->mode)
-      chmod (outpath, 0400 | (mode_t) phy->mode);
-#endif
-    }
-  else
-    {
-    /* pathname not found in archive */
-    result = JAR_ERR_PNF;
-    }
-
-  return result;
-  }
-
-/* 
- *  p h y s i c a l _ e x t r a c t i o n
- *
- *  This needs to be done in chunks of say 32k, instead of
- *  in one bulk calloc. (Necessary under Win16 platform.)
- *  This is done for uncompressed entries only.
- *
- */
-
-#define CHUNK 32768
-
-static int jar_physical_extraction 
-     (JAR_FILE fp, char *outpath, long offset, long length)
-  {
-  JAR_FILE out;
-
-  char *buffer;
-  long at, chunk;
-
-  int status = 0;
-
-  buffer = (char *) PORT_ZAlloc (CHUNK);
-
-  if (buffer == NULL)
-    return JAR_ERR_MEMORY;
-
-  if ((out = JAR_FOPEN (outpath, "wb")) != NULL)
-    {
-    at = 0;
-
-    JAR_FSEEK (fp, offset, (PRSeekWhence)0);
-
-    while (at < length)
-      {
-      chunk = (at + CHUNK <= length) ? CHUNK : length - at;
-
-      if (JAR_FREAD (fp, buffer, chunk) != chunk)
-        {
-        status = JAR_ERR_DISK;
-        break;
-        }
-
-      at += chunk;
-
-      if (JAR_FWRITE (out, buffer, chunk) < chunk)
-        {
-        /* most likely a disk full error */
-        status = JAR_ERR_DISK;
-        break;
-        }
-      }
-    JAR_FCLOSE (out);
-    }
-  else
-    {
-    /* error opening output file */
-    status = JAR_ERR_DISK;
-    }
-
-  PORT_Free (buffer);
-  return status;
-  }
-
-/*
- *  j a r _ p h y s i c a l _ i n f l a t e
- *
- *  Inflate a range of bytes in a file, writing the inflated
- *  result to "outpath". Chunk based.
- *
- */
-
-/* input and output chunks differ, assume 4x compression */
-
-#define ICHUNK 8192
-#define OCHUNK 32768
-
-static int jar_physical_inflate
-     (JAR_FILE fp, char *outpath, long offset, 
-          long length, unsigned int method)
-  {
-  z_stream zs;
-
-  JAR_FILE out;
-
-  long at, chunk;
-  char *inbuf, *outbuf;
-
-  int status = 0;
-
-  unsigned long prev_total, ochunk, tin;
-
-  if ((inbuf = (char *) PORT_ZAlloc (ICHUNK)) == NULL)
-    return JAR_ERR_MEMORY;
-
-  if ((outbuf = (char *) PORT_ZAlloc (OCHUNK)) == NULL)
-    {
-    PORT_Free (inbuf);
-    return JAR_ERR_MEMORY;
-    }
-
-  PORT_Memset (&zs, 0, sizeof (zs));
-  status = inflateInit2 (&zs, -MAX_WBITS);
-
-  if (status != Z_OK)
-    return JAR_ERR_GENERAL;
-
-  if ((out = JAR_FOPEN (outpath, "wb")) != NULL)
-    {
-    at = 0;
-
-    JAR_FSEEK (fp, offset, (PRSeekWhence)0);
-
-    while (at < length)
-      {
-      chunk = (at + ICHUNK <= length) ? ICHUNK : length - at;
-
-      if (JAR_FREAD (fp, inbuf, chunk) != chunk)
-        {
-        /* incomplete read */
-        return JAR_ERR_CORRUPT;
-        }
-
-      at += chunk;
-
-      zs.next_in = (Bytef *) inbuf;
-      zs.avail_in = chunk;
-      zs.avail_out = OCHUNK;
-
-      tin = zs.total_in;
-
-      while ((zs.total_in - tin < chunk) || (zs.avail_out == 0))
-        {
-        prev_total = zs.total_out;
-
-        zs.next_out = (Bytef *) outbuf;
-        zs.avail_out = OCHUNK;
-
-        status = inflate (&zs, Z_NO_FLUSH);
-
-        if (status != Z_OK && status != Z_STREAM_END)
-          {
-          /* error during decompression */
-          return JAR_ERR_CORRUPT;
-          }
-
-	ochunk = zs.total_out - prev_total;
-
-        if (JAR_FWRITE (out, outbuf, ochunk) < ochunk)
-          {
-          /* most likely a disk full error */
-          status = JAR_ERR_DISK;
-          break;
-          }
-
-        if (status == Z_STREAM_END)
-          break;
-        }
-      }
-
-    JAR_FCLOSE (out);
-    status = inflateEnd (&zs);
-    }
-  else
-    {
-    /* error opening output file */
-    status = JAR_ERR_DISK;
-    }
-
-  PORT_Free (inbuf);
-  PORT_Free (outbuf);
-
-  return status;
-  }
-
-/*
- *  j a r _ i n f l a t e _ m e m o r y
- *
- *  Call zlib to inflate the given memory chunk. It is re-XP_ALLOC'd, 
- *  and thus appears to operate inplace to the caller.
- *
- */
-
-static int jar_inflate_memory 
-     (unsigned int method, long *length, long expected_out_len, char ZHUGEP **data)
-  {
-  int status;
-  z_stream zs;
-
-  long insz, outsz;
-
-  char *inbuf, *outbuf;
-
-  inbuf =  *data;
-  insz = *length;
-
-  outsz = expected_out_len;
-  outbuf = (char*)PORT_ZAlloc (outsz);
-
-  if (outbuf == NULL)
-    return JAR_ERR_MEMORY;
-
-  PORT_Memset (&zs, 0, sizeof (zs));
-
-  status = inflateInit2 (&zs, -MAX_WBITS);
-
-  if (status < 0)
-    {
-    /* error initializing zlib stream */
-    return JAR_ERR_GENERAL;
-    }
-
-  zs.next_in = (Bytef *) inbuf;
-  zs.next_out = (Bytef *) outbuf;
-
-  zs.avail_in = insz;
-  zs.avail_out = outsz;
-
-  status = inflate (&zs, Z_FINISH);
-
-  if (status != Z_OK && status != Z_STREAM_END)
-    {
-    /* error during deflation */
-    return JAR_ERR_GENERAL; 
-    }
-
-  status = inflateEnd (&zs);
-
-  if (status != Z_OK)
-    {
-    /* error during deflation */
-    return JAR_ERR_GENERAL;
-    }
-
-  PORT_Free (*data);
-
-  *data = outbuf;
-  *length = zs.total_out;
-
-  return 0;
-  }
-
-/*
- *  v e r i f y _ e x t r a c t
- *
- *  Validate signature on the freshly extracted file.
- *
- */
-
-static int jar_verify_extract (JAR *jar, char *path, char *physical_path)
-  {
-  int status;
-  JAR_Digest dig;
-
-  PORT_Memset (&dig, 0, sizeof (JAR_Digest));
-  status = JAR_digest_file (physical_path, &dig);
-
-  if (!status)
-    status = JAR_verify_digest (jar, path, &dig);
-
-  return status;
-  }
-
-/*
- *  g e t _ p h y s i c a l
- *
- *  Let's get physical.
- *  Obtains the offset and length of this file in the jar file.
- *
- */
-
-static JAR_Physical *jar_get_physical (JAR *jar, char *pathname)
-  {
-  JAR_Item *it;
-
-  JAR_Physical *phy;
-
-  ZZLink *link;
-  ZZList *list;
-
-  list = jar->phy;
-
-  if (ZZ_ListEmpty (list))
-    return NULL;
-
-  for (link = ZZ_ListHead (list);
-       !ZZ_ListIterDone (list, link);
-       link = link->next)
-    {
-    it = link->thing;
-    if (it->type == jarTypePhy 
-          && it->pathname && !PORT_Strcmp (it->pathname, pathname))
-      {
-      phy = (JAR_Physical *) it->data;
-      return phy;
-      }
-    }
-
-  return NULL;
-  }
-
-/*
- *  j a r _ e x t r a c t _ m a n i f e s t s
- *
- *  Extract the manifest files and parse them,
- *  from an open archive file whose contents are known.
- *
- */
-
-static int jar_extract_manifests (JAR *jar, jarArch format, JAR_FILE fp)
-  {
-  int status;
-
-  if (format != jarArchZip && format != jarArchTar)
-    return JAR_ERR_CORRUPT;
-
-  if ((status = jar_extract_mf (jar, format, fp, "mf")) < 0)
-    return status;
-
-  if ((status = jar_extract_mf (jar, format, fp, "sf")) < 0)
-    return status;
-
-  if ((status = jar_extract_mf (jar, format, fp, "rsa")) < 0)
-    return status;
-
-  if ((status = jar_extract_mf (jar, format, fp, "dsa")) < 0)
-    return status;
-
-  return 0;
-  }
-
-/*
- *  j a r _ e x t r a c t _ m f
- *
- *  Extracts manifest files based on an extension, which 
- *  should be .MF, .SF, .RSA, etc. Order of the files is now no 
- *  longer important when zipping jar files.
- *
- */
-
-static int jar_extract_mf (JAR *jar, jarArch format, JAR_FILE fp, char *ext)
-  {
-  JAR_Item *it;
-
-  JAR_Physical *phy;
-
-  ZZLink *link;
-  ZZList *list;
-
-  char *fn, *e;
-  char ZHUGEP *manifest;
-
-  long length;
-  int status, ret = 0, num;
-
-  list = jar->phy;
-
-  if (ZZ_ListEmpty (list))
-    return JAR_ERR_PNF;
-
-  for (link = ZZ_ListHead (list);
-       !ZZ_ListIterDone (list, link);
-       link = link->next)
-    {
-    it = link->thing;
-    if (it->type == jarTypePhy 
-          && !PORT_Strncmp (it->pathname, "META-INF", 8))
-      {
-      phy = (JAR_Physical *) it->data;
-
-      if (PORT_Strlen (it->pathname) < 8)
-        continue;
-
-      fn = it->pathname + 8;
-      if (*fn == '/' || *fn == '\\') fn++;
-
-      if (*fn == 0)
-        {
-        /* just a directory entry */
-        continue;
-        }
-
-      /* skip to extension */
-      for (e = fn; *e && *e != '.'; e++)
-        /* yip */ ;
-
-      /* and skip dot */
-      if (*e == '.') e++;
-
-      if (PORT_Strcasecmp (ext, e))
-        {
-        /* not the right extension */
-        continue;
-        }
-
-      if (phy->length == 0)
-        {
-        /* manifest files cannot be zero length! */
-        return JAR_ERR_CORRUPT;
-        }
-
-      /* Read in the manifest and parse it */
-      /* FIX? Does this break on win16 for very very large manifest files? */
-
-#ifdef XP_WIN16
-      PORT_Assert( phy->length+1 < 0xFFFF );
-#endif
-
-      manifest = (char ZHUGEP *) PORT_ZAlloc (phy->length + 1);
-      if (manifest)
-        {
-        JAR_FSEEK (fp, phy->offset, (PRSeekWhence)0);
-        num = JAR_FREAD (fp, manifest, phy->length);
-
-        if (num != phy->length)
-          {
-          /* corrupt archive file */
-          return JAR_ERR_CORRUPT;
-          }
-
-        if (phy->compression == 8)
-          {
-          length = phy->length;
-
-          status = jar_inflate_memory ((unsigned int) phy->compression, &length,  phy->uncompressed_length, &manifest);
-
-          if (status < 0)
-            return status;
-          }
-        else if (phy->compression)
-          {
-          /* unsupported compression method */
-          return JAR_ERR_CORRUPT;
-          }
-        else
-          length = phy->length;
-
-        status = JAR_parse_manifest 
-           (jar, manifest, length, it->pathname, "url");
-
-        PORT_Free (manifest);
-
-        if (status < 0 && ret == 0) ret = status;
-        }
-      else
-        return JAR_ERR_MEMORY;
-      }
-    else if (it->type == jarTypePhy)
-      {
-      /* ordinary file */
-      }
-    }
-
-  return ret;
-  }
-
-/*
- *  j a r _ g e n _ i n d e x
- *
- *  Generate an index for the various types of
- *  known archive files. Right now .ZIP and .TAR
- *
- */
-
-static int jar_gen_index (JAR *jar, jarArch format, JAR_FILE fp)
-  {
-  int result = JAR_ERR_CORRUPT;
-  JAR_FSEEK (fp, 0, (PRSeekWhence)0);
-
-  switch (format)
-    {
-    case jarArchZip:
-      result = jar_listzip (jar, fp);
-      break;
-
-    case jarArchTar:
-      result = jar_listtar (jar, fp);
-      break;
-
-    case jarArchGuess:
-    case jarArchNone:
-      return JAR_ERR_GENERAL;
-    }
-
-  JAR_FSEEK (fp, 0, (PRSeekWhence)0);
-  return result;
-  }
-
-
-/*
- *  j a r _ l i s t z i p
- *
- *  List the physical contents of a Phil Katz 
- *  style .ZIP file into the JAR linked list.
- *
- */
-
-static int jar_listzip (JAR *jar, JAR_FILE fp)
-  {
-  int err = 0;
-
-  long pos = 0L;
-  char filename [JAR_SIZE];
-
-  char date [9], time [9];
-  char sig [4];
-
-  unsigned int compression;
-  unsigned int filename_len, extra_len;
-
-  struct ZipLocal *Local;
-  struct ZipCentral *Central;
-  struct ZipEnd *End;
-
-  /* phy things */
-
-  ZZLink  *ent;
-  JAR_Item *it;
-  JAR_Physical *phy;
-
-  Local = (struct ZipLocal *) PORT_ZAlloc (30);
-  Central = (struct ZipCentral *) PORT_ZAlloc (46);
-  End = (struct ZipEnd *) PORT_ZAlloc (22);
-
-  if (!Local || !Central || !End)
-    {
-    /* out of memory */
-    err = JAR_ERR_MEMORY;
-    goto loser;
-    }
-
-  while (1)
-    {
-    JAR_FSEEK (fp, pos, (PRSeekWhence)0);
-
-    if (JAR_FREAD (fp, (char *) sig, 4) != 4)
-      {
-      /* zip file ends prematurely */
-      err = JAR_ERR_CORRUPT;
-      goto loser;
-      }
-
-    JAR_FSEEK (fp, pos, (PRSeekWhence)0);
-
-    if (xtolong ((unsigned char *)sig) == LSIG)
-      {
-      JAR_FREAD (fp, (char *) Local, 30);
-
-      filename_len = xtoint ((unsigned char *) Local->filename_len);
-      extra_len = xtoint ((unsigned char *) Local->extrafield_len);
-
-      if (filename_len >= JAR_SIZE)
-        {
-        /* corrupt zip file */
-        err = JAR_ERR_CORRUPT;
-        goto loser;
-        }
-
-      if (JAR_FREAD (fp, filename, filename_len) != filename_len)
-        {
-        /* truncated archive file */
-        err = JAR_ERR_CORRUPT;
-        goto loser;
-        }
-
-      filename [filename_len] = 0;
-
-      /* Add this to our jar chain */
-
-      phy = (JAR_Physical *) PORT_ZAlloc (sizeof (JAR_Physical));
-
-      if (phy == NULL)
-        {
-        err = JAR_ERR_MEMORY;
-        goto loser;
-        }
-
-      /* We will index any file that comes our way, but when it comes
-         to actually extraction, compression must be 0 or 8 */
-
-      compression = xtoint ((unsigned char *) Local->method);
-      phy->compression = compression >= 0 && 
-              compression <= 255 ? compression : 222;
-
-      phy->offset = pos + 30 + filename_len + extra_len;
-      phy->length = xtolong ((unsigned char *) Local->size);
-      phy->uncompressed_length = xtolong((unsigned char *) Local->orglen);
-
-      dosdate (date, Local->date);
-      dostime (time, Local->time);
-
-      it = (JAR_Item*)PORT_ZAlloc (sizeof (JAR_Item));
-      if (it == NULL)
-        {
-        err = JAR_ERR_MEMORY;
-        goto loser;
-        }
-
-      it->pathname = PORT_Strdup (filename);
-
-      it->type = jarTypePhy;
-
-      it->data = (unsigned char *) phy;
-      it->size = sizeof (JAR_Physical);
-
-      ent = ZZ_NewLink (it);
-
-      if (ent == NULL)
-        {
-        err = JAR_ERR_MEMORY;
-        goto loser;
-        }
-
-      ZZ_AppendLink (jar->phy, ent);
- 
-      pos = phy->offset + phy->length;
-      }
-    else if (xtolong ( (unsigned char *)sig) == CSIG)
-      {
-      if (JAR_FREAD (fp, (char *) Central, 46) != 46)
-        {
-        /* apparently truncated archive */
-        err = JAR_ERR_CORRUPT;
-        goto loser;
-        }
-
-#if defined(XP_UNIX) || defined(XP_BEOS)
-      /* with unix we need to locate any bits from 
-         the protection mask in the external attributes. */
-        {
-        unsigned int attr;
-
-        /* determined empirically */
-        attr = Central->external_attributes [2];
-
-        if (attr)
-          {
-          /* we have to read the filename, again */
-
-          filename_len = xtoint ((unsigned char *) Central->filename_len);
-
-          if (filename_len >= JAR_SIZE)
-            {
-            /* corrupt in central directory */
-            err = JAR_ERR_CORRUPT;
-            goto loser;
-            }
-
-          if (JAR_FREAD (fp, filename, filename_len) != filename_len)
-            {
-            /* truncated in central directory */
-            err = JAR_ERR_CORRUPT;
-            goto loser;
-            }
-
-          filename [filename_len] = 0;
-
-          /* look up this name again */
-          phy = jar_get_physical (jar, filename);
-
-          if (phy)
-            {
-            /* always allow access by self */
-            phy->mode = 0400 | attr;
-            }
-          }
-        }
-#endif
-
-      pos += 46 + xtoint ( (unsigned char *)Central->filename_len)
-                + xtoint ( (unsigned char *)Central->commentfield_len)
-                + xtoint ( (unsigned char *)Central->extrafield_len);
-      }
-    else if (xtolong ( (unsigned char *)sig) == ESIG)
-      {
-      if (JAR_FREAD (fp, (char *) End, 22) != 22)
-        {
-        err = JAR_ERR_CORRUPT;
-        goto loser;
-        }
-      else
-        break;
-      }
-    else
-      {
-      /* garbage in archive */
-      err = JAR_ERR_CORRUPT;
-      goto loser;
-      }
-    }
-
-loser:
-
-  if (Local) PORT_Free (Local);
-  if (Central) PORT_Free (Central);
-  if (End) PORT_Free (End);
-
-  return err;
-  }
-
-/*
- *  j a r _ l i s t t a r
- *
- *  List the physical contents of a Unix 
- *  .tar file into the JAR linked list.
- *
- */
-
-static int jar_listtar (JAR *jar, JAR_FILE fp)
-  {
-  long pos = 0L;
-
-  long sz, mode;
-  time_t when;
-  union TarEntry tarball;
-
-  char *s;
-
-  /* phy things */
-
-  JAR_Physical *phy;
-
-  while (1)
-    {
-    JAR_FSEEK (fp, pos, (PRSeekWhence)0);
-
-    if (JAR_FREAD (fp, (char *) &tarball, 512) < 512)
-      break;
-
-    if (!*tarball.val.filename)
-      break;
-
-    when = atoo (tarball.val.time);
-    sz = atoo (tarball.val.size);
-    mode = atoo (tarball.val.mode);
-
-
-    /* Tag the end of filename */
-
-    s = tarball.val.filename;
-    while (*s && *s != ' ') s++;
-    *s = 0;
-
-
-    /* Add to our linked list */
-
-    phy = (JAR_Physical *) PORT_ZAlloc (sizeof (JAR_Physical));
-
-    if (phy == NULL)
-      return JAR_ERR_MEMORY;
-
-    phy->compression = 0;
-    phy->offset = pos + 512;
-    phy->length = sz;
-
-    ADDITEM (jar->phy, jarTypePhy, 
-       tarball.val.filename, phy, sizeof (JAR_Physical));
-
-
-    /* Advance to next file entry */
-
-    sz += 511;
-    sz = (sz / 512) * 512;
-
-    pos += sz + 512;
-    }
-
-  return 0;
-  }
-
-/*
- *  d o s d a t e
- *
- *  Not used right now, but keep it in here because
- *  it will be needed. 
- *
- */
-
-static int dosdate (char *date, char *s)
-  {
-  int num = xtoint ( (unsigned char *)s);
-
-  PR_snprintf (date, 9, "%02d-%02d-%02d",
-     ((num >> 5) & 0x0F), (num & 0x1F), ((num >> 9) + 80));
-
-  return 0;
-  }
-
-/*
- *  d o s t i m e
- *
- *  Not used right now, but keep it in here because
- *  it will be needed. 
- *
- */
-
-static int dostime (char *time, char *s)
-  {
-  int num = xtoint ( (unsigned char *)s);
-
-  PR_snprintf (time, 6, "%02d:%02d",
-     ((num >> 11) & 0x1F), ((num >> 5) & 0x3F));
-
-  return 0;
-  }
-
-/*
- *  x t o i n t
- *
- *  Converts a two byte ugly endianed integer
- *  to our platform's integer.
- *
- */
-
-static unsigned int xtoint (unsigned char *ii)
-  {
-  return (int) (ii [0]) | ((int) ii [1] << 8);
-  }
-
-/*
- *  x t o l o n g
- *
- *  Converts a four byte ugly endianed integer
- *  to our platform's integer.
- *
- */
-
-static unsigned long xtolong (unsigned char *ll)
-  {
-  unsigned long ret;
-
-  ret =  (
-         (((unsigned long) ll [0]) <<  0) |
-         (((unsigned long) ll [1]) <<  8) |
-         (((unsigned long) ll [2]) << 16) |
-         (((unsigned long) ll [3]) << 24)
-         );
-
-  return ret;
-  }
-
-/*
- *  a t o o
- *
- *  Ascii octal to decimal.
- *  Used for integer encoding inside tar files.
- *
- */
-
-static long atoo (char *s)
-  {
-  long num = 0L;
-
-  while (*s == ' ') s++;
-
-  while (*s >= '0' && *s <= '7')
-    {
-    num <<= 3;
-    num += *s++ - '0';
-    }
-
-  return num;
-  }
-
-/*
- *  g u e s s _ j a r
- *
- *  Try to guess what kind of JAR file this is.
- *  Maybe tar, maybe zip. Look in the file for magic
- *  or at its filename.
- *
- */
-
-static int jar_guess_jar (char *filename, JAR_FILE fp)
-  {
-  char *ext;
-
-  ext = filename + PORT_Strlen (filename) - 4;
-
-  if (!PORT_Strcmp (ext, ".tar"))
-    return jarArchTar;
-
-  return jarArchZip;
-  }
diff --git a/security/nss/lib/jar/jarfile.h b/security/nss/lib/jar/jarfile.h
deleted file mode 100644
index ce3ed3d37..000000000
--- a/security/nss/lib/jar/jarfile.h
+++ /dev/null
@@ -1,117 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- *  JARFILE.H
- * 
- *  Certain constants and structures for the archive format.
- *
- */
-
-/* ZIP */
-
-struct ZipLocal
-  {
-  char signature [4];
-  char word [2];
-  char bitflag [2];
-  char method [2];
-  char time [2];
-  char date [2];
-  char crc32 [4];
-  char size [4];
-  char orglen [4];
-  char filename_len [2];
-  char extrafield_len [2];
-  };
-
-struct ZipCentral
-  {
-  char signature [4];
-  char version_made_by [2];
-  char version [2];
-  char bitflag [2];
-  char method [2];
-  char time [2];
-  char date [2];
-  char crc32 [4];
-  char size [4];
-  char orglen [4];
-  char filename_len [2];
-  char extrafield_len [2];
-  char commentfield_len [2];
-  char diskstart_number [2];
-  char internal_attributes [2];
-  char external_attributes [4];
-  char localhdr_offset [4];
-  };
-
-struct ZipEnd
-  {
-  char signature [4];
-  char disk_nr [2];
-  char start_central_dir [2];
-  char total_entries_disk [2];
-  char total_entries_archive [2];
-  char central_dir_size [4];
-  char offset_central_dir [4];
-  char commentfield_len [2];
-  };
-
-#define LSIG 0x04034B50l
-#define CSIG 0x02014B50l
-#define ESIG 0x06054B50l
-
-/* TAR */
-
-union TarEntry
-  {
-  struct header
-    {
-    char filename [100];
-    char mode [8];
-    char uid [8];
-    char gid [8];
-    char size [12];
-    char time [12];
-    char checksum [8];
-    char linkflag;
-    char linkname [100];
-    }
-  val;
-
-  char buffer [512];
-  };
diff --git a/security/nss/lib/jar/jarint.c b/security/nss/lib/jar/jarint.c
deleted file mode 100644
index a6245fe99..000000000
--- a/security/nss/lib/jar/jarint.c
+++ /dev/null
@@ -1,84 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Internal libjar routines.
- */
-
-#include "jar.h"
-#include "jarint.h"
-
-/*-----------------------------------------------------------------------
- * JAR_FOPEN_to_PR_Open
- * Translate JAR_FOPEN arguments to PR_Open arguments
- */
-PRFileDesc*
-JAR_FOPEN_to_PR_Open(const char* name, const char *mode)
-{
-
-	PRIntn	prflags=0, prmode=0;
-
-	/* Get read/write flags */
-	if(strchr(mode, 'r') && !strchr(mode, '+')) {
-		prflags |= PR_RDONLY;
-	} else if( (strchr(mode, 'w') || strchr(mode, 'a')) &&
-			!strchr(mode,'+') ) {
-		prflags |= PR_WRONLY;
-	} else {
-		prflags |= PR_RDWR;
-	}
-
-	/* Create a new file? */
-	if(strchr(mode, 'w') || strchr(mode, 'a')) {
-		prflags |= PR_CREATE_FILE;
-	}
-
-	/* Append? */
-	if(strchr(mode, 'a')) {
-		prflags |= PR_APPEND;
-	}
-
-	/* Truncate? */
-	if(strchr(mode, 'w')) {
-		prflags |= PR_TRUNCATE;
-	}
-
-	/* We can't do umask because it isn't XP.  Choose some default
-	   mode for created files */
-	prmode = 0755;
-
-	return PR_Open(name, prflags, prmode);
-}
diff --git a/security/nss/lib/jar/jarint.h b/security/nss/lib/jar/jarint.h
deleted file mode 100644
index ee4310f05..000000000
--- a/security/nss/lib/jar/jarint.h
+++ /dev/null
@@ -1,119 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/* JAR internal routines */
-
-#include "nspr.h"
-
-/* definitely required */
-/*#include "certdb.h" */
-#include "key.h"
-#include "base64.h"
-
-extern CERTCertDBHandle *JAR_open_database (void);
-
-extern int JAR_close_database (CERTCertDBHandle *certdb);
-
-extern int jar_close_key_database (void *keydb);
-
-extern void *jar_open_key_database (void);
-
-extern JAR_Signer *JAR_new_signer (void);
-
-extern void JAR_destroy_signer (JAR_Signer *signer);
-
-extern JAR_Signer *jar_get_signer (JAR *jar, char *basename);
-
-extern int jar_append (ZZList *list, int type,
-   char *pathname, void *data, size_t size);
-
-/* Translate fopen mode arg to PR_Open flags and mode */
-PRFileDesc*
-JAR_FOPEN_to_PR_Open(const char *name, const char *mode);
-
-
-#define ADDITEM(list,type,pathname,data,size) \
-  { int err; err = jar_append (list, type, pathname, data, size); \
-    if (err < 0) return err; }
-
-/* Here is some ugliness in the event it is necessary to link
-   with NSPR 1.0 libraries, which do not include an FSEEK. It is 
-   difficult to fudge an FSEEK into 1.0 so we use stdio. */
-
-/* stdio */
-#if 0
-#define JAR_FILE FILE *
-#define JAR_FOPEN(fn,mode) fopen(fn,mode)
-#define JAR_FCLOSE fclose
-#define JAR_FSEEK fseek
-#define JAR_FREAD(fp,buf,siz) fread(buf,1,siz,fp)
-#define JAR_FWRITE(fp,buf,siz) fwrite(buf,1,siz,fp) 
-#endif
-
-#if 0
-/* nspr 1.0 suite */
-#define JAR_FILE PRFileHandle
-#define JAR_FOPEN(fn,mode) PR_OpenFile(fn,0,mode)
-#define JAR_FCLOSE PR_CLOSE
-#define JAR_FSEEK (no-equivalent)
-#define JAR_FREAD PR_READ
-#define JAR_FWRITE PR_WRITE
-#endif
-
-/* nspr 2.0 suite */
-#define JAR_FILE PRFileDesc *
-/* #define JAR_FOPEN(fn,mode) PR_Open(fn,0,0) */
-#define JAR_FOPEN(fn,mode) JAR_FOPEN_to_PR_Open(fn,mode)
-#define JAR_FCLOSE PR_Close
-#define JAR_FSEEK PR_Seek
-#define JAR_FREAD PR_Read
-#define JAR_FWRITE PR_Write
-
-#if 0
-/* nav XP suite, note argument order */
-#define JAR_FILE XP_File
-#define JAR_FOPEN(fn,mode) XP_FileOpen(fn,xpURL,mode)
-#define JAR_FCLOSE XP_FileClose
-#define JAR_FSEEK XP_FileSeek
-#define JAR_FREAD(fp,buf,siz) XP_FileRead(buf,siz,fp)
-#define JAR_FWRITE(fp,buf,siz) XP_FileWrite(buf,siz,fp)
-#endif
-
-int jar_create_pk7
-   (CERTCertDBHandle *certdb, void *keydb,
-       CERTCertificate *cert, char *password, JAR_FILE infp, 
-       JAR_FILE outfp);
-
diff --git a/security/nss/lib/jar/jarjart.c b/security/nss/lib/jar/jarjart.c
deleted file mode 100644
index 57641eea0..000000000
--- a/security/nss/lib/jar/jarjart.c
+++ /dev/null
@@ -1,360 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- *  JARJART
- *
- *  JAR functions used by Jartool
- */
-
-/* This allows manifest files above 64k to be
-   processed on non-win16 platforms */
-
-#include "jar.h"
-#include "jarint.h"
-#include "jarjart.h"
-#include "blapi.h"	/* JAR is supposed to be above the line!! */
-#include "pk11func.h"	/* PK11 wrapper funcs are all above the line. */
-#include "certdb.h"
-
-/* from certdb.h */
-#define CERTDB_USER (1<<6)
-
-/*
- *  S O B _ l i s t _ c e r t s
- *
- *  Return a list of newline separated certificate nicknames
- *  (this function used by the Jartool)
- * 
- */
-
-static SECStatus jar_list_cert_callback 
-     (CERTCertificate *cert, SECItem *k, void *data)
-  {
-  char *name;
-  char **ugly_list;
-
-  int trusted;
-
-  ugly_list = (char **) data;
-
-  if (cert)
-    {
-    name = cert->nickname;
-
-    trusted = cert->trust->objectSigningFlags & CERTDB_USER;
-
-    /* Add this name or email to list */
-
-    if (name && trusted)
-      {
-      *ugly_list = (char*)PORT_Realloc
-           (*ugly_list, PORT_Strlen (*ugly_list) + PORT_Strlen (name) + 2);
-
-      if (*ugly_list)
-        {
-        if (**ugly_list)
-          PORT_Strcat (*ugly_list, "\n");
-
-        PORT_Strcat (*ugly_list, name);
-        }
-      }
-    }
-
-  return (SECSuccess);
-  }
-
-/*
- *  S O B _ J A R _ l i s t _ c e r t s
- *
- *  Return a linfeed separated ascii list of certificate
- *  nicknames for the Jartool.
- *
- */
-
-char *JAR_JAR_list_certs (void)
-  {
-  SECStatus status = SECFailure;
-  CERTCertDBHandle *certdb;
-  CERTCertList *certs;
-  CERTCertListNode *node;
-
-  char *ugly_list;
-
-  certdb = JAR_open_database();
-
-  /* a little something */
-  ugly_list = (char*)PORT_ZAlloc (16);
-
-  if (ugly_list)
-    {
-    *ugly_list = 0;
-
-    certs = PK11_ListCerts(PK11CertListUnique, NULL/* pwarg*/);
-    if (certs)
-      {
-	for (node = CERT_LIST_HEAD(certs); !CERT_LIST_END(node,certs);
-				node = CERT_LIST_NEXT(node))
-           {
-	    jar_list_cert_callback(node->cert, NULL, (void *)&ugly_list);
-	   }
-	CERT_DestroyCertList(certs);
-	status = SECSuccess;
-       }
-    }
-
-  JAR_close_database (certdb);
-
-  return (status != SECSuccess) ? NULL : ugly_list;
-  }
-
-int JAR_JAR_validate_archive (char *filename)
-  {
-  JAR *jar;
-  int status = -1;
-
-  jar = JAR_new();
-
-  if (jar)
-    {
-    status = JAR_pass_archive (jar, jarArchGuess, filename, "");
-
-    if (status == 0)
-      status = jar->valid;
-
-    JAR_destroy (jar);
-    }
-
-  return status;
-  }
-
-char *JAR_JAR_get_error (int status)
-  {
-  return JAR_get_error (status);
-  }
-
-/*
- *  S O B _ J A R _  h a s h
- *
- *  Hash algorithm interface for use by the Jartool. Since we really
- *  don't know the private sizes of the context, and Java does need to
- *  know this number, allocate 512 bytes for it.
- *
- *  In april 1997 hashes in this file were changed to call PKCS11,
- *  as FIPS requires that when a smartcard has failed validation, 
- *  hashes are not to be performed. But because of the difficulty of
- *  preserving pointer context between calls to the JAR_JAR hashing
- *  functions, the hash routines are called directly, though after
- *  checking to see if hashing is allowed.
- *
- */
-
-void *JAR_JAR_new_hash (int alg)
-  {
-  void *context;
-
-  MD5Context *md5;
-  SHA1Context *sha1;
-
-  /* this is a hack because this whole PORT_ZAlloc stuff looks scary */
-
-  if (!PK11_HashOK (alg == 1 ? SEC_OID_MD5 : SEC_OID_SHA1))
-    return NULL;
-
-  context = PORT_ZAlloc (512);
-
-  if (context)
-    {
-    switch (alg)
-      {
-      case 1:  /* MD5 */
-               md5 = (MD5Context *) context;
-               MD5_Begin (md5);
-               break;
-
-      case 2:  /* SHA1 */
-               sha1 = (SHA1Context *) context;
-               SHA1_Begin (sha1);
-               break;
-      }
-    }
-
-  return context;
-  }
-
-void *JAR_JAR_hash (int alg, void *cookie, int length, void *data)
-  {
-  MD5Context *md5;
-  SHA1Context *sha1;
-
-  /* this is a hack because this whole PORT_ZAlloc stuff looks scary */
-
-  if (!PK11_HashOK (alg == 1 ? SEC_OID_MD5 : SEC_OID_SHA1))
-    return NULL;
-
-  if (length > 0)
-    {
-    switch (alg)
-      {
-      case 1:  /* MD5 */
-               md5 = (MD5Context *) cookie;
-               MD5_Update (md5, (unsigned char*)data, length);
-               break;
-
-      case 2:  /* SHA1 */
-               sha1 = (SHA1Context *) cookie;
-               SHA1_Update (sha1, (unsigned char*)data, length);
-               break;
-      }
-    }
-
-  return cookie;
-  }
-
-void *JAR_JAR_end_hash (int alg, void *cookie)
-  {
-  int length;
-  unsigned char *data;
-  char *ascii; 
-
-  MD5Context *md5;
-  SHA1Context *sha1;
-
-  unsigned int md5_length;
-  unsigned char md5_digest [MD5_LENGTH];
-
-  unsigned int sha1_length;
-  unsigned char sha1_digest [SHA1_LENGTH];
-
-  /* this is a hack because this whole PORT_ZAlloc stuff looks scary */
-
-  if (!PK11_HashOK (alg == 1 ? SEC_OID_MD5 : SEC_OID_SHA1)) 
-    return NULL;
-
-  switch (alg)
-    {
-    case 1:  /* MD5 */
-
-             md5 = (MD5Context *) cookie;
-
-             MD5_End (md5, md5_digest, &md5_length, MD5_LENGTH);
-             /* MD5_DestroyContext (md5, PR_TRUE); */
-
-             data = md5_digest;
-             length = md5_length;
-
-             break;
-
-    case 2:  /* SHA1 */
-
-             sha1 = (SHA1Context *) cookie;
-
-             SHA1_End (sha1, sha1_digest, &sha1_length, SHA1_LENGTH);
-             /* SHA1_DestroyContext (sha1, PR_TRUE); */
-
-             data = sha1_digest;
-             length = sha1_length;
-
-             break;
-
-    default: return NULL;
-    }
-
-  /* Instead of destroy context, since we created it */
-  /* PORT_Free (cookie); */
-
-  ascii = BTOA_DataToAscii(data, length);
-
-  return ascii ? PORT_Strdup (ascii) : NULL;
-  }
-
-/*
- *  S O B _ J A R _ s i g n _ a r c h i v e
- *
- *  A simple API to sign a JAR archive.
- *
- */
-
-int JAR_JAR_sign_archive 
-      (char *nickname, char *password, char *sf, char *outsig)
-  {
-  char *out_fn;
-
-  int status = JAR_ERR_GENERAL;
-  JAR_FILE sf_fp; 
-  JAR_FILE out_fp;
-
-  CERTCertDBHandle *certdb;
-  void *keydb;
-
-  CERTCertificate *cert;
-
-  /* open cert and key databases */
-
-  certdb = JAR_open_database();
-  if (certdb == NULL)
-    return JAR_ERR_GENERAL;
-
-  keydb = jar_open_key_database();
-  if (keydb == NULL)
-    return JAR_ERR_GENERAL;
-
-  out_fn = PORT_Strdup (sf);
-
-  if (out_fn == NULL || PORT_Strlen (sf) < 5)
-    return JAR_ERR_GENERAL;
-
-  sf_fp = JAR_FOPEN (sf, "rb");
-  out_fp = JAR_FOPEN (outsig, "wb");
-
-  cert = CERT_FindCertByNickname (certdb, nickname);
-
-  if (cert && sf_fp && out_fp)
-    {
-    status = jar_create_pk7 (certdb, keydb, cert, password, sf_fp, out_fp);
-    }
-
-  /* remove password from prying eyes */
-  PORT_Memset (password, 0, PORT_Strlen (password));
-
-  JAR_FCLOSE (sf_fp);
-  JAR_FCLOSE (out_fp);
-
-  JAR_close_database (certdb);
-  jar_close_key_database (keydb);
-
-  return status;
-  }
diff --git a/security/nss/lib/jar/jarjart.h b/security/nss/lib/jar/jarjart.h
deleted file mode 100644
index 4bc700ad0..000000000
--- a/security/nss/lib/jar/jarjart.h
+++ /dev/null
@@ -1,75 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- *  jarjart.h
- *
- *  Functions for the Jartool, which is written in Java and
- *  requires wrappers located elsewhere in the client.
- *
- *  Do not call these unless you are the Jartool, no matter
- *  how convenient they may appear.
- *
- */
-
-#ifndef _JARJART_H_
-#define _JARJART_H_
-
-/* return a list of certificate nicknames, separated by \n's */
-extern char *JAR_JAR_list_certs (void);
-
-/* validate archive, simple api */
-extern int JAR_JAR_validate_archive (char *filename);
-
-/* begin hash */
-extern void *JAR_JAR_new_hash (int alg);
-
-/* hash a streaming pile */
-extern void *JAR_JAR_hash (int alg, void *cookie, int length, void *data);
-
-/* end hash */
-extern void *JAR_JAR_end_hash (int alg, void *cookie);
-
-/* sign the archive (given an .SF file) with the given cert.
-   The password argument is a relic, PKCS11 now handles that. */
-
-extern int JAR_JAR_sign_archive 
-   (char *nickname, char *password, char *sf, char *outsig);
-
-/* convert status to text */
-extern char *JAR_JAR_get_error (int status);
-
-#endif
diff --git a/security/nss/lib/jar/jarnav.c b/security/nss/lib/jar/jarnav.c
deleted file mode 100644
index 58c67df67..000000000
--- a/security/nss/lib/jar/jarnav.c
+++ /dev/null
@@ -1,110 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- *  JARNAV.C
- *
- *  JAR stuff needed for client only.
- *
- */
-
-#include "jar.h"
-#include "jarint.h"
-
-/* from proto.h */
-#ifdef MOZILLA_CLIENT_OLD
-extern MWContext *XP_FindSomeContext(void);
-#endif
-
-/* sigh */
-extern MWContext *FE_GetInitContext(void);
-
-/* To return an MWContext for Java */
-static MWContext *(*jar_fn_FindSomeContext) (void) = NULL;
-
-/* To fabricate an MWContext for FE_GetPassword */
-static MWContext *(*jar_fn_GetInitContext) (void) = NULL;
-
-/*
- *  J A R _ i n i t
- *
- *  Initialize the JAR functions.
- * 
- */
-
-void JAR_init (void)
-  {
-#ifdef MOZILLA_CLIENT_OLD
-  JAR_init_callbacks (XP_GetString, XP_FindSomeContext, FE_GetInitContext);
-#else
-  JAR_init_callbacks (XP_GetString, NULL, NULL);
-#endif
-  }
-
-/*
- *  J A R _ s e t _ c o n t e x t
- *
- *  Set the jar window context for use by PKCS11, since
- *  it may be needed to prompt the user for a password.
- *
- */
-
-int JAR_set_context (JAR *jar, MWContext *mw)
-  {
-  if (mw)
-    {
-    jar->mw = mw;
-    }
-  else
-    {
-    /* jar->mw = XP_FindSomeContext(); */
-    jar->mw = NULL;
-
-    /*
-     * We can't find a context because we're in startup state and none
-     * exist yet. go get an FE_InitContext that only works at initialization
-     * time.
-     */
-
-    /* Turn on the mac when we get the FE_ function */
-    if (jar->mw == NULL)
-      {
-      jar->mw = jar_fn_GetInitContext();
-      }
-   }
-
-  return 0;
-  }
diff --git a/security/nss/lib/jar/jarsign.c b/security/nss/lib/jar/jarsign.c
deleted file mode 100644
index 658b3b997..000000000
--- a/security/nss/lib/jar/jarsign.c
+++ /dev/null
@@ -1,374 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- *  JARSIGN
- *
- *  Routines used in signing archives.
- */
-
-
-#define USE_MOZ_THREAD
-
-#include "jar.h"
-#include "jarint.h"
-
-#ifdef USE_MOZ_THREAD
-#include "jarevil.h"
-#endif
-
-#include "pk11func.h"
-#include "sechash.h"
-
-/* from libevent.h */
-typedef void (*ETVoidPtrFunc) (void * data);
-
-#ifdef MOZILLA_CLIENT_OLD
-
-extern void ET_moz_CallFunction (ETVoidPtrFunc fn, void *data);
-
-/* from proto.h */
-/* extern MWContext *XP_FindSomeContext(void); */
-extern void *XP_FindSomeContext(void);
-
-#endif
-
-/* key database wrapper */
-
-/* static SECKEYKeyDBHandle *jar_open_key_database (void); */
-
-/* CHUNQ is our bite size */
-
-#define CHUNQ 64000
-#define FILECHUNQ 32768
-
-/*
- *  J A R _ c a l c u l a t e _ d i g e s t 
- *
- *  Quick calculation of a digest for
- *  the specified block of memory. Will calculate
- *  for all supported algorithms, now MD5.
- *
- *  This version supports huge pointers for WIN16.
- * 
- */
-
-JAR_Digest * PR_CALLBACK JAR_calculate_digest (void ZHUGEP *data, long length)
-  {
-  long chunq;
-  JAR_Digest *dig;
-
-  unsigned int md5_length, sha1_length;
-
-  PK11Context *md5  = 0;
-  PK11Context *sha1 = 0;
-
-  dig = (JAR_Digest *) PORT_ZAlloc (sizeof (JAR_Digest));
-
-  if (dig == NULL) 
-    {
-    /* out of memory allocating digest */
-    return NULL;
-    }
-
-#if defined(XP_WIN16)
-  PORT_Assert ( !IsBadHugeReadPtr(data, length) );
-#endif
-
-  md5  = PK11_CreateDigestContext (SEC_OID_MD5);
-  sha1 = PK11_CreateDigestContext (SEC_OID_SHA1);
-
-  if (length >= 0) 
-    {
-    PK11_DigestBegin (md5);
-    PK11_DigestBegin (sha1);
-
-    do {
-       chunq = length;
-
-#ifdef XP_WIN16
-       if (length > CHUNQ) chunq = CHUNQ;
-
-       /*
-        *  If the block of data crosses one or more segment 
-        *  boundaries then only pass the chunk of data in the 
-        *  first segment.
-        * 
-        *  This allows the data to be treated as FAR by the
-        *  PK11_DigestOp(...) routine.
-        *
-        */
-
-       if (OFFSETOF(data) + chunq >= 0x10000) 
-         chunq = 0x10000 - OFFSETOF(data);
-#endif
-
-       PK11_DigestOp (md5,  (unsigned char*)data, chunq);
-       PK11_DigestOp (sha1, (unsigned char*)data, chunq);
-
-       length -= chunq;
-       data = ((char ZHUGEP *) data + chunq);
-       } 
-    while (length > 0);
-
-    PK11_DigestFinal (md5,  dig->md5,  &md5_length,  MD5_LENGTH);
-    PK11_DigestFinal (sha1, dig->sha1, &sha1_length, SHA1_LENGTH);
-
-    PK11_DestroyContext (md5,  PR_TRUE);
-    PK11_DestroyContext (sha1, PR_TRUE);
-    }
-
-  return dig;
-  }
-
-/*
- *  J A R _ d i g e s t _ f i l e
- *
- *  Calculates the MD5 and SHA1 digests for a file 
- *  present on disk, and returns these in JAR_Digest struct.
- *
- */
-
-int JAR_digest_file (char *filename, JAR_Digest *dig)
-    {
-    JAR_FILE fp;
-
-    int num;
-    unsigned char *buf;
-
-    PK11Context *md5 = 0;
-    PK11Context *sha1 = 0;
-
-    unsigned int md5_length, sha1_length;
-
-    buf = (unsigned char *) PORT_ZAlloc (FILECHUNQ);
-    if (buf == NULL)
-      {
-      /* out of memory */
-      return JAR_ERR_MEMORY;
-      }
- 
-    if ((fp = JAR_FOPEN (filename, "rb")) == 0)
-      {
-      /* perror (filename); FIX XXX XXX XXX XXX XXX XXX */
-      PORT_Free (buf);
-      return JAR_ERR_FNF;
-      }
-
-    md5 = PK11_CreateDigestContext (SEC_OID_MD5);
-    sha1 = PK11_CreateDigestContext (SEC_OID_SHA1);
-
-    if (md5 == NULL || sha1 == NULL) 
-      {
-      /* can't generate digest contexts */
-      PORT_Free (buf);
-      JAR_FCLOSE (fp);
-      return JAR_ERR_GENERAL;
-      }
-
-    PK11_DigestBegin (md5);
-    PK11_DigestBegin (sha1);
-
-    while (1)
-      {
-      if ((num = JAR_FREAD (fp, buf, FILECHUNQ)) == 0)
-        break;
-
-      PK11_DigestOp (md5, buf, num);
-      PK11_DigestOp (sha1, buf, num);
-      }
-
-    PK11_DigestFinal (md5, dig->md5, &md5_length, MD5_LENGTH);
-    PK11_DigestFinal (sha1, dig->sha1, &sha1_length, SHA1_LENGTH);
-
-    PK11_DestroyContext (md5, PR_TRUE);
-    PK11_DestroyContext (sha1, PR_TRUE);
-
-    PORT_Free (buf);
-    JAR_FCLOSE (fp);
-
-    return 0;
-    }
-
-/*
- *  J A R _ o p e n _ k e y _ d a t a b a s e
- *
- */
-
-void* jar_open_key_database (void)
-  {
-    return NULL;
-  }
-
-int jar_close_key_database (void *keydb)
-  {
-  /* We never do close it */
-  return 0;
-  }
-
-
-/*
- *  j a r _ c r e a t e _ p k 7
- *
- */
-
-static void jar_pk7_out (void *arg, const char *buf, unsigned long len)
-  {
-  JAR_FWRITE ((JAR_FILE) arg, buf, len);
-  }
-
-int jar_create_pk7 
-   (CERTCertDBHandle *certdb, void *keydb, 
-       CERTCertificate *cert, char *password, JAR_FILE infp, JAR_FILE outfp)
-  {
-  int nb;
-  unsigned char buffer [4096], digestdata[32];
-  const SECHashObject *hashObj;
-  void *hashcx;
-  unsigned int len;
-
-  int status = 0;
-  char *errstring;
-
-  SECItem digest;
-  SEC_PKCS7ContentInfo *cinfo;
-  SECStatus rv;
-
-  void /*MWContext*/ *mw;
-
-  if (outfp == NULL || infp == NULL || cert == NULL)
-    return JAR_ERR_GENERAL;
-
-  /* we sign with SHA */
-  hashObj = HASH_GetHashObject(HASH_AlgSHA1);
-
-  hashcx = (* hashObj->create)();
-  if (hashcx == NULL)
-    return JAR_ERR_GENERAL;
-
-  (* hashObj->begin)(hashcx);
-
-  while (1)
-    {
-    /* nspr2.0 doesn't support feof 
-       if (feof (infp)) break; */
-
-    nb = JAR_FREAD (infp, buffer, sizeof (buffer));
-    if (nb == 0) 
-      {
-#if 0
-      if (ferror(infp)) 
-        {
-        /* PORT_SetError(SEC_ERROR_IO); */ /* FIX */
-	(* hashObj->destroy) (hashcx, PR_TRUE);
-	return JAR_ERR_GENERAL;
-        }
-#endif
-      /* eof */
-      break;
-      }
-    (* hashObj->update) (hashcx, buffer, nb);
-    }
-
-  (* hashObj->end) (hashcx, digestdata, &len, 32);
-  (* hashObj->destroy) (hashcx, PR_TRUE);
-
-  digest.data = digestdata;
-  digest.len = len;
-
-  /* signtool must use any old context it can find since it's
-     calling from inside javaland. */
-
-#ifdef MOZILLA_CLIENT_OLD
-  mw = XP_FindSomeContext();
-#else
-  mw = NULL;
-#endif
-
-  PORT_SetError (0);
-
-  cinfo = SEC_PKCS7CreateSignedData 
-             (cert, certUsageObjectSigner, NULL, 
-                SEC_OID_SHA1, &digest, NULL, (void *) mw);
-
-  if (cinfo == NULL)
-    return JAR_ERR_PK7;
-
-  rv = SEC_PKCS7IncludeCertChain (cinfo, NULL);
-  if (rv != SECSuccess) 
-    {
-    status = PORT_GetError();
-    SEC_PKCS7DestroyContentInfo (cinfo);
-    return status;
-    }
-
-  /* Having this here forces signtool to always include
-     signing time. */
-
-  rv = SEC_PKCS7AddSigningTime (cinfo);
-  if (rv != SECSuccess)
-    {
-    /* don't check error */
-    }
-
-  PORT_SetError (0);
-
-#ifdef USE_MOZ_THREAD
-  /* if calling from mozilla */
-  rv = jar_moz_encode
-             (cinfo, jar_pk7_out, outfp, 
-                 NULL,  /* pwfn */ NULL,  /* pwarg */ (void *) mw);
-#else
-  /* if calling from mozilla thread*/
-  rv = SEC_PKCS7Encode 
-             (cinfo, jar_pk7_out, outfp, 
-                 NULL,  /* pwfn */ NULL,  /* pwarg */ (void *) mw):
-#endif
-
-  if (rv != SECSuccess)
-    status = PORT_GetError();
-
-  SEC_PKCS7DestroyContentInfo (cinfo);
-
-  if (rv != SECSuccess)
-    {
-    errstring = JAR_get_error (status);
-    /*XP_TRACE (("Jar signing failed (reason %d = %s)", status, errstring));*/
-    return status < 0 ? status : JAR_ERR_GENERAL;
-    }
-
-  return 0;
-  }
diff --git a/security/nss/lib/jar/jarver.c b/security/nss/lib/jar/jarver.c
deleted file mode 100644
index e20c4ea39..000000000
--- a/security/nss/lib/jar/jarver.c
+++ /dev/null
@@ -1,2023 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- *  JARVER
- *
- *  Jarnature Parsing & Verification
- */
-
-#define USE_MOZ_THREAD
-
-#include "jar.h"
-#include "jarint.h"
-
-#ifdef USE_MOZ_THREAD
-#include "jarevil.h"
-#endif
-/*#include "cdbhdl.h" */
-#include "secder.h"
-
-/* to use huge pointers in win16 */
-
-#if !defined(XP_WIN16)
-#define xp_HUGE_MEMCPY PORT_Memcpy
-#define xp_HUGE_STRCPY PORT_Strcpy
-#define xp_HUGE_STRLEN PORT_Strlen
-#define xp_HUGE_STRNCASECMP PORT_Strncasecmp
-#else
-#define xp_HUGE_MEMCPY hmemcpy
-int xp_HUGE_STRNCASECMP (char ZHUGEP *buf, char *key, int len);
-size_t xp_HUGE_STRLEN (char ZHUGEP *s);
-char *xp_HUGE_STRCPY (char *to, char ZHUGEP *from);
-#endif
-
-/* from certdb.h */
-#define CERTDB_USER (1<<6)
-
-#define SZ 512
-
-static int jar_validate_pkcs7 
-     (JAR *jar, JAR_Signer *signer, char *data, long length);
-
-static void jar_catch_bytes
-     (void *arg, const char *buf, unsigned long len);
-
-static int jar_gather_signers
-     (JAR *jar, JAR_Signer *signer, SEC_PKCS7ContentInfo *cinfo);
-
-static char ZHUGEP *jar_eat_line 
-     (int lines, int eating, char ZHUGEP *data, long *len);
-
-static JAR_Digest *jar_digest_section 
-     (char ZHUGEP *manifest, long length);
-
-static JAR_Digest *jar_get_mf_digest (JAR *jar, char *path);
-
-static int jar_parse_digital_signature 
-     (char *raw_manifest, JAR_Signer *signer, long length, JAR *jar);
-
-static int jar_add_cert
-     (JAR *jar, JAR_Signer *signer, int type, CERTCertificate *cert);
-
-static CERTCertificate *jar_get_certificate
-            (JAR *jar, long keylen, void *key, int *result);
-
-static char *jar_cert_element (char *name, char *tag, int occ);
-
-static char *jar_choose_nickname (CERTCertificate *cert);
-
-static char *jar_basename (const char *path);
-
-static int jar_signal 
-     (int status, JAR *jar, const char *metafile, char *pathname);
-
-#ifdef DEBUG
-static int jar_insanity_check (char ZHUGEP *data, long length);
-#endif
-
-int jar_parse_mf
-    (JAR *jar, char ZHUGEP *raw_manifest, 
-        long length, const char *path, const char *url);
-
-int jar_parse_sf
-    (JAR *jar, char ZHUGEP *raw_manifest, 
-        long length, const char *path, const char *url);
-
-int jar_parse_sig
-    (JAR *jar, const char *path, char ZHUGEP *raw_manifest, long length);
-
-int jar_parse_any
-    (JAR *jar, int type, JAR_Signer *signer, char ZHUGEP *raw_manifest, 
-        long length, const char *path, const char *url);
-
-static int jar_internal_digest 
-     (JAR *jar, const char *path, char *x_name, JAR_Digest *dig);
-
-/*
- *  J A R _ p a r s e _ m a n i f e s t
- * 
- *  Pass manifest files to this function. They are
- *  decoded and placed into internal representations.
- * 
- *  Accepts both signature and manifest files. Use
- *  the same "jar" for both. 
- *
- */
-
-int JAR_parse_manifest 
-    (JAR *jar, char ZHUGEP *raw_manifest, 
-        long length, const char *path, const char *url)
-  {
-
-#if defined(XP_WIN16)
-    PORT_Assert( !IsBadHugeReadPtr(raw_manifest, length) );
-#endif
-
-  /* fill in the path, if supplied. This is a the location
-     of the jar file on disk, if known */
-
-  if (jar->filename == NULL && path)
-    {
-    jar->filename = PORT_Strdup (path);
-    if (jar->filename == NULL)
-      return JAR_ERR_MEMORY;
-    }
-
-  /* fill in the URL, if supplied. This is the place
-     from which the jar file was retrieved. */
-
-  if (jar->url == NULL && url)
-    {
-    jar->url = PORT_Strdup (url);
-    if (jar->url == NULL)
-      return JAR_ERR_MEMORY;
-    }
-
-  /* Determine what kind of file this is from the META-INF 
-     directory. It could be MF, SF, or a binary RSA/DSA file */
-
-  if (!xp_HUGE_STRNCASECMP (raw_manifest, "Manifest-Version:", 17))
-    {
-    return jar_parse_mf (jar, raw_manifest, length, path, url);
-    }
-  else if (!xp_HUGE_STRNCASECMP (raw_manifest, "Signature-Version:", 18))
-    {
-    return jar_parse_sf (jar, raw_manifest, length, path, url);
-    }
-  else
-    {
-    /* This is probably a binary signature */
-    return jar_parse_sig (jar, path, raw_manifest, length);
-    }
-  }
-
-/*
- *  j a r _ p a r s e _ s i g
- *
- *  Pass some manner of RSA or DSA digital signature
- *  on, after checking to see if it comes at an appropriate state.
- *
- */
- 
-int jar_parse_sig
-    (JAR *jar, const char *path, char ZHUGEP *raw_manifest, long length)
-  {
-  JAR_Signer *signer;
-  int status = JAR_ERR_ORDER;
-
-  if (length <= 128) 
-    {
-    /* signature is way too small */
-    return JAR_ERR_SIG;
-    }
-
-  /* make sure that MF and SF have already been processed */
-
-  if (jar->globalmeta == NULL)
-    return JAR_ERR_ORDER;
-
-#if 0
-  /* XXX Turn this on to disable multiple signers */
-  if (jar->digest == NULL)
-    return JAR_ERR_ORDER;
-#endif
-
-  /* Determine whether or not this RSA file has
-     has an associated SF file */
-
-  if (path)
-    {
-    char *owner;
-    owner = jar_basename (path);
-
-    if (owner == NULL)
-      return JAR_ERR_MEMORY;
-
-    signer = jar_get_signer (jar, owner);
-
-    PORT_Free (owner);
-    }
-  else
-    signer = jar_get_signer (jar, "*");
-
-  if (signer == NULL)
-    return JAR_ERR_ORDER;
-
-
-  /* Do not pass a huge pointer to this function,
-     since the underlying security code is unaware. We will
-     never pass >64k through here. */
-
-  if (length > 64000)
-    {
-    /* this digital signature is way too big */
-    return JAR_ERR_SIG;
-    }
-
-#ifdef XP_WIN16
-  /*
-   * For Win16, copy the portion of the raw_buffer containing the digital 
-   * signature into another buffer...  This insures that the data will
-   * NOT cross a segment boundary.  Therefore, 
-   * jar_parse_digital_signature(...) does NOT need to deal with HUGE 
-   * pointers...
-   */
-
-    {
-    unsigned char *manifest_copy;
-
-    manifest_copy = (unsigned char *) PORT_ZAlloc (length);
-    if (manifest_copy)
-      {
-      xp_HUGE_MEMCPY (manifest_copy, raw_manifest, length);
-
-      status = jar_parse_digital_signature 
-                  (manifest_copy, signer, length, jar);
-
-      PORT_Free (manifest_copy);
-      }
-    else
-      {
-      /* out of memory */
-      return JAR_ERR_MEMORY;
-      }
-    }
-#else
-  /* don't expense unneeded calloc overhead on non-win16 */
-  status = jar_parse_digital_signature 
-                (raw_manifest, signer, length, jar);
-#endif
-
-  return status;
-  }
-
-/*
- *  j a r _ p a r s e _ m f
- *
- *  Parse the META-INF/manifest.mf file, whose
- *  information applies to all signers.
- *
- */
-
-int jar_parse_mf
-    (JAR *jar, char ZHUGEP *raw_manifest, 
-        long length, const char *path, const char *url)
-  {
-  if (jar->globalmeta)
-    {
-    /* refuse a second manifest file, if passed for some reason */
-    return JAR_ERR_ORDER;
-    }
-
-
-  /* remember a digest for the global section */
-
-  jar->globalmeta = jar_digest_section (raw_manifest, length);
-
-  if (jar->globalmeta == NULL)
-    return JAR_ERR_MEMORY;
-
-
-  return jar_parse_any 
-    (jar, jarTypeMF, NULL, raw_manifest, length, path, url);
-  }
-
-/*
- *  j a r _ p a r s e _ s f
- *
- *  Parse META-INF/xxx.sf, a digitally signed file
- *  pointing to a subset of MF sections. 
- *
- */
-
-int jar_parse_sf
-    (JAR *jar, char ZHUGEP *raw_manifest, 
-        long length, const char *path, const char *url)
-  {
-  JAR_Signer *signer = NULL;
-  int status = JAR_ERR_MEMORY;
-
-  if (jar->globalmeta == NULL)
-    {
-    /* It is a requirement that the MF file be passed before the SF file */
-    return JAR_ERR_ORDER;
-    }
-
-  signer = JAR_new_signer();
-
-  if (signer == NULL)
-    goto loser;
-
-  if (path)
-    {
-    signer->owner = jar_basename (path);
-    if (signer->owner == NULL)
-      goto loser;
-    }
-
-
-  /* check for priors. When someone doctors a jar file
-     to contain identical path entries, prevent the second
-     one from affecting JAR functions */
-
-  if (jar_get_signer (jar, signer->owner))
-    {
-    /* someone is trying to spoof us */
-    status = JAR_ERR_ORDER;
-    goto loser;
-    }
-
-
-  /* remember its digest */
-
-  signer->digest = JAR_calculate_digest (raw_manifest, length);
-
-  if (signer->digest == NULL)
-    goto loser;
-
-  /* Add this signer to the jar */
-
-  ADDITEM (jar->signers, jarTypeOwner, 
-     signer->owner, signer, sizeof (JAR_Signer));
-
-
-  return jar_parse_any 
-    (jar, jarTypeSF, signer, raw_manifest, length, path, url);
-
-loser:
-
-  if (signer)
-    JAR_destroy_signer (signer);
-
-  return status;
-  }
-
-/* 
- *  j a r _ p a r s e _ a n y
- *
- *  Parse a MF or SF manifest file. 
- *
- */
- 
-int jar_parse_any
-    (JAR *jar, int type, JAR_Signer *signer, char ZHUGEP *raw_manifest, 
-        long length, const char *path, const char *url)
-  {
-  int status;
-
-  long raw_len;
-
-  JAR_Digest *dig, *mfdig = NULL;
-
-  char line [SZ];
-  char x_name [SZ], x_md5 [SZ], x_sha [SZ];
-
-  char *x_info;
-
-  char *sf_md5 = NULL, *sf_sha1 = NULL;
-
-  *x_name = 0;
-  *x_md5 = 0;
-  *x_sha = 0;
-
-  PORT_Assert( length > 0 );
-  raw_len = length;
-
-#ifdef DEBUG
-  if ((status = jar_insanity_check (raw_manifest, raw_len)) < 0)
-    return status;
-#endif
-
-
-  /* null terminate the first line */
-  raw_manifest = jar_eat_line (0, PR_TRUE, raw_manifest, &raw_len);
-
-
-  /* skip over the preliminary section */
-  /* This is one section at the top of the file with global metainfo */
-
-  while (raw_len)
-    {
-    JAR_Metainfo *met;
-
-    raw_manifest = jar_eat_line (1, PR_TRUE, raw_manifest, &raw_len);
-    if (!*raw_manifest) break;
-
-    met = (JAR_Metainfo*)PORT_ZAlloc (sizeof (JAR_Metainfo));
-    if (met == NULL)
-      return JAR_ERR_MEMORY;
-
-    /* Parse out the header & info */
-
-    if (xp_HUGE_STRLEN (raw_manifest) >= SZ)
-      {
-      /* almost certainly nonsense */
-      continue;
-      }
-
-    xp_HUGE_STRCPY (line, raw_manifest);
-    x_info = line;
-
-    while (*x_info && *x_info != ' ' && *x_info != '\t' && *x_info != ':')
-      x_info++;
-
-    if (*x_info) *x_info++ = 0;
-
-    while (*x_info == ' ' || *x_info == '\t')
-      x_info++;
-
-    /* metainfo (name, value) pair is now (line, x_info) */
-
-    met->header = PORT_Strdup (line);
-    met->info = PORT_Strdup (x_info);
-
-    if (type == jarTypeMF)
-      {
-      ADDITEM (jar->metainfo, jarTypeMeta, 
-         /* pathname */ NULL, met, sizeof (JAR_Metainfo));
-      }
-
-    /* For SF files, this metadata may be the digests
-       of the MF file, still in the "met" structure. */
-
-    if (type == jarTypeSF)
-      {
-      if (!PORT_Strcasecmp (line, "MD5-Digest"))
-        sf_md5 = (char *) met->info;
-
-      if (!PORT_Strcasecmp (line, "SHA1-Digest") || !PORT_Strcasecmp (line, "SHA-Digest"))
-        sf_sha1 = (char *) met->info;
-      }
-    }
-
-  if (type == jarTypeSF && jar->globalmeta)
-    {
-    /* this is a SF file which may contain a digest of the manifest.mf's 
-       global metainfo. */
-
-    int match = 0;
-    JAR_Digest *glob = jar->globalmeta;
-
-    if (sf_md5)
-      {
-      unsigned int md5_length;
-      unsigned char *md5_digest;
-
-      md5_digest = ATOB_AsciiToData (sf_md5, &md5_length);
-      PORT_Assert( md5_length == MD5_LENGTH );
-
-      if (md5_length != MD5_LENGTH)
-        return JAR_ERR_CORRUPT;
-
-      match = PORT_Memcmp (md5_digest, glob->md5, MD5_LENGTH);
-      }
-
-    if (sf_sha1 && match == 0)
-      {
-      unsigned int sha1_length;
-      unsigned char *sha1_digest;
-
-      sha1_digest = ATOB_AsciiToData (sf_sha1, &sha1_length);
-      PORT_Assert( sha1_length == SHA1_LENGTH );
-
-      if (sha1_length != SHA1_LENGTH)
-        return JAR_ERR_CORRUPT;
-
-      match = PORT_Memcmp (sha1_digest, glob->sha1, SHA1_LENGTH);
-      }
-
-    if (match != 0)
-      {
-      /* global digest doesn't match, SF file therefore invalid */
-      jar->valid = JAR_ERR_METADATA;
-      return JAR_ERR_METADATA;
-      }
-    }
-
-  /* done with top section of global data */
-
-
-  while (raw_len)
-    {
-    *x_md5 = 0;
-    *x_sha = 0;
-    *x_name = 0;
-
-
-    /* If this is a manifest file, attempt to get a digest of the following section, 
-       without damaging it. This digest will be saved later. */
-
-    if (type == jarTypeMF)
-      {
-      char ZHUGEP *sec;
-      long sec_len = raw_len;
-
-      if (!*raw_manifest || *raw_manifest == '\n')
-        {     
-        /* skip the blank line */ 
-        sec = jar_eat_line (1, PR_FALSE, raw_manifest, &sec_len);
-        }
-      else
-        sec = raw_manifest;
-
-      if (!xp_HUGE_STRNCASECMP (sec, "Name:", 5))
-        {
-        if (type == jarTypeMF)
-          mfdig = jar_digest_section (sec, sec_len);
-        else
-          mfdig = NULL;
-        }
-      }
-
-
-    while (raw_len)
-      {
-      raw_manifest = jar_eat_line (1, PR_TRUE, raw_manifest, &raw_len);
-      if (!*raw_manifest) break; /* blank line, done with this entry */
-
-      if (xp_HUGE_STRLEN (raw_manifest) >= SZ)
-        {
-        /* almost certainly nonsense */
-        continue;
-        }
-
-
-      /* Parse out the name/value pair */
-
-      xp_HUGE_STRCPY (line, raw_manifest);
-      x_info = line;
-
-      while (*x_info && *x_info != ' ' && *x_info != '\t' && *x_info != ':')
-        x_info++;
-
-      if (*x_info) *x_info++ = 0;
-
-      while (*x_info == ' ' || *x_info == '\t') 
-        x_info++;
-
-
-      if (!PORT_Strcasecmp (line, "Name"))
-        PORT_Strcpy (x_name, x_info);
-
-      else if (!PORT_Strcasecmp (line, "MD5-Digest"))
-        PORT_Strcpy (x_md5, x_info);
-
-      else if (!PORT_Strcasecmp (line, "SHA1-Digest") 
-                  || !PORT_Strcasecmp (line, "SHA-Digest"))
-        {
-        PORT_Strcpy (x_sha, x_info);
-        }
-
-      /* Algorithm list is meta info we don't care about; keeping it out
-         of metadata saves significant space for large jar files */
-
-      else if (!PORT_Strcasecmp (line, "Digest-Algorithms")
-                    || !PORT_Strcasecmp (line, "Hash-Algorithms"))
-        {
-        continue;
-        }
-
-      /* Meta info is only collected for the manifest.mf file,
-         since the JAR_get_metainfo call does not support identity */
-
-      else if (type == jarTypeMF)
-        {
-        JAR_Metainfo *met;
-
-        /* this is meta-data */
-
-        met = (JAR_Metainfo*)PORT_ZAlloc (sizeof (JAR_Metainfo));
-
-        if (met == NULL)
-          return JAR_ERR_MEMORY;
-
-        /* metainfo (name, value) pair is now (line, x_info) */
-
-        if ((met->header = PORT_Strdup (line)) == NULL)
-          return JAR_ERR_MEMORY;
-
-        if ((met->info = PORT_Strdup (x_info)) == NULL)
-          return JAR_ERR_MEMORY;
-
-        ADDITEM (jar->metainfo, jarTypeMeta, 
-           x_name, met, sizeof (JAR_Metainfo));
-        }
-      }
-
-	if(!x_name || !*x_name) {
-		/* Whatever that was, it wasn't an entry, because we didn't get a name.
-		 * We don't really have anything, so don't record this. */
-		continue;
-	}
-
-    dig = (JAR_Digest*)PORT_ZAlloc (sizeof (JAR_Digest));
-    if (dig == NULL)
-      return JAR_ERR_MEMORY;
-
-    if (*x_md5 ) 
-      {
-      unsigned int binary_length;
-      unsigned char *binary_digest;
-
-      binary_digest = ATOB_AsciiToData (x_md5, &binary_length);
-      PORT_Assert( binary_length == MD5_LENGTH );
-
-      if (binary_length != MD5_LENGTH)
-        return JAR_ERR_CORRUPT;
-
-      memcpy (dig->md5, binary_digest, MD5_LENGTH);
-      dig->md5_status = jarHashPresent;
-      }
-
-    if (*x_sha ) 
-      {
-      unsigned int binary_length;
-      unsigned char *binary_digest;
-
-      binary_digest = ATOB_AsciiToData (x_sha, &binary_length);
-      PORT_Assert( binary_length == SHA1_LENGTH );
-
-      if (binary_length != SHA1_LENGTH)
-        return JAR_ERR_CORRUPT;
-
-      memcpy (dig->sha1, binary_digest, SHA1_LENGTH);
-      dig->sha1_status = jarHashPresent;
-      }
-
-    PORT_Assert( type == jarTypeMF || type == jarTypeSF );
-
-
-    if (type == jarTypeMF)
-      {
-      ADDITEM (jar->hashes, jarTypeMF, x_name, dig, sizeof (JAR_Digest));
-      }
-    else if (type == jarTypeSF)
-      {
-      ADDITEM (signer->sf, jarTypeSF, x_name, dig, sizeof (JAR_Digest));
-      }
-    else
-      return JAR_ERR_ORDER;
-
-    /* we're placing these calculated digests of manifest.mf 
-       sections in a list where they can subsequently be forgotten */
-
-    if (type == jarTypeMF && mfdig)
-      {
-      ADDITEM (jar->manifest, jarTypeSect, 
-         x_name, mfdig, sizeof (JAR_Digest));
-
-      mfdig = NULL;
-      }
-
-
-    /* Retrieve our saved SHA1 digest from saved copy and check digests.
-       This is just comparing the digest of the MF section as indicated in
-       the SF file with the one we remembered from parsing the MF file */
-
-    if (type == jarTypeSF)
-      {
-      if ((status = jar_internal_digest (jar, path, x_name, dig)) < 0)
-        return status;
-      }
-    }
-
-  return 0;
-  }
-
-static int jar_internal_digest 
-     (JAR *jar, const char *path, char *x_name, JAR_Digest *dig)
-  {
-  int cv;
-  int status;
-
-  JAR_Digest *savdig;
-
-  savdig = jar_get_mf_digest (jar, x_name);
-
-  if (savdig == NULL)
-    {
-    /* no .mf digest for this pathname */
-    status = jar_signal (JAR_ERR_ENTRY, jar, path, x_name);
-    if (status < 0) 
-      return 0; /* was continue; */
-    else 
-      return status;
-    }
-
-  /* check for md5 consistency */
-  if (dig->md5_status)
-    {
-    cv = PORT_Memcmp (savdig->md5, dig->md5, MD5_LENGTH);
-    /* md5 hash of .mf file is not what expected */
-    if (cv) 
-      {
-      status = jar_signal (JAR_ERR_HASH, jar, path, x_name);
-
-      /* bad hash, man */
-
-      dig->md5_status = jarHashBad;
-      savdig->md5_status = jarHashBad;
-
-      if (status < 0) 
-        return 0; /* was continue; */
-      else 
-        return status;
-      }
-    }
-
-  /* check for sha1 consistency */
-  if (dig->sha1_status)
-    {
-    cv = PORT_Memcmp (savdig->sha1, dig->sha1, SHA1_LENGTH);
-    /* sha1 hash of .mf file is not what expected */
-    if (cv) 
-      {
-      status = jar_signal (JAR_ERR_HASH, jar, path, x_name);
-
-      /* bad hash, man */
-
-      dig->sha1_status = jarHashBad;
-      savdig->sha1_status = jarHashBad;
-
-      if (status < 0)
-        return 0; /* was continue; */
-      else
-        return status;
-      }
-    }
-	return 0;
-  }
-
-#ifdef DEBUG
-/*
- *  j a r _ i n s a n i t y _ c h e c k
- *
- *  Check for illegal characters (or possibly so)
- *  in the manifest files, to detect potential memory
- *  corruption by our neighbors. Debug only, since
- *  not I18N safe.
- * 
- */
-
-static int jar_insanity_check (char ZHUGEP *data, long length)
-  {
-  int c;
-  long off;
-
-  for (off = 0; off < length; off++)
-    {
-    c = data [off];
-
-    if (c == '\n' || c == '\r' || (c >= ' ' && c <= 128))
-      continue;
-
-    return JAR_ERR_CORRUPT;
-    }
-
-  return 0;
-  }
-#endif
-
-/*
- *  j a r _ p a r s e _ d i g i t a l _ s i g n a t u r e
- *
- *  Parse an RSA or DSA (or perhaps other) digital signature.
- *  Right now everything is PKCS7.
- *
- */
-
-static int jar_parse_digital_signature 
-     (char *raw_manifest, JAR_Signer *signer, long length, JAR *jar)
-  {
-#if defined(XP_WIN16)
-  PORT_Assert( LOWORD(raw_manifest) + length < 0xFFFF );
-#endif
-  return jar_validate_pkcs7 (jar, signer, raw_manifest, length);
-  }
-
-/*
- *  j a r _ a d d _ c e r t
- * 
- *  Add information for the given certificate
- *  (or whatever) to the JAR linked list. A pointer
- *  is passed for some relevant reference, say
- *  for example the original certificate.
- *
- */
-
-static int jar_add_cert
-     (JAR *jar, JAR_Signer *signer, int type, CERTCertificate *cert)
-  {
-  JAR_Cert *fing;
-  unsigned char *keyData;
-
-  if (cert == NULL)
-    return JAR_ERR_ORDER;
-
-  fing = (JAR_Cert*)PORT_ZAlloc (sizeof (JAR_Cert));
-
-  if (fing == NULL)
-    goto loser;
-
-#ifdef USE_MOZ_THREAD
-  fing->cert = jar_moz_dup (cert);
-#else
-  fing->cert = CERT_DupCertificate (cert);
-#endif
-
-  /* get the certkey */
-
-  fing->length = cert->derIssuer.len + 2 + cert->serialNumber.len;
-
-  keyData = (unsigned char *) PORT_ZAlloc (fing->length);
-  fing->key = keyData;
-
-  if (fing->key == NULL)
-    goto loser;
-  keyData[0] = ((cert->derIssuer.len) >> 8) & 0xff;
-  keyData[1] = ((cert->derIssuer.len) & 0xff);
-  PORT_Memcpy (&keyData[2], cert->derIssuer.data, cert->derIssuer.len);
-  PORT_Memcpy (&keyData[2+cert->derIssuer.len], cert->serialNumber.data,
-						 cert->serialNumber.len);
-
-  ADDITEM (signer->certs, type, 
-    /* pathname */ NULL, fing, sizeof (JAR_Cert));
-
-  return 0;
-
-loser:
-
-  if (fing)
-    {
-    if (fing->cert) 
-      CERT_DestroyCertificate (fing->cert);
-
-    PORT_Free (fing);
-    }
-
-  return JAR_ERR_MEMORY;
-  }
-
-/*
- *  e a t _ l i n e 
- *
- *  Consume an ascii line from the top of a file kept
- *  in memory. This destroys the file in place. This function
- *  handles PC, Mac, and Unix style text files.
- *
- */
-
-static char ZHUGEP *jar_eat_line 
-    (int lines, int eating, char ZHUGEP *data, long *len)
-  {
-  char ZHUGEP *ret;
-
-  ret = data;
-  if (!*len) return ret;
-
-  /* Eat the requisite number of lines, if any; 
-     prior to terminating the current line with a 0. */
-
-  for (/* yip */ ; lines; lines--)
-    {
-    while (*data && *data != '\n')
-      data++;
-
-    /* After the CR, ok to eat one LF */
-
-    if (*data == '\n')
-      data++;
-
-    /* If there are zeros, we put them there */
-
-    while (*data == 0 && data - ret < *len)
-      data++;
-    }
-
-  *len -= data - ret;
-  ret = data;
-
-  if (eating)
-    {
-    /* Terminate this line with a 0 */ 
-
-    while (*data && *data != '\n' && *data != '\r')
-      data++;
-
-    /* In any case we are allowed to eat CR */
-
-    if (*data == '\r')
-      *data++ = 0;
-
-    /* After the CR, ok to eat one LF */
-
-    if (*data == '\n')
-      *data++ = 0;
-    }
-
-  return ret;
-  }
-
-/*
- *  j a r _ d i g e s t _ s e c t i o n
- *
- *  Return the digests of the next section of the manifest file.
- *  Does not damage the manifest file, unlike parse_manifest.
- * 
- */
-
-static JAR_Digest *jar_digest_section 
-    (char ZHUGEP *manifest, long length)
-  {
-  long global_len;
-  char ZHUGEP *global_end;
-
-  global_end = manifest;
-  global_len = length;
-
-  while (global_len)
-    {
-    global_end = jar_eat_line (1, PR_FALSE, global_end, &global_len);
-    if (*global_end == 0 || *global_end == '\n')
-      break;
-    }
-
-  return JAR_calculate_digest (manifest, global_end - manifest);
-  }
-
-/*
- *  J A R _ v e r i f y _ d i g e s t
- *
- *  Verifies that a precalculated digest matches the
- *  expected value in the manifest.
- *
- */
-
-int PR_CALLBACK JAR_verify_digest
-    (JAR *jar, const char *name, JAR_Digest *dig)
-  {
-  JAR_Item *it;
-
-  JAR_Digest *shindig;
-
-  ZZLink *link;
-  ZZList *list;
-
-  int result1, result2;
-
-  list = jar->hashes;
-
-  result1 = result2 = 0;
-
-  if (jar->valid < 0)
-    {
-    /* signature not valid */
-    return JAR_ERR_SIG;
-    }
-
-  if (ZZ_ListEmpty (list))
-    {
-    /* empty list */
-    return JAR_ERR_PNF;
-    }
-
-  for (link = ZZ_ListHead (list); 
-       !ZZ_ListIterDone (list, link); 
-       link = link->next)
-    {
-    it = link->thing;
-    if (it->type == jarTypeMF 
-           && it->pathname && !PORT_Strcmp (it->pathname, name))
-      {
-      shindig = (JAR_Digest *) it->data;
-
-      if (shindig->md5_status)
-        {
-        if (shindig->md5_status == jarHashBad)
-          return JAR_ERR_HASH;
-        else
-          result1 = memcmp (dig->md5, shindig->md5, MD5_LENGTH);
-        }
-
-      if (shindig->sha1_status)
-        {
-        if (shindig->sha1_status == jarHashBad)
-          return JAR_ERR_HASH;
-        else
-          result2 = memcmp (dig->sha1, shindig->sha1, SHA1_LENGTH);
-        }
-
-      return (result1 == 0 && result2 == 0) ? 0 : JAR_ERR_HASH;
-      }
-    }
-
-  return JAR_ERR_PNF;
-  }
-
-/* 
- *  J A R _ c e r t _ a t t r i b u t e
- *
- *  Return the named certificate attribute from the
- *  certificate specified by the given key.
- *
- */
-
-int PR_CALLBACK JAR_cert_attribute
-    (JAR *jar, jarCert attrib, long keylen, void *key, 
-        void **result, unsigned long *length)
-  {
-  int status = 0;
-  char *ret = NULL;
-
-  CERTCertificate *cert;
-
-  CERTCertDBHandle *certdb;
-
-  JAR_Digest *dig;
-  SECItem hexme;
-
-  *length = 0;
-
-  if (attrib == 0 || key == 0)
-    return JAR_ERR_GENERAL;
-
-  if (attrib == jarCertJavaHack)
-    {
-    cert = (CERTCertificate *) NULL;
-    certdb = JAR_open_database();
-
-    if (certdb)
-      {
-#ifdef USE_MOZ_THREAD
-      cert = jar_moz_nickname (certdb, (char*)key);
-#else
-      cert = CERT_FindCertByNickname (certdb, key);
-#endif
-
-      if (cert)
-        {
-        *length = cert->certKey.len;
-
-        *result = (void *) PORT_ZAlloc (*length);
-
-        if (*result)
-          PORT_Memcpy (*result, cert->certKey.data, *length);
-        else
-          return JAR_ERR_MEMORY;
-        }
-      JAR_close_database (certdb);
-      }
-
-    return cert ? 0 : JAR_ERR_GENERAL;
-    }
-
-  if (jar && jar->pkcs7 == 0)
-    return JAR_ERR_GENERAL;
-
-  cert = jar_get_certificate (jar, keylen, key, &status);
-
-  if (cert == NULL || status < 0)
-    return JAR_ERR_GENERAL;
-
-#define SEP " <br> "
-#define SEPLEN (PORT_Strlen(SEP))
-
-  switch (attrib)
-    {
-    case jarCertCompany:
-
-      ret = cert->subjectName;
-
-      /* This is pretty ugly looking but only used
-         here for this one purpose. */
-
-      if (ret)
-        {
-        int retlen = 0;
-
-        char *cer_ou1, *cer_ou2, *cer_ou3;
-	char *cer_cn, *cer_e, *cer_o, *cer_l;
-
-	cer_cn  = CERT_GetCommonName (&cert->subject);
-        cer_e   = CERT_GetCertEmailAddress (&cert->subject);
-        cer_ou3 = jar_cert_element (ret, "OU=", 3);
-        cer_ou2 = jar_cert_element (ret, "OU=", 2);
-        cer_ou1 = jar_cert_element (ret, "OU=", 1);
-        cer_o   = CERT_GetOrgName (&cert->subject);
-        cer_l   = CERT_GetCountryName (&cert->subject);
-
-        if (cer_cn)  retlen += SEPLEN + PORT_Strlen (cer_cn);
-        if (cer_e)   retlen += SEPLEN + PORT_Strlen (cer_e);
-        if (cer_ou1) retlen += SEPLEN + PORT_Strlen (cer_ou1);
-        if (cer_ou2) retlen += SEPLEN + PORT_Strlen (cer_ou2);
-        if (cer_ou3) retlen += SEPLEN + PORT_Strlen (cer_ou3);
-        if (cer_o)   retlen += SEPLEN + PORT_Strlen (cer_o);
-        if (cer_l)   retlen += SEPLEN + PORT_Strlen (cer_l);
-
-        ret = (char *) PORT_ZAlloc (1 + retlen);
-
-        if (cer_cn)  { PORT_Strcpy (ret, cer_cn);  PORT_Strcat (ret, SEP); }
-        if (cer_e)   { PORT_Strcat (ret, cer_e);   PORT_Strcat (ret, SEP); }
-        if (cer_ou1) { PORT_Strcat (ret, cer_ou1); PORT_Strcat (ret, SEP); }
-        if (cer_ou2) { PORT_Strcat (ret, cer_ou2); PORT_Strcat (ret, SEP); }
-        if (cer_ou3) { PORT_Strcat (ret, cer_ou3); PORT_Strcat (ret, SEP); }
-        if (cer_o)   { PORT_Strcat (ret, cer_o);   PORT_Strcat (ret, SEP); }
-        if (cer_l)     PORT_Strcat (ret, cer_l);
-
-	/* return here to avoid unsightly memory leak */
-
-        *result = ret;
-        *length = PORT_Strlen (ret);
-
-        return 0;
-        }
-      break;
-
-    case jarCertCA:
-
-      ret = cert->issuerName;
-
-      if (ret)
-        {
-        int retlen = 0;
-
-        char *cer_ou1, *cer_ou2, *cer_ou3;
-	char *cer_cn, *cer_e, *cer_o, *cer_l;
-
-        /* This is pretty ugly looking but only used
-           here for this one purpose. */
-
-	cer_cn  = CERT_GetCommonName (&cert->issuer);
-        cer_e   = CERT_GetCertEmailAddress (&cert->issuer);
-        cer_ou3 = jar_cert_element (ret, "OU=", 3);
-        cer_ou2 = jar_cert_element (ret, "OU=", 2);
-        cer_ou1 = jar_cert_element (ret, "OU=", 1);
-        cer_o   = CERT_GetOrgName (&cert->issuer);
-        cer_l   = CERT_GetCountryName (&cert->issuer);
-
-        if (cer_cn)  retlen += SEPLEN + PORT_Strlen (cer_cn);
-        if (cer_e)   retlen += SEPLEN + PORT_Strlen (cer_e);
-        if (cer_ou1) retlen += SEPLEN + PORT_Strlen (cer_ou1);
-        if (cer_ou2) retlen += SEPLEN + PORT_Strlen (cer_ou2);
-        if (cer_ou3) retlen += SEPLEN + PORT_Strlen (cer_ou3);
-        if (cer_o)   retlen += SEPLEN + PORT_Strlen (cer_o);
-        if (cer_l)   retlen += SEPLEN + PORT_Strlen (cer_l);
-
-        ret = (char *) PORT_ZAlloc (1 + retlen);
-
-        if (cer_cn)  { PORT_Strcpy (ret, cer_cn);  PORT_Strcat (ret, SEP); }
-        if (cer_e)   { PORT_Strcat (ret, cer_e);   PORT_Strcat (ret, SEP); }
-        if (cer_ou1) { PORT_Strcat (ret, cer_ou1); PORT_Strcat (ret, SEP); }
-        if (cer_ou2) { PORT_Strcat (ret, cer_ou2); PORT_Strcat (ret, SEP); }
-        if (cer_ou3) { PORT_Strcat (ret, cer_ou3); PORT_Strcat (ret, SEP); }
-        if (cer_o)   { PORT_Strcat (ret, cer_o);   PORT_Strcat (ret, SEP); }
-        if (cer_l)     PORT_Strcat (ret, cer_l);
-
-	/* return here to avoid unsightly memory leak */
-
-        *result = ret;
-        *length = PORT_Strlen (ret);
-
-        return 0;
-        }
-
-      break;
-
-    case jarCertSerial:
-
-      ret = CERT_Hexify (&cert->serialNumber, 1);
-      break;
-
-    case jarCertExpires:
-
-      ret = DER_UTCDayToAscii (&cert->validity.notAfter);
-      break;
-
-    case jarCertNickname:
-
-      ret = jar_choose_nickname (cert);
-      break;
-
-    case jarCertFinger:
-
-      dig = JAR_calculate_digest 
-         ((char *) cert->derCert.data, cert->derCert.len);
-
-      if (dig)
-        {
-        hexme.len = sizeof (dig->md5);
-        hexme.data = dig->md5;
-        ret = CERT_Hexify (&hexme, 1);
-        }
-      break;
-
-    default:
-
-      return JAR_ERR_GENERAL;
-    }
-
-  *result = ret ? PORT_Strdup (ret) : NULL;
-  *length = ret ? PORT_Strlen (ret) : 0;
-
-  return 0;
-  }
-
-/* 
- *  j a r  _ c e r t _ e l e m e n t
- *
- *  Retrieve an element from an x400ish ascii
- *  designator, in a hackish sort of way. The right
- *  thing would probably be to sort AVATags.
- *
- */
-
-static char *jar_cert_element (char *name, char *tag, int occ)
-  {
-  if (name && tag)
-    {
-    char *s;
-    int found = 0;
-
-    while (occ--)
-      {
-      if (PORT_Strstr (name, tag))
-        {
-        name = PORT_Strstr (name, tag) + PORT_Strlen (tag);
-        found = 1;
-        }
-      else
-        {
-        name = PORT_Strstr (name, "=");
-        if (name == NULL) return NULL;
-        found = 0;
-        }
-      }
-
-    if (!found) return NULL;
-
-    /* must mangle only the copy */
-    name = PORT_Strdup (name);
-
-    /* advance to next equal */
-    for (s = name; *s && *s != '='; s++)
-      /* yip */ ;
-
-    /* back up to previous comma */
-    while (s > name && *s != ',') s--;
-
-    /* zap the whitespace and return */
-    *s = 0;
-    }
-
-  return name;
-  }
-
-/* 
- *  j a r _ c h o o s e _ n i c k n a m e
- *
- *  Attempt to determine a suitable nickname for
- *  a certificate with a computer-generated "tmpcertxxx" 
- *  nickname. It needs to be something a user can
- *  understand, so try a few things.
- *
- */
-
-static char *jar_choose_nickname (CERTCertificate *cert)
-  {
-  char *cert_cn;
-  char *cert_o;
-  char *cert_cn_o;
-
-  int cn_o_length;
-
-  /* is the existing name ok */
-
-  if (cert->nickname && PORT_Strncmp (cert->nickname, "tmpcert", 7))
-    return PORT_Strdup (cert->nickname);
-
-  /* we have an ugly name here people */
-
-  /* Try the CN */
-  cert_cn = CERT_GetCommonName (&cert->subject);
-
-  if (cert_cn)
-    {
-    /* check for duplicate nickname */
-
-#ifdef USE_MOZ_THREAD
-    if (jar_moz_nickname (CERT_GetDefaultCertDB(), cert_cn) == NULL)
-#else
-    if (CERT_FindCertByNickname (CERT_GetDefaultCertDB(), cert_cn) == NULL)
-#endif
-      return cert_cn;
-
-    /* Try the CN plus O */
-    cert_o = CERT_GetOrgName (&cert->subject);
-
-    cn_o_length = PORT_Strlen (cert_cn) + 3 + PORT_Strlen (cert_o) + 20;
-    cert_cn_o = (char*)PORT_ZAlloc (cn_o_length);
-
-    PR_snprintf (cert_cn_o, cn_o_length, 
-           "%s's %s Certificate", cert_cn, cert_o);
-
-#ifdef USE_MOZ_THREAD
-    if (jar_moz_nickname (CERT_GetDefaultCertDB(), cert_cn_o) == NULL)
-#else
-    if (CERT_FindCertByNickname (CERT_GetDefaultCertDB(), cert_cn_o) == NULL)
-#endif
-      return cert_cn;
-    }
-
-  /* If all that failed, use the ugly nickname */
-  return cert->nickname ? PORT_Strdup (cert->nickname) : NULL;
-  }
-
-/*
- *  J A R _ c e r t _ h t m l 
- *
- *  Return an HTML representation of the certificate
- *  designated by the given fingerprint, in specified style.
- *
- *  JAR is optional, but supply it if you can in order
- *  to optimize.
- *
- */
-
-char *JAR_cert_html
-    (JAR *jar, int style, long keylen, void *key, int *result)
-  {
-#ifdef notdef
-  char *html;
-#endif
-  CERTCertificate *cert;
-
-  *result = -1;
-
-  if (style != 0)
-    return NULL;
-
-  cert = jar_get_certificate (jar, keylen, key, result);
-
-  if (cert == NULL || *result < 0)
-    return NULL;
-
-  *result = -1;
-
-   return NULL;
-
-#ifdef notdef
-  html = CERT_HTMLCertInfo (cert, /* show images */ PR_TRUE,
-		/*show issuer*/PR_TRUE);
-
-  if (html == NULL)
-    *result = -1;
-
-  return html;
-#endif
-  }
-
-/*
- *  J A R _ s t a s h _ c e r t
- *
- *  Stash the certificate pointed to by this
- *  fingerprint, in persistent storage somewhere.
- *
- */
-
-extern int PR_CALLBACK JAR_stash_cert
-    (JAR *jar, long keylen, void *key)
-  {
-  int result = 0;
-
-  char *nickname;
-  CERTCertTrust trust;
-
-  CERTCertDBHandle *certdb;
-  CERTCertificate *cert, *newcert;
-
-  cert = jar_get_certificate (jar, keylen, key, &result);
-
-  if (result < 0)
-    return result;
-
-  if (cert == NULL)
-    return JAR_ERR_GENERAL;
-
-  if ((certdb = JAR_open_database()) == NULL)
-    return JAR_ERR_GENERAL;
-
-  /* Attempt to give a name to the newish certificate */
-  nickname = jar_choose_nickname (cert);
-
-#ifdef USE_MOZ_THREAD
-  newcert = jar_moz_nickname (certdb, nickname);
-#else
-  newcert = CERT_FindCertByNickname (certdb, nickname);
-#endif
-
-  if (newcert && newcert->isperm) 
-    {
-    /* already in permanant database */
-    return 0;
-    }
-
-  if (newcert) cert = newcert;
-
-  /* FIX, since FindCert returns a bogus dbhandle
-     set it ourselves */
-
-  cert->dbhandle = certdb;
-
-#if 0
-  nickname = cert->subjectName;
-  if (nickname)
-    {
-    /* Not checking for a conflict here. But this should
-       be a new cert or it would have been found earlier. */
-
-    nickname = jar_cert_element (nickname, "CN=", 1);
-
-    if (SEC_CertNicknameConflict (nickname, cert->dbhandle))
-      {
-      /* conflict */
-      nickname = PORT_Realloc (&nickname, PORT_Strlen (nickname) + 3);
-
-      /* Beyond one copy, there are probably serious problems 
-         so we will stop at two rather than counting.. */
-
-      PORT_Strcat (nickname, " #2");
-      }
-    }
-#endif
-
-  if (nickname != NULL)
-    {
-    PORT_Memset ((void *) &trust, 0, sizeof(trust));
-
-#ifdef USE_MOZ_THREAD
-    if (jar_moz_perm (cert, nickname, &trust) != SECSuccess) 
-#else
-    if (CERT_AddTempCertToPerm (cert, nickname, &trust) != SECSuccess) 
-#endif
-      {
-      /* XXX might want to call PORT_GetError here */
-      result = JAR_ERR_GENERAL;
-      }
-    }
-
-  JAR_close_database (certdb);
-
-  return result;
-  }
-
-/*
- *  J A R _ f e t c h _ c e r t
- *
- *  Given an opaque identifier of a certificate, 
- *  return the full certificate.
- *
- * The new function, which retrieves by key.
- *
- */
-
-void *JAR_fetch_cert (long length, void *key)
-  {
-  CERTIssuerAndSN issuerSN;
-  CERTCertificate *cert = NULL;
-
-  CERTCertDBHandle *certdb;
-
-  certdb = JAR_open_database();
-
-  if (certdb)
-    {
-    unsigned char *keyData = (unsigned char *)key;
-    issuerSN.derIssuer.len = (keyData[0] << 8) + keyData[0];
-    issuerSN.derIssuer.data = &keyData[2];
-    issuerSN.serialNumber.len = length - (2 + issuerSN.derIssuer.len);
-    issuerSN.serialNumber.data = &keyData[2+issuerSN.derIssuer.len];
-
-#ifdef USE_MOZ_THREAD
-    cert = jar_moz_certkey (certdb, &issuerSN);
-#else
-    cert = CERT_FindCertByIssuerAndSN (certdb, &issuerSN);
-#endif
-
-    JAR_close_database (certdb);
-    }
-
-  return (void *) cert;
-  }
-
-/*
- *  j a r _ g e t _ m f _ d i g e s t
- *
- *  Retrieve a corresponding saved digest over a section
- *  of the main manifest file. 
- *
- */
-
-static JAR_Digest *jar_get_mf_digest (JAR *jar, char *pathname)
-  {
-  JAR_Item *it;
-
-  JAR_Digest *dig;
-
-  ZZLink *link;
-  ZZList *list;
-
-  list = jar->manifest;
-
-  if (ZZ_ListEmpty (list))
-    return NULL;
-
-  for (link = ZZ_ListHead (list);
-       !ZZ_ListIterDone (list, link);
-       link = link->next)
-    {
-    it = link->thing;
-    if (it->type == jarTypeSect 
-          && it->pathname && !PORT_Strcmp (it->pathname, pathname))
-      {
-      dig = (JAR_Digest *) it->data;
-      return dig;
-      }
-    }
-
-  return NULL;
-  }
-
-/*
- *  j a r _ b a s e n a m e
- *
- *  Return the basename -- leading components of path stripped off,
- *  extension ripped off -- of a path.
- *
- */
-
-static char *jar_basename (const char *path)
-  {
-  char *pith, *e, *basename, *ext;
-
-  if (path == NULL)
-    return PORT_Strdup ("");
-
-  pith = PORT_Strdup (path);
-
-  basename = pith;
-
-  while (1)
-    {
-    for (e = basename; *e && *e != '/' && *e != '\\'; e++)
-      /* yip */ ;
-    if (*e) 
-      basename = ++e; 
-    else
-      break;
-    }
-
-  if ((ext = PORT_Strrchr (basename, '.')) != NULL)
-    *ext = 0;
-
-  /* We already have the space allocated */
-  PORT_Strcpy (pith, basename);
-
-  return pith;
-  }
-
-/*
- *  + + + + + + + + + + + + + + +
- *
- *  CRYPTO ROUTINES FOR JAR
- *
- *  The following functions are the cryptographic 
- *  interface to PKCS7 for Jarnatures.
- *
- *  + + + + + + + + + + + + + + +
- *
- */
-
-/*
- *  j a r _ c a t c h _ b y t e s
- *
- *  In the event signatures contain enveloped data, it will show up here.
- *  But note that the lib/pkcs7 routines aren't ready for it.
- *
- */
-
-static void jar_catch_bytes
-     (void *arg, const char *buf, unsigned long len)
-  {
-  /* Actually this should never be called, since there is
-     presumably no data in the signature itself. */
-  }
-
-/*
- *  j a r _ v a l i d a t e _ p k c s 7
- *
- *  Validate (and decode, if necessary) a binary pkcs7
- *  signature in DER format.
- *
- */
-
-static int jar_validate_pkcs7 
-     (JAR *jar, JAR_Signer *signer, char *data, long length)
-  {
-  SECItem detdig;
-
-  SEC_PKCS7ContentInfo *cinfo = NULL;
-  SEC_PKCS7DecoderContext *dcx;
-
-  int status = 0;
-  char *errstring = NULL;
-
-  PORT_Assert( jar != NULL && signer != NULL );
-
-  if (jar == NULL || signer == NULL)
-    return JAR_ERR_ORDER;
-
-  signer->valid = JAR_ERR_SIG;
-
-  /* We need a context if we can get one */
-
-#ifdef MOZILLA_CLIENT_OLD
-  if (jar->mw == NULL) {
-    JAR_set_context (jar, NULL);
-  }
-#endif
-
-
-  dcx = SEC_PKCS7DecoderStart
-           (jar_catch_bytes, NULL /*cb_arg*/, NULL /*getpassword*/, jar->mw,
-            NULL, NULL, NULL);
-
-  if (dcx == NULL) 
-    {
-    /* strange pkcs7 failure */
-    return JAR_ERR_PK7;
-    }
-
-  SEC_PKCS7DecoderUpdate (dcx, data, length);
-  cinfo = SEC_PKCS7DecoderFinish (dcx);
-
-  if (cinfo == NULL)
-    {
-    /* strange pkcs7 failure */
-    return JAR_ERR_PK7;
-    }
-
-  if (SEC_PKCS7ContentIsEncrypted (cinfo))
-    {
-    /* content was encrypted, fail */
-    return JAR_ERR_PK7;
-    }
-
-  if (SEC_PKCS7ContentIsSigned (cinfo) == PR_FALSE)
-    {
-    /* content was not signed, fail */
-    return JAR_ERR_PK7;
-    }
-
-  PORT_SetError (0);
-
-  /* use SHA1 only */
-
-  detdig.len = SHA1_LENGTH;
-  detdig.data = signer->digest->sha1;
-
-#ifdef USE_MOZ_THREAD
-  if (jar_moz_verify
-        (cinfo, certUsageObjectSigner, &detdig, HASH_AlgSHA1, PR_FALSE)==
-		SECSuccess)
-#else
-  if (SEC_PKCS7VerifyDetachedSignature 
-        (cinfo, certUsageObjectSigner, &detdig, HASH_AlgSHA1, PR_FALSE)==
-		PR_TRUE)
-#endif
-    {
-    /* signature is valid */
-    signer->valid = 0;
-    jar_gather_signers (jar, signer, cinfo);
-    }
-  else
-    {
-    status = PORT_GetError();
-
-    PORT_Assert( status < 0 );
-    if (status >= 0) status = JAR_ERR_SIG;
-
-    jar->valid = status;
-    signer->valid = status;
-
-    errstring = JAR_get_error (status);
-    /*XP_TRACE(("JAR signature invalid (reason %d = %s)", status, errstring));*/
-    }
-
-  jar->pkcs7 = PR_TRUE;
-  signer->pkcs7 = PR_TRUE;
-
-  SEC_PKCS7DestroyContentInfo (cinfo);
-
-  return status;
-  }
-
-/*
- *  j a r _ g a t h e r _ s i g n e r s
- *
- *  Add the single signer of this signature to the
- *  certificate linked list.
- *
- */
-
-static int jar_gather_signers
-     (JAR *jar, JAR_Signer *signer, SEC_PKCS7ContentInfo *cinfo)
-  {
-  int result;
-
-  CERTCertificate *cert;
-  CERTCertDBHandle *certdb;
-
-  SEC_PKCS7SignedData *sdp;
-  SEC_PKCS7SignerInfo **pksigners, *pksigner;
-
-  sdp = cinfo->content.signedData;
-
-  if (sdp == NULL)
-    return JAR_ERR_PK7;
-
-  pksigners = sdp->signerInfos;
-
-  /* permit exactly one signer */
-
-  if (pksigners == NULL || pksigners [0] == NULL || pksigners [1] != NULL)
-    return JAR_ERR_PK7;
-
-  pksigner = *pksigners;
-  cert = pksigner->cert;
-
-  if (cert == NULL)
-    return JAR_ERR_PK7;
-
-  certdb = JAR_open_database();
-
-  if (certdb == NULL)
-    return JAR_ERR_GENERAL;
-
-  result = jar_add_cert (jar, signer, jarTypeSign, cert);
-
-  JAR_close_database (certdb);
-
-  return result;
-  }
-
-/*
- *  j a r _ o p e n _ d a t a b a s e
- *
- *  Open the certificate database,
- *  for use by JAR functions.
- *
- */
-
-CERTCertDBHandle *JAR_open_database (void)
-  {
-  CERTCertDBHandle *certdb;
-
-  certdb = CERT_GetDefaultCertDB();
-
-  return certdb;
-  }
-
-/*
- *  j a r _ c l o s e _ d a t a b a s e
- *
- *  Close the certificate database.
- *  For use by JAR functions.
- *
- */
-
-int JAR_close_database (CERTCertDBHandle *certdb)
-  {
-#ifdef notdef
-  CERTCertDBHandle *defaultdb;
-
-  /* This really just retrieves the handle, nothing more */
-  defaultdb = CERT_GetDefaultCertDB();
-
-  /* If there is no default db, it means we opened 
-     the permanent database for some reason */
-
-  if (defaultdb == NULL && certdb != NULL)
-    CERT_ClosePermCertDB (certdb);
-#endif
-
-  return 0;
-  }
-
-/*
- *  j a r _ g e t _ c e r t i f i c a t e
- *
- *  Return the certificate referenced
- *  by a given fingerprint, or NULL if not found.
- *  Error code is returned in result.
- *
- */
-
-static CERTCertificate *jar_get_certificate
-      (JAR *jar, long keylen, void *key, int *result)
-  {
-  int found = 0;
-
-  JAR_Item *it;
-  JAR_Cert *fing = NULL;
-
-  JAR_Context *ctx;
-
-  if (jar == NULL) 
-    {
-    void *cert;
-    cert = JAR_fetch_cert (keylen, key);
-    *result = (cert == NULL) ? JAR_ERR_GENERAL : 0;
-    return (CERTCertificate *) cert;
-    }
-
-  ctx = JAR_find (jar, NULL, jarTypeSign);
-
-  while (JAR_find_next (ctx, &it) >= 0)
-    {
-    fing = (JAR_Cert *) it->data;
-
-    if (keylen != fing->length)
-      continue;
-
-    PORT_Assert( keylen < 0xFFFF );
-    if (!PORT_Memcmp (fing->key, key, keylen))
-      {
-      found = 1;
-      break;
-      }
-    }
-
-  JAR_find_end (ctx);
-
-  if (found == 0)
-    {
-    *result = JAR_ERR_GENERAL;
-    return NULL;
-    }
-
-  PORT_Assert(fing != NULL);
-  *result = 0;
-  return fing->cert;
-  }
-
-/*
- *  j a r _ s i g n a l
- *
- *  Nonfatal errors come here to callback Java.
- *  
- */
-
-static int jar_signal 
-     (int status, JAR *jar, const char *metafile, char *pathname)
-  {
-  char *errstring;
-
-  errstring = JAR_get_error (status);
-
-  if (jar->signal)
-    {
-    (*jar->signal) (status, jar, metafile, pathname, errstring);
-    return 0;
-    }
-
-  return status;
-  }
-
-/*
- *  j a r _ a p p e n d
- *
- *  Tack on an element to one of a JAR's linked
- *  lists, with rudimentary error handling.
- *
- */
-
-int jar_append (ZZList *list, int type, 
-        char *pathname, void *data, size_t size)
-  {
-  JAR_Item *it;
-  ZZLink *entity;
-
-  it = (JAR_Item*)PORT_ZAlloc (sizeof (JAR_Item));
-
-  if (it == NULL)
-    goto loser;
-
-  if (pathname)
-    {
-    it->pathname = PORT_Strdup (pathname);
-    if (it->pathname == NULL)
-      goto loser;
-    }
-
-  it->type = (jarType)type;
-  it->data = (unsigned char *) data;
-  it->size = size;
-
-  entity = ZZ_NewLink (it);
-
-  if (entity)
-    {
-    ZZ_AppendLink (list, entity);
-    return 0;
-    }
-
-loser:
-
-  if (it)
-    {
-    if (it->pathname) PORT_Free (it->pathname);
-    PORT_Free (it);
-    }
-
-  return JAR_ERR_MEMORY;
-  }
-
-/* 
- *  W I N 1 6   s t u f f
- *
- *  These functions possibly belong in xp_mem.c, they operate 
- *  on huge string pointers for win16.
- *
- */
-
-#if defined(XP_WIN16)
-int xp_HUGE_STRNCASECMP (char ZHUGEP *buf, char *key, int len)
-  {
-  while (len--) 
-    {
-    char c1, c2;
-
-    c1 = *buf++;
-    c2 = *key++;
-
-    if (c1 >= 'a' && c1 <= 'z') c1 -= ('a' - 'A');
-    if (c2 >= 'a' && c2 <= 'z') c2 -= ('a' - 'A');
-
-    if (c1 != c2) 
-      return (c1 < c2) ? -1 : 1;
-    }
-  return 0;
-  }
-
-size_t xp_HUGE_STRLEN (char ZHUGEP *s)
-  {
-  size_t len = 0L;
-  while (*s++) len++;
-  return len;
-  }
-
-char *xp_HUGE_STRCPY (char *to, char ZHUGEP *from)
-  {
-  char *ret = to;
-
-  while (*from)
-    *to++ = *from++;
-  *to = 0;
-
-  return ret;
-  }
-#endif
diff --git a/security/nss/lib/jar/jzconf.h b/security/nss/lib/jar/jzconf.h
deleted file mode 100644
index 278aaa5d5..000000000
--- a/security/nss/lib/jar/jzconf.h
+++ /dev/null
@@ -1,190 +0,0 @@
-/* zconf.h -- configuration of the zlib compression library
- * Copyright (C) 1995-1996 Jean-loup Gailly.
- * For conditions of distribution and use, see copyright notice in zlib.h 
- */
-/* This file was modified since it was taken from the zlib distribution */
-/* $Id$ */
-
-#ifndef _ZCONF_H
-#define _ZCONF_H
-
-/*
- * If you *really* need a unique prefix for all types and library functions,
- * compile with -DZ_PREFIX. The "standard" zlib should be compiled without it.
- */
-#ifdef Z_PREFIX
-#  define deflateInit_	z_deflateInit_
-#  define deflate	z_deflate
-#  define deflateEnd	z_deflateEnd
-#  define inflateInit_ 	z_inflateInit_
-#  define inflate	z_inflate
-#  define inflateEnd	z_inflateEnd
-#  define deflateInit2_	z_deflateInit2_
-#  define deflateSetDictionary z_deflateSetDictionary
-#  define deflateCopy	z_deflateCopy
-#  define deflateReset	z_deflateReset
-#  define deflateParams	z_deflateParams
-#  define inflateInit2_	z_inflateInit2_
-#  define inflateSetDictionary z_inflateSetDictionary
-#  define inflateSync	z_inflateSync
-#  define inflateReset	z_inflateReset
-#  define compress	z_compress
-#  define uncompress	z_uncompress
-#  define adler32	z_adler32
-#  define crc32		z_crc32
-#  define get_crc_table z_get_crc_table
-
-#  define Byte		z_Byte
-#  define uInt		z_uInt
-#  define uLong		z_uLong
-#  define Bytef	        z_Bytef
-#  define charf		z_charf
-#  define intf		z_intf
-#  define uIntf		z_uIntf
-#  define uLongf	z_uLongf
-#  define voidpf	z_voidpf
-#  define voidp		z_voidp
-#endif
-
-#if (defined(_WIN32) || defined(__WIN32__)) && !defined(WIN32)
-#  define WIN32
-#endif
-#if defined(__GNUC__) || defined(WIN32) || defined(__386__) || defined(i386)
-#  ifndef __32BIT__
-#    define __32BIT__
-#  endif
-#endif
-#if defined(__MSDOS__) && !defined(MSDOS)
-#  define MSDOS
-#endif
-
-/*
- * Compile with -DMAXSEG_64K if the alloc function cannot allocate more
- * than 64k bytes at a time (needed on systems with 16-bit int).
- */
-#if defined(MSDOS) && !defined(__32BIT__)
-#  define MAXSEG_64K
-#endif
-#ifdef MSDOS
-#  define UNALIGNED_OK
-#endif
-
-#if (defined(MSDOS) || defined(_WINDOWS) || defined(WIN32) || defined(XP_OS2))  && !defined(STDC)
-#  define STDC
-#endif
-#if (defined(__STDC__) || defined(__cplusplus)) && !defined(STDC)
-#  define STDC
-#endif
-
-#ifndef STDC
-#  ifndef const /* cannot use !defined(STDC) && !defined(const) on Mac */
-#    define const
-#  endif
-#endif
-
-/* Some Mac compilers merge all .h files incorrectly: */
-#if defined(__MWERKS__) || defined(applec) ||defined(THINK_C) ||defined(__SC__)
-#  define NO_DUMMY_DECL
-#endif
-
-/* Maximum value for memLevel in deflateInit2 */
-#ifndef MAX_MEM_LEVEL
-#  ifdef MAXSEG_64K
-#    define MAX_MEM_LEVEL 8
-#  else
-#    define MAX_MEM_LEVEL 9
-#  endif
-#endif
-
-/* Maximum value for windowBits in deflateInit2 and inflateInit2 */
-#ifndef MAX_WBITS
-#  define MAX_WBITS   15 /* 32K LZ77 window */
-#endif
-
-/* The memory requirements for deflate are (in bytes):
-            1 << (windowBits+2)   +  1 << (memLevel+9)
- that is: 128K for windowBits=15  +  128K for memLevel = 8  (default values)
- plus a few kilobytes for small objects. For example, if you want to reduce
- the default memory requirements from 256K to 128K, compile with
-     make CFLAGS="-O -DMAX_WBITS=14 -DMAX_MEM_LEVEL=7"
- Of course this will generally degrade compression (there's no free lunch).
-
-   The memory requirements for inflate are (in bytes) 1 << windowBits
- that is, 32K for windowBits=15 (default value) plus a few kilobytes
- for small objects.
-*/
-
-                        /* Type declarations */
-
-#ifndef OF /* function prototypes */
-#  ifdef STDC
-#    define OF(args)  args
-#  else
-#    define OF(args)  ()
-#  endif
-#endif
-
-/* The following definitions for FAR are needed only for MSDOS mixed
- * model programming (small or medium model with some far allocations).
- * This was tested only with MSC; for other MSDOS compilers you may have
- * to define NO_MEMCPY in zutil.h.  If you don't need the mixed model,
- * just define FAR to be empty.
- */
-#if (defined(M_I86SM) || defined(M_I86MM)) && !defined(__32BIT__)
-   /* MSC small or medium model */
-#  define SMALL_MEDIUM
-#  ifdef _MSC_VER
-#    define FAR __far
-#  else
-#    define FAR far
-#  endif
-#endif
-#if defined(__BORLANDC__) && (defined(__SMALL__) || defined(__MEDIUM__))
-#  ifndef __32BIT__
-#    define SMALL_MEDIUM
-#    define FAR __far
-#  endif
-#endif
-#ifndef FAR
-#   define FAR
-#endif
-
-typedef unsigned char  Byte;  /* 8 bits */
-typedef unsigned int   uInt;  /* 16 bits or more */
-typedef unsigned long  uLong; /* 32 bits or more */
-
-#if defined(__BORLANDC__) && defined(SMALL_MEDIUM)
-   /* Borland C/C++ ignores FAR inside typedef */
-#  define Bytef Byte FAR
-#else
-   typedef Byte  FAR Bytef;
-#endif
-typedef char  FAR charf;
-typedef int   FAR intf;
-typedef uInt  FAR uIntf;
-typedef uLong FAR uLongf;
-
-#ifdef STDC
-   typedef void FAR *voidpf;
-   typedef void     *voidp;
-#else
-   typedef Byte FAR *voidpf;
-   typedef Byte     *voidp;
-#endif
-
-#ifdef MOZILLA_CLIENT
-#include "prtypes.h"
-#else
-/* Compile with -DZLIB_DLL for Windows DLL support */
-#if (defined(_WINDOWS) || defined(WINDOWS)) && defined(ZLIB_DLL)
-#  include <windows.h>
-#  define EXPORT  WINAPI
-#else
-#  define EXPORT
-#endif
-
-#define PR_PUBLIC_API(type) type
-
-#endif /* MOZILLA_CLIENT */
-
-#endif /* _ZCONF_H */
diff --git a/security/nss/lib/jar/jzlib.h b/security/nss/lib/jar/jzlib.h
deleted file mode 100644
index dd5b4d8e9..000000000
--- a/security/nss/lib/jar/jzlib.h
+++ /dev/null
@@ -1,896 +0,0 @@
-/* zlib.h -- interface of the 'zlib' general purpose compression library
-  version 1.0.4, Jul 24th, 1996.
-
-  Copyright (C) 1995-1996 Jean-loup Gailly and Mark Adler
-
-  This software is provided 'as-is', without any express or implied
-  warranty.  In no event will the authors be held liable for any damages
-  arising from the use of this software.
-
-  Permission is granted to anyone to use this software for any purpose,
-  including commercial applications, and to alter it and redistribute it
-  freely, subject to the following restrictions:
-
-  1. The origin of this software must not be misrepresented; you must not
-     claim that you wrote the original software. If you use this software
-     in a product, an acknowledgment in the product documentation would be
-     appreciated but is not required.
-  2. Altered source versions must be plainly marked as such, and must not be
-     misrepresented as being the original software.
-  3. This notice may not be removed or altered from any source distribution.
-
-  Jean-loup Gailly        Mark Adler
-  gzip@prep.ai.mit.edu    madler@alumni.caltech.edu
-
-
-  The data format used by the zlib library is described by RFCs (Request for
-  Comments) 1950 to 1952 in the files ftp://ds.internic.net/rfc/rfc1950.txt
-  (zlib format), rfc1951.txt (deflate format) and rfc1952.txt (gzip format).
-*/
-/* This file was modified since it was taken from the zlib distribution */
-
-#ifndef _ZLIB_H
-#define _ZLIB_H
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#ifdef MOZILLA_CLIENT
-#include "jzconf.h"
-#else
-#include "zconf.h"
-#endif
-
-#define ZLIB_VERSION "1.0.4"
-
-/* 
-     The 'zlib' compression library provides in-memory compression and
-  decompression functions, including integrity checks of the uncompressed
-  data.  This version of the library supports only one compression method
-  (deflation) but other algorithms may be added later and will have the same
-  stream interface.
-
-     For compression the application must provide the output buffer and
-  may optionally provide the input buffer for optimization. For decompression,
-  the application must provide the input buffer and may optionally provide
-  the output buffer for optimization.
-
-     Compression can be done in a single step if the buffers are large
-  enough (for example if an input file is mmap'ed), or can be done by
-  repeated calls of the compression function.  In the latter case, the
-  application must provide more input and/or consume the output
-  (providing more output space) before each call.
-
-     The library does not install any signal handler. It is recommended to
-  add at least a handler for SIGSEGV when decompressing; the library checks
-  the consistency of the input data whenever possible but may go nuts
-  for some forms of corrupted input.
-*/
-
-typedef voidpf (*alloc_func) OF((voidpf opaque, uInt items, uInt size));
-typedef void   (*free_func)  OF((voidpf opaque, voidpf address));
-
-struct internal_state;
-
-typedef struct z_stream_s {
-    Bytef    *next_in;  /* next input byte */
-    uInt     avail_in;  /* number of bytes available at next_in */
-    uLong    total_in;  /* total nb of input bytes read so far */
-
-    Bytef    *next_out; /* next output byte should be put there */
-    uInt     avail_out; /* remaining free space at next_out */
-    uLong    total_out; /* total nb of bytes output so far */
-
-    char     *msg;      /* last error message, NULL if no error */
-    struct internal_state FAR *state; /* not visible by applications */
-
-    alloc_func zalloc;  /* used to allocate the internal state */
-    free_func  zfree;   /* used to free the internal state */
-    voidpf     opaque;  /* private data object passed to zalloc and zfree */
-
-    int     data_type;  /* best guess about the data type: ascii or binary */
-    uLong   adler;      /* adler32 value of the uncompressed data */
-    uLong   reserved;   /* reserved for future use */
-} z_stream;
-
-typedef z_stream FAR *z_streamp;
-
-/*
-   The application must update next_in and avail_in when avail_in has
-   dropped to zero. It must update next_out and avail_out when avail_out
-   has dropped to zero. The application must initialize zalloc, zfree and
-   opaque before calling the init function. All other fields are set by the
-   compression library and must not be updated by the application.
-
-   The opaque value provided by the application will be passed as the first
-   parameter for calls of zalloc and zfree. This can be useful for custom
-   memory management. The compression library attaches no meaning to the
-   opaque value.
-
-   zalloc must return Z_NULL if there is not enough memory for the object.
-   On 16-bit systems, the functions zalloc and zfree must be able to allocate
-   exactly 65536 bytes, but will not be required to allocate more than this
-   if the symbol MAXSEG_64K is defined (see zconf.h). WARNING: On MSDOS,
-   pointers returned by zalloc for objects of exactly 65536 bytes *must*
-   have their offset normalized to zero. The default allocation function
-   provided by this library ensures this (see zutil.c). To reduce memory
-   requirements and avoid any allocation of 64K objects, at the expense of
-   compression ratio, compile the library with -DMAX_WBITS=14 (see zconf.h).
-
-   The fields total_in and total_out can be used for statistics or
-   progress reports. After compression, total_in holds the total size of
-   the uncompressed data and may be saved for use in the decompressor
-   (particularly if the decompressor wants to decompress everything in
-   a single step).
-*/
-
-                        /* constants */
-
-#define Z_NO_FLUSH      0
-#define Z_PARTIAL_FLUSH 1
-#define Z_SYNC_FLUSH    2
-#define Z_FULL_FLUSH    3
-#define Z_FINISH        4
-/* Allowed flush values; see deflate() below for details */
-
-#define Z_OK            0
-#define Z_STREAM_END    1
-#define Z_NEED_DICT     2
-#define Z_ERRNO        (-1)
-#define Z_STREAM_ERROR (-2)
-#define Z_DATA_ERROR   (-3)
-#define Z_MEM_ERROR    (-4)
-#define Z_BUF_ERROR    (-5)
-#define Z_VERSION_ERROR (-6)
-/* Return codes for the compression/decompression functions. Negative
- * values are errors, positive values are used for special but normal events.
- */
-
-#define Z_NO_COMPRESSION         0
-#define Z_BEST_SPEED             1
-#define Z_BEST_COMPRESSION       9
-#define Z_DEFAULT_COMPRESSION  (-1)
-/* compression levels */
-
-#define Z_FILTERED            1
-#define Z_HUFFMAN_ONLY        2
-#define Z_DEFAULT_STRATEGY    0
-/* compression strategy; see deflateInit2() below for details */
-
-#define Z_BINARY   0
-#define Z_ASCII    1
-#define Z_UNKNOWN  2
-/* Possible values of the data_type field */
-
-#define Z_DEFLATED   8
-/* The deflate compression method (the only one supported in this version) */
-
-#define Z_NULL  0  /* for initializing zalloc, zfree, opaque */
-
-#define zlib_version zlibVersion()
-/* for compatibility with versions < 1.0.2 */
-
-                        /* basic functions */
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern const char *) zlibVersion (void);
-#else
-extern const char * EXPORT zlibVersion OF((void));
-#endif
-/* The application can compare zlibVersion and ZLIB_VERSION for consistency.
-   If the first character differs, the library code actually used is
-   not compatible with the zlib.h header file used by the application.
-   This check is automatically made by deflateInit and inflateInit.
- */
-
-/* 
-extern int EXPORT deflateInit OF((z_streamp strm, int level));
-
-     Initializes the internal stream state for compression. The fields
-   zalloc, zfree and opaque must be initialized before by the caller.
-   If zalloc and zfree are set to Z_NULL, deflateInit updates them to
-   use default allocation functions.
-
-     The compression level must be Z_DEFAULT_COMPRESSION, or between 0 and 9:
-   1 gives best speed, 9 gives best compression, 0 gives no compression at
-   all (the input data is simply copied a block at a time).
-   Z_DEFAULT_COMPRESSION requests a default compromise between speed and
-   compression (currently equivalent to level 6).
-
-     deflateInit returns Z_OK if success, Z_MEM_ERROR if there was not
-   enough memory, Z_STREAM_ERROR if level is not a valid compression level,
-   Z_VERSION_ERROR if the zlib library version (zlib_version) is incompatible
-   with the version assumed by the caller (ZLIB_VERSION).
-   msg is set to null if there is no error message.  deflateInit does not
-   perform any compression: this will be done by deflate().
-*/
-
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) deflate (z_streamp strm, int flush);
-#else
-extern int EXPORT deflate OF((z_streamp strm, int flush));
-#endif
-/*
-  Performs one or both of the following actions:
-
-  - Compress more input starting at next_in and update next_in and avail_in
-    accordingly. If not all input can be processed (because there is not
-    enough room in the output buffer), next_in and avail_in are updated and
-    processing will resume at this point for the next call of deflate().
-
-  - Provide more output starting at next_out and update next_out and avail_out
-    accordingly. This action is forced if the parameter flush is non zero.
-    Forcing flush frequently degrades the compression ratio, so this parameter
-    should be set only when necessary (in interactive applications).
-    Some output may be provided even if flush is not set.
-
-  Before the call of deflate(), the application should ensure that at least
-  one of the actions is possible, by providing more input and/or consuming
-  more output, and updating avail_in or avail_out accordingly; avail_out
-  should never be zero before the call. The application can consume the
-  compressed output when it wants, for example when the output buffer is full
-  (avail_out == 0), or after each call of deflate(). If deflate returns Z_OK
-  and with zero avail_out, it must be called again after making room in the
-  output buffer because there might be more output pending.
-
-    If the parameter flush is set to Z_PARTIAL_FLUSH, the current compression
-  block is terminated and flushed to the output buffer so that the
-  decompressor can get all input data available so far. For method 9, a future
-  variant on method 8, the current block will be flushed but not terminated.
-  Z_SYNC_FLUSH has the same effect as partial flush except that the compressed
-  output is byte aligned (the compressor can clear its internal bit buffer)
-  and the current block is always terminated; this can be useful if the
-  compressor has to be restarted from scratch after an interruption (in which
-  case the internal state of the compressor may be lost).
-    If flush is set to Z_FULL_FLUSH, the compression block is terminated, a
-  special marker is output and the compression dictionary is discarded; this
-  is useful to allow the decompressor to synchronize if one compressed block
-  has been damaged (see inflateSync below).  Flushing degrades compression and
-  so should be used only when necessary.  Using Z_FULL_FLUSH too often can
-  seriously degrade the compression. If deflate returns with avail_out == 0,
-  this function must be called again with the same value of the flush
-  parameter and more output space (updated avail_out), until the flush is
-  complete (deflate returns with non-zero avail_out).
-
-    If the parameter flush is set to Z_FINISH, pending input is processed,
-  pending output is flushed and deflate returns with Z_STREAM_END if there
-  was enough output space; if deflate returns with Z_OK, this function must be
-  called again with Z_FINISH and more output space (updated avail_out) but no
-  more input data, until it returns with Z_STREAM_END or an error. After
-  deflate has returned Z_STREAM_END, the only possible operations on the
-  stream are deflateReset or deflateEnd.
-  
-    Z_FINISH can be used immediately after deflateInit if all the compression
-  is to be done in a single step. In this case, avail_out must be at least
-  0.1% larger than avail_in plus 12 bytes.  If deflate does not return
-  Z_STREAM_END, then it must be called again as described above.
-
-    deflate() may update data_type if it can make a good guess about
-  the input data type (Z_ASCII or Z_BINARY). In doubt, the data is considered
-  binary. This field is only for information purposes and does not affect
-  the compression algorithm in any manner.
-
-    deflate() returns Z_OK if some progress has been made (more input
-  processed or more output produced), Z_STREAM_END if all input has been
-  consumed and all output has been produced (only when flush is set to
-  Z_FINISH), Z_STREAM_ERROR if the stream state was inconsistent (for example
-  if next_in or next_out was NULL), Z_BUF_ERROR if no progress is possible.
-*/
-
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) deflateEnd (z_streamp strm);
-#else
-extern int EXPORT deflateEnd OF((z_streamp strm));
-#endif
-/*
-     All dynamically allocated data structures for this stream are freed.
-   This function discards any unprocessed input and does not flush any
-   pending output.
-
-     deflateEnd returns Z_OK if success, Z_STREAM_ERROR if the
-   stream state was inconsistent, Z_DATA_ERROR if the stream was freed
-   prematurely (some input or output was discarded). In the error case,
-   msg may be set but then points to a static string (which must not be
-   deallocated).
-*/
-
-
-/* 
-extern int EXPORT inflateInit OF((z_streamp strm));
-
-     Initializes the internal stream state for decompression. The fields
-   zalloc, zfree and opaque must be initialized before by the caller.  If
-   zalloc and zfree are set to Z_NULL, inflateInit updates them to use default
-   allocation functions.
-
-     inflateInit returns Z_OK if success, Z_MEM_ERROR if there was not
-   enough memory, Z_VERSION_ERROR if the zlib library version is incompatible
-   with the version assumed by the caller.  msg is set to null if there is no
-   error message. inflateInit does not perform any decompression: this will be
-   done by inflate().
-*/
-
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) inflate (z_streamp strm, int flush);
-#else
-extern int EXPORT inflate OF((z_streamp strm, int flush));
-#endif
-/*
-  Performs one or both of the following actions:
-
-  - Decompress more input starting at next_in and update next_in and avail_in
-    accordingly. If not all input can be processed (because there is not
-    enough room in the output buffer), next_in is updated and processing
-    will resume at this point for the next call of inflate().
-
-  - Provide more output starting at next_out and update next_out and avail_out
-    accordingly.  inflate() provides as much output as possible, until there
-    is no more input data or no more space in the output buffer (see below
-    about the flush parameter).
-
-  Before the call of inflate(), the application should ensure that at least
-  one of the actions is possible, by providing more input and/or consuming
-  more output, and updating the next_* and avail_* values accordingly.
-  The application can consume the uncompressed output when it wants, for
-  example when the output buffer is full (avail_out == 0), or after each
-  call of inflate(). If inflate returns Z_OK and with zero avail_out, it
-  must be called again after making room in the output buffer because there
-  might be more output pending.
-
-    If the parameter flush is set to Z_PARTIAL_FLUSH, inflate flushes as much
-  output as possible to the output buffer. The flushing behavior of inflate is
-  not specified for values of the flush parameter other than Z_PARTIAL_FLUSH
-  and Z_FINISH, but the current implementation actually flushes as much output
-  as possible anyway.
-
-    inflate() should normally be called until it returns Z_STREAM_END or an
-  error. However if all decompression is to be performed in a single step
-  (a single call of inflate), the parameter flush should be set to
-  Z_FINISH. In this case all pending input is processed and all pending
-  output is flushed; avail_out must be large enough to hold all the
-  uncompressed data. (The size of the uncompressed data may have been saved
-  by the compressor for this purpose.) The next operation on this stream must
-  be inflateEnd to deallocate the decompression state. The use of Z_FINISH
-  is never required, but can be used to inform inflate that a faster routine
-  may be used for the single inflate() call.
-
-    inflate() returns Z_OK if some progress has been made (more input
-  processed or more output produced), Z_STREAM_END if the end of the
-  compressed data has been reached and all uncompressed output has been
-  produced, Z_NEED_DICT if a preset dictionary is needed at this point (see
-  inflateSetDictionary below), Z_DATA_ERROR if the input data was corrupted,
-  Z_STREAM_ERROR if the stream structure was inconsistent (for example if
-  next_in or next_out was NULL), Z_MEM_ERROR if there was not enough memory,
-  Z_BUF_ERROR if no progress is possible or if there was not enough room in
-  the output buffer when Z_FINISH is used. In the Z_DATA_ERROR case, the
-  application may then call inflateSync to look for a good compression block.
-  In the Z_NEED_DICT case, strm->adler is set to the Adler32 value of the
-  dictionary chosen by the compressor.
-*/
-
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) inflateEnd (z_streamp strm);
-#else
-extern int EXPORT inflateEnd OF((z_streamp strm));
-#endif
-/*
-     All dynamically allocated data structures for this stream are freed.
-   This function discards any unprocessed input and does not flush any
-   pending output.
-
-     inflateEnd returns Z_OK if success, Z_STREAM_ERROR if the stream state
-   was inconsistent. In the error case, msg may be set but then points to a
-   static string (which must not be deallocated).
-*/
-
-                        /* Advanced functions */
-
-/*
-    The following functions are needed only in some special applications.
-*/
-
-/*   
-extern int EXPORT deflateInit2 OF((z_streamp strm,
-                                   int  level,
-                                   int  method,
-                                   int  windowBits,
-                                   int  memLevel,
-                                   int  strategy));
-
-     This is another version of deflateInit with more compression options. The
-   fields next_in, zalloc, zfree and opaque must be initialized before by
-   the caller.
-
-     The method parameter is the compression method. It must be Z_DEFLATED in
-   this version of the library. (Method 9 will allow a 64K history buffer and
-   partial block flushes.)
-
-     The windowBits parameter is the base two logarithm of the window size
-   (the size of the history buffer).  It should be in the range 8..15 for this
-   version of the library (the value 16 will be allowed for method 9). Larger
-   values of this parameter result in better compression at the expense of
-   memory usage. The default value is 15 if deflateInit is used instead.
-
-     The memLevel parameter specifies how much memory should be allocated
-   for the internal compression state. memLevel=1 uses minimum memory but
-   is slow and reduces compression ratio; memLevel=9 uses maximum memory
-   for optimal speed. The default value is 8. See zconf.h for total memory
-   usage as a function of windowBits and memLevel.
-
-     The strategy parameter is used to tune the compression algorithm. Use the
-   value Z_DEFAULT_STRATEGY for normal data, Z_FILTERED for data produced by a
-   filter (or predictor), or Z_HUFFMAN_ONLY to force Huffman encoding only (no
-   string match).  Filtered data consists mostly of small values with a
-   somewhat random distribution. In this case, the compression algorithm is
-   tuned to compress them better. The effect of Z_FILTERED is to force more
-   Huffman coding and less string matching; it is somewhat intermediate
-   between Z_DEFAULT and Z_HUFFMAN_ONLY. The strategy parameter only affects
-   the compression ratio but not the correctness of the compressed output even
-   if it is not set appropriately.
-
-     If next_in is not null, the library will use this buffer to hold also
-   some history information; the buffer must either hold the entire input
-   data, or have at least 1<<(windowBits+1) bytes and be writable. If next_in
-   is null, the library will allocate its own history buffer (and leave next_in
-   null). next_out need not be provided here but must be provided by the
-   application for the next call of deflate().
-
-     If the history buffer is provided by the application, next_in must
-   must never be changed by the application since the compressor maintains
-   information inside this buffer from call to call; the application
-   must provide more input only by increasing avail_in. next_in is always
-   reset by the library in this case.
-
-      deflateInit2 returns Z_OK if success, Z_MEM_ERROR if there was
-   not enough memory, Z_STREAM_ERROR if a parameter is invalid (such as
-   an invalid method). msg is set to null if there is no error message.
-   deflateInit2 does not perform any compression: this will be done by
-   deflate(). 
-*/
-                            
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) deflateSetDictionary (z_streamp strm,
-                                           const Bytef *dictionary,
-				           uInt  dictLength);
-#else
-extern int EXPORT deflateSetDictionary OF((z_streamp strm,
-                                           const Bytef *dictionary,
-				           uInt  dictLength));
-#endif
-/*
-     Initializes the compression dictionary (history buffer) from the given
-   byte sequence without producing any compressed output. This function must
-   be called immediately after deflateInit or deflateInit2, before any call
-   of deflate. The compressor and decompressor must use exactly the same
-   dictionary (see inflateSetDictionary).
-     The dictionary should consist of strings (byte sequences) that are likely
-   to be encountered later in the data to be compressed, with the most commonly
-   used strings preferably put towards the end of the dictionary. Using a
-   dictionary is most useful when the data to be compressed is short and
-   can be predicted with good accuracy; the data can then be compressed better
-   than with the default empty dictionary. In this version of the library,
-   only the last 32K bytes of the dictionary are used.
-     Upon return of this function, strm->adler is set to the Adler32 value
-   of the dictionary; the decompressor may later use this value to determine
-   which dictionary has been used by the compressor. (The Adler32 value
-   applies to the whole dictionary even if only a subset of the dictionary is
-   actually used by the compressor.)
-
-     deflateSetDictionary returns Z_OK if success, or Z_STREAM_ERROR if a
-   parameter is invalid (such as NULL dictionary) or the stream state
-   is inconsistent (for example if deflate has already been called for this
-   stream). deflateSetDictionary does not perform any compression: this will
-   be done by deflate(). 
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) deflateCopy (z_streamp dest, z_streamp source);
-#else
-extern int EXPORT deflateCopy OF((z_streamp dest, z_streamp source));
-#endif
-/*
-     Sets the destination stream as a complete copy of the source stream.  If
-   the source stream is using an application-supplied history buffer, a new
-   buffer is allocated for the destination stream.  The compressed output
-   buffer is always application-supplied. It's the responsibility of the
-   application to provide the correct values of next_out and avail_out for the
-   next call of deflate.
-
-     This function can be useful when several compression strategies will be
-   tried, for example when there are several ways of pre-processing the input
-   data with a filter. The streams that will be discarded should then be freed
-   by calling deflateEnd.  Note that deflateCopy duplicates the internal
-   compression state which can be quite large, so this strategy is slow and
-   can consume lots of memory.
-
-     deflateCopy returns Z_OK if success, Z_MEM_ERROR if there was not
-   enough memory, Z_STREAM_ERROR if the source stream state was inconsistent
-   (such as zalloc being NULL). msg is left unchanged in both source and
-   destination.
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) deflateReset (z_streamp strm);
-#else
-extern int EXPORT deflateReset OF((z_streamp strm));
-#endif
-/*
-     This function is equivalent to deflateEnd followed by deflateInit,
-   but does not free and reallocate all the internal compression state.
-   The stream will keep the same compression level and any other attributes
-   that may have been set by deflateInit2.
-
-      deflateReset returns Z_OK if success, or Z_STREAM_ERROR if the source
-   stream state was inconsistent (such as zalloc or state being NULL).
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) deflateParams (z_streamp strm, int level, int strategy);
-#else
-extern int EXPORT deflateParams OF((z_streamp strm, int level, int strategy));
-#endif
-/*
-     Dynamically update the compression level and compression strategy.
-   This can be used to switch between compression and straight copy of
-   the input data, or to switch to a different kind of input data requiring
-   a different strategy. If the compression level is changed, the input
-   available so far is compressed with the old level (and may be flushed);
-   the new level will take effect only at the next call of deflate().
-
-     Before the call of deflateParams, the stream state must be set as for
-   a call of deflate(), since the currently available input may have to
-   be compressed and flushed. In particular, strm->avail_out must be non-zero.
-
-     deflateParams returns Z_OK if success, Z_STREAM_ERROR if the source
-   stream state was inconsistent or if a parameter was invalid, Z_BUF_ERROR
-   if strm->avail_out was zero.
-*/
-
-/*   
-extern int EXPORT inflateInit2 OF((z_streamp strm,
-                                   int  windowBits));
-
-     This is another version of inflateInit with more compression options. The
-   fields next_out, zalloc, zfree and opaque must be initialized before by
-   the caller.
-
-     The windowBits parameter is the base two logarithm of the maximum window
-   size (the size of the history buffer).  It should be in the range 8..15 for
-   this version of the library (the value 16 will be allowed soon). The
-   default value is 15 if inflateInit is used instead. If a compressed stream
-   with a larger window size is given as input, inflate() will return with
-   the error code Z_DATA_ERROR instead of trying to allocate a larger window.
-
-     If next_out is not null, the library will use this buffer for the history
-   buffer; the buffer must either be large enough to hold the entire output
-   data, or have at least 1<<windowBits bytes.  If next_out is null, the
-   library will allocate its own buffer (and leave next_out null). next_in
-   need not be provided here but must be provided by the application for the
-   next call of inflate().
-
-     If the history buffer is provided by the application, next_out must
-   never be changed by the application since the decompressor maintains
-   history information inside this buffer from call to call; the application
-   can only reset next_out to the beginning of the history buffer when
-   avail_out is zero and all output has been consumed.
-
-      inflateInit2 returns Z_OK if success, Z_MEM_ERROR if there was
-   not enough memory, Z_STREAM_ERROR if a parameter is invalid (such as
-   windowBits < 8). msg is set to null if there is no error message.
-   inflateInit2 does not perform any decompression: this will be done by
-   inflate().
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) inflateSetDictionary (z_streamp strm,
-				           const Bytef *dictionary,
-					   uInt  dictLength);
-#else
-extern int EXPORT inflateSetDictionary OF((z_streamp strm,
-				           const Bytef *dictionary,
-					   uInt  dictLength));
-#endif
-/*
-     Initializes the decompression dictionary (history buffer) from the given
-   uncompressed byte sequence. This function must be called immediately after
-   a call of inflate if this call returned Z_NEED_DICT. The dictionary chosen
-   by the compressor can be determined from the Adler32 value returned by this
-   call of inflate. The compressor and decompressor must use exactly the same
-   dictionary (see deflateSetDictionary).
-
-     inflateSetDictionary returns Z_OK if success, Z_STREAM_ERROR if a
-   parameter is invalid (such as NULL dictionary) or the stream state is
-   inconsistent, Z_DATA_ERROR if the given dictionary doesn't match the
-   expected one (incorrect Adler32 value). inflateSetDictionary does not
-   perform any decompression: this will be done by subsequent calls of
-   inflate().
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) inflateSync (z_streamp strm);
-#else
-extern int EXPORT inflateSync OF((z_streamp strm));
-#endif
-/* 
-    Skips invalid compressed data until the special marker (see deflate()
-  above) can be found, or until all available input is skipped. No output
-  is provided.
-
-    inflateSync returns Z_OK if the special marker has been found, Z_BUF_ERROR
-  if no more input was provided, Z_DATA_ERROR if no marker has been found,
-  or Z_STREAM_ERROR if the stream structure was inconsistent. In the success
-  case, the application may save the current current value of total_in which
-  indicates where valid compressed data was found. In the error case, the
-  application may repeatedly call inflateSync, providing more input each time,
-  until success or end of the input data.
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) inflateReset (z_streamp strm);
-#else
-extern int EXPORT inflateReset OF((z_streamp strm));
-#endif
-/*
-     This function is equivalent to inflateEnd followed by inflateInit,
-   but does not free and reallocate all the internal decompression state.
-   The stream will keep attributes that may have been set by inflateInit2.
-
-      inflateReset returns Z_OK if success, or Z_STREAM_ERROR if the source
-   stream state was inconsistent (such as zalloc or state being NULL).
-*/
-
-
-                        /* utility functions */
-
-/*
-     The following utility functions are implemented on top of the
-   basic stream-oriented functions. To simplify the interface, some
-   default options are assumed (compression level, window size,
-   standard memory allocation functions). The source code of these
-   utility functions can easily be modified if you need special options.
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) compress (Bytef *dest,   uLongf *destLen,
-			       const Bytef *source, uLong sourceLen);
-#else
-extern int EXPORT compress OF((Bytef *dest,   uLongf *destLen,
-			       const Bytef *source, uLong sourceLen));
-#endif
-/*
-     Compresses the source buffer into the destination buffer.  sourceLen is
-   the byte length of the source buffer. Upon entry, destLen is the total
-   size of the destination buffer, which must be at least 0.1% larger than
-   sourceLen plus 12 bytes. Upon exit, destLen is the actual size of the
-   compressed buffer.
-     This function can be used to compress a whole file at once if the
-   input file is mmap'ed.
-     compress returns Z_OK if success, Z_MEM_ERROR if there was not
-   enough memory, Z_BUF_ERROR if there was not enough room in the output
-   buffer.
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) uncompress (Bytef *dest,   uLongf *destLen,
-				 const Bytef *source, uLong sourceLen);
-#else
-extern int EXPORT uncompress OF((Bytef *dest,   uLongf *destLen,
-				 const Bytef *source, uLong sourceLen));
-#endif
-/*
-     Decompresses the source buffer into the destination buffer.  sourceLen is
-   the byte length of the source buffer. Upon entry, destLen is the total
-   size of the destination buffer, which must be large enough to hold the
-   entire uncompressed data. (The size of the uncompressed data must have
-   been saved previously by the compressor and transmitted to the decompressor
-   by some mechanism outside the scope of this compression library.)
-   Upon exit, destLen is the actual size of the compressed buffer.
-     This function can be used to decompress a whole file at once if the
-   input file is mmap'ed.
-
-     uncompress returns Z_OK if success, Z_MEM_ERROR if there was not
-   enough memory, Z_BUF_ERROR if there was not enough room in the output
-   buffer, or Z_DATA_ERROR if the input data was corrupted.
-*/
-
-
-typedef voidp gzFile;
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern gzFile) gzopen  (const char *path, const char *mode);
-#else
-extern gzFile EXPORT gzopen  OF((const char *path, const char *mode));
-#endif
-/*
-     Opens a gzip (.gz) file for reading or writing. The mode parameter
-   is as in fopen ("rb" or "wb") but can also include a compression level
-   ("wb9").  gzopen can be used to read a file which is not in gzip format;
-   in this case gzread will directly read from the file without decompression.
-     gzopen returns NULL if the file could not be opened or if there was
-   insufficient memory to allocate the (de)compression state; errno
-   can be checked to distinguish the two cases (if errno is zero, the
-   zlib error is Z_MEM_ERROR).
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern gzFile) gzdopen  (int fd, const char *mode);
-#else
-extern gzFile EXPORT gzdopen  OF((int fd, const char *mode));
-#endif
-/*
-     gzdopen() associates a gzFile with the file descriptor fd.  File
-   descriptors are obtained from calls like open, dup, creat, pipe or
-   fileno (in the file has been previously opened with fopen).
-   The mode parameter is as in gzopen.
-     The next call of gzclose on the returned gzFile will also close the
-   file descriptor fd, just like fclose(fdopen(fd), mode) closes the file
-   descriptor fd. If you want to keep fd open, use gzdopen(dup(fd), mode).
-     gzdopen returns NULL if there was insufficient memory to allocate
-   the (de)compression state.
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int)    gzread  (gzFile file, voidp buf, unsigned len);
-#else
-extern int EXPORT    gzread  OF((gzFile file, voidp buf, unsigned len));
-#endif
-/*
-     Reads the given number of uncompressed bytes from the compressed file.
-   If the input file was not in gzip format, gzread copies the given number
-   of bytes into the buffer.
-     gzread returns the number of uncompressed bytes actually read (0 for
-   end of file, -1 for error). */
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int)    gzwrite (gzFile file, const voidp buf, unsigned len);
-#else
-extern int EXPORT    gzwrite OF((gzFile file, const voidp buf, unsigned len));
-#endif
-/*
-     Writes the given number of uncompressed bytes into the compressed file.
-   gzwrite returns the number of uncompressed bytes actually written
-   (0 in case of error).
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int)    gzflush (gzFile file, int flush);
-#else
-extern int EXPORT    gzflush OF((gzFile file, int flush));
-#endif
-/*
-     Flushes all pending output into the compressed file. The parameter
-   flush is as in the deflate() function. The return value is the zlib
-   error number (see function gzerror below). gzflush returns Z_OK if
-   the flush parameter is Z_FINISH and all output could be flushed.
-     gzflush should be called only when strictly necessary because it can
-   degrade compression.
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int)    gzclose (gzFile file);
-#else
-extern int EXPORT    gzclose OF((gzFile file));
-#endif
-/*
-     Flushes all pending output if necessary, closes the compressed file
-   and deallocates all the (de)compression state. The return value is the zlib
-   error number (see function gzerror below).
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern const char *) gzerror (gzFile file, int *errnum);
-#else
-extern const char * EXPORT gzerror OF((gzFile file, int *errnum));
-#endif
-/*
-     Returns the error message for the last error which occurred on the
-   given compressed file. errnum is set to zlib error number. If an
-   error occurred in the file system and not in the compression library,
-   errnum is set to Z_ERRNO and the application may consult errno
-   to get the exact error code.
-*/
-
-                        /* checksum functions */
-
-/*
-     These functions are not related to compression but are exported
-   anyway because they might be useful in applications using the
-   compression library.
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern uLong) adler32 (uLong adler, const Bytef *buf, uInt len);
-#else
-extern uLong EXPORT adler32 OF((uLong adler, const Bytef *buf, uInt len));
-#endif
-
-/*
-     Update a running Adler-32 checksum with the bytes buf[0..len-1] and
-   return the updated checksum. If buf is NULL, this function returns
-   the required initial value for the checksum.
-   An Adler-32 checksum is almost as reliable as a CRC32 but can be computed
-   much faster. Usage example:
-
-     uLong adler = adler32(0L, Z_NULL, 0);
-
-     while (read_buffer(buffer, length) != EOF) {
-       adler = adler32(adler, buffer, length);
-     }
-     if (adler != original_adler) error();
-*/
-
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern uLong) crc32   (uLong crc, const Bytef *buf, uInt len);
-#else
-extern uLong EXPORT crc32   OF((uLong crc, const Bytef *buf, uInt len));
-#endif
-/*
-     Update a running crc with the bytes buf[0..len-1] and return the updated
-   crc. If buf is NULL, this function returns the required initial value
-   for the crc. Pre- and post-conditioning (one's complement) is performed
-   within this function so it shouldn't be done by the application.
-   Usage example:
-
-     uLong crc = crc32(0L, Z_NULL, 0);
-
-     while (read_buffer(buffer, length) != EOF) {
-       crc = crc32(crc, buffer, length);
-     }
-     if (crc != original_crc) error();
-*/
-
-
-                        /* various hacks, don't look :) */
-
-/* deflateInit and inflateInit are macros to allow checking the zlib version
- * and the compiler's view of z_stream:
- */
-#ifdef MOZILLA_CLIENT
-PR_PUBLIC_API(extern int) deflateInit_ (z_streamp strm, int level, const char *version, 
-					int stream_size);
-PR_PUBLIC_API(extern int) inflateInit_ (z_streamp strm, const char *version, 
-					int stream_size);
-PR_PUBLIC_API(extern int) deflateInit2_ (z_streamp strm, int  level, int  method, 
-					 int windowBits, int memLevel, int strategy, 
-					 const char *version, int stream_size);
-PR_PUBLIC_API(extern int) inflateInit2_ (z_streamp strm, int  windowBits, 
-					 const char *version, int stream_size);
-#else
-extern int EXPORT deflateInit_ OF((z_streamp strm, int level, const char *version, 
-				   int stream_size));
-extern int EXPORT inflateInit_ OF((z_streamp strm, const char *version, 
-				   int stream_size));
-extern int EXPORT deflateInit2_ OF((z_streamp strm, int  level, int  method, 
-				    int windowBits, int memLevel, int strategy, 
-				    const char *version, int stream_size));
-extern int EXPORT inflateInit2_ OF((z_streamp strm, int  windowBits, 
-				    const char *version, int stream_size));
-#endif /* MOZILLA_CLIENT */
-
-
-#define deflateInit(strm, level) \
-        deflateInit_((strm), (level),       ZLIB_VERSION, sizeof(z_stream))
-#define inflateInit(strm) \
-        inflateInit_((strm),                ZLIB_VERSION, sizeof(z_stream))
-#define deflateInit2(strm, level, method, windowBits, memLevel, strategy) \
-        deflateInit2_((strm),(level),(method),(windowBits),(memLevel),\
-		      (strategy),           ZLIB_VERSION, sizeof(z_stream))
-#define inflateInit2(strm, windowBits) \
-        inflateInit2_((strm), (windowBits), ZLIB_VERSION, sizeof(z_stream))
-
-#if !defined(_Z_UTIL_H) && !defined(NO_DUMMY_DECL)
-    struct internal_state {int dummy;}; /* hack for buggy compilers */
-#endif
-
-uLongf *get_crc_table OF((void)); /* can be used by asm versions of crc32() */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* _ZLIB_H */
diff --git a/security/nss/lib/jar/manifest.mn b/security/nss/lib/jar/manifest.mn
deleted file mode 100644
index 57dbe1679..000000000
--- a/security/nss/lib/jar/manifest.mn
+++ /dev/null
@@ -1,58 +0,0 @@
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-MODULE = nss
-
-LIBRARY_NAME = jar
-
-CORE_DEPTH = ../../..
-
-CSRCS =	\
-	jarver.c \
-	jarsign.c \
-	jar.c \
-	jar-ds.c \
-	jarfile.c \
-	jarevil.c \
-	jarjart.c \
-	jarint.c \
-	$(NULL)
-
-REQUIRES = dbm
-
-EXPORTS	 = jar.h jar-ds.h jarfile.h
-
-DEFINES = -DMOZILLA_CLIENT=1
diff --git a/security/nss/lib/manifest.mn b/security/nss/lib/manifest.mn
deleted file mode 100644
index 268ff0496..000000000
--- a/security/nss/lib/manifest.mn
+++ /dev/null
@@ -1,69 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-CORE_DEPTH = ../..
-DEPTH      = ../..
-
-#
-# organized by DLL
-#
-#  softoken and prereqs.
-#  stan (not a separate dll yet)
-#  nss base (traditional)
-#  ssl
-#  smime
-#  ckfw (builtins module)
-#  crmf jar (not dll's)
-DIRS =  util freebl softoken \
-	base asn1 dev pki pki1 \
-	certdb certhigh pk11wrap cryptohi nss \
-	ssl \
-	pkcs12 pkcs7 smime \
-	crmf jar \
-	ckfw      \
-	$(NULL)
-
-#  fortcrypt  is no longer built
-
-# NSS 4.0 build - pure stan libraries
-ifdef PURE_STAN_BUILD
-DIRS = base asn1 dev pki pki1
-endif
-
-#
-# these dirs are not built at the moment
-#
-#NOBUILD_DIRS = jar
diff --git a/security/nss/lib/nss/Makefile b/security/nss/lib/nss/Makefile
deleted file mode 100644
index 7e105530a..000000000
--- a/security/nss/lib/nss/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-include config.mk
-
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-export:: private_export
-
diff --git a/security/nss/lib/nss/config.mk b/security/nss/lib/nss/config.mk
deleted file mode 100644
index 5cdb444e5..000000000
--- a/security/nss/lib/nss/config.mk
+++ /dev/null
@@ -1,133 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#
-#  Override TARGETS variable so that only static libraries
-#  are specifed as dependencies within rules.mk.
-#
-
-# can't do this in manifest.mn because OS_TARGET isn't defined there.
-ifeq (,$(filter-out WIN%,$(OS_TARGET)))
-
-# don't want the 32 in the shared library name
-SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
-IMPORT_LIBRARY = $(OBJDIR)/$(IMPORT_LIB_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION)$(IMPORT_LIB_SUFFIX)
-
-RES = $(OBJDIR)/$(LIBRARY_NAME).res
-RESNAME = $(LIBRARY_NAME).rc
-
-ifdef NS_USE_GCC
-EXTRA_SHARED_LIBS += \
-	-L$(DIST)/lib \
-	-lsoftokn3 \
-	-L$(NSPR_LIB_DIR) \
-	-lplc4 \
-	-lplds4 \
-	-lnspr4\
-	$(NULL)
-else # ! NS_USE_GCC
-EXTRA_SHARED_LIBS += \
-	$(DIST)/lib/softokn3.lib \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
-	$(NULL)
-endif # NS_USE_GCC
-
-else
-
-# $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
-# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
-EXTRA_SHARED_LIBS += \
-	-L$(DIST)/lib \
-	-lsoftokn3 \
-	-L$(NSPR_LIB_DIR) \
-	-lplc4 \
-	-lplds4 \
-	-lnspr4 \
-	$(NULL)
-
-endif
-
-
-# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
-SHARED_LIBRARY_LIBS = \
-	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)cryptohi.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)certdb.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)secutil.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)nssdev.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
-	$(NULL)
-
-SHARED_LIBRARY_DIRS = \
-	../certhigh \
-	../cryptohi \
-	../pk11wrap \
-	../certdb \
-	../util \
-	../pki \
-	../dev \
-	../base \
-	$(NULL)
-
-
-ifeq ($(OS_TARGET),SunOS)
-ifeq ($(BUILD_SUN_PKG), 1)
-# The -R '$ORIGIN' linker option instructs this library to search for its
-# dependencies in the same directory where it resides.
-ifeq ($(USE_64), 1)
-MKSHLIB += -R '$$ORIGIN:/usr/lib/mps/secv1/64:/usr/lib/mps/64'
-else
-MKSHLIB += -R '$$ORIGIN:/usr/lib/mps/secv1:/usr/lib/mps'
-endif
-else
-MKSHLIB += -R '$$ORIGIN'
-endif
-endif
-
-
-ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))
-ifndef NS_USE_GCC
-# Export 'mktemp' to be backward compatible with NSS 3.2.x and 3.3.x
-# but do not put it in the import library.  See bug 142575.
-DEFINES += -DWIN32_NSS3_DLL_COMPAT
-DLLFLAGS += -EXPORT:mktemp=nss_mktemp,PRIVATE
-endif
-endif
diff --git a/security/nss/lib/nss/manifest.mn b/security/nss/lib/nss/manifest.mn
deleted file mode 100644
index 6260fc7b9..000000000
--- a/security/nss/lib/nss/manifest.mn
+++ /dev/null
@@ -1,59 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-CORE_DEPTH = ../../..
-
-PRIVATE_EXPORTS = \
-	nssrenam.h \
-	$(NULL)
-
-EXPORTS = \
-	nss.h \
-	$(NULL)
-
-MODULE = nss
-
-CSRCS = \
-	nssinit.c \
-	nssver.c \
-	$(NULL)
-
-REQUIRES = dbm
-
-MAPFILE = $(OBJDIR)/nss.def
-
-LIBRARY_NAME = nss
-LIBRARY_VERSION = 3
diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def
deleted file mode 100644
index b02dd61ef..000000000
--- a/security/nss/lib/nss/nss.def
+++ /dev/null
@@ -1,874 +0,0 @@
-;+#
-;+# ***** BEGIN LICENSE BLOCK *****
-;+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-;+#
-;+# The contents of this file are subject to the Mozilla Public License Version
-;+# 1.1 (the "License"); you may not use this file except in compliance with
-;+# the License. You may obtain a copy of the License at
-;+# http://www.mozilla.org/MPL/
-;+#
-;+# Software distributed under the License is distributed on an "AS IS" basis,
-;+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-;+# for the specific language governing rights and limitations under the
-;+# License.
-;+#
-;+# The Original Code is the Netscape security libraries.
-;+#
-;+# The Initial Developer of the Original Code is
-;+# Netscape Communications Corporation.
-;+# Portions created by the Initial Developer are Copyright (C) 2000
-;+# the Initial Developer. All Rights Reserved.
-;+#
-;+# Contributor(s):
-;+#   Dr Stephen Henson <stephen.henson@gemplus.com>
-;+#   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
-;+#
-;+# Alternatively, the contents of this file may be used under the terms of
-;+# either the GNU General Public License Version 2 or later (the "GPL"), or
-;+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-;+# in which case the provisions of the GPL or the LGPL are applicable instead
-;+# of those above. If you wish to allow use of your version of this file only
-;+# under the terms of either the GPL or the LGPL, and not to allow others to
-;+# use your version of this file under the terms of the MPL, indicate your
-;+# decision by deleting the provisions above and replace them with the notice
-;+# and other provisions required by the GPL or the LGPL. If you do not delete
-;+# the provisions above, a recipient may use your version of this file under
-;+# the terms of any one of the MPL, the GPL or the LGPL.
-;+#
-;+# ***** END LICENSE BLOCK *****
-;+#
-;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
-;+#   1. For all unix platforms, the string ";-"  means "remove this line"
-;+#   2. For all unix platforms, the string " DATA " will be removed from any 
-;+#	line on which it occurs.
-;+#   3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
-;+#      On AIX, lines containing ";+" will be removed.  
-;+#   4. For all unix platforms, the string ";;" will thave the ";;" removed.
-;+#   5. For all unix platforms, after the above processing has taken place,
-;+#    all characters after the first ";" on the line will be removed.  
-;+#    And for AIX, the first ";" will also be removed.
-;+#  This file is passed directly to windows. Since ';' is a comment, all UNIX
-;+#   directives are hidden behind ";", ";+", and ";-"
-;+NSS_3.2 {       # NSS 3.2 release
-;+    global:
-LIBRARY nss3	;-
-EXPORTS		;-
-ATOB_AsciiToData;
-BTOA_ConvertItemToAscii;
-BTOA_DataToAscii;
-CERT_AsciiToName;
-CERT_CertTimesValid;
-CERT_CheckCertValidTimes;
-CERT_CreateCertificateRequest;
-CERT_ChangeCertTrust;
-CERT_DecodeDERCrl;
-CERT_DestroyCertificateRequest;
-CERT_DestroyCertList;
-CERT_DestroyName;
-CERT_EnableOCSPChecking;
-CERT_FormatName;
-CERT_DestroyCertificate;
-CERT_DupCertificate;
-CERT_FreeDistNames;
-CERT_FreeNicknames;
-CERT_GetAVATag;
-CERT_GetCertEmailAddress;
-CERT_GetCertNicknames;
-CERT_GetCertIssuerAndSN;
-CERT_GetCertTrust;
-CERT_GetCertUid;
-CERT_GetCommonName;
-CERT_GetCountryName;
-CERT_GetDBContentVersion;
-CERT_GetDefaultCertDB;
-CERT_GetDomainComponentName;
-CERT_GetLocalityName;
-CERT_GetOrgName;
-CERT_GetOrgUnitName;
-CERT_GetSSLCACerts;
-CERT_GetSlopTime;
-CERT_GetStateName;
-CERT_ImportCAChain;
-CERT_NameToAscii;
-CERT_RFC1485_EscapeAndQuote;
-CERT_SetSlopTime;
-CERT_VerifyCertName;
-CERT_VerifyCertNow;
-DER_UTCDayToAscii;
-DER_UTCTimeToAscii;
-DER_GeneralizedTimeToTime;
-NSS_Init;
-NSS_Initialize;
-NSS_InitReadWrite;
-NSS_NoDB_Init;
-NSS_Shutdown;
-NSS_VersionCheck;
-PK11_Authenticate;
-PK11_ChangePW;
-PK11_CheckUserPassword;
-PK11_CipherOp;
-PK11_CloneContext;
-PK11_ConfigurePKCS11;
-PK11_CreateContextBySymKey;
-PK11_CreateDigestContext;
-PK11_DestroyContext;
-PK11_DestroyTokenObject;
-PK11_DigestBegin;
-PK11_DigestOp;
-PK11_DigestFinal;
-PK11_DoesMechanism;
-PK11_FindCertFromNickname;
-PK11_FindCertFromDERCert;
-PK11_FindCertByIssuerAndSN;
-PK11_FindKeyByAnyCert;
-PK11_FindKeyByDERCert;
-PK11_FindSlotByName;
-PK11_Finalize;
-PK11_FortezzaHasKEA;
-PK11_FreeSlot;
-PK11_FreeSlotList;
-PK11_FreeSymKey;
-PK11_GenerateKeyPair;
-PK11_GenerateRandom;
-PK11_GenerateNewParam;
-PK11_GetAllTokens;
-PK11_GetBlockSize;
-PK11_GetFirstSafe;
-PK11_GetInternalKeySlot;
-PK11_GetInternalSlot;
-PK11_GetSlotName;
-PK11_GetTokenName;
-PK11_HashBuf;
-PK11_IsFIPS;
-PK11_IsFriendly;
-PK11_IsInternal;
-PK11_IsHW;
-PK11_IsPresent;
-PK11_IsReadOnly;
-PK11_KeyGen;
-PK11_ListCerts;
-PK11_NeedLogin;
-PK11_RandomUpdate;
-PK11_SetPasswordFunc;
-PK11_SetSlotPWValues;
-PORT_Alloc;
-PORT_Free;
-PORT_GetError;
-PORT_SetError;
-PORT_SetUCS4_UTF8ConversionFunction;
-PORT_SetUCS2_UTF8ConversionFunction;
-PORT_SetUCS2_ASCIIConversionFunction;
-SECITEM_CopyItem;
-SECITEM_DupItem;
-SECITEM_FreeItem;
-SECITEM_ZfreeItem;
-SECKEY_ConvertToPublicKey;
-SECKEY_CopyPrivateKey;
-SECKEY_CreateSubjectPublicKeyInfo;
-SECKEY_DestroyPrivateKey;
-SECKEY_DestroySubjectPublicKeyInfo;
-SECMOD_IsModulePresent;
-SECOID_FindOIDTagDescription;
-SECOID_GetAlgorithmTag;
-SEC_DeletePermCertificate;
-SEC_DeletePermCRL;
-SEC_DerSignData;
-SEC_DestroyCrl;
-SEC_FindCrlByDERCert;
-SEC_FindCrlByName;
-SEC_LookupCrls;
-SEC_NewCrl;
-;+#
-;+# The following symbols are exported only to make libssl3.so work. 
-;+# These are still private!!!
-;+#
-__CERT_NewTempCertificate;
-__PK11_CreateContextByRawKey;
-__PK11_GetKeyData;
-__nss_InitLock;
-CERT_CertChainFromCert;
-CERT_DestroyCertificateList;
-CERT_DupCertList;
-CERT_ExtractPublicKey;
-CERT_FindCertByName;
-DER_Lengths;
-DSAU_DecodeDerSig;
-DSAU_EncodeDerSig;
-HASH_GetHashObject;
-NSSRWLock_Destroy;
-NSSRWLock_HaveWriteLock;
-NSSRWLock_LockRead;
-NSSRWLock_LockWrite;
-NSSRWLock_New;
-NSSRWLock_UnlockRead;
-NSSRWLock_UnlockWrite;
-NSS_PutEnv;
-PK11_Derive;
-PK11_DeriveWithFlags;
-PK11_DigestKey;
-PK11_FindBestKEAMatch;
-PK11_FindFixedKey;
-PK11_GenerateFortezzaIV;
-PK11_GetBestKeyLength;
-PK11_GetBestSlot;
-PK11_GetBestSlotMultiple;
-PK11_GetBestWrapMechanism;
-PK11_GetCurrentWrapIndex;
-PK11_GetMechanism;
-PK11_GetModuleID;
-PK11_GetPrivateModulusLen;
-PK11_GetSlotFromKey;
-PK11_GetSlotFromPrivateKey;
-PK11_GetSlotID;
-PK11_GetSlotSeries;
-PK11_GetTokenInfo;
-PK11_GetWindow;
-PK11_GetWrapKey;
-PK11_IVFromParam;
-PK11_MakeKEAPubKey;
-PK11_ParamFromIV;
-PK11_PubDecryptRaw;
-PK11_PubDerive;
-PK11_PubEncryptRaw;
-PK11_PubUnwrapSymKey;
-PK11_PubWrapSymKey;
-PK11_ReferenceSymKey;
-PK11_RestoreContext;
-PK11_SaveContext;
-PK11_SetFortezzaHack;
-PK11_SetWrapKey;
-PK11_Sign;
-PK11_SignatureLen;
-PK11_SymKeyFromHandle;
-PK11_TokenExists;
-PK11_UnwrapSymKey;
-PK11_UnwrapSymKeyWithFlags;
-PK11_Verify;
-PK11_VerifyKeyOK;
-PK11_WrapSymKey;
-PORT_ArenaAlloc;
-PORT_ArenaZAlloc;
-PORT_FreeArena;
-PORT_NewArena;
-PORT_Realloc;
-PORT_ZAlloc;
-PORT_ZFree;
-RSA_FormatBlock;
-SECITEM_CompareItem;
-SECKEY_CreateRSAPrivateKey;
-SECKEY_DestroyPublicKey;
-SECKEY_PublicKeyStrength;
-SECKEY_UpdateCertPQG;
-SECMOD_LookupSlot;
-SGN_Begin;
-SGN_DestroyContext;
-SGN_End;
-SGN_NewContext;
-SGN_Update;
-VFY_Begin;
-VFY_CreateContext;
-VFY_DestroyContext;
-VFY_End;
-VFY_Update;
-;+#
-;+# The following symbols are exported only to make libsmime3.so work. 
-;+# These are still private!!!
-;+#
-__CERT_ClosePermCertDB;
-__CERT_DecodeDERCertificate;
-__CERT_TraversePermCertsForNickname;
-__CERT_TraversePermCertsForSubject;
-__PBE_CreateContext;
-__PBE_DestroyContext;
-__PBE_GenerateBits;
-ATOB_ConvertAsciiToItem;
-CERT_AddCertToListTail;
-CERT_CertListFromCert;
-CERT_DestroyCertArray;
-CERT_FindCertByDERCert;
-CERT_FindCertByIssuerAndSN;
-CERT_FindSMimeProfile;
-CERT_ImportCerts;
-CERT_NewCertList;
-CERT_OpenCertDBFilename;
-CERT_SaveSMimeProfile;
-CERT_VerifyCert;
-DER_GetInteger;
-DER_TimeToUTCTime;
-DER_UTCTimeToTime;
-PK11_AlgtagToMechanism;
-PK11_BlockData;
-PK11_CreatePBEAlgorithmID;
-PK11_DestroyObject;
-PK11_ExportEncryptedPrivateKeyInfo;
-PK11_ExportPrivateKeyInfo;
-PK11_FindCertAndKeyByRecipientList;
-PK11_FindCertAndKeyByRecipientListNew;
-PK11_FindCertInSlot;
-PK11_FindPrivateKeyFromCert;
-PK11_FortezzaMapSig;
-PK11_GetKeyLength;
-PK11_GetKeyStrength;
-PK11_ImportCertForKeyToSlot;
-PK11_ImportEncryptedPrivateKeyInfo;
-PK11_ImportPrivateKeyInfo;
-PK11_MapPBEMechanismToCryptoMechanism;
-PK11_PBEKeyGen;
-PK11_ParamFromAlgid;
-PK11_ParamToAlgid;
-PK11_TraverseCertsForNicknameInSlot;
-PK11_TraverseCertsForSubjectInSlot;
-PORT_ArenaGrow;
-PORT_ArenaMark;
-PORT_ArenaRelease;
-PORT_ArenaStrdup;
-PORT_ArenaUnmark;
-PORT_UCS2_ASCIIConversion;
-PORT_UCS2_UTF8Conversion;
-SECITEM_AllocItem;
-SECKEY_CopyEncryptedPrivateKeyInfo;
-SECKEY_CopyPrivateKeyInfo;
-SECKEY_DestroyEncryptedPrivateKeyInfo;
-SECKEY_DestroyPrivateKeyInfo;
-SECOID_CompareAlgorithmID;
-SECOID_CopyAlgorithmID;
-SECOID_DestroyAlgorithmID;
-SECOID_FindOID;
-SECOID_FindOIDByTag;
-SECOID_FindOIDTag;
-SECOID_SetAlgorithmID;
-SEC_ASN1DecodeInteger;
-SEC_ASN1DecodeItem;
-SEC_ASN1DecoderClearFilterProc;
-SEC_ASN1DecoderClearNotifyProc;
-SEC_ASN1DecoderFinish;
-SEC_ASN1DecoderSetFilterProc;
-SEC_ASN1DecoderSetNotifyProc;
-SEC_ASN1DecoderStart;
-SEC_ASN1DecoderUpdate;
-SEC_ASN1Encode;
-SEC_ASN1EncodeInteger;
-SEC_ASN1EncodeItem;
-SEC_ASN1EncoderClearNotifyProc;
-SEC_ASN1EncoderClearStreaming;
-SEC_ASN1EncoderClearTakeFromBuf;
-SEC_ASN1EncoderFinish;
-SEC_ASN1EncoderSetNotifyProc;
-SEC_ASN1EncoderSetStreaming;
-SEC_ASN1EncoderSetTakeFromBuf;
-SEC_ASN1EncoderStart;
-SEC_ASN1EncoderUpdate;
-SEC_ASN1LengthLength;
-SEC_PKCS5GetCryptoAlgorithm;
-SEC_PKCS5GetKeyLength;
-SEC_PKCS5GetPBEAlgorithm;
-SEC_PKCS5IsAlgorithmPBEAlg;
-SEC_SignData;
-SGN_CompareDigestInfo;
-SGN_CopyDigestInfo;
-SGN_CreateDigestInfo;
-SGN_DestroyDigestInfo;
-SGN_Digest;
-VFY_VerifyData;
-VFY_VerifyDigest;
-;+#
-;+# Data objects
-;+#
-;+# Don't export these DATA symbols on Windows because they don't work right.
-;;CERT_CrlTemplate DATA ;
-;;CERT_SignedDataTemplate DATA ;
-;;CERT_CertificateTemplate DATA ;
-;;CERT_CertificateRequestTemplate DATA ;
-;;CERT_IssuerAndSNTemplate DATA ;
-;;CERT_SetOfSignedCrlTemplate DATA ;
-;;SECKEY_DSAPublicKeyTemplate DATA ;
-;;SECKEY_EncryptedPrivateKeyInfoTemplate DATA ;
-;;SECKEY_PointerToEncryptedPrivateKeyInfoTemplate DATA ;
-;;SECKEY_PointerToPrivateKeyInfoTemplate DATA ;
-;;SECKEY_PrivateKeyInfoTemplate DATA ;
-;;SECKEY_RSAPublicKeyTemplate DATA ;
-;;SECOID_AlgorithmIDTemplate DATA ;
-;;SEC_AnyTemplate DATA ;
-;;SEC_BMPStringTemplate DATA ;
-;;SEC_BitStringTemplate DATA ;
-;;SEC_GeneralizedTimeTemplate DATA ;
-;;SEC_IA5StringTemplate DATA ;
-;;SEC_IntegerTemplate DATA ;
-;;SEC_ObjectIDTemplate DATA ;
-;;SEC_OctetStringTemplate DATA ;
-;;SEC_PointerToAnyTemplate DATA ;
-;;SEC_PointerToOctetStringTemplate DATA ;
-;;SEC_SetOfAnyTemplate DATA ;
-;;SEC_UTCTimeTemplate DATA ;
-;;sgn_DigestInfoTemplate DATA ;
-NSS_Get_CERT_CrlTemplate;
-NSS_Get_CERT_SignedDataTemplate;
-NSS_Get_CERT_CertificateTemplate;
-NSS_Get_CERT_CertificateRequestTemplate;
-NSS_Get_CERT_IssuerAndSNTemplate;
-NSS_Get_CERT_SetOfSignedCrlTemplate;
-NSS_Get_SECKEY_DSAPublicKeyTemplate;
-NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate;
-NSS_Get_SECKEY_PointerToEncryptedPrivateKeyInfoTemplate;
-NSS_Get_SECKEY_PointerToPrivateKeyInfoTemplate;
-NSS_Get_SECKEY_PrivateKeyInfoTemplate;
-NSS_Get_SECKEY_RSAPublicKeyTemplate;
-NSS_Get_SECOID_AlgorithmIDTemplate;
-NSS_Get_SEC_AnyTemplate;
-NSS_Get_SEC_BMPStringTemplate;
-NSS_Get_SEC_BitStringTemplate;
-NSS_Get_SEC_GeneralizedTimeTemplate;
-NSS_Get_SEC_IA5StringTemplate;
-NSS_Get_SEC_IntegerTemplate;
-NSS_Get_SEC_ObjectIDTemplate;
-NSS_Get_SEC_OctetStringTemplate;
-NSS_Get_SEC_PointerToAnyTemplate;
-NSS_Get_SEC_PointerToOctetStringTemplate;
-NSS_Get_SEC_SetOfAnyTemplate;
-NSS_Get_SEC_UTCTimeTemplate;
-NSS_Get_sgn_DigestInfoTemplate;
-;+# commands
-CERT_DecodeBasicConstraintValue;
-CERT_DecodeOidSequence;
-CERT_DecodeUserNotice;
-CERT_DecodeCertificatePoliciesExtension;
-CERT_DestroyCertificatePoliciesExtension;
-CERT_FindCertByNicknameOrEmailAddr;
-CERT_FindCertByNickname;
-CERT_GenTime2FormattedAscii;
-CERT_Hexify;
-CERT_CompareName;
-PK11SDR_Encrypt;
-PK11SDR_Decrypt;
-NSSBase64Decoder_Create;
-NSSBase64Decoder_Destroy;
-NSSBase64Decoder_Update;
-NSSBase64Encoder_Create;
-NSSBase64Encoder_Destroy;
-NSSBase64Encoder_Update;
-;+#PK11_DoPassword;
-;+#PK11_FindKeyByKeyID;
-PK11_InitPin;
-PK11_NeedUserInit;
-;+    local:
-;+       *;
-;+};
-;+NSS_3.2.1 {       # NSS 3.2.1 release
-;+    global:
-CERT_AddRDN;
-CERT_CreateRDN;
-CERT_CreateAVA;
-CERT_CreateName;
-;+    local:
-;+       *;
-;+};
-;+NSS_3.3 { 	# NSS 3.3. release
-;+    global:
-CERT_CheckCertUsage;
-CERT_FindCertIssuer;
-PK11_GetModule;
-SECKEY_CreateDHPrivateKey;
-SECKEY_GetPublicKeyType;
-SECMOD_AddNewModule;
-;+#
-;+# The following symbols are exported only to make JSS work.
-;+# These are still private!!!
-;+#
-CERT_DisableOCSPChecking;
-CERT_DisableOCSPDefaultResponder;
-CERT_EnableOCSPDefaultResponder;
-CERT_GetCertTimes;
-CERT_ImportCAChainTrusted;
-CERT_ImportCRL;
-CERT_IsCACert;
-CERT_IsCADERCert;
-CERT_SetOCSPDefaultResponder;
-PBE_CreateContext;
-PBE_DestroyContext;
-PBE_GenerateBits;
-PK11_CheckSSOPassword;
-PK11_CopySymKeyForSigning;
-PK11_DeleteTokenCertAndKey;
-PK11_DEREncodePublicKey;
-PK11_ExtractKeyValue;
-PK11_FindCertsFromNickname;
-PK11_FindKeyByKeyID;
-PK11_GetIVLength;
-PK11_GetKeyData;
-PK11_GetKeyType;
-PK11_GetLowLevelKeyIDForCert;
-PK11_GetLowLevelKeyIDForPrivateKey;
-PK11_GetSlotPWValues;
-PK11_ImportCertForKey;
-PK11_ImportDERCertForKey;
-PK11_ImportDERPrivateKeyInfo;
-PK11_ImportSymKey;
-PK11_IsLoggedIn;
-PK11_KeyForDERCertExists;
-PK11_KeyForCertExists;
-PK11_ListPrivateKeysInSlot;
-PK11_ListCertsInSlot;
-PK11_Logout;
-PK11_NeedPWInit;
-PK11_MakeIDFromPubKey;
-PK11_PQG_DestroyParams;
-PK11_PQG_DestroyVerify;
-PK11_PQG_GetBaseFromParams;
-PK11_PQG_GetCounterFromVerify;
-PK11_PQG_GetHFromVerify;
-PK11_PQG_GetPrimeFromParams;
-PK11_PQG_GetSeedFromVerify;
-PK11_PQG_GetSubPrimeFromParams;
-PK11_PQG_NewParams;
-PK11_PQG_NewVerify;
-PK11_PQG_ParamGen;
-PK11_PQG_ParamGenSeedLen;
-PK11_PQG_VerifyParams;
-PK11_ReferenceSlot;
-PK11_SeedRandom;
-PK11_UnwrapPrivKey;
-PK11_VerifyRecover;
-PK11_WrapPrivKey;
-SEC_CertNicknameConflict;
-SEC_PKCS5GetIV;
-SECMOD_DeleteInternalModule;
-SECMOD_DestroyModule;
-SECMOD_GetDefaultModuleList;
-SECMOD_GetDefaultModuleListLock;
-SECMOD_GetInternalModule;
-SECMOD_GetReadLock;
-SECMOD_ReferenceModule;
-SECMOD_ReleaseReadLock;
-SECKEY_AddPrivateKeyToListTail;
-SECKEY_EncodeDERSubjectPublicKeyInfo;
-SECKEY_ExtractPublicKey;
-SECKEY_DestroyPrivateKeyList;
-SECKEY_GetPrivateKeyType;
-SECKEY_HashPassword;
-SECKEY_ImportDERPublicKey;
-SECKEY_NewPrivateKeyList;
-SECKEY_RemovePrivateKeyListNode;
-VFY_EndWithSignature;
-;+    local:
-;+       *;
-;+};
-;+NSS_3.3.1 { 	# NSS 3.3.1 release
-;+    global:
-;+#
-;+# The following symbols are exported only to make libsmime3.so work. 
-;+# These are still private!!!
-;+#
-PK11_CreatePBEParams;
-PK11_DestroyPBEParams;
-;+    local:
-;+       *;
-;+};
-;+NSS_3.4 { 	# NSS 3.4 release
-;+    global:
-SECMOD_AddNewModuleEx;
-SECMOD_DeleteModule;
-SECMOD_FreeModuleSpecList;
-SECMOD_GetModuleSpecList;
-SECMOD_LoadModule;
-SECMOD_LoadUserModule;
-SECMOD_UnloadUserModule;
-SECMOD_UpdateModule;
-;+# for PKCS #12
-PK11_RawPBEKeyGen;
-;+# for PSM
-__CERT_AddTempCertToPerm;
-CERT_AddOKDomainName;
-CERT_CopyName;
-CERT_CreateSubjectCertList;
-CERT_DecodeAVAValue;
-;+#CERT_DecodeCertFromPackage;
-CERT_DecodeGeneralName;
-CERT_DecodeTrustString;
-CERT_DerNameToAscii;
-CERT_EncodeGeneralName;
-CERT_FilterCertListByCANames;
-CERT_FilterCertListByUsage;
-CERT_FindCertExtension;
-CERT_FindKeyUsageExtension;
-CERT_FindUserCertByUsage;
-CERT_FindUserCertsByUsage;
-CERT_GetCertChainFromCert;
-CERT_GetOCSPAuthorityInfoAccessLocation;
-CERT_KeyFromDERCrl;
-CERT_MakeCANickname;
-CERT_NicknameStringsFromCertList;
-CERT_VerifySignedData;
-DER_Encode;
-HASH_Begin;
-HASH_Create;
-HASH_Destroy;
-HASH_End;
-HASH_ResultLen;
-HASH_Update;
-NSSBase64_DecodeBuffer;   # from Stan
-NSSBase64_EncodeItem;   # from Stan
-PK11_GetKeyGen;
-PK11_GetMinimumPwdLength;
-PK11_GetNextSafe;
-PK11_GetPadMechanism;
-PK11_GetSlotInfo;
-PK11_HasRootCerts;
-PK11_IsDisabled;
-PK11_LoadPrivKey;
-PK11_LogoutAll;
-PK11_MechanismToAlgtag;
-PK11_ResetToken;
-PK11_TraverseSlotCerts;
-SEC_ASN1Decode;
-SECKEY_CopySubjectPublicKeyInfo;
-SECMOD_CreateModule;
-SECMOD_FindModule;
-SECMOD_FindSlot;
-SECMOD_PubCipherFlagstoInternal;
-SECMOD_PubMechFlagstoInternal;
-;;CERT_NameTemplate DATA ;
-;;CERT_SubjectPublicKeyInfoTemplate DATA ;
-;;SEC_BooleanTemplate DATA ;
-;;SEC_NullTemplate DATA ;
-;;SEC_SignedCertificateTemplate DATA ;
-;;SEC_UTF8StringTemplate DATA ;
-NSS_Get_CERT_NameTemplate;
-NSS_Get_CERT_SubjectPublicKeyInfoTemplate;
-NSS_Get_SEC_BooleanTemplate;
-NSS_Get_SEC_NullTemplate;
-NSS_Get_SEC_SignedCertificateTemplate;
-NSS_Get_SEC_UTF8StringTemplate;
-;+# for JSS
-PK11_DeleteTokenPrivateKey;
-PK11_DeleteTokenPublicKey;
-PK11_DeleteTokenSymKey;
-PK11_GetNextSymKey;
-PK11_GetPQGParamsFromPrivateKey;
-PK11_GetPrivateKeyNickname;
-PK11_GetPublicKeyNickname;
-PK11_GetSymKeyNickname;
-PK11_ImportDERPrivateKeyInfoAndReturnKey;
-PK11_ImportPrivateKeyInfoAndReturnKey;
-PK11_ImportPublicKey;
-PK11_ImportSymKeyWithFlags;
-PK11_ListFixedKeysInSlot;
-PK11_ListPrivKeysInSlot;
-PK11_ListPublicKeysInSlot;
-PK11_ProtectedAuthenticationPath;
-PK11_SetPrivateKeyNickname;
-PK11_SetPublicKeyNickname;
-PK11_SetSymKeyNickname;
-SECKEY_DecodeDERSubjectPublicKeyInfo;
-SECKEY_DestroyPublicKeyList;
-;+# for debugging
-nss_DumpCertificateCacheInfo;
-;+    local:
-;+       *;
-;+};
-;+NSS_3.5 { 	# cert creation APIs used by certutil
-;+    global:
-CERT_AddExtension;
-CERT_CopyRDN;
-CERT_CreateCertificate;
-CERT_CreateValidity;
-CERT_DestroyValidity;
-CERT_EncodeAndAddBitStrExtension;
-CERT_EncodeAuthKeyID;
-CERT_EncodeBasicConstraintValue;
-CERT_EncodeCRLDistributionPoints;
-CERT_FinishExtensions;
-CERT_StartCertExtensions;
-DER_AsciiToTime;
-PK11_ImportCert;
-PORT_Strdup;
-SECMOD_CanDeleteInternalModule;
-;+    local:
-;+       *;
-;+};
-;+NSS_3.6 { 	# NSS 3.6 release
-;+    global:
-CERT_AddOCSPAcceptableResponses;
-CERT_CompleteCRLDecodeEntries;
-CERT_CreateOCSPCertID;
-CERT_CreateOCSPRequest;
-CERT_DecodeDERCrlWithFlags;
-CERT_DecodeOCSPResponse;
-CERT_DestroyOCSPCertID;
-CERT_DestroyOCSPRequest;
-CERT_EncodeOCSPRequest;
-CERT_FilterCertListForUserCerts;
-CERT_GetOCSPResponseStatus;
-CERT_GetOCSPStatusForCertID;
-CERT_IsUserCert;
-CERT_RemoveCertListNode;
-CERT_VerifyCACertForUsage;
-CERT_VerifyCertificate;
-CERT_VerifyCertificateNow;
-CERT_VerifyOCSPResponseSignature;
-PK11_ConvertSessionPrivKeyToTokenPrivKey;
-PK11_ConvertSessionSymKeyToTokenSymKey;
-PK11_GetModInfo;
-PK11_GetPBEIV;
-PK11_ImportCRL;
-PK11_ImportDERCert;
-PK11_PubUnwrapSymKeyWithFlags;
-PK11_SaveContextAlloc;
-PK11_TokenKeyGen;
-SEC_QuickDERDecodeItem;
-SECKEY_CopyPublicKey;
-;+    local:
-;+       *;
-;+};
-;+NSS_3.7 { 	# NSS 3.7 release
-;+    global:
-CERT_CRLCacheRefreshIssuer;
-CERT_DestroyOCSPResponse;
-CERT_EncodeAltNameExtension;
-CERT_FindCertBySubjectKeyID;
-CERT_FindSubjectKeyIDExtension;
-CERT_GetFirstEmailAddress;
-CERT_GetNextEmailAddress;
-CERT_VerifySignedDataWithPublicKey;
-CERT_VerifySignedDataWithPublicKeyInfo;
-PK11_WaitForTokenEvent;
-;+    local:
-;+       *;
-;+};
-;+NSS_3.7.1 { 	# NSS 3.7.1 release
-;+    global:
-PK11_TokenRefresh;
-;+    local:
-;+       *;
-;+};
-;+NSS_3.8 { 	# NSS 3.8 release
-;+    global:
-CERT_IsRootDERCert;
-HASH_GetHashObjectByOidTag;
-HASH_GetHashTypeByOidTag;
-PK11_GetDefaultArray;
-PK11_GetDefaultFlags;
-PK11_GetDisabledReason;
-PK11_UpdateSlotAttribute;
-PK11_UserEnableSlot;
-PK11_UserDisableSlot;
-SECITEM_ItemsAreEqual;
-SECKEY_CreateECPrivateKey;
-SECKEY_PublicKeyStrengthInBits;
-;+    local:
-;+       *;
-;+};
-;+NSS_3.9 { 	# NSS 3.9 release
-;+    global:
-CERT_DestroyOidSequence;
-CERT_GetOidString;
-;;CERT_TimeChoiceTemplate DATA ;
-DER_DecodeTimeChoice;
-DER_EncodeTimeChoice;
-DSAU_DecodeDerSigToLen;
-DSAU_EncodeDerSigWithLen;
-NSS_Get_CERT_TimeChoiceTemplate;
-PK11_DeriveWithFlagsPerm;
-PK11_ExportEncryptedPrivKeyInfo;
-PK11_FindSlotsByNames;
-PK11_GetSymKeyType;
-PK11_MoveSymKey;
-PK11_PubDeriveWithKDF;
-PK11_PubUnwrapSymKeyWithFlagsPerm;
-PK11_UnwrapSymKeyWithFlagsPerm;
-SECITEM_ArenaDupItem;
-SECMOD_GetDBModuleList;
-SECMOD_GetDeadModuleList;
-SEC_ASN1DecoderAbort;
-SEC_ASN1EncoderAbort;
-SEC_DupCrl;
-;+    local:
-;+       *;
-;+};
-;+NSS_3.9.2 { 	# NSS 3.9.2 release
-;+    global:
-NSS_IsInitialized;
-PK11_DestroyGenericObject;
-PK11_DestroyGenericObjects;
-PK11_FindGenericObjects;
-PK11_GetNextGenericObject;
-PK11_GetPrevGenericObject;
-PK11_LinkGenericObject;
-PK11_ReadRawAttribute;
-PK11_UnlinkGenericObject;
-;+    local:
-;+       *;
-;+};
-;+NSS_3.9.3 { 	# NSS 3.9.3 release
-;+    global:
-PK11_GetCertFromPrivateKey;
-PK11_PrivDecryptPKCS1;
-PK11_PubEncryptPKCS1;
-SECMOD_CancelWait;
-SECMOD_HasRemovableSlots;
-SECMOD_UpdateSlotList;
-SECMOD_WaitForAnyTokenEvent;
-;+    local:
-;+       *;
-;+};
-;+NSS_3.10 { 	# NSS 3.10 release
-;+    global:
-CERT_CacheCRL;
-CERT_DecodeAltNameExtension;
-CERT_DecodeAuthInfoAccessExtension;
-CERT_DecodeAuthKeyID;
-CERT_DecodeCRLDistributionPoints;
-CERT_DecodeNameConstraintsExtension;
-CERT_DecodePrivKeyUsagePeriodExtension;
-CERT_DestroyUserNotice;
-CERT_FinishCertificateRequestAttributes;
-CERT_GetCertificateNames;
-CERT_GetCertificateRequestExtensions;
-CERT_GetNextGeneralName;
-CERT_GetNextNameConstraint;
-CERT_GetPrevGeneralName;
-CERT_GetPrevNameConstraint;
-CERT_MergeExtensions;
-CERT_StartCertificateRequestAttributes;
-CERT_StartCRLEntryExtensions;
-CERT_StartCRLExtensions;
-CERT_UncacheCRL;
-HASH_Clone;
-HASH_HashBuf;
-HASH_ResultLenByOidTag;
-HASH_ResultLenContext;
-SEC_GetSignatureAlgorithmOidTag;
-SECKEY_CacheStaticFlags;
-SECOID_AddEntry;
-;+#
-;+# Data objects
-;+#
-;+# Don't export these DATA symbols on Windows because they don't work right.
-;;CERT_SequenceOfCertExtensionTemplate DATA ;
-;;CERT_SignedCrlTemplate DATA ;
-NSS_Get_CERT_SequenceOfCertExtensionTemplate;
-NSS_Get_CERT_SignedCrlTemplate;
-;+    local:
-;+       *;
-;+};
-;+NSS_3.10.2 { 	# NSS 3.10.2 release
-;+    global:
-PK11_TokenKeyGenWithFlags;
-PK11_GenerateKeyPairWithFlags;
-;+    local:
-;+       *;
-;+};
-;+NSS_3.11 { 	# NSS 3.11 release
-;+    global:
-CERT_CompareValidityTimes;
-PK11_CopyTokenPrivKeyToSessionPrivKey;
-PK11_FreeSlotListElement;
-PK11_GenerateRandomOnSlot;
-PK11_GetSymKeyUserData;
-PK11_MapSignKeyType;
-PK11_SetSymKeyUserData;
-SECMOD_CloseUserDB;
-SECMOD_HasRootCerts;
-SECMOD_OpenUserDB;
-;+    local:
-;+       *;
-;+};
diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h
deleted file mode 100644
index 4aaa84d09..000000000
--- a/security/nss/lib/nss/nss.h
+++ /dev/null
@@ -1,208 +0,0 @@
-/*
- * NSS utility functions
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#ifndef __nss_h_
-#define __nss_h_
-
-#include "seccomon.h"
-
-SEC_BEGIN_PROTOS
-
-/*
- * NSS's major version, minor version, patch level, and whether
- * this is a beta release.
- *
- * The format of the version string should be
- *     "<major version>.<minor version>[.<patch level>] [<Beta>]"
- */
-#define NSS_VERSION  "3.11 Beta"
-#define NSS_VMAJOR   3
-#define NSS_VMINOR   11
-#define NSS_VPATCH   0
-#define NSS_BETA     PR_TRUE
-
-
-/*
- * Return a boolean that indicates whether the underlying library
- * will perform as the caller expects.
- *
- * The only argument is a string, which should be the verson
- * identifier of the NSS library. That string will be compared
- * against a string that represents the actual build version of
- * the NSS library.  It also invokes the version checking functions
- * of the dependent libraries such as NSPR.
- */
-extern PRBool NSS_VersionCheck(const char *importedVersion);
-
-/*
- * Open the Cert, Key, and Security Module databases, read only.
- * Initialize the Random Number Generator.
- * Does not initialize the cipher policies or enables.
- * Default policy settings disallow all ciphers.
- */
-extern SECStatus NSS_Init(const char *configdir);
-
-/*
- * Returns whether NSS has already been initialized or not.
- */
-extern PRBool NSS_IsInitialized(void);
-
-/*
- * Open the Cert, Key, and Security Module databases, read/write.
- * Initialize the Random Number Generator.
- * Does not initialize the cipher policies or enables.
- * Default policy settings disallow all ciphers.
- */
-extern SECStatus NSS_InitReadWrite(const char *configdir);
-
-/*
- * Open the Cert, Key, and Security Module databases, read/write.
- * Initialize the Random Number Generator.
- * Does not initialize the cipher policies or enables.
- * Default policy settings disallow all ciphers.
- *
- * This allows using application defined prefixes for the cert and key db's
- * and an alternate name for the secmod database. NOTE: In future releases,
- * the database prefixes my not necessarily map to database names.
- *
- * configdir - base directory where all the cert, key, and module datbases live.
- * certPrefix - prefix added to the beginning of the cert database example: "
- * 			"https-server1-"
- * keyPrefix - prefix added to the beginning of the key database example: "
- * 			"https-server1-"
- * secmodName - name of the security module database (usually "secmod.db").
- * flags - change the open options of NSS_Initialize as follows:
- * 	NSS_INIT_READONLY - Open the databases read only.
- * 	NSS_INIT_NOCERTDB - Don't open the cert DB and key DB's, just 
- * 			initialize the volatile certdb.
- * 	NSS_INIT_NOMODDB  - Don't open the security module DB, just 
- *			initialize the 	PKCS #11 module.
- *      NSS_INIT_FORCEOPEN - Continue to force initializations even if the 
- * 			databases cannot be opened.
- *      NSS_INIT_NOROOTINIT - Don't try to look for the root certs module
- *			automatically.
- *      NSS_INIT_OPTIMIZESPACE - Use smaller tables and caches.
- *      NSS_INIT_PK11THREADSAFE - only load PKCS#11 modules that are
- *                      thread-safe, ie. that support locking - either OS
- *                      locking or NSS-provided locks . If a PKCS#11
- *                      module isn't thread-safe, don't serialize its
- *                      calls; just don't load it instead. This is necessary
- *                      if another piece of code is using the same PKCS#11
- *                      modules that NSS is accessing without going through
- *                      NSS, for example the Java SunPKCS11 provider.
- *      NSS_INIT_PK11RELOAD - ignore the CKR_CRYPTOKI_ALREADY_INITIALIZED
- *                      error when loading PKCS#11 modules. This is necessary
- *                      if another piece of code is using the same PKCS#11
- *                      modules that NSS is accessing without going through
- *                      NSS, for example Java SunPKCS11 provider.
- *      NSS_INIT_NOPK11FINALIZE - never call C_Finalize on any
- *                      PKCS#11 module. This may be necessary in order to
- *                      ensure continuous operation and proper shutdown
- *                      sequence if another piece of code is using the same
- *                      PKCS#11 modules that NSS is accessing without going
- *                      through NSS, for example Java SunPKCS11 provider.
- *                      The following limitation applies when this is set :
- *                      SECMOD_WaitForAnyTokenEvent will not use
- *                      C_WaitForSlotEvent, in order to prevent the need for
- *                      C_Finalize. This call will be emulated instead.
- *      NSS_INIT_RESERVED - Currently has no effect, but may be used in the
- *                      future to trigger better cooperation between PKCS#11
- *                      modules used by both NSS and the Java SunPKCS11
- *                      provider. This should occur after a new flag is defined
- *                      for C_Initialize by the PKCS#11 working group.
- *      NSS_INIT_COOPERATE - Sets 4 recommended options for applications that
- *                      use both NSS and the Java SunPKCS11 provider.
- *
- * Also NOTE: This is not the recommended method for initializing NSS. 
- * The prefered method is NSS_init().
- */
-#define NSS_INIT_READONLY	0x1
-#define NSS_INIT_NOCERTDB	0x2
-#define NSS_INIT_NOMODDB	0x4
-#define NSS_INIT_FORCEOPEN	0x8
-#define NSS_INIT_NOROOTINIT     0x10
-#define NSS_INIT_OPTIMIZESPACE  0x20
-#define NSS_INIT_PK11THREADSAFE   0x40
-#define NSS_INIT_PK11RELOAD       0x80
-#define NSS_INIT_NOPK11FINALIZE   0x100
-#define NSS_INIT_RESERVED         0x200
-
-#define NSS_INIT_COOPERATE NSS_INIT_PK11THREADSAFE | \
-        NSS_INIT_PK11RELOAD | \
-        NSS_INIT_NOPK11FINALIZE | \
-        NSS_INIT_RESERVED
-
-#ifdef macintosh
-#define SECMOD_DB "Security Modules"
-#else
-#define SECMOD_DB "secmod.db"
-#endif
-
-extern SECStatus NSS_Initialize(const char *configdir, 
-	const char *certPrefix, const char *keyPrefix, 
-	const char *secmodName, PRUint32 flags);
-
-/*
- * initialize NSS without a creating cert db's, key db's, or secmod db's.
- */
-SECStatus NSS_NoDB_Init(const char *configdir);
-
-/* 
- * Close the Cert, Key databases.
- */
-extern SECStatus NSS_Shutdown(void);
-
-/*
- * set the PKCS #11 strings for the internal token.
- */
-void PK11_ConfigurePKCS11(const char *man, const char *libdes, 
-	const char *tokdes, const char *ptokdes, const char *slotdes, 
-	const char *pslotdes, const char *fslotdes, const char *fpslotdes,
-        int minPwd, int pwRequired);
-
-/*
- * Dump the contents of the certificate cache and the temporary cert store.
- * Use to detect leaked references of certs at shutdown time.
- */
-void nss_DumpCertificateCacheInfo(void);
-
-SEC_END_PROTOS
-
-#endif /* __nss_h_ */
diff --git a/security/nss/lib/nss/nss.rc b/security/nss/lib/nss/nss.rc
deleted file mode 100644
index be82dab75..000000000
--- a/security/nss/lib/nss/nss.rc
+++ /dev/null
@@ -1,101 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2001
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "nss.h"
-#include <winver.h>
-
-#define MY_LIBNAME "nss"
-#define MY_FILEDESCRIPTION "NSS Base Library"
-
-#define STRINGIZE(x) #x
-#define STRINGIZE2(x) STRINGIZE(x)
-#define NSS_VMAJOR_STR STRINGIZE2(NSS_VMAJOR)
-
-#ifdef _DEBUG
-#define MY_DEBUG_STR " (debug)"
-#define MY_FILEFLAGS_1 VS_FF_DEBUG
-#else
-#define MY_DEBUG_STR ""
-#define MY_FILEFLAGS_1 0x0L
-#endif
-#if NSS_BETA
-#define MY_FILEFLAGS_2 MY_FILEFLAGS_1|VS_FF_PRERELEASE
-#else
-#define MY_FILEFLAGS_2 MY_FILEFLAGS_1
-#endif
-
-#ifdef WINNT
-#define MY_FILEOS VOS_NT_WINDOWS32
-#else
-#define MY_FILEOS VOS__WINDOWS32
-#endif
-
-#define MY_INTERNAL_NAME MY_LIBNAME NSS_VMAJOR_STR
-
-/////////////////////////////////////////////////////////////////////////////
-//
-// Version-information resource
-//
-
-VS_VERSION_INFO VERSIONINFO
- FILEVERSION NSS_VMAJOR,NSS_VMINOR,NSS_VPATCH,0
- PRODUCTVERSION NSS_VMAJOR,NSS_VMINOR,NSS_VPATCH,0
- FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
- FILEFLAGS MY_FILEFLAGS_2
- FILEOS MY_FILEOS
- FILETYPE VFT_DLL
- FILESUBTYPE 0x0L // not used
-
-BEGIN
-    BLOCK "StringFileInfo"
-    BEGIN
-        BLOCK "040904B0" // Lang=US English, CharSet=Unicode
-        BEGIN
-            VALUE "CompanyName", "Netscape Communications Corporation\0"
-            VALUE "FileDescription", MY_FILEDESCRIPTION MY_DEBUG_STR "\0"
-            VALUE "FileVersion", NSS_VERSION "\0"
-            VALUE "InternalName", MY_INTERNAL_NAME "\0"
-            VALUE "LegalCopyright", "Copyright \251 1994-2001 Netscape Communications Corporation\0"
-            VALUE "OriginalFilename", MY_INTERNAL_NAME ".dll\0"
-            VALUE "ProductName", "Network Security Services\0"
-            VALUE "ProductVersion", NSS_VERSION "\0"
-        END
-    END
-    BLOCK "VarFileInfo"
-    BEGIN
-        VALUE "Translation", 0x409, 1200
-    END
-END
diff --git a/security/nss/lib/nss/nssinit.c b/security/nss/lib/nss/nssinit.c
deleted file mode 100644
index adf3efb04..000000000
--- a/security/nss/lib/nss/nssinit.c
+++ /dev/null
@@ -1,676 +0,0 @@
-/*
- * NSS utility functions
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <ctype.h>
-#include "seccomon.h"
-#include "prinit.h"
-#include "prprf.h"
-#include "prmem.h"
-#include "cert.h"
-#include "key.h"
-#include "ssl.h"
-#include "sslproto.h"
-#include "secmod.h"
-#include "secoid.h"
-#include "nss.h"
-#include "pk11func.h"
-#include "secerr.h"
-#include "nssbase.h"
-
-#include "pki3hack.h"
-#include "certi.h"
-#include "secmodi.h"
-
-/*
- * On Windows nss3.dll needs to export the symbol 'mktemp' to be
- * fully backward compatible with the nss3.dll in NSS 3.2.x and
- * 3.3.x.  This symbol was unintentionally exported and its
- * definition (in DBM) was moved from nss3.dll to softokn3.dll
- * in NSS 3.4.  See bug 142575.
- */
-#ifdef WIN32_NSS3_DLL_COMPAT
-#include <io.h>
-
-/* exported as 'mktemp' */
-char *
-nss_mktemp(char *path)
-{
-    return _mktemp(path);
-}
-#endif
-
-#define NSS_MAX_FLAG_SIZE  sizeof("readOnly")+sizeof("noCertDB")+ \
-	sizeof("noModDB")+sizeof("forceOpen")+sizeof("passwordRequired")+ \
-	sizeof ("optimizeSpace")
-#define NSS_DEFAULT_MOD_NAME "NSS Internal Module"
-
-static char *
-nss_makeFlags(PRBool readOnly, PRBool noCertDB, 
-				PRBool noModDB, PRBool forceOpen, 
-				PRBool passwordRequired, PRBool optimizeSpace) 
-{
-    char *flags = (char *)PORT_Alloc(NSS_MAX_FLAG_SIZE);
-    PRBool first = PR_TRUE;
-
-    PORT_Memset(flags,0,NSS_MAX_FLAG_SIZE);
-    if (readOnly) {
-        PORT_Strcat(flags,"readOnly");
-        first = PR_FALSE;
-    }
-    if (noCertDB) {
-        if (!first) PORT_Strcat(flags,",");
-        PORT_Strcat(flags,"noCertDB");
-        first = PR_FALSE;
-    }
-    if (noModDB) {
-        if (!first) PORT_Strcat(flags,",");
-        PORT_Strcat(flags,"noModDB");
-        first = PR_FALSE;
-    }
-    if (forceOpen) {
-        if (!first) PORT_Strcat(flags,",");
-        PORT_Strcat(flags,"forceOpen");
-        first = PR_FALSE;
-    }
-    if (passwordRequired) {
-        if (!first) PORT_Strcat(flags,",");
-        PORT_Strcat(flags,"passwordRequired");
-        first = PR_FALSE;
-    }
-    if (optimizeSpace) {
-        if (!first) PORT_Strcat(flags,",");
-        PORT_Strcat(flags,"optimizeSpace");
-        first = PR_FALSE;
-    }
-    return flags;
-}
-
-/*
- * statics to remember the PKCS11_ConfigurePKCS11()
- * info.
- */
-static char * pk11_config_strings = NULL;
-static char * pk11_config_name = NULL;
-static PRBool pk11_password_required = PR_FALSE;
-
-/*
- * this is a legacy configuration function which used to be part of
- * the PKCS #11 internal token.
- */
-void
-PK11_ConfigurePKCS11(const char *man, const char *libdes, const char *tokdes,
-	const char *ptokdes, const char *slotdes, const char *pslotdes, 
-	const char *fslotdes, const char *fpslotdes, int minPwd, int pwRequired)
-{
-   char *strings = NULL;
-   char *newStrings;
-
-   /* make sure the internationalization was done correctly... */
-   strings = PR_smprintf("");
-   if (strings == NULL) return;
-
-    if (man) {
-        newStrings = PR_smprintf("%s manufacturerID='%s'",strings,man);
-	PR_smprintf_free(strings);
-	strings = newStrings;
-    }
-   if (strings == NULL) return;
-
-    if (libdes) {
-        newStrings = PR_smprintf("%s libraryDescription='%s'",strings,libdes);
-	PR_smprintf_free(strings);
-	strings = newStrings;
-	if (pk11_config_name != NULL) {
-	    PORT_Free(pk11_config_name);
-	}
-	pk11_config_name = PORT_Strdup(libdes);
-    }
-   if (strings == NULL) return;
-
-    if (tokdes) {
-        newStrings = PR_smprintf("%s cryptoTokenDescription='%s'",strings,
-								tokdes);
-	PR_smprintf_free(strings);
-	strings = newStrings;
-    }
-   if (strings == NULL) return;
-
-    if (ptokdes) {
-        newStrings = PR_smprintf("%s dbTokenDescription='%s'",strings,ptokdes);
-	PR_smprintf_free(strings);
-	strings = newStrings;
-    }
-   if (strings == NULL) return;
-
-    if (slotdes) {
-        newStrings = PR_smprintf("%s cryptoSlotDescription='%s'",strings,
-								slotdes);
-	PR_smprintf_free(strings);
-	strings = newStrings;
-    }
-   if (strings == NULL) return;
-
-    if (pslotdes) {
-        newStrings = PR_smprintf("%s dbSlotDescription='%s'",strings,pslotdes);
-	PR_smprintf_free(strings);
-	strings = newStrings;
-    }
-   if (strings == NULL) return;
-
-    if (fslotdes) {
-        newStrings = PR_smprintf("%s FIPSSlotDescription='%s'",
-							strings,fslotdes);
-	PR_smprintf_free(strings);
-	strings = newStrings;
-    }
-   if (strings == NULL) return;
-
-    if (fpslotdes) {
-        newStrings = PR_smprintf("%s FIPSTokenDescription='%s'",
-							strings,fpslotdes);
-	PR_smprintf_free(strings);
-	strings = newStrings;
-    }
-   if (strings == NULL) return;
-
-    newStrings = PR_smprintf("%s minPS=%d", strings, minPwd);
-    PR_smprintf_free(strings);
-    strings = newStrings;
-   if (strings == NULL) return;
-
-    if (pk11_config_strings != NULL) {
-	PR_smprintf_free(pk11_config_strings);
-    }
-    pk11_config_strings = strings;
-    pk11_password_required = pwRequired;
-
-    return;
-}
-
-static char *
-nss_addEscape(const char *string, char quote)
-{
-    char *newString = 0;
-    int escapes = 0, size = 0;
-    const char *src;
-    char *dest;
-
-    for (src=string; *src ; src++) {
-	if ((*src == quote) || (*src == '\\')) escapes++;
-	size++;
-    }
-
-    newString = PORT_ZAlloc(escapes+size+1); 
-    if (newString == NULL) {
-	return NULL;
-    }
-
-    for (src=string, dest=newString; *src; src++,dest++) {
-	if ((*src == '\\') || (*src == quote)) {
-	    *dest++ = '\\';
-	}
-	*dest = *src;
-    }
-
-    return newString;
-}
-
-static char *
-nss_doubleEscape(const char *string)
-{
-    char *round1 = NULL;
-    char *retValue = NULL;
-    if (string == NULL) {
-	goto done;
-    }
-    round1 = nss_addEscape(string,'\'');
-    if (round1) {
-	retValue = nss_addEscape(round1,'"');
-	PORT_Free(round1);
-    }
-
-done:
-    if (retValue == NULL) {
-	retValue = PORT_Strdup("");
-    }
-    return retValue;
-}
-
-
-#ifndef XP_MAC
-/*
- * The following code is an attempt to automagically find the external root
- * module. NOTE: This code should be checked out on the MAC! There must be
- * some cross platform support out there to help out with this?
- * Note: Keep the #if-defined chunks in order. HPUX must select before UNIX.
- */
-
-static const char *dllname =
-#if defined(XP_WIN32) || defined(XP_OS2)
-	"nssckbi.dll";
-#elif defined(HPUX) && !defined(__ia64)  /* HP-UX PA-RISC */
-	"libnssckbi.sl";
-#elif defined(DARWIN)
-	"libnssckbi.dylib";
-#elif defined(XP_UNIX) || defined(XP_BEOS)
-	"libnssckbi.so";
-#elif defined(XP_MAC)
-	"NSS Builtin Root Certs";
-#else
-	#error "Uh! Oh! I don't know about this platform."
-#endif
-
-/* Should we have platform ifdefs here??? */
-#define FILE_SEP '/'
-
-static void nss_FindExternalRootPaths(const char *dbpath, const char* secmodprefix,
-                              char** retoldpath, char** retnewpath)
-{
-    char *path, *oldpath = NULL, *lastsep;
-    int len, path_len, secmod_len, dll_len;
-
-    path_len = PORT_Strlen(dbpath);
-    secmod_len = PORT_Strlen(secmodprefix);
-    dll_len = PORT_Strlen(dllname);
-    len = path_len + secmod_len + dll_len + 2; /* FILE_SEP + NULL */
-
-    path = PORT_Alloc(len);
-    if (path == NULL) return;
-
-    /* back up to the top of the directory */
-    PORT_Memcpy(path,dbpath,path_len);
-    if (path[path_len-1] != FILE_SEP) {
-        path[path_len++] = FILE_SEP;
-    }
-    PORT_Strcpy(&path[path_len],dllname);
-    if (secmodprefix) {
-        lastsep = PORT_Strrchr(secmodprefix, FILE_SEP);
-        if (lastsep) {
-            int secmoddir_len = lastsep-secmodprefix+1; /* FILE_SEP */
-            oldpath = PORT_Alloc(len);
-            if (oldpath == NULL) {
-                PORT_Free(path);
-                return;
-            }
-            PORT_Memcpy(oldpath,path,path_len);
-            PORT_Memcpy(&oldpath[path_len],secmodprefix,secmoddir_len);
-            PORT_Strcpy(&oldpath[path_len+secmoddir_len],dllname);
-        }
-    }
-    *retoldpath = oldpath;
-    *retnewpath = path;
-    return;
-}
-
-static void nss_FreeExternalRootPaths(char* oldpath, char* path)
-{
-    if (path) {
-        PORT_Free(path);
-    }
-    if (oldpath) {
-        PORT_Free(oldpath);
-    }
-}
-
-static void
-nss_FindExternalRoot(const char *dbpath, const char* secmodprefix)
-{
-	char *path = NULL;
-        char *oldpath = NULL;
-        PRBool hasrootcerts = PR_FALSE;
-
-        /*
-         * 'oldpath' is the external root path in NSS 3.3.x or older.
-         * For backward compatibility we try to load the root certs
-         * module with the old path first.
-         */
-        nss_FindExternalRootPaths(dbpath, secmodprefix, &oldpath, &path);
-        if (oldpath) {
-            (void) SECMOD_AddNewModule("Root Certs",oldpath, 0, 0);
-            hasrootcerts = SECMOD_HasRootCerts();
-        }
-        if (path && !hasrootcerts) {
-	    (void) SECMOD_AddNewModule("Root Certs",path, 0, 0);
-        }
-        nss_FreeExternalRootPaths(oldpath, path);
-	return;
-}
-#endif
-
-/*
- * OK there are now lots of options here, lets go through them all:
- *
- * configdir - base directory where all the cert, key, and module datbases live.
- * certPrefix - prefix added to the beginning of the cert database example: "
- * 			"https-server1-"
- * keyPrefix - prefix added to the beginning of the key database example: "
- * 			"https-server1-"
- * secmodName - name of the security module database (usually "secmod.db").
- * readOnly - Boolean: true if the databases are to be openned read only.
- * nocertdb - Don't open the cert DB and key DB's, just initialize the 
- *			Volatile certdb.
- * nomoddb - Don't open the security module DB, just initialize the 
- *			PKCS #11 module.
- * forceOpen - Continue to force initializations even if the databases cannot
- * 			be opened.
- */
-
-static PRBool nss_IsInitted = PR_FALSE;
-
-extern SECStatus secoid_Init(void);
-
-static SECStatus
-nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
-		 const char *secmodName, PRBool readOnly, PRBool noCertDB, 
-			PRBool noModDB, PRBool forceOpen, PRBool noRootInit,
-			PRBool optimizeSpace, PRBool noSingleThreadedModules,
-			PRBool allowAlreadyInitializedModules,
-			PRBool dontFinalizeModules)
-{
-    char *moduleSpec = NULL;
-    char *flags = NULL;
-    SECStatus rv = SECFailure;
-    char *lconfigdir = NULL;
-    char *lcertPrefix = NULL;
-    char *lkeyPrefix = NULL;
-    char *lsecmodName = NULL;
-
-    if (nss_IsInitted) {
-	return SECSuccess;
-    }
-
-    if (SECSuccess != InitCRLCache()) {
-        return SECFailure;
-    }
-
-    flags = nss_makeFlags(readOnly,noCertDB,noModDB,forceOpen,
-					pk11_password_required, optimizeSpace);
-    if (flags == NULL) return rv;
-
-    /*
-     * configdir is double nested, and Windows uses the same character
-     * for file seps as we use for escapes! (sigh).
-     */
-    lconfigdir = nss_doubleEscape(configdir);
-    if (lconfigdir == NULL) {
-	goto loser;
-    }
-    lcertPrefix = nss_doubleEscape(certPrefix);
-    if (lcertPrefix == NULL) {
-	goto loser;
-    }
-    lkeyPrefix = nss_doubleEscape(keyPrefix);
-    if (lkeyPrefix == NULL) {
-	goto loser;
-    }
-    lsecmodName = nss_doubleEscape(secmodName);
-    if (lsecmodName == NULL) {
-	goto loser;
-    }
-    if (noSingleThreadedModules || allowAlreadyInitializedModules ||
-        dontFinalizeModules) {
-        pk11_setGlobalOptions(noSingleThreadedModules,
-                              allowAlreadyInitializedModules,
-                              dontFinalizeModules);
-    }
-
-    moduleSpec = PR_smprintf("name=\"%s\" parameters=\"configdir='%s' certPrefix='%s' keyPrefix='%s' secmod='%s' flags=%s %s\" NSS=\"flags=internal,moduleDB,moduleDBOnly,critical\"",
-		pk11_config_name ? pk11_config_name : NSS_DEFAULT_MOD_NAME,
-		lconfigdir,lcertPrefix,lkeyPrefix,lsecmodName,flags,
-		pk11_config_strings ? pk11_config_strings : "");
-
-loser:
-    PORT_Free(flags);
-    if (lconfigdir) PORT_Free(lconfigdir);
-    if (lcertPrefix) PORT_Free(lcertPrefix);
-    if (lkeyPrefix) PORT_Free(lkeyPrefix);
-    if (lsecmodName) PORT_Free(lsecmodName);
-
-    if (moduleSpec) {
-	SECMODModule *module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE);
-	PR_smprintf_free(moduleSpec);
-	if (module) {
-	    if (module->loaded) rv=SECSuccess;
-	    SECMOD_DestroyModule(module);
-	}
-    }
-
-    if (rv == SECSuccess) {
-	if (secoid_Init() != SECSuccess) {
-	    return SECFailure;
-	}
-	if (STAN_LoadDefaultNSS3TrustDomain() != PR_SUCCESS) {
-	    return SECFailure;
-	}
-	CERT_SetDefaultCertDB((CERTCertDBHandle *)
-				STAN_GetDefaultTrustDomain());
-#ifndef XP_MAC
-	/* only servers need this. We currently do not have a mac server */
-	if ((!noModDB) && (!noCertDB) && (!noRootInit)) {
-	    if (!SECMOD_HasRootCerts()) {
-		nss_FindExternalRoot(configdir, secmodName);
-	    }
-	}
-#endif
-	pk11sdr_Init();
-	cert_CreateSubjectKeyIDHashTable();
-	nss_IsInitted = PR_TRUE;
-    }
-    return rv;
-}
-
-
-SECStatus
-NSS_Init(const char *configdir)
-{
-    return nss_Init(configdir, "", "", SECMOD_DB, PR_TRUE, 
-		PR_FALSE, PR_FALSE, PR_FALSE, PR_FALSE, PR_TRUE, PR_FALSE, PR_FALSE, PR_FALSE);
-}
-
-SECStatus
-NSS_InitReadWrite(const char *configdir)
-{
-    return nss_Init(configdir, "", "", SECMOD_DB, PR_FALSE, 
-		PR_FALSE, PR_FALSE, PR_FALSE, PR_FALSE, PR_TRUE, PR_FALSE, PR_FALSE, PR_FALSE);
-}
-
-/*
- * OK there are now lots of options here, lets go through them all:
- *
- * configdir - base directory where all the cert, key, and module datbases live.
- * certPrefix - prefix added to the beginning of the cert database example: "
- * 			"https-server1-"
- * keyPrefix - prefix added to the beginning of the key database example: "
- * 			"https-server1-"
- * secmodName - name of the security module database (usually "secmod.db").
- * flags - change the open options of NSS_Initialize as follows:
- * 	NSS_INIT_READONLY - Open the databases read only.
- * 	NSS_INIT_NOCERTDB - Don't open the cert DB and key DB's, just 
- * 			initialize the volatile certdb.
- * 	NSS_INIT_NOMODDB  - Don't open the security module DB, just 
- *			initialize the 	PKCS #11 module.
- *      NSS_INIT_FORCEOPEN - Continue to force initializations even if the 
- * 			databases cannot be opened.
- *      NSS_INIT_PK11THREADSAFE - only load PKCS#11 modules that are
- *                      thread-safe, ie. that support locking - either OS
- *                      locking or NSS-provided locks . If a PKCS#11
- *                      module isn't thread-safe, don't serialize its
- *                      calls; just don't load it instead. This is necessary
- *                      if another piece of code is using the same PKCS#11
- *                      modules that NSS is accessing without going through
- *                      NSS, for example the Java SunPKCS11 provider.
- *      NSS_INIT_PK11RELOAD - ignore the CKR_CRYPTOKI_ALREADY_INITIALIZED
- *                      error when loading PKCS#11 modules. This is necessary
- *                      if another piece of code is using the same PKCS#11
- *                      modules that NSS is accessing without going through
- *                      NSS, for example Java SunPKCS11 provider.
- *      NSS_INIT_NOPK11FINALIZE - never call C_Finalize on any
- *                      PKCS#11 module. This may be necessary in order to
- *                      ensure continuous operation and proper shutdown
- *                      sequence if another piece of code is using the same
- *                      PKCS#11 modules that NSS is accessing without going
- *                      through NSS, for example Java SunPKCS11 provider.
- *                      The following limitation applies when this is set :
- *                      SECMOD_WaitForAnyTokenEvent will not use
- *                      C_WaitForSlotEvent, in order to prevent the need for
- *                      C_Finalize. This call will be emulated instead.
- *      NSS_INIT_RESERVED - Currently has no effect, but may be used in the
- *                      future to trigger better cooperation between PKCS#11
- *                      modules used by both NSS and the Java SunPKCS11
- *                      provider. This should occur after a new flag is defined
- *                      for C_Initialize by the PKCS#11 working group.
- *      NSS_INIT_COOPERATE - Sets 4 recommended options for applications that
- *                      use both NSS and the Java SunPKCS11 provider. 
- */
-SECStatus
-NSS_Initialize(const char *configdir, const char *certPrefix, 
-	const char *keyPrefix, const char *secmodName, PRUint32 flags)
-{
-    return nss_Init(configdir, certPrefix, keyPrefix, secmodName, 
-	((flags & NSS_INIT_READONLY) == NSS_INIT_READONLY),
-	((flags & NSS_INIT_NOCERTDB) == NSS_INIT_NOCERTDB),
-	((flags & NSS_INIT_NOMODDB) == NSS_INIT_NOMODDB),
-	((flags & NSS_INIT_FORCEOPEN) == NSS_INIT_FORCEOPEN),
-	((flags & NSS_INIT_NOROOTINIT) == NSS_INIT_NOROOTINIT),
-	((flags & NSS_INIT_OPTIMIZESPACE) == NSS_INIT_OPTIMIZESPACE),
-        ((flags & NSS_INIT_PK11THREADSAFE) == NSS_INIT_PK11THREADSAFE),
-        ((flags & NSS_INIT_PK11RELOAD) == NSS_INIT_PK11RELOAD),
-        ((flags & NSS_INIT_NOPK11FINALIZE) == NSS_INIT_NOPK11FINALIZE));
-}
-
-/*
- * initialize NSS without a creating cert db's, key db's, or secmod db's.
- */
-SECStatus
-NSS_NoDB_Init(const char * configdir)
-{
-      return nss_Init("","","","",
-			PR_TRUE,PR_TRUE,PR_TRUE,PR_TRUE,PR_TRUE,PR_TRUE,
-			PR_FALSE,PR_FALSE,PR_FALSE);
-}
-
-extern const NSSError NSS_ERROR_BUSY;
-
-SECStatus
-NSS_Shutdown(void)
-{
-    SECStatus rv;
-    PRStatus status;
-
-    ShutdownCRLCache();
-    SECOID_Shutdown();
-    status = STAN_Shutdown();
-    cert_DestroySubjectKeyIDHashTable();
-    rv = SECMOD_Shutdown();
-    pk11sdr_Shutdown();
-    if (status == PR_FAILURE) {
-	if (NSS_GetError() == NSS_ERROR_BUSY) {
-	    PORT_SetError(SEC_ERROR_BUSY);
-	}
-	rv = SECFailure;
-    }
-    nss_IsInitted = PR_FALSE;
-    return rv;
-}
-
-PRBool
-NSS_IsInitialized(void)
-{
-    return nss_IsInitted;
-}
-
-
-extern const char __nss_base_rcsid[];
-extern const char __nss_base_sccsid[];
-
-PRBool
-NSS_VersionCheck(const char *importedVersion)
-{
-    /*
-     * This is the secret handshake algorithm.
-     *
-     * This release has a simple version compatibility
-     * check algorithm.  This release is not backward
-     * compatible with previous major releases.  It is
-     * not compatible with future major, minor, or
-     * patch releases.
-     */
-    int vmajor = 0, vminor = 0, vpatch = 0;
-    const char *ptr = importedVersion;
-    volatile char c; /* force a reference that won't get optimized away */
-
-    c = __nss_base_rcsid[0] + __nss_base_sccsid[0]; 
-
-    while (isdigit(*ptr)) {
-        vmajor = 10 * vmajor + *ptr - '0';
-        ptr++;
-    }
-    if (*ptr == '.') {
-        ptr++;
-        while (isdigit(*ptr)) {
-            vminor = 10 * vminor + *ptr - '0';
-            ptr++;
-        }
-        if (*ptr == '.') {
-            ptr++;
-            while (isdigit(*ptr)) {
-                vpatch = 10 * vpatch + *ptr - '0';
-                ptr++;
-            }
-        }
-    }
-
-    if (vmajor != NSS_VMAJOR) {
-        return PR_FALSE;
-    }
-    if (vmajor == NSS_VMAJOR && vminor > NSS_VMINOR) {
-        return PR_FALSE;
-    }
-    if (vmajor == NSS_VMAJOR && vminor == NSS_VMINOR && vpatch > NSS_VPATCH) {
-        return PR_FALSE;
-    }
-    /* Check dependent libraries */
-    if (PR_VersionCheck(PR_VERSION) == PR_FALSE) {
-        return PR_FALSE;
-    }
-    return PR_TRUE;
-}
-
-
diff --git a/security/nss/lib/nss/nssrenam.h b/security/nss/lib/nss/nssrenam.h
deleted file mode 100644
index bc9e4daf1..000000000
--- a/security/nss/lib/nss/nssrenam.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2001
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef __nssrenam_h_
-#define __nssrenam_h_
-
-#define CERT_NewTempCertificate __CERT_NewTempCertificate
-#define CERT_AddTempCertToPerm __CERT_AddTempCertToPerm
-#define PK11_CreateContextByRawKey __PK11_CreateContextByRawKey
-#define PK11_GetKeyData __PK11_GetKeyData
-#define nss_InitLock __nss_InitLock
-#define CERT_ClosePermCertDB __CERT_ClosePermCertDB
-#define CERT_DecodeDERCertificate __CERT_DecodeDERCertificate
-#define CERT_TraversePermCertsForNickname __CERT_TraversePermCertsForNickname
-#define CERT_TraversePermCertsForSubject __CERT_TraversePermCertsForSubject
-#define PBE_CreateContext __PBE_CreateContext
-#define PBE_DestroyContext __PBE_DestroyContext
-#define PBE_GenerateBits __PBE_GenerateBits
-
-#endif /* __nssrenam_h_ */
diff --git a/security/nss/lib/nss/nssver.c b/security/nss/lib/nss/nssver.c
deleted file mode 100644
index 9d7f8136e..000000000
--- a/security/nss/lib/nss/nssver.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2001
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/* Library identity and versioning */
-
-#include "nss.h"
-
-#if defined(DEBUG)
-#define _DEBUG_STRING " (debug)"
-#else
-#define _DEBUG_STRING ""
-#endif
-
-/*
- * Version information for the 'ident' and 'what commands
- *
- * NOTE: the first component of the concatenated rcsid string
- * must not end in a '$' to prevent rcs keyword substitution.
- */
-const char __nss_base_rcsid[] = "$Header: NSS " NSS_VERSION _DEBUG_STRING
-        "  " __DATE__ " " __TIME__ " $";
-const char __nss_base_sccsid[] = "@(#)NSS " NSS_VERSION _DEBUG_STRING
-        "  " __DATE__ " " __TIME__;
diff --git a/security/nss/lib/pk11wrap/Makefile b/security/nss/lib/pk11wrap/Makefile
deleted file mode 100644
index 95766f79e..000000000
--- a/security/nss/lib/pk11wrap/Makefile
+++ /dev/null
@@ -1,103 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
--include config.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-export:: private_export
-
-# On AIX 4.3, IBM xlC_r compiler (version 3.6.6) cannot compile
-# pk11slot.c in 64-bit mode for unknown reasons.  A workaround is
-# to compile it with optimizations turned on.  (Bugzilla bug #63815)
-ifeq ($(OS_TARGET)$(OS_RELEASE),AIX4.3)
-ifeq ($(USE_64),1)
-ifndef BUILD_OPT
-$(OBJDIR)/pk11slot.o: pk11slot.c
-	@$(MAKE_OBJDIR)
-	$(CC) -o $@ -c -O2 $(CFLAGS) $<
-endif
-endif
-endif
-
-# Bugzilla Bug 209827: disable optimization to work around what appears
-# to be a VACPP optimizer bug.
-ifdef XP_OS2_VACPP
-$(OBJDIR)/pk11skey.obj: pk11skey.c
-	@$(MAKE_OBJDIR)
-	$(CC) -Fo$@ -c $(filter-out /O+, $(CFLAGS)) $(call abspath,$<)
-$(OBJDIR)/pk11slot.obj: pk11slot.c
-	@$(MAKE_OBJDIR)
-	$(CC) -Fo$@ -c $(filter-out /O+, $(CFLAGS)) $(call abspath,$<)
-endif
diff --git a/security/nss/lib/pk11wrap/config.mk b/security/nss/lib/pk11wrap/config.mk
deleted file mode 100644
index 665828c63..000000000
--- a/security/nss/lib/pk11wrap/config.mk
+++ /dev/null
@@ -1,47 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#
-#  Override TARGETS variable so that only static libraries
-#  are specifed as dependencies within rules.mk.
-#
-
-TARGETS        = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PROGRAM        =
-
diff --git a/security/nss/lib/pk11wrap/debug_module.c b/security/nss/lib/pk11wrap/debug_module.c
deleted file mode 100644
index 3775f4ad1..000000000
--- a/security/nss/lib/pk11wrap/debug_module.c
+++ /dev/null
@@ -1,2212 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#include "prlog.h"
-#include <stdio.h>
-
-static PRLogModuleInfo *modlog = NULL;
-
-static CK_FUNCTION_LIST_PTR module_functions;
-
-static CK_FUNCTION_LIST debug_functions;
-
-static void print_final_statistics(void);
-
-/* The AIX 64-bit compiler chokes on large switch statements (see
- * bug #63815).  I tried the trick recommended there, using -O2 in
- * debug builds, and it didn't work.  Instead, I'll suppress some of
- * the verbose output and just dump values.
- */
-
-static void get_attr_type_str(CK_ATTRIBUTE_TYPE atype, char *str, int len)
-{
-#define SETA(attr) \
-    PR_snprintf(str, len, "%s", attr); break;
-    switch (atype) {
-#ifndef AIX_64BIT
-    case CKA_CLASS: SETA("CKA_CLASS");
-    case CKA_TOKEN: SETA("CKA_TOKEN");
-    case CKA_PRIVATE: SETA("CKA_PRIVATE");
-    case CKA_LABEL: SETA("CKA_LABEL");
-    case CKA_APPLICATION: SETA("CKA_APPLICATION");
-    case CKA_VALUE: SETA("CKA_VALUE");
-    case CKA_OBJECT_ID: SETA("CKA_OBJECT_ID");
-    case CKA_CERTIFICATE_TYPE: SETA("CKA_CERTIFICATE_TYPE");
-    case CKA_ISSUER: SETA("CKA_ISSUER");
-    case CKA_SERIAL_NUMBER: SETA("CKA_SERIAL_NUMBER");
-    case CKA_AC_ISSUER: SETA("CKA_AC_ISSUER");
-    case CKA_OWNER: SETA("CKA_OWNER");
-    case CKA_ATTR_TYPES: SETA("CKA_ATTR_TYPES");
-    case CKA_TRUSTED: SETA("CKA_TRUSTED");
-    case CKA_KEY_TYPE: SETA("CKA_KEY_TYPE");
-    case CKA_SUBJECT: SETA("CKA_SUBJECT");
-    case CKA_ID: SETA("CKA_ID");
-    case CKA_SENSITIVE: SETA("CKA_SENSITIVE");
-    case CKA_ENCRYPT: SETA("CKA_ENCRYPT");
-    case CKA_DECRYPT: SETA("CKA_DECRYPT");
-    case CKA_WRAP: SETA("CKA_WRAP");
-    case CKA_UNWRAP: SETA("CKA_UNWRAP");
-    case CKA_SIGN: SETA("CKA_SIGN");
-    case CKA_SIGN_RECOVER: SETA("CKA_SIGN_RECOVER");
-    case CKA_VERIFY: SETA("CKA_VERIFY");
-    case CKA_VERIFY_RECOVER: SETA("CKA_VERIFY_RECOVER");
-    case CKA_DERIVE: SETA("CKA_DERIVE");
-    case CKA_START_DATE: SETA("CKA_START_DATE");
-    case CKA_END_DATE: SETA("CKA_END_DATE");
-    case CKA_MODULUS: SETA("CKA_MODULUS");
-    case CKA_MODULUS_BITS: SETA("CKA_MODULUS_BITS");
-    case CKA_PUBLIC_EXPONENT: SETA("CKA_PUBLIC_EXPONENT");
-    case CKA_PRIVATE_EXPONENT: SETA("CKA_PRIVATE_EXPONENT");
-    case CKA_PRIME_1: SETA("CKA_PRIME_1");
-    case CKA_PRIME_2: SETA("CKA_PRIME_2");
-    case CKA_EXPONENT_1: SETA("CKA_EXPONENT_1");
-    case CKA_EXPONENT_2: SETA("CKA_EXPONENT_2");
-    case CKA_COEFFICIENT: SETA("CKA_COEFFICIENT");
-    case CKA_PRIME: SETA("CKA_PRIME");
-    case CKA_SUBPRIME: SETA("CKA_SUBPRIME");
-    case CKA_BASE: SETA("CKA_BASE");
-    case CKA_PRIME_BITS: SETA("CKA_PRIME_BITS");
-    case CKA_SUB_PRIME_BITS: SETA("CKA_SUB_PRIME_BITS");
-    case CKA_VALUE_BITS: SETA("CKA_VALUE_BITS");
-    case CKA_VALUE_LEN: SETA("CKA_VALUE_LEN");
-    case CKA_EXTRACTABLE: SETA("CKA_EXTRACTABLE");
-    case CKA_LOCAL: SETA("CKA_LOCAL");
-    case CKA_NEVER_EXTRACTABLE: SETA("CKA_NEVER_EXTRACTABLE");
-    case CKA_ALWAYS_SENSITIVE: SETA("CKA_ALWAYS_SENSITIVE");
-    case CKA_KEY_GEN_MECHANISM: SETA("CKA_KEY_GEN_MECHANISM");
-    case CKA_MODIFIABLE: SETA("CKA_MODIFIABLE");
-    case CKA_ECDSA_PARAMS: SETA("CKA_ECDSA_PARAMS");
-    case CKA_EC_POINT: SETA("CKA_EC_POINT");
-    case CKA_SECONDARY_AUTH: SETA("CKA_SECONDARY_AUTH");
-    case CKA_AUTH_PIN_FLAGS: SETA("CKA_AUTH_PIN_FLAGS");
-    case CKA_HW_FEATURE_TYPE: SETA("CKA_HW_FEATURE_TYPE");
-    case CKA_RESET_ON_INIT: SETA("CKA_RESET_ON_INIT");
-    case CKA_HAS_RESET: SETA("CKA_HAS_RESET");
-    case CKA_VENDOR_DEFINED: SETA("CKA_VENDOR_DEFINED");
-    case CKA_NETSCAPE_URL: SETA("CKA_NETSCAPE_URL");
-    case CKA_NETSCAPE_EMAIL: SETA("CKA_NETSCAPE_EMAIL");
-    case CKA_NETSCAPE_SMIME_INFO: SETA("CKA_NETSCAPE_SMIME_INFO");
-    case CKA_NETSCAPE_SMIME_TIMESTAMP: SETA("CKA_NETSCAPE_SMIME_TIMESTAMP");
-    case CKA_NETSCAPE_PKCS8_SALT: SETA("CKA_NETSCAPE_PKCS8_SALT");
-    case CKA_NETSCAPE_PASSWORD_CHECK: SETA("CKA_NETSCAPE_PASSWORD_CHECK");
-    case CKA_NETSCAPE_EXPIRES: SETA("CKA_NETSCAPE_EXPIRES");
-    case CKA_NETSCAPE_KRL: SETA("CKA_NETSCAPE_KRL");
-    case CKA_NETSCAPE_PQG_COUNTER: SETA("CKA_NETSCAPE_PQG_COUNTER");
-    case CKA_NETSCAPE_PQG_SEED: SETA("CKA_NETSCAPE_PQG_SEED");
-    case CKA_NETSCAPE_PQG_H: SETA("CKA_NETSCAPE_PQG_H");
-    case CKA_NETSCAPE_PQG_SEED_BITS: SETA("CKA_NETSCAPE_PQG_SEED_BITS");
-    case CKA_TRUST: SETA("CKA_TRUST");
-    case CKA_TRUST_DIGITAL_SIGNATURE: SETA("CKA_TRUST_DIGITAL_SIGNATURE");
-    case CKA_TRUST_NON_REPUDIATION: SETA("CKA_TRUST_NON_REPUDIATION");
-    case CKA_TRUST_KEY_ENCIPHERMENT: SETA("CKA_TRUST_KEY_ENCIPHERMENT");
-    case CKA_TRUST_DATA_ENCIPHERMENT: SETA("CKA_TRUST_DATA_ENCIPHERMENT");
-    case CKA_TRUST_KEY_AGREEMENT: SETA("CKA_TRUST_KEY_AGREEMENT");
-    case CKA_TRUST_KEY_CERT_SIGN: SETA("CKA_TRUST_KEY_CERT_SIGN");
-    case CKA_TRUST_CRL_SIGN: SETA("CKA_TRUST_CRL_SIGN");
-    case CKA_TRUST_SERVER_AUTH: SETA("CKA_TRUST_SERVER_AUTH");
-    case CKA_TRUST_CLIENT_AUTH: SETA("CKA_TRUST_CLIENT_AUTH");
-    case CKA_TRUST_CODE_SIGNING: SETA("CKA_TRUST_CODE_SIGNING");
-    case CKA_TRUST_EMAIL_PROTECTION: SETA("CKA_TRUST_EMAIL_PROTECTION");
-    case CKA_TRUST_IPSEC_END_SYSTEM: SETA("CKA_TRUST_IPSEC_END_SYSTEM");
-    case CKA_TRUST_IPSEC_TUNNEL: SETA("CKA_TRUST_IPSEC_TUNNEL");
-    case CKA_TRUST_IPSEC_USER: SETA("CKA_TRUST_IPSEC_USER");
-    case CKA_TRUST_TIME_STAMPING: SETA("CKA_TRUST_TIME_STAMPING");
-    case CKA_CERT_SHA1_HASH: SETA("CKA_CERT_SHA1_HASH");
-    case CKA_CERT_MD5_HASH: SETA("CKA_CERT_MD5_HASH");
-    case CKA_NETSCAPE_DB: SETA("CKA_NETSCAPE_DB");
-    case CKA_NETSCAPE_TRUST: SETA("CKA_NETSCAPE_TRUST");
-#endif
-    default: PR_snprintf(str, len, "0x%p", atype); break;
-    }
-}
-
-static void get_obj_class(CK_OBJECT_CLASS objClass, char *str, int len)
-{
-#define SETO(objc) \
-    PR_snprintf(str, len, "%s", objc); break;
-    switch (objClass) {
-#ifndef AIX_64BIT
-    case CKO_DATA: SETO("CKO_DATA");
-    case CKO_CERTIFICATE: SETO("CKO_CERTIFICATE");
-    case CKO_PUBLIC_KEY: SETO("CKO_PUBLIC_KEY");
-    case CKO_PRIVATE_KEY: SETO("CKO_PRIVATE_KEY");
-    case CKO_SECRET_KEY: SETO("CKO_SECRET_KEY");
-    case CKO_HW_FEATURE: SETO("CKO_HW_FEATURE");
-    case CKO_DOMAIN_PARAMETERS: SETO("CKO_DOMAIN_PARAMETERS");
-    case CKO_NETSCAPE_CRL: SETO("CKO_NETSCAPE_CRL");
-    case CKO_NETSCAPE_SMIME: SETO("CKO_NETSCAPE_SMIME");
-    case CKO_NETSCAPE_TRUST: SETO("CKO_NETSCAPE_TRUST");
-    case CKO_NETSCAPE_BUILTIN_ROOT_LIST: SETO("CKO_NETSCAPE_BUILTIN_ROOT_LIST");
-#endif
-    default: PR_snprintf(str, len, "0x%p", objClass); break;
-    }
-}
-
-static void get_trust_val(CK_TRUST trust, char *str, int len)
-{
-#define SETT(objc) \
-    PR_snprintf(str, len, "%s", objc); break;
-    switch (trust) {
-#ifndef AIX_64BIT
-    case CKT_NETSCAPE_TRUSTED: SETT("CKT_NETSCAPE_TRUSTED");
-    case CKT_NETSCAPE_TRUSTED_DELEGATOR: SETT("CKT_NETSCAPE_TRUSTED_DELEGATOR");
-    case CKT_NETSCAPE_UNTRUSTED: SETT("CKT_NETSCAPE_UNTRUSTED");
-    case CKT_NETSCAPE_MUST_VERIFY: SETT("CKT_NETSCAPE_MUST_VERIFY");
-    case CKT_NETSCAPE_TRUST_UNKNOWN: SETT("CKT_NETSCAPE_TRUST_UNKNOWN");
-    case CKT_NETSCAPE_VALID: SETT("CKT_NETSCAPE_VALID");
-    case CKT_NETSCAPE_VALID_DELEGATOR: SETT("CKT_NETSCAPE_VALID_DELEGATOR");
-#endif
-    default: PR_snprintf(str, len, "0x%p", trust); break;
-    }
-}
-
-static void print_attr_value(CK_ATTRIBUTE_PTR attr)
-{
-    char atype[48];
-    char valstr[48];
-    int len;
-    get_attr_type_str(attr->type, atype, sizeof atype);
-    switch (attr->type) {
-    case CKA_TOKEN:
-    case CKA_PRIVATE:
-    case CKA_SENSITIVE:
-    case CKA_ENCRYPT:
-    case CKA_DECRYPT:
-    case CKA_WRAP:
-    case CKA_UNWRAP:
-    case CKA_SIGN:
-    case CKA_SIGN_RECOVER:
-    case CKA_VERIFY:
-    case CKA_VERIFY_RECOVER:
-    case CKA_DERIVE:
-    case CKA_EXTRACTABLE:
-    case CKA_LOCAL:
-    case CKA_NEVER_EXTRACTABLE:
-    case CKA_ALWAYS_SENSITIVE:
-    case CKA_MODIFIABLE:
-	if (attr->ulValueLen > 0 && attr->pValue) {
-	    CK_BBOOL tf = *((CK_BBOOL *)attr->pValue);
-	    len = sizeof(valstr);
-	    PR_snprintf(valstr, len, "%s", tf ? "CK_TRUE" : "CK_FALSE");
-	    PR_LOG(modlog, 4, ("    %s = %s [%d]", 
-	           atype, valstr, attr->ulValueLen));
-	    break;
-	}
-    case CKA_CLASS:
-	if (attr->ulValueLen > 0 && attr->pValue) {
-	    CK_OBJECT_CLASS objClass = *((CK_OBJECT_CLASS *)attr->pValue);
-	    get_obj_class(objClass, valstr, sizeof valstr);
-	    PR_LOG(modlog, 4, ("    %s = %s [%d]", 
-	           atype, valstr, attr->ulValueLen));
-	    break;
-	}
-    case CKA_TRUST_SERVER_AUTH:
-    case CKA_TRUST_CLIENT_AUTH:
-    case CKA_TRUST_CODE_SIGNING:
-    case CKA_TRUST_EMAIL_PROTECTION:
-	if (attr->ulValueLen > 0 && attr->pValue) {
-	    CK_TRUST trust = *((CK_TRUST *)attr->pValue);
-	    get_trust_val(trust, valstr, sizeof valstr);
-	    PR_LOG(modlog, 4, ("    %s = %s [%d]", 
-	           atype, valstr, attr->ulValueLen));
-	    break;
-	}
-    case CKA_LABEL:
-    case CKA_NETSCAPE_EMAIL:
-    case CKA_NETSCAPE_URL:
-	if (attr->ulValueLen > 0 && attr->pValue) {
-	    len = PR_MIN(attr->ulValueLen + 1, sizeof valstr);
-	    PR_snprintf(valstr, len, "%s", attr->pValue);
-	    PR_LOG(modlog, 4, ("    %s = %s [%d]", 
-	           atype, valstr, attr->ulValueLen));
-	    break;
-	}
-    default:
-	PR_LOG(modlog, 4, ("    %s = 0x%p [%d]", 
-	       atype, attr->pValue, attr->ulValueLen));
-	break;
-    }
-}
-
-static void print_template(CK_ATTRIBUTE_PTR templ, CK_ULONG tlen)
-{
-    CK_ULONG i;
-    for (i=0; i<tlen; i++) {
-	print_attr_value(&templ[i]);
-    }
-}
-
-static void print_mechanism(CK_MECHANISM_PTR m)
-{
-    PR_LOG(modlog, 4, ("      mechanism = 0x%p", m->mechanism));
-}
-
-struct nssdbg_prof_str {
-    PRUint32 time;
-    PRUint32 calls;
-    char *function;
-};
-
-#define NSSDBG_DEFINE(func) { 0, 0, #func }
-
-struct nssdbg_prof_str nssdbg_prof_data[] = {
-#define FUNC_C_INITIALIZE 0
-    NSSDBG_DEFINE(C_Initialize),
-#define FUNC_C_FINALIZE 1
-    NSSDBG_DEFINE(C_Finalize),
-#define FUNC_C_GETINFO 2
-    NSSDBG_DEFINE(C_GetInfo),
-#define FUNC_C_GETFUNCITONLIST 3
-    NSSDBG_DEFINE(C_GetFunctionList),
-#define FUNC_C_GETSLOTLIST 4
-    NSSDBG_DEFINE(C_GetSlotList),
-#define FUNC_C_GETSLOTINFO 5
-    NSSDBG_DEFINE(C_GetSlotInfo),
-#define FUNC_C_GETTOKENINFO 6
-    NSSDBG_DEFINE(C_GetTokenInfo),
-#define FUNC_C_GETMECHANISMLIST 7
-    NSSDBG_DEFINE(C_GetMechanismList),
-#define FUNC_C_GETMECHANISMINFO 8
-    NSSDBG_DEFINE(C_GetMechanismInfo),
-#define FUNC_C_INITTOKEN 9
-    NSSDBG_DEFINE(C_InitToken),
-#define FUNC_C_INITPIN 10
-    NSSDBG_DEFINE(C_InitPIN),
-#define FUNC_C_SETPIN 11
-    NSSDBG_DEFINE(C_SetPIN),
-#define FUNC_C_OPENSESSION 12
-    NSSDBG_DEFINE(C_OpenSession),
-#define FUNC_C_CLOSESESSION 13
-    NSSDBG_DEFINE(C_CloseSession),
-#define FUNC_C_CLOSEALLSESSIONS 14
-    NSSDBG_DEFINE(C_CloseAllSessions),
-#define FUNC_C_GETSESSIONINFO 15
-    NSSDBG_DEFINE(C_GetSessionInfo),
-#define FUNC_C_GETOPERATIONSTATE 16
-    NSSDBG_DEFINE(C_GetOperationState),
-#define FUNC_C_SETOPERATIONSTATE 17
-    NSSDBG_DEFINE(C_SetOperationState),
-#define FUNC_C_LOGIN 18
-    NSSDBG_DEFINE(C_Login),
-#define FUNC_C_LOGOUT 19
-    NSSDBG_DEFINE(C_Logout),
-#define FUNC_C_CREATEOBJECT 20
-    NSSDBG_DEFINE(C_CreateObject),
-#define FUNC_C_COPYOBJECT 21
-    NSSDBG_DEFINE(C_CopyObject),
-#define FUNC_C_DESTROYOBJECT 22
-    NSSDBG_DEFINE(C_DestroyObject),
-#define FUNC_C_GETOBJECTSIZE  23
-    NSSDBG_DEFINE(C_GetObjectSize),
-#define FUNC_C_GETATTRIBUTEVALUE 24
-    NSSDBG_DEFINE(C_GetAttributeValue),
-#define FUNC_C_SETATTRIBUTEVALUE 25
-    NSSDBG_DEFINE(C_SetAttributeValue),
-#define FUNC_C_FINDOBJECTSINIT 26
-    NSSDBG_DEFINE(C_FindObjectsInit),
-#define FUNC_C_FINDOBJECTS 27
-    NSSDBG_DEFINE(C_FindObjects),
-#define FUNC_C_FINDOBJECTSFINAL 28
-    NSSDBG_DEFINE(C_FindObjectsFinal),
-#define FUNC_C_ENCRYPTINIT 29
-    NSSDBG_DEFINE(C_EncryptInit),
-#define FUNC_C_ENCRYPT 30
-    NSSDBG_DEFINE(C_Encrypt),
-#define FUNC_C_ENCRYPTUPDATE 31
-    NSSDBG_DEFINE(C_EncryptUpdate),
-#define FUNC_C_ENCRYPTFINAL 32
-    NSSDBG_DEFINE(C_EncryptFinal),
-#define FUNC_C_DECRYPTINIT 33
-    NSSDBG_DEFINE(C_DecryptInit),
-#define FUNC_C_DECRYPT 34
-    NSSDBG_DEFINE(C_Decrypt),
-#define FUNC_C_DECRYPTUPDATE 35
-    NSSDBG_DEFINE(C_DecryptUpdate),
-#define FUNC_C_DECRYPTFINAL 36
-    NSSDBG_DEFINE(C_DecryptFinal),
-#define FUNC_C_DIGESTINIT 37
-    NSSDBG_DEFINE(C_DigestInit),
-#define FUNC_C_DIGEST 38
-    NSSDBG_DEFINE(C_Digest),
-#define FUNC_C_DIGESTUPDATE 39
-    NSSDBG_DEFINE(C_DigestUpdate),
-#define FUNC_C_DIGESTKEY 40
-    NSSDBG_DEFINE(C_DigestKey),
-#define FUNC_C_DIGESTFINAL 41
-    NSSDBG_DEFINE(C_DigestFinal),
-#define FUNC_C_SIGNINIT 42
-    NSSDBG_DEFINE(C_SignInit),
-#define FUNC_C_SIGN 43
-    NSSDBG_DEFINE(C_Sign),
-#define FUNC_C_SIGNUPDATE 44
-    NSSDBG_DEFINE(C_SignUpdate),
-#define FUNC_C_SIGNFINAL 45
-    NSSDBG_DEFINE(C_SignFinal),
-#define FUNC_C_SIGNRECOVERINIT 46
-    NSSDBG_DEFINE(C_SignRecoverInit),
-#define FUNC_C_SIGNRECOVER 47
-    NSSDBG_DEFINE(C_SignRecover),
-#define FUNC_C_VERIFYINIT 48
-    NSSDBG_DEFINE(C_VerifyInit),
-#define FUNC_C_VERIFY 49
-    NSSDBG_DEFINE(C_Verify),
-#define FUNC_C_VERIFYUPDATE 50
-    NSSDBG_DEFINE(C_VerifyUpdate),
-#define FUNC_C_VERIFYFINAL 51
-    NSSDBG_DEFINE(C_VerifyFinal),
-#define FUNC_C_VERIFYRECOVERINIT 52
-    NSSDBG_DEFINE(C_VerifyRecoverInit),
-#define FUNC_C_VERIFYRECOVER 53
-    NSSDBG_DEFINE(C_VerifyRecover),
-#define FUNC_C_DIGESTENCRYPTUPDATE 54
-    NSSDBG_DEFINE(C_DigestEncryptUpdate),
-#define FUNC_C_DECRYPTDIGESTUPDATE 55
-    NSSDBG_DEFINE(C_DecryptDigestUpdate),
-#define FUNC_C_SIGNENCRYPTUPDATE 56
-    NSSDBG_DEFINE(C_SignEncryptUpdate),
-#define FUNC_C_DECRYPTVERIFYUPDATE 57
-    NSSDBG_DEFINE(C_DecryptVerifyUpdate),
-#define FUNC_C_GENERATEKEY 58
-    NSSDBG_DEFINE(C_GenerateKey),
-#define FUNC_C_GENERATEKEYPAIR 59
-    NSSDBG_DEFINE(C_GenerateKeyPair),
-#define FUNC_C_WRAPKEY 60
-    NSSDBG_DEFINE(C_WrapKey),
-#define FUNC_C_UNWRAPKEY 61
-    NSSDBG_DEFINE(C_UnWrapKey),
-#define FUNC_C_DERIVEKEY 62 
-    NSSDBG_DEFINE(C_DeriveKey),
-#define FUNC_C_SEEDRANDOM 63
-    NSSDBG_DEFINE(C_SeedRandom),
-#define FUNC_C_GENERATERANDOM 64
-    NSSDBG_DEFINE(C_GenerateRandom),
-#define FUNC_C_GETFUNCTIONSTATUS 65
-    NSSDBG_DEFINE(C_GetFunctionStatus),
-#define FUNC_C_CANCELFUNCTION 66
-    NSSDBG_DEFINE(C_CancelFunction),
-#define FUNC_C_WAITFORSLOTEVENT 67
-    NSSDBG_DEFINE(C_WaitForSlotEvent)
-};
-
-int nssdbg_prof_size = sizeof(nssdbg_prof_data)/sizeof(nssdbg_prof_data[0]);
-    
-
-static void nssdbg_finish_time(PRInt32 fun_number, PRIntervalTime start)
-{
-    PRIntervalTime ival;
-    PRIntervalTime end = PR_IntervalNow();
-
-    ival = end-start;
-    /* sigh, lie to PRAtomic add and say we are using signed values */
-    PR_AtomicAdd((PRInt32 *)&nssdbg_prof_data[fun_number].time, (PRInt32)ival);
-}
-
-static void nssdbg_start_time(PRInt32 fun_number, PRIntervalTime *start)
-{
-    PR_AtomicIncrement((PRInt32 *)&nssdbg_prof_data[fun_number].calls);
-    *start = PR_IntervalNow();
-}
-
-CK_RV NSSDBGC_Initialize(
-  CK_VOID_PTR pInitArgs
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_Initialize"));
-    PR_LOG(modlog, 3, ("  pInitArgs = 0x%p", pInitArgs));
-    nssdbg_start_time(FUNC_C_INITIALIZE,&start);
-    rv = module_functions->C_Initialize(pInitArgs);
-    nssdbg_finish_time(FUNC_C_INITIALIZE,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_Finalize(
-  CK_VOID_PTR pReserved
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_Finalize"));
-    PR_LOG(modlog, 3, ("  pReserved = 0x%p", pReserved));
-    nssdbg_start_time(FUNC_C_FINALIZE,&start);
-    rv = module_functions->C_Finalize(pReserved);
-    nssdbg_finish_time(FUNC_C_FINALIZE,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_GetInfo(
-  CK_INFO_PTR pInfo
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_GetInfo"));
-    PR_LOG(modlog, 3, ("  pInfo = 0x%p", pInfo));
-    nssdbg_start_time(FUNC_C_GETINFO,&start);
-    rv = module_functions->C_GetInfo(pInfo);
-    nssdbg_finish_time(FUNC_C_GETINFO,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_GetFunctionList(
-  CK_FUNCTION_LIST_PTR_PTR ppFunctionList
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_GetFunctionList"));
-    PR_LOG(modlog, 3, ("  ppFunctionList = 0x%p", ppFunctionList));
-    nssdbg_start_time(FUNC_C_GETFUNCITONLIST,&start);
-    rv = module_functions->C_GetFunctionList(ppFunctionList);
-    nssdbg_finish_time(FUNC_C_GETFUNCITONLIST,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_GetSlotList(
-  CK_BBOOL       tokenPresent,
-  CK_SLOT_ID_PTR pSlotList,
-  CK_ULONG_PTR   pulCount
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    CK_ULONG i;
-    PR_LOG(modlog, 1, ("C_GetSlotList"));
-    PR_LOG(modlog, 3, ("  tokenPresent = 0x%x", tokenPresent));
-    PR_LOG(modlog, 3, ("  pSlotList = 0x%p", pSlotList));
-    PR_LOG(modlog, 3, ("  pulCount = 0x%p", pulCount));
-    nssdbg_start_time(FUNC_C_GETSLOTLIST,&start);
-    rv = module_functions->C_GetSlotList(tokenPresent,
-                                 pSlotList,
-                                 pulCount);
-    nssdbg_finish_time(FUNC_C_GETSLOTLIST,start);
-    PR_LOG(modlog, 4, ("  *pulCount = 0x%x", *pulCount));
-    if (pSlotList) {
-	for (i=0; i<*pulCount; i++) {
-	    PR_LOG(modlog, 4, ("  slotID[%d] = %x", i, pSlotList[i]));
-	}
-    }
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_GetSlotInfo(
-  CK_SLOT_ID       slotID,
-  CK_SLOT_INFO_PTR pInfo
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_GetSlotInfo"));
-    PR_LOG(modlog, 3, ("  slotID = 0x%x", slotID));
-    PR_LOG(modlog, 3, ("  pInfo = 0x%p", pInfo));
-    nssdbg_start_time(FUNC_C_GETSLOTINFO,&start);
-    rv = module_functions->C_GetSlotInfo(slotID,
-                                 pInfo);
-    nssdbg_finish_time(FUNC_C_GETSLOTINFO,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_GetTokenInfo(
-  CK_SLOT_ID        slotID,
-  CK_TOKEN_INFO_PTR pInfo
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_GetTokenInfo"));
-    PR_LOG(modlog, 3, ("  slotID = 0x%x", slotID));
-    PR_LOG(modlog, 3, ("  pInfo = 0x%p", pInfo));
-    nssdbg_start_time(FUNC_C_GETTOKENINFO,&start);
-    rv = module_functions->C_GetTokenInfo(slotID,
-                                 pInfo);
-    nssdbg_finish_time(FUNC_C_GETTOKENINFO,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_GetMechanismList(
-  CK_SLOT_ID            slotID,
-  CK_MECHANISM_TYPE_PTR pMechanismList,
-  CK_ULONG_PTR          pulCount
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_GetMechanismList"));
-    PR_LOG(modlog, 3, ("  slotID = 0x%x", slotID));
-    PR_LOG(modlog, 3, ("  pMechanismList = 0x%p", pMechanismList));
-    PR_LOG(modlog, 3, ("  pulCount = 0x%p", pulCount));
-    nssdbg_start_time(FUNC_C_GETMECHANISMLIST,&start);
-    rv = module_functions->C_GetMechanismList(slotID,
-                                 pMechanismList,
-                                 pulCount);
-    nssdbg_finish_time(FUNC_C_GETMECHANISMLIST,start);
-    PR_LOG(modlog, 4, ("  *pulCount = 0x%x", *pulCount));
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_GetMechanismInfo(
-  CK_SLOT_ID            slotID,
-  CK_MECHANISM_TYPE     type,
-  CK_MECHANISM_INFO_PTR pInfo
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_GetMechanismInfo"));
-    PR_LOG(modlog, 3, ("  slotID = 0x%x", slotID));
-    PR_LOG(modlog, 3, ("  type = 0x%x", type));
-    PR_LOG(modlog, 3, ("  pInfo = 0x%p", pInfo));
-    nssdbg_start_time(FUNC_C_GETMECHANISMINFO,&start);
-    rv = module_functions->C_GetMechanismInfo(slotID,
-                                 type,
-                                 pInfo);
-    nssdbg_finish_time(FUNC_C_GETMECHANISMINFO,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_InitToken(
-  CK_SLOT_ID  slotID,
-  CK_CHAR_PTR pPin,
-  CK_ULONG    ulPinLen,
-  CK_CHAR_PTR pLabel
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_InitToken"));
-    PR_LOG(modlog, 3, ("  slotID = 0x%x", slotID));
-    PR_LOG(modlog, 3, ("  pPin = 0x%p", pPin));
-    PR_LOG(modlog, 3, ("  ulPinLen = %d", ulPinLen));
-    PR_LOG(modlog, 3, ("  pLabel = 0x%p", pLabel));
-    nssdbg_start_time(FUNC_C_INITTOKEN,&start);
-    rv = module_functions->C_InitToken(slotID,
-                                 pPin,
-                                 ulPinLen,
-                                 pLabel);
-    nssdbg_finish_time(FUNC_C_INITTOKEN,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_InitPIN(
-  CK_SESSION_HANDLE hSession,
-  CK_CHAR_PTR       pPin,
-  CK_ULONG          ulPinLen
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_InitPIN"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pPin = 0x%p", pPin));
-    PR_LOG(modlog, 3, ("  ulPinLen = %d", ulPinLen));
-    nssdbg_start_time(FUNC_C_INITPIN,&start);
-    rv = module_functions->C_InitPIN(hSession,
-                                 pPin,
-                                 ulPinLen);
-    nssdbg_finish_time(FUNC_C_INITPIN,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_SetPIN(
-  CK_SESSION_HANDLE hSession,
-  CK_CHAR_PTR       pOldPin,
-  CK_ULONG          ulOldLen,
-  CK_CHAR_PTR       pNewPin,
-  CK_ULONG          ulNewLen
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_SetPIN"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pOldPin = 0x%p", pOldPin));
-    PR_LOG(modlog, 3, ("  ulOldLen = %d", ulOldLen));
-    PR_LOG(modlog, 3, ("  pNewPin = 0x%p", pNewPin));
-    PR_LOG(modlog, 3, ("  ulNewLen = %d", ulNewLen));
-    nssdbg_start_time(FUNC_C_SETPIN,&start);
-    rv = module_functions->C_SetPIN(hSession,
-                                 pOldPin,
-                                 ulOldLen,
-                                 pNewPin,
-                                 ulNewLen);
-    nssdbg_finish_time(FUNC_C_SETPIN,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-static PRUint32 numOpenSessions = 0;
-static PRUint32 maxOpenSessions = 0;
-CK_RV NSSDBGC_OpenSession(
-  CK_SLOT_ID            slotID,
-  CK_FLAGS              flags,
-  CK_VOID_PTR           pApplication,
-  CK_NOTIFY             Notify,
-  CK_SESSION_HANDLE_PTR phSession
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_AtomicIncrement((PRInt32 *)&numOpenSessions);
-    maxOpenSessions = PR_MAX(numOpenSessions, maxOpenSessions);
-    PR_LOG(modlog, 1, ("C_OpenSession"));
-    PR_LOG(modlog, 3, ("  slotID = 0x%x", slotID));
-    PR_LOG(modlog, 3, ("  flags = 0x%x", flags));
-    PR_LOG(modlog, 3, ("  pApplication = 0x%p", pApplication));
-    PR_LOG(modlog, 3, ("  Notify = 0x%x", Notify));
-    PR_LOG(modlog, 3, ("  phSession = 0x%p", phSession));
-    nssdbg_start_time(FUNC_C_OPENSESSION,&start);
-    rv = module_functions->C_OpenSession(slotID,
-                                 flags,
-                                 pApplication,
-                                 Notify,
-                                 phSession);
-    nssdbg_finish_time(FUNC_C_OPENSESSION,start);
-    PR_LOG(modlog, 4, ("  *phSession = 0x%x", *phSession));
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_CloseSession(
-  CK_SESSION_HANDLE hSession
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_AtomicDecrement((PRInt32 *)&numOpenSessions);
-    PR_LOG(modlog, 1, ("C_CloseSession"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    nssdbg_start_time(FUNC_C_CLOSESESSION,&start);
-    rv = module_functions->C_CloseSession(hSession);
-    nssdbg_finish_time(FUNC_C_CLOSESESSION,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_CloseAllSessions(
-  CK_SLOT_ID slotID
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_CloseAllSessions"));
-    PR_LOG(modlog, 3, ("  slotID = 0x%x", slotID));
-    nssdbg_start_time(FUNC_C_CLOSEALLSESSIONS,&start);
-    rv = module_functions->C_CloseAllSessions(slotID);
-    nssdbg_finish_time(FUNC_C_CLOSEALLSESSIONS,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_GetSessionInfo(
-  CK_SESSION_HANDLE   hSession,
-  CK_SESSION_INFO_PTR pInfo
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_GetSessionInfo"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pInfo = 0x%p", pInfo));
-    nssdbg_start_time(FUNC_C_GETSESSIONINFO,&start);
-    rv = module_functions->C_GetSessionInfo(hSession,
-                                 pInfo);
-    nssdbg_finish_time(FUNC_C_GETSESSIONINFO,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_GetOperationState(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR       pOperationState,
-  CK_ULONG_PTR      pulOperationStateLen
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_GetOperationState"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pOperationState = 0x%p", pOperationState));
-    PR_LOG(modlog, 3, ("  pulOperationStateLen = 0x%p", pulOperationStateLen));
-    nssdbg_start_time(FUNC_C_GETOPERATIONSTATE,&start);
-    rv = module_functions->C_GetOperationState(hSession,
-                                 pOperationState,
-                                 pulOperationStateLen);
-    nssdbg_finish_time(FUNC_C_GETOPERATIONSTATE,start);
-    PR_LOG(modlog, 4, ("  *pulOperationStateLen = 0x%x", *pulOperationStateLen));
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_SetOperationState(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR      pOperationState,
-  CK_ULONG         ulOperationStateLen,
-  CK_OBJECT_HANDLE hEncryptionKey,
-  CK_OBJECT_HANDLE hAuthenticationKey
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_SetOperationState"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pOperationState = 0x%p", pOperationState));
-    PR_LOG(modlog, 3, ("  ulOperationStateLen = %d", ulOperationStateLen));
-    PR_LOG(modlog, 3, ("  hEncryptionKey = 0x%x", hEncryptionKey));
-    PR_LOG(modlog, 3, ("  hAuthenticationKey = 0x%x", hAuthenticationKey));
-    nssdbg_start_time(FUNC_C_SETOPERATIONSTATE,&start);
-    rv = module_functions->C_SetOperationState(hSession,
-                                 pOperationState,
-                                 ulOperationStateLen,
-                                 hEncryptionKey,
-                                 hAuthenticationKey);
-    nssdbg_finish_time(FUNC_C_SETOPERATIONSTATE,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_Login(
-  CK_SESSION_HANDLE hSession,
-  CK_USER_TYPE      userType,
-  CK_CHAR_PTR       pPin,
-  CK_ULONG          ulPinLen
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_Login"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  userType = 0x%x", userType));
-    PR_LOG(modlog, 3, ("  pPin = 0x%p", pPin));
-    PR_LOG(modlog, 3, ("  ulPinLen = %d", ulPinLen));
-    nssdbg_start_time(FUNC_C_LOGIN,&start);
-    rv = module_functions->C_Login(hSession,
-                                 userType,
-                                 pPin,
-                                 ulPinLen);
-    nssdbg_finish_time(FUNC_C_LOGIN,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_Logout(
-  CK_SESSION_HANDLE hSession
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_Logout"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    nssdbg_start_time(FUNC_C_LOGOUT,&start);
-    rv = module_functions->C_Logout(hSession);
-    nssdbg_finish_time(FUNC_C_LOGOUT,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_CreateObject(
-  CK_SESSION_HANDLE    hSession,
-  CK_ATTRIBUTE_PTR     pTemplate,
-  CK_ULONG             ulCount,
-  CK_OBJECT_HANDLE_PTR phObject
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_CreateObject"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pTemplate = 0x%p", pTemplate));
-    PR_LOG(modlog, 3, ("  ulCount = %d", ulCount));
-    PR_LOG(modlog, 3, ("  phObject = 0x%p", phObject));
-    print_template(pTemplate, ulCount);
-    nssdbg_start_time(FUNC_C_CREATEOBJECT,&start);
-    rv = module_functions->C_CreateObject(hSession,
-                                 pTemplate,
-                                 ulCount,
-                                 phObject);
-    nssdbg_finish_time(FUNC_C_CREATEOBJECT,start);
-    PR_LOG(modlog, 4, ("  *phObject = 0x%x", *phObject));
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_CopyObject(
-  CK_SESSION_HANDLE    hSession,
-  CK_OBJECT_HANDLE     hObject,
-  CK_ATTRIBUTE_PTR     pTemplate,
-  CK_ULONG             ulCount,
-  CK_OBJECT_HANDLE_PTR phNewObject
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_CopyObject"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  hObject = 0x%x", hObject));
-    PR_LOG(modlog, 3, ("  pTemplate = 0x%p", pTemplate));
-    PR_LOG(modlog, 3, ("  ulCount = %d", ulCount));
-    PR_LOG(modlog, 3, ("  phNewObject = 0x%p", phNewObject));
-    print_template(pTemplate, ulCount);
-    nssdbg_start_time(FUNC_C_COPYOBJECT,&start);
-    rv = module_functions->C_CopyObject(hSession,
-                                 hObject,
-                                 pTemplate,
-                                 ulCount,
-                                 phNewObject);
-    nssdbg_finish_time(FUNC_C_COPYOBJECT,start);
-    PR_LOG(modlog, 4, ("  *phNewObject = 0x%x", *phNewObject));
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_DestroyObject(
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE  hObject
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_DestroyObject"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  hObject = 0x%x", hObject));
-    nssdbg_start_time(FUNC_C_DESTROYOBJECT,&start);
-    rv = module_functions->C_DestroyObject(hSession,
-                                 hObject);
-    nssdbg_finish_time(FUNC_C_DESTROYOBJECT,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_GetObjectSize(
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE  hObject,
-  CK_ULONG_PTR      pulSize
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_GetObjectSize"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  hObject = 0x%x", hObject));
-    PR_LOG(modlog, 3, ("  pulSize = 0x%p", pulSize));
-    nssdbg_start_time(FUNC_C_GETOBJECTSIZE,&start);
-    rv = module_functions->C_GetObjectSize(hSession,
-                                 hObject,
-                                 pulSize);
-    nssdbg_finish_time(FUNC_C_GETOBJECTSIZE,start);
-    PR_LOG(modlog, 4, ("  *pulSize = 0x%x", *pulSize));
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_GetAttributeValue(
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE  hObject,
-  CK_ATTRIBUTE_PTR  pTemplate,
-  CK_ULONG          ulCount
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_GetAttributeValue"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  hObject = 0x%x", hObject));
-    PR_LOG(modlog, 3, ("  pTemplate = 0x%p", pTemplate));
-    PR_LOG(modlog, 3, ("  ulCount = %d", ulCount));
-    nssdbg_start_time(FUNC_C_GETATTRIBUTEVALUE,&start);
-    rv = module_functions->C_GetAttributeValue(hSession,
-                                 hObject,
-                                 pTemplate,
-                                 ulCount);
-    nssdbg_finish_time(FUNC_C_GETATTRIBUTEVALUE,start);
-    print_template(pTemplate, ulCount);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_SetAttributeValue(
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE  hObject,
-  CK_ATTRIBUTE_PTR  pTemplate,
-  CK_ULONG          ulCount
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_SetAttributeValue"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  hObject = 0x%x", hObject));
-    PR_LOG(modlog, 3, ("  pTemplate = 0x%p", pTemplate));
-    PR_LOG(modlog, 3, ("  ulCount = %d", ulCount));
-    print_template(pTemplate, ulCount);
-    nssdbg_start_time(FUNC_C_SETATTRIBUTEVALUE,&start);
-    rv = module_functions->C_SetAttributeValue(hSession,
-                                 hObject,
-                                 pTemplate,
-                                 ulCount);
-    nssdbg_finish_time(FUNC_C_SETATTRIBUTEVALUE,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_FindObjectsInit(
-  CK_SESSION_HANDLE hSession,
-  CK_ATTRIBUTE_PTR  pTemplate,
-  CK_ULONG          ulCount
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_FindObjectsInit"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pTemplate = 0x%p", pTemplate));
-    PR_LOG(modlog, 3, ("  ulCount = %d", ulCount));
-    print_template(pTemplate, ulCount);
-    nssdbg_start_time(FUNC_C_FINDOBJECTSINIT,&start);
-    rv = module_functions->C_FindObjectsInit(hSession,
-                                 pTemplate,
-                                 ulCount);
-    nssdbg_finish_time(FUNC_C_FINDOBJECTSINIT,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_FindObjects(
-  CK_SESSION_HANDLE    hSession,
-  CK_OBJECT_HANDLE_PTR phObject,
-  CK_ULONG             ulMaxObjectCount,
-  CK_ULONG_PTR         pulObjectCount
-)
-{
-    CK_RV rv;
-    CK_ULONG i;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_FindObjects"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  phObject = 0x%p", phObject));
-    PR_LOG(modlog, 3, ("  ulMaxObjectCount = %d", ulMaxObjectCount));
-    PR_LOG(modlog, 3, ("  pulObjectCount = 0x%p", pulObjectCount));
-    nssdbg_start_time(FUNC_C_FINDOBJECTS,&start);
-    rv = module_functions->C_FindObjects(hSession,
-                                 phObject,
-                                 ulMaxObjectCount,
-                                 pulObjectCount);
-    nssdbg_finish_time(FUNC_C_FINDOBJECTS,start);
-    PR_LOG(modlog, 4, ("  *pulObjectCount = 0x%x", *pulObjectCount));
-    for (i=0; i<*pulObjectCount; i++) {
-	PR_LOG(modlog, 4, ("  phObject[%d] = 0x%x", i, phObject[i]));
-    }
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_FindObjectsFinal(
-  CK_SESSION_HANDLE hSession
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_FindObjectsFinal"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    nssdbg_start_time(FUNC_C_FINDOBJECTSFINAL,&start);
-    rv = module_functions->C_FindObjectsFinal(hSession);
-    nssdbg_finish_time(FUNC_C_FINDOBJECTSFINAL,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_EncryptInit(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR  pMechanism,
-  CK_OBJECT_HANDLE  hKey
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_EncryptInit"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pMechanism = 0x%p", pMechanism));
-    PR_LOG(modlog, 3, ("  hKey = 0x%x", hKey));
-    print_mechanism(pMechanism);
-    nssdbg_start_time(FUNC_C_ENCRYPTINIT,&start);
-    rv = module_functions->C_EncryptInit(hSession,
-                                 pMechanism,
-                                 hKey);
-    nssdbg_finish_time(FUNC_C_ENCRYPTINIT,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_Encrypt(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR       pData,
-  CK_ULONG          ulDataLen,
-  CK_BYTE_PTR       pEncryptedData,
-  CK_ULONG_PTR      pulEncryptedDataLen
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_Encrypt"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pData = 0x%p", pData));
-    PR_LOG(modlog, 3, ("  ulDataLen = %d", ulDataLen));
-    PR_LOG(modlog, 3, ("  pEncryptedData = 0x%p", pEncryptedData));
-    PR_LOG(modlog, 3, ("  pulEncryptedDataLen = 0x%p", pulEncryptedDataLen));
-    nssdbg_start_time(FUNC_C_ENCRYPT,&start);
-    rv = module_functions->C_Encrypt(hSession,
-                                 pData,
-                                 ulDataLen,
-                                 pEncryptedData,
-                                 pulEncryptedDataLen);
-    nssdbg_finish_time(FUNC_C_ENCRYPT,start);
-    PR_LOG(modlog, 4, ("  *pulEncryptedDataLen = 0x%x", *pulEncryptedDataLen));
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_EncryptUpdate(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR       pPart,
-  CK_ULONG          ulPartLen,
-  CK_BYTE_PTR       pEncryptedPart,
-  CK_ULONG_PTR      pulEncryptedPartLen
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_EncryptUpdate"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pPart = 0x%p", pPart));
-    PR_LOG(modlog, 3, ("  ulPartLen = %d", ulPartLen));
-    PR_LOG(modlog, 3, ("  pEncryptedPart = 0x%p", pEncryptedPart));
-    PR_LOG(modlog, 3, ("  pulEncryptedPartLen = 0x%p", pulEncryptedPartLen));
-    nssdbg_start_time(FUNC_C_ENCRYPTUPDATE,&start);
-    rv = module_functions->C_EncryptUpdate(hSession,
-                                 pPart,
-                                 ulPartLen,
-                                 pEncryptedPart,
-                                 pulEncryptedPartLen);
-    nssdbg_finish_time(FUNC_C_ENCRYPTUPDATE,start);
-    PR_LOG(modlog, 4, ("  *pulEncryptedPartLen = 0x%x", *pulEncryptedPartLen));
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_EncryptFinal(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR       pLastEncryptedPart,
-  CK_ULONG_PTR      pulLastEncryptedPartLen
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_EncryptFinal"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pLastEncryptedPart = 0x%p", pLastEncryptedPart));
-    PR_LOG(modlog, 3, ("  pulLastEncryptedPartLen = 0x%p", pulLastEncryptedPartLen));
-    nssdbg_start_time(FUNC_C_ENCRYPTFINAL,&start);
-    rv = module_functions->C_EncryptFinal(hSession,
-                                 pLastEncryptedPart,
-                                 pulLastEncryptedPartLen);
-    nssdbg_finish_time(FUNC_C_ENCRYPTFINAL,start);
-    PR_LOG(modlog, 4, ("  *pulLastEncryptedPartLen = 0x%x", *pulLastEncryptedPartLen));
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_DecryptInit(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR  pMechanism,
-  CK_OBJECT_HANDLE  hKey
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_DecryptInit"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pMechanism = 0x%p", pMechanism));
-    PR_LOG(modlog, 3, ("  hKey = 0x%x", hKey));
-    print_mechanism(pMechanism);
-    nssdbg_start_time(FUNC_C_DECRYPTINIT,&start);
-    rv = module_functions->C_DecryptInit(hSession,
-                                 pMechanism,
-                                 hKey);
-    nssdbg_finish_time(FUNC_C_DECRYPTINIT,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_Decrypt(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR       pEncryptedData,
-  CK_ULONG          ulEncryptedDataLen,
-  CK_BYTE_PTR       pData,
-  CK_ULONG_PTR      pulDataLen
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_Decrypt"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pEncryptedData = 0x%p", pEncryptedData));
-    PR_LOG(modlog, 3, ("  ulEncryptedDataLen = %d", ulEncryptedDataLen));
-    PR_LOG(modlog, 3, ("  pData = 0x%p", pData));
-    PR_LOG(modlog, 3, ("  pulDataLen = 0x%p", pulDataLen));
-    nssdbg_start_time(FUNC_C_DECRYPT,&start);
-    rv = module_functions->C_Decrypt(hSession,
-                                 pEncryptedData,
-                                 ulEncryptedDataLen,
-                                 pData,
-                                 pulDataLen);
-    nssdbg_finish_time(FUNC_C_DECRYPT,start);
-    PR_LOG(modlog, 4, ("  *pulDataLen = 0x%x", *pulDataLen));
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_DecryptUpdate(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR       pEncryptedPart,
-  CK_ULONG          ulEncryptedPartLen,
-  CK_BYTE_PTR       pPart,
-  CK_ULONG_PTR      pulPartLen
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_DecryptUpdate"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pEncryptedPart = 0x%p", pEncryptedPart));
-    PR_LOG(modlog, 3, ("  ulEncryptedPartLen = %d", ulEncryptedPartLen));
-    PR_LOG(modlog, 3, ("  pPart = 0x%p", pPart));
-    PR_LOG(modlog, 3, ("  pulPartLen = 0x%p", pulPartLen));
-    nssdbg_start_time(FUNC_C_DECRYPTUPDATE,&start);
-    rv = module_functions->C_DecryptUpdate(hSession,
-                                 pEncryptedPart,
-                                 ulEncryptedPartLen,
-                                 pPart,
-                                 pulPartLen);
-    nssdbg_finish_time(FUNC_C_DECRYPTUPDATE,start);
-    PR_LOG(modlog, 4, ("  *pulPartLen = 0x%x", *pulPartLen));
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_DecryptFinal(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR       pLastPart,
-  CK_ULONG_PTR      pulLastPartLen
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_DecryptFinal"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pLastPart = 0x%p", pLastPart));
-    PR_LOG(modlog, 3, ("  pulLastPartLen = 0x%p", pulLastPartLen));
-    nssdbg_start_time(FUNC_C_DECRYPTFINAL,&start);
-    rv = module_functions->C_DecryptFinal(hSession,
-                                 pLastPart,
-                                 pulLastPartLen);
-    nssdbg_finish_time(FUNC_C_DECRYPTFINAL,start);
-    PR_LOG(modlog, 4, ("  *pulLastPartLen = 0x%x", *pulLastPartLen));
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_DigestInit(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR  pMechanism
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_DigestInit"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pMechanism = 0x%p", pMechanism));
-    print_mechanism(pMechanism);
-    nssdbg_start_time(FUNC_C_DIGESTINIT,&start);
-    rv = module_functions->C_DigestInit(hSession,
-                                 pMechanism);
-    nssdbg_finish_time(FUNC_C_DIGESTINIT,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_Digest(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR       pData,
-  CK_ULONG          ulDataLen,
-  CK_BYTE_PTR       pDigest,
-  CK_ULONG_PTR      pulDigestLen
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_Digest"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pData = 0x%p", pData));
-    PR_LOG(modlog, 3, ("  ulDataLen = %d", ulDataLen));
-    PR_LOG(modlog, 3, ("  pDigest = 0x%p", pDigest));
-    PR_LOG(modlog, 3, ("  pulDigestLen = 0x%p", pulDigestLen));
-    nssdbg_start_time(FUNC_C_DIGEST,&start);
-    rv = module_functions->C_Digest(hSession,
-                                 pData,
-                                 ulDataLen,
-                                 pDigest,
-                                 pulDigestLen);
-    nssdbg_finish_time(FUNC_C_DIGEST,start);
-    PR_LOG(modlog, 4, ("  *pulDigestLen = 0x%x", *pulDigestLen));
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_DigestUpdate(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR       pPart,
-  CK_ULONG          ulPartLen
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_DigestUpdate"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pPart = 0x%p", pPart));
-    PR_LOG(modlog, 3, ("  ulPartLen = %d", ulPartLen));
-    nssdbg_start_time(FUNC_C_DIGESTUPDATE,&start);
-    rv = module_functions->C_DigestUpdate(hSession,
-                                 pPart,
-                                 ulPartLen);
-    nssdbg_finish_time(FUNC_C_DIGESTUPDATE,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_DigestKey(
-  CK_SESSION_HANDLE hSession,
-  CK_OBJECT_HANDLE  hKey
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_DigestKey"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    nssdbg_start_time(FUNC_C_DIGESTKEY,&start);
-    rv = module_functions->C_DigestKey(hSession,
-                                 hKey);
-    nssdbg_finish_time(FUNC_C_DIGESTKEY,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_DigestFinal(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR       pDigest,
-  CK_ULONG_PTR      pulDigestLen
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_DigestFinal"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pDigest = 0x%p", pDigest));
-    PR_LOG(modlog, 3, ("  pulDigestLen = 0x%p", pulDigestLen));
-    nssdbg_start_time(FUNC_C_DIGESTFINAL,&start);
-    rv = module_functions->C_DigestFinal(hSession,
-                                 pDigest,
-                                 pulDigestLen);
-    nssdbg_finish_time(FUNC_C_DIGESTFINAL,start);
-    PR_LOG(modlog, 4, ("  *pulDigestLen = 0x%x", *pulDigestLen));
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_SignInit(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR  pMechanism,
-  CK_OBJECT_HANDLE  hKey
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_SignInit"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pMechanism = 0x%p", pMechanism));
-    PR_LOG(modlog, 3, ("  hKey = 0x%x", hKey));
-    print_mechanism(pMechanism);
-    nssdbg_start_time(FUNC_C_SIGNINIT,&start);
-    rv = module_functions->C_SignInit(hSession,
-                                 pMechanism,
-                                 hKey);
-    nssdbg_finish_time(FUNC_C_SIGNINIT,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_Sign(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR       pData,
-  CK_ULONG          ulDataLen,
-  CK_BYTE_PTR       pSignature,
-  CK_ULONG_PTR      pulSignatureLen
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_Sign"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pData = 0x%p", pData));
-    PR_LOG(modlog, 3, ("  ulDataLen = %d", ulDataLen));
-    PR_LOG(modlog, 3, ("  pSignature = 0x%p", pSignature));
-    PR_LOG(modlog, 3, ("  pulSignatureLen = 0x%p", pulSignatureLen));
-    nssdbg_start_time(FUNC_C_SIGN,&start);
-    rv = module_functions->C_Sign(hSession,
-                                 pData,
-                                 ulDataLen,
-                                 pSignature,
-                                 pulSignatureLen);
-    nssdbg_finish_time(FUNC_C_SIGN,start);
-    PR_LOG(modlog, 4, ("  *pulSignatureLen = 0x%x", *pulSignatureLen));
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_SignUpdate(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR       pPart,
-  CK_ULONG          ulPartLen
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_SignUpdate"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pPart = 0x%p", pPart));
-    PR_LOG(modlog, 3, ("  ulPartLen = %d", ulPartLen));
-    nssdbg_start_time(FUNC_C_SIGNUPDATE,&start);
-    rv = module_functions->C_SignUpdate(hSession,
-                                 pPart,
-                                 ulPartLen);
-    nssdbg_finish_time(FUNC_C_SIGNUPDATE,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_SignFinal(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR       pSignature,
-  CK_ULONG_PTR      pulSignatureLen
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_SignFinal"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pSignature = 0x%p", pSignature));
-    PR_LOG(modlog, 3, ("  pulSignatureLen = 0x%p", pulSignatureLen));
-    nssdbg_start_time(FUNC_C_SIGNFINAL,&start);
-    rv = module_functions->C_SignFinal(hSession,
-                                 pSignature,
-                                 pulSignatureLen);
-    nssdbg_finish_time(FUNC_C_SIGNFINAL,start);
-    PR_LOG(modlog, 4, ("  *pulSignatureLen = 0x%x", *pulSignatureLen));
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_SignRecoverInit(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR  pMechanism,
-  CK_OBJECT_HANDLE  hKey
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_SignRecoverInit"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pMechanism = 0x%p", pMechanism));
-    PR_LOG(modlog, 3, ("  hKey = 0x%x", hKey));
-    print_mechanism(pMechanism);
-    nssdbg_start_time(FUNC_C_SIGNRECOVERINIT,&start);
-    rv = module_functions->C_SignRecoverInit(hSession,
-                                 pMechanism,
-                                 hKey);
-    nssdbg_finish_time(FUNC_C_SIGNRECOVERINIT,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_SignRecover(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR       pData,
-  CK_ULONG          ulDataLen,
-  CK_BYTE_PTR       pSignature,
-  CK_ULONG_PTR      pulSignatureLen
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_SignRecover"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pData = 0x%p", pData));
-    PR_LOG(modlog, 3, ("  ulDataLen = %d", ulDataLen));
-    PR_LOG(modlog, 3, ("  pSignature = 0x%p", pSignature));
-    PR_LOG(modlog, 3, ("  pulSignatureLen = 0x%p", pulSignatureLen));
-    nssdbg_start_time(FUNC_C_SIGNRECOVER,&start);
-    rv = module_functions->C_SignRecover(hSession,
-                                 pData,
-                                 ulDataLen,
-                                 pSignature,
-                                 pulSignatureLen);
-    nssdbg_finish_time(FUNC_C_SIGNRECOVER,start);
-    PR_LOG(modlog, 4, ("  *pulSignatureLen = 0x%x", *pulSignatureLen));
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_VerifyInit(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR  pMechanism,
-  CK_OBJECT_HANDLE  hKey
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_VerifyInit"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pMechanism = 0x%p", pMechanism));
-    PR_LOG(modlog, 3, ("  hKey = 0x%x", hKey));
-    print_mechanism(pMechanism);
-    nssdbg_start_time(FUNC_C_VERIFYINIT,&start);
-    rv = module_functions->C_VerifyInit(hSession,
-                                 pMechanism,
-                                 hKey);
-    nssdbg_finish_time(FUNC_C_VERIFYINIT,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_Verify(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR       pData,
-  CK_ULONG          ulDataLen,
-  CK_BYTE_PTR       pSignature,
-  CK_ULONG          ulSignatureLen
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_Verify"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pData = 0x%p", pData));
-    PR_LOG(modlog, 3, ("  ulDataLen = %d", ulDataLen));
-    PR_LOG(modlog, 3, ("  pSignature = 0x%p", pSignature));
-    PR_LOG(modlog, 3, ("  ulSignatureLen = %d", ulSignatureLen));
-    nssdbg_start_time(FUNC_C_VERIFY,&start);
-    rv = module_functions->C_Verify(hSession,
-                                 pData,
-                                 ulDataLen,
-                                 pSignature,
-                                 ulSignatureLen);
-    nssdbg_finish_time(FUNC_C_VERIFY,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_VerifyUpdate(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR       pPart,
-  CK_ULONG          ulPartLen
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_VerifyUpdate"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pPart = 0x%p", pPart));
-    PR_LOG(modlog, 3, ("  ulPartLen = %d", ulPartLen));
-    nssdbg_start_time(FUNC_C_VERIFYUPDATE,&start);
-    rv = module_functions->C_VerifyUpdate(hSession,
-                                 pPart,
-                                 ulPartLen);
-    nssdbg_finish_time(FUNC_C_VERIFYUPDATE,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_VerifyFinal(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR       pSignature,
-  CK_ULONG          ulSignatureLen
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_VerifyFinal"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pSignature = 0x%p", pSignature));
-    PR_LOG(modlog, 3, ("  ulSignatureLen = %d", ulSignatureLen));
-    nssdbg_start_time(FUNC_C_VERIFYFINAL,&start);
-    rv = module_functions->C_VerifyFinal(hSession,
-                                 pSignature,
-                                 ulSignatureLen);
-    nssdbg_finish_time(FUNC_C_VERIFYFINAL,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_VerifyRecoverInit(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR  pMechanism,
-  CK_OBJECT_HANDLE  hKey
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_VerifyRecoverInit"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pMechanism = 0x%p", pMechanism));
-    PR_LOG(modlog, 3, ("  hKey = 0x%x", hKey));
-    print_mechanism(pMechanism);
-    nssdbg_start_time(FUNC_C_VERIFYRECOVERINIT,&start);
-    rv = module_functions->C_VerifyRecoverInit(hSession,
-                                 pMechanism,
-                                 hKey);
-    nssdbg_finish_time(FUNC_C_VERIFYRECOVERINIT,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_VerifyRecover(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR       pSignature,
-  CK_ULONG          ulSignatureLen,
-  CK_BYTE_PTR       pData,
-  CK_ULONG_PTR      pulDataLen
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_VerifyRecover"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pSignature = 0x%p", pSignature));
-    PR_LOG(modlog, 3, ("  ulSignatureLen = %d", ulSignatureLen));
-    PR_LOG(modlog, 3, ("  pData = 0x%p", pData));
-    PR_LOG(modlog, 3, ("  pulDataLen = 0x%p", pulDataLen));
-    nssdbg_start_time(FUNC_C_VERIFYRECOVER,&start);
-    rv = module_functions->C_VerifyRecover(hSession,
-                                 pSignature,
-                                 ulSignatureLen,
-                                 pData,
-                                 pulDataLen);
-    nssdbg_finish_time(FUNC_C_VERIFYRECOVER,start);
-    PR_LOG(modlog, 4, ("  *pulDataLen = 0x%x", *pulDataLen));
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_DigestEncryptUpdate(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR       pPart,
-  CK_ULONG          ulPartLen,
-  CK_BYTE_PTR       pEncryptedPart,
-  CK_ULONG_PTR      pulEncryptedPartLen
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_DigestEncryptUpdate"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pPart = 0x%p", pPart));
-    PR_LOG(modlog, 3, ("  ulPartLen = %d", ulPartLen));
-    PR_LOG(modlog, 3, ("  pEncryptedPart = 0x%p", pEncryptedPart));
-    PR_LOG(modlog, 3, ("  pulEncryptedPartLen = 0x%p", pulEncryptedPartLen));
-    nssdbg_start_time(FUNC_C_DIGESTENCRYPTUPDATE,&start);
-    rv = module_functions->C_DigestEncryptUpdate(hSession,
-                                 pPart,
-                                 ulPartLen,
-                                 pEncryptedPart,
-                                 pulEncryptedPartLen);
-    nssdbg_finish_time(FUNC_C_DIGESTENCRYPTUPDATE,start);
-    PR_LOG(modlog, 4, ("  *pulEncryptedPartLen = 0x%x", *pulEncryptedPartLen));
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_DecryptDigestUpdate(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR       pEncryptedPart,
-  CK_ULONG          ulEncryptedPartLen,
-  CK_BYTE_PTR       pPart,
-  CK_ULONG_PTR      pulPartLen
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_DecryptDigestUpdate"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pEncryptedPart = 0x%p", pEncryptedPart));
-    PR_LOG(modlog, 3, ("  ulEncryptedPartLen = %d", ulEncryptedPartLen));
-    PR_LOG(modlog, 3, ("  pPart = 0x%p", pPart));
-    PR_LOG(modlog, 3, ("  pulPartLen = 0x%p", pulPartLen));
-    nssdbg_start_time(FUNC_C_DECRYPTDIGESTUPDATE,&start);
-    rv = module_functions->C_DecryptDigestUpdate(hSession,
-                                 pEncryptedPart,
-                                 ulEncryptedPartLen,
-                                 pPart,
-                                 pulPartLen);
-    nssdbg_finish_time(FUNC_C_DECRYPTDIGESTUPDATE,start);
-    PR_LOG(modlog, 4, ("  *pulPartLen = 0x%x", *pulPartLen));
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_SignEncryptUpdate(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR       pPart,
-  CK_ULONG          ulPartLen,
-  CK_BYTE_PTR       pEncryptedPart,
-  CK_ULONG_PTR      pulEncryptedPartLen
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_SignEncryptUpdate"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pPart = 0x%p", pPart));
-    PR_LOG(modlog, 3, ("  ulPartLen = %d", ulPartLen));
-    PR_LOG(modlog, 3, ("  pEncryptedPart = 0x%p", pEncryptedPart));
-    PR_LOG(modlog, 3, ("  pulEncryptedPartLen = 0x%p", pulEncryptedPartLen));
-    nssdbg_start_time(FUNC_C_SIGNENCRYPTUPDATE,&start);
-    rv = module_functions->C_SignEncryptUpdate(hSession,
-                                 pPart,
-                                 ulPartLen,
-                                 pEncryptedPart,
-                                 pulEncryptedPartLen);
-    nssdbg_finish_time(FUNC_C_SIGNENCRYPTUPDATE,start);
-    PR_LOG(modlog, 4, ("  *pulEncryptedPartLen = 0x%x", *pulEncryptedPartLen));
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_DecryptVerifyUpdate(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR       pEncryptedPart,
-  CK_ULONG          ulEncryptedPartLen,
-  CK_BYTE_PTR       pPart,
-  CK_ULONG_PTR      pulPartLen
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_DecryptVerifyUpdate"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pEncryptedPart = 0x%p", pEncryptedPart));
-    PR_LOG(modlog, 3, ("  ulEncryptedPartLen = %d", ulEncryptedPartLen));
-    PR_LOG(modlog, 3, ("  pPart = 0x%p", pPart));
-    PR_LOG(modlog, 3, ("  pulPartLen = 0x%p", pulPartLen));
-    nssdbg_start_time(FUNC_C_DECRYPTVERIFYUPDATE,&start);
-    rv = module_functions->C_DecryptVerifyUpdate(hSession,
-                                 pEncryptedPart,
-                                 ulEncryptedPartLen,
-                                 pPart,
-                                 pulPartLen);
-    nssdbg_finish_time(FUNC_C_DECRYPTVERIFYUPDATE,start);
-    PR_LOG(modlog, 4, ("  *pulPartLen = 0x%x", *pulPartLen));
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_GenerateKey(
-  CK_SESSION_HANDLE    hSession,
-  CK_MECHANISM_PTR     pMechanism,
-  CK_ATTRIBUTE_PTR     pTemplate,
-  CK_ULONG             ulCount,
-  CK_OBJECT_HANDLE_PTR phKey
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_GenerateKey"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pMechanism = 0x%p", pMechanism));
-    PR_LOG(modlog, 3, ("  pTemplate = 0x%p", pTemplate));
-    PR_LOG(modlog, 3, ("  ulCount = %d", ulCount));
-    PR_LOG(modlog, 3, ("  phKey = 0x%p", phKey));
-    print_template(pTemplate, ulCount);
-    print_mechanism(pMechanism);
-    nssdbg_start_time(FUNC_C_GENERATEKEY,&start);
-    rv = module_functions->C_GenerateKey(hSession,
-                                 pMechanism,
-                                 pTemplate,
-                                 ulCount,
-                                 phKey);
-    nssdbg_finish_time(FUNC_C_GENERATEKEY,start);
-    PR_LOG(modlog, 4, ("  *phKey = 0x%x", *phKey));
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_GenerateKeyPair(
-  CK_SESSION_HANDLE    hSession,
-  CK_MECHANISM_PTR     pMechanism,
-  CK_ATTRIBUTE_PTR     pPublicKeyTemplate,
-  CK_ULONG             ulPublicKeyAttributeCount,
-  CK_ATTRIBUTE_PTR     pPrivateKeyTemplate,
-  CK_ULONG             ulPrivateKeyAttributeCount,
-  CK_OBJECT_HANDLE_PTR phPublicKey,
-  CK_OBJECT_HANDLE_PTR phPrivateKey
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_GenerateKeyPair"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pMechanism = 0x%p", pMechanism));
-    PR_LOG(modlog, 3, ("  pPublicKeyTemplate = 0x%p", pPublicKeyTemplate));
-    PR_LOG(modlog, 3, ("  ulPublicKeyAttributeCount = %d", ulPublicKeyAttributeCount));
-    PR_LOG(modlog, 3, ("  pPrivateKeyTemplate = 0x%p", pPrivateKeyTemplate));
-    PR_LOG(modlog, 3, ("  ulPrivateKeyAttributeCount = %d", ulPrivateKeyAttributeCount));
-    PR_LOG(modlog, 3, ("  phPublicKey = 0x%p", phPublicKey));
-    PR_LOG(modlog, 3, ("  phPrivateKey = 0x%p", phPrivateKey));
-    print_template(pPublicKeyTemplate, ulPublicKeyAttributeCount);
-    print_template(pPrivateKeyTemplate, ulPrivateKeyAttributeCount);
-    print_mechanism(pMechanism);
-    nssdbg_start_time(FUNC_C_GENERATEKEYPAIR,&start);
-    rv = module_functions->C_GenerateKeyPair(hSession,
-                                 pMechanism,
-                                 pPublicKeyTemplate,
-                                 ulPublicKeyAttributeCount,
-                                 pPrivateKeyTemplate,
-                                 ulPrivateKeyAttributeCount,
-                                 phPublicKey,
-                                 phPrivateKey);
-    nssdbg_finish_time(FUNC_C_GENERATEKEYPAIR,start);
-    PR_LOG(modlog, 4, ("  *phPublicKey = 0x%x", *phPublicKey));
-    PR_LOG(modlog, 4, ("  *phPrivateKey = 0x%x", *phPrivateKey));
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_WrapKey(
-  CK_SESSION_HANDLE hSession,
-  CK_MECHANISM_PTR  pMechanism,
-  CK_OBJECT_HANDLE  hWrappingKey,
-  CK_OBJECT_HANDLE  hKey,
-  CK_BYTE_PTR       pWrappedKey,
-  CK_ULONG_PTR      pulWrappedKeyLen
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_WrapKey"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pMechanism = 0x%p", pMechanism));
-    PR_LOG(modlog, 3, ("  hWrappingKey = 0x%x", hWrappingKey));
-    PR_LOG(modlog, 3, ("  hKey = 0x%x", hKey));
-    PR_LOG(modlog, 3, ("  pWrappedKey = 0x%p", pWrappedKey));
-    PR_LOG(modlog, 3, ("  pulWrappedKeyLen = 0x%p", pulWrappedKeyLen));
-    print_mechanism(pMechanism);
-    nssdbg_start_time(FUNC_C_WRAPKEY,&start);
-    rv = module_functions->C_WrapKey(hSession,
-                                 pMechanism,
-                                 hWrappingKey,
-                                 hKey,
-                                 pWrappedKey,
-                                 pulWrappedKeyLen);
-    nssdbg_finish_time(FUNC_C_WRAPKEY,start);
-    PR_LOG(modlog, 4, ("  *pulWrappedKeyLen = 0x%x", *pulWrappedKeyLen));
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_UnwrapKey(
-  CK_SESSION_HANDLE    hSession,
-  CK_MECHANISM_PTR     pMechanism,
-  CK_OBJECT_HANDLE     hUnwrappingKey,
-  CK_BYTE_PTR          pWrappedKey,
-  CK_ULONG             ulWrappedKeyLen,
-  CK_ATTRIBUTE_PTR     pTemplate,
-  CK_ULONG             ulAttributeCount,
-  CK_OBJECT_HANDLE_PTR phKey
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_UnwrapKey"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pMechanism = 0x%p", pMechanism));
-    PR_LOG(modlog, 3, ("  hUnwrappingKey = 0x%x", hUnwrappingKey));
-    PR_LOG(modlog, 3, ("  pWrappedKey = 0x%p", pWrappedKey));
-    PR_LOG(modlog, 3, ("  ulWrappedKeyLen = %d", ulWrappedKeyLen));
-    PR_LOG(modlog, 3, ("  pTemplate = 0x%p", pTemplate));
-    PR_LOG(modlog, 3, ("  ulAttributeCount = %d", ulAttributeCount));
-    PR_LOG(modlog, 3, ("  phKey = 0x%p", phKey));
-    print_template(pTemplate, ulAttributeCount);
-    print_mechanism(pMechanism);
-    nssdbg_start_time(FUNC_C_UNWRAPKEY,&start);
-    rv = module_functions->C_UnwrapKey(hSession,
-                                 pMechanism,
-                                 hUnwrappingKey,
-                                 pWrappedKey,
-                                 ulWrappedKeyLen,
-                                 pTemplate,
-                                 ulAttributeCount,
-                                 phKey);
-    nssdbg_finish_time(FUNC_C_UNWRAPKEY,start);
-    PR_LOG(modlog, 4, ("  *phKey = 0x%x", *phKey));
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_DeriveKey(
-  CK_SESSION_HANDLE    hSession,
-  CK_MECHANISM_PTR     pMechanism,
-  CK_OBJECT_HANDLE     hBaseKey,
-  CK_ATTRIBUTE_PTR     pTemplate,
-  CK_ULONG             ulAttributeCount,
-  CK_OBJECT_HANDLE_PTR phKey
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_DeriveKey"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pMechanism = 0x%p", pMechanism));
-    PR_LOG(modlog, 3, ("  hBaseKey = 0x%x", hBaseKey));
-    PR_LOG(modlog, 3, ("  pTemplate = 0x%p", pTemplate));
-    PR_LOG(modlog, 3, ("  ulAttributeCount = %d", ulAttributeCount));
-    PR_LOG(modlog, 3, ("  phKey = 0x%p", phKey));
-    print_template(pTemplate, ulAttributeCount);
-    print_mechanism(pMechanism);
-    nssdbg_start_time(FUNC_C_DERIVEKEY,&start);
-    rv = module_functions->C_DeriveKey(hSession,
-                                 pMechanism,
-                                 hBaseKey,
-                                 pTemplate,
-                                 ulAttributeCount,
-                                 phKey);
-    nssdbg_finish_time(FUNC_C_DERIVEKEY,start);
-    PR_LOG(modlog, 4, ("  *phKey = 0x%x", *phKey));
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_SeedRandom(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR       pSeed,
-  CK_ULONG          ulSeedLen
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_SeedRandom"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  pSeed = 0x%p", pSeed));
-    PR_LOG(modlog, 3, ("  ulSeedLen = %d", ulSeedLen));
-    nssdbg_start_time(FUNC_C_SEEDRANDOM,&start);
-    rv = module_functions->C_SeedRandom(hSession,
-                                 pSeed,
-                                 ulSeedLen);
-    nssdbg_finish_time(FUNC_C_SEEDRANDOM,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_GenerateRandom(
-  CK_SESSION_HANDLE hSession,
-  CK_BYTE_PTR       RandomData,
-  CK_ULONG          ulRandomLen
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_GenerateRandom"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    PR_LOG(modlog, 3, ("  RandomData = 0x%p", RandomData));
-    PR_LOG(modlog, 3, ("  ulRandomLen = %d", ulRandomLen));
-    nssdbg_start_time(FUNC_C_GENERATERANDOM,&start);
-    rv = module_functions->C_GenerateRandom(hSession,
-                                 RandomData,
-                                 ulRandomLen);
-    nssdbg_finish_time(FUNC_C_GENERATERANDOM,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_GetFunctionStatus(
-  CK_SESSION_HANDLE hSession
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_GetFunctionStatus"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    nssdbg_start_time(FUNC_C_GETFUNCTIONSTATUS,&start);
-    rv = module_functions->C_GetFunctionStatus(hSession);
-    nssdbg_finish_time(FUNC_C_GETFUNCTIONSTATUS,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_CancelFunction(
-  CK_SESSION_HANDLE hSession
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_CancelFunction"));
-    PR_LOG(modlog, 3, ("  hSession = 0x%x", hSession));
-    nssdbg_start_time(FUNC_C_CANCELFUNCTION,&start);
-    rv = module_functions->C_CancelFunction(hSession);
-    nssdbg_finish_time(FUNC_C_CANCELFUNCTION,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_RV NSSDBGC_WaitForSlotEvent(
-  CK_FLAGS       flags,
-  CK_SLOT_ID_PTR pSlot,
-  CK_VOID_PTR    pRserved
-)
-{
-    CK_RV rv;
-    PRIntervalTime start;
-    PR_LOG(modlog, 1, ("C_WaitForSlotEvent"));
-    PR_LOG(modlog, 3, ("  flags = 0x%x", flags));
-    PR_LOG(modlog, 3, ("  pSlot = 0x%p", pSlot));
-    PR_LOG(modlog, 3, ("  pRserved = 0x%p", pRserved));
-    nssdbg_start_time(FUNC_C_WAITFORSLOTEVENT,&start);
-    rv = module_functions->C_WaitForSlotEvent(flags,
-                                 pSlot,
-                                 pRserved);
-    nssdbg_finish_time(FUNC_C_WAITFORSLOTEVENT,start);
-    PR_LOG(modlog, 1, ("  rv = 0x%x\n", rv));
-    return rv;
-}
-
-CK_FUNCTION_LIST_PTR nss_InsertDeviceLog(
-  CK_FUNCTION_LIST_PTR devEPV
-)
-{
-    module_functions = devEPV;
-    modlog = PR_NewLogModule("nss_mod_log");
-    debug_functions.C_Initialize = NSSDBGC_Initialize;
-    debug_functions.C_Finalize = NSSDBGC_Finalize;
-    debug_functions.C_GetInfo = NSSDBGC_GetInfo;
-    debug_functions.C_GetFunctionList = NSSDBGC_GetFunctionList;
-    debug_functions.C_GetSlotList = NSSDBGC_GetSlotList;
-    debug_functions.C_GetSlotInfo = NSSDBGC_GetSlotInfo;
-    debug_functions.C_GetTokenInfo = NSSDBGC_GetTokenInfo;
-    debug_functions.C_GetMechanismList = NSSDBGC_GetMechanismList;
-    debug_functions.C_GetMechanismInfo = NSSDBGC_GetMechanismInfo;
-    debug_functions.C_InitToken = NSSDBGC_InitToken;
-    debug_functions.C_InitPIN = NSSDBGC_InitPIN;
-    debug_functions.C_SetPIN = NSSDBGC_SetPIN;
-    debug_functions.C_OpenSession = NSSDBGC_OpenSession;
-    debug_functions.C_CloseSession = NSSDBGC_CloseSession;
-    debug_functions.C_CloseAllSessions = NSSDBGC_CloseAllSessions;
-    debug_functions.C_GetSessionInfo = NSSDBGC_GetSessionInfo;
-    debug_functions.C_GetOperationState = NSSDBGC_GetOperationState;
-    debug_functions.C_SetOperationState = NSSDBGC_SetOperationState;
-    debug_functions.C_Login = NSSDBGC_Login;
-    debug_functions.C_Logout = NSSDBGC_Logout;
-    debug_functions.C_CreateObject = NSSDBGC_CreateObject;
-    debug_functions.C_CopyObject = NSSDBGC_CopyObject;
-    debug_functions.C_DestroyObject = NSSDBGC_DestroyObject;
-    debug_functions.C_GetObjectSize = NSSDBGC_GetObjectSize;
-    debug_functions.C_GetAttributeValue = NSSDBGC_GetAttributeValue;
-    debug_functions.C_SetAttributeValue = NSSDBGC_SetAttributeValue;
-    debug_functions.C_FindObjectsInit = NSSDBGC_FindObjectsInit;
-    debug_functions.C_FindObjects = NSSDBGC_FindObjects;
-    debug_functions.C_FindObjectsFinal = NSSDBGC_FindObjectsFinal;
-    debug_functions.C_EncryptInit = NSSDBGC_EncryptInit;
-    debug_functions.C_Encrypt = NSSDBGC_Encrypt;
-    debug_functions.C_EncryptUpdate = NSSDBGC_EncryptUpdate;
-    debug_functions.C_EncryptFinal = NSSDBGC_EncryptFinal;
-    debug_functions.C_DecryptInit = NSSDBGC_DecryptInit;
-    debug_functions.C_Decrypt = NSSDBGC_Decrypt;
-    debug_functions.C_DecryptUpdate = NSSDBGC_DecryptUpdate;
-    debug_functions.C_DecryptFinal = NSSDBGC_DecryptFinal;
-    debug_functions.C_DigestInit = NSSDBGC_DigestInit;
-    debug_functions.C_Digest = NSSDBGC_Digest;
-    debug_functions.C_DigestUpdate = NSSDBGC_DigestUpdate;
-    debug_functions.C_DigestKey = NSSDBGC_DigestKey;
-    debug_functions.C_DigestFinal = NSSDBGC_DigestFinal;
-    debug_functions.C_SignInit = NSSDBGC_SignInit;
-    debug_functions.C_Sign = NSSDBGC_Sign;
-    debug_functions.C_SignUpdate = NSSDBGC_SignUpdate;
-    debug_functions.C_SignFinal = NSSDBGC_SignFinal;
-    debug_functions.C_SignRecoverInit = NSSDBGC_SignRecoverInit;
-    debug_functions.C_SignRecover = NSSDBGC_SignRecover;
-    debug_functions.C_VerifyInit = NSSDBGC_VerifyInit;
-    debug_functions.C_Verify = NSSDBGC_Verify;
-    debug_functions.C_VerifyUpdate = NSSDBGC_VerifyUpdate;
-    debug_functions.C_VerifyFinal = NSSDBGC_VerifyFinal;
-    debug_functions.C_VerifyRecoverInit = NSSDBGC_VerifyRecoverInit;
-    debug_functions.C_VerifyRecover = NSSDBGC_VerifyRecover;
-    debug_functions.C_DigestEncryptUpdate = NSSDBGC_DigestEncryptUpdate;
-    debug_functions.C_DecryptDigestUpdate = NSSDBGC_DecryptDigestUpdate;
-    debug_functions.C_SignEncryptUpdate = NSSDBGC_SignEncryptUpdate;
-    debug_functions.C_DecryptVerifyUpdate = NSSDBGC_DecryptVerifyUpdate;
-    debug_functions.C_GenerateKey = NSSDBGC_GenerateKey;
-    debug_functions.C_GenerateKeyPair = NSSDBGC_GenerateKeyPair;
-    debug_functions.C_WrapKey = NSSDBGC_WrapKey;
-    debug_functions.C_UnwrapKey = NSSDBGC_UnwrapKey;
-    debug_functions.C_DeriveKey = NSSDBGC_DeriveKey;
-    debug_functions.C_SeedRandom = NSSDBGC_SeedRandom;
-    debug_functions.C_GenerateRandom = NSSDBGC_GenerateRandom;
-    debug_functions.C_GetFunctionStatus = NSSDBGC_GetFunctionStatus;
-    debug_functions.C_CancelFunction = NSSDBGC_CancelFunction;
-    debug_functions.C_WaitForSlotEvent = NSSDBGC_WaitForSlotEvent;
-    return &debug_functions;
-}
-
-/*
- * scale the time factor up accordingly.
- * This routine tries to keep at least 2 significant figures on output.
- *    If the time is 0, then indicate that with a 'z' for units.
- *    If the time is greater than 10 minutes, output the time in minutes.
- *    If the time is less than 10 minutes but greater than 10 seconds output 
- * the time in second.
- *    If the time is less than 10 seconds but greater than 10 milliseconds 
- * output * the time in millisecond.
- *    If the time is less than 10 milliseconds but greater than 0 ticks output 
- * the time in microsecond.
- *
- */
-static PRUint32 getPrintTime(PRIntervalTime time ,char **type)
-{
-	PRUint32 prTime;
-
-        /* detect a programming error by outputting 'bu' to the output stream
-	 * rather than crashing */
- 	*type = "bug";
-	if (time == 0) {
-	    *type = "z";
-	    return 0;
-	}
-
-	prTime = PR_IntervalToSeconds(time);
-
-	if (prTime >= 600) {
-	    *type="m";
-	    return prTime/60;
-	}
-        if (prTime >= 10) {
-	    *type="s";
-	    return prTime;
-	} 
-	prTime = PR_IntervalToMilliseconds(time);
-        if (prTime >= 10) {
-	    *type="ms";
-	    return prTime;
-	} 
- 	*type = "us";
-	return PR_IntervalToMicroseconds(time);
-}
-
-static void print_final_statistics(void)
-{
-    int total_calls = 0;
-    PRIntervalTime total_time = 0;
-    PRUint32 pr_total_time;
-    char *type;
-    char *fname;
-    FILE *outfile = NULL;
-    int i;
-
-    fname = PR_GetEnv("NSS_OUTPUT_FILE");
-    if (fname) {
-	/* need to add an optional process id to the filename */
-	outfile = fopen(fname,"w+");
-    }
-    if (!outfile) {
-	outfile = stdout;
-    }
-	
-
-    fprintf(outfile,"%-25s %10s %12s %12s %10s\n", "Function", "# Calls", 
-				"Time", "Avg.", "% Time");
-    fprintf(outfile,"\n");
-    for (i=0; i < nssdbg_prof_size; i++) {
-	total_calls += nssdbg_prof_data[i].calls;
-	total_time += nssdbg_prof_data[i].time;
-    }
-    for (i=0; i < nssdbg_prof_size; i++) {
-	PRIntervalTime time = nssdbg_prof_data[i].time;
-	PRUint32 usTime = PR_IntervalToMicroseconds(time);
-	PRUint32 prTime = 0;
-	PRUint32 calls = nssdbg_prof_data[i].calls;
-	/* don't print out functions that weren't even called */
-	if (calls == 0) {
-	    continue;
-	}
-
-	prTime = getPrintTime(time,&type);
-
-	fprintf(outfile,"%-25s %10d %10d%2s ", nssdbg_prof_data[i].function, 
-						calls, prTime, type);
-	/* for now always output the average in microseconds */
-	fprintf(outfile,"%10.2f%2s", (float)usTime / (float)calls, "us" );
-	fprintf(outfile,"%10.2f%%", ((float)time / (float)total_time) * 100);
-	fprintf(outfile,"\n");
-    }
-    fprintf(outfile,"\n");
-
-    pr_total_time = getPrintTime(total_time,&type);
-
-    fprintf(outfile,"%25s %10d %10d%2s\n", "Totals", total_calls, 
-							pr_total_time, type);
-    fprintf(outfile,"\n\nMaximum number of concurrent open sessions: %d\n\n",
-							 maxOpenSessions);
-    fflush (outfile);
-    if (outfile != stdout) {
-	fclose(outfile);
-    }
-}
-
diff --git a/security/nss/lib/pk11wrap/dev3hack.c b/security/nss/lib/pk11wrap/dev3hack.c
deleted file mode 100644
index 6e1a816e3..000000000
--- a/security/nss/lib/pk11wrap/dev3hack.c
+++ /dev/null
@@ -1,316 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#ifndef NSS_3_4_CODE
-#define NSS_3_4_CODE
-#endif /* NSS_3_4_CODE */
-
-#ifndef PKIT_H
-#include "pkit.h"
-#endif /* PKIT_H */
-
-#ifndef DEVM_H
-#include "devm.h"
-#endif /* DEVM_H */
-
-#include "pki3hack.h"
-#include "dev3hack.h"
-#include "pkim.h"
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-#include "pk11func.h"
-#include "secmodti.h"
-
-NSS_IMPLEMENT nssSession *
-nssSession_ImportNSS3Session(NSSArena *arenaOpt,
-                             CK_SESSION_HANDLE session, 
-                             PZLock *lock, PRBool rw)
-{
-    nssSession *rvSession;
-    rvSession = nss_ZNEW(arenaOpt, nssSession);
-    rvSession->handle = session;
-    rvSession->lock = lock;
-    rvSession->ownLock = PR_FALSE;
-    rvSession->isRW = rw;
-    return rvSession;
-}
-
-NSS_IMPLEMENT nssSession *
-nssSlot_CreateSession
-(
-  NSSSlot *slot,
-  NSSArena *arenaOpt,
-  PRBool readWrite
-)
-{
-    nssSession *rvSession;
-    rvSession = nss_ZNEW(arenaOpt, nssSession);
-    if (!rvSession) {
-	return (nssSession *)NULL;
-    }
-    if (readWrite) {
-	rvSession->handle = PK11_GetRWSession(slot->pk11slot);
-	if (rvSession->handle == CK_INVALID_HANDLE) {
-	    nss_ZFreeIf(rvSession);
-	    return NULL;
-	}
-	rvSession->isRW = PR_TRUE;
-	rvSession->slot = slot;
-        /*
-         * The session doesn't need its own lock.  Here's why.
-         * 1. If we are reusing the default RW session of the slot,
-         *    the slot lock is already locked to protect the session.
-         * 2. If the module is not thread safe, the slot (or rather
-         *    module) lock is already locked.
-         * 3. If the module is thread safe and we are using a new
-         *    session, no higher-level lock has been locked and we
-         *    would need a lock for the new session.  However, the
-         *    NSS_3_4_CODE usage of the session is that it is always
-         *    used and destroyed within the same function and never
-         *    shared with another thread.
-         * So the session is either already protected by another
-         * lock or only used by one thread.
-         */
-        rvSession->lock = NULL;
-        rvSession->ownLock = PR_FALSE;
-	return rvSession;
-    } else {
-	return NULL;
-    }
-}
-
-NSS_IMPLEMENT PRStatus
-nssSession_Destroy
-(
-  nssSession *s
-)
-{
-    CK_RV ckrv = CKR_OK;
-    if (s) {
-	if (s->isRW) {
-	    PK11_RestoreROSession(s->slot->pk11slot, s->handle);
-	}
-	nss_ZFreeIf(s);
-    }
-    return (ckrv == CKR_OK) ? PR_SUCCESS : PR_FAILURE;
-}
-
-static NSSSlot *
-nssSlot_CreateFromPK11SlotInfo(NSSTrustDomain *td, PK11SlotInfo *nss3slot)
-{
-    NSSSlot *rvSlot;
-    NSSArena *arena;
-    arena = nssArena_Create();
-    if (!arena) {
-	return NULL;
-    }
-    rvSlot = nss_ZNEW(arena, NSSSlot);
-    if (!rvSlot) {
-	nssArena_Destroy(arena);
-	return NULL;
-    }
-    rvSlot->base.refCount = 1;
-    rvSlot->base.lock = PZ_NewLock(nssILockOther);
-    rvSlot->base.arena = arena;
-    rvSlot->pk11slot = nss3slot;
-    rvSlot->epv = nss3slot->functionList;
-    rvSlot->slotID = nss3slot->slotID;
-    /* Grab the slot name from the PKCS#11 fixed-length buffer */
-    rvSlot->base.name = nssUTF8_Duplicate(nss3slot->slot_name,td->arena);
-    rvSlot->lock = (nss3slot->isThreadSafe) ? NULL : nss3slot->sessionLock;
-    return rvSlot;
-}
-
-NSS_IMPLEMENT NSSToken *
-nssToken_CreateFromPK11SlotInfo(NSSTrustDomain *td, PK11SlotInfo *nss3slot)
-{
-    NSSToken *rvToken;
-    NSSArena *arena;
-    arena = nssArena_Create();
-    if (!arena) {
-	return NULL;
-    }
-    rvToken = nss_ZNEW(arena, NSSToken);
-    if (!rvToken) {
-	nssArena_Destroy(arena);
-	return NULL;
-    }
-    rvToken->base.refCount = 1;
-    rvToken->base.lock = PZ_NewLock(nssILockOther);
-    rvToken->base.arena = arena;
-    rvToken->pk11slot = nss3slot;
-    rvToken->epv = nss3slot->functionList;
-    rvToken->defaultSession = nssSession_ImportNSS3Session(td->arena,
-                                                       nss3slot->session,
-                                                       nss3slot->sessionLock,
-                                                       nss3slot->defRWSession);
-    /* The above test was used in 3.4, for this cache have it always on */
-    if (!PK11_IsInternal(nss3slot) && PK11_IsHW(nss3slot)) {
-	rvToken->cache = nssTokenObjectCache_Create(rvToken, 
-	                                            PR_TRUE, PR_TRUE, PR_TRUE);
-	if (!rvToken->cache) {
-	    nssArena_Destroy(arena);
-	    return (NSSToken *)NULL;
-	}
-    }
-    rvToken->trustDomain = td;
-    /* Grab the token name from the PKCS#11 fixed-length buffer */
-    rvToken->base.name = nssUTF8_Duplicate(nss3slot->token_name,td->arena);
-    rvToken->slot = nssSlot_CreateFromPK11SlotInfo(td, nss3slot);
-    rvToken->slot->token = rvToken;
-    rvToken->defaultSession->slot = rvToken->slot;
-    return rvToken;
-}
-
-NSS_IMPLEMENT void
-nssToken_UpdateName(NSSToken *token)
-{
-    if (!token) {
-	return;
-    }
-    token->base.name = nssUTF8_Duplicate(token->pk11slot->token_name,token->base.arena);
-}
-
-NSS_IMPLEMENT PRBool
-nssSlot_IsPermanent
-(
-  NSSSlot *slot
-)
-{
-    return slot->pk11slot->isPerm;
-}
-
-NSS_IMPLEMENT PRBool
-nssSlot_IsFriendly
-(
-  NSSSlot *slot
-)
-{
-    return PK11_IsFriendly(slot->pk11slot);
-}
-
-NSS_IMPLEMENT PRStatus
-nssToken_Refresh(NSSToken *token)
-{
-    PK11SlotInfo *nss3slot;
-
-    if (!token) {
-	return PR_SUCCESS;
-    }
-    nss3slot = token->pk11slot;
-    token->defaultSession = nssSession_ImportNSS3Session(token->slot->base.arena,
-                                                       nss3slot->session,
-                                                       nss3slot->sessionLock,
-                                                       nss3slot->defRWSession);
-    return PR_SUCCESS;
-}
-
-NSS_IMPLEMENT PRStatus
-nssSlot_Refresh
-(
-  NSSSlot *slot
-)
-{
-    PK11SlotInfo *nss3slot = slot->pk11slot;
-    PRBool doit = PR_FALSE;
-    if (slot->token->base.name[0] == 0) {
-	doit = PR_TRUE;
-    }
-    if (PK11_InitToken(nss3slot, PR_FALSE) != SECSuccess) {
-	return PR_FAILURE;
-    }
-    if (doit) {
-	nssTrustDomain_UpdateCachedTokenCerts(slot->token->trustDomain, 
-	                                      slot->token);
-    }
-    return nssToken_Refresh(slot->token);
-}
-
-NSS_IMPLEMENT PRStatus
-nssToken_GetTrustOrder
-(
-  NSSToken *tok
-)
-{
-    PK11SlotInfo *slot;
-    SECMODModule *module;
-    slot = tok->pk11slot;
-    module = PK11_GetModule(slot);
-    return module->trustOrder;
-}
-
-NSS_IMPLEMENT PRBool
-nssSlot_IsLoggedIn
-(
-  NSSSlot *slot
-)
-{
-    if (!slot->pk11slot->needLogin) {
-	return PR_TRUE;
-    }
-    return PK11_IsLoggedIn(slot->pk11slot, NULL);
-}
-
-
-NSSTrustDomain *
-nssToken_GetTrustDomain(NSSToken *token)
-{
-    return token->trustDomain;
-}
-
-NSS_EXTERN PRStatus
-nssTrustDomain_RemoveTokenCertsFromCache
-(
-  NSSTrustDomain *td,
-  NSSToken *token
-);
-
-NSS_IMPLEMENT PRStatus
-nssToken_NotifyCertsNotVisible
-(
-  NSSToken *tok
-)
-{
-    return nssTrustDomain_RemoveTokenCertsFromCache(tok->trustDomain, tok);
-}
-
diff --git a/security/nss/lib/pk11wrap/dev3hack.h b/security/nss/lib/pk11wrap/dev3hack.h
deleted file mode 100644
index 1bb2fac47..000000000
--- a/security/nss/lib/pk11wrap/dev3hack.h
+++ /dev/null
@@ -1,66 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef DEVNSS3HACK_H
-#define DEVNSS3HACK_H
-
-#ifdef DEBUG
-static const char DEVNSS3HACK_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#include "cert.h"
-
-PR_BEGIN_EXTERN_C
-
-NSS_EXTERN NSSToken *
-nssToken_CreateFromPK11SlotInfo(NSSTrustDomain *td, PK11SlotInfo *nss3slot);
-
-NSS_EXTERN void
-nssToken_UpdateName(NSSToken *);
-
-NSS_EXTERN PRStatus
-nssToken_Refresh(NSSToken *);
-
-NSSTrustDomain *
-nssToken_GetTrustDomain(NSSToken *token);
-
-void PK11Slot_SetNSSToken(PK11SlotInfo *sl, NSSToken *nsst);
-
-NSSToken * PK11Slot_GetNSSToken(PK11SlotInfo *sl);
-
-PR_END_EXTERN_C
-
-#endif /* DEVNSS3HACK_H */
diff --git a/security/nss/lib/pk11wrap/manifest.mn b/security/nss/lib/pk11wrap/manifest.mn
deleted file mode 100644
index b0de09bec..000000000
--- a/security/nss/lib/pk11wrap/manifest.mn
+++ /dev/null
@@ -1,88 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-CORE_DEPTH = ../../..
-
-EXPORTS = \
-	secmod.h \
-	secmodt.h \
-	secpkcs5.h \
-	pk11func.h \
-	pk11pub.h \
-	pk11priv.h \
-	pk11sdr.h \
-	pk11pqg.h \
-	$(NULL)
-
-PRIVATE_EXPORTS = \
-	secmodi.h \
-	pk11init.h \
-	dev3hack.h \
-	$(NULL)
-
-MODULE = nss
-
-CSRCS = \
-	dev3hack.c \
-	pk11akey.c \
-	pk11auth.c \
-	pk11cert.c \
-	pk11cxt.c \
-	pk11err.c  \
-	pk11kea.c \
-	pk11list.c \
-	pk11load.c \
-	pk11mech.c \
-	pk11nobj.c \
-	pk11obj.c \
-	pk11pars.c \
-	pk11pbe.c \
-	pk11pk12.c \
-	pk11pqg.c \
-	pk11sdr.c \
-	pk11skey.c \
-	pk11slot.c \
-	pk11util.c \
-	$(NULL)
-
-REQUIRES = dbm
-
-LIBRARY_NAME = pk11wrap
-
-# only add module debugging in opt builds if DEBUG_PKCS11 is set
-ifdef DEBUG_PKCS11
-  DEFINES += -DDEBUG_MODULE
-endif
diff --git a/security/nss/lib/pk11wrap/pk11akey.c b/security/nss/lib/pk11wrap/pk11akey.c
deleted file mode 100644
index a6189cf43..000000000
--- a/security/nss/lib/pk11wrap/pk11akey.c
+++ /dev/null
@@ -1,2085 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Stephen Henson <stephen.henson@gemplus.com>
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, and
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * This file contains functions to manage asymetric keys, (public and
- * private keys).
- */
-#include "seccomon.h"
-#include "secmod.h"
-#include "secmodi.h"
-#include "secmodti.h"
-#include "pkcs11.h"
-#include "pkcs11t.h"
-#include "pk11func.h"
-#include "cert.h"
-#include "key.h"
-#include "secitem.h"
-#include "secasn1.h" 
-#include "secoid.h" 
-#include "secerr.h"
-#include "sslerr.h"
-#include "sechash.h"
-
-#include "secpkcs5.h"  
-#include "ec.h"
-
-/*
- * import a public key into the desired slot
- */
-CK_OBJECT_HANDLE
-PK11_ImportPublicKey(PK11SlotInfo *slot, SECKEYPublicKey *pubKey, 
-								PRBool isToken)
-{
-    CK_BBOOL cktrue = CK_TRUE;
-    CK_BBOOL ckfalse = CK_FALSE;
-    CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
-    CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
-    CK_OBJECT_HANDLE objectID;
-    CK_ATTRIBUTE theTemplate[10];
-    CK_ATTRIBUTE *signedattr = NULL;
-    CK_ATTRIBUTE *attrs = theTemplate;
-    int signedcount = 0;
-    int templateCount = 0;
-    SECStatus rv;
-
-    /* if we already have an object in the desired slot, use it */
-    if (!isToken && pubKey->pkcs11Slot == slot) {
-	return pubKey->pkcs11ID;
-    }
-
-    /* free the existing key */
-    if (pubKey->pkcs11Slot != NULL) {
-	PK11SlotInfo *oSlot = pubKey->pkcs11Slot;
-	PK11_EnterSlotMonitor(oSlot);
-	(void) PK11_GETTAB(oSlot)->C_DestroyObject(oSlot->session,
-							pubKey->pkcs11ID);
-	PK11_ExitSlotMonitor(oSlot);
-	PK11_FreeSlot(oSlot);
-	pubKey->pkcs11Slot = NULL;
-    }
-    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass) ); attrs++;
-    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType) ); attrs++;
-    PK11_SETATTRS(attrs, CKA_TOKEN, isToken ? &cktrue : &ckfalse,
-						 sizeof(CK_BBOOL) ); attrs++;
-
-    /* now import the key */
-    {
-        switch (pubKey->keyType) {
-        case rsaKey:
-	    keyType = CKK_RSA;
-	    PK11_SETATTRS(attrs, CKA_WRAP, &cktrue, sizeof(CK_BBOOL) ); attrs++;
-	    PK11_SETATTRS(attrs, CKA_ENCRYPT, &cktrue, 
-						sizeof(CK_BBOOL) ); attrs++;
-	    PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL)); attrs++;
- 	    signedattr = attrs;
-	    PK11_SETATTRS(attrs, CKA_MODULUS, pubKey->u.rsa.modulus.data,
-					 pubKey->u.rsa.modulus.len); attrs++;
-	    PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, 
-	     	pubKey->u.rsa.publicExponent.data,
-				 pubKey->u.rsa.publicExponent.len); attrs++;
-	    break;
-        case dsaKey:
-	    keyType = CKK_DSA;
-	    PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));attrs++;
- 	    signedattr = attrs;
-	    PK11_SETATTRS(attrs, CKA_PRIME,    pubKey->u.dsa.params.prime.data,
-				pubKey->u.dsa.params.prime.len); attrs++;
-	    PK11_SETATTRS(attrs,CKA_SUBPRIME,pubKey->u.dsa.params.subPrime.data,
-				pubKey->u.dsa.params.subPrime.len); attrs++;
-	    PK11_SETATTRS(attrs, CKA_BASE,  pubKey->u.dsa.params.base.data,
-					pubKey->u.dsa.params.base.len); attrs++;
-	    PK11_SETATTRS(attrs, CKA_VALUE,    pubKey->u.dsa.publicValue.data, 
-					pubKey->u.dsa.publicValue.len); attrs++;
-	    break;
-	case fortezzaKey:
-	    keyType = CKK_DSA;
-	    PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));attrs++;
- 	    signedattr = attrs;
-	    PK11_SETATTRS(attrs, CKA_PRIME,pubKey->u.fortezza.params.prime.data,
-				pubKey->u.fortezza.params.prime.len); attrs++;
-	    PK11_SETATTRS(attrs,CKA_SUBPRIME,
-				pubKey->u.fortezza.params.subPrime.data,
-				pubKey->u.fortezza.params.subPrime.len);attrs++;
-	    PK11_SETATTRS(attrs, CKA_BASE,  pubKey->u.fortezza.params.base.data,
-				pubKey->u.fortezza.params.base.len); attrs++;
-	    PK11_SETATTRS(attrs, CKA_VALUE, pubKey->u.fortezza.DSSKey.data, 
-				pubKey->u.fortezza.DSSKey.len); attrs++;
-            break;
-        case dhKey:
-	    keyType = CKK_DH;
-	    PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL));attrs++;
- 	    signedattr = attrs;
-	    PK11_SETATTRS(attrs, CKA_PRIME,    pubKey->u.dh.prime.data,
-				pubKey->u.dh.prime.len); attrs++;
-	    PK11_SETATTRS(attrs, CKA_BASE,  pubKey->u.dh.base.data,
-					pubKey->u.dh.base.len); attrs++;
-	    PK11_SETATTRS(attrs, CKA_VALUE,    pubKey->u.dh.publicValue.data, 
-					pubKey->u.dh.publicValue.len); attrs++;
-	    break;
-        case ecKey:
-	    keyType = CKK_EC;
-	    PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));attrs++;
-	    PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL));attrs++;
- 	    signedattr = attrs;
-	    PK11_SETATTRS(attrs, CKA_EC_PARAMS, 
-		          pubKey->u.ec.DEREncodedParams.data,
-		          pubKey->u.ec.DEREncodedParams.len); attrs++;
-	    PK11_SETATTRS(attrs, CKA_EC_POINT, pubKey->u.ec.publicValue.data,
-			  pubKey->u.ec.publicValue.len); attrs++;
-	    break;
-	default:
-	    PORT_SetError( SEC_ERROR_BAD_KEY );
-	    return CK_INVALID_HANDLE;
-	}
-
-	templateCount = attrs - theTemplate;
-	signedcount = attrs - signedattr;
-	PORT_Assert(templateCount <= (sizeof(theTemplate)/sizeof(CK_ATTRIBUTE)));
-	for (attrs=signedattr; signedcount; attrs++, signedcount--) {
-		pk11_SignedToUnsigned(attrs);
-	} 
-        rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION, theTemplate,
-				 	templateCount, isToken, &objectID);
-	if ( rv != SECSuccess) {
-	    return CK_INVALID_HANDLE;
-	}
-    }
-
-    pubKey->pkcs11ID = objectID;
-    pubKey->pkcs11Slot = PK11_ReferenceSlot(slot);
-
-    return objectID;
-}
-
-/*
- * take an attribute and copy it into a secitem
- */
-static CK_RV
-pk11_Attr2SecItem(PRArenaPool *arena, CK_ATTRIBUTE *attr, SECItem *item) 
-{
-    item->data = NULL;
-
-    (void)SECITEM_AllocItem(arena, item, attr->ulValueLen);
-    if (item->data == NULL) {
-	return CKR_HOST_MEMORY;
-    } 
-    PORT_Memcpy(item->data, attr->pValue, item->len);
-    return CKR_OK;
-}
-
-/*
- * extract a public key from a slot and id
- */
-SECKEYPublicKey *
-PK11_ExtractPublicKey(PK11SlotInfo *slot,KeyType keyType,CK_OBJECT_HANDLE id)
-{
-    CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
-    PRArenaPool *arena;
-    PRArenaPool *tmp_arena;
-    SECKEYPublicKey *pubKey;
-    int templateCount = 0;
-    CK_KEY_TYPE pk11KeyType;
-    CK_RV crv;
-    CK_ATTRIBUTE template[8];
-    CK_ATTRIBUTE *attrs= template;
-    CK_ATTRIBUTE *modulus,*exponent,*base,*prime,*subprime,*value;
-    CK_ATTRIBUTE *ecparams;
-
-    /* if we didn't know the key type, get it */
-    if (keyType== nullKey) {
-
-        pk11KeyType = PK11_ReadULongAttribute(slot,id,CKA_KEY_TYPE);
-	if (pk11KeyType ==  CK_UNAVAILABLE_INFORMATION) {
-	    return NULL;
-	}
-	switch (pk11KeyType) {
-	case CKK_RSA:
-	    keyType = rsaKey;
-	    break;
-	case CKK_DSA:
-	    keyType = dsaKey;
-	    break;
-	case CKK_DH:
-	    keyType = dhKey;
-	    break;
-	case CKK_EC:
-	    keyType = ecKey;
-	    break;
-	default:
-	    PORT_SetError( SEC_ERROR_BAD_KEY );
-	    return NULL;
-	}
-    }
-
-
-    /* now we need to create space for the public key */
-    arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) return NULL;
-    tmp_arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
-    if (tmp_arena == NULL) {
-	PORT_FreeArena (arena, PR_FALSE);
-	return NULL;
-    }
-
-
-    pubKey = (SECKEYPublicKey *) 
-			PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey));
-    if (pubKey == NULL) {
-	PORT_FreeArena (arena, PR_FALSE);
-	PORT_FreeArena (tmp_arena, PR_FALSE);
-	return NULL;
-    }
-
-    pubKey->arena = arena;
-    pubKey->keyType = keyType;
-    pubKey->pkcs11Slot = PK11_ReferenceSlot(slot);
-    pubKey->pkcs11ID = id;
-    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, 
-						sizeof(keyClass)); attrs++;
-    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &pk11KeyType, 
-						sizeof(pk11KeyType) ); attrs++;
-    switch (pubKey->keyType) {
-    case rsaKey:
-	modulus = attrs;
-	PK11_SETATTRS(attrs, CKA_MODULUS, NULL, 0); attrs++; 
-	exponent = attrs;
-	PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, NULL, 0); attrs++; 
-
-	templateCount = attrs - template;
-	PR_ASSERT(templateCount <= sizeof(template)/sizeof(CK_ATTRIBUTE));
-	crv = PK11_GetAttributes(tmp_arena,slot,id,template,templateCount);
-	if (crv != CKR_OK) break;
-
-	if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_RSA)) {
-	    crv = CKR_OBJECT_HANDLE_INVALID;
-	    break;
-	} 
-	crv = pk11_Attr2SecItem(arena,modulus,&pubKey->u.rsa.modulus);
-	if (crv != CKR_OK) break;
-	crv = pk11_Attr2SecItem(arena,exponent,&pubKey->u.rsa.publicExponent);
-	if (crv != CKR_OK) break;
-	break;
-    case dsaKey:
-	prime = attrs;
-	PK11_SETATTRS(attrs, CKA_PRIME, NULL, 0); attrs++; 
-	subprime = attrs;
-	PK11_SETATTRS(attrs, CKA_SUBPRIME, NULL, 0); attrs++; 
-	base = attrs;
-	PK11_SETATTRS(attrs, CKA_BASE, NULL, 0); attrs++; 
-	value = attrs;
-	PK11_SETATTRS(attrs, CKA_VALUE, NULL, 0); attrs++; 
-	templateCount = attrs - template;
-	PR_ASSERT(templateCount <= sizeof(template)/sizeof(CK_ATTRIBUTE));
-	crv = PK11_GetAttributes(tmp_arena,slot,id,template,templateCount);
-	if (crv != CKR_OK) break;
-
-	if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_DSA)) {
-	    crv = CKR_OBJECT_HANDLE_INVALID;
-	    break;
-	} 
-	crv = pk11_Attr2SecItem(arena,prime,&pubKey->u.dsa.params.prime);
-	if (crv != CKR_OK) break;
-	crv = pk11_Attr2SecItem(arena,subprime,&pubKey->u.dsa.params.subPrime);
-	if (crv != CKR_OK) break;
-	crv = pk11_Attr2SecItem(arena,base,&pubKey->u.dsa.params.base);
-	if (crv != CKR_OK) break;
-	crv = pk11_Attr2SecItem(arena,value,&pubKey->u.dsa.publicValue);
-	if (crv != CKR_OK) break;
-	break;
-    case dhKey:
-	prime = attrs;
-	PK11_SETATTRS(attrs, CKA_PRIME, NULL, 0); attrs++; 
-	base = attrs;
-	PK11_SETATTRS(attrs, CKA_BASE, NULL, 0); attrs++; 
-	value =attrs;
-	PK11_SETATTRS(attrs, CKA_VALUE, NULL, 0); attrs++; 
-	templateCount = attrs - template;
-	PR_ASSERT(templateCount <= sizeof(template)/sizeof(CK_ATTRIBUTE));
-	crv = PK11_GetAttributes(tmp_arena,slot,id,template,templateCount);
-	if (crv != CKR_OK) break;
-
-	if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_DH)) {
-	    crv = CKR_OBJECT_HANDLE_INVALID;
-	    break;
-	} 
-	crv = pk11_Attr2SecItem(arena,prime,&pubKey->u.dh.prime);
-	if (crv != CKR_OK) break;
-	crv = pk11_Attr2SecItem(arena,base,&pubKey->u.dh.base);
-	if (crv != CKR_OK) break;
-	crv = pk11_Attr2SecItem(arena,value,&pubKey->u.dh.publicValue);
-	if (crv != CKR_OK) break;
-	break;
-    case ecKey:
-	pubKey->u.ec.size = 0;
-	ecparams = attrs;
-	PK11_SETATTRS(attrs, CKA_EC_PARAMS, NULL, 0); attrs++; 
-	value =attrs;
-	PK11_SETATTRS(attrs, CKA_EC_POINT, NULL, 0); attrs++; 
-	templateCount = attrs - template;
-	PR_ASSERT(templateCount <= sizeof(template)/sizeof(CK_ATTRIBUTE));
-	crv = PK11_GetAttributes(tmp_arena,slot,id,template,templateCount);
-	if (crv != CKR_OK) break;
-
-	if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_EC)) {
-	    crv = CKR_OBJECT_HANDLE_INVALID;
-	    break;
-	} 
-
-	crv = pk11_Attr2SecItem(arena,ecparams,
-	                        &pubKey->u.ec.DEREncodedParams);
-	if (crv != CKR_OK) break;
-	crv = pk11_Attr2SecItem(arena,value,&pubKey->u.ec.publicValue);
-	if (crv != CKR_OK) break;
-	break;
-    case fortezzaKey:
-    case nullKey:
-    default:
-	crv = CKR_OBJECT_HANDLE_INVALID;
-	break;
-    }
-
-    PORT_FreeArena(tmp_arena,PR_FALSE);
-
-    if (crv != CKR_OK) {
-	PORT_FreeArena(arena,PR_FALSE);
-	PK11_FreeSlot(slot);
-	PORT_SetError( PK11_MapError(crv) );
-	return NULL;
-    }
-
-    return pubKey;
-}
-
-/*
- * Build a Private Key structure from raw PKCS #11 information.
- */
-SECKEYPrivateKey *
-PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType, 
-			PRBool isTemp, CK_OBJECT_HANDLE privID, void *wincx)
-{
-    PRArenaPool *arena;
-    SECKEYPrivateKey *privKey;
-    PRBool isPrivate;
-    SECStatus rv;
-
-    /* don't know? look it up */
-    if (keyType == nullKey) {
-	CK_KEY_TYPE pk11Type = CKK_RSA;
-
-	pk11Type = PK11_ReadULongAttribute(slot,privID,CKA_KEY_TYPE);
-	isTemp = (PRBool)!PK11_HasAttributeSet(slot,privID,CKA_TOKEN);
-	switch (pk11Type) {
-	case CKK_RSA: keyType = rsaKey; break;
-	case CKK_DSA: keyType = dsaKey; break;
-	case CKK_DH: keyType = dhKey; break;
-	case CKK_KEA: keyType = fortezzaKey; break;
-	case CKK_EC: keyType = ecKey; break;
-	default:
-		break;
-	}
-    }
-
-    /* if the key is private, make sure we are authenticated to the
-     * token before we try to use it */
-    isPrivate = (PRBool)PK11_HasAttributeSet(slot,privID,CKA_PRIVATE);
-    if (isPrivate) {
-	rv = PK11_Authenticate(slot, PR_TRUE, wincx);
- 	if (rv != SECSuccess) {
- 	    return NULL;
- 	}
-    }
-
-    /* now we need to create space for the private key */
-    arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) return NULL;
-
-    privKey = (SECKEYPrivateKey *) 
-			PORT_ArenaZAlloc(arena, sizeof(SECKEYPrivateKey));
-    if (privKey == NULL) {
-	PORT_FreeArena(arena, PR_FALSE);
-	return NULL;
-    }
-
-    privKey->arena = arena;
-    privKey->keyType = keyType;
-    privKey->pkcs11Slot = PK11_ReferenceSlot(slot);
-    privKey->pkcs11ID = privID;
-    privKey->pkcs11IsTemp = isTemp;
-    privKey->wincx = wincx;
-
-    return privKey;
-}
-
-
-PK11SlotInfo *
-PK11_GetSlotFromPrivateKey(SECKEYPrivateKey *key)
-{
-    PK11SlotInfo *slot = key->pkcs11Slot;
-    slot = PK11_ReferenceSlot(slot);
-    return slot;
-}
-
-/*
- * Get the modulus length for raw parsing
- */
-int
-PK11_GetPrivateModulusLen(SECKEYPrivateKey *key)
-{
-    CK_ATTRIBUTE theTemplate = { CKA_MODULUS, NULL, 0 };
-    PK11SlotInfo *slot = key->pkcs11Slot;
-    CK_RV crv;
-    int length;
-
-    switch (key->keyType) {
-    case rsaKey:
-	crv = PK11_GetAttributes(NULL, slot, key->pkcs11ID, &theTemplate, 1);
-	if (crv != CKR_OK) {
-	    PORT_SetError( PK11_MapError(crv) );
-	    return -1;
-	}
-	length = theTemplate.ulValueLen;
-	if ( *(unsigned char *)theTemplate.pValue == 0) {
-	    length--;
-	}
-	if (theTemplate.pValue != NULL)
-	    PORT_Free(theTemplate.pValue);
-	return (int) length;
-	
-    case fortezzaKey:
-    case dsaKey:
-    case dhKey:
-    default:
-	break;
-    }
-    if (theTemplate.pValue != NULL)
-	PORT_Free(theTemplate.pValue);
-    PORT_SetError( SEC_ERROR_INVALID_KEY );
-    return -1;
-}
-
-
-
-/*
- * take a private key in one pkcs11 module and load it into another:
- *  NOTE: the source private key is a rare animal... it can't be sensitive.
- *  This is used to do a key gen using one pkcs11 module and storing the
- *  result into another.
- */
-static SECKEYPrivateKey *
-pk11_loadPrivKeyWithFlags(PK11SlotInfo *slot,SECKEYPrivateKey *privKey, 
-		SECKEYPublicKey *pubKey, PK11AttrFlags attrFlags) 
-{
-    CK_ATTRIBUTE privTemplate[] = {
-        /* class must be first */
-	{ CKA_CLASS, NULL, 0 },
-	{ CKA_KEY_TYPE, NULL, 0 },
-	{ CKA_ID, NULL, 0 },
-#ifdef notdef
-	{ CKA_LABEL, NULL, 0 },
-	{ CKA_SUBJECT, NULL, 0 },
-#endif
-	/* RSA */
-	{ CKA_MODULUS, NULL, 0 },
-	{ CKA_PRIVATE_EXPONENT, NULL, 0 },
-	{ CKA_PUBLIC_EXPONENT, NULL, 0 },
-	{ CKA_PRIME_1, NULL, 0 },
-	{ CKA_PRIME_2, NULL, 0 },
-	{ CKA_EXPONENT_1, NULL, 0 },
-	{ CKA_EXPONENT_2, NULL, 0 },
-	{ CKA_COEFFICIENT, NULL, 0 },
-	/* reserve space for the attributes that may be
-	 * specified in attrFlags */
-	{ CKA_TOKEN, NULL, 0 },
-	{ CKA_PRIVATE, NULL, 0 },
-	{ CKA_MODIFIABLE, NULL, 0 },
-	{ CKA_SENSITIVE, NULL, 0 },
-	{ CKA_EXTRACTABLE, NULL, 0 },
-#define NUM_RESERVED_ATTRS 5    /* number of reserved attributes above */
-    };
-    CK_BBOOL cktrue = CK_TRUE;
-    CK_BBOOL ckfalse = CK_FALSE;
-    CK_ATTRIBUTE *attrs = NULL, *ap;
-    const int templateSize = sizeof(privTemplate)/sizeof(privTemplate[0]);
-    PRArenaPool *arena;
-    CK_OBJECT_HANDLE objectID;
-    int i, count = 0;
-    int extra_count = 0;
-    CK_RV crv;
-    SECStatus rv;
-    PRBool token = ((attrFlags & PK11_ATTR_TOKEN) != 0);
-
-    if (pk11_BadAttrFlags(attrFlags)) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return NULL;
-    }
-
-    for (i=0; i < templateSize; i++) {
-	if (privTemplate[i].type == CKA_MODULUS) {
-	    attrs= &privTemplate[i];
-	    count = i;
-	    break;
-	}
-    }
-    PORT_Assert(attrs != NULL);
-    if (attrs == NULL) {
-	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	return NULL;
-    }
-
-    ap = attrs;
-
-    switch (privKey->keyType) {
-    case rsaKey:
-	count = templateSize - NUM_RESERVED_ATTRS;
-	extra_count = count - (attrs - privTemplate);
-	break;
-    case dsaKey:
-	ap->type = CKA_PRIME; ap++; count++; extra_count++;
-	ap->type = CKA_SUBPRIME; ap++; count++; extra_count++;
-	ap->type = CKA_BASE; ap++; count++; extra_count++;
-	ap->type = CKA_VALUE; ap++; count++; extra_count++;
-	break;
-    case dhKey:
-	ap->type = CKA_PRIME; ap++; count++; extra_count++;
-	ap->type = CKA_BASE; ap++; count++; extra_count++;
-	ap->type = CKA_VALUE; ap++; count++; extra_count++;
-	break;
-    case ecKey:
-	ap->type = CKA_EC_PARAMS; ap++; count++; extra_count++;
-	ap->type = CKA_VALUE; ap++; count++; extra_count++;
-	break;
-     default:
-	count = 0;
-	extra_count = 0;
-	break;
-     }
-
-     if (count == 0) {
-	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	return NULL;
-     }
-
-     arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
-     if (arena == NULL) return NULL;
-     /*
-      * read out the old attributes.
-      */
-     crv = PK11_GetAttributes(arena, privKey->pkcs11Slot, privKey->pkcs11ID,
-		privTemplate,count);
-     if (crv != CKR_OK) {
-	PORT_SetError( PK11_MapError(crv) );
-	PORT_FreeArena(arena, PR_TRUE);
-	return NULL;
-     }
-
-     /* Set token, private, modifiable, sensitive, and extractable */
-     count += pk11_AttrFlagsToAttributes(attrFlags, &privTemplate[count],
-					&cktrue, &ckfalse);
-
-     /* Not everyone can handle zero padded key values, give
-      * them the raw data as unsigned */
-     for (ap=attrs; extra_count; ap++, extra_count--) {
-	pk11_SignedToUnsigned(ap);
-     }
-
-     /* now Store the puppies */
-     rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION, privTemplate, 
-						count, token, &objectID);
-     PORT_FreeArena(arena, PR_TRUE);
-     if (rv != SECSuccess) {
-	return NULL;
-     }
-
-     /* try loading the public key */
-     if (pubKey) {
-	PK11_ImportPublicKey(slot, pubKey, token);
-	if (pubKey->pkcs11Slot) {
-	    PK11_FreeSlot(pubKey->pkcs11Slot);
-	    pubKey->pkcs11Slot = NULL;
-	    pubKey->pkcs11ID = CK_INVALID_HANDLE;
-	}
-     }
-
-     /* build new key structure */
-     return PK11_MakePrivKey(slot, privKey->keyType, !token, 
-						objectID, privKey->wincx);
-}
-
-static SECKEYPrivateKey *
-pk11_loadPrivKey(PK11SlotInfo *slot,SECKEYPrivateKey *privKey, 
-		SECKEYPublicKey *pubKey, PRBool token, PRBool sensitive) 
-{
-    PK11AttrFlags attrFlags = 0;
-    if (token) {
-	attrFlags |= (PK11_ATTR_TOKEN | PK11_ATTR_PRIVATE);
-    } else {
-	attrFlags |= (PK11_ATTR_SESSION | PK11_ATTR_PUBLIC);
-    }
-    if (sensitive) {
-	attrFlags |= PK11_ATTR_SENSITIVE;
-    } else {
-	attrFlags |= PK11_ATTR_INSENSITIVE;
-    }
-    return pk11_loadPrivKeyWithFlags(slot, privKey, pubKey, attrFlags);
-}
-
-/*
- * export this for PSM
- */
-SECKEYPrivateKey *
-PK11_LoadPrivKey(PK11SlotInfo *slot,SECKEYPrivateKey *privKey, 
-		SECKEYPublicKey *pubKey, PRBool token, PRBool sensitive) 
-{
-    return pk11_loadPrivKey(slot,privKey,pubKey,token,sensitive);
-}
-
-
-/*
- * Use the token to generate a key pair.
- */
-SECKEYPrivateKey *
-PK11_GenerateKeyPairWithFlags(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, 
-   void *param, SECKEYPublicKey **pubKey, PK11AttrFlags attrFlags, void *wincx)
-{
-    /* we have to use these native types because when we call PKCS 11 modules
-     * we have to make sure that we are using the correct sizes for all the
-     * parameters. */
-    CK_BBOOL ckfalse = CK_FALSE;
-    CK_BBOOL cktrue = CK_TRUE;
-    CK_ULONG modulusBits;
-    CK_BYTE publicExponent[4];
-    CK_ATTRIBUTE privTemplate[] = {
-	{ CKA_SENSITIVE, NULL, 0},
-	{ CKA_TOKEN,  NULL, 0},
-	{ CKA_PRIVATE,  NULL, 0},
-	{ CKA_DERIVE,  NULL, 0},
-	{ CKA_UNWRAP,  NULL, 0},
-	{ CKA_SIGN,  NULL, 0},
-	{ CKA_DECRYPT,  NULL, 0},
-	{ CKA_EXTRACTABLE, NULL, 0},
-	{ CKA_MODIFIABLE,  NULL, 0},
-    };
-    CK_ATTRIBUTE rsaPubTemplate[] = {
-	{ CKA_MODULUS_BITS, NULL, 0},
-	{ CKA_PUBLIC_EXPONENT, NULL, 0},
-	{ CKA_TOKEN,  NULL, 0},
-	{ CKA_DERIVE,  NULL, 0},
-	{ CKA_WRAP,  NULL, 0},
-	{ CKA_VERIFY,  NULL, 0},
-	{ CKA_VERIFY_RECOVER,  NULL, 0},
-	{ CKA_ENCRYPT,  NULL, 0},
-	{ CKA_MODIFIABLE,  NULL, 0},
-    };
-    CK_ATTRIBUTE dsaPubTemplate[] = {
-	{ CKA_PRIME, NULL, 0 },
-	{ CKA_SUBPRIME, NULL, 0 },
-	{ CKA_BASE, NULL, 0 },
-	{ CKA_TOKEN,  NULL, 0},
-	{ CKA_DERIVE,  NULL, 0},
-	{ CKA_WRAP,  NULL, 0},
-	{ CKA_VERIFY,  NULL, 0},
-	{ CKA_VERIFY_RECOVER,  NULL, 0},
-	{ CKA_ENCRYPT,  NULL, 0},
-	{ CKA_MODIFIABLE,  NULL, 0},
-    };
-    CK_ATTRIBUTE dhPubTemplate[] = {
-      { CKA_PRIME, NULL, 0 }, 
-      { CKA_BASE, NULL, 0 }, 
-      { CKA_TOKEN,  NULL, 0},
-      { CKA_DERIVE,  NULL, 0},
-      { CKA_WRAP,  NULL, 0},
-      { CKA_VERIFY,  NULL, 0},
-      { CKA_VERIFY_RECOVER,  NULL, 0},
-      { CKA_ENCRYPT,  NULL, 0},
-      { CKA_MODIFIABLE,  NULL, 0},
-    };
-    CK_ATTRIBUTE ecPubTemplate[] = {
-      { CKA_EC_PARAMS, NULL, 0 }, 
-      { CKA_TOKEN,  NULL, 0},
-      { CKA_DERIVE,  NULL, 0},
-      { CKA_WRAP,  NULL, 0},
-      { CKA_VERIFY,  NULL, 0},
-      { CKA_VERIFY_RECOVER,  NULL, 0},
-      { CKA_ENCRYPT,  NULL, 0},
-      { CKA_MODIFIABLE,  NULL, 0},
-    };
-    SECKEYECParams * ecParams;
-
-    /*CK_ULONG key_size = 0;*/
-    CK_ATTRIBUTE *pubTemplate;
-    int privCount = 0;
-    int pubCount = 0;
-    PK11RSAGenParams *rsaParams;
-    SECKEYPQGParams *dsaParams;
-    SECKEYDHParams * dhParams;
-    CK_MECHANISM mechanism;
-    CK_MECHANISM test_mech;
-    CK_SESSION_HANDLE session_handle;
-    CK_RV crv;
-    CK_OBJECT_HANDLE privID,pubID;
-    SECKEYPrivateKey *privKey;
-    KeyType keyType;
-    PRBool restore;
-    int peCount,i;
-    CK_ATTRIBUTE *attrs;
-    CK_ATTRIBUTE *privattrs;
-    SECItem *pubKeyIndex;
-    CK_ATTRIBUTE setTemplate;
-    CK_MECHANISM_INFO mechanism_info;
-    CK_OBJECT_CLASS keyClass;
-    SECItem *cka_id;
-    PRBool haslock = PR_FALSE;
-    PRBool pubIsToken = PR_FALSE;
-    PRBool token = ((attrFlags & PK11_ATTR_TOKEN) != 0);
-    /* subset of attrFlags applicable to the public key */
-    PK11AttrFlags pubKeyAttrFlags = attrFlags &
-	(PK11_ATTR_TOKEN | PK11_ATTR_SESSION
-	| PK11_ATTR_MODIFIABLE | PK11_ATTR_UNMODIFIABLE);
-
-    if (pk11_BadAttrFlags(attrFlags)) {
-	PORT_SetError( SEC_ERROR_INVALID_ARGS );
-	return NULL;
-    }
-
-    PORT_Assert(slot != NULL);
-    if (slot == NULL) {
-	PORT_SetError( SEC_ERROR_NO_MODULE);
-	return NULL;
-    }
-
-    /* if our slot really doesn't do this mechanism, Generate the key
-     * in our internal token and write it out */
-    if (!PK11_DoesMechanism(slot,type)) {
-	PK11SlotInfo *int_slot = PK11_GetInternalSlot();
-
-	/* don't loop forever looking for a slot */
-	if (slot == int_slot) {
-	    PK11_FreeSlot(int_slot);
-	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	    return NULL;
-	}
-
-	/* if there isn't a suitable slot, then we can't do the keygen */
-	if (int_slot == NULL) {
-	    PORT_SetError( SEC_ERROR_NO_MODULE );
-	    return NULL;
-	}
-
-	/* generate the temporary key to load */
-	privKey = PK11_GenerateKeyPair(int_slot,type, param, pubKey, PR_FALSE, 
-							PR_FALSE, wincx);
-	PK11_FreeSlot(int_slot);
-
-	/* if successful, load the temp key into the new token */
-	if (privKey != NULL) {
-	    SECKEYPrivateKey *newPrivKey = pk11_loadPrivKeyWithFlags(slot,
-						privKey,*pubKey,attrFlags);
-	    SECKEY_DestroyPrivateKey(privKey);
-	    if (newPrivKey == NULL) {
-		SECKEY_DestroyPublicKey(*pubKey);
-		*pubKey = NULL;
-	    }
-	    return newPrivKey;
-	}
-	return NULL;
-   }
-
-
-    mechanism.mechanism = type;
-    mechanism.pParameter = NULL;
-    mechanism.ulParameterLen = 0;
-    test_mech.pParameter = NULL;
-    test_mech.ulParameterLen = 0;
-
-    /* set up the private key template */
-    privattrs = privTemplate;
-    privattrs += pk11_AttrFlagsToAttributes(attrFlags, privattrs,
-						&cktrue, &ckfalse);
-
-    /* set up the mechanism specific info */
-    switch (type) {
-    case CKM_RSA_PKCS_KEY_PAIR_GEN:
-    case CKM_RSA_X9_31_KEY_PAIR_GEN:
-	rsaParams = (PK11RSAGenParams *)param;
-	if (rsaParams->pe == 0) {
-	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	    return NULL;
-	}
-	modulusBits = rsaParams->keySizeInBits;
-	peCount = 0;
-
-	/* convert pe to a PKCS #11 string */
-	for (i=0; i < 4; i++) {
-	    if (peCount || (rsaParams->pe & 
-				((unsigned long)0xff000000L >> (i*8)))) {
-		publicExponent[peCount] = 
-				(CK_BYTE)((rsaParams->pe >> (3-i)*8) & 0xff);
-		peCount++;
-	    }
-	}
-	PORT_Assert(peCount != 0);
-	attrs = rsaPubTemplate;
-	PK11_SETATTRS(attrs, CKA_MODULUS_BITS, 
-				&modulusBits, sizeof(modulusBits)); attrs++;
-	PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, 
-				publicExponent, peCount);attrs++;
-	pubTemplate = rsaPubTemplate;
-	keyType = rsaKey;
-	test_mech.mechanism = CKM_RSA_PKCS;
-	break;
-    case CKM_DSA_KEY_PAIR_GEN:
-	dsaParams = (SECKEYPQGParams *)param;
-	attrs = dsaPubTemplate;
-	PK11_SETATTRS(attrs, CKA_PRIME, dsaParams->prime.data,
-				dsaParams->prime.len); attrs++;
-	PK11_SETATTRS(attrs, CKA_SUBPRIME, dsaParams->subPrime.data,
-					dsaParams->subPrime.len); attrs++;
-	PK11_SETATTRS(attrs, CKA_BASE, dsaParams->base.data,
-						dsaParams->base.len); attrs++;
-	pubTemplate = dsaPubTemplate;
-	keyType = dsaKey;
-	test_mech.mechanism = CKM_DSA;
-	break;
-    case CKM_DH_PKCS_KEY_PAIR_GEN:
-        dhParams = (SECKEYDHParams *)param;
-        attrs = dhPubTemplate;
-        PK11_SETATTRS(attrs, CKA_PRIME, dhParams->prime.data,
-                      dhParams->prime.len);   attrs++;
-        PK11_SETATTRS(attrs, CKA_BASE, dhParams->base.data,
-                      dhParams->base.len);    attrs++;
-        pubTemplate = dhPubTemplate;
-        keyType = dhKey;
-        test_mech.mechanism = CKM_DH_PKCS_DERIVE;
-	break;
-    case CKM_EC_KEY_PAIR_GEN:
-        ecParams = (SECKEYECParams *)param;
-        attrs = ecPubTemplate;
-        PK11_SETATTRS(attrs, CKA_EC_PARAMS, ecParams->data, 
-	              ecParams->len);   attrs++;
-        pubTemplate = ecPubTemplate;
-        keyType = ecKey;
-	/* XXX An EC key can be used for other mechanisms too such
-	 * as CKM_ECDSA and CKM_ECDSA_SHA1. How can we reflect
-	 * that in test_mech.mechanism so the CKA_SIGN, CKA_VERIFY
-	 * attributes are set correctly? 
-	 */
-        test_mech.mechanism = CKM_ECDH1_DERIVE;
-        break;
-    default:
-	PORT_SetError( SEC_ERROR_BAD_KEY );
-	return NULL;
-    }
-
-    /* now query the slot to find out how "good" a key we can generate */
-    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID,
-				test_mech.mechanism,&mechanism_info);
-    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
-    if ((crv != CKR_OK) || (mechanism_info.flags == 0)) {
-	/* must be old module... guess what it should be... */
-	switch (test_mech.mechanism) {
-	case CKM_RSA_PKCS:
-		mechanism_info.flags = (CKF_SIGN | CKF_DECRYPT | 
-			CKF_WRAP | CKF_VERIFY_RECOVER | CKF_ENCRYPT | CKF_WRAP);;
-		break;
-	case CKM_DSA:
-		mechanism_info.flags = CKF_SIGN | CKF_VERIFY;
-		break;
-	case CKM_DH_PKCS_DERIVE:
-		mechanism_info.flags = CKF_DERIVE;
-		break;
-	case CKM_ECDH1_DERIVE:
-		mechanism_info.flags = CKF_DERIVE;
-		break;
-	case CKM_ECDSA:
-	case CKM_ECDSA_SHA1:
-		mechanism_info.flags = CKF_SIGN | CKF_VERIFY;
-		break;
-	default:
-	       break;
-	}
-    }
-    /* set the public key attributes */
-    attrs += pk11_AttrFlagsToAttributes(pubKeyAttrFlags, attrs,
-						&cktrue, &ckfalse);
-    PK11_SETATTRS(attrs, CKA_DERIVE, 
-		mechanism_info.flags & CKF_DERIVE ? &cktrue : &ckfalse,
-					 sizeof(CK_BBOOL)); attrs++;
-    PK11_SETATTRS(attrs, CKA_WRAP, 
-		mechanism_info.flags & CKF_WRAP ? &cktrue : &ckfalse,
-					 sizeof(CK_BBOOL)); attrs++;
-    PK11_SETATTRS(attrs, CKA_VERIFY, 
-		mechanism_info.flags & CKF_VERIFY ? &cktrue : &ckfalse,
-					 sizeof(CK_BBOOL)); attrs++;
-    PK11_SETATTRS(attrs, CKA_VERIFY_RECOVER, 
-		mechanism_info.flags & CKF_VERIFY_RECOVER ? &cktrue : &ckfalse,
-					 sizeof(CK_BBOOL)); attrs++;
-    PK11_SETATTRS(attrs, CKA_ENCRYPT, 
-		mechanism_info.flags & CKF_ENCRYPT? &cktrue : &ckfalse,
-					 sizeof(CK_BBOOL)); attrs++;
-    /* set the private key attributes */
-    PK11_SETATTRS(privattrs, CKA_DERIVE, 
-		mechanism_info.flags & CKF_DERIVE ? &cktrue : &ckfalse,
-					 sizeof(CK_BBOOL)); privattrs++;
-    PK11_SETATTRS(privattrs, CKA_UNWRAP, 
-		mechanism_info.flags & CKF_UNWRAP ? &cktrue : &ckfalse,
-					 sizeof(CK_BBOOL)); privattrs++;
-    PK11_SETATTRS(privattrs, CKA_SIGN, 
-		mechanism_info.flags & CKF_SIGN ? &cktrue : &ckfalse,
-					 sizeof(CK_BBOOL)); privattrs++;
-    PK11_SETATTRS(privattrs, CKA_DECRYPT, 
-		mechanism_info.flags & CKF_DECRYPT ? &cktrue : &ckfalse,
-					 sizeof(CK_BBOOL)); privattrs++;
-
-    if (token) {
-	session_handle = PK11_GetRWSession(slot);
-	haslock = PK11_RWSessionHasLock(slot,session_handle);
-	restore = PR_TRUE;
-    } else {
-	session_handle = slot->session;
-	if (session_handle != CK_INVALID_SESSION)
-	    PK11_EnterSlotMonitor(slot);
-	restore = PR_FALSE;
-	haslock = PR_TRUE;
-    }
-
-    if (session_handle == CK_INVALID_SESSION) {
-    	PORT_SetError(SEC_ERROR_BAD_DATA);
-	return NULL;
-    }
-    privCount = privattrs - privTemplate;
-    pubCount = attrs - pubTemplate;
-    crv = PK11_GETTAB(slot)->C_GenerateKeyPair(session_handle, &mechanism,
-	pubTemplate,pubCount,privTemplate,privCount,&pubID,&privID);
-
-    if (crv != CKR_OK) {
-	if (restore)  {
-	    PK11_RestoreROSession(slot,session_handle);
-	} else PK11_ExitSlotMonitor(slot);
-	PORT_SetError( PK11_MapError(crv) );
-	return NULL;
-    }
-    /* This locking code is dangerous and needs to be more thought
-     * out... the real problem is that we're holding the mutex open this long
-     */
-    if (haslock) { PK11_ExitSlotMonitor(slot); }
-
-    /* swap around the ID's for older PKCS #11 modules */
-    keyClass = PK11_ReadULongAttribute(slot,pubID,CKA_CLASS);
-    if (keyClass != CKO_PUBLIC_KEY) {
-	CK_OBJECT_HANDLE tmp = pubID;
-	pubID = privID;
-	privID = tmp;
-    }
-
-    *pubKey = PK11_ExtractPublicKey(slot, keyType, pubID);
-    if (*pubKey == NULL) {
-	if (restore)  {
-	    /* we may have to restore the mutex so it get's exited properly
-	     * in RestoreROSession */
-            if (haslock)  PK11_EnterSlotMonitor(slot); 
-	    PK11_RestoreROSession(slot,session_handle);
-	} 
-	PK11_DestroyObject(slot,pubID);
-	PK11_DestroyObject(slot,privID);
-	return NULL;
-    }
-
-    /* set the ID to the public key so we can find it again */
-    pubKeyIndex =  NULL;
-    switch (type) {
-    case CKM_RSA_PKCS_KEY_PAIR_GEN:
-    case CKM_RSA_X9_31_KEY_PAIR_GEN:
-      pubKeyIndex = &(*pubKey)->u.rsa.modulus;
-      break;
-    case CKM_DSA_KEY_PAIR_GEN:
-      pubKeyIndex = &(*pubKey)->u.dsa.publicValue;
-      break;
-    case CKM_DH_PKCS_KEY_PAIR_GEN:
-      pubKeyIndex = &(*pubKey)->u.dh.publicValue;
-      break;      
-    case CKM_EC_KEY_PAIR_GEN:
-      pubKeyIndex = &(*pubKey)->u.ec.publicValue;
-      break;      
-    }
-    PORT_Assert(pubKeyIndex != NULL);
-
-    cka_id = PK11_MakeIDFromPubKey(pubKeyIndex);
-    pubIsToken = (PRBool)PK11_HasAttributeSet(slot,pubID, CKA_TOKEN);
-
-    PK11_SETATTRS(&setTemplate, CKA_ID, cka_id->data, cka_id->len);
-
-    if (haslock) { PK11_EnterSlotMonitor(slot); }
-    crv = PK11_GETTAB(slot)->C_SetAttributeValue(session_handle, privID,
-		&setTemplate, 1);
-   
-    if (crv == CKR_OK && pubIsToken) {
-    	crv = PK11_GETTAB(slot)->C_SetAttributeValue(session_handle, pubID,
-		&setTemplate, 1);
-    }
-
-
-    if (restore) {
-	PK11_RestoreROSession(slot,session_handle);
-    } else {
-	PK11_ExitSlotMonitor(slot);
-    }
-    SECITEM_FreeItem(cka_id,PR_TRUE);
-
-
-    if (crv != CKR_OK) {
-	PK11_DestroyObject(slot,pubID);
-	PK11_DestroyObject(slot,privID);
-	PORT_SetError( PK11_MapError(crv) );
-	*pubKey = NULL;
-	return NULL;
-    }
-
-    privKey = PK11_MakePrivKey(slot,keyType,!token,privID,wincx);
-    if (privKey == NULL) {
-	SECKEY_DestroyPublicKey(*pubKey);
-	PK11_DestroyObject(slot,privID);
-	*pubKey = NULL;
-	return NULL;
-    }
-
-    return privKey;
-}
-
-/*
- * Use the token to generate a key pair.
- */
-SECKEYPrivateKey *
-PK11_GenerateKeyPair(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, 
-   void *param, SECKEYPublicKey **pubKey, PRBool token, 
-					PRBool sensitive, void *wincx)
-{
-    PK11AttrFlags attrFlags = 0;
-
-    if (token) {
-	attrFlags |= PK11_ATTR_TOKEN;
-    } else {
-	attrFlags |= PK11_ATTR_SESSION;
-    }
-    if (sensitive) {
-	attrFlags |= (PK11_ATTR_SENSITIVE | PK11_ATTR_PRIVATE);
-    } else {
-	attrFlags |= (PK11_ATTR_INSENSITIVE | PK11_ATTR_PUBLIC);
-    }
-    return PK11_GenerateKeyPairWithFlags(slot, type, param, pubKey,
-						attrFlags, wincx);
-}
-
-/* build a public KEA key from the public value */
-SECKEYPublicKey *
-PK11_MakeKEAPubKey(unsigned char *keyData,int length)
-{
-    SECKEYPublicKey *pubk;
-    SECItem pkData;
-    SECStatus rv;
-    PRArenaPool *arena;
-
-    pkData.data = keyData;
-    pkData.len = length;
-
-    arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL)
-	return NULL;
-
-    pubk = (SECKEYPublicKey *) PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey));
-    if (pubk == NULL) {
-	PORT_FreeArena (arena, PR_FALSE);
-	return NULL;
-    }
-
-    pubk->arena = arena;
-    pubk->pkcs11Slot = 0;
-    pubk->pkcs11ID = CK_INVALID_HANDLE;
-    pubk->keyType = fortezzaKey;
-    rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.KEAKey, &pkData);
-    if (rv != SECSuccess) {
-	PORT_FreeArena (arena, PR_FALSE);
-	return NULL;
-    }
-    return pubk;
-}
-
-SECStatus 
-PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot,
-			SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem,
-			SECItem *nickname, SECItem *publicValue, PRBool isPerm,
-			PRBool isPrivate, KeyType keyType, 
-			unsigned int keyUsage, void *wincx)
-{
-    CK_MECHANISM_TYPE mechanism;
-    SECItem *pbe_param, crypto_param;
-    PK11SymKey *key = NULL;
-    SECStatus rv = SECSuccess;
-    CK_MECHANISM cryptoMech, pbeMech;
-    CK_RV crv;
-    SECKEYPrivateKey *privKey = NULL;
-    PRBool faulty3DES = PR_FALSE;
-    int usageCount = 0;
-    CK_KEY_TYPE key_type;
-    CK_ATTRIBUTE_TYPE *usage = NULL;
-    CK_ATTRIBUTE_TYPE rsaUsage[] = {
-		 CKA_UNWRAP, CKA_DECRYPT, CKA_SIGN, CKA_SIGN_RECOVER };
-    CK_ATTRIBUTE_TYPE dsaUsage[] = { CKA_SIGN };
-    CK_ATTRIBUTE_TYPE dhUsage[] = { CKA_DERIVE };
-    CK_ATTRIBUTE_TYPE ecUsage[] = { CKA_SIGN, CKA_DERIVE };
-    if((epki == NULL) || (pwitem == NULL))
-	return SECFailure;
-
-    crypto_param.data = NULL;
-
-    mechanism = PK11_AlgtagToMechanism(SECOID_FindOIDTag(
-					&epki->algorithm.algorithm));
-
-    switch (keyType) {
-    default:
-    case rsaKey:
-	key_type = CKK_RSA;
-	switch  (keyUsage & (KU_KEY_ENCIPHERMENT|KU_DIGITAL_SIGNATURE)) {
-	case KU_KEY_ENCIPHERMENT:
-	    usage = rsaUsage;
-	    usageCount = 2;
-	    break;
-	case KU_DIGITAL_SIGNATURE:
-	    usage = &rsaUsage[2];
-	    usageCount = 2;
-	    break;
-	case KU_KEY_ENCIPHERMENT|KU_DIGITAL_SIGNATURE:
-	case 0: /* default to everything */
-	    usage = rsaUsage;
-	    usageCount = 4;
-	    break;
-	}
-        break;
-    case dhKey:
-	key_type = CKK_DH;
-	usage = dhUsage;
-	usageCount = sizeof(dhUsage)/sizeof(dhUsage[0]);
-	break;
-    case dsaKey:
-	key_type = CKK_DSA;
-	usage = dsaUsage;
-	usageCount = sizeof(dsaUsage)/sizeof(dsaUsage[0]);
-	break;
-    case ecKey:
-	key_type = CKK_EC;
-	switch  (keyUsage & (KU_DIGITAL_SIGNATURE|KU_KEY_AGREEMENT)) {
-	case KU_DIGITAL_SIGNATURE:
-	    usage = ecUsage;
-	    usageCount = 1;
-	    break;
-	case KU_KEY_AGREEMENT:
-	    usage = &ecUsage[1];
-	    usageCount = 1;
-	    break;
-	case KU_DIGITAL_SIGNATURE|KU_KEY_AGREEMENT:
-	default: /* default to everything */
-	    usage = ecUsage;
-	    usageCount = 2;
-	    break;
-	}
-	break;	
-    }
-
-try_faulty_3des:
-    pbe_param = PK11_ParamFromAlgid(&epki->algorithm);
-
-    key = PK11_RawPBEKeyGen(slot, mechanism, pbe_param, pwitem, 
-							faulty3DES, wincx);
-    if((key == NULL) || (pbe_param == NULL)) {
-	rv = SECFailure;
-	goto done;
-    }
-
-    pbeMech.mechanism = mechanism;
-    pbeMech.pParameter = pbe_param->data;
-    pbeMech.ulParameterLen = pbe_param->len;
-
-    crv = PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech, 
-					        pwitem, faulty3DES);
-    if(crv != CKR_OK) {
-	rv = SECFailure;
-	goto done;
-    }
-
-    cryptoMech.mechanism = PK11_GetPadMechanism(cryptoMech.mechanism);
-    crypto_param.data = (unsigned char*)cryptoMech.pParameter;
-    crypto_param.len = cryptoMech.ulParameterLen;
-
-    PORT_Assert(usage != NULL);
-    PORT_Assert(usageCount != 0);
-    privKey = PK11_UnwrapPrivKey(slot, key, cryptoMech.mechanism, 
-				 &crypto_param, &epki->encryptedData, 
-				 nickname, publicValue, isPerm, isPrivate,
-				 key_type, usage, usageCount, wincx);
-    if(privKey) {
-	SECKEY_DestroyPrivateKey(privKey);
-	privKey = NULL;
-	rv = SECSuccess;
-	goto done;
-    }
-
-    /* if we are unable to import the key and the mechanism is 
-     * CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC, then it is possible that
-     * the encrypted blob was created with a buggy key generation method
-     * which is described in the PKCS 12 implementation notes.  So we
-     * need to try importing via that method.
-     */ 
-    if((mechanism == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC) && (!faulty3DES)) {
-	/* clean up after ourselves before redoing the key generation. */
-
-	PK11_FreeSymKey(key);
-	key = NULL;
-
-	if(pbe_param) {
-	    SECITEM_ZfreeItem(pbe_param, PR_TRUE);
-	    pbe_param = NULL;
-	}
-
-	if(crypto_param.data) {
-	    SECITEM_ZfreeItem(&crypto_param, PR_FALSE);
-	    crypto_param.data = NULL;
-	    cryptoMech.pParameter = NULL;
-	    crypto_param.len = cryptoMech.ulParameterLen = 0;
-	}
-
-	faulty3DES = PR_TRUE;
-	goto try_faulty_3des;
-    }
-
-    /* key import really did fail */
-    rv = SECFailure;
-
-done:
-    if(pbe_param != NULL) {
-	SECITEM_ZfreeItem(pbe_param, PR_TRUE);
-	pbe_param = NULL;
-    }
-
-    if(crypto_param.data != NULL) {
-	SECITEM_ZfreeItem(&crypto_param, PR_FALSE);
-    }
-
-    if(key != NULL) {
-    	PK11_FreeSymKey(key);
-    }
-
-    return rv;
-}
-
-SECKEYPrivateKeyInfo *
-PK11_ExportPrivateKeyInfo(CERTCertificate *cert, void *wincx)
-{
-    return NULL;
-}
-
-static int
-pk11_private_key_encrypt_buffer_length(SECKEYPrivateKey *key)
-				
-{
-    CK_ATTRIBUTE rsaTemplate = { CKA_MODULUS, NULL, 0 };
-    CK_ATTRIBUTE dsaTemplate = { CKA_PRIME, NULL, 0 };
-    /* XXX We should normally choose an attribute such that
-     * factor times its size is enough to hold the private key.
-     * For EC keys, we have no choice but to use CKA_EC_PARAMS,
-     * CKA_VALUE is not available for token keys. But for named
-     * curves, the number of bytes needed to represent the params
-     * is quite small so we bump up factor from 10 to 15.
-     */
-    CK_ATTRIBUTE ecTemplate = { CKA_EC_PARAMS, NULL, 0 };
-    CK_ATTRIBUTE_PTR pTemplate;
-    CK_RV crv;
-    int length;
-    int factor = 10;
-
-    if(!key) {
-	return -1;
-    }
-
-    switch (key->keyType) {
-	case rsaKey:
-	    pTemplate = &rsaTemplate;
-	    break;
-	case dsaKey:
-	case dhKey:
-	    pTemplate = &dsaTemplate;
-	    break;
-        case ecKey:
-	    pTemplate = &ecTemplate;
-	    factor = 15;
-	    break;
-	case fortezzaKey:
-	default:
-	    pTemplate = NULL;
-    }
-
-    if(!pTemplate) {
-	return -1;
-    }
-
-    crv = PK11_GetAttributes(NULL, key->pkcs11Slot, key->pkcs11ID, 
-								pTemplate, 1);
-    if(crv != CKR_OK) {
-	PORT_SetError( PK11_MapError(crv) );
-	return -1;
-    }
-
-    length = pTemplate->ulValueLen;
-    length *= factor;
-
-
-    if(pTemplate->pValue != NULL) {
-	PORT_Free(pTemplate->pValue);
-    }
-
-    return length;
-}
-
-SECKEYEncryptedPrivateKeyInfo * 
-PK11_ExportEncryptedPrivKeyInfo(
-   PK11SlotInfo     *slot,      /* optional, encrypt key in this slot */
-   SECOidTag         algTag,    /* encrypt key with this algorithm */
-   SECItem          *pwitem,    /* password for PBE encryption */
-   SECKEYPrivateKey *pk,        /* encrypt this private key */
-   int               iteration, /* interations for PBE alg */
-   void             *wincx)     /* context for password callback ? */
-{
-    SECKEYEncryptedPrivateKeyInfo *epki      = NULL;
-    PRArenaPool                   *arena     = NULL;
-    SECAlgorithmID                *algid;
-    SECItem                       *pbe_param = NULL;
-    PK11SymKey                    *key       = NULL;
-    SECStatus                      rv        = SECSuccess;
-    int                            encryptBufLen;
-    CK_RV                          crv;
-    CK_ULONG                       encBufLenPtr;
-    CK_MECHANISM_TYPE              mechanism;
-    CK_MECHANISM                   pbeMech;
-    CK_MECHANISM                   cryptoMech;
-    SECItem                        crypto_param;
-    SECItem                        encryptedKey = {siBuffer, NULL, 0};
-
-    if (!pwitem || !pk) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return NULL;
-    }
-
-    algid = SEC_PKCS5CreateAlgorithmID(algTag, NULL, iteration);
-    if (algid == NULL) {
-	return NULL;
-    }
-
-    crypto_param.data = NULL;
-
-    arena = PORT_NewArena(2048);
-    if (arena)
-	epki = PORT_ArenaZNew(arena, SECKEYEncryptedPrivateKeyInfo);
-    if(epki == NULL) {
-	rv = SECFailure;
-	goto loser;
-    }
-    epki->arena = arena;
-
-    mechanism = PK11_AlgtagToMechanism(algTag);
-    pbe_param = PK11_ParamFromAlgid(algid);
-    if (!pbe_param || mechanism == CKM_INVALID_MECHANISM) {
-	rv = SECFailure;
-	goto loser;
-    }
-    pbeMech.mechanism = mechanism;
-    pbeMech.pParameter = pbe_param->data;
-    pbeMech.ulParameterLen = pbe_param->len;
-
-    /* if we didn't specify a slot, use the slot the private key was in */
-    if (!slot) {
-	slot = pk->pkcs11Slot;
-    }
-
-    /* if we specified a different slot, and the private key slot can do the
-     * pbe key gen, generate the key in the private key slot so we don't have 
-     * to move it later */
-    if (slot != pk->pkcs11Slot) {
-	if (PK11_DoesMechanism(pk->pkcs11Slot,mechanism)) {
-	    slot = pk->pkcs11Slot;
-	}
-    }
-    key = PK11_RawPBEKeyGen(slot, mechanism, pbe_param, pwitem, 
-							PR_FALSE, wincx);
-
-    if((key == NULL) || (pbe_param == NULL)) {
-	rv = SECFailure;
-	goto loser;
-    }
-
-    crv = PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech, 
-						pwitem, PR_FALSE);
-    if(crv != CKR_OK) {
-	rv = SECFailure;
-	goto loser;
-    }
-    cryptoMech.mechanism = PK11_GetPadMechanism(cryptoMech.mechanism);
-    crypto_param.data = (unsigned char *)cryptoMech.pParameter;
-    crypto_param.len = cryptoMech.ulParameterLen;
-
-
-    encryptBufLen = pk11_private_key_encrypt_buffer_length(pk); 
-    if(encryptBufLen == -1) {
-	rv = SECFailure;
-	goto loser;
-    }
-    encryptedKey.len = (unsigned int)encryptBufLen;
-    encBufLenPtr = (CK_ULONG) encryptBufLen;
-    encryptedKey.data = (unsigned char *)PORT_ZAlloc(encryptedKey.len);
-    if(!encryptedKey.data) {
-	rv = SECFailure;
-	goto loser;
-    }
-
-    /* If the key isn't in the private key slot, move it */
-    if (key->slot != pk->pkcs11Slot) {
-	PK11SymKey *newkey = pk11_CopyToSlot(pk->pkcs11Slot,
-						key->type, CKA_WRAP, key);
-	if (newkey == NULL) {
-	    rv= SECFailure;
-	    goto loser;
-	}
-
-	/* free the old key and use the new key */
-	PK11_FreeSymKey(key);
-	key = newkey;
-    }
-	
-    /* we are extracting an encrypted privateKey structure.
-     * which needs to be freed along with the buffer into which it is
-     * returned.  eventually, we should retrieve an encrypted key using
-     * pkcs8/pkcs5.
-     */
-    PK11_EnterSlotMonitor(pk->pkcs11Slot);
-    crv = PK11_GETTAB(pk->pkcs11Slot)->C_WrapKey(pk->pkcs11Slot->session, 
-    		&cryptoMech, key->objectID, pk->pkcs11ID, encryptedKey.data, 
-		&encBufLenPtr); 
-    PK11_ExitSlotMonitor(pk->pkcs11Slot);
-    encryptedKey.len = (unsigned int) encBufLenPtr;
-    if(crv != CKR_OK) {
-	rv = SECFailure;
-	goto loser;
-    }
-
-    if(!encryptedKey.len) {
-	rv = SECFailure;
-	goto loser;
-    }
-    
-    rv = SECITEM_CopyItem(arena, &epki->encryptedData, &encryptedKey);
-    if(rv != SECSuccess) {
-	goto loser;
-    }
-
-    rv = SECOID_CopyAlgorithmID(arena, &epki->algorithm, algid);
-
-loser:
-    if(pbe_param != NULL) {
-	SECITEM_ZfreeItem(pbe_param, PR_TRUE);
-	pbe_param = NULL;
-    }
-
-    if(crypto_param.data != NULL) {
-	SECITEM_ZfreeItem(&crypto_param, PR_FALSE);
-	crypto_param.data = NULL;
-    }
-
-    if(key != NULL) {
-    	PK11_FreeSymKey(key);
-    }
-    SECOID_DestroyAlgorithmID(algid, PR_TRUE);
-
-    if(rv == SECFailure) {
-	if(arena != NULL) {
-	    PORT_FreeArena(arena, PR_TRUE);
-	}
-	epki = NULL;
-    }
-
-    return epki;
-}
-
-SECKEYEncryptedPrivateKeyInfo * 
-PK11_ExportEncryptedPrivateKeyInfo(
-   PK11SlotInfo    *slot,      /* optional, encrypt key in this slot */
-   SECOidTag        algTag,    /* encrypt key with this algorithm */
-   SECItem         *pwitem,    /* password for PBE encryption */
-   CERTCertificate *cert,      /* wrap priv key for this user cert */
-   int              iteration, /* interations for PBE alg */
-   void            *wincx)     /* context for password callback ? */
-{
-    SECKEYEncryptedPrivateKeyInfo *epki = NULL;
-    SECKEYPrivateKey              *pk   = PK11_FindKeyByAnyCert(cert, wincx);
-    if (pk != NULL) {
-	epki = PK11_ExportEncryptedPrivKeyInfo(slot, algTag, pwitem, pk, 
-	                                       iteration, wincx);
-	SECKEY_DestroyPrivateKey(pk);
-    }
-    return epki;
-}
-
-SECItem*
-PK11_DEREncodePublicKey(SECKEYPublicKey *pubk)
-{
-    CERTSubjectPublicKeyInfo *spki=NULL;
-    SECItem *spkiDER = NULL;
-
-    if( pubk == NULL ) {
-        return NULL;
-    }
-
-    /* get the subjectpublickeyinfo */
-    spki = SECKEY_CreateSubjectPublicKeyInfo(pubk);
-    if( spki == NULL ) {
-        goto finish;
-    }
-
-    /* DER-encode the subjectpublickeyinfo */
-    spkiDER = SEC_ASN1EncodeItem(NULL /*arena*/, NULL/*dest*/, spki,
-                    CERT_SubjectPublicKeyInfoTemplate);
-
-finish:
-    return spkiDER;
-}
-
-char *
-PK11_GetPrivateKeyNickname(SECKEYPrivateKey *privKey)
-{
-    return PK11_GetObjectNickname(privKey->pkcs11Slot,privKey->pkcs11ID);
-}
-
-char *
-PK11_GetPublicKeyNickname(SECKEYPublicKey *pubKey)
-{
-    return PK11_GetObjectNickname(pubKey->pkcs11Slot,pubKey->pkcs11ID);
-}
-
-SECStatus
-PK11_SetPrivateKeyNickname(SECKEYPrivateKey *privKey, const char *nickname)
-{
-    return PK11_SetObjectNickname(privKey->pkcs11Slot,
-					privKey->pkcs11ID,nickname);
-}
-
-SECStatus
-PK11_SetPublicKeyNickname(SECKEYPublicKey *pubKey, const char *nickname)
-{
-    return PK11_SetObjectNickname(pubKey->pkcs11Slot,
-					pubKey->pkcs11ID,nickname);
-}
-
-SECKEYPQGParams *
-PK11_GetPQGParamsFromPrivateKey(SECKEYPrivateKey *privKey)
-{
-    CK_ATTRIBUTE pTemplate[] = {
-	{ CKA_PRIME, NULL, 0 },
-	{ CKA_SUBPRIME, NULL, 0 },
-	{ CKA_BASE, NULL, 0 },
-    };
-    int pTemplateLen = sizeof(pTemplate)/sizeof(pTemplate[0]);
-    PRArenaPool *arena = NULL;
-    SECKEYPQGParams *params;
-    CK_RV crv;
-
-
-    arena = PORT_NewArena(2048);
-    if (arena == NULL) {
-	goto loser;
-    }
-    params=(SECKEYPQGParams *)PORT_ArenaZAlloc(arena,sizeof(SECKEYPQGParams));
-    if (params == NULL) {
-	goto loser;
-    }
-
-    crv = PK11_GetAttributes(arena, privKey->pkcs11Slot, privKey->pkcs11ID, 
-						pTemplate, pTemplateLen);
-    if (crv != CKR_OK) {
-        PORT_SetError( PK11_MapError(crv) );
-	goto loser;
-    }
-
-    params->arena = arena;
-    params->prime.data = pTemplate[0].pValue;
-    params->prime.len = pTemplate[0].ulValueLen;
-    params->subPrime.data = pTemplate[1].pValue;
-    params->subPrime.len = pTemplate[1].ulValueLen;
-    params->base.data = pTemplate[2].pValue;
-    params->base.len = pTemplate[2].ulValueLen;
-
-    return params;
-
-loser:
-    if (arena != NULL) {
-	PORT_FreeArena(arena,PR_FALSE);
-    }
-    return NULL;
-}
-
-SECKEYPrivateKey*
-PK11_CopyTokenPrivKeyToSessionPrivKey(PK11SlotInfo *destSlot,
-				      SECKEYPrivateKey *privKey)
-{
-    CK_RV             crv;
-    CK_OBJECT_HANDLE  newKeyID;
-
-    static const CK_BBOOL     ckfalse = CK_FALSE;
-    static const CK_ATTRIBUTE template[1] = { 
-       { CKA_TOKEN, (CK_BBOOL *)&ckfalse, sizeof ckfalse }
-    };
-
-    if (destSlot && destSlot != privKey->pkcs11Slot) {
-	SECKEYPrivateKey *newKey =
-	       pk11_loadPrivKey(destSlot, 
-				privKey, 
-			        NULL,     /* pubKey    */
-			        PR_FALSE, /* token     */
-			        PR_FALSE);/* sensitive */
-	if (newKey)
-	    return newKey;
-    }
-    destSlot = privKey->pkcs11Slot;
-    PK11_Authenticate(destSlot, PR_TRUE, privKey->wincx);
-    PK11_EnterSlotMonitor(destSlot);
-    crv = PK11_GETTAB(destSlot)->C_CopyObject(	destSlot->session, 
-						privKey->pkcs11ID,
-						(CK_ATTRIBUTE *)template, 
-						1, &newKeyID);
-    PK11_ExitSlotMonitor(destSlot);
-
-    if (crv != CKR_OK) {
-	PORT_SetError( PK11_MapError(crv) );
-	return NULL;
-    }
-
-    return PK11_MakePrivKey(destSlot, privKey->keyType, PR_TRUE /*isTemp*/, 
-			    newKeyID, privKey->wincx);
-}
-
-SECKEYPrivateKey*
-PK11_ConvertSessionPrivKeyToTokenPrivKey(SECKEYPrivateKey *privk, void* wincx)
-{
-    PK11SlotInfo* slot = privk->pkcs11Slot;
-    CK_ATTRIBUTE template[1];
-    CK_ATTRIBUTE *attrs = template;
-    CK_BBOOL cktrue = CK_TRUE;
-    CK_RV crv;
-    CK_OBJECT_HANDLE newKeyID;
-    CK_SESSION_HANDLE rwsession;
-
-    PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(cktrue)); attrs++;
-
-    PK11_Authenticate(slot, PR_TRUE, wincx);
-    rwsession = PK11_GetRWSession(slot);
-    if (rwsession == CK_INVALID_SESSION) {
-    	PORT_SetError(SEC_ERROR_BAD_DATA);
-	return NULL;
-    }
-    crv = PK11_GETTAB(slot)->C_CopyObject(rwsession, privk->pkcs11ID,
-        template, 1, &newKeyID);
-    PK11_RestoreROSession(slot, rwsession);
-
-    if (crv != CKR_OK) {
-        PORT_SetError( PK11_MapError(crv) );
-        return NULL;
-    }
-
-    return PK11_MakePrivKey(slot, nullKey /*KeyType*/, PR_FALSE /*isTemp*/,
-        newKeyID, NULL /*wincx*/);
-}
-
-/*
- * destroy a private key if there are no matching certs.
- * this function also frees the privKey structure.
- */
-SECStatus
-PK11_DeleteTokenPrivateKey(SECKEYPrivateKey *privKey, PRBool force)
-{
-    CERTCertificate *cert=PK11_GetCertFromPrivateKey(privKey);
-
-    /* found a cert matching the private key?. */
-    if (!force  && cert != NULL) {
-	/* yes, don't delete the key */
-        CERT_DestroyCertificate(cert);
-	SECKEY_DestroyPrivateKey(privKey);
-	return SECWouldBlock;
-    }
-    /* now, then it's safe for the key to go away */
-    PK11_DestroyTokenObject(privKey->pkcs11Slot,privKey->pkcs11ID);
-    SECKEY_DestroyPrivateKey(privKey);
-    return SECSuccess;
-}
-
-/*
- * destroy a private key if there are no matching certs.
- * this function also frees the privKey structure.
- */
-SECStatus
-PK11_DeleteTokenPublicKey(SECKEYPublicKey *pubKey)
-{
-    /* now, then it's safe for the key to go away */
-    if (pubKey->pkcs11Slot == NULL) {
-	return SECFailure;
-    }
-    PK11_DestroyTokenObject(pubKey->pkcs11Slot,pubKey->pkcs11ID);
-    SECKEY_DestroyPublicKey(pubKey);
-    return SECSuccess;
-}
-
-/*
- * key call back structure.
- */
-typedef struct pk11KeyCallbackStr {
-	SECStatus (* callback)(SECKEYPrivateKey *,void *);
-	void *callbackArg;
-	void *wincx;
-} pk11KeyCallback;
-
-/*
- * callback to map Object Handles to Private Keys;
- */
-SECStatus
-pk11_DoKeys(PK11SlotInfo *slot, CK_OBJECT_HANDLE keyHandle, void *arg)
-{
-    SECStatus rv = SECSuccess;
-    SECKEYPrivateKey *privKey;
-    pk11KeyCallback *keycb = (pk11KeyCallback *) arg;
-
-    privKey = PK11_MakePrivKey(slot,nullKey,PR_TRUE,keyHandle,keycb->wincx);
-
-    if (privKey == NULL) {
-	return SECFailure;
-    }
-
-    if (keycb && (keycb->callback)) {
-	rv = (*keycb->callback)(privKey,keycb->callbackArg);
-    }
-
-    SECKEY_DestroyPrivateKey(privKey);	    
-    return rv;
-}
-
-/***********************************************************************
- * PK11_TraversePrivateKeysInSlot
- *
- * Traverses all the private keys on a slot.
- *
- * INPUTS
- *      slot
- *          The PKCS #11 slot whose private keys you want to traverse.
- *      callback
- *          A callback function that will be called for each key.
- *      arg
- *          An argument that will be passed to the callback function.
- */
-SECStatus
-PK11_TraversePrivateKeysInSlot( PK11SlotInfo *slot,
-    SECStatus(* callback)(SECKEYPrivateKey*, void*), void *arg)
-{
-    pk11KeyCallback perKeyCB;
-    pk11TraverseSlot perObjectCB;
-    CK_OBJECT_CLASS privkClass = CKO_PRIVATE_KEY;
-    CK_BBOOL ckTrue = CK_TRUE;
-    CK_ATTRIBUTE theTemplate[2];
-    int templateSize = 2;
-
-    theTemplate[0].type = CKA_CLASS;
-    theTemplate[0].pValue = &privkClass;
-    theTemplate[0].ulValueLen = sizeof(privkClass);
-    theTemplate[1].type = CKA_TOKEN;
-    theTemplate[1].pValue = &ckTrue;
-    theTemplate[1].ulValueLen = sizeof(ckTrue);
-
-    if(slot==NULL) {
-        return SECSuccess;
-    }
-
-    perObjectCB.callback = pk11_DoKeys;
-    perObjectCB.callbackArg = &perKeyCB;
-    perObjectCB.findTemplate = theTemplate;
-    perObjectCB.templateCount = templateSize;
-    perKeyCB.callback = callback;
-    perKeyCB.callbackArg = arg;
-    perKeyCB.wincx = NULL;
-
-    return PK11_TraverseSlot(slot, &perObjectCB);
-}
-
-/*
- * return the private key with the given ID
- */
-CK_OBJECT_HANDLE
-pk11_FindPrivateKeyFromCertID(PK11SlotInfo *slot, SECItem *keyID)
-{
-    CK_OBJECT_CLASS privKey = CKO_PRIVATE_KEY;
-    CK_ATTRIBUTE theTemplate[] = {
-	{ CKA_ID, NULL, 0 },
-	{ CKA_CLASS, NULL, 0 },
-    };
-    /* if you change the array, change the variable below as well */
-    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
-    CK_ATTRIBUTE *attrs = theTemplate;
-
-    PK11_SETATTRS(attrs, CKA_ID, keyID->data, keyID->len ); attrs++;
-    PK11_SETATTRS(attrs, CKA_CLASS, &privKey, sizeof(privKey));
-
-    return pk11_FindObjectByTemplate(slot,theTemplate,tsize);
-} 
-
-
-SECKEYPrivateKey *
-PK11_FindKeyByKeyID(PK11SlotInfo *slot, SECItem *keyID, void *wincx)
-{
-    CK_OBJECT_HANDLE keyHandle;
-    SECKEYPrivateKey *privKey;
-
-    keyHandle = pk11_FindPrivateKeyFromCertID(slot, keyID);
-    if (keyHandle == CK_INVALID_HANDLE) { 
-	return NULL;
-    }
-    privKey =  PK11_MakePrivKey(slot, nullKey, PR_TRUE, keyHandle, wincx);
-    return privKey;
-}
-
-/*
- * Generate a CKA_ID from the relevant public key data. The CKA_ID is generated
- * from the pubKeyData by SHA1_Hashing it to produce a smaller CKA_ID (to make
- * smart cards happy.
- */
-SECItem *
-PK11_MakeIDFromPubKey(SECItem *pubKeyData) 
-{
-    PK11Context *context;
-    SECItem *certCKA_ID;
-    SECStatus rv;
-
-    context = PK11_CreateDigestContext(SEC_OID_SHA1);
-    if (context == NULL) {
-	return NULL;
-    }
-
-    rv = PK11_DigestBegin(context);
-    if (rv == SECSuccess) {
-    	rv = PK11_DigestOp(context,pubKeyData->data,pubKeyData->len);
-    }
-    if (rv != SECSuccess) {
-	PK11_DestroyContext(context,PR_TRUE);
-	return NULL;
-    }
-
-    certCKA_ID = (SECItem *)PORT_Alloc(sizeof(SECItem));
-    if (certCKA_ID == NULL) {
-	PK11_DestroyContext(context,PR_TRUE);
-	return NULL;
-    }
-
-    certCKA_ID->len = SHA1_LENGTH;
-    certCKA_ID->data = (unsigned char*)PORT_Alloc(certCKA_ID->len);
-    if (certCKA_ID->data == NULL) {
-	PORT_Free(certCKA_ID);
-	PK11_DestroyContext(context,PR_TRUE);
-        return NULL;
-    }
-
-    rv = PK11_DigestFinal(context,certCKA_ID->data,&certCKA_ID->len,
-								SHA1_LENGTH);
-    PK11_DestroyContext(context,PR_TRUE);
-    if (rv != SECSuccess) {
-    	SECITEM_FreeItem(certCKA_ID,PR_TRUE);
-	return NULL;
-    }
-
-    return certCKA_ID;
-}
-
-SECItem *
-PK11_GetKeyIDFromPrivateKey(SECKEYPrivateKey *key, void *wincx)
-{
-    CK_ATTRIBUTE theTemplate[] = {
-	{ CKA_ID, NULL, 0 },
-    };
-    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
-    SECItem *item = NULL;
-    CK_RV crv;
-
-    crv = PK11_GetAttributes(NULL,key->pkcs11Slot,key->pkcs11ID,
-							theTemplate,tsize);
-    if (crv != CKR_OK) {
-	PORT_SetError( PK11_MapError(crv) );
-	goto loser;
-    }
-
-    item = PORT_ZNew(SECItem);
-    if (item) {
-        item->data = (unsigned char*) theTemplate[0].pValue;
-        item->len = theTemplate[0].ulValueLen;
-    }
-
-loser:
-    return item;
-}
-
-SECItem *
-PK11_GetLowLevelKeyIDForPrivateKey(SECKEYPrivateKey *privKey)
-{
-    return pk11_GetLowLevelKeyFromHandle(privKey->pkcs11Slot,privKey->pkcs11ID);
-}
-
-static SECStatus
-privateKeyListCallback(SECKEYPrivateKey *key, void *arg)
-{
-    SECKEYPrivateKeyList *list = (SECKEYPrivateKeyList*)arg;
-    return SECKEY_AddPrivateKeyToListTail(list, SECKEY_CopyPrivateKey(key));
-}
-
-SECKEYPrivateKeyList*
-PK11_ListPrivateKeysInSlot(PK11SlotInfo *slot)
-{
-    SECStatus status;
-    SECKEYPrivateKeyList *keys;
-
-    keys = SECKEY_NewPrivateKeyList();
-    if(keys == NULL) return NULL;
-
-    status = PK11_TraversePrivateKeysInSlot(slot, privateKeyListCallback,
-		(void*)keys);
-
-    if( status != SECSuccess ) {
-	SECKEY_DestroyPrivateKeyList(keys);
-	keys = NULL;
-    }
-
-    return keys;
-}
-
-SECKEYPublicKeyList*
-PK11_ListPublicKeysInSlot(PK11SlotInfo *slot, char *nickname)
-{
-    CK_ATTRIBUTE findTemp[4];
-    CK_ATTRIBUTE *attrs;
-    CK_BBOOL ckTrue = CK_TRUE;
-    CK_OBJECT_CLASS keyclass = CKO_PUBLIC_KEY;
-    int tsize = 0;
-    int objCount = 0;
-    CK_OBJECT_HANDLE *key_ids;
-    SECKEYPublicKeyList *keys;
-    int i,len;
-
-
-    attrs = findTemp;
-    PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); attrs++;
-    PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); attrs++;
-    if (nickname) {
-	len = PORT_Strlen(nickname)-1;
-	PK11_SETATTRS(attrs, CKA_LABEL, nickname, len); attrs++;
-    }
-    tsize = attrs - findTemp;
-    PORT_Assert(tsize <= sizeof(findTemp)/sizeof(CK_ATTRIBUTE));
-
-    key_ids = pk11_FindObjectsByTemplate(slot,findTemp,tsize,&objCount);
-    if (key_ids == NULL) {
-	return NULL;
-    }
-    keys = SECKEY_NewPublicKeyList();
-    if (keys == NULL) {
-	PORT_Free(key_ids);
-    }
-
-    for (i=0; i < objCount ; i++) {
-	SECKEYPublicKey *pubKey = 
-				PK11_ExtractPublicKey(slot,nullKey,key_ids[i]);
-	if (pubKey) {
-	    SECKEY_AddPublicKeyToListTail(keys, pubKey);
-	}
-   }
-
-   PORT_Free(key_ids);
-   return keys;
-}
-
-SECKEYPrivateKeyList*
-PK11_ListPrivKeysInSlot(PK11SlotInfo *slot, char *nickname, void *wincx)
-{
-    CK_ATTRIBUTE findTemp[4];
-    CK_ATTRIBUTE *attrs;
-    CK_BBOOL ckTrue = CK_TRUE;
-    CK_OBJECT_CLASS keyclass = CKO_PRIVATE_KEY;
-    int tsize = 0;
-    int objCount = 0;
-    CK_OBJECT_HANDLE *key_ids;
-    SECKEYPrivateKeyList *keys;
-    int i,len;
-
-
-    attrs = findTemp;
-    PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); attrs++;
-    PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); attrs++;
-    if (nickname) {
-	len = PORT_Strlen(nickname)-1;
-	PK11_SETATTRS(attrs, CKA_LABEL, nickname, len); attrs++;
-    }
-    tsize = attrs - findTemp;
-    PORT_Assert(tsize <= sizeof(findTemp)/sizeof(CK_ATTRIBUTE));
-
-    key_ids = pk11_FindObjectsByTemplate(slot,findTemp,tsize,&objCount);
-    if (key_ids == NULL) {
-	return NULL;
-    }
-    keys = SECKEY_NewPrivateKeyList();
-    if (keys == NULL) {
-	PORT_Free(key_ids);
-    }
-
-    for (i=0; i < objCount ; i++) {
-	SECKEYPrivateKey *privKey = 
-		PK11_MakePrivKey(slot,nullKey,PR_TRUE,key_ids[i],wincx);
-	SECKEY_AddPrivateKeyToListTail(keys, privKey);
-   }
-
-   PORT_Free(key_ids);
-   return keys;
-}
-
diff --git a/security/nss/lib/pk11wrap/pk11auth.c b/security/nss/lib/pk11wrap/pk11auth.c
deleted file mode 100644
index a9bc39943..000000000
--- a/security/nss/lib/pk11wrap/pk11auth.c
+++ /dev/null
@@ -1,760 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * This file deals with PKCS #11 passwords and authentication.
- */
-#include "seccomon.h"
-#include "secmod.h"
-#include "secmodi.h"
-#include "secmodti.h"
-#include "pkcs11t.h"
-#include "pk11func.h"
-#include "secitem.h"
-#include "secerr.h"
-
-#include "pkim.h" 
-
-
-/*************************************************************
- * local static and global data
- *************************************************************/
-/*
- * This structure keeps track of status that spans all the Slots.
- * NOTE: This is a global data structure. It semantics expect thread crosstalk
- * be very careful when you see it used. 
- *  It's major purpose in life is to allow the user to log in one PER 
- * Tranaction, even if a transaction spans threads. The problem is the user
- * may have to enter a password one just to be able to look at the 
- * personalities/certificates (s)he can use. Then if Auth every is one, they
- * may have to enter the password again to use the card. See PK11_StartTransac
- * and PK11_EndTransaction.
- */
-static struct PK11GlobalStruct {
-   int transaction;
-   PRBool inTransaction;
-   char *(PR_CALLBACK *getPass)(PK11SlotInfo *,PRBool,void *);
-   PRBool (PR_CALLBACK *verifyPass)(PK11SlotInfo *,void *);
-   PRBool (PR_CALLBACK *isLoggedIn)(PK11SlotInfo *,void *);
-} PK11_Global = { 1, PR_FALSE, NULL, NULL, NULL };
- 
-/***********************************************************
- * Password Utilities
- ***********************************************************/
-/*
- * Check the user's password. Log into the card if it's correct.
- * succeed if the user is already logged in.
- */
-SECStatus
-pk11_CheckPassword(PK11SlotInfo *slot,char *pw)
-{
-    int len = 0;
-    CK_RV crv;
-    SECStatus rv;
-    int64 currtime = PR_Now();
-
-    if (slot->protectedAuthPath) {
-	len = 0;
-	pw = NULL;
-    } else if (pw == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    } else {
-	len = PORT_Strlen(pw);
-    }
-
-    PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER,
-						(unsigned char *)pw,len);
-    slot->lastLoginCheck = 0;
-    PK11_ExitSlotMonitor(slot);
-    switch (crv) {
-    /* if we're already logged in, we're good to go */
-    case CKR_OK:
-	slot->authTransact = PK11_Global.transaction;
-    case CKR_USER_ALREADY_LOGGED_IN:
-	slot->authTime = currtime;
-	rv = SECSuccess;
-	break;
-    case CKR_PIN_INCORRECT:
-	PORT_SetError(SEC_ERROR_BAD_PASSWORD);
-	rv = SECWouldBlock; /* everything else is ok, only the pin is bad */
-	break;
-    default:
-	PORT_SetError(PK11_MapError(crv));
-	rv = SECFailure; /* some failure we can't fix by retrying */
-    }
-    return rv;
-}
-
-/*
- * Check the user's password. Logout before hand to make sure that
- * we are really checking the password.
- */
-SECStatus
-PK11_CheckUserPassword(PK11SlotInfo *slot,char *pw)
-{
-    int len = 0;
-    CK_RV crv;
-    SECStatus rv;
-    int64 currtime = PR_Now();
-
-    if (slot->protectedAuthPath) {
-	len = 0;
-	pw = NULL;
-    } else if (pw == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    } else {
-	len = PORT_Strlen(pw);
-    }
-
-    /* force a logout */
-    PK11_EnterSlotMonitor(slot);
-    PK11_GETTAB(slot)->C_Logout(slot->session);
-
-    crv = PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER,
-					(unsigned char *)pw,len);
-    slot->lastLoginCheck = 0;
-    PK11_ExitSlotMonitor(slot);
-    switch (crv) {
-    /* if we're already logged in, we're good to go */
-    case CKR_OK:
-	slot->authTransact = PK11_Global.transaction;
-	slot->authTime = currtime;
-	rv = SECSuccess;
-	break;
-    case CKR_PIN_INCORRECT:
-	PORT_SetError(SEC_ERROR_BAD_PASSWORD);
-	rv = SECWouldBlock; /* everything else is ok, only the pin is bad */
-	break;
-    default:
-	PORT_SetError(PK11_MapError(crv));
-	rv = SECFailure; /* some failure we can't fix by retrying */
-    }
-    return rv;
-}
-
-SECStatus
-PK11_Logout(PK11SlotInfo *slot)
-{
-    CK_RV crv;
-
-    /* force a logout */
-    PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB(slot)->C_Logout(slot->session);
-    slot->lastLoginCheck = 0;
-    PK11_ExitSlotMonitor(slot);
-    if (crv != CKR_OK) {
-	PORT_SetError(PK11_MapError(crv));
-	return SECFailure;
-    }
-    return  SECSuccess;
-}
-
-/*
- * transaction stuff is for when we test for the need to do every
- * time auth to see if we already did it for this slot/transaction
- */
-void PK11_StartAuthTransaction(void)
-{
-PK11_Global.transaction++;
-PK11_Global.inTransaction = PR_TRUE;
-}
-
-void PK11_EndAuthTransaction(void)
-{
-PK11_Global.transaction++;
-PK11_Global.inTransaction = PR_FALSE;
-}
-
-/*
- * before we do a private key op, we check to see if we
- * need to reauthenticate.
- */
-void
-PK11_HandlePasswordCheck(PK11SlotInfo *slot,void *wincx)
-{
-    int askpw = slot->askpw;
-    PRBool NeedAuth = PR_FALSE;
-
-    if (!slot->needLogin) return;
-
-    if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) {
-	PK11SlotInfo *def_slot = PK11_GetInternalKeySlot();
-
-	if (def_slot) {
-	    askpw = def_slot->askpw;
-	    PK11_FreeSlot(def_slot);
-	}
-    }
-
-    /* timeouts are handled by isLoggedIn */
-    if (!PK11_IsLoggedIn(slot,wincx)) {
-	NeedAuth = PR_TRUE;
-    } else if (askpw == -1) {
-	if (!PK11_Global.inTransaction	||
-			 (PK11_Global.transaction != slot->authTransact)) {
-    	    PK11_EnterSlotMonitor(slot);
-	    PK11_GETTAB(slot)->C_Logout(slot->session);
-	    slot->lastLoginCheck = 0;
-    	    PK11_ExitSlotMonitor(slot);
-	    NeedAuth = PR_TRUE;
-	}
-    }
-    if (NeedAuth) PK11_DoPassword(slot,PR_TRUE,wincx);
-}
-
-void
-PK11_SlotDBUpdate(PK11SlotInfo *slot)
-{
-    SECMOD_UpdateModule(slot->module);
-}
-
-/*
- * set new askpw and timeout values
- */
-void
-PK11_SetSlotPWValues(PK11SlotInfo *slot,int askpw, int timeout)
-{
-        slot->askpw = askpw;
-        slot->timeout = timeout;
-        slot->defaultFlags |= PK11_OWN_PW_DEFAULTS;
-        PK11_SlotDBUpdate(slot);
-}
-
-/*
- * Get the askpw and timeout values for this slot
- */
-void
-PK11_GetSlotPWValues(PK11SlotInfo *slot,int *askpw, int *timeout)
-{
-    *askpw = slot->askpw;
-    *timeout = slot->timeout;
-
-    if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) {
-	PK11SlotInfo *def_slot = PK11_GetInternalKeySlot();
-
-	if (def_slot) {
-	    *askpw = def_slot->askpw;
-	    *timeout = def_slot->timeout;
-	    PK11_FreeSlot(def_slot);
-	}
-    }
-}
-
-/*
- * Returns true if the token is needLogin and isn't logged in.
- * This function is used to determine if authentication is needed
- * before attempting a potentially privelleged operation.
- */
-PRBool
-pk11_LoginStillRequired(PK11SlotInfo *slot, void *wincx)
-{
-    return slot->needLogin && !PK11_IsLoggedIn(slot,wincx);
-}
-
-/*
- * make sure a slot is authenticated...
- * This function only does the authentication if it is needed.
- */
-SECStatus
-PK11_Authenticate(PK11SlotInfo *slot, PRBool loadCerts, void *wincx) {
-    if (pk11_LoginStillRequired(slot,wincx)) {
-	return PK11_DoPassword(slot,loadCerts,wincx);
-    }
-    return SECSuccess;
-}
-
-/*
- * Authenticate to "unfriendly" tokens (tokens which need to be logged
- * in to find the certs.
- */
-SECStatus
-pk11_AuthenticateUnfriendly(PK11SlotInfo *slot, PRBool loadCerts, void *wincx)
-{
-    SECStatus rv = SECSuccess;
-    if (!PK11_IsFriendly(slot)) {
-	rv = PK11_Authenticate(slot, loadCerts, wincx);
-    }
-    return rv;
-}
-
-
-/*
- * NOTE: this assumes that we are logged out of the card before hand
- */
-SECStatus
-PK11_CheckSSOPassword(PK11SlotInfo *slot, char *ssopw)
-{
-    CK_SESSION_HANDLE rwsession;
-    CK_RV crv;
-    SECStatus rv = SECFailure;
-    int len = 0;
-
-    /* get a rwsession */
-    rwsession = PK11_GetRWSession(slot);
-    if (rwsession == CK_INVALID_SESSION) {
-    	PORT_SetError(SEC_ERROR_BAD_DATA);
-    	return rv;
-    }
-
-    if (slot->protectedAuthPath) {
-	len = 0;
-	ssopw = NULL;
-    } else if (ssopw == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    } else {
-	len = PORT_Strlen(ssopw);
-    }
-
-    /* check the password */
-    crv = PK11_GETTAB(slot)->C_Login(rwsession,CKU_SO,
-						(unsigned char *)ssopw,len);
-    slot->lastLoginCheck = 0;
-    switch (crv) {
-    /* if we're already logged in, we're good to go */
-    case CKR_OK:
-	rv = SECSuccess;
-	break;
-    case CKR_PIN_INCORRECT:
-	PORT_SetError(SEC_ERROR_BAD_PASSWORD);
-	rv = SECWouldBlock; /* everything else is ok, only the pin is bad */
-	break;
-    default:
-	PORT_SetError(PK11_MapError(crv));
-	rv = SECFailure; /* some failure we can't fix by retrying */
-    }
-    PK11_GETTAB(slot)->C_Logout(rwsession);
-    slot->lastLoginCheck = 0;
-
-    /* release rwsession */
-    PK11_RestoreROSession(slot,rwsession);
-    return rv;
-}
-
-/*
- * make sure the password conforms to your token's requirements.
- */
-SECStatus
-PK11_VerifyPW(PK11SlotInfo *slot,char *pw)
-{
-    int len = PORT_Strlen(pw);
-
-    if ((slot->minPassword > len) || (slot->maxPassword < len)) {
-	PORT_SetError(SEC_ERROR_BAD_DATA);
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-/*
- * initialize a user PIN Value
- */
-SECStatus
-PK11_InitPin(PK11SlotInfo *slot,char *ssopw, char *userpw)
-{
-    CK_SESSION_HANDLE rwsession = CK_INVALID_SESSION;
-    CK_RV crv;
-    SECStatus rv = SECFailure;
-    int len;
-    int ssolen;
-
-    if (userpw == NULL) userpw = "";
-    if (ssopw == NULL) ssopw = "";
-
-    len = PORT_Strlen(userpw);
-    ssolen = PORT_Strlen(ssopw);
-
-    /* get a rwsession */
-    rwsession = PK11_GetRWSession(slot);
-    if (rwsession == CK_INVALID_SESSION) {
-    	PORT_SetError(SEC_ERROR_BAD_DATA);
-	slot->lastLoginCheck = 0;
-    	return rv;
-    }
-
-    if (slot->protectedAuthPath) {
-	len = 0;
-	ssolen = 0;
-	ssopw = NULL;
-	userpw = NULL;
-    }
-
-    /* check the password */
-    crv = PK11_GETTAB(slot)->C_Login(rwsession,CKU_SO, 
-					  (unsigned char *)ssopw,ssolen);
-    slot->lastLoginCheck = 0;
-    if (crv != CKR_OK) {
-	PORT_SetError(PK11_MapError(crv));
-	goto done;
-    }
-
-    crv = PK11_GETTAB(slot)->C_InitPIN(rwsession,(unsigned char *)userpw,len);
-    if (crv != CKR_OK) {
-	PORT_SetError(PK11_MapError(crv));
-    } else {
-    	rv = SECSuccess;
-    }
-
-done:
-    PK11_GETTAB(slot)->C_Logout(rwsession);
-    slot->lastLoginCheck = 0;
-    PK11_RestoreROSession(slot,rwsession);
-    if (rv == SECSuccess) {
-        /* update our view of the world */
-        PK11_InitToken(slot,PR_TRUE);
-	PK11_EnterSlotMonitor(slot);
-    	PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER,
-						(unsigned char *)userpw,len);
-	slot->lastLoginCheck = 0;
-	PK11_ExitSlotMonitor(slot);
-    }
-    return rv;
-}
-
-/*
- * Change an existing user password
- */
-SECStatus
-PK11_ChangePW(PK11SlotInfo *slot,char *oldpw, char *newpw)
-{
-    CK_RV crv;
-    SECStatus rv = SECFailure;
-    int newLen;
-    int oldLen;
-    CK_SESSION_HANDLE rwsession;
-
-    if (newpw == NULL) newpw = "";
-    if (oldpw == NULL) oldpw = "";
-    newLen = PORT_Strlen(newpw);
-    oldLen = PORT_Strlen(oldpw);
-
-    /* get a rwsession */
-    rwsession = PK11_GetRWSession(slot);
-    if (rwsession == CK_INVALID_SESSION) {
-    	PORT_SetError(SEC_ERROR_BAD_DATA);
-    	return rv;
-    }
-
-    crv = PK11_GETTAB(slot)->C_SetPIN(rwsession,
-		(unsigned char *)oldpw,oldLen,(unsigned char *)newpw,newLen);
-    if (crv == CKR_OK) {
-	rv = SECSuccess;
-    } else {
-	PORT_SetError(PK11_MapError(crv));
-    }
-
-    PK11_RestoreROSession(slot,rwsession);
-
-    /* update our view of the world */
-    PK11_InitToken(slot,PR_TRUE);
-    return rv;
-}
-
-static char *
-pk11_GetPassword(PK11SlotInfo *slot, PRBool retry, void * wincx)
-{
-    if (PK11_Global.getPass == NULL) return NULL;
-    return (*PK11_Global.getPass)(slot, retry, wincx);
-}
-
-void
-PK11_SetPasswordFunc(PK11PasswordFunc func)
-{
-    PK11_Global.getPass = func;
-}
-
-void
-PK11_SetVerifyPasswordFunc(PK11VerifyPasswordFunc func)
-{
-    PK11_Global.verifyPass = func;
-}
-
-void
-PK11_SetIsLoggedInFunc(PK11IsLoggedInFunc func)
-{
-    PK11_Global.isLoggedIn = func;
-}
-
-
-/*
- * authenticate to a slot. This loops until we can't recover, the user
- * gives up, or we succeed. If we're already logged in and this function
- * is called we will still prompt for a password, but we will probably
- * succeed no matter what the password was (depending on the implementation
- * of the PKCS 11 module.
- */
-SECStatus
-PK11_DoPassword(PK11SlotInfo *slot, PRBool loadCerts, void *wincx)
-{
-    SECStatus rv = SECFailure;
-    char * password;
-    PRBool attempt = PR_FALSE;
-
-    if (PK11_NeedUserInit(slot)) {
-	PORT_SetError(SEC_ERROR_IO);
-	return SECFailure;
-    }
-
-
-    /*
-     * Central server type applications which control access to multiple
-     * slave applications to single crypto devices need to virtuallize the
-     * login state. This is done by a callback out of PK11_IsLoggedIn and
-     * here. If we are actually logged in, then we got here because the
-     * higher level code told us that the particular client application may
-     * still need to be logged in. If that is the case, we simply tell the
-     * server code that it should now verify the clients password and tell us
-     * the results.
-     */
-    if (PK11_IsLoggedIn(slot,NULL) && 
-    			(PK11_Global.verifyPass != NULL)) {
-	if (!PK11_Global.verifyPass(slot,wincx)) {
-	    PORT_SetError(SEC_ERROR_BAD_PASSWORD);
-	    return SECFailure;
-	}
-	return SECSuccess;
-    }
-
-    /* get the password. This can drop out of the while loop
-     * for the following reasons:
-     * 	(1) the user refused to enter a password. 
-     *			(return error to caller)
-     *	(2) the token user password is disabled [usually due to
-     *	   too many failed authentication attempts].
-     *			(return error to caller)
-     *	(3) the password was successful.
-     */
-    while ((password = pk11_GetPassword(slot, attempt, wincx)) != NULL) {
-	/* if the token has a protectedAuthPath, the application may have
-         * already issued the C_Login as part of it's pk11_GetPassword call.
-         * In this case the application will tell us what the results were in 
-         * the password value (retry or the authentication was successful) so
-	 * we can skip our own C_Login call (which would force the token to
-	 * try to login again).
-	 * 
-	 * Applications that don't know about protectedAuthPath will return a 
-	 * password, which we will ignore and trigger the token to 
-	 * 'authenticate' itself anyway. Hopefully the blinking display on 
-	 * the reader, or the flashing light under the thumbprint reader will 
-	 * attract the user's attention */
-	attempt = PR_TRUE;
-	if (slot->protectedAuthPath) {
-	    /* application tried to authenticate and failed. it wants to try
-	     * again, continue looping */
-	    if (strcmp(password, PK11_PW_RETRY) == 0) {
-		rv = SECWouldBlock;
-		PORT_Free(password);
-		continue;
-	    }
-	    /* applicaton tried to authenticate and succeeded we're done */
-	    if (strcmp(password, PK11_PW_AUTHENTICATED) == 0) {
-		rv = SECSuccess;
-		PORT_Free(password);
-		break;
-	    }
-	}
-	rv = pk11_CheckPassword(slot,password);
-	PORT_Memset(password, 0, PORT_Strlen(password));
-	PORT_Free(password);
-	if (rv != SECWouldBlock) break;
-    }
-    if (rv == SECSuccess) {
-	rv = pk11_CheckVerifyTest(slot);
-	if (!PK11_IsFriendly(slot)) {
-	    nssTrustDomain_UpdateCachedTokenCerts(slot->nssToken->trustDomain,
-	                                      slot->nssToken);
-	}
-    } else if (!attempt) PORT_SetError(SEC_ERROR_BAD_PASSWORD);
-    return rv;
-}
-
-void PK11_LogoutAll(void)
-{
-    SECMODListLock *lock = SECMOD_GetDefaultModuleListLock();
-    SECMODModuleList *modList = SECMOD_GetDefaultModuleList();
-    SECMODModuleList *mlp = NULL;
-    int i;
-
-    /* NSS is not initialized, there are not tokens to log out */
-    if (lock == NULL) {
-	return;
-    }
-
-    SECMOD_GetReadLock(lock);
-    /* find the number of entries */
-    for (mlp = modList; mlp != NULL; mlp = mlp->next) {
-	for (i=0; i < mlp->module->slotCount; i++) {
-	    PK11_Logout(mlp->module->slots[i]);
-	}
-    }
-
-    SECMOD_ReleaseReadLock(lock);
-}
-
-int
-PK11_GetMinimumPwdLength(PK11SlotInfo *slot)
-{
-    return ((int)slot->minPassword);
-}
-
-/* Does this slot have a protected pin path? */
-PRBool
-PK11_ProtectedAuthenticationPath(PK11SlotInfo *slot)
-{
-	return slot->protectedAuthPath;
-}
-
-/*
- * we can initialize the password if 1) The toke is not inited 
- * (need login == true and see need UserInit) or 2) the token has
- * a NULL password. (slot->needLogin = false & need user Init = false).
- */
-PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot)
-{
-    if (slot->needLogin && PK11_NeedUserInit(slot)) {
-	return PR_TRUE;
-    }
-    if (!slot->needLogin && !PK11_NeedUserInit(slot)) {
-	return PR_TRUE;
-    }
-    return PR_FALSE;
-}
-
-PRBool PK11_NeedPWInit()
-{
-    PK11SlotInfo *slot = PK11_GetInternalKeySlot();
-    PRBool ret = PK11_NeedPWInitForSlot(slot);
-
-    PK11_FreeSlot(slot);
-    return ret;
-}
-
-PRBool 
-pk11_InDelayPeriod(PRIntervalTime lastTime, PRIntervalTime delayTime, 
-						PRIntervalTime *retTime)
-{
-    PRIntervalTime time;
-
-    *retTime = time = PR_IntervalNow();
-    return (PRBool) (lastTime) && ((time-lastTime) < delayTime);
-}
-
-/*
- * Determine if the token is logged in. We have to actually query the token,
- * because it's state can change without intervention from us.
- */
-PRBool
-PK11_IsLoggedIn(PK11SlotInfo *slot,void *wincx)
-{
-    CK_SESSION_INFO sessionInfo;
-    int askpw = slot->askpw;
-    int timeout = slot->timeout;
-    CK_RV crv;
-    PRIntervalTime curTime;
-    static PRIntervalTime login_delay_time = 0;
-
-    if (login_delay_time == 0) {
-	login_delay_time = PR_SecondsToInterval(1);
-    }
-
-    /* If we don't have our own password default values, use the system
-     * ones */
-    if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) {
-	PK11SlotInfo *def_slot = PK11_GetInternalKeySlot();
-
-	if (def_slot) {
-	    askpw = def_slot->askpw;
-	    timeout = def_slot->timeout;
-	    PK11_FreeSlot(def_slot);
-	}
-    }
-
-    if ((wincx != NULL) && (PK11_Global.isLoggedIn != NULL) &&
-	(*PK11_Global.isLoggedIn)(slot, wincx) == PR_FALSE) { return PR_FALSE; }
-
-
-    /* forget the password if we've been inactive too long */
-    if (askpw == 1) {
-	int64 currtime = PR_Now();
-	int64 result;
-	int64 mult;
-	
-	LL_I2L(result, timeout);
-	LL_I2L(mult, 60*1000*1000);
-	LL_MUL(result,result,mult);
-	LL_ADD(result, result, slot->authTime);
-	if (LL_CMP(result, <, currtime) ) {
-	    PK11_EnterSlotMonitor(slot);
-	    PK11_GETTAB(slot)->C_Logout(slot->session);
-	    slot->lastLoginCheck = 0;
-	    PK11_ExitSlotMonitor(slot);
-	} else {
-	    slot->authTime = currtime;
-	}
-    }
-
-    PK11_EnterSlotMonitor(slot);
-    if (pk11_InDelayPeriod(slot->lastLoginCheck,login_delay_time, &curTime)) {
-	sessionInfo.state = slot->lastState;
-	crv = CKR_OK;
-    } else {
-	crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session,&sessionInfo);
-	if (crv == CKR_OK) {
-	    slot->lastState = sessionInfo.state;
-	    slot->lastLoginCheck = curTime;
-	}
-    }
-    PK11_ExitSlotMonitor(slot);
-    /* if we can't get session info, something is really wrong */
-    if (crv != CKR_OK) {
-	slot->session = CK_INVALID_SESSION;
-	return PR_FALSE;
-    }
-
-    switch (sessionInfo.state) {
-    case CKS_RW_PUBLIC_SESSION:
-    case CKS_RO_PUBLIC_SESSION:
-    default:
-	break; /* fail */
-    case CKS_RW_USER_FUNCTIONS:
-    case CKS_RW_SO_FUNCTIONS:
-    case CKS_RO_USER_FUNCTIONS:
-	return PR_TRUE;
-    }
-    return PR_FALSE; 
-}
diff --git a/security/nss/lib/pk11wrap/pk11cert.c b/security/nss/lib/pk11wrap/pk11cert.c
deleted file mode 100644
index 08c0af2db..000000000
--- a/security/nss/lib/pk11wrap/pk11cert.c
+++ /dev/null
@@ -1,2394 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * This file manages PKCS #11 instances of certificates.
- */
-
-#include "secport.h"
-#include "seccomon.h"
-#include "secmod.h"
-#include "secmodi.h"
-#include "secmodti.h"
-#include "pkcs11.h"
-#include "pk11func.h"
-#include "cert.h"
-#include "certi.h"
-#include "secitem.h"
-#include "key.h" 
-#include "secoid.h"
-#include "pkcs7t.h"
-#include "cmsreclist.h"
-
-#include "certdb.h"
-#include "secerr.h"
-#include "sslerr.h"
-
-#ifndef NSS_3_4_CODE
-#define NSS_3_4_CODE
-#endif /* NSS_3_4_CODE */
-#include "pki3hack.h"
-#include "dev3hack.h"
-
-#include "devm.h" 
-#include "nsspki.h"
-#include "pki.h"
-#include "pkim.h"
-#include "pkitm.h"
-#include "pkistore.h" /* to remove temp cert */
-#include "devt.h"
-
-extern const NSSError NSS_ERROR_NOT_FOUND;
-extern const NSSError NSS_ERROR_INVALID_CERTIFICATE;
-
-struct nss3_cert_cbstr {
-    SECStatus(* callback)(CERTCertificate*, void *);
-    nssList *cached;
-    void *arg;
-};
-
-/* Translate from NSSCertificate to CERTCertificate, then pass the latter
- * to a callback.
- */
-static PRStatus convert_cert(NSSCertificate *c, void *arg)
-{
-    CERTCertificate *nss3cert;
-    SECStatus secrv;
-    struct nss3_cert_cbstr *nss3cb = (struct nss3_cert_cbstr *)arg;
-    /* 'c' is not adopted. caller will free it */
-    nss3cert = STAN_GetCERTCertificate(c);
-    if (!nss3cert) return PR_FAILURE;
-    secrv = (*nss3cb->callback)(nss3cert, nss3cb->arg);
-    return (secrv) ? PR_FAILURE : PR_SUCCESS;
-}
-
-/*
- * build a cert nickname based on the token name and the label of the 
- * certificate If the label in NULL, build a label based on the ID.
- */
-static int toHex(int x) { return (x < 10) ? (x+'0') : (x+'a'-10); }
-#define MAX_CERT_ID 4
-#define DEFAULT_STRING "Cert ID "
-static char *
-pk11_buildNickname(PK11SlotInfo *slot,CK_ATTRIBUTE *cert_label,
-			CK_ATTRIBUTE *key_label, CK_ATTRIBUTE *cert_id)
-{
-    int prefixLen = PORT_Strlen(slot->token_name);
-    int suffixLen = 0;
-    char *suffix = NULL;
-    char buildNew[sizeof(DEFAULT_STRING)+MAX_CERT_ID*2];
-    char *next,*nickname;
-
-    if (cert_label && (cert_label->ulValueLen)) {
-	suffixLen = cert_label->ulValueLen;
-	suffix = (char*)cert_label->pValue;
-    } else if (key_label && (key_label->ulValueLen)) {
-	suffixLen = key_label->ulValueLen;
-	suffix = (char*)key_label->pValue;
-    } else if (cert_id && cert_id->ulValueLen > 0) {
-	int i,first = cert_id->ulValueLen - MAX_CERT_ID;
-	int offset = sizeof(DEFAULT_STRING);
-	char *idValue = (char *)cert_id->pValue;
-
-	PORT_Memcpy(buildNew,DEFAULT_STRING,sizeof(DEFAULT_STRING)-1);
-	next = buildNew + offset;
-	if (first < 0) first = 0;
-	for (i=first; i < (int) cert_id->ulValueLen; i++) {
-		*next++ = toHex((idValue[i] >> 4) & 0xf);
-		*next++ = toHex(idValue[i] & 0xf);
-	}
-	*next++ = 0;
-	suffix = buildNew;
-	suffixLen = PORT_Strlen(buildNew);
-    } else {
-	PORT_SetError( SEC_ERROR_LIBRARY_FAILURE );
-	return NULL;
-    }
-
-    /* if is internal key slot, add code to skip the prefix!! */
-    next = nickname = (char *)PORT_Alloc(prefixLen+1+suffixLen+1);
-    if (nickname == NULL) return NULL;
-
-    PORT_Memcpy(next,slot->token_name,prefixLen);
-    next += prefixLen;
-    *next++ = ':';
-    PORT_Memcpy(next,suffix,suffixLen);
-    next += suffixLen;
-    *next++ = 0;
-    return nickname;
-}
-
-PRBool
-PK11_IsUserCert(PK11SlotInfo *slot, CERTCertificate *cert,
-						CK_OBJECT_HANDLE certID)
-{
-    CK_OBJECT_CLASS theClass;
-
-    if (slot == NULL) return PR_FALSE;
-    if (cert == NULL) return PR_FALSE;
-
-    theClass = CKO_PRIVATE_KEY;
-    if (pk11_LoginStillRequired(slot,NULL)) {
-	theClass = CKO_PUBLIC_KEY;
-    }
-    if (PK11_MatchItem(slot, certID , theClass) != CK_INVALID_HANDLE) {
-	return PR_TRUE;
-    }
-
-   if (theClass == CKO_PUBLIC_KEY) {
-	SECKEYPublicKey *pubKey= CERT_ExtractPublicKey(cert);
-	CK_ATTRIBUTE theTemplate;
-
-	if (pubKey == NULL) {
-	   return PR_FALSE;
-	}
-
-	PK11_SETATTRS(&theTemplate,0,NULL,0);
-	switch (pubKey->keyType) {
-	case rsaKey:
-	    PK11_SETATTRS(&theTemplate,CKA_MODULUS, pubKey->u.rsa.modulus.data,
-						pubKey->u.rsa.modulus.len);
-	    break;
-	case dsaKey:
-	    PK11_SETATTRS(&theTemplate,CKA_VALUE, pubKey->u.dsa.publicValue.data,
-						pubKey->u.dsa.publicValue.len);
-	    break;
-	case dhKey:
-	    PK11_SETATTRS(&theTemplate,CKA_VALUE, pubKey->u.dh.publicValue.data,
-						pubKey->u.dh.publicValue.len);
-	    break;
-	case ecKey:
-	    PK11_SETATTRS(&theTemplate,CKA_EC_POINT, 
-			  pubKey->u.ec.publicValue.data,
-			  pubKey->u.ec.publicValue.len);
-	    break;
-	case keaKey:
-	case fortezzaKey:
-	case nullKey:
-	    /* fall through and return false */
-	    break;
-	}
-
-	if (theTemplate.ulValueLen == 0) {
-	    SECKEY_DestroyPublicKey(pubKey);
-	    return PR_FALSE;
-	}
-	pk11_SignedToUnsigned(&theTemplate);
-	if (pk11_FindObjectByTemplate(slot,&theTemplate,1) != CK_INVALID_HANDLE) {
-	    SECKEY_DestroyPublicKey(pubKey);
-	    return PR_TRUE;
-	}
-	SECKEY_DestroyPublicKey(pubKey);
-    }
-    return PR_FALSE;
-}
-
-/*
- * Check out if a cert has ID of zero. This is a magic ID that tells
- * NSS that this cert may be an automagically trusted cert.
- * The Cert has to be self signed as well. That check is done elsewhere.
- *  
- */
-PRBool
-pk11_isID0(PK11SlotInfo *slot, CK_OBJECT_HANDLE certID)
-{
-    CK_ATTRIBUTE keyID = {CKA_ID, NULL, 0};
-    PRBool isZero = PR_FALSE;
-    int i;
-    CK_RV crv;
-
-
-    crv = PK11_GetAttributes(NULL,slot,certID,&keyID,1);
-    if (crv != CKR_OK) {
-	return isZero;
-    }
-
-    if (keyID.ulValueLen != 0) {
-	char *value = (char *)keyID.pValue;
-	isZero = PR_TRUE; /* ID exists, may be zero */
-	for (i=0; i < (int) keyID.ulValueLen; i++) {
-	    if (value[i] != 0) {
-		isZero = PR_FALSE; /* nope */
-		break;
-	    }
-	}
-    }
-    PORT_Free(keyID.pValue);
-    return isZero;
-
-}
-
-/*
- * Create an NSSCertificate from a slot/certID pair, return it as a
- * CERTCertificate.
- */
-static CERTCertificate
-*pk11_fastCert(PK11SlotInfo *slot, CK_OBJECT_HANDLE certID, 
-			CK_ATTRIBUTE *privateLabel, char **nickptr)
-{
-    NSSCertificate *c;
-    nssCryptokiObject *co;
-    nssPKIObject *pkio;
-    NSSToken *token;
-    NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
-
-    /* Get the cryptoki object from the handle */
-    token = PK11Slot_GetNSSToken(slot);
-    co = nssCryptokiObject_Create(token, token->defaultSession, certID);
-    if (!co) {
-	return NULL;
-    }
-
-    /* Create a PKI object from the cryptoki instance */
-    pkio = nssPKIObject_Create(NULL, co, td, NULL);
-    if (!pkio) {
-	nssCryptokiObject_Destroy(co);
-	return NULL;
-    }
-
-    /* Create a certificate */
-    c = nssCertificate_Create(pkio);
-    if (!c) {
-	nssPKIObject_Destroy(pkio);
-	return NULL;
-    }
-
-    nssTrustDomain_AddCertsToCache(td, &c, 1);
-
-    /* Build the old-fashioned nickname */
-    if ((nickptr) && (co->label)) {
-	CK_ATTRIBUTE label, id;
-	label.type = CKA_LABEL;
-	label.pValue = co->label;
-	label.ulValueLen = PORT_Strlen(co->label);
-	id.type = CKA_ID;
-	id.pValue = c->id.data;
-	id.ulValueLen = c->id.size;
-	*nickptr = pk11_buildNickname(slot, &label, privateLabel, &id);
-    }
-    return STAN_GetCERTCertificateOrRelease(c);
-}
-
-/*
- * Build an CERTCertificate structure from a PKCS#11 object ID.... certID
- * Must be a CertObject. This code does not explicitly checks that.
- */
-CERTCertificate *
-PK11_MakeCertFromHandle(PK11SlotInfo *slot,CK_OBJECT_HANDLE certID,
-						CK_ATTRIBUTE *privateLabel)
-{
-    char * nickname = NULL;
-    CERTCertificate *cert = NULL;
-    CERTCertTrust *trust;
-    PRBool isFortezzaRootCA = PR_FALSE;
-    PRBool swapNickname = PR_FALSE;
-
-    cert = pk11_fastCert(slot,certID,privateLabel, &nickname);
-    if (cert == NULL) goto loser;
-	
-    if (nickname) {
-	if (cert->nickname != NULL) {
-		cert->dbnickname = cert->nickname;
-	} 
-	cert->nickname = PORT_ArenaStrdup(cert->arena,nickname);
-	PORT_Free(nickname);
-	nickname = NULL;
-	swapNickname = PR_TRUE;
-    }
-
-    /* remember where this cert came from.... If we have just looked
-     * it up from the database and it already has a slot, don't add a new
-     * one. */
-    if (cert->slot == NULL) {
-	cert->slot = PK11_ReferenceSlot(slot);
-	cert->pkcs11ID = certID;
-	cert->ownSlot = PR_TRUE;
-	cert->series = slot->series;
-    }
-
-    trust = (CERTCertTrust*)PORT_ArenaAlloc(cert->arena, sizeof(CERTCertTrust));
-    if (trust == NULL) goto loser;
-    PORT_Memset(trust,0, sizeof(CERTCertTrust));
-    cert->trust = trust;
-
-    
-
-    if(! pk11_HandleTrustObject(slot, cert, trust) ) {
-	unsigned int type;
-
-	/* build some cert trust flags */
-	if (CERT_IsCACert(cert, &type)) {
-	    unsigned int trustflags = CERTDB_VALID_CA;
-	   
-	    /* Allow PKCS #11 modules to give us trusted CA's. We only accept
-	     * valid CA's which are self-signed here. They must have an object
-	     * ID of '0'.  */ 
-	    if (pk11_isID0(slot,certID) && 
-		SECITEM_CompareItem(&cert->derSubject,&cert->derIssuer)
-							   == SECEqual) {
-		trustflags |= CERTDB_TRUSTED_CA;
-		/* is the slot a fortezza card? allow the user or
-		 * admin to turn on objectSigning, but don't turn
-		 * full trust on explicitly */
-		if (PK11_DoesMechanism(slot,CKM_KEA_KEY_DERIVE)) {
-		    trust->objectSigningFlags |= CERTDB_VALID_CA;
-		    isFortezzaRootCA = PR_TRUE;
-		}
-	    }
-	    if ((type & NS_CERT_TYPE_SSL_CA) == NS_CERT_TYPE_SSL_CA) {
-		trust->sslFlags |= trustflags;
-	    }
-	    if ((type & NS_CERT_TYPE_EMAIL_CA) == NS_CERT_TYPE_EMAIL_CA) {
-		trust->emailFlags |= trustflags;
-	    }
-	    if ((type & NS_CERT_TYPE_OBJECT_SIGNING_CA) 
-					== NS_CERT_TYPE_OBJECT_SIGNING_CA) {
-		trust->objectSigningFlags |= trustflags;
-	    }
-	}
-    }
-
-    if (PK11_IsUserCert(slot,cert,certID)) {
-	trust->sslFlags |= CERTDB_USER;
-	trust->emailFlags |= CERTDB_USER;
-	/*    trust->objectSigningFlags |= CERTDB_USER; */
-    }
-
-    return cert;
-
-loser:
-    if (nickname) PORT_Free(nickname);
-    if (cert) CERT_DestroyCertificate(cert);
-    return NULL;
-}
-
-	
-/*
- * Build get a certificate from a private key
- */
-CERTCertificate *
-PK11_GetCertFromPrivateKey(SECKEYPrivateKey *privKey)
-{
-    PK11SlotInfo *slot = privKey->pkcs11Slot;
-    CK_OBJECT_HANDLE handle = privKey->pkcs11ID;
-    CK_OBJECT_HANDLE certID = 
-		PK11_MatchItem(slot,handle,CKO_CERTIFICATE);
-    CERTCertificate *cert;
-
-    if (certID == CK_INVALID_HANDLE) {
-	PORT_SetError(SSL_ERROR_NO_CERTIFICATE);
-	return NULL;
-    }
-    cert = PK11_MakeCertFromHandle(slot,certID,NULL);
-    return (cert);
-
-}
-
-/*
- * delete a cert and it's private key (if no other certs are pointing to the
- * private key.
- */
-SECStatus
-PK11_DeleteTokenCertAndKey(CERTCertificate *cert,void *wincx)
-{
-    SECKEYPrivateKey *privKey = PK11_FindKeyByAnyCert(cert,wincx);
-    CK_OBJECT_HANDLE pubKey;
-    PK11SlotInfo *slot = NULL;
-
-    pubKey = pk11_FindPubKeyByAnyCert(cert, &slot, wincx);
-    if (privKey) {
-	/* For 3.4, utilize the generic cert delete function */
-	SEC_DeletePermCertificate(cert);
-	PK11_DeleteTokenPrivateKey(privKey, PR_FALSE);
-    }
-    if ((pubKey != CK_INVALID_HANDLE) && (slot != NULL)) { 
-    	PK11_DestroyTokenObject(slot,pubKey);
-        PK11_FreeSlot(slot);
-    }
-    return SECSuccess;
-}
-
-/*
- * cert callback structure
- */
-typedef struct pk11DoCertCallbackStr {
-	SECStatus(* callback)(PK11SlotInfo *slot, CERTCertificate*, void *);
-	SECStatus(* noslotcallback)(CERTCertificate*, void *);
-	SECStatus(* itemcallback)(CERTCertificate*, SECItem *, void *);
-	void *callbackArg;
-} pk11DoCertCallback;
-
-
-typedef struct pk11CertCallbackStr {
-	SECStatus(* callback)(CERTCertificate*,SECItem *,void *);
-	void *callbackArg;
-} pk11CertCallback;
-
-struct fake_der_cb_argstr
-{
-    SECStatus(* callback)(CERTCertificate*, SECItem *, void *);
-    void *arg;
-};
-
-static SECStatus fake_der_cb(CERTCertificate *c, void *a)
-{
-    struct fake_der_cb_argstr *fda = (struct fake_der_cb_argstr *)a;
-    return (*fda->callback)(c, &c->derCert, fda->arg);
-}
-
-/*
- * Extract all the certs on a card from a slot.
- */
-SECStatus
-PK11_TraverseSlotCerts(SECStatus(* callback)(CERTCertificate*,SECItem *,void *),
-						void *arg, void *wincx) 
-{
-    NSSTrustDomain *defaultTD = STAN_GetDefaultTrustDomain();
-    struct fake_der_cb_argstr fda;
-    struct nss3_cert_cbstr pk11cb;
-
-    /* authenticate to the tokens first */
-    (void) pk11_TraverseAllSlots( NULL, NULL, wincx);
-
-    fda.callback = callback;
-    fda.arg = arg;
-    pk11cb.callback = fake_der_cb;
-    pk11cb.arg = &fda;
-    NSSTrustDomain_TraverseCertificates(defaultTD, convert_cert, &pk11cb);
-    return SECSuccess;
-}
-
-static void
-transfer_token_certs_to_collection(nssList *certList, NSSToken *token, 
-                                   nssPKIObjectCollection *collection)
-{
-    NSSCertificate **certs;
-    PRUint32 i, count;
-    NSSToken **tokens, **tp;
-    count = nssList_Count(certList);
-    if (count == 0) {
-	return;
-    }
-    certs = nss_ZNEWARRAY(NULL, NSSCertificate *, count);
-    if (!certs) {
-	return;
-    }
-    nssList_GetArray(certList, (void **)certs, count);
-    for (i=0; i<count; i++) {
-	tokens = nssPKIObject_GetTokens(&certs[i]->object, NULL);
-	if (tokens) {
-	    for (tp = tokens; *tp; tp++) {
-		if (*tp == token) {
-		    nssPKIObjectCollection_AddObject(collection, 
-		                                     (nssPKIObject *)certs[i]);
-		}
-	    }
-	    nssTokenArray_Destroy(tokens);
-	}
-	CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(certs[i]));
-    }
-    nss_ZFreeIf(certs);
-}
-
-CERTCertificate *
-PK11_FindCertFromNickname(char *nickname, void *wincx) 
-{
-    PRStatus status;
-    CERTCertificate *rvCert = NULL;
-    NSSCertificate *cert = NULL;
-    NSSCertificate **certs = NULL;
-    static const NSSUsage usage = {PR_TRUE /* ... */ };
-    NSSToken *token;
-    NSSTrustDomain *defaultTD = STAN_GetDefaultTrustDomain();
-    PK11SlotInfo *slot = NULL;
-    SECStatus rv;
-    char *nickCopy;
-    char *delimit = NULL;
-    char *tokenName;
-
-    nickCopy = PORT_Strdup(nickname);
-    if ((delimit = PORT_Strchr(nickCopy,':')) != NULL) {
-	tokenName = nickCopy;
-	nickname = delimit + 1;
-	*delimit = '\0';
-	/* find token by name */
-	token = NSSTrustDomain_FindTokenByName(defaultTD, (NSSUTF8 *)tokenName);
-	if (token) {
-		slot = PK11_ReferenceSlot(token->pk11slot);
-	}
-	*delimit = ':';
-    } else {
-	slot = PK11_GetInternalKeySlot();
-	token = PK11Slot_GetNSSToken(slot);
-    }
-    if (token) {
-	nssList *certList;
-	nssCryptokiObject **instances;
-	nssPKIObjectCollection *collection;
-	nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
-	if (!PK11_IsPresent(slot)) {
-	    goto loser;
-	}
-   	rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-	collection = nssCertificateCollection_Create(defaultTD, NULL);
-	if (!collection) {
-	    goto loser;
-	}
-	certList = nssList_Create(NULL, PR_FALSE);
-	if (!certList) {
-	    nssPKIObjectCollection_Destroy(collection);
-	    goto loser;
-	}
-	(void)nssTrustDomain_GetCertsForNicknameFromCache(defaultTD, 
-	                                                  nickname, 
-	                                                  certList);
-	transfer_token_certs_to_collection(certList, token, collection);
-	instances = nssToken_FindCertificatesByNickname(token,
-	                                                NULL,
-	                                                nickname,
-	                                                tokenOnly,
-	                                                0,
-	                                                &status);
-	nssPKIObjectCollection_AddInstances(collection, instances, 0);
-	nss_ZFreeIf(instances);
-	/* if it wasn't found, repeat the process for email address */
-	if (nssPKIObjectCollection_Count(collection) == 0 &&
-	    PORT_Strchr(nickname, '@') != NULL) 
-	{
-	    char* lowercaseName = CERT_FixupEmailAddr(nickname);
-	    if (lowercaseName) {
-		(void)nssTrustDomain_GetCertsForEmailAddressFromCache(defaultTD, 
-								      lowercaseName, 
-								      certList);
-		transfer_token_certs_to_collection(certList, token, collection);
-		instances = nssToken_FindCertificatesByEmail(token,
-							     NULL,
-							     lowercaseName,
-							     tokenOnly,
-							     0,
-							     &status);
-		nssPKIObjectCollection_AddInstances(collection, instances, 0);
-		nss_ZFreeIf(instances);
-		PORT_Free(lowercaseName);
-	    }
-	}
-	certs = nssPKIObjectCollection_GetCertificates(collection, 
-	                                               NULL, 0, NULL);
-	nssPKIObjectCollection_Destroy(collection);
-	if (certs) {
-	    cert = nssCertificateArray_FindBestCertificate(certs, NULL, 
-	                                                   &usage, NULL);
-	    if (cert) {
-		rvCert = STAN_GetCERTCertificateOrRelease(cert);
-	    }
-	    nssCertificateArray_Destroy(certs);
-	}
-	nssList_Destroy(certList);
-    }
-    if (slot) {
-	PK11_FreeSlot(slot);
-    }
-    if (nickCopy) PORT_Free(nickCopy);
-    return rvCert;
-loser:
-    if (slot) {
-	PK11_FreeSlot(slot);
-    }
-    if (nickCopy) PORT_Free(nickCopy);
-    return NULL;
-}
-
-CERTCertList *
-PK11_FindCertsFromNickname(char *nickname, void *wincx) 
-{
-    char *nickCopy;
-    char *delimit = NULL;
-    char *tokenName;
-    int i;
-    CERTCertList *certList = NULL;
-    nssPKIObjectCollection *collection = NULL;
-    NSSCertificate **foundCerts = NULL;
-    NSSTrustDomain *defaultTD = STAN_GetDefaultTrustDomain();
-    NSSCertificate *c;
-    NSSToken *token;
-    PK11SlotInfo *slot;
-    SECStatus rv;
-
-    nickCopy = PORT_Strdup(nickname);
-    if ((delimit = PORT_Strchr(nickCopy,':')) != NULL) {
-	tokenName = nickCopy;
-	nickname = delimit + 1;
-	*delimit = '\0';
-	/* find token by name */
-	token = NSSTrustDomain_FindTokenByName(defaultTD, (NSSUTF8 *)tokenName);
-	if (token) {
-	    slot = PK11_ReferenceSlot(token->pk11slot);
-	} else {
-	    slot = NULL;
-	}
-	*delimit = ':';
-    } else {
-	slot = PK11_GetInternalKeySlot();
-	token = PK11Slot_GetNSSToken(slot);
-    }
-    if (token) {
-	PRStatus status;
-	nssList *nameList;
-	nssCryptokiObject **instances;
-	nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
-   	rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
-	if (rv != SECSuccess) {
-	    PK11_FreeSlot(slot);
-    	    if (nickCopy) PORT_Free(nickCopy);
-	    return NULL;
-	}
-	collection = nssCertificateCollection_Create(defaultTD, NULL);
-	if (!collection) {
-	    PK11_FreeSlot(slot);
-	    if (nickCopy) PORT_Free(nickCopy);
-	    return NULL;
-	}
-	nameList = nssList_Create(NULL, PR_FALSE);
-	if (!nameList) {
-	    PK11_FreeSlot(slot);
-	    if (nickCopy) PORT_Free(nickCopy);
-	    return NULL;
-	}
-	(void)nssTrustDomain_GetCertsForNicknameFromCache(defaultTD,
-	                                                  nickname, 
-	                                                  nameList);
-	transfer_token_certs_to_collection(nameList, token, collection);
-	instances = nssToken_FindCertificatesByNickname(token,
-	                                                NULL,
-	                                                nickname,
-	                                                tokenOnly,
-	                                                0,
-	                                                &status);
-	nssPKIObjectCollection_AddInstances(collection, instances, 0);
-	nss_ZFreeIf(instances);
-	nssList_Destroy(nameList);
-	foundCerts = nssPKIObjectCollection_GetCertificates(collection,
-	                                                    NULL, 0, NULL);
-	nssPKIObjectCollection_Destroy(collection);
-    }
-    if (slot) {
-	PK11_FreeSlot(slot);
-    }
-    if (nickCopy) PORT_Free(nickCopy);
-    if (foundCerts) {
-	PRTime now = PR_Now();
-	certList = CERT_NewCertList();
-	for (i=0, c = *foundCerts; c; c = foundCerts[++i]) {
-	    CERTCertificate *certCert = STAN_GetCERTCertificateOrRelease(c);
-	    /* c may be invalid after this, don't reference it */
-	    if (certCert) {
-	        /* CERT_AddCertToListSorted adopts certCert  */
-		CERT_AddCertToListSorted(certList, certCert,
-			CERT_SortCBValidity, &now);
-	    }
-	}
-	if (CERT_LIST_HEAD(certList) == NULL) {
-	    CERT_DestroyCertList(certList);
-	    certList = NULL;
-	}
-	/* all the certs have been adopted or freed, free the  raw array */
-	nss_ZFreeIf(foundCerts);
-    }
-    return certList;
-}
-
-/*
- * extract a key ID for a certificate...
- * NOTE: We call this function from PKCS11.c If we ever use
- * pkcs11 to extract the public key (we currently do not), this will break.
- */
-SECItem *
-PK11_GetPubIndexKeyID(CERTCertificate *cert) {
-    SECKEYPublicKey *pubk;
-    SECItem *newItem = NULL;
-
-    pubk = CERT_ExtractPublicKey(cert);
-    if (pubk == NULL) return NULL;
-
-    switch (pubk->keyType) {
-    case rsaKey:
-	newItem = SECITEM_DupItem(&pubk->u.rsa.modulus);
-	break;
-    case dsaKey:
-        newItem = SECITEM_DupItem(&pubk->u.dsa.publicValue);
-	break;
-    case dhKey:
-        newItem = SECITEM_DupItem(&pubk->u.dh.publicValue);
-	break;
-    case ecKey:
-        newItem = SECITEM_DupItem(&pubk->u.ec.publicValue);
-	break;
-    case fortezzaKey:
-    default:
-	newItem = NULL; /* Fortezza Fix later... */
-    }
-    SECKEY_DestroyPublicKey(pubk);
-    /* make hash of it */
-    return newItem;
-}
-
-/*
- * generate a CKA_ID from a certificate.
- */
-SECItem *
-pk11_mkcertKeyID(CERTCertificate *cert) {
-    SECItem *pubKeyData = PK11_GetPubIndexKeyID(cert) ;
-    SECItem *certCKA_ID;
-
-    if (pubKeyData == NULL) return NULL;
-    
-    certCKA_ID = PK11_MakeIDFromPubKey(pubKeyData);
-    SECITEM_FreeItem(pubKeyData,PR_TRUE);
-    return certCKA_ID;
-}
-
-/*
- * Write the cert into the token.
- */
-SECStatus
-PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert, 
-		CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust) 
-{
-    PRStatus status;
-    NSSCertificate *c;
-    nssCryptokiObject *keyobj, *certobj;
-    NSSToken *token = PK11Slot_GetNSSToken(slot);
-    SECItem *keyID = pk11_mkcertKeyID(cert);
-    char *emailAddr = NULL;
-
-    if (keyID == NULL) {
-	goto loser;
-    }
-
-    if (PK11_IsInternal(slot) && cert->emailAddr && cert->emailAddr[0]) {
-	emailAddr = cert->emailAddr;
-    }
-
-    /* need to get the cert as a stan cert */
-    if (cert->nssCertificate) {
-	c = cert->nssCertificate;
-    } else {
-	c = STAN_GetNSSCertificate(cert);
-    }
-
-    if (c->object.cryptoContext) {
-	/* Delete the temp instance */
-	NSSCryptoContext *cc = c->object.cryptoContext;
-	nssCertificateStore_Lock(cc->certStore);
-	nssCertificateStore_RemoveCertLOCKED(cc->certStore, c);
-	nssCertificateStore_Unlock(cc->certStore);
-	c->object.cryptoContext = NULL;
-	cert->istemp = PR_FALSE;
-	cert->isperm = PR_TRUE;
-    }
-
-    /* set the id for the cert */
-    nssItem_Create(c->object.arena, &c->id, keyID->len, keyID->data);
-    if (!c->id.data) {
-	goto loser;
-    }
-
-    if (key != CK_INVALID_HANDLE) {
-	/* create an object for the key, ... */
-	keyobj = nss_ZNEW(NULL, nssCryptokiObject);
-	if (!keyobj) {
-	    goto loser;
-	}
-	keyobj->token = nssToken_AddRef(token);
-	keyobj->handle = key;
-	keyobj->isTokenObject = PR_TRUE;
-
-	/* ... in order to set matching attributes for the key */
-	status = nssCryptokiPrivateKey_SetCertificate(keyobj, NULL, nickname, 
-	                                              &c->id, &c->subject);
-	nssCryptokiObject_Destroy(keyobj);
-	if (status != PR_SUCCESS) {
-	    goto loser;
-	}
-    }
-
-    /* do the token import */
-    certobj = nssToken_ImportCertificate(token, NULL,
-                                         NSSCertificateType_PKIX,
-                                         &c->id,
-                                         nickname,
-                                         &c->encoding,
-                                         &c->issuer,
-                                         &c->subject,
-                                         &c->serial,
-					 emailAddr,
-                                         PR_TRUE);
-    if (!certobj) {
-	if (NSS_GetError() == NSS_ERROR_INVALID_CERTIFICATE) {
-	    PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
-	    SECITEM_FreeItem(keyID,PR_TRUE);
-	    return SECFailure;
-	}
-	goto loser;
-    }
-    /* add the new instance to the cert, force an update of the
-     * CERTCertificate, and finish
-     */
-    nssPKIObject_AddInstance(&c->object, certobj);
-    nssTrustDomain_AddCertsToCache(STAN_GetDefaultTrustDomain(), &c, 1);
-    (void)STAN_ForceCERTCertificateUpdate(c);
-    SECITEM_FreeItem(keyID,PR_TRUE);
-    return SECSuccess;
-loser:
-    SECITEM_FreeItem(keyID,PR_TRUE);
-    PORT_SetError(SEC_ERROR_ADDING_CERT);
-    return SECFailure;
-}
-
-SECStatus
-PK11_ImportDERCert(PK11SlotInfo *slot, SECItem *derCert,
-		CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust) {
-    CERTCertificate *cert;
-    SECStatus rv;
-
-    cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
-                                   derCert, NULL, PR_FALSE, PR_TRUE);
-    if (cert == NULL) return SECFailure;
-
-    rv = PK11_ImportCert(slot, cert, key, nickname, includeTrust);
-    CERT_DestroyCertificate (cert);
-    return rv;
-}
-
-/*
- * get a certificate handle, look at the cached handle first..
- */
-CK_OBJECT_HANDLE
-pk11_getcerthandle(PK11SlotInfo *slot, CERTCertificate *cert, 
-					CK_ATTRIBUTE *theTemplate,int tsize)
-{
-    CK_OBJECT_HANDLE certh;
-
-    if (cert->slot == slot) {
-	certh = cert->pkcs11ID;
-	if ((certh == CK_INVALID_HANDLE) ||
-			(cert->series != slot->series)) {
-    	     certh = pk11_FindObjectByTemplate(slot,theTemplate,tsize);
-	     cert->pkcs11ID = certh;
-	     cert->series = slot->series;
-	}
-    } else {
-    	certh = pk11_FindObjectByTemplate(slot,theTemplate,tsize);
-    }
-    return certh;
-}
-
-/*
- * return the private key From a given Cert
- */
-SECKEYPrivateKey *
-PK11_FindPrivateKeyFromCert(PK11SlotInfo *slot, CERTCertificate *cert,
-								 void *wincx) {
-    CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
-    CK_ATTRIBUTE theTemplate[] = {
-	{ CKA_VALUE, NULL, 0 },
-	{ CKA_CLASS, NULL, 0 }
-    };
-    /* if you change the array, change the variable below as well */
-    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
-    CK_OBJECT_HANDLE certh;
-    CK_OBJECT_HANDLE keyh;
-    CK_ATTRIBUTE *attrs = theTemplate;
-    SECStatus rv;
-
-    PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data, 
-						cert->derCert.len); attrs++;
-    PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass));
-
-    /*
-     * issue the find
-     */
-    rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
-    if (rv != SECSuccess) {
-	return NULL;
-    }
-
-    certh = pk11_getcerthandle(slot,cert,theTemplate,tsize);
-    if (certh == CK_INVALID_HANDLE) {
-	return NULL;
-    }
-    keyh = PK11_MatchItem(slot,certh,CKO_PRIVATE_KEY);
-    if ((keyh == CK_INVALID_HANDLE) && 
-			(PORT_GetError() == SSL_ERROR_NO_CERTIFICATE) && 
-			pk11_LoginStillRequired(slot, wincx)) {
-	/* try it again authenticated */
-	rv = PK11_Authenticate(slot, PR_TRUE, wincx);
-	if (rv != SECSuccess) {
-	    return NULL;
-	}
-	keyh = PK11_MatchItem(slot,certh,CKO_PRIVATE_KEY);
-    }
-    if (keyh == CK_INVALID_HANDLE) { 
-	return NULL; 
-    }
-    return PK11_MakePrivKey(slot, nullKey, PR_TRUE, keyh, wincx);
-} 
-
-/*
- * import a cert for a private key we have already generated. Set the label
- * on both to be the nickname. This is for the Key Gen, orphaned key case.
- */
-PK11SlotInfo *
-PK11_KeyForCertExists(CERTCertificate *cert, CK_OBJECT_HANDLE *keyPtr, 
-								void *wincx) {
-    PK11SlotList *list;
-    PK11SlotListElement *le;
-    SECItem *keyID;
-    CK_OBJECT_HANDLE key;
-    PK11SlotInfo *slot = NULL;
-    SECStatus rv;
-
-    keyID = pk11_mkcertKeyID(cert);
-    /* get them all! */
-    list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_TRUE,wincx);
-    if ((keyID == NULL) || (list == NULL)) {
-	if (keyID) SECITEM_FreeItem(keyID,PR_TRUE);
-	if (list) PK11_FreeSlotList(list);
-    	return NULL;
-    }
-
-    /* Look for the slot that holds the Key */
-    for (le = list->head ; le; le = le->next) {
-	key = pk11_FindPrivateKeyFromCertID(le->slot,keyID);
-	if ((key == CK_INVALID_HANDLE) && 
-			(PORT_GetError() == SSL_ERROR_NO_CERTIFICATE) && 
-			pk11_LoginStillRequired(le->slot,wincx)) {
-	    /* authenticate and try again */
-	    rv = PK11_Authenticate(le->slot, PR_TRUE, wincx);
-	    if (rv != SECSuccess) continue;
-	    key = pk11_FindPrivateKeyFromCertID(le->slot,keyID);
-	}
-	if (key != CK_INVALID_HANDLE) {
-	    slot = PK11_ReferenceSlot(le->slot);
-	    if (keyPtr) *keyPtr = key;
-	    break;
-	}
-    }
-
-    SECITEM_FreeItem(keyID,PR_TRUE);
-    PK11_FreeSlotList(list);
-    return slot;
-
-}
-/*
- * import a cert for a private key we have already generated. Set the label
- * on both to be the nickname. This is for the Key Gen, orphaned key case.
- */
-PK11SlotInfo *
-PK11_KeyForDERCertExists(SECItem *derCert, CK_OBJECT_HANDLE *keyPtr, 
-								void *wincx) {
-    CERTCertificate *cert;
-    PK11SlotInfo *slot = NULL;
-
-    /* letting this use go -- the only thing that the cert is used for is
-     * to get the ID attribute.
-     */
-    cert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL);
-    if (cert == NULL) return NULL;
-
-    slot = PK11_KeyForCertExists(cert, keyPtr, wincx);
-    CERT_DestroyCertificate (cert);
-    return slot;
-}
-
-PK11SlotInfo *
-PK11_ImportCertForKey(CERTCertificate *cert, char *nickname,void *wincx) {
-    PK11SlotInfo *slot = NULL;
-    CK_OBJECT_HANDLE key;
-
-    slot = PK11_KeyForCertExists(cert,&key,wincx);
-
-    if (slot) {
-	if (PK11_ImportCert(slot,cert,key,nickname,PR_FALSE) != SECSuccess) {
-	    PK11_FreeSlot(slot);
-	    slot = NULL;
-	}
-    } else {
-	PORT_SetError(SEC_ERROR_ADDING_CERT);
-    }
-
-    return slot;
-}
-
-PK11SlotInfo *
-PK11_ImportDERCertForKey(SECItem *derCert, char *nickname,void *wincx) {
-    CERTCertificate *cert;
-    PK11SlotInfo *slot = NULL;
-
-    cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
-                                   derCert, NULL, PR_FALSE, PR_TRUE);
-    if (cert == NULL) return NULL;
-
-    slot = PK11_ImportCertForKey(cert, nickname, wincx);
-    CERT_DestroyCertificate (cert);
-    return slot;
-}
-
-static CK_OBJECT_HANDLE
-pk11_FindCertObjectByTemplate(PK11SlotInfo **slotPtr, 
-		CK_ATTRIBUTE *searchTemplate, int count, void *wincx) {
-    PK11SlotList *list;
-    PK11SlotListElement *le;
-    CK_OBJECT_HANDLE certHandle = CK_INVALID_HANDLE;
-    PK11SlotInfo *slot = NULL;
-    SECStatus rv;
-
-    *slotPtr = NULL;
-
-    /* get them all! */
-    list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_TRUE,wincx);
-    if (list == NULL) {
-	if (list) PK11_FreeSlotList(list);
-    	return CK_INVALID_HANDLE;
-    }
-
-
-    /* Look for the slot that holds the Key */
-    for (le = list->head ; le; le = le->next) {
-	rv = pk11_AuthenticateUnfriendly(le->slot, PR_TRUE, wincx);
-	if (rv != SECSuccess) continue;
-
-	certHandle = pk11_FindObjectByTemplate(le->slot,searchTemplate,count);
-	if (certHandle != CK_INVALID_HANDLE) {
-	    slot = PK11_ReferenceSlot(le->slot);
-	    break;
-	}
-    }
-
-    PK11_FreeSlotList(list);
-
-    if (slot == NULL) {
-	return CK_INVALID_HANDLE;
-    }
-    *slotPtr = slot;
-    return certHandle;
-}
-
-CERTCertificate *
-PK11_FindCertByIssuerAndSNOnToken(PK11SlotInfo *slot, 
-				CERTIssuerAndSN *issuerSN, void *wincx)
-{
-    CERTCertificate *rvCert = NULL;
-    NSSCertificate *cert = NULL;
-    NSSDER issuer, serial;
-    NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
-    NSSToken *token = slot->nssToken;
-    nssSession *session;
-    nssCryptokiObject *instance = NULL;
-    nssPKIObject *object = NULL;
-    SECItem *derSerial;
-    PRStatus status;
-
-    /* Paranoia */
-    if (token == NULL) {
-	PORT_SetError(SEC_ERROR_NO_TOKEN);
-	return NULL;
-    }
-
-
-    /* PKCS#11 needs to use DER-encoded serial numbers.  Create a
-     * CERTIssuerAndSN that actually has the encoded value and pass that
-     * to PKCS#11 (and the crypto context).
-     */
-    derSerial = SEC_ASN1EncodeItem(NULL, NULL,
-                                   &issuerSN->serialNumber,
-                                   SEC_IntegerTemplate);
-    if (!derSerial) {
-	return NULL;
-    }
-
-    NSSITEM_FROM_SECITEM(&issuer, &issuerSN->derIssuer);
-    NSSITEM_FROM_SECITEM(&serial, derSerial);
-
-    session = nssToken_GetDefaultSession(token);
-    if (!session) {
-	goto loser;
-    }
-
-    instance = nssToken_FindCertificateByIssuerAndSerialNumber(token,session,
-		&issuer, &serial, nssTokenSearchType_TokenForced, &status);
-
-    SECITEM_FreeItem(derSerial, PR_TRUE);
-
-    if (!instance) {
-	goto loser;
-    }
-    object = nssPKIObject_Create(NULL, instance, td, NULL);
-    if (!object) {
-	goto loser;
-    }
-    instance = NULL; /* adopted by the previous call */
-    cert = nssCertificate_Create(object);
-    if (!cert) {
-	goto loser;
-    }
-    object = NULL; /* adopted by the previous call */
-    nssTrustDomain_AddCertsToCache(td, &cert,1);
-    /* on failure, cert is freed below */
-    rvCert = STAN_GetCERTCertificate(cert);
-    if (!rvCert) {
-	goto loser;
-    }
-    return rvCert;
-
-loser:
-    if (instance) {
-	nssCryptokiObject_Destroy(instance);
-    }
-    if (object) {
-	nssPKIObject_Destroy(object);
-    }
-    if (cert) {
-	nssCertificate_Destroy(cert);
-    }
-    return NULL;
-}
-
-/*
- * We're looking for a cert which we have the private key for that's on the
- * list of recipients. This searches one slot.
- * this is the new version for NSS SMIME code
- * this stuff should REALLY be in the SMIME code, but some things in here are not public
- * (they should be!)
- */
-static CERTCertificate *
-pk11_FindCertObjectByRecipientNew(PK11SlotInfo *slot, NSSCMSRecipient **recipientlist, int *rlIndex, void *pwarg)
-{
-    NSSCMSRecipient *ri = NULL;
-    int i;
-
-    for (i=0; (ri = recipientlist[i]) != NULL; i++) {
-	CERTCertificate *cert = NULL;
-	if (ri->kind == RLSubjKeyID) {
-	    SECItem *derCert = cert_FindDERCertBySubjectKeyID(ri->id.subjectKeyID);
-	    if (derCert) {
-		cert = PK11_FindCertFromDERCertItem(slot, derCert, pwarg);
-		SECITEM_FreeItem(derCert, PR_TRUE);
-	    }
-	} else {
-	    cert = PK11_FindCertByIssuerAndSNOnToken(slot, ri->id.issuerAndSN, 
-						     pwarg);
-	}
-	if (cert) {
-	    /* this isn't our cert */
-	    if ((cert->trust == NULL) ||
-       		((cert->trust->emailFlags & CERTDB_USER) != CERTDB_USER)) {
-		 CERT_DestroyCertificate(cert);
-		continue;
-	    }
-	    ri->slot = PK11_ReferenceSlot(slot);
-	    *rlIndex = i;
-	    return cert;
-	}
-    }
-    *rlIndex = -1;
-    return NULL;
-}
-
-/*
- * This function is the same as above, but it searches all the slots.
- * this is the new version for NSS SMIME code
- * this stuff should REALLY be in the SMIME code, but some things in here are not public
- * (they should be!)
- */
-static CERTCertificate *
-pk11_AllFindCertObjectByRecipientNew(NSSCMSRecipient **recipientlist, void *wincx, int *rlIndex)
-{
-    PK11SlotList *list;
-    PK11SlotListElement *le;
-    CERTCertificate *cert = NULL;
-    SECStatus rv;
-
-    /* get them all! */
-    list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_TRUE,wincx);
-    if (list == NULL) {
-	if (list) PK11_FreeSlotList(list);
-    	return CK_INVALID_HANDLE;
-    }
-
-    /* Look for the slot that holds the Key */
-    for (le = list->head ; le; le = le->next) {
-	rv = pk11_AuthenticateUnfriendly(le->slot, PR_TRUE, wincx);
-	if (rv != SECSuccess) continue;
-
-	cert = pk11_FindCertObjectByRecipientNew(le->slot, 
-					recipientlist, rlIndex, wincx);
-	if (cert)
-	    break;
-    }
-
-    PK11_FreeSlotList(list);
-
-    return cert;
-}
-
-/*
- * We're looking for a cert which we have the private key for that's on the
- * list of recipients. This searches one slot.
- */
-static CERTCertificate *
-pk11_FindCertObjectByRecipient(PK11SlotInfo *slot, 
-	SEC_PKCS7RecipientInfo **recipientArray,
-	SEC_PKCS7RecipientInfo **rip, void *pwarg)
-{
-    SEC_PKCS7RecipientInfo *ri = NULL;
-    int i;
-
-    for (i=0; (ri = recipientArray[i]) != NULL; i++) {
-	CERTCertificate *cert;
-
-	cert = PK11_FindCertByIssuerAndSNOnToken(slot, ri->issuerAndSN, 
-								pwarg);
-        if (cert) {
-	    /* this isn't our cert */
-	    if ((cert->trust == NULL) ||
-       		((cert->trust->emailFlags & CERTDB_USER) != CERTDB_USER)) {
-		 CERT_DestroyCertificate(cert);
-		continue;
-	    }
-	    *rip = ri;
-	    return cert;
-	}
-
-    }
-    *rip = NULL;
-    return NULL;
-}
-
-/*
- * This function is the same as above, but it searches all the slots.
- */
-static CERTCertificate *
-pk11_AllFindCertObjectByRecipient(PK11SlotInfo **slotPtr, 
-	SEC_PKCS7RecipientInfo **recipientArray,SEC_PKCS7RecipientInfo **rip,
-							void *wincx) {
-    PK11SlotList *list;
-    PK11SlotListElement *le;
-    CERTCertificate * cert = NULL;
-    PK11SlotInfo *slot = NULL;
-    SECStatus rv;
-
-    *slotPtr = NULL;
-
-    /* get them all! */
-    list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_TRUE,wincx);
-    if (list == NULL) {
-	if (list) PK11_FreeSlotList(list);
-    	return CK_INVALID_HANDLE;
-    }
-
-    *rip = NULL;
-
-    /* Look for the slot that holds the Key */
-    for (le = list->head ; le; le = le->next) {
-	rv = pk11_AuthenticateUnfriendly(le->slot, PR_TRUE, wincx);
-	if (rv != SECSuccess) continue;
-
-	cert = pk11_FindCertObjectByRecipient(le->slot, recipientArray, 
-							rip, wincx);
-	if (cert) {
-	    slot = PK11_ReferenceSlot(le->slot);
-	    break;
-	}
-    }
-
-    PK11_FreeSlotList(list);
-
-    if (slot == NULL) {
-	return NULL;
-    }
-    *slotPtr = slot;
-    PORT_Assert(cert != NULL);
-    return cert;
-}
-
-/*
- * We need to invert the search logic for PKCS 7 because if we search for
- * each cert on the list over all the slots, we wind up with lots of spurious
- * password prompts. This way we get only one password prompt per slot, at
- * the max, and most of the time we can find the cert, and only prompt for
- * the key...
- */
-CERTCertificate *
-PK11_FindCertAndKeyByRecipientList(PK11SlotInfo **slotPtr, 
-	SEC_PKCS7RecipientInfo **array, SEC_PKCS7RecipientInfo **rip,
-				SECKEYPrivateKey**privKey, void *wincx)
-{
-    CERTCertificate *cert = NULL;
-
-    *privKey = NULL;
-    *slotPtr = NULL;
-    cert = pk11_AllFindCertObjectByRecipient(slotPtr,array,rip,wincx);
-    if (!cert) {
-	return NULL;
-    }
-
-    *privKey = PK11_FindKeyByAnyCert(cert, wincx);
-    if (*privKey == NULL) {
-	goto loser;
-    }
-
-    return cert;
-loser:
-    if (cert) CERT_DestroyCertificate(cert);
-    if (*slotPtr) PK11_FreeSlot(*slotPtr);
-    *slotPtr = NULL;
-    return NULL;
-}
-
-static PRCallOnceType keyIDHashCallOnce;
-
-static PRStatus PR_CALLBACK
-pk11_keyIDHash_populate(void *wincx)
-{
-    CERTCertList     *certList;
-    CERTCertListNode *node = NULL;
-    SECItem           subjKeyID = {siBuffer, NULL, 0};
-
-    certList = PK11_ListCerts(PK11CertListUser, wincx);
-    if (!certList) {
-	return PR_FAILURE;
-    }
-
-    for (node = CERT_LIST_HEAD(certList);
-         !CERT_LIST_END(node, certList);
-         node = CERT_LIST_NEXT(node)) {
-	if (CERT_FindSubjectKeyIDExtension(node->cert, 
-	                                   &subjKeyID) == SECSuccess && 
-	    subjKeyID.data != NULL) {
-	    cert_AddSubjectKeyIDMapping(&subjKeyID, node->cert);
-	    SECITEM_FreeItem(&subjKeyID, PR_FALSE);
-	}
-    }
-    CERT_DestroyCertList(certList);
-    return PR_SUCCESS;
-}
-
-/*
- * This is the new version of the above function for NSS SMIME code
- * this stuff should REALLY be in the SMIME code, but some things in here are not public
- * (they should be!)
- */
-int
-PK11_FindCertAndKeyByRecipientListNew(NSSCMSRecipient **recipientlist, void *wincx)
-{
-    CERTCertificate *cert;
-    NSSCMSRecipient *rl;
-    PRStatus rv;
-    int rlIndex;
-
-    rv = PR_CallOnceWithArg(&keyIDHashCallOnce, pk11_keyIDHash_populate, wincx);
-    if (rv != PR_SUCCESS)
-	return -1;
-
-    cert = pk11_AllFindCertObjectByRecipientNew(recipientlist, wincx, &rlIndex);
-    if (!cert) {
-	return -1;
-    }
-
-    rl = recipientlist[rlIndex];
-
-    /* at this point, rl->slot is set */
-
-    rl->privkey = PK11_FindKeyByAnyCert(cert, wincx);
-    if (rl->privkey == NULL) {
-	goto loser;
-    }
-
-    /* make a cert from the cert handle */
-    rl->cert = cert;
-    return rlIndex;
-
-loser:
-    if (cert) CERT_DestroyCertificate(cert);
-    if (rl->slot) PK11_FreeSlot(rl->slot);
-    rl->slot = NULL;
-    return -1;
-}
-
-CERTCertificate *
-PK11_FindCertByIssuerAndSN(PK11SlotInfo **slotPtr, CERTIssuerAndSN *issuerSN,
-							 void *wincx)
-{
-    CERTCertificate *rvCert = NULL;
-    NSSCertificate *cert;
-    NSSDER issuer, serial;
-    NSSCryptoContext *cc;
-    SECItem *derSerial;
-
-    if (slotPtr) *slotPtr = NULL;
-
-    /* PKCS#11 needs to use DER-encoded serial numbers.  Create a
-     * CERTIssuerAndSN that actually has the encoded value and pass that
-     * to PKCS#11 (and the crypto context).
-     */
-    derSerial = SEC_ASN1EncodeItem(NULL, NULL,
-                                   &issuerSN->serialNumber,
-                                   SEC_IntegerTemplate);
-    if (!derSerial) {
-	return NULL;
-    }
-
-    NSSITEM_FROM_SECITEM(&issuer, &issuerSN->derIssuer);
-    NSSITEM_FROM_SECITEM(&serial, derSerial);
-
-    cc = STAN_GetDefaultCryptoContext();
-    cert = NSSCryptoContext_FindCertificateByIssuerAndSerialNumber(cc, 
-                                                                &issuer, 
-                                                                &serial);
-    if (cert) {
-	SECITEM_FreeItem(derSerial, PR_TRUE);
-	return STAN_GetCERTCertificateOrRelease(cert);
-    }
-
-    do {
-	/* free the old cert on retry. Associated slot was not present */
-	if (rvCert) {
-	    CERT_DestroyCertificate(rvCert);
-	    rvCert = NULL;
- 	}
-
-	cert = NSSTrustDomain_FindCertificateByIssuerAndSerialNumber(
-                                                  STAN_GetDefaultTrustDomain(),
-                                                  &issuer,
-                                                  &serial);
-	if (!cert) {
-	    break;
-	}
-
-	rvCert = STAN_GetCERTCertificateOrRelease(cert);
-	if (rvCert == NULL) {
-	   break;
-	}
-
-	/* Check to see if the cert's token is still there */
-    } while (!PK11_IsPresent(rvCert->slot));
-
-    if (rvCert && slotPtr) *slotPtr = PK11_ReferenceSlot(rvCert->slot);
-
-    SECITEM_FreeItem(derSerial, PR_TRUE);
-    return rvCert;
-}
-
-CK_OBJECT_HANDLE
-PK11_FindObjectForCert(CERTCertificate *cert, void *wincx, PK11SlotInfo **pSlot)
-{
-    CK_OBJECT_HANDLE certHandle;
-    CK_ATTRIBUTE searchTemplate	= { CKA_VALUE, NULL, 0 };
-    
-    PK11_SETATTRS(&searchTemplate, CKA_VALUE, cert->derCert.data,
-		  cert->derCert.len);
-
-    if (cert->slot) {
-	certHandle = pk11_getcerthandle(cert->slot,cert,&searchTemplate,1);
-	if (certHandle != CK_INVALID_HANDLE) {
-	    *pSlot = PK11_ReferenceSlot(cert->slot);
-	    return certHandle;
-	}
-    }
-
-    certHandle = pk11_FindCertObjectByTemplate(pSlot,&searchTemplate,1,wincx);
-    if (certHandle != CK_INVALID_HANDLE) {
-	if (cert->slot == NULL) {
-	    cert->slot = PK11_ReferenceSlot(*pSlot);
-	    cert->pkcs11ID = certHandle;
-	    cert->ownSlot = PR_TRUE;
-	    cert->series = cert->slot->series;
-	}
-    }
-
-    return(certHandle);
-}
-
-SECKEYPrivateKey *
-PK11_FindKeyByAnyCert(CERTCertificate *cert, void *wincx)
-{
-    CK_OBJECT_HANDLE certHandle;
-    CK_OBJECT_HANDLE keyHandle;
-    PK11SlotInfo *slot = NULL;
-    SECKEYPrivateKey *privKey = NULL;
-    SECStatus rv;
-
-    certHandle = PK11_FindObjectForCert(cert, wincx, &slot);
-    if (certHandle == CK_INVALID_HANDLE) {
-	 return NULL;
-    }
-    keyHandle = PK11_MatchItem(slot,certHandle,CKO_PRIVATE_KEY);
-    if ((keyHandle == CK_INVALID_HANDLE) && 
-			(PORT_GetError() == SSL_ERROR_NO_CERTIFICATE) && 
-			pk11_LoginStillRequired(slot,wincx)) {
-	/* authenticate and try again */
-	rv = PK11_Authenticate(slot, PR_TRUE, wincx);
-	if (rv == SECSuccess) {
-            keyHandle = PK11_MatchItem(slot,certHandle,CKO_PRIVATE_KEY);
-	}
-    }
-    if (keyHandle != CK_INVALID_HANDLE) { 
-        privKey =  PK11_MakePrivKey(slot, nullKey, PR_TRUE, keyHandle, wincx);
-    }
-    if (slot) {
-	PK11_FreeSlot(slot);
-    }
-    return privKey;
-}
-
-CK_OBJECT_HANDLE
-pk11_FindPubKeyByAnyCert(CERTCertificate *cert, PK11SlotInfo **slot, void *wincx)
-{
-    CK_OBJECT_HANDLE certHandle;
-    CK_OBJECT_HANDLE keyHandle;
-
-    certHandle = PK11_FindObjectForCert(cert, wincx, slot);
-    if (certHandle == CK_INVALID_HANDLE) {
-	 return CK_INVALID_HANDLE;
-    }
-    keyHandle = PK11_MatchItem(*slot,certHandle,CKO_PUBLIC_KEY);
-    if (keyHandle == CK_INVALID_HANDLE) { 
-	PK11_FreeSlot(*slot);
-	return CK_INVALID_HANDLE;
-    }
-    return keyHandle;
-}
-
-/*
- * find the number of certs in the slot with the same subject name
- */
-int
-PK11_NumberCertsForCertSubject(CERTCertificate *cert)
-{
-    CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
-    CK_ATTRIBUTE theTemplate[] = {
-	{ CKA_CLASS, NULL, 0 },
-	{ CKA_SUBJECT, NULL, 0 },
-    };
-    CK_ATTRIBUTE *attr = theTemplate;
-   int templateSize = sizeof(theTemplate)/sizeof(theTemplate[0]);
-
-    PK11_SETATTRS(attr,CKA_CLASS, &certClass, sizeof(certClass)); attr++;
-    PK11_SETATTRS(attr,CKA_SUBJECT,cert->derSubject.data,cert->derSubject.len);
-
-    if (cert->slot == NULL) {
-	PK11SlotList *list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,
-							PR_FALSE,PR_TRUE,NULL);
-	PK11SlotListElement *le;
-	int count = 0;
-
-	/* loop through all the fortezza tokens */
-	for (le = list->head; le; le = le->next) {
-	    count += PK11_NumberObjectsFor(le->slot,theTemplate,templateSize);
-	}
-	PK11_FreeSlotList(list);
-	return count;
-    }
-
-    return PK11_NumberObjectsFor(cert->slot,theTemplate,templateSize);
-}
-
-/*
- *  Walk all the certs with the same subject
- */
-SECStatus
-PK11_TraverseCertsForSubject(CERTCertificate *cert,
-        SECStatus(* callback)(CERTCertificate*, void *), void *arg)
-{
-    if(!cert) {
-	return SECFailure;
-    }
-    if (cert->slot == NULL) {
-	PK11SlotList *list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,
-							PR_FALSE,PR_TRUE,NULL);
-	PK11SlotListElement *le;
-
-	/* loop through all the tokens */
-	for (le = list->head; le; le = le->next) {
-	    PK11_TraverseCertsForSubjectInSlot(cert,le->slot,callback,arg);
-	}
-	PK11_FreeSlotList(list);
-	return SECSuccess;
-
-    }
-
-    return PK11_TraverseCertsForSubjectInSlot(cert, cert->slot, callback, arg);
-}
-
-SECStatus
-PK11_TraverseCertsForSubjectInSlot(CERTCertificate *cert, PK11SlotInfo *slot,
-	SECStatus(* callback)(CERTCertificate*, void *), void *arg)
-{
-    PRStatus nssrv = PR_SUCCESS;
-    NSSToken *token;
-    NSSDER subject;
-    NSSTrustDomain *td;
-    nssList *subjectList;
-    nssPKIObjectCollection *collection;
-    nssCryptokiObject **instances;
-    NSSCertificate **certs;
-    nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
-    td = STAN_GetDefaultTrustDomain();
-    NSSITEM_FROM_SECITEM(&subject, &cert->derSubject);
-    token = PK11Slot_GetNSSToken(slot);
-    if (!nssToken_IsPresent(token)) {
-	return SECSuccess;
-    }
-    collection = nssCertificateCollection_Create(td, NULL);
-    if (!collection) {
-	return SECFailure;
-    }
-    subjectList = nssList_Create(NULL, PR_FALSE);
-    if (!subjectList) {
-	nssPKIObjectCollection_Destroy(collection);
-	return SECFailure;
-    }
-    (void)nssTrustDomain_GetCertsForSubjectFromCache(td, &subject, 
-                                                     subjectList);
-    transfer_token_certs_to_collection(subjectList, token, collection);
-    instances = nssToken_FindCertificatesBySubject(token, NULL,
-	                                           &subject, 
-	                                           tokenOnly, 0, &nssrv);
-    nssPKIObjectCollection_AddInstances(collection, instances, 0);
-    nss_ZFreeIf(instances);
-    nssList_Destroy(subjectList);
-    certs = nssPKIObjectCollection_GetCertificates(collection,
-                                                   NULL, 0, NULL);
-    nssPKIObjectCollection_Destroy(collection);
-    if (certs) {
-	CERTCertificate *oldie;
-	NSSCertificate **cp;
-	for (cp = certs; *cp; cp++) {
-	    oldie = STAN_GetCERTCertificate(*cp);
-	    if (!oldie) {
-		continue;
-	    }
-	    if ((*callback)(oldie, arg) != SECSuccess) {
-		nssrv = PR_FAILURE;
-		break;
-	    }
-	}
-	nssCertificateArray_Destroy(certs);
-    }
-    return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
-}
-
-SECStatus
-PK11_TraverseCertsForNicknameInSlot(SECItem *nickname, PK11SlotInfo *slot,
-	SECStatus(* callback)(CERTCertificate*, void *), void *arg)
-{
-    struct nss3_cert_cbstr pk11cb;
-    PRStatus nssrv = PR_SUCCESS;
-    NSSToken *token;
-    NSSTrustDomain *td;
-    NSSUTF8 *nick;
-    PRBool created = PR_FALSE;
-    nssCryptokiObject **instances;
-    nssPKIObjectCollection *collection = NULL;
-    NSSCertificate **certs;
-    nssList *nameList = NULL;
-    nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
-    pk11cb.callback = callback;
-    pk11cb.arg = arg;
-    token = PK11Slot_GetNSSToken(slot);
-    if (!nssToken_IsPresent(token)) {
-	return SECSuccess;
-    }
-    if (nickname->data[nickname->len-1] != '\0') {
-	nick = nssUTF8_Create(NULL, nssStringType_UTF8String, 
-	                      nickname->data, nickname->len);
-	created = PR_TRUE;
-    } else {
-	nick = (NSSUTF8 *)nickname->data;
-    }
-    td = STAN_GetDefaultTrustDomain();
-    collection = nssCertificateCollection_Create(td, NULL);
-    if (!collection) {
-	goto loser;
-    }
-    nameList = nssList_Create(NULL, PR_FALSE);
-    if (!nameList) {
-	goto loser;
-    }
-    (void)nssTrustDomain_GetCertsForNicknameFromCache(td, nick, nameList);
-    transfer_token_certs_to_collection(nameList, token, collection);
-    instances = nssToken_FindCertificatesByNickname(token, NULL,
-	                                            nick,
-	                                            tokenOnly, 0, &nssrv);
-    nssPKIObjectCollection_AddInstances(collection, instances, 0);
-    nss_ZFreeIf(instances);
-    nssList_Destroy(nameList);
-    certs = nssPKIObjectCollection_GetCertificates(collection,
-                                                   NULL, 0, NULL);
-    nssPKIObjectCollection_Destroy(collection);
-    if (certs) {
-	CERTCertificate *oldie;
-	NSSCertificate **cp;
-	for (cp = certs; *cp; cp++) {
-	    oldie = STAN_GetCERTCertificate(*cp);
-	    if (!oldie) {
-		continue;
-	    }
-	    if ((*callback)(oldie, arg) != SECSuccess) {
-		nssrv = PR_FAILURE;
-		break;
-	    }
-	}
-	nssCertificateArray_Destroy(certs);
-    }
-    if (created) nss_ZFreeIf(nick);
-    return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
-loser:
-    if (created) {
-	nss_ZFreeIf(nick);
-    }
-    if (collection) {
-	nssPKIObjectCollection_Destroy(collection);
-    }
-    if (nameList) {
-	nssList_Destroy(nameList);
-    }
-    return SECFailure;
-}
-
-SECStatus
-PK11_TraverseCertsInSlot(PK11SlotInfo *slot,
-	SECStatus(* callback)(CERTCertificate*, void *), void *arg)
-{
-    PRStatus nssrv;
-    NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
-    NSSToken *tok;
-    nssList *certList = NULL;
-    nssCryptokiObject **instances;
-    nssPKIObjectCollection *collection;
-    NSSCertificate **certs;
-    nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
-    tok = PK11Slot_GetNSSToken(slot);
-    if (!nssToken_IsPresent(tok)) {
-	return SECSuccess;
-    }
-    collection = nssCertificateCollection_Create(td, NULL);
-    if (!collection) {
-	return SECFailure;
-    }
-    certList = nssList_Create(NULL, PR_FALSE);
-    if (!certList) {
-	nssPKIObjectCollection_Destroy(collection);
-	return SECFailure;
-    }
-    (void *)nssTrustDomain_GetCertsFromCache(td, certList);
-    transfer_token_certs_to_collection(certList, tok, collection);
-    instances = nssToken_FindCertificates(tok, NULL,
-                                          tokenOnly, 0, &nssrv);
-    nssPKIObjectCollection_AddInstances(collection, instances, 0);
-    nss_ZFreeIf(instances);
-    nssList_Destroy(certList);
-    certs = nssPKIObjectCollection_GetCertificates(collection,
-                                                   NULL, 0, NULL);
-    nssPKIObjectCollection_Destroy(collection);
-    if (certs) {
-	CERTCertificate *oldie;
-	NSSCertificate **cp;
-	for (cp = certs; *cp; cp++) {
-	    oldie = STAN_GetCERTCertificate(*cp);
-	    if (!oldie) {
-		continue;
-	    }
-	    if ((*callback)(oldie, arg) != SECSuccess) {
-		nssrv = PR_FAILURE;
-		break;
-	    }
-	}
-	nssCertificateArray_Destroy(certs);
-    }
-    return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
-}
-
-/*
- * return the certificate associated with a derCert 
- */
-CERTCertificate *
-PK11_FindCertFromDERCert(PK11SlotInfo *slot, CERTCertificate *cert,
-								 void *wincx)
-{
-    return PK11_FindCertFromDERCertItem(slot, &cert->derCert, wincx);
-}
-
-CERTCertificate *
-PK11_FindCertFromDERCertItem(PK11SlotInfo *slot, SECItem *inDerCert,
-								 void *wincx)
-
-{
-    NSSCertificate *c;
-    NSSDER derCert;
-    NSSToken *tok;
-    NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
-    SECStatus rv;
-
-    tok = PK11Slot_GetNSSToken(slot);
-    NSSITEM_FROM_SECITEM(&derCert, inDerCert);
-    rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
-    if (rv != SECSuccess) {
-	PK11_FreeSlot(slot);
-	return NULL;
-    }
-    c = NSSTrustDomain_FindCertificateByEncodedCertificate(td, &derCert);
-    if (c) {
-	PRBool isToken = PR_FALSE;
-	NSSToken **tp;
-	NSSToken **tokens = nssPKIObject_GetTokens(&c->object, NULL);
-	if (tokens) {
-	    for (tp = tokens; *tp; tp++) {
-		if (*tp == tok) {
-		    isToken = PR_TRUE;
-		    break;
-		}
-	    }
-	    if (!isToken) {
-		NSSCertificate_Destroy(c);
-		c = NULL;
-	    }
-	    nssTokenArray_Destroy(tokens);
-	}
-    }
-    return c ? STAN_GetCERTCertificateOrRelease(c) : NULL;
-} 
-
-/* mcgreer 3.4 -- nobody uses this, ignoring */
-/*
- * return the certificate associated with a derCert 
- */
-CERTCertificate *
-PK11_FindCertFromDERSubjectAndNickname(PK11SlotInfo *slot, 
-					CERTCertificate *cert, 
-					char *nickname, void *wincx)
-{
-    CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
-    CK_ATTRIBUTE theTemplate[] = {
-	{ CKA_SUBJECT, NULL, 0 },
-	{ CKA_LABEL, NULL, 0 },
-	{ CKA_CLASS, NULL, 0 }
-    };
-    /* if you change the array, change the variable below as well */
-    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
-    CK_OBJECT_HANDLE certh;
-    CK_ATTRIBUTE *attrs = theTemplate;
-    SECStatus rv;
-
-    PK11_SETATTRS(attrs, CKA_SUBJECT, cert->derSubject.data, 
-						cert->derSubject.len); attrs++;
-    PK11_SETATTRS(attrs, CKA_LABEL, nickname, PORT_Strlen(nickname));
-    PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass));
-
-    /*
-     * issue the find
-     */
-    rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
-    if (rv != SECSuccess) return NULL;
-
-    certh = pk11_getcerthandle(slot,cert,theTemplate,tsize);
-    if (certh == CK_INVALID_HANDLE) {
-	return NULL;
-    }
-
-    return PK11_MakeCertFromHandle(slot, certh, NULL);
-}
-
-/*
- * import a cert for a private key we have already generated. Set the label
- * on both to be the nickname.
- */
-static CK_OBJECT_HANDLE 
-pk11_findKeyObjectByDERCert(PK11SlotInfo *slot, CERTCertificate *cert, 
-								void *wincx)
-{
-    SECItem *keyID;
-    CK_OBJECT_HANDLE key;
-    SECStatus rv;
-
-    if((slot == NULL) || (cert == NULL)) {
-	return CK_INVALID_HANDLE;
-    }
-
-    keyID = pk11_mkcertKeyID(cert);
-    if(keyID == NULL) {
-	return CK_INVALID_HANDLE;
-    }
-
-    key = pk11_FindPrivateKeyFromCertID(slot, keyID);
-    if ((key == CK_INVALID_HANDLE) && 
-			(PORT_GetError() == SSL_ERROR_NO_CERTIFICATE) && 
-			pk11_LoginStillRequired(slot,wincx)) {
-	/* authenticate and try again */
-	rv = PK11_Authenticate(slot, PR_TRUE, wincx);
-	if (rv != SECSuccess) goto loser;
-	key = pk11_FindPrivateKeyFromCertID(slot, keyID);
-   }
-
-loser:
-    SECITEM_ZfreeItem(keyID, PR_TRUE);
-    return key;
-}
-
-SECKEYPrivateKey *
-PK11_FindKeyByDERCert(PK11SlotInfo *slot, CERTCertificate *cert, 
-								void *wincx)
-{
-    CK_OBJECT_HANDLE keyHandle;
-
-    if((slot == NULL) || (cert == NULL)) {
-	return NULL;
-    }
-
-    keyHandle = pk11_findKeyObjectByDERCert(slot, cert, wincx);
-    if (keyHandle == CK_INVALID_HANDLE) {
-	return NULL;
-    }
-
-    return PK11_MakePrivKey(slot,nullKey,PR_TRUE,keyHandle,wincx);
-}
-
-SECStatus
-PK11_ImportCertForKeyToSlot(PK11SlotInfo *slot, CERTCertificate *cert, 
-						char *nickname, 
-						PRBool addCertUsage,void *wincx)
-{
-    CK_OBJECT_HANDLE keyHandle;
-
-    if((slot == NULL) || (cert == NULL) || (nickname == NULL)) {
-	return SECFailure;
-    }
-
-    keyHandle = pk11_findKeyObjectByDERCert(slot, cert, wincx);
-    if (keyHandle == CK_INVALID_HANDLE) {
-	return SECFailure;
-    }
-
-    return PK11_ImportCert(slot, cert, keyHandle, nickname, addCertUsage);
-}   
-
-
-/* remove when the real version comes out */
-#define SEC_OID_MISSI_KEA 300  /* until we have v3 stuff merged */
-PRBool
-KEAPQGCompare(CERTCertificate *server,CERTCertificate *cert) {
-
-    if ( SECKEY_KEAParamCompare(server,cert) == SECEqual ) {
-        return PR_TRUE;
-    } else {
-	return PR_FALSE;
-    }
-}
-
-PRBool
-PK11_FortezzaHasKEA(CERTCertificate *cert) {
-   /* look at the subject and see if it is a KEA for MISSI key */
-   SECOidData *oid;
-
-   if ((cert->trust == NULL) ||
-       ((cert->trust->sslFlags & CERTDB_USER) != CERTDB_USER)) {
-       return PR_FALSE;
-   }
-
-   oid = SECOID_FindOID(&cert->subjectPublicKeyInfo.algorithm.algorithm);
-
-
-   return (PRBool)((oid->offset == SEC_OID_MISSI_KEA_DSS_OLD) || 
-		(oid->offset == SEC_OID_MISSI_KEA_DSS) ||
-				(oid->offset == SEC_OID_MISSI_KEA)) ;
-}
-
-/*
- * Find a kea cert on this slot that matches the domain of it's peer
- */
-static CERTCertificate
-*pk11_GetKEAMate(PK11SlotInfo *slot,CERTCertificate *peer)
-{
-    int i;
-    CERTCertificate *returnedCert = NULL;
-
-    for (i=0; i < slot->cert_count; i++) {
-	CERTCertificate *cert = slot->cert_array[i];
-
-	if (PK11_FortezzaHasKEA(cert) && KEAPQGCompare(peer,cert)) {
-		returnedCert = CERT_DupCertificate(cert);
-		break;
-	}
-    }
-    return returnedCert;
-}
-
-/*
- * The following is a FORTEZZA only Certificate request. We call this when we
- * are doing a non-client auth SSL connection. We are only interested in the
- * fortezza slots, and we are only interested in certs that share the same root
- * key as the server.
- */
-CERTCertificate *
-PK11_FindBestKEAMatch(CERTCertificate *server, void *wincx)
-{
-    PK11SlotList *keaList = PK11_GetAllTokens(CKM_KEA_KEY_DERIVE,
-							PR_FALSE,PR_TRUE,wincx);
-    PK11SlotListElement *le;
-    CERTCertificate *returnedCert = NULL;
-    SECStatus rv;
-
-    /* loop through all the fortezza tokens */
-    for (le = keaList->head; le; le = le->next) {
-        rv = PK11_Authenticate(le->slot, PR_TRUE, wincx);
-        if (rv != SECSuccess) continue;
-	if (le->slot->session == CK_INVALID_SESSION) {
-	    continue;
-	}
-	returnedCert = pk11_GetKEAMate(le->slot,server);
-	if (returnedCert) break;
-    }
-    PK11_FreeSlotList(keaList);
-
-    return returnedCert;
-}
-
-/*
- * find a matched pair of kea certs to key exchange parameters from one 
- * fortezza card to another as necessary.
- */
-SECStatus
-PK11_GetKEAMatchedCerts(PK11SlotInfo *slot1, PK11SlotInfo *slot2,
-	CERTCertificate **cert1, CERTCertificate **cert2)
-{
-    CERTCertificate *returnedCert = NULL;
-    int i;
-
-    for (i=0; i < slot1->cert_count; i++) {
-	CERTCertificate *cert = slot1->cert_array[i];
-
-	if (PK11_FortezzaHasKEA(cert)) {
-	    returnedCert = pk11_GetKEAMate(slot2,cert);
-	    if (returnedCert != NULL) {
-		*cert2 = returnedCert;
-		*cert1 = CERT_DupCertificate(cert);
-		return SECSuccess;
-	    }
-	}
-    }
-    return SECFailure;
-}
-
-/*
- * return the private key From a given Cert
- */
-CK_OBJECT_HANDLE
-PK11_FindCertInSlot(PK11SlotInfo *slot, CERTCertificate *cert, void *wincx)
-{
-    CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
-    CK_ATTRIBUTE theTemplate[] = {
-	{ CKA_VALUE, NULL, 0 },
-	{ CKA_CLASS, NULL, 0 }
-    };
-    /* if you change the array, change the variable below as well */
-    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
-    CK_ATTRIBUTE *attrs = theTemplate;
-    SECStatus rv;
-
-    PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data,
-						cert->derCert.len); attrs++;
-    PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass));
-
-    /*
-     * issue the find
-     */
-    rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
-    if (rv != SECSuccess) {
-	return CK_INVALID_HANDLE;
-    }
-
-    return pk11_getcerthandle(slot,cert,theTemplate,tsize);
-}
-
-SECItem *
-PK11_GetKeyIDFromCert(CERTCertificate *cert, void *wincx)
-{
-    CK_OBJECT_HANDLE handle;
-    PK11SlotInfo *slot = NULL;
-    CK_ATTRIBUTE theTemplate[] = {
-	{ CKA_ID, NULL, 0 },
-    };
-    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
-    SECItem *item = NULL;
-    CK_RV crv;
-
-    handle = PK11_FindObjectForCert(cert,wincx,&slot);
-    if (handle == CK_INVALID_HANDLE) {
-	goto loser;
-    }
-
-    crv = PK11_GetAttributes(NULL,slot,handle,theTemplate,tsize);
-    if (crv != CKR_OK) {
-	PORT_SetError( PK11_MapError(crv) );
-	goto loser;
-    }
-
-    item = PORT_ZNew(SECItem);
-    if (item) {
-        item->data = (unsigned char*) theTemplate[0].pValue;
-        item->len = theTemplate[0].ulValueLen;
-    }
-
-loser:
-    PK11_FreeSlot(slot);
-    return item;
-}
-
-struct listCertsStr {
-    PK11CertListType type;
-    CERTCertList *certList;
-};
-
-static PRStatus
-pk11ListCertCallback(NSSCertificate *c, void *arg)
-{
-    struct listCertsStr *listCertP = (struct listCertsStr *)arg;
-    CERTCertificate *newCert = NULL;
-    PK11CertListType type = listCertP->type;
-    CERTCertList *certList = listCertP->certList;
-    PRBool isUnique = PR_FALSE;
-    PRBool isCA = PR_FALSE;
-    char *nickname = NULL;
-    unsigned int certType;
-
-    if ((type == PK11CertListUnique) || (type == PK11CertListRootUnique) ||
-        (type == PK11CertListCAUnique) || (type == PK11CertListUserUnique) ) {
-        /* only list one instance of each certificate, even if several exist */
-	isUnique = PR_TRUE;
-    }
-    if ((type == PK11CertListCA) || (type == PK11CertListRootUnique) ||
-        (type == PK11CertListCAUnique)) {
-	isCA = PR_TRUE;
-    }
-
-    /* if we want user certs and we don't have one skip this cert */
-    if ( ( (type == PK11CertListUser) || (type == PK11CertListUserUnique) ) && 
-		!NSSCertificate_IsPrivateKeyAvailable(c, NULL,NULL)) {
-	return PR_SUCCESS;
-    }
-
-    /* PK11CertListRootUnique means we want CA certs without a private key.
-     * This is for legacy app support . PK11CertListCAUnique should be used
-     * instead to get all CA certs, regardless of private key
-     */
-    if ((type == PK11CertListRootUnique) && 
-		NSSCertificate_IsPrivateKeyAvailable(c, NULL,NULL)) {
-	return PR_SUCCESS;
-    }
-
-    /* caller still owns the reference to 'c' */
-    newCert = STAN_GetCERTCertificate(c);
-    if (!newCert) {
-	return PR_SUCCESS;
-    }
-    /* if we want CA certs and it ain't one, skip it */
-    if( isCA  && (!CERT_IsCACert(newCert, &certType)) ) {
-	return PR_SUCCESS;
-    }
-    if (isUnique) {
-	CERT_DupCertificate(newCert);
-
-	nickname = STAN_GetCERTCertificateName(certList->arena, c);
-
-	/* put slot certs at the end */
-	if (newCert->slot && !PK11_IsInternal(newCert->slot)) {
-	    CERT_AddCertToListTailWithData(certList,newCert,nickname);
-	} else {
-	    CERT_AddCertToListHeadWithData(certList,newCert,nickname);
-	}
-    } else {
-	/* add multiple instances to the cert list */
-	nssCryptokiObject **ip;
-	nssCryptokiObject **instances = nssPKIObject_GetInstances(&c->object);
-	if (!instances) {
-	    return PR_SUCCESS;
-	}
-	for (ip = instances; *ip; ip++) {
-	    nssCryptokiObject *instance = *ip;
-	    PK11SlotInfo *slot = instance->token->pk11slot;
-
-	    /* put the same CERTCertificate in the list for all instances */
-	    CERT_DupCertificate(newCert);
-
-	    nickname = STAN_GetCERTCertificateNameForInstance(
-			certList->arena, c, instance);
-
-	    /* put slot certs at the end */
-	    if (slot && !PK11_IsInternal(slot)) {
-		CERT_AddCertToListTailWithData(certList,newCert,nickname);
-	    } else {
-		CERT_AddCertToListHeadWithData(certList,newCert,nickname);
-	    }
-	}
-	nssCryptokiObjectArray_Destroy(instances);
-    }
-    return PR_SUCCESS;
-}
-
-
-CERTCertList *
-PK11_ListCerts(PK11CertListType type, void *pwarg)
-{
-    NSSTrustDomain *defaultTD = STAN_GetDefaultTrustDomain();
-    CERTCertList *certList = NULL;
-    struct listCertsStr listCerts;
-    certList = CERT_NewCertList();
-    listCerts.type = type;
-    listCerts.certList = certList;
-
-    /* authenticate to the slots */
-    (void) pk11_TraverseAllSlots( NULL, NULL, pwarg);
-    NSSTrustDomain_TraverseCertificates(defaultTD, pk11ListCertCallback,
-								 &listCerts);
-    return certList;
-}
-    
-SECItem *
-PK11_GetLowLevelKeyIDForCert(PK11SlotInfo *slot,
-					CERTCertificate *cert, void *wincx)
-{
-    CK_ATTRIBUTE theTemplate[] = {
-	{ CKA_VALUE, NULL, 0 },
-	{ CKA_CLASS, NULL, 0 }
-    };
-    /* if you change the array, change the variable below as well */
-    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
-    CK_OBJECT_HANDLE certHandle;
-    CK_ATTRIBUTE *attrs = theTemplate;
-    PK11SlotInfo *slotRef = NULL;
-    SECItem *item;
-    SECStatus rv;
-
-    if (slot) {
-	PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data, 
-						cert->derCert.len); attrs++;
- 
-	rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
-	if (rv != SECSuccess) {
-	    return NULL;
-	}
-        certHandle = pk11_getcerthandle(slot,cert,theTemplate,tsize);
-    } else {
-    	certHandle = PK11_FindObjectForCert(cert, wincx, &slotRef);
-	if (certHandle == CK_INVALID_HANDLE) {
-	   return pk11_mkcertKeyID(cert);
-	}
-	slot = slotRef;
-    }
-
-    if (certHandle == CK_INVALID_HANDLE) {
-	 return NULL;
-    }
-
-    item = pk11_GetLowLevelKeyFromHandle(slot,certHandle);
-    if (slotRef) PK11_FreeSlot(slotRef);
-    return item;
-}
-
-/* argument type for listCertsCallback */
-typedef struct {
-    CERTCertList *list;
-    PK11SlotInfo *slot;
-} ListCertsArg;
-
-static SECStatus
-listCertsCallback(CERTCertificate* cert, void*arg)
-{
-    ListCertsArg *cdata = (ListCertsArg*)arg;
-    char *nickname = NULL;
-    nssCryptokiObject *instance, **ci;
-    nssCryptokiObject **instances;
-    NSSCertificate *c = STAN_GetNSSCertificate(cert);
-
-    instances = nssPKIObject_GetInstances(&c->object);
-    instance = NULL;
-    for (ci = instances; *ci; ci++) {
-	if ((*ci)->token->pk11slot == cdata->slot) {
-	    instance = *ci;
-	    break;
-	}
-    }
-    PORT_Assert(instance != NULL);
-    if (!instance) {
-	nssCryptokiObjectArray_Destroy(instances);
-	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	return SECFailure;
-    }
-    nickname = STAN_GetCERTCertificateNameForInstance(cdata->list->arena,
-	c, instance);
-    nssCryptokiObjectArray_Destroy(instances);
-
-    return CERT_AddCertToListTailWithData(cdata->list, 
-				CERT_DupCertificate(cert),nickname);
-}
-
-CERTCertList *
-PK11_ListCertsInSlot(PK11SlotInfo *slot)
-{
-    SECStatus status;
-    CERTCertList *certs;
-    ListCertsArg cdata;
-
-    certs = CERT_NewCertList();
-    if(certs == NULL) return NULL;
-    cdata.list = certs;
-    cdata.slot = slot;
-
-    status = PK11_TraverseCertsInSlot(slot, listCertsCallback,
-		&cdata);
-
-    if( status != SECSuccess ) {
-	CERT_DestroyCertList(certs);
-	certs = NULL;
-    }
-
-    return certs;
-}
-
diff --git a/security/nss/lib/pk11wrap/pk11cxt.c b/security/nss/lib/pk11wrap/pk11cxt.c
deleted file mode 100644
index 4428fda9b..000000000
--- a/security/nss/lib/pk11wrap/pk11cxt.c
+++ /dev/null
@@ -1,1062 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * This file PK11Contexts which are  used in multipart hashing, 
- * encryption/decryption, and signing/verication operations.
- */
-
-#include "seccomon.h"
-#include "secmod.h"
-#include "nssilock.h"
-#include "secmodi.h"
-#include "secmodti.h"
-#include "pkcs11.h"
-#include "pk11func.h"
-#include "secitem.h"
-#include "secoid.h" 
-#include "sechash.h"
-#include "secerr.h"
-
-static const SECItem pk11_null_params = { 0 };
-
-/**********************************************************************
- *
- *                   Now Deal with Crypto Contexts
- *
- **********************************************************************/
-
-/*
- * the monitors...
- */
-void
-PK11_EnterContextMonitor(PK11Context *cx) {
-    /* if we own the session and our slot is ThreadSafe, only monitor
-     * the Context */
-    if ((cx->ownSession) && (cx->slot->isThreadSafe)) {
-	/* Should this use monitors instead? */
-	PZ_Lock(cx->sessionLock);
-    } else {
-	PK11_EnterSlotMonitor(cx->slot);
-    }
-}
-
-void
-PK11_ExitContextMonitor(PK11Context *cx) {
-    /* if we own the session and our slot is ThreadSafe, only monitor
-     * the Context */
-    if ((cx->ownSession) && (cx->slot->isThreadSafe)) {
-	/* Should this use monitors instead? */
-	PZ_Unlock(cx->sessionLock);
-    } else {
-	PK11_ExitSlotMonitor(cx->slot);
-    }
-}
-
-/*
- * Free up a Cipher Context
- */
-void
-PK11_DestroyContext(PK11Context *context, PRBool freeit)
-{
-    pk11_CloseSession(context->slot,context->session,context->ownSession);
-    /* initialize the critical fields of the context */
-    if (context->savedData != NULL ) PORT_Free(context->savedData);
-    if (context->key) PK11_FreeSymKey(context->key);
-    if (context->param && context->param != &pk11_null_params)
-	SECITEM_FreeItem(context->param, PR_TRUE);
-    if (context->sessionLock) PZ_DestroyLock(context->sessionLock);
-    PK11_FreeSlot(context->slot);
-    if (freeit) PORT_Free(context);
-}
-
-/*
- * save the current context. Allocate Space if necessary.
- */
-static unsigned char *
-pk11_saveContextHelper(PK11Context *context, unsigned char *buffer, 
-                       unsigned long *savedLength)
-{
-    CK_RV crv;
-
-    /* If buffer is NULL, this will get the length */
-    crv = PK11_GETTAB(context->slot)->C_GetOperationState(context->session,
-                                                          (CK_BYTE_PTR)buffer,
-                                                          savedLength);
-    if (!buffer || (crv == CKR_BUFFER_TOO_SMALL)) {
-	/* the given buffer wasn't big enough (or was NULL), but we 
-	 * have the length, so try again with a new buffer and the 
-	 * correct length
-	 */
-	unsigned long bufLen = *savedLength;
-	buffer = PORT_Alloc(bufLen);
-	if (buffer == NULL) {
-	    return (unsigned char *)NULL;
-	}
-	crv = PK11_GETTAB(context->slot)->C_GetOperationState(
-	                                                  context->session,
-                                                          (CK_BYTE_PTR)buffer,
-                                                          savedLength);
-	if (crv != CKR_OK) {
-	    PORT_ZFree(buffer, bufLen);
-	}
-    }
-    if (crv != CKR_OK) {
-	PORT_SetError( PK11_MapError(crv) );
-	return (unsigned char *)NULL;
-    }
-    return buffer;
-}
-
-void *
-pk11_saveContext(PK11Context *context, void *space, unsigned long *savedLength)
-{
-    return pk11_saveContextHelper(context, 
-                                  (unsigned char *)space, savedLength);
-}
-
-/*
- * restore the current context
- */
-SECStatus
-pk11_restoreContext(PK11Context *context,void *space, unsigned long savedLength)
-{
-    CK_RV crv;
-    CK_OBJECT_HANDLE objectID = (context->key) ? context->key->objectID:
-			CK_INVALID_HANDLE;
-
-    PORT_Assert(space != NULL);
-    if (space == NULL) {
-	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	return SECFailure;
-    }
-    crv = PK11_GETTAB(context->slot)->C_SetOperationState(context->session,
-        (CK_BYTE_PTR)space, savedLength, objectID, 0);
-    if (crv != CKR_OK) {
-       PORT_SetError( PK11_MapError(crv));
-       return SECFailure;
-   }
-   return SECSuccess;
-}
-
-SECStatus pk11_Finalize(PK11Context *context);
-
-/*
- * Context initialization. Used by all flavors of CreateContext
- */
-static SECStatus 
-pk11_context_init(PK11Context *context, CK_MECHANISM *mech_info)
-{
-    CK_RV crv;
-    PK11SymKey *symKey = context->key;
-    SECStatus rv = SECSuccess;
-
-    switch (context->operation) {
-    case CKA_ENCRYPT:
-	crv=PK11_GETTAB(context->slot)->C_EncryptInit(context->session,
-				mech_info, symKey->objectID);
-	break;
-    case CKA_DECRYPT:
-	if (context->fortezzaHack) {
-	    CK_ULONG count = 0;;
-	    /* generate the IV for fortezza */
-	    crv=PK11_GETTAB(context->slot)->C_EncryptInit(context->session,
-				mech_info, symKey->objectID);
-	    if (crv != CKR_OK) break;
-	    PK11_GETTAB(context->slot)->C_EncryptFinal(context->session,
-				NULL, &count);
-	}
-	crv=PK11_GETTAB(context->slot)->C_DecryptInit(context->session,
-				mech_info, symKey->objectID);
-	break;
-    case CKA_SIGN:
-	crv=PK11_GETTAB(context->slot)->C_SignInit(context->session,
-				mech_info, symKey->objectID);
-	break;
-    case CKA_VERIFY:
-	crv=PK11_GETTAB(context->slot)->C_SignInit(context->session,
-				mech_info, symKey->objectID);
-	break;
-    case CKA_DIGEST:
-	crv=PK11_GETTAB(context->slot)->C_DigestInit(context->session,
-				mech_info);
-	break;
-    default:
-	crv = CKR_OPERATION_NOT_INITIALIZED;
-	break;
-    }
-
-    if (crv != CKR_OK) {
-        PORT_SetError( PK11_MapError(crv) );
-        return SECFailure;
-    }
-
-    /*
-     * handle session starvation case.. use our last session to multiplex
-     */
-    if (!context->ownSession) {
-	context->savedData = pk11_saveContext(context,context->savedData,
-				&context->savedLength);
-	if (context->savedData == NULL) rv = SECFailure;
-	/* clear out out session for others to use */
-	pk11_Finalize(context);
-    }
-    return rv;
-}
-
-
-/*
- * Common Helper Function do come up with a new context.
- */
-static PK11Context *pk11_CreateNewContextInSlot(CK_MECHANISM_TYPE type,
-     PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey,
-							     SECItem *param)
-{
-    CK_MECHANISM mech_info;
-    PK11Context *context;
-    SECStatus rv;
-	
-    PORT_Assert(slot != NULL);
-    if (!slot) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return NULL;
-    }
-    context = (PK11Context *) PORT_Alloc(sizeof(PK11Context));
-    if (context == NULL) {
-	return NULL;
-    }
-
-    /* now deal with the fortezza hack... the fortezza hack is an attempt
-     * to get around the issue of the card not allowing you to do a FORTEZZA
-     * LoadIV/Encrypt, which was added because such a combination could be
-     * use to circumvent the key escrow system. Unfortunately SSL needs to
-     * do this kind of operation, so in SSL we do a loadIV (to verify it),
-     * Then GenerateIV, and through away the first 8 bytes on either side
-     * of the connection.*/
-    context->fortezzaHack = PR_FALSE;
-    if (type == CKM_SKIPJACK_CBC64) {
-	if (symKey->origin == PK11_OriginFortezzaHack) {
-	    context->fortezzaHack = PR_TRUE;
-	}
-    }
-
-    /* initialize the critical fields of the context */
-    context->operation = operation;
-    context->key = symKey ? PK11_ReferenceSymKey(symKey) : NULL;
-    context->slot = PK11_ReferenceSlot(slot);
-    context->session = pk11_GetNewSession(slot,&context->ownSession);
-    context->cx = symKey ? symKey->cx : NULL;
-    /* get our session */
-    context->savedData = NULL;
-
-    /* save the parameters so that some digesting stuff can do multiple
-     * begins on a single context */
-    context->type = type;
-    if (param) {
-	if (param->len > 0) {
-	    context->param = SECITEM_DupItem(param);
-	} else {
-	    context->param = (SECItem *)&pk11_null_params;
-	}
-    } else {
-	context->param = NULL;
-    }
-    context->init = PR_FALSE;
-    context->sessionLock = PZ_NewLock(nssILockPK11cxt);
-    if ((context->param == NULL) || (context->sessionLock == NULL)) {
-	PK11_DestroyContext(context,PR_TRUE);
-	return NULL;
-    }
-
-    mech_info.mechanism = type;
-    mech_info.pParameter = param->data;
-    mech_info.ulParameterLen = param->len;
-    PK11_EnterContextMonitor(context);
-    rv = pk11_context_init(context,&mech_info);
-    PK11_ExitContextMonitor(context);
-
-    if (rv != SECSuccess) {
-	PK11_DestroyContext(context,PR_TRUE);
-	return NULL;
-    }
-    context->init = PR_TRUE;
-    return context;
-}
-
-
-/*
- * put together the various PK11_Create_Context calls used by different
- * parts of libsec.
- */
-PK11Context *
-__PK11_CreateContextByRawKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
-     PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, 
-						SECItem *param, void *wincx)
-{
-    PK11SymKey *symKey;
-    PK11Context *context;
-
-    /* first get a slot */
-    if (slot == NULL) {
-	slot = PK11_GetBestSlot(type,wincx);
-	if (slot == NULL) {
-	    PORT_SetError( SEC_ERROR_NO_MODULE );
-	    return NULL;
-	}
-    } else {
-	PK11_ReferenceSlot(slot);
-    }
-
-    /* now import the key */
-    symKey = PK11_ImportSymKey(slot, type, origin, operation,  key, wincx);
-    if (symKey == NULL) return NULL;
-
-    context = PK11_CreateContextBySymKey(type, operation, symKey, param);
-
-    PK11_FreeSymKey(symKey);
-    PK11_FreeSlot(slot);
-
-    return context;
-}
-
-PK11Context *
-PK11_CreateContextByRawKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
-     PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, 
-						SECItem *param, void *wincx)
-{
-    return __PK11_CreateContextByRawKey(slot, type, origin, operation,
-                                        key, param, wincx);
-}
-
-
-/*
- * Create a context from a key. We really should make sure we aren't using
- * the same key in multiple session!
- */
-PK11Context *
-PK11_CreateContextBySymKey(CK_MECHANISM_TYPE type,CK_ATTRIBUTE_TYPE operation,
-			PK11SymKey *symKey, SECItem *param)
-{
-    PK11SymKey *newKey;
-    PK11Context *context;
-
-    /* if this slot doesn't support the mechanism, go to a slot that does */
-    newKey = pk11_ForceSlot(symKey,type,operation);
-    if (newKey == NULL) {
-	PK11_ReferenceSymKey(symKey);
-    } else {
-	symKey = newKey;
-    }
-
-
-    /* Context Adopts the symKey.... */
-    context = pk11_CreateNewContextInSlot(type, symKey->slot, operation, symKey,
-							     param);
-    PK11_FreeSymKey(symKey);
-    return context;
-}
-
-/*
- * Digest contexts don't need keys, but the do need to find a slot.
- * Macing should use PK11_CreateContextBySymKey.
- */
-PK11Context *
-PK11_CreateDigestContext(SECOidTag hashAlg)
-{
-    /* digesting has to work without authentication to the slot */
-    CK_MECHANISM_TYPE type;
-    PK11SlotInfo *slot;
-    PK11Context *context;
-    SECItem param;
-
-    type = PK11_AlgtagToMechanism(hashAlg);
-    slot = PK11_GetBestSlot(type, NULL);
-    if (slot == NULL) {
-	PORT_SetError( SEC_ERROR_NO_MODULE );
-	return NULL;
-    }
-
-    /* maybe should really be PK11_GenerateNewParam?? */
-    param.data = NULL;
-    param.len = 0;
-    param.type = 0;
-
-    context = pk11_CreateNewContextInSlot(type, slot, CKA_DIGEST, NULL, &param);
-    PK11_FreeSlot(slot);
-    return context;
-}
-
-/*
- * create a new context which is the clone of the state of old context.
- */
-PK11Context * PK11_CloneContext(PK11Context *old)
-{
-     PK11Context *newcx;
-     PRBool needFree = PR_FALSE;
-     SECStatus rv = SECSuccess;
-     void *data;
-     unsigned long len;
-
-     newcx = pk11_CreateNewContextInSlot(old->type, old->slot, old->operation,
-						old->key, old->param);
-     if (newcx == NULL) return NULL;
-
-     /* now clone the save state. First we need to find the save state
-      * of the old session. If the old context owns it's session,
-      * the state needs to be saved, otherwise the state is in saveData. */
-     if (old->ownSession) {
-        PK11_EnterContextMonitor(old);
-	data=pk11_saveContext(old,NULL,&len);
-        PK11_ExitContextMonitor(old);
-	needFree = PR_TRUE;
-     } else {
-	data = old->savedData;
-	len = old->savedLength;
-     }
-
-     if (data == NULL) {
-	PK11_DestroyContext(newcx,PR_TRUE);
-	return NULL;
-     }
-
-     /* now copy that state into our new context. Again we have different
-      * work if the new context owns it's own session. If it does, we
-      * restore the state gathered above. If it doesn't, we copy the
-      * saveData pointer... */
-     if (newcx->ownSession) {
-        PK11_EnterContextMonitor(newcx);
-	rv = pk11_restoreContext(newcx,data,len);
-        PK11_ExitContextMonitor(newcx);
-     } else {
-	PORT_Assert(newcx->savedData != NULL);
-	if ((newcx->savedData == NULL) || (newcx->savedLength < len)) {
-	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	    rv = SECFailure;
-	} else {
-	    PORT_Memcpy(newcx->savedData,data,len);
-	    newcx->savedLength = len;
-	}
-    }
-
-    if (needFree) PORT_Free(data);
-
-    if (rv != SECSuccess) {
-	PK11_DestroyContext(newcx,PR_TRUE);
-	return NULL;
-    }
-    return newcx;
-}
-
-/*
- * save the current context state into a variable. Required to make FORTEZZA
- * work.
- */
-SECStatus
-PK11_SaveContext(PK11Context *cx,unsigned char *save,int *len, int saveLength)
-{
-    unsigned char * data = NULL;
-    CK_ULONG length = saveLength;
-
-    if (cx->ownSession) {
-        PK11_EnterContextMonitor(cx);
-	data = pk11_saveContextHelper(cx, save, &length);
-        PK11_ExitContextMonitor(cx);
-	if (data) *len = length;
-    } else if ((unsigned) saveLength >= cx->savedLength) {
-	data = (unsigned char*)cx->savedData;
-	if (cx->savedData) {
-	    PORT_Memcpy(save,cx->savedData,cx->savedLength);
-	}
-	*len = cx->savedLength;
-    }
-    if (data != NULL) {
-	if (cx->ownSession) {
-	    PORT_ZFree(data, length);
-	}
-	return SECSuccess;
-    } else {
-	return SECFailure;
-    }
-}
-
-/* same as above, but may allocate the return buffer. */
-unsigned char *
-PK11_SaveContextAlloc(PK11Context *cx,
-                      unsigned char *preAllocBuf, unsigned int pabLen,
-                      unsigned int *stateLen)
-{
-    unsigned char *stateBuf = NULL;
-    unsigned long length = (unsigned long)pabLen;
-
-    if (cx->ownSession) {
-        PK11_EnterContextMonitor(cx);
-	stateBuf = pk11_saveContextHelper(cx, preAllocBuf, &length);
-        PK11_ExitContextMonitor(cx);
-	*stateLen = (stateBuf != NULL) ? length : 0;
-    } else {
-	if (pabLen < cx->savedLength) {
-	    stateBuf = (unsigned char *)PORT_Alloc(cx->savedLength);
-	    if (!stateBuf) {
-		return (unsigned char *)NULL;
-	    }
-	} else {
-	    stateBuf = preAllocBuf;
-	}
-	if (cx->savedData) {
-	    PORT_Memcpy(stateBuf, cx->savedData, cx->savedLength);
-	}
-	*stateLen = cx->savedLength;
-    }
-    return stateBuf;
-}
-
-/*
- * restore the context state into a new running context. Also required for
- * FORTEZZA .
- */
-SECStatus
-PK11_RestoreContext(PK11Context *cx,unsigned char *save,int len)
-{
-    SECStatus rv = SECSuccess;
-    if (cx->ownSession) {
-        PK11_EnterContextMonitor(cx);
-	pk11_Finalize(cx);
-	rv = pk11_restoreContext(cx,save,len);
-        PK11_ExitContextMonitor(cx);
-    } else {
-	PORT_Assert(cx->savedData != NULL);
-	if ((cx->savedData == NULL) || (cx->savedLength < (unsigned) len)) {
-	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	    rv = SECFailure;
-	} else {
-	    PORT_Memcpy(cx->savedData,save,len);
-	    cx->savedLength = len;
-	}
-    }
-    return rv;
-}
-
-/*
- * This is  to get FIPS compliance until we can convert
- * libjar to use PK11_ hashing functions. It returns PR_FALSE
- * if we can't get a PK11 Context.
- */
-PRBool
-PK11_HashOK(SECOidTag algID) {
-    PK11Context *cx;
-
-    cx = PK11_CreateDigestContext(algID);
-    if (cx == NULL) return PR_FALSE;
-    PK11_DestroyContext(cx, PR_TRUE);
-    return PR_TRUE;
-}
-
-
-
-/*
- * start a new digesting or Mac'ing operation on this context
- */
-SECStatus PK11_DigestBegin(PK11Context *cx)
-{
-    CK_MECHANISM mech_info;
-    SECStatus rv;
-
-    if (cx->init == PR_TRUE) {
-	return SECSuccess;
-    }
-
-    /*
-     * make sure the old context is clear first
-     */
-    PK11_EnterContextMonitor(cx);
-    pk11_Finalize(cx);
-
-    mech_info.mechanism = cx->type;
-    mech_info.pParameter = cx->param->data;
-    mech_info.ulParameterLen = cx->param->len;
-    rv = pk11_context_init(cx,&mech_info);
-    PK11_ExitContextMonitor(cx);
-
-    if (rv != SECSuccess) {
-	return SECFailure;
-    }
-    cx->init = PR_TRUE;
-    return SECSuccess;
-}
-
-SECStatus
-PK11_HashBuf(SECOidTag hashAlg, unsigned char *out, unsigned char *in, 
-								int32 len) {
-    PK11Context *context;
-    unsigned int max_length;
-    unsigned int out_length;
-    SECStatus rv;
-
-    /* len will be passed to PK11_DigestOp as unsigned. */
-    if (len < 0) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    context = PK11_CreateDigestContext(hashAlg);
-    if (context == NULL) return SECFailure;
-
-    rv = PK11_DigestBegin(context);
-    if (rv != SECSuccess) {
-	PK11_DestroyContext(context, PR_TRUE);
-	return rv;
-    }
-
-    rv = PK11_DigestOp(context, in, len);
-    if (rv != SECSuccess) {
-	PK11_DestroyContext(context, PR_TRUE);
-	return rv;
-    }
-
-    /* XXX This really should have been an argument to this function! */
-    max_length = HASH_ResultLenByOidTag(hashAlg);
-    PORT_Assert(max_length);
-    if (!max_length)
-    	max_length = HASH_LENGTH_MAX;
-
-    rv = PK11_DigestFinal(context,out,&out_length,max_length);
-    PK11_DestroyContext(context, PR_TRUE);
-    return rv;
-}
-
-
-/*
- * execute a bulk encryption operation
- */
-SECStatus
-PK11_CipherOp(PK11Context *context, unsigned char * out, int *outlen, 
-				int maxout, unsigned char *in, int inlen)
-{
-    CK_RV crv = CKR_OK;
-    CK_ULONG length = maxout;
-    CK_ULONG offset =0;
-    SECStatus rv = SECSuccess;
-    unsigned char *saveOut = out;
-    unsigned char *allocOut = NULL;
-
-    /* if we ran out of session, we need to restore our previously stored
-     * state.
-     */
-    PK11_EnterContextMonitor(context);
-    if (!context->ownSession) {
-        rv = pk11_restoreContext(context,context->savedData,
-							context->savedLength);
-	if (rv != SECSuccess) {
-	    PK11_ExitContextMonitor(context);
-	    return rv;
-	}
-    }
-
-    /*
-     * The fortezza hack is to send 8 extra bytes on the first encrypted and
-     * loose them on the first decrypt.
-     */
-    if (context->fortezzaHack) {
-	unsigned char random[8];
-	if (context->operation == CKA_ENCRYPT) {
-	    PK11_ExitContextMonitor(context);
-	    rv = PK11_GenerateRandom(random,sizeof(random));
-    	    PK11_EnterContextMonitor(context);
-
-	    /* since we are offseting the output, we can't encrypt back into
-	     * the same buffer... allocate a temporary buffer just for this
-	     * call. */
-	    allocOut = out = (unsigned char*)PORT_Alloc(maxout);
-	    if (out == NULL) {
-		PK11_ExitContextMonitor(context);
-		return SECFailure;
-	    }
-	    crv = PK11_GETTAB(context->slot)->C_EncryptUpdate(context->session,
-		random,sizeof(random),out,&length);
-
-	    out += length;
-	    maxout -= length;
-	    offset = length;
-	} else if (context->operation == CKA_DECRYPT) {
-	    length = sizeof(random);
-	    crv = PK11_GETTAB(context->slot)->C_DecryptUpdate(context->session,
-		in,sizeof(random),random,&length);
-	    inlen -= length;
-	    in += length;
-	    context->fortezzaHack = PR_FALSE;
-	}
-    }
-
-    switch (context->operation) {
-    case CKA_ENCRYPT:
-	length = maxout;
-	crv=PK11_GETTAB(context->slot)->C_EncryptUpdate(context->session,
-						in, inlen, out, &length);
-	length += offset;
-	break;
-    case CKA_DECRYPT:
-	length = maxout;
-	crv=PK11_GETTAB(context->slot)->C_DecryptUpdate(context->session,
-						in, inlen, out, &length);
-	break;
-    default:
-	crv = CKR_OPERATION_NOT_INITIALIZED;
-	break;
-    }
-
-    if (crv != CKR_OK) {
-        PORT_SetError( PK11_MapError(crv) );
-	*outlen = 0;
-        rv = SECFailure;
-    } else {
-    	*outlen = length;
-    }
-
-    if (context->fortezzaHack) {
-	if (context->operation == CKA_ENCRYPT) {
-	    PORT_Assert(allocOut);
-	    PORT_Memcpy(saveOut, allocOut, length);
-	    PORT_Free(allocOut);
-	}
-	context->fortezzaHack = PR_FALSE;
-    }
-
-    /*
-     * handle session starvation case.. use our last session to multiplex
-     */
-    if (!context->ownSession) {
-	context->savedData = pk11_saveContext(context,context->savedData,
-				&context->savedLength);
-	if (context->savedData == NULL) rv = SECFailure;
-	
-	/* clear out out session for others to use */
-	pk11_Finalize(context);
-    }
-    PK11_ExitContextMonitor(context);
-    return rv;
-}
-
-/*
- * execute a digest/signature operation
- */
-SECStatus
-PK11_DigestOp(PK11Context *context, const unsigned char * in, unsigned inLen) 
-{
-    CK_RV crv = CKR_OK;
-    SECStatus rv = SECSuccess;
-
-    if (!in) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    /* if we ran out of session, we need to restore our previously stored
-     * state.
-     */
-    context->init = PR_FALSE;
-    PK11_EnterContextMonitor(context);
-    if (!context->ownSession) {
-        rv = pk11_restoreContext(context,context->savedData,
-							context->savedLength);
-	if (rv != SECSuccess) {
-	    PK11_ExitContextMonitor(context);
-	    return rv;
-	}
-    }
-
-    switch (context->operation) {
-    /* also for MAC'ing */
-    case CKA_SIGN:
-	crv=PK11_GETTAB(context->slot)->C_SignUpdate(context->session,
-						     (unsigned char *)in, 
-						     inLen);
-	break;
-    case CKA_VERIFY:
-	crv=PK11_GETTAB(context->slot)->C_VerifyUpdate(context->session,
-						       (unsigned char *)in, 
-						       inLen);
-	break;
-    case CKA_DIGEST:
-	crv=PK11_GETTAB(context->slot)->C_DigestUpdate(context->session,
-						       (unsigned char *)in, 
-						       inLen);
-	break;
-    default:
-	crv = CKR_OPERATION_NOT_INITIALIZED;
-	break;
-    }
-
-    if (crv != CKR_OK) {
-        PORT_SetError( PK11_MapError(crv) );
-        rv = SECFailure;
-    }
-
-    /*
-     * handle session starvation case.. use our last session to multiplex
-     */
-    if (!context->ownSession) {
-	context->savedData = pk11_saveContext(context,context->savedData,
-				&context->savedLength);
-	if (context->savedData == NULL) rv = SECFailure;
-	
-	/* clear out out session for others to use */
-	pk11_Finalize(context);
-    }
-    PK11_ExitContextMonitor(context);
-    return rv;
-}
-
-/*
- * Digest a key if possible./
- */
-SECStatus
-PK11_DigestKey(PK11Context *context, PK11SymKey *key)
-{
-    CK_RV crv = CKR_OK;
-    SECStatus rv = SECSuccess;
-    PK11SymKey *newKey = NULL;
-
-    if (!context || !key) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    /* if we ran out of session, we need to restore our previously stored
-     * state.
-     */
-    if (context->slot != key->slot) {
-	newKey = pk11_CopyToSlot(context->slot,CKM_SSL3_SHA1_MAC,CKA_SIGN,key);
-    } else {
-	newKey = PK11_ReferenceSymKey(key);
-    }
-
-    context->init = PR_FALSE;
-    PK11_EnterContextMonitor(context);
-    if (!context->ownSession) {
-        rv = pk11_restoreContext(context,context->savedData,
-							context->savedLength);
-	if (rv != SECSuccess) {
-	    PK11_ExitContextMonitor(context);
-            PK11_FreeSymKey(newKey);
-	    return rv;
-	}
-    }
-
-
-    if (newKey == NULL) {
-	crv = CKR_KEY_TYPE_INCONSISTENT;
-	if (key->data.data) {
-	    crv=PK11_GETTAB(context->slot)->C_DigestUpdate(context->session,
-					key->data.data,key->data.len);
-	}
-    } else {
-	crv=PK11_GETTAB(context->slot)->C_DigestKey(context->session,
-							newKey->objectID);
-    }
-
-    if (crv != CKR_OK) {
-        PORT_SetError( PK11_MapError(crv) );
-        rv = SECFailure;
-    }
-
-    /*
-     * handle session starvation case.. use our last session to multiplex
-     */
-    if (!context->ownSession) {
-	context->savedData = pk11_saveContext(context,context->savedData,
-				&context->savedLength);
-	if (context->savedData == NULL) rv = SECFailure;
-	
-	/* clear out out session for others to use */
-	pk11_Finalize(context);
-    }
-    PK11_ExitContextMonitor(context);
-    if (newKey) PK11_FreeSymKey(newKey);
-    return rv;
-}
-
-/*
- * externally callable version of the lowercase pk11_finalize().
- */
-SECStatus
-PK11_Finalize(PK11Context *context) {
-    SECStatus rv;
-
-    PK11_EnterContextMonitor(context);
-    rv = pk11_Finalize(context);
-    PK11_ExitContextMonitor(context);
-    return rv;
-}
-
-/*
- * clean up a cipher operation, so the session can be used by
- * someone new.
- */
-SECStatus
-pk11_Finalize(PK11Context *context)
-{
-    CK_ULONG count = 0;
-    CK_RV crv;
-    unsigned char stackBuf[256];
-    unsigned char *buffer = NULL;
-
-    if (!context->ownSession) {
-	return SECSuccess;
-    }
-
-finalize:
-    switch (context->operation) {
-    case CKA_ENCRYPT:
-	crv=PK11_GETTAB(context->slot)->C_EncryptFinal(context->session,
-	                                               buffer, &count);
-	break;
-    case CKA_DECRYPT:
-	crv = PK11_GETTAB(context->slot)->C_DecryptFinal(context->session,
-	                                                 buffer, &count);
-	break;
-    case CKA_SIGN:
-	crv=PK11_GETTAB(context->slot)->C_SignFinal(context->session,
-	                                            buffer, &count);
-	break;
-    case CKA_VERIFY:
-	crv=PK11_GETTAB(context->slot)->C_VerifyFinal(context->session,
-	                                              buffer, count);
-	break;
-    case CKA_DIGEST:
-	crv=PK11_GETTAB(context->slot)->C_DigestFinal(context->session,
-	                                              buffer, &count);
-	break;
-    default:
-	crv = CKR_OPERATION_NOT_INITIALIZED;
-	break;
-    }
-
-    if (crv != CKR_OK) {
-	if (buffer != stackBuf) {
-	    PORT_Free(buffer);
-	}
-	if (crv == CKR_OPERATION_NOT_INITIALIZED) {
-	    /* if there's no operation, it is finalized */
-	    return SECSuccess;
-	}
-        PORT_SetError( PK11_MapError(crv) );
-        return SECFailure;
-    }
-
-    /* try to finalize the session with a buffer */
-    if (buffer == NULL) { 
-	if (count <= sizeof stackBuf) {
-	    buffer = stackBuf;
-	} else {
-	    buffer = PORT_Alloc(count);
-	    if (buffer == NULL) {
-		PORT_SetError(SEC_ERROR_NO_MEMORY);
-		return SECFailure;
-	    }
-	}
-	goto finalize;
-    }
-    if (buffer != stackBuf) {
-	PORT_Free(buffer);
-    }
-    return SECSuccess;
-}
-
-/*
- *  Return the final digested or signed data...
- *  this routine can either take pre initialized data, or allocate data
- *  either out of an arena or out of the standard heap.
- */
-SECStatus
-PK11_DigestFinal(PK11Context *context,unsigned char *data, 
-			unsigned int *outLen, unsigned int length)
-{
-    CK_ULONG len;
-    CK_RV crv;
-    SECStatus rv;
-
-
-    /* if we ran out of session, we need to restore our previously stored
-     * state.
-     */
-    PK11_EnterContextMonitor(context);
-    if (!context->ownSession) {
-        rv = pk11_restoreContext(context,context->savedData,
-							context->savedLength);
-	if (rv != SECSuccess) {
-	    PK11_ExitContextMonitor(context);
-	    return rv;
-	}
-    }
-
-    len = length;
-    switch (context->operation) {
-    case CKA_SIGN:
-	crv=PK11_GETTAB(context->slot)->C_SignFinal(context->session,
-				data,&len);
-	break;
-    case CKA_VERIFY:
-	crv=PK11_GETTAB(context->slot)->C_VerifyFinal(context->session,
-				data,len);
-	break;
-    case CKA_DIGEST:
-	crv=PK11_GETTAB(context->slot)->C_DigestFinal(context->session,
-				data,&len);
-	break;
-    case CKA_ENCRYPT:
-	crv=PK11_GETTAB(context->slot)->C_EncryptFinal(context->session,
-				data, &len);
-	break;
-    case CKA_DECRYPT:
-	crv = PK11_GETTAB(context->slot)->C_DecryptFinal(context->session,
-				data, &len);
-	break;
-    default:
-	crv = CKR_OPERATION_NOT_INITIALIZED;
-	break;
-    }
-    PK11_ExitContextMonitor(context);
-
-    *outLen = (unsigned int) len;
-    context->init = PR_FALSE; /* allow Begin to start up again */
-
-
-    if (crv != CKR_OK) {
-        PORT_SetError( PK11_MapError(crv) );
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
diff --git a/security/nss/lib/pk11wrap/pk11err.c b/security/nss/lib/pk11wrap/pk11err.c
deleted file mode 100644
index a63475636..000000000
--- a/security/nss/lib/pk11wrap/pk11err.c
+++ /dev/null
@@ -1,154 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* 
- * this file maps PKCS11 Errors into SECErrors
- *  This is an information reducing process, since most errors are reflected
- *  back to the user (the user doesn't care about invalid flags, or active
- *  operations). If any of these errors need more detail in the upper layers
- *  which call PK11 library functions, we can add more SEC_ERROR_XXX functions
- *  and change there mappings here.
- */
-#include "pkcs11t.h"
-#include "pk11func.h"
-#include "secerr.h"
-
-#ifdef PK11_ERROR_USE_ARRAY 
-
-/*
- * build a static array of entries...
- */
-static struct {
-	CK_RV pk11_error;
-	int   sec_error;
-} pk11_error_map = {
-#define MAPERROR(x,y) {x, y},
-
-#else
-
-/* the default is to use a big switch statement */
-int
-PK11_MapError(CK_RV rv) {
-
-	switch (rv) {
-#define MAPERROR(x,y) case x: return y;
-
-#endif
-
-/* the guts mapping */
-	MAPERROR(CKR_OK, 0)
-	MAPERROR(CKR_CANCEL, SEC_ERROR_IO)
-	MAPERROR(CKR_HOST_MEMORY, SEC_ERROR_NO_MEMORY)
-	MAPERROR(CKR_SLOT_ID_INVALID, SEC_ERROR_BAD_DATA)
-	MAPERROR(CKR_ATTRIBUTE_READ_ONLY, SEC_ERROR_READ_ONLY)
-	MAPERROR(CKR_ATTRIBUTE_SENSITIVE, SEC_ERROR_IO) /* XX SENSITIVE */
-	MAPERROR(CKR_ATTRIBUTE_TYPE_INVALID, SEC_ERROR_BAD_DATA)
-	MAPERROR(CKR_ATTRIBUTE_VALUE_INVALID, SEC_ERROR_BAD_DATA)
-	MAPERROR(CKR_DATA_INVALID, SEC_ERROR_BAD_DATA)
-	MAPERROR(CKR_DATA_LEN_RANGE, SEC_ERROR_BAD_DATA)
-	MAPERROR(CKR_DEVICE_ERROR, SEC_ERROR_IO)
-	MAPERROR(CKR_DEVICE_MEMORY, SEC_ERROR_NO_MEMORY)
-	MAPERROR(CKR_DEVICE_REMOVED, SEC_ERROR_NO_TOKEN)
-	MAPERROR(CKR_ENCRYPTED_DATA_INVALID, SEC_ERROR_BAD_DATA)
-	MAPERROR(CKR_ENCRYPTED_DATA_LEN_RANGE, SEC_ERROR_BAD_DATA)
-	MAPERROR(CKR_FUNCTION_CANCELED, SEC_ERROR_LIBRARY_FAILURE)
-	MAPERROR(CKR_FUNCTION_NOT_PARALLEL, SEC_ERROR_LIBRARY_FAILURE)
-	MAPERROR(CKR_KEY_HANDLE_INVALID, SEC_ERROR_INVALID_KEY)
-	MAPERROR(CKR_KEY_SIZE_RANGE, SEC_ERROR_INVALID_KEY)
-	MAPERROR(CKR_KEY_TYPE_INCONSISTENT, SEC_ERROR_INVALID_KEY)
-	MAPERROR(CKR_MECHANISM_INVALID, SEC_ERROR_BAD_DATA)
-	MAPERROR(CKR_MECHANISM_PARAM_INVALID, SEC_ERROR_BAD_DATA)
-	MAPERROR(CKR_NO_EVENT, SEC_ERROR_NO_EVENT)
-	MAPERROR(CKR_OBJECT_HANDLE_INVALID, SEC_ERROR_BAD_DATA)
-	MAPERROR(CKR_OPERATION_ACTIVE, SEC_ERROR_LIBRARY_FAILURE)
-	MAPERROR(CKR_OPERATION_NOT_INITIALIZED,SEC_ERROR_LIBRARY_FAILURE )
-	MAPERROR(CKR_PIN_INCORRECT, SEC_ERROR_BAD_PASSWORD)
-	MAPERROR(CKR_PIN_INVALID, SEC_ERROR_INVALID_PASSWORD)
-	MAPERROR(CKR_PIN_LEN_RANGE, SEC_ERROR_INVALID_PASSWORD)
-	MAPERROR(CKR_SESSION_CLOSED, SEC_ERROR_LIBRARY_FAILURE)
-	MAPERROR(CKR_SESSION_COUNT, SEC_ERROR_NO_MEMORY) /* XXXX? */
-	MAPERROR(CKR_SESSION_HANDLE_INVALID, SEC_ERROR_BAD_DATA)
-	MAPERROR(CKR_SESSION_PARALLEL_NOT_SUPPORTED, SEC_ERROR_LIBRARY_FAILURE)
-	MAPERROR(CKR_SESSION_READ_ONLY, SEC_ERROR_LIBRARY_FAILURE)
-	MAPERROR(CKR_SIGNATURE_INVALID, SEC_ERROR_BAD_SIGNATURE)
-	MAPERROR(CKR_SIGNATURE_LEN_RANGE, SEC_ERROR_BAD_SIGNATURE)
-	MAPERROR(CKR_TEMPLATE_INCOMPLETE, SEC_ERROR_BAD_DATA)
-	MAPERROR(CKR_TEMPLATE_INCONSISTENT, SEC_ERROR_BAD_DATA)
-	MAPERROR(CKR_TOKEN_NOT_PRESENT, SEC_ERROR_NO_TOKEN)
-	MAPERROR(CKR_TOKEN_NOT_RECOGNIZED, SEC_ERROR_IO)
-	MAPERROR(CKR_TOKEN_WRITE_PROTECTED, SEC_ERROR_READ_ONLY)
-	MAPERROR(CKR_UNWRAPPING_KEY_HANDLE_INVALID, SEC_ERROR_INVALID_KEY)
-	MAPERROR(CKR_UNWRAPPING_KEY_SIZE_RANGE, SEC_ERROR_INVALID_KEY)
-	MAPERROR(CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT, SEC_ERROR_INVALID_KEY)
-	MAPERROR(CKR_USER_ALREADY_LOGGED_IN, 0)
-	MAPERROR(CKR_USER_NOT_LOGGED_IN, SEC_ERROR_LIBRARY_FAILURE) /* XXXX */
-	MAPERROR(CKR_USER_PIN_NOT_INITIALIZED, SEC_ERROR_NO_TOKEN)
-	MAPERROR(CKR_USER_TYPE_INVALID, SEC_ERROR_LIBRARY_FAILURE)
-	MAPERROR(CKR_WRAPPED_KEY_INVALID, SEC_ERROR_INVALID_KEY)
-	MAPERROR(CKR_WRAPPED_KEY_LEN_RANGE, SEC_ERROR_INVALID_KEY)
-	MAPERROR(CKR_WRAPPING_KEY_HANDLE_INVALID, SEC_ERROR_INVALID_KEY)
-	MAPERROR(CKR_WRAPPING_KEY_SIZE_RANGE, SEC_ERROR_INVALID_KEY)
-	MAPERROR(CKR_WRAPPING_KEY_TYPE_INCONSISTENT, SEC_ERROR_INVALID_KEY)
-	MAPERROR(CKR_VENDOR_DEFINED, SEC_ERROR_LIBRARY_FAILURE)
-	MAPERROR(CKR_NETSCAPE_CERTDB_FAILED, SEC_ERROR_BAD_DATABASE)
-	MAPERROR(CKR_NETSCAPE_KEYDB_FAILED, SEC_ERROR_BAD_DATABASE)
-	MAPERROR(CKR_CANT_LOCK, SEC_ERROR_INCOMPATIBLE_PKCS11)
-
-#ifdef PK11_ERROR_USE_ARRAY 
-};
-
-int
-PK11_MapError(CK_RV rv) {
-    int size = sizeof(pk11_error_map)/sizeof(pk11_error_map[0]);
-
-    for (i=0; i < size; i++) {
-	if (pk11_error_map[i].pk11_error == rv) {
-	    return pk11_error_map[i].sec_error;
-	}
-    }
-    return SEC_ERROR_IO;
- }
-
-
-#else
-
-    default:
-	break;
-    }
-    return SEC_ERROR_IO;
-}
-
-
-#endif
diff --git a/security/nss/lib/pk11wrap/pk11func.h b/security/nss/lib/pk11wrap/pk11func.h
deleted file mode 100644
index 087d094cf..000000000
--- a/security/nss/lib/pk11wrap/pk11func.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#ifndef _PK11FUNC_H_
-#define _PK11FUNC_H_
-
-/*
- * the original pk11func.h had a mix of public and private functions.
- * continue to provide those for backward compatibility.
- */
-#include "pk11pub.h"
-#include "pk11priv.h"
-
-#endif
diff --git a/security/nss/lib/pk11wrap/pk11init.h b/security/nss/lib/pk11wrap/pk11init.h
deleted file mode 100644
index d91a0d37f..000000000
--- a/security/nss/lib/pk11wrap/pk11init.h
+++ /dev/null
@@ -1,55 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * Internal header file included in pk11wrap dir, or in softoken
- */
-#ifndef _PK11_INIT_H_
-#define _PK11_INIT_H_ 1
-
-/* hold slot default flags until we initialize a slot. This structure is only
- * useful between the time we define a module (either by hand or from the
- * database) and the time the module is loaded. Not reference counted  */
-struct PK11PreSlotInfoStr {
-    CK_SLOT_ID slotID;  	/* slot these flags are for */
-    unsigned long defaultFlags; /* bit mask of default implementation this slot
-				 * provides */
-    int askpw;			/* slot specific password bits */
-    long timeout;		/* slot specific timeout value */
-    char hasRootCerts;		/* is this the root cert PKCS #11 module? */
-    char hasRootTrust;		/* is this the root cert PKCS #11 module? */
-};
-
-#endif /* _PK11_INIT_H_ 1 */
diff --git a/security/nss/lib/pk11wrap/pk11kea.c b/security/nss/lib/pk11wrap/pk11kea.c
deleted file mode 100644
index a0db40729..000000000
--- a/security/nss/lib/pk11wrap/pk11kea.c
+++ /dev/null
@@ -1,234 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * This file implements the Symkey wrapper and the PKCS context
- * Interfaces.
- */
-
-#include "seccomon.h"
-#include "secmod.h"
-#include "nssilock.h"
-#include "secmodi.h"
-#include "secmodti.h"
-#include "pkcs11.h"
-#include "pk11func.h"
-#include "secitem.h"
-#include "key.h"
-#include "secasn1.h"
-#include "sechash.h"
-#include "cert.h"
-#include "secerr.h"
-
-/*
- * find an RSA public key on a card
- */
-static CK_OBJECT_HANDLE
-pk11_FindRSAPubKey(PK11SlotInfo *slot)
-{
-    CK_KEY_TYPE key_type = CKK_RSA;
-    CK_OBJECT_CLASS class_type = CKO_PUBLIC_KEY;
-    CK_ATTRIBUTE theTemplate[2];
-    int template_count = sizeof(theTemplate)/sizeof(theTemplate[0]);
-    CK_ATTRIBUTE *attrs = theTemplate;
-
-    PK11_SETATTRS(attrs,CKA_CLASS,&class_type,sizeof(class_type)); attrs++;
-    PK11_SETATTRS(attrs,CKA_KEY_TYPE,&key_type,sizeof(key_type)); attrs++;
-    template_count = attrs - theTemplate;
-    PR_ASSERT(template_count <= sizeof(theTemplate)/sizeof(CK_ATTRIBUTE));
-
-    return pk11_FindObjectByTemplate(slot,theTemplate,template_count);
-}
-
-PK11SymKey *
-pk11_KeyExchange(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
-		 CK_ATTRIBUTE_TYPE operation, CK_FLAGS flags, 
-					PRBool isPerm, PK11SymKey *symKey)
-{
-    PK11SymKey *newSymKey = NULL;
-    SECStatus rv;
-    /* performance improvement can go here --- use a generated key at startup
-     * to generate a per token wrapping key. If it exists, use it, otherwise 
-     * do a full key exchange. */
-
-    /* find a common Key Exchange algorithm */
-    /* RSA */
-    if (PK11_DoesMechanism(symKey->slot, CKM_RSA_PKCS) && 
-				PK11_DoesMechanism(slot,CKM_RSA_PKCS)) {
-	CK_OBJECT_HANDLE pubKeyHandle = CK_INVALID_HANDLE;
-	CK_OBJECT_HANDLE privKeyHandle = CK_INVALID_HANDLE;
-	SECKEYPublicKey *pubKey = NULL;
-	SECKEYPrivateKey *privKey = NULL;
-	SECItem wrapData;
-	unsigned int     symKeyLength = PK11_GetKeyLength(symKey);
-
-	wrapData.data = NULL;
-
-	/* find RSA Public Key on target */
-	pubKeyHandle = pk11_FindRSAPubKey(slot);
-	if (pubKeyHandle != CK_INVALID_HANDLE) {
-	    privKeyHandle = PK11_MatchItem(slot,pubKeyHandle,CKO_PRIVATE_KEY);
-	}
-
-	/* if no key exists, generate a key pair */
-	if (privKeyHandle == CK_INVALID_HANDLE) {
-	    PK11RSAGenParams rsaParams;
-
-	    if (symKeyLength > 53) /* bytes */ {
-		/* we'd have to generate an RSA key pair > 512 bits long,
-		** and that's too costly.  Don't even try. 
-		*/
-		PORT_SetError( SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY );
-		goto rsa_failed;
-	    }
-	    rsaParams.keySizeInBits = 
-	        (symKeyLength > 21 || symKeyLength == 0) ? 512 : 256;
-	    rsaParams.pe  = 0x10001;
-	    privKey = PK11_GenerateKeyPair(slot,CKM_RSA_PKCS_KEY_PAIR_GEN, 
-			    &rsaParams, &pubKey,PR_FALSE,PR_TRUE,symKey->cx);
-	} else {
-	    /* if keys exist, build SECKEY data structures for them */
-	    privKey = PK11_MakePrivKey(slot,nullKey, PR_TRUE, privKeyHandle,
-					symKey->cx);
-	    if (privKey != NULL) {
-    		pubKey = PK11_ExtractPublicKey(slot, rsaKey, pubKeyHandle);
-		if (pubKey && pubKey->pkcs11Slot) {
-		    PK11_FreeSlot(pubKey->pkcs11Slot);
-		    pubKey->pkcs11Slot = NULL;
-		    pubKey->pkcs11ID = CK_INVALID_HANDLE;
-		}
-	    }
-	}
-	if (privKey == NULL) goto rsa_failed;
-	if (pubKey == NULL)  goto rsa_failed;
-
-        wrapData.len  = SECKEY_PublicKeyStrength(pubKey);
-        if (!wrapData.len) goto rsa_failed;
-        wrapData.data = PORT_Alloc(wrapData.len);
-        if (wrapData.data == NULL) goto rsa_failed;
-
-	/* now wrap the keys in and out */
-	rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, pubKey, symKey, &wrapData);
-	if (rv == SECSuccess) {
-	    newSymKey = PK11_PubUnwrapSymKeyWithFlagsPerm(privKey,
-			&wrapData,type,operation,symKeyLength,flags,isPerm);
-	}
-rsa_failed:
-	if (wrapData.data != NULL) PORT_Free(wrapData.data);
-	if (privKey != NULL) SECKEY_DestroyPrivateKey(privKey);
-	if (pubKey != NULL) SECKEY_DestroyPublicKey(pubKey);
-
-	return  newSymKey;
-    }
-    /* KEA */
-    if (PK11_DoesMechanism(symKey->slot, CKM_KEA_KEY_DERIVE) && 
-				PK11_DoesMechanism(slot,CKM_KEA_KEY_DERIVE)) {
-	CERTCertificate *certSource = NULL;
-	CERTCertificate *certTarget = NULL;
-	SECKEYPublicKey *pubKeySource = NULL;
-	SECKEYPublicKey *pubKeyTarget = NULL;
-	SECKEYPrivateKey *privKeySource = NULL;
-	SECKEYPrivateKey *privKeyTarget = NULL;
-	PK11SymKey *tekSource = NULL;
-	PK11SymKey *tekTarget = NULL;
-	SECItem Ra,wrap;
-
-	/* can only exchange skipjack keys */
-	if ((type != CKM_SKIPJACK_CBC64) || (isPerm)) {
-    	    PORT_SetError( SEC_ERROR_NO_MODULE );
-	    goto kea_failed;
-	}
-
-	/* find a pair of certs we can use */
-	rv = PK11_GetKEAMatchedCerts(symKey->slot,slot,&certSource,&certTarget);
-	if (rv != SECSuccess) goto kea_failed;
-
-	/* get all the key pairs */
-	pubKeyTarget = CERT_ExtractPublicKey(certSource);
-	pubKeySource = CERT_ExtractPublicKey(certTarget);
-	privKeySource = 
-		PK11_FindKeyByDERCert(symKey->slot,certSource,symKey->cx);
-	privKeyTarget = 
-		PK11_FindKeyByDERCert(slot,certTarget,symKey->cx);
-
-	if ((pubKeySource == NULL) || (pubKeyTarget == NULL) ||
-	  (privKeySource == NULL) || (privKeyTarget == NULL)) goto kea_failed;
-
-	/* generate the wrapping TEK's */
-	Ra.data = (unsigned char*)PORT_Alloc(128 /* FORTEZZA RA MAGIC */);
-	Ra.len = 128;
-	if (Ra.data == NULL) goto kea_failed;
-
-	tekSource = PK11_PubDerive(privKeySource,pubKeyTarget,PR_TRUE,&Ra,NULL,
-		CKM_SKIPJACK_WRAP, CKM_KEA_KEY_DERIVE,CKA_WRAP,0,symKey->cx);
-	tekTarget = PK11_PubDerive(privKeyTarget,pubKeySource,PR_FALSE,&Ra,NULL,
-		CKM_SKIPJACK_WRAP, CKM_KEA_KEY_DERIVE,CKA_WRAP,0,symKey->cx);
-	PORT_Free(Ra.data);
-
-	if ((tekSource == NULL) || (tekTarget == NULL)) { goto kea_failed; }
-
-	/* wrap the key out of Source into target */
-	wrap.data = (unsigned char*)PORT_Alloc(12); /* MAGIC SKIPJACK LEN */
-	wrap.len = 12;
-
-	/* paranoia to prevent infinite recursion on bugs */
-	PORT_Assert(tekSource->slot == symKey->slot);
-	if (tekSource->slot != symKey->slot) {
-    	    PORT_SetError( SEC_ERROR_NO_MODULE );
-	    goto kea_failed;
-	}
-
-	rv = PK11_WrapSymKey(CKM_SKIPJACK_WRAP,NULL,tekSource,symKey,&wrap);
-	if (rv == SECSuccess) {
-	    newSymKey = PK11_UnwrapSymKeyWithFlags(tekTarget, 
-			CKM_SKIPJACK_WRAP, NULL,
-			&wrap, type, operation, flags, symKey->size);
-	}
-	PORT_Free(wrap.data);
-kea_failed:
-	if (certSource == NULL) CERT_DestroyCertificate(certSource);
-	if (certTarget == NULL) CERT_DestroyCertificate(certTarget);
-	if (pubKeySource == NULL) SECKEY_DestroyPublicKey(pubKeySource);
-	if (pubKeyTarget == NULL) SECKEY_DestroyPublicKey(pubKeyTarget);
-	if (privKeySource == NULL) SECKEY_DestroyPrivateKey(privKeySource);
-	if (privKeyTarget == NULL) SECKEY_DestroyPrivateKey(privKeyTarget);
-	if (tekSource == NULL) PK11_FreeSymKey(tekSource);
-	if (tekTarget == NULL) PK11_FreeSymKey(tekTarget);
-	return newSymKey;
-    }
-    PORT_SetError( SEC_ERROR_NO_MODULE );
-    return NULL;
-}
-
diff --git a/security/nss/lib/pk11wrap/pk11list.c b/security/nss/lib/pk11wrap/pk11list.c
deleted file mode 100644
index 24885b832..000000000
--- a/security/nss/lib/pk11wrap/pk11list.c
+++ /dev/null
@@ -1,127 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * Locking and queue management primatives
- *
- */
-
-#include "seccomon.h"
-#include "nssilock.h"
-#include "secmod.h"
-#include "secmodi.h"
-#include "secmodti.h"
-#include "nssrwlk.h"
-
-/*
- * create a new lock for a Module List
- */
-SECMODListLock *SECMOD_NewListLock()
-{
-    return NSSRWLock_New( 10, "moduleListLock");
-}
-
-/*
- * destroy the lock
- */
-void SECMOD_DestroyListLock(SECMODListLock *lock) 
-{
-    NSSRWLock_Destroy(lock);
-}
-
-
-/*
- * Lock the List for Read: NOTE: this assumes the reading isn't so common
- * the writing will be starved.
- */
-void SECMOD_GetReadLock(SECMODListLock *modLock) 
-{
-    NSSRWLock_LockRead(modLock);
-}
-
-/*
- * Release the Read lock
- */
-void SECMOD_ReleaseReadLock(SECMODListLock *modLock) 
-{
-    NSSRWLock_UnlockRead(modLock);
-}
-
-
-/*
- * lock the list for Write
- */
-void SECMOD_GetWriteLock(SECMODListLock *modLock) 
-{
-    NSSRWLock_LockWrite(modLock);
-}
-
-
-/*
- * Release the Write Lock: NOTE, this code is pretty inefficient if you have
- * lots of write collisions.
- */
-void SECMOD_ReleaseWriteLock(SECMODListLock *modLock) 
-{
-    NSSRWLock_UnlockWrite(modLock);
-}
-
-
-/*
- * must Hold the Write lock
- */
-void
-SECMOD_RemoveList(SECMODModuleList **parent, SECMODModuleList *child) 
-{
-    *parent = child->next;
-    child->next = NULL;
-}
-
-/*
- * if lock is not specified, it must already be held
- */
-void
-SECMOD_AddList(SECMODModuleList *parent, SECMODModuleList *child, 
-							SECMODListLock *lock) 
-{
-    if (lock) { SECMOD_GetWriteLock(lock); }
-
-    child->next = parent->next;
-    parent->next = child;
-
-   if (lock) { SECMOD_ReleaseWriteLock(lock); }
-}
-
-
diff --git a/security/nss/lib/pk11wrap/pk11load.c b/security/nss/lib/pk11wrap/pk11load.c
deleted file mode 100644
index d0d305eb4..000000000
--- a/security/nss/lib/pk11wrap/pk11load.c
+++ /dev/null
@@ -1,433 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * The following handles the loading, unloading and management of
- * various PCKS #11 modules
- */
-#include "seccomon.h"
-#include "pkcs11.h"
-#include "secmod.h"
-#include "prlink.h"
-#include "pk11func.h"
-#include "secmodi.h"
-#include "secmodti.h"
-#include "nssilock.h"
-#include "secerr.h"
-
-extern void FC_GetFunctionList(void);
-extern void NSC_GetFunctionList(void);
-extern void NSC_ModuleDBFunc(void);
-
-#ifdef DEBUG
-#define DEBUG_MODULE 1
-#endif
-
-#ifdef DEBUG_MODULE
-static char *modToDBG = NULL;
-
-#include "debug_module.c"
-#endif
-
-/* build the PKCS #11 2.01 lock files */
-CK_RV PR_CALLBACK secmodCreateMutext(CK_VOID_PTR_PTR pmutex) {
-    *pmutex = (CK_VOID_PTR) PZ_NewLock(nssILockOther);
-    if ( *pmutex ) return CKR_OK;
-    return CKR_HOST_MEMORY;
-}
-
-CK_RV PR_CALLBACK secmodDestroyMutext(CK_VOID_PTR mutext) {
-    PZ_DestroyLock((PZLock *)mutext);
-    return CKR_OK;
-}
-
-CK_RV PR_CALLBACK secmodLockMutext(CK_VOID_PTR mutext) {
-    PZ_Lock((PZLock *)mutext);
-    return CKR_OK;
-}
-
-CK_RV PR_CALLBACK secmodUnlockMutext(CK_VOID_PTR mutext) {
-    PZ_Unlock((PZLock *)mutext);
-    return CKR_OK;
-}
-
-static SECMODModuleID  nextModuleID = 1;
-static const CK_C_INITIALIZE_ARGS secmodLockFunctions = {
-    secmodCreateMutext, secmodDestroyMutext, secmodLockMutext, 
-    secmodUnlockMutext, CKF_LIBRARY_CANT_CREATE_OS_THREADS|
-	CKF_OS_LOCKING_OK
-    ,NULL
-};
-
-static PRBool loadSingleThreadedModules = PR_TRUE;
-static PRBool enforceAlreadyInitializedError = PR_TRUE;
-static PRBool finalizeModules = PR_TRUE;
-
-/* set global options for NSS PKCS#11 module loader */
-SECStatus pk11_setGlobalOptions(PRBool noSingleThreadedModules,
-                                PRBool allowAlreadyInitializedModules,
-                                PRBool dontFinalizeModules)
-{
-    if (noSingleThreadedModules) {
-        loadSingleThreadedModules = PR_FALSE;
-    } else {
-        loadSingleThreadedModules = PR_TRUE;
-    }
-    if (allowAlreadyInitializedModules) {
-        enforceAlreadyInitializedError = PR_FALSE;
-    } else {
-        enforceAlreadyInitializedError = PR_TRUE;
-    }
-    if (dontFinalizeModules) {
-        finalizeModules = PR_FALSE;
-    } else {
-        finalizeModules = PR_TRUE;
-    }
-    return SECSuccess;
-}
-
-PRBool pk11_getFinalizeModulesOption(void)
-{
-    return finalizeModules;
-}
-
-/*
- * collect the steps we need to initialize a module in a single function
- */
-SECStatus
-secmod_ModuleInit(SECMODModule *mod, PRBool* alreadyLoaded)
-{
-    CK_C_INITIALIZE_ARGS moduleArgs;
-    CK_VOID_PTR pInitArgs;
-    CK_RV crv;
-
-    if (!mod || !alreadyLoaded) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    if (mod->isThreadSafe == PR_FALSE) {
-	pInitArgs = NULL;
-    } else if (mod->libraryParams == NULL) {
-	pInitArgs = (void *) &secmodLockFunctions;
-    } else {
-	moduleArgs = secmodLockFunctions;
-	moduleArgs.LibraryParameters = (void *) mod->libraryParams;
-	pInitArgs = &moduleArgs;
-    }
-    crv = PK11_GETTAB(mod)->C_Initialize(pInitArgs);
-    if ((CKR_CRYPTOKI_ALREADY_INITIALIZED == crv) &&
-        (!enforceAlreadyInitializedError)) {
-        *alreadyLoaded = PR_TRUE;
-        return SECSuccess;
-    }
-    if (crv != CKR_OK) {
-	if (pInitArgs == NULL ||
-		crv == CKR_NETSCAPE_CERTDB_FAILED ||
-		crv == CKR_NETSCAPE_KEYDB_FAILED) {
-	    PORT_SetError(PK11_MapError(crv));
-	    return SECFailure;
-	}
-	if (!loadSingleThreadedModules) {
-	    PORT_SetError(SEC_ERROR_INCOMPATIBLE_PKCS11);
-	    return SECFailure;
-	}
-	mod->isThreadSafe = PR_FALSE;
-    	crv = PK11_GETTAB(mod)->C_Initialize(NULL);
-	if ((CKR_CRYPTOKI_ALREADY_INITIALIZED == crv) &&
-	    (!enforceAlreadyInitializedError)) {
-	    *alreadyLoaded = PR_TRUE;
-	    return SECSuccess;
-	}
-    	if (crv != CKR_OK)  {
-	    PORT_SetError(PK11_MapError(crv));
-	    return SECFailure;
-	}
-    }
-    return SECSuccess;
-}
-
-/*
- * set the hasRootCerts flags in the module so it can be stored back
- * into the database.
- */
-void
-SECMOD_SetRootCerts(PK11SlotInfo *slot, SECMODModule *mod) {
-    PK11PreSlotInfo *psi = NULL;
-    int i;
-
-    if (slot->hasRootCerts) {
-	for (i=0; i < mod->slotInfoCount; i++) {
-	    if (slot->slotID == mod->slotInfo[i].slotID) {
-		psi = &mod->slotInfo[i];
-		break;
-	    }
-	}
-	if (psi == NULL) {
-	   /* allocate more slots */
-	   PK11PreSlotInfo *psi_list = (PK11PreSlotInfo *)
-		PORT_ArenaAlloc(mod->arena,
-			(mod->slotInfoCount+1)* sizeof(PK11PreSlotInfo));
-	   /* copy the old ones */
-	   if (mod->slotInfoCount > 0) {
-		PORT_Memcpy(psi_list,mod->slotInfo,
-				(mod->slotInfoCount)*sizeof(PK11PreSlotInfo));
-	   }
-	   /* assign psi to the last new slot */
-	   psi = &psi_list[mod->slotInfoCount];
-	   psi->slotID = slot->slotID;
-	   psi->askpw = 0;
-	   psi->timeout = 0;
-	   psi ->defaultFlags = 0;
-
-	   /* increment module count & store new list */
-	   mod->slotInfo = psi_list;
-	   mod->slotInfoCount++;
-	   
-	}
-	psi->hasRootCerts = 1;
-    }
-}
-
-/*
- * load a new module into our address space and initialize it.
- */
-SECStatus
-SECMOD_LoadPKCS11Module(SECMODModule *mod) {
-    PRLibrary *library = NULL;
-    CK_C_GetFunctionList entry = NULL;
-    char * full_name;
-    CK_INFO info;
-    CK_ULONG slotCount = 0;
-    SECStatus rv;
-    PRBool alreadyLoaded = PR_FALSE;
-
-    if (mod->loaded) return SECSuccess;
-
-    /* intenal modules get loaded from their internal list */
-    if (mod->internal) {
-	/* internal, statically get the C_GetFunctionList function */
-	if (mod->isFIPS) {
-	    entry = (CK_C_GetFunctionList) FC_GetFunctionList;
-	} else {
-	    entry = (CK_C_GetFunctionList) NSC_GetFunctionList;
-	}
-	if (mod->isModuleDB) {
-	    mod->moduleDBFunc = (void *) NSC_ModuleDBFunc;
-	}
-	if (mod->moduleDBOnly) {
-	    mod->loaded = PR_TRUE;
-	    return SECSuccess;
-	}
-    } else {
-	/* Not internal, load the DLL and look up C_GetFunctionList */
-	if (mod->dllName == NULL) {
-	    return SECFailure;
-	}
-
-#ifdef notdef
-	/* look up the library name */
-	full_name = PR_GetLibraryName(PR_GetLibraryPath(),mod->dllName);
-	if (full_name == NULL) {
-	    return SECFailure;
-	}
-#else
-	full_name = PORT_Strdup(mod->dllName);
-#endif
-
-	/* load the library. If this succeeds, then we have to remember to
-	 * unload the library if anything goes wrong from here on out...
-	 */
-	library = PR_LoadLibrary(full_name);
-	mod->library = (void *)library;
-	PORT_Free(full_name);
-	if (library == NULL) {
-	    return SECFailure;
-	}
-
-	/*
-	 * now we need to get the entry point to find the function pointers
-	 */
-	if (!mod->moduleDBOnly) {
-	    entry = (CK_C_GetFunctionList)
-			PR_FindSymbol(library, "C_GetFunctionList");
-	}
-	if (mod->isModuleDB) {
-	    mod->moduleDBFunc = (void *)
-			PR_FindSymbol(library, "NSS_ReturnModuleSpecData");
-	}
-	if (mod->moduleDBFunc == NULL) mod->isModuleDB = PR_FALSE;
-	if (entry == NULL) {
-	    if (mod->isModuleDB) {
-		mod->loaded = PR_TRUE;
-		mod->moduleDBOnly = PR_TRUE;
-		return SECSuccess;
-	    }
-	    PR_UnloadLibrary(library);
-	    return SECFailure;
-	}
-    }
-
-    /*
-     * We need to get the function list
-     */
-    if ((*entry)((CK_FUNCTION_LIST_PTR *)&mod->functionList) != CKR_OK) 
-								goto fail;
-
-#ifdef DEBUG_MODULE
-    if (PR_TRUE) {
-	modToDBG = PR_GetEnv("NSS_DEBUG_PKCS11_MODULE");
-	if (modToDBG && strcmp(mod->commonName, modToDBG) == 0) {
-	    mod->functionList = (void *)nss_InsertDeviceLog(
-	                           (CK_FUNCTION_LIST_PTR)mod->functionList);
-	}
-    }
-#endif
-
-    mod->isThreadSafe = PR_TRUE;
-
-    /* Now we initialize the module */
-    rv = secmod_ModuleInit(mod, &alreadyLoaded);
-    if (rv != SECSuccess) {
-	goto fail;
-    }
-
-    /* check the version number */
-    if (PK11_GETTAB(mod)->C_GetInfo(&info) != CKR_OK) goto fail2;
-    if (info.cryptokiVersion.major != 2) goto fail2;
-    /* all 2.0 are a priori *not* thread safe */
-    if (info.cryptokiVersion.minor < 1) {
-        if (!loadSingleThreadedModules) {
-            PORT_SetError(SEC_ERROR_INCOMPATIBLE_PKCS11);
-            goto fail2;
-        } else {
-            mod->isThreadSafe = PR_FALSE;
-        }
-    }
-    mod->cryptokiVersion = info.cryptokiVersion;
-
-    /* If we don't have a common name, get it from the PKCS 11 module */
-    if ((mod->commonName == NULL) || (mod->commonName[0] == 0)) {
-	mod->commonName = PK11_MakeString(mod->arena,NULL,
-	   (char *)info.libraryDescription, sizeof(info.libraryDescription));
-	if (mod->commonName == NULL) goto fail2;
-    }
-    
-
-    /* initialize the Slots */
-    if (PK11_GETTAB(mod)->C_GetSlotList(CK_FALSE, NULL, &slotCount) == CKR_OK) {
-	CK_SLOT_ID *slotIDs;
-	int i;
-	CK_RV crv;
-
-	mod->slots = (PK11SlotInfo **)PORT_ArenaAlloc(mod->arena,
-					sizeof(PK11SlotInfo *) * slotCount);
-	if (mod->slots == NULL) goto fail2;
-
-	slotIDs = (CK_SLOT_ID *) PORT_Alloc(sizeof(CK_SLOT_ID)*slotCount);
-	if (slotIDs == NULL) {
-	    goto fail2;
-	}  
-	crv = PK11_GETTAB(mod)->C_GetSlotList(CK_FALSE, slotIDs, &slotCount);
-	if (crv != CKR_OK) {
-	    PORT_Free(slotIDs);
-	    goto fail2;
-	}
-
-	/* Initialize each slot */
-	for (i=0; i < (int)slotCount; i++) {
-	    mod->slots[i] = PK11_NewSlotInfo(mod);
-	    PK11_InitSlot(mod,slotIDs[i],mod->slots[i]);
-	    /* look down the slot info table */
-	    PK11_LoadSlotList(mod->slots[i],mod->slotInfo,mod->slotInfoCount);
-	    SECMOD_SetRootCerts(mod->slots[i],mod);
-	}
-	mod->slotCount = slotCount;
-	mod->slotInfoCount = 0;
-	PORT_Free(slotIDs);
-    }
-    
-    mod->loaded = PR_TRUE;
-    mod->moduleID = nextModuleID++;
-    return SECSuccess;
-fail2:
-    if (enforceAlreadyInitializedError || (!alreadyLoaded)) {
-        PK11_GETTAB(mod)->C_Finalize(NULL);
-    }
-fail:
-    mod->functionList = NULL;
-    if (library) PR_UnloadLibrary(library);
-    return SECFailure;
-}
-
-SECStatus
-SECMOD_UnloadModule(SECMODModule *mod) {
-    PRLibrary *library;
-
-    if (!mod->loaded) {
-	return SECFailure;
-    }
-    if (finalizeModules) {
-        if (!mod->moduleDBOnly) PK11_GETTAB(mod)->C_Finalize(NULL);
-    }
-    mod->moduleID = 0;
-    mod->loaded = PR_FALSE;
-    
-    /* do we want the semantics to allow unloading the internal library?
-     * if not, we should change this to SECFailure and move it above the
-     * mod->loaded = PR_FALSE; */
-    if (mod->internal) {
-	return SECSuccess;
-    }
-
-    library = (PRLibrary *)mod->library;
-    /* paranoia */
-    if (library == NULL) {
-	return SECFailure;
-    }
-
-    PR_UnloadLibrary(library);
-    return SECSuccess;
-}
-
-void
-nss_DumpModuleLog(void)
-{
-#ifdef DEBUG_MODULE
-    if (modToDBG) {
-	print_final_statistics();
-    }
-#endif
-}
diff --git a/security/nss/lib/pk11wrap/pk11mech.c b/security/nss/lib/pk11wrap/pk11mech.c
deleted file mode 100644
index 1f8f2a372..000000000
--- a/security/nss/lib/pk11wrap/pk11mech.c
+++ /dev/null
@@ -1,1788 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Stephen Henson <stephen.henson@gemplus.com>
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * This file maps various PKCS #11 Mechanisms to related mechanisms, key
- * types, and ASN.1 encodings.
- */
-#include "seccomon.h"
-#include "secmod.h"
-#include "secmodi.h"
-#include "pkcs11t.h"
-#include "pk11func.h"
-#include "secitem.h"
-#include "secder.h"
-#include "secasn1.h" 
-#include "secoid.h"
-#include "secerr.h"
-
-/*************************************************************
- * local static and global data
- *************************************************************/
-
-/*
- * Tables used for Extended mechanism mapping (currently not used)
- */
-typedef struct {
-	CK_MECHANISM_TYPE keyGen;
-	CK_KEY_TYPE keyType;
-	CK_MECHANISM_TYPE type;
-	int blockSize;
-	int iv;
-} pk11MechanismData;
-	
-static pk11MechanismData pk11_default = 
-  { CKM_GENERIC_SECRET_KEY_GEN, CKK_GENERIC_SECRET, CKM_FAKE_RANDOM, 8, 8 };
-static pk11MechanismData *pk11_MechanismTable = NULL;
-static int pk11_MechTableSize = 0;
-static int pk11_MechEntrySize = 0;
-
-/*
- * list of mechanisms we're willing to wrap secret keys with.
- * This list is ordered by preference.
- */
-CK_MECHANISM_TYPE wrapMechanismList[] = {
-    CKM_DES3_ECB,
-    CKM_CAST5_ECB,
-    CKM_AES_ECB,
-    CKM_CAST5_ECB,
-    CKM_DES_ECB,
-    CKM_KEY_WRAP_LYNKS,
-    CKM_IDEA_ECB,
-    CKM_CAST3_ECB,
-    CKM_CAST_ECB,
-    CKM_RC5_ECB,
-    CKM_RC2_ECB,
-    CKM_CDMF_ECB,
-    CKM_SKIPJACK_WRAP,
-};
-
-int wrapMechanismCount = sizeof(wrapMechanismList)/sizeof(wrapMechanismList[0]);
-
-/*********************************************************************
- *       Mechanism Mapping functions
- *********************************************************************/
-
-/*
- * lookup an entry in the mechanism table. If none found, return the
- * default structure.
- */
-static pk11MechanismData *
-pk11_lookup(CK_MECHANISM_TYPE type)
-{
-    int i;
-    for (i=0; i < pk11_MechEntrySize; i++) {
-	if (pk11_MechanismTable[i].type == type) {
-	     return (&pk11_MechanismTable[i]);
-	}
-    }
-    return &pk11_default;
-}
-
-/*
- * find the best key wrap mechanism for this slot.
- */
-CK_MECHANISM_TYPE
-PK11_GetBestWrapMechanism(PK11SlotInfo *slot)
-{
-    int i;
-    for (i=0; i < wrapMechanismCount; i++) {
-	if (PK11_DoesMechanism(slot,wrapMechanismList[i])) {
-	    return wrapMechanismList[i];
-	}
-    }
-    return CKM_INVALID_MECHANISM;
-}
-
-/*
- * NOTE: This is not thread safe. Called at init time, and when loading
- * a new Entry. It is reasonably safe as long as it is not re-entered
- * (readers will always see a consistant table)
- *
- * This routine is called to add entries to the mechanism table, once there,
- * they can not be removed.
- */
-void
-PK11_AddMechanismEntry(CK_MECHANISM_TYPE type, CK_KEY_TYPE key,
-		 	CK_MECHANISM_TYPE keyGen, int ivLen, int blockSize)
-{
-    int tableSize = pk11_MechTableSize;
-    int size = pk11_MechEntrySize;
-    int entry = size++;
-    pk11MechanismData *old = pk11_MechanismTable;
-    pk11MechanismData *newt = pk11_MechanismTable;
-
-	
-    if (size > tableSize) {
-	int oldTableSize = tableSize;
-	tableSize += 10;
-	newt = PORT_NewArray(pk11MechanismData, tableSize);
-	if (newt == NULL) return;
-
-	if (old) PORT_Memcpy(newt, old, oldTableSize*sizeof(*newt));
-    } else old = NULL;
-
-    newt[entry].type = type;
-    newt[entry].keyType = key;
-    newt[entry].keyGen = keyGen;
-    newt[entry].iv = ivLen;
-    newt[entry].blockSize = blockSize;
-
-    pk11_MechanismTable = newt;
-    pk11_MechTableSize = tableSize;
-    pk11_MechEntrySize = size;
-    if (old) PORT_Free(old);
-}
-
-/*
- * Get the key type needed for the given mechanism
- */
-CK_MECHANISM_TYPE
-PK11_GetKeyMechanism(CK_KEY_TYPE type)
-{
-    switch (type) {
-    case CKK_AES:
-	return CKM_AES_CBC;
-    case CKK_DES:
-	return CKM_DES_CBC;
-    case CKK_DES3:
-	return CKM_DES3_KEY_GEN;
-    case CKK_DES2:
-	return CKM_DES2_KEY_GEN;
-    case CKK_CDMF:
-	return CKM_CDMF_CBC;
-    case CKK_RC2:
-	return CKM_RC2_CBC;
-    case CKK_RC4:
-	return CKM_RC4;
-    case CKK_RC5:
-	return CKM_RC5_CBC;
-    case CKK_SKIPJACK:
-	return CKM_SKIPJACK_CBC64;
-    case CKK_BATON:
-	return CKM_BATON_CBC128;
-    case CKK_JUNIPER:
-	return CKM_JUNIPER_CBC128;
-    case CKK_IDEA:
-	return CKM_IDEA_CBC;
-    case CKK_CAST:
-	return CKM_CAST_CBC;
-    case CKK_CAST3:
-	return CKM_CAST3_CBC;
-    case CKK_CAST5:
-	return CKM_CAST5_CBC;
-    case CKK_RSA:
-	return CKM_RSA_PKCS;
-    case CKK_DSA:
-	return CKM_DSA;
-    case CKK_DH:
-	return CKM_DH_PKCS_DERIVE;
-    case CKK_KEA:
-	return CKM_KEA_KEY_DERIVE;
-    case CKK_EC:  /* CKK_ECDSA is deprecated */
-	return CKM_ECDSA;
-    case CKK_GENERIC_SECRET:
-    default:
-	return CKM_SHA_1_HMAC;
-    }
-}
-
-/*
- * Get the key type needed for the given mechanism
- */
-CK_MECHANISM_TYPE
-PK11_GetKeyType(CK_MECHANISM_TYPE type,unsigned long len)
-{
-    switch (type) {
-    case CKM_AES_ECB:
-    case CKM_AES_CBC:
-    case CKM_AES_MAC:
-    case CKM_AES_MAC_GENERAL:
-    case CKM_AES_CBC_PAD:
-    case CKM_AES_KEY_GEN:
-    case CKM_NETSCAPE_AES_KEY_WRAP:
-    case CKM_NETSCAPE_AES_KEY_WRAP_PAD:
-	return CKK_AES;
-    case CKM_DES_ECB:
-    case CKM_DES_CBC:
-    case CKM_DES_MAC:
-    case CKM_DES_MAC_GENERAL:
-    case CKM_DES_CBC_PAD:
-    case CKM_DES_KEY_GEN:
-    case CKM_KEY_WRAP_LYNKS:
-    case CKM_PBE_MD2_DES_CBC:
-    case CKM_PBE_MD5_DES_CBC:
-	return CKK_DES;
-    case CKM_DES3_ECB:
-    case CKM_DES3_CBC:
-    case CKM_DES3_MAC:
-    case CKM_DES3_MAC_GENERAL:
-    case CKM_DES3_CBC_PAD:
-	return (len == 16) ? CKK_DES2 : CKK_DES3;
-    case CKM_DES2_KEY_GEN:
-    case CKM_PBE_SHA1_DES2_EDE_CBC:
-	return CKK_DES2;
-    case CKM_PBE_SHA1_DES3_EDE_CBC:
-    case CKM_DES3_KEY_GEN:
-	return CKK_DES3;
-    case CKM_CDMF_ECB:
-    case CKM_CDMF_CBC:
-    case CKM_CDMF_MAC:
-    case CKM_CDMF_MAC_GENERAL:
-    case CKM_CDMF_CBC_PAD:
-    case CKM_CDMF_KEY_GEN:
-	return CKK_CDMF;
-    case CKM_RC2_ECB:
-    case CKM_RC2_CBC:
-    case CKM_RC2_MAC:
-    case CKM_RC2_MAC_GENERAL:
-    case CKM_RC2_CBC_PAD:
-    case CKM_RC2_KEY_GEN:
-    case CKM_PBE_SHA1_RC2_128_CBC:
-    case CKM_PBE_SHA1_RC2_40_CBC:
-	return CKK_RC2;
-    case CKM_RC4:
-    case CKM_RC4_KEY_GEN:
-	return CKK_RC4;
-    case CKM_RC5_ECB:
-    case CKM_RC5_CBC:
-    case CKM_RC5_MAC:
-    case CKM_RC5_MAC_GENERAL:
-    case CKM_RC5_CBC_PAD:
-    case CKM_RC5_KEY_GEN:
-	return CKK_RC5;
-    case CKM_SKIPJACK_CBC64:
-    case CKM_SKIPJACK_ECB64:
-    case CKM_SKIPJACK_OFB64:
-    case CKM_SKIPJACK_CFB64:
-    case CKM_SKIPJACK_CFB32:
-    case CKM_SKIPJACK_CFB16:
-    case CKM_SKIPJACK_CFB8:
-    case CKM_SKIPJACK_KEY_GEN:
-    case CKM_SKIPJACK_WRAP:
-    case CKM_SKIPJACK_PRIVATE_WRAP:
-	return CKK_SKIPJACK;
-    case CKM_BATON_ECB128:
-    case CKM_BATON_ECB96:
-    case CKM_BATON_CBC128:
-    case CKM_BATON_COUNTER:
-    case CKM_BATON_SHUFFLE:
-    case CKM_BATON_WRAP:
-    case CKM_BATON_KEY_GEN:
-	return CKK_BATON;
-    case CKM_JUNIPER_ECB128:
-    case CKM_JUNIPER_CBC128:
-    case CKM_JUNIPER_COUNTER:
-    case CKM_JUNIPER_SHUFFLE:
-    case CKM_JUNIPER_WRAP:
-    case CKM_JUNIPER_KEY_GEN:
-	return CKK_JUNIPER;
-    case CKM_IDEA_CBC:
-    case CKM_IDEA_ECB:
-    case CKM_IDEA_MAC:
-    case CKM_IDEA_MAC_GENERAL:
-    case CKM_IDEA_CBC_PAD:
-    case CKM_IDEA_KEY_GEN:
-	return CKK_IDEA;
-    case CKM_CAST_ECB:
-    case CKM_CAST_CBC:
-    case CKM_CAST_MAC:
-    case CKM_CAST_MAC_GENERAL:
-    case CKM_CAST_CBC_PAD:
-    case CKM_CAST_KEY_GEN:
-    case CKM_PBE_MD5_CAST_CBC:
-	return CKK_CAST;
-    case CKM_CAST3_ECB:
-    case CKM_CAST3_CBC:
-    case CKM_CAST3_MAC:
-    case CKM_CAST3_MAC_GENERAL:
-    case CKM_CAST3_CBC_PAD:
-    case CKM_CAST3_KEY_GEN:
-    case CKM_PBE_MD5_CAST3_CBC:
-	return CKK_CAST3;
-    case CKM_CAST5_ECB:
-    case CKM_CAST5_CBC:
-    case CKM_CAST5_MAC:
-    case CKM_CAST5_MAC_GENERAL:
-    case CKM_CAST5_CBC_PAD:
-    case CKM_CAST5_KEY_GEN:
-    case CKM_PBE_MD5_CAST5_CBC:
-	return CKK_CAST5;
-    case CKM_RSA_PKCS:
-    case CKM_RSA_9796:
-    case CKM_RSA_X_509:
-    case CKM_MD2_RSA_PKCS:
-    case CKM_MD5_RSA_PKCS:
-    case CKM_SHA1_RSA_PKCS:
-    case CKM_SHA256_RSA_PKCS:
-    case CKM_SHA384_RSA_PKCS:
-    case CKM_SHA512_RSA_PKCS:
-    case CKM_KEY_WRAP_SET_OAEP:
-    case CKM_RSA_PKCS_KEY_PAIR_GEN:
-    case CKM_RSA_X9_31_KEY_PAIR_GEN:
-	return CKK_RSA;
-    case CKM_DSA:
-    case CKM_DSA_SHA1:
-    case CKM_DSA_KEY_PAIR_GEN:
-	return CKK_DSA;
-    case CKM_DH_PKCS_DERIVE:
-    case CKM_DH_PKCS_KEY_PAIR_GEN:
-	return CKK_DH;
-    case CKM_KEA_KEY_DERIVE:
-    case CKM_KEA_KEY_PAIR_GEN:
-	return CKK_KEA;
-    case CKM_ECDSA:
-    case CKM_ECDSA_SHA1:
-    case CKM_EC_KEY_PAIR_GEN: /* aka CKM_ECDSA_KEY_PAIR_GEN */
-    case CKM_ECDH1_DERIVE:
-	return CKK_EC;  /* CKK_ECDSA is deprecated */
-    case CKM_SSL3_PRE_MASTER_KEY_GEN:
-    case CKM_GENERIC_SECRET_KEY_GEN:
-    case CKM_SSL3_MASTER_KEY_DERIVE:
-    case CKM_SSL3_MASTER_KEY_DERIVE_DH:
-    case CKM_SSL3_KEY_AND_MAC_DERIVE:
-    case CKM_SSL3_SHA1_MAC:
-    case CKM_SSL3_MD5_MAC:
-    case CKM_TLS_MASTER_KEY_DERIVE:
-    case CKM_TLS_MASTER_KEY_DERIVE_DH:
-    case CKM_TLS_KEY_AND_MAC_DERIVE:
-    case CKM_SHA_1_HMAC:
-    case CKM_SHA_1_HMAC_GENERAL:
-    case CKM_SHA256_HMAC:
-    case CKM_SHA256_HMAC_GENERAL:
-    case CKM_SHA384_HMAC:
-    case CKM_SHA384_HMAC_GENERAL:
-    case CKM_SHA512_HMAC:
-    case CKM_SHA512_HMAC_GENERAL:
-    case CKM_MD2_HMAC:
-    case CKM_MD2_HMAC_GENERAL:
-    case CKM_MD5_HMAC:
-    case CKM_MD5_HMAC_GENERAL:
-    case CKM_TLS_PRF_GENERAL:
-	return CKK_GENERIC_SECRET;
-    default:
-	return pk11_lookup(type)->keyType;
-    }
-}
-
-/*
- * Get the Key Gen Mechanism needed for the given 
- * crypto mechanism
- */
-CK_MECHANISM_TYPE
-PK11_GetKeyGen(CK_MECHANISM_TYPE type)
-{
-    return PK11_GetKeyGenWithSize(type, 0);
-}
-
-CK_MECHANISM_TYPE
-PK11_GetKeyGenWithSize(CK_MECHANISM_TYPE type, int size)
-{
-    switch (type) {
-    case CKM_AES_ECB:
-    case CKM_AES_CBC:
-    case CKM_AES_MAC:
-    case CKM_AES_MAC_GENERAL:
-    case CKM_AES_CBC_PAD:
-    case CKM_AES_KEY_GEN:
-	return CKM_AES_KEY_GEN;
-    case CKM_DES_ECB:
-    case CKM_DES_CBC:
-    case CKM_DES_MAC:
-    case CKM_DES_MAC_GENERAL:
-    case CKM_KEY_WRAP_LYNKS:
-    case CKM_DES_CBC_PAD:
-    case CKM_DES_KEY_GEN:
-	return CKM_DES_KEY_GEN;
-    case CKM_DES3_ECB:
-    case CKM_DES3_CBC:
-    case CKM_DES3_MAC:
-    case CKM_DES3_MAC_GENERAL:
-    case CKM_DES3_CBC_PAD:
-	return (size == 16) ? CKM_DES2_KEY_GEN : CKM_DES3_KEY_GEN;
-    case CKM_DES3_KEY_GEN:
-	return CKM_DES3_KEY_GEN;
-    case CKM_DES2_KEY_GEN:
-	return CKM_DES2_KEY_GEN;
-    case CKM_CDMF_ECB:
-    case CKM_CDMF_CBC:
-    case CKM_CDMF_MAC:
-    case CKM_CDMF_MAC_GENERAL:
-    case CKM_CDMF_CBC_PAD:
-    case CKM_CDMF_KEY_GEN:
-	return CKM_CDMF_KEY_GEN;
-    case CKM_RC2_ECB:
-    case CKM_RC2_CBC:
-    case CKM_RC2_MAC:
-    case CKM_RC2_MAC_GENERAL:
-    case CKM_RC2_CBC_PAD:
-    case CKM_RC2_KEY_GEN:
-	return CKM_RC2_KEY_GEN;
-    case CKM_RC4:
-    case CKM_RC4_KEY_GEN:
-	return CKM_RC4_KEY_GEN;
-    case CKM_RC5_ECB:
-    case CKM_RC5_CBC:
-    case CKM_RC5_MAC:
-    case CKM_RC5_MAC_GENERAL:
-    case CKM_RC5_CBC_PAD:
-    case CKM_RC5_KEY_GEN:
-	return CKM_RC5_KEY_GEN;
-    case CKM_SKIPJACK_CBC64:
-    case CKM_SKIPJACK_ECB64:
-    case CKM_SKIPJACK_OFB64:
-    case CKM_SKIPJACK_CFB64:
-    case CKM_SKIPJACK_CFB32:
-    case CKM_SKIPJACK_CFB16:
-    case CKM_SKIPJACK_CFB8:
-    case CKM_SKIPJACK_WRAP:
-    case CKM_SKIPJACK_KEY_GEN:
-	return CKM_SKIPJACK_KEY_GEN;
-    case CKM_BATON_ECB128:
-    case CKM_BATON_ECB96:
-    case CKM_BATON_CBC128:
-    case CKM_BATON_COUNTER:
-    case CKM_BATON_SHUFFLE:
-    case CKM_BATON_WRAP:
-    case CKM_BATON_KEY_GEN:
-	return CKM_BATON_KEY_GEN;
-    case CKM_JUNIPER_ECB128:
-    case CKM_JUNIPER_CBC128:
-    case CKM_JUNIPER_COUNTER:
-    case CKM_JUNIPER_SHUFFLE:
-    case CKM_JUNIPER_WRAP:
-    case CKM_JUNIPER_KEY_GEN:
-	return CKM_JUNIPER_KEY_GEN;
-    case CKM_IDEA_CBC:
-    case CKM_IDEA_ECB:
-    case CKM_IDEA_MAC:
-    case CKM_IDEA_MAC_GENERAL:
-    case CKM_IDEA_CBC_PAD:
-    case CKM_IDEA_KEY_GEN:
-	return CKM_IDEA_KEY_GEN;
-    case CKM_CAST_ECB:
-    case CKM_CAST_CBC:
-    case CKM_CAST_MAC:
-    case CKM_CAST_MAC_GENERAL:
-    case CKM_CAST_CBC_PAD:
-    case CKM_CAST_KEY_GEN:
-	return CKM_CAST_KEY_GEN;
-    case CKM_CAST3_ECB:
-    case CKM_CAST3_CBC:
-    case CKM_CAST3_MAC:
-    case CKM_CAST3_MAC_GENERAL:
-    case CKM_CAST3_CBC_PAD:
-    case CKM_CAST3_KEY_GEN:
-	return CKM_CAST3_KEY_GEN;
-    case CKM_CAST5_ECB:
-    case CKM_CAST5_CBC:
-    case CKM_CAST5_MAC:
-    case CKM_CAST5_MAC_GENERAL:
-    case CKM_CAST5_CBC_PAD:
-    case CKM_CAST5_KEY_GEN:
-	return CKM_CAST5_KEY_GEN;
-    case CKM_RSA_PKCS:
-    case CKM_RSA_9796:
-    case CKM_RSA_X_509:
-    case CKM_MD2_RSA_PKCS:
-    case CKM_MD5_RSA_PKCS:
-    case CKM_SHA1_RSA_PKCS:
-    case CKM_SHA256_RSA_PKCS:
-    case CKM_SHA384_RSA_PKCS:
-    case CKM_SHA512_RSA_PKCS:
-    case CKM_KEY_WRAP_SET_OAEP:
-    case CKM_RSA_PKCS_KEY_PAIR_GEN:
-	return CKM_RSA_PKCS_KEY_PAIR_GEN;
-    case CKM_RSA_X9_31_KEY_PAIR_GEN:
-	return CKM_RSA_X9_31_KEY_PAIR_GEN;
-    case CKM_DSA:
-    case CKM_DSA_SHA1:
-    case CKM_DSA_KEY_PAIR_GEN:
-	return CKM_DSA_KEY_PAIR_GEN;
-    case CKM_DH_PKCS_DERIVE:
-    case CKM_DH_PKCS_KEY_PAIR_GEN:
-	return CKM_DH_PKCS_KEY_PAIR_GEN;
-    case CKM_KEA_KEY_DERIVE:
-    case CKM_KEA_KEY_PAIR_GEN:
-	return CKM_KEA_KEY_PAIR_GEN;
-    case CKM_ECDSA:
-    case CKM_ECDSA_SHA1:
-    case CKM_EC_KEY_PAIR_GEN: /* aka CKM_ECDSA_KEY_PAIR_GEN */
-    case CKM_ECDH1_DERIVE:
-        return CKM_EC_KEY_PAIR_GEN; 
-    case CKM_SSL3_PRE_MASTER_KEY_GEN:
-    case CKM_SSL3_MASTER_KEY_DERIVE:
-    case CKM_SSL3_KEY_AND_MAC_DERIVE:
-    case CKM_SSL3_SHA1_MAC:
-    case CKM_SSL3_MD5_MAC:
-    case CKM_TLS_MASTER_KEY_DERIVE:
-    case CKM_TLS_KEY_AND_MAC_DERIVE:
-	return CKM_SSL3_PRE_MASTER_KEY_GEN;
-    case CKM_SHA_1_HMAC:
-    case CKM_SHA_1_HMAC_GENERAL:
-    case CKM_SHA256_HMAC:
-    case CKM_SHA256_HMAC_GENERAL:
-    case CKM_SHA384_HMAC:
-    case CKM_SHA384_HMAC_GENERAL:
-    case CKM_SHA512_HMAC:
-    case CKM_SHA512_HMAC_GENERAL:
-    case CKM_MD2_HMAC:
-    case CKM_MD2_HMAC_GENERAL:
-    case CKM_MD5_HMAC:
-    case CKM_MD5_HMAC_GENERAL:
-    case CKM_TLS_PRF_GENERAL:
-    case CKM_GENERIC_SECRET_KEY_GEN:
-	return CKM_GENERIC_SECRET_KEY_GEN;
-    case CKM_PBE_MD2_DES_CBC:
-    case CKM_PBE_MD5_DES_CBC:
-    case CKM_PBA_SHA1_WITH_SHA1_HMAC:
-    case CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN:
-    case CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN:
-    case CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN:
-    case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
-    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
-    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
-    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
-    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
-    case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
-    case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
-    case CKM_PBE_SHA1_RC2_40_CBC:
-    case CKM_PBE_SHA1_RC2_128_CBC:
-    case CKM_PBE_SHA1_RC4_40:
-    case CKM_PBE_SHA1_RC4_128:
-    case CKM_PBE_SHA1_DES3_EDE_CBC:
-    case CKM_PBE_SHA1_DES2_EDE_CBC:
-    	return type;
-    default:
-	return pk11_lookup(type)->keyGen;
-    }
-}
-
-/*
- * get the mechanism block size
- */
-int
-PK11_GetBlockSize(CK_MECHANISM_TYPE type,SECItem *params)
-{
-    CK_RC5_PARAMS *rc5_params;
-    CK_RC5_CBC_PARAMS *rc5_cbc_params;
-    switch (type) {
-    case CKM_RC5_ECB:
-	if ((params) && (params->data)) {
-	    rc5_params = (CK_RC5_PARAMS *) params->data;
-	    return (rc5_params->ulWordsize)*2;
-	}
-	return 8;
-    case CKM_RC5_CBC:
-    case CKM_RC5_CBC_PAD:
-	if ((params) && (params->data)) {
-	    rc5_cbc_params = (CK_RC5_CBC_PARAMS *) params->data;
-	    return (rc5_cbc_params->ulWordsize)*2;
-	}
-	return 8;
-    case CKM_DES_ECB:
-    case CKM_DES3_ECB:
-    case CKM_RC2_ECB:
-    case CKM_IDEA_ECB:
-    case CKM_CAST_ECB:
-    case CKM_CAST3_ECB:
-    case CKM_CAST5_ECB:
-    case CKM_RC2_CBC:
-    case CKM_SKIPJACK_CBC64:
-    case CKM_SKIPJACK_ECB64:
-    case CKM_SKIPJACK_OFB64:
-    case CKM_SKIPJACK_CFB64:
-    case CKM_DES_CBC:
-    case CKM_DES3_CBC:
-    case CKM_IDEA_CBC:
-    case CKM_CAST_CBC:
-    case CKM_CAST3_CBC:
-    case CKM_CAST5_CBC:
-    case CKM_DES_CBC_PAD:
-    case CKM_DES3_CBC_PAD:
-    case CKM_RC2_CBC_PAD:
-    case CKM_IDEA_CBC_PAD:
-    case CKM_CAST_CBC_PAD:
-    case CKM_CAST3_CBC_PAD:
-    case CKM_CAST5_CBC_PAD:
-    case CKM_PBE_MD2_DES_CBC:
-    case CKM_PBE_MD5_DES_CBC:
-    case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
-    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
-    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
-    case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
-    case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
-    case CKM_PBE_SHA1_RC2_40_CBC:
-    case CKM_PBE_SHA1_RC2_128_CBC:
-    case CKM_PBE_SHA1_DES3_EDE_CBC:
-    case CKM_PBE_SHA1_DES2_EDE_CBC:
-	return 8;
-    case CKM_SKIPJACK_CFB32:
-    case CKM_SKIPJACK_CFB16:
-    case CKM_SKIPJACK_CFB8:
-	return 4;
-    case CKM_AES_ECB:
-    case CKM_AES_CBC:
-    case CKM_AES_CBC_PAD:
-    case CKM_BATON_ECB128:
-    case CKM_BATON_CBC128:
-    case CKM_BATON_COUNTER:
-    case CKM_BATON_SHUFFLE:
-    case CKM_JUNIPER_ECB128:
-    case CKM_JUNIPER_CBC128:
-    case CKM_JUNIPER_COUNTER:
-    case CKM_JUNIPER_SHUFFLE:
-	return 16;
-    case CKM_BATON_ECB96:
-	return 12;
-    case CKM_RC4:
-    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
-    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
-    case CKM_PBE_SHA1_RC4_40:
-    case CKM_PBE_SHA1_RC4_128:
-	return 0;
-    case CKM_RSA_PKCS:
-    case CKM_RSA_9796:
-    case CKM_RSA_X_509:
-	/*actually it's the modulus length of the key!*/
-	return -1;	/* failure */
-    default:
-	return pk11_lookup(type)->blockSize;
-    }
-}
-
-/*
- * get the iv length
- */
-int
-PK11_GetIVLength(CK_MECHANISM_TYPE type)
-{
-    switch (type) {
-    case CKM_AES_ECB:
-    case CKM_DES_ECB:
-    case CKM_DES3_ECB:
-    case CKM_RC2_ECB:
-    case CKM_IDEA_ECB:
-    case CKM_SKIPJACK_WRAP:
-    case CKM_BATON_WRAP:
-    case CKM_RC5_ECB:
-    case CKM_CAST_ECB:
-    case CKM_CAST3_ECB:
-    case CKM_CAST5_ECB:
-	return 0;
-    case CKM_RC2_CBC:
-    case CKM_DES_CBC:
-    case CKM_DES3_CBC:
-    case CKM_IDEA_CBC:
-    case CKM_PBE_MD2_DES_CBC:
-    case CKM_PBE_MD5_DES_CBC:
-    case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
-    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
-    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
-    case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
-    case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
-    case CKM_PBE_SHA1_RC2_40_CBC:
-    case CKM_PBE_SHA1_RC2_128_CBC:
-    case CKM_PBE_SHA1_DES3_EDE_CBC:
-    case CKM_PBE_SHA1_DES2_EDE_CBC:
-    case CKM_RC5_CBC:
-    case CKM_CAST_CBC:
-    case CKM_CAST3_CBC:
-    case CKM_CAST5_CBC:
-    case CKM_RC2_CBC_PAD:
-    case CKM_DES_CBC_PAD:
-    case CKM_DES3_CBC_PAD:
-    case CKM_IDEA_CBC_PAD:
-    case CKM_RC5_CBC_PAD:
-    case CKM_CAST_CBC_PAD:
-    case CKM_CAST3_CBC_PAD:
-    case CKM_CAST5_CBC_PAD:
-	return 8;
-    case CKM_AES_CBC:
-    case CKM_AES_CBC_PAD:
-	return 16;
-    case CKM_SKIPJACK_CBC64:
-    case CKM_SKIPJACK_ECB64:
-    case CKM_SKIPJACK_OFB64:
-    case CKM_SKIPJACK_CFB64:
-    case CKM_SKIPJACK_CFB32:
-    case CKM_SKIPJACK_CFB16:
-    case CKM_SKIPJACK_CFB8:
-    case CKM_BATON_ECB128:
-    case CKM_BATON_ECB96:
-    case CKM_BATON_CBC128:
-    case CKM_BATON_COUNTER:
-    case CKM_BATON_SHUFFLE:
-    case CKM_JUNIPER_ECB128:
-    case CKM_JUNIPER_CBC128:
-    case CKM_JUNIPER_COUNTER:
-    case CKM_JUNIPER_SHUFFLE:
-	return 24;
-    case CKM_RC4:
-    case CKM_RSA_PKCS:
-    case CKM_RSA_9796:
-    case CKM_RSA_X_509:
-    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
-    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
-    case CKM_PBE_SHA1_RC4_40:
-    case CKM_PBE_SHA1_RC4_128:
-	return 0;
-    default:
-	return pk11_lookup(type)->iv;
-    }
-}
-
-
-/* These next two utilities are here to help facilitate future
- * Dynamic Encrypt/Decrypt symetric key mechanisms, and to allow functions
- * like SSL and S-MIME to automatically add them.
- */
-SECItem *
-PK11_ParamFromIV(CK_MECHANISM_TYPE type,SECItem *iv)
-{
-    CK_RC2_CBC_PARAMS *rc2_params = NULL;
-    CK_RC2_PARAMS *rc2_ecb_params = NULL;
-    CK_RC5_PARAMS *rc5_params = NULL;
-    CK_RC5_CBC_PARAMS *rc5_cbc_params = NULL;
-    SECItem *param;
-
-    param = (SECItem *)PORT_Alloc(sizeof(SECItem));
-    if (param == NULL) return NULL;
-    param->data = NULL;
-    param->len = 0;
-    param->type = 0;
-    switch (type) {
-    case CKM_AES_ECB:
-    case CKM_DES_ECB:
-    case CKM_DES3_ECB:
-    case CKM_RSA_PKCS:
-    case CKM_RSA_X_509:
-    case CKM_RSA_9796:
-    case CKM_IDEA_ECB:
-    case CKM_CDMF_ECB:
-    case CKM_CAST_ECB:
-    case CKM_CAST3_ECB:
-    case CKM_CAST5_ECB:
-    case CKM_RC4:
-	break;
-    case CKM_RC2_ECB:
-	rc2_ecb_params = (CK_RC2_PARAMS *)PORT_Alloc(sizeof(CK_RC2_PARAMS));
-	if (rc2_ecb_params == NULL) break;
-	/*  Maybe we should pass the key size in too to get this value? */
-	*rc2_ecb_params = 128;
-	param->data = (unsigned char *) rc2_ecb_params;
-	param->len = sizeof(CK_RC2_PARAMS);
-	break;
-    case CKM_RC2_CBC:
-    case CKM_RC2_CBC_PAD:
-	rc2_params = (CK_RC2_CBC_PARAMS *)PORT_Alloc(sizeof(CK_RC2_CBC_PARAMS));
-	if (rc2_params == NULL) break;
-	/* Maybe we should pass the key size in too to get this value? */
-	rc2_params->ulEffectiveBits = 128;
-	if (iv && iv->data)
-	    PORT_Memcpy(rc2_params->iv,iv->data,sizeof(rc2_params->iv));
-	param->data = (unsigned char *) rc2_params;
-	param->len = sizeof(CK_RC2_CBC_PARAMS);
-	break;
-    case CKM_RC5_CBC:
-    case CKM_RC5_CBC_PAD:
-	rc5_cbc_params = (CK_RC5_CBC_PARAMS *)
-		PORT_Alloc(sizeof(CK_RC5_CBC_PARAMS) + ((iv) ? iv->len : 0));
-	if (rc5_cbc_params == NULL) break;
-	if (iv && iv->data) {
-	    rc5_cbc_params->pIv = ((CK_BYTE_PTR) rc5_cbc_params) 
-						+ sizeof(CK_RC5_CBC_PARAMS);
-	    PORT_Memcpy(rc5_cbc_params->pIv,iv->data,iv->len);
-	    rc5_cbc_params->ulIvLen = iv->len;
-	    rc5_cbc_params->ulWordsize = iv->len/2;
-	} else {
-	    rc5_cbc_params->ulWordsize = 4;
-	    rc5_cbc_params->pIv = NULL;
-	    rc5_cbc_params->ulIvLen = iv->len;
-	}
-	rc5_cbc_params->ulRounds = 16;
-	param->data = (unsigned char *) rc5_cbc_params;
-	param->len = sizeof(CK_RC5_CBC_PARAMS);
-	break;
-    case CKM_RC5_ECB:
-	rc5_params = (CK_RC5_PARAMS *)PORT_Alloc(sizeof(CK_RC5_PARAMS));
-	if (rc5_params == NULL) break;
-	if (iv && iv->data && iv->len) {
-	    rc5_params->ulWordsize = iv->len/2;
-	} else {
-	    rc5_params->ulWordsize = 4;
-	}
-	rc5_params->ulRounds = 16;
-	param->data = (unsigned char *) rc5_params;
-	param->len = sizeof(CK_RC5_PARAMS);
-	break;
-    case CKM_AES_CBC:
-    case CKM_DES_CBC:
-    case CKM_DES3_CBC:
-    case CKM_IDEA_CBC:
-    case CKM_CDMF_CBC:
-    case CKM_CAST_CBC:
-    case CKM_CAST3_CBC:
-    case CKM_CAST5_CBC:
-    case CKM_AES_CBC_PAD:
-    case CKM_DES_CBC_PAD:
-    case CKM_DES3_CBC_PAD:
-    case CKM_IDEA_CBC_PAD:
-    case CKM_CDMF_CBC_PAD:
-    case CKM_CAST_CBC_PAD:
-    case CKM_CAST3_CBC_PAD:
-    case CKM_CAST5_CBC_PAD:
-    case CKM_SKIPJACK_CBC64:
-    case CKM_SKIPJACK_ECB64:
-    case CKM_SKIPJACK_OFB64:
-    case CKM_SKIPJACK_CFB64:
-    case CKM_SKIPJACK_CFB32:
-    case CKM_SKIPJACK_CFB16:
-    case CKM_SKIPJACK_CFB8:
-    case CKM_BATON_ECB128:
-    case CKM_BATON_ECB96:
-    case CKM_BATON_CBC128:
-    case CKM_BATON_COUNTER:
-    case CKM_BATON_SHUFFLE:
-    case CKM_JUNIPER_ECB128:
-    case CKM_JUNIPER_CBC128:
-    case CKM_JUNIPER_COUNTER:
-    case CKM_JUNIPER_SHUFFLE:
-	if ((iv == NULL) || (iv->data == NULL)) break;
-	param->data = (unsigned char*)PORT_Alloc(iv->len);
-	if (param->data != NULL) {
-	    PORT_Memcpy(param->data,iv->data,iv->len);
-	    param->len = iv->len;
-	}
-	break;
-     /* unknown mechanism, pass IV in if it's there */
-     default:
-	if (pk11_lookup(type)->iv == 0) {
-	    break;
-	}
-	if ((iv == NULL) || (iv->data == NULL)) {
-	    break;
-	}
-	param->data = (unsigned char*)PORT_Alloc(iv->len);
-	if (param->data != NULL) {
-	    PORT_Memcpy(param->data,iv->data,iv->len);
-	    param->len = iv->len;
-	}
-	break;
-     }
-     return param;
-}
-
-unsigned char *
-PK11_IVFromParam(CK_MECHANISM_TYPE type,SECItem *param,int *len)
-{
-    CK_RC2_CBC_PARAMS *rc2_params;
-    CK_RC5_CBC_PARAMS *rc5_cbc_params;
-
-    *len = 0;
-    switch (type) {
-    case CKM_AES_ECB:
-    case CKM_DES_ECB:
-    case CKM_DES3_ECB:
-    case CKM_RSA_PKCS:
-    case CKM_RSA_X_509:
-    case CKM_RSA_9796:
-    case CKM_IDEA_ECB:
-    case CKM_CDMF_ECB:
-    case CKM_CAST_ECB:
-    case CKM_CAST3_ECB:
-    case CKM_CAST5_ECB:
-    case CKM_RC4:
-	return NULL;
-    case CKM_RC2_ECB:
-	return NULL;
-    case CKM_RC2_CBC:
-    case CKM_RC2_CBC_PAD:
-	rc2_params = (CK_RC2_CBC_PARAMS *)param->data;
-        *len = sizeof(rc2_params->iv);
-	return &rc2_params->iv[0];
-    case CKM_RC5_CBC:
-    case CKM_RC5_CBC_PAD:
-	rc5_cbc_params = (CK_RC5_CBC_PARAMS *) param->data;
-	*len = rc5_cbc_params->ulIvLen;
-	return rc5_cbc_params->pIv;
-    case CKM_AES_CBC:
-    case CKM_DES_CBC:
-    case CKM_DES3_CBC:
-    case CKM_IDEA_CBC:
-    case CKM_CDMF_CBC:
-    case CKM_CAST_CBC:
-    case CKM_CAST3_CBC:
-    case CKM_CAST5_CBC:
-    case CKM_DES_CBC_PAD:
-    case CKM_DES3_CBC_PAD:
-    case CKM_IDEA_CBC_PAD:
-    case CKM_CDMF_CBC_PAD:
-    case CKM_CAST_CBC_PAD:
-    case CKM_CAST3_CBC_PAD:
-    case CKM_CAST5_CBC_PAD:
-    case CKM_SKIPJACK_CBC64:
-    case CKM_SKIPJACK_ECB64:
-    case CKM_SKIPJACK_OFB64:
-    case CKM_SKIPJACK_CFB64:
-    case CKM_SKIPJACK_CFB32:
-    case CKM_SKIPJACK_CFB16:
-    case CKM_SKIPJACK_CFB8:
-    case CKM_BATON_ECB128:
-    case CKM_BATON_ECB96:
-    case CKM_BATON_CBC128:
-    case CKM_BATON_COUNTER:
-    case CKM_BATON_SHUFFLE:
-    case CKM_JUNIPER_ECB128:
-    case CKM_JUNIPER_CBC128:
-    case CKM_JUNIPER_COUNTER:
-    case CKM_JUNIPER_SHUFFLE:
-	break;
-     /* unknown mechanism, pass IV in if it's there */
-     default:
-	break;
-     }
-     if (param->data) {
-	*len = param->len;
-     }
-     return param->data;
-}
-
-typedef struct sec_rc5cbcParameterStr {
-    SECItem version;
-    SECItem rounds;
-    SECItem blockSizeInBits;
-    SECItem iv;
-} sec_rc5cbcParameter;
-
-static const SEC_ASN1Template sec_rc5ecb_parameter_template[] = {
-    { SEC_ASN1_SEQUENCE,
-          0, NULL, sizeof(sec_rc5cbcParameter) },
-    { SEC_ASN1_INTEGER,
-          offsetof(sec_rc5cbcParameter,version) },
-    { SEC_ASN1_INTEGER,
-          offsetof(sec_rc5cbcParameter,rounds) },
-    { SEC_ASN1_INTEGER,
-          offsetof(sec_rc5cbcParameter,blockSizeInBits) },
-    { 0 }
-};
-
-static const SEC_ASN1Template sec_rc5cbc_parameter_template[] = {
-    { SEC_ASN1_SEQUENCE,
-          0, NULL, sizeof(sec_rc5cbcParameter) },
-    { SEC_ASN1_INTEGER,
-          offsetof(sec_rc5cbcParameter,version) },
-    { SEC_ASN1_INTEGER,
-          offsetof(sec_rc5cbcParameter,rounds) },
-    { SEC_ASN1_INTEGER,
-          offsetof(sec_rc5cbcParameter,blockSizeInBits) },
-    { SEC_ASN1_OCTET_STRING,
-          offsetof(sec_rc5cbcParameter,iv) },
-    { 0 }
-};
-
-typedef struct sec_rc2cbcParameterStr {
-    SECItem rc2ParameterVersion;
-    SECItem iv;
-} sec_rc2cbcParameter;
-
-static const SEC_ASN1Template sec_rc2cbc_parameter_template[] = {
-    { SEC_ASN1_SEQUENCE,
-          0, NULL, sizeof(sec_rc2cbcParameter) },
-    { SEC_ASN1_INTEGER,
-          offsetof(sec_rc2cbcParameter,rc2ParameterVersion) },
-    { SEC_ASN1_OCTET_STRING,
-          offsetof(sec_rc2cbcParameter,iv) },
-    { 0 }
-};
-
-static const SEC_ASN1Template sec_rc2ecb_parameter_template[] = {
-    { SEC_ASN1_SEQUENCE,
-          0, NULL, sizeof(sec_rc2cbcParameter) },
-    { SEC_ASN1_INTEGER,
-          offsetof(sec_rc2cbcParameter,rc2ParameterVersion) },
-    { 0 }
-};
-
-/* S/MIME picked id values to represent differnt keysizes */
-/* I do have a formula, but it ain't pretty, and it only works because you
- * can always match three points to a parabola:) */
-static unsigned char  rc2_map(SECItem *version)
-{
-    long x;
-
-    x = DER_GetInteger(version);
-    
-    switch (x) {
-        case 58: return 128;
-        case 120: return 64;
-        case 160: return 40;
-    }
-    return 128; 
-}
-
-static unsigned long  rc2_unmap(unsigned long x)
-{
-    switch (x) {
-        case 128: return 58;
-        case 64: return 120;
-        case 40: return 160;
-    }
-    return 58; 
-}
-
-
-
-/* Generate a mechaism param from a type, and iv. */
-SECItem *
-PK11_ParamFromAlgid(SECAlgorithmID *algid)
-{
-    CK_RC2_CBC_PARAMS * rc2_cbc_params = NULL;
-    CK_RC2_PARAMS *     rc2_ecb_params = NULL;
-    CK_RC5_CBC_PARAMS * rc5_cbc_params = NULL;
-    CK_RC5_PARAMS *     rc5_ecb_params = NULL;
-    PRArenaPool *       arena          = NULL;
-    SECItem *           mech           = NULL;
-    SECOidTag           algtag;
-    SECStatus           rv;
-    CK_MECHANISM_TYPE   type;
-    /* initialize these to prevent UMRs in the ASN1 decoder. */
-    SECItem             iv  =   {siBuffer, NULL, 0};
-    sec_rc2cbcParameter rc2 = { {siBuffer, NULL, 0}, {siBuffer, NULL, 0} };
-    sec_rc5cbcParameter rc5 = { {siBuffer, NULL, 0}, {siBuffer, NULL, 0},
-                                {siBuffer, NULL, 0}, {siBuffer, NULL, 0} };
-
-    algtag = SECOID_GetAlgorithmTag(algid);
-    type = PK11_AlgtagToMechanism(algtag);
-
-    mech = PORT_New(SECItem);
-    if (mech == NULL) {
-    	return NULL;
-    }
-    mech->type = siBuffer;
-    mech->data = NULL;
-    mech->len  = 0;
-
-    arena = PORT_NewArena(1024);
-    if (!arena) {
-    	goto loser;
-    }
-
-    /* handle the complicated cases */
-    switch (type) {
-    case CKM_RC2_ECB:
-        rv = SEC_ASN1DecodeItem(arena, &rc2 ,sec_rc2ecb_parameter_template,
-							&(algid->parameters));
-	if (rv != SECSuccess) { 
-	    goto loser;
-	}
-	rc2_ecb_params = PORT_New(CK_RC2_PARAMS);
-	if (rc2_ecb_params == NULL) {
-	    goto loser;
-	}
-	*rc2_ecb_params = rc2_map(&rc2.rc2ParameterVersion);
-	mech->data = (unsigned char *) rc2_ecb_params;
-	mech->len  = sizeof *rc2_ecb_params;
-	break;
-    case CKM_RC2_CBC:
-    case CKM_RC2_CBC_PAD:
-        rv = SEC_ASN1DecodeItem(arena, &rc2 ,sec_rc2cbc_parameter_template,
-							&(algid->parameters));
-	if (rv != SECSuccess) { 
-	    goto loser;
-	}
-	rc2_cbc_params = PORT_New(CK_RC2_CBC_PARAMS);
-	if (rc2_cbc_params == NULL) {
-	    goto loser;
-	}
-	mech->data = (unsigned char *) rc2_cbc_params;
-	mech->len  = sizeof *rc2_cbc_params;
-	rc2_cbc_params->ulEffectiveBits = rc2_map(&rc2.rc2ParameterVersion);
-	if (rc2.iv.len != sizeof rc2_cbc_params->iv) {
-	    PORT_SetError(SEC_ERROR_INPUT_LEN);
-	    goto loser;
-	}
-	PORT_Memcpy(rc2_cbc_params->iv, rc2.iv.data, rc2.iv.len);
-	break;
-    case CKM_RC5_ECB:
-        rv = SEC_ASN1DecodeItem(arena, &rc5 ,sec_rc5ecb_parameter_template,
-							&(algid->parameters));
-	if (rv != SECSuccess) { 
-	    goto loser;
-	}
-	rc5_ecb_params = PORT_New(CK_RC5_PARAMS);
-	if (rc5_ecb_params == NULL) {
-	    goto loser;
-	}
-	rc5_ecb_params->ulRounds   = DER_GetInteger(&rc5.rounds);
-	rc5_ecb_params->ulWordsize = DER_GetInteger(&rc5.blockSizeInBits)/8;
-	mech->data = (unsigned char *) rc5_ecb_params;
-	mech->len = sizeof *rc5_ecb_params;
-	break;
-    case CKM_RC5_CBC:
-    case CKM_RC5_CBC_PAD:
-        rv = SEC_ASN1DecodeItem(arena, &rc5 ,sec_rc5cbc_parameter_template,
-							&(algid->parameters));
-	if (rv != SECSuccess) { 
-	    goto loser;
-	}
-	rc5_cbc_params = (CK_RC5_CBC_PARAMS *)
-		PORT_Alloc(sizeof(CK_RC5_CBC_PARAMS) + rc5.iv.len);
-	if (rc5_cbc_params == NULL) {
-	    goto loser;
-	}
-	mech->data = (unsigned char *) rc5_cbc_params;
-	mech->len = sizeof *rc5_cbc_params;
-	rc5_cbc_params->ulRounds   = DER_GetInteger(&rc5.rounds);
-	rc5_cbc_params->ulWordsize = DER_GetInteger(&rc5.blockSizeInBits)/8;
-        rc5_cbc_params->pIv        = ((CK_BYTE_PTR)rc5_cbc_params)
-						+ sizeof(CK_RC5_CBC_PARAMS);
-        rc5_cbc_params->ulIvLen    = rc5.iv.len;
-	PORT_Memcpy(rc5_cbc_params->pIv, rc5.iv.data, rc5.iv.len);
-	break;
-    case CKM_PBE_MD2_DES_CBC:
-    case CKM_PBE_MD5_DES_CBC:
-    case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
-    case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
-    case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
-    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
-    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
-    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
-    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
-    case CKM_PBE_SHA1_DES2_EDE_CBC:
-    case CKM_PBE_SHA1_DES3_EDE_CBC:
-    case CKM_PBE_SHA1_RC2_40_CBC:
-    case CKM_PBE_SHA1_RC2_128_CBC:
-    case CKM_PBE_SHA1_RC4_40:
-    case CKM_PBE_SHA1_RC4_128:
-	rv = pbe_PK11AlgidToParam(algid,mech);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-	break;
-    case CKM_RC4:
-    case CKM_AES_ECB:
-    case CKM_DES_ECB:
-    case CKM_DES3_ECB:
-    case CKM_IDEA_ECB:
-    case CKM_CDMF_ECB:
-    case CKM_CAST_ECB:
-    case CKM_CAST3_ECB:
-    case CKM_CAST5_ECB:
-	break;
-
-    default:
-	if (pk11_lookup(type)->iv == 0) {
-	    break;
-	}
-	/* FALL THROUGH */
-    case CKM_AES_CBC:
-    case CKM_DES_CBC:
-    case CKM_DES3_CBC:
-    case CKM_IDEA_CBC:
-    case CKM_CDMF_CBC:
-    case CKM_CAST_CBC:
-    case CKM_CAST3_CBC:
-    case CKM_CAST5_CBC:
-    case CKM_AES_CBC_PAD:
-    case CKM_DES_CBC_PAD:
-    case CKM_DES3_CBC_PAD:
-    case CKM_IDEA_CBC_PAD:
-    case CKM_CDMF_CBC_PAD:
-    case CKM_CAST_CBC_PAD:
-    case CKM_CAST3_CBC_PAD:
-    case CKM_CAST5_CBC_PAD:
-    case CKM_SKIPJACK_CBC64:
-    case CKM_SKIPJACK_ECB64:
-    case CKM_SKIPJACK_OFB64:
-    case CKM_SKIPJACK_CFB64:
-    case CKM_SKIPJACK_CFB32:
-    case CKM_SKIPJACK_CFB16:
-    case CKM_SKIPJACK_CFB8:
-    case CKM_BATON_ECB128:
-    case CKM_BATON_ECB96:
-    case CKM_BATON_CBC128:
-    case CKM_BATON_COUNTER:
-    case CKM_BATON_SHUFFLE:
-    case CKM_JUNIPER_ECB128:
-    case CKM_JUNIPER_CBC128:
-    case CKM_JUNIPER_COUNTER:
-    case CKM_JUNIPER_SHUFFLE:
-	/* simple cases are simply octet string encoded IVs */
-	rv = SEC_ASN1DecodeItem(arena, &iv, SEC_OctetStringTemplate, 
-					    &(algid->parameters));
-	if (rv != SECSuccess || iv.data == NULL) {
-	    goto loser;
-	}
-	/* XXX Should be some IV length sanity check here. */
-	mech->data = (unsigned char*)PORT_Alloc(iv.len);
-	if (mech->data == NULL) {
-	    goto loser;
-	}
-	PORT_Memcpy(mech->data, iv.data, iv.len);
-	mech->len = iv.len;
-	break;
-    }
-    PORT_FreeArena(arena, PR_FALSE);
-    return mech;
-
-loser:
-    if (arena)
-    	PORT_FreeArena(arena, PR_FALSE);
-    SECITEM_FreeItem(mech,PR_TRUE);
-    return NULL;
-}
-
-/*
- * Generate an IV for the given mechanism 
- */
-static SECStatus
-pk11_GenIV(CK_MECHANISM_TYPE type, SECItem *iv) {
-    int iv_size = PK11_GetIVLength(type);
-    SECStatus rv;
-
-    iv->len = iv_size;
-    if (iv_size == 0) { 
-	iv->data = NULL;
-	return SECSuccess;
-    }
-
-    iv->data = (unsigned char *) PORT_Alloc(iv_size);
-    if (iv->data == NULL) {
-	iv->len = 0;
-	return SECFailure;
-    }
-
-    rv = PK11_GenerateRandom(iv->data,iv->len);
-    if (rv != SECSuccess) {
-	PORT_Free(iv->data);
-	iv->data = NULL; iv->len = 0;
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-
-/*
- * create a new paramter block from the passed in MECHANISM and the
- * key. Use Netscape's S/MIME Rules for the New param block.
- */
-SECItem *
-PK11_GenerateNewParam(CK_MECHANISM_TYPE type, PK11SymKey *key) { 
-    CK_RC2_CBC_PARAMS *rc2_params;
-    CK_RC2_PARAMS *rc2_ecb_params;
-    SECItem *mech;
-    SECItem iv;
-    SECStatus rv;
-
-
-    mech = (SECItem *) PORT_Alloc(sizeof(SECItem));
-    if (mech == NULL) return NULL;
-
-    rv = SECSuccess;
-    mech->type = siBuffer;
-    switch (type) {
-    case CKM_RC4:
-    case CKM_AES_ECB:
-    case CKM_DES_ECB:
-    case CKM_DES3_ECB:
-    case CKM_IDEA_ECB:
-    case CKM_CDMF_ECB:
-    case CKM_CAST_ECB:
-    case CKM_CAST3_ECB:
-    case CKM_CAST5_ECB:
-	mech->data = NULL;
-	mech->len = 0;
-	break;
-    case CKM_RC2_ECB:
-	rc2_ecb_params = (CK_RC2_PARAMS *)PORT_Alloc(sizeof(CK_RC2_PARAMS));
-	if (rc2_ecb_params == NULL) {
-	    rv = SECFailure;
-	    break;
-	}
-	/* NOTE PK11_GetKeyLength can return -1 if the key isn't and RC2, RC5,
-	 *   or RC4 key. Of course that wouldn't happen here doing RC2:).*/
-	*rc2_ecb_params = PK11_GetKeyLength(key)*8;
-	mech->data = (unsigned char *) rc2_ecb_params;
-	mech->len = sizeof(CK_RC2_PARAMS);
-	break;
-    case CKM_RC2_CBC:
-    case CKM_RC2_CBC_PAD:
-	rv = pk11_GenIV(type,&iv);
-	if (rv != SECSuccess) {
-	    break;
-	}
-	rc2_params = (CK_RC2_CBC_PARAMS *)PORT_Alloc(sizeof(CK_RC2_CBC_PARAMS));
-	if (rc2_params == NULL) {
-	    PORT_Free(iv.data);
-	    rv = SECFailure;
-	    break;
-	}
-	/* NOTE PK11_GetKeyLength can return -1 if the key isn't and RC2, RC5,
-	 *   or RC4 key. Of course that wouldn't happen here doing RC2:).*/
-	rc2_params->ulEffectiveBits = PK11_GetKeyLength(key)*8;
-	if (iv.data)
-	    PORT_Memcpy(rc2_params->iv,iv.data,sizeof(rc2_params->iv));
-	mech->data = (unsigned char *) rc2_params;
-	mech->len = sizeof(CK_RC2_CBC_PARAMS);
-	PORT_Free(iv.data);
-	break;
-    case CKM_RC5_ECB:
-        PORT_Free(mech);
-	return PK11_ParamFromIV(type,NULL);
-    case CKM_RC5_CBC:
-    case CKM_RC5_CBC_PAD:
-	rv = pk11_GenIV(type,&iv);
-	if (rv != SECSuccess) {
-	    break;
-	}
-        PORT_Free(mech);
-	return PK11_ParamFromIV(type,&iv);
-    default:
-	if (pk11_lookup(type)->iv == 0) {
-	    mech->data = NULL;
-	    mech->len = 0;
-	    break;
-	}
-    case CKM_AES_CBC:
-    case CKM_DES_CBC:
-    case CKM_DES3_CBC:
-    case CKM_IDEA_CBC:
-    case CKM_CDMF_CBC:
-    case CKM_CAST_CBC:
-    case CKM_CAST3_CBC:
-    case CKM_CAST5_CBC:
-    case CKM_DES_CBC_PAD:
-    case CKM_DES3_CBC_PAD:
-    case CKM_IDEA_CBC_PAD:
-    case CKM_CDMF_CBC_PAD:
-    case CKM_CAST_CBC_PAD:
-    case CKM_CAST3_CBC_PAD:
-    case CKM_CAST5_CBC_PAD:
-    case CKM_SKIPJACK_CBC64:
-    case CKM_SKIPJACK_ECB64:
-    case CKM_SKIPJACK_OFB64:
-    case CKM_SKIPJACK_CFB64:
-    case CKM_SKIPJACK_CFB32:
-    case CKM_SKIPJACK_CFB16:
-    case CKM_SKIPJACK_CFB8:
-    case CKM_BATON_ECB128:
-    case CKM_BATON_ECB96:
-    case CKM_BATON_CBC128:
-    case CKM_BATON_COUNTER:
-    case CKM_BATON_SHUFFLE:
-    case CKM_JUNIPER_ECB128:
-    case CKM_JUNIPER_CBC128:
-    case CKM_JUNIPER_COUNTER:
-    case CKM_JUNIPER_SHUFFLE:
-	rv = pk11_GenIV(type,&iv);
-	if (rv != SECSuccess) {
-	    break;
-	}
-	mech->data = (unsigned char*)PORT_Alloc(iv.len);
-	if (mech->data == NULL) {
-	    PORT_Free(iv.data);
-	    rv = SECFailure;
-	    break;
-	}
-	PORT_Memcpy(mech->data,iv.data,iv.len);
-	mech->len = iv.len;
-        PORT_Free(iv.data);
-	break;
-    }
-    if (rv !=  SECSuccess) {
-	SECITEM_FreeItem(mech,PR_TRUE);
-	return NULL;
-    }
-    return mech;
-
-}
-
-#define RC5_V10 0x10
-
-/* turn a PKCS #11 parameter into a DER Encoded Algorithm ID */
-SECStatus
-PK11_ParamToAlgid(SECOidTag algTag, SECItem *param, 
-				PRArenaPool *arena, SECAlgorithmID *algid) {
-    CK_RC2_CBC_PARAMS *rc2_params;
-    sec_rc2cbcParameter rc2;
-    CK_RC5_CBC_PARAMS *rc5_params;
-    sec_rc5cbcParameter rc5;
-    CK_MECHANISM_TYPE type = PK11_AlgtagToMechanism(algTag);
-    SECItem *newParams = NULL;
-    SECStatus rv = SECFailure;
-    unsigned long rc2version;
-
-    rv = SECSuccess;
-    switch (type) {
-    case CKM_RC4:
-    case CKM_AES_ECB:
-    case CKM_DES_ECB:
-    case CKM_DES3_ECB:
-    case CKM_IDEA_ECB:
-    case CKM_CDMF_ECB:
-    case CKM_CAST_ECB:
-    case CKM_CAST3_ECB:
-    case CKM_CAST5_ECB:
-	newParams = NULL;
-	rv = SECSuccess;
-	break;
-    case CKM_RC2_ECB:
-	break;
-    case CKM_RC2_CBC:
-    case CKM_RC2_CBC_PAD:
-	rc2_params = (CK_RC2_CBC_PARAMS *)param->data;
-	rc2version = rc2_unmap(rc2_params->ulEffectiveBits);
-	if (SEC_ASN1EncodeUnsignedInteger (NULL, &(rc2.rc2ParameterVersion),
-					   rc2version) == NULL)
-	    break;
-	rc2.iv.data = rc2_params->iv;
-	rc2.iv.len = sizeof(rc2_params->iv);
-	newParams = SEC_ASN1EncodeItem (NULL, NULL, &rc2,
-                                         sec_rc2cbc_parameter_template);
-        PORT_Free(rc2.rc2ParameterVersion.data);
-	if (newParams == NULL)
-	    break;
-	rv = SECSuccess;
-	break;
-
-    case CKM_RC5_ECB: /* well not really... */
-	break;
-    case CKM_RC5_CBC:
-    case CKM_RC5_CBC_PAD:
-	rc5_params = (CK_RC5_CBC_PARAMS *)param->data;
-	if (SEC_ASN1EncodeUnsignedInteger (NULL, &rc5.version, RC5_V10) == NULL)
-	    break;
-	if (SEC_ASN1EncodeUnsignedInteger (NULL, &rc5.blockSizeInBits, 
-					rc5_params->ulWordsize*8) == NULL) {
-            PORT_Free(rc5.version.data);
-	    break;
-	}
-	if (SEC_ASN1EncodeUnsignedInteger (NULL, &rc5.rounds, 
-					rc5_params->ulWordsize*8) == NULL) {
-            PORT_Free(rc5.blockSizeInBits.data);
-            PORT_Free(rc5.version.data);
-	    break;
-	}
-	rc5.iv.data = rc5_params->pIv;
-	rc5.iv.len = rc5_params->ulIvLen;
-	newParams = SEC_ASN1EncodeItem (NULL, NULL, &rc5,
-                                         sec_rc5cbc_parameter_template);
-        PORT_Free(rc5.version.data);
-        PORT_Free(rc5.blockSizeInBits.data);
-        PORT_Free(rc5.rounds.data);
-	if (newParams == NULL)
-	    break;
-	rv = SECSuccess;
-	break;
-    case CKM_PBE_MD2_DES_CBC:
-    case CKM_PBE_MD5_DES_CBC:
-    case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
-    case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
-    case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
-    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
-    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
-    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
-    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
-    case CKM_PBE_SHA1_DES3_EDE_CBC:
-    case CKM_PBE_SHA1_DES2_EDE_CBC:
-    case CKM_PBE_SHA1_RC2_40_CBC:
-    case CKM_PBE_SHA1_RC2_128_CBC:
-    case CKM_PBE_SHA1_RC4_40:
-    case CKM_PBE_SHA1_RC4_128:
-	return PBE_PK11ParamToAlgid(algTag, param, arena, algid);
-    default:
-	if (pk11_lookup(type)->iv == 0) {
-	    rv = SECSuccess;
-	    newParams = NULL;
-	    break;
-	}
-    case CKM_AES_CBC:
-    case CKM_DES_CBC:
-    case CKM_DES3_CBC:
-    case CKM_IDEA_CBC:
-    case CKM_CDMF_CBC:
-    case CKM_CAST_CBC:
-    case CKM_CAST3_CBC:
-    case CKM_CAST5_CBC:
-    case CKM_DES_CBC_PAD:
-    case CKM_DES3_CBC_PAD:
-    case CKM_IDEA_CBC_PAD:
-    case CKM_CDMF_CBC_PAD:
-    case CKM_CAST_CBC_PAD:
-    case CKM_CAST3_CBC_PAD:
-    case CKM_CAST5_CBC_PAD:
-    case CKM_SKIPJACK_CBC64:
-    case CKM_SKIPJACK_ECB64:
-    case CKM_SKIPJACK_OFB64:
-    case CKM_SKIPJACK_CFB64:
-    case CKM_SKIPJACK_CFB32:
-    case CKM_SKIPJACK_CFB16:
-    case CKM_SKIPJACK_CFB8:
-    case CKM_BATON_ECB128:
-    case CKM_BATON_ECB96:
-    case CKM_BATON_CBC128:
-    case CKM_BATON_COUNTER:
-    case CKM_BATON_SHUFFLE:
-    case CKM_JUNIPER_ECB128:
-    case CKM_JUNIPER_CBC128:
-    case CKM_JUNIPER_COUNTER:
-    case CKM_JUNIPER_SHUFFLE:
-	newParams = SEC_ASN1EncodeItem(NULL,NULL,param,
-						SEC_OctetStringTemplate);
-	rv = SECSuccess;
-	break;
-    }
-
-    if (rv !=  SECSuccess) {
-	if (newParams) SECITEM_FreeItem(newParams,PR_TRUE);
-	return rv;
-    }
-
-    rv = SECOID_SetAlgorithmID(arena, algid, algTag, newParams);
-    SECITEM_FreeItem(newParams,PR_TRUE);
-    return rv;
-}
-
-/* turn an OID algorithm tag into a PKCS #11 mechanism. This allows us to
- * map OID's directly into the PKCS #11 mechanism we want to call. We find
- * this mapping in our standard OID table */
-CK_MECHANISM_TYPE
-PK11_AlgtagToMechanism(SECOidTag algTag) {
-    SECOidData *oid = SECOID_FindOIDByTag(algTag);
-
-    if (oid) return (CK_MECHANISM_TYPE) oid->mechanism;
-    return CKM_INVALID_MECHANISM;
-}
-
-/* turn a mechanism into an oid. */
-SECOidTag
-PK11_MechanismToAlgtag(CK_MECHANISM_TYPE type) {
-    SECOidData *oid = SECOID_FindOIDByMechanism((unsigned long)type);
-
-    if (oid) return oid->offset;
-    return SEC_OID_UNKNOWN;
-}
-
-/* Determine appropriate blocking mechanism, used when wrapping private keys
- * which require PKCS padding.  If the mechanism does not map to a padding
- * mechanism, we simply return the mechanism.
- */
-CK_MECHANISM_TYPE
-PK11_GetPadMechanism(CK_MECHANISM_TYPE type) {
-    switch(type) {
-	case CKM_AES_CBC:
-	    return CKM_AES_CBC_PAD;
-	case CKM_DES_CBC:
-	    return CKM_DES_CBC_PAD;
-	case CKM_DES3_CBC:
-	    return CKM_DES3_CBC_PAD;
-	case CKM_RC2_CBC:
-	    return CKM_RC2_CBC_PAD;
-	case CKM_CDMF_CBC:
-	    return CKM_CDMF_CBC_PAD;
-	case CKM_CAST_CBC:
-	    return CKM_CAST_CBC_PAD;
-	case CKM_CAST3_CBC:
-	    return CKM_CAST3_CBC_PAD;
-	case CKM_CAST5_CBC:
-	    return CKM_CAST5_CBC_PAD;
-	case CKM_RC5_CBC:
-	    return CKM_RC5_CBC_PAD; 
-	case CKM_IDEA_CBC:
-	    return CKM_IDEA_CBC_PAD; 
-	default:
-	    break;
-    }
-
-    return type;
-}
-	    
-static PRBool
-pk11_isAllZero(unsigned char *data,int len) {
-    while (len--) {
-	if (*data++) {
-	    return PR_FALSE;
-	}
-    }
-    return PR_TRUE;
-}
-
-CK_RV
-PK11_MapPBEMechanismToCryptoMechanism(CK_MECHANISM_PTR pPBEMechanism, 
-				      CK_MECHANISM_PTR pCryptoMechanism,
-				      SECItem *pbe_pwd, PRBool faulty3DES)
-{
-    int iv_len = 0;
-    CK_PBE_PARAMS_PTR pPBEparams;
-    CK_RC2_CBC_PARAMS_PTR rc2_params;
-    CK_ULONG rc2_key_len;
-
-    if((pPBEMechanism == CK_NULL_PTR) || (pCryptoMechanism == CK_NULL_PTR)) {
-	return CKR_HOST_MEMORY;
-    }
-
-    pPBEparams = (CK_PBE_PARAMS_PTR)pPBEMechanism->pParameter;
-    iv_len = PK11_GetIVLength(pPBEMechanism->mechanism);
-
-    if (iv_len) {
-	if (pk11_isAllZero(pPBEparams->pInitVector,iv_len)) {
-	    SECItem param;
-	    PK11SymKey *symKey;
-	    PK11SlotInfo *intSlot = PK11_GetInternalSlot();
-
-	    if (intSlot == NULL) {
-		return CKR_DEVICE_ERROR;
-	    }
-
-	    param.data = pPBEMechanism->pParameter;
-	    param.len = pPBEMechanism->ulParameterLen;
-
-	    symKey = PK11_RawPBEKeyGen(intSlot,
-		pPBEMechanism->mechanism, &param, pbe_pwd, faulty3DES, NULL);
-	    PK11_FreeSlot(intSlot);
-	    if (symKey== NULL) {
-		return CKR_DEVICE_ERROR; /* sigh */
-	    }
-	    PK11_FreeSymKey(symKey);
-	}
-    }
-
-    switch(pPBEMechanism->mechanism) {
-	case CKM_PBE_MD2_DES_CBC:
-	case CKM_PBE_MD5_DES_CBC:
-	case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
-	    pCryptoMechanism->mechanism = CKM_DES_CBC;
-	    goto have_crypto_mechanism;
-	case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
-	case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
-	case CKM_PBE_SHA1_DES3_EDE_CBC:
-	case CKM_PBE_SHA1_DES2_EDE_CBC:
-	    pCryptoMechanism->mechanism = CKM_DES3_CBC;
-have_crypto_mechanism:
-	    pCryptoMechanism->pParameter = PORT_Alloc(iv_len);
-	    pCryptoMechanism->ulParameterLen = (CK_ULONG)iv_len;
-	    if(pCryptoMechanism->pParameter == NULL) {
-		return CKR_HOST_MEMORY;
-	    }
-	    PORT_Memcpy((unsigned char *)(pCryptoMechanism->pParameter),
-			(unsigned char *)(pPBEparams->pInitVector),
-			iv_len);
-	    break;
-	case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
-	case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
-	case CKM_PBE_SHA1_RC4_40:
-	case CKM_PBE_SHA1_RC4_128:
-	    pCryptoMechanism->mechanism = CKM_RC4;
-	    pCryptoMechanism->ulParameterLen = 0;
-	    pCryptoMechanism->pParameter = CK_NULL_PTR;
-	    break;
-	case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
-	case CKM_PBE_SHA1_RC2_40_CBC:
-	    rc2_key_len = 40;
-	    goto have_key_len;
-	case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
-	    rc2_key_len = 128;
-have_key_len:
-	    pCryptoMechanism->mechanism = CKM_RC2_CBC;
-	    pCryptoMechanism->ulParameterLen = (CK_ULONG)
-						sizeof(CK_RC2_CBC_PARAMS);
-	    pCryptoMechanism->pParameter = (CK_RC2_CBC_PARAMS_PTR)
-				PORT_ZAlloc(sizeof(CK_RC2_CBC_PARAMS));
-	    if(pCryptoMechanism->pParameter == NULL) {
-		return CKR_HOST_MEMORY;
-	    }
-	    rc2_params = (CK_RC2_CBC_PARAMS_PTR)pCryptoMechanism->pParameter;
-	    PORT_Memcpy((unsigned char *)rc2_params->iv,
-	    		(unsigned char *)pPBEparams->pInitVector,
-	    		iv_len);
-	    rc2_params->ulEffectiveBits = rc2_key_len;
-	    break;
-	default:
-	    return CKR_MECHANISM_INVALID;
-    }
-
-    return CKR_OK;
-}
-
-/* Make a Key type to an appropriate signing/verification mechanism */
-CK_MECHANISM_TYPE
-PK11_MapSignKeyType(KeyType keyType)
-{
-    switch (keyType) {
-    case rsaKey:
-	return CKM_RSA_PKCS;
-    case fortezzaKey:
-    case dsaKey:
-	return CKM_DSA;
-    case ecKey:
-	return CKM_ECDSA;
-    case dhKey:
-    default:
-	break;
-    }
-    return CKM_INVALID_MECHANISM;
-}
-
-CK_MECHANISM_TYPE
-pk11_mapWrapKeyType(KeyType keyType)
-{
-    switch (keyType) {
-    case rsaKey:
-	return CKM_RSA_PKCS;
-    /* Add fortezza?? */
-    default:
-	break;
-    }
-    return CKM_INVALID_MECHANISM;
-}
-
-SECOidTag 
-PK11_FortezzaMapSig(SECOidTag algTag)
-{
-    switch (algTag) {
-    case SEC_OID_MISSI_KEA_DSS:
-    case SEC_OID_MISSI_DSS:
-    case SEC_OID_MISSI_DSS_OLD:
-    case SEC_OID_MISSI_KEA_DSS_OLD:
-    case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST:
-	return SEC_OID_ANSIX9_DSA_SIGNATURE;
-    default:
-	break;
-    }
-    return algTag;
-}
diff --git a/security/nss/lib/pk11wrap/pk11nobj.c b/security/nss/lib/pk11wrap/pk11nobj.c
deleted file mode 100644
index db9aa6ba9..000000000
--- a/security/nss/lib/pk11wrap/pk11nobj.c
+++ /dev/null
@@ -1,805 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * This file manages Netscape specific PKCS #11 objects (CRLs, Trust objects,
- * etc).
- */
-
-#include "secport.h"
-#include "seccomon.h"
-#include "secmod.h"
-#include "secmodi.h"
-#include "secmodti.h"
-#include "pkcs11.h"
-#include "pk11func.h"
-#include "cert.h"
-#include "certi.h" 
-#include "secitem.h"
-#include "sechash.h" 
-#include "secoid.h"
-
-#include "certdb.h" 
-#include "secerr.h"
-#include "sslerr.h"
-
-#ifndef NSS_3_4_CODE
-#define NSS_3_4_CODE
-#endif /* NSS_3_4_CODE */
-#include "pki3hack.h"
-#include "dev3hack.h" 
-
-#include "devm.h" 
-#include "pki.h"
-#include "pkim.h" 
-
-extern const NSSError NSS_ERROR_NOT_FOUND;
-
-CK_TRUST
-pk11_GetTrustField(PK11SlotInfo *slot, PRArenaPool *arena, 
-                   CK_OBJECT_HANDLE id, CK_ATTRIBUTE_TYPE type)
-{
-  CK_TRUST rv = 0;
-  SECItem item;
-
-  item.data = NULL;
-  item.len = 0;
-
-  if( SECSuccess == PK11_ReadAttribute(slot, id, type, arena, &item) ) {
-    PORT_Assert(item.len == sizeof(CK_TRUST));
-    PORT_Memcpy(&rv, item.data, sizeof(CK_TRUST));
-    /* Damn, is there an endian problem here? */
-    return rv;
-  }
-
-  return 0;
-}
-
-PRBool
-pk11_HandleTrustObject(PK11SlotInfo *slot, CERTCertificate *cert, CERTCertTrust *trust)
-{
-  PRArenaPool *arena;
-
-  CK_ATTRIBUTE tobjTemplate[] = {
-    { CKA_CLASS, NULL, 0 },
-    { CKA_CERT_SHA1_HASH, NULL, 0 },
-  };
-
-  CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST;
-  CK_OBJECT_HANDLE tobjID;
-  unsigned char sha1_hash[SHA1_LENGTH];
-
-  CK_TRUST serverAuth, codeSigning, emailProtection, clientAuth;
-
-  PK11_HashBuf(SEC_OID_SHA1, sha1_hash, cert->derCert.data, cert->derCert.len);
-
-  PK11_SETATTRS(&tobjTemplate[0], CKA_CLASS, &tobjc, sizeof(tobjc));
-  PK11_SETATTRS(&tobjTemplate[1], CKA_CERT_SHA1_HASH, sha1_hash, 
-                SHA1_LENGTH);
-
-  tobjID = pk11_FindObjectByTemplate(slot, tobjTemplate, 
-                                     sizeof(tobjTemplate)/sizeof(tobjTemplate[0]));
-  if( CK_INVALID_HANDLE == tobjID ) {
-    return PR_FALSE;
-  }
-
-  arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-  if( NULL == arena ) return PR_FALSE;
-
-  /* Unfortunately, it seems that PK11_GetAttributes doesn't deal
-   * well with nonexistant attributes.  I guess we have to check 
-   * the trust info fields one at a time.
-   */
-
-  /* We could verify CKA_CERT_HASH here */
-
-  /* We could verify CKA_EXPIRES here */
-
-
-  /* "Purpose" trust information */
-  serverAuth = pk11_GetTrustField(slot, arena, tobjID, CKA_TRUST_SERVER_AUTH);
-  clientAuth = pk11_GetTrustField(slot, arena, tobjID, CKA_TRUST_CLIENT_AUTH);
-  codeSigning = pk11_GetTrustField(slot, arena, tobjID, CKA_TRUST_CODE_SIGNING);
-  emailProtection = pk11_GetTrustField(slot, arena, tobjID, 
-						CKA_TRUST_EMAIL_PROTECTION);
-  /* Here's where the fun logic happens.  We have to map back from the 
-   * key usage, extended key usage, purpose, and possibly other trust values 
-   * into the old trust-flags bits.  */
-
-  /* First implementation: keep it simple for testing.  We can study what other
-   * mappings would be appropriate and add them later.. fgmr 20000724 */
-
-  if ( serverAuth ==  CKT_NETSCAPE_TRUSTED ) {
-    trust->sslFlags |= CERTDB_VALID_PEER | CERTDB_TRUSTED;
-  }
-
-  if ( serverAuth == CKT_NETSCAPE_TRUSTED_DELEGATOR ) {
-    trust->sslFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | 
-							CERTDB_NS_TRUSTED_CA;
-  }
-  if ( clientAuth == CKT_NETSCAPE_TRUSTED_DELEGATOR ) {
-    trust->sslFlags |=  CERTDB_TRUSTED_CLIENT_CA ;
-  }
-
-  if ( emailProtection == CKT_NETSCAPE_TRUSTED ) {
-    trust->emailFlags |= CERTDB_VALID_PEER | CERTDB_TRUSTED;
-  }
-
-  if ( emailProtection == CKT_NETSCAPE_TRUSTED_DELEGATOR ) {
-    trust->emailFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_NS_TRUSTED_CA;
-  }
-
-  if( codeSigning == CKT_NETSCAPE_TRUSTED ) {
-    trust->objectSigningFlags |= CERTDB_VALID_PEER | CERTDB_TRUSTED;
-  }
-
-  if( codeSigning == CKT_NETSCAPE_TRUSTED_DELEGATOR ) {
-    trust->objectSigningFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_NS_TRUSTED_CA;
-  }
-
-  /* There's certainly a lot more logic that can go here.. */
-
-  PORT_FreeArena(arena, PR_FALSE);
-
-  return PR_TRUE;
-}
-
-static SECStatus
-pk11_CollectCrls(PK11SlotInfo *slot, CK_OBJECT_HANDLE crlID, void *arg)
-{
-    SECItem derCrl;
-    CERTCrlHeadNode *head = (CERTCrlHeadNode *) arg;
-    CERTCrlNode *new_node = NULL;
-    CK_ATTRIBUTE fetchCrl[3] = {
-	 { CKA_VALUE, NULL, 0},
-	 { CKA_NETSCAPE_KRL, NULL, 0},
-	 { CKA_NETSCAPE_URL, NULL, 0},
-    };
-    const int fetchCrlSize = sizeof(fetchCrl)/sizeof(fetchCrl[2]);
-    CK_RV crv;
-    SECStatus rv = SECFailure;
-
-    crv = PK11_GetAttributes(head->arena,slot,crlID,fetchCrl,fetchCrlSize);
-    if (CKR_OK != crv) {
-	PORT_SetError(PK11_MapError(crv));
-	goto loser;
-    }
-
-    if (!fetchCrl[1].pValue) {
-	PORT_SetError(SEC_ERROR_CRL_INVALID);
-	goto loser;
-    }
-
-    new_node = (CERTCrlNode *)PORT_ArenaAlloc(head->arena, sizeof(CERTCrlNode));
-    if (new_node == NULL) {
-        goto loser;
-    }
-
-    if (*((CK_BBOOL *)fetchCrl[1].pValue))
-        new_node->type = SEC_KRL_TYPE;
-    else
-        new_node->type = SEC_CRL_TYPE;
-
-    derCrl.type = siBuffer;
-    derCrl.data = (unsigned char *)fetchCrl[0].pValue;
-    derCrl.len = fetchCrl[0].ulValueLen;
-    new_node->crl=CERT_DecodeDERCrl(head->arena,&derCrl,new_node->type);
-    if (new_node->crl == NULL) {
-	goto loser;
-    }
-
-    if (fetchCrl[2].pValue) {
-        int nnlen = fetchCrl[2].ulValueLen;
-        new_node->crl->url  = (char *)PORT_ArenaAlloc(head->arena, nnlen+1);
-        if ( !new_node->crl->url ) {
-            goto loser;
-        }
-        PORT_Memcpy(new_node->crl->url, fetchCrl[2].pValue, nnlen);
-        new_node->crl->url[nnlen] = 0;
-    } else {
-        new_node->crl->url = NULL;
-    }
-
-
-    new_node->next = NULL;
-    if (head->last) {
-        head->last->next = new_node;
-        head->last = new_node;
-    } else {
-        head->first = head->last = new_node;
-    }
-    rv = SECSuccess;
-
-loser:
-    return(rv);
-}
-
-/*
- * Return a list of all the CRLs .
- * CRLs are allocated in the list's arena.
- */
-SECStatus
-PK11_LookupCrls(CERTCrlHeadNode *nodes, int type, void *wincx) {
-    pk11TraverseSlot creater;
-    CK_ATTRIBUTE theTemplate[2];
-    CK_ATTRIBUTE *attrs;
-    CK_OBJECT_CLASS certClass = CKO_NETSCAPE_CRL;
-    CK_BBOOL isKrl = CK_FALSE;
-
-    attrs = theTemplate;
-    PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass)); attrs++;
-    if (type != -1) {
-	isKrl = (CK_BBOOL) (type == SEC_KRL_TYPE);
-        PK11_SETATTRS(attrs, CKA_NETSCAPE_KRL, &isKrl, sizeof(isKrl)); attrs++;
-    }
-
-    creater.callback = pk11_CollectCrls;
-    creater.callbackArg = (void *) nodes;
-    creater.findTemplate = theTemplate;
-    creater.templateCount = (attrs - theTemplate);
-
-    return pk11_TraverseAllSlots(PK11_TraverseSlot, &creater, wincx);
-}
-
-struct crlOptionsStr {
-    CERTCrlHeadNode* head;
-    PRInt32 decodeOptions;
-};
-
-typedef struct crlOptionsStr crlOptions;
-
-static SECStatus
-pk11_RetrieveCrlsCallback(PK11SlotInfo *slot, CK_OBJECT_HANDLE crlID,
-                          void *arg)
-{
-    SECItem* derCrl = NULL;
-    crlOptions* options = (crlOptions*) arg;
-    CERTCrlHeadNode *head = options->head;
-    CERTCrlNode *new_node = NULL;
-    CK_ATTRIBUTE fetchCrl[3] = {
-	 { CKA_VALUE, NULL, 0},
-	 { CKA_NETSCAPE_KRL, NULL, 0},
-	 { CKA_NETSCAPE_URL, NULL, 0},
-    };
-    const int fetchCrlSize = sizeof(fetchCrl)/sizeof(fetchCrl[2]);
-    CK_RV crv;
-    SECStatus rv = SECFailure;
-    PRBool adopted = PR_FALSE; /* whether the CRL adopted the DER memory
-                                  successfully */
-    int i;
-
-    crv = PK11_GetAttributes(NULL,slot,crlID,fetchCrl,fetchCrlSize);
-    if (CKR_OK != crv) {
-	PORT_SetError(PK11_MapError(crv));
-	goto loser;
-    }
-
-    if (!fetchCrl[1].pValue) {
-        /* reject KRLs */
-	PORT_SetError(SEC_ERROR_CRL_INVALID);
-	goto loser;
-    }
-
-    new_node = (CERTCrlNode *)PORT_ArenaAlloc(head->arena,
-                                              sizeof(CERTCrlNode));
-    if (new_node == NULL) {
-        goto loser;
-    }
-
-    new_node->type = SEC_CRL_TYPE;
-
-    derCrl = SECITEM_AllocItem(NULL, NULL, 0);
-    if (!derCrl) {
-        goto loser;
-    }
-    derCrl->type = siBuffer;
-    derCrl->data = (unsigned char *)fetchCrl[0].pValue;
-    derCrl->len = fetchCrl[0].ulValueLen;
-    new_node->crl = CERT_DecodeDERCrlWithFlags(NULL, derCrl,new_node->type,
-                                               options->decodeOptions);
-    if (new_node->crl == NULL) {
-	goto loser;
-    }    
-    adopted = PR_TRUE; /* now that the CRL has adopted the DER memory,
-                          we won't need to free it upon exit */
-
-    if (fetchCrl[2].pValue && fetchCrl[2].ulValueLen) {
-        /* copy the URL if there is one */
-        int nnlen = fetchCrl[2].ulValueLen;
-        new_node->crl->url  = (char *)PORT_ArenaAlloc(new_node->crl->arena,
-                                                      nnlen+1);
-        if ( !new_node->crl->url ) {
-            goto loser;
-        }
-        PORT_Memcpy(new_node->crl->url, fetchCrl[2].pValue, nnlen);
-        new_node->crl->url[nnlen] = 0;
-    } else {
-        new_node->crl->url = NULL;
-    }
-
-    new_node->next = NULL;
-    if (head->last) {
-        head->last->next = new_node;
-        head->last = new_node;
-    } else {
-        head->first = head->last = new_node;
-    }
-    rv = SECSuccess;
-    new_node->crl->slot = PK11_ReferenceSlot(slot);
-    new_node->crl->pkcs11ID = crlID;
-
-loser:
-    /* free attributes that weren't adopted by the CRL */
-    for (i=1;i<fetchCrlSize;i++) {
-        if (fetchCrl[i].pValue) {
-            PORT_Free(fetchCrl[i].pValue);
-        }
-    }
-    /* free the DER if the CRL object didn't adopt it */
-    if (fetchCrl[0].pValue && PR_FALSE == adopted) {
-        PORT_Free(fetchCrl[0].pValue);
-    }
-    if (derCrl && !adopted) {
-        /* clear the data fields, which we already took care of above */
-        derCrl->data = NULL;
-        derCrl->len = 0;
-        /* free the memory for the SECItem structure itself */
-        SECITEM_FreeItem(derCrl, PR_TRUE);
-    }
-    return(rv);
-}
-
-/*
- * Return a list of CRLs matching specified issuer and type
- * CRLs are not allocated in the list's arena, but rather in their own,
- * arena, so that they can be used individually in the CRL cache .
- * CRLs are always partially decoded for efficiency.
- */
-SECStatus pk11_RetrieveCrls(CERTCrlHeadNode *nodes, SECItem* issuer,
-                            void *wincx)
-{
-    pk11TraverseSlot creater;
-    CK_ATTRIBUTE theTemplate[2];
-    CK_ATTRIBUTE *attrs;
-    CK_OBJECT_CLASS crlClass = CKO_NETSCAPE_CRL;
-    crlOptions options;
-
-    attrs = theTemplate;
-    PK11_SETATTRS(attrs, CKA_CLASS, &crlClass, sizeof(crlClass)); attrs++;
-
-    options.head = nodes;
-
-    /* - do a partial decoding - we don't need to decode the entries while
-       fetching
-       - don't copy the DER for optimal performance - CRL can be very large
-       - have the CRL objects adopt the DER, so SEC_DestroyCrl will free it
-       - keep bad CRL objects. The CRL cache is interested in them, for
-         security purposes. Bad CRL objects are a sign of something amiss.
-    */
-
-    options.decodeOptions = CRL_DECODE_SKIP_ENTRIES | CRL_DECODE_DONT_COPY_DER |
-                            CRL_DECODE_ADOPT_HEAP_DER | CRL_DECODE_KEEP_BAD_CRL;
-    if (issuer)
-    {
-        PK11_SETATTRS(attrs, CKA_SUBJECT, issuer->data, issuer->len); attrs++;
-    }
-
-    creater.callback = pk11_RetrieveCrlsCallback;
-    creater.callbackArg = (void *) &options;
-    creater.findTemplate = theTemplate;
-    creater.templateCount = (attrs - theTemplate);
-
-    return pk11_TraverseAllSlots(PK11_TraverseSlot, &creater, wincx);
-}
-
-/*
- * return the crl associated with a derSubjectName 
- */
-SECItem *
-PK11_FindCrlByName(PK11SlotInfo **slot, CK_OBJECT_HANDLE *crlHandle,
-					 SECItem *name, int type, char **url)
-{
-    NSSCRL **crls, **crlp, *crl;
-    NSSDER subject;
-    SECItem *rvItem;
-    NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
-    NSSITEM_FROM_SECITEM(&subject, name);
-    if (*slot) {
-	nssCryptokiObject **instances;
-	nssPKIObjectCollection *collection;
-	nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
-	NSSToken *token = PK11Slot_GetNSSToken(*slot);
-	collection = nssCRLCollection_Create(td, NULL);
-	if (!collection) {
-	    return NULL;
-	}
-	instances = nssToken_FindCRLsBySubject(token, NULL, &subject, 
-	                                       tokenOnly, 0, NULL);
-	nssPKIObjectCollection_AddInstances(collection, instances, 0);
-	nss_ZFreeIf(instances);
-	crls = nssPKIObjectCollection_GetCRLs(collection, NULL, 0, NULL);
-	nssPKIObjectCollection_Destroy(collection);
-    } else {
-	crls = nssTrustDomain_FindCRLsBySubject(td, &subject);
-    }
-    if ((!crls) || (*crls == NULL)) {
-	if (crls) {
-	    nssCRLArray_Destroy(crls);
-	}
-	if (NSS_GetError() == NSS_ERROR_NOT_FOUND) {
-	    PORT_SetError(SEC_ERROR_CRL_NOT_FOUND);
-	}
-	return NULL;
-    }
-    crl = NULL;
-    for (crlp = crls; *crlp; crlp++) {
-	if ((!(*crlp)->isKRL && type == SEC_CRL_TYPE) ||
-	    ((*crlp)->isKRL && type != SEC_CRL_TYPE)) 
-	{
-	    crl = nssCRL_AddRef(*crlp);
-	    break;
-	}
-    }
-    nssCRLArray_Destroy(crls);
-    if (!crl) { 
-	/* CRL collection was found, but no interesting CRL's were on it.
-	 * Not an error */
-	PORT_SetError(SEC_ERROR_CRL_NOT_FOUND);
-	return NULL;
-    }
-    if (crl->url) {
-	*url = PORT_Strdup(crl->url);
-	if (!*url) {
-	    nssCRL_Destroy(crl);
-	    return NULL;
-	}
-    } else {
-	*url = NULL;
-    }
-    rvItem = SECITEM_AllocItem(NULL, NULL, crl->encoding.size);
-    if (!rvItem) {
-	PORT_Free(*url);
-	nssCRL_Destroy(crl);
-	return NULL;
-    }
-    memcpy(rvItem->data, crl->encoding.data, crl->encoding.size);
-    *slot = PK11_ReferenceSlot(crl->object.instances[0]->token->pk11slot);
-    *crlHandle = crl->object.instances[0]->handle;
-    nssCRL_Destroy(crl);
-    return rvItem;
-}
-
-CK_OBJECT_HANDLE
-PK11_PutCrl(PK11SlotInfo *slot, SECItem *crl, SECItem *name, 
-							char *url, int type)
-{
-    NSSItem derCRL, derSubject;
-    NSSToken *token = PK11Slot_GetNSSToken(slot);
-    nssCryptokiObject *object;
-    PRBool isKRL = (type == SEC_CRL_TYPE) ? PR_FALSE : PR_TRUE;
-    CK_OBJECT_HANDLE rvH;
-
-    NSSITEM_FROM_SECITEM(&derSubject, name);
-    NSSITEM_FROM_SECITEM(&derCRL, crl);
-
-    object = nssToken_ImportCRL(token, NULL, 
-                                &derSubject, &derCRL, isKRL, url, PR_TRUE);
-
-    if (object) {
-	rvH = object->handle;
-	nssCryptokiObject_Destroy(object);
-    } else {
-	rvH = CK_INVALID_HANDLE;
-    }
-    return rvH;
-}
-
-
-/*
- * delete a crl.
- */
-SECStatus
-SEC_DeletePermCRL(CERTSignedCrl *crl)
-{
-    PRStatus status;
-    NSSToken *token;
-    nssCryptokiObject *object;
-    PK11SlotInfo *slot = crl->slot;
-
-    if (slot == NULL) {
-        PORT_Assert(slot);
-	/* shouldn't happen */
-	PORT_SetError( SEC_ERROR_CRL_INVALID);
-	return SECFailure;
-    }
-    token = PK11Slot_GetNSSToken(slot);
-
-    object = nss_ZNEW(NULL, nssCryptokiObject);
-    object->token = nssToken_AddRef(token);
-    object->handle = crl->pkcs11ID;
-    object->isTokenObject = PR_TRUE;
-
-    status = nssToken_DeleteStoredObject(object);
-
-    nssCryptokiObject_Destroy(object);
-    return (status == PR_SUCCESS) ? SECSuccess : SECFailure;
-}
-
-/*
- * return the certificate associated with a derCert 
- */
-SECItem *
-PK11_FindSMimeProfile(PK11SlotInfo **slot, char *emailAddr,
-				 SECItem *name, SECItem **profileTime)
-{
-    CK_OBJECT_CLASS smimeClass = CKO_NETSCAPE_SMIME;
-    CK_ATTRIBUTE theTemplate[] = {
-	{ CKA_SUBJECT, NULL, 0 },
-	{ CKA_CLASS, NULL, 0 },
-	{ CKA_NETSCAPE_EMAIL, NULL, 0 },
-    };
-    CK_ATTRIBUTE smimeData[] =  {
-	{ CKA_SUBJECT, NULL, 0 },
-	{ CKA_VALUE, NULL, 0 },
-    };
-    /* if you change the array, change the variable below as well */
-    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
-    CK_OBJECT_HANDLE smimeh = CK_INVALID_HANDLE;
-    CK_ATTRIBUTE *attrs = theTemplate;
-    CK_RV crv;
-    SECItem *emailProfile = NULL;
-
-    if (!emailAddr || !emailAddr[0]) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return NULL;
-    }
-
-    PK11_SETATTRS(attrs, CKA_SUBJECT, name->data, name->len); attrs++;
-    PK11_SETATTRS(attrs, CKA_CLASS, &smimeClass, sizeof(smimeClass)); attrs++;
-    PK11_SETATTRS(attrs, CKA_NETSCAPE_EMAIL, emailAddr, strlen(emailAddr)); 
-								    attrs++;
-
-    if (*slot) {
-    	smimeh = pk11_FindObjectByTemplate(*slot,theTemplate,tsize);
-    } else {
-	PK11SlotList *list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,
-							PR_FALSE,PR_TRUE,NULL);
-	PK11SlotListElement *le;
-
-	/* loop through all the slots */
-	for (le = list->head; le; le = le->next) {
-	    smimeh = pk11_FindObjectByTemplate(le->slot,theTemplate,tsize);
-	    if (smimeh != CK_INVALID_HANDLE) {
-		*slot = PK11_ReferenceSlot(le->slot);
-		break;
-	    }
-	}
-	PK11_FreeSlotList(list);
-    }
-    
-    if (smimeh == CK_INVALID_HANDLE) {
-	PORT_SetError(SEC_ERROR_NO_KRL);
-	return NULL;
-    }
-
-    if (profileTime) {
-    	PK11_SETATTRS(smimeData, CKA_NETSCAPE_SMIME_TIMESTAMP, NULL, 0);
-    } 
-    
-    crv = PK11_GetAttributes(NULL,*slot,smimeh,smimeData,2);
-    if (crv != CKR_OK) {
-	PORT_SetError(PK11_MapError (crv));
-	goto loser;
-    }
-
-    if (!profileTime) {
-	SECItem profileSubject;
-
-	profileSubject.data = (unsigned char*) smimeData[0].pValue;
-	profileSubject.len = smimeData[0].ulValueLen;
-	if (!SECITEM_ItemsAreEqual(&profileSubject,name)) {
-	    goto loser;
-	}
-    }
-
-    emailProfile = (SECItem *)PORT_ZAlloc(sizeof(SECItem));    
-    if (emailProfile == NULL) {
-	goto loser;
-    }
-
-    emailProfile->data = (unsigned char*) smimeData[1].pValue;
-    emailProfile->len = smimeData[1].ulValueLen;
-
-    if (profileTime) {
-	*profileTime = (SECItem *)PORT_ZAlloc(sizeof(SECItem));    
-	if (*profileTime) {
-	    (*profileTime)->data = (unsigned char*) smimeData[0].pValue;
-	    (*profileTime)->len = smimeData[0].ulValueLen;
-	}
-    }
-
-loser:
-    if (emailProfile == NULL) {
-	if (smimeData[1].pValue) {
-	    PORT_Free(smimeData[1].pValue);
-	}
-    }
-    if (profileTime == NULL || *profileTime == NULL) {
-	if (smimeData[0].pValue) {
-	    PORT_Free(smimeData[0].pValue);
-	}
-    }
-    return emailProfile;
-}
-
-
-SECStatus
-PK11_SaveSMimeProfile(PK11SlotInfo *slot, char *emailAddr, SECItem *derSubj,
-				 SECItem *emailProfile,  SECItem *profileTime)
-{
-    CK_OBJECT_CLASS smimeClass = CKO_NETSCAPE_SMIME;
-    CK_BBOOL ck_true = CK_TRUE;
-    CK_ATTRIBUTE theTemplate[] = {
-	{ CKA_CLASS, NULL, 0 },
-	{ CKA_TOKEN, NULL, 0 },
-	{ CKA_SUBJECT, NULL, 0 },
-	{ CKA_NETSCAPE_EMAIL, NULL, 0 },
-	{ CKA_NETSCAPE_SMIME_TIMESTAMP, NULL, 0 },
-	{ CKA_VALUE, NULL, 0 }
-    };
-    /* if you change the array, change the variable below as well */
-    int realSize = 0;
-    CK_OBJECT_HANDLE smimeh = CK_INVALID_HANDLE;
-    CK_ATTRIBUTE *attrs = theTemplate;
-    CK_SESSION_HANDLE rwsession;
-    PK11SlotInfo *free_slot = NULL;
-    CK_RV crv;
-#ifdef DEBUG
-    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
-#endif
-
-    PK11_SETATTRS(attrs, CKA_CLASS, &smimeClass, sizeof(smimeClass)); attrs++;
-    PK11_SETATTRS(attrs, CKA_TOKEN, &ck_true, sizeof(ck_true)); attrs++;
-    PK11_SETATTRS(attrs, CKA_SUBJECT, derSubj->data, derSubj->len); attrs++;
-    PK11_SETATTRS(attrs, CKA_NETSCAPE_EMAIL, 
-				emailAddr, PORT_Strlen(emailAddr)+1); attrs++;
-    if (profileTime) {
-	PK11_SETATTRS(attrs, CKA_NETSCAPE_SMIME_TIMESTAMP, profileTime->data,
-	                                            profileTime->len); attrs++;
-	PK11_SETATTRS(attrs, CKA_VALUE,emailProfile->data,
-	                                            emailProfile->len); attrs++;
-    }
-    realSize = attrs - theTemplate;
-    PORT_Assert (realSize <= tsize);
-
-    if (slot == NULL) {
-	free_slot = slot = PK11_GetInternalKeySlot();
-	/* we need to free the key slot in the end!!! */
-    }
-
-    rwsession = PK11_GetRWSession(slot);
-    if (rwsession == CK_INVALID_SESSION) {
-	PORT_SetError(SEC_ERROR_READ_ONLY);
-	if (free_slot) {
-	    PK11_FreeSlot(free_slot);
-	}
-	return SECFailure;
-    }
-
-    crv = PK11_GETTAB(slot)->
-                        C_CreateObject(rwsession,theTemplate,realSize,&smimeh);
-    if (crv != CKR_OK) {
-        PORT_SetError( PK11_MapError(crv) );
-    }
-
-    PK11_RestoreROSession(slot,rwsession);
-
-    if (free_slot) {
-	PK11_FreeSlot(free_slot);
-    }
-    return SECSuccess;
-}
-
-
-CERTSignedCrl * crl_storeCRL (PK11SlotInfo *slot,char *url,
-                  CERTSignedCrl *newCrl, SECItem *derCrl, int type);
-
-/* import the CRL into the token */
-
-CERTSignedCrl* PK11_ImportCRL(PK11SlotInfo * slot, SECItem *derCRL, char *url,
-    int type, void *wincx, PRInt32 importOptions, PRArenaPool* arena,
-    PRInt32 decodeoptions)
-{
-    CERTSignedCrl *newCrl, *crl;
-    SECStatus rv;
-    CERTCertificate *caCert = NULL;
-
-    newCrl = crl = NULL;
-
-    do {
-        newCrl = CERT_DecodeDERCrlWithFlags(arena, derCRL, type,
-                                            decodeoptions);
-        if (newCrl == NULL) {
-            if (type == SEC_CRL_TYPE) {
-                /* only promote error when the error code is too generic */
-                if (PORT_GetError () == SEC_ERROR_BAD_DER)
-                    PORT_SetError(SEC_ERROR_CRL_INVALID);
-	        } else {
-                PORT_SetError(SEC_ERROR_KRL_INVALID);
-            }
-            break;		
-        }
-
-        if (0 == (importOptions & CRL_IMPORT_BYPASS_CHECKS)){
-            CERTCertDBHandle* handle = CERT_GetDefaultCertDB();
-            PR_ASSERT(handle != NULL);
-            caCert = CERT_FindCertByName (handle,
-                                          &newCrl->crl.derName);
-            if (caCert == NULL) {
-                PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);	    
-                break;
-            }
-
-            /* If caCert is a v3 certificate, make sure that it can be used for
-               crl signing purpose */
-            rv = CERT_CheckCertUsage (caCert, KU_CRL_SIGN);
-            if (rv != SECSuccess) {
-                break;
-            }
-
-            rv = CERT_VerifySignedData(&newCrl->signatureWrap, caCert,
-                                       PR_Now(), wincx);
-            if (rv != SECSuccess) {
-                if (type == SEC_CRL_TYPE) {
-                    PORT_SetError(SEC_ERROR_CRL_BAD_SIGNATURE);
-                } else {
-                    PORT_SetError(SEC_ERROR_KRL_BAD_SIGNATURE);
-                }
-                break;
-            }
-        }
-
-	crl = crl_storeCRL(slot, url, newCrl, derCRL, type);
-
-    } while (0);
-
-    if (crl == NULL) {
-	SEC_DestroyCrl (newCrl);
-    }
-    if (caCert) {
-        CERT_DestroyCertificate(caCert);
-    }
-    return (crl);
-}
diff --git a/security/nss/lib/pk11wrap/pk11obj.c b/security/nss/lib/pk11wrap/pk11obj.c
deleted file mode 100644
index 65b47ef96..000000000
--- a/security/nss/lib/pk11wrap/pk11obj.c
+++ /dev/null
@@ -1,1695 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, and
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * This file manages object type indepentent functions.
- */
-#include "seccomon.h"
-#include "secmod.h"
-#include "secmodi.h"
-#include "secmodti.h"
-#include "pkcs11.h"
-#include "pkcs11t.h"
-#include "pk11func.h"
-#include "key.h" 
-#include "secitem.h"
-#include "secerr.h"
-#include "sslerr.h"
-
-#define PK11_SEARCH_CHUNKSIZE 10
-
-/*
- * Build a block big enough to hold the data
- */
-SECItem *
-PK11_BlockData(SECItem *data,unsigned long size) {
-    SECItem *newData;
-
-    newData = (SECItem *)PORT_Alloc(sizeof(SECItem));
-    if (newData == NULL) return NULL;
-
-    newData->len = (data->len + (size-1))/size;
-    newData->len *= size;
-
-    newData->data = (unsigned char *) PORT_ZAlloc(newData->len); 
-    if (newData->data == NULL) {
-	PORT_Free(newData);
-	return NULL;
-    }
-    PORT_Memset(newData->data,newData->len-data->len,newData->len); 
-    PORT_Memcpy(newData->data,data->data,data->len);
-    return newData;
-}
-
-
-SECStatus
-PK11_DestroyObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object) {
-    CK_RV crv;
-
-    PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB(slot)->C_DestroyObject(slot->session,object);
-    PK11_ExitSlotMonitor(slot);
-    if (crv != CKR_OK) {
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-SECStatus
-PK11_DestroyTokenObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object) {
-    CK_RV crv;
-    SECStatus rv = SECSuccess;
-    CK_SESSION_HANDLE rwsession;
-
-    
-    rwsession = PK11_GetRWSession(slot);
-    if (rwsession == CK_INVALID_SESSION) {
-    	PORT_SetError(SEC_ERROR_BAD_DATA);
-    	return SECFailure;
-    }
-
-    crv = PK11_GETTAB(slot)->C_DestroyObject(rwsession,object);
-    if (crv != CKR_OK) {
-	rv = SECFailure;
-	PORT_SetError(PK11_MapError(crv));
-    }
-    PK11_RestoreROSession(slot,rwsession);
-    return rv;
-}
-
-/*
- * Read in a single attribute into a SECItem. Allocate space for it with 
- * PORT_Alloc unless an arena is supplied. In the latter case use the arena
- * to allocate the space.
- */
-SECStatus
-PK11_ReadAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
-	 CK_ATTRIBUTE_TYPE type, PRArenaPool *arena, SECItem *result) {
-    CK_ATTRIBUTE attr = { 0, NULL, 0 };
-    CK_RV crv;
-
-    attr.type = type;
-
-    PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,id,&attr,1);
-    if (crv != CKR_OK) {
-	PK11_ExitSlotMonitor(slot);
-	PORT_SetError(PK11_MapError(crv));
-	return SECFailure;
-    }
-    if (arena) {
-    	attr.pValue = PORT_ArenaAlloc(arena,attr.ulValueLen);
-    } else {
-    	attr.pValue = PORT_Alloc(attr.ulValueLen);
-    }
-    if (attr.pValue == NULL) {
-	PK11_ExitSlotMonitor(slot);
-	return SECFailure;
-    }
-    crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,id,&attr,1);
-    PK11_ExitSlotMonitor(slot);
-    if (crv != CKR_OK) {
-	PORT_SetError(PK11_MapError(crv));
-	if (!arena) PORT_Free(attr.pValue);
-	return SECFailure;
-    }
-
-    result->data = (unsigned char*)attr.pValue;
-    result->len = attr.ulValueLen;
-
-    return SECSuccess;
-}
-
-/*
- * Read in a single attribute into As a Ulong. 
- */
-CK_ULONG
-PK11_ReadULongAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
-	 CK_ATTRIBUTE_TYPE type) {
-    CK_ATTRIBUTE attr;
-    CK_ULONG value = CK_UNAVAILABLE_INFORMATION;
-    CK_RV crv;
-
-    PK11_SETATTRS(&attr,type,&value,sizeof(value));
-
-    PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,id,&attr,1);
-    PK11_ExitSlotMonitor(slot);
-    if (crv != CKR_OK) {
-	PORT_SetError(PK11_MapError(crv));
-    }
-    return value;
-}
-
-/*
- * check to see if a bool has been set.
- */
-CK_BBOOL
-PK11_HasAttributeSet( PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
-				                      CK_ATTRIBUTE_TYPE type )
-{
-    CK_BBOOL ckvalue = CK_FALSE;
-    CK_ATTRIBUTE theTemplate;
-    CK_RV crv;
-
-    /* Prepare to retrieve the attribute. */
-    PK11_SETATTRS( &theTemplate, type, &ckvalue, sizeof( CK_BBOOL ) );
-
-    /* Retrieve attribute value. */
-    PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB( slot )->C_GetAttributeValue( slot->session, id,
-                                                    &theTemplate, 1 );
-    PK11_ExitSlotMonitor(slot);
-    if( crv != CKR_OK ) {
-        PORT_SetError( PK11_MapError( crv ) );
-        return CK_FALSE;
-    }
-
-    return ckvalue;
-}
-
-/*
- * returns a full list of attributes. Allocate space for them. If an arena is
- * provided, allocate space out of the arena.
- */
-CK_RV
-PK11_GetAttributes(PRArenaPool *arena,PK11SlotInfo *slot,
-			CK_OBJECT_HANDLE obj,CK_ATTRIBUTE *attr, int count)
-{
-    int i;
-    /* make pedantic happy... note that it's only used arena != NULL */ 
-    void *mark = NULL; 
-    CK_RV crv;
-    PORT_Assert(slot->session != CK_INVALID_SESSION);
-    if (slot->session == CK_INVALID_SESSION)
-	return CKR_SESSION_HANDLE_INVALID;
-
-    /*
-     * first get all the lengths of the parameters.
-     */
-    PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,obj,attr,count);
-    if (crv != CKR_OK) {
-	PK11_ExitSlotMonitor(slot);
-	return crv;
-    }
-
-    if (arena) {
-    	mark = PORT_ArenaMark(arena);
-	if (mark == NULL) return CKR_HOST_MEMORY;
-    }
-
-    /*
-     * now allocate space to store the results.
-     */
-    for (i=0; i < count; i++) {
-	if (arena) {
-	    attr[i].pValue = PORT_ArenaAlloc(arena,attr[i].ulValueLen);
-	    if (attr[i].pValue == NULL) {
-		/* arena failures, just release the mark */
-		PORT_ArenaRelease(arena,mark);
-		PK11_ExitSlotMonitor(slot);
-		return CKR_HOST_MEMORY;
-	    }
-	} else {
-	    attr[i].pValue = PORT_Alloc(attr[i].ulValueLen);
-	    if (attr[i].pValue == NULL) {
-		/* Separate malloc failures, loop to release what we have 
-		 * so far */
-		int j;
-		for (j= 0; j < i; j++) { 
-		    PORT_Free(attr[j].pValue);
-		    /* don't give the caller pointers to freed memory */
-		    attr[j].pValue = NULL; 
-		}
-		PK11_ExitSlotMonitor(slot);
-		return CKR_HOST_MEMORY;
-	    }
-	}
-    }
-
-    /*
-     * finally get the results.
-     */
-    crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,obj,attr,count);
-    PK11_ExitSlotMonitor(slot);
-    if (crv != CKR_OK) {
-	if (arena) {
-	    PORT_ArenaRelease(arena,mark);
-	} else {
-	    for (i= 0; i < count; i++) {
-		PORT_Free(attr[i].pValue);
-		/* don't give the caller pointers to freed memory */
-		attr[i].pValue = NULL;
-	    }
-	}
-    } else if (arena && mark) {
-	PORT_ArenaUnmark(arena,mark);
-    }
-    return crv;
-}
-
-PRBool
-PK11_IsPermObject(PK11SlotInfo *slot, CK_OBJECT_HANDLE handle)
-{
-    return (PRBool) PK11_HasAttributeSet(slot, handle, CKA_TOKEN);
-}
-
-char *
-PK11_GetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id) 
-{
-    char *nickname = NULL;
-    SECItem result;
-    SECStatus rv;
-
-    rv = PK11_ReadAttribute(slot,id,CKA_LABEL,NULL,&result);
-    if (rv != SECSuccess) {
-	return NULL;
-    }
-
-    nickname = PORT_ZAlloc(result.len+1);
-    if (nickname == NULL) {
-	PORT_Free(result.data);
-	return NULL;
-    }
-    PORT_Memcpy(nickname, result.data, result.len);
-    PORT_Free(result.data);
-    return nickname;
-}
-
-SECStatus
-PK11_SetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, 
-						const char *nickname) 
-{
-    int len = PORT_Strlen(nickname);
-    CK_ATTRIBUTE setTemplate;
-    CK_RV crv;
-    CK_SESSION_HANDLE rwsession;
-
-    if (len < 0) {
-	return SECFailure;
-    }
-
-    PK11_SETATTRS(&setTemplate, CKA_LABEL, (CK_CHAR *) nickname, len);
-    rwsession = PK11_GetRWSession(slot);
-    if (rwsession == CK_INVALID_SESSION) {
-    	PORT_SetError(SEC_ERROR_BAD_DATA);
-    	return SECFailure;
-    }
-    crv = PK11_GETTAB(slot)->C_SetAttributeValue(rwsession, id,
-			&setTemplate, 1);
-    PK11_RestoreROSession(slot, rwsession);
-    if (crv != CKR_OK) {
-	PORT_SetError(PK11_MapError(crv));
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-/*
- * strip leading zero's from key material
- */
-void
-pk11_SignedToUnsigned(CK_ATTRIBUTE *attrib) {
-    char *ptr = (char *)attrib->pValue;
-    unsigned long len = attrib->ulValueLen;
-
-    while (len && (*ptr == 0)) {
-	len--;
-	ptr++;
-    }
-    attrib->pValue = ptr;
-    attrib->ulValueLen = len;
-}
-
-/*
- * get a new session on a slot. If we run out of session, use the slot's
- * 'exclusive' session. In this case owner becomes false.
- */
-CK_SESSION_HANDLE
-pk11_GetNewSession(PK11SlotInfo *slot,PRBool *owner)
-{
-    CK_SESSION_HANDLE session;
-    *owner =  PR_TRUE;
-    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
-    if ( PK11_GETTAB(slot)->C_OpenSession(slot->slotID,CKF_SERIAL_SESSION, 
-			slot,pk11_notify,&session) != CKR_OK) {
-	*owner = PR_FALSE;
-	session = slot->session;
-    }
-    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
-
-    return session;
-}
-
-void
-pk11_CloseSession(PK11SlotInfo *slot,CK_SESSION_HANDLE session,PRBool owner)
-{
-    if (!owner) return;
-    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
-    (void) PK11_GETTAB(slot)->C_CloseSession(session);
-    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
-}
-
-
-SECStatus
-PK11_CreateNewObject(PK11SlotInfo *slot, CK_SESSION_HANDLE session,
-				CK_ATTRIBUTE *theTemplate, int count, 
-				PRBool token, CK_OBJECT_HANDLE *objectID)
-{
-	CK_SESSION_HANDLE rwsession;
-	CK_RV crv;
-	SECStatus rv = SECSuccess;
-
-	rwsession = session;
-	if (token) {
-	    rwsession =  PK11_GetRWSession(slot);
-	} else if (rwsession == CK_INVALID_SESSION) {
-	    rwsession =  slot->session;
-	    if (rwsession != CK_INVALID_SESSION)
-		PK11_EnterSlotMonitor(slot);
-	}
-	if (rwsession == CK_INVALID_SESSION) {
-	    PORT_SetError(SEC_ERROR_BAD_DATA);
-	    return SECFailure;
-	}
-	crv = PK11_GETTAB(slot)->C_CreateObject(rwsession, theTemplate,
-							count,objectID);
-	if(crv != CKR_OK) {
-	    PORT_SetError( PK11_MapError(crv) );
-	    rv = SECFailure;
-	}
-	if (token) {
-	    PK11_RestoreROSession(slot, rwsession);
-	} else if (session == CK_INVALID_SESSION) {
-	    PK11_ExitSlotMonitor(slot);
-        }
-
-	return rv;
-}
-
-
-/* This function may add a maximum of 9 attributes. */
-unsigned int
-pk11_OpFlagsToAttributes(CK_FLAGS flags, CK_ATTRIBUTE *attrs, CK_BBOOL *ckTrue)
-{
-
-    const static CK_ATTRIBUTE_TYPE attrTypes[12] = {
-	CKA_ENCRYPT,      CKA_DECRYPT, 0 /* DIGEST */,     CKA_SIGN,
-	CKA_SIGN_RECOVER, CKA_VERIFY,  CKA_VERIFY_RECOVER, 0 /* GEN */,
-	0 /* GEN PAIR */, CKA_WRAP,    CKA_UNWRAP,         CKA_DERIVE 
-    };
-
-    const CK_ATTRIBUTE_TYPE *pType	= attrTypes;
-          CK_ATTRIBUTE      *attr	= attrs;
-          CK_FLAGS          test	= CKF_ENCRYPT;
-
-
-    PR_ASSERT(!(flags & ~CKF_KEY_OPERATION_FLAGS));
-    flags &= CKF_KEY_OPERATION_FLAGS;
-
-    for (; flags && test <= CKF_DERIVE; test <<= 1, ++pType) {
-    	if (test & flags) {
-	    flags ^= test;
-	    PR_ASSERT(*pType);
-	    PK11_SETATTRS(attr, *pType, ckTrue, sizeof *ckTrue); 
-	    ++attr;
-	}
-    }
-    return (attr - attrs);
-}
-
-/*
- * Check for conflicting flags, for example, if both PK11_ATTR_PRIVATE
- * and PK11_ATTR_PUBLIC are set.
- */
-PRBool
-pk11_BadAttrFlags(PK11AttrFlags attrFlags)
-{
-    PK11AttrFlags trueFlags = attrFlags & 0x55555555;
-    PK11AttrFlags falseFlags = (attrFlags >> 1) & 0x55555555;
-    return ((trueFlags & falseFlags) != 0);
-}
-
-/*
- * This function may add a maximum of 5 attributes.
- * The caller must make sure the attribute flags don't have conflicts.
- */
-unsigned int
-pk11_AttrFlagsToAttributes(PK11AttrFlags attrFlags, CK_ATTRIBUTE *attrs,
-				CK_BBOOL *ckTrue, CK_BBOOL *ckFalse)
-{
-    const static CK_ATTRIBUTE_TYPE attrTypes[5] = {
-	CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_SENSITIVE,
-	CKA_EXTRACTABLE
-    };
-
-    const CK_ATTRIBUTE_TYPE *pType	= attrTypes;
-          CK_ATTRIBUTE      *attr	= attrs;
-          PK11AttrFlags      test	= PK11_ATTR_TOKEN;
-
-    PR_ASSERT(!pk11_BadAttrFlags(attrFlags));
-
-    /* we test two related bitflags in each iteration */
-    for (; attrFlags && test <= PK11_ATTR_EXTRACTABLE; test <<= 2, ++pType) {
-    	if (test & attrFlags) {
-	    attrFlags ^= test;
-	    PK11_SETATTRS(attr, *pType, ckTrue, sizeof *ckTrue); 
-	    ++attr;
-	} else if ((test << 1) & attrFlags) {
-	    attrFlags ^= (test << 1);
-	    PK11_SETATTRS(attr, *pType, ckFalse, sizeof *ckFalse); 
-	    ++attr;
-	}
-    }
-    return (attr - attrs);
-}
-
-/*
- * Some non-compliant PKCS #11 vendors do not give us the modulus, so actually
- * set up a signature to get the signaure length.
- */
-static int
-pk11_backupGetSignLength(SECKEYPrivateKey *key)
-{
-    PK11SlotInfo *slot = key->pkcs11Slot;
-    CK_MECHANISM mech = {0, NULL, 0 };
-    PRBool owner = PR_TRUE;
-    CK_SESSION_HANDLE session;
-    CK_ULONG len;
-    CK_RV crv;
-    unsigned char h_data[20]  = { 0 };
-    unsigned char buf[20]; /* obviously to small */
-    CK_ULONG smallLen = sizeof(buf);
-
-    mech.mechanism = PK11_MapSignKeyType(key->keyType);
-
-    session = pk11_GetNewSession(slot,&owner);
-    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB(slot)->C_SignInit(session,&mech,key->pkcs11ID);
-    if (crv != CKR_OK) {
-	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
-	pk11_CloseSession(slot,session,owner);
-	PORT_SetError( PK11_MapError(crv) );
-	return -1;
-    }
-    len = 0;
-    crv = PK11_GETTAB(slot)->C_Sign(session,h_data,sizeof(h_data),
-					NULL, &len);
-    /* now call C_Sign with too small a buffer to clear the session state */
-    (void) PK11_GETTAB(slot)->
-			C_Sign(session,h_data,sizeof(h_data),buf,&smallLen);
-	
-    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
-    pk11_CloseSession(slot,session,owner);
-    if (crv != CKR_OK) {
-	PORT_SetError( PK11_MapError(crv) );
-	return -1;
-    }
-    return len;
-}
-
-/*
- * get the length of a signature object based on the key
- */
-int
-PK11_SignatureLen(SECKEYPrivateKey *key)
-{
-    int val;
-    CK_ATTRIBUTE theTemplate = { CKA_EC_PARAMS, NULL, 0 };
-    SECItem params = {siBuffer, NULL, 0};
-    int length; 
-
-    switch (key->keyType) {
-    case rsaKey:
-	val = PK11_GetPrivateModulusLen(key);
-	if (val == -1) {
-	    return pk11_backupGetSignLength(key);
-	}
-	return (unsigned long) val;
-	
-    case fortezzaKey:
-    case dsaKey:
-	return 40;
-    case ecKey:
-	if (PK11_GetAttributes(NULL, key->pkcs11Slot, key->pkcs11ID,
-			       &theTemplate, 1) == CKR_OK) {
-	    if (theTemplate.pValue != NULL) {
-	        params.len = theTemplate.ulValueLen;
-		params.data = (unsigned char *) theTemplate.pValue;
-	        length = SECKEY_ECParamsToKeySize(&params);
-	        PORT_Free(theTemplate.pValue);
-	    }
-	    length = ((length + 7)/8) * 2;
-	    return length;
-	}
-	break;
-    default:
-	break;
-    }
-    PORT_SetError( SEC_ERROR_INVALID_KEY );
-    return 0;
-}
-
-/*
- * copy a key (or any other object) on a token
- */
-CK_OBJECT_HANDLE
-PK11_CopyKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE srcObject)
-{
-    CK_OBJECT_HANDLE destObject;
-    CK_RV crv;
-
-    PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB(slot)->C_CopyObject(slot->session,srcObject,NULL,0,
-				&destObject);
-    PK11_ExitSlotMonitor(slot);
-    if (crv == CKR_OK) return destObject;
-    PORT_SetError( PK11_MapError(crv) );
-    return CK_INVALID_HANDLE;
-}
-
-PRBool
-pk11_FindAttrInTemplate(CK_ATTRIBUTE *attr, unsigned int numAttrs,
-						CK_ATTRIBUTE_TYPE target)
-{
-    for (; numAttrs > 0; ++attr, --numAttrs) {
-    	if (attr->type == target)
-	    return PR_TRUE;
-    }
-    return PR_FALSE;
-}
-	
-/*
- * Recover the Signed data. We need this because our old verify can't
- * figure out which hash algorithm to use until we decryptted this.
- */
-SECStatus
-PK11_VerifyRecover(SECKEYPublicKey *key,
-			 	SECItem *sig, SECItem *dsig, void *wincx)
-{
-    PK11SlotInfo *slot = key->pkcs11Slot;
-    CK_OBJECT_HANDLE id = key->pkcs11ID;
-    CK_MECHANISM mech = {0, NULL, 0 };
-    PRBool owner = PR_TRUE;
-    CK_SESSION_HANDLE session;
-    CK_ULONG len;
-    CK_RV crv;
-
-    mech.mechanism = PK11_MapSignKeyType(key->keyType);
-
-    if (slot == NULL) {
-	slot = PK11_GetBestSlot(mech.mechanism,wincx);
-	if (slot == NULL) {
-	    	PORT_SetError( SEC_ERROR_NO_MODULE );
-		return SECFailure;
-	}
-	id = PK11_ImportPublicKey(slot,key,PR_FALSE);
-    } else {
-	PK11_ReferenceSlot(slot);
-    }
-
-    if (id == CK_INVALID_HANDLE) {
-	PK11_FreeSlot(slot);
-	PORT_SetError( SEC_ERROR_BAD_KEY );
-	return SECFailure;
-    }
-
-    session = pk11_GetNewSession(slot,&owner);
-    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB(slot)->C_VerifyRecoverInit(session,&mech,id);
-    if (crv != CKR_OK) {
-	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
-	pk11_CloseSession(slot,session,owner);
-	PORT_SetError( PK11_MapError(crv) );
-	PK11_FreeSlot(slot);
-	return SECFailure;
-    }
-    len = dsig->len;
-    crv = PK11_GETTAB(slot)->C_VerifyRecover(session,sig->data,
-						sig->len, dsig->data, &len);
-    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
-    pk11_CloseSession(slot,session,owner);
-    dsig->len = len;
-    if (crv != CKR_OK) {
-	PORT_SetError( PK11_MapError(crv) );
-	PK11_FreeSlot(slot);
-	return SECFailure;
-    }
-    PK11_FreeSlot(slot);
-    return SECSuccess;
-}
-
-/*
- * verify a signature from its hash.
- */
-SECStatus
-PK11_Verify(SECKEYPublicKey *key, SECItem *sig, SECItem *hash, void *wincx)
-{
-    PK11SlotInfo *slot = key->pkcs11Slot;
-    CK_OBJECT_HANDLE id = key->pkcs11ID;
-    CK_MECHANISM mech = {0, NULL, 0 };
-    PRBool owner = PR_TRUE;
-    CK_SESSION_HANDLE session;
-    CK_RV crv;
-
-    mech.mechanism = PK11_MapSignKeyType(key->keyType);
-
-    if (slot == NULL) {
-	slot = PK11_GetBestSlot(mech.mechanism,wincx);
-       
-	if (slot == NULL) {
-	    PORT_SetError( SEC_ERROR_NO_MODULE );
-	    return SECFailure;
-	}
-	id = PK11_ImportPublicKey(slot,key,PR_FALSE);
-            
-    } else {
-	PK11_ReferenceSlot(slot);
-    }
-
-    if (id == CK_INVALID_HANDLE) {
-	PK11_FreeSlot(slot);
-	PORT_SetError( SEC_ERROR_BAD_KEY );
-	return SECFailure;
-    }
-
-    session = pk11_GetNewSession(slot,&owner);
-    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB(slot)->C_VerifyInit(session,&mech,id);
-    if (crv != CKR_OK) {
-	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
-	pk11_CloseSession(slot,session,owner);
-	PK11_FreeSlot(slot);
-	PORT_SetError( PK11_MapError(crv) );
-	return SECFailure;
-    }
-    crv = PK11_GETTAB(slot)->C_Verify(session,hash->data,
-					hash->len, sig->data, sig->len);
-    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
-    pk11_CloseSession(slot,session,owner);
-    PK11_FreeSlot(slot);
-    if (crv != CKR_OK) {
-	PORT_SetError( PK11_MapError(crv) );
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-/*
- * sign a hash. The algorithm is determined by the key.
- */
-SECStatus
-PK11_Sign(SECKEYPrivateKey *key, SECItem *sig, SECItem *hash)
-{
-    PK11SlotInfo *slot = key->pkcs11Slot;
-    CK_MECHANISM mech = {0, NULL, 0 };
-    PRBool owner = PR_TRUE;
-    CK_SESSION_HANDLE session;
-    CK_ULONG len;
-    CK_RV crv;
-
-    mech.mechanism = PK11_MapSignKeyType(key->keyType);
-
-    if (SECKEY_HAS_ATTRIBUTE_SET(key,CKA_PRIVATE)) {
-	PK11_HandlePasswordCheck(slot, key->wincx);
-    }
-
-    session = pk11_GetNewSession(slot,&owner);
-    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB(slot)->C_SignInit(session,&mech,key->pkcs11ID);
-    if (crv != CKR_OK) {
-	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
-	pk11_CloseSession(slot,session,owner);
-	PORT_SetError( PK11_MapError(crv) );
-	return SECFailure;
-    }
-    len = sig->len;
-    crv = PK11_GETTAB(slot)->C_Sign(session,hash->data,
-					hash->len, sig->data, &len);
-    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
-    pk11_CloseSession(slot,session,owner);
-    sig->len = len;
-    if (crv != CKR_OK) {
-	PORT_SetError( PK11_MapError(crv) );
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-/*
- * Now SSL 2.0 uses raw RSA stuff. These next to functions *must* use
- * RSA keys, or they'll fail. We do the checks up front. If anyone comes
- * up with a meaning for rawdecrypt for any other public key operation,
- * then we need to move this check into some of PK11_PubDecrypt callers,
- * (namely SSL 2.0).
- */
-static SECStatus
-pk11_PrivDecryptRaw(SECKEYPrivateKey *key, unsigned char *data, 
-	unsigned *outLen, unsigned int maxLen, unsigned char *enc,
-				    unsigned encLen, CK_MECHANISM_PTR mech)
-{
-    PK11SlotInfo *slot = key->pkcs11Slot;
-    CK_ULONG out = maxLen;
-    PRBool owner = PR_TRUE;
-    CK_SESSION_HANDLE session;
-    CK_RV crv;
-
-    if (key->keyType != rsaKey) {
-	PORT_SetError( SEC_ERROR_INVALID_KEY );
-	return SECFailure;
-    }
-
-    /* Why do we do a PK11_handle check here? for simple
-     * decryption? .. because the user may have asked for 'ask always'
-     * and this is a private key operation. In practice, thought, it's mute
-     * since only servers wind up using this function */
-    if (SECKEY_HAS_ATTRIBUTE_SET(key,CKA_PRIVATE)) {
-	PK11_HandlePasswordCheck(slot, key->wincx);
-    }
-    session = pk11_GetNewSession(slot,&owner);
-    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB(slot)->C_DecryptInit(session, mech, key->pkcs11ID);
-    if (crv != CKR_OK) {
-	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
-	pk11_CloseSession(slot,session,owner);
-	PORT_SetError( PK11_MapError(crv) );
-	return SECFailure;
-    }
-    crv = PK11_GETTAB(slot)->C_Decrypt(session,enc, encLen, data, &out);
-    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
-    pk11_CloseSession(slot,session,owner);
-    *outLen = out;
-    if (crv != CKR_OK) {
-	PORT_SetError( PK11_MapError(crv) );
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-SECStatus
-PK11_PubDecryptRaw(SECKEYPrivateKey *key, unsigned char *data, 
-	unsigned *outLen, unsigned int maxLen, unsigned char *enc,
-				    unsigned encLen)
-{
-    CK_MECHANISM mech = {CKM_RSA_X_509, NULL, 0 };
-    return pk11_PrivDecryptRaw(key, data, outLen, maxLen, enc, encLen, &mech);
-}
-
-SECStatus
-PK11_PrivDecryptPKCS1(SECKEYPrivateKey *key, unsigned char *data, 
-	unsigned *outLen, unsigned int maxLen, unsigned char *enc,
-				    unsigned encLen)
-{
-    CK_MECHANISM mech = {CKM_RSA_PKCS, NULL, 0 };
-    return pk11_PrivDecryptRaw(key, data, outLen, maxLen, enc, encLen, &mech);
-}
-
-static SECStatus
-pk11_PubEncryptRaw(SECKEYPublicKey *key, unsigned char *enc,
-		    unsigned char *data, unsigned dataLen, 
-		    CK_MECHANISM_PTR mech, void *wincx)
-{
-    PK11SlotInfo *slot;
-    CK_OBJECT_HANDLE id;
-    CK_ULONG out;
-    PRBool owner = PR_TRUE;
-    CK_SESSION_HANDLE session;
-    CK_RV crv;
-
-    if (!key || key->keyType != rsaKey) {
-	PORT_SetError( SEC_ERROR_BAD_KEY );
-	return SECFailure;
-    }
-    out = SECKEY_PublicKeyStrength(key);
-
-    slot = PK11_GetBestSlot(mech->mechanism, wincx);
-    if (slot == NULL) {
-	PORT_SetError( SEC_ERROR_NO_MODULE );
-	return SECFailure;
-    }
-
-    id = PK11_ImportPublicKey(slot,key,PR_FALSE);
-
-    if (id == CK_INVALID_HANDLE) {
-	PK11_FreeSlot(slot);
-	PORT_SetError( SEC_ERROR_BAD_KEY );
-	return SECFailure;
-    }
-
-    session = pk11_GetNewSession(slot,&owner);
-    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB(slot)->C_EncryptInit(session, mech, id);
-    if (crv != CKR_OK) {
-	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
-	pk11_CloseSession(slot,session,owner);
-	PK11_FreeSlot(slot);
-	PORT_SetError( PK11_MapError(crv) );
-	return SECFailure;
-    }
-    crv = PK11_GETTAB(slot)->C_Encrypt(session,data,dataLen,enc,&out);
-    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
-    pk11_CloseSession(slot,session,owner);
-    PK11_FreeSlot(slot);
-    if (crv != CKR_OK) {
-	PORT_SetError( PK11_MapError(crv) );
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-SECStatus
-PK11_PubEncryptRaw(SECKEYPublicKey *key, unsigned char *enc,
-		unsigned char *data, unsigned dataLen, void *wincx)
-{
-    CK_MECHANISM mech = {CKM_RSA_X_509, NULL, 0 };
-    return pk11_PubEncryptRaw(key, enc, data, dataLen, &mech, wincx);
-}
-
-SECStatus
-PK11_PubEncryptPKCS1(SECKEYPublicKey *key, unsigned char *enc,
-		unsigned char *data, unsigned dataLen, void *wincx)
-{
-    CK_MECHANISM mech = {CKM_RSA_PKCS, NULL, 0 };
-    return pk11_PubEncryptRaw(key, enc, data, dataLen, &mech, wincx);
-}
-
-SECKEYPrivateKey *
-PK11_UnwrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey,
-		   CK_MECHANISM_TYPE wrapType, SECItem *param, 
-		   SECItem *wrappedKey, SECItem *label, 
-		   SECItem *idValue, PRBool perm, PRBool sensitive,
-		   CK_KEY_TYPE keyType, CK_ATTRIBUTE_TYPE *usage,
-		   int usageCount, void *wincx)
-{
-    CK_BBOOL cktrue = CK_TRUE;
-    CK_BBOOL ckfalse = CK_FALSE;
-    CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
-    CK_ATTRIBUTE keyTemplate[15] ;
-    int templateCount = 0;
-    CK_OBJECT_HANDLE privKeyID;
-    CK_MECHANISM mechanism;
-    CK_ATTRIBUTE *attrs = keyTemplate;
-    SECItem *param_free = NULL, *ck_id;
-    CK_RV crv;
-    CK_SESSION_HANDLE rwsession;
-    PK11SymKey *newKey = NULL;
-    int i;
-
-    if(!slot || !wrappedKey || !idValue) {
-	/* SET AN ERROR!!! */
-	return NULL;
-    }
-
-    ck_id = PK11_MakeIDFromPubKey(idValue);
-    if(!ck_id) {
-	return NULL;
-    }
-
-    PK11_SETATTRS(attrs, CKA_TOKEN, perm ? &cktrue : &ckfalse,
-					 sizeof(cktrue)); attrs++;
-    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); attrs++;
-    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); attrs++;
-    PK11_SETATTRS(attrs, CKA_PRIVATE, sensitive ? &cktrue : &ckfalse,
-					 sizeof(cktrue)); attrs++;
-    PK11_SETATTRS(attrs, CKA_SENSITIVE, sensitive ? &cktrue : &ckfalse,
-					sizeof(cktrue)); attrs++;
-    PK11_SETATTRS(attrs, CKA_LABEL, label->data, label->len); attrs++;
-    PK11_SETATTRS(attrs, CKA_ID, ck_id->data, ck_id->len); attrs++;
-    for (i=0; i < usageCount; i++) {
-    	PK11_SETATTRS(attrs, usage[i], &cktrue, sizeof(cktrue)); attrs++;
-    }
-
-    if (PK11_IsInternal(slot)) {
-	PK11_SETATTRS(attrs, CKA_NETSCAPE_DB, idValue->data, 
-		      idValue->len); attrs++;
-    }
-
-    templateCount = attrs - keyTemplate;
-    PR_ASSERT(templateCount <= (sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE)) );
-
-    mechanism.mechanism = wrapType;
-    if(!param) param = param_free= PK11_ParamFromIV(wrapType, NULL);
-    if(param) {
-	mechanism.pParameter = param->data;
-	mechanism.ulParameterLen = param->len;
-    } else {
-	mechanism.pParameter = NULL;
-	mechanism.ulParameterLen = 0;
-    }
-
-    if (wrappingKey->slot != slot) {
-	newKey = pk11_CopyToSlot(slot,wrapType,CKA_WRAP,wrappingKey);
-    } else {
-	newKey = PK11_ReferenceSymKey(wrappingKey);
-    }
-
-    if (newKey) {
-	if (perm) {
-	    /* Get RW Session will either lock the monitor if necessary, 
-	     *  or return a thread safe session handle, or fail. */ 
-	    rwsession = PK11_GetRWSession(slot);
-	} else {
-	    rwsession = slot->session;
-	    if (rwsession != CK_INVALID_SESSION) 
-		PK11_EnterSlotMonitor(slot);
-	}
-	if (rwsession == CK_INVALID_SESSION) {
-	    PK11_FreeSymKey(newKey);
-	    PORT_SetError(SEC_ERROR_BAD_DATA);
-	    return NULL;
-	}
-	crv = PK11_GETTAB(slot)->C_UnwrapKey(rwsession, &mechanism, 
-					 newKey->objectID,
-					 wrappedKey->data, 
-					 wrappedKey->len, keyTemplate, 
-					 templateCount, &privKeyID);
-
-	if (perm) {
-	    PK11_RestoreROSession(slot, rwsession);
-	} else {
-	    PK11_ExitSlotMonitor(slot);
-	}
-	PK11_FreeSymKey(newKey);
-    } else {
-	crv = CKR_FUNCTION_NOT_SUPPORTED;
-    }
-
-    if(ck_id) {
-	SECITEM_FreeItem(ck_id, PR_TRUE);
-	ck_id = NULL;
-    }
-
-    if (crv != CKR_OK) {
-	/* we couldn't unwrap the key, use the internal module to do the
-	 * unwrap, then load the new key into the token */
-	 PK11SlotInfo *int_slot = PK11_GetInternalSlot();
-
-	if (int_slot && (slot != int_slot)) {
-	    SECKEYPrivateKey *privKey = PK11_UnwrapPrivKey(int_slot,
-			wrappingKey, wrapType, param, wrappedKey, label,
-			idValue, PR_FALSE, PR_FALSE, 
-			keyType, usage, usageCount, wincx);
-	    if (privKey) {
-		SECKEYPrivateKey *newPrivKey = PK11_LoadPrivKey(slot,privKey,
-						NULL,perm,sensitive);
-		SECKEY_DestroyPrivateKey(privKey);
-		PK11_FreeSlot(int_slot);
-		return newPrivKey;
-	    }
-	}
-	if (int_slot) PK11_FreeSlot(int_slot);
-	PORT_SetError( PK11_MapError(crv) );
-	return NULL;
-    }
-    return PK11_MakePrivKey(slot, nullKey, PR_FALSE, privKeyID, wincx);
-}
-
-/*
- * Now we're going to wrap a SECKEYPrivateKey with a PK11SymKey
- * The strategy is to get both keys to reside in the same slot,
- * one that can perform the desired crypto mechanism and then
- * call C_WrapKey after all the setup has taken place.
- */
-SECStatus
-PK11_WrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey, 
-		 SECKEYPrivateKey *privKey, CK_MECHANISM_TYPE wrapType, 
-		 SECItem *param, SECItem *wrappedKey, void *wincx)
-{
-    PK11SlotInfo     *privSlot   = privKey->pkcs11Slot; /* The slot where
-							 * the private key
-							 * we are going to
-							 * wrap lives.
-							 */
-    PK11SymKey       *newSymKey  = NULL;
-    SECKEYPrivateKey *newPrivKey = NULL;
-    SECItem          *param_free = NULL;
-    CK_ULONG          len        = wrappedKey->len;
-    CK_MECHANISM      mech;
-    CK_RV             crv;
-
-    if (!privSlot || !PK11_DoesMechanism(privSlot, wrapType)) {
-        /* Figure out a slot that does the mechanism and try to import
-	 * the private key onto that slot.
-	 */
-        PK11SlotInfo *int_slot = PK11_GetInternalSlot();
-
-	privSlot = int_slot; /* The private key has a new home */
-	newPrivKey = PK11_LoadPrivKey(privSlot,privKey,NULL,PR_FALSE,PR_FALSE);
-	/* newPrivKey has allocated its own reference to the slot, so it's
-	 * safe until we destroy newPrivkey.
-	 */
-	PK11_FreeSlot(int_slot);
-	if (newPrivKey == NULL) {
-	    return SECFailure;
-	}
-	privKey = newPrivKey;
-    }
-
-    if (privSlot != wrappingKey->slot) {
-        newSymKey = pk11_CopyToSlot (privSlot, wrapType, CKA_WRAP, 
-				     wrappingKey);
-	wrappingKey = newSymKey;
-    }
-
-    if (wrappingKey == NULL) {
-        if (newPrivKey) {
-		SECKEY_DestroyPrivateKey(newPrivKey);
-	}
-	return SECFailure;
-    }
-    mech.mechanism = wrapType;
-    if (!param) {
-        param = param_free = PK11_ParamFromIV(wrapType, NULL);
-    }
-    if (param) {
-        mech.pParameter     = param->data;
-	mech.ulParameterLen = param->len;
-    } else {
-        mech.pParameter     = NULL;
-	mech.ulParameterLen = 0;
-    }
-
-    PK11_EnterSlotMonitor(privSlot);
-    crv = PK11_GETTAB(privSlot)->C_WrapKey(privSlot->session, &mech, 
-					   wrappingKey->objectID, 
-					   privKey->pkcs11ID,
-					   wrappedKey->data, &len);
-    PK11_ExitSlotMonitor(privSlot);
-
-    if (newSymKey) {
-        PK11_FreeSymKey(newSymKey);
-    }
-    if (newPrivKey) {
-        SECKEY_DestroyPrivateKey(newPrivKey);
-    }
-    if (param_free) {
-	SECITEM_FreeItem(param_free,PR_TRUE);
-    }
-
-    if (crv != CKR_OK) {
-        PORT_SetError( PK11_MapError(crv) );
-	return SECFailure;
-    }
-
-    wrappedKey->len = len;
-    return SECSuccess;
-}
-
-/*
- * return a linked, non-circular list of generic objects. 
- * If you are only interested
- * in one object, just use the first object in the list. To find the
- * rest of the list use PK11_GetNextGenericObject() to return the next object.
- *
- * You can walk the list with the following code:
- *    firstObj = PK11_FindGenericObjects(slot, objClass);
- *    for (thisObj=firstObj; thisObj; 
- *				thisObj=PK11_GetNextGenericObject(thisObj)) {
- *	/* operate on thisObj */
-/*    }
- *
- * If you want a particular object from the list...
- *    firstObj = PK11_FindGenericObjects(slot, objClass);
- *    for (thisObj=firstObj; thisObj; 
- *                             thisObj=PK11_GetNextGenericObject(thisObj)) {
- * 	if (isMyObj(thisObj)) {
- *	    if ( thisObj == firstObj) {
- *              /* NOTE: firstObj could be NULL at this point */
-/*		firstObj = PK11_GetNextGenericObject(thsObj); 
- *	    }
- *	    PK11_UnlinkGenericObject(thisObj);
- *          myObj = thisObj;
- *          break;
- *    }
- *
- *   PK11_DestroyGenericObjects(firstObj);
- *
- *    /* use myObj */
-/*   PK11_DestroyGenericObject(myObj);
- */
-PK11GenericObject *
-PK11_FindGenericObjects(PK11SlotInfo *slot, CK_OBJECT_CLASS objClass)
-{
-    CK_ATTRIBUTE template[1];
-    CK_ATTRIBUTE *attrs = template;
-    CK_OBJECT_HANDLE *objectIDs = NULL;
-    PK11GenericObject *lastObj = NULL, *obj;
-    PK11GenericObject *firstObj = NULL;
-    int i, count = 0;
-
-
-    PK11_SETATTRS(attrs, CKA_CLASS, &objClass, sizeof(objClass)); attrs++;
-
-    objectIDs = pk11_FindObjectsByTemplate(slot,template,1,&count);
-    if (objectIDs == NULL) {
-	return NULL;
-    }
-
-    /* where we connect our object once we've created it.. */
-    for (i=0; i < count; i++) {
-	obj = PORT_New(PK11GenericObject);
-	if ( !obj ) {
-	    PK11_DestroyGenericObjects(firstObj);
-	    PORT_Free(objectIDs);
-	    return NULL;
-	}
-	/* initialize it */	
-	obj->slot = PK11_ReferenceSlot(slot);
-	obj->objectID = objectIDs[i];
-	obj->next = NULL;
-	obj->prev = NULL;
-
-	/* link it in */
-	if (firstObj == NULL) {
-	    firstObj = obj;
-	} else {
-	    PK11_LinkGenericObject(lastObj, obj);
-	}
-	lastObj = obj;
-    }
-    PORT_Free(objectIDs);
-    return firstObj;
-}
-
-/*
- * get the Next Object in the list.
- */
-PK11GenericObject *
-PK11_GetNextGenericObject(PK11GenericObject *object)
-{
-    return object->next;
-}
-
-PK11GenericObject *
-PK11_GetPrevGenericObject(PK11GenericObject *object)
-{
-    return object->prev;
-}
-
-/*
- * Link a single object into a new list.
- * if the object is already in another list, remove it first.
- */
-SECStatus
-PK11_LinkGenericObject(PK11GenericObject *list, PK11GenericObject *object)
-{
-    PK11_UnlinkGenericObject(object);
-    object->prev = list;
-    object->next = list->next;
-    list->next = object;
-    if (object->next != NULL) {
-	object->next->prev = object;
-    }
-   return SECSuccess;
-}
-
-/*
- * remove an object from the list. If the object isn't already in
- * a list unlink becomes a noop.
- */
-SECStatus
-PK11_UnlinkGenericObject(PK11GenericObject *object)
-{
-    if (object->prev != NULL) {
-	object->prev->next = object->next;
-    }
-    if (object->next != NULL) {
-	object->next->prev = object->prev;
-    }
-
-    object->next = NULL;
-    object->prev = NULL;
-    return SECSuccess;
-}
-
-/*
- * This function removes a single object from the list and destroys it.
- * For an already unlinked object there is no difference between
- * PK11_DestroyGenericObject and PK11_DestroyGenericObjects
- */
-SECStatus 
-PK11_DestroyGenericObject(PK11GenericObject *object)
-{
-    if (object == NULL) {
-	return SECSuccess;
-    }
-
-    PK11_UnlinkGenericObject(object);
-    if (object->slot) {
-	PK11_FreeSlot(object->slot);
-    }
-    PORT_Free(object);
-    return SECSuccess;
-}
-
-/*
- * walk down a link list of generic objects destroying them.
- * This will destroy all objects in a list that the object is linked into.
- * (the list is traversed in both directions).
- */
-SECStatus 
-PK11_DestroyGenericObjects(PK11GenericObject *objects)
-{
-    PK11GenericObject *nextObject;
-    PK11GenericObject *prevObject = objects->prev;
- 
-    if (objects == NULL) {
-	return SECSuccess;
-    }
-
-    nextObject = objects->next;
-    prevObject = objects->prev;
-
-    /* delete all the objects after it in the list */
-    for (; objects;  objects = nextObject) {
-	nextObject = objects->next;
-	PK11_DestroyGenericObject(objects);
-    }
-    /* delete all the objects before it in the list */
-    for (objects = prevObject; objects;  objects = nextObject) {
-	prevObject = objects->prev;
-	PK11_DestroyGenericObject(objects);
-    }
-    return SECSuccess;
-}
-
-
-SECStatus
-PK11_ReadRawAttribute(PK11ObjectType objType, void *objSpec, 
-				CK_ATTRIBUTE_TYPE attrType, SECItem *item)
-{
-    PK11SlotInfo *slot = NULL;
-    CK_OBJECT_HANDLE handle;
-
-    switch (objType) {
-    case PK11_TypeGeneric:
-	slot = ((PK11GenericObject *)objSpec)->slot;
-	handle = ((PK11GenericObject *)objSpec)->objectID;
-	break;
-    case PK11_TypePrivKey:
-	slot = ((SECKEYPrivateKey *)objSpec)->pkcs11Slot;
-	handle = ((SECKEYPrivateKey *)objSpec)->pkcs11ID;
-	break;
-    case PK11_TypePubKey:
-	slot = ((SECKEYPublicKey *)objSpec)->pkcs11Slot;
-	handle = ((SECKEYPublicKey *)objSpec)->pkcs11ID;
-	break;
-    case PK11_TypeSymKey:
-	slot = ((PK11SymKey *)objSpec)->slot;
-	handle = ((PK11SymKey *)objSpec)->objectID;
-	break;
-    case PK11_TypeCert: /* don't handle cert case for now */
-    default:
-	break;
-    }
-    if (slot == NULL) {
-	PORT_SetError(SEC_ERROR_UNKNOWN_OBJECT_TYPE);
-	return SECFailure;
-    }
-
-    return PK11_ReadAttribute(slot, handle, attrType, NULL, item);
-}
-
-
-/*
- * return the object handle that matches the template
- */
-CK_OBJECT_HANDLE
-pk11_FindObjectByTemplate(PK11SlotInfo *slot,CK_ATTRIBUTE *theTemplate,int tsize)
-{
-    CK_OBJECT_HANDLE object;
-    CK_RV crv;
-    CK_ULONG objectCount;
-
-    /*
-     * issue the find
-     */
-    PK11_EnterSlotMonitor(slot);
-    crv=PK11_GETTAB(slot)->C_FindObjectsInit(slot->session, theTemplate, tsize);
-    if (crv != CKR_OK) {
-        PK11_ExitSlotMonitor(slot);
-	PORT_SetError( PK11_MapError(crv) );
-	return CK_INVALID_HANDLE;
-    }
-
-    crv=PK11_GETTAB(slot)->C_FindObjects(slot->session,&object,1,&objectCount);
-    PK11_GETTAB(slot)->C_FindObjectsFinal(slot->session);
-    PK11_ExitSlotMonitor(slot);
-    if ((crv != CKR_OK) || (objectCount < 1)) {
-	/* shouldn't use SSL_ERROR... here */
-	PORT_SetError( crv != CKR_OK ? PK11_MapError(crv) :
-						  SSL_ERROR_NO_CERTIFICATE);
-	return CK_INVALID_HANDLE;
-    }
-
-    /* blow up if the PKCS #11 module returns us and invalid object handle */
-    PORT_Assert(object != CK_INVALID_HANDLE);
-    return object;
-} 
-
-/*
- * return all the object handles that matches the template
- */
-CK_OBJECT_HANDLE *
-pk11_FindObjectsByTemplate(PK11SlotInfo *slot,
-		CK_ATTRIBUTE *findTemplate,int findCount,int *object_count) {
-    CK_OBJECT_HANDLE *objID = NULL;
-    CK_ULONG returned_count = 0;
-    CK_RV crv;
-
-
-    PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB(slot)->C_FindObjectsInit(slot->session, findTemplate, 
-								findCount);
-    if (crv != CKR_OK) {
-	PK11_ExitSlotMonitor(slot);
-	PORT_SetError( PK11_MapError(crv) );
-	*object_count = -1;
-	return NULL;
-    }
-
-
-    /*
-     * collect all the Matching Objects
-     */
-    do {
-	CK_OBJECT_HANDLE *oldObjID = objID;
-
-	if (objID == NULL) {
-    	    objID = (CK_OBJECT_HANDLE *) PORT_Alloc(sizeof(CK_OBJECT_HANDLE)*
-				(*object_count+ PK11_SEARCH_CHUNKSIZE));
-	} else {
-    	    objID = (CK_OBJECT_HANDLE *) PORT_Realloc(objID,
-		sizeof(CK_OBJECT_HANDLE)*(*object_count+PK11_SEARCH_CHUNKSIZE));
-	}
-
-	if (objID == NULL) {
-	    if (oldObjID) PORT_Free(oldObjID);
-	    break;
-	}
-    	crv = PK11_GETTAB(slot)->C_FindObjects(slot->session,
-		&objID[*object_count],PK11_SEARCH_CHUNKSIZE,&returned_count);
-	if (crv != CKR_OK) {
-	    PORT_SetError( PK11_MapError(crv) );
-	    PORT_Free(objID);
-	    objID = NULL;
-	    break;
-    	}
-	*object_count += returned_count;
-    } while (returned_count == PK11_SEARCH_CHUNKSIZE);
-
-    PK11_GETTAB(slot)->C_FindObjectsFinal(slot->session);
-    PK11_ExitSlotMonitor(slot);
-
-    if (objID && (*object_count == 0)) {
-	PORT_Free(objID);
-	return NULL;
-    }
-    if (objID == NULL) *object_count = -1;
-    return objID;
-}
-/*
- * given a PKCS #11 object, match it's peer based on the KeyID. searchID
- * is typically a privateKey or a certificate while the peer is the opposite
- */
-CK_OBJECT_HANDLE
-PK11_MatchItem(PK11SlotInfo *slot, CK_OBJECT_HANDLE searchID,
-				 		CK_OBJECT_CLASS matchclass)
-{
-    CK_ATTRIBUTE theTemplate[] = {
-	{ CKA_ID, NULL, 0 },
-	{ CKA_CLASS, NULL, 0 }
-    };
-    /* if you change the array, change the variable below as well */
-    CK_ATTRIBUTE *keyclass = &theTemplate[1];
-    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
-    /* if you change the array, change the variable below as well */
-    CK_OBJECT_HANDLE peerID;
-    CK_OBJECT_HANDLE parent;
-    PRArenaPool *arena;
-    CK_RV crv;
-
-    /* now we need to create space for the public key */
-    arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) return CK_INVALID_HANDLE;
-
-    crv = PK11_GetAttributes(arena,slot,searchID,theTemplate,tsize);
-    if (crv != CKR_OK) {
-	PORT_FreeArena(arena,PR_FALSE);
-	PORT_SetError( PK11_MapError(crv) );
-	return CK_INVALID_HANDLE;
-    }
-
-    if ((theTemplate[0].ulValueLen == 0) || (theTemplate[0].ulValueLen == -1)) {
-	PORT_FreeArena(arena,PR_FALSE);
-	PORT_SetError(SEC_ERROR_BAD_KEY);
-	return CK_INVALID_HANDLE;
-     }
-	
-	
-
-    /*
-     * issue the find
-     */
-    parent = *(CK_OBJECT_CLASS *)(keyclass->pValue);
-    *(CK_OBJECT_CLASS *)(keyclass->pValue) = matchclass;
-
-    peerID = pk11_FindObjectByTemplate(slot,theTemplate,tsize);
-    PORT_FreeArena(arena,PR_FALSE);
-
-    return peerID;
-}
-
-/*
- * count the number of objects that match the template.
- */
-int
-PK11_NumberObjectsFor(PK11SlotInfo *slot, CK_ATTRIBUTE *findTemplate, 
-							int templateCount)
-{
-    CK_OBJECT_HANDLE objID[PK11_SEARCH_CHUNKSIZE];
-    int object_count = 0;
-    CK_ULONG returned_count = 0;
-    CK_RV crv;
-
-    PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB(slot)->C_FindObjectsInit(slot->session,
-					findTemplate, templateCount);
-    if (crv != CKR_OK) {
-        PK11_ExitSlotMonitor(slot);
-	PORT_SetError( PK11_MapError(crv) );
-	return 0;
-    }
-
-    /*
-     * collect all the Matching Objects
-     */
-    do {
-    	crv = PK11_GETTAB(slot)->C_FindObjects(slot->session,
-				objID,PK11_SEARCH_CHUNKSIZE,&returned_count);
-	if (crv != CKR_OK) {
-	    PORT_SetError( PK11_MapError(crv) );
-	    break;
-    	}
-	object_count += returned_count;
-    } while (returned_count == PK11_SEARCH_CHUNKSIZE);
-
-    PK11_GETTAB(slot)->C_FindObjectsFinal(slot->session);
-    PK11_ExitSlotMonitor(slot);
-    return object_count;
-}
-
-/*
- * Traverse all the objects in a given slot.
- */
-SECStatus
-PK11_TraverseSlot(PK11SlotInfo *slot, void *arg)
-{
-    int i;
-    CK_OBJECT_HANDLE *objID = NULL;
-    int object_count = 0;
-    pk11TraverseSlot *slotcb = (pk11TraverseSlot*) arg;
-
-    objID = pk11_FindObjectsByTemplate(slot,slotcb->findTemplate,
-		slotcb->templateCount,&object_count);
-
-    /*Actually this isn't a failure... there just were no objs to be found*/
-    if (object_count == 0) {
-	return SECSuccess;
-    }
-
-    if (objID == NULL) {
-	return SECFailure;
-    }
-
-    for (i=0; i < object_count; i++) {
-	(*slotcb->callback)(slot,objID[i],slotcb->callbackArg);
-    }
-    PORT_Free(objID);
-    return SECSuccess;
-}
-
-/*
- * Traverse all the objects in all slots.
- */
-SECStatus
-pk11_TraverseAllSlots( SECStatus (*callback)(PK11SlotInfo *,void *),
-						void *arg,void *wincx) {
-    PK11SlotList *list;
-    PK11SlotListElement *le;
-    SECStatus rv;
-
-    /* get them all! */
-    list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_FALSE,wincx);
-    if (list == NULL) return SECFailure;
-
-    /* look at each slot and authenticate as necessary */
-    for (le = list->head ; le; le = le->next) {
-	rv = pk11_AuthenticateUnfriendly(le->slot, PR_FALSE, wincx);
-	if (rv != SECSuccess) {
-	    continue;
-	}
-	if (callback) {
-	    (*callback)(le->slot,arg);
-	}
-    }
-
-    PK11_FreeSlotList(list);
-
-    return SECSuccess;
-}
-
-CK_OBJECT_HANDLE *
-PK11_FindObjectsFromNickname(char *nickname,PK11SlotInfo **slotptr,
-		CK_OBJECT_CLASS objclass, int *returnCount, void *wincx)
-{
-    char *tokenName;
-    char *delimit;
-    PK11SlotInfo *slot;
-    CK_OBJECT_HANDLE *objID;
-    CK_ATTRIBUTE findTemplate[] = {
-	 { CKA_LABEL, NULL, 0},
-	 { CKA_CLASS, NULL, 0},
-    };
-    int findCount = sizeof(findTemplate)/sizeof(findTemplate[0]);
-    SECStatus rv;
-    PK11_SETATTRS(&findTemplate[1], CKA_CLASS, &objclass, sizeof(objclass));
-
-    *slotptr = slot = NULL;
-    *returnCount = 0;
-    /* first find the slot associated with this nickname */
-    if ((delimit = PORT_Strchr(nickname,':')) != NULL) {
-	int len = delimit - nickname;
-	tokenName = (char*)PORT_Alloc(len+1);
-	PORT_Memcpy(tokenName,nickname,len);
-	tokenName[len] = 0;
-
-        slot = *slotptr = PK11_FindSlotByName(tokenName);
-        PORT_Free(tokenName);
-	/* if we couldn't find a slot, assume the nickname is an internal cert
-	 * with no proceding slot name */
-	if (slot == NULL) {
-		slot = *slotptr = PK11_GetInternalKeySlot();
-	} else {
-		nickname = delimit+1;
-	}
-    } else {
-	*slotptr = slot = PK11_GetInternalKeySlot();
-    }
-    if (slot == NULL) {
-        return CK_INVALID_HANDLE;
-    }
-
-    rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
-    if (rv != SECSuccess) {
-	PK11_FreeSlot(slot);
-	*slotptr = NULL;
-	return CK_INVALID_HANDLE;
-    }
-
-    findTemplate[0].pValue = nickname;
-    findTemplate[0].ulValueLen = PORT_Strlen(nickname);
-    objID = pk11_FindObjectsByTemplate(slot,findTemplate,findCount,returnCount);
-    if (objID == NULL) {
-	/* PKCS #11 isn't clear on whether or not the NULL is
-	 * stored in the template.... try the find again with the
-	 * full null terminated string. */
-    	findTemplate[0].ulValueLen += 1;
-        objID = pk11_FindObjectsByTemplate(slot,findTemplate,findCount,
-								returnCount);
-	if (objID == NULL) {
-	    /* Well that's the best we can do. It's just not here */
-	    /* what about faked nicknames? */
-	    PK11_FreeSlot(slot);
-	    *slotptr = NULL;
-	    *returnCount = 0;
-	}
-    }
-
-    return objID;
-}
-
-SECItem *
-pk11_GetLowLevelKeyFromHandle(PK11SlotInfo *slot, CK_OBJECT_HANDLE handle) 
-{
-    CK_ATTRIBUTE theTemplate[] = {
-	{ CKA_ID, NULL, 0 },
-    };
-    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
-    CK_RV crv;
-    SECItem *item;
-
-    item = SECITEM_AllocItem(NULL, NULL, 0);
-
-    if (item == NULL) {
-	return NULL;
-    }
-
-    crv = PK11_GetAttributes(NULL,slot,handle,theTemplate,tsize);
-    if (crv != CKR_OK) {
-	SECITEM_FreeItem(item,PR_TRUE);
-	PORT_SetError( PK11_MapError(crv) );
-	return NULL;
-    }
-
-    item->data = (unsigned char*) theTemplate[0].pValue;
-    item->len =theTemplate[0].ulValueLen;
-
-    return item;
-}
-
diff --git a/security/nss/lib/pk11wrap/pk11pars.c b/security/nss/lib/pk11wrap/pk11pars.c
deleted file mode 100644
index 8644cdccc..000000000
--- a/security/nss/lib/pk11wrap/pk11pars.c
+++ /dev/null
@@ -1,427 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2001
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * The following handles the loading, unloading and management of
- * various PCKS #11 modules
- */
-
-#include <ctype.h>
-#include "pkcs11.h"
-#include "seccomon.h"
-#include "secmod.h"
-#include "secmodi.h"
-#include "secmodti.h"
-#include "pki3hack.h"
-#include "secerr.h"
-   
-#include "pk11pars.h" 
-
-/* create a new module */
-static  SECMODModule *
-secmod_NewModule(void)
-{
-    SECMODModule *newMod;
-    PRArenaPool *arena;
-
-
-    /* create an arena in which dllName and commonName can be
-     * allocated.
-     */
-    arena = PORT_NewArena(512);
-    if (arena == NULL) {
-	return NULL;
-    }
-
-    newMod = (SECMODModule *)PORT_ArenaAlloc(arena,sizeof (SECMODModule));
-    if (newMod == NULL) {
-	PORT_FreeArena(arena,PR_FALSE);
-	return NULL;
-    }
-
-    /*
-     * initialize of the fields of the module
-     */
-    newMod->arena = arena;
-    newMod->internal = PR_FALSE;
-    newMod->loaded = PR_FALSE;
-    newMod->isFIPS = PR_FALSE;
-    newMod->dllName = NULL;
-    newMod->commonName = NULL;
-    newMod->library = NULL;
-    newMod->functionList = NULL;
-    newMod->slotCount = 0;
-    newMod->slots = NULL;
-    newMod->slotInfo = NULL;
-    newMod->slotInfoCount = 0;
-    newMod->refCount = 1;
-    newMod->ssl[0] = 0;
-    newMod->ssl[1] = 0;
-    newMod->libraryParams = NULL;
-    newMod->moduleDBFunc = NULL;
-    newMod->parent = NULL;
-    newMod->isCritical = PR_FALSE;
-    newMod->isModuleDB = PR_FALSE;
-    newMod->moduleDBOnly = PR_FALSE;
-    newMod->trustOrder = 0;
-    newMod->cipherOrder = 0;
-    newMod->evControlMask = 0;
-    newMod->refLock = PZ_NewLock(nssILockRefLock);
-    if (newMod->refLock == NULL) {
-	PORT_FreeArena(arena,PR_FALSE);
-	return NULL;
-    }
-    return newMod;
-    
-}
-
-/*
- * for 3.4 we continue to use the old SECMODModule structure
- */
-SECMODModule *
-SECMOD_CreateModule(const char *library, const char *moduleName, 
-				const char *parameters, const char *nss)
-{
-    SECMODModule *mod = secmod_NewModule();
-    char *slotParams,*ciphers;
-    /* pk11pars.h still does not have const char * interfaces */
-    char *nssc = (char *)nss;
-    if (mod == NULL) return NULL;
-
-    mod->commonName = PORT_ArenaStrdup(mod->arena,moduleName ? moduleName : "");
-    if (library) {
-	mod->dllName = PORT_ArenaStrdup(mod->arena,library);
-    }
-    /* new field */
-    if (parameters) {
-	mod->libraryParams = PORT_ArenaStrdup(mod->arena,parameters);
-    }
-    mod->internal   = secmod_argHasFlag("flags","internal",nssc);
-    mod->isFIPS     = secmod_argHasFlag("flags","FIPS",nssc);
-    mod->isCritical = secmod_argHasFlag("flags","critical",nssc);
-    slotParams      = secmod_argGetParamValue("slotParams",nssc);
-    mod->slotInfo   = secmod_argParseSlotInfo(mod->arena,slotParams,
-							&mod->slotInfoCount);
-    if (slotParams) PORT_Free(slotParams);
-    /* new field */
-    mod->trustOrder  = secmod_argReadLong("trustOrder",nssc,
-						SECMOD_DEFAULT_TRUST_ORDER,NULL);
-    /* new field */
-    mod->cipherOrder = secmod_argReadLong("cipherOrder",nssc,
-						SECMOD_DEFAULT_CIPHER_ORDER,NULL);
-    /* new field */
-    mod->isModuleDB   = secmod_argHasFlag("flags","moduleDB",nssc);
-    mod->moduleDBOnly = secmod_argHasFlag("flags","moduleDBOnly",nssc);
-    if (mod->moduleDBOnly) mod->isModuleDB = PR_TRUE;
-
-    ciphers = secmod_argGetParamValue("ciphers",nssc);
-    secmod_argSetNewCipherFlags(&mod->ssl[0],ciphers);
-    if (ciphers) PORT_Free(ciphers);
-
-    secmod_PrivateModuleCount++;
-
-    return mod;
-}
-
-static char *
-secmod_mkModuleSpec(SECMODModule * module)
-{
-    char *nss = NULL, *modSpec = NULL, **slotStrings = NULL;
-    int slotCount, i, si;
-    SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
-
-    /* allocate target slot info strings */
-    slotCount = 0;
-
-    SECMOD_GetReadLock(moduleLock);
-    if (module->slotCount) {
-	for (i=0; i < module->slotCount; i++) {
-	    if (module->slots[i]->defaultFlags !=0) {
-		slotCount++;
-	    }
-	}
-    } else {
-	slotCount = module->slotInfoCount;
-    }
-
-    slotStrings = (char **)PORT_ZAlloc(slotCount*sizeof(char *));
-    if (slotStrings == NULL) {
-        SECMOD_ReleaseReadLock(moduleLock);
-	goto loser;
-    }
-
-
-    /* build the slot info strings */
-    if (module->slotCount) {
-	for (i=0, si= 0; i < module->slotCount; i++) {
-	    if (module->slots[i]->defaultFlags) {
-		PORT_Assert(si < slotCount);
-		if (si >= slotCount) break;
-		slotStrings[si] = secmod_mkSlotString(module->slots[i]->slotID,
-			module->slots[i]->defaultFlags,
-			module->slots[i]->timeout,
-			module->slots[i]->askpw,
-			module->slots[i]->hasRootCerts,
-			module->slots[i]->hasRootTrust);
-		si++;
-	    }
-	}
-     } else {
-	for (i=0; i < slotCount; i++) {
-		slotStrings[i] = secmod_mkSlotString(module->slotInfo[i].slotID,
-			module->slotInfo[i].defaultFlags,
-			module->slotInfo[i].timeout,
-			module->slotInfo[i].askpw,
-			module->slotInfo[i].hasRootCerts,
-			module->slotInfo[i].hasRootTrust);
-	}
-    }
-
-    SECMOD_ReleaseReadLock(moduleLock);
-    nss = secmod_mkNSS(slotStrings,slotCount,module->internal, module->isFIPS,
-		       module->isModuleDB, module->moduleDBOnly, 
-		       module->isCritical, module->trustOrder,
-		       module->cipherOrder,module->ssl[0],module->ssl[1]);
-    modSpec= secmod_mkNewModuleSpec(module->dllName,module->commonName,
-						module->libraryParams,nss);
-    PORT_Free(slotStrings);
-    PR_smprintf_free(nss);
-loser:
-    return (modSpec);
-}
-    
-
-char **
-SECMOD_GetModuleSpecList(SECMODModule *module)
-{
-    SECMODModuleDBFunc func = (SECMODModuleDBFunc) module->moduleDBFunc;
-    if (func) {
-	return (*func)(SECMOD_MODULE_DB_FUNCTION_FIND,
-		module->libraryParams,NULL);
-    }
-    return NULL;
-}
-
-SECStatus
-SECMOD_AddPermDB(SECMODModule *module)
-{
-    SECMODModuleDBFunc func;
-    char *moduleSpec;
-    char **retString;
-
-    if (module->parent == NULL) return SECFailure;
-
-    func  = (SECMODModuleDBFunc) module->parent->moduleDBFunc;
-    if (func) {
-	moduleSpec = secmod_mkModuleSpec(module);
-	retString = (*func)(SECMOD_MODULE_DB_FUNCTION_ADD,
-		module->parent->libraryParams,moduleSpec);
-	PORT_Free(moduleSpec);
-	if (retString != NULL) return SECSuccess;
-    }
-    return SECFailure;
-}
-
-SECStatus
-SECMOD_DeletePermDB(SECMODModule *module)
-{
-    SECMODModuleDBFunc func;
-    char *moduleSpec;
-    char **retString;
-
-    if (module->parent == NULL) return SECFailure;
-
-    func  = (SECMODModuleDBFunc) module->parent->moduleDBFunc;
-    if (func) {
-	moduleSpec = secmod_mkModuleSpec(module);
-	retString = (*func)(SECMOD_MODULE_DB_FUNCTION_DEL,
-		module->parent->libraryParams,moduleSpec);
-	PORT_Free(moduleSpec);
-	if (retString != NULL) return SECSuccess;
-    }
-    return SECFailure;
-}
-
-SECStatus
-SECMOD_FreeModuleSpecList(SECMODModule *module, char **moduleSpecList)
-{
-    SECMODModuleDBFunc func = (SECMODModuleDBFunc) module->moduleDBFunc;
-    char **retString;
-    if (func) {
-	retString = (*func)(SECMOD_MODULE_DB_FUNCTION_RELEASE,
-		module->libraryParams,moduleSpecList);
-	if (retString != NULL) return SECSuccess;
-    }
-    return SECFailure;
-}
-
-/*
- * load a PKCS#11 module but do not add it to the default NSS trust domain
- */
-SECMODModule *
-SECMOD_LoadModule(char *modulespec,SECMODModule *parent, PRBool recurse)
-{
-    char *library = NULL, *moduleName = NULL, *parameters = NULL, *nss= NULL;
-    SECStatus status;
-    SECMODModule *module = NULL;
-    SECStatus rv;
-
-    /* initialize the underlying module structures */
-    SECMOD_Init();
-
-    status = secmod_argParseModuleSpec(modulespec, &library, &moduleName, 
-							&parameters, &nss);
-    if (status != SECSuccess) {
-	goto loser;
-    }
-
-    module = SECMOD_CreateModule(library, moduleName, parameters, nss);
-    if (library) PORT_Free(library);
-    if (moduleName) PORT_Free(moduleName);
-    if (parameters) PORT_Free(parameters);
-    if (nss) PORT_Free(nss);
-    if (!module) {
-	goto loser;
-    }
-    if (parent) {
-    	module->parent = SECMOD_ReferenceModule(parent);
-    }
-
-    /* load it */
-    rv = SECMOD_LoadPKCS11Module(module);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-
-    if (recurse && module->isModuleDB) {
-	char ** moduleSpecList;
-	PORT_SetError(0);
-
-	moduleSpecList = SECMOD_GetModuleSpecList(module);
-	if (moduleSpecList) {
-	    char **index;
-
-	    for (index = moduleSpecList; *index; index++) {
-		SECMODModule *child;
-		child = SECMOD_LoadModule(*index,module,PR_TRUE);
-		if (!child) break;
-		if (child->isCritical && !child->loaded) {
-		    int err = PORT_GetError();
-		    if (!err)  
-			err = SEC_ERROR_NO_MODULE;
-		    SECMOD_DestroyModule(child);
-		    PORT_SetError(err);
-		    rv = SECFailure;
-		    break;
-		}
-		SECMOD_DestroyModule(child);
-	    }
-	    SECMOD_FreeModuleSpecList(module,moduleSpecList);
-	} else {
-	    if (!PORT_GetError())
-		PORT_SetError(SEC_ERROR_NO_MODULE);
-	    rv = SECFailure;
-	}
-    }
-
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-
-
-    /* inherit the reference */
-    if (!module->moduleDBOnly) {
-	SECMOD_AddModuleToList(module);
-    } else {
-	SECMOD_AddModuleToDBOnlyList(module);
-    }
-   
-    /* handle any additional work here */
-    return module;
-
-loser:
-    if (module) {
-	if (module->loaded) {
-	    SECMOD_UnloadModule(module);
-	}
-	SECMOD_AddModuleToUnloadList(module);
-    }
-    return module;
-}
-
-/*
- * load a PKCS#11 module and add it to the default NSS trust domain
- */
-SECMODModule *
-SECMOD_LoadUserModule(char *modulespec,SECMODModule *parent, PRBool recurse)
-{
-    SECStatus rv = SECSuccess;
-    SECMODModule * newmod = SECMOD_LoadModule(modulespec, parent, recurse);
-    SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
-
-    if (newmod) {
-	SECMOD_GetReadLock(moduleLock);
-        rv = STAN_AddModuleToDefaultTrustDomain(newmod);
-	SECMOD_ReleaseReadLock(moduleLock);
-        if (SECSuccess != rv) {
-            SECMOD_DestroyModule(newmod);
-            return NULL;
-        }
-    }
-    return newmod;
-}
-
-/*
- * remove the PKCS#11 module from the default NSS trust domain, call
- * C_Finalize, and destroy the module structure
- */
-SECStatus SECMOD_UnloadUserModule(SECMODModule *mod)
-{
-    SECStatus rv = SECSuccess;
-    int atype = 0;
-    SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
-    if (!mod) {
-        return SECFailure;
-    }
-
-    SECMOD_GetReadLock(moduleLock);
-    rv = STAN_RemoveModuleFromDefaultTrustDomain(mod);
-    SECMOD_ReleaseReadLock(moduleLock);
-    if (SECSuccess != rv) {
-        return SECFailure;
-    }
-    return SECMOD_DeleteModuleEx(NULL, mod, &atype, PR_FALSE);
-}
-
diff --git a/security/nss/lib/pk11wrap/pk11pbe.c b/security/nss/lib/pk11wrap/pk11pbe.c
deleted file mode 100644
index 1234af856..000000000
--- a/security/nss/lib/pk11wrap/pk11pbe.c
+++ /dev/null
@@ -1,844 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "plarena.h"
-
-#include "seccomon.h"
-#include "secitem.h"
-#include "secport.h"
-#include "hasht.h"
-#include "pkcs11t.h"
-#include "sechash.h"
-#include "secasn1.h"
-#include "secder.h"
-#include "secoid.h"
-#include "secerr.h"
-#include "secmod.h"
-#include "pk11func.h"
-#include "secpkcs5.h"
-#include "secmodi.h"
-#include "secmodti.h"
-#include "pkcs11.h"
-#include "pk11func.h"
-#include "secitem.h"
-#include "key.h"
-
-typedef struct SEC_PKCS5PBEParameterStr SEC_PKCS5PBEParameter;
-struct SEC_PKCS5PBEParameterStr {
-    PRArenaPool *poolp;
-    SECItem     salt;           /* octet string */
-    SECItem     iteration;      /* integer */
-};
-
-
-/* template for PKCS 5 PBE Parameter.  This template has been expanded
- * based upon the additions in PKCS 12.  This should eventually be moved
- * if RSA updates PKCS 5.
- */
-const SEC_ASN1Template SEC_PKCS5PBEParameterTemplate[] =
-{
-    { SEC_ASN1_SEQUENCE, 
-	0, NULL, sizeof(SEC_PKCS5PBEParameter) },
-    { SEC_ASN1_OCTET_STRING, 
-	offsetof(SEC_PKCS5PBEParameter, salt) },
-    { SEC_ASN1_INTEGER,
-	offsetof(SEC_PKCS5PBEParameter, iteration) },
-    { 0 }
-};
-
-const SEC_ASN1Template SEC_V2PKCS12PBEParameterTemplate[] =
-{   
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS5PBEParameter) },
-    { SEC_ASN1_OCTET_STRING, offsetof(SEC_PKCS5PBEParameter, salt) },
-    { SEC_ASN1_INTEGER, offsetof(SEC_PKCS5PBEParameter, iteration) },
-    { 0 }
-};
-
-/* maps crypto algorithm from PBE algorithm.
- */
-SECOidTag 
-SEC_PKCS5GetCryptoAlgorithm(SECAlgorithmID *algid)
-{
-
-    SECOidTag algorithm;
-
-    if(algid == NULL)
-	return SEC_OID_UNKNOWN;
-
-    algorithm = SECOID_GetAlgorithmTag(algid);
-    switch(algorithm)
-    {
-	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC:
-	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC:
-	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC:
-	    return SEC_OID_DES_EDE3_CBC;
-	case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC:
-	case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
-	case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
-	    return SEC_OID_DES_CBC;
-	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
-	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
-	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
-	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
-	    return SEC_OID_RC2_CBC;
-	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4:
-	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4:
-	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4:
-	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4:
-	    return SEC_OID_RC4;
-	default:
-	    break;
-    }
-
-    return SEC_OID_UNKNOWN;
-}
-
-/* check to see if an oid is a pbe algorithm
- */ 
-PRBool 
-SEC_PKCS5IsAlgorithmPBEAlg(SECAlgorithmID *algid)
-{
-    return (PRBool)(SEC_PKCS5GetCryptoAlgorithm(algid) != SEC_OID_UNKNOWN);
-}
-
-/* maps PBE algorithm from crypto algorithm, assumes SHA1 hashing.
- */
-SECOidTag 
-SEC_PKCS5GetPBEAlgorithm(SECOidTag algTag, int keyLen)
-{
-    switch(algTag)
-    {
-	case SEC_OID_DES_EDE3_CBC:
-	    switch(keyLen) {
-		case 168:
-		case 192:
-		    return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC;
-		case 128:
-		case 92:
-		    return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC;
-		default:
-		    break;
-	    }
-	    break;
-	case SEC_OID_DES_CBC:
-	    return SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC;
-	case SEC_OID_RC2_CBC:
-	    switch(keyLen) {
-		case 40:
-		    return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC;
-		case 128:
-		    return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC;
-		default:
-		    break;
-	    }
-	    break;
-	case SEC_OID_RC4:
-	    switch(keyLen) {
-		case 40:
-		    return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4;
-		case 128:
-		    return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4;
-		default:
-		    break;
-	    }
-	    break;
-	default:
-	    break;
-    }
-
-    return SEC_OID_UNKNOWN;
-}
-
-
-/* get the key length needed for the PBE algorithm
- */
-
-int 
-SEC_PKCS5GetKeyLength(SECAlgorithmID *algid)
-{
-
-    SECOidTag algorithm;
-
-    if(algid == NULL)
-	return SEC_OID_UNKNOWN;
-
-    algorithm = SECOID_GetAlgorithmTag(algid);
-
-    switch(algorithm)
-    {
-	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC:
-	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC:
-	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC:
-	    return 24;
-	case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
-	case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC:
-	case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
-	    return 8;
-	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
-	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4:
-	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4:
-	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
-	    return 5;
-	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
-	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4:
-	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
-	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4:
-	    return 16;
-	default:
-	    break;
-    }
-    return -1;
-}
-
-
-/* the V2 algorithms only encode the salt, there is no iteration
- * count so we need a check for V2 algorithm parameters.
- */
-static PRBool
-sec_pkcs5_is_algorithm_v2_pkcs12_algorithm(SECOidTag algorithm)
-{
-    switch(algorithm) 
-    {
-	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4:
-	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4:
-	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC:
-	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC:
-	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
-	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
-	    return PR_TRUE;
-	default:
-	    break;
-    }
-
-    return PR_FALSE;
-}
-/* destroy a pbe parameter.  it assumes that the parameter was 
- * generated using the appropriate create function and therefor
- * contains an arena pool.
- */
-static void 
-sec_pkcs5_destroy_pbe_param(SEC_PKCS5PBEParameter *pbe_param)
-{
-    if(pbe_param != NULL)
-	PORT_FreeArena(pbe_param->poolp, PR_TRUE);
-}
-
-/* creates a PBE parameter based on the PBE algorithm.  the only required
- * parameters are algorithm and interation.  the return is a PBE parameter
- * which conforms to PKCS 5 parameter unless an extended parameter is needed.
- * this is primarily if keyLen and a variable key length algorithm are
- * specified.
- *   salt -  if null, a salt will be generated from random bytes.
- *   iteration - number of iterations to perform hashing.
- *   keyLen - only used in variable key length algorithms
- *   iv - if null, the IV will be generated based on PKCS 5 when needed.
- *   params - optional, currently unsupported additional parameters.
- * once a parameter is allocated, it should be destroyed calling 
- * sec_pkcs5_destroy_pbe_parameter or SEC_PKCS5DestroyPBEParameter.
- */
-#define DEFAULT_SALT_LENGTH 16
-static SEC_PKCS5PBEParameter *
-sec_pkcs5_create_pbe_parameter(SECOidTag algorithm, 
-			SECItem *salt, 
-			int iteration)
-{
-    PRArenaPool *poolp = NULL;
-    SEC_PKCS5PBEParameter *pbe_param = NULL;
-    SECStatus rv= SECSuccess; 
-    void *dummy = NULL;
-
-    if(iteration < 0) {
-	return NULL;
-    }
-
-    poolp = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
-    if(poolp == NULL)
-	return NULL;
-
-    pbe_param = (SEC_PKCS5PBEParameter *)PORT_ArenaZAlloc(poolp,
-	sizeof(SEC_PKCS5PBEParameter));
-    if(!pbe_param) {
-	PORT_FreeArena(poolp, PR_TRUE);
-	return NULL;
-    }
-
-    pbe_param->poolp = poolp;
-
-    rv = SECFailure;
-    if (salt && salt->data) {
-    	rv = SECITEM_CopyItem(poolp, &pbe_param->salt, salt);
-    } else {
-	/* sigh, the old interface generated salt on the fly, so we have to
-	 * preserve the semantics */
-	pbe_param->salt.len = DEFAULT_SALT_LENGTH;
-	pbe_param->salt.data = PORT_ArenaZAlloc(poolp,DEFAULT_SALT_LENGTH);
-	if (pbe_param->salt.data) {
-	   rv = PK11_GenerateRandom(pbe_param->salt.data,DEFAULT_SALT_LENGTH);
-	}
-    }
-
-    if(rv != SECSuccess) {
-	PORT_FreeArena(poolp, PR_TRUE);
-	return NULL;
-    }
-
-    /* encode the integer */
-    dummy = SEC_ASN1EncodeInteger(poolp, &pbe_param->iteration, 
-		iteration);
-    rv = (dummy) ? SECSuccess : SECFailure;
-
-    if(rv != SECSuccess) {
-	PORT_FreeArena(poolp, PR_FALSE);
-	return NULL;
-    }
-
-    return pbe_param;
-}
-
-/* creates a algorithm ID containing the PBE algorithm and appropriate
- * parameters.  the required parameter is the algorithm.  if salt is
- * not specified, it is generated randomly.  if IV is specified, it overrides
- * the PKCS 5 generation of the IV.  
- *
- * the returned SECAlgorithmID should be destroyed using 
- * SECOID_DestroyAlgorithmID
- */
-SECAlgorithmID *
-SEC_PKCS5CreateAlgorithmID(SECOidTag algorithm, 
-			   SECItem *salt, 
-			   int iteration)
-{
-    PRArenaPool *poolp = NULL;
-    SECAlgorithmID *algid, *ret_algid;
-    SECItem der_param;
-    SECStatus rv = SECFailure;
-    SEC_PKCS5PBEParameter *pbe_param;
-
-    if(iteration <= 0) {
-	return NULL;
-    }
-
-    der_param.data = NULL;
-    der_param.len = 0;
-
-    /* generate the parameter */
-    pbe_param = sec_pkcs5_create_pbe_parameter(algorithm, salt, iteration);
-    if(!pbe_param) {
-	return NULL;
-    }
-
-    poolp = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
-    if(!poolp) {
-	sec_pkcs5_destroy_pbe_param(pbe_param);
-	return NULL;
-    }
-
-    /* generate the algorithm id */
-    algid = (SECAlgorithmID *)PORT_ArenaZAlloc(poolp, sizeof(SECAlgorithmID));
-    if(algid != NULL) {
-	void *dummy;
-	if(!sec_pkcs5_is_algorithm_v2_pkcs12_algorithm(algorithm)) {
-	    dummy = SEC_ASN1EncodeItem(poolp, &der_param, pbe_param,
-					SEC_PKCS5PBEParameterTemplate);
-	} else {
-	    dummy = SEC_ASN1EncodeItem(poolp, &der_param, pbe_param,
-	    				SEC_V2PKCS12PBEParameterTemplate);
-	}
-	
-	if(dummy) {
-	    rv = SECOID_SetAlgorithmID(poolp, algid, algorithm, &der_param);
-	}
-    }
-
-    ret_algid = NULL;
-    if(algid != NULL) {
-	ret_algid = (SECAlgorithmID *)PORT_ZAlloc(sizeof(SECAlgorithmID));
-	if(ret_algid != NULL) {
-	    rv = SECOID_CopyAlgorithmID(NULL, ret_algid, algid);
-	    if(rv != SECSuccess) {
-		SECOID_DestroyAlgorithmID(ret_algid, PR_TRUE);
-		ret_algid = NULL;
-	    }
-	}
-    }
-	
-    if(poolp != NULL) {
-	PORT_FreeArena(poolp, PR_TRUE);
-	algid = NULL;
-    }
-
-    sec_pkcs5_destroy_pbe_param(pbe_param);
-
-    return ret_algid;
-}
-
-SECStatus
-pbe_PK11AlgidToParam(SECAlgorithmID *algid,SECItem *mech)
-{
-    CK_PBE_PARAMS *pbe_params = NULL;
-    SEC_PKCS5PBEParameter p5_param;
-    SECItem *salt = NULL;
-    SECOidTag algorithm = SECOID_GetAlgorithmTag(algid);
-    PRArenaPool *arena = NULL;
-    SECStatus rv = SECFailure;
-    int iv_len;
-    
-
-    arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
-    if (arena == NULL) {
-	goto loser;
-    }
-    iv_len = PK11_GetIVLength(PK11_AlgtagToMechanism(algorithm));
-    if (iv_len < 0) {
-	goto loser;
-    }
-
-    if (sec_pkcs5_is_algorithm_v2_pkcs12_algorithm(algorithm)) {
-        rv = SEC_ASN1DecodeItem(arena, &p5_param,
-			 SEC_V2PKCS12PBEParameterTemplate, &algid->parameters);
-    } else {
-        rv = SEC_ASN1DecodeItem(arena,&p5_param,SEC_PKCS5PBEParameterTemplate, 
-						&algid->parameters);
-    }
-
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-        
-    salt = &p5_param.salt;
-
-    pbe_params = (CK_PBE_PARAMS *)PORT_ZAlloc(sizeof(CK_PBE_PARAMS)+
-						salt->len+iv_len);
-    if (pbe_params == NULL) {
-	goto loser;
-    }
-
-    /* get salt */
-    pbe_params->pSalt = ((CK_CHAR_PTR) pbe_params)+sizeof(CK_PBE_PARAMS);
-    if (iv_len) {
-	pbe_params->pInitVector = ((CK_CHAR_PTR) pbe_params)+
-					sizeof(CK_PBE_PARAMS)+salt->len;
-    }
-    PORT_Memcpy(pbe_params->pSalt, salt->data, salt->len);
-    pbe_params->ulSaltLen = (CK_ULONG) salt->len;
-
-    /* get iteration count */
-    pbe_params->ulIteration = (CK_ULONG) DER_GetInteger(&p5_param.iteration);
-
-    /* copy into the mechanism sec item */
-    mech->data = (unsigned char *)pbe_params;
-    mech->len = sizeof(*pbe_params);
-    if (arena) {
-	PORT_FreeArena(arena,PR_TRUE);
-    }
-    return SECSuccess;
-
-loser:
-    if (pbe_params) {
-	PORT_Free(pbe_params);
-    }
-    if (arena) {
-	PORT_FreeArena(arena,PR_TRUE);
-    }
-    return SECFailure;
-}
-
-SECStatus
-PBE_PK11ParamToAlgid(SECOidTag algTag, SECItem *param, PRArenaPool *arena, 
-		     SECAlgorithmID *algId)
-{
-    CK_PBE_PARAMS *pbe_param;
-    SECItem pbeSalt;
-    SECAlgorithmID *pbeAlgID = NULL;
-    SECStatus rv;
-
-    if(!param || !algId) {
-	return SECFailure;
-    }
-
-    pbe_param = (CK_PBE_PARAMS *)param->data;
-    pbeSalt.data = (unsigned char *)pbe_param->pSalt;
-    pbeSalt.len = pbe_param->ulSaltLen;
-    pbeAlgID = SEC_PKCS5CreateAlgorithmID(algTag, &pbeSalt, 
-					  (int)pbe_param->ulIteration);
-    if(!pbeAlgID) {
-	return SECFailure;
-    }
-
-    rv = SECOID_CopyAlgorithmID(arena, algId, pbeAlgID);
-    SECOID_DestroyAlgorithmID(pbeAlgID, PR_TRUE);
-    return rv;
-}
-
-PBEBitGenContext *
-PBE_CreateContext(SECOidTag hashAlgorithm, PBEBitGenID bitGenPurpose,
-	SECItem *pwitem, SECItem *salt, unsigned int bitsNeeded,
-	unsigned int iterations)
-{
-    SECItem *context = NULL;
-    SECItem mechItem;
-    CK_PBE_PARAMS pbe_params;
-    CK_MECHANISM_TYPE mechanism = CKM_INVALID_MECHANISM;
-    PK11SlotInfo *slot;
-    PK11SymKey *symKey = NULL;
-    unsigned char ivData[8];
-    
-
-    /* use the purpose to select the low level keygen algorithm */
-    switch (bitGenPurpose) {
-    case pbeBitGenIntegrityKey:
-	switch (hashAlgorithm) {
-	case SEC_OID_SHA1:
-	    mechanism = CKM_PBA_SHA1_WITH_SHA1_HMAC;
-	    break;
-	case SEC_OID_MD2:
-	    mechanism = CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN;
-	    break;
-	case SEC_OID_MD5:
-	    mechanism = CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN;
-	    break;
-	default:
-	    break;
-	}
-	break;
-    case pbeBitGenCipherIV:
-	if (bitsNeeded > 64) {
-	    break;
-	}
-	if (hashAlgorithm != SEC_OID_SHA1) {
-	    break;
-	}
-	mechanism = CKM_PBE_SHA1_DES3_EDE_CBC;
-	break;
-    case pbeBitGenCipherKey:
-	if (hashAlgorithm != SEC_OID_SHA1) {
-	    break;
-	}
-	switch (bitsNeeded) {
-	case 40:
-	    mechanism = CKM_PBE_SHA1_RC4_40;
-	    break;
-	case 128:
-	    mechanism = CKM_PBE_SHA1_RC4_128;
-	    break;
-	default:
-	    break;
-	}
-    case pbeBitGenIDNull:
-	break;
-    }
-
-    if (mechanism == CKM_INVALID_MECHANISM) {
-	/* we should set an error, but this is a depricated function, and
-	 * we are keeping bug for bug compatibility;)... */
-	    return NULL;
-    } 
-
-    pbe_params.pInitVector = ivData;
-    pbe_params.pPassword = pwitem->data;
-    pbe_params.ulPasswordLen = pwitem->len;
-    pbe_params.pSalt = salt->data;
-    pbe_params.ulSaltLen = salt->len;
-    pbe_params.ulIteration = iterations;
-    mechItem.data = (unsigned char *) &pbe_params;
-    mechItem.len = sizeof(pbe_params);
-
-
-    slot = PK11_GetInternalSlot();
-    symKey = PK11_RawPBEKeyGen(slot,mechanism,
-					&mechItem, pwitem, PR_FALSE, NULL);
-    PK11_FreeSlot(slot);
-    if (symKey != NULL) {
-	if (bitGenPurpose == pbeBitGenCipherIV) {
-	    /* NOTE: this assumes that bitsNeeded is a multiple of 8! */
-	    SECItem ivItem;
-
-	    ivItem.data = ivData;
-	    ivItem.len = bitsNeeded/8;
-	    context = SECITEM_DupItem(&ivItem);
-	} else {
-	    SECItem *keyData;
-	    PK11_ExtractKeyValue(symKey);
-	    keyData = PK11_GetKeyData(symKey);
-
-	    /* assert bitsNeeded with length? */
-	    if (keyData) {
-	    	context = SECITEM_DupItem(keyData);
-	    }
-	}
-	PK11_FreeSymKey(symKey);
-    }
-
-    return (PBEBitGenContext *)context;
-}
-
-SECItem *
-PBE_GenerateBits(PBEBitGenContext *context)
-{
-    return (SECItem *)context;
-}
-
-void
-PBE_DestroyContext(PBEBitGenContext *context)
-{
-    SECITEM_FreeItem((SECItem *)context,PR_TRUE);
-}
-
-SECItem *
-SEC_PKCS5GetIV(SECAlgorithmID *algid, SECItem *pwitem, PRBool faulty3DES)
-{
-    SECItem mechItem;
-    SECOidTag algorithm = SECOID_GetAlgorithmTag(algid);
-    CK_PBE_PARAMS *pbe_params;
-    CK_MECHANISM_TYPE mechanism;
-    SECItem *iv = NULL;
-    SECStatus rv;
-    int iv_len;
-    PK11SlotInfo *slot;
-    PK11SymKey *symKey;
-
-    rv = pbe_PK11AlgidToParam(algid,&mechItem);
-    if (rv != SECSuccess) {
-	return NULL;
-    }
-
-    mechanism = PK11_AlgtagToMechanism(algorithm);
-    iv_len = PK11_GetIVLength(mechanism);
-    pbe_params = (CK_PBE_PARAMS_PTR)mechItem.data;
-
-    slot = PK11_GetInternalSlot();
-    symKey = PK11_RawPBEKeyGen(slot,mechanism,
-					&mechItem, pwitem, faulty3DES,NULL);
-    PK11_FreeSlot(slot);
-
-    if (symKey) {
-	SECItem tmp;
-
-	tmp.data = pbe_params->pInitVector;
-	tmp.len = iv_len;
-	iv = SECITEM_DupItem(&tmp);
-        PK11_FreeSymKey(symKey);
-    }
-
-    if (mechItem.data) {
-	PORT_ZFree(mechItem.data,mechItem.len);
-    }
-
-    return iv;
-}
-
-/*
- * Subs from nss 3.x that are depricated
- */
-PBEBitGenContext *
-__PBE_CreateContext(SECOidTag hashAlgorithm, PBEBitGenID bitGenPurpose,
-	SECItem *pwitem, SECItem *salt, unsigned int bitsNeeded,
-	unsigned int iterations)
-{
-    PORT_Assert("__PBE_CreateContext is Depricated" == NULL);
-    return NULL;
-}
-
-SECItem *
-__PBE_GenerateBits(PBEBitGenContext *context)
-{
-    PORT_Assert("__PBE_GenerateBits is Depricated" == NULL);
-    return NULL;
-}
-
-void
-__PBE_DestroyContext(PBEBitGenContext *context)
-{
-    PORT_Assert("__PBE_DestroyContext is Depricated" == NULL);
-}
-
-SECStatus
-RSA_FormatBlock(SECItem *result, unsigned modulusLen,
-                int blockType, SECItem *data)
-{
-    PORT_Assert("RSA_FormatBlock is Depricated" == NULL);
-    return SECFailure;
-}
-
-/****************************************************************************
- *
- * Now Do The PBE Functions Here...
- *
- ****************************************************************************/
-
-static void
-pk11_destroy_ck_pbe_params(CK_PBE_PARAMS *pbe_params)
-{
-    if (pbe_params) {
-	if (pbe_params->pPassword)
-	    PORT_ZFree(pbe_params->pPassword, PR_FALSE);
-	if (pbe_params->pSalt)
-	    PORT_ZFree(pbe_params->pSalt, PR_FALSE);
-	PORT_ZFree(pbe_params, PR_TRUE);
-    }
-}
-
-SECItem * 
-PK11_CreatePBEParams(SECItem *salt, SECItem *pwd, unsigned int iterations)
-{
-    CK_PBE_PARAMS *pbe_params = NULL;
-    SECItem *paramRV = NULL;
-    pbe_params = (CK_PBE_PARAMS *)PORT_ZAlloc(sizeof(CK_PBE_PARAMS));
-    pbe_params->pPassword = (CK_CHAR_PTR)PORT_ZAlloc(pwd->len);
-    if (pbe_params->pPassword != NULL) {
-	PORT_Memcpy(pbe_params->pPassword, pwd->data, pwd->len);
-	pbe_params->ulPasswordLen = pwd->len;
-    } else goto loser;
-    pbe_params->pSalt = (CK_CHAR_PTR)PORT_ZAlloc(salt->len);
-    if (pbe_params->pSalt != NULL) {
-	PORT_Memcpy(pbe_params->pSalt, salt->data, salt->len);
-	pbe_params->ulSaltLen = salt->len;
-    } else goto loser;
-    pbe_params->ulIteration = (CK_ULONG)iterations;
-    paramRV = SECITEM_AllocItem(NULL, NULL, sizeof(CK_PBE_PARAMS));
-    paramRV->data = (unsigned char *)pbe_params;
-    return paramRV;
-loser:
-    pk11_destroy_ck_pbe_params(pbe_params);
-    return NULL;
-}
-
-void
-PK11_DestroyPBEParams(SECItem *params)
-{
-    pk11_destroy_ck_pbe_params((CK_PBE_PARAMS *)params->data);
-}
-
-SECAlgorithmID *
-PK11_CreatePBEAlgorithmID(SECOidTag algorithm, int iteration, SECItem *salt)
-{
-    SECAlgorithmID *algid = NULL;
-    algid = SEC_PKCS5CreateAlgorithmID(algorithm, salt, iteration);
-    return algid;
-}
-
-PK11SymKey *
-PK11_RawPBEKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *mech,
-			 SECItem *pwitem, PRBool faulty3DES, void *wincx)
-{
-    /* pbe stuff */
-    CK_PBE_PARAMS *pbe_params;
-    PK11SymKey *symKey;
-
-    if(faulty3DES && (type == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC)) {
-	type = CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC;
-    }
-    if(mech == NULL) {
-	return NULL;
-    }
-
-    pbe_params = (CK_PBE_PARAMS *)mech->data;
-    pbe_params->pPassword = (CK_CHAR_PTR)PORT_ZAlloc(pwitem->len);
-    if(pbe_params->pPassword != NULL) {
-	PORT_Memcpy(pbe_params->pPassword, pwitem->data, pwitem->len);
-	pbe_params->ulPasswordLen = pwitem->len;
-    } else {
-	SECITEM_ZfreeItem(mech, PR_TRUE);
-	return NULL;
-    }
-
-    symKey = PK11_KeyGen(slot, type, mech, 0, wincx);
-
-    PORT_ZFree(pbe_params->pPassword, pwitem->len);
-    pbe_params->pPassword = NULL;
-    pbe_params->ulPasswordLen = 0;
-    return symKey;
-}
-
-PK11SymKey *
-PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid, SECItem *pwitem,
-	       					PRBool faulty3DES, void *wincx)
-{
-    /* pbe stuff */
-    CK_MECHANISM_TYPE type;
-    SECItem *mech;
-    PK11SymKey *symKey;
-
-    mech = PK11_ParamFromAlgid(algid);
-    type = PK11_AlgtagToMechanism(SECOID_FindOIDTag(&algid->algorithm));
-    if(faulty3DES && (type == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC)) {
-	type = CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC;
-    }
-    if(mech == NULL) {
-	return NULL;
-    }
-    symKey = PK11_RawPBEKeyGen(slot, type, mech, pwitem, faulty3DES, wincx);
-
-    SECITEM_ZfreeItem(mech, PR_TRUE);
-    return symKey;
-}
-
-SECItem *
-PK11_GetPBEIV(SECAlgorithmID *algid, SECItem *pwitem)
-{
-    /* pbe stuff */
-    CK_MECHANISM_TYPE type;
-    SECItem *mech;
-    PK11SymKey *symKey;
-    PK11SlotInfo *slot = PK11_GetInternalSlot();
-    int iv_len = 0;
-    CK_PBE_PARAMS_PTR pPBEparams;
-    SECItem src;
-    SECItem *iv;
-
-
-    mech = PK11_ParamFromAlgid(algid);
-    type = PK11_AlgtagToMechanism(SECOID_FindOIDTag(&algid->algorithm));
-    if(mech == NULL) {
-	return NULL;
-    }
-    symKey = PK11_RawPBEKeyGen(slot, type, mech, pwitem, PR_FALSE, NULL);
-    PK11_FreeSlot(slot);
-    if (symKey == NULL) {
-	SECITEM_ZfreeItem(mech, PR_TRUE);
-	return NULL;
-    }
-    PK11_FreeSymKey(symKey);
-    pPBEparams = (CK_PBE_PARAMS_PTR)mech->data;
-    iv_len = PK11_GetIVLength(type);
-
-    src.data = (unsigned char *)pPBEparams->pInitVector;
-    src.len = iv_len;
-    iv = SECITEM_DupItem(&src);
-
-    SECITEM_ZfreeItem(mech, PR_TRUE);
-    return iv;
-}
diff --git a/security/nss/lib/pk11wrap/pk11pk12.c b/security/nss/lib/pk11wrap/pk11pk12.c
deleted file mode 100644
index 35a4cbc07..000000000
--- a/security/nss/lib/pk11wrap/pk11pk12.c
+++ /dev/null
@@ -1,558 +0,0 @@
-
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * This file PKCS #12 fuctions that should really be moved to the
- * PKCS #12 directory, however we can't do that in a point release
- * because that will break binary compatibility, so we keep them here for now.
- */
-
-#include "seccomon.h"
-#include "secmod.h"
-#include "secmodi.h"
-#include "pkcs11.h"
-#include "pk11func.h"
-#include "secitem.h"
-#include "key.h"
-#include "secoid.h"
-#include "secasn1.h"
-#include "secerr.h"
-
-
-
-/* These data structures should move to a common .h file shared between the
- * wrappers and the pkcs 12 code. */
-
-/*
-** RSA Raw Private Key structures
-*/
-
-/* member names from PKCS#1, section 7.2 */
-struct SECKEYRSAPrivateKeyStr {
-    PRArenaPool * arena;
-    SECItem version;
-    SECItem modulus;
-    SECItem publicExponent;
-    SECItem privateExponent;
-    SECItem prime1;
-    SECItem prime2;
-    SECItem exponent1;
-    SECItem exponent2;
-    SECItem coefficient;
-};
-typedef struct SECKEYRSAPrivateKeyStr SECKEYRSAPrivateKey;
-
-
-/*
-** DSA Raw Private Key structures
-*/
-
-struct SECKEYDSAPrivateKeyStr {
-    SECKEYPQGParams params;
-    SECItem privateValue;
-};
-typedef struct SECKEYDSAPrivateKeyStr SECKEYDSAPrivateKey;
-
-/*
-** Diffie-Hellman Raw Private Key structures
-** Structure member names suggested by PKCS#3.
-*/
-struct SECKEYDHPrivateKeyStr {
-    PRArenaPool * arena;
-    SECItem prime;
-    SECItem base;
-    SECItem privateValue;
-};
-typedef struct SECKEYDHPrivateKeyStr SECKEYDHPrivateKey;
-
-/*
-** raw private key object
-*/
-struct SECKEYRawPrivateKeyStr {
-    PLArenaPool *arena;
-    KeyType keyType;
-    union {
-        SECKEYRSAPrivateKey rsa;
-        SECKEYDSAPrivateKey dsa;
-        SECKEYDHPrivateKey  dh;
-    } u;
-};
-typedef struct SECKEYRawPrivateKeyStr SECKEYRawPrivateKey;
-
-
-/* ASN1 Templates for new decoder/encoder */
-/*
- * Attribute value for PKCS8 entries (static?)
- */
-const SEC_ASN1Template SECKEY_AttributeTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-        0, NULL, sizeof(SECKEYAttribute) },
-    { SEC_ASN1_OBJECT_ID, offsetof(SECKEYAttribute, attrType) },
-    { SEC_ASN1_SET_OF, offsetof(SECKEYAttribute, attrValue),
-        SEC_AnyTemplate },
-    { 0 }
-};
-
-const SEC_ASN1Template SECKEY_SetOfAttributeTemplate[] = {
-    { SEC_ASN1_SET_OF, 0, SECKEY_AttributeTemplate },
-};
-
-const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPrivateKeyInfo) },
-    { SEC_ASN1_INTEGER, offsetof(SECKEYPrivateKeyInfo,version) },
-    { SEC_ASN1_INLINE, offsetof(SECKEYPrivateKeyInfo,algorithm),
-        SECOID_AlgorithmIDTemplate },
-    { SEC_ASN1_OCTET_STRING, offsetof(SECKEYPrivateKeyInfo,privateKey) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
-        offsetof(SECKEYPrivateKeyInfo,attributes),
-        SECKEY_SetOfAttributeTemplate },
-    { 0 }
-};
-
-const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[] = {
-    { SEC_ASN1_POINTER, 0, SECKEY_PrivateKeyInfoTemplate }
-};
-
-const SEC_ASN1Template SECKEY_RSAPrivateKeyExportTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYRawPrivateKey) },
-    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.version) },
-    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.modulus) },
-    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.publicExponent) },
-    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.privateExponent) },
-    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.prime1) },
-    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.prime2) },
-    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.exponent1) },
-    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.exponent2) },
-    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.coefficient) },
-    { 0 }
-};
-
-const SEC_ASN1Template SECKEY_DSAPrivateKeyExportTemplate[] = {
-    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.dsa.privateValue) },
-};
-
-const SEC_ASN1Template SECKEY_DHPrivateKeyExportTemplate[] = {
-    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.dh.privateValue) },
-    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.dh.base) },
-    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.dh.prime) },
-};
-
-const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-        0, NULL, sizeof(SECKEYEncryptedPrivateKeyInfo) },
-    { SEC_ASN1_INLINE,
-        offsetof(SECKEYEncryptedPrivateKeyInfo,algorithm),
-        SECOID_AlgorithmIDTemplate },
-    { SEC_ASN1_OCTET_STRING,
-        offsetof(SECKEYEncryptedPrivateKeyInfo,encryptedData) },
-    { 0 }
-};
-
-const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[] = {
-        { SEC_ASN1_POINTER, 0, SECKEY_EncryptedPrivateKeyInfoTemplate }
-};
-
-SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_EncryptedPrivateKeyInfoTemplate)
-SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_PointerToEncryptedPrivateKeyInfoTemplate)
-SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_PrivateKeyInfoTemplate)
-SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_PointerToPrivateKeyInfoTemplate)
-
-/*
- * See bugzilla bug 125359
- * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
- * all of the templates above that en/decode into integers must be converted
- * from ASN.1's signed integer type.  This is done by marking either the
- * source or destination (encoding or decoding, respectively) type as
- * siUnsignedInteger.
- */
-
-static void
-prepare_rsa_priv_key_export_for_asn1(SECKEYRawPrivateKey *key)
-{
-    key->u.rsa.modulus.type = siUnsignedInteger;
-    key->u.rsa.publicExponent.type = siUnsignedInteger;
-    key->u.rsa.privateExponent.type = siUnsignedInteger;
-    key->u.rsa.prime1.type = siUnsignedInteger;
-    key->u.rsa.prime2.type = siUnsignedInteger;
-    key->u.rsa.exponent1.type = siUnsignedInteger;
-    key->u.rsa.exponent2.type = siUnsignedInteger;
-    key->u.rsa.coefficient.type = siUnsignedInteger;
-}
-
-static void
-prepare_dsa_priv_key_export_for_asn1(SECKEYRawPrivateKey *key)
-{
-    key->u.dsa.privateValue.type = siUnsignedInteger;
-    key->u.dsa.params.prime.type = siUnsignedInteger;
-    key->u.dsa.params.subPrime.type = siUnsignedInteger;
-    key->u.dsa.params.base.type = siUnsignedInteger;
-}
-
-static void
-prepare_dh_priv_key_export_for_asn1(SECKEYRawPrivateKey *key)
-{
-    key->u.dh.privateValue.type = siUnsignedInteger;
-    key->u.dh.prime.type = siUnsignedInteger;
-    key->u.dh.base.type = siUnsignedInteger;
-}
-
-
-SECStatus
-PK11_ImportDERPrivateKeyInfo(PK11SlotInfo *slot, SECItem *derPKI, 
-	SECItem *nickname, SECItem *publicValue, PRBool isPerm, 
-	PRBool isPrivate, unsigned int keyUsage, void *wincx) 
-{
-    return PK11_ImportDERPrivateKeyInfoAndReturnKey(slot, derPKI,
-	nickname, publicValue, isPerm, isPrivate, keyUsage, NULL, wincx);
-}
-
-SECStatus
-PK11_ImportDERPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, SECItem *derPKI, 
-	SECItem *nickname, SECItem *publicValue, PRBool isPerm, 
-	PRBool isPrivate, unsigned int keyUsage, SECKEYPrivateKey** privk,
-	void *wincx) 
-{
-    SECKEYPrivateKeyInfo *pki = NULL;
-    PRArenaPool *temparena = NULL;
-    SECStatus rv = SECFailure;
-
-    temparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    pki = PORT_ArenaZNew(temparena, SECKEYPrivateKeyInfo);
-    pki->arena = temparena;
-
-    rv = SEC_ASN1DecodeItem(pki->arena, pki, SECKEY_PrivateKeyInfoTemplate,
-		derPKI);
-    if( rv != SECSuccess ) {
-	goto finish;
-    }
-
-    rv = PK11_ImportPrivateKeyInfoAndReturnKey(slot, pki, nickname,
-		publicValue, isPerm, isPrivate, keyUsage, privk, wincx);
-
-finish:
-    if( pki != NULL ) {
-	/* this zeroes the key and frees the arena */
-	SECKEY_DestroyPrivateKeyInfo(pki, PR_TRUE /*freeit*/);
-    }
-    return rv;
-}
-        
-SECStatus
-PK11_ImportAndReturnPrivateKey(PK11SlotInfo *slot, SECKEYRawPrivateKey *lpk, 
-	SECItem *nickname, SECItem *publicValue, PRBool isPerm, 
-	PRBool isPrivate, unsigned int keyUsage, SECKEYPrivateKey **privk,
-	void *wincx) 
-{
-    CK_BBOOL cktrue = CK_TRUE;
-    CK_BBOOL ckfalse = CK_FALSE;
-    CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
-    CK_KEY_TYPE keyType = CKK_RSA;
-    CK_OBJECT_HANDLE objectID;
-    CK_ATTRIBUTE theTemplate[20];
-    int templateCount = 0;
-    SECStatus rv = SECFailure;
-    PRArenaPool *arena;
-    CK_ATTRIBUTE *attrs;
-    CK_ATTRIBUTE *signedattr = NULL;
-    int signedcount = 0;
-    CK_ATTRIBUTE *ap;
-    SECItem *ck_id = NULL;
-
-    arena = PORT_NewArena(2048);
-    if(!arena) {
-	return SECFailure;
-    }
-
-    attrs = theTemplate;
-
-
-    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass) ); attrs++;
-    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType) ); attrs++;
-    PK11_SETATTRS(attrs, CKA_TOKEN, isPerm ? &cktrue : &ckfalse, 
-						sizeof(CK_BBOOL) ); attrs++;
-    PK11_SETATTRS(attrs, CKA_SENSITIVE, isPrivate ? &cktrue : &ckfalse, 
-						sizeof(CK_BBOOL) ); attrs++;
-    PK11_SETATTRS(attrs, CKA_PRIVATE, isPrivate ? &cktrue : &ckfalse,
-						 sizeof(CK_BBOOL) ); attrs++;
-
-    switch (lpk->keyType) {
-    case rsaKey:
-	    keyType = CKK_RSA;
-	    PK11_SETATTRS(attrs, CKA_UNWRAP, (keyUsage & KU_KEY_ENCIPHERMENT) ?
-				&cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++;
-	    PK11_SETATTRS(attrs, CKA_DECRYPT, (keyUsage & KU_DATA_ENCIPHERMENT) ?
-				&cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++;
-	    PK11_SETATTRS(attrs, CKA_SIGN, (keyUsage & KU_DIGITAL_SIGNATURE) ? 
-				&cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++;
-	    PK11_SETATTRS(attrs, CKA_SIGN_RECOVER, 
-				(keyUsage & KU_DIGITAL_SIGNATURE) ? 
-				&cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++;
-	    ck_id = PK11_MakeIDFromPubKey(&lpk->u.rsa.modulus);
-	    if (ck_id == NULL) {
-		goto loser;
-	    }
-	    PK11_SETATTRS(attrs, CKA_ID, ck_id->data,ck_id->len); attrs++;
-	    if (nickname) {
-		PK11_SETATTRS(attrs, CKA_LABEL, nickname->data, nickname->len); attrs++; 
-	    } 
-	    signedattr = attrs;
-	    PK11_SETATTRS(attrs, CKA_MODULUS, lpk->u.rsa.modulus.data,
-						lpk->u.rsa.modulus.len); attrs++;
-	    PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, 
-	     			lpk->u.rsa.publicExponent.data,
-				lpk->u.rsa.publicExponent.len); attrs++;
-	    PK11_SETATTRS(attrs, CKA_PRIVATE_EXPONENT, 
-	     			lpk->u.rsa.privateExponent.data,
-				lpk->u.rsa.privateExponent.len); attrs++;
-	    PK11_SETATTRS(attrs, CKA_PRIME_1, 
-	     			lpk->u.rsa.prime1.data,
-				lpk->u.rsa.prime1.len); attrs++;
-	    PK11_SETATTRS(attrs, CKA_PRIME_2, 
-	     			lpk->u.rsa.prime2.data,
-				lpk->u.rsa.prime2.len); attrs++;
-	    PK11_SETATTRS(attrs, CKA_EXPONENT_1, 
-	     			lpk->u.rsa.exponent1.data,
-				lpk->u.rsa.exponent1.len); attrs++;
-	    PK11_SETATTRS(attrs, CKA_EXPONENT_2, 
-	     			lpk->u.rsa.exponent2.data,
-				lpk->u.rsa.exponent2.len); attrs++;
-	    PK11_SETATTRS(attrs, CKA_COEFFICIENT, 
-	     			lpk->u.rsa.coefficient.data,
-				lpk->u.rsa.coefficient.len); attrs++;
-	    break;
-    case dsaKey:
-	    keyType = CKK_DSA;
-	    /* To make our intenal PKCS #11 module work correctly with 
-	     * our database, we need to pass in the public key value for 
-	     * this dsa key. We have a netscape only CKA_ value to do this.
-	     * Only send it to internal slots */
-	    if( publicValue == NULL ) {
-		goto loser;
-	    }
-	    if (PK11_IsInternal(slot)) {
-	        PK11_SETATTRS(attrs, CKA_NETSCAPE_DB,
-				publicValue->data, publicValue->len); attrs++;
-	    }
-	    PK11_SETATTRS(attrs, CKA_SIGN, &cktrue, sizeof(CK_BBOOL)); attrs++;
-	    PK11_SETATTRS(attrs, CKA_SIGN_RECOVER, &cktrue, sizeof(CK_BBOOL)); attrs++;
-	    if(nickname) {
-		PK11_SETATTRS(attrs, CKA_LABEL, nickname->data, nickname->len);
-		attrs++; 
-	    } 
-	    ck_id = PK11_MakeIDFromPubKey(publicValue);
-	    if (ck_id == NULL) {
-		goto loser;
-	    }
-	    PK11_SETATTRS(attrs, CKA_ID, ck_id->data,ck_id->len); attrs++;
-	    signedattr = attrs;
-	    PK11_SETATTRS(attrs, CKA_PRIME,    lpk->u.dsa.params.prime.data,
-				lpk->u.dsa.params.prime.len); attrs++;
-	    PK11_SETATTRS(attrs,CKA_SUBPRIME,lpk->u.dsa.params.subPrime.data,
-				lpk->u.dsa.params.subPrime.len); attrs++;
-	    PK11_SETATTRS(attrs, CKA_BASE,  lpk->u.dsa.params.base.data,
-					lpk->u.dsa.params.base.len); attrs++;
-	    PK11_SETATTRS(attrs, CKA_VALUE,    lpk->u.dsa.privateValue.data, 
-					lpk->u.dsa.privateValue.len); attrs++;
-	    break;
-     case dhKey:
-	    keyType = CKK_DH;
-	    /* To make our intenal PKCS #11 module work correctly with 
-	     * our database, we need to pass in the public key value for 
-	     * this dh key. We have a netscape only CKA_ value to do this.
-	     * Only send it to internal slots */
-	    if (PK11_IsInternal(slot)) {
-	        PK11_SETATTRS(attrs, CKA_NETSCAPE_DB,
-				publicValue->data, publicValue->len); attrs++;
-	    }
-	    PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL)); attrs++;
-	    if(nickname) {
-		PK11_SETATTRS(attrs, CKA_LABEL, nickname->data, nickname->len);
-		attrs++; 
-	    } 
-	    ck_id = PK11_MakeIDFromPubKey(publicValue);
-	    if (ck_id == NULL) {
-		goto loser;
-	    }
-	    PK11_SETATTRS(attrs, CKA_ID, ck_id->data,ck_id->len); attrs++;
-	    signedattr = attrs;
-	    PK11_SETATTRS(attrs, CKA_PRIME,    lpk->u.dh.prime.data,
-				lpk->u.dh.prime.len); attrs++;
-	    PK11_SETATTRS(attrs, CKA_BASE,  lpk->u.dh.base.data,
-					lpk->u.dh.base.len); attrs++;
-	    PK11_SETATTRS(attrs, CKA_VALUE,    lpk->u.dh.privateValue.data, 
-					lpk->u.dh.privateValue.len); attrs++;
-	    break;
-	/* what about fortezza??? */
-    default:
-	    PORT_SetError(SEC_ERROR_BAD_KEY);
-	    goto loser;
-    }
-    templateCount = attrs - theTemplate;
-    PORT_Assert(templateCount <= sizeof(theTemplate)/sizeof(CK_ATTRIBUTE));
-    PORT_Assert(signedattr != NULL);
-    signedcount = attrs - signedattr;
-
-    for (ap=signedattr; signedcount; ap++, signedcount--) {
-	pk11_SignedToUnsigned(ap);
-    }
-
-    rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION,
-			theTemplate, templateCount, isPerm, &objectID);
-
-    /* create and return a SECKEYPrivateKey */
-    if( rv == SECSuccess && privk != NULL) {
-	*privk = PK11_MakePrivKey(slot, lpk->keyType, !isPerm, objectID, wincx);
-	if( *privk == NULL ) {
-	    rv = SECFailure;
-	}
-    }
-loser:
-    if (ck_id) {
-	SECITEM_ZfreeItem(ck_id, PR_TRUE);
-    }
-    return rv;
-}
-
-SECStatus
-PK11_ImportPrivateKey(PK11SlotInfo *slot, SECKEYRawPrivateKey *lpk, 
-	SECItem *nickname, SECItem *publicValue, PRBool isPerm, 
-	PRBool isPrivate, unsigned int keyUsage, void *wincx) 
-{
-    return PK11_ImportAndReturnPrivateKey(slot, lpk, nickname, publicValue,
-	isPerm, isPrivate, keyUsage, NULL, wincx);
-}
-
-SECStatus
-PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
-	SECKEYPrivateKeyInfo *pki, SECItem *nickname, SECItem *publicValue,
-	PRBool isPerm, PRBool isPrivate, unsigned int keyUsage,
-	SECKEYPrivateKey **privk, void *wincx) 
-{
-    CK_KEY_TYPE keyType = CKK_RSA;
-    SECStatus rv = SECFailure;
-    SECKEYRawPrivateKey *lpk = NULL;
-    const SEC_ASN1Template *keyTemplate, *paramTemplate;
-    void *paramDest = NULL;
-    PRArenaPool *arena;
-
-    arena = PORT_NewArena(2048);
-    if(!arena) {
-	return SECFailure;
-    }
-
-    /* need to change this to use RSA/DSA keys */
-    lpk = (SECKEYRawPrivateKey *)PORT_ArenaZAlloc(arena,
-						  sizeof(SECKEYRawPrivateKey));
-    if(lpk == NULL) {
-	goto loser;
-    }
-    lpk->arena = arena;
-
-    switch(SECOID_GetAlgorithmTag(&pki->algorithm)) {
-	case SEC_OID_PKCS1_RSA_ENCRYPTION:
-	    prepare_rsa_priv_key_export_for_asn1(lpk);
-	    keyTemplate = SECKEY_RSAPrivateKeyExportTemplate;
-	    paramTemplate = NULL;
-	    paramDest = NULL;
-	    lpk->keyType = rsaKey;
-	    keyType = CKK_RSA;
-	    break;
-	case SEC_OID_ANSIX9_DSA_SIGNATURE:
-	    prepare_dsa_priv_key_export_for_asn1(lpk);
-	    keyTemplate = SECKEY_DSAPrivateKeyExportTemplate;
-	    paramTemplate = SECKEY_PQGParamsTemplate;
-	    paramDest = &(lpk->u.dsa.params);
-	    lpk->keyType = dsaKey;
-	    keyType = CKK_DSA;
-	    break;
-	case SEC_OID_X942_DIFFIE_HELMAN_KEY:
-	    if(!publicValue) {
-		goto loser;
-	    }
-	    prepare_dh_priv_key_export_for_asn1(lpk);
-	    keyTemplate = SECKEY_DHPrivateKeyExportTemplate;
-	    paramTemplate = NULL;
-	    paramDest = NULL;
-	    lpk->keyType = dhKey;
-	    keyType = CKK_DH;
-	    break;
-
-	default:
-	    keyTemplate   = NULL;
-	    paramTemplate = NULL;
-	    paramDest     = NULL;
-	    break;
-    }
-
-    if(!keyTemplate) {
-	goto loser;
-    }
-
-    /* decode the private key and any algorithm parameters */
-    rv = SEC_ASN1DecodeItem(arena, lpk, keyTemplate, &pki->privateKey);
-    if(rv != SECSuccess) {
-	goto loser;
-    }
-    if(paramDest && paramTemplate) {
-	rv = SEC_ASN1DecodeItem(arena, paramDest, paramTemplate, 
-				 &(pki->algorithm.parameters));
-	if(rv != SECSuccess) {
-	    goto loser;
-	}
-    }
-
-    rv = PK11_ImportAndReturnPrivateKey(slot,lpk,nickname,publicValue, isPerm, 
-	isPrivate,  keyUsage, privk, wincx);
-
-
-loser:
-    if (lpk!= NULL) {
-	PORT_FreeArena(arena, PR_TRUE);
-    }
-
-    return rv;
-}
-
-SECStatus
-PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot, SECKEYPrivateKeyInfo *pki, 
-	SECItem *nickname, SECItem *publicValue, PRBool isPerm, 
-	PRBool isPrivate, unsigned int keyUsage, void *wincx) 
-{
-    return PK11_ImportPrivateKeyInfoAndReturnKey(slot, pki, nickname,
-	publicValue, isPerm, isPrivate, keyUsage, NULL, wincx);
-
-}
-
diff --git a/security/nss/lib/pk11wrap/pk11pqg.c b/security/nss/lib/pk11wrap/pk11pqg.c
deleted file mode 100644
index 62afc7756..000000000
--- a/security/nss/lib/pk11wrap/pk11pqg.c
+++ /dev/null
@@ -1,387 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2001
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* Thse functions are stub functions which will get replaced with calls through
- * PKCS #11.
- */
-
-#include "pk11func.h"
-#include "secmod.h"
-#include "secmodi.h"
-#include "secmodti.h"
-#include "pkcs11t.h"
-#include "pk11pqg.h"
-#include "pqgutil.h"
-#include "secerr.h"
-
-
-/* Generate PQGParams and PQGVerify structs.
- * Length of P specified by j.  Length of h will match length of P.
- * Length of SEED in bytes specified in seedBytes.
- * seedBbytes must be in the range [20..255] or an error will result.
- */
-extern SECStatus
-PK11_PQG_ParamGenSeedLen( unsigned int j, unsigned int seedBytes,
-				 PQGParams **pParams, PQGVerify **pVfy)
-{
-    PK11SlotInfo *slot = NULL;
-    CK_ATTRIBUTE genTemplate[5];
-    CK_ATTRIBUTE *attrs = genTemplate;
-    int count = sizeof(genTemplate)/sizeof(genTemplate[0]);
-    CK_MECHANISM mechanism;
-    CK_OBJECT_HANDLE objectID = CK_INVALID_HANDLE;
-    CK_RV crv;
-    CK_ATTRIBUTE pTemplate[] = {
-	{ CKA_PRIME, NULL, 0 },
-	{ CKA_SUBPRIME, NULL, 0 },
-	{ CKA_BASE, NULL, 0 },
-    };
-    CK_ATTRIBUTE vTemplate[] = {
-	{ CKA_NETSCAPE_PQG_COUNTER, NULL, 0 },
-	{ CKA_NETSCAPE_PQG_SEED, NULL, 0 },
-	{ CKA_NETSCAPE_PQG_H, NULL, 0 },
-    };
-    int pTemplateCount = sizeof(pTemplate)/sizeof(pTemplate[0]);
-    int vTemplateCount = sizeof(vTemplate)/sizeof(vTemplate[0]);
-    PRArenaPool *parena = NULL;
-    PRArenaPool *varena = NULL;
-    PQGParams *params = NULL;
-    PQGVerify *verify = NULL;
-    CK_ULONG primeBits = PQG_INDEX_TO_PBITS(j);
-    CK_ULONG seedBits = seedBytes*8;
-
-    *pParams = NULL;
-    *pVfy =  NULL;
-
-    if (primeBits == (CK_ULONG)-1) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	goto loser;
-    }
-    PK11_SETATTRS(attrs, CKA_PRIME_BITS,&primeBits,sizeof(primeBits)); attrs++;
-    if (seedBits != 0) {
-    	PK11_SETATTRS(attrs, CKA_NETSCAPE_PQG_SEED_BITS, 
-					&seedBits, sizeof(seedBits)); attrs++;
-    }
-    count = attrs - genTemplate;
-    PR_ASSERT(count <= sizeof(genTemplate)/sizeof(CK_ATTRIBUTE));
-
-    slot = PK11_GetInternalSlot();
-    if (slot == NULL) {
-	/* set error */
-	goto loser;
-    }
-
-    /* Initialize the Key Gen Mechanism */
-    mechanism.mechanism = CKM_DSA_PARAMETER_GEN;
-    mechanism.pParameter = NULL;
-    mechanism.ulParameterLen = 0;
-
-    PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB(slot)->C_GenerateKey(slot->session,
-			 &mechanism, genTemplate, count, &objectID);
-    PK11_ExitSlotMonitor(slot);
-
-    if (crv != CKR_OK) {
-	PORT_SetError( PK11_MapError(crv) );
-	goto loser;
-    }
-
-    parena = PORT_NewArena(60);
-    crv = PK11_GetAttributes(parena, slot, objectID, pTemplate, pTemplateCount);
-    if (crv != CKR_OK) {
-	PORT_SetError( PK11_MapError(crv) );
-	goto loser;
-    }
-
-
-    params = (PQGParams *)PORT_ArenaAlloc(parena,sizeof(PQGParams));
-    if (params == NULL) {
-	goto loser;
-    }
-
-    /* fill in Params */
-    params->arena = parena;
-    params->prime.type = siUnsignedInteger;
-    params->prime.data = pTemplate[0].pValue;
-    params->prime.len = pTemplate[0].ulValueLen;
-    params->subPrime.type = siUnsignedInteger;
-    params->subPrime.data = pTemplate[1].pValue;
-    params->subPrime.len = pTemplate[1].ulValueLen;
-    params->base.type = siUnsignedInteger;
-    params->base.data = pTemplate[2].pValue;
-    params->base.len = pTemplate[2].ulValueLen;
-
-
-    varena = PORT_NewArena(60);
-    crv = PK11_GetAttributes(varena, slot, objectID, vTemplate, vTemplateCount);
-    if (crv != CKR_OK) {
-	PORT_SetError( PK11_MapError(crv) );
-	goto loser;
-    }
-
-
-    verify = (PQGVerify *)PORT_ArenaAlloc(varena,sizeof(PQGVerify));
-    if (verify == NULL) {
-	goto loser;
-    }
-    /* fill in Params */
-    verify->arena = varena;
-    verify->counter = (unsigned int)(*(CK_ULONG*)vTemplate[0].pValue);
-    verify->seed.type = siUnsignedInteger;
-    verify->seed.data = vTemplate[1].pValue;
-    verify->seed.len = vTemplate[1].ulValueLen;
-    verify->h.type = siUnsignedInteger;
-    verify->h.data = vTemplate[2].pValue;
-    verify->h.len = vTemplate[2].ulValueLen;
-
-    PK11_DestroyObject(slot,objectID);
-    PK11_FreeSlot(slot);
-
-    *pParams = params;
-    *pVfy =  verify;
-
-    return SECSuccess;
-
-loser:
-    if (objectID != CK_INVALID_HANDLE) {
-	PK11_DestroyObject(slot,objectID);
-    }
-    if (parena != NULL) {
-	PORT_FreeArena(parena,PR_FALSE);
-    }
-    if (varena != NULL) {
-	PORT_FreeArena(varena,PR_FALSE);
-    }
-    if (slot) {
-	PK11_FreeSlot(slot);
-    }
-    return SECFailure;
-}
-
-/* Generate PQGParams and PQGVerify structs.
- * Length of seed and length of h both equal length of P. 
- * All lengths are specified by "j", according to the table above.
- */
-extern SECStatus
-PK11_PQG_ParamGen(unsigned int j, PQGParams **pParams, PQGVerify **pVfy)
-{
-    return PK11_PQG_ParamGenSeedLen(j, 0, pParams, pVfy);
-}
-
-/*  Test PQGParams for validity as DSS PQG values.
- *  If vfy is non-NULL, test PQGParams to make sure they were generated
- *       using the specified seed, counter, and h values.
- *
- *  Return value indicates whether Verification operation ran succesfully
- *  to completion, but does not indicate if PQGParams are valid or not.
- *  If return value is SECSuccess, then *pResult has these meanings:
- *       SECSuccess: PQGParams are valid.
- *       SECFailure: PQGParams are invalid.
- */
-
-extern SECStatus
-PK11_PQG_VerifyParams(const PQGParams *params, const PQGVerify *vfy, 
-							SECStatus *result)
-{
-    CK_ATTRIBUTE keyTempl[] = {
-	{ CKA_CLASS, NULL, 0 },
-	{ CKA_KEY_TYPE, NULL, 0 },
-	{ CKA_PRIME, NULL, 0 },
-	{ CKA_SUBPRIME, NULL, 0 },
-	{ CKA_BASE, NULL, 0 },
-	{ CKA_TOKEN, NULL, 0 },
-	{ CKA_NETSCAPE_PQG_COUNTER, NULL, 0 },
-	{ CKA_NETSCAPE_PQG_SEED, NULL, 0 },
-	{ CKA_NETSCAPE_PQG_H, NULL, 0 },
-    };
-    CK_ATTRIBUTE *attrs;
-    CK_BBOOL ckfalse = CK_FALSE;
-    CK_OBJECT_CLASS class = CKO_KG_PARAMETERS;
-    CK_KEY_TYPE keyType = CKK_DSA;
-    SECStatus rv = SECSuccess;
-    PK11SlotInfo *slot;
-    int keyCount;
-    CK_OBJECT_HANDLE objectID;
-    CK_ULONG counter;
-    CK_RV crv;
-
-    attrs = keyTempl;
-    PK11_SETATTRS(attrs, CKA_CLASS, &class, sizeof(class)); attrs++;
-    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); attrs++;
-    PK11_SETATTRS(attrs, CKA_PRIME, params->prime.data, 
-						params->prime.len); attrs++;
-    PK11_SETATTRS(attrs, CKA_SUBPRIME, params->subPrime.data, 
-						params->subPrime.len); attrs++;
-    PK11_SETATTRS(attrs, CKA_BASE,params->base.data,params->base.len); attrs++;
-    PK11_SETATTRS(attrs, CKA_TOKEN, &ckfalse, sizeof(ckfalse)); attrs++;
-    if (vfy) {
-	counter = vfy->counter;
-	PK11_SETATTRS(attrs, CKA_NETSCAPE_PQG_COUNTER, 
-			&counter, sizeof(counter)); attrs++;
-	PK11_SETATTRS(attrs, CKA_NETSCAPE_PQG_SEED, 
-			vfy->seed.data, vfy->seed.len); attrs++;
-	PK11_SETATTRS(attrs, CKA_NETSCAPE_PQG_H, 
-			vfy->h.data, vfy->h.len); attrs++;
-    }
-
-    keyCount = attrs - keyTempl;
-    PORT_Assert(keyCount <= sizeof(keyTempl)/sizeof(keyTempl[0]));
-
-
-    slot = PK11_GetInternalSlot();
-    if (slot == NULL) {
-	return SECFailure;
-    }
-
-    PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB(slot)->C_CreateObject(slot->session, keyTempl, keyCount, 
-								&objectID);
-    PK11_ExitSlotMonitor(slot);
-
-    /* throw away the keys, we only wanted the return code */
-    PK11_DestroyObject(slot,objectID);
-    PK11_FreeSlot(slot);
-
-    *result = SECSuccess;
-    if (crv == CKR_ATTRIBUTE_VALUE_INVALID) {
-	*result = SECFailure;
-    } else if (crv != CKR_OK) {
-	PORT_SetError( PK11_MapError(crv) );
-	rv = SECFailure;
-    }
-    return rv;
-
-}
-
-
-
-/**************************************************************************
- *  Free the PQGParams struct and the things it points to.                *
- **************************************************************************/
-extern void 
-PK11_PQG_DestroyParams(PQGParams *params) {
-     PQG_DestroyParams(params);
-     return;
-}
-
-/**************************************************************************
- *  Free the PQGVerify struct and the things it points to.                *
- **************************************************************************/
-extern void
-PK11_PQG_DestroyVerify(PQGVerify *vfy) {
-    PQG_DestroyVerify(vfy);
-    return;
-}
-
-/**************************************************************************
- *  Return a pointer to a new PQGParams struct that is constructed from   *
- *  copies of the arguments passed in.                                    *
- *  Return NULL on failure.                                               *
- **************************************************************************/
-extern PQGParams *
-PK11_PQG_NewParams(const SECItem * prime, const SECItem * subPrime, 
-                                 		const SECItem * base) {
-    return PQG_NewParams(prime, subPrime, base);
-}
-
-
-/**************************************************************************
- * Fills in caller's "prime" SECItem with the prime value in params.
- * Contents can be freed by calling SECITEM_FreeItem(prime, PR_FALSE);	
- **************************************************************************/
-extern SECStatus 
-PK11_PQG_GetPrimeFromParams(const PQGParams *params, SECItem * prime) {
-    return PQG_GetPrimeFromParams(params, prime);
-}
-
-
-/**************************************************************************
- * Fills in caller's "subPrime" SECItem with the prime value in params.
- * Contents can be freed by calling SECITEM_FreeItem(subPrime, PR_FALSE);	
- **************************************************************************/
-extern SECStatus
-PK11_PQG_GetSubPrimeFromParams(const PQGParams *params, SECItem * subPrime) {
-    return PQG_GetSubPrimeFromParams(params, subPrime);
-}
-
-
-/**************************************************************************
- * Fills in caller's "base" SECItem with the base value in params.
- * Contents can be freed by calling SECITEM_FreeItem(base, PR_FALSE);	
- **************************************************************************/
-extern SECStatus 
-PK11_PQG_GetBaseFromParams(const PQGParams *params, SECItem *base) {
-    return PQG_GetBaseFromParams(params, base);
-}
-
-
-/**************************************************************************
- *  Return a pointer to a new PQGVerify struct that is constructed from   *
- *  copies of the arguments passed in.                                    *
- *  Return NULL on failure.                                               *
- **************************************************************************/
-extern PQGVerify *
-PK11_PQG_NewVerify(unsigned int counter, const SECItem * seed, 
-							const SECItem * h) {
-    return PQG_NewVerify(counter, seed, h);
-}
-
-
-/**************************************************************************
- * Returns "counter" value from the PQGVerify.
- **************************************************************************/
-extern unsigned int 
-PK11_PQG_GetCounterFromVerify(const PQGVerify *verify) {
-    return PQG_GetCounterFromVerify(verify);
-}
-
-/**************************************************************************
- * Fills in caller's "seed" SECItem with the seed value in verify.
- * Contents can be freed by calling SECITEM_FreeItem(seed, PR_FALSE);	
- **************************************************************************/
-extern SECStatus 
-PK11_PQG_GetSeedFromVerify(const PQGVerify *verify, SECItem *seed) {
-    return PQG_GetSeedFromVerify(verify, seed);
-}
-
-
-/**************************************************************************
- * Fills in caller's "h" SECItem with the h value in verify.
- * Contents can be freed by calling SECITEM_FreeItem(h, PR_FALSE);	
- **************************************************************************/
-extern SECStatus 
-PK11_PQG_GetHFromVerify(const PQGVerify *verify, SECItem * h) {
-    return PQG_GetHFromVerify(verify, h);
-}
diff --git a/security/nss/lib/pk11wrap/pk11pqg.h b/security/nss/lib/pk11wrap/pk11pqg.h
deleted file mode 100644
index b7ad303f7..000000000
--- a/security/nss/lib/pk11wrap/pk11pqg.h
+++ /dev/null
@@ -1,155 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2001
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* Thse functions are stub functions which will get replaced with calls through
- * PKCS #11.
- */
-
-#ifndef _PK11PQG_H_
-#define  _PK11PQG_H_ 1
-
-#include "blapit.h"
-
-SEC_BEGIN_PROTOS
-
-/* Generate PQGParams and PQGVerify structs.
- * Length of seed and length of h both equal length of P. 
- * All lengths are specified by "j", according to the table above.
- */
-extern SECStatus PK11_PQG_ParamGen(unsigned int j, PQGParams **pParams, 
-							PQGVerify **pVfy);
-
-/* Generate PQGParams and PQGVerify structs.
- * Length of P specified by j.  Length of h will match length of P.
- * Length of SEED in bytes specified in seedBytes.
- * seedBbytes must be in the range [20..255] or an error will result.
- */
-extern SECStatus PK11_PQG_ParamGenSeedLen( unsigned int j, 
-	unsigned int seedBytes, PQGParams **pParams, PQGVerify **pVfy);
-
-/*  Test PQGParams for validity as DSS PQG values.
- *  If vfy is non-NULL, test PQGParams to make sure they were generated
- *       using the specified seed, counter, and h values.
- *
- *  Return value indicates whether Verification operation ran succesfully
- *  to completion, but does not indicate if PQGParams are valid or not.
- *  If return value is SECSuccess, then *pResult has these meanings:
- *       SECSuccess: PQGParams are valid.
- *       SECFailure: PQGParams are invalid.
- *
- * Verify the following 12 facts about PQG counter SEED g and h
- * 1.  Q is 160 bits long.
- * 2.  P is one of the 9 valid lengths.
- * 3.  G < P
- * 4.  P % Q == 1
- * 5.  Q is prime
- * 6.  P is prime
- * Steps 7-12 are done only if the optional PQGVerify is supplied.
- * 7.  counter < 4096
- * 8.  g >= 160 and g < 2048   (g is length of seed in bits)
- * 9.  Q generated from SEED matches Q in PQGParams.
- * 10. P generated from (L, counter, g, SEED, Q) matches P in PQGParams.
- * 11. 1 < h < P-1
- * 12. G generated from h matches G in PQGParams.
- */
-
-extern SECStatus PK11_PQG_VerifyParams(const PQGParams *params, 
-                                    const PQGVerify *vfy, SECStatus *result);
-extern void PK11_PQG_DestroyParams(PQGParams *params);
-extern void PK11_PQG_DestroyVerify(PQGVerify *vfy);
-
-/**************************************************************************
- *  Return a pointer to a new PQGParams struct that is constructed from   *
- *  copies of the arguments passed in.                                    *
- *  Return NULL on failure.                                               *
- **************************************************************************/
-extern PQGParams * PK11_PQG_NewParams(const SECItem * prime, const 
-				SECItem * subPrime, const SECItem * base);
-
-
-/**************************************************************************
- * Fills in caller's "prime" SECItem with the prime value in params.
- * Contents can be freed by calling SECITEM_FreeItem(prime, PR_FALSE);	
- **************************************************************************/
-extern SECStatus PK11_PQG_GetPrimeFromParams(const PQGParams *params, 
-							SECItem * prime);
-
-
-/**************************************************************************
- * Fills in caller's "subPrime" SECItem with the prime value in params.
- * Contents can be freed by calling SECITEM_FreeItem(subPrime, PR_FALSE);	
- **************************************************************************/
-extern SECStatus PK11_PQG_GetSubPrimeFromParams(const PQGParams *params, 
-							SECItem * subPrime);
-
-
-/**************************************************************************
- * Fills in caller's "base" SECItem with the base value in params.
- * Contents can be freed by calling SECITEM_FreeItem(base, PR_FALSE);	
- **************************************************************************/
-extern SECStatus PK11_PQG_GetBaseFromParams(const PQGParams *params, 
-							SECItem *base);
-
-
-/**************************************************************************
- *  Return a pointer to a new PQGVerify struct that is constructed from   *
- *  copies of the arguments passed in.                                    *
- *  Return NULL on failure.                                               *
- **************************************************************************/
-extern PQGVerify * PK11_PQG_NewVerify(unsigned int counter, 
-				const SECItem * seed, const SECItem * h);
-
-
-/**************************************************************************
- * Returns "counter" value from the PQGVerify.
- **************************************************************************/
-extern unsigned int PK11_PQG_GetCounterFromVerify(const PQGVerify *verify);
-
-/**************************************************************************
- * Fills in caller's "seed" SECItem with the seed value in verify.
- * Contents can be freed by calling SECITEM_FreeItem(seed, PR_FALSE);	
- **************************************************************************/
-extern SECStatus PK11_PQG_GetSeedFromVerify(const PQGVerify *verify, 
-							SECItem *seed);
-
-/**************************************************************************
- * Fills in caller's "h" SECItem with the h value in verify.
- * Contents can be freed by calling SECITEM_FreeItem(h, PR_FALSE);	
- **************************************************************************/
-extern SECStatus PK11_PQG_GetHFromVerify(const PQGVerify *verify, SECItem * h);
-
-SEC_END_PROTOS
-
-#endif
diff --git a/security/nss/lib/pk11wrap/pk11priv.h b/security/nss/lib/pk11wrap/pk11priv.h
deleted file mode 100644
index 6d0b012b0..000000000
--- a/security/nss/lib/pk11wrap/pk11priv.h
+++ /dev/null
@@ -1,226 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#ifndef _PK11PRIV_H_
-#define _PK11PRIV_H_
-#include "plarena.h"
-#include "seccomon.h"
-#include "secoidt.h"
-#include "secdert.h"
-#include "keyt.h"
-#include "certt.h"
-#include "pkcs11t.h"
-#include "secmodt.h"
-#include "seccomon.h"
-#include "pkcs7t.h"
-#include "cmsreclist.h"
-
-/*
- * These are the private NSS functions. They are not exported by nss.def, and
- * are not callable outside nss3.dll. 
- */
-
-SEC_BEGIN_PROTOS
-
-/************************************************************
- * Generic Slot Lists Management
- ************************************************************/
-PK11SlotList * PK11_NewSlotList(void);
-PK11SlotList * PK11_GetPrivateKeyTokens(CK_MECHANISM_TYPE type,
-						PRBool needRW,void *wincx);
-SECStatus PK11_AddSlotToList(PK11SlotList *list,PK11SlotInfo *slot);
-SECStatus PK11_DeleteSlotFromList(PK11SlotList *list,PK11SlotListElement *le);
-PK11SlotListElement *PK11_FindSlotElement(PK11SlotList *list,
-							PK11SlotInfo *slot);
-PK11SlotInfo *PK11_FindSlotBySerial(char *serial);
-
-/************************************************************
- * Generic Slot Management
- ************************************************************/
-CK_OBJECT_HANDLE PK11_CopyKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE srcObject);
-SECStatus PK11_ReadAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
-         CK_ATTRIBUTE_TYPE type, PRArenaPool *arena, SECItem *result);
-CK_ULONG PK11_ReadULongAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
-         CK_ATTRIBUTE_TYPE type);
-char * PK11_MakeString(PRArenaPool *arena,char *space,char *staticSring,
-								int stringLen);
-int PK11_MapError(CK_RV error);
-CK_SESSION_HANDLE PK11_GetRWSession(PK11SlotInfo *slot);
-void PK11_RestoreROSession(PK11SlotInfo *slot,CK_SESSION_HANDLE rwsession);
-PRBool PK11_RWSessionHasLock(PK11SlotInfo *slot,
-					 CK_SESSION_HANDLE session_handle);
-PK11SlotInfo *PK11_NewSlotInfo(SECMODModule *mod);
-void PK11_EnterSlotMonitor(PK11SlotInfo *);
-void PK11_ExitSlotMonitor(PK11SlotInfo *);
-void PK11_CleanKeyList(PK11SlotInfo *slot);
-
-
-/************************************************************
- *  Slot Password Management
- ************************************************************/
-SECStatus PK11_DoPassword(PK11SlotInfo *slot, PRBool loadCerts, void *wincx);
-SECStatus PK11_VerifyPW(PK11SlotInfo *slot,char *pw);
-void PK11_HandlePasswordCheck(PK11SlotInfo *slot,void *wincx);
-void PK11_SetVerifyPasswordFunc(PK11VerifyPasswordFunc func);
-void PK11_SetIsLoggedInFunc(PK11IsLoggedInFunc func);
-
-/************************************************************
- * Manage the built-In Slot Lists
- ************************************************************/
-SECStatus PK11_InitSlotLists(void);
-void PK11_DestroySlotLists(void);
-PK11SlotList *PK11_GetSlotList(CK_MECHANISM_TYPE type);
-void PK11_LoadSlotList(PK11SlotInfo *slot, PK11PreSlotInfo *psi, int count);
-void PK11_ClearSlotList(PK11SlotInfo *slot);
-
-
-/******************************************************************
- *           Slot initialization
- ******************************************************************/
-PRBool PK11_VerifyMechanism(PK11SlotInfo *slot,PK11SlotInfo *intern,
-  CK_MECHANISM_TYPE mech, SECItem *data, SECItem *iv);
-PRBool PK11_VerifySlotMechanisms(PK11SlotInfo *slot);
-SECStatus pk11_CheckVerifyTest(PK11SlotInfo *slot);
-SECStatus PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts);
-void PK11_InitSlot(SECMODModule *mod,CK_SLOT_ID slotID,PK11SlotInfo *slot);
-PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot);
-SECStatus PK11_ReadSlotCerts(PK11SlotInfo *slot);
-
-/*********************************************************************
- *       Mechanism Mapping functions
- *********************************************************************/
-void PK11_AddMechanismEntry(CK_MECHANISM_TYPE type, CK_KEY_TYPE key,
-		 	CK_MECHANISM_TYPE keygen, int ivLen, int blocksize);
-CK_MECHANISM_TYPE PK11_GetKeyMechanism(CK_KEY_TYPE type);
-CK_MECHANISM_TYPE PK11_GetKeyGenWithSize(CK_MECHANISM_TYPE type, int size);
-
-/**********************************************************************
- *                   Symetric, Public, and Private Keys 
- **********************************************************************/
-/* Key Generation specialized for SDR (fixed DES3 key) */
-PK11SymKey *PK11_GenDES3TokenKey(PK11SlotInfo *slot, SECItem *keyid, void *cx);
-SECKEYPublicKey *PK11_ExtractPublicKey(PK11SlotInfo *slot, KeyType keyType,
-					 CK_OBJECT_HANDLE id);
-CK_OBJECT_HANDLE PK11_FindObjectForCert(CERTCertificate *cert,
-					void *wincx, PK11SlotInfo **pSlot);
-PK11SymKey * pk11_CopyToSlot(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
-		 	CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey);
-
-/**********************************************************************
- *                   Certs
- **********************************************************************/
-SECStatus PK11_TraversePrivateKeysInSlot( PK11SlotInfo *slot,
-    SECStatus(* callback)(SECKEYPrivateKey*, void*), void *arg);
-SECKEYPrivateKey * PK11_FindPrivateKeyFromNickname(char *nickname, void *wincx);
-CK_OBJECT_HANDLE * PK11_FindObjectsFromNickname(char *nickname,
-	PK11SlotInfo **slotptr, CK_OBJECT_CLASS objclass, int *returnCount, 
-								void *wincx);
-CK_OBJECT_HANDLE PK11_MatchItem(PK11SlotInfo *slot,CK_OBJECT_HANDLE peer,
-						CK_OBJECT_CLASS o_class); 
-CK_BBOOL PK11_HasAttributeSet( PK11SlotInfo *slot,
-			       CK_OBJECT_HANDLE id,
-			       CK_ATTRIBUTE_TYPE type );
-CK_RV PK11_GetAttributes(PRArenaPool *arena,PK11SlotInfo *slot,
-			 CK_OBJECT_HANDLE obj,CK_ATTRIBUTE *attr, int count);
-int PK11_NumberCertsForCertSubject(CERTCertificate *cert);
-SECStatus PK11_TraverseCertsForSubject(CERTCertificate *cert, 
-	SECStatus(*callback)(CERTCertificate *, void *), void *arg);
-CERTCertificate *PK11_FindCertFromDERCertItem(PK11SlotInfo *slot, 
-					  SECItem *derCert, void *wincx);
-CERTCertificate *PK11_FindCertFromDERSubjectAndNickname(
-					PK11SlotInfo *slot, 
-					CERTCertificate *cert, char *nickname,
-					void *wincx);
-SECStatus PK11_GetKEAMatchedCerts(PK11SlotInfo *slot1,
-   PK11SlotInfo *slot2, CERTCertificate **cert1, CERTCertificate **cert2);
-SECStatus PK11_TraverseCertsInSlot(PK11SlotInfo *slot,
-       SECStatus(* callback)(CERTCertificate*, void *), void *arg);
-SECStatus PK11_LookupCrls(CERTCrlHeadNode *nodes, int type, void *wincx);
-
-
-/**********************************************************************
- *                   Crypto Contexts
- **********************************************************************/
-PK11Context * PK11_CreateContextByRawKey(PK11SlotInfo *slot, 
-    CK_MECHANISM_TYPE type, PK11Origin origin, CK_ATTRIBUTE_TYPE operation,
-			 	SECItem *key, SECItem *param, void *wincx);
-PRBool PK11_HashOK(SECOidTag hashAlg);
-
-
-/**********************************************************************
- * Functions which are  depricated....
- **********************************************************************/
-
-SECItem *
-PK11_FindCrlByName(PK11SlotInfo **slot, CK_OBJECT_HANDLE *handle,
-					SECItem *derName, int type, char **url);
-
-CK_OBJECT_HANDLE
-PK11_PutCrl(PK11SlotInfo *slot, SECItem *crl, 
-				SECItem *name, char *url, int type);
-
-SECItem *
-PK11_FindSMimeProfile(PK11SlotInfo **slotp, char *emailAddr, SECItem *derSubj,
-					SECItem **profileTime);
-SECStatus
-PK11_SaveSMimeProfile(PK11SlotInfo *slot, char *emailAddr, SECItem *derSubj,
-			SECItem *emailProfile, SECItem *profileTime);
-
-PRBool PK11_IsPermObject(PK11SlotInfo *slot, CK_OBJECT_HANDLE handle);
-
-char * PK11_GetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id) ;
-SECStatus PK11_SetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, 
-						const char *nickname) ;
-
-
-/* private */
-SECStatus pk11_TraverseAllSlots( SECStatus (*callback)(PK11SlotInfo *,void *),
-	void *cbArg, void *pwArg);
-
-/* fetch multiple CRLs for a specific issuer */
-SECStatus pk11_RetrieveCrls(CERTCrlHeadNode *nodes, SECItem* issuer,
-                                   void *wincx);
-
-/* set global options for NSS PKCS#11 module loader */
-SECStatus pk11_setGlobalOptions(PRBool noSingleThreadedModules,
-                                PRBool allowAlreadyInitializedModules,
-                                PRBool dontFinalizeModules);
-
-/* return whether NSS is allowed to call C_Finalize */
-PRBool pk11_getFinalizeModulesOption(void);
-
-SEC_END_PROTOS
-
-#endif
diff --git a/security/nss/lib/pk11wrap/pk11pub.h b/security/nss/lib/pk11wrap/pk11pub.h
deleted file mode 100644
index 8a933cc93..000000000
--- a/security/nss/lib/pk11wrap/pk11pub.h
+++ /dev/null
@@ -1,700 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#ifndef _PK11PUB_H_
-#define _PK11PUB_H_
-#include "plarena.h"
-#include "seccomon.h"
-#include "secoidt.h"
-#include "secdert.h"
-#include "keyt.h"
-#include "certt.h"
-#include "pkcs11t.h"
-#include "secmodt.h"
-#include "seccomon.h"
-#include "pkcs7t.h"
-#include "cmsreclist.h"
-
-/*
- * Exported PK11 wrap functions.
- */
-
-SEC_BEGIN_PROTOS
-
-/************************************************************
- * Generic Slot Lists Management
- ************************************************************/
-void PK11_FreeSlotList(PK11SlotList *list);
-SECStatus PK11_FreeSlotListElement(PK11SlotList *list, PK11SlotListElement *le);
-PK11SlotListElement * PK11_GetFirstSafe(PK11SlotList *list);
-PK11SlotListElement *PK11_GetNextSafe(PK11SlotList *list, 
-				PK11SlotListElement *le, PRBool restart);
-
-/************************************************************
- * Generic Slot Management
- ************************************************************/
-PK11SlotInfo *PK11_ReferenceSlot(PK11SlotInfo *slot);
-void PK11_FreeSlot(PK11SlotInfo *slot);
-SECStatus PK11_DestroyObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object);
-SECStatus PK11_DestroyTokenObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object);
-PK11SlotInfo *PK11_GetInternalKeySlot(void);
-PK11SlotInfo *PK11_GetInternalSlot(void);
-SECStatus PK11_Logout(PK11SlotInfo *slot);
-void PK11_LogoutAll(void);
-
-
-/************************************************************
- *  Slot Password Management
- ************************************************************/
-void PK11_SetSlotPWValues(PK11SlotInfo *slot,int askpw, int timeout);
-void PK11_GetSlotPWValues(PK11SlotInfo *slot,int *askpw, int *timeout);
-SECStatus PK11_CheckSSOPassword(PK11SlotInfo *slot, char *ssopw);
-SECStatus PK11_CheckUserPassword(PK11SlotInfo *slot,char *pw);
-PRBool PK11_IsLoggedIn(PK11SlotInfo *slot, void *wincx);
-SECStatus PK11_InitPin(PK11SlotInfo *slot,char *ssopw, char *pk11_userpwd);
-SECStatus PK11_ChangePW(PK11SlotInfo *slot,char *oldpw, char *newpw);
-void PK11_SetPasswordFunc(PK11PasswordFunc func);
-int PK11_GetMinimumPwdLength(PK11SlotInfo *slot);
-SECStatus PK11_ResetToken(PK11SlotInfo *slot, char *sso_pwd);
-SECStatus PK11_Authenticate(PK11SlotInfo *slot, PRBool loadCerts, void *wincx);
-SECStatus PK11_TokenRefresh(PK11SlotInfo *slot);
-
-
-/******************************************************************
- *           Slot info functions
- ******************************************************************/
-PK11SlotInfo *PK11_FindSlotByName(const char *name);
-/******************************************************************
- * PK11_FindSlotsByNames searches for a PK11SlotInfo using one or
- * more criteria : dllName, slotName and tokenName . In addition, if
- * presentOnly is set , only slots with a token inserted will be
- * returned.
- ******************************************************************/
-PK11SlotList *PK11_FindSlotsByNames(const char *dllName,
-        const char* slotName, const char* tokenName, PRBool presentOnly);
-PRBool PK11_IsReadOnly(PK11SlotInfo *slot);
-PRBool PK11_IsInternal(PK11SlotInfo *slot);
-char * PK11_GetTokenName(PK11SlotInfo *slot);
-char * PK11_GetSlotName(PK11SlotInfo *slot);
-PRBool PK11_NeedLogin(PK11SlotInfo *slot);
-PRBool PK11_IsFriendly(PK11SlotInfo *slot);
-PRBool PK11_IsHW(PK11SlotInfo *slot);
-PRBool PK11_NeedUserInit(PK11SlotInfo *slot);
-PRBool PK11_ProtectedAuthenticationPath(PK11SlotInfo *slot);
-int PK11_GetSlotSeries(PK11SlotInfo *slot);
-int PK11_GetCurrentWrapIndex(PK11SlotInfo *slot);
-unsigned long PK11_GetDefaultFlags(PK11SlotInfo *slot);
-CK_SLOT_ID PK11_GetSlotID(PK11SlotInfo *slot);
-SECMODModuleID PK11_GetModuleID(PK11SlotInfo *slot);
-SECStatus PK11_GetSlotInfo(PK11SlotInfo *slot, CK_SLOT_INFO *info);
-SECStatus PK11_GetTokenInfo(PK11SlotInfo *slot, CK_TOKEN_INFO *info);
-PRBool PK11_IsDisabled(PK11SlotInfo *slot);
-PRBool PK11_HasRootCerts(PK11SlotInfo *slot);
-PK11DisableReasons PK11_GetDisabledReason(PK11SlotInfo *slot);
-/* Prevents the slot from being used, and set disable reason to user-disable */
-/* NOTE: Mechanisms that were ON continue to stay ON */
-/*       Therefore, when the slot is enabled, it will remember */
-/*       what mechanisms needs to be turned on */
-PRBool PK11_UserDisableSlot(PK11SlotInfo *slot);
-/* Allow all mechanisms that are ON before UserDisableSlot() */
-/* was called to be available again */
-PRBool PK11_UserEnableSlot(PK11SlotInfo *slot);
-/*
- * wait for a specific slot event.
- * event is a specific event to wait for. Currently only 
- *    PK11TokenChangeOrRemovalEvent and PK11TokenPresentEvents are defined.
- * timeout can be an interval time to wait, PR_INTERVAL_NO_WAIT (meaning only
- * poll once), or PR_INTERVAL_NO_TIMEOUT (meaning block until a change).
- * pollInterval is a suggested pulling interval value. '0' means use the 
- *  default. Future implementations that don't poll may ignore this value.
- * series is the current series for the last slot. This should be the series 
- *  value for the slot the last time you read persistant information from the
- *  slot. For instance, if you publish a cert from the slot, you should obtain
- *  the slot series at that time. Then PK11_WaitForTokenEvent can detect a 
- *  a change in the slot between the time you publish and the time 
- *  PK11_WaitForTokenEvent is called, elliminating potential race conditions.
- *
- * The current status that is returned is:
- *   PK11TokenNotRemovable - always returned for any non-removable token.
- *   PK11TokenPresent - returned when the token is present and we are waiting
- *     on a PK11TokenPresentEvent. Then next event to look for is a 
- *     PK11TokenChangeOrRemovalEvent.
- *   PK11TokenChanged - returned when the old token has been removed and a new
- *     token ad been inserted, and we are waiting for a 
- *     PK11TokenChangeOrRemovalEvent. The next event to look for is another
- *     PK11TokenChangeOrRemovalEvent.
- *   PK11TokenRemoved - returned when the token is not present and we are 
- *     waiting for a PK11TokenChangeOrRemovalEvent. The next event to look for 
- *     is a PK11TokenPresentEvent.
- */
-PK11TokenStatus PK11_WaitForTokenEvent(PK11SlotInfo *slot, PK11TokenEvent event,
-	PRIntervalTime timeout, PRIntervalTime pollInterval, int series);
-
-PRBool PK11_NeedPWInit(void);
-PRBool PK11_TokenExists(CK_MECHANISM_TYPE);
-SECStatus PK11_GetModInfo(SECMODModule *mod, CK_INFO *info);
-PRBool PK11_IsFIPS(void);
-SECMODModule *PK11_GetModule(PK11SlotInfo *slot);
-
-/*********************************************************************
- *            Slot mapping utility functions.
- *********************************************************************/
-PRBool PK11_IsPresent(PK11SlotInfo *slot);
-PRBool PK11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type);
-PK11SlotList * PK11_GetAllTokens(CK_MECHANISM_TYPE type,PRBool needRW,
-					PRBool loadCerts, void *wincx);
-PK11SlotInfo *PK11_GetBestSlotMultiple(CK_MECHANISM_TYPE *type, int count,
-							void *wincx);
-PK11SlotInfo *PK11_GetBestSlot(CK_MECHANISM_TYPE type, void *wincx);
-CK_MECHANISM_TYPE PK11_GetBestWrapMechanism(PK11SlotInfo *slot);
-int PK11_GetBestKeyLength(PK11SlotInfo *slot, CK_MECHANISM_TYPE type);
-/*
- * Open a new database using the softoken. The caller is responsible for making
- * sure the module spec is correct and usable. The caller should ask for one
- * new database per call if the caller wants to get meaningful information
- * about the new database.
- *
- * moduleSpec is the same data that you would pass to softoken at
- * initialization time under the 'tokens' options. For example, if you were
- * to specify tokens=<0x4=[configdir='./mybackup' tokenDescription='Backup']>
- * You would specify "configdir='./mybackup' tokenDescription='Backup'" as your
- * module spec here. The slot ID will be calculated for you by
- * SECMOD_OpenUserDB().
- *
- * Typical parameters here are configdir, tokenDescription and flags.
- *
- * a Full list is below:
- *
- *
- *  configDir - The location of the databases for this token. If configDir is
- *         not specified, and noCertDB and noKeyDB is not specified, the load
- *         will fail.
- *   certPrefix - Cert prefix for this token.
- *   keyPrefix - Prefix for the key database for this token. (if not specified,
- *         certPrefix will be used).
- *   tokenDescription - The label value for this token returned in the
- *         CK_TOKEN_INFO structure with an internationalize string (UTF8).
- *         This value will be truncated at 32 bytes (no NULL, partial UTF8
- *         characters dropped). You should specify a user friendly name here
- *         as this is the value the token will be refered to in most
- *         application UI's. You should make sure tokenDescription is unique.
- *   slotDescription - The slotDescription value for this token returned
- *         in the CK_SLOT_INFO structure with an internationalize string
- *         (UTF8). This value will be truncated at 64 bytes (no NULL, partial
- *         UTF8 characters dropped). This name will not change after the
- *         database is closed. It should have some number to make this unique.
- *   minPWLen - minimum password length for this token.
- *   flags - comma separated list of flag values, parsed case-insensitive.
- *         Valid flags are:
- *              readOnly - Databases should be opened read only.
- *              noCertDB - Don't try to open a certificate database.
- *              noKeyDB - Don't try to open a key database.
- *              forceOpen - Don't fail to initialize the token if the
- *                databases could not be opened.
- *              passwordRequired - zero length passwords are not acceptable
- *                (valid only if there is a keyDB).
- *              optimizeSpace - allocate smaller hash tables and lock tables.
- *                When this flag is not specified, Softoken will allocate
- *                large tables to prevent lock contention.
- */
-PK11SlotInfo *SECMOD_OpenUserDB(const char *moduleSpec);
-SECStatus SECMOD_CloseUserDB(PK11SlotInfo *slot);
-
-/*********************************************************************
- *       Mechanism Mapping functions
- *********************************************************************/
-CK_MECHANISM_TYPE PK11_GetKeyType(CK_MECHANISM_TYPE type,unsigned long len);
-CK_MECHANISM_TYPE PK11_GetKeyGen(CK_MECHANISM_TYPE type);
-int PK11_GetBlockSize(CK_MECHANISM_TYPE type,SECItem *params);
-int PK11_GetIVLength(CK_MECHANISM_TYPE type);
-SECItem *PK11_ParamFromIV(CK_MECHANISM_TYPE type,SECItem *iv);
-unsigned char *PK11_IVFromParam(CK_MECHANISM_TYPE type,SECItem *param,int *len);
-SECItem * PK11_BlockData(SECItem *data,unsigned long size);
-
-/* PKCS #11 to DER mapping functions */
-SECItem *PK11_ParamFromAlgid(SECAlgorithmID *algid);
-SECItem *PK11_GenerateNewParam(CK_MECHANISM_TYPE, PK11SymKey *);
-CK_MECHANISM_TYPE PK11_AlgtagToMechanism(SECOidTag algTag);
-SECOidTag PK11_MechanismToAlgtag(CK_MECHANISM_TYPE type);
-SECOidTag PK11_FortezzaMapSig(SECOidTag algTag);
-SECStatus PK11_ParamToAlgid(SECOidTag algtag, SECItem *param,
-                                   PRArenaPool *arena, SECAlgorithmID *algid);
-SECStatus PK11_SeedRandom(PK11SlotInfo *,unsigned char *data,int len);
-SECStatus PK11_GenerateRandomOnSlot(PK11SlotInfo *,unsigned char *data,int len);
-SECStatus PK11_RandomUpdate(void *data, size_t bytes);
-SECStatus PK11_GenerateRandom(unsigned char *data,int len);
-CK_RV PK11_MapPBEMechanismToCryptoMechanism(CK_MECHANISM_PTR pPBEMechanism,
-					    CK_MECHANISM_PTR pCryptoMechanism,
-					    SECItem *pbe_pwd, PRBool bad3DES);
-CK_MECHANISM_TYPE PK11_GetPadMechanism(CK_MECHANISM_TYPE);
-CK_MECHANISM_TYPE PK11_MapSignKeyType(KeyType keyType);
-
-/**********************************************************************
- *                   Symetric, Public, and Private Keys 
- **********************************************************************/
-void PK11_FreeSymKey(PK11SymKey *key);
-PK11SymKey *PK11_ReferenceSymKey(PK11SymKey *symKey);
-PK11SymKey *PK11_ImportSymKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
-    PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, void *wincx);
-PK11SymKey *PK11_ImportSymKeyWithFlags(PK11SlotInfo *slot, 
-    CK_MECHANISM_TYPE type, PK11Origin origin, CK_ATTRIBUTE_TYPE operation, 
-    SECItem *key, CK_FLAGS flags, PRBool isPerm, void *wincx);
-PK11SymKey *PK11_SymKeyFromHandle(PK11SlotInfo *slot, PK11SymKey *parent,
-    PK11Origin origin, CK_MECHANISM_TYPE type, CK_OBJECT_HANDLE keyID, 
-    PRBool owner, void *wincx);
-PK11SymKey *PK11_GetWrapKey(PK11SlotInfo *slot, int wrap,
-			      CK_MECHANISM_TYPE type,int series, void *wincx);
-/*
- * This function is not thread-safe.  It can only be called when only
- * one thread has a reference to wrapKey.
- */
-void PK11_SetWrapKey(PK11SlotInfo *slot, int wrap, PK11SymKey *wrapKey);
-CK_MECHANISM_TYPE PK11_GetMechanism(PK11SymKey *symKey);
-CK_OBJECT_HANDLE PK11_ImportPublicKey(PK11SlotInfo *slot, 
-				SECKEYPublicKey *pubKey, PRBool isToken);
-PK11SymKey *PK11_KeyGen(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
-				SECItem *param,	int keySize,void *wincx);
-PK11SymKey *PK11_TokenKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
-				SECItem *param, int keySize, SECItem *keyid,
-				PRBool isToken, void *wincx);
-PK11SymKey *PK11_TokenKeyGenWithFlags(PK11SlotInfo *slot,
-				CK_MECHANISM_TYPE type, SECItem *param,
-				int keySize, SECItem *keyid, CK_FLAGS opFlags,
-				PK11AttrFlags attrFlags, void *wincx);
-PK11SymKey * PK11_ListFixedKeysInSlot(PK11SlotInfo *slot, char *nickname,
-								void *wincx);
-PK11SymKey *PK11_GetNextSymKey(PK11SymKey *symKey);
-CK_KEY_TYPE PK11_GetSymKeyType(PK11SymKey *key);
-
-/*
- * PK11_SetSymKeyUserData
- *   sets generic user data on keys (usually a pointer to a data structure)
- * that can later be retrieved by PK11_GetSymKeyUserData().
- *    symKey - key where data will be set.
- *    data - data to be set.
- *    freefunc - function used to free the data.
- * Setting user data on symKeys with existing user data already set will cause 
- * the existing user data to be freed before the new user data is set.
- * Freeing user data is done by calling the user specified freefunc. 
- * If freefunc is NULL, the user data is assumed to be global or static an 
- * not freed. Passing NULL for user data to PK11_SetSymKeyUserData has the 
- * effect of freeing any existing user data, and clearing the user data 
- * pointer. If user data exists when the symKey is finally freed, that 
- * data will be freed with freefunc.
- *
- * Applications should only use this function on keys which the application
- * has created directly, as there is only one user data value per key.
- */
-void PK11_SetSymKeyUserData(PK11SymKey *symKey, void *data, 
-                                 PK11FreeDataFunc freefunc);
-/* PK11_GetSymKeyUserData 
- *   retrieves generic user data which was set on a key by 
- * PK11_SetSymKeyUserData.
- *    symKey - key with data to be fetched
- *
- * If no data exists, or the data has been cleared, PK11_GetSymKeyUserData
- * will return NULL. Returned data is still owned and managed by the SymKey,
- * the caller should not free the data.
- *
- */
-void *PK11_GetSymKeyUserData(PK11SymKey *symKey);
-
-SECStatus PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey,
-				PK11SymKey *symKey, SECItem *wrappedKey);
-SECStatus PK11_WrapSymKey(CK_MECHANISM_TYPE type, SECItem *params,
-	 PK11SymKey *wrappingKey, PK11SymKey *symKey, SECItem *wrappedKey);
-/* move a key to 'slot' optionally set the key attributes according to either
- * operation or the  flags and making the key permanent at the same time.
- * If the key is moved to the same slot, operation and flags values are 
- * currently ignored */
-PK11SymKey *PK11_MoveSymKey(PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation, 
-			CK_FLAGS flags, PRBool  perm, PK11SymKey *symKey);
-/*
- * derive a new key from the base key.
- *  PK11_Derive returns a key which can do exactly one operation, and is
- * ephemeral (session key).
- *  PK11_DeriveWithFlags is the same as PK11_Derive, except you can use
- * CKF_ flags to enable more than one operation.
- *  PK11_DeriveWithFlagsPerm is the same as PK11_DeriveWithFlags except you can
- *  (optionally) make the key permanent (token key).
- */
-PK11SymKey *PK11_Derive(PK11SymKey *baseKey, CK_MECHANISM_TYPE mechanism,
-   			SECItem *param, CK_MECHANISM_TYPE target, 
-		        CK_ATTRIBUTE_TYPE operation, int keySize);
-PK11SymKey *PK11_DeriveWithFlags( PK11SymKey *baseKey, 
-	CK_MECHANISM_TYPE derive, SECItem *param, CK_MECHANISM_TYPE target, 
-	CK_ATTRIBUTE_TYPE operation, int keySize, CK_FLAGS flags);
-PK11SymKey * PK11_DeriveWithFlagsPerm( PK11SymKey *baseKey, 
-	CK_MECHANISM_TYPE derive, 
-	SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, 
-	int keySize, CK_FLAGS flags, PRBool isPerm);
-
-PK11SymKey *PK11_PubDerive( SECKEYPrivateKey *privKey, 
- SECKEYPublicKey *pubKey, PRBool isSender, SECItem *randomA, SECItem *randomB,
- CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
-		 CK_ATTRIBUTE_TYPE operation, int keySize,void *wincx) ;
-PK11SymKey *PK11_PubDeriveWithKDF( SECKEYPrivateKey *privKey, 
- SECKEYPublicKey *pubKey, PRBool isSender, SECItem *randomA, SECItem *randomB,
- CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
-		 CK_ATTRIBUTE_TYPE operation, int keySize,
-		 CK_ULONG kdf, SECItem *sharedData, void *wincx);
-
-/*
- * unwrap a new key with a symetric key.
- *  PK11_Unwrap returns a key which can do exactly one operation, and is
- * ephemeral (session key).
- *  PK11_UnwrapWithFlags is the same as PK11_Unwrap, except you can use
- * CKF_ flags to enable more than one operation.
- *  PK11_UnwrapWithFlagsPerm is the same as PK11_UnwrapWithFlags except you can
- *  (optionally) make the key permanent (token key).
- */
-PK11SymKey *PK11_UnwrapSymKey(PK11SymKey *key, 
-	CK_MECHANISM_TYPE wraptype, SECItem *param, SECItem *wrapppedKey,  
-	CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize);
-PK11SymKey *PK11_UnwrapSymKeyWithFlags(PK11SymKey *wrappingKey, 
-	CK_MECHANISM_TYPE wrapType, SECItem *param, SECItem *wrappedKey, 
-	CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize, 
-	CK_FLAGS flags);
-PK11SymKey * PK11_UnwrapSymKeyWithFlagsPerm(PK11SymKey *wrappingKey, 
-	CK_MECHANISM_TYPE wrapType,
-        SECItem *param, SECItem *wrappedKey, 
-	CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, 
-	 int keySize, CK_FLAGS flags, PRBool isPerm);
-
-/*
- * unwrap a new key with a private key.
- *  PK11_PubUnwrap returns a key which can do exactly one operation, and is
- * ephemeral (session key).
- *  PK11_PubUnwrapWithFlagsPerm is the same as PK11_PubUnwrap except you can 
- * use * CKF_ flags to enable more than one operation, and optionally make 
- * the key permanent (token key).
- */
-PK11SymKey *PK11_PubUnwrapSymKey(SECKEYPrivateKey *key, SECItem *wrapppedKey,
-	 CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize);
-PK11SymKey * PK11_PubUnwrapSymKeyWithFlagsPerm(SECKEYPrivateKey *wrappingKey, 
-	  SECItem *wrappedKey, CK_MECHANISM_TYPE target, 
-	  CK_ATTRIBUTE_TYPE operation, int keySize,
-	  CK_FLAGS flags, PRBool isPerm);
-PK11SymKey *PK11_FindFixedKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, 
-						SECItem *keyID, void *wincx);
-SECStatus PK11_DeleteTokenPrivateKey(SECKEYPrivateKey *privKey,PRBool force);
-SECStatus PK11_DeleteTokenPublicKey(SECKEYPublicKey *pubKey);
-SECStatus PK11_DeleteTokenSymKey(PK11SymKey *symKey);
-SECStatus PK11_DeleteTokenCertAndKey(CERTCertificate *cert,void *wincx);
-SECKEYPrivateKey * PK11_LoadPrivKey(PK11SlotInfo *slot,
-		SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey, 
-					PRBool token, PRBool sensitive);
-char * PK11_GetSymKeyNickname(PK11SymKey *symKey);
-char * PK11_GetPrivateKeyNickname(SECKEYPrivateKey *privKey);
-char * PK11_GetPublicKeyNickname(SECKEYPublicKey *pubKey);
-SECStatus PK11_SetSymKeyNickname(PK11SymKey *symKey, const char *nickname);
-SECStatus PK11_SetPrivateKeyNickname(SECKEYPrivateKey *privKey, 
-							const char *nickname);
-SECStatus PK11_SetPublicKeyNickname(SECKEYPublicKey *pubKey, 
-							const char *nickname);
-
-/* size to hold key in bytes */
-unsigned int PK11_GetKeyLength(PK11SymKey *key);
-/* size of actual secret parts of key in bits */
-/* algid is because RC4 strength is determined by the effective bits as well
- * as the key bits */
-unsigned int PK11_GetKeyStrength(PK11SymKey *key,SECAlgorithmID *algid);
-SECStatus PK11_ExtractKeyValue(PK11SymKey *symKey);
-SECItem * PK11_GetKeyData(PK11SymKey *symKey);
-PK11SlotInfo * PK11_GetSlotFromKey(PK11SymKey *symKey);
-void *PK11_GetWindow(PK11SymKey *symKey);
-/*
- * The attrFlags is the logical OR of the PK11_ATTR_XXX bitflags.
- * These flags apply to the private key.  The PK11_ATTR_TOKEN,
- * PK11_ATTR_SESSION, PK11_ATTR_MODIFIABLE, and PK11_ATTR_UNMODIFIABLE
- * flags also apply to the public key.
- */
-SECKEYPrivateKey *PK11_GenerateKeyPairWithFlags(PK11SlotInfo *slot,
-   CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk,
-		 	    PK11AttrFlags attrFlags, void *wincx);
-SECKEYPrivateKey *PK11_GenerateKeyPair(PK11SlotInfo *slot,
-   CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk,
-		 	    PRBool isPerm, PRBool isSensitive, void *wincx);
-SECKEYPrivateKey * PK11_FindPrivateKeyFromCert(PK11SlotInfo *slot,
-				 	CERTCertificate *cert, void *wincx);
-SECKEYPrivateKey * PK11_FindKeyByAnyCert(CERTCertificate *cert, void *wincx);
-SECKEYPrivateKey * PK11_FindKeyByKeyID(PK11SlotInfo *slot, SECItem *keyID,
-				       void *wincx);
-int PK11_GetPrivateModulusLen(SECKEYPrivateKey *key); 
-
-/* note: despite the name, this function takes a private key. */
-SECStatus PK11_PubDecryptRaw(SECKEYPrivateKey *key, unsigned char *data,
-   unsigned *outLen, unsigned int maxLen, unsigned char *enc, unsigned encLen);
-#define PK11_PrivDecryptRaw PK11_PubDecryptRaw
-/* The encrypt function that complements the above decrypt function. */
-SECStatus PK11_PubEncryptRaw(SECKEYPublicKey *key, unsigned char *enc,
-                unsigned char *data, unsigned dataLen, void *wincx);
-
-SECStatus PK11_PrivDecryptPKCS1(SECKEYPrivateKey *key, unsigned char *data,
-   unsigned *outLen, unsigned int maxLen, unsigned char *enc, unsigned encLen);
-/* The encrypt function that complements the above decrypt function. */
-SECStatus PK11_PubEncryptPKCS1(SECKEYPublicKey *key, unsigned char *enc,
-                unsigned char *data, unsigned dataLen, void *wincx);
-
-SECStatus PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot, 
-		SECKEYPrivateKeyInfo *pki, SECItem *nickname,
-		SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
-		unsigned int usage, void *wincx);
-SECStatus PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, 
-		SECKEYPrivateKeyInfo *pki, SECItem *nickname,
-		SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
-		unsigned int usage, SECKEYPrivateKey** privk, void *wincx);
-SECStatus PK11_ImportDERPrivateKeyInfo(PK11SlotInfo *slot, 
-		SECItem *derPKI, SECItem *nickname,
-		SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
-		unsigned int usage, void *wincx);
-SECStatus PK11_ImportDERPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, 
-		SECItem *derPKI, SECItem *nickname,
-		SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
-		unsigned int usage, SECKEYPrivateKey** privk, void *wincx);
-SECStatus PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot, 
-		SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem, 
-		SECItem *nickname, SECItem *publicValue, PRBool isPerm,
-		PRBool isPrivate, KeyType type, 
-		unsigned int usage, void *wincx);
-SECKEYPrivateKeyInfo *PK11_ExportPrivateKeyInfo(
-		CERTCertificate *cert, void *wincx);
-SECKEYEncryptedPrivateKeyInfo *PK11_ExportEncryptedPrivKeyInfo(
-		PK11SlotInfo *slot, SECOidTag algTag, SECItem *pwitem,
-		SECKEYPrivateKey *pk, int iteration, void *wincx);
-SECKEYEncryptedPrivateKeyInfo *PK11_ExportEncryptedPrivateKeyInfo(
-		PK11SlotInfo *slot, SECOidTag algTag, SECItem *pwitem,
-		CERTCertificate *cert, int iteration, void *wincx);
-SECKEYPrivateKey *PK11_FindKeyByDERCert(PK11SlotInfo *slot, 
-					CERTCertificate *cert, void *wincx);
-SECKEYPublicKey *PK11_MakeKEAPubKey(unsigned char *data, int length);
-SECStatus PK11_DigestKey(PK11Context *context, PK11SymKey *key);
-PRBool PK11_VerifyKeyOK(PK11SymKey *key);
-SECKEYPrivateKey *PK11_UnwrapPrivKey(PK11SlotInfo *slot, 
-		PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType,
-		SECItem *param, SECItem *wrappedKey, SECItem *label, 
-		SECItem *publicValue, PRBool token, PRBool sensitive,
-		CK_KEY_TYPE keyType, CK_ATTRIBUTE_TYPE *usage, int usageCount,
-		void *wincx);
-SECStatus PK11_WrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey,
-			   SECKEYPrivateKey *privKey, CK_MECHANISM_TYPE wrapType,
-			   SECItem *param, SECItem *wrappedKey, void *wincx);
-SECItem* PK11_DEREncodePublicKey(SECKEYPublicKey *pubk);
-PK11SymKey* PK11_CopySymKeyForSigning(PK11SymKey *originalKey,
-	CK_MECHANISM_TYPE mech);
-SECKEYPrivateKeyList* PK11_ListPrivKeysInSlot(PK11SlotInfo *slot,
-						 char *nickname, void *wincx);
-SECKEYPublicKeyList* PK11_ListPublicKeysInSlot(PK11SlotInfo *slot,
-							char *nickname);
-SECKEYPQGParams *PK11_GetPQGParamsFromPrivateKey(SECKEYPrivateKey *privKey);
-/* depricated */
-SECKEYPrivateKeyList* PK11_ListPrivateKeysInSlot(PK11SlotInfo *slot);
-
-PK11SymKey *PK11_ConvertSessionSymKeyToTokenSymKey(PK11SymKey *symk,
-	void *wincx);
-SECKEYPrivateKey *PK11_ConvertSessionPrivKeyToTokenPrivKey(
-	SECKEYPrivateKey *privk, void* wincx);
-SECKEYPrivateKey * PK11_CopyTokenPrivKeyToSessionPrivKey(PK11SlotInfo *destSlot,
-				      SECKEYPrivateKey *privKey);
-
-/**********************************************************************
- *                   Certs
- **********************************************************************/
-SECItem *PK11_MakeIDFromPubKey(SECItem *pubKeyData);
-SECStatus PK11_TraverseSlotCerts(
-     SECStatus(* callback)(CERTCertificate*,SECItem *,void *),
-                                                void *arg, void *wincx);
-CERTCertificate * PK11_FindCertFromNickname(char *nickname, void *wincx);
-CERTCertList * PK11_FindCertsFromNickname(char *nickname, void *wincx);
-CERTCertificate *PK11_GetCertFromPrivateKey(SECKEYPrivateKey *privKey);
-SECStatus PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert,
-                CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust);
-SECStatus PK11_ImportDERCert(PK11SlotInfo *slot, SECItem *derCert,
-                CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust);
-PK11SlotInfo *PK11_ImportCertForKey(CERTCertificate *cert, char *nickname,
-								void *wincx);
-PK11SlotInfo *PK11_ImportDERCertForKey(SECItem *derCert, char *nickname,
-								void *wincx);
-PK11SlotInfo *PK11_KeyForCertExists(CERTCertificate *cert,
-					CK_OBJECT_HANDLE *keyPtr, void *wincx);
-PK11SlotInfo *PK11_KeyForDERCertExists(SECItem *derCert,
-					CK_OBJECT_HANDLE *keyPtr, void *wincx);
-CERTCertificate * PK11_FindCertByIssuerAndSN(PK11SlotInfo **slot,
-					CERTIssuerAndSN *sn, void *wincx);
-CERTCertificate * PK11_FindCertAndKeyByRecipientList(PK11SlotInfo **slot,
-	SEC_PKCS7RecipientInfo **array, SEC_PKCS7RecipientInfo **rip,
-				SECKEYPrivateKey**privKey, void *wincx);
-int PK11_FindCertAndKeyByRecipientListNew(NSSCMSRecipient **recipientlist,
-				void *wincx);
-SECStatus PK11_TraverseCertsForSubjectInSlot(CERTCertificate *cert,
-	PK11SlotInfo *slot, SECStatus(*callback)(CERTCertificate *, void *),
-	void *arg);
-CERTCertificate *PK11_FindCertFromDERCert(PK11SlotInfo *slot, 
-					  CERTCertificate *cert, void *wincx);
-SECStatus PK11_ImportCertForKeyToSlot(PK11SlotInfo *slot, CERTCertificate *cert,
-					char *nickname, PRBool addUsage,
-					void *wincx);
-CERTCertificate *PK11_FindBestKEAMatch(CERTCertificate *serverCert,void *wincx);
-PRBool PK11_FortezzaHasKEA(CERTCertificate *cert);
-CK_OBJECT_HANDLE PK11_FindCertInSlot(PK11SlotInfo *slot, CERTCertificate *cert,
-				     void *wincx);
-SECStatus PK11_TraverseCertsForNicknameInSlot(SECItem *nickname,
-	PK11SlotInfo *slot, SECStatus(*callback)(CERTCertificate *, void *),
-	void *arg);
-CERTCertList * PK11_ListCerts(PK11CertListType type, void *pwarg);
-CERTCertList * PK11_ListCertsInSlot(PK11SlotInfo *slot);
-CERTSignedCrl* PK11_ImportCRL(PK11SlotInfo * slot, SECItem *derCRL, char *url,
-    int type, void *wincx, PRInt32 importOptions, PRArenaPool* arena, PRInt32 decodeOptions);
-
-/**********************************************************************
- *                   Sign/Verify 
- **********************************************************************/
-int PK11_SignatureLen(SECKEYPrivateKey *key);
-PK11SlotInfo * PK11_GetSlotFromPrivateKey(SECKEYPrivateKey *key);
-SECStatus PK11_Sign(SECKEYPrivateKey *key, SECItem *sig, SECItem *hash);
-SECStatus PK11_VerifyRecover(SECKEYPublicKey *key, SECItem *sig,
-						 SECItem *dsig, void * wincx);
-SECStatus PK11_Verify(SECKEYPublicKey *key, SECItem *sig, 
-						SECItem *hash, void *wincx);
-
-
-
-/**********************************************************************
- *                   Crypto Contexts
- **********************************************************************/
-void PK11_DestroyContext(PK11Context *context, PRBool freeit);
-PK11Context *PK11_CreateContextBySymKey(CK_MECHANISM_TYPE type,
-	CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey, SECItem *param);
-PK11Context *PK11_CreateDigestContext(SECOidTag hashAlg);
-PK11Context *PK11_CloneContext(PK11Context *old);
-SECStatus PK11_DigestBegin(PK11Context *cx);
-/*
- * The output buffer 'out' must be big enough to hold the output of
- * the hash algorithm 'hashAlg'.
- */
-SECStatus PK11_HashBuf(SECOidTag hashAlg, unsigned char *out, unsigned char *in,
-					int32 len);
-SECStatus PK11_DigestOp(PK11Context *context, const unsigned char *in, 
-                        unsigned len);
-SECStatus PK11_CipherOp(PK11Context *context, unsigned char * out, int *outlen, 
-				int maxout, unsigned char *in, int inlen);
-SECStatus PK11_Finalize(PK11Context *context);
-SECStatus PK11_DigestFinal(PK11Context *context, unsigned char *data, 
-				unsigned int *outLen, unsigned int length);
-SECStatus PK11_SaveContext(PK11Context *cx,unsigned char *save,
-						int *len, int saveLength);
-
-/* Save the context's state, with possible allocation.
- * The caller may supply an already allocated buffer in preAllocBuf,
- * with length pabLen.  If the buffer is large enough for the context's
- * state, it will receive the state.
- * If the buffer is not large enough (or NULL), then a new buffer will
- * be allocated with PORT_Alloc.
- * In either case, the state will be returned as a buffer, and the length
- * of the state will be given in *stateLen.
- */
-unsigned char *
-PK11_SaveContextAlloc(PK11Context *cx,
-                      unsigned char *preAllocBuf, unsigned int pabLen,
-                      unsigned int *stateLen);
-
-SECStatus PK11_RestoreContext(PK11Context *cx,unsigned char *save,int len);
-SECStatus PK11_GenerateFortezzaIV(PK11SymKey *symKey,unsigned char *iv,int len);
-void PK11_SetFortezzaHack(PK11SymKey *symKey) ;
-
-
-/**********************************************************************
- *                   PBE functions 
- **********************************************************************/
-
-/* This function creates PBE parameters from the given inputs.  The result
- * can be used to create a password integrity key for PKCS#12, by sending
- * the return value to PK11_KeyGen along with the appropriate mechanism.
- */
-SECItem * 
-PK11_CreatePBEParams(SECItem *salt, SECItem *pwd, unsigned int iterations);
-
-/* free params created above (can be called after keygen is done */
-void PK11_DestroyPBEParams(SECItem *params);
-
-SECAlgorithmID *
-PK11_CreatePBEAlgorithmID(SECOidTag algorithm, int iteration, SECItem *salt);
-PK11SymKey *
-PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid,  SECItem *pwitem,
-	       PRBool faulty3DES, void *wincx);
-PK11SymKey *
-PK11_RawPBEKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *params,
-		SECItem *pwitem, PRBool faulty3DES, void *wincx);
-SECItem *
-PK11_GetPBEIV(SECAlgorithmID *algid, SECItem *pwitem);
-
-/**********************************************************************
- * Functions to manage secmod flags
- **********************************************************************/
-PK11DefaultArrayEntry * PK11_GetDefaultArray(int *);
-SECStatus PK11_UpdateSlotAttribute(PK11SlotInfo *, PK11DefaultArrayEntry *,
-							PRBool );
-
-/**********************************************************************
- * Functions to look at PKCS #11 dependent data
- **********************************************************************/
-PK11GenericObject *PK11_FindGenericObjects(PK11SlotInfo *slot, 
-						CK_OBJECT_CLASS objClass);
-PK11GenericObject *PK11_GetNextGenericObject(PK11GenericObject *object);
-PK11GenericObject *PK11_GetPrevGenericObject(PK11GenericObject *object);
-SECStatus PK11_UnlinkGenericObject(PK11GenericObject *object);
-SECStatus PK11_LinkGenericObject(PK11GenericObject *list,
-				 PK11GenericObject *object);
-SECStatus PK11_DestroyGenericObjects(PK11GenericObject *object);
-SECStatus PK11_DestroyGenericObject(PK11GenericObject *object);
-SECStatus PK11_ReadRawAttribute(PK11ObjectType type, void *object, 
-				CK_ATTRIBUTE_TYPE attr, SECItem *item);
-
-
-/**********************************************************************
- * New fucntions which are already depricated....
- **********************************************************************/
-SECItem *
-PK11_GetLowLevelKeyIDForCert(PK11SlotInfo *slot,
-					CERTCertificate *cert, void *pwarg);
-SECItem *
-PK11_GetLowLevelKeyIDForPrivateKey(SECKEYPrivateKey *key);
-
-PRBool SECMOD_HasRootCerts(void);
-
-SEC_END_PROTOS
-
-#endif
diff --git a/security/nss/lib/pk11wrap/pk11sdr.c b/security/nss/lib/pk11wrap/pk11sdr.c
deleted file mode 100644
index 2360c2b56..000000000
--- a/security/nss/lib/pk11wrap/pk11sdr.c
+++ /dev/null
@@ -1,322 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   thayes@netscape.com
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "seccomon.h"
-#include "secoid.h"
-#include "secasn1.h"
-#include "pkcs11.h"
-#include "pk11func.h"
-#include "pk11sdr.h"
-
-/*
- * Data structure and template for encoding the result of an SDR operation
- *  This is temporary.  It should include the algorithm ID of the encryption mechanism
- */
-struct SDRResult
-{
-  SECItem keyid;
-  SECAlgorithmID alg;
-  SECItem data;
-};
-typedef struct SDRResult SDRResult;
-
-static SEC_ASN1Template template[] = {
-  { SEC_ASN1_SEQUENCE, 0, NULL, sizeof (SDRResult) },
-  { SEC_ASN1_OCTET_STRING, offsetof(SDRResult, keyid) },
-  { SEC_ASN1_INLINE, offsetof(SDRResult, alg), SECOID_AlgorithmIDTemplate },
-  { SEC_ASN1_OCTET_STRING, offsetof(SDRResult, data) },
-  { 0 }
-};
-
-static unsigned char keyID[] = {
-  0xF8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
-};
-
-static SECItem keyIDItem = {
-  0,
-  keyID,
-  sizeof keyID
-};
-
-/* local utility function for padding an incoming data block
- * to the mechanism block size.
- */
-static SECStatus
-padBlock(SECItem *data, int blockSize, SECItem *result)
-{
-  SECStatus rv = SECSuccess;
-  int padLength;
-  unsigned int i;
-
-  result->data = 0;
-  result->len = 0;
-
-  /* This algorithm always adds to the block (to indicate the number
-   * of pad bytes).  So allocate a block large enough.
-   */
-  padLength = blockSize - (data->len % blockSize);
-  result->len = data->len + padLength;
-  result->data = (unsigned char *)PORT_Alloc(result->len);
-
-  /* Copy the data */
-  PORT_Memcpy(result->data, data->data, data->len);
-
-  /* Add the pad values */
-  for(i = data->len; i < result->len; i++)
-    result->data[i] = (unsigned char)padLength;
-
-  return rv;
-}
-
-static SECStatus
-unpadBlock(SECItem *data, int blockSize, SECItem *result)
-{
-  SECStatus rv = SECSuccess;
-  int padLength;
-
-  result->data = 0;
-  result->len = 0;
-
-  /* Remove the padding from the end if the input data */
-  if (data->len == 0 || data->len % blockSize  != 0) { rv = SECFailure; goto loser; }
-
-  padLength = data->data[data->len-1];
-  if (padLength > blockSize) { rv = SECFailure; goto loser; }
-
-  result->len = data->len - padLength;
-  result->data = (unsigned char *)PORT_Alloc(result->len);
-  if (!result->data) { rv = SECFailure; goto loser; }
-
-  PORT_Memcpy(result->data, data->data, result->len);
-
-loser:
-  return rv;
-}
-
-static PRLock *pk11sdrLock = NULL;
-
-void
-pk11sdr_Init (void)
-{
-   pk11sdrLock = PR_NewLock();
-}
-
-void
-pk11sdr_Shutdown(void)
-{
-    if (pk11sdrLock) {
-	PR_DestroyLock(pk11sdrLock);
-	pk11sdrLock = NULL;
-    }
-}
-
-/*
- * PK11SDR_Encrypt
- *  Encrypt a block of data using the symmetric key identified.  The result
- *  is an ASN.1 (DER) encoded block of keyid, params and data.
- */
-SECStatus
-PK11SDR_Encrypt(SECItem *keyid, SECItem *data, SECItem *result, void *cx)
-{
-  SECStatus rv = SECSuccess;
-  PK11SlotInfo *slot = 0;
-  PK11SymKey *key = 0;
-  SECItem *params = 0;
-  PK11Context *ctx = 0;
-  CK_MECHANISM_TYPE type;
-  SDRResult sdrResult;
-  SECItem paddedData;
-  SECItem *pKeyID;
-  PLArenaPool *arena = 0;
-
-  /* Initialize */
-  paddedData.len = 0;
-  paddedData.data = 0;
-
-  arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
-  if (!arena) { rv = SECFailure; goto loser; }
-
-  /* 1. Locate the requested keyid, or the default key (which has a keyid)
-   * 2. Create an encryption context
-   * 3. Encrypt
-   * 4. Encode the results (using ASN.1)
-   */
-
-  slot = PK11_GetInternalKeySlot();
-  if (!slot) { rv = SECFailure; goto loser; }
-
-  /* Use triple-DES */
-  type = CKM_DES3_CBC;
-
-  /*
-   * Login to the internal token before we look for the key, otherwise we
-   * won't find it.
-   */
-  rv = PK11_Authenticate(slot, PR_TRUE, cx);
-  if (rv != SECSuccess) goto loser;
-
-  /* Find the key to use */
-  pKeyID = keyid;
-  if (pKeyID->len == 0) {
-	  pKeyID = &keyIDItem;  /* Use default value */
-
-	  /* put in a course lock to prevent a race between not finding the 
-	   * key and creating  one.
-	   */
-
-	  if (pk11sdrLock) PR_Lock(pk11sdrLock);
-
-	  /* Try to find the key */
-	  key = PK11_FindFixedKey(slot, type, pKeyID, cx);
-	  
-	  /* If the default key doesn't exist yet, try to create it */
-	  if (!key) key = PK11_GenDES3TokenKey(slot, pKeyID, cx);
-	  if (pk11sdrLock) PR_Unlock(pk11sdrLock);
-  } else {
-	  key = PK11_FindFixedKey(slot, type, pKeyID, cx);
-  }
-
-  if (!key) { rv = SECFailure; goto loser; }
-
-  params = PK11_GenerateNewParam(type, key);
-  if (!params) { rv = SECFailure; goto loser; }
-
-  ctx = PK11_CreateContextBySymKey(type, CKA_ENCRYPT, key, params);
-  if (!ctx) { rv = SECFailure; goto loser; }
-
-  rv = padBlock(data, PK11_GetBlockSize(type, 0), &paddedData);
-  if (rv != SECSuccess) goto loser;
-
-  sdrResult.data.len = paddedData.len;
-  sdrResult.data.data = (unsigned char *)PORT_ArenaAlloc(arena, sdrResult.data.len);
-
-  rv = PK11_CipherOp(ctx, sdrResult.data.data, (int*)&sdrResult.data.len, sdrResult.data.len,
-                     paddedData.data, paddedData.len);
-  if (rv != SECSuccess) goto loser;
-
-  PK11_Finalize(ctx);
-
-  sdrResult.keyid = *pKeyID;
-
-  rv = PK11_ParamToAlgid(SEC_OID_DES_EDE3_CBC, params, arena, &sdrResult.alg);
-  if (rv != SECSuccess) goto loser;
-
-  if (!SEC_ASN1EncodeItem(0, result, &sdrResult, template)) { rv = SECFailure; goto loser; }
-
-loser:
-  SECITEM_ZfreeItem(&paddedData, PR_FALSE);
-  if (arena) PORT_FreeArena(arena, PR_TRUE);
-  if (ctx) PK11_DestroyContext(ctx, PR_TRUE);
-  if (params) SECITEM_ZfreeItem(params, PR_TRUE);
-  if (key) PK11_FreeSymKey(key);
-  if (slot) PK11_FreeSlot(slot);
-
-  return rv;
-}
-
-/*
- * PK11SDR_Decrypt
- *  Decrypt a block of data produced by PK11SDR_Encrypt.  The key used is identified
- *  by the keyid field within the input.
- */
-SECStatus
-PK11SDR_Decrypt(SECItem *data, SECItem *result, void *cx)
-{
-  SECStatus rv = SECSuccess;
-  PK11SlotInfo *slot = 0;
-  PK11SymKey *key = 0;
-  PK11Context *ctx = 0;
-  CK_MECHANISM_TYPE type;
-  SDRResult sdrResult;
-  SECItem *params = 0;
-  SECItem paddedResult;
-  PLArenaPool *arena = 0;
-
-  paddedResult.len = 0;
-  paddedResult.data = 0;
-
-  arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
-  if (!arena) { rv = SECFailure; goto loser; }
-
-  /* Decode the incoming data */
-  memset(&sdrResult, 0, sizeof sdrResult);
-  rv = SEC_QuickDERDecodeItem(arena, &sdrResult, template, data);
-  if (rv != SECSuccess) goto loser;  /* Invalid format */
-
-  /* Find the slot and key for the given keyid */
-  slot = PK11_GetInternalKeySlot();
-  if (!slot) { rv = SECFailure; goto loser; }
-
-  rv = PK11_Authenticate(slot, PR_TRUE, cx);
-  if (rv != SECSuccess) goto loser;
-
-  /* Use triple-DES (Should look up the algorithm) */
-  type = CKM_DES3_CBC;
-  key = PK11_FindFixedKey(slot, type, &sdrResult.keyid, cx);
-  if (!key) { rv = SECFailure; goto loser; }
-
-  /* Get the parameter values from the data */
-  params = PK11_ParamFromAlgid(&sdrResult.alg);
-  if (!params) { rv = SECFailure; goto loser; }
-
-  ctx = PK11_CreateContextBySymKey(type, CKA_DECRYPT, key, params);
-  if (!ctx) { rv = SECFailure; goto loser; }
-
-  paddedResult.len = sdrResult.data.len;
-  paddedResult.data = PORT_ArenaAlloc(arena, paddedResult.len);
-
-  rv = PK11_CipherOp(ctx, paddedResult.data, (int*)&paddedResult.len, paddedResult.len,
-                     sdrResult.data.data, sdrResult.data.len);
-  if (rv != SECSuccess) goto loser;
-
-  PK11_Finalize(ctx);
-
-  /* Remove the padding */
-  rv = unpadBlock(&paddedResult, PK11_GetBlockSize(type, 0), result);
-  if (rv) goto loser;
-
-loser:
-  /* SECITEM_ZfreeItem(&paddedResult, PR_FALSE); */
-  if (arena) PORT_FreeArena(arena, PR_TRUE);
-  if (ctx) PK11_DestroyContext(ctx, PR_TRUE);
-  if (key) PK11_FreeSymKey(key);
-  if (params) SECITEM_ZfreeItem(params, PR_TRUE);
-  if (slot) PK11_FreeSlot(slot);
-
-  return rv;
-}
diff --git a/security/nss/lib/pk11wrap/pk11sdr.h b/security/nss/lib/pk11wrap/pk11sdr.h
deleted file mode 100644
index 488bd7d99..000000000
--- a/security/nss/lib/pk11wrap/pk11sdr.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef _PK11SDR_H_
-#define _PK11SDR_H_
-
-#include "seccomon.h"
-
-SEC_BEGIN_PROTOS
-
-/*
- * PK11SDR_Encrypt - encrypt data using the specified key id or SDR default
- *
- */
-SECStatus
-PK11SDR_Encrypt(SECItem *keyid, SECItem *data, SECItem *result, void *cx);
-
-/*
- * PK11SDR_Decrypt - decrypt data previously encrypted with PK11SDR_Encrypt
- */
-SECStatus
-PK11SDR_Decrypt(SECItem *data, SECItem *result, void *cx);
-
-SEC_END_PROTOS
-
-#endif
diff --git a/security/nss/lib/pk11wrap/pk11skey.c b/security/nss/lib/pk11wrap/pk11skey.c
deleted file mode 100644
index ce5cbd811..000000000
--- a/security/nss/lib/pk11wrap/pk11skey.c
+++ /dev/null
@@ -1,2167 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com> and
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * This file implements the Symkey wrapper and the PKCS context
- * Interfaces.
- */
-
-#include "seccomon.h"
-#include "secmod.h"
-#include "nssilock.h"
-#include "secmodi.h"
-#include "secmodti.h"
-#include "pkcs11.h"
-#include "pk11func.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "secerr.h"
-
-/* forward static declarations. */
-static PK11SymKey *pk11_DeriveWithTemplate(PK11SymKey *baseKey, 
-	CK_MECHANISM_TYPE derive, SECItem *param, CK_MECHANISM_TYPE target, 
-	CK_ATTRIBUTE_TYPE operation, int keySize, CK_ATTRIBUTE *userAttr, 
-	unsigned int numAttrs, PRBool isPerm);
-
-static void
-pk11_EnterKeyMonitor(PK11SymKey *symKey) {
-    if (!symKey->sessionOwner || !(symKey->slot->isThreadSafe)) 
-	PK11_EnterSlotMonitor(symKey->slot);
-}
-
-static void
-pk11_ExitKeyMonitor(PK11SymKey *symKey) {
-    if (!symKey->sessionOwner || !(symKey->slot->isThreadSafe)) 
-    	PK11_ExitSlotMonitor(symKey->slot);
-}
-
-/*
- * pk11_getKeyFromList returns a symKey that has a session (if needSession
- * was specified), or explicitly does not have a session (if needSession
- * was not specified).
- */
-static PK11SymKey *
-pk11_getKeyFromList(PK11SlotInfo *slot, PRBool needSession) {
-    PK11SymKey *symKey = NULL;
-
-    PZ_Lock(slot->freeListLock);
-    /* own session list are symkeys with sessions that the symkey owns.
-     * 'most' symkeys will own their own session. */
-    if (needSession) {
-	if (slot->freeSymKeysWithSessionHead) {
-    	    symKey = slot->freeSymKeysWithSessionHead;
-	    slot->freeSymKeysWithSessionHead = symKey->next;
-	    slot->keyCount--;
-	}
-    }
-    /* if we don't need a symkey with its own session, or we couldn't find
-     * one on the owner list, get one from the non-owner free list. */
-    if (!symKey) {
-	if (slot->freeSymKeysHead) {
-    	    symKey = slot->freeSymKeysHead;
-	    slot->freeSymKeysHead = symKey->next;
-	    slot->keyCount--;
-	}
-    }
-    PZ_Unlock(slot->freeListLock);
-    if (symKey) {
-	symKey->next = NULL;
-	if (!needSession) {
-	    return symKey;
-	}
-	/* if we are getting an owner key, make sure we have a valid session.
-         * session could be invalid if the token has been removed or because
-         * we got it from the non-owner free list */
-	if ((symKey->series != slot->series) || 
-			 (symKey->session == CK_INVALID_SESSION)) {
-	    symKey->session = pk11_GetNewSession(slot, &symKey->sessionOwner);
-	}
-	PORT_Assert(symKey->session != CK_INVALID_SESSION);
-	if (symKey->session != CK_INVALID_SESSION)
-	    return symKey;
-	PK11_FreeSymKey(symKey);
-	/* if we are here, we need a session, but couldn't get one, it's 
-	 * unlikely we pk11_GetNewSession will succeed if we call it a second
-	 * time. */
-	return NULL;
-    }
-
-    symKey = PORT_New(PK11SymKey);
-    if (symKey == NULL) {
-	return NULL;
-    }
-
-    symKey->next = NULL;
-    if (needSession) {
-	symKey->session = pk11_GetNewSession(slot,&symKey->sessionOwner);
-	PORT_Assert(symKey->session != CK_INVALID_SESSION);
-        if (symKey->session == CK_INVALID_SESSION) {
-	    PK11_FreeSymKey(symKey);
-	    symKey = NULL;
-	}
-    } else {
-	symKey->session = CK_INVALID_SESSION;
-    }
-    return symKey;
-}
-
-/* Caller MUST hold slot->freeListLock (or ref count == 0?) !! */
-void
-PK11_CleanKeyList(PK11SlotInfo *slot)
-{
-    PK11SymKey *symKey = NULL;
-
-    while (slot->freeSymKeysWithSessionHead) {
-    	symKey = slot->freeSymKeysWithSessionHead;
-	slot->freeSymKeysWithSessionHead = symKey->next;
-	pk11_CloseSession(slot, symKey->session, symKey->sessionOwner);
-	PORT_Free(symKey);
-    }
-    while (slot->freeSymKeysHead) {
-    	symKey = slot->freeSymKeysHead;
-	slot->freeSymKeysHead = symKey->next;
-	pk11_CloseSession(slot, symKey->session, symKey->sessionOwner);
-	PORT_Free(symKey);
-    }
-    return;
-}
-
-/*
- * create a symetric key:
- *      Slot is the slot to create the key in.
- *      type is the mechanism type 
- *      owner is does this symKey structure own it's object handle (rare
- *        that this is false).
- *      needSession means the returned symKey will return with a valid session
- *        allocated already.
- */
-static PK11SymKey *
-pk11_CreateSymKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, 
-		  PRBool owner, PRBool needSession, void *wincx)
-{
-
-    PK11SymKey *symKey = pk11_getKeyFromList(slot, needSession);
-
-    if (symKey == NULL) {
-	return NULL;
-    }
-    /* if needSession was specified, make sure we have a valid session.
-     * callers which specify needSession as false should do their own
-     * check of the session before returning the symKey */
-    if (needSession && symKey->session == CK_INVALID_SESSION) {
-    	PK11_FreeSymKey(symKey);
-	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	return NULL;
-    }
-
-    symKey->type = type;
-    symKey->data.type = siBuffer;
-    symKey->data.data = NULL;
-    symKey->data.len = 0;
-    symKey->owner = owner;
-    symKey->objectID = CK_INVALID_HANDLE;
-    symKey->slot = slot;
-    symKey->series = slot->series;
-    symKey->cx = wincx;
-    symKey->size = 0;
-    symKey->refCount = 1;
-    symKey->origin = PK11_OriginNULL;
-    symKey->parent = NULL;
-    symKey->freeFunc = NULL;
-    symKey->userData = NULL;
-    PK11_ReferenceSlot(slot);
-    return symKey;
-}
-
-/*
- * destroy a symetric key
- */
-void
-PK11_FreeSymKey(PK11SymKey *symKey)
-{
-    PK11SlotInfo *slot;
-    PRBool freeit = PR_TRUE;
-
-    if (PR_AtomicDecrement(&symKey->refCount) == 0) {
-	PK11SymKey *parent = symKey->parent;
-
-	symKey->parent = NULL;
-	if ((symKey->owner) && symKey->objectID != CK_INVALID_HANDLE) {
-	    pk11_EnterKeyMonitor(symKey);
-	    (void) PK11_GETTAB(symKey->slot)->
-		C_DestroyObject(symKey->session, symKey->objectID);
-	    pk11_ExitKeyMonitor(symKey);
-	}
-	if (symKey->data.data) {
-	    PORT_Memset(symKey->data.data, 0, symKey->data.len);
-	    PORT_Free(symKey->data.data);
-	}
-	/* free any existing data */
-	if (symKey->userData && symKey->freeFunc) {
-	    (*symKey->freeFunc)(symKey->userData);
-	}
-        slot = symKey->slot;
-        PZ_Lock(slot->freeListLock);
-	if (slot->keyCount < slot->maxKeyCount) {
-	    /* 
-             * freeSymkeysWithSessionHead contain a list of reusable
-	     *  SymKey structures with valid sessions.
-	     *    sessionOwner must be true.
-             *    session must be valid.
-             * freeSymKeysHead contain a list of SymKey structures without
-             *  valid session.
-             *    session must be CK_INVALID_SESSION.
-	     *    though sessionOwner is false, callers should not depend on
-	     *    this fact.
-	     */
-	    if (symKey->sessionOwner) {
-		PORT_Assert (symKey->session != CK_INVALID_SESSION);
-		symKey->next = slot->freeSymKeysWithSessionHead;
-		slot->freeSymKeysWithSessionHead = symKey;
-	    } else {
-		symKey->session = CK_INVALID_SESSION;
-		symKey->next = slot->freeSymKeysHead;
-		slot->freeSymKeysHead = symKey;
-	    }
-	    slot->keyCount++;
-	    symKey->slot = NULL;
-	    freeit = PR_FALSE;
-        }
-	PZ_Unlock(slot->freeListLock);
-        if (freeit) {
-	    pk11_CloseSession(symKey->slot, symKey->session,
-							symKey->sessionOwner);
-	    PORT_Free(symKey);
-	}
-	PK11_FreeSlot(slot);
-
-	if (parent) {
-	    PK11_FreeSymKey(parent);
-	}
-    }
-}
-
-PK11SymKey *
-PK11_ReferenceSymKey(PK11SymKey *symKey)
-{
-    PR_AtomicIncrement(&symKey->refCount);
-    return symKey;
-}
-
-/*
- * Accessors
- */
-CK_MECHANISM_TYPE
-PK11_GetMechanism(PK11SymKey *symKey)
-{
-    return symKey->type;
-}
-
-/*
- * return the slot associated with a symetric key
- */
-PK11SlotInfo *
-PK11_GetSlotFromKey(PK11SymKey *symKey)
-{
-    return PK11_ReferenceSlot(symKey->slot);
-}
-
-CK_KEY_TYPE PK11_GetSymKeyType(PK11SymKey *symKey)
-{
-    return PK11_GetKeyType(symKey->type,symKey->size);
-}
-
-PK11SymKey *
-PK11_GetNextSymKey(PK11SymKey *symKey)
-{
-    return symKey ? symKey->next : NULL;
-}
-
-char *
-PK11_GetSymKeyNickname(PK11SymKey *symKey)
-{
-    return PK11_GetObjectNickname(symKey->slot,symKey->objectID);
-}
-
-SECStatus
-PK11_SetSymKeyNickname(PK11SymKey *symKey, const char *nickname)
-{
-    return PK11_SetObjectNickname(symKey->slot,symKey->objectID,nickname);
-}
-
-void *
-PK11_GetSymKeyUserData(PK11SymKey *symKey)
-{
-    return symKey->userData;
-}
-
-void
-PK11_SetSymKeyUserData(PK11SymKey *symKey, void *userData, 
-                                              PK11FreeDataFunc freeFunc)
-{
-    /* free any existing data */
-    if (symKey->userData && symKey->freeFunc) {
-	(*symKey->freeFunc)(symKey->userData);
-    }
-    symKey->userData = userData;
-    symKey->freeFunc = freeFunc;
-    return;
-}
-
-/*
- * turn key handle into an appropriate key object
- */
-PK11SymKey *
-PK11_SymKeyFromHandle(PK11SlotInfo *slot, PK11SymKey *parent, PK11Origin origin,
-    CK_MECHANISM_TYPE type, CK_OBJECT_HANDLE keyID, PRBool owner, void *wincx)
-{
-    PK11SymKey *symKey;
-    PRBool needSession = !(owner && parent);
-
-    if (keyID == CK_INVALID_HANDLE) {
-	return NULL;
-    }
-
-    symKey = pk11_CreateSymKey(slot, type, owner, needSession, wincx);
-    if (symKey == NULL) {
-	return NULL;
-    }
-
-    symKey->objectID = keyID;
-    symKey->origin = origin;
-
-    /* adopt the parent's session */
-    /* This is only used by SSL. What we really want here is a session
-     * structure with a ref count so  the session goes away only after all the
-     * keys do. */
-    if (!needSession) {
-	symKey->sessionOwner = PR_FALSE;
-	symKey->session = parent->session;
-	symKey->parent = PK11_ReferenceSymKey(parent);
-        /* This is the only case where pk11_CreateSymKey does not explicitly
-	 * check symKey->session. We need to assert here to make sure.
-	 * the session isn't invalid. */
-	PORT_Assert(parent->session != CK_INVALID_SESSION);
-	if (parent->session == CK_INVALID_SESSION) {
-	    PK11_FreeSymKey(symKey);
-	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	    return NULL;
-	}
-    }
-
-    return symKey;
-}
-
-/*
- * turn key handle into an appropriate key object
- */
-PK11SymKey *
-PK11_GetWrapKey(PK11SlotInfo *slot, int wrap, CK_MECHANISM_TYPE type,
-						    int series, void *wincx)
-{
-    PK11SymKey *symKey = NULL;
-
-    if (slot->series != series) return NULL;
-    if (slot->refKeys[wrap] == CK_INVALID_HANDLE) return NULL;
-    if (type == CKM_INVALID_MECHANISM) type = slot->wrapMechanism;
-
-    symKey = PK11_SymKeyFromHandle(slot, NULL, PK11_OriginDerive,
-		 slot->wrapMechanism, slot->refKeys[wrap], PR_FALSE, wincx);
-    return symKey;
-}
-
-/*
- * This function is not thread-safe because it sets wrapKey->sessionOwner
- * without using a lock or atomic routine.  It can only be called when
- * only one thread has a reference to wrapKey.
- */
-void
-PK11_SetWrapKey(PK11SlotInfo *slot, int wrap, PK11SymKey *wrapKey)
-{
-    /* save the handle and mechanism for the wrapping key */
-    /* mark the key and session as not owned by us to they don't get freed
-     * when the key goes way... that lets us reuse the key later */
-    slot->refKeys[wrap] = wrapKey->objectID;
-    wrapKey->owner = PR_FALSE;
-    wrapKey->sessionOwner = PR_FALSE;
-    slot->wrapMechanism = wrapKey->type;
-}
-
-
-/*
- * figure out if a key is still valid or if it is stale.
- */
-PRBool
-PK11_VerifyKeyOK(PK11SymKey *key) {
-    if (!PK11_IsPresent(key->slot)) {
-	return PR_FALSE;
-    }
-    return (PRBool)(key->series == key->slot->series);
-}
-
-static PK11SymKey *
-pk11_ImportSymKeyWithTempl(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
-                  PK11Origin origin, PRBool isToken, CK_ATTRIBUTE *keyTemplate,
-		  unsigned int templateCount, SECItem *key, void *wincx)
-{
-    PK11SymKey *    symKey;
-    SECStatus	    rv;
-
-    symKey = pk11_CreateSymKey(slot, type, !isToken, PR_TRUE, wincx);
-    if (symKey == NULL) {
-	return NULL;
-    }
-
-    symKey->size = key->len;
-
-    PK11_SETATTRS(&keyTemplate[templateCount], CKA_VALUE, key->data, key->len);
-    templateCount++;
-
-    if (SECITEM_CopyItem(NULL,&symKey->data,key) != SECSuccess) {
-	PK11_FreeSymKey(symKey);
-	return NULL;
-    }
-
-    symKey->origin = origin;
-
-    /* import the keys */
-    rv = PK11_CreateNewObject(slot, symKey->session, keyTemplate,
-		 	templateCount, isToken, &symKey->objectID);
-    if ( rv != SECSuccess) {
-	PK11_FreeSymKey(symKey);
-	return NULL;
-    }
-
-    return symKey;
-}
-
-/*
- * turn key bits into an appropriate key object
- */
-PK11SymKey *
-PK11_ImportSymKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
-     PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key,void *wincx)
-{
-    PK11SymKey *    symKey;
-    unsigned int    templateCount = 0;
-    CK_OBJECT_CLASS keyClass 	= CKO_SECRET_KEY;
-    CK_KEY_TYPE     keyType 	= CKK_GENERIC_SECRET;
-    CK_BBOOL        cktrue 	= CK_TRUE; /* sigh */
-    CK_ATTRIBUTE    keyTemplate[5];
-    CK_ATTRIBUTE *  attrs 	= keyTemplate;
-
-    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass) ); attrs++;
-    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType) ); attrs++;
-    PK11_SETATTRS(attrs, operation, &cktrue, 1); attrs++;
-    templateCount = attrs - keyTemplate;
-    PR_ASSERT(templateCount+1 <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE));
-
-    keyType = PK11_GetKeyType(type,key->len);
-    symKey = pk11_ImportSymKeyWithTempl(slot, type, origin, PR_FALSE, 
-				keyTemplate, templateCount, key, wincx);
-    return symKey;
-}
-
-
-/*
- * turn key bits into an appropriate key object
- */
-PK11SymKey *
-PK11_ImportSymKeyWithFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
-     PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key,
-     CK_FLAGS flags, PRBool isPerm, void *wincx)
-{
-    PK11SymKey *    symKey;
-    unsigned int    templateCount = 0;
-    CK_OBJECT_CLASS keyClass 	= CKO_SECRET_KEY;
-    CK_KEY_TYPE     keyType 	= CKK_GENERIC_SECRET;
-    CK_BBOOL        cktrue 	= CK_TRUE; /* sigh */
-    CK_ATTRIBUTE    keyTemplate[MAX_TEMPL_ATTRS];
-    CK_ATTRIBUTE *  attrs 	= keyTemplate;
-
-    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass) ); attrs++;
-    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType) ); attrs++;
-    if (isPerm) {
-	PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(cktrue) ); attrs++;
-	/* sigh some tokens think CKA_PRIVATE = false is a reasonable 
-	 * default for secret keys */
-	PK11_SETATTRS(attrs, CKA_PRIVATE, &cktrue, sizeof(cktrue) ); attrs++;
-    }
-    attrs += pk11_OpFlagsToAttributes(flags, attrs, &cktrue);
-    if ((operation != CKA_FLAGS_ONLY) &&
-    	 !pk11_FindAttrInTemplate(keyTemplate, attrs-keyTemplate, operation)) {
-        PK11_SETATTRS(attrs, operation, &cktrue, sizeof(cktrue)); attrs++;
-    }
-    templateCount = attrs - keyTemplate;
-    PR_ASSERT(templateCount+1 <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE));
-
-    keyType = PK11_GetKeyType(type,key->len);
-    symKey = pk11_ImportSymKeyWithTempl(slot, type, origin, isPerm,
-				 keyTemplate, templateCount, key, wincx);
-    if (symKey && isPerm) {
-	symKey->owner = PR_FALSE;
-    }
-    return symKey;
-}
-
-
-PK11SymKey *
-PK11_FindFixedKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *keyID,
-								void *wincx)
-{
-    CK_ATTRIBUTE findTemp[4];
-    CK_ATTRIBUTE *attrs;
-    CK_BBOOL ckTrue = CK_TRUE;
-    CK_OBJECT_CLASS keyclass = CKO_SECRET_KEY;
-    int tsize = 0;
-    CK_OBJECT_HANDLE key_id;
-
-    attrs = findTemp;
-    PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); attrs++;
-    PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); attrs++;
-    if (keyID) {
-        PK11_SETATTRS(attrs, CKA_ID, keyID->data, keyID->len); attrs++;
-    }
-    tsize = attrs - findTemp;
-    PORT_Assert(tsize <= sizeof(findTemp)/sizeof(CK_ATTRIBUTE));
-
-    key_id = pk11_FindObjectByTemplate(slot,findTemp,tsize);
-    if (key_id == CK_INVALID_HANDLE) {
-	return NULL;
-    }
-    return PK11_SymKeyFromHandle(slot, NULL, PK11_OriginDerive, type, key_id,
-		 				PR_FALSE, wincx);
-}
-
-PK11SymKey *
-PK11_ListFixedKeysInSlot(PK11SlotInfo *slot, char *nickname, void *wincx)
-{
-    CK_ATTRIBUTE findTemp[4];
-    CK_ATTRIBUTE *attrs;
-    CK_BBOOL ckTrue = CK_TRUE;
-    CK_OBJECT_CLASS keyclass = CKO_SECRET_KEY;
-    int tsize = 0;
-    int objCount = 0;
-    CK_OBJECT_HANDLE *key_ids;
-    PK11SymKey *nextKey = NULL;
-    PK11SymKey *topKey = NULL;
-    int i,len;
-
-    attrs = findTemp;
-    PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); attrs++;
-    PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); attrs++;
-    if (nickname) {
-	len = PORT_Strlen(nickname);
-	PK11_SETATTRS(attrs, CKA_LABEL, nickname, len); attrs++;
-    }
-    tsize = attrs - findTemp;
-    PORT_Assert(tsize <= sizeof(findTemp)/sizeof(CK_ATTRIBUTE));
-
-    key_ids = pk11_FindObjectsByTemplate(slot,findTemp,tsize,&objCount);
-    if (key_ids == NULL) {
-	return NULL;
-    }
-
-    for (i=0; i < objCount ; i++) {
-	SECItem typeData;
-	CK_KEY_TYPE type = CKK_GENERIC_SECRET;
-        SECStatus rv = PK11_ReadAttribute(slot, key_ids[i], 
-						CKA_KEY_TYPE, NULL, &typeData);
-	if (rv == SECSuccess) {
-	    if (typeData.len == sizeof(CK_KEY_TYPE)) {
-	    	type = *(CK_KEY_TYPE *)typeData.data;
-	    }
-	    PORT_Free(typeData.data);
-	}
-	nextKey = PK11_SymKeyFromHandle(slot, NULL, PK11_OriginDerive, 
-		PK11_GetKeyMechanism(type), key_ids[i], PR_FALSE, wincx);
-	if (nextKey) {
-	    nextKey->next = topKey;
-	    topKey = nextKey;
-	}
-   }
-   PORT_Free(key_ids);
-   return topKey;
-}
-
-void *
-PK11_GetWindow(PK11SymKey *key)
-{
-   return key->cx;
-}
-    
-
-/*
- * extract a symetric key value. NOTE: if the key is sensitive, we will
- * not be able to do this operation. This function is used to move
- * keys from one token to another */
-SECStatus
-PK11_ExtractKeyValue(PK11SymKey *symKey)
-{
-    SECStatus rv;
-
-    if (symKey->data.data != NULL) {
-	if (symKey->size == 0) {
-	   symKey->size = symKey->data.len;
-	}
-	return SECSuccess;
-    }
-
-    if (symKey->slot == NULL) {
-	PORT_SetError( SEC_ERROR_INVALID_KEY );
-	return SECFailure;
-    }
-
-    rv = PK11_ReadAttribute(symKey->slot,symKey->objectID,CKA_VALUE,NULL,
-				&symKey->data);
-    if (rv == SECSuccess) {
-	symKey->size = symKey->data.len;
-    }
-    return rv;
-}
-
-SECStatus
-PK11_DeleteTokenSymKey(PK11SymKey *symKey)
-{
-    if (!PK11_IsPermObject(symKey->slot, symKey->objectID)) {
-	return SECFailure;
-    }
-    PK11_DestroyTokenObject(symKey->slot,symKey->objectID);
-    symKey->objectID = CK_INVALID_HANDLE;
-    return SECSuccess;
-}
-
-SECItem *
-__PK11_GetKeyData(PK11SymKey *symKey)
-{
-    return &symKey->data;
-}
-
-SECItem *
-PK11_GetKeyData(PK11SymKey *symKey)
-{
-    return __PK11_GetKeyData(symKey);
-}
-
-/* return the keylength if possible.  '0' if not */
-unsigned int
-PK11_GetKeyLength(PK11SymKey *key)
-{
-    CK_KEY_TYPE keyType;
-
-    if (key->size != 0) return key->size;
-
-    /* First try to figure out the key length from its type */
-    keyType = PK11_ReadULongAttribute(key->slot,key->objectID,CKA_KEY_TYPE);
-    switch (keyType) {
-      case CKK_DES: key->size = 8; break;
-      case CKK_DES2: key->size = 16; break;
-      case CKK_DES3: key->size = 24; break;
-      case CKK_SKIPJACK: key->size = 10; break;
-      case CKK_BATON: key->size = 20; break;
-      case CKK_JUNIPER: key->size = 20; break;
-      case CKK_GENERIC_SECRET:
-	if (key->type == CKM_SSL3_PRE_MASTER_KEY_GEN)  {
-	    key->size=48;
-	}
-	break;
-      default: break;
-    }
-   if( key->size != 0 ) return key->size;
-
-   if (key->data.data == NULL) {
-	PK11_ExtractKeyValue(key);
-   }
-   /* key is probably secret. Look up its length */
-   /*  this is new PKCS #11 version 2.0 functionality. */
-   if (key->size == 0) {
-	CK_ULONG keyLength;
-
-	keyLength = PK11_ReadULongAttribute(key->slot,key->objectID,CKA_VALUE_LEN);
-	if (keyLength != CK_UNAVAILABLE_INFORMATION) {
-	    key->size = (unsigned int)keyLength;
-	}
-    }
-
-   return key->size;
-}
-
-/* return the strength of a key. This is different from length in that
- * 1) it returns the size in bits, and 2) it returns only the secret portions
- * of the key minus any checksums or parity.
- */
-unsigned int
-PK11_GetKeyStrength(PK11SymKey *key, SECAlgorithmID *algid) 
-{
-     int size=0;
-     CK_MECHANISM_TYPE mechanism= CKM_INVALID_MECHANISM; /* RC2 only */
-     SECItem *param = NULL; /* RC2 only */
-     CK_RC2_CBC_PARAMS *rc2_params = NULL; /* RC2 ONLY */
-     unsigned int effectiveBits = 0; /* RC2 ONLY */
-
-     switch (PK11_GetKeyType(key->type,0)) {
-     case CKK_CDMF:
-	return 40;
-     case CKK_DES:
-	return 56;
-     case CKK_DES3:
-     case CKK_DES2:
-	size = PK11_GetKeyLength(key);
-	if (size == 16) {
-	   /* double des */
-	   return 112; /* 16*7 */
-	}
-	return 168;
-    /*
-     * RC2 has is different than other ciphers in that it allows the user
-     * to deprecating keysize while still requiring all the bits for the 
-     * original key. The info
-     * on what the effective key strength is in the parameter for the key.
-     * In S/MIME this parameter is stored in the DER encoded algid. In Our 
-     * other uses of RC2, effectiveBits == keyBits, so this code functions
-     * correctly without an algid.
-     */
-    case CKK_RC2:
-	/* if no algid was provided, fall through to default */
-        if (!algid) {
-	    break; 
-	}
-	/* verify that the algid is for RC2 */
-	mechanism = PK11_AlgtagToMechanism(SECOID_GetAlgorithmTag(algid));
-	if ((mechanism != CKM_RC2_CBC) && (mechanism != CKM_RC2_ECB)) {
-	    break;
-	}
-
-	/* now get effective bits from the algorithm ID. */
-	param = PK11_ParamFromAlgid(algid);
-	/* if we couldn't get memory just use key length */
-	if (param == NULL) {
-	    break;
-	}
-
-	rc2_params = (CK_RC2_CBC_PARAMS *) param->data;
-	/* paranoia... shouldn't happen */
-	PORT_Assert(param->data != NULL);
-	if (param->data == NULL) {
-	    SECITEM_FreeItem(param,PR_TRUE);
-	    break;
-	}
-	effectiveBits = (unsigned int)rc2_params->ulEffectiveBits;
-	SECITEM_FreeItem(param,PR_TRUE);
-	param = NULL; rc2_params=NULL; /* paranoia */
-
-	/* we have effective bits, is and allocated memory is free, now
-	 * we need to return the smaller of effective bits and keysize */
-	size = PK11_GetKeyLength(key);
-	if ((unsigned int)size*8 > effectiveBits) {
-	    return effectiveBits;
-	}
-
-	return size*8; /* the actual key is smaller, the strength can't be
-			* greater than the actual key size */
-	
-    default:
-	break;
-    }
-    return PK11_GetKeyLength(key) * 8;
-}
-
-/*
- * The next three utilities are to deal with the fact that a given operation
- * may be a multi-slot affair. This creates a new key object that is copied
- * into the new slot.
- */
-PK11SymKey *
-pk11_CopyToSlotPerm(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, 
-	 	CK_ATTRIBUTE_TYPE operation, CK_FLAGS flags, 
-		PRBool isPerm, PK11SymKey *symKey)
-{
-    SECStatus rv;
-    PK11SymKey *newKey = NULL;
-
-    /* Extract the raw key data if possible */
-    if (symKey->data.data == NULL) {
-	rv = PK11_ExtractKeyValue(symKey);
-	/* KEY is sensitive, we're try key exchanging it. */
-	if (rv != SECSuccess) {
-	    return pk11_KeyExchange(slot, type, operation, 
-						flags, isPerm, symKey);
-	}
-    }
-
-    newKey = PK11_ImportSymKeyWithFlags(slot,  type, symKey->origin,
-	operation, &symKey->data, flags, isPerm, symKey->cx);
-    if (newKey == NULL) {
-	newKey = pk11_KeyExchange(slot, type, operation, flags, isPerm, symKey);
-    }
-    return newKey;
-}
-
-PK11SymKey *
-pk11_CopyToSlot(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
-	CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey)
-{
-   return pk11_CopyToSlotPerm(slot, type, operation, 0, PR_FALSE, symKey);
-}
-
-/*
- * Make sure the slot we are in the correct slot for the operation
- */
-PK11SymKey *
-pk11_ForceSlot(PK11SymKey *symKey,CK_MECHANISM_TYPE type,
-						CK_ATTRIBUTE_TYPE operation)
-{
-    PK11SlotInfo *slot = symKey->slot;
-    PK11SymKey *newKey = NULL;
-
-    if ((slot== NULL) || !PK11_DoesMechanism(slot,type)) {
-	slot = PK11_GetBestSlot(type,symKey->cx);
-	if (slot == NULL) {
-	    PORT_SetError( SEC_ERROR_NO_MODULE );
-	    return NULL;
-	}
-	newKey = pk11_CopyToSlot(slot, type, operation, symKey);
-	PK11_FreeSlot(slot);
-    }
-    return newKey;
-}
-
-PK11SymKey *
-PK11_MoveSymKey(PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation, 
-			CK_FLAGS flags, PRBool  perm, PK11SymKey *symKey)
-{
-    if (symKey->slot == slot) {
-	if (perm) {
-	   return PK11_ConvertSessionSymKeyToTokenSymKey(symKey,symKey->cx);
-	} else {
-	   return PK11_ReferenceSymKey(symKey);
-	}
-    }
-    
-    return pk11_CopyToSlotPerm(slot, symKey->type, 
-					operation, flags, perm, symKey);
-}
-
-
-/*
- * Use the token to generate a key. keySize must be 'zero' for fixed key
- * length algorithms. A nonzero keySize causes the CKA_VALUE_LEN attribute
- * to be added to the template for the key. PKCS #11 modules fail if you
- * specify the CKA_VALUE_LEN attribute for keys with fixed length.
- * NOTE: this means to generate a DES2 key from this interface you must
- * specify CKM_DES2_KEY_GEN as the mechanism directly; specifying
- * CKM_DES3_CBC as the mechanism and 16 as keySize currently doesn't work.
- *
- * CK_FLAGS flags: key operation flags
- * PK11AttrFlags attrFlags: PK11_ATTR_XXX key attribute flags
- */
-PK11SymKey *
-PK11_TokenKeyGenWithFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
-    SECItem *param, int keySize, SECItem *keyid, CK_FLAGS opFlags,
-    PK11AttrFlags attrFlags, void *wincx)
-{
-    PK11SymKey *symKey;
-    CK_ATTRIBUTE genTemplate[MAX_TEMPL_ATTRS];
-    CK_ATTRIBUTE *attrs = genTemplate;
-    int count = sizeof(genTemplate)/sizeof(genTemplate[0]);
-    CK_SESSION_HANDLE session;
-    CK_MECHANISM mechanism;
-    CK_RV crv;
-    CK_BBOOL cktrue = CK_TRUE;
-    CK_BBOOL ckfalse = CK_FALSE;
-    CK_ULONG ck_key_size;       /* only used for variable-length keys */
-    PRBool isToken = ((attrFlags & PK11_ATTR_TOKEN) != 0);
-
-    if (pk11_BadAttrFlags(attrFlags)) {
-	PORT_SetError( SEC_ERROR_INVALID_ARGS );
-	return NULL;
-    }
-
-    if (keySize != 0) {
-        ck_key_size = keySize; /* Convert to PK11 type */
-
-        PK11_SETATTRS(attrs, CKA_VALUE_LEN, &ck_key_size, sizeof(ck_key_size)); 
-							attrs++;
-    }
-
-    /* Include key id value if provided */
-    if (keyid) {
-        PK11_SETATTRS(attrs, CKA_ID, keyid->data, keyid->len); attrs++;
-    }
-
-    attrs += pk11_AttrFlagsToAttributes(attrFlags, attrs, &cktrue, &ckfalse);
-    attrs += pk11_OpFlagsToAttributes(opFlags, attrs, &cktrue);
-
-    count = attrs - genTemplate;
-    PR_ASSERT(count <= sizeof(genTemplate)/sizeof(CK_ATTRIBUTE));
-
-    /* find a slot to generate the key into */
-    /* Only do slot management if this is not a token key */
-    if (!isToken && (slot == NULL || !PK11_DoesMechanism(slot,type))) {
-        PK11SlotInfo *bestSlot;
-
-        bestSlot = PK11_GetBestSlot(type,wincx);
-        if (bestSlot == NULL) {
-	    PORT_SetError( SEC_ERROR_NO_MODULE );
-	    return NULL;
-	}
-
-        symKey = pk11_CreateSymKey(bestSlot, type, !isToken, PR_TRUE, wincx);
-
-        PK11_FreeSlot(bestSlot);
-    } else {
-	symKey = pk11_CreateSymKey(slot, type, !isToken, PR_TRUE, wincx);
-    }
-    if (symKey == NULL) return NULL;
-
-    symKey->size = keySize;
-    symKey->origin = PK11_OriginGenerated;
-
-    /* Initialize the Key Gen Mechanism */
-    mechanism.mechanism = PK11_GetKeyGenWithSize(type, keySize);
-    if (mechanism.mechanism == CKM_FAKE_RANDOM) {
-	PORT_SetError( SEC_ERROR_NO_MODULE );
-	return NULL;
-    }
-
-    /* Set the parameters for the key gen if provided */
-    mechanism.pParameter = NULL;
-    mechanism.ulParameterLen = 0;
-    if (param) {
-	mechanism.pParameter = param->data;
-	mechanism.ulParameterLen = param->len;
-    }
-
-    /* Get session and perform locking */
-    if (isToken) {
-	PK11_Authenticate(symKey->slot,PR_TRUE,wincx);
-	/* Should always be original slot */
-        session = PK11_GetRWSession(symKey->slot);  
-	symKey->owner = PR_FALSE;
-    } else {
-        session = symKey->session;
-	if (session != CK_INVALID_SESSION) 
-	    pk11_EnterKeyMonitor(symKey);
-    }
-    if (session == CK_INVALID_SESSION) {
-	PK11_FreeSymKey(symKey);
-	PORT_SetError(SEC_ERROR_BAD_DATA);
-	return NULL;
-    }
-
-    crv = PK11_GETTAB(symKey->slot)->C_GenerateKey(session,
-			 &mechanism, genTemplate, count, &symKey->objectID);
-
-    /* Release lock and session */
-    if (isToken) {
-        PK11_RestoreROSession(symKey->slot, session);
-    } else {
-        pk11_ExitKeyMonitor(symKey);
-    }
-
-    if (crv != CKR_OK) {
-	PK11_FreeSymKey(symKey);
-	PORT_SetError( PK11_MapError(crv) );
-	return NULL;
-    }
-
-    return symKey;
-}
-
-/*
- * Use the token to generate a key. keySize must be 'zero' for fixed key
- * length algorithms. A nonzero keySize causes the CKA_VALUE_LEN attribute
- * to be added to the template for the key. PKCS #11 modules fail if you
- * specify the CKA_VALUE_LEN attribute for keys with fixed length.
- * NOTE: this means to generate a DES2 key from this interface you must
- * specify CKM_DES2_KEY_GEN as the mechanism directly; specifying
- * CKM_DES3_CBC as the mechanism and 16 as keySize currently doesn't work.
- */
-PK11SymKey *
-PK11_TokenKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *param,
-    int keySize, SECItem *keyid, PRBool isToken, void *wincx)
-{
-    PK11SymKey *symKey;
-    PRBool weird = PR_FALSE;   /* hack for fortezza */
-    CK_FLAGS opFlags = CKF_SIGN;
-    PK11AttrFlags attrFlags = 0;
-
-    if ((keySize == -1) && (type == CKM_SKIPJACK_CBC64)) {
-	weird = PR_TRUE;
-	keySize = 0;
-    }
-
-    opFlags |= weird ? CKF_DECRYPT : CKF_ENCRYPT;
-
-    if (isToken) {
-	attrFlags |= (PK11_ATTR_TOKEN | PK11_ATTR_PRIVATE);
-    }
-
-    symKey = PK11_TokenKeyGenWithFlags(slot, type, param, keySize, keyid,
-						opFlags, attrFlags, wincx);
-    if (symKey && weird) {
-	PK11_SetFortezzaHack(symKey);
-    }
-
-    return symKey;
-}
-
-PK11SymKey *
-PK11_KeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *param,
-						int keySize, void *wincx)
-{
-    return PK11_TokenKeyGen(slot, type, param, keySize, 0, PR_FALSE, wincx);
-}
-
-/* --- */
-PK11SymKey *
-PK11_GenDES3TokenKey(PK11SlotInfo *slot, SECItem *keyid, void *cx)
-{
-  return PK11_TokenKeyGen(slot, CKM_DES3_CBC, 0, 0, keyid, PR_TRUE, cx);
-}
-
-PK11SymKey*
-PK11_ConvertSessionSymKeyToTokenSymKey(PK11SymKey *symk, void *wincx)
-{
-    PK11SlotInfo* slot = symk->slot;
-    CK_ATTRIBUTE template[1];
-    CK_ATTRIBUTE *attrs = template;
-    CK_BBOOL cktrue = CK_TRUE;
-    CK_RV crv;
-    CK_OBJECT_HANDLE newKeyID;
-    CK_SESSION_HANDLE rwsession;
-
-    PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(cktrue)); attrs++;
-
-    PK11_Authenticate(slot, PR_TRUE, wincx);
-    rwsession = PK11_GetRWSession(slot);
-    if (rwsession == CK_INVALID_SESSION) {
-	PORT_SetError(SEC_ERROR_BAD_DATA);
-	return NULL;
-    }
-    crv = PK11_GETTAB(slot)->C_CopyObject(rwsession, symk->objectID,
-        template, 1, &newKeyID);
-    PK11_RestoreROSession(slot, rwsession);
-
-    if (crv != CKR_OK) {
-        PORT_SetError( PK11_MapError(crv) );
-        return NULL;
-    }
-
-    return PK11_SymKeyFromHandle(slot, NULL /*parent*/, symk->origin,
-        symk->type, newKeyID, PR_FALSE /*owner*/, NULL /*wincx*/);
-}
-
-/*
- * This function does a straight public key wrap (which only RSA can do).
- * Use PK11_PubGenKey and PK11_WrapSymKey to implement the FORTEZZA and
- * Diffie-Hellman Ciphers. */
-SECStatus
-PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey,
-				PK11SymKey *symKey, SECItem *wrappedKey)
-{
-    PK11SlotInfo *slot;
-    CK_ULONG len =  wrappedKey->len;
-    PK11SymKey *newKey = NULL;
-    CK_OBJECT_HANDLE id;
-    CK_MECHANISM mechanism;
-    PRBool owner = PR_TRUE;
-    CK_SESSION_HANDLE session;
-    CK_RV crv;
-
-    /* if this slot doesn't support the mechanism, go to a slot that does */
-    newKey = pk11_ForceSlot(symKey,type,CKA_ENCRYPT);
-    if (newKey != NULL) {
-	symKey = newKey;
-    }
-
-    if ((symKey == NULL) || (symKey->slot == NULL)) {
-	PORT_SetError( SEC_ERROR_NO_MODULE );
-	return SECFailure;
-    }
-
-    slot = symKey->slot;
-    mechanism.mechanism = pk11_mapWrapKeyType(pubKey->keyType);
-    mechanism.pParameter = NULL;
-    mechanism.ulParameterLen = 0;
-
-    id = PK11_ImportPublicKey(slot,pubKey,PR_FALSE);
-    if (id == CK_INVALID_HANDLE) {
-	if (newKey) {
-	    PK11_FreeSymKey(newKey);
-	}
-	return SECFailure;   /* Error code has been set. */
-    }
-
-    session = pk11_GetNewSession(slot,&owner);
-    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB(slot)->C_WrapKey(session,&mechanism,
-		id,symKey->objectID,wrappedKey->data,&len);
-    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
-    pk11_CloseSession(slot,session,owner);
-    if (newKey) {
-	PK11_FreeSymKey(newKey);
-    }
-
-    if (crv != CKR_OK) {
-	PORT_SetError( PK11_MapError(crv) );
-	return SECFailure;
-    }
-    wrappedKey->len = len;
-    return SECSuccess;
-} 
-
-/*
- * this little function uses the Encrypt function to wrap a key, just in
- * case we have problems with the wrap implementation for a token.
- */
-static SECStatus
-pk11_HandWrap(PK11SymKey *wrappingKey, SECItem *param, CK_MECHANISM_TYPE type,
-			 SECItem *inKey, SECItem *outKey)
-{
-    PK11SlotInfo *slot;
-    CK_ULONG len;
-    SECItem *data;
-    CK_MECHANISM mech;
-    PRBool owner = PR_TRUE;
-    CK_SESSION_HANDLE session;
-    CK_RV crv;
-
-    slot = wrappingKey->slot;
-    /* use NULL IV's for wrapping */
-    mech.mechanism = type;
-    if (param) {
-	mech.pParameter = param->data;
-	mech.ulParameterLen = param->len;
-    } else {
-	mech.pParameter = NULL;
-	mech.ulParameterLen = 0;
-    }
-    session = pk11_GetNewSession(slot,&owner);
-    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB(slot)->C_EncryptInit(session,&mech,
-							wrappingKey->objectID);
-    if (crv != CKR_OK) {
-        if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
-        pk11_CloseSession(slot,session,owner);
-	PORT_SetError( PK11_MapError(crv) );
-	return SECFailure;
-    }
-
-    /* keys are almost always aligned, but if we get this far,
-     * we've gone above and beyond anyway... */
-    data = PK11_BlockData(inKey,PK11_GetBlockSize(type,param));
-    if (data == NULL) {
-        if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
-        pk11_CloseSession(slot,session,owner);
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return SECFailure;
-    }
-    len = outKey->len;
-    crv = PK11_GETTAB(slot)->C_Encrypt(session,data->data,data->len,
-							   outKey->data, &len);
-    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
-    pk11_CloseSession(slot,session,owner);
-    SECITEM_FreeItem(data,PR_TRUE);
-    outKey->len = len;
-    if (crv != CKR_OK) {
-	PORT_SetError( PK11_MapError(crv) );
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-/*
- * This function does a symetric based wrap.
- */
-SECStatus
-PK11_WrapSymKey(CK_MECHANISM_TYPE type, SECItem *param, 
-	PK11SymKey *wrappingKey, PK11SymKey *symKey, SECItem *wrappedKey)
-{
-    PK11SlotInfo *slot;
-    CK_ULONG len = wrappedKey->len;
-    PK11SymKey *newKey = NULL;
-    SECItem *param_save = NULL;
-    CK_MECHANISM mechanism;
-    PRBool owner = PR_TRUE;
-    CK_SESSION_HANDLE session;
-    CK_RV crv;
-    SECStatus rv;
-
-    /* if this slot doesn't support the mechanism, go to a slot that does */
-    /* Force symKey and wrappingKey into the same slot */
-    if ((wrappingKey->slot == NULL) || (symKey->slot != wrappingKey->slot)) {
-	/* first try copying the wrapping Key to the symKey slot */
-	if (symKey->slot && PK11_DoesMechanism(symKey->slot,type)) {
-	    newKey = pk11_CopyToSlot(symKey->slot,type,CKA_WRAP,wrappingKey);
-	}
-	/* Nope, try it the other way */
-	if (newKey == NULL) {
-	    if (wrappingKey->slot) {
-	        newKey = pk11_CopyToSlot(wrappingKey->slot,
-					symKey->type, CKA_ENCRYPT, symKey);
-	    }
-	    /* just not playing... one last thing, can we get symKey's data?
-	     * If it's possible, we it should already be in the 
-	     * symKey->data.data pointer because pk11_CopyToSlot would have
-	     * tried to put it there. */
-	    if (newKey == NULL) {
-		/* Can't get symKey's data: Game Over */
-		if (symKey->data.data == NULL) {
-		    PORT_SetError( SEC_ERROR_NO_MODULE );
-		    return SECFailure;
-		}
-		if (param == NULL) {
-		    param_save = param = PK11_ParamFromIV(type,NULL);
-		}
-		rv = pk11_HandWrap(wrappingKey, param, type,
-						&symKey->data,wrappedKey);
-		if (param_save) SECITEM_FreeItem(param_save,PR_TRUE);
-		return rv;
-	    }
-	    /* we successfully moved the sym Key */
-	    symKey = newKey;
-	} else {
-	    /* we successfully moved the wrapping Key */
-	    wrappingKey = newKey;
-	}
-    }
-
-    /* at this point both keys are in the same token */
-    slot = wrappingKey->slot;
-    mechanism.mechanism = type;
-    /* use NULL IV's for wrapping */
-    if (param == NULL) {
-    	param_save = param = PK11_ParamFromIV(type,NULL);
-    }
-    if (param) {
-	mechanism.pParameter = param->data;
-	mechanism.ulParameterLen = param->len;
-    } else {
-	mechanism.pParameter = NULL;
-	mechanism.ulParameterLen = 0;
-    }
-
-    len = wrappedKey->len;
-
-    session = pk11_GetNewSession(slot,&owner);
-    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB(slot)->C_WrapKey(session, &mechanism,
-		 wrappingKey->objectID, symKey->objectID, 
-						wrappedKey->data, &len);
-    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
-    pk11_CloseSession(slot,session,owner);
-    rv = SECSuccess;
-    if (crv != CKR_OK) {
-	/* can't wrap it? try hand wrapping it... */
-	do {
-	    if (symKey->data.data == NULL) {
-		rv = PK11_ExtractKeyValue(symKey);
-		if (rv != SECSuccess) break;
-	    }
-	    rv = pk11_HandWrap(wrappingKey, param, type, &symKey->data,
-								 wrappedKey);
-	} while (PR_FALSE);
-    } else {
-        wrappedKey->len = len;
-    }
-    if (newKey) PK11_FreeSymKey(newKey);
-    if (param_save) SECITEM_FreeItem(param_save,PR_TRUE);
-    return rv;
-} 
-
-/*
- * This Generates a new key based on a symetricKey
- */
-PK11SymKey *
-PK11_Derive( PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, SECItem *param, 
-             CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
-	     int keySize)
-{
-    return pk11_DeriveWithTemplate(baseKey, derive, param, target, operation, 
-				   keySize, NULL, 0, PR_FALSE);
-}
-
-
-PK11SymKey *
-PK11_DeriveWithFlags( PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, 
-	SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, 
-	int keySize, CK_FLAGS flags)
-{
-    CK_BBOOL        ckTrue	= CK_TRUE; 
-    CK_ATTRIBUTE    keyTemplate[MAX_TEMPL_ATTRS];
-    unsigned int    templateCount;
-
-    templateCount = pk11_OpFlagsToAttributes(flags, keyTemplate, &ckTrue);
-    return pk11_DeriveWithTemplate(baseKey, derive, param, target, operation, 
-		  keySize, keyTemplate, templateCount, PR_FALSE);
-}
-
-PK11SymKey *
-PK11_DeriveWithFlagsPerm( PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, 
-	SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, 
-	int keySize, CK_FLAGS flags, PRBool isPerm)
-{
-    CK_BBOOL        cktrue	= CK_TRUE; 
-    CK_ATTRIBUTE    keyTemplate[MAX_TEMPL_ATTRS];
-    CK_ATTRIBUTE    *attrs;
-    unsigned int    templateCount = 0;
-
-    attrs = keyTemplate;
-    if (isPerm) {
-        PK11_SETATTRS(attrs, CKA_TOKEN,  &cktrue, sizeof(CK_BBOOL)); attrs++;
-    }
-    templateCount = attrs - keyTemplate;
-    templateCount += pk11_OpFlagsToAttributes(flags, attrs, &cktrue);
-    return pk11_DeriveWithTemplate(baseKey, derive, param, target, operation, 
-				   keySize, keyTemplate, templateCount, isPerm);
-}
-
-static PK11SymKey *
-pk11_DeriveWithTemplate( PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, 
-	SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, 
-	int keySize, CK_ATTRIBUTE *userAttr, unsigned int numAttrs,
-							 PRBool isPerm)
-{
-    PK11SlotInfo *  slot	= baseKey->slot;
-    PK11SymKey *    symKey;
-    PK11SymKey *    newBaseKey	= NULL;
-    CK_BBOOL        cktrue	= CK_TRUE; 
-    CK_OBJECT_CLASS keyClass	= CKO_SECRET_KEY;
-    CK_KEY_TYPE     keyType	= CKK_GENERIC_SECRET;
-    CK_ULONG        valueLen	= 0;
-    CK_MECHANISM    mechanism; 
-    CK_RV           crv;
-    CK_ATTRIBUTE    keyTemplate[MAX_TEMPL_ATTRS];
-    CK_ATTRIBUTE *  attrs	= keyTemplate;
-    CK_SESSION_HANDLE session;
-    unsigned int    templateCount;
-
-    if (numAttrs > MAX_TEMPL_ATTRS) {
-    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return NULL;
-    }
-    /* first copy caller attributes in. */
-    for (templateCount = 0; templateCount < numAttrs; ++templateCount) {
-    	*attrs++ = *userAttr++;
-    }
-
-    /* We only add the following attributes to the template if the caller
-    ** didn't already supply them.
-    */
-    if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_CLASS)) {
-	PK11_SETATTRS(attrs, CKA_CLASS,     &keyClass, sizeof keyClass); 
-	attrs++;
-    }
-    if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_KEY_TYPE)) {
-	keyType = PK11_GetKeyType(target, keySize);
-	PK11_SETATTRS(attrs, CKA_KEY_TYPE,  &keyType,  sizeof keyType ); 
-	attrs++;
-    }
-    if (keySize > 0 &&
-    	  !pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_VALUE_LEN)) {
-	valueLen = (CK_ULONG)keySize;
-	PK11_SETATTRS(attrs, CKA_VALUE_LEN, &valueLen, sizeof valueLen); 
-	attrs++;
-    }
-    if ((operation != CKA_FLAGS_ONLY) &&
-	  !pk11_FindAttrInTemplate(keyTemplate, numAttrs, operation)) {
-	PK11_SETATTRS(attrs, operation, &cktrue, sizeof cktrue); attrs++;
-    }
-
-    templateCount = attrs - keyTemplate;
-    PR_ASSERT(templateCount <= MAX_TEMPL_ATTRS);
-
-    /* move the key to a slot that can do the function */
-    if (!PK11_DoesMechanism(slot,derive)) {
-	/* get a new base key & slot */
-	PK11SlotInfo *newSlot = PK11_GetBestSlot(derive, baseKey->cx);
-
-	if (newSlot == NULL) return NULL;
-
-        newBaseKey = pk11_CopyToSlot (newSlot, derive, CKA_DERIVE, 
-				     baseKey);
-	PK11_FreeSlot(newSlot);
-	if (newBaseKey == NULL) 
-	    return NULL;	
-	baseKey = newBaseKey;
-	slot = baseKey->slot;
-    }
-
-
-    /* get our key Structure */
-    symKey = pk11_CreateSymKey(slot, target, !isPerm, PR_TRUE, baseKey->cx);
-    if (symKey == NULL) {
-	return NULL;
-    }
-
-    symKey->size = keySize;
-
-    mechanism.mechanism = derive;
-    if (param) {
-	mechanism.pParameter = param->data;
-	mechanism.ulParameterLen = param->len;
-    } else {
-	mechanism.pParameter = NULL;
-	mechanism.ulParameterLen = 0;
-    }
-    symKey->origin=PK11_OriginDerive;
-
-    if (isPerm) {
-	session =  PK11_GetRWSession(slot);
-    } else {
-        pk11_EnterKeyMonitor(symKey);
-	session = symKey->session;
-    }
-    if (session == CK_INVALID_SESSION) {
-	if (!isPerm)
-	    pk11_ExitKeyMonitor(symKey);
-	crv = CKR_SESSION_HANDLE_INVALID;
-    } else {
-	crv = PK11_GETTAB(slot)->C_DeriveKey(session, &mechanism,
-	     baseKey->objectID, keyTemplate, templateCount, &symKey->objectID);
-	if (isPerm) {
-	    PK11_RestoreROSession(slot, session);
-	} else {
-	    pk11_ExitKeyMonitor(symKey);
-	}
-    }
-    if (newBaseKey) 
-    	PK11_FreeSymKey(newBaseKey);
-    if (crv != CKR_OK) {
-	PK11_FreeSymKey(symKey);
-	return NULL;
-    }
-    return symKey;
-}
-
-/*
- * This Generates a wrapping key based on a privateKey, publicKey, and two
- * random numbers. For Mail usage RandomB should be NULL. In the Sender's
- * case RandomA is generate, outherwize it is passed.
- */
-static unsigned char *rb_email = NULL;
-
-PK11SymKey *
-PK11_PubDerive(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey, 
-   PRBool isSender, SECItem *randomA, SECItem *randomB, 
-    CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
-			CK_ATTRIBUTE_TYPE operation, int keySize,void *wincx)
-{
-    PK11SlotInfo *slot = privKey->pkcs11Slot;
-    CK_MECHANISM mechanism;
-    PK11SymKey *symKey;
-    CK_RV crv;
-
-
-    if (rb_email == NULL) {
-	rb_email = PORT_ZAlloc(128);
-	if (rb_email == NULL) {
-	    return NULL;
-	}
-	rb_email[127] = 1;
-    }
-
-    /* get our key Structure */
-    symKey = pk11_CreateSymKey(slot, target, PR_TRUE, PR_TRUE, wincx);
-    if (symKey == NULL) {
-	return NULL;
-    }
-
-    symKey->origin = PK11_OriginDerive;
-
-    switch (privKey->keyType) {
-    case rsaKey:
-    case nullKey:
-	PORT_SetError(SEC_ERROR_BAD_KEY);
-	break;
-    case dsaKey:
-    case keaKey:
-    case fortezzaKey:
-	{
-	    CK_KEA_DERIVE_PARAMS param;
-	    param.isSender = (CK_BBOOL) isSender;
-	    param.ulRandomLen = randomA->len;
-	    param.pRandomA = randomA->data;
-	    param.pRandomB = rb_email;
-	    if (randomB)
-		 param.pRandomB = randomB->data;
-	    if (pubKey->keyType == fortezzaKey) {
-		param.ulPublicDataLen = pubKey->u.fortezza.KEAKey.len;
-		param.pPublicData = pubKey->u.fortezza.KEAKey.data;
-	    } else {
-		/* assert type == keaKey */
-		/* XXX change to match key key types */
-		param.ulPublicDataLen = pubKey->u.fortezza.KEAKey.len;
-		param.pPublicData = pubKey->u.fortezza.KEAKey.data;
-	    }
-
-	    mechanism.mechanism = derive;
-	    mechanism.pParameter = &param;
-	    mechanism.ulParameterLen = sizeof(param);
-
-	    /* get a new symKey structure */
-	    pk11_EnterKeyMonitor(symKey);
-	    crv=PK11_GETTAB(slot)->C_DeriveKey(symKey->session, &mechanism,
-			privKey->pkcs11ID, NULL, 0, &symKey->objectID);
-	    pk11_ExitKeyMonitor(symKey);
-	    if (crv == CKR_OK) return symKey;
-	    PORT_SetError( PK11_MapError(crv) );
-	}
-	break;
-    case dhKey:
-	{
-	    CK_BBOOL cktrue = CK_TRUE;
-	    CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
-	    CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
-	    CK_ULONG key_size = 0;
-	    CK_ATTRIBUTE keyTemplate[4];
-	    int templateCount;
-	    CK_ATTRIBUTE *attrs = keyTemplate;
-
-	    if (pubKey->keyType != dhKey) {
-		PORT_SetError(SEC_ERROR_BAD_KEY);
-		break;
-	    }
-
-	    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass));
-	    attrs++;
-	    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType));
-	    attrs++;
-	    PK11_SETATTRS(attrs, operation, &cktrue, 1); attrs++;
-	    PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size)); 
-	    attrs++;
-	    templateCount =  attrs - keyTemplate;
-	    PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE));
-
-	    keyType = PK11_GetKeyType(target,keySize);
-	    key_size = keySize;
-	    symKey->size = keySize;
-	    if (key_size == 0) templateCount--;
-
-	    mechanism.mechanism = derive;
-
-	    /* we can undefine these when we define diffie-helman keys */
-	    mechanism.pParameter = pubKey->u.dh.publicValue.data; 
-	    mechanism.ulParameterLen = pubKey->u.dh.publicValue.len;
-		
-	    pk11_EnterKeyMonitor(symKey);
-	    crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, &mechanism,
-	     privKey->pkcs11ID, keyTemplate, templateCount, &symKey->objectID);
-	    pk11_ExitKeyMonitor(symKey);
-	    if (crv == CKR_OK) return symKey;
-	    PORT_SetError( PK11_MapError(crv) );
-	}
-	break;
-    case ecKey:
-        {
-	    CK_BBOOL cktrue = CK_TRUE;
-	    CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
-	    CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
-	    CK_ULONG key_size = 0;
-	    CK_ATTRIBUTE keyTemplate[4];
-	    int templateCount;
-	    CK_ATTRIBUTE *attrs = keyTemplate;
-	    CK_ECDH1_DERIVE_PARAMS *mechParams = NULL;
-
-	    if (pubKey->keyType != ecKey) {
-		PORT_SetError(SEC_ERROR_BAD_KEY);
-		break;
-	    }
-
-	    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass));
-	    attrs++;
-	    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType));
-	    attrs++;
-	    PK11_SETATTRS(attrs, operation, &cktrue, 1); attrs++;
-	    PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size)); 
-	    attrs++;
-	    templateCount =  attrs - keyTemplate;
-	    PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE));
-
-	    keyType = PK11_GetKeyType(target,keySize);
-	    key_size = keySize;
-	    symKey->size = keySize;
-	    if (key_size == 0) templateCount--;
-
-	    mechParams = PORT_ZNew(CK_ECDH1_DERIVE_PARAMS); 
-	    mechParams->kdf = CKD_SHA1_KDF;
-	    mechParams->ulSharedDataLen = 0;
-	    mechParams->pSharedData = NULL;
-	    mechParams->ulPublicDataLen =  pubKey->u.ec.publicValue.len;
-	    mechParams->pPublicData =  pubKey->u.ec.publicValue.data;
-
-	    mechanism.mechanism = derive;
-	    mechanism.pParameter = mechParams;
-	    mechanism.ulParameterLen = sizeof(CK_ECDH1_DERIVE_PARAMS);
-
-	    pk11_EnterKeyMonitor(symKey);
-	    crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, 
-		&mechanism, privKey->pkcs11ID, keyTemplate, 
-		templateCount, &symKey->objectID);
-	    pk11_ExitKeyMonitor(symKey);
-
-	    PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS));
-
-	    if (crv == CKR_OK) return symKey;
-	    PORT_SetError( PK11_MapError(crv) );
-	}
-   }
-
-   PK11_FreeSymKey(symKey);
-   return NULL;
-}
-
-PK11SymKey *
-PK11_PubDeriveWithKDF(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey, 
-	PRBool isSender, SECItem *randomA, SECItem *randomB, 
-	CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
-	CK_ATTRIBUTE_TYPE operation, int keySize,
-	CK_ULONG kdf, SECItem *sharedData, void *wincx)
-{
-    PK11SlotInfo *slot = privKey->pkcs11Slot;
-    PK11SymKey *symKey;
-    CK_MECHANISM mechanism;
-    CK_RV crv;
-
-    /* get our key Structure */
-    symKey = pk11_CreateSymKey(slot, target, PR_TRUE, PR_TRUE, wincx);
-    if (symKey == NULL) {
-	return NULL;
-    }
-
-    symKey->origin = PK11_OriginDerive;
-
-    switch (privKey->keyType) {
-    case rsaKey:
-    case nullKey:
-    case dsaKey:
-    case keaKey:
-    case fortezzaKey:
-    case dhKey:
-	PK11_FreeSymKey(symKey);
-	return PK11_PubDerive(privKey, pubKey, isSender, randomA, randomB,
-		derive, target, operation, keySize, wincx);
-    case ecKey:
-        {
-	    CK_BBOOL cktrue = CK_TRUE;
-	    CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
-	    CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
-	    CK_ULONG key_size = 0;
-	    CK_ATTRIBUTE keyTemplate[4];
-	    int templateCount;
-	    CK_ATTRIBUTE *attrs = keyTemplate;
-	    CK_ECDH1_DERIVE_PARAMS *mechParams = NULL;
-
-	    if (pubKey->keyType != ecKey) {
-		PORT_SetError(SEC_ERROR_BAD_KEY);
-		break;
-	    }
-
-	    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass));
-	    attrs++;
-	    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType));
-	    attrs++;
-	    PK11_SETATTRS(attrs, operation, &cktrue, 1); attrs++;
-	    PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size)); 
-	    attrs++;
-	    templateCount =  attrs - keyTemplate;
-	    PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE));
-
-	    keyType = PK11_GetKeyType(target,keySize);
-	    key_size = keySize;
-	    symKey->size = keySize;
-	    if (key_size == 0) templateCount--;
-
-	    mechParams = PORT_ZNew(CK_ECDH1_DERIVE_PARAMS);
-	    if ((kdf < CKD_NULL) || (kdf > CKD_SHA1_KDF)) {
-		PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-		break;
-	    }
-	    mechParams->kdf = kdf;
-	    if (sharedData == NULL) {
-		mechParams->ulSharedDataLen = 0;
-		mechParams->pSharedData = NULL;
-	    } else {
-		mechParams->ulSharedDataLen = sharedData->len;
-		mechParams->pSharedData = sharedData->data;
-	    }
-	    mechParams->ulPublicDataLen =  pubKey->u.ec.publicValue.len;
-	    mechParams->pPublicData =  pubKey->u.ec.publicValue.data;
-
-	    mechanism.mechanism = derive;
-	    mechanism.pParameter = mechParams;
-	    mechanism.ulParameterLen = sizeof(CK_ECDH1_DERIVE_PARAMS);
-
-	    pk11_EnterKeyMonitor(symKey);
-	    crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, 
-		&mechanism, privKey->pkcs11ID, keyTemplate, 
-		templateCount, &symKey->objectID);
-	    pk11_ExitKeyMonitor(symKey);
-
-	    PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS));
-
-	    if (crv == CKR_OK) return symKey;
-	    PORT_SetError( PK11_MapError(crv) );
-	}
-   }
-
-   PK11_FreeSymKey(symKey);
-   return NULL;
-}
-
-/*
- * this little function uses the Decrypt function to unwrap a key, just in
- * case we are having problem with unwrap. NOTE: The key size may
- * not be preserved properly for some algorithms!
- */
-static PK11SymKey *
-pk11_HandUnwrap(PK11SlotInfo *slot, CK_OBJECT_HANDLE wrappingKey,
-                CK_MECHANISM *mech, SECItem *inKey, CK_MECHANISM_TYPE target, 
-		CK_ATTRIBUTE *keyTemplate, unsigned int templateCount, 
-		int key_size, void * wincx, CK_RV *crvp, PRBool isPerm)
-{
-    CK_ULONG len;
-    SECItem outKey;
-    PK11SymKey *symKey;
-    CK_RV crv;
-    PRBool owner = PR_TRUE;
-    CK_SESSION_HANDLE session;
-
-    /* remove any VALUE_LEN parameters */
-    if (keyTemplate[templateCount-1].type == CKA_VALUE_LEN) {
-        templateCount--;
-    }
-
-    /* keys are almost always aligned, but if we get this far,
-     * we've gone above and beyond anyway... */
-    outKey.data = (unsigned char*)PORT_Alloc(inKey->len);
-    if (outKey.data == NULL) {
-	PORT_SetError( SEC_ERROR_NO_MEMORY );
-	if (crvp) *crvp = CKR_HOST_MEMORY;
-	return NULL;
-    }
-    len = inKey->len;
-
-    /* use NULL IV's for wrapping */
-    session = pk11_GetNewSession(slot,&owner);
-    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB(slot)->C_DecryptInit(session,mech,wrappingKey);
-    if (crv != CKR_OK) {
-	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
-	pk11_CloseSession(slot,session,owner);
-	PORT_Free(outKey.data);
-	PORT_SetError( PK11_MapError(crv) );
-	if (crvp) *crvp =crv;
-	return NULL;
-    }
-    crv = PK11_GETTAB(slot)->C_Decrypt(session,inKey->data,inKey->len,
-							   outKey.data, &len);
-    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
-    pk11_CloseSession(slot,session,owner);
-    if (crv != CKR_OK) {
-	PORT_Free(outKey.data);
-	PORT_SetError( PK11_MapError(crv) );
-	if (crvp) *crvp =crv;
-	return NULL;
-    }
-
-    outKey.len = (key_size == 0) ? len : key_size;
-    outKey.type = siBuffer;
-
-    if (PK11_DoesMechanism(slot,target)) {
-	symKey = pk11_ImportSymKeyWithTempl(slot, target, PK11_OriginUnwrap, 
-	                                    isPerm, keyTemplate, 
-					    templateCount, &outKey, wincx);
-    } else {
-	slot = PK11_GetBestSlot(target,wincx);
-	if (slot == NULL) {
-	    PORT_SetError( SEC_ERROR_NO_MODULE );
-	    PORT_Free(outKey.data);
-	    if (crvp) *crvp = CKR_DEVICE_ERROR; 
-	    return NULL;
-	}
-	symKey = pk11_ImportSymKeyWithTempl(slot, target, PK11_OriginUnwrap, 
-	                                    isPerm, keyTemplate,
-					    templateCount, &outKey, wincx);
-	PK11_FreeSlot(slot);
-    }
-    PORT_Free(outKey.data);
-
-    if (crvp) *crvp = symKey? CKR_OK : CKR_DEVICE_ERROR; 
-    return symKey;
-}
-
-/*
- * The wrap/unwrap function is pretty much the same for private and
- * public keys. It's just getting the Object ID and slot right. This is
- * the combined unwrap function.
- */
-static PK11SymKey *
-pk11_AnyUnwrapKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE wrappingKey,
-    CK_MECHANISM_TYPE wrapType, SECItem *param, SECItem *wrappedKey, 
-    CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize, 
-    void *wincx, CK_ATTRIBUTE *userAttr, unsigned int numAttrs, PRBool isPerm)
-{
-    PK11SymKey *    symKey;
-    SECItem *       param_free	= NULL;
-    CK_BBOOL        cktrue	= CK_TRUE; 
-    CK_OBJECT_CLASS keyClass	= CKO_SECRET_KEY;
-    CK_KEY_TYPE     keyType	= CKK_GENERIC_SECRET;
-    CK_ULONG        valueLen	= 0;
-    CK_MECHANISM    mechanism;
-    CK_SESSION_HANDLE rwsession;
-    CK_RV           crv;
-    CK_MECHANISM_INFO mechanism_info;
-    CK_ATTRIBUTE    keyTemplate[MAX_TEMPL_ATTRS];
-    CK_ATTRIBUTE *  attrs	= keyTemplate;
-    unsigned int    templateCount;
-
-    if (numAttrs > MAX_TEMPL_ATTRS) {
-    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return NULL;
-    }
-    /* first copy caller attributes in. */
-    for (templateCount = 0; templateCount < numAttrs; ++templateCount) {
-    	*attrs++ = *userAttr++;
-    }
-
-    /* We only add the following attributes to the template if the caller
-    ** didn't already supply them.
-    */
-    if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_CLASS)) {
-	PK11_SETATTRS(attrs, CKA_CLASS,     &keyClass, sizeof keyClass); 
-	attrs++;
-    }
-    if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_KEY_TYPE)) {
-	keyType = PK11_GetKeyType(target, keySize);
-	PK11_SETATTRS(attrs, CKA_KEY_TYPE,  &keyType,  sizeof keyType ); 
-	attrs++;
-    }
-    if ((operation != CKA_FLAGS_ONLY) &&
-	  !pk11_FindAttrInTemplate(keyTemplate, numAttrs, operation)) {
-	PK11_SETATTRS(attrs, operation, &cktrue, 1); attrs++;
-    }
-
-    /*
-     * must be last in case we need to use this template to import the key
-     */
-    if (keySize > 0 &&
-    	  !pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_VALUE_LEN)) {
-	valueLen = (CK_ULONG)keySize;
-	PK11_SETATTRS(attrs, CKA_VALUE_LEN, &valueLen, sizeof valueLen); 
-	attrs++;
-    }
-
-    templateCount = attrs - keyTemplate;
-    PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE));
-
-
-    /* find out if we can do wrap directly. Because the RSA case if *very*
-     * common, cache the results for it. */
-    if ((wrapType == CKM_RSA_PKCS) && (slot->hasRSAInfo)) {
-	mechanism_info.flags = slot->RSAInfoFlags;
-    } else {
-	if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
-	crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID,wrapType,
-				 &mechanism_info);
-    	if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
-    	if (crv != CKR_OK) {
-	     mechanism_info.flags = 0;
-    	}
-        if (wrapType == CKM_RSA_PKCS) {
-	    slot->RSAInfoFlags = mechanism_info.flags;
-	    slot->hasRSAInfo = PR_TRUE;
-	}
-    }
-
-    /* initialize the mechanism structure */
-    mechanism.mechanism = wrapType;
-    /* use NULL IV's for wrapping */
-    if (param == NULL) 
-	param = param_free = PK11_ParamFromIV(wrapType,NULL);
-    if (param) {
-	mechanism.pParameter = param->data;
-	mechanism.ulParameterLen = param->len;
-    } else {
-	mechanism.pParameter = NULL;
-	mechanism.ulParameterLen = 0;
-    }
-
-    if ((mechanism_info.flags & CKF_DECRYPT)  
-				&& !PK11_DoesMechanism(slot,target)) {
-	symKey = pk11_HandUnwrap(slot, wrappingKey, &mechanism, wrappedKey, 
-	                         target, keyTemplate, templateCount, keySize, 
-				 wincx, &crv, isPerm);
-	if (symKey) {
-	    if (param_free) SECITEM_FreeItem(param_free,PR_TRUE);
-	    return symKey;
-	}
-	/*
-	 * if the RSA OP simply failed, don't try to unwrap again 
-	 * with this module.
-	 */
-	if (crv == CKR_DEVICE_ERROR){
-	    if (param_free) SECITEM_FreeItem(param_free,PR_TRUE);
-	    return NULL;
-	}
-	/* fall through, maybe they incorrectly set CKF_DECRYPT */
-    }
-
-    /* get our key Structure */
-    symKey = pk11_CreateSymKey(slot, target, !isPerm, PR_TRUE, wincx);
-    if (symKey == NULL) {
-	if (param_free) SECITEM_FreeItem(param_free,PR_TRUE);
-	return NULL;
-    }
-
-    symKey->size = keySize;
-    symKey->origin = PK11_OriginUnwrap;
-
-    if (isPerm) {
-	rwsession = PK11_GetRWSession(slot);
-    } else {
-        pk11_EnterKeyMonitor(symKey);
-	rwsession = symKey->session;
-    }
-    PORT_Assert(rwsession != CK_INVALID_SESSION);
-    if (rwsession == CK_INVALID_SESSION) 
-    	crv = CKR_SESSION_HANDLE_INVALID;
-    else
-	crv = PK11_GETTAB(slot)->C_UnwrapKey(rwsession,&mechanism,wrappingKey,
-		wrappedKey->data, wrappedKey->len, keyTemplate, templateCount, 
-							  &symKey->objectID);
-    if (isPerm) {
-	if (rwsession != CK_INVALID_SESSION)
-	    PK11_RestoreROSession(slot, rwsession);
-    } else {
-        pk11_ExitKeyMonitor(symKey);
-    }
-    if (param_free) SECITEM_FreeItem(param_free,PR_TRUE);
-    if (crv != CKR_OK) {
-	PK11_FreeSymKey(symKey);
-	symKey = NULL;
-	if (crv != CKR_DEVICE_ERROR) {
-	    /* try hand Unwrapping */
-	    symKey = pk11_HandUnwrap(slot, wrappingKey, &mechanism, wrappedKey, 
-				     target, keyTemplate, templateCount,
-				     keySize, wincx, NULL, isPerm);
-	}
-   }
-
-   return symKey;
-}
-
-/* use a symetric key to unwrap another symetric key */
-PK11SymKey *
-PK11_UnwrapSymKey( PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType,
-                   SECItem *param, SECItem *wrappedKey, 
-		   CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, 
-		   int keySize)
-{
-    return pk11_AnyUnwrapKey(wrappingKey->slot, wrappingKey->objectID,
-		    wrapType, param, wrappedKey, target, operation, keySize, 
-		    wrappingKey->cx, NULL, 0, PR_FALSE);
-}
-
-/* use a symetric key to unwrap another symetric key */
-PK11SymKey *
-PK11_UnwrapSymKeyWithFlags(PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType,
-                   SECItem *param, SECItem *wrappedKey, 
-		   CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, 
-		   int keySize, CK_FLAGS flags)
-{
-    CK_BBOOL        ckTrue	= CK_TRUE; 
-    CK_ATTRIBUTE    keyTemplate[MAX_TEMPL_ATTRS];
-    unsigned int    templateCount;
-
-    templateCount = pk11_OpFlagsToAttributes(flags, keyTemplate, &ckTrue);
-    return pk11_AnyUnwrapKey(wrappingKey->slot, wrappingKey->objectID,
-		    wrapType, param, wrappedKey, target, operation, keySize, 
-		    wrappingKey->cx, keyTemplate, templateCount, PR_FALSE);
-}
-
-PK11SymKey *
-PK11_UnwrapSymKeyWithFlagsPerm(PK11SymKey *wrappingKey, 
-		   CK_MECHANISM_TYPE wrapType,
-                   SECItem *param, SECItem *wrappedKey, 
-		   CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, 
-		   int keySize, CK_FLAGS flags, PRBool isPerm)
-{
-    CK_BBOOL        cktrue	= CK_TRUE; 
-    CK_ATTRIBUTE    keyTemplate[MAX_TEMPL_ATTRS];
-    CK_ATTRIBUTE    *attrs;
-    unsigned int    templateCount;
-
-    attrs = keyTemplate;
-    if (isPerm) {
-        PK11_SETATTRS(attrs, CKA_TOKEN,  &cktrue, sizeof(CK_BBOOL)); attrs++;
-    }
-    templateCount = attrs-keyTemplate;
-    templateCount += pk11_OpFlagsToAttributes(flags, attrs, &cktrue);
-
-    return pk11_AnyUnwrapKey(wrappingKey->slot, wrappingKey->objectID,
-		    wrapType, param, wrappedKey, target, operation, keySize, 
-		    wrappingKey->cx, keyTemplate, templateCount, isPerm);
-}
-
-
-/* unwrap a symetric key with a private key. */
-PK11SymKey *
-PK11_PubUnwrapSymKey(SECKEYPrivateKey *wrappingKey, SECItem *wrappedKey,
-	  CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize)
-{
-    CK_MECHANISM_TYPE wrapType = pk11_mapWrapKeyType(wrappingKey->keyType);
-    PK11SlotInfo    *slot = wrappingKey->pkcs11Slot;
-
-    if (SECKEY_HAS_ATTRIBUTE_SET(wrappingKey,CKA_PRIVATE)) {
-	PK11_HandlePasswordCheck(slot,wrappingKey->wincx);
-    }
-    
-    return pk11_AnyUnwrapKey(slot, wrappingKey->pkcs11ID,
-	wrapType, NULL, wrappedKey, target, operation, keySize, 
-	wrappingKey->wincx, NULL, 0, PR_FALSE);
-}
-
-/* unwrap a symetric key with a private key. */
-PK11SymKey *
-PK11_PubUnwrapSymKeyWithFlags(SECKEYPrivateKey *wrappingKey, 
-	  SECItem *wrappedKey, CK_MECHANISM_TYPE target, 
-	  CK_ATTRIBUTE_TYPE operation, int keySize, CK_FLAGS flags)
-{
-    CK_MECHANISM_TYPE wrapType = pk11_mapWrapKeyType(wrappingKey->keyType);
-    CK_BBOOL        ckTrue	= CK_TRUE; 
-    CK_ATTRIBUTE    keyTemplate[MAX_TEMPL_ATTRS];
-    unsigned int    templateCount;
-    PK11SlotInfo    *slot = wrappingKey->pkcs11Slot;
-
-    templateCount = pk11_OpFlagsToAttributes(flags, keyTemplate, &ckTrue);
-
-    if (SECKEY_HAS_ATTRIBUTE_SET(wrappingKey,CKA_PRIVATE)) {
-	PK11_HandlePasswordCheck(slot,wrappingKey->wincx);
-    }
-    
-    return pk11_AnyUnwrapKey(slot, wrappingKey->pkcs11ID,
-	wrapType, NULL, wrappedKey, target, operation, keySize, 
-	wrappingKey->wincx, keyTemplate, templateCount, PR_FALSE);
-}
-
-PK11SymKey *
-PK11_PubUnwrapSymKeyWithFlagsPerm(SECKEYPrivateKey *wrappingKey, 
-	  SECItem *wrappedKey, CK_MECHANISM_TYPE target, 
-	  CK_ATTRIBUTE_TYPE operation, int keySize,
-	  CK_FLAGS flags, PRBool isPerm)
-{
-    CK_MECHANISM_TYPE wrapType = pk11_mapWrapKeyType(wrappingKey->keyType);
-    CK_BBOOL        cktrue	= CK_TRUE; 
-    CK_ATTRIBUTE    keyTemplate[MAX_TEMPL_ATTRS];
-    CK_ATTRIBUTE    *attrs;
-    unsigned int    templateCount;
-    PK11SlotInfo    *slot = wrappingKey->pkcs11Slot;
-
-    attrs = keyTemplate;
-    if (isPerm) {
-        PK11_SETATTRS(attrs, CKA_TOKEN,  &cktrue, sizeof(CK_BBOOL)); attrs++;
-    }
-    templateCount = attrs-keyTemplate;
-
-    templateCount += pk11_OpFlagsToAttributes(flags, attrs, &cktrue);
-
-    if (SECKEY_HAS_ATTRIBUTE_SET(wrappingKey,CKA_PRIVATE)) {
-	PK11_HandlePasswordCheck(slot,wrappingKey->wincx);
-    }
-    
-    return pk11_AnyUnwrapKey(slot, wrappingKey->pkcs11ID,
-	wrapType, NULL, wrappedKey, target, operation, keySize, 
-	wrappingKey->wincx, keyTemplate, templateCount, isPerm);
-}
-
-PK11SymKey*
-PK11_CopySymKeyForSigning(PK11SymKey *originalKey, CK_MECHANISM_TYPE mech)
-{
-    CK_RV crv;
-    CK_ATTRIBUTE setTemplate;
-    CK_BBOOL ckTrue = CK_TRUE; 
-    PK11SlotInfo *slot = originalKey->slot;
-
-    /* first just try to set this key up for signing */
-    PK11_SETATTRS(&setTemplate, CKA_SIGN, &ckTrue, sizeof(ckTrue));
-    pk11_EnterKeyMonitor(originalKey);
-    crv = PK11_GETTAB(slot)-> C_SetAttributeValue(originalKey->session, 
-				originalKey->objectID, &setTemplate, 1);
-    pk11_ExitKeyMonitor(originalKey);
-    if (crv == CKR_OK) {
-	return PK11_ReferenceSymKey(originalKey);
-    }
-
-    /* nope, doesn't like it, use the pk11 copy object command */
-    return pk11_CopyToSlot(slot, mech, CKA_SIGN, originalKey);
-}
-    
-void   
-PK11_SetFortezzaHack(PK11SymKey *symKey) { 
-   symKey->origin = PK11_OriginFortezzaHack;
-}
-
-/*
- * This is required to allow FORTEZZA_NULL and FORTEZZA_RC4
- * working. This function simply gets a valid IV for the keys.
- */
-SECStatus
-PK11_GenerateFortezzaIV(PK11SymKey *symKey,unsigned char *iv,int len)
-{
-    CK_MECHANISM mech_info;
-    CK_ULONG count = 0;
-    CK_RV crv;
-    SECStatus rv = SECFailure;
-
-    mech_info.mechanism = CKM_SKIPJACK_CBC64;
-    mech_info.pParameter = iv;
-    mech_info.ulParameterLen = len;
-
-    /* generate the IV for fortezza */
-    PK11_EnterSlotMonitor(symKey->slot);
-    crv=PK11_GETTAB(symKey->slot)->C_EncryptInit(symKey->slot->session,
-				&mech_info, symKey->objectID);
-    if (crv == CKR_OK) {
-	PK11_GETTAB(symKey->slot)->C_EncryptFinal(symKey->slot->session, 
-								NULL, &count);
-	rv = SECSuccess;
-    }
-    PK11_ExitSlotMonitor(symKey->slot);
-    return rv;
-}
diff --git a/security/nss/lib/pk11wrap/pk11slot.c b/security/nss/lib/pk11wrap/pk11slot.c
deleted file mode 100644
index a92fbf7df..000000000
--- a/security/nss/lib/pk11wrap/pk11slot.c
+++ /dev/null
@@ -1,2298 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * Deal with PKCS #11 Slots.
- */
-#include "seccomon.h"
-#include "secmod.h"
-#include "nssilock.h"
-#include "secmodi.h"
-#include "secmodti.h"
-#include "pkcs11t.h"
-#include "pk11func.h"
-#include "secitem.h"
-#include "secerr.h"
-
-#include "dev.h" 
-#include "dev3hack.h" 
-#include "pkim.h"
-
-
-/*************************************************************
- * local static and global data
- *************************************************************/
-
-/*
- * This array helps parsing between names, mechanisms, and flags.
- * to make the config files understand more entries, add them
- * to this table. (NOTE: we need function to export this table and it's size)
- */
-PK11DefaultArrayEntry PK11_DefaultArray[] = {
-	{ "RSA", SECMOD_RSA_FLAG, CKM_RSA_PKCS },
-	{ "DSA", SECMOD_DSA_FLAG, CKM_DSA },
-	{ "DH", SECMOD_DH_FLAG, CKM_DH_PKCS_DERIVE },
-	{ "RC2", SECMOD_RC2_FLAG, CKM_RC2_CBC },
-	{ "RC4", SECMOD_RC4_FLAG, CKM_RC4 },
-	{ "DES", SECMOD_DES_FLAG, CKM_DES_CBC },
-	{ "AES", SECMOD_AES_FLAG, CKM_AES_CBC },
-	{ "RC5", SECMOD_RC5_FLAG, CKM_RC5_CBC },
-	{ "SHA-1", SECMOD_SHA1_FLAG, CKM_SHA_1 },
-	{ "SHA256", SECMOD_SHA256_FLAG, CKM_SHA256 },
-/*	{ "SHA384", SECMOD_SHA512_FLAG, CKM_SHA384 }, */
-	{ "SHA512", SECMOD_SHA512_FLAG, CKM_SHA512 },
-	{ "MD5", SECMOD_MD5_FLAG, CKM_MD5 },
-	{ "MD2", SECMOD_MD2_FLAG, CKM_MD2 },
-	{ "SSL", SECMOD_SSL_FLAG, CKM_SSL3_PRE_MASTER_KEY_GEN },
-	{ "TLS", SECMOD_TLS_FLAG, CKM_TLS_MASTER_KEY_DERIVE },
-	{ "SKIPJACK", SECMOD_FORTEZZA_FLAG, CKM_SKIPJACK_CBC64 },
-	{ "Publicly-readable certs", SECMOD_FRIENDLY_FLAG, CKM_INVALID_MECHANISM },
-	{ "Random Num Generator", SECMOD_RANDOM_FLAG, CKM_FAKE_RANDOM },
-};
-const int num_pk11_default_mechanisms = 
-                sizeof(PK11_DefaultArray) / sizeof(PK11_DefaultArray[0]);
-
-PK11DefaultArrayEntry *
-PK11_GetDefaultArray(int *size)
-{
-    if (size) {
-	*size = num_pk11_default_mechanisms;
-    }
-    return PK11_DefaultArray;
-}
-
-/*
- * These  slotlists are lists of modules which provide default support for
- *  a given algorithm or mechanism.
- */
-static PK11SlotList pk11_aesSlotList,
-    pk11_desSlotList,
-    pk11_rc4SlotList,
-    pk11_rc2SlotList,
-    pk11_rc5SlotList,
-    pk11_sha1SlotList,
-    pk11_md5SlotList,
-    pk11_md2SlotList,
-    pk11_rsaSlotList,
-    pk11_dsaSlotList,
-    pk11_dhSlotList,
-    pk11_ecSlotList,
-    pk11_ideaSlotList,
-    pk11_sslSlotList,
-    pk11_tlsSlotList,
-    pk11_randomSlotList,
-    pk11_sha256SlotList,
-    pk11_sha512SlotList;	/* slots do SHA512 and SHA384 */
-
-/************************************************************
- * Generic Slot List and Slot List element manipulations
- ************************************************************/
-
-/*
- * allocate a new list 
- */
-PK11SlotList *
-PK11_NewSlotList(void)
-{
-    PK11SlotList *list;
- 
-    list = (PK11SlotList *)PORT_Alloc(sizeof(PK11SlotList));
-    if (list == NULL) return NULL;
-    list->head = NULL;
-    list->tail = NULL;
-    list->lock = PZ_NewLock(nssILockList);
-    if (list->lock == NULL) {
-	PORT_Free(list);
-	return NULL;
-    }
-
-    return list;
-}
-
-/*
- * free a list element when all the references go away.
- */
-SECStatus
-PK11_FreeSlotListElement(PK11SlotList *list, PK11SlotListElement *le)
-{
-    PRBool freeit = PR_FALSE;
-
-    if (list == NULL || le == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    PZ_Lock(list->lock);
-    if (le->refCount-- == 1) {
-	freeit = PR_TRUE;
-    }
-    PZ_Unlock(list->lock);
-    if (freeit) {
-    	PK11_FreeSlot(le->slot);
-	PORT_Free(le);
-    }
-    return SECSuccess;
-}
-
-static void
-pk11_FreeSlotListStatic(PK11SlotList *list)
-{
-    PK11SlotListElement *le, *next ;
-    if (list == NULL) return;
-
-    for (le = list->head ; le; le = next) {
-	next = le->next;
-	PK11_FreeSlotListElement(list,le);
-    }
-    if (list->lock) {
-    	PZ_DestroyLock(list->lock);
-    }
-    list->lock = NULL;
-    list->head = NULL;
-}
-
-/*
- * if we are freeing the list, we must be the only ones with a pointer
- * to the list.
- */
-void
-PK11_FreeSlotList(PK11SlotList *list)
-{
-    pk11_FreeSlotListStatic(list);
-    PORT_Free(list);
-}
-
-/*
- * add a slot to a list
- */
-SECStatus
-PK11_AddSlotToList(PK11SlotList *list,PK11SlotInfo *slot)
-{
-    PK11SlotListElement *le;
-
-    le = (PK11SlotListElement *) PORT_Alloc(sizeof(PK11SlotListElement));
-    if (le == NULL) return SECFailure;
-
-    le->slot = PK11_ReferenceSlot(slot);
-    le->prev = NULL;
-    le->refCount = 1;
-    PZ_Lock(list->lock);
-    if (list->head) list->head->prev = le; else list->tail = le;
-    le->next = list->head;
-    list->head = le;
-    PZ_Unlock(list->lock);
-
-    return SECSuccess;
-}
-
-/*
- * remove a slot entry from the list
- */
-SECStatus
-PK11_DeleteSlotFromList(PK11SlotList *list,PK11SlotListElement *le)
-{
-    PZ_Lock(list->lock);
-    if (le->prev) le->prev->next = le->next; else list->head = le->next;
-    if (le->next) le->next->prev = le->prev; else list->tail = le->prev;
-    le->next = le->prev = NULL;
-    PZ_Unlock(list->lock);
-    PK11_FreeSlotListElement(list,le);
-    return SECSuccess;
-}
-
-/*
- * Move a list to the end of the target list. NOTE: There is no locking
- * here... This assumes BOTH lists are private copy lists.
- */
-SECStatus
-PK11_MoveListToList(PK11SlotList *target,PK11SlotList *src)
-{
-    if (src->head == NULL) return SECSuccess;
-
-    if (target->tail == NULL) {
-	target->head = src->head;
-    } else {
-	target->tail->next = src->head;
-    }
-    src->head->prev = target->tail;
-    target->tail = src->tail;
-    src->head = src->tail = NULL;
-    return SECSuccess;
-}
-
-/*
- * get an element from the list with a reference. You must own the list.
- */
-PK11SlotListElement *
-PK11_GetFirstRef(PK11SlotList *list)
-{
-    PK11SlotListElement *le;
-
-    le = list->head;
-    if (le != NULL) (le)->refCount++;
-    return le;
-}
-
-/*
- * get the next element from the list with a reference. You must own the list.
- */
-PK11SlotListElement *
-PK11_GetNextRef(PK11SlotList *list, PK11SlotListElement *le, PRBool restart)
-{
-    PK11SlotListElement *new_le;
-    new_le = le->next;
-    if (new_le) new_le->refCount++;
-    PK11_FreeSlotListElement(list,le);
-    return new_le;
-}
-
-/*
- * get an element safely from the list. This just makes sure that if
- * this element is not deleted while we deal with it.
- */
-PK11SlotListElement *
-PK11_GetFirstSafe(PK11SlotList *list)
-{
-    PK11SlotListElement *le;
-
-    PZ_Lock(list->lock);
-    le = list->head;
-    if (le != NULL) (le)->refCount++;
-    PZ_Unlock(list->lock);
-    return le;
-}
-
-/*
- * NOTE: if this element gets deleted, we can no longer safely traverse using
- * it's pointers. We can either terminate the loop, or restart from the
- * beginning. This is controlled by the restart option.
- */
-PK11SlotListElement *
-PK11_GetNextSafe(PK11SlotList *list, PK11SlotListElement *le, PRBool restart)
-{
-    PK11SlotListElement *new_le;
-    PZ_Lock(list->lock);
-    new_le = le->next;
-    if (le->next == NULL) {
-	/* if the prev and next fields are NULL then either this element
-	 * has been removed and we need to walk the list again (if restart
-	 * is true) or this was the only element on the list */
-	if ((le->prev == NULL) && restart &&  (list->head != le)) {
-	    new_le = list->head;
-	}
-    }
-    if (new_le) new_le->refCount++;
-    PZ_Unlock(list->lock);
-    PK11_FreeSlotListElement(list,le);
-    return new_le;
-}
-
-
-/*
- * Find the element that holds this slot
- */
-PK11SlotListElement *
-PK11_FindSlotElement(PK11SlotList *list,PK11SlotInfo *slot)
-{
-    PK11SlotListElement *le;
-
-    for (le = PK11_GetFirstSafe(list); le;
-			 	le = PK11_GetNextSafe(list,le,PR_TRUE)) {
-	if (le->slot == slot) return le;
-    }
-    return NULL;
-}
-
-/************************************************************
- * Generic Slot Utilities
- ************************************************************/
-/*
- * Create a new slot structure
- */
-PK11SlotInfo *
-PK11_NewSlotInfo(SECMODModule *mod)
-{
-    PK11SlotInfo *slot;
-
-    slot = (PK11SlotInfo *)PORT_Alloc(sizeof(PK11SlotInfo));
-    if (slot == NULL) return slot;
-
-    slot->sessionLock = mod->isThreadSafe ?
-	PZ_NewLock(nssILockSession) : mod->refLock;
-    if (slot->sessionLock == NULL) {
-	PORT_Free(slot);
-	return slot;
-    }
-    slot->freeListLock = PZ_NewLock(nssILockFreelist);
-    if (slot->freeListLock == NULL) {
-	if (mod->isThreadSafe) {
-	    PZ_DestroyLock(slot->sessionLock);
-	}
-	PORT_Free(slot);
-	return slot;
-    }
-    slot->freeSymKeysWithSessionHead = NULL;
-    slot->freeSymKeysHead = NULL;
-    slot->keyCount = 0;
-    slot->maxKeyCount = 0;
-    slot->functionList = NULL;
-    slot->needTest = PR_TRUE;
-    slot->isPerm = PR_FALSE;
-    slot->isHW = PR_FALSE;
-    slot->isInternal = PR_FALSE;
-    slot->isThreadSafe = PR_FALSE;
-    slot->disabled = PR_FALSE;
-    slot->series = 1;
-    slot->wrapKey = 0;
-    slot->wrapMechanism = CKM_INVALID_MECHANISM;
-    slot->refKeys[0] = CK_INVALID_HANDLE;
-    slot->reason = PK11_DIS_NONE;
-    slot->readOnly = PR_TRUE;
-    slot->needLogin = PR_FALSE;
-    slot->hasRandom = PR_FALSE;
-    slot->defRWSession = PR_FALSE;
-    slot->protectedAuthPath = PR_FALSE;
-    slot->flags = 0;
-    slot->session = CK_INVALID_SESSION;
-    slot->slotID = 0;
-    slot->defaultFlags = 0;
-    slot->refCount = 1;
-    slot->askpw = 0;
-    slot->timeout = 0;
-    slot->mechanismList = NULL;
-    slot->mechanismCount = 0;
-    slot->cert_array = NULL;
-    slot->cert_count = 0;
-    slot->slot_name[0] = 0;
-    slot->token_name[0] = 0;
-    PORT_Memset(slot->serial,' ',sizeof(slot->serial));
-    slot->module = NULL;
-    slot->authTransact = 0;
-    slot->authTime = LL_ZERO;
-    slot->minPassword = 0;
-    slot->maxPassword = 0;
-    slot->hasRootCerts = PR_FALSE;
-    slot->nssToken = NULL;
-    return slot;
-}
-    
-/* create a new reference to a slot so it doesn't go away */
-PK11SlotInfo *
-PK11_ReferenceSlot(PK11SlotInfo *slot)
-{
-    PR_AtomicIncrement(&slot->refCount);
-    return slot;
-}
-
-/* Destroy all info on a slot we have built up */
-void
-PK11_DestroySlot(PK11SlotInfo *slot)
-{
-   /* free up the cached keys and sessions */
-   PK11_CleanKeyList(slot);
-   
-   /* free up all the sessions on this slot */
-   if (slot->functionList) {
-	PK11_GETTAB(slot)->C_CloseAllSessions(slot->slotID);
-   }
-
-   if (slot->mechanismList) {
-	PORT_Free(slot->mechanismList);
-   }
-   if (slot->isThreadSafe && slot->sessionLock) {
-	PZ_DestroyLock(slot->sessionLock);
-   }
-   slot->sessionLock = NULL;
-   if (slot->freeListLock) {
-	PZ_DestroyLock(slot->freeListLock);
-	slot->freeListLock = NULL;
-   }
-
-   /* finally Tell our parent module that we've gone away so it can unload */
-   if (slot->module) {
-	SECMOD_SlotDestroyModule(slot->module,PR_TRUE);
-   }
-
-   /* ok, well not quit finally... now we free the memory */
-   PORT_Free(slot);
-}
-
-
-/* We're all done with the slot, free it */
-void
-PK11_FreeSlot(PK11SlotInfo *slot)
-{
-    if (PR_AtomicDecrement(&slot->refCount) == 0) {
-	PK11_DestroySlot(slot);
-    }
-}
-
-void
-PK11_EnterSlotMonitor(PK11SlotInfo *slot) {
-    PZ_Lock(slot->sessionLock);
-}
-
-void
-PK11_ExitSlotMonitor(PK11SlotInfo *slot) {
-    PZ_Unlock(slot->sessionLock);
-}
-
-/***********************************************************
- * Functions to find specific slots.
- ***********************************************************/
-PRBool
-SECMOD_HasRootCerts(void)
-{
-   SECMODModuleList *mlp;
-   SECMODModuleList *modules = SECMOD_GetDefaultModuleList();
-   SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
-   int i;
-   PRBool found = PR_FALSE;
-
-   /* work through all the slots */
-   SECMOD_GetReadLock(moduleLock);
-   for(mlp = modules; mlp != NULL; mlp = mlp->next) {
-	for (i=0; i < mlp->module->slotCount; i++) {
-	    PK11SlotInfo *tmpSlot = mlp->module->slots[i];
-	    if (PK11_IsPresent(tmpSlot)) {
-		if (tmpSlot->hasRootCerts) {
-		    found = PR_TRUE;
-		    break;
-		}
-	    }
-	}
-	if (found) break;
-    }
-    SECMOD_ReleaseReadLock(moduleLock);
-
-    return found;
-}
-
-/***********************************************************
- * Functions to find specific slots.
- ***********************************************************/
-PK11SlotList *
-PK11_FindSlotsByNames(const char *dllName, const char* slotName,
-                        const char* tokenName, PRBool presentOnly)
-{
-    SECMODModuleList *mlp;
-    SECMODModuleList *modules = SECMOD_GetDefaultModuleList();
-    SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
-    int i;
-    PK11SlotList* slotList = NULL;
-    PRUint32 slotcount = 0;
-    SECStatus rv = SECSuccess;
-
-    slotList = PK11_NewSlotList();
-    if (!slotList) {
-        PORT_SetError(SEC_ERROR_NO_MEMORY);
-        return NULL;
-    }
-
-    if ( ((NULL == dllName) || (0 == *dllName)) &&
-        ((NULL == slotName) || (0 == *slotName)) &&
-        ((NULL == tokenName) || (0 == *tokenName)) ) {
-        /* default to softoken */
-        PK11_AddSlotToList(slotList, PK11_GetInternalKeySlot());
-        return slotList;
-    }
-
-    /* work through all the slots */
-    SECMOD_GetReadLock(moduleLock);
-    for (mlp = modules; mlp != NULL; mlp = mlp->next) {
-        PORT_Assert(mlp->module);
-        if (!mlp->module) {
-            rv = SECFailure;
-            break;
-        }
-        if ((!dllName) || (mlp->module->dllName &&
-            (0 == PORT_Strcmp(mlp->module->dllName, dllName)))) {
-            for (i=0; i < mlp->module->slotCount; i++) {
-                PK11SlotInfo *tmpSlot = (mlp->module->slots?mlp->module->slots[i]:NULL);
-                PORT_Assert(tmpSlot);
-                if (!tmpSlot) {
-                    rv = SECFailure;
-                    break;
-                }
-                if ((PR_FALSE == presentOnly || PK11_IsPresent(tmpSlot)) &&
-                    ( (!tokenName) || (tmpSlot->token_name &&
-                    (0==PORT_Strcmp(tmpSlot->token_name, tokenName)))) &&
-                    ( (!slotName) || (tmpSlot->slot_name &&
-                    (0==PORT_Strcmp(tmpSlot->slot_name, slotName)))) ) {
-                    PK11SlotInfo* slot = PK11_ReferenceSlot(tmpSlot);
-                    if (slot) {
-                        PK11_AddSlotToList(slotList, slot);
-                        slotcount++;
-                    }
-                }
-            }
-        }
-    }
-    SECMOD_ReleaseReadLock(moduleLock);
-
-    if ( (0 == slotcount) || (SECFailure == rv) ) {
-        PORT_SetError(SEC_ERROR_NO_TOKEN);
-        PK11_FreeSlotList(slotList);
-        slotList = NULL;
-    }
-
-    if (SECFailure == rv) {
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-    }
-
-    return slotList;
-}
-
-PK11SlotInfo *
-PK11_FindSlotByName(const char *name)
-{
-   SECMODModuleList *mlp;
-   SECMODModuleList *modules = SECMOD_GetDefaultModuleList();
-   SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
-   int i;
-   PK11SlotInfo *slot = NULL;
-
-   if ((name == NULL) || (*name == 0)) {
-	return PK11_GetInternalKeySlot();
-   }
-
-   /* work through all the slots */
-   SECMOD_GetReadLock(moduleLock);
-   for(mlp = modules; mlp != NULL; mlp = mlp->next) {
-	for (i=0; i < mlp->module->slotCount; i++) {
-	    PK11SlotInfo *tmpSlot = mlp->module->slots[i];
-	    if (PK11_IsPresent(tmpSlot)) {
-		if (PORT_Strcmp(tmpSlot->token_name,name) == 0) {
-		    slot = PK11_ReferenceSlot(tmpSlot);
-		    break;
-		}
-	    }
-	}
-	if (slot != NULL) break;
-    }
-    SECMOD_ReleaseReadLock(moduleLock);
-
-    if (slot == NULL) {
-	PORT_SetError(SEC_ERROR_NO_TOKEN);
-    }
-
-    return slot;
-}
-
-
-PK11SlotInfo *
-PK11_FindSlotBySerial(char *serial)
-{
-   SECMODModuleList *mlp;
-   SECMODModuleList *modules = SECMOD_GetDefaultModuleList();
-   SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
-   int i;
-   PK11SlotInfo *slot = NULL;
-
-   /* work through all the slots */
-   SECMOD_GetReadLock(moduleLock);
-   for(mlp = modules; mlp != NULL; mlp = mlp->next) {
-	for (i=0; i < mlp->module->slotCount; i++) {
-	    PK11SlotInfo *tmpSlot = mlp->module->slots[i];
-	    if (PK11_IsPresent(tmpSlot)) {
-		if (PORT_Memcmp(tmpSlot->serial,serial,
-					sizeof(tmpSlot->serial)) == 0) {
-		    slot = PK11_ReferenceSlot(tmpSlot);
-		    break;
-		}
-	    }
-	}
-	if (slot != NULL) break;
-    }
-    SECMOD_ReleaseReadLock(moduleLock);
-
-    if (slot == NULL) {
-	PORT_SetError(SEC_ERROR_NO_TOKEN);
-    }
-
-    return slot;
-}
-
-/*
- * notification stub. If we ever get interested in any events that
- * the pkcs11 functions may pass back to use, we can catch them here...
- * currently pdata is a slotinfo structure.
- */
-CK_RV pk11_notify(CK_SESSION_HANDLE session, CK_NOTIFICATION event,
-							 CK_VOID_PTR pdata)
-{
-    return CKR_OK;
-}
-
-/*
- * grab a new RW session
- * !!! has a side effect of grabbing the Monitor if either the slot's default
- * session is RW or the slot is not thread safe. Monitor is release in function
- * below
- */
-CK_SESSION_HANDLE PK11_GetRWSession(PK11SlotInfo *slot)
-{
-    CK_SESSION_HANDLE rwsession;
-    CK_RV crv;
-    PRBool haveMonitor = PR_FALSE;
-
-    if (!slot->isThreadSafe || slot->defRWSession) {
-    	PK11_EnterSlotMonitor(slot);
-	haveMonitor = PR_TRUE;
-    }
-    if (slot->defRWSession) {
-	PORT_Assert(slot->session != CK_INVALID_SESSION);
-	if (slot->session != CK_INVALID_SESSION) 
-	    return slot->session;
-    }
-
-    crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
-				CKF_RW_SESSION|CKF_SERIAL_SESSION,
-				  	  slot, pk11_notify,&rwsession);
-    PORT_Assert(rwsession != CK_INVALID_SESSION || crv != CKR_OK);
-    if (crv != CKR_OK || rwsession == CK_INVALID_SESSION) {
-	if (crv == CKR_OK) 
-	    crv = CKR_DEVICE_ERROR;
-	if (haveMonitor)
-	    PK11_ExitSlotMonitor(slot);
-	PORT_SetError(PK11_MapError(crv));
-	return CK_INVALID_SESSION;
-    }
-    if (slot->defRWSession) { /* we have the monitor */
-    	slot->session = rwsession;
-    }
-    return rwsession;
-}
-
-PRBool
-PK11_RWSessionHasLock(PK11SlotInfo *slot,CK_SESSION_HANDLE session_handle) 
-{
-    PRBool hasLock;
-    hasLock = (PRBool)(!slot->isThreadSafe || 
-    	      (slot->defRWSession && slot->session != CK_INVALID_SESSION));
-    return hasLock;
-}
-
-static PRBool
-pk11_RWSessionIsDefault(PK11SlotInfo *slot,CK_SESSION_HANDLE rwsession)
-{
-    PRBool isDefault;
-    isDefault = (PRBool)(slot->session == rwsession &&
-    	                 slot->defRWSession && 
-			 slot->session != CK_INVALID_SESSION);
-    return isDefault;
-}
-
-/*
- * close the rwsession and restore our readonly session
- * !!! has a side effect of releasing the Monitor if either the slot's default
- * session is RW or the slot is not thread safe.
- */
-void
-PK11_RestoreROSession(PK11SlotInfo *slot,CK_SESSION_HANDLE rwsession)
-{
-    PORT_Assert(rwsession != CK_INVALID_SESSION);
-    if (rwsession != CK_INVALID_SESSION) {
-    	PRBool doExit = PK11_RWSessionHasLock(slot, rwsession);
-	if (!pk11_RWSessionIsDefault(slot, rwsession))
-	    PK11_GETTAB(slot)->C_CloseSession(rwsession);
-	if (doExit)
-	    PK11_ExitSlotMonitor(slot);
-    }
-}
-
-/************************************************************
- * Manage the built-In Slot Lists
- ************************************************************/
-
-/* Init the static built int slot list (should actually integrate
- * with PK11_NewSlotList */
-static void
-pk11_InitSlotListStatic(PK11SlotList *list)
-{
-    list->lock = PZ_NewLock(nssILockList);
-    list->head = NULL;
-}
-
-
-/* initialize the system slotlists */
-SECStatus
-PK11_InitSlotLists(void)
-{
-    pk11_InitSlotListStatic(&pk11_aesSlotList);
-    pk11_InitSlotListStatic(&pk11_desSlotList);
-    pk11_InitSlotListStatic(&pk11_rc4SlotList);
-    pk11_InitSlotListStatic(&pk11_rc2SlotList);
-    pk11_InitSlotListStatic(&pk11_rc5SlotList);
-    pk11_InitSlotListStatic(&pk11_md5SlotList);
-    pk11_InitSlotListStatic(&pk11_md2SlotList);
-    pk11_InitSlotListStatic(&pk11_sha1SlotList);
-    pk11_InitSlotListStatic(&pk11_rsaSlotList);
-    pk11_InitSlotListStatic(&pk11_dsaSlotList);
-    pk11_InitSlotListStatic(&pk11_dhSlotList);
-    pk11_InitSlotListStatic(&pk11_ecSlotList);
-    pk11_InitSlotListStatic(&pk11_ideaSlotList);
-    pk11_InitSlotListStatic(&pk11_sslSlotList);
-    pk11_InitSlotListStatic(&pk11_tlsSlotList);
-    pk11_InitSlotListStatic(&pk11_randomSlotList);
-    pk11_InitSlotListStatic(&pk11_sha256SlotList);
-    pk11_InitSlotListStatic(&pk11_sha512SlotList);
-    return SECSuccess;
-}
-
-void
-PK11_DestroySlotLists(void)
-{
-    pk11_FreeSlotListStatic(&pk11_aesSlotList);
-    pk11_FreeSlotListStatic(&pk11_desSlotList);
-    pk11_FreeSlotListStatic(&pk11_rc4SlotList);
-    pk11_FreeSlotListStatic(&pk11_rc2SlotList);
-    pk11_FreeSlotListStatic(&pk11_rc5SlotList);
-    pk11_FreeSlotListStatic(&pk11_md5SlotList);
-    pk11_FreeSlotListStatic(&pk11_md2SlotList);
-    pk11_FreeSlotListStatic(&pk11_sha1SlotList);
-    pk11_FreeSlotListStatic(&pk11_rsaSlotList);
-    pk11_FreeSlotListStatic(&pk11_dsaSlotList);
-    pk11_FreeSlotListStatic(&pk11_dhSlotList);
-    pk11_FreeSlotListStatic(&pk11_ecSlotList);
-    pk11_FreeSlotListStatic(&pk11_ideaSlotList);
-    pk11_FreeSlotListStatic(&pk11_sslSlotList);
-    pk11_FreeSlotListStatic(&pk11_tlsSlotList);
-    pk11_FreeSlotListStatic(&pk11_randomSlotList);
-    pk11_FreeSlotListStatic(&pk11_sha256SlotList);
-    pk11_FreeSlotListStatic(&pk11_sha512SlotList);
-    return;
-}
-
-/* return a system slot list based on mechanism */
-PK11SlotList *
-PK11_GetSlotList(CK_MECHANISM_TYPE type)
-{
-/* XXX a workaround for Bugzilla bug #55267 */
-#if defined(HPUX) && defined(__LP64__)
-    if (CKM_INVALID_MECHANISM == type)
-        return NULL;
-#endif
-    switch (type) {
-    case CKM_AES_CBC:
-    case CKM_AES_ECB:
-	return &pk11_aesSlotList;
-    case CKM_DES_CBC:
-    case CKM_DES_ECB:
-    case CKM_DES3_ECB:
-    case CKM_DES3_CBC:
-	return &pk11_desSlotList;
-    case CKM_RC4:
-	return &pk11_rc4SlotList;
-    case CKM_RC5_CBC:
-	return &pk11_rc5SlotList;
-    case CKM_SHA_1:
-	return &pk11_sha1SlotList;
-    case CKM_SHA256:
-	return &pk11_sha256SlotList;
-    case CKM_SHA384:
-    case CKM_SHA512:
-	return &pk11_sha512SlotList;
-    case CKM_MD5:
-	return &pk11_md5SlotList;
-    case CKM_MD2:
-	return &pk11_md2SlotList;
-    case CKM_RC2_ECB:
-    case CKM_RC2_CBC:
-	return &pk11_rc2SlotList;
-    case CKM_RSA_PKCS:
-    case CKM_RSA_PKCS_KEY_PAIR_GEN:
-    case CKM_RSA_X_509:
-	return &pk11_rsaSlotList;
-    case CKM_DSA:
-	return &pk11_dsaSlotList;
-    case CKM_DH_PKCS_KEY_PAIR_GEN:
-    case CKM_DH_PKCS_DERIVE:
-	return &pk11_dhSlotList;
-    case CKM_ECDSA:
-    case CKM_ECDSA_SHA1:
-    case CKM_EC_KEY_PAIR_GEN: /* aka CKM_ECDSA_KEY_PAIR_GEN */
-    case CKM_ECDH1_DERIVE:
-	return &pk11_ecSlotList;
-    case CKM_SSL3_PRE_MASTER_KEY_GEN:
-    case CKM_SSL3_MASTER_KEY_DERIVE:
-    case CKM_SSL3_SHA1_MAC:
-    case CKM_SSL3_MD5_MAC:
-	return &pk11_sslSlotList;
-    case CKM_TLS_MASTER_KEY_DERIVE:
-    case CKM_TLS_KEY_AND_MAC_DERIVE:
-	return &pk11_tlsSlotList;
-    case CKM_IDEA_CBC:
-    case CKM_IDEA_ECB:
-	return &pk11_ideaSlotList;
-    case CKM_FAKE_RANDOM:
-	return &pk11_randomSlotList;
-    }
-    return NULL;
-}
-
-/*
- * load the static SlotInfo structures used to select a PKCS11 slot.
- * preSlotInfo has a list of all the default flags for the slots on this
- * module.
- */
-void
-PK11_LoadSlotList(PK11SlotInfo *slot, PK11PreSlotInfo *psi, int count)
-{
-    int i;
-
-    for (i=0; i < count; i++) {
-	if (psi[i].slotID == slot->slotID)
-	    break;
-    }
-
-    if (i == count) return;
-
-    slot->defaultFlags = psi[i].defaultFlags;
-    slot->askpw = psi[i].askpw;
-    slot->timeout = psi[i].timeout;
-    slot->hasRootCerts = psi[i].hasRootCerts;
-
-    /* if the slot is already disabled, don't load them into the
-     * default slot lists. We get here so we can save the default
-     * list value. */
-    if (slot->disabled) return;
-
-    /* if the user has disabled us, don't load us in */
-    if (slot->defaultFlags & PK11_DISABLE_FLAG) {
-	slot->disabled = PR_TRUE;
-	slot->reason = PK11_DIS_USER_SELECTED;
-	/* free up sessions and things?? */
-	return;
-    }
-
-    for (i=0; i < num_pk11_default_mechanisms; i++) {
-	if (slot->defaultFlags & PK11_DefaultArray[i].flag) {
-	    CK_MECHANISM_TYPE mechanism = PK11_DefaultArray[i].mechanism;
-	    PK11SlotList *slotList = PK11_GetSlotList(mechanism);
-
-	    if (slotList) PK11_AddSlotToList(slotList,slot);
-	}
-    }
-
-    return;
-}
-
-
-/*
- * update a slot to its new attribute according to the slot list
- * returns: SECSuccess if nothing to do or add/delete is successful
- */
-SECStatus
-PK11_UpdateSlotAttribute(PK11SlotInfo *slot, PK11DefaultArrayEntry *entry,
-                        PRBool add)  
-                        /* add: PR_TRUE if want to turn on */
-{
-    SECStatus result = SECSuccess;
-    PK11SlotList *slotList = PK11_GetSlotList(entry->mechanism);
-
-    if (add) { /* trying to turn on a mechanism */
-                 
-        /* turn on the default flag in the slot */
-        slot->defaultFlags |= entry->flag;
-        
-        /* add this slot to the list */
-        if (slotList!=NULL)
-            result = PK11_AddSlotToList(slotList, slot);
-        
-    } else { /* trying to turn off */
-            
-        /* turn OFF the flag in the slot */ 
-        slot->defaultFlags &= ~entry->flag;
-        
-        if (slotList) {
-            /* find the element in the list & delete it */
-            PK11SlotListElement *le = PK11_FindSlotElement(slotList, slot);
-
-            /* remove the slot from the list */
-            if (le)
-                result = PK11_DeleteSlotFromList(slotList, le);
-        }
-    }
-    return result;
-}
-
-/*
- * clear a slot off of all of it's default list
- */
-void
-PK11_ClearSlotList(PK11SlotInfo *slot)
-{
-    int i;
-
-    if (slot->disabled) return;
-    if (slot->defaultFlags == 0) return;
-
-    for (i=0; i < num_pk11_default_mechanisms; i++) {
-	if (slot->defaultFlags & PK11_DefaultArray[i].flag) {
-	    CK_MECHANISM_TYPE mechanism = PK11_DefaultArray[i].mechanism;
-	    PK11SlotList *slotList = PK11_GetSlotList(mechanism);
-	    PK11SlotListElement *le = NULL;
-
-	    if (slotList) le = PK11_FindSlotElement(slotList,slot);
-
-	    if (le) {
-		PK11_DeleteSlotFromList(slotList,le);
-		PK11_FreeSlotListElement(slotList,le);
-	    }
-	}
-    }
-}
-
-
-/******************************************************************
- *           Slot initialization
- ******************************************************************/
-/*
- * turn a PKCS11 Static Label into a string
- */
-char *
-PK11_MakeString(PRArenaPool *arena,char *space,
-					char *staticString,int stringLen)
-{
-	int i;
-	char *newString;
-	for(i=(stringLen-1); i >= 0; i--) {
-	  if (staticString[i] != ' ') break;
-	}
-	/* move i to point to the last space */
-	i++;
-	if (arena) {
-	    newString = (char*)PORT_ArenaAlloc(arena,i+1 /* space for NULL */);
-	} else if (space) {
-	    newString = space;
-	} else {
-	    newString = (char*)PORT_Alloc(i+1 /* space for NULL */);
-	}
-	if (newString == NULL) return NULL;
-
-	if (i) PORT_Memcpy(newString,staticString, i);
-	newString[i] = 0;
-
-	return newString;
-}
-
-/*
- * verify that slot implements Mechanism mech properly by checking against
- * our internal implementation
- */
-PRBool
-PK11_VerifyMechanism(PK11SlotInfo *slot,PK11SlotInfo *intern,
-  CK_MECHANISM_TYPE mech, SECItem *data, SECItem *iv)
-{
-    PK11Context *test = NULL, *reference = NULL;
-    PK11SymKey *symKey = NULL, *testKey = NULL;
-    SECItem *param = NULL;
-    unsigned char encTest[8];
-    unsigned char encRef[8];
-    int outLenTest,outLenRef;
-    int key_size = 0;
-    PRBool verify = PR_FALSE;
-    SECStatus rv;
-
-    if ((mech == CKM_RC2_CBC) || (mech == CKM_RC2_ECB) || (mech == CKM_RC4)) {
-	key_size = 16;
-    }
-
-    /* initialize the mechanism parameter */
-    param = PK11_ParamFromIV(mech,iv);
-    if (param == NULL) goto loser;
-
-    /* load the keys and contexts */
-    symKey = PK11_KeyGen(intern,mech,NULL, key_size, NULL);
-    if (symKey == NULL) goto loser;
-
-    reference = PK11_CreateContextBySymKey(mech, CKA_ENCRYPT, symKey, param);
-    if (reference == NULL) goto loser;
-
-    testKey = pk11_CopyToSlot(slot, mech, CKA_ENCRYPT, symKey);
-    if (testKey == NULL) goto loser;
-
-    test = PK11_CreateContextBySymKey(mech, CKA_ENCRYPT, testKey, param);
-    if (test == NULL) goto loser;
-    SECITEM_FreeItem(param,PR_TRUE); param = NULL;
-
-    /* encrypt the test data */
-    rv = PK11_CipherOp(test,encTest,&outLenTest,sizeof(encTest),
-							data->data,data->len);
-    if (rv != SECSuccess) goto loser;
-    rv = PK11_CipherOp(reference,encRef,&outLenRef,sizeof(encRef),
-							data->data,data->len);
-    if (rv != SECSuccess) goto loser;
-
-    PK11_DestroyContext(reference,PR_TRUE); reference = NULL;
-    PK11_DestroyContext(test,PR_TRUE); test = NULL;
-
-    if (outLenTest != outLenRef) goto loser;
-    if (PORT_Memcmp(encTest, encRef, outLenTest) != 0) goto loser;
-
-    verify = PR_TRUE;
-
-loser:
-    if (test) PK11_DestroyContext(test,PR_TRUE);
-    if (symKey) PK11_FreeSymKey(symKey);
-    if (testKey) PK11_FreeSymKey(testKey);
-    if (reference) PK11_DestroyContext(reference,PR_TRUE);
-    if (param) SECITEM_FreeItem(param,PR_TRUE);
-
-    return verify;
-}
-
-/*
- * this code verifies that the advertised mechanisms are what they
- * seem to be.
- */
-#define MAX_MECH_LIST_SIZE 30	/* we only know of about 30 odd mechanisms */
-PRBool
-PK11_VerifySlotMechanisms(PK11SlotInfo *slot)
-{
-    CK_MECHANISM_TYPE mechListArray[MAX_MECH_LIST_SIZE];
-    CK_MECHANISM_TYPE *mechList = mechListArray;
-    static SECItem data;
-    static SECItem iv;
-    static unsigned char dataV[8];
-    static unsigned char ivV[8];
-    static PRBool generated = PR_FALSE;
-    CK_ULONG count;
-    int i;
-    CK_RV crv;
-
-    PRBool alloced = PR_FALSE;
-    PK11SlotInfo *intern = PK11_GetInternalSlot();
-
-    /* if we couldn't initialize an internal module, 
-     * we can't check external ones */
-    if (intern == NULL) return PR_FALSE;
-
-    /* first get the count of mechanisms */
-    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID,NULL,&count);
-    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
-    if (crv != CKR_OK) {
-	PK11_FreeSlot(intern);
-	return PR_FALSE;
-    }
-
-
-    /* don't blow up just because the card supports more mechanisms than
-     * we know about, just alloc space for them */
-    if (count > MAX_MECH_LIST_SIZE) {
-    	mechList = (CK_MECHANISM_TYPE *)
-			    PORT_Alloc(count *sizeof(CK_MECHANISM_TYPE));
-	alloced = PR_TRUE;
-	if (mechList == NULL) {
-	    PK11_FreeSlot(intern);
-	    return PR_FALSE;
-	}
-    }
-    /* get the list */
-    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
-    crv =PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID, mechList, &count);
-    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
-    if (crv != CKR_OK) {
-	if (alloced) PORT_Free(mechList);
-	PK11_FreeSlot(intern);
-	return PR_FALSE;
-    }
-
-    if (!generated) {
-	data.data = dataV;
-	data.len = sizeof(dataV);
-	iv.data = ivV;
-	iv.len = sizeof(ivV);
-	/* ok, this is a cheat, we know our internal random number generater
-	 * is thread safe */
-	PK11_GETTAB(intern)->C_GenerateRandom(intern->session,
-							data.data, data.len);
-	PK11_GETTAB(intern)->C_GenerateRandom(intern->session,
-							iv.data, iv.len);
-    }
-    for (i=0; i < (int) count; i++) {
-	switch (mechList[i]) {
-	case CKM_DES_CBC:
-	case CKM_DES_ECB:
-	case CKM_RC4:
-	case CKM_RC2_CBC:
-	case CKM_RC2_ECB:
-	    if (!PK11_VerifyMechanism(slot,intern,mechList[i],&data,&iv)){
-		if (alloced) PORT_Free(mechList);
-    		PK11_FreeSlot(intern);
-		return PR_FALSE;
-	    }
-	}
-    }
-    if (alloced) PORT_Free(mechList);
-    PK11_FreeSlot(intern);
-    return PR_TRUE;
-}
-
-/*
- * See if we need to run the verify test, do so if necessary. If we fail,
- * disable the slot.
- */    
-SECStatus
-pk11_CheckVerifyTest(PK11SlotInfo *slot)
-{
-    PK11_EnterSlotMonitor(slot);
-    if (slot->needTest) {
-	slot->needTest = PR_FALSE; 
-    	PK11_ExitSlotMonitor(slot);
-	if (!PK11_VerifySlotMechanisms(slot)) {
-	    (void)PK11_GETTAB(slot)->C_CloseSession(slot->session);
-	    slot->session = CK_INVALID_SESSION;
-	    PK11_ClearSlotList(slot);
-	    slot->disabled = PR_TRUE;
-	    slot->reason = PK11_DIS_TOKEN_VERIFY_FAILED;
-	    slot->needTest = PR_TRUE;
-	    PORT_SetError(SEC_ERROR_IO);
-	    return SECFailure;
-	}
-    } else {
-    	PK11_ExitSlotMonitor(slot);
-    }
-    return SECSuccess;
-}
-
-/*
- * Reads in the slots mechanism list for later use
- */
-SECStatus
-PK11_ReadMechanismList(PK11SlotInfo *slot)
-{
-    CK_ULONG count;
-    CK_RV crv;
-    PRUint32 i;
-
-    if (slot->mechanismList) {
-	PORT_Free(slot->mechanismList);
-	slot->mechanismList = NULL;
-    }
-    slot->mechanismCount = 0;
-
-    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID,NULL,&count);
-    if (crv != CKR_OK) {
-	if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
-	PORT_SetError(PK11_MapError(crv));
-	return SECFailure;
-    }
-
-    slot->mechanismList = (CK_MECHANISM_TYPE *)
-			    PORT_Alloc(count *sizeof(CK_MECHANISM_TYPE));
-    if (slot->mechanismList == NULL) {
-	if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
-	return SECFailure;
-    }
-    crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID,
-						slot->mechanismList, &count);
-    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
-    if (crv != CKR_OK) {
-	PORT_Free(slot->mechanismList);
-	slot->mechanismList = NULL;
-	PORT_SetError(PK11_MapError(crv));
-	return SECSuccess;
-    }
-    slot->mechanismCount = count;
-    PORT_Memset(slot->mechanismBits, 0, sizeof(slot->mechanismBits));
-
-    for (i=0; i < count; i++) {
-	CK_MECHANISM_TYPE mech = slot->mechanismList[i];
-	if (mech < 0x7ff) {
-	    slot->mechanismBits[mech & 0xff] |= 1 << (mech >> 8);
-	}
-    }
-    return SECSuccess;
-}
-
-/*
- * initialize a new token
- * unlike initialize slot, this can be called multiple times in the lifetime
- * of NSS. It reads the information associated with a card or token,
- * that is not going to change unless the card or token changes.
- */
-SECStatus
-PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts)
-{
-    CK_TOKEN_INFO tokenInfo;
-    CK_RV crv;
-    char *tmp;
-    SECStatus rv;
-
-    /* set the slot flags to the current token values */
-    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID,&tokenInfo);
-    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
-    if (crv != CKR_OK) {
-	PORT_SetError(PK11_MapError(crv));
-	return SECFailure;
-    }
-
-    /* set the slot flags to the current token values */
-    slot->series++; /* allow other objects to detect that the 
-		      * slot is different */
-    slot->flags = tokenInfo.flags;
-    slot->needLogin = ((tokenInfo.flags & CKF_LOGIN_REQUIRED) ? 
-							PR_TRUE : PR_FALSE);
-    slot->readOnly = ((tokenInfo.flags & CKF_WRITE_PROTECTED) ? 
-							PR_TRUE : PR_FALSE);
-    slot->hasRandom = ((tokenInfo.flags & CKF_RNG) ? PR_TRUE : PR_FALSE);
-    slot->protectedAuthPath =
-    		((tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) 
-	 						? PR_TRUE : PR_FALSE);
-    slot->lastLoginCheck = 0;
-    slot->lastState = 0;
-    /* on some platforms Active Card incorrectly sets the 
-     * CKF_PROTECTED_AUTHENTICATION_PATH bit when it doesn't mean to. */
-    if (slot->isActiveCard) {
-	slot->protectedAuthPath = PR_FALSE;
-    }
-    tmp = PK11_MakeString(NULL,slot->token_name,
-			(char *)tokenInfo.label, sizeof(tokenInfo.label));
-    slot->minPassword = tokenInfo.ulMinPinLen;
-    slot->maxPassword = tokenInfo.ulMaxPinLen;
-    PORT_Memcpy(slot->serial,tokenInfo.serialNumber,sizeof(slot->serial));
-
-    nssToken_UpdateName(slot->nssToken);
-
-    slot->defRWSession = (PRBool)((!slot->readOnly) && 
-					(tokenInfo.ulMaxSessionCount == 1));
-    rv = PK11_ReadMechanismList(slot);
-    if (rv != SECSuccess) return rv;
-
-    slot->hasRSAInfo = PR_FALSE;
-    slot->RSAInfoFlags = 0;
-
-    /* initialize the maxKeyCount value */
-    if (tokenInfo.ulMaxSessionCount == 0) {
-	slot->maxKeyCount = 800; /* should be #define or a config param */
-    } else if (tokenInfo.ulMaxSessionCount < 20) {
-	/* don't have enough sessions to keep that many keys around */
-	slot->maxKeyCount = 0;
-    } else {
-	slot->maxKeyCount = tokenInfo.ulMaxSessionCount/2;
-    }
-
-    /* Make sure our session handle is valid */
-    if (slot->session == CK_INVALID_SESSION) {
-	/* we know we don't have a valid session, go get one */
-	CK_SESSION_HANDLE session;
-
-	/* session should be Readonly, serial */
-	if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
-	crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
-	      (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION,
-				  slot,pk11_notify,&session);
-	if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
-	if (crv != CKR_OK) {
-	    PORT_SetError(PK11_MapError(crv));
-	    return SECFailure;
-	}
-	slot->session = session;
-    } else {
-	/* The session we have may be defunct (the token associated with it)
-	 * has been removed   */
-	CK_SESSION_INFO sessionInfo;
-
-	if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
-	crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session,&sessionInfo);
-        if (crv == CKR_DEVICE_ERROR) {
-	    PK11_GETTAB(slot)->C_CloseSession(slot->session);
-	    crv = CKR_SESSION_CLOSED;
-	}
-	if ((crv==CKR_SESSION_CLOSED) || (crv==CKR_SESSION_HANDLE_INVALID)) {
-	    crv =PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
-	      (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION,
-					slot,pk11_notify,&slot->session);
-	    if (crv != CKR_OK) {
-	        PORT_SetError(PK11_MapError(crv));
-		slot->session = CK_INVALID_SESSION;
-		if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
-		return SECFailure;
-	    }
-	}
-	if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
-    }
-
-    nssToken_Refresh(slot->nssToken);
-
-    if (!(slot->needLogin)) {
-	return pk11_CheckVerifyTest(slot);
-    }
-
-
-    if (!(slot->isInternal) && (slot->hasRandom)) {
-	/* if this slot has a random number generater, use it to add entropy
-	 * to the internal slot. */
-	PK11SlotInfo *int_slot = PK11_GetInternalSlot();
-
-	if (int_slot) {
-	    unsigned char random_bytes[32];
-
-	    /* if this slot can issue random numbers, get some entropy from
-	     * that random number generater and give it to our internal token.
-	     */
-	    PK11_EnterSlotMonitor(slot);
-	    crv = PK11_GETTAB(slot)->C_GenerateRandom
-			(slot->session,random_bytes, sizeof(random_bytes));
-	    PK11_ExitSlotMonitor(slot);
-	    if (crv == CKR_OK) {
-	        PK11_EnterSlotMonitor(int_slot);
-		PK11_GETTAB(int_slot)->C_SeedRandom(int_slot->session,
-					random_bytes, sizeof(random_bytes));
-	        PK11_ExitSlotMonitor(int_slot);
-	    }
-
-	    /* Now return the favor and send entropy to the token's random 
-	     * number generater */
-	    PK11_EnterSlotMonitor(int_slot);
-	    crv = PK11_GETTAB(int_slot)->C_GenerateRandom(int_slot->session,
-					random_bytes, sizeof(random_bytes));
-	    PK11_ExitSlotMonitor(int_slot);
-	    if (crv == CKR_OK) {
-	        PK11_EnterSlotMonitor(slot);
-		PK11_GETTAB(slot)->C_SeedRandom(slot->session,
-					random_bytes, sizeof(random_bytes));
-	        PK11_ExitSlotMonitor(slot);
-	    }
-	    PK11_FreeSlot(int_slot);
-	}
-    }
-
-	
-    return SECSuccess;
-}
-
-/*
- * initialize a new token
- * unlike initialize slot, this can be called multiple times in the lifetime
- * of NSS. It reads the information associated with a card or token,
- * that is not going to change unless the card or token changes.
- */
-SECStatus
-PK11_TokenRefresh(PK11SlotInfo *slot)
-{
-    CK_TOKEN_INFO tokenInfo;
-    CK_RV crv;
-
-    /* set the slot flags to the current token values */
-    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID,&tokenInfo);
-    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
-    if (crv != CKR_OK) {
-	PORT_SetError(PK11_MapError(crv));
-	return SECFailure;
-    }
-
-    slot->flags = tokenInfo.flags;
-    slot->needLogin = ((tokenInfo.flags & CKF_LOGIN_REQUIRED) ? 
-							PR_TRUE : PR_FALSE);
-    slot->readOnly = ((tokenInfo.flags & CKF_WRITE_PROTECTED) ? 
-							PR_TRUE : PR_FALSE);
-    slot->hasRandom = ((tokenInfo.flags & CKF_RNG) ? PR_TRUE : PR_FALSE);
-    slot->protectedAuthPath =
-    		((tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) 
-	 						? PR_TRUE : PR_FALSE);
-    /* on some platforms Active Card incorrectly sets the 
-     * CKF_PROTECTED_AUTHENTICATION_PATH bit when it doesn't mean to. */
-    if (slot->isActiveCard) {
-	slot->protectedAuthPath = PR_FALSE;
-    }
-    return SECSuccess;
-}
-
-static PRBool
-pk11_isRootSlot(PK11SlotInfo *slot) 
-{
-    CK_ATTRIBUTE findTemp[1];
-    CK_ATTRIBUTE *attrs;
-    CK_OBJECT_CLASS oclass = CKO_NETSCAPE_BUILTIN_ROOT_LIST;
-    int tsize;
-    CK_OBJECT_HANDLE handle;
-
-    attrs = findTemp;
-    PK11_SETATTRS(attrs, CKA_CLASS, &oclass, sizeof(oclass)); attrs++;
-    tsize = attrs - findTemp;
-    PORT_Assert(tsize <= sizeof(findTemp)/sizeof(CK_ATTRIBUTE));
-
-    handle = pk11_FindObjectByTemplate(slot,findTemp,tsize);
-    if (handle == CK_INVALID_HANDLE) {
-	return PR_FALSE;
-    }
-    return PR_TRUE;
-}
-
-/*
- * Initialize the slot :
- * This initialization code is called on each slot a module supports when
- * it is loaded. It does the bringup initialization. The difference between
- * this and InitToken is Init slot does those one time initialization stuff,
- * usually associated with the reader, while InitToken may get called multiple
- * times as tokens are removed and re-inserted.
- */
-void
-PK11_InitSlot(SECMODModule *mod,CK_SLOT_ID slotID,PK11SlotInfo *slot)
-{
-    SECStatus rv;
-    char *tmp;
-    CK_SLOT_INFO slotInfo;
-
-    slot->functionList = mod->functionList;
-    slot->isInternal = mod->internal;
-    slot->slotID = slotID;
-    slot->isThreadSafe = mod->isThreadSafe;
-    slot->hasRSAInfo = PR_FALSE;
-    
-    if (PK11_GETTAB(slot)->C_GetSlotInfo(slotID,&slotInfo) != CKR_OK) {
-	slot->disabled = PR_TRUE;
-	slot->reason = PK11_DIS_COULD_NOT_INIT_TOKEN;
-	return;
-    }
-
-    /* test to make sure claimed mechanism work */
-    slot->needTest = mod->internal ? PR_FALSE : PR_TRUE;
-    slot->module = mod; /* NOTE: we don't make a reference here because
-			 * modules have references to their slots. This
-			 * works because modules keep implicit references
-			 * from their slots, and won't unload and disappear
-			 * until all their slots have been freed */
-    tmp = PK11_MakeString(NULL,slot->slot_name,
-	 (char *)slotInfo.slotDescription, sizeof(slotInfo.slotDescription));
-    slot->isHW = (PRBool)((slotInfo.flags & CKF_HW_SLOT) == CKF_HW_SLOT);
-#define ACTIVE_CARD "ActivCard SA"
-    slot->isActiveCard = (PRBool)(PORT_Strncmp((char *)slotInfo.manufacturerID,
-				ACTIVE_CARD, sizeof(ACTIVE_CARD)-1) == 0);
-    if ((slotInfo.flags & CKF_REMOVABLE_DEVICE) == 0) {
-	slot->isPerm = PR_TRUE;
-	/* permanment slots must have the token present always */
-	if ((slotInfo.flags & CKF_TOKEN_PRESENT) == 0) {
-	    slot->disabled = PR_TRUE;
-	    slot->reason = PK11_DIS_TOKEN_NOT_PRESENT;
-	    return; /* nothing else to do */
-	}
-    }
-    /* if the token is present, initialize it */
-    if ((slotInfo.flags & CKF_TOKEN_PRESENT) != 0) {
-	rv = PK11_InitToken(slot,PR_TRUE);
-	/* the only hard failures are on permanent devices, or function
-	 * verify failures... function verify failures are already handled
-	 * by tokenInit */
-	if ((rv != SECSuccess) && (slot->isPerm) && (!slot->disabled)) {
-	    slot->disabled = PR_TRUE;
-	    slot->reason = PK11_DIS_COULD_NOT_INIT_TOKEN;
-	}
-    }
-    if (pk11_isRootSlot(slot)) {
-	if (!slot->hasRootCerts) {
-	    slot->module->trustOrder = 100;
-	}
-	slot->hasRootCerts= PR_TRUE;
-    }
-}
-
-	
-
-/*********************************************************************
- *            Slot mapping utility functions.
- *********************************************************************/
-
-/*
- * determine if the token is present. If the token is present, make sure
- * we have a valid session handle. Also set the value of needLogin 
- * appropriately.
- */
-static PRBool
-pk11_IsPresentCertLoad(PK11SlotInfo *slot, PRBool loadCerts)
-{
-    CK_SLOT_INFO slotInfo;
-    CK_SESSION_INFO sessionInfo;
-    CK_RV crv;
-
-    /* disabled slots are never present */
-    if (slot->disabled) {
-	return PR_FALSE;
-    }
-
-    /* permanent slots are always present */
-    if (slot->isPerm && (slot->session != CK_INVALID_SESSION)) {
-	return PR_TRUE;
-    }
-
-    if (slot->nssToken) {
-	return nssToken_IsPresent(slot->nssToken);
-    }
-
-    /* removable slots have a flag that says they are present */
-    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
-    if (PK11_GETTAB(slot)->C_GetSlotInfo(slot->slotID,&slotInfo) != CKR_OK) {
-        if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
-	return PR_FALSE;
-    }
-    if ((slotInfo.flags & CKF_TOKEN_PRESENT) == 0) {
-	/* if the slot is no longer present, close the session */
-	if (slot->session != CK_INVALID_SESSION) {
-	    PK11_GETTAB(slot)->C_CloseSession(slot->session);
-	    slot->session = CK_INVALID_SESSION;
-	}
-        if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
-	return PR_FALSE;
-    }
-
-    /* use the session Info to determine if the card has been removed and then
-     * re-inserted */
-    if (slot->session != CK_INVALID_SESSION) {
-	if (slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
-	crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session, &sessionInfo);
-	if (crv != CKR_OK) {
-	    PK11_GETTAB(slot)->C_CloseSession(slot->session);
-	    slot->session = CK_INVALID_SESSION;
-	}
-        if (slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
-    }
-    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
-
-    /* card has not been removed, current token info is correct */
-    if (slot->session != CK_INVALID_SESSION) return PR_TRUE;
-
-    /* initialize the token info state */
-    if (PK11_InitToken(slot,loadCerts) != SECSuccess) {
-	return PR_FALSE;
-    }
-
-    return PR_TRUE;
-}
-
-/*
- * old version of the routine
- */
-PRBool
-PK11_IsPresent(PK11SlotInfo *slot) {
-   return pk11_IsPresentCertLoad(slot,PR_TRUE);
-}
-
-/* is the slot disabled? */
-PRBool
-PK11_IsDisabled(PK11SlotInfo *slot)
-{
-    return slot->disabled;
-}
-
-/* and why? */
-PK11DisableReasons
-PK11_GetDisabledReason(PK11SlotInfo *slot)
-{
-    return slot->reason;
-}
-
-/* returns PR_TRUE if successfully disable the slot */
-/* returns PR_FALSE otherwise */
-PRBool PK11_UserDisableSlot(PK11SlotInfo *slot) {
-
-    slot->defaultFlags |= PK11_DISABLE_FLAG;
-    slot->disabled = PR_TRUE;
-    slot->reason = PK11_DIS_USER_SELECTED;
-    
-    return PR_TRUE;
-}
-
-PRBool PK11_UserEnableSlot(PK11SlotInfo *slot) {
-
-    slot->defaultFlags &= ~PK11_DISABLE_FLAG;
-    slot->disabled = PR_FALSE;
-    slot->reason = PK11_DIS_NONE;
-    return PR_TRUE;
-}
-
-PRBool PK11_HasRootCerts(PK11SlotInfo *slot) {
-    return slot->hasRootCerts;
-}
-
-/* Get the module this slot is attached to */
-SECMODModule *
-PK11_GetModule(PK11SlotInfo *slot)
-{
-	return slot->module;
-}
-
-/* return the default flags of a slot */
-unsigned long
-PK11_GetDefaultFlags(PK11SlotInfo *slot)
-{
-	return slot->defaultFlags;
-}
-
-/*
- * The following wrapper functions allow us to export an opaque slot
- * function to the rest of libsec and the world... */
-PRBool
-PK11_IsReadOnly(PK11SlotInfo *slot)
-{
-    return slot->readOnly;
-}
-
-PRBool
-PK11_IsHW(PK11SlotInfo *slot)
-{
-    return slot->isHW;
-}
-
-PRBool
-PK11_IsInternal(PK11SlotInfo *slot)
-{
-    return slot->isInternal;
-}
-
-PRBool
-PK11_NeedLogin(PK11SlotInfo *slot)
-{
-    return slot->needLogin;
-}
-
-PRBool
-PK11_IsFriendly(PK11SlotInfo *slot)
-{
-    /* internal slot always has public readable certs */
-    return (PRBool)(slot->isInternal || 
-		    ((slot->defaultFlags & SECMOD_FRIENDLY_FLAG) == 
-		     SECMOD_FRIENDLY_FLAG));
-}
-
-char *
-PK11_GetTokenName(PK11SlotInfo *slot)
-{
-     return slot->token_name;
-}
-
-char *
-PK11_GetSlotName(PK11SlotInfo *slot)
-{
-     return slot->slot_name;
-}
-
-int
-PK11_GetSlotSeries(PK11SlotInfo *slot)
-{
-    return slot->series;
-}
-
-int
-PK11_GetCurrentWrapIndex(PK11SlotInfo *slot)
-{
-    return slot->wrapKey;
-}
-
-CK_SLOT_ID
-PK11_GetSlotID(PK11SlotInfo *slot)
-{
-    return slot->slotID;
-}
-
-SECMODModuleID
-PK11_GetModuleID(PK11SlotInfo *slot)
-{
-    return slot->module->moduleID;
-}
-
-static void
-pk11_zeroTerminatedToBlankPadded(CK_CHAR *buffer, size_t buffer_size)
-{
-    CK_CHAR *walk = buffer;
-    CK_CHAR *end = buffer + buffer_size;
-
-    /* find the NULL */
-    while (walk < end && *walk != '\0') {
-	walk++;
-    }
-
-    /* clear out the buffer */
-    while (walk < end) {
-	*walk++ = ' ';
-    }
-}
-
-/* return the slot info structure */
-SECStatus
-PK11_GetSlotInfo(PK11SlotInfo *slot, CK_SLOT_INFO *info)
-{
-    CK_RV crv;
-
-    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
-    /*
-     * some buggy drivers do not fill the buffer completely, 
-     * erase the buffer first
-     */
-    PORT_Memset(info->slotDescription,' ',sizeof(info->slotDescription));
-    PORT_Memset(info->manufacturerID,' ',sizeof(info->manufacturerID));
-    crv = PK11_GETTAB(slot)->C_GetSlotInfo(slot->slotID,info);
-    pk11_zeroTerminatedToBlankPadded(info->slotDescription,
-					sizeof(info->slotDescription));
-    pk11_zeroTerminatedToBlankPadded(info->manufacturerID,
-					sizeof(info->manufacturerID));
-    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
-    if (crv != CKR_OK) {
-	PORT_SetError(PK11_MapError(crv));
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-/*  return the token info structure */
-SECStatus
-PK11_GetTokenInfo(PK11SlotInfo *slot, CK_TOKEN_INFO *info)
-{
-    CK_RV crv;
-    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
-    /*
-     * some buggy drivers do not fill the buffer completely, 
-     * erase the buffer first
-     */
-    PORT_Memset(info->label,' ',sizeof(info->label));
-    PORT_Memset(info->manufacturerID,' ',sizeof(info->manufacturerID));
-    PORT_Memset(info->model,' ',sizeof(info->model));
-    PORT_Memset(info->serialNumber,' ',sizeof(info->serialNumber));
-    crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID,info);
-    pk11_zeroTerminatedToBlankPadded(info->label,sizeof(info->label));
-    pk11_zeroTerminatedToBlankPadded(info->manufacturerID,
-					sizeof(info->manufacturerID));
-    pk11_zeroTerminatedToBlankPadded(info->model,sizeof(info->model));
-    pk11_zeroTerminatedToBlankPadded(info->serialNumber,
-					sizeof(info->serialNumber));
-    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
-    if (crv != CKR_OK) {
-	PORT_SetError(PK11_MapError(crv));
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-/* Find out if we need to initialize the user's pin */
-PRBool
-PK11_NeedUserInit(PK11SlotInfo *slot)
-{
-    PRBool needUserInit = (PRBool) ((slot->flags & CKF_USER_PIN_INITIALIZED) 
-					== 0);
-
-    if (needUserInit) {
-	CK_TOKEN_INFO info;
-	SECStatus rv;
-
-	/* see if token has been initialized off line */
-	rv = PK11_GetTokenInfo(slot, &info);
-	if (rv == SECSuccess) {
-	    slot->flags = info.flags;
-	}
-    }
-    return (PRBool)((slot->flags & CKF_USER_PIN_INITIALIZED) == 0);
-}
-
-/* get the internal key slot. FIPS has only one slot for both key slots and
- * default slots */
-PK11SlotInfo *
-PK11_GetInternalKeySlot(void)
-{
-    SECMODModule *mod = SECMOD_GetInternalModule();
-    PORT_Assert(mod != NULL);
-    if (!mod) {
-	PORT_SetError( SEC_ERROR_NO_MODULE );
-	return NULL;
-    }
-    return PK11_ReferenceSlot(mod->isFIPS ? mod->slots[0] : mod->slots[1]);
-}
-
-/* get the internal default slot */
-PK11SlotInfo *
-PK11_GetInternalSlot(void) 
-{
-    SECMODModule * mod = SECMOD_GetInternalModule();
-    PORT_Assert(mod != NULL);
-    if (!mod) {
-	PORT_SetError( SEC_ERROR_NO_MODULE );
-	return NULL;
-    }
-    return PK11_ReferenceSlot(mod->slots[0]);
-}
-
-/*
- * check if a given slot supports the requested mechanism
- */
-PRBool
-PK11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type)
-{
-    int i;
-
-    /* CKM_FAKE_RANDOM is not a real PKCS mechanism. It's a marker to
-     * tell us we're looking form someone that has implemented get
-     * random bits */
-    if (type == CKM_FAKE_RANDOM) {
-	return slot->hasRandom;
-    }
-
-    /* for most mechanism, bypass the linear lookup */
-    if (type < 0x7ff) {
-	return (slot->mechanismBits[type & 0xff] & (1 << (type >> 8)))  ?
-		PR_TRUE : PR_FALSE;
-    }
-	   
-    for (i=0; i < (int) slot->mechanismCount; i++) {
-	if (slot->mechanismList[i] == type) return PR_TRUE;
-    }
-    return PR_FALSE;
-}
-
-/*
- * Return true if a token that can do the desired mechanism exists.
- * This allows us to have hardware tokens that can do function XYZ magically
- * allow SSL Ciphers to appear if they are plugged in.
- */
-PRBool
-PK11_TokenExists(CK_MECHANISM_TYPE type)
-{
-    SECMODModuleList *mlp;
-    SECMODModuleList *modules = SECMOD_GetDefaultModuleList();
-    SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
-    PK11SlotInfo *slot;
-    PRBool found = PR_FALSE;
-    int i;
-
-    /* we only need to know if there is a token that does this mechanism.
-     * check the internal module first because it's fast, and supports 
-     * almost everything. */
-    slot = PK11_GetInternalSlot();
-    if (slot) {
-    	found = PK11_DoesMechanism(slot,type);
-	PK11_FreeSlot(slot);
-    }
-    if (found) return PR_TRUE; /* bypass getting module locks */
-
-    SECMOD_GetReadLock(moduleLock);
-    for(mlp = modules; mlp != NULL && (!found); mlp = mlp->next) {
-	for (i=0; i < mlp->module->slotCount; i++) {
-	    slot = mlp->module->slots[i];
-	    if (PK11_IsPresent(slot)) {
-		if (PK11_DoesMechanism(slot,type)) {
-		    found = PR_TRUE;
-		    break;
-		}
-	    }
-	}
-    }
-    SECMOD_ReleaseReadLock(moduleLock);
-    return found;
-}
-
-/*
- * get all the currently available tokens in a list.
- * that can perform the given mechanism. If mechanism is CKM_INVALID_MECHANISM,
- * get all the tokens. Make sure tokens that need authentication are put at
- * the end of this list.
- */
-PK11SlotList *
-PK11_GetAllTokens(CK_MECHANISM_TYPE type, PRBool needRW, PRBool loadCerts, 
-                  void *wincx)
-{
-    PK11SlotList *     list         = PK11_NewSlotList();
-    PK11SlotList *     loginList    = PK11_NewSlotList();
-    PK11SlotList *     friendlyList = PK11_NewSlotList();
-    SECMODModuleList * mlp;
-    SECMODModuleList * modules      = SECMOD_GetDefaultModuleList();
-    SECMODListLock *   moduleLock   = SECMOD_GetDefaultModuleListLock();
-    int                i;
-#if defined( XP_WIN32 ) 
-    int                j            = 0;
-    PRInt32            waste[16];
-#endif
-
-    if ((list == NULL)  || (loginList == NULL) || (friendlyList == NULL)) {
-	if (list) PK11_FreeSlotList(list);
-	if (loginList) PK11_FreeSlotList(loginList);
-	if (friendlyList) PK11_FreeSlotList(friendlyList);
-	return NULL;
-    }
-
-    SECMOD_GetReadLock(moduleLock);
-    for(mlp = modules; mlp != NULL; mlp = mlp->next) {
-
-#if defined( XP_WIN32 ) 
-	/* This is works around some horrible cache/page thrashing problems 
-	** on Win32.  Without this, this loop can take up to 6 seconds at 
-	** 100% CPU on a Pentium-Pro 200.  The thing this changes is to 
-	** increase the size of the stack frame and modify it.  
-	** Moving the loop code itself seems to have no effect.
-	** Dunno why this combination makes a difference, but it does.
-	*/
-	waste[ j & 0xf] = j++; 
-#endif
-
-	for (i = 0; i < mlp->module->slotCount; i++) {
-	    PK11SlotInfo *slot = mlp->module->slots[i];
-
-	    if (pk11_IsPresentCertLoad(slot, loadCerts)) {
-		if (needRW &&  slot->readOnly) continue;
-		if ((type == CKM_INVALID_MECHANISM) 
-					|| PK11_DoesMechanism(slot, type)) {
-		    if (pk11_LoginStillRequired(slot,wincx)) {
-			if (PK11_IsFriendly(slot)) {
-			    PK11_AddSlotToList(friendlyList, slot);
-			} else {
-			    PK11_AddSlotToList(loginList, slot);
-			}
-		    } else {
-			PK11_AddSlotToList(list, slot);
-		    }
-		}
-	    }
-	}
-    }
-    SECMOD_ReleaseReadLock(moduleLock);
-
-    PK11_MoveListToList(list,friendlyList);
-    PK11_FreeSlotList(friendlyList);
-    PK11_MoveListToList(list,loginList);
-    PK11_FreeSlotList(loginList);
-
-    return list;
-}
-
-/*
- * NOTE: This routine is working from a private List generated by 
- * PK11_GetAllTokens. That is why it does not need to lock.
- */
-PK11SlotList *
-PK11_GetPrivateKeyTokens(CK_MECHANISM_TYPE type,PRBool needRW,void *wincx)
-{
-    PK11SlotList *list = PK11_GetAllTokens(type,needRW,PR_TRUE,wincx);
-    PK11SlotListElement *le, *next ;
-    SECStatus rv;
-
-    if (list == NULL) return list;
-
-    for (le = list->head ; le; le = next) {
-	next = le->next; /* save the pointer here in case we have to 
-			  * free the element later */
-        rv = PK11_Authenticate(le->slot,PR_TRUE,wincx);
-	if (rv != SECSuccess) {
-	    PK11_DeleteSlotFromList(list,le);
-	    continue;
-	}
-    }
-    return list;
-}
-
-
-/*
- * find the best slot which supports the given
- * Mechanism. In normal cases this should grab the first slot on the list
- * with no fuss.
- */
-PK11SlotInfo *
-PK11_GetBestSlotMultiple(CK_MECHANISM_TYPE *type, int mech_count, void *wincx)
-{
-    PK11SlotList *list = NULL;
-    PK11SlotListElement *le ;
-    PK11SlotInfo *slot = NULL;
-    PRBool freeit = PR_FALSE;
-    PRBool listNeedLogin = PR_FALSE;
-    int i;
-    SECStatus rv;
-
-    list = PK11_GetSlotList(type[0]);
-
-    if ((list == NULL) || (list->head == NULL)) {
-	/* We need to look up all the tokens for the mechanism */
-	list = PK11_GetAllTokens(type[0],PR_FALSE,PR_TRUE,wincx);
-	freeit = PR_TRUE;
-    }
-
-    /* no one can do it! */
-    if (list == NULL) {
-	PORT_SetError(SEC_ERROR_NO_TOKEN);
-	return NULL;
-    }
-
-    PORT_SetError(0);
-
-
-    listNeedLogin = PR_FALSE;
-    for (i=0; i < mech_count; i++) {
-	if ((type[i] != CKM_FAKE_RANDOM) && 
-	    (type[i] != CKM_SHA_1) &&
-	    (type[i] != CKM_SHA256) &&
-	    (type[i] != CKM_SHA384) &&
-	    (type[i] != CKM_SHA512) &&
-	    (type[i] != CKM_MD5) && 
-	    (type[i] != CKM_MD2)) {
-	    listNeedLogin = PR_TRUE;
-	    break;
-	}
-    }
-
-    for (le = PK11_GetFirstSafe(list); le;
-			 	le = PK11_GetNextSafe(list,le,PR_TRUE)) {
-	if (PK11_IsPresent(le->slot)) {
-	    PRBool doExit = PR_FALSE;
-	    for (i=0; i < mech_count; i++) {
-	    	if (!PK11_DoesMechanism(le->slot,type[i])) {
-		    doExit = PR_TRUE;
-		    break;
-		}
-	    }
-	    if (doExit) continue;
-	      
-	    if (listNeedLogin && le->slot->needLogin) {
-		rv = PK11_Authenticate(le->slot,PR_TRUE,wincx);
-		if (rv != SECSuccess) continue;
-	    }
-	    slot = le->slot;
-	    PK11_ReferenceSlot(slot);
-	    PK11_FreeSlotListElement(list,le);
-	    if (freeit) { PK11_FreeSlotList(list); }
-	    return slot;
-	}
-    }
-    if (freeit) { PK11_FreeSlotList(list); }
-    if (PORT_GetError() == 0) {
-	PORT_SetError(SEC_ERROR_NO_TOKEN);
-    }
-    return NULL;
-}
-
-/* original get best slot now calls the multiple version with only one type */
-PK11SlotInfo *
-PK11_GetBestSlot(CK_MECHANISM_TYPE type, void *wincx)
-{
-    return PK11_GetBestSlotMultiple(&type, 1, wincx);
-}
-
-int
-PK11_GetBestKeyLength(PK11SlotInfo *slot,CK_MECHANISM_TYPE mechanism)
-{
-    CK_MECHANISM_INFO mechanism_info;
-    CK_RV crv;
-
-    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID,
-                               mechanism,&mechanism_info);
-    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
-    if (crv != CKR_OK) return 0;
-
-    if (mechanism_info.ulMinKeySize == mechanism_info.ulMaxKeySize) 
-		return 0;
-    return mechanism_info.ulMaxKeySize;
-}
-
-SECStatus
-PK11_SeedRandom(PK11SlotInfo *slot, unsigned char *data, int len) {
-    CK_RV crv;
-
-    PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB(slot)->C_SeedRandom(slot->session, data, (CK_ULONG)len);
-    PK11_ExitSlotMonitor(slot);
-    if (crv != CKR_OK) {
-	PORT_SetError(PK11_MapError(crv));
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-
-SECStatus
-PK11_GenerateRandomOnSlot(PK11SlotInfo *slot, unsigned char *data, int len) {
-    CK_RV crv;
-
-    if (!slot->isInternal) PK11_EnterSlotMonitor(slot);
-    crv = PK11_GETTAB(slot)->C_GenerateRandom(slot->session,data, 
-							(CK_ULONG)len);
-    if (!slot->isInternal) PK11_ExitSlotMonitor(slot);
-    if (crv != CKR_OK) {
-	PORT_SetError(PK11_MapError(crv));
-	return  SECFailure;
-    }
-    return SECSuccess;
-}
-
-/* Attempts to update the Best Slot for "FAKE RANDOM" generation.
-** If that's not the internal slot, then it also attempts to update the
-** internal slot.
-** The return value indicates if the INTERNAL slot was updated OK.
-*/
-SECStatus
-PK11_RandomUpdate(void *data, size_t bytes)
-{
-    PK11SlotInfo *slot;
-    PRBool        bestIsInternal;
-    SECStatus     status;
-
-    slot = PK11_GetBestSlot(CKM_FAKE_RANDOM, NULL);
-    if (slot == NULL) {
-	slot = PK11_GetInternalSlot();
-	if (!slot)
-	    return SECFailure;
-    }
-
-    bestIsInternal = PK11_IsInternal(slot);
-    status = PK11_SeedRandom(slot, data, bytes);
-    PK11_FreeSlot(slot);
-
-    if (!bestIsInternal) {
-    	/* do internal slot, too. */
-    	slot = PK11_GetInternalSlot();	/* can't fail */
-	status = PK11_SeedRandom(slot, data, bytes);
-	PK11_FreeSlot(slot);
-    }
-    return status;
-}
-
-
-SECStatus
-PK11_GenerateRandom(unsigned char *data,int len) {
-    PK11SlotInfo *slot;
-    SECStatus rv;
-
-    slot = PK11_GetBestSlot(CKM_FAKE_RANDOM,NULL);
-    if (slot == NULL) return SECFailure;
-
-    rv = PK11_GenerateRandomOnSlot(slot, data, len);
-    PK11_FreeSlot(slot);
-    return rv;
-}
-
-/*
- * Reset the token to it's initial state. For the internal module, this will
- * Purge your keydb, and reset your cert db certs to USER_INIT.
- */
-SECStatus 
-PK11_ResetToken(PK11SlotInfo *slot, char *sso_pwd)
-{
-    unsigned char tokenName[32];
-    int tokenNameLen;
-    CK_RV crv;
-
-    /* reconstruct the token name */
-    tokenNameLen = PORT_Strlen(slot->token_name);
-    if (tokenNameLen > sizeof(tokenName)) {
-	tokenNameLen = sizeof(tokenName);
-    }
-
-    PORT_Memcpy(tokenName,slot->token_name,tokenNameLen);
-    if (tokenNameLen < sizeof(tokenName)) {
-	PORT_Memset(&tokenName[tokenNameLen],' ',
-					 sizeof(tokenName)-tokenNameLen);
-    }
-
-    /* initialize the token */    
-    PK11_EnterSlotMonitor(slot);
-
-    /* first shutdown the token. Existing sessions will get closed here */
-    PK11_GETTAB(slot)->C_CloseAllSessions(slot->slotID);
-    slot->session = CK_INVALID_SESSION;
-
-    /* now re-init the token */ 
-    crv = PK11_GETTAB(slot)->C_InitToken(slot->slotID,
-	(unsigned char *)sso_pwd, sso_pwd ? PORT_Strlen(sso_pwd): 0, tokenName);
-
-    /* finally bring the token back up */
-    PK11_InitToken(slot,PR_TRUE);
-    PK11_ExitSlotMonitor(slot);
-    if (crv != CKR_OK) {
-	PORT_SetError(PK11_MapError(crv));
-	return SECFailure;
-    }
-    nssTrustDomain_UpdateCachedTokenCerts(slot->nssToken->trustDomain,
-	                                      slot->nssToken);
-    return SECSuccess;
-}
-void
-PK11Slot_SetNSSToken(PK11SlotInfo *sl, NSSToken *nsst) 
-{
-    sl->nssToken = nsst;
-}
-
-NSSToken *
-PK11Slot_GetNSSToken(PK11SlotInfo *sl) 
-{
-    return sl->nssToken;
-}
-
-/*
- * wait for a token to change it's state. The application passes in the expected
- * new state in event. 
- */
-PK11TokenStatus
-PK11_WaitForTokenEvent(PK11SlotInfo *slot, PK11TokenEvent event, 
-	PRIntervalTime timeout, PRIntervalTime latency, int series)
-{
-   PRIntervalTime first_time = 0;
-   PRBool first_time_set = PR_FALSE;
-   PRBool waitForRemoval;
-
-   if (slot->isPerm) {
-	return PK11TokenNotRemovable;
-   }
-   if (latency == 0) {
-	latency = PR_SecondsToInterval(5);
-   }
-   waitForRemoval = (PRBool) (event == PK11TokenRemovedOrChangedEvent);
-
-   if (series == 0) {
-	series = PK11_GetSlotSeries(slot);
-   }
-   while (PK11_IsPresent(slot) == waitForRemoval ) {
-	PRIntervalTime interval;
-
-	if (waitForRemoval && series != PK11_GetSlotSeries(slot)) {
-	    return PK11TokenChanged;
-	}
-	if (timeout == PR_INTERVAL_NO_WAIT) {
-	    return waitForRemoval ? PK11TokenPresent : PK11TokenRemoved;
-	}
-	if (timeout != PR_INTERVAL_NO_TIMEOUT ) {
-	    interval = PR_IntervalNow();
-	    if (!first_time_set) {
-		first_time = interval;
-		first_time_set = PR_TRUE;
-	    }
-	    if ((interval-first_time) > timeout) {
-		return waitForRemoval ? PK11TokenPresent : PK11TokenRemoved;
-	    }
-	}
-	PR_Sleep(latency);
-   }
-   return waitForRemoval ? PK11TokenRemoved : PK11TokenPresent;
-}
diff --git a/security/nss/lib/pk11wrap/pk11util.c b/security/nss/lib/pk11wrap/pk11util.c
deleted file mode 100644
index e4edaf2e6..000000000
--- a/security/nss/lib/pk11wrap/pk11util.c
+++ /dev/null
@@ -1,1440 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * Initialize the PCKS 11 subsystem
- */
-#include "seccomon.h"
-#include "secmod.h"
-#include "nssilock.h"
-#include "secmodi.h"
-#include "secmodti.h"
-#include "pk11func.h"
-#include "pki3hack.h"
-#include "secerr.h"
-#include "dev.h"
-#include "pkcs11ni.h"
-
-/* these are for displaying error messages */
-
-static  SECMODModuleList *modules = NULL;
-static  SECMODModuleList *modulesDB = NULL;
-static  SECMODModuleList *modulesUnload = NULL;
-static  SECMODModule *internalModule = NULL;
-static  SECMODModule *defaultDBModule = NULL;
-static  SECMODModule *pendingModule = NULL;
-static SECMODListLock *moduleLock = NULL;
-
-int secmod_PrivateModuleCount = 0;
-
-extern PK11DefaultArrayEntry PK11_DefaultArray[];
-extern int num_pk11_default_mechanisms;
-
-
-void
-SECMOD_Init() 
-{
-    /* don't initialize twice */
-    if (moduleLock) return;
-
-    moduleLock = SECMOD_NewListLock();
-    PK11_InitSlotLists();
-}
-
-
-SECStatus
-SECMOD_Shutdown() 
-{
-    /* destroy the lock */
-    if (moduleLock) {
-	SECMOD_DestroyListLock(moduleLock);
-	moduleLock = NULL;
-    }
-    /* free the internal module */
-    if (internalModule) {
-	SECMOD_DestroyModule(internalModule);
-	internalModule = NULL;
-    }
-
-    /* free the default database module */
-    if (defaultDBModule) {
-	SECMOD_DestroyModule(defaultDBModule);
-	defaultDBModule = NULL;
-    }
-	
-    /* destroy the list */
-    if (modules) {
-	SECMOD_DestroyModuleList(modules);
-	modules = NULL;
-    }
-   
-    if (modulesDB) {
-	SECMOD_DestroyModuleList(modulesDB);
-	modulesDB = NULL;
-    }
-
-    if (modulesUnload) {
-	SECMOD_DestroyModuleList(modulesUnload);
-	modulesUnload = NULL;
-    }
-
-    /* make all the slots and the lists go away */
-    PK11_DestroySlotLists();
-
-    nss_DumpModuleLog();
-
-#ifdef DEBUG
-    if (PR_GetEnv("NSS_STRICT_SHUTDOWN")) {
-	PORT_Assert(secmod_PrivateModuleCount == 0);
-    }
-#endif
-    if (secmod_PrivateModuleCount) {
-    	PORT_SetError(SEC_ERROR_BUSY);
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-
-/*
- * retrieve the internal module
- */
-SECMODModule *
-SECMOD_GetInternalModule(void)
-{
-   return internalModule;
-}
-
-
-SECStatus
-secmod_AddModuleToList(SECMODModuleList **moduleList,SECMODModule *newModule)
-{
-    SECMODModuleList *mlp, *newListElement, *last = NULL;
-
-    newListElement = SECMOD_NewModuleListElement();
-    if (newListElement == NULL) {
-	return SECFailure;
-    }
-
-    newListElement->module = SECMOD_ReferenceModule(newModule);
-
-    SECMOD_GetWriteLock(moduleLock);
-    /* Added it to the end (This is very inefficient, but Adding a module
-     * on the fly should happen maybe 2-3 times through the life this program
-     * on a given computer, and this list should be *SHORT*. */
-    for(mlp = *moduleList; mlp != NULL; mlp = mlp->next) {
-	last = mlp;
-    }
-
-    if (last == NULL) {
-	*moduleList = newListElement;
-    } else {
-	SECMOD_AddList(last,newListElement,NULL);
-    }
-    SECMOD_ReleaseWriteLock(moduleLock);
-    return SECSuccess;
-}
-
-SECStatus
-SECMOD_AddModuleToList(SECMODModule *newModule)
-{
-    if (newModule->internal && !internalModule) {
-	internalModule = SECMOD_ReferenceModule(newModule);
-    }
-    return secmod_AddModuleToList(&modules,newModule);
-}
-
-SECStatus
-SECMOD_AddModuleToDBOnlyList(SECMODModule *newModule)
-{
-    if (defaultDBModule == NULL) {
-	defaultDBModule = SECMOD_ReferenceModule(newModule);
-    }
-    return secmod_AddModuleToList(&modulesDB,newModule);
-}
-
-SECStatus
-SECMOD_AddModuleToUnloadList(SECMODModule *newModule)
-{
-    return secmod_AddModuleToList(&modulesUnload,newModule);
-}
-
-/*
- * get the list of PKCS11 modules that are available.
- */
-SECMODModuleList * SECMOD_GetDefaultModuleList() { return modules; }
-SECMODModuleList *SECMOD_GetDeadModuleList() { return modulesUnload; }
-SECMODModuleList *SECMOD_GetDBModuleList() { return modulesDB; }
-
-/*
- * This lock protects the global module lists.
- * it also protects changes to the slot array (module->slots[]) and slot count 
- * (module->slotCount) in each module. It is a read/write lock with multiple 
- * readers or one writer. Writes are uncommon. 
- * Because of legacy considerations protection of the slot array and count is 
- * only necessary in applications if the application calls 
- * SECMOD_UpdateSlotList() or SECMOD_WaitForAnyTokenEvent(), though all new
- * applications are encouraged to acquire this lock when reading the
- * slot array information directly.
- */
-SECMODListLock *SECMOD_GetDefaultModuleListLock() { return moduleLock; }
-
-
-
-/*
- * find a module by name, and add a reference to it.
- * return that module.
- */
-SECMODModule *
-SECMOD_FindModule(const char *name)
-{
-    SECMODModuleList *mlp;
-    SECMODModule *module = NULL;
-
-    SECMOD_GetReadLock(moduleLock);
-    for(mlp = modules; mlp != NULL; mlp = mlp->next) {
-	if (PORT_Strcmp(name,mlp->module->commonName) == 0) {
-	    module = mlp->module;
-	    SECMOD_ReferenceModule(module);
-	    break;
-	}
-    }
-    if (module) {
-	goto found;
-    }
-    for(mlp = modulesUnload; mlp != NULL; mlp = mlp->next) {
-	if (PORT_Strcmp(name,mlp->module->commonName) == 0) {
-	    module = mlp->module;
-	    SECMOD_ReferenceModule(module);
-	    break;
-	}
-    }
-
-found:
-    SECMOD_ReleaseReadLock(moduleLock);
-
-    return module;
-}
-
-/*
- * find a module by ID, and add a reference to it.
- * return that module.
- */
-SECMODModule *
-SECMOD_FindModuleByID(SECMODModuleID id) 
-{
-    SECMODModuleList *mlp;
-    SECMODModule *module = NULL;
-
-    SECMOD_GetReadLock(moduleLock);
-    for(mlp = modules; mlp != NULL; mlp = mlp->next) {
-	if (id == mlp->module->moduleID) {
-	    module = mlp->module;
-	    SECMOD_ReferenceModule(module);
-	    break;
-	}
-    }
-    SECMOD_ReleaseReadLock(moduleLock);
-    if (module == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MODULE);
-    }
-    return module;
-}
-
-/*
- * Find the Slot based on ID and the module.
- */
-PK11SlotInfo *
-SECMOD_FindSlotByID(SECMODModule *module, CK_SLOT_ID slotID)
-{
-    int i;
-    PK11SlotInfo *slot = NULL;
-
-    SECMOD_GetReadLock(moduleLock);
-    for (i=0; i < module->slotCount; i++) {
-	PK11SlotInfo *cSlot = module->slots[i];
-
-	if (cSlot->slotID == slotID) {
-	    slot = PK11_ReferenceSlot(cSlot);
-	    break;
-	}
-    }
-    SECMOD_ReleaseReadLock(moduleLock);
-
-    if (slot == NULL) {
-	PORT_SetError(SEC_ERROR_NO_SLOT_SELECTED);
-    }
-    return slot;
-}
-
-/*
- * lookup the Slot module based on it's module ID and slot ID.
- */
-PK11SlotInfo *
-SECMOD_LookupSlot(SECMODModuleID moduleID,CK_SLOT_ID slotID) 
-{
-    SECMODModule *module;
-    PK11SlotInfo *slot;
-
-    module = SECMOD_FindModuleByID(moduleID);
-    if (module == NULL) return NULL;
-
-    slot = SECMOD_FindSlotByID(module, slotID);
-    SECMOD_DestroyModule(module);
-    return slot;
-}
-
-
-/*
- * find a module by name or module pointer and delete it off the module list.
- * optionally remove it from secmod.db.
- */
-SECStatus
-SECMOD_DeleteModuleEx(const char *name, SECMODModule *mod, 
-						int *type, PRBool permdb) 
-{
-    SECMODModuleList *mlp;
-    SECMODModuleList **mlpp;
-    SECStatus rv = SECFailure;
-
-    *type = SECMOD_EXTERNAL;
-
-    SECMOD_GetWriteLock(moduleLock);
-    for (mlpp = &modules,mlp = modules; 
-				mlp != NULL; mlpp = &mlp->next, mlp = *mlpp) {
-	if ((name && (PORT_Strcmp(name,mlp->module->commonName) == 0)) ||
-							mod == mlp->module) {
-	    /* don't delete the internal module */
-	    if (!mlp->module->internal) {
-		SECMOD_RemoveList(mlpp,mlp);
-		/* delete it after we release the lock */
-		rv = STAN_RemoveModuleFromDefaultTrustDomain(mlp->module);
-	    } else if (mlp->module->isFIPS) {
-		*type = SECMOD_FIPS;
-	    } else {
-		*type = SECMOD_INTERNAL;
-	    }
-	    break;
-	}
-    }
-    if (mlp) {
-	goto found;
-    }
-    /* not on the internal list, check the unload list */
-    for (mlpp = &modulesUnload,mlp = modulesUnload; 
-				mlp != NULL; mlpp = &mlp->next, mlp = *mlpp) {
-	if ((name && (PORT_Strcmp(name,mlp->module->commonName) == 0)) ||
-							mod == mlp->module) {
-	    /* don't delete the internal module */
-	    if (!mlp->module->internal) {
-		SECMOD_RemoveList(mlpp,mlp);
-		rv = SECSuccess;
-	    } else if (mlp->module->isFIPS) {
-		*type = SECMOD_FIPS;
-	    } else {
-		*type = SECMOD_INTERNAL;
-	    }
-	    break;
-	}
-    }
-found:
-    SECMOD_ReleaseWriteLock(moduleLock);
-
-
-    if (rv == SECSuccess) {
-	if (permdb) {
- 	    SECMOD_DeletePermDB(mlp->module);
-	}
-	SECMOD_DestroyModuleListElement(mlp);
-    }
-    return rv;
-}
-
-/*
- * find a module by name and delete it off the module list
- */
-SECStatus
-SECMOD_DeleteModule(const char *name, int *type) 
-{
-    return SECMOD_DeleteModuleEx(name, NULL, type, PR_TRUE);
-}
-
-/*
- * find a module by name and delete it off the module list
- */
-SECStatus
-SECMOD_DeleteInternalModule(const char *name) 
-{
-    SECMODModuleList *mlp;
-    SECMODModuleList **mlpp;
-    SECStatus rv = SECFailure;
-
-    if (pendingModule) {
-	PORT_SetError(SEC_ERROR_MODULE_STUCK);
-	return rv;
-    }
-
-    SECMOD_GetWriteLock(moduleLock);
-    for(mlpp = &modules,mlp = modules; 
-				mlp != NULL; mlpp = &mlp->next, mlp = *mlpp) {
-	if (PORT_Strcmp(name,mlp->module->commonName) == 0) {
-	    /* don't delete the internal module */
-	    if (mlp->module->internal) {
-		SECMOD_RemoveList(mlpp,mlp);
-		rv = STAN_RemoveModuleFromDefaultTrustDomain(mlp->module);
-	    } 
-	    break;
-	}
-    }
-    SECMOD_ReleaseWriteLock(moduleLock);
-
-    if (rv == SECSuccess) {
-	SECMODModule *newModule,*oldModule;
-
-	if (mlp->module->isFIPS) {
-    	    newModule = SECMOD_CreateModule(NULL, SECMOD_INT_NAME,
-				NULL, SECMOD_INT_FLAGS);
-	} else {
-    	    newModule = SECMOD_CreateModule(NULL, SECMOD_FIPS_NAME,
-				NULL, SECMOD_FIPS_FLAGS);
-	}
-	if (newModule) {
-	    newModule->libraryParams = 
-	     PORT_ArenaStrdup(newModule->arena,mlp->module->libraryParams);
-	    rv = SECMOD_AddModule(newModule);
-	    if (rv != SECSuccess) {
-		SECMOD_DestroyModule(newModule);
-		newModule = NULL;
-	    }
-	}
-	if (newModule == NULL) {
-	    SECMODModuleList *last = NULL,*mlp2;
-	   /* we're in pretty deep trouble if this happens...Security
-	    * not going to work well... try to put the old module back on
-	    * the list */
-	   SECMOD_GetWriteLock(moduleLock);
-	   for(mlp2 = modules; mlp2 != NULL; mlp2 = mlp->next) {
-		last = mlp2;
-	   }
-
-	   if (last == NULL) {
-		modules = mlp;
-	   } else {
-		SECMOD_AddList(last,mlp,NULL);
-	   }
-	   SECMOD_ReleaseWriteLock(moduleLock);
-	   return SECFailure; 
-	}
-	pendingModule = oldModule = internalModule;
-	internalModule = NULL;
-	SECMOD_DestroyModule(oldModule);
- 	SECMOD_DeletePermDB(mlp->module);
-	SECMOD_DestroyModuleListElement(mlp);
-	internalModule = newModule; /* adopt the module */
-    }
-    return rv;
-}
-
-SECStatus
-SECMOD_AddModule(SECMODModule *newModule) 
-{
-    SECStatus rv;
-    SECMODModule *oldModule;
-
-    /* Test if a module w/ the same name already exists */
-    /* and return SECWouldBlock if so. */
-    /* We should probably add a new return value such as */
-    /* SECDublicateModule, but to minimize ripples, I'll */
-    /* give SECWouldBlock a new meaning */
-    if ((oldModule = SECMOD_FindModule(newModule->commonName)) != NULL) {
-	SECMOD_DestroyModule(oldModule);
-        return SECWouldBlock;
-        /* module already exists. */
-    }
-
-    rv = SECMOD_LoadPKCS11Module(newModule);
-    if (rv != SECSuccess) {
-	return rv;
-    }
-
-    if (newModule->parent == NULL) {
-	newModule->parent = SECMOD_ReferenceModule(defaultDBModule);
-    }
-
-    SECMOD_AddPermDB(newModule);
-    SECMOD_AddModuleToList(newModule);
-
-    rv = STAN_AddModuleToDefaultTrustDomain(newModule);
-
-    return rv;
-}
-
-PK11SlotInfo *
-SECMOD_FindSlot(SECMODModule *module,const char *name) 
-{
-    int i;
-    char *string;
-    PK11SlotInfo *retSlot = NULL;
-
-    SECMOD_GetReadLock(moduleLock);
-    for (i=0; i < module->slotCount; i++) {
-	PK11SlotInfo *slot = module->slots[i];
-
-	if (PK11_IsPresent(slot)) {
-	    string = PK11_GetTokenName(slot);
-	} else {
-	    string = PK11_GetSlotName(slot);
-	}
-	if (PORT_Strcmp(name,string) == 0) {
-	    retSlot = PK11_ReferenceSlot(slot);
-	    break;
-	}
-    }
-    SECMOD_ReleaseReadLock(moduleLock);
-
-    if (retSlot == NULL) {
-	PORT_SetError(SEC_ERROR_NO_SLOT_SELECTED);
-    }
-    return retSlot;
-}
-
-SECStatus
-PK11_GetModInfo(SECMODModule *mod,CK_INFO *info)
-{
-    CK_RV crv;
-
-    if (mod->functionList == NULL) return SECFailure;
-    crv = PK11_GETTAB(mod)->C_GetInfo(info);
-    if (crv != CKR_OK) {
-	PORT_SetError(PK11_MapError(crv));
-    }	
-    return (crv == CKR_OK) ? SECSuccess : SECFailure;
-}
-
-/* Determine if we have the FIP's module loaded as the default
- * module to trigger other bogus FIPS requirements in PKCS #12 and
- * SSL
- */
-PRBool
-PK11_IsFIPS(void)
-{
-    SECMODModule *mod = SECMOD_GetInternalModule();
-
-    if (mod && mod->internal) {
-	return mod->isFIPS;
-    }
-
-    return PR_FALSE;
-}
-
-/* combines NewModule() & AddModule */
-/* give a string for the module name & the full-path for the dll, */
-/* installs the PKCS11 module & update registry */
-SECStatus 
-SECMOD_AddNewModuleEx(const char* moduleName, const char* dllPath,
-                              unsigned long defaultMechanismFlags,
-                              unsigned long cipherEnableFlags,
-                              char* modparms, char* nssparms)
-{
-    SECMODModule *module;
-    SECStatus result = SECFailure;
-    int s,i;
-    PK11SlotInfo* slot;
-
-    PR_SetErrorText(0, NULL);
-
-    module = SECMOD_CreateModule(dllPath, moduleName, modparms, nssparms);
-
-    if (module == NULL) {
-	return result;
-    }
-
-    if (module->dllName != NULL) {
-        if (module->dllName[0] != 0) {
-            result = SECMOD_AddModule(module);
-            if (result == SECSuccess) {
-                /* turn on SSL cipher enable flags */
-                module->ssl[0] = cipherEnableFlags;
-
- 		SECMOD_GetReadLock(moduleLock);
-                /* check each slot to turn on appropriate mechanisms */
-                for (s = 0; s < module->slotCount; s++) {
-                    slot = (module->slots)[s];
-                    /* for each possible mechanism */
-                    for (i=0; i < num_pk11_default_mechanisms; i++) {
-                        /* we are told to turn it on by default ? */
-			PRBool add = 
-			 (PK11_DefaultArray[i].flag & defaultMechanismFlags) ?
-						PR_TRUE: PR_FALSE;
-                        result = PK11_UpdateSlotAttribute(slot, 
-					&(PK11_DefaultArray[i]),  add);
-                    } /* for each mechanism */
-                    /* disable each slot if the defaultFlags say so */
-                    if (defaultMechanismFlags & PK11_DISABLE_FLAG) {
-                        PK11_UserDisableSlot(slot);
-                    }
-                } /* for each slot of this module */
- 		SECMOD_ReleaseReadLock(moduleLock);
-
-                /* delete and re-add module in order to save changes 
-		 * to the module */
-		result = SECMOD_UpdateModule(module);
-            }
-        }
-    }
-    SECMOD_DestroyModule(module);
-    return result;
-}
-
-SECStatus 
-SECMOD_AddNewModule(const char* moduleName, const char* dllPath,
-                              unsigned long defaultMechanismFlags,
-                              unsigned long cipherEnableFlags)
-{
-    return SECMOD_AddNewModuleEx(moduleName, dllPath, defaultMechanismFlags,
-                  cipherEnableFlags, 
-                  NULL, NULL); /* don't pass module or nss params */
-}
-
-SECStatus 
-SECMOD_UpdateModule(SECMODModule *module)
-{
-    SECStatus result;
-
-    result = SECMOD_DeletePermDB(module);
-                
-    if (result == SECSuccess) {          
-	result = SECMOD_AddPermDB(module);
-    }
-    return result;
-}
-
-/* Public & Internal(Security Library)  representation of
- * encryption mechanism flags conversion */
-
-/* Currently, the only difference is that internal representation 
- * puts RANDOM_FLAG at bit 31 (Most-significant bit), but
- * public representation puts this bit at bit 28
- */
-unsigned long 
-SECMOD_PubMechFlagstoInternal(unsigned long publicFlags)
-{
-    unsigned long internalFlags = publicFlags;
-
-    if (publicFlags & PUBLIC_MECH_RANDOM_FLAG) {
-        internalFlags &= ~PUBLIC_MECH_RANDOM_FLAG;
-        internalFlags |= SECMOD_RANDOM_FLAG;
-    }
-    return internalFlags;
-}
-
-unsigned long 
-SECMOD_InternaltoPubMechFlags(unsigned long internalFlags) 
-{
-    unsigned long publicFlags = internalFlags;
-
-    if (internalFlags & SECMOD_RANDOM_FLAG) {
-        publicFlags &= ~SECMOD_RANDOM_FLAG;
-        publicFlags |= PUBLIC_MECH_RANDOM_FLAG;
-    }
-    return publicFlags;
-}
-
-
-/* Public & Internal(Security Library)  representation of */
-/* cipher flags conversion */
-/* Note: currently they are just stubs */
-unsigned long 
-SECMOD_PubCipherFlagstoInternal(unsigned long publicFlags) 
-{
-    return publicFlags;
-}
-
-unsigned long 
-SECMOD_InternaltoPubCipherFlags(unsigned long internalFlags) 
-{
-    return internalFlags;
-}
-
-/* Funtion reports true if module of modType is installed/configured */
-PRBool 
-SECMOD_IsModulePresent( unsigned long int pubCipherEnableFlags )
-{
-    PRBool result = PR_FALSE;
-    SECMODModuleList *mods = SECMOD_GetDefaultModuleList();
-    SECMOD_GetReadLock(moduleLock);
-
-
-    for ( ; mods != NULL; mods = mods->next) {
-        if (mods->module->ssl[0] & 
-		SECMOD_PubCipherFlagstoInternal(pubCipherEnableFlags)) {
-            result = PR_TRUE;
-        }
-    }
-
-    SECMOD_ReleaseReadLock(moduleLock);
-    return result;
-}
-
-/* create a new ModuleListElement */
-SECMODModuleList *SECMOD_NewModuleListElement(void) 
-{
-    SECMODModuleList *newModList;
-
-    newModList= (SECMODModuleList *) PORT_Alloc(sizeof(SECMODModuleList));
-    if (newModList) {
-	newModList->next = NULL;
-	newModList->module = NULL;
-    }
-    return newModList;
-}
-
-/*
- * make a new reference to a module so It doesn't go away on us
- */
-SECMODModule *
-SECMOD_ReferenceModule(SECMODModule *module) 
-{
-    PZ_Lock(module->refLock);
-    PORT_Assert(module->refCount > 0);
-
-    module->refCount++;
-    PZ_Unlock(module->refLock);
-    return module;
-}
-
-
-/* destroy an existing module */
-void
-SECMOD_DestroyModule(SECMODModule *module) 
-{
-    PRBool willfree = PR_FALSE;
-    int slotCount;
-    int i;
-
-    PZ_Lock(module->refLock);
-    if (module->refCount-- == 1) {
-	willfree = PR_TRUE;
-    }
-    PORT_Assert(willfree || (module->refCount > 0));
-    PZ_Unlock(module->refLock);
-
-    if (!willfree) {
-	return;
-    }
-   
-    if (module->parent != NULL) {
-	SECMODModule *parent = module->parent;
-	/* paranoia, don't loop forever if the modules are looped */
-	module->parent = NULL;
-	SECMOD_DestroyModule(parent);
-    }
-
-    /* slots can't really disappear until our module starts freeing them,
-     * so this check is safe */
-    slotCount = module->slotCount;
-    if (slotCount == 0) {
-	SECMOD_SlotDestroyModule(module,PR_FALSE);
-	return;
-    }
-
-    /* now free all out slots, when they are done, they will cause the
-     * module to disappear altogether */
-    for (i=0 ; i < slotCount; i++) {
-	if (!module->slots[i]->disabled) {
-		PK11_ClearSlotList(module->slots[i]);
-	}
-	PK11_FreeSlot(module->slots[i]);
-    }
-    /* WARNING: once the last slot has been freed is it possible (even likely)
-     * that module is no more... touching it now is a good way to go south */
-}
-
-
-/* we can only get here if we've destroyed the module, or some one has
- * erroneously freed a slot that wasn't referenced. */
-void
-SECMOD_SlotDestroyModule(SECMODModule *module, PRBool fromSlot) 
-{
-    PRBool willfree = PR_FALSE;
-    if (fromSlot) {
-        PORT_Assert(module->refCount == 0);
-	PZ_Lock(module->refLock);
-	if (module->slotCount-- == 1) {
-	    willfree = PR_TRUE;
-	}
-	PORT_Assert(willfree || (module->slotCount > 0));
-	PZ_Unlock(module->refLock);
-        if (!willfree) return;
-    }
-
-    if (module == pendingModule) {
-	pendingModule = NULL;
-    }
-
-    if (module->loaded) {
-	SECMOD_UnloadModule(module);
-    }
-    PZ_DestroyLock(module->refLock);
-    PORT_FreeArena(module->arena,PR_FALSE);
-    secmod_PrivateModuleCount--;
-}
-
-/* destroy a list element
- * this destroys a single element, and returns the next element
- * on the chain. It makes it easy to implement for loops to delete
- * the chain. It also make deleting a single element easy */
-SECMODModuleList *
-SECMOD_DestroyModuleListElement(SECMODModuleList *element) 
-{
-    SECMODModuleList *next = element->next;
-
-    if (element->module) {
-	SECMOD_DestroyModule(element->module);
-	element->module = NULL;
-    }
-    PORT_Free(element);
-    return next;
-}
-
-
-/*
- * Destroy an entire module list
- */
-void
-SECMOD_DestroyModuleList(SECMODModuleList *list) 
-{
-    SECMODModuleList *lp;
-
-    for ( lp = list; lp != NULL; lp = SECMOD_DestroyModuleListElement(lp)) ;
-}
-
-PRBool
-SECMOD_CanDeleteInternalModule(void)
-{
-    return (PRBool) (pendingModule == NULL);
-}
-
-/*
- * check to see if the module has added new slots. PKCS 11 v2.20 allows for
- * modules to add new slots, but never remove them. Slots cannot be added 
- * between a call to C_GetSlotLlist(Flag, NULL, &count) and the subsequent
- * C_GetSlotList(flag, &data, &count) so that the array doesn't accidently
- * grow on the caller. It is permissible for the slots to increase between
- * successive calls with NULL to get the size.
- */
-SECStatus
-SECMOD_UpdateSlotList(SECMODModule *mod)
-{
-    CK_RV crv;
-    CK_ULONG count;
-    CK_ULONG i, oldCount;
-    PRBool freeRef = PR_FALSE;
-    void *mark = NULL;
-    CK_ULONG *slotIDs = NULL;
-    PK11SlotInfo **newSlots = NULL;
-    PK11SlotInfo **oldSlots = NULL;
-
-    /* C_GetSlotList is not a session function, make sure 
-     * calls are serialized */
-    PZ_Lock(mod->refLock);
-    freeRef = PR_TRUE;
-    /* see if the number of slots have changed */
-    crv = PK11_GETTAB(mod)->C_GetSlotList(PR_FALSE, NULL, &count);
-    if (crv != CKR_OK) {
-	PORT_SetError(PK11_MapError(crv));
-	goto loser;
-    }
-    /* nothing new, blow out early, we want this function to be quick
-     * and cheap in the normal case  */
-    if (count == mod->slotCount) {
- 	PZ_Unlock(mod->refLock);
-	return SECSuccess;
-    }
-    if (count < (CK_ULONG)mod->slotCount) {
-	/* shouldn't happen with a properly functioning PKCS #11 module */
-	PORT_SetError( SEC_ERROR_INCOMPATIBLE_PKCS11 );
-	goto loser;
-    }
-
-    /* get the new slot list */
-    slotIDs = PORT_NewArray(CK_SLOT_ID, count);
-    if (slotIDs == NULL) {
-	goto loser;
-    }
-
-    crv = PK11_GETTAB(mod)->C_GetSlotList(PR_FALSE, slotIDs, &count);
-    if (crv != CKR_OK) {
-	PORT_SetError(PK11_MapError(crv));
-	goto loser;
-    }
-    freeRef = PR_FALSE;
-    PZ_Unlock(mod->refLock);
-    mark = PORT_ArenaMark(mod->arena);
-    if (mark == NULL) {
-	goto loser;
-    }
-    newSlots = PORT_ArenaZNewArray(mod->arena,PK11SlotInfo *,count);
-
-    /* walk down the new slot ID list returned from the module. We keep
-     * the old slots which match a returned ID, and we initialize the new 
-     * slots. */
-    for (i=0; i < count; i++) {
-	PK11SlotInfo *slot = SECMOD_FindSlotByID(mod,slotIDs[i]);
-
-	if (!slot) {
-	    /* we have a new slot create a new slot data structure */
-	    slot = PK11_NewSlotInfo(mod);
-	    if (!slot) {
-		goto loser;
-	    }
-	    PK11_InitSlot(mod, slotIDs[i], slot);
-	    STAN_InitTokenForSlotInfo(NULL, slot);
-	}
-	newSlots[i] = slot;
-    }
-    STAN_ResetTokenInterator(NULL);
-    PORT_Free(slotIDs);
-    slotIDs = NULL;
-    PORT_ArenaUnmark(mod->arena, mark);
-
-    /* until this point we're still using the old slot list. Now we update
-     * module slot list. We update the slots (array) first then the count, 
-     * since we've already guarrenteed that count has increased (just in case 
-     * someone is looking at the slots field of  module without holding the 
-     * moduleLock */
-    SECMOD_GetWriteLock(moduleLock);
-    oldCount =mod->slotCount;
-    oldSlots = mod->slots;
-    mod->slots = newSlots; /* typical arena 'leak'... old mod->slots is
-			    * allocated out of the module arena and won't
-			    * be freed until the module is freed */
-    mod->slotCount = count;
-    SECMOD_ReleaseWriteLock(moduleLock);
-    /* free our old references before forgetting about oldSlot*/
-    for (i=0; i < oldCount; i++) {
-	PK11_FreeSlot(oldSlots[i]);
-    }
-    return SECSuccess;
-
-loser:
-    if (freeRef) {
-	PZ_Unlock(mod->refLock);
-    }
-    if (slotIDs) {
-	PORT_Free(slotIDs);
-    }
-    /* free all the slots we allocated. newSlots are part of the
-     * mod arena. NOTE: the newSlots array contain both new and old
-     * slots, but we kept a reference to the old slots when we built the new
-     * array, so we need to free all the slots in newSlots array. */
-    if (newSlots) {
-	for (i=0; i < count; i++) {
-	    if (newSlots[i] == NULL) {
-		break; /* hit the last one */
-	    }
-	    PK11_FreeSlot(newSlots[i]);
-	}
-    }
-    /* must come after freeing newSlots */
-    if (mark) {
- 	PORT_ArenaRelease(mod->arena, mark);
-    }
-    return SECFailure;
-}
-
-/*
- * this handles modules that do not support C_WaitForSlotEvent().
- * The internal flags are stored. Note that C_WaitForSlotEvent() does not
- * have a timeout, so we don't have one for handleWaitForSlotEvent() either.
- */
-PK11SlotInfo *
-secmod_HandleWaitForSlotEvent(SECMODModule *mod,  unsigned long flags,
-						PRIntervalTime latency)
-{
-    PRBool removableSlotsFound = PR_FALSE;
-    int i;
-    int error = SEC_ERROR_NO_EVENT;
-
-    PZ_Lock(mod->refLock);
-    if (mod->evControlMask & SECMOD_END_WAIT) {
-	mod->evControlMask &= ~SECMOD_END_WAIT;
-	PZ_Unlock(mod->refLock);
-	PORT_SetError(SEC_ERROR_NO_EVENT);
-	return NULL;
-    }
-    mod->evControlMask |= SECMOD_WAIT_SIMULATED_EVENT;
-    while (mod->evControlMask & SECMOD_WAIT_SIMULATED_EVENT) {
-	PZ_Unlock(mod->refLock);
-	/* now is a good time to see if new slots have been added */
-	SECMOD_UpdateSlotList(mod);
-
-	/* loop through all the slots on a module */
-	SECMOD_GetReadLock(moduleLock);
-	for (i=0; i < mod->slotCount; i++) {
-	    PK11SlotInfo *slot = mod->slots[i];
-	    uint16 series;
-	    PRBool present;
-
-	    /* perm modules do not change */
-	    if (slot->isPerm) {
-		continue;
-	    }
-	    removableSlotsFound = PR_TRUE;
-	    /* simulate the PKCS #11 module flags. are the flags different
-	     * from the last time we called? */
-	    series = slot->series;
-	    present = PK11_IsPresent(slot);
-	    if ((slot->flagSeries != series) || (slot->flagState != present)) {
-		slot->flagState = present;
-		slot->flagSeries = series;
-		SECMOD_ReleaseReadLock(moduleLock);
-		PZ_Lock(mod->refLock);
-		mod->evControlMask &= ~SECMOD_END_WAIT;
-		PZ_Unlock(mod->refLock);
-		return PK11_ReferenceSlot(slot);
-	    }
-	}
-	SECMOD_ReleaseReadLock(moduleLock);
-	/* if everything was perm modules, don't lock up forever */
-	if (!removableSlotsFound) {
-	    error =SEC_ERROR_NO_SLOT_SELECTED;
-	    PZ_Lock(mod->refLock);
-	    break;
-	}
-	if (flags & CKF_DONT_BLOCK) {
-	    PZ_Lock(mod->refLock);
-	    break;
-	}
-	PR_Sleep(latency);
- 	PZ_Lock(mod->refLock);
-    }
-    mod->evControlMask &= ~SECMOD_END_WAIT;
-    PZ_Unlock(mod->refLock);
-    PORT_SetError(error);
-    return NULL;
-}
-
-/*
- * this function waits for a token event on any slot of a given module
- * This function should not be called from more than one thread of the
- * same process (though other threads can make other library calls
- * on this module while this call is blocked).
- */
-PK11SlotInfo *
-SECMOD_WaitForAnyTokenEvent(SECMODModule *mod, unsigned long flags,
-						 PRIntervalTime latency)
-{
-    CK_SLOT_ID id;
-    CK_RV crv;
-    PK11SlotInfo *slot;
-
-    if (!pk11_getFinalizeModulesOption() ||
-        ((mod->cryptokiVersion.major == 2) &&
-         (mod->cryptokiVersion.minor < 1))) { 
-        /* if we are sharing the module with other software in our
-         * address space, we can't reliably use C_WaitForSlotEvent(),
-         * and if the module is version 2.0, C_WaitForSlotEvent() doesn't
-         * exist */
-	return secmod_HandleWaitForSlotEvent(mod, flags, latency);
-    }
-    /* first the the PKCS #11 call */
-    PZ_Lock(mod->refLock);
-    if (mod->evControlMask & SECMOD_END_WAIT) {
-	goto end_wait;
-    }
-    mod->evControlMask |= SECMOD_WAIT_PKCS11_EVENT;
-    PZ_Unlock(mod->refLock);
-    crv = PK11_GETTAB(mod)->C_WaitForSlotEvent(flags, &id, NULL);
-    PZ_Lock(mod->refLock);
-    mod->evControlMask &= ~SECMOD_WAIT_PKCS11_EVENT;
-    /* if we are in end wait, short circuit now, don't even risk
-     * going into secmod_HandleWaitForSlotEvent */
-    if (mod->evControlMask & SECMOD_END_WAIT) {
-	goto end_wait;
-    }
-    PZ_Unlock(mod->refLock);
-    if (crv == CKR_FUNCTION_NOT_SUPPORTED) {
-	/* module doesn't support that call, simulate it */
-	return secmod_HandleWaitForSlotEvent(mod, flags, latency);
-    }
-    if (crv != CKR_OK) {
-	/* we can get this error if finalize was called while we were
-	 * still running. This is the only way to force a C_WaitForSlotEvent()
-	 * to return in PKCS #11. In this case, just return that there
-	 * was no event. */
-	if (crv == CKR_CRYPTOKI_NOT_INITIALIZED) {
-	    PORT_SetError(SEC_ERROR_NO_EVENT);
-	} else {
-	    PORT_SetError(PK11_MapError(crv));
-	}
-	return NULL;
-    }
-    slot = SECMOD_FindSlotByID(mod, id);
-    if (slot == NULL) {
-	/* possibly a new slot that was added? */
-	SECMOD_UpdateSlotList(mod);
-	slot = SECMOD_FindSlotByID(mod, id);
-    }
-    /* if we are in the delay period for the "isPresent" call, reset
-     * the delay since we know things have probably changed... */
-    if (slot && slot->nssToken && slot->nssToken->slot) {
-	nssSlot_ResetDelay(slot->nssToken->slot);
-    }
-    return slot;
-
-    /* must be called with the lock on. */
-end_wait:
-    mod->evControlMask &= ~SECMOD_END_WAIT;
-    PZ_Unlock(mod->refLock);
-    PORT_SetError(SEC_ERROR_NO_EVENT);
-    return NULL;
-}
-
-/*
- * This function "wakes up" WaitForAnyTokenEvent. It's a pretty drastic
- * function, possibly bringing down the pkcs #11 module in question. This
- * should be OK because 1) it does reinitialize, and 2) it should only be
- * called when we are on our way to tear the whole system down anyway.
- */
-SECStatus
-SECMOD_CancelWait(SECMODModule *mod)
-{
-    unsigned long controlMask = mod->evControlMask;
-    SECStatus rv = SECSuccess;
-    CK_RV crv;
-
-    PZ_Lock(mod->refLock);
-    mod->evControlMask |= SECMOD_END_WAIT;
-    controlMask = mod->evControlMask;
-    if (controlMask & SECMOD_WAIT_PKCS11_EVENT) {
-        if (!pk11_getFinalizeModulesOption()) {
-            /* can't get here unless pk11_getFinalizeModulesOption is set */
-            PORT_Assert(0);
-            PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-            rv = SECFailure;
-            goto loser;
-        }
-	/* NOTE: this call will drop all transient keys, in progress
-	 * operations, and any authentication. This is the only documented
-	 * way to get WaitForSlotEvent to return. Also note: for non-thread
-	 * safe tokens, we need to hold the module lock, this is not yet at
-	 * system shutdown/startup time, so we need to protect these calls */
-	crv = PK11_GETTAB(mod)->C_Finalize(NULL);
-	/* ok, we slammed the module down, now we need to reinit it in case
-	 * we intend to use it again */
-	if (CKR_OK == crv) {
-            PRBool alreadyLoaded;
-	    secmod_ModuleInit(mod, &alreadyLoaded);
-	} else {
-	    /* Finalized failed for some reason,  notify the application
-	     * so maybe it has a prayer of recovering... */
-	    PORT_SetError(PK11_MapError(crv));
-	    rv = SECFailure;
-	}
-    } else if (controlMask & SECMOD_WAIT_SIMULATED_EVENT) {
-	mod->evControlMask &= ~SECMOD_WAIT_SIMULATED_EVENT; 
-				/* Simulated events will eventually timeout
-				 * and wake up in the loop */
-    }
-loser:
-    PZ_Unlock(mod->refLock);
-    return rv;
-}
-
-/*
- * check to see if the module has removable slots that we may need to
- * watch for.
- */
-PRBool
-SECMOD_HasRemovableSlots(SECMODModule *mod)
-{
-    int i;
-    PRBool ret = PR_FALSE;
-
-    SECMOD_GetReadLock(moduleLock);
-    for (i=0; i < mod->slotCount; i++) {
-	PK11SlotInfo *slot = mod->slots[i];
-	/* perm modules are not inserted or removed */
-	if (slot->isPerm) {
-	    continue;
-	}
-	ret = PR_TRUE;
-	break;
-    }
-    SECMOD_ReleaseReadLock(moduleLock);
-    return ret;
-}
-
-/*
- * helper function to actually create and destroy user defined slots
- */
-static SECStatus
-secmod_UserDBOp(CK_OBJECT_CLASS objClass, const char *sendSpec)
-{
-    PK11SlotInfo *slot = PK11_GetInternalSlot();
-    CK_OBJECT_HANDLE dummy;
-    CK_ATTRIBUTE template[2] ;
-    CK_ATTRIBUTE *attrs = template;
-    SECStatus rv;
-    CK_RV crv;
-
-    PK11_SETATTRS(attrs, CKA_CLASS, &objClass, sizeof(objClass)); attrs++;
-    PK11_SETATTRS(attrs, CKA_NETSCAPE_MODULE_SPEC , (unsigned char *)sendSpec,
-					 strlen(sendSpec)+1); attrs++;
-
-    PORT_Assert(attrs-template <= 2);
-
-
-    PK11_EnterSlotMonitor(slot);
-    crv = PK11_CreateNewObject(slot, slot->session,
-	template, attrs-template, PR_FALSE, &dummy);
-    PK11_ExitSlotMonitor(slot);
-
-    if (crv != CKR_OK) {
-	PK11_FreeSlot(slot);
-	PORT_SetError(PK11_MapError(crv));
-	return SECFailure;
-    }
-    rv = SECMOD_UpdateSlotList(slot->module);
-    PK11_FreeSlot(slot);
-    return rv;
-}
-
-/*
- * add escapes to protect quote characters...
- */
-static char *
-nss_addEscape(const char *string, char quote)
-{
-    char *newString = 0;
-    int escapes = 0, size = 0;
-    const char *src;
-    char *dest;
-
-    for (src=string; *src ; src++) {
-        if ((*src == quote) || (*src == '\\')) escapes++;
-        size++;
-    }
-
-    newString = PORT_ZAlloc(escapes+size+1);
-    if (newString == NULL) {
-        return NULL;
-    }
-
-    for (src=string, dest=newString; *src; src++,dest++) {
-        if ((*src == '\\') || (*src == quote)) {
-            *dest++ = '\\';
-        }
-        *dest = *src;
-    }
-
-    return newString;
-}
-
-static char *
-nss_doubleEscape(const char *string)
-{
-    char *round1 = NULL;
-    char *retValue = NULL;
-    if (string == NULL) {
-        goto done;
-    }
-    round1 = nss_addEscape(string,'>');
-    if (round1) {
-        retValue = nss_addEscape(round1,']');
-        PORT_Free(round1);
-    }
-
-done:
-    if (retValue == NULL) {
-        retValue = PORT_Strdup("");
-    }
-    return retValue;
-}
-
-/*
- * Open a new database using the softoken. The caller is responsible for making
- * sure the module spec is correct and usable. The caller should ask for one
- * new database per call if the caller wants to get meaningful information 
- * about the new database.
- *
- * moduleSpec is the same data that you would pass to softoken at 
- * initialization time under the 'tokens' options. For example, if you were
- * to specify tokens=<0x4=[configdir='./mybackup' tokenDescription='Backup']>
- * You would specify "configdir='./mybackup' tokenDescription='Backup'" as your
- * module spec here. The slot ID will be calculated for you by 
- * SECMOD_OpenUserDB().
- *
- * Typical parameters here are configdir, tokenDescription and flags.
- *
- * a Full list is below:
- *
- *
- *  configDir - The location of the databases for this token. If configDir is 
- *         not specified, and noCertDB and noKeyDB is not specified, the load
- *         will fail.
- *   certPrefix - Cert prefix for this token.
- *   keyPrefix - Prefix for the key database for this token. (if not specified,
- *         certPrefix will be used).
- *   tokenDescription - The label value for this token returned in the 
- *         CK_TOKEN_INFO structure with an internationalize string (UTF8). 
- *         This value will be truncated at 32 bytes (no NULL, partial UTF8 
- *         characters dropped). You should specify a user friendly name here
- *         as this is the value the token will be refered to in most 
- *         application UI's. You should make sure tokenDescription is unique.
- *   slotDescription - The slotDescription value for this token returned 
- *         in the CK_SLOT_INFO structure with an internationalize string 
- *         (UTF8). This value will be truncated at 64 bytes (no NULL, partial 
- *         UTF8 characters dropped). This name will not change after the 
- *         database is closed. It should have some number to make this unique.
- *   minPWLen - minimum password length for this token.
- *   flags - comma separated list of flag values, parsed case-insensitive.
- *         Valid flags are:
- *              readOnly - Databases should be opened read only.
- *              noCertDB - Don't try to open a certificate database.
- *              noKeyDB - Don't try to open a key database.
- *              forceOpen - Don't fail to initialize the token if the 
- *                databases could not be opened.
- *              passwordRequired - zero length passwords are not acceptable 
- *                (valid only if there is a keyDB).
- *              optimizeSpace - allocate smaller hash tables and lock tables.
- *                When this flag is not specified, Softoken will allocate 
- *                large tables to prevent lock contention. 
- */
-PK11SlotInfo *
-SECMOD_OpenUserDB(const char *moduleSpec)
-{
-    CK_SLOT_ID slotID = 0;
-    char *escSpec;
-    char *sendSpec;
-    SECStatus rv;
-    SECMODModule *mod;
-    CK_SLOT_ID i, minSlotID, maxSlotID;
-    PRBool found = PR_FALSE;
-
-    if (moduleSpec == NULL) {
-	return NULL;
-    }
-
-    /* NOTE: unlike most PK11 function, this does not return a reference
-     * to the module */
-    mod = SECMOD_GetInternalModule();
-    if (!mod) {
-	/* shouldn't happen */
-	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	return NULL;
-    }
-
-    /* look for a free slot id on the internal module */
-    if (mod->isFIPS) {
-	minSlotID = SFTK_MIN_FIPS_USER_SLOT_ID;
-	maxSlotID = SFTK_MAX_FIPS_USER_SLOT_ID;
-    } else {
-	minSlotID = SFTK_MIN_USER_SLOT_ID;
-	maxSlotID = SFTK_MAX_USER_SLOT_ID;
-    }
-    for (i=minSlotID; i < maxSlotID; i++) {
-	PK11SlotInfo *slot = SECMOD_LookupSlot(mod->moduleID, i);
-	if (slot) {
-	    PRBool present = PK11_IsPresent(slot);
-	    PK11_FreeSlot(slot);
-	    if (present) {
-		continue;
-	    }
-	    /* not present means it's available */
-	}
-	/* it doesn't exist or isn't present, it's available */
-	slotID = i;
-	found = PR_TRUE;
-	break;
-    }
-
-    if (!found) {
-	/* this could happen if we try to open too many slots */
-	PORT_SetError(SEC_ERROR_NO_SLOT_SELECTED);
-	return NULL;
-    }
-
-    /* we've found the slot, now build the moduleSpec */
-
-    escSpec = nss_doubleEscape(moduleSpec);
-    if (escSpec == NULL) {
-	return NULL;
-    }
-    sendSpec = PR_smprintf("tokens=[0x%x=<%s>]", slotID, escSpec);
-    PORT_Free(escSpec);
-
-    if (sendSpec == NULL) {
-	/* PR_smprintf does not set no memory error */
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-    rv = secmod_UserDBOp(CKO_NETSCAPE_NEWSLOT, sendSpec);
-    PR_smprintf_free(sendSpec);
-    if (rv != SECSuccess) {
-	return NULL;
-    }
-
-    return SECMOD_FindSlotByID(mod, slotID);
-}
-
-/*
- * close an already opened user database. NOTE: the database must be
- * in the internal token, and must be one created with SECMOD_OpenUserDB().
- * Once the database is closed, the slot will remain as an empty slot
- * until it's used again with SECMOD_OpenUserDB().
- */
-SECStatus
-SECMOD_CloseUserDB(PK11SlotInfo *slot)
-{
-    SECStatus rv;
-    char *sendSpec;
-
-    if (!slot->isInternal) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    
-    sendSpec = PR_smprintf("tokens=[0x%x=<>]", slot->slotID);
-    if (sendSpec == NULL) {
-	/* PR_smprintf does not set no memory error */
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return SECFailure;
-    }
-    rv = secmod_UserDBOp(CKO_NETSCAPE_DELSLOT, sendSpec);
-    PR_smprintf_free(sendSpec);
-    return rv;
-}
diff --git a/security/nss/lib/pk11wrap/secmod.h b/security/nss/lib/pk11wrap/secmod.h
deleted file mode 100644
index 83545f5e3..000000000
--- a/security/nss/lib/pk11wrap/secmod.h
+++ /dev/null
@@ -1,171 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#ifndef _SECMOD_H_
-#define _SEDMOD_H_
-#include "seccomon.h"
-#include "secmodt.h"
-#include "prinrval.h"
-
-/* These mechanisms flags are visible to all other libraries. */
-/* They must be converted to internal SECMOD_*_FLAG */
-/* if used inside the functions of the security library */
-#define PUBLIC_MECH_RSA_FLAG         0x00000001ul
-#define PUBLIC_MECH_DSA_FLAG         0x00000002ul
-#define PUBLIC_MECH_RC2_FLAG         0x00000004ul
-#define PUBLIC_MECH_RC4_FLAG         0x00000008ul
-#define PUBLIC_MECH_DES_FLAG         0x00000010ul
-#define PUBLIC_MECH_DH_FLAG          0x00000020ul
-#define PUBLIC_MECH_FORTEZZA_FLAG    0x00000040ul
-#define PUBLIC_MECH_RC5_FLAG         0x00000080ul
-#define PUBLIC_MECH_SHA1_FLAG        0x00000100ul
-#define PUBLIC_MECH_MD5_FLAG         0x00000200ul
-#define PUBLIC_MECH_MD2_FLAG         0x00000400ul
-#define PUBLIC_MECH_SSL_FLAG         0x00000800ul
-#define PUBLIC_MECH_TLS_FLAG         0x00001000ul
-
-#define PUBLIC_MECH_RANDOM_FLAG      0x08000000ul
-#define PUBLIC_MECH_FRIENDLY_FLAG    0x10000000ul
-#define PUBLIC_OWN_PW_DEFAULTS       0X20000000ul
-#define PUBLIC_DISABLE_FLAG          0x40000000ul
-
-/* warning: reserved means reserved */
-#define PUBLIC_MECH_RESERVED_FLAGS   0x87FFE000ul
-
-/* These cipher flags are visible to all other libraries, */
-/* But they must be converted before used in functions */
-/* withing the security module */
-#define PUBLIC_CIPHER_FORTEZZA_FLAG  0x00000001ul
-
-/* warning: reserved means reserved */
-#define PUBLIC_CIPHER_RESERVED_FLAGS 0xFFFFFFFEul
-
-SEC_BEGIN_PROTOS
-
-/*
- * the following functions are going to be depricated in NSS 4.0 in
- * favor of the new stan functions.
- */
-
-/* Initialization */
-extern SECMODModule *SECMOD_LoadModule(char *moduleSpec,SECMODModule *parent,
-							PRBool recurse);
-
-extern SECMODModule *SECMOD_LoadUserModule(char *moduleSpec,SECMODModule *parent,
-							PRBool recurse);
-
-SECStatus SECMOD_UnloadUserModule(SECMODModule *mod);
-
-SECMODModule * SECMOD_CreateModule(const char *lib, const char *name,
-					const char *param, const char *nss);
-
-
-/* Module Management */
-char **SECMOD_GetModuleSpecList(SECMODModule *module);
-SECStatus SECMOD_FreeModuleSpecList(SECMODModule *module,char **moduleSpecList);
-
- 
-/* protoypes */
-/* Get a list of active PKCS #11 modules */
-extern SECMODModuleList *SECMOD_GetDefaultModuleList(void); 
-/* Get a list of defined but not loaded PKCS #11 modules */
-extern SECMODModuleList *SECMOD_GetDeadModuleList(void);
-/* Get a list of Modules which define PKCS #11 modules to load */
-extern SECMODModuleList *SECMOD_GetDBModuleList(void);
-
-/* lock to protect all three module lists above */
-extern SECMODListLock *SECMOD_GetDefaultModuleListLock(void);
-
-extern SECStatus SECMOD_UpdateModule(SECMODModule *module);
-
-/* lock management */
-extern void SECMOD_GetReadLock(SECMODListLock *);
-extern void SECMOD_ReleaseReadLock(SECMODListLock *);
-
-/* Operate on modules by name */
-extern SECMODModule *SECMOD_FindModule(const char *name);
-extern SECStatus SECMOD_DeleteModule(const char *name, int *type);
-extern SECStatus SECMOD_DeleteInternalModule(const char *name);
-extern PRBool SECMOD_CanDeleteInternalModule(void);
-extern SECStatus SECMOD_AddNewModule(const char* moduleName, 
-			      const char* dllPath,
-                              unsigned long defaultMechanismFlags,
-                              unsigned long cipherEnableFlags);
-extern SECStatus SECMOD_AddNewModuleEx(const char* moduleName,
-			      const char* dllPath,
-                              unsigned long defaultMechanismFlags,
-                              unsigned long cipherEnableFlags,
-                              char* modparms,
-                              char* nssparms);
-
-/* database/memory management */
-extern SECMODModule *SECMOD_GetInternalModule(void);
-extern SECMODModule *SECMOD_ReferenceModule(SECMODModule *module);
-extern void SECMOD_DestroyModule(SECMODModule *module);
-extern PK11SlotInfo *SECMOD_LookupSlot(SECMODModuleID module,
-							unsigned long slotID);
-extern PK11SlotInfo *SECMOD_FindSlot(SECMODModule *module,const char *name);
-
-/* Funtion reports true if at least one of the modules */
-/* of modType has been installed */
-PRBool SECMOD_IsModulePresent( unsigned long int pubCipherEnableFlags );
-
-/* Functions used to convert between internal & public representation
- * of Mechanism Flags and Cipher Enable Flags */
-extern unsigned long SECMOD_PubMechFlagstoInternal(unsigned long publicFlags);
-extern unsigned long SECMOD_PubCipherFlagstoInternal(unsigned long publicFlags);
-
-PRBool SECMOD_HasRemovableSlots(SECMODModule *mod);
-PK11SlotInfo *SECMOD_WaitForAnyTokenEvent(SECMODModule *mod, 
-				unsigned long flags, PRIntervalTime latency);
-/*
- * Warning: the SECMOD_CancelWait function is highly destructive, potentially 
- * finalizing  the module 'mod' (causing inprogress operations to fail, 
- * and session key material to disappear). It should only be called when 
- * shutting down  the module. 
- */
-SECStatus SECMOD_CancelWait(SECMODModule *mod);
-/*
- * check to see if the module has added new slots. PKCS 11 v2.20 allows for
- * modules to add new slots, but never remove them. Slots not be added between 
- * a call to C_GetSlotLlist(Flag, NULL, &count) and the corresponding
- * C_GetSlotList(flag, &data, &count) so that the array doesn't accidently
- * grow on the caller. It is permissible for the slots to increase between
- * corresponding calls with NULL to get the size.
- */
-SECStatus SECMOD_UpdateSlotList(SECMODModule *mod);
-SEC_END_PROTOS
-
-#endif
diff --git a/security/nss/lib/pk11wrap/secmodi.h b/security/nss/lib/pk11wrap/secmodi.h
deleted file mode 100644
index 1e3a6aebd..000000000
--- a/security/nss/lib/pk11wrap/secmodi.h
+++ /dev/null
@@ -1,161 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * Internal header file included only by files in pkcs11 dir, or in
- * pkcs11 specific client and server files.
- */
-#ifndef _SECMODI_H_
-#define _SECMODI_H_ 1
-#include "pkcs11.h"
-#include "nssilock.h"
-#include "mcom_db.h"
-#include "secoidt.h"
-#include "secdert.h"
-#include "certt.h"
-#include "secmodt.h"
-#include "keyt.h"
-
-SEC_BEGIN_PROTOS
-
-/* proto-types */
-extern SECStatus SECMOD_DeletePermDB(SECMODModule *module);
-extern SECStatus SECMOD_AddPermDB(SECMODModule *module);
-extern SECStatus SECMOD_Shutdown(void);
-void nss_DumpModuleLog(void);
-
-extern int secmod_PrivateModuleCount;
-
-extern void SECMOD_Init(void);
-SECStatus secmod_ModuleInit(SECMODModule *mod, PRBool* alreadyLoaded);
-
-/* list managment */
-extern SECStatus SECMOD_AddModuleToList(SECMODModule *newModule);
-extern SECStatus SECMOD_AddModuleToDBOnlyList(SECMODModule *newModule);
-extern SECStatus SECMOD_AddModuleToUnloadList(SECMODModule *newModule);
-extern void SECMOD_RemoveList(SECMODModuleList **,SECMODModuleList *);
-extern void SECMOD_AddList(SECMODModuleList *,SECMODModuleList *,SECMODListLock *);
-extern SECMODListLock *SECMOD_NewListLock(void);
-extern void SECMOD_DestroyListLock(SECMODListLock *);
-extern void SECMOD_GetWriteLock(SECMODListLock *);
-extern void SECMOD_ReleaseWriteLock(SECMODListLock *);
-
-/* Operate on modules by name */
-extern SECMODModule *SECMOD_FindModuleByID(SECMODModuleID);
-
-/* database/memory management */
-extern SECMODModuleList *SECMOD_NewModuleListElement(void);
-extern SECMODModuleList *SECMOD_DestroyModuleListElement(SECMODModuleList *);
-extern void SECMOD_DestroyModuleList(SECMODModuleList *);
-extern SECStatus SECMOD_AddModule(SECMODModule *newModule);
-SECStatus SECMOD_DeleteModuleEx(const char * name, SECMODModule *mod, int *type, PRBool permdb);
-
-extern unsigned long SECMOD_InternaltoPubMechFlags(unsigned long internalFlags);
-extern unsigned long SECMOD_InternaltoPubCipherFlags(unsigned long internalFlags);
-
-/* Library functions */
-SECStatus SECMOD_LoadPKCS11Module(SECMODModule *);
-SECStatus SECMOD_UnloadModule(SECMODModule *);
-void SECMOD_SetInternalModule(SECMODModule *);
-
-void SECMOD_SlotDestroyModule(SECMODModule *module, PRBool fromSlot);
-CK_RV pk11_notify(CK_SESSION_HANDLE session, CK_NOTIFICATION event,
-                                                         CK_VOID_PTR pdata);
-void pk11_SignedToUnsigned(CK_ATTRIBUTE *attrib);
-CK_OBJECT_HANDLE pk11_FindObjectByTemplate(PK11SlotInfo *slot,
-					CK_ATTRIBUTE *inTemplate,int tsize);
-CK_OBJECT_HANDLE *pk11_FindObjectsByTemplate(PK11SlotInfo *slot,
-			CK_ATTRIBUTE *inTemplate,int tsize, int *objCount);
-SECStatus PK11_UpdateSlotAttribute(PK11SlotInfo *slot,
-				 PK11DefaultArrayEntry *entry, PRBool add);
-
-#define PK11_GETTAB(x) ((CK_FUNCTION_LIST_PTR)((x)->functionList))
-#define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
-		(x)->pValue=(v); (x)->ulValueLen = (l);
-SECStatus PK11_CreateNewObject(PK11SlotInfo *slot, CK_SESSION_HANDLE session,
-                               CK_ATTRIBUTE *theTemplate, int count,
-                                PRBool token, CK_OBJECT_HANDLE *objectID);
-
-SECStatus pbe_PK11AlgidToParam(SECAlgorithmID *algid,SECItem *mech);
-SECStatus PBE_PK11ParamToAlgid(SECOidTag algTag, SECItem *param, 
-				PRArenaPool *arena, SECAlgorithmID *algId);
-
-extern void pk11sdr_Init(void);
-extern void pk11sdr_Shutdown(void);
-
-/*
- * Private to pk11wrap.
- */
-
-PRBool pk11_LoginStillRequired(PK11SlotInfo *slot, void *wincx);
-CK_SESSION_HANDLE pk11_GetNewSession(PK11SlotInfo *slot, PRBool *owner);
-void pk11_CloseSession(PK11SlotInfo *slot, CK_SESSION_HANDLE sess, PRBool own);
-PK11SymKey *pk11_ForceSlot(PK11SymKey *symKey, CK_MECHANISM_TYPE type,
-						CK_ATTRIBUTE_TYPE operation);
-/* Convert key operation flags to PKCS #11 attributes. */
-unsigned int pk11_OpFlagsToAttributes(CK_FLAGS flags, 
-				CK_ATTRIBUTE *attrs, CK_BBOOL *ckTrue);
-/* Check for bad (conflicting) attribute flags */
-PRBool pk11_BadAttrFlags(PK11AttrFlags attrFlags);
-/* Convert key attribute flags to PKCS #11 attributes. */
-unsigned int pk11_AttrFlagsToAttributes(PK11AttrFlags attrFlags,
-		CK_ATTRIBUTE *attrs, CK_BBOOL *ckTrue, CK_BBOOL *ckFalse);
-PRBool pk11_FindAttrInTemplate(CK_ATTRIBUTE *attr, unsigned int numAttrs,
-					CK_ATTRIBUTE_TYPE target);
-
-CK_MECHANISM_TYPE pk11_mapWrapKeyType(KeyType keyType);
-PK11SymKey *pk11_KeyExchange(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
-		CK_ATTRIBUTE_TYPE operation, CK_FLAGS flags, PRBool isPerm,
-						PK11SymKey *symKey);
-
-PRBool pk11_HandleTrustObject(PK11SlotInfo *slot, CERTCertificate *cert,
-							 CERTCertTrust *trust);
-CK_OBJECT_HANDLE pk11_FindPubKeyByAnyCert(CERTCertificate *cert,
-					 PK11SlotInfo **slot, void *wincx);
-SECStatus pk11_AuthenticateUnfriendly(PK11SlotInfo *slot, PRBool loadCerts,
-							void *wincx);
-int PK11_NumberObjectsFor(PK11SlotInfo *slot, CK_ATTRIBUTE *findTemplate,
-						int templateCount);
-SECItem *pk11_GetLowLevelKeyFromHandle(PK11SlotInfo *slot, 
-						CK_OBJECT_HANDLE handle);
-SECStatus PK11_TraverseSlot(PK11SlotInfo *slot, void *arg);
-CK_OBJECT_HANDLE pk11_FindPrivateKeyFromCertID(PK11SlotInfo *slot, 
-							SECItem *keyID);
-SECKEYPrivateKey *PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType, 
-			PRBool isTemp, CK_OBJECT_HANDLE privID, void *wincx);
-SEC_END_PROTOS
-
-#endif
-
diff --git a/security/nss/lib/pk11wrap/secmodt.h b/security/nss/lib/pk11wrap/secmodt.h
deleted file mode 100644
index a6f7b180f..000000000
--- a/security/nss/lib/pk11wrap/secmodt.h
+++ /dev/null
@@ -1,465 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#ifndef _SECMODT_H_
-#define _SECMODT_H_ 1
-
-#include "nssrwlkt.h"
-#include "nssilckt.h"
-#include "secoid.h"
-#include "secasn1.h"
-#include "pkcs11t.h"
-
-/* find a better home for these... */
-extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[];
-extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PointerToEncryptedPrivateKeyInfoTemplate;
-extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[];
-extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate;
-extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[];
-extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PrivateKeyInfoTemplate;
-extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[];
-extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PointerToPrivateKeyInfoTemplate;
-
-/* PKCS11 needs to be included */
-typedef struct SECMODModuleStr SECMODModule;
-typedef struct SECMODModuleListStr SECMODModuleList;
-typedef NSSRWLock SECMODListLock;
-typedef struct PK11SlotInfoStr PK11SlotInfo; /* defined in secmodti.h */
-typedef struct PK11PreSlotInfoStr PK11PreSlotInfo; /* defined in secmodti.h */
-typedef struct PK11SymKeyStr PK11SymKey; /* defined in secmodti.h */
-typedef struct PK11ContextStr PK11Context; /* defined in secmodti.h */
-typedef struct PK11SlotListStr PK11SlotList;
-typedef struct PK11SlotListElementStr PK11SlotListElement;
-typedef struct PK11RSAGenParamsStr PK11RSAGenParams;
-typedef unsigned long SECMODModuleID;
-typedef struct PK11DefaultArrayEntryStr PK11DefaultArrayEntry;
-typedef struct PK11GenericObjectStr PK11GenericObject;
-typedef void (*PK11FreeDataFunc)(void *);
-
-struct SECMODModuleStr {
-    PRArenaPool	*arena;
-    PRBool	internal;	/* true of internally linked modules, false
-				 * for the loaded modules */
-    PRBool	loaded;		/* Set to true if module has been loaded */
-    PRBool	isFIPS;		/* Set to true if module is finst internal */
-    char	*dllName;	/* name of the shared library which implements
-				 * this module */
-    char	*commonName;	/* name of the module to display to the user */
-    void	*library;	/* pointer to the library. opaque. used only by
-				 * pk11load.c */
-    void	*functionList; /* The PKCS #11 function table */
-    PZLock	*refLock;	/* only used pk11db.c */
-    int		refCount;	/* Module reference count */
-    PK11SlotInfo **slots;	/* array of slot points attached to this mod*/
-    int		slotCount;	/* count of slot in above array */
-    PK11PreSlotInfo *slotInfo;	/* special info about slots default settings */
-    int		slotInfoCount;  /* count */
-    SECMODModuleID moduleID;	/* ID so we can find this module again */
-    PRBool	isThreadSafe;
-    unsigned long ssl[2];	/* SSL cipher enable flags */
-    char	*libraryParams;  /* Module specific parameters */
-    void *moduleDBFunc; /* function to return module configuration data*/
-    SECMODModule *parent;	/* module that loaded us */
-    PRBool	isCritical;	/* This module must load successfully */
-    PRBool	isModuleDB;	/* this module has lists of PKCS #11 modules */
-    PRBool	moduleDBOnly;	/* this module only has lists of PKCS #11 modules */
-    int		trustOrder;	/* order for this module's certificate trust rollup */
-    int		cipherOrder;	/* order for cipher operations */
-    unsigned long evControlMask; /* control the running and shutdown of slot
-				  * events (SECMOD_WaitForAnyTokenEvent) */
-    CK_VERSION  cryptokiVersion; /* version of this library */
-};
-
-/* evControlMask flags */
-/*
- * These bits tell the current state of a SECMOD_WaitForAnyTokenEvent.
- *
- * SECMOD_WAIT_PKCS11_EVENT - we're waiting in the PKCS #11 module in
- *  C_WaitForSlotEvent().
- * SECMOD_WAIT_SIMULATED_EVENT - we're waiting in the NSS simulation code
- *  which polls for token insertion and removal events.
- * SECMOD_END_WAIT - SECMOD_CancelWait has been called while the module is
- *  waiting in SECMOD_WaitForAnyTokenEvent. SECMOD_WaitForAnyTokenEvent
- *  should return immediately to it's caller.
- */ 
-#define SECMOD_END_WAIT 	    0x01
-#define SECMOD_WAIT_SIMULATED_EVENT 0x02 
-#define SECMOD_WAIT_PKCS11_EVENT    0x04
-
-struct SECMODModuleListStr {
-    SECMODModuleList	*next;
-    SECMODModule	*module;
-};
-
-struct PK11SlotListStr {
-    PK11SlotListElement *head;
-    PK11SlotListElement *tail;
-    PZLock *lock;
-};
-
-struct PK11SlotListElementStr {
-    PK11SlotListElement *next;
-    PK11SlotListElement *prev;
-    PK11SlotInfo *slot;
-    int refCount;
-};
-
-struct PK11RSAGenParamsStr {
-    int keySizeInBits;
-    unsigned long pe;
-};
-
-typedef enum {
-     PK11CertListUnique = 0,     /* get one instance of all certs */
-     PK11CertListUser = 1,       /* get all instances of user certs */
-     PK11CertListRootUnique = 2, /* get one instance of CA certs without a private key.
-                                  * deprecated. Use PK11CertListCAUnique
-                                  */
-     PK11CertListCA = 3,         /* get all instances of CA certs */
-     PK11CertListCAUnique = 4,   /* get one instance of CA certs */
-     PK11CertListUserUnique = 5, /* get one instance of user certs */
-     PK11CertListAll = 6         /* get all instances of all certs */
-} PK11CertListType;
-
-/*
- * Entry into the Array which lists all the legal bits for the default flags
- * in the slot, their definition, and the PKCS #11 mechanism the represent
- * Always Statically allocated. 
- */
-struct PK11DefaultArrayEntryStr {
-    char *name;
-    unsigned long flag;
-    unsigned long mechanism; /* this is a long so we don't include the 
-			      * whole pkcs 11 world to use this header */
-};
-
-
-#define SECMOD_RSA_FLAG 	0x00000001L
-#define SECMOD_DSA_FLAG 	0x00000002L
-#define SECMOD_RC2_FLAG 	0x00000004L
-#define SECMOD_RC4_FLAG 	0x00000008L
-#define SECMOD_DES_FLAG 	0x00000010L
-#define SECMOD_DH_FLAG	 	0x00000020L
-#define SECMOD_FORTEZZA_FLAG	0x00000040L
-#define SECMOD_RC5_FLAG		0x00000080L
-#define SECMOD_SHA1_FLAG	0x00000100L
-#define SECMOD_MD5_FLAG		0x00000200L
-#define SECMOD_MD2_FLAG		0x00000400L
-#define SECMOD_SSL_FLAG		0x00000800L
-#define SECMOD_TLS_FLAG		0x00001000L
-#define SECMOD_AES_FLAG 	0x00002000L
-#define SECMOD_SHA256_FLAG	0x00004000L
-#define SECMOD_SHA512_FLAG	0x00008000L	/* also for SHA384 */
-/* reserved bit for future, do not use */
-#define SECMOD_RESERVED_FLAG    0X08000000L
-#define SECMOD_FRIENDLY_FLAG	0x10000000L
-#define SECMOD_RANDOM_FLAG	0x80000000L
-
-/* need to make SECMOD and PK11 prefixes consistant. */
-#define PK11_OWN_PW_DEFAULTS 0x20000000L
-#define PK11_DISABLE_FLAG    0x40000000L
-
-/* FAKE PKCS #11 defines */
-#define CKM_FAKE_RANDOM       0x80000efeL
-#define CKM_INVALID_MECHANISM 0xffffffffL
-#define CKA_DIGEST            0x81000000L
-#define CKA_FLAGS_ONLY        0 /* CKA_CLASS */
-
-/*
- * PK11AttrFlags
- *
- * A 32-bit bitmask of PK11_ATTR_XXX flags
- */
-typedef PRUint32 PK11AttrFlags;
-
-/*
- * PK11_ATTR_XXX
- *
- * The following PK11_ATTR_XXX bitflags are used to specify
- * PKCS #11 object attributes that have Boolean values.  Some NSS
- * functions have a "PK11AttrFlags attrFlags" parameter whose value
- * is the logical OR of these bitflags.  NSS use these bitflags on
- * private keys or secret keys.  Some of these bitflags also apply
- * to the public keys associated with the private keys.
- *
- * For each PKCS #11 object attribute, we need two bitflags to
- * specify not only "true" and "false" but also "default".  For
- * example, PK11_ATTR_PRIVATE and PK11_ATTR_PUBLIC control the
- * CKA_PRIVATE attribute.  If PK11_ATTR_PRIVATE is set, we add
- *     { CKA_PRIVATE, &cktrue, sizeof(CK_BBOOL) }
- * to the template.  If PK11_ATTR_PUBLIC is set, we add
- *     { CKA_PRIVATE, &ckfalse, sizeof(CK_BBOOL) }
- * to the template.  If neither flag is set, we don't add any
- * CKA_PRIVATE entry to the template.
- */
-
-/*
- * Attributes for PKCS #11 storage objects, which include not only
- * keys but also certificates and domain parameters.
- */
-
-/*
- * PK11_ATTR_TOKEN
- * PK11_ATTR_SESSION
- *
- * These two flags determine whether the object is a token or
- * session object.
- *
- * These two flags are related and cannot both be set.
- * If the PK11_ATTR_TOKEN flag is set, the object is a token
- * object.  If the PK11_ATTR_SESSION flag is set, the object is
- * a session object.  If neither flag is set, the object is *by
- * default* a session object.
- *
- * These two flags specify the value of the PKCS #11 CKA_TOKEN
- * attribute.
- */
-#define PK11_ATTR_TOKEN         0x00000001L
-#define PK11_ATTR_SESSION       0x00000002L
-
-/*
- * PK11_ATTR_PRIVATE
- * PK11_ATTR_PUBLIC
- *
- * These two flags determine whether the object is a private or
- * public object.  A user may not access a private object until the
- * user has authenticated to the token.
- *
- * These two flags are related and cannot both be set.
- * If the PK11_ATTR_PRIVATE flag is set, the object is a private
- * object.  If the PK11_ATTR_PUBLIC flag is set, the object is a
- * public object.  If neither flag is set, it is token-specific
- * whether the object is private or public.
- *
- * These two flags specify the value of the PKCS #11 CKA_PRIVATE
- * attribute.  NSS only uses this attribute on private and secret
- * keys, so public keys created by NSS get the token-specific
- * default value of the CKA_PRIVATE attribute.
- */
-#define PK11_ATTR_PRIVATE       0x00000004L
-#define PK11_ATTR_PUBLIC        0x00000008L
-
-/*
- * PK11_ATTR_MODIFIABLE
- * PK11_ATTR_UNMODIFIABLE
- *
- * These two flags determine whether the object is modifiable or
- * read-only.
- *
- * These two flags are related and cannot both be set.
- * If the PK11_ATTR_MODIFIABLE flag is set, the object can be
- * modified.  If the PK11_ATTR_UNMODIFIABLE flag is set, the object
- * is read-only.  If neither flag is set, the object is *by default*
- * modifiable.
- *
- * These two flags specify the value of the PKCS #11 CKA_MODIFIABLE
- * attribute.
- */
-#define PK11_ATTR_MODIFIABLE    0x00000010L
-#define PK11_ATTR_UNMODIFIABLE  0x00000020L
-
-/* Attributes for PKCS #11 key objects. */
-
-/*
- * PK11_ATTR_SENSITIVE
- * PK11_ATTR_INSENSITIVE
- *
- * These two flags are related and cannot both be set.
- * If the PK11_ATTR_SENSITIVE flag is set, the key is sensitive.
- * If the PK11_ATTR_INSENSITIVE flag is set, the key is not
- * sensitive.  If neither flag is set, it is token-specific whether
- * the key is sensitive or not.
- *
- * If a key is sensitive, certain attributes of the key cannot be
- * revealed in plaintext outside the token.
- *
- * This flag specifies the value of the PKCS #11 CKA_SENSITIVE
- * attribute.  Although the default value of the CKA_SENSITIVE
- * attribute for secret keys is CK_FALSE per PKCS #11, some FIPS
- * tokens set the default value to CK_TRUE because only CK_TRUE
- * is allowed.  So in practice the default value of this attribute
- * is token-specific, hence the need for two bitflags.
- */
-#define PK11_ATTR_SENSITIVE     0x00000040L
-#define PK11_ATTR_INSENSITIVE   0x00000080L
-
-/*
- * PK11_ATTR_EXTRACTABLE
- * PK11_ATTR_UNEXTRACTABLE
- *
- * These two flags are related and cannot both be set.
- * If the PK11_ATTR_EXTRACTABLE flag is set, the key is extractable
- * and can be wrapped.  If the PK11_ATTR_UNEXTRACTABLE flag is set,
- * the key is not extractable, and certain attributes of the key
- * cannot be revealed in plaintext outside the token (just like a
- * sensitive key).  If neither flag is set, it is token-specific
- * whether the key is extractable or not.
- *
- * These two flags specify the value of the PKCS #11 CKA_EXTRACTABLE
- * attribute.
- */
-#define PK11_ATTR_EXTRACTABLE   0x00000100L
-#define PK11_ATTR_UNEXTRACTABLE 0x00000200L
-
-/* Cryptographic module types */
-#define SECMOD_EXTERNAL	0	/* external module */
-#define SECMOD_INTERNAL 1	/* internal default module */
-#define SECMOD_FIPS	2	/* internal fips module */
-
-/* default module configuration strings */
-#define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,SHA256,SHA512]"
-
-#define SECMOD_MAKE_NSS_FLAGS(fips,slot) \
-"Flags=internal,critical"fips" slotparams=("#slot"={"SECMOD_SLOT_FLAGS"})"
-
-#define SECMOD_INT_NAME "NSS Internal PKCS #11 Module"
-#define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("",1)
-#define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module"
-#define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips",3)
-
-/*
- * What is the origin of a given Key. Normally this doesn't matter, but
- * the fortezza code needs to know if it needs to invoke the SSL3 fortezza
- * hack.
- */
-typedef enum {
-    PK11_OriginNULL = 0,	/* There is not key, it's a null SymKey */
-    PK11_OriginDerive = 1,	/* Key was derived from some other key */
-    PK11_OriginGenerated = 2,	/* Key was generated (also PBE keys) */
-    PK11_OriginFortezzaHack = 3,/* Key was marked for fortezza hack */
-    PK11_OriginUnwrap = 4	/* Key was unwrapped or decrypted */
-} PK11Origin;
-
-/* PKCS #11 disable reasons */
-typedef enum {
-    PK11_DIS_NONE = 0,
-    PK11_DIS_USER_SELECTED = 1,
-    PK11_DIS_COULD_NOT_INIT_TOKEN = 2,
-    PK11_DIS_TOKEN_VERIFY_FAILED = 3,
-    PK11_DIS_TOKEN_NOT_PRESENT = 4
-} PK11DisableReasons;
-
-/* types of PKCS #11 objects */
-typedef enum {
-   PK11_TypeGeneric = 0,
-   PK11_TypePrivKey = 1,
-   PK11_TypePubKey = 2,
-   PK11_TypeCert = 3,
-   PK11_TypeSymKey = 4
-} PK11ObjectType;
-
-
-
-/* function pointer type for password callback function.
- * This type is passed in to PK11_SetPasswordFunc() 
- */
-typedef char *(PR_CALLBACK *PK11PasswordFunc)(PK11SlotInfo *slot, PRBool retry, void *arg);
-typedef PRBool (PR_CALLBACK *PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg);
-typedef PRBool (PR_CALLBACK *PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg);
-
-/*
- * Special strings the password callback function can return only if
- * the slot is an protected auth path slot.
- */ 
-#define PK11_PW_RETRY		"RETRY"	/* an failed attempt to authenticate
-					 * has already been made, just retry
-					 * the operation */
-#define PK11_PW_AUTHENTICATED	"AUTH"  /* a successful attempt to authenticate
-					 * has completed. Continue without
-					 * another call to C_Login */
-/* All other non-null values mean that that NSS could call C_Login to force
- * the authentication. The following define is to aid applications in 
- * documenting that is what it's trying to do */
-#define PK11_PW_TRY		"TRY"   /* Default: a prompt has been presented
-					 * to the user, initiate a C_Login
-					 * to authenticate the token */
-
-/*
- * PKCS #11 key structures
- */
-
-/*
-** Attributes
-*/
-struct SECKEYAttributeStr {
-    SECItem attrType;
-    SECItem **attrValue;
-};
-typedef struct SECKEYAttributeStr SECKEYAttribute;
-
-/*
-** A PKCS#8 private key info object
-*/
-struct SECKEYPrivateKeyInfoStr {
-    PLArenaPool *arena;
-    SECItem version;
-    SECAlgorithmID algorithm;
-    SECItem privateKey;
-    SECKEYAttribute **attributes;
-};
-typedef struct SECKEYPrivateKeyInfoStr SECKEYPrivateKeyInfo;
-
-/*
-** A PKCS#8 private key info object
-*/
-struct SECKEYEncryptedPrivateKeyInfoStr {
-    PLArenaPool *arena;
-    SECAlgorithmID algorithm;
-    SECItem encryptedData;
-};
-typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo;
-
-/*
- * token removal detection
- */
-typedef enum {
-   PK11TokenNotRemovable = 0,
-   PK11TokenPresent = 1,
-   PK11TokenChanged = 2,
-   PK11TokenRemoved = 3
-} PK11TokenStatus;
-
-typedef enum {
-   PK11TokenRemovedOrChangedEvent = 0,
-   PK11TokenPresentEvent = 1
-} PK11TokenEvent;
-
-/*
- * CRL Import Flags
- */
-#define CRL_IMPORT_DEFAULT_OPTIONS 0x00000000
-#define CRL_IMPORT_BYPASS_CHECKS   0x00000001
-
-#endif /*_SECMODT_H_ */
diff --git a/security/nss/lib/pk11wrap/secmodti.h b/security/nss/lib/pk11wrap/secmodti.h
deleted file mode 100644
index 328a07130..000000000
--- a/security/nss/lib/pk11wrap/secmodti.h
+++ /dev/null
@@ -1,223 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * Internal header file included only by files in pkcs11 dir, or in
- * pkcs11 specific client and server files.
- */
-
-#ifndef  _SECMODTI_H_
-#define  _SECMODTI_H_ 1
-#include "prmon.h"
-#include "prtypes.h"
-#include "nssilckt.h"
-#include "pk11init.h"
-#include "secmodt.h"
-#include "pkcs11t.h"
-
-#ifndef NSS_3_4_CODE
-#define NSS_3_4_CODE
-#endif /* NSS_3_4_CODE */
-#include "nssdevt.h"
-
-/* internal data structures */
-
-/* Traverse slots callback */
-typedef struct pk11TraverseSlotStr {
-    SECStatus (*callback)(PK11SlotInfo *,CK_OBJECT_HANDLE, void *);
-    void *callbackArg;
-    CK_ATTRIBUTE *findTemplate;
-    int templateCount;
-} pk11TraverseSlot;
-
-
-/* represent a pkcs#11 slot reference counted. */
-struct PK11SlotInfoStr {
-    /* the PKCS11 function list for this slot */
-    void *functionList;
-    SECMODModule *module; /* our parent module */
-    /* Boolean to indicate the current state of this slot */
-    PRBool needTest;	/* Has this slot been tested for Export complience */
-    PRBool isPerm;	/* is this slot a permanment device */
-    PRBool isHW;	/* is this slot a hardware device */
-    PRBool isInternal;  /* is this slot one of our internal PKCS #11 devices */
-    PRBool disabled;	/* is this slot disabled... */
-    PK11DisableReasons reason; 	/* Why this slot is disabled */
-    PRBool readOnly;	/* is the token in this slot read-only */
-    PRBool needLogin;	/* does the token of the type that needs 
-			 * authentication (still true even if token is logged 
-			 * in) */
-    PRBool hasRandom;   /* can this token generated random numbers */
-    PRBool defRWSession; /* is the default session RW (we open our default 
-			  * session rw if the token can only handle one session
-			  * at a time. */
-    PRBool isThreadSafe; /* copied from the module */
-    /* The actual flags (many of which are distilled into the above PRBools) */
-    CK_FLAGS flags;      /* flags from PKCS #11 token Info */
-    /* a default session handle to do quick and dirty functions */
-    CK_SESSION_HANDLE session; 
-    PZLock *sessionLock; /* lock for this session */
-    /* our ID */
-    CK_SLOT_ID slotID;
-    /* persistant flags saved from startup to startup */
-    unsigned long defaultFlags;
-    /* keep track of who is using us so we don't accidently get freed while
-     * still in use */
-    PRInt32 refCount;    /* to be in/decremented by atomic calls ONLY! */
-    PZLock *freeListLock;
-    PK11SymKey *freeSymKeysWithSessionHead;
-    PK11SymKey *freeSymKeysHead;
-    int keyCount;
-    int maxKeyCount;
-    /* Password control functions for this slot. many of these are only
-     * active if the appropriate flag is on in defaultFlags */
-    int askpw;		/* what our password options are */
-    int timeout;	/* If we're ask_timeout, what is our timeout time is 
-			 * seconds */
-    int authTransact;   /* allow multiple authentications off one password if
-		         * they are all part of the same transaction */
-    int64 authTime;     /* when were we last authenticated */
-    int minPassword;	/* smallest legal password */
-    int maxPassword;	/* largest legal password */
-    uint16 series;	/* break up the slot info into various groups of 
-			 * inserted tokens so that keys and certs can be
-			 * invalidated */
-    uint16 flagSeries;	/* record the last series for the last event
-                         * returned for this slot */
-    PRBool flagState;	/* record the state of the last event returned for this
-			 * slot. */
-    uint16 wrapKey;	/* current wrapping key for SSL master secrets */
-    CK_MECHANISM_TYPE wrapMechanism;
-			/* current wrapping mechanism for current wrapKey */
-    CK_OBJECT_HANDLE refKeys[1]; /* array of existing wrapping keys for */
-    CK_MECHANISM_TYPE *mechanismList; /* list of mechanism supported by this
-				       * token */
-    int mechanismCount;
-    /* cache the certificates stored on the token of this slot */
-    CERTCertificate **cert_array;
-    int array_size;
-    int cert_count;
-    char serial[16];
-    /* since these are odd sizes, keep them last. They are odd sizes to 
-     * allow them to become null terminated strings */
-    char slot_name[65];
-    char token_name[33];
-    PRBool hasRootCerts;
-    PRBool hasRootTrust;
-    PRBool hasRSAInfo;
-    CK_FLAGS RSAInfoFlags;
-    PRBool protectedAuthPath;
-    PRBool isActiveCard;
-    PRIntervalTime lastLoginCheck;
-    unsigned int lastState;
-    /* for Stan */
-    NSSToken *nssToken;
-    /* fast mechanism lookup */
-    char mechanismBits[256];
-};
-
-/* Symetric Key structure. Reference Counted */
-struct PK11SymKeyStr {
-    CK_MECHANISM_TYPE type;	/* type of operation this key was created for*/
-    CK_OBJECT_HANDLE  objectID; /* object id of this key in the slot */
-    PK11SlotInfo      *slot;    /* Slot this key is loaded into */
-    void	      *cx;	/* window context in case we need to loggin */
-    PK11SymKey	      *next;
-    PRBool	      owner;
-    SECItem	      data;	/* raw key data if available */
-    CK_SESSION_HANDLE session;
-    PRBool	      sessionOwner;
-    PRInt32	      refCount;	/* number of references to this key */
-    int		      size;	/* key size in bytes */
-    PK11Origin	      origin;	/* where this key came from 
-                                 * (see def in secmodt.h) */
-    PK11SymKey        *parent;  /* potential owner key of the session */
-    uint16 series;		/* break up the slot info into various groups 
-				 * of inserted tokens so that keys and certs 
-				 * can be invalidated */
-    void *userData;		/* random data the application can attach to
-                                 * this key */
-    PK11FreeDataFunc freeFunc;	/* function to free the user data */
-};
-
-
-/*
- * hold a hash, encryption or signing context for multi-part operations.
- * hold enough information so that multiple contexts can be interleaved
- * if necessary. ... Not RefCounted.
- */
-struct PK11ContextStr {
-    CK_ATTRIBUTE_TYPE	operation; /* type of operation this context is doing
-				    * (CKA_ENCRYPT, CKA_SIGN, CKA_HASH, etc. */
-    PK11SymKey  	*key;	   /* symetric key used in this context */
-    PK11SlotInfo	*slot;	   /* slot this context is operationing on */
-    CK_SESSION_HANDLE	session;   /* session this context is using */
-    PZLock		*sessionLock; /* lock before accessing a PKCS #11 
-				       * session */
-    PRBool		ownSession;/* do we own the session? */
-    void 		*cx;	   /* window context in case we need to loggin*/
-    void		*savedData;/* save data when we are multiplexing on a
-				    * single context */
-    unsigned long	savedLength; /* length of the saved context */
-    SECItem		*param;	    /* mechanism parameters used to build this
-								context */
-    PRBool		init;	    /* has this contexted been initialized */
-    CK_MECHANISM_TYPE	type;	    /* what is the PKCS #11 this context is
-				     * representing (usually what algorithm is
-				     * being used (CKM_RSA_PKCS, CKM_DES,
-				     * CKM_SHA, etc.*/
-    PRBool		fortezzaHack; /*Fortezza SSL has some special
-				       * non-standard semantics*/
-};
-
-/*
- * structure to hold a pointer to a unique PKCS #11 object 
- * (pointer to the slot and the object id).
- */
-struct PK11GenericObjectStr {
-    PK11GenericObject *prev;
-    PK11GenericObject *next;
-    PK11SlotInfo *slot;
-    CK_OBJECT_HANDLE objectID;
-};
-
-
-#define MAX_TEMPL_ATTRS 16 /* maximum attributes in template */
-
-/* This mask includes all CK_FLAGs with an equivalent CKA_ attribute. */
-#define CKF_KEY_OPERATION_FLAGS 0x000e7b00UL
-
-
-#endif /* _SECMODTI_H_ */
diff --git a/security/nss/lib/pk11wrap/secpkcs5.h b/security/nss/lib/pk11wrap/secpkcs5.h
deleted file mode 100644
index ddf3aa82e..000000000
--- a/security/nss/lib/pk11wrap/secpkcs5.h
+++ /dev/null
@@ -1,90 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#ifndef _SECPKCS5_H_
-#define _SECPKCS5_H_
-#include "seccomon.h"
-#include "secmodt.h"
-
-/* used for V2 PKCS 12 Draft Spec */
-typedef enum {
-    pbeBitGenIDNull = 0,
-    pbeBitGenCipherKey = 0x01,
-    pbeBitGenCipherIV = 0x02,
-    pbeBitGenIntegrityKey = 0x03
-} PBEBitGenID;
-
-typedef struct PBEBitGenContextStr PBEBitGenContext;
-
-SEC_BEGIN_PROTOS
-
-SECAlgorithmID *
-SEC_PKCS5CreateAlgorithmID(SECOidTag algorithm, SECItem *salt, int iteration);
-
-/* Get the initialization vector.  The password is passed in, hashing
- * is performed, and the initialization vector is returned.
- *  algid is a pointer to a PBE algorithm ID
- *  pwitem is the password
- * If an error occurs or the algorithm id is not a PBE algrithm,
- * NULL is returned.  Otherwise, the iv is returned in a secitem.
- */
-SECItem *
-SEC_PKCS5GetIV(SECAlgorithmID *algid, SECItem *pwitem, PRBool faulty3DES);
-
-SECOidTag SEC_PKCS5GetCryptoAlgorithm(SECAlgorithmID *algid);
-PRBool SEC_PKCS5IsAlgorithmPBEAlg(SECAlgorithmID *algid);
-SECOidTag SEC_PKCS5GetPBEAlgorithm(SECOidTag algTag, int keyLen);
-int SEC_PKCS5GetKeyLength(SECAlgorithmID *algid);
-
-/**********************************************************************
- * Deprecated PBE fucntions.  Use the PBE functions in pk11func.h
- * instead.
- **********************************************************************/
-
-PBEBitGenContext *
-PBE_CreateContext(SECOidTag hashAlgorithm, PBEBitGenID bitGenPurpose,
-        SECItem *pwitem, SECItem *salt, unsigned int bitsNeeded,
-        unsigned int iterations);
-
-void
-PBE_DestroyContext(PBEBitGenContext *context);
-
-
-SECItem *
-PBE_GenerateBits(PBEBitGenContext *context);
-
-SEC_END_PROTOS
-
-#endif /* _SECPKS5_H_ */
diff --git a/security/nss/lib/pkcs12/Makefile b/security/nss/lib/pkcs12/Makefile
deleted file mode 100644
index 09182f0ea..000000000
--- a/security/nss/lib/pkcs12/Makefile
+++ /dev/null
@@ -1,81 +0,0 @@
-#! gmake
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include config.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-
diff --git a/security/nss/lib/pkcs12/config.mk b/security/nss/lib/pkcs12/config.mk
deleted file mode 100644
index 9554ab4a5..000000000
--- a/security/nss/lib/pkcs12/config.mk
+++ /dev/null
@@ -1,48 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-
-#
-#  Override TARGETS variable so that only static libraries
-#  are specifed as dependencies within rules.mk.
-#
-
-TARGETS        = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PROGRAM        =
-
diff --git a/security/nss/lib/pkcs12/manifest.mn b/security/nss/lib/pkcs12/manifest.mn
deleted file mode 100644
index af76ca2ed..000000000
--- a/security/nss/lib/pkcs12/manifest.mn
+++ /dev/null
@@ -1,62 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-EXPORTS = \
-	pkcs12t.h \
-	pkcs12.h \
-	p12plcy.h \
-	p12.h \
-	p12t.h \
-	$(NULL)
-
-MODULE = nss
-
-CSRCS = \
-	p12local.c \
-	p12creat.c \
-	p12dec.c \
-	p12plcy.c \
-	p12tmpl.c \
-	p12e.c \
-	p12d.c \
-	$(NULL)
-
-REQUIRES = dbm
-
-LIBRARY_NAME = pkcs12
diff --git a/security/nss/lib/pkcs12/p12.h b/security/nss/lib/pkcs12/p12.h
deleted file mode 100644
index 6eb6ecfed..000000000
--- a/security/nss/lib/pkcs12/p12.h
+++ /dev/null
@@ -1,208 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-
-#ifndef _P12_H_
-#define _P12_H_
-
-#include "secoid.h"
-#include "key.h"
-#include "secpkcs7.h"
-#include "p12t.h"
-
-typedef int (PR_CALLBACK * PKCS12OpenFunction)(void *arg);
-typedef int (PR_CALLBACK * PKCS12ReadFunction)(void *arg,
-                                               unsigned char *buffer, 
-                                               unsigned int *lenRead,
-                                               unsigned int maxLen);
-typedef int (PR_CALLBACK * PKCS12WriteFunction)(void *arg,
-                                                unsigned char *buffer, 
-                                                unsigned int *bufLen,
-                                                unsigned int *lenWritten);
-typedef int (PR_CALLBACK * PKCS12CloseFunction)(void *arg);
-typedef SECStatus (PR_CALLBACK * PKCS12UnicodeConvertFunction)(
-                                 PRArenaPool *arena,
-                                 SECItem *dest, SECItem *src,
-                                 PRBool toUnicode,
-                                 PRBool swapBytes);
-typedef void (PR_CALLBACK * SEC_PKCS12EncoderOutputCallback)(
-                            void *arg, const char *buf,
-                            unsigned long len);
-typedef void (PR_CALLBACK * SEC_PKCS12DecoderOutputCallback)(
-                            void *arg, const char *buf,
-                            unsigned long len);
-typedef SECItem * (PR_CALLBACK * SEC_PKCS12NicknameCollisionCallback)(
-                                 SECItem *old_nickname,
-                                 PRBool *cancel,
-                                 void *arg);
-
-
-
-
-typedef SECStatus (PR_CALLBACK *digestOpenFn)(void *arg, PRBool readData);
-typedef SECStatus (PR_CALLBACK *digestCloseFn)(void *arg, PRBool removeFile);
-typedef int (PR_CALLBACK *digestIOFn)(void *arg, unsigned char *buf, 
-                                      unsigned long len);
-
-typedef struct SEC_PKCS12ExportContextStr SEC_PKCS12ExportContext;
-typedef struct SEC_PKCS12SafeInfoStr SEC_PKCS12SafeInfo;
-typedef struct SEC_PKCS12DecoderContextStr SEC_PKCS12DecoderContext;
-typedef struct SEC_PKCS12DecoderItemStr SEC_PKCS12DecoderItem;
-
-struct sec_PKCS12PasswordModeInfo {
-    SECItem	*password;
-    SECOidTag	algorithm;
-};
-
-struct sec_PKCS12PublicKeyModeInfo {
-    CERTCertificate	*cert;
-    CERTCertDBHandle *certDb;
-    SECOidTag	algorithm;
-    int keySize;
-};
-
-struct SEC_PKCS12DecoderItemStr {
-    SECItem *der;
-    SECOidTag type;
-    PRBool hasKey;
-    SECItem *friendlyName;      /* UTF-8 string */
-};
-    
-
-SEC_BEGIN_PROTOS
-
-SEC_PKCS12SafeInfo *
-SEC_PKCS12CreatePubKeyEncryptedSafe(SEC_PKCS12ExportContext *p12ctxt,
-				    CERTCertDBHandle *certDb,
-				    CERTCertificate *signer,
-				    CERTCertificate **recipients,
-				    SECOidTag algorithm, int keysize);
-
-extern SEC_PKCS12SafeInfo *
-SEC_PKCS12CreatePasswordPrivSafe(SEC_PKCS12ExportContext *p12ctxt, 
-				 SECItem *pwitem, SECOidTag privAlg);
-
-extern SEC_PKCS12SafeInfo *
-SEC_PKCS12CreateUnencryptedSafe(SEC_PKCS12ExportContext *p12ctxt);
-
-extern SECStatus
-SEC_PKCS12AddPasswordIntegrity(SEC_PKCS12ExportContext *p12ctxt,
-			       SECItem *pwitem, SECOidTag integAlg);
-extern SECStatus
-SEC_PKCS12AddPublicKeyIntegrity(SEC_PKCS12ExportContext *p12ctxt,
-				CERTCertificate *cert, CERTCertDBHandle *certDb,
-				SECOidTag algorithm, int keySize);
-
-extern SEC_PKCS12ExportContext *
-SEC_PKCS12CreateExportContext(SECKEYGetPasswordKey pwfn, void *pwfnarg,  
-			      PK11SlotInfo *slot, void *wincx);
-
-extern SECStatus
-SEC_PKCS12AddCert(SEC_PKCS12ExportContext *p12ctxt, 
-		  SEC_PKCS12SafeInfo *safe, void *nestedDest,
-		  CERTCertificate *cert, CERTCertDBHandle *certDb,
-		  SECItem *keyId, PRBool includeCertChain);
-
-extern SECStatus
-SEC_PKCS12AddKeyForCert(SEC_PKCS12ExportContext *p12ctxt, 
-			SEC_PKCS12SafeInfo *safe, 
-			void *nestedDest, CERTCertificate *cert,
-			PRBool shroudKey, SECOidTag algorithm, SECItem *pwitem,
-			SECItem *keyId, SECItem *nickName);
-
-extern SECStatus
-SEC_PKCS12AddCertAndKey(SEC_PKCS12ExportContext *p12ctxt, 
-			void *certSafe, void *certNestedDest, 
-			CERTCertificate *cert, CERTCertDBHandle *certDb,
-			void *keySafe, void *keyNestedDest, 
-			PRBool shroudKey, SECItem *pwitem, SECOidTag algorithm);
-
-extern SECStatus
-SEC_PKCS12AddDERCertAndEncryptedKey(SEC_PKCS12ExportContext *p12ctxt, 
-			void *certSafe, void *certNestedDest, SECItem *derCert,
-			void *keySafe, void *keyNestedDest, 
-			SECKEYEncryptedPrivateKeyInfo *epki, char *nickname);
-
-extern void *
-SEC_PKCS12CreateNestedSafeContents(SEC_PKCS12ExportContext *p12ctxt,
-				   void *baseSafe, void *nestedDest);
-
-extern SECStatus
-SEC_PKCS12Encode(SEC_PKCS12ExportContext *p12exp, 
-		 SEC_PKCS12EncoderOutputCallback output, void *outputarg);
-
-extern void
-SEC_PKCS12DestroyExportContext(SEC_PKCS12ExportContext *p12exp);
-
-extern SEC_PKCS12DecoderContext *
-SEC_PKCS12DecoderStart(SECItem *pwitem, PK11SlotInfo *slot, void *wincx,
-		       digestOpenFn dOpen, digestCloseFn dClose,
-		       digestIOFn dRead, digestIOFn dWrite, void *dArg);
-
-extern SECStatus
-SEC_PKCS12DecoderSetTargetTokenCAs(SEC_PKCS12DecoderContext *p12dcx,
-                		   SECPKCS12TargetTokenCAs tokenCAs);
-
-extern SECStatus
-SEC_PKCS12DecoderUpdate(SEC_PKCS12DecoderContext *p12dcx, unsigned char *data,
-			unsigned long len);
-
-extern void
-SEC_PKCS12DecoderFinish(SEC_PKCS12DecoderContext *p12dcx);
-
-extern SECStatus
-SEC_PKCS12DecoderVerify(SEC_PKCS12DecoderContext *p12dcx);
-
-extern SECStatus
-SEC_PKCS12DecoderValidateBags(SEC_PKCS12DecoderContext *p12dcx,
-			      SEC_PKCS12NicknameCollisionCallback nicknameCb);
-
-extern SECStatus
-SEC_PKCS12DecoderImportBags(SEC_PKCS12DecoderContext *p12dcx);
-
-CERTCertList *
-SEC_PKCS12DecoderGetCerts(SEC_PKCS12DecoderContext *p12dcx);
-
-SECStatus
-SEC_PKCS12DecoderIterateInit(SEC_PKCS12DecoderContext *p12dcx);
-
-SECStatus
-SEC_PKCS12DecoderIterateNext(SEC_PKCS12DecoderContext *p12dcx,
-                             const SEC_PKCS12DecoderItem **ipp);
-
-SEC_END_PROTOS
-
-#endif
diff --git a/security/nss/lib/pkcs12/p12creat.c b/security/nss/lib/pkcs12/p12creat.c
deleted file mode 100644
index 29b0892f3..000000000
--- a/security/nss/lib/pkcs12/p12creat.c
+++ /dev/null
@@ -1,254 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "pkcs12.h"
-#include "secitem.h"
-#include "secport.h"
-#include "secder.h"
-#include "secoid.h"
-#include "p12local.h"
-#include "secerr.h"
-
-
-/* allocate space for a PFX structure and set up initial
- * arena pool.  pfx structure is cleared and a pointer to
- * the new structure is returned.
- */
-SEC_PKCS12PFXItem *
-sec_pkcs12_new_pfx(void)
-{
-    SEC_PKCS12PFXItem   *pfx = NULL;
-    PRArenaPool     *poolp = NULL;
-
-    poolp = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);	/* XXX Different size? */
-    if(poolp == NULL)
-	goto loser;
-
-    pfx = (SEC_PKCS12PFXItem *)PORT_ArenaZAlloc(poolp, 
-	sizeof(SEC_PKCS12PFXItem));
-    if(pfx == NULL)
-	goto loser;
-    pfx->poolp = poolp;
-
-    return pfx;
-
-loser:
-    PORT_FreeArena(poolp, PR_TRUE);
-    return NULL;
-}
-
-/* allocate space for a PFX structure and set up initial
- * arena pool.  pfx structure is cleared and a pointer to
- * the new structure is returned.
- */
-SEC_PKCS12AuthenticatedSafe *
-sec_pkcs12_new_asafe(PRArenaPool *poolp)
-{
-    SEC_PKCS12AuthenticatedSafe  *asafe = NULL;
-    void *mark;
-
-    mark = PORT_ArenaMark(poolp);
-    asafe = (SEC_PKCS12AuthenticatedSafe *)PORT_ArenaZAlloc(poolp, 
-	sizeof(SEC_PKCS12AuthenticatedSafe));
-    if(asafe == NULL)
-	goto loser;
-    asafe->poolp = poolp;
-    PORT_Memset(&asafe->old_baggage, 0, sizeof(SEC_PKCS7ContentInfo));
-
-    PORT_ArenaUnmark(poolp, mark);
-    return asafe;
-
-loser:
-    PORT_ArenaRelease(poolp, mark);
-    return NULL;
-}
-
-/* create a safe contents structure with a list of
- * length 0 with the first element being NULL 
- */
-SEC_PKCS12SafeContents *
-sec_pkcs12_create_safe_contents(PRArenaPool *poolp)
-{
-    SEC_PKCS12SafeContents *safe;
-    void *mark;
-
-    if(poolp == NULL)
-	return NULL;
-
-    /* allocate structure */
-    mark = PORT_ArenaMark(poolp);
-    safe = (SEC_PKCS12SafeContents *)PORT_ArenaZAlloc(poolp, 
-	sizeof(SEC_PKCS12SafeContents));
-    if(safe == NULL)
-    {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	PORT_ArenaRelease(poolp, mark);
-	return NULL;
-    }
-
-    /* init list */
-    safe->contents = (SEC_PKCS12SafeBag**)PORT_ArenaZAlloc(poolp, 
-						  sizeof(SEC_PKCS12SafeBag *));
-    if(safe->contents == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	PORT_ArenaRelease(poolp, mark);
-	return NULL;
-    }
-    safe->contents[0] = NULL;
-    safe->poolp       = poolp;
-    safe->safe_size   = 0;
-    PORT_ArenaUnmark(poolp, mark);
-    return safe;
-}
-
-/* create a new external bag which is appended onto the list
- * of bags in baggage.  the bag is created in the same arena
- * as baggage
- */
-SEC_PKCS12BaggageItem *
-sec_pkcs12_create_external_bag(SEC_PKCS12Baggage *luggage)
-{
-    void *dummy, *mark;
-    SEC_PKCS12BaggageItem *bag;
-
-    if(luggage == NULL) {
-	return NULL;
-    }
-
-    mark = PORT_ArenaMark(luggage->poolp);
-
-    /* allocate space for null terminated bag list */
-    if(luggage->bags == NULL) {
-	luggage->bags=(SEC_PKCS12BaggageItem**)PORT_ArenaZAlloc(luggage->poolp, 
-					sizeof(SEC_PKCS12BaggageItem *));
-	if(luggage->bags == NULL) {
-	    goto loser;
-	}
-	luggage->luggage_size = 0;
-    }
-
-    /* grow the list */    
-    dummy = PORT_ArenaGrow(luggage->poolp, luggage->bags,
-    			sizeof(SEC_PKCS12BaggageItem *) * (luggage->luggage_size + 1),
-    			sizeof(SEC_PKCS12BaggageItem *) * (luggage->luggage_size + 2));
-    if(dummy == NULL) {
-	goto loser;
-    }
-    luggage->bags = (SEC_PKCS12BaggageItem**)dummy;
-
-    luggage->bags[luggage->luggage_size] = 
-    		(SEC_PKCS12BaggageItem *)PORT_ArenaZAlloc(luggage->poolp,
-    							sizeof(SEC_PKCS12BaggageItem));
-    if(luggage->bags[luggage->luggage_size] == NULL) {
-	goto loser;
-    }
-
-    /* create new bag and append it to the end */
-    bag = luggage->bags[luggage->luggage_size];
-    bag->espvks = (SEC_PKCS12ESPVKItem **)PORT_ArenaZAlloc(
-    						luggage->poolp,
-    						sizeof(SEC_PKCS12ESPVKItem *));
-    bag->unencSecrets = (SEC_PKCS12SafeBag **)PORT_ArenaZAlloc(
-    						luggage->poolp,
-    						sizeof(SEC_PKCS12SafeBag *));
-    if((bag->espvks == NULL) || (bag->unencSecrets == NULL)) {
-	goto loser;
-    }
-
-    bag->poolp = luggage->poolp;
-    luggage->luggage_size++;
-    luggage->bags[luggage->luggage_size] = NULL;
-    bag->espvks[0] = NULL;
-    bag->unencSecrets[0] = NULL;
-    bag->nEspvks = bag->nSecrets = 0;
-
-    PORT_ArenaUnmark(luggage->poolp, mark);
-    return bag;
-
-loser:
-    PORT_ArenaRelease(luggage->poolp, mark);
-    PORT_SetError(SEC_ERROR_NO_MEMORY);
-    return NULL;
-}
-
-/* creates a baggage witha NULL terminated 0 length list */
-SEC_PKCS12Baggage *
-sec_pkcs12_create_baggage(PRArenaPool *poolp)
-{
-    SEC_PKCS12Baggage *luggage;
-    void *mark;
-
-    if(poolp == NULL)
-	return NULL;
-
-    mark = PORT_ArenaMark(poolp);
-
-    /* allocate bag */
-    luggage = (SEC_PKCS12Baggage *)PORT_ArenaZAlloc(poolp, 
-	sizeof(SEC_PKCS12Baggage));
-    if(luggage == NULL)
-    {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	PORT_ArenaRelease(poolp, mark);
-	return NULL;
-    }
-
-    /* init list */
-    luggage->bags = (SEC_PKCS12BaggageItem **)PORT_ArenaZAlloc(poolp,
-    					sizeof(SEC_PKCS12BaggageItem *));
-    if(luggage->bags == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	PORT_ArenaRelease(poolp, mark);
-	return NULL;
-    }
-
-    luggage->bags[0] = NULL;
-    luggage->luggage_size = 0;
-    luggage->poolp = poolp;
-
-    PORT_ArenaUnmark(poolp, mark);
-    return luggage;
-}
-
-/* free pfx structure and associated items in the arena */
-void 
-SEC_PKCS12DestroyPFX(SEC_PKCS12PFXItem *pfx)
-{
-    if (pfx != NULL && pfx->poolp != NULL)
-    {
-	PORT_FreeArena(pfx->poolp, PR_TRUE);
-    }
-}
diff --git a/security/nss/lib/pkcs12/p12d.c b/security/nss/lib/pkcs12/p12d.c
deleted file mode 100644
index 2d4d29cae..000000000
--- a/security/nss/lib/pkcs12/p12d.c
+++ /dev/null
@@ -1,3473 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-
-#include "nssrenam.h"
-#include "p12t.h"
-#include "p12.h"
-#include "plarena.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "seccomon.h"
-#include "secport.h"
-#include "cert.h"
-#include "secpkcs7.h"
-#include "secasn1.h"
-#include "secerr.h"
-#include "pk11func.h"
-#include "p12plcy.h"
-#include "p12local.h"
-#include "secder.h"
-#include "secport.h"
-
-#include "certdb.h"
-
-#include "prcpucfg.h"
-
-typedef struct sec_PKCS12SafeContentsContextStr sec_PKCS12SafeContentsContext;
-
-/* Opaque structure for decoding SafeContents.  These are used
- * for each authenticated safe as well as any nested safe contents.
- */
-struct sec_PKCS12SafeContentsContextStr {
-    /* the parent decoder context */
-    SEC_PKCS12DecoderContext *p12dcx;
-
-    /* memory arena to allocate space from */
-    PRArenaPool *arena;
-
-    /* decoder context and destination for decoding safe contents */
-    SEC_ASN1DecoderContext *safeContentsDcx;
-    sec_PKCS12SafeContents safeContents;
-
-    /* information for decoding safe bags within the safe contents.
-     * these variables are updated for each safe bag decoded.
-     */
-    SEC_ASN1DecoderContext *currentSafeBagDcx;
-    sec_PKCS12SafeBag *currentSafeBag;
-    PRBool skipCurrentSafeBag;
-
-    /* if the safe contents is nested, the parent is pointed to here. */
-    sec_PKCS12SafeContentsContext *nestedCtx;
-};
-
-/* opaque decoder context structure.  information for decoding a pkcs 12
- * PDU are stored here as well as decoding pointers for intermediary 
- * structures which are part of the PKCS 12 PDU.  Upon a successful
- * decode, the safe bags containing certificates and keys encountered.
- */  
-struct SEC_PKCS12DecoderContextStr {
-    PRArenaPool *arena;
-    PK11SlotInfo *slot;
-    void *wincx;
-    PRBool error;
-    int errorValue;
-
-    /* password */
-    SECItem *pwitem;
-
-    /* used for decoding the PFX structure */
-    SEC_ASN1DecoderContext *pfxDcx;
-    sec_PKCS12PFXItem pfx;
-
-    /* safe bags found during decoding */  
-    sec_PKCS12SafeBag **safeBags;
-    unsigned int safeBagCount;
-
-    /* state variables for decoding authenticated safes. */
-    SEC_PKCS7DecoderContext *currentASafeP7Dcx;
-    SEC_ASN1DecoderContext *aSafeDcx;
-    SEC_PKCS7DecoderContext *aSafeP7Dcx;
-    sec_PKCS12AuthenticatedSafe authSafe;
-    SEC_PKCS7ContentInfo *aSafeCinfo;
-    sec_PKCS12SafeContents safeContents;
-
-    /* safe contents info */
-    unsigned int safeContentsCnt;
-    sec_PKCS12SafeContentsContext **safeContentsList;
-
-    /* HMAC info */
-    sec_PKCS12MacData	macData;
-    SEC_ASN1DecoderContext *hmacDcx;
-
-    /* routines for reading back the data to be hmac'd */
-    digestOpenFn dOpen;
-    digestCloseFn dClose;
-    digestIOFn dRead, dWrite;
-    void *dArg;
-
-    /* helper functions */
-    SECKEYGetPasswordKey pwfn;
-    void *pwfnarg;
-    PRBool swapUnicodeBytes;
-
-    /* import information */
-    PRBool bagsVerified;
-
-    /* buffer management for the default callbacks implementation */
-    void        *buffer;      /* storage area */
-    PRInt32     filesize;     /* actual data size */
-    PRInt32     allocated;    /* total buffer size allocated */
-    PRInt32     currentpos;   /* position counter */
-    SECPKCS12TargetTokenCAs tokenCAs;
-    sec_PKCS12SafeBag **keyList;/* used by ...IterateNext() */
-    unsigned int iteration;
-    SEC_PKCS12DecoderItem decitem;
-};
-
-
-/* make sure that the PFX version being decoded is a version
- * which we support.
- */
-static PRBool
-sec_pkcs12_proper_version(sec_PKCS12PFXItem *pfx)
-{
-    /* if no version, assume it is not supported */
-    if(pfx->version.len == 0) {
-	return PR_FALSE;
-    }
-
-    if(DER_GetInteger(&pfx->version) > SEC_PKCS12_VERSION) {
-	return PR_FALSE;
-    }
-
-    return PR_TRUE;
-}
-
-/* retrieve the key for decrypting the safe contents */ 
-static PK11SymKey *
-sec_pkcs12_decoder_get_decrypt_key(void *arg, SECAlgorithmID *algid)
-{
-    SEC_PKCS12DecoderContext *p12dcx =
-	(SEC_PKCS12DecoderContext *) arg;
-    PK11SlotInfo *slot;
-    PK11SymKey *bulkKey;
-
-    if(!p12dcx) {
-	return NULL;
-    }
-
-    /* if no slot specified, use the internal key slot */
-    if(p12dcx->slot) {
-	slot = PK11_ReferenceSlot(p12dcx->slot);
-    } else {
-	slot = PK11_GetInternalKeySlot();
-    }
-
-    bulkKey = PK11_PBEKeyGen(slot, algid, p12dcx->pwitem, 
-						PR_FALSE, p12dcx->wincx);
-    /* some tokens can't generate PBE keys on their own, generate the
-     * key in the internal slot, and let the Import code deal with it,
-     * (if the slot can't generate PBEs, then we need to use the internal
-     * slot anyway to unwrap). */
-    if (!bulkKey && !PK11_IsInternal(slot)) {
-	PK11_FreeSlot(slot);
-	slot = PK11_GetInternalKeySlot();
-	bulkKey = PK11_PBEKeyGen(slot, algid, p12dcx->pwitem, 
-						PR_FALSE, p12dcx->wincx);
-    }
-    PK11_FreeSlot(slot);
-
-    /* set the password data on the key */
-    if (bulkKey) {
-        PK11_SetSymKeyUserData(bulkKey,p12dcx->pwitem, NULL);
-    }
-
-
-    return bulkKey;
-}
-
-/* XXX this needs to be modified to handle enveloped data.  most
- * likely, it should mirror the routines for SMIME in that regard.
- */
-static PRBool
-sec_pkcs12_decoder_decryption_allowed(SECAlgorithmID *algid, 
-				      PK11SymKey *bulkkey)
-{
-    PRBool decryptionAllowed = SEC_PKCS12DecryptionAllowed(algid);
-
-    if(!decryptionAllowed) {
-	return PR_FALSE;
-    }
-
-    return PR_TRUE;
-}
-
-/* when we encounter a new safe bag during the decoding, we need
- * to allocate space for the bag to be decoded to and set the 
- * state variables appropriately.  all of the safe bags are allocated
- * in a buffer in the outer SEC_PKCS12DecoderContext, however,
- * a pointer to the safeBag is also used in the sec_PKCS12SafeContentsContext
- * for the current bag.
- */
-static SECStatus
-sec_pkcs12_decoder_init_new_safe_bag(sec_PKCS12SafeContentsContext 
-						*safeContentsCtx)
-{
-    void *mark = NULL;
-    SEC_PKCS12DecoderContext *p12dcx;
-
-    /* make sure that the structures are defined, and there has
-     * not been an error in the decoding 
-     */
-    if(!safeContentsCtx || !safeContentsCtx->p12dcx 
-		|| safeContentsCtx->p12dcx->error) {
-	return SECFailure;
-    }
-
-    p12dcx = safeContentsCtx->p12dcx;
-    mark = PORT_ArenaMark(p12dcx->arena);
-
-    /* allocate a new safe bag, if bags already exist, grow the 
-     * list of bags, otherwise allocate a new list.  the list is
-     * NULL terminated.
-     */
-    if(p12dcx->safeBagCount) {
-	p12dcx->safeBags = 
-	    (sec_PKCS12SafeBag**)PORT_ArenaGrow(p12dcx->arena,p12dcx->safeBags,
-			(p12dcx->safeBagCount + 1) * sizeof(sec_PKCS12SafeBag *),
-			(p12dcx->safeBagCount + 2) * sizeof(sec_PKCS12SafeBag *));
-    } else {
-	p12dcx->safeBags = (sec_PKCS12SafeBag**)PORT_ArenaZAlloc(p12dcx->arena,
-					    2 * sizeof(sec_PKCS12SafeBag *));
-    }
-    if(!p12dcx->safeBags) {
-	p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
-	goto loser;
-    }
-
-    /* append the bag to the end of the list and update the reference
-     * in the safeContentsCtx.
-     */
-    p12dcx->safeBags[p12dcx->safeBagCount] = 
-        (sec_PKCS12SafeBag*)PORT_ArenaZAlloc(p12dcx->arena,
-					     sizeof(sec_PKCS12SafeBag));
-    safeContentsCtx->currentSafeBag = p12dcx->safeBags[p12dcx->safeBagCount];
-    p12dcx->safeBags[++p12dcx->safeBagCount] = NULL;
-    if(!safeContentsCtx->currentSafeBag) {
-	p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
-	goto loser;
-    }
-
-    safeContentsCtx->currentSafeBag->slot = safeContentsCtx->p12dcx->slot;
-    safeContentsCtx->currentSafeBag->pwitem = safeContentsCtx->p12dcx->pwitem;
-    safeContentsCtx->currentSafeBag->swapUnicodeBytes = 
-				safeContentsCtx->p12dcx->swapUnicodeBytes;
-    safeContentsCtx->currentSafeBag->arena = safeContentsCtx->p12dcx->arena;
-    safeContentsCtx->currentSafeBag->tokenCAs = 
-				safeContentsCtx->p12dcx->tokenCAs;
-
-    PORT_ArenaUnmark(p12dcx->arena, mark);
-    return SECSuccess;
-
-loser:
-
-    /* if an error occurred, release the memory and set the error flag
-     * the only possible errors triggered by this function are memory 
-     * related.
-     */
-    if(mark) {
-	PORT_ArenaRelease(p12dcx->arena, mark);
-    }
-
-    p12dcx->error = PR_TRUE;
-    return SECFailure;
-}
-
-/* A wrapper for updating the ASN1 context in which a safeBag is
- * being decoded.  This function is called as a callback from
- * secasn1d when decoding SafeContents structures.
- */
-static void
-sec_pkcs12_decoder_safe_bag_update(void *arg, const char *data, 
-				   unsigned long len, int depth, 
-				   SEC_ASN1EncodingPart data_kind)
-{
-    sec_PKCS12SafeContentsContext *safeContentsCtx = 
-        (sec_PKCS12SafeContentsContext *)arg;
-    SEC_PKCS12DecoderContext *p12dcx;
-    SECStatus rv;
-
-    /* make sure that we are not skipping the current safeBag,
-     * and that there are no errors.  If so, just return rather
-     * than continuing to process.
-     */
-    if(!safeContentsCtx || !safeContentsCtx->p12dcx 
-		|| safeContentsCtx->p12dcx->error 
-		|| safeContentsCtx->skipCurrentSafeBag) {
-	return;
-    }
-    p12dcx = safeContentsCtx->p12dcx;
-
-    rv = SEC_ASN1DecoderUpdate(safeContentsCtx->currentSafeBagDcx, data, len);
-    if(rv != SECSuccess) {
-	p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
-	goto loser;
-    }
-
-    return;
-
-loser:
-    /* set the error, and finish the decoder context.  because there 
-     * is not a way of returning an error message, it may be worth
-     * while to do a check higher up and finish any decoding contexts
-     * that are still open.
-     */
-    p12dcx->error = PR_TRUE;
-    SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagDcx);
-    safeContentsCtx->currentSafeBagDcx = NULL;
-    return;
-}
-
-/* forward declarations of functions that are used when decoding
- * safeContents bags which are nested and when decoding the 
- * authenticatedSafes.
- */
-static SECStatus
-sec_pkcs12_decoder_begin_nested_safe_contents(sec_PKCS12SafeContentsContext 
-							*safeContentsCtx);
-static SECStatus
-sec_pkcs12_decoder_finish_nested_safe_contents(sec_PKCS12SafeContentsContext
-							*safeContentsCtx);
-static void
-sec_pkcs12_decoder_safe_bag_update(void *arg, const char *data, 
-				   unsigned long len, int depth, 
-				   SEC_ASN1EncodingPart data_kind);
-
-/* notify function for decoding safeBags.  This function is
- * used to filter safeBag types which are not supported,
- * initiate the decoding of nested safe contents, and decode
- * safeBags in general.  this function is set when the decoder
- * context for the safeBag is first created.
- */
-static void
-sec_pkcs12_decoder_safe_bag_notify(void *arg, PRBool before,
-				   void *dest, int real_depth)
-{
-    sec_PKCS12SafeContentsContext *safeContentsCtx = 
-        (sec_PKCS12SafeContentsContext *)arg;
-    SEC_PKCS12DecoderContext *p12dcx;
-    sec_PKCS12SafeBag *bag;
-    PRBool after;
-
-    /* if an error is encountered, return */
-    if(!safeContentsCtx || !safeContentsCtx->p12dcx || 
-		safeContentsCtx->p12dcx->error) {
-	return;
-    }
-    p12dcx = safeContentsCtx->p12dcx;
-
-    /* to make things more readable */
-    if(before)
-	after = PR_FALSE;
-    else 
-	after = PR_TRUE;
-
-    /* have we determined the safeBagType yet? */
-    bag = safeContentsCtx->currentSafeBag;
-    if(bag->bagTypeTag == NULL) {
-	if(after && (dest == &(bag->safeBagType))) {
-	    bag->bagTypeTag = SECOID_FindOID(&(bag->safeBagType));
-	    if(bag->bagTypeTag == NULL) {
-		p12dcx->error = PR_TRUE;
-		p12dcx->errorValue = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE;
-	    }
-	}
-	return;
-    }
-
-    /* process the safeBag depending on it's type.  those
-     * which we do not support, are ignored.  we start a decoding
-     * context for a nested safeContents.
-     */
-    switch(bag->bagTypeTag->offset) {
-	case SEC_OID_PKCS12_V1_KEY_BAG_ID:
-	case SEC_OID_PKCS12_V1_CERT_BAG_ID:
-	case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
-	    break;
-	case SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID:
-	    /* if we are just starting to decode the safeContents, initialize
-	     * a new safeContentsCtx to process it.
-	     */
-	    if(before && (dest == &(bag->safeBagContent))) {
-		sec_pkcs12_decoder_begin_nested_safe_contents(safeContentsCtx);
-	    } else if(after && (dest == &(bag->safeBagContent))) {
-		/* clean up the nested decoding */
-		sec_pkcs12_decoder_finish_nested_safe_contents(safeContentsCtx);
-	    }
-	    break;
-	case SEC_OID_PKCS12_V1_CRL_BAG_ID:
-	case SEC_OID_PKCS12_V1_SECRET_BAG_ID:
-	default:
-	    /* skip any safe bag types we don't understand or handle */
-	    safeContentsCtx->skipCurrentSafeBag = PR_TRUE;
-	    break;
-    }
-
-    return;
-}
-
-/* notify function for decoding safe contents.  each entry in the
- * safe contents is a safeBag which needs to be allocated and
- * the decoding context initialized at the beginning and then
- * the context needs to be closed and finished at the end.
- *
- * this function is set when the safeContents decode context is
- * initialized.
- */
-static void
-sec_pkcs12_decoder_safe_contents_notify(void *arg, PRBool before,
-					void *dest, int real_depth)
-{
-    sec_PKCS12SafeContentsContext *safeContentsCtx = 
-        (sec_PKCS12SafeContentsContext*)arg;
-    SEC_PKCS12DecoderContext *p12dcx;
-    SECStatus rv;
-
-    /* if there is an error we don't want to continue processing,
-     * just return and keep going.
-     */
-    if(!safeContentsCtx || !safeContentsCtx->p12dcx 
-		|| safeContentsCtx->p12dcx->error) {
-	return;
-    }
-    p12dcx = safeContentsCtx->p12dcx;
-
-    /* if we are done with the current safeBag, then we need to
-     * finish the context and set the state variables appropriately.
-     */
-    if(!before) {
-	SEC_ASN1DecoderClearFilterProc(safeContentsCtx->safeContentsDcx);
-	SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagDcx);
-	safeContentsCtx->currentSafeBagDcx = NULL;
-	safeContentsCtx->skipCurrentSafeBag = PR_FALSE;
-    } else {
-	/* we are starting a new safe bag.  we need to allocate space
-	 * for the bag and initialize the decoding context.
-	 */
-	rv = sec_pkcs12_decoder_init_new_safe_bag(safeContentsCtx);
-	if(rv != SECSuccess) {
-	    goto loser;
-	}
-
-	/* set up the decoder context */
-	safeContentsCtx->currentSafeBagDcx = SEC_ASN1DecoderStart(p12dcx->arena,
-						safeContentsCtx->currentSafeBag,
-						sec_PKCS12SafeBagTemplate);
-	if(!safeContentsCtx->currentSafeBagDcx) {
-	    p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
-	    goto loser;
-	}
-
-	/* set the notify and filter procs so that the safe bag
-	 * data gets sent to the proper location when decoding.
-	 */
-	SEC_ASN1DecoderSetNotifyProc(safeContentsCtx->currentSafeBagDcx, 
-				 sec_pkcs12_decoder_safe_bag_notify, 
-				 safeContentsCtx);
-	SEC_ASN1DecoderSetFilterProc(safeContentsCtx->safeContentsDcx, 
-				 sec_pkcs12_decoder_safe_bag_update, 
-				 safeContentsCtx, PR_TRUE);
-    }
-
-    return;
-
-loser:
-    /* in the event of an error, we want to close the decoding
-     * context and clear the filter and notify procedures.
-     */
-    p12dcx->error = PR_TRUE;
-
-    if(safeContentsCtx->currentSafeBagDcx) {
-	SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagDcx);
-	safeContentsCtx->currentSafeBagDcx = NULL;
-    }
-
-    SEC_ASN1DecoderClearNotifyProc(safeContentsCtx->safeContentsDcx);
-    SEC_ASN1DecoderClearFilterProc(safeContentsCtx->safeContentsDcx);
-
-    return;
-}
-
-/* initialize the safeContents for decoding.  this routine
- * is used for authenticatedSafes as well as nested safeContents.
- */
-static sec_PKCS12SafeContentsContext *
-sec_pkcs12_decoder_safe_contents_init_decode(SEC_PKCS12DecoderContext *p12dcx,
-					     PRBool nestedSafe)
-{
-    sec_PKCS12SafeContentsContext *safeContentsCtx = NULL;
-    const SEC_ASN1Template *theTemplate;
-
-    if(!p12dcx || p12dcx->error) {
-	return NULL;
-    }
-
-    /* allocate a new safeContents list or grow the existing list and
-     * append the new safeContents onto the end.
-     */
-    if(!p12dcx->safeContentsCnt) {
-	p12dcx->safeContentsList = 
-	    (sec_PKCS12SafeContentsContext**)PORT_ArenaZAlloc(p12dcx->arena, 
-	       			 sizeof(sec_PKCS12SafeContentsContext *));
-    } else {
-	p12dcx->safeContentsList = 
-	   (sec_PKCS12SafeContentsContext **) PORT_ArenaGrow(p12dcx->arena,
-			p12dcx->safeContentsList,
-			(p12dcx->safeContentsCnt * 
-				sizeof(sec_PKCS12SafeContentsContext *)),
-			(1 + p12dcx->safeContentsCnt * 
-				sizeof(sec_PKCS12SafeContentsContext *)));
-    }
-    if(!p12dcx->safeContentsList) {
-	p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
-	goto loser;
-    }
-
-    p12dcx->safeContentsList[p12dcx->safeContentsCnt] = 
-        (sec_PKCS12SafeContentsContext*)PORT_ArenaZAlloc(
-					p12dcx->arena,
-					sizeof(sec_PKCS12SafeContentsContext));
-    p12dcx->safeContentsList[p12dcx->safeContentsCnt+1] = NULL;
-    if(!p12dcx->safeContentsList[p12dcx->safeContentsCnt]) {
-	p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
-	goto loser;
-    }
-
-    /* set up the state variables */
-    safeContentsCtx = p12dcx->safeContentsList[p12dcx->safeContentsCnt];
-    p12dcx->safeContentsCnt++;
-    safeContentsCtx->p12dcx = p12dcx;
-    safeContentsCtx->arena = p12dcx->arena;
-
-    /* begin the decoding -- the template is based on whether we are
-     * decoding a nested safeContents or not.
-     */
-    if(nestedSafe == PR_TRUE) {
-	theTemplate = sec_PKCS12NestedSafeContentsDecodeTemplate;
-    } else {
-	theTemplate = sec_PKCS12SafeContentsDecodeTemplate;
-    }
-
-    /* start the decoder context */
-    safeContentsCtx->safeContentsDcx = SEC_ASN1DecoderStart(p12dcx->arena, 
-					&safeContentsCtx->safeContents,
-					theTemplate);
-	
-    if(!safeContentsCtx->safeContentsDcx) {
-	p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
-	goto loser;
-    }
-
-    /* set the safeContents notify procedure to look for
-     * and start the decode of safeBags.
-     */
-    SEC_ASN1DecoderSetNotifyProc(safeContentsCtx->safeContentsDcx, 
-				sec_pkcs12_decoder_safe_contents_notify,
-				safeContentsCtx);
-
-    return safeContentsCtx;
-
-loser:
-    /* in the case of an error, we want to finish the decoder
-     * context and set the error flag.
-     */
-    if(safeContentsCtx && safeContentsCtx->safeContentsDcx) {
-	SEC_ASN1DecoderFinish(safeContentsCtx->safeContentsDcx);
-	safeContentsCtx->safeContentsDcx = NULL;
-    }
-
-    p12dcx->error = PR_TRUE;
-
-    return NULL;
-}
-
-/* wrapper for updating safeContents.  this is set as the filter of
- * safeBag when there is a nested safeContents.
- */
-static void
-sec_pkcs12_decoder_nested_safe_contents_update(void *arg, const char *buf,
-					  unsigned long len, int depth,
-					  SEC_ASN1EncodingPart data_kind)
-{
-    sec_PKCS12SafeContentsContext *safeContentsCtx = 
-        (sec_PKCS12SafeContentsContext *)arg;
-    SEC_PKCS12DecoderContext *p12dcx;
-    SECStatus rv;
-
-    /* check for an error */
-    if(!safeContentsCtx || !safeContentsCtx->p12dcx 
-			|| safeContentsCtx->p12dcx->error) {
-	return;
-    }
-
-    /* no need to update if no data sent in */
-    if(!len || !buf) {
-	return;
-    }
-
-    /* update the decoding context */
-    p12dcx = safeContentsCtx->p12dcx;
-    rv = SEC_ASN1DecoderUpdate(safeContentsCtx->safeContentsDcx, buf, len);
-    if(rv != SECSuccess) {
-	p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
-	goto loser;
-    }
-
-    return;
-
-loser:
-    /* handle any errors.  If a decoding context is open, close it. */
-    p12dcx->error = PR_TRUE;
-    if(safeContentsCtx->safeContentsDcx) {
-	SEC_ASN1DecoderFinish(safeContentsCtx->safeContentsDcx);
-	safeContentsCtx->safeContentsDcx = NULL;
-    }
-}
-
-/* whenever a new safeContentsSafeBag is encountered, we need
- * to init a safeContentsContext.  
- */
-static SECStatus  
-sec_pkcs12_decoder_begin_nested_safe_contents(sec_PKCS12SafeContentsContext 
-							*safeContentsCtx)
-{
-    /* check for an error */
-    if(!safeContentsCtx || !safeContentsCtx->p12dcx || 
-		safeContentsCtx->p12dcx->error) {
-	return SECFailure;
-    }
-
-    safeContentsCtx->nestedCtx = sec_pkcs12_decoder_safe_contents_init_decode(
-						safeContentsCtx->p12dcx,
-						PR_TRUE);
-    if(!safeContentsCtx->nestedCtx) {
-	return SECFailure;
-    }
-
-    /* set up new filter proc */
-    SEC_ASN1DecoderSetNotifyProc(safeContentsCtx->nestedCtx->safeContentsDcx,
-				 sec_pkcs12_decoder_safe_contents_notify,
-				 safeContentsCtx->nestedCtx);
-    SEC_ASN1DecoderSetFilterProc(safeContentsCtx->currentSafeBagDcx,
-				 sec_pkcs12_decoder_nested_safe_contents_update,
-				 safeContentsCtx->nestedCtx, PR_TRUE);
-
-    return SECSuccess;
-}
-
-/* when the safeContents is done decoding, we need to reset the
- * proper filter and notify procs and close the decoding context 
- */
-static SECStatus
-sec_pkcs12_decoder_finish_nested_safe_contents(sec_PKCS12SafeContentsContext
-							*safeContentsCtx)
-{
-    /* check for error */
-    if(!safeContentsCtx || !safeContentsCtx->p12dcx || 
-		safeContentsCtx->p12dcx->error) {
-	return SECFailure;
-    }
-
-    /* clean up */	
-    SEC_ASN1DecoderClearFilterProc(safeContentsCtx->currentSafeBagDcx);
-    SEC_ASN1DecoderClearNotifyProc(safeContentsCtx->nestedCtx->safeContentsDcx);
-    SEC_ASN1DecoderFinish(safeContentsCtx->nestedCtx->safeContentsDcx);
-    safeContentsCtx->nestedCtx->safeContentsDcx = NULL;
-    safeContentsCtx->nestedCtx = NULL;
-
-    return SECSuccess;
-}
-
-/* wrapper for updating safeContents.  This is used when decoding
- * the nested safeContents and any authenticatedSafes.
- */
-static void
-sec_pkcs12_decoder_safe_contents_callback(void *arg, const char *buf,
-					  unsigned long len)
-{
-    SECStatus rv;
-    sec_PKCS12SafeContentsContext *safeContentsCtx = 
-        (sec_PKCS12SafeContentsContext *)arg;
-    SEC_PKCS12DecoderContext *p12dcx;
-
-    /* check for error */  
-    if(!safeContentsCtx || !safeContentsCtx->p12dcx 
-		|| safeContentsCtx->p12dcx->error) {
-	return;
-    }
-    p12dcx = safeContentsCtx->p12dcx;
-
-    /* update the decoder */
-    rv = SEC_ASN1DecoderUpdate(safeContentsCtx->safeContentsDcx, buf, len);
-    if(rv != SECSuccess) {
-	/* if we fail while trying to decode a 'safe', it's probably because
-	 * we didn't have the correct password. */
-	PORT_SetError(SEC_ERROR_BAD_PASSWORD);
-	p12dcx->errorValue = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE;
-	SEC_PKCS7DecoderAbort(p12dcx->currentASafeP7Dcx,SEC_ERROR_BAD_PASSWORD);
-	goto loser;
-    }
-
-    return;
-
-loser:
-    /* set the error and finish the context */
-    p12dcx->error = PR_TRUE;
-    if(safeContentsCtx->safeContentsDcx) {
-	SEC_ASN1DecoderFinish(safeContentsCtx->safeContentsDcx);
-	safeContentsCtx->safeContentsDcx = NULL;
-    }
-
-    return;
-}
-
-/* this is a wrapper for the ASN1 decoder to call SEC_PKCS7DecoderUpdate
- */
-static void
-sec_pkcs12_decoder_wrap_p7_update(void *arg, const char *data,
-				  unsigned long len, int depth,
-				  SEC_ASN1EncodingPart data_kind)
-{
-    SEC_PKCS7DecoderContext *p7dcx = (SEC_PKCS7DecoderContext *)arg;
-
-    SEC_PKCS7DecoderUpdate(p7dcx, data, len);
-}
-
-/* notify function for decoding aSafes.  at the beginning,
- * of an authenticatedSafe, we start a decode of a safeContents.
- * at the end, we clean up the safeContents decoder context and
- * reset state variables 
- */
-static void
-sec_pkcs12_decoder_asafes_notify(void *arg, PRBool before, void *dest, 
-			       int real_depth)
-{
-    SEC_PKCS12DecoderContext *p12dcx;
-    sec_PKCS12SafeContentsContext *safeContentsCtx;
-
-    /* make sure no error occurred. */
-    p12dcx = (SEC_PKCS12DecoderContext *)arg;
-    if(!p12dcx || p12dcx->error) {
-	return;
-    }
-
-    if(before) {
-
-	/* init a new safeContentsContext */
-	safeContentsCtx = sec_pkcs12_decoder_safe_contents_init_decode(p12dcx, 
-								PR_FALSE);
-	if(!safeContentsCtx) {
-	    goto loser;
-	}
-
-	/* initiate the PKCS7ContentInfo decode */
-	p12dcx->currentASafeP7Dcx = SEC_PKCS7DecoderStart(
-				sec_pkcs12_decoder_safe_contents_callback,
-				safeContentsCtx, 
-				p12dcx->pwfn, p12dcx->pwfnarg,
-				sec_pkcs12_decoder_get_decrypt_key, p12dcx,
-				sec_pkcs12_decoder_decryption_allowed);
-	if(!p12dcx->currentASafeP7Dcx) {
-	    p12dcx->errorValue = PORT_GetError();
-	    goto loser;
-	}
-	SEC_ASN1DecoderSetFilterProc(p12dcx->aSafeDcx, 
-				     sec_pkcs12_decoder_wrap_p7_update,
-				     p12dcx->currentASafeP7Dcx, PR_TRUE);
-    }
-
-    if(!before) {
-	/* if one is being decoded, finish the decode */
-	if(p12dcx->currentASafeP7Dcx != NULL) {
-	    if(!SEC_PKCS7DecoderFinish(p12dcx->currentASafeP7Dcx)) {
-		p12dcx->currentASafeP7Dcx = NULL;
-		p12dcx->errorValue = PORT_GetError();
-		goto loser;
-	    }
-	    p12dcx->currentASafeP7Dcx = NULL;
-	}
-	p12dcx->currentASafeP7Dcx = NULL;
-    }
-
-
-    return;
-
-loser:
-    /* set the error flag */
-    p12dcx->error = PR_TRUE;
-    return;
-}
-
-/* wrapper for updating asafes decoding context.  this function
- * writes data being decoded to disk, so that a mac can be computed
- * later.  
- */
-static void
-sec_pkcs12_decoder_asafes_callback(void *arg, const char *buf, 
-				  unsigned long len)
-{
-    SEC_PKCS12DecoderContext *p12dcx = (SEC_PKCS12DecoderContext *)arg;
-    SECStatus rv;
-
-    if(!p12dcx || p12dcx->error) {
-	return;
-    }
-
-    /* update the context */
-    rv = SEC_ASN1DecoderUpdate(p12dcx->aSafeDcx, buf, len);
-    if(rv != SECSuccess) {
-	p12dcx->error = (PRBool)SEC_ERROR_NO_MEMORY;
-	goto loser;
-    }
-
-    /* if we are writing to a file, write out the new information */
-    if(p12dcx->dWrite) {
-	unsigned long writeLen = (*p12dcx->dWrite)(p12dcx->dArg, 	
-						   (unsigned char *)buf, len);
-	if(writeLen != len) {
-	    p12dcx->errorValue = PORT_GetError();
-	    goto loser;
-	}
-    }
-
-    return;
-
-loser:
-    /* set the error flag */
-    p12dcx->error = PR_TRUE;
-    SEC_ASN1DecoderFinish(p12dcx->aSafeDcx);
-    p12dcx->aSafeDcx = NULL;
-
-    return;
-}
-   
-/* start the decode of an authenticatedSafe contentInfo.
- */ 
-static SECStatus
-sec_pkcs12_decode_start_asafes_cinfo(SEC_PKCS12DecoderContext *p12dcx)
-{
-    if(!p12dcx || p12dcx->error) {
-	return SECFailure;
-    }
-
-    /* start the decode context */
-    p12dcx->aSafeDcx = SEC_ASN1DecoderStart(p12dcx->arena, 
-    					&p12dcx->authSafe,
-    					sec_PKCS12AuthenticatedSafeTemplate);
-    if(!p12dcx->aSafeDcx) {
-	p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
-   	goto loser;
-    }
-
-    /* set the notify function */
-    SEC_ASN1DecoderSetNotifyProc(p12dcx->aSafeDcx,
-    				 sec_pkcs12_decoder_asafes_notify, p12dcx);
-
-    /* begin the authSafe decoder context */
-    p12dcx->aSafeP7Dcx = SEC_PKCS7DecoderStart(
-    				sec_pkcs12_decoder_asafes_callback, p12dcx,
-    				p12dcx->pwfn, p12dcx->pwfnarg, NULL, NULL, NULL);
-    if(!p12dcx->aSafeP7Dcx) {
-	p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
-	goto loser;
-    }
-  
-    /* open the temp file for writing, if the filter functions were set */ 
-    if(p12dcx->dOpen && (*p12dcx->dOpen)(p12dcx->dArg, PR_FALSE) 
-				!= SECSuccess) {
-	p12dcx->errorValue = PORT_GetError();
-	goto loser;
-    }
-
-    return SECSuccess;
-
-loser:
-    p12dcx->error = PR_TRUE;
-
-    if(p12dcx->aSafeDcx) {
-	SEC_ASN1DecoderFinish(p12dcx->aSafeDcx);
-	p12dcx->aSafeDcx = NULL;
-    } 
-
-    if(p12dcx->aSafeP7Dcx) {
-	SEC_PKCS7DecoderFinish(p12dcx->aSafeP7Dcx);
-	p12dcx->aSafeP7Dcx = NULL;
-    }
-
-    return SECFailure;
-}
-
-/* wrapper for updating the safeContents.  this function is used as
- * a filter for the pfx when decoding the authenticated safes 
- */
-static void 
-sec_pkcs12_decode_asafes_cinfo_update(void *arg, const char *buf,
-				      unsigned long len, int depth,
-				      SEC_ASN1EncodingPart data_kind)
-{
-    SEC_PKCS12DecoderContext *p12dcx;
-    SECStatus rv;
-
-    p12dcx = (SEC_PKCS12DecoderContext*)arg;
-    if(!p12dcx || p12dcx->error) {
-	return;
-    }
-
-    /* update the safeContents decoder */
-    rv = SEC_PKCS7DecoderUpdate(p12dcx->aSafeP7Dcx, buf, len);
-    if(rv != SECSuccess) {
-	p12dcx->errorValue = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE;
-	goto loser;
-    }
-
-    return;
-
-loser:
-
-    /* did we find an error?  if so, close the context and set the 
-     * error flag.
-     */
-    SEC_PKCS7DecoderFinish(p12dcx->aSafeP7Dcx);
-    p12dcx->aSafeP7Dcx = NULL;
-    p12dcx->error = PR_TRUE;
-}
-
-/* notify procedure used while decoding the pfx.  When we encounter
- * the authSafes, we want to trigger the decoding of authSafes as well
- * as when we encounter the macData, trigger the decoding of it.  we do
- * this because we we are streaming the decoder and not decoding in place.
- * the pfx which is the destination, only has the version decoded into it.
- */
-static void 
-sec_pkcs12_decoder_pfx_notify_proc(void *arg, PRBool before, void *dest,
-				   int real_depth)
-{
-    SECStatus rv;
-    SEC_PKCS12DecoderContext *p12dcx = (SEC_PKCS12DecoderContext*)arg;
-
-    /* if an error occurrs, clear the notifyProc and the filterProc 
-     * and continue. 
-     */
-    if(p12dcx->error) {
-	SEC_ASN1DecoderClearNotifyProc(p12dcx->pfxDcx);
-	SEC_ASN1DecoderClearFilterProc(p12dcx->pfxDcx);
-	return;
-    }
-
-    if(before && (dest == &p12dcx->pfx.encodedAuthSafe)) {
-
-	/* we want to make sure this is a version we support */
-	if(!sec_pkcs12_proper_version(&p12dcx->pfx)) {
-	    p12dcx->errorValue = SEC_ERROR_PKCS12_UNSUPPORTED_VERSION;
-	    goto loser;
-	}
-
-	/* start the decode of the aSafes cinfo... */
-	rv = sec_pkcs12_decode_start_asafes_cinfo(p12dcx);
-	if(rv != SECSuccess) {
-	    goto loser;
-	}
-
-	/* set the filter proc to update the authenticated safes. */
-	SEC_ASN1DecoderSetFilterProc(p12dcx->pfxDcx,
-				     sec_pkcs12_decode_asafes_cinfo_update,
-				     p12dcx, PR_TRUE);
-    }
-
-    if(!before && (dest == &p12dcx->pfx.encodedAuthSafe)) {
-
-	/* we are done decoding the authenticatedSafes, so we need to 
-	 * finish the decoderContext and clear the filter proc
-	 * and close the hmac callback, if present
-	 */
-	p12dcx->aSafeCinfo = SEC_PKCS7DecoderFinish(p12dcx->aSafeP7Dcx);
-	p12dcx->aSafeP7Dcx = NULL;
-	if(!p12dcx->aSafeCinfo) {
-	    p12dcx->errorValue = PORT_GetError();
-	    goto loser;
-	}
-	SEC_ASN1DecoderClearFilterProc(p12dcx->pfxDcx);
-	if(p12dcx->dClose && ((*p12dcx->dClose)(p12dcx->dArg, PR_FALSE) 
-				!= SECSuccess)) {
-	    p12dcx->errorValue = PORT_GetError();
-	    goto loser;
-	}
-
-    }
-
-    return;
-
-loser:
-    p12dcx->error = PR_TRUE;
-}
-
-/*  default implementations of the open/close/read/write functions for
-    SEC_PKCS12DecoderStart 
-*/
-
-#define DEFAULT_TEMP_SIZE 4096
-
-static SECStatus
-p12u_DigestOpen(void *arg, PRBool readData)
-{
-    SEC_PKCS12DecoderContext* p12cxt = arg;
-
-    p12cxt->currentpos = 0;
-
-    if (PR_FALSE == readData) {
-        /* allocate an initial buffer */
-        p12cxt->filesize = 0;
-        p12cxt->allocated = DEFAULT_TEMP_SIZE;
-        p12cxt->buffer = PORT_Alloc(DEFAULT_TEMP_SIZE);
-        PR_ASSERT(p12cxt->buffer);
-    }
-    else
-    {
-        PR_ASSERT(p12cxt->buffer);
-        if (!p12cxt->buffer) {
-            return SECFailure; /* no data to read */
-        }
-    }
-
-    return SECSuccess;
-}
-
-static SECStatus
-p12u_DigestClose(void *arg, PRBool removeFile)
-{
-    SEC_PKCS12DecoderContext* p12cxt = arg;
-
-    PR_ASSERT(p12cxt);
-    if (!p12cxt) {
-        return SECFailure;
-    }
-    p12cxt->currentpos = 0;
-
-    if (PR_TRUE == removeFile) {
-        PR_ASSERT(p12cxt->buffer);
-        if (!p12cxt->buffer) {
-            return SECFailure;
-        }
-        if (p12cxt->buffer) {
-            PORT_Free(p12cxt->buffer);
-            p12cxt->buffer = NULL;
-            p12cxt->allocated = 0;
-            p12cxt->filesize = 0;
-        }
-    }
-
-    return SECSuccess;
-}
-
-static int
-p12u_DigestRead(void *arg, unsigned char *buf, unsigned long len)
-{
-    int toread = len;
-    SEC_PKCS12DecoderContext* p12cxt = arg;
-
-    if(!buf || len == 0 || !p12cxt->buffer) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return -1;
-    }
-
-    if ((p12cxt->filesize - p12cxt->currentpos) < (long)len) {
-        /* trying to read past the end of the buffer */
-        toread = p12cxt->filesize - p12cxt->currentpos;
-    }
-    memcpy(buf, (char*)p12cxt->buffer + p12cxt->currentpos, toread);
-    p12cxt->currentpos += toread;
-    return toread;
-}
-
-static int
-p12u_DigestWrite(void *arg, unsigned char *buf, unsigned long len)
-{
-    SEC_PKCS12DecoderContext* p12cxt = arg;
-
-    if(!buf || len == 0) {
-        return -1;
-    }
-
-    if (p12cxt->currentpos+(long)len > p12cxt->filesize) {
-        p12cxt->filesize = p12cxt->currentpos + len;
-    }
-    else {
-        p12cxt->filesize += len;
-    }
-    if (p12cxt->filesize > p12cxt->allocated) {
-        void* newbuffer;
-        size_t newsize = p12cxt->filesize + DEFAULT_TEMP_SIZE;
-        newbuffer  = PORT_Realloc(p12cxt->buffer, newsize);
-        if (NULL == newbuffer) {
-            return -1; /* can't extend the buffer */
-        }
-        p12cxt->buffer = newbuffer;
-        p12cxt->allocated = newsize;
-    }
-    PR_ASSERT(p12cxt->buffer);
-    memcpy((char*)p12cxt->buffer + p12cxt->currentpos, buf, len);
-    p12cxt->currentpos += len;
-    return len;
-}
-
-/* SEC_PKCS12DecoderStart
- *	Creates a decoder context for decoding a PKCS 12 PDU objct.
- *	This function sets up the initial decoding context for the
- *	PFX and sets the needed state variables.
- *
- *	pwitem - the password for the hMac and any encoded safes.
- *		 this should be changed to take a callback which retrieves
- *		 the password.  it may be possible for different safes to
- *		 have different passwords.  also, the password is already
- *		 in unicode.  it should probably be converted down below via
- *		 a unicode conversion callback.
- *	slot - the slot to import the dataa into should multiple slots 
- *		 be supported based on key type and cert type?
- *	dOpen, dClose, dRead, dWrite - digest routines for writing data
- *		 to a file so it could be read back and the hmack recomputed
- *		 and verified.  doesn't seem to be away for both encoding
- *		 and decoding to be single pass, thus the need for these
- *		 routines.
- *	dArg - the argument for dOpen, etc.
- *
- *      if NULL == dOpen == dClose == dRead == dWrite == dArg, then default
- *      implementations using a memory buffer are used
- *
- *	This function returns the decoder context, if it was successful.
- *	Otherwise, null is returned.
- */
-SEC_PKCS12DecoderContext *
-SEC_PKCS12DecoderStart(SECItem *pwitem, PK11SlotInfo *slot, void *wincx,
-		       digestOpenFn dOpen, digestCloseFn dClose, 
-		       digestIOFn dRead, digestIOFn dWrite, void *dArg)
-{
-    SEC_PKCS12DecoderContext *p12dcx;
-    PRArenaPool *arena;
-
-    arena = PORT_NewArena(2048); /* different size? */
-    if(!arena) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    /* allocate the decoder context and set the state variables */
-    p12dcx = (SEC_PKCS12DecoderContext*)PORT_ArenaZAlloc(arena, sizeof(SEC_PKCS12DecoderContext));
-    if(!p12dcx) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    if (!dOpen && !dClose && !dRead && !dWrite && !dArg) {
-        /* use default implementations */
-        dOpen = p12u_DigestOpen;
-        dClose = p12u_DigestClose;
-        dRead = p12u_DigestRead;
-        dWrite = p12u_DigestWrite;
-        dArg = (void*)p12dcx;
-    }
-
-    p12dcx->arena = arena;
-    p12dcx->pwitem = pwitem;
-    p12dcx->slot = (slot ? PK11_ReferenceSlot(slot) 
-						: PK11_GetInternalKeySlot());
-    p12dcx->wincx = wincx;
-    p12dcx->tokenCAs = SECPKCS12TargetTokenNoCAs;
-#ifdef IS_LITTLE_ENDIAN
-    p12dcx->swapUnicodeBytes = PR_TRUE;
-#else
-    p12dcx->swapUnicodeBytes = PR_FALSE;
-#endif
-    p12dcx->errorValue = 0;
-    p12dcx->error = PR_FALSE;
-
-    /* start the decoding of the PFX and set the notify proc
-     * for the PFX item.
-     */
-    p12dcx->pfxDcx = SEC_ASN1DecoderStart(p12dcx->arena, &p12dcx->pfx,
-    					  sec_PKCS12PFXItemTemplate);
-    if(!p12dcx->pfxDcx) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY); 
-	PK11_FreeSlot(p12dcx->slot);
-	goto loser;
-    }
-
-    SEC_ASN1DecoderSetNotifyProc(p12dcx->pfxDcx, 
-				 sec_pkcs12_decoder_pfx_notify_proc,
-    				 p12dcx); 
-    
-    /* set up digest functions */
-    p12dcx->dOpen = dOpen;
-    p12dcx->dWrite = dWrite;
-    p12dcx->dClose = dClose;
-    p12dcx->dRead = dRead;
-    p12dcx->dArg = dArg;
-    
-    p12dcx->keyList = NULL;
-    p12dcx->decitem.type = 0;
-    p12dcx->decitem.der = NULL;
-    p12dcx->decitem.hasKey = PR_FALSE;
-    p12dcx->decitem.friendlyName = NULL;
-    p12dcx->iteration = 0;
-
-    return p12dcx;
-
-loser:
-    PORT_FreeArena(arena, PR_TRUE);
-    return NULL;
-}
-
-SECStatus
-SEC_PKCS12DecoderSetTargetTokenCAs(SEC_PKCS12DecoderContext *p12dcx,
-		SECPKCS12TargetTokenCAs tokenCAs)
-{
-    if (!p12dcx || p12dcx->error) {
-	return SECFailure;
-    }
-    p12dcx->tokenCAs = tokenCAs;
-    return SECSuccess;
-}
-
-
-/* SEC_PKCS12DecoderUpdate 
- *	Streaming update sending more data to the decoder.  If 
- *	an error occurs, SECFailure is returned.
- *
- *	p12dcx - the decoder context 
- *	data, len - the data buffer and length of data to send to 
- *		the update functions.
- */
-SECStatus
-SEC_PKCS12DecoderUpdate(SEC_PKCS12DecoderContext *p12dcx,
-			unsigned char *data, unsigned long len)
-{
-    SECStatus rv;
-
-    if(!p12dcx || p12dcx->error) {
-	return SECFailure;
-    }
-
-    /* update the PFX decoder context */
-    rv = SEC_ASN1DecoderUpdate(p12dcx->pfxDcx, (const char *)data, len);
-    if(rv != SECSuccess) {
-	p12dcx->errorValue = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE;
-	goto loser;
-    }
-
-    return SECSuccess;
-
-loser:
-
-    p12dcx->error = PR_TRUE;
-    return SECFailure;
-}
-
-/* This should be a nice sized buffer for reading in data (potentially large 
-** amounts) to be MACed.  It should be MUCH larger than HASH_LENGTH_MAX.
-*/
-#define IN_BUF_LEN	1024
-#ifdef DEBUG
-static const char bufferEnd[] = { "BufferEnd" } ;
-#endif
-#define FUDGE 128 /* must be as large as bufferEnd or more. */
-
-/* verify the hmac by reading the data from the temporary file
- * using the routines specified when the decodingContext was 
- * created and return SECSuccess if the hmac matches.
- */
-static SECStatus
-sec_pkcs12_decoder_verify_mac(SEC_PKCS12DecoderContext *p12dcx)
-{
-    PK11Context *     pk11cx = NULL;
-    PK11SymKey *      symKey = NULL;
-    SECItem *         params = NULL;
-    unsigned char *   buf;
-    SECStatus         rv     = SECFailure;
-    SECStatus         lrv;
-    unsigned int      bufLen;
-    int               iteration;
-    int               bytesRead;
-    SECOidTag         algtag;
-    SECItem           hmacRes;
-    SECItem           ignore = {0};
-    CK_MECHANISM_TYPE integrityMech;
-    
-    if(!p12dcx || p12dcx->error) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    buf = (unsigned char *)PORT_Alloc(IN_BUF_LEN + FUDGE);
-    if (!buf)
-    	return SECFailure;  /* error code has been set. */
-
-#ifdef DEBUG
-    memcpy(buf + IN_BUF_LEN, bufferEnd, sizeof bufferEnd);
-#endif
-
-    /* generate hmac key */
-    if(p12dcx->macData.iter.data) {
-	iteration = (int)DER_GetInteger(&p12dcx->macData.iter);
-    } else {
-	iteration = 1;
-    }
-
-    params = PK11_CreatePBEParams(&p12dcx->macData.macSalt, p12dcx->pwitem,
-                                  iteration);
-
-    algtag = SECOID_GetAlgorithmTag(&p12dcx->macData.safeMac.digestAlgorithm);
-    switch (algtag) {
-    case SEC_OID_SHA1:
-	integrityMech = CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN; break;
-    case SEC_OID_MD5:
-	integrityMech = CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN;  break;
-    case SEC_OID_MD2:
-	integrityMech = CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN;  break;
-    default:
-	goto loser;
-    }
-
-    symKey = PK11_KeyGen(NULL, integrityMech, params, 20, NULL);
-    PK11_DestroyPBEParams(params);
-    params = NULL;
-    if (!symKey) goto loser;
-    /* init hmac */
-    pk11cx = PK11_CreateContextBySymKey(sec_pkcs12_algtag_to_mech(algtag),
-                                        CKA_SIGN, symKey, &ignore);
-    if(!pk11cx) {
-	goto loser;
-    }
-    lrv = PK11_DigestBegin(pk11cx);
-    if (lrv == SECFailure ) {
-	goto loser;
-    }
-
-    /* try to open the data for readback */
-    if(p12dcx->dOpen && ((*p12dcx->dOpen)(p12dcx->dArg, PR_TRUE) 
-			!= SECSuccess)) {
-	goto loser;
-    }
-
-    /* read the data back IN_BUF_LEN bytes at a time and recompute
-     * the hmac.  if fewer bytes are read than are requested, it is
-     * assumed that the end of file has been reached. if bytesRead
-     * is returned as -1, then an error occured reading from the 
-     * file.
-     */
-    do {
-	bytesRead = (*p12dcx->dRead)(p12dcx->dArg, buf, IN_BUF_LEN);
-	if (bytesRead < 0) {
-	    PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_READ);
-	    goto loser;
-	}
-	PORT_Assert(bytesRead <= IN_BUF_LEN);
-	PORT_Assert(!memcmp(buf + IN_BUF_LEN, bufferEnd, sizeof bufferEnd));
-
-	if (bytesRead > IN_BUF_LEN) {
-	    /* dRead callback overflowed buffer. */
-	    PORT_SetError(SEC_ERROR_INPUT_LEN);
-	    goto loser;
-	}
-
-	if (bytesRead) {
-	    lrv = PK11_DigestOp(pk11cx, buf, bytesRead);
-	    if (lrv == SECFailure) {
-		goto loser;
-	    }
-    	}
-    } while (bytesRead == IN_BUF_LEN);
-
-    /* finish the hmac context */
-    lrv = PK11_DigestFinal(pk11cx, buf, &bufLen, IN_BUF_LEN);
-    if (lrv == SECFailure ) {
-	goto loser;
-    }
-
-    hmacRes.data = buf;
-    hmacRes.len = bufLen;
-
-    /* is the hmac computed the same as the hmac which was decoded? */
-    rv = SECSuccess;
-    if(SECITEM_CompareItem(&hmacRes, &p12dcx->macData.safeMac.digest) 
-			!= SECEqual) {
-	PORT_SetError(SEC_ERROR_PKCS12_INVALID_MAC);
-	rv = SECFailure;
-    }
-
-loser:
-    /* close the file and remove it */
-    if(p12dcx->dClose) {
-	(*p12dcx->dClose)(p12dcx->dArg, PR_TRUE);
-    }
-
-    if(pk11cx) {
-	PK11_DestroyContext(pk11cx, PR_TRUE);
-    }
-    if (params) {
-	PK11_DestroyPBEParams(params);
-    }
-    if (symKey) {
-	PK11_FreeSymKey(symKey);
-    }
-    PORT_ZFree(buf, IN_BUF_LEN + FUDGE);
-
-    return rv;
-}
-
-/* SEC_PKCS12DecoderVerify
- * 	Verify the macData or the signature of the decoded PKCS 12 PDU.
- *	If the signature or the macData do not match, SECFailure is
- *	returned.
- *
- * 	p12dcx - the decoder context 
- */
-SECStatus
-SEC_PKCS12DecoderVerify(SEC_PKCS12DecoderContext *p12dcx)
-{
-    SECStatus rv = SECSuccess;
-
-    /* make sure that no errors have occured... */
-    if(!p12dcx || p12dcx->error) {
-	return SECFailure;
-    }
-
-    rv = SEC_ASN1DecoderFinish(p12dcx->pfxDcx);
-    p12dcx->pfxDcx = NULL;
-    if(rv != SECSuccess) {
-	return rv;
-    }
-
-    /* check the signature or the mac depending on the type of
-     * integrity used.
-     */
-    if(p12dcx->pfx.encodedMacData.len) {
-	rv = SEC_ASN1DecodeItem(p12dcx->arena, &p12dcx->macData,
-				sec_PKCS12MacDataTemplate,
-				&p12dcx->pfx.encodedMacData);
-	if(rv == SECSuccess) {
-	    return sec_pkcs12_decoder_verify_mac(p12dcx);
-	} else {
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	}
-    } else {
-	if(SEC_PKCS7VerifySignature(p12dcx->aSafeCinfo, certUsageEmailSigner,
-				    PR_FALSE)) {
-	    return SECSuccess;
-	} else {
-	    PORT_SetError(SEC_ERROR_PKCS12_INVALID_MAC);
-	}
-    }
-
-    return SECFailure;
-}
-
-/* SEC_PKCS12DecoderFinish
- *	Free any open ASN1 or PKCS7 decoder contexts and then
- *	free the arena pool which everything should be allocated
- *	from.  This function should be called upon completion of
- *	decoding and installing of a pfx pdu.  This should be
- *	called even if an error occurs.
- *
- *	p12dcx - the decoder context
- */
-void
-SEC_PKCS12DecoderFinish(SEC_PKCS12DecoderContext *p12dcx)
-{
-    if(!p12dcx) {
-	return;
-    }
-
-    if(p12dcx->pfxDcx) {
-	SEC_ASN1DecoderFinish(p12dcx->pfxDcx);
-	p12dcx->pfxDcx = NULL;
-    }
-
-    if(p12dcx->aSafeDcx) {
-	SEC_ASN1DecoderFinish(p12dcx->aSafeDcx);
-	p12dcx->aSafeDcx = NULL;
-    }
-
-    if(p12dcx->currentASafeP7Dcx) {
-	SEC_PKCS7DecoderFinish(p12dcx->currentASafeP7Dcx);
-	p12dcx->currentASafeP7Dcx = NULL;
-    }
-
-    if(p12dcx->aSafeP7Dcx) {
-	SEC_PKCS7DecoderFinish(p12dcx->aSafeP7Dcx);
-    }
-
-    if(p12dcx->hmacDcx) {
-	SEC_ASN1DecoderFinish(p12dcx->hmacDcx);
-	p12dcx->hmacDcx = NULL;
-    }
-    
-    if (p12dcx->decitem.type != 0 && p12dcx->decitem.der != NULL) {
-        SECITEM_FreeItem(p12dcx->decitem.der, PR_TRUE);
-    }
-    if (p12dcx->decitem.friendlyName != NULL) {
-        SECITEM_FreeItem(p12dcx->decitem.friendlyName, PR_TRUE);
-    }
-
-    if(p12dcx->slot) {
-	PK11_FreeSlot(p12dcx->slot);
-	p12dcx->slot = NULL;
-    }
-
-    if(p12dcx->arena) {
-	PORT_FreeArena(p12dcx->arena, PR_TRUE);
-    }
-}
-
-static SECStatus
-sec_pkcs12_decoder_set_attribute_value(sec_PKCS12SafeBag *bag,
-			       SECOidTag attributeType,
-			       SECItem *attrValue)
-{
-    int i = 0;
-    SECOidData *oid;
-
-    if(!bag || !attrValue) {
-	return SECFailure;
-    }
-
-    oid = SECOID_FindOIDByTag(attributeType);
-    if(!oid) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return SECFailure;
-    }
-
-    if(!bag->attribs) {
-	bag->attribs = (sec_PKCS12Attribute**)PORT_ArenaZAlloc(bag->arena, 
-					sizeof(sec_PKCS12Attribute *) * 2);
-    } else {
-	while(bag->attribs[i]) i++;
-	bag->attribs = (sec_PKCS12Attribute **)PORT_ArenaGrow(bag->arena, 
-				      bag->attribs, 
-				      (i + 1) * sizeof(sec_PKCS12Attribute *),
-				      (i + 2) * sizeof(sec_PKCS12Attribute *));
-    }
-
-    if(!bag->attribs) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return SECFailure;
-    }
-
-    bag->attribs[i] = (sec_PKCS12Attribute*)PORT_ArenaZAlloc(bag->arena, 
-						  sizeof(sec_PKCS12Attribute));
-    if(!bag->attribs) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return SECFailure;
-    }
-
-    bag->attribs[i]->attrValue = (SECItem**)PORT_ArenaZAlloc(bag->arena, 
-						  sizeof(SECItem *) * 2);
-    if(!bag->attribs[i]->attrValue) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return SECFailure;
-    }
-
-    bag->attribs[i+1] = NULL;
-    bag->attribs[i]->attrValue[0] = attrValue;
-    bag->attribs[i]->attrValue[1] = NULL;
-
-    if(SECITEM_CopyItem(bag->arena, &bag->attribs[i]->attrType, &oid->oid)
-			!= SECSuccess) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return SECFailure;
-    }
-
-    return SECSuccess;
-}
-
-static SECItem *
-sec_pkcs12_get_attribute_value(sec_PKCS12SafeBag *bag,
-			       SECOidTag attributeType)
-{
-    int i = 0;
-
-    if(!bag->attribs) {
-	return NULL;
-    }
-
-    while(bag->attribs[i] != NULL) {
-	if(SECOID_FindOIDTag(&bag->attribs[i]->attrType) 
-			== attributeType) {
-	    return bag->attribs[i]->attrValue[0];
-	}
-	i++;
-    }
-
-    return NULL;
-}
-
-/* For now, this function will merely remove any ":"
- * in the nickname which the PK11 functions may have
- * placed there.  This will keep dual certs from appearing
- * twice under "Your" certificates when imported onto smart
- * cards.  Once with the name "Slot:Cert" and another with
- * the nickname "Slot:Slot:Cert"
- */
-static void
-sec_pkcs12_sanitize_nickname(PK11SlotInfo *slot, SECItem *nick)
-{
-    char *nickname;
-    char *delimit;
-    int delimitlen;
- 
-    nickname = (char*)nick->data; /*Mac breaks without this type cast*/
-    if ((delimit = PORT_Strchr(nickname, ':')) != NULL) {
-        char *slotName;
-	int slotNameLen;
-
-	slotNameLen = delimit-nickname;
-	slotName = PORT_NewArray(char, (slotNameLen+1));
-	PORT_Assert(slotName);
-	if (slotName == NULL) {
-	  /* What else can we do?*/
-	  return;
-	}
-	PORT_Memcpy(slotName, nickname, slotNameLen);
-	slotName[slotNameLen] = '\0';
-	if (PORT_Strcmp(PK11_GetTokenName(slot), slotName) == 0) {
-	  delimitlen = PORT_Strlen(delimit+1);
-	  PORT_Memmove(nickname, delimit+1, delimitlen+1);
-	  nick->len = delimitlen;
-	}
-	PORT_Free(slotName);
-    }
- 
-}
-
-static SECItem *
-sec_pkcs12_get_nickname(sec_PKCS12SafeBag *bag)
-{
-    SECItem *src, *dest;
-
-    if(!bag) {
-	bag->problem = PR_TRUE;
-	bag->error = SEC_ERROR_NO_MEMORY;
-	return NULL;
-    }
-
-    src = sec_pkcs12_get_attribute_value(bag, SEC_OID_PKCS9_FRIENDLY_NAME);
-    if(!src) {
-	return NULL;
-    }
-
-    dest = (SECItem*)PORT_ZAlloc(sizeof(SECItem));
-    if(!dest) { 
-	goto loser;
-    }
-    if(!sec_pkcs12_convert_item_to_unicode(NULL, dest, src, PR_FALSE, 
-				PR_FALSE, PR_FALSE)) {
-	goto loser;
-    }
-
-    sec_pkcs12_sanitize_nickname(bag->slot, dest);
-
-    return dest;
-
-loser:
-    if(dest) {
-	SECITEM_ZfreeItem(dest, PR_TRUE);
-    }
-
-    bag->problem = PR_TRUE;
-    bag->error = PORT_GetError();
-    return NULL;
-}
-
-static SECStatus
-sec_pkcs12_set_nickname(sec_PKCS12SafeBag *bag, SECItem *name)
-{
-    int i = 0;
-    sec_PKCS12Attribute *attr = NULL;
-    SECOidData *oid = SECOID_FindOIDByTag(SEC_OID_PKCS9_FRIENDLY_NAME);
-
-    if(!bag || !bag->arena || !name) {
-	return SECFailure;
-    }
-	
-    if(!bag->attribs) {
-	if(!oid) {
-	    goto loser;
-	}
-
-	bag->attribs = (sec_PKCS12Attribute**)PORT_ArenaZAlloc(bag->arena, 
-					     sizeof(sec_PKCS12Attribute *)*2);
-	if(!bag->attribs) {
-	    goto loser;
-	}
-	bag->attribs[0] = (sec_PKCS12Attribute*)PORT_ArenaZAlloc(bag->arena, 
-						  sizeof(sec_PKCS12Attribute));
-	if(!bag->attribs[0]) {
-	    goto loser;
-	}
-	bag->attribs[1] = NULL;
-
-	attr = bag->attribs[0];
-	if(SECITEM_CopyItem(bag->arena, &attr->attrType, &oid->oid) 
-			!= SECSuccess) {
-	    goto loser;
-	}
-    } else {
-	while(bag->attribs[i]) {
-	    if(SECOID_FindOIDTag(&bag->attribs[i]->attrType)
-			== SEC_OID_PKCS9_FRIENDLY_NAME) {
-		attr = bag->attribs[i];
-		goto have_attrib;
-		
-	    }
-	    i++;
-	}
-	if(!attr) {
-	    bag->attribs = (sec_PKCS12Attribute **)PORT_ArenaGrow(bag->arena, 
-								  bag->attribs,
-					(i+1) * sizeof(sec_PKCS12Attribute *),
-					(i+2) * sizeof(sec_PKCS12Attribute *));
-	    if(!bag->attribs) {
-		goto loser;
-	    }
-	    bag->attribs[i] = 
-	        (sec_PKCS12Attribute *)PORT_ArenaZAlloc(bag->arena, 
-						  sizeof(sec_PKCS12Attribute));
-	    if(!bag->attribs[i]) {
-		goto loser;
-	    }
-	    bag->attribs[i+1] = NULL;
-	    attr = bag->attribs[i];
-	    if(SECITEM_CopyItem(bag->arena, &attr->attrType, &oid->oid) 
-				!= SECSuccess) {
-		goto loser;
-	    }
-	}
-    }
-have_attrib:
-    PORT_Assert(attr);
-    if(!attr->attrValue) {
-	attr->attrValue = (SECItem **)PORT_ArenaZAlloc(bag->arena, 
-						       sizeof(SECItem *) * 2);
-	if(!attr->attrValue) {
-	    goto loser;
-	}
-	attr->attrValue[0] = (SECItem*)PORT_ArenaZAlloc(bag->arena, 
-							sizeof(SECItem));
-	if(!attr->attrValue[0]) {
-	    goto loser;
-	}
-	attr->attrValue[1] = NULL;
-    }
-
-    name->len = PORT_Strlen((char *)name->data);
-    if(!sec_pkcs12_convert_item_to_unicode(bag->arena, attr->attrValue[0],
-				name, PR_FALSE, PR_FALSE, PR_TRUE)) {
-	goto loser;
-    }
-
-    return SECSuccess;
-
-loser:
-    bag->problem = PR_TRUE;
-    bag->error = SEC_ERROR_NO_MEMORY;
-    return SECFailure;
-}
-	
-static SECStatus
-sec_pkcs12_get_key_info(sec_PKCS12SafeBag *key) 
-{
-    int i = 0;
-    SECKEYPrivateKeyInfo *pki = NULL;
-
-    if(!key) {
-	return SECFailure;
-    }
-
-    /* if the bag does *not* contain an unencrypted PrivateKeyInfo 
-     * then we cannot convert the attributes.  We are propagating
-     * attributes within the PrivateKeyInfo to the SafeBag level.
-     */
-    if(SECOID_FindOIDTag(&(key->safeBagType)) != 
-			SEC_OID_PKCS12_V1_KEY_BAG_ID) {
-	return SECSuccess;
-    }
-
-    pki = key->safeBagContent.pkcs8KeyBag;
-
-    if(!pki || !pki->attributes) {
-	return SECSuccess;
-    }
-
-    while(pki->attributes[i]) {
-	SECItem *attrValue = NULL;
-
-	if(SECOID_FindOIDTag(&pki->attributes[i]->attrType) == 
-			SEC_OID_PKCS9_LOCAL_KEY_ID) {
-	    attrValue = sec_pkcs12_get_attribute_value(key, 
-						 SEC_OID_PKCS9_LOCAL_KEY_ID);
-	    if(!attrValue) {
-		if(sec_pkcs12_decoder_set_attribute_value(key, 
-					SEC_OID_PKCS9_LOCAL_KEY_ID,
-					pki->attributes[i]->attrValue[0])
-					!= SECSuccess) {
-		    key->problem = PR_TRUE;
-		    key->error = SEC_ERROR_NO_MEMORY;
-		    return SECFailure;
-		}
-	    }
-	}
-
-	if(SECOID_FindOIDTag(&pki->attributes[i]->attrType) == 
-			SEC_OID_PKCS9_FRIENDLY_NAME) {
-	    attrValue = sec_pkcs12_get_attribute_value(key, 
-						SEC_OID_PKCS9_FRIENDLY_NAME);
-	    if(!attrValue) {
-		if(sec_pkcs12_decoder_set_attribute_value(key, 
-					SEC_OID_PKCS9_FRIENDLY_NAME,
-					pki->attributes[i]->attrValue[0])
-					!= SECSuccess) {
-		    key->problem = PR_TRUE;
-		    key->error = SEC_ERROR_NO_MEMORY;
-		    return SECFailure;
-		}
-	    }
-	}
-
-	i++;
-    }
-
-    return SECSuccess;
-}
-
-/* retrieve the nickname for the certificate bag.  first look
- * in the cert bag, otherwise get it from the key.
- */
-static SECItem *
-sec_pkcs12_get_nickname_for_cert(sec_PKCS12SafeBag *cert,
-				 sec_PKCS12SafeBag *key, 
-				 void *wincx)
-{
-    SECItem *nickname;
-
-    if(!cert) {
-	return NULL;
-    }
-
-    nickname = sec_pkcs12_get_nickname(cert);
-    if(nickname) {
-	return nickname;
-    }
-
-    if(key) {
-	nickname = sec_pkcs12_get_nickname(key);
-	
-        if(nickname && sec_pkcs12_set_nickname(cert, nickname)
-			!= SECSuccess) {
-	    cert->error = SEC_ERROR_NO_MEMORY;
-	    cert->problem = PR_TRUE;
-	    if(nickname) { 
-		SECITEM_ZfreeItem(nickname, PR_TRUE);
-	    }
-	    return NULL;
-	}
-    }
-
-    return nickname;
-}
-
-/* set the nickname for the certificate */
-static SECStatus
-sec_pkcs12_set_nickname_for_cert(sec_PKCS12SafeBag *cert, 
-				 sec_PKCS12SafeBag *key, 
-				 SECItem *nickname, 
-				 void *wincx)
-{
-    if(!nickname || !cert) {
-	return SECFailure;
-    }
-
-    if(sec_pkcs12_set_nickname(cert, nickname) != SECSuccess) {
-	cert->error = SEC_ERROR_NO_MEMORY;
-	cert->problem = PR_TRUE;
-	return SECFailure;
-    }
-
-    if(key) {
-	if(sec_pkcs12_set_nickname(key, nickname) != SECSuccess) {
-	    cert->error = SEC_ERROR_NO_MEMORY;
-	    cert->problem = PR_TRUE;
-	    return SECFailure;
-	}
-    }
-
-    return SECSuccess;
-}
-
-/* retrieve the DER cert from the cert bag */
-static SECItem *
-sec_pkcs12_get_der_cert(sec_PKCS12SafeBag *cert) 
-{
-    if(!cert) {
-	return NULL;
-    }
-
-    if(SECOID_FindOIDTag(&cert->safeBagType) != SEC_OID_PKCS12_V1_CERT_BAG_ID) {
-	return NULL;
-    }
-
-    /* only support X509 certs not SDSI */
-    if(SECOID_FindOIDTag(&cert->safeBagContent.certBag->bagID) 
-			!= SEC_OID_PKCS9_X509_CERT) {
-	return NULL;
-    }
-			
-    return SECITEM_DupItem(&(cert->safeBagContent.certBag->value.x509Cert));
-}
-
-struct certNickInfo {
-    PRArenaPool *arena;
-    unsigned int nNicks;
-    SECItem **nickList;
-    unsigned int error;
-};
-
-/* callback for traversing certificates to gather the nicknames 
- * used in a particular traversal.  for instance, when using
- * CERT_TraversePermCertsForSubject, gather the nicknames and
- * store them in the certNickInfo for a particular DN.
- * 
- * this handles the case where multiple nicknames are allowed
- * for the same dn, which is not currently allowed, but may be
- * in the future.
- */ 
-static SECStatus
-gatherNicknames(CERTCertificate *cert, void *arg)
-{
-    struct certNickInfo *nickArg = (struct certNickInfo *)arg;
-    SECItem tempNick;
-    unsigned int i;
-
-    if(!cert || !nickArg || nickArg->error) {
-	return SECFailure;
-    }
-
-    if(!cert->nickname) {
-	return SECSuccess;
-    }
-
-    tempNick.data = (unsigned char *)cert->nickname;
-    tempNick.len = PORT_Strlen(cert->nickname) + 1;
-
-    /* do we already have the nickname in the list? */
-    if(nickArg->nNicks > 0) {
-
-	/* nicknames have been encountered, but there is no list -- bad */
-	if(!nickArg->nickList) {
-	    nickArg->error = SEC_ERROR_NO_MEMORY;
-	    return SECFailure;
-	}
-
-	for(i = 0; i < nickArg->nNicks; i++) {
-	    if(SECITEM_CompareItem(nickArg->nickList[i], &tempNick) 
-				== SECEqual) {
-		return SECSuccess;
-	    }
-	}
-    }
-
-    /* add the nickname to the list */
-    if(nickArg->nNicks == 0) {
-	nickArg->nickList = (SECItem **)PORT_ArenaZAlloc(nickArg->arena, 
-					     2 * sizeof(SECItem *));
-    } else {
-	nickArg->nickList = (SECItem **)PORT_ArenaGrow(nickArg->arena,
-				nickArg->nickList, 
-				(nickArg->nNicks + 1) * sizeof(SECItem *),
-				(nickArg->nNicks + 2) * sizeof(SECItem *));
-    }
-    if(!nickArg->nickList) {
-	nickArg->error = SEC_ERROR_NO_MEMORY;
-	return SECFailure;
-    }
-
-    nickArg->nickList[nickArg->nNicks] = 
-        (SECItem *)PORT_ArenaZAlloc(nickArg->arena, sizeof(SECItem));
-    if(!nickArg->nickList[nickArg->nNicks]) {
-	nickArg->error = SEC_ERROR_NO_MEMORY;
-	return SECFailure;
-    }
-    
-
-    if(SECITEM_CopyItem(nickArg->arena, nickArg->nickList[nickArg->nNicks],
-			&tempNick) != SECSuccess) {
-	nickArg->error = SEC_ERROR_NO_MEMORY;
-	return SECFailure;
-    }
-
-    nickArg->nNicks++;
-
-    return SECSuccess;
-}
-
-/* traverses the certs in the data base or in the token for the
- * DN to see if any certs currently have a nickname set.
- * If so, return it. 
- */
-static SECItem *
-sec_pkcs12_get_existing_nick_for_dn(sec_PKCS12SafeBag *cert, void *wincx)
-{
-    struct certNickInfo *nickArg = NULL;
-    SECItem *derCert, *returnDn = NULL;
-    PRArenaPool *arena = NULL;
-    CERTCertificate *tempCert;
-
-    if(!cert) {
-	return NULL;
-    }
-
-    derCert = sec_pkcs12_get_der_cert(cert);
-    if(!derCert) {
-	return NULL;
-    }
-
-    tempCert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL);
-    if(!tempCert) {
-	returnDn = NULL;
-	goto loser;
-    }
-
-    arena = PORT_NewArena(1024);
-    if(!arena) {
-	returnDn = NULL;
-	goto loser;
-    }
-    nickArg = (struct certNickInfo *)PORT_ArenaZAlloc(arena, 
-						 sizeof(struct certNickInfo));
-    if(!nickArg) {
-	returnDn = NULL;
-	goto loser;
-    }
-    nickArg->error = 0;
-    nickArg->nNicks = 0;
-    nickArg->nickList = NULL;
-    nickArg->arena = arena;
-
-    /* if the token is local, first traverse the cert database 
-     * then traverse the token.
-     */
-    if(PK11_TraverseCertsForSubjectInSlot(tempCert, cert->slot, gatherNicknames,
-			(void *)nickArg) != SECSuccess) {
-	returnDn = NULL;
-	goto loser;
-    }
-
-    if(nickArg->error) {
-	/* XXX do we want to set the error? */
-	returnDn = NULL;
-	goto loser;
-    }
-		
-    if(nickArg->nNicks == 0) {
-	returnDn = NULL;
-	goto loser;
-    }
-
-    /* set it to the first name, for now.  handle multiple names? */
-    returnDn = SECITEM_DupItem(nickArg->nickList[0]);
-
-loser:
-    if(arena) {
-	PORT_FreeArena(arena, PR_TRUE);
-    }
-
-    if(tempCert) {
-	CERT_DestroyCertificate(tempCert);
-    }
-
-    if(derCert) {
-	SECITEM_FreeItem(derCert, PR_TRUE);
-    }
-
-    return (returnDn);
-}
-
-/* counts certificates found for a given traversal function */
-static SECStatus
-countCertificate(CERTCertificate *cert, void *arg)
-{
-    unsigned int *nCerts = (unsigned int *)arg;
-
-    if(!cert || !arg) {
-	return SECFailure;
-    }
-
-    (*nCerts)++;
-    return SECSuccess;
-}
-
-static PRBool
-sec_pkcs12_certs_for_nickname_exist(SECItem *nickname, PK11SlotInfo *slot)
-{
-    unsigned int nCerts = 0;
-
-    if(!nickname || !slot) {
-	return PR_TRUE;
-    }
-
-    /* we want to check the local database first if we are importing to it */
-    PK11_TraverseCertsForNicknameInSlot(nickname, slot, countCertificate, 
-					(void *)&nCerts);
-    if(nCerts) return PR_TRUE;
-
-    return PR_FALSE;
-}
-
-/* validate cert nickname such that there is a one-to-one relation
- * between nicknames and dn's.  we want to enforce the case that the
- * nickname is non-NULL and that there is only one nickname per DN.
- * 
- * if there is a problem with a nickname or the nickname is not present, 
- * the user will be prompted for it.
- */
-static void
-sec_pkcs12_validate_cert_nickname(sec_PKCS12SafeBag *cert,
-				sec_PKCS12SafeBag *key,
-				SEC_PKCS12NicknameCollisionCallback nicknameCb,
-				void *wincx)
-{
-    SECItem *certNickname, *existingDNNick;
-    PRBool setNickname = PR_FALSE, cancel = PR_FALSE;
-    SECItem *newNickname = NULL;
-
-    if(!cert || !cert->hasKey) {
-	return;
-    }
-
-    if(!nicknameCb) {
-	cert->problem = PR_TRUE;
-	cert->error = SEC_ERROR_NO_MEMORY;
-	return;
-    }
-
-    if(cert->hasKey && !key) {
-	cert->problem = PR_TRUE;
-	cert->error = SEC_ERROR_NO_MEMORY;
-	return;
-    }
-
-    certNickname = sec_pkcs12_get_nickname_for_cert(cert, key, wincx);
-    existingDNNick = sec_pkcs12_get_existing_nick_for_dn(cert, wincx);
-
-    /* nickname is already used w/ this dn, so it is safe to return */
-    if(certNickname && existingDNNick &&
-		SECITEM_CompareItem(certNickname, existingDNNick) == SECEqual) {
-	goto loser;
-    }
-
-    /* nickname not set in pkcs 12 bags, but a nick is already used for
-     * this dn.  set the nicks in the p12 bags and finish.
-     */
-    if(existingDNNick) {
-	if(sec_pkcs12_set_nickname_for_cert(cert, key, existingDNNick, wincx)
-			!= SECSuccess) {
-	    cert->problem = PR_TRUE;
-	    cert->error = SEC_ERROR_NO_MEMORY;
-	}
-	goto loser;
-    }
-
-    /* at this point, we have a certificate for which the DN is not located
-     * on the token.  the nickname specified may or may not be NULL.  if it
-     * is not null, we need to make sure that there are no other certificates
-     * with this nickname in the token for it to be valid.  this imposes a 
-     * one to one relationship between DN and nickname.  
-     *
-     * if the nickname is null, we need the user to enter a nickname for
-     * the certificate.
-     *
-     * once we have a nickname, we make sure that the nickname is unique
-     * for the DN.  if it is not, the user is reprompted to enter a new 
-     * nickname.  
-     *
-     * in order to exit this loop, the nickname entered is either unique
-     * or the user hits cancel and the certificate is not imported.
-     */
-    setNickname = PR_FALSE;
-    while(1) {
-	if(certNickname && certNickname->data) {
-	    /* we will use the nickname so long as no other certs have the
-	     * same nickname.  and the nickname is not NULL.
-	     */		
-	    if(!sec_pkcs12_certs_for_nickname_exist(certNickname, cert->slot)) {
-		if(setNickname) {
-		    if(sec_pkcs12_set_nickname_for_cert(cert, key, certNickname,
-					wincx) != SECSuccess) {
-			cert->problem = PR_TRUE;
-			cert->error = SEC_ERROR_NO_MEMORY;
-		    }
-		}
-		goto loser;
-	    }
-	}
-
-	setNickname = PR_FALSE;
-	newNickname = (*nicknameCb)(certNickname, &cancel, wincx);
-	if(cancel) {
-	    cert->problem = PR_TRUE;
-	    cert->error = SEC_ERROR_USER_CANCELLED;
-	    goto loser;
-	}
-
-	if(!newNickname) {
-	    cert->problem = PR_TRUE;
-	    cert->error = SEC_ERROR_NO_MEMORY;
-	    goto loser;
-	}
-
-	/* at this point we have a new nickname, if we have an existing
-	 * certNickname, we need to free it and assign the new nickname
-	 * to it to avoid a memory leak.  happy?
-	 */
-	if(certNickname) {
-	    SECITEM_ZfreeItem(certNickname, PR_TRUE);
-	    certNickname = NULL;
-	}
-
-	certNickname = newNickname;
-	setNickname = PR_TRUE;
-	/* go back and recheck the new nickname */
-    }
-
-loser:
-    if(certNickname) {
-	SECITEM_ZfreeItem(certNickname, PR_TRUE);
-    }
-
-    if(existingDNNick) {
-	SECITEM_ZfreeItem(existingDNNick, PR_TRUE);
-    }
-}
-
-static void 
-sec_pkcs12_validate_cert(sec_PKCS12SafeBag *cert,
-			 sec_PKCS12SafeBag *key,
-			 SEC_PKCS12NicknameCollisionCallback nicknameCb,
-			 void *wincx)
-{
-    CERTCertificate *leafCert;
-
-    if(!cert) {
-	return;
-    }
-    
-    cert->validated = PR_TRUE;
-
-    if(!nicknameCb) {
-	cert->problem = PR_TRUE;
-	cert->error = SEC_ERROR_NO_MEMORY;
-	cert->noInstall = PR_TRUE;
-	return;
-    }
-
-    if(!cert->safeBagContent.certBag) {
-	cert->noInstall = PR_TRUE;
-	cert->problem = PR_TRUE;
-	cert->error = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE;
-	return;
-    }
-
-    cert->noInstall = PR_FALSE;
-    cert->unused = PR_FALSE;
-    cert->problem = PR_FALSE;
-    cert->error = 0;
-
-    leafCert = CERT_DecodeDERCertificate(
-	 &cert->safeBagContent.certBag->value.x509Cert, PR_FALSE, NULL);
-    if(!leafCert) {
-	cert->noInstall = PR_TRUE;
-	cert->problem = PR_TRUE;
-	cert->error = SEC_ERROR_NO_MEMORY;
-	return;
-    }
-
-    CERT_DestroyCertificate(leafCert);
-
-    sec_pkcs12_validate_cert_nickname(cert, key, nicknameCb, wincx);
-}
-
-static void
-sec_pkcs12_validate_key_by_cert(sec_PKCS12SafeBag *cert, sec_PKCS12SafeBag *key,
-				void *wincx)
-{
-    CERTCertificate *leafCert;
-    SECKEYPrivateKey *privk;
-
-    if(!key) {
-	return;
-    }
-
-    key->validated = PR_TRUE;
-
-    if(!cert) {
-	key->problem = PR_TRUE;
-	key->noInstall = PR_TRUE;
-	key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY;
-	return;
-    }
-
-    leafCert = CERT_DecodeDERCertificate(
-	&(cert->safeBagContent.certBag->value.x509Cert), PR_FALSE, NULL);
-    if(!leafCert) {
-	key->problem = PR_TRUE;
-	key->noInstall = PR_TRUE;
-	key->error = SEC_ERROR_NO_MEMORY;
-	return;
-    }
-
-    privk = PK11_FindPrivateKeyFromCert(key->slot, leafCert, wincx);
-    if(!privk) {
-	privk = PK11_FindKeyByDERCert(key->slot, leafCert, wincx);
-    }
- 
-    if(privk) {
-	SECKEY_DestroyPrivateKey(privk);
-	key->noInstall = PR_TRUE;
-    } 
-
-    CERT_DestroyCertificate(leafCert);
-}
-
-static SECStatus
-sec_pkcs12_add_cert(sec_PKCS12SafeBag *cert, PRBool keyExists, void *wincx)
-{
-    SECItem *derCert, *nickName;
-    char *nickData = NULL;
-    PRBool isIntermediateCA;
-    SECStatus rv;
-
-    if(!cert) {
-	return SECFailure;
-    }
-
-    if(cert->problem || cert->noInstall || cert->installed) {
-	return SECSuccess;
-    }
-
-    derCert = &cert->safeBagContent.certBag->value.x509Cert;
-
-    PORT_Assert(!cert->problem && !cert->noInstall);
-
-    nickName = sec_pkcs12_get_nickname(cert);
-    if(nickName) {
-	nickData = (char *)nickName->data;
-    }
-
-    isIntermediateCA = CERT_IsCADERCert(derCert, NULL) && 
-						!CERT_IsRootDERCert(derCert);
-
-    if(keyExists) {
-	CERTCertificate *newCert;
-
-	newCert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
-	                                  derCert, NULL, PR_FALSE, PR_FALSE);
-	if(!newCert) {
-	     if(nickName) SECITEM_ZfreeItem(nickName, PR_TRUE);
-	     cert->error = PORT_GetError();
-	     cert->problem = PR_TRUE;
-	     return SECFailure;
-	}
-
-	rv = PK11_ImportCertForKeyToSlot(cert->slot, newCert, nickData, 
-					 PR_TRUE, wincx);
-	CERT_DestroyCertificate(newCert);
-    } else if ((cert->tokenCAs == SECPKCS12TargetTokenNoCAs) || 
-     ((cert->tokenCAs == SECPKCS12TargetTokenIntermediateCAs) && 
-							!isIntermediateCA)) {
-	SECItem *certList[2];
-	certList[0] = derCert;
-	certList[1] = NULL;
-	
-	rv = CERT_ImportCerts(CERT_GetDefaultCertDB(), certUsageUserCertImport,
-			     1, certList, NULL, PR_TRUE, PR_FALSE, nickData);
-    } else {
-	rv = PK11_ImportDERCert(cert->slot, derCert, CK_INVALID_HANDLE,
-							nickData, PR_FALSE);
-    }
-
-    cert->installed = PR_TRUE;
-    if(nickName) SECITEM_ZfreeItem(nickName, PR_TRUE);
-    return rv;
-}
-
-static SECStatus
-sec_pkcs12_add_key(sec_PKCS12SafeBag *key, SECItem *publicValue, 
-			KeyType keyType, unsigned int keyUsage, void *wincx)
-{
-    SECStatus rv;
-    SECItem *nickName;
-
-    if(!key) {
-	return SECFailure;
-    }
-
-    if(key->problem || key->noInstall) {
-	return SECSuccess;
-    }
-
-    nickName = sec_pkcs12_get_nickname(key);
-
-    switch(SECOID_FindOIDTag(&key->safeBagType))
-    {
-	case SEC_OID_PKCS12_V1_KEY_BAG_ID:
-	    rv = PK11_ImportPrivateKeyInfo(key->slot, 
-			  key->safeBagContent.pkcs8KeyBag, 
-			  nickName, publicValue, PR_TRUE, PR_TRUE,
-			  keyUsage,  wincx);
-	    break;
-	case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
-	    rv = PK11_ImportEncryptedPrivateKeyInfo(key->slot,
-					key->safeBagContent.pkcs8ShroudedKeyBag,
-					key->pwitem, nickName, publicValue, 
-					PR_TRUE, PR_TRUE, keyType, keyUsage,
-					wincx);
-	    break;
-	default:
-	    key->error = SEC_ERROR_PKCS12_UNSUPPORTED_VERSION;
-	    key->problem = PR_TRUE;
-	    if(nickName) {
-		SECITEM_ZfreeItem(nickName, PR_TRUE);
-	    }
-	    return SECFailure;
-    }
-
-    key->installed = PR_TRUE;
-
-    if(nickName) {
-	SECITEM_ZfreeItem(nickName, PR_TRUE);
-    }
-					
-    if(rv != SECSuccess) {
-	key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY;
-	key->problem = PR_TRUE;
-    } else {
-	key->installed = PR_TRUE;
-    }
-
-    return rv;
-}
-
-static SECStatus
-sec_pkcs12_add_item_to_bag_list(sec_PKCS12SafeBag ***bagList, 
-				sec_PKCS12SafeBag *bag)
-{
-    int i = 0;
-
-    if(!bagList || !bag) {
-	return SECFailure;
-    }
-
-    if(!(*bagList)) {
-	(*bagList) = (sec_PKCS12SafeBag **)PORT_ArenaZAlloc(bag->arena, 
-				      sizeof(sec_PKCS12SafeBag *) * 2);
-    } else {
-	while((*bagList)[i]) i++;
-	(*bagList) = (sec_PKCS12SafeBag **)PORT_ArenaGrow(bag->arena, *bagList,
-				sizeof(sec_PKCS12SafeBag *) * (i + 1),
-				sizeof(sec_PKCS12SafeBag *) * (i + 2));
-    }
-
-    if(!(*bagList)) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return SECFailure;
-    }
-
-    (*bagList)[i] = bag;
-    (*bagList)[i+1] = NULL;
-
-    return SECSuccess;
-}
-
-static sec_PKCS12SafeBag **
-sec_pkcs12_find_certs_for_key(sec_PKCS12SafeBag **safeBags, sec_PKCS12SafeBag *key ) 
-{
-    sec_PKCS12SafeBag **certList = NULL;
-    SECItem *keyId;
-    int i;
-
-    if(!safeBags || !safeBags[0]) {
-	return NULL;
-    }
-
-    keyId = sec_pkcs12_get_attribute_value(key, SEC_OID_PKCS9_LOCAL_KEY_ID);
-    if(!keyId) {
-	return NULL;
-    }
-
-    i = 0;
-    certList = NULL;
-    while(safeBags[i]) {
-	if(SECOID_FindOIDTag(&(safeBags[i]->safeBagType)) 
-				== SEC_OID_PKCS12_V1_CERT_BAG_ID) {
-	    SECItem *certKeyId = sec_pkcs12_get_attribute_value(safeBags[i],
-						SEC_OID_PKCS9_LOCAL_KEY_ID);
-
-	    if(certKeyId && (SECITEM_CompareItem(certKeyId, keyId) 
-				== SECEqual)) {
-		if(sec_pkcs12_add_item_to_bag_list(&certList, safeBags[i])
-				!= SECSuccess) {
-		    return NULL;
-		}
-	    }
-	}
-	i++;
-    }
-
-    return certList;
-}
-
-CERTCertList *
-SEC_PKCS12DecoderGetCerts(SEC_PKCS12DecoderContext *p12dcx)
-{
-    CERTCertList *certList = NULL;
-    sec_PKCS12SafeBag **safeBags = p12dcx->safeBags;
-    int i;
-
-    if (!p12dcx || !p12dcx->safeBags || !p12dcx->safeBags[0]) {
-	return NULL;
-    }
-
-    safeBags = p12dcx->safeBags;
-    i = 0;
-    certList = CERT_NewCertList();
-
-    if (certList == NULL) {
-	 return NULL;
-    }
-
-    while(safeBags[i]) {
-	if (SECOID_FindOIDTag(&(safeBags[i]->safeBagType)) 
-				== SEC_OID_PKCS12_V1_CERT_BAG_ID) {
-		SECItem *derCert = sec_pkcs12_get_der_cert(safeBags[i]) ;
-		CERTCertificate *tempCert = NULL;
-
-		if (derCert == NULL) continue;
-    		tempCert=CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
-		                                 derCert, NULL, 
-		                                 PR_FALSE, PR_TRUE);
-
-		if (tempCert) {
-		    CERT_AddCertToListTail(certList,tempCert);
-		}
-		SECITEM_FreeItem(derCert,PR_TRUE);
-	}
-	i++;
-    }
-
-    return certList;
-}
-static sec_PKCS12SafeBag **
-sec_pkcs12_get_key_bags(sec_PKCS12SafeBag **safeBags)
-{
-    int i;
-    sec_PKCS12SafeBag **keyList = NULL;
-    SECOidTag bagType;
-
-    if(!safeBags || !safeBags[0]) {
-	return NULL;
-    }
-
-    i = 0;
-    while(safeBags[i]) {
-	bagType = SECOID_FindOIDTag(&(safeBags[i]->safeBagType));
-	switch(bagType) {
-	    case SEC_OID_PKCS12_V1_KEY_BAG_ID:
-	    case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
-		if(sec_pkcs12_add_item_to_bag_list(&keyList, safeBags[i])
-				!= SECSuccess) {
-		    return NULL;
-		}
-		break;
-	    default:
-		break;
-	}
-	i++;
-    }
-
-    return keyList;
-}
-
-static SECStatus 
-sec_pkcs12_validate_bags(sec_PKCS12SafeBag **safeBags, 
-			 SEC_PKCS12NicknameCollisionCallback nicknameCb,
-			 void *wincx)
-{
-    sec_PKCS12SafeBag **keyList;
-    int i;
-
-    if(!safeBags || !nicknameCb) {
-	return SECFailure;
-    }
-
-    if(!safeBags[0]) {
-	return SECSuccess;
-    }
-
-    keyList = sec_pkcs12_get_key_bags(safeBags);
-    if(keyList) {
-	i = 0;
-
-	while(keyList[i]) {
-	    sec_PKCS12SafeBag **certList = sec_pkcs12_find_certs_for_key(
-							safeBags, keyList[i]);
-	    if(certList) {
-		int j = 0;
-
-		if(SECOID_FindOIDTag(&(keyList[i]->safeBagType)) == 
-					SEC_OID_PKCS12_V1_KEY_BAG_ID) {
-		    /* if it is an unencrypted private key then make sure
-		     * the attributes are propageted to the appropriate 
-		     * level 
-		     */
-		    if(sec_pkcs12_get_key_info(keyList[i]) != SECSuccess) {
-			keyList[i]->problem = PR_TRUE;
-			keyList[i]->error = SEC_ERROR_NO_MEMORY;
-			return SECFailure;
-		     }
-		}
-	
-		sec_pkcs12_validate_key_by_cert(certList[0], keyList[i], wincx);
-		while(certList[j]) {
-		    certList[j]->hasKey = PR_TRUE;
-		    if(keyList[i]->problem) {
-			certList[j]->problem = PR_TRUE;
-			certList[j]->error = keyList[i]->error;
-		    } else {
-			sec_pkcs12_validate_cert(certList[j], keyList[i],
-						 nicknameCb, wincx);
-			if(certList[j]->problem) {
-			    keyList[i]->problem = certList[j]->problem;
-			    keyList[i]->error = certList[j]->error;
-			}
-		    }
-		    j++;
-		}
-	    }
-
-	    i++;
-	}
-    }
-
-    i = 0;
-    while(safeBags[i]) {
-	if(!safeBags[i]->validated) {
-	    SECOidTag bagType = SECOID_FindOIDTag(&safeBags[i]->safeBagType);
-
-	    switch(bagType) {
-		case SEC_OID_PKCS12_V1_CERT_BAG_ID:
-		    sec_pkcs12_validate_cert(safeBags[i], NULL, nicknameCb, 
-					     wincx);
-		    break;
-		case SEC_OID_PKCS12_V1_KEY_BAG_ID:
-		case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
-		    safeBags[i]->noInstall = PR_TRUE;
-		    safeBags[i]->problem = PR_TRUE;	
-		    safeBags[i]->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY;
-		    break;
-		default:
-		    safeBags[i]->noInstall = PR_TRUE;
-	    }
-	}
-	i++;
-    }
-
-    return SECSuccess;
-}
-
-SECStatus
-SEC_PKCS12DecoderValidateBags(SEC_PKCS12DecoderContext *p12dcx,
-			      SEC_PKCS12NicknameCollisionCallback nicknameCb)
-{
-    SECStatus rv;
-    int i, noInstallCnt, probCnt, bagCnt, errorVal = 0;
-    if(!p12dcx || p12dcx->error) {
-	return SECFailure;
-    }
-
-    rv = sec_pkcs12_validate_bags(p12dcx->safeBags, nicknameCb, p12dcx->wincx);
-    if(rv == SECSuccess) {
-	p12dcx->bagsVerified = PR_TRUE;
-    }
-
-    noInstallCnt = probCnt = bagCnt = 0;
-    i = 0;
-    while(p12dcx->safeBags[i]) {
-	bagCnt++;
-	if(p12dcx->safeBags[i]->noInstall) noInstallCnt++;
-	if(p12dcx->safeBags[i]->problem) {
-	    probCnt++;
-	    errorVal = p12dcx->safeBags[i]->error;
-	}
-	i++;
-    }
-
-    if(bagCnt == noInstallCnt) {
-	PORT_SetError(SEC_ERROR_PKCS12_DUPLICATE_DATA);
-	return SECFailure;
-    }
-
-    if(probCnt) {
-	PORT_SetError(errorVal);
-	return SECFailure;
-    }
-
-    return rv;
-}
-
-static SECItem *
-sec_pkcs12_get_public_value_and_type(sec_PKCS12SafeBag *certBag,
-					KeyType *type, unsigned int *usage)
-{
-    SECKEYPublicKey *pubKey = NULL;
-    CERTCertificate *cert = NULL;
-    SECItem *pubValue;
-
-    *type = nullKey;
-    *usage = 0;
-
-    if(!certBag) {
-	return NULL;
-    }
-
-    cert = CERT_DecodeDERCertificate(
-	 &certBag->safeBagContent.certBag->value.x509Cert, PR_FALSE, NULL);
-    if(!cert) {
-	return NULL;
-    }
-
-    *usage = cert->keyUsage;
-    pubKey = CERT_ExtractPublicKey(cert);
-    CERT_DestroyCertificate(cert);
-    if(!pubKey) {
-	return NULL;
-    }
-
-    *type = pubKey->keyType;
-    switch(pubKey->keyType) {
-	case dsaKey:
-	    pubValue = SECITEM_DupItem(&pubKey->u.dsa.publicValue);
-	    break;
-	case dhKey:
-	    pubValue = SECITEM_DupItem(&pubKey->u.dh.publicValue);
-	    break;
-	case rsaKey:
-	    pubValue = SECITEM_DupItem(&pubKey->u.rsa.modulus);
-	    break;
-        case ecKey:
-	    pubValue = SECITEM_DupItem(&pubKey->u.ec.publicValue);
-	    break;
-	default:
-	    pubValue = NULL;
-    }
-
-    SECKEY_DestroyPublicKey(pubKey);
-
-    return pubValue;
-}
-
-static SECStatus 
-sec_pkcs12_install_bags(sec_PKCS12SafeBag **safeBags, 
-			void *wincx)
-{
-    sec_PKCS12SafeBag **keyList, **certList;
-    int i;
-
-    if(!safeBags) {
-	return SECFailure;
-    }
-
-    if(!safeBags[0]) {
-	return SECSuccess;
-    }
-
-    keyList = sec_pkcs12_get_key_bags(safeBags);
-    if(keyList) {
-	i = 0;
-
-	while(keyList[i]) {
-	    SECStatus rv;
-	    SECItem *publicValue = NULL;
-	    KeyType keyType;
-	    unsigned int keyUsage;
-
-	    if(keyList[i]->problem) {
-		goto next_key_bag;
-	    }
-
-	    certList = sec_pkcs12_find_certs_for_key(safeBags,
-						     keyList[i]);
-	    if(certList) {
-		publicValue = sec_pkcs12_get_public_value_and_type(certList[0],
-							&keyType, &keyUsage);
-	    }
-	    rv = sec_pkcs12_add_key(keyList[i], publicValue, keyType, keyUsage,
-									wincx);
-	    if(publicValue) {
-		SECITEM_FreeItem(publicValue, PR_TRUE);
-	    }
-	    if(rv != SECSuccess) {
-		PORT_SetError(keyList[i]->error);
-		return SECFailure;
-	    }
-
-	    if(certList) {
-		int j = 0;
-
-		while(certList[j]) {
-		    SECStatus certRv;
-
-		    if(rv != SECSuccess) {
-			certList[j]->problem = keyList[i]->problem;
-			certList[j]->error = keyList[i]->error;	
-			certList[j]->noInstall = PR_TRUE;
-			goto next_cert_bag;
-		    }
-
-		    certRv = sec_pkcs12_add_cert(certList[j], 
-						 certList[j]->hasKey, wincx);
-		    if(certRv != SECSuccess) {
-			keyList[i]->problem = certList[j]->problem;
-			keyList[i]->error = certList[j]->error;
-			PORT_SetError(certList[j]->error);
-			return SECFailure;
-		    }
-next_cert_bag:
-		    j++;
-		}
-	    }
-
-next_key_bag:
-	    i++;
-	}
-    }
-
-    i = 0;
-    while(safeBags[i]) {
-	if(!safeBags[i]->installed) {
-	    SECStatus rv;
-	    SECOidTag bagType = SECOID_FindOIDTag(&(safeBags[i]->safeBagType));
-
-	    switch(bagType) {
-		case SEC_OID_PKCS12_V1_CERT_BAG_ID:
-		    rv = sec_pkcs12_add_cert(safeBags[i], safeBags[i]->hasKey,
-					     wincx);
-		    if(rv != SECSuccess) {
-			PORT_SetError(safeBags[i]->error);
-			return SECFailure;
-		    }
-		    break;
-		case SEC_OID_PKCS12_V1_KEY_BAG_ID:
-		case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
-		default:
-		    break;
-	    }
-	}
-	i++;
-    }
-
-    return SECSuccess;
-}
-
-SECStatus
-SEC_PKCS12DecoderImportBags(SEC_PKCS12DecoderContext *p12dcx)
-{
-    if(!p12dcx || p12dcx->error) {
-	return SECFailure;
-    }
-
-    if(!p12dcx->bagsVerified) {
-	return SECFailure;
-    }
-
-    return sec_pkcs12_install_bags(p12dcx->safeBags, p12dcx->wincx);
-}
-
-PRBool
-sec_pkcs12_bagHasKey(SEC_PKCS12DecoderContext *p12dcx, sec_PKCS12SafeBag *bag)
-{
-    int i;
-    SECItem *keyId;
-    SECItem *certKeyId;
-
-    certKeyId = sec_pkcs12_get_attribute_value(bag, SEC_OID_PKCS9_LOCAL_KEY_ID);
-    if (certKeyId == NULL) {
-        return PR_FALSE;
-    }
-            
-    for (i=0; p12dcx->keyList && p12dcx->keyList[i]; i++) {
-        keyId = sec_pkcs12_get_attribute_value(p12dcx->keyList[i],
-                                                SEC_OID_PKCS9_LOCAL_KEY_ID);
-        if(!keyId) {
-            continue;
-        }
-        if(SECITEM_CompareItem(certKeyId, keyId) == SECEqual) {
-            return PR_TRUE;
-        }
-    }
-    return PR_FALSE;
-}
-
-SECItem *
-sec_pkcs12_get_friendlyName(sec_PKCS12SafeBag *bag)
-{
-    SECItem *friendlyName;
-    SECItem *tempnm;
-    
-    tempnm = sec_pkcs12_get_attribute_value(bag, SEC_OID_PKCS9_FRIENDLY_NAME);
-    friendlyName = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
-    if (friendlyName) {
-        if (!sec_pkcs12_convert_item_to_unicode(NULL, friendlyName,
-                                   tempnm, PR_TRUE, PR_FALSE, PR_FALSE)) {
-            SECITEM_FreeItem(friendlyName, PR_TRUE);
-            friendlyName = NULL;
-        }
-    }
-    return friendlyName;
-}
-
-/* Following two functions provide access to selected portions of the safe bags.
- * Iteration is implemented per decoder context and may be accessed after
- * SEC_PKCS12DecoderVerify() returns success.
- * When ...DecoderIterateNext() returns SUCCESS a decoder item has been returned
- * where item.type is always set; item.friendlyName is set if it is non-null;
- * item.der, item.hasKey are set only for SEC_OID_PKCS12_V1_CERT_BAG_ID items.
- * ...DecoderIterateNext() returns FAILURE when the list is exhausted or when
- * arguments are invalid; PORT_GetError() is 0 at end-of-list.
- * Caller has read-only access to decoder items. Any SECItems generated are
- * owned by the decoder context and are freed by ...DecoderFinish().
- */
-SECStatus
-SEC_PKCS12DecoderIterateInit(SEC_PKCS12DecoderContext *p12dcx)
-{
-    if(!p12dcx || p12dcx->error) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    p12dcx->iteration = 0;
-    return SECSuccess;
-}
-
-SECStatus
-SEC_PKCS12DecoderIterateNext(SEC_PKCS12DecoderContext *p12dcx,
-                             const SEC_PKCS12DecoderItem **ipp)
-{
-    sec_PKCS12SafeBag *bag;
-    
-    if(!p12dcx || p12dcx->error) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    if (p12dcx->decitem.type != 0 && p12dcx->decitem.der != NULL) {
-        SECITEM_FreeItem(p12dcx->decitem.der, PR_TRUE);
-    }
-    if (p12dcx->decitem.friendlyName != NULL) {
-        SECITEM_FreeItem(p12dcx->decitem.friendlyName, PR_TRUE);
-    }
-    p12dcx->decitem.type = 0;
-    p12dcx->decitem.der = NULL;
-    p12dcx->decitem.friendlyName = NULL;
-    p12dcx->decitem.hasKey = PR_FALSE;
-    *ipp = NULL;
-    if (p12dcx->keyList == NULL) {
-        p12dcx->keyList = sec_pkcs12_get_key_bags(p12dcx->safeBags);
-    }
-
-    
-    for (; p12dcx->iteration < p12dcx->safeBagCount; p12dcx->iteration++) {
-        bag = p12dcx->safeBags[p12dcx->iteration];
- 	if(bag == NULL || bag->problem) {
-            continue;
-        }
-        p12dcx->decitem.type = SECOID_FindOIDTag(&(bag->safeBagType));
-        switch(p12dcx->decitem.type) {
-            case SEC_OID_PKCS12_V1_CERT_BAG_ID:
-                p12dcx->decitem.der = sec_pkcs12_get_der_cert(bag);
-                p12dcx->decitem.friendlyName = sec_pkcs12_get_friendlyName(bag);
-                p12dcx->decitem.hasKey = sec_pkcs12_bagHasKey(p12dcx, bag);
-                break;
-            case SEC_OID_PKCS12_V1_KEY_BAG_ID:
-            case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
-                p12dcx->decitem.friendlyName = sec_pkcs12_get_friendlyName(bag);
-                break;
-            default:
-                /* return these even though we don't expect them */
-                break;
-            case SEC_OID_UNKNOWN:
-                /* ignore these */
-                continue;
-        }
-        *ipp = &p12dcx->decitem;
-        p12dcx->iteration++;
-        break;  /* end for() */
-    }
-    
-    PORT_SetError(0);       /* end-of-list is SECFailure with no PORT error */
-    return ((p12dcx->decitem.type == 0) ? SECFailure : SECSuccess);
-}
-
-static SECStatus
-sec_pkcs12_decoder_append_bag_to_context(SEC_PKCS12DecoderContext *p12dcx,
-					 sec_PKCS12SafeBag *bag)
-{
-    if(!p12dcx || p12dcx->error) {
-	return SECFailure;
-    }
-
-    if(!p12dcx->safeBagCount) {
-	p12dcx->safeBags = (sec_PKCS12SafeBag **)PORT_ArenaZAlloc(p12dcx->arena, 
-					    sizeof(sec_PKCS12SafeBag *) * 2);
-    } else {
-	p12dcx->safeBags = 
-	  (sec_PKCS12SafeBag **)PORT_ArenaGrow(p12dcx->arena, p12dcx->safeBags,
-		     (p12dcx->safeBagCount + 1) * sizeof(sec_PKCS12SafeBag *),
-		     (p12dcx->safeBagCount + 2) * sizeof(sec_PKCS12SafeBag *));
-    }
-
-    if(!p12dcx->safeBags) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return SECFailure;
-    }
-
-    p12dcx->safeBags[p12dcx->safeBagCount] = bag;
-    p12dcx->safeBags[p12dcx->safeBagCount+1] = NULL;
-    p12dcx->safeBagCount++;
-
-    return SECSuccess;
-}
-
-static sec_PKCS12SafeBag *
-sec_pkcs12_decoder_convert_old_key(SEC_PKCS12DecoderContext *p12dcx,
-				   void *key, PRBool isEspvk)
-{
-    sec_PKCS12SafeBag *keyBag;
-    SECOidData *oid;
-    SECOidTag keyTag;
-    SECItem *keyID, *nickName, *newNickName;
-
-    if(!p12dcx || p12dcx->error || !key) {
-	return NULL;
-    }
-
-    newNickName =(SECItem *)PORT_ArenaZAlloc(p12dcx->arena, sizeof(SECItem));
-    keyBag = (sec_PKCS12SafeBag *)PORT_ArenaZAlloc(p12dcx->arena, 
-						   sizeof(sec_PKCS12SafeBag));
-    if(!keyBag || !newNickName) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    keyBag->swapUnicodeBytes = p12dcx->swapUnicodeBytes;
-    keyBag->slot = p12dcx->slot;
-    keyBag->arena = p12dcx->arena;
-    keyBag->pwitem = p12dcx->pwitem;
-    keyBag->tokenCAs = p12dcx->tokenCAs;
-    keyBag->oldBagType = PR_TRUE;
-
-    keyTag = (isEspvk) ? SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID :
-			 SEC_OID_PKCS12_V1_KEY_BAG_ID;
-    oid = SECOID_FindOIDByTag(keyTag);
-    if(!oid) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    if(SECITEM_CopyItem(p12dcx->arena, &keyBag->safeBagType, &oid->oid) 
-			!= SECSuccess) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    if(isEspvk) {
-	SEC_PKCS12ESPVKItem *espvk = (SEC_PKCS12ESPVKItem *)key;
-	keyBag->safeBagContent.pkcs8ShroudedKeyBag  = 
-					espvk->espvkCipherText.pkcs8KeyShroud;
-	nickName = &(espvk->espvkData.uniNickName); 
-	if(!espvk->espvkData.assocCerts || !espvk->espvkData.assocCerts[0]) {
-	    PORT_SetError(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE);
-	    return NULL;
-	}
-	keyID = &espvk->espvkData.assocCerts[0]->digest;
-    } else {
-	SEC_PKCS12PrivateKey *pk = (SEC_PKCS12PrivateKey *)key;
-	keyBag->safeBagContent.pkcs8KeyBag = &pk->pkcs8data;
-	nickName= &(pk->pvkData.uniNickName);
-	if(!pk->pvkData.assocCerts || !pk->pvkData.assocCerts[0]) {
-	    PORT_SetError(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE);
-	    return NULL;
-	}
-	keyID = &pk->pvkData.assocCerts[0]->digest;
-    }
-
-    if(nickName->len) {
-	if(nickName->len >= 2) {
-	    if(nickName->data[0] && nickName->data[1]) {
-		if(!sec_pkcs12_convert_item_to_unicode(p12dcx->arena, newNickName, 
-					nickName, PR_FALSE, PR_FALSE, PR_TRUE)) {
-		    PORT_SetError(SEC_ERROR_NO_MEMORY);
-		    return NULL;
-		}
-		nickName = newNickName;
-	    } else if(nickName->data[0] && !nickName->data[1]) {
-		unsigned int j = 0;
-		unsigned char t;
-		for(j = 0; j < nickName->len; j+=2) {
-		    t = nickName->data[j+1];
-		    nickName->data[j+1] = nickName->data[j];
-		    nickName->data[j] = t;
-		}
-	    }
-	} else {
-	    if(!sec_pkcs12_convert_item_to_unicode(p12dcx->arena, newNickName, 
-					nickName, PR_FALSE, PR_FALSE, PR_TRUE)) {
-		PORT_SetError(SEC_ERROR_NO_MEMORY);
-		return NULL;
-	    }
-	    nickName = newNickName;
-	}
-    }
-
-    if(sec_pkcs12_decoder_set_attribute_value(keyBag,
-					      SEC_OID_PKCS9_FRIENDLY_NAME,
-					      nickName) != SECSuccess) {
-	return NULL;
-    }
-	
-    if(sec_pkcs12_decoder_set_attribute_value(keyBag,SEC_OID_PKCS9_LOCAL_KEY_ID,
-					keyID) != SECSuccess) {
-	return NULL;
-    }
-
-    return keyBag;
-}
-
-static sec_PKCS12SafeBag *
-sec_pkcs12_decoder_create_cert(SEC_PKCS12DecoderContext *p12dcx,
-			       SECItem *derCert)
-{
-    sec_PKCS12SafeBag *certBag;
-    SECOidData *oid;
-    SGNDigestInfo *digest;
-    SECItem *keyId;
-    SECStatus rv;
-
-    if(!p12dcx || p12dcx->error || !derCert) {
-	return NULL;
-    }
-
-    keyId = (SECItem *)PORT_ArenaZAlloc(p12dcx->arena, sizeof(SECItem));
-    if(!keyId) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    digest = sec_pkcs12_compute_thumbprint(derCert);
-    if(!digest) {
-	return NULL;
-    }
-
-    rv = SECITEM_CopyItem(p12dcx->arena, keyId, &digest->digest);
-    SGN_DestroyDigestInfo(digest);
-    if(rv != SECSuccess) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    oid = SECOID_FindOIDByTag(SEC_OID_PKCS12_V1_CERT_BAG_ID);
-    certBag = (sec_PKCS12SafeBag *)PORT_ArenaZAlloc(p12dcx->arena, 
-						    sizeof(sec_PKCS12SafeBag));
-    if(!certBag || !oid || (SECITEM_CopyItem(p12dcx->arena, 
-			&certBag->safeBagType, &oid->oid) != SECSuccess)) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    certBag->slot = p12dcx->slot;
-    certBag->pwitem = p12dcx->pwitem;
-    certBag->swapUnicodeBytes = p12dcx->swapUnicodeBytes;
-    certBag->arena = p12dcx->arena;
-    certBag->tokenCAs = p12dcx->tokenCAs;
-
-    oid = SECOID_FindOIDByTag(SEC_OID_PKCS9_X509_CERT);
-    certBag->safeBagContent.certBag = 
-        (sec_PKCS12CertBag *)PORT_ArenaZAlloc(p12dcx->arena, 
-					      sizeof(sec_PKCS12CertBag));
-    if(!certBag->safeBagContent.certBag || !oid ||
-			(SECITEM_CopyItem(p12dcx->arena, 
-				 &certBag->safeBagContent.certBag->bagID,
-				 &oid->oid) != SECSuccess)) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-      
-    if(SECITEM_CopyItem(p12dcx->arena, 
-			 &(certBag->safeBagContent.certBag->value.x509Cert),
-			 derCert) != SECSuccess) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    if(sec_pkcs12_decoder_set_attribute_value(certBag, SEC_OID_PKCS9_LOCAL_KEY_ID,
-					keyId) != SECSuccess) {
-	return NULL;
-    }
-
-    return certBag;
-}
-
-static sec_PKCS12SafeBag **
-sec_pkcs12_decoder_convert_old_cert(SEC_PKCS12DecoderContext *p12dcx,
-				    SEC_PKCS12CertAndCRL *oldCert)
-{
-    sec_PKCS12SafeBag **certList;
-    SECItem **derCertList;
-    int i, j;
-
-    if(!p12dcx || p12dcx->error || !oldCert) {
-	return NULL;
-    }
-
-    derCertList = SEC_PKCS7GetCertificateList(&oldCert->value.x509->certOrCRL);
-    if(!derCertList) {
-	return NULL;
-    }
-
-    i = 0;
-    while(derCertList[i]) i++;
-
-    certList = (sec_PKCS12SafeBag **)PORT_ArenaZAlloc(p12dcx->arena, 
-				(i + 1) * sizeof(sec_PKCS12SafeBag *));
-    if(!certList) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    for(j = 0; j < i; j++) {
-	certList[j] = sec_pkcs12_decoder_create_cert(p12dcx, derCertList[j]);
-	if(!certList[j]) {
-	    return NULL;
-	}
-    }
-
-    return certList;
-}   
-
-static SECStatus
-sec_pkcs12_decoder_convert_old_key_and_certs(SEC_PKCS12DecoderContext *p12dcx,
-					     void *oldKey, PRBool isEspvk,
-					     SEC_PKCS12SafeContents *safe,
-					     SEC_PKCS12Baggage *baggage)
-{
-    sec_PKCS12SafeBag *key, **certList;
-    SEC_PKCS12CertAndCRL *oldCert;
-    SEC_PKCS12PVKSupportingData *pvkData;
-    int i;
-    SECItem *keyName;
-
-    if(!p12dcx || !oldKey) {
-	return SECFailure;
-    }
-
-    if(isEspvk) {
-	pvkData = &((SEC_PKCS12ESPVKItem *)(oldKey))->espvkData;
-    } else {
-	pvkData = &((SEC_PKCS12PrivateKey *)(oldKey))->pvkData;
-    }
-
-    if(!pvkData->assocCerts || !pvkData->assocCerts[0]) {
-	PORT_SetError(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE);
-	return SECFailure;
-    }
-
-    oldCert = (SEC_PKCS12CertAndCRL *)sec_pkcs12_find_object(safe, baggage, 
-				     SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID, NULL,
-				     pvkData->assocCerts[0]);
-    if(!oldCert) {
-	PORT_SetError(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE);
-	return SECFailure;
-    }
-	
-    key = sec_pkcs12_decoder_convert_old_key(p12dcx,oldKey, isEspvk);
-    certList = sec_pkcs12_decoder_convert_old_cert(p12dcx, oldCert);
-    if(!key || !certList) {
-	return SECFailure;
-    }
-
-    if(sec_pkcs12_decoder_append_bag_to_context(p12dcx, key) != SECSuccess) {
-	return SECFailure;
-    }
-
-    keyName = sec_pkcs12_get_nickname(key);
-    if(!keyName) {
-	return SECFailure;
-    }
-
-    i = 0;
-    while(certList[i]) {
-	if(sec_pkcs12_decoder_append_bag_to_context(p12dcx, certList[i]) 
-				!= SECSuccess) {
-	    return SECFailure;
-	}
-	i++;
-    }
-
-    certList = sec_pkcs12_find_certs_for_key(p12dcx->safeBags, key);
-    if(!certList) {
-	return SECFailure;
-    }
-
-    i = 0;
-    while(certList[i] != 0) {
-	if(sec_pkcs12_set_nickname(certList[i], keyName) != SECSuccess) {
-	    return SECFailure;
-	}
-	i++;
-    }
-				
-    return SECSuccess;
-}
-	
-static SECStatus
-sec_pkcs12_decoder_convert_old_safe_to_bags(SEC_PKCS12DecoderContext *p12dcx,
-					    SEC_PKCS12SafeContents *safe,
-					    SEC_PKCS12Baggage *baggage)
-{
-    SECStatus rv;
-
-    if(!p12dcx || p12dcx->error) {
-	return SECFailure;
-    }
-
-    if(safe && safe->contents) {
-	int i = 0;
-	while(safe->contents[i] != NULL) {
-	    if(SECOID_FindOIDTag(&safe->contents[i]->safeBagType) 
-				== SEC_OID_PKCS12_KEY_BAG_ID) {
-		int j = 0;
-		SEC_PKCS12PrivateKeyBag *privBag = 
-					safe->contents[i]->safeContent.keyBag;
-		
-		while(privBag->privateKeys[j] != NULL) {
-		    SEC_PKCS12PrivateKey *pk = privBag->privateKeys[j];
-		    rv = sec_pkcs12_decoder_convert_old_key_and_certs(p12dcx,pk,
-						PR_FALSE, safe, baggage);
-		    if(rv != SECSuccess) {
-			goto loser;
-		    }
-		    j++;
-		}
-	    }
-	    i++;
-	}
-    }
-
-    if(baggage && baggage->bags) {
-	int i = 0;
-	while(baggage->bags[i] != NULL) {
-	    SEC_PKCS12BaggageItem *bag = baggage->bags[i];
-	    int j = 0;
-
-	    if(!bag->espvks) {
-		i++;
-		continue;
-	    }
-
-	    while(bag->espvks[j] != NULL) {
-		SEC_PKCS12ESPVKItem *espvk = bag->espvks[j];
-		rv = sec_pkcs12_decoder_convert_old_key_and_certs(p12dcx, espvk,
-							PR_TRUE, safe, baggage);
-		if(rv != SECSuccess) {
-		    goto loser;
-		}
-		j++;
-	    }
-	    i++;
-	}
-    }
-
-    return SECSuccess;
-
-loser:
-    return SECFailure;
-}
-
-SEC_PKCS12DecoderContext *
-sec_PKCS12ConvertOldSafeToNew(PRArenaPool *arena, PK11SlotInfo *slot, 
-			      PRBool swapUnicode, SECItem *pwitem,
-			      void *wincx, SEC_PKCS12SafeContents *safe,
-			      SEC_PKCS12Baggage *baggage)
-{
-    SEC_PKCS12DecoderContext *p12dcx;
-
-    if(!arena || !slot || !pwitem) {
-	return NULL;
-    }
-
-    if(!safe && !baggage) {
-	return NULL;
-    }
-
-    p12dcx = (SEC_PKCS12DecoderContext *)PORT_ArenaZAlloc(arena, 
-					    sizeof(SEC_PKCS12DecoderContext));
-    if(!p12dcx) {
-	return NULL;
-    }
-
-    p12dcx->arena = arena;
-    p12dcx->slot = PK11_ReferenceSlot(slot);
-    p12dcx->wincx = wincx;
-    p12dcx->error = PR_FALSE;
-    p12dcx->swapUnicodeBytes = swapUnicode; 
-    p12dcx->pwitem = pwitem;
-    p12dcx->tokenCAs = SECPKCS12TargetTokenNoCAs;
-    
-    if(sec_pkcs12_decoder_convert_old_safe_to_bags(p12dcx, safe, baggage) 
-				!= SECSuccess) {
-	p12dcx->error = PR_TRUE;
-	return NULL;
-    }
-
-    return p12dcx;
-}
diff --git a/security/nss/lib/pkcs12/p12dec.c b/security/nss/lib/pkcs12/p12dec.c
deleted file mode 100644
index 8124a01ed..000000000
--- a/security/nss/lib/pkcs12/p12dec.c
+++ /dev/null
@@ -1,696 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "pkcs12.h"
-#include "plarena.h"
-#include "secpkcs7.h"
-#include "p12local.h"
-#include "secoid.h"
-#include "secitem.h"
-#include "secport.h"
-#include "secasn1.h"
-#include "secder.h"
-#include "secerr.h"
-#include "cert.h"
-#include "certdb.h"
-#include "p12plcy.h"
-#include "p12.h" 
-#include "secpkcs5.h" 
-
-/* PFX extraction and validation routines */
-
-/* decode the DER encoded PFX item.  if unable to decode, check to see if it
- * is an older PFX item.  If that fails, assume the file was not a valid
- * pfx file.
- * the returned pfx structure should be destroyed using SEC_PKCS12DestroyPFX
- */
-static SEC_PKCS12PFXItem *
-sec_pkcs12_decode_pfx(SECItem *der_pfx)
-{
-    SEC_PKCS12PFXItem *pfx;
-    SECStatus rv;
-
-    if(der_pfx == NULL) {
-	return NULL;
-    }
-
-    /* allocate the space for a new PFX item */
-    pfx = sec_pkcs12_new_pfx();
-    if(pfx == NULL) {
-	return NULL;
-    }
-
-    rv = SEC_ASN1DecodeItem(pfx->poolp, pfx, SEC_PKCS12PFXItemTemplate, 
-    			    der_pfx);
-
-    /* if a failure occurred, check for older version...
-     * we also get rid of the old pfx structure, because we don't
-     * know where it failed and what data in may contain
-     */
-    if(rv != SECSuccess) {
-	SEC_PKCS12DestroyPFX(pfx);
-	pfx = sec_pkcs12_new_pfx();
-	if(pfx == NULL) {
-	    return NULL;
-	}
-	rv = SEC_ASN1DecodeItem(pfx->poolp, pfx, SEC_PKCS12PFXItemTemplate_OLD, 
-				der_pfx);
-	if(rv != SECSuccess) {
-	    PORT_SetError(SEC_ERROR_PKCS12_DECODING_PFX);
-	    PORT_FreeArena(pfx->poolp, PR_TRUE);
-	    return NULL;
-	}
-	pfx->old = PR_TRUE;
-	SGN_CopyDigestInfo(pfx->poolp, &pfx->macData.safeMac, &pfx->old_safeMac);
-	SECITEM_CopyItem(pfx->poolp, &pfx->macData.macSalt, &pfx->old_macSalt);
-    } else {
-	pfx->old = PR_FALSE;
-    }
-
-    /* convert bit string from bits to bytes */
-    pfx->macData.macSalt.len /= 8;
-
-    return pfx;
-}
-
-/* validate the integrity MAC used in the PFX.  The MAC is generated
- * per the PKCS 12 document.  If the MAC is incorrect, it is most likely
- * due to an invalid password.
- * pwitem is the integrity password
- * pfx is the decoded pfx item
- */
-static PRBool 
-sec_pkcs12_check_pfx_mac(SEC_PKCS12PFXItem *pfx,
-			 SECItem *pwitem)
-{
-    SECItem *key = NULL, *mac = NULL, *data = NULL;
-    SECItem *vpwd = NULL;
-    SECOidTag algorithm;
-    PRBool ret = PR_FALSE;
-
-    if(pfx == NULL) {
-	return PR_FALSE;
-    }
-
-    algorithm = SECOID_GetAlgorithmTag(&pfx->macData.safeMac.digestAlgorithm);
-    switch(algorithm) {
-	/* only SHA1 hashing supported as a MACing algorithm */
-	case SEC_OID_SHA1:
-	    if(pfx->old == PR_FALSE) {
-		pfx->swapUnicode = PR_FALSE;
-	    }
-
-recheckUnicodePassword:
-	    vpwd = sec_pkcs12_create_virtual_password(pwitem, 
-	    					&pfx->macData.macSalt, 
-						pfx->swapUnicode);
-	    if(vpwd == NULL) {
-		return PR_FALSE;
-	    }
-
-	    key = sec_pkcs12_generate_key_from_password(algorithm,
-						&pfx->macData.macSalt, 
-						(pfx->old ? pwitem : vpwd));
-	    /* free vpwd only for newer PFX */
-	    if(vpwd) {
-		SECITEM_ZfreeItem(vpwd, PR_TRUE);
-	    }
-	    if(key == NULL) {
-		return PR_FALSE;
-	    }
-
-	    data = SEC_PKCS7GetContent(&pfx->authSafe);
-	    if(data == NULL) {
-		break;
-	    }
-
-	    /* check MAC */
-	    mac = sec_pkcs12_generate_mac(key, data, pfx->old);
-	    ret = PR_TRUE;
-	    if(mac) {
-		SECItem *safeMac = &pfx->macData.safeMac.digest;
-		if(SECITEM_CompareItem(mac, safeMac) != SECEqual) {
-
-		    /* if we encounter an invalid mac, lets invert the
-		     * password in case of unicode changes 
-		     */
-		    if(((!pfx->old) && pfx->swapUnicode) || (pfx->old)){
-			PORT_SetError(SEC_ERROR_PKCS12_INVALID_MAC);
-			ret = PR_FALSE;
-		    } else {
-			SECITEM_ZfreeItem(mac, PR_TRUE);
-			pfx->swapUnicode = PR_TRUE;
-			goto recheckUnicodePassword;
-		    }
-		} 
-		SECITEM_ZfreeItem(mac, PR_TRUE);
-	    } else {
-		ret = PR_FALSE;
-	    }
-	    break;
-	default:
-	    PORT_SetError(SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM);
-	    ret = PR_FALSE;
-	    break;
-    }
-
-    /* let success fall through */
-    if(key != NULL)
-	SECITEM_ZfreeItem(key, PR_TRUE);
-
-    return ret;
-}
-
-/* check the validity of the pfx structure.  we currently only support
- * password integrity mode, so we check the MAC.
- */
-static PRBool 
-sec_pkcs12_validate_pfx(SEC_PKCS12PFXItem *pfx, 
-			SECItem *pwitem)
-{
-    SECOidTag contentType;
-
-    contentType = SEC_PKCS7ContentType(&pfx->authSafe);
-    switch(contentType)
-    {
-	case SEC_OID_PKCS7_DATA:
-	    return sec_pkcs12_check_pfx_mac(pfx, pwitem);
-	    break;
-	case SEC_OID_PKCS7_SIGNED_DATA:
-	default:
-	    PORT_SetError(SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE);
-	    break;
-    }
-
-    return PR_FALSE;
-}
-
-/* decode and return the valid PFX.  if the PFX item is not valid,
- * NULL is returned.
- */
-static SEC_PKCS12PFXItem *
-sec_pkcs12_get_pfx(SECItem *pfx_data, 
-		   SECItem *pwitem)
-{
-    SEC_PKCS12PFXItem *pfx;
-    PRBool valid_pfx;
-
-    if((pfx_data == NULL) || (pwitem == NULL)) {
-	return NULL;
-    }
-
-    pfx = sec_pkcs12_decode_pfx(pfx_data);
-    if(pfx == NULL) {
-	return NULL;
-    }
-
-    valid_pfx = sec_pkcs12_validate_pfx(pfx, pwitem);
-    if(valid_pfx != PR_TRUE) {
-	SEC_PKCS12DestroyPFX(pfx);
-	pfx = NULL;
-    }
-
-    return pfx;
-}
-
-/* authenticated safe decoding, validation, and access routines
- */
-
-/* convert dogbert beta 3 authenticated safe structure to a post
- * beta three structure, so that we don't have to change more routines.
- */
-static SECStatus
-sec_pkcs12_convert_old_auth_safe(SEC_PKCS12AuthenticatedSafe *asafe)
-{
-    SEC_PKCS12Baggage *baggage;
-    SEC_PKCS12BaggageItem *bag;
-    SECStatus rv = SECSuccess;
-
-    if(asafe->old_baggage.espvks == NULL) {
-	/* XXX should the ASN1 engine produce a single NULL element list
-	 * rather than setting the pointer to NULL?  
-	 * There is no need to return an error -- assume that the list
-	 * was empty.
-	 */
-	return SECSuccess;
-    }
-
-    baggage = sec_pkcs12_create_baggage(asafe->poolp);
-    if(!baggage) {
-	return SECFailure;
-    }
-    bag = sec_pkcs12_create_external_bag(baggage);
-    if(!bag) {
-	return SECFailure;
-    }
-
-    PORT_Memcpy(&asafe->baggage, baggage, sizeof(SEC_PKCS12Baggage));
-
-    /* if there are shrouded keys, append them to the bag */
-    rv = SECSuccess;
-    if(asafe->old_baggage.espvks[0] != NULL) {
-	int nEspvk = 0;
-	rv = SECSuccess;
-	while((asafe->old_baggage.espvks[nEspvk] != NULL) && 
-		(rv == SECSuccess)) {
-	    rv = sec_pkcs12_append_shrouded_key(bag, 
-	    				asafe->old_baggage.espvks[nEspvk]);
-	    nEspvk++;
-	}
-    }
-
-    return rv;
-}    
-
-/* decodes the authenticated safe item.  a return of NULL indicates
- * an error.  however, the error will have occured either in memory
- * allocation or in decoding the authenticated safe.
- *
- * if an old PFX item has been found, we want to convert the
- * old authenticated safe to the new one.
- */
-static SEC_PKCS12AuthenticatedSafe *
-sec_pkcs12_decode_authenticated_safe(SEC_PKCS12PFXItem *pfx) 
-{
-    SECItem *der_asafe = NULL;
-    SEC_PKCS12AuthenticatedSafe *asafe = NULL;
-    SECStatus rv;
-
-    if(pfx == NULL) {
-	return NULL;
-    }
-
-    der_asafe = SEC_PKCS7GetContent(&pfx->authSafe);
-    if(der_asafe == NULL) {
-	/* XXX set error ? */
-	goto loser;
-    }
-
-    asafe = sec_pkcs12_new_asafe(pfx->poolp);
-    if(asafe == NULL) {
-	goto loser;
-    }
-
-    if(pfx->old == PR_FALSE) {
-	rv = SEC_ASN1DecodeItem(pfx->poolp, asafe, 
-			 	SEC_PKCS12AuthenticatedSafeTemplate, 
-			 	der_asafe);
-	asafe->old = PR_FALSE;
-	asafe->swapUnicode = pfx->swapUnicode;
-    } else {
-	/* handle beta exported files */
-	rv = SEC_ASN1DecodeItem(pfx->poolp, asafe, 
-				SEC_PKCS12AuthenticatedSafeTemplate_OLD,
-				der_asafe);
-	asafe->safe = &(asafe->old_safe);
-	rv = sec_pkcs12_convert_old_auth_safe(asafe);
-	asafe->old = PR_TRUE;
-    }
-
-    if(rv != SECSuccess) {
-	goto loser;
-    }
-
-    asafe->poolp = pfx->poolp;
-    
-    return asafe;
-
-loser:
-    return NULL;
-}
-
-/* validates the safe within the authenticated safe item.  
- * in order to be valid:
- *  1.  the privacy salt must be present
- *  2.  the encryption algorithm must be supported (including
- *	export policy)
- * PR_FALSE indicates an error, PR_TRUE indicates a valid safe
- */
-static PRBool 
-sec_pkcs12_validate_encrypted_safe(SEC_PKCS12AuthenticatedSafe *asafe)
-{
-    PRBool valid = PR_FALSE;
-    SECAlgorithmID *algid;
-
-    if(asafe == NULL) {
-	return PR_FALSE;
-    }
-
-    /* if mode is password privacy, then privacySalt is assumed
-     * to be non-zero.
-     */
-    if(asafe->privacySalt.len != 0) {
-	valid = PR_TRUE;
-	asafe->privacySalt.len /= 8;
-    } else {
-	PORT_SetError(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE);
-	return PR_FALSE;
-    }
-
-    /* until spec changes, content will have between 2 and 8 bytes depending
-     * upon the algorithm used if certs are unencrypted...
-     * also want to support case where content is empty -- which we produce 
-     */ 
-    if(SEC_PKCS7IsContentEmpty(asafe->safe, 8) == PR_TRUE) {
-	asafe->emptySafe = PR_TRUE;
-	return PR_TRUE;
-    }
-
-    asafe->emptySafe = PR_FALSE;
-
-    /* make sure that a pbe algorithm is being used */
-    algid = SEC_PKCS7GetEncryptionAlgorithm(asafe->safe);
-    if(algid != NULL) {
-	if(SEC_PKCS5IsAlgorithmPBEAlg(algid)) {
-	    valid = SEC_PKCS12DecryptionAllowed(algid);
-
-	    if(valid == PR_FALSE) {
-		PORT_SetError(SEC_ERROR_BAD_EXPORT_ALGORITHM);
-	    }
-	} else {
-	    PORT_SetError(SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM);
-	    valid = PR_FALSE;
-	}
-    } else {
-	valid = PR_FALSE;
-	PORT_SetError(SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM);
-    }
-
-    return valid;
-}
-
-/* validates authenticates safe:
- *  1.  checks that the version is supported
- *  2.  checks that only password privacy mode is used (currently)
- *  3.  further, makes sure safe has appropriate policies per above function
- * PR_FALSE indicates failure.
- */
-static PRBool 
-sec_pkcs12_validate_auth_safe(SEC_PKCS12AuthenticatedSafe *asafe)
-{
-    PRBool valid = PR_TRUE;
-    SECOidTag safe_type;
-    int version;
-
-    if(asafe == NULL) {
-	return PR_FALSE;
-    }
-
-    /* check version, since it is default it may not be present.
-     * therefore, assume ok
-     */
-    if((asafe->version.len > 0) && (asafe->old == PR_FALSE)) {
-	version = DER_GetInteger(&asafe->version);
-	if(version > SEC_PKCS12_PFX_VERSION) {
-	    PORT_SetError(SEC_ERROR_PKCS12_UNSUPPORTED_VERSION);
-	    return PR_FALSE;
-	}
-    }
-
-    /* validate password mode is being used */
-    safe_type = SEC_PKCS7ContentType(asafe->safe);
-    switch(safe_type)
-    {
-	case SEC_OID_PKCS7_ENCRYPTED_DATA:
-	    valid = sec_pkcs12_validate_encrypted_safe(asafe);
-	    break;
-	case SEC_OID_PKCS7_ENVELOPED_DATA:
-	default:
-	    PORT_SetError(SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE);
-	    valid = PR_FALSE;
-	    break;
-    }
-
-    return valid;
-}
-
-/* retrieves the authenticated safe item from the PFX item
- *  before returning the authenticated safe, the validity of the
- *  authenticated safe is checked and if valid, returned.
- * a return of NULL indicates that an error occured.
- */
-static SEC_PKCS12AuthenticatedSafe *
-sec_pkcs12_get_auth_safe(SEC_PKCS12PFXItem *pfx)
-{
-    SEC_PKCS12AuthenticatedSafe *asafe;
-    PRBool valid_safe;
-
-    if(pfx == NULL) {
-	return NULL;
-    }
-
-    asafe = sec_pkcs12_decode_authenticated_safe(pfx);
-    if(asafe == NULL) {
-	return NULL;
-    }
-
-    valid_safe = sec_pkcs12_validate_auth_safe(asafe);
-    if(valid_safe != PR_TRUE) {
-	asafe = NULL;
-    } else if(asafe) {
-	asafe->baggage.poolp = asafe->poolp;
-    }
-
-    return asafe;
-}
-
-/* decrypts the authenticated safe.
- * a return of anything but SECSuccess indicates an error.  the
- * password is not known to be valid until the call to the 
- * function sec_pkcs12_get_safe_contents.  If decoding the safe
- * fails, it is assumed the password was incorrect and the error
- * is set then.  any failure here is assumed to be due to 
- * internal problems in SEC_PKCS7DecryptContents or below.
- */
-static SECStatus
-sec_pkcs12_decrypt_auth_safe(SEC_PKCS12AuthenticatedSafe *asafe, 
-			     SECItem *pwitem,
-			     void *wincx)
-{
-    SECStatus rv = SECFailure;
-    SECItem *vpwd = NULL;
-
-    if((asafe == NULL) || (pwitem == NULL)) {
-	return SECFailure;
-    }
-
-    if(asafe->old == PR_FALSE) {
-	vpwd = sec_pkcs12_create_virtual_password(pwitem, &asafe->privacySalt,
-						 asafe->swapUnicode);
-	if(vpwd == NULL) {
-	    return SECFailure;
-	}
-    }
-
-    rv = SEC_PKCS7DecryptContents(asafe->poolp, asafe->safe, 
-    				  (asafe->old ? pwitem : vpwd), wincx);
-
-    if(asafe->old == PR_FALSE) {
-	SECITEM_ZfreeItem(vpwd, PR_TRUE);
-    }
-
-    return rv;
-}
-
-/* extract the safe from the authenticated safe.
- *  if we are unable to decode the safe, then it is likely that the 
- *  safe has not been decrypted or the password used to decrypt
- *  the safe was invalid.  we assume that the password was invalid and
- *  set an error accordingly.
- * a return of NULL indicates that an error occurred.
- */
-static SEC_PKCS12SafeContents *
-sec_pkcs12_get_safe_contents(SEC_PKCS12AuthenticatedSafe *asafe)
-{
-    SECItem *src = NULL;
-    SEC_PKCS12SafeContents *safe = NULL;
-    SECStatus rv = SECFailure;
-
-    if(asafe == NULL) {
-	return NULL;
-    }
-
-    safe = (SEC_PKCS12SafeContents *)PORT_ArenaZAlloc(asafe->poolp, 
-	    					sizeof(SEC_PKCS12SafeContents));
-    if(safe == NULL) {
-	return NULL;
-    }
-    safe->poolp = asafe->poolp;
-    safe->old = asafe->old;
-    safe->swapUnicode = asafe->swapUnicode;
-
-    src = SEC_PKCS7GetContent(asafe->safe);
-    if(src != NULL) {
-	const SEC_ASN1Template *theTemplate;
-	if(asafe->old != PR_TRUE) {
-	    theTemplate = SEC_PKCS12SafeContentsTemplate;
-	} else {
-	    theTemplate = SEC_PKCS12SafeContentsTemplate_OLD;
-	}
-
-	rv = SEC_ASN1DecodeItem(asafe->poolp, safe, theTemplate, src);
-
-	/* if we could not decode the item, password was probably invalid */
-	if(rv != SECSuccess) {
-	    safe = NULL;
-	    PORT_SetError(SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT);
-	}
-    } else {
-	PORT_SetError(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE);
-	rv = SECFailure;
-    }
-
-    return safe;
-}
-
-/* import PFX item 
- * der_pfx is the der encoded pfx structure
- * pbef and pbearg are the integrity/encryption password call back
- * ncCall is the nickname collision calllback
- * slot is the destination token
- * wincx window handler
- *
- * on error, error code set and SECFailure returned 
- */
-SECStatus
-SEC_PKCS12PutPFX(SECItem *der_pfx, SECItem *pwitem,
-		 SEC_PKCS12NicknameCollisionCallback ncCall,
-		 PK11SlotInfo *slot,
-		 void *wincx)
-{
-    SEC_PKCS12PFXItem *pfx;
-    SEC_PKCS12AuthenticatedSafe *asafe;
-    SEC_PKCS12SafeContents *safe_contents = NULL;
-    SECStatus rv;
-
-    if(!der_pfx || !pwitem || !slot) {
-	return SECFailure;
-    }
-
-    /* decode and validate each section */
-    rv = SECFailure;
-
-    pfx = sec_pkcs12_get_pfx(der_pfx, pwitem);
-    if(pfx != NULL) {
-	asafe = sec_pkcs12_get_auth_safe(pfx);
-	if(asafe != NULL) {
-
-	    /* decrypt safe -- only if not empty */
-	    if(asafe->emptySafe != PR_TRUE) {
-		rv = sec_pkcs12_decrypt_auth_safe(asafe, pwitem, wincx);
-		if(rv == SECSuccess) {
-		    safe_contents = sec_pkcs12_get_safe_contents(asafe);
-		    if(safe_contents == NULL) {
-			rv = SECFailure;
-		    }
-		}
-	    } else {
-		safe_contents = sec_pkcs12_create_safe_contents(asafe->poolp);
-		safe_contents->swapUnicode = pfx->swapUnicode;
-		if(safe_contents == NULL) {
-		    rv = SECFailure;
-		} else {
-		    rv = SECSuccess;
-		}
-	    }
-
-	    /* get safe contents and begin import */
-	    if(rv == SECSuccess) {
-		SEC_PKCS12DecoderContext *p12dcx;
-
-		p12dcx = sec_PKCS12ConvertOldSafeToNew(pfx->poolp, slot,
-					pfx->swapUnicode,
-					pwitem, wincx, safe_contents,
-					&asafe->baggage);
-		if(!p12dcx) {
-		    rv = SECFailure;
-		    goto loser;
-		}
-
-		if(SEC_PKCS12DecoderValidateBags(p12dcx, ncCall) 
-				!= SECSuccess) {
-		    rv = SECFailure;
-		    goto loser;
-		}
-
-		rv = SEC_PKCS12DecoderImportBags(p12dcx);
-	    }
-
-	}
-    }
-
-loser:
-
-    if(pfx) {
-	SEC_PKCS12DestroyPFX(pfx);
-    }
-
-    return rv;
-}
-
-PRBool 
-SEC_PKCS12ValidData(char *buf, int bufLen, long int totalLength)
-{
-    int lengthLength;
-
-    PRBool valid = PR_FALSE;
-
-    if(buf == NULL) {
-	return PR_FALSE;
-    }
-
-    /* check for constructed sequence identifier tag */
-    if(*buf == (SEC_ASN1_CONSTRUCTED | SEC_ASN1_SEQUENCE)) {
-	totalLength--;   /* header byte taken care of */
-	buf++;
-
-	lengthLength = (long int)SEC_ASN1LengthLength(totalLength - 1);
-	if(totalLength > 0x7f) {
-	    lengthLength--;
-	    *buf &= 0x7f;  /* remove bit 8 indicator */
-	    if((*buf - (char)lengthLength) == 0) {
-		valid = PR_TRUE;
-	    }
-	} else {
-	    lengthLength--;
-	    if((*buf - (char)lengthLength) == 0) {
-		valid = PR_TRUE;
-	    }
-	}
-    }
-
-    return valid;
-}
diff --git a/security/nss/lib/pkcs12/p12e.c b/security/nss/lib/pkcs12/p12e.c
deleted file mode 100644
index f0fbbcb2e..000000000
--- a/security/nss/lib/pkcs12/p12e.c
+++ /dev/null
@@ -1,2368 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "nssrenam.h"
-#include "p12t.h"
-#include "p12.h"
-#include "plarena.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "seccomon.h"
-#include "secport.h"
-#include "cert.h"
-#include "secpkcs7.h"
-#include "secasn1.h"
-#include "secerr.h"
-#include "pk11func.h"
-#include "p12plcy.h"
-#include "p12local.h"
-#include "prcpucfg.h"
-
-/*
-** This PKCS12 file encoder uses numerous nested ASN.1 and PKCS7 encoder
-** contexts.  It can be difficult to keep straight.  Here's a picture:
-**
-**  "outer"  ASN.1 encoder.  The output goes to the library caller's CB.
-**  "middle" PKCS7 encoder.  Feeds    the "outer" ASN.1 encoder.
-**  "middle" ASN1  encoder.  Encodes  the encrypted aSafes. 
-**                           Feeds    the "middle" P7 encoder above.
-**  "inner"  PKCS7 encoder.  Encrypts the "authenticated Safes" (aSafes)
-**                           Feeds    the "middle" ASN.1 encoder above.
-**  "inner"  ASN.1 encoder.  Encodes  the unencrypted aSafes.  
-**                           Feeds    the "inner" P7 enocder above.
-**
-** Buffering has been added at each point where the output of an ASN.1
-** encoder feeds the input of a PKCS7 encoder.
-*/
-
-/*********************************
- * Output buffer object, used to buffer output from ASN.1 encoder
- * before passing data on down to the next PKCS7 encoder.
- *********************************/
-
-#define PK12_OUTPUT_BUFFER_SIZE  8192
-
-struct sec_pkcs12OutputBufferStr {
-    SEC_PKCS7EncoderContext * p7eCx;
-    PK11Context             * hmacCx;
-    unsigned int              numBytes;
-    unsigned int              bufBytes;
-             char             buf[PK12_OUTPUT_BUFFER_SIZE];
-};
-typedef struct sec_pkcs12OutputBufferStr sec_pkcs12OutputBuffer;
-
-/*********************************
- * Structures used in exporting the PKCS 12 blob
- *********************************/
-
-/* A SafeInfo is used for each ContentInfo which makes up the
- * sequence of safes in the AuthenticatedSafe portion of the
- * PFX structure.
- */
-struct SEC_PKCS12SafeInfoStr {
-    PRArenaPool *arena;
-
-    /* information for setting up password encryption */
-    SECItem pwitem;
-    SECOidTag algorithm;
-    PK11SymKey *encryptionKey;
-
-    /* how many items have been stored in this safe,
-     * we will skip any safe which does not contain any
-     * items
-      */
-    unsigned int itemCount;
-
-    /* the content info for the safe */
-    SEC_PKCS7ContentInfo *cinfo;
-
-    sec_PKCS12SafeContents *safe;
-};
-
-/* An opaque structure which contains information needed for exporting
- * certificates and keys through PKCS 12.
- */
-struct SEC_PKCS12ExportContextStr {
-    PRArenaPool *arena;
-    PK11SlotInfo *slot;
-    void *wincx;
-
-    /* integrity information */
-    PRBool integrityEnabled;
-    PRBool	pwdIntegrity;
-    union {
-	struct sec_PKCS12PasswordModeInfo pwdInfo;
-	struct sec_PKCS12PublicKeyModeInfo pubkeyInfo;
-    } integrityInfo; 
-
-    /* helper functions */
-    /* retrieve the password call back */
-    SECKEYGetPasswordKey pwfn;
-    void *pwfnarg;
-
-    /* safe contents bags */
-    SEC_PKCS12SafeInfo **safeInfos;
-    unsigned int safeInfoCount;
-
-    /* the sequence of safes */
-    sec_PKCS12AuthenticatedSafe authSafe;
-
-    /* information needing deletion */
-    CERTCertificate **certList;
-};
-
-/* structures for passing information to encoder callbacks when processing
- * data through the ASN1 engine.
- */
-struct sec_pkcs12_encoder_output {
-    SEC_PKCS12EncoderOutputCallback outputfn;
-    void *outputarg;
-};
-
-struct sec_pkcs12_hmac_and_output_info {
-    void *arg;
-    struct sec_pkcs12_encoder_output output;
-};
-
-/* An encoder context which is used for the actual encoding
- * portion of PKCS 12. 
- */
-typedef struct sec_PKCS12EncoderContextStr {
-    PRArenaPool *arena;
-    SEC_PKCS12ExportContext *p12exp;
-    PK11SymKey *encryptionKey;
-
-    /* encoder information - this is set up based on whether 
-     * password based or public key pased privacy is being used
-     */
-    SEC_ASN1EncoderContext *outerA1ecx;
-    union {
-	struct sec_pkcs12_hmac_and_output_info hmacAndOutputInfo;
-	struct sec_pkcs12_encoder_output       encOutput;
-    } output;
-
-    /* structures for encoding of PFX and MAC */
-    sec_PKCS12PFXItem        pfx;
-    sec_PKCS12MacData        mac;
-
-    /* authenticated safe encoding tracking information */
-    SEC_PKCS7ContentInfo    *aSafeCinfo;
-    SEC_PKCS7EncoderContext *middleP7ecx;
-    SEC_ASN1EncoderContext  *middleA1ecx;
-    unsigned int             currentSafe;
-
-    /* hmac context */
-    PK11Context             *hmacCx;
-
-    /* output buffers */
-    sec_pkcs12OutputBuffer  middleBuf;
-    sec_pkcs12OutputBuffer  innerBuf;
-
-} sec_PKCS12EncoderContext;
-
-
-/*********************************
- * Export setup routines
- *********************************/
-
-/* SEC_PKCS12CreateExportContext 
- *   Creates an export context and sets the unicode and password retrieval
- *   callbacks.  This is the first call which must be made when exporting
- *   a PKCS 12 blob.
- *
- * pwfn, pwfnarg - password retrieval callback and argument.  these are
- * 		   required for password-authentication mode.
- */
-SEC_PKCS12ExportContext *
-SEC_PKCS12CreateExportContext(SECKEYGetPasswordKey pwfn, void *pwfnarg,  
-			      PK11SlotInfo *slot, void *wincx)
-{
-    PRArenaPool *arena = NULL;
-    SEC_PKCS12ExportContext *p12ctxt = NULL;
-
-    /* allocate the arena and create the context */
-    arena = PORT_NewArena(4096);
-    if(!arena) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    p12ctxt = (SEC_PKCS12ExportContext *)PORT_ArenaZAlloc(arena, 
-					sizeof(SEC_PKCS12ExportContext));
-    if(!p12ctxt) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    /* password callback for key retrieval */
-    p12ctxt->pwfn = pwfn;
-    p12ctxt->pwfnarg = pwfnarg;
-
-    p12ctxt->integrityEnabled = PR_FALSE;
-    p12ctxt->arena = arena;
-    p12ctxt->wincx = wincx;
-    p12ctxt->slot = (slot) ? PK11_ReferenceSlot(slot) : PK11_GetInternalSlot();
-
-    return p12ctxt;
-
-loser:
-    if(arena) {
-	PORT_FreeArena(arena, PR_TRUE);
-    }
-
-    return NULL;
-}
-
-/* 
- * Adding integrity mode
- */
-
-/* SEC_PKCS12AddPasswordIntegrity 
- *	Add password integrity to the exported data.  If an integrity method
- *	has already been set, then return an error.
- *	
- *	p12ctxt - the export context
- * 	pwitem - the password for integrity mode
- *	integAlg - the integrity algorithm to use for authentication.
- */
-SECStatus
-SEC_PKCS12AddPasswordIntegrity(SEC_PKCS12ExportContext *p12ctxt,
-			       SECItem *pwitem, SECOidTag integAlg) 
-{			       
-    if(!p12ctxt || p12ctxt->integrityEnabled) {
-	return SECFailure;
-    }
-   
-    /* set up integrity information */
-    p12ctxt->pwdIntegrity = PR_TRUE;
-    p12ctxt->integrityInfo.pwdInfo.password = 
-        (SECItem*)PORT_ArenaZAlloc(p12ctxt->arena, sizeof(SECItem));
-    if(!p12ctxt->integrityInfo.pwdInfo.password) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return SECFailure;
-    }
-    if(SECITEM_CopyItem(p12ctxt->arena, 
-			p12ctxt->integrityInfo.pwdInfo.password, pwitem)
-		!= SECSuccess) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return SECFailure;
-    }
-    p12ctxt->integrityInfo.pwdInfo.algorithm = integAlg;
-    p12ctxt->integrityEnabled = PR_TRUE;
-
-    return SECSuccess;
-}
-
-/* SEC_PKCS12AddPublicKeyIntegrity
- *	Add public key integrity to the exported data.  If an integrity method
- *	has already been set, then return an error.  The certificate must be
- *	allowed to be used as a signing cert.
- *	
- *	p12ctxt - the export context
- *	cert - signer certificate
- *	certDb - the certificate database
- *	algorithm - signing algorithm
- *	keySize - size of the signing key (?)
- */
-SECStatus
-SEC_PKCS12AddPublicKeyIntegrity(SEC_PKCS12ExportContext *p12ctxt,
-				CERTCertificate *cert, CERTCertDBHandle *certDb,
-				SECOidTag algorithm, int keySize)
-{
-    if(!p12ctxt) {
-	return SECFailure;
-    }
-    
-    p12ctxt->integrityInfo.pubkeyInfo.cert = cert;
-    p12ctxt->integrityInfo.pubkeyInfo.certDb = certDb;
-    p12ctxt->integrityInfo.pubkeyInfo.algorithm = algorithm;
-    p12ctxt->integrityInfo.pubkeyInfo.keySize = keySize;
-    p12ctxt->integrityEnabled = PR_TRUE;
-
-    return SECSuccess;
-}
-
-
-/*
- * Adding safes - encrypted (password/public key) or unencrypted
- *	Each of the safe creation routines return an opaque pointer which
- *	are later passed into the routines for exporting certificates and
- *	keys.
- */
-
-/* append the newly created safeInfo to list of safeInfos in the export
- * context.  
- */
-static SECStatus
-sec_pkcs12_append_safe_info(SEC_PKCS12ExportContext *p12ctxt, SEC_PKCS12SafeInfo *info)
-{
-    void *mark = NULL, *dummy1 = NULL, *dummy2 = NULL;
-
-    if(!p12ctxt || !info) {
-	return SECFailure;
-    }
-
-    mark = PORT_ArenaMark(p12ctxt->arena);
-
-    /* if no safeInfos have been set, create the list, otherwise expand it. */
-    if(!p12ctxt->safeInfoCount) {
-	p12ctxt->safeInfos = (SEC_PKCS12SafeInfo **)PORT_ArenaZAlloc(p12ctxt->arena, 
-					      2 * sizeof(SEC_PKCS12SafeInfo *));
-	dummy1 = p12ctxt->safeInfos;
-	p12ctxt->authSafe.encodedSafes = (SECItem **)PORT_ArenaZAlloc(p12ctxt->arena, 
-					2 * sizeof(SECItem *));
-	dummy2 = p12ctxt->authSafe.encodedSafes;
-    } else {
-	dummy1 = PORT_ArenaGrow(p12ctxt->arena, p12ctxt->safeInfos, 
-			       (p12ctxt->safeInfoCount + 1) * sizeof(SEC_PKCS12SafeInfo *),
-			       (p12ctxt->safeInfoCount + 2) * sizeof(SEC_PKCS12SafeInfo *));
-	p12ctxt->safeInfos = (SEC_PKCS12SafeInfo **)dummy1;
-	dummy2 = PORT_ArenaGrow(p12ctxt->arena, p12ctxt->authSafe.encodedSafes, 
-			       (p12ctxt->authSafe.safeCount + 1) * sizeof(SECItem *),
-			       (p12ctxt->authSafe.safeCount + 2) * sizeof(SECItem *));
-	p12ctxt->authSafe.encodedSafes = (SECItem**)dummy2;
-    }
-    if(!dummy1 || !dummy2) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    /* append the new safeInfo and null terminate the list */
-    p12ctxt->safeInfos[p12ctxt->safeInfoCount] = info;
-    p12ctxt->safeInfos[++p12ctxt->safeInfoCount] = NULL;
-    p12ctxt->authSafe.encodedSafes[p12ctxt->authSafe.safeCount] = 
-        (SECItem*)PORT_ArenaZAlloc(p12ctxt->arena, sizeof(SECItem));
-    if(!p12ctxt->authSafe.encodedSafes[p12ctxt->authSafe.safeCount]) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-    p12ctxt->authSafe.encodedSafes[++p12ctxt->authSafe.safeCount] = NULL;
-
-    PORT_ArenaUnmark(p12ctxt->arena, mark);
-    return SECSuccess;
-
-loser:
-    PORT_ArenaRelease(p12ctxt->arena, mark);
-    return SECFailure;
-}
-
-/* SEC_PKCS12CreatePasswordPrivSafe
- *	Create a password privacy safe to store exported information in.
- *
- * 	p12ctxt - export context
- *	pwitem - password for encryption
- *	privAlg - pbe algorithm through which encryption is done.
- */
-SEC_PKCS12SafeInfo *
-SEC_PKCS12CreatePasswordPrivSafe(SEC_PKCS12ExportContext *p12ctxt, 
-				 SECItem *pwitem, SECOidTag privAlg)
-{
-    SEC_PKCS12SafeInfo *safeInfo = NULL;
-    void *mark = NULL;
-    PK11SlotInfo *slot = NULL;
-    SECAlgorithmID *algId;
-    SECItem uniPwitem = {siBuffer, NULL, 0};
-
-    if(!p12ctxt) {
-	return NULL;
-    }
-
-    /* allocate the safe info */
-    mark = PORT_ArenaMark(p12ctxt->arena);
-    safeInfo = (SEC_PKCS12SafeInfo *)PORT_ArenaZAlloc(p12ctxt->arena, 
-    						sizeof(SEC_PKCS12SafeInfo));
-    if(!safeInfo) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	PORT_ArenaRelease(p12ctxt->arena, mark);
-	return NULL;
-    }
-
-    safeInfo->itemCount = 0;
-
-    /* create the encrypted safe */
-    safeInfo->cinfo = SEC_PKCS7CreateEncryptedData(privAlg, 0, p12ctxt->pwfn, 
-    						   p12ctxt->pwfnarg);
-    if(!safeInfo->cinfo) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-    safeInfo->arena = p12ctxt->arena;
-
-    /* convert the password to unicode */ 
-    if(!sec_pkcs12_convert_item_to_unicode(NULL, &uniPwitem, pwitem,
-					       PR_TRUE, PR_TRUE, PR_TRUE)) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-    if(SECITEM_CopyItem(p12ctxt->arena, &safeInfo->pwitem, &uniPwitem) != SECSuccess) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    /* generate the encryption key */
-    slot = PK11_ReferenceSlot(p12ctxt->slot);
-    if(!slot) {
-	slot = PK11_GetInternalKeySlot();
-	if(!slot) {
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    goto loser;
-	}
-    }
-
-    algId = SEC_PKCS7GetEncryptionAlgorithm(safeInfo->cinfo);
-    safeInfo->encryptionKey = PK11_PBEKeyGen(slot, algId, &uniPwitem, 
-					     PR_FALSE, p12ctxt->wincx);
-    if(!safeInfo->encryptionKey) {
-	goto loser;
-    }
-
-    safeInfo->arena = p12ctxt->arena;
-    safeInfo->safe = NULL;
-    if(sec_pkcs12_append_safe_info(p12ctxt, safeInfo) != SECSuccess) {
-	goto loser;
-    }
-
-    if(uniPwitem.data) {
-	SECITEM_ZfreeItem(&uniPwitem, PR_FALSE);
-    }
-    PORT_ArenaUnmark(p12ctxt->arena, mark);
-
-    if (slot) {
-	PK11_FreeSlot(slot);
-    }
-    return safeInfo;
-
-loser:
-    if (slot) {
-	PK11_FreeSlot(slot);
-    }
-    if(safeInfo->cinfo) {
-	SEC_PKCS7DestroyContentInfo(safeInfo->cinfo);
-    }
-
-    if(uniPwitem.data) {
-	SECITEM_ZfreeItem(&uniPwitem, PR_FALSE);
-    }
-
-    PORT_ArenaRelease(p12ctxt->arena, mark);
-    return NULL;
-}
-
-/* SEC_PKCS12CreateUnencryptedSafe 
- *	Creates an unencrypted safe within the export context.
- *
- *	p12ctxt - the export context 
- */
-SEC_PKCS12SafeInfo *
-SEC_PKCS12CreateUnencryptedSafe(SEC_PKCS12ExportContext *p12ctxt)
-{
-    SEC_PKCS12SafeInfo *safeInfo = NULL;
-    void *mark = NULL;
-
-    if(!p12ctxt) {
-	return NULL;
-    }
-
-    /* create the safe info */
-    mark = PORT_ArenaMark(p12ctxt->arena);
-    safeInfo = (SEC_PKCS12SafeInfo *)PORT_ArenaZAlloc(p12ctxt->arena, 
-    					      sizeof(SEC_PKCS12SafeInfo));
-    if(!safeInfo) {
-	PORT_ArenaRelease(p12ctxt->arena, mark);
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    safeInfo->itemCount = 0;
-
-    /* create the safe content */
-    safeInfo->cinfo = SEC_PKCS7CreateData();
-    if(!safeInfo->cinfo) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    if(sec_pkcs12_append_safe_info(p12ctxt, safeInfo) != SECSuccess) {
-	goto loser;
-    }
-
-    PORT_ArenaUnmark(p12ctxt->arena, mark);
-    return safeInfo;
-
-loser:
-    if(safeInfo->cinfo) {
-	SEC_PKCS7DestroyContentInfo(safeInfo->cinfo);
-    }
-
-    PORT_ArenaRelease(p12ctxt->arena, mark);
-    return NULL;
-}
-
-/* SEC_PKCS12CreatePubKeyEncryptedSafe
- *	Creates a safe which is protected by public key encryption.  
- *
- *	p12ctxt - the export context
- *	certDb - the certificate database
- *	signer - the signer's certificate
- *	recipients - the list of recipient certificates.
- *	algorithm - the encryption algorithm to use
- *	keysize - the algorithms key size (?)
- */
-SEC_PKCS12SafeInfo *
-SEC_PKCS12CreatePubKeyEncryptedSafe(SEC_PKCS12ExportContext *p12ctxt,
-				    CERTCertDBHandle *certDb,
-				    CERTCertificate *signer,
-				    CERTCertificate **recipients,
-				    SECOidTag algorithm, int keysize) 
-{
-    SEC_PKCS12SafeInfo *safeInfo = NULL;
-    void *mark = NULL;
-
-    if(!p12ctxt || !signer || !recipients || !(*recipients)) {
-	return NULL;
-    }
-
-    /* allocate the safeInfo */
-    mark = PORT_ArenaMark(p12ctxt->arena);
-    safeInfo = (SEC_PKCS12SafeInfo *)PORT_ArenaZAlloc(p12ctxt->arena, 
-    						      sizeof(SEC_PKCS12SafeInfo));
-    if(!safeInfo) {
-	PORT_ArenaRelease(p12ctxt->arena, mark);
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    safeInfo->itemCount = 0;
-    safeInfo->arena = p12ctxt->arena;
-
-    /* create the enveloped content info using certUsageEmailSigner currently.
-     * XXX We need to eventually use something other than certUsageEmailSigner
-     */
-    safeInfo->cinfo = SEC_PKCS7CreateEnvelopedData(signer, certUsageEmailSigner,
-					certDb, algorithm, keysize, 
-					p12ctxt->pwfn, p12ctxt->pwfnarg);
-    if(!safeInfo->cinfo) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    /* add recipients */
-    if(recipients) {
-	unsigned int i = 0;
-	while(recipients[i] != NULL) {
-	    SECStatus rv = SEC_PKCS7AddRecipient(safeInfo->cinfo, recipients[i],
-					       certUsageEmailRecipient, certDb);
-	    if(rv != SECSuccess) {
-		goto loser;
-	    }
-	    i++;
-	}
-    }
-
-    if(sec_pkcs12_append_safe_info(p12ctxt, safeInfo) != SECSuccess) {
-	goto loser;
-    }
-
-    PORT_ArenaUnmark(p12ctxt->arena, mark);
-    return safeInfo;
-
-loser:
-    if(safeInfo->cinfo) {
-	SEC_PKCS7DestroyContentInfo(safeInfo->cinfo);
-	safeInfo->cinfo = NULL;
-    }
-
-    PORT_ArenaRelease(p12ctxt->arena, mark);
-    return NULL;
-} 
-
-/*********************************
- * Routines to handle the exporting of the keys and certificates
- *********************************/
-
-/* creates a safe contents which safeBags will be appended to */
-sec_PKCS12SafeContents *
-sec_PKCS12CreateSafeContents(PRArenaPool *arena)
-{
-    sec_PKCS12SafeContents *safeContents;
-
-    if(arena == NULL) {
-	return NULL; 
-    }
-
-    /* create the safe contents */
-    safeContents = (sec_PKCS12SafeContents *)PORT_ArenaZAlloc(arena,
-					    sizeof(sec_PKCS12SafeContents));
-    if(!safeContents) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    /* set up the internal contents info */
-    safeContents->safeBags = NULL;
-    safeContents->arena = arena;
-    safeContents->bagCount = 0;
-
-    return safeContents;
-
-loser:
-    return NULL;
-}   
-
-/* appends a safe bag to a safeContents using the specified arena. 
- */
-SECStatus
-sec_pkcs12_append_bag_to_safe_contents(PRArenaPool *arena, 
-				       sec_PKCS12SafeContents *safeContents,
-				       sec_PKCS12SafeBag *safeBag)
-{
-    void *mark = NULL, *dummy = NULL;
-
-    if(!arena || !safeBag || !safeContents) {
-	return SECFailure;
-    }
-
-    mark = PORT_ArenaMark(arena);
-    if(!mark) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return SECFailure;
-    }
-
-    /* allocate space for the list, or reallocate to increase space */
-    if(!safeContents->safeBags) {
-	safeContents->safeBags = (sec_PKCS12SafeBag **)PORT_ArenaZAlloc(arena, 
-						(2 * sizeof(sec_PKCS12SafeBag *)));
-	dummy = safeContents->safeBags;
-	safeContents->bagCount = 0;
-    } else {
-	dummy = PORT_ArenaGrow(arena, safeContents->safeBags, 
-			(safeContents->bagCount + 1) * sizeof(sec_PKCS12SafeBag *),
-			(safeContents->bagCount + 2) * sizeof(sec_PKCS12SafeBag *));
-	safeContents->safeBags = (sec_PKCS12SafeBag **)dummy;
-    }
-
-    if(!dummy) {
-	PORT_ArenaRelease(arena, mark);
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return SECFailure;
-    }
-
-    /* append the bag at the end and null terminate the list */
-    safeContents->safeBags[safeContents->bagCount++] = safeBag;
-    safeContents->safeBags[safeContents->bagCount] = NULL;
-
-    PORT_ArenaUnmark(arena, mark);
-
-    return SECSuccess;
-}
-
-/* appends a safeBag to a specific safeInfo.
- */
-SECStatus
-sec_pkcs12_append_bag(SEC_PKCS12ExportContext *p12ctxt, 
-		      SEC_PKCS12SafeInfo *safeInfo, sec_PKCS12SafeBag *safeBag)
-{
-    sec_PKCS12SafeContents *dest;
-    SECStatus rv = SECFailure;
-
-    if(!p12ctxt || !safeBag || !safeInfo) {
-	return SECFailure;
-    }
-
-    if(!safeInfo->safe) {
-	safeInfo->safe = sec_PKCS12CreateSafeContents(p12ctxt->arena);
-	if(!safeInfo->safe) {
-	    return SECFailure;
-	}
-    }
-
-    dest = safeInfo->safe;
-    rv = sec_pkcs12_append_bag_to_safe_contents(p12ctxt->arena, dest, safeBag);
-    if(rv == SECSuccess) {
-	safeInfo->itemCount++;
-    }
-    
-    return rv;
-} 
-
-/* Creates a safeBag of the specified type, and if bagData is specified,
- * the contents are set.  The contents could be set later by the calling
- * routine.
- */
-sec_PKCS12SafeBag *
-sec_PKCS12CreateSafeBag(SEC_PKCS12ExportContext *p12ctxt, SECOidTag bagType, 
-			void *bagData)
-{
-    sec_PKCS12SafeBag *safeBag;
-    PRBool setName = PR_TRUE;
-    void *mark = NULL;
-    SECStatus rv = SECSuccess;
-    SECOidData *oidData = NULL;
-
-    if(!p12ctxt) {
-	return NULL;
-    }
-
-    mark = PORT_ArenaMark(p12ctxt->arena);
-    if(!mark) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    safeBag = (sec_PKCS12SafeBag *)PORT_ArenaZAlloc(p12ctxt->arena, 
-    						    sizeof(sec_PKCS12SafeBag));
-    if(!safeBag) {
-	PORT_ArenaRelease(p12ctxt->arena, mark);
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    /* set the bags content based upon bag type */
-    switch(bagType) {
-	case SEC_OID_PKCS12_V1_KEY_BAG_ID:
-	    safeBag->safeBagContent.pkcs8KeyBag =
-	        (SECKEYPrivateKeyInfo *)bagData;
-	    break;
-	case SEC_OID_PKCS12_V1_CERT_BAG_ID:
-	    safeBag->safeBagContent.certBag = (sec_PKCS12CertBag *)bagData;
-	    break;
-	case SEC_OID_PKCS12_V1_CRL_BAG_ID:
-	    safeBag->safeBagContent.crlBag = (sec_PKCS12CRLBag *)bagData;
-	    break;
-	case SEC_OID_PKCS12_V1_SECRET_BAG_ID:
-	    safeBag->safeBagContent.secretBag = (sec_PKCS12SecretBag *)bagData;
-	    break;
-	case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
-	    safeBag->safeBagContent.pkcs8ShroudedKeyBag = 
-	        (SECKEYEncryptedPrivateKeyInfo *)bagData;
-	    break;
-	case SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID:
-	    safeBag->safeBagContent.safeContents = 
-	        (sec_PKCS12SafeContents *)bagData;
-	    setName = PR_FALSE;
-	    break;
-	default:
-	    goto loser;
-    }
-
-    oidData = SECOID_FindOIDByTag(bagType);
-    if(oidData) {
-	rv = SECITEM_CopyItem(p12ctxt->arena, &safeBag->safeBagType, &oidData->oid);
-	if(rv != SECSuccess) {
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    goto loser;
-	}
-    } else {
-	goto loser;
-    }
-    
-    safeBag->arena = p12ctxt->arena;
-    PORT_ArenaUnmark(p12ctxt->arena, mark);
-
-    return safeBag;
-
-loser:
-    if(mark) {
-	PORT_ArenaRelease(p12ctxt->arena, mark);
-    }
-
-    return NULL;
-}
-
-/* Creates a new certificate bag and returns a pointer to it.  If an error
- * occurs NULL is returned.
- */
-sec_PKCS12CertBag *
-sec_PKCS12NewCertBag(PRArenaPool *arena, SECOidTag certType)
-{
-    sec_PKCS12CertBag *certBag = NULL;
-    SECOidData *bagType = NULL;
-    SECStatus rv;
-    void *mark = NULL;
-
-    if(!arena) {
-	return NULL;
-    }
-
-    mark = PORT_ArenaMark(arena);
-    certBag = (sec_PKCS12CertBag *)PORT_ArenaZAlloc(arena, 
-    						    sizeof(sec_PKCS12CertBag));
-    if(!certBag) {
-	PORT_ArenaRelease(arena, mark);
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    bagType = SECOID_FindOIDByTag(certType);
-    if(!bagType) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    rv = SECITEM_CopyItem(arena, &certBag->bagID, &bagType->oid);
-    if(rv != SECSuccess) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-	
-    PORT_ArenaUnmark(arena, mark);
-    return certBag;
-
-loser:
-    PORT_ArenaRelease(arena, mark);
-    return NULL;
-}
-
-/* Creates a new CRL bag and returns a pointer to it.  If an error
- * occurs NULL is returned.
- */
-sec_PKCS12CRLBag *
-sec_PKCS12NewCRLBag(PRArenaPool *arena, SECOidTag crlType)
-{
-    sec_PKCS12CRLBag *crlBag = NULL;
-    SECOidData *bagType = NULL;
-    SECStatus rv;
-    void *mark = NULL;
-
-    if(!arena) {
-	return NULL;
-    }
-
-    mark = PORT_ArenaMark(arena);
-    crlBag = (sec_PKCS12CRLBag *)PORT_ArenaZAlloc(arena, 
-    						  sizeof(sec_PKCS12CRLBag));
-    if(!crlBag) {
-	PORT_ArenaRelease(arena, mark);
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    bagType = SECOID_FindOIDByTag(crlType);
-    if(!bagType) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    rv = SECITEM_CopyItem(arena, &crlBag->bagID, &bagType->oid);
-    if(rv != SECSuccess) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-	
-    PORT_ArenaUnmark(arena, mark);
-    return crlBag;
-
-loser:
-    PORT_ArenaRelease(arena, mark);
-    return NULL;
-}
-
-/* sec_PKCS12AddAttributeToBag
- * adds an attribute to a safeBag.  currently, the only attributes supported
- * are those which are specified within PKCS 12.  
- *
- *	p12ctxt - the export context 
- *	safeBag - the safeBag to which attributes are appended
- *	attrType - the attribute type
- * 	attrData - the attribute data
- */
-SECStatus
-sec_PKCS12AddAttributeToBag(SEC_PKCS12ExportContext *p12ctxt, 
-			    sec_PKCS12SafeBag *safeBag, SECOidTag attrType,
-			    SECItem *attrData)
-{
-    sec_PKCS12Attribute *attribute;
-    void *mark = NULL, *dummy = NULL;
-    SECOidData *oiddata = NULL;
-    SECItem unicodeName = { siBuffer, NULL, 0};
-    void *src = NULL;
-    unsigned int nItems = 0;
-    SECStatus rv;
-
-    if(!safeBag || !p12ctxt) {
-	return SECFailure;
-    }
-
-    mark = PORT_ArenaMark(safeBag->arena);
-
-    /* allocate the attribute */
-    attribute = (sec_PKCS12Attribute *)PORT_ArenaZAlloc(safeBag->arena, 
-    						sizeof(sec_PKCS12Attribute));
-    if(!attribute) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    /* set up the attribute */
-    oiddata = SECOID_FindOIDByTag(attrType);
-    if(!oiddata) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-    if(SECITEM_CopyItem(p12ctxt->arena, &attribute->attrType, &oiddata->oid) !=
-    		SECSuccess) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    nItems = 1;
-    switch(attrType) {
-	case SEC_OID_PKCS9_LOCAL_KEY_ID:
-	    {
-		src = attrData;
-		break;
-	    }
-	case SEC_OID_PKCS9_FRIENDLY_NAME:
-	    {
-		if(!sec_pkcs12_convert_item_to_unicode(p12ctxt->arena, 
-					&unicodeName, attrData, PR_FALSE, 
-					PR_FALSE, PR_TRUE)) {
-		    goto loser;
-		}
-		src = &unicodeName;
-		break;
-	    }
-	default:
-	    goto loser;
-    }
-
-    /* append the attribute to the attribute value list  */
-    attribute->attrValue = (SECItem **)PORT_ArenaZAlloc(p12ctxt->arena, 
-    					    ((nItems + 1) * sizeof(SECItem *)));
-    if(!attribute->attrValue) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    /* XXX this will need to be changed if attributes requiring more than
-     * one element are ever used.
-     */
-    attribute->attrValue[0] = (SECItem *)PORT_ArenaZAlloc(p12ctxt->arena, 
-    							  sizeof(SECItem));
-    if(!attribute->attrValue[0]) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-    attribute->attrValue[1] = NULL;
-
-    rv = SECITEM_CopyItem(p12ctxt->arena, attribute->attrValue[0], 
-			  (SECItem*)src);
-    if(rv != SECSuccess) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    /* append the attribute to the safeBag attributes */
-    if(safeBag->nAttribs) {
-	dummy = PORT_ArenaGrow(p12ctxt->arena, safeBag->attribs, 
-			((safeBag->nAttribs + 1) * sizeof(sec_PKCS12Attribute *)),
-			((safeBag->nAttribs + 2) * sizeof(sec_PKCS12Attribute *)));
-	safeBag->attribs = (sec_PKCS12Attribute **)dummy;
-    } else {
-	safeBag->attribs = (sec_PKCS12Attribute **)PORT_ArenaZAlloc(p12ctxt->arena, 
-						2 * sizeof(sec_PKCS12Attribute *));
-	dummy = safeBag->attribs;
-    }
-    if(!dummy) {
-	goto loser;
-    }
-
-    safeBag->attribs[safeBag->nAttribs] = attribute;
-    safeBag->attribs[++safeBag->nAttribs] = NULL;
-
-    PORT_ArenaUnmark(p12ctxt->arena, mark);
-    return SECSuccess;
-
-loser:
-    if(mark) {
-	PORT_ArenaRelease(p12ctxt->arena, mark);
-    }
-
-    return SECFailure;
-}
-
-/* SEC_PKCS12AddCert
- * 	Adds a certificate to the data being exported.  
- *
- *	p12ctxt - the export context
- *	safe - the safeInfo to which the certificate is placed 
- *	nestedDest - if the cert is to be placed within a nested safeContents then,
- *		     this value is to be specified with the destination
- *	cert - the cert to export
- *	certDb - the certificate database handle
- *	keyId - a unique identifier to associate a certificate/key pair
- *	includeCertChain - PR_TRUE if the certificate chain is to be included.
- */
-SECStatus
-SEC_PKCS12AddCert(SEC_PKCS12ExportContext *p12ctxt, SEC_PKCS12SafeInfo *safe, 
-		  void *nestedDest, CERTCertificate *cert, 
-		  CERTCertDBHandle *certDb, SECItem *keyId,
-		  PRBool includeCertChain)
-{
-    sec_PKCS12CertBag *certBag;
-    sec_PKCS12SafeBag *safeBag;
-    void *mark;
-    SECStatus rv;
-    SECItem nick = {siBuffer, NULL,0};
-
-    if(!p12ctxt || !cert) {
-	return SECFailure;
-    }
-    mark = PORT_ArenaMark(p12ctxt->arena);
-
-    /* allocate the cert bag */
-    certBag = sec_PKCS12NewCertBag(p12ctxt->arena, 
-    				   SEC_OID_PKCS9_X509_CERT);
-    if(!certBag) {
-	goto loser;
-    }
-
-    if(SECITEM_CopyItem(p12ctxt->arena, &certBag->value.x509Cert, 
-    			&cert->derCert) != SECSuccess) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    /* if the cert chain is to be included, we should only be exporting
-     * the cert from our internal database.
-     */
-    if(includeCertChain) {
-	CERTCertificateList *certList = CERT_CertChainFromCert(cert,
-							       certUsageSSLClient,
-							       PR_TRUE);
-	unsigned int count = 0;
-	if(!certList) {
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    goto loser;
-	}
-
-	/* add cert chain */
-	for(count = 0; count < (unsigned int)certList->len; count++) {
-	    if(SECITEM_CompareItem(&certList->certs[count], &cert->derCert)
-	    			!= SECEqual) {
-	    	CERTCertificate *tempCert;
-
-		/* decode the certificate */
-		/* XXX
-		 * This was rather silly.  The chain is constructed above
-		 * by finding all of the CERTCertificate's in the database.
-		 * Then the chain is put into a CERTCertificateList, which only
-		 * contains the DER.  Finally, the DER was decoded, and the
-		 * decoded cert was sent recursively back to this function.
-		 * Beyond being inefficent, this causes data loss (specifically,
-		 * the nickname).  Instead, for 3.4, we'll do a lookup by the
-		 * DER, which should return the cached entry.
-		 */
-		tempCert = CERT_FindCertByDERCert(CERT_GetDefaultCertDB(),
-		                                  &certList->certs[count]);
-	    	if(!tempCert) {
-		    CERT_DestroyCertificateList(certList);
-		    goto loser;
-		}
-
-		/* add the certificate */
-	    	if(SEC_PKCS12AddCert(p12ctxt, safe, nestedDest, tempCert,
-				 certDb, NULL, PR_FALSE) != SECSuccess) {
-		    CERT_DestroyCertificate(tempCert);
-		    CERT_DestroyCertificateList(certList);
-		    goto loser;
-		}
-		CERT_DestroyCertificate(tempCert);
-	    }
-	}
-	CERT_DestroyCertificateList(certList);
-    }
-
-    /* if the certificate has a nickname, we will set the friendly name
-     * to that.
-     */
-    if(cert->nickname) {
-        if (cert->slot && !PK11_IsInternal(cert->slot)) {
-	  /*
-	   * The cert is coming off of an external token, 
-	   * let's strip the token name from the nickname
-	   * and only add what comes after the colon as the
-	   * nickname. -javi
-	   */
-	    char *delimit;
-	    
-	    delimit = PORT_Strchr(cert->nickname,':');
-	    if (delimit == NULL) {
-	        nick.data = (unsigned char *)cert->nickname;
-		nick.len = PORT_Strlen(cert->nickname);
-	    } else {
-	        delimit++;
-	        nick.data = (unsigned char *)PORT_ArenaStrdup(p12ctxt->arena,
-							      delimit);
-		nick.len = PORT_Strlen(delimit);
-	    }
-	} else {
-	    nick.data = (unsigned char *)cert->nickname;
-	    nick.len = PORT_Strlen(cert->nickname);
-	}
-    }
-
-    safeBag = sec_PKCS12CreateSafeBag(p12ctxt, SEC_OID_PKCS12_V1_CERT_BAG_ID, 
-    				      certBag);
-    if(!safeBag) {
-	goto loser;
-    }
-
-    /* add the friendly name and keyId attributes, if necessary */
-    if(nick.data) {
-	if(sec_PKCS12AddAttributeToBag(p12ctxt, safeBag, 
-				       SEC_OID_PKCS9_FRIENDLY_NAME, &nick) 
-				       != SECSuccess) {
-	    goto loser;
-	}
-    }
-	   
-    if(keyId) {
-	if(sec_PKCS12AddAttributeToBag(p12ctxt, safeBag, SEC_OID_PKCS9_LOCAL_KEY_ID,
-				       keyId) != SECSuccess) {
-	    goto loser;
-	}
-    }
-
-    /* append the cert safeBag */
-    if(nestedDest) {
-	rv = sec_pkcs12_append_bag_to_safe_contents(p12ctxt->arena, 
-					  (sec_PKCS12SafeContents*)nestedDest, 
-					   safeBag);
-    } else {
-	rv = sec_pkcs12_append_bag(p12ctxt, safe, safeBag);
-    }
-
-    if(rv != SECSuccess) {
-	goto loser;
-    }
-
-    PORT_ArenaUnmark(p12ctxt->arena, mark);
-    return SECSuccess;
-
-loser:
-    if(mark) {
-	PORT_ArenaRelease(p12ctxt->arena, mark);
-    }
-
-    return SECFailure;
-}
-
-/* SEC_PKCS12AddEncryptedKey
- *	Extracts the key associated with a particular certificate and exports
- *	it.
- *
- *	p12ctxt - the export context 
- *	safe - the safeInfo to place the key in
- *	nestedDest - the nested safeContents to place a key
- *	cert - the certificate which the key belongs to
- *	shroudKey - encrypt the private key for export.  This value should 
- *		always be true.  lower level code will not allow the export
- *		of unencrypted private keys.
- *	algorithm - the algorithm with which to encrypt the private key
- *	pwitem - the password to encrypted the private key with
- *	keyId - the keyID attribute
- *	nickName - the nickname attribute
- */
-static SECStatus
-SEC_PKCS12AddEncryptedKey(SEC_PKCS12ExportContext *p12ctxt, 
-		SECKEYEncryptedPrivateKeyInfo *epki, SEC_PKCS12SafeInfo *safe,
-		void *nestedDest, SECItem *keyId, SECItem *nickName)
-{
-    void *mark;
-    void *keyItem;
-    SECOidTag keyType;
-    SECStatus rv = SECFailure;
-    sec_PKCS12SafeBag *returnBag;
-
-    if(!p12ctxt || !safe || !epki) {
-	return SECFailure;
-    }
-
-    mark = PORT_ArenaMark(p12ctxt->arena);
-
-    keyItem = PORT_ArenaZAlloc(p12ctxt->arena, 
-				sizeof(SECKEYEncryptedPrivateKeyInfo));
-    if(!keyItem) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    rv = SECKEY_CopyEncryptedPrivateKeyInfo(p12ctxt->arena, 
-					(SECKEYEncryptedPrivateKeyInfo *)keyItem,
-					epki);
-    keyType = SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID;
-
-    if(rv != SECSuccess) {
-	goto loser;
-    }
-	
-    /* create the safe bag and set any attributes */
-    returnBag = sec_PKCS12CreateSafeBag(p12ctxt, keyType, keyItem);
-    if(!returnBag) {
-	rv = SECFailure;
-	goto loser;
-    }
-
-    if(nickName) {
-	if(sec_PKCS12AddAttributeToBag(p12ctxt, returnBag, 
-				       SEC_OID_PKCS9_FRIENDLY_NAME, nickName) 
-				       != SECSuccess) {
-	    goto loser;
-	}
-    }
-	   
-    if(keyId) {
-	if(sec_PKCS12AddAttributeToBag(p12ctxt, returnBag, 
-	                               SEC_OID_PKCS9_LOCAL_KEY_ID,
-				       keyId) != SECSuccess) {
-	    goto loser;
-	}
-    }
-
-    if(nestedDest) {
-	rv = sec_pkcs12_append_bag_to_safe_contents(p12ctxt->arena, 
-					   (sec_PKCS12SafeContents*)nestedDest,
-					   returnBag);
-    } else {
-	rv = sec_pkcs12_append_bag(p12ctxt, safe, returnBag);
-    }
-
-loser:
-
-    if (rv != SECSuccess) {
-	PORT_ArenaRelease(p12ctxt->arena, mark);
-    } else {
-	PORT_ArenaUnmark(p12ctxt->arena, mark);
-    }
-
-    return rv;
-}
-
-/* SEC_PKCS12AddKeyForCert
- *	Extracts the key associated with a particular certificate and exports
- *	it.
- *
- *	p12ctxt - the export context 
- *	safe - the safeInfo to place the key in
- *	nestedDest - the nested safeContents to place a key
- *	cert - the certificate which the key belongs to
- *	shroudKey - encrypt the private key for export.  This value should 
- *		always be true.  lower level code will not allow the export
- *		of unencrypted private keys.
- *	algorithm - the algorithm with which to encrypt the private key
- *	pwitem - the password to encrypt the private key with
- *	keyId - the keyID attribute
- *	nickName - the nickname attribute
- */
-SECStatus
-SEC_PKCS12AddKeyForCert(SEC_PKCS12ExportContext *p12ctxt, SEC_PKCS12SafeInfo *safe, 
-			void *nestedDest, CERTCertificate *cert,
-			PRBool shroudKey, SECOidTag algorithm, SECItem *pwitem,
-			SECItem *keyId, SECItem *nickName)
-{
-    void *mark;
-    void *keyItem;
-    SECOidTag keyType;
-    SECStatus rv = SECFailure;
-    SECItem nickname = {siBuffer,NULL,0}, uniPwitem = {siBuffer, NULL, 0};
-    sec_PKCS12SafeBag *returnBag;
-
-    if(!p12ctxt || !cert || !safe) {
-	return SECFailure;
-    }
-
-    mark = PORT_ArenaMark(p12ctxt->arena);
-
-    /* retrieve the key based upon the type that it is and 
-     * specify the type of safeBag to store the key in
-     */	   
-    if(!shroudKey) {
-
-	/* extract the key unencrypted.  this will most likely go away */
-	SECKEYPrivateKeyInfo *pki = PK11_ExportPrivateKeyInfo(cert, 
-							      p12ctxt->wincx);
-	if(!pki) {
-	    PORT_ArenaRelease(p12ctxt->arena, mark);
-	    PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY);
-	    return SECFailure;
-	}   
-	keyItem = PORT_ArenaZAlloc(p12ctxt->arena, sizeof(SECKEYPrivateKeyInfo));
-	if(!keyItem) {
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    goto loser;
-	}
-	rv = SECKEY_CopyPrivateKeyInfo(p12ctxt->arena, 
-				       (SECKEYPrivateKeyInfo *)keyItem, pki);
-	keyType = SEC_OID_PKCS12_V1_KEY_BAG_ID;
-	SECKEY_DestroyPrivateKeyInfo(pki, PR_TRUE);
-    } else {
-
-	/* extract the key encrypted */
-	SECKEYEncryptedPrivateKeyInfo *epki = NULL;
-	PK11SlotInfo *slot = NULL;
-
-	if(!sec_pkcs12_convert_item_to_unicode(p12ctxt->arena, &uniPwitem,
-				 pwitem, PR_TRUE, PR_TRUE, PR_TRUE)) {
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    goto loser;
-	}
-
-	/* we want to make sure to take the key out of the key slot */
-	if(PK11_IsInternal(p12ctxt->slot)) {
-	    slot = PK11_GetInternalKeySlot();
-	} else {
-	    slot = PK11_ReferenceSlot(p12ctxt->slot);
-	}
-
-	epki = PK11_ExportEncryptedPrivateKeyInfo(slot, algorithm, 
-						  &uniPwitem, cert, 1, 
-						  p12ctxt->wincx);
-	PK11_FreeSlot(slot);
-	
-	keyItem = PORT_ArenaZAlloc(p12ctxt->arena, 
-				  sizeof(SECKEYEncryptedPrivateKeyInfo));
-	if(!keyItem) {
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    goto loser;
-	}
-	if(!epki) {
-	    PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY);
-	    return SECFailure;
-	}   
-	rv = SECKEY_CopyEncryptedPrivateKeyInfo(p12ctxt->arena, 
-					(SECKEYEncryptedPrivateKeyInfo *)keyItem,
-					epki);
-	keyType = SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID;
-	SECKEY_DestroyEncryptedPrivateKeyInfo(epki, PR_TRUE);
-    }
-
-    if(rv != SECSuccess) {
-	goto loser;
-    }
-	
-    /* if no nickname specified, let's see if the certificate has a 
-     * nickname.
-     */					  
-    if(!nickName) {
-	if(cert->nickname) {
-	    nickname.data = (unsigned char *)cert->nickname;
-	    nickname.len = PORT_Strlen(cert->nickname);
-	    nickName = &nickname;
-	}
-    }
-
-    /* create the safe bag and set any attributes */
-    returnBag = sec_PKCS12CreateSafeBag(p12ctxt, keyType, keyItem);
-    if(!returnBag) {
-	rv = SECFailure;
-	goto loser;
-    }
-
-    if(nickName) {
-	if(sec_PKCS12AddAttributeToBag(p12ctxt, returnBag, 
-				       SEC_OID_PKCS9_FRIENDLY_NAME, nickName) 
-				       != SECSuccess) {
-	    goto loser;
-	}
-    }
-	   
-    if(keyId) {
-	if(sec_PKCS12AddAttributeToBag(p12ctxt, returnBag, SEC_OID_PKCS9_LOCAL_KEY_ID,
-				       keyId) != SECSuccess) {
-	    goto loser;
-	}
-    }
-
-    if(nestedDest) {
-	rv = sec_pkcs12_append_bag_to_safe_contents(p12ctxt->arena,
-					  (sec_PKCS12SafeContents*)nestedDest, 
-					  returnBag);
-    } else {
-	rv = sec_pkcs12_append_bag(p12ctxt, safe, returnBag);
-    }
-
-loser:
-
-    if (rv != SECSuccess) {
-	PORT_ArenaRelease(p12ctxt->arena, mark);
-    } else {
-	PORT_ArenaUnmark(p12ctxt->arena, mark);
-    }
-
-    return rv;
-}
-
-/* SEC_PKCS12AddCertAndEncryptedKey
- *	Add a certificate and key pair to be exported.
- *
- *	p12ctxt - the export context 
- * 	certSafe - the safeInfo where the cert is stored
- *	certNestedDest - the nested safeContents to store the cert
- *	keySafe - the safeInfo where the key is stored
- *	keyNestedDest - the nested safeContents to store the key
- *	shroudKey - extract the private key encrypted?
- *	pwitem - the password with which the key is encrypted
- *	algorithm - the algorithm with which the key is encrypted
- */
-SECStatus
-SEC_PKCS12AddDERCertAndEncryptedKey(SEC_PKCS12ExportContext *p12ctxt, 
-		void *certSafe, void *certNestedDest, 
-		SECItem *derCert, void *keySafe, 
-		void *keyNestedDest, SECKEYEncryptedPrivateKeyInfo *epki,
-		char *nickname)
-{		
-    SECStatus rv = SECFailure;
-    SGNDigestInfo *digest = NULL;
-    void *mark = NULL;
-    CERTCertificate *cert;
-    SECItem nick = {siBuffer, NULL,0}, *nickPtr = NULL; 
-
-    if(!p12ctxt || !certSafe || !keySafe || !derCert) {
-	return SECFailure;
-    }
-
-    mark = PORT_ArenaMark(p12ctxt->arena);
-
-    cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
-                                   derCert, NULL, PR_FALSE, PR_FALSE);
-    if(!cert) {
-	PORT_ArenaRelease(p12ctxt->arena, mark);
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return SECFailure;
-    }
-    cert->nickname = nickname;
-
-    /* generate the thumbprint of the cert to use as a keyId */
-    digest = sec_pkcs12_compute_thumbprint(&cert->derCert);
-    if(!digest) {
-	CERT_DestroyCertificate(cert);
-	return SECFailure;
-    }
-
-    /* add the certificate */
-    rv = SEC_PKCS12AddCert(p12ctxt, (SEC_PKCS12SafeInfo*)certSafe, 
-			   certNestedDest, cert, NULL,
-    			   &digest->digest, PR_FALSE);
-    if(rv != SECSuccess) {
-	goto loser;
-    }
-
-    if(nickname) {
-	nick.data = (unsigned char *)nickname;
-	nick.len = PORT_Strlen(nickname);
-	nickPtr = &nick;
-    } else {
-	nickPtr = NULL;
-    }
-
-    /* add the key */
-    rv = SEC_PKCS12AddEncryptedKey(p12ctxt, epki, (SEC_PKCS12SafeInfo*)keySafe,
-				   keyNestedDest, &digest->digest, nickPtr );
-    if(rv != SECSuccess) {
-	goto loser;
-    }
-
-    SGN_DestroyDigestInfo(digest);
-
-    PORT_ArenaUnmark(p12ctxt->arena, mark);
-    return SECSuccess;
-
-loser:
-    SGN_DestroyDigestInfo(digest);
-    CERT_DestroyCertificate(cert);
-    PORT_ArenaRelease(p12ctxt->arena, mark);
-    
-    return SECFailure; 
-}
-
-/* SEC_PKCS12AddCertAndKey
- *	Add a certificate and key pair to be exported.
- *
- *	p12ctxt - the export context 
- * 	certSafe - the safeInfo where the cert is stored
- *	certNestedDest - the nested safeContents to store the cert
- *	keySafe - the safeInfo where the key is stored
- *	keyNestedDest - the nested safeContents to store the key
- *	shroudKey - extract the private key encrypted?
- *	pwitem - the password with which the key is encrypted
- *	algorithm - the algorithm with which the key is encrypted
- */
-SECStatus
-SEC_PKCS12AddCertAndKey(SEC_PKCS12ExportContext *p12ctxt, 
-			void *certSafe, void *certNestedDest, 
-			CERTCertificate *cert, CERTCertDBHandle *certDb,
-			void *keySafe, void *keyNestedDest, 
-			PRBool shroudKey, SECItem *pwitem, SECOidTag algorithm)
-{		
-    SECStatus rv = SECFailure;
-    SGNDigestInfo *digest = NULL;
-    void *mark = NULL;
-
-    if(!p12ctxt || !certSafe || !keySafe || !cert) {
-	return SECFailure;
-    }
-
-    mark = PORT_ArenaMark(p12ctxt->arena);
-
-    /* generate the thumbprint of the cert to use as a keyId */
-    digest = sec_pkcs12_compute_thumbprint(&cert->derCert);
-    if(!digest) {
-	PORT_ArenaRelease(p12ctxt->arena, mark);
-	return SECFailure;
-    }
-
-    /* add the certificate */
-    rv = SEC_PKCS12AddCert(p12ctxt, (SEC_PKCS12SafeInfo*)certSafe, 
-			   (SEC_PKCS12SafeInfo*)certNestedDest, cert, certDb,
-    			   &digest->digest, PR_TRUE);
-    if(rv != SECSuccess) {
-	goto loser;
-    }
-
-    /* add the key */
-    rv = SEC_PKCS12AddKeyForCert(p12ctxt, (SEC_PKCS12SafeInfo*)keySafe, 
-				 keyNestedDest, cert, 
-    				 shroudKey, algorithm, pwitem, 
-    				 &digest->digest, NULL );
-    if(rv != SECSuccess) {
-	goto loser;
-    }
-
-    SGN_DestroyDigestInfo(digest);
-
-    PORT_ArenaUnmark(p12ctxt->arena, mark);
-    return SECSuccess;
-
-loser:
-    SGN_DestroyDigestInfo(digest);
-    PORT_ArenaRelease(p12ctxt->arena, mark);
-    
-    return SECFailure; 
-}
-
-/* SEC_PKCS12CreateNestedSafeContents
- * 	Allows nesting of safe contents to be implemented.  No limit imposed on 
- *	depth.  
- *
- *	p12ctxt - the export context 
- *	baseSafe - the base safeInfo 
- *	nestedDest - a parent safeContents (?)
- */
-void *
-SEC_PKCS12CreateNestedSafeContents(SEC_PKCS12ExportContext *p12ctxt,
-				   void *baseSafe, void *nestedDest)
-{
-    sec_PKCS12SafeContents *newSafe;
-    sec_PKCS12SafeBag *safeContentsBag;
-    void *mark;
-    SECStatus rv;
-
-    if(!p12ctxt || !baseSafe) {
-	return NULL;
-    }
-
-    mark = PORT_ArenaMark(p12ctxt->arena);
-
-    newSafe = sec_PKCS12CreateSafeContents(p12ctxt->arena);
-    if(!newSafe) {
-	PORT_ArenaRelease(p12ctxt->arena, mark);
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    /* create the safeContents safeBag */
-    safeContentsBag = sec_PKCS12CreateSafeBag(p12ctxt, 
-					SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID,
-					newSafe);
-    if(!safeContentsBag) {
-	goto loser;
-    }
-
-    /* append the safeContents to the appropriate area */
-    if(nestedDest) {
-	rv = sec_pkcs12_append_bag_to_safe_contents(p12ctxt->arena, 
-					   (sec_PKCS12SafeContents*)nestedDest,
-					   safeContentsBag);
-    } else {
-	rv = sec_pkcs12_append_bag(p12ctxt, (SEC_PKCS12SafeInfo*)baseSafe, 
-				   safeContentsBag);
-    }
-    if(rv != SECSuccess) {
-	goto loser;
-    }
-
-    PORT_ArenaUnmark(p12ctxt->arena, mark);
-    return newSafe;
-
-loser:
-    PORT_ArenaRelease(p12ctxt->arena, mark);
-    return NULL;
-}
-
-/*********************************
- * Encoding routines
- *********************************/
-
-/* set up the encoder context based on information in the export context
- * and return the newly allocated enocoder context.  A return of NULL 
- * indicates an error occurred. 
- */
-sec_PKCS12EncoderContext *
-sec_pkcs12_encoder_start_context(SEC_PKCS12ExportContext *p12exp)
-{
-    sec_PKCS12EncoderContext *p12enc = NULL;
-    unsigned int i, nonEmptyCnt;
-    SECStatus rv;
-    SECItem ignore = {0};
-    void *mark;
-
-    if(!p12exp || !p12exp->safeInfos) {
-	return NULL;
-    }
-
-    /* check for any empty safes and skip them */
-    i = nonEmptyCnt = 0;
-    while(p12exp->safeInfos[i]) {
-	if(p12exp->safeInfos[i]->itemCount) {
-	    nonEmptyCnt++;
-	}
-	i++;
-    }
-    if(nonEmptyCnt == 0) {
-	return NULL;
-    }
-    p12exp->authSafe.encodedSafes[nonEmptyCnt] = NULL;
-
-    /* allocate the encoder context */
-    mark = PORT_ArenaMark(p12exp->arena);
-    p12enc = PORT_ArenaZNew(p12exp->arena, sec_PKCS12EncoderContext);
-    if(!p12enc) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    p12enc->arena = p12exp->arena;
-    p12enc->p12exp = p12exp;
-
-    /* set up the PFX version and information */
-    PORT_Memset(&p12enc->pfx, 0, sizeof(sec_PKCS12PFXItem));
-    if(!SEC_ASN1EncodeInteger(p12exp->arena, &(p12enc->pfx.version), 
-    			      SEC_PKCS12_VERSION) ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-    	goto loser;
-    }
-
-    /* set up the authenticated safe content info based on the 
-     * type of integrity being used.  this should be changed to
-     * enforce integrity mode, but will not be implemented until
-     * it is confirmed that integrity must be in place
-     */
-    if(p12exp->integrityEnabled && !p12exp->pwdIntegrity) {
-	SECStatus rv;
-
-	/* create public key integrity mode */
-	p12enc->aSafeCinfo = SEC_PKCS7CreateSignedData(
-				p12exp->integrityInfo.pubkeyInfo.cert,
-				certUsageEmailSigner,
-				p12exp->integrityInfo.pubkeyInfo.certDb,
-				p12exp->integrityInfo.pubkeyInfo.algorithm,
-				NULL,
-				p12exp->pwfn,
-				p12exp->pwfnarg);
-	if(!p12enc->aSafeCinfo) {
-	    goto loser;
-	}
-	if(SEC_PKCS7IncludeCertChain(p12enc->aSafeCinfo,NULL) != SECSuccess) {
-	    goto loser;
-	}
-	rv = SEC_PKCS7AddSigningTime(p12enc->aSafeCinfo);
-	PORT_Assert(rv == SECSuccess);
-    } else {
-	p12enc->aSafeCinfo = SEC_PKCS7CreateData();
-
-	/* init password pased integrity mode */
-	if(p12exp->integrityEnabled) {
-	    SECItem  pwd = {siBuffer,NULL, 0};
-	    SECItem *salt = sec_pkcs12_generate_salt();
-	    PK11SymKey *symKey;
-	    SECItem *params;
-	    CK_MECHANISM_TYPE integrityMech;
-	    CK_MECHANISM_TYPE hmacMech;
-
-	    /* zero out macData and set values */
-	    PORT_Memset(&p12enc->mac, 0, sizeof(sec_PKCS12MacData));
-
-	    if(!salt) {
-		PORT_SetError(SEC_ERROR_NO_MEMORY);
-		goto loser;
-	    }
-	    if(SECITEM_CopyItem(p12exp->arena, &(p12enc->mac.macSalt), salt) 
-			!= SECSuccess) {
-		PORT_SetError(SEC_ERROR_NO_MEMORY);
-		goto loser;
-	    }   
-
-	    /* generate HMAC key */
-	    if(!sec_pkcs12_convert_item_to_unicode(NULL, &pwd, 
-			p12exp->integrityInfo.pwdInfo.password, PR_TRUE, 
-			PR_TRUE, PR_TRUE)) {
-		goto loser;
-	    }
-
-	    params = PK11_CreatePBEParams(salt, &pwd, 1);
-	    SECITEM_ZfreeItem(salt, PR_TRUE);
-	    SECITEM_ZfreeItem(&pwd, PR_FALSE);
-
-	    switch (p12exp->integrityInfo.pwdInfo.algorithm) {
-	    case SEC_OID_SHA1:
-		integrityMech = CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN; break;
-	    case SEC_OID_MD5:
-		integrityMech = CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN;  break;
-	    case SEC_OID_MD2:
-		integrityMech = CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN;  break;
-	    default:
-		goto loser;
-	    }
-
-	    symKey = PK11_KeyGen(NULL, integrityMech, params, 20, NULL);
-	    PK11_DestroyPBEParams(params);
-	    if(!symKey) {
-		goto loser;
-	    }
-
-	    /* initialize hmac */
-	    /* XXX NBB, why is this mech different than the one above? */
-	    hmacMech =  sec_pkcs12_algtag_to_mech( 
-	                              p12exp->integrityInfo.pwdInfo.algorithm);
-
-	    p12enc->hmacCx = PK11_CreateContextBySymKey( hmacMech, CKA_SIGN, 
-	                                                 symKey, &ignore);
-
-	    PK11_FreeSymKey(symKey);
-	    if(!p12enc->hmacCx) {
-		PORT_SetError(SEC_ERROR_NO_MEMORY);
-		goto loser;
-	    }
-	    rv = PK11_DigestBegin(p12enc->hmacCx);
-	    if (rv != SECSuccess)
-		goto loser;
-	}
-    }
-
-    if(!p12enc->aSafeCinfo) {
-	goto loser;
-    }
-
-    PORT_ArenaUnmark(p12exp->arena, mark);
-
-    return p12enc;
-
-loser:
-    if(p12enc) {
-	if(p12enc->aSafeCinfo) {
-	    SEC_PKCS7DestroyContentInfo(p12enc->aSafeCinfo);
-	}
-	if(p12enc->hmacCx) {
-	    PK11_DestroyContext(p12enc->hmacCx, PR_TRUE);
-	}
-    }
-    if (p12exp->arena != NULL)
-	PORT_ArenaRelease(p12exp->arena, mark);
-
-    return NULL;
-}
-
-/* The outermost ASN.1 encoder calls this function for output.
-** This function calls back to the library caller's output routine,
-** which typically writes to a PKCS12 file.
- */
-static void
-sec_P12A1OutputCB_Outer(void *arg, const char *buf, unsigned long len,
-		       int depth, SEC_ASN1EncodingPart data_kind)
-{
-    struct sec_pkcs12_encoder_output *output;
-
-    output = (struct sec_pkcs12_encoder_output*)arg;
-    (* output->outputfn)(output->outputarg, buf, len);
-}
-
-/* The "middle" and "inner" ASN.1 encoders call this function to output. 
-** This function does HMACing, if appropriate, and then buffers the data.
-** The buffered data is eventually passed down to the underlying PKCS7 encoder.
- */
-static void
-sec_P12A1OutputCB_HmacP7Update(void *arg, const char *buf,
-			       unsigned long        len, 
-			       int                  depth,
-			       SEC_ASN1EncodingPart data_kind)
-{
-    sec_pkcs12OutputBuffer *  bufcx = (sec_pkcs12OutputBuffer *)arg;
-
-    if(!buf || !len) 
-	return;
-
-    if (bufcx->hmacCx) {
-	PK11_DigestOp(bufcx->hmacCx, (unsigned char *)buf, len);
-    }
-
-    /* buffer */
-    if (bufcx->numBytes > 0) {
-	int toCopy;
-	if (len + bufcx->numBytes <= bufcx->bufBytes) {
-	    memcpy(bufcx->buf + bufcx->numBytes, buf, len);
-	    bufcx->numBytes += len;
-	    if (bufcx->numBytes < bufcx->bufBytes) 
-	    	return;
-	    SEC_PKCS7EncoderUpdate(bufcx->p7eCx, bufcx->buf, bufcx->bufBytes);
-	    bufcx->numBytes = 0;
-	    return;
-	} 
-	toCopy = bufcx->bufBytes - bufcx->numBytes;
-	memcpy(bufcx->buf + bufcx->numBytes, buf, toCopy);
-	SEC_PKCS7EncoderUpdate(bufcx->p7eCx, bufcx->buf, bufcx->bufBytes);
-	bufcx->numBytes = 0;
-	len -= toCopy;
-	buf += toCopy;
-    } 
-    /* buffer is presently empty */
-    if (len >= bufcx->bufBytes) {
-	/* Just pass it through */
-	SEC_PKCS7EncoderUpdate(bufcx->p7eCx, buf, len);
-    } else {
-	/* copy it all into the buffer, and return */
-	memcpy(bufcx->buf, buf, len);
-	bufcx->numBytes = len;
-    }
-}
-
-void
-sec_FlushPkcs12OutputBuffer( sec_pkcs12OutputBuffer *  bufcx)
-{
-    if (bufcx->numBytes > 0) {
-	SEC_PKCS7EncoderUpdate(bufcx->p7eCx, bufcx->buf, bufcx->numBytes);
-	bufcx->numBytes = 0;
-    }
-}
-
-/* Feeds the output of a PKCS7 encoder into the next outward ASN.1 encoder.
-** This function is used by both the inner and middle PCS7 encoders.
-*/
-static void
-sec_P12P7OutputCB_CallA1Update(void *arg, const char *buf, unsigned long len)
-{
-    SEC_ASN1EncoderContext *cx = (SEC_ASN1EncoderContext*)arg;
-
-    if (!buf || !len) 
-    	return;
-
-    SEC_ASN1EncoderUpdate(cx, buf, len);
-}
-
-
-/* this function encodes content infos which are part of the
- * sequence of content infos labeled AuthenticatedSafes 
- */
-static SECStatus 
-sec_pkcs12_encoder_asafe_process(sec_PKCS12EncoderContext *p12ecx)
-{
-    SEC_PKCS7EncoderContext *innerP7ecx;
-    SEC_PKCS7ContentInfo    *cinfo;
-    PK11SymKey              *bulkKey      = NULL;
-    SEC_ASN1EncoderContext  *innerA1ecx   = NULL;
-    SECStatus                rv           = SECSuccess;
-
-    if(p12ecx->currentSafe < p12ecx->p12exp->authSafe.safeCount) {
-	SEC_PKCS12SafeInfo *safeInfo;
-	SECOidTag cinfoType;
-
-	safeInfo = p12ecx->p12exp->safeInfos[p12ecx->currentSafe];
-
-	/* skip empty safes */
-	if(safeInfo->itemCount == 0) {
-	    return SECSuccess;
-	}
-
-	cinfo = safeInfo->cinfo;
-	cinfoType = SEC_PKCS7ContentType(cinfo);
-
-	/* determine the safe type and set the appropriate argument */
-	switch(cinfoType) {
-	    case SEC_OID_PKCS7_DATA:
-	    case SEC_OID_PKCS7_ENVELOPED_DATA:
-		break;
-	    case SEC_OID_PKCS7_ENCRYPTED_DATA:
-		bulkKey = safeInfo->encryptionKey;
-		PK11_SetSymKeyUserData(bulkKey, &safeInfo->pwitem, NULL);
-		break;
-	    default:
-		return SECFailure;
-
-	}
-
-	/* start the PKCS7 encoder */
-	innerP7ecx = SEC_PKCS7EncoderStart(cinfo, 
-				  sec_P12P7OutputCB_CallA1Update,
-				  p12ecx->middleA1ecx, bulkKey);
-	if(!innerP7ecx) {
-	    goto loser;
-	}
-
-	/* encode safe contents */
-	p12ecx->innerBuf.p7eCx    = innerP7ecx;
-	p12ecx->innerBuf.hmacCx   = NULL;
-	p12ecx->innerBuf.numBytes = 0;
-	p12ecx->innerBuf.bufBytes = sizeof p12ecx->innerBuf.buf;
-
-	innerA1ecx = SEC_ASN1EncoderStart(safeInfo->safe, 
-	                           sec_PKCS12SafeContentsTemplate,
-				   sec_P12A1OutputCB_HmacP7Update, 
-				   &p12ecx->innerBuf);
-	if(!innerA1ecx) {
-	    goto loser;
-	}   
-	rv = SEC_ASN1EncoderUpdate(innerA1ecx, NULL, 0);
-	SEC_ASN1EncoderFinish(innerA1ecx);
-	sec_FlushPkcs12OutputBuffer( &p12ecx->innerBuf);
-	innerA1ecx = NULL;
-	if(rv != SECSuccess) {
-	    goto loser;
-	}
-
-
-	/* finish up safe content info */
-	rv = SEC_PKCS7EncoderFinish(innerP7ecx, p12ecx->p12exp->pwfn, 
-				    p12ecx->p12exp->pwfnarg);
-    }
-    memset(&p12ecx->innerBuf, 0, sizeof p12ecx->innerBuf);
-    return SECSuccess;
-
-loser:
-    if(innerP7ecx) {
-	SEC_PKCS7EncoderFinish(innerP7ecx, p12ecx->p12exp->pwfn, 
-			       p12ecx->p12exp->pwfnarg);
-    }
-
-    if(innerA1ecx) {
-	SEC_ASN1EncoderFinish(innerA1ecx);
-    }
-    memset(&p12ecx->innerBuf, 0, sizeof p12ecx->innerBuf);
-    return SECFailure;
-}
-
-/* finish the HMAC and encode the macData so that it can be
- * encoded.
- */
-static SECStatus
-sec_Pkcs12FinishMac(sec_PKCS12EncoderContext *p12ecx)
-{
-    SECItem hmac = { siBuffer, NULL, 0 };
-    SECStatus rv;
-    SGNDigestInfo *di = NULL;
-    void *dummy;
-
-    if(!p12ecx) {
-	return SECFailure;
-    }
-
-    /* make sure we are using password integrity mode */
-    if(!p12ecx->p12exp->integrityEnabled) {
-	return SECSuccess;
-    }
-
-    if(!p12ecx->p12exp->pwdIntegrity) {
-	return SECSuccess;
-    }
-
-    /* finish the hmac */
-    hmac.data = (unsigned char *)PORT_ZAlloc(SHA1_LENGTH);
-    if(!hmac.data) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return SECFailure;
-    }
-
-    rv = PK11_DigestFinal(p12ecx->hmacCx, hmac.data, &hmac.len, SHA1_LENGTH);
-
-    if(rv != SECSuccess) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    /* create the digest info */
-    di = SGN_CreateDigestInfo(p12ecx->p12exp->integrityInfo.pwdInfo.algorithm,
-    			      hmac.data, hmac.len);
-    if(!di) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	rv = SECFailure;
-	goto loser;
-    }
-
-    rv = SGN_CopyDigestInfo(p12ecx->arena, &p12ecx->mac.safeMac, di);
-    if(rv != SECSuccess) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    /* encode the mac data */
-    dummy = SEC_ASN1EncodeItem(p12ecx->arena, &p12ecx->pfx.encodedMacData, 
-    			    &p12ecx->mac, sec_PKCS12MacDataTemplate);
-    if(!dummy) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	rv = SECFailure;
-    }
-
-loser:
-    if(di) {
-	SGN_DestroyDigestInfo(di);
-    }
-    if(hmac.data) {
-	SECITEM_ZfreeItem(&hmac, PR_FALSE);
-    }
-    PK11_DestroyContext(p12ecx->hmacCx, PR_TRUE);
-    p12ecx->hmacCx = NULL;
-
-    return rv;
-}
-
-/* pfx notify function for ASN1 encoder.  
- * We want to stop encoding once we reach the authenticated safe.  
- * At that point, the encoder will be updated via streaming
- * as the authenticated safe is  encoded. 
- */
-static void
-sec_pkcs12_encoder_pfx_notify(void *arg, PRBool before, void *dest, int real_depth)
-{
-    sec_PKCS12EncoderContext *p12ecx;
-
-    if(!before) {
-	return;
-    }
-
-    /* look for authenticated safe */
-    p12ecx = (sec_PKCS12EncoderContext*)arg;
-    if(dest != &p12ecx->pfx.encodedAuthSafe) {
-	return;
-    }
-
-    SEC_ASN1EncoderSetTakeFromBuf(p12ecx->outerA1ecx);
-    SEC_ASN1EncoderSetStreaming(p12ecx->outerA1ecx);
-    SEC_ASN1EncoderClearNotifyProc(p12ecx->outerA1ecx);
-}
-
-/* SEC_PKCS12Encode
- *	Encodes the PFX item and returns it to the output function, via
- *	callback.  the output function must be capable of multiple updates.
- *	
- *	p12exp - the export context 
- *	output - the output function callback, will be called more than once,
- *		 must be able to accept streaming data.
- *	outputarg - argument for the output callback.
- */
-SECStatus
-SEC_PKCS12Encode(SEC_PKCS12ExportContext *p12exp, 
-		 SEC_PKCS12EncoderOutputCallback output, void *outputarg)
-{
-    sec_PKCS12EncoderContext *p12enc;
-    struct sec_pkcs12_encoder_output outInfo;
-    SECStatus rv;
-
-    if(!p12exp || !output) {
-	return SECFailure;
-    }
-
-    /* get the encoder context */
-    p12enc = sec_pkcs12_encoder_start_context(p12exp);
-    if(!p12enc) {
-	return SECFailure;
-    }
-
-    outInfo.outputfn = output;
-    outInfo.outputarg = outputarg;
-
-    /* set up PFX encoder, the "outer" encoder.  Set it for streaming */
-    p12enc->outerA1ecx = SEC_ASN1EncoderStart(&p12enc->pfx, 
-                                       sec_PKCS12PFXItemTemplate,
-				       sec_P12A1OutputCB_Outer, 
-				       &outInfo);
-    if(!p12enc->outerA1ecx) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	rv = SECFailure;
-	goto loser;
-    }
-    SEC_ASN1EncoderSetStreaming(p12enc->outerA1ecx);
-    SEC_ASN1EncoderSetNotifyProc(p12enc->outerA1ecx, 
-                                 sec_pkcs12_encoder_pfx_notify, p12enc);
-    rv = SEC_ASN1EncoderUpdate(p12enc->outerA1ecx, NULL, 0);
-    if(rv != SECSuccess) {
-	rv = SECFailure;
-	goto loser;
-    }
-
-    /* set up asafe cinfo - the output of the encoder feeds the PFX encoder */
-    p12enc->middleP7ecx = SEC_PKCS7EncoderStart(p12enc->aSafeCinfo, 
-				       sec_P12P7OutputCB_CallA1Update,
-				       p12enc->outerA1ecx, NULL);
-    if(!p12enc->middleP7ecx) {
-	rv = SECFailure;
-	goto loser;
-    }
-
-    /* encode asafe */
-    p12enc->middleBuf.p7eCx    = p12enc->middleP7ecx;
-    p12enc->middleBuf.hmacCx   = NULL;
-    p12enc->middleBuf.numBytes = 0;
-    p12enc->middleBuf.bufBytes = sizeof p12enc->middleBuf.buf;
-
-    /* Setup the "inner ASN.1 encoder for Authenticated Safes.  */
-    if(p12enc->p12exp->integrityEnabled && 
-       p12enc->p12exp->pwdIntegrity) {
-	p12enc->middleBuf.hmacCx = p12enc->hmacCx;
-    }
-    p12enc->middleA1ecx = SEC_ASN1EncoderStart(&p12enc->p12exp->authSafe,
-			    sec_PKCS12AuthenticatedSafeTemplate,
-			    sec_P12A1OutputCB_HmacP7Update,
-			    &p12enc->middleBuf);
-    if(!p12enc->middleA1ecx) {
-	rv = SECFailure;
-	goto loser;
-    }
-    SEC_ASN1EncoderSetStreaming(p12enc->middleA1ecx);
-    SEC_ASN1EncoderSetTakeFromBuf(p12enc->middleA1ecx); 
-	
-    /* encode each of the safes */			 
-    while(p12enc->currentSafe != p12enc->p12exp->safeInfoCount) {
-	sec_pkcs12_encoder_asafe_process(p12enc);
-	p12enc->currentSafe++;
-    }
-    SEC_ASN1EncoderClearTakeFromBuf(p12enc->middleA1ecx);
-    SEC_ASN1EncoderClearStreaming(p12enc->middleA1ecx);
-    SEC_ASN1EncoderUpdate(p12enc->middleA1ecx, NULL, 0);
-    SEC_ASN1EncoderFinish(p12enc->middleA1ecx);
-
-    sec_FlushPkcs12OutputBuffer( &p12enc->middleBuf);
-
-    /* finish the encoding of the authenticated safes */
-    rv = SEC_PKCS7EncoderFinish(p12enc->middleP7ecx, p12exp->pwfn, 
-    				p12exp->pwfnarg);
-    if(rv != SECSuccess) {
-	goto loser;
-    }
-
-    SEC_ASN1EncoderClearTakeFromBuf(p12enc->outerA1ecx);
-    SEC_ASN1EncoderClearStreaming(p12enc->outerA1ecx);
-
-    /* update the mac, if necessary */
-    rv = sec_Pkcs12FinishMac(p12enc);
-    if(rv != SECSuccess) {
-	goto loser;
-    }
-   
-    /* finish encoding the pfx */ 
-    rv = SEC_ASN1EncoderUpdate(p12enc->outerA1ecx, NULL, 0);
-
-    SEC_ASN1EncoderFinish(p12enc->outerA1ecx);
-
-loser:
-    return rv;
-}
-
-void
-SEC_PKCS12DestroyExportContext(SEC_PKCS12ExportContext *p12ecx)
-{
-    int i = 0;
-
-    if(!p12ecx) {
-	return;
-    }
-
-    if(p12ecx->safeInfos) {
-	i = 0;
-	while(p12ecx->safeInfos[i] != NULL) {
-	    if(p12ecx->safeInfos[i]->encryptionKey) {
-		PK11_FreeSymKey(p12ecx->safeInfos[i]->encryptionKey);
-	    }
-	    if(p12ecx->safeInfos[i]->cinfo) {
-		SEC_PKCS7DestroyContentInfo(p12ecx->safeInfos[i]->cinfo);
-	    }
-	    i++;
-	}
-    }
-
-    PK11_FreeSlot(p12ecx->slot);
-
-    PORT_FreeArena(p12ecx->arena, PR_TRUE);
-}
-
-
-/*********************************
- * All-in-one routines for exporting certificates 
- *********************************/
-struct inPlaceEncodeInfo {
-    PRBool error;
-    SECItem outItem;
-};
-
-static void 
-sec_pkcs12_in_place_encoder_output(void *arg, const char *buf, unsigned long len)
-{
-    struct inPlaceEncodeInfo *outInfo = (struct inPlaceEncodeInfo*)arg;
-
-    if(!outInfo || !len || outInfo->error) {
-	return;
-    }
-
-    if(!outInfo->outItem.data) {
-	outInfo->outItem.data = (unsigned char*)PORT_ZAlloc(len);
-	outInfo->outItem.len = 0;
-    } else {
-	if(!PORT_Realloc(&(outInfo->outItem.data), (outInfo->outItem.len + len))) {
-	    SECITEM_ZfreeItem(&(outInfo->outItem), PR_FALSE);
-	    outInfo->outItem.data = NULL;
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    outInfo->error = PR_TRUE;
-	    return;
-	}
-    }
-
-    PORT_Memcpy(&(outInfo->outItem.data[outInfo->outItem.len]), buf, len);
-    outInfo->outItem.len += len;
-
-    return;
-}
-
-/*
- * SEC_PKCS12ExportCertifcateAndKeyUsingPassword
- *	Exports a certificate/key pair using password-based encryption and
- *	authentication.
- *
- * pwfn, pwfnarg - password function and argument for the key database
- * cert - the certificate to export
- * certDb - certificate database
- * pwitem - the password to use
- * shroudKey - encrypt the key externally, 
- * keyShroudAlg - encryption algorithm for key
- * encryptionAlg - the algorithm with which data is encrypted
- * integrityAlg - the algorithm for integrity
- */
-SECItem *
-SEC_PKCS12ExportCertificateAndKeyUsingPassword(
-				SECKEYGetPasswordKey pwfn, void *pwfnarg,
-				CERTCertificate *cert, PK11SlotInfo *slot,
-				CERTCertDBHandle *certDb, SECItem *pwitem,
-				PRBool shroudKey, SECOidTag shroudAlg,
-				PRBool encryptCert, SECOidTag certEncAlg,
-				SECOidTag integrityAlg, void *wincx)
-{
-    struct inPlaceEncodeInfo outInfo;
-    SEC_PKCS12ExportContext *p12ecx = NULL;
-    SEC_PKCS12SafeInfo *keySafe, *certSafe;
-    SECItem *returnItem = NULL;
-
-    if(!cert || !pwitem || !slot) {
-	return NULL;
-    }
-
-    outInfo.error = PR_FALSE;
-    outInfo.outItem.data = NULL;
-    outInfo.outItem.len = 0;
-
-    p12ecx = SEC_PKCS12CreateExportContext(pwfn, pwfnarg, slot, wincx);
-    if(!p12ecx) {
-	return NULL;
-    }
-
-    /* set up cert safe */
-    if(encryptCert) {
-	certSafe = SEC_PKCS12CreatePasswordPrivSafe(p12ecx, pwitem, certEncAlg);
-    } else {
-	certSafe = SEC_PKCS12CreateUnencryptedSafe(p12ecx);
-    }
-    if(!certSafe) {
-	goto loser;
-    }
-
-    /* set up key safe */
-    if(shroudKey) {
-	keySafe = SEC_PKCS12CreateUnencryptedSafe(p12ecx);
-    } else {
-	keySafe = certSafe;
-    }
-    if(!keySafe) {
-	goto loser;
-    }
-
-    /* add integrity mode */
-    if(SEC_PKCS12AddPasswordIntegrity(p12ecx, pwitem, integrityAlg) 
-		!= SECSuccess) {
-	goto loser;
-    }
-
-    /* add cert and key pair */
-    if(SEC_PKCS12AddCertAndKey(p12ecx, certSafe, NULL, cert, certDb, 
-			       keySafe, NULL, shroudKey, pwitem, shroudAlg)
-		!= SECSuccess) {
-	goto loser;
-    }
-
-    /* encode the puppy */
-    if(SEC_PKCS12Encode(p12ecx, sec_pkcs12_in_place_encoder_output, &outInfo)
-		!= SECSuccess) {
-	goto loser;
-    }
-    if(outInfo.error) {
-	goto loser;
-    }
-
-    SEC_PKCS12DestroyExportContext(p12ecx);
-	
-    returnItem = SECITEM_DupItem(&outInfo.outItem);
-    SECITEM_ZfreeItem(&outInfo.outItem, PR_FALSE);
-
-    return returnItem;
-
-loser:
-    if(outInfo.outItem.data) {
-	SECITEM_ZfreeItem(&(outInfo.outItem), PR_TRUE);
-    }
-
-    if(p12ecx) {
-	SEC_PKCS12DestroyExportContext(p12ecx);
-    }
-
-    return NULL;
-}
-
-
diff --git a/security/nss/lib/pkcs12/p12exp.c b/security/nss/lib/pkcs12/p12exp.c
deleted file mode 100644
index b9ae89241..000000000
--- a/security/nss/lib/pkcs12/p12exp.c
+++ /dev/null
@@ -1,1410 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "plarena.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "seccomon.h"
-#include "secport.h"
-#include "cert.h"
-#include "pkcs12.h"
-#include "p12local.h"
-#include "secpkcs7.h"
-#include "secasn1.h"
-#include "secerr.h"
-#include "p12plcy.h"
-
-/* release the memory taken up by the list of nicknames */
-static void
-sec_pkcs12_destroy_nickname_list(SECItem **nicknames)
-{
-    int i = 0;
-
-    if(nicknames == NULL) {
-	return;
-    }
-
-    while(nicknames[i] != NULL) {
-	SECITEM_FreeItem(nicknames[i], PR_FALSE);
-	i++;
-    }
-
-    PORT_Free(nicknames);
-}
-   
-/* release the memory taken up by the list of certificates */ 
-static void
-sec_pkcs12_destroy_certificate_list(CERTCertificate **ref_certs)
-{
-    int i = 0;
-
-    if(ref_certs == NULL) {
-	return;
-    }
-
-    while(ref_certs[i] != NULL) {
-	CERT_DestroyCertificate(ref_certs[i]);
-	i++;
-    }
-}
-
-static void
-sec_pkcs12_destroy_cinfos_for_cert_bags(SEC_PKCS12CertAndCRLBag *certBag)
-{
-    int j = 0;
-    j = 0;
-    while(certBag->certAndCRLs[j] != NULL) {
-	SECOidTag certType = SECOID_FindOIDTag(&certBag->certAndCRLs[j]->BagID);
-	if(certType == SEC_OID_PKCS12_X509_CERT_CRL_BAG) {
-	    SEC_PKCS12X509CertCRL *x509;
-	    x509 = certBag->certAndCRLs[j]->value.x509;
-	    SEC_PKCS7DestroyContentInfo(&x509->certOrCRL);
-	}
-	j++;
-    }
-}
-
-/* destroy all content infos since they were not allocated in common
- * pool
- */
-static void
-sec_pkcs12_destroy_cert_content_infos(SEC_PKCS12SafeContents *safe,
-				      SEC_PKCS12Baggage *baggage)
-{
-    int i, j;
-
-    if((safe != NULL) && (safe->contents != NULL)) {
-	i = 0;
-	while(safe->contents[i] != NULL) {
-	    SECOidTag bagType = SECOID_FindOIDTag(&safe->contents[i]->safeBagType);
-	    if(bagType == SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID) {
-		SEC_PKCS12CertAndCRLBag *certBag;
-		certBag = safe->contents[i]->safeContent.certAndCRLBag;
-		sec_pkcs12_destroy_cinfos_for_cert_bags(certBag);
-	    }
-	    i++;
-	}
-    }
-
-    if((baggage != NULL) && (baggage->bags != NULL)) {
-	i = 0;
-	while(baggage->bags[i] != NULL) { 
-	    if(baggage->bags[i]->unencSecrets != NULL) {
-		j = 0;
-		while(baggage->bags[i]->unencSecrets[j] != NULL) {
-		    SECOidTag bagType;
-		    bagType = SECOID_FindOIDTag(&baggage->bags[i]->unencSecrets[j]->safeBagType);
-		    if(bagType == SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID) {
-			SEC_PKCS12CertAndCRLBag *certBag;
-			certBag = baggage->bags[i]->unencSecrets[j]->safeContent.certAndCRLBag;
-			sec_pkcs12_destroy_cinfos_for_cert_bags(certBag);
-		    }
-		    j++;
-		}
-	    }
-	    i++;
-	}
-    }
-}
-
-/* convert the nickname list from a NULL termincated Char list
- * to a NULL terminated SECItem list
- */
-static SECItem **
-sec_pkcs12_convert_nickname_list(char **nicknames)
-{
-    SECItem **nicks;
-    int i, j;
-    PRBool error = PR_FALSE;
-
-    if(nicknames == NULL) {
-	return NULL;
-    }
-
-    i = j = 0;
-    while(nicknames[i] != NULL) {
-	i++;
-    }
-
-    /* allocate the space and copy the data */	
-    nicks = (SECItem **)PORT_ZAlloc(sizeof(SECItem *) * (i + 1));
-    if(nicks != NULL) {
-	for(j = 0; ((j < i) && (error == PR_FALSE)); j++) {
-	    nicks[j] = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
-	    if(nicks[j] != NULL) {
-		nicks[j]->data = 
-		    (unsigned char *)PORT_ZAlloc(PORT_Strlen(nicknames[j])+1);
-		if(nicks[j]->data != NULL) {
-		    nicks[j]->len = PORT_Strlen(nicknames[j]);
-		    PORT_Memcpy(nicks[j]->data, nicknames[j], nicks[j]->len);
-		    nicks[j]->data[nicks[j]->len] = 0;
-		} else {
-		    error = PR_TRUE;
-		}
-	    } else {
-	       error = PR_TRUE;
-	    }
-	}
-    }
-
-    if(error == PR_TRUE) {
-        for(i = 0; i < j; i++) { 
-	    SECITEM_FreeItem(nicks[i], PR_TRUE);
-	}
-	PORT_Free(nicks);
-	nicks = NULL;
-    }
-
-    return nicks;
-}
-
-/* package the certificate add_cert into PKCS12 structures,
- * retrieve the certificate chain for the cert and return
- * the packaged contents.
- * poolp -- common memory pool;
- * add_cert -- certificate to package up
- * nickname for the certificate 
- * a return of NULL indicates an error
- */
-static SEC_PKCS12CertAndCRL *
-sec_pkcs12_get_cert(PRArenaPool *poolp,
-		       CERTCertificate *add_cert, 
-		       SECItem *nickname)
-{
-    SEC_PKCS12CertAndCRL *cert;
-    SEC_PKCS7ContentInfo *cinfo;
-    SGNDigestInfo *t_di;
-    void *mark;
-    SECStatus rv;
-
-    if((poolp == NULL) || (add_cert == NULL) || (nickname == NULL)) {
-    	return NULL;
-    }
-    mark = PORT_ArenaMark(poolp);
-
-    cert = sec_pkcs12_new_cert_crl(poolp, SEC_OID_PKCS12_X509_CERT_CRL_BAG);
-    if(cert != NULL) {
-
-	/* copy the nickname */
-	rv = SECITEM_CopyItem(poolp, &cert->nickname, nickname);
-	if(rv != SECSuccess) {
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    cert = NULL;
-	} else {
-
-	    /* package the certificate and cert chain into a NULL signer
-	     * PKCS 7 SignedData content Info and prepare it for encoding 
-	     * since we cannot use DER_ANY_TEMPLATE
-	     */
-	    cinfo = SEC_PKCS7CreateCertsOnly(add_cert, PR_TRUE, NULL);
-	    rv = SEC_PKCS7PrepareForEncode(cinfo, NULL, NULL, NULL);
-
-	    /* thumbprint the certificate */
-	    if((cinfo != NULL) && (rv == SECSuccess))
-	    {
-		PORT_Memcpy(&cert->value.x509->certOrCRL, cinfo, sizeof(*cinfo));
-		t_di = sec_pkcs12_compute_thumbprint(&add_cert->derCert);
-		if(t_di != NULL)
-		{
-		    /* test */
-		    rv = SGN_CopyDigestInfo(poolp, &cert->value.x509->thumbprint,
-		    			    t_di);
-		    if(rv != SECSuccess) {
-			cert = NULL;
-			PORT_SetError(SEC_ERROR_NO_MEMORY);
-		    }
-		    SGN_DestroyDigestInfo(t_di);
-		}
-		else
-		    cert = NULL;
-	    }
-	}
-    }
-
-    if (cert == NULL) {
-	PORT_ArenaRelease(poolp, mark);
-    } else {
-	PORT_ArenaUnmark(poolp, mark);
-    }
-
-    return cert;
-}
-
-/* package the private key associated with the certificate and 
- * return the appropriate PKCS 12 structure 
- * poolp common memory pool
- * nickname key nickname
- * cert -- cert to look up
- * wincx -- window handle 
- * an error is indicated by a return of NULL
- */
-static SEC_PKCS12PrivateKey *
-sec_pkcs12_get_private_key(PRArenaPool *poolp,
-			   SECItem *nickname,
-			   CERTCertificate *cert,
-			   void *wincx)
-{
-    SECKEYPrivateKeyInfo *pki;
-    SEC_PKCS12PrivateKey *pk;
-    SECStatus rv;
-    void *mark;
-
-    if((poolp == NULL) || (nickname == NULL)) {
-	return NULL;
-    }
-
-    mark = PORT_ArenaMark(poolp);
-
-    /* retrieve key from the data base */
-    pki = PK11_ExportPrivateKeyInfo(nickname, cert, wincx);
-    if(pki == NULL) {
-	PORT_ArenaRelease(poolp, mark);
-	PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY);
-	return NULL;
-    }
-
-    pk = (SEC_PKCS12PrivateKey *)PORT_ArenaZAlloc(poolp,
-						  sizeof(SEC_PKCS12PrivateKey));
-    if(pk != NULL) {
-	rv = sec_pkcs12_init_pvk_data(poolp, &pk->pvkData);
-
-	if(rv == SECSuccess) {
-	    /* copy the key into poolp memory space */
-	    rv = SECKEY_CopyPrivateKeyInfo(poolp, &pk->pkcs8data, pki);
-	    if(rv == SECSuccess) {
-		rv = SECITEM_CopyItem(poolp, &pk->pvkData.nickname, nickname);
-	    }
-	}
-
-	if(rv != SECSuccess) {
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    pk = NULL;
-	}
-    } else {
-	PORT_SetError(SEC_ERROR_NO_MEMORY); 
-    }
-
-    /* destroy private key, zeroing out data */
-    SECKEY_DestroyPrivateKeyInfo(pki, PR_TRUE);
-    if (pk == NULL) {
-	PORT_ArenaRelease(poolp, mark);
-    } else {
-	PORT_ArenaUnmark(poolp, mark);
-    }
-
-    return pk;
-}
-
-/* get a shrouded key item associated with a certificate
- * return the appropriate PKCS 12 structure 
- * poolp common memory pool
- * nickname key nickname
- * cert -- cert to look up
- * wincx -- window handle 
- * an error is indicated by a return of NULL
- */
-static SEC_PKCS12ESPVKItem *
-sec_pkcs12_get_shrouded_key(PRArenaPool *poolp,
-			    SECItem *nickname,
-			    CERTCertificate *cert,
-			    SECOidTag algorithm, 
-			    SECItem *pwitem,
-			    PKCS12UnicodeConvertFunction unicodeFn,
-			    void *wincx)
-{
-    SECKEYEncryptedPrivateKeyInfo *epki;
-    SEC_PKCS12ESPVKItem *pk;
-    void *mark;
-    SECStatus rv;
-    PK11SlotInfo *slot = NULL;
-    PRBool swapUnicodeBytes = PR_FALSE;
-
-#ifdef IS_LITTLE_ENDIAN
-    swapUnicodeBytes = PR_TRUE;
-#endif
-
-    if((poolp == NULL) || (nickname == NULL))
-	return NULL;
-
-    mark = PORT_ArenaMark(poolp);
-
-    /* use internal key slot */
-    slot = PK11_GetInternalKeySlot();
-
-    /* retrieve encrypted prviate key */
-    epki = PK11_ExportEncryptedPrivateKeyInfo(slot, algorithm, pwitem, 
-    					      nickname, cert, 1, 0, NULL);
-    PK11_FreeSlot(slot);
-    if(epki == NULL) {
-	PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY);
-	PORT_ArenaRelease(poolp, mark);
-	return NULL;
-    }
-
-    /* create a private key and store the data into the poolp memory space */
-    pk = sec_pkcs12_create_espvk(poolp, SEC_OID_PKCS12_PKCS8_KEY_SHROUDING);
-    if(pk != NULL) {
-	rv = sec_pkcs12_init_pvk_data(poolp, &pk->espvkData);
-	rv = SECITEM_CopyItem(poolp, &pk->espvkData.nickname, nickname);
-	pk->espvkCipherText.pkcs8KeyShroud = 
-	    (SECKEYEncryptedPrivateKeyInfo *)PORT_ArenaZAlloc(poolp,
-					sizeof(SECKEYEncryptedPrivateKeyInfo));
-	if((pk->espvkCipherText.pkcs8KeyShroud != NULL)  && (rv == SECSuccess)) {
-	    rv = SECKEY_CopyEncryptedPrivateKeyInfo(poolp, 
-					pk->espvkCipherText.pkcs8KeyShroud, epki);
-	    if(rv == SECSuccess) {
-		rv = (*unicodeFn)(poolp, &pk->espvkData.uniNickName, nickname, 
-				  PR_TRUE, swapUnicodeBytes);
-	    }
-	}
-
-	if(rv != SECSuccess) {
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    pk = NULL;
-	}
-    }
-
-    SECKEY_DestroyEncryptedPrivateKeyInfo(epki, PR_TRUE);
-    if(pk == NULL) {
-	PORT_ArenaRelease(poolp, mark);
-    } else {
-	PORT_ArenaUnmark(poolp, mark);
-    }
-	
-    return pk;
-}
-
-/* add a thumbprint to a private key associated certs list 
- * pvk is the area where the list is stored
- * thumb is the thumbprint to copy
- * a return of SECFailure indicates an error 
- */
-static SECStatus 
-sec_pkcs12_add_thumbprint(SEC_PKCS12PVKSupportingData *pvk,
-			  SGNDigestInfo *thumb)
-{
-    SGNDigestInfo **thumb_list = NULL;
-    int nthumbs, size;
-    void *mark, *dummy;
-    SECStatus rv = SECFailure;
-
-    if((pvk == NULL) || (thumb == NULL)) {
-	return SECFailure;
-    }
-
-    mark = PORT_ArenaMark(pvk->poolp);
-
-    thumb_list = pvk->assocCerts;
-    nthumbs = pvk->nThumbs;
-
-    /* allocate list space needed -- either growing or allocating 
-     * list must be NULL terminated 
-     */
-    size = sizeof(SGNDigestInfo *);
-    dummy = PORT_ArenaGrow(pvk->poolp, thumb_list, (size * (nthumbs + 1)),
-    			   (size * (nthumbs + 2)));
-    thumb_list = dummy;
-    if(dummy != NULL) {
-	thumb_list[nthumbs] = (SGNDigestInfo *)PORT_ArenaZAlloc(pvk->poolp, 
-						sizeof(SGNDigestInfo));
-	if(thumb_list[nthumbs] != NULL) {
-	    SGN_CopyDigestInfo(pvk->poolp, thumb_list[nthumbs], thumb);
-	    nthumbs += 1;
-	    thumb_list[nthumbs] = 0;
-	} else {
-	    dummy = NULL;
-	}
-    }
-
-    if(dummy == NULL) {
-    	PORT_ArenaRelease(pvk->poolp, mark);
-	return SECFailure;
-    } 
-
-    pvk->assocCerts = thumb_list;
-    pvk->nThumbs = nthumbs;
-
-    PORT_ArenaUnmark(pvk->poolp, mark);
-    return SECSuccess;
-}
-
-/* search the list of shrouded keys in the baggage for the desired
- * name.  return a pointer to the item.  a return of NULL indicates
- * that no match was present or that an error occurred.
- */
-static SEC_PKCS12ESPVKItem *
-sec_pkcs12_get_espvk_by_name(SEC_PKCS12Baggage *luggage, 
-			     SECItem *name)
-{
-    PRBool found = PR_FALSE;
-    SEC_PKCS12ESPVKItem *espvk = NULL;
-    int i, j;
-    SECComparison rv = SECEqual;
-    SECItem *t_name;
-    SEC_PKCS12BaggageItem *bag;
-
-    if((luggage == NULL) || (name == NULL)) {
-	return NULL;
-    }
-
-    i = 0;
-    while((found == PR_FALSE) && (i < luggage->luggage_size)) {
-	j = 0;
-	bag = luggage->bags[i];
-	while((found == PR_FALSE) && (j < bag->nEspvks)) {
-	    espvk = bag->espvks[j];
-	    if(espvk->poolp == NULL) {
-		espvk->poolp = luggage->poolp;
-	    }
-	    t_name = SECITEM_DupItem(&espvk->espvkData.nickname);
-	    if(t_name != NULL) {
-		rv = SECITEM_CompareItem(name, t_name);
-		if(rv == SECEqual) {
-		    found = PR_TRUE;
-		}
-		SECITEM_FreeItem(t_name, PR_TRUE);
-	    } else {
-		PORT_SetError(SEC_ERROR_NO_MEMORY);
-		return NULL;
-	    }
-	    j++;
-	}
-	i++;
-    }
-
-    if(found != PR_TRUE) {
-	PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME);
-	return NULL;
-    }
-
-    return espvk;
-}
-
-/* locates a certificate and copies the thumbprint to the
- * appropriate private key
- */
-static SECStatus 
-sec_pkcs12_propagate_thumbprints(SECItem **nicknames,
-				 CERTCertificate **ref_certs,
-				 SEC_PKCS12SafeContents *safe,
-				 SEC_PKCS12Baggage *baggage)
-{
-    SEC_PKCS12CertAndCRL *cert;
-    SEC_PKCS12PrivateKey *key;
-    SEC_PKCS12ESPVKItem *espvk;
-    int i;
-    PRBool error = PR_FALSE;
-    SECStatus rv = SECFailure;
-
-    if((nicknames == NULL) || (safe == NULL)) {
-	return SECFailure;
-    }
-
-    i = 0;
-    while((nicknames[i] != NULL) && (error == PR_FALSE)) {
-	/* process all certs */
-	cert = (SEC_PKCS12CertAndCRL *)sec_pkcs12_find_object(safe, baggage,
-					SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID,
-					nicknames[i], NULL);
-	if(cert != NULL) {
-	    /* locate key and copy thumbprint */
-	    key = (SEC_PKCS12PrivateKey *)sec_pkcs12_find_object(safe, baggage,
-	    				SEC_OID_PKCS12_KEY_BAG_ID,
-	    				nicknames[i], NULL);
-	    if(key != NULL) {
-		key->pvkData.poolp = key->poolp;
-		rv = sec_pkcs12_add_thumbprint(&key->pvkData, 
-			&cert->value.x509->thumbprint);
-		if(rv == SECFailure)
-		    error = PR_TRUE;  /* XXX Set error? */
-	    }
-
-	    /* look in the baggage as well...*/
-	    if((baggage != NULL) && (error == PR_FALSE)) {
-		espvk = sec_pkcs12_get_espvk_by_name(baggage, nicknames[i]);
-		if(espvk != NULL) {
-		    espvk->espvkData.poolp = espvk->poolp;
-		    rv = sec_pkcs12_add_thumbprint(&espvk->espvkData,
-			&cert->value.x509->thumbprint);
-		    if(rv == SECFailure)
-			error = PR_TRUE;  /* XXX Set error? */
-		}
-	    }
-	}
-	i++;
-    }
-
-    if(error == PR_TRUE) {
-	return SECFailure;
-    }
-
-    return SECSuccess;
-}
-
-/* append a safe bag to the end of the safe contents list */
-SECStatus 
-sec_pkcs12_append_safe_bag(SEC_PKCS12SafeContents *safe,
-			   SEC_PKCS12SafeBag *bag)
-{
-    int size;
-    void *mark = NULL, *dummy = NULL;
-
-    if((bag == NULL) || (safe == NULL))
-	return SECFailure;
-
-    mark = PORT_ArenaMark(safe->poolp);
-
-    size = (safe->safe_size * sizeof(SEC_PKCS12SafeBag *));
-    
-    if(safe->safe_size > 0) {
-	dummy = (SEC_PKCS12SafeBag **)PORT_ArenaGrow(safe->poolp, 
-	    				safe->contents, 
-	    				size, 
-	    				(size + sizeof(SEC_PKCS12SafeBag *)));
-	safe->contents = dummy;
-    } else {
-	safe->contents = (SEC_PKCS12SafeBag **)PORT_ArenaZAlloc(safe->poolp, 
-	    (2 * sizeof(SEC_PKCS12SafeBag *)));
-	dummy = safe->contents;
-    }
-
-    if(dummy == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    safe->contents[safe->safe_size] = bag;
-    safe->safe_size++;
-    safe->contents[safe->safe_size] = NULL;
-
-    PORT_ArenaUnmark(safe->poolp, mark);
-    return SECSuccess;
-
-loser:
-    PORT_ArenaRelease(safe->poolp, mark);
-    return SECFailure;
-}
-
-/* append a certificate onto the end of a cert bag */
-static SECStatus 
-sec_pkcs12_append_cert_to_bag(PRArenaPool *arena,
-			      SEC_PKCS12SafeBag *safebag,
-			      CERTCertificate *cert,
-			      SECItem *nickname)
-{
-    int size;
-    void *dummy = NULL, *mark = NULL;
-    SEC_PKCS12CertAndCRL *p12cert;
-    SEC_PKCS12CertAndCRLBag *bag;
-
-    if((arena == NULL) || (safebag == NULL) || 
-    	(cert == NULL) || (nickname == NULL)) {
-	return SECFailure;
-    }
-
-    bag = safebag->safeContent.certAndCRLBag;
-    if(bag == NULL) {
-	return SECFailure;
-    }
-
-    mark = PORT_ArenaMark(arena);
-
-    p12cert = sec_pkcs12_get_cert(arena, cert, nickname);
-    if(p12cert == NULL) {
-	PORT_ArenaRelease(bag->poolp, mark);
-	return SECFailure;
-    }
-
-    size = bag->bag_size * sizeof(SEC_PKCS12CertAndCRL *);
-    if(bag->bag_size > 0) {
-	dummy = (SEC_PKCS12CertAndCRL **)PORT_ArenaGrow(bag->poolp,
-	    bag->certAndCRLs, size, size + sizeof(SEC_PKCS12CertAndCRL *));
-	bag->certAndCRLs = dummy;
-    } else {
-	bag->certAndCRLs = (SEC_PKCS12CertAndCRL **)PORT_ArenaZAlloc(bag->poolp,
-	    (2 * sizeof(SEC_PKCS12CertAndCRL *)));
-	dummy = bag->certAndCRLs;
-    }
-
-    if(dummy == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    bag->certAndCRLs[bag->bag_size] = p12cert;
-    bag->bag_size++;
-    bag->certAndCRLs[bag->bag_size] = NULL;
-
-    PORT_ArenaUnmark(bag->poolp, mark);
-    return SECSuccess;
-
-loser:
-    PORT_ArenaRelease(bag->poolp, mark);
-    return SECFailure;
-}
-
-/* append a key onto the end of a list of keys in a key bag */
-SECStatus 
-sec_pkcs12_append_key_to_bag(SEC_PKCS12SafeBag *safebag,
-			     SEC_PKCS12PrivateKey *pk)
-{
-    void *mark, *dummy;
-    SEC_PKCS12PrivateKeyBag *bag;
-    int size;
-
-    if((safebag == NULL) || (pk == NULL))
-	return SECFailure;
-
-    bag = safebag->safeContent.keyBag;
-    if(bag == NULL) {
-	return SECFailure;
-    }
-
-    mark = PORT_ArenaMark(bag->poolp);
-
-    size = (bag->bag_size * sizeof(SEC_PKCS12PrivateKey *));
-
-    if(bag->bag_size > 0) {
-	dummy = (SEC_PKCS12PrivateKey **)PORT_ArenaGrow(bag->poolp,
-					bag->privateKeys, 
-					size, 
-					size + sizeof(SEC_PKCS12PrivateKey *));
-	bag->privateKeys = dummy;
-    } else {
-	bag->privateKeys = (SEC_PKCS12PrivateKey **)PORT_ArenaZAlloc(bag->poolp,
-	    (2 * sizeof(SEC_PKCS12PrivateKey *)));
-	dummy = bag->privateKeys;
-    }
-
-    if(dummy == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    bag->privateKeys[bag->bag_size] = pk;
-    bag->bag_size++;
-    bag->privateKeys[bag->bag_size] = NULL;
-
-    PORT_ArenaUnmark(bag->poolp, mark);
-    return SECSuccess;
-
-loser:
-    /* XXX Free memory? */
-    PORT_ArenaRelease(bag->poolp, mark);
-    return SECFailure;
-}
-
-/* append a safe bag to the baggage area */
-static SECStatus 
-sec_pkcs12_append_unshrouded_bag(SEC_PKCS12BaggageItem *bag,
-				 SEC_PKCS12SafeBag *u_bag)
-{
-    int size;
-    void *mark = NULL, *dummy = NULL;
-
-    if((bag == NULL) || (u_bag == NULL))
-	return SECFailure;
-
-    mark = PORT_ArenaMark(bag->poolp);
-
-    /* dump things into the first bag */
-    size = (bag->nSecrets + 1) * sizeof(SEC_PKCS12SafeBag *);
-    dummy = PORT_ArenaGrow(bag->poolp,
-	    		bag->unencSecrets, size, 
-	    		size + sizeof(SEC_PKCS12SafeBag *));
-    bag->unencSecrets = dummy;
-    if(dummy == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    bag->unencSecrets[bag->nSecrets] = u_bag;
-    bag->nSecrets++;
-    bag->unencSecrets[bag->nSecrets] = NULL;
-
-    PORT_ArenaUnmark(bag->poolp, mark);
-    return SECSuccess;
-
-loser:
-    PORT_ArenaRelease(bag->poolp, mark);
-    return SECFailure;
-}
-
-/* gather up all certificates and keys and package them up
- * in the safe, baggage, or both.
- * nicknames is the list of nicknames and corresponding certs in ref_certs
- * ref_certs a null terminated list of certificates
- * rSafe, rBaggage -- return areas for safe and baggage
- * shroud_keys -- store keys externally
- * pwitem -- password for computing integrity mac and encrypting contents
- * wincx -- window handle
- *
- * if a failure occurs, an error is set and SECFailure returned.
- */
-static SECStatus
-sec_pkcs12_package_certs_and_keys(SECItem **nicknames,
-				  CERTCertificate **ref_certs,
-				  PRBool unencryptedCerts,
-				  SEC_PKCS12SafeContents **rSafe,
-				  SEC_PKCS12Baggage **rBaggage,
-				  PRBool shroud_keys, 
-				  SECOidTag shroud_alg,
-				  SECItem *pwitem,
-				  PKCS12UnicodeConvertFunction unicodeFn,
-				  void *wincx)
-{
-    PRArenaPool *permArena;
-    SEC_PKCS12SafeContents *safe = NULL;
-    SEC_PKCS12Baggage *baggage = NULL;
-
-    SECStatus rv = SECFailure;
-    PRBool problem = PR_FALSE;
-
-    SEC_PKCS12ESPVKItem *espvk = NULL;
-    SEC_PKCS12PrivateKey *pk = NULL;
-    CERTCertificate *add_cert = NULL;
-    SEC_PKCS12SafeBag *certbag = NULL, *keybag = NULL;
-    SEC_PKCS12BaggageItem *external_bag = NULL;
-    int ncerts = 0, nkeys = 0;
-    int i;
-
-    if((nicknames == NULL) || (rSafe == NULL) || (rBaggage == NULL)) {
-	return SECFailure;
-    }
-	
-    *rBaggage = baggage;
-    *rSafe = safe;
-
-    permArena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
-    if(permArena == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return SECFailure;
-     }
-
-    /* allocate structures */
-    safe = sec_pkcs12_create_safe_contents(permArena);
-    if(safe == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	rv = SECFailure;
-	goto loser;
-    }
-
-    certbag = sec_pkcs12_create_safe_bag(permArena, 
-					 SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID);
-    if(certbag == NULL) {
-	rv = SECFailure;
-	goto loser;
-    }
-
-    if(shroud_keys != PR_TRUE) {
-	keybag = sec_pkcs12_create_safe_bag(permArena, 
-					    SEC_OID_PKCS12_KEY_BAG_ID);
-	if(keybag == NULL) {
-	    rv = SECFailure;
-	    goto loser;
-	}
-    }
-
-    if((shroud_keys == PR_TRUE) || (unencryptedCerts == PR_TRUE)) {
-	baggage = sec_pkcs12_create_baggage(permArena);
-    	if(baggage == NULL) {
-	    rv = SECFailure;
-	    goto loser;
-	}
-	external_bag = sec_pkcs12_create_external_bag(baggage);
-    }
-
-    /* package keys and certs */
-    i = 0;
-    while((nicknames[i] != NULL) && (problem == PR_FALSE)) {
-	if(ref_certs[i] != NULL) {
-	    /* append cert to bag o certs */
-	    rv = sec_pkcs12_append_cert_to_bag(permArena, certbag, 
-	    				       ref_certs[i],
-	    				       nicknames[i]);
-	    if(rv == SECFailure) {
-		problem = PR_FALSE;
-	    } else {
-		ncerts++;
-	    }
-
-	    if(rv == SECSuccess) {
-		/* package up them keys */
-		if(shroud_keys == PR_TRUE) {
-	    	    espvk = sec_pkcs12_get_shrouded_key(permArena, 
-							nicknames[i],
-	    	    					ref_certs[i],
-							shroud_alg, 
-							pwitem, unicodeFn,
-							wincx);
-		    if(espvk != NULL) {
-			rv = sec_pkcs12_append_shrouded_key(external_bag, espvk);
-			SECITEM_CopyItem(permArena, &espvk->derCert,
-					 &ref_certs[i]->derCert);
-		    } else {
-			rv = SECFailure;
-		    }
-		} else {
-		    pk = sec_pkcs12_get_private_key(permArena, nicknames[i], 
-		    				    ref_certs[i], wincx);
-		    if(pk != NULL) {
-			rv = sec_pkcs12_append_key_to_bag(keybag, pk);
-			SECITEM_CopyItem(permArena, &espvk->derCert,
-					 &ref_certs[i]->derCert);
-		    } else {
-			rv = SECFailure;
-		    }
-		}
-	
-		if(rv == SECFailure) {
-		    problem = PR_TRUE;
-		} else {
-		    nkeys++;
-		}
-	    }
-	} else {
-	    /* handle only keys here ? */
-	    problem = PR_TRUE;
-	}
-	i++;
-    }
-
-    /* let success fall through */
-loser:
-    if(problem == PR_FALSE) {
-	/* if we have certs, we want to append the cert bag to the 
-	 * appropriate area 
-	 */
-	if(ncerts > 0) {
-	    if(unencryptedCerts != PR_TRUE) {
-		rv = sec_pkcs12_append_safe_bag(safe, certbag);
-	    } else {
-		rv = sec_pkcs12_append_unshrouded_bag(external_bag, certbag);
-	    }
-	} else {
-	    rv = SECSuccess;
-	}
-
-	/* append key bag, if they are stored in safe contents */
-	if((rv == SECSuccess) && (shroud_keys == PR_FALSE) && (nkeys > 0)) {
-	    rv = sec_pkcs12_append_safe_bag(safe, keybag);
-	}
-    } else {
-	rv = SECFailure;
-    }
-
-    /* if baggage not used, NULLify it */
-    if((shroud_keys == PR_TRUE) || (unencryptedCerts == PR_TRUE)) {
-	if(((unencryptedCerts == PR_TRUE) && (ncerts == 0)) &&
-	   ((shroud_keys == PR_TRUE) && (nkeys == 0)))
-		baggage = NULL;
-    } else {
-	baggage = NULL;
-    }
-
-    if((problem == PR_TRUE) || (rv == SECFailure)) {
-	PORT_FreeArena(permArena, PR_TRUE);
-	rv = SECFailure;
-	baggage = NULL;
-	safe = NULL;
-    }
-
-    *rBaggage = baggage;
-    *rSafe = safe;
-
-    return rv;
-}
-
-/* DER encode the safe contents and return a SECItem.  if an error
- * occurs, NULL is returned.
- */
-static SECItem *
-sec_pkcs12_encode_safe_contents(SEC_PKCS12SafeContents *safe)
-{
-    SECItem *dsafe = NULL, *tsafe;
-    void *dummy = NULL;
-    PRArenaPool *arena;
-
-    if(safe == NULL) {
-	return NULL;
-    }
-
-/*    rv = sec_pkcs12_prepare_for_der_code_safe(safe, PR_TRUE);
-    if(rv != SECSuccess) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }*/
-
-    arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
-    if(arena == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    tsafe = (SECItem *)PORT_ArenaZAlloc(arena, sizeof(SECItem));
-    if(tsafe != NULL) {
-	dummy = SEC_ASN1EncodeItem(arena, tsafe, safe, 
-	    SEC_PKCS12SafeContentsTemplate);
-	if(dummy != NULL) {
-	    dsafe = SECITEM_DupItem(tsafe);
-	} else {
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	}
-    } else {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-    }
-
-    PORT_FreeArena(arena, PR_TRUE);
-
-    return dsafe;
-}
-
-/* prepare the authenicated safe for encoding and encode it.  
- *   baggage is copied to the appropriate area, safe is encoded and
- *   encrypted.  the version and transport mode are set on the asafe.
- *   the whole ball of wax is then der encoded and packaged up into
- *   data content info 
- * safe -- container of certs and keys, is encrypted.
- * baggage -- container of certs and keys, keys assumed to be encrypted by 
- *    another method, certs are in the clear
- * algorithm -- algorithm by which to encrypt safe
- * pwitem -- password for encryption
- * wincx - window handle
- *
- * return of NULL is an error condition.
- */
-static SEC_PKCS7ContentInfo *
-sec_pkcs12_get_auth_safe(SEC_PKCS12SafeContents *safe, 
-			 SEC_PKCS12Baggage *baggage,  
-			 SECOidTag algorithm, 
-			 SECItem *pwitem,
-			 PKCS12UnicodeConvertFunction unicodeFn,
-			 void *wincx)
-{
-    SECItem *src = NULL, *dest = NULL, *psalt = NULL;
-    PRArenaPool *poolp;
-    SEC_PKCS12AuthenticatedSafe *asafe;
-    SEC_PKCS7ContentInfo *safe_cinfo = NULL;
-    SEC_PKCS7ContentInfo *asafe_cinfo = NULL;
-    void *dummy;
-    SECStatus rv = SECSuccess;
-    PRBool swapUnicodeBytes = PR_FALSE;
-
-#ifdef IS_LITTLE_ENDIAN
-    swapUnicodeBytes = PR_TRUE;
-#endif
-    
-    if(((safe != NULL) && (pwitem == NULL)) && (baggage == NULL))
-	return NULL;
-
-    poolp = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
-    if(poolp == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    /* prepare authenticated safe for encode */
-    asafe = sec_pkcs12_new_asafe(poolp);
-    if(asafe != NULL) {
-
-	/* set version */
-	dummy = SEC_ASN1EncodeInteger(asafe->poolp, &asafe->version,
-				      SEC_PKCS12_PFX_VERSION);
-	if(dummy == NULL) {
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    rv = SECFailure;
-	    goto loser;
-	}
-
-	/* generate the privacy salt used to create virtual pwd */
-	psalt = sec_pkcs12_generate_salt();
-	if(psalt != NULL) {
-	    rv = SECITEM_CopyItem(asafe->poolp, &asafe->privacySalt,
-				  psalt);
-	    if(rv == SECSuccess) {
-		asafe->privacySalt.len *= 8;
-	    } 
-	    else {
-		SECITEM_ZfreeItem(psalt, PR_TRUE);
-		PORT_SetError(SEC_ERROR_NO_MEMORY);
-		goto loser;
-	    }
-	} 
-
-	if((psalt == NULL) || (rv == SECFailure)) {
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    rv = SECFailure;
-	    goto loser;
-	}
-
-	/* package up safe contents */
-	if(safe != NULL) 
-	{
-	    safe_cinfo = SEC_PKCS7CreateEncryptedData(algorithm, NULL, wincx);
-	    if((safe_cinfo != NULL) && (safe->safe_size > 0)) {
-		/* encode the safe and encrypt the contents of the 
-		 * content info
-		 */
-		src = sec_pkcs12_encode_safe_contents(safe);
-
-		if(src != NULL) {
-		    rv = SEC_PKCS7SetContent(safe_cinfo, (char *)src->data, src->len);
-		    SECITEM_ZfreeItem(src, PR_TRUE);
-		    if(rv == SECSuccess) {
-			SECItem *vpwd;
-			vpwd = sec_pkcs12_create_virtual_password(pwitem, psalt,
-						unicodeFn, swapUnicodeBytes);
-			if(vpwd != NULL) {
-			    rv = SEC_PKCS7EncryptContents(NULL, safe_cinfo,
-							  vpwd, wincx);
-			    SECITEM_ZfreeItem(vpwd, PR_TRUE);
-			} else {
-			    rv = SECFailure;
-			    PORT_SetError(SEC_ERROR_NO_MEMORY);
-			}
-		    } else {
-			PORT_SetError(SEC_ERROR_NO_MEMORY);
-		    }
-		} else {
-		    rv = SECFailure;
-		}
-	    } else if(safe->safe_size > 0) {
-		PORT_SetError(SEC_ERROR_NO_MEMORY);
-		goto loser;
-	    } else {
-	    	/* case where there is NULL content in the safe contents */
-		rv = SEC_PKCS7SetContent(safe_cinfo, NULL, 0);
-		if(rv != SECFailure) {
-		    PORT_SetError(SEC_ERROR_NO_MEMORY);
-		}
-	    }
-
-	    if(rv != SECSuccess) {
-		SEC_PKCS7DestroyContentInfo(safe_cinfo);
-		safe_cinfo = NULL;
-		goto loser;
-	    }
-
-	    asafe->safe = safe_cinfo;	
-	    /*
-	    PORT_Memcpy(&asafe->safe, safe_cinfo, sizeof(*safe_cinfo));
-	    */
-	}
-
-	/* copy the baggage to the authenticated safe baggage if present */
-	if(baggage != NULL) {
-	    PORT_Memcpy(&asafe->baggage, baggage, sizeof(*baggage));
-	}
-
-	/* encode authenticated safe and store it in a Data content info */
-	dest = (SECItem *)PORT_ArenaZAlloc(poolp, sizeof(SECItem));
-	if(dest != NULL) {
-	    dummy = SEC_ASN1EncodeItem(poolp, dest, asafe, 
-				SEC_PKCS12AuthenticatedSafeTemplate);
-	    if(dummy != NULL) {
-		asafe_cinfo = SEC_PKCS7CreateData();
-		if(asafe_cinfo != NULL) {
-		    rv = SEC_PKCS7SetContent(asafe_cinfo, 
-					 	(char *)dest->data, 
-						dest->len);
-		    if(rv != SECSuccess) {
-			PORT_SetError(SEC_ERROR_NO_MEMORY);
-			SEC_PKCS7DestroyContentInfo(asafe_cinfo);
-			asafe_cinfo = NULL;
-		    }
-		}
-	    } else {
-		PORT_SetError(SEC_ERROR_NO_MEMORY);
-		rv = SECFailure;
-	    }
-	}
-    }
-
-loser:
-    PORT_FreeArena(poolp, PR_TRUE);
-    if(safe_cinfo != NULL) {
-    	SEC_PKCS7DestroyContentInfo(safe_cinfo);
-    }
-    if(psalt != NULL) {
-	SECITEM_ZfreeItem(psalt, PR_TRUE);
-    }
-
-    if(rv == SECFailure) {
-	return NULL;
-    }
-	
-    return asafe_cinfo;
-}
-
-/* generates the PFX and computes the mac on the authenticated safe 
- * NULL implies an error
- */
-static SEC_PKCS12PFXItem *
-sec_pkcs12_get_pfx(SEC_PKCS7ContentInfo *cinfo, 
-		   PRBool do_mac, 
-		   SECItem *pwitem, PKCS12UnicodeConvertFunction unicodeFn)
-{
-    SECItem *dest = NULL, *mac = NULL, *salt = NULL, *key = NULL;
-    SEC_PKCS12PFXItem *pfx;
-    SECStatus rv = SECFailure;
-    SGNDigestInfo *di;
-    SECItem *vpwd;
-    PRBool swapUnicodeBytes = PR_FALSE;
-
-#ifdef IS_LITTLE_ENDIAN
-    swapUnicodeBytes = PR_TRUE;
-#endif
-
-    if((cinfo == NULL) || ((do_mac == PR_TRUE) && (pwitem == NULL))) {
-	return NULL;
-    }
-
-    /* allocate new pfx structure */
-    pfx = sec_pkcs12_new_pfx();
-    if(pfx == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    PORT_Memcpy(&pfx->authSafe, cinfo, sizeof(*cinfo));
-    if(do_mac == PR_TRUE) {
-
-    	/* salt for computing mac */
-	salt = sec_pkcs12_generate_salt();
-	if(salt != NULL) {
-	    rv = SECITEM_CopyItem(pfx->poolp, &pfx->macData.macSalt, salt);
-	    pfx->macData.macSalt.len *= 8;
-
-	    vpwd = sec_pkcs12_create_virtual_password(pwitem, salt,
-						unicodeFn, swapUnicodeBytes);
-	    if(vpwd == NULL) {
-		rv = SECFailure;
-		key = NULL;
-	    } else {
-		key = sec_pkcs12_generate_key_from_password(SEC_OID_SHA1,
-							salt, vpwd);
-		SECITEM_ZfreeItem(vpwd, PR_TRUE);
-	    }
-
-	    if((key != NULL) && (rv == SECSuccess)) {
-		dest = SEC_PKCS7GetContent(cinfo);
-		if(dest != NULL) {
-
-		    /* compute mac on data -- for password integrity mode */
-		    mac = sec_pkcs12_generate_mac(key, dest, PR_FALSE);
-		    if(mac != NULL) {
-			di = SGN_CreateDigestInfo(SEC_OID_SHA1, 
-			    			  mac->data, mac->len);
-			if(di != NULL) {
-			    rv = SGN_CopyDigestInfo(pfx->poolp, 
-						    &pfx->macData.safeMac, di);
-			    SGN_DestroyDigestInfo(di);
-			} else {
-			    PORT_SetError(SEC_ERROR_NO_MEMORY);
-			}
-			SECITEM_ZfreeItem(mac, PR_TRUE);
-		    }
-		} else {
-		    rv = SECFailure;
-		}
-	    } else {
-		PORT_SetError(SEC_ERROR_NO_MEMORY);
-		rv = SECFailure;
-	    }
-
-	    if(key != NULL) {
-		SECITEM_ZfreeItem(key, PR_TRUE);
-	    }
-	    SECITEM_ZfreeItem(salt, PR_TRUE);
-	}
-    }
-
-    if(rv == SECFailure) {
-	SEC_PKCS12DestroyPFX(pfx);
-	pfx = NULL;
-    }
-
-    return pfx;
-}
-
-/* der encode the pfx */
-static SECItem *
-sec_pkcs12_encode_pfx(SEC_PKCS12PFXItem *pfx)
-{
-    SECItem *dest;
-    void *dummy;
-
-    if(pfx == NULL) {
-	return NULL;
-    }
-
-    dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
-    if(dest == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    dummy = SEC_ASN1EncodeItem(NULL, dest, pfx, SEC_PKCS12PFXItemTemplate);
-    if(dummy == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	SECITEM_ZfreeItem(dest, PR_TRUE);
-	dest = NULL;
-    }
-
-    return dest;
-}
-
-SECItem *
-SEC_PKCS12GetPFX(char **nicknames,
-		 CERTCertificate **ref_certs,
-		 PRBool shroud_keys, 
-		 SEC_PKCS5GetPBEPassword pbef, 
-		 void *pbearg,
-		 PKCS12UnicodeConvertFunction unicodeFn,
-		 void *wincx)
-{
-    SECItem **nicks = NULL;
-    SEC_PKCS12PFXItem *pfx = NULL;
-    SEC_PKCS12Baggage *baggage = NULL;
-    SEC_PKCS12SafeContents *safe = NULL;
-    SEC_PKCS7ContentInfo *cinfo = NULL;
-    SECStatus rv = SECFailure;
-    SECItem *dest = NULL, *pwitem = NULL;
-    PRBool problem = PR_FALSE;
-    PRBool unencryptedCerts;
-    SECOidTag shroud_alg, safe_alg;
-
-    /* how should we encrypt certs ? */
-    unencryptedCerts = !SEC_PKCS12IsEncryptionAllowed();
-    if(!unencryptedCerts) {
-	safe_alg = SEC_PKCS12GetPreferredEncryptionAlgorithm();
-	if(safe_alg == SEC_OID_UNKNOWN) {
-	    safe_alg = SEC_PKCS12GetStrongestAllowedAlgorithm();
-	}
-	if(safe_alg == SEC_OID_UNKNOWN) {
-	    unencryptedCerts = PR_TRUE;
-	    /* for export where no encryption is allowed, we still need
-	     * to encrypt the NULL contents per the spec.  encrypted info
-	     * is known plaintext, so it shouldn't be a problem.
-	     */
-	    safe_alg = SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC;
-	}
-    } else {
-	/* for export where no encryption is allowed, we still need
-	 * to encrypt the NULL contents per the spec.  encrypted info
-	 * is known plaintext, so it shouldn't be a problem.
-	 */
-	safe_alg = SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC;
-    }
-
-    /* keys are always stored with triple DES */
-    shroud_alg = SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC;
-
-    /* check for FIPS, if so, do not encrypt certs */
-    if(PK11_IsFIPS() && !unencryptedCerts) {
-	unencryptedCerts = PR_TRUE;
-    }
-
-    if((nicknames == NULL) || (pbef == NULL) || (ref_certs == NULL)) {
-	problem = PR_TRUE;
-	goto loser;
-    }
-
-
-    /* get password */
-    pwitem = (*pbef)(pbearg);
-    if(pwitem == NULL) {
-	problem = PR_TRUE;
-	goto loser;
-    }
-    nicks = sec_pkcs12_convert_nickname_list(nicknames);
-
-    /* get safe and baggage */
-    rv = sec_pkcs12_package_certs_and_keys(nicks, ref_certs, unencryptedCerts,
-    					   &safe, &baggage, shroud_keys,
-    					   shroud_alg, pwitem, unicodeFn, wincx);
-    if(rv == SECFailure) {
-	problem = PR_TRUE;
-    }
-
-    if((safe != NULL) && (problem == PR_FALSE)) {
-	/* copy thumbprints */
-	rv = sec_pkcs12_propagate_thumbprints(nicks, ref_certs, safe, baggage);
-
-	/* package everything up into AuthenticatedSafe */
-	cinfo = sec_pkcs12_get_auth_safe(safe, baggage, 
-					 safe_alg, pwitem, unicodeFn, wincx);
-
-	sec_pkcs12_destroy_cert_content_infos(safe, baggage);
-
-	/* get the pfx and mac it */
-	if(cinfo != NULL) {
-	    pfx = sec_pkcs12_get_pfx(cinfo, PR_TRUE, pwitem, unicodeFn);
-	    if(pfx != NULL) {
-		dest = sec_pkcs12_encode_pfx(pfx);
-		SEC_PKCS12DestroyPFX(pfx);
-	    }
-	    SEC_PKCS7DestroyContentInfo(cinfo);
-	}
-
-	if(safe != NULL) {
-	    PORT_FreeArena(safe->poolp, PR_TRUE);
-	}
-    } else {
-	if(safe != NULL) {
-	    PORT_FreeArena(safe->poolp, PR_TRUE);
-	}
-    }
-
-loser:
-    if(nicks != NULL) {
-	sec_pkcs12_destroy_nickname_list(nicks);
-    }
-
-    if(ref_certs != NULL) {
-	sec_pkcs12_destroy_certificate_list(ref_certs);
-    }
-
-    if(pwitem != NULL) {
-	SECITEM_ZfreeItem(pwitem, PR_TRUE);
-    }
-
-    if(problem == PR_TRUE) {
-	dest = NULL;
-    }
-
-    return dest;
-}
diff --git a/security/nss/lib/pkcs12/p12local.c b/security/nss/lib/pkcs12/p12local.c
deleted file mode 100644
index 346038333..000000000
--- a/security/nss/lib/pkcs12/p12local.c
+++ /dev/null
@@ -1,1371 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "nssrenam.h"
-#include "pkcs12.h"
-#include "secpkcs7.h"
-#include "secasn1.h"
-#include "seccomon.h"
-#include "secoid.h"
-#include "sechash.h"
-#include "secitem.h"
-#include "secerr.h"
-#include "pk11func.h"
-#include "p12local.h"
-#include "p12.h"
-
-#define SALT_LENGTH	16
-
-SEC_ASN1_MKSUB(SECKEY_PrivateKeyInfoTemplate)
-SEC_ASN1_MKSUB(sgn_DigestInfoTemplate)
-
-CK_MECHANISM_TYPE
-sec_pkcs12_algtag_to_mech(SECOidTag algtag)
-{
-    switch (algtag) {
-    case SEC_OID_MD2:
-	return CKM_MD2_HMAC;
-    case SEC_OID_MD5:
-	return CKM_MD5_HMAC;
-    case SEC_OID_SHA1:
-	return CKM_SHA_1_HMAC;
-    case SEC_OID_SHA256:
-	return CKM_SHA256_HMAC;
-    case SEC_OID_SHA384:
-	return CKM_SHA384_HMAC;
-    case SEC_OID_SHA512:
-	return CKM_SHA512_HMAC;
-    default:
-	break;
-    }
-    return CKM_INVALID_MECHANISM;
-}
-
-/* helper functions */
-/* returns proper bag type template based upon object type tag */
-const SEC_ASN1Template *
-sec_pkcs12_choose_bag_type_old(void *src_or_dest, PRBool encoding)
-{
-    const SEC_ASN1Template *theTemplate;
-    SEC_PKCS12SafeBag *safebag;
-    SECOidData *oiddata;
-
-    if (src_or_dest == NULL) {
-	return NULL;
-    }
-
-    safebag = (SEC_PKCS12SafeBag*)src_or_dest;
-
-    oiddata = safebag->safeBagTypeTag;
-    if (oiddata == NULL) {
-	oiddata = SECOID_FindOID(&safebag->safeBagType);
-	safebag->safeBagTypeTag = oiddata;
-    }
-
-    switch (oiddata->offset) {
-	default:
-	    theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
-	    break;
-	case SEC_OID_PKCS12_KEY_BAG_ID:
-	    theTemplate = SEC_PointerToPKCS12KeyBagTemplate;
-	    break;
-	case SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID:
-	    theTemplate = SEC_PointerToPKCS12CertAndCRLBagTemplate_OLD;
-	    break;
-        case SEC_OID_PKCS12_SECRET_BAG_ID:
-	    theTemplate = SEC_PointerToPKCS12SecretBagTemplate;
-	    break;
-    }
-    return theTemplate;
-}
-
-const SEC_ASN1Template *
-sec_pkcs12_choose_bag_type(void *src_or_dest, PRBool encoding)
-{
-    const SEC_ASN1Template *theTemplate;
-    SEC_PKCS12SafeBag *safebag;
-    SECOidData *oiddata;
-
-    if (src_or_dest == NULL) {
-	return NULL;
-    }
-
-    safebag = (SEC_PKCS12SafeBag*)src_or_dest;
-
-    oiddata = safebag->safeBagTypeTag;
-    if (oiddata == NULL) {
-	oiddata = SECOID_FindOID(&safebag->safeBagType);
-	safebag->safeBagTypeTag = oiddata;
-    }
-
-    switch (oiddata->offset) {
-	default:
-	    theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
-	    break;
-	case SEC_OID_PKCS12_KEY_BAG_ID:
-	    theTemplate = SEC_PKCS12PrivateKeyBagTemplate;
-	    break;
-	case SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID:
-	    theTemplate = SEC_PKCS12CertAndCRLBagTemplate;
-	    break;
-        case SEC_OID_PKCS12_SECRET_BAG_ID:
-	    theTemplate = SEC_PKCS12SecretBagTemplate;
-	    break;
-    }
-    return theTemplate;
-}
-
-/* returns proper cert crl template based upon type tag */
-const SEC_ASN1Template *
-sec_pkcs12_choose_cert_crl_type_old(void *src_or_dest, PRBool encoding)
-{
-    const SEC_ASN1Template *theTemplate;
-    SEC_PKCS12CertAndCRL *certbag;
-    SECOidData *oiddata;
-
-    if (src_or_dest == NULL) {
-	return NULL;
-    }
-
-    certbag = (SEC_PKCS12CertAndCRL*)src_or_dest;
-    oiddata = certbag->BagTypeTag;
-    if (oiddata == NULL) {
-	oiddata = SECOID_FindOID(&certbag->BagID);
-	certbag->BagTypeTag = oiddata;
-    }
-
-    switch (oiddata->offset) {
-	default:
-	    theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
-	    break;
-	case SEC_OID_PKCS12_X509_CERT_CRL_BAG:
-	    theTemplate = SEC_PointerToPKCS12X509CertCRLTemplate_OLD;
-	    break;
-	case SEC_OID_PKCS12_SDSI_CERT_BAG:
-	    theTemplate = SEC_PointerToPKCS12SDSICertTemplate;
-	    break;
-    }
-    return theTemplate;
-}
-
-const SEC_ASN1Template *
-sec_pkcs12_choose_cert_crl_type(void *src_or_dest, PRBool encoding)
-{
-    const SEC_ASN1Template *theTemplate;
-    SEC_PKCS12CertAndCRL *certbag;
-    SECOidData *oiddata;
-
-    if (src_or_dest == NULL) {
-	return NULL;
-    }
-
-    certbag = (SEC_PKCS12CertAndCRL*)src_or_dest;
-    oiddata = certbag->BagTypeTag;
-    if (oiddata == NULL) {
-	oiddata = SECOID_FindOID(&certbag->BagID);
-	certbag->BagTypeTag = oiddata;
-    }
-
-    switch (oiddata->offset) {
-	default:
-	    theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
-	    break;
-	case SEC_OID_PKCS12_X509_CERT_CRL_BAG:
-	    theTemplate = SEC_PointerToPKCS12X509CertCRLTemplate;
-	    break;
-	case SEC_OID_PKCS12_SDSI_CERT_BAG:
-	    theTemplate = SEC_PointerToPKCS12SDSICertTemplate;
-	    break;
-    }
-    return theTemplate;
-}
-
-/* returns appropriate shroud template based on object type tag */
-const SEC_ASN1Template *
-sec_pkcs12_choose_shroud_type(void *src_or_dest, PRBool encoding)
-{
-    const SEC_ASN1Template *theTemplate;
-    SEC_PKCS12ESPVKItem *espvk;
-    SECOidData *oiddata;
-
-    if (src_or_dest == NULL) {
-	return NULL;
-    }
-
-    espvk = (SEC_PKCS12ESPVKItem*)src_or_dest;
-    oiddata = espvk->espvkTag;
-    if (oiddata == NULL) {
-	oiddata = SECOID_FindOID(&espvk->espvkOID);
- 	espvk->espvkTag = oiddata;
-    }
-
-    switch (oiddata->offset) {
-	default:
-	    theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
-	    break;
-	case SEC_OID_PKCS12_PKCS8_KEY_SHROUDING:
-	   theTemplate = 
-		SEC_ASN1_GET(SECKEY_PointerToEncryptedPrivateKeyInfoTemplate);
-	    break;
-    }
-    return theTemplate;
-}
-
-/* generate SALT  placing it into the character array passed in.
- * it is assumed that salt_dest is an array of appropriate size
- * XXX We might want to generate our own random context
- */
-SECItem *
-sec_pkcs12_generate_salt(void)
-{
-    SECItem *salt;
-
-    salt = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
-    if(salt == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-    salt->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char) * 
-					      SALT_LENGTH);
-    salt->len = SALT_LENGTH;
-    if(salt->data == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	SECITEM_ZfreeItem(salt, PR_TRUE);
-	return NULL;
-    }
-
-    PK11_GenerateRandom(salt->data, salt->len);
-
-    return salt;
-}
-
-/* generate KEYS -- as per PKCS12 section 7.  
- * only used for MAC
- */
-SECItem *
-sec_pkcs12_generate_key_from_password(SECOidTag algorithm, 
-				      SECItem *salt, 
-				      SECItem *password) 
-{
-    unsigned char *pre_hash=NULL;
-    unsigned char *hash_dest=NULL;
-    SECStatus res;
-    PRArenaPool *poolp;
-    SECItem *key = NULL;
-    int key_len = 0;
-
-    if((salt == NULL) || (password == NULL)) {
-	return NULL;
-    }
-
-    poolp = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if(poolp == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    pre_hash = (unsigned char *)PORT_ArenaZAlloc(poolp, sizeof(char) * 
-						 (salt->len+password->len));
-    if(pre_hash == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    hash_dest = (unsigned char *)PORT_ArenaZAlloc(poolp, 
-					sizeof(unsigned char) * SHA1_LENGTH);
-    if(hash_dest == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    PORT_Memcpy(pre_hash, salt->data, salt->len);
-    /* handle password of 0 length case */
-    if(password->len > 0) {
-	PORT_Memcpy(&(pre_hash[salt->len]), password->data, password->len);
-    }
-
-    res = PK11_HashBuf(SEC_OID_SHA1, hash_dest, pre_hash, 
-                       (salt->len+password->len));
-    if(res == SECFailure) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    switch(algorithm) {
-	case SEC_OID_SHA1:
-	    if(key_len == 0)
-		key_len = 16;
-	    key = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
-	    if(key == NULL) {
-		PORT_SetError(SEC_ERROR_NO_MEMORY);
-		goto loser;
-	    }
-	    key->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char) 
-						     * key_len);
-	    if(key->data == NULL) {
-		PORT_SetError(SEC_ERROR_NO_MEMORY);
-		goto loser;
-	    }
-	    key->len = key_len;
-	    PORT_Memcpy(key->data, &hash_dest[SHA1_LENGTH-key->len], key->len);
-	    break;
-	default:
-	    goto loser;
-	    break;
-    }
-
-    PORT_FreeArena(poolp, PR_TRUE);
-    return key;
-
-loser:
-    PORT_FreeArena(poolp, PR_TRUE);
-    if(key != NULL) {
-	SECITEM_ZfreeItem(key, PR_TRUE);
-    }
-    return NULL;
-}
-
-/* MAC is generated per PKCS 12 section 6.  It is expected that key, msg
- * and mac_dest are pre allocated, non-NULL arrays.  msg_len is passed in
- * because it is not known how long the message actually is.  String
- * manipulation routines will not necessarily work because msg may have
- * imbedded NULLs
- */
-static SECItem *
-sec_pkcs12_generate_old_mac(SECItem *key, 
-			    SECItem *msg)
-{
-    SECStatus res;
-    PRArenaPool *temparena = NULL;
-    unsigned char *hash_dest=NULL, *hash_src1=NULL, *hash_src2 = NULL;
-    int i;
-    SECItem *mac = NULL;
-
-    if((key == NULL) || (msg == NULL))
-        goto loser;
-
-    /* allocate return item */
-    mac = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
-    if(mac == NULL)
-    	return NULL;
-    mac->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char)
-    	* SHA1_LENGTH);
-    mac->len = SHA1_LENGTH;
-    if(mac->data == NULL)
-	goto loser;
-
-    /* allocate temporary items */
-    temparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if(temparena == NULL)
-	goto loser;
-
-    hash_src1 = (unsigned char *)PORT_ArenaZAlloc(temparena,
-    	sizeof(unsigned char) * (16+msg->len));
-    if(hash_src1 == NULL)
-        goto loser;
-
-    hash_src2 = (unsigned char *)PORT_ArenaZAlloc(temparena,
-   	sizeof(unsigned char) * (SHA1_LENGTH+16));
-    if(hash_src2 == NULL)
-        goto loser;
-
-    hash_dest = (unsigned char *)PORT_ArenaZAlloc(temparena, 
-   	sizeof(unsigned char) * SHA1_LENGTH);
-    if(hash_dest == NULL)
-        goto loser;
-
-    /* perform mac'ing as per PKCS 12 */
-
-    /* first round of hashing */
-    for(i = 0; i < 16; i++)
-	hash_src1[i] = key->data[i] ^ 0x36;
-    PORT_Memcpy(&(hash_src1[16]), msg->data, msg->len);
-    res = PK11_HashBuf(SEC_OID_SHA1, hash_dest, hash_src1, (16+msg->len));
-    if(res == SECFailure)
-	goto loser;
-
-    /* second round of hashing */
-    for(i = 0; i < 16; i++)
-	hash_src2[i] = key->data[i] ^ 0x5c;
-    PORT_Memcpy(&(hash_src2[16]), hash_dest, SHA1_LENGTH);
-    res = PK11_HashBuf(SEC_OID_SHA1, mac->data, hash_src2, SHA1_LENGTH+16);
-    if(res == SECFailure)
-	goto loser;
-
-    PORT_FreeArena(temparena, PR_TRUE);
-    return mac;
-
-loser:
-    if(temparena != NULL)
-	PORT_FreeArena(temparena, PR_TRUE);
-    if(mac != NULL)
-	SECITEM_ZfreeItem(mac, PR_TRUE);
-    return NULL;
-}
-
-/* MAC is generated per PKCS 12 section 6.  It is expected that key, msg
- * and mac_dest are pre allocated, non-NULL arrays.  msg_len is passed in
- * because it is not known how long the message actually is.  String
- * manipulation routines will not necessarily work because msg may have
- * imbedded NULLs
- */
-SECItem *
-sec_pkcs12_generate_mac(SECItem *key, 
-			SECItem *msg,
-			PRBool old_method)
-{
-    SECStatus res = SECFailure;
-    SECItem *mac = NULL;
-    PK11Context *pk11cx = NULL;    
-    SECItem ignore = {0};
-
-    if((key == NULL) || (msg == NULL)) {
-	return NULL;
-    }
-
-    if(old_method == PR_TRUE) {
-	return sec_pkcs12_generate_old_mac(key, msg);
-    }
-
-    /* allocate return item */
-    mac = SECITEM_AllocItem(NULL, NULL, SHA1_LENGTH);
-    if (mac == NULL) {
-	return NULL;
-    }
-
-    pk11cx = PK11_CreateContextByRawKey(NULL, CKM_SHA_1_HMAC, PK11_OriginDerive,
-                                        CKA_SIGN, key, &ignore, NULL);
-    if (pk11cx == NULL) {
-	goto loser;
-    }
-
-    res = PK11_DigestBegin(pk11cx);
-    if (res == SECFailure) {
-	goto loser;
-    }
-
-    res = PK11_DigestOp(pk11cx, msg->data, msg->len);
-    if (res == SECFailure) {
-	goto loser;
-    }
-
-    res = PK11_DigestFinal(pk11cx, mac->data, &mac->len, SHA1_LENGTH);
-    if (res == SECFailure) {
-	goto loser;
-    }
-
-    PK11_DestroyContext(pk11cx, PR_TRUE);
-    pk11cx = NULL;
-
-loser:
-
-    if(res != SECSuccess) {
-	SECITEM_ZfreeItem(mac, PR_TRUE);
-	mac = NULL;
-	if (pk11cx) {
-	    PK11_DestroyContext(pk11cx, PR_TRUE);
-	}
-    }
-
-    return mac;
-}
-
-/* compute the thumbprint of the DER cert and create a digest info
- * to store it in and return the digest info.
- * a return of NULL indicates an error.
- */
-SGNDigestInfo *
-sec_pkcs12_compute_thumbprint(SECItem *der_cert)
-{
-    SGNDigestInfo *thumb = NULL;
-    SECItem digest;
-    PRArenaPool *temparena = NULL;
-    SECStatus rv = SECFailure;
-
-    if(der_cert == NULL)
-	return NULL;
-
-    temparena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
-    if(temparena == NULL) {
-	return NULL;
-    }
-
-    digest.data = (unsigned char *)PORT_ArenaZAlloc(temparena,
-						    sizeof(unsigned char) * 
-						    SHA1_LENGTH);
-    /* digest data and create digest info */
-    if(digest.data != NULL) {
-	digest.len = SHA1_LENGTH;
-	rv = PK11_HashBuf(SEC_OID_SHA1, digest.data, der_cert->data, 
-	                  der_cert->len);
-	if(rv == SECSuccess) {
-	    thumb = SGN_CreateDigestInfo(SEC_OID_SHA1, 
-					 digest.data, 
-					 digest.len);
-	} else {
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	}
-    } else {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-    }
-
-    PORT_FreeArena(temparena, PR_TRUE);
-
-    return thumb;
-}
-
-/* create a virtual password per PKCS 12, the password is converted
- * to unicode, the salt is prepended to it, and then the whole thing
- * is returned */
-SECItem *
-sec_pkcs12_create_virtual_password(SECItem *password, SECItem *salt,
-				   PRBool swap)
-{
-    SECItem uniPwd = {siBuffer, NULL,0}, *retPwd = NULL;
-
-    if((password == NULL) || (salt == NULL)) {
-	return NULL;
-    }
-
-    if(password->len == 0) {
-	uniPwd.data = (unsigned char*)PORT_ZAlloc(2);
-	uniPwd.len = 2;
-	if(!uniPwd.data) {
-	    return NULL;
-	}
-    } else {
-	uniPwd.data = (unsigned char*)PORT_ZAlloc(password->len * 3);
-	uniPwd.len = password->len * 3;
-	if(!PORT_UCS2_ASCIIConversion(PR_TRUE, password->data, password->len,
-				uniPwd.data, uniPwd.len, &uniPwd.len, swap)) {
-	    SECITEM_ZfreeItem(&uniPwd, PR_FALSE);
-	    return NULL;
-	}
-    }
-
-    retPwd = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
-    if(retPwd == NULL) {
-	goto loser;
-    }
-
-    /* allocate space and copy proper data */
-    retPwd->len = uniPwd.len + salt->len;
-    retPwd->data = (unsigned char *)PORT_Alloc(retPwd->len);
-    if(retPwd->data == NULL) {
-	PORT_Free(retPwd);
-	goto loser;
-    }
-
-    PORT_Memcpy(retPwd->data, salt->data, salt->len);
-    PORT_Memcpy((retPwd->data + salt->len), uniPwd.data, uniPwd.len);
-
-    SECITEM_ZfreeItem(&uniPwd, PR_FALSE);
-
-    return retPwd;
-
-loser:
-    PORT_SetError(SEC_ERROR_NO_MEMORY);
-    SECITEM_ZfreeItem(&uniPwd, PR_FALSE);
-    return NULL;
-}
-
-/* appends a shrouded key to a key bag.  this is used for exporting
- * to store externally wrapped keys.  it is used when importing to convert
- * old items to new
- */
-SECStatus 
-sec_pkcs12_append_shrouded_key(SEC_PKCS12BaggageItem *bag,
-				SEC_PKCS12ESPVKItem *espvk)
-{
-    int size;
-    void *mark = NULL, *dummy = NULL;
-
-    if((bag == NULL) || (espvk == NULL))
-	return SECFailure;
-
-    mark = PORT_ArenaMark(bag->poolp);
-
-    /* grow the list */
-    size = (bag->nEspvks + 1) * sizeof(SEC_PKCS12ESPVKItem *);
-    dummy = (SEC_PKCS12ESPVKItem **)PORT_ArenaGrow(bag->poolp,
-	    				bag->espvks, size, 
-	    				size + sizeof(SEC_PKCS12ESPVKItem *));
-    bag->espvks = (SEC_PKCS12ESPVKItem**)dummy;
-    if(dummy == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    bag->espvks[bag->nEspvks] = espvk;
-    bag->nEspvks++;
-    bag->espvks[bag->nEspvks] = NULL;
-
-    PORT_ArenaUnmark(bag->poolp, mark);
-    return SECSuccess;
-
-loser:
-    PORT_ArenaRelease(bag->poolp, mark);
-    return SECFailure;
-}
-
-/* search a certificate list for a nickname, a thumbprint, or both
- * within a certificate bag.  if the certificate could not be
- * found or an error occurs, NULL is returned;
- */
-static SEC_PKCS12CertAndCRL *
-sec_pkcs12_find_cert_in_certbag(SEC_PKCS12CertAndCRLBag *certbag,
-				SECItem *nickname, SGNDigestInfo *thumbprint)
-{
-    PRBool search_both = PR_FALSE, search_nickname = PR_FALSE;
-    int i, j;
-
-    if((certbag == NULL) || ((nickname == NULL) && (thumbprint == NULL))) {
-	return NULL;
-    }
-
-    if(thumbprint && nickname) {
-	search_both = PR_TRUE;
-    }
-
-    if(nickname) {
-	search_nickname = PR_TRUE;
-    }
-
-search_again:  
-    i = 0;
-    while(certbag->certAndCRLs[i] != NULL) {
-	SEC_PKCS12CertAndCRL *cert = certbag->certAndCRLs[i];
-
-	if(SECOID_FindOIDTag(&cert->BagID) == SEC_OID_PKCS12_X509_CERT_CRL_BAG) {
-
-	    /* check nicknames */
-	    if(search_nickname) {
-		if(SECITEM_CompareItem(nickname, &cert->nickname) == SECEqual) {
-		    return cert;
-		}
-	    } else {
-	    /* check thumbprints */
-		SECItem **derCertList;
-
-		/* get pointer to certificate list, does not need to
-		 * be freed since it is within the arena which will
-		 * be freed later.
-		 */
-		derCertList = SEC_PKCS7GetCertificateList(&cert->value.x509->certOrCRL);
-		j = 0;
-		if(derCertList != NULL) {
-		    while(derCertList[j] != NULL) {
-			SECComparison eq;
-			SGNDigestInfo *di;
-			di = sec_pkcs12_compute_thumbprint(derCertList[j]);
-			if(di) {
-			    eq = SGN_CompareDigestInfo(thumbprint, di);
-			    SGN_DestroyDigestInfo(di);
-			    if(eq == SECEqual) {
-				/* copy the derCert for later reference */
-				cert->value.x509->derLeafCert = derCertList[j];
-				return cert;
-			    }
-			} else {
-			    /* an error occurred */
-			    return NULL;
-			}
-			j++;
-		    }
-		}
-	    }
-	}
-
-	i++;
-    }
-
-    if(search_both) {
-	search_both = PR_FALSE;
-	search_nickname = PR_FALSE;
-	goto search_again;
-    }
-
-    return NULL;
-}
-
-/* search a key list for a nickname, a thumbprint, or both
- * within a key bag.  if the key could not be
- * found or an error occurs, NULL is returned;
- */
-static SEC_PKCS12PrivateKey *
-sec_pkcs12_find_key_in_keybag(SEC_PKCS12PrivateKeyBag *keybag,
-			      SECItem *nickname, SGNDigestInfo *thumbprint)
-{
-    PRBool search_both = PR_FALSE, search_nickname = PR_FALSE;
-    int i, j;
-
-    if((keybag == NULL) || ((nickname == NULL) && (thumbprint == NULL))) {
-	return NULL;
-    }
-
-    if(keybag->privateKeys == NULL) {
-	return NULL;
-    }
-
-    if(thumbprint && nickname) {
-	search_both = PR_TRUE;
-    }
-
-    if(nickname) {
-	search_nickname = PR_TRUE;
-    }
-
-search_again:  
-    i = 0;
-    while(keybag->privateKeys[i] != NULL) {
-	SEC_PKCS12PrivateKey *key = keybag->privateKeys[i];
-
-	/* check nicknames */
-	if(search_nickname) {
-	    if(SECITEM_CompareItem(nickname, &key->pvkData.nickname) == SECEqual) {
-		return key;
-	    }
-	} else {
-	    /* check digests */
-	    SGNDigestInfo **assocCerts = key->pvkData.assocCerts;
-	    if((assocCerts == NULL) || (assocCerts[0] == NULL)) {
-		return NULL;
-	    }
-
-	    j = 0;
-	    while(assocCerts[j] != NULL) {
-		SECComparison eq;
-		eq = SGN_CompareDigestInfo(thumbprint, assocCerts[j]);
-		if(eq == SECEqual) {
-		    return key;
-		}
-		j++;
-	    }
-	}
-	i++;
-    }
-
-    if(search_both) {
-	search_both = PR_FALSE;
-	search_nickname = PR_FALSE;
-	goto search_again;
-    }
-
-    return NULL;
-}
-
-/* seach the safe first then try the baggage bag 
- *  safe and bag contain certs and keys to search
- *  objType is the object type to look for
- *  bagType is the type of bag that was found by sec_pkcs12_find_object
- *  index is the entity in safe->safeContents or bag->unencSecrets which
- *    is being searched
- *  nickname and thumbprint are the search criteria
- * 
- * a return of null indicates no match
- */
-static void *
-sec_pkcs12_try_find(SEC_PKCS12SafeContents *safe,
-		  SEC_PKCS12BaggageItem *bag,
-		  SECOidTag objType, SECOidTag bagType, int index,
-		  SECItem *nickname, SGNDigestInfo *thumbprint)
-{
-    PRBool searchSafe;
-    int i = index;
-
-    if((safe == NULL) && (bag == NULL)) {
-	return NULL;
-    }
-
-    searchSafe = (safe == NULL ? PR_FALSE : PR_TRUE);
-    switch(objType) {
-	case SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID:
-	    if(objType == bagType) {
-		SEC_PKCS12CertAndCRLBag *certBag;
-
-		if(searchSafe) {
-		    certBag = safe->contents[i]->safeContent.certAndCRLBag;
-		} else {
-		    certBag = bag->unencSecrets[i]->safeContent.certAndCRLBag;
-		}
-		return sec_pkcs12_find_cert_in_certbag(certBag, nickname, 
-							thumbprint);
-	    }
-	    break;
-	case SEC_OID_PKCS12_KEY_BAG_ID:
-	    if(objType == bagType) {
-		SEC_PKCS12PrivateKeyBag *keyBag;
-
-		if(searchSafe) {
-		    keyBag = safe->contents[i]->safeContent.keyBag;
-		} else {
-		    keyBag = bag->unencSecrets[i]->safeContent.keyBag;
-		}
-		return sec_pkcs12_find_key_in_keybag(keyBag, nickname, 
-							 thumbprint);
-	    }
-	    break;
-	default:
-	    break;
-    }
-
-    return NULL;
-}
-
-/* searches both the baggage and the safe areas looking for
- * object of specified type matching either the nickname or the 
- * thumbprint specified.
- *
- * safe and baggage store certs and keys
- * objType is the OID for the bag type to be searched:
- *   SEC_OID_PKCS12_KEY_BAG_ID, or 
- *   SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID
- * nickname and thumbprint are the search criteria
- * 
- * if no match found, NULL returned and error set
- */
-void *
-sec_pkcs12_find_object(SEC_PKCS12SafeContents *safe,
-			SEC_PKCS12Baggage *baggage,
-			SECOidTag objType,
-			SECItem *nickname,
-			SGNDigestInfo *thumbprint)
-{
-    int i, j;
-    void *retItem;
-   
-    if(((safe == NULL) && (thumbprint == NULL)) ||
-       ((nickname == NULL) && (thumbprint == NULL))) {
-	return NULL;
-    }    
-
-    i = 0;
-    if((safe != NULL) && (safe->contents != NULL)) {
-	while(safe->contents[i] != NULL) {
-	    SECOidTag bagType = SECOID_FindOIDTag(&safe->contents[i]->safeBagType);
-	    retItem = sec_pkcs12_try_find(safe, NULL, objType, bagType, i,
-	    				  nickname, thumbprint);
-	    if(retItem != NULL) {
-		return retItem;
-	    }
-	    i++;
-	}
-    }
-
-    if((baggage != NULL) && (baggage->bags != NULL)) {
-	i = 0;
-	while(baggage->bags[i] != NULL) {
-	    SEC_PKCS12BaggageItem *xbag = baggage->bags[i];
-	    j = 0;
-	    if(xbag->unencSecrets != NULL) {
-		while(xbag->unencSecrets[j] != NULL) {
-		    SECOidTag bagType;
-		    bagType = SECOID_FindOIDTag(&xbag->unencSecrets[j]->safeBagType);
-		    retItem = sec_pkcs12_try_find(NULL, xbag, objType, bagType,
-		    				  j, nickname, thumbprint);
-		    if(retItem != NULL) {
-			return retItem;
-		    }
-		    j++;
-		}
-	    }
-	    i++;
-	}
-    }
-
-    PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME);
-    return NULL;
-}
-
-/* this function converts a password to unicode and encures that the 
- * required double 0 byte be placed at the end of the string
- */
-PRBool
-sec_pkcs12_convert_item_to_unicode(PRArenaPool *arena, SECItem *dest,
-				   SECItem *src, PRBool zeroTerm,
-				   PRBool asciiConvert, PRBool toUnicode)
-{
-    PRBool success = PR_FALSE;
-    if(!src || !dest) {
-	return PR_FALSE;
-    }
-
-    dest->len = src->len * 3 + 2;
-    if(arena) {
-	dest->data = (unsigned char*)PORT_ArenaZAlloc(arena, dest->len);
-    } else {
-	dest->data = (unsigned char*)PORT_ZAlloc(dest->len);
-    }
-
-    if(!dest->data) {
-	dest->len = 0;
-	return PR_FALSE;
-    }
-
-    if(!asciiConvert) {
-	success = PORT_UCS2_UTF8Conversion(toUnicode, src->data, src->len, dest->data,
-					   dest->len, &dest->len);
-    } else {
-#ifndef IS_LITTLE_ENDIAN
-	PRBool swapUnicode = PR_FALSE;
-#else
-	PRBool swapUnicode = PR_TRUE;
-#endif
-	success = PORT_UCS2_ASCIIConversion(toUnicode, src->data, src->len, dest->data,
-					    dest->len, &dest->len, swapUnicode);
-    }
-
-    if(!success) {
-	if(!arena) {
-	    PORT_Free(dest->data);
-	    dest->data = NULL;
-	    dest->len = 0;
-	}
-	return PR_FALSE;
-    }
-
-    if((dest->data[dest->len-1] || dest->data[dest->len-2]) && zeroTerm) {
-	if(dest->len + 2 > 3 * src->len) {
-	    if(arena) {
-		dest->data = (unsigned char*)PORT_ArenaGrow(arena, 
-						     dest->data, dest->len,
-						     dest->len + 2);
-	    } else {
-		dest->data = (unsigned char*)PORT_Realloc(dest->data, 
-							  dest->len + 2);
-	    }
-
-	    if(!dest->data) {
-		return PR_FALSE;
-	    }
-	}
-	dest->len += 2;
-	dest->data[dest->len-1] = dest->data[dest->len-2] = 0;
-    }
-
-    return PR_TRUE;
-}
-
-/* pkcs 12 templates */
-static const SEC_ASN1TemplateChooserPtr sec_pkcs12_shroud_chooser =
-    sec_pkcs12_choose_shroud_type;
-
-const SEC_ASN1Template SEC_PKCS12CodedSafeBagTemplate[] =
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12SafeBag) },
-    { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12SafeBag, safeBagType) },
-    { SEC_ASN1_ANY, offsetof(SEC_PKCS12SafeBag, derSafeContent) },
-    { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12CodedCertBagTemplate[] =
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12CertAndCRL) },
-    { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12CertAndCRL, BagID) },
-    { SEC_ASN1_ANY, offsetof(SEC_PKCS12CertAndCRL, derValue) },
-    { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12CodedCertAndCRLBagTemplate[] =
-{
-    { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12CertAndCRLBag, certAndCRLs),
-	SEC_PKCS12CodedCertBagTemplate },
-};
-
-const SEC_ASN1Template SEC_PKCS12ESPVKItemTemplate_OLD[] = 
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12ESPVKItem) },
-    { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12ESPVKItem, espvkOID) },
-    { SEC_ASN1_INLINE, offsetof(SEC_PKCS12ESPVKItem, espvkData),
-	SEC_PKCS12PVKSupportingDataTemplate_OLD },
-    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
-	SEC_ASN1_DYNAMIC | 0, offsetof(SEC_PKCS12ESPVKItem, espvkCipherText),
-	&sec_pkcs12_shroud_chooser },
-    { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12ESPVKItemTemplate[] = 
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12ESPVKItem) },
-    { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12ESPVKItem, espvkOID) },
-    { SEC_ASN1_INLINE, offsetof(SEC_PKCS12ESPVKItem, espvkData),
-	SEC_PKCS12PVKSupportingDataTemplate },
-    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
-	SEC_ASN1_DYNAMIC | 0, offsetof(SEC_PKCS12ESPVKItem, espvkCipherText),
-	&sec_pkcs12_shroud_chooser },
-    { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12PVKAdditionalDataTemplate[] =
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PVKAdditionalData) },
-    { SEC_ASN1_OBJECT_ID, 
-	offsetof(SEC_PKCS12PVKAdditionalData, pvkAdditionalType) },
-    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
-	offsetof(SEC_PKCS12PVKAdditionalData, pvkAdditionalContent) },
-    { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12PVKSupportingDataTemplate_OLD[] =
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PVKSupportingData) },
-    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN , 
-        offsetof(SEC_PKCS12PVKSupportingData, assocCerts),
-	SEC_ASN1_SUB(sgn_DigestInfoTemplate) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN, 
-	offsetof(SEC_PKCS12PVKSupportingData, regenerable) },
-    { SEC_ASN1_PRINTABLE_STRING, 
-	offsetof(SEC_PKCS12PVKSupportingData, nickname) },
-    { SEC_ASN1_ANY | SEC_ASN1_OPTIONAL,
-	offsetof(SEC_PKCS12PVKSupportingData, pvkAdditionalDER) },
-    { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12PVKSupportingDataTemplate[] =
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PVKSupportingData) },
-    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN , 
-        offsetof(SEC_PKCS12PVKSupportingData, assocCerts),
-	SEC_ASN1_SUB(sgn_DigestInfoTemplate) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN, 
-	offsetof(SEC_PKCS12PVKSupportingData, regenerable) },
-    { SEC_ASN1_BMP_STRING, 
-	offsetof(SEC_PKCS12PVKSupportingData, uniNickName) },
-    { SEC_ASN1_ANY | SEC_ASN1_OPTIONAL,
-	offsetof(SEC_PKCS12PVKSupportingData, pvkAdditionalDER) },
-    { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12BaggageItemTemplate[] =
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12BaggageItem) },
-    { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12BaggageItem, espvks),
-	SEC_PKCS12ESPVKItemTemplate },
-    { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12BaggageItem, unencSecrets),
-	SEC_PKCS12SafeBagTemplate },
-    /*{ SEC_ASN1_SET_OF, offsetof(SEC_PKCS12BaggageItem, unencSecrets),
-	SEC_PKCS12CodedSafeBagTemplate }, */
-    { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12BaggageTemplate[] =
-{
-    { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12Baggage, bags),
-	SEC_PKCS12BaggageItemTemplate },
-};
-
-const SEC_ASN1Template SEC_PKCS12BaggageTemplate_OLD[] =
-{
-    { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12Baggage_OLD, espvks),
-	SEC_PKCS12ESPVKItemTemplate_OLD },
-};
-
-static const SEC_ASN1TemplateChooserPtr sec_pkcs12_bag_chooser =
-	sec_pkcs12_choose_bag_type;
-
-static const SEC_ASN1TemplateChooserPtr sec_pkcs12_bag_chooser_old =
-	sec_pkcs12_choose_bag_type_old;
-
-const SEC_ASN1Template SEC_PKCS12SafeBagTemplate_OLD[] =
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12SafeBag) },
-    { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12SafeBag, safeBagType) },
-    { SEC_ASN1_DYNAMIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
-	SEC_ASN1_CONTEXT_SPECIFIC | 0,
-        offsetof(SEC_PKCS12SafeBag, safeContent),
-	&sec_pkcs12_bag_chooser_old },
-    { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12SafeBagTemplate[] =
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12SafeBag) },
-    { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12SafeBag, safeBagType) },
-    { SEC_ASN1_DYNAMIC | SEC_ASN1_POINTER,
-        offsetof(SEC_PKCS12SafeBag, safeContent),
-	&sec_pkcs12_bag_chooser },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_BMP_STRING,
-	offsetof(SEC_PKCS12SafeBag, uniSafeBagName) },
-    { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12SafeContentsTemplate_OLD[] =
-{
-    { SEC_ASN1_SET_OF,
-	offsetof(SEC_PKCS12SafeContents, contents),
-	SEC_PKCS12SafeBagTemplate_OLD }
-};
-
-const SEC_ASN1Template SEC_PKCS12SafeContentsTemplate[] =
-{
-    { SEC_ASN1_SET_OF,
-	offsetof(SEC_PKCS12SafeContents, contents),
-	SEC_PKCS12SafeBagTemplate }  /* here */
-};
-
-const SEC_ASN1Template SEC_PKCS12PrivateKeyTemplate[] =
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PrivateKey) },
-    { SEC_ASN1_INLINE, offsetof(SEC_PKCS12PrivateKey, pvkData),
-	SEC_PKCS12PVKSupportingDataTemplate },
-    { SEC_ASN1_INLINE | SEC_ASN1_XTRN, 
-        offsetof(SEC_PKCS12PrivateKey, pkcs8data),
-	SEC_ASN1_SUB(SECKEY_PrivateKeyInfoTemplate) },
-    { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12PrivateKeyBagTemplate[] =
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PrivateKeyBag) },
-    { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12PrivateKeyBag, privateKeys),
-	SEC_PKCS12PrivateKeyTemplate },
-    { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12X509CertCRLTemplate_OLD[] =
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12X509CertCRL) },
-    { SEC_ASN1_INLINE, offsetof(SEC_PKCS12X509CertCRL, certOrCRL),
-	sec_PKCS7ContentInfoTemplate },
-    { SEC_ASN1_INLINE | SEC_ASN1_XTRN , 
-        offsetof(SEC_PKCS12X509CertCRL, thumbprint),
-	SEC_ASN1_SUB(sgn_DigestInfoTemplate) },
-    { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12X509CertCRLTemplate[] =
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12X509CertCRL) },
-    { SEC_ASN1_INLINE, offsetof(SEC_PKCS12X509CertCRL, certOrCRL),
-	sec_PKCS7ContentInfoTemplate },
-    { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12SDSICertTemplate[] =
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12X509CertCRL) },
-    { SEC_ASN1_IA5_STRING, offsetof(SEC_PKCS12SDSICert, value) },
-    { 0 }
-};
-
-static const SEC_ASN1TemplateChooserPtr sec_pkcs12_cert_crl_chooser_old =
-	sec_pkcs12_choose_cert_crl_type_old;
-
-static const SEC_ASN1TemplateChooserPtr sec_pkcs12_cert_crl_chooser =
-	sec_pkcs12_choose_cert_crl_type;
-
-const SEC_ASN1Template SEC_PKCS12CertAndCRLTemplate_OLD[] =
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12CertAndCRL) },
-    { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12CertAndCRL, BagID) },
-    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_EXPLICIT |
-	SEC_ASN1_DYNAMIC | SEC_ASN1_CONSTRUCTED | 0,
-	offsetof(SEC_PKCS12CertAndCRL, value),
-	&sec_pkcs12_cert_crl_chooser_old },
-    { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12CertAndCRLTemplate[] =
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12CertAndCRL) },
-    { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12CertAndCRL, BagID) },
-    { SEC_ASN1_DYNAMIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
-	SEC_ASN1_CONTEXT_SPECIFIC | 0, 
-	offsetof(SEC_PKCS12CertAndCRL, value),
-	&sec_pkcs12_cert_crl_chooser },
-    { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12CertAndCRLBagTemplate[] =
-{
-    { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12CertAndCRLBag, certAndCRLs),
-	SEC_PKCS12CertAndCRLTemplate },
-};
-
-const SEC_ASN1Template SEC_PKCS12CertAndCRLBagTemplate_OLD[] =
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12CertAndCRLBag) },
-    { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12CertAndCRLBag, certAndCRLs),
-	SEC_PKCS12CertAndCRLTemplate_OLD },
-    { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12SecretAdditionalTemplate[] =
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12SecretAdditional) },
-    { SEC_ASN1_OBJECT_ID,
-	offsetof(SEC_PKCS12SecretAdditional, secretAdditionalType) },
-    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_EXPLICIT,
-	offsetof(SEC_PKCS12SecretAdditional, secretAdditionalContent) },
-    { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12SecretTemplate[] =
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12Secret) },
-    { SEC_ASN1_BMP_STRING, offsetof(SEC_PKCS12Secret, uniSecretName) },
-    { SEC_ASN1_ANY, offsetof(SEC_PKCS12Secret, value) },
-    { SEC_ASN1_INLINE | SEC_ASN1_OPTIONAL,
-	offsetof(SEC_PKCS12Secret, secretAdditional),
-	SEC_PKCS12SecretAdditionalTemplate },
-    { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12SecretItemTemplate[] = 
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12Secret) },
-    { SEC_ASN1_INLINE | SEC_ASN1_CONTEXT_SPECIFIC | 0,
-	offsetof(SEC_PKCS12SecretItem, secret), SEC_PKCS12SecretTemplate },
-    { SEC_ASN1_INLINE | SEC_ASN1_CONTEXT_SPECIFIC | 1,
-	offsetof(SEC_PKCS12SecretItem, subFolder), SEC_PKCS12SafeBagTemplate },
-    { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12SecretBagTemplate[] =
-{
-    { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12SecretBag, secrets),
-	SEC_PKCS12SecretItemTemplate },
-};
-
-const SEC_ASN1Template SEC_PKCS12MacDataTemplate[] =
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PFXItem) },
-    { SEC_ASN1_INLINE | SEC_ASN1_XTRN , offsetof(SEC_PKCS12MacData, safeMac),
-	SEC_ASN1_SUB(sgn_DigestInfoTemplate) },
-    { SEC_ASN1_BIT_STRING, offsetof(SEC_PKCS12MacData, macSalt) },
-    { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12PFXItemTemplate[] =
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PFXItem) },
-    { SEC_ASN1_OPTIONAL |
-	SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, 
-	offsetof(SEC_PKCS12PFXItem, macData), SEC_PKCS12MacDataTemplate },
-    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, 
-	offsetof(SEC_PKCS12PFXItem, authSafe), 
-	sec_PKCS7ContentInfoTemplate },
-    { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12PFXItemTemplate_OLD[] =
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PFXItem) },
-    { SEC_ASN1_OPTIONAL |
-	SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, 
-	offsetof(SEC_PKCS12PFXItem, old_safeMac), 
-	SEC_ASN1_SUB(sgn_DigestInfoTemplate) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_BIT_STRING,
-	offsetof(SEC_PKCS12PFXItem, old_macSalt) },
-    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, 
-	offsetof(SEC_PKCS12PFXItem, authSafe), 
-	sec_PKCS7ContentInfoTemplate },
-    { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12AuthenticatedSafeTemplate[] =
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12AuthenticatedSafe) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER, 
-	offsetof(SEC_PKCS12AuthenticatedSafe, version) }, 
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_OBJECT_ID,
-	offsetof(SEC_PKCS12AuthenticatedSafe, transportMode) },
-    { SEC_ASN1_BIT_STRING | SEC_ASN1_OPTIONAL,
-	offsetof(SEC_PKCS12AuthenticatedSafe, privacySalt) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_SET_OF, 
-	offsetof(SEC_PKCS12AuthenticatedSafe, baggage.bags), 
-	SEC_PKCS12BaggageItemTemplate },
-    { SEC_ASN1_POINTER,
-	offsetof(SEC_PKCS12AuthenticatedSafe, safe),
-	sec_PKCS7ContentInfoTemplate },
-    { 0 }
-};
-
-const SEC_ASN1Template SEC_PKCS12AuthenticatedSafeTemplate_OLD[] =
-{
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12AuthenticatedSafe) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER, 
-	offsetof(SEC_PKCS12AuthenticatedSafe, version) }, 
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER,
-	offsetof(SEC_PKCS12AuthenticatedSafe, transportMode) },
-    { SEC_ASN1_BIT_STRING,
-	offsetof(SEC_PKCS12AuthenticatedSafe, privacySalt) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | 
-    	SEC_ASN1_CONTEXT_SPECIFIC | 0, 
-	offsetof(SEC_PKCS12AuthenticatedSafe, old_baggage), 
-	SEC_PKCS12BaggageTemplate_OLD },
-    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
-	offsetof(SEC_PKCS12AuthenticatedSafe, old_safe),
-	sec_PKCS7ContentInfoTemplate },
-    { 0 }
-};
-
-const SEC_ASN1Template SEC_PointerToPKCS12KeyBagTemplate[] =
-{
-    { SEC_ASN1_POINTER, 0, SEC_PKCS12PrivateKeyBagTemplate }
-};
-
-const SEC_ASN1Template SEC_PointerToPKCS12CertAndCRLBagTemplate_OLD[] =
-{
-    { SEC_ASN1_POINTER, 0, SEC_PKCS12CertAndCRLBagTemplate_OLD }
-};
-
-const SEC_ASN1Template SEC_PointerToPKCS12CertAndCRLBagTemplate[] =
-{
-    { SEC_ASN1_POINTER, 0, SEC_PKCS12CertAndCRLBagTemplate }
-};
-
-const SEC_ASN1Template SEC_PointerToPKCS12SecretBagTemplate[] =
-{
-    { SEC_ASN1_POINTER, 0, SEC_PKCS12SecretBagTemplate }
-};
-
-const SEC_ASN1Template SEC_PointerToPKCS12X509CertCRLTemplate_OLD[] =
-{
-    { SEC_ASN1_POINTER, 0, SEC_PKCS12X509CertCRLTemplate_OLD }
-};
-
-const SEC_ASN1Template SEC_PointerToPKCS12X509CertCRLTemplate[] =
-{
-    { SEC_ASN1_POINTER, 0, SEC_PKCS12X509CertCRLTemplate }
-};
-
-const SEC_ASN1Template SEC_PointerToPKCS12SDSICertTemplate[] =
-{
-    { SEC_ASN1_POINTER, 0, SEC_PKCS12SDSICertTemplate }
-};
-
-
diff --git a/security/nss/lib/pkcs12/p12local.h b/security/nss/lib/pkcs12/p12local.h
deleted file mode 100644
index 0c4bd594d..000000000
--- a/security/nss/lib/pkcs12/p12local.h
+++ /dev/null
@@ -1,91 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-
-#ifndef _P12LOCAL_H_
-#define _P12LOCAL_H_
-
-#include "plarena.h"
-#include "secoidt.h"
-#include "secasn1.h"
-#include "secder.h"
-#include "certt.h"
-#include "secpkcs7.h"
-#include "pkcs12.h"
-#include "p12.h"
-
-/* helper functions */
-extern const SEC_ASN1Template *
-sec_pkcs12_choose_bag_type(void *src_or_dest, PRBool encoding);
-extern const SEC_ASN1Template *
-sec_pkcs12_choose_cert_crl_type(void *src_or_dest, PRBool encoding);
-extern const SEC_ASN1Template *
-sec_pkcs12_choose_shroud_type(void *src_or_dest, PRBool encoding);
-extern SECItem *sec_pkcs12_generate_salt(void);
-extern SECItem *sec_pkcs12_generate_key_from_password(SECOidTag algorithm, 
-	SECItem *salt, SECItem *password);
-extern SECItem *sec_pkcs12_generate_mac(SECItem *key, SECItem *msg, 
-					PRBool old_method);
-extern SGNDigestInfo *sec_pkcs12_compute_thumbprint(SECItem *der_cert);
-extern SECItem *sec_pkcs12_create_virtual_password(SECItem *password, 
-			SECItem *salt, PRBool swapUnicodeBytes);
-extern SECStatus sec_pkcs12_append_shrouded_key(SEC_PKCS12BaggageItem *bag,
-						 SEC_PKCS12ESPVKItem *espvk);
-extern void *sec_pkcs12_find_object(SEC_PKCS12SafeContents *safe,
-				SEC_PKCS12Baggage *baggage, SECOidTag objType,
-				SECItem *nickname, SGNDigestInfo *thumbprint);
-extern PRBool sec_pkcs12_convert_item_to_unicode(PRArenaPool *arena, SECItem *dest,
-						 SECItem *src, PRBool zeroTerm,
-						 PRBool asciiConvert, PRBool toUnicode);
-extern CK_MECHANISM_TYPE sec_pkcs12_algtag_to_mech(SECOidTag algtag);
-
-/* create functions */
-extern SEC_PKCS12PFXItem *sec_pkcs12_new_pfx(void);
-extern SEC_PKCS12SafeContents *sec_pkcs12_create_safe_contents(
-	PRArenaPool *poolp);
-extern SEC_PKCS12Baggage *sec_pkcs12_create_baggage(PRArenaPool *poolp);
-extern SEC_PKCS12BaggageItem *sec_pkcs12_create_external_bag(SEC_PKCS12Baggage *luggage);
-extern void SEC_PKCS12DestroyPFX(SEC_PKCS12PFXItem *pfx);
-extern SEC_PKCS12AuthenticatedSafe *sec_pkcs12_new_asafe(PRArenaPool *poolp);
-
-/* conversion from old to new */
-extern SEC_PKCS12DecoderContext *
-sec_PKCS12ConvertOldSafeToNew(PRArenaPool *arena, PK11SlotInfo *slot,
-			      PRBool swapUnicode, SECItem *pwitem,
-			      void *wincx, SEC_PKCS12SafeContents *safe,
-			      SEC_PKCS12Baggage *baggage);
-	
-#endif
diff --git a/security/nss/lib/pkcs12/p12plcy.c b/security/nss/lib/pkcs12/p12plcy.c
deleted file mode 100644
index ae3ab0b51..000000000
--- a/security/nss/lib/pkcs12/p12plcy.c
+++ /dev/null
@@ -1,201 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-
-#include "p12plcy.h"
-#include "secoid.h"
-#include "secport.h"
-#include "secpkcs5.h" 
-
-#define PKCS12_NULL  0x0000
-
-typedef struct pkcs12SuiteMapStr {
-    SECOidTag		algTag;
-    unsigned int	keyLengthBits;	/* in bits */
-    unsigned long	suite;
-    PRBool 		allowed;
-    PRBool		preferred;
-} pkcs12SuiteMap;
-
-static pkcs12SuiteMap pkcs12SuiteMaps[] = {
-    { SEC_OID_RC4,		40,	PKCS12_RC4_40,		PR_FALSE,	PR_FALSE},
-    { SEC_OID_RC4,	       128,	PKCS12_RC4_128,		PR_FALSE,	PR_FALSE},
-    { SEC_OID_RC2_CBC,		40,	PKCS12_RC2_CBC_40,	PR_FALSE,	PR_TRUE},
-    { SEC_OID_RC2_CBC,	       128,	PKCS12_RC2_CBC_128,	PR_FALSE,	PR_FALSE},
-    { SEC_OID_DES_CBC,		64,	PKCS12_DES_56,		PR_FALSE,	PR_FALSE},
-    { SEC_OID_DES_EDE3_CBC,    192,	PKCS12_DES_EDE3_168,	PR_FALSE,	PR_FALSE},
-    { SEC_OID_UNKNOWN,		 0,	PKCS12_NULL,		PR_FALSE,	PR_FALSE},
-    { SEC_OID_UNKNOWN,		 0,	0L,			PR_FALSE,	PR_FALSE}
-};
-
-/* determine if algid is an algorithm which is allowed */
-PRBool 
-SEC_PKCS12DecryptionAllowed(SECAlgorithmID *algid)
-{
-    unsigned int keyLengthBits;
-    SECOidTag algId;
-    int i;
-   
-    algId = SEC_PKCS5GetCryptoAlgorithm(algid);
-    if(algId == SEC_OID_UNKNOWN) {
-	return PR_FALSE;
-    }
-    
-    keyLengthBits = (unsigned int)(SEC_PKCS5GetKeyLength(algid) * 8);
-
-    i = 0;
-    while(pkcs12SuiteMaps[i].algTag != SEC_OID_UNKNOWN) {
-	if((pkcs12SuiteMaps[i].algTag == algId) && 
-	   (pkcs12SuiteMaps[i].keyLengthBits == keyLengthBits)) {
-
-	    return pkcs12SuiteMaps[i].allowed;
-	}
-	i++;
-    }
-
-    return PR_FALSE;
-}
-
-/* is any encryption allowed? */
-PRBool
-SEC_PKCS12IsEncryptionAllowed(void)
-{
-    int i;
-
-    i = 0;
-    while(pkcs12SuiteMaps[i].algTag != SEC_OID_UNKNOWN) {
-	if(pkcs12SuiteMaps[i].allowed == PR_TRUE) {
-	    return PR_TRUE;
-	} 
-	i++;
-    }
-
-    return PR_FALSE;
-}
-
-/* get the preferred algorithm.
- */
-SECOidTag
-SEC_PKCS12GetPreferredEncryptionAlgorithm(void)
-{
-    int i;
-
-    i = 0;
-    while(pkcs12SuiteMaps[i].algTag != SEC_OID_UNKNOWN) {
-	if((pkcs12SuiteMaps[i].preferred == PR_TRUE) && 
-	   (pkcs12SuiteMaps[i].allowed == PR_TRUE)) {
-	    return SEC_PKCS5GetPBEAlgorithm(pkcs12SuiteMaps[i].algTag,
-	    				    pkcs12SuiteMaps[i].keyLengthBits);
-	}
-	i++;
-    }
-
-    return SEC_OID_UNKNOWN;
-}
-
-/* return the strongest algorithm allowed */
-SECOidTag
-SEC_PKCS12GetStrongestAllowedAlgorithm(void)
-{
-    int i, keyLengthBits = 0;
-    SECOidTag algorithm = SEC_OID_UNKNOWN;
-
-    i = 0;
-    while(pkcs12SuiteMaps[i].algTag != SEC_OID_UNKNOWN) {
-	if((pkcs12SuiteMaps[i].allowed == PR_TRUE) && 
-	   (pkcs12SuiteMaps[i].keyLengthBits > (unsigned int)keyLengthBits) &&
-	   (pkcs12SuiteMaps[i].algTag != SEC_OID_RC4)) {
-	    algorithm = pkcs12SuiteMaps[i].algTag;
-	    keyLengthBits = pkcs12SuiteMaps[i].keyLengthBits;
-	}
-	i++;
-    }
-
-    if(algorithm == SEC_OID_UNKNOWN) {
-	return SEC_OID_UNKNOWN;
-    }
-
-    return SEC_PKCS5GetPBEAlgorithm(algorithm, keyLengthBits);
-}
-
-SECStatus
-SEC_PKCS12EnableCipher(long which, int on) 
-{
-    int i;
-
-    i = 0;
-    while(pkcs12SuiteMaps[i].suite != 0L) {
-	if(pkcs12SuiteMaps[i].suite == (unsigned long)which) {
-	    if(on) {
-		pkcs12SuiteMaps[i].allowed = PR_TRUE;
-	    } else {
-		pkcs12SuiteMaps[i].allowed = PR_FALSE;
-	    }
-	    return SECSuccess;
-	}
-	i++;
-    }
-
-    return SECFailure;
-}
-
-SECStatus
-SEC_PKCS12SetPreferredCipher(long which, int on)
-{
-    int i;
-    PRBool turnedOff = PR_FALSE;
-    PRBool turnedOn = PR_FALSE;
-
-    i = 0;
-    while(pkcs12SuiteMaps[i].suite != 0L) {
-	if(pkcs12SuiteMaps[i].preferred == PR_TRUE) {
-	    pkcs12SuiteMaps[i].preferred = PR_FALSE;
-	    turnedOff = PR_TRUE;
-	}
-	if(pkcs12SuiteMaps[i].suite == (unsigned long)which) {
-	    pkcs12SuiteMaps[i].preferred = PR_TRUE;
-	    turnedOn = PR_TRUE;
-	}
-	i++;
-    }
-
-    if((turnedOn) && (turnedOff)) {
-	return SECSuccess;
-    }
-
-    return SECFailure;
-}
-
diff --git a/security/nss/lib/pkcs12/p12plcy.h b/security/nss/lib/pkcs12/p12plcy.h
deleted file mode 100644
index 586aea342..000000000
--- a/security/nss/lib/pkcs12/p12plcy.h
+++ /dev/null
@@ -1,63 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#ifndef _P12PLCY_H_
-#define _P12PLCY_H_
-
-#include "secoid.h"
-#include "ciferfam.h"
-
-SEC_BEGIN_PROTOS
-
-/* for the algid specified, can we decrypt it ? */
-extern PRBool SEC_PKCS12DecryptionAllowed(SECAlgorithmID *algid);
-
-/* is encryption allowed? */
-extern PRBool SEC_PKCS12IsEncryptionAllowed(void);
-
-/* get the preferred encryption algorithm */
-extern SECOidTag SEC_PKCS12GetPreferredEncryptionAlgorithm(void);
-
-/* get the stronget crypto allowed (based on order in the table */
-extern SECOidTag SEC_PKCS12GetStrongestAllowedAlgorithm(void);
-
-/* enable a cipher for encryption/decryption */
-extern SECStatus SEC_PKCS12EnableCipher(long which, int on);
-
-/* return the preferred cipher for encryption */
-extern SECStatus SEC_PKCS12SetPreferredCipher(long which, int on);
-
-SEC_END_PROTOS
-#endif
diff --git a/security/nss/lib/pkcs12/p12t.h b/security/nss/lib/pkcs12/p12t.h
deleted file mode 100644
index 11a3bb558..000000000
--- a/security/nss/lib/pkcs12/p12t.h
+++ /dev/null
@@ -1,187 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef _P12T_H_
-#define _P12T_H_
-
-#include "secoid.h"
-#include "key.h"
-#include "pkcs11.h"
-#include "secpkcs7.h"
-#include "secdig.h"	/* for SGNDigestInfo */
-#include "pkcs12t.h"
-
-#define SEC_PKCS12_VERSION	3
-
-/* structure declarations */
-typedef struct sec_PKCS12PFXItemStr sec_PKCS12PFXItem;
-typedef struct sec_PKCS12MacDataStr sec_PKCS12MacData;
-typedef struct sec_PKCS12AuthenticatedSafeStr sec_PKCS12AuthenticatedSafe;
-typedef struct sec_PKCS12SafeContentsStr sec_PKCS12SafeContents;
-typedef struct sec_PKCS12SafeBagStr sec_PKCS12SafeBag;
-typedef struct sec_PKCS12PKCS8ShroudedKeyBagStr sec_PKCS12PKCS8ShroudedKeyBag;
-typedef struct sec_PKCS12CertBagStr sec_PKCS12CertBag;
-typedef struct sec_PKCS12CRLBagStr sec_PKCS12CRLBag;
-typedef struct sec_PKCS12SecretBag sec_PKCS12SecretBag;
-typedef struct sec_PKCS12AttributeStr sec_PKCS12Attribute;
-
-struct sec_PKCS12CertBagStr {
-    /* what type of cert is stored? */
-    SECItem bagID;
-
-    /* certificate information */
-    union {
-	SECItem x509Cert;
-	SECItem SDSICert;
-    } value;
-};
-
-struct sec_PKCS12CRLBagStr {
-    /* what type of cert is stored? */
-    SECItem bagID;
-
-    /* certificate information */
-    union {
-	SECItem x509CRL;
-    } value;
-};
-
-struct sec_PKCS12SecretBag {
-    /* what type of secret? */
-    SECItem secretType;
-
-    /* secret information.  ssshhhh be vewy vewy quiet. */
-    SECItem secretContent;
-};
-
-struct sec_PKCS12AttributeStr {
-    SECItem attrType;
-    SECItem **attrValue;
-};
-
-struct sec_PKCS12SafeBagStr {
-
-    /* What type of bag are we using? */
-    SECItem safeBagType;
-
-    /* Dependent upon the type of bag being used. */
-    union {
-	SECKEYPrivateKeyInfo *pkcs8KeyBag;
-	SECKEYEncryptedPrivateKeyInfo *pkcs8ShroudedKeyBag;
-	sec_PKCS12CertBag *certBag;
-	sec_PKCS12CRLBag *crlBag;
-	sec_PKCS12SecretBag *secretBag;
-	sec_PKCS12SafeContents *safeContents;
-    } safeBagContent;
-
-    sec_PKCS12Attribute **attribs;
-
-    /* used locally */
-    SECOidData *bagTypeTag;
-    PRArenaPool *arena;
-    unsigned int nAttribs;
-
-    /* used for validation/importing */
-    PRBool problem, noInstall, validated, hasKey, unused, installed;
-    int error;
-
-    PRBool swapUnicodeBytes;
-    PK11SlotInfo *slot;
-    SECItem *pwitem;
-    PRBool oldBagType;
-    SECPKCS12TargetTokenCAs tokenCAs;
-};
-    
-struct sec_PKCS12SafeContentsStr {
-    sec_PKCS12SafeBag **safeBags;
-    SECItem **encodedSafeBags;
-    
-    /* used locally */
-    PRArenaPool *arena;
-    unsigned int bagCount;
-};
-
-struct sec_PKCS12MacDataStr {
-    SGNDigestInfo safeMac;
-    SECItem macSalt;
-    SECItem iter;
-};
-
-struct sec_PKCS12PFXItemStr {
-
-    SECItem version;
-
-    /* Content type will either be Data (password integrity mode)
-     * or signedData (public-key integrity mode)
-     */
-    SEC_PKCS7ContentInfo *authSafe;
-    SECItem encodedAuthSafe;
-
-    /* Only present in password integrity mode */
-    sec_PKCS12MacData macData;
-    SECItem encodedMacData;
-};
-
-struct sec_PKCS12AuthenticatedSafeStr {
-    /* Content type will either be encryptedData (password privacy mode)
-     * or envelopedData (public-key privacy mode)
-     */
-    SEC_PKCS7ContentInfo **safes;
-    SECItem **encodedSafes;
-
-    /* used locally */
-    unsigned int safeCount;
-    SECItem dummySafe;
-};
-
-extern const SEC_ASN1Template sec_PKCS12PFXItemTemplate[];
-extern const SEC_ASN1Template sec_PKCS12MacDataTemplate[];
-extern const SEC_ASN1Template sec_PKCS12AuthenticatedSafeTemplate[];
-extern const SEC_ASN1Template sec_PKCS12SafeContentsTemplate[];
-extern const SEC_ASN1Template sec_PKCS12SafeContentsDecodeTemplate[];
-extern const SEC_ASN1Template sec_PKCS12NestedSafeContentsDecodeTemplate[];
-extern const SEC_ASN1Template sec_PKCS12CertBagTemplate[];
-extern const SEC_ASN1Template sec_PKCS12CRLBagTemplate[];
-extern const SEC_ASN1Template sec_PKCS12SecretBagTemplate[];
-extern const SEC_ASN1Template sec_PKCS12PointerToCertBagTemplate[];
-extern const SEC_ASN1Template sec_PKCS12PointerToCRLBagTemplate[];
-extern const SEC_ASN1Template sec_PKCS12PointerToSecretBagTemplate[];
-extern const SEC_ASN1Template sec_PKCS12PointerToSafeContentsTemplate[];
-extern const SEC_ASN1Template sec_PKCS12AttributeTemplate[];
-extern const SEC_ASN1Template sec_PKCS12PointerToContentInfoTemplate[];
-extern const SEC_ASN1Template sec_PKCS12SafeBagTemplate[];
-
-#endif
diff --git a/security/nss/lib/pkcs12/p12tmpl.c b/security/nss/lib/pkcs12/p12tmpl.c
deleted file mode 100644
index 9b0f3ddba..000000000
--- a/security/nss/lib/pkcs12/p12tmpl.c
+++ /dev/null
@@ -1,323 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "plarena.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "seccomon.h"
-#include "secport.h"
-#include "cert.h"
-#include "secpkcs7.h"
-#include "secasn1.h"
-#include "p12t.h"
-
-SEC_ASN1_MKSUB(SEC_AnyTemplate)
-SEC_ASN1_MKSUB(sgn_DigestInfoTemplate)
-
-static const SEC_ASN1Template *
-sec_pkcs12_choose_safe_bag_type(void *src_or_dest, PRBool encoding)
-{
-    const SEC_ASN1Template *theTemplate;
-    sec_PKCS12SafeBag *safeBag;
-    SECOidData *oiddata;
-
-    if (src_or_dest == NULL) {
-	return NULL;
-    }
-
-    safeBag = (sec_PKCS12SafeBag*)src_or_dest;
-
-    oiddata = SECOID_FindOID(&safeBag->safeBagType);
-    if(oiddata == NULL) {
-	return SEC_ASN1_GET(SEC_AnyTemplate);
-    }
-
-    switch (oiddata->offset) {
-	default:
-	    theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
-	    break;
-	case SEC_OID_PKCS12_V1_KEY_BAG_ID:
-	    theTemplate = SEC_ASN1_GET(SECKEY_PointerToPrivateKeyInfoTemplate);
-	    break;
-	case SEC_OID_PKCS12_V1_CERT_BAG_ID:
-	    theTemplate = sec_PKCS12PointerToCertBagTemplate;
-	    break;
-	case SEC_OID_PKCS12_V1_CRL_BAG_ID:
-	    theTemplate = sec_PKCS12PointerToCRLBagTemplate;
-	    break;
-        case SEC_OID_PKCS12_V1_SECRET_BAG_ID:
-	    theTemplate = sec_PKCS12PointerToSecretBagTemplate;
-	    break;
-	case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
-	    theTemplate = 
-	        SEC_ASN1_GET(SECKEY_PointerToEncryptedPrivateKeyInfoTemplate);
-	    break;
-	case SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID:
-	    if(encoding) {
-		theTemplate = sec_PKCS12PointerToSafeContentsTemplate;
-	    } else {
-		theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
-	    }
-	    break;
-    }
-    return theTemplate;
-}
-
-static const SEC_ASN1Template *
-sec_pkcs12_choose_crl_bag_type(void *src_or_dest, PRBool encoding)
-{
-    const SEC_ASN1Template *theTemplate;
-    sec_PKCS12CRLBag *crlbag;
-    SECOidData *oiddata;
-
-    if (src_or_dest == NULL) {
-	return NULL;
-    }
-
-    crlbag = (sec_PKCS12CRLBag*)src_or_dest;
-
-    oiddata = SECOID_FindOID(&crlbag->bagID);
-    if(oiddata == NULL) {
-	return SEC_ASN1_GET(SEC_AnyTemplate);
-    }
-
-    switch (oiddata->offset) {
-	default:
-	    theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
-	    break;
-	case SEC_OID_PKCS9_X509_CRL:
-	    theTemplate = SEC_ASN1_GET(SEC_OctetStringTemplate);
-	    break;
-    }
-    return theTemplate;
-}
-
-static const SEC_ASN1Template *
-sec_pkcs12_choose_cert_bag_type(void *src_or_dest, PRBool encoding)
-{
-    const SEC_ASN1Template *theTemplate;
-    sec_PKCS12CertBag *certbag;
-    SECOidData *oiddata;
-
-    if (src_or_dest == NULL) {
-	return NULL;
-    }
-
-    certbag = (sec_PKCS12CertBag*)src_or_dest;
-
-    oiddata = SECOID_FindOID(&certbag->bagID);
-    if(oiddata == NULL) {
-	return SEC_ASN1_GET(SEC_AnyTemplate);
-    }
-
-    switch (oiddata->offset) {
-	default:
-	    theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
-	    break;
-	case SEC_OID_PKCS9_X509_CERT:
-	    theTemplate = SEC_ASN1_GET(SEC_OctetStringTemplate);
-	    break;
-	case SEC_OID_PKCS9_SDSI_CERT:
-	    theTemplate = SEC_ASN1_GET(SEC_IA5StringTemplate);
-	    break;
-    }
-    return theTemplate;
-}
-
-static const SEC_ASN1Template *
-sec_pkcs12_choose_attr_type(void *src_or_dest, PRBool encoding)
-{
-    const SEC_ASN1Template *theTemplate;
-    sec_PKCS12Attribute *attr;
-    SECOidData *oiddata;
-
-    if (src_or_dest == NULL) {
-	return NULL;
-    }
-
-    attr = (sec_PKCS12Attribute*)src_or_dest;
-
-    oiddata = SECOID_FindOID(&attr->attrType);
-    if(oiddata == NULL) {
-	return SEC_ASN1_GET(SEC_AnyTemplate);
-    }
-
-    switch (oiddata->offset) {
-	default:
-	    theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
-	    break;
-	case SEC_OID_PKCS9_FRIENDLY_NAME:
-	    theTemplate = SEC_ASN1_GET(SEC_BMPStringTemplate);
-	    break;
-	case SEC_OID_PKCS9_LOCAL_KEY_ID:
-	    theTemplate = SEC_ASN1_GET(SEC_OctetStringTemplate);
-	    break;
-	case SEC_OID_PKCS12_KEY_USAGE:
-	    theTemplate = SEC_ASN1_GET(SEC_BitStringTemplate);
-	    break;
-    }
-
-    return theTemplate;
-}
-
-
-const SEC_ASN1Template sec_PKCS12PointerToContentInfoTemplate[] = {
-    { SEC_ASN1_POINTER | SEC_ASN1_MAY_STREAM, 0, sec_PKCS7ContentInfoTemplate }
-};
-
-static const SEC_ASN1TemplateChooserPtr sec_pkcs12_crl_bag_chooser =
-    sec_pkcs12_choose_crl_bag_type;
-
-static const SEC_ASN1TemplateChooserPtr sec_pkcs12_cert_bag_chooser =
-    sec_pkcs12_choose_cert_bag_type;
-
-static const SEC_ASN1TemplateChooserPtr sec_pkcs12_safe_bag_chooser =
-    sec_pkcs12_choose_safe_bag_type;
-
-static const SEC_ASN1TemplateChooserPtr sec_pkcs12_attr_chooser =
-    sec_pkcs12_choose_attr_type;
-
-const SEC_ASN1Template sec_PKCS12PointerToCertBagTemplate[] = {
-    { SEC_ASN1_POINTER, 0, sec_PKCS12CertBagTemplate }
-};
-
-const SEC_ASN1Template sec_PKCS12PointerToCRLBagTemplate[] = {
-    { SEC_ASN1_POINTER, 0, sec_PKCS12CRLBagTemplate }
-};
-
-const SEC_ASN1Template sec_PKCS12PointerToSecretBagTemplate[] = {
-    { SEC_ASN1_POINTER, 0, sec_PKCS12SecretBagTemplate }
-};
-
-const SEC_ASN1Template sec_PKCS12PointerToSafeContentsTemplate[] = {
-    { SEC_ASN1_POINTER, 0, sec_PKCS12SafeContentsTemplate }
-};
-
-const SEC_ASN1Template sec_PKCS12PFXItemTemplate[] = {
-    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM, 0, NULL, 
-	sizeof(sec_PKCS12PFXItem) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER, 
-	offsetof(sec_PKCS12PFXItem, version) },
-    { SEC_ASN1_ANY | SEC_ASN1_MAY_STREAM, 
-	offsetof(sec_PKCS12PFXItem, encodedAuthSafe) },
-    { SEC_ASN1_ANY | SEC_ASN1_MAY_STREAM,
-	offsetof(sec_PKCS12PFXItem, encodedMacData) },
-    { 0 }
-};
-
-const SEC_ASN1Template sec_PKCS12MacDataTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(sec_PKCS12MacData) },
-    { SEC_ASN1_INLINE | SEC_ASN1_XTRN , offsetof(sec_PKCS12MacData, safeMac),
-	SEC_ASN1_SUB(sgn_DigestInfoTemplate) },
-    { SEC_ASN1_OCTET_STRING, offsetof(sec_PKCS12MacData, macSalt) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER, offsetof(sec_PKCS12MacData, iter) },
-    { 0 }
-};
-
-const SEC_ASN1Template sec_PKCS12AuthenticatedSafeTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_MAY_STREAM | SEC_ASN1_XTRN , 
-	offsetof(sec_PKCS12AuthenticatedSafe, encodedSafes), 
-	SEC_ASN1_SUB(SEC_AnyTemplate) }
-};
-
-const SEC_ASN1Template sec_PKCS12SafeBagTemplate[] = {
-    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM, 0, NULL, 
-	sizeof(sec_PKCS12SafeBag) },
-    { SEC_ASN1_OBJECT_ID, offsetof(sec_PKCS12SafeBag, safeBagType) },
-    { SEC_ASN1_EXPLICIT | SEC_ASN1_DYNAMIC | SEC_ASN1_CONSTRUCTED |
-	SEC_ASN1_MAY_STREAM | SEC_ASN1_CONTEXT_SPECIFIC | 0, 
-	offsetof(sec_PKCS12SafeBag, safeBagContent), 
-	&sec_pkcs12_safe_bag_chooser },
-    { SEC_ASN1_SET_OF | SEC_ASN1_OPTIONAL, offsetof(sec_PKCS12SafeBag, attribs),
-	sec_PKCS12AttributeTemplate },
-    { 0 }
-};
-
-const SEC_ASN1Template sec_PKCS12SafeContentsTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_MAY_STREAM, 
-	offsetof(sec_PKCS12SafeContents, safeBags),
-	sec_PKCS12SafeBagTemplate }
-};
-
-const SEC_ASN1Template sec_PKCS12SequenceOfAnyTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_MAY_STREAM | SEC_ASN1_XTRN , 0,
-	SEC_ASN1_SUB(SEC_AnyTemplate) }
-};
-
-const SEC_ASN1Template sec_PKCS12NestedSafeContentsDecodeTemplate[] = {
-    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 0,
-	offsetof(sec_PKCS12SafeContents, encodedSafeBags),
-	sec_PKCS12SequenceOfAnyTemplate }
-};
-
-const SEC_ASN1Template sec_PKCS12SafeContentsDecodeTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_MAY_STREAM | SEC_ASN1_XTRN , 
-	offsetof(sec_PKCS12SafeContents, encodedSafeBags),
-	SEC_ASN1_SUB(SEC_AnyTemplate) }
-};
-
-const SEC_ASN1Template sec_PKCS12CRLBagTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(sec_PKCS12CRLBag) },
-    { SEC_ASN1_OBJECT_ID, offsetof(sec_PKCS12CRLBag, bagID) },
-    { SEC_ASN1_DYNAMIC | SEC_ASN1_POINTER, 
-	offsetof(sec_PKCS12CRLBag, value), &sec_pkcs12_crl_bag_chooser },
-    { 0 }
-};
-
-const SEC_ASN1Template sec_PKCS12CertBagTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(sec_PKCS12CertBag) },
-    { SEC_ASN1_OBJECT_ID, offsetof(sec_PKCS12CertBag, bagID) },
-    { SEC_ASN1_DYNAMIC | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED |
-	SEC_ASN1_CONTEXT_SPECIFIC | 0,
-	offsetof(sec_PKCS12CertBag, value), &sec_pkcs12_cert_bag_chooser },
-    { 0 }
-};
-
-const SEC_ASN1Template sec_PKCS12SecretBagTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(sec_PKCS12SecretBag) },
-    { SEC_ASN1_OBJECT_ID, offsetof(sec_PKCS12SecretBag, secretType) },
-    { SEC_ASN1_ANY, offsetof(sec_PKCS12SecretBag, secretContent) },
-    { 0 }
-};
-
-const SEC_ASN1Template sec_PKCS12AttributeTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(sec_PKCS12Attribute) },
-    { SEC_ASN1_OBJECT_ID, offsetof(sec_PKCS12Attribute, attrType) },
-    { SEC_ASN1_SET_OF | SEC_ASN1_DYNAMIC, 
-	offsetof(sec_PKCS12Attribute, attrValue),
-	&sec_pkcs12_attr_chooser },
-    { 0 }
-};
diff --git a/security/nss/lib/pkcs12/pkcs12.h b/security/nss/lib/pkcs12/pkcs12.h
deleted file mode 100644
index e84a69f6b..000000000
--- a/security/nss/lib/pkcs12/pkcs12.h
+++ /dev/null
@@ -1,74 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-
-#ifndef _PKCS12_H_
-#define _PKCS12_H_
-
-#include "pkcs12t.h"
-#include "p12.h"
-
-SEC_BEGIN_PROTOS
-
-typedef SECItem * (* SEC_PKCS12GetPassword)(void *arg);
-
-/* Decode functions */
-/* Import a PFX item.  
- *	der_pfx is the der-encoded pfx item to import.
- *	pbef, and pbefarg are used to retrieve passwords for the HMAC,
- *	    and any passwords needed for passing to PKCS5 encryption 
- *	    routines.
- *	algorithm is the algorithm by which private keys are stored in
- *	    the key database.  this could be a specific algorithm or could
- *	    be based on a global setting.
- *	slot is the slot to where the certificates will be placed.  if NULL,
- *	    the internal key slot is used.
- * If the process is successful, a SECSuccess is returned, otherwise
- * a failure occurred.
- */ 
-SECStatus
-SEC_PKCS12PutPFX(SECItem *der_pfx, SECItem *pwitem,
-		 SEC_PKCS12NicknameCollisionCallback ncCall,
-		 PK11SlotInfo *slot, void *wincx);
-
-/* check the first two bytes of a file to make sure that it matches
- * the desired header for a PKCS 12 file
- */
-PRBool SEC_PKCS12ValidData(char *buf, int bufLen, long int totalLength);
-
-SEC_END_PROTOS
-
-#endif
diff --git a/security/nss/lib/pkcs12/pkcs12t.h b/security/nss/lib/pkcs12/pkcs12t.h
deleted file mode 100644
index 45206f4e9..000000000
--- a/security/nss/lib/pkcs12/pkcs12t.h
+++ /dev/null
@@ -1,398 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef _PKCS12T_H_
-#define _PKCS12T_H_
-
-#include "seccomon.h"
-#include "secoid.h"
-#include "cert.h"
-#include "key.h"
-#include "plarena.h"
-#include "secpkcs7.h"
-#include "secdig.h"	/* for SGNDigestInfo */
-
-typedef enum {
-  SECPKCS12TargetTokenNoCAs,		/* CA get loaded intothe fixed token,
-					 * User certs go to target token */
-  SECPKCS12TargetTokenIntermediateCAs,  /* User certs and intermediates go to
-					 * target token, root certs got to
-					 * fixed token */
-  SECPKCS12TargetTokenAllCAs		/* All certs go to target token */
-} SECPKCS12TargetTokenCAs;
-
-/* PKCS12 Structures */
-typedef struct SEC_PKCS12PFXItemStr SEC_PKCS12PFXItem;
-typedef struct SEC_PKCS12MacDataStr SEC_PKCS12MacData;
-typedef struct SEC_PKCS12AuthenticatedSafeStr SEC_PKCS12AuthenticatedSafe;
-typedef struct SEC_PKCS12BaggageItemStr SEC_PKCS12BaggageItem;
-typedef struct SEC_PKCS12BaggageStr SEC_PKCS12Baggage;
-typedef struct SEC_PKCS12Baggage_OLDStr SEC_PKCS12Baggage_OLD;
-typedef struct SEC_PKCS12ESPVKItemStr SEC_PKCS12ESPVKItem;
-typedef struct SEC_PKCS12PVKSupportingDataStr SEC_PKCS12PVKSupportingData;
-typedef struct SEC_PKCS12PVKAdditionalDataStr SEC_PKCS12PVKAdditionalData;
-typedef struct SEC_PKCS12SafeContentsStr SEC_PKCS12SafeContents;
-typedef struct SEC_PKCS12SafeBagStr SEC_PKCS12SafeBag;
-typedef struct SEC_PKCS12PrivateKeyStr SEC_PKCS12PrivateKey;
-typedef struct SEC_PKCS12PrivateKeyBagStr SEC_PKCS12PrivateKeyBag;
-typedef struct SEC_PKCS12CertAndCRLBagStr SEC_PKCS12CertAndCRLBag;
-typedef struct SEC_PKCS12CertAndCRLStr SEC_PKCS12CertAndCRL;
-typedef struct SEC_PKCS12X509CertCRLStr SEC_PKCS12X509CertCRL;
-typedef struct SEC_PKCS12SDSICertStr SEC_PKCS12SDSICert;
-typedef struct SEC_PKCS12SecretStr SEC_PKCS12Secret;
-typedef struct SEC_PKCS12SecretAdditionalStr SEC_PKCS12SecretAdditional;
-typedef struct SEC_PKCS12SecretItemStr SEC_PKCS12SecretItem;
-typedef struct SEC_PKCS12SecretBagStr SEC_PKCS12SecretBag;
-
-typedef SECItem *(* SEC_PKCS12PasswordFunc)(SECItem *args);
-
-/* PKCS12 types */
-
-/* stores shrouded keys */
-struct SEC_PKCS12BaggageStr
-{
-    PRArenaPool     *poolp;
-    SEC_PKCS12BaggageItem **bags;
-
-    int luggage_size;		/* used locally */
-};
-
-/* additional data to be associated with keys.	currently there
- * is nothing defined to be stored here.  allows future expansion.
- */
-struct SEC_PKCS12PVKAdditionalDataStr
-{
-    PRArenaPool	*poolp;
-    SECOidData	*pvkAdditionalTypeTag;	/* used locally */
-    SECItem     pvkAdditionalType;
-    SECItem     pvkAdditionalContent;
-};
-
-/* cert and other supporting data for private keys.  used
- * for both shrouded and non-shrouded keys.
- */
-struct SEC_PKCS12PVKSupportingDataStr
-{
-    PRArenaPool		*poolp;
-    SGNDigestInfo 	**assocCerts;
-    SECItem		regenerable;
-    SECItem         	nickname;
-    SEC_PKCS12PVKAdditionalData     pvkAdditional;
-    SECItem		pvkAdditionalDER;
-
-    SECItem		uniNickName;
-    /* used locally */
-    int			nThumbs;
-};
-
-/* shrouded key structure.  supports only pkcs8 shrouding
- * currently.
- */
-struct SEC_PKCS12ESPVKItemStr
-{
-    PRArenaPool *poolp;		/* used locally */
-    SECOidData	*espvkTag;	/* used locally */
-    SECItem	espvkOID;
-    SEC_PKCS12PVKSupportingData espvkData;
-    union
-    {
-	SECKEYEncryptedPrivateKeyInfo *pkcs8KeyShroud;
-    } espvkCipherText;
-
-    PRBool duplicate;	/* used locally */
-    PRBool problem_cert; 	/* used locally */
-    PRBool single_cert;		/* used locally */
-    int nCerts;			/* used locally */
-    SECItem derCert;		/* used locally */
-};
-
-/* generic bag store for the safe.  safeBagType identifies
- * the type of bag stored.
- */
-struct SEC_PKCS12SafeBagStr
-{
-    PRArenaPool *poolp;
-    SECOidData	*safeBagTypeTag;	/* used locally */
-    SECItem     safeBagType;
-    union
-    {
-	SEC_PKCS12PrivateKeyBag	*keyBag;
-	SEC_PKCS12CertAndCRLBag *certAndCRLBag;
-	SEC_PKCS12SecretBag     *secretBag;
-    } safeContent;
-
-    SECItem	derSafeContent;
-    SECItem 	safeBagName;
-
-    SECItem	uniSafeBagName;
-};
-
-/* stores private keys and certificates in a list.  each safebag
- * has an ID identifying the type of content stored.
- */
-struct SEC_PKCS12SafeContentsStr
-{
-    PRArenaPool     	*poolp;
-    SEC_PKCS12SafeBag	**contents;
-
-    /* used for tracking purposes */
-    int safe_size;
-    PRBool old;
-    PRBool swapUnicode;
-    PRBool possibleSwapUnicode;
-};
-
-/* private key structure which holds encrypted private key and
- * supporting data including nickname and certificate thumbprint.
- */
-struct SEC_PKCS12PrivateKeyStr
-{
-    PRArenaPool *poolp;
-    SEC_PKCS12PVKSupportingData pvkData;
-    SECKEYPrivateKeyInfo	pkcs8data;   /* borrowed from PKCS 8 */
-
-    PRBool duplicate;	/* used locally */
-    PRBool problem_cert;/* used locally */
-    PRBool single_cert;	/* used locally */
-    int nCerts;		/* used locally */
-    SECItem derCert;	/* used locally */
-};
-
-/* private key bag, holds a (null terminated) list of private key
- * structures.
- */
-struct SEC_PKCS12PrivateKeyBagStr
-{
-    PRArenaPool     *poolp;
-    SEC_PKCS12PrivateKey 	**privateKeys;
-
-    int bag_size;	/* used locally */
-};
-
-/* container to hold certificates.  currently supports x509
- * and sdsi certificates
- */
-struct SEC_PKCS12CertAndCRLStr
-{
-    PRArenaPool     *poolp;
-    SECOidData	    *BagTypeTag;    /* used locally */
-    SECItem         BagID;
-    union
-    {
-    	SEC_PKCS12X509CertCRL	*x509;
-    	SEC_PKCS12SDSICert	*sdsi;
-    } value;
-
-    SECItem derValue;
-    SECItem nickname;		/* used locally */
-    PRBool duplicate;		/* used locally */
-};
-
-/* x509 certificate structure.	typically holds the der encoding
- * of the x509 certificate.  thumbprint contains a digest of the
- * certificate
- */
-struct SEC_PKCS12X509CertCRLStr
-{
-    PRArenaPool     		*poolp;
-    SEC_PKCS7ContentInfo	certOrCRL;
-    SGNDigestInfo		thumbprint;
-
-    SECItem *derLeafCert;	/* used locally */
-};
-
-/* sdsi certificate structure.	typically holds the der encoding
- * of the sdsi certificate.  thumbprint contains a digest of the
- * certificate
- */
-struct SEC_PKCS12SDSICertStr
-{
-    PRArenaPool     *poolp;
-    SECItem         value;
-    SGNDigestInfo   thumbprint;
-};
-
-/* contains a null terminated list of certs and crls */
-struct SEC_PKCS12CertAndCRLBagStr
-{
-    PRArenaPool     		*poolp;
-    SEC_PKCS12CertAndCRL	**certAndCRLs;
-
-    int bag_size;	/* used locally */
-};
-
-/* additional secret information.  currently no information
- * stored in this structure.
- */
-struct SEC_PKCS12SecretAdditionalStr
-{
-    PRArenaPool     *poolp;
-    SECOidData	    *secretTypeTag;         /* used locally */
-    SECItem         secretAdditionalType;
-    SECItem         secretAdditionalContent;
-};
-
-/* secrets container.  this will be used to contain currently
- * unspecified secrets.  (it's a secret)
- */
-struct SEC_PKCS12SecretStr
-{
-    PRArenaPool     *poolp;
-    SECItem	secretName;
-    SECItem	value;
-    SEC_PKCS12SecretAdditional	secretAdditional;
-
-    SECItem	uniSecretName;
-};
-
-struct SEC_PKCS12SecretItemStr
-{
-    PRArenaPool     *poolp;
-    SEC_PKCS12Secret	secret;
-    SEC_PKCS12SafeBag	subFolder;
-};    
-
-/* a bag of secrets.  holds a null terminated list of secrets.
- */
-struct SEC_PKCS12SecretBagStr
-{
-    PRArenaPool     	*poolp;
-    SEC_PKCS12SecretItem	**secrets;
-
-    int bag_size;	/* used locally */
-};
-
-struct SEC_PKCS12MacDataStr
-{
-    SGNDigestInfo	safeMac;
-    SECItem		macSalt;
-};
-
-/* outer transfer unit */
-struct SEC_PKCS12PFXItemStr
-{
-    PRArenaPool		*poolp;
-    SEC_PKCS12MacData	macData;
-    SEC_PKCS7ContentInfo	authSafe; 
-
-    /* for compatibility with beta */
-    PRBool		old;
-    SGNDigestInfo 	old_safeMac;
-    SECItem		old_macSalt;
-
-    /* compatibility between platforms for unicode swapping */
-    PRBool		swapUnicode;
-};
-
-struct SEC_PKCS12BaggageItemStr {
-    PRArenaPool	    *poolp;
-    SEC_PKCS12ESPVKItem	**espvks;
-    SEC_PKCS12SafeBag	**unencSecrets;
-
-    int nEspvks;
-    int nSecrets; 
-};
-    
-/* stores shrouded keys */
-struct SEC_PKCS12Baggage_OLDStr
-{
-    PRArenaPool     *poolp;
-    SEC_PKCS12ESPVKItem **espvks;
-
-    int luggage_size;		/* used locally */
-};
-
-/* authenticated safe, stores certs, keys, and shrouded keys */
-struct SEC_PKCS12AuthenticatedSafeStr
-{
-    PRArenaPool     *poolp;
-    SECItem         version;
-    SECOidData	    *transportTypeTag;	/* local not part of encoding*/
-    SECItem         transportMode;
-    SECItem         privacySalt;
-    SEC_PKCS12Baggage	  baggage;
-    SEC_PKCS7ContentInfo  *safe;
-
-    /* used for beta compatibility */
-    PRBool old;
-    PRBool emptySafe;
-    SEC_PKCS12Baggage_OLD old_baggage;
-    SEC_PKCS7ContentInfo old_safe;
-    PRBool swapUnicode;
-};
-#define SEC_PKCS12_PFX_VERSION		1		/* what we create */
-
-
-
-/* PKCS 12 Templates */
-extern const SEC_ASN1Template SEC_PKCS12PFXItemTemplate_OLD[];
-extern const SEC_ASN1Template SEC_PKCS12AuthenticatedSafeTemplate_OLD[];
-extern const SEC_ASN1Template SEC_PKCS12BaggageTemplate_OLD[];
-extern const SEC_ASN1Template SEC_PKCS12PFXItemTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12MacDataTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12AuthenticatedSafeTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12BaggageTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12ESPVKItemTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12PVKSupportingDataTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12PVKAdditionalTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12SafeContentsTemplate_OLD[];
-extern const SEC_ASN1Template SEC_PKCS12SafeContentsTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12SafeBagTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12PrivateKeyTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12PrivateKeyBagTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12CertAndCRLTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12CertAndCRLBagTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12X509CertCRLTemplate_OLD[];
-extern const SEC_ASN1Template SEC_PKCS12X509CertCRLTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12SDSICertTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12SecretBagTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12SecretTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12SecretItemTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12SecretAdditionalTemplate[];
-extern const SEC_ASN1Template SGN_DigestInfoTemplate[];
-extern const SEC_ASN1Template SEC_PointerToPKCS12KeyBagTemplate[];
-extern const SEC_ASN1Template SEC_PointerToPKCS12CertAndCRLBagTemplate[];
-extern const SEC_ASN1Template SEC_PointerToPKCS12CertAndCRLBagTemplate_OLD[];
-extern const SEC_ASN1Template SEC_PointerToPKCS12SecretBagTemplate[];
-extern const SEC_ASN1Template SEC_PointerToPKCS12X509CertCRLTemplate_OLD[];
-extern const SEC_ASN1Template SEC_PointerToPKCS12X509CertCRLTemplate[];
-extern const SEC_ASN1Template SEC_PointerToPKCS12SDSICertTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12CodedSafeBagTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12CodedCertBagTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12CodedCertAndCRLBagTemplate[];
-extern const SEC_ASN1Template SEC_PKCS12PVKSupportingDataTemplate_OLD[];
-extern const SEC_ASN1Template SEC_PKCS12ESPVKItemTemplate_OLD[];
-#endif
diff --git a/security/nss/lib/pkcs7/Makefile b/security/nss/lib/pkcs7/Makefile
deleted file mode 100644
index 3bc1a719a..000000000
--- a/security/nss/lib/pkcs7/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include config.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-
diff --git a/security/nss/lib/pkcs7/certread.c b/security/nss/lib/pkcs7/certread.c
deleted file mode 100644
index 4887d26b8..000000000
--- a/security/nss/lib/pkcs7/certread.c
+++ /dev/null
@@ -1,558 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "nssrenam.h"
-#include "cert.h"
-#include "secpkcs7.h"
-#include "base64.h"
-#include "secitem.h"
-#include "secder.h"
-#include "secasn1.h"
-#include "secoid.h"
-#include "secerr.h"
-
-SEC_ASN1_MKSUB(SEC_AnyTemplate)
-
-SECStatus
-SEC_ReadPKCS7Certs(SECItem *pkcs7Item, CERTImportCertificateFunc f, void *arg)
-{
-    SEC_PKCS7ContentInfo *contentInfo = NULL;
-    SECStatus rv;
-    SECItem **certs;
-    int count;
-
-    contentInfo = SEC_PKCS7DecodeItem(pkcs7Item, NULL, NULL, NULL, NULL, NULL, 
-				      NULL, NULL);
-    if ( contentInfo == NULL ) {
-	goto loser;
-    }
-
-    if ( SEC_PKCS7ContentType (contentInfo) != SEC_OID_PKCS7_SIGNED_DATA ) {
-	goto loser;
-    }
-
-    certs = contentInfo->content.signedData->rawCerts;
-    if ( certs ) {
-	count = 0;
-	
-	while ( *certs ) {
-	    count++;
-	    certs++;
-	}
-	rv = (* f)(arg, contentInfo->content.signedData->rawCerts, count);
-    }
-    
-    rv = SECSuccess;
-    
-    goto done;
-loser:
-    rv = SECFailure;
-    
-done:
-    if ( contentInfo ) {
-	SEC_PKCS7DestroyContentInfo(contentInfo);
-    }
-
-    return(rv);
-}
-
-const SEC_ASN1Template SEC_CertSequenceTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN, 0, SEC_ASN1_SUB(SEC_AnyTemplate) }
-};
-
-SECStatus
-SEC_ReadCertSequence(SECItem *certsItem, CERTImportCertificateFunc f, void *arg)
-{
-    SECStatus rv;
-    SECItem **certs;
-    int count;
-    SECItem **rawCerts = NULL;
-    PRArenaPool *arena;
-    SEC_PKCS7ContentInfo *contentInfo = NULL;
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) {
-	return SECFailure;
-    }
-
-    contentInfo = SEC_PKCS7DecodeItem(certsItem, NULL, NULL, NULL, NULL, NULL, 
-				      NULL, NULL);
-    if ( contentInfo == NULL ) {
-	goto loser;
-    }
-
-    if ( SEC_PKCS7ContentType (contentInfo) != SEC_OID_NS_TYPE_CERT_SEQUENCE ) {
-	goto loser;
-    }
-
-
-    rv = SEC_QuickDERDecodeItem(arena, &rawCerts, SEC_CertSequenceTemplate,
-		    contentInfo->content.data);
-
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-
-    certs = rawCerts;
-    if ( certs ) {
-	count = 0;
-	
-	while ( *certs ) {
-	    count++;
-	    certs++;
-	}
-	rv = (* f)(arg, rawCerts, count);
-    }
-    
-    rv = SECSuccess;
-    
-    goto done;
-loser:
-    rv = SECFailure;
-    
-done:
-    if ( contentInfo ) {
-	SEC_PKCS7DestroyContentInfo(contentInfo);
-    }
-
-    if ( arena ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    
-    return(rv);
-}
-
-CERTCertificate *
-CERT_ConvertAndDecodeCertificate(char *certstr)
-{
-    CERTCertificate *cert;
-    SECStatus rv;
-    SECItem der;
-
-    rv = ATOB_ConvertAsciiToItem(&der, certstr);
-    if (rv != SECSuccess)
-	return NULL;
-
-    cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), 
-                                   &der, NULL, PR_FALSE, PR_TRUE);
-
-    PORT_Free(der.data);
-    return cert;
-}
-
-#define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----"
-#define NS_CERT_TRAILER "-----END CERTIFICATE-----"
-
-#define CERTIFICATE_TYPE_STRING "certificate"
-#define CERTIFICATE_TYPE_LEN (sizeof(CERTIFICATE_TYPE_STRING)-1)
-
-CERTPackageType
-CERT_CertPackageType(SECItem *package, SECItem *certitem)
-{
-    unsigned char *cp;
-    unsigned int seqLen, seqLenLen;
-    SECItem oiditem;
-    SECOidData *oiddata;
-    CERTPackageType type = certPackageNone;
-    
-    cp = package->data;
-
-    /* is a DER encoded certificate of some type? */
-    if ( ( *cp  & 0x1f ) == SEC_ASN1_SEQUENCE ) {
-	cp++;
-	
-	if ( *cp & 0x80) {
-	    /* Multibyte length */
-	    seqLenLen = cp[0] & 0x7f;
-	    
-	    switch (seqLenLen) {
-	      case 4:
-		seqLen = ((unsigned long)cp[1]<<24) |
-		    ((unsigned long)cp[2]<<16) | (cp[3]<<8) | cp[4];
-		break;
-	      case 3:
-		seqLen = ((unsigned long)cp[1]<<16) | (cp[2]<<8) | cp[3];
-		break;
-	      case 2:
-		seqLen = (cp[1]<<8) | cp[2];
-		break;
-	      case 1:
-		seqLen = cp[1];
-		break;
-	      default:
-		/* indefinite length */
-		seqLen = 0;
-	    }
-	    cp += ( seqLenLen + 1 );
-
-	} else {
-	    seqLenLen = 0;
-	    seqLen = *cp;
-	    cp++;
-	}
-
-	/* check entire length if definite length */
-	if ( seqLen || seqLenLen ) {
-	    if ( package->len != ( seqLen + seqLenLen + 2 ) ) {
-		/* not a DER package */
-		return(type);
-	    }
-	}
-	
-	/* check the type string */
-	/* netscape wrapped DER cert */
-	if ( ( cp[0] == SEC_ASN1_OCTET_STRING ) &&
-	    ( cp[1] == CERTIFICATE_TYPE_LEN ) &&
-	    ( PORT_Strcmp((char *)&cp[2], CERTIFICATE_TYPE_STRING) ) ) {
-	    
-	    cp += ( CERTIFICATE_TYPE_LEN + 2 );
-
-	    /* it had better be a certificate by now!! */
-	    if ( certitem ) {
-		certitem->data = cp;
-		certitem->len = package->len -
-		    ( cp - (unsigned char *)package->data );
-	    }
-	    type = certPackageNSCertWrap;
-	    
-	} else if ( cp[0] == SEC_ASN1_OBJECT_ID ) {
-	    /* XXX - assume DER encoding of OID len!! */
-	    oiditem.len = cp[1];
-	    oiditem.data = (unsigned char *)&cp[2];
-	    oiddata = SECOID_FindOID(&oiditem);
-	    if ( oiddata == NULL ) {
-		/* failure */
-		return(type);
-	    }
-
-	    if ( certitem ) {
-		certitem->data = package->data;
-		certitem->len = package->len;
-	    }
-	    
-	    switch ( oiddata->offset ) {
-	      case SEC_OID_PKCS7_SIGNED_DATA:
-		type = certPackagePKCS7;
-		break;
-	      case SEC_OID_NS_TYPE_CERT_SEQUENCE:
-		type = certPackageNSCertSeq;
-		break;
-	      default:
-		break;
-	    }
-	    
-	} else {
-	    /* it had better be a certificate by now!! */
-	    if ( certitem ) {
-		certitem->data = package->data;
-		certitem->len = package->len;
-	    }
-	    
-	    type = certPackageCert;
-	}
-    }
-
-    return(type);
-}
-
-/*
- * read an old style ascii or binary certificate chain
- */
-SECStatus
-CERT_DecodeCertPackage(char *certbuf,
-		       int certlen,
-		       CERTImportCertificateFunc f,
-		       void *arg)
-{
-    unsigned char *cp;
-    unsigned char *bincert = NULL;
-    char *         ascCert = NULL;
-    SECStatus      rv;
-    
-    if ( certbuf == NULL ) {
-	return(SECFailure);
-    }
-    
-    cp = (unsigned char *)certbuf;
-
-    /* is a DER encoded certificate of some type? */
-    if ( ( *cp  & 0x1f ) == SEC_ASN1_SEQUENCE ) {
-	SECItem certitem;
-	SECItem *pcertitem = &certitem;
-	int seqLen, seqLenLen;
-
-	cp++;
-	
-	if ( *cp & 0x80) {
-	    /* Multibyte length */
-	    seqLenLen = cp[0] & 0x7f;
-	    
-	    switch (seqLenLen) {
-	      case 4:
-		seqLen = ((unsigned long)cp[1]<<24) |
-		    ((unsigned long)cp[2]<<16) | (cp[3]<<8) | cp[4];
-		break;
-	      case 3:
-		seqLen = ((unsigned long)cp[1]<<16) | (cp[2]<<8) | cp[3];
-		break;
-	      case 2:
-		seqLen = (cp[1]<<8) | cp[2];
-		break;
-	      case 1:
-		seqLen = cp[1];
-		break;
-	      default:
-		/* indefinite length */
-		seqLen = 0;
-	    }
-	    cp += ( seqLenLen + 1 );
-
-	} else {
-	    seqLenLen = 0;
-	    seqLen = *cp;
-	    cp++;
-	}
-
-	/* check entire length if definite length */
-	if ( seqLen || seqLenLen ) {
-	    if ( certlen != ( seqLen + seqLenLen + 2 ) ) {
-		if (certlen > ( seqLen + seqLenLen + 2 ))
-		    PORT_SetError(SEC_ERROR_EXTRA_INPUT);
-		else 
-		    PORT_SetError(SEC_ERROR_INPUT_LEN);
-		goto notder;
-	    }
-	}
-	
-	/* check the type string */
-	/* netscape wrapped DER cert */
-	if ( ( cp[0] == SEC_ASN1_OCTET_STRING ) &&
-	    ( cp[1] == CERTIFICATE_TYPE_LEN ) &&
-	    ( PORT_Strcmp((char *)&cp[2], CERTIFICATE_TYPE_STRING) ) ) {
-	    
-	    cp += ( CERTIFICATE_TYPE_LEN + 2 );
-
-	    /* it had better be a certificate by now!! */
-	    certitem.data = cp;
-	    certitem.len = certlen - ( cp - (unsigned char *)certbuf );
-	    
-	    rv = (* f)(arg, &pcertitem, 1);
-	    
-	    return(rv);
-	} else if ( cp[0] == SEC_ASN1_OBJECT_ID ) {
-	    SECOidData *oiddata;
-	    SECItem oiditem;
-	    /* XXX - assume DER encoding of OID len!! */
-	    oiditem.len = cp[1];
-	    oiditem.data = (unsigned char *)&cp[2];
-	    oiddata = SECOID_FindOID(&oiditem);
-	    if ( oiddata == NULL ) {
-		return(SECFailure);
-	    }
-
-	    certitem.data = (unsigned char*)certbuf;
-	    certitem.len = certlen;
-	    
-	    switch ( oiddata->offset ) {
-	      case SEC_OID_PKCS7_SIGNED_DATA:
-		return(SEC_ReadPKCS7Certs(&certitem, f, arg));
-		break;
-	      case SEC_OID_NS_TYPE_CERT_SEQUENCE:
-		return(SEC_ReadCertSequence(&certitem, f, arg));
-		break;
-	      default:
-		break;
-	    }
-	    
-	} else {
-	    /* it had better be a certificate by now!! */
-	    certitem.data = (unsigned char*)certbuf;
-	    certitem.len = certlen;
-	    
-	    rv = (* f)(arg, &pcertitem, 1);
-	    return(rv);
-	}
-    }
-
-    /* now look for a netscape base64 ascii encoded cert */
-notder:
-  {
-    unsigned char *certbegin = NULL; 
-    unsigned char *certend   = NULL;
-    char          *pc;
-    int cl;
-
-    /* Convert the ASCII data into a nul-terminated string */
-    ascCert = (char *)PORT_Alloc(certlen + 1);
-    if (!ascCert) {
-        rv = SECFailure;
-	goto loser;
-    }
-
-    PORT_Memcpy(ascCert, certbuf, certlen);
-    ascCert[certlen] = '\0';
-
-    pc = PORT_Strchr(ascCert, '\n');  /* find an EOL */
-    if (!pc) { /* maybe this is a MAC file */
-	pc = ascCert;
-	while (*pc && NULL != (pc = PORT_Strchr(pc, '\r'))) {
-	    *pc++ = '\n';
-	}
-    }
-
-    cp = (unsigned char *)ascCert;
-    cl = certlen;
-
-    /* find the beginning marker */
-    while ( cl > sizeof(NS_CERT_HEADER) ) {
-	if ( !PORT_Strncasecmp((char *)cp, NS_CERT_HEADER,
-			     sizeof(NS_CERT_HEADER)-1) ) {
-	    cp = cp + sizeof(NS_CERT_HEADER);
-	    certbegin = cp;
-	    break;
-	}
-	
-	/* skip to next eol */
-	do {
-	    cp++;
-	    cl--;
-	} while ( ( *cp != '\n') && cl );
-
-	/* skip all blank lines */
-	while ( ( *cp == '\n') && cl ) {
-	    cp++;
-	    cl--;
-	}
-    }
-
-    if ( certbegin ) {
-	/* find the ending marker */
-	while ( cl > sizeof(NS_CERT_TRAILER) ) {
-	    if ( !PORT_Strncasecmp((char *)cp, NS_CERT_TRAILER,
-				 sizeof(NS_CERT_TRAILER)-1) ) {
-		certend = (unsigned char *)cp;
-		break;
-	    }
-
-	    /* skip to next eol */
-	    do {
-		cp++;
-		cl--;
-	    } while ( ( *cp != '\n') && cl );
-
-	    /* skip all blank lines */
-	    while ( ( *cp == '\n') && cl ) {
-		cp++;
-		cl--;
-	    }
-	}
-    }
-
-    if ( certbegin && certend ) {
-	unsigned int binLen;
-
-	*certend = 0;
-	/* convert to binary */
-	bincert = ATOB_AsciiToData(certbegin, &binLen);
-	if (!bincert) {
-	    rv = SECFailure;
-	    goto loser;
-	}
-
-	/* now recurse to decode the binary */
-	rv = CERT_DecodeCertPackage((char *)bincert, binLen, f, arg);
-	
-    } else {
-	rv = SECFailure;
-    }
-  }
-
-loser:
-
-    if ( bincert ) {
-	PORT_Free(bincert);
-    }
-
-    if ( ascCert ) {
-	PORT_Free(ascCert);
-    }
-
-    return(rv);
-}
-
-typedef struct {
-    PRArenaPool *arena;
-    SECItem cert;
-} collect_args;
-
-static SECStatus
-collect_certs(void *arg, SECItem **certs, int numcerts)
-{
-    SECStatus rv;
-    collect_args *collectArgs;
-    
-    collectArgs = (collect_args *)arg;
-    
-    rv = SECITEM_CopyItem(collectArgs->arena, &collectArgs->cert, *certs);
-
-    return(rv);
-}
-
-
-/*
- * read an old style ascii or binary certificate
- */
-CERTCertificate *
-CERT_DecodeCertFromPackage(char *certbuf, int certlen)
-{
-    collect_args collectArgs;
-    SECStatus rv;
-    CERTCertificate *cert = NULL;
-    
-    collectArgs.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    
-    rv = CERT_DecodeCertPackage(certbuf, certlen, collect_certs,
-				(void *)&collectArgs);
-    if ( rv == SECSuccess ) {
-	cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
-	                               &collectArgs.cert, NULL, 
-	                               PR_FALSE, PR_TRUE);
-    }
-    
-    PORT_FreeArena(collectArgs.arena, PR_FALSE);
-    
-    return(cert);
-}
diff --git a/security/nss/lib/pkcs7/config.mk b/security/nss/lib/pkcs7/config.mk
deleted file mode 100644
index 7ade98fc1..000000000
--- a/security/nss/lib/pkcs7/config.mk
+++ /dev/null
@@ -1,46 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#
-#  Override TARGETS variable so that only static libraries
-#  are specifed as dependencies within rules.mk.
-#
-
-TARGETS        = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PROGRAM        =
diff --git a/security/nss/lib/pkcs7/manifest.mn b/security/nss/lib/pkcs7/manifest.mn
deleted file mode 100644
index 429d9ac1c..000000000
--- a/security/nss/lib/pkcs7/manifest.mn
+++ /dev/null
@@ -1,64 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-EXPORTS = \
-	secmime.h \
-	secpkcs7.h \
-	pkcs7t.h \
-	$(NULL)
-
-PRIVATE_EXPORTS = \
-	p7local.h \
-	$(NULL)
-
-MODULE = nss
-
-CSRCS = \
-	certread.c \
-	p7common.c \
-	p7create.c \
-	p7decode.c \
-	p7encode.c \
-	p7local.c  \
-	secmime.c  \
-	$(NULL)
-
-REQUIRES = dbm
-
-LIBRARY_NAME = pkcs7
diff --git a/security/nss/lib/pkcs7/p7common.c b/security/nss/lib/pkcs7/p7common.c
deleted file mode 100644
index 02f058a25..000000000
--- a/security/nss/lib/pkcs7/p7common.c
+++ /dev/null
@@ -1,750 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * PKCS7 implementation -- the exported parts that are used whether
- * creating or decoding.
- *
- * $Id$
- */
-
-#include "p7local.h"
-
-#include "cert.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "pk11func.h"
-
-/*
- * Find out (saving pointer to lookup result for future reference)
- * and return the inner content type.
- */
-SECOidTag
-SEC_PKCS7ContentType (SEC_PKCS7ContentInfo *cinfo)
-{
-    if (cinfo->contentTypeTag == NULL)
-	cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType));
-
-    if (cinfo->contentTypeTag == NULL)
-	return SEC_OID_UNKNOWN;
-
-    return cinfo->contentTypeTag->offset;
-}
-
-
-/*
- * Destroy a PKCS7 contentInfo and all of its sub-pieces.
- */
-void
-SEC_PKCS7DestroyContentInfo(SEC_PKCS7ContentInfo *cinfo)
-{
-    SECOidTag kind;
-    CERTCertificate **certs;
-    CERTCertificateList **certlists;
-    SEC_PKCS7SignerInfo **signerinfos;
-    SEC_PKCS7RecipientInfo **recipientinfos;
-
-    PORT_Assert (cinfo->refCount > 0);
-    if (cinfo->refCount <= 0)
-	return;
-
-    cinfo->refCount--;
-    if (cinfo->refCount > 0)
-	return;
-
-    certs = NULL;
-    certlists = NULL;
-    recipientinfos = NULL;
-    signerinfos = NULL;
-
-    kind = SEC_PKCS7ContentType (cinfo);
-    switch (kind) {
-      case SEC_OID_PKCS7_ENVELOPED_DATA:
-	{
-	    SEC_PKCS7EnvelopedData *edp;
-
-	    edp = cinfo->content.envelopedData;
-	    if (edp != NULL) {
-		recipientinfos = edp->recipientInfos;
-	    }
-	}
-	break;
-      case SEC_OID_PKCS7_SIGNED_DATA:
-	{
-	    SEC_PKCS7SignedData *sdp;
-
-	    sdp = cinfo->content.signedData;
-	    if (sdp != NULL) {
-		certs = sdp->certs;
-		certlists = sdp->certLists;
-		signerinfos = sdp->signerInfos;
-	    }
-	}
-	break;
-      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
-	{
-	    SEC_PKCS7SignedAndEnvelopedData *saedp;
-
-	    saedp = cinfo->content.signedAndEnvelopedData;
-	    if (saedp != NULL) {
-		certs = saedp->certs;
-		certlists = saedp->certLists;
-		recipientinfos = saedp->recipientInfos;
-		signerinfos = saedp->signerInfos;
-		if (saedp->sigKey != NULL)
-		    PK11_FreeSymKey (saedp->sigKey);
-	    }
-	}
-	break;
-      default:
-	/* XXX Anything else that needs to be "manually" freed/destroyed? */
-	break;
-    }
-
-    if (certs != NULL) {
-	CERTCertificate *cert;
-
-	while ((cert = *certs++) != NULL) {
-	    CERT_DestroyCertificate (cert);
-	}
-    }
-
-    if (certlists != NULL) {
-	CERTCertificateList *certlist;
-
-	while ((certlist = *certlists++) != NULL) {
-	    CERT_DestroyCertificateList (certlist);
-	}
-    }
-
-    if (recipientinfos != NULL) {
-	SEC_PKCS7RecipientInfo *ri;
-
-	while ((ri = *recipientinfos++) != NULL) {
-	    if (ri->cert != NULL)
-		CERT_DestroyCertificate (ri->cert);
-	}
-    }
-
-    if (signerinfos != NULL) {
-	SEC_PKCS7SignerInfo *si;
-
-	while ((si = *signerinfos++) != NULL) {
-	    if (si->cert != NULL)
-		CERT_DestroyCertificate (si->cert);
-	    if (si->certList != NULL)
-		CERT_DestroyCertificateList (si->certList);
-	}
-    }
-
-    if (cinfo->poolp != NULL) {
-	PORT_FreeArena (cinfo->poolp, PR_FALSE);	/* XXX clear it? */
-    }
-}
-
-
-/*
- * Return a copy of the given contentInfo.  The copy may be virtual
- * or may be real -- either way, the result needs to be passed to
- * SEC_PKCS7DestroyContentInfo later (as does the original).
- */
-SEC_PKCS7ContentInfo *
-SEC_PKCS7CopyContentInfo(SEC_PKCS7ContentInfo *cinfo)
-{
-    if (cinfo == NULL)
-	return NULL;
-
-    PORT_Assert (cinfo->refCount > 0);
-
-    if (cinfo->created) {
-	/*
-	 * Want to do a real copy of these; otherwise subsequent
-	 * changes made to either copy are likely to be a surprise.
-	 * XXX I suspect that this will not actually be called for yet,
-	 * which is why the assert, so to notice if it is...
-	 */
-	PORT_Assert (0);
-	/*
-	 * XXX Create a new pool here, and copy everything from
-	 * within.  For cert stuff, need to call the appropriate
-	 * copy functions, etc.
-	 */
-    }
-
-    cinfo->refCount++;
-    return cinfo;
-}
-
-
-/*
- * Return a pointer to the actual content.  In the case of those types
- * which are encrypted, this returns the *plain* content.
- * XXX Needs revisiting if/when we handle nested encrypted types.
- */
-SECItem *
-SEC_PKCS7GetContent(SEC_PKCS7ContentInfo *cinfo)
-{
-    SECOidTag kind;
-
-    kind = SEC_PKCS7ContentType (cinfo);
-    switch (kind) {
-      case SEC_OID_PKCS7_DATA:
-	return cinfo->content.data;
-      case SEC_OID_PKCS7_DIGESTED_DATA:
-	{
-	    SEC_PKCS7DigestedData *digd;
-
-	    digd = cinfo->content.digestedData;
-	    if (digd == NULL)
-		break;
-	    return SEC_PKCS7GetContent (&(digd->contentInfo));
-	}
-      case SEC_OID_PKCS7_ENCRYPTED_DATA:
-	{
-	    SEC_PKCS7EncryptedData *encd;
-
-	    encd = cinfo->content.encryptedData;
-	    if (encd == NULL)
-		break;
-	    return &(encd->encContentInfo.plainContent);
-	}
-      case SEC_OID_PKCS7_ENVELOPED_DATA:
-	{
-	    SEC_PKCS7EnvelopedData *envd;
-
-	    envd = cinfo->content.envelopedData;
-	    if (envd == NULL)
-		break;
-	    return &(envd->encContentInfo.plainContent);
-	}
-      case SEC_OID_PKCS7_SIGNED_DATA:
-	{
-	    SEC_PKCS7SignedData *sigd;
-
-	    sigd = cinfo->content.signedData;
-	    if (sigd == NULL)
-		break;
-	    return SEC_PKCS7GetContent (&(sigd->contentInfo));
-	}
-      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
-	{
-	    SEC_PKCS7SignedAndEnvelopedData *saed;
-
-	    saed = cinfo->content.signedAndEnvelopedData;
-	    if (saed == NULL)
-		break;
-	    return &(saed->encContentInfo.plainContent);
-	}
-      default:
-	PORT_Assert(0);
-	break;
-    }
-
-    return NULL;
-}
-
-
-/*
- * XXX Fix the placement and formatting of the
- * following routines (i.e. make them consistent with the rest of
- * the pkcs7 code -- I think some/many belong in other files and
- * they all need a formatting/style rehaul)
- */
-
-/* retrieve the algorithm identifier for encrypted data.  
- * the identifier returned is a copy of the algorithm identifier
- * in the content info and needs to be freed after being used.
- *
- *   cinfo is the content info for which to retrieve the
- *     encryption algorithm.
- *
- * if the content info is not encrypted data or an error 
- * occurs NULL is returned.
- */
-SECAlgorithmID *
-SEC_PKCS7GetEncryptionAlgorithm(SEC_PKCS7ContentInfo *cinfo)
-{
-  SECAlgorithmID *alg = 0;
-  switch (SEC_PKCS7ContentType(cinfo))
-    {
-    case SEC_OID_PKCS7_ENCRYPTED_DATA:
-      alg = &cinfo->content.encryptedData->encContentInfo.contentEncAlg;
-      break;
-    case SEC_OID_PKCS7_ENVELOPED_DATA:
-      alg = &cinfo->content.envelopedData->encContentInfo.contentEncAlg;
-      break;
-    case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
-      alg = &cinfo->content.signedAndEnvelopedData
-	->encContentInfo.contentEncAlg;
-      break;
-    default:
-      alg = 0;
-      break;
-    }
-
-    return alg;
-}
-
-/* set the content of the content info.  For data content infos,
- * the data is set.  For encrytped content infos, the plainContent
- * is set, and is expected to be encrypted later.
- *  
- * cinfo is the content info where the data will be set
- *
- * buf is a buffer of the data to set
- *
- * len is the length of the data being set.
- *
- * in the event of an error, SECFailure is returned.  SECSuccess 
- * indicates the content was successfully set.
- */
-SECStatus 
-SEC_PKCS7SetContent(SEC_PKCS7ContentInfo *cinfo,
-		    const char *buf, 
-		    unsigned long len)
-{
-    SECOidTag cinfo_type;
-    SECStatus rv;
-    SECItem content;
-    SECOidData *contentTypeTag = NULL;
-
-    content.data = (unsigned char *)buf;
-    content.len = len;
-
-    cinfo_type = SEC_PKCS7ContentType(cinfo);
-
-    /* set inner content */
-    switch(cinfo_type)
-    {
-	case SEC_OID_PKCS7_SIGNED_DATA:
-	    if(content.len > 0) {
-		/* we "leak" the old content here, but as it's all in the pool */
-		/* it does not really matter */
-
-		/* create content item if necessary */
-		if (cinfo->content.signedData->contentInfo.content.data == NULL)
-		    cinfo->content.signedData->contentInfo.content.data = SECITEM_AllocItem(cinfo->poolp, NULL, 0);
-		rv = SECITEM_CopyItem(cinfo->poolp, 
-			cinfo->content.signedData->contentInfo.content.data,
-			&content);
-	    } else {
-		cinfo->content.signedData->contentInfo.content.data->data = NULL;
-		cinfo->content.signedData->contentInfo.content.data->len = 0;
-		rv = SECSuccess;
-	    }
-	    if(rv == SECFailure)
-		goto loser;
-	    
-	    break;
-	case SEC_OID_PKCS7_ENCRYPTED_DATA:
-	    /* XXX this forces the inner content type to be "data" */
-	    /* do we really want to override without asking or reason? */
-	    contentTypeTag = SECOID_FindOIDByTag(SEC_OID_PKCS7_DATA);
-	    if(contentTypeTag == NULL)
-		goto loser;
-	    rv = SECITEM_CopyItem(cinfo->poolp, 
-		&(cinfo->content.encryptedData->encContentInfo.contentType),
-		&(contentTypeTag->oid));
-	    if(rv == SECFailure)
-		goto loser;
-	    if(content.len > 0) {
-		rv = SECITEM_CopyItem(cinfo->poolp, 
-			&(cinfo->content.encryptedData->encContentInfo.plainContent),
-			&content);
-	    } else {
-		cinfo->content.encryptedData->encContentInfo.plainContent.data = NULL;
-		cinfo->content.encryptedData->encContentInfo.encContent.data = NULL;
-		cinfo->content.encryptedData->encContentInfo.plainContent.len = 0;
-		cinfo->content.encryptedData->encContentInfo.encContent.len = 0;
-		rv = SECSuccess;
-	    }
-	    if(rv == SECFailure)
-		goto loser;
-	    break;
-	case SEC_OID_PKCS7_DATA:
-	    cinfo->content.data = (SECItem *)PORT_ArenaZAlloc(cinfo->poolp,
-		sizeof(SECItem));
-	    if(cinfo->content.data == NULL)
-		goto loser;
-	    if(content.len > 0) {
-		rv = SECITEM_CopyItem(cinfo->poolp,
-			cinfo->content.data, &content);
-	    } else {
-	    	/* handle case with NULL content */
-		rv = SECSuccess;
-	    }
-	    if(rv == SECFailure)
-		goto loser;
-	    break;
-	default:
-	    goto loser;
-    }
-
-    return SECSuccess;
-
-loser:
-	
-    return SECFailure;
-}
-
-/* the content of an encrypted data content info is encrypted.
- * it is assumed that for encrypted data, that the data has already
- * been set and is in the "plainContent" field of the content info.
- *
- * cinfo is the content info to encrypt
- *
- * key is the key with which to perform the encryption.  if the
- *     algorithm is a password based encryption algorithm, the
- *     key is actually a password which will be processed per
- *     PKCS #5.
- * 
- * in the event of an error, SECFailure is returned.  SECSuccess
- * indicates a success.
- */
-SECStatus 
-SEC_PKCS7EncryptContents(PRArenaPool *poolp,
-			 SEC_PKCS7ContentInfo *cinfo,
-			 SECItem *key,
-			 void *wincx)
-{
-    SECAlgorithmID *algid 	= NULL;
-    SECItem *       result 	= NULL;
-    SECItem *       src;
-    SECItem *       dest;
-    SECItem *       blocked_data = NULL;
-    void *          mark;
-    void *          cx;
-    PK11SymKey *    eKey 	= NULL;
-    PK11SlotInfo *  slot 	= NULL;
-
-    CK_MECHANISM    pbeMech;
-    CK_MECHANISM    cryptoMech;
-    int             bs;
-    SECOidTag       algtag;
-    SECStatus       rv 		= SECFailure;
-    SECItem         c_param;
-
-    if((cinfo == NULL) || (key == NULL))
-	return SECFailure;
-
-    if(SEC_PKCS7ContentType(cinfo) != SEC_OID_PKCS7_ENCRYPTED_DATA)
-	return SECFailure;
-
-    algid = SEC_PKCS7GetEncryptionAlgorithm(cinfo);	
-    if(algid == NULL)
-	return SECFailure;
-
-    if(poolp == NULL)
-	poolp = cinfo->poolp;
-
-    mark = PORT_ArenaMark(poolp);
-    
-    src = &cinfo->content.encryptedData->encContentInfo.plainContent;
-    dest = &cinfo->content.encryptedData->encContentInfo.encContent;
-    algtag = SECOID_GetAlgorithmTag(algid);
-    c_param.data = NULL;
-    dest->data = (unsigned char*)PORT_ArenaZAlloc(poolp, (src->len + 64));
-    dest->len = (src->len + 64);
-    if(dest->data == NULL) {
-	rv = SECFailure;
-	goto loser;
-    }
-
-    slot = PK11_GetInternalKeySlot();
-    if(slot == NULL) {
-	rv = SECFailure;
-	goto loser;
-    }
-    pbeMech.mechanism = PK11_AlgtagToMechanism(algtag);
-    result = PK11_ParamFromAlgid(algid);
-    if (result == NULL) {
-	rv = SECFailure;
-	goto loser;
-    }
-    pbeMech.pParameter = result->data;
-    pbeMech.ulParameterLen = result->len;
-
-    eKey = PK11_RawPBEKeyGen(slot, pbeMech.mechanism, result, key, PR_FALSE,
-								 wincx);
-    if(eKey == NULL) {
-	rv = SECFailure;
-	goto loser;
-    }
-
-    if(PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech, key, 
-			PR_FALSE) != CKR_OK) {
-	rv = SECFailure;
-	goto loser;
-    }
-    c_param.data = (unsigned char *)cryptoMech.pParameter;
-    c_param.len = cryptoMech.ulParameterLen;
-
-    /* block according to PKCS 8 */
-    bs = PK11_GetBlockSize(cryptoMech.mechanism, &c_param);
-    rv = SECSuccess;
-    if(bs) {
-	char pad_char;
-	pad_char = (char)(bs - (src->len % bs));
-	if(src->len % bs) {
-	    rv = SECSuccess;
-	    blocked_data = PK11_BlockData(src, bs);
-	    if(blocked_data) {
-		PORT_Memset((blocked_data->data + blocked_data->len - (int)pad_char), 
-			    pad_char, (int)pad_char);
-	    } else {
-		rv = SECFailure;
-		goto loser;
-	    }
-	} else {
-	    blocked_data = SECITEM_DupItem(src);
-	    if(blocked_data) {
-		blocked_data->data = (unsigned char*)PORT_Realloc(
-						  blocked_data->data,
-						  blocked_data->len + bs);
-		if(blocked_data->data) {
-		    blocked_data->len += bs;
-		    PORT_Memset((blocked_data->data + src->len), (char)bs, bs);
-		} else {
-		    rv = SECFailure;
-		    goto loser;
-		}
-	    } else {
-		rv = SECFailure;
-		goto loser;
-	    }
-	 }
-    } else {
-	blocked_data = SECITEM_DupItem(src);
-	if(!blocked_data) {
-	    rv = SECFailure;
-	    goto loser;
-	}
-    }
-
-    cx = PK11_CreateContextBySymKey(cryptoMech.mechanism, CKA_ENCRYPT,
-		    		    eKey, &c_param);
-    if(cx == NULL) {
-	rv = SECFailure;
-	goto loser;
-    }
-
-    rv = PK11_CipherOp((PK11Context*)cx, dest->data, (int *)(&dest->len), 
-		       (int)(src->len + 64), blocked_data->data, 
-		       (int)blocked_data->len);
-    PK11_DestroyContext((PK11Context*)cx, PR_TRUE);
-
-loser:
-    /* let success fall through */
-    if(blocked_data != NULL)
-	SECITEM_ZfreeItem(blocked_data, PR_TRUE);
-
-    if(result != NULL)
-	SECITEM_ZfreeItem(result, PR_TRUE);
-
-    if(rv == SECFailure)
-	PORT_ArenaRelease(poolp, mark);
-    else 
-	PORT_ArenaUnmark(poolp, mark);
-
-    if(eKey != NULL)
-	PK11_FreeSymKey(eKey);
-
-    if(slot != NULL)
-	PK11_FreeSlot(slot);
-
-    if(c_param.data != NULL) 
-	SECITEM_ZfreeItem(&c_param, PR_FALSE);
-	
-    return rv;
-}
-
-/* the content of an encrypted data content info is decrypted.
- * it is assumed that for encrypted data, that the data has already
- * been set and is in the "encContent" field of the content info.
- *
- * cinfo is the content info to decrypt
- *
- * key is the key with which to perform the decryption.  if the
- *     algorithm is a password based encryption algorithm, the
- *     key is actually a password which will be processed per
- *     PKCS #5.
- * 
- * in the event of an error, SECFailure is returned.  SECSuccess
- * indicates a success.
- */
-SECStatus 
-SEC_PKCS7DecryptContents(PRArenaPool *poolp,
-			 SEC_PKCS7ContentInfo *cinfo,
-			 SECItem *key,
-			 void *wincx)
-{
-    SECAlgorithmID *algid = NULL;
-    SECOidTag algtag;
-    SECStatus rv = SECFailure;
-    SECItem *result = NULL, *dest, *src;
-    void *mark;
-
-    PK11SymKey *eKey = NULL;
-    PK11SlotInfo *slot = NULL;
-    CK_MECHANISM pbeMech, cryptoMech;
-    void *cx;
-    SECItem c_param;
-    int bs;
-
-    if((cinfo == NULL) || (key == NULL))
-	return SECFailure;
-
-    if(SEC_PKCS7ContentType(cinfo) != SEC_OID_PKCS7_ENCRYPTED_DATA)
-	return SECFailure;
-
-    algid = SEC_PKCS7GetEncryptionAlgorithm(cinfo);	
-    if(algid == NULL)
-	return SECFailure;
-
-    if(poolp == NULL)
-	poolp = cinfo->poolp;
-
-    mark = PORT_ArenaMark(poolp);
-    
-    src = &cinfo->content.encryptedData->encContentInfo.encContent;
-    dest = &cinfo->content.encryptedData->encContentInfo.plainContent;
-    algtag = SECOID_GetAlgorithmTag(algid);
-    c_param.data = NULL;
-    dest->data = (unsigned char*)PORT_ArenaZAlloc(poolp, (src->len + 64));
-    dest->len = (src->len + 64);
-    if(dest->data == NULL) {
-	rv = SECFailure;
-	goto loser;
-    }
-
-    slot = PK11_GetInternalKeySlot();
-    if(slot == NULL) {
-	rv = SECFailure;
-	goto loser;
-    }
-    pbeMech.mechanism = PK11_AlgtagToMechanism(algtag);
-    result = PK11_ParamFromAlgid(algid);
-    if (result == NULL) {
-	rv = SECFailure;
-	goto loser;
-    }
-    pbeMech.pParameter = result->data;
-    pbeMech.ulParameterLen = result->len;
-    eKey = PK11_RawPBEKeyGen(slot,pbeMech.mechanism,result,key,PR_FALSE,wincx);
-    if(eKey == NULL) {
-	rv = SECFailure;
-	goto loser;
-    }
-
-    if(PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech, key,
-			PR_FALSE) != CKR_OK) {
-	rv = SECFailure;
-	goto loser;
-    }
-    c_param.data = (unsigned char *)cryptoMech.pParameter;
-    c_param.len = cryptoMech.ulParameterLen;
-
-    cx = PK11_CreateContextBySymKey(cryptoMech.mechanism, CKA_DECRYPT,
-		    		    eKey, &c_param);
-    if(cx == NULL) {
-	rv = SECFailure;
-	goto loser;
-    }
-
-    rv = PK11_CipherOp((PK11Context*)cx, dest->data, (int *)(&dest->len), 
-		       (int)(src->len + 64), src->data, (int)src->len);
-    PK11_DestroyContext((PK11Context *)cx, PR_TRUE);
-
-    bs = PK11_GetBlockSize(cryptoMech.mechanism, &c_param);
-    if(bs) {
-	/* check for proper badding in block algorithms.  this assumes
-	 * RC2 cbc or a DES cbc variant.  and the padding is thus defined
-	 */
-	if(((int)dest->data[dest->len-1] <= bs) && 
-	   ((int)dest->data[dest->len-1] > 0)) {
-	    dest->len -= (int)dest->data[dest->len-1];
-	} else {
-	    rv = SECFailure;
-	    /* set an error ? */
-	}
-    } 
-
-loser:
-    /* let success fall through */
-    if(result != NULL)
-	SECITEM_ZfreeItem(result, PR_TRUE);
-
-    if(rv == SECFailure)
-	PORT_ArenaRelease(poolp, mark);
-    else
-	PORT_ArenaUnmark(poolp, mark);
-
-    if(eKey != NULL)
-	PK11_FreeSymKey(eKey);
-
-    if(slot != NULL)
-	PK11_FreeSlot(slot);
-
-    if(c_param.data != NULL) 
-	SECITEM_ZfreeItem(&c_param, PR_FALSE);
-	
-    return rv;
-}
-
-SECItem **
-SEC_PKCS7GetCertificateList(SEC_PKCS7ContentInfo *cinfo)
-{
-    switch(SEC_PKCS7ContentType(cinfo))
-    {
-	case SEC_OID_PKCS7_SIGNED_DATA:
-	    return cinfo->content.signedData->rawCerts;
-	    break;
-	default:
-	    return NULL;
-	    break;
-    }
-}
-
-
-int
-SEC_PKCS7GetKeyLength(SEC_PKCS7ContentInfo *cinfo)
-{
-  if (cinfo->contentTypeTag->offset == SEC_OID_PKCS7_ENVELOPED_DATA)
-    return cinfo->content.envelopedData->encContentInfo.keysize;
-  else
-    return 0;
-}
-
diff --git a/security/nss/lib/pkcs7/p7create.c b/security/nss/lib/pkcs7/p7create.c
deleted file mode 100644
index f49871ca3..000000000
--- a/security/nss/lib/pkcs7/p7create.c
+++ /dev/null
@@ -1,1323 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * PKCS7 creation.
- *
- * $Id$
- */
-
-#include "p7local.h"
-
-#include "cert.h"
-#include "secasn1.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "prtime.h"
-#include "secerr.h"
-#include "secder.h"
-
-static SECStatus
-sec_pkcs7_init_content_info (SEC_PKCS7ContentInfo *cinfo, PRArenaPool *poolp,
-			     SECOidTag kind, PRBool detached)
-{
-    void *thing;
-    int version;
-    SECItem *versionp;
-    SECStatus rv;
-
-    PORT_Assert (cinfo != NULL && poolp != NULL);
-    if (cinfo == NULL || poolp == NULL)
-	return SECFailure;
-
-    cinfo->contentTypeTag = SECOID_FindOIDByTag (kind);
-    PORT_Assert (cinfo->contentTypeTag
-		 && cinfo->contentTypeTag->offset == kind);
-
-    rv = SECITEM_CopyItem (poolp, &(cinfo->contentType),
-			   &(cinfo->contentTypeTag->oid));
-    if (rv != SECSuccess)
-	return rv;
-
-    if (detached)
-	return SECSuccess;
-
-    switch (kind) {
-      default:
-      case SEC_OID_PKCS7_DATA:
-	thing = PORT_ArenaZAlloc (poolp, sizeof(SECItem));
-	cinfo->content.data = (SECItem*)thing;
-	versionp = NULL;
-	version = -1;
-	break;
-      case SEC_OID_PKCS7_DIGESTED_DATA:
-	thing = PORT_ArenaZAlloc (poolp, sizeof(SEC_PKCS7DigestedData));
-	cinfo->content.digestedData = (SEC_PKCS7DigestedData*)thing;
-	versionp = &(cinfo->content.digestedData->version);
-	version = SEC_PKCS7_DIGESTED_DATA_VERSION;
-	break;
-      case SEC_OID_PKCS7_ENCRYPTED_DATA:
-	thing = PORT_ArenaZAlloc (poolp, sizeof(SEC_PKCS7EncryptedData));
-	cinfo->content.encryptedData = (SEC_PKCS7EncryptedData*)thing;
-	versionp = &(cinfo->content.encryptedData->version);
-	version = SEC_PKCS7_ENCRYPTED_DATA_VERSION;
-	break;
-      case SEC_OID_PKCS7_ENVELOPED_DATA:
-	thing = PORT_ArenaZAlloc (poolp, sizeof(SEC_PKCS7EnvelopedData));
-	cinfo->content.envelopedData = 
-	  (SEC_PKCS7EnvelopedData*)thing;
-	versionp = &(cinfo->content.envelopedData->version);
-	version = SEC_PKCS7_ENVELOPED_DATA_VERSION;
-	break;
-      case SEC_OID_PKCS7_SIGNED_DATA:
-	thing = PORT_ArenaZAlloc (poolp, sizeof(SEC_PKCS7SignedData));
-	cinfo->content.signedData = 
-	  (SEC_PKCS7SignedData*)thing;
-	versionp = &(cinfo->content.signedData->version);
-	version = SEC_PKCS7_SIGNED_DATA_VERSION;
-	break;
-      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
-	thing = PORT_ArenaZAlloc(poolp,sizeof(SEC_PKCS7SignedAndEnvelopedData));
-	cinfo->content.signedAndEnvelopedData = 
-	  (SEC_PKCS7SignedAndEnvelopedData*)thing;
-	versionp = &(cinfo->content.signedAndEnvelopedData->version);
-	version = SEC_PKCS7_SIGNED_AND_ENVELOPED_DATA_VERSION;
-	break;
-    }
-
-    if (thing == NULL)
-	return SECFailure;
-
-    if (versionp != NULL) {
-	SECItem *dummy;
-
-	PORT_Assert (version >= 0);
-	dummy = SEC_ASN1EncodeInteger (poolp, versionp, version);
-	if (dummy == NULL)
-	    return SECFailure;
-	PORT_Assert (dummy == versionp);
-    }
-
-    return SECSuccess;
-}
-
-
-static SEC_PKCS7ContentInfo *
-sec_pkcs7_create_content_info (SECOidTag kind, PRBool detached,
-			       SECKEYGetPasswordKey pwfn, void *pwfn_arg)
-{
-    SEC_PKCS7ContentInfo *cinfo;
-    PRArenaPool *poolp;
-    SECStatus rv;
-
-    poolp = PORT_NewArena (1024);	/* XXX what is right value? */
-    if (poolp == NULL)
-	return NULL;
-
-    cinfo = (SEC_PKCS7ContentInfo*)PORT_ArenaZAlloc (poolp, sizeof(*cinfo));
-    if (cinfo == NULL) {
-	PORT_FreeArena (poolp, PR_FALSE);
-	return NULL;
-    }
-
-    cinfo->poolp = poolp;
-    cinfo->pwfn = pwfn;
-    cinfo->pwfn_arg = pwfn_arg;
-    cinfo->created = PR_TRUE;
-    cinfo->refCount = 1;
-
-    rv = sec_pkcs7_init_content_info (cinfo, poolp, kind, detached);
-    if (rv != SECSuccess) {
-	PORT_FreeArena (poolp, PR_FALSE);
-	return NULL;
-    }
-
-    return cinfo;
-}
-
-
-/*
- * Add a signer to a PKCS7 thing, verifying the signature cert first.
- * Any error returns SECFailure.
- *
- * XXX Right now this only adds the *first* signer.  It fails if you try
- * to add a second one -- this needs to be fixed.
- */
-static SECStatus
-sec_pkcs7_add_signer (SEC_PKCS7ContentInfo *cinfo,
-		      CERTCertificate *     cert,
-		      SECCertUsage          certusage,
-		      CERTCertDBHandle *    certdb,
-		      SECOidTag             digestalgtag,
-		      SECItem *             digestdata)
-{
-    SEC_PKCS7SignerInfo *signerinfo, **signerinfos, ***signerinfosp;
-    SECAlgorithmID      *digestalg,  **digestalgs,  ***digestalgsp;
-    SECItem             *digest,     **digests,     ***digestsp;
-    SECItem *            dummy;
-    void *               mark;
-    SECStatus            rv;
-    SECOidTag            kind;
-
-    kind = SEC_PKCS7ContentType (cinfo);
-    switch (kind) {
-      case SEC_OID_PKCS7_SIGNED_DATA:
-	{
-	    SEC_PKCS7SignedData *sdp;
-
-	    sdp = cinfo->content.signedData;
-	    digestalgsp = &(sdp->digestAlgorithms);
-	    digestsp = &(sdp->digests);
-	    signerinfosp = &(sdp->signerInfos);
-	}
-	break;
-      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
-	{
-	    SEC_PKCS7SignedAndEnvelopedData *saedp;
-
-	    saedp = cinfo->content.signedAndEnvelopedData;
-	    digestalgsp = &(saedp->digestAlgorithms);
-	    digestsp = &(saedp->digests);
-	    signerinfosp = &(saedp->signerInfos);
-	}
-	break;
-      default:
-	return SECFailure;		/* XXX set an error? */
-    }
-
-    /*
-     * XXX I think that CERT_VerifyCert should do this if *it* is passed
-     * a NULL database.
-     */
-    if (certdb == NULL) {
-	certdb = CERT_GetDefaultCertDB();
-	if (certdb == NULL)
-	    return SECFailure;		/* XXX set an error? */
-    }
-
-    if (CERT_VerifyCert (certdb, cert, PR_TRUE, certusage, PR_Now(),
-			 cinfo->pwfn_arg, NULL) != SECSuccess)
-	{
-	/* XXX Did CERT_VerifyCert set an error? */
-	return SECFailure;
-    }
-
-    /*
-     * XXX This is the check that we do not already have a signer.
-     * This is not what we really want -- we want to allow this
-     * and *add* the new signer.
-     */
-    PORT_Assert (*signerinfosp == NULL
-		 && *digestalgsp == NULL && *digestsp == NULL);
-    if (*signerinfosp != NULL || *digestalgsp != NULL || *digestsp != NULL)
-	return SECFailure;
-
-    mark = PORT_ArenaMark (cinfo->poolp);
-
-    signerinfo = (SEC_PKCS7SignerInfo*)PORT_ArenaZAlloc (cinfo->poolp, 
-						  sizeof(SEC_PKCS7SignerInfo));
-    if (signerinfo == NULL) {
-	PORT_ArenaRelease (cinfo->poolp, mark);
-	return SECFailure;
-    }
-
-    dummy = SEC_ASN1EncodeInteger (cinfo->poolp, &signerinfo->version,
-				   SEC_PKCS7_SIGNER_INFO_VERSION);
-    if (dummy == NULL) {
-	PORT_ArenaRelease (cinfo->poolp, mark);
-	return SECFailure;
-    }
-    PORT_Assert (dummy == &signerinfo->version);
-
-    signerinfo->cert = CERT_DupCertificate (cert);
-    if (signerinfo->cert == NULL) {
-	PORT_ArenaRelease (cinfo->poolp, mark);
-	return SECFailure;
-    }
-
-    signerinfo->issuerAndSN = CERT_GetCertIssuerAndSN (cinfo->poolp, cert);
-    if (signerinfo->issuerAndSN == NULL) {
-	PORT_ArenaRelease (cinfo->poolp, mark);
-	return SECFailure;
-    }
-
-    rv = SECOID_SetAlgorithmID (cinfo->poolp, &signerinfo->digestAlg,
-				digestalgtag, NULL);
-    if (rv != SECSuccess) {
-	PORT_ArenaRelease (cinfo->poolp, mark);
-	return SECFailure;
-    }
-
-    /*
-     * Okay, now signerinfo is all set.  We just need to put it and its
-     * companions (another copy of the digest algorithm, and the digest
-     * itself if given) into the main structure.
-     *
-     * XXX If we are handling more than one signer, the following code
-     * needs to look through the digest algorithms already specified
-     * and see if the same one is there already.  If it is, it does not
-     * need to be added again.  Also, if it is there *and* the digest
-     * is not null, then the digest given should match the digest already
-     * specified -- if not, that is an error.  Finally, the new signerinfo
-     * should be *added* to the set already found.
-     */
-
-    signerinfos = (SEC_PKCS7SignerInfo**)PORT_ArenaAlloc (cinfo->poolp,
-				   2 * sizeof(SEC_PKCS7SignerInfo *));
-    if (signerinfos == NULL) {
-	PORT_ArenaRelease (cinfo->poolp, mark);
-	return SECFailure;
-    }
-    signerinfos[0] = signerinfo;
-    signerinfos[1] = NULL;
-
-    digestalg = PORT_ArenaZAlloc (cinfo->poolp, sizeof(SECAlgorithmID));
-    digestalgs = PORT_ArenaAlloc (cinfo->poolp, 2 * sizeof(SECAlgorithmID *));
-    if (digestalg == NULL || digestalgs == NULL) {
-	PORT_ArenaRelease (cinfo->poolp, mark);
-	return SECFailure;
-    }
-    rv = SECOID_SetAlgorithmID (cinfo->poolp, digestalg, digestalgtag, NULL);
-    if (rv != SECSuccess) {
-	PORT_ArenaRelease (cinfo->poolp, mark);
-	return SECFailure;
-    }
-    digestalgs[0] = digestalg;
-    digestalgs[1] = NULL;
-
-    if (digestdata != NULL) {
-	digest = (SECItem*)PORT_ArenaAlloc (cinfo->poolp, sizeof(SECItem));
-	digests = (SECItem**)PORT_ArenaAlloc (cinfo->poolp, 
-					      2 * sizeof(SECItem *));
-	if (digest == NULL || digests == NULL) {
-	    PORT_ArenaRelease (cinfo->poolp, mark);
-	    return SECFailure;
-	}
-	rv = SECITEM_CopyItem (cinfo->poolp, digest, digestdata);
-	if (rv != SECSuccess) {
-	    PORT_ArenaRelease (cinfo->poolp, mark);
-	    return SECFailure;
-	}
-	digests[0] = digest;
-	digests[1] = NULL;
-    } else {
-	digests = NULL;
-    }
-
-    *signerinfosp = signerinfos;
-    *digestalgsp = digestalgs;
-    *digestsp = digests;
-
-    PORT_ArenaUnmark(cinfo->poolp, mark);
-    return SECSuccess;
-}
-
-
-/*
- * Helper function for creating an empty signedData.
- */
-static SEC_PKCS7ContentInfo *
-sec_pkcs7_create_signed_data (SECKEYGetPasswordKey pwfn, void *pwfn_arg)
-{
-    SEC_PKCS7ContentInfo *cinfo;
-    SEC_PKCS7SignedData *sigd;
-    SECStatus rv;
-
-    cinfo = sec_pkcs7_create_content_info (SEC_OID_PKCS7_SIGNED_DATA, PR_FALSE,
-					   pwfn, pwfn_arg);
-    if (cinfo == NULL)
-	return NULL;
-
-    sigd = cinfo->content.signedData;
-    PORT_Assert (sigd != NULL);
-
-    /*
-     * XXX Might we want to allow content types other than data?
-     * If so, via what interface?
-     */
-    rv = sec_pkcs7_init_content_info (&(sigd->contentInfo), cinfo->poolp,
-				      SEC_OID_PKCS7_DATA, PR_TRUE);
-    if (rv != SECSuccess) {
-	SEC_PKCS7DestroyContentInfo (cinfo);
-	return NULL;
-    }
-
-    return cinfo;
-}
-
-
-/*
- * Start a PKCS7 signing context.
- *
- * "cert" is the cert that will be used to sign the data.  It will be
- * checked for validity.
- *
- * "certusage" describes the signing usage (e.g. certUsageEmailSigner)
- * XXX Maybe SECCertUsage should be split so that our caller just says
- * "email" and *we* add the "signing" part -- otherwise our caller
- * could be lying about the usage; we do not want to allow encryption
- * certs for signing or vice versa.
- *
- * "certdb" is the cert database to use for verifying the cert.
- * It can be NULL if a default database is available (like in the client).
- * 
- * "digestalg" names the digest algorithm (e.g. SEC_OID_SHA1).
- *
- * "digest" is the actual digest of the data.  It must be provided in
- * the case of detached data or NULL if the content will be included.
- *
- * The return value can be passed to functions which add things to
- * it like attributes, then eventually to SEC_PKCS7Encode() or to
- * SEC_PKCS7EncoderStart() to create the encoded data, and finally to
- * SEC_PKCS7DestroyContentInfo().
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-SEC_PKCS7ContentInfo *
-SEC_PKCS7CreateSignedData (CERTCertificate *cert,
-			   SECCertUsage certusage,
-			   CERTCertDBHandle *certdb,
-			   SECOidTag digestalg,
-			   SECItem *digest,
- 			   SECKEYGetPasswordKey pwfn, void *pwfn_arg)
-{
-    SEC_PKCS7ContentInfo *cinfo;
-    SECStatus rv;
-
-    cinfo = sec_pkcs7_create_signed_data (pwfn, pwfn_arg);
-    if (cinfo == NULL)
-	return NULL;
-
-    rv = sec_pkcs7_add_signer (cinfo, cert, certusage, certdb,
-			       digestalg, digest);
-    if (rv != SECSuccess) {
-	SEC_PKCS7DestroyContentInfo (cinfo);
-	return NULL;
-    }
-
-    return cinfo;
-}
-
-
-static SEC_PKCS7Attribute *
-sec_pkcs7_create_attribute (PRArenaPool *poolp, SECOidTag oidtag,
-			    SECItem *value, PRBool encoded)
-{
-    SEC_PKCS7Attribute *attr;
-    SECItem **values;
-    void *mark;
-
-    PORT_Assert (poolp != NULL);
-    mark = PORT_ArenaMark (poolp);
-
-    attr = (SEC_PKCS7Attribute*)PORT_ArenaAlloc (poolp, 
-						 sizeof(SEC_PKCS7Attribute));
-    if (attr == NULL)
-	goto loser;
-
-    attr->typeTag = SECOID_FindOIDByTag (oidtag);
-    if (attr->typeTag == NULL)
-	goto loser;
-
-    if (SECITEM_CopyItem (poolp, &(attr->type),
-			  &(attr->typeTag->oid)) != SECSuccess)
-	goto loser;
-
-    values = (SECItem**)PORT_ArenaAlloc (poolp, 2 * sizeof(SECItem *));
-    if (values == NULL)
-	goto loser;
-
-    if (value != NULL) {
-	SECItem *copy;
-
-	copy = (SECItem*)PORT_ArenaAlloc (poolp, sizeof(SECItem));
-	if (copy == NULL)
-	    goto loser;
-
-	if (SECITEM_CopyItem (poolp, copy, value) != SECSuccess)
-	    goto loser;
-
-	value = copy;
-    }
-
-    values[0] = value;
-    values[1] = NULL;
-    attr->values = values;
-    attr->encoded = encoded;
-
-    PORT_ArenaUnmark (poolp, mark);
-    return attr;
-
-loser:
-    PORT_Assert (mark != NULL);
-    PORT_ArenaRelease (poolp, mark);
-    return NULL;
-}
-
-
-static SECStatus
-sec_pkcs7_add_attribute (SEC_PKCS7ContentInfo *cinfo,
-			 SEC_PKCS7Attribute ***attrsp,
-			 SEC_PKCS7Attribute *attr)
-{
-    SEC_PKCS7Attribute **attrs;
-    SECItem *ct_value;
-    void *mark;
-
-    PORT_Assert (SEC_PKCS7ContentType (cinfo) == SEC_OID_PKCS7_SIGNED_DATA);
-    if (SEC_PKCS7ContentType (cinfo) != SEC_OID_PKCS7_SIGNED_DATA)
-	return SECFailure;
-
-    attrs = *attrsp;
-    if (attrs != NULL) {
-	int count;
-
-	/*
-	 * We already have some attributes, and just need to add this
-	 * new one.
-	 */
-
-	/*
-	 * We should already have the *required* attributes, which were
-	 * created/added at the same time the first attribute was added.
-	 */
-	PORT_Assert (sec_PKCS7FindAttribute (attrs,
-					     SEC_OID_PKCS9_CONTENT_TYPE,
-					     PR_FALSE) != NULL);
-	PORT_Assert (sec_PKCS7FindAttribute (attrs,
-					     SEC_OID_PKCS9_MESSAGE_DIGEST,
-					     PR_FALSE) != NULL);
-
-	for (count = 0; attrs[count] != NULL; count++)
-	    ;
-	attrs = (SEC_PKCS7Attribute**)PORT_ArenaGrow (cinfo->poolp, attrs,
-				(count + 1) * sizeof(SEC_PKCS7Attribute *),
-				(count + 2) * sizeof(SEC_PKCS7Attribute *));
-	if (attrs == NULL)
-	    return SECFailure;
-
-	attrs[count] = attr;
-	attrs[count+1] = NULL;
-	*attrsp = attrs;
-
-	return SECSuccess;
-    }
-
-    /*
-     * This is the first time an attribute is going in.
-     * We need to create and add the required attributes, and then
-     * we will also add in the one our caller gave us.
-     */
-
-    /*
-     * There are 2 required attributes, plus the one our caller wants
-     * to add, plus we always end with a NULL one.  Thus, four slots.
-     */
-    attrs = (SEC_PKCS7Attribute**)PORT_ArenaAlloc (cinfo->poolp, 
-					   4 * sizeof(SEC_PKCS7Attribute *));
-    if (attrs == NULL)
-	return SECFailure;
-
-    mark = PORT_ArenaMark (cinfo->poolp);
-
-    /*
-     * First required attribute is the content type of the data
-     * being signed.
-     */
-    ct_value = &(cinfo->content.signedData->contentInfo.contentType);
-    attrs[0] = sec_pkcs7_create_attribute (cinfo->poolp,
-					   SEC_OID_PKCS9_CONTENT_TYPE,
-					   ct_value, PR_FALSE);
-    /*
-     * Second required attribute is the message digest of the data
-     * being signed; we leave the value NULL for now (just create
-     * the place for it to go), and the encoder will fill it in later.
-     */
-    attrs[1] = sec_pkcs7_create_attribute (cinfo->poolp,
-					   SEC_OID_PKCS9_MESSAGE_DIGEST,
-					   NULL, PR_FALSE);
-    if (attrs[0] == NULL || attrs[1] == NULL) {
-	PORT_ArenaRelease (cinfo->poolp, mark);
-	return SECFailure; 
-    }
-
-    attrs[2] = attr;
-    attrs[3] = NULL;
-    *attrsp = attrs;
-
-    PORT_ArenaUnmark (cinfo->poolp, mark);
-    return SECSuccess;
-}
-
-
-/*
- * Add the signing time to the authenticated (i.e. signed) attributes
- * of "cinfo".  This is expected to be included in outgoing signed
- * messages for email (S/MIME) but is likely useful in other situations.
- *
- * This should only be added once; a second call will either do
- * nothing or replace an old signing time with a newer one.
- *
- * XXX This will probably just shove the current time into "cinfo"
- * but it will not actually get signed until the entire item is
- * processed for encoding.  Is this (expected to be small) delay okay?
- *
- * "cinfo" should be of type signedData (the only kind of pkcs7 data
- * that is allowed authenticated attributes); SECFailure will be returned
- * if it is not.
- */
-SECStatus
-SEC_PKCS7AddSigningTime (SEC_PKCS7ContentInfo *cinfo)
-{
-    SEC_PKCS7SignerInfo **signerinfos;
-    SEC_PKCS7Attribute *attr;
-    SECItem stime;
-    SECStatus rv;
-    int si;
-
-    PORT_Assert (SEC_PKCS7ContentType (cinfo) == SEC_OID_PKCS7_SIGNED_DATA);
-    if (SEC_PKCS7ContentType (cinfo) != SEC_OID_PKCS7_SIGNED_DATA)
-	return SECFailure;
-
-    signerinfos = cinfo->content.signedData->signerInfos;
-
-    /* There has to be a signer, or it makes no sense. */
-    if (signerinfos == NULL || signerinfos[0] == NULL)
-	return SECFailure;
-
-    rv = DER_EncodeTimeChoice(NULL, &stime, PR_Now());
-    if (rv != SECSuccess)
-	return rv;
-
-    attr = sec_pkcs7_create_attribute (cinfo->poolp,
-				       SEC_OID_PKCS9_SIGNING_TIME,
-				       &stime, PR_FALSE);
-    SECITEM_FreeItem (&stime, PR_FALSE);
-
-    if (attr == NULL)
-	return SECFailure;
-
-    rv = SECSuccess;
-    for (si = 0; signerinfos[si] != NULL; si++) {
-	SEC_PKCS7Attribute *oattr;
-
-	oattr = sec_PKCS7FindAttribute (signerinfos[si]->authAttr,
-					SEC_OID_PKCS9_SIGNING_TIME, PR_FALSE);
-	PORT_Assert (oattr == NULL);
-	if (oattr != NULL)
-	    continue;	/* XXX or would it be better to replace it? */
-
-	rv = sec_pkcs7_add_attribute (cinfo, &(signerinfos[si]->authAttr),
-				      attr);
-	if (rv != SECSuccess)
-	    break;	/* could try to continue, but may as well give up now */
-    }
-
-    return rv;
-}
-
-
-/*
- * Add the specified attribute to the authenticated (i.e. signed) attributes
- * of "cinfo" -- "oidtag" describes the attribute and "value" is the
- * value to be associated with it.  NOTE! "value" must already be encoded;
- * no interpretation of "oidtag" is done.  Also, it is assumed that this
- * signedData has only one signer -- if we ever need to add attributes
- * when there is more than one signature, we need a way to specify *which*
- * signature should get the attribute.
- *
- * XXX Technically, a signed attribute can have multiple values; if/when
- * we ever need to support an attribute which takes multiple values, we
- * either need to change this interface or create an AddSignedAttributeValue
- * which can be called subsequently, and would then append a value.
- *
- * "cinfo" should be of type signedData (the only kind of pkcs7 data
- * that is allowed authenticated attributes); SECFailure will be returned
- * if it is not.
- */
-SECStatus
-SEC_PKCS7AddSignedAttribute (SEC_PKCS7ContentInfo *cinfo,
-			     SECOidTag oidtag,
-			     SECItem *value)
-{
-    SEC_PKCS7SignerInfo **signerinfos;
-    SEC_PKCS7Attribute *attr;
-
-    PORT_Assert (SEC_PKCS7ContentType (cinfo) == SEC_OID_PKCS7_SIGNED_DATA);
-    if (SEC_PKCS7ContentType (cinfo) != SEC_OID_PKCS7_SIGNED_DATA)
-	return SECFailure;
-
-    signerinfos = cinfo->content.signedData->signerInfos;
-
-    /*
-     * No signature or more than one means no deal.
-     */
-    if (signerinfos == NULL || signerinfos[0] == NULL || signerinfos[1] != NULL)
-	return SECFailure;
-
-    attr = sec_pkcs7_create_attribute (cinfo->poolp, oidtag, value, PR_TRUE);
-    if (attr == NULL)
-	return SECFailure;
-
-    return sec_pkcs7_add_attribute (cinfo, &(signerinfos[0]->authAttr), attr);
-}
- 
-
-/*
- * Mark that the signer certificates and their issuing chain should
- * be included in the encoded data.  This is expected to be used
- * in outgoing signed messages for email (S/MIME).
- *
- * "certdb" is the cert database to use for finding the chain.
- * It can be NULL, meaning use the default database.
- *
- * "cinfo" should be of type signedData or signedAndEnvelopedData;
- * SECFailure will be returned if it is not.
- */
-SECStatus
-SEC_PKCS7IncludeCertChain (SEC_PKCS7ContentInfo *cinfo,
-			   CERTCertDBHandle *certdb)
-{
-    SECOidTag kind;
-    SEC_PKCS7SignerInfo *signerinfo, **signerinfos;
-
-    kind = SEC_PKCS7ContentType (cinfo);
-    switch (kind) {
-      case SEC_OID_PKCS7_SIGNED_DATA:
-	signerinfos = cinfo->content.signedData->signerInfos;
-	break;
-      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
-	signerinfos = cinfo->content.signedAndEnvelopedData->signerInfos;
-	break;
-      default:
-	return SECFailure;		/* XXX set an error? */
-    }
-
-    if (signerinfos == NULL)		/* no signer, no certs? */
-	return SECFailure;		/* XXX set an error? */
-
-    if (certdb == NULL) {
-	certdb = CERT_GetDefaultCertDB();
-	if (certdb == NULL) {
-	    PORT_SetError (SEC_ERROR_BAD_DATABASE);
-	    return SECFailure;
-	}
-    }
-
-    /* XXX Should it be an error if we find no signerinfo or no certs? */
-    while ((signerinfo = *signerinfos++) != NULL) {
-	if (signerinfo->cert != NULL)
-	    /* get the cert chain.  don't send the root to avoid contamination
-	     * of old clients with a new root that they don't trust
-	     */
-	    signerinfo->certList = CERT_CertChainFromCert (signerinfo->cert,
-							   certUsageEmailSigner,
-							   PR_FALSE);
-    }
-
-    return SECSuccess;
-}
-
-
-/*
- * Helper function to add a certificate chain for inclusion in the
- * bag of certificates in a signedData.
- */
-static SECStatus
-sec_pkcs7_add_cert_chain (SEC_PKCS7ContentInfo *cinfo,
-			  CERTCertificate *cert,
-			  CERTCertDBHandle *certdb)
-{
-    SECOidTag kind;
-    CERTCertificateList *certlist, **certlists, ***certlistsp;
-    int count;
-
-    kind = SEC_PKCS7ContentType (cinfo);
-    switch (kind) {
-      case SEC_OID_PKCS7_SIGNED_DATA:
-	{
-	    SEC_PKCS7SignedData *sdp;
-
-	    sdp = cinfo->content.signedData;
-	    certlistsp = &(sdp->certLists);
-	}
-	break;
-      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
-	{
-	    SEC_PKCS7SignedAndEnvelopedData *saedp;
-
-	    saedp = cinfo->content.signedAndEnvelopedData;
-	    certlistsp = &(saedp->certLists);
-	}
-	break;
-      default:
-	return SECFailure;		/* XXX set an error? */
-    }
-
-    if (certdb == NULL) {
-	certdb = CERT_GetDefaultCertDB();
-	if (certdb == NULL) {
-	    PORT_SetError (SEC_ERROR_BAD_DATABASE);
-	    return SECFailure;
-	}
-    }
-
-    certlist = CERT_CertChainFromCert (cert, certUsageEmailSigner, PR_FALSE);
-    if (certlist == NULL)
-	return SECFailure;
-
-    certlists = *certlistsp;
-    if (certlists == NULL) {
-	count = 0;
-	certlists = (CERTCertificateList**)PORT_ArenaAlloc (cinfo->poolp,
-				     2 * sizeof(CERTCertificateList *));
-    } else {
-	for (count = 0; certlists[count] != NULL; count++)
-	    ;
-	PORT_Assert (count);	/* should be at least one already */
-	certlists = (CERTCertificateList**)PORT_ArenaGrow (cinfo->poolp, 
-				 certlists,
-				(count + 1) * sizeof(CERTCertificateList *),
-				(count + 2) * sizeof(CERTCertificateList *));
-    }
-
-    if (certlists == NULL) {
-	CERT_DestroyCertificateList (certlist);
-	return SECFailure;
-    }
-
-    certlists[count] = certlist;
-    certlists[count + 1] = NULL;
-
-    *certlistsp = certlists;
-
-    return SECSuccess;
-}
-
-
-/*
- * Helper function to add a certificate for inclusion in the bag of
- * certificates in a signedData.
- */
-static SECStatus
-sec_pkcs7_add_certificate (SEC_PKCS7ContentInfo *cinfo,
-			   CERTCertificate *cert)
-{
-    SECOidTag kind;
-    CERTCertificate **certs, ***certsp;
-    int count;
-
-    kind = SEC_PKCS7ContentType (cinfo);
-    switch (kind) {
-      case SEC_OID_PKCS7_SIGNED_DATA:
-	{
-	    SEC_PKCS7SignedData *sdp;
-
-	    sdp = cinfo->content.signedData;
-	    certsp = &(sdp->certs);
-	}
-	break;
-      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
-	{
-	    SEC_PKCS7SignedAndEnvelopedData *saedp;
-
-	    saedp = cinfo->content.signedAndEnvelopedData;
-	    certsp = &(saedp->certs);
-	}
-	break;
-      default:
-	return SECFailure;		/* XXX set an error? */
-    }
-
-    cert = CERT_DupCertificate (cert);
-    if (cert == NULL)
-	return SECFailure;
-
-    certs = *certsp;
-    if (certs == NULL) {
-	count = 0;
-	certs = (CERTCertificate**)PORT_ArenaAlloc (cinfo->poolp, 
-					      2 * sizeof(CERTCertificate *));
-    } else {
-	for (count = 0; certs[count] != NULL; count++)
-	    ;
-	PORT_Assert (count);	/* should be at least one already */
-	certs = (CERTCertificate**)PORT_ArenaGrow (cinfo->poolp, certs,
-				(count + 1) * sizeof(CERTCertificate *),
-				(count + 2) * sizeof(CERTCertificate *));
-    }
-
-    if (certs == NULL) {
-	CERT_DestroyCertificate (cert);
-	return SECFailure;
-    }
-
-    certs[count] = cert;
-    certs[count + 1] = NULL;
-
-    *certsp = certs;
-
-    return SECSuccess;
-}
-
-
-/*
- * Create a PKCS7 certs-only container.
- *
- * "cert" is the (first) cert that will be included.
- *
- * "include_chain" specifies whether the entire chain for "cert" should
- * be included.
- *
- * "certdb" is the cert database to use for finding the chain.
- * It can be NULL in when "include_chain" is false, or when meaning
- * use the default database.
- *
- * More certs and chains can be added via AddCertificate and AddCertChain.
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-SEC_PKCS7ContentInfo *
-SEC_PKCS7CreateCertsOnly (CERTCertificate *cert,
-			  PRBool include_chain,
-			  CERTCertDBHandle *certdb)
-{
-    SEC_PKCS7ContentInfo *cinfo;
-    SECStatus rv;
-
-    cinfo = sec_pkcs7_create_signed_data (NULL, NULL);
-    if (cinfo == NULL)
-	return NULL;
-
-    if (include_chain)
-	rv = sec_pkcs7_add_cert_chain (cinfo, cert, certdb);
-    else
-	rv = sec_pkcs7_add_certificate (cinfo, cert);
-
-    if (rv != SECSuccess) {
-	SEC_PKCS7DestroyContentInfo (cinfo);
-	return NULL;
-    }
-
-    return cinfo;
-}
-
-
-/*
- * Add "cert" and its entire chain to the set of certs included in "cinfo".
- *
- * "certdb" is the cert database to use for finding the chain.
- * It can be NULL, meaning use the default database.
- *
- * "cinfo" should be of type signedData or signedAndEnvelopedData;
- * SECFailure will be returned if it is not.
- */
-SECStatus
-SEC_PKCS7AddCertChain (SEC_PKCS7ContentInfo *cinfo,
-		       CERTCertificate *cert,
-		       CERTCertDBHandle *certdb)
-{
-    SECOidTag kind;
-
-    kind = SEC_PKCS7ContentType (cinfo);
-    if (kind != SEC_OID_PKCS7_SIGNED_DATA
-	&& kind != SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA)
-	return SECFailure;		/* XXX set an error? */
-
-    return sec_pkcs7_add_cert_chain (cinfo, cert, certdb);
-}
-
-
-/*
- * Add "cert" to the set of certs included in "cinfo".
- *
- * "cinfo" should be of type signedData or signedAndEnvelopedData;
- * SECFailure will be returned if it is not.
- */
-SECStatus
-SEC_PKCS7AddCertificate (SEC_PKCS7ContentInfo *cinfo, CERTCertificate *cert)
-{
-    SECOidTag kind;
-
-    kind = SEC_PKCS7ContentType (cinfo);
-    if (kind != SEC_OID_PKCS7_SIGNED_DATA
-	&& kind != SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA)
-	return SECFailure;		/* XXX set an error? */
-
-    return sec_pkcs7_add_certificate (cinfo, cert);
-}
-
-
-static SECStatus
-sec_pkcs7_init_encrypted_content_info (SEC_PKCS7EncryptedContentInfo *enccinfo,
-				       PRArenaPool *poolp,
-				       SECOidTag kind, PRBool detached,
-				       SECOidTag encalg, int keysize)
-{
-    SECStatus rv;
-
-    PORT_Assert (enccinfo != NULL && poolp != NULL);
-    if (enccinfo == NULL || poolp == NULL)
-	return SECFailure;
-
-    /*
-     * XXX Some day we may want to allow for other kinds.  That needs
-     * more work and modifications to the creation interface, etc.
-     * For now, allow but notice callers who pass in other kinds.
-     * They are responsible for creating the inner type and encoding,
-     * if it is other than DATA.
-     */
-    PORT_Assert (kind == SEC_OID_PKCS7_DATA);
-
-    enccinfo->contentTypeTag = SECOID_FindOIDByTag (kind);
-    PORT_Assert (enccinfo->contentTypeTag
-	       && enccinfo->contentTypeTag->offset == kind);
-
-    rv = SECITEM_CopyItem (poolp, &(enccinfo->contentType),
-			   &(enccinfo->contentTypeTag->oid));
-    if (rv != SECSuccess)
-	return rv;
-
-    /* Save keysize and algorithm for later. */
-    enccinfo->keysize = keysize;
-    enccinfo->encalg = encalg;
-
-    return SECSuccess;
-}
-
-
-/*
- * Add a recipient to a PKCS7 thing, verifying their cert first.
- * Any error returns SECFailure.
- */
-static SECStatus
-sec_pkcs7_add_recipient (SEC_PKCS7ContentInfo *cinfo,
-			 CERTCertificate *cert,
-			 SECCertUsage certusage,
-			 CERTCertDBHandle *certdb)
-{
-    SECOidTag kind;
-    SEC_PKCS7RecipientInfo *recipientinfo, **recipientinfos, ***recipientinfosp;
-    SECItem *dummy;
-    void *mark;
-    int count;
-
-    kind = SEC_PKCS7ContentType (cinfo);
-    switch (kind) {
-      case SEC_OID_PKCS7_ENVELOPED_DATA:
-	{
-	    SEC_PKCS7EnvelopedData *edp;
-
-	    edp = cinfo->content.envelopedData;
-	    recipientinfosp = &(edp->recipientInfos);
-	}
-	break;
-      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
-	{
-	    SEC_PKCS7SignedAndEnvelopedData *saedp;
-
-	    saedp = cinfo->content.signedAndEnvelopedData;
-	    recipientinfosp = &(saedp->recipientInfos);
-	}
-	break;
-      default:
-	return SECFailure;		/* XXX set an error? */
-    }
-
-    /*
-     * XXX I think that CERT_VerifyCert should do this if *it* is passed
-     * a NULL database.
-     */
-    if (certdb == NULL) {
-	certdb = CERT_GetDefaultCertDB();
-	if (certdb == NULL)
-	    return SECFailure;		/* XXX set an error? */
-    }
-
-    if (CERT_VerifyCert (certdb, cert, PR_TRUE, certusage, PR_Now(),
-			 cinfo->pwfn_arg, NULL) != SECSuccess)
-	{
-	/* XXX Did CERT_VerifyCert set an error? */
-	return SECFailure;
-    }
-
-    mark = PORT_ArenaMark (cinfo->poolp);
-
-    recipientinfo = (SEC_PKCS7RecipientInfo*)PORT_ArenaZAlloc (cinfo->poolp,
-				      sizeof(SEC_PKCS7RecipientInfo));
-    if (recipientinfo == NULL) {
-	PORT_ArenaRelease (cinfo->poolp, mark);
-	return SECFailure;
-    }
-
-    dummy = SEC_ASN1EncodeInteger (cinfo->poolp, &recipientinfo->version,
-				   SEC_PKCS7_RECIPIENT_INFO_VERSION);
-    if (dummy == NULL) {
-	PORT_ArenaRelease (cinfo->poolp, mark);
-	return SECFailure;
-    }
-    PORT_Assert (dummy == &recipientinfo->version);
-
-    recipientinfo->cert = CERT_DupCertificate (cert);
-    if (recipientinfo->cert == NULL) {
-	PORT_ArenaRelease (cinfo->poolp, mark);
-	return SECFailure;
-    }
-
-    recipientinfo->issuerAndSN = CERT_GetCertIssuerAndSN (cinfo->poolp, cert);
-    if (recipientinfo->issuerAndSN == NULL) {
-	PORT_ArenaRelease (cinfo->poolp, mark);
-	return SECFailure;
-    }
-
-    /*
-     * Okay, now recipientinfo is all set.  We just need to put it into
-     * the main structure.
-     *
-     * If this is the first recipient, allocate a new recipientinfos array;
-     * otherwise, reallocate the array, making room for the new entry.
-     */
-    recipientinfos = *recipientinfosp;
-    if (recipientinfos == NULL) {
-	count = 0;
-	recipientinfos = (SEC_PKCS7RecipientInfo **)PORT_ArenaAlloc (
-					  cinfo->poolp,
-					  2 * sizeof(SEC_PKCS7RecipientInfo *));
-    } else {
-	for (count = 0; recipientinfos[count] != NULL; count++)
-	    ;
-	PORT_Assert (count);	/* should be at least one already */
-	recipientinfos = (SEC_PKCS7RecipientInfo **)PORT_ArenaGrow (
-				 cinfo->poolp, recipientinfos,
-				(count + 1) * sizeof(SEC_PKCS7RecipientInfo *),
-				(count + 2) * sizeof(SEC_PKCS7RecipientInfo *));
-    }
-
-    if (recipientinfos == NULL) {
-	PORT_ArenaRelease (cinfo->poolp, mark);
-	return SECFailure;
-    }
-
-    recipientinfos[count] = recipientinfo;
-    recipientinfos[count + 1] = NULL;
-
-    *recipientinfosp = recipientinfos;
-
-    PORT_ArenaUnmark (cinfo->poolp, mark);
-    return SECSuccess;
-}
-
-
-/*
- * Start a PKCS7 enveloping context.
- *
- * "cert" is the cert for the recipient.  It will be checked for validity.
- *
- * "certusage" describes the encryption usage (e.g. certUsageEmailRecipient)
- * XXX Maybe SECCertUsage should be split so that our caller just says
- * "email" and *we* add the "recipient" part -- otherwise our caller
- * could be lying about the usage; we do not want to allow encryption
- * certs for signing or vice versa.
- *
- * "certdb" is the cert database to use for verifying the cert.
- * It can be NULL if a default database is available (like in the client).
- *
- * "encalg" specifies the bulk encryption algorithm to use (e.g. SEC_OID_RC2).
- *
- * "keysize" specifies the bulk encryption key size, in bits.
- *
- * The return value can be passed to functions which add things to
- * it like more recipients, then eventually to SEC_PKCS7Encode() or to
- * SEC_PKCS7EncoderStart() to create the encoded data, and finally to
- * SEC_PKCS7DestroyContentInfo().
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-extern SEC_PKCS7ContentInfo *
-SEC_PKCS7CreateEnvelopedData (CERTCertificate *cert,
-			      SECCertUsage certusage,
-			      CERTCertDBHandle *certdb,
-			      SECOidTag encalg,
-			      int keysize,
- 			      SECKEYGetPasswordKey pwfn, void *pwfn_arg)
-{
-    SEC_PKCS7ContentInfo *cinfo;
-    SEC_PKCS7EnvelopedData *envd;
-    SECStatus rv;
-
-    cinfo = sec_pkcs7_create_content_info (SEC_OID_PKCS7_ENVELOPED_DATA,
-					   PR_FALSE, pwfn, pwfn_arg);
-    if (cinfo == NULL)
-	return NULL;
-
-    rv = sec_pkcs7_add_recipient (cinfo, cert, certusage, certdb);
-    if (rv != SECSuccess) {
-	SEC_PKCS7DestroyContentInfo (cinfo);
-	return NULL;
-    }
-
-    envd = cinfo->content.envelopedData;
-    PORT_Assert (envd != NULL);
-
-    /*
-     * XXX Might we want to allow content types other than data?
-     * If so, via what interface?
-     */
-    rv = sec_pkcs7_init_encrypted_content_info (&(envd->encContentInfo),
-						cinfo->poolp,
-						SEC_OID_PKCS7_DATA, PR_FALSE,
-						encalg, keysize);
-    if (rv != SECSuccess) {
-	SEC_PKCS7DestroyContentInfo (cinfo);
-	return NULL;
-    }
-
-    /* XXX Anything more to do here? */
-
-    return cinfo;
-}
-
-
-/*
- * Add another recipient to an encrypted message.
- *
- * "cinfo" should be of type envelopedData or signedAndEnvelopedData;
- * SECFailure will be returned if it is not.
- *
- * "cert" is the cert for the recipient.  It will be checked for validity.
- *
- * "certusage" describes the encryption usage (e.g. certUsageEmailRecipient)
- * XXX Maybe SECCertUsage should be split so that our caller just says
- * "email" and *we* add the "recipient" part -- otherwise our caller
- * could be lying about the usage; we do not want to allow encryption
- * certs for signing or vice versa.
- *
- * "certdb" is the cert database to use for verifying the cert.
- * It can be NULL if a default database is available (like in the client).
- */
-SECStatus
-SEC_PKCS7AddRecipient (SEC_PKCS7ContentInfo *cinfo,
-		       CERTCertificate *cert,
-		       SECCertUsage certusage,
-		       CERTCertDBHandle *certdb)
-{
-    return sec_pkcs7_add_recipient (cinfo, cert, certusage, certdb);
-}
-
-
-/*
- * Create an empty PKCS7 data content info.
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-SEC_PKCS7ContentInfo *
-SEC_PKCS7CreateData (void)
-{
-    return sec_pkcs7_create_content_info (SEC_OID_PKCS7_DATA, PR_FALSE,
-					  NULL, NULL);
-}
-
-
-/*
- * Create an empty PKCS7 encrypted content info.
- *
- * "algorithm" specifies the bulk encryption algorithm to use.
- * 
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-SEC_PKCS7ContentInfo *
-SEC_PKCS7CreateEncryptedData (SECOidTag algorithm, int keysize,
-			      SECKEYGetPasswordKey pwfn, void *pwfn_arg)
-{
-    SEC_PKCS7ContentInfo *cinfo;
-    SECAlgorithmID *algid;
-    SEC_PKCS7EncryptedData *enc_data;
-    SECStatus rv;
-
-    cinfo = sec_pkcs7_create_content_info (SEC_OID_PKCS7_ENCRYPTED_DATA, 
-					   PR_FALSE, pwfn, pwfn_arg);
-    if (cinfo == NULL)
-	return NULL;
-
-    enc_data = cinfo->content.encryptedData;
-    algid = &(enc_data->encContentInfo.contentEncAlg);
-
-    switch (algorithm) {
-      case SEC_OID_RC2_CBC:
-      case SEC_OID_DES_EDE3_CBC:
-      case SEC_OID_DES_CBC:
-	rv = SECOID_SetAlgorithmID (cinfo->poolp, algid, algorithm, NULL);
-	break;
-      default:
-	{
-	    /*
-	     * Assume password-based-encryption.  At least, try that.
-	     */
-	    SECAlgorithmID *pbe_algid;
-	    pbe_algid = PK11_CreatePBEAlgorithmID (algorithm, 1, NULL);
-	    if (pbe_algid == NULL) {
-		rv = SECFailure;
-	    } else {
-		rv = SECOID_CopyAlgorithmID (cinfo->poolp, algid, pbe_algid);
-		SECOID_DestroyAlgorithmID (pbe_algid, PR_TRUE);
-	    }
-	}
-	break;
-    }
-
-    if (rv != SECSuccess) {
-	SEC_PKCS7DestroyContentInfo (cinfo);
-	return NULL;
-    }
-
-    rv = sec_pkcs7_init_encrypted_content_info (&(enc_data->encContentInfo),
-						cinfo->poolp,
-						SEC_OID_PKCS7_DATA, PR_FALSE,
-						algorithm, keysize);
-    if (rv != SECSuccess) {
-	SEC_PKCS7DestroyContentInfo (cinfo);
-	return NULL;
-    }
-
-    return cinfo;
-}
-
diff --git a/security/nss/lib/pkcs7/p7decode.c b/security/nss/lib/pkcs7/p7decode.c
deleted file mode 100644
index 37a0c5b40..000000000
--- a/security/nss/lib/pkcs7/p7decode.c
+++ /dev/null
@@ -1,2062 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * PKCS7 decoding, verification.
- *
- * $Id$
- */
-
-#include "nssrenam.h"
-
-#include "p7local.h"
-
-#include "cert.h"
-				/* XXX do not want to have to include */
-#include "certdb.h"		/* certdb.h -- the trust stuff needed by */
-     				/* the add certificate code needs to get */
-                           	/* rewritten/abstracted and then this */
-      				/* include should be removed! */
-/*#include "cdbhdl.h" */
-#include "cryptohi.h"
-#include "key.h"
-#include "secasn1.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "prtime.h"
-#include "secerr.h"
-#include "sechash.h"	/* for HASH_GetHashObject() */
-#include "secder.h"
-#include "secpkcs5.h"
-
-struct sec_pkcs7_decoder_worker {
-    int depth;
-    int digcnt;
-    void **digcxs;
-    const SECHashObject **digobjs;
-    sec_PKCS7CipherObject *decryptobj;
-    PRBool saw_contents;
-};
-
-struct SEC_PKCS7DecoderContextStr {
-    SEC_ASN1DecoderContext *dcx;
-    SEC_PKCS7ContentInfo *cinfo;
-    SEC_PKCS7DecoderContentCallback cb;
-    void *cb_arg;
-    SECKEYGetPasswordKey pwfn;
-    void *pwfn_arg;
-    struct sec_pkcs7_decoder_worker worker;
-    PRArenaPool *tmp_poolp;
-    int error;
-    SEC_PKCS7GetDecryptKeyCallback dkcb;
-    void *dkcb_arg;
-    SEC_PKCS7DecryptionAllowedCallback decrypt_allowed_cb;
-};
-
-/*
- * Handle one worker, decrypting and digesting the data as necessary.
- *
- * XXX If/when we support nested contents, this probably needs to be
- * revised somewhat to get passed the content-info (which unfortunately
- * can be two different types depending on whether it is encrypted or not)
- * corresponding to the given worker.
- */
-static void
-sec_pkcs7_decoder_work_data (SEC_PKCS7DecoderContext *p7dcx,
-			     struct sec_pkcs7_decoder_worker *worker,
-			     const unsigned char *data, unsigned long len,
-			     PRBool final)
-{
-    unsigned char *buf = NULL;
-    SECStatus rv;
-    int i;
-
-    /*
-     * We should really have data to process, or we should be trying
-     * to finish/flush the last block.  (This is an overly paranoid
-     * check since all callers are in this file and simple inspection
-     * proves they do it right.  But it could find a bug in future
-     * modifications/development, that is why it is here.)
-     */
-    PORT_Assert ((data != NULL && len) || final);
-
-    /*
-     * Decrypt this chunk.
-     *
-     * XXX If we get an error, we do not want to do the digest or callback,
-     * but we want to keep decoding.  Or maybe we want to stop decoding
-     * altogether if there is a callback, because obviously we are not
-     * sending the data back and they want to know that.
-     */
-    if (worker->decryptobj != NULL) {
-	/* XXX the following lengths should all be longs? */
-	unsigned int inlen;	/* length of data being decrypted */
-	unsigned int outlen;	/* length of decrypted data */
-	unsigned int buflen;	/* length available for decrypted data */
-	SECItem *plain;
-
-	inlen = len;
-	buflen = sec_PKCS7DecryptLength (worker->decryptobj, inlen, final);
-	if (buflen == 0) {
-	    if (inlen == 0)	/* no input and no output */
-		return;
-	    /*
-	     * No output is expected, but the input data may be buffered
-	     * so we still have to call Decrypt.
-	     */
-	    rv = sec_PKCS7Decrypt (worker->decryptobj, NULL, NULL, 0,
-				   data, inlen, final);
-	    if (rv != SECSuccess) {
-		p7dcx->error = PORT_GetError();
-		return;		/* XXX indicate error? */
-	    }
-	    return;
-	}
-
-	if (p7dcx->cb != NULL) {
-	    buf = (unsigned char *) PORT_Alloc (buflen);
-	    plain = NULL;
-	} else {
-	    unsigned long oldlen;
-
-	    /*
-	     * XXX This assumes one level of content only.
-	     * See comment above about nested content types.
-	     * XXX Also, it should work for signedAndEnvelopedData, too!
-	     */
-	    plain = &(p7dcx->cinfo->
-			content.envelopedData->encContentInfo.plainContent);
-
-	    oldlen = plain->len;
-	    if (oldlen == 0) {
-		buf = (unsigned char*)PORT_ArenaAlloc (p7dcx->cinfo->poolp, 
-						       buflen);
-	    } else {
-		buf = (unsigned char*)PORT_ArenaGrow (p7dcx->cinfo->poolp, 
-				      plain->data,
-				      oldlen, oldlen + buflen);
-		if (buf != NULL)
-		    buf += oldlen;
-	    }
-	    plain->data = buf;
-	}
-	if (buf == NULL) {
-	    p7dcx->error = SEC_ERROR_NO_MEMORY;
-	    return;		/* XXX indicate error? */
-	}
-	rv = sec_PKCS7Decrypt (worker->decryptobj, buf, &outlen, buflen,
-			       data, inlen, final);
-	if (rv != SECSuccess) {
-	    p7dcx->error = PORT_GetError();
-	    return;		/* XXX indicate error? */
-	}
-	if (plain != NULL) {
-	    PORT_Assert (final || outlen == buflen);
-	    plain->len += outlen;
-	}
-	data = buf;
-	len = outlen;
-    }
-
-    /*
-     * Update the running digests.
-     */
-    if (len) {
-	for (i = 0; i < worker->digcnt; i++) {
-	    (* worker->digobjs[i]->update) (worker->digcxs[i], data, len);
-	}
-    }
-
-    /*
-     * Pass back the contents bytes, and free the temporary buffer.
-     */
-    if (p7dcx->cb != NULL) {
-	if (len)
-	    (* p7dcx->cb) (p7dcx->cb_arg, (const char *)data, len);
-	if (worker->decryptobj != NULL) {
-	    PORT_Assert (buf != NULL);
-	    PORT_Free (buf);
-	}
-    }
-}
-
-static void
-sec_pkcs7_decoder_filter (void *arg, const char *data, unsigned long len,
-			  int depth, SEC_ASN1EncodingPart data_kind)
-{
-    SEC_PKCS7DecoderContext *p7dcx;
-    struct sec_pkcs7_decoder_worker *worker;
-
-    /*
-     * Since we do not handle any nested contents, the only bytes we
-     * are really interested in are the actual contents bytes (not
-     * the identifier, length, or end-of-contents bytes).  If we were
-     * handling nested types we would probably need to do something
-     * smarter based on depth and data_kind.
-     */
-    if (data_kind != SEC_ASN1_Contents)
-	return;
-
-    /*
-     * The ASN.1 decoder should not even call us with a length of 0.
-     * Just being paranoid.
-     */
-    PORT_Assert (len);
-    if (len == 0)
-	return;
-
-    p7dcx = (SEC_PKCS7DecoderContext*)arg;
-
-    /*
-     * Handling nested contents would mean that there is a chain
-     * of workers -- one per each level of content.  The following
-     * would start with the first worker and loop over them.
-     */
-    worker = &(p7dcx->worker);
-
-    worker->saw_contents = PR_TRUE;
-
-    sec_pkcs7_decoder_work_data (p7dcx, worker,
-				 (const unsigned char *) data, len, PR_FALSE);
-}
-
-
-/*
- * Create digest contexts for each algorithm in "digestalgs".
- * No algorithms is not an error, we just do not do anything.
- * An error (like trouble allocating memory), marks the error
- * in "p7dcx" and returns SECFailure, which means that our caller
- * should just give up altogether.
- */
-static SECStatus
-sec_pkcs7_decoder_start_digests (SEC_PKCS7DecoderContext *p7dcx, int depth,
-				 SECAlgorithmID **digestalgs)
-{
-    int i, digcnt;
-
-    if (digestalgs == NULL)
-	return SECSuccess;
-
-    /*
-     * Count the algorithms.
-     */
-    digcnt = 0;
-    while (digestalgs[digcnt] != NULL)
-	digcnt++;
-
-    /*
-     * No algorithms means no work to do.
-     * Just act as if there were no algorithms specified.
-     */
-    if (digcnt == 0)
-	return SECSuccess;
-
-    p7dcx->worker.digcxs = (void**)PORT_ArenaAlloc (p7dcx->tmp_poolp,
-					    digcnt * sizeof (void *));
-    p7dcx->worker.digobjs = (const SECHashObject**)PORT_ArenaAlloc (p7dcx->tmp_poolp,
-					     digcnt * sizeof (SECHashObject *));
-    if (p7dcx->worker.digcxs == NULL || p7dcx->worker.digobjs == NULL) {
-	p7dcx->error = SEC_ERROR_NO_MEMORY;
-	return SECFailure;
-    }
-
-    p7dcx->worker.depth = depth;
-    p7dcx->worker.digcnt = 0;
-
-    /*
-     * Create a digest context for each algorithm.
-     */
-    for (i = 0; i < digcnt; i++) {
-	SECAlgorithmID *     algid  = digestalgs[i];
-	SECOidTag            oidTag = SECOID_FindOIDTag(&(algid->algorithm));
-	const SECHashObject *digobj = HASH_GetHashObjectByOidTag(oidTag);
-	void *digcx;
-
-	/*
-	 * Skip any algorithm we do not even recognize; obviously,
-	 * this could be a problem, but if it is critical then the
-	 * result will just be that the signature does not verify.
-	 * We do not necessarily want to error out here, because
-	 * the particular algorithm may not actually be important,
-	 * but we cannot know that until later.
-	 */
-	if (digobj == NULL) {
-	    p7dcx->worker.digcnt--;
-	    continue;
-	}
-
-	digcx = (* digobj->create)();
-	if (digcx != NULL) {
-	    (* digobj->begin) (digcx);
-	    p7dcx->worker.digobjs[p7dcx->worker.digcnt] = digobj;
-	    p7dcx->worker.digcxs[p7dcx->worker.digcnt] = digcx;
-	    p7dcx->worker.digcnt++;
-	}
-    }
-
-    if (p7dcx->worker.digcnt != 0)
-	SEC_ASN1DecoderSetFilterProc (p7dcx->dcx,
-				      sec_pkcs7_decoder_filter,
-				      p7dcx,
-				      (PRBool)(p7dcx->cb != NULL));
-    return SECSuccess;
-}
-
-
-/*
- * Close out all of the digest contexts, storing the results in "digestsp".
- */
-static SECStatus
-sec_pkcs7_decoder_finish_digests (SEC_PKCS7DecoderContext *p7dcx,
-				  PRArenaPool *poolp,
-				  SECItem ***digestsp)
-{
-    struct sec_pkcs7_decoder_worker *worker;
-    const SECHashObject *digobj;
-    void *digcx;
-    SECItem **digests, *digest;
-    int i;
-    void *mark;
-
-    /*
-     * XXX Handling nested contents would mean that there is a chain
-     * of workers -- one per each level of content.  The following
-     * would want to find the last worker in the chain.
-     */
-    worker = &(p7dcx->worker);
-
-    /*
-     * If no digests, then we have nothing to do.
-     */
-    if (worker->digcnt == 0)
-	return SECSuccess;
-
-    /*
-     * No matter what happens after this, we want to stop filtering.
-     * XXX If we handle nested contents, we only want to stop filtering
-     * if we are finishing off the *last* worker.
-     */
-    SEC_ASN1DecoderClearFilterProc (p7dcx->dcx);
-
-    /*
-     * If we ended up with no contents, just destroy each
-     * digest context -- they are meaningless and potentially
-     * confusing, because their presence would imply some content
-     * was digested.
-     */
-    if (! worker->saw_contents) {
-	for (i = 0; i < worker->digcnt; i++) {
-	    digcx = worker->digcxs[i];
-	    digobj = worker->digobjs[i];
-	    (* digobj->destroy) (digcx, PR_TRUE);
-	}
-	return SECSuccess;
-    }
-
-    mark = PORT_ArenaMark (poolp);
-
-    /*
-     * Close out each digest context, saving digest away.
-     */
-    digests = 
-      (SECItem**)PORT_ArenaAlloc (poolp,(worker->digcnt+1)*sizeof(SECItem *));
-    digest = (SECItem*)PORT_ArenaAlloc (poolp, worker->digcnt*sizeof(SECItem));
-    if (digests == NULL || digest == NULL) {
-	p7dcx->error = PORT_GetError();
-	PORT_ArenaRelease (poolp, mark);
-	return SECFailure;
-    }
-
-    for (i = 0; i < worker->digcnt; i++, digest++) {
-	digcx = worker->digcxs[i];
-	digobj = worker->digobjs[i];
-
-	digest->data = (unsigned char*)PORT_ArenaAlloc (poolp, digobj->length);
-	if (digest->data == NULL) {
-	    p7dcx->error = PORT_GetError();
-	    PORT_ArenaRelease (poolp, mark);
-	    return SECFailure;
-	}
-
-	digest->len = digobj->length;
-	(* digobj->end) (digcx, digest->data, &(digest->len), digest->len);
-	(* digobj->destroy) (digcx, PR_TRUE);
-
-	digests[i] = digest;
-    }
-    digests[i] = NULL;
-    *digestsp = digests;
-
-    PORT_ArenaUnmark (poolp, mark);
-    return SECSuccess;
-}
-
-/*
- * XXX Need comment explaining following helper function (which is used
- * by sec_pkcs7_decoder_start_decrypt).
- */
-extern const SEC_ASN1Template SEC_SMIMEKEAParamTemplateAllParams[];
-
-static PK11SymKey *
-sec_pkcs7_decoder_get_recipient_key (SEC_PKCS7DecoderContext *p7dcx,
-				     SEC_PKCS7RecipientInfo **recipientinfos,
-				     SEC_PKCS7EncryptedContentInfo *enccinfo)
-{
-    SEC_PKCS7RecipientInfo *ri;
-    CERTCertificate *cert = NULL;
-    SECKEYPrivateKey *privkey = NULL;
-    PK11SymKey *bulkkey;
-    SECOidTag keyalgtag, bulkalgtag, encalgtag;
-    PK11SlotInfo *slot;
-    int bulkLength = 0;
-
-    if (recipientinfos == NULL || recipientinfos[0] == NULL) {
-	p7dcx->error = SEC_ERROR_NOT_A_RECIPIENT;
-	goto no_key_found;
-    }
-
-    cert = PK11_FindCertAndKeyByRecipientList(&slot,recipientinfos,&ri,
-						&privkey, p7dcx->pwfn_arg);
-    if (cert == NULL) {
-	p7dcx->error = SEC_ERROR_NOT_A_RECIPIENT;
-	goto no_key_found;
-    }
-
-    ri->cert = cert;		/* so we can find it later */
-    PORT_Assert(privkey != NULL);
-
-    keyalgtag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
-    encalgtag = SECOID_GetAlgorithmTag (&(ri->keyEncAlg));
-    if ((encalgtag != SEC_OID_NETSCAPE_SMIME_KEA) && (keyalgtag != encalgtag)) {
-	p7dcx->error = SEC_ERROR_PKCS7_KEYALG_MISMATCH;
-	goto no_key_found;
-    }
-    bulkalgtag = SECOID_GetAlgorithmTag (&(enccinfo->contentEncAlg));
-
-    switch (encalgtag) {
-      case SEC_OID_PKCS1_RSA_ENCRYPTION:
-	bulkkey = PK11_PubUnwrapSymKey (privkey, &ri->encKey,
-					PK11_AlgtagToMechanism (bulkalgtag),
-					CKA_DECRYPT, 0);
-	if (bulkkey == NULL) {
-	    p7dcx->error = PORT_GetError();
-	    PORT_SetError(0);
-	    goto no_key_found;
-	}
-	break;
-	/* ### mwelch -- KEA */ 
-        case SEC_OID_NETSCAPE_SMIME_KEA:
-	  {
-	      SECStatus err;
-	      CK_MECHANISM_TYPE bulkType;
-	      PK11SymKey *tek;
-	      SECKEYPublicKey *senderPubKey;
-	      SEC_PKCS7SMIMEKEAParameters   keaParams;
-
-	      (void) memset(&keaParams, 0, sizeof(keaParams));
-
-	      /* Decode the KEA algorithm parameters. */
-	      err = SEC_ASN1DecodeItem(NULL,
-				       &keaParams,
-				       SEC_SMIMEKEAParamTemplateAllParams,
-				       &(ri->keyEncAlg.parameters));
-	      if (err != SECSuccess)
-	      {
-		  p7dcx->error = err;
-		  PORT_SetError(0);
-		  goto no_key_found;
-	      }
-	  
-
-	      /* We just got key data, no key structure. So, we
-		 create one. */
-	     senderPubKey = 
-		  PK11_MakeKEAPubKey(keaParams.originatorKEAKey.data,
-				     keaParams.originatorKEAKey.len);
-	     if (senderPubKey == NULL)
-	     {
-		    p7dcx->error = PORT_GetError();
-		    PORT_SetError(0);
-		    goto no_key_found;
-	     }
-	      
-	     /* Generate the TEK (token exchange key) which we use
-	         to unwrap the bulk encryption key. */
-	     tek = PK11_PubDerive(privkey, senderPubKey, 
-				   PR_FALSE,
-				   &keaParams.originatorRA,
-				   NULL,
-				   CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP,
-				   CKA_WRAP, 0, p7dcx->pwfn_arg);
-	     SECKEY_DestroyPublicKey(senderPubKey);
-	      
-	     if (tek == NULL)
-	     {
-		  p7dcx->error = PORT_GetError();
-		  PORT_SetError(0);
-		  goto no_key_found;
-	     }
-	      
-	      /* Now that we have the TEK, unwrap the bulk key
-	         with which to decrypt the message. We have to
-		 do one of two different things depending on 
-		 whether Skipjack was used for bulk encryption 
-		 of the message. */
-	      bulkType = PK11_AlgtagToMechanism (bulkalgtag);
-	      switch(bulkType)
-	      {
-	      case CKM_SKIPJACK_CBC64:
-	      case CKM_SKIPJACK_ECB64:
-	      case CKM_SKIPJACK_OFB64:
-	      case CKM_SKIPJACK_CFB64:
-	      case CKM_SKIPJACK_CFB32:
-	      case CKM_SKIPJACK_CFB16:
-	      case CKM_SKIPJACK_CFB8:
-		  /* Skipjack is being used as the bulk encryption algorithm.*/
-		  /* Unwrap the bulk key. */
-		  bulkkey = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_WRAP,
-					      NULL, &ri->encKey, 
-					      CKM_SKIPJACK_CBC64, 
-					      CKA_DECRYPT, 0);
-		  break;
-	      default:
-		  /* Skipjack was not used for bulk encryption of this
-		     message. Use Skipjack CBC64, with the nonSkipjackIV
-		     part of the KEA key parameters, to decrypt 
-		     the bulk key. If we got a parameter indicating that the
-		     bulk key size is different than the encrypted key size,
-		     pass in the real key size. */
-		  
-		  /* Check for specified bulk key length (unspecified implies
-		     that the bulk key length is the same as encrypted length) */
-		  if (keaParams.bulkKeySize.len > 0)
-		  {
-		      p7dcx->error = SEC_ASN1DecodeItem(NULL, &bulkLength,
-					SEC_ASN1_GET(SEC_IntegerTemplate),
-					&keaParams.bulkKeySize);
-		  }
-		  
-		  if (p7dcx->error != SECSuccess)
-		      goto no_key_found;
-		  
-		  bulkkey = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_CBC64,
-					      &keaParams.nonSkipjackIV, 
-					      &ri->encKey,
-					      bulkType,
-					      CKA_DECRYPT, bulkLength);
-	      }
-	      
-	      
-	      if (bulkkey == NULL)
-	      {
-		  p7dcx->error = PORT_GetError();
-		  PORT_SetError(0);
-		  goto no_key_found;
-	      }
-	      break;
-	  }
-      default:
-	p7dcx->error = SEC_ERROR_UNSUPPORTED_KEYALG;
-	goto no_key_found;
-    }
-
-    return bulkkey;
-
-no_key_found:
-    if (privkey != NULL)
-	SECKEY_DestroyPrivateKey (privkey);
-
-    return NULL;
-}
- 
-/*
- * XXX The following comment is old -- the function used to only handle
- * EnvelopedData or SignedAndEnvelopedData but now handles EncryptedData
- * as well (and it had all of the code of the helper function above
- * built into it), though the comment was left as is.  Fix it...
- *
- * We are just about to decode the content of an EnvelopedData.
- * Set up a decryption context so we can decrypt as we go.
- * Presumably we are one of the recipients listed in "recipientinfos".
- * (XXX And if we are not, or if we have trouble, what should we do?
- *  It would be nice to let the decoding still work.  Maybe it should
- *  be an error if there is a content callback, but not an error otherwise?)
- * The encryption key and related information can be found in "enccinfo".
- */
-static SECStatus
-sec_pkcs7_decoder_start_decrypt (SEC_PKCS7DecoderContext *p7dcx, int depth,
-				 SEC_PKCS7RecipientInfo **recipientinfos,
-				 SEC_PKCS7EncryptedContentInfo *enccinfo,
-				 PK11SymKey **copy_key_for_signature)
-{
-    PK11SymKey *bulkkey = NULL;
-    sec_PKCS7CipherObject *decryptobj;
-
-    /*
-     * If a callback is supplied to retrieve the encryption key, 
-     * for instance, for Encrypted Content infos, then retrieve
-     * the bulkkey from the callback.  Otherwise, assume that
-     * we are processing Enveloped or SignedAndEnveloped data
-     * content infos.
-     *
-     * XXX Put an assert here?
-     */
-    if (SEC_PKCS7ContentType(p7dcx->cinfo) == SEC_OID_PKCS7_ENCRYPTED_DATA) {
-	if (p7dcx->dkcb != NULL) {
-	    bulkkey = (*p7dcx->dkcb)(p7dcx->dkcb_arg, 
-				     &(enccinfo->contentEncAlg));
-	}
-	enccinfo->keysize = 0;
-    } else {
-	bulkkey = sec_pkcs7_decoder_get_recipient_key (p7dcx, recipientinfos, 
-						       enccinfo);
-	if (bulkkey == NULL) goto no_decryption;
-	enccinfo->keysize = PK11_GetKeyStrength(bulkkey, 
-						&(enccinfo->contentEncAlg));
-
-    }
-
-    /*
-     * XXX I think following should set error in p7dcx and clear set error
-     * (as used to be done here, or as is done in get_receipient_key above.
-     */
-    if(bulkkey == NULL) {
-	goto no_decryption;
-    }
-    
-    /* 
-     * We want to make sure decryption is allowed.  This is done via
-     * a callback specified in SEC_PKCS7DecoderStart().
-     */
-    if (p7dcx->decrypt_allowed_cb) {
-	if ((*p7dcx->decrypt_allowed_cb) (&(enccinfo->contentEncAlg), 
-					  bulkkey) == PR_FALSE) {
-	    p7dcx->error = SEC_ERROR_DECRYPTION_DISALLOWED;
-	    goto no_decryption;
-	}
-    } else {
-	    p7dcx->error = SEC_ERROR_DECRYPTION_DISALLOWED;
-	    goto no_decryption;
-    }
-
-    /*
-     * When decrypting a signedAndEnvelopedData, the signature also has
-     * to be decrypted with the bulk encryption key; to avoid having to
-     * get it all over again later (and do another potentially expensive
-     * RSA operation), copy it for later signature verification to use.
-     */
-    if (copy_key_for_signature != NULL)
-	*copy_key_for_signature = PK11_ReferenceSymKey (bulkkey);
-
-    /*
-     * Now we have the bulk encryption key (in bulkkey) and the
-     * the algorithm (in enccinfo->contentEncAlg).  Using those,
-     * create a decryption context.
-     */
-    decryptobj = sec_PKCS7CreateDecryptObject (bulkkey,
-					       &(enccinfo->contentEncAlg));
-
-    /*
-     * We are done with (this) bulkkey now.
-     */
-    PK11_FreeSymKey (bulkkey);
-
-    if (decryptobj == NULL) {
-	p7dcx->error = PORT_GetError();
-	PORT_SetError(0);
-	goto no_decryption;
-    }
-
-    SEC_ASN1DecoderSetFilterProc (p7dcx->dcx,
-				  sec_pkcs7_decoder_filter,
-				  p7dcx,
-				  (PRBool)(p7dcx->cb != NULL));
-
-    p7dcx->worker.depth = depth;
-    p7dcx->worker.decryptobj = decryptobj;
-
-    return SECSuccess;
-
-no_decryption:
-    /*
-     * For some reason (error set already, if appropriate), we cannot
-     * decrypt the content.  I am not sure what exactly is the right
-     * thing to do here; in some cases we want to just stop, and in
-     * others we want to let the decoding finish even though we cannot
-     * decrypt the content.  My current thinking is that if the caller
-     * set up a content callback, then they are really interested in
-     * getting (decrypted) content, and if they cannot they will want
-     * to know about it.  However, if no callback was specified, then
-     * maybe it is not important that the decryption failed.
-     */
-    if (p7dcx->cb != NULL)
-	return SECFailure;
-    else
-	return SECSuccess;	/* Let the decoding continue. */
-}
-
-
-static SECStatus
-sec_pkcs7_decoder_finish_decrypt (SEC_PKCS7DecoderContext *p7dcx,
-				  PRArenaPool *poolp,
-				  SEC_PKCS7EncryptedContentInfo *enccinfo)
-{
-    struct sec_pkcs7_decoder_worker *worker;
-
-    /*
-     * XXX Handling nested contents would mean that there is a chain
-     * of workers -- one per each level of content.  The following
-     * would want to find the last worker in the chain.
-     */
-    worker = &(p7dcx->worker);
-
-    /*
-     * If no decryption context, then we have nothing to do.
-     */
-    if (worker->decryptobj == NULL)
-	return SECSuccess;
-
-    /*
-     * No matter what happens after this, we want to stop filtering.
-     * XXX If we handle nested contents, we only want to stop filtering
-     * if we are finishing off the *last* worker.
-     */
-    SEC_ASN1DecoderClearFilterProc (p7dcx->dcx);
-
-    /*
-     * Handle the last block.
-     */
-    sec_pkcs7_decoder_work_data (p7dcx, worker, NULL, 0, PR_TRUE);
-
-    /*
-     * All done, destroy it.
-     */
-    sec_PKCS7DestroyDecryptObject (worker->decryptobj);
-    worker->decryptobj = NULL;
-
-    return SECSuccess;
-}
-
-
-static void
-sec_pkcs7_decoder_notify (void *arg, PRBool before, void *dest, int depth)
-{
-    SEC_PKCS7DecoderContext *p7dcx;
-    SEC_PKCS7ContentInfo *cinfo;
-    SEC_PKCS7SignedData *sigd;
-    SEC_PKCS7EnvelopedData *envd;
-    SEC_PKCS7SignedAndEnvelopedData *saed;
-    SEC_PKCS7EncryptedData *encd;
-    SEC_PKCS7DigestedData *digd;
-    PRBool after;
-    SECStatus rv;
-
-    /*
-     * Just to make the code easier to read, create an "after" variable
-     * that is equivalent to "not before".
-     * (This used to be just the statement "after = !before", but that
-     * causes a warning on the mac; to avoid that, we do it the long way.)
-     */
-    if (before)
-	after = PR_FALSE;
-    else
-	after = PR_TRUE;
-
-    p7dcx = (SEC_PKCS7DecoderContext*)arg;
-    cinfo = p7dcx->cinfo;
-
-    if (cinfo->contentTypeTag == NULL) {
-	if (after && dest == &(cinfo->contentType))
-	    cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType));
-	return;
-    }
-
-    switch (cinfo->contentTypeTag->offset) {
-      case SEC_OID_PKCS7_SIGNED_DATA:
-	sigd = cinfo->content.signedData;
-	if (sigd == NULL)
-	    break;
-
-	if (sigd->contentInfo.contentTypeTag == NULL) {
-	    if (after && dest == &(sigd->contentInfo.contentType))
-		sigd->contentInfo.contentTypeTag =
-			SECOID_FindOID(&(sigd->contentInfo.contentType));
-	    break;
-	}
-
-	/*
-	 * We only set up a filtering digest if the content is
-	 * plain DATA; anything else needs more work because a
-	 * second pass is required to produce a DER encoding from
-	 * an input that can be BER encoded.  (This is a requirement
-	 * of PKCS7 that is unfortunate, but there you have it.)
-	 *
-	 * XXX Also, since we stop here if this is not DATA, the
-	 * inner content is not getting processed at all.  Someday
-	 * we may want to fix that.
-	 */
-	if (sigd->contentInfo.contentTypeTag->offset != SEC_OID_PKCS7_DATA) {
-	    /* XXX Set an error in p7dcx->error */
-	    SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
-	    break;
-	}
-
-	/*
-	 * Just before the content, we want to set up a digest context
-	 * for each digest algorithm listed, and start a filter which
-	 * will run all of the contents bytes through that digest.
-	 */
-	if (before && dest == &(sigd->contentInfo.content)) {
-	    rv = sec_pkcs7_decoder_start_digests (p7dcx, depth,
-						  sigd->digestAlgorithms);
-	    if (rv != SECSuccess)
-		SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
-
-	    break;
-	}
-
-	/*
-	 * XXX To handle nested types, here is where we would want
-	 * to check for inner boundaries that need handling.
-	 */
-
-	/*
-	 * Are we done?
-	 */
-	if (after && dest == &(sigd->contentInfo.content)) {
-	    /*
-	     * Close out the digest contexts.  We ignore any error
-	     * because we are stopping anyway; the error status left
-	     * behind in p7dcx will be seen by outer functions.
-	     */
-	    (void) sec_pkcs7_decoder_finish_digests (p7dcx, cinfo->poolp,
-						     &(sigd->digests));
-
-	    /*
-	     * XXX To handle nested contents, we would need to remove
-	     * the worker from the chain (and free it).
-	     */
-
-	    /*
-	     * Stop notify.
-	     */
-	    SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
-	}
-	break;
-
-      case SEC_OID_PKCS7_ENVELOPED_DATA:
-	envd = cinfo->content.envelopedData;
-	if (envd == NULL)
-	    break;
-
-	if (envd->encContentInfo.contentTypeTag == NULL) {
-	    if (after && dest == &(envd->encContentInfo.contentType))
-		envd->encContentInfo.contentTypeTag =
-			SECOID_FindOID(&(envd->encContentInfo.contentType));
-	    break;
-	}
-
-	/*
-	 * Just before the content, we want to set up a decryption
-	 * context, and start a filter which will run all of the
-	 * contents bytes through it to determine the plain content.
-	 */
-	if (before && dest == &(envd->encContentInfo.encContent)) {
-	    rv = sec_pkcs7_decoder_start_decrypt (p7dcx, depth,
-						  envd->recipientInfos,
-						  &(envd->encContentInfo),
-						  NULL);
-	    if (rv != SECSuccess)
-		SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
-
-	    break;
-	}
-
-	/*
-	 * Are we done?
-	 */
-	if (after && dest == &(envd->encContentInfo.encContent)) {
-	    /*
-	     * Close out the decryption context.  We ignore any error
-	     * because we are stopping anyway; the error status left
-	     * behind in p7dcx will be seen by outer functions.
-	     */
-	    (void) sec_pkcs7_decoder_finish_decrypt (p7dcx, cinfo->poolp,
-						     &(envd->encContentInfo));
-
-	    /*
-	     * XXX To handle nested contents, we would need to remove
-	     * the worker from the chain (and free it).
-	     */
-
-	    /*
-	     * Stop notify.
-	     */
-	    SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
-	}
-	break;
-
-      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
-	saed = cinfo->content.signedAndEnvelopedData;
-	if (saed == NULL)
-	    break;
-
-	if (saed->encContentInfo.contentTypeTag == NULL) {
-	    if (after && dest == &(saed->encContentInfo.contentType))
-		saed->encContentInfo.contentTypeTag =
-			SECOID_FindOID(&(saed->encContentInfo.contentType));
-	    break;
-	}
-
-	/*
-	 * Just before the content, we want to set up a decryption
-	 * context *and* digest contexts, and start a filter which
-	 * will run all of the contents bytes through both.
-	 */
-	if (before && dest == &(saed->encContentInfo.encContent)) {
-	    rv = sec_pkcs7_decoder_start_decrypt (p7dcx, depth,
-						  saed->recipientInfos,
-						  &(saed->encContentInfo),
-						  &(saed->sigKey));
-	    if (rv == SECSuccess)
-		rv = sec_pkcs7_decoder_start_digests (p7dcx, depth,
-						      saed->digestAlgorithms);
-	    if (rv != SECSuccess)
-		SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
-
-	    break;
-	}
-
-	/*
-	 * Are we done?
-	 */
-	if (after && dest == &(saed->encContentInfo.encContent)) {
-	    /*
-	     * Close out the decryption and digests contexts.
-	     * We ignore any errors because we are stopping anyway;
-	     * the error status left behind in p7dcx will be seen by
-	     * outer functions.
-	     *
-	     * Note that the decrypt stuff must be called first;
-	     * it may have a last buffer to do which in turn has
-	     * to be added to the digest.
-	     */
-	    (void) sec_pkcs7_decoder_finish_decrypt (p7dcx, cinfo->poolp,
-						     &(saed->encContentInfo));
-	    (void) sec_pkcs7_decoder_finish_digests (p7dcx, cinfo->poolp,
-						     &(saed->digests));
-
-	    /*
-	     * XXX To handle nested contents, we would need to remove
-	     * the worker from the chain (and free it).
-	     */
-
-	    /*
-	     * Stop notify.
-	     */
-	    SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
-	}
-	break;
-
-      case SEC_OID_PKCS7_DIGESTED_DATA:
-	digd = cinfo->content.digestedData;
-	
-	/* 
-	 * XXX Want to do the digest or not?  Maybe future enhancement...
-	 */
-	if (before && dest == &(digd->contentInfo.content.data)) {
-	    SEC_ASN1DecoderSetFilterProc (p7dcx->dcx, sec_pkcs7_decoder_filter,
-					  p7dcx,
-					  (PRBool)(p7dcx->cb != NULL));
-	    break;
-	}
-
-	/*
-	 * Are we done?
-	 */
-	if (after && dest == &(digd->contentInfo.content.data)) {
-	    SEC_ASN1DecoderClearFilterProc (p7dcx->dcx);
-	}
-	break;
-
-      case SEC_OID_PKCS7_ENCRYPTED_DATA:
-	encd = cinfo->content.encryptedData;
-
-	/*
-	 * XXX If the decryption key callback is set, we want to start
-	 * the decryption.  If the callback is not set, we will treat the
-	 * content as plain data, since we do not have the key.
-	 *
-	 * Is this the proper thing to do?
-	 */
-	if (before && dest == &(encd->encContentInfo.encContent)) {
-	    /*
-	     * Start the encryption process if the decryption key callback
-	     * is present.  Otherwise, treat the content like plain data.
-	     */
-	    rv = SECSuccess;
-	    if (p7dcx->dkcb != NULL) {
-		rv = sec_pkcs7_decoder_start_decrypt (p7dcx, depth, NULL,
-						      &(encd->encContentInfo),
-						      NULL);
-	    }
-
-	    if (rv != SECSuccess)
-		SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
-		
-	    break;
-	}
-
-	/*
-	 * Are we done?
-	 */
-	if (after && dest == &(encd->encContentInfo.encContent)) {
-	    /*
-	     * Close out the decryption context.  We ignore any error
-	     * because we are stopping anyway; the error status left
-	     * behind in p7dcx will be seen by outer functions.
-	     */
-	    (void) sec_pkcs7_decoder_finish_decrypt (p7dcx, cinfo->poolp,
-						     &(encd->encContentInfo));
-
-	    /*
-	     * Stop notify.
-	     */
-	    SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
-	}
-	break;
-
-      case SEC_OID_PKCS7_DATA:
-	/*
-	 * If a output callback has been specified, we want to set the filter
-	 * to call the callback.  This is taken care of in 
-	 * sec_pkcs7_decoder_start_decrypt() or 
-	 * sec_pkcs7_decoder_start_digests() for the other content types.
-	 */ 
-	
-	if (before && dest == &(cinfo->content.data)) {
-
-	    /* 
-	     * Set the filter proc up.
-	     */
-	    SEC_ASN1DecoderSetFilterProc (p7dcx->dcx,
-					  sec_pkcs7_decoder_filter,
-					  p7dcx,
-					  (PRBool)(p7dcx->cb != NULL));
-	    break;
-	}
-
-	if (after && dest == &(cinfo->content.data)) {
-	    /*
-	     * Time to clean up after ourself, stop the Notify and Filter
-	     * procedures.
-	     */
-	    SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
-	    SEC_ASN1DecoderClearFilterProc (p7dcx->dcx);
-	}
-	break;
-
-      default:
-	SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
-	break;
-    }
-}
-
-
-SEC_PKCS7DecoderContext *
-SEC_PKCS7DecoderStart(SEC_PKCS7DecoderContentCallback cb, void *cb_arg,
-		      SECKEYGetPasswordKey pwfn, void *pwfn_arg,
-		      SEC_PKCS7GetDecryptKeyCallback decrypt_key_cb, 
-		      void *decrypt_key_cb_arg,
-		      SEC_PKCS7DecryptionAllowedCallback decrypt_allowed_cb)
-{
-    SEC_PKCS7DecoderContext *p7dcx;
-    SEC_ASN1DecoderContext *dcx;
-    SEC_PKCS7ContentInfo *cinfo;
-    PRArenaPool *poolp;
-
-    poolp = PORT_NewArena (1024);		/* XXX what is right value? */
-    if (poolp == NULL)
-	return NULL;
-
-    cinfo = (SEC_PKCS7ContentInfo*)PORT_ArenaZAlloc (poolp, sizeof(*cinfo));
-    if (cinfo == NULL) {
-	PORT_FreeArena (poolp, PR_FALSE);
-	return NULL;
-    }
-
-    cinfo->poolp = poolp;
-    cinfo->pwfn = pwfn;
-    cinfo->pwfn_arg = pwfn_arg;
-    cinfo->created = PR_FALSE;
-    cinfo->refCount = 1;
-
-    p7dcx = 
-      (SEC_PKCS7DecoderContext*)PORT_ZAlloc (sizeof(SEC_PKCS7DecoderContext));
-    if (p7dcx == NULL) {
-	PORT_FreeArena (poolp, PR_FALSE);
-	return NULL;
-    }
-
-    p7dcx->tmp_poolp = PORT_NewArena (1024);	/* XXX what is right value? */
-    if (p7dcx->tmp_poolp == NULL) {
-	PORT_Free (p7dcx);
-	PORT_FreeArena (poolp, PR_FALSE);
-	return NULL;
-    }
-
-    dcx = SEC_ASN1DecoderStart (poolp, cinfo, sec_PKCS7ContentInfoTemplate);
-    if (dcx == NULL) {
-	PORT_FreeArena (p7dcx->tmp_poolp, PR_FALSE);
-	PORT_Free (p7dcx);
-	PORT_FreeArena (poolp, PR_FALSE);
-	return NULL;
-    }
-
-    SEC_ASN1DecoderSetNotifyProc (dcx, sec_pkcs7_decoder_notify, p7dcx);
-
-    p7dcx->dcx = dcx;
-    p7dcx->cinfo = cinfo;
-    p7dcx->cb = cb;
-    p7dcx->cb_arg = cb_arg;
-    p7dcx->pwfn = pwfn;
-    p7dcx->pwfn_arg = pwfn_arg;
-    p7dcx->dkcb = decrypt_key_cb;
-    p7dcx->dkcb_arg = decrypt_key_cb_arg;
-    p7dcx->decrypt_allowed_cb = decrypt_allowed_cb;
-
-    return p7dcx;
-}
-
-
-/*
- * Do the next chunk of PKCS7 decoding.  If there is a problem, set
- * an error and return a failure status.  Note that in the case of
- * an error, this routine is still prepared to be called again and
- * again in case that is the easiest route for our caller to take.
- * We simply detect it and do not do anything except keep setting
- * that error in case our caller has not noticed it yet...
- */
-SECStatus
-SEC_PKCS7DecoderUpdate(SEC_PKCS7DecoderContext *p7dcx,
-		       const char *buf, unsigned long len)
-{
-    if (p7dcx->cinfo != NULL && p7dcx->dcx != NULL) { 
-	PORT_Assert (p7dcx->error == 0);
-	if (p7dcx->error == 0) {
-	    if (SEC_ASN1DecoderUpdate (p7dcx->dcx, buf, len) != SECSuccess) {
-		p7dcx->error = PORT_GetError();
-		PORT_Assert (p7dcx->error);
-		if (p7dcx->error == 0)
-		    p7dcx->error = -1;
-	    }
-	}
-    }
-
-    if (p7dcx->error) {
-	if (p7dcx->dcx != NULL) {
-	    (void) SEC_ASN1DecoderFinish (p7dcx->dcx);
-	    p7dcx->dcx = NULL;
-	}
-	if (p7dcx->cinfo != NULL) {
-	    SEC_PKCS7DestroyContentInfo (p7dcx->cinfo);
-	    p7dcx->cinfo = NULL;
-	}
-	PORT_SetError (p7dcx->error);
-	return SECFailure;
-    }
-
-    return SECSuccess;
-}
-
-
-SEC_PKCS7ContentInfo *
-SEC_PKCS7DecoderFinish(SEC_PKCS7DecoderContext *p7dcx)
-{
-    SEC_PKCS7ContentInfo *cinfo;
-
-    cinfo = p7dcx->cinfo;
-    if (p7dcx->dcx != NULL) {
-	if (SEC_ASN1DecoderFinish (p7dcx->dcx) != SECSuccess) {
-	    SEC_PKCS7DestroyContentInfo (cinfo);
-	    cinfo = NULL;
-	}
-    }
-    /* free any NSS data structures */
-    if (p7dcx->worker.decryptobj) {
-        sec_PKCS7DestroyDecryptObject (p7dcx->worker.decryptobj);
-    }
-    PORT_FreeArena (p7dcx->tmp_poolp, PR_FALSE);
-    PORT_Free (p7dcx);
-    return cinfo;
-}
-
-
-SEC_PKCS7ContentInfo *
-SEC_PKCS7DecodeItem(SECItem *p7item,
-		    SEC_PKCS7DecoderContentCallback cb, void *cb_arg,
-		    SECKEYGetPasswordKey pwfn, void *pwfn_arg,
-		    SEC_PKCS7GetDecryptKeyCallback decrypt_key_cb, 
-		    void *decrypt_key_cb_arg,
-		    SEC_PKCS7DecryptionAllowedCallback decrypt_allowed_cb)
-{
-    SEC_PKCS7DecoderContext *p7dcx;
-
-    p7dcx = SEC_PKCS7DecoderStart(cb, cb_arg, pwfn, pwfn_arg, decrypt_key_cb,
-				  decrypt_key_cb_arg, decrypt_allowed_cb);
-    (void) SEC_PKCS7DecoderUpdate(p7dcx, (char *) p7item->data, p7item->len);
-    return SEC_PKCS7DecoderFinish(p7dcx);
-}
-
-/*
- * Abort the ASN.1 stream. Used by pkcs 12
- */
-void
-SEC_PKCS7DecoderAbort(SEC_PKCS7DecoderContext *p7dcx, int error)
-{
-    PORT_Assert(p7dcx);
-    SEC_ASN1DecoderAbort(p7dcx->dcx, error);
-}
-
-
-/*
- * If the thing contains any certs or crls return true; false otherwise.
- */
-PRBool
-SEC_PKCS7ContainsCertsOrCrls(SEC_PKCS7ContentInfo *cinfo)
-{
-    SECOidTag kind;
-    SECItem **certs;
-    CERTSignedCrl **crls;
-
-    kind = SEC_PKCS7ContentType (cinfo);
-    switch (kind) {
-      default:
-      case SEC_OID_PKCS7_DATA:
-      case SEC_OID_PKCS7_DIGESTED_DATA:
-      case SEC_OID_PKCS7_ENVELOPED_DATA:
-      case SEC_OID_PKCS7_ENCRYPTED_DATA:
-	return PR_FALSE;
-      case SEC_OID_PKCS7_SIGNED_DATA:
-	certs = cinfo->content.signedData->rawCerts;
-	crls = cinfo->content.signedData->crls;
-	break;
-      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
-	certs = cinfo->content.signedAndEnvelopedData->rawCerts;
-	crls = cinfo->content.signedAndEnvelopedData->crls;
-	break;
-    }
-
-    /*
-     * I know this could be collapsed, but I was in a mood to be explicit.
-     */
-    if (certs != NULL && certs[0] != NULL)
-	return PR_TRUE;
-    else if (crls != NULL && crls[0] != NULL)
-	return PR_TRUE;
-    else
-	return PR_FALSE;
-}
-
-/* return the content length...could use GetContent, however we
- * need the encrypted content length 
- */
-PRBool
-SEC_PKCS7IsContentEmpty(SEC_PKCS7ContentInfo *cinfo, unsigned int minLen)
-{
-    SECItem *item = NULL;
-
-    if(cinfo == NULL) {
-	return PR_TRUE;
-    }
-
-    switch(SEC_PKCS7ContentType(cinfo)) 
-    {
-	case SEC_OID_PKCS7_DATA:
-	    item = cinfo->content.data;
-	    break;
-	case SEC_OID_PKCS7_ENCRYPTED_DATA:
-	    item = &cinfo->content.encryptedData->encContentInfo.encContent;
-	    break;
-	default:
-	    /* add other types */
-	    return PR_FALSE;
-    }
-
-    if(!item) {
-	return PR_TRUE;
-    } else if(item->len <= minLen) {
-	return PR_TRUE;
-    }
-
-    return PR_FALSE;
-}
-
-
-PRBool
-SEC_PKCS7ContentIsEncrypted(SEC_PKCS7ContentInfo *cinfo)
-{
-    SECOidTag kind;
-
-    kind = SEC_PKCS7ContentType (cinfo);
-    switch (kind) {
-      default:
-      case SEC_OID_PKCS7_DATA:
-      case SEC_OID_PKCS7_DIGESTED_DATA:
-      case SEC_OID_PKCS7_SIGNED_DATA:
-	return PR_FALSE;
-      case SEC_OID_PKCS7_ENCRYPTED_DATA:
-      case SEC_OID_PKCS7_ENVELOPED_DATA:
-      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
-	return PR_TRUE;
-    }
-}
-
-
-/*
- * If the PKCS7 content has a signature (not just *could* have a signature)
- * return true; false otherwise.  This can/should be called before calling
- * VerifySignature, which will always indicate failure if no signature is
- * present, but that does not mean there even was a signature!
- * Note that the content itself can be empty (detached content was sent
- * another way); it is the presence of the signature that matters.
- */
-PRBool
-SEC_PKCS7ContentIsSigned(SEC_PKCS7ContentInfo *cinfo)
-{
-    SECOidTag kind;
-    SEC_PKCS7SignerInfo **signerinfos;
-
-    kind = SEC_PKCS7ContentType (cinfo);
-    switch (kind) {
-      default:
-      case SEC_OID_PKCS7_DATA:
-      case SEC_OID_PKCS7_DIGESTED_DATA:
-      case SEC_OID_PKCS7_ENVELOPED_DATA:
-      case SEC_OID_PKCS7_ENCRYPTED_DATA:
-	return PR_FALSE;
-      case SEC_OID_PKCS7_SIGNED_DATA:
-	signerinfos = cinfo->content.signedData->signerInfos;
-	break;
-      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
-	signerinfos = cinfo->content.signedAndEnvelopedData->signerInfos;
-	break;
-    }
-
-    /*
-     * I know this could be collapsed; but I kind of think it will get
-     * more complicated before I am finished, so...
-     */
-    if (signerinfos != NULL && signerinfos[0] != NULL)
-	return PR_TRUE;
-    else
-	return PR_FALSE;
-}
-
-
-/*
- * SEC_PKCS7ContentVerifySignature
- *	Look at a PKCS7 contentInfo and check if the signature is good.
- *	The digest was either calculated earlier (and is stored in the
- *	contentInfo itself) or is passed in via "detached_digest".
- *
- *	The verification checks that the signing cert is valid and trusted
- *	for the purpose specified by "certusage".
- *
- *	In addition, if "keepcerts" is true, add any new certificates found
- *	into our local database.
- *
- * XXX Each place which returns PR_FALSE should be sure to have a good
- * error set for inspection by the caller.  Alternatively, we could create
- * an enumeration of success and each type of failure and return that
- * instead of a boolean.  For now, the default in a bad situation is to
- * set the error to SEC_ERROR_PKCS7_BAD_SIGNATURE.  But this should be
- * reviewed; better (more specific) errors should be possible (to distinguish
- * a signature failure from a badly-formed pkcs7 signedData, for example).
- * Some of the errors should probably just be SEC_ERROR_BAD_SIGNATURE,
- * but that has a less helpful error string associated with it right now;
- * if/when that changes, review and change these as needed.
- *
- * XXX This is broken wrt signedAndEnvelopedData.  In that case, the
- * message digest is doubly encrypted -- first encrypted with the signer
- * private key but then again encrypted with the bulk encryption key used
- * to encrypt the content.  So before we can pass the digest to VerifyDigest,
- * we need to decrypt it with the bulk encryption key.  Also, in this case,
- * there should be NO authenticatedAttributes (signerinfo->authAttr should
- * be NULL).
- */
-static PRBool
-sec_pkcs7_verify_signature(SEC_PKCS7ContentInfo *cinfo,
-			   SECCertUsage certusage,
-			   SECItem *detached_digest,
-			   HASH_HashType digest_type,
-			   PRBool keepcerts)
-{
-    SECAlgorithmID **digestalgs, *bulkid;
-    SECItem *digest;
-    SECItem **digests;
-    SECItem **rawcerts;
-    CERTSignedCrl **crls;
-    SEC_PKCS7SignerInfo **signerinfos, *signerinfo;
-    CERTCertificate *cert, **certs;
-    PRBool goodsig;
-    CERTCertDBHandle *certdb, *defaultdb; 
-    SECOidData *algiddata;
-    int i, certcount;
-    SECKEYPublicKey *publickey;
-    SECItem *content_type;
-    PK11SymKey *sigkey;
-    SECItem *encoded_stime;
-    int64 stime;
-    SECStatus rv;
-
-    /*
-     * Everything needed in order to "goto done" safely.
-     */
-    goodsig = PR_FALSE;
-    certcount = 0;
-    cert = NULL;
-    certs = NULL;
-    certdb = NULL;
-    defaultdb = CERT_GetDefaultCertDB();
-    publickey = NULL;
-
-    if (! SEC_PKCS7ContentIsSigned(cinfo)) {
-	PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
-	goto done;
-    }
-
-    PORT_Assert (cinfo->contentTypeTag != NULL);
-
-    switch (cinfo->contentTypeTag->offset) {
-      default:
-      case SEC_OID_PKCS7_DATA:
-      case SEC_OID_PKCS7_DIGESTED_DATA:
-      case SEC_OID_PKCS7_ENVELOPED_DATA:
-      case SEC_OID_PKCS7_ENCRYPTED_DATA:
-	/* Could only get here if SEC_PKCS7ContentIsSigned is broken. */
-	PORT_Assert (0);
-      case SEC_OID_PKCS7_SIGNED_DATA:
-	{
-	    SEC_PKCS7SignedData *sdp;
-
-	    sdp = cinfo->content.signedData;
-	    digestalgs = sdp->digestAlgorithms;
-	    digests = sdp->digests;
-	    rawcerts = sdp->rawCerts;
-	    crls = sdp->crls;
-	    signerinfos = sdp->signerInfos;
-	    content_type = &(sdp->contentInfo.contentType);
-	    sigkey = NULL;
-	    bulkid = NULL;
-	}
-	break;
-      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
-	{
-	    SEC_PKCS7SignedAndEnvelopedData *saedp;
-
-	    saedp = cinfo->content.signedAndEnvelopedData;
-	    digestalgs = saedp->digestAlgorithms;
-	    digests = saedp->digests;
-	    rawcerts = saedp->rawCerts;
-	    crls = saedp->crls;
-	    signerinfos = saedp->signerInfos;
-	    content_type = &(saedp->encContentInfo.contentType);
-	    sigkey = saedp->sigKey;
-	    bulkid = &(saedp->encContentInfo.contentEncAlg);
-	}
-	break;
-    }
-
-    if ((signerinfos == NULL) || (signerinfos[0] == NULL)) {
-	PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
-	goto done;
-    }
-
-    /*
-     * XXX Need to handle multiple signatures; checking them is easy,
-     * but what should be the semantics here (like, return value)?
-     */
-    if (signerinfos[1] != NULL) {
-	PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
-	goto done;
-    }
-
-    signerinfo = signerinfos[0];
-
-    /*
-     * XXX I would like to just pass the issuerAndSN, along with the rawcerts
-     * and crls, to some function that did all of this certificate stuff
-     * (open/close the database if necessary, verifying the certs, etc.)
-     * and gave me back a cert pointer if all was good.
-     */
-    certdb = defaultdb;
-    if (certdb == NULL) {
-	goto done;
-    }
-
-    certcount = 0;
-    if (rawcerts != NULL) {
-	for (; rawcerts[certcount] != NULL; certcount++) {
-	    /* just counting */
-	}
-    }
-
-    /*
-     * Note that the result of this is that each cert in "certs"
-     * needs to be destroyed.
-     */
-    rv = CERT_ImportCerts(certdb, certusage, certcount, rawcerts, &certs,
-			  keepcerts, PR_FALSE, NULL);
-    if ( rv != SECSuccess ) {
-	goto done;
-    }
-
-    /*
-     * This cert will also need to be freed, but since we save it
-     * in signerinfo for later, we do not want to destroy it when
-     * we leave this function -- we let the clean-up of the entire
-     * cinfo structure later do the destroy of this cert.
-     */
-    cert = CERT_FindCertByIssuerAndSN(certdb, signerinfo->issuerAndSN);
-    if (cert == NULL) {
-	goto done;
-    }
-
-    signerinfo->cert = cert;
-
-    /*
-     * Get and convert the signing time; if available, it will be used
-     * both on the cert verification and for importing the sender
-     * email profile.
-     */
-    encoded_stime = SEC_PKCS7GetSigningTime (cinfo);
-    if (encoded_stime != NULL) {
-	if (DER_DecodeTimeChoice (&stime, encoded_stime) != SECSuccess)
-	    encoded_stime = NULL;	/* conversion failed, so pretend none */
-    }
-
-    /*
-     * XXX  This uses the signing time, if available.  Additionally, we
-     * might want to, if there is no signing time, get the message time
-     * from the mail header itself, and use that.  That would require
-     * a change to our interface though, and for S/MIME callers to pass
-     * in a time (and for non-S/MIME callers to pass in nothing, or
-     * maybe make them pass in the current time, always?).
-     */
-    if (CERT_VerifyCert (certdb, cert, PR_TRUE, certusage,
-			 encoded_stime != NULL ? stime : PR_Now(),
-			 cinfo->pwfn_arg, NULL) != SECSuccess)
-	{
-	/*
-	 * XXX Give the user an option to check the signature anyway?
-	 * If we want to do this, need to give a way to leave and display
-	 * some dialog and get the answer and come back through (or do
-	 * the rest of what we do below elsewhere, maybe by putting it
-	 * in a function that we call below and could call from a dialog
-	 * finish handler).
-	 */
-	goto savecert;
-    }
-
-    publickey = CERT_ExtractPublicKey (cert);
-    if (publickey == NULL)
-	goto done;
-
-    /*
-     * XXX No!  If digests is empty, see if we can create it now by
-     * digesting the contents.  This is necessary if we want to allow
-     * somebody to do a simple decode (without filtering, etc.) and
-     * then later call us here to do the verification.
-     * OR, we can just specify that the interface to this routine
-     * *requires* that the digest(s) be done before calling and either
-     * stashed in the struct itself or passed in explicitly (as would
-     * be done for detached contents).
-     */
-    if ((digests == NULL || digests[0] == NULL)
-	&& (detached_digest == NULL || detached_digest->data == NULL))
-	goto done;
-
-    /*
-     * Find and confirm digest algorithm.
-     */
-    algiddata = SECOID_FindOID (&(signerinfo->digestAlg.algorithm));
-
-    if (detached_digest != NULL) {
-	HASH_HashType found_type = HASH_GetHashTypeByOidTag(algiddata->offset);
-	unsigned int hashLen     = HASH_ResultLen(digest_type);
-
-	if (digest_type != found_type || 
-	    digest_type == HASH_AlgNULL || 
-	    detached_digest->len != hashLen) {
-	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
-	    goto done;
-	}
-	digest = detached_digest;
-    } else {
-	PORT_Assert (digestalgs != NULL && digestalgs[0] != NULL);
-	if (digestalgs == NULL || digestalgs[0] == NULL) {
-	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
-	    goto done;
-	}
-
-	/*
-	 * pick digest matching signerinfo->digestAlg from digests
-	 */
-	if (algiddata == NULL) {
-	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
-	    goto done;
-	}
-	for (i = 0; digestalgs[i] != NULL; i++) {
-	    if (SECOID_FindOID (&(digestalgs[i]->algorithm)) == algiddata)
-		break;
-	}
-	if (digestalgs[i] == NULL) {
-	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
-	    goto done;
-	}
-
-	digest = digests[i];
-    }
-
-    /*
-     * XXX This may not be the right set of algorithms to check.
-     * I'd prefer to trust that just calling VFY_Verify{Data,Digest}
-     * would do the right thing (and set an error if it could not);
-     * then additional algorithms could be handled by that code
-     * and we would Just Work.  So this check should just be removed,
-     * but not until the VFY code is better at setting errors.
-     */
-    algiddata = SECOID_FindOID (&(signerinfo->digestEncAlg.algorithm));
-    if (algiddata == NULL ||
-	((algiddata->offset != SEC_OID_PKCS1_RSA_ENCRYPTION) &&
-	 (algiddata->offset != SEC_OID_ANSIX962_EC_PUBLIC_KEY) &&
-	 (algiddata->offset != SEC_OID_ANSIX9_DSA_SIGNATURE))) {
-	PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
-	goto done;
-    }
-
-    if (signerinfo->authAttr != NULL) {
-	SEC_PKCS7Attribute *attr;
-	SECItem *value;
-	SECItem encoded_attrs;
-
-	/*
-	 * We have a sigkey only for signedAndEnvelopedData, which is
-	 * not supposed to have any authenticated attributes.
-	 */
-	if (sigkey != NULL) {
-	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
-	    goto done;
-	}
-
-	/*
-	 * PKCS #7 says that if there are any authenticated attributes,
-	 * then there must be one for content type which matches the
-	 * content type of the content being signed, and there must
-	 * be one for message digest which matches our message digest.
-	 * So check these things first.
-	 * XXX Might be nice to have a compare-attribute-value function
-	 * which could collapse the following nicely.
-	 */
-	attr = sec_PKCS7FindAttribute (signerinfo->authAttr,
-				       SEC_OID_PKCS9_CONTENT_TYPE, PR_TRUE);
-	value = sec_PKCS7AttributeValue (attr);
-	if (value == NULL || value->len != content_type->len) {
-	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
-	    goto done;
-	}
-	if (PORT_Memcmp (value->data, content_type->data, value->len) != 0) {
-	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
-	    goto done;
-	}
-
-	attr = sec_PKCS7FindAttribute (signerinfo->authAttr,
-				       SEC_OID_PKCS9_MESSAGE_DIGEST, PR_TRUE);
-	value = sec_PKCS7AttributeValue (attr);
-	if (value == NULL || value->len != digest->len) {
-	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
-	    goto done;
-	}
-	if (PORT_Memcmp (value->data, digest->data, value->len) != 0) {
-	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
-	    goto done;
-	}
-
-	/*
-	 * Okay, we met the constraints of the basic attributes.
-	 * Now check the signature, which is based on a digest of
-	 * the DER-encoded authenticated attributes.  So, first we
-	 * encode and then we digest/verify.
-	 */
-	encoded_attrs.data = NULL;
-	encoded_attrs.len = 0;
-	if (sec_PKCS7EncodeAttributes (NULL, &encoded_attrs,
-				       &(signerinfo->authAttr)) == NULL)
-	    goto done;
-
-	if (encoded_attrs.data == NULL || encoded_attrs.len == 0) {
-	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
-	    goto done;
-	}
-
-	/*
-	 * XXX the 5th (algid) argument should be the signature algorithm.
-	 * See sec_pkcs7_pick_sign_alg in p7encode.c.
-	 */
-	goodsig = (PRBool)(VFY_VerifyData (encoded_attrs.data, 
-				   encoded_attrs.len,
-				   publickey, &(signerinfo->encDigest),
-				   SECOID_GetAlgorithmTag(&(signerinfo->digestEncAlg)),
-				   cinfo->pwfn_arg) == SECSuccess);
-	PORT_Free (encoded_attrs.data);
-    } else {
-	SECItem *sig;
-	SECItem holder;
-	SECStatus rv;
-
-	/*
-	 * No authenticated attributes.
-	 * The signature is based on the plain message digest.
-	 */
-
-	sig = &(signerinfo->encDigest);
-	if (sig->len == 0) {		/* bad signature */
-	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
-	    goto done;
-	}
-
-	if (sigkey != NULL) {
-	    sec_PKCS7CipherObject *decryptobj;
-	    unsigned int buflen;
-
-	    /*
-	     * For signedAndEnvelopedData, we first must decrypt the encrypted
-	     * digest with the bulk encryption key.  The result is the normal
-	     * encrypted digest (aka the signature).
-	     */
-	    decryptobj = sec_PKCS7CreateDecryptObject (sigkey, bulkid);
-	    if (decryptobj == NULL)
-		goto done;
-
-	    buflen = sec_PKCS7DecryptLength (decryptobj, sig->len, PR_TRUE);
-	    PORT_Assert (buflen);
-	    if (buflen == 0) {		/* something is wrong */
-		sec_PKCS7DestroyDecryptObject (decryptobj);
-		goto done;
-	    }
-
-	    holder.data = (unsigned char*)PORT_Alloc (buflen);
-	    if (holder.data == NULL) {
-		sec_PKCS7DestroyDecryptObject (decryptobj);
-		goto done;
-	    }
-
-	    rv = sec_PKCS7Decrypt (decryptobj, holder.data, &holder.len, buflen,
-				   sig->data, sig->len, PR_TRUE);
-	    sec_PKCS7DestroyDecryptObject (decryptobj);
-	    if (rv != SECSuccess) {
-		goto done;
-	    }
-
-	    sig = &holder;
-	}
-
-	/*
-	 * XXX the 4th (algid) argument should be the signature algorithm.
-	 * See sec_pkcs7_pick_sign_alg in p7encode.c.
-	 */
-	goodsig = (PRBool)(VFY_VerifyDigest (digest, publickey, sig,
-				     SECOID_GetAlgorithmTag(&(signerinfo->digestEncAlg)),
-				     cinfo->pwfn_arg)
-		   == SECSuccess);
-
-	if (sigkey != NULL) {
-	    PORT_Assert (sig == &holder);
-	    PORT_ZFree (holder.data, holder.len);
-	}
-    }
-
-    if (! goodsig) {
-	/*
-	 * XXX Change the generic error into our specific one, because
-	 * in that case we get a better explanation out of the Security
-	 * Advisor.  This is really a bug in our error strings (the
-	 * "generic" error has a lousy/wrong message associated with it
-	 * which assumes the signature verification was done for the
-	 * purposes of checking the issuer signature on a certificate)
-	 * but this is at least an easy workaround and/or in the
-	 * Security Advisor, which specifically checks for the error
-	 * SEC_ERROR_PKCS7_BAD_SIGNATURE and gives more explanation
-	 * in that case but does not similarly check for
-	 * SEC_ERROR_BAD_SIGNATURE.  It probably should, but then would
-	 * probably say the wrong thing in the case that it *was* the
-	 * certificate signature check that failed during the cert
-	 * verification done above.  Our error handling is really a mess.
-	 */
-	if (PORT_GetError() == SEC_ERROR_BAD_SIGNATURE)
-	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
-    }
-
-savecert:
-    /*
-     * Only save the smime profile if we are checking an email message and
-     * the cert has an email address in it.
-     */
-    if ( cert->emailAddr && cert->emailAddr[0] &&
-	( ( certusage == certUsageEmailSigner ) ||
-	 ( certusage == certUsageEmailRecipient ) ) ) {
-	SECItem *profile = NULL;
-	int save_error;
-
-	/*
-	 * Remember the current error set because we do not care about
-	 * anything set by the functions we are about to call.
-	 */
-	save_error = PORT_GetError();
-
-	if (goodsig && (signerinfo->authAttr != NULL)) {
-	    /*
-	     * If the signature is good, then we can save the S/MIME profile,
-	     * if we have one.
-	     */
-	    SEC_PKCS7Attribute *attr;
-
-	    attr = sec_PKCS7FindAttribute (signerinfo->authAttr,
-					   SEC_OID_PKCS9_SMIME_CAPABILITIES,
-					   PR_TRUE);
-	    profile = sec_PKCS7AttributeValue (attr);
-	}
-
-	rv = CERT_SaveSMimeProfile (cert, profile, encoded_stime);
-
-	/*
-	 * Restore the saved error in case the calls above set a new
-	 * one that we do not actually care about.
-	 */
-	PORT_SetError (save_error);
-
-	/*
-	 * XXX Failure is not indicated anywhere -- the signature
-	 * verification itself is unaffected by whether or not the
-	 * profile was successfully saved.
-	 */
-    }
-	
-
-done:
-
-    /*
-     * See comment above about why we do not want to destroy cert
-     * itself here.
-     */
-
-    if (certs != NULL)
-	CERT_DestroyCertArray (certs, certcount);
-
-    if (publickey != NULL)
-	SECKEY_DestroyPublicKey (publickey);
-
-    return goodsig;
-}
-
-/*
- * SEC_PKCS7VerifySignature
- *	Look at a PKCS7 contentInfo and check if the signature is good.
- *	The verification checks that the signing cert is valid and trusted
- *	for the purpose specified by "certusage".
- *
- *	In addition, if "keepcerts" is true, add any new certificates found
- *	into our local database.
- */
-PRBool
-SEC_PKCS7VerifySignature(SEC_PKCS7ContentInfo *cinfo,
-			 SECCertUsage certusage,
-			 PRBool keepcerts)
-{
-    return sec_pkcs7_verify_signature (cinfo, certusage,
-				       NULL, HASH_AlgNULL, keepcerts);
-}
-
-/*
- * SEC_PKCS7VerifyDetachedSignature
- *	Look at a PKCS7 contentInfo and check if the signature matches
- *	a passed-in digest (calculated, supposedly, from detached contents).
- *	The verification checks that the signing cert is valid and trusted
- *	for the purpose specified by "certusage".
- *
- *	In addition, if "keepcerts" is true, add any new certificates found
- *	into our local database.
- */
-PRBool
-SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo *cinfo,
-				 SECCertUsage certusage,
-				 SECItem *detached_digest,
-				 HASH_HashType digest_type,
-				 PRBool keepcerts)
-{
-    return sec_pkcs7_verify_signature (cinfo, certusage,
-				       detached_digest, digest_type,
-				       keepcerts);
-}
-
-
-/*
- * Return the asked-for portion of the name of the signer of a PKCS7
- * signed object.
- *
- * Returns a pointer to allocated memory, which must be freed.
- * A NULL return value is an error.
- */
-
-#define sec_common_name 1
-#define sec_email_address 2
-
-static char *
-sec_pkcs7_get_signer_cert_info(SEC_PKCS7ContentInfo *cinfo, int selector)
-{
-    SECOidTag kind;
-    SEC_PKCS7SignerInfo **signerinfos;
-    CERTCertificate *signercert;
-    char *container;
-
-    kind = SEC_PKCS7ContentType (cinfo);
-    switch (kind) {
-      default:
-      case SEC_OID_PKCS7_DATA:
-      case SEC_OID_PKCS7_DIGESTED_DATA:
-      case SEC_OID_PKCS7_ENVELOPED_DATA:
-      case SEC_OID_PKCS7_ENCRYPTED_DATA:
-	PORT_Assert (0);
-	return NULL;
-      case SEC_OID_PKCS7_SIGNED_DATA:
-	{
-	    SEC_PKCS7SignedData *sdp;
-
-	    sdp = cinfo->content.signedData;
-	    signerinfos = sdp->signerInfos;
-	}
-	break;
-      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
-	{
-	    SEC_PKCS7SignedAndEnvelopedData *saedp;
-
-	    saedp = cinfo->content.signedAndEnvelopedData;
-	    signerinfos = saedp->signerInfos;
-	}
-	break;
-    }
-
-    if (signerinfos == NULL || signerinfos[0] == NULL)
-	return NULL;
-
-    signercert = signerinfos[0]->cert;
-
-    /*
-     * No cert there; see if we can find one by calling verify ourselves.
-     */
-    if (signercert == NULL) {
-	/*
-	 * The cert usage does not matter in this case, because we do not
-	 * actually care about the verification itself, but we have to pick
-	 * some valid usage to pass in.
-	 */
-	(void) sec_pkcs7_verify_signature (cinfo, certUsageEmailSigner,
-					   NULL, HASH_AlgNULL, PR_FALSE);
-	signercert = signerinfos[0]->cert;
-	if (signercert == NULL)
-	    return NULL;
-    }
-
-    switch (selector) {
-      case sec_common_name:
-	container = CERT_GetCommonName (&signercert->subject);
-	break;
-      case sec_email_address:
-	if(signercert->emailAddr && signercert->emailAddr[0]) {
-	    container = PORT_Strdup(signercert->emailAddr);
-	} else {
-	    container = NULL;
-	}
-	break;
-      default:
-	PORT_Assert (0);
-	container = NULL;
-	break;
-    }
-
-    return container;
-}
-
-char *
-SEC_PKCS7GetSignerCommonName(SEC_PKCS7ContentInfo *cinfo)
-{
-    return sec_pkcs7_get_signer_cert_info(cinfo, sec_common_name);
-}
-
-char *
-SEC_PKCS7GetSignerEmailAddress(SEC_PKCS7ContentInfo *cinfo)
-{
-    return sec_pkcs7_get_signer_cert_info(cinfo, sec_email_address);
-}
-
-
-/*
- * Return the signing time, in UTCTime format, of a PKCS7 contentInfo.
- */
-SECItem *
-SEC_PKCS7GetSigningTime(SEC_PKCS7ContentInfo *cinfo)
-{
-    SEC_PKCS7SignerInfo **signerinfos;
-    SEC_PKCS7Attribute *attr;
-
-    if (SEC_PKCS7ContentType (cinfo) != SEC_OID_PKCS7_SIGNED_DATA)
-	return NULL;
-
-    signerinfos = cinfo->content.signedData->signerInfos;
-
-    /*
-     * No signature, or more than one, means no deal.
-     */
-    if (signerinfos == NULL || signerinfos[0] == NULL || signerinfos[1] != NULL)
-	return NULL;
-
-    attr = sec_PKCS7FindAttribute (signerinfos[0]->authAttr,
-				   SEC_OID_PKCS9_SIGNING_TIME, PR_TRUE);
-    return sec_PKCS7AttributeValue (attr);
-}
diff --git a/security/nss/lib/pkcs7/p7encode.c b/security/nss/lib/pkcs7/p7encode.c
deleted file mode 100644
index 2ef105598..000000000
--- a/security/nss/lib/pkcs7/p7encode.c
+++ /dev/null
@@ -1,1342 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * PKCS7 encoding.
- *
- * $Id$
- */
-
-#include "nssrenam.h"
-
-#include "p7local.h"
-
-#include "cert.h"
-#include "cryptohi.h"
-#include "keyhi.h"
-#include "secasn1.h"
-#include "secoid.h"
-#include "secitem.h"
-#include "pk11func.h"
-#include "secerr.h"
-#include "sechash.h"	/* for HASH_GetHashObject() */
-
-struct sec_pkcs7_encoder_output {
-    SEC_PKCS7EncoderOutputCallback outputfn;
-    void *outputarg;
-};
-
-struct SEC_PKCS7EncoderContextStr {
-    SEC_ASN1EncoderContext *ecx;
-    SEC_PKCS7ContentInfo *cinfo;
-    struct sec_pkcs7_encoder_output output;
-    sec_PKCS7CipherObject *encryptobj;
-    const SECHashObject *digestobj;
-    void *digestcx;
-};
-
-
-/*
- * The little output function that the ASN.1 encoder calls to hand
- * us bytes which we in turn hand back to our caller (via the callback
- * they gave us).
- */
-static void
-sec_pkcs7_encoder_out(void *arg, const char *buf, unsigned long len,
-		      int depth, SEC_ASN1EncodingPart data_kind)
-{
-    struct sec_pkcs7_encoder_output *output;
-
-    output = (struct sec_pkcs7_encoder_output*)arg;
-    output->outputfn (output->outputarg, buf, len);
-}
-
-static sec_PKCS7CipherObject *
-sec_pkcs7_encoder_start_encrypt (SEC_PKCS7ContentInfo *cinfo,
-						 PK11SymKey *orig_bulkkey)
-{
-    SECOidTag kind;
-    sec_PKCS7CipherObject *encryptobj;
-    SEC_PKCS7RecipientInfo **recipientinfos, *ri;
-    SEC_PKCS7EncryptedContentInfo *enccinfo;
-    SEC_PKCS7SMIMEKEAParameters   keaParams;
-    SECKEYPublicKey *publickey = NULL;
-    SECKEYPrivateKey *ourPrivKey = NULL;
-    PK11SymKey  *bulkkey;
-    void *mark, *wincx;
-    int i;
-    PRArenaPool *arena = NULL;
-
-    /* Get the context in case we need it below. */
-    wincx = cinfo->pwfn_arg;
-
-    /* Clear keaParams, since cleanup code checks the lengths */
-    (void) memset(&keaParams, 0, sizeof(keaParams));
-
-    kind = SEC_PKCS7ContentType (cinfo);
-    switch (kind) {
-      default:
-      case SEC_OID_PKCS7_DATA:
-      case SEC_OID_PKCS7_DIGESTED_DATA:
-      case SEC_OID_PKCS7_SIGNED_DATA:
-	recipientinfos = NULL;
-	enccinfo = NULL;
-	break;
-      case SEC_OID_PKCS7_ENCRYPTED_DATA:
-	{
-	    SEC_PKCS7EncryptedData *encdp;
-
-	    /* To do EncryptedData we *must* be given a bulk key. */
-	    PORT_Assert (orig_bulkkey != NULL);
-	    if (orig_bulkkey == NULL) {
-		/* XXX error? */
-		return NULL;
-	    }
-
-	    encdp = cinfo->content.encryptedData;
-	    recipientinfos = NULL;
-	    enccinfo = &(encdp->encContentInfo);
-	}
-	break;
-      case SEC_OID_PKCS7_ENVELOPED_DATA:
-	{
-	    SEC_PKCS7EnvelopedData *envdp;
-
-	    envdp = cinfo->content.envelopedData;
-	    recipientinfos = envdp->recipientInfos;
-	    enccinfo = &(envdp->encContentInfo);
-	}
-	break;
-      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
-	{
-	    SEC_PKCS7SignedAndEnvelopedData *saedp;
-
-	    saedp = cinfo->content.signedAndEnvelopedData;
-	    recipientinfos = saedp->recipientInfos;
-	    enccinfo = &(saedp->encContentInfo);
-	}
-	break;
-    }
-
-    if (enccinfo == NULL)
-	return NULL;
-
-    bulkkey = orig_bulkkey;
-    if (bulkkey == NULL) {
-	CK_MECHANISM_TYPE type = PK11_AlgtagToMechanism(enccinfo->encalg);
-	PK11SlotInfo *slot;
-
-
-	slot = PK11_GetBestSlot(type,cinfo->pwfn_arg);
-	if (slot == NULL) {
-	    return NULL;
-	}
-	bulkkey = PK11_KeyGen(slot,type,NULL, enccinfo->keysize/8,
-			      cinfo->pwfn_arg);
-	PK11_FreeSlot(slot);
-	if (bulkkey == NULL) {
-	    return NULL;
-	}
-    }
-
-    encryptobj = NULL;
-    mark = PORT_ArenaMark (cinfo->poolp);
-
-    /*
-     * Encrypt the bulk key with the public key of each recipient.
-     */
-    for (i = 0; recipientinfos && (ri = recipientinfos[i]) != NULL; i++) {
-	CERTCertificate *cert;
-	SECOidTag certalgtag, encalgtag;
-	SECStatus rv;
-	int data_len;
-	SECItem *params = NULL;
-
-	cert = ri->cert;
-	PORT_Assert (cert != NULL);
-	if (cert == NULL)
-	    continue;
-
-	/*
-	 * XXX Want an interface that takes a cert and some data and
-	 * fills in an algorithmID and encrypts the data with the public
-	 * key from the cert.  Or, give me two interfaces -- one which
-	 * gets the algorithm tag from a cert (I should not have to go
-	 * down into the subjectPublicKeyInfo myself) and another which
-	 * takes a public key and algorithm tag and data and encrypts
-	 * the data.  Or something like that.  The point is that all
-	 * of the following hardwired RSA and KEA stuff should be done
-	 * elsewhere.
-	 */
-
-	certalgtag=SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
-
-	switch (certalgtag) {
-	case SEC_OID_PKCS1_RSA_ENCRYPTION:
-	    encalgtag = certalgtag;
-	    publickey = CERT_ExtractPublicKey (cert);
-	    if (publickey == NULL) goto loser;
-		
-	    data_len = SECKEY_PublicKeyStrength(publickey);
-	    ri->encKey.data = 
-	        (unsigned char*)PORT_ArenaAlloc(cinfo->poolp ,data_len);
-	    ri->encKey.len = data_len;
-	    if (ri->encKey.data == NULL) goto loser;
-
-	    rv = PK11_PubWrapSymKey(PK11_AlgtagToMechanism(certalgtag),publickey,
-				bulkkey,&ri->encKey);
-
-	    SECKEY_DestroyPublicKey(publickey);
-	    publickey = NULL;
-	    if (rv != SECSuccess) goto loser;
-	    params = NULL; /* paranoia */
-	    break;
-	/* ### mwelch -- KEA */ 
-      case SEC_OID_MISSI_KEA_DSS_OLD:
-      case SEC_OID_MISSI_KEA_DSS:
-      case SEC_OID_MISSI_KEA:
-	    {
-#define SMIME_FORTEZZA_RA_LENGTH 128
-#define SMIME_FORTEZZA_IV_LENGTH 24
-#define SMIME_FORTEZZA_MAX_KEY_SIZE 256
-		SECStatus err;
-		PK11SymKey *tek;
-		CERTCertificate *ourCert;
-		SECKEYPublicKey *ourPubKey;
-		SECKEATemplateSelector whichKEA = SECKEAInvalid;
-
-		/* We really want to show our KEA tag as the
-		   key exchange algorithm tag. */
-		encalgtag = SEC_OID_NETSCAPE_SMIME_KEA;
-
-		/* Get the public key of the recipient. */
-		publickey = CERT_ExtractPublicKey(cert);
-		if (publickey == NULL) goto loser;
-
-		/* Find our own cert, and extract its keys. */
-		ourCert = PK11_FindBestKEAMatch(cert,wincx);
-		if (ourCert == NULL) goto loser;
-
-		arena = PORT_NewArena(1024);
-		if (arena == NULL) goto loser;
-
-		ourPubKey = CERT_ExtractPublicKey(ourCert);
-		if (ourPubKey == NULL)
-		{
-		    CERT_DestroyCertificate(ourCert);
-		    goto loser;
-		}
-
-		/* While we're here, copy the public key into the outgoing
-		 * KEA parameters. */
-		SECITEM_CopyItem(arena, &(keaParams.originatorKEAKey),
-				 &(ourPubKey->u.fortezza.KEAKey));
-		SECKEY_DestroyPublicKey(ourPubKey);
-		ourPubKey = NULL;
-
-		/* Extract our private key in order to derive the 
-		 * KEA key. */
-		ourPrivKey = PK11_FindKeyByAnyCert(ourCert,wincx);
-		CERT_DestroyCertificate(ourCert); /* we're done with this */
-		if (!ourPrivKey) goto loser;
-
-		/* Prepare raItem with 128 bytes (filled with zeros). */
-		keaParams.originatorRA.data = 
-		  (unsigned char*)PORT_ArenaAlloc(arena,SMIME_FORTEZZA_RA_LENGTH);
-		keaParams.originatorRA.len = SMIME_FORTEZZA_RA_LENGTH;
-
-
-		/* Generate the TEK (token exchange key) which we use
-		 * to wrap the bulk encryption key. (raItem) will be
-		 * filled with a random seed which we need to send to
-		 * the recipient. */
-		tek = PK11_PubDerive(ourPrivKey, publickey, PR_TRUE,
-				     &keaParams.originatorRA, NULL,
-				     CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP,
-				     CKA_WRAP, 0, wincx);
-
-		    SECKEY_DestroyPublicKey(publickey);
-		    SECKEY_DestroyPrivateKey(ourPrivKey);
-		    publickey = NULL;
-		    ourPrivKey = NULL;
-		
-		if (!tek)
-		    goto loser;
-
-		ri->encKey.data = (unsigned char*)PORT_ArenaAlloc(cinfo->poolp,
-						  SMIME_FORTEZZA_MAX_KEY_SIZE);
-		ri->encKey.len = SMIME_FORTEZZA_MAX_KEY_SIZE;
-
-		if (ri->encKey.data == NULL)
-		{
-		    PK11_FreeSymKey(tek);
-		    goto loser;
-		}
-
-		/* Wrap the bulk key. What we do with the resulting data
-		   depends on whether we're using Skipjack to wrap the key. */
-		switch(PK11_AlgtagToMechanism(enccinfo->encalg))
-		{
-		case CKM_SKIPJACK_CBC64:
-		case CKM_SKIPJACK_ECB64:
-		case CKM_SKIPJACK_OFB64:
-		case CKM_SKIPJACK_CFB64:
-		case CKM_SKIPJACK_CFB32:
-		case CKM_SKIPJACK_CFB16:
-		case CKM_SKIPJACK_CFB8:
-		    /* do SKIPJACK, we use the wrap mechanism */
-		    err = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, 
-				      tek, bulkkey, &ri->encKey);
-		    whichKEA = SECKEAUsesSkipjack;
-		    break;
-		default:
-		    /* Not SKIPJACK, we encrypt the raw key data */
-		    keaParams.nonSkipjackIV .data = 
-		      (unsigned char*)PORT_ArenaAlloc(arena,
-						     SMIME_FORTEZZA_IV_LENGTH);
-		    keaParams.nonSkipjackIV.len = SMIME_FORTEZZA_IV_LENGTH;
-		    err = PK11_WrapSymKey(CKM_SKIPJACK_CBC64,
-					  &keaParams.nonSkipjackIV, 
-				          tek, bulkkey, &ri->encKey);
-		    if (err != SECSuccess)
-			goto loser;
-
-		    if (ri->encKey.len != PK11_GetKeyLength(bulkkey))
-		    {
-			/* The size of the encrypted key is not the same as
-			   that of the original bulk key, presumably due to
-			   padding. Encode and store the real size of the
-			   bulk key. */
-			if (SEC_ASN1EncodeInteger(arena, 
-						  &keaParams.bulkKeySize,
-						  PK11_GetKeyLength(bulkkey))
-			    == NULL)
-			    err = (SECStatus)PORT_GetError();
-			else
-			    /* use full template for encoding */
-			    whichKEA = SECKEAUsesNonSkipjackWithPaddedEncKey;
-		    }
-		    else
-			/* enc key length == bulk key length */
-			whichKEA = SECKEAUsesNonSkipjack; 
-		    break;
-		}
-
-		PK11_FreeSymKey(tek);
-		if (err != SECSuccess)
-		    goto loser;
-
-		PORT_Assert( whichKEA != SECKEAInvalid);
-
-		/* Encode the KEA parameters into the recipient info. */
-		params = SEC_ASN1EncodeItem(arena,NULL, &keaParams, 
-				      sec_pkcs7_get_kea_template(whichKEA));
-		if (params == NULL) goto loser;
-		break;
-	    }
-	default:
-	    PORT_SetError (SEC_ERROR_INVALID_ALGORITHM);
-	    goto loser;
-	}
-
-	rv = SECOID_SetAlgorithmID(cinfo->poolp, &ri->keyEncAlg, encalgtag, 
-			params);
-	if (rv != SECSuccess)
-	    goto loser;
-	if (arena) PORT_FreeArena(arena,PR_FALSE);
-	arena = NULL;
-    }
-
-    encryptobj = sec_PKCS7CreateEncryptObject (cinfo->poolp, bulkkey,
-					       enccinfo->encalg,
-					       &(enccinfo->contentEncAlg));
-    if (encryptobj != NULL) {
-	PORT_ArenaUnmark (cinfo->poolp, mark);
-	mark = NULL;		/* good one; do not want to release */
-    }
-    /* fallthru */
-
-loser:
-    if (arena) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    if (publickey) {
-        SECKEY_DestroyPublicKey(publickey);
-    }
-    if (ourPrivKey) {
-        SECKEY_DestroyPrivateKey(ourPrivKey);
-    }
-    if (mark != NULL) {
-	PORT_ArenaRelease (cinfo->poolp, mark);
-    }
-    if (orig_bulkkey == NULL) {
-	if (bulkkey) PK11_FreeSymKey(bulkkey);
-    }
-
-    return encryptobj;
-}
-
-
-static void
-sec_pkcs7_encoder_notify (void *arg, PRBool before, void *dest, int depth)
-{
-    SEC_PKCS7EncoderContext *p7ecx;
-    SEC_PKCS7ContentInfo *cinfo;
-    SECOidTag kind;
-    PRBool before_content;
-
-    /*
-     * We want to notice just before the content field.  After fields are
-     * not interesting to us.
-     */
-    if (!before)
-	return;
-
-    p7ecx = (SEC_PKCS7EncoderContext*)arg;
-    cinfo = p7ecx->cinfo;
-
-    before_content = PR_FALSE;
-
-    /*
-     * Watch for the content field, at which point we want to instruct
-     * the ASN.1 encoder to start taking bytes from the buffer.
-     *
-     * XXX The following assumes the inner content type is data;
-     * if/when we want to handle fully nested types, this will have
-     * to recurse until reaching the innermost data content.
-     */
-    kind = SEC_PKCS7ContentType (cinfo);
-    switch (kind) {
-      default:
-      case SEC_OID_PKCS7_DATA:
-	if (dest == &(cinfo->content.data))
-	    before_content = PR_TRUE;
-	break;
-
-      case SEC_OID_PKCS7_DIGESTED_DATA:
-	{
-	    SEC_PKCS7DigestedData *digd;
-
-	    digd = cinfo->content.digestedData;
-	    if (digd == NULL)
-		break;
-
-	    if (dest == &(digd->contentInfo.content))
-		before_content = PR_TRUE;
-	}
-	break;
-
-      case SEC_OID_PKCS7_ENCRYPTED_DATA:
-	{
-	    SEC_PKCS7EncryptedData *encd;
-
-	    encd = cinfo->content.encryptedData;
-	    if (encd == NULL)
-		break;
-
-	    if (dest == &(encd->encContentInfo.encContent))
-		before_content = PR_TRUE;
-	}
-	break;
-
-      case SEC_OID_PKCS7_ENVELOPED_DATA:
-	{
-	    SEC_PKCS7EnvelopedData *envd;
-
-	    envd = cinfo->content.envelopedData;
-	    if (envd == NULL)
-		break;
-
-	    if (dest == &(envd->encContentInfo.encContent))
-		before_content = PR_TRUE;
-	}
-	break;
-
-      case SEC_OID_PKCS7_SIGNED_DATA:
-	{
-	    SEC_PKCS7SignedData *sigd;
-
-	    sigd = cinfo->content.signedData;
-	    if (sigd == NULL)
-		break;
-
-	    if (dest == &(sigd->contentInfo.content))
-		before_content = PR_TRUE;
-	}
-	break;
-
-      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
-	{
-	    SEC_PKCS7SignedAndEnvelopedData *saed;
-
-	    saed = cinfo->content.signedAndEnvelopedData;
-	    if (saed == NULL)
-		break;
-
-	    if (dest == &(saed->encContentInfo.encContent))
-		before_content = PR_TRUE;
-	}
-	break;
-    }
-
-    if (before_content) {
-	/*
-	 * This will cause the next SEC_ASN1EncoderUpdate to take the
-	 * contents bytes from the passed-in buffer.
-	 */
-	SEC_ASN1EncoderSetTakeFromBuf (p7ecx->ecx);
-	/*
-	 * And that is all we needed this notify function for.
-	 */
-	SEC_ASN1EncoderClearNotifyProc (p7ecx->ecx);
-    }
-}
-
-
-static SEC_PKCS7EncoderContext *
-sec_pkcs7_encoder_start_contexts (SEC_PKCS7ContentInfo *cinfo,
-				  PK11SymKey *bulkkey)
-{
-    SEC_PKCS7EncoderContext *p7ecx;
-    SECOidTag kind;
-    PRBool encrypt;
-    SECItem **digests;
-    SECAlgorithmID *digestalg, **digestalgs;
-
-    p7ecx = 
-      (SEC_PKCS7EncoderContext*)PORT_ZAlloc (sizeof(SEC_PKCS7EncoderContext));
-    if (p7ecx == NULL)
-	return NULL;
-
-    digests = NULL;
-    digestalg = NULL;
-    digestalgs = NULL;
-    encrypt = PR_FALSE;
-
-    kind = SEC_PKCS7ContentType (cinfo);
-    switch (kind) {
-      default:
-      case SEC_OID_PKCS7_DATA:
-	break;
-      case SEC_OID_PKCS7_DIGESTED_DATA:
-	digestalg = &(cinfo->content.digestedData->digestAlg);
-	break;
-      case SEC_OID_PKCS7_SIGNED_DATA:
-	digests = cinfo->content.signedData->digests;
-	digestalgs = cinfo->content.signedData->digestAlgorithms;
-	break;
-      case SEC_OID_PKCS7_ENCRYPTED_DATA:
-      case SEC_OID_PKCS7_ENVELOPED_DATA:
-	encrypt = PR_TRUE;
-	break;
-      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
-	digests = cinfo->content.signedAndEnvelopedData->digests;
-	digestalgs = cinfo->content.signedAndEnvelopedData->digestAlgorithms;
-	encrypt = PR_TRUE;
-	break;
-    }
-
-    if (encrypt) {
-	p7ecx->encryptobj = sec_pkcs7_encoder_start_encrypt (cinfo, bulkkey);
-	if (p7ecx->encryptobj == NULL) {
-	    PORT_Free (p7ecx);
-	    return NULL;
-	}
-    }
-
-    if (digestalgs != NULL) {
-	if (digests != NULL) {
-	    /* digests already created (probably for detached data) */
-	    digestalg = NULL;
-	} else {
-	    /*
-	     * XXX Some day we should handle multiple digests; for now,
-	     * assume only one will be done.
-	     */
-	    PORT_Assert (digestalgs[0] != NULL && digestalgs[1] == NULL);
-	    digestalg = digestalgs[0];
-	}
-    }
-
-    if (digestalg != NULL) {
-	SECOidTag  oidTag = SECOID_FindOIDTag(&(digestalg->algorithm));
-
-	p7ecx->digestobj = HASH_GetHashObjectByOidTag(oidTag);
-	if (p7ecx->digestobj != NULL) {
-	    p7ecx->digestcx = (* p7ecx->digestobj->create) ();
-	    if (p7ecx->digestcx == NULL)
-		p7ecx->digestobj = NULL;
-	    else
-		(* p7ecx->digestobj->begin) (p7ecx->digestcx);
-	}
-	if (p7ecx->digestobj == NULL) {
-	    if (p7ecx->encryptobj != NULL)
-		sec_PKCS7DestroyEncryptObject (p7ecx->encryptobj);
-	    PORT_Free (p7ecx);
-	    return NULL;
-	}
-    }
-
-    p7ecx->cinfo = cinfo;
-    return p7ecx;
-}
-
-
-SEC_PKCS7EncoderContext *
-SEC_PKCS7EncoderStart (SEC_PKCS7ContentInfo *cinfo,
-		       SEC_PKCS7EncoderOutputCallback outputfn,
-		       void *outputarg,
-		       PK11SymKey *bulkkey)
-{
-    SEC_PKCS7EncoderContext *p7ecx;
-    SECStatus rv;
-
-    p7ecx = sec_pkcs7_encoder_start_contexts (cinfo, bulkkey);
-    if (p7ecx == NULL)
-	return NULL;
-
-    p7ecx->output.outputfn = outputfn;
-    p7ecx->output.outputarg = outputarg;
-
-    /*
-     * Initialize the BER encoder.
-     */
-    p7ecx->ecx = SEC_ASN1EncoderStart (cinfo, sec_PKCS7ContentInfoTemplate,
-				       sec_pkcs7_encoder_out, &(p7ecx->output));
-    if (p7ecx->ecx == NULL) {
-	PORT_Free (p7ecx);
-	return NULL;
-    }
-
-    /*
-     * Indicate that we are streaming.  We will be streaming until we
-     * get past the contents bytes.
-     */
-    SEC_ASN1EncoderSetStreaming (p7ecx->ecx);
-
-    /*
-     * The notify function will watch for the contents field.
-     */
-    SEC_ASN1EncoderSetNotifyProc (p7ecx->ecx, sec_pkcs7_encoder_notify, p7ecx);
-
-    /*
-     * This will encode everything up to the content bytes.  (The notify
-     * function will then cause the encoding to stop there.)  Then our
-     * caller can start passing contents bytes to our Update, which we
-     * will pass along.
-     */
-    rv = SEC_ASN1EncoderUpdate (p7ecx->ecx, NULL, 0);
-    if (rv != SECSuccess) {
-	PORT_Free (p7ecx);
-	return NULL;
-    }
-
-    return p7ecx;
-}
-
-
-/*
- * XXX If/when we support nested contents, this needs to be revised.
- */
-static SECStatus
-sec_pkcs7_encoder_work_data (SEC_PKCS7EncoderContext *p7ecx, SECItem *dest,
-			     const unsigned char *data, unsigned long len,
-			     PRBool final)
-{
-    unsigned char *buf = NULL;
-    SECStatus rv;
-
-
-    rv = SECSuccess;		/* may as well be optimistic */
-
-    /*
-     * We should really have data to process, or we should be trying
-     * to finish/flush the last block.  (This is an overly paranoid
-     * check since all callers are in this file and simple inspection
-     * proves they do it right.  But it could find a bug in future
-     * modifications/development, that is why it is here.)
-     */
-    PORT_Assert ((data != NULL && len) || final);
-
-    /*
-     * Update the running digest.
-     * XXX This needs modification if/when we handle multiple digests.
-     */
-    if (len && p7ecx->digestobj != NULL) {
-	(* p7ecx->digestobj->update) (p7ecx->digestcx, data, len);
-    }
-
-    /*
-     * Encrypt this chunk.
-     */
-    if (p7ecx->encryptobj != NULL) {
-	/* XXX the following lengths should all be longs? */
-	unsigned int inlen;	/* length of data being encrypted */
-	unsigned int outlen;	/* length of encrypted data */
-	unsigned int buflen;	/* length available for encrypted data */
-
-	inlen = len;
-	buflen = sec_PKCS7EncryptLength (p7ecx->encryptobj, inlen, final);
-	if (buflen == 0) {
-	    /*
-	     * No output is expected, but the input data may be buffered
-	     * so we still have to call Encrypt.
-	     */
-	    rv = sec_PKCS7Encrypt (p7ecx->encryptobj, NULL, NULL, 0,
-				   data, inlen, final);
-	    if (final) {
-		len = 0;
-		goto done;
-	    }
-	    return rv;
-	}
-
-	if (dest != NULL)
-	    buf = (unsigned char*)PORT_ArenaAlloc(p7ecx->cinfo->poolp, buflen);
-	else
-	    buf = (unsigned char*)PORT_Alloc (buflen);
-
-	if (buf == NULL) {
-	    rv = SECFailure;
-	} else {
-	    rv = sec_PKCS7Encrypt (p7ecx->encryptobj, buf, &outlen, buflen,
-				   data, inlen, final);
-	    data = buf;
-	    len = outlen;
-	}
-	if (rv != SECSuccess) {
-	    if (final)
-		goto done;
-	    return rv;
-	}
-    }
-
-    if (p7ecx->ecx != NULL) {
-	/*
-	 * Encode the contents bytes.
-	 */
-	if(len) {
-	    rv = SEC_ASN1EncoderUpdate (p7ecx->ecx, (const char *)data, len);
-	}
-    }
-
-done:
-    if (p7ecx->encryptobj != NULL) {
-	if (final)
-	    sec_PKCS7DestroyEncryptObject (p7ecx->encryptobj);
-	if (dest != NULL) {
-	    dest->data = buf;
-	    dest->len = len;
-	} else if (buf != NULL) {
-	    PORT_Free (buf);
-	}
-    }
-
-    if (final && p7ecx->digestobj != NULL) {
-	SECItem *digest, **digests, ***digestsp;
-	unsigned char *digdata;
-	SECOidTag kind;
-
-	kind = SEC_PKCS7ContentType (p7ecx->cinfo);
-	switch (kind) {
-	  default:
-	    PORT_Assert (0);
-	    return SECFailure;
-	  case SEC_OID_PKCS7_DIGESTED_DATA:
-	    digest = &(p7ecx->cinfo->content.digestedData->digest);
-	    digestsp = NULL;
-	    break;
-	  case SEC_OID_PKCS7_SIGNED_DATA:
-	    digest = NULL;
-	    digestsp = &(p7ecx->cinfo->content.signedData->digests);
-	    break;
-	  case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
-	    digest = NULL;
-	    digestsp = &(p7ecx->cinfo->content.signedAndEnvelopedData->digests);
-	    break;
-	}
-
-	digdata = (unsigned char*)PORT_ArenaAlloc (p7ecx->cinfo->poolp,
-				   p7ecx->digestobj->length);
-	if (digdata == NULL)
-	    return SECFailure;
-
-	if (digestsp != NULL) {
-	    PORT_Assert (digest == NULL);
-
-	    digest = (SECItem*)PORT_ArenaAlloc (p7ecx->cinfo->poolp, 
-						sizeof(SECItem));
-	    digests = (SECItem**)PORT_ArenaAlloc (p7ecx->cinfo->poolp,
-				       2 * sizeof(SECItem *));
-	    if (digests == NULL || digest == NULL)
-		return SECFailure;
-
-	    digests[0] = digest;
-	    digests[1] = NULL;
-
-	    *digestsp = digests;
-	}
-
-	PORT_Assert (digest != NULL);
-
-	digest->data = digdata;
-	digest->len = p7ecx->digestobj->length;
-
-	(* p7ecx->digestobj->end) (p7ecx->digestcx, digest->data,
-				   &(digest->len), digest->len);
-	(* p7ecx->digestobj->destroy) (p7ecx->digestcx, PR_TRUE);
-    }
-
-    return rv;
-}
-
-
-SECStatus
-SEC_PKCS7EncoderUpdate (SEC_PKCS7EncoderContext *p7ecx,
-			const char *data, unsigned long len)
-{
-    /* XXX Error handling needs help.  Return what?  Do "Finish" on failure? */
-    return sec_pkcs7_encoder_work_data (p7ecx, NULL,
-					(const unsigned char *)data, len,
-					PR_FALSE);
-}
-
-
-/*
- * XXX I would *really* like to not have to do this, but the current
- * signing interface gives me little choice.
- */
-static SECOidTag
-sec_pkcs7_pick_sign_alg (SECOidTag hashalg, SECOidTag encalg)
-{
-    switch (encalg) {
-      case SEC_OID_PKCS1_RSA_ENCRYPTION:
-	switch (hashalg) {
-	  case SEC_OID_MD2:
-	    return SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION;
-	  case SEC_OID_MD5:
-	    return SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;
-	  case SEC_OID_SHA1:
-	    return SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
-	  case SEC_OID_SHA256:
-	    return SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
-	  case SEC_OID_SHA384:
-	    return SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION;
-	  case SEC_OID_SHA512:
-	    return SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;
-	  default:
-	    return SEC_OID_UNKNOWN;
-	}
-      case SEC_OID_ANSIX9_DSA_SIGNATURE:
-      case SEC_OID_MISSI_KEA_DSS:
-      case SEC_OID_MISSI_DSS:
-	switch (hashalg) {
-	  case SEC_OID_SHA1:
-	    return SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
-	  default:
-	    return SEC_OID_UNKNOWN;
-	}
-      case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
-	switch (hashalg) {
-	  case SEC_OID_SHA1:
-	    return SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST;
-	  default:
-	    return SEC_OID_UNKNOWN;
-	}
-      default:
-	break;
-    }
-
-    return encalg;		/* maybe it is already the right algid */
-}
-
-
-static SECStatus
-sec_pkcs7_encoder_sig_and_certs (SEC_PKCS7ContentInfo *cinfo,
-				 SECKEYGetPasswordKey pwfn, void *pwfnarg)
-{
-    SECOidTag kind;
-    CERTCertificate **certs;
-    CERTCertificateList **certlists;
-    SECAlgorithmID **digestalgs;
-    SECItem **digests;
-    SEC_PKCS7SignerInfo *signerinfo, **signerinfos;
-    SECItem **rawcerts, ***rawcertsp;
-    PRArenaPool *poolp;
-    int certcount;
-    int ci, cli, rci, si;
-
-    kind = SEC_PKCS7ContentType (cinfo);
-    switch (kind) {
-      default:
-      case SEC_OID_PKCS7_DATA:
-      case SEC_OID_PKCS7_DIGESTED_DATA:
-      case SEC_OID_PKCS7_ENCRYPTED_DATA:
-      case SEC_OID_PKCS7_ENVELOPED_DATA:
-	certs = NULL;
-	certlists = NULL;
-	digestalgs = NULL;
-	digests = NULL;
-	signerinfos = NULL;
-	rawcertsp = NULL;
-	break;
-      case SEC_OID_PKCS7_SIGNED_DATA:
-	{
-	    SEC_PKCS7SignedData *sdp;
-
-	    sdp = cinfo->content.signedData;
-	    certs = sdp->certs;
-	    certlists = sdp->certLists;
-	    digestalgs = sdp->digestAlgorithms;
-	    digests = sdp->digests;
-	    signerinfos = sdp->signerInfos;
-	    rawcertsp = &(sdp->rawCerts);
-	}
-	break;
-      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
-	{
-	    SEC_PKCS7SignedAndEnvelopedData *saedp;
-
-	    saedp = cinfo->content.signedAndEnvelopedData;
-	    certs = saedp->certs;
-	    certlists = saedp->certLists;
-	    digestalgs = saedp->digestAlgorithms;
-	    digests = saedp->digests;
-	    signerinfos = saedp->signerInfos;
-	    rawcertsp = &(saedp->rawCerts);
-	}
-	break;
-    }
-
-    if (certs == NULL && certlists == NULL && signerinfos == NULL)
-	return SECSuccess;		/* nothing for us to do! */
-
-    poolp = cinfo->poolp;
-    certcount = 0;
-
-    if (signerinfos != NULL) {
-	SECOidTag digestalgtag;
-	int di;
-	SECStatus rv;
-	CERTCertificate *cert;
-	SECKEYPrivateKey *privkey;
-	SECItem signature;
-	SECOidTag signalgtag;
-
-	PORT_Assert (digestalgs != NULL && digests != NULL);
-
-	/*
-	 * If one fails, we bail right then.  If we want to continue and
-	 * try to do subsequent signatures, this loop, and the departures
-	 * from it, will need to be reworked.
-	 */
-	for (si = 0; signerinfos[si] != NULL; si++) {
-
-	    signerinfo = signerinfos[si];
-
-	    /* find right digest */
-	    digestalgtag = SECOID_GetAlgorithmTag (&(signerinfo->digestAlg));
-	    for (di = 0; digestalgs[di] != NULL; di++) {
-		/* XXX Should I be comparing more than the tag? */
-		if (digestalgtag == SECOID_GetAlgorithmTag (digestalgs[di]))
-		    break;
-	    }
-	    if (digestalgs[di] == NULL) {
-		/* XXX oops; do what? set an error? */
-		return SECFailure;
-	    }
-	    PORT_Assert (digests[di] != NULL);
-
-	    cert = signerinfo->cert;
-	    privkey = PK11_FindKeyByAnyCert (cert, pwfnarg);
-	    if (privkey == NULL)
-		return SECFailure;
-
-	    /*
-	     * XXX I think there should be a cert-level interface for this,
-	     * so that I do not have to know about subjectPublicKeyInfo...
-	     */
-	    signalgtag = SECOID_GetAlgorithmTag (&(cert->subjectPublicKeyInfo.algorithm));
-
-	    /* Fortezza MISSI have weird signature formats.  Map them
-	     * to standard DSA formats */
-	    signalgtag = PK11_FortezzaMapSig(signalgtag);
-
-	    if (signerinfo->authAttr != NULL) {
-		SEC_PKCS7Attribute *attr;
-		SECItem encoded_attrs;
-		SECItem *dummy;
-
-		/*
-		 * First, find and fill in the message digest attribute.
-		 */
-		attr = sec_PKCS7FindAttribute (signerinfo->authAttr,
-					       SEC_OID_PKCS9_MESSAGE_DIGEST,
-					       PR_TRUE);
-		PORT_Assert (attr != NULL);
-		if (attr == NULL) {
-		    SECKEY_DestroyPrivateKey (privkey);
-		    return SECFailure;
-		}
-
-		/*
-		 * XXX The second half of the following assertion prevents
-		 * the encoder from being called twice on the same content.
-		 * Either just remove the second half the assertion, or
-		 * change the code to check if the value already there is
-		 * the same as digests[di], whichever seems more right.
-		 */
-		PORT_Assert (attr->values != NULL && attr->values[0] == NULL);
-		attr->values[0] = digests[di];
-
-		/*
-		 * Before encoding, reorder the attributes so that when they
-		 * are encoded, they will be conforming DER, which is required
-		 * to have a specific order and that is what must be used for
-		 * the hash/signature.  We do this here, rather than building
-		 * it into EncodeAttributes, because we do not want to do
-		 * such reordering on incoming messages (which also uses
-		 * EncodeAttributes) or our old signatures (and other "broken"
-		 * implementations) will not verify.  So, we want to guarantee
-		 * that we send out good DER encodings of attributes, but not
-		 * to expect to receive them.
-		 */
-		rv = sec_PKCS7ReorderAttributes (signerinfo->authAttr);
-		if (rv != SECSuccess) {
-		    SECKEY_DestroyPrivateKey (privkey);
-		    return SECFailure;
-		}
-
-		encoded_attrs.data = NULL;
-		encoded_attrs.len = 0;
-		dummy = sec_PKCS7EncodeAttributes (NULL, &encoded_attrs,
-						   &(signerinfo->authAttr));
-		if (dummy == NULL) {
-		    SECKEY_DestroyPrivateKey (privkey);
-		    return SECFailure;
-		}
-
-		rv = SEC_SignData (&signature,
-				   encoded_attrs.data, encoded_attrs.len,
-				   privkey,
-				   sec_pkcs7_pick_sign_alg (digestalgtag,
-							    signalgtag));
-		SECITEM_FreeItem (&encoded_attrs, PR_FALSE);
-	    } else {
-		rv = SGN_Digest (privkey, digestalgtag, &signature,
-				 digests[di]);
-	    }
-
-	    SECKEY_DestroyPrivateKey (privkey);
-
-	    if (rv != SECSuccess)
-		return rv;
-
-	    rv = SECITEM_CopyItem (poolp, &(signerinfo->encDigest), &signature);
-	    if (rv != SECSuccess)
-		return rv;
-
-	    SECITEM_FreeItem (&signature, PR_FALSE);
-
-	    rv = SECOID_SetAlgorithmID (poolp, &(signerinfo->digestEncAlg),
-					signalgtag, NULL);
-	    if (rv != SECSuccess)
-		return SECFailure;
-
-	    /*
-	     * Count the cert chain for this signer.
-	     */
-	    if (signerinfo->certList != NULL)
-		certcount += signerinfo->certList->len;
-	}
-    }
-
-    if (certs != NULL) {
-	for (ci = 0; certs[ci] != NULL; ci++)
-	    certcount++;
-    }
-
-    if (certlists != NULL) {
-	for (cli = 0; certlists[cli] != NULL; cli++)
-	    certcount += certlists[cli]->len;
-    }
-
-    if (certcount == 0)
-	return SECSuccess;		/* signing done; no certs */
-
-    /*
-     * Combine all of the certs and cert chains into rawcerts.
-     * Note: certcount is an upper bound; we may not need that many slots
-     * but we will allocate anyway to avoid having to do another pass.
-     * (The temporary space saving is not worth it.)
-     */
-    rawcerts = (SECItem**)PORT_ArenaAlloc (poolp, 
-					(certcount + 1) * sizeof(SECItem *));
-    if (rawcerts == NULL)
-	return SECFailure;
-
-    /*
-     * XXX Want to check for duplicates and not add *any* cert that is
-     * already in the set.  This will be more important when we start
-     * dealing with larger sets of certs, dual-key certs (signing and
-     * encryption), etc.  For the time being we can slide by...
-     */
-    rci = 0;
-    if (signerinfos != NULL) {
-	for (si = 0; signerinfos[si] != NULL; si++) {
-	    signerinfo = signerinfos[si];
-	    for (ci = 0; ci < signerinfo->certList->len; ci++)
-		rawcerts[rci++] = &(signerinfo->certList->certs[ci]);
-	}
-
-    }
-
-    if (certs != NULL) {
-	for (ci = 0; certs[ci] != NULL; ci++)
-	    rawcerts[rci++] = &(certs[ci]->derCert);
-    }
-
-    if (certlists != NULL) {
-	for (cli = 0; certlists[cli] != NULL; cli++) {
-	    for (ci = 0; ci < certlists[cli]->len; ci++)
-		rawcerts[rci++] = &(certlists[cli]->certs[ci]);
-	}
-    }
-
-    rawcerts[rci] = NULL;
-    *rawcertsp = rawcerts;
-
-    return SECSuccess;
-}
-
-
-SECStatus
-SEC_PKCS7EncoderFinish (SEC_PKCS7EncoderContext *p7ecx,
-			SECKEYGetPasswordKey pwfn, void *pwfnarg)
-{
-    SECStatus rv;
-
-    /*
-     * Flush out any remaining data.
-     */
-    rv = sec_pkcs7_encoder_work_data (p7ecx, NULL, NULL, 0, PR_TRUE);
-
-    /*
-     * Turn off streaming stuff.
-     */
-    SEC_ASN1EncoderClearTakeFromBuf (p7ecx->ecx);
-    SEC_ASN1EncoderClearStreaming (p7ecx->ecx);
-
-    if (rv != SECSuccess)
-	goto loser;
-
-    rv = sec_pkcs7_encoder_sig_and_certs (p7ecx->cinfo, pwfn, pwfnarg);
-    if (rv != SECSuccess)
-	goto loser;
-
-    rv = SEC_ASN1EncoderUpdate (p7ecx->ecx, NULL, 0);
-
-loser:
-    SEC_ASN1EncoderFinish (p7ecx->ecx);
-    PORT_Free (p7ecx);
-    return rv;
-}
-
-/*
- * Abort the ASN.1 stream. Used by pkcs 12
- */
-void
-SEC_PKCS7EncoderAbort(SEC_PKCS7EncoderContext *p7ecx, int error)
-{
-    PORT_Assert(p7ecx);
-    SEC_ASN1EncoderAbort(p7ecx->ecx, error);
-}
-
-/*
- * After this routine is called, the entire PKCS7 contentInfo is ready
- * to be encoded.  This is used internally, but can also be called from
- * elsewhere for those who want to be able to just have pointers to
- * the ASN1 template for pkcs7 contentInfo built into their own encodings.
- */
-SECStatus
-SEC_PKCS7PrepareForEncode (SEC_PKCS7ContentInfo *cinfo,
-			   PK11SymKey *bulkkey,
-			   SECKEYGetPasswordKey pwfn,
-			   void *pwfnarg)
-{
-    SEC_PKCS7EncoderContext *p7ecx;
-    SECItem *content, *enc_content;
-    SECStatus rv;
-
-    p7ecx = sec_pkcs7_encoder_start_contexts (cinfo, bulkkey);
-    if (p7ecx == NULL)
-	return SECFailure;
-
-    content = SEC_PKCS7GetContent (cinfo);
-
-    if (p7ecx->encryptobj != NULL) {
-	SECOidTag kind;
-	SEC_PKCS7EncryptedContentInfo *enccinfo;
-
-	kind = SEC_PKCS7ContentType (p7ecx->cinfo);
-	switch (kind) {
-	  default:
-	    PORT_Assert (0);
-	    rv = SECFailure;
-	    goto loser;
-	  case SEC_OID_PKCS7_ENCRYPTED_DATA:
-	    enccinfo = &(p7ecx->cinfo->content.encryptedData->encContentInfo);
-	    break;
-	  case SEC_OID_PKCS7_ENVELOPED_DATA:
-	    enccinfo = &(p7ecx->cinfo->content.envelopedData->encContentInfo);
-	    break;
-	  case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
-	    enccinfo = &(p7ecx->cinfo->content.signedAndEnvelopedData->encContentInfo);
-	    break;
-	}
-	enc_content = &(enccinfo->encContent);
-    } else {
-	enc_content = NULL;
-    }
-
-    if (content != NULL && content->data != NULL && content->len) {
-	rv = sec_pkcs7_encoder_work_data (p7ecx, enc_content,
-					  content->data, content->len, PR_TRUE);
-	if (rv != SECSuccess)
-	    goto loser;
-    }
-
-    rv = sec_pkcs7_encoder_sig_and_certs (cinfo, pwfn, pwfnarg);
-
-loser:
-    PORT_Free (p7ecx);
-    return rv;
-}
-
-
-/*
- * Encode a PKCS7 object, in one shot.  All necessary components
- * of the object must already be specified.  Either the data has
- * already been included (via SetContent), or the data is detached,
- * or there is no data at all (certs-only).
- *
- * "cinfo" specifies the object to be encoded.
- *
- * "outputfn" is where the encoded bytes will be passed.
- *
- * "outputarg" is an opaque argument to the above callback.
- *
- * "bulkkey" specifies the bulk encryption key to use.   This argument
- * can be NULL if no encryption is being done, or if the bulk key should
- * be generated internally (usually the case for EnvelopedData but never
- * for EncryptedData, which *must* provide a bulk encryption key).
- *
- * "pwfn" is a callback for getting the password which protects the
- * private key of the signer.  This argument can be NULL if it is known
- * that no signing is going to be done.
- *
- * "pwfnarg" is an opaque argument to the above callback.
- */
-SECStatus
-SEC_PKCS7Encode (SEC_PKCS7ContentInfo *cinfo,
-		 SEC_PKCS7EncoderOutputCallback outputfn,
-		 void *outputarg,
-		 PK11SymKey *bulkkey,
-		 SECKEYGetPasswordKey pwfn,
-		 void *pwfnarg)
-{
-    SECStatus rv;
-
-    rv = SEC_PKCS7PrepareForEncode (cinfo, bulkkey, pwfn, pwfnarg);
-    if (rv == SECSuccess) {
-	struct sec_pkcs7_encoder_output outputcx;
-
-	outputcx.outputfn = outputfn;
-	outputcx.outputarg = outputarg;
-
-	rv = SEC_ASN1Encode (cinfo, sec_PKCS7ContentInfoTemplate,
-			     sec_pkcs7_encoder_out, &outputcx);
-    }
-
-    return rv;
-}
-
-
-/*
- * Encode a PKCS7 object, in one shot.  All necessary components
- * of the object must already be specified.  Either the data has
- * already been included (via SetContent), or the data is detached,
- * or there is no data at all (certs-only).  The output, rather than
- * being passed to an output function as is done above, is all put
- * into a SECItem.
- *
- * "pool" specifies a pool from which to allocate the result.
- * It can be NULL, in which case memory is allocated generically.
- *
- * "dest" specifies a SECItem in which to put the result data.
- * It can be NULL, in which case the entire item is allocated, too.
- *
- * "cinfo" specifies the object to be encoded.
- *
- * "bulkkey" specifies the bulk encryption key to use.   This argument
- * can be NULL if no encryption is being done, or if the bulk key should
- * be generated internally (usually the case for EnvelopedData but never
- * for EncryptedData, which *must* provide a bulk encryption key).
- *
- * "pwfn" is a callback for getting the password which protects the
- * private key of the signer.  This argument can be NULL if it is known
- * that no signing is going to be done.
- *
- * "pwfnarg" is an opaque argument to the above callback.
- */
-SECItem *
-SEC_PKCS7EncodeItem (PRArenaPool *pool,
-		     SECItem *dest,
-		     SEC_PKCS7ContentInfo *cinfo,
-		     PK11SymKey *bulkkey,
-		     SECKEYGetPasswordKey pwfn,
-		     void *pwfnarg)
-{
-    SECStatus rv;
-
-    rv = SEC_PKCS7PrepareForEncode (cinfo, bulkkey, pwfn, pwfnarg);
-    if (rv != SECSuccess)
-	return NULL;
-
-    return SEC_ASN1EncodeItem (pool, dest, cinfo, sec_PKCS7ContentInfoTemplate);
-}
-
diff --git a/security/nss/lib/pkcs7/p7local.c b/security/nss/lib/pkcs7/p7local.c
deleted file mode 100644
index b7f79b696..000000000
--- a/security/nss/lib/pkcs7/p7local.c
+++ /dev/null
@@ -1,1451 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Support routines for PKCS7 implementation, none of which are exported.
- * This file should only contain things that are needed by both the
- * encoding/creation side *and* the decoding/decryption side.  Anything
- * else should be static routines in the appropriate file.
- *
- * $Id$
- */
-
-#include "p7local.h"
-
-#include "cryptohi.h" 
-#include "secasn1.h"
-#include "secoid.h"
-#include "secitem.h"
-#include "pk11func.h"
-#include "secpkcs5.h"
-#include "secerr.h"
-
-/*
- * -------------------------------------------------------------------
- * Cipher stuff.
- */
-
-typedef SECStatus (*sec_pkcs7_cipher_function) (void *,
-						unsigned char *,
-						unsigned *,
-						unsigned int,
-						const unsigned char *,
-						unsigned int);
-typedef SECStatus (*sec_pkcs7_cipher_destroy) (void *, PRBool);
-
-#define BLOCK_SIZE 4096
-
-struct sec_pkcs7_cipher_object {
-    void *cx;
-    sec_pkcs7_cipher_function doit;
-    sec_pkcs7_cipher_destroy destroy;
-    PRBool encrypt;
-    int block_size;
-    int pad_size;
-    int pending_count;
-    unsigned char pending_buf[BLOCK_SIZE];
-};
-
-SEC_ASN1_MKSUB(CERT_IssuerAndSNTemplate)
-SEC_ASN1_MKSUB(CERT_SetOfSignedCrlTemplate)
-SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
-SEC_ASN1_MKSUB(SEC_OctetStringTemplate)
-SEC_ASN1_MKSUB(SEC_SetOfAnyTemplate)
-
-/*
- * Create a cipher object to do decryption,  based on the given bulk
- * encryption key and algorithm identifier (which may include an iv).
- *
- * XXX This interface, or one similar, would be really nice available
- * in general...  I tried to keep the pkcs7-specific stuff (mostly
- * having to do with padding) out of here.
- *
- * XXX Once both are working, it might be nice to combine this and the
- * function below (for starting up encryption) into one routine, and just
- * have two simple cover functions which call it. 
- */
-sec_PKCS7CipherObject *
-sec_PKCS7CreateDecryptObject (PK11SymKey *key, SECAlgorithmID *algid)
-{
-    sec_PKCS7CipherObject *result;
-    SECOidTag algtag;
-    void *ciphercx;
-    CK_MECHANISM_TYPE mechanism;
-    SECItem *param;
-    PK11SlotInfo *slot;
-
-    result = (struct sec_pkcs7_cipher_object*)
-      PORT_ZAlloc (sizeof(struct sec_pkcs7_cipher_object));
-    if (result == NULL)
-	return NULL;
-
-    ciphercx = NULL;
-    algtag = SECOID_GetAlgorithmTag (algid);
-
-    if (SEC_PKCS5IsAlgorithmPBEAlg(algid)) {
-	CK_MECHANISM pbeMech, cryptoMech;
-	SECItem *pbeParams, *pwitem;
-
-	pwitem = (SECItem *)PK11_GetSymKeyUserData(key);
-	if (!pwitem) {
-	    PORT_Free(result);
-	    return NULL;
-	}
-
-	pbeMech.mechanism = PK11_AlgtagToMechanism(algtag);
-	pbeParams = PK11_ParamFromAlgid(algid);
-	if (!pbeParams) {
-	    PORT_Free(result);
-	    return NULL;
-	}
-
-	pbeMech.pParameter = pbeParams->data;
-	pbeMech.ulParameterLen = pbeParams->len;
-	if (PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech, pwitem,
-						  PR_FALSE) != CKR_OK) { 
-	    PORT_Free(result);
-	    SECITEM_ZfreeItem(pbeParams, PR_TRUE);
-	    return NULL;
-	}
-	SECITEM_ZfreeItem(pbeParams, PR_TRUE);
-
-	param = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
-	if(!param) {
-	     PORT_Free(result);
-	     return NULL;
-	}
-	param->data = (unsigned char *)cryptoMech.pParameter;
-	param->len = cryptoMech.ulParameterLen;
-	mechanism = cryptoMech.mechanism;
-    } else {
-	mechanism = PK11_AlgtagToMechanism(algtag);
-	param = PK11_ParamFromAlgid(algid);
-	if (param == NULL) {
-	    PORT_Free(result);
-	    return NULL;
-	}
-    }
-
-    result->pad_size = PK11_GetBlockSize(mechanism,param);
-    slot = PK11_GetSlotFromKey(key);
-    result->block_size = PK11_IsHW(slot) ? BLOCK_SIZE : result->pad_size;
-    PK11_FreeSlot(slot);
-    ciphercx = PK11_CreateContextBySymKey(mechanism, CKA_DECRYPT, key, param);
-    SECITEM_FreeItem(param,PR_TRUE);
-    if (ciphercx == NULL) {
-	PORT_Free (result);
-	return NULL;
-    }
-
-    result->cx = ciphercx;
-    result->doit =  (sec_pkcs7_cipher_function) PK11_CipherOp;
-    result->destroy = (sec_pkcs7_cipher_destroy) PK11_DestroyContext;
-    result->encrypt = PR_FALSE;
-    result->pending_count = 0;
-
-    return result;
-}
-
-/*
- * Create a cipher object to do encryption, based on the given bulk
- * encryption key and algorithm tag.  Fill in the algorithm identifier
- * (which may include an iv) appropriately.
- *
- * XXX This interface, or one similar, would be really nice available
- * in general...  I tried to keep the pkcs7-specific stuff (mostly
- * having to do with padding) out of here.
- *
- * XXX Once both are working, it might be nice to combine this and the
- * function above (for starting up decryption) into one routine, and just
- * have two simple cover functions which call it. 
- */
-sec_PKCS7CipherObject *
-sec_PKCS7CreateEncryptObject (PRArenaPool *poolp, PK11SymKey *key,
-			      SECOidTag algtag, SECAlgorithmID *algid)
-{
-    sec_PKCS7CipherObject *result;
-    void *ciphercx;
-    SECItem *param;
-    SECStatus rv;
-    CK_MECHANISM_TYPE mechanism;
-    PRBool needToEncodeAlgid = PR_FALSE;
-    PK11SlotInfo *slot;
-
-    result = (struct sec_pkcs7_cipher_object*)
-	      PORT_ZAlloc (sizeof(struct sec_pkcs7_cipher_object));
-    if (result == NULL)
-	return NULL;
-
-    ciphercx = NULL;
-    if (SEC_PKCS5IsAlgorithmPBEAlg(algid)) {
-	CK_MECHANISM pbeMech, cryptoMech;
-	SECItem *pbeParams, *pwitem;
-
-	PORT_Memset(&pbeMech, 0, sizeof(CK_MECHANISM));
-	PORT_Memset(&cryptoMech, 0, sizeof(CK_MECHANISM));
-
-	pwitem = (SECItem *)PK11_GetSymKeyUserData(key);
-	if (!pwitem) {
-	    PORT_Free(result);
-	    return NULL;
-	}
-
-	pbeMech.mechanism = PK11_AlgtagToMechanism(algtag);
-	pbeParams = PK11_ParamFromAlgid(algid);
-	if(!pbeParams) {
-	    PORT_Free(result);
-	    return NULL;
-	}
-
-	pbeMech.pParameter = pbeParams->data;
-	pbeMech.ulParameterLen = pbeParams->len;
-	if(PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech, pwitem,
-							 PR_FALSE) != CKR_OK) {
-	    PORT_Free(result);
-	    SECITEM_ZfreeItem(pbeParams, PR_TRUE);
-	    return NULL;
-	}
-	SECITEM_ZfreeItem(pbeParams, PR_TRUE);
-
-	param = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
-	if(!param) {
-	     PORT_Free(result);
-	     return NULL;
-	}
-	param->data = (unsigned char *)cryptoMech.pParameter;
-	param->len = cryptoMech.ulParameterLen;
-	mechanism = cryptoMech.mechanism;
-    } else {
-	mechanism = PK11_AlgtagToMechanism(algtag);
-	param = PK11_GenerateNewParam(mechanism,key);
-	if (param == NULL) {
-	    PORT_Free(result);
-	    return NULL;
-	}
-	needToEncodeAlgid = PR_TRUE;
-    }
-
-    result->pad_size = PK11_GetBlockSize(mechanism,param);
-    slot = PK11_GetSlotFromKey(key);
-    result->block_size = PK11_IsHW(slot) ? BLOCK_SIZE : result->pad_size;
-    PK11_FreeSlot(slot);
-    ciphercx = PK11_CreateContextBySymKey(mechanism, CKA_ENCRYPT, 
-    					  key, param);
-    if (ciphercx == NULL) {
-	PORT_Free (result);
-        SECITEM_FreeItem(param,PR_TRUE);
-	return NULL;
-    }
-
-    /*
-     * These are placed after the CreateContextBySymKey() because some
-     * mechanisms have to generate their IVs from their card (i.e. FORTEZZA).
-     * Don't move it from here.
-     */
-    if (needToEncodeAlgid) {
-	rv = PK11_ParamToAlgid(algtag,param,poolp,algid);
-	if(rv != SECSuccess) {
-	    return NULL;
-	}
-    }
-    SECITEM_FreeItem(param,PR_TRUE);
-
-    result->cx = ciphercx;
-    result->doit = (sec_pkcs7_cipher_function) PK11_CipherOp;
-    result->destroy = (sec_pkcs7_cipher_destroy) PK11_DestroyContext;
-    result->encrypt = PR_TRUE;
-    result->pending_count = 0;
-
-    return result;
-}
-
-
-/*
- * Destroy the cipher object.
- */
-static void
-sec_pkcs7_destroy_cipher (sec_PKCS7CipherObject *obj)
-{
-    (* obj->destroy) (obj->cx, PR_TRUE);
-    PORT_Free (obj);
-}
-
-void
-sec_PKCS7DestroyDecryptObject (sec_PKCS7CipherObject *obj)
-{
-    PORT_Assert (obj != NULL);
-    if (obj == NULL)
-	return;
-    PORT_Assert (! obj->encrypt);
-    sec_pkcs7_destroy_cipher (obj);
-}
-
-void
-sec_PKCS7DestroyEncryptObject (sec_PKCS7CipherObject *obj)
-{
-    PORT_Assert (obj != NULL);
-    if (obj == NULL)
-	return;
-    PORT_Assert (obj->encrypt);
-    sec_pkcs7_destroy_cipher (obj);
-}
-
-
-/*
- * XXX I think all of the following lengths should be longs instead
- * of ints, but our current crypto interface uses ints, so I did too.
- */
-
-
-/*
- * What will be the output length of the next call to decrypt?
- * Result can be used to perform memory allocations.  Note that the amount
- * is exactly accurate only when not doing a block cipher or when final
- * is false, otherwise it is an upper bound on the amount because until
- * we see the data we do not know how many padding bytes there are
- * (always between 1 and bsize).
- *
- * Note that this can return zero, which does not mean that the decrypt
- * operation can be skipped!  (It simply means that there are not enough
- * bytes to make up an entire block; the bytes will be reserved until
- * there are enough to encrypt/decrypt at least one block.)  However,
- * if zero is returned it *does* mean that no output buffer need be
- * passed in to the subsequent decrypt operation, as no output bytes
- * will be stored.
- */
-unsigned int
-sec_PKCS7DecryptLength (sec_PKCS7CipherObject *obj, unsigned int input_len,
-			PRBool final)
-{
-    int blocks, block_size;
-
-    PORT_Assert (! obj->encrypt);
-
-    block_size = obj->block_size;
-
-    /*
-     * If this is not a block cipher, then we always have the same
-     * number of output bytes as we had input bytes.
-     */
-    if (block_size == 0)
-	return input_len;
-
-    /*
-     * On the final call, we will always use up all of the pending
-     * bytes plus all of the input bytes, *but*, there will be padding
-     * at the end and we cannot predict how many bytes of padding we
-     * will end up removing.  The amount given here is actually known
-     * to be at least 1 byte too long (because we know we will have
-     * at least 1 byte of padding), but seemed clearer/better to me.
-     */
-    if (final)
-	return obj->pending_count + input_len;
-
-    /*
-     * Okay, this amount is exactly what we will output on the
-     * next cipher operation.  We will always hang onto the last
-     * 1 - block_size bytes for non-final operations.  That is,
-     * we will do as many complete blocks as we can *except* the
-     * last block (complete or partial).  (This is because until
-     * we know we are at the end, we cannot know when to interpret
-     * and removing the padding byte(s), which are guaranteed to
-     * be there.)
-     */
-    blocks = (obj->pending_count + input_len - 1) / block_size;
-    return blocks * block_size;
-}
-
-/*
- * What will be the output length of the next call to encrypt?
- * Result can be used to perform memory allocations.
- *
- * Note that this can return zero, which does not mean that the encrypt
- * operation can be skipped!  (It simply means that there are not enough
- * bytes to make up an entire block; the bytes will be reserved until
- * there are enough to encrypt/decrypt at least one block.)  However,
- * if zero is returned it *does* mean that no output buffer need be
- * passed in to the subsequent encrypt operation, as no output bytes
- * will be stored.
- */
-unsigned int
-sec_PKCS7EncryptLength (sec_PKCS7CipherObject *obj, unsigned int input_len,
-			PRBool final)
-{
-    int blocks, block_size;
-    int pad_size;
-
-    PORT_Assert (obj->encrypt);
-
-    block_size = obj->block_size;
-    pad_size = obj->pad_size;
-
-    /*
-     * If this is not a block cipher, then we always have the same
-     * number of output bytes as we had input bytes.
-     */
-    if (block_size == 0)
-	return input_len;
-
-    /*
-     * On the final call, we only send out what we need for
-     * remaining bytes plus the padding.  (There is always padding,
-     * so even if we have an exact number of blocks as input, we
-     * will add another full block that is just padding.)
-     */
-    if (final) {
-	if (pad_size == 0) {
-    	    return obj->pending_count + input_len;
-	} else {
-    	    blocks = (obj->pending_count + input_len) / pad_size;
-	    blocks++;
-	    return blocks*pad_size;
-	}
-    }
-
-    /*
-     * Now, count the number of complete blocks of data we have.
-     */
-    blocks = (obj->pending_count + input_len) / block_size;
-
-
-    return blocks * block_size;
-}
-
-
-/*
- * Decrypt a given length of input buffer (starting at "input" and
- * containing "input_len" bytes), placing the decrypted bytes in
- * "output" and storing the output length in "*output_len_p".
- * "obj" is the return value from sec_PKCS7CreateDecryptObject.
- * When "final" is true, this is the last of the data to be decrypted.
- *
- * This is much more complicated than it sounds when the cipher is
- * a block-type, meaning that the decryption function will only
- * operate on whole blocks.  But our caller is operating stream-wise,
- * and can pass in any number of bytes.  So we need to keep track
- * of block boundaries.  We save excess bytes between calls in "obj".
- * We also need to determine which bytes are padding, and remove
- * them from the output.  We can only do this step when we know we
- * have the final block of data.  PKCS #7 specifies that the padding
- * used for a block cipher is a string of bytes, each of whose value is
- * the same as the length of the padding, and that all data is padded.
- * (Even data that starts out with an exact multiple of blocks gets
- * added to it another block, all of which is padding.)
- */ 
-SECStatus
-sec_PKCS7Decrypt (sec_PKCS7CipherObject *obj, unsigned char *output,
-		  unsigned int *output_len_p, unsigned int max_output_len,
-		  const unsigned char *input, unsigned int input_len,
-		  PRBool final)
-{
-    int blocks, bsize, pcount, padsize;
-    unsigned int max_needed, ifraglen, ofraglen, output_len;
-    unsigned char *pbuf;
-    SECStatus rv;
-
-    PORT_Assert (! obj->encrypt);
-
-    /*
-     * Check that we have enough room for the output.  Our caller should
-     * already handle this; failure is really an internal error (i.e. bug).
-     */
-    max_needed = sec_PKCS7DecryptLength (obj, input_len, final);
-    PORT_Assert (max_output_len >= max_needed);
-    if (max_output_len < max_needed) {
-	/* PORT_SetError (XXX); */
-	return SECFailure;
-    }
-
-    /*
-     * hardware encryption does not like small decryption sizes here, so we
-     * allow both blocking and padding.
-     */
-    bsize = obj->block_size;
-    padsize = obj->pad_size;
-
-    /*
-     * When no blocking or padding work to do, we can simply call the
-     * cipher function and we are done.
-     */
-    if (bsize == 0) {
-	return (* obj->doit) (obj->cx, output, output_len_p, max_output_len,
-			      input, input_len);
-    }
-
-    pcount = obj->pending_count;
-    pbuf = obj->pending_buf;
-
-    output_len = 0;
-
-    if (pcount) {
-	/*
-	 * Try to fill in an entire block, starting with the bytes
-	 * we already have saved away.
-	 */
-	while (input_len && pcount < bsize) {
-	    pbuf[pcount++] = *input++;
-	    input_len--;
-	}
-	/*
-	 * If we have at most a whole block and this is not our last call,
-	 * then we are done for now.  (We do not try to decrypt a lone
-	 * single block because we cannot interpret the padding bytes
-	 * until we know we are handling the very last block of all input.)
-	 */
-	if (input_len == 0 && !final) {
-	    obj->pending_count = pcount;
-	    if (output_len_p)
-		*output_len_p = 0;
-	    return SECSuccess;
-	}
-	/*
-	 * Given the logic above, we expect to have a full block by now.
-	 * If we do not, there is something wrong, either with our own
-	 * logic or with (length of) the data given to us.
-	 */
-	PORT_Assert ((padsize == 0) || (pcount % padsize) == 0);
-	if ((padsize != 0) && (pcount % padsize) != 0) {
-	    PORT_Assert (final);	
-	    PORT_SetError (SEC_ERROR_BAD_DATA);
-	    return SECFailure;
-	}
-	/*
-	 * Decrypt the block.
-	 */
-	rv = (* obj->doit) (obj->cx, output, &ofraglen, max_output_len,
-			    pbuf, pcount);
-	if (rv != SECSuccess)
-	    return rv;
-
-	/*
-	 * For now anyway, all of our ciphers have the same number of
-	 * bytes of output as they do input.  If this ever becomes untrue,
-	 * then sec_PKCS7DecryptLength needs to be made smarter!
-	 */
-	PORT_Assert (ofraglen == pcount);
-
-	/*
-	 * Account for the bytes now in output.
-	 */
-	max_output_len -= ofraglen;
-	output_len += ofraglen;
-	output += ofraglen;
-    }
-
-    /*
-     * If this is our last call, we expect to have an exact number of
-     * blocks left to be decrypted; we will decrypt them all.
-     * 
-     * If not our last call, we always save between 1 and bsize bytes
-     * until next time.  (We must do this because we cannot be sure
-     * that none of the decrypted bytes are padding bytes until we
-     * have at least another whole block of data.  You cannot tell by
-     * looking -- the data could be anything -- you can only tell by
-     * context, knowing you are looking at the last block.)  We could
-     * decrypt a whole block now but it is easier if we just treat it
-     * the same way we treat partial block bytes.
-     */
-    if (final) {
-	if (padsize) {
-	    blocks = input_len / padsize;
-	    ifraglen = blocks * padsize;
-	} else ifraglen = input_len;
-	PORT_Assert (ifraglen == input_len);
-
-	if (ifraglen != input_len) {
-	    PORT_SetError (SEC_ERROR_BAD_DATA);
-	    return SECFailure;
-	}
-    } else {
-	blocks = (input_len - 1) / bsize;
-	ifraglen = blocks * bsize;
-	PORT_Assert (ifraglen < input_len);
-
-	pcount = input_len - ifraglen;
-	PORT_Memcpy (pbuf, input + ifraglen, pcount);
-	obj->pending_count = pcount;
-    }
-
-    if (ifraglen) {
-	rv = (* obj->doit) (obj->cx, output, &ofraglen, max_output_len,
-			    input, ifraglen);
-	if (rv != SECSuccess)
-	    return rv;
-
-	/*
-	 * For now anyway, all of our ciphers have the same number of
-	 * bytes of output as they do input.  If this ever becomes untrue,
-	 * then sec_PKCS7DecryptLength needs to be made smarter!
-	 */
-	PORT_Assert (ifraglen == ofraglen);
-	if (ifraglen != ofraglen) {
-	    PORT_SetError (SEC_ERROR_BAD_DATA);
-	    return SECFailure;
-	}
-
-	output_len += ofraglen;
-    } else {
-	ofraglen = 0;
-    }
-
-    /*
-     * If we just did our very last block, "remove" the padding by
-     * adjusting the output length.
-     */
-    if (final && (padsize != 0)) {
-	unsigned int padlen = *(output + ofraglen - 1);
-	PORT_Assert (padlen > 0 && padlen <= padsize);
-	if (padlen == 0 || padlen > padsize) {
-	    PORT_SetError (SEC_ERROR_BAD_DATA);
-	    return SECFailure;
-	}
-	output_len -= padlen;
-    }
-
-    PORT_Assert (output_len_p != NULL || output_len == 0);
-    if (output_len_p != NULL)
-	*output_len_p = output_len;
-
-    return SECSuccess;
-}
-
-/*
- * Encrypt a given length of input buffer (starting at "input" and
- * containing "input_len" bytes), placing the encrypted bytes in
- * "output" and storing the output length in "*output_len_p".
- * "obj" is the return value from sec_PKCS7CreateEncryptObject.
- * When "final" is true, this is the last of the data to be encrypted.
- *
- * This is much more complicated than it sounds when the cipher is
- * a block-type, meaning that the encryption function will only
- * operate on whole blocks.  But our caller is operating stream-wise,
- * and can pass in any number of bytes.  So we need to keep track
- * of block boundaries.  We save excess bytes between calls in "obj".
- * We also need to add padding bytes at the end.  PKCS #7 specifies
- * that the padding used for a block cipher is a string of bytes,
- * each of whose value is the same as the length of the padding,
- * and that all data is padded.  (Even data that starts out with
- * an exact multiple of blocks gets added to it another block,
- * all of which is padding.)
- *
- * XXX I would kind of like to combine this with the function above
- * which does decryption, since they have a lot in common.  But the
- * tricky parts about padding and filling blocks would be much
- * harder to read that way, so I left them separate.  At least for
- * now until it is clear that they are right.
- */ 
-SECStatus
-sec_PKCS7Encrypt (sec_PKCS7CipherObject *obj, unsigned char *output,
-		  unsigned int *output_len_p, unsigned int max_output_len,
-		  const unsigned char *input, unsigned int input_len,
-		  PRBool final)
-{
-    int blocks, bsize, padlen, pcount, padsize;
-    unsigned int max_needed, ifraglen, ofraglen, output_len;
-    unsigned char *pbuf;
-    SECStatus rv;
-
-    PORT_Assert (obj->encrypt);
-
-    /*
-     * Check that we have enough room for the output.  Our caller should
-     * already handle this; failure is really an internal error (i.e. bug).
-     */
-    max_needed = sec_PKCS7EncryptLength (obj, input_len, final);
-    PORT_Assert (max_output_len >= max_needed);
-    if (max_output_len < max_needed) {
-	/* PORT_SetError (XXX); */
-	return SECFailure;
-    }
-
-    bsize = obj->block_size;
-    padsize = obj->pad_size;
-
-    /*
-     * When no blocking and padding work to do, we can simply call the
-     * cipher function and we are done.
-     */
-    if (bsize == 0) {
-	return (* obj->doit) (obj->cx, output, output_len_p, max_output_len,
-			      input, input_len);
-    }
-
-    pcount = obj->pending_count;
-    pbuf = obj->pending_buf;
-
-    output_len = 0;
-
-    if (pcount) {
-	/*
-	 * Try to fill in an entire block, starting with the bytes
-	 * we already have saved away.
-	 */
-	while (input_len && pcount < bsize) {
-	    pbuf[pcount++] = *input++;
-	    input_len--;
-	}
-	/*
-	 * If we do not have a full block and we know we will be
-	 * called again, then we are done for now.
-	 */
-	if (pcount < bsize && !final) {
-	    obj->pending_count = pcount;
-	    if (output_len_p != NULL)
-		*output_len_p = 0;
-	    return SECSuccess;
-	}
-	/*
-	 * If we have a whole block available, encrypt it.
-	 */
-	if ((padsize == 0) || (pcount % padsize) == 0) {
-	    rv = (* obj->doit) (obj->cx, output, &ofraglen, max_output_len,
-				pbuf, pcount);
-	    if (rv != SECSuccess)
-		return rv;
-
-	    /*
-	     * For now anyway, all of our ciphers have the same number of
-	     * bytes of output as they do input.  If this ever becomes untrue,
-	     * then sec_PKCS7EncryptLength needs to be made smarter!
-	     */
-	    PORT_Assert (ofraglen == pcount);
-
-	    /*
-	     * Account for the bytes now in output.
-	     */
-	    max_output_len -= ofraglen;
-	    output_len += ofraglen;
-	    output += ofraglen;
-
-	    pcount = 0;
-	}
-    }
-
-    if (input_len) {
-	PORT_Assert (pcount == 0);
-
-	blocks = input_len / bsize;
-	ifraglen = blocks * bsize;
-
-	if (ifraglen) {
-	    rv = (* obj->doit) (obj->cx, output, &ofraglen, max_output_len,
-				input, ifraglen);
-	    if (rv != SECSuccess)
-		return rv;
-
-	    /*
-	     * For now anyway, all of our ciphers have the same number of
-	     * bytes of output as they do input.  If this ever becomes untrue,
-	     * then sec_PKCS7EncryptLength needs to be made smarter!
-	     */
-	    PORT_Assert (ifraglen == ofraglen);
-
-	    max_output_len -= ofraglen;
-	    output_len += ofraglen;
-	    output += ofraglen;
-	}
-
-	pcount = input_len - ifraglen;
-	PORT_Assert (pcount < bsize);
-	if (pcount)
-	    PORT_Memcpy (pbuf, input + ifraglen, pcount);
-    }
-
-    if (final) {
-	padlen = padsize - (pcount % padsize);
-	PORT_Memset (pbuf + pcount, padlen, padlen);
-	rv = (* obj->doit) (obj->cx, output, &ofraglen, max_output_len,
-			    pbuf, pcount+padlen);
-	if (rv != SECSuccess)
-	    return rv;
-
-	/*
-	 * For now anyway, all of our ciphers have the same number of
-	 * bytes of output as they do input.  If this ever becomes untrue,
-	 * then sec_PKCS7EncryptLength needs to be made smarter!
-	 */
-	PORT_Assert (ofraglen == (pcount+padlen));
-	output_len += ofraglen;
-    } else {
-	obj->pending_count = pcount;
-    }
-
-    PORT_Assert (output_len_p != NULL || output_len == 0);
-    if (output_len_p != NULL)
-	*output_len_p = output_len;
-
-    return SECSuccess;
-}
-
-/*
- * End of cipher stuff.
- * -------------------------------------------------------------------
- */
-
-
-/*
- * -------------------------------------------------------------------
- * XXX The following Attribute stuff really belongs elsewhere.
- * The Attribute type is *not* part of pkcs7 but rather X.501.
- * But for now, since PKCS7 is the only customer of attributes,
- * we define them here.  Once there is a use outside of PKCS7,
- * then change the attribute types and functions from internal
- * to external naming convention, and move them elsewhere!
- */
-
-/*
- * Look through a set of attributes and find one that matches the
- * specified object ID.  If "only" is true, then make sure that
- * there is not more than one attribute of the same type.  Otherwise,
- * just return the first one found. (XXX Does anybody really want
- * that first-found behavior?  It was like that when I found it...)
- */
-SEC_PKCS7Attribute *
-sec_PKCS7FindAttribute (SEC_PKCS7Attribute **attrs, SECOidTag oidtag,
-			PRBool only)
-{
-    SECOidData *oid;
-    SEC_PKCS7Attribute *attr1, *attr2;
-
-    if (attrs == NULL)
-	return NULL;
-
-    oid = SECOID_FindOIDByTag(oidtag);
-    if (oid == NULL)
-	return NULL;
-
-    while ((attr1 = *attrs++) != NULL) {
-	if (attr1->type.len == oid->oid.len && PORT_Memcmp (attr1->type.data,
-							    oid->oid.data,
-							    oid->oid.len) == 0)
-	    break;
-    }
-
-    if (attr1 == NULL)
-	return NULL;
-
-    if (!only)
-	return attr1;
-
-    while ((attr2 = *attrs++) != NULL) {
-	if (attr2->type.len == oid->oid.len && PORT_Memcmp (attr2->type.data,
-							    oid->oid.data,
-							    oid->oid.len) == 0)
-	    break;
-    }
-
-    if (attr2 != NULL)
-	return NULL;
-
-    return attr1;
-}
-
-
-/*
- * Return the single attribute value, doing some sanity checking first:
- * - Multiple values are *not* expected.
- * - Empty values are *not* expected.
- */
-SECItem *
-sec_PKCS7AttributeValue(SEC_PKCS7Attribute *attr)
-{
-    SECItem *value;
-
-    if (attr == NULL)
-	return NULL;
-
-    value = attr->values[0];
-
-    if (value == NULL || value->data == NULL || value->len == 0)
-	return NULL;
-
-    if (attr->values[1] != NULL)
-	return NULL;
-
-    return value;
-}
-
-static const SEC_ASN1Template *
-sec_attr_choose_attr_value_template(void *src_or_dest, PRBool encoding)
-{
-    const SEC_ASN1Template *theTemplate;
-
-    SEC_PKCS7Attribute *attribute;
-    SECOidData *oiddata;
-    PRBool encoded;
-
-    PORT_Assert (src_or_dest != NULL);
-    if (src_or_dest == NULL)
-	return NULL;
-
-    attribute = (SEC_PKCS7Attribute*)src_or_dest;
-
-    if (encoding && attribute->encoded)
-	return SEC_ASN1_GET(SEC_AnyTemplate);
-
-    oiddata = attribute->typeTag;
-    if (oiddata == NULL) {
-	oiddata = SECOID_FindOID(&attribute->type);
-	attribute->typeTag = oiddata;
-    }
-
-    if (oiddata == NULL) {
-	encoded = PR_TRUE;
-	theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
-    } else {
-	switch (oiddata->offset) {
-	  default:
-	    encoded = PR_TRUE;
-	    theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
-	    break;
-	  case SEC_OID_PKCS9_EMAIL_ADDRESS:
-	  case SEC_OID_RFC1274_MAIL:
-	  case SEC_OID_PKCS9_UNSTRUCTURED_NAME:
-	    encoded = PR_FALSE;
-	    theTemplate = SEC_ASN1_GET(SEC_IA5StringTemplate);
-	    break;
-	  case SEC_OID_PKCS9_CONTENT_TYPE:
-	    encoded = PR_FALSE;
-	    theTemplate = SEC_ASN1_GET(SEC_ObjectIDTemplate);
-	    break;
-	  case SEC_OID_PKCS9_MESSAGE_DIGEST:
-	    encoded = PR_FALSE;
-	    theTemplate = SEC_ASN1_GET(SEC_OctetStringTemplate);
-	    break;
-	  case SEC_OID_PKCS9_SIGNING_TIME:
-	    encoded = PR_FALSE;
-            theTemplate = SEC_ASN1_GET(CERT_TimeChoiceTemplate);
-	    break;
-	  /* XXX Want other types here, too */
-	}
-    }
-
-    if (encoding) {
-	/*
-	 * If we are encoding and we think we have an already-encoded value,
-	 * then the code which initialized this attribute should have set
-	 * the "encoded" property to true (and we would have returned early,
-	 * up above).  No devastating error, but that code should be fixed.
-	 * (It could indicate that the resulting encoded bytes are wrong.)
-	 */
-	PORT_Assert (!encoded);
-    } else {
-	/*
-	 * We are decoding; record whether the resulting value is
-	 * still encoded or not.
-	 */
-	attribute->encoded = encoded;
-    }
-    return theTemplate;
-}
-
-static const SEC_ASN1TemplateChooserPtr sec_attr_chooser
-	= sec_attr_choose_attr_value_template;
-
-static const SEC_ASN1Template sec_pkcs7_attribute_template[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(SEC_PKCS7Attribute) },
-    { SEC_ASN1_OBJECT_ID,
-	  offsetof(SEC_PKCS7Attribute,type) },
-    { SEC_ASN1_DYNAMIC | SEC_ASN1_SET_OF,
-	  offsetof(SEC_PKCS7Attribute,values),
-	  &sec_attr_chooser },
-    { 0 }
-};
-
-static const SEC_ASN1Template sec_pkcs7_set_of_attribute_template[] = {
-    { SEC_ASN1_SET_OF, 0, sec_pkcs7_attribute_template },
-};
-
-/*
- * If you are wondering why this routine does not reorder the attributes
- * first, and might be tempted to make it do so, see the comment by the
- * call to ReorderAttributes in p7encode.c.  (Or, see who else calls this
- * and think long and hard about the implications of making it always
- * do the reordering.)
- */
-SECItem *
-sec_PKCS7EncodeAttributes (PRArenaPool *poolp, SECItem *dest, void *src)
-{
-    return SEC_ASN1EncodeItem (poolp, dest, src,
-			       sec_pkcs7_set_of_attribute_template);
-}
-
-/*
- * Make sure that the order of the attributes guarantees valid DER
- * (which must be in lexigraphically ascending order for a SET OF);
- * if reordering is necessary it will be done in place (in attrs).
- */
-SECStatus
-sec_PKCS7ReorderAttributes (SEC_PKCS7Attribute **attrs)
-{
-    PRArenaPool *poolp;
-    int num_attrs, i, pass, besti;
-    unsigned int j;
-    SECItem **enc_attrs;
-    SEC_PKCS7Attribute **new_attrs;
-
-    /*
-     * I think we should not be called with NULL.  But if we are,
-     * call it a success anyway, because the order *is* okay.
-     */
-    PORT_Assert (attrs != NULL);
-    if (attrs == NULL)
-	return SECSuccess;
-
-    /*
-     * Count how many attributes we are dealing with here.
-     */
-    num_attrs = 0;
-    while (attrs[num_attrs] != NULL)
-	num_attrs++;
-
-    /*
-     * Again, I think we should have some attributes here.
-     * But if we do not, or if there is only one, then call it
-     * a success because it also already has a fine order.
-     */
-    PORT_Assert (num_attrs);
-    if (num_attrs == 0 || num_attrs == 1)
-	return SECSuccess;
-
-    /*
-     * Allocate an arena for us to work with, so it is easy to
-     * clean up all of the memory (fairly small pieces, really).
-     */
-    poolp = PORT_NewArena (1024);	/* XXX what is right value? */
-    if (poolp == NULL)
-	return SECFailure;		/* no memory; nothing we can do... */
-
-    /*
-     * Allocate arrays to hold the individual encodings which we will use
-     * for comparisons and the reordered attributes as they are sorted.
-     */
-    enc_attrs=(SECItem**)PORT_ArenaZAlloc(poolp, num_attrs*sizeof(SECItem *));
-    new_attrs = (SEC_PKCS7Attribute**)PORT_ArenaZAlloc (poolp,
-				  num_attrs * sizeof(SEC_PKCS7Attribute *));
-    if (enc_attrs == NULL || new_attrs == NULL) {
-	PORT_FreeArena (poolp, PR_FALSE);
-	return SECFailure;
-    }
-
-    /*
-     * DER encode each individual attribute.
-     */
-    for (i = 0; i < num_attrs; i++) {
-	enc_attrs[i] = SEC_ASN1EncodeItem (poolp, NULL, attrs[i],
-					   sec_pkcs7_attribute_template);
-	if (enc_attrs[i] == NULL) {
-	    PORT_FreeArena (poolp, PR_FALSE);
-	    return SECFailure;
-	}
-    }
-
-    /*
-     * Now compare and sort them; this is not the most efficient sorting
-     * method, but it is just fine for the problem at hand, because the
-     * number of attributes is (always) going to be small.
-     */
-    for (pass = 0; pass < num_attrs; pass++) {
-	/*
-	 * Find the first not-yet-accepted attribute.  (Once one is
-	 * sorted into the other array, it is cleared from enc_attrs.)
-	 */
-	for (i = 0; i < num_attrs; i++) {
-	    if (enc_attrs[i] != NULL)
-		break;
-	}
-	PORT_Assert (i < num_attrs);
-	besti = i;
-
-	/*
-	 * Find the lowest (lexigraphically) encoding.  One that is
-	 * shorter than all the rest is known to be "less" because each
-	 * attribute is of the same type (a SEQUENCE) and so thus the
-	 * first octet of each is the same, and the second octet is
-	 * the length (or the length of the length with the high bit
-	 * set, followed by the length, which also works out to always
-	 * order the shorter first).  Two (or more) that have the
-	 * same length need to be compared byte by byte until a mismatch
-	 * is found.
-	 */
-	for (i = besti + 1; i < num_attrs; i++) {
-	    if (enc_attrs[i] == NULL)	/* slot already handled */
-		continue;
-
-	    if (enc_attrs[i]->len != enc_attrs[besti]->len) {
-		if (enc_attrs[i]->len < enc_attrs[besti]->len)
-		    besti = i;
-		continue;
-	    }
-
-	    for (j = 0; j < enc_attrs[i]->len; j++) {
-		if (enc_attrs[i]->data[j] < enc_attrs[besti]->data[j]) {
-		    besti = i;
-		    break;
-		}
-	    }
-
-	    /*
-	     * For this not to be true, we would have to have encountered	
-	     * two *identical* attributes, which I think we should not see.
-	     * So assert if it happens, but even if it does, let it go
-	     * through; the ordering of the two does not matter.
-	     */
-	    PORT_Assert (j < enc_attrs[i]->len);
-	}
-
-	/*
-	 * Now we have found the next-lowest one; copy it over and
-	 * remove it from enc_attrs.
-	 */
-	new_attrs[pass] = attrs[besti];
-	enc_attrs[besti] = NULL;
-    }
-
-    /*
-     * Now new_attrs has the attributes in the order we want;
-     * copy them back into the attrs array we started with.
-     */
-    for (i = 0; i < num_attrs; i++)
-	attrs[i] = new_attrs[i];
-
-    PORT_FreeArena (poolp, PR_FALSE);
-    return SECSuccess;
-}
-
-/*
- * End of attribute stuff.
- * -------------------------------------------------------------------
- */
-
-
-/*
- * Templates and stuff.  Keep these at the end of the file.
- */
-
-/* forward declaration */
-static const SEC_ASN1Template *
-sec_pkcs7_choose_content_template(void *src_or_dest, PRBool encoding);
-
-static const SEC_ASN1TemplateChooserPtr sec_pkcs7_chooser
-	= sec_pkcs7_choose_content_template;
-
-const SEC_ASN1Template sec_PKCS7ContentInfoTemplate[] = {
-    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
-	  0, NULL, sizeof(SEC_PKCS7ContentInfo) },
-    { SEC_ASN1_OBJECT_ID,
-	  offsetof(SEC_PKCS7ContentInfo,contentType) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_DYNAMIC | SEC_ASN1_MAY_STREAM
-     | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
-	  offsetof(SEC_PKCS7ContentInfo,content),
-	  &sec_pkcs7_chooser },
-    { 0 }
-};
-
-/* XXX These names should change from external to internal convention. */
-
-static const SEC_ASN1Template SEC_PKCS7SignerInfoTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(SEC_PKCS7SignerInfo) },
-    { SEC_ASN1_INTEGER,
-	  offsetof(SEC_PKCS7SignerInfo,version) },
-    { SEC_ASN1_POINTER | SEC_ASN1_XTRN,
-	  offsetof(SEC_PKCS7SignerInfo,issuerAndSN),
-	  SEC_ASN1_SUB(CERT_IssuerAndSNTemplate) },
-    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
-	  offsetof(SEC_PKCS7SignerInfo,digestAlg),
-	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
-	  offsetof(SEC_PKCS7SignerInfo,authAttr),
-	  sec_pkcs7_set_of_attribute_template },
-    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
-	  offsetof(SEC_PKCS7SignerInfo,digestEncAlg),
-	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-    { SEC_ASN1_OCTET_STRING,
-	  offsetof(SEC_PKCS7SignerInfo,encDigest) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
-	  offsetof(SEC_PKCS7SignerInfo,unAuthAttr),
-	  sec_pkcs7_set_of_attribute_template },
-    { 0 }
-};
-
-static const SEC_ASN1Template SEC_PKCS7SignedDataTemplate[] = {
-    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
-	  0, NULL, sizeof(SEC_PKCS7SignedData) },
-    { SEC_ASN1_INTEGER,
-	  offsetof(SEC_PKCS7SignedData,version) },
-    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN,
-	  offsetof(SEC_PKCS7SignedData,digestAlgorithms),
-	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-    { SEC_ASN1_INLINE,
-	  offsetof(SEC_PKCS7SignedData,contentInfo),
-	  sec_PKCS7ContentInfoTemplate },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC  |
-      SEC_ASN1_XTRN | 0,
-	  offsetof(SEC_PKCS7SignedData,rawCerts),
-	  SEC_ASN1_SUB(SEC_SetOfAnyTemplate) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC  |
-      SEC_ASN1_XTRN | 1,
-	  offsetof(SEC_PKCS7SignedData,crls),
-	  SEC_ASN1_SUB(CERT_SetOfSignedCrlTemplate) },
-    { SEC_ASN1_SET_OF,
-	  offsetof(SEC_PKCS7SignedData,signerInfos),
-	  SEC_PKCS7SignerInfoTemplate },
-    { 0 }
-};
-
-static const SEC_ASN1Template SEC_PointerToPKCS7SignedDataTemplate[] = {
-    { SEC_ASN1_POINTER, 0, SEC_PKCS7SignedDataTemplate }
-};
-
-static const SEC_ASN1Template SEC_PKCS7RecipientInfoTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(SEC_PKCS7RecipientInfo) },
-    { SEC_ASN1_INTEGER,
-	  offsetof(SEC_PKCS7RecipientInfo,version) },
-    { SEC_ASN1_POINTER | SEC_ASN1_XTRN,
-	  offsetof(SEC_PKCS7RecipientInfo,issuerAndSN),
-	  SEC_ASN1_SUB(CERT_IssuerAndSNTemplate) },
-    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
-	  offsetof(SEC_PKCS7RecipientInfo,keyEncAlg),
-	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-    { SEC_ASN1_OCTET_STRING,
-	  offsetof(SEC_PKCS7RecipientInfo,encKey) },
-    { 0 }
-};
-
-static const SEC_ASN1Template SEC_PKCS7EncryptedContentInfoTemplate[] = {
-    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
-	  0, NULL, sizeof(SEC_PKCS7EncryptedContentInfo) },
-    { SEC_ASN1_OBJECT_ID,
-	  offsetof(SEC_PKCS7EncryptedContentInfo,contentType) },
-    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
-	  offsetof(SEC_PKCS7EncryptedContentInfo,contentEncAlg),
-	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_MAY_STREAM | SEC_ASN1_CONTEXT_SPECIFIC |
-      SEC_ASN1_XTRN | 0,
-	  offsetof(SEC_PKCS7EncryptedContentInfo,encContent),
-	  SEC_ASN1_SUB(SEC_OctetStringTemplate) },
-    { 0 }
-};
-
-static const SEC_ASN1Template SEC_PKCS7EnvelopedDataTemplate[] = {
-    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
-	  0, NULL, sizeof(SEC_PKCS7EnvelopedData) },
-    { SEC_ASN1_INTEGER,
-	  offsetof(SEC_PKCS7EnvelopedData,version) },
-    { SEC_ASN1_SET_OF,
-	  offsetof(SEC_PKCS7EnvelopedData,recipientInfos),
-	  SEC_PKCS7RecipientInfoTemplate },
-    { SEC_ASN1_INLINE,
-	  offsetof(SEC_PKCS7EnvelopedData,encContentInfo),
-	  SEC_PKCS7EncryptedContentInfoTemplate },
-    { 0 }
-};
-
-static const SEC_ASN1Template SEC_PointerToPKCS7EnvelopedDataTemplate[] = {
-    { SEC_ASN1_POINTER, 0, SEC_PKCS7EnvelopedDataTemplate }
-};
-
-static const SEC_ASN1Template SEC_PKCS7SignedAndEnvelopedDataTemplate[] = {
-    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
-	  0, NULL, sizeof(SEC_PKCS7SignedAndEnvelopedData) },
-    { SEC_ASN1_INTEGER,
-	  offsetof(SEC_PKCS7SignedAndEnvelopedData,version) },
-    { SEC_ASN1_SET_OF,
-	  offsetof(SEC_PKCS7SignedAndEnvelopedData,recipientInfos),
-	  SEC_PKCS7RecipientInfoTemplate },
-    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN,
-	  offsetof(SEC_PKCS7SignedAndEnvelopedData,digestAlgorithms),
-	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-    { SEC_ASN1_INLINE,
-	  offsetof(SEC_PKCS7SignedAndEnvelopedData,encContentInfo),
-	  SEC_PKCS7EncryptedContentInfoTemplate },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
-      SEC_ASN1_XTRN | 0,
-	  offsetof(SEC_PKCS7SignedAndEnvelopedData,rawCerts),
-	  SEC_ASN1_SUB(SEC_SetOfAnyTemplate) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
-      SEC_ASN1_XTRN | 1,
-	  offsetof(SEC_PKCS7SignedAndEnvelopedData,crls),
-	  SEC_ASN1_SUB(CERT_SetOfSignedCrlTemplate) },
-    { SEC_ASN1_SET_OF,
-	  offsetof(SEC_PKCS7SignedAndEnvelopedData,signerInfos),
-	  SEC_PKCS7SignerInfoTemplate },
-    { 0 }
-};
-
-static const SEC_ASN1Template
-SEC_PointerToPKCS7SignedAndEnvelopedDataTemplate[] = {
-    { SEC_ASN1_POINTER, 0, SEC_PKCS7SignedAndEnvelopedDataTemplate }
-};
-
-static const SEC_ASN1Template SEC_PKCS7DigestedDataTemplate[] = {
-    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
-	  0, NULL, sizeof(SEC_PKCS7DigestedData) },
-    { SEC_ASN1_INTEGER,
-	  offsetof(SEC_PKCS7DigestedData,version) },
-    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
-	  offsetof(SEC_PKCS7DigestedData,digestAlg),
-	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-    { SEC_ASN1_INLINE,
-	  offsetof(SEC_PKCS7DigestedData,contentInfo),
-	  sec_PKCS7ContentInfoTemplate },
-    { SEC_ASN1_OCTET_STRING,
-	  offsetof(SEC_PKCS7DigestedData,digest) },
-    { 0 }
-};
-
-static const SEC_ASN1Template SEC_PointerToPKCS7DigestedDataTemplate[] = {
-    { SEC_ASN1_POINTER, 0, SEC_PKCS7DigestedDataTemplate }
-};
-
-static const SEC_ASN1Template SEC_PKCS7EncryptedDataTemplate[] = {
-    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
-	  0, NULL, sizeof(SEC_PKCS7EncryptedData) },
-    { SEC_ASN1_INTEGER,
-	  offsetof(SEC_PKCS7EncryptedData,version) },
-    { SEC_ASN1_INLINE,
-	  offsetof(SEC_PKCS7EncryptedData,encContentInfo),
-	  SEC_PKCS7EncryptedContentInfoTemplate },
-    { 0 }
-};
-
-static const SEC_ASN1Template SEC_PointerToPKCS7EncryptedDataTemplate[] = {
-    { SEC_ASN1_POINTER, 0, SEC_PKCS7EncryptedDataTemplate }
-};
-
-const SEC_ASN1Template SEC_SMIMEKEAParamTemplateSkipjack[] = {
-	{ SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(SEC_PKCS7SMIMEKEAParameters) },
-	{ SEC_ASN1_OCTET_STRING /* | SEC_ASN1_OPTIONAL */,
-	  offsetof(SEC_PKCS7SMIMEKEAParameters,originatorKEAKey) },
-	{ SEC_ASN1_OCTET_STRING,
-	  offsetof(SEC_PKCS7SMIMEKEAParameters,originatorRA) },
-	{ 0 }
-};
-
-const SEC_ASN1Template SEC_SMIMEKEAParamTemplateNoSkipjack[] = {
-	{ SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(SEC_PKCS7SMIMEKEAParameters) },
-	{ SEC_ASN1_OCTET_STRING /* | SEC_ASN1_OPTIONAL */,
-	  offsetof(SEC_PKCS7SMIMEKEAParameters,originatorKEAKey) },
-	{ SEC_ASN1_OCTET_STRING,
-	  offsetof(SEC_PKCS7SMIMEKEAParameters,originatorRA) },
-	{ SEC_ASN1_OCTET_STRING  | SEC_ASN1_OPTIONAL ,
-	  offsetof(SEC_PKCS7SMIMEKEAParameters,nonSkipjackIV) },
-	{ 0 }
-};
-
-const SEC_ASN1Template SEC_SMIMEKEAParamTemplateAllParams[] = {
-	{ SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(SEC_PKCS7SMIMEKEAParameters) },
-	{ SEC_ASN1_OCTET_STRING /* | SEC_ASN1_OPTIONAL */,
-	  offsetof(SEC_PKCS7SMIMEKEAParameters,originatorKEAKey) },
-	{ SEC_ASN1_OCTET_STRING,
-	  offsetof(SEC_PKCS7SMIMEKEAParameters,originatorRA) },
-	{ SEC_ASN1_OCTET_STRING  | SEC_ASN1_OPTIONAL ,
-	  offsetof(SEC_PKCS7SMIMEKEAParameters,nonSkipjackIV) },
-	{ SEC_ASN1_OCTET_STRING  | SEC_ASN1_OPTIONAL ,
-	  offsetof(SEC_PKCS7SMIMEKEAParameters,bulkKeySize) },
-	{ 0 }
-};
-
-const SEC_ASN1Template*
-sec_pkcs7_get_kea_template(SECKEATemplateSelector whichTemplate)
-{
-	const SEC_ASN1Template *returnVal = NULL;
-
-	switch(whichTemplate)
-	{
-	case SECKEAUsesNonSkipjack:
-		returnVal = SEC_SMIMEKEAParamTemplateNoSkipjack;
-		break;
-	case SECKEAUsesSkipjack:
-		returnVal = SEC_SMIMEKEAParamTemplateSkipjack;
-		break;
-	case SECKEAUsesNonSkipjackWithPaddedEncKey:
-	default:
-		returnVal = SEC_SMIMEKEAParamTemplateAllParams;
-		break;
-	}
-	return returnVal;
-}
-	
-static const SEC_ASN1Template *
-sec_pkcs7_choose_content_template(void *src_or_dest, PRBool encoding)
-{
-    const SEC_ASN1Template *theTemplate;
-    SEC_PKCS7ContentInfo *cinfo;
-    SECOidTag kind;
-
-    PORT_Assert (src_or_dest != NULL);
-    if (src_or_dest == NULL)
-	return NULL;
-
-    cinfo = (SEC_PKCS7ContentInfo*)src_or_dest;
-    kind = SEC_PKCS7ContentType (cinfo);
-    switch (kind) {
-      default:
-	theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
-	break;
-      case SEC_OID_PKCS7_DATA:
-	theTemplate = SEC_ASN1_GET(SEC_PointerToOctetStringTemplate);
-	break;
-      case SEC_OID_PKCS7_SIGNED_DATA:
-	theTemplate = SEC_PointerToPKCS7SignedDataTemplate;
-	break;
-      case SEC_OID_PKCS7_ENVELOPED_DATA:
-	theTemplate = SEC_PointerToPKCS7EnvelopedDataTemplate;
-	break;
-      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
-	theTemplate = SEC_PointerToPKCS7SignedAndEnvelopedDataTemplate;
-	break;
-      case SEC_OID_PKCS7_DIGESTED_DATA:
-	theTemplate = SEC_PointerToPKCS7DigestedDataTemplate;
-	break;
-      case SEC_OID_PKCS7_ENCRYPTED_DATA:
-	theTemplate = SEC_PointerToPKCS7EncryptedDataTemplate;
-	break;
-    }
-    return theTemplate;
-}
-
-/*
- * End of templates.  Do not add stuff after this; put new code
- * up above the start of the template definitions.
- */
diff --git a/security/nss/lib/pkcs7/p7local.h b/security/nss/lib/pkcs7/p7local.h
deleted file mode 100644
index 2647d5f6e..000000000
--- a/security/nss/lib/pkcs7/p7local.h
+++ /dev/null
@@ -1,179 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Support routines for PKCS7 implementation, none of which are exported.
- * This file should only contain things that are needed by both the
- * encoding/creation side *and* the decoding/decryption side.  Anything
- * else should just be static routines in the appropriate file.
- *
- * Do not export this file!  If something in here is really needed outside
- * of pkcs7 code, first try to add a PKCS7 interface which will do it for
- * you.  If that has a problem, then just move out what you need, changing
- * its name as appropriate!
- *
- * $Id$
- */
-
-#ifndef _P7LOCAL_H_
-#define _P7LOCAL_H_
-
-#include "secpkcs7.h"
-#include "secasn1t.h"
-
-extern const SEC_ASN1Template sec_PKCS7ContentInfoTemplate[];
-
-/* opaque objects */
-typedef struct sec_pkcs7_cipher_object sec_PKCS7CipherObject;
-
-
-/************************************************************************/
-SEC_BEGIN_PROTOS
-
-/*
- * Look through a set of attributes and find one that matches the
- * specified object ID.  If "only" is true, then make sure that
- * there is not more than one attribute of the same type.  Otherwise,
- * just return the first one found. (XXX Does anybody really want
- * that first-found behavior?  It was like that when I found it...)
- */
-extern SEC_PKCS7Attribute *sec_PKCS7FindAttribute (SEC_PKCS7Attribute **attrs,
-						   SECOidTag oidtag,
-						   PRBool only);
-/*
- * Return the single attribute value, doing some sanity checking first:
- * - Multiple values are *not* expected.
- * - Empty values are *not* expected.
- */
-extern SECItem *sec_PKCS7AttributeValue (SEC_PKCS7Attribute *attr);
-
-/*
- * Encode a set of attributes (found in "src").
- */
-extern SECItem *sec_PKCS7EncodeAttributes (PRArenaPool *poolp,
-					   SECItem *dest, void *src);
-
-/*
- * Make sure that the order of the attributes guarantees valid DER
- * (which must be in lexigraphically ascending order for a SET OF);
- * if reordering is necessary it will be done in place (in attrs).
- */
-extern SECStatus sec_PKCS7ReorderAttributes (SEC_PKCS7Attribute **attrs);
-
-
-/*
- * Create a context for decrypting, based on the given key and algorithm.
- */
-extern sec_PKCS7CipherObject *
-sec_PKCS7CreateDecryptObject (PK11SymKey *key, SECAlgorithmID *algid);
-
-/*
- * Create a context for encrypting, based on the given key and algorithm,
- * and fill in the algorithm id.
- */
-extern sec_PKCS7CipherObject *
-sec_PKCS7CreateEncryptObject (PRArenaPool *poolp, PK11SymKey *key,
-			      SECOidTag algtag, SECAlgorithmID *algid);
-
-/*
- * Destroy the given decryption or encryption object.
- */
-extern void sec_PKCS7DestroyDecryptObject (sec_PKCS7CipherObject *obj);
-extern void sec_PKCS7DestroyEncryptObject (sec_PKCS7CipherObject *obj);
-
-/*
- * What will be the output length of the next call to encrypt/decrypt?
- * Result can be used to perform memory allocations.  Note that the amount
- * is exactly accurate only when not doing a block cipher or when final
- * is false, otherwise it is an upper bound on the amount because until
- * we see the data we do not know how many padding bytes there are
- * (always between 1 and the cipher block size).
- *
- * Note that this can return zero, which does not mean that the cipher
- * operation can be skipped!  (It simply means that there are not enough
- * bytes to make up an entire block; the bytes will be reserved until
- * there are enough to encrypt/decrypt at least one block.)  However,
- * if zero is returned it *does* mean that no output buffer need be
- * passed in to the subsequent cipher operation, as no output bytes
- * will be stored.
- */
-extern unsigned int sec_PKCS7DecryptLength (sec_PKCS7CipherObject *obj,
-					    unsigned int input_len,
-					    PRBool final);
-extern unsigned int sec_PKCS7EncryptLength (sec_PKCS7CipherObject *obj,
-					    unsigned int input_len,
-					    PRBool final);
-
-/*
- * Decrypt a given length of input buffer (starting at "input" and
- * containing "input_len" bytes), placing the decrypted bytes in
- * "output" and storing the output length in "*output_len_p".
- * "obj" is the return value from sec_PKCS7CreateDecryptObject.
- * When "final" is true, this is the last of the data to be decrypted.
- */ 
-extern SECStatus sec_PKCS7Decrypt (sec_PKCS7CipherObject *obj,
-				   unsigned char *output,
-				   unsigned int *output_len_p,
-				   unsigned int max_output_len,
-				   const unsigned char *input,
-				   unsigned int input_len,
-				   PRBool final);
-
-/*
- * Encrypt a given length of input buffer (starting at "input" and
- * containing "input_len" bytes), placing the encrypted bytes in
- * "output" and storing the output length in "*output_len_p".
- * "obj" is the return value from sec_PKCS7CreateEncryptObject.
- * When "final" is true, this is the last of the data to be encrypted.
- */ 
-extern SECStatus sec_PKCS7Encrypt (sec_PKCS7CipherObject *obj,
-				   unsigned char *output,
-				   unsigned int *output_len_p,
-				   unsigned int max_output_len,
-				   const unsigned char *input,
-				   unsigned int input_len,
-				   PRBool final);
-
-/* return the correct kea template based on the template selector. skipjack
- * does not have the extra IV.
- */
-const SEC_ASN1Template * 
-sec_pkcs7_get_kea_template(SECKEATemplateSelector whichTemplate);
-
-/************************************************************************/
-SEC_END_PROTOS
-
-#endif /* _P7LOCAL_H_ */
diff --git a/security/nss/lib/pkcs7/pkcs7t.h b/security/nss/lib/pkcs7/pkcs7t.h
deleted file mode 100644
index 49730351b..000000000
--- a/security/nss/lib/pkcs7/pkcs7t.h
+++ /dev/null
@@ -1,299 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Header for pkcs7 types.
- *
- * $Id$
- */
-
-#ifndef _PKCS7T_H_
-#define _PKCS7T_H_
-
-#include "plarena.h"
-
-#include "seccomon.h"
-#include "secoidt.h"
-#include "certt.h"
-#include "secmodt.h"
-
-/* Opaque objects */
-typedef struct SEC_PKCS7DecoderContextStr SEC_PKCS7DecoderContext;
-typedef struct SEC_PKCS7EncoderContextStr SEC_PKCS7EncoderContext;
-
-/* legacy defines that haven't been active for years */
-typedef void *(*SECKEYGetPasswordKey)(void *arg, void *handle);
-
-
-/* Non-opaque objects.  NOTE, though: I want them to be treated as
- * opaque as much as possible.  If I could hide them completely,
- * I would.  (I tried, but ran into trouble that was taking me too
- * much time to get out of.)  I still intend to try to do so.
- * In fact, the only type that "outsiders" should even *name* is
- * SEC_PKCS7ContentInfo, and they should not reference its fields.
- */
-/* rjr: PKCS #11 cert handling (pk11cert.c) does use SEC_PKCS7RecipientInfo's.
- * This is because when we search the recipient list for the cert and key we
- * want, we need to invert the order of the loops we used to have. The old
- * loops were:
- *
- *  For each recipient {
- *       find_cert = PK11_Find_AllCert(recipient->issuerSN);
- *       [which unrolls to... ]
- *       For each slot {
- *            Log into slot;
- *            search slot for cert;
- *      }
- *  }
- *
- *  the new loop searchs all the recipients at once on a slot. this allows
- *  PKCS #11 to order slots in such a way that logout slots don't get checked
- *  if we can find the cert on a logged in slot. This eliminates lots of
- *  spurious password prompts when smart cards are installed... so why this
- *  comment? If you make SEC_PKCS7RecipientInfo completely opaque, you need
- *  to provide a non-opaque list of issuerSN's (the only field PKCS#11 needs
- *  and fix up pk11cert.c first. NOTE: Only S/MIME calls this special PKCS #11
- *  function.
- */
-typedef struct SEC_PKCS7ContentInfoStr SEC_PKCS7ContentInfo;
-typedef struct SEC_PKCS7SignedDataStr SEC_PKCS7SignedData;
-typedef struct SEC_PKCS7EncryptedContentInfoStr SEC_PKCS7EncryptedContentInfo;
-typedef struct SEC_PKCS7EnvelopedDataStr SEC_PKCS7EnvelopedData;
-typedef struct SEC_PKCS7SignedAndEnvelopedDataStr
-		SEC_PKCS7SignedAndEnvelopedData;
-typedef struct SEC_PKCS7SignerInfoStr SEC_PKCS7SignerInfo;
-typedef struct SEC_PKCS7RecipientInfoStr SEC_PKCS7RecipientInfo;
-typedef struct SEC_PKCS7DigestedDataStr SEC_PKCS7DigestedData;
-typedef struct SEC_PKCS7EncryptedDataStr SEC_PKCS7EncryptedData;
-typedef struct SEC_PKCS7SMIMEKEAParametersStr SEC_PKCS7SMIMEKEAParameters;
-/*
- * The following is not actually a PKCS7 type, but for now it is only
- * used by PKCS7, so we have adopted it.  If someone else *ever* needs
- * it, its name should be changed and it should be moved out of here.
- * Do not dare to use it without doing so!
- */
-typedef struct SEC_PKCS7AttributeStr SEC_PKCS7Attribute;
-
-struct SEC_PKCS7ContentInfoStr {
-    PRArenaPool *poolp;			/* local; not part of encoding */
-    PRBool created;			/* local; not part of encoding */
-    int refCount;			/* local; not part of encoding */
-    SECOidData *contentTypeTag;		/* local; not part of encoding */
-    SECKEYGetPasswordKey pwfn;		/* local; not part of encoding */
-    void *pwfn_arg;			/* local; not part of encoding */
-    SECItem contentType;
-    union {
-	SECItem				*data;
-	SEC_PKCS7DigestedData		*digestedData;
-	SEC_PKCS7EncryptedData		*encryptedData;
-	SEC_PKCS7EnvelopedData		*envelopedData;
-	SEC_PKCS7SignedData		*signedData;
-	SEC_PKCS7SignedAndEnvelopedData	*signedAndEnvelopedData;
-    } content;
-};
-
-struct SEC_PKCS7SignedDataStr {
-    SECItem version;
-    SECAlgorithmID **digestAlgorithms;
-    SEC_PKCS7ContentInfo contentInfo;
-    SECItem **rawCerts;
-    CERTSignedCrl **crls;
-    SEC_PKCS7SignerInfo **signerInfos;
-    SECItem **digests;			/* local; not part of encoding */
-    CERTCertificate **certs;		/* local; not part of encoding */
-    CERTCertificateList **certLists;	/* local; not part of encoding */
-};
-#define SEC_PKCS7_SIGNED_DATA_VERSION		1	/* what we *create* */
-
-struct SEC_PKCS7EncryptedContentInfoStr {
-    SECOidData *contentTypeTag;		/* local; not part of encoding */
-    SECItem contentType;
-    SECAlgorithmID contentEncAlg;
-    SECItem encContent;
-    SECItem plainContent;		/* local; not part of encoding */
-					/* bytes not encrypted, but encoded */
-    int keysize;			/* local; not part of encoding */
-					/* size of bulk encryption key
-					 * (only used by creation code) */
-    SECOidTag encalg;			/* local; not part of encoding */
-					/* oid tag of encryption algorithm
-					 * (only used by creation code) */
-};
-
-struct SEC_PKCS7EnvelopedDataStr {
-    SECItem version;
-    SEC_PKCS7RecipientInfo **recipientInfos;
-    SEC_PKCS7EncryptedContentInfo encContentInfo;
-};
-#define SEC_PKCS7_ENVELOPED_DATA_VERSION	0	/* what we *create* */
-
-struct SEC_PKCS7SignedAndEnvelopedDataStr {
-    SECItem version;
-    SEC_PKCS7RecipientInfo **recipientInfos;
-    SECAlgorithmID **digestAlgorithms;
-    SEC_PKCS7EncryptedContentInfo encContentInfo;
-    SECItem **rawCerts;
-    CERTSignedCrl **crls;
-    SEC_PKCS7SignerInfo **signerInfos;
-    SECItem **digests;			/* local; not part of encoding */
-    CERTCertificate **certs;		/* local; not part of encoding */
-    CERTCertificateList **certLists;	/* local; not part of encoding */
-    PK11SymKey *sigKey;			/* local; not part of encoding */
-};
-#define SEC_PKCS7_SIGNED_AND_ENVELOPED_DATA_VERSION 1	/* what we *create* */
-
-struct SEC_PKCS7SignerInfoStr {
-    SECItem version;
-    CERTIssuerAndSN *issuerAndSN;
-    SECAlgorithmID digestAlg;
-    SEC_PKCS7Attribute **authAttr;
-    SECAlgorithmID digestEncAlg;
-    SECItem encDigest;
-    SEC_PKCS7Attribute **unAuthAttr;
-    CERTCertificate *cert;		/* local; not part of encoding */
-    CERTCertificateList *certList;	/* local; not part of encoding */
-};
-#define SEC_PKCS7_SIGNER_INFO_VERSION		1	/* what we *create* */
-
-struct SEC_PKCS7RecipientInfoStr {
-    SECItem version;
-    CERTIssuerAndSN *issuerAndSN;
-    SECAlgorithmID keyEncAlg;
-    SECItem encKey;
-    CERTCertificate *cert;		/* local; not part of encoding */
-};
-#define SEC_PKCS7_RECIPIENT_INFO_VERSION	0	/* what we *create* */
-
-struct SEC_PKCS7DigestedDataStr {
-    SECItem version;
-    SECAlgorithmID digestAlg;
-    SEC_PKCS7ContentInfo contentInfo;
-    SECItem digest;
-};
-#define SEC_PKCS7_DIGESTED_DATA_VERSION		0	/* what we *create* */
-
-struct SEC_PKCS7EncryptedDataStr {
-    SECItem version;
-    SEC_PKCS7EncryptedContentInfo encContentInfo;
-};
-#define SEC_PKCS7_ENCRYPTED_DATA_VERSION	0	/* what we *create* */
-
-/*
- * See comment above about this type not really belonging to PKCS7.
- */
-struct SEC_PKCS7AttributeStr {
-    /* The following fields make up an encoded Attribute: */
-    SECItem type;
-    SECItem **values;	/* data may or may not be encoded */
-    /* The following fields are not part of an encoded Attribute: */
-    SECOidData *typeTag;
-    PRBool encoded;	/* when true, values are encoded */
-};
-
-/* An enumerated type used to select templates based on the encryption
-   scenario and data specifics. */
-typedef enum
-{
-	SECKEAInvalid = -1,
-	SECKEAUsesSkipjack = 0,
-	SECKEAUsesNonSkipjack = 1,
-	SECKEAUsesNonSkipjackWithPaddedEncKey = 2
-} SECKEATemplateSelector;
-
-/* ### mwelch - S/MIME KEA parameters. These don't really fit here,
-                but I cannot think of a more appropriate place at this time. */
-struct SEC_PKCS7SMIMEKEAParametersStr {
-	SECItem originatorKEAKey;	/* sender KEA key (encrypted?) */
-	SECItem originatorRA;		/* random number generated by sender */
-	SECItem nonSkipjackIV;		/* init'n vector for SkipjackCBC64
-					   decryption of KEA key if Skipjack
-					   is not the bulk algorithm used on
-					   the message */
-	SECItem bulkKeySize;		/* if Skipjack is not the bulk
-					   algorithm used on the message,
-					   and the size of the bulk encryption
-					   key is not the same as that of
-					   originatorKEAKey (due to padding
-					   perhaps), this field will contain
-					   the real size of the bulk encryption
-					   key. */
-};
-
-/*
- * Type of function passed to SEC_PKCS7Decode or SEC_PKCS7DecoderStart.
- * If specified, this is where the content bytes (only) will be "sent"
- * as they are recovered during the decoding.
- *
- * XXX Should just combine this with SEC_PKCS7EncoderContentCallback type
- * and use a simpler, common name.
- */
-typedef void (* SEC_PKCS7DecoderContentCallback)(void *arg,
-						 const char *buf,
-						 unsigned long len);
-
-/*
- * Type of function passed to SEC_PKCS7Encode or SEC_PKCS7EncoderStart.
- * This is where the encoded bytes will be "sent".
- *
- * XXX Should just combine this with SEC_PKCS7DecoderContentCallback type
- * and use a simpler, common name.
- */
-typedef void (* SEC_PKCS7EncoderOutputCallback)(void *arg,
-						const char *buf,
-						unsigned long len);
-
-
-/*
- * Type of function passed to SEC_PKCS7Decode or SEC_PKCS7DecoderStart
- * to retrieve the decryption key.  This function is inteded to be
- * used for EncryptedData content info's which do not have a key available
- * in a certificate, etc.
- */
-typedef PK11SymKey * (* SEC_PKCS7GetDecryptKeyCallback)(void *arg, 
-							SECAlgorithmID *algid);
-
-/* 
- * Type of function passed to SEC_PKCS7Decode or SEC_PKCS7DecoderStart.
- * This function in intended to be used to verify that decrypting a
- * particular crypto algorithm is allowed.  Content types which do not
- * require decryption will not need the callback.  If the callback
- * is not specified for content types which require decryption, the
- * decryption will be disallowed.
- */
-typedef PRBool (* SEC_PKCS7DecryptionAllowedCallback)(SECAlgorithmID *algid,  
-						      PK11SymKey *bulkkey);
-
-#endif /* _PKCS7T_H_ */
diff --git a/security/nss/lib/pkcs7/secmime.c b/security/nss/lib/pkcs7/secmime.c
deleted file mode 100644
index e113cbdf2..000000000
--- a/security/nss/lib/pkcs7/secmime.c
+++ /dev/null
@@ -1,904 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Stuff specific to S/MIME policy and interoperability.
- * Depends on PKCS7, but there should be no dependency the other way around.
- *
- * $Id$
- */
-
-#include "secmime.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "ciferfam.h"	/* for CIPHER_FAMILY symbols */
-#include "secasn1.h"
-#include "secitem.h"
-#include "cert.h"
-#include "key.h"
-#include "secerr.h"
-
-typedef struct smime_cipher_map_struct {
-    unsigned long cipher;
-    SECOidTag algtag;
-    SECItem *parms;
-} smime_cipher_map;
-
-/*
- * These are macros because I think some subsequent parameters,
- * like those for RC5, will want to use them, too, separately.
- */
-#define SMIME_DER_INTVAL_16	SEC_ASN1_INTEGER, 0x01, 0x10
-#define SMIME_DER_INTVAL_40	SEC_ASN1_INTEGER, 0x01, 0x28
-#define SMIME_DER_INTVAL_64	SEC_ASN1_INTEGER, 0x01, 0x40
-#define SMIME_DER_INTVAL_128	SEC_ASN1_INTEGER, 0x02, 0x00, 0x80
-
-#ifdef SMIME_DOES_RC5	/* will be needed; quiet unused warning for now */
-static unsigned char smime_int16[] = { SMIME_DER_INTVAL_16 };
-#endif
-static unsigned char smime_int40[] = { SMIME_DER_INTVAL_40 };
-static unsigned char smime_int64[] = { SMIME_DER_INTVAL_64 };
-static unsigned char smime_int128[] = { SMIME_DER_INTVAL_128 };
-
-static SECItem smime_rc2p40 = { siBuffer, smime_int40, sizeof(smime_int40) };
-static SECItem smime_rc2p64 = { siBuffer, smime_int64, sizeof(smime_int64) };
-static SECItem smime_rc2p128 = { siBuffer, smime_int128, sizeof(smime_int128) };
-
-static smime_cipher_map smime_cipher_maps[] = {
-    { SMIME_RC2_CBC_40,		SEC_OID_RC2_CBC,	&smime_rc2p40 },
-    { SMIME_RC2_CBC_64,		SEC_OID_RC2_CBC,	&smime_rc2p64 },
-    { SMIME_RC2_CBC_128,	SEC_OID_RC2_CBC,	&smime_rc2p128 },
-#ifdef SMIME_DOES_RC5
-    { SMIME_RC5PAD_64_16_40,	SEC_OID_RC5_CBC_PAD,	&smime_rc5p40 },
-    { SMIME_RC5PAD_64_16_64,	SEC_OID_RC5_CBC_PAD,	&smime_rc5p64 },
-    { SMIME_RC5PAD_64_16_128,	SEC_OID_RC5_CBC_PAD,	&smime_rc5p128 },
-#endif
-    { SMIME_DES_CBC_56,		SEC_OID_DES_CBC,	NULL },
-    { SMIME_DES_EDE3_168,	SEC_OID_DES_EDE3_CBC,	NULL },
-    { SMIME_FORTEZZA,		SEC_OID_FORTEZZA_SKIPJACK, NULL}
-};
-
-/*
- * Note, the following value really just needs to be an upper bound
- * on the ciphers.
- */
-static const int smime_symmetric_count = sizeof(smime_cipher_maps)
-					 / sizeof(smime_cipher_map);
-
-static unsigned long *smime_prefs, *smime_newprefs;
-static int smime_current_pref_index = 0;
-static PRBool smime_prefs_complete = PR_FALSE;
-static PRBool smime_prefs_changed = PR_TRUE;
-
-static unsigned long smime_policy_bits = 0;
-
-
-static int
-smime_mapi_by_cipher (unsigned long cipher)
-{
-    int i;
-
-    for (i = 0; i < smime_symmetric_count; i++) {
-	if (smime_cipher_maps[i].cipher == cipher)
-	    break;
-    }
-
-    if (i == smime_symmetric_count)
-	return -1;
-
-    return i;
-}
-
-
-/*
- * this function locally records the user's preference
- */
-SECStatus 
-SECMIME_EnableCipher(long which, int on)
-{
-    unsigned long mask;
-
-    if (smime_newprefs == NULL || smime_prefs_complete) {
-	/*
-	 * This is either the very first time, or we are starting over.
-	 */
-	smime_newprefs = (unsigned long*)PORT_ZAlloc (smime_symmetric_count
-				      * sizeof(*smime_newprefs));
-	if (smime_newprefs == NULL)
-	    return SECFailure;
-	smime_current_pref_index = 0;
-	smime_prefs_complete = PR_FALSE;
-    }
-
-    mask = which & CIPHER_FAMILYID_MASK;
-    if (mask == CIPHER_FAMILYID_MASK) {
-    	/*
-	 * This call signifies that all preferences have been set.
-	 * Move "newprefs" over, after checking first whether or
-	 * not the new ones are different from the old ones.
-	 */
-	if (smime_prefs != NULL) {
-	    if (PORT_Memcmp (smime_prefs, smime_newprefs,
-			     smime_symmetric_count * sizeof(*smime_prefs)) == 0)
-		smime_prefs_changed = PR_FALSE;
-	    else
-		smime_prefs_changed = PR_TRUE;
-	    PORT_Free (smime_prefs);
-	}
-
-	smime_prefs = smime_newprefs;
-	smime_prefs_complete = PR_TRUE;
-	return SECSuccess;
-    }
-
-    PORT_Assert (mask == CIPHER_FAMILYID_SMIME);
-    if (mask != CIPHER_FAMILYID_SMIME) {
-	/* XXX set an error! */
-    	return SECFailure;
-    }
-
-    if (on) {
-	PORT_Assert (smime_current_pref_index < smime_symmetric_count);
-	if (smime_current_pref_index >= smime_symmetric_count) {
-	    /* XXX set an error! */
-	    return SECFailure;
-	}
-
-	smime_newprefs[smime_current_pref_index++] = which;
-    }
-
-    return SECSuccess;
-}
-
-
-/*
- * this function locally records the export policy
- */
-SECStatus 
-SECMIME_SetPolicy(long which, int on)
-{
-    unsigned long mask;
-
-    PORT_Assert ((which & CIPHER_FAMILYID_MASK) == CIPHER_FAMILYID_SMIME);
-    if ((which & CIPHER_FAMILYID_MASK) != CIPHER_FAMILYID_SMIME) {
-	/* XXX set an error! */
-    	return SECFailure;
-    }
-
-    which &= ~CIPHER_FAMILYID_MASK;
-
-    PORT_Assert (which < 32);	/* bits in the long */
-    if (which >= 32) {
-	/* XXX set an error! */
-    	return SECFailure;
-    }
-
-    mask = 1UL << which;
-
-    if (on) {
-    	smime_policy_bits |= mask;
-    } else {
-    	smime_policy_bits &= ~mask;
-    }
-
-    return SECSuccess;
-}
-
-
-/*
- * Based on the given algorithm (including its parameters, in some cases!)
- * and the given key (may or may not be inspected, depending on the
- * algorithm), find the appropriate policy algorithm specification
- * and return it.  If no match can be made, -1 is returned.
- */
-static long
-smime_policy_algorithm (SECAlgorithmID *algid, PK11SymKey *key)
-{
-    SECOidTag algtag;
-
-    algtag = SECOID_GetAlgorithmTag (algid);
-    switch (algtag) {
-      case SEC_OID_RC2_CBC:
-	{
-	    unsigned int keylen_bits;
-
-	    keylen_bits = PK11_GetKeyStrength (key, algid);
-	    switch (keylen_bits) {
-	      case 40:
-		return SMIME_RC2_CBC_40;
-	      case 64:
-		return SMIME_RC2_CBC_64;
-	      case 128:
-		return SMIME_RC2_CBC_128;
-	      default:
-		break;
-	    }
-	}
-	break;
-      case SEC_OID_DES_CBC:
-	return SMIME_DES_CBC_56;
-      case SEC_OID_DES_EDE3_CBC:
-	return SMIME_DES_EDE3_168;
-      case SEC_OID_FORTEZZA_SKIPJACK:
-	return SMIME_FORTEZZA;
-#ifdef SMIME_DOES_RC5
-      case SEC_OID_RC5_CBC_PAD:
-	PORT_Assert (0);	/* XXX need to pull out parameters and match */
-	break;
-#endif
-      default:
-	break;
-    }
-
-    return -1;
-}
-
-
-static PRBool
-smime_cipher_allowed (unsigned long which)
-{
-    unsigned long mask;
-
-    which &= ~CIPHER_FAMILYID_MASK;
-    PORT_Assert (which < 32);	/* bits per long (min) */
-    if (which >= 32)
-	return PR_FALSE;
-
-    mask = 1UL << which;
-    if ((mask & smime_policy_bits) == 0)
-	return PR_FALSE;
-
-    return PR_TRUE;
-}
-
-
-PRBool
-SECMIME_DecryptionAllowed(SECAlgorithmID *algid, PK11SymKey *key)
-{
-    long which;
-
-    which = smime_policy_algorithm (algid, key);
-    if (which < 0)
-	return PR_FALSE;
-
-    return smime_cipher_allowed ((unsigned long)which);
-}
-
-
-/*
- * Does the current policy allow *any* S/MIME encryption (or decryption)?
- *
- * This tells whether or not *any* S/MIME encryption can be done,
- * according to policy.  Callers may use this to do nicer user interface
- * (say, greying out a checkbox so a user does not even try to encrypt
- * a message when they are not allowed to) or for any reason they want
- * to check whether S/MIME encryption (or decryption, for that matter)
- * may be done.
- *
- * It takes no arguments.  The return value is a simple boolean:
- *   PR_TRUE means encryption (or decryption) is *possible*
- *	(but may still fail due to other reasons, like because we cannot
- *	find all the necessary certs, etc.; PR_TRUE is *not* a guarantee)
- *   PR_FALSE means encryption (or decryption) is not permitted
- *
- * There are no errors from this routine.
- */
-PRBool
-SECMIME_EncryptionPossible (void)
-{
-    if (smime_policy_bits != 0)
-	return PR_TRUE;
-
-    return PR_FALSE;
-}
-
-
-/*
- * XXX Would like the "parameters" field to be a SECItem *, but the
- * encoder is having trouble with optional pointers to an ANY.  Maybe
- * once that is fixed, can change this back...
- */
-typedef struct smime_capability_struct {
-    unsigned long cipher;	/* local; not part of encoding */
-    SECOidTag capIDTag;		/* local; not part of encoding */
-    SECItem capabilityID;
-    SECItem parameters;
-} smime_capability;
-
-static const SEC_ASN1Template smime_capability_template[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(smime_capability) },
-    { SEC_ASN1_OBJECT_ID,
-	  offsetof(smime_capability,capabilityID), },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
-	  offsetof(smime_capability,parameters), },
-    { 0, }
-};
-
-static const SEC_ASN1Template smime_capabilities_template[] = {
-    { SEC_ASN1_SEQUENCE_OF, 0, smime_capability_template }
-};
-
-
-
-static void
-smime_fill_capability (smime_capability *cap)
-{
-    unsigned long cipher;
-    SECOidTag algtag;
-    int i;
-
-    algtag = SECOID_FindOIDTag (&(cap->capabilityID));
-
-    for (i = 0; i < smime_symmetric_count; i++) {
-	if (smime_cipher_maps[i].algtag != algtag)
-	    continue;
-	/*
-	 * XXX If SECITEM_CompareItem allowed NULLs as arguments (comparing
-	 * 2 NULLs as equal and NULL and non-NULL as not equal), we could
-	 * use that here instead of all of the following comparison code.
-	 */
-	if (cap->parameters.data != NULL) {
-	    if (smime_cipher_maps[i].parms == NULL)
-		continue;
-	    if (cap->parameters.len != smime_cipher_maps[i].parms->len)
-		continue;
-	    if (PORT_Memcmp (cap->parameters.data,
-			     smime_cipher_maps[i].parms->data,
-			     cap->parameters.len) == 0)
-		break;
-	} else if (smime_cipher_maps[i].parms == NULL) {
-	    break;
-	}
-    }
-
-    if (i == smime_symmetric_count)
-	cipher = 0;
-    else
-	cipher = smime_cipher_maps[i].cipher;
-
-    cap->cipher = cipher;
-    cap->capIDTag = algtag;
-}
-
-
-static long
-smime_choose_cipher (CERTCertificate *scert, CERTCertificate **rcerts)
-{
-    PRArenaPool *poolp;
-    long chosen_cipher;
-    int *cipher_abilities;
-    int *cipher_votes;
-    int strong_mapi;
-    int rcount, mapi, max, i;
-	PRBool isFortezza = PK11_FortezzaHasKEA(scert);
-
-    if (smime_policy_bits == 0) {
-	PORT_SetError (SEC_ERROR_BAD_EXPORT_ALGORITHM);
-	return -1;
-    }
-
-    chosen_cipher = SMIME_RC2_CBC_40;		/* the default, LCD */
-
-    poolp = PORT_NewArena (1024);		/* XXX what is right value? */
-    if (poolp == NULL)
-	goto done;
-
-    cipher_abilities = (int*)PORT_ArenaZAlloc (poolp,
-					 smime_symmetric_count * sizeof(int));
-    if (cipher_abilities == NULL)
-	goto done;
-
-    cipher_votes = (int*)PORT_ArenaZAlloc (poolp,
-				     smime_symmetric_count * sizeof(int));
-    if (cipher_votes == NULL)
-	goto done;
-
-    /*
-     * XXX Should have a #define somewhere which specifies default
-     * strong cipher.  (Or better, a way to configure, which would
-     * take Fortezza into account as well.)
-     */
-
-    /* If the user has the Fortezza preference turned on, make
-     *  that the strong cipher. Otherwise, use triple-DES. */
-    strong_mapi = -1;
-    if (isFortezza) {
-	for(i=0;i < smime_current_pref_index && strong_mapi < 0;i++)
-	{
-	    if (smime_prefs[i] == SMIME_FORTEZZA)
-		strong_mapi = smime_mapi_by_cipher(SMIME_FORTEZZA);
-	}
-    }
-
-    if (strong_mapi == -1)
-	strong_mapi = smime_mapi_by_cipher (SMIME_DES_EDE3_168);
-
-    PORT_Assert (strong_mapi >= 0);
-
-    for (rcount = 0; rcerts[rcount] != NULL; rcount++) {
-	SECItem *profile;
-	smime_capability **caps;
-	int capi, pref;
-	SECStatus dstat;
-
-	pref = smime_symmetric_count;
-	profile = CERT_FindSMimeProfile (rcerts[rcount]);
-	if (profile != NULL && profile->data != NULL && profile->len > 0) {
-	    caps = NULL;
-	    dstat = SEC_QuickDERDecodeItem (poolp, &caps,
-					smime_capabilities_template,
-					profile);
-	    if (dstat == SECSuccess && caps != NULL) {
-		for (capi = 0; caps[capi] != NULL; capi++) {
-		    smime_fill_capability (caps[capi]);
-		    mapi = smime_mapi_by_cipher (caps[capi]->cipher);
-		    if (mapi >= 0) {
-			cipher_abilities[mapi]++;
-			cipher_votes[mapi] += pref;
-			--pref;
-		    }
-		}
-	    }
-	} else {
-	    SECKEYPublicKey *key;
-	    unsigned int pklen_bits;
-
-	    /*
-	     * XXX This is probably only good for RSA keys.  What I would
-	     * really like is a function to just say;  Is the public key in
-	     * this cert an export-length key?  Then I would not have to
-	     * know things like the value 512, or the kind of key, or what
-	     * a subjectPublicKeyInfo is, etc.
-	     */
-	    key = CERT_ExtractPublicKey (rcerts[rcount]);
-	    if (key != NULL) {
-		pklen_bits = SECKEY_PublicKeyStrength (key) * 8;
-		SECKEY_DestroyPublicKey (key);
-
-		if (pklen_bits > 512) {
-		    cipher_abilities[strong_mapi]++;
-		    cipher_votes[strong_mapi] += pref;
-		}
-	    }
-	}
-	if (profile != NULL)
-	    SECITEM_FreeItem (profile, PR_TRUE);
-    }
-
-    max = 0;
-    for (mapi = 0; mapi < smime_symmetric_count; mapi++) {
-	if (cipher_abilities[mapi] != rcount)
-	    continue;
-	if (! smime_cipher_allowed (smime_cipher_maps[mapi].cipher))
-	    continue;
-	if (!isFortezza  && (smime_cipher_maps[mapi].cipher == SMIME_FORTEZZA))
-		continue;
-	if (cipher_votes[mapi] > max) {
-	    chosen_cipher = smime_cipher_maps[mapi].cipher;
-	    max = cipher_votes[mapi];
-	} /* XXX else if a tie, let scert break it? */
-    }
-
-done:
-    if (poolp != NULL)
-	PORT_FreeArena (poolp, PR_FALSE);
-
-    return chosen_cipher;
-}
-
-
-/*
- * XXX This is a hack for now to satisfy our current interface.
- * Eventually, with more parameters needing to be specified, just
- * looking up the keysize is not going to be sufficient.
- */
-static int
-smime_keysize_by_cipher (unsigned long which)
-{
-    int keysize;
-
-    switch (which) {
-      case SMIME_RC2_CBC_40:
-	keysize = 40;
-	break;
-      case SMIME_RC2_CBC_64:
-	keysize = 64;
-	break;
-      case SMIME_RC2_CBC_128:
-	keysize = 128;
-	break;
-#ifdef SMIME_DOES_RC5
-      case SMIME_RC5PAD_64_16_40:
-      case SMIME_RC5PAD_64_16_64:
-      case SMIME_RC5PAD_64_16_128:
-	/* XXX See comment above; keysize is not enough... */
-	PORT_Assert (0);
-	PORT_SetError (SEC_ERROR_INVALID_ALGORITHM);
-	keysize = -1;
-	break;
-#endif
-      case SMIME_DES_CBC_56:
-      case SMIME_DES_EDE3_168:
-      case SMIME_FORTEZZA:
-	/*
-	 * These are special; since the key size is fixed, we actually
-	 * want to *avoid* specifying a key size.
-	 */
-	keysize = 0;
-	break;
-      default:
-	keysize = -1;
-	break;
-    }
-
-    return keysize;
-}
-
-
-/*
- * Start an S/MIME encrypting context.
- *
- * "scert" is the cert for the sender.  It will be checked for validity.
- * "rcerts" are the certs for the recipients.  They will also be checked.
- *
- * "certdb" is the cert database to use for verifying the certs.
- * It can be NULL if a default database is available (like in the client).
- *
- * This function already does all of the stuff specific to S/MIME protocol
- * and local policy; the return value just needs to be passed to
- * SEC_PKCS7Encode() or to SEC_PKCS7EncoderStart() to create the encoded data,
- * and finally to SEC_PKCS7DestroyContentInfo().
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-SEC_PKCS7ContentInfo *
-SECMIME_CreateEncrypted(CERTCertificate *scert,
-			CERTCertificate **rcerts,
-			CERTCertDBHandle *certdb,
-			SECKEYGetPasswordKey pwfn,
-			void *pwfn_arg)
-{
-    SEC_PKCS7ContentInfo *cinfo;
-    long cipher;
-    SECOidTag encalg;
-    int keysize;
-    int mapi, rci;
-
-    cipher = smime_choose_cipher (scert, rcerts);
-    if (cipher < 0)
-	return NULL;
-
-    mapi = smime_mapi_by_cipher (cipher);
-    if (mapi < 0)
-	return NULL;
-
-    /*
-     * XXX This is stretching it -- CreateEnvelopedData should probably
-     * take a cipher itself of some sort, because we cannot know what the
-     * future will bring in terms of parameters for each type of algorithm.
-     * For example, just an algorithm and keysize is *not* sufficient to
-     * fully specify the usage of RC5 (which also needs to know rounds and
-     * block size).  Work this out into a better API!
-     */
-    encalg = smime_cipher_maps[mapi].algtag;
-    keysize = smime_keysize_by_cipher (cipher);
-    if (keysize < 0)
-	return NULL;
-
-    cinfo = SEC_PKCS7CreateEnvelopedData (scert, certUsageEmailRecipient,
-					  certdb, encalg, keysize,
-					  pwfn, pwfn_arg);
-    if (cinfo == NULL)
-	return NULL;
-
-    for (rci = 0; rcerts[rci] != NULL; rci++) {
-	if (rcerts[rci] == scert)
-	    continue;
-	if (SEC_PKCS7AddRecipient (cinfo, rcerts[rci], certUsageEmailRecipient,
-				   NULL) != SECSuccess) {
-	    SEC_PKCS7DestroyContentInfo (cinfo);
-	    return NULL;
-	}
-    }
-
-    return cinfo;
-}
-
-
-static smime_capability **smime_capabilities;
-static SECItem *smime_encoded_caps;
-static PRBool lastUsedFortezza;
-
-
-static SECStatus
-smime_init_caps (PRBool isFortezza)
-{
-    smime_capability *cap;
-    smime_cipher_map *map;
-    SECOidData *oiddata;
-    SECStatus rv;
-    int i, capIndex;
-
-    if (smime_encoded_caps != NULL 
-	&& (! smime_prefs_changed) 
-	&& lastUsedFortezza == isFortezza)
-	return SECSuccess;
-
-    if (smime_encoded_caps != NULL) {
-	SECITEM_FreeItem (smime_encoded_caps, PR_TRUE);
-	smime_encoded_caps = NULL;
-    }
-
-    if (smime_capabilities == NULL) {
-	smime_capabilities = (smime_capability**)PORT_ZAlloc (
-					  (smime_symmetric_count + 1)
-					  * sizeof(smime_capability *));
-	if (smime_capabilities == NULL)
-	    return SECFailure;
-    }
-
-    rv = SECFailure;
-
-    /* 
-       The process of creating the encoded PKCS7 cipher capability list
-       involves two basic steps: 
-
-       (a) Convert our internal representation of cipher preferences 
-           (smime_prefs) into an array containing cipher OIDs and 
-	   parameter data (smime_capabilities). This step is
-	   performed here.
-
-       (b) Encode, using ASN.1, the cipher information in 
-           smime_capabilities, leaving the encoded result in 
-	   smime_encoded_caps.
-
-       (In the process of performing (a), Lisa put in some optimizations
-       which allow us to avoid needlessly re-populating elements in 
-       smime_capabilities as we walk through smime_prefs.)
-
-       We want to use separate loop variables for smime_prefs and
-       smime_capabilities because in the case where the Skipjack cipher 
-       is turned on in the prefs, but where we don't want to include 
-       Skipjack in the encoded capabilities (presumably due to using a 
-       non-fortezza cert when sending a message), we want to avoid creating
-       an empty element in smime_capabilities. This would otherwise cause 
-       the encoding step to produce an empty set, since Skipjack happens 
-       to be the first cipher in smime_prefs, if it is turned on.
-    */
-    for (i = 0, capIndex = 0; i < smime_current_pref_index; i++, capIndex++) {
-	int mapi;
-
-	/* Get the next cipher preference in smime_prefs. */
-	mapi = smime_mapi_by_cipher (smime_prefs[i]);
-	if (mapi < 0)
-	    break;
-
-	/* Find the corresponding entry in the cipher map. */
-	PORT_Assert (mapi < smime_symmetric_count);
-	map = &(smime_cipher_maps[mapi]);
-
-	/* If we're using a non-Fortezza cert, only advertise non-Fortezza
-	   capabilities. (We advertise all capabilities if we have a 
-	   Fortezza cert.) */
-	if ((!isFortezza) && (map->cipher == SMIME_FORTEZZA))
-	{
-	    capIndex--; /* we want to visit the same caps index entry next time */
-	    continue;
-	}
-
-	/*
-	 * Convert the next preference found in smime_prefs into an
-	 * smime_capability.
-	 */
-
-	cap = smime_capabilities[capIndex];
-	if (cap == NULL) {
-	    cap = (smime_capability*)PORT_ZAlloc (sizeof(smime_capability));
-	    if (cap == NULL)
-		break;
-	    smime_capabilities[capIndex] = cap;
-	} else if (cap->cipher == smime_prefs[i]) {
-	    continue;		/* no change to this one */
-	}
-
-	cap->capIDTag = map->algtag;
-	oiddata = SECOID_FindOIDByTag (map->algtag);
-	if (oiddata == NULL)
-	    break;
-
-	if (cap->capabilityID.data != NULL) {
-	    SECITEM_FreeItem (&(cap->capabilityID), PR_FALSE);
-	    cap->capabilityID.data = NULL;
-	    cap->capabilityID.len = 0;
-	}
-
-	rv = SECITEM_CopyItem (NULL, &(cap->capabilityID), &(oiddata->oid));
-	if (rv != SECSuccess)
-	    break;
-
-	if (map->parms == NULL) {
-	    cap->parameters.data = NULL;
-	    cap->parameters.len = 0;
-	} else {
-	    cap->parameters.data = map->parms->data;
-	    cap->parameters.len = map->parms->len;
-	}
-
-	cap->cipher = smime_prefs[i];
-    }
-
-    if (i != smime_current_pref_index)
-	return rv;
-
-    while (capIndex < smime_symmetric_count) {
-	cap = smime_capabilities[capIndex];
-	if (cap != NULL) {
-	    SECITEM_FreeItem (&(cap->capabilityID), PR_FALSE);
-	    PORT_Free (cap);
-	}
-	smime_capabilities[capIndex] = NULL;
-	capIndex++;
-    }
-    smime_capabilities[capIndex] = NULL;
-
-    smime_encoded_caps = SEC_ASN1EncodeItem (NULL, NULL, &smime_capabilities,
-					     smime_capabilities_template);
-    if (smime_encoded_caps == NULL)
-	return SECFailure;
-
-    lastUsedFortezza = isFortezza;
-
-    return SECSuccess;
-}
-
-
-static SECStatus
-smime_add_profile (CERTCertificate *cert, SEC_PKCS7ContentInfo *cinfo)
-{
-    PRBool isFortezza = PR_FALSE;
-
-    PORT_Assert (smime_prefs_complete);
-    if (! smime_prefs_complete)
-	return SECFailure;
-
-    /* See if the sender's cert specifies Fortezza key exchange. */
-    if (cert != NULL)
-	isFortezza = PK11_FortezzaHasKEA(cert);
-
-    /* For that matter, if capabilities haven't been initialized yet,
-       do so now. */
-    if (isFortezza != lastUsedFortezza || smime_encoded_caps == NULL || smime_prefs_changed) {
-	SECStatus rv;
-
-	rv = smime_init_caps(isFortezza);
-	if (rv != SECSuccess)
-	    return rv;
-
-	PORT_Assert (smime_encoded_caps != NULL);
-    }
-
-    return SEC_PKCS7AddSignedAttribute (cinfo, SEC_OID_PKCS9_SMIME_CAPABILITIES,
-					smime_encoded_caps);
-}
-
-
-/*
- * Start an S/MIME signing context.
- *
- * "scert" is the cert that will be used to sign the data.  It will be
- * checked for validity.
- *
- * "ecert" is the signer's encryption cert.  If it is different from
- * scert, then it will be included in the signed message so that the
- * recipient can save it for future encryptions.
- *
- * "certdb" is the cert database to use for verifying the cert.
- * It can be NULL if a default database is available (like in the client).
- * 
- * "digestalg" names the digest algorithm (e.g. SEC_OID_SHA1).
- * XXX There should be SECMIME functions for hashing, or the hashing should
- * be built into this interface, which we would like because we would
- * support more smartcards that way, and then this argument should go away.)
- *
- * "digest" is the actual digest of the data.  It must be provided in
- * the case of detached data or NULL if the content will be included.
- *
- * This function already does all of the stuff specific to S/MIME protocol
- * and local policy; the return value just needs to be passed to
- * SEC_PKCS7Encode() or to SEC_PKCS7EncoderStart() to create the encoded data,
- * and finally to SEC_PKCS7DestroyContentInfo().
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-
-SEC_PKCS7ContentInfo *
-SECMIME_CreateSigned (CERTCertificate *scert,
-		      CERTCertificate *ecert,
-		      CERTCertDBHandle *certdb,
-		      SECOidTag digestalg,
-		      SECItem *digest,
-		      SECKEYGetPasswordKey pwfn,
-		      void *pwfn_arg)
-{
-    SEC_PKCS7ContentInfo *cinfo;
-    SECStatus rv;
-
-    /* See note in header comment above about digestalg. */
-    /* Doesn't explain this. PORT_Assert (digestalg == SEC_OID_SHA1); */
-
-    cinfo = SEC_PKCS7CreateSignedData (scert, certUsageEmailSigner,
-				       certdb, digestalg, digest,
-				       pwfn, pwfn_arg);
-    if (cinfo == NULL)
-	return NULL;
-
-    if (SEC_PKCS7IncludeCertChain (cinfo, NULL) != SECSuccess) {
-	SEC_PKCS7DestroyContentInfo (cinfo);
-	return NULL;
-    }
-
-    /* if the encryption cert and the signing cert differ, then include
-     * the encryption cert too.
-     */
-    /* it is ok to compare the pointers since we ref count, and the same
-     * cert will always have the same pointer
-     */
-    if ( ( ecert != NULL ) && ( ecert != scert ) ) {
-	rv = SEC_PKCS7AddCertificate(cinfo, ecert);
-	if ( rv != SECSuccess ) {
-	    SEC_PKCS7DestroyContentInfo (cinfo);
-	    return NULL;
-	}
-    }
-    /*
-     * Add the signing time.  But if it fails for some reason,
-     * may as well not give up altogether -- just assert.
-     */
-    rv = SEC_PKCS7AddSigningTime (cinfo);
-    PORT_Assert (rv == SECSuccess);
-
-    /*
-     * Add the email profile.  Again, if it fails for some reason,
-     * may as well not give up altogether -- just assert.
-     */
-    rv = smime_add_profile (ecert, cinfo);
-    PORT_Assert (rv == SECSuccess);
-
-    return cinfo;
-}
diff --git a/security/nss/lib/pkcs7/secmime.h b/security/nss/lib/pkcs7/secmime.h
deleted file mode 100644
index fece45f23..000000000
--- a/security/nss/lib/pkcs7/secmime.h
+++ /dev/null
@@ -1,195 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Header file for routines specific to S/MIME.  Keep things that are pure
- * pkcs7 out of here; this is for S/MIME policy, S/MIME interoperability, etc.
- *
- * $Id$
- */
-
-#ifndef _SECMIME_H_
-#define _SECMIME_H_ 1
-
-#include "secpkcs7.h"
-
-
-/************************************************************************/
-SEC_BEGIN_PROTOS
-
-/*
- * Initialize the local recording of the user S/MIME cipher preferences.
- * This function is called once for each cipher, the order being
- * important (first call records greatest preference, and so on).
- * When finished, it is called with a "which" of CIPHER_FAMILID_MASK.
- * If the function is called again after that, it is assumed that
- * the preferences are being reset, and the old preferences are
- * discarded.
- *
- * XXX This is for a particular user, and right now the storage is
- * XXX local, static.  The preference should be stored elsewhere to allow
- * XXX for multiple uses of one library?  How does SSL handle this;
- * XXX it has something similar?
- *
- *  - The "which" values are defined in ciferfam.h (the SMIME_* values,
- *    for example SMIME_DES_CBC_56).
- *  - If "on" is non-zero then the named cipher is enabled, otherwise
- *    it is disabled.  (It is not necessary to call the function for
- *    ciphers that are disabled, however, as that is the default.)
- *
- * If the cipher preference is successfully recorded, SECSuccess
- * is returned.  Otherwise SECFailure is returned.  The only errors
- * are due to failure allocating memory or bad parameters/calls:
- *	SEC_ERROR_XXX ("which" is not in the S/MIME cipher family)
- *	SEC_ERROR_XXX (function is being called more times than there
- *		are known/expected ciphers)
- */
-extern SECStatus SECMIME_EnableCipher(long which, int on);
-
-/*
- * Initialize the local recording of the S/MIME policy.
- * This function is called to enable/disable a particular cipher.
- * (S/MIME encryption or decryption using a particular cipher is only
- * allowed if that cipher is currently enabled.)  At startup, all S/MIME
- * ciphers are disabled.  From that point, this function can be called
- * to enable a cipher -- it is not necessary to call this to disable
- * a cipher unless that cipher was previously, explicitly enabled via
- * this function.
- *
- * XXX This is for a the current module, I think, so local, static storage
- * XXX is okay.  Is that correct, or could multiple uses of the same
- * XXX library expect to operate under different policies?
- *
- *  - The "which" values are defined in ciferfam.h (the SMIME_* values,
- *    for example SMIME_DES_CBC_56).
- *  - If "on" is non-zero then the named cipher is enabled, otherwise
- *    it is disabled.
- *
- * If the cipher is successfully enabled/disabled, SECSuccess is
- * returned.  Otherwise SECFailure is returned.  The only errors
- * are due to bad parameters:
- *	SEC_ERROR_XXX ("which" is not in the S/MIME cipher family)
- *	SEC_ERROR_XXX ("which" exceeds expected maximum cipher; this is
- *		really an internal error)
- */
-extern SECStatus SECMIME_SetPolicy(long which, int on);
-
-/*
- * Does the current policy allow S/MIME decryption of this particular
- * algorithm and keysize?
- */
-extern PRBool SECMIME_DecryptionAllowed(SECAlgorithmID *algid, PK11SymKey *key);
-
-/*
- * Does the current policy allow *any* S/MIME encryption (or decryption)?
- *
- * This tells whether or not *any* S/MIME encryption can be done,
- * according to policy.  Callers may use this to do nicer user interface
- * (say, greying out a checkbox so a user does not even try to encrypt
- * a message when they are not allowed to) or for any reason they want
- * to check whether S/MIME encryption (or decryption, for that matter)
- * may be done.
- *
- * It takes no arguments.  The return value is a simple boolean:
- *   PR_TRUE means encryption (or decryption) is *possible*
- *	(but may still fail due to other reasons, like because we cannot
- *	find all the necessary certs, etc.; PR_TRUE is *not* a guarantee)
- *   PR_FALSE means encryption (or decryption) is not permitted
- *
- * There are no errors from this routine.
- */
-extern PRBool SECMIME_EncryptionPossible(void);
-
-/*
- * Start an S/MIME encrypting context.
- *
- * "scert" is the cert for the sender.  It will be checked for validity.
- * "rcerts" are the certs for the recipients.  They will also be checked.
- *
- * "certdb" is the cert database to use for verifying the certs.
- * It can be NULL if a default database is available (like in the client).
- *
- * This function already does all of the stuff specific to S/MIME protocol
- * and local policy; the return value just needs to be passed to
- * SEC_PKCS7Encode() or to SEC_PKCS7EncoderStart() to create the encoded data,
- * and finally to SEC_PKCS7DestroyContentInfo().
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-extern SEC_PKCS7ContentInfo *SECMIME_CreateEncrypted(CERTCertificate *scert,
-						     CERTCertificate **rcerts,
-						     CERTCertDBHandle *certdb,
-						     SECKEYGetPasswordKey pwfn,
-						     void *pwfn_arg);
-
-/*
- * Start an S/MIME signing context.
- *
- * "scert" is the cert that will be used to sign the data.  It will be
- * checked for validity.
- *
- * "certdb" is the cert database to use for verifying the cert.
- * It can be NULL if a default database is available (like in the client).
- * 
- * "digestalg" names the digest algorithm.  (It should be SEC_OID_SHA1;
- * XXX There should be SECMIME functions for hashing, or the hashing should
- * be built into this interface, which we would like because we would
- * support more smartcards that way, and then this argument should go away.)
- *
- * "digest" is the actual digest of the data.  It must be provided in
- * the case of detached data or NULL if the content will be included.
- *
- * This function already does all of the stuff specific to S/MIME protocol
- * and local policy; the return value just needs to be passed to
- * SEC_PKCS7Encode() or to SEC_PKCS7EncoderStart() to create the encoded data,
- * and finally to SEC_PKCS7DestroyContentInfo().
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-extern SEC_PKCS7ContentInfo *SECMIME_CreateSigned(CERTCertificate *scert,
-						  CERTCertificate *ecert,
-						  CERTCertDBHandle *certdb,
-						  SECOidTag digestalg,
-						  SECItem *digest,
-						  SECKEYGetPasswordKey pwfn,
-						  void *pwfn_arg);
-
-/************************************************************************/
-SEC_END_PROTOS
-
-#endif /* _SECMIME_H_ */
diff --git a/security/nss/lib/pkcs7/secpkcs7.h b/security/nss/lib/pkcs7/secpkcs7.h
deleted file mode 100644
index ef454ba82..000000000
--- a/security/nss/lib/pkcs7/secpkcs7.h
+++ /dev/null
@@ -1,626 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Interface to the PKCS7 implementation.
- *
- * $Id$
- */
-
-#ifndef _SECPKCS7_H_
-#define _SECPKCS7_H_
-
-#include "seccomon.h"
-
-#include "secoidt.h"
-#include "certt.h"
-#include "keyt.h"
-#include "hasht.h"
-#include "pkcs7t.h"
-
-extern const SEC_ASN1Template sec_PKCS7ContentInfoTemplate[];
-
-/************************************************************************/
-SEC_BEGIN_PROTOS
-
-/************************************************************************
- *	Miscellaneous
- ************************************************************************/
-
-/*
- * Returns the content type of the given contentInfo.
- */
-extern SECOidTag SEC_PKCS7ContentType (SEC_PKCS7ContentInfo *cinfo);
-
-/*
- * Destroy a PKCS7 contentInfo and all of its sub-pieces.
- */
-extern void SEC_PKCS7DestroyContentInfo(SEC_PKCS7ContentInfo *contentInfo);
-
-/*
- * Copy a PKCS7 contentInfo.  A Destroy is needed on *each* copy.
- */
-extern SEC_PKCS7ContentInfo *
-SEC_PKCS7CopyContentInfo(SEC_PKCS7ContentInfo *contentInfo);
-
-/*
- * Return a pointer to the actual content.  In the case of those types
- * which are encrypted, this returns the *plain* content.
- */
-extern SECItem *SEC_PKCS7GetContent(SEC_PKCS7ContentInfo *cinfo);
-
-/************************************************************************
- *	PKCS7 Decoding, Verification, etc..
- ************************************************************************/
-
-extern SEC_PKCS7DecoderContext *
-SEC_PKCS7DecoderStart(SEC_PKCS7DecoderContentCallback callback,
-		      void *callback_arg,
-		      SECKEYGetPasswordKey pwfn, void *pwfn_arg,
-		      SEC_PKCS7GetDecryptKeyCallback decrypt_key_cb, 
-		      void *decrypt_key_cb_arg,
-		      SEC_PKCS7DecryptionAllowedCallback decrypt_allowed_cb);
-
-extern SECStatus
-SEC_PKCS7DecoderUpdate(SEC_PKCS7DecoderContext *p7dcx,
-		       const char *buf, unsigned long len);
-
-extern SEC_PKCS7ContentInfo *
-SEC_PKCS7DecoderFinish(SEC_PKCS7DecoderContext *p7dcx);
-
-
-/*  Abort the underlying ASN.1 stream & set an error  */
-void SEC_PKCS7DecoderAbort(SEC_PKCS7DecoderContext *p7dcx, int error);
-
-extern SEC_PKCS7ContentInfo *
-SEC_PKCS7DecodeItem(SECItem *p7item,
-		    SEC_PKCS7DecoderContentCallback cb, void *cb_arg,
-		    SECKEYGetPasswordKey pwfn, void *pwfn_arg,
-		    SEC_PKCS7GetDecryptKeyCallback decrypt_key_cb, 
-		    void *decrypt_key_cb_arg,
-		    SEC_PKCS7DecryptionAllowedCallback decrypt_allowed_cb);
-
-extern PRBool SEC_PKCS7ContainsCertsOrCrls(SEC_PKCS7ContentInfo *cinfo);
-
-/* checks to see if the contents of the content info is
- * empty.  it so, PR_TRUE is returned.  PR_FALSE, otherwise.
- *
- * minLen is used to specify a minimum size.  if content size <= minLen,
- * content is assumed empty.
- */
-extern PRBool 
-SEC_PKCS7IsContentEmpty(SEC_PKCS7ContentInfo *cinfo, unsigned int minLen); 
-
-extern PRBool SEC_PKCS7ContentIsEncrypted(SEC_PKCS7ContentInfo *cinfo);
-
-/*
- * If the PKCS7 content has a signature (not just *could* have a signature)
- * return true; false otherwise.  This can/should be called before calling
- * VerifySignature, which will always indicate failure if no signature is
- * present, but that does not mean there even was a signature!
- * Note that the content itself can be empty (detached content was sent
- * another way); it is the presence of the signature that matters.
- */
-extern PRBool SEC_PKCS7ContentIsSigned(SEC_PKCS7ContentInfo *cinfo);
-
-/*
- * SEC_PKCS7VerifySignature
- *	Look at a PKCS7 contentInfo and check if the signature is good.
- *	The verification checks that the signing cert is valid and trusted
- *	for the purpose specified by "certusage".
- *
- *	In addition, if "keepcerts" is true, add any new certificates found
- *	into our local database.
- */
-extern PRBool SEC_PKCS7VerifySignature(SEC_PKCS7ContentInfo *cinfo,
-				       SECCertUsage certusage,
-				       PRBool keepcerts);
-
-/*
- * SEC_PKCS7VerifyDetachedSignature
- *	Look at a PKCS7 contentInfo and check if the signature matches
- *	a passed-in digest (calculated, supposedly, from detached contents).
- *	The verification checks that the signing cert is valid and trusted
- *	for the purpose specified by "certusage".
- *
- *	In addition, if "keepcerts" is true, add any new certificates found
- *	into our local database.
- */
-extern PRBool SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo *cinfo,
-					       SECCertUsage certusage,
-					       SECItem *detached_digest,
-					       HASH_HashType digest_type,
-					       PRBool keepcerts);
-
-/*
- * SEC_PKCS7GetSignerCommonName, SEC_PKCS7GetSignerEmailAddress
- *      The passed-in contentInfo is espected to be Signed, and these
- *      functions return the specified portion of the full signer name.
- *
- *      Returns a pointer to allocated memory, which must be freed.
- *      A NULL return value is an error.
- */
-extern char *SEC_PKCS7GetSignerCommonName(SEC_PKCS7ContentInfo *cinfo);
-extern char *SEC_PKCS7GetSignerEmailAddress(SEC_PKCS7ContentInfo *cinfo);
-
-/*
- * Return the the signing time, in UTCTime format, of a PKCS7 contentInfo.
- */
-extern SECItem *SEC_PKCS7GetSigningTime(SEC_PKCS7ContentInfo *cinfo);
-
-
-/************************************************************************
- *	PKCS7 Creation and Encoding.
- ************************************************************************/
-
-/*
- * Start a PKCS7 signing context.
- *
- * "cert" is the cert that will be used to sign the data.  It will be
- * checked for validity.
- *
- * "certusage" describes the signing usage (e.g. certUsageEmailSigner)
- * XXX Maybe SECCertUsage should be split so that our caller just says
- * "email" and *we* add the "signing" part -- otherwise our caller
- * could be lying about the usage; we do not want to allow encryption
- * certs for signing or vice versa.
- *
- * "certdb" is the cert database to use for verifying the cert.
- * It can be NULL if a default database is available (like in the client).
- * 
- * "digestalg" names the digest algorithm (e.g. SEC_OID_SHA1).
- *
- * "digest" is the actual digest of the data.  It must be provided in
- * the case of detached data or NULL if the content will be included.
- *
- * The return value can be passed to functions which add things to
- * it like attributes, then eventually to SEC_PKCS7Encode() or to
- * SEC_PKCS7EncoderStart() to create the encoded data, and finally to
- * SEC_PKCS7DestroyContentInfo().
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-extern SEC_PKCS7ContentInfo *
-SEC_PKCS7CreateSignedData (CERTCertificate *cert,
-			   SECCertUsage certusage,
-			   CERTCertDBHandle *certdb,
-			   SECOidTag digestalg,
-			   SECItem *digest,
-		           SECKEYGetPasswordKey pwfn, void *pwfn_arg);
-
-/*
- * Create a PKCS7 certs-only container.
- *
- * "cert" is the (first) cert that will be included.
- *
- * "include_chain" specifies whether the entire chain for "cert" should
- * be included.
- *
- * "certdb" is the cert database to use for finding the chain.
- * It can be NULL in when "include_chain" is false, or when meaning
- * use the default database.
- *
- * More certs and chains can be added via AddCertficate and AddCertChain.
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-extern SEC_PKCS7ContentInfo *
-SEC_PKCS7CreateCertsOnly (CERTCertificate *cert,
-			  PRBool include_chain,
-			  CERTCertDBHandle *certdb);
-
-/*
- * Start a PKCS7 enveloping context.
- *
- * "cert" is the cert for the recipient.  It will be checked for validity.
- *
- * "certusage" describes the encryption usage (e.g. certUsageEmailRecipient)
- * XXX Maybe SECCertUsage should be split so that our caller just says
- * "email" and *we* add the "recipient" part -- otherwise our caller
- * could be lying about the usage; we do not want to allow encryption
- * certs for signing or vice versa.
- *
- * "certdb" is the cert database to use for verifying the cert.
- * It can be NULL if a default database is available (like in the client).
- *
- * "encalg" specifies the bulk encryption algorithm to use (e.g. SEC_OID_RC2).
- *
- * "keysize" specifies the bulk encryption key size, in bits.
- *
- * The return value can be passed to functions which add things to
- * it like more recipients, then eventually to SEC_PKCS7Encode() or to
- * SEC_PKCS7EncoderStart() to create the encoded data, and finally to
- * SEC_PKCS7DestroyContentInfo().
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-extern SEC_PKCS7ContentInfo *
-SEC_PKCS7CreateEnvelopedData (CERTCertificate *cert,
-			      SECCertUsage certusage,
-			      CERTCertDBHandle *certdb,
-			      SECOidTag encalg,
-			      int keysize,
-		              SECKEYGetPasswordKey pwfn, void *pwfn_arg);
-
-/*
- * XXX There will be a similar routine for creating signedAndEnvelopedData.
- * But its parameters will be different and I have no plans to implement
- * it any time soon because we have no current need for it.
- */
-
-/*
- * Create an empty PKCS7 data content info.
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-extern SEC_PKCS7ContentInfo *SEC_PKCS7CreateData (void);
-
-/*
- * Create an empty PKCS7 encrypted content info.
- *
- * "algorithm" specifies the bulk encryption algorithm to use.
- * 
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-extern SEC_PKCS7ContentInfo *
-SEC_PKCS7CreateEncryptedData (SECOidTag algorithm, int keysize,
-			      SECKEYGetPasswordKey pwfn, void *pwfn_arg);
-
-/*
- * All of the following things return SECStatus to signal success or failure.
- * Failure should have a more specific error status available via
- * PORT_GetError()/XP_GetError().
- */
-
-/*
- * Add the specified attribute to the authenticated (i.e. signed) attributes
- * of "cinfo" -- "oidtag" describes the attribute and "value" is the
- * value to be associated with it.  NOTE! "value" must already be encoded;
- * no interpretation of "oidtag" is done.  Also, it is assumed that this
- * signedData has only one signer -- if we ever need to add attributes
- * when there is more than one signature, we need a way to specify *which*
- * signature should get the attribute.
- *
- * XXX Technically, a signed attribute can have multiple values; if/when
- * we ever need to support an attribute which takes multiple values, we
- * either need to change this interface or create an AddSignedAttributeValue
- * which can be called subsequently, and would then append a value.
- *
- * "cinfo" should be of type signedData (the only kind of pkcs7 data
- * that is allowed authenticated attributes); SECFailure will be returned
- * if it is not.
- */
-extern SECStatus SEC_PKCS7AddSignedAttribute (SEC_PKCS7ContentInfo *cinfo,
-					      SECOidTag oidtag,
-					      SECItem *value);
-
-/*
- * Add "cert" and its entire chain to the set of certs included in "cinfo".
- *
- * "certdb" is the cert database to use for finding the chain.
- * It can be NULL, meaning use the default database.
- *
- * "cinfo" should be of type signedData or signedAndEnvelopedData;
- * SECFailure will be returned if it is not.
- */
-extern SECStatus SEC_PKCS7AddCertChain (SEC_PKCS7ContentInfo *cinfo,
-					CERTCertificate *cert,
-					CERTCertDBHandle *certdb);
-
-/*
- * Add "cert" to the set of certs included in "cinfo".
- *
- * "cinfo" should be of type signedData or signedAndEnvelopedData;
- * SECFailure will be returned if it is not.
- */
-extern SECStatus SEC_PKCS7AddCertificate (SEC_PKCS7ContentInfo *cinfo,
-					  CERTCertificate *cert);
-
-/*
- * Add another recipient to an encrypted message.
- *
- * "cinfo" should be of type envelopedData or signedAndEnvelopedData;
- * SECFailure will be returned if it is not.
- *
- * "cert" is the cert for the recipient.  It will be checked for validity.
- *
- * "certusage" describes the encryption usage (e.g. certUsageEmailRecipient)
- * XXX Maybe SECCertUsage should be split so that our caller just says
- * "email" and *we* add the "recipient" part -- otherwise our caller
- * could be lying about the usage; we do not want to allow encryption
- * certs for signing or vice versa.
- *
- * "certdb" is the cert database to use for verifying the cert.
- * It can be NULL if a default database is available (like in the client).
- */
-extern SECStatus SEC_PKCS7AddRecipient (SEC_PKCS7ContentInfo *cinfo,
-					CERTCertificate *cert,
-					SECCertUsage certusage,
-					CERTCertDBHandle *certdb);
-
-/*
- * Add the signing time to the authenticated (i.e. signed) attributes
- * of "cinfo".  This is expected to be included in outgoing signed
- * messages for email (S/MIME) but is likely useful in other situations.
- *
- * This should only be added once; a second call will either do
- * nothing or replace an old signing time with a newer one.
- *
- * XXX This will probably just shove the current time into "cinfo"
- * but it will not actually get signed until the entire item is
- * processed for encoding.  Is this (expected to be small) delay okay?
- *
- * "cinfo" should be of type signedData (the only kind of pkcs7 data
- * that is allowed authenticated attributes); SECFailure will be returned
- * if it is not.
- */
-extern SECStatus SEC_PKCS7AddSigningTime (SEC_PKCS7ContentInfo *cinfo);
-
-/*
- * Add the signer's symmetric capabilities to the authenticated
- * (i.e. signed) attributes of "cinfo".  This is expected to be
- * included in outgoing signed messages for email (S/MIME).
- *
- * This can only be added once; a second call will return SECFailure.
- *
- * "cinfo" should be of type signedData or signedAndEnvelopedData;
- * SECFailure will be returned if it is not.
- */
-extern SECStatus SEC_PKCS7AddSymmetricCapabilities(SEC_PKCS7ContentInfo *cinfo);
-
-/*
- * Mark that the signer's certificate and its issuing chain should
- * be included in the encoded data.  This is expected to be used
- * in outgoing signed messages for email (S/MIME).
- *
- * "certdb" is the cert database to use for finding the chain.
- * It can be NULL, meaning use the default database.
- *
- * "cinfo" should be of type signedData or signedAndEnvelopedData;
- * SECFailure will be returned if it is not.
- */
-extern SECStatus SEC_PKCS7IncludeCertChain (SEC_PKCS7ContentInfo *cinfo,
-					    CERTCertDBHandle *certdb);
-
-
-/*
- * Set the content; it will be included and also hashed and/or encrypted
- * as appropriate.  This is for in-memory content (expected to be "small")
- * that will be included in the PKCS7 object.  All others should stream the
- * content through when encoding (see SEC_PKCS7Encoder{Start,Update,Finish}).
- *
- * "buf" points to data of length "len"; it will be copied.
- */
-extern SECStatus SEC_PKCS7SetContent (SEC_PKCS7ContentInfo *cinfo,
-				      const char *buf, unsigned long len);
-
-/*
- * Encode a PKCS7 object, in one shot.  All necessary components
- * of the object must already be specified.  Either the data has
- * already been included (via SetContent), or the data is detached,
- * or there is no data at all (certs-only).
- *
- * "cinfo" specifies the object to be encoded.
- *
- * "outputfn" is where the encoded bytes will be passed.
- *
- * "outputarg" is an opaque argument to the above callback.
- *
- * "bulkkey" specifies the bulk encryption key to use.   This argument
- * can be NULL if no encryption is being done, or if the bulk key should
- * be generated internally (usually the case for EnvelopedData but never
- * for EncryptedData, which *must* provide a bulk encryption key).
- *
- * "pwfn" is a callback for getting the password which protects the
- * private key of the signer.  This argument can be NULL if it is known
- * that no signing is going to be done.
- *
- * "pwfnarg" is an opaque argument to the above callback.
- */
-extern SECStatus SEC_PKCS7Encode (SEC_PKCS7ContentInfo *cinfo,
-				  SEC_PKCS7EncoderOutputCallback outputfn,
-				  void *outputarg,
-				  PK11SymKey *bulkkey,
-				  SECKEYGetPasswordKey pwfn,
-				  void *pwfnarg);
-
-/*
- * Encode a PKCS7 object, in one shot.  All necessary components
- * of the object must already be specified.  Either the data has
- * already been included (via SetContent), or the data is detached,
- * or there is no data at all (certs-only).  The output, rather than
- * being passed to an output function as is done above, is all put
- * into a SECItem.
- *
- * "pool" specifies a pool from which to allocate the result.
- * It can be NULL, in which case memory is allocated generically.
- *
- * "dest" specifies a SECItem in which to put the result data.
- * It can be NULL, in which case the entire item is allocated, too.
- *
- * "cinfo" specifies the object to be encoded.
- *
- * "bulkkey" specifies the bulk encryption key to use.   This argument
- * can be NULL if no encryption is being done, or if the bulk key should
- * be generated internally (usually the case for EnvelopedData but never
- * for EncryptedData, which *must* provide a bulk encryption key).
- *
- * "pwfn" is a callback for getting the password which protects the
- * private key of the signer.  This argument can be NULL if it is known
- * that no signing is going to be done.
- *
- * "pwfnarg" is an opaque argument to the above callback.
- */
-extern SECItem *SEC_PKCS7EncodeItem (PRArenaPool *pool,
-				     SECItem *dest,
-				     SEC_PKCS7ContentInfo *cinfo,
-				     PK11SymKey *bulkkey,
-				     SECKEYGetPasswordKey pwfn,
-				     void *pwfnarg);
-
-/*
- * For those who want to simply point to the pkcs7 contentInfo ASN.1
- * template, and *not* call the encoding functions directly, the
- * following function can be used -- after it is called, the entire
- * PKCS7 contentInfo is ready to be encoded.
- */
-extern SECStatus SEC_PKCS7PrepareForEncode (SEC_PKCS7ContentInfo *cinfo,
-					    PK11SymKey *bulkkey,
-					    SECKEYGetPasswordKey pwfn,
-					    void *pwfnarg);
-
-/*
- * Start the process of encoding a PKCS7 object.  The first part of
- * the encoded object will be passed to the output function right away;
- * after that it is expected that SEC_PKCS7EncoderUpdate will be called,
- * streaming in the actual content that is getting included as well as
- * signed or encrypted (or both).
- *
- * "cinfo" specifies the object to be encoded.
- *
- * "outputfn" is where the encoded bytes will be passed.
- *
- * "outputarg" is an opaque argument to the above callback.
- *
- * "bulkkey" specifies the bulk encryption key to use.   This argument
- * can be NULL if no encryption is being done, or if the bulk key should
- * be generated internally (usually the case for EnvelopedData but never
- * for EncryptedData, which *must* provide a bulk encryption key).
- *
- * Returns an object to be passed to EncoderUpdate and EncoderFinish.
- */
-extern SEC_PKCS7EncoderContext *
-SEC_PKCS7EncoderStart (SEC_PKCS7ContentInfo *cinfo,
-		       SEC_PKCS7EncoderOutputCallback outputfn,
-		       void *outputarg,
-		       PK11SymKey *bulkkey);
-
-/*
- * Encode more contents, hashing and/or encrypting along the way.
- */
-extern SECStatus SEC_PKCS7EncoderUpdate (SEC_PKCS7EncoderContext *p7ecx,
-					 const char *buf,
-					 unsigned long len);
-
-/*
- * No more contents; finish the signature creation, if appropriate,
- * and then the encoding.
- *
- * "pwfn" is a callback for getting the password which protects the
- * signer's private key.  This argument can be NULL if it is known
- * that no signing is going to be done.
- *
- * "pwfnarg" is an opaque argument to the above callback.
- */
-extern SECStatus SEC_PKCS7EncoderFinish (SEC_PKCS7EncoderContext *p7ecx,
-					 SECKEYGetPasswordKey pwfn,
-					 void *pwfnarg);
-
-/*  Abort the underlying ASN.1 stream & set an error  */
-void SEC_PKCS7EncoderAbort(SEC_PKCS7EncoderContext *p7dcx, int error);
-
-/* retrieve the algorithm ID used to encrypt the content info
- * for encrypted and enveloped data.  The SECAlgorithmID pointer
- * returned needs to be freed as it is a copy of the algorithm
- * id in the content info.
- */ 
-extern SECAlgorithmID *
-SEC_PKCS7GetEncryptionAlgorithm(SEC_PKCS7ContentInfo *cinfo); 
-
-/* the content of an encrypted data content info is encrypted.
- * it is assumed that for encrypted data, that the data has already
- * been set and is in the "plainContent" field of the content info.
- *
- * cinfo is the content info to encrypt
- *
- * key is the key with which to perform the encryption.  if the
- *     algorithm is a password based encryption algorithm, the
- *     key is actually a password which will be processed per
- *     PKCS #5.
- * 
- * in the event of an error, SECFailure is returned.  SECSuccess
- * indicates a success.
- */
-extern SECStatus 
-SEC_PKCS7EncryptContents(PRArenaPool *poolp,
-			 SEC_PKCS7ContentInfo *cinfo, 
-			 SECItem *key,
-			 void *wincx); 
-	
-/* the content of an encrypted data content info is decrypted.
- * it is assumed that for encrypted data, that the data has already
- * been set and is in the "encContent" field of the content info.
- *
- * cinfo is the content info to decrypt
- *
- * key is the key with which to perform the decryption.  if the
- *     algorithm is a password based encryption algorithm, the
- *     key is actually a password which will be processed per
- *     PKCS #5.
- * 
- * in the event of an error, SECFailure is returned.  SECSuccess
- * indicates a success.
- */
-extern SECStatus 
-SEC_PKCS7DecryptContents(PRArenaPool *poolp,
-			 SEC_PKCS7ContentInfo *cinfo, 
-			 SECItem *key,
-			 void *wincx); 
-
-/* retrieve the certificate list from the content info.  the list
- * is a pointer to the list in the content info.  this should not
- * be deleted or freed in any way short of calling 
- * SEC_PKCS7DestroyContentInfo
- */
-extern SECItem **
-SEC_PKCS7GetCertificateList(SEC_PKCS7ContentInfo *cinfo);
-
-/* Returns the key length (in bits) of the algorithm used to encrypt
-   this object.  Returns 0 if it's not encrypted, or the key length is
-   irrelevant. */
-extern int 
-SEC_PKCS7GetKeyLength(SEC_PKCS7ContentInfo *cinfo);
- 
-
-/************************************************************************/
-SEC_END_PROTOS
-
-#endif /* _SECPKCS7_H_ */
diff --git a/security/nss/lib/pki/Makefile b/security/nss/lib/pki/Makefile
deleted file mode 100644
index 2d25c00f2..000000000
--- a/security/nss/lib/pki/Makefile
+++ /dev/null
@@ -1,44 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
-
-include manifest.mn
-include $(CORE_DEPTH)/coreconf/config.mk
-include config.mk
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-export:: private_export
diff --git a/security/nss/lib/pki/asymmkey.c b/security/nss/lib/pki/asymmkey.c
deleted file mode 100644
index ee47361cd..000000000
--- a/security/nss/lib/pki/asymmkey.c
+++ /dev/null
@@ -1,434 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#ifndef NSSPKI_H
-#include "nsspki.h"
-#endif /* NSSPKI_H */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-extern const NSSError NSS_ERROR_NOT_FOUND;
-
-NSS_IMPLEMENT PRStatus
-NSSPrivateKey_Destroy (
-  NSSPrivateKey *vk
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSPrivateKey_DeleteStoredObject (
-  NSSPrivateKey *vk,
-  NSSCallback *uhh
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT PRUint32
-NSSPrivateKey_GetSignatureLength (
-  NSSPrivateKey *vk
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return -1;
-}
-
-NSS_IMPLEMENT PRUint32
-NSSPrivateKey_GetPrivateModulusLength (
-  NSSPrivateKey *vk
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return -1;
-}
-
-NSS_IMPLEMENT PRBool
-NSSPrivateKey_IsStillPresent (
-  NSSPrivateKey *vk,
-  PRStatus *statusOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FALSE;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSPrivateKey_Encode (
-  NSSPrivateKey *vk,
-  NSSAlgorithmAndParameters *ap,
-  NSSItem *passwordOpt, /* NULL will cause a callback; "" for no password */
-  NSSCallback *uhhOpt,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSTrustDomain *
-NSSPrivateKey_GetTrustDomain (
-  NSSPrivateKey *vk,
-  PRStatus *statusOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSToken *
-NSSPrivateKey_GetToken (
-  NSSPrivateKey *vk
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSSlot *
-NSSPrivateKey_GetSlot (
-  NSSPrivateKey *vk
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSModule *
-NSSPrivateKey_GetModule (
-  NSSPrivateKey *vk
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSPrivateKey_Decrypt (
-  NSSPrivateKey *vk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *encryptedData,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSPrivateKey_Sign (
-  NSSPrivateKey *vk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSPrivateKey_SignRecover (
-  NSSPrivateKey *vk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSSymmetricKey *
-NSSPrivateKey_UnwrapSymmetricKey (
-  NSSPrivateKey *vk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *wrappedKey,
-  NSSCallback *uhh
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSSymmetricKey *
-NSSPrivateKey_DeriveSymmetricKey (
-  NSSPrivateKey *vk,
-  NSSPublicKey *bk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSOID *target,
-  PRUint32 keySizeOpt, /* zero for best allowed */
-  NSSOperations operations,
-  NSSCallback *uhh
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSPublicKey *
-NSSPrivateKey_FindPublicKey (
-  NSSPrivateKey *vk
-  /* { don't need the callback here, right? } */
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCryptoContext *
-NSSPrivateKey_CreateCryptoContext (
-  NSSPrivateKey *vk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSCallback *uhh
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCertificate **
-NSSPrivateKey_FindCertificates (
-  NSSPrivateKey *vk,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt, /* 0 for no max */
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCertificate *
-NSSPrivateKey_FindBestCertificate (
-  NSSPrivateKey *vk,
-  NSSTime *timeOpt,
-  NSSUsage *usageOpt,
-  NSSPolicies *policiesOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSPublicKey_Destroy (
-  NSSPublicKey *bk
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSPublicKey_DeleteStoredObject (
-  NSSPublicKey *bk,
-  NSSCallback *uhh
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSPublicKey_Encode (
-  NSSPublicKey *bk,
-  NSSAlgorithmAndParameters *ap,
-  NSSCallback *uhhOpt,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSTrustDomain *
-NSSPublicKey_GetTrustDomain (
-  NSSPublicKey *bk,
-  PRStatus *statusOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSToken *
-NSSPublicKey_GetToken (
-  NSSPublicKey *bk,
-  PRStatus *statusOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSSlot *
-NSSPublicKey_GetSlot (
-  NSSPublicKey *bk,
-  PRStatus *statusOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSModule *
-NSSPublicKey_GetModule (
-  NSSPublicKey *bk,
-  PRStatus *statusOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSPublicKey_Encrypt (
-  NSSPublicKey *bk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSPublicKey_Verify (
-  NSSPublicKey *bk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSItem *signature,
-  NSSCallback *uhh
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSPublicKey_VerifyRecover (
-  NSSPublicKey *bk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *signature,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSPublicKey_WrapSymmetricKey (
-  NSSPublicKey *bk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSSymmetricKey *keyToWrap,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCryptoContext *
-NSSPublicKey_CreateCryptoContext (
-  NSSPublicKey *bk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSCallback *uhh
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCertificate **
-NSSPublicKey_FindCertificates (
-  NSSPublicKey *bk,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt, /* 0 for no max */
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCertificate *
-NSSPublicKey_FindBestCertificate (
-  NSSPublicKey *bk,
-  NSSTime *timeOpt,
-  NSSUsage *usageOpt,
-  NSSPolicies *policiesOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSPrivateKey *
-NSSPublicKey_FindPrivateKey (
-  NSSPublicKey *bk,
-  NSSCallback *uhh
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
diff --git a/security/nss/lib/pki/certdecode.c b/security/nss/lib/pki/certdecode.c
deleted file mode 100644
index 282188b22..000000000
--- a/security/nss/lib/pki/certdecode.c
+++ /dev/null
@@ -1,121 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#ifndef PKIT_H
-#include "pkit.h"
-#endif /* PKIT_H */
-
-#ifndef PKIM_H
-#include "pkim.h"
-#endif /* PKIM_H */
-
-#ifdef NSS_3_4_CODE
-/* This is defined in pki3hack.c */
-NSS_EXTERN nssDecodedCert *
-nssDecodedPKIXCertificate_Create (
-  NSSArena *arenaOpt,
-  NSSDER *encoding
-);
-
-NSS_IMPLEMENT PRStatus
-nssDecodedPKIXCertificate_Destroy (
-  nssDecodedCert *dc
-);
-#else /* NSS_4_0_CODE */
-/* This is where 4.0 PKIX code will handle the decoding */
-static nssDecodedCert *
-nssDecodedPKIXCertificate_Create (
-  NSSArena *arenaOpt,
-  NSSDER *encoding
-)
-{
-    return (nssDecodedCert *)NULL;
-}
-
-static PRStatus
-nssDecodedPKIXCertificate_Destroy (
-  nssDecodedCert *dc
-)
-{
-    return PR_FAILURE;
-}
-#endif /* not NSS_3_4_CODE */
-
-NSS_IMPLEMENT nssDecodedCert *
-nssDecodedCert_Create (
-  NSSArena *arenaOpt,
-  NSSDER *encoding,
-  NSSCertificateType type
-)
-{
-    nssDecodedCert *rvDC = NULL;
-    switch(type) {
-    case NSSCertificateType_PKIX:
-	rvDC = nssDecodedPKIXCertificate_Create(arenaOpt, encoding);
-	break;
-    default:
-#if 0
-	nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
-#endif
-	return (nssDecodedCert *)NULL;
-    }
-    return rvDC;
-}
-
-NSS_IMPLEMENT PRStatus
-nssDecodedCert_Destroy (
-  nssDecodedCert *dc
-)
-{
-    if (!dc) {
-	return PR_FAILURE;
-    }
-    switch(dc->type) {
-    case NSSCertificateType_PKIX:
-	return nssDecodedPKIXCertificate_Destroy(dc);
-    default:
-#if 0
-	nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
-#endif
-	break;
-    }
-    return PR_FAILURE;
-}
-
diff --git a/security/nss/lib/pki/certificate.c b/security/nss/lib/pki/certificate.c
deleted file mode 100644
index 3abca38c1..000000000
--- a/security/nss/lib/pki/certificate.c
+++ /dev/null
@@ -1,1154 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#ifndef NSSPKI_H
-#include "nsspki.h"
-#endif /* NSSPKI_H */
-
-#ifndef PKIT_H
-#include "pkit.h"
-#endif /* PKIT_H */
-
-#ifndef PKIM_H
-#include "pkim.h"
-#endif /* PKIM_H */
-
-#ifndef DEV_H
-#include "dev.h"
-#endif /* DEV_H */
-
-#include "pkistore.h"
-
-#ifdef NSS_3_4_CODE
-#include "pki3hack.h"
-#include "pk11func.h"
-#include "hasht.h"
-#endif
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-extern const NSSError NSS_ERROR_NOT_FOUND;
-
-/* Creates a certificate from a base object */
-NSS_IMPLEMENT NSSCertificate *
-nssCertificate_Create (
-  nssPKIObject *object
-)
-{
-    PRStatus status;
-    NSSCertificate *rvCert;
-    /* mark? */
-    NSSArena *arena = object->arena;
-    PR_ASSERT(object->instances != NULL && object->numInstances > 0);
-    rvCert = nss_ZNEW(arena, NSSCertificate);
-    if (!rvCert) {
-	return (NSSCertificate *)NULL;
-    }
-    rvCert->object = *object;
-    /* XXX should choose instance based on some criteria */
-    status = nssCryptokiCertificate_GetAttributes(object->instances[0],
-                                                  NULL,  /* XXX sessionOpt */
-                                                  arena,
-                                                  &rvCert->type,
-                                                  &rvCert->id,
-                                                  &rvCert->encoding,
-                                                  &rvCert->issuer,
-                                                  &rvCert->serial,
-                                                  &rvCert->subject);
-    if (status != PR_SUCCESS) {
-	return (NSSCertificate *)NULL;
-    }
-    /* all certs need an encoding value */
-    if (rvCert->encoding.data == NULL) {
-	return (NSSCertificate *)NULL;
-    }
-    return rvCert;
-}
-
-NSS_IMPLEMENT NSSCertificate *
-nssCertificate_AddRef (
-  NSSCertificate *c
-)
-{
-    if (c) {
-	nssPKIObject_AddRef(&c->object);
-    }
-    return c;
-}
-
-NSS_IMPLEMENT PRStatus
-nssCertificate_Destroy (
-  NSSCertificate *c
-)
-{
-    if (c) {
-	PRUint32 i;
-	nssDecodedCert *dc = c->decoding;
-	NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
-	NSSCryptoContext *cc = c->object.cryptoContext;
-
-	PR_ASSERT(c->object.refCount > 0);
-
-	/* --- LOCK storage --- */
-	if (cc) {
-	    nssCertificateStore_Lock(cc->certStore);
-	} else {
-	    nssTrustDomain_LockCertCache(td);
-	}
-	if (PR_AtomicDecrement(&c->object.refCount) == 0) {
-	    /* --- remove cert and UNLOCK storage --- */
-	    if (cc) {
-		nssCertificateStore_RemoveCertLOCKED(cc->certStore, c);
-		nssCertificateStore_Unlock(cc->certStore);
-	    } else {
-		nssTrustDomain_RemoveCertFromCacheLOCKED(td, c);
-		nssTrustDomain_UnlockCertCache(td);
-	    }
-	    /* free cert data */
-	    for (i=0; i<c->object.numInstances; i++) {
-		nssCryptokiObject_Destroy(c->object.instances[i]);
-	    }
-	    PZ_DestroyLock(c->object.lock);
-	    nssArena_Destroy(c->object.arena);
-	    nssDecodedCert_Destroy(dc);
-	} else {
-	    /* --- UNLOCK storage --- */
-	    if (cc) {
-		nssCertificateStore_Unlock(cc->certStore);
-	    } else {
-		nssTrustDomain_UnlockCertCache(td);
-	    }
-	}
-    }
-    return PR_SUCCESS;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSCertificate_Destroy (
-  NSSCertificate *c
-)
-{
-    return nssCertificate_Destroy(c);
-}
-
-NSS_IMPLEMENT NSSDER *
-nssCertificate_GetEncoding (
-  NSSCertificate *c
-)
-{
-    if (c->encoding.size > 0 && c->encoding.data) {
-	return &c->encoding;
-    } else {
-	return (NSSDER *)NULL;
-    }
-}
-
-NSS_IMPLEMENT NSSDER *
-nssCertificate_GetIssuer (
-  NSSCertificate *c
-)
-{
-    if (c->issuer.size > 0 && c->issuer.data) {
-	return &c->issuer;
-    } else {
-	return (NSSDER *)NULL;
-    }
-}
-
-NSS_IMPLEMENT NSSDER *
-nssCertificate_GetSerialNumber (
-  NSSCertificate *c
-)
-{
-    if (c->serial.size > 0 && c->serial.data) {
-	return &c->serial;
-    } else {
-	return (NSSDER *)NULL;
-    }
-}
-
-NSS_IMPLEMENT NSSDER *
-nssCertificate_GetSubject (
-  NSSCertificate *c
-)
-{
-    if (c->subject.size > 0 && c->subject.data) {
-	return &c->subject;
-    } else {
-	return (NSSDER *)NULL;
-    }
-}
-
-NSS_IMPLEMENT NSSUTF8 *
-nssCertificate_GetNickname (
-  NSSCertificate *c,
-  NSSToken *tokenOpt
-)
-{
-    return nssPKIObject_GetNicknameForToken(&c->object, tokenOpt);
-}
-
-NSS_IMPLEMENT NSSASCII7 *
-nssCertificate_GetEmailAddress (
-  NSSCertificate *c
-)
-{
-    return c->email;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSCertificate_DeleteStoredObject (
-  NSSCertificate *c,
-  NSSCallback *uhh
-)
-{
-    return nssPKIObject_DeleteStoredObject(&c->object, uhh, PR_TRUE);
-}
-
-NSS_IMPLEMENT PRStatus
-NSSCertificate_Validate (
-  NSSCertificate *c,
-  NSSTime *timeOpt, /* NULL for "now" */
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt /* NULL for none */
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT void ** /* void *[] */
-NSSCertificate_ValidateCompletely (
-  NSSCertificate *c,
-  NSSTime *timeOpt, /* NULL for "now" */
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt, /* NULL for none */
-  void **rvOpt, /* NULL for allocate */
-  PRUint32 rvLimit, /* zero for no limit */
-  NSSArena *arenaOpt /* NULL for heap */
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSCertificate_ValidateAndDiscoverUsagesAndPolicies (
-  NSSCertificate *c,
-  NSSTime **notBeforeOutOpt,
-  NSSTime **notAfterOutOpt,
-  void *allowedUsages,
-  void *disallowedUsages,
-  void *allowedPolicies,
-  void *disallowedPolicies,
-  /* more args.. work on this fgmr */
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT NSSDER *
-NSSCertificate_Encode (
-  NSSCertificate *c,
-  NSSDER *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    /* Item, DER, BER are all typedefs now... */
-    return nssItem_Duplicate((NSSItem *)&c->encoding, arenaOpt, rvOpt);
-}
-
-NSS_IMPLEMENT nssDecodedCert *
-nssCertificate_GetDecoding (
-  NSSCertificate *c
-)
-{
-    /* There is a race in assigning c->decoding.  
-    ** This is a workaround.  Bugzilla bug 225525.
-    */
-    if (!c->decoding) {
-	nssDecodedCert * deco =
-	    nssDecodedCert_Create(NULL, &c->encoding, c->type);
-	/* Once this race is fixed, an assertion should be put 
-	** here to detect any regressions. 
-    	PORT_Assert(!c->decoding); 
-	*/
-	if (!c->decoding) {
-	    /* we won the race. Use our copy. */
-	    c->decoding = deco;
-        } else {
-	    /* we lost the race.  discard deco. */
-	    nssDecodedCert_Destroy(deco);
-	}
-    }
-    return c->decoding;
-}
-
-static NSSCertificate **
-filter_subject_certs_for_id (
-  NSSCertificate **subjectCerts, 
-  void *id
-)
-{
-    NSSCertificate **si;
-    nssDecodedCert *dcp;
-    int nextOpenSlot = 0;
-    int i;
-    nssCertIDMatch matchLevel = nssCertIDMatch_Unknown;
-    nssCertIDMatch match;
-
-    /* walk the subject certs */
-    for (si = subjectCerts; *si; si++) {
-	dcp = nssCertificate_GetDecoding(*si);
-	if (!dcp) {
-	    NSSCertificate_Destroy(*si);
-	    continue;
-	}
-	match = dcp->matchIdentifier(dcp, id);
-	switch (match) {
-	case nssCertIDMatch_Yes:
-	    if (matchLevel == nssCertIDMatch_Unknown) {
-		/* we have non-definitive matches, forget them */
-		for (i = 0; i < nextOpenSlot; i++) {
-		    NSSCertificate_Destroy(subjectCerts[i]);
-		    subjectCerts[i] = NULL;
-		}
-		nextOpenSlot = 0;
-		/* only keep definitive matches from now on */
-		matchLevel = nssCertIDMatch_Yes;
-	    }
-	    /* keep the cert */
-	    subjectCerts[nextOpenSlot++] = *si;
-	    break;
-	case nssCertIDMatch_Unknown:
-	    if (matchLevel == nssCertIDMatch_Unknown) {
-		/* only have non-definitive matches so far, keep it */
-		subjectCerts[nextOpenSlot++] = *si;
-		break;
-	    }
-	    /* else fall through, we have a definitive match already */
-	case nssCertIDMatch_No:
-	default:
-	    NSSCertificate_Destroy(*si);
-	    *si = NULL;
-	}
-    }
-    subjectCerts[nextOpenSlot] = NULL;
-    return subjectCerts;
-}
-
-static NSSCertificate **
-filter_certs_for_valid_issuers (
-  NSSCertificate **certs
-)
-{
-    NSSCertificate **cp;
-    nssDecodedCert *dcp;
-    int nextOpenSlot = 0;
-
-    for (cp = certs; *cp; cp++) {
-	dcp = nssCertificate_GetDecoding(*cp);
-	if (dcp && dcp->isValidIssuer(dcp)) {
-	    certs[nextOpenSlot++] = *cp;
-	} else {
-	    NSSCertificate_Destroy(*cp);
-	}
-    }
-    certs[nextOpenSlot] = NULL;
-    return certs;
-}
-
-static NSSCertificate *
-find_cert_issuer (
-  NSSCertificate *c,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt,
-  NSSTrustDomain *td,
-  NSSCryptoContext *cc
-)
-{
-    NSSArena *arena;
-    NSSCertificate **certs = NULL;
-    NSSCertificate **ccIssuers = NULL;
-    NSSCertificate **tdIssuers = NULL;
-    NSSCertificate *issuer = NULL;
-
-    if (!cc)
-	cc = c->object.cryptoContext;
-    if (!td)
-	td = NSSCertificate_GetTrustDomain(c);
-    arena = nssArena_Create();
-    if (!arena) {
-	return (NSSCertificate *)NULL;
-    }
-    if (cc) {
-	ccIssuers = nssCryptoContext_FindCertificatesBySubject(cc,
-	                                                       &c->issuer,
-	                                                       NULL,
-	                                                       0,
-	                                                       arena);
-    }
-    if (td)
-	tdIssuers = nssTrustDomain_FindCertificatesBySubject(td,
-                                                         &c->issuer,
-                                                         NULL,
-                                                         0,
-                                                         arena);
-    certs = nssCertificateArray_Join(ccIssuers, tdIssuers);
-    if (certs) {
-	nssDecodedCert *dc = NULL;
-	void *issuerID = NULL;
-	dc = nssCertificate_GetDecoding(c);
-	if (dc) {
-	    issuerID = dc->getIssuerIdentifier(dc);
-	}
-	/* XXX review based on CERT_FindCertIssuer
-	 * this function is not using the authCertIssuer field as a fallback
-	 * if authority key id does not exist
-	 */
-	if (issuerID) {
-	    certs = filter_subject_certs_for_id(certs, issuerID);
-	}
-	certs = filter_certs_for_valid_issuers(certs);
-	issuer = nssCertificateArray_FindBestCertificate(certs,
-	                                                 timeOpt,
-	                                                 usage,
-	                                                 policiesOpt);
-	nssCertificateArray_Destroy(certs);
-    }
-    nssArena_Destroy(arena);
-    return issuer;
-}
-
-/* This function returns the built chain, as far as it gets,
-** even if/when it fails to find an issuer, and returns PR_FAILURE
-*/
-NSS_IMPLEMENT NSSCertificate **
-nssCertificate_BuildChain (
-  NSSCertificate *c,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt,
-  NSSCertificate **rvOpt,
-  PRUint32 rvLimit,
-  NSSArena *arenaOpt,
-  PRStatus *statusOpt,
-  NSSTrustDomain *td,
-  NSSCryptoContext *cc 
-)
-{
-    NSSCertificate **rvChain = NULL;
-    NSSUsage issuerUsage = *usage;
-    nssPKIObjectCollection *collection = NULL;
-    PRUint32  rvCount = 0;
-    PRStatus  st;
-    PRStatus  ret = PR_SUCCESS;
-
-    if (!td)
-	td = NSSCertificate_GetTrustDomain(c);
-    if (!td || !c || !cc) 
-	goto loser;
-#ifdef NSS_3_4_CODE
-    /* bump the usage up to CA level */
-    issuerUsage.nss3lookingForCA = PR_TRUE;
-#endif
-    collection = nssCertificateCollection_Create(td, NULL);
-    if (!collection)
-	goto loser;
-    st = nssPKIObjectCollection_AddObject(collection, (nssPKIObject *)c);
-    if (st != PR_SUCCESS)
-    	goto loser;
-    /* XXX This breaks code for which NSS_3_4_CODE is not defined (pure
-     *     4.0 builds).  That won't affect the tip.  But be careful
-     *     when merging 4.0!!!
-     */
-    for (rvCount = 1; (!rvLimit || rvCount < rvLimit); ++rvCount) {
-#ifdef NSS_3_4_CODE
-	CERTCertificate *cCert = STAN_GetCERTCertificate(c);
-	if (cCert->isRoot) {
-	    /* not including the issuer of the self-signed cert, which is,
-	     * of course, itself
-	     */
-	    break;
-	}
-#endif
-	c = find_cert_issuer(c, timeOpt, &issuerUsage, policiesOpt, td, cc);
-	if (!c) {
-	    ret = PR_FAILURE;
-	    break;
-	}
-	st = nssPKIObjectCollection_AddObject(collection, (nssPKIObject *)c);
-	nssCertificate_Destroy(c); /* collection has it */
-	if (st != PR_SUCCESS)
-	    goto loser;
-    }
-    rvChain = nssPKIObjectCollection_GetCertificates(collection, 
-                                                     rvOpt, 
-                                                     rvLimit, 
-                                                     arenaOpt);
-    if (rvChain) {
-	nssPKIObjectCollection_Destroy(collection);
-	if (statusOpt) 
-	    *statusOpt = ret;
-	if (ret != PR_SUCCESS)
-	    nss_SetError(NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND);
-	return rvChain;
-    }
-
-loser:
-    if (collection)
-	nssPKIObjectCollection_Destroy(collection);
-    if (statusOpt) 
-	*statusOpt = PR_FAILURE;
-    nss_SetError(NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND);
-    return rvChain;
-}
-
-NSS_IMPLEMENT NSSCertificate **
-NSSCertificate_BuildChain (
-  NSSCertificate *c,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt,
-  NSSCertificate **rvOpt,
-  PRUint32 rvLimit, /* zero for no limit */
-  NSSArena *arenaOpt,
-  PRStatus *statusOpt,
-  NSSTrustDomain *td,
-  NSSCryptoContext *cc 
-)
-{
-    return nssCertificate_BuildChain(c, timeOpt, usage, policiesOpt,
-                                     rvOpt, rvLimit, arenaOpt, statusOpt,
-				     td, cc);
-}
-
-NSS_IMPLEMENT NSSCryptoContext *
-nssCertificate_GetCryptoContext (
-  NSSCertificate *c
-)
-{
-    return c->object.cryptoContext;
-}
-
-NSS_IMPLEMENT NSSTrustDomain *
-nssCertificate_GetTrustDomain (
-  NSSCertificate *c
-)
-{
-    return c->object.trustDomain;
-}
-
-NSS_IMPLEMENT NSSTrustDomain *
-NSSCertificate_GetTrustDomain (
-  NSSCertificate *c
-)
-{
-    return nssCertificate_GetTrustDomain(c);
-}
-
-NSS_IMPLEMENT NSSToken *
-NSSCertificate_GetToken (
-  NSSCertificate *c,
-  PRStatus *statusOpt
-)
-{
-    return (NSSToken *)NULL;
-}
-
-NSS_IMPLEMENT NSSSlot *
-NSSCertificate_GetSlot (
-  NSSCertificate *c,
-  PRStatus *statusOpt
-)
-{
-    return (NSSSlot *)NULL;
-}
-
-NSS_IMPLEMENT NSSModule *
-NSSCertificate_GetModule (
-  NSSCertificate *c,
-  PRStatus *statusOpt
-)
-{
-    return (NSSModule *)NULL;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSCertificate_Encrypt (
-  NSSCertificate *c,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSCertificate_Verify (
-  NSSCertificate *c,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSItem *signature,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt,
-  NSSCallback *uhh
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSCertificate_VerifyRecover (
-  NSSCertificate *c,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *signature,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSCertificate_WrapSymmetricKey (
-  NSSCertificate *c,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSSymmetricKey *keyToWrap,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCryptoContext *
-NSSCertificate_CreateCryptoContext (
-  NSSCertificate *c,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt,
-  NSSCallback *uhh  
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSPublicKey *
-NSSCertificate_GetPublicKey (
-  NSSCertificate *c
-)
-{
-#if 0
-    CK_ATTRIBUTE pubktemplate[] = {
-	{ CKA_CLASS,   NULL, 0 },
-	{ CKA_ID,      NULL, 0 },
-	{ CKA_SUBJECT, NULL, 0 }
-    };
-    PRStatus nssrv;
-    CK_ULONG count = sizeof(pubktemplate) / sizeof(pubktemplate[0]);
-    NSS_CK_SET_ATTRIBUTE_ITEM(pubktemplate, 0, &g_ck_class_pubkey);
-    if (c->id.size > 0) {
-	/* CKA_ID */
-	NSS_CK_ITEM_TO_ATTRIBUTE(&c->id, &pubktemplate[1]);
-    } else {
-	/* failure, yes? */
-	return (NSSPublicKey *)NULL;
-    }
-    if (c->subject.size > 0) {
-	/* CKA_SUBJECT */
-	NSS_CK_ITEM_TO_ATTRIBUTE(&c->subject, &pubktemplate[2]);
-    } else {
-	/* failure, yes? */
-	return (NSSPublicKey *)NULL;
-    }
-    /* Try the cert's token first */
-    if (c->token) {
-	nssrv = nssToken_FindObjectByTemplate(c->token, pubktemplate, count);
-    }
-#endif
-    /* Try all other key tokens */
-    return (NSSPublicKey *)NULL;
-}
-
-NSS_IMPLEMENT NSSPrivateKey *
-NSSCertificate_FindPrivateKey (
-  NSSCertificate *c,
-  NSSCallback *uhh
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT PRBool
-NSSCertificate_IsPrivateKeyAvailable (
-  NSSCertificate *c,
-  NSSCallback *uhh,
-  PRStatus *statusOpt
-)
-{
-    PRBool isUser = PR_FALSE;
-    nssCryptokiObject **ip;
-    nssCryptokiObject **instances = nssPKIObject_GetInstances(&c->object);
-    if (!instances) {
-	return PR_FALSE;
-    }
-    for (ip = instances; *ip; ip++) {
-	nssCryptokiObject *instance = *ip;
-	if (nssToken_IsPrivateKeyAvailable(instance->token, c, instance)) {
-	    isUser = PR_TRUE;
-	}
-    }
-    nssCryptokiObjectArray_Destroy(instances);
-    return isUser;
-}
-
-/* sort the subject cert list from newest to oldest */
-PRIntn
-nssCertificate_SubjectListSort (
-  void *v1,
-  void *v2
-)
-{
-    NSSCertificate *c1 = (NSSCertificate *)v1;
-    NSSCertificate *c2 = (NSSCertificate *)v2;
-    nssDecodedCert *dc1 = nssCertificate_GetDecoding(c1);
-    nssDecodedCert *dc2 = nssCertificate_GetDecoding(c2);
-    if (!dc1) {
-	return dc2 ? 1 : 0;
-    } else if (!dc2) {
-	return -1;
-    } else {
-	return dc1->isNewerThan(dc1, dc2) ? -1 : 1;
-    }
-}
-
-NSS_IMPLEMENT PRBool
-NSSUserCertificate_IsStillPresent (
-  NSSUserCertificate *uc,
-  PRStatus *statusOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FALSE;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSUserCertificate_Decrypt (
-  NSSUserCertificate *uc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSUserCertificate_Sign (
-  NSSUserCertificate *uc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSUserCertificate_SignRecover (
-  NSSUserCertificate *uc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSSymmetricKey *
-NSSUserCertificate_UnwrapSymmetricKey (
-  NSSUserCertificate *uc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *wrappedKey,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSSymmetricKey *
-NSSUserCertificate_DeriveSymmetricKey (
-  NSSUserCertificate *uc, /* provides private key */
-  NSSCertificate *c, /* provides public key */
-  NSSAlgorithmAndParameters *apOpt,
-  NSSOID *target,
-  PRUint32 keySizeOpt, /* zero for best allowed */
-  NSSOperations operations,
-  NSSCallback *uhh
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT nssSMIMEProfile *
-nssSMIMEProfile_Create (
-  NSSCertificate *cert,
-  NSSItem *profileTime,
-  NSSItem *profileData
-)
-{
-    NSSArena *arena;
-    nssSMIMEProfile *rvProfile;
-    nssPKIObject *object;
-    NSSTrustDomain *td = nssCertificate_GetTrustDomain(cert);
-    NSSCryptoContext *cc = nssCertificate_GetCryptoContext(cert);
-    arena = nssArena_Create();
-    if (!arena) {
-	return NULL;
-    }
-    object = nssPKIObject_Create(arena, NULL, td, cc);
-    if (!object) {
-	goto loser;
-    }
-    rvProfile = nss_ZNEW(arena, nssSMIMEProfile);
-    if (!rvProfile) {
-	goto loser;
-    }
-    rvProfile->object = *object;
-    rvProfile->certificate = cert;
-    rvProfile->email = nssUTF8_Duplicate(cert->email, arena);
-    rvProfile->subject = nssItem_Duplicate(&cert->subject, arena, NULL);
-    if (profileTime) {
-	rvProfile->profileTime = nssItem_Duplicate(profileTime, arena, NULL);
-    }
-    if (profileData) {
-	rvProfile->profileData = nssItem_Duplicate(profileData, arena, NULL);
-    }
-    return rvProfile;
-loser:
-    nssPKIObject_Destroy(object);
-    return (nssSMIMEProfile *)NULL;
-}
-
-/* execute a callback function on all members of a cert list */
-NSS_EXTERN PRStatus
-nssCertificateList_DoCallback (
-  nssList *certList, 
-  PRStatus (* callback)(NSSCertificate *c, void *arg),
-  void *arg
-)
-{
-    nssListIterator *certs;
-    NSSCertificate *cert;
-    PRStatus nssrv;
-    certs = nssList_CreateIterator(certList);
-    for (cert  = (NSSCertificate *)nssListIterator_Start(certs);
-         cert != (NSSCertificate *)NULL;
-         cert  = (NSSCertificate *)nssListIterator_Next(certs))
-    {
-	nssrv = (*callback)(cert, arg);
-    }
-    nssListIterator_Finish(certs);
-    nssListIterator_Destroy(certs);
-    return PR_SUCCESS;
-}
-
-static PRStatus add_ref_callback(NSSCertificate *c, void *a)
-{
-    nssCertificate_AddRef(c);
-    return PR_SUCCESS;
-}
-
-NSS_IMPLEMENT void
-nssCertificateList_AddReferences (
-  nssList *certList
-)
-{
-    (void)nssCertificateList_DoCallback(certList, add_ref_callback, NULL);
-}
-
-NSS_IMPLEMENT NSSTrust *
-nssTrust_Create (
-  nssPKIObject *object,
-  NSSItem *certData
-)
-{
-    PRStatus status;
-    PRUint32 i;
-    PRUint32 lastTrustOrder, myTrustOrder;
-    unsigned char sha1_hashcmp[SHA1_LENGTH];
-    unsigned char sha1_hashin[SHA1_LENGTH];
-    NSSItem sha1_hash;
-    NSSTrust *rvt;
-    nssCryptokiObject *instance;
-    nssTrustLevel serverAuth, clientAuth, codeSigning, emailProtection;
-    SECStatus rv; /* Should be stan flavor */
-    PRBool stepUp;
-
-    lastTrustOrder = 1<<16; /* just make it big */
-    PR_ASSERT(object->instances != NULL && object->numInstances > 0);
-    rvt = nss_ZNEW(object->arena, NSSTrust);
-    if (!rvt) {
-	return (NSSTrust *)NULL;
-    }
-    rvt->object = *object;
-
-    /* should be stan flavor of Hashbuf */
-    rv = PK11_HashBuf(SEC_OID_SHA1,sha1_hashcmp,certData->data,certData->size);
-    if (rv != SECSuccess) {
-	return (NSSTrust *)NULL;
-    }
-    sha1_hash.data = sha1_hashin;
-    sha1_hash.size = sizeof (sha1_hashin);
-    /* trust has to peek into the base object members */
-    PZ_Lock(object->lock);
-    for (i=0; i<object->numInstances; i++) {
-	instance = object->instances[i];
-	myTrustOrder = nssToken_GetTrustOrder(instance->token);
-	status = nssCryptokiTrust_GetAttributes(instance, NULL,
-						&sha1_hash,
-	                                        &serverAuth,
-	                                        &clientAuth,
-	                                        &codeSigning,
-	                                        &emailProtection,
-	                                        &stepUp);
-	if (status != PR_SUCCESS) {
-	    PZ_Unlock(object->lock);
-	    return (NSSTrust *)NULL;
-	}
-	if (PORT_Memcmp(sha1_hashin,sha1_hashcmp,SHA1_LENGTH) != 0) {
-	    PZ_Unlock(object->lock);
-	    return (NSSTrust *)NULL;
-	}
-	if (rvt->serverAuth == nssTrustLevel_Unknown ||
-	    myTrustOrder < lastTrustOrder) 
-	{
-	    rvt->serverAuth = serverAuth;
-	}
-	if (rvt->clientAuth == nssTrustLevel_Unknown ||
-	    myTrustOrder < lastTrustOrder) 
-	{
-	    rvt->clientAuth = clientAuth;
-	}
-	if (rvt->emailProtection == nssTrustLevel_Unknown ||
-	    myTrustOrder < lastTrustOrder) 
-	{
-	    rvt->emailProtection = emailProtection;
-	}
-	if (rvt->codeSigning == nssTrustLevel_Unknown ||
-	    myTrustOrder < lastTrustOrder) 
-	{
-	    rvt->codeSigning = codeSigning;
-	}
-	rvt->stepUpApproved = stepUp;
-	lastTrustOrder = myTrustOrder;
-    }
-    PZ_Unlock(object->lock);
-    return rvt;
-}
-
-NSS_IMPLEMENT NSSTrust *
-nssTrust_AddRef (
-  NSSTrust *trust
-)
-{
-    if (trust) {
-	nssPKIObject_AddRef(&trust->object);
-    }
-    return trust;
-}
-
-NSS_IMPLEMENT PRStatus
-nssTrust_Destroy (
-  NSSTrust *trust
-)
-{
-    if (trust) {
-	(void)nssPKIObject_Destroy(&trust->object);
-    }
-    return PR_SUCCESS;
-}
-
-NSS_IMPLEMENT nssSMIMEProfile *
-nssSMIMEProfile_AddRef (
-  nssSMIMEProfile *profile
-)
-{
-    if (profile) {
-	nssPKIObject_AddRef(&profile->object);
-    }
-    return profile;
-}
-
-NSS_IMPLEMENT PRStatus
-nssSMIMEProfile_Destroy (
-  nssSMIMEProfile *profile
-)
-{
-    if (profile) {
-	(void)nssPKIObject_Destroy(&profile->object);
-    }
-    return PR_SUCCESS;
-}
-
-NSS_IMPLEMENT NSSCRL *
-nssCRL_Create (
-  nssPKIObject *object
-)
-{
-    PRStatus status;
-    NSSCRL *rvCRL;
-    NSSArena *arena = object->arena;
-    PR_ASSERT(object->instances != NULL && object->numInstances > 0);
-    rvCRL = nss_ZNEW(arena, NSSCRL);
-    if (!rvCRL) {
-	return (NSSCRL *)NULL;
-    }
-    rvCRL->object = *object;
-    /* XXX should choose instance based on some criteria */
-    status = nssCryptokiCRL_GetAttributes(object->instances[0],
-                                          NULL,  /* XXX sessionOpt */
-                                          arena,
-                                          &rvCRL->encoding,
-                                          NULL, /* subject */
-                                          NULL, /* class */
-                                          &rvCRL->url,
-                                          &rvCRL->isKRL);
-    if (status != PR_SUCCESS) {
-	return (NSSCRL *)NULL;
-    }
-    return rvCRL;
-}
-
-NSS_IMPLEMENT NSSCRL *
-nssCRL_AddRef (
-  NSSCRL *crl
-)
-{
-    if (crl) {
-	nssPKIObject_AddRef(&crl->object);
-    }
-    return crl;
-}
-
-NSS_IMPLEMENT PRStatus
-nssCRL_Destroy (
-  NSSCRL *crl
-)
-{
-    if (crl) {
-	(void)nssPKIObject_Destroy(&crl->object);
-    }
-    return PR_SUCCESS;
-}
-
-NSS_IMPLEMENT PRStatus
-nssCRL_DeleteStoredObject (
-  NSSCRL *crl,
-  NSSCallback *uhh
-)
-{
-    return nssPKIObject_DeleteStoredObject(&crl->object, uhh, PR_TRUE);
-}
-
-NSS_IMPLEMENT NSSDER *
-nssCRL_GetEncoding (
-  NSSCRL *crl
-)
-{
-    if (crl->encoding.data != NULL && crl->encoding.size > 0) {
-	return &crl->encoding;
-    } else {
-	return (NSSDER *)NULL;
-    }
-}
diff --git a/security/nss/lib/pki/config.mk b/security/nss/lib/pki/config.mk
deleted file mode 100644
index f4e5b965b..000000000
--- a/security/nss/lib/pki/config.mk
+++ /dev/null
@@ -1,52 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
-
-ifdef BUILD_IDG
-DEFINES += -DNSSDEBUG
-endif
-
-#
-#  Override TARGETS variable so that only static libraries
-#  are specifed as dependencies within rules.mk.
-#
-
-TARGETS        = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PROGRAM        =
-
diff --git a/security/nss/lib/pki/cryptocontext.c b/security/nss/lib/pki/cryptocontext.c
deleted file mode 100644
index 6b8a724c3..000000000
--- a/security/nss/lib/pki/cryptocontext.c
+++ /dev/null
@@ -1,1006 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#ifndef DEV_H
-#include "dev.h"
-#endif /* DEV_H */
-
-#ifndef PKIM_H
-#include "pkim.h"
-#endif /* PKIM_H */
-
-#ifndef PKISTORE_H
-#include "pkistore.h"
-#endif /* PKISTORE_H */
-
-#include "pki1t.h"
-
-#ifdef PURE_STAN_BUILD
-struct NSSCryptoContextStr
-{
-    PRInt32 refCount;
-    NSSArena *arena;
-    NSSTrustDomain *td;
-    NSSToken *token;
-    nssSession *session;
-    nssCertificateStore *certStore;
-};
-#endif
-
-extern const NSSError NSS_ERROR_NOT_FOUND;
-
-NSS_IMPLEMENT NSSCryptoContext *
-nssCryptoContext_Create (
-  NSSTrustDomain *td,
-  NSSCallback *uhhOpt
-)
-{
-    NSSArena *arena;
-    NSSCryptoContext *rvCC;
-    arena = NSSArena_Create();
-    if (!arena) {
-	return NULL;
-    }
-    rvCC = nss_ZNEW(arena, NSSCryptoContext);
-    if (!rvCC) {
-	return NULL;
-    }
-    rvCC->td = td;
-    rvCC->arena = arena;
-    return rvCC;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSCryptoContext_Destroy (
-  NSSCryptoContext *cc
-)
-{
-    PRStatus status = PR_SUCCESS;
-    if (cc->certStore) {
-	status = nssCertificateStore_Destroy(cc->certStore);
-	if (status == PR_FAILURE) {
-	    return status;
-	}
-    }
-    nssArena_Destroy(cc->arena);
-    return status;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSCryptoContext_SetDefaultCallback (
-  NSSCryptoContext *td,
-  NSSCallback *newCallback,
-  NSSCallback **oldCallbackOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT NSSCallback *
-NSSCryptoContext_GetDefaultCallback (
-  NSSCryptoContext *td,
-  PRStatus *statusOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSTrustDomain *
-NSSCryptoContext_GetTrustDomain (
-  NSSCryptoContext *td
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSCryptoContext_ImportCertificate (
-  NSSCryptoContext *cc,
-  NSSCertificate *c
-)
-{
-    PRStatus nssrv;
-    if (!cc->certStore) {
-	cc->certStore = nssCertificateStore_Create(cc->arena);
-	if (!cc->certStore) {
-	    return PR_FAILURE;
-	}
-    }
-    nssrv = nssCertificateStore_Add(cc->certStore, c);
-    if (nssrv == PR_SUCCESS) {
-	c->object.cryptoContext = cc;
-    }
-    return nssrv;
-}
-
-NSS_IMPLEMENT NSSCertificate *
-NSSCryptoContext_ImportPKIXCertificate (
-  NSSCryptoContext *cc,
-  struct NSSPKIXCertificateStr *pc
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCertificate *
-NSSCryptoContext_ImportEncodedCertificate (
-  NSSCryptoContext *cc,
-  NSSBER *ber
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSCryptoContext_ImportEncodedPKIXCertificateChain (
-  NSSCryptoContext *cc,
-  NSSBER *ber
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT PRStatus
-nssCryptoContext_ImportTrust (
-  NSSCryptoContext *cc,
-  NSSTrust *trust
-)
-{
-    PRStatus nssrv;
-    if (!cc->certStore) {
-	cc->certStore = nssCertificateStore_Create(cc->arena);
-	if (!cc->certStore) {
-	    return PR_FAILURE;
-	}
-    }
-    nssrv = nssCertificateStore_AddTrust(cc->certStore, trust);
-#if 0
-    if (nssrv == PR_SUCCESS) {
-	trust->object.cryptoContext = cc;
-    }
-#endif
-    return nssrv;
-}
-
-NSS_IMPLEMENT PRStatus
-nssCryptoContext_ImportSMIMEProfile (
-  NSSCryptoContext *cc,
-  nssSMIMEProfile *profile
-)
-{
-    PRStatus nssrv;
-    if (!cc->certStore) {
-	cc->certStore = nssCertificateStore_Create(cc->arena);
-	if (!cc->certStore) {
-	    return PR_FAILURE;
-	}
-    }
-    nssrv = nssCertificateStore_AddSMIMEProfile(cc->certStore, profile);
-#if 0
-    if (nssrv == PR_SUCCESS) {
-	profile->object.cryptoContext = cc;
-    }
-#endif
-    return nssrv;
-}
-
-NSS_IMPLEMENT NSSCertificate *
-NSSCryptoContext_FindBestCertificateByNickname (
-  NSSCryptoContext *cc,
-  NSSUTF8 *name,
-  NSSTime *timeOpt, /* NULL for "now" */
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt /* NULL for none */
-)
-{
-    NSSCertificate **certs;
-    NSSCertificate *rvCert = NULL;
-    if (!cc->certStore) {
-	return NULL;
-    }
-    certs = nssCertificateStore_FindCertificatesByNickname(cc->certStore,
-                                                           name,
-                                                           NULL, 0, NULL);
-    if (certs) {
-	rvCert = nssCertificateArray_FindBestCertificate(certs,
-	                                                 timeOpt,
-	                                                 usage,
-	                                                 policiesOpt);
-	nssCertificateArray_Destroy(certs);
-    }
-    return rvCert;
-}
-
-NSS_IMPLEMENT NSSCertificate **
-NSSCryptoContext_FindCertificatesByNickname (
-  NSSCryptoContext *cc,
-  NSSUTF8 *name,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt, /* 0 for no max */
-  NSSArena *arenaOpt
-)
-{
-    NSSCertificate **rvCerts;
-    if (!cc->certStore) {
-	return NULL;
-    }
-    rvCerts = nssCertificateStore_FindCertificatesByNickname(cc->certStore,
-                                                             name,
-                                                             rvOpt,
-                                                             maximumOpt,
-                                                             arenaOpt);
-    return rvCerts;
-}
-
-NSS_IMPLEMENT NSSCertificate *
-NSSCryptoContext_FindCertificateByIssuerAndSerialNumber (
-  NSSCryptoContext *cc,
-  NSSDER *issuer,
-  NSSDER *serialNumber
-)
-{
-    if (!cc->certStore) {
-	return NULL;
-    }
-    return nssCertificateStore_FindCertificateByIssuerAndSerialNumber(
-                                                               cc->certStore,
-                                                               issuer,
-                                                               serialNumber);
-}
-
-NSS_IMPLEMENT NSSCertificate *
-NSSCryptoContext_FindBestCertificateBySubject (
-  NSSCryptoContext *cc,
-  NSSDER *subject,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt
-)
-{
-    NSSCertificate **certs;
-    NSSCertificate *rvCert = NULL;
-    if (!cc->certStore) {
-	return NULL;
-    }
-    certs = nssCertificateStore_FindCertificatesBySubject(cc->certStore,
-                                                          subject,
-                                                          NULL, 0, NULL);
-    if (certs) {
-	rvCert = nssCertificateArray_FindBestCertificate(certs,
-	                                                 timeOpt,
-	                                                 usage,
-	                                                 policiesOpt);
-	nssCertificateArray_Destroy(certs);
-    }
-    return rvCert;
-}
-
-NSS_IMPLEMENT NSSCertificate **
-nssCryptoContext_FindCertificatesBySubject (
-  NSSCryptoContext *cc,
-  NSSDER *subject,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt, /* 0 for no max */
-  NSSArena *arenaOpt
-)
-{
-    NSSCertificate **rvCerts;
-    if (!cc->certStore) {
-	return NULL;
-    }
-    rvCerts = nssCertificateStore_FindCertificatesBySubject(cc->certStore,
-                                                            subject,
-                                                            rvOpt,
-                                                            maximumOpt,
-                                                            arenaOpt);
-    return rvCerts;
-}
-
-NSS_IMPLEMENT NSSCertificate **
-NSSCryptoContext_FindCertificatesBySubject (
-  NSSCryptoContext *cc,
-  NSSDER *subject,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt, /* 0 for no max */
-  NSSArena *arenaOpt
-)
-{
-    return nssCryptoContext_FindCertificatesBySubject(cc, subject,
-                                                      rvOpt, maximumOpt,
-                                                      arenaOpt);
-}
-
-NSS_IMPLEMENT NSSCertificate *
-NSSCryptoContext_FindBestCertificateByNameComponents (
-  NSSCryptoContext *cc,
-  NSSUTF8 *nameComponents,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCertificate **
-NSSCryptoContext_FindCertificatesByNameComponents (
-  NSSCryptoContext *cc,
-  NSSUTF8 *nameComponents,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt, /* 0 for no max */
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCertificate *
-NSSCryptoContext_FindCertificateByEncodedCertificate (
-  NSSCryptoContext *cc,
-  NSSBER *encodedCertificate
-)
-{
-    if (!cc->certStore) {
-	return NULL;
-    }
-    return nssCertificateStore_FindCertificateByEncodedCertificate(
-                                                           cc->certStore,
-                                                           encodedCertificate);
-}
-
-NSS_IMPLEMENT NSSCertificate *
-NSSCryptoContext_FindBestCertificateByEmail (
-  NSSCryptoContext *cc,
-  NSSASCII7 *email,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt
-)
-{
-    NSSCertificate **certs;
-    NSSCertificate *rvCert = NULL;
-    if (!cc->certStore) {
-	return NULL;
-    }
-    certs = nssCertificateStore_FindCertificatesByEmail(cc->certStore,
-                                                        email,
-                                                        NULL, 0, NULL);
-    if (certs) {
-	rvCert = nssCertificateArray_FindBestCertificate(certs,
-	                                                 timeOpt,
-	                                                 usage,
-	                                                 policiesOpt);
-	nssCertificateArray_Destroy(certs);
-    }
-    return rvCert;
-}
-
-NSS_IMPLEMENT NSSCertificate **
-NSSCryptoContext_FindCertificatesByEmail (
-  NSSCryptoContext *cc,
-  NSSASCII7 *email,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt, /* 0 for no max */
-  NSSArena *arenaOpt
-)
-{
-    NSSCertificate **rvCerts;
-    if (!cc->certStore) {
-	return NULL;
-    }
-    rvCerts = nssCertificateStore_FindCertificatesByEmail(cc->certStore,
-                                                          email,
-                                                          rvOpt,
-                                                          maximumOpt,
-                                                          arenaOpt);
-    return rvCerts;
-}
-
-NSS_IMPLEMENT NSSCertificate *
-NSSCryptoContext_FindCertificateByOCSPHash (
-  NSSCryptoContext *cc,
-  NSSItem *hash
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCertificate *
-NSSCryptoContext_FindBestUserCertificate (
-  NSSCryptoContext *cc,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCertificate **
-NSSCryptoContext_FindUserCertificates (
-  NSSCryptoContext *cc,
-  NSSTime *timeOpt,
-  NSSUsage *usageOpt,
-  NSSPolicies *policiesOpt,
-  NSSCertificate **rvOpt,
-  PRUint32 rvLimit, /* zero for no limit */
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCertificate *
-NSSCryptoContext_FindBestUserCertificateForSSLClientAuth (
-  NSSCryptoContext *cc,
-  NSSUTF8 *sslHostOpt,
-  NSSDER *rootCAsOpt[], /* null pointer for none */
-  PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
-  NSSAlgorithmAndParameters *apOpt,
-  NSSPolicies *policiesOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCertificate **
-NSSCryptoContext_FindUserCertificatesForSSLClientAuth (
-  NSSCryptoContext *cc,
-  NSSUTF8 *sslHostOpt,
-  NSSDER *rootCAsOpt[], /* null pointer for none */
-  PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
-  NSSAlgorithmAndParameters *apOpt,
-  NSSPolicies *policiesOpt,
-  NSSCertificate **rvOpt,
-  PRUint32 rvLimit, /* zero for no limit */
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCertificate *
-NSSCryptoContext_FindBestUserCertificateForEmailSigning (
-  NSSCryptoContext *cc,
-  NSSASCII7 *signerOpt,
-  NSSASCII7 *recipientOpt,
-  /* anything more here? */
-  NSSAlgorithmAndParameters *apOpt,
-  NSSPolicies *policiesOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCertificate *
-NSSCryptoContext_FindUserCertificatesForEmailSigning (
-  NSSCryptoContext *cc,
-  NSSASCII7 *signerOpt, /* fgmr or a more general name? */
-  NSSASCII7 *recipientOpt,
-  /* anything more here? */
-  NSSAlgorithmAndParameters *apOpt,
-  NSSPolicies *policiesOpt,
-  NSSCertificate **rvOpt,
-  PRUint32 rvLimit, /* zero for no limit */
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSTrust *
-nssCryptoContext_FindTrustForCertificate (
-  NSSCryptoContext *cc,
-  NSSCertificate *cert
-)
-{
-    if (!cc->certStore) {
-	return NULL;
-    }
-    return nssCertificateStore_FindTrustForCertificate(cc->certStore, cert);
-}
-
-NSS_IMPLEMENT nssSMIMEProfile *
-nssCryptoContext_FindSMIMEProfileForCertificate (
-  NSSCryptoContext *cc,
-  NSSCertificate *cert
-)
-{
-    if (!cc->certStore) {
-	return NULL;
-    }
-    return nssCertificateStore_FindSMIMEProfileForCertificate(cc->certStore, 
-                                                              cert);
-}
-
-NSS_IMPLEMENT PRStatus
-NSSCryptoContext_GenerateKeyPair (
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *ap,
-  NSSPrivateKey **pvkOpt,
-  NSSPublicKey **pbkOpt,
-  PRBool privateKeyIsSensitive,
-  NSSToken *destination,
-  NSSCallback *uhhOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT NSSSymmetricKey *
-NSSCryptoContext_GenerateSymmetricKey (
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *ap,
-  PRUint32 keysize,
-  NSSToken *destination,
-  NSSCallback *uhhOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSSymmetricKey *
-NSSCryptoContext_GenerateSymmetricKeyFromPassword (
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *ap,
-  NSSUTF8 *passwordOpt, /* if null, prompt */
-  NSSToken *destinationOpt,
-  NSSCallback *uhhOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSSymmetricKey *
-NSSCryptoContext_FindSymmetricKeyByAlgorithmAndKeyID (
-  NSSCryptoContext *cc,
-  NSSOID *algorithm,
-  NSSItem *keyID,
-  NSSCallback *uhhOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-struct token_session_str {
-    NSSToken *token;
-    nssSession *session;
-};
-
-NSS_IMPLEMENT NSSItem *
-NSSCryptoContext_Decrypt (
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *encryptedData,
-  NSSCallback *uhhOpt,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSCryptoContext_BeginDecrypt (
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSCallback *uhhOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSCryptoContext_ContinueDecrypt (
-  NSSCryptoContext *cc,
-  NSSItem *data,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSCryptoContext_FinishDecrypt (
-  NSSCryptoContext *cc,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSCryptoContext_Sign (
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSCallback *uhhOpt,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSCryptoContext_BeginSign (
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSCallback *uhhOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSCryptoContext_ContinueSign (
-  NSSCryptoContext *cc,
-  NSSItem *data
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSCryptoContext_FinishSign (
-  NSSCryptoContext *cc,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSCryptoContext_SignRecover (
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSCallback *uhhOpt,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSCryptoContext_BeginSignRecover (
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSCallback *uhhOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSCryptoContext_ContinueSignRecover (
-  NSSCryptoContext *cc,
-  NSSItem *data,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSCryptoContext_FinishSignRecover (
-  NSSCryptoContext *cc,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSSymmetricKey *
-NSSCryptoContext_UnwrapSymmetricKey (
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *wrappedKey,
-  NSSCallback *uhhOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSSymmetricKey *
-NSSCryptoContext_DeriveSymmetricKey (
-  NSSCryptoContext *cc,
-  NSSPublicKey *bk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSOID *target,
-  PRUint32 keySizeOpt, /* zero for best allowed */
-  NSSOperations operations,
-  NSSCallback *uhhOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSCryptoContext_Encrypt (
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSCallback *uhhOpt,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSCryptoContext_BeginEncrypt (
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSCallback *uhhOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSCryptoContext_ContinueEncrypt (
-  NSSCryptoContext *cc,
-  NSSItem *data,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSCryptoContext_FinishEncrypt (
-  NSSCryptoContext *cc,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSCryptoContext_Verify (
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSItem *signature,
-  NSSCallback *uhhOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSCryptoContext_BeginVerify (
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *signature,
-  NSSCallback *uhhOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSCryptoContext_ContinueVerify (
-  NSSCryptoContext *cc,
-  NSSItem *data
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSCryptoContext_FinishVerify (
-  NSSCryptoContext *cc
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSCryptoContext_VerifyRecover (
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *signature,
-  NSSCallback *uhhOpt,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSCryptoContext_BeginVerifyRecover (
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSCallback *uhhOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSCryptoContext_ContinueVerifyRecover (
-  NSSCryptoContext *cc,
-  NSSItem *data,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSCryptoContext_FinishVerifyRecover (
-  NSSCryptoContext *cc,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSCryptoContext_WrapSymmetricKey (
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSSymmetricKey *keyToWrap,
-  NSSCallback *uhhOpt,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSCryptoContext_Digest (
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSCallback *uhhOpt,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    return nssToken_Digest(cc->token, cc->session, apOpt, 
-                           data, rvOpt, arenaOpt);
-}
-
-NSS_IMPLEMENT PRStatus
-NSSCryptoContext_BeginDigest (
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSCallback *uhhOpt
-)
-{
-    return nssToken_BeginDigest(cc->token, cc->session, apOpt);
-}
-
-NSS_IMPLEMENT PRStatus
-NSSCryptoContext_ContinueDigest (
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *item
-)
-{
-	/*
-    NSSAlgorithmAndParameters *ap;
-    ap = (apOpt) ? apOpt : cc->ap;
-    */
-	/* why apOpt?  can't change it at this point... */
-    return nssToken_ContinueDigest(cc->token, cc->session, item);
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSCryptoContext_FinishDigest (
-  NSSCryptoContext *cc,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    return nssToken_FinishDigest(cc->token, cc->session, rvOpt, arenaOpt);
-}
-
-NSS_IMPLEMENT NSSCryptoContext *
-NSSCryptoContext_Clone (
-  NSSCryptoContext *cc
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
diff --git a/security/nss/lib/pki/doc/standiag.png b/security/nss/lib/pki/doc/standiag.png
deleted file mode 100644
index fe1aca389..000000000
--- a/security/nss/lib/pki/doc/standiag.png
+++ /dev/null
diff --git a/security/nss/lib/pki/doc/standoc.html b/security/nss/lib/pki/doc/standoc.html
deleted file mode 100644
index 8cc067588..000000000
--- a/security/nss/lib/pki/doc/standoc.html
+++ /dev/null
@@ -1,474 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-<html>
-<head>
-<!-- ***** BEGIN LICENSE BLOCK *****
-   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
-   -
-   - The contents of this file are subject to the Mozilla Public License Version
-   - 1.1 (the "License"); you may not use this file except in compliance with
-   - the License. You may obtain a copy of the License at
-   - http://www.mozilla.org/MPL/
-   -
-   - Software distributed under the License is distributed on an "AS IS" basis,
-   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-   - for the specific language governing rights and limitations under the
-   - License.
-   -
-   - The Original Code is the Netscape security libraries.
-   -
-   - The Initial Developer of the Original Code is
-   - Netscape Communications Corporation.
-   - Portions created by the Initial Developer are Copyright (C) 1994-2000
-   - the Initial Developer. All Rights Reserved.
-   -
-   - Contributor(s):
-   -
-   - Alternatively, the contents of this file may be used under the terms of
-   - either the GNU General Public License Version 2 or later (the "GPL"), or
-   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-   - in which case the provisions of the GPL or the LGPL are applicable instead
-   - of those above. If you wish to allow use of your version of this file only
-   - under the terms of either the GPL or the LGPL, and not to allow others to
-   - use your version of this file under the terms of the MPL, indicate your
-   - decision by deleting the provisions above and replace them with the notice
-   - and other provisions required by the GPL or the LGPL. If you do not delete
-   - the provisions above, a recipient may use your version of this file under
-   - the terms of any one of the MPL, the GPL or the LGPL.
-   -
-   - ***** END LICENSE BLOCK ***** -->
-                                                                        
-                              
-  <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
-  <title>Stan Design - Work In Progress</title>
-</head>
-  <body>
- <br>
-               This is a working document for progress on Stan design/development.<br>
- <br>
-        Current <a href="#build">build</a>
-       and <a href="#test">test</a>
-        instructions.<br>
- <br>
-                      The current set of Stan libraries.<br>
- <a href="#asn1">asn1</a>
- <br>
- <a href="#base">base</a>
- <br>
- <a href="#ckfw">ckfw</a>
- <br>
- <a href="#dev">dev</a>
- <br>
- <a href="#pki">pki</a>
- <br>
- <a href="#pki1">pki1</a>
- <br>
- <a href="#pkix">pkix</a>
- <br>
- <br>
-                     "Public" types below (those available to consumers of
- NSS)   begin    with   "NSS".  &nbsp;"Protected" types (those only available
- within   NSS)   begin   with  "nss".<br>
- <br>
-        Open issues appears as numbered indents.<br>
- <br>
- <br>
- 
-<hr width="100%" size="2" align="Left"><br>
- 
-<h3><a name="asn1"></a>
- <a href="http://lxr.mozilla.org/mozilla/source/security/nss/lib/asn1/">
-           ASN.1</a>
- </h3>
-                          ASN.1 encoder/decoder wrapping around the current 
- ASN.1    implementation.<br>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSASN1EncodingType">  NSSASN1EncodingType</a>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=nssASN1Item">nssASN1Item</a>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=nssASN1Template">nssASN1Template</a>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=nssASN1ChooseTemplateFunction">
-                     nssASN1ChooseTemplateFunction</a>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=nssASN1Encoder">nssASN1Encoder</a>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=nssASN1Decoder">nssASN1Decoder</a>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=nssASN1EncodingPart">  nssASN1EncodingPart</a>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=nssASN1NotifyFunction">
-       nssASN1NotifyFunction</a>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=nssASN1EncoderWriteFunction">
-                     nssASN1EncoderWriteFunction</a>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=nssASN1DecoderFilterFunction">
-                     nssASN1DecoderFilterFunction</a>
- <br>
- <br>
- 
-<hr width="100%" size="2" align="Left"> 
-<h3><a name="base"></a>
- <a href="http://lxr.mozilla.org/mozilla/source/security/nss/lib/base/">
-       Base</a>
- </h3>
-                          Set of base utilities for Stan implementation.
-&nbsp;These       are   all   fairly straightforward, except for nssPointerTracker.<br>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSError">NSSError</a>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSArena">NSSArena</a>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSItem">NSSItem</a>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSBER">NSSBER</a>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSDER">NSSDER</a>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSBitString">NSSBitString</a>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSUTF8">NSSUTF8</a>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSASCII7">NSSASCII7</a>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=nssArenaMark">nssArenaMark</a>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=nssPointerTracker">nssPointerTracker</a>
- <br>
-          This is intended for debug builds only.<br>
- 
-<ol>
-   <li>Ignored for now.<br>
-   </li>
- 
-</ol>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=nssStringType">nssStringType</a>
- <br>
- <br>
-          Suggested additions:<br>
- 
-<ol>
-   <li>nssList - A list that optionally uses a lock. &nbsp;This list  would 
-   manage the currently loaded modules in a trust domain, etc.</li>
-   
-  <ul>
-     <li>SECMODListLock kept track of the number of waiting threads.  &nbsp;Will 
-  this be needed in the trust domain?</li>
-   
-  </ul>
- 
-</ol>
- <br>
- 
-<hr width="100%" size="2" align="Left"> 
-<h3><a name="ckfw"></a>
- <a href="http://lxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/">
-  CKFW</a>
- </h3>
-                     The cryptoki framework, used for building cryptoki tokens. 
-   &nbsp;This      needs  to be described in a separate document showing how
-   to set up a  token    using  CKFW. &nbsp;This code only relates to tokens,
-   so it is not  relevant    here.<br>
- <br>
- <br>
- 
-<hr width="100%" size="2" align="Left"> 
-<h3><a name="dev"></a>
- <a href="http://lxr.mozilla.org/mozilla/source/security/nss/lib/dev/"> 
- Device</a>
- </h3>
-                          Defines cryptoki devices used in NSS. &nbsp;This
- is  not   part  of the exposed API. &nbsp;It is a low-level API allowing
-NSS to manage   cryptoki  devices.<br>
- <br>
-         The relationship is like this:<br>
- <br>
-         libpki --&gt; libdev --&gt; cryptoki<br>
- <br>
-         As an example,<br>
- <br>
-         NSSTrustDomain_FindCertificate --&gt; NSSToken_FindCertificate --&gt;
-   C_FindObjects<br>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSModule">NSSModule</a>
- <br>
-                     Replaces the SECMOD API. &nbsp;The module manages a
-PRLibrary       that   holds  a cryptoki implementation via a number of slots.
-&nbsp;The      API should   provide  the ability  to Load and Unload a module,
-Login  and    Logout to the   module (through its slots), and to locate a
-particular   slot/token.<br>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSSlot">NSSSlot</a>
- <br>
-                     This and NSSToken combine to replace the PK11 API parts
-  that   relate    to  slot  and token management. &nbsp;The slot API should
-  provide   the ability   to Login/Logout   to a slot, check the login status,
-  determine    basic configuration    information   about the slot, and modify
-  the password    settings.<br>
- 
-<ol>
-   <li>Should slots also maintain a default session? &nbsp;This session would 
- be used for slot management calls (sections 9.5 and9.6 of PKCS#11). &nbsp;Or 
- is the token session sufficient (this would not work if C_GetTokenInfo and 
- C_InitToken need to be wrapped in a threadsafe session).<br>
-   </li>
- 
-</ol>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSToken">NSSToken</a>
- <br>
-                     Fills in the gaps left by NSSSlot. &nbsp;Much of the 
-cryptoki     API   is  directed   towards slots.  &nbsp;However,   some  functionality
-   clearly belongs with a token type. &nbsp;For  example,   a certificate
- lives  on a token, not a slot, so one would expect  a function   NSSToken_FindCertificate.
-    &nbsp;Thus functions that deal with  importing/exporting   an object
-and    performing  actual cryptographic operations  belong here.<br>
- 
-<ol>
-   <li>The   distinction  between a slot and a token is not clear. &nbsp;Most 
-   functions take  a slotID   as an argument,  even though it is obvious that
-     the event   is intended to occur on a token. &nbsp;That leaves various
-   possibilities:</li>
-   
-  <ol>
-     <li>Implement the API entirely as NSSToken. &nbsp;If the token  is not 
-  present, some calls will simply fail.</li>
-     <li>Divide the API between NSSToken and NSSSlot, as described  above. 
-&nbsp;NSSSlot  would handle cryptoki calls specified as "slot management",
-  while NSSToken  handles actual token operations.</li>
-     <li>Others?</li>
-   
-  </ol>
-   <li>Session management. &nbsp;Tokens needs a threadsafe session handle 
- to perform operations. &nbsp;CryptoContexts are meant to provide such sessions, 
- but other objects will need access to token functions as well (examples: 
-the TrustDomain_Find functions, _Login, _Logout, and others that do not exist 
- such as NSSToken_ChangePassword). &nbsp;For those functions, the token could 
- maintain a default session. &nbsp;Thus all NSSToken API functions would take
- sessionOpt as an argument. &nbsp;If the caller is going to provide a session,
- it sends an NSSSession there, otherwise it sends NULL and the default session
- is utilized.<br>
-   </li>
- 
-</ol>
-      Proposed:<br>
-    NSSSession<br>
-    Wraps a Cryptoki session. &nbsp;Created from a slot. &nbsp;Used to manage
-  sessions for crypto contexts. &nbsp;Has a lock field, which locks the session
-  if the slot is not threadsafe.<br>
- <br>
- 
-<hr width="100%" size="2" align="Left"><br>
- 
-<h3><a name="pki"></a>
- <a href="http://lxr.mozilla.org/mozilla/source/security/nss/lib/pki/"> 
-   PKI</a>
- </h3>
-                          The NSS PKI library.<br>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSCertificate">NSS</a>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSCertificate">Certificate</a>
- <br>
- 
-<ol>
-   <li>The API leaves open the possibility of NSSCertificate meaning  various 
- certificate types, not just X.509. &nbsp;The way to keep open this  possibility 
- is to keep only generally useful information in the NSSCertificate  type. 
-&nbsp;Examples would be the certificate encoding, label, trust (obtained
- from cryptoki calls), an email address, etc. &nbsp;Some type of generic
-reference  should be kept to the decoded certificate, which would then be
-accessed by  a type-specific API (e.g., NSSX509_GetSubjectName).</li>
- 
-</ol>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSUserCertificate">NSSUserCertificate</a>
- <br>
- 
-<ol>
-   <li>Should this be a typedef of NSSCertificate?&nbsp; This implies  that 
- any function that requires an   NSSUserCertificate   would fail when  called 
- with a certificate lacking a private key. </li>
- 
-</ol>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSPrivateKey">NSSPrivateKey</a>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSPublicKey">NSSPublicKey</a>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSSymmetricKey">NSSSymmetricKey</a>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSTrustDomain">NSSTrustDomain</a>
- <br>
-                    A trust domain is "the field in which certificates may
- be  validated."       &nbsp;It  is a collection of modules capable of performing 
-  cryptographic      operations  and storing certs and keys. &nbsp;This collection 
-  is managed     by NSS in a manner opaque to the consumer. &nbsp;The slots 
-  will have various      orderings determining which has preference for a 
-given  operation. &nbsp;For      example, the trust domain may order the storage
- of user certificates one    way, and the storage of email certificates in
- another way [is that a good    example?].<br>
- <br>
- 
-<ol>
-   <li>           How will ordering work? &nbsp;We already have the  suggestion 
-      that  there be two kinds of ordering: storage and search.  &nbsp;How 
-will     they be  constructed/managed? &nbsp;Do we want to expose  access 
-to a token     that overrides  this ordering (i.e., the download of  updated 
-root certs   may  need to override  storage order)</li>
-   <li>How are certs cached? &nbsp;Nelson wonders what it means   to   Stan 
-    when a cert does not live on a token yet. &nbsp;Bob, Terry, and    I discussed
-    this. &nbsp;My conclusion is that there should be a type,  separate 
-from   NSSCertificate,  that holds the decoded cert parts (e.g.,   NSSX509Certificate,
-    or to avoid confusion, NSSX509DecodedParts). &nbsp;NSSCertificate   would
-  keep  a handle to this type, so that it only needs to decode the  cert
-once.   &nbsp;The  NSSTrustDomain would keep a hash table of cached certs, 
-some of  which may  not live on a token yet (i.e., they are only NSSX509DecodedParts). 
-     &nbsp;This  cache could be accessed in the same way the temp db was, 
-and    when the cert  is ready to be moved onto a token a call to NSSTrustDomain_ImportCertificate 
-       is made. &nbsp;Note    that this is essentially the same as CERT_TempCertToPerm.</li>
-   
-  <ul>
-     <li>The hashtable in lib/base (copied from ckfw/hash.c) uses the identity 
-hash. &nbsp;Therefore, in a hash of certificates, the key is the certificate 
-pointer itself. &nbsp;One possibility is to store the decoded cert (NSSX509DecodedParts 
-above) as the value in the {key, value} pair. &nbsp;When a cert is decoded, 
-the cert pointer and decoding pointer are added to the hash. &nbsp;Subsequent 
-lookups have access to one or both of these pointers. &nbsp;This keeps NSSCertificate 
-separate from its decoding, while providing a way to locate it.</li>
-   
-  </ul>
-   <li>The API is designed to keep token details hidden from the user.  &nbsp;However, 
- it has already been realized that PSM and CMS may need special  access to 
-tokens. &nbsp;Is this part of the TrustDomain API, or should PSM  and CMS 
-be allowed to use "friend" headers from the Token API?</li>
-   <li>Do we want to allow traversal via NSSTrustDomain_TraverseXXXX?<br>
-   </li>
- 
-</ol>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSCryptoContext"><br>
-                   NSSCryptoContext</a>
- <br>
-    Analgous to a Cryptoki session. &nbsp;Manages session objects only.<br>
-  <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSTime">NSSTime</a>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSUsage">NSSUsage</a>
- <br>
- 
-<ol>
-   <li>       See Fred's <a href="http://lxr.mozilla.org/mozilla/source/security/nss/lib/pki/nsspkit.h#187">
-               comments</a>
-              .</li>
- 
-</ol>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSPolicies">NSSPolicies</a>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSAlgorithmAndParameters">
-                      NSSAlgorithmAndParameters</a>
- <br>
- 
-<ol>
-   <li>       Again, Fred's <a href="http://lxr.mozilla.org/mozilla/source/security/nss/lib/pki/nsspkit.h#215">
-               comments</a>
-              . &nbsp;The old NSS code had various types related to  algorithms 
-    running around in it. &nbsp;We had SECOidTag, SECAlgorithmID,   SECItem's
-     for parameters, CK_MECHANISM for cryptoki, etc. &nbsp;This type   should
-    be  able to encapsulate all of those.</li>
- 
-</ol>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSCallback">NSSCallback</a>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSOperations">NSSOperations</a>
- <br>
- <br>
- <br>
- 
-<hr width="100%" size="2"><br>
- <br>
- A diagram to suggest a possible TrustDomain architecture.<br>
- <br>
- <img src="./standiag.png" alt="Trust Domain Diagram" width="748" height="367">
- <br>
- 
-<hr width="100%" size="2" align="Left"><br>
- 
-<h3><a name="pki1"></a>
- <a href="http://lxr.mozilla.org/mozilla/source/security/nss/lib/pki1/">
-    PKI1</a>
- </h3>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSOID">NSSOID</a>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSATAV">NSSATAV</a>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSRDN">NSSRDN</a>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSRDNSeq">NSSRDNSeq</a>
- <br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSName">NSSName</a>
- <br>
-            NSSNameChoice<br>
-            NSSGeneralName<br>
-            NSSGeneralNameChoice<br>
-            NSSOtherName<br>
-            NSSRFC822Name<br>
-            NSSDNSName<br>
-            NSSX400Address<br>
-            NSSEdiParityAddress<br>
-            NSSURI<br>
-            NSSIPAddress<br>
-            NSSRegisteredID<br>
-            NSSGeneralNameSeq<br>
- <a href="http://lxr.mozilla.org/mozilla/ident?i=nssAttributeTypeAliasTable">
-            nssAttributeTypeAliasTable</a>
- <br>
- <br>
- <br>
- 
-<hr width="100%" size="2" align="Left"><br>
- 
-<h3><a name="pkix"></a>
- <a href="http://lxr.mozilla.org/mozilla/source/security/nss/lib/pkix/">
-       PKIX&nbsp;</a>
- </h3>
-           There is a plethora of PKIX related types here.<br>
- <br>
- 
-<hr width="100%" size="2" align="Left"><br>
- 
-<h3><a name="build"></a>
-        Building Stan</h3>
- <br>
-       From nss/lib, run "make BUILD_STAN=1"<br>
- <br>
- 
-<hr width="100%" size="2" align="Left"><br>
- 
-<h3><a name="test"></a>
-       Testing Stan</h3>
-       A&nbsp;new command line tool, pkiutil, has been created to use only
- the   Stan API. &nbsp;It depends on a new library, cmdlib, meant to replace
- the   old secutil library. &nbsp;The old library had code used by products
- that   needed to be integrated into the main library codebase somehow. &nbsp;The
-   goal of the new cmdlib is to have functionality needed strictly for NSS
- tools.<br>
- <br>
-       How to build:<br>
- 
-<ol>
-   <li>cd nss/cmd/cmdlib; make</li>
-   <li>cd ../pkiutil; make</li>
- 
-</ol>
-       pkiutil will give detailed help with either "pkiutil -?" or "pkiutil 
- --help".<br>
- <br>
-      So far, the only available test is to list certs on the builtins token. 
-  &nbsp;Copy "libnssckbi.so" (or whatever it is) to cmd/pkiutil. &nbsp;Then 
-  run "pkiutil -L" or "pkiutil --list". &nbsp;The list of certificate nicknames 
-  should be displayed.<br>
- <br>
- <br>
- 
-</body>
-</html>
diff --git a/security/nss/lib/pki/manifest.mn b/security/nss/lib/pki/manifest.mn
deleted file mode 100644
index 9a5aacdf0..000000000
--- a/security/nss/lib/pki/manifest.mn
+++ /dev/null
@@ -1,75 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
-
-CORE_DEPTH = ../../..
-
-PRIVATE_EXPORTS = \
-	pki.h      \
-	pkit.h     \
-	nsspkit.h  \
-	nsspki.h   \
-	$(NULL)
-
-EXPORTS =	   \
-	$(NULL)
-
-MODULE = nss
-
-CSRCS =		        \
-	asymmkey.c      \
-	certificate.c   \
-	cryptocontext.c \
-	symmkey.c       \
-	trustdomain.c   \
-	tdcache.c       \
-	certdecode.c    \
-	pkistore.c      \
-	pkibase.c       \
-	$(NULL)
-
-ifndef PURE_STAN_BUILD
-CSRCS += pki3hack.c
-PRIVATE_EXPORTS += pkistore.h pki3hack.h pkitm.h pkim.h
-#DEFINES = -DNSS_3_4_CODE -DDEBUG_CACHE
-DEFINES = -DNSS_3_4_CODE
-endif
-
-REQUIRES = nspr
-
-LIBRARY_NAME = nsspki
-LIBRARY_VERSION = 3
diff --git a/security/nss/lib/pki/nsspki.h b/security/nss/lib/pki/nsspki.h
deleted file mode 100644
index f50433620..000000000
--- a/security/nss/lib/pki/nsspki.h
+++ /dev/null
@@ -1,3195 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef NSSPKI_H
-#define NSSPKI_H
-
-#ifdef DEBUG
-static const char NSSPKI_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * nsspki.h
- *
- * This file prototypes the methods of the top-level PKI objects.
- */
-
-#ifndef NSSDEVT_H
-#include "nssdevt.h"
-#endif /* NSSDEVT_H */
-
-#ifndef NSSPKIT_H
-#include "nsspkit.h"
-#endif /* NSSPKIT_H */
-
-#ifndef NSSPKI1_H
-#include "nsspki1.h"
-#endif /* NSSPKI1_H */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-PR_BEGIN_EXTERN_C
-
-/*
- * A note about interfaces
- *
- * Although these APIs are specified in C, a language which does
- * not have fancy support for abstract interfaces, this library
- * was designed from an object-oriented perspective.  It may be
- * useful to consider the standard interfaces which went into
- * the writing of these APIs.
- *
- * Basic operations on all objects:
- *  Destroy -- free a pointer to an object
- *  DeleteStoredObject -- delete an object permanently
- *
- * Public Key cryptographic operations:
- *  Encrypt
- *  Verify
- *  VerifyRecover
- *  Wrap
- *  Derive
- *
- * Private Key cryptographic operations:
- *  IsStillPresent
- *  Decrypt
- *  Sign
- *  SignRecover
- *  Unwrap
- *  Derive
- *
- * Symmetric Key cryptographic operations:
- *  IsStillPresent
- *  Encrypt
- *  Decrypt
- *  Sign
- *  SignRecover
- *  Verify
- *  VerifyRecover
- *  Wrap
- *  Unwrap
- *  Derive
- *
- */
-
-/*
- * NSSCertificate
- *
- * These things can do crypto ops like public keys, except that the trust, 
- * usage, and other constraints are checked.  These objects are "high-level,"
- * so trust, usages, etc. are in the form we throw around (client auth,
- * email signing, etc.).  Remember that theoretically another implementation
- * (think PGP) could be beneath this object.
- */
-
-/*
- * NSSCertificate_Destroy
- *
- * Free a pointer to a certificate object.
- */
-
-NSS_EXTERN PRStatus
-NSSCertificate_Destroy
-(
-  NSSCertificate *c
-);
-
-/*
- * NSSCertificate_DeleteStoredObject
- *
- * Permanently remove this certificate from storage.  If this is the
- * only (remaining) certificate corresponding to a private key, 
- * public key, and/or other object; then that object (those objects)
- * are deleted too.
- */
-
-NSS_EXTERN PRStatus
-NSSCertificate_DeleteStoredObject
-(
-  NSSCertificate *c,
-  NSSCallback *uhh
-);
-
-/*
- * NSSCertificate_Validate
- *
- * Verify that this certificate is trusted, for the specified usage(s), 
- * at the specified time, {word word} the specified policies.
- */
-
-NSS_EXTERN PRStatus
-NSSCertificate_Validate
-(
-  NSSCertificate *c,
-  NSSTime *timeOpt, /* NULL for "now" */
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt /* NULL for none */
-);
-
-/*
- * NSSCertificate_ValidateCompletely
- *
- * Verify that this certificate is trusted.  The difference between
- * this and the previous call is that NSSCertificate_Validate merely
- * returns success or failure with an appropriate error stack.
- * However, there may be (and often are) multiple problems with a
- * certificate.  This routine returns an array of errors, specifying
- * every problem.
- */
-
-/* 
- * Return value must be an array of objects, each of which has
- * an NSSError, and any corresponding certificate (in the chain)
- * and/or policy.
- */
-
-NSS_EXTERN void ** /* void *[] */
-NSSCertificate_ValidateCompletely
-(
-  NSSCertificate *c,
-  NSSTime *timeOpt, /* NULL for "now" */
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt, /* NULL for none */
-  void **rvOpt, /* NULL for allocate */
-  PRUint32 rvLimit, /* zero for no limit */
-  NSSArena *arenaOpt /* NULL for heap */
-);
-
-/*
- * NSSCertificate_ValidateAndDiscoverUsagesAndPolicies
- *
- * Returns PR_SUCCESS if the certificate is valid for at least something.
- */
-
-NSS_EXTERN PRStatus
-NSSCertificate_ValidateAndDiscoverUsagesAndPolicies
-(
-  NSSCertificate *c,
-  NSSTime **notBeforeOutOpt,
-  NSSTime **notAfterOutOpt,
-  void *allowedUsages,
-  void *disallowedUsages,
-  void *allowedPolicies,
-  void *disallowedPolicies,
-  /* more args.. work on this fgmr */
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSCertificate_Encode
- *
- */
-
-NSS_EXTERN NSSDER *
-NSSCertificate_Encode
-(
-  NSSCertificate *c,
-  NSSDER *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSCertificate_BuildChain
- *
- * This routine returns NSSCertificate *'s for each certificate
- * in the "chain" starting from the specified one up to and
- * including the root.  The zeroth element in the array is the
- * specified ("leaf") certificate.
- *
- * If statusOpt is supplied, and is returned as PR_FAILURE, possible
- * error values are:
- *
- * NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND - the chain is incomplete
- *
- */
-
-extern const NSSError NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND;
-
-NSS_EXTERN NSSCertificate **
-NSSCertificate_BuildChain
-(
-  NSSCertificate *c,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt,
-  NSSCertificate **rvOpt,
-  PRUint32 rvLimit, /* zero for no limit */
-  NSSArena *arenaOpt,
-  PRStatus *statusOpt,
-  NSSTrustDomain *td,
-  NSSCryptoContext *cc 
-);
-
-/*
- * NSSCertificate_GetTrustDomain
- *
- */
-
-NSS_EXTERN NSSTrustDomain *
-NSSCertificate_GetTrustDomain
-(
-  NSSCertificate *c
-);
-
-/*
- * NSSCertificate_GetToken
- *
- * There doesn't have to be one.
- */
-
-NSS_EXTERN NSSToken *
-NSSCertificate_GetToken
-(
-  NSSCertificate *c,
-  PRStatus *statusOpt
-);
-
-/*
- * NSSCertificate_GetSlot
- *
- * There doesn't have to be one.
- */
-
-NSS_EXTERN NSSSlot *
-NSSCertificate_GetSlot
-(
-  NSSCertificate *c,
-  PRStatus *statusOpt
-);
-
-/*
- * NSSCertificate_GetModule
- *
- * There doesn't have to be one.
- */
-
-NSS_EXTERN NSSModule *
-NSSCertificate_GetModule
-(
-  NSSCertificate *c,
-  PRStatus *statusOpt
-);
-
-/*
- * NSSCertificate_Encrypt
- *
- * Encrypt a single chunk of data with the public key corresponding to
- * this certificate.
- */
-
-NSS_EXTERN NSSItem *
-NSSCertificate_Encrypt
-(
-  NSSCertificate *c,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSCertificate_Verify
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCertificate_Verify
-(
-  NSSCertificate *c,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSItem *signature,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt,
-  NSSCallback *uhh
-);
-
-/*
- * NSSCertificate_VerifyRecover
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCertificate_VerifyRecover
-(
-  NSSCertificate *c,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *signature,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSCertificate_WrapSymmetricKey
- *
- * This method tries very hard to to succeed, even in situations 
- * involving sensitive keys and multiple modules.
- * { relyea: want to add verbiage? }
- */
-
-NSS_EXTERN NSSItem *
-NSSCertificate_WrapSymmetricKey
-(
-  NSSCertificate *c,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSSymmetricKey *keyToWrap,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSCertificate_CreateCryptoContext
- *
- * Create a crypto context, in this certificate's trust domain, with this
- * as the distinguished certificate.
- */
-
-NSS_EXTERN NSSCryptoContext *
-NSSCertificate_CreateCryptoContext
-(
-  NSSCertificate *c,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt,
-  NSSCallback *uhh  
-);
-
-/*
- * NSSCertificate_GetPublicKey
- *
- * Returns the public key corresponding to this certificate.
- */
-
-NSS_EXTERN NSSPublicKey *
-NSSCertificate_GetPublicKey
-(
-  NSSCertificate *c
-);
-
-/*
- * NSSCertificate_FindPrivateKey
- *
- * Finds and returns the private key corresponding to this certificate,
- * if it is available.
- *
- * { Should this hang off of NSSUserCertificate? }
- */
-
-NSS_EXTERN NSSPrivateKey *
-NSSCertificate_FindPrivateKey
-(
-  NSSCertificate *c,
-  NSSCallback *uhh
-);
-
-/*
- * NSSCertificate_IsPrivateKeyAvailable
- *
- * Returns success if the private key corresponding to this certificate
- * is available to be used.
- *
- * { Should *this* hang off of NSSUserCertificate?? }
- */
-
-NSS_EXTERN PRBool
-NSSCertificate_IsPrivateKeyAvailable
-(
-  NSSCertificate *c,
-  NSSCallback *uhh,
-  PRStatus *statusOpt
-);
-
-/*
- * If we make NSSUserCertificate not a typedef of NSSCertificate, 
- * then we'll need implementations of the following:
- *
- *  NSSUserCertificate_Destroy
- *  NSSUserCertificate_DeleteStoredObject
- *  NSSUserCertificate_Validate
- *  NSSUserCertificate_ValidateCompletely
- *  NSSUserCertificate_ValidateAndDiscoverUsagesAndPolicies
- *  NSSUserCertificate_Encode
- *  NSSUserCertificate_BuildChain
- *  NSSUserCertificate_GetTrustDomain
- *  NSSUserCertificate_GetToken
- *  NSSUserCertificate_GetSlot
- *  NSSUserCertificate_GetModule
- *  NSSUserCertificate_GetCryptoContext
- *  NSSUserCertificate_GetPublicKey
- */
-
-/*
- * NSSUserCertificate_IsStillPresent
- *
- * Verify that if this certificate lives on a token, that the token
- * is still present and the certificate still exists.  This is a
- * lightweight call which should be used whenever it should be
- * verified that the user hasn't perhaps popped out his or her
- * token and strolled away.
- */
-
-NSS_EXTERN PRBool
-NSSUserCertificate_IsStillPresent
-(
-  NSSUserCertificate *uc,
-  PRStatus *statusOpt
-);
-
-/*
- * NSSUserCertificate_Decrypt
- *
- * Decrypt a single chunk of data with the private key corresponding
- * to this certificate.
- */
-
-NSS_EXTERN NSSItem *
-NSSUserCertificate_Decrypt
-(
-  NSSUserCertificate *uc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSUserCertificate_Sign
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSUserCertificate_Sign
-(
-  NSSUserCertificate *uc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSUserCertificate_SignRecover
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSUserCertificate_SignRecover
-(
-  NSSUserCertificate *uc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSUserCertificate_UnwrapSymmetricKey
- *
- */
-
-NSS_EXTERN NSSSymmetricKey *
-NSSUserCertificate_UnwrapSymmetricKey
-(
-  NSSUserCertificate *uc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *wrappedKey,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSUserCertificate_DeriveSymmetricKey
- *
- */
-
-NSS_EXTERN NSSSymmetricKey *
-NSSUserCertificate_DeriveSymmetricKey
-(
-  NSSUserCertificate *uc, /* provides private key */
-  NSSCertificate *c, /* provides public key */
-  NSSAlgorithmAndParameters *apOpt,
-  NSSOID *target,
-  PRUint32 keySizeOpt, /* zero for best allowed */
-  NSSOperations operations,
-  NSSCallback *uhh
-);
-
-/* filter-certs function(s) */
-
-/**
- ** fgmr -- trust objects
- **/
-
-/*
- * NSSPrivateKey
- *
- */
-
-/*
- * NSSPrivateKey_Destroy
- *
- * Free a pointer to a private key object.
- */
-
-NSS_EXTERN PRStatus
-NSSPrivateKey_Destroy
-(
-  NSSPrivateKey *vk
-);
-
-/*
- * NSSPrivateKey_DeleteStoredObject
- *
- * Permanently remove this object, and any related objects (such as the
- * certificates corresponding to this key).
- */
-
-NSS_EXTERN PRStatus
-NSSPrivateKey_DeleteStoredObject
-(
-  NSSPrivateKey *vk,
-  NSSCallback *uhh
-);
-
-/*
- * NSSPrivateKey_GetSignatureLength
- *
- */
-
-NSS_EXTERN PRUint32
-NSSPrivateKey_GetSignatureLength
-(
-  NSSPrivateKey *vk
-);
-
-/*
- * NSSPrivateKey_GetPrivateModulusLength
- *
- */
-
-NSS_EXTERN PRUint32
-NSSPrivateKey_GetPrivateModulusLength
-(
-  NSSPrivateKey *vk
-);
-
-/*
- * NSSPrivateKey_IsStillPresent
- *
- */
-
-NSS_EXTERN PRBool
-NSSPrivateKey_IsStillPresent
-(
-  NSSPrivateKey *vk,
-  PRStatus *statusOpt
-);
-
-/*
- * NSSPrivateKey_Encode
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSPrivateKey_Encode
-(
-  NSSPrivateKey *vk,
-  NSSAlgorithmAndParameters *ap,
-  NSSItem *passwordOpt, /* NULL will cause a callback; "" for no password */
-  NSSCallback *uhhOpt,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSPrivateKey_GetTrustDomain
- *
- * There doesn't have to be one.
- */
-
-NSS_EXTERN NSSTrustDomain *
-NSSPrivateKey_GetTrustDomain
-(
-  NSSPrivateKey *vk,
-  PRStatus *statusOpt
-);
-
-/*
- * NSSPrivateKey_GetToken
- *
- */
-
-NSS_EXTERN NSSToken *
-NSSPrivateKey_GetToken
-(
-  NSSPrivateKey *vk
-);
-
-/*
- * NSSPrivateKey_GetSlot
- *
- */
-
-NSS_EXTERN NSSSlot *
-NSSPrivateKey_GetSlot
-(
-  NSSPrivateKey *vk
-);
-
-/*
- * NSSPrivateKey_GetModule
- *
- */
-
-NSS_EXTERN NSSModule *
-NSSPrivateKey_GetModule
-(
-  NSSPrivateKey *vk
-);
-
-/*
- * NSSPrivateKey_Decrypt
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSPrivateKey_Decrypt
-(
-  NSSPrivateKey *vk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *encryptedData,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSPrivateKey_Sign
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSPrivateKey_Sign
-(
-  NSSPrivateKey *vk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSPrivateKey_SignRecover
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSPrivateKey_SignRecover
-(
-  NSSPrivateKey *vk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSPrivateKey_UnwrapSymmetricKey
- *
- */
-
-NSS_EXTERN NSSSymmetricKey *
-NSSPrivateKey_UnwrapSymmetricKey
-(
-  NSSPrivateKey *vk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *wrappedKey,
-  NSSCallback *uhh
-);
-
-/*
- * NSSPrivateKey_DeriveSymmetricKey
- *
- */
-
-NSS_EXTERN NSSSymmetricKey *
-NSSPrivateKey_DeriveSymmetricKey
-(
-  NSSPrivateKey *vk,
-  NSSPublicKey *bk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSOID *target,
-  PRUint32 keySizeOpt, /* zero for best allowed */
-  NSSOperations operations,
-  NSSCallback *uhh
-);
-
-/*
- * NSSPrivateKey_FindPublicKey
- *
- */
-
-NSS_EXTERN NSSPublicKey *
-NSSPrivateKey_FindPublicKey
-(
-  NSSPrivateKey *vk
-  /* { don't need the callback here, right? } */
-);
-
-/*
- * NSSPrivateKey_CreateCryptoContext
- *
- * Create a crypto context, in this key's trust domain,
- * with this as the distinguished private key.
- */
-
-NSS_EXTERN NSSCryptoContext *
-NSSPrivateKey_CreateCryptoContext
-(
-  NSSPrivateKey *vk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSCallback *uhh
-);
-
-/*
- * NSSPrivateKey_FindCertificates
- *
- * Note that there may be more than one certificate for this
- * private key.  { FilterCertificates function to further
- * reduce the list. }
- */
-
-NSS_EXTERN NSSCertificate **
-NSSPrivateKey_FindCertificates
-(
-  NSSPrivateKey *vk,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt, /* 0 for no max */
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSPrivateKey_FindBestCertificate
- *
- * The parameters for this function will depend on what the users
- * need.  This is just a starting point.
- */
-
-NSS_EXTERN NSSCertificate *
-NSSPrivateKey_FindBestCertificate
-(
-  NSSPrivateKey *vk,
-  NSSTime *timeOpt,
-  NSSUsage *usageOpt,
-  NSSPolicies *policiesOpt
-);
-
-/*
- * NSSPublicKey
- *
- * Once you generate, find, or derive one of these, you can use it
- * to perform (simple) cryptographic operations.  Though there may
- * be certificates associated with these public keys, they are not
- * verified.
- */
-
-/*
- * NSSPublicKey_Destroy
- *
- * Free a pointer to a public key object.
- */
-
-NSS_EXTERN PRStatus
-NSSPublicKey_Destroy
-(
-  NSSPublicKey *bk
-);
-
-/*
- * NSSPublicKey_DeleteStoredObject
- *
- * Permanently remove this object, and any related objects (such as the
- * corresponding private keys and certificates).
- */
-
-NSS_EXTERN PRStatus
-NSSPublicKey_DeleteStoredObject
-(
-  NSSPublicKey *bk,
-  NSSCallback *uhh
-);
-
-/*
- * NSSPublicKey_Encode
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSPublicKey_Encode
-(
-  NSSPublicKey *bk,
-  NSSAlgorithmAndParameters *ap,
-  NSSCallback *uhhOpt,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSPublicKey_GetTrustDomain
- *
- * There doesn't have to be one.
- */
-
-NSS_EXTERN NSSTrustDomain *
-NSSPublicKey_GetTrustDomain
-(
-  NSSPublicKey *bk,
-  PRStatus *statusOpt
-);
-
-/*
- * NSSPublicKey_GetToken
- *
- * There doesn't have to be one.
- */
-
-NSS_EXTERN NSSToken *
-NSSPublicKey_GetToken
-(
-  NSSPublicKey *bk,
-  PRStatus *statusOpt
-);
-
-/*
- * NSSPublicKey_GetSlot
- *
- * There doesn't have to be one.
- */
-
-NSS_EXTERN NSSSlot *
-NSSPublicKey_GetSlot
-(
-  NSSPublicKey *bk,
-  PRStatus *statusOpt
-);
-
-/*
- * NSSPublicKey_GetModule
- *
- * There doesn't have to be one.
- */
-
-NSS_EXTERN NSSModule *
-NSSPublicKey_GetModule
-(
-  NSSPublicKey *bk,
-  PRStatus *statusOpt
-);
-
-/*
- * NSSPublicKey_Encrypt
- *
- * Encrypt a single chunk of data with the public key corresponding to
- * this certificate.
- */
-
-NSS_EXTERN NSSItem *
-NSSPublicKey_Encrypt
-(
-  NSSPublicKey *bk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSPublicKey_Verify
- *
- */
-
-NSS_EXTERN PRStatus
-NSSPublicKey_Verify
-(
-  NSSPublicKey *bk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSItem *signature,
-  NSSCallback *uhh
-);
-
-/*
- * NSSPublicKey_VerifyRecover
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSPublicKey_VerifyRecover
-(
-  NSSPublicKey *bk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *signature,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSPublicKey_WrapSymmetricKey
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSPublicKey_WrapSymmetricKey
-(
-  NSSPublicKey *bk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSSymmetricKey *keyToWrap,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSPublicKey_CreateCryptoContext
- *
- * Create a crypto context, in this key's trust domain, with this
- * as the distinguished public key.
- */
-
-NSS_EXTERN NSSCryptoContext *
-NSSPublicKey_CreateCryptoContext
-(
-  NSSPublicKey *bk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSCallback *uhh
-);
-
-/*
- * NSSPublicKey_FindCertificates
- *
- * Note that there may be more than one certificate for this
- * public key.  The current implementation may not find every
- * last certificate available for this public key: that would
- * involve trolling e.g. huge ldap databases, which will be
- * grossly inefficient and not generally useful.
- * { FilterCertificates function to further reduce the list }
- */
-
-NSS_EXTERN NSSCertificate **
-NSSPublicKey_FindCertificates
-(
-  NSSPublicKey *bk,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt, /* 0 for no max */
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSPrivateKey_FindBestCertificate
- *
- * The parameters for this function will depend on what the users
- * need.  This is just a starting point.
- */
-
-NSS_EXTERN NSSCertificate *
-NSSPublicKey_FindBestCertificate
-(
-  NSSPublicKey *bk,
-  NSSTime *timeOpt,
-  NSSUsage *usageOpt,
-  NSSPolicies *policiesOpt
-);
-
-/*
- * NSSPublicKey_FindPrivateKey
- *
- */
-
-NSS_EXTERN NSSPrivateKey *
-NSSPublicKey_FindPrivateKey
-(
-  NSSPublicKey *bk,
-  NSSCallback *uhh
-);
-
-/*
- * NSSSymmetricKey
- *
- */
-
-/*
- * NSSSymmetricKey_Destroy
- *
- * Free a pointer to a symmetric key object.
- */
-
-NSS_EXTERN PRStatus
-NSSSymmetricKey_Destroy
-(
-  NSSSymmetricKey *mk
-);
-
-/*
- * NSSSymmetricKey_DeleteStoredObject
- *
- * Permanently remove this object.
- */
-
-NSS_EXTERN PRStatus
-NSSSymmetricKey_DeleteStoredObject
-(
-  NSSSymmetricKey *mk,
-  NSSCallback *uhh
-);
-
-/*
- * NSSSymmetricKey_GetKeyLength
- *
- */
-
-NSS_EXTERN PRUint32
-NSSSymmetricKey_GetKeyLength
-(
-  NSSSymmetricKey *mk
-);
-
-/*
- * NSSSymmetricKey_GetKeyStrength
- *
- */
-
-NSS_EXTERN PRUint32
-NSSSymmetricKey_GetKeyStrength
-(
-  NSSSymmetricKey *mk
-);
-
-/*
- * NSSSymmetricKey_IsStillPresent
- *
- */
-
-NSS_EXTERN PRStatus
-NSSSymmetricKey_IsStillPresent
-(
-  NSSSymmetricKey *mk
-);
-
-/*
- * NSSSymmetricKey_GetTrustDomain
- *
- * There doesn't have to be one.
- */
-
-NSS_EXTERN NSSTrustDomain *
-NSSSymmetricKey_GetTrustDomain
-(
-  NSSSymmetricKey *mk,
-  PRStatus *statusOpt
-);
-
-/*
- * NSSSymmetricKey_GetToken
- *
- * There doesn't have to be one.
- */
-
-NSS_EXTERN NSSToken *
-NSSSymmetricKey_GetToken
-(
-  NSSSymmetricKey *mk,
-  PRStatus *statusOpt
-);
-
-/*
- * NSSSymmetricKey_GetSlot
- *
- * There doesn't have to be one.
- */
-
-NSS_EXTERN NSSSlot *
-NSSSymmetricKey_GetSlot
-(
-  NSSSymmetricKey *mk,
-  PRStatus *statusOpt
-);
-
-/*
- * NSSSymmetricKey_GetModule
- *
- * There doesn't have to be one.
- */
-
-NSS_EXTERN NSSModule *
-NSSSymmetricKey_GetModule
-(
-  NSSSymmetricKey *mk,
-  PRStatus *statusOpt
-);
-
-/*
- * NSSSymmetricKey_Encrypt
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSSymmetricKey_Encrypt
-(
-  NSSSymmetricKey *mk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSSymmetricKey_Decrypt
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSSymmetricKey_Decrypt
-(
-  NSSSymmetricKey *mk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *encryptedData,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSSymmetricKey_Sign
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSSymmetricKey_Sign
-(
-  NSSSymmetricKey *mk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSSymmetricKey_SignRecover
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSSymmetricKey_SignRecover
-(
-  NSSSymmetricKey *mk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSSymmetricKey_Verify
- *
- */
-
-NSS_EXTERN PRStatus
-NSSSymmetricKey_Verify
-(
-  NSSSymmetricKey *mk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSItem *signature,
-  NSSCallback *uhh
-);
-
-/*
- * NSSSymmetricKey_VerifyRecover
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSSymmetricKey_VerifyRecover
-(
-  NSSSymmetricKey *mk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *signature,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSSymmetricKey_WrapSymmetricKey
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSSymmetricKey_WrapSymmetricKey
-(
-  NSSSymmetricKey *wrappingKey,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSSymmetricKey *keyToWrap,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSSymmetricKey_WrapPrivateKey
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSSymmetricKey_WrapPrivateKey
-(
-  NSSSymmetricKey *wrappingKey,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSPrivateKey *keyToWrap,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSSymmetricKey_UnwrapSymmetricKey
- *
- */
-
-NSS_EXTERN NSSSymmetricKey *
-NSSSymmetricKey_UnwrapSymmetricKey
-(
-  NSSSymmetricKey *wrappingKey,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *wrappedKey,
-  NSSOID *target,
-  PRUint32 keySizeOpt,
-  NSSOperations operations,
-  NSSCallback *uhh
-);
-
-/*
- * NSSSymmetricKey_UnwrapPrivateKey
- *
- */
-
-NSS_EXTERN NSSPrivateKey *
-NSSSymmetricKey_UnwrapPrivateKey
-(
-  NSSSymmetricKey *wrappingKey,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *wrappedKey,
-  NSSUTF8 *labelOpt,
-  NSSItem *keyIDOpt,
-  PRBool persistant,
-  PRBool sensitive,
-  NSSToken *destinationOpt,
-  NSSCallback *uhh
-);
-
-/*
- * NSSSymmetricKey_DeriveSymmetricKey
- *
- */
-
-NSS_EXTERN NSSSymmetricKey *
-NSSSymmetricKey_DeriveSymmetricKey
-(
-  NSSSymmetricKey *originalKey,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSOID *target,
-  PRUint32 keySizeOpt,
-  NSSOperations operations,
-  NSSCallback *uhh
-);
-
-/*
- * NSSSymmetricKey_CreateCryptoContext
- *
- * Create a crypto context, in this key's trust domain,
- * with this as the distinguished symmetric key.
- */
-
-NSS_EXTERN NSSCryptoContext *
-NSSSymmetricKey_CreateCryptoContext
-(
-  NSSSymmetricKey *mk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSCallback *uhh
-);
-
-/*
- * NSSTrustDomain
- *
- */
-
-/*
- * NSSTrustDomain_Create
- *
- * This creates a trust domain, optionally with an initial cryptoki
- * module.  If the module name is not null, the module is loaded if
- * needed (using the uriOpt argument), and initialized with the
- * opaqueOpt argument.  If mumble mumble priority settings, then
- * module-specification objects in the module can cause the loading
- * and initialization of further modules.
- *
- * The uriOpt is defined to take a URI.  At present, we only
- * support file: URLs pointing to platform-native shared libraries.
- * However, by specifying this as a URI, this keeps open the 
- * possibility of supporting other, possibly remote, resources.
- *
- * The "reserved" arguments is held for when we figure out the
- * module priority stuff.
- */
-
-NSS_EXTERN NSSTrustDomain *
-NSSTrustDomain_Create
-(
-  NSSUTF8 *moduleOpt,
-  NSSUTF8 *uriOpt,
-  NSSUTF8 *opaqueOpt,
-  void *reserved
-);
-
-/*
- * NSSTrustDomain_Destroy
- *
- */
-
-NSS_EXTERN PRStatus
-NSSTrustDomain_Destroy
-(
-  NSSTrustDomain *td
-);
-
-/*
- * NSSTrustDomain_SetDefaultCallback
- *
- */
-
-NSS_EXTERN PRStatus
-NSSTrustDomain_SetDefaultCallback
-(
-  NSSTrustDomain *td,
-  NSSCallback *newCallback,
-  NSSCallback **oldCallbackOpt
-);
-
-/*
- * NSSTrustDomain_GetDefaultCallback
- *
- */
-
-NSS_EXTERN NSSCallback *
-NSSTrustDomain_GetDefaultCallback
-(
-  NSSTrustDomain *td,
-  PRStatus *statusOpt
-);
-
-/*
- * Default policies?
- * Default usage?
- * Default time, for completeness?
- */
-
-/*
- * NSSTrustDomain_LoadModule
- *
- */
-
-NSS_EXTERN PRStatus
-NSSTrustDomain_LoadModule
-(
-  NSSTrustDomain *td,
-  NSSUTF8 *moduleOpt,
-  NSSUTF8 *uriOpt,
-  NSSUTF8 *opaqueOpt,
-  void *reserved
-);
-
-/*
- * NSSTrustDomain_AddModule
- * NSSTrustDomain_AddSlot
- * NSSTrustDomain_UnloadModule
- * Managing modules, slots, tokens; priorities;
- * Traversing all of the above
- * this needs more work
- */
-
-/*
- * NSSTrustDomain_DisableToken
- *
- */
-
-NSS_EXTERN PRStatus
-NSSTrustDomain_DisableToken
-(
-  NSSTrustDomain *td,
-  NSSToken *token,
-  NSSError why
-);
-
-/*
- * NSSTrustDomain_EnableToken
- *
- */
-
-NSS_EXTERN PRStatus
-NSSTrustDomain_EnableToken
-(
-  NSSTrustDomain *td,
-  NSSToken *token
-);
-
-/*
- * NSSTrustDomain_IsTokenEnabled
- *
- * If disabled, "why" is always on the error stack.
- * The optional argument is just for convenience.
- */
-
-NSS_EXTERN PRStatus
-NSSTrustDomain_IsTokenEnabled
-(
-  NSSTrustDomain *td,
-  NSSToken *token,
-  NSSError *whyOpt
-);
-
-/*
- * NSSTrustDomain_FindSlotByName
- *
- */
-
-NSS_EXTERN NSSSlot *
-NSSTrustDomain_FindSlotByName
-(
-  NSSTrustDomain *td,
-  NSSUTF8 *slotName
-);
-
-/*
- * NSSTrustDomain_FindTokenByName
- *
- */
-
-NSS_EXTERN NSSToken *
-NSSTrustDomain_FindTokenByName
-(
-  NSSTrustDomain *td,
-  NSSUTF8 *tokenName
-);
-
-/*
- * NSSTrustDomain_FindTokenBySlotName
- *
- */
-
-NSS_EXTERN NSSToken *
-NSSTrustDomain_FindTokenBySlotName
-(
-  NSSTrustDomain *td,
-  NSSUTF8 *slotName
-);
-
-/*
- * NSSTrustDomain_FindBestTokenForAlgorithm
- *
- */
-
-NSS_EXTERN NSSToken *
-NSSTrustDomain_FindTokenForAlgorithm
-(
-  NSSTrustDomain *td,
-  NSSOID *algorithm
-);
-
-/*
- * NSSTrustDomain_FindBestTokenForAlgorithms
- *
- */
-
-NSS_EXTERN NSSToken *
-NSSTrustDomain_FindBestTokenForAlgorithms
-(
-  NSSTrustDomain *td,
-  NSSOID *algorithms[], /* may be null-terminated */
-  PRUint32 nAlgorithmsOpt /* limits the array if nonzero */
-);
-
-/*
- * NSSTrustDomain_Login
- *
- */
-
-NSS_EXTERN PRStatus
-NSSTrustDomain_Login
-(
-  NSSTrustDomain *td,
-  NSSCallback *uhhOpt
-);
-
-/*
- * NSSTrustDomain_Logout
- *
- */
-
-NSS_EXTERN PRStatus
-NSSTrustDomain_Logout
-(
-  NSSTrustDomain *td
-);
-
-/* Importing things */
-
-/*
- * NSSTrustDomain_ImportCertificate
- *
- * The implementation will pull some data out of the certificate
- * (e.g. e-mail address) for use in pkcs#11 object attributes.
- */
-
-NSS_EXTERN NSSCertificate *
-NSSTrustDomain_ImportCertificate
-(
-  NSSTrustDomain *td,
-  NSSCertificate *c
-);
-
-/*
- * NSSTrustDomain_ImportPKIXCertificate
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSTrustDomain_ImportPKIXCertificate
-(
-  NSSTrustDomain *td,
-  /* declared as a struct until these "data types" are defined */
-  struct NSSPKIXCertificateStr *pc
-);
-
-/*
- * NSSTrustDomain_ImportEncodedCertificate
- *
- * Imports any type of certificate we support.
- */
-
-NSS_EXTERN NSSCertificate *
-NSSTrustDomain_ImportEncodedCertificate
-(
-  NSSTrustDomain *td,
-  NSSBER *ber
-);
-
-/*
- * NSSTrustDomain_ImportEncodedCertificateChain
- *
- * If you just want the leaf, pass in a maximum of one.
- */
-
-NSS_EXTERN NSSCertificate **
-NSSTrustDomain_ImportEncodedCertificateChain
-(
-  NSSTrustDomain *td,
-  NSSBER *ber,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt, /* 0 for no max */
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSTrustDomain_ImportEncodedPrivateKey
- *
- */
-
-NSS_EXTERN NSSPrivateKey *
-NSSTrustDomain_ImportEncodedPrivateKey
-(
-  NSSTrustDomain *td,
-  NSSBER *ber,
-  NSSItem *passwordOpt, /* NULL will cause a callback */
-  NSSCallback *uhhOpt,
-  NSSToken *destination
-);
-
-/*
- * NSSTrustDomain_ImportEncodedPublicKey
- *
- */
-
-NSS_EXTERN NSSPublicKey *
-NSSTrustDomain_ImportEncodedPublicKey
-(
-  NSSTrustDomain *td,
-  NSSBER *ber
-);
-
-/* Other importations: S/MIME capabilities */
-
-/*
- * NSSTrustDomain_FindBestCertificateByNickname
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSTrustDomain_FindBestCertificateByNickname
-(
-  NSSTrustDomain *td,
-  NSSUTF8 *name,
-  NSSTime *timeOpt, /* NULL for "now" */
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt /* NULL for none */
-);
-
-/*
- * NSSTrustDomain_FindCertificatesByNickname
- *
- */
-
-NSS_EXTERN NSSCertificate **
-NSSTrustDomain_FindCertificatesByNickname
-(
-  NSSTrustDomain *td,
-  NSSUTF8 *name,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt, /* 0 for no max */
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSTrustDomain_FindCertificateByIssuerAndSerialNumber
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSTrustDomain_FindCertificateByIssuerAndSerialNumber
-(
-  NSSTrustDomain *td,
-  NSSDER *issuer,
-  NSSDER *serialNumber
-);
-
-/*
- * NSSTrustDomain_FindCertificatesByIssuerAndSerialNumber
- *
- * Theoretically, this should never happen.  However, some companies
- * we know have issued duplicate certificates with the same issuer
- * and serial number.  Do we just ignore them?  I'm thinking yes.
- */
-
-/*
- * NSSTrustDomain_FindBestCertificateBySubject
- *
- * This does not search through alternate names hidden in extensions.
- */
-
-NSS_EXTERN NSSCertificate *
-NSSTrustDomain_FindBestCertificateBySubject
-(
-  NSSTrustDomain *td,
-  NSSDER /*NSSUTF8*/ *subject,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt
-);
-
-/*
- * NSSTrustDomain_FindCertificatesBySubject
- *
- * This does not search through alternate names hidden in extensions.
- */
-
-NSS_EXTERN NSSCertificate **
-NSSTrustDomain_FindCertificatesBySubject
-(
-  NSSTrustDomain *td,
-  NSSDER /*NSSUTF8*/ *subject,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt, /* 0 for no max */
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSTrustDomain_FindBestCertificateByNameComponents
- *
- * This call does try several tricks, including a pseudo pkcs#11 
- * attribute for the ldap module to try as a query.  Eventually
- * this call falls back to a traversal if that's what's required.
- * It will search through alternate names hidden in extensions.
- */
-
-NSS_EXTERN NSSCertificate *
-NSSTrustDomain_FindBestCertificateByNameComponents
-(
-  NSSTrustDomain *td,
-  NSSUTF8 *nameComponents,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt
-);
-
-/*
- * NSSTrustDomain_FindCertificatesByNameComponents
- *
- * This call, too, tries several tricks.  It will stop on the first
- * attempt that generates results, so it won't e.g. traverse the
- * entire ldap database.
- */
-
-NSS_EXTERN NSSCertificate **
-NSSTrustDomain_FindCertificatesByNameComponents
-(
-  NSSTrustDomain *td,
-  NSSUTF8 *nameComponents,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt, /* 0 for no max */
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSTrustDomain_FindCertificateByEncodedCertificate
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSTrustDomain_FindCertificateByEncodedCertificate
-(
-  NSSTrustDomain *td,
-  NSSBER *encodedCertificate
-);
-
-/*
- * NSSTrustDomain_FindBestCertificateByEmail
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSTrustDomain_FindCertificateByEmail
-(
-  NSSTrustDomain *td,
-  NSSASCII7 *email,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt
-);
-
-/*
- * NSSTrustDomain_FindCertificatesByEmail
- *
- */
-
-NSS_EXTERN NSSCertificate **
-NSSTrustDomain_FindCertificatesByEmail
-(
-  NSSTrustDomain *td,
-  NSSASCII7 *email,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt, /* 0 for no max */
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSTrustDomain_FindCertificateByOCSPHash
- *
- * There can be only one.
- */
-
-NSS_EXTERN NSSCertificate *
-NSSTrustDomain_FindCertificateByOCSPHash
-(
-  NSSTrustDomain *td,
-  NSSItem *hash
-);
-
-/*
- * NSSTrustDomain_TraverseCertificates
- *
- * This function descends from one in older versions of NSS which
- * traverses the certs in the permanent database.  That function
- * was used to implement selection routines, but was directly
- * available too.  Trust domains are going to contain a lot more
- * certs now (e.g., an ldap server), so we'd really like to
- * discourage traversal.  Thus for now, this is commented out.
- * If it's needed, let's look at the situation more closely to
- * find out what the actual requirements are.
- */
- 
-/* For now, adding this function.  This may only be for debugging
- * purposes.
- * Perhaps some equivalent function, on a specified token, will be
- * needed in a "friend" header file?
- */
-NSS_EXTERN PRStatus *
-NSSTrustDomain_TraverseCertificates
-(
-  NSSTrustDomain *td,
-  PRStatus (*callback)(NSSCertificate *c, void *arg),
-  void *arg
-);
-
-/*
- * NSSTrustDomain_FindBestUserCertificate
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSTrustDomain_FindBestUserCertificate
-(
-  NSSTrustDomain *td,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt
-);
-
-/*
- * NSSTrustDomain_FindUserCertificates
- *
- */
-
-NSS_EXTERN NSSCertificate **
-NSSTrustDomain_FindUserCertificates
-(
-  NSSTrustDomain *td,
-  NSSTime *timeOpt,
-  NSSUsage *usageOpt,
-  NSSPolicies *policiesOpt,
-  NSSCertificate **rvOpt,
-  PRUint32 rvLimit, /* zero for no limit */
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSTrustDomain_FindBestUserCertificateForSSLClientAuth
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSTrustDomain_FindBestUserCertificateForSSLClientAuth
-(
-  NSSTrustDomain *td,
-  NSSUTF8 *sslHostOpt,
-  NSSDER *rootCAsOpt[], /* null pointer for none */
-  PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
-  NSSAlgorithmAndParameters *apOpt,
-  NSSPolicies *policiesOpt
-);
-
-/*
- * NSSTrustDomain_FindUserCertificatesForSSLClientAuth
- *
- */
-
-NSS_EXTERN NSSCertificate **
-NSSTrustDomain_FindUserCertificatesForSSLClientAuth
-(
-  NSSTrustDomain *td,
-  NSSUTF8 *sslHostOpt,
-  NSSDER *rootCAsOpt[], /* null pointer for none */
-  PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
-  NSSAlgorithmAndParameters *apOpt,
-  NSSPolicies *policiesOpt,
-  NSSCertificate **rvOpt,
-  PRUint32 rvLimit, /* zero for no limit */
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSTrustDomain_FindBestUserCertificateForEmailSigning
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSTrustDomain_FindBestUserCertificateForEmailSigning
-(
-  NSSTrustDomain *td,
-  NSSASCII7 *signerOpt,
-  NSSASCII7 *recipientOpt,
-  /* anything more here? */
-  NSSAlgorithmAndParameters *apOpt,
-  NSSPolicies *policiesOpt
-);
-
-/*
- * NSSTrustDomain_FindUserCertificatesForEmailSigning
- *
- */
-
-NSS_EXTERN NSSCertificate **
-NSSTrustDomain_FindUserCertificatesForEmailSigning
-(
-  NSSTrustDomain *td,
-  NSSASCII7 *signerOpt,
-  NSSASCII7 *recipientOpt,
-  /* anything more here? */
-  NSSAlgorithmAndParameters *apOpt,
-  NSSPolicies *policiesOpt,
-  NSSCertificate **rvOpt,
-  PRUint32 rvLimit, /* zero for no limit */
-  NSSArena *arenaOpt
-);
-
-/*
- * Here is where we'd add more Find[Best]UserCertificate[s]For<usage>
- * routines.
- */
-
-/* Private Keys */
-
-/*
- * NSSTrustDomain_GenerateKeyPair
- *
- * Creates persistant objects.  If you want session objects, use
- * NSSCryptoContext_GenerateKeyPair.  The destination token is where
- * the keys are stored.  If that token can do the required math, then
- * that's where the keys are generated too.  Otherwise, the keys are
- * generated elsewhere and moved to that token.
- */
-
-NSS_EXTERN PRStatus
-NSSTrustDomain_GenerateKeyPair
-(
-  NSSTrustDomain *td,
-  NSSAlgorithmAndParameters *ap,
-  NSSPrivateKey **pvkOpt,
-  NSSPublicKey **pbkOpt,
-  PRBool privateKeyIsSensitive,
-  NSSToken *destination,
-  NSSCallback *uhhOpt
-);
-
-/*
- * NSSTrustDomain_TraversePrivateKeys
- *
- * 
- * NSS_EXTERN PRStatus *
- * NSSTrustDomain_TraversePrivateKeys
- * (
- *   NSSTrustDomain *td,
- *   PRStatus (*callback)(NSSPrivateKey *vk, void *arg),
- *   void *arg
- * );
- */
-
-/* Symmetric Keys */
-
-/*
- * NSSTrustDomain_GenerateSymmetricKey
- *
- */
-
-NSS_EXTERN NSSSymmetricKey *
-NSSTrustDomain_GenerateSymmetricKey
-(
-  NSSTrustDomain *td,
-  NSSAlgorithmAndParameters *ap,
-  PRUint32 keysize,
-  NSSToken *destination,
-  NSSCallback *uhhOpt
-);
-
-/*
- * NSSTrustDomain_GenerateSymmetricKeyFromPassword
- *
- */
-
-NSS_EXTERN NSSSymmetricKey *
-NSSTrustDomain_GenerateSymmetricKeyFromPassword
-(
-  NSSTrustDomain *td,
-  NSSAlgorithmAndParameters *ap,
-  NSSUTF8 *passwordOpt, /* if null, prompt */
-  NSSToken *destinationOpt,
-  NSSCallback *uhhOpt
-);
-
-/*
- * NSSTrustDomain_FindSymmetricKeyByAlgorithm
- *
- * Is this still needed?
- * 
- * NSS_EXTERN NSSSymmetricKey *
- * NSSTrustDomain_FindSymmetricKeyByAlgorithm
- * (
- *   NSSTrustDomain *td,
- *   NSSOID *algorithm,
- *   NSSCallback *uhhOpt
- * );
- */
-
-/*
- * NSSTrustDomain_FindSymmetricKeyByAlgorithmAndKeyID
- *
- */
-
-NSS_EXTERN NSSSymmetricKey *
-NSSTrustDomain_FindSymmetricKeyByAlgorithmAndKeyID
-(
-  NSSTrustDomain *td,
-  NSSOID *algorithm,
-  NSSItem *keyID,
-  NSSCallback *uhhOpt
-);
-
-/*
- * NSSTrustDomain_TraverseSymmetricKeys
- *
- * 
- * NSS_EXTERN PRStatus *
- * NSSTrustDomain_TraverseSymmetricKeys
- * (
- *   NSSTrustDomain *td,
- *   PRStatus (*callback)(NSSSymmetricKey *mk, void *arg),
- *   void *arg
- * );
- */
-
-/*
- * NSSTrustDomain_CreateCryptoContext
- *
- * If a callback object is specified, it becomes the for the crypto
- * context; otherwise, this trust domain's default (if any) is
- * inherited.
- */
-
-NSS_EXTERN NSSCryptoContext *
-NSSTrustDomain_CreateCryptoContext
-(
-  NSSTrustDomain *td,
-  NSSCallback *uhhOpt
-);
-
-/*
- * NSSTrustDomain_CreateCryptoContextForAlgorithm
- *
- */
-
-NSS_EXTERN NSSCryptoContext *
-NSSTrustDomain_CreateCryptoContextForAlgorithm
-(
-  NSSTrustDomain *td,
-  NSSOID *algorithm
-);
-
-/*
- * NSSTrustDomain_CreateCryptoContextForAlgorithmAndParameters
- *
- */
-
-NSS_EXTERN NSSCryptoContext *
-NSSTrustDomain_CreateCryptoContextForAlgorithmAndParameters
-(
-  NSSTrustDomain *td,
-  NSSAlgorithmAndParameters *ap
-);
-
-/* find/traverse other objects, e.g. s/mime profiles */
-
-/*
- * NSSCryptoContext
- *
- * A crypto context is sort of a short-term snapshot of a trust domain,
- * used for the life of "one crypto operation."  You can also think of
- * it as a "temporary database."
- * 
- * Just about all of the things you can do with a trust domain -- importing
- * or creating certs, keys, etc. -- can be done with a crypto context.
- * The difference is that the objects will be temporary ("session") objects.
- * 
- * Also, if the context was created for a key, cert, and/or algorithm; or
- * if such objects have been "associated" with the context, then the context
- * can do everything the keys can, like crypto operations.
- * 
- * And finally, because it keeps the state of the crypto operations, it
- * can do streaming crypto ops.
- */
-
-/*
- * NSSTrustDomain_Destroy
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_Destroy
-(
-  NSSCryptoContext *cc
-);
-
-/* establishing a default callback */
-
-/*
- * NSSCryptoContext_SetDefaultCallback
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_SetDefaultCallback
-(
-  NSSCryptoContext *cc,
-  NSSCallback *newCallback,
-  NSSCallback **oldCallbackOpt
-);
-
-/*
- * NSSCryptoContext_GetDefaultCallback
- *
- */
-
-NSS_EXTERN NSSCallback *
-NSSCryptoContext_GetDefaultCallback
-(
-  NSSCryptoContext *cc,
-  PRStatus *statusOpt
-);
-
-/*
- * NSSCryptoContext_GetTrustDomain
- *
- */
-
-NSS_EXTERN NSSTrustDomain *
-NSSCryptoContext_GetTrustDomain
-(
-  NSSCryptoContext *cc
-);
-
-/* AddModule, etc: should we allow "temporary" changes here? */
-/* DisableToken, etc: ditto */
-/* Ordering of tokens? */
-/* Finding slots+token etc. */
-/* login+logout */
-
-/* Importing things */
-
-/*
- * NSSCryptoContext_ImportCertificate
- *
- * If there's not a "distinguished certificate" for this context, this
- * sets the specified one to be it.
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_ImportCertificate
-(
-  NSSCryptoContext *cc,
-  NSSCertificate *c
-);
-
-/*
- * NSSCryptoContext_ImportPKIXCertificate
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSCryptoContext_ImportPKIXCertificate
-(
-  NSSCryptoContext *cc,
-  struct NSSPKIXCertificateStr *pc
-);
-
-/*
- * NSSCryptoContext_ImportEncodedCertificate
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSCryptoContext_ImportEncodedCertificate
-(
-  NSSCryptoContext *cc,
-  NSSBER *ber
-);
-
-/*
- * NSSCryptoContext_ImportEncodedPKIXCertificateChain
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_ImportEncodedPKIXCertificateChain
-(
-  NSSCryptoContext *cc,
-  NSSBER *ber
-);
-
-/* Other importations: S/MIME capabilities
- */
-
-/*
- * NSSCryptoContext_FindBestCertificateByNickname
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSCryptoContext_FindBestCertificateByNickname
-(
-  NSSCryptoContext *cc,
-  NSSUTF8 *name,
-  NSSTime *timeOpt, /* NULL for "now" */
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt /* NULL for none */
-);
-
-/*
- * NSSCryptoContext_FindCertificatesByNickname
- *
- */
-
-NSS_EXTERN NSSCertificate **
-NSSCryptoContext_FindCertificatesByNickname
-(
-  NSSCryptoContext *cc,
-  NSSUTF8 *name,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt, /* 0 for no max */
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_FindCertificateByIssuerAndSerialNumber
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSCryptoContext_FindCertificateByIssuerAndSerialNumber
-(
-  NSSCryptoContext *cc,
-  NSSDER *issuer,
-  NSSDER *serialNumber
-);
-
-/*
- * NSSCryptoContext_FindBestCertificateBySubject
- *
- * This does not search through alternate names hidden in extensions.
- */
-
-NSS_EXTERN NSSCertificate *
-NSSCryptoContext_FindBestCertificateBySubject
-(
-  NSSCryptoContext *cc,
-  NSSDER /*NSSUTF8*/ *subject,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt
-);
-
-/*
- * NSSCryptoContext_FindCertificatesBySubject
- *
- * This does not search through alternate names hidden in extensions.
- */
-
-NSS_EXTERN NSSCertificate **
-NSSCryptoContext_FindCertificatesBySubject
-(
-  NSSCryptoContext *cc,
-  NSSDER /*NSSUTF8*/ *subject,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt, /* 0 for no max */
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_FindBestCertificateByNameComponents
- *
- * This call does try several tricks, including a pseudo pkcs#11 
- * attribute for the ldap module to try as a query.  Eventually
- * this call falls back to a traversal if that's what's required.
- * It will search through alternate names hidden in extensions.
- */
-
-NSS_EXTERN NSSCertificate *
-NSSCryptoContext_FindBestCertificateByNameComponents
-(
-  NSSCryptoContext *cc,
-  NSSUTF8 *nameComponents,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt
-);
-
-/*
- * NSSCryptoContext_FindCertificatesByNameComponents
- *
- * This call, too, tries several tricks.  It will stop on the first
- * attempt that generates results, so it won't e.g. traverse the
- * entire ldap database.
- */
-
-NSS_EXTERN NSSCertificate **
-NSSCryptoContext_FindCertificatesByNameComponents
-(
-  NSSCryptoContext *cc,
-  NSSUTF8 *nameComponents,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt, /* 0 for no max */
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_FindCertificateByEncodedCertificate
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSCryptoContext_FindCertificateByEncodedCertificate
-(
-  NSSCryptoContext *cc,
-  NSSBER *encodedCertificate
-);
-
-/*
- * NSSCryptoContext_FindBestCertificateByEmail
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSCryptoContext_FindBestCertificateByEmail
-(
-  NSSCryptoContext *cc,
-  NSSASCII7 *email,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt
-);
-
-/*
- * NSSCryptoContext_FindCertificatesByEmail
- *
- */
-
-NSS_EXTERN NSSCertificate **
-NSSCryptoContext_FindCertificatesByEmail
-(
-  NSSCryptoContext *cc,
-  NSSASCII7 *email,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt, /* 0 for no max */
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_FindCertificateByOCSPHash
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSCryptoContext_FindCertificateByOCSPHash
-(
-  NSSCryptoContext *cc,
-  NSSItem *hash
-);
-
-/*
- * NSSCryptoContext_TraverseCertificates
- *
- * 
- * NSS_EXTERN PRStatus *
- * NSSCryptoContext_TraverseCertificates
- * (
- *   NSSCryptoContext *cc,
- *   PRStatus (*callback)(NSSCertificate *c, void *arg),
- *   void *arg
- * );
- */
-
-/*
- * NSSCryptoContext_FindBestUserCertificate
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSCryptoContext_FindBestUserCertificate
-(
-  NSSCryptoContext *cc,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt
-);
-
-/*
- * NSSCryptoContext_FindUserCertificates
- *
- */
-
-NSS_EXTERN NSSCertificate **
-NSSCryptoContext_FindUserCertificates
-(
-  NSSCryptoContext *cc,
-  NSSTime *timeOpt,
-  NSSUsage *usageOpt,
-  NSSPolicies *policiesOpt,
-  NSSCertificate **rvOpt,
-  PRUint32 rvLimit, /* zero for no limit */
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_FindBestUserCertificateForSSLClientAuth
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSCryptoContext_FindBestUserCertificateForSSLClientAuth
-(
-  NSSCryptoContext *cc,
-  NSSUTF8 *sslHostOpt,
-  NSSDER *rootCAsOpt[], /* null pointer for none */
-  PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
-  NSSAlgorithmAndParameters *apOpt,
-  NSSPolicies *policiesOpt
-);
-
-/*
- * NSSCryptoContext_FindUserCertificatesForSSLClientAuth
- *
- */
-
-NSS_EXTERN NSSCertificate **
-NSSCryptoContext_FindUserCertificatesForSSLClientAuth
-(
-  NSSCryptoContext *cc,
-  NSSUTF8 *sslHostOpt,
-  NSSDER *rootCAsOpt[], /* null pointer for none */
-  PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
-  NSSAlgorithmAndParameters *apOpt,
-  NSSPolicies *policiesOpt,
-  NSSCertificate **rvOpt,
-  PRUint32 rvLimit, /* zero for no limit */
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_FindBestUserCertificateForEmailSigning
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSCryptoContext_FindBestUserCertificateForEmailSigning
-(
-  NSSCryptoContext *cc,
-  NSSASCII7 *signerOpt,
-  NSSASCII7 *recipientOpt,
-  /* anything more here? */
-  NSSAlgorithmAndParameters *apOpt,
-  NSSPolicies *policiesOpt
-);
-
-/*
- * NSSCryptoContext_FindUserCertificatesForEmailSigning
- *
- */
-
-NSS_EXTERN NSSCertificate *
-NSSCryptoContext_FindUserCertificatesForEmailSigning
-(
-  NSSCryptoContext *cc,
-  NSSASCII7 *signerOpt, /* fgmr or a more general name? */
-  NSSASCII7 *recipientOpt,
-  /* anything more here? */
-  NSSAlgorithmAndParameters *apOpt,
-  NSSPolicies *policiesOpt,
-  NSSCertificate **rvOpt,
-  PRUint32 rvLimit, /* zero for no limit */
-  NSSArena *arenaOpt
-);
-
-/* Private Keys */
-
-/*
- * NSSCryptoContext_GenerateKeyPair
- *
- * Creates session objects.  If you want persistant objects, use
- * NSSTrustDomain_GenerateKeyPair.  The destination token is where
- * the keys are stored.  If that token can do the required math, then
- * that's where the keys are generated too.  Otherwise, the keys are
- * generated elsewhere and moved to that token.
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_GenerateKeyPair
-(
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *ap,
-  NSSPrivateKey **pvkOpt,
-  NSSPublicKey **pbkOpt,
-  PRBool privateKeyIsSensitive,
-  NSSToken *destination,
-  NSSCallback *uhhOpt
-);
-
-/*
- * NSSCryptoContext_TraversePrivateKeys
- *
- * 
- * NSS_EXTERN PRStatus *
- * NSSCryptoContext_TraversePrivateKeys
- * (
- *   NSSCryptoContext *cc,
- *   PRStatus (*callback)(NSSPrivateKey *vk, void *arg),
- *   void *arg
- * );
- */
-
-/* Symmetric Keys */
-
-/*
- * NSSCryptoContext_GenerateSymmetricKey
- *
- */
-
-NSS_EXTERN NSSSymmetricKey *
-NSSCryptoContext_GenerateSymmetricKey
-(
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *ap,
-  PRUint32 keysize,
-  NSSToken *destination,
-  NSSCallback *uhhOpt
-);
-
-/*
- * NSSCryptoContext_GenerateSymmetricKeyFromPassword
- *
- */
-
-NSS_EXTERN NSSSymmetricKey *
-NSSCryptoContext_GenerateSymmetricKeyFromPassword
-(
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *ap,
-  NSSUTF8 *passwordOpt, /* if null, prompt */
-  NSSToken *destinationOpt,
-  NSSCallback *uhhOpt
-);
-
-/*
- * NSSCryptoContext_FindSymmetricKeyByAlgorithm
- *
- * 
- * NSS_EXTERN NSSSymmetricKey *
- * NSSCryptoContext_FindSymmetricKeyByType
- * (
- *   NSSCryptoContext *cc,
- *   NSSOID *type,
- *   NSSCallback *uhhOpt
- * );
- */
-
-/*
- * NSSCryptoContext_FindSymmetricKeyByAlgorithmAndKeyID
- *
- */
-
-NSS_EXTERN NSSSymmetricKey *
-NSSCryptoContext_FindSymmetricKeyByAlgorithmAndKeyID
-(
-  NSSCryptoContext *cc,
-  NSSOID *algorithm,
-  NSSItem *keyID,
-  NSSCallback *uhhOpt
-);
-
-/*
- * NSSCryptoContext_TraverseSymmetricKeys
- *
- * 
- * NSS_EXTERN PRStatus *
- * NSSCryptoContext_TraverseSymmetricKeys
- * (
- *   NSSCryptoContext *cc,
- *   PRStatus (*callback)(NSSSymmetricKey *mk, void *arg),
- *   void *arg
- * );
- */
-
-/* Crypto ops on distinguished keys */
-
-/*
- * NSSCryptoContext_Decrypt
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_Decrypt
-(
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *encryptedData,
-  NSSCallback *uhhOpt,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_BeginDecrypt
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_BeginDecrypt
-(
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSCallback *uhhOpt
-);
-
-/*
- * NSSCryptoContext_ContinueDecrypt
- *
- */
-
-/*
- * NSSItem semantics:
- *
- *   If rvOpt is NULL, a new NSSItem and buffer are allocated.
- *   If rvOpt is not null, but the buffer pointer is null,
- *     then rvOpt is returned but a new buffer is allocated.
- *     In this case, if the length value is not zero, then
- *     no more than that much space will be allocated.
- *   If rvOpt is not null and the buffer pointer is not null,
- *     then that buffer is re-used.  No more than the buffer
- *     length value will be used; if it's not enough, an
- *     error is returned.  If less is used, the number is
- *     adjusted downwards.
- *
- *  Note that although this is short of some ideal "Item"
- *  definition, we can usually tell how big these buffers
- *  have to be.
- *
- *  Feedback is requested; and earlier is better than later.
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_ContinueDecrypt
-(
-  NSSCryptoContext *cc,
-  NSSItem *data,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_FinishDecrypt
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_FinishDecrypt
-(
-  NSSCryptoContext *cc,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_Sign
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_Sign
-(
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSCallback *uhhOpt,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_BeginSign
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_BeginSign
-(
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSCallback *uhhOpt
-);
-
-/*
- * NSSCryptoContext_ContinueSign
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_ContinueSign
-(
-  NSSCryptoContext *cc,
-  NSSItem *data
-);
-
-/*
- * NSSCryptoContext_FinishSign
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_FinishSign
-(
-  NSSCryptoContext *cc,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_SignRecover
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_SignRecover
-(
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSCallback *uhhOpt,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_BeginSignRecover
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_BeginSignRecover
-(
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSCallback *uhhOpt
-);
-
-/*
- * NSSCryptoContext_ContinueSignRecover
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_ContinueSignRecover
-(
-  NSSCryptoContext *cc,
-  NSSItem *data,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_FinishSignRecover
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_FinishSignRecover
-(
-  NSSCryptoContext *cc,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_UnwrapSymmetricKey
- *
- */
-
-NSS_EXTERN NSSSymmetricKey *
-NSSCryptoContext_UnwrapSymmetricKey
-(
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *wrappedKey,
-  NSSCallback *uhhOpt
-);
-
-/*
- * NSSCryptoContext_DeriveSymmetricKey
- *
- */
-
-NSS_EXTERN NSSSymmetricKey *
-NSSCryptoContext_DeriveSymmetricKey
-(
-  NSSCryptoContext *cc,
-  NSSPublicKey *bk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSOID *target,
-  PRUint32 keySizeOpt, /* zero for best allowed */
-  NSSOperations operations,
-  NSSCallback *uhhOpt
-);
-
-/*
- * NSSCryptoContext_Encrypt
- *
- * Encrypt a single chunk of data with the distinguished public key
- * of this crypto context.
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_Encrypt
-(
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSCallback *uhhOpt,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_BeginEncrypt
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_BeginEncrypt
-(
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSCallback *uhhOpt
-);
-
-/*
- * NSSCryptoContext_ContinueEncrypt
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_ContinueEncrypt
-(
-  NSSCryptoContext *cc,
-  NSSItem *data,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_FinishEncrypt
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_FinishEncrypt
-(
-  NSSCryptoContext *cc,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_Verify
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_Verify
-(
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSItem *signature,
-  NSSCallback *uhhOpt
-);
-
-/*
- * NSSCryptoContext_BeginVerify
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_BeginVerify
-(
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *signature,
-  NSSCallback *uhhOpt
-);
-
-/*
- * NSSCryptoContext_ContinueVerify
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_ContinueVerify
-(
-  NSSCryptoContext *cc,
-  NSSItem *data
-);
-
-/*
- * NSSCryptoContext_FinishVerify
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_FinishVerify
-(
-  NSSCryptoContext *cc
-);
-
-/*
- * NSSCryptoContext_VerifyRecover
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_VerifyRecover
-(
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *signature,
-  NSSCallback *uhhOpt,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_BeginVerifyRecover
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_BeginVerifyRecover
-(
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSCallback *uhhOpt
-);
-
-/*
- * NSSCryptoContext_ContinueVerifyRecover
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_ContinueVerifyRecover
-(
-  NSSCryptoContext *cc,
-  NSSItem *data,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_FinishVerifyRecover
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_FinishVerifyRecover
-(
-  NSSCryptoContext *cc,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_WrapSymmetricKey
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_WrapSymmetricKey
-(
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSSymmetricKey *keyToWrap,
-  NSSCallback *uhhOpt,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_Digest
- *
- * Digest a single chunk of data with the distinguished digest key
- * of this crypto context.
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_Digest
-(
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSCallback *uhhOpt,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSCryptoContext_BeginDigest
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_BeginDigest
-(
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSCallback *uhhOpt
-);
-
-/*
- * NSSCryptoContext_ContinueDigest
- *
- */
-
-NSS_EXTERN PRStatus
-NSSCryptoContext_ContinueDigest
-(
-  NSSCryptoContext *cc,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *item
-);
-
-/*
- * NSSCryptoContext_FinishDigest
- *
- */
-
-NSS_EXTERN NSSItem *
-NSSCryptoContext_FinishDigest
-(
-  NSSCryptoContext *cc,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * tbd: Combination ops
- */
-
-/*
- * NSSCryptoContext_Clone
- *
- */
-
-NSS_EXTERN NSSCryptoContext *
-NSSCryptoContext_Clone
-(
-  NSSCryptoContext *cc
-);
-
-/*
- * NSSCryptoContext_Save
- * NSSCryptoContext_Restore
- *
- * We need to be able to save and restore the state of contexts.
- * Perhaps a mark-and-release mechanism would be better?
- */
-
-/*
- * ..._SignTBSCertificate
- *
- * This requires feedback from the cert server team.
- */
-
-/*
- * PRBool NSSCertificate_GetIsTrustedFor{xxx}(NSSCertificate *c);
- * PRStatus NSSCertificate_SetIsTrustedFor{xxx}(NSSCertificate *c, PRBool trusted);
- *
- * These will be helper functions which get the trust object for a cert,
- * and then call the corresponding function(s) on it.
- *
- * PKIX trust objects will have methods to manipulate the low-level trust
- * bits (which are based on key usage and extended key usage), and also the
- * conceptual high-level usages (e.g. ssl client auth, email encryption, etc.)
- *
- * Other types of trust objects (if any) might have different low-level
- * representations, but hopefully high-level concepts would map.
- *
- * Only these high-level general routines would be promoted to the
- * general certificate level here.  Hence the {xxx} above would be things
- * like "EmailSigning."
- *
- *
- * NSSPKIXTrust *NSSCertificate_GetPKIXTrustObject(NSSCertificate *c);
- * PRStatus NSSCertificate_SetPKIXTrustObject(NSSCertificate *c, NSPKIXTrust *t);
- *
- * I want to hold off on any general trust object until we've investigated
- * other models more thoroughly.
- */
-
-PR_END_EXTERN_C
-
-#endif /* NSSPKI_H */
diff --git a/security/nss/lib/pki/nsspkit.h b/security/nss/lib/pki/nsspkit.h
deleted file mode 100644
index 71c69956d..000000000
--- a/security/nss/lib/pki/nsspkit.h
+++ /dev/null
@@ -1,274 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef NSSPKIT_H
-#define NSSPKIT_H
-
-#ifdef DEBUG
-static const char NSSPKIT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * nsspkit.h
- *
- * This file defines the types of the top-level PKI objects.
- */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-PR_BEGIN_EXTERN_C
-
-/*
- * NSSCertificate
- *
- * This is the public representation of a Certificate.  The certificate
- * may be one found on a smartcard or other token, one decoded from data
- * received as part of a protocol, one constructed from constituent
- * parts, etc.  Usually it is associated with ("in") a trust domain; as
- * it can be verified only within a trust domain.  The underlying type
- * of certificate may be of any supported standard, e.g. PKIX, PGP, etc.
- *
- * People speak of "verifying (with) the server's, or correspondant's, 
- * certificate"; for simple operations we support that simplification
- * by implementing public-key crypto operations as methods on this type.
- */
-
-struct NSSCertificateStr;
-typedef struct NSSCertificateStr NSSCertificate;
-
-/*
- * NSSUserCertificate
- *
- * A ``User'' certificate is one for which the private key is available.
- * People speak of "using my certificate to sign my email" and "using
- * my certificate to authenticate to (or login to) the server"; for
- * simple operations, we support that simplification by implementing
- * private-key crypto operations as methods on this type.
- *
- * The current design only weakly distinguishes between certificates
- * and user certificates: as far as the compiler goes they're 
- * interchangable; debug libraries only have one common pointer-tracker;
- * etc.  However, attempts to do private-key operations on a certificate
- * for which the private key is not available will fail.
- *
- * Open design question: should these types be more firmly separated?
- */
-
-typedef NSSCertificate NSSUserCertificate;
-
-/*
- * NSSPrivateKey
- *
- * This is the public representation of a Private Key.  In general,
- * the actual value of the key is not available, but operations may
- * be performed with it.
- */
-
-struct NSSPrivateKeyStr;
-typedef struct NSSPrivateKeyStr NSSPrivateKey;
-
-/*
- * NSSPublicKey
- *
- */
-
-struct NSSPublicKeyStr;
-typedef struct NSSPublicKeyStr NSSPublicKey;
-
-/*
- * NSSSymmetricKey
- *
- */
-
-struct NSSSymmetricKeyStr;
-typedef struct NSSSymmetricKeyStr NSSSymmetricKey;
-
-/*
- * NSSTrustDomain
- *
- * A Trust Domain is the field in which certificates may be validated.
- * A trust domain will generally have one or more cryptographic modules
- * open; these modules perform the cryptographic operations, and 
- * provide the basic "root" trust information from which the trust in
- * a specific certificate or key depends.
- *
- * A client program, or a simple server, would typically have one
- * trust domain.  A server supporting multiple "virtual servers" might
- * have a separate trust domain for each virtual server.  The separate
- * trust domains might share some modules (e.g., a hardware crypto
- * accelerator) but not others (e.g., the tokens storing the different
- * servers' private keys, or the databases with each server's trusted
- * root certificates).
- *
- * This object descends from the "permananet database" in the old code.
- */
-
-struct NSSTrustDomainStr;
-typedef struct NSSTrustDomainStr NSSTrustDomain;
-
-/*
- * NSSCryptoContext
- *
- * A Crypto Context is a short-term, "helper" object which is used
- * for the lifetime of one ongoing "crypto operation."  Such an
- * operation may be the creation of a signed message, the use of an
- * TLS socket connection, etc.  Each crypto context is "in" a
- * specific trust domain, and it may have associated with it a
- * distinguished certificate, public key, private key, and/or
- * symmetric key.  It can also temporarily hold and use temporary
- * data (e.g. intermediate certificates) which is not stored
- * permanently in the trust domain.
- *
- * In OO terms, this interface inherits interfaces from the trust
- * domain, the certificates, and the keys.  It also provides
- * streaming crypto operations.
- *
- * This object descends from the "temporary database" concept in the
- * old code, but it has changed a lot as a result of what we've 
- * learned.
- */
-
-typedef struct NSSCryptoContextStr NSSCryptoContext;
-
-/*
- * fgmr others
- */
-
-/* 
- * NSSTime
- *
- * Unfortunately, we need an "exceptional" value to indicate
- * an error upon return, or "no value" on input.  Note that zero
- * is a perfectly valid value for both time_t and PRTime.
- *
- * If we were to create a "range" object, with two times for
- * Not Before and Not After, we would have an obvious place for
- * the somewhat arbitrary logic involved in comparing them.
- *
- * Failing that, let's have an NSSTime_CompareRanges function.
- */
-
-struct NSSTimeStr;
-typedef struct NSSTimeStr NSSTime;
-
-struct NSSTrustStr;
-typedef struct NSSTrustStr NSSTrust;
-
-/*
- * NSSUsage
- *
- * This is trickier than originally planned; I'll write up a
- * doc on it.
- *
- * We'd still like nsspki.h to have a list of common usages,
- * e.g.:
- *
- *  extern const NSSUsage *NSSUsage_ClientAuth;
- *  extern const NSSUsage *NSSUsage_ServerAuth;
- *  extern const NSSUsage *NSSUsage_SignEmail;
- *  extern const NSSUsage *NSSUsage_EncryptEmail;
- *  etc.
- */
-
-struct NSSUsageStr;
-typedef struct NSSUsageStr NSSUsage;
-
-/*
- * NSSPolicies
- *
- * Placeholder, for now.
- */
-
-struct NSSPoliciesStr;
-typedef struct NSSPoliciesStr NSSPolicies;
-
-/*
- * NSSAlgorithmAndParameters
- *
- * Algorithm is an OID
- * Parameters depend on the algorithm
- */
-
-struct NSSAlgorithmAndParametersStr;
-typedef struct NSSAlgorithmAndParametersStr NSSAlgorithmAndParameters;
-
-/*
- * NSSCallback
- *
- * At minimum, a "challenge" method and a closure argument.
- * Usually the challenge will just be prompting for a password.
- * How OO do we want to make it?
- */
-
-typedef struct NSSCallbackStr NSSCallback;
-
-struct NSSCallbackStr {
-    /* Prompt for a password to initialize a slot.  */
-    PRStatus (* getInitPW)(NSSUTF8 *slotName, void *arg, 
-                           NSSUTF8 **ssoPW, NSSUTF8 **userPW); 
-    /* Prompt for oldPW and newPW in order to change the 
-     * password on a slot.  
-     */
-    PRStatus (* getNewPW)(NSSUTF8 *slotName, PRUint32 *retries, void *arg,
-                          NSSUTF8 **oldPW, NSSUTF8 **newPW); 
-    /* Prompt for slot password.  */
-    PRStatus (* getPW)(NSSUTF8 *slotName, PRUint32 *retries, void *arg,
-                       NSSUTF8 **password); 
-    void *arg;
-};
-
-/* set errors - user cancelled, ... */
-
-typedef PRUint32 NSSOperations;
-/* 1) Do we want these to be preprocessor definitions or constants? */
-/* 2) What is the correct and complete list? */
-
-#define NSSOperations_ENCRYPT           0x0001
-#define NSSOperations_DECRYPT           0x0002
-#define NSSOperations_WRAP              0x0004
-#define NSSOperations_UNWRAP            0x0008
-#define NSSOperations_SIGN              0x0010
-#define NSSOperations_SIGN_RECOVER      0x0020
-#define NSSOperations_VERIFY            0x0040
-#define NSSOperations_VERIFY_RECOVER    0x0080
-
-struct NSSPKIXCertificateStr;
-
-PR_END_EXTERN_C
-
-#endif /* NSSPKIT_H */
diff --git a/security/nss/lib/pki/pki.h b/security/nss/lib/pki/pki.h
deleted file mode 100644
index c705b7206..000000000
--- a/security/nss/lib/pki/pki.h
+++ /dev/null
@@ -1,248 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef PKI_H
-#define PKI_H
-
-#ifdef DEBUG
-static const char PKI_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#ifndef NSSDEVT_H
-#include "nssdevt.h"
-#endif /* NSSDEVT_H */
-
-#ifndef NSSPKI_H
-#include "nsspki.h"
-#endif /* NSSPKI_H */
-
-#ifndef PKIT_H
-#include "pkit.h"
-#endif /* PKIT_H */
-
-PR_BEGIN_EXTERN_C
-
-NSS_EXTERN NSSCallback *
-nssTrustDomain_GetDefaultCallback
-(
-  NSSTrustDomain *td,
-  PRStatus *statusOpt
-);
-
-NSS_EXTERN NSSCertificate **
-nssTrustDomain_FindCertificatesBySubject
-(
-  NSSTrustDomain *td,
-  NSSDER *subject,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt,
-  NSSArena *arenaOpt
-);
-
-NSS_EXTERN NSSTrust *
-nssTrustDomain_FindTrustForCertificate
-(
-  NSSTrustDomain *td,
-  NSSCertificate *c
-);
-
-NSS_EXTERN NSSCertificate *
-nssCertificate_AddRef
-(
-  NSSCertificate *c
-);
-
-NSS_EXTERN PRStatus
-nssCertificate_Destroy
-(
-  NSSCertificate *c
-);
-
-NSS_EXTERN NSSDER *
-nssCertificate_GetEncoding
-(
-  NSSCertificate *c
-);
-
-NSS_EXTERN NSSDER *
-nssCertificate_GetIssuer
-(
-  NSSCertificate *c
-);
-
-NSS_EXTERN NSSDER *
-nssCertificate_GetSerialNumber
-(
-  NSSCertificate *c
-);
-
-NSS_EXTERN NSSDER *
-nssCertificate_GetSubject
-(
-  NSSCertificate *c
-);
-
-NSS_EXTERN NSSUTF8 *
-nssCertificate_GetNickname
-(
-  NSSCertificate *c,
-  NSSToken *tokenOpt
-);
-
-NSS_EXTERN NSSASCII7 *
-nssCertificate_GetEmailAddress
-(
-  NSSCertificate *c
-);
-
-NSS_EXTERN PRBool
-nssCertificate_IssuerAndSerialEqual
-(
-  NSSCertificate *c1,
-  NSSCertificate *c2
-);
-
-NSS_EXTERN NSSPrivateKey *
-nssPrivateKey_AddRef
-(
-  NSSPrivateKey *vk
-);
-
-NSS_EXTERN PRStatus
-nssPrivateKey_Destroy
-(
-  NSSPrivateKey *vk
-);
-
-NSS_EXTERN NSSItem *
-nssPrivateKey_GetID
-(
-  NSSPrivateKey *vk
-);
-
-NSS_EXTERN NSSUTF8 *
-nssPrivateKey_GetNickname
-(
-  NSSPrivateKey *vk,
-  NSSToken *tokenOpt
-);
-
-NSS_EXTERN PRStatus
-nssPublicKey_Destroy
-(
-  NSSPublicKey *bk
-);
-
-NSS_EXTERN NSSItem *
-nssPublicKey_GetID
-(
-  NSSPublicKey *vk
-);
-
-NSS_EXTERN NSSCertificate **
-nssCryptoContext_FindCertificatesBySubject
-(
-  NSSCryptoContext *cc,
-  NSSDER *subject,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt, /* 0 for no max */
-  NSSArena *arenaOpt
-);
-
-/* putting here for now, needs more thought */
-NSS_EXTERN PRStatus
-nssCryptoContext_ImportTrust
-(
-  NSSCryptoContext *cc,
-  NSSTrust *trust
-);
-
-NSS_EXTERN NSSTrust *
-nssCryptoContext_FindTrustForCertificate
-(
-  NSSCryptoContext *cc,
-  NSSCertificate *cert
-);
-
-NSS_EXTERN PRStatus
-nssCryptoContext_ImportSMIMEProfile
-(
-  NSSCryptoContext *cc,
-  nssSMIMEProfile *profile
-);
-
-NSS_EXTERN nssSMIMEProfile *
-nssCryptoContext_FindSMIMEProfileForCertificate
-(
-  NSSCryptoContext *cc,
-  NSSCertificate *cert
-);
-
-NSS_EXTERN NSSTrust *
-nssTrust_AddRef
-(
-  NSSTrust *trust
-);
-
-NSS_EXTERN PRStatus
-nssTrust_Destroy
-(
-  NSSTrust *trust
-);
-
-NSS_EXTERN nssSMIMEProfile *
-nssSMIMEProfile_AddRef
-(
-  nssSMIMEProfile *profile
-);
-
-NSS_EXTERN PRStatus
-nssSMIMEProfile_Destroy
-(
-  nssSMIMEProfile *profile
-);
-
-NSS_EXTERN nssSMIMEProfile *
-nssSMIMEProfile_Create
-(
-  NSSCertificate *cert,
-  NSSItem *profileTime,
-  NSSItem *profileData
-);
-
-PR_END_EXTERN_C
-
-#endif /* PKI_H */
diff --git a/security/nss/lib/pki/pki3hack.c b/security/nss/lib/pki/pki3hack.c
deleted file mode 100644
index bbbeb5d4b..000000000
--- a/security/nss/lib/pki/pki3hack.c
+++ /dev/null
@@ -1,1228 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * Hacks to integrate NSS 3.4 and NSS 4.0 certificates.
- */
-
-#ifndef NSSPKI_H
-#include "nsspki.h"
-#endif /* NSSPKI_H */
-
-#ifndef PKI_H
-#include "pki.h"
-#endif /* PKI_H */
-
-#ifndef PKIM_H
-#include "pkim.h"
-#endif /* PKIM_H */
-
-#ifndef DEV_H
-#include "dev.h"
-#endif /* DEV_H */
-
-#ifndef DEVNSS3HACK_H
-#include "dev3hack.h"
-#endif /* DEVNSS3HACK_H */
-
-#ifndef PKINSS3HACK_H
-#include "pki3hack.h"
-#endif /* PKINSS3HACK_H */
-
-#include "secitem.h"
-#include "certdb.h"
-#include "certt.h"
-#include "cert.h"
-#include "pk11func.h"
-#include "pkistore.h"
-#include "secmod.h"
-#include "nssrwlk.h"
-
-NSSTrustDomain *g_default_trust_domain = NULL;
-
-NSSCryptoContext *g_default_crypto_context = NULL;
-
-NSSTrustDomain *
-STAN_GetDefaultTrustDomain()
-{
-    return g_default_trust_domain;
-}
-
-NSSCryptoContext *
-STAN_GetDefaultCryptoContext()
-{
-    return g_default_crypto_context;
-}
-
-extern const NSSError NSS_ERROR_ALREADY_INITIALIZED;
-extern const NSSError NSS_ERROR_INTERNAL_ERROR;
-
-NSS_IMPLEMENT PRStatus
-STAN_InitTokenForSlotInfo(NSSTrustDomain *td, PK11SlotInfo *slot)
-{
-    NSSToken *token;
-    if (!td) {
-	td = g_default_trust_domain;
-    }
-    token = nssToken_CreateFromPK11SlotInfo(td, slot);
-    PK11Slot_SetNSSToken(slot, token);
-    NSSRWLock_LockWrite(td->tokensLock);
-    nssList_Add(td->tokenList, token);
-    NSSRWLock_UnlockWrite(td->tokensLock);
-    return PR_SUCCESS;
-}
-
-NSS_IMPLEMENT PRStatus
-STAN_ResetTokenInterator(NSSTrustDomain *td)
-{
-    if (!td) {
-	td = g_default_trust_domain;
-    }
-    NSSRWLock_LockWrite(td->tokensLock);
-    nssListIterator_Destroy(td->tokens);
-    td->tokens = nssList_CreateIterator(td->tokenList);
-    NSSRWLock_UnlockWrite(td->tokensLock);
-    return PR_SUCCESS;
-}
-
-NSS_IMPLEMENT PRStatus
-STAN_LoadDefaultNSS3TrustDomain (
-  void
-)
-{
-    NSSTrustDomain *td;
-    SECMODModuleList *mlp;
-    SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
-    int i;
-
-    if (g_default_trust_domain || g_default_crypto_context) {
-	/* Stan is already initialized or a previous shutdown failed. */
-	nss_SetError(NSS_ERROR_ALREADY_INITIALIZED);
-	return PR_FAILURE;
-    }
-    td = NSSTrustDomain_Create(NULL, NULL, NULL, NULL);
-    if (!td) {
-	return PR_FAILURE;
-    }
-    /*
-     * Deadlock warning: we should never acquire the moduleLock while
-     * we hold the tokensLock. We can use the NSSRWLock Rank feature to
-     * guarrentee this. tokensLock have a higher rank than module lock.
-     */
-    SECMOD_GetReadLock(moduleLock);
-    NSSRWLock_LockWrite(td->tokensLock);
-    td->tokenList = nssList_Create(td->arena, PR_TRUE);
-    for (mlp = SECMOD_GetDefaultModuleList(); mlp != NULL; mlp=mlp->next) {
-	for (i=0; i < mlp->module->slotCount; i++) {
-	    STAN_InitTokenForSlotInfo(td, mlp->module->slots[i]);
-	}
-    }
-    td->tokens = nssList_CreateIterator(td->tokenList);
-    NSSRWLock_UnlockWrite(td->tokensLock);
-    SECMOD_ReleaseReadLock(moduleLock);
-    g_default_trust_domain = td;
-    g_default_crypto_context = NSSTrustDomain_CreateCryptoContext(td, NULL);
-    return PR_SUCCESS;
-}
-
-/*
- * must be called holding the ModuleListLock (either read or write).
- */
-NSS_IMPLEMENT SECStatus
-STAN_AddModuleToDefaultTrustDomain (
-  SECMODModule *module
-)
-{
-    NSSTrustDomain *td;
-    int i;
-    td = STAN_GetDefaultTrustDomain();
-    for (i=0; i<module->slotCount; i++) {
-	STAN_InitTokenForSlotInfo(td, module->slots[i]);
-    }
-    STAN_ResetTokenInterator(td);
-    return SECSuccess;
-}
-
-/*
- * must be called holding the ModuleListLock (either read or write).
- */
-NSS_IMPLEMENT SECStatus
-STAN_RemoveModuleFromDefaultTrustDomain (
-  SECMODModule *module
-)
-{
-    NSSToken *token;
-    NSSTrustDomain *td;
-    int i;
-    td = STAN_GetDefaultTrustDomain();
-    NSSRWLock_LockWrite(td->tokensLock);
-    for (i=0; i<module->slotCount; i++) {
-	token = PK11Slot_GetNSSToken(module->slots[i]);
-	if (token) {
-	    nssToken_NotifyCertsNotVisible(token);
-	    nssList_Remove(td->tokenList, token);
-	    PK11Slot_SetNSSToken(module->slots[i], NULL);
-	    nssToken_Destroy(token);
- 	}
-    }
-    nssListIterator_Destroy(td->tokens);
-    td->tokens = nssList_CreateIterator(td->tokenList);
-    NSSRWLock_UnlockWrite(td->tokensLock);
-    return SECSuccess;
-}
-
-NSS_IMPLEMENT PRStatus
-STAN_Shutdown()
-{
-    PRStatus status = PR_SUCCESS;
-    if (g_default_trust_domain) {
-	if (NSSTrustDomain_Destroy(g_default_trust_domain) == PR_SUCCESS) {
-	    g_default_trust_domain = NULL;
-	} else {
-	    status = PR_FAILURE;
-	}
-    }
-    if (g_default_crypto_context) {
-	if (NSSCryptoContext_Destroy(g_default_crypto_context) == PR_SUCCESS) {
-	    g_default_crypto_context = NULL;
-	} else {
-	    status = PR_FAILURE;
-	}
-    }
-    return status;
-}
-
-/* this function should not be a hack; it will be needed in 4.0 (rename) */
-NSS_IMPLEMENT NSSItem *
-STAN_GetCertIdentifierFromDER(NSSArena *arenaOpt, NSSDER *der)
-{
-    NSSItem *rvKey;
-    SECItem secDER;
-    SECItem secKey = { 0 };
-    SECStatus secrv;
-    PRArenaPool *arena;
-
-    SECITEM_FROM_NSSITEM(&secDER, der);
-
-    /* nss3 call uses nss3 arena's */
-    arena = PORT_NewArena(256);
-    if (!arena) {
-	return NULL;
-    }
-    secrv = CERT_KeyFromDERCert(arena, &secDER, &secKey);
-    if (secrv != SECSuccess) {
-	return NULL;
-    }
-    rvKey = nssItem_Create(arenaOpt, NULL, secKey.len, (void *)secKey.data);
-    PORT_FreeArena(arena,PR_FALSE);
-    return rvKey;
-}
-
-NSS_IMPLEMENT PRStatus
-nssPKIX509_GetIssuerAndSerialFromDER(NSSDER *der, NSSArena *arena, 
-                                     NSSDER *issuer, NSSDER *serial)
-{
-    SECStatus secrv;
-    SECItem derCert;
-    SECItem derIssuer = { 0 };
-    SECItem derSerial = { 0 };
-    SECITEM_FROM_NSSITEM(&derCert, der);
-    secrv = CERT_SerialNumberFromDERCert(&derCert, &derSerial);
-    if (secrv != SECSuccess) {
-	return PR_FAILURE;
-    }
-    (void)nssItem_Create(arena, serial, derSerial.len, derSerial.data);
-    secrv = CERT_IssuerNameFromDERCert(&derCert, &derIssuer);
-    if (secrv != SECSuccess) {
-	PORT_Free(derSerial.data);
-	return PR_FAILURE;
-    }
-    (void)nssItem_Create(arena, issuer, derIssuer.len, derIssuer.data);
-    PORT_Free(derSerial.data);
-    PORT_Free(derIssuer.data);
-    return PR_SUCCESS;
-}
-
-static NSSItem *
-nss3certificate_getIdentifier(nssDecodedCert *dc)
-{
-    NSSItem *rvID;
-    CERTCertificate *c = (CERTCertificate *)dc->data;
-    rvID = nssItem_Create(NULL, NULL, c->certKey.len, c->certKey.data);
-    return rvID;
-}
-
-static void *
-nss3certificate_getIssuerIdentifier(nssDecodedCert *dc)
-{
-    CERTCertificate *c = (CERTCertificate *)dc->data;
-    return (void *)c->authKeyID;
-}
-
-static nssCertIDMatch
-nss3certificate_matchIdentifier(nssDecodedCert *dc, void *id)
-{
-    CERTCertificate *c = (CERTCertificate *)dc->data;
-    CERTAuthKeyID *authKeyID = (CERTAuthKeyID *)id;
-    SECItem skid;
-    nssCertIDMatch match = nssCertIDMatch_Unknown;
-
-    /* keyIdentifier */
-    if (authKeyID->keyID.len > 0) {
-	if (CERT_FindSubjectKeyIDExtension(c, &skid) == SECSuccess) {
-	    PRBool skiEqual;
-	    skiEqual = SECITEM_ItemsAreEqual(&authKeyID->keyID, &skid);
-	    PORT_Free(skid.data);
-	    if (skiEqual) {
-		/* change the state to positive match, but keep going */
-		match = nssCertIDMatch_Yes;
-	    } else {
-		/* exit immediately on failure */
-		return nssCertIDMatch_No;
-	    }
-	} /* else fall through */
-    }
-
-    /* issuer/serial (treated as pair) */
-    if (authKeyID->authCertIssuer) {
-	SECItem *caName = NULL;
-	SECItem *caSN = &authKeyID->authCertSerialNumber;
-
-	caName = (SECItem *)CERT_GetGeneralNameByType(
-	                                        authKeyID->authCertIssuer,
-						certDirectoryName, PR_TRUE);
-	if (caName == NULL) {
-	    /* this is some kind of error, so treat it as unknown */
-	    return nssCertIDMatch_Unknown;
-	}
-	if (SECITEM_ItemsAreEqual(&c->derIssuer, caName) &&
-	    SECITEM_ItemsAreEqual(&c->serialNumber, caSN)) 
-	{
-	    /* change the state to positive match, but keep going */
-	    match = nssCertIDMatch_Yes;
-	} else {
-	    /* exit immediately on failure */
-	    return nssCertIDMatch_No;
-	}
-    }
-
-    /* If the issued cert has a keyIdentifier field with a value, but
-     * this issuer cert does not have a subjectKeyID extension, and
-     * the issuer/serial number fields of the authKeyID extension
-     * are empty, the state will be Unknown.  Otherwise it should have
-     * been set to Yes.
-     */
-    return match;
-}
-
-static PRBool
-nss3certificate_isValidIssuer(nssDecodedCert *dc)
-{
-    CERTCertificate *c = (CERTCertificate *)dc->data;
-    unsigned int ignore;
-    return CERT_IsCACert(c, &ignore);
-}
-
-static NSSUsage *
-nss3certificate_getUsage(nssDecodedCert *dc)
-{
-    /* CERTCertificate *c = (CERTCertificate *)dc->data; */
-    return NULL;
-}
-
-static PRBool 
-nss3certificate_isValidAtTime(nssDecodedCert *dc, NSSTime *time)
-{
-    SECCertTimeValidity validity;
-    CERTCertificate *c = (CERTCertificate *)dc->data;
-    validity = CERT_CheckCertValidTimes(c, NSSTime_GetPRTime(time), PR_TRUE);
-    if (validity == secCertTimeValid) {
-	return PR_TRUE;
-    }
-    return PR_FALSE;
-}
-
-static PRBool 
-nss3certificate_isNewerThan(nssDecodedCert *dc, nssDecodedCert *cmpdc)
-{
-    /* I know this isn't right, but this is glue code anyway */
-    if (cmpdc->type == dc->type) {
-	CERTCertificate *certa = (CERTCertificate *)dc->data;
-	CERTCertificate *certb = (CERTCertificate *)cmpdc->data;
-	return CERT_IsNewer(certa, certb);
-    }
-    return PR_FALSE;
-}
-
-/* CERT_FilterCertListByUsage */
-static PRBool
-nss3certificate_matchUsage(nssDecodedCert *dc, const NSSUsage *usage)
-{
-    CERTCertificate *cc;
-    unsigned int requiredKeyUsage = 0;
-    unsigned int requiredCertType = 0;
-    SECStatus secrv;
-    PRBool match;
-    PRBool ca;
-
-    /* This is for NSS 3.3 functions that do not specify a usage */
-    if (usage->anyUsage) {
-	return PR_TRUE;
-    }
-    ca = usage->nss3lookingForCA;
-    secrv = CERT_KeyUsageAndTypeForCertUsage(usage->nss3usage, ca,
-                                             &requiredKeyUsage,
-                                             &requiredCertType);
-    if (secrv != SECSuccess) {
-	return PR_FALSE;
-    }
-    cc = (CERTCertificate *)dc->data;
-    secrv = CERT_CheckKeyUsage(cc, requiredKeyUsage);
-    match = (PRBool)(secrv == SECSuccess);
-    if (match) {
-	unsigned int certType = 0;
-	if (ca) {
-	    (void)CERT_IsCACert(cc, &certType);
-	} else {
-	    certType = cc->nsCertType;
-	}
-	if (!(certType & requiredCertType)) {
-	    match = PR_FALSE;
-	}
-    }
-    return match;
-}
-
-static NSSASCII7 *
-nss3certificate_getEmailAddress(nssDecodedCert *dc)
-{
-    CERTCertificate *cc = (CERTCertificate *)dc->data;
-    return (cc && cc->emailAddr && cc->emailAddr[0])
-	    ? (NSSASCII7 *)cc->emailAddr : NULL;
-}
-
-static PRStatus
-nss3certificate_getDERSerialNumber(nssDecodedCert *dc, 
-                                   NSSDER *serial, NSSArena *arena)
-{
-    CERTCertificate *cc = (CERTCertificate *)dc->data;
-    SECItem derSerial = { 0 };
-    SECStatus secrv;
-    secrv = CERT_SerialNumberFromDERCert(&cc->derCert, &derSerial);
-    if (secrv == SECSuccess) {
-	(void)nssItem_Create(arena, serial, derSerial.len, derSerial.data);
-	PORT_Free(derSerial.data);
-	return PR_SUCCESS;
-    }
-    return PR_FAILURE;
-}
-
-/* Returns NULL if "encoding" cannot be decoded. */
-NSS_IMPLEMENT nssDecodedCert *
-nssDecodedPKIXCertificate_Create (
-  NSSArena *arenaOpt,
-  NSSDER *encoding
-)
-{
-    nssDecodedCert  *rvDC = NULL;
-    CERTCertificate *cert;
-    SECItem          secDER;
-
-    SECITEM_FROM_NSSITEM(&secDER, encoding);
-    cert = CERT_DecodeDERCertificate(&secDER, PR_TRUE, NULL);
-    if (cert) {
-	rvDC = nss_ZNEW(arenaOpt, nssDecodedCert);
-	if (rvDC) {
-	    rvDC->type                = NSSCertificateType_PKIX;
-	    rvDC->data                = (void *)cert;
-	    rvDC->getIdentifier       = nss3certificate_getIdentifier;
-	    rvDC->getIssuerIdentifier = nss3certificate_getIssuerIdentifier;
-	    rvDC->matchIdentifier     = nss3certificate_matchIdentifier;
-	    rvDC->isValidIssuer       = nss3certificate_isValidIssuer;
-	    rvDC->getUsage            = nss3certificate_getUsage;
-	    rvDC->isValidAtTime       = nss3certificate_isValidAtTime;
-	    rvDC->isNewerThan         = nss3certificate_isNewerThan;
-	    rvDC->matchUsage          = nss3certificate_matchUsage;
-	    rvDC->getEmailAddress     = nss3certificate_getEmailAddress;
-	    rvDC->getDERSerialNumber  = nss3certificate_getDERSerialNumber;
-	} else {
-	    CERT_DestroyCertificate(cert);
-	}
-    }
-    return rvDC;
-}
-
-static nssDecodedCert *
-create_decoded_pkix_cert_from_nss3cert (
-  NSSArena *arenaOpt,
-  CERTCertificate *cc
-)
-{
-    nssDecodedCert *rvDC = nss_ZNEW(arenaOpt, nssDecodedCert);
-    if (rvDC) {
-	rvDC->type                = NSSCertificateType_PKIX;
-	rvDC->data                = (void *)cc;
-	rvDC->getIdentifier       = nss3certificate_getIdentifier;
-	rvDC->getIssuerIdentifier = nss3certificate_getIssuerIdentifier;
-	rvDC->matchIdentifier     = nss3certificate_matchIdentifier;
-	rvDC->isValidIssuer       = nss3certificate_isValidIssuer;
-	rvDC->getUsage            = nss3certificate_getUsage;
-	rvDC->isValidAtTime       = nss3certificate_isValidAtTime;
-	rvDC->isNewerThan         = nss3certificate_isNewerThan;
-	rvDC->matchUsage          = nss3certificate_matchUsage;
-	rvDC->getEmailAddress     = nss3certificate_getEmailAddress;
-    }
-    return rvDC;
-}
-
-NSS_IMPLEMENT PRStatus
-nssDecodedPKIXCertificate_Destroy (
-  nssDecodedCert *dc
-)
-{
-    CERTCertificate *cert = (CERTCertificate *)dc->data;
-
-    /* The decoder may only be half initialized (the case where we find we 
-     * could not decode the certificate). In this case, there is not cert to
-     * free, just free the dc structure. */
-    if (cert) {
-	PRBool freeSlot = cert->ownSlot;
-	PK11SlotInfo *slot = cert->slot;
-	PRArenaPool *arena  = cert->arena;
-	/* zero cert before freeing. Any stale references to this cert
-	 * after this point will probably cause an exception.  */
-	PORT_Memset(cert, 0, sizeof *cert);
-	/* free the arena that contains the cert. */
-	PORT_FreeArena(arena, PR_FALSE);
-	if (slot && freeSlot) {
-	    PK11_FreeSlot(slot);
-	}
-    }
-    nss_ZFreeIf(dc);
-    return PR_SUCCESS;
-}
-
-/* see pk11cert.c:pk11_HandleTrustObject */
-static unsigned int
-get_nss3trust_from_nss4trust(CK_TRUST t)
-{
-    unsigned int rt = 0;
-    if (t == nssTrustLevel_Trusted) {
-	rt |= CERTDB_VALID_PEER | CERTDB_TRUSTED;
-    }
-    if (t == nssTrustLevel_TrustedDelegator) {
-	rt |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA /*| CERTDB_NS_TRUSTED_CA*/;
-    }
-    if (t == nssTrustLevel_Valid) {
-	rt |= CERTDB_VALID_PEER;
-    }
-    if (t == nssTrustLevel_ValidDelegator) {
-	rt |= CERTDB_VALID_CA;
-    }
-    return rt;
-}
-
-static CERTCertTrust *
-cert_trust_from_stan_trust(NSSTrust *t, PRArenaPool *arena)
-{
-    CERTCertTrust *rvTrust;
-    unsigned int client;
-    if (!t) {
-	return NULL;
-    }
-    rvTrust = PORT_ArenaAlloc(arena, sizeof(CERTCertTrust));
-    if (!rvTrust) return NULL;
-    rvTrust->sslFlags = get_nss3trust_from_nss4trust(t->serverAuth);
-    client = get_nss3trust_from_nss4trust(t->clientAuth);
-    if (client & (CERTDB_TRUSTED_CA|CERTDB_NS_TRUSTED_CA)) {
-	client &= ~(CERTDB_TRUSTED_CA|CERTDB_NS_TRUSTED_CA);
-	rvTrust->sslFlags |= CERTDB_TRUSTED_CLIENT_CA;
-    }
-    rvTrust->sslFlags |= client;
-    rvTrust->emailFlags = get_nss3trust_from_nss4trust(t->emailProtection);
-    rvTrust->objectSigningFlags = get_nss3trust_from_nss4trust(t->codeSigning);
-    /* The cert is a valid step-up cert (in addition to/lieu of trust above */
-    if (t->stepUpApproved) {
-	rvTrust->sslFlags |= CERTDB_GOVT_APPROVED_CA;
-    }
-    return rvTrust;
-}
-
-CERTCertTrust * 
-nssTrust_GetCERTCertTrustForCert(NSSCertificate *c, CERTCertificate *cc)
-{
-    CERTCertTrust *rvTrust = NULL;
-    NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
-    NSSTrust *t;
-    t = nssTrustDomain_FindTrustForCertificate(td, c);
-    if (t) {
-	rvTrust = cert_trust_from_stan_trust(t, cc->arena);
-	if (!rvTrust) {
-	    nssTrust_Destroy(t);
-	    return NULL;
-	}
-	nssTrust_Destroy(t);
-    } else {
-	rvTrust = PORT_ArenaAlloc(cc->arena, sizeof(CERTCertTrust));
-	if (!rvTrust) {
-	    return NULL;
-	}
-	memset(rvTrust, 0, sizeof(*rvTrust));
-    }
-    if (NSSCertificate_IsPrivateKeyAvailable(c, NULL, NULL)) {
-	rvTrust->sslFlags |= CERTDB_USER;
-	rvTrust->emailFlags |= CERTDB_USER;
-	rvTrust->objectSigningFlags |= CERTDB_USER;
-    }
-    return rvTrust;
-}
-
-static nssCryptokiInstance *
-get_cert_instance(NSSCertificate *c)
-{
-    nssCryptokiObject *instance, **ci;
-    nssCryptokiObject **instances = nssPKIObject_GetInstances(&c->object);
-    if (!instances) {
-	return NULL;
-    }
-    instance = NULL;
-    for (ci = instances; *ci; ci++) {
-	if (!instance) {
-	    instance = nssCryptokiObject_Clone(*ci);
-	} else {
-	    /* This only really works for two instances...  But 3.4 can't
-	     * handle more anyway.  The logic is, if there are multiple
-	     * instances, prefer the one that is not internal (e.g., on
-	     * a hardware device.
-	     */
-	    if (PK11_IsInternal(instance->token->pk11slot)) {
-		nssCryptokiObject_Destroy(instance);
-		instance = nssCryptokiObject_Clone(*ci);
-	    }
-	}
-    }
-    nssCryptokiObjectArray_Destroy(instances);
-    return instance;
-}
-
-char * 
-STAN_GetCERTCertificateNameForInstance (
-  PLArenaPool *arenaOpt,
-  NSSCertificate *c,
-  nssCryptokiInstance *instance
-)
-{
-    NSSCryptoContext *context = c->object.cryptoContext;
-    PRStatus nssrv;
-    int nicklen, tokenlen, len;
-    NSSUTF8 *tokenName = NULL;
-    NSSUTF8 *stanNick = NULL;
-    char *nickname = NULL;
-    char *nick;
-
-    if (instance) {
-	stanNick = instance->label;
-    } else if (context) {
-	stanNick = c->object.tempName;
-    }
-    if (stanNick) {
-	/* fill other fields needed by NSS3 functions using CERTCertificate */
-	if (instance && !PK11_IsInternal(instance->token->pk11slot)) {
-	    tokenName = nssToken_GetName(instance->token);
-	    tokenlen = nssUTF8_Size(tokenName, &nssrv);
-	} else {
-	/* don't use token name for internal slot; 3.3 didn't */
-	    tokenlen = 0;
-	}
-	nicklen = nssUTF8_Size(stanNick, &nssrv);
-	len = tokenlen + nicklen;
-	if (arenaOpt) {
-	    nickname = PORT_ArenaAlloc(arenaOpt, len);
-	} else {
-	    nickname = PORT_Alloc(len);
-	}
-	nick = nickname;
-	if (tokenName) {
-	    memcpy(nick, tokenName, tokenlen-1);
-	    nick += tokenlen-1;
-	    *nick++ = ':';
-	}
-	memcpy(nick, stanNick, nicklen-1);
-	nickname[len-1] = '\0';
-    }
-    return nickname;
-}
-
-char * 
-STAN_GetCERTCertificateName(PLArenaPool *arenaOpt, NSSCertificate *c)
-{
-    nssCryptokiInstance *instance = get_cert_instance(c);
-    return STAN_GetCERTCertificateNameForInstance(arenaOpt, c, instance);
-}
-
-static void
-fill_CERTCertificateFields(NSSCertificate *c, CERTCertificate *cc, PRBool forced)
-{
-    NSSTrust *nssTrust;
-    NSSCryptoContext *context = c->object.cryptoContext;
-    nssCryptokiInstance *instance = get_cert_instance(c);
-    NSSUTF8 *stanNick = NULL;
-    if (instance) {
-	stanNick = instance->label;
-    } else if (context) {
-	stanNick = c->object.tempName;
-    }
-    /* fill other fields needed by NSS3 functions using CERTCertificate */
-    if ((!cc->nickname && stanNick) || forced) {
-	PRStatus nssrv;
-	int nicklen, tokenlen, len;
-	NSSUTF8 *tokenName = NULL;
-	char *nick;
-	if (instance && !PK11_IsInternal(instance->token->pk11slot)) {
-	    tokenName = nssToken_GetName(instance->token);
-	    tokenlen = nssUTF8_Size(tokenName, &nssrv);
-	} else {
-	    /* don't use token name for internal slot; 3.3 didn't */
-	    tokenlen = 0;
-	}
-	if (stanNick) {
-	    nicklen = nssUTF8_Size(stanNick, &nssrv);
-	    len = tokenlen + nicklen;
-	    cc->nickname = PORT_ArenaAlloc(cc->arena, len);
-	    nick = cc->nickname;
-	    if (tokenName) {
-		memcpy(nick, tokenName, tokenlen-1);
-		nick += tokenlen-1;
-		*nick++ = ':';
-	    }
-	    memcpy(nick, stanNick, nicklen-1);
-	    cc->nickname[len-1] = '\0';
-	} else {
-	    cc->nickname = NULL;
-	}
-    }
-    if (context) {
-	/* trust */
-	nssTrust = nssCryptoContext_FindTrustForCertificate(context, c);
-	if (nssTrust) {
-	    cc->trust = cert_trust_from_stan_trust(nssTrust, cc->arena);
-	    nssTrust_Destroy(nssTrust);
-	}
-    } else if (instance) {
-	/* slot */
-	if (cc->slot != instance->token->pk11slot) {
-	    if (cc->slot) {
-		PK11_FreeSlot(cc->slot);
-	    }
-	    cc->slot = PK11_ReferenceSlot(instance->token->pk11slot);
-	}
-	cc->ownSlot = PR_TRUE;
-	/* pkcs11ID */
-	cc->pkcs11ID = instance->handle;
-	/* trust */
-	cc->trust = nssTrust_GetCERTCertTrustForCert(c, cc);
-	nssCryptokiObject_Destroy(instance);
-    } 
-    /* database handle is now the trust domain */
-    cc->dbhandle = c->object.trustDomain;
-    /* subjectList ? */
-    /* istemp and isperm are supported in NSS 3.4 */
-    cc->istemp = PR_FALSE; /* CERT_NewTemp will override this */
-    cc->isperm = PR_TRUE;  /* by default */
-    /* pointer back */
-    cc->nssCertificate = c;
-}
-
-static CERTCertificate *
-stan_GetCERTCertificate(NSSCertificate *c, PRBool forceUpdate)
-{
-    nssDecodedCert *dc = c->decoding;
-    CERTCertificate *cc;
-
-    /* There is a race in assigning c->decoding.  
-    ** This is a workaround.  Bugzilla bug 225525.
-    */
-    if (!dc) {
-	dc = nssDecodedPKIXCertificate_Create(NULL, &c->encoding);
-	if (!dc) 
-	    return NULL;
-	cc = (CERTCertificate *)dc->data;
-	PORT_Assert(cc); /* software error */
-	if (!cc) {
-	    nssDecodedPKIXCertificate_Destroy(dc);
-	    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
-	    return NULL;
-	}
-	/* Once this race is fixed, an assertion should be put 
-	** here to detect any regressions. 
-    	PORT_Assert(!c->decoding); 
-	*/
-	if (!c->decoding) {
-	    c->decoding = dc;
-	} else { 
-	    /* Reduce the leaks here, until the race is fixed.  */
-	    nssDecodedPKIXCertificate_Destroy(dc);
-	    dc = c->decoding;
-	}
-    }
-    cc = (CERTCertificate *)dc->data;
-    PORT_Assert(cc);
-    /* When c->decoding is non-NULL on input, but dc->data is
-     * NULL, we don't destroy dc because some other errant 
-     * code allocated it .
-     */
-    if (cc) {
-	if (!cc->nssCertificate || forceUpdate) {
-	    fill_CERTCertificateFields(c, cc, forceUpdate);
-	} else if (!cc->trust && !c->object.cryptoContext) {
-	    /* if it's a perm cert, it might have been stored before the
-	     * trust, so look for the trust again.  But a temp cert can be
-	     * ignored.
-	     */
-	    cc->trust = nssTrust_GetCERTCertTrustForCert(c, cc);
-	}
-    }
-    return cc;
-}
-
-NSS_IMPLEMENT CERTCertificate *
-STAN_ForceCERTCertificateUpdate(NSSCertificate *c)
-{
-    if (c->decoding) {
-	return stan_GetCERTCertificate(c, PR_TRUE);
-    }
-    return NULL;
-}
-
-NSS_IMPLEMENT CERTCertificate *
-STAN_GetCERTCertificate(NSSCertificate *c)
-{
-    return stan_GetCERTCertificate(c, PR_FALSE);
-}
-/*
- * many callers of STAN_GetCERTCertificate() intend that
- * the CERTCertificate returned inherits the reference to the 
- * NSSCertificate. For these callers it's convenient to have 
- * this function 'own' the reference and either return a valid 
- * CERTCertificate structure which inherits the reference or 
- * destroy the reference to NSSCertificate and returns NULL.
- */
-NSS_IMPLEMENT CERTCertificate *
-STAN_GetCERTCertificateOrRelease(NSSCertificate *c)
-{
-    CERTCertificate *nss3cert = stan_GetCERTCertificate(c, PR_FALSE);
-    if (!nss3cert) {
-	nssCertificate_Destroy(c);
-    }
-    return nss3cert;
-}
-
-static nssTrustLevel
-get_stan_trust(unsigned int t, PRBool isClientAuth) 
-{
-    if (isClientAuth) {
-	if (t & CERTDB_TRUSTED_CLIENT_CA) {
-	    return nssTrustLevel_TrustedDelegator;
-	}
-    } else {
-	if (t & CERTDB_TRUSTED_CA || t & CERTDB_NS_TRUSTED_CA) {
-	    return nssTrustLevel_TrustedDelegator;
-	}
-    }
-    if (t & CERTDB_TRUSTED) {
-	return nssTrustLevel_Trusted;
-    }
-    if (t & CERTDB_VALID_CA) {
-	return nssTrustLevel_ValidDelegator;
-    }
-    if (t & CERTDB_VALID_PEER) {
-	return nssTrustLevel_Valid;
-    }
-    return nssTrustLevel_NotTrusted;
-}
-
-NSS_EXTERN NSSCertificate *
-STAN_GetNSSCertificate(CERTCertificate *cc)
-{
-    NSSCertificate *c;
-    nssCryptokiInstance *instance;
-    nssPKIObject *pkiob;
-    NSSArena *arena;
-    c = cc->nssCertificate;
-    if (c) {
-    	return c;
-    }
-    /* i don't think this should happen.  but if it can, need to create
-     * NSSCertificate from CERTCertificate values here.  */
-    /* Yup, it can happen. */
-    arena = NSSArena_Create();
-    if (!arena) {
-	return NULL;
-    }
-    c = nss_ZNEW(arena, NSSCertificate);
-    if (!c) {
-	nssArena_Destroy(arena);
-	return NULL;
-    }
-    NSSITEM_FROM_SECITEM(&c->encoding, &cc->derCert);
-    c->type = NSSCertificateType_PKIX;
-    pkiob = nssPKIObject_Create(arena, NULL, cc->dbhandle, NULL);
-    if (!pkiob) {
-	nssArena_Destroy(arena);
-	return NULL;
-    }
-    c->object = *pkiob;
-    nssItem_Create(arena,
-                   &c->issuer, cc->derIssuer.len, cc->derIssuer.data);
-    nssItem_Create(arena,
-                   &c->subject, cc->derSubject.len, cc->derSubject.data);
-    if (PR_TRUE) {
-	/* CERTCertificate stores serial numbers decoded.  I need the DER
-	* here.  sigh.
-	*/
-	SECItem derSerial;
-	SECStatus secrv;
-	secrv = CERT_SerialNumberFromDERCert(&cc->derCert, &derSerial);
-	if (secrv == SECFailure) {
-	    nssArena_Destroy(arena);
-	    return NULL;
-	}
-	nssItem_Create(arena, &c->serial, derSerial.len, derSerial.data);
-	PORT_Free(derSerial.data);
-    }
-    if (cc->emailAddr && cc->emailAddr[0]) {
-        c->email = nssUTF8_Create(arena,
-                                  nssStringType_PrintableString,
-                                  (NSSUTF8 *)cc->emailAddr,
-                                  PORT_Strlen(cc->emailAddr));
-    }
-    if (cc->slot) {
-	instance = nss_ZNEW(arena, nssCryptokiInstance);
-	instance->token = nssToken_AddRef(PK11Slot_GetNSSToken(cc->slot));
-	instance->handle = cc->pkcs11ID;
-	instance->isTokenObject = PR_TRUE;
-	if (cc->nickname) {
-	    instance->label = nssUTF8_Create(arena,
-	                                     nssStringType_UTF8String,
-	                                     (NSSUTF8 *)cc->nickname,
-	                                     PORT_Strlen(cc->nickname));
-	}
-	nssPKIObject_AddInstance(&c->object, instance);
-    }
-    c->decoding = create_decoded_pkix_cert_from_nss3cert(NULL, cc);
-    cc->nssCertificate = c;
-    return c;
-}
-
-static NSSToken*
-stan_GetTrustToken (
-  NSSCertificate *c
-)
-{
-    NSSToken *ttok = NULL;
-    NSSToken *rtok = NULL;
-    NSSToken *tok = NULL;
-    nssCryptokiObject **ip;
-    nssCryptokiObject **instances = nssPKIObject_GetInstances(&c->object);
-    if (!instances) {
-	return PR_FALSE;
-    }
-    for (ip = instances; *ip; ip++) {
-	nssCryptokiObject *instance = *ip;
-        nssCryptokiObject *to = 
-		nssToken_FindTrustForCertificate(instance->token, NULL,
-		&c->encoding, &c->issuer, &c->serial, 
-		nssTokenSearchType_TokenOnly);
-	NSSToken *ctok = instance->token;
-	PRBool ro = PK11_IsReadOnly(ctok->pk11slot);
-
-	if (to) {
-	    nssCryptokiObject_Destroy(to);
-	    ttok = ctok;
- 	    if (!ro) {
-		break;
-	    }
-	} else {
-	    if (!rtok && ro) {
-		rtok = ctok;
-	    } 
-	    if (!tok && !ro) {
-		tok = ctok;
-	    }
-	}
-    }
-    nssCryptokiObjectArray_Destroy(instances);
-    return ttok ? ttok : (tok ? tok : rtok);
-}
-
-NSS_EXTERN PRStatus
-STAN_ChangeCertTrust(CERTCertificate *cc, CERTCertTrust *trust)
-{
-    PRStatus nssrv;
-    NSSCertificate *c = STAN_GetNSSCertificate(cc);
-    NSSToken *tok;
-    NSSTrustDomain *td;
-    NSSTrust *nssTrust;
-    NSSArena *arena;
-    CERTCertTrust *oldTrust;
-    nssListIterator *tokens;
-    PRBool moving_object;
-    nssCryptokiObject *newInstance;
-    nssPKIObject *pkiob;
-    oldTrust = nssTrust_GetCERTCertTrustForCert(c, cc);
-    if (oldTrust) {
-	if (memcmp(oldTrust, trust, sizeof (CERTCertTrust)) == 0) {
-	    /* ... and the new trust is no different, done) */
-	    return PR_SUCCESS;
-	} else {
-	    /* take over memory already allocated in cc's arena */
-	    cc->trust = oldTrust;
-	}
-    } else {
-	cc->trust = PORT_ArenaAlloc(cc->arena, sizeof(CERTCertTrust));
-    }
-    memcpy(cc->trust, trust, sizeof(CERTCertTrust));
-    /* Set the NSSCerticate's trust */
-    arena = nssArena_Create();
-    if (!arena) return PR_FAILURE;
-    nssTrust = nss_ZNEW(arena, NSSTrust);
-    pkiob = nssPKIObject_Create(arena, NULL, cc->dbhandle, NULL);
-    if (!pkiob) {
-	nssArena_Destroy(arena);
-	return PR_FAILURE;
-    }
-    nssTrust->object = *pkiob;
-    nssTrust->certificate = c;
-    nssTrust->serverAuth = get_stan_trust(trust->sslFlags, PR_FALSE);
-    nssTrust->clientAuth = get_stan_trust(trust->sslFlags, PR_TRUE);
-    nssTrust->emailProtection = get_stan_trust(trust->emailFlags, PR_FALSE);
-    nssTrust->codeSigning = get_stan_trust(trust->objectSigningFlags, PR_FALSE);
-    nssTrust->stepUpApproved = 
-                    (PRBool)(trust->sslFlags & CERTDB_GOVT_APPROVED_CA);
-    if (c->object.cryptoContext != NULL) {
-	/* The cert is in a context, set the trust there */
-	NSSCryptoContext *cc = c->object.cryptoContext;
-	nssrv = nssCryptoContext_ImportTrust(cc, nssTrust);
-	if (nssrv != PR_SUCCESS) {
-	    goto done;
-	}
-	if (c->object.numInstances == 0) {
-	    /* The context is the only instance, finished */
-	    goto done;
-	}
-    }
-    td = STAN_GetDefaultTrustDomain();
-    tok = stan_GetTrustToken(c);
-    moving_object = PR_FALSE;
-    if (tok && PK11_IsReadOnly(tok->pk11slot))  {
-	NSSRWLock_LockRead(td->tokensLock);
-	tokens = nssList_CreateIterator(td->tokenList);
-	if (!tokens) {
-	    nssrv = PR_FAILURE;
-	    NSSRWLock_UnlockRead(td->tokensLock);
-	    goto done;
-	}
-	for (tok  = (NSSToken *)nssListIterator_Start(tokens);
-	     tok != (NSSToken *)NULL;
-	     tok  = (NSSToken *)nssListIterator_Next(tokens))
-	{
-	    if (!PK11_IsReadOnly(tok->pk11slot)) break;
-	}
-	nssListIterator_Finish(tokens);
-	nssListIterator_Destroy(tokens);
-	NSSRWLock_UnlockRead(td->tokensLock);
-	moving_object = PR_TRUE;
-    } 
-    if (tok) {
-	if (moving_object) {
-	    /* this is kind of hacky.  the softoken needs the cert
-	     * object in order to store trust.  forcing it to be perm
-	     */
-	    NSSUTF8 *nickname = nssCertificate_GetNickname(c, NULL);
-	    NSSASCII7 *email = NULL;
-
-	    if (PK11_IsInternal(tok->pk11slot)) {
-		email = c->email;
-	    }
-	    newInstance = nssToken_ImportCertificate(tok, NULL,
-	                                             NSSCertificateType_PKIX,
-	                                             &c->id,
-	                                             nickname,
-	                                             &c->encoding,
-	                                             &c->issuer,
-	                                             &c->subject,
-	                                             &c->serial,
-						     email,
-	                                             PR_TRUE);
-	    if (!newInstance) {
-		nssrv = PR_FAILURE;
-		goto done;
-	    }
-	    nssPKIObject_AddInstance(&c->object, newInstance);
-	}
-	newInstance = nssToken_ImportTrust(tok, NULL, &c->encoding,
-	                                   &c->issuer, &c->serial,
-	                                   nssTrust->serverAuth,
-	                                   nssTrust->clientAuth,
-	                                   nssTrust->codeSigning,
-	                                   nssTrust->emailProtection,
-	                                   nssTrust->stepUpApproved, PR_TRUE);
-	/* If the selected token can't handle trust, dump the trust on 
-	 * the internal token */
-	if (!newInstance && !PK11_IsInternal(tok->pk11slot)) {
-	    PK11SlotInfo *slot = PK11_GetInternalKeySlot();
-	    NSSUTF8 *nickname = nssCertificate_GetNickname(c, NULL);
-	    NSSASCII7 *email = c->email;
-	    tok = PK11Slot_GetNSSToken(slot);
-	    PK11_FreeSlot(slot);
-	
-	    newInstance = nssToken_ImportCertificate(tok, NULL,
-	                                             NSSCertificateType_PKIX,
-	                                             &c->id,
-	                                             nickname,
-	                                             &c->encoding,
-	                                             &c->issuer,
-	                                             &c->subject,
-	                                             &c->serial,
-						     email,
-	                                             PR_TRUE);
-	    if (!newInstance) {
-		nssrv = PR_FAILURE;
-		goto done;
-	    }
-	    nssPKIObject_AddInstance(&c->object, newInstance);
-	    newInstance = nssToken_ImportTrust(tok, NULL, &c->encoding,
-	                                   &c->issuer, &c->serial,
-	                                   nssTrust->serverAuth,
-	                                   nssTrust->clientAuth,
-	                                   nssTrust->codeSigning,
-	                                   nssTrust->emailProtection,
-	                                   nssTrust->stepUpApproved, PR_TRUE);
-	}
-	if (newInstance) {
-	    nssCryptokiObject_Destroy(newInstance);
-	    nssrv = PR_SUCCESS;
-	} else {
-	    nssrv = PR_FAILURE;
-	}
-    } else {
-	nssrv = PR_FAILURE;
-    }
-done:
-    (void)nssTrust_Destroy(nssTrust);
-    return nssrv;
-}
-
-/* CERT_TraversePermCertsForSubject */
-NSS_IMPLEMENT PRStatus
-nssTrustDomain_TraverseCertificatesBySubject (
-  NSSTrustDomain *td,
-  NSSDER *subject,
-  PRStatus (*callback)(NSSCertificate *c, void *arg),
-  void *arg
-)
-{
-    PRStatus nssrv = PR_SUCCESS;
-    NSSArena *tmpArena;
-    NSSCertificate **subjectCerts;
-    NSSCertificate *c;
-    PRIntn i;
-    tmpArena = NSSArena_Create();
-    subjectCerts = NSSTrustDomain_FindCertificatesBySubject(td, subject, NULL,
-                                                            0, tmpArena);
-    if (subjectCerts) {
-	for (i=0, c = subjectCerts[i]; c; i++) {
-	    nssrv = callback(c, arg);
-	    if (nssrv != PR_SUCCESS) break;
-	}
-    }
-    nssArena_Destroy(tmpArena);
-    return nssrv;
-}
-
-/* CERT_TraversePermCertsForNickname */
-NSS_IMPLEMENT PRStatus
-nssTrustDomain_TraverseCertificatesByNickname (
-  NSSTrustDomain *td,
-  NSSUTF8 *nickname,
-  PRStatus (*callback)(NSSCertificate *c, void *arg),
-  void *arg
-)
-{
-    PRStatus nssrv = PR_SUCCESS;
-    NSSArena *tmpArena;
-    NSSCertificate **nickCerts;
-    NSSCertificate *c;
-    PRIntn i;
-    tmpArena = NSSArena_Create();
-    nickCerts = NSSTrustDomain_FindCertificatesByNickname(td, nickname, NULL,
-                                                          0, tmpArena);
-    if (nickCerts) {
-	for (i=0, c = nickCerts[i]; c; i++) {
-	    nssrv = callback(c, arg);
-	    if (nssrv != PR_SUCCESS) break;
-	}
-    }
-    nssArena_Destroy(tmpArena);
-    return nssrv;
-}
-
-static void cert_dump_iter(const void *k, void *v, void *a)
-{
-    NSSCertificate *c = (NSSCertificate *)k;
-    CERTCertificate *cert = STAN_GetCERTCertificate(c);
-    printf("[%2d] \"%s\"\n", c->object.refCount, cert->subjectName);
-}
-
-void
-nss_DumpCertificateCacheInfo()
-{
-    NSSTrustDomain *td;
-    NSSCryptoContext *cc;
-    td = STAN_GetDefaultTrustDomain();
-    cc = STAN_GetDefaultCryptoContext();
-    printf("\n\nCertificates in the cache:\n");
-    nssTrustDomain_DumpCacheInfo(td, cert_dump_iter, NULL);
-    printf("\n\nCertificates in the temporary store:\n");
-    if (cc->certStore) {
-	nssCertificateStore_DumpStoreInfo(cc->certStore, cert_dump_iter, NULL);
-    }
-}
-
diff --git a/security/nss/lib/pki/pki3hack.h b/security/nss/lib/pki/pki3hack.h
deleted file mode 100644
index 4e28f7dae..000000000
--- a/security/nss/lib/pki/pki3hack.h
+++ /dev/null
@@ -1,197 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef PKINSS3HACK_H
-#define PKINSS3HACK_H
-
-#ifdef DEBUG
-static const char PKINSS3HACK_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#ifndef NSSDEVT_H
-#include "nssdevt.h"
-#endif /* NSSDEVT_H */
-
-#ifndef DEVT_H
-#include "devt.h"
-#endif /* DEVT_H */
-
-#ifndef NSSPKIT_H
-#include "nsspkit.h"
-#endif /* NSSPKIT_H */
-
-#include "base.h"
-
-#include "cert.h"
-
-PR_BEGIN_EXTERN_C
-
-#define NSSITEM_FROM_SECITEM(nssit, secit)  \
-    (nssit)->data = (void *)(secit)->data;  \
-    (nssit)->size = (PRUint32)(secit)->len;
-
-#define SECITEM_FROM_NSSITEM(secit, nssit)          \
-    (secit)->data = (unsigned char *)(nssit)->data; \
-    (secit)->len  = (unsigned int)(nssit)->size;
-
-NSS_EXTERN NSSTrustDomain *
-STAN_GetDefaultTrustDomain();
-
-NSS_EXTERN NSSCryptoContext *
-STAN_GetDefaultCryptoContext();
-
-NSS_EXTERN PRStatus
-STAN_InitTokenForSlotInfo(NSSTrustDomain *td, PK11SlotInfo *slot);
-
-NSS_EXTERN PRStatus
-STAN_ResetTokenInterator(NSSTrustDomain *td);
-
-NSS_EXTERN PRStatus
-STAN_LoadDefaultNSS3TrustDomain(void);
-
-NSS_EXTERN PRStatus
-STAN_Shutdown();
-
-NSS_EXTERN SECStatus
-STAN_AddModuleToDefaultTrustDomain(SECMODModule *module);
-
-NSS_EXTERN SECStatus
-STAN_RemoveModuleFromDefaultTrustDomain(SECMODModule *module);
-
-NSS_EXTERN CERTCertificate *
-STAN_ForceCERTCertificateUpdate(NSSCertificate *c);
-
-NSS_EXTERN CERTCertificate *
-STAN_GetCERTCertificate(NSSCertificate *c);
-
-NSS_EXTERN CERTCertificate *
-STAN_GetCERTCertificateOrRelease(NSSCertificate *c);
-
-NSS_EXTERN NSSCertificate *
-STAN_GetNSSCertificate(CERTCertificate *c);
-
-NSS_EXTERN CERTCertTrust * 
-nssTrust_GetCERTCertTrustForCert(NSSCertificate *c, CERTCertificate *cc);
-
-NSS_EXTERN PRStatus
-STAN_ChangeCertTrust(CERTCertificate *cc, CERTCertTrust *trust);
-
-NSS_EXTERN PRStatus
-nssPKIX509_GetIssuerAndSerialFromDER(NSSDER *der, NSSArena *arena, 
-                                     NSSDER *issuer, NSSDER *serial);
-
-NSS_EXTERN char *
-STAN_GetCERTCertificateName(PLArenaPool *arenaOpt, NSSCertificate *c);
-
-NSS_EXTERN char *
-STAN_GetCERTCertificateNameForInstance(PLArenaPool *arenaOpt,
-                                       NSSCertificate *c,
-                                       nssCryptokiInstance *instance);
-
-/* exposing this */
-NSS_EXTERN NSSCertificate *
-NSSCertificate_Create
-(
-  NSSArena *arenaOpt
-);
-
-/* This function is being put here because it is a hack for 
- * PK11_FindCertFromNickname.
- */
-NSS_EXTERN NSSCertificate *
-nssTrustDomain_FindBestCertificateByNicknameForToken
-(
-  NSSTrustDomain *td,
-  NSSToken *token,
-  NSSUTF8 *name,
-  NSSTime *timeOpt, /* NULL for "now" */
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt /* NULL for none */
-);
-
-/* This function is being put here because it is a hack for 
- * PK11_FindCertsFromNickname.
- */
-NSS_EXTERN NSSCertificate **
-nssTrustDomain_FindCertificatesByNicknameForToken
-(
-  NSSTrustDomain *td,
-  NSSToken *token,
-  NSSUTF8 *name,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt, /* 0 for no max */
-  NSSArena *arenaOpt
-);
-
-/* CERT_TraversePermCertsForSubject */
-NSS_EXTERN PRStatus
-nssTrustDomain_TraverseCertificatesBySubject
-(
-  NSSTrustDomain *td,
-  NSSDER *subject,
-  PRStatus (*callback)(NSSCertificate *c, void *arg),
-  void *arg
-);
-
-/* CERT_TraversePermCertsForNickname */
-NSS_EXTERN PRStatus
-nssTrustDomain_TraverseCertificatesByNickname
-(
-  NSSTrustDomain *td,
-  NSSUTF8 *nickname,
-  PRStatus (*callback)(NSSCertificate *c, void *arg),
-  void *arg
-);
-
-/* SEC_TraversePermCerts */
-NSS_EXTERN PRStatus
-nssTrustDomain_TraverseCertificates
-(
-  NSSTrustDomain *td,
-  PRStatus (*callback)(NSSCertificate *c, void *arg),
-  void *arg
-);
-
-/* CERT_AddTempCertToPerm */
-NSS_EXTERN PRStatus
-nssTrustDomain_AddTempCertToPerm
-(
-  NSSCertificate *c
-);
-
-PR_END_EXTERN_C
-
-#endif /* PKINSS3HACK_H */
diff --git a/security/nss/lib/pki/pkibase.c b/security/nss/lib/pki/pkibase.c
deleted file mode 100644
index deef58b52..000000000
--- a/security/nss/lib/pki/pkibase.c
+++ /dev/null
@@ -1,1452 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#ifndef DEV_H
-#include "dev.h"
-#endif /* DEV_H */
-
-#ifndef PKIM_H
-#include "pkim.h"
-#endif /* PKIM_H */
-
-#ifdef NSS_3_4_CODE
-#include "pki3hack.h"
-#endif
-
-extern const NSSError NSS_ERROR_NOT_FOUND;
-
-NSS_IMPLEMENT nssPKIObject *
-nssPKIObject_Create (
-  NSSArena *arenaOpt,
-  nssCryptokiObject *instanceOpt,
-  NSSTrustDomain *td,
-  NSSCryptoContext *cc
-)
-{
-    NSSArena *arena;
-    nssArenaMark *mark = NULL;
-    nssPKIObject *object;
-    if (arenaOpt) {
-	arena = arenaOpt;
-	mark = nssArena_Mark(arena);
-    } else {
-	arena = nssArena_Create();
-	if (!arena) {
-	    return (nssPKIObject *)NULL;
-	}
-    }
-    object = nss_ZNEW(arena, nssPKIObject);
-    if (!object) {
-	goto loser;
-    }
-    object->arena = arena;
-    object->trustDomain = td; /* XXX */
-    object->cryptoContext = cc;
-    object->lock = PZ_NewLock(nssILockOther);
-    if (!object->lock) {
-	goto loser;
-    }
-    if (instanceOpt) {
-	if (nssPKIObject_AddInstance(object, instanceOpt) != PR_SUCCESS) {
-	    goto loser;
-	}
-    }
-    PR_AtomicIncrement(&object->refCount);
-    if (mark) {
-	nssArena_Unmark(arena, mark);
-    }
-    return object;
-loser:
-    if (mark) {
-	nssArena_Release(arena, mark);
-    } else {
-	nssArena_Destroy(arena);
-    }
-    return (nssPKIObject *)NULL;
-}
-
-NSS_IMPLEMENT PRBool
-nssPKIObject_Destroy (
-  nssPKIObject *object
-)
-{
-    PRUint32 i;
-    PR_ASSERT(object->refCount > 0);
-    if (PR_AtomicDecrement(&object->refCount) == 0) {
-	for (i=0; i<object->numInstances; i++) {
-	    nssCryptokiObject_Destroy(object->instances[i]);
-	}
-	PZ_DestroyLock(object->lock);
-	nssArena_Destroy(object->arena);
-	return PR_TRUE;
-    }
-    return PR_FALSE;
-}
-
-NSS_IMPLEMENT nssPKIObject *
-nssPKIObject_AddRef (
-  nssPKIObject *object
-)
-{
-    PR_AtomicIncrement(&object->refCount);
-    return object;
-}
-
-NSS_IMPLEMENT PRStatus
-nssPKIObject_AddInstance (
-  nssPKIObject *object,
-  nssCryptokiObject *instance
-)
-{
-    PZ_Lock(object->lock);
-    if (object->numInstances == 0) {
-	object->instances = nss_ZNEWARRAY(object->arena,
-	                                  nssCryptokiObject *,
-	                                  object->numInstances + 1);
-    } else {
-	PRUint32 i;
-	for (i=0; i<object->numInstances; i++) {
-	    if (nssCryptokiObject_Equal(object->instances[i], instance)) {
-		PZ_Unlock(object->lock);
-		if (instance->label) {
-		    if (!object->instances[i]->label ||
-		        !nssUTF8_Equal(instance->label,
-		                       object->instances[i]->label, NULL))
-		    {
-			/* Either the old instance did not have a label,
-			 * or the label has changed.
-			 */
-			nss_ZFreeIf(object->instances[i]->label);
-			object->instances[i]->label = instance->label;
-			instance->label = NULL;
-		    }
-		} else if (object->instances[i]->label) {
-		    /* The old label was removed */
-		    nss_ZFreeIf(object->instances[i]->label);
-		    object->instances[i]->label = NULL;
-		}
-		nssCryptokiObject_Destroy(instance);
-		return PR_SUCCESS;
-	    }
-	}
-	object->instances = nss_ZREALLOCARRAY(object->instances,
-	                                      nssCryptokiObject *,
-	                                      object->numInstances + 1);
-    }
-    if (!object->instances) {
-	PZ_Unlock(object->lock);
-	return PR_FAILURE;
-    }
-    object->instances[object->numInstances++] = instance;
-    PZ_Unlock(object->lock);
-    return PR_SUCCESS;
-}
-
-NSS_IMPLEMENT PRBool
-nssPKIObject_HasInstance (
-  nssPKIObject *object,
-  nssCryptokiObject *instance
-)
-{
-    PRUint32 i;
-    PRBool hasIt = PR_FALSE;;
-    PZ_Lock(object->lock);
-    for (i=0; i<object->numInstances; i++) {
-	if (nssCryptokiObject_Equal(object->instances[i], instance)) {
-	    hasIt = PR_TRUE;
-	    break;
-	}
-    }
-    PZ_Unlock(object->lock);
-    return hasIt;
-}
-
-NSS_IMPLEMENT PRStatus
-nssPKIObject_RemoveInstanceForToken (
-  nssPKIObject *object,
-  NSSToken *token
-)
-{
-    PRUint32 i;
-    nssCryptokiObject *instanceToRemove = NULL;
-    PZ_Lock(object->lock);
-    if (object->numInstances == 0) {
-	PZ_Unlock(object->lock);
-	return PR_SUCCESS;
-    }
-    for (i=0; i<object->numInstances; i++) {
-	if (object->instances[i]->token == token) {
-	    instanceToRemove = object->instances[i];
-	    object->instances[i] = object->instances[object->numInstances-1];
-	    object->instances[object->numInstances-1] = NULL;
-	    break;
-	}
-    }
-    if (--object->numInstances > 0) {
-	nssCryptokiObject **instances = nss_ZREALLOCARRAY(object->instances,
-	                                      nssCryptokiObject *,
-	                                      object->numInstances);
-	if (instances) {
-	    object->instances = instances;
-	}
-    } else {
-	nss_ZFreeIf(object->instances);
-    }
-    nssCryptokiObject_Destroy(instanceToRemove);
-    PZ_Unlock(object->lock);
-    return PR_SUCCESS;
-}
-
-/* this needs more thought on what will happen when there are multiple
- * instances
- */
-NSS_IMPLEMENT PRStatus
-nssPKIObject_DeleteStoredObject (
-  nssPKIObject *object,
-  NSSCallback *uhh,
-  PRBool isFriendly
-)
-{
-    PRUint32 i, numNotDestroyed;
-    PRStatus status = PR_SUCCESS;
-#ifndef NSS_3_4_CODE
-    NSSTrustDomain *td = object->trustDomain;
-    NSSCallback *pwcb = uhh ?  /* is this optional? */
-                        uhh : 
-                        nssTrustDomain_GetDefaultCallback(td, NULL);
-#endif
-    numNotDestroyed = 0;
-    PZ_Lock(object->lock);
-    for (i=0; i<object->numInstances; i++) {
-	nssCryptokiObject *instance = object->instances[i];
-#ifndef NSS_3_4_CODE
-	NSSSlot *slot = nssToken_GetSlot(instance->token);
-	/* If both the operation and the slot are friendly, login is
-	 * not required.  If either or both are not friendly, it is
-	 * required.
-	 */
-	if (!(isFriendly && nssSlot_IsFriendly(slot))) {
-	    status = nssSlot_Login(slot, pwcb);
-	    nssSlot_Destroy(slot);
-	    if (status == PR_SUCCESS) {
-		/* XXX this should be fixed to understand read-only tokens,
-		 * for now, to handle the builtins, just make the attempt.
-		 */
-		status = nssToken_DeleteStoredObject(instance);
-	    }
-	}
-#else
-	status = nssToken_DeleteStoredObject(instance);
-#endif
-	object->instances[i] = NULL;
-	if (status == PR_SUCCESS) {
-	    nssCryptokiObject_Destroy(instance);
-	} else {
-	    object->instances[numNotDestroyed++] = instance;
-	}
-    }
-    if (numNotDestroyed == 0) {
-	nss_ZFreeIf(object->instances);
-	object->numInstances = 0;
-    } else {
-	object->numInstances = numNotDestroyed;
-    }
-    PZ_Unlock(object->lock);
-    return status;
-}
-
-NSS_IMPLEMENT NSSToken **
-nssPKIObject_GetTokens (
-  nssPKIObject *object,
-  PRStatus *statusOpt
-)
-{
-    NSSToken **tokens = NULL;
-    PZ_Lock(object->lock);
-    if (object->numInstances > 0) {
-	tokens = nss_ZNEWARRAY(NULL, NSSToken *, object->numInstances + 1);
-	if (tokens) {
-	    PRUint32 i;
-	    for (i=0; i<object->numInstances; i++) {
-		tokens[i] = nssToken_AddRef(object->instances[i]->token);
-	    }
-	}
-    }
-    PZ_Unlock(object->lock);
-    if (statusOpt) *statusOpt = PR_SUCCESS; /* until more logic here */
-    return tokens;
-}
-
-NSS_IMPLEMENT NSSUTF8 *
-nssPKIObject_GetNicknameForToken (
-  nssPKIObject *object,
-  NSSToken *tokenOpt
-)
-{
-    PRUint32 i;
-    NSSUTF8 *nickname = NULL;
-    PZ_Lock(object->lock);
-    for (i=0; i<object->numInstances; i++) {
-	if ((!tokenOpt && object->instances[i]->label) ||
-	    (object->instances[i]->token == tokenOpt)) 
-	{
-            /* XXX should be copy? safe as long as caller has reference */
-	    nickname = object->instances[i]->label; 
-	    break;
-	}
-    }
-    PZ_Unlock(object->lock);
-    return nickname;
-}
-
-#ifdef NSS_3_4_CODE
-NSS_IMPLEMENT nssCryptokiObject **
-nssPKIObject_GetInstances (
-  nssPKIObject *object
-)
-{
-    nssCryptokiObject **instances = NULL;
-    PRUint32 i;
-    if (object->numInstances == 0) {
-	return (nssCryptokiObject **)NULL;
-    }
-    PZ_Lock(object->lock);
-    instances = nss_ZNEWARRAY(NULL, nssCryptokiObject *, 
-                              object->numInstances + 1);
-    if (instances) {
-	for (i=0; i<object->numInstances; i++) {
-	    instances[i] = nssCryptokiObject_Clone(object->instances[i]);
-	}
-    }
-    PZ_Unlock(object->lock);
-    return instances;
-}
-#endif
-
-NSS_IMPLEMENT void
-nssCertificateArray_Destroy (
-  NSSCertificate **certs
-)
-{
-    if (certs) {
-	NSSCertificate **certp;
-	for (certp = certs; *certp; certp++) {
-#ifdef NSS_3_4_CODE
-	    if ((*certp)->decoding) {
-		CERTCertificate *cc = STAN_GetCERTCertificate(*certp);
-		if (cc) {
-		    CERT_DestroyCertificate(cc);
-		}
-		continue;
-	    }
-#endif
-	    nssCertificate_Destroy(*certp);
-	}
-	nss_ZFreeIf(certs);
-    }
-}
-
-NSS_IMPLEMENT void
-NSSCertificateArray_Destroy (
-  NSSCertificate **certs
-)
-{
-    nssCertificateArray_Destroy(certs);
-}
-
-NSS_IMPLEMENT NSSCertificate **
-nssCertificateArray_Join (
-  NSSCertificate **certs1,
-  NSSCertificate **certs2
-)
-{
-    if (certs1 && certs2) {
-	NSSCertificate **certs, **cp;
-	PRUint32 count = 0;
-	PRUint32 count1 = 0;
-	cp = certs1;
-	while (*cp++) count1++;
-	count = count1;
-	cp = certs2;
-	while (*cp++) count++;
-	certs = nss_ZREALLOCARRAY(certs1, NSSCertificate *, count + 1);
-	if (!certs) {
-	    nss_ZFreeIf(certs1);
-	    nss_ZFreeIf(certs2);
-	    return (NSSCertificate **)NULL;
-	}
-	for (cp = certs2; *cp; cp++, count1++) {
-	    certs[count1] = *cp;
-	}
-	nss_ZFreeIf(certs2);
-	return certs;
-    } else if (certs1) {
-	return certs1;
-    } else {
-	return certs2;
-    }
-}
-
-NSS_IMPLEMENT NSSCertificate * 
-nssCertificateArray_FindBestCertificate (
-  NSSCertificate **certs, 
-  NSSTime *timeOpt,
-  const NSSUsage *usage,
-  NSSPolicies *policiesOpt
-)
-{
-    NSSCertificate *bestCert = NULL;
-    NSSTime *time, sTime;
-    PRBool haveUsageMatch = PR_FALSE;
-    PRBool thisCertMatches;
-
-    if (timeOpt) {
-	time = timeOpt;
-    } else {
-	NSSTime_Now(&sTime);
-	time = &sTime;
-    }
-    if (!certs) {
-	return (NSSCertificate *)NULL;
-    }
-    for (; *certs; certs++) {
-	nssDecodedCert *dc, *bestdc;
-	NSSCertificate *c = *certs;
-	dc = nssCertificate_GetDecoding(c);
-	if (!dc) continue;
-	thisCertMatches = dc->matchUsage(dc, usage);
-	if (!bestCert) {
-	    /* always take the first cert, but remember whether or not
-	     * the usage matched 
-	     */
-	    bestCert = nssCertificate_AddRef(c);
-	    haveUsageMatch = thisCertMatches;
-	    continue;
-	} else {
-	    if (haveUsageMatch && !thisCertMatches) {
-		/* if already have a cert for this usage, and if this cert 
-		 * doesn't have the correct usage, continue
-		 */
-		continue;
-	    } else if (!haveUsageMatch && thisCertMatches) {
-		/* this one does match usage, replace the other */
-		nssCertificate_Destroy(bestCert);
-		bestCert = nssCertificate_AddRef(c);
-		haveUsageMatch = PR_TRUE;
-		continue;
-	    }
-	    /* this cert match as well as any cert we've found so far, 
-	     * defer to time/policies 
-	     * */
-	}
-	bestdc = nssCertificate_GetDecoding(bestCert);
-	/* time */
-	if (bestdc->isValidAtTime(bestdc, time)) {
-	    /* The current best cert is valid at time */
-	    if (!dc->isValidAtTime(dc, time)) {
-		/* If the new cert isn't valid at time, it's not better */
-		continue;
-	    }
-	} else {
-	    /* The current best cert is not valid at time */
-	    if (dc->isValidAtTime(dc, time)) {
-		/* If the new cert is valid at time, it's better */
-		nssCertificate_Destroy(bestCert);
-		bestCert = nssCertificate_AddRef(c);
-	    }
-	}
-	/* either they are both valid at time, or neither valid; 
-	 * take the newer one
-	 */
-	if (!bestdc->isNewerThan(bestdc, dc)) {
-	    nssCertificate_Destroy(bestCert);
-	    bestCert = nssCertificate_AddRef(c);
-	}
-	/* policies */
-	/* XXX later -- defer to policies */
-    }
-    return bestCert;
-}
-
-NSS_IMPLEMENT PRStatus
-nssCertificateArray_Traverse (
-  NSSCertificate **certs,
-  PRStatus (* callback)(NSSCertificate *c, void *arg),
-  void *arg
-)
-{
-    PRStatus status = PR_SUCCESS;
-    if (certs) {
-	NSSCertificate **certp;
-	for (certp = certs; *certp; certp++) {
-	    status = (*callback)(*certp, arg);
-	    if (status != PR_SUCCESS) {
-		break;
-	    }
-	}
-    }
-    return status;
-}
-
-
-NSS_IMPLEMENT void
-nssCRLArray_Destroy (
-  NSSCRL **crls
-)
-{
-    if (crls) {
-	NSSCRL **crlp;
-	for (crlp = crls; *crlp; crlp++) {
-	    nssCRL_Destroy(*crlp);
-	}
-	nss_ZFreeIf(crls);
-    }
-}
-
-/*
- * Object collections
- */
-
-typedef enum
-{
-  pkiObjectType_Certificate = 0,
-  pkiObjectType_CRL = 1,
-  pkiObjectType_PrivateKey = 2,
-  pkiObjectType_PublicKey = 3
-} pkiObjectType;
-
-/* Each object is defined by a set of items that uniquely identify it.
- * Here are the uid sets:
- *
- * NSSCertificate ==>  { issuer, serial }
- * NSSPrivateKey
- *         (RSA) ==> { modulus, public exponent }
- *
- */
-#define MAX_ITEMS_FOR_UID 2
-
-/* pkiObjectCollectionNode
- *
- * A node in the collection is the set of unique identifiers for a single
- * object, along with either the actual object or a proto-object.
- */
-typedef struct
-{
-  PRCList link;
-  PRBool haveObject;
-  nssPKIObject *object;
-  NSSItem uid[MAX_ITEMS_FOR_UID];
-} 
-pkiObjectCollectionNode;
-
-/* nssPKIObjectCollection
- *
- * The collection is the set of all objects, plus the interfaces needed
- * to manage the objects.
- *
- */
-struct nssPKIObjectCollectionStr
-{
-  NSSArena *arena;
-  NSSTrustDomain *td;
-  NSSCryptoContext *cc;
-  PRCList head; /* list of pkiObjectCollectionNode's */
-  PRUint32 size;
-  pkiObjectType objectType;
-  void           (*      destroyObject)(nssPKIObject *o);
-  PRStatus       (*   getUIDFromObject)(nssPKIObject *o, NSSItem *uid);
-  PRStatus       (* getUIDFromInstance)(nssCryptokiObject *co, NSSItem *uid, 
-                                        NSSArena *arena);
-  nssPKIObject * (*       createObject)(nssPKIObject *o);
-};
-
-static nssPKIObjectCollection *
-nssPKIObjectCollection_Create (
-  NSSTrustDomain *td,
-  NSSCryptoContext *ccOpt
-)
-{
-    NSSArena *arena;
-    nssPKIObjectCollection *rvCollection = NULL;
-    arena = nssArena_Create();
-    if (!arena) {
-	return (nssPKIObjectCollection *)NULL;
-    }
-    rvCollection = nss_ZNEW(arena, nssPKIObjectCollection);
-    if (!rvCollection) {
-	goto loser;
-    }
-    PR_INIT_CLIST(&rvCollection->head);
-    rvCollection->arena = arena;
-    rvCollection->td = td; /* XXX */
-    rvCollection->cc = ccOpt;
-    return rvCollection;
-loser:
-    nssArena_Destroy(arena);
-    return (nssPKIObjectCollection *)NULL;
-}
-
-NSS_IMPLEMENT void
-nssPKIObjectCollection_Destroy (
-  nssPKIObjectCollection *collection
-)
-{
-    if (collection) {
-	PRCList *link;
-	pkiObjectCollectionNode *node;
-	/* first destroy any objects in the collection */
-	link = PR_NEXT_LINK(&collection->head);
-	while (link != &collection->head) {
-	    node = (pkiObjectCollectionNode *)link;
-	    if (node->haveObject) {
-		(*collection->destroyObject)(node->object);
-	    } else {
-		nssPKIObject_Destroy(node->object);
-	    }
-	    link = PR_NEXT_LINK(link);
-	}
-	/* then destroy it */
-	nssArena_Destroy(collection->arena);
-    }
-}
-
-NSS_IMPLEMENT PRUint32
-nssPKIObjectCollection_Count (
-  nssPKIObjectCollection *collection
-)
-{
-    return collection->size;
-}
-
-NSS_IMPLEMENT PRStatus
-nssPKIObjectCollection_AddObject (
-  nssPKIObjectCollection *collection,
-  nssPKIObject *object
-)
-{
-    pkiObjectCollectionNode *node;
-    node = nss_ZNEW(collection->arena, pkiObjectCollectionNode);
-    if (!node) {
-	return PR_FAILURE;
-    }
-    node->haveObject = PR_TRUE;
-    node->object = nssPKIObject_AddRef(object);
-    (*collection->getUIDFromObject)(object, node->uid);
-    PR_INIT_CLIST(&node->link);
-    PR_INSERT_BEFORE(&node->link, &collection->head);
-    collection->size++;
-    return PR_SUCCESS;
-}
-
-static pkiObjectCollectionNode *
-find_instance_in_collection (
-  nssPKIObjectCollection *collection,
-  nssCryptokiObject *instance
-)
-{
-    PRCList *link;
-    pkiObjectCollectionNode *node;
-    link = PR_NEXT_LINK(&collection->head);
-    while (link != &collection->head) {
-	node = (pkiObjectCollectionNode *)link;
-	if (nssPKIObject_HasInstance(node->object, instance)) {
-	    return node;
-	}
-	link = PR_NEXT_LINK(link);
-    }
-    return (pkiObjectCollectionNode *)NULL;
-}
-
-static pkiObjectCollectionNode *
-find_object_in_collection (
-  nssPKIObjectCollection *collection,
-  NSSItem *uid
-)
-{
-    PRUint32 i;
-    PRStatus status;
-    PRCList *link;
-    pkiObjectCollectionNode *node;
-    link = PR_NEXT_LINK(&collection->head);
-    while (link != &collection->head) {
-	node = (pkiObjectCollectionNode *)link;
-	for (i=0; i<MAX_ITEMS_FOR_UID; i++) {
-	    if (!nssItem_Equal(&node->uid[i], &uid[i], &status)) {
-		break;
-	    }
-	}
-	if (i == MAX_ITEMS_FOR_UID) {
-	    return node;
-	}
-	link = PR_NEXT_LINK(link);
-    }
-    return (pkiObjectCollectionNode *)NULL;
-}
-
-static pkiObjectCollectionNode *
-add_object_instance (
-  nssPKIObjectCollection *collection,
-  nssCryptokiObject *instance,
-  PRBool *foundIt
-)
-{
-    PRUint32 i;
-    PRStatus status;
-    pkiObjectCollectionNode *node;
-    nssArenaMark *mark = NULL;
-    NSSItem uid[MAX_ITEMS_FOR_UID];
-    nsslibc_memset(uid, 0, sizeof uid);
-    /* The list is traversed twice, first (here) looking to match the
-     * { token, handle } tuple, and if that is not found, below a search
-     * for unique identifier is done.  Here, a match means this exact object
-     * instance is already in the collection, and we have nothing to do.
-     */
-    *foundIt = PR_FALSE;
-    node = find_instance_in_collection(collection, instance);
-    if (node) {
-	/* The collection is assumed to take over the instance.  Since we
-	 * are not using it, it must be destroyed.
-	 */
-	nssCryptokiObject_Destroy(instance);
-	*foundIt = PR_TRUE;
-	return node;
-    }
-    mark = nssArena_Mark(collection->arena);
-    if (!mark) {
-	goto loser;
-    }
-    status = (*collection->getUIDFromInstance)(instance, uid, 
-                                               collection->arena);
-    if (status != PR_SUCCESS) {
-	goto loser;
-    }
-    /* Search for unique identifier.  A match here means the object exists 
-     * in the collection, but does not have this instance, so the instance 
-     * needs to be added.
-     */
-    node = find_object_in_collection(collection, uid);
-    if (node) {
-	/* This is a object with multiple instances */
-	status = nssPKIObject_AddInstance(node->object, instance);
-    } else {
-	/* This is a completely new object.  Create a node for it. */
-	node = nss_ZNEW(collection->arena, pkiObjectCollectionNode);
-	if (!node) {
-	    goto loser;
-	}
-	node->object = nssPKIObject_Create(NULL, instance, 
-	                                   collection->td, collection->cc);
-	if (!node->object) {
-	    goto loser;
-	}
-	for (i=0; i<MAX_ITEMS_FOR_UID; i++) {
-	    node->uid[i] = uid[i];
-	}
-	node->haveObject = PR_FALSE;
-	PR_INIT_CLIST(&node->link);
-	PR_INSERT_BEFORE(&node->link, &collection->head);
-	collection->size++;
-	status = PR_SUCCESS;
-    }
-    nssArena_Unmark(collection->arena, mark);
-    return node;
-loser:
-    if (mark) {
-	nssArena_Release(collection->arena, mark);
-    }
-    nssCryptokiObject_Destroy(instance);
-    return (pkiObjectCollectionNode *)NULL;
-}
-
-NSS_IMPLEMENT PRStatus
-nssPKIObjectCollection_AddInstances (
-  nssPKIObjectCollection *collection,
-  nssCryptokiObject **instances,
-  PRUint32 numInstances
-)
-{
-    PRStatus status = PR_SUCCESS;
-    PRUint32 i = 0;
-    PRBool foundIt;
-    pkiObjectCollectionNode *node;
-    if (instances) {
-	for (; *instances; instances++, i++) {
-	    if (numInstances > 0 && i == numInstances) {
-		break;
-	    }
-	    if (status == PR_SUCCESS) {
-		node = add_object_instance(collection, *instances, &foundIt);
-		if (node == NULL) {
-		    /* add_object_instance freed the current instance */
-		    /* free the remaining instances */
-		    status = PR_FAILURE;
-		}
-	    } else {
-		nssCryptokiObject_Destroy(*instances);
-	    }
-	}
-    }
-    return status;
-}
-
-static void
-nssPKIObjectCollection_RemoveNode (
-   nssPKIObjectCollection *collection,
-   pkiObjectCollectionNode *node
-)
-{
-    PR_REMOVE_LINK(&node->link); 
-    collection->size--;
-}
-
-static PRStatus
-nssPKIObjectCollection_GetObjects (
-  nssPKIObjectCollection *collection,
-  nssPKIObject **rvObjects,
-  PRUint32 rvSize
-)
-{
-    PRUint32 i = 0;
-    PRCList *link = PR_NEXT_LINK(&collection->head);
-    pkiObjectCollectionNode *node;
-    int error=0;
-    while ((i < rvSize) && (link != &collection->head)) {
-	node = (pkiObjectCollectionNode *)link;
-	if (!node->haveObject) {
-	    /* Convert the proto-object to an object */
-	    node->object = (*collection->createObject)(node->object);
-	    if (!node->object) {
-		link = PR_NEXT_LINK(link);
-		/*remove bogus object from list*/
-		nssPKIObjectCollection_RemoveNode(collection,node);
-		error++;
-		continue;
-	    }
-	    node->haveObject = PR_TRUE;
-	}
-	rvObjects[i++] = nssPKIObject_AddRef(node->object);
-	link = PR_NEXT_LINK(link);
-    }
-    if (!error && *rvObjects == NULL) {
-	nss_SetError(NSS_ERROR_NOT_FOUND);
-    }
-    return PR_SUCCESS;
-}
-
-NSS_IMPLEMENT PRStatus
-nssPKIObjectCollection_Traverse (
-  nssPKIObjectCollection *collection,
-  nssPKIObjectCallback *callback
-)
-{
-    PRStatus status;
-    PRCList *link = PR_NEXT_LINK(&collection->head);
-    pkiObjectCollectionNode *node;
-    while (link != &collection->head) {
-	node = (pkiObjectCollectionNode *)link;
-	if (!node->haveObject) {
-	    node->object = (*collection->createObject)(node->object);
-	    if (!node->object) {
-		link = PR_NEXT_LINK(link);
-		/*remove bogus object from list*/
-		nssPKIObjectCollection_RemoveNode(collection,node);
-		continue;
-	    }
-	    node->haveObject = PR_TRUE;
-	}
-	switch (collection->objectType) {
-	case pkiObjectType_Certificate: 
-	    status = (*callback->func.cert)((NSSCertificate *)node->object, 
-	                                    callback->arg);
-	    break;
-	case pkiObjectType_CRL: 
-	    status = (*callback->func.crl)((NSSCRL *)node->object, 
-	                                   callback->arg);
-	    break;
-	case pkiObjectType_PrivateKey: 
-	    status = (*callback->func.pvkey)((NSSPrivateKey *)node->object, 
-	                                     callback->arg);
-	    break;
-	case pkiObjectType_PublicKey: 
-	    status = (*callback->func.pbkey)((NSSPublicKey *)node->object, 
-	                                     callback->arg);
-	    break;
-	}
-	link = PR_NEXT_LINK(link);
-    }
-    return PR_SUCCESS;
-}
-
-NSS_IMPLEMENT PRStatus
-nssPKIObjectCollection_AddInstanceAsObject (
-  nssPKIObjectCollection *collection,
-  nssCryptokiObject *instance
-)
-{
-    pkiObjectCollectionNode *node;
-    PRBool foundIt;
-    node = add_object_instance(collection, instance, &foundIt);
-    if (node == NULL) {
-	return PR_FAILURE;
-    }
-    if (!node->haveObject) {
-	node->object = (*collection->createObject)(node->object);
-	if (!node->object) {
-	    /*remove bogus object from list*/
-	    nssPKIObjectCollection_RemoveNode(collection,node);
-	    return PR_FAILURE;
-	}
-	node->haveObject = PR_TRUE;
-    }
-#ifdef NSS_3_4_CODE
-    else if (!foundIt) {
-	/* The instance was added to a pre-existing node.  This
-	 * function is *only* being used for certificates, and having
-	 * multiple instances of certs in 3.X requires updating the
-	 * CERTCertificate.
-	 * But only do it if it was a new instance!!!  If the same instance
-	 * is encountered, we set *foundIt to true.  Detect that here and
-	 * ignore it.
-	 */
-	STAN_ForceCERTCertificateUpdate((NSSCertificate *)node->object);
-    }
-#endif
-    return PR_SUCCESS;
-}
-
-/*
- * Certificate collections
- */
-
-static void
-cert_destroyObject(nssPKIObject *o)
-{
-    NSSCertificate *c = (NSSCertificate *)o;
-#ifdef NSS_3_4_CODE
-    if (c->decoding) {
-	CERTCertificate *cc = STAN_GetCERTCertificate(c);
-	if (cc) {
-	    CERT_DestroyCertificate(cc);
-	    return;
-	} /* else destroy it as NSSCertificate below */
-    }
-#endif
-    nssCertificate_Destroy(c);
-}
-
-static PRStatus
-cert_getUIDFromObject(nssPKIObject *o, NSSItem *uid)
-{
-    NSSCertificate *c = (NSSCertificate *)o;
-#ifdef NSS_3_4_CODE
-    /* The builtins are still returning decoded serial numbers.  Until
-     * this compatibility issue is resolved, use the full DER of the
-     * cert to uniquely identify it.
-     */
-    NSSDER *derCert;
-    derCert = nssCertificate_GetEncoding(c);
-    uid[0].data = NULL; uid[0].size = 0;
-    uid[1].data = NULL; uid[1].size = 0;
-    if (derCert != NULL) {
-	uid[0] = *derCert;
-    }
-#else
-    NSSDER *issuer, *serial;
-    issuer = nssCertificate_GetIssuer(c);
-    serial = nssCertificate_GetSerialNumber(c);
-    uid[0] = *issuer;
-    uid[1] = *serial;
-#endif /* NSS_3_4_CODE */
-    return PR_SUCCESS;
-}
-
-static PRStatus
-cert_getUIDFromInstance(nssCryptokiObject *instance, NSSItem *uid, 
-                        NSSArena *arena)
-{
-#ifdef NSS_3_4_CODE
-    /* The builtins are still returning decoded serial numbers.  Until
-     * this compatibility issue is resolved, use the full DER of the
-     * cert to uniquely identify it.
-     */
-    uid[1].data = NULL; uid[1].size = 0;
-    return nssCryptokiCertificate_GetAttributes(instance,
-                                                NULL,  /* XXX sessionOpt */
-                                                arena, /* arena    */
-                                                NULL,  /* type     */
-                                                NULL,  /* id       */
-                                                &uid[0], /* encoding */
-                                                NULL,  /* issuer   */
-                                                NULL,  /* serial   */
-                                                NULL);  /* subject  */
-#else
-    return nssCryptokiCertificate_GetAttributes(instance,
-                                                NULL,  /* XXX sessionOpt */
-                                                arena, /* arena    */
-                                                NULL,  /* type     */
-                                                NULL,  /* id       */
-                                                NULL,  /* encoding */
-                                                &uid[0], /* issuer */
-                                                &uid[1], /* serial */
-                                                NULL);  /* subject  */
-#endif /* NSS_3_4_CODE */
-}
-
-static nssPKIObject *
-cert_createObject(nssPKIObject *o)
-{
-    NSSCertificate *cert;
-    cert = nssCertificate_Create(o);
-#ifdef NSS_3_4_CODE
-/*    if (STAN_GetCERTCertificate(cert) == NULL) {
-	nssCertificate_Destroy(cert);
-	return (nssPKIObject *)NULL;
-    } */
-    /* In 3.4, have to maintain uniqueness of cert pointers by caching all
-     * certs.  Cache the cert here, before returning.  If it is already
-     * cached, take the cached entry.
-     */
-    {
-	NSSTrustDomain *td = o->trustDomain;
-	nssTrustDomain_AddCertsToCache(td, &cert, 1);
-    }
-#endif
-    return (nssPKIObject *)cert;
-}
-
-NSS_IMPLEMENT nssPKIObjectCollection *
-nssCertificateCollection_Create (
-  NSSTrustDomain *td,
-  NSSCertificate **certsOpt
-)
-{
-    PRStatus status;
-    nssPKIObjectCollection *collection;
-    collection = nssPKIObjectCollection_Create(td, NULL);
-    collection->objectType = pkiObjectType_Certificate;
-    collection->destroyObject = cert_destroyObject;
-    collection->getUIDFromObject = cert_getUIDFromObject;
-    collection->getUIDFromInstance = cert_getUIDFromInstance;
-    collection->createObject = cert_createObject;
-    if (certsOpt) {
-	for (; *certsOpt; certsOpt++) {
-	    nssPKIObject *object = (nssPKIObject *)(*certsOpt);
-	    status = nssPKIObjectCollection_AddObject(collection, object);
-	}
-    }
-    return collection;
-}
-
-NSS_IMPLEMENT NSSCertificate **
-nssPKIObjectCollection_GetCertificates (
-  nssPKIObjectCollection *collection,
-  NSSCertificate **rvOpt,
-  PRUint32 maximumOpt,
-  NSSArena *arenaOpt
-)
-{
-    PRStatus status;
-    PRUint32 rvSize;
-    PRBool allocated = PR_FALSE;
-    if (collection->size == 0) {
-	return (NSSCertificate **)NULL;
-    }
-    if (maximumOpt == 0) {
-	rvSize = collection->size;
-    } else {
-	rvSize = PR_MIN(collection->size, maximumOpt);
-    }
-    if (!rvOpt) {
-	rvOpt = nss_ZNEWARRAY(arenaOpt, NSSCertificate *, rvSize + 1);
-	if (!rvOpt) {
-	    return (NSSCertificate **)NULL;
-	}
-	allocated = PR_TRUE;
-    }
-    status = nssPKIObjectCollection_GetObjects(collection, 
-                                               (nssPKIObject **)rvOpt, 
-                                               rvSize);
-    if (status != PR_SUCCESS) {
-	if (allocated) {
-	    nss_ZFreeIf(rvOpt);
-	}
-	return (NSSCertificate **)NULL;
-    }
-    return rvOpt;
-}
-
-/*
- * CRL/KRL collections
- */
-
-static void
-crl_destroyObject(nssPKIObject *o)
-{
-    NSSCRL *crl = (NSSCRL *)o;
-    nssCRL_Destroy(crl);
-}
-
-static PRStatus
-crl_getUIDFromObject(nssPKIObject *o, NSSItem *uid)
-{
-    NSSCRL *crl = (NSSCRL *)o;
-    NSSDER *encoding;
-    encoding = nssCRL_GetEncoding(crl);
-    uid[0] = *encoding;
-    uid[1].data = NULL; uid[1].size = 0;
-    return PR_SUCCESS;
-}
-
-static PRStatus
-crl_getUIDFromInstance(nssCryptokiObject *instance, NSSItem *uid, 
-                       NSSArena *arena)
-{
-    return nssCryptokiCRL_GetAttributes(instance,
-                                        NULL,    /* XXX sessionOpt */
-                                        arena,   /* arena    */
-                                        &uid[0], /* encoding */
-                                        NULL,    /* subject  */
-                                        NULL,    /* class    */
-                                        NULL,    /* url      */
-                                        NULL);   /* isKRL    */
-}
-
-static nssPKIObject *
-crl_createObject(nssPKIObject *o)
-{
-    return (nssPKIObject *)nssCRL_Create(o);
-}
-
-NSS_IMPLEMENT nssPKIObjectCollection *
-nssCRLCollection_Create (
-  NSSTrustDomain *td,
-  NSSCRL **crlsOpt
-)
-{
-    PRStatus status;
-    nssPKIObjectCollection *collection;
-    collection = nssPKIObjectCollection_Create(td, NULL);
-    collection->objectType = pkiObjectType_CRL;
-    collection->destroyObject = crl_destroyObject;
-    collection->getUIDFromObject = crl_getUIDFromObject;
-    collection->getUIDFromInstance = crl_getUIDFromInstance;
-    collection->createObject = crl_createObject;
-    if (crlsOpt) {
-	for (; *crlsOpt; crlsOpt++) {
-	    nssPKIObject *object = (nssPKIObject *)(*crlsOpt);
-	    status = nssPKIObjectCollection_AddObject(collection, object);
-	}
-    }
-    return collection;
-}
-
-NSS_IMPLEMENT NSSCRL **
-nssPKIObjectCollection_GetCRLs (
-  nssPKIObjectCollection *collection,
-  NSSCRL **rvOpt,
-  PRUint32 maximumOpt,
-  NSSArena *arenaOpt
-)
-{
-    PRStatus status;
-    PRUint32 rvSize;
-    PRBool allocated = PR_FALSE;
-    if (collection->size == 0) {
-	return (NSSCRL **)NULL;
-    }
-    if (maximumOpt == 0) {
-	rvSize = collection->size;
-    } else {
-	rvSize = PR_MIN(collection->size, maximumOpt);
-    }
-    if (!rvOpt) {
-	rvOpt = nss_ZNEWARRAY(arenaOpt, NSSCRL *, rvSize + 1);
-	if (!rvOpt) {
-	    return (NSSCRL **)NULL;
-	}
-	allocated = PR_TRUE;
-    }
-    status = nssPKIObjectCollection_GetObjects(collection, 
-                                               (nssPKIObject **)rvOpt, 
-                                               rvSize);
-    if (status != PR_SUCCESS) {
-	if (allocated) {
-	    nss_ZFreeIf(rvOpt);
-	}
-	return (NSSCRL **)NULL;
-    }
-    return rvOpt;
-}
-
-#ifdef PURE_STAN_BUILD
-/*
- * PrivateKey collections
- */
-
-static void
-privkey_destroyObject(nssPKIObject *o)
-{
-    NSSPrivateKey *pvk = (NSSPrivateKey *)o;
-    nssPrivateKey_Destroy(pvk);
-}
-
-static PRStatus
-privkey_getUIDFromObject(nssPKIObject *o, NSSItem *uid)
-{
-    NSSPrivateKey *pvk = (NSSPrivateKey *)o;
-    NSSItem *id;
-    id = nssPrivateKey_GetID(pvk);
-    uid[0] = *id;
-    return PR_SUCCESS;
-}
-
-static PRStatus
-privkey_getUIDFromInstance(nssCryptokiObject *instance, NSSItem *uid, 
-                           NSSArena *arena)
-{
-    return nssCryptokiPrivateKey_GetAttributes(instance,
-                                               NULL,  /* XXX sessionOpt */
-                                               arena,
-                                               NULL, /* type */
-                                               &uid[0]);
-}
-
-static nssPKIObject *
-privkey_createObject(nssPKIObject *o)
-{
-    NSSPrivateKey *pvk;
-    pvk = nssPrivateKey_Create(o);
-    return (nssPKIObject *)pvk;
-}
-
-NSS_IMPLEMENT nssPKIObjectCollection *
-nssPrivateKeyCollection_Create (
-  NSSTrustDomain *td,
-  NSSPrivateKey **pvkOpt
-)
-{
-    PRStatus status;
-    nssPKIObjectCollection *collection;
-    collection = nssPKIObjectCollection_Create(td, NULL);
-    collection->objectType = pkiObjectType_PrivateKey;
-    collection->destroyObject = privkey_destroyObject;
-    collection->getUIDFromObject = privkey_getUIDFromObject;
-    collection->getUIDFromInstance = privkey_getUIDFromInstance;
-    collection->createObject = privkey_createObject;
-    if (pvkOpt) {
-	for (; *pvkOpt; pvkOpt++) {
-	    nssPKIObject *o = (nssPKIObject *)(*pvkOpt);
-	    status = nssPKIObjectCollection_AddObject(collection, o);
-	}
-    }
-    return collection;
-}
-
-NSS_IMPLEMENT NSSPrivateKey **
-nssPKIObjectCollection_GetPrivateKeys (
-  nssPKIObjectCollection *collection,
-  NSSPrivateKey **rvOpt,
-  PRUint32 maximumOpt,
-  NSSArena *arenaOpt
-)
-{
-    PRStatus status;
-    PRUint32 rvSize;
-    PRBool allocated = PR_FALSE;
-    if (collection->size == 0) {
-	return (NSSPrivateKey **)NULL;
-    }
-    if (maximumOpt == 0) {
-	rvSize = collection->size;
-    } else {
-	rvSize = PR_MIN(collection->size, maximumOpt);
-    }
-    if (!rvOpt) {
-	rvOpt = nss_ZNEWARRAY(arenaOpt, NSSPrivateKey *, rvSize + 1);
-	if (!rvOpt) {
-	    return (NSSPrivateKey **)NULL;
-	}
-	allocated = PR_TRUE;
-    }
-    status = nssPKIObjectCollection_GetObjects(collection, 
-                                               (nssPKIObject **)rvOpt, 
-                                               rvSize);
-    if (status != PR_SUCCESS) {
-	if (allocated) {
-	    nss_ZFreeIf(rvOpt);
-	}
-	return (NSSPrivateKey **)NULL;
-    }
-    return rvOpt;
-}
-
-/*
- * PublicKey collections
- */
-
-static void
-pubkey_destroyObject(nssPKIObject *o)
-{
-    NSSPublicKey *pubk = (NSSPublicKey *)o;
-    nssPublicKey_Destroy(pubk);
-}
-
-static PRStatus
-pubkey_getUIDFromObject(nssPKIObject *o, NSSItem *uid)
-{
-    NSSPublicKey *pubk = (NSSPublicKey *)o;
-    NSSItem *id;
-    id = nssPublicKey_GetID(pubk);
-    uid[0] = *id;
-    return PR_SUCCESS;
-}
-
-static PRStatus
-pubkey_getUIDFromInstance(nssCryptokiObject *instance, NSSItem *uid, 
-                          NSSArena *arena)
-{
-    return nssCryptokiPublicKey_GetAttributes(instance,
-                                              NULL,  /* XXX sessionOpt */
-                                              arena,
-                                              NULL, /* type */
-                                              &uid[0]);
-}
-
-static nssPKIObject *
-pubkey_createObject(nssPKIObject *o)
-{
-    NSSPublicKey *pubk;
-    pubk = nssPublicKey_Create(o);
-    return (nssPKIObject *)pubk;
-}
-
-NSS_IMPLEMENT nssPKIObjectCollection *
-nssPublicKeyCollection_Create (
-  NSSTrustDomain *td,
-  NSSPublicKey **pubkOpt
-)
-{
-    PRStatus status;
-    nssPKIObjectCollection *collection;
-    collection = nssPKIObjectCollection_Create(td, NULL);
-    collection->objectType = pkiObjectType_PublicKey;
-    collection->destroyObject = pubkey_destroyObject;
-    collection->getUIDFromObject = pubkey_getUIDFromObject;
-    collection->getUIDFromInstance = pubkey_getUIDFromInstance;
-    collection->createObject = pubkey_createObject;
-    if (pubkOpt) {
-	for (; *pubkOpt; pubkOpt++) {
-	    nssPKIObject *o = (nssPKIObject *)(*pubkOpt);
-	    status = nssPKIObjectCollection_AddObject(collection, o);
-	}
-    }
-    return collection;
-}
-
-NSS_IMPLEMENT NSSPublicKey **
-nssPKIObjectCollection_GetPublicKeys (
-  nssPKIObjectCollection *collection,
-  NSSPublicKey **rvOpt,
-  PRUint32 maximumOpt,
-  NSSArena *arenaOpt
-)
-{
-    PRStatus status;
-    PRUint32 rvSize;
-    PRBool allocated = PR_FALSE;
-    if (collection->size == 0) {
-	return (NSSPublicKey **)NULL;
-    }
-    if (maximumOpt == 0) {
-	rvSize = collection->size;
-    } else {
-	rvSize = PR_MIN(collection->size, maximumOpt);
-    }
-    if (!rvOpt) {
-	rvOpt = nss_ZNEWARRAY(arenaOpt, NSSPublicKey *, rvSize + 1);
-	if (!rvOpt) {
-	    return (NSSPublicKey **)NULL;
-	}
-	allocated = PR_TRUE;
-    }
-    status = nssPKIObjectCollection_GetObjects(collection, 
-                                               (nssPKIObject **)rvOpt, 
-                                               rvSize);
-    if (status != PR_SUCCESS) {
-	if (allocated) {
-	    nss_ZFreeIf(rvOpt);
-	}
-	return (NSSPublicKey **)NULL;
-    }
-    return rvOpt;
-}
-#endif /* PURE_STAN_BUILD */
-
-/* how bad would it be to have a static now sitting around, updated whenever
- * this was called?  would avoid repeated allocs...
- */
-NSS_IMPLEMENT NSSTime *
-NSSTime_Now (
-  NSSTime *timeOpt
-)
-{
-    return NSSTime_SetPRTime(timeOpt, PR_Now());
-}
-
-NSS_IMPLEMENT NSSTime *
-NSSTime_SetPRTime (
-  NSSTime *timeOpt,
-  PRTime prTime
-)
-{
-    NSSTime *rvTime;
-    rvTime = (timeOpt) ? timeOpt : nss_ZNEW(NULL, NSSTime);
-    rvTime->prTime = prTime;
-    return rvTime;
-}
-
-NSS_IMPLEMENT PRTime
-NSSTime_GetPRTime (
-  NSSTime *time
-)
-{
-  return time->prTime;
-}
-
diff --git a/security/nss/lib/pki/pkim.h b/security/nss/lib/pki/pkim.h
deleted file mode 100644
index 5fad8a13f..000000000
--- a/security/nss/lib/pki/pkim.h
+++ /dev/null
@@ -1,726 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef PKIM_H
-#define PKIM_H
-
-#ifdef DEBUG
-static const char PKIM_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-#ifndef PKI_H
-#include "pki.h"
-#endif /* PKI_H */
-
-#ifndef PKITM_H
-#include "pkitm.h"
-#endif /* PKITM_H */
-
-PR_BEGIN_EXTERN_C
-
-/* nssPKIObject
- *
- * This is the base object class, common to all PKI objects defined in
- * in this module.  Each object can be safely 'casted' to an nssPKIObject,
- * then passed to these methods.
- *
- * nssPKIObject_Create
- * nssPKIObject_Destroy
- * nssPKIObject_AddRef
- * nssPKIObject_AddInstance
- * nssPKIObject_HasInstance
- * nssPKIObject_GetTokens
- * nssPKIObject_GetNicknameForToken
- * nssPKIObject_RemoveInstanceForToken
- * nssPKIObject_DeleteStoredObject
- */
-
-/* nssPKIObject_Create
- *
- * A generic PKI object.  It must live in a trust domain.  It may be
- * initialized with a token instance, or alternatively in a crypto context.
- */
-NSS_EXTERN nssPKIObject *
-nssPKIObject_Create
-(
-  NSSArena *arenaOpt,
-  nssCryptokiObject *instanceOpt,
-  NSSTrustDomain *td,
-  NSSCryptoContext *ccOpt
-);
-
-/* nssPKIObject_AddRef
- */
-NSS_EXTERN nssPKIObject *
-nssPKIObject_AddRef
-(
-  nssPKIObject *object
-);
-
-/* nssPKIObject_Destroy
- *
- * Returns true if object was destroyed.  This notifies the subclass that
- * all references are gone and it should delete any members it owns.
- */
-NSS_EXTERN PRBool
-nssPKIObject_Destroy
-(
-  nssPKIObject *object
-);
-
-/* nssPKIObject_AddInstance
- *
- * Add a token instance to the object, if it does not have it already.
- */
-NSS_EXTERN PRStatus
-nssPKIObject_AddInstance
-(
-  nssPKIObject *object,
-  nssCryptokiObject *instance
-);
-
-/* nssPKIObject_HasInstance
- *
- * Query the object for a token instance.
- */
-NSS_EXTERN PRBool
-nssPKIObject_HasInstance
-(
-  nssPKIObject *object,
-  nssCryptokiObject *instance
-);
-
-/* nssPKIObject_GetTokens
- *
- * Get all tokens which have an instance of the object.
- */
-NSS_EXTERN NSSToken **
-nssPKIObject_GetTokens
-(
-  nssPKIObject *object,
-  PRStatus *statusOpt
-);
-
-/* nssPKIObject_GetNicknameForToken
- *
- * tokenOpt == NULL means take the first available, otherwise return the
- * nickname for the specified token.
- */
-NSS_EXTERN NSSUTF8 *
-nssPKIObject_GetNicknameForToken
-(
-  nssPKIObject *object,
-  NSSToken *tokenOpt
-);
-
-/* nssPKIObject_RemoveInstanceForToken
- *
- * Remove the instance of the object on the specified token.
- */
-NSS_EXTERN PRStatus
-nssPKIObject_RemoveInstanceForToken
-(
-  nssPKIObject *object,
-  NSSToken *token
-);
-
-/* nssPKIObject_DeleteStoredObject
- *
- * Delete all token instances of the object, as well as any crypto context
- * instances (TODO).  If any of the instances are read-only, or if the
- * removal fails, the object will keep those instances.  'isFriendly' refers
- * to the object -- can this object be removed from a friendly token without
- * login?  For example, certificates are friendly, private keys are not.
- * Note that if the token is not friendly, authentication will be required
- * regardless of the value of 'isFriendly'.
- */
-NSS_EXTERN PRStatus
-nssPKIObject_DeleteStoredObject
-(
-  nssPKIObject *object,
-  NSSCallback *uhh,
-  PRBool isFriendly
-);
-
-#ifdef NSS_3_4_CODE
-NSS_EXTERN nssCryptokiObject **
-nssPKIObject_GetInstances
-(
-  nssPKIObject *object
-);
-#endif
-
-NSS_EXTERN NSSCertificate **
-nssTrustDomain_FindCertificatesByID
-(
-  NSSTrustDomain *td,
-  NSSItem *id,
-  NSSCertificate **rvOpt,
-  PRUint32 maximumOpt,
-  NSSArena *arenaOpt
-);
-
-NSS_EXTERN NSSCRL **
-nssTrustDomain_FindCRLsBySubject
-(
-  NSSTrustDomain *td,
-  NSSDER *subject
-);
-
-/* module-private nsspki methods */
-
-NSS_EXTERN NSSCryptoContext *
-nssCryptoContext_Create
-(
-  NSSTrustDomain *td,
-  NSSCallback *uhhOpt
-);
-
-/* XXX for the collection */
-NSS_EXTERN NSSCertificate *
-nssCertificate_Create
-(
-  nssPKIObject *object
-);
-
-NSS_EXTERN PRStatus
-nssCertificate_SetCertTrust
-(
-  NSSCertificate *c,
-  NSSTrust *trust
-);
-
-NSS_EXTERN nssDecodedCert *
-nssCertificate_GetDecoding
-(
-  NSSCertificate *c
-);
-
-extern PRIntn
-nssCertificate_SubjectListSort
-(
-  void *v1,
-  void *v2
-);
-
-NSS_EXTERN nssDecodedCert *
-nssDecodedCert_Create
-(
-  NSSArena *arenaOpt,
-  NSSDER *encoding,
-  NSSCertificateType type
-);
-
-NSS_EXTERN PRStatus
-nssDecodedCert_Destroy
-(
-  nssDecodedCert *dc
-);
-
-NSS_EXTERN NSSTrust *
-nssTrust_Create
-(
-  nssPKIObject *object,
-  NSSItem *certData
-);
-
-NSS_EXTERN NSSCRL *
-nssCRL_Create
-(
-  nssPKIObject *object
-);
-
-NSS_EXTERN NSSCRL *
-nssCRL_AddRef
-(
-  NSSCRL *crl
-);
-
-NSS_EXTERN PRStatus
-nssCRL_Destroy
-(
-  NSSCRL *crl
-);
-
-NSS_EXTERN PRStatus
-nssCRL_DeleteStoredObject
-(
-  NSSCRL *crl,
-  NSSCallback *uhh
-);
-
-NSS_EXTERN NSSPrivateKey *
-nssPrivateKey_Create
-(
-  nssPKIObject *o
-);
-
-NSS_EXTERN NSSDER *
-nssCRL_GetEncoding
-(
-  NSSCRL *crl
-);
-
-NSS_EXTERN NSSPublicKey *
-nssPublicKey_Create
-(
-  nssPKIObject *object
-);
-
-/* nssCertificateArray
- *
- * These are being thrown around a lot, might as well group together some
- * functionality.
- *
- * nssCertificateArray_Destroy
- * nssCertificateArray_Join
- * nssCertificateArray_FindBestCertificate
- * nssCertificateArray_Traverse
- */
-
-/* nssCertificateArray_Destroy
- *
- * Will destroy the array and the certs within it.  If the array was created
- * in an arena, will *not* (of course) destroy the arena.  However, is safe
- * to call this method on an arena-allocated array.
- */
-NSS_EXTERN void
-nssCertificateArray_Destroy
-(
-  NSSCertificate **certs
-);
-
-/* nssCertificateArray_Join
- *
- * Join two arrays into one.  The two arrays, certs1 and certs2, should
- * be considered invalid after a call to this function (they may be destroyed
- * as part of the join).  certs1 and/or certs2 may be NULL.  Safe to
- * call with arrays allocated in an arena, the result will also be in the
- * arena.
- */
-NSS_EXTERN NSSCertificate **
-nssCertificateArray_Join
-(
-  NSSCertificate **certs1,
-  NSSCertificate **certs2
-);
-
-/* nssCertificateArray_FindBestCertificate
- *
- * Use the usual { time, usage, policies } to find the best cert in the
- * array.
- */
-NSS_EXTERN NSSCertificate * 
-nssCertificateArray_FindBestCertificate
-(
-  NSSCertificate **certs, 
-  NSSTime *timeOpt,
-  const NSSUsage *usage,
-  NSSPolicies *policiesOpt
-);
-
-/* nssCertificateArray_Traverse
- *
- * Do the callback for each cert, terminate the traversal if the callback
- * fails.
- */
-NSS_EXTERN PRStatus
-nssCertificateArray_Traverse
-(
-  NSSCertificate **certs,
-  PRStatus (* callback)(NSSCertificate *c, void *arg),
-  void *arg
-);
-
-NSS_EXTERN void
-nssCRLArray_Destroy
-(
-  NSSCRL **crls
-);
-
-/* nssPKIObjectCollection
- *
- * This is a handy way to group objects together and perform operations
- * on them.  It can also handle "proto-objects"-- references to
- * objects instances on tokens, where the actual object hasn't 
- * been formed yet.
- *
- * nssCertificateCollection_Create
- * nssPrivateKeyCollection_Create
- * nssPublicKeyCollection_Create
- *
- * If this was a language that provided for inheritance, each type would
- * inherit all of the following methods.  Instead, there is only one
- * type (nssPKIObjectCollection), shared among all.  This may cause
- * confusion; an alternative would be to define all of the methods
- * for each subtype (nssCertificateCollection_Destroy, ...), but that doesn't
- * seem worth the code bloat..  It is left up to the caller to remember 
- * what type of collection he/she is dealing with.
- *
- * nssPKIObjectCollection_Destroy
- * nssPKIObjectCollection_Count
- * nssPKIObjectCollection_AddObject
- * nssPKIObjectCollection_AddInstances
- * nssPKIObjectCollection_Traverse
- *
- * Back to type-specific methods.
- *
- * nssPKIObjectCollection_GetCertificates
- * nssPKIObjectCollection_GetCRLs
- * nssPKIObjectCollection_GetPrivateKeys
- * nssPKIObjectCollection_GetPublicKeys
- */
-
-/* nssCertificateCollection_Create
- *
- * Create a collection of certificates in the specified trust domain.
- * Optionally provide a starting set of certs.
- */
-NSS_EXTERN nssPKIObjectCollection *
-nssCertificateCollection_Create
-(
-  NSSTrustDomain *td,
-  NSSCertificate **certsOpt
-);
-
-/* nssCRLCollection_Create
- *
- * Create a collection of CRLs/KRLs in the specified trust domain.
- * Optionally provide a starting set of CRLs.
- */
-NSS_EXTERN nssPKIObjectCollection *
-nssCRLCollection_Create
-(
-  NSSTrustDomain *td,
-  NSSCRL **crlsOpt
-);
-
-/* nssPrivateKeyCollection_Create
- *
- * Create a collection of private keys in the specified trust domain.
- * Optionally provide a starting set of keys.
- */
-NSS_EXTERN nssPKIObjectCollection *
-nssPrivateKeyCollection_Create
-(
-  NSSTrustDomain *td,
-  NSSPrivateKey **pvkOpt
-);
-
-/* nssPublicKeyCollection_Create
- *
- * Create a collection of public keys in the specified trust domain.
- * Optionally provide a starting set of keys.
- */
-NSS_EXTERN nssPKIObjectCollection *
-nssPublicKeyCollection_Create
-(
-  NSSTrustDomain *td,
-  NSSPublicKey **pvkOpt
-);
-
-/* nssPKIObjectCollection_Destroy
- */
-NSS_EXTERN void
-nssPKIObjectCollection_Destroy
-(
-  nssPKIObjectCollection *collection
-);
-
-/* nssPKIObjectCollection_Count
- */
-NSS_EXTERN PRUint32
-nssPKIObjectCollection_Count
-(
-  nssPKIObjectCollection *collection
-);
-
-NSS_EXTERN PRStatus
-nssPKIObjectCollection_AddObject
-(
-  nssPKIObjectCollection *collection,
-  nssPKIObject *object
-);
-
-/* nssPKIObjectCollection_AddInstances
- *
- * Add a set of object instances to the collection.  The instances
- * will be sorted into any existing certs/proto-certs that may be in
- * the collection.  The instances will be absorbed by the collection,
- * the array should not be used after this call (except to free it).
- *
- * Failure means the collection is in an invalid state.
- *
- * numInstances = 0 means the array is NULL-terminated
- */
-NSS_EXTERN PRStatus
-nssPKIObjectCollection_AddInstances
-(
-  nssPKIObjectCollection *collection,
-  nssCryptokiObject **instances,
-  PRUint32 numInstances
-);
-
-/* nssPKIObjectCollection_Traverse
- */
-NSS_EXTERN PRStatus
-nssPKIObjectCollection_Traverse
-(
-  nssPKIObjectCollection *collection,
-  nssPKIObjectCallback *callback
-);
-
-/* This function is being added for NSS 3.5.  It corresponds to the function
- * nssToken_TraverseCertificates.  The idea is to use the collection during
- * a traversal, creating certs each time a new instance is added for which
- * a cert does not already exist.
- */
-NSS_EXTERN PRStatus
-nssPKIObjectCollection_AddInstanceAsObject
-(
-  nssPKIObjectCollection *collection,
-  nssCryptokiObject *instance
-);
-
-/* nssPKIObjectCollection_GetCertificates
- *
- * Get all of the certificates in the collection. 
- */
-NSS_EXTERN NSSCertificate **
-nssPKIObjectCollection_GetCertificates
-(
-  nssPKIObjectCollection *collection,
-  NSSCertificate **rvOpt,
-  PRUint32 maximumOpt,
-  NSSArena *arenaOpt
-);
-
-NSS_EXTERN NSSCRL **
-nssPKIObjectCollection_GetCRLs
-(
-  nssPKIObjectCollection *collection,
-  NSSCRL **rvOpt,
-  PRUint32 maximumOpt,
-  NSSArena *arenaOpt
-);
-
-NSS_EXTERN NSSPrivateKey **
-nssPKIObjectCollection_GetPrivateKeys
-(
-  nssPKIObjectCollection *collection,
-  NSSPrivateKey **rvOpt,
-  PRUint32 maximumOpt,
-  NSSArena *arenaOpt
-);
-
-NSS_EXTERN NSSPublicKey **
-nssPKIObjectCollection_GetPublicKeys
-(
-  nssPKIObjectCollection *collection,
-  NSSPublicKey **rvOpt,
-  PRUint32 maximumOpt,
-  NSSArena *arenaOpt
-);
-
-NSS_EXTERN NSSTime *
-NSSTime_Now
-(
-  NSSTime *timeOpt
-);
-
-NSS_EXTERN NSSTime *
-NSSTime_SetPRTime
-(
-  NSSTime *timeOpt,
-  PRTime prTime
-);
-
-NSS_EXTERN PRTime
-NSSTime_GetPRTime
-(
-  NSSTime *time
-);
-
-NSS_EXTERN nssHash *
-nssHash_CreateCertificate
-(
-  NSSArena *arenaOpt,
-  PRUint32 numBuckets
-);
-
-/* 3.4 Certificate cache routines */
-
-NSS_EXTERN PRStatus
-nssTrustDomain_InitializeCache
-(
-  NSSTrustDomain *td,
-  PRUint32 cacheSize
-);
-
-NSS_EXTERN PRStatus
-nssTrustDomain_AddCertsToCache
-(
-  NSSTrustDomain *td,
-  NSSCertificate **certs,
-  PRUint32 numCerts
-);
-
-NSS_EXTERN void
-nssTrustDomain_RemoveCertFromCacheLOCKED (
-  NSSTrustDomain *td,
-  NSSCertificate *cert
-);
-
-NSS_EXTERN void
-nssTrustDomain_LockCertCache (
-  NSSTrustDomain *td
-);
-
-NSS_EXTERN void
-nssTrustDomain_UnlockCertCache (
-  NSSTrustDomain *td
-);
-
-NSS_IMPLEMENT PRStatus
-nssTrustDomain_DestroyCache
-(
-  NSSTrustDomain *td
-);
-
-/* 
- * Remove all certs for the given token from the cache.  This is
- * needed if the token is removed.
- */
-NSS_EXTERN PRStatus
-nssTrustDomain_RemoveTokenCertsFromCache
-(
-  NSSTrustDomain *td,
-  NSSToken *token
-);
-
-NSS_EXTERN PRStatus
-nssTrustDomain_UpdateCachedTokenCerts
-(
-  NSSTrustDomain *td,
-  NSSToken *token
-);
-
-/*
- * Find all cached certs with this nickname (label).
- */
-NSS_EXTERN NSSCertificate **
-nssTrustDomain_GetCertsForNicknameFromCache
-(
-  NSSTrustDomain *td,
-  NSSUTF8 *nickname,
-  nssList *certListOpt
-);
-
-/*
- * Find all cached certs with this email address.
- */
-NSS_EXTERN NSSCertificate **
-nssTrustDomain_GetCertsForEmailAddressFromCache
-(
-  NSSTrustDomain *td,
-  NSSASCII7 *email,
-  nssList *certListOpt
-);
-
-/*
- * Find all cached certs with this subject.
- */
-NSS_EXTERN NSSCertificate **
-nssTrustDomain_GetCertsForSubjectFromCache
-(
-  NSSTrustDomain *td,
-  NSSDER *subject,
-  nssList *certListOpt
-);
-
-/*
- * Look for a specific cert in the cache.
- */
-NSS_EXTERN NSSCertificate *
-nssTrustDomain_GetCertForIssuerAndSNFromCache
-(
-  NSSTrustDomain *td,
-  NSSDER *issuer,
-  NSSDER *serialNum
-);
-
-/*
- * Look for a specific cert in the cache.
- */
-NSS_EXTERN NSSCertificate *
-nssTrustDomain_GetCertByDERFromCache
-(
-  NSSTrustDomain *td,
-  NSSDER *der
-);
-
-/* Get all certs from the cache */
-/* XXX this is being included to make some old-style calls word, not to
- *     say we should keep it
- */
-NSS_EXTERN NSSCertificate **
-nssTrustDomain_GetCertsFromCache
-(
-  NSSTrustDomain *td,
-  nssList *certListOpt
-);
-
-NSS_EXTERN void
-nssTrustDomain_DumpCacheInfo
-(
-  NSSTrustDomain *td,
-  void (* cert_dump_iter)(const void *, void *, void *),
-  void *arg
-);
-
-NSS_EXTERN void
-nssCertificateList_AddReferences
-(
-  nssList *certList
-);
-
-PR_END_EXTERN_C
-
-#endif /* PKIM_H */
diff --git a/security/nss/lib/pki/pkistore.c b/security/nss/lib/pki/pkistore.c
deleted file mode 100644
index ed35c9749..000000000
--- a/security/nss/lib/pki/pkistore.c
+++ /dev/null
@@ -1,706 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#ifndef PKIM_H
-#include "pkim.h"
-#endif /* PKIM_H */
-
-#ifndef PKI_H
-#include "pki.h"
-#endif /* PKI_H */
-
-#ifndef NSSPKI_H
-#include "nsspki.h"
-#endif /* NSSPKI_H */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-#ifndef PKISTORE_H
-#include "pkistore.h"
-#endif /* PKISTORE_H */
-
-#ifdef NSS_3_4_CODE
-#include "cert.h"
-#endif
-
-/* 
- * Certificate Store
- *
- * This differs from the cache in that it is a true storage facility.  Items
- * stay in until they are explicitly removed.  It is only used by crypto
- * contexts at this time, but may be more generally useful...
- *
- */
-
-struct nssCertificateStoreStr 
-{
-    PRBool i_alloced_arena;
-    NSSArena *arena;
-    PZLock *lock;
-    nssHash *subject;
-    nssHash *issuer_and_serial;
-};
-
-typedef struct certificate_hash_entry_str certificate_hash_entry;
-
-struct certificate_hash_entry_str
-{
-    NSSCertificate *cert;
-    NSSTrust *trust;
-    nssSMIMEProfile *profile;
-};
-
-NSS_IMPLEMENT nssCertificateStore *
-nssCertificateStore_Create (
-  NSSArena *arenaOpt
-)
-{
-    NSSArena *arena;
-    nssCertificateStore *store;
-    PRBool i_alloced_arena;
-    if (arenaOpt) {
-	arena = arenaOpt;
-	i_alloced_arena = PR_FALSE;
-    } else {
-	arena = nssArena_Create();
-	if (!arena) {
-	    return NULL;
-	}
-	i_alloced_arena = PR_TRUE;
-    }
-    store = nss_ZNEW(arena, nssCertificateStore);
-    if (!store) {
-	goto loser;
-    }
-    store->lock = PZ_NewLock(nssILockOther);
-    if (!store->lock) {
-	goto loser;
-    }
-    /* Create the issuer/serial --> {cert, trust, S/MIME profile } hash */
-    store->issuer_and_serial = nssHash_CreateCertificate(arena, 0);
-    if (!store->issuer_and_serial) {
-	goto loser;
-    }
-    /* Create the subject DER --> subject list hash */
-    store->subject = nssHash_CreateItem(arena, 0);
-    if (!store->subject) {
-	goto loser;
-    }
-    store->arena = arena;
-    store->i_alloced_arena = i_alloced_arena;
-    return store;
-loser:
-    if (store) {
-	if (store->lock) {
-	    PZ_DestroyLock(store->lock);
-	}
-	if (store->issuer_and_serial) {
-	    nssHash_Destroy(store->issuer_and_serial);
-	}
-	if (store->subject) {
-	    nssHash_Destroy(store->subject);
-	}
-    }
-    if (i_alloced_arena) {
-	nssArena_Destroy(arena);
-    }
-    return NULL;
-}
-
-extern const NSSError NSS_ERROR_BUSY;
-
-NSS_IMPLEMENT PRStatus
-nssCertificateStore_Destroy (
-  nssCertificateStore *store
-)
-{
-    if (nssHash_Count(store->issuer_and_serial) > 0) {
-	nss_SetError(NSS_ERROR_BUSY);
-	return PR_FAILURE;
-    }
-    PZ_DestroyLock(store->lock);
-    nssHash_Destroy(store->issuer_and_serial);
-    nssHash_Destroy(store->subject);
-    if (store->i_alloced_arena) {
-	nssArena_Destroy(store->arena);
-    } else {
-	nss_ZFreeIf(store);
-    }
-    return PR_SUCCESS;
-}
-
-static PRStatus
-add_certificate_entry (
-  nssCertificateStore *store,
-  NSSCertificate *cert
-)
-{
-    PRStatus nssrv;
-    certificate_hash_entry *entry;
-    entry = nss_ZNEW(cert->object.arena, certificate_hash_entry);
-    if (!entry) {
-	return PR_FAILURE;
-    }
-    entry->cert = cert;
-    nssrv = nssHash_Add(store->issuer_and_serial, cert, entry);
-    if (nssrv != PR_SUCCESS) {
-	nss_ZFreeIf(entry);
-    }
-    return nssrv;
-}
-
-static PRStatus
-add_subject_entry (
-  nssCertificateStore *store,
-  NSSCertificate *cert
-)
-{
-    PRStatus nssrv;
-    nssList *subjectList;
-    subjectList = (nssList *)nssHash_Lookup(store->subject, &cert->subject);
-    if (subjectList) {
-	/* The subject is already in, add this cert to the list */
-	nssrv = nssList_AddUnique(subjectList, cert);
-    } else {
-	/* Create a new subject list for the subject */
-	subjectList = nssList_Create(NULL, PR_FALSE);
-	if (!subjectList) {
-	    return PR_FAILURE;
-	}
-	nssList_SetSortFunction(subjectList, nssCertificate_SubjectListSort);
-	/* Add the cert entry to this list of subjects */
-	nssrv = nssList_Add(subjectList, cert);
-	if (nssrv != PR_SUCCESS) {
-	    return nssrv;
-	}
-	/* Add the subject list to the cache */
-	nssrv = nssHash_Add(store->subject, &cert->subject, subjectList);
-    }
-    return nssrv;
-}
-
-/* declared below */
-static void
-remove_certificate_entry (
-  nssCertificateStore *store,
-  NSSCertificate *cert
-);
-
-NSS_IMPLEMENT PRStatus
-nssCertificateStore_Add (
-  nssCertificateStore *store,
-  NSSCertificate *cert
-)
-{
-    PRStatus nssrv;
-    PZ_Lock(store->lock);
-    if (nssHash_Exists(store->issuer_and_serial, cert)) {
-	PZ_Unlock(store->lock);
-	return PR_SUCCESS;
-    }
-    nssrv = add_certificate_entry(store, cert);
-    if (nssrv == PR_SUCCESS) {
-	nssrv = add_subject_entry(store, cert);
-	if (nssrv == PR_FAILURE) {
-	    remove_certificate_entry(store, cert);
-	}
-    }
-    PZ_Unlock(store->lock);
-    return nssrv;
-}
-
-static void
-remove_certificate_entry (
-  nssCertificateStore *store,
-  NSSCertificate *cert
-)
-{
-    certificate_hash_entry *entry;
-    entry = (certificate_hash_entry *)
-                             nssHash_Lookup(store->issuer_and_serial, cert);
-    if (entry) {
-	nssHash_Remove(store->issuer_and_serial, cert);
-	if (entry->trust) {
-	    nssTrust_Destroy(entry->trust);
-	}
-	if (entry->profile) {
-	    nssSMIMEProfile_Destroy(entry->profile);
-	}
-	nss_ZFreeIf(entry);
-    }
-}
-
-static void
-remove_subject_entry (
-  nssCertificateStore *store,
-  NSSCertificate *cert
-)
-{
-    nssList *subjectList;
-    /* Get the subject list for the cert's subject */
-    subjectList = (nssList *)nssHash_Lookup(store->subject, &cert->subject);
-    if (subjectList) {
-	/* Remove the cert from the subject hash */
-	nssList_Remove(subjectList, cert);
-	nssHash_Remove(store->subject, &cert->subject);
-	if (nssList_Count(subjectList) == 0) {
-	    nssList_Destroy(subjectList);
-	} else {
-	    /* The cert being released may have keyed the subject entry.
-	     * Since there are still subject certs around, get another and
-	     * rekey the entry just in case.
-	     */
-	    NSSCertificate *subjectCert;
-	    (void)nssList_GetArray(subjectList, (void **)&subjectCert, 1);
-	    nssHash_Add(store->subject, &subjectCert->subject, subjectList);
-	}
-    }
-}
-
-NSS_IMPLEMENT void
-nssCertificateStore_RemoveCertLOCKED (
-  nssCertificateStore *store,
-  NSSCertificate *cert
-)
-{
-    certificate_hash_entry *entry;
-    entry = (certificate_hash_entry *)
-                              nssHash_Lookup(store->issuer_and_serial, cert);
-    if (entry && entry->cert == cert) {
-	remove_certificate_entry(store, cert);
-	remove_subject_entry(store, cert);
-    }
-}
-
-NSS_IMPLEMENT void
-nssCertificateStore_Lock (
-  nssCertificateStore *store
-)
-{
-    PZ_Lock(store->lock);
-}
-
-NSS_IMPLEMENT void
-nssCertificateStore_Unlock (
-  nssCertificateStore *store
-)
-{
-    PZ_Unlock(store->lock);
-}
-
-static NSSCertificate **
-get_array_from_list (
-  nssList *certList,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt,
-  NSSArena *arenaOpt
-)
-{
-    PRUint32 count;
-    NSSCertificate **rvArray = NULL;
-    count = nssList_Count(certList);
-    if (count == 0) {
-	return NULL;
-    }
-    if (maximumOpt > 0) {
-	count = PR_MIN(maximumOpt, count);
-    }
-    if (rvOpt) {
-	nssList_GetArray(certList, (void **)rvOpt, count);
-    } else {
-	rvArray = nss_ZNEWARRAY(arenaOpt, NSSCertificate *, count + 1);
-	if (rvArray) {
-	    nssList_GetArray(certList, (void **)rvArray, count);
-	}
-    }
-    return rvArray;
-}
-
-NSS_IMPLEMENT NSSCertificate **
-nssCertificateStore_FindCertificatesBySubject (
-  nssCertificateStore *store,
-  NSSDER *subject,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt,
-  NSSArena *arenaOpt
-)
-{
-    NSSCertificate **rvArray = NULL;
-    nssList *subjectList;
-    PZ_Lock(store->lock);
-    subjectList = (nssList *)nssHash_Lookup(store->subject, subject);
-    if (subjectList) {
-	nssCertificateList_AddReferences(subjectList);
-	rvArray = get_array_from_list(subjectList, 
-	                              rvOpt, maximumOpt, arenaOpt);
-    }
-    PZ_Unlock(store->lock);
-    return rvArray;
-}
-
-/* Because only subject indexing is implemented, all other lookups require
- * full traversal (unfortunately, PLHashTable doesn't allow you to exit
- * early from the enumeration).  The assumptions are that 1) lookups by 
- * fields other than subject will be rare, and 2) the hash will not have
- * a large number of entries.  These assumptions will be tested.
- *
- * XXX
- * For NSS 3.4, it is worth consideration to do all forms of indexing,
- * because the only crypto context is global and persistent.
- */
-
-struct nickname_template_str
-{
-    NSSUTF8 *nickname;
-    nssList *subjectList;
-};
-
-static void match_nickname(const void *k, void *v, void *a)
-{
-    PRStatus nssrv;
-    NSSCertificate *c;
-    NSSUTF8 *nickname;
-    nssList *subjectList = (nssList *)v;
-    struct nickname_template_str *nt = (struct nickname_template_str *)a;
-    nssrv = nssList_GetArray(subjectList, (void **)&c, 1);
-    nickname = nssCertificate_GetNickname(c, NULL);
-    if (nssrv == PR_SUCCESS && nickname &&
-         nssUTF8_Equal(nickname, nt->nickname, &nssrv)) 
-    {
-	nt->subjectList = subjectList;
-    }
-}
-
-/*
- * Find all cached certs with this label.
- */
-NSS_IMPLEMENT NSSCertificate **
-nssCertificateStore_FindCertificatesByNickname (
-  nssCertificateStore *store,
-  NSSUTF8 *nickname,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt,
-  NSSArena *arenaOpt
-)
-{
-    NSSCertificate **rvArray = NULL;
-    struct nickname_template_str nt;
-    nt.nickname = nickname;
-    nt.subjectList = NULL;
-    PZ_Lock(store->lock);
-    nssHash_Iterate(store->subject, match_nickname, &nt);
-    if (nt.subjectList) {
-	nssCertificateList_AddReferences(nt.subjectList);
-	rvArray = get_array_from_list(nt.subjectList, 
-	                              rvOpt, maximumOpt, arenaOpt);
-    }
-    PZ_Unlock(store->lock);
-    return rvArray;
-}
-
-struct email_template_str
-{
-    NSSASCII7 *email;
-    nssList *emailList;
-};
-
-static void match_email(const void *k, void *v, void *a)
-{
-    PRStatus nssrv;
-    NSSCertificate *c;
-    nssList *subjectList = (nssList *)v;
-    struct email_template_str *et = (struct email_template_str *)a;
-    nssrv = nssList_GetArray(subjectList, (void **)&c, 1);
-    if (nssrv == PR_SUCCESS && 
-         nssUTF8_Equal(c->email, et->email, &nssrv)) 
-    {
-	nssListIterator *iter = nssList_CreateIterator(subjectList);
-	if (iter) {
-	    for (c  = (NSSCertificate *)nssListIterator_Start(iter);
-	         c != (NSSCertificate *)NULL;
-	         c  = (NSSCertificate *)nssListIterator_Next(iter))
-	    {
-		nssList_Add(et->emailList, c);
-	    }
-	    nssListIterator_Finish(iter);
-	    nssListIterator_Destroy(iter);
-	}
-    }
-}
-
-/*
- * Find all cached certs with this email address.
- */
-NSS_IMPLEMENT NSSCertificate **
-nssCertificateStore_FindCertificatesByEmail (
-  nssCertificateStore *store,
-  NSSASCII7 *email,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt,
-  NSSArena *arenaOpt
-)
-{
-    NSSCertificate **rvArray = NULL;
-    struct email_template_str et;
-    et.email = email;
-    et.emailList = nssList_Create(NULL, PR_FALSE);
-    if (!et.emailList) {
-	return NULL;
-    }
-    PZ_Lock(store->lock);
-    nssHash_Iterate(store->subject, match_email, &et);
-    if (et.emailList) {
-	/* get references before leaving the store's lock protection */
-	nssCertificateList_AddReferences(et.emailList);
-    }
-    PZ_Unlock(store->lock);
-    if (et.emailList) {
-	rvArray = get_array_from_list(et.emailList, 
-	                              rvOpt, maximumOpt, arenaOpt);
-	nssList_Destroy(et.emailList);
-    }
-    return rvArray;
-}
-
-NSS_IMPLEMENT NSSCertificate *
-nssCertificateStore_FindCertificateByIssuerAndSerialNumber (
-  nssCertificateStore *store,
-  NSSDER *issuer,
-  NSSDER *serial
-)
-{
-    certificate_hash_entry *entry;
-    NSSCertificate index;
-    NSSCertificate *rvCert = NULL;
-    index.issuer = *issuer;
-    index.serial = *serial;
-    PZ_Lock(store->lock);
-    entry = (certificate_hash_entry *)
-                           nssHash_Lookup(store->issuer_and_serial, &index);
-    if (entry) {
-	rvCert = nssCertificate_AddRef(entry->cert);
-    }
-    PZ_Unlock(store->lock);
-    return rvCert;
-}
-
-#ifdef NSS_3_4_CODE
-static PRStatus
-issuer_and_serial_from_encoding (
-  NSSBER *encoding, 
-  NSSDER *issuer, 
-  NSSDER *serial
-)
-{
-    SECItem derCert, derIssuer, derSerial;
-    SECStatus secrv;
-    derCert.data = (unsigned char *)encoding->data;
-    derCert.len = encoding->size;
-    secrv = CERT_IssuerNameFromDERCert(&derCert, &derIssuer);
-    if (secrv != SECSuccess) {
-	return PR_FAILURE;
-    }
-    secrv = CERT_SerialNumberFromDERCert(&derCert, &derSerial);
-    if (secrv != SECSuccess) {
-	PORT_Free(derIssuer.data);
-	return PR_FAILURE;
-    }
-    issuer->data = derIssuer.data;
-    issuer->size = derIssuer.len;
-    serial->data = derSerial.data;
-    serial->size = derSerial.len;
-    return PR_SUCCESS;
-}
-#endif
-
-NSS_IMPLEMENT NSSCertificate *
-nssCertificateStore_FindCertificateByEncodedCertificate (
-  nssCertificateStore *store,
-  NSSDER *encoding
-)
-{
-    PRStatus nssrv = PR_FAILURE;
-    NSSDER issuer, serial;
-    NSSCertificate *rvCert = NULL;
-#ifdef NSS_3_4_CODE
-    nssrv = issuer_and_serial_from_encoding(encoding, &issuer, &serial);
-#endif
-    if (nssrv != PR_SUCCESS) {
-	return NULL;
-    }
-    rvCert = nssCertificateStore_FindCertificateByIssuerAndSerialNumber(store, 
-                                                                     &issuer, 
-                                                                     &serial);
-#ifdef NSS_3_4_CODE
-    PORT_Free(issuer.data);
-    PORT_Free(serial.data);
-#endif
-    return rvCert;
-}
-
-NSS_EXTERN PRStatus
-nssCertificateStore_AddTrust (
-  nssCertificateStore *store,
-  NSSTrust *trust
-)
-{
-    NSSCertificate *cert;
-    certificate_hash_entry *entry;
-    cert = trust->certificate;
-    PZ_Lock(store->lock);
-    entry = (certificate_hash_entry *)
-                              nssHash_Lookup(store->issuer_and_serial, cert);
-    if (entry) {
-	entry->trust = nssTrust_AddRef(trust);
-    }
-    PZ_Unlock(store->lock);
-    return (entry) ? PR_SUCCESS : PR_FAILURE;
-}
-
-NSS_IMPLEMENT NSSTrust *
-nssCertificateStore_FindTrustForCertificate (
-  nssCertificateStore *store,
-  NSSCertificate *cert
-)
-{
-    certificate_hash_entry *entry;
-    NSSTrust *rvTrust = NULL;
-    PZ_Lock(store->lock);
-    entry = (certificate_hash_entry *)
-                              nssHash_Lookup(store->issuer_and_serial, cert);
-    if (entry && entry->trust) {
-	rvTrust = nssTrust_AddRef(entry->trust);
-    }
-    PZ_Unlock(store->lock);
-    return rvTrust;
-}
-
-NSS_EXTERN PRStatus
-nssCertificateStore_AddSMIMEProfile (
-  nssCertificateStore *store,
-  nssSMIMEProfile *profile
-)
-{
-    NSSCertificate *cert;
-    certificate_hash_entry *entry;
-    cert = profile->certificate;
-    PZ_Lock(store->lock);
-    entry = (certificate_hash_entry *)
-                              nssHash_Lookup(store->issuer_and_serial, cert);
-    if (entry) {
-	entry->profile = nssSMIMEProfile_AddRef(profile);
-    }
-    PZ_Unlock(store->lock);
-    return (entry) ? PR_SUCCESS : PR_FAILURE;
-}
-
-NSS_IMPLEMENT nssSMIMEProfile *
-nssCertificateStore_FindSMIMEProfileForCertificate (
-  nssCertificateStore *store,
-  NSSCertificate *cert
-)
-{
-    certificate_hash_entry *entry;
-    nssSMIMEProfile *rvProfile = NULL;
-    PZ_Lock(store->lock);
-    entry = (certificate_hash_entry *)
-                              nssHash_Lookup(store->issuer_and_serial, cert);
-    if (entry && entry->profile) {
-	rvProfile = nssSMIMEProfile_AddRef(entry->profile);
-    }
-    PZ_Unlock(store->lock);
-    return rvProfile;
-}
-
-/* XXX this is also used by cache and should be somewhere else */
-
-static PLHashNumber
-nss_certificate_hash (
-  const void *key
-)
-{
-    unsigned int i;
-    PLHashNumber h;
-    NSSCertificate *c = (NSSCertificate *)key;
-    h = 0;
-    for (i=0; i<c->issuer.size; i++)
-	h = (h >> 28) ^ (h << 4) ^ ((unsigned char *)c->issuer.data)[i];
-    for (i=0; i<c->serial.size; i++)
-	h = (h >> 28) ^ (h << 4) ^ ((unsigned char *)c->serial.data)[i];
-    return h;
-}
-
-static int
-nss_compare_certs(const void *v1, const void *v2)
-{
-    PRStatus ignore;
-    NSSCertificate *c1 = (NSSCertificate *)v1;
-    NSSCertificate *c2 = (NSSCertificate *)v2;
-    return (int)(nssItem_Equal(&c1->issuer, &c2->issuer, &ignore) &&
-                 nssItem_Equal(&c1->serial, &c2->serial, &ignore));
-}
-
-NSS_IMPLEMENT nssHash *
-nssHash_CreateCertificate (
-  NSSArena *arenaOpt,
-  PRUint32 numBuckets
-)
-{
-    return nssHash_Create(arenaOpt, 
-                          numBuckets, 
-                          nss_certificate_hash, 
-                          nss_compare_certs, 
-                          PL_CompareValues);
-}
-
-NSS_IMPLEMENT void
-nssCertificateStore_DumpStoreInfo (
-  nssCertificateStore *store,
-  void (* cert_dump_iter)(const void *, void *, void *),
-  void *arg
-)
-{
-    PZ_Lock(store->lock);
-    nssHash_Iterate(store->issuer_and_serial, cert_dump_iter, arg);
-    PZ_Unlock(store->lock);
-}
-
diff --git a/security/nss/lib/pki/pkistore.h b/security/nss/lib/pki/pkistore.h
deleted file mode 100644
index d2f222a1c..000000000
--- a/security/nss/lib/pki/pkistore.h
+++ /dev/null
@@ -1,191 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef PKISTORE_H
-#define PKISTORE_H
-
-#ifdef DEBUG
-static const char PKISTORE_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#ifndef NSSPKIT_H
-#include "nsspkit.h"
-#endif /* NSSPKIT_H */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-PR_BEGIN_EXTERN_C
-
-/* 
- * PKI Stores
- *
- * This is a set of routines for managing local stores of PKI objects.
- * Currently, the only application is in crypto contexts, where the
- * certificate store is used.  In the future, methods should be added
- * here for storing local references to keys.
- */
-
-/* 
- * nssCertificateStore
- *
- * Manages local store of certificate, trust, and S/MIME profile objects.
- * Within a crypto context, mappings of cert to trust and cert to S/MIME
- * profile are always 1-1.  Therefore, it is reasonable to store all objects
- * in a single collection, indexed by the certificate.
- */
-
-NSS_EXTERN nssCertificateStore *
-nssCertificateStore_Create
-(
-  NSSArena *arenaOpt
-);
-
-NSS_EXTERN PRStatus
-nssCertificateStore_Destroy
-(
-  nssCertificateStore *store
-);
-
-NSS_EXTERN PRStatus
-nssCertificateStore_Add
-(
-  nssCertificateStore *store,
-  NSSCertificate *cert
-);
-
-NSS_EXTERN void
-nssCertificateStore_RemoveCertLOCKED
-(
-  nssCertificateStore *store,
-  NSSCertificate *cert
-);
-
-NSS_EXTERN void
-nssCertificateStore_Lock (
-  nssCertificateStore *store
-);
-
-NSS_EXTERN void
-nssCertificateStore_Unlock (
-  nssCertificateStore *store
-);
-
-NSS_EXTERN NSSCertificate **
-nssCertificateStore_FindCertificatesBySubject
-(
-  nssCertificateStore *store,
-  NSSDER *subject,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt,
-  NSSArena *arenaOpt
-);
-
-NSS_EXTERN NSSCertificate **
-nssCertificateStore_FindCertificatesByNickname
-(
-  nssCertificateStore *store,
-  NSSUTF8 *nickname,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt,
-  NSSArena *arenaOpt
-);
-
-NSS_EXTERN NSSCertificate **
-nssCertificateStore_FindCertificatesByEmail
-(
-  nssCertificateStore *store,
-  NSSASCII7 *email,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt,
-  NSSArena *arenaOpt
-);
-
-NSS_EXTERN NSSCertificate *
-nssCertificateStore_FindCertificateByIssuerAndSerialNumber
-(
-  nssCertificateStore *store,
-  NSSDER *issuer,
-  NSSDER *serial
-);
-
-NSS_EXTERN NSSCertificate *
-nssCertificateStore_FindCertificateByEncodedCertificate
-(
-  nssCertificateStore *store,
-  NSSDER *encoding
-);
-
-NSS_EXTERN PRStatus
-nssCertificateStore_AddTrust
-(
-  nssCertificateStore *store,
-  NSSTrust *trust
-);
-
-NSS_EXTERN NSSTrust *
-nssCertificateStore_FindTrustForCertificate
-(
-  nssCertificateStore *store,
-  NSSCertificate *cert
-);
-
-NSS_EXTERN PRStatus
-nssCertificateStore_AddSMIMEProfile
-(
-  nssCertificateStore *store,
-  nssSMIMEProfile *profile
-);
-
-NSS_EXTERN nssSMIMEProfile *
-nssCertificateStore_FindSMIMEProfileForCertificate
-(
-  nssCertificateStore *store,
-  NSSCertificate *cert
-);
-
-NSS_EXTERN void
-nssCertificateStore_DumpStoreInfo
-(
-  nssCertificateStore *store,
-  void (* cert_dump_iter)(const void *, void *, void *),
-  void *arg
-);
-
-PR_END_EXTERN_C
-
-#endif /* PKISTORE_H */
diff --git a/security/nss/lib/pki/pkit.h b/security/nss/lib/pki/pkit.h
deleted file mode 100644
index fb04cbaed..000000000
--- a/security/nss/lib/pki/pkit.h
+++ /dev/null
@@ -1,219 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef PKIT_H
-#define PKIT_H
-
-#ifdef DEBUG
-static const char PKIT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * pkit.h
- *
- * This file contains definitions for the types of the top-level PKI objects.
- */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-#ifndef BASET_H
-#include "baset.h"
-#endif /* BASET_H */
-
-#ifdef NSS_3_4_CODE
-#include "certt.h"
-#include "pkcs11t.h"
-#endif /* NSS_3_4_CODE */
-
-#ifndef NSSPKIT_H
-#include "nsspkit.h"
-#endif /* NSSPKIT_H */
-
-#ifndef NSSDEVT_H
-#include "nssdevt.h"
-#endif /* NSSDEVT_H */
-
-#ifndef DEVT_H
-#include "devt.h"
-#endif /* DEVT_H */
-
-#ifndef nssrwlkt_h__
-#include "nssrwlkt.h"
-#endif /* nssrwlkt_h__ */
-
-PR_BEGIN_EXTERN_C
-
-/*
- * A note on ephemeral certs
- *
- * The key objects defined here can only be created on tokens, and can only
- * exist on tokens.  Therefore, any instance of a key object must have
- * a corresponding cryptoki instance.  OTOH, certificates created in 
- * crypto contexts need not be stored as session objects on the token.
- * There are good performance reasons for not doing so.  The certificate
- * and trust objects have been defined with a cryptoContext field to
- * allow for ephemeral certs, which may have a single instance in a crypto
- * context along with any number (including zero) of cryptoki instances.
- * Since contexts may not share objects, there can be only one context
- * for each object.
- */
-
-/* nssPKIObject
- *
- * This is the base object class, common to all PKI objects defined in
- * nsspkit.h
- */
-struct nssPKIObjectStr 
-{
-    /* The arena for all object memory */
-    NSSArena *arena;
-    /* Atomically incremented/decremented reference counting */
-    PRInt32 refCount;
-    /* lock protects the array of nssCryptokiInstance's of the object */
-    PZLock *lock;
-    /* XXX with LRU cache, this cannot be guaranteed up-to-date.  It cannot
-     * be compared against the update level of the trust domain, since it is
-     * also affected by import/export.  Where is this array needed?
-     */
-    nssCryptokiObject **instances;
-    PRUint32 numInstances;
-    /* The object must live in a trust domain */
-    NSSTrustDomain *trustDomain;
-    /* The object may live in a crypto context */
-    NSSCryptoContext *cryptoContext;
-    /* XXX added so temp certs can have nickname, think more ... */
-    NSSUTF8 *tempName;
-};
-
-typedef struct nssDecodedCertStr nssDecodedCert;
-
-typedef struct nssCertificateStoreStr nssCertificateStore;
-
-/* How wide is the scope of this? */
-typedef struct nssSMIMEProfileStr nssSMIMEProfile;
-
-typedef struct nssPKIObjectStr nssPKIObject;
-
-struct NSSTrustStr 
-{
-    nssPKIObject object;
-    NSSCertificate *certificate;
-    nssTrustLevel serverAuth;
-    nssTrustLevel clientAuth;
-    nssTrustLevel emailProtection;
-    nssTrustLevel codeSigning;
-    PRBool stepUpApproved;
-};
-
-struct nssSMIMEProfileStr
-{
-    nssPKIObject object;
-    NSSCertificate *certificate;
-    NSSASCII7 *email;
-    NSSDER *subject;
-    NSSItem *profileTime;
-    NSSItem *profileData;
-};
-
-struct NSSCertificateStr
-{
-    nssPKIObject object;
-    NSSCertificateType type;
-    NSSItem id;
-    NSSBER encoding;
-    NSSDER issuer;
-    NSSDER subject;
-    NSSDER serial;
-    NSSASCII7 *email;
-    nssDecodedCert *decoding;
-};
-
-struct NSSPrivateKeyStr;
-
-struct NSSPublicKeyStr;
-
-struct NSSSymmetricKeyStr;
-
-typedef struct nssTDCertificateCacheStr nssTDCertificateCache;
-
-struct NSSTrustDomainStr {
-    PRInt32 refCount;
-    NSSArena *arena;
-    NSSCallback *defaultCallback;
-    nssList *tokenList;
-    nssListIterator *tokens;
-    nssTDCertificateCache *cache;
-    NSSRWLock *tokensLock;
-#ifdef NSS_3_4_CODE
-    void *spkDigestInfo;
-    CERTStatusConfig *statusConfig;
-#endif
-};
-
-struct NSSCryptoContextStr
-{
-    PRInt32 refCount;
-    NSSArena *arena;
-    NSSTrustDomain *td;
-    NSSToken *token;
-    nssSession *session;
-    nssCertificateStore *certStore;
-};
-
-struct NSSTimeStr {
-    PRTime prTime;
-};
-
-struct NSSCRLStr {
-  nssPKIObject object;
-  NSSDER encoding;
-  NSSUTF8 *url;
-  PRBool isKRL;
-};
-
-typedef struct NSSCRLStr NSSCRL;
-
-struct NSSPoliciesStr;
-
-struct NSSAlgorithmAndParametersStr;
-
-struct NSSPKIXCertificateStr;
-
-PR_END_EXTERN_C
-
-#endif /* PKIT_H */
diff --git a/security/nss/lib/pki/pkitm.h b/security/nss/lib/pki/pkitm.h
deleted file mode 100644
index 7530809de..000000000
--- a/security/nss/lib/pki/pkitm.h
+++ /dev/null
@@ -1,123 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef PKITM_H
-#define PKITM_H
-
-#ifdef DEBUG
-static const char PKITM_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * pkitm.h
- *
- * This file contains PKI-module specific types.
- */
-
-#ifndef BASET_H
-#include "baset.h"
-#endif /* BASET_H */
-
-#ifndef PKIT_H
-#include "pkit.h"
-#endif /* PKIT_H */
-
-PR_BEGIN_EXTERN_C
-
-typedef enum nssCertIDMatchEnum {
-  nssCertIDMatch_Yes = 0,
-  nssCertIDMatch_No = 1,
-  nssCertIDMatch_Unknown = 2
-} nssCertIDMatch;
-
-/*
- * nssDecodedCert
- *
- * This is an interface to allow the PKI module access to certificate
- * information that can only be found by decoding.  The interface is
- * generic, allowing each certificate type its own way of providing
- * the information
- */
-struct nssDecodedCertStr {
-    NSSCertificateType type;
-    void *data;
-    /* returns the unique identifier for the cert */
-    NSSItem *  (*getIdentifier)(nssDecodedCert *dc);
-    /* returns the unique identifier for this cert's issuer */
-    void *     (*getIssuerIdentifier)(nssDecodedCert *dc);
-    /* is id the identifier for this cert? */
-    nssCertIDMatch (*matchIdentifier)(nssDecodedCert *dc, void *id);
-    /* is this cert a valid CA cert? */
-    PRBool     (*isValidIssuer)(nssDecodedCert *dc);
-    /* returns the cert usage */
-    NSSUsage * (*getUsage)(nssDecodedCert *dc);
-    /* is time within the validity period of the cert? */
-    PRBool     (*isValidAtTime)(nssDecodedCert *dc, NSSTime *time);
-    /* is the validity period of this cert newer than cmpdc? */
-    PRBool     (*isNewerThan)(nssDecodedCert *dc, nssDecodedCert *cmpdc);
-    /* does the usage for this cert match the requested usage? */
-    PRBool     (*matchUsage)(nssDecodedCert *dc, const NSSUsage *usage);
-    /* extract the email address */
-    NSSASCII7 *(*getEmailAddress)(nssDecodedCert *dc);
-    /* extract the DER-encoded serial number */
-    PRStatus   (*getDERSerialNumber)(nssDecodedCert *dc,
-                                     NSSDER *derSerial, NSSArena *arena);
-};
-
-struct NSSUsageStr {
-    PRBool anyUsage;
-#ifdef NSS_3_4_CODE
-    SECCertUsage nss3usage;
-    PRBool nss3lookingForCA;
-#endif
-};
-
-typedef struct nssPKIObjectCollectionStr nssPKIObjectCollection;
-
-typedef struct
-{
-  union {
-    PRStatus (*  cert)(NSSCertificate *c, void *arg);
-    PRStatus (*   crl)(NSSCRL       *crl, void *arg);
-    PRStatus (* pvkey)(NSSPrivateKey *vk, void *arg);
-    PRStatus (* pbkey)(NSSPublicKey *bk, void *arg);
-  } func;
-  void *arg;
-} nssPKIObjectCallback;
-
-PR_END_EXTERN_C
-
-#endif /* PKITM_H */
diff --git a/security/nss/lib/pki/symmkey.c b/security/nss/lib/pki/symmkey.c
deleted file mode 100644
index 0806e588b..000000000
--- a/security/nss/lib/pki/symmkey.c
+++ /dev/null
@@ -1,300 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#ifndef NSSPKI_H
-#include "nsspki.h"
-#endif /* NSSPKI_H */
-
-extern const NSSError NSS_ERROR_NOT_FOUND;
-
-NSS_IMPLEMENT PRStatus
-NSSSymmetricKey_Destroy (
-  NSSSymmetricKey *mk
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSSymmetricKey_DeleteStoredObject (
-  NSSSymmetricKey *mk,
-  NSSCallback *uhh
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT PRUint32
-NSSSymmetricKey_GetKeyLength (
-  NSSSymmetricKey *mk
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return -1;
-}
-
-NSS_IMPLEMENT PRUint32
-NSSSymmetricKey_GetKeyStrength (
-  NSSSymmetricKey *mk
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return -1;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSSymmetricKey_IsStillPresent (
-  NSSSymmetricKey *mk
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT NSSTrustDomain *
-NSSSymmetricKey_GetTrustDomain (
-  NSSSymmetricKey *mk,
-  PRStatus *statusOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSToken *
-NSSSymmetricKey_GetToken (
-  NSSSymmetricKey *mk,
-  PRStatus *statusOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSSlot *
-NSSSymmetricKey_GetSlot (
-  NSSSymmetricKey *mk,
-  PRStatus *statusOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSModule *
-NSSSymmetricKey_GetModule (
-  NSSSymmetricKey *mk,
-  PRStatus *statusOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSSymmetricKey_Encrypt (
-  NSSSymmetricKey *mk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSSymmetricKey_Decrypt (
-  NSSSymmetricKey *mk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *encryptedData,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSSymmetricKey_Sign (
-  NSSSymmetricKey *mk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSSymmetricKey_SignRecover (
-  NSSSymmetricKey *mk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSSymmetricKey_Verify (
-  NSSSymmetricKey *mk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *data,
-  NSSItem *signature,
-  NSSCallback *uhh
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSSymmetricKey_VerifyRecover (
-  NSSSymmetricKey *mk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *signature,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSSymmetricKey_WrapSymmetricKey (
-  NSSSymmetricKey *wrappingKey,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSSymmetricKey *keyToWrap,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSItem *
-NSSSymmetricKey_WrapPrivateKey (
-  NSSSymmetricKey *wrappingKey,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSPrivateKey *keyToWrap,
-  NSSCallback *uhh,
-  NSSItem *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSSymmetricKey *
-NSSSymmetricKey_UnwrapSymmetricKey (
-  NSSSymmetricKey *wrappingKey,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *wrappedKey,
-  NSSOID *target,
-  PRUint32 keySizeOpt,
-  NSSOperations operations,
-  NSSCallback *uhh
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSPrivateKey *
-NSSSymmetricKey_UnwrapPrivateKey (
-  NSSSymmetricKey *wrappingKey,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSItem *wrappedKey,
-  NSSUTF8 *labelOpt,
-  NSSItem *keyIDOpt,
-  PRBool persistant,
-  PRBool sensitive,
-  NSSToken *destinationOpt,
-  NSSCallback *uhh
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSSymmetricKey *
-NSSSymmetricKey_DeriveSymmetricKey (
-  NSSSymmetricKey *originalKey,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSOID *target,
-  PRUint32 keySizeOpt,
-  NSSOperations operations,
-  NSSCallback *uhh
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCryptoContext *
-NSSSymmetricKey_CreateCryptoContext (
-  NSSSymmetricKey *mk,
-  NSSAlgorithmAndParameters *apOpt,
-  NSSCallback *uhh
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
diff --git a/security/nss/lib/pki/tdcache.c b/security/nss/lib/pki/tdcache.c
deleted file mode 100644
index 90727d011..000000000
--- a/security/nss/lib/pki/tdcache.c
+++ /dev/null
@@ -1,1177 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#ifndef PKIM_H
-#include "pkim.h"
-#endif /* PKIM_H */
-
-#ifndef PKIT_H
-#include "pkit.h"
-#endif /* PKIT_H */
-
-#ifndef NSSPKI_H
-#include "nsspki.h"
-#endif /* NSSPKI_H */
-
-#ifndef PKI_H
-#include "pki.h"
-#endif /* PKI_H */
-
-#ifndef NSSBASE_H
-#include "nssbase.h"
-#endif /* NSSBASE_H */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-#ifdef NSS_3_4_CODE
-#include "cert.h"
-#include "dev.h"
-#include "pki3hack.h"
-#endif
-
-#ifdef DEBUG_CACHE
-static PRLogModuleInfo *s_log = NULL;
-#endif
-
-#ifdef DEBUG_CACHE
-static void log_item_dump(const char *msg, NSSItem *it)
-{
-    char buf[33];
-    int i, j;
-    for (i=0; i<10 && i<it->size; i++) {
-	sprintf(&buf[2*i], "%02X", ((PRUint8 *)it->data)[i]);
-    }
-    if (it->size>10) {
-	sprintf(&buf[2*i], "..");
-	i += 1;
-	for (j=it->size-1; i<=16 && j>10; i++, j--) {
-	    sprintf(&buf[2*i], "%02X", ((PRUint8 *)it->data)[j]);
-	}
-    }
-    PR_LOG(s_log, PR_LOG_DEBUG, ("%s: %s", msg, buf));
-}
-#endif
-
-#ifdef DEBUG_CACHE
-static void log_cert_ref(const char *msg, NSSCertificate *c)
-{
-    PR_LOG(s_log, PR_LOG_DEBUG, ("%s: %s", msg,
-                           (c->nickname) ? c->nickname : c->email));
-    log_item_dump("\tserial", &c->serial);
-    log_item_dump("\tsubject", &c->subject);
-}
-#endif
-
-/* Certificate cache routines */
-
-/* XXX
- * Locking is not handled well at all.  A single, global lock with sub-locks
- * in the collection types.  Cleanup needed.
- */
-
-/* should it live in its own arena? */
-struct nssTDCertificateCacheStr 
-{
-    PZLock *lock;
-    NSSArena *arena;
-    nssHash *issuerAndSN;
-    nssHash *subject;
-    nssHash *nickname;
-    nssHash *email;
-};
-
-struct cache_entry_str 
-{
-    union {
-	NSSCertificate *cert;
-	nssList *list;
-	void *value;
-    } entry;
-    PRUint32 hits;
-    PRTime lastHit;
-    NSSArena *arena;
-    NSSUTF8 *nickname;
-};
-
-typedef struct cache_entry_str cache_entry;
-
-static cache_entry *
-new_cache_entry(NSSArena *arena, void *value, PRBool ownArena)
-{
-    cache_entry *ce = nss_ZNEW(arena, cache_entry);
-    if (ce) {
-	ce->entry.value = value;
-	ce->hits = 1;
-	ce->lastHit = PR_Now();
-	if (ownArena) {
-	    ce->arena = arena;
-	}
-	ce->nickname = NULL;
-    }
-    return ce;
-}
-
-/* this should not be exposed in a header, but is here to keep the above
- * types/functions static
- */
-NSS_IMPLEMENT PRStatus
-nssTrustDomain_InitializeCache (
-  NSSTrustDomain *td,
-  PRUint32 cacheSize
-)
-{
-    NSSArena *arena;
-    nssTDCertificateCache *cache = td->cache;
-#ifdef DEBUG_CACHE
-    s_log = PR_NewLogModule("nss_cache");
-    PR_ASSERT(s_log);
-#endif
-    PR_ASSERT(!cache);
-    arena = nssArena_Create();
-    if (!arena) {
-	return PR_FAILURE;
-    }
-    cache = nss_ZNEW(arena, nssTDCertificateCache);
-    if (!cache) {
-	nssArena_Destroy(arena);
-	return PR_FAILURE;
-    }
-    cache->lock = PZ_NewLock(nssILockCache);
-    if (!cache->lock) {
-	nssArena_Destroy(arena);
-	return PR_FAILURE;
-    }
-    /* Create the issuer and serial DER --> certificate hash */
-    cache->issuerAndSN = nssHash_CreateCertificate(arena, cacheSize);
-    if (!cache->issuerAndSN) {
-	goto loser;
-    }
-    /* Create the subject DER --> subject list hash */
-    cache->subject = nssHash_CreateItem(arena, cacheSize);
-    if (!cache->subject) {
-	goto loser;
-    }
-    /* Create the nickname --> subject list hash */
-    cache->nickname = nssHash_CreateString(arena, cacheSize);
-    if (!cache->nickname) {
-	goto loser;
-    }
-    /* Create the email --> list of subject lists hash */
-    cache->email = nssHash_CreateString(arena, cacheSize);
-    if (!cache->email) {
-	goto loser;
-    }
-    cache->arena = arena;
-    td->cache = cache;
-#ifdef DEBUG_CACHE
-    PR_LOG(s_log, PR_LOG_DEBUG, ("Cache initialized."));
-#endif
-    return PR_SUCCESS;
-loser:
-    PZ_DestroyLock(cache->lock);
-    nssArena_Destroy(arena);
-    td->cache = NULL;
-#ifdef DEBUG_CACHE
-    PR_LOG(s_log, PR_LOG_DEBUG, ("Cache initialization failed."));
-#endif
-    return PR_FAILURE;
-}
-
-/* The entries of the hashtable are currently dependent on the certificate(s)
- * that produced them.  That is, the entries will be freed when the cert is
- * released from the cache.  If there are certs in the cache at any time,
- * including shutdown, the hash table entries will hold memory.  In order for
- * clean shutdown, it is necessary for there to be no certs in the cache.
- */
-
-extern const NSSError NSS_ERROR_INTERNAL_ERROR;
-extern const NSSError NSS_ERROR_BUSY;
-
-NSS_IMPLEMENT PRStatus
-nssTrustDomain_DestroyCache (
-  NSSTrustDomain *td
-)
-{
-    if (!td->cache) {
-	nss_SetError(NSS_ERROR_INTERNAL_ERROR);
-	return PR_FAILURE;
-    }
-    if (nssHash_Count(td->cache->issuerAndSN) > 0) {
-	nss_SetError(NSS_ERROR_BUSY);
-	return PR_FAILURE;
-    }
-    PZ_DestroyLock(td->cache->lock);
-    nssHash_Destroy(td->cache->issuerAndSN);
-    nssHash_Destroy(td->cache->subject);
-    nssHash_Destroy(td->cache->nickname);
-    nssHash_Destroy(td->cache->email);
-    nssArena_Destroy(td->cache->arena);
-    td->cache = NULL;
-#ifdef DEBUG_CACHE
-    PR_LOG(s_log, PR_LOG_DEBUG, ("Cache destroyed."));
-#endif
-    return PR_SUCCESS;
-}
-
-static PRStatus
-remove_issuer_and_serial_entry (
-  nssTDCertificateCache *cache,
-  NSSCertificate *cert
-)
-{
-    /* Remove the cert from the issuer/serial hash */
-    nssHash_Remove(cache->issuerAndSN, cert);
-#ifdef DEBUG_CACHE
-    log_cert_ref("removed issuer/sn", cert);
-#endif
-    return PR_SUCCESS;
-}
-
-static PRStatus
-remove_subject_entry (
-  nssTDCertificateCache *cache,
-  NSSCertificate *cert,
-  nssList **subjectList,
-  NSSUTF8 **nickname,
-  NSSArena **arena
-)
-{
-    PRStatus nssrv;
-    cache_entry *ce;
-    *subjectList = NULL;
-    *arena = NULL;
-    /* Get the subject list for the cert's subject */
-    ce = (cache_entry *)nssHash_Lookup(cache->subject, &cert->subject);
-    if (ce) {
-	/* Remove the cert from the subject hash */
-	nssList_Remove(ce->entry.list, cert);
-	*subjectList = ce->entry.list;
-	*nickname = ce->nickname;
-	*arena = ce->arena;
-	nssrv = PR_SUCCESS;
-#ifdef DEBUG_CACHE
-	log_cert_ref("removed cert", cert);
-	log_item_dump("from subject list", &cert->subject);
-#endif
-    } else {
-	nssrv = PR_FAILURE;
-    }
-    return nssrv;
-}
-
-static PRStatus
-remove_nickname_entry (
-  nssTDCertificateCache *cache,
-  NSSUTF8 *nickname,
-  nssList *subjectList
-)
-{
-    PRStatus nssrv;
-    if (nickname) {
-	nssHash_Remove(cache->nickname, nickname);
-	nssrv = PR_SUCCESS;
-#ifdef DEBUG_CACHE
-	PR_LOG(s_log, PR_LOG_DEBUG, ("removed nickname %s", nickname));
-#endif
-    } else {
-	nssrv = PR_FAILURE;
-    }
-    return nssrv;
-}
-
-static PRStatus
-remove_email_entry (
-  nssTDCertificateCache *cache,
-  NSSCertificate *cert,
-  nssList *subjectList
-)
-{
-    PRStatus nssrv = PR_FAILURE;
-    cache_entry *ce;
-    /* Find the subject list in the email hash */
-    if (cert->email) {
-	ce = (cache_entry *)nssHash_Lookup(cache->email, cert->email);
-	if (ce) {
-	    nssList *subjects = ce->entry.list;
-	    /* Remove the subject list from the email hash */
-	    nssList_Remove(subjects, subjectList);
-#ifdef DEBUG_CACHE
-	    log_item_dump("removed subject list", &cert->subject);
-	    PR_LOG(s_log, PR_LOG_DEBUG, ("for email %s", cert->email));
-#endif
-	    if (nssList_Count(subjects) == 0) {
-		/* No more subject lists for email, delete list and
-		* remove hash entry
-		*/
-		(void)nssList_Destroy(subjects);
-		nssHash_Remove(cache->email, cert->email);
-		/* there are no entries left for this address, free space
-		 * used for email entries
-		 */
-		nssArena_Destroy(ce->arena);
-#ifdef DEBUG_CACHE
-		PR_LOG(s_log, PR_LOG_DEBUG, ("removed email %s", cert->email));
-#endif
-	    }
-	    nssrv = PR_SUCCESS;
-	}
-    }
-    return nssrv;
-}
-
-NSS_IMPLEMENT void
-nssTrustDomain_RemoveCertFromCacheLOCKED (
-  NSSTrustDomain *td,
-  NSSCertificate *cert
-)
-{
-    nssList *subjectList;
-    cache_entry *ce;
-    NSSArena *arena;
-    NSSUTF8 *nickname;
-
-#ifdef DEBUG_CACHE
-    log_cert_ref("attempt to remove cert", cert);
-#endif
-    ce = (cache_entry *)nssHash_Lookup(td->cache->issuerAndSN, cert);
-    if (!ce || ce->entry.cert != cert) {
-	/* If it's not in the cache, or a different cert is (this is really
-	 * for safety reasons, though it shouldn't happen), do nothing 
-	 */
-#ifdef DEBUG_CACHE
-	PR_LOG(s_log, PR_LOG_DEBUG, ("but it wasn't in the cache"));
-#endif
-	return;
-    }
-    (void)remove_issuer_and_serial_entry(td->cache, cert);
-    (void)remove_subject_entry(td->cache, cert, &subjectList, 
-                               &nickname, &arena);
-    if (nssList_Count(subjectList) == 0) {
-	(void)remove_nickname_entry(td->cache, nickname, subjectList);
-	(void)remove_email_entry(td->cache, cert, subjectList);
-	(void)nssList_Destroy(subjectList);
-	nssHash_Remove(td->cache->subject, &cert->subject);
-	/* there are no entries left for this subject, free the space used
-	 * for both the nickname and subject entries
-	 */
-	if (arena) {
-	    nssArena_Destroy(arena);
-	}
-    }
-}
-
-NSS_IMPLEMENT void
-nssTrustDomain_LockCertCache (
-  NSSTrustDomain *td
-)
-{
-    PZ_Lock(td->cache->lock);
-}
-
-NSS_IMPLEMENT void
-nssTrustDomain_UnlockCertCache (
-  NSSTrustDomain *td
-)
-{
-    PZ_Unlock(td->cache->lock);
-}
-
-struct token_cert_dtor {
-    NSSToken *token;
-    nssTDCertificateCache *cache;
-    NSSCertificate **certs;
-    PRUint32 numCerts, arrSize;
-};
-
-static void 
-remove_token_certs(const void *k, void *v, void *a)
-{
-    NSSCertificate *c = (NSSCertificate *)k;
-    nssPKIObject *object = &c->object;
-    struct token_cert_dtor *dtor = a;
-    PRUint32 i;
-    PZ_Lock(object->lock);
-    for (i=0; i<object->numInstances; i++) {
-	if (object->instances[i]->token == dtor->token) {
-	    nssCryptokiObject_Destroy(object->instances[i]);
-	    object->instances[i] = object->instances[object->numInstances-1];
-	    object->instances[object->numInstances-1] = NULL;
-	    object->numInstances--;
-	    dtor->certs[dtor->numCerts++] = c;
-	    if (dtor->numCerts == dtor->arrSize) {
-		dtor->arrSize *= 2;
-		dtor->certs = nss_ZREALLOCARRAY(dtor->certs, 
-		                                NSSCertificate *,
-		                                dtor->arrSize);
-	    }
-	    break;
-	}
-    }
-    PZ_Unlock(object->lock);
-    return;
-}
-
-/* 
- * Remove all certs for the given token from the cache.  This is
- * needed if the token is removed. 
- */
-NSS_IMPLEMENT PRStatus
-nssTrustDomain_RemoveTokenCertsFromCache (
-  NSSTrustDomain *td,
-  NSSToken *token
-)
-{
-    NSSCertificate **certs;
-    PRUint32 i, arrSize = 10;
-    struct token_cert_dtor dtor;
-    certs = nss_ZNEWARRAY(NULL, NSSCertificate *, arrSize);
-    if (!certs) {
-	return PR_FAILURE;
-    }
-    dtor.cache = td->cache;
-    dtor.token = token;
-    dtor.certs = certs;
-    dtor.numCerts = 0;
-    dtor.arrSize = arrSize;
-    PZ_Lock(td->cache->lock);
-    nssHash_Iterate(td->cache->issuerAndSN, remove_token_certs, (void *)&dtor);
-    for (i=0; i<dtor.numCerts; i++) {
-	if (dtor.certs[i]->object.numInstances == 0) {
-	    nssTrustDomain_RemoveCertFromCacheLOCKED(td, dtor.certs[i]);
-	    dtor.certs[i] = NULL;  /* skip this cert in the second for loop */
-	}
-    }
-    PZ_Unlock(td->cache->lock);
-    for (i=0; i<dtor.numCerts; i++) {
-	if (dtor.certs[i]) {
-	    STAN_ForceCERTCertificateUpdate(dtor.certs[i]);
-	}
-    }
-    nss_ZFreeIf(dtor.certs);
-    return PR_SUCCESS;
-}
-
-NSS_IMPLEMENT PRStatus
-nssTrustDomain_UpdateCachedTokenCerts (
-  NSSTrustDomain *td,
-  NSSToken *token
-)
-{
-    NSSCertificate **cp, **cached = NULL;
-    nssList *certList;
-    PRUint32 count;
-    certList = nssList_Create(NULL, PR_FALSE);
-    if (!certList) return PR_FAILURE;
-    (void *)nssTrustDomain_GetCertsFromCache(td, certList);
-    count = nssList_Count(certList);
-    if (count > 0) {
-	cached = nss_ZNEWARRAY(NULL, NSSCertificate *, count + 1);
-	if (!cached) {
-	    return PR_FAILURE;
-	}
-	nssList_GetArray(certList, (void **)cached, count);
-	nssList_Destroy(certList);
-	for (cp = cached; *cp; cp++) {
-	    nssCryptokiObject *instance;
-	    NSSCertificate *c = *cp;
-	    nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
-	    instance = nssToken_FindCertificateByIssuerAndSerialNumber(
-	                                                       token,
-                                                               NULL,
-                                                               &c->issuer,
-                                                               &c->serial,
-                                                               tokenOnly,
-                                                               NULL);
-	    if (instance) {
-		nssPKIObject_AddInstance(&c->object, instance);
-		STAN_ForceCERTCertificateUpdate(c);
-	    }
-	}
-	nssCertificateArray_Destroy(cached);
-    }
-    return PR_SUCCESS;
-}
-
-static PRStatus
-add_issuer_and_serial_entry (
-  NSSArena *arena,
-  nssTDCertificateCache *cache, 
-  NSSCertificate *cert
-)
-{
-    cache_entry *ce;
-    ce = new_cache_entry(arena, (void *)cert, PR_FALSE);
-#ifdef DEBUG_CACHE
-    log_cert_ref("added to issuer/sn", cert);
-#endif
-    return nssHash_Add(cache->issuerAndSN, cert, (void *)ce);
-}
-
-static PRStatus
-add_subject_entry (
-  NSSArena *arena,
-  nssTDCertificateCache *cache, 
-  NSSCertificate *cert,
-  NSSUTF8 *nickname,
-  nssList **subjectList
-)
-{
-    PRStatus nssrv;
-    nssList *list;
-    cache_entry *ce;
-    *subjectList = NULL;  /* this is only set if a new one is created */
-    ce = (cache_entry *)nssHash_Lookup(cache->subject, &cert->subject);
-    if (ce) {
-	ce->hits++;
-	ce->lastHit = PR_Now();
-	/* The subject is already in, add this cert to the list */
-	nssrv = nssList_AddUnique(ce->entry.list, cert);
-#ifdef DEBUG_CACHE
-	log_cert_ref("added to existing subject list", cert);
-#endif
-    } else {
-	NSSDER *subject;
-	/* Create a new subject list for the subject */
-	list = nssList_Create(arena, PR_FALSE);
-	if (!list) {
-	    return PR_FAILURE;
-	}
-	ce = new_cache_entry(arena, (void *)list, PR_TRUE);
-	if (!ce) {
-	    return PR_FAILURE;
-	}
-	if (nickname) {
-	    ce->nickname = nssUTF8_Duplicate(nickname, arena);
-	}
-	nssList_SetSortFunction(list, nssCertificate_SubjectListSort);
-	/* Add the cert entry to this list of subjects */
-	nssrv = nssList_AddUnique(list, cert);
-	if (nssrv != PR_SUCCESS) {
-	    return nssrv;
-	}
-	/* Add the subject list to the cache */
-	subject = nssItem_Duplicate(&cert->subject, arena, NULL);
-	if (!subject) {
-	    return PR_FAILURE;
-	}
-	nssrv = nssHash_Add(cache->subject, subject, ce);
-	if (nssrv != PR_SUCCESS) {
-	    return nssrv;
-	}
-	*subjectList = list;
-#ifdef DEBUG_CACHE
-	log_cert_ref("created subject list", cert);
-#endif
-    }
-    return nssrv;
-}
-
-static PRStatus
-add_nickname_entry (
-  NSSArena *arena,
-  nssTDCertificateCache *cache, 
-  NSSUTF8 *certNickname,
-  nssList *subjectList
-)
-{
-    PRStatus nssrv = PR_SUCCESS;
-    cache_entry *ce;
-    ce = (cache_entry *)nssHash_Lookup(cache->nickname, certNickname);
-    if (ce) {
-	/* This is a collision.  A nickname entry already exists for this
-	 * subject, but a subject entry didn't.  This would imply there are
-	 * two subjects using the same nickname, which is not allowed.
-	 */
-	return PR_FAILURE;
-    } else {
-	NSSUTF8 *nickname;
-	ce = new_cache_entry(arena, subjectList, PR_FALSE);
-	if (!ce) {
-	    return PR_FAILURE;
-	}
-	nickname = nssUTF8_Duplicate(certNickname, arena);
-	if (!nickname) {
-	    return PR_FAILURE;
-	}
-	nssrv = nssHash_Add(cache->nickname, nickname, ce);
-#ifdef DEBUG_CACHE
-	log_cert_ref("created nickname for", cert);
-#endif
-    }
-    return nssrv;
-}
-
-static PRStatus
-add_email_entry (
-  nssTDCertificateCache *cache, 
-  NSSCertificate *cert,
-  nssList *subjectList
-)
-{
-    PRStatus nssrv = PR_SUCCESS;
-    nssList *subjects;
-    cache_entry *ce;
-    ce = (cache_entry *)nssHash_Lookup(cache->email, cert->email);
-    if (ce) {
-	/* Already have an entry for this email address, but not subject */
-	subjects = ce->entry.list;
-	nssrv = nssList_AddUnique(subjects, subjectList);
-	ce->hits++;
-	ce->lastHit = PR_Now();
-#ifdef DEBUG_CACHE
-	log_cert_ref("added subject to email for", cert);
-#endif
-    } else {
-	NSSASCII7 *email;
-	NSSArena *arena;
-	arena = nssArena_Create();
-	if (!arena) {
-	    return PR_FAILURE;
-	}
-	/* Create a new list of subject lists, add this subject */
-	subjects = nssList_Create(arena, PR_TRUE);
-	if (!subjects) {
-	    nssArena_Destroy(arena);
-	    return PR_FAILURE;
-	}
-	/* Add the new subject to the list */
-	nssrv = nssList_AddUnique(subjects, subjectList);
-	if (nssrv != PR_SUCCESS) {
-	    nssArena_Destroy(arena);
-	    return nssrv;
-	}
-	/* Add the new entry to the cache */
-	ce = new_cache_entry(arena, (void *)subjects, PR_TRUE);
-	if (!ce) {
-	    nssArena_Destroy(arena);
-	    return PR_FAILURE;
-	}
-	email = nssUTF8_Duplicate(cert->email, arena);
-	if (!email) {
-	    nssArena_Destroy(arena);
-	    return PR_FAILURE;
-	}
-	nssrv = nssHash_Add(cache->email, email, ce);
-	if (nssrv != PR_SUCCESS) {
-	    nssArena_Destroy(arena);
-	    return nssrv;
-	}
-#ifdef DEBUG_CACHE
-	log_cert_ref("created email for", cert);
-#endif
-    }
-    return nssrv;
-}
-
-extern const NSSError NSS_ERROR_CERTIFICATE_IN_CACHE;
-
-static void
-remove_object_instances (
-  nssPKIObject *object,
-  nssCryptokiObject **instances,
-  int numInstances
-)
-{
-    int i;
-
-    for (i = 0; i < numInstances; i++) {
-	nssPKIObject_RemoveInstanceForToken(object, instances[i]->token);
-    }
-}
-
-static SECStatus
-merge_object_instances (
-  nssPKIObject *to,
-  nssPKIObject *from
-)
-{
-    nssCryptokiObject **instances, **ci;
-    int i;
-    SECStatus rv = SECSuccess;
-
-    instances = nssPKIObject_GetInstances(from);
-    if (instances == NULL) {
-	return SECFailure;
-    }
-    for (ci = instances, i = 0; *ci; ci++, i++) {
-	nssCryptokiObject *instance = nssCryptokiObject_Clone(*ci);
-	if (instance) {
-	    if (nssPKIObject_AddInstance(to, instance) == SECSuccess) {
-		continue;
-	    }
-	    nssCryptokiObject_Destroy(instance);
-	}
-	remove_object_instances(to, instances, i);
-	rv = SECFailure;
-	break;
-    }
-    nssCryptokiObjectArray_Destroy(instances);
-    return rv;
-}
-
-static NSSCertificate *
-add_cert_to_cache (
-  NSSTrustDomain *td, 
-  NSSCertificate *cert
-)
-{
-    NSSArena *arena = NULL;
-    nssList *subjectList = NULL;
-    PRStatus nssrv;
-    PRUint32 added = 0;
-    cache_entry *ce;
-    NSSCertificate *rvCert = NULL;
-    NSSUTF8 *certNickname = nssCertificate_GetNickname(cert, NULL);
-
-    PZ_Lock(td->cache->lock);
-    /* If it exists in the issuer/serial hash, it's already in all */
-    ce = (cache_entry *)nssHash_Lookup(td->cache->issuerAndSN, cert);
-    if (ce) {
-	ce->hits++;
-	ce->lastHit = PR_Now();
-	rvCert = nssCertificate_AddRef(ce->entry.cert);
-#ifdef DEBUG_CACHE
-	log_cert_ref("attempted to add cert already in cache", cert);
-#endif
-	PZ_Unlock(td->cache->lock);
-	/* collision - somebody else already added the cert
-	 * to the cache before this thread got around to it.
-	 */
-	/* merge the instances of the cert */
-	if (merge_object_instances(&rvCert->object, &cert->object)
-							!= SECSuccess) {
-	    nssCertificate_Destroy(rvCert);
-	    return NULL;
-	}
-	STAN_ForceCERTCertificateUpdate(rvCert);
-	nssCertificate_Destroy(cert);
-	return rvCert;
-    }
-    /* create a new cache entry for this cert within the cert's arena*/
-    nssrv = add_issuer_and_serial_entry(cert->object.arena, td->cache, cert);
-    if (nssrv != PR_SUCCESS) {
-	goto loser;
-    }
-    added++;
-    /* create an arena for the nickname and subject entries */
-    arena = nssArena_Create();
-    if (!arena) {
-	goto loser;
-    }
-    /* create a new subject list for this cert, or add to existing */
-    nssrv = add_subject_entry(arena, td->cache, cert, 
-						certNickname, &subjectList);
-    if (nssrv != PR_SUCCESS) {
-	goto loser;
-    }
-    added++;
-    /* If a new subject entry was created, also need nickname and/or email */
-    if (subjectList != NULL) {
-	PRBool handle = PR_FALSE;
-	if (certNickname) {
-	    nssrv = add_nickname_entry(arena, td->cache, 
-						certNickname, subjectList);
-	    if (nssrv != PR_SUCCESS) {
-		goto loser;
-	    }
-	    handle = PR_TRUE;
-	    added++;
-	}
-	if (cert->email) {
-	    nssrv = add_email_entry(td->cache, cert, subjectList);
-	    if (nssrv != PR_SUCCESS) {
-		goto loser;
-	    }
-	    handle = PR_TRUE;
-	    added += 2;
-	}
-#ifdef nodef
-	/* I think either a nickname or email address must be associated
-	 * with the cert.  However, certs are passed to NewTemp without
-	 * either.  This worked in the old code, so it must work now.
-	 */
-	if (!handle) {
-	    /* Require either nickname or email handle */
-	    nssrv = PR_FAILURE;
-	    goto loser;
-	}
-#endif
-    }
-    rvCert = cert;
-    PZ_Unlock(td->cache->lock);
-    return rvCert;
-loser:
-    /* Remove any handles that have been created */
-    subjectList = NULL;
-    if (added >= 1) {
-	(void)remove_issuer_and_serial_entry(td->cache, cert);
-    }
-    if (added >= 2) {
-	(void)remove_subject_entry(td->cache, cert, &subjectList, 
-						&certNickname, &arena);
-    }
-    if (added == 3 || added == 5) {
-	(void)remove_nickname_entry(td->cache, certNickname, subjectList);
-    }
-    if (added >= 4) {
-	(void)remove_email_entry(td->cache, cert, subjectList);
-    }
-    if (subjectList) {
-	nssHash_Remove(td->cache->subject, &cert->subject);
-	nssList_Destroy(subjectList);
-    }
-    if (arena) {
-	nssArena_Destroy(arena);
-    }
-    PZ_Unlock(td->cache->lock);
-    return NULL;
-}
-
-NSS_IMPLEMENT PRStatus
-nssTrustDomain_AddCertsToCache (
-  NSSTrustDomain *td,
-  NSSCertificate **certs,
-  PRUint32 numCerts
-)
-{
-    PRUint32 i;
-    NSSCertificate *c;
-    for (i=0; i<numCerts && certs[i]; i++) {
-	c = add_cert_to_cache(td, certs[i]);
-	if (c == NULL) {
-	    return PR_FAILURE;
-	} else {
-	    certs[i] = c;
-	}
-    }
-    return PR_SUCCESS;
-}
-
-static NSSCertificate **
-collect_subject_certs (
-  nssList *subjectList,
-  nssList *rvCertListOpt
-)
-{
-    NSSCertificate *c;
-    NSSCertificate **rvArray = NULL;
-    PRUint32 count;
-    nssCertificateList_AddReferences(subjectList);
-    if (rvCertListOpt) {
-	nssListIterator *iter = nssList_CreateIterator(subjectList);
-	for (c  = (NSSCertificate *)nssListIterator_Start(iter);
-	     c != (NSSCertificate *)NULL;
-	     c  = (NSSCertificate *)nssListIterator_Next(iter)) {
-	    nssList_Add(rvCertListOpt, c);
-	}
-	nssListIterator_Finish(iter);
-	nssListIterator_Destroy(iter);
-    } else {
-	count = nssList_Count(subjectList);
-	rvArray = nss_ZNEWARRAY(NULL, NSSCertificate *, count + 1);
-	if (!rvArray) {
-	    return (NSSCertificate **)NULL;
-	}
-	nssList_GetArray(subjectList, (void **)rvArray, count);
-    }
-    return rvArray;
-}
-
-/*
- * Find all cached certs with this subject.
- */
-NSS_IMPLEMENT NSSCertificate **
-nssTrustDomain_GetCertsForSubjectFromCache (
-  NSSTrustDomain *td,
-  NSSDER *subject,
-  nssList *certListOpt
-)
-{
-    NSSCertificate **rvArray = NULL;
-    cache_entry *ce;
-#ifdef DEBUG_CACHE
-    log_item_dump("looking for cert by subject", subject);
-#endif
-    PZ_Lock(td->cache->lock);
-    ce = (cache_entry *)nssHash_Lookup(td->cache->subject, subject);
-    if (ce) {
-	ce->hits++;
-	ce->lastHit = PR_Now();
-#ifdef DEBUG_CACHE
-	PR_LOG(s_log, PR_LOG_DEBUG, ("... found, %d hits", ce->hits));
-#endif
-	rvArray = collect_subject_certs(ce->entry.list, certListOpt);
-    }
-    PZ_Unlock(td->cache->lock);
-    return rvArray;
-}
-
-/*
- * Find all cached certs with this label.
- */
-NSS_IMPLEMENT NSSCertificate **
-nssTrustDomain_GetCertsForNicknameFromCache (
-  NSSTrustDomain *td,
-  NSSUTF8 *nickname,
-  nssList *certListOpt
-)
-{
-    NSSCertificate **rvArray = NULL;
-    cache_entry *ce;
-#ifdef DEBUG_CACHE
-    PR_LOG(s_log, PR_LOG_DEBUG, ("looking for cert by nick %s", nickname));
-#endif
-    PZ_Lock(td->cache->lock);
-    ce = (cache_entry *)nssHash_Lookup(td->cache->nickname, nickname);
-    if (ce) {
-	ce->hits++;
-	ce->lastHit = PR_Now();
-#ifdef DEBUG_CACHE
-	PR_LOG(s_log, PR_LOG_DEBUG, ("... found, %d hits", ce->hits));
-#endif
-	rvArray = collect_subject_certs(ce->entry.list, certListOpt);
-    }
-    PZ_Unlock(td->cache->lock);
-    return rvArray;
-}
-
-/*
- * Find all cached certs with this email address.
- */
-NSS_IMPLEMENT NSSCertificate **
-nssTrustDomain_GetCertsForEmailAddressFromCache (
-  NSSTrustDomain *td,
-  NSSASCII7 *email,
-  nssList *certListOpt
-)
-{
-    NSSCertificate **rvArray = NULL;
-    cache_entry *ce;
-    nssList *collectList = NULL;
-    nssListIterator *iter = NULL;
-    nssList *subjectList;
-#ifdef DEBUG_CACHE
-    PR_LOG(s_log, PR_LOG_DEBUG, ("looking for cert by email %s", email));
-#endif
-    PZ_Lock(td->cache->lock);
-    ce = (cache_entry *)nssHash_Lookup(td->cache->email, email);
-    if (ce) {
-	ce->hits++;
-	ce->lastHit = PR_Now();
-#ifdef DEBUG_CACHE
-	PR_LOG(s_log, PR_LOG_DEBUG, ("... found, %d hits", ce->hits));
-#endif
-	/* loop over subject lists and get refs for certs */
-	if (certListOpt) {
-	    collectList = certListOpt;
-	} else {
-	    collectList = nssList_Create(NULL, PR_FALSE);
-	    if (!collectList) {
-		PZ_Unlock(td->cache->lock);
-		return NULL;
-	    }
-	}
-	iter = nssList_CreateIterator(ce->entry.list);
-	if (!iter) {
-	    PZ_Unlock(td->cache->lock);
-	    if (!certListOpt) {
-		nssList_Destroy(collectList);
-	    }
-	    return NULL;
-	}
-	for (subjectList  = (nssList *)nssListIterator_Start(iter);
-	     subjectList != (nssList *)NULL;
-	     subjectList  = (nssList *)nssListIterator_Next(iter)) {
-	    (void)collect_subject_certs(subjectList, collectList);
-	}
-	nssListIterator_Finish(iter);
-	nssListIterator_Destroy(iter);
-    }
-    PZ_Unlock(td->cache->lock);
-    if (!certListOpt && collectList) {
-	PRUint32 count = nssList_Count(collectList);
-	rvArray = nss_ZNEWARRAY(NULL, NSSCertificate *, count);
-	if (rvArray) {
-	    nssList_GetArray(collectList, (void **)rvArray, count);
-	}
-	nssList_Destroy(collectList);
-    }
-    return rvArray;
-}
-
-/*
- * Look for a specific cert in the cache
- */
-NSS_IMPLEMENT NSSCertificate *
-nssTrustDomain_GetCertForIssuerAndSNFromCache (
-  NSSTrustDomain *td,
-  NSSDER *issuer,
-  NSSDER *serial
-)
-{
-    NSSCertificate certkey;
-    NSSCertificate *rvCert = NULL;
-    cache_entry *ce;
-    certkey.issuer.data = issuer->data;
-    certkey.issuer.size = issuer->size;
-    certkey.serial.data = serial->data;
-    certkey.serial.size = serial->size;
-#ifdef DEBUG_CACHE
-    log_item_dump("looking for cert by issuer/sn, issuer", issuer);
-    log_item_dump("                               serial", serial);
-#endif
-    PZ_Lock(td->cache->lock);
-    ce = (cache_entry *)nssHash_Lookup(td->cache->issuerAndSN, &certkey);
-    if (ce) {
-	ce->hits++;
-	ce->lastHit = PR_Now();
-	rvCert = nssCertificate_AddRef(ce->entry.cert);
-#ifdef DEBUG_CACHE
-	PR_LOG(s_log, PR_LOG_DEBUG, ("... found, %d hits", ce->hits));
-#endif
-    }
-    PZ_Unlock(td->cache->lock);
-    return rvCert;
-}
-
-#ifdef NSS_3_4_CODE
-static PRStatus
-issuer_and_serial_from_encoding (
-  NSSBER *encoding, 
-  NSSDER *issuer, 
-  NSSDER *serial
-)
-{
-    SECItem derCert, derIssuer, derSerial;
-    SECStatus secrv;
-    derCert.data = (unsigned char *)encoding->data;
-    derCert.len = encoding->size;
-    secrv = CERT_IssuerNameFromDERCert(&derCert, &derIssuer);
-    if (secrv != SECSuccess) {
-	return PR_FAILURE;
-    }
-    secrv = CERT_SerialNumberFromDERCert(&derCert, &derSerial);
-    if (secrv != SECSuccess) {
-	return PR_FAILURE;
-    }
-    issuer->data = derIssuer.data;
-    issuer->size = derIssuer.len;
-    serial->data = derSerial.data;
-    serial->size = derSerial.len;
-    return PR_SUCCESS;
-}
-#endif
-
-/*
- * Look for a specific cert in the cache
- */
-NSS_IMPLEMENT NSSCertificate *
-nssTrustDomain_GetCertByDERFromCache (
-  NSSTrustDomain *td,
-  NSSDER *der
-)
-{
-    PRStatus nssrv = PR_FAILURE;
-    NSSDER issuer, serial;
-    NSSCertificate *rvCert;
-#ifdef NSS_3_4_CODE
-    nssrv = issuer_and_serial_from_encoding(der, &issuer, &serial);
-#endif
-    if (nssrv != PR_SUCCESS) {
-	return NULL;
-    }
-#ifdef DEBUG_CACHE
-    log_item_dump("looking for cert by DER", der);
-#endif
-    rvCert = nssTrustDomain_GetCertForIssuerAndSNFromCache(td, 
-                                                           &issuer, &serial);
-#ifdef NSS_3_4_CODE
-    PORT_Free(issuer.data);
-    PORT_Free(serial.data);
-#endif
-    return rvCert;
-}
-
-static void cert_iter(const void *k, void *v, void *a)
-{
-    nssList *certList = (nssList *)a;
-    NSSCertificate *c = (NSSCertificate *)k;
-    nssList_Add(certList, nssCertificate_AddRef(c));
-}
-
-NSS_EXTERN NSSCertificate **
-nssTrustDomain_GetCertsFromCache (
-  NSSTrustDomain *td,
-  nssList *certListOpt
-)
-{
-    NSSCertificate **rvArray = NULL;
-    nssList *certList;
-    if (certListOpt) {
-	certList = certListOpt;
-    } else {
-	certList = nssList_Create(NULL, PR_FALSE);
-    }
-    PZ_Lock(td->cache->lock);
-    nssHash_Iterate(td->cache->issuerAndSN, cert_iter, (void *)certList);
-    PZ_Unlock(td->cache->lock);
-    if (!certListOpt) {
-	PRUint32 count = nssList_Count(certList);
-	rvArray = nss_ZNEWARRAY(NULL, NSSCertificate *, count);
-	nssList_GetArray(certList, (void **)rvArray, count);
-	/* array takes the references */
-	nssList_Destroy(certList);
-    }
-    return rvArray;
-}
-
-NSS_IMPLEMENT void
-nssTrustDomain_DumpCacheInfo (
-  NSSTrustDomain *td,
-  void (* cert_dump_iter)(const void *, void *, void *),
-  void *arg
-)
-{
-    PZ_Lock(td->cache->lock);
-    nssHash_Iterate(td->cache->issuerAndSN, cert_dump_iter, arg);
-    PZ_Unlock(td->cache->lock);
-}
diff --git a/security/nss/lib/pki/trustdomain.c b/security/nss/lib/pki/trustdomain.c
deleted file mode 100644
index 0ecb8846d..000000000
--- a/security/nss/lib/pki/trustdomain.c
+++ /dev/null
@@ -1,1403 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#ifndef DEV_H
-#include "dev.h"
-#endif /* DEV_H */
-
-#ifndef PKIM_H
-#include "pkim.h"
-#endif /* PKIM_H */
-
-#ifndef PKI1T_H
-#include "pki1t.h"
-#endif /* PKI1T_H */
-
-#ifdef NSS_3_4_CODE
-#include "cert.h"
-#include "pki3hack.h"
-#endif
-
-#include "nssrwlk.h"
-
-#define NSSTRUSTDOMAIN_DEFAULT_CACHE_SIZE 32
-
-#ifdef PURE_STAN_BUILD
-struct NSSTrustDomainStr {
-    PRInt32 refCount;
-    NSSArena *arena;
-    NSSCallback *defaultCallback;
-    struct {
-	nssSlotList *forCerts;
-	nssSlotList *forCiphers;
-	nssSlotList *forTrust;
-    } slots;
-    nssCertificateCache *cache;
-};
-#endif
-
-extern const NSSError NSS_ERROR_NOT_FOUND;
-
-typedef PRUint32 nssUpdateLevel;
-
-NSS_IMPLEMENT NSSTrustDomain *
-NSSTrustDomain_Create (
-  NSSUTF8 *moduleOpt,
-  NSSUTF8 *uriOpt,
-  NSSUTF8 *opaqueOpt,
-  void *reserved
-)
-{
-    NSSArena *arena;
-    NSSTrustDomain *rvTD;
-    arena = NSSArena_Create();
-    if(!arena) {
-	return (NSSTrustDomain *)NULL;
-    }
-    rvTD = nss_ZNEW(arena, NSSTrustDomain);
-    if (!rvTD) {
-	goto loser;
-    }
-    /* protect the token list and the token iterator */
-    rvTD->tokensLock = NSSRWLock_New(100, "tokens");
-    if (!rvTD->tokensLock) {
-	goto loser;
-    }
-    nssTrustDomain_InitializeCache(rvTD, NSSTRUSTDOMAIN_DEFAULT_CACHE_SIZE);
-    rvTD->arena = arena;
-    rvTD->refCount = 1;
-#ifdef NSS_3_4_CODE
-    rvTD->statusConfig = NULL;
-#endif
-    return rvTD;
-loser:
-    if (rvTD && rvTD->tokensLock) {
-	NSSRWLock_Destroy(rvTD->tokensLock);
-    }
-    nssArena_Destroy(arena);
-    return (NSSTrustDomain *)NULL;
-}
-
-static void
-token_destructor(void *t)
-{
-    NSSToken *tok = (NSSToken *)t;
-    /* in 3.4, also destroy the slot (managed separately) */
-    (void)nssSlot_Destroy(tok->slot);
-    nssToken_Destroy(tok);
-}
-
-NSS_IMPLEMENT PRStatus
-NSSTrustDomain_Destroy (
-  NSSTrustDomain *td
-)
-{
-    PRStatus status = PR_SUCCESS;
-    if (--td->refCount == 0) {
-	/* Destroy each token in the list of tokens */
-	if (td->tokens) {
-	    nssListIterator_Destroy(td->tokens);
-	    nssList_Clear(td->tokenList, token_destructor);
-	    nssList_Destroy(td->tokenList);
-	}
-	NSSRWLock_Destroy(td->tokensLock);
-	status = nssTrustDomain_DestroyCache(td);
-	if (status == PR_FAILURE) {
-	    return status;
-	}
-	/* Destroy the trust domain */
-	nssArena_Destroy(td->arena);
-    }
-    return status;
-}
-
-/* XXX uses tokens until slot list is in place */
-static NSSSlot **
-nssTrustDomain_GetActiveSlots (
-  NSSTrustDomain *td,
-  nssUpdateLevel *updateLevel
-)
-{
-    PRUint32 count;
-    NSSSlot **slots = NULL;
-    NSSToken **tp, **tokens;
-    *updateLevel = 1;
-    NSSRWLock_LockRead(td->tokensLock);
-    count = nssList_Count(td->tokenList);
-    tokens = nss_ZNEWARRAY(NULL, NSSToken *, count + 1);
-    if (!tokens) {
-	NSSRWLock_UnlockRead(td->tokensLock);
-	return NULL;
-    }
-    slots = nss_ZNEWARRAY(NULL, NSSSlot *, count + 1);
-    if (!slots) {
-	NSSRWLock_UnlockRead(td->tokensLock);
-	nss_ZFreeIf(tokens);
-	return NULL;
-    }
-    nssList_GetArray(td->tokenList, (void **)tokens, count);
-    NSSRWLock_UnlockRead(td->tokensLock);
-    count = 0;
-    for (tp = tokens; *tp; tp++) {
-	slots[count++] = nssToken_GetSlot(*tp);
-    }
-    nss_ZFreeIf(tokens);
-    return slots;
-}
-
-/* XXX */
-static nssSession *
-nssTrustDomain_GetSessionForToken (
-  NSSTrustDomain *td,
-  NSSToken *token
-)
-{
-    return nssToken_GetDefaultSession(token);
-}
-
-NSS_IMPLEMENT PRStatus
-NSSTrustDomain_SetDefaultCallback (
-  NSSTrustDomain *td,
-  NSSCallback *newCallback,
-  NSSCallback **oldCallbackOpt
-)
-{
-    if (oldCallbackOpt) {
-	*oldCallbackOpt = td->defaultCallback;
-    }
-    td->defaultCallback = newCallback;
-    return PR_SUCCESS;
-}
-
-NSS_IMPLEMENT NSSCallback *
-nssTrustDomain_GetDefaultCallback (
-  NSSTrustDomain *td,
-  PRStatus *statusOpt
-)
-{
-    if (statusOpt) {
-	*statusOpt = PR_SUCCESS;
-    }
-    return td->defaultCallback;
-}
-
-NSS_IMPLEMENT NSSCallback *
-NSSTrustDomain_GetDefaultCallback (
-  NSSTrustDomain *td,
-  PRStatus *statusOpt
-)
-{
-    return nssTrustDomain_GetDefaultCallback(td, statusOpt);
-}
-
-NSS_IMPLEMENT PRStatus
-NSSTrustDomain_LoadModule (
-  NSSTrustDomain *td,
-  NSSUTF8 *moduleOpt,
-  NSSUTF8 *uriOpt,
-  NSSUTF8 *opaqueOpt,
-  void *reserved
-)
-{
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSTrustDomain_DisableToken (
-  NSSTrustDomain *td,
-  NSSToken *token,
-  NSSError why
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSTrustDomain_EnableToken (
-  NSSTrustDomain *td,
-  NSSToken *token
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSTrustDomain_IsTokenEnabled (
-  NSSTrustDomain *td,
-  NSSToken *token,
-  NSSError *whyOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT NSSSlot *
-NSSTrustDomain_FindSlotByName (
-  NSSTrustDomain *td,
-  NSSUTF8 *slotName
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSToken *
-NSSTrustDomain_FindTokenByName (
-  NSSTrustDomain *td,
-  NSSUTF8 *tokenName
-)
-{
-    PRStatus nssrv;
-    NSSUTF8 *myName;
-    NSSToken *tok = NULL;
-    NSSRWLock_LockRead(td->tokensLock);
-    for (tok  = (NSSToken *)nssListIterator_Start(td->tokens);
-         tok != (NSSToken *)NULL;
-         tok  = (NSSToken *)nssListIterator_Next(td->tokens))
-    {
-	if (nssToken_IsPresent(tok)) {
-	    myName = nssToken_GetName(tok);
-	    if (nssUTF8_Equal(tokenName, myName, &nssrv)) break;
-	}
-    }
-    nssListIterator_Finish(td->tokens);
-    NSSRWLock_UnlockRead(td->tokensLock);
-    return tok;
-}
-
-NSS_IMPLEMENT NSSToken *
-NSSTrustDomain_FindTokenBySlotName (
-  NSSTrustDomain *td,
-  NSSUTF8 *slotName
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSToken *
-NSSTrustDomain_FindTokenForAlgorithm (
-  NSSTrustDomain *td,
-  NSSOID *algorithm
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSToken *
-NSSTrustDomain_FindBestTokenForAlgorithms (
-  NSSTrustDomain *td,
-  NSSOID *algorithms[], /* may be null-terminated */
-  PRUint32 nAlgorithmsOpt /* limits the array if nonzero */
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSTrustDomain_Login (
-  NSSTrustDomain *td,
-  NSSCallback *uhhOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSTrustDomain_Logout (
-  NSSTrustDomain *td
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT NSSCertificate *
-NSSTrustDomain_ImportCertificate (
-  NSSTrustDomain *td,
-  NSSCertificate *c
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCertificate *
-NSSTrustDomain_ImportPKIXCertificate (
-  NSSTrustDomain *td,
-  /* declared as a struct until these "data types" are defined */
-  struct NSSPKIXCertificateStr *pc
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCertificate *
-NSSTrustDomain_ImportEncodedCertificate (
-  NSSTrustDomain *td,
-  NSSBER *ber
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCertificate **
-NSSTrustDomain_ImportEncodedCertificateChain (
-  NSSTrustDomain *td,
-  NSSBER *ber,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt, /* 0 for no max */
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSPrivateKey *
-NSSTrustDomain_ImportEncodedPrivateKey (
-  NSSTrustDomain *td,
-  NSSBER *ber,
-  NSSItem *passwordOpt, /* NULL will cause a callback */
-  NSSCallback *uhhOpt,
-  NSSToken *destination
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSPublicKey *
-NSSTrustDomain_ImportEncodedPublicKey (
-  NSSTrustDomain *td,
-  NSSBER *ber
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-static NSSCertificate **
-get_certs_from_list(nssList *list)
-{
-    PRUint32 count = nssList_Count(list);
-    NSSCertificate **certs = NULL;
-    if (count > 0) {
-	certs = nss_ZNEWARRAY(NULL, NSSCertificate *, count + 1);
-	if (certs) {
-	    nssList_GetArray(list, (void **)certs, count);
-	}
-    }
-    return certs;
-}
-
-NSS_IMPLEMENT NSSCertificate **
-nssTrustDomain_FindCertificatesByNickname (
-  NSSTrustDomain *td,
-  NSSUTF8 *name,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt, /* 0 for no max */
-  NSSArena *arenaOpt
-)
-{
-    PRStatus status;
-    PRUint32 numRemaining;
-    NSSToken *token = NULL;
-    NSSSlot **slots = NULL;
-    NSSSlot **slotp;
-    NSSCertificate **rvCerts = NULL;
-    nssPKIObjectCollection *collection = NULL;
-    nssUpdateLevel updateLevel;
-    nssList *nameList;
-    /* First, grab from the cache */
-    nameList = nssList_Create(NULL, PR_FALSE);
-    if (!nameList) {
-	return NULL;
-    }
-    (void)nssTrustDomain_GetCertsForNicknameFromCache(td, name, nameList);
-    rvCerts = get_certs_from_list(nameList);
-    /* initialize the collection of token certificates with the set of
-     * cached certs (if any).
-     */
-    collection = nssCertificateCollection_Create(td, rvCerts);
-    nssCertificateArray_Destroy(rvCerts);
-    nssList_Destroy(nameList);
-    if (!collection) {
-	return (NSSCertificate **)NULL;
-    }
-    /* obtain the current set of active slots in the trust domain */
-    slots = nssTrustDomain_GetActiveSlots(td, &updateLevel);
-    if (!slots) {
-	goto loser;
-    }
-    /* iterate over the slots */
-    numRemaining = maximumOpt;
-    for (slotp = slots; *slotp; slotp++) {
-	token = nssSlot_GetToken(*slotp);
-	if (token) {
-	    nssSession *session;
-	    nssCryptokiObject **instances;
-	    nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
-	    session = nssTrustDomain_GetSessionForToken(td, token);
-	    if (!session) {
-		nssToken_Destroy(token);
-		goto loser;
-	    }
-	    instances = nssToken_FindCertificatesByNickname(token,
-	                                                    session,
-	                                                    name,
-	                                                    tokenOnly,
-	                                                    numRemaining,
-	                                                    &status);
-	    nssToken_Destroy(token);
-	    if (status != PR_SUCCESS) {
-		goto loser;
-	    }
-	    if (instances) {
-		status = nssPKIObjectCollection_AddInstances(collection, 
-		                                             instances, 0);
-		nss_ZFreeIf(instances);
-		if (status != PR_SUCCESS) {
-		    goto loser;
-		}
-		if (maximumOpt > 0) {
-	            PRUint32 count;
-	            count = nssPKIObjectCollection_Count(collection);
-		    numRemaining = maximumOpt - count;
-		    if (numRemaining == 0) break;
-		}
-	    }
-	}
-    }
-    /* Grab the certs collected in the search. */
-    rvCerts = nssPKIObjectCollection_GetCertificates(collection,
-                                                     rvOpt, maximumOpt,
-                                                     arenaOpt);
-    /* clean up */
-    nssPKIObjectCollection_Destroy(collection);
-    nssSlotArray_Destroy(slots);
-    return rvCerts;
-loser:
-    if (slots) {
-	nssSlotArray_Destroy(slots);
-    }
-    if (collection) {
-	nssPKIObjectCollection_Destroy(collection);
-    }
-    return (NSSCertificate **)NULL;
-}
-
-NSS_IMPLEMENT NSSCertificate **
-NSSTrustDomain_FindCertificatesByNickname (
-  NSSTrustDomain *td,
-  NSSUTF8 *name,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt, /* 0 for no max */
-  NSSArena *arenaOpt
-)
-{
-    return nssTrustDomain_FindCertificatesByNickname(td,
-                                                     name,
-                                                     rvOpt,
-                                                     maximumOpt,
-                                                     arenaOpt);
-}
-
-NSS_IMPLEMENT NSSCertificate *
-nssTrustDomain_FindBestCertificateByNickname (
-  NSSTrustDomain *td,
-  NSSUTF8 *name,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt
-)
-{
-    NSSCertificate **nicknameCerts;
-    NSSCertificate *rvCert = NULL;
-    nicknameCerts = nssTrustDomain_FindCertificatesByNickname(td, name,
-                                                              NULL,
-                                                              0,
-                                                              NULL);
-    if (nicknameCerts) {
-	rvCert = nssCertificateArray_FindBestCertificate(nicknameCerts,
-                                                         timeOpt,
-                                                         usage,
-                                                         policiesOpt);
-	nssCertificateArray_Destroy(nicknameCerts);
-    }
-    return rvCert;
-}
-
-NSS_IMPLEMENT NSSCertificate *
-NSSTrustDomain_FindBestCertificateByNickname (
-  NSSTrustDomain *td,
-  NSSUTF8 *name,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt
-)
-{
-    return nssTrustDomain_FindBestCertificateByNickname(td,
-                                                        name,
-                                                        timeOpt,
-                                                        usage,
-                                                        policiesOpt);
-}
-
-NSS_IMPLEMENT NSSCertificate **
-nssTrustDomain_FindCertificatesBySubject (
-  NSSTrustDomain *td,
-  NSSDER *subject,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt,
-  NSSArena *arenaOpt
-)
-{
-    PRStatus status;
-    PRUint32 numRemaining;
-    NSSToken *token = NULL;
-    NSSSlot **slots = NULL;
-    NSSSlot **slotp;
-    NSSCertificate **rvCerts = NULL;
-    nssPKIObjectCollection *collection = NULL;
-    nssUpdateLevel updateLevel;
-    nssList *subjectList;
-    /* look in cache */
-    subjectList = nssList_Create(NULL, PR_FALSE);
-    if (!subjectList) {
-	return NULL;
-    }
-    (void)nssTrustDomain_GetCertsForSubjectFromCache(td, subject, subjectList);
-    rvCerts = get_certs_from_list(subjectList);
-    collection = nssCertificateCollection_Create(td, rvCerts);
-    nssCertificateArray_Destroy(rvCerts);
-    nssList_Destroy(subjectList);
-    if (!collection) {
-	return (NSSCertificate **)NULL;
-    }
-    slots = nssTrustDomain_GetActiveSlots(td, &updateLevel);
-    if (!slots) {
-	goto loser;
-    }
-    numRemaining = maximumOpt;
-    for (slotp = slots; *slotp; slotp++) {
-	token = nssSlot_GetToken(*slotp);
-	if (token) {
-	    nssSession *session;
-	    nssCryptokiObject **instances;
-	    nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
-	    session = nssTrustDomain_GetSessionForToken(td, token);
-	    if (!session) {
-		nssToken_Destroy(token);
-		goto loser;
-	    }
-	    instances = nssToken_FindCertificatesBySubject(token,
-	                                                   session,
-	                                                   subject,
-	                                                   tokenOnly,
-	                                                   numRemaining,
-	                                                   &status);
-	    nssToken_Destroy(token);
-	    if (status != PR_SUCCESS) {
-		goto loser;
-	    }
-	    if (instances) {
-		status = nssPKIObjectCollection_AddInstances(collection, 
-		                                             instances, 0);
-		nss_ZFreeIf(instances);
-		if (status != PR_SUCCESS) {
-		    goto loser;
-		}
-		if (maximumOpt > 0) {
-		    PRUint32 count;
-		    count = nssPKIObjectCollection_Count(collection);
-		    numRemaining = maximumOpt - count;
-		    if (numRemaining == 0) break;
-		}
-	    }
-	}
-    }
-    rvCerts = nssPKIObjectCollection_GetCertificates(collection,
-                                                     rvOpt, maximumOpt,
-                                                     arenaOpt);
-    nssPKIObjectCollection_Destroy(collection);
-    nssSlotArray_Destroy(slots);
-    return rvCerts;
-loser:
-    if (slots) {
-	nssSlotArray_Destroy(slots);
-    }
-    if (collection) {
-	nssPKIObjectCollection_Destroy(collection);
-    }
-    return (NSSCertificate **)NULL;
-}
-
-NSS_IMPLEMENT NSSCertificate **
-NSSTrustDomain_FindCertificatesBySubject (
-  NSSTrustDomain *td,
-  NSSDER *subject,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt,
-  NSSArena *arenaOpt
-)
-{
-    return nssTrustDomain_FindCertificatesBySubject(td, 
-                                                    subject,
-                                                    rvOpt,
-                                                    maximumOpt,
-                                                    arenaOpt);
-}
-
-NSS_IMPLEMENT NSSCertificate *
-nssTrustDomain_FindBestCertificateBySubject (
-  NSSTrustDomain *td,
-  NSSDER *subject,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt
-)
-{
-    NSSCertificate **subjectCerts;
-    NSSCertificate *rvCert = NULL;
-    subjectCerts = nssTrustDomain_FindCertificatesBySubject(td, subject,
-                                                            NULL,
-                                                            0,
-                                                            NULL);
-    if (subjectCerts) {
-	rvCert = nssCertificateArray_FindBestCertificate(subjectCerts,
-                                                         timeOpt,
-                                                         usage,
-                                                         policiesOpt);
-	nssCertificateArray_Destroy(subjectCerts);
-    }
-    return rvCert;
-}
-
-NSS_IMPLEMENT NSSCertificate *
-NSSTrustDomain_FindBestCertificateBySubject (
-  NSSTrustDomain *td,
-  NSSDER *subject,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt
-)
-{
-    return nssTrustDomain_FindBestCertificateBySubject(td,
-                                                       subject,
-                                                       timeOpt,
-                                                       usage,
-                                                       policiesOpt);
-}
-
-NSS_IMPLEMENT NSSCertificate *
-NSSTrustDomain_FindBestCertificateByNameComponents (
-  NSSTrustDomain *td,
-  NSSUTF8 *nameComponents,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCertificate **
-NSSTrustDomain_FindCertificatesByNameComponents (
-  NSSTrustDomain *td,
-  NSSUTF8 *nameComponents,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt, /* 0 for no max */
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCertificate *
-nssTrustDomain_FindCertificateByIssuerAndSerialNumber (
-  NSSTrustDomain *td,
-  NSSDER *issuer,
-  NSSDER *serial
-)
-{
-    PRStatus status;
-    NSSToken *token = NULL;
-    NSSSlot **slots = NULL;
-    NSSSlot **slotp;
-    NSSCertificate *rvCert = NULL;
-    nssPKIObjectCollection *collection = NULL;
-    nssUpdateLevel updateLevel;
-    /* see if this search is already cached */
-    rvCert = nssTrustDomain_GetCertForIssuerAndSNFromCache(td,
-                                                           issuer, 
-                                                           serial);
-    if (rvCert) {
-	return rvCert;
-    }
-    slots = nssTrustDomain_GetActiveSlots(td, &updateLevel);
-    if (!slots) {
-	goto loser;
-    }
-    for (slotp = slots; *slotp; slotp++) {
-	token = nssSlot_GetToken(*slotp);
-	if (token) {
-	    nssSession *session;
-	    nssCryptokiObject *instance;
-	    nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
-	    session = nssTrustDomain_GetSessionForToken(td, token);
-	    if (!session) {
-		nssToken_Destroy(token);
-		goto loser;
-	    }
-	    instance = nssToken_FindCertificateByIssuerAndSerialNumber(
-	                                                            token,
-	                                                            session,
-	                                                            issuer,
-	                                                            serial,
-	                                                            tokenOnly,
-	                                                            &status);
-	    nssToken_Destroy(token);
-	    if (status != PR_SUCCESS) {
-		goto loser;
-	    }
-	    if (instance) {
-		if (!collection) {
-		    collection = nssCertificateCollection_Create(td, NULL);
-		    if (!collection) {
-			goto loser;
-		    }
-		}
-		nssPKIObjectCollection_AddInstances(collection, 
-		                                    &instance, 1);
-	    }
-	}
-    }
-    if (collection) {
-	(void)nssPKIObjectCollection_GetCertificates(collection, 
-	                                             &rvCert, 1, NULL);
-	if (!rvCert) {
-	    goto loser;
-	}
-	nssPKIObjectCollection_Destroy(collection);
-    }
-    nssSlotArray_Destroy(slots);
-    return rvCert;
-loser:
-    if (collection) {
-	nssPKIObjectCollection_Destroy(collection);
-    }
-    if (slots) {
-	nssSlotArray_Destroy(slots);
-    }
-    return (NSSCertificate *)NULL;
-}
-
-NSS_IMPLEMENT NSSCertificate *
-NSSTrustDomain_FindCertificateByIssuerAndSerialNumber (
-  NSSTrustDomain *td,
-  NSSDER *issuer,
-  NSSDER *serial
-)
-{
-    return nssTrustDomain_FindCertificateByIssuerAndSerialNumber(td,
-                                                                 issuer,
-                                                                 serial);
-}
-
-NSS_IMPLEMENT NSSCertificate *
-nssTrustDomain_FindCertificateByEncodedCertificate (
-  NSSTrustDomain *td,
-  NSSBER *ber
-)
-{
-    PRStatus status;
-    NSSCertificate *rvCert = NULL;
-    NSSDER issuer = { 0 };
-    NSSDER serial = { 0 };
-    NSSArena *arena = nssArena_Create();
-    if (!arena) {
-	return (NSSCertificate *)NULL;
-    }
-    /* XXX this is not generic...  will any cert crack into issuer/serial? */
-    status = nssPKIX509_GetIssuerAndSerialFromDER(ber, arena, &issuer, &serial);
-    if (status != PR_SUCCESS) {
-	goto finish;
-    }
-    rvCert = nssTrustDomain_FindCertificateByIssuerAndSerialNumber(td,
-                                                                   &issuer,
-                                                                   &serial);
-finish:
-    nssArena_Destroy(arena);
-    return rvCert;
-}
-
-NSS_IMPLEMENT NSSCertificate *
-NSSTrustDomain_FindCertificateByEncodedCertificate (
-  NSSTrustDomain *td,
-  NSSBER *ber
-)
-{
-    return nssTrustDomain_FindCertificateByEncodedCertificate(td, ber);
-}
-
-NSS_IMPLEMENT NSSCertificate *
-NSSTrustDomain_FindBestCertificateByEmail (
-  NSSTrustDomain *td,
-  NSSASCII7 *email,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt
-)
-{
-    return 0;
-}
-
-NSS_IMPLEMENT NSSCertificate **
-NSSTrustDomain_FindCertificatesByEmail (
-  NSSTrustDomain *td,
-  NSSASCII7 *email,
-  NSSCertificate *rvOpt[],
-  PRUint32 maximumOpt, /* 0 for no max */
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCertificate *
-NSSTrustDomain_FindCertificateByOCSPHash (
-  NSSTrustDomain *td,
-  NSSItem *hash
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCertificate *
-NSSTrustDomain_FindBestUserCertificate (
-  NSSTrustDomain *td,
-  NSSTime *timeOpt,
-  NSSUsage *usage,
-  NSSPolicies *policiesOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCertificate **
-NSSTrustDomain_FindUserCertificates (
-  NSSTrustDomain *td,
-  NSSTime *timeOpt,
-  NSSUsage *usageOpt,
-  NSSPolicies *policiesOpt,
-  NSSCertificate **rvOpt,
-  PRUint32 rvLimit, /* zero for no limit */
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCertificate *
-NSSTrustDomain_FindBestUserCertificateForSSLClientAuth (
-  NSSTrustDomain *td,
-  NSSUTF8 *sslHostOpt,
-  NSSDER *rootCAsOpt[], /* null pointer for none */
-  PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
-  NSSAlgorithmAndParameters *apOpt,
-  NSSPolicies *policiesOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCertificate **
-NSSTrustDomain_FindUserCertificatesForSSLClientAuth (
-  NSSTrustDomain *td,
-  NSSUTF8 *sslHostOpt,
-  NSSDER *rootCAsOpt[], /* null pointer for none */
-  PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
-  NSSAlgorithmAndParameters *apOpt,
-  NSSPolicies *policiesOpt,
-  NSSCertificate **rvOpt,
-  PRUint32 rvLimit, /* zero for no limit */
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCertificate *
-NSSTrustDomain_FindBestUserCertificateForEmailSigning (
-  NSSTrustDomain *td,
-  NSSASCII7 *signerOpt,
-  NSSASCII7 *recipientOpt,
-  /* anything more here? */
-  NSSAlgorithmAndParameters *apOpt,
-  NSSPolicies *policiesOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCertificate **
-NSSTrustDomain_FindUserCertificatesForEmailSigning (
-  NSSTrustDomain *td,
-  NSSASCII7 *signerOpt,
-  NSSASCII7 *recipientOpt,
-  /* anything more here? */
-  NSSAlgorithmAndParameters *apOpt,
-  NSSPolicies *policiesOpt,
-  NSSCertificate **rvOpt,
-  PRUint32 rvLimit, /* zero for no limit */
-  NSSArena *arenaOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-static PRStatus
-collector(nssCryptokiObject *instance, void *arg)
-{
-    nssPKIObjectCollection *collection = (nssPKIObjectCollection *)arg;
-    return nssPKIObjectCollection_AddInstanceAsObject(collection, instance);
-}
-
-NSS_IMPLEMENT PRStatus *
-NSSTrustDomain_TraverseCertificates (
-  NSSTrustDomain *td,
-  PRStatus (*callback)(NSSCertificate *c, void *arg),
-  void *arg
-)
-{
-    PRStatus status;
-    NSSToken *token = NULL;
-    NSSSlot **slots = NULL;
-    NSSSlot **slotp;
-    nssPKIObjectCollection *collection = NULL;
-    nssPKIObjectCallback pkiCallback;
-    nssUpdateLevel updateLevel;
-    NSSCertificate **cached = NULL;
-    nssList *certList;
-
-    certList = nssList_Create(NULL, PR_FALSE);
-    if (!certList) return NULL;
-    (void *)nssTrustDomain_GetCertsFromCache(td, certList);
-    cached = get_certs_from_list(certList);
-    collection = nssCertificateCollection_Create(td, cached);
-    nssCertificateArray_Destroy(cached);
-    nssList_Destroy(certList);
-    if (!collection) {
-	return (PRStatus *)NULL;
-    }
-    /* obtain the current set of active slots in the trust domain */
-    slots = nssTrustDomain_GetActiveSlots(td, &updateLevel);
-    if (!slots) {
-	goto loser;
-    }
-    /* iterate over the slots */
-    for (slotp = slots; *slotp; slotp++) {
-	/* get the token for the slot, if present */
-	token = nssSlot_GetToken(*slotp);
-	if (token) {
-	    nssSession *session;
-	    nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
-	    /* get a session for the token */
-	    session = nssTrustDomain_GetSessionForToken(td, token);
-	    if (!session) {
-		nssToken_Destroy(token);
-		goto loser;
-	    }
-	    /* perform the traversal */
-	    status = nssToken_TraverseCertificates(token,
-	                                           session,
-	                                           tokenOnly,
-	                                           collector,
-	                                           collection);
-	    nssToken_Destroy(token);
-	}
-    }
-
-    /* Traverse the collection */
-    pkiCallback.func.cert = callback;
-    pkiCallback.arg = arg;
-    status = nssPKIObjectCollection_Traverse(collection, &pkiCallback);
-    /* clean up */
-    nssPKIObjectCollection_Destroy(collection);
-    nssSlotArray_Destroy(slots);
-    return NULL;
-loser:
-    if (slots) {
-	nssSlotArray_Destroy(slots);
-    }
-    if (collection) {
-	nssPKIObjectCollection_Destroy(collection);
-    }
-    return NULL;
-}
-
-#ifdef notdef
-/*
- * search for Public and Private keys first
- */
-NSS_IMPLEMENT PRStatus *
-NSSTrustDomain_TraverseUserCertificates (
-  NSSTrustDomain *td,
-  PRStatus (*callback)(NSSCertificate *c, void *arg),
-  void *arg
-)
-{
-    PRStatus status;
-    NSSToken *token = NULL;
-    NSSSlot **slots = NULL;
-    NSSSlot **slotp;
-    nssPKIObjectCollection *collection = NULL;
-    nssPKIObjectCallback pkiCallback;
-    nssUpdateLevel updateLevel;
-    NSSCertificate **cached = NULL;
-    nssList *certList;
-    certList = nssList_Create(NULL, PR_FALSE);
-    if (!certList) return NULL;
-    (void *)nssTrustDomain_GetCertsFromCache(td, certList);
-    cached = get_certs_from_list(certList);
-    collection = nssCertificateCollection_Create(td, cached);
-    nssCertificateArray_Destroy(cached);
-    nssList_Destroy(certList);
-    if (!collection) {
-	return (PRStatus *)NULL;
-    }
-    /* obtain the current set of active slots in the trust domain */
-    slots = nssTrustDomain_GetActiveSlots(td, &updateLevel);
-    if (!slots) {
-	goto loser;
-    }
-    /* iterate over the slots */
-    for (slotp = slots; *slotp; slotp++) {
-	/* get the token for the slot, if present */
-	token = nssSlot_GetToken(*slotp);
-	if (token) {
-	    nssSession *session;
-	    nssCryptokiObject **instances;
-	    nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
-	    /* get a session for the token */
-	    session = nssTrustDomain_GetSessionForToken(td, token);
-	    if (!session) {
-		nssToken_Destroy(token);
-		goto loser;
-	    }
-	    /* perform the traversal */
-	    if (!isLoggedIn(tok)) {
-	    	instances = nssToken_FindPublicKeys(token,
-	                                          session,
-	                                          tokenOnly,
-	                                          0, &status);
-	    } else {
-	    	instances = nssToken_FindPrivateKeys(token,
-	                                          session,
-	                                          tokenOnly,
-	                                          0, &status);
-	    }
-	    nssToken_Destroy(token);
-	    if (status != PR_SUCCESS) {
-		goto loser;
-	    }
-	    /* add the found certificates to the collection */
-	    status = nssPKIObjectCollection_AddInstances(collection, 
-	                                                 instances, 0);
-	    nss_ZFreeIf(instances);
-	    if (status != PR_SUCCESS) {
-		goto loser;
-	    }
-	}
-    }
-    status = nssPKIObjectCollection_MatchCerts(collection);
-    if (status != PR_SUCCESS) {
-	goto loser;
-    }
-    /* Traverse the collection */
-    pkiCallback.func.cert = callback;
-    pkiCallback.arg = arg;
-    status = nssPKIObjectCollection_Traverse(collection, &pkiCallback);
-    /* clean up */
-    nssPKIObjectCollection_Destroy(collection);
-    nssSlotArray_Destroy(slots);
-    return NULL;
-loser:
-    if (slots) {
-	nssSlotArray_Destroy(slots);
-    }
-    if (collection) {
-	nssPKIObjectCollection_Destroy(collection);
-    }
-    return NULL;
-}
-#endif
-
-NSS_IMPLEMENT NSSTrust *
-nssTrustDomain_FindTrustForCertificate (
-  NSSTrustDomain *td,
-  NSSCertificate *c
-)
-{
-    PRStatus status;
-    NSSSlot **slots;
-    NSSSlot **slotp;
-    NSSToken *token;
-    nssCryptokiObject *to = NULL;
-    nssPKIObject *pkio = NULL;
-    NSSTrust *rvt = NULL;
-    nssUpdateLevel updateLevel;
-    slots = nssTrustDomain_GetActiveSlots(td, &updateLevel);
-    if (!slots) {
-	return (NSSTrust *)NULL;
-    }
-    for (slotp = slots; *slotp; slotp++) {
-	token = nssSlot_GetToken(*slotp);
-	if (token) {
-	    to = nssToken_FindTrustForCertificate(token, NULL, 
-	                                          &c->encoding,
-	                                          &c->issuer,
-	                                          &c->serial,
-	                                      nssTokenSearchType_TokenOnly);
-	    if (to) {
-		if (!pkio) {
-		    pkio = nssPKIObject_Create(NULL, to, td, NULL);
-		    if (!pkio) {
-			nssToken_Destroy(token);
-			nssCryptokiObject_Destroy(to);
-			goto loser;
-		    }
-		} else {
-		    status = nssPKIObject_AddInstance(pkio, to);
-		    if (status != PR_SUCCESS) {
-			nssToken_Destroy(token);
-			nssCryptokiObject_Destroy(to);
-			goto loser;
-		    }
-		}
-	    }
-	    nssToken_Destroy(token);
-	}
-    }
-    if (pkio) {
-	rvt = nssTrust_Create(pkio, &c->encoding);
-	if (!rvt) {
-	    goto loser;
-	}
-    }
-    nssSlotArray_Destroy(slots);
-    return rvt;
-loser:
-    nssSlotArray_Destroy(slots);
-    if (pkio) {
-	nssPKIObject_Destroy(pkio);
-    }
-    return (NSSTrust *)NULL;
-}
-
-NSS_IMPLEMENT NSSCRL **
-nssTrustDomain_FindCRLsBySubject (
-  NSSTrustDomain *td,
-  NSSDER *subject
-)
-{
-    PRStatus status;
-    NSSSlot **slots;
-    NSSSlot **slotp;
-    NSSToken *token;
-    nssUpdateLevel updateLevel;
-    nssPKIObjectCollection *collection;
-    NSSCRL **rvCRLs = NULL;
-    collection = nssCRLCollection_Create(td, NULL);
-    if (!collection) {
-	return (NSSCRL **)NULL;
-    }
-    slots = nssTrustDomain_GetActiveSlots(td, &updateLevel);
-    if (!slots) {
-	goto loser;
-    }
-    for (slotp = slots; *slotp; slotp++) {
-	token = nssSlot_GetToken(*slotp);
-	if (token) {
-	    nssSession *session;
-	    nssCryptokiObject **instances;
-	    nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
-	    /* get a session for the token */
-	    session = nssTrustDomain_GetSessionForToken(td, token);
-	    if (!session) {
-		nssToken_Destroy(token);
-		goto loser;
-	    }
-	    /* perform the traversal */
-	    instances = nssToken_FindCRLsBySubject(token, session, subject,
-	                                           tokenOnly, 0, &status);
-	    nssToken_Destroy(token);
-	    if (status != PR_SUCCESS) {
-		goto loser;
-	    }
-	    /* add the found CRL's to the collection */
-	    status = nssPKIObjectCollection_AddInstances(collection, 
-	                                                 instances, 0);
-	    nss_ZFreeIf(instances);
-	    if (status != PR_SUCCESS) {
-		goto loser;
-	    }
-	}
-    }
-    rvCRLs = nssPKIObjectCollection_GetCRLs(collection, NULL, 0, NULL);
-    nssPKIObjectCollection_Destroy(collection);
-    nssSlotArray_Destroy(slots);
-    return rvCRLs;
-loser:
-    nssPKIObjectCollection_Destroy(collection);
-    nssSlotArray_Destroy(slots);
-    return (NSSCRL **)NULL;
-}
-
-NSS_IMPLEMENT PRStatus
-NSSTrustDomain_GenerateKeyPair (
-  NSSTrustDomain *td,
-  NSSAlgorithmAndParameters *ap,
-  NSSPrivateKey **pvkOpt,
-  NSSPublicKey **pbkOpt,
-  PRBool privateKeyIsSensitive,
-  NSSToken *destination,
-  NSSCallback *uhhOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-}
-
-NSS_IMPLEMENT NSSSymmetricKey *
-NSSTrustDomain_GenerateSymmetricKey (
-  NSSTrustDomain *td,
-  NSSAlgorithmAndParameters *ap,
-  PRUint32 keysize,
-  NSSToken *destination,
-  NSSCallback *uhhOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSSymmetricKey *
-NSSTrustDomain_GenerateSymmetricKeyFromPassword (
-  NSSTrustDomain *td,
-  NSSAlgorithmAndParameters *ap,
-  NSSUTF8 *passwordOpt, /* if null, prompt */
-  NSSToken *destinationOpt,
-  NSSCallback *uhhOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSSymmetricKey *
-NSSTrustDomain_FindSymmetricKeyByAlgorithmAndKeyID (
-  NSSTrustDomain *td,
-  NSSOID *algorithm,
-  NSSItem *keyID,
-  NSSCallback *uhhOpt
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCryptoContext *
-nssTrustDomain_CreateCryptoContext (
-  NSSTrustDomain *td,
-  NSSCallback *uhhOpt
-)
-{
-    return nssCryptoContext_Create(td, uhhOpt);
-}
-
-NSS_IMPLEMENT NSSCryptoContext *
-NSSTrustDomain_CreateCryptoContext (
-  NSSTrustDomain *td,
-  NSSCallback *uhhOpt
-)
-{
-    return nssTrustDomain_CreateCryptoContext(td, uhhOpt);
-}
-
-NSS_IMPLEMENT NSSCryptoContext *
-NSSTrustDomain_CreateCryptoContextForAlgorithm (
-  NSSTrustDomain *td,
-  NSSOID *algorithm
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
-NSS_IMPLEMENT NSSCryptoContext *
-NSSTrustDomain_CreateCryptoContextForAlgorithmAndParameters (
-  NSSTrustDomain *td,
-  NSSAlgorithmAndParameters *ap
-)
-{
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return NULL;
-}
-
diff --git a/security/nss/lib/pki1/Makefile b/security/nss/lib/pki1/Makefile
deleted file mode 100644
index 6bef6dda1..000000000
--- a/security/nss/lib/pki1/Makefile
+++ /dev/null
@@ -1,50 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
-
-include manifest.mn
-include $(CORE_DEPTH)/coreconf/config.mk
-include config.mk
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-# Generate oiddata.h and oiddata.c.
-oidgen: oidgen.perl oids.txt
-	rm -f oiddata.c oiddata.h
-	perl oidgen.perl oiddata.c oiddata.h oids.txt
-
-export::  private_export 
-
diff --git a/security/nss/lib/pki1/atav.c b/security/nss/lib/pki1/atav.c
deleted file mode 100644
index ca59d764f..000000000
--- a/security/nss/lib/pki1/atav.c
+++ /dev/null
@@ -1,1824 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * atav.c
- *
- * This file contains the implementation of the PKIX part-1 object
- * AttributeTypeAndValue.
- */
-
-#ifndef NSSBASE_H
-#include "nssbase.h"
-#endif /* NSSBASE_H */
-
-#ifndef ASN1_H
-#include "asn1.h"
-#endif /* ASN1_H */
-
-#ifndef PKI1_H
-#include "pki1.h"
-#endif /* PKI1_H */
-
-/*
- * AttributeTypeAndValue
- *
- * From draft-ietf-pkix-ipki-part1-10:
- *
- *  AttributeTypeAndValue           ::=     SEQUENCE {
- *          type            ATTRIBUTE.&id ({SupportedAttributes}),
- *          value   ATTRIBUTE.&Type ({SupportedAttributes}{@type})}
- *  
- *  -- ATTRIBUTE information object class specification
- *  --  Note: This has been greatly simplified for PKIX !!
- *  
- *  ATTRIBUTE               ::=     CLASS {
- *          &Type,
- *          &id                     OBJECT IDENTIFIER UNIQUE }
- *  WITH SYNTAX {
- *          WITH SYNTAX &Type ID &id }
- *  
- * What this means is that the "type" of the value is determined by
- * the value of the oid.  If we hide the structure, our accessors
- * can (at least in debug builds) assert value semantics beyond what
- * the compiler can provide.  Since these things are only used in
- * RelativeDistinguishedNames, and since RDNs always contain a SET
- * of these things, we don't lose anything by hiding the structure
- * (and its size).
- */
-
-struct NSSATAVStr {
-  NSSBER ber;
-  const NSSOID *oid;
-  NSSUTF8 *value;
-  nssStringType stringForm;
-};
-
-/*
- * NSSATAV
- *
- * The public "methods" regarding this "object" are:
- *
- *  NSSATAV_CreateFromBER   -- constructor
- *  NSSATAV_CreateFromUTF8  -- constructor
- *  NSSATAV_Create          -- constructor
- *
- *  NSSATAV_Destroy
- *  NSSATAV_GetDEREncoding
- *  NSSATAV_GetUTF8Encoding
- *  NSSATAV_GetType
- *  NSSATAV_GetValue
- *  NSSATAV_Compare
- *  NSSATAV_Duplicate
- *
- * The non-public "methods" regarding this "object" are:
- *
- *  nssATAV_CreateFromBER   -- constructor
- *  nssATAV_CreateFromUTF8  -- constructor
- *  nssATAV_Create          -- constructor
- *
- *  nssATAV_Destroy
- *  nssATAV_GetDEREncoding
- *  nssATAV_GetUTF8Encoding
- *  nssATAV_GetType
- *  nssATAV_GetValue
- *  nssATAV_Compare
- *  nssATAV_Duplicate
- *
- * In debug builds, the following non-public call is also available:
- *
- *  nssATAV_verifyPointer
- */
-
-/*
- * NSSATAV_CreateFromBER
- * 
- * This routine creates an NSSATAV by decoding a BER- or DER-encoded
- * ATAV.  If the optional arena argument is non-null, the memory used 
- * will be obtained from that arena; otherwise, the memory will be 
- * obtained from the heap.  This routine may return NULL upon error, 
- * in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_BER
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSATAV upon success
- */
-
-NSS_IMPLEMENT NSSATAV *
-NSSATAV_CreateFromBER
-(
-  NSSArena *arenaOpt,
-  NSSBER *berATAV
-)
-{
-  nss_ClearErrorStack();
-
-#ifdef DEBUG
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSATAV *)NULL;
-    }
-  }
-
-  /* 
-   * NSSBERs can be created by the user, 
-   * so no pointer-tracking can be checked.
-   */
-
-  if( (NSSBER *)NULL == berATAV ) {
-    nss_SetError(NSS_ERROR_INVALID_BER);
-    return (NSSATAV *)NULL;
-  }
-
-  if( (void *)NULL == berATAV->data ) {
-    nss_SetError(NSS_ERROR_INVALID_BER);
-    return (NSSATAV *)NULL;
-  }
-#endif /* DEBUG */
-
-  return nssATAV_CreateFromBER(arenaOpt, berATAV);
-}
-
-/*
- * NSSATAV_CreateFromUTF8
- *
- * This routine creates an NSSATAV by decoding a UTF8 string in the
- * "equals" format, e.g., "c=US."  If the optional arena argument is 
- * non-null, the memory used will be obtained from that arena; 
- * otherwise, the memory will be obtained from the heap.  This routine
- * may return NULL upon error, in which case it will have created an
- * error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_UNKNOWN_ATTRIBUTE
- *  NSS_ERROR_INVALID_STRING
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSATAV upon success
- */
-
-NSS_IMPLEMENT NSSATAV *
-NSSATAV_CreateFromUTF8
-(
-  NSSArena *arenaOpt,
-  NSSUTF8 *stringATAV
-)
-{
-  nss_ClearErrorStack();
-
-#ifdef DEBUG
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSATAV *)NULL;
-    }
-  }
-
-  /*
-   * NSSUTF8s can be created by the user,
-   * so no pointer-tracking can be checked.
-   */
-
-  if( (NSSUTF8 *)NULL == stringATAV ) {
-    nss_SetError(NSS_ERROR_INVALID_UTF8);
-    return (NSSATAV *)NULL;
-  }
-#endif /* DEBUG */
-
-  return nssATAV_CreateFromUTF8(arenaOpt, stringATAV);
-}
-
-/*
- * NSSATAV_Create
- *
- * This routine creates an NSSATAV from the specified NSSOID and the
- * specified data. If the optional arena argument is non-null, the 
- * memory used will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap.If the specified data length is zero, 
- * the data is assumed to be terminated by first zero byte; this allows 
- * UTF8 strings to be easily specified.  This routine may return NULL 
- * upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_INVALID_NSSOID
- *  NSS_ERROR_INVALID_POINTER
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSATAV upon success
- */
-
-NSS_IMPLEMENT NSSATAV *
-NSSATAV_Create
-(
-  NSSArena *arenaOpt,
-  const NSSOID *oid,
-  const void *data,
-  PRUint32 length
-)
-{
-  nss_ClearErrorStack();
-
-#ifdef DEBUG
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSATAV *)NULL;
-    }
-  }
-
-  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
-    return (NSSATAV *)NULL;
-  }
-
-  if( (const void *)NULL == data ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return (NSSATAV *)NULL;
-  }
-#endif /* DEBUG */
-
-  return nssATAV_Create(arenaOpt, oid, data, length);
-}
-
-/*
- * NSSATAV_Destroy
- *
- * This routine will destroy an ATAV object.  It should eventually be
- * called on all ATAVs created without an arena.  While it is not 
- * necessary to call it on ATAVs created within an arena, it is not an
- * error to do so.  This routine returns a PRStatus value; if
- * successful, it will return PR_SUCCESS.  If unsuccessful, it will
- * create an error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ATAV
- *  
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-NSSATAV_Destroy
-(
-  NSSATAV *atav
-)
-{
-  nss_ClearErrorStack();
-
-#ifdef DEBUG
-  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
-    return PR_FAILURE;
-  }
-#endif /* DEBUG */
-
-  return nssATAV_Destroy(atav);
-}
-
-/*
- * NSSATAV_GetDEREncoding
- *
- * This routine will DER-encode an ATAV object. If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap.  This
- * routine may return null upon error, in which case it will have 
- * created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ATAV
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  The DER encoding of this NSSATAV
- */
-
-NSS_IMPLEMENT NSSDER *
-NSSATAV_GetDEREncoding
-(
-  NSSATAV *atav,
-  NSSArena *arenaOpt
-)
-{
-  nss_ClearErrorStack();
-
-#ifdef DEBUG
-  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
-    return (NSSDER *)NULL;
-  }
-
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSDER *)NULL;
-    }
-  }
-#endif /* DEBUG */
-
-  return nssATAV_GetDEREncoding(atav, arenaOpt);
-}
-
-/*
- * NSSATAV_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing a string 
- * representation of the ATAV in "equals" notation (e.g., "o=Acme").  
- * If the optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained 
- * from the heap.  This routine may return null upon error, in which 
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ATAV
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 string containing the "equals" encoding of the 
- *      ATAV
- */
-
-NSS_IMPLEMENT NSSUTF8 *
-NSSATAV_GetUTF8Encoding
-(
-  NSSATAV *atav,
-  NSSArena *arenaOpt
-)
-{
-  nss_ClearErrorStack();
-
-#ifdef DEBUG
-  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
-    return (NSSUTF8 *)NULL;
-  }
-
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSUTF8 *)NULL;
-    }
-  }
-#endif /* DEBUG */
-
-  return nssATAV_GetUTF8Encoding(atav, arenaOpt);
-}
-
-/*
- * NSSATAV_GetType
- *
- * This routine returns the NSSOID corresponding to the attribute type
- * in the specified ATAV.  This routine may return NSS_OID_UNKNOWN 
- * upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- *  NSS_OID_UNKNOWN upon error
- *  An element of enum NSSOIDenum upon success
- */
-
-NSS_IMPLEMENT const NSSOID *
-NSSATAV_GetType
-(
-  NSSATAV *atav
-)
-{
-  nss_ClearErrorStack();
-
-#ifdef DEBUG
-  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
-    return (NSSOID *)NULL;
-  }
-#endif /* DEBUG */
-
-  return nssATAV_GetType(atav);
-}
-
-/*
- * NSSATAV_GetValue
- *
- * This routine returns a string containing the attribute value
- * in the specified ATAV.  If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise, the
- * memory will be obtained from the heap.  This routine may return
- * NULL upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ATAV
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSItem containing the attribute value.
- */
-
-NSS_IMPLEMENT NSSUTF8 *
-NSSATAV_GetValue
-(
-  NSSATAV *atav,
-  NSSArena *arenaOpt
-)
-{
-  nss_ClearErrorStack();
-
-#ifdef DEBUG
-  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
-    return (NSSUTF8 *)NULL;
-  }
-
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSUTF8 *)NULL;
-    }
-  }
-#endif /* DEBUG */
-
-  return nssATAV_GetValue(atav, arenaOpt);
-}
-
-/*
- * NSSATAV_Compare
- *
- * This routine compares two ATAVs for equality.  For two ATAVs to be
- * equal, the attribute types must be the same, and the attribute 
- * values must have equal length and contents.  The result of the 
- * comparison will be stored at the location pointed to by the "equalp"
- * variable, which must point to a valid PRBool.  This routine may 
- * return PR_FAILURE upon error, in which case it will have created an
- * error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ATAV
- *  NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- *  PR_FAILURE on error
- *  PR_SUCCESS upon a successful comparison (equal or not)
- */
-
-NSS_IMPLEMENT PRStatus
-NSSATAV_Compare
-(
-  NSSATAV *atav1,
-  NSSATAV *atav2,
-  PRBool *equalp
-)
-{
-  nss_ClearErrorStack();
-
-#ifdef DEBUG
-  if( PR_SUCCESS != nssATAV_verifyPointer(atav1) ) {
-    return PR_FAILURE;
-  }
-
-  if( PR_SUCCESS != nssATAV_verifyPointer(atav2) ) {
-    return PR_FAILURE;
-  }
-
-  if( (PRBool *)NULL == equalp ) {
-    nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
-    return PR_FAILURE;
-  }
-#endif /* DEBUG */
-
-  return nssATAV_Compare(atav1, atav2, equalp);
-}
-
-/*
- * NSSATAV_Duplicate
- *
- * This routine duplicates the specified ATAV.  If the optional arena 
- * argument is non-null, the memory required will be obtained from
- * that arena; otherwise, the memory will be obtained from the heap.  
- * This routine may return NULL upon error, in which case it will have 
- * created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ATAV
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL on error
- *  A pointer to a new ATAV
- */
-
-NSS_IMPLEMENT NSSATAV *
-NSSATAV_Duplicate
-(
-  NSSATAV *atav,
-  NSSArena *arenaOpt
-)
-{
-  nss_ClearErrorStack();
-
-#ifdef DEBUG
-  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
-    return (NSSATAV *)NULL;
-  }
-
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSATAV *)NULL;
-    }
-  }
-#endif /* DEBUG */
-
-  return nssATAV_Duplicate(atav, arenaOpt);
-}
-
-/*
- * The pointer-tracking code
- */
-
-#ifdef DEBUG
-extern const NSSError NSS_ERROR_INTERNAL_ERROR;
-
-static nssPointerTracker atav_pointer_tracker;
-
-static PRStatus
-atav_add_pointer
-(
-  const NSSATAV *atav
-)
-{
-  PRStatus rv;
-
-  rv = nssPointerTracker_initialize(&atav_pointer_tracker);
-  if( PR_SUCCESS != rv ) {
-    return rv;
-  }
-
-  rv = nssPointerTracker_add(&atav_pointer_tracker, atav);
-  if( PR_SUCCESS != rv ) {
-    NSSError e = NSS_GetError();
-    if( NSS_ERROR_NO_MEMORY != e ) {
-      nss_SetError(NSS_ERROR_INTERNAL_ERROR);
-    }
-
-    return rv;
-  }
-
-  return PR_SUCCESS;
-}
-
-static PRStatus
-atav_remove_pointer
-(
-  const NSSATAV *atav
-)
-{
-  PRStatus rv;
-
-  rv = nssPointerTracker_remove(&atav_pointer_tracker, atav);
-  if( PR_SUCCESS != rv ) {
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
-  }
-
-  return rv;
-}
-
-/*
- * nssATAV_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSATAV object,
- * this routine will return PR_SUCCESS.  Otherwise, it will put an
- * error on the error stack and return PR_FAILRUE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NSSATAV
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  PR_SUCCESS if the pointer is valid
- *  PR_FAILURE if it isn't
- */
-
-NSS_IMPLEMENT PRStatus
-nssATAV_verifyPointer
-(
-  NSSATAV *atav
-)
-{
-  PRStatus rv;
-
-  rv = nssPointerTracker_initialize(&atav_pointer_tracker);
-  if( PR_SUCCESS != rv ) {
-    return PR_FAILURE;
-  }
-
-  rv = nssPointerTracker_verify(&atav_pointer_tracker, atav);
-  if( PR_SUCCESS != rv ) {
-    nss_SetError(NSS_ERROR_INVALID_ATAV);
-    return PR_FAILURE;
-  }
-
-  return PR_SUCCESS;
-}
-#endif /* DEBUG */
-
-typedef struct {
-  NSSBER oid;
-  NSSBER value;
-} atav_holder;
-
-static const nssASN1Template nss_atav_template[] = {
-  { nssASN1_SEQUENCE, 0, NULL, sizeof(atav_holder) },
-  { nssASN1_OBJECT_ID, nsslibc_offsetof(atav_holder, oid), NULL, 0 },
-  { nssASN1_ANY, nsslibc_offsetof(atav_holder, value), NULL, 0 },
-  { 0, 0, NULL, 0 }
-};
-
-/*
- * There are several common attributes, with well-known type aliases
- * and value semantics.  This table lists the ones we recognize.
- */
-
-struct nss_attribute_data_str {
-  const NSSOID **oid;
-  nssStringType stringType;
-  PRUint32 minStringLength;
-  PRUint32 maxStringLength; /* zero for no limit */
-};
-
-static const struct nss_attribute_data_str nss_attribute_data[] = {
-  { &NSS_OID_X520_NAME,                     
-    nssStringType_DirectoryString, 1, 32768 },
-  { &NSS_OID_X520_COMMON_NAME,              
-    nssStringType_DirectoryString, 1,    64 },
-  { &NSS_OID_X520_SURNAME,                  
-    nssStringType_DirectoryString, 1,    40 },
-  { &NSS_OID_X520_GIVEN_NAME,               
-    nssStringType_DirectoryString, 1,    16 },
-  { &NSS_OID_X520_INITIALS,                 
-    nssStringType_DirectoryString, 1,     5 },
-  { &NSS_OID_X520_GENERATION_QUALIFIER,     
-    nssStringType_DirectoryString, 1,     3 },
-  { &NSS_OID_X520_DN_QUALIFIER,             
-    nssStringType_PrintableString, 1,     0 },
-  { &NSS_OID_X520_COUNTRY_NAME,             
-    nssStringType_PrintableString, 2,     2 },
-  { &NSS_OID_X520_LOCALITY_NAME,            
-    nssStringType_DirectoryString, 1,   128 },
-  { &NSS_OID_X520_STATE_OR_PROVINCE_NAME,   
-    nssStringType_DirectoryString, 1,   128 },
-  { &NSS_OID_X520_ORGANIZATION_NAME,        
-    nssStringType_DirectoryString, 1,    64 },
-  { &NSS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 
-    nssStringType_DirectoryString, 1,
-    /*
-     * Note, draft #11 defines both "32" and "64" for this maximum,
-     * in two separate places.  Until it's settled, "conservative
-     * in what you send."  We're always liberal in what we accept.
-     */
-                                         32 },
-  { &NSS_OID_X520_TITLE,                    
-    nssStringType_DirectoryString, 1,    64 },
-  { &NSS_OID_RFC1274_EMAIL,                 
-    nssStringType_PHGString,       1,   128 }
-};
-
-PRUint32 nss_attribute_data_quantity = 
-  (sizeof(nss_attribute_data)/sizeof(nss_attribute_data[0]));
-
-static nssStringType
-nss_attr_underlying_string_form
-(
-  nssStringType type,
-  void *data
-)
-{
-  if( nssStringType_DirectoryString == type ) {
-    PRUint8 tag = *(PRUint8 *)data;
-    switch( tag & nssASN1_TAGNUM_MASK ) {
-    case 20:
-      /*
-       * XXX fgmr-- we have to accept Latin-1 for Teletex; (see
-       * below) but is T61 a suitable value for "Latin-1"?
-       */
-      return nssStringType_TeletexString;
-    case 19:
-      return nssStringType_PrintableString;
-    case 28:
-      return nssStringType_UniversalString;
-    case 30:
-      return nssStringType_BMPString;
-    case 12:
-      return nssStringType_UTF8String;
-    default:
-      return nssStringType_Unknown;
-    }
-  }
-
-  return type;
-}
-    
-
-/*
- * This routine decodes the attribute value, in a type-specific way.
- *
- */
-
-static NSSUTF8 *
-nss_attr_to_utf8
-(
-  NSSArena *arenaOpt,
-  const NSSOID *oid,
-  NSSItem *item,
-  nssStringType *stringForm
-)
-{
-  NSSUTF8 *rv = (NSSUTF8 *)NULL;
-  PRUint32 i;
-  const struct nss_attribute_data_str *which = 
-    (struct nss_attribute_data_str *)NULL;
-  PRUint32 len = 0;
-
-  for( i = 0; i < nss_attribute_data_quantity; i++ ) {
-    if( *(nss_attribute_data[ i ].oid) == oid ) {
-      which = &nss_attribute_data[i];
-      break;
-    }
-  }
-
-  if( (struct nss_attribute_data_str *)NULL == which ) {
-    /* Unknown OID.  Encode it as hex. */
-    PRUint8 *c;
-    PRUint8 *d = (PRUint8 *)item->data;
-    PRUint32 amt = item->size;
-
-    if( item->size >= 0x7FFFFFFF ) {
-      nss_SetError(NSS_ERROR_INVALID_STRING);
-      return (NSSUTF8 *)NULL;
-    }
-
-    len = 1 + (item->size * 2) + 1; /* '#' + hex + '\0' */
-    rv = (NSSUTF8 *)nss_ZAlloc(arenaOpt, len);
-    if( (NSSUTF8 *)NULL == rv ) {
-      return (NSSUTF8 *)NULL;
-    }
-
-    c = (PRUint8 *)rv;
-    *c++ = '#'; /* XXX fgmr check this */
-    while( amt > 0 ) {
-      static char hex[16] = "0123456789ABCDEF";
-      *c++ = hex[ ((*d) & 0xf0) >> 4 ];
-      *c++ = hex[ ((*d) & 0x0f)      ];
-    }
-
-    /* *c = '\0'; nss_ZAlloc, remember */
-
-    *stringForm = nssStringType_Unknown; /* force exact comparison */
-  } else {
-    PRStatus status;
-    rv = nssUTF8_CreateFromBER(arenaOpt, which->stringType, 
-                               (NSSBER *)item);
-
-    if( (NSSUTF8 *)NULL == rv ) {
-      return (NSSUTF8 *)NULL;
-    }
-
-    len = nssUTF8_Length(rv, &status);
-    if( PR_SUCCESS != status || len == 0 ) {
-      nss_ZFreeIf(rv);
-      return (NSSUTF8 *)NULL;
-    }
-
-    *stringForm = nss_attr_underlying_string_form(which->stringType,
-                                                  item->data);
-  }
-
-  return rv;
-}
-
-/*
- * nssATAV_CreateFromBER
- * 
- * This routine creates an NSSATAV by decoding a BER- or DER-encoded
- * ATAV.  If the optional arena argument is non-null, the memory used 
- * will be obtained from that arena; otherwise, the memory will be 
- * obtained from the heap.  This routine may return NULL upon error, 
- * in which case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_BER
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSATAV upon success
- */
-
-NSS_IMPLEMENT NSSATAV *
-nssATAV_CreateFromBER
-(
-  NSSArena *arenaOpt,
-  const NSSBER *berATAV
-)
-{
-  atav_holder holder;
-  PRStatus status;
-  NSSATAV *rv;
-
-#ifdef NSSDEBUG
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSATAV *)NULL;
-    }
-  }
-
-  /* 
-   * NSSBERs can be created by the user, 
-   * so no pointer-tracking can be checked.
-   */
-
-  if( (NSSBER *)NULL == berATAV ) {
-    nss_SetError(NSS_ERROR_INVALID_BER);
-    return (NSSATAV *)NULL;
-  }
-
-  if( (void *)NULL == berATAV->data ) {
-    nss_SetError(NSS_ERROR_INVALID_BER);
-    return (NSSATAV *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  status = nssASN1_DecodeBER(arenaOpt, &holder, 
-                             nss_atav_template, berATAV);
-  if( PR_SUCCESS != status ) {
-    return (NSSATAV *)NULL;
-  }
-
-  rv = nss_ZNEW(arenaOpt, NSSATAV);
-  if( (NSSATAV *)NULL == rv ) {
-    nss_ZFreeIf(holder.oid.data);
-    nss_ZFreeIf(holder.value.data);
-    return (NSSATAV *)NULL;
-  }
-
-  rv->oid = nssOID_CreateFromBER(&holder.oid);
-  if( (NSSOID *)NULL == rv->oid ) {
-    nss_ZFreeIf(rv);
-    nss_ZFreeIf(holder.oid.data);
-    nss_ZFreeIf(holder.value.data);
-    return (NSSATAV *)NULL;
-  }
-
-  nss_ZFreeIf(holder.oid.data);
-
-  rv->ber.data = nss_ZAlloc(arenaOpt, berATAV->size);
-  if( (void *)NULL == rv->ber.data ) {
-    nss_ZFreeIf(rv);
-    nss_ZFreeIf(holder.value.data);
-    return (NSSATAV *)NULL;
-  }
-
-  rv->ber.size = berATAV->size;
-  (void)nsslibc_memcpy(rv->ber.data, berATAV->data, berATAV->size);
-
-  rv->value = nss_attr_to_utf8(arenaOpt, rv->oid, &holder.value,
-                               &rv->stringForm);
-  if( (NSSUTF8 *)NULL == rv->value ) {
-    nss_ZFreeIf(rv->ber.data);
-    nss_ZFreeIf(rv);
-    nss_ZFreeIf(holder.value.data);
-    return (NSSATAV *)NULL;
-  }
-
-  nss_ZFreeIf(holder.value.data);
-
-#ifdef DEBUG
-  if( PR_SUCCESS != atav_add_pointer(rv) ) {
-    nss_ZFreeIf(rv->ber.data);
-    nss_ZFreeIf(rv->value);
-    nss_ZFreeIf(rv);
-    return (NSSATAV *)NULL;
-  }
-#endif /* DEBUG */
-
-  return rv;
-}
-
-static PRBool
-nss_atav_utf8_string_is_hex
-(
-  const NSSUTF8 *s
-)
-{
-  /* All hex digits are ASCII, so this works */
-  PRUint8 *p = (PRUint8 *)s;
-
-  for( ; (PRUint8)0 != *p; p++ ) {
-    if( (('0' <= *p) && (*p <= '9')) ||
-        (('A' <= *p) && (*p <= 'F')) ||
-        (('a' <= *p) && (*p <= 'f')) ) {
-      continue;
-    } else {
-      return PR_FALSE;
-    }
-  }
-
-  return PR_TRUE;
-}
-
-static NSSUTF8
-nss_atav_fromhex
-(
-  NSSUTF8 *d
-)
-{
-  NSSUTF8 rv;
-
-  if( d[0] <= '9' ) {
-    rv = (d[0] - '0') * 16;
-  } else if( d[0] >= 'a' ) {
-    rv = (d[0] - 'a' + 10) * 16;
-  } else {
-    rv = (d[0] - 'A' + 10);
-  }
-
-  if( d[1] <= '9' ) {
-    rv += (d[1] - '0');
-  } else if( d[1] >= 'a' ) {
-    rv += (d[1] - 'a' + 10);
-  } else {
-    rv += (d[1] - 'A' + 10);
-  }
-
-  return rv;
-}
-
-/*
- * nssATAV_CreateFromUTF8
- *
- * This routine creates an NSSATAV by decoding a UTF8 string in the
- * "equals" format, e.g., "c=US."  If the optional arena argument is 
- * non-null, the memory used will be obtained from that arena; 
- * otherwise, the memory will be obtained from the heap.  This routine
- * may return NULL upon error, in which case it will have set an error 
- * on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_UNKNOWN_ATTRIBUTE
- *  NSS_ERROR_INVALID_STRING
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSATAV upon success
- */
-
-extern const NSSError NSS_ERROR_INTERNAL_ERROR;
-
-NSS_IMPLEMENT NSSATAV *
-nssATAV_CreateFromUTF8
-(
-  NSSArena *arenaOpt,
-  const NSSUTF8 *stringATAV
-)
-{
-  char *c;
-  NSSUTF8 *type;
-  NSSUTF8 *value;
-  PRUint32 i;
-  const NSSOID *oid = (NSSOID *)NULL;
-  NSSATAV *rv;
-  NSSItem xitem;
-
-  xitem.data = (void *)NULL;
-
-  for( c = (char *)stringATAV; '\0' != *c; c++ ) {
-    if( '=' == *c ) {
-#ifdef PEDANTIC
-      /*
-       * Theoretically, one could have an '=' in an 
-       * attribute string alias.  We don't, yet, though.
-       */
-      if( (char *)stringATAV == c ) {
-        nss_SetError(NSS_ERROR_INVALID_STRING);
-        return (NSSATAV *)NULL;
-      } else {
-        if( '\\' == c[-1] ) {
-          continue;
-        }
-      }
-#endif /* PEDANTIC */
-      break;
-    }
-  }
-
-  if( '\0' == *c ) {
-    nss_SetError(NSS_ERROR_INVALID_UTF8);
-    return (NSSATAV *)NULL;
-  } else {
-    c++;
-    value = (NSSUTF8 *)c;
-  }
-
-  i = ((NSSUTF8 *)c - stringATAV);
-  type = (NSSUTF8 *)nss_ZAlloc((NSSArena *)NULL, i);
-  if( (NSSUTF8 *)NULL == type ) {
-    return (NSSATAV *)NULL;
-  }
-
-  (void)nsslibc_memcpy(type, stringATAV, i-1);
-
-  c = (char *)stringATAV;
-  if( (('0' <= *c) && (*c <= '9')) || ('#' == *c) ) {
-    oid = nssOID_CreateFromUTF8(type);
-    if( (NSSOID *)NULL == oid ) {
-      nss_ZFreeIf(type);
-      return (NSSATAV *)NULL;
-    }
-  } else {
-    for( i = 0; i < nss_attribute_type_alias_count; i++ ) {
-      PRStatus status;
-      const nssAttributeTypeAliasTable *e = &nss_attribute_type_aliases[i];
-      PRBool match = nssUTF8_CaseIgnoreMatch(type, e->alias, &status);
-      if( PR_SUCCESS != status ) {
-        nss_ZFreeIf(type);
-        return (NSSATAV *)NULL;
-      }
-      if( PR_TRUE == match ) {
-        oid = *(e->oid);
-        break;
-      }
-    }
-
-    if( (NSSOID *)NULL == oid ) {
-      nss_ZFreeIf(type);
-      nss_SetError(NSS_ERROR_UNKNOWN_ATTRIBUTE);
-      return (NSSATAV *)NULL;
-    }
-  }
-
-  nss_ZFreeIf(type);
-  type = (NSSUTF8 *)NULL;
-
-  rv = nss_ZNEW(arenaOpt, NSSATAV);
-  if( (NSSATAV *)NULL == rv ) {
-    return (NSSATAV *)NULL;
-  }
-
-  rv->oid = oid;
-
-  if( '#' == *value ) { /* XXX fgmr.. was it '#'?  or backslash? */
-    PRUint32 size;
-    PRUint32 len;
-    NSSUTF8 *c;
-    NSSUTF8 *d;
-    PRStatus status;
-    /* It's in hex */
-
-    value++;
-    if( PR_TRUE != nss_atav_utf8_string_is_hex(value) ) {
-      (void)nss_ZFreeIf(rv);
-      nss_SetError(NSS_ERROR_INVALID_STRING);
-      return (NSSATAV *)NULL;
-    }
-
-    size = nssUTF8_Size(value, &status);
-    if( PR_SUCCESS != status ) {
-      /* 
-       * Only returns an error on bad pointer (nope) or string
-       * too long.  The defined limits for known attributes are
-       * small enough to fit in PRUint32, and when undefined we
-       * get to apply our own practical limits.  Ergo, I say the 
-       * string is invalid.
-       */
-      (void)nss_ZFreeIf(rv);
-      nss_SetError(NSS_ERROR_INVALID_STRING);
-      return (NSSATAV *)NULL;
-    }
-
-    if( ((size-1) & 1) ) {
-      /* odd length */
-      (void)nss_ZFreeIf(rv);
-      nss_SetError(NSS_ERROR_INVALID_STRING);
-      return (NSSATAV *)NULL;
-    }
-
-    len = (size-1)/2;
-
-    rv->value = (NSSUTF8 *)nss_ZAlloc(arenaOpt, len+1);
-    if( (NSSUTF8 *)NULL == rv->value ) {
-      (void)nss_ZFreeIf(rv);
-      return (NSSATAV *)NULL;
-    }
-
-    xitem.size = len;
-    xitem.data = (void *)rv->value;
-
-    for( c = rv->value, d = value; len--; c++, d += 2 ) {
-      *c = nss_atav_fromhex(d);
-    }
-
-    *c = 0;
-  } else {
-    PRStatus status;
-    PRUint32 i, len;
-    PRUint8 *s;
-
-    /*
-     * XXX fgmr-- okay, this is a little wasteful, and should
-     * probably be abstracted out a bit.  Later.
-     */
-
-    rv->value = nssUTF8_Duplicate(value, arenaOpt);
-    if( (NSSUTF8 *)NULL == rv->value ) {
-      (void)nss_ZFreeIf(rv);
-      return (NSSATAV *)NULL;
-    }
-
-    len = nssUTF8_Size(rv->value, &status);
-    if( PR_SUCCESS != status ) {
-      (void)nss_ZFreeIf(rv->value);
-      (void)nss_ZFreeIf(rv);
-      return (NSSATAV *)NULL;
-    }
-
-    s = (PRUint8 *)rv->value;
-    for( i = 0; i < len; i++ ) {
-      if( '\\' == s[i] ) {
-        (void)nsslibc_memcpy(&s[i], &s[i+1], len-i-1);
-      }
-    }
-  }
-
-  /* Now just BER-encode the baby and we're through.. */
-  {
-    const struct nss_attribute_data_str *which = 
-      (struct nss_attribute_data_str *)NULL;
-    PRUint32 i;
-    NSSArena *a;
-    NSSDER *oidder;
-    NSSItem *vitem;
-    atav_holder ah;
-    NSSDER *status;
-
-    for( i = 0; i < nss_attribute_data_quantity; i++ ) {
-      if( *(nss_attribute_data[ i ].oid) == rv->oid ) {
-        which = &nss_attribute_data[i];
-        break;
-      }
-    }
-
-    a = NSSArena_Create();
-    if( (NSSArena *)NULL == a ) {
-      (void)nss_ZFreeIf(rv->value);
-      (void)nss_ZFreeIf(rv);
-      return (NSSATAV *)NULL;
-    }
-
-    oidder = nssOID_GetDEREncoding(rv->oid, (NSSDER *)NULL, a);
-    if( (NSSDER *)NULL == oidder ) {
-      (void)NSSArena_Destroy(a);
-      (void)nss_ZFreeIf(rv->value);
-      (void)nss_ZFreeIf(rv);
-      return (NSSATAV *)NULL;
-    }
-
-    if( (struct nss_attribute_data_str *)NULL == which ) {
-      /*
-       * We'll just have to take the user data as an octet stream.
-       */
-      if( (void *)NULL == xitem.data ) {
-        /*
-         * This means that an ATTR entry has been added to oids.txt,
-         * but no corresponding entry has been added to the array
-         * ns_attribute_data[] above.
-         */
-        nss_SetError(NSS_ERROR_INTERNAL_ERROR);
-        (void)NSSArena_Destroy(a);
-        (void)nss_ZFreeIf(rv->value);
-        (void)nss_ZFreeIf(rv);
-        return (NSSATAV *)NULL;
-      }
-
-      vitem = nssASN1_EncodeItem(a, (NSSDER *)NULL, &xitem, 
-                                 nssASN1Template_OctetString, NSSASN1DER);
-      if( (NSSItem *)NULL == vitem ) {
-        (void)NSSArena_Destroy(a);
-        (void)nss_ZFreeIf(rv->value);
-        (void)nss_ZFreeIf(rv);
-        return (NSSATAV *)NULL;
-      }
-
-      rv->stringForm = nssStringType_Unknown;
-    } else {
-      PRUint32 length = 0;
-      PRStatus stat;
-      
-      length = nssUTF8_Length(rv->value, &stat);
-      if( PR_SUCCESS != stat ) {
-        (void)NSSArena_Destroy(a);
-        (void)nss_ZFreeIf(rv->value);
-        (void)nss_ZFreeIf(rv);
-        return (NSSATAV *)NULL;
-      }
-
-      if( ((0 != which->minStringLength) && 
-           (length < which->minStringLength)) ||
-          ((0 != which->maxStringLength) &&
-           (length > which->maxStringLength)) ) {
-        nss_SetError(NSS_ERROR_INVALID_STRING);
-        (void)NSSArena_Destroy(a);
-        (void)nss_ZFreeIf(rv->value);
-        (void)nss_ZFreeIf(rv);
-        return (NSSATAV *)NULL;
-      }
-
-      vitem = nssUTF8_GetDEREncoding(a, which->stringType, rv->value);
-      if( (NSSItem *)NULL == vitem ) {
-        (void)NSSArena_Destroy(a);
-        (void)nss_ZFreeIf(rv->value);
-        (void)nss_ZFreeIf(rv);
-        return (NSSATAV *)NULL;
-      }
-
-      if( nssStringType_DirectoryString == which->stringType ) {
-        rv->stringForm = nssStringType_UTF8String;
-      } else {
-        rv->stringForm = which->stringType;
-      }
-    }
-
-    ah.oid = *oidder;
-    ah.value = *vitem;
-
-    status = nssASN1_EncodeItem(arenaOpt, &rv->ber, &ah, 
-                                nss_atav_template, NSSASN1DER);
-
-    if( (NSSDER *)NULL == status ) {
-      (void)NSSArena_Destroy(a);
-      (void)nss_ZFreeIf(rv->value);
-      (void)nss_ZFreeIf(rv);
-      return (NSSATAV *)NULL;
-    }
-
-    (void)NSSArena_Destroy(a);
-  }
-
-  return rv;
-}
-
-/*
- * nssATAV_Create
- *
- * This routine creates an NSSATAV from the specified NSSOID and the
- * specified data. If the optional arena argument is non-null, the 
- * memory used will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap.If the specified data length is zero, 
- * the data is assumed to be terminated by first zero byte; this allows 
- * UTF8 strings to be easily specified.  This routine may return NULL 
- * upon error, in which case it will have set an error on the error 
- * stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_INVALID_NSSOID
- *  NSS_ERROR_INVALID_POINTER
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSATAV upon success
- */
-
-NSS_IMPLEMENT NSSATAV *
-nssATAV_Create
-(
-  NSSArena *arenaOpt,
-  const NSSOID *oid,
-  const void *data,
-  PRUint32 length
-)
-{
-#ifdef NSSDEBUG
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSATAV *)NULL;
-    }
-  }
-
-  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
-    return (NSSATAV *)NULL;
-  }
-
-  if( (const void *)NULL == data ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return (NSSATAV *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  /* XXX fgmr-- oops, forgot this one */
-  return (NSSATAV *)NULL;
-}
-
-/*
- * nssATAV_Destroy
- *
- * This routine will destroy an ATAV object.  It should eventually be
- * called on all ATAVs created without an arena.  While it is not 
- * necessary to call it on ATAVs created within an arena, it is not an
- * error to do so.  This routine returns a PRStatus value; if
- * successful, it will return PR_SUCCESS.  If unsuccessful, it will
- * set an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ATAV
- *  
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_IMPLEMENT PRStatus
-nssATAV_Destroy
-(
-  NSSATAV *atav
-)
-{
-#ifdef NSSDEBUG
-  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
-    return PR_FAILURE;
-  }
-#endif /* NSSDEBUG */
-
-  (void)nss_ZFreeIf(atav->ber.data);
-  (void)nss_ZFreeIf(atav->value);
-
-#ifdef DEBUG
-  if( PR_SUCCESS != atav_remove_pointer(atav) ) {
-    return PR_FAILURE;
-  }
-#endif /* DEBUG */
-
-  return PR_SUCCESS;
-}
-
-/*
- * nssATAV_GetDEREncoding
- *
- * This routine will DER-encode an ATAV object. If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap.  This
- * routine may return null upon error, in which case it will have set
- * an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ATAV
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  The DER encoding of this NSSATAV
- */
-
-NSS_IMPLEMENT NSSDER *
-nssATAV_GetDEREncoding
-(
-  NSSATAV *atav,
-  NSSArena *arenaOpt
-)
-{
-  NSSDER *rv;
-
-#ifdef NSSDEBUG
-  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
-    return (NSSDER *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  rv = nss_ZNEW(arenaOpt, NSSDER);
-  if( (NSSDER *)NULL == rv ) {
-    return (NSSDER *)NULL;
-  }
-
-  rv->data = nss_ZAlloc(arenaOpt, atav->ber.size);
-  if( (void *)NULL == rv->data ) {
-    (void)nss_ZFreeIf(rv);
-    return (NSSDER *)NULL;
-  }
-
-  rv->size = atav->ber.size;
-  if( NULL == nsslibc_memcpy(rv->data, atav->ber.data, rv->size) ) {
-    (void)nss_ZFreeIf(rv->data);
-    (void)nss_ZFreeIf(rv);
-    return (NSSDER *)NULL;
-  }
-
-  return rv;
-}
-
-/*
- * nssATAV_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing a string 
- * representation of the ATAV in "equals" notation (e.g., "o=Acme").  
- * If the optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained 
- * from the heap.  This routine may return null upon error, in which 
- * case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ATAV
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 string containing the "equals" encoding of the 
- *      ATAV
- */
-
-NSS_IMPLEMENT NSSUTF8 *
-nssATAV_GetUTF8Encoding
-(
-  NSSATAV *atav,
-  NSSArena *arenaOpt
-)
-{
-  NSSUTF8 *rv;
-  PRUint32 i;
-  const NSSUTF8 *alias = (NSSUTF8 *)NULL;
-  NSSUTF8 *oid;
-  NSSUTF8 *value;
-  PRUint32 oidlen;
-  PRUint32 valuelen;
-  PRUint32 totallen;
-  PRStatus status;
-
-#ifdef NSSDEBUG
-  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
-    return (NSSUTF8 *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  for( i = 0; i < nss_attribute_type_alias_count; i++ ) {
-    if( *(nss_attribute_type_aliases[i].oid) == atav->oid ) {
-      alias = nss_attribute_type_aliases[i].alias;
-      break;
-    }
-  }
-
-  if( (NSSUTF8 *)NULL == alias ) {
-    oid = nssOID_GetUTF8Encoding(atav->oid, (NSSArena *)NULL);
-    if( (NSSUTF8 *)NULL == oid ) {
-      return (NSSUTF8 *)NULL;
-    }
-
-    oidlen = nssUTF8_Size(oid, &status);
-    if( PR_SUCCESS != status ) {
-      (void)nss_ZFreeIf(oid);
-      return (NSSUTF8 *)NULL;
-    }
-  } else {
-    oidlen = nssUTF8_Size(alias, &status);
-    if( PR_SUCCESS != status ) {
-      return (NSSUTF8 *)NULL;
-    }
-    oid = (NSSUTF8 *)NULL;
-  }
-
-  value = nssATAV_GetValue(atav, (NSSArena *)NULL);
-  if( (NSSUTF8 *)NULL == value ) {
-    (void)nss_ZFreeIf(oid);
-    return (NSSUTF8 *)NULL;
-  }
-
-  valuelen = nssUTF8_Size(value, &status);
-  if( PR_SUCCESS != status ) {
-    (void)nss_ZFreeIf(value);
-    (void)nss_ZFreeIf(oid);
-    return (NSSUTF8 *)NULL;
-  }
-
-  totallen = oidlen + valuelen - 1 + 1;
-  rv = (NSSUTF8 *)nss_ZAlloc(arenaOpt, totallen);
-  if( (NSSUTF8 *)NULL == rv ) {
-    (void)nss_ZFreeIf(value);
-    (void)nss_ZFreeIf(oid);
-    return (NSSUTF8 *)NULL;
-  }
-
-  if( (NSSUTF8 *)NULL == alias ) {
-    if( (void *)NULL == nsslibc_memcpy(rv, oid, oidlen-1) ) {
-      (void)nss_ZFreeIf(rv);
-      (void)nss_ZFreeIf(value);
-      (void)nss_ZFreeIf(oid);
-      return (NSSUTF8 *)NULL;
-    }
-  } else {
-    if( (void *)NULL == nsslibc_memcpy(rv, alias, oidlen-1) ) {
-      (void)nss_ZFreeIf(rv);
-      (void)nss_ZFreeIf(value);
-      return (NSSUTF8 *)NULL;
-    }
-  }
-
-  rv[ oidlen-1 ] = '=';
-
-  if( (void *)NULL == nsslibc_memcpy(&rv[oidlen], value, valuelen) ) {
-    (void)nss_ZFreeIf(rv);
-    (void)nss_ZFreeIf(value);
-    (void)nss_ZFreeIf(oid);
-    return (NSSUTF8 *)NULL;
-  }
-
-  return rv;
-}
-
-/*
- * nssATAV_GetType
- *
- * This routine returns the NSSOID corresponding to the attribute type
- * in the specified ATAV.  This routine may return NSS_OID_UNKNOWN 
- * upon error, in which case it will have set an error on the error
- * stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- *  NSS_OID_UNKNOWN upon error
- *  A valid NSSOID pointer upon success
- */
-
-NSS_IMPLEMENT const NSSOID *
-nssATAV_GetType
-(
-  NSSATAV *atav
-)
-{
-#ifdef NSSDEBUG
-  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
-    return (NSSOID *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  return atav->oid;
-}
-
-/*
- * nssATAV_GetValue
- *
- * This routine returns a NSSUTF8 string containing the attribute value
- * in the specified ATAV.  If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise, the
- * memory will be obtained from the heap.  This routine may return
- * NULL upon error, in which case it will have set an error upon the
- * error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ATAV
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSItem containing the attribute value.
- */
-
-NSS_IMPLEMENT NSSUTF8 *
-nssATAV_GetValue
-(
-  NSSATAV *atav,
-  NSSArena *arenaOpt
-)
-{
-#ifdef NSSDEBUG
-  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
-    return (NSSUTF8 *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  return nssUTF8_Duplicate(atav->value, arenaOpt);
-}
-
-/*
- * nssATAV_Compare
- *
- * This routine compares two ATAVs for equality.  For two ATAVs to be
- * equal, the attribute types must be the same, and the attribute 
- * values must have equal length and contents.  The result of the 
- * comparison will be stored at the location pointed to by the "equalp"
- * variable, which must point to a valid PRBool.  This routine may 
- * return PR_FAILURE upon error, in which case it will have set an 
- * error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ATAV
- *  NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- *  PR_FAILURE on error
- *  PR_SUCCESS upon a successful comparison (equal or not)
- */
-
-NSS_IMPLEMENT PRStatus
-nssATAV_Compare
-(
-  NSSATAV *atav1,
-  NSSATAV *atav2,
-  PRBool *equalp
-)
-{
-  nssStringType comparison;
-  PRUint32 len1;
-  PRUint32 len2;
-  PRStatus status;
-
-#ifdef DEBUG
-  if( PR_SUCCESS != nssATAV_verifyPointer(atav1) ) {
-    return PR_FAILURE;
-  }
-
-  if( PR_SUCCESS != nssATAV_verifyPointer(atav2) ) {
-    return PR_FAILURE;
-  }
-
-  if( (PRBool *)NULL == equalp ) {
-    nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
-    return PR_FAILURE;
-  }
-#endif /* DEBUG */
-
-  if( atav1->oid != atav2->oid ) {
-    *equalp = PR_FALSE;
-    return PR_SUCCESS;
-  }
-
-  if( atav1->stringForm != atav2->stringForm ) {
-    if( (nssStringType_PrintableString == atav1->stringForm) ||
-        (nssStringType_PrintableString == atav2->stringForm) ) {
-      comparison = nssStringType_PrintableString;
-    } else if( (nssStringType_PHGString == atav1->stringForm) ||
-               (nssStringType_PHGString == atav2->stringForm) ) {
-      comparison = nssStringType_PHGString;
-    } else {
-      comparison = atav1->stringForm;
-    }
-  } else {
-    comparison = atav1->stringForm;
-  }
-
-  switch( comparison ) {
-  case nssStringType_DirectoryString:
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
-    return PR_FAILURE;
-  case nssStringType_TeletexString:
-    break;
-  case nssStringType_PrintableString:
-    *equalp = nssUTF8_PrintableMatch(atav1->value, atav2->value, &status);
-    return status;
-    /* Case-insensitive, with whitespace reduction */
-    break;
-  case nssStringType_UniversalString:
-    break;
-  case nssStringType_BMPString:
-    break;
-  case nssStringType_GeneralString:
-    /* what to do here? */
-    break;
-  case nssStringType_UTF8String:
-    break;
-  case nssStringType_PHGString:
-    /* Case-insensitive (XXX fgmr, actually see draft-11 pg. 21) */
-    *equalp = nssUTF8_CaseIgnoreMatch(atav1->value, atav2->value, &status);
-    return status;
-  case nssStringType_Unknown:
-    break;
-  }
-  
-  len1 = nssUTF8_Size(atav1->value, &status);
-  if( PR_SUCCESS != status ) {
-    return PR_FAILURE;
-  }
-
-  len2 = nssUTF8_Size(atav2->value, &status);
-  if( PR_SUCCESS != status ) {
-    return PR_FAILURE;
-  }
-
-  if( len1 != len2 ) {
-    *equalp = PR_FALSE;
-    return PR_SUCCESS;
-  }
-
-  *equalp = nsslibc_memequal(atav1->value, atav2->value, len1, &status);
-  return status;
-}
-
-
-/*
- * nssATAV_Duplicate
- *
- * This routine duplicates the specified ATAV.  If the optional arena 
- * argument is non-null, the memory required will be obtained from
- * that arena; otherwise, the memory will be obtained from the heap.  
- * This routine may return NULL upon error, in which case it will have 
- * placed an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ATAV
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL on error
- *  A pointer to a new ATAV
- */
-
-NSS_IMPLEMENT NSSATAV *
-nssATAV_Duplicate
-(
-  NSSATAV *atav,
-  NSSArena *arenaOpt
-)
-{
-  NSSATAV *rv;
-
-#ifdef NSSDEBUG
-  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
-    return (NSSATAV *)NULL;
-  }
-
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSATAV *)NULL;
-    }
-  }
-#endif /* NSSDEBUG */
-
-  rv = nss_ZNEW(arenaOpt, NSSATAV);
-  if( (NSSATAV *)NULL == rv ) {
-    return (NSSATAV *)NULL;
-  }
-
-  rv->oid = atav->oid;
-  rv->stringForm = atav->stringForm;
-  rv->value = nssUTF8_Duplicate(atav->value, arenaOpt);
-  if( (NSSUTF8 *)NULL == rv->value ) {
-    (void)nss_ZFreeIf(rv);
-    return (NSSATAV *)NULL;
-  }
-
-  rv->ber.data = nss_ZAlloc(arenaOpt, atav->ber.size);
-  if( (void *)NULL == rv->ber.data ) {
-    (void)nss_ZFreeIf(rv->value);
-    (void)nss_ZFreeIf(rv);
-    return (NSSATAV *)NULL;
-  }
-
-  rv->ber.size = atav->ber.size;
-  if( NULL == nsslibc_memcpy(rv->ber.data, atav->ber.data, 
-                                   atav->ber.size) ) {
-    (void)nss_ZFreeIf(rv->ber.data);
-    (void)nss_ZFreeIf(rv->value);
-    (void)nss_ZFreeIf(rv);
-    return (NSSATAV *)NULL;
-  }
-
-  return rv;
-}
diff --git a/security/nss/lib/pki1/config.mk b/security/nss/lib/pki1/config.mk
deleted file mode 100644
index 3f8d47e04..000000000
--- a/security/nss/lib/pki1/config.mk
+++ /dev/null
@@ -1,51 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
-
-ifdef BUILD_IDG
-DEFINES += -DNSSDEBUG
-endif
-
-#
-#  Override TARGETS variable so that only static libraries
-#  are specifed as dependencies within rules.mk.
-#
-
-TARGETS        = 
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PROGRAM        =
diff --git a/security/nss/lib/pki1/genname.c b/security/nss/lib/pki1/genname.c
deleted file mode 100644
index 1ef37a3f0..000000000
--- a/security/nss/lib/pki1/genname.c
+++ /dev/null
@@ -1,97 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * genname.c
- *
- * This file contains the implementation of the PKIX part-1 object
- * GeneralName.
- */
-
-#ifndef NSSBASE_H
-#include "nssbase.h"
-#endif /* NSSBASE_H */
-
-#ifndef ASN1_H
-#include "asn1.h"
-#endif /* ASN1_H */
-
-#ifndef PKI1_H
-#include "pki1.h"
-#endif /* PKI1_H */
-
-/*
- * GeneralName
- *
- * From draft-ietf-pkix-ipki-part1-10:
- *
- *  GeneralName ::= CHOICE {
- *          otherName                   [0] INSTANCE OF OTHER-NAME,
- *          rfc822Name                  [1] IA5String,
- *          dNSName                     [2] IA5String,
- *          x400Address                 [3] ORAddress,
- *          directoryName               [4] Name,
- *          ediPartyName                [5] EDIPartyName,
- *          uniformResourceIdentifier   [6] IA5String,
- *          iPAddress                   [7] OCTET STRING,
- *          registeredID                [8] OBJECT IDENTIFIER }
- *  
- *  OTHER-NAME ::= TYPE-IDENTIFIER
- *  
- *  EDIPartyName ::= SEQUENCE {
- *          nameAssigner        [0] DirectoryString {ub-name} OPTIONAL,
- *          partyName           [1] DirectoryString {ub-name} }
- *
- */
-
-struct nssGeneralNameStr {
-  NSSGeneralNameChoice choice;
-  union {
-    /* OTHER-NAME otherName */
-    NSSUTF8 *rfc822Name;
-    NSSUTF8 *dNSName;
-    /* ORAddress x400Address */
-    NSSName *directoryName;
-    /* EDIPartyName ediPartyName */
-    NSSUTF8 *uniformResourceIdentifier;
-    NSSItem *iPAddress;
-    NSSOID *registeredID;
-  } u;
-};
diff --git a/security/nss/lib/pki1/gnseq.c b/security/nss/lib/pki1/gnseq.c
deleted file mode 100644
index 20bfd9c65..000000000
--- a/security/nss/lib/pki1/gnseq.c
+++ /dev/null
@@ -1,74 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * gnseq.c
- *
- * This file contains the implementation of the PKIX part-1 object
- * GeneralNames (note the ending 's').
- */
-
-#ifndef NSSBASE_H
-#include "nssbase.h"
-#endif /* NSSBASE_H */
-
-#ifndef ASN1_H
-#include "asn1.h"
-#endif /* ASN1_H */
-
-#ifndef PKI1_H
-#include "pki1.h"
-#endif /* PKI1_H */
-
-/*
- * GeneralNames (or, as we call it, GeneralNameSeq)
- *
- * From draft-ietf-pkix-ipki-part1-10:
- *
- *  GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
- *
- * A GeneralNames is simply an (ordered) sequence of General Names.
- * The seqSize variable is  "helper" kept for simplicity.
- */
-
-struct nssGeneralNameSeqStr {
-  PRUint32 seqSize;
-  NSSGeneralName **generalNames;
-};
diff --git a/security/nss/lib/pki1/manifest.mn b/security/nss/lib/pki1/manifest.mn
deleted file mode 100644
index a1fb003a8..000000000
--- a/security/nss/lib/pki1/manifest.mn
+++ /dev/null
@@ -1,69 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
-
-CORE_DEPTH = ../../..
-
-# In 4.0, move nss*.h back to EXPORTS
-PRIVATE_EXPORTS = \
-	oiddata.h \
-	pki1.h	  \
-	pki1t.h	  \
-	nsspki1.h  \
-	nsspki1t.h \
-	$(NULL)
-
-EXPORTS =	   \
-	$(NULL)
-
-MODULE = nss
-
-CSRCS = $(NULL)
-xCSRCS =	  \
-	atav.c	  \
-	genname.c \
-	gnseq.c	  \
-	name.c	  \
-	oid.c	  \
-	oiddata.c \
-	rdn.c	  \
-	rdnseq.c  \
-	$(NULL)
-
-REQUIRES = nspr
-
-#LIBRARY_NAME = pki1
diff --git a/security/nss/lib/pki1/name.c b/security/nss/lib/pki1/name.c
deleted file mode 100644
index 9e255d5d7..000000000
--- a/security/nss/lib/pki1/name.c
+++ /dev/null
@@ -1,80 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * name.c
- *
- * This file contains the implementation of the PKIX part-1 object
- * Name.
- */
-
-#ifndef NSSBASE_H
-#include "nssbase.h"
-#endif /* NSSBASE_H */
-
-#ifndef ASN1_H
-#include "asn1.h"
-#endif /* ASN1_H */
-
-#ifndef PKI1_H
-#include "pki1.h"
-#endif /* PKI1_H */
-
-/*
- * Name
- *
- * From draft-ietf-pkix-ipki-part1-10:
- *
- *  -- naming data types --
- *  
- *  Name            ::=     CHOICE { -- only one possibility for now --
- *                                          rdnSequence  RDNSequence }
- *
- * A name is basically a union of the possible names.  At the moment,
- * there is only one type of name: an RDNSequence.
- */
-
-struct nssNameStr {
-  PRUint32 tagPlaceHolder;
-  union {
-    NSSRDNSeq *rdnSequence;
-  } n;
-};
-
diff --git a/security/nss/lib/pki1/nsspki1.h b/security/nss/lib/pki1/nsspki1.h
deleted file mode 100644
index 117a48dba..000000000
--- a/security/nss/lib/pki1/nsspki1.h
+++ /dev/null
@@ -1,2872 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef NSSPKI1_H
-#define NSSPKI1_H
-
-#ifdef DEBUG
-static const char NSSPKI1_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * nsspki1.h
- *
- * This file contains the prototypes of the public NSS routines 
- * dealing with the PKIX part-1 definitions.
- */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-#ifndef NSSPKI1T_H
-#include "nsspki1t.h"
-#endif /* NSSPKI1T_H */
-
-#ifndef OIDDATA_H
-#include "oiddata.h"
-#endif /* OIDDATA_H */
-
-PR_BEGIN_EXTERN_C
-
-/*
- * NSSOID
- *
- * The public "methods" regarding this "object" are:
- *
- *  NSSOID_CreateFromBER   -- constructor
- *  NSSOID_CreateFromUTF8  -- constructor
- *  (there is no explicit destructor)
- * 
- *  NSSOID_GetDEREncoding
- *  NSSOID_GetUTF8Encoding
- */
-
-extern const NSSOID *NSS_OID_UNKNOWN;
-
-/*
- * NSSOID_CreateFromBER
- *
- * This routine creates an NSSOID by decoding a BER- or DER-encoded
- * OID.  It may return NSS_OID_UNKNOWN upon error, in which case it 
- * will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_BER
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NSS_OID_UNKNOWN upon error
- *  An NSSOID upon success
- */
-
-NSS_EXTERN NSSOID *
-NSSOID_CreateFromBER
-(
-  NSSBER *berOid
-);
-
-extern const NSSError NSS_ERROR_INVALID_BER;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * NSSOID_CreateFromUTF8
- *
- * This routine creates an NSSOID by decoding a UTF8 string 
- * representation of an OID in dotted-number format.  The string may 
- * optionally begin with an octothorpe.  It may return NSS_OID_UNKNOWN
- * upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_STRING
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NSS_OID_UNKNOWN upon error
- *  An NSSOID upon success
- */
-
-NSS_EXTERN NSSOID *
-NSSOID_CreateFromUTF8
-(
-  NSSUTF8 *stringOid
-);
-
-extern const NSSError NSS_ERROR_INVALID_STRING;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * NSSOID_GetDEREncoding
- *
- * This routine returns the DER encoding of the specified NSSOID.
- * If the optional arena argument is non-null, the memory used will
- * be obtained from that arena; otherwise, the memory will be obtained
- * from the heap.  This routine may return return null upon error, in 
- * which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NSSOID
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  The DER encoding of this NSSOID
- */
-
-NSS_EXTERN NSSDER *
-NSSOID_GetDEREncoding
-(
-  const NSSOID *oid,
-  NSSDER *rvOpt,
-  NSSArena *arenaOpt
-);
-
-extern const NSSError NSS_ERROR_INVALID_NSSOID;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * NSSOID_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing the dotted-number 
- * encoding of the specified NSSOID.  If the optional arena argument 
- * is non-null, the memory used will be obtained from that arena; 
- * otherwise, the memory will be obtained from the heap.  This routine
- * may return null upon error, in which case it will have created an
- * error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NSSOID
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 string containing the dotted-digit encoding of 
- *      this NSSOID
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSOID_GetUTF8Encoding
-(
-  const NSSOID *oid,
-  NSSArena *arenaOpt
-);
-
-extern const NSSError NSS_ERROR_INVALID_NSSOID;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * NSSATAV
- *
- * The public "methods" regarding this "object" are:
- *
- *  NSSATAV_CreateFromBER   -- constructor
- *  NSSATAV_CreateFromUTF8  -- constructor
- *  NSSATAV_Create          -- constructor
- *
- *  NSSATAV_Destroy
- *  NSSATAV_GetDEREncoding
- *  NSSATAV_GetUTF8Encoding
- *  NSSATAV_GetType
- *  NSSATAV_GetValue
- *  NSSATAV_Compare
- *  NSSATAV_Duplicate
- */
-
-/*
- * NSSATAV_CreateFromBER
- * 
- * This routine creates an NSSATAV by decoding a BER- or DER-encoded
- * ATAV.  If the optional arena argument is non-null, the memory used 
- * will be obtained from that arena; otherwise, the memory will be 
- * obtained from the heap.  This routine may return NULL upon error, 
- * in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_BER
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSATAV upon success
- */
-
-NSS_EXTERN NSSATAV *
-NSSATAV_CreateFromBER
-(
-  NSSArena *arenaOpt,
-  NSSBER *derATAV
-);
-
-extern const NSSError NSS_ERROR_INVALID_BER;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * NSSATAV_CreateFromUTF8
- *
- * This routine creates an NSSATAV by decoding a UTF8 string in the
- * "equals" format, e.g., "c=US."  If the optional arena argument is 
- * non-null, the memory used will be obtained from that arena; 
- * otherwise, the memory will be obtained from the heap.  This routine
- * may return NULL upon error, in which case it will have created an
- * error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_UNKNOWN_ATTRIBUTE
- *  NSS_ERROR_INVALID_STRING
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSATAV upon success
- */
-
-NSS_EXTERN NSSATAV *
-NSSATAV_CreateFromUTF8
-(
-  NSSArena *arenaOpt,
-  NSSUTF8 *stringATAV
-);
-
-extern const NSSError NSS_ERROR_UNKNOWN_ATTRIBUTE;
-extern const NSSError NSS_ERROR_INVALID_STRING;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * NSSATAV_Create
- *
- * This routine creates an NSSATAV from the specified NSSOID and the
- * specified data. If the optional arena argument is non-null, the 
- * memory used will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap.If the specified data length is zero, 
- * the data is assumed to be terminated by first zero byte; this allows 
- * UTF8 strings to be easily specified.  This routine may return NULL 
- * upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_INVALID_NSSOID
- *  NSS_ERROR_INVALID_POINTER
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSATAV upon success
- */
-
-NSS_EXTERN NSSATAV *
-NSSATAV_Create
-(
-  NSSArena *arenaOpt,
-  const NSSOID *oid,
-  const void *data,
-  PRUint32 length
-);
-
-extern const NSSError NSS_ERROR_INVALID_ARENA;
-extern const NSSError NSS_ERROR_INVALID_NSSOID;
-extern const NSSError NSS_ERROR_INVALID_POINTER;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * NSSATAV_Destroy
- *
- * This routine will destroy an ATAV object.  It should eventually be
- * called on all ATAVs created without an arena.  While it is not 
- * necessary to call it on ATAVs created within an arena, it is not an
- * error to do so.  This routine returns a PRStatus value; if
- * successful, it will return PR_SUCCESS.  If unsuccessful, it will
- * create an error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ATAV
- *  
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-NSSATAV_Destroy
-(
-  NSSATAV *atav
-);
-
-extern const NSSError NSS_ERROR_INVALID_ATAV;
-
-/*
- * NSSATAV_GetDEREncoding
- *
- * This routine will DER-encode an ATAV object. If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap.  This
- * routine may return null upon error, in which case it will have 
- * created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ATAV
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  The DER encoding of this NSSATAV
- */
-
-NSS_EXTERN NSSDER *
-NSSATAV_GetDEREncoding
-(
-  NSSATAV *atav,
-  NSSArena *arenaOpt
-);
-
-extern const NSSError NSS_ERROR_INVALID_ATAV;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * NSSATAV_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing a string 
- * representation of the ATAV in "equals" notation (e.g., "o=Acme").  
- * If the optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained 
- * from the heap.  This routine may return null upon error, in which 
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ATAV
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 string containing the "equals" encoding of the 
- *      ATAV
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSATAV_GetUTF8Encoding
-(
-  NSSATAV *atav,
-  NSSArena *arenaOpt
-);
-
-extern const NSSError NSS_ERROR_INVALID_ATAV;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * NSSATAV_GetType
- *
- * This routine returns the NSSOID corresponding to the attribute type
- * in the specified ATAV.  This routine may return NSS_OID_UNKNOWN 
- * upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- *  NSS_OID_UNKNOWN upon error
- *  An element of enum NSSOIDenum upon success
- */
-
-NSS_EXTERN const NSSOID *
-NSSATAV_GetType
-(
-  NSSATAV *atav
-);
-
-extern const NSSError NSS_ERROR_INVALID_ATAV;
-
-/*
- * NSSATAV_GetValue
- *
- * This routine returns an NSSItem containing the attribute value
- * in the specified ATAV.  If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise, the
- * memory will be obtained from the heap.  This routine may return
- * NULL upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ATAV
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSItem containing the attribute value.
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSATAV_GetValue
-(
-  NSSATAV *atav,
-  NSSArena *arenaOpt
-);
-
-extern const NSSError NSS_ERROR_INVALID_ATAV;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * NSSATAV_Compare
- *
- * This routine compares two ATAVs for equality.  For two ATAVs to be
- * equal, the attribute types must be the same, and the attribute 
- * values must have equal length and contents.  The result of the 
- * comparison will be stored at the location pointed to by the "equalp"
- * variable, which must point to a valid PRBool.  This routine may 
- * return PR_FAILURE upon error, in which case it will have created an
- * error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ATAV
- *  NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- *  PR_FAILURE on error
- *  PR_SUCCESS upon a successful comparison (equal or not)
- */
-
-NSS_EXTERN PRStatus
-NSSATAV_Compare
-(
-  NSSATAV *atav1,
-  NSSATAV *atav2,
-  PRBool *equalp
-);
-
-extern const NSSError NSS_ERROR_INVALID_ATAV;
-extern const NSSError NSS_ERROR_INVALID_ARGUMENT;
-
-/*
- * NSSATAV_Duplicate
- *
- * This routine duplicates the specified ATAV.  If the optional arena 
- * argument is non-null, the memory required will be obtained from
- * that arena; otherwise, the memory will be obtained from the heap.  
- * This routine may return NULL upon error, in which case it will have 
- * created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ATAV
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL on error
- *  A pointer to a new ATAV
- */
-
-NSS_EXTERN NSSATAV *
-NSSATAV_Duplicate
-(
-  NSSATAV *atav,
-  NSSArena *arenaOpt
-);
-
-extern const NSSError NSS_ERROR_INVALID_ATAV;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * NSSRDN
- *
- * The public "methods" regarding this "object" are:
- *
- *  NSSRDN_CreateFromBER   -- constructor
- *  NSSRDN_CreateFromUTF8  -- constructor
- *  NSSRDN_Create          -- constructor
- *  NSSRDN_CreateSimple    -- constructor
- *
- *  NSSRDN_Destroy
- *  NSSRDN_GetDEREncoding
- *  NSSRDN_GetUTF8Encoding
- *  NSSRDN_AddATAV
- *  NSSRDN_GetATAVCount
- *  NSSRDN_GetATAV
- *  NSSRDN_GetSimpleATAV
- *  NSSRDN_Compare
- *  NSSRDN_Duplicate
- */
-
-/*
- * NSSRDN_CreateFromBER
- *
- * This routine creates an NSSRDN by decoding a BER- or DER-encoded 
- * RDN.  If the optional arena argument is non-null, the memory used 
- * will be obtained from that arena; otherwise, the memory will be 
- * obtained from the heap.  This routine may return NULL upon error, 
- * in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_BER
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSRDN upon success
- */
-
-NSS_EXTERN NSSRDN *
-NSSRDN_CreateFromBER
-(
-  NSSArena *arenaOpt,
-  NSSBER *berRDN
-);
-
-/*
- * NSSRDN_CreateFromUTF8
- *
- * This routine creates an NSSRDN by decoding an UTF8 string 
- * consisting of either a single ATAV in the "equals" format, e.g., 
- * "uid=smith," or one or more such ATAVs in parentheses, e.g., 
- * "(sn=Smith,ou=Sales)."  If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise, the
- * memory will be obtained from the heap.  This routine may return
- * NULL upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_UNKNOWN_ATTRIBUTE
- *  NSS_ERROR_INVALID_STRING
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSRDN upon success
- */
-
-NSS_EXTERN NSSRDN *
-NSSRDN_CreateFromUTF8
-(
-  NSSArena *arenaOpt,
-  NSSUTF8 *stringRDN
-);
-
-/*
- * NSSRDN_Create
- *
- * This routine creates an NSSRDN from one or more NSSATAVs.  The
- * final argument to this routine must be NULL.  If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap.  This
- * routine may return NULL upon error, in which case it will have 
- * created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSRDN upon success
- */
-
-NSS_EXTERN NSSRDN *
-NSSRDN_Create
-(
-  NSSArena *arenaOpt,
-  NSSATAV *atav1,
-  ...
-);
-
-/*
- * NSSRDN_CreateSimple
- *
- * This routine creates a simple NSSRDN from a single NSSATAV.  If the
- * optional arena argument is non-null, the memory used will be 
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap.  This routine may return NULL upon error, in which
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSRDN upon success
- */
-
-NSS_EXTERN NSSRDN *
-NSSRDN_CreateSimple
-(
-  NSSArena *arenaOpt,
-  NSSATAV *atav
-);
-
-/*
- * NSSRDN_Destroy
- *
- * This routine will destroy an RDN object.  It should eventually be
- * called on all RDNs created without an arena.  While it is not 
- * necessary to call it on RDNs created within an arena, it is not an
- * error to do so.  This routine returns a PRStatus value; if
- * successful, it will return PR_SUCCESS.  If unsuccessful, it will 
- * create an error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDN
- *
- * Return value:
- *  PR_FAILURE upon failure
- *  PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-NSSRDN_Destroy
-(
-  NSSRDN *rdn
-);
-
-/*
- * NSSRDN_GetDEREncoding
- *
- * This routine will DER-encode an RDN object.  If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap.  This
- * routine may return null upon error, in which case it will have 
- * created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDN
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  The DER encoding of this NSSRDN
- */
-
-NSS_EXTERN NSSDER *
-NSSRDN_GetDEREncoding
-(
-  NSSRDN *rdn,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSRDN_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing a string 
- * representation of the RDN.  A simple (one-ATAV) RDN will be simply
- * the string representation of that ATAV; a non-simple RDN will be in
- * parenthesised form.  If the optional arena argument is non-null, 
- * the memory used will be obtained from that arena; otherwise, the 
- * memory will be obtained from the heap.  This routine may return 
- * null upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDN
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 string
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSRDN_GetUTF8Encoding
-(
-  NSSRDN *rdn,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSRDN_AddATAV
- *
- * This routine adds an ATAV to the set of ATAVs in the specified RDN.
- * Remember that RDNs consist of an unordered set of ATAVs.  If the
- * RDN was created with a non-null arena argument, that same arena
- * will be used for any additional required memory.  If the RDN was 
- * created with a NULL arena argument, any additional memory will
- * be obtained from the heap.  This routine returns a PRStatus value;
- * it will return PR_SUCCESS upon success, and upon failure it will
- * create an error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDN
- *  NSS_ERROR_INVALID_ATAV
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  PR_SUCCESS upon success
- *  PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSRDN_AddATAV
-(
-  NSSRDN *rdn,
-  NSSATAV *atav
-);
-
-/*
- * NSSRDN_GetATAVCount
- *
- * This routine returns the cardinality of the set of ATAVs within
- * the specified RDN.  This routine may return 0 upon error, in which 
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDN
- *
- * Return value:
- *  0 upon error
- *  A positive number upon success
- */
-
-NSS_EXTERN PRUint32
-NSSRDN_GetATAVCount
-(
-  NSSRDN *rdn
-);
-
-/*
- * NSSRDN_GetATAV
- *
- * This routine returns a pointer to an ATAV that is a member of
- * the set of ATAVs within the specified RDN.  While the set of
- * ATAVs within an RDN is unordered, this routine will return
- * distinct values for distinct values of 'i' as long as the RDN
- * is not changed in any way.  The RDN may be changed by calling
- * NSSRDN_AddATAV.  The value of the variable 'i' is on the range
- * [0,c) where c is the cardinality returned from NSSRDN_GetATAVCount.
- * The caller owns the ATAV the pointer to which is returned.  If the
- * optional arena argument is non-null, the memory used will be 
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap.  This routine may return NULL upon error, in which 
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDN
- *  NSS_ERROR_VALUE_OUT_OF_RANGE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer to an NSSATAV
- */
-
-NSS_EXTERN NSSATAV *
-NSSRDN_GetATAV
-(
-  NSSRDN *rdn,
-  NSSArena *arenaOpt,
-  PRUint32 i
-);
-
-/*
- * NSSRDN_GetSimpleATAV
- *
- * Most RDNs are actually very simple, with a single ATAV.  This 
- * routine will return the single ATAV from such an RDN.  The caller
- * owns the ATAV the pointer to which is returned.  If the optional
- * arena argument is non-null, the memory used will be obtained from
- * that arena; otherwise, the memory will be obtained from the heap.
- * This routine may return NULL upon error, including the case where
- * the set of ATAVs in the RDN is nonsingular.  Upon error, this
- * routine will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDN
- *  NSS_ERROR_RDN_NOT_SIMPLE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer to an NSSATAV
- */
-
-NSS_EXTERN NSSATAV *
-NSSRDN_GetSimpleATAV
-(
-  NSSRDN *rdn,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSRDN_Compare
- *
- * This routine compares two RDNs for equality.  For two RDNs to be
- * equal, they must have the same number of ATAVs, and every ATAV in
- * one must be equal to an ATAV in the other.  (Note that the sets
- * of ATAVs are unordered.)  The result of the comparison will be
- * stored at the location pointed to by the "equalp" variable, which
- * must point to a valid PRBool.  This routine may return PR_FAILURE
- * upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDN
- *  NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- *  PR_FAILURE on error
- *  PR_SUCCESS upon a successful comparison (equal or not)
- */
-
-NSS_EXTERN PRStatus
-NSSRDN_Compare
-(
-  NSSRDN *rdn1,
-  NSSRDN *rdn2,
-  PRBool *equalp
-);
-
-/*
- * NSSRDN_Duplicate
- *
- * This routine duplicates the specified RDN.  If the optional arena
- * argument is non-null, the memory required will be obtained from
- * that arena; otherwise, the memory will be obtained from the heap.
- * This routine may return NULL upon error, in which case it will have
- * created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDN
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL on error
- *  A pointer to a new RDN
- */
-
-NSS_EXTERN NSSRDN *
-NSSRDN_Duplicate
-(
-  NSSRDN *rdn,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSRDNSeq
- *
- * The public "methods" regarding this "object" are:
- *
- *  NSSRDNSeq_CreateFromBER   -- constructor
- *  NSSRDNSeq_CreateFromUTF8  -- constructor
- *  NSSRDNSeq_Create          -- constructor
- *
- *  NSSRDNSeq_Destroy
- *  NSSRDNSeq_GetDEREncoding
- *  NSSRDNSeq_GetUTF8Encoding
- *  NSSRDNSeq_AppendRDN
- *  NSSRDNSeq_GetRDNCount
- *  NSSRDNSeq_GetRDN
- *  NSSRDNSeq_Compare
- *  NSSRDNSeq_Duplicate
- */
-
-/*
- * NSSRDNSeq_CreateFromBER
- *
- * This routine creates an NSSRDNSeq by decoding a BER- or DER-encoded 
- * sequence of RDNs.  If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise, the
- * memory will be obtained from the heap.  This routine may return 
- * NULL upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_BER
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSRDNSeq upon success
- */
-
-NSS_EXTERN NSSRDNSeq *
-NSSRDNSeq_CreateFromBER
-(
-  NSSArena *arenaOpt,
-  NSSBER *berRDNSeq
-);
-
-/*
- * NSSRDNSeq_CreateFromUTF8
- *
- * This routine creates an NSSRDNSeq by decoding a UTF8 string
- * consisting of a comma-separated sequence of RDNs, such as
- * "(sn=Smith,ou=Sales),o=Acme,c=US."  If the optional arena argument
- * is non-null, the memory used will be obtained from that arena; 
- * otherwise, the memory will be obtained from the heap.  This routine
- * may return NULL upon error, in which case it will have created an
- * error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_UNKNOWN_ATTRIBUTE
- *  NSS_ERROR_INVALID_STRING
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSRDNSeq upon success
- */
-
-NSS_EXTERN NSSRDNSeq *
-NSSRDNSeq_CreateFromUTF8
-(
-  NSSArena *arenaOpt,
-  NSSUTF8 *stringRDNSeq
-);
-
-/*
- * NSSRDNSeq_Create
- *
- * This routine creates an NSSRDNSeq from one or more NSSRDNs.  The
- * final argument to this routine must be NULL.  If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap.  This
- * routine may return NULL upon error, in which case it will have
- * created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_INVALID_RDN
- *
- * Return value:
- *  NULL upon error
- *  A pointero to an NSSRDNSeq upon success
- */
-
-NSS_EXTERN NSSRDNSeq *
-NSSRDNSeq_Create
-(
-  NSSArena *arenaOpt,
-  NSSRDN *rdn1,
-  ...
-);
-
-/*
- * NSSRDNSeq_Destroy
- *
- * This routine will destroy an RDNSeq object.  It should eventually 
- * be called on all RDNSeqs created without an arena.  While it is not
- * necessary to call it on RDNSeqs created within an arena, it is not
- * an error to do so.  This routine returns a PRStatus value; if
- * successful, it will return PR_SUCCESS.  If unsuccessful, it will
- * create an error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDNSEQ
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-NSSRDNSeq_Destroy
-(
-  NSSRDNSeq *rdnseq
-);
-
-/*
- * NSSRDNSeq_GetDEREncoding
- *
- * This routine will DER-encode an RDNSeq object.  If the optional 
- * arena argument is non-null, the memory used will be obtained from
- * that arena; otherwise, the memory will be obtained from the heap.
- * This routine may return null upon error, in which case it will have
- * created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDNSEQ
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  The DER encoding of this NSSRDNSeq
- */
-
-NSS_EXTERN NSSDER *
-NSSRDNSeq_GetDEREncoding
-(
-  NSSRDNSeq *rdnseq,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSRDNSeq_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing a string 
- * representation of the RDNSeq as a comma-separated sequence of RDNs.  
- * If the optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained 
- * from the heap.  This routine may return null upon error, in which 
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDNSEQ
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to the UTF8 string
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSRDNSeq_GetUTF8Encoding
-(
-  NSSRDNSeq *rdnseq,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSRDNSeq_AppendRDN
- *
- * This routine appends an RDN to the end of the existing RDN 
- * sequence.  If the RDNSeq was created with a non-null arena 
- * argument, that same arena will be used for any additional required
- * memory.  If the RDNSeq was created with a NULL arena argument, any
- * additional memory will be obtained from the heap.  This routine
- * returns a PRStatus value; it will return PR_SUCCESS upon success,
- * and upon failure it will create an error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDNSEQ
- *  NSS_ERROR_INVALID_RDN
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  PR_SUCCESS upon success
- *  PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-NSSRDNSeq_AppendRDN
-(
-  NSSRDNSeq *rdnseq,
-  NSSRDN *rdn
-);
-
-/*
- * NSSRDNSeq_GetRDNCount
- *
- * This routine returns the cardinality of the sequence of RDNs within
- * the specified RDNSeq.  This routine may return 0 upon error, in 
- * which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDNSEQ
- *
- * Return value:
- *  0 upon error
- *  A positive number upon success
- */
-
-NSS_EXTERN PRUint32
-NSSRDNSeq_GetRDNCount
-(
-  NSSRDNSeq *rdnseq
-);
-
-/*
- * NSSRDNSeq_GetRDN
- *
- * This routine returns a pointer to the i'th RDN in the sequence of
- * RDNs that make up the specified RDNSeq.  The sequence begins with
- * the top-level (e.g., "c=US") RDN.  The value of the variable 'i'
- * is on the range [0,c) where c is the cardinality returned from
- * NSSRDNSeq_GetRDNCount.  The caller owns the RDN the pointer to which
- * is returned.  If the optional arena argument is non-null, the memory
- * used will be obtained from that areana; otherwise, the memory will 
- * be obtained from the heap.  This routine may return NULL upon error,
- * in which case it will have created an error stack.  Note that the 
- * usual string representation of RDN Sequences is from last to first.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDNSEQ
- *  NSS_ERROR_VALUE_OUT_OF_RANGE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer to an NSSRDN
- */
-
-NSS_EXTERN NSSRDN *
-NSSRDNSeq_GetRDN
-(
-  NSSRDNSeq *rdnseq,
-  NSSArena *arenaOpt,
-  PRUint32 i
-);
-
-/*
- * NSSRDNSeq_Compare
- *
- * This routine compares two RDNSeqs for equality.  For two RDNSeqs to 
- * be equal, they must have the same number of RDNs, and each RDN in
- * one sequence must be equal to the corresponding RDN in the other
- * sequence.  The result of the comparison will be stored at the
- * location pointed to by the "equalp" variable, which must point to a
- * valid PRBool.  This routine may return PR_FAILURE upon error, in
- * which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDNSEQ
- *  NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- *  PR_FAILURE on error
- *  PR_SUCCESS upon a successful comparison (equal or not)
- */
-
-NSS_EXTERN PRStatus
-NSSRDNSeq_Compare
-(
-  NSSRDNSeq *rdnseq1,
-  NSSRDNSeq *rdnseq2,
-  PRBool *equalp
-);
-
-/*
- * NSSRDNSeq_Duplicate
- *
- * This routine duplicates the specified RDNSeq.  If the optional arena
- * argument is non-null, the memory required will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap.  This 
- * routine may return NULL upon error, in which case it will have 
- * created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDNSEQ
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a new RDNSeq
- */
-
-NSS_EXTERN NSSRDNSeq *
-NSSRDNSeq_Duplicate
-(
-  NSSRDNSeq *rdnseq,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSName
- *
- * The public "methods" regarding this "object" are:
- *
- * NSSName_CreateFromBER   -- constructor
- * NSSName_CreateFromUTF8  -- constructor
- * NSSName_Create          -- constructor
- *
- * NSSName_Destroy
- * NSSName_GetDEREncoding
- * NSSName_GetUTF8Encoding
- * NSSName_GetChoice
- * NSSName_GetRDNSequence
- * NSSName_GetSpecifiedChoice
- * NSSName_Compare
- * NSSName_Duplicate
- *
- * NSSName_GetUID
- * NSSName_GetEmail
- * NSSName_GetCommonName
- * NSSName_GetOrganization
- * NSSName_GetOrganizationalUnits
- * NSSName_GetStateOrProvince
- * NSSName_GetLocality
- * NSSName_GetCountry
- * NSSName_GetAttribute
- */
-
-/*
- * NSSName_CreateFromBER
- *
- * This routine creates an NSSName by decoding a BER- or DER-encoded 
- * (directory) Name.  If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise, 
- * the memory will be obtained from the heap.  This routine may
- * return NULL upon error, in which case it will have created an error
- * stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_BER
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSName upon success
- */
-
-NSS_EXTERN NSSName *
-NSSName_CreateFromBER
-(
-  NSSArena *arenaOpt,
-  NSSBER *berName
-);
-
-/*
- * NSSName_CreateFromUTF8
- *
- * This routine creates an NSSName by decoding a UTF8 string 
- * consisting of the string representation of one of the choices of 
- * (directory) names.  Currently the only choice is an RDNSeq.  If the
- * optional arena argument is non-null, the memory used will be 
- * obtained from that arena; otherwise, the memory will be obtained 
- * from the heap.  The routine may return NULL upon error, in which
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_STRING
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSName upon success
- */
-
-NSS_EXTERN NSSName *
-NSSName_CreateFromUTF8
-(
-  NSSArena *arenaOpt,
-  NSSUTF8 *stringName
-);
-
-/*
- * NSSName_Create
- *
- * This routine creates an NSSName with the specified choice of
- * underlying name types.  The value of the choice variable must be
- * one of the values of the NSSNameChoice enumeration, and the type
- * of the arg variable must be as specified in the following table:
- *
- *   Choice                     Type
- *   ========================   ===========
- *   NSSNameChoiceRdnSequence   NSSRDNSeq *
- *
- * If the optional arena argument is non-null, the memory used will
- * be obtained from that arena; otherwise, the memory will be 
- * obtained from the heap.  This routine may return NULL upon error,
- * in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_CHOICE
- *  NSS_ERROR_INVALID_ARGUMENT
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSName upon success
- */
-
-NSS_EXTERN NSSName *
-NSSName_Create
-(
-  NSSArena *arenaOpt,
-  NSSNameChoice choice,
-  void *arg
-);
-
-/*
- * NSSName_Destroy
- *
- * This routine will destroy a Name object.  It should eventually be
- * called on all Names created without an arena.  While it is not
- * necessary to call it on Names created within an arena, it is not
- * an error to do so.  This routine returns a PRStatus value; if
- * successful, it will return PR_SUCCESS.  If unsuccessful, it will
- * create an error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-NSSName_Destroy
-(
-  NSSName *name
-);
-
-/*
- * NSSName_GetDEREncoding
- *
- * This routine will DER-encode a name object.  If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap.  This
- * routine may return null upon error, in which case it will have 
- * created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  The DER encoding of this NSSName
- */
-
-NSS_EXTERN NSSDER *
-NSSName_GetDEREncoding
-(
-  NSSName *name,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSName_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing a string 
- * representation of the Name in the format specified by the 
- * underlying name choice.  If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise, the 
- * memory will be obtained from the heap.  This routine may return
- * NULL upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to the UTF8 string
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSName_GetUTF8Encoding
-(
-  NSSName *name,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSName_GetChoice
- *
- * This routine returns the type of the choice underlying the specified
- * name.  The return value will be a member of the NSSNameChoice 
- * enumeration.  This routine may return NSSNameChoiceInvalid upon 
- * error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *
- * Return value:
- *  NSSNameChoiceInvalid upon error
- *  An other member of the NSSNameChoice enumeration upon success
- */
-
-NSS_EXTERN NSSNameChoice
-NSSName_GetChoice
-(
-  NSSName *name
-);
-
-/*
- * NSSName_GetRDNSequence
- *
- * If the choice underlying the specified NSSName is that of an 
- * RDNSequence, this routine will return a pointer to that RDN
- * sequence.  Otherwise, this routine will place an error on the
- * error stack, and return NULL.  If the optional arena argument is
- * non-null, the memory required will be obtained from that arena;
- * otherwise, the memory will be obtained from the heap.  The
- * caller owns the returned pointer.  This routine may return NULL
- * upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *  NSS_ERROR_WRONG_CHOICE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer to an NSSRDNSeq
- */
-
-NSS_EXTERN NSSRDNSeq *
-NSSName_GetRDNSequence
-(
-  NSSName *name,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSName_GetSpecifiedChoice
- *
- * If the choice underlying the specified NSSName matches the specified
- * choice, a caller-owned pointer to that underlying object will be
- * returned.  Otherwise, an error will be placed on the error stack and
- * NULL will be returned.  If the optional arena argument is non-null, 
- * the memory required will be obtained from that arena; otherwise, the
- * memory will be obtained from the heap.  The caller owns the returned
- * pointer.  This routine may return NULL upon error, in which case it
- * will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *  NSS_ERROR_WRONG_CHOICE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer, which must be typecast
- */
-
-NSS_EXTERN void *
-NSSName_GetSpecifiedChoice
-(
-  NSSName *name,
-  NSSNameChoice choice,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSName_Compare
- *
- * This routine compares two Names for equality.  For two Names to be
- * equal, they must have the same choice of underlying types, and the
- * underlying values must be equal.  The result of the comparison will
- * be stored at the location pointed to by the "equalp" variable, which
- * must point to a valid PRBool. This routine may return PR_FAILURE
- * upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *  NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- *  PR_FAILURE on error
- *  PR_SUCCESS upon a successful comparison (equal or not)
- */
-
-NSS_EXTERN PRStatus
-NSSName_Compare
-(
-  NSSName *name1,
-  NSSName *name2,
-  PRBool *equalp
-);
-
-/*
- * NSSName_Duplicate
- *
- * This routine duplicates the specified nssname.  If the optional
- * arena argument is non-null, the memory required will be obtained
- * from that arena; otherwise, the memory will be obtained from the
- * heap.  This routine may return NULL upon error, in which case it
- * will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a new NSSName
- */
-
-NSS_EXTERN NSSName *
-NSSName_Duplicate
-(
-  NSSName *name,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSName_GetUID
- *
- * This routine will attempt to derive a user identifier from the
- * specified name, if the choices and content of the name permit.
- * If the Name consists of a Sequence of Relative Distinguished 
- * Names containing a UID attribute, the UID will be the value of 
- * that attribute.  Note that no UID attribute is defined in either 
- * PKIX or PKCS#9; rather, this seems to derive from RFC 1274, which 
- * defines the type as a caseIgnoreString.  We'll return a Directory 
- * String.  If the optional arena argument is non-null, the memory 
- * used will be obtained from that arena; otherwise, the memory will 
- * be obtained from the heap.  This routine may return NULL upon error,
- * in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *  NSS_ERROR_NO_UID
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String.
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-NSSName_GetUID
-(
-  NSSName *name,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSName_GetEmail
- *
- * This routine will attempt to derive an email address from the
- * specified name, if the choices and content of the name permit.  
- * If the Name consists of a Sequence of Relative Distinguished 
- * Names containing either a PKIX email address or a PKCS#9 email
- * address, the result will be the value of that attribute.  If the
- * optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap.  This routine may return NULL upon error, in which
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *  NSS_ERROR_NO_EMAIL
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr IA5 String */
-NSSName_GetEmail
-(
-  NSSName *name,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSName_GetCommonName
- *
- * This routine will attempt to derive a common name from the
- * specified name, if the choices and content of the name permit.  
- * If the Name consists of a Sequence of Relative Distinguished Names
- * containing a PKIX Common Name, the result will be that name.  If 
- * the optional arena argument is non-null, the memory used will be 
- * obtained from that arena; otherwise, the memory will be obtained 
- * from the heap.  This routine may return NULL upon error, in which 
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *  NSS_ERROR_NO_COMMON_NAME
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-NSSName_GetCommonName
-(
-  NSSName *name,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSName_GetOrganization
- *
- * This routine will attempt to derive an organisation name from the
- * specified name, if the choices and content of the name permit.  
- * If Name consists of a Sequence of Relative Distinguished names 
- * containing a PKIX Organization, the result will be the value of 
- * that attribute.  If the optional arena argument is non-null, the 
- * memory used will be obtained from that arena; otherwise, the memory 
- * will be obtained from the heap.  This routine may return NULL upon 
- * error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *  NSS_ERROR_NO_ORGANIZATION
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-NSSName_GetOrganization
-(
-  NSSName *name,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSName_GetOrganizationalUnits
- *
- * This routine will attempt to derive a sequence of organisational 
- * unit names from the specified name, if the choices and content of 
- * the name permit.  If the Name consists of a Sequence of Relative 
- * Distinguished Names containing one or more organisational units,
- * the result will be the values of those attributes.  If the optional 
- * arena argument is non-null, the memory used will be obtained from 
- * that arena; otherwise, the memory will be obtained from the heap.  
- * This routine may return NULL upon error, in which case it will have 
- * created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *  NSS_ERROR_NO_ORGANIZATIONAL_UNITS
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a null-terminated array of UTF8 Strings
- */
-
-NSS_EXTERN NSSUTF8 ** /* XXX fgmr DirectoryString */
-NSSName_GetOrganizationalUnits
-(
-  NSSName *name,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSName_GetStateOrProvince
- *
- * This routine will attempt to derive a state or province name from 
- * the specified name, if the choices and content of the name permit.
- * If the Name consists of a Sequence of Relative Distinguished Names
- * containing a state or province, the result will be the value of 
- * that attribute.  If the optional arena argument is non-null, the 
- * memory used will be obtained from that arena; otherwise, the memory 
- * will be obtained from the heap.  This routine may return NULL upon 
- * error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *  NSS_ERROR_NO_STATE_OR_PROVINCE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-NSSName_GetStateOrProvince
-(
-  NSSName *name,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSName_GetLocality
- *
- * This routine will attempt to derive a locality name from the 
- * specified name, if the choices and content of the name permit.  If
- * the Name consists of a Sequence of Relative Distinguished names
- * containing a Locality, the result will be the value of that 
- * attribute.  If the optional arena argument is non-null, the memory 
- * used will be obtained from that arena; otherwise, the memory will 
- * be obtained from the heap.  This routine may return NULL upon error,
- * in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *  NSS_ERROR_NO_LOCALITY
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-NSSName_GetLocality
-(
-  NSSName *name,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSName_GetCountry
- *
- * This routine will attempt to derive a country name from the 
- * specified name, if the choices and content of the name permit.
- * If the Name consists of a Sequence of Relative Distinguished 
- * Names containing a Country, the result will be the value of
- * that attribute..  If the optional arena argument is non-null, 
- * the memory used will be obtained from that arena; otherwise, 
- * the memory will be obtained from the heap.  This routine may 
- * return NULL upon error, in which case it will have created an 
- * error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *  NSS_ERROR_NO_COUNTRY
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr PrintableString */
-NSSName_GetCountry
-(
-  NSSName *name,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSName_GetAttribute
- *
- * If the specified name consists of a Sequence of Relative 
- * Distinguished Names containing an attribute with the specified 
- * type, and the actual value of that attribute may be expressed 
- * with a Directory String, then the value of that attribute will 
- * be returned as a Directory String.  If the optional arena argument 
- * is non-null, the memory used will be obtained from that arena; 
- * otherwise, the memory will be obtained from the heap.  This routine 
- * may return NULL upon error, in which case it will have created an
- * error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *  NSS_ERROR_NO_ATTRIBUTE
- *  NSS_ERROR_ATTRIBUTE_VALUE_NOT_STRING
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-NSSName_GetAttribute
-(
-  NSSName *name,
-  NSSOID *attribute,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName
- *
- * The public "methods" regarding this "object" are:
- *
- * NSSGeneralName_CreateFromBER   -- constructor
- * NSSGeneralName_CreateFromUTF8  -- constructor
- * NSSGeneralName_Create          -- constructor
- *
- * NSSGeneralName_Destroy
- * NSSGeneralName_GetDEREncoding
- * NSSGeneralName_GetUTF8Encoding
- * NSSGeneralName_GetChoice
- * NSSGeneralName_GetOtherName
- * NSSGeneralName_GetRfc822Name
- * NSSGeneralName_GetDNSName
- * NSSGeneralName_GetX400Address
- * NSSGeneralName_GetDirectoryName
- * NSSGeneralName_GetEdiPartyName
- * NSSGeneralName_GetUniformResourceIdentifier
- * NSSGeneralName_GetIPAddress
- * NSSGeneralName_GetRegisteredID
- * NSSGeneralName_GetSpecifiedChoice
- * NSSGeneralName_Compare
- * NSSGeneralName_Duplicate
- *
- * NSSGeneralName_GetUID
- * NSSGeneralName_GetEmail
- * NSSGeneralName_GetCommonName
- * NSSGeneralName_GetOrganization
- * NSSGeneralName_GetOrganizationalUnits
- * NSSGeneralName_GetStateOrProvince
- * NSSGeneralName_GetLocality
- * NSSGeneralName_GetCountry
- * NSSGeneralName_GetAttribute
- */
-
-/*
- * NSSGeneralName_CreateFromBER
- *
- * This routine creates an NSSGeneralName by decoding a BER- or DER-
- * encoded general name.  If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise, the 
- * memory will be obtained from the heap.  This routine may return 
- * NULL upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_BER
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSGeneralName upon success
- */
-
-NSS_EXTERN NSSGeneralName *
-NSSGeneralName_CreateFromBER
-(
-  NSSArena *arenaOpt,
-  NSSBER *berGeneralName
-);
-
-/*
- * NSSGeneralName_CreateFromUTF8
- *
- * This routine creates an NSSGeneralName by decoding a UTF8 string
- * consisting of the string representation of one of the choices of
- * general names.  If the optional arena argument is non-null, the 
- * memory used will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap.  The routine may return NULL upon
- * error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_STRING
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSGeneralName upon success
- */
-
-NSS_EXTERN NSSGeneralName *
-NSSGeneralName_CreateFromUTF8
-(
-  NSSArena *arenaOpt,
-  NSSUTF8 *stringGeneralName
-);
-
-/*
- * NSSGeneralName_Create
- *
- * This routine creates an NSSGeneralName with the specified choice of
- * underlying name types.  The value of the choice variable must be one
- * of the values of the NSSGeneralNameChoice enumeration, and the type
- * of the arg variable must be as specified in the following table:
- *
- *   Choice                                         Type
- *   ============================================   =========
- *   NSSGeneralNameChoiceOtherName
- *   NSSGeneralNameChoiceRfc822Name
- *   NSSGeneralNameChoiceDNSName
- *   NSSGeneralNameChoiceX400Address
- *   NSSGeneralNameChoiceDirectoryName              NSSName *
- *   NSSGeneralNameChoiceEdiPartyName
- *   NSSGeneralNameChoiceUniformResourceIdentifier
- *   NSSGeneralNameChoiceIPAddress
- *   NSSGeneralNameChoiceRegisteredID
- *
- * If the optional arena argument is non-null, the memory used will
- * be obtained from that arena; otherwise, the memory will be 
- * obtained from the heap.  This routine may return NULL upon error,
- * in which case it will have created an error stack.
- *
- * The error may be one fo the following values:
- *  NSS_ERROR_INVALID_CHOICE
- *  NSS_ERROR_INVALID_ARGUMENT
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSGeneralName upon success
- */
-
-NSS_EXTERN NSSGeneralName *
-NSSGeneralName_Create
-(
-  NSSGeneralNameChoice choice,
-  void *arg
-);
-
-/*
- * NSSGeneralName_Destroy
- * 
- * This routine will destroy a General Name object.  It should 
- * eventually be called on all General Names created without an arena.
- * While it is not necessary to call it on General Names created within
- * an arena, it is not an error to do so.  This routine returns a
- * PRStatus value; if successful, it will return PR_SUCCESS. If 
- * usuccessful, it will create an error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *
- * Return value:
- *  PR_FAILURE upon failure
- *  PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-NSSGeneralName_Destroy
-(
-  NSSGeneralName *generalName
-);
-
-/*
- * NSSGeneralName_GetDEREncoding
- *
- * This routine will DER-encode a name object.  If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap.  This
- * routine may return null upon error, in which case it will have 
- * created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  The DER encoding of this NSSGeneralName
- */
-
-NSS_EXTERN NSSDER *
-NSSGeneralName_GetDEREncoding
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing a string 
- * representation of the General Name in the format specified by the
- * underlying name choice.  If the optional arena argument is 
- * non-null, the memory used will be obtained from that arena; 
- * otherwise, the memory will be obtained from the heap.  This routine
- * may return NULL upon error, in which case it will have created an
- * error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 string
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSGeneralName_GetUTF8Encoding
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetChoice
- *
- * This routine returns the type of choice underlying the specified 
- * general name.  The return value will be a member of the 
- * NSSGeneralNameChoice enumeration.  This routine may return 
- * NSSGeneralNameChoiceInvalid upon error, in which case it will have 
- * created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *
- * Return value:
- *  NSSGeneralNameChoiceInvalid upon error
- *  An other member of the NSSGeneralNameChoice enumeration 
- */
-
-NSS_EXTERN NSSGeneralNameChoice
-NSSGeneralName_GetChoice
-(
-  NSSGeneralName *generalName
-);
-
-/*
- * NSSGeneralName_GetOtherName
- *
- * If the choice underlying the specified NSSGeneralName is that of an
- * Other Name, this routine will return a pointer to that Other name.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL.  If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory 
- * will be obtained from the heap.  The caller owns the returned 
- * pointer.  This routine may return NULL upon error, in which case it
- * will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_WRONG_CHOICE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer to an NSSOtherName
- */
-
-NSS_EXTERN NSSOtherName *
-NSSGeneralName_GetOtherName
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetRfc822Name
- *
- * If the choice underlying the specified NSSGeneralName is that of an
- * RFC 822 Name, this routine will return a pointer to that name.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL.  If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory 
- * will be obtained from the heap.  The caller owns the returned 
- * pointer.  This routine may return NULL upon error, in which case it
- * will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_WRONG_CHOICE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer to an NSSRFC822Name
- */
-
-NSS_EXTERN NSSRFC822Name *
-NSSGeneralName_GetRfc822Name
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetDNSName
- *
- * If the choice underlying the specified NSSGeneralName is that of a 
- * DNS Name, this routine will return a pointer to that DNS name.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL.  If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory 
- * will be obtained from the heap.  The caller owns the returned 
- * pointer.  This routine may return NULL upon error, in which case it
- * will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_WRONG_CHOICE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer to an NSSDNSName
- */
-
-NSS_EXTERN NSSDNSName *
-NSSGeneralName_GetDNSName
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetX400Address
- *
- * If the choice underlying the specified NSSGeneralName is that of an
- * X.400 Address, this routine will return a pointer to that Address.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL.  If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory 
- * will be obtained from the heap.  The caller owns the returned 
- * pointer.  This routine may return NULL upon error, in which case it
- * will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_WRONG_CHOICE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer to an NSSX400Address
- */
-
-NSS_EXTERN NSSX400Address *
-NSSGeneralName_GetX400Address
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetDirectoryName
- *
- * If the choice underlying the specified NSSGeneralName is that of a
- * (directory) Name, this routine will return a pointer to that name.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL.  If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory 
- * will be obtained from the heap.  The caller owns the returned 
- * pointer.  This routine may return NULL upon error, in which case it
- * will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_WRONG_CHOICE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer to an NSSName
- */
-
-NSS_EXTERN NSSName *
-NSSGeneralName_GetName
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetEdiPartyName
- *
- * If the choice underlying the specified NSSGeneralName is that of an
- * EDI Party Name, this routine will return a pointer to that name.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL.  If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory 
- * will be obtained from the heap.  The caller owns the returned 
- * pointer.  This routine may return NULL upon error, in which case it
- * will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_WRONG_CHOICE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer to an NSSEdiPartyName
- */
-
-NSS_EXTERN NSSEdiPartyName *
-NSSGeneralName_GetEdiPartyName
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetUniformResourceIdentifier
- *
- * If the choice underlying the specified NSSGeneralName is that of a
- * URI, this routine will return a pointer to that URI.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL.  If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory 
- * will be obtained from the heap.  The caller owns the returned 
- * pointer.  This routine may return NULL upon error, in which case it
- * will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_WRONG_CHOICE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer to an NSSURI
- */
-
-NSS_EXTERN NSSURI *
-NSSGeneralName_GetUniformResourceIdentifier
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetIPAddress
- *
- * If the choice underlying the specified NSSGeneralName is that of an
- * IP Address , this routine will return a pointer to that address.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL.  If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory 
- * will be obtained from the heap.  The caller owns the returned 
- * pointer.  This routine may return NULL upon error, in which case it
- * will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_WRONG_CHOICE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer to an NSSIPAddress
- */
-
-NSS_EXTERN NSSIPAddress *
-NSSGeneralName_GetIPAddress
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetRegisteredID
- *
- * If the choice underlying the specified NSSGeneralName is that of a
- * Registered ID, this routine will return a pointer to that ID.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL.  If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory 
- * will be obtained from the heap.  The caller owns the returned 
- * pointer.  This routine may return NULL upon error, in which case it
- * will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_WRONG_CHOICE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer to an NSSRegisteredID
- */
-
-NSS_EXTERN NSSRegisteredID *
-NSSGeneralName_GetRegisteredID
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetSpecifiedChoice
- *
- * If the choice underlying the specified NSSGeneralName matches the
- * specified choice, a caller-owned pointer to that underlying object
- * will be returned.  Otherwise, an error will be placed on the error
- * stack and NULL will be returned.  If the optional arena argument
- * is non-null, the memory required will be obtained from that arena;
- * otherwise, the memory will be obtained from the heap.  The caller
- * owns the returned pointer.  This routine may return NULL upon 
- * error, in which caes it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_WRONG_CHOICE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer, which must be typecast
- */
-
-NSS_EXTERN void *
-NSSGeneralName_GetSpecifiedChoice
-(
-  NSSGeneralName *generalName,
-  NSSGeneralNameChoice choice,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_Compare
- * 
- * This routine compares two General Names for equality.  For two 
- * General Names to be equal, they must have the same choice of
- * underlying types, and the underlying values must be equal.  The
- * result of the comparison will be stored at the location pointed
- * to by the "equalp" variable, which must point to a valid PRBool.
- * This routine may return PR_FAILURE upon error, in which case it
- * will have created an error stack.
- *
- * The error may be one of the following value:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon a successful comparison (equal or not)
- */
-
-NSS_EXTERN PRStatus
-NSSGeneralName_Compare
-(
-  NSSGeneralName *generalName1,
-  NSSGeneralName *generalName2,
-  PRBool *equalp
-);
-
-/*
- * NSSGeneralName_Duplicate
- *
- * This routine duplicates the specified General Name.  If the optional
- * arena argument is non-null, the memory required will be obtained
- * from that arena; otherwise, the memory will be obtained from the
- * heap.  This routine may return NULL upon error, in which case it 
- * will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a new NSSGeneralName
- */
-
-NSS_EXTERN NSSGeneralName *
-NSSGeneralName_Duplicate
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetUID
- *
- * This routine will attempt to derive a user identifier from the
- * specified general name, if the choices and content of the name
- * permit.  If the General Name is a (directory) Name consisting
- * of a Sequence of Relative Distinguished Names containing a UID
- * attribute, the UID will be the value of that attribute.  Note
- * that no UID attribute is defined in either PKIX or PKCS#9; 
- * rather, this seems to derive from RFC 1274, which defines the
- * type as a caseIgnoreString.  We'll return a Directory String.
- * If the optional arena argument is non-null, the memory used
- * will be obtained from that arena; otherwise, the memory will be
- * obtained from the heap.  This routine may return NULL upon error,
- * in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_NO_UID
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String.
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-NSSGeneralName_GetUID
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetEmail
- *
- * This routine will attempt to derive an email address from the
- * specified general name, if the choices and content of the name
- * permit.  If the General Name is a (directory) Name consisting
- * of a Sequence of Relative Distinguished names containing either
- * a PKIX email address or a PKCS#9 email address, the result will
- * be the value of that attribute.  If the General Name is an RFC 822
- * Name, the result will be the string form of that name.  If the
- * optional arena argument is non-null, the memory used will be 
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap.  This routine may return NULL upon error, in which
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_NO_EMAIL
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr IA5String */
-NSSGeneralName_GetEmail
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetCommonName
- *
- * This routine will attempt to derive a common name from the
- * specified general name, if the choices and content of the name
- * permit.  If the General Name is a (directory) Name consisting
- * of a Sequence of Relative Distinguished names containing a PKIX
- * Common Name, the result will be that name.  If the optional arena 
- * argument is non-null, the memory used will be obtained from that 
- * arena; otherwise, the memory will be obtained from the heap.  This 
- * routine may return NULL upon error, in which case it will have 
- * created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_NO_COMMON_NAME
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-NSSGeneralName_GetCommonName
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetOrganization
- *
- * This routine will attempt to derive an organisation name from the
- * specified general name, if the choices and content of the name
- * permit.  If the General Name is a (directory) Name consisting
- * of a Sequence of Relative Distinguished names containing an
- * Organization, the result will be the value of that attribute.  
- * If the optional arena argument is non-null, the memory used will 
- * be obtained from that arena; otherwise, the memory will be obtained
- * from the heap.  This routine may return NULL upon error, in which 
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_NO_ORGANIZATION
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-NSSGeneralName_GetOrganization
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetOrganizationalUnits
- *
- * This routine will attempt to derive a sequence of organisational 
- * unit names from the specified general name, if the choices and 
- * content of the name permit.  If the General Name is a (directory) 
- * Name consisting of a Sequence of Relative Distinguished names 
- * containing one or more organisational units, the result will 
- * consist of those units.  If the optional arena  argument is non-
- * null, the memory used will be obtained from that arena; otherwise, 
- * the memory will be obtained from the heap.  This routine may return 
- * NULL upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_NO_ORGANIZATIONAL_UNITS
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a null-terminated array of UTF8 Strings
- */
-
-NSS_EXTERN NSSUTF8 ** /* XXX fgmr DirectoryString */
-NSSGeneralName_GetOrganizationalUnits
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetStateOrProvince
- *
- * This routine will attempt to derive a state or province name from 
- * the specified general name, if the choices and content of the name
- * permit.  If the General Name is a (directory) Name consisting
- * of a Sequence of Relative Distinguished names containing a state or 
- * province, the result will be the value of that attribute.  If the 
- * optional arena argument is non-null, the memory used will be 
- * obtained from that arena; otherwise, the memory will be obtained 
- * from the heap.  This routine may return NULL upon error, in which 
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_NO_STATE_OR_PROVINCE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-NSSGeneralName_GetStateOrProvince
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetLocality
- *
- * This routine will attempt to derive a locality name from 
- * the specified general name, if the choices and content of the name
- * permit.  If the General Name is a (directory) Name consisting
- * of a Sequence of Relative Distinguished names containing a Locality, 
- * the result will be the value of that attribute.  If the optional 
- * arena argument is non-null, the memory used will be obtained from 
- * that arena; otherwise, the memory will be obtained from the heap.  
- * This routine may return NULL upon error, in which case it will have 
- * created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_NO_LOCALITY
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-NSSGeneralName_GetLocality
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetCountry
- *
- * This routine will attempt to derive a country name from the 
- * specified general name, if the choices and content of the name 
- * permit.  If the General Name is a (directory) Name consisting of a
- * Sequence of Relative Distinguished names containing a Country, the 
- * result will be the value of that attribute.  If the optional 
- * arena argument is non-null, the memory used will be obtained from 
- * that arena; otherwise, the memory will be obtained from the heap.  
- * This routine may return NULL upon error, in which case it will have 
- * created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_NO_COUNTRY
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr PrintableString */
-NSSGeneralName_GetCountry
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralName_GetAttribute
- *
- * If the specified general name is a (directory) name consisting
- * of a Sequence of Relative Distinguished Names containing an 
- * attribute with the specified type, and the actual value of that
- * attribute may be expressed with a Directory String, then the
- * value of that attribute will be returned as a Directory String.
- * If the optional arena argument is non-null, the memory used will
- * be obtained from that arena; otherwise, the memory will be obtained
- * from the heap.  This routine may return NULL upon error, in which
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_NO_ATTRIBUTE
- *  NSS_ERROR_ATTRIBUTE_VALUE_NOT_STRING
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-NSSGeneralName_GetAttribute
-(
-  NSSGeneralName *generalName,
-  NSSOID *attribute,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralNameSeq
- *
- * The public "methods" regarding this "object" are:
- *
- *  NSSGeneralNameSeq_CreateFromBER   -- constructor
- *  NSSGeneralNameSeq_Create          -- constructor
- *
- *  NSSGeneralNameSeq_Destroy
- *  NSSGeneralNameSeq_GetDEREncoding
- *  NSSGeneralNameSeq_AppendGeneralName
- *  NSSGeneralNameSeq_GetGeneralNameCount
- *  NSSGeneralNameSeq_GetGeneralName
- *  NSSGeneralNameSeq_Compare
- *  NSSGeneralnameSeq_Duplicate
- */
-
-/*
- * NSSGeneralNameSeq_CreateFromBER
- *
- * This routine creates a general name sequence by decoding a BER-
- * or DER-encoded GeneralNames.  If the optional arena argument is
- * non-null, the memory used will be obtained from that arena; 
- * otherwise, the memory will be obtained from the heap.  This routine
- * may return NULL upon error, in which case it will have created an
- * error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_BER
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSGeneralNameSeq upon success
- */
-
-NSS_EXTERN NSSGeneralNameSeq *
-NSSGeneralNameSeq_CreateFromBER
-(
-  NSSArena *arenaOpt,
-  NSSBER *berGeneralNameSeq
-);
-
-/*
- * NSSGeneralNameSeq_Create
- *
- * This routine creates an NSSGeneralNameSeq from one or more General
- * Names.  The final argument to this routine must be NULL.  If the
- * optional arena argument is non-null, the memory used will be 
- * obtained from that arena; otherwise, the memory will be obtained 
- * from the heap.  This routine may return NULL upon error, in which
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSGeneralNameSeq upon success
- */
-
-NSS_EXTERN NSSGeneralNameSeq *
-NSSGeneralNameSeq_Create
-(
-  NSSArena *arenaOpt,
-  NSSGeneralName *generalName1,
-  ...
-);
-
-/*
- * NSSGeneralNameSeq_Destroy
- *
- * This routine will destroy an NSSGeneralNameSeq object.  It should
- * eventually be called on all NSSGeneralNameSeqs created without an
- * arena.  While it is not necessary to call it on NSSGeneralNameSeq's
- * created within an arena, it is not an error to do so.  This routine
- * returns a PRStatus value; if successful, it will return PR_SUCCESS.
- * If unsuccessful, it will create an error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-NSSGeneralNameSeq_Destroy
-(
-  NSSGeneralNameSeq *generalNameSeq
-);
-
-/*
- * NSSGeneralNameSeq_GetDEREncoding
- *
- * This routine will DER-encode an NSSGeneralNameSeq object.  If the
- * optional arena argument is non-null, the memory used will be 
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap.  This routine may return null upon error, in which
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  The DER encoding of this NSSGeneralNameSeq
- */
-
-NSS_EXTERN NSSDER *
-NSSGeneralNameSeq_GetDEREncoding
-(
-  NSSGeneralNameSeq *generalNameSeq,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralNameSeq_AppendGeneralName
- *
- * This routine appends a General Name to the end of the existing
- * General Name Sequence.  If the sequence was created with a non-null
- * arena argument, that same arena will be used for any additional
- * required memory.  If the sequence was created with a NULL arena
- * argument, any additional memory will be obtained from the heap.
- * This routine returns a PRStatus value; it will return PR_SUCCESS
- * upon success, and upon failure it will create an error stack and 
- * return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_NO_MEMORY
- * 
- * Return value:
- *  PR_SUCCESS upon success
- *  PR_FAILURE upon failure.
- */
-
-NSS_EXTERN PRStatus
-NSSGeneralNameSeq_AppendGeneralName
-(
-  NSSGeneralNameSeq *generalNameSeq,
-  NSSGeneralName *generalName
-);
-
-/*
- * NSSGeneralNameSeq_GetGeneralNameCount
- *
- * This routine returns the cardinality of the specified General name
- * Sequence.  This routine may return 0 upon error, in which case it
- * will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
- *
- * Return value;
- *  0 upon error
- *  A positive number upon success
- */
-
-NSS_EXTERN PRUint32
-NSSGeneralNameSeq_GetGeneralNameCount
-(
-  NSSGeneralNameSeq *generalNameSeq
-);
-
-/*
- * NSSGeneralNameSeq_GetGeneralName
- *
- * This routine returns a pointer to the i'th General Name in the 
- * specified General Name Sequence.  The value of the variable 'i' is
- * on the range [0,c) where c is the cardinality returned from 
- * NSSGeneralNameSeq_GetGeneralNameCount.  The caller owns the General
- * Name the pointer to which is returned.  If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap.  This
- * routine may return NULL upon error, in which case it will have 
- * created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
- *  NSS_ERROR_VALUE_OUT_OF_RANGE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer to a General Name.
- */
-
-NSS_EXTERN NSSGeneralName *
-NSSGeneralNameSeq_GetGeneralName
-(
-  NSSGeneralNameSeq *generalNameSeq,
-  NSSArena *arenaOpt,
-  PRUint32 i
-);
-
-/*
- * NSSGeneralNameSeq_Compare
- *
- * This routine compares two General Name Sequences for equality.  For
- * two General Name Sequences to be equal, they must have the same
- * cardinality, and each General Name in one sequence must be equal to
- * the corresponding General Name in the other.  The result of the
- * comparison will be stored at the location pointed to by the "equalp"
- * variable, which must point to a valid PRBool.  This routine may 
- * return PR_FAILURE upon error, in which case it will have created an
- * error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
- *  NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon a successful comparison (equal or not)
- */
-
-NSS_EXTERN PRStatus
-NSSGeneralNameSeq_Compare
-(
-  NSSGeneralNameSeq *generalNameSeq1,
-  NSSGeneralNameSeq *generalNameSeq2,
-  PRBool *equalp
-);
-
-/*
- * NSSGeneralNameSeq_Duplicate
- *
- * This routine duplicates the specified sequence of general names.  If
- * the optional arena argument is non-null, the memory required will be
- * obtained from that arena; otherwise, the memory will be obtained 
- * from the heap.  This routine may return NULL upon error, in which 
- * case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a new General Name Sequence.
- */
-
-NSS_EXTERN NSSGeneralNameSeq *
-NSSGeneralNameSeq_Duplicate
-(
-  NSSGeneralNameSeq *generalNameSeq,
-  NSSArena *arenaOpt
-);
-
-PR_END_EXTERN_C
-
-#endif /* NSSPT1M_H */
diff --git a/security/nss/lib/pki1/nsspki1t.h b/security/nss/lib/pki1/nsspki1t.h
deleted file mode 100644
index 3ebf1e548..000000000
--- a/security/nss/lib/pki1/nsspki1t.h
+++ /dev/null
@@ -1,205 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef NSSPKI1T_H
-#define NSSPKI1T_H
-
-#ifdef DEBUG
-static const char NSSPKI1T_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * nsspki1t.h
- *
- * This file contains the public type definitions for the PKIX part-1
- * objects.
- */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-PR_BEGIN_EXTERN_C
-
-/*
- * OBJECT IDENTIFIER
- *
- * This is the basic OID that crops up everywhere.
- */
-
-struct NSSOIDStr;
-typedef struct NSSOIDStr NSSOID;
-
-/*
- * AttributeTypeAndValue
- *
- * This structure contains an attribute type (indicated by an OID), 
- * and the type-specific value.  RelativeDistinguishedNamess consist
- * of a set of these.  These are distinct from Attributes (which have
- * SET of values), from AttributeDescriptions (which have qualifiers
- * on the types), and from AttributeValueAssertions (which assert a
- * a value comparison under some matching rule).
- */
-
-struct NSSATAVStr;
-typedef struct NSSATAVStr NSSATAV;
-
-/*
- * RelativeDistinguishedName
- *
- * This structure contains an unordered set of AttributeTypeAndValue 
- * objects.  RDNs are used to distinguish a set of objects underneath 
- * a common object.
- *
- * Often, a single ATAV is sufficient to make a unique distinction.
- * For example, if a company assigns its people unique uid values,
- * then in the Name "uid=smith,ou=People,o=Acme,c=US" the "uid=smith"
- * ATAV by itself forms an RDN.  However, sometimes a set of ATAVs is
- * needed.  For example, if a company needed to distinguish between
- * two Smiths by specifying their corporate divisions, then in the
- * Name "(cn=Smith,ou=Sales),ou=People,o=Acme,c=US" the parenthesised
- * set of ATAVs forms the RDN.
- */
-
-struct NSSRDNStr;
-typedef struct NSSRDNStr NSSRDN;
-
-/*
- * RDNSequence
- *
- * This structure contains a sequence of RelativeDistinguishedName
- * objects.
- */
-
-struct NSSRDNSeqStr;
-typedef struct NSSRDNSeqStr NSSRDNSeq;
-
-/*
- * Name
- *
- * This structure contains a union of the possible name formats,
- * which at the moment is limited to an RDNSequence.
- */
-
-struct NSSNameStr;
-typedef struct NSSNameStr NSSName;
-
-/*
- * NameChoice
- *
- * This enumeration is used to specify choice within a name.
- */
-
-enum NSSNameChoiceEnum {
-  NSSNameChoiceInvalid = -1,
-  NSSNameChoiceRdnSequence
-};
-typedef enum NSSNameChoiceEnum NSSNameChoice;
-
-/*
- * GeneralName
- *
- * This structure contains a union of the possible general names,
- * of which there are several.
- */
-
-struct NSSGeneralNameStr;
-typedef struct NSSGeneralNameStr NSSGeneralName;
-
-/*
- * GeneralNameChoice
- *
- * This enumerates the possible general name types.
- */
-
-enum NSSGeneralNameChoiceEnum {
-  NSSGeneralNameChoiceInvalid = -1,
-  NSSGeneralNameChoiceOtherName = 0,
-  NSSGeneralNameChoiceRfc822Name = 1,
-  NSSGeneralNameChoiceDNSName = 2,
-  NSSGeneralNameChoiceX400Address = 3,
-  NSSGeneralNameChoiceDirectoryName = 4,
-  NSSGeneralNameChoiceEdiPartyName = 5,
-  NSSGeneralNameChoiceUniformResourceIdentifier = 6,
-  NSSGeneralNameChoiceIPAddress = 7,
-  NSSGeneralNameChoiceRegisteredID = 8
-};
-typedef enum NSSGeneralNameChoiceEnum NSSGeneralNameChoice;
-
-/*
- * The "other" types of general names.
- */
-
-struct NSSOtherNameStr;
-typedef struct NSSOtherNameStr NSSOtherName;
-
-struct NSSRFC822NameStr;
-typedef struct NSSRFC822NameStr NSSRFC822Name;
-
-struct NSSDNSNameStr;
-typedef struct NSSDNSNameStr NSSDNSName;
-
-struct NSSX400AddressStr;
-typedef struct NSSX400AddressStr NSSX400Address;
-
-struct NSSEdiPartyNameStr;
-typedef struct NSSEdiPartyNameStr NSSEdiPartyName;
-
-struct NSSURIStr;
-typedef struct NSSURIStr NSSURI;
-
-struct NSSIPAddressStr;
-typedef struct NSSIPAddressStr NSSIPAddress;
-
-struct NSSRegisteredIDStr;
-typedef struct NSSRegisteredIDStr NSSRegisteredID;
-
-/*
- * GeneralNameSeq
- *
- * This structure contains a sequence of GeneralName objects.
- * Note that the PKIX documents refer to this as "GeneralNames,"
- * which differs from "GeneralName" by only one letter.  To
- * try to reduce confusion, we expand the name slightly to
- * "GeneralNameSeq."
- */
-
-struct NSSGeneralNameSeqStr;
-typedef struct NSSGeneralNameSeqStr NSSGeneralNameSeq;
-
-PR_END_EXTERN_C
-
-#endif /* NSSPKI1T_H */
diff --git a/security/nss/lib/pki1/oid.c b/security/nss/lib/pki1/oid.c
deleted file mode 100644
index d032f1eb2..000000000
--- a/security/nss/lib/pki1/oid.c
+++ /dev/null
@@ -1,1618 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * oid.c
- *
- * This file contains the implementation of the basic OID routines.
- */
-
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-
-#ifndef PKI1_H
-#include "pki1.h"
-#endif /* PKI1_H */
-
-#include "plhash.h"
-#include "plstr.h"
-
-/*
- * NSSOID
- *
- * The public "methods" regarding this "object" are:
- *
- *  NSSOID_CreateFromBER   -- constructor
- *  NSSOID_CreateFromUTF8  -- constructor
- *  (there is no explicit destructor)
- * 
- *  NSSOID_GetDEREncoding
- *  NSSOID_GetUTF8Encoding
-
- * The non-public "methods" regarding this "object" are:
- *
- *  nssOID_CreateFromBER   -- constructor
- *  nssOID_CreateFromUTF8  -- constructor
- *  (there is no explicit destructor)
- * 
- *  nssOID_GetDEREncoding
- *  nssOID_GetUTF8Encoding
- *
- * In debug builds, the following non-public calls are also available:
- *
- *  nssOID_verifyPointer
- *  nssOID_getExplanation
- *  nssOID_getTaggedUTF8
- */
-
-const NSSOID *NSS_OID_UNKNOWN = (NSSOID *)NULL;
-
-/*
- * First, the public "wrappers"
- */
-
-/*
- * NSSOID_CreateFromBER
- *
- * This routine creates an NSSOID by decoding a BER- or DER-encoded
- * OID.  It may return NULL upon error, in which case it 
- * will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_BER
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  An NSSOID upon success
- */
-
-NSS_EXTERN NSSOID *
-NSSOID_CreateFromBER
-(
-  NSSBER *berOid
-)
-{
-  nss_ClearErrorStack();
-
-#ifdef DEBUG
-  /* 
-   * NSSBERs can be created by the user, 
-   * so no pointer-tracking can be checked.
-   */
-
-  if( (NSSBER *)NULL == berOid ) {
-    nss_SetError(NSS_ERROR_INVALID_BER);
-    return (NSSOID *)NULL;
-  }
-
-  if( (void *)NULL == berOid->data ) {
-    nss_SetError(NSS_ERROR_INVALID_BER);
-    return (NSSOID *)NULL;
-  }
-#endif /* DEBUG */
-  
-  return nssOID_CreateFromBER(berOid);
-}
-
-/*
- * NSSOID_CreateFromUTF8
- *
- * This routine creates an NSSOID by decoding a UTF8 string 
- * representation of an OID in dotted-number format.  The string may 
- * optionally begin with an octothorpe.  It may return NULL
- * upon error, in which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_UTF8
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  An NSSOID upon success
- */
-
-NSS_EXTERN NSSOID *
-NSSOID_CreateFromUTF8
-(
-  NSSUTF8 *stringOid
-)
-{
-  nss_ClearErrorStack();
-
-#ifdef DEBUG
-  /*
-   * NSSUTF8s can be created by the user,
-   * so no pointer-tracking can be checked.
-   */
-
-  if( (NSSUTF8 *)NULL == stringOid ) {
-    nss_SetError(NSS_ERROR_INVALID_UTF8);
-    return (NSSOID *)NULL;
-  }
-#endif /* DEBUG */
-
-  return nssOID_CreateFromUTF8(stringOid);
-}
-
-/*
- * NSSOID_GetDEREncoding
- *
- * This routine returns the DER encoding of the specified NSSOID.
- * If the optional arena argument is non-null, the memory used will
- * be obtained from that arena; otherwise, the memory will be obtained
- * from the heap.  This routine may return return null upon error, in 
- * which case it will have created an error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NSSOID
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  The DER encoding of this NSSOID
- */
-
-NSS_EXTERN NSSDER *
-NSSOID_GetDEREncoding
-(
-  const NSSOID *oid,
-  NSSDER *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-  nss_ClearErrorStack();
-
-#ifdef DEBUG
-  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
-    return (NSSDER *)NULL;
-  }
-
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSDER *)NULL;
-    }
-  }
-#endif /* DEBUG */
-
-  return nssOID_GetDEREncoding(oid, rvOpt, arenaOpt);
-}
-
-/*
- * NSSOID_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing the dotted-number 
- * encoding of the specified NSSOID.  If the optional arena argument 
- * is non-null, the memory used will be obtained from that arena; 
- * otherwise, the memory will be obtained from the heap.  This routine
- * may return null upon error, in which case it will have created an
- * error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NSSOID
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 string containing the dotted-digit encoding of 
- *      this NSSOID
- */
-
-NSS_EXTERN NSSUTF8 *
-NSSOID_GetUTF8Encoding
-(
-  const NSSOID *oid,
-  NSSArena *arenaOpt
-)
-{
-  nss_ClearErrorStack();
-
-#ifdef DEBUG
-  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
-    return (NSSUTF8 *)NULL;
-  }
-
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSUTF8 *)NULL;
-    }
-  }
-#endif /* DEBUG */
-
-  return nssOID_GetUTF8Encoding(oid, arenaOpt);
-}
-
-/*
- * Next, some internal bookkeeping; including the OID "tag" table 
- * and the debug-version pointer tracker.
- */
-
-/*
- * For implementation reasons (so NSSOIDs can be compared with ==),
- * we hash all NSSOIDs.  This is the hash table.
- */
-
-static PLHashTable *oid_hash_table;
-
-/*
- * And this is its lock.
- */
-
-static PZLock *oid_hash_lock;
-
-/*
- * This is the hash function.  We simply XOR the encoded form with
- * itself in sizeof(PLHashNumber)-byte chunks.  Improving this
- * routine is left as an excercise for the more mathematically
- * inclined student.
- */
-
-static PLHashNumber PR_CALLBACK
-oid_hash
-(
-  const void *key
-)
-{
-  const NSSItem *item = (const NSSItem *)key;
-  PLHashNumber rv = 0;
-
-  PRUint8 *data = (PRUint8 *)item->data;
-  PRUint32 i;
-  PRUint8 *rvc = (PRUint8 *)&rv;
-
-  for( i = 0; i < item->size; i++ ) {
-    rvc[ i % sizeof(rv) ] ^= *data;
-    data++;
-  }
-
-  return rv;
-}
-
-/*
- * This is the key-compare function.  It simply does a lexical
- * comparison on the encoded OID form.  This does not result in
- * quite the same ordering as the "sequence of numbers" order,
- * but heck it's only used internally by the hash table anyway.
- */
-
-static PRIntn PR_CALLBACK
-oid_hash_compare
-(
-  const void *k1,
-  const void *k2
-)
-{
-  PRIntn rv;
-
-  const NSSItem *i1 = (const NSSItem *)k1;
-  const NSSItem *i2 = (const NSSItem *)k2;
-
-  PRUint32 size = (i1->size < i2->size) ? i1->size : i2->size;
-
-  rv = (PRIntn)nsslibc_memequal(i1->data, i2->data, size, (PRStatus *)NULL);
-  if( 0 == rv ) {
-    rv = i1->size - i2->size;
-  }
-
-  return !rv;
-}
-
-/*
- * The pointer-tracking code
- */
-
-#ifdef DEBUG
-extern const NSSError NSS_ERROR_INTERNAL_ERROR;
-
-static nssPointerTracker oid_pointer_tracker;
-
-static PRStatus
-oid_add_pointer
-(
-  const NSSOID *oid
-)
-{
-  PRStatus rv;
-
-  rv = nssPointerTracker_initialize(&oid_pointer_tracker);
-  if( PR_SUCCESS != rv ) {
-    return rv;
-  }
-
-  rv = nssPointerTracker_add(&oid_pointer_tracker, oid);
-  if( PR_SUCCESS != rv ) {
-    NSSError e = NSS_GetError();
-    if( NSS_ERROR_NO_MEMORY != e ) {
-      nss_SetError(NSS_ERROR_INTERNAL_ERROR);
-    }
-
-    return rv;
-  }
-
-  return PR_SUCCESS;
-}
-
-#if defined(CAN_DELETE_OIDS)
-/*
- * We actually don't define NSSOID deletion, since we keep OIDs
- * in a hash table for easy comparison.  Were we to, this is
- * what the pointer-removal function would look like.
- */
-
-static PRStatus
-oid_remove_pointer
-(
-  const NSSOID *oid
-)
-{
-  PRStatus rv;
-
-  rv = nssPointerTracker_remove(&oid_pointer_tracker, oid);
-  if( PR_SUCCESS != rv ) {
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
-  }
-
-  return rv;
-}
-#endif /* CAN_DELETE_OIDS */
-
-#endif /* DEBUG */
-
-/*
- * All dynamically-added OIDs get their memory from one statically-
- * declared arena here, merely so that any cleanup code will have
- * an easier time of it.
- */
-
-static NSSArena *oid_arena;
-
-/*
- * This is the call-once function which initializes the hashtable.
- * It creates it, then prepopulates it with all of the builtin OIDs.
- * It also creates the aforementioned NSSArena.
- */
-
-static PRStatus PR_CALLBACK
-oid_once_func
-(
-  void
-)
-{
-  PRUint32 i;
-  
-  /* Initialize the arena */
-  oid_arena = nssArena_Create();
-  if( (NSSArena *)NULL == oid_arena ) {
-    goto loser;
-  }
-
-  /* Create the hash table lock */
-  oid_hash_lock = PZ_NewLock(nssILockOID);
-  if( (PZLock *)NULL == oid_hash_lock ) {
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-    goto loser;
-  }
-
-  /* Create the hash table */
-  oid_hash_table = PL_NewHashTable(0, oid_hash, oid_hash_compare,
-                                   PL_CompareValues, 
-                                   (PLHashAllocOps *)0,
-                                   (void *)0);
-  if( (PLHashTable *)NULL == oid_hash_table ) {
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-    goto loser;
-  }
-
-  /* And populate it with all the builtins */
-  for( i = 0; i < nss_builtin_oid_count; i++ ) {
-    NSSOID *oid = (NSSOID *)&nss_builtin_oids[i];
-    PLHashEntry *e = PL_HashTableAdd(oid_hash_table, &oid->data, oid);
-    if( (PLHashEntry *)NULL == e ) {
-      nss_SetError(NSS_ERROR_NO_MEMORY);
-      goto loser;
-    }
-
-#ifdef DEBUG
-    if( PR_SUCCESS != oid_add_pointer(oid) ) {
-      goto loser;
-    }
-#endif /* DEBUG */
-  }
-
-  return PR_SUCCESS;
-
- loser:
-  if( (PLHashTable *)NULL != oid_hash_table ) {
-    PL_HashTableDestroy(oid_hash_table);
-    oid_hash_table = (PLHashTable *)NULL;
-  }
-
-  if( (PZLock *)NULL != oid_hash_lock ) {
-    PZ_DestroyLock(oid_hash_lock);
-    oid_hash_lock = (PZLock *)NULL;
-  }
-
-  if( (NSSArena *)NULL != oid_arena ) {
-    (void)nssArena_Destroy(oid_arena);
-    oid_arena = (NSSArena *)NULL;
-  }
-
-  return PR_FAILURE;
-}
-
-/*
- * This is NSPR's once-block.
- */
-
-static PRCallOnceType oid_call_once;
-
-/*
- * And this is our multiply-callable internal init routine, which
- * will call-once our call-once function.
- */
-
-static PRStatus
-oid_init
-(
-  void
-)
-{
-  return PR_CallOnce(&oid_call_once, oid_once_func);
-}
-
-#ifdef DEBUG
-
-/*
- * nssOID_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSOID object, 
- * this routine will return PR_SUCCESS.  Otherwise, it will put an 
- * error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NSSOID
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  PR_SUCCESS if the pointer is valid
- *  PR_FAILURE if it isn't
- */
-
-NSS_EXTERN PRStatus
-nssOID_verifyPointer
-(
-  const NSSOID *oid
-)
-{
-  PRStatus rv;
-
-  rv = oid_init();
-  if( PR_SUCCESS != rv ) {
-    return PR_FAILURE;
-  }
-
-  rv = nssPointerTracker_initialize(&oid_pointer_tracker);
-  if( PR_SUCCESS != rv ) {
-    return PR_FAILURE;
-  }
-
-  rv = nssPointerTracker_verify(&oid_pointer_tracker, oid);
-  if( PR_SUCCESS != rv ) {
-    nss_SetError(NSS_ERROR_INVALID_NSSOID);
-    return PR_FAILURE;
-  }
-
-  return PR_SUCCESS;
-}
-#endif /* DEBUG */
-
-/*
- * oid_sanity_check_ber
- *
- * This routine merely applies some sanity-checking to the BER-encoded
- * OID.
- */
-
-static PRStatus
-oid_sanity_check_ber
-(
-  NSSBER *berOid
-)
-{
-  PRUint32 i;
-  PRUint8 *data = (PRUint8 *)berOid->data;
-
-  /*
-   * The size must be longer than zero bytes.
-   */
-
-  if( berOid->size <= 0 ) {
-    return PR_FAILURE;
-  }
-
-  /*
-   * In general, we can't preclude any number from showing up
-   * someday.  We could probably guess that top-level numbers
-   * won't get very big (beyond the current ccitt(0), iso(1),
-   * or joint-ccitt-iso(2)).  However, keep in mind that the
-   * encoding rules wrap the first two numbers together, as
-   *
-   *     (first * 40) + second
-   *
-   * Also, it is noted in the specs that this implies that the
-   * second number won't go above forty.
-   *
-   * 128 encodes 3.8, which seems pretty safe for now.  Let's
-   * check that the first byte is less than that.
-   *
-   * XXX This is a "soft check" -- we may want to exclude it.
-   */
-
-  if( data[0] >= 0x80 ) {
-    return PR_FAILURE;
-  }
-
-  /*
-   * In a normalised format, leading 0x80s will never show up.
-   * This means that no 0x80 will be preceeded by the final
-   * byte of a sequence, which would naturaly be less than 0x80.
-   * Our internal encoding for the single-digit OIDs uses 0x80,
-   * but the only places we use them (loading the builtin table,
-   * and adding a UTF8-encoded OID) bypass this check.
-   */
-
-  for( i = 1; i < berOid->size; i++ ) {
-    if( (0x80 == data[i]) && (data[i-1] < 0x80) ) {
-      return PR_FAILURE;
-    }
-  }
-
-  /*
-   * The high bit of each octet indicates that following octets
-   * are included in the current number.  Thus the last byte can't
-   * have the high bit set.
-   */
-
-  if( data[ berOid->size-1 ] >= 0x80 ) {
-    return PR_FAILURE;
-  }
-
-  /*
-   * Other than that, any byte sequence is legit.
-   */
-  return PR_SUCCESS;
-}
-
-/*
- * nssOID_CreateFromBER
- *
- * This routine creates an NSSOID by decoding a BER- or DER-encoded
- * OID.  It may return NULL upon error, in which case it 
- * will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_BER
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  An NSSOID upon success
- */
-
-NSS_EXTERN NSSOID *
-nssOID_CreateFromBER
-(
-  NSSBER *berOid
-)
-{
-  NSSOID *rv;
-  PLHashEntry *e;
-  
-  if( PR_SUCCESS != oid_init() ) {
-    return (NSSOID *)NULL;
-  }
-
-  if( PR_SUCCESS != oid_sanity_check_ber(berOid) ) {
-    nss_SetError(NSS_ERROR_INVALID_BER);
-    return (NSSOID *)NULL;
-  }
-
-  /*
-   * Does it exist?
-   */
-  PZ_Lock(oid_hash_lock);
-  rv = (NSSOID *)PL_HashTableLookup(oid_hash_table, berOid);
-  (void)PZ_Unlock(oid_hash_lock);
-  if( (NSSOID *)NULL != rv ) {
-    /* Found it! */
-    return rv;
-  }
-
-  /*
-   * Doesn't exist-- create it.
-   */
-  rv = nss_ZNEW(oid_arena, NSSOID);
-  if( (NSSOID *)NULL == rv ) {
-    return (NSSOID *)NULL;
-  }
-
-  rv->data.data = nss_ZAlloc(oid_arena, berOid->size);
-  if( (void *)NULL == rv->data.data ) {
-    return (NSSOID *)NULL;
-  }
-
-  rv->data.size = berOid->size;
-  nsslibc_memcpy(rv->data.data, berOid->data, berOid->size);
-
-#ifdef DEBUG
-  rv->tag = "<runtime>";
-  rv->expl = "(OID registered at runtime)";
-#endif /* DEBUG */
-
-  PZ_Lock(oid_hash_lock);
-  e = PL_HashTableAdd(oid_hash_table, &rv->data, rv);
-  (void)PZ_Unlock(oid_hash_lock);
-  if( (PLHashEntry *)NULL == e ) {
-    nss_ZFreeIf(rv->data.data);
-    nss_ZFreeIf(rv);
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-    return (NSSOID *)NULL;
-  }
-
-#ifdef DEBUG
-  {
-    PRStatus st;
-    st = oid_add_pointer(rv);
-    if( PR_SUCCESS != st ) {
-      PZ_Lock(oid_hash_lock);
-      (void)PL_HashTableRemove(oid_hash_table, &rv->data);
-      (void)PZ_Unlock(oid_hash_lock);
-      (void)nss_ZFreeIf(rv->data.data);
-      (void)nss_ZFreeIf(rv);
-      return (NSSOID *)NULL;
-    }
-  }
-#endif /* DEBUG */
-
-  return rv;
-}
-
-/*
- * oid_sanity_check_utf8
- *
- * This routine merely applies some sanity-checking to the 
- * UTF8-encoded OID.
- */
-
-static PRStatus
-oid_sanity_check_utf8
-(
-  NSSUTF8 *s
-)
-{
-  /*
-   * It may begin with an octothorpe, which we skip.
-   */
-
-  if( '#' == *s ) {
-    s++;
-  }
-
-  /*
-   * It begins with a number
-   */
-
-  if( (*s < '0') || (*s > '9') ) {
-    return PR_FAILURE;
-  }
-
-  /*
-   * First number is only one digit long
-   *
-   * XXX This is a "soft check" -- we may want to exclude it
-   */
-
-  if( (s[1] != '.') && (s[1] != '\0') ) {
-    return PR_FAILURE;
-  }
-
-  /*
-   * Every character is either a digit or a period
-   */
-
-  for( ; '\0' != *s; s++ ) {
-    if( ('.' != *s) && ((*s < '0') || (*s > '9')) ) {
-      return PR_FAILURE;
-    }
-
-    /* No two consecutive periods */
-    if( ('.' == *s) && ('.' == s[1]) ) {
-      return PR_FAILURE;
-    }
-  }
-
-  /*
-   * The last character isn't a period
-   */
-
-  if( '.' == *--s ) {
-    return PR_FAILURE;
-  }
-
-  return PR_SUCCESS;
-}
-
-static PRUint32
-oid_encode_number
-(
-  PRUint32 n,
-  PRUint8 *dp,
-  PRUint32 nb
-)
-{
-  PRUint32 a[5];
-  PRUint32 i;
-  PRUint32 rv;
-
-  a[0] = (n >> 28) & 0x7f;
-  a[1] = (n >> 21) & 0x7f;
-  a[2] = (n >> 14) & 0x7f;
-  a[3] = (n >>  7) & 0x7f;
-  a[4] =  n        & 0x7f;
-
-  for( i = 0; i < 5; i++ ) {
-    if( 0 != a[i] ) {
-      break;
-    }
-  }
-
-  if( 5 == i ) {
-    i--;
-  }
-
-  rv = 5-i;
-  if( rv > nb ) {
-    return rv;
-  }
-
-  for( ; i < 4; i++ ) {
-    *dp = 0x80 | a[i];
-    dp++;
-  }
-
-  *dp = a[4];
-
-  return rv;
-}
-
-/*
- * oid_encode_huge
- *
- * This routine will convert a huge decimal number into the DER 
- * encoding for oid numbers.  It is not limited to numbers that will
- * fit into some wordsize, like oid_encode_number.  But it's not
- * necessarily very fast, either.  This is here in case some joker
- * throws us an ASCII oid like 1.2.3.99999999999999999999999999.
- */
-
-static PRUint32
-oid_encode_huge
-(
-  NSSUTF8 *s,
-  NSSUTF8 *e,
-  PRUint8 *dp,
-  PRUint32 nb
-)
-{
-  PRUint32 slen = (e-s);
-  PRUint32 blen = (slen+1)/2;
-  PRUint8 *st = (PRUint8 *)NULL;
-  PRUint8 *bd = (PRUint8 *)NULL;
-  PRUint32 i;
-  PRUint32 bitno;
-  PRUint8 *last;
-  PRUint8 *first;
-  PRUint32 byteno;
-  PRUint8 mask;
-
-  /* We'll be munging the data, so duplicate it */
-  st = (PRUint8 *)nss_ZAlloc((NSSArena *)NULL, slen);
-  if( (PRUint8 *)NULL == st ) {
-    return 0;
-  }
-
-  /* Don't know ahead of time exactly how long we'll need */
-  bd = (PRUint8 *)nss_ZAlloc((NSSArena *)NULL, blen);
-  if( (PRUint8 *)NULL == bd ) {
-    (void)nss_ZFreeIf(st);
-    return 0;
-  }
-
-  /* Copy the original, and convert ASCII to numbers */
-  for( i = 0; i < slen; i++ ) {
-    st[i] = (PRUint8)(s[i] - '0');
-  }
-
-  last = &st[slen-1];
-  first = &st[0];
-
-  /*
-   * The way we create the binary version is by looking at it 
-   * bit by bit.  Start with the least significant bit.  If the
-   * number is odd, set that bit.  Halve the number (with integer
-   * division), and go to the next least significant bit.  Keep 
-   * going until the number goes to zero.
-   */
-  for( bitno = 0; ; bitno++ ) {
-    PRUint8 *d;
-
-    byteno = bitno/7;
-    mask = (PRUint8)(1 << (bitno%7));
-
-    /* Skip leading zeroes */
-    for( ; first < last; first ++ ) {
-      if( 0 != *first ) {
-        break;
-      }
-    }
-
-    /* Down to one number and it's a zero?  Done. */
-    if( (first == last) && (0 == *last) ) {
-      break;
-    }
-
-    /* Last digit is odd?  Set the bit */
-    if( *last & 1 ) {
-      bd[ byteno ] |= mask;
-    }
-
-
-    /* 
-     * Divide the number in half.  This is just a matter
-     * of going from the least significant digit upwards,
-     * halving each one.  If any digit is odd (other than
-     * the last, which has already been handled), add five
-     * to the digit to its right.
-     */
-    *last /= 2;
-
-    for( d = &last[-1]; d >= first; d-- ) {
-      if( *d & 1 ) {
-        d[1] += 5;
-      }
-
-      *d /= 2;
-    }
-  }
-
-  /* Is there room to write the encoded data? */
-  if( (byteno+1) > nb ) {
-    return (byteno+1);
-  }
-
-  /* Trim any leading zero that crept in there */
-  for( ; byteno > 0; byteno-- ) {
-    if( 0 != bd[ byteno ] ) {
-      break;
-    }
-  }
-
-  /* Copy all but the last, marking the "continue" bit */
-  for( i = 0; i < byteno; i++ ) {
-    dp[i] = bd[ byteno-i ] | 0x80;
-  }
-  /* And the last with the "continue" bit clear */
-  dp[byteno] = bd[0];
-
-  (void)nss_ZFreeIf(bd);
-  (void)nss_ZFreeIf(st);
-  return (byteno+1);
-}
-
-/*
- * oid_encode_string
- *
- * This routine converts a dotted-number OID into a DER-encoded
- * one.  It assumes we've already sanity-checked the string.
- */
-
-extern const NSSError NSS_ERROR_INTERNAL_ERROR;
-
-static NSSOID *
-oid_encode_string
-(
-  NSSUTF8 *s
-)
-{
-  PRUint32 nn = 0; /* number of numbers */
-  PRUint32 nb = 0; /* number of bytes (estimated) */
-  NSSUTF8 *t;
-  PRUint32 nd = 0; /* number of digits */
-  NSSOID *rv;
-  PRUint8 *dp;
-  PRUint32 a, b;
-  PRUint32 inc;
-
-  /* Dump any octothorpe */
-  if( '#' == *s ) {
-    s++;
-  }
-
-  /* Count up the bytes needed */
-  for( t = s; '\0' != *t; t++ ) {
-    if( '.' == *t ) {
-      nb += (nd+1)/2; /* errs on the big side */
-      nd = 0;
-      nn++;
-    } else {
-      nd++;
-    }
-  }
-  nb += (nd+1)/2;
-  nn++;
-
-  if( 1 == nn ) {
-    /*
-     * We have our own "denormalised" encoding for these,
-     * which is only used internally.
-     */
-    nb++;
-  }
-
-  /* 
-   * Allocate.  Note that we don't use the oid_arena here.. this is
-   * because there really isn't a "free()" for stuff allocated out of
-   * arenas (at least with the current implementation), so this would
-   * keep using up memory each time a UTF8-encoded OID were added.
-   * If need be (if this is the first time this oid has been seen),
-   * we'll copy it.
-   */
-  rv = nss_ZNEW((NSSArena *)NULL, NSSOID);
-  if( (NSSOID *)NULL == rv ) {
-    return (NSSOID *)NULL;
-  }
-
-  rv->data.data = nss_ZAlloc((NSSArena *)NULL, nb);
-  if( (void *)NULL == rv->data.data ) {
-    (void)nss_ZFreeIf(rv);
-    return (NSSOID *)NULL;
-  }
-
-  dp = (PRUint8 *)rv->data.data;
-
-  a = atoi(s);
-
-  if( 1 == nn ) {
-    dp[0] = '\x80';
-    inc = oid_encode_number(a, &dp[1], nb-1);
-    if( inc >= nb ) {
-      goto loser;
-    }
-  } else {
-    for( t = s; '.' != *t; t++ ) {
-      ;
-    }
-
-    t++;
-    b = atoi(t);
-    inc = oid_encode_number(a*40+b, dp, nb);
-    if( inc > nb ) {
-      goto loser;
-    }
-    dp += inc;
-    nb -= inc;
-    nn -= 2;
-
-    while( nn-- > 0 ) {
-      NSSUTF8 *u;
-
-      for( ; '.' != *t; t++ ) {
-        ;
-      }
-
-      t++;
-
-      for( u = t; ('\0' != *u) && ('.' != *u); u++ ) {
-        ;
-      }
-
-      if( (u-t > 9) ) {
-        /* In the billions.  Rats. */
-        inc = oid_encode_huge(t, u, dp, nb);
-      } else {
-        b = atoi(t);
-        inc = oid_encode_number(b, dp, nb);
-      }
-
-      if( inc > nb ) {
-        goto loser;
-      }
-      dp += inc;
-      nb -= inc;
-    }
-  }
-
-  return rv;
-
- loser:
-  nss_SetError(NSS_ERROR_INTERNAL_ERROR);
-  return (NSSOID *)NULL;
-}
-
-/*
- * nssOID_CreateFromUTF8
- *
- * This routine creates an NSSOID by decoding a UTF8 string 
- * representation of an OID in dotted-number format.  The string may 
- * optionally begin with an octothorpe.  It may return NULL
- * upon error, in which case it will have set an error on the error 
- * stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_STRING
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  An NSSOID upon success
- */
-
-NSS_EXTERN NSSOID *
-nssOID_CreateFromUTF8
-(
-  NSSUTF8 *stringOid
-)
-{
-  NSSOID *rv = (NSSOID *)NULL;
-  NSSOID *candidate = (NSSOID *)NULL;
-  PLHashEntry *e;
-
-  if( PR_SUCCESS != oid_init() ) {
-    return (NSSOID *)NULL;
-  }
-
-  if( PR_SUCCESS != oid_sanity_check_utf8(stringOid) ) {
-    nss_SetError(NSS_ERROR_INVALID_STRING);
-    return (NSSOID *)NULL;
-  }
-
-  candidate = oid_encode_string(stringOid);
-  if( (NSSOID *)NULL == candidate ) {
-    /* Internal error only */
-    return rv;
-  }
-
-  /*
-   * Does it exist?
-   */
-  PZ_Lock(oid_hash_lock);
-  rv = (NSSOID *)PL_HashTableLookup(oid_hash_table, &candidate->data);
-  (void)PZ_Unlock(oid_hash_lock);
-  if( (NSSOID *)NULL != rv ) {
-    /* Already exists.  Delete my copy and return the original. */
-    (void)nss_ZFreeIf(candidate->data.data);
-    (void)nss_ZFreeIf(candidate);
-    return rv;
-  }
-
-  /* 
-   * Nope.  Add it.  Remember to allocate it out of the oid arena.
-   */
-
-  rv = nss_ZNEW(oid_arena, NSSOID);
-  if( (NSSOID *)NULL == rv ) {
-    goto loser;
-  }
-
-  rv->data.data = nss_ZAlloc(oid_arena, candidate->data.size);
-  if( (void *)NULL == rv->data.data ) {
-    goto loser;
-  }
-
-  rv->data.size = candidate->data.size;
-  nsslibc_memcpy(rv->data.data, candidate->data.data, rv->data.size);
-
-  (void)nss_ZFreeIf(candidate->data.data);
-  (void)nss_ZFreeIf(candidate);
-
-#ifdef DEBUG
-  rv->tag = "<runtime>";
-  rv->expl = "(OID registered at runtime)";
-#endif /* DEBUG */
-
-  PZ_Lock(oid_hash_lock);
-  e = PL_HashTableAdd(oid_hash_table, &rv->data, rv);
-  (void)PZ_Unlock(oid_hash_lock);
-  if( (PLHashEntry *)NULL == e ) {
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-    goto loser;
-  }
-
-#ifdef DEBUG
-  {
-    PRStatus st;
-    st = oid_add_pointer(rv);
-    if( PR_SUCCESS != st ) {
-      PZ_Lock(oid_hash_lock);
-      (void)PL_HashTableRemove(oid_hash_table, &rv->data);
-      (void)PZ_Unlock(oid_hash_lock);
-      goto loser;
-    }
-  }
-#endif /* DEBUG */
-
-  return rv;
-
- loser:
-  if( (NSSOID *)NULL != candidate ) {
-    (void)nss_ZFreeIf(candidate->data.data);
-  }
-  (void)nss_ZFreeIf(candidate);
-
-  if( (NSSOID *)NULL != rv ) {
-    (void)nss_ZFreeIf(rv->data.data);
-  }
-  (void)nss_ZFreeIf(rv);
-
-  return (NSSOID *)NULL;
-}
-
-/*
- * nssOID_GetDEREncoding
- *
- * This routine returns the DER encoding of the specified NSSOID.
- * If the optional arena argument is non-null, the memory used will
- * be obtained from that arena; otherwise, the memory will be obtained
- * from the heap.  This routine may return return null upon error, in 
- * which case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_OID
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  The DER encoding of this NSSOID
- */
-
-NSS_EXTERN NSSDER *
-nssOID_GetDEREncoding
-(
-  const NSSOID *oid,
-  NSSDER *rvOpt,
-  NSSArena *arenaOpt
-)
-{
-  const NSSItem *it;
-  NSSDER *rv;
-
-  if( PR_SUCCESS != oid_init() ) {
-    return (NSSDER *)NULL;
-  }
-
-#ifdef NSSDEBUG
-  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
-    return (NSSDER *)NULL;
-  }
-
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSDER *)NULL;
-    }
-  }
-#endif /* NSSDEBUG */
-
-  it = &oid->data;
-
-  if( (NSSDER *)NULL == rvOpt ) {
-    rv = nss_ZNEW(arenaOpt, NSSDER);
-    if( (NSSDER *)NULL == rv ) {
-      return (NSSDER *)NULL;
-    }
-  } else {
-    rv = rvOpt;
-  }
-
-  rv->data = nss_ZAlloc(arenaOpt, it->size);
-  if( (void *)NULL == rv->data ) {
-    if( rv != rvOpt ) {
-      (void)nss_ZFreeIf(rv);
-    }
-    return (NSSDER *)NULL;
-  }
-
-  rv->size = it->size;
-  nsslibc_memcpy(rv->data, it->data, it->size);
-
-  return rv;
-}
-
-/*
- * nssOID_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing the dotted-number 
- * encoding of the specified NSSOID.  If the optional arena argument 
- * is non-null, the memory used will be obtained from that arena; 
- * otherwise, the memory will be obtained from the heap.  This routine
- * may return null upon error, in which case it will have set an error
- * on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_OID
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 string containing the dotted-digit encoding of 
- *      this NSSOID
- */
-
-NSS_EXTERN NSSUTF8 *
-nssOID_GetUTF8Encoding
-(
-  const NSSOID *oid,
-  NSSArena *arenaOpt
-)
-{
-  NSSUTF8 *rv;
-  PRUint8 *end;
-  PRUint8 *d;
-  PRUint8 *e;
-  char *a;
-  char *b;
-  PRUint32 len;
-
-  if( PR_SUCCESS != oid_init() ) {
-    return (NSSUTF8 *)NULL;
-  }
-
-#ifdef NSSDEBUG
-  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
-    return (NSSUTF8 *)NULL;
-  }
-
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSUTF8 *)NULL;
-    }
-  }
-#endif /* NSSDEBUG */
-
-  a = (char *)NULL;
-
-  /* d will point to the next sequence of bytes to decode */
-  d = (PRUint8 *)oid->data.data;
-  /* end points to one past the legitimate data */
-  end = &d[ oid->data.size ];
-
-#ifdef NSSDEBUG
-  /*
-   * Guarantee that the for(e=d;e<end;e++) loop below will
-   * terminate.  Our BER sanity-checking code above will prevent
-   * such a BER from being registered, so the only other way one
-   * might show up is if our dotted-decimal encoder above screws
-   * up or our generated list is wrong.  So I'll wrap it with
-   * #ifdef NSSDEBUG and #endif.
-   */
-  if( end[-1] & 0x80 ) {
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
-    return (NSSUTF8 *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  /*
-   * Check for our pseudo-encoded single-digit OIDs
-   */
-  if( (*d == 0x80) && (2 == oid->data.size) ) {
-    /* Funky encoding.  The second byte is the number */
-    a = PR_smprintf("%lu", (PRUint32)d[1]);
-    if( (char *)NULL == a ) {
-      nss_SetError(NSS_ERROR_NO_MEMORY);
-      return (NSSUTF8 *)NULL;
-    }
-    goto done;
-  }
-
-  for( ; d < end; d = &e[1] ) {
-    
-    for( e = d; e < end; e++ ) {
-      if( 0 == (*e & 0x80) ) {
-        break;
-      }
-    }
-    
-    if( ((e-d) > 4) || (((e-d) == 4) && (*d & 0x70)) ) {
-      /* More than a 32-bit number */
-    } else {
-      PRUint32 n = 0;
-      
-      switch( e-d ) {
-      case 4:
-        n |= ((PRUint32)(e[-4] & 0x0f)) << 28;
-      case 3:
-        n |= ((PRUint32)(e[-3] & 0x7f)) << 21;
-      case 2:
-        n |= ((PRUint32)(e[-2] & 0x7f)) << 14;
-      case 1:
-        n |= ((PRUint32)(e[-1] & 0x7f)) <<  7;
-      case 0:
-        n |= ((PRUint32)(e[-0] & 0x7f))      ;
-      }
-      
-      if( (char *)NULL == a ) {
-        /* This is the first number.. decompose it */
-        PRUint32 one = (n/40), two = (n%40);
-        
-        a = PR_smprintf("%lu.%lu", one, two);
-        if( (char *)NULL == a ) {
-          nss_SetError(NSS_ERROR_NO_MEMORY);
-          return (NSSUTF8 *)NULL;
-        }
-      } else {
-        b = PR_smprintf("%s.%lu", a, n);
-        if( (char *)NULL == b ) {
-          PR_smprintf_free(a);
-          nss_SetError(NSS_ERROR_NO_MEMORY);
-          return (NSSUTF8 *)NULL;
-        }
-        
-        PR_smprintf_free(a);
-        a = b;
-      }
-    }
-  }
-
- done:
-  /*
-   * Even if arenaOpt is NULL, we have to copy the data so that
-   * it'll be freed with the right version of free: ours, not
-   * PR_smprintf_free's.
-   */
-  len = PL_strlen(a);
-  rv = (NSSUTF8 *)nss_ZAlloc(arenaOpt, len);
-  if( (NSSUTF8 *)NULL == rv ) {
-    PR_smprintf_free(a);
-    return (NSSUTF8 *)NULL;
-  }
-
-  nsslibc_memcpy(rv, a, len);
-  PR_smprintf_free(a);
-
-  return rv;
-}
-
-/*
- * nssOID_getExplanation
- *
- * This method is only present in debug builds.
- *
- * This routine will return a static pointer to a UTF8-encoded string
- * describing (in English) the specified OID.  The memory pointed to
- * by the return value is not owned by the caller, and should not be
- * freed or modified.  Note that explanations are only provided for
- * the OIDs built into the NSS library; there is no way to specify an
- * explanation for dynamically created OIDs.  This routine is intended
- * only for use in debugging tools such as "derdump."  This routine
- * may return null upon error, in which case it will have placed an
- * error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NSSOID
- *
- * Return value:
- *  NULL upon error
- *  A static pointer to a readonly, non-caller-owned UTF8-encoded
- *    string explaining the specified OID.
- */
-
-#ifdef DEBUG
-NSS_EXTERN const NSSUTF8 *
-nssOID_getExplanation
-(
-  NSSOID *oid
-)
-{
-  if( PR_SUCCESS != oid_init() ) {
-    return (const NSSUTF8 *)NULL;
-  }
-
-#ifdef NSSDEBUG
-  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
-    return (NSSUTF8 *)NULL;
-  }
-#endif /* NSSDEBUG */
-
-  return oid->expl;
-}
-
-extern const NSSError NSS_ERROR_INVALID_NSSOID;
-#endif /* DEBUG */
-
-/*
- * nssOID_getTaggedUTF8
- *
- * This method is only present in debug builds.
- *
- * This routine will return a pointer to a caller-owned UTF8-encoded
- * string containing a tagged encoding of the specified OID.  Note
- * that OID (component) tags are only provided for the OIDs built 
- * into the NSS library; there is no way to specify tags for 
- * dynamically created OIDs.  This routine is intended for use in
- * debugging tools such as "derdump."   If the optional arena argument
- * is non-null, the memory used will be obtained from that arena; 
- * otherwise, the memory will be obtained from the heap.  This routine 
- * may return return null upon error, in which case it will have set 
- * an error on the error stack.
- *
- * The error may be one of the following values
- *  NSS_ERROR_INVALID_NSSOID
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 string containing the tagged encoding of
- *      this NSSOID
- */
-
-#ifdef DEBUG
-NSS_EXTERN NSSUTF8 *
-nssOID_getTaggedUTF8
-(
-  NSSOID *oid,
-  NSSArena *arenaOpt
-)
-{
-  NSSUTF8 *rv;
-  char *raw;
-  char *c;
-  char *a = (char *)NULL;
-  char *b;
-  PRBool done = PR_FALSE;
-  PRUint32 len;
-
-  if( PR_SUCCESS != oid_init() ) {
-    return (NSSUTF8 *)NULL;
-  }
-
-#ifdef NSSDEBUG
-  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
-    return (NSSUTF8 *)NULL;
-  }
-
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSUTF8 *)NULL;
-    }
-  }
-#endif /* NSSDEBUG */
-
-  a = PR_smprintf("{");
-  if( (char *)NULL == a ) {
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-    return (NSSUTF8 *)NULL;
-  }
-
-  /*
-   * What I'm doing here is getting the text version of the OID,
-   * e.g. 1.2.12.92, then looking up each set of leading numbers
-   * as oids.. e.g. "1," then "1.2," then "1.2.12," etc.  Each of
-   * those will have the leaf tag, and I just build up the string.
-   * I never said this was the most efficient way of doing it,
-   * but hey it's a debug-build thing, and I'm getting really tired
-   * of writing this stupid low-level PKI code.
-   */
-
-  /* I know it's all ASCII, so I can use char */
-  raw = (char *)nssOID_GetUTF8Encoding(oid, (NSSArena *)NULL);
-  if( (char *)NULL == raw ) {
-    return (NSSUTF8 *)NULL;
-  }
-
-  for( c = raw; !done; c++ ) {
-    NSSOID *lead;
-    char *lastdot;
-
-    for( ; '.' != *c; c++ ) {
-      if( '\0' == *c ) {
-        done = PR_TRUE;
-        break;
-      }
-    }
-
-    *c = '\0';
-    lead = nssOID_CreateFromUTF8((NSSUTF8 *)raw);
-    if( (NSSOID *)NULL == lead ) {
-      PR_smprintf_free(a);
-      nss_ZFreeIf(raw);
-      nss_SetError(NSS_ERROR_NO_MEMORY);
-      return (NSSUTF8 *)NULL;
-    }
-
-    lastdot = PL_strrchr(raw, '.');
-    if( (char *)NULL == lastdot ) {
-      lastdot = raw;
-    }
-
-    b = PR_smprintf("%s %s(%s) ", a, lead->tag, &lastdot[1]);
-    if( (char *)NULL == b ) {
-      PR_smprintf_free(a);
-      nss_ZFreeIf(raw);
-      /* drop the OID reference on the floor */
-      nss_SetError(NSS_ERROR_NO_MEMORY);
-      return (NSSUTF8 *)NULL;
-    }
-
-    PR_smprintf_free(a);
-    a = b;
-
-    if( !done ) {
-      *c = '.';
-    }
-  }
-
-  nss_ZFreeIf(raw);
-
-  b = PR_smprintf("%s }", a);
-  if( (char *)NULL == b ) {
-    PR_smprintf_free(a);
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-    return (NSSUTF8 *)NULL;
-  }
-
-  len = PL_strlen(b);
-  
-  rv = (NSSUTF8 *)nss_ZAlloc(arenaOpt, len+1);
-  if( (NSSUTF8 *)NULL == rv ) {
-    PR_smprintf_free(b);
-    return (NSSUTF8 *)NULL;
-  }
-
-  nsslibc_memcpy(rv, b, len);
-  PR_smprintf_free(b);
-
-  return rv;
-}
-
-extern const NSSError NSS_ERROR_INVALID_NSSOID;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-#endif /* DEBUG */
diff --git a/security/nss/lib/pki1/oiddata.c b/security/nss/lib/pki1/oiddata.c
deleted file mode 100644
index c044ad8a8..000000000
--- a/security/nss/lib/pki1/oiddata.c
+++ /dev/null
@@ -1,2937 +0,0 @@
-/* THIS IS A GENERATED FILE */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ ; @(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#ifndef PKI1T_H
-#include "pki1t.h"
-#endif /* PKI1T_H */
-
-const NSSOID nss_builtin_oids[] = {
-  {
-#ifdef DEBUG
-    "ccitt",
-    "ITU-T",
-#endif /* DEBUG */
-    { "\x80\x00", 2 }
-  },
-  {
-#ifdef DEBUG
-    "recommendation",
-    "ITU-T Recommendation",
-#endif /* DEBUG */
-    { "\x00", 1 }
-  },
-  {
-#ifdef DEBUG
-    "question",
-    "ITU-T Question",
-#endif /* DEBUG */
-    { "\x01", 1 }
-  },
-  {
-#ifdef DEBUG
-    "administration",
-    "ITU-T Administration",
-#endif /* DEBUG */
-    { "\x02", 1 }
-  },
-  {
-#ifdef DEBUG
-    "network-operator",
-    "ITU-T Network Operator",
-#endif /* DEBUG */
-    { "\x03", 1 }
-  },
-  {
-#ifdef DEBUG
-    "identified-organization",
-    "ITU-T Identified Organization",
-#endif /* DEBUG */
-    { "\x04", 1 }
-  },
-  {
-#ifdef DEBUG
-    "data",
-    "RFC Data",
-#endif /* DEBUG */
-    { "\x09", 1 }
-  },
-  {
-#ifdef DEBUG
-    "pss",
-    "PSS British Telecom X.25 Network",
-#endif /* DEBUG */
-    { "\x09\x92\x26", 3 }
-  },
-  {
-#ifdef DEBUG
-    "ucl",
-    "RFC 1274 UCL Data networks",
-#endif /* DEBUG */
-    { "\x09\x92\x26\x89\x93\xf2\x2c", 7 }
-  },
-  {
-#ifdef DEBUG
-    "pilot",
-    "RFC 1274 pilot",
-#endif /* DEBUG */
-    { "\x09\x92\x26\x89\x93\xf2\x2c\x64", 8 }
-  },
-  {
-#ifdef DEBUG
-    "attributeType",
-    "RFC 1274 Attribute Type",
-#endif /* DEBUG */
-    { "\x09\x92\x26\x89\x93\xf2\x2c\x64\x01", 9 }
-  },
-  {
-#ifdef DEBUG
-    "uid",
-    "RFC 1274 User Id",
-#endif /* DEBUG */
-    { "\x09\x92\x26\x89\x93\xf2\x2c\x64\x01\x01", 10 }
-  },
-  {
-#ifdef DEBUG
-    "mail",
-    "RFC 1274 E-mail Addres",
-#endif /* DEBUG */
-    { "\x09\x92\x26\x89\x93\xf2\x2c\x64\x01\x03", 10 }
-  },
-  {
-#ifdef DEBUG
-    "dc",
-    "RFC 2247 Domain Component",
-#endif /* DEBUG */
-    { "\x09\x92\x26\x89\x93\xf2\x2c\x64\x01\x19", 10 }
-  },
-  {
-#ifdef DEBUG
-    "attributeSyntax",
-    "RFC 1274 Attribute Syntax",
-#endif /* DEBUG */
-    { "\x09\x92\x26\x89\x93\xf2\x2c\x64\x03", 9 }
-  },
-  {
-#ifdef DEBUG
-    "iA5StringSyntax",
-    "RFC 1274 IA5 String Attribute Syntax",
-#endif /* DEBUG */
-    { "\x09\x92\x26\x89\x93\xf2\x2c\x64\x03\x04", 10 }
-  },
-  {
-#ifdef DEBUG
-    "caseIgnoreIA5StringSyntax",
-    "RFC 1274 Case-Ignore IA5 String Attribute Syntax",
-#endif /* DEBUG */
-    { "\x09\x92\x26\x89\x93\xf2\x2c\x64\x03\x05", 10 }
-  },
-  {
-#ifdef DEBUG
-    "objectClass",
-    "RFC 1274 Object Class",
-#endif /* DEBUG */
-    { "\x09\x92\x26\x89\x93\xf2\x2c\x64\x04", 9 }
-  },
-  {
-#ifdef DEBUG
-    "groups",
-    "RFC 1274 Groups",
-#endif /* DEBUG */
-    { "\x09\x92\x26\x89\x93\xf2\x2c\x64\x0a", 9 }
-  },
-  {
-#ifdef DEBUG
-    "ucl",
-    "RFC 1327 ucl",
-#endif /* DEBUG */
-    { "\x09\x92\x26\x86\xe8\xc4\xb5\xbe\x2c", 9 }
-  },
-  {
-#ifdef DEBUG
-    "iso",
-    "ISO",
-#endif /* DEBUG */
-    { "\x80\x01", 2 }
-  },
-  {
-#ifdef DEBUG
-    "standard",
-    "ISO Standard",
-#endif /* DEBUG */
-    { "\x28", 1 }
-  },
-  {
-#ifdef DEBUG
-    "registration-authority",
-    "ISO Registration Authority",
-#endif /* DEBUG */
-    { "\x29", 1 }
-  },
-  {
-#ifdef DEBUG
-    "member-body",
-    "ISO Member Body",
-#endif /* DEBUG */
-    { "\x2a", 1 }
-  },
-  {
-#ifdef DEBUG
-    "australia",
-    "Australia (ISO)",
-#endif /* DEBUG */
-    { "\x2a\x24", 2 }
-  },
-  {
-#ifdef DEBUG
-    "taiwan",
-    "Taiwan (ISO)",
-#endif /* DEBUG */
-    { "\x2a\x81\x1e", 3 }
-  },
-  {
-#ifdef DEBUG
-    "ireland",
-    "Ireland (ISO)",
-#endif /* DEBUG */
-    { "\x2a\x82\x74", 3 }
-  },
-  {
-#ifdef DEBUG
-    "norway",
-    "Norway (ISO)",
-#endif /* DEBUG */
-    { "\x2a\x84\x42", 3 }
-  },
-  {
-#ifdef DEBUG
-    "sweden",
-    "Sweden (ISO)",
-#endif /* DEBUG */
-    { "\x2a\x85\x70", 3 }
-  },
-  {
-#ifdef DEBUG
-    "great-britain",
-    "Great Britain (ISO)",
-#endif /* DEBUG */
-    { "\x2a\x86\x3a", 3 }
-  },
-  {
-#ifdef DEBUG
-    "us",
-    "United States (ISO)",
-#endif /* DEBUG */
-    { "\x2a\x86\x48", 3 }
-  },
-  {
-#ifdef DEBUG
-    "organization",
-    "US (ISO) organization",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x01", 4 }
-  },
-  {
-#ifdef DEBUG
-    "ansi-z30-50",
-    "ANSI Z39.50",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\xce\x13", 5 }
-  },
-  {
-#ifdef DEBUG
-    "dicom",
-    "DICOM",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\xce\x18", 5 }
-  },
-  {
-#ifdef DEBUG
-    "ieee-1224",
-    "IEEE 1224",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\xce\x21", 5 }
-  },
-  {
-#ifdef DEBUG
-    "ieee-802-10",
-    "IEEE 802.10",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\xce\x26", 5 }
-  },
-  {
-#ifdef DEBUG
-    "ieee-802-11",
-    "IEEE 802.11",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\xce\x34", 5 }
-  },
-  {
-#ifdef DEBUG
-    "x9-57",
-    "ANSI X9.57",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\xce\x38", 5 }
-  },
-  {
-#ifdef DEBUG
-    "holdInstruction",
-    "ANSI X9.57 Hold Instruction",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\xce\x38\x02", 6 }
-  },
-  {
-#ifdef DEBUG
-    "id-holdinstruction-none",
-    "ANSI X9.57 Hold Instruction: None",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\xce\x38\x02\x01", 7 }
-  },
-  {
-#ifdef DEBUG
-    "id-holdinstruction-callissuer",
-    "ANSI X9.57 Hold Instruction: Call Issuer",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\xce\x38\x02\x02", 7 }
-  },
-  {
-#ifdef DEBUG
-    "id-holdinstruction-reject",
-    "ANSI X9.57 Hold Instruction: Reject",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\xce\x38\x02\x03", 7 }
-  },
-  {
-#ifdef DEBUG
-    "x9algorithm",
-    "ANSI X9.57 Algorithm",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\xce\x38\x04", 6 }
-  },
-  {
-#ifdef DEBUG
-    "id-dsa",
-    "ANSI X9.57 DSA Signature",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\xce\x38\x04\x01", 7 }
-  },
-  {
-#ifdef DEBUG
-    "id-dsa-with-sha1",
-    "ANSI X9.57 Algorithm DSA Signature with SHA-1 Digest",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\xce\x38\x04\x03", 7 }
-  },
-  {
-#ifdef DEBUG
-    "x942",
-    "ANSI X9.42",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\xce\x3e", 5 }
-  },
-  {
-#ifdef DEBUG
-    "algorithm",
-    "ANSI X9.42 Algorithm",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\xce\x3e\x02", 6 }
-  },
-  {
-#ifdef DEBUG
-    "dhpublicnumber",
-    "Diffie-Hellman Public Key Algorithm",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\xce\x3e\x02\x01", 7 }
-  },
-  {
-#ifdef DEBUG
-    "entrust",
-    "Entrust Technologies",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf6\x7d", 6 }
-  },
-  {
-#ifdef DEBUG
-    "rsadsi",
-    "RSA Data Security Inc.",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d", 6 }
-  },
-  {
-#ifdef DEBUG
-    "pkcs",
-    "PKCS",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01", 7 }
-  },
-  {
-#ifdef DEBUG
-    "pkcs-1",
-    "PKCS #1",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x01", 8 }
-  },
-  {
-#ifdef DEBUG
-    "rsaEncryption",
-    "PKCS #1 RSA Encryption",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01", 9 }
-  },
-  {
-#ifdef DEBUG
-    "md2WithRSAEncryption",
-    "PKCS #1 MD2 With RSA Encryption",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x02", 9 }
-  },
-  {
-#ifdef DEBUG
-    "md4WithRSAEncryption",
-    "PKCS #1 MD4 With RSA Encryption",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x03", 9 }
-  },
-  {
-#ifdef DEBUG
-    "md5WithRSAEncryption",
-    "PKCS #1 MD5 With RSA Encryption",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04", 9 }
-  },
-  {
-#ifdef DEBUG
-    "sha1WithRSAEncryption",
-    "PKCS #1 SHA-1 With RSA Encryption",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05", 9 }
-  },
-  {
-#ifdef DEBUG
-    "pkcs-5",
-    "PKCS #5",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x05", 8 }
-  },
-  {
-#ifdef DEBUG
-    "pbeWithMD2AndDES-CBC",
-    "PKCS #5 Password Based Encryption With MD2 and DES-CBC",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x05\x01", 9 }
-  },
-  {
-#ifdef DEBUG
-    "pbeWithMD5AndDES-CBC",
-    "PKCS #5 Password Based Encryption With MD5 and DES-CBC",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x05\x03", 9 }
-  },
-  {
-#ifdef DEBUG
-    "pbeWithSha1AndDES-CBC",
-    "PKCS #5 Password Based Encryption With SHA-1 and DES-CBC",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x05\x0a", 9 }
-  },
-  {
-#ifdef DEBUG
-    "pkcs-7",
-    "PKCS #7",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x07", 8 }
-  },
-  {
-#ifdef DEBUG
-    "data",
-    "PKCS #7 Data",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01", 9 }
-  },
-  {
-#ifdef DEBUG
-    "signedData",
-    "PKCS #7 Signed Data",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02", 9 }
-  },
-  {
-#ifdef DEBUG
-    "envelopedData",
-    "PKCS #7 Enveloped Data",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x07\x03", 9 }
-  },
-  {
-#ifdef DEBUG
-    "signedAndEnvelopedData",
-    "PKCS #7 Signed and Enveloped Data",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x07\x04", 9 }
-  },
-  {
-#ifdef DEBUG
-    "digestedData",
-    "PKCS #7 Digested Data",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x07\x05", 9 }
-  },
-  {
-#ifdef DEBUG
-    "encryptedData",
-    "PKCS #7 Encrypted Data",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x07\x06", 9 }
-  },
-  {
-#ifdef DEBUG
-    "pkcs-9",
-    "PKCS #9",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09", 8 }
-  },
-  {
-#ifdef DEBUG
-    "emailAddress",
-    "PKCS #9 Email Address",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01", 9 }
-  },
-  {
-#ifdef DEBUG
-    "unstructuredName",
-    "PKCS #9 Unstructured Name",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x02", 9 }
-  },
-  {
-#ifdef DEBUG
-    "contentType",
-    "PKCS #9 Content Type",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x03", 9 }
-  },
-  {
-#ifdef DEBUG
-    "messageDigest",
-    "PKCS #9 Message Digest",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x04", 9 }
-  },
-  {
-#ifdef DEBUG
-    "signingTime",
-    "PKCS #9 Signing Time",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x05", 9 }
-  },
-  {
-#ifdef DEBUG
-    "counterSignature",
-    "PKCS #9 Counter Signature",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x06", 9 }
-  },
-  {
-#ifdef DEBUG
-    "challengePassword",
-    "PKCS #9 Challenge Password",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x07", 9 }
-  },
-  {
-#ifdef DEBUG
-    "unstructuredAddress",
-    "PKCS #9 Unstructured Address",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x08", 9 }
-  },
-  {
-#ifdef DEBUG
-    "extendedCertificateAttributes",
-    "PKCS #9 Extended Certificate Attributes",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x09", 9 }
-  },
-  {
-#ifdef DEBUG
-    "sMIMECapabilities",
-    "PKCS #9 S/MIME Capabilities",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x0f", 9 }
-  },
-  {
-#ifdef DEBUG
-    "friendlyName",
-    "PKCS #9 Friendly Name",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x14", 9 }
-  },
-  {
-#ifdef DEBUG
-    "localKeyID",
-    "PKCS #9 Local Key ID",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x15", 9 }
-  },
-  {
-#ifdef DEBUG
-    "certTypes",
-    "PKCS #9 Certificate Types",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x16", 9 }
-  },
-  {
-#ifdef DEBUG
-    "x509Certificate",
-    "PKCS #9 Certificate Type = X.509",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x16\x01", 10 }
-  },
-  {
-#ifdef DEBUG
-    "sdsiCertificate",
-    "PKCS #9 Certificate Type = SDSI",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x16\x02", 10 }
-  },
-  {
-#ifdef DEBUG
-    "crlTypes",
-    "PKCS #9 Certificate Revocation List Types",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x17", 9 }
-  },
-  {
-#ifdef DEBUG
-    "x509Crl",
-    "PKCS #9 CRL Type = X.509",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x17\x01", 10 }
-  },
-  {
-#ifdef DEBUG
-    "pkcs-12",
-    "PKCS #12",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c", 8 }
-  },
-  {
-#ifdef DEBUG
-    "pkcs-12PbeIds",
-    "PKCS #12 Password Based Encryption IDs",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x01", 9 }
-  },
-  {
-#ifdef DEBUG
-    "pbeWithSHA1And128BitRC4",
-    "PKCS #12 Password Based Encryption With SHA-1 and 128-bit RC4",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x01\x01", 10 }
-  },
-  {
-#ifdef DEBUG
-    "pbeWithSHA1And40BitRC4",
-    "PKCS #12 Password Based Encryption With SHA-1 and 40-bit RC4",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x01\x02", 10 }
-  },
-  {
-#ifdef DEBUG
-    "pbeWithSHA1And3-KeyTripleDES-CBC",
-    "PKCS #12 Password Based Encryption With SHA-1 and 3-key Triple DES-CBC",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x01\x03", 10 }
-  },
-  {
-#ifdef DEBUG
-    "pbeWithSHA1And2-KeyTripleDES-CBC",
-    "PKCS #12 Password Based Encryption With SHA-1 and 2-key Triple DES-CBC",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x01\x04", 10 }
-  },
-  {
-#ifdef DEBUG
-    "pbeWithSHA1And128BitRC2-CBC",
-    "PKCS #12 Password Based Encryption With SHA-1 and 128-bit RC2-CBC",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x01\x05", 10 }
-  },
-  {
-#ifdef DEBUG
-    "pbeWithSHA1And40BitRC2-CBC",
-    "PKCS #12 Password Based Encryption With SHA-1 and 40-bit RC2-CBC",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x01\x06", 10 }
-  },
-  {
-#ifdef DEBUG
-    "pkcs-12EspvkIds",
-    "PKCS #12 ESPVK IDs",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x02", 9 }
-  },
-  {
-#ifdef DEBUG
-    "pkcs8-key-shrouding",
-    "PKCS #12 Key Shrouding",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x02\x01", 10 }
-  },
-  {
-#ifdef DEBUG
-    "draft1Pkcs-12Bag-ids",
-    "Draft 1.0 PKCS #12 Bag IDs",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x03", 9 }
-  },
-  {
-#ifdef DEBUG
-    "keyBag",
-    "Draft 1.0 PKCS #12 Key Bag",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x03\x01", 10 }
-  },
-  {
-#ifdef DEBUG
-    "certAndCRLBagId",
-    "Draft 1.0 PKCS #12 Cert and CRL Bag ID",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x03\x02", 10 }
-  },
-  {
-#ifdef DEBUG
-    "secretBagId",
-    "Draft 1.0 PKCS #12 Secret Bag ID",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x03\x03", 10 }
-  },
-  {
-#ifdef DEBUG
-    "safeContentsId",
-    "Draft 1.0 PKCS #12 Safe Contents Bag ID",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x03\x04", 10 }
-  },
-  {
-#ifdef DEBUG
-    "pkcs-8ShroudedKeyBagId",
-    "Draft 1.0 PKCS #12 PKCS #8-shrouded Key Bag ID",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x03\x05", 10 }
-  },
-  {
-#ifdef DEBUG
-    "pkcs-12CertBagIds",
-    "PKCS #12 Certificate Bag IDs",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x04", 9 }
-  },
-  {
-#ifdef DEBUG
-    "x509CertCRLBagId",
-    "PKCS #12 X.509 Certificate and CRL Bag",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x04\x01", 10 }
-  },
-  {
-#ifdef DEBUG
-    "SDSICertBagID",
-    "PKCS #12 SDSI Certificate Bag",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x04\x02", 10 }
-  },
-  {
-#ifdef DEBUG
-    "pkcs-12Oids",
-    "PKCS #12 OIDs (XXX)",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05", 9 }
-  },
-  {
-#ifdef DEBUG
-    "pkcs-12PbeIds",
-    "PKCS #12 OIDs PBE IDs (XXX)",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x01", 10 }
-  },
-  {
-#ifdef DEBUG
-    "pbeWithSha1And128BitRC4",
-    "PKCS #12 OIDs PBE with SHA-1 and 128-bit RC4 (XXX)",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x01\x01", 11 }
-  },
-  {
-#ifdef DEBUG
-    "pbeWithSha1And40BitRC4",
-    "PKCS #12 OIDs PBE with SHA-1 and 40-bit RC4 (XXX)",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x01\x02", 11 }
-  },
-  {
-#ifdef DEBUG
-    "pbeWithSha1AndTripleDES-CBC",
-    "PKCS #12 OIDs PBE with SHA-1 and Triple DES-CBC (XXX)",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x01\x03", 11 }
-  },
-  {
-#ifdef DEBUG
-    "pbeWithSha1And128BitRC2-CBC",
-    "PKCS #12 OIDs PBE with SHA-1 and 128-bit RC2-CBC (XXX)",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x01\x04", 11 }
-  },
-  {
-#ifdef DEBUG
-    "pbeWithSha1And40BitRC2-CBC",
-    "PKCS #12 OIDs PBE with SHA-1 and 40-bit RC2-CBC (XXX)",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x01\x05", 11 }
-  },
-  {
-#ifdef DEBUG
-    "pkcs-12EnvelopingIds",
-    "PKCS #12 OIDs Enveloping IDs (XXX)",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x02", 10 }
-  },
-  {
-#ifdef DEBUG
-    "rsaEncryptionWith128BitRC4",
-    "PKCS #12 OIDs Enveloping RSA Encryption with 128-bit RC4",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x02\x01", 11 }
-  },
-  {
-#ifdef DEBUG
-    "rsaEncryptionWith40BitRC4",
-    "PKCS #12 OIDs Enveloping RSA Encryption with 40-bit RC4",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x02\x02", 11 }
-  },
-  {
-#ifdef DEBUG
-    "rsaEncryptionWithTripleDES",
-    "PKCS #12 OIDs Enveloping RSA Encryption with Triple DES",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x02\x03", 11 }
-  },
-  {
-#ifdef DEBUG
-    "pkcs-12SignatureIds",
-    "PKCS #12 OIDs Signature IDs (XXX)",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x03", 10 }
-  },
-  {
-#ifdef DEBUG
-    "rsaSignatureWithSHA1Digest",
-    "PKCS #12 OIDs RSA Signature with SHA-1 Digest",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x03\x01", 11 }
-  },
-  {
-#ifdef DEBUG
-    "pkcs-12Version1",
-    "PKCS #12 Version 1",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x0a", 9 }
-  },
-  {
-#ifdef DEBUG
-    "pkcs-12BagIds",
-    "PKCS #12 Bag IDs",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x0a\x01", 10 }
-  },
-  {
-#ifdef DEBUG
-    "keyBag",
-    "PKCS #12 Key Bag",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x0a\x01\x01", 11 }
-  },
-  {
-#ifdef DEBUG
-    "pkcs-8ShroudedKeyBag",
-    "PKCS #12 PKCS #8-shrouded Key Bag",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x0a\x01\x02", 11 }
-  },
-  {
-#ifdef DEBUG
-    "certBag",
-    "PKCS #12 Certificate Bag",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x0a\x01\x03", 11 }
-  },
-  {
-#ifdef DEBUG
-    "crlBag",
-    "PKCS #12 CRL Bag",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x0a\x01\x04", 11 }
-  },
-  {
-#ifdef DEBUG
-    "secretBag",
-    "PKCS #12 Secret Bag",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x0a\x01\x05", 11 }
-  },
-  {
-#ifdef DEBUG
-    "safeContentsBag",
-    "PKCS #12 Safe Contents Bag",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x0a\x01\x06", 11 }
-  },
-  {
-#ifdef DEBUG
-    "digest",
-    "RSA digest algorithm",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x02", 7 }
-  },
-  {
-#ifdef DEBUG
-    "md2",
-    "MD2",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x02\x02", 8 }
-  },
-  {
-#ifdef DEBUG
-    "md4",
-    "MD4",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x02\x04", 8 }
-  },
-  {
-#ifdef DEBUG
-    "md5",
-    "MD5",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x02\x05", 8 }
-  },
-  {
-#ifdef DEBUG
-    "cipher",
-    "RSA cipher algorithm",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x03", 7 }
-  },
-  {
-#ifdef DEBUG
-    "rc2cbc",
-    "RC2-CBC",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x03\x02", 8 }
-  },
-  {
-#ifdef DEBUG
-    "rc4",
-    "RC4",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x03\x04", 8 }
-  },
-  {
-#ifdef DEBUG
-    "desede3cbc",
-    "DES-EDE3-CBC",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x03\x07", 8 }
-  },
-  {
-#ifdef DEBUG
-    "rc5cbcpad",
-    "RC5-CBCPad",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x0d\x03\x09", 8 }
-  },
-  {
-#ifdef DEBUG
-    "microsoft",
-    "Microsoft",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x14", 6 }
-  },
-  {
-#ifdef DEBUG
-    "columbia-university",
-    "Columbia University",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x18", 6 }
-  },
-  {
-#ifdef DEBUG
-    "unisys",
-    "Unisys",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x24", 6 }
-  },
-  {
-#ifdef DEBUG
-    "xapia",
-    "XAPIA",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf7\x7a", 6 }
-  },
-  {
-#ifdef DEBUG
-    "wordperfect",
-    "WordPerfect",
-#endif /* DEBUG */
-    { "\x2a\x86\x48\x86\xf8\x23", 6 }
-  },
-  {
-#ifdef DEBUG
-    "identified-organization",
-    "ISO identified organizations",
-#endif /* DEBUG */
-    { "\x2b", 1 }
-  },
-  {
-#ifdef DEBUG
-    "us-dod",
-    "United States Department of Defense",
-#endif /* DEBUG */
-    { "\x2b\x06", 2 }
-  },
-  {
-#ifdef DEBUG
-    "internet",
-    "The Internet",
-#endif /* DEBUG */
-    { "\x2b\x06\x01", 3 }
-  },
-  {
-#ifdef DEBUG
-    "directory",
-    "Internet: Directory",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x01", 4 }
-  },
-  {
-#ifdef DEBUG
-    "management",
-    "Internet: Management",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x02", 4 }
-  },
-  {
-#ifdef DEBUG
-    "experimental",
-    "Internet: Experimental",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x03", 4 }
-  },
-  {
-#ifdef DEBUG
-    "private",
-    "Internet: Private",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x04", 4 }
-  },
-  {
-#ifdef DEBUG
-    "security",
-    "Internet: Security",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05", 4 }
-  },
-  {
-#ifdef DEBUG
-    "",
-    "",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05", 5 }
-  },
-  {
-#ifdef DEBUG
-    "id-pkix",
-    "Public Key Infrastructure",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07", 6 }
-  },
-  {
-#ifdef DEBUG
-    "PKIX1Explicit88",
-    "RFC 2459 Explicitly Tagged Module, 1988 Syntax",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x00\x01", 8 }
-  },
-  {
-#ifdef DEBUG
-    "PKIXImplicit88",
-    "RFC 2459 Implicitly Tagged Module, 1988 Syntax",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x00\x02", 8 }
-  },
-  {
-#ifdef DEBUG
-    "PKIXExplicit93",
-    "RFC 2459 Explicitly Tagged Module, 1993 Syntax",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x00\x03", 8 }
-  },
-  {
-#ifdef DEBUG
-    "id-pe",
-    "PKIX Private Certificate Extensions",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x01", 7 }
-  },
-  {
-#ifdef DEBUG
-    "id-pe-authorityInfoAccess",
-    "Certificate Authority Information Access",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x01\x01", 8 }
-  },
-  {
-#ifdef DEBUG
-    "id-qt",
-    "PKIX Policy Qualifier Types",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x02", 7 }
-  },
-  {
-#ifdef DEBUG
-    "id-qt-cps",
-    "PKIX CPS Pointer Qualifier",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x02\x01", 8 }
-  },
-  {
-#ifdef DEBUG
-    "id-qt-unotice",
-    "PKIX User Notice Qualifier",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x02\x02", 8 }
-  },
-  {
-#ifdef DEBUG
-    "id-kp",
-    "PKIX Key Purpose",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x03", 7 }
-  },
-  {
-#ifdef DEBUG
-    "id-kp-serverAuth",
-    "TLS Web Server Authentication Certificate",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x03\x01", 8 }
-  },
-  {
-#ifdef DEBUG
-    "id-kp-clientAuth",
-    "TLS Web Client Authentication Certificate",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x03\x02", 8 }
-  },
-  {
-#ifdef DEBUG
-    "id-kp-codeSigning",
-    "Code Signing Certificate",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x03\x03", 8 }
-  },
-  {
-#ifdef DEBUG
-    "id-kp-emailProtection",
-    "E-Mail Protection Certificate",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x03\x04", 8 }
-  },
-  {
-#ifdef DEBUG
-    "id-kp-ipsecEndSystem",
-    "IPSEC End System Certificate",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x03\x05", 8 }
-  },
-  {
-#ifdef DEBUG
-    "id-kp-ipsecTunnel",
-    "IPSEC Tunnel Certificate",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x03\x06", 8 }
-  },
-  {
-#ifdef DEBUG
-    "id-kp-ipsecUser",
-    "IPSEC User Certificate",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x03\x07", 8 }
-  },
-  {
-#ifdef DEBUG
-    "id-kp-timeStamping",
-    "Time Stamping Certificate",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x03\x08", 8 }
-  },
-  {
-#ifdef DEBUG
-    "ocsp-responder",
-    "OCSP Responder Certificate",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x03\x09", 8 }
-  },
-  {
-#ifdef DEBUG
-    "pkix-id-pkix",
-    "",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x07", 7 }
-  },
-  {
-#ifdef DEBUG
-    "pkix-id-pkip",
-    "",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x07\x05", 8 }
-  },
-  {
-#ifdef DEBUG
-    "pkix-id-regctrl",
-    "CRMF Registration Control",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x07\x05\x01", 9 }
-  },
-  {
-#ifdef DEBUG
-    "regtoken",
-    "CRMF Registration Control, Registration Token",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x07\x05\x01\x01", 10 }
-  },
-  {
-#ifdef DEBUG
-    "authenticator",
-    "CRMF Registration Control, Registration Authenticator",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x07\x05\x01\x02", 10 }
-  },
-  {
-#ifdef DEBUG
-    "pkipubinfo",
-    "CRMF Registration Control, PKI Publication Info",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x07\x05\x01\x03", 10 }
-  },
-  {
-#ifdef DEBUG
-    "pki-arch-options",
-    "CRMF Registration Control, PKI Archive Options",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x07\x05\x01\x04", 10 }
-  },
-  {
-#ifdef DEBUG
-    "old-cert-id",
-    "CRMF Registration Control, Old Certificate ID",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x07\x05\x01\x05", 10 }
-  },
-  {
-#ifdef DEBUG
-    "protocol-encryption-key",
-    "CRMF Registration Control, Protocol Encryption Key",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x07\x05\x01\x06", 10 }
-  },
-  {
-#ifdef DEBUG
-    "pkix-id-reginfo",
-    "CRMF Registration Info",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x07\x05\x02", 9 }
-  },
-  {
-#ifdef DEBUG
-    "utf8-pairs",
-    "CRMF Registration Info, UTF8 Pairs",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x07\x05\x02\x01", 10 }
-  },
-  {
-#ifdef DEBUG
-    "cert-request",
-    "CRMF Registration Info, Certificate Request",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x07\x05\x02\x02", 10 }
-  },
-  {
-#ifdef DEBUG
-    "id-ad",
-    "PKIX Access Descriptors",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x30", 7 }
-  },
-  {
-#ifdef DEBUG
-    "id-ad-ocsp",
-    "PKIX Online Certificate Status Protocol",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x30\x01", 8 }
-  },
-  {
-#ifdef DEBUG
-    "basic-response",
-    "OCSP Basic Response",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x30\x01\x01", 9 }
-  },
-  {
-#ifdef DEBUG
-    "nonce-extension",
-    "OCSP Nonce Extension",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x30\x01\x02", 9 }
-  },
-  {
-#ifdef DEBUG
-    "response",
-    "OCSP Response Types Extension",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x30\x01\x03", 9 }
-  },
-  {
-#ifdef DEBUG
-    "crl",
-    "OCSP CRL Reference Extension",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x30\x01\x04", 9 }
-  },
-  {
-#ifdef DEBUG
-    "no-check",
-    "OCSP No Check Extension",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x30\x01\x05", 9 }
-  },
-  {
-#ifdef DEBUG
-    "archive-cutoff",
-    "OCSP Archive Cutoff Extension",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x30\x01\x06", 9 }
-  },
-  {
-#ifdef DEBUG
-    "service-locator",
-    "OCSP Service Locator Extension",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x30\x01\x07", 9 }
-  },
-  {
-#ifdef DEBUG
-    "id-ad-caIssuers",
-    "Certificate Authority Issuers",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x05\x05\x07\x30\x02", 8 }
-  },
-  {
-#ifdef DEBUG
-    "snmpv2",
-    "Internet: SNMPv2",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x06", 4 }
-  },
-  {
-#ifdef DEBUG
-    "mail",
-    "Internet: mail",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x07", 4 }
-  },
-  {
-#ifdef DEBUG
-    "mime-mhs",
-    "Internet: mail MIME mhs",
-#endif /* DEBUG */
-    { "\x2b\x06\x01\x07\x01", 5 }
-  },
-  {
-#ifdef DEBUG
-    "ecma",
-    "European Computers Manufacturing Association",
-#endif /* DEBUG */
-    { "\x2b\x0c", 2 }
-  },
-  {
-#ifdef DEBUG
-    "oiw",
-    "Open Systems Implementors Workshop",
-#endif /* DEBUG */
-    { "\x2b\x0e", 2 }
-  },
-  {
-#ifdef DEBUG
-    "secsig",
-    "Open Systems Implementors Workshop Security Special Interest Group",
-#endif /* DEBUG */
-    { "\x2b\x0e\x03", 3 }
-  },
-  {
-#ifdef DEBUG
-    "oIWSECSIGAlgorithmObjectIdentifiers",
-    "OIW SECSIG Algorithm OIDs",
-#endif /* DEBUG */
-    { "\x2b\x0e\x03\x01", 4 }
-  },
-  {
-#ifdef DEBUG
-    "algorithm",
-    "OIW SECSIG Algorithm",
-#endif /* DEBUG */
-    { "\x2b\x0e\x03\x02", 4 }
-  },
-  {
-#ifdef DEBUG
-    "desecb",
-    "DES-ECB",
-#endif /* DEBUG */
-    { "\x2b\x0e\x03\x02\x06", 5 }
-  },
-  {
-#ifdef DEBUG
-    "descbc",
-    "DES-CBC",
-#endif /* DEBUG */
-    { "\x2b\x0e\x03\x02\x07", 5 }
-  },
-  {
-#ifdef DEBUG
-    "desofb",
-    "DES-OFB",
-#endif /* DEBUG */
-    { "\x2b\x0e\x03\x02\x08", 5 }
-  },
-  {
-#ifdef DEBUG
-    "descfb",
-    "DES-CFB",
-#endif /* DEBUG */
-    { "\x2b\x0e\x03\x02\x09", 5 }
-  },
-  {
-#ifdef DEBUG
-    "desmac",
-    "DES-MAC",
-#endif /* DEBUG */
-    { "\x2b\x0e\x03\x02\x0a", 5 }
-  },
-  {
-#ifdef DEBUG
-    "isoSHAWithRSASignature",
-    "ISO SHA with RSA Signature",
-#endif /* DEBUG */
-    { "\x2b\x0e\x03\x02\x0f", 5 }
-  },
-  {
-#ifdef DEBUG
-    "desede",
-    "DES-EDE",
-#endif /* DEBUG */
-    { "\x2b\x0e\x03\x02\x11", 5 }
-  },
-  {
-#ifdef DEBUG
-    "sha1",
-    "SHA-1",
-#endif /* DEBUG */
-    { "\x2b\x0e\x03\x02\x1a", 5 }
-  },
-  {
-#ifdef DEBUG
-    "bogusDSASignatureWithSHA1Digest",
-    "Forgezza DSA Signature with SHA-1 Digest",
-#endif /* DEBUG */
-    { "\x2b\x0e\x03\x02\x1b", 5 }
-  },
-  {
-#ifdef DEBUG
-    "authentication-mechanism",
-    "OIW SECSIG Authentication Mechanisms",
-#endif /* DEBUG */
-    { "\x2b\x0e\x03\x03", 4 }
-  },
-  {
-#ifdef DEBUG
-    "security-attribute",
-    "OIW SECSIG Security Attributes",
-#endif /* DEBUG */
-    { "\x2b\x0e\x03\x04", 4 }
-  },
-  {
-#ifdef DEBUG
-    "document-definition",
-    "OIW SECSIG Document Definitions used in security",
-#endif /* DEBUG */
-    { "\x2b\x0e\x03\x05", 4 }
-  },
-  {
-#ifdef DEBUG
-    "directory-services-sig",
-    "OIW directory services sig",
-#endif /* DEBUG */
-    { "\x2b\x0e\x07", 3 }
-  },
-  {
-#ifdef DEBUG
-    "ewos",
-    "European Workshop on Open Systems",
-#endif /* DEBUG */
-    { "\x2b\x10", 2 }
-  },
-  {
-#ifdef DEBUG
-    "osf",
-    "Open Software Foundation",
-#endif /* DEBUG */
-    { "\x2b\x16", 2 }
-  },
-  {
-#ifdef DEBUG
-    "nordunet",
-    "Nordunet",
-#endif /* DEBUG */
-    { "\x2b\x17", 2 }
-  },
-  {
-#ifdef DEBUG
-    "nato-id-org",
-    "NATO identified organisation",
-#endif /* DEBUG */
-    { "\x2b\x1a", 2 }
-  },
-  {
-#ifdef DEBUG
-    "teletrust",
-    "Teletrust",
-#endif /* DEBUG */
-    { "\x2b\x24", 2 }
-  },
-  {
-#ifdef DEBUG
-    "smpte",
-    "Society of Motion Picture and Television Engineers",
-#endif /* DEBUG */
-    { "\x2b\x34", 2 }
-  },
-  {
-#ifdef DEBUG
-    "sita",
-    "Societe Internationale de Telecommunications Aeronautiques",
-#endif /* DEBUG */
-    { "\x2b\x45", 2 }
-  },
-  {
-#ifdef DEBUG
-    "iana",
-    "Internet Assigned Numbers Authority",
-#endif /* DEBUG */
-    { "\x2b\x5a", 2 }
-  },
-  {
-#ifdef DEBUG
-    "thawte",
-    "Thawte",
-#endif /* DEBUG */
-    { "\x2b\x65", 2 }
-  },
-  {
-#ifdef DEBUG
-    "joint-iso-ccitt",
-    "Joint ISO/ITU-T assignment",
-#endif /* DEBUG */
-    { "\x80\x02", 2 }
-  },
-  {
-#ifdef DEBUG
-    "presentation",
-    "Joint ISO/ITU-T Presentation",
-#endif /* DEBUG */
-    { "\x50", 1 }
-  },
-  {
-#ifdef DEBUG
-    "asn-1",
-    "Abstract Syntax Notation One",
-#endif /* DEBUG */
-    { "\x51", 1 }
-  },
-  {
-#ifdef DEBUG
-    "acse",
-    "Association Control",
-#endif /* DEBUG */
-    { "\x52", 1 }
-  },
-  {
-#ifdef DEBUG
-    "rtse",
-    "Reliable Transfer",
-#endif /* DEBUG */
-    { "\x53", 1 }
-  },
-  {
-#ifdef DEBUG
-    "rose",
-    "Remote Operations",
-#endif /* DEBUG */
-    { "\x54", 1 }
-  },
-  {
-#ifdef DEBUG
-    "x500",
-    "Directory",
-#endif /* DEBUG */
-    { "\x55", 1 }
-  },
-  {
-#ifdef DEBUG
-    "modules",
-    "X.500 modules",
-#endif /* DEBUG */
-    { "\x55\x01", 2 }
-  },
-  {
-#ifdef DEBUG
-    "service-environment",
-    "X.500 service environment",
-#endif /* DEBUG */
-    { "\x55\x02", 2 }
-  },
-  {
-#ifdef DEBUG
-    "application-context",
-    "X.500 application context",
-#endif /* DEBUG */
-    { "\x55\x03", 2 }
-  },
-  {
-#ifdef DEBUG
-    "id-at",
-    "X.520 attribute types",
-#endif /* DEBUG */
-    { "\x55\x04", 2 }
-  },
-  {
-#ifdef DEBUG
-    "id-at-commonName",
-    "X.520 Common Name",
-#endif /* DEBUG */
-    { "\x55\x04\x03", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-at-surname",
-    "X.520 Surname",
-#endif /* DEBUG */
-    { "\x55\x04\x04", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-at-countryName",
-    "X.520 Country Name",
-#endif /* DEBUG */
-    { "\x55\x04\x06", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-at-localityName",
-    "X.520 Locality Name",
-#endif /* DEBUG */
-    { "\x55\x04\x07", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-at-stateOrProvinceName",
-    "X.520 State or Province Name",
-#endif /* DEBUG */
-    { "\x55\x04\x08", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-at-organizationName",
-    "X.520 Organization Name",
-#endif /* DEBUG */
-    { "\x55\x04\x0a", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-at-organizationalUnitName",
-    "X.520 Organizational Unit Name",
-#endif /* DEBUG */
-    { "\x55\x04\x0b", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-at-title",
-    "X.520 Title",
-#endif /* DEBUG */
-    { "\x55\x04\x0c", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-at-name",
-    "X.520 Name",
-#endif /* DEBUG */
-    { "\x55\x04\x29", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-at-givenName",
-    "X.520 Given Name",
-#endif /* DEBUG */
-    { "\x55\x04\x2a", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-at-initials",
-    "X.520 Initials",
-#endif /* DEBUG */
-    { "\x55\x04\x2b", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-at-generationQualifier",
-    "X.520 Generation Qualifier",
-#endif /* DEBUG */
-    { "\x55\x04\x2c", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-at-dnQualifier",
-    "X.520 DN Qualifier",
-#endif /* DEBUG */
-    { "\x55\x04\x2e", 3 }
-  },
-  {
-#ifdef DEBUG
-    "attribute-syntax",
-    "X.500 attribute syntaxes",
-#endif /* DEBUG */
-    { "\x55\x05", 2 }
-  },
-  {
-#ifdef DEBUG
-    "object-classes",
-    "X.500 standard object classes",
-#endif /* DEBUG */
-    { "\x55\x06", 2 }
-  },
-  {
-#ifdef DEBUG
-    "attribute-set",
-    "X.500 attribute sets",
-#endif /* DEBUG */
-    { "\x55\x07", 2 }
-  },
-  {
-#ifdef DEBUG
-    "algorithms",
-    "X.500-defined algorithms",
-#endif /* DEBUG */
-    { "\x55\x08", 2 }
-  },
-  {
-#ifdef DEBUG
-    "encryption",
-    "X.500-defined encryption algorithms",
-#endif /* DEBUG */
-    { "\x55\x08\x01", 3 }
-  },
-  {
-#ifdef DEBUG
-    "rsa",
-    "RSA Encryption Algorithm",
-#endif /* DEBUG */
-    { "\x55\x08\x01\x01", 4 }
-  },
-  {
-#ifdef DEBUG
-    "abstract-syntax",
-    "X.500 abstract syntaxes",
-#endif /* DEBUG */
-    { "\x55\x09", 2 }
-  },
-  {
-#ifdef DEBUG
-    "operational-attribute",
-    "DSA Operational Attributes",
-#endif /* DEBUG */
-    { "\x55\x0c", 2 }
-  },
-  {
-#ifdef DEBUG
-    "matching-rule",
-    "Matching Rule",
-#endif /* DEBUG */
-    { "\x55\x0d", 2 }
-  },
-  {
-#ifdef DEBUG
-    "knowledge-matching-rule",
-    "X.500 knowledge Matching Rules",
-#endif /* DEBUG */
-    { "\x55\x0e", 2 }
-  },
-  {
-#ifdef DEBUG
-    "name-form",
-    "X.500 name forms",
-#endif /* DEBUG */
-    { "\x55\x0f", 2 }
-  },
-  {
-#ifdef DEBUG
-    "group",
-    "X.500 groups",
-#endif /* DEBUG */
-    { "\x55\x10", 2 }
-  },
-  {
-#ifdef DEBUG
-    "subentry",
-    "X.500 subentry",
-#endif /* DEBUG */
-    { "\x55\x11", 2 }
-  },
-  {
-#ifdef DEBUG
-    "operational-attribute-type",
-    "X.500 operational attribute type",
-#endif /* DEBUG */
-    { "\x55\x12", 2 }
-  },
-  {
-#ifdef DEBUG
-    "operational-binding",
-    "X.500 operational binding",
-#endif /* DEBUG */
-    { "\x55\x13", 2 }
-  },
-  {
-#ifdef DEBUG
-    "schema-object-class",
-    "X.500 schema Object class",
-#endif /* DEBUG */
-    { "\x55\x14", 2 }
-  },
-  {
-#ifdef DEBUG
-    "schema-operational-attribute",
-    "X.500 schema operational attributes",
-#endif /* DEBUG */
-    { "\x55\x15", 2 }
-  },
-  {
-#ifdef DEBUG
-    "administrative-role",
-    "X.500 administrative roles",
-#endif /* DEBUG */
-    { "\x55\x17", 2 }
-  },
-  {
-#ifdef DEBUG
-    "access-control-attribute",
-    "X.500 access control attribute",
-#endif /* DEBUG */
-    { "\x55\x18", 2 }
-  },
-  {
-#ifdef DEBUG
-    "ros",
-    "X.500 ros object",
-#endif /* DEBUG */
-    { "\x55\x19", 2 }
-  },
-  {
-#ifdef DEBUG
-    "contract",
-    "X.500 contract",
-#endif /* DEBUG */
-    { "\x55\x1a", 2 }
-  },
-  {
-#ifdef DEBUG
-    "package",
-    "X.500 package",
-#endif /* DEBUG */
-    { "\x55\x1b", 2 }
-  },
-  {
-#ifdef DEBUG
-    "access-control-schema",
-    "X.500 access control schema",
-#endif /* DEBUG */
-    { "\x55\x1c", 2 }
-  },
-  {
-#ifdef DEBUG
-    "id-ce",
-    "X.500 Certificate Extension",
-#endif /* DEBUG */
-    { "\x55\x1d", 2 }
-  },
-  {
-#ifdef DEBUG
-    "subject-directory-attributes",
-    "Certificate Subject Directory Attributes",
-#endif /* DEBUG */
-    { "\x55\x1d\x05", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-ce-subjectDirectoryAttributes",
-    "Certificate Subject Directory Attributes",
-#endif /* DEBUG */
-    { "\x55\x1d\x09", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-ce-subjectKeyIdentifier",
-    "Certificate Subject Key ID",
-#endif /* DEBUG */
-    { "\x55\x1d\x0e", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-ce-keyUsage",
-    "Certificate Key Usage",
-#endif /* DEBUG */
-    { "\x55\x1d\x0f", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-ce-privateKeyUsagePeriod",
-    "Certificate Private Key Usage Period",
-#endif /* DEBUG */
-    { "\x55\x1d\x10", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-ce-subjectAltName",
-    "Certificate Subject Alternate Name",
-#endif /* DEBUG */
-    { "\x55\x1d\x11", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-ce-issuerAltName",
-    "Certificate Issuer Alternate Name",
-#endif /* DEBUG */
-    { "\x55\x1d\x12", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-ce-basicConstraints",
-    "Certificate Basic Constraints",
-#endif /* DEBUG */
-    { "\x55\x1d\x13", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-ce-cRLNumber",
-    "CRL Number",
-#endif /* DEBUG */
-    { "\x55\x1d\x14", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-ce-cRLReasons",
-    "CRL Reason Code",
-#endif /* DEBUG */
-    { "\x55\x1d\x15", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-ce-holdInstructionCode",
-    "Hold Instruction Code",
-#endif /* DEBUG */
-    { "\x55\x1d\x17", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-ce-invalidityDate",
-    "Invalidity Date",
-#endif /* DEBUG */
-    { "\x55\x1d\x18", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-ce-deltaCRLIndicator",
-    "Delta CRL Indicator",
-#endif /* DEBUG */
-    { "\x55\x1d\x1b", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-ce-issuingDistributionPoint",
-    "Issuing Distribution Point",
-#endif /* DEBUG */
-    { "\x55\x1d\x1c", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-ce-certificateIssuer",
-    "Certificate Issuer",
-#endif /* DEBUG */
-    { "\x55\x1d\x1d", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-ce-nameConstraints",
-    "Certificate Name Constraints",
-#endif /* DEBUG */
-    { "\x55\x1d\x1e", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-ce-cRLDistributionPoints",
-    "CRL Distribution Points",
-#endif /* DEBUG */
-    { "\x55\x1d\x1f", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-ce-certificatePolicies",
-    "Certificate Policies",
-#endif /* DEBUG */
-    { "\x55\x1d\x20", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-ce-policyMappings",
-    "Certificate Policy Mappings",
-#endif /* DEBUG */
-    { "\x55\x1d\x21", 3 }
-  },
-  {
-#ifdef DEBUG
-    "policy-constraints",
-    "Certificate Policy Constraints (old)",
-#endif /* DEBUG */
-    { "\x55\x1d\x22", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-ce-authorityKeyIdentifier",
-    "Certificate Authority Key Identifier",
-#endif /* DEBUG */
-    { "\x55\x1d\x23", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-ce-policyConstraints",
-    "Certificate Policy Constraints",
-#endif /* DEBUG */
-    { "\x55\x1d\x24", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-ce-extKeyUsage",
-    "Extended Key Usage",
-#endif /* DEBUG */
-    { "\x55\x1d\x25", 3 }
-  },
-  {
-#ifdef DEBUG
-    "id-mgt",
-    "X.500 Management Object",
-#endif /* DEBUG */
-    { "\x55\x1e", 2 }
-  },
-  {
-#ifdef DEBUG
-    "x400",
-    "X.400 MHS",
-#endif /* DEBUG */
-    { "\x56", 1 }
-  },
-  {
-#ifdef DEBUG
-    "ccr",
-    "Committment, Concurrency and Recovery",
-#endif /* DEBUG */
-    { "\x57", 1 }
-  },
-  {
-#ifdef DEBUG
-    "oda",
-    "Office Document Architecture",
-#endif /* DEBUG */
-    { "\x58", 1 }
-  },
-  {
-#ifdef DEBUG
-    "osi-management",
-    "OSI management",
-#endif /* DEBUG */
-    { "\x59", 1 }
-  },
-  {
-#ifdef DEBUG
-    "tp",
-    "Transaction Processing",
-#endif /* DEBUG */
-    { "\x5a", 1 }
-  },
-  {
-#ifdef DEBUG
-    "dor",
-    "Distinguished Object Reference",
-#endif /* DEBUG */
-    { "\x5b", 1 }
-  },
-  {
-#ifdef DEBUG
-    "rdt",
-    "Referenced Data Transfer",
-#endif /* DEBUG */
-    { "\x5c", 1 }
-  },
-  {
-#ifdef DEBUG
-    "nlm",
-    "Network Layer Management",
-#endif /* DEBUG */
-    { "\x5d", 1 }
-  },
-  {
-#ifdef DEBUG
-    "tlm",
-    "Transport Layer Management",
-#endif /* DEBUG */
-    { "\x5e", 1 }
-  },
-  {
-#ifdef DEBUG
-    "llm",
-    "Link Layer Management",
-#endif /* DEBUG */
-    { "\x5f", 1 }
-  },
-  {
-#ifdef DEBUG
-    "country",
-    "Country Assignments",
-#endif /* DEBUG */
-    { "\x60", 1 }
-  },
-  {
-#ifdef DEBUG
-    "canada",
-    "Canada",
-#endif /* DEBUG */
-    { "\x60\x7c", 2 }
-  },
-  {
-#ifdef DEBUG
-    "taiwan",
-    "Taiwan",
-#endif /* DEBUG */
-    { "\x60\x81\x1e", 3 }
-  },
-  {
-#ifdef DEBUG
-    "norway",
-    "Norway",
-#endif /* DEBUG */
-    { "\x60\x84\x42", 3 }
-  },
-  {
-#ifdef DEBUG
-    "switzerland",
-    "Switzerland",
-#endif /* DEBUG */
-    { "\x60\x85\x74", 3 }
-  },
-  {
-#ifdef DEBUG
-    "us",
-    "United States",
-#endif /* DEBUG */
-    { "\x60\x86\x48", 3 }
-  },
-  {
-#ifdef DEBUG
-    "us-company",
-    "United States Company",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01", 4 }
-  },
-  {
-#ifdef DEBUG
-    "us-government",
-    "United States Government (1.101)",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x65", 5 }
-  },
-  {
-#ifdef DEBUG
-    "us-dod",
-    "United States Department of Defense",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x65\x02", 6 }
-  },
-  {
-#ifdef DEBUG
-    "id-infosec",
-    "US DOD Infosec",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x65\x02\x01", 7 }
-  },
-  {
-#ifdef DEBUG
-    "id-modules",
-    "US DOD Infosec modules",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x65\x02\x01\x00", 8 }
-  },
-  {
-#ifdef DEBUG
-    "id-algorithms",
-    "US DOD Infosec algorithms (MISSI)",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x65\x02\x01\x01", 8 }
-  },
-  {
-#ifdef DEBUG
-    "old-dss",
-    "MISSI DSS Algorithm (Old)",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x65\x02\x01\x01\x02", 9 }
-  },
-  {
-#ifdef DEBUG
-    "skipjack-cbc-64",
-    "Skipjack CBC64",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x65\x02\x01\x01\x04", 9 }
-  },
-  {
-#ifdef DEBUG
-    "kea",
-    "MISSI KEA Algorithm",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x65\x02\x01\x01\x0a", 9 }
-  },
-  {
-#ifdef DEBUG
-    "old-kea-dss",
-    "MISSI KEA and DSS Algorithm (Old)",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x65\x02\x01\x01\x0c", 9 }
-  },
-  {
-#ifdef DEBUG
-    "dss",
-    "MISSI DSS Algorithm",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x65\x02\x01\x01\x13", 9 }
-  },
-  {
-#ifdef DEBUG
-    "kea-dss",
-    "MISSI KEA and DSS Algorithm",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x65\x02\x01\x01\x14", 9 }
-  },
-  {
-#ifdef DEBUG
-    "alt-kea",
-    "MISSI Alternate KEA Algorithm",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x65\x02\x01\x01\x16", 9 }
-  },
-  {
-#ifdef DEBUG
-    "id-formats",
-    "US DOD Infosec formats",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x65\x02\x01\x02", 8 }
-  },
-  {
-#ifdef DEBUG
-    "id-policy",
-    "US DOD Infosec policy",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x65\x02\x01\x03", 8 }
-  },
-  {
-#ifdef DEBUG
-    "id-object-classes",
-    "US DOD Infosec object classes",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x65\x02\x01\x04", 8 }
-  },
-  {
-#ifdef DEBUG
-    "id-attributes",
-    "US DOD Infosec attributes",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x65\x02\x01\x05", 8 }
-  },
-  {
-#ifdef DEBUG
-    "id-attribute-syntax",
-    "US DOD Infosec attribute syntax",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x65\x02\x01\x06", 8 }
-  },
-  {
-#ifdef DEBUG
-    "netscape",
-    "Netscape Communications Corp.",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42", 7 }
-  },
-  {
-#ifdef DEBUG
-    "cert-ext",
-    "Netscape Cert Extensions",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x01", 8 }
-  },
-  {
-#ifdef DEBUG
-    "cert-type",
-    "Certificate Type",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x01", 9 }
-  },
-  {
-#ifdef DEBUG
-    "base-url",
-    "Certificate Extension Base URL",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x02", 9 }
-  },
-  {
-#ifdef DEBUG
-    "revocation-url",
-    "Certificate Revocation URL",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x03", 9 }
-  },
-  {
-#ifdef DEBUG
-    "ca-revocation-url",
-    "Certificate Authority Revocation URL",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x04", 9 }
-  },
-  {
-#ifdef DEBUG
-    "ca-crl-download-url",
-    "Certificate Authority CRL Download URL",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x05", 9 }
-  },
-  {
-#ifdef DEBUG
-    "ca-cert-url",
-    "Certificate Authority Certificate Download URL",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x06", 9 }
-  },
-  {
-#ifdef DEBUG
-    "renewal-url",
-    "Certificate Renewal URL",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x07", 9 }
-  },
-  {
-#ifdef DEBUG
-    "ca-policy-url",
-    "Certificate Authority Policy URL",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x08", 9 }
-  },
-  {
-#ifdef DEBUG
-    "homepage-url",
-    "Certificate Homepage URL",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x09", 9 }
-  },
-  {
-#ifdef DEBUG
-    "entity-logo",
-    "Certificate Entity Logo",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x0a", 9 }
-  },
-  {
-#ifdef DEBUG
-    "user-picture",
-    "Certificate User Picture",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x0b", 9 }
-  },
-  {
-#ifdef DEBUG
-    "ssl-server-name",
-    "Certificate SSL Server Name",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x0c", 9 }
-  },
-  {
-#ifdef DEBUG
-    "comment",
-    "Certificate Comment",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x0d", 9 }
-  },
-  {
-#ifdef DEBUG
-    "thayes",
-    "",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x0e", 9 }
-  },
-  {
-#ifdef DEBUG
-    "data-type",
-    "Netscape Data Types",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x02", 8 }
-  },
-  {
-#ifdef DEBUG
-    "gif",
-    "image/gif",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x02\x01", 9 }
-  },
-  {
-#ifdef DEBUG
-    "jpeg",
-    "image/jpeg",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x02\x02", 9 }
-  },
-  {
-#ifdef DEBUG
-    "url",
-    "URL",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x02\x03", 9 }
-  },
-  {
-#ifdef DEBUG
-    "html",
-    "text/html",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x02\x04", 9 }
-  },
-  {
-#ifdef DEBUG
-    "cert-sequence",
-    "Certificate Sequence",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x02\x05", 9 }
-  },
-  {
-#ifdef DEBUG
-    "directory",
-    "Netscape Directory",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x03", 8 }
-  },
-  {
-#ifdef DEBUG
-    "policy",
-    "Netscape Policy Type OIDs",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x04", 8 }
-  },
-  {
-#ifdef DEBUG
-    "export-approved",
-    "Strong Crypto Export Approved",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x04\x01", 9 }
-  },
-  {
-#ifdef DEBUG
-    "cert-server",
-    "Netscape Certificate Server",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x05", 8 }
-  },
-  {
-#ifdef DEBUG
-    "",
-    "",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x05\x01", 9 }
-  },
-  {
-#ifdef DEBUG
-    "recovery-request",
-    "Netscape Cert Server Recovery Request",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x05\x01\x01", 10 }
-  },
-  {
-#ifdef DEBUG
-    "algs",
-    "Netscape algorithm OIDs",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x06", 8 }
-  },
-  {
-#ifdef DEBUG
-    "smime-kea",
-    "Netscape S/MIME KEA",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x06\x01", 9 }
-  },
-  {
-#ifdef DEBUG
-    "name-components",
-    "Netscape Name Components",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x07", 8 }
-  },
-  {
-#ifdef DEBUG
-    "nickname",
-    "Netscape Nickname",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x42\x07\x01", 9 }
-  },
-  {
-#ifdef DEBUG
-    "verisign",
-    "Verisign",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x45", 7 }
-  },
-  {
-#ifdef DEBUG
-    "",
-    "",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x45\x01", 8 }
-  },
-  {
-#ifdef DEBUG
-    "",
-    "",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x45\x01\x07", 9 }
-  },
-  {
-#ifdef DEBUG
-    "",
-    "",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x45\x01\x07\x01", 10 }
-  },
-  {
-#ifdef DEBUG
-    "verisign-user-notices",
-    "Verisign User Notices",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x01\x86\xf8\x45\x01\x07\x01\x01", 11 }
-  },
-  {
-#ifdef DEBUG
-    "us-government",
-    "US Government (101)",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x65", 4 }
-  },
-  {
-#ifdef DEBUG
-    "us-government2",
-    "US Government (102)",
-#endif /* DEBUG */
-    { "\x60\x86\x48\x66", 4 }
-  },
-  {
-#ifdef DEBUG
-    "old-netscape",
-    "Netscape Communications Corp. (Old)",
-#endif /* DEBUG */
-    { "\x60\x86\x48\xd8\x6a", 5 }
-  },
-  {
-#ifdef DEBUG
-    "ns-cert-ext",
-    "Netscape Cert Extensions (Old NS)",
-#endif /* DEBUG */
-    { "\x60\x86\x48\xd8\x6a\x01", 6 }
-  },
-  {
-#ifdef DEBUG
-    "netscape-ok",
-    "Netscape says this cert is ok (Old NS)",
-#endif /* DEBUG */
-    { "\x60\x86\x48\xd8\x6a\x01\x01", 7 }
-  },
-  {
-#ifdef DEBUG
-    "issuer-logo",
-    "Certificate Issuer Logo (Old NS)",
-#endif /* DEBUG */
-    { "\x60\x86\x48\xd8\x6a\x01\x02", 7 }
-  },
-  {
-#ifdef DEBUG
-    "subject-logo",
-    "Certificate Subject Logo (Old NS)",
-#endif /* DEBUG */
-    { "\x60\x86\x48\xd8\x6a\x01\x03", 7 }
-  },
-  {
-#ifdef DEBUG
-    "ns-file-type",
-    "Netscape File Type",
-#endif /* DEBUG */
-    { "\x60\x86\x48\xd8\x6a\x02", 6 }
-  },
-  {
-#ifdef DEBUG
-    "ns-image-type",
-    "Netscape Image Type",
-#endif /* DEBUG */
-    { "\x60\x86\x48\xd8\x6a\x03", 6 }
-  },
-  {
-#ifdef DEBUG
-    "registration-procedures",
-    "Registration procedures",
-#endif /* DEBUG */
-    { "\x61", 1 }
-  },
-  {
-#ifdef DEBUG
-    "physical-layer-management",
-    "Physical layer Management",
-#endif /* DEBUG */
-    { "\x62", 1 }
-  },
-  {
-#ifdef DEBUG
-    "mheg",
-    "MHEG",
-#endif /* DEBUG */
-    { "\x63", 1 }
-  },
-  {
-#ifdef DEBUG
-    "guls",
-    "Generic Upper Layer Security",
-#endif /* DEBUG */
-    { "\x64", 1 }
-  },
-  {
-#ifdef DEBUG
-    "tls",
-    "Transport Layer Security Protocol",
-#endif /* DEBUG */
-    { "\x65", 1 }
-  },
-  {
-#ifdef DEBUG
-    "nls",
-    "Network Layer Security Protocol",
-#endif /* DEBUG */
-    { "\x66", 1 }
-  },
-  {
-#ifdef DEBUG
-    "organization",
-    "International organizations",
-#endif /* DEBUG */
-    { "\x67", 1 }
-  }
-};
-
-const PRUint32 nss_builtin_oid_count = 379;
-
-const NSSOID *NSS_OID_RFC1274_UID = (NSSOID *)&nss_builtin_oids[11];
-const NSSOID *NSS_OID_RFC1274_EMAIL = (NSSOID *)&nss_builtin_oids[12];
-const NSSOID *NSS_OID_RFC2247_DC = (NSSOID *)&nss_builtin_oids[13];
-const NSSOID *NSS_OID_ANSIX9_DSA_SIGNATURE = (NSSOID *)&nss_builtin_oids[43];
-const NSSOID *NSS_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST = (NSSOID *)&nss_builtin_oids[44];
-const NSSOID *NSS_OID_X942_DIFFIE_HELMAN_KEY = (NSSOID *)&nss_builtin_oids[47];
-const NSSOID *NSS_OID_PKCS1_RSA_ENCRYPTION = (NSSOID *)&nss_builtin_oids[52];
-const NSSOID *NSS_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION = (NSSOID *)&nss_builtin_oids[53];
-const NSSOID *NSS_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION = (NSSOID *)&nss_builtin_oids[54];
-const NSSOID *NSS_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION = (NSSOID *)&nss_builtin_oids[55];
-const NSSOID *NSS_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION = (NSSOID *)&nss_builtin_oids[56];
-const NSSOID *NSS_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC = (NSSOID *)&nss_builtin_oids[58];
-const NSSOID *NSS_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC = (NSSOID *)&nss_builtin_oids[59];
-const NSSOID *NSS_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC = (NSSOID *)&nss_builtin_oids[60];
-const NSSOID *NSS_OID_PKCS7 = (NSSOID *)&nss_builtin_oids[61];
-const NSSOID *NSS_OID_PKCS7_DATA = (NSSOID *)&nss_builtin_oids[62];
-const NSSOID *NSS_OID_PKCS7_SIGNED_DATA = (NSSOID *)&nss_builtin_oids[63];
-const NSSOID *NSS_OID_PKCS7_ENVELOPED_DATA = (NSSOID *)&nss_builtin_oids[64];
-const NSSOID *NSS_OID_PKCS7_SIGNED_ENVELOPED_DATA = (NSSOID *)&nss_builtin_oids[65];
-const NSSOID *NSS_OID_PKCS7_DIGESTED_DATA = (NSSOID *)&nss_builtin_oids[66];
-const NSSOID *NSS_OID_PKCS7_ENCRYPTED_DATA = (NSSOID *)&nss_builtin_oids[67];
-const NSSOID *NSS_OID_PKCS9_EMAIL_ADDRESS = (NSSOID *)&nss_builtin_oids[69];
-const NSSOID *NSS_OID_PKCS9_UNSTRUCTURED_NAME = (NSSOID *)&nss_builtin_oids[70];
-const NSSOID *NSS_OID_PKCS9_CONTENT_TYPE = (NSSOID *)&nss_builtin_oids[71];
-const NSSOID *NSS_OID_PKCS9_MESSAGE_DIGEST = (NSSOID *)&nss_builtin_oids[72];
-const NSSOID *NSS_OID_PKCS9_SIGNING_TIME = (NSSOID *)&nss_builtin_oids[73];
-const NSSOID *NSS_OID_PKCS9_COUNTER_SIGNATURE = (NSSOID *)&nss_builtin_oids[74];
-const NSSOID *NSS_OID_PKCS9_CHALLENGE_PASSWORD = (NSSOID *)&nss_builtin_oids[75];
-const NSSOID *NSS_OID_PKCS9_UNSTRUCTURED_ADDRESS = (NSSOID *)&nss_builtin_oids[76];
-const NSSOID *NSS_OID_PKCS9_EXTENDED_CERTIFICATE_ATTRIBUTES = (NSSOID *)&nss_builtin_oids[77];
-const NSSOID *NSS_OID_PKCS9_SMIME_CAPABILITIES = (NSSOID *)&nss_builtin_oids[78];
-const NSSOID *NSS_OID_PKCS9_FRIENDLY_NAME = (NSSOID *)&nss_builtin_oids[79];
-const NSSOID *NSS_OID_PKCS9_LOCAL_KEY_ID = (NSSOID *)&nss_builtin_oids[80];
-const NSSOID *NSS_OID_PKCS9_X509_CERT = (NSSOID *)&nss_builtin_oids[82];
-const NSSOID *NSS_OID_PKCS9_SDSI_CERT = (NSSOID *)&nss_builtin_oids[83];
-const NSSOID *NSS_OID_PKCS9_X509_CRL = (NSSOID *)&nss_builtin_oids[85];
-const NSSOID *NSS_OID_PKCS12 = (NSSOID *)&nss_builtin_oids[86];
-const NSSOID *NSS_OID_PKCS12_PBE_IDS = (NSSOID *)&nss_builtin_oids[87];
-const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4 = (NSSOID *)&nss_builtin_oids[88];
-const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4 = (NSSOID *)&nss_builtin_oids[89];
-const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_3_KEY_TRIPLE_DES_CBC = (NSSOID *)&nss_builtin_oids[90];
-const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_2_KEY_TRIPLE_DES_CBC = (NSSOID *)&nss_builtin_oids[91];
-const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC = (NSSOID *)&nss_builtin_oids[92];
-const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC = (NSSOID *)&nss_builtin_oids[93];
-const NSSOID *NSS_OID_PKCS12_KEY_BAG = (NSSOID *)&nss_builtin_oids[120];
-const NSSOID *NSS_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG = (NSSOID *)&nss_builtin_oids[121];
-const NSSOID *NSS_OID_PKCS12_CERT_BAG = (NSSOID *)&nss_builtin_oids[122];
-const NSSOID *NSS_OID_PKCS12_CRL_BAG = (NSSOID *)&nss_builtin_oids[123];
-const NSSOID *NSS_OID_PKCS12_SECRET_BAG = (NSSOID *)&nss_builtin_oids[124];
-const NSSOID *NSS_OID_PKCS12_SAFE_CONTENTS_BAG = (NSSOID *)&nss_builtin_oids[125];
-const NSSOID *NSS_OID_MD2 = (NSSOID *)&nss_builtin_oids[127];
-const NSSOID *NSS_OID_MD4 = (NSSOID *)&nss_builtin_oids[128];
-const NSSOID *NSS_OID_MD5 = (NSSOID *)&nss_builtin_oids[129];
-const NSSOID *NSS_OID_RC2_CBC = (NSSOID *)&nss_builtin_oids[131];
-const NSSOID *NSS_OID_RC4 = (NSSOID *)&nss_builtin_oids[132];
-const NSSOID *NSS_OID_DES_EDE3_CBC = (NSSOID *)&nss_builtin_oids[133];
-const NSSOID *NSS_OID_RC5_CBC_PAD = (NSSOID *)&nss_builtin_oids[134];
-const NSSOID *NSS_OID_X509_AUTH_INFO_ACCESS = (NSSOID *)&nss_builtin_oids[154];
-const NSSOID *NSS_OID_PKIX_CPS_POINTER_QUALIFIER = (NSSOID *)&nss_builtin_oids[156];
-const NSSOID *NSS_OID_PKIX_USER_NOTICE_QUALIFIER = (NSSOID *)&nss_builtin_oids[157];
-const NSSOID *NSS_OID_EXT_KEY_USAGE_SERVER_AUTH = (NSSOID *)&nss_builtin_oids[159];
-const NSSOID *NSS_OID_EXT_KEY_USAGE_CLIENT_AUTH = (NSSOID *)&nss_builtin_oids[160];
-const NSSOID *NSS_OID_EXT_KEY_USAGE_CODE_SIGN = (NSSOID *)&nss_builtin_oids[161];
-const NSSOID *NSS_OID_EXT_KEY_USAGE_EMAIL_PROTECTION = (NSSOID *)&nss_builtin_oids[162];
-const NSSOID *NSS_OID_EXT_KEY_USAGE_IPSEC_END_SYSTEM = (NSSOID *)&nss_builtin_oids[163];
-const NSSOID *NSS_OID_EXT_KEY_USAGE_IPSEC_TUNNEL = (NSSOID *)&nss_builtin_oids[164];
-const NSSOID *NSS_OID_EXT_KEY_USAGE_IPSEC_USER = (NSSOID *)&nss_builtin_oids[165];
-const NSSOID *NSS_OID_EXT_KEY_USAGE_TIME_STAMP = (NSSOID *)&nss_builtin_oids[166];
-const NSSOID *NSS_OID_OCSP_RESPONDER = (NSSOID *)&nss_builtin_oids[167];
-const NSSOID *NSS_OID_PKIX_REGCTRL_REGTOKEN = (NSSOID *)&nss_builtin_oids[171];
-const NSSOID *NSS_OID_PKIX_REGCTRL_AUTHENTICATOR = (NSSOID *)&nss_builtin_oids[172];
-const NSSOID *NSS_OID_PKIX_REGCTRL_PKIPUBINFO = (NSSOID *)&nss_builtin_oids[173];
-const NSSOID *NSS_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS = (NSSOID *)&nss_builtin_oids[174];
-const NSSOID *NSS_OID_PKIX_REGCTRL_OLD_CERT_ID = (NSSOID *)&nss_builtin_oids[175];
-const NSSOID *NSS_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY = (NSSOID *)&nss_builtin_oids[176];
-const NSSOID *NSS_OID_PKIX_REGINFO_UTF8_PAIRS = (NSSOID *)&nss_builtin_oids[178];
-const NSSOID *NSS_OID_PKIX_REGINFO_CERT_REQUEST = (NSSOID *)&nss_builtin_oids[179];
-const NSSOID *NSS_OID_OID_PKIX_OCSP = (NSSOID *)&nss_builtin_oids[181];
-const NSSOID *NSS_OID_PKIX_OCSP_BASIC_RESPONSE = (NSSOID *)&nss_builtin_oids[182];
-const NSSOID *NSS_OID_PKIX_OCSP_NONCE = (NSSOID *)&nss_builtin_oids[183];
-const NSSOID *NSS_OID_PKIX_OCSP_RESPONSE = (NSSOID *)&nss_builtin_oids[184];
-const NSSOID *NSS_OID_PKIX_OCSP_CRL = (NSSOID *)&nss_builtin_oids[185];
-const NSSOID *NSS_OID_X509_OCSP_NO_CHECK = (NSSOID *)&nss_builtin_oids[186];
-const NSSOID *NSS_OID_PKIX_OCSP_ARCHIVE_CUTOFF = (NSSOID *)&nss_builtin_oids[187];
-const NSSOID *NSS_OID_PKIX_OCSP_SERVICE_LOCATOR = (NSSOID *)&nss_builtin_oids[188];
-const NSSOID *NSS_OID_DES_ECB = (NSSOID *)&nss_builtin_oids[198];
-const NSSOID *NSS_OID_DES_CBC = (NSSOID *)&nss_builtin_oids[199];
-const NSSOID *NSS_OID_DES_OFB = (NSSOID *)&nss_builtin_oids[200];
-const NSSOID *NSS_OID_DES_CFB = (NSSOID *)&nss_builtin_oids[201];
-const NSSOID *NSS_OID_DES_MAC = (NSSOID *)&nss_builtin_oids[202];
-const NSSOID *NSS_OID_ISO_SHA_WITH_RSA_SIGNATURE = (NSSOID *)&nss_builtin_oids[203];
-const NSSOID *NSS_OID_DES_EDE = (NSSOID *)&nss_builtin_oids[204];
-const NSSOID *NSS_OID_SHA1 = (NSSOID *)&nss_builtin_oids[205];
-const NSSOID *NSS_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST = (NSSOID *)&nss_builtin_oids[206];
-const NSSOID *NSS_OID_X520_COMMON_NAME = (NSSOID *)&nss_builtin_oids[231];
-const NSSOID *NSS_OID_X520_SURNAME = (NSSOID *)&nss_builtin_oids[232];
-const NSSOID *NSS_OID_X520_COUNTRY_NAME = (NSSOID *)&nss_builtin_oids[233];
-const NSSOID *NSS_OID_X520_LOCALITY_NAME = (NSSOID *)&nss_builtin_oids[234];
-const NSSOID *NSS_OID_X520_STATE_OR_PROVINCE_NAME = (NSSOID *)&nss_builtin_oids[235];
-const NSSOID *NSS_OID_X520_ORGANIZATION_NAME = (NSSOID *)&nss_builtin_oids[236];
-const NSSOID *NSS_OID_X520_ORGANIZATIONAL_UNIT_NAME = (NSSOID *)&nss_builtin_oids[237];
-const NSSOID *NSS_OID_X520_TITLE = (NSSOID *)&nss_builtin_oids[238];
-const NSSOID *NSS_OID_X520_NAME = (NSSOID *)&nss_builtin_oids[239];
-const NSSOID *NSS_OID_X520_GIVEN_NAME = (NSSOID *)&nss_builtin_oids[240];
-const NSSOID *NSS_OID_X520_INITIALS = (NSSOID *)&nss_builtin_oids[241];
-const NSSOID *NSS_OID_X520_GENERATION_QUALIFIER = (NSSOID *)&nss_builtin_oids[242];
-const NSSOID *NSS_OID_X520_DN_QUALIFIER = (NSSOID *)&nss_builtin_oids[243];
-const NSSOID *NSS_OID_X500_RSA_ENCRYPTION = (NSSOID *)&nss_builtin_oids[249];
-const NSSOID *NSS_OID_X509_SUBJECT_DIRECTORY_ATTR = (NSSOID *)&nss_builtin_oids[268];
-const NSSOID *NSS_OID_X509_SUBJECT_DIRECTORY_ATTRIBUTES = (NSSOID *)&nss_builtin_oids[269];
-const NSSOID *NSS_OID_X509_SUBJECT_KEY_ID = (NSSOID *)&nss_builtin_oids[270];
-const NSSOID *NSS_OID_X509_KEY_USAGE = (NSSOID *)&nss_builtin_oids[271];
-const NSSOID *NSS_OID_X509_PRIVATE_KEY_USAGE_PERIOD = (NSSOID *)&nss_builtin_oids[272];
-const NSSOID *NSS_OID_X509_SUBJECT_ALT_NAME = (NSSOID *)&nss_builtin_oids[273];
-const NSSOID *NSS_OID_X509_ISSUER_ALT_NAME = (NSSOID *)&nss_builtin_oids[274];
-const NSSOID *NSS_OID_X509_BASIC_CONSTRAINTS = (NSSOID *)&nss_builtin_oids[275];
-const NSSOID *NSS_OID_X509_CRL_NUMBER = (NSSOID *)&nss_builtin_oids[276];
-const NSSOID *NSS_OID_X509_REASON_CODE = (NSSOID *)&nss_builtin_oids[277];
-const NSSOID *NSS_OID_X509_HOLD_INSTRUCTION_CODE = (NSSOID *)&nss_builtin_oids[278];
-const NSSOID *NSS_OID_X509_INVALID_DATE = (NSSOID *)&nss_builtin_oids[279];
-const NSSOID *NSS_OID_X509_DELTA_CRL_INDICATOR = (NSSOID *)&nss_builtin_oids[280];
-const NSSOID *NSS_OID_X509_ISSUING_DISTRIBUTION_POINT = (NSSOID *)&nss_builtin_oids[281];
-const NSSOID *NSS_OID_X509_CERTIFICATE_ISSUER = (NSSOID *)&nss_builtin_oids[282];
-const NSSOID *NSS_OID_X509_NAME_CONSTRAINTS = (NSSOID *)&nss_builtin_oids[283];
-const NSSOID *NSS_OID_X509_CRL_DIST_POINTS = (NSSOID *)&nss_builtin_oids[284];
-const NSSOID *NSS_OID_X509_CERTIFICATE_POLICIES = (NSSOID *)&nss_builtin_oids[285];
-const NSSOID *NSS_OID_X509_POLICY_MAPPINGS = (NSSOID *)&nss_builtin_oids[286];
-const NSSOID *NSS_OID_X509_AUTH_KEY_ID = (NSSOID *)&nss_builtin_oids[288];
-const NSSOID *NSS_OID_X509_POLICY_CONSTRAINTS = (NSSOID *)&nss_builtin_oids[289];
-const NSSOID *NSS_OID_X509_EXT_KEY_USAGE = (NSSOID *)&nss_builtin_oids[290];
-const NSSOID *NSS_OID_MISSI_DSS_OLD = (NSSOID *)&nss_builtin_oids[314];
-const NSSOID *NSS_OID_FORTEZZA_SKIPJACK = (NSSOID *)&nss_builtin_oids[315];
-const NSSOID *NSS_OID_MISSI_KEA = (NSSOID *)&nss_builtin_oids[316];
-const NSSOID *NSS_OID_MISSI_KEA_DSS_OLD = (NSSOID *)&nss_builtin_oids[317];
-const NSSOID *NSS_OID_MISSI_DSS = (NSSOID *)&nss_builtin_oids[318];
-const NSSOID *NSS_OID_MISSI_KEA_DSS = (NSSOID *)&nss_builtin_oids[319];
-const NSSOID *NSS_OID_MISSI_ALT_KEY = (NSSOID *)&nss_builtin_oids[320];
-const NSSOID *NSS_OID_NS_CERT_EXT_CERT_TYPE = (NSSOID *)&nss_builtin_oids[328];
-const NSSOID *NSS_OID_NS_CERT_EXT_BASE_URL = (NSSOID *)&nss_builtin_oids[329];
-const NSSOID *NSS_OID_NS_CERT_EXT_REVOCATION_URL = (NSSOID *)&nss_builtin_oids[330];
-const NSSOID *NSS_OID_NS_CERT_EXT_CA_REVOCATION_URL = (NSSOID *)&nss_builtin_oids[331];
-const NSSOID *NSS_OID_NS_CERT_EXT_CA_CRL_URL = (NSSOID *)&nss_builtin_oids[332];
-const NSSOID *NSS_OID_NS_CERT_EXT_CA_CERT_URL = (NSSOID *)&nss_builtin_oids[333];
-const NSSOID *NSS_OID_NS_CERT_EXT_CERT_RENEWAL_URL = (NSSOID *)&nss_builtin_oids[334];
-const NSSOID *NSS_OID_NS_CERT_EXT_CA_POLICY_URL = (NSSOID *)&nss_builtin_oids[335];
-const NSSOID *NSS_OID_NS_CERT_EXT_HOMEPAGE_URL = (NSSOID *)&nss_builtin_oids[336];
-const NSSOID *NSS_OID_NS_CERT_EXT_ENTITY_LOGO = (NSSOID *)&nss_builtin_oids[337];
-const NSSOID *NSS_OID_NS_CERT_EXT_USER_PICTURE = (NSSOID *)&nss_builtin_oids[338];
-const NSSOID *NSS_OID_NS_CERT_EXT_SSL_SERVER_NAME = (NSSOID *)&nss_builtin_oids[339];
-const NSSOID *NSS_OID_NS_CERT_EXT_COMMENT = (NSSOID *)&nss_builtin_oids[340];
-const NSSOID *NSS_OID_NS_CERT_EXT_THAYES = (NSSOID *)&nss_builtin_oids[341];
-const NSSOID *NSS_OID_NS_TYPE_GIF = (NSSOID *)&nss_builtin_oids[343];
-const NSSOID *NSS_OID_NS_TYPE_JPEG = (NSSOID *)&nss_builtin_oids[344];
-const NSSOID *NSS_OID_NS_TYPE_URL = (NSSOID *)&nss_builtin_oids[345];
-const NSSOID *NSS_OID_NS_TYPE_HTML = (NSSOID *)&nss_builtin_oids[346];
-const NSSOID *NSS_OID_NS_TYPE_CERT_SEQUENCE = (NSSOID *)&nss_builtin_oids[347];
-const NSSOID *NSS_OID_NS_KEY_USAGE_GOVT_APPROVED = (NSSOID *)&nss_builtin_oids[350];
-const NSSOID *NSS_OID_NETSCAPE_RECOVERY_REQUEST = (NSSOID *)&nss_builtin_oids[353];
-const NSSOID *NSS_OID_NETSCAPE_SMIME_KEA = (NSSOID *)&nss_builtin_oids[355];
-const NSSOID *NSS_OID_NETSCAPE_NICKNAME = (NSSOID *)&nss_builtin_oids[357];
-const NSSOID *NSS_OID_VERISIGN_USER_NOTICES = (NSSOID *)&nss_builtin_oids[362];
-const NSSOID *NSS_OID_NS_CERT_EXT_NETSCAPE_OK = (NSSOID *)&nss_builtin_oids[367];
-const NSSOID *NSS_OID_NS_CERT_EXT_ISSUER_LOGO = (NSSOID *)&nss_builtin_oids[368];
-const NSSOID *NSS_OID_NS_CERT_EXT_SUBJECT_LOGO = (NSSOID *)&nss_builtin_oids[369];
-
-const nssAttributeTypeAliasTable nss_attribute_type_aliases[] = {
-  {
-    "uid",
-    &NSS_OID_RFC1274_UID
-  },
-  {
-    "mail",
-    &NSS_OID_RFC1274_EMAIL
-  },
-  {
-    "dc",
-    &NSS_OID_RFC2247_DC
-  },
-  {
-    "cn",
-    &NSS_OID_X520_COMMON_NAME
-  },
-  {
-    "sn",
-    &NSS_OID_X520_SURNAME
-  },
-  {
-    "c",
-    &NSS_OID_X520_COUNTRY_NAME
-  },
-  {
-    "l",
-    &NSS_OID_X520_LOCALITY_NAME
-  },
-  {
-    "s",
-    &NSS_OID_X520_STATE_OR_PROVINCE_NAME
-  },
-  {
-    "o",
-    &NSS_OID_X520_ORGANIZATION_NAME
-  },
-  {
-    "ou",
-    &NSS_OID_X520_ORGANIZATIONAL_UNIT_NAME
-  },
-  {
-    "title",
-    &NSS_OID_X520_TITLE
-  },
-  {
-    "name",
-    &NSS_OID_X520_NAME
-  },
-  {
-    "givenName",
-    &NSS_OID_X520_GIVEN_NAME
-  },
-  {
-    "initials",
-    &NSS_OID_X520_INITIALS
-  },
-  {
-    "generationQualifier",
-    &NSS_OID_X520_GENERATION_QUALIFIER
-  },
-  {
-    "dnQualifier",
-    &NSS_OID_X520_DN_QUALIFIER
-  }
-};
-
-const PRUint32 nss_attribute_type_alias_count = 16;
-
diff --git a/security/nss/lib/pki1/oiddata.h b/security/nss/lib/pki1/oiddata.h
deleted file mode 100644
index bb48bdfa3..000000000
--- a/security/nss/lib/pki1/oiddata.h
+++ /dev/null
@@ -1,214 +0,0 @@
-/* THIS IS A GENERATED FILE */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef OIDDATA_H
-#define OIDDATA_H
-
-#ifdef DEBUG
-static const char OIDDATA_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ ; @(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#ifndef NSSPKI1T_H
-#include "nsspki1t.h"
-#endif /* NSSPKI1T_H */
-
-extern const NSSOID *NSS_OID_RFC1274_UID;
-extern const NSSOID *NSS_OID_RFC1274_EMAIL;
-extern const NSSOID *NSS_OID_RFC2247_DC;
-extern const NSSOID *NSS_OID_ANSIX9_DSA_SIGNATURE;
-extern const NSSOID *NSS_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
-extern const NSSOID *NSS_OID_X942_DIFFIE_HELMAN_KEY;
-extern const NSSOID *NSS_OID_PKCS1_RSA_ENCRYPTION;
-extern const NSSOID *NSS_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION;
-extern const NSSOID *NSS_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION;
-extern const NSSOID *NSS_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;
-extern const NSSOID *NSS_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
-extern const NSSOID *NSS_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC;
-extern const NSSOID *NSS_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC;
-extern const NSSOID *NSS_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC;
-extern const NSSOID *NSS_OID_PKCS7;
-extern const NSSOID *NSS_OID_PKCS7_DATA;
-extern const NSSOID *NSS_OID_PKCS7_SIGNED_DATA;
-extern const NSSOID *NSS_OID_PKCS7_ENVELOPED_DATA;
-extern const NSSOID *NSS_OID_PKCS7_SIGNED_ENVELOPED_DATA;
-extern const NSSOID *NSS_OID_PKCS7_DIGESTED_DATA;
-extern const NSSOID *NSS_OID_PKCS7_ENCRYPTED_DATA;
-extern const NSSOID *NSS_OID_PKCS9_EMAIL_ADDRESS;
-extern const NSSOID *NSS_OID_PKCS9_UNSTRUCTURED_NAME;
-extern const NSSOID *NSS_OID_PKCS9_CONTENT_TYPE;
-extern const NSSOID *NSS_OID_PKCS9_MESSAGE_DIGEST;
-extern const NSSOID *NSS_OID_PKCS9_SIGNING_TIME;
-extern const NSSOID *NSS_OID_PKCS9_COUNTER_SIGNATURE;
-extern const NSSOID *NSS_OID_PKCS9_CHALLENGE_PASSWORD;
-extern const NSSOID *NSS_OID_PKCS9_UNSTRUCTURED_ADDRESS;
-extern const NSSOID *NSS_OID_PKCS9_EXTENDED_CERTIFICATE_ATTRIBUTES;
-extern const NSSOID *NSS_OID_PKCS9_SMIME_CAPABILITIES;
-extern const NSSOID *NSS_OID_PKCS9_FRIENDLY_NAME;
-extern const NSSOID *NSS_OID_PKCS9_LOCAL_KEY_ID;
-extern const NSSOID *NSS_OID_PKCS9_X509_CERT;
-extern const NSSOID *NSS_OID_PKCS9_SDSI_CERT;
-extern const NSSOID *NSS_OID_PKCS9_X509_CRL;
-extern const NSSOID *NSS_OID_PKCS12;
-extern const NSSOID *NSS_OID_PKCS12_PBE_IDS;
-extern const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4;
-extern const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4;
-extern const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_3_KEY_TRIPLE_DES_CBC;
-extern const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_2_KEY_TRIPLE_DES_CBC;
-extern const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC;
-extern const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC;
-extern const NSSOID *NSS_OID_PKCS12_KEY_BAG;
-extern const NSSOID *NSS_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG;
-extern const NSSOID *NSS_OID_PKCS12_CERT_BAG;
-extern const NSSOID *NSS_OID_PKCS12_CRL_BAG;
-extern const NSSOID *NSS_OID_PKCS12_SECRET_BAG;
-extern const NSSOID *NSS_OID_PKCS12_SAFE_CONTENTS_BAG;
-extern const NSSOID *NSS_OID_MD2;
-extern const NSSOID *NSS_OID_MD4;
-extern const NSSOID *NSS_OID_MD5;
-extern const NSSOID *NSS_OID_RC2_CBC;
-extern const NSSOID *NSS_OID_RC4;
-extern const NSSOID *NSS_OID_DES_EDE3_CBC;
-extern const NSSOID *NSS_OID_RC5_CBC_PAD;
-extern const NSSOID *NSS_OID_X509_AUTH_INFO_ACCESS;
-extern const NSSOID *NSS_OID_PKIX_CPS_POINTER_QUALIFIER;
-extern const NSSOID *NSS_OID_PKIX_USER_NOTICE_QUALIFIER;
-extern const NSSOID *NSS_OID_EXT_KEY_USAGE_SERVER_AUTH;
-extern const NSSOID *NSS_OID_EXT_KEY_USAGE_CLIENT_AUTH;
-extern const NSSOID *NSS_OID_EXT_KEY_USAGE_CODE_SIGN;
-extern const NSSOID *NSS_OID_EXT_KEY_USAGE_EMAIL_PROTECTION;
-extern const NSSOID *NSS_OID_EXT_KEY_USAGE_IPSEC_END_SYSTEM;
-extern const NSSOID *NSS_OID_EXT_KEY_USAGE_IPSEC_TUNNEL;
-extern const NSSOID *NSS_OID_EXT_KEY_USAGE_IPSEC_USER;
-extern const NSSOID *NSS_OID_EXT_KEY_USAGE_TIME_STAMP;
-extern const NSSOID *NSS_OID_OCSP_RESPONDER;
-extern const NSSOID *NSS_OID_PKIX_REGCTRL_REGTOKEN;
-extern const NSSOID *NSS_OID_PKIX_REGCTRL_AUTHENTICATOR;
-extern const NSSOID *NSS_OID_PKIX_REGCTRL_PKIPUBINFO;
-extern const NSSOID *NSS_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS;
-extern const NSSOID *NSS_OID_PKIX_REGCTRL_OLD_CERT_ID;
-extern const NSSOID *NSS_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY;
-extern const NSSOID *NSS_OID_PKIX_REGINFO_UTF8_PAIRS;
-extern const NSSOID *NSS_OID_PKIX_REGINFO_CERT_REQUEST;
-extern const NSSOID *NSS_OID_OID_PKIX_OCSP;
-extern const NSSOID *NSS_OID_PKIX_OCSP_BASIC_RESPONSE;
-extern const NSSOID *NSS_OID_PKIX_OCSP_NONCE;
-extern const NSSOID *NSS_OID_PKIX_OCSP_RESPONSE;
-extern const NSSOID *NSS_OID_PKIX_OCSP_CRL;
-extern const NSSOID *NSS_OID_X509_OCSP_NO_CHECK;
-extern const NSSOID *NSS_OID_PKIX_OCSP_ARCHIVE_CUTOFF;
-extern const NSSOID *NSS_OID_PKIX_OCSP_SERVICE_LOCATOR;
-extern const NSSOID *NSS_OID_DES_ECB;
-extern const NSSOID *NSS_OID_DES_CBC;
-extern const NSSOID *NSS_OID_DES_OFB;
-extern const NSSOID *NSS_OID_DES_CFB;
-extern const NSSOID *NSS_OID_DES_MAC;
-extern const NSSOID *NSS_OID_ISO_SHA_WITH_RSA_SIGNATURE;
-extern const NSSOID *NSS_OID_DES_EDE;
-extern const NSSOID *NSS_OID_SHA1;
-extern const NSSOID *NSS_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST;
-extern const NSSOID *NSS_OID_X520_COMMON_NAME;
-extern const NSSOID *NSS_OID_X520_SURNAME;
-extern const NSSOID *NSS_OID_X520_COUNTRY_NAME;
-extern const NSSOID *NSS_OID_X520_LOCALITY_NAME;
-extern const NSSOID *NSS_OID_X520_STATE_OR_PROVINCE_NAME;
-extern const NSSOID *NSS_OID_X520_ORGANIZATION_NAME;
-extern const NSSOID *NSS_OID_X520_ORGANIZATIONAL_UNIT_NAME;
-extern const NSSOID *NSS_OID_X520_TITLE;
-extern const NSSOID *NSS_OID_X520_NAME;
-extern const NSSOID *NSS_OID_X520_GIVEN_NAME;
-extern const NSSOID *NSS_OID_X520_INITIALS;
-extern const NSSOID *NSS_OID_X520_GENERATION_QUALIFIER;
-extern const NSSOID *NSS_OID_X520_DN_QUALIFIER;
-extern const NSSOID *NSS_OID_X500_RSA_ENCRYPTION;
-extern const NSSOID *NSS_OID_X509_SUBJECT_DIRECTORY_ATTR;
-extern const NSSOID *NSS_OID_X509_SUBJECT_DIRECTORY_ATTRIBUTES;
-extern const NSSOID *NSS_OID_X509_SUBJECT_KEY_ID;
-extern const NSSOID *NSS_OID_X509_KEY_USAGE;
-extern const NSSOID *NSS_OID_X509_PRIVATE_KEY_USAGE_PERIOD;
-extern const NSSOID *NSS_OID_X509_SUBJECT_ALT_NAME;
-extern const NSSOID *NSS_OID_X509_ISSUER_ALT_NAME;
-extern const NSSOID *NSS_OID_X509_BASIC_CONSTRAINTS;
-extern const NSSOID *NSS_OID_X509_CRL_NUMBER;
-extern const NSSOID *NSS_OID_X509_REASON_CODE;
-extern const NSSOID *NSS_OID_X509_HOLD_INSTRUCTION_CODE;
-extern const NSSOID *NSS_OID_X509_INVALID_DATE;
-extern const NSSOID *NSS_OID_X509_DELTA_CRL_INDICATOR;
-extern const NSSOID *NSS_OID_X509_ISSUING_DISTRIBUTION_POINT;
-extern const NSSOID *NSS_OID_X509_CERTIFICATE_ISSUER;
-extern const NSSOID *NSS_OID_X509_NAME_CONSTRAINTS;
-extern const NSSOID *NSS_OID_X509_CRL_DIST_POINTS;
-extern const NSSOID *NSS_OID_X509_CERTIFICATE_POLICIES;
-extern const NSSOID *NSS_OID_X509_POLICY_MAPPINGS;
-extern const NSSOID *NSS_OID_X509_AUTH_KEY_ID;
-extern const NSSOID *NSS_OID_X509_POLICY_CONSTRAINTS;
-extern const NSSOID *NSS_OID_X509_EXT_KEY_USAGE;
-extern const NSSOID *NSS_OID_MISSI_DSS_OLD;
-extern const NSSOID *NSS_OID_FORTEZZA_SKIPJACK;
-extern const NSSOID *NSS_OID_MISSI_KEA;
-extern const NSSOID *NSS_OID_MISSI_KEA_DSS_OLD;
-extern const NSSOID *NSS_OID_MISSI_DSS;
-extern const NSSOID *NSS_OID_MISSI_KEA_DSS;
-extern const NSSOID *NSS_OID_MISSI_ALT_KEY;
-extern const NSSOID *NSS_OID_NS_CERT_EXT_CERT_TYPE;
-extern const NSSOID *NSS_OID_NS_CERT_EXT_BASE_URL;
-extern const NSSOID *NSS_OID_NS_CERT_EXT_REVOCATION_URL;
-extern const NSSOID *NSS_OID_NS_CERT_EXT_CA_REVOCATION_URL;
-extern const NSSOID *NSS_OID_NS_CERT_EXT_CA_CRL_URL;
-extern const NSSOID *NSS_OID_NS_CERT_EXT_CA_CERT_URL;
-extern const NSSOID *NSS_OID_NS_CERT_EXT_CERT_RENEWAL_URL;
-extern const NSSOID *NSS_OID_NS_CERT_EXT_CA_POLICY_URL;
-extern const NSSOID *NSS_OID_NS_CERT_EXT_HOMEPAGE_URL;
-extern const NSSOID *NSS_OID_NS_CERT_EXT_ENTITY_LOGO;
-extern const NSSOID *NSS_OID_NS_CERT_EXT_USER_PICTURE;
-extern const NSSOID *NSS_OID_NS_CERT_EXT_SSL_SERVER_NAME;
-extern const NSSOID *NSS_OID_NS_CERT_EXT_COMMENT;
-extern const NSSOID *NSS_OID_NS_CERT_EXT_THAYES;
-extern const NSSOID *NSS_OID_NS_TYPE_GIF;
-extern const NSSOID *NSS_OID_NS_TYPE_JPEG;
-extern const NSSOID *NSS_OID_NS_TYPE_URL;
-extern const NSSOID *NSS_OID_NS_TYPE_HTML;
-extern const NSSOID *NSS_OID_NS_TYPE_CERT_SEQUENCE;
-extern const NSSOID *NSS_OID_NS_KEY_USAGE_GOVT_APPROVED;
-extern const NSSOID *NSS_OID_NETSCAPE_RECOVERY_REQUEST;
-extern const NSSOID *NSS_OID_NETSCAPE_SMIME_KEA;
-extern const NSSOID *NSS_OID_NETSCAPE_NICKNAME;
-extern const NSSOID *NSS_OID_VERISIGN_USER_NOTICES;
-extern const NSSOID *NSS_OID_NS_CERT_EXT_NETSCAPE_OK;
-extern const NSSOID *NSS_OID_NS_CERT_EXT_ISSUER_LOGO;
-extern const NSSOID *NSS_OID_NS_CERT_EXT_SUBJECT_LOGO;
-
-#endif /* OIDDATA_H */
diff --git a/security/nss/lib/pki1/oidgen.perl b/security/nss/lib/pki1/oidgen.perl
deleted file mode 100755
index 3b6abc2ed..000000000
--- a/security/nss/lib/pki1/oidgen.perl
+++ /dev/null
@@ -1,318 +0,0 @@
-#!perl
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-$cvs_id = '@(#) $RCSfile$ $Revision$ $Date$';
-$cfile = shift;
-$hfile = shift;
-$count = -1;
-while(<>) {
-  s/^((?:[^"#]+|"[^"]*")*)(\s*#.*$)/$1/;
-  next if (/^\s*$/);
-
-  /^([\S]+)\s+([^"][\S]*|"[^"]*")/;
-  $name = $1;
-  $value = $2;
-  # This is certainly not the best way to dequote the data.
-  $value =~ s/"//g;
-
-  if( $name =~ "OID" ) {
-    $count++;
-    $x[$count]{$name} = $value;
-    $enc = encodeoid($value);
-    $x[$count]{" encoding"} = escapeoid($enc);
-    $x[$count]{" encoding length"} = length($enc);
-  } else {
-    if( $count < 0 ) {
-      $g{$name} = $value;
-    } else {
-      $x[$count]{$name} = $value;
-    }
-  }
-}
-
-# dodump();
-
-doprint($cfile,$hfile);
-
-sub dodump {
-for( $i = 0; $i <= $count; $i++ ) {
-  print "number $i:\n";
-  %y = %{$x[$i]};
-  while(($n,$v) = each(%y)) {
-    print "\t$n ==> $v\n";
-  }
-}
-}
-
-sub doprint {
-open(CFILE, "> $cfile") || die "Can't open $cfile: $!"; 
-open(HFILE, "> $hfile") || die "Can't open $hfile: $!";
-
-print CFILE <<EOD
-/* THIS IS A GENERATED FILE */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "$g{CVS_ID} ; $cvs_id";
-#endif /* DEBUG */
-
-#ifndef PKI1T_H
-#include "pki1t.h"
-#endif /* PKI1T_H */
-
-const NSSOID nss_builtin_oids[] = {
-EOD
-    ;
-
-for( $i = 0; $i <= $count; $i++ ) {
-  %y = %{$x[$i]};
-  print CFILE "  {\n";
-  print CFILE "#ifdef DEBUG\n";
-  print CFILE "    \"$y{TAG}\",\n";
-  print CFILE "    \"$y{EXPL}\",\n";
-  print CFILE "#endif /* DEBUG */\n";
-  print CFILE "    { \"", $y{" encoding"};
-  print CFILE "\", ", $y{" encoding length"}, " }\n";
-
-  if( $i == $count ) {
-    print CFILE "  }\n";
-  } else {
-    print CFILE "  },\n";
-  }
-}
-
-print CFILE "};\n\n";
-
-print CFILE "const PRUint32 nss_builtin_oid_count = ", ($count+1), ";\n\n";
-
-for( $i = 0; $i <= $count; $i++ ) {
-  %y = %{$x[$i]};
-  if( defined($y{NAME}) ) {
-    print CFILE "const NSSOID *$y{NAME} = (NSSOID *)&nss_builtin_oids[$i];\n";
-  }
-}
-
-print CFILE "\n";
-
-$attrcount = -1;
-for( $i = 0; $i <= $count; $i++ ) {
-  %y = %{$x[$i]};
-  if( defined($y{ATTR}) ) {
-    if( defined($y{NAME}) ) {
-      $attrcount++;
-      $attr[$attrcount]{ATTR} = $y{ATTR};
-      $attr[$attrcount]{NAME} = $y{NAME};
-    } else {
-      warn "Attribute $y{ATTR} has no name, and will be omitted!";
-    }
-  }
-}
-
-print CFILE "const nssAttributeTypeAliasTable nss_attribute_type_aliases[] = {\n";
-
-for( $i = 0; $i <= $attrcount; $i++ ) {
-  %y = %{$attr[$i]};
-  print CFILE "  {\n";
-  print CFILE "    \"$y{ATTR}\",\n";
-  print CFILE "    &$y{NAME}\n";
-
-  if( $i == $attrcount ) {
-    print CFILE "  }\n";
-  } else {
-    print CFILE "  },\n";
-  }
-}
-
-print CFILE "};\n\n";
-
-print CFILE "const PRUint32 nss_attribute_type_alias_count = ", ($attrcount+1), ";\n\n";
-
-print HFILE <<EOD
-/* THIS IS A GENERATED FILE */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef OIDDATA_H
-#define OIDDATA_H
-
-#ifdef DEBUG
-static const char OIDDATA_CVS_ID[] = "$g{CVS_ID} ; $cvs_id";
-#endif /* DEBUG */
-
-#ifndef NSSPKI1T_H
-#include "nsspki1t.h"
-#endif /* NSSPKI1T_H */
-
-EOD
-    ;
-
-for( $i = 0; $i <= $count; $i++ ) {
-  %y = %{$x[$i]};
-  if( defined($y{NAME}) ) {
-    print HFILE "extern const NSSOID *$y{NAME};\n";
-  }
-}
-
-print HFILE <<EOD
-
-#endif /* OIDDATA_H */
-EOD
-    ;
-
-close CFILE;
-close HFILE;
-}
-
-sub encodenum {
-    my $v = $_[0];
-    my @d;
-    my $i;
-    my $rv = "";
-
-    while( $v > 128 ) {
-        push @d, ($v % 128);
-        $v /= 128;
-    };
-    push @d, ($v%128);
-
-    for( $i = @d-1; $i > 0; $i-- ) {
-        $rv = $rv . chr(128 + $d[$i]);
-    }
-
-    $rv = $rv . chr($d[0]);
-
-    return $rv;
-}
-
-sub encodeoid {
-    my @o = split(/\./, $_[0]);
-    my $rv = "";
-    my $i;
-
-    if( @o < 2 ) {
-        # NSS's special "illegal" encoding
-        return chr(128) . encodenum($o[0]);
-    }
-
-    $rv = encodenum($o[0] * 40 + $o[1]);
-    shift @o; shift @o;
-
-    foreach $i (@o) {
-        $rv = $rv . encodenum($i);
-    }
-
-    return $rv;
-}
-
-sub escapeoid {
-  my @v = unpack("C*", $_[0]);
-  my $a;
-  my $rv = "";
-
-  foreach $a (@v) {
-    $rv = $rv . sprintf("\\x%02x", $a);
-  }
-
-  return $rv;
-}
diff --git a/security/nss/lib/pki1/oids.txt b/security/nss/lib/pki1/oids.txt
deleted file mode 100644
index 216ca6e99..000000000
--- a/security/nss/lib/pki1/oids.txt
+++ /dev/null
@@ -1,2119 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-CVS_ID "@(#) $RCSfile$ $Revision$ $Date$"
-
-# Fields
-#  OID  -- the OID data itself, in dotted-number format
-#  TAG  -- the unofficial but common name.  e.g., when written like
-#          { joint-iso-ccitt(2) country(16) US(840) company(1) netscape(113730) }
-#          those words ("joint-iso-ccitt," "country," etc.) are the tags.
-#  EXPL -- a textual explanation, that should stand by itself
-#  NAME -- the name we use in our code.  If no NAME is given, it won't be included
-#
-# Additionally, some sets of OIDs map to some other spaces.. 
-# additional fields capture that data:
-#
-#  CKM  -- the corresponding Cryptoki Mechanism, if any
-#  CKK  -- the corresponding Cryptoki Key type, if any
-#  ATTR -- the UTF-8 attribute type encoding, if applicable
-#          it should be in the standard presentation style (e.g., lowercase),
-#          already-escaped a la RFC 2253 if necessary (which would only
-#          be necessary if some idiot defined an attribute with, say,
-#          an equals sign in it)
-#  CERT_EXTENSION -- SUPPORTED or UNSUPPORTED certificate extension, if applicable
-
-# Top of the OID tree -- see http://www.alvestrand.no/objectid/top.html
-# 
-OID 0
-TAG ccitt               # ITU-T used to be called CCITT
-EXPL "ITU-T"
-
-# See X.208 Annex C for an explanation of the OIDs below ccitt/itu-t
-
-OID 0.0
-TAG recommendation
-EXPL "ITU-T Recommendation"
-
-OID 0.1
-TAG question
-EXPL "ITU-T Question"
-
-OID 0.2
-TAG administration
-EXPL "ITU-T Administration"
-
-OID 0.3
-TAG network-operator
-EXPL "ITU-T Network Operator"
-
-OID 0.4
-TAG identified-organization
-EXPL "ITU-T Identified Organization"
-
-OID 0.9           # used in some RFCs (unofficial!)
-TAG data
-EXPL "RFC Data"
-
-OID 0.9.2342
-TAG pss
-EXPL "PSS British Telecom X.25 Network"
-
-OID 0.9.2342.19200300
-TAG ucl
-EXPL "RFC 1274 UCL Data networks"
-
-OID 0.9.2342.19200300.100
-TAG pilot
-EXPL "RFC 1274 pilot"
-
-OID 0.9.2342.19200300.100.1
-TAG attributeType
-EXPL "RFC 1274 Attribute Type"
-
-OID 0.9.2342.19200300.100.1.1
-TAG uid
-EXPL "RFC 1274 User Id"
-NAME NSS_OID_RFC1274_UID
-ATTR "uid"
-
-OID 0.9.2342.19200300.100.1.3
-TAG mail
-EXPL "RFC 1274 E-mail Addres"
-NAME NSS_OID_RFC1274_EMAIL
-ATTR "mail" # XXX fgmr
-
-OID 0.9.2342.19200300.100.1.25
-TAG dc
-EXPL "RFC 2247 Domain Component"
-NAME NSS_OID_RFC2247_DC
-ATTR "dc"
-
-OID 0.9.2342.19200300.100.3
-TAG attributeSyntax
-EXPL "RFC 1274 Attribute Syntax"
-
-OID 0.9.2342.19200300.100.3.4
-TAG iA5StringSyntax
-EXPL "RFC 1274 IA5 String Attribute Syntax"
-
-OID 0.9.2342.19200300.100.3.5
-TAG caseIgnoreIA5StringSyntax
-EXPL "RFC 1274 Case-Ignore IA5 String Attribute Syntax"
-
-OID 0.9.2342.19200300.100.4
-TAG objectClass
-EXPL "RFC 1274 Object Class"
-
-OID 0.9.2342.19200300.100.10
-TAG groups
-EXPL "RFC 1274 Groups"
-
-OID 0.9.2342.234219200300 
-TAG ucl
-EXPL "RFC 1327 ucl"
-
-OID 1
-TAG iso
-EXPL "ISO"
-
-# See X.208 Annex B for an explanation of the OIDs below iso
-
-OID 1.0
-TAG standard
-EXPL "ISO Standard"
-
-OID 1.1
-TAG registration-authority
-EXPL "ISO Registration Authority"
-
-OID 1.2
-TAG member-body
-EXPL "ISO Member Body"
-
-OID 1.2.36
-TAG australia
-EXPL "Australia (ISO)"
-
-OID 1.2.158
-TAG taiwan
-EXPL "Taiwan (ISO)"
-
-OID 1.2.372 
-TAG ireland
-EXPL "Ireland (ISO)"
-
-OID 1.2.578 
-TAG norway
-EXPL "Norway (ISO)"
-
-OID 1.2.752 
-TAG sweden
-EXPL "Sweden (ISO)"
-
-OID 1.2.826 
-TAG great-britain
-EXPL "Great Britain (ISO)"
-
-OID 1.2.840
-TAG us
-EXPL "United States (ISO)"
-
-OID 1.2.840.1 
-TAG organization
-EXPL "US (ISO) organization"
-
-OID 1.2.840.10003
-TAG ansi-z30-50
-EXPL "ANSI Z39.50"
-
-OID 1.2.840.10008
-TAG dicom
-EXPL "DICOM"
-
-OID 1.2.840.10017
-TAG ieee-1224
-EXPL "IEEE 1224"
-
-OID 1.2.840.10022
-TAG ieee-802-10
-EXPL "IEEE 802.10"
-
-OID 1.2.840.10036
-TAG ieee-802-11
-EXPL "IEEE 802.11"
-
-OID 1.2.840.10040
-TAG x9-57
-EXPL "ANSI X9.57"
-
-# RFC 2459:
-#
-# holdInstruction OBJECT IDENTIFIER ::=
-#           {iso(1) member-body(2) us(840) x9cm(10040) 2}
-#
-# Note that the appendices of RFC 2459 define the (wrong) value
-# of 2.2.840.10040.2 for this oid.
-OID 1.2.840.10040.2
-TAG holdInstruction
-EXPL "ANSI X9.57 Hold Instruction"
-
-# RFC 2459:
-#
-# id-holdinstruction-none OBJECT IDENTIFIER  ::=
-#                 {holdInstruction 1} -- deprecated
-OID 1.2.840.10040.2.1
-TAG id-holdinstruction-none
-EXPL "ANSI X9.57 Hold Instruction: None"
-
-# RFC 2459:
-#
-# id-holdinstruction-callissuer OBJECT IDENTIFIER ::=
-#                 {holdInstruction 2}
-OID 1.2.840.10040.2.2
-TAG id-holdinstruction-callissuer
-EXPL "ANSI X9.57 Hold Instruction: Call Issuer"
-
-# RFC 2459:
-#
-# id-holdinstruction-reject OBJECT IDENTIFIER ::=
-#                 {holdInstruction 3}
-OID 1.2.840.10040.2.3
-TAG id-holdinstruction-reject
-EXPL "ANSI X9.57 Hold Instruction: Reject"
-
-OID 1.2.840.10040.4
-TAG x9algorithm
-EXPL "ANSI X9.57 Algorithm"
-
-# RFC 2459:
-#
-# id-dsa OBJECT IDENTIFIER ::= {
-#      iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 }
-OID 1.2.840.10040.4.1
-TAG id-dsa
-EXPL "ANSI X9.57 DSA Signature"
-NAME NSS_OID_ANSIX9_DSA_SIGNATURE
-CKM CKM_DSA
-CKK CKK_DSA
-
-# RFC 2459:
-#
-# id-dsa-with-sha1 OBJECT IDENTIFIER ::=  {
-#      iso(1) member-body(2) us(840) x9-57 (10040) x9algorithm(4) 3 }
-OID 1.2.840.10040.4.3
-TAG id-dsa-with-sha1
-EXPL "ANSI X9.57 Algorithm DSA Signature with SHA-1 Digest"
-NAME NSS_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST
-CKM CKM_DSA_SHA1
-
-OID 1.2.840.10046
-TAG x942
-EXPL "ANSI X9.42"
-
-OID 1.2.840.10046.2
-TAG algorithm
-EXPL "ANSI X9.42 Algorithm"
-
-# RFC 2459:
-#
-# dhpublicnumber OBJECT IDENTIFIER ::= {
-#      iso(1) member-body(2) us(840) ansi-x942(10046) number-type(2) 1 }
-OID 1.2.840.10046.2.1
-TAG dhpublicnumber
-EXPL "Diffie-Hellman Public Key Algorithm"
-NAME NSS_OID_X942_DIFFIE_HELMAN_KEY
-CKM CKM_DH_PKCS_DERIVE
-CKK CKK_DH
-
-OID 1.2.840.113533
-TAG entrust
-EXPL "Entrust Technologies"
-
-OID 1.2.840.113549 
-TAG rsadsi
-EXPL "RSA Data Security Inc."
-
-OID 1.2.840.113549.1 
-# http://www.rsa.com/rsalabs/pubs/PKCS/
-TAG pkcs
-EXPL "PKCS"
-
-# RFC 2459:
-#
-# pkcs-1 OBJECT IDENTIFIER ::= {
-#      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 }
-OID 1.2.840.113549.1.1
-# ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-1.asc
-TAG pkcs-1
-EXPL "PKCS #1"
-
-# RFC 2459:
-#
-# rsaEncryption OBJECT IDENTIFIER ::=  { pkcs-1 1 }
-OID 1.2.840.113549.1.1.1
-TAG rsaEncryption
-EXPL "PKCS #1 RSA Encryption"
-NAME NSS_OID_PKCS1_RSA_ENCRYPTION
-CKM CKM_RSA_PKCS
-CKK CKK_RSA
-
-# RFC 2459:
-#
-# md2WithRSAEncryption OBJECT IDENTIFIER  ::=  { pkcs-1 2 }
-OID 1.2.840.113549.1.1.2 
-TAG md2WithRSAEncryption
-EXPL "PKCS #1 MD2 With RSA Encryption"      
-NAME NSS_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION
-CKM CKM_MD2_RSA_PKCS
-
-OID 1.2.840.113549.1.1.3 
-TAG md4WithRSAEncryption
-EXPL "PKCS #1 MD4 With RSA Encryption"      
-NAME NSS_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION
-# No CKM!
-
-# RFC 2459:
-#
-# md5WithRSAEncryption OBJECT IDENTIFIER  ::=  { pkcs-1 4 }
-OID 1.2.840.113549.1.1.4 
-TAG md5WithRSAEncryption
-EXPL "PKCS #1 MD5 With RSA Encryption"      
-NAME NSS_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION
-CKM CKM_MD5_RSA_PKCS
-
-# RFC 2459:
-#
-# sha1WithRSAEncryption OBJECT IDENTIFIER  ::=  { pkcs-1 5 }
-OID 1.2.840.113549.1.1.5 
-TAG sha1WithRSAEncryption
-EXPL "PKCS #1 SHA-1 With RSA Encryption"    
-NAME NSS_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION
-CKM CKM_SHA1_RSA_PKCS
-
-OID 1.2.840.113549.1.5 
-# ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-5.asc
-TAG pkcs-5
-EXPL "PKCS #5"
-
-OID 1.2.840.113549.1.5.1 
-TAG pbeWithMD2AndDES-CBC
-EXPL "PKCS #5 Password Based Encryption With MD2 and DES-CBC"     
-NAME NSS_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC
-CKM CKM_PBE_MD2_DES_CBC
-
-OID 1.2.840.113549.1.5.3 
-TAG pbeWithMD5AndDES-CBC
-EXPL "PKCS #5 Password Based Encryption With MD5 and DES-CBC"     
-NAME NSS_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC
-CKM CKM_PBE_MD5_DES_CBC
-
-OID 1.2.840.113549.1.5.10 
-TAG pbeWithSha1AndDES-CBC
-EXPL "PKCS #5 Password Based Encryption With SHA-1 and DES-CBC"   
-NAME NSS_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC
-CKM CKM_NETSCAPE_PBE_SHA1_DES_CBC
-
-OID 1.2.840.113549.1.7 
-# ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-7.asc
-TAG pkcs-7
-EXPL "PKCS #7"
-NAME NSS_OID_PKCS7
-
-OID 1.2.840.113549.1.7.1
-TAG data
-EXPL "PKCS #7 Data"
-NAME NSS_OID_PKCS7_DATA
-
-OID 1.2.840.113549.1.7.2 
-TAG signedData
-EXPL "PKCS #7 Signed Data"
-NAME NSS_OID_PKCS7_SIGNED_DATA
-
-OID 1.2.840.113549.1.7.3 
-TAG envelopedData
-EXPL "PKCS #7 Enveloped Data"
-NAME NSS_OID_PKCS7_ENVELOPED_DATA
-
-OID 1.2.840.113549.1.7.4 
-TAG signedAndEnvelopedData
-EXPL "PKCS #7 Signed and Enveloped Data"
-NAME NSS_OID_PKCS7_SIGNED_ENVELOPED_DATA
-
-OID 1.2.840.113549.1.7.5 
-TAG digestedData
-EXPL "PKCS #7 Digested Data"
-NAME NSS_OID_PKCS7_DIGESTED_DATA
-
-OID 1.2.840.113549.1.7.6 
-TAG encryptedData
-EXPL "PKCS #7 Encrypted Data"
-NAME NSS_OID_PKCS7_ENCRYPTED_DATA
-
-# RFC 2459:
-#
-# pkcs-9 OBJECT IDENTIFIER ::=
-#        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 }
-OID 1.2.840.113549.1.9 
-# ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-9.asc
-TAG pkcs-9
-EXPL "PKCS #9"
-
-# RFC 2459:
-#
-# emailAddress AttributeType      ::= { pkcs-9 1 }
-OID 1.2.840.113549.1.9.1
-TAG emailAddress
-EXPL "PKCS #9 Email Address"
-NAME NSS_OID_PKCS9_EMAIL_ADDRESS
-
-OID 1.2.840.113549.1.9.2 
-TAG unstructuredName
-EXPL "PKCS #9 Unstructured Name"
-NAME NSS_OID_PKCS9_UNSTRUCTURED_NAME
-
-OID 1.2.840.113549.1.9.3 
-TAG contentType
-EXPL "PKCS #9 Content Type"
-NAME NSS_OID_PKCS9_CONTENT_TYPE
-
-OID 1.2.840.113549.1.9.4 
-TAG messageDigest
-EXPL "PKCS #9 Message Digest"
-NAME NSS_OID_PKCS9_MESSAGE_DIGEST
-
-OID 1.2.840.113549.1.9.5 
-TAG signingTime
-EXPL "PKCS #9 Signing Time"
-NAME NSS_OID_PKCS9_SIGNING_TIME
-
-OID 1.2.840.113549.1.9.6 
-TAG counterSignature
-EXPL "PKCS #9 Counter Signature"
-NAME NSS_OID_PKCS9_COUNTER_SIGNATURE
-
-OID 1.2.840.113549.1.9.7 
-TAG challengePassword
-EXPL "PKCS #9 Challenge Password"
-NAME NSS_OID_PKCS9_CHALLENGE_PASSWORD
-
-OID 1.2.840.113549.1.9.8 
-TAG unstructuredAddress
-EXPL "PKCS #9 Unstructured Address"
-NAME NSS_OID_PKCS9_UNSTRUCTURED_ADDRESS
-
-OID 1.2.840.113549.1.9.9 
-TAG extendedCertificateAttributes
-EXPL "PKCS #9 Extended Certificate Attributes"
-NAME NSS_OID_PKCS9_EXTENDED_CERTIFICATE_ATTRIBUTES
-
-OID 1.2.840.113549.1.9.15 
-TAG sMIMECapabilities
-EXPL "PKCS #9 S/MIME Capabilities"
-NAME NSS_OID_PKCS9_SMIME_CAPABILITIES
-
-OID 1.2.840.113549.1.9.20
-TAG friendlyName
-EXPL "PKCS #9 Friendly Name"
-NAME NSS_OID_PKCS9_FRIENDLY_NAME
-
-OID 1.2.840.113549.1.9.21
-TAG localKeyID
-EXPL "PKCS #9 Local Key ID"
-NAME NSS_OID_PKCS9_LOCAL_KEY_ID
-
-OID 1.2.840.113549.1.9.22 
-TAG certTypes
-EXPL "PKCS #9 Certificate Types"
-
-OID 1.2.840.113549.1.9.22.1
-TAG x509Certificate
-EXPL "PKCS #9 Certificate Type = X.509"
-NAME NSS_OID_PKCS9_X509_CERT
-
-OID 1.2.840.113549.1.9.22.2
-TAG sdsiCertificate
-EXPL "PKCS #9 Certificate Type = SDSI"
-NAME NSS_OID_PKCS9_SDSI_CERT
-
-OID 1.2.840.113549.1.9.23 
-TAG crlTypes
-EXPL "PKCS #9 Certificate Revocation List Types"
-
-OID 1.2.840.113549.1.9.23.1
-TAG x509Crl
-EXPL "PKCS #9 CRL Type = X.509"
-NAME NSS_OID_PKCS9_X509_CRL
-
-OID 1.2.840.113549.1.12
-# http://www.rsa.com/rsalabs/pubs/PKCS/html/pkcs-12.html
-# NOTE -- PKCS #12                          multiple contradictory
-#         documents exist.  Somebody go figure out the canonical
-#         OID list, keeping in mind backwards-compatability..
-TAG pkcs-12
-EXPL "PKCS #12"
-NAME NSS_OID_PKCS12
-
-OID 1.2.840.113549.1.12.1 
-TAG pkcs-12PbeIds
-EXPL "PKCS #12 Password Based Encryption IDs"
-NAME NSS_OID_PKCS12_PBE_IDS
-# We called it SEC_OID_PKCS12_MODE_IDS
-
-OID 1.2.840.113549.1.12.1.1
-TAG pbeWithSHA1And128BitRC4
-EXPL "PKCS #12 Password Based Encryption With SHA-1 and 128-bit RC4"
-NAME NSS_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4
-CKM CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4
-# We called it SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4
-
-OID 1.2.840.113549.1.12.1.2
-TAG pbeWithSHA1And40BitRC4
-EXPL "PKCS #12 Password Based Encryption With SHA-1 and 40-bit RC4"
-NAME NSS_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4
-CKM CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4
-# We called it SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4
-
-OID 1.2.840.113549.1.12.1.3
-TAG pbeWithSHA1And3-KeyTripleDES-CBC
-EXPL "PKCS #12 Password Based Encryption With SHA-1 and 3-key Triple DES-CBC"
-NAME NSS_OID_PKCS12_PBE_WITH_SHA1_AND_3_KEY_TRIPLE_DES_CBC
-CKM CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC
-# We called it SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC
-
-OID 1.2.840.113549.1.12.1.4
-TAG pbeWithSHA1And2-KeyTripleDES-CBC
-EXPL "PKCS #12 Password Based Encryption With SHA-1 and 2-key Triple DES-CBC"
-NAME NSS_OID_PKCS12_PBE_WITH_SHA1_AND_2_KEY_TRIPLE_DES_CBC
-CKM CKM_PBE_SHA1_DES2_EDE_CBC
-# We called it SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC
-
-OID 1.2.840.113549.1.12.1.5
-TAG pbeWithSHA1And128BitRC2-CBC
-EXPL "PKCS #12 Password Based Encryption With SHA-1 and 128-bit RC2-CBC"
-NAME NSS_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC
-CKM CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC
-# We called it SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC
-
-OID 1.2.840.113549.1.12.1.6
-TAG pbeWithSHA1And40BitRC2-CBC
-EXPL "PKCS #12 Password Based Encryption With SHA-1 and 40-bit RC2-CBC"
-NAME NSS_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC
-CKM CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC
-# We called it SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC
-
-OID 1.2.840.113549.1.12.2 
-TAG pkcs-12EspvkIds
-EXPL "PKCS #12 ESPVK IDs"
-# We called it SEC_OID_PKCS12_ESPVK_IDS
-
-OID 1.2.840.113549.1.12.2.1
-TAG pkcs8-key-shrouding
-EXPL "PKCS #12 Key Shrouding"
-# We called it SEC_OID_PKCS12_PKCS8_KEY_SHROUDING
-
-OID 1.2.840.113549.1.12.3 
-TAG draft1Pkcs-12Bag-ids
-EXPL "Draft 1.0 PKCS #12 Bag IDs"
-# We called it SEC_OID_PKCS12_BAG_IDS
-
-OID 1.2.840.113549.1.12.3.1
-TAG keyBag
-EXPL "Draft 1.0 PKCS #12 Key Bag"
-# We called it SEC_OID_PKCS12_KEY_BAG_ID
-
-OID 1.2.840.113549.1.12.3.2
-TAG certAndCRLBagId
-EXPL "Draft 1.0 PKCS #12 Cert and CRL Bag ID"
-# We called it SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID
-
-OID 1.2.840.113549.1.12.3.3
-TAG secretBagId
-EXPL "Draft 1.0 PKCS #12 Secret Bag ID"
-# We called it SEC_OID_PKCS12_SECRET_BAG_ID
-
-OID 1.2.840.113549.1.12.3.4
-TAG safeContentsId
-EXPL "Draft 1.0 PKCS #12 Safe Contents Bag ID"
-# We called it SEC_OID_PKCS12_SAFE_CONTENTS_ID
-
-OID 1.2.840.113549.1.12.3.5
-TAG pkcs-8ShroudedKeyBagId
-EXPL "Draft 1.0 PKCS #12 PKCS #8-shrouded Key Bag ID"
-# We called it SEC_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG_ID
-
-OID 1.2.840.113549.1.12.4 
-TAG pkcs-12CertBagIds
-EXPL "PKCS #12 Certificate Bag IDs"
-# We called it SEC_OID_PKCS12_CERT_BAG_IDS
-
-OID 1.2.840.113549.1.12.4.1
-TAG x509CertCRLBagId
-EXPL "PKCS #12 X.509 Certificate and CRL Bag"
-# We called it SEC_OID_PKCS12_X509_CERT_CRL_BAG
-
-OID 1.2.840.113549.1.12.4.2
-TAG SDSICertBagID
-EXPL "PKCS #12 SDSI Certificate Bag"
-# We called it SEC_OID_PKCS12_SDSI_CERT_BAG
-
-OID 1.2.840.113549.1.12.5 
-TAG pkcs-12Oids
-EXPL "PKCS #12 OIDs (XXX)"
-# We called it SEC_OID_PKCS12_OIDS
-
-OID 1.2.840.113549.1.12.5.1 
-TAG pkcs-12PbeIds
-EXPL "PKCS #12 OIDs PBE IDs (XXX)"
-# We called it SEC_OID_PKCS12_PBE_IDS
-
-OID 1.2.840.113549.1.12.5.1.1
-TAG pbeWithSha1And128BitRC4
-EXPL "PKCS #12 OIDs PBE with SHA-1 and 128-bit RC4 (XXX)"
-CKM CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4
-# We called it SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4
-
-OID 1.2.840.113549.1.12.5.1.2
-TAG pbeWithSha1And40BitRC4
-EXPL "PKCS #12 OIDs PBE with SHA-1 and 40-bit RC4 (XXX)"
-CKM CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4
-# We called it SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4
-
-OID 1.2.840.113549.1.12.5.1.3
-TAG pbeWithSha1AndTripleDES-CBC
-EXPL "PKCS #12 OIDs PBE with SHA-1 and Triple DES-CBC (XXX)"
-CKM CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC
-# We called it SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC
-
-OID 1.2.840.113549.1.12.5.1.4
-TAG pbeWithSha1And128BitRC2-CBC
-EXPL "PKCS #12 OIDs PBE with SHA-1 and 128-bit RC2-CBC (XXX)"
-CKM CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC
-# We called it SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC
-
-OID 1.2.840.113549.1.12.5.1.5
-TAG pbeWithSha1And40BitRC2-CBC
-EXPL "PKCS #12 OIDs PBE with SHA-1 and 40-bit RC2-CBC (XXX)"
-CKM CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC
-# We called it SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC
-
-OID 1.2.840.113549.1.12.5.2 
-TAG pkcs-12EnvelopingIds
-EXPL "PKCS #12 OIDs Enveloping IDs (XXX)"
-# We called it SEC_OID_PKCS12_ENVELOPING_IDS
-
-OID 1.2.840.113549.1.12.5.2.1
-TAG rsaEncryptionWith128BitRC4
-EXPL "PKCS #12 OIDs Enveloping RSA Encryption with 128-bit RC4"
-# We called it SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_128_BIT_RC4
-
-OID 1.2.840.113549.1.12.5.2.2
-TAG rsaEncryptionWith40BitRC4
-EXPL "PKCS #12 OIDs Enveloping RSA Encryption with 40-bit RC4"
-# We called it SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_40_BIT_RC4
-
-OID 1.2.840.113549.1.12.5.2.3
-TAG rsaEncryptionWithTripleDES
-EXPL "PKCS #12 OIDs Enveloping RSA Encryption with Triple DES"
-# We called it SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_TRIPLE_DES
-
-OID 1.2.840.113549.1.12.5.3 
-TAG pkcs-12SignatureIds
-EXPL "PKCS #12 OIDs Signature IDs (XXX)"
-# We called it SEC_OID_PKCS12_SIGNATURE_IDS
-
-OID 1.2.840.113549.1.12.5.3.1
-TAG rsaSignatureWithSHA1Digest
-EXPL "PKCS #12 OIDs RSA Signature with SHA-1 Digest"
-# We called it SEC_OID_PKCS12_RSA_SIGNATURE_WITH_SHA1_DIGEST
-
-OID 1.2.840.113549.1.12.10 
-TAG pkcs-12Version1
-EXPL "PKCS #12 Version 1"
-
-OID 1.2.840.113549.1.12.10.1
-TAG pkcs-12BagIds
-EXPL "PKCS #12 Bag IDs"
-
-OID 1.2.840.113549.1.12.10.1.1
-TAG keyBag
-EXPL "PKCS #12 Key Bag"
-NAME NSS_OID_PKCS12_KEY_BAG
-# We called it SEC_OID_PKCS12_V1_KEY_BAG_ID
-
-OID 1.2.840.113549.1.12.10.1.2
-TAG pkcs-8ShroudedKeyBag
-EXPL "PKCS #12 PKCS #8-shrouded Key Bag"
-NAME NSS_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG
-# We called it SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID
-
-OID 1.2.840.113549.1.12.10.1.3
-TAG certBag
-EXPL "PKCS #12 Certificate Bag"
-NAME NSS_OID_PKCS12_CERT_BAG
-# We called it SEC_OID_PKCS12_V1_CERT_BAG_ID
-
-OID 1.2.840.113549.1.12.10.1.4
-TAG crlBag
-EXPL "PKCS #12 CRL Bag"
-NAME NSS_OID_PKCS12_CRL_BAG
-# We called it SEC_OID_PKCS12_V1_CRL_BAG_ID
-
-OID 1.2.840.113549.1.12.10.1.5
-TAG secretBag
-EXPL "PKCS #12 Secret Bag"
-NAME NSS_OID_PKCS12_SECRET_BAG
-# We called it SEC_OID_PKCS12_V1_SECRET_BAG_ID
-
-OID 1.2.840.113549.1.12.10.1.6
-TAG safeContentsBag
-EXPL "PKCS #12 Safe Contents Bag"
-NAME NSS_OID_PKCS12_SAFE_CONTENTS_BAG
-# We called it SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID
-
-OID 1.2.840.113549.2
-TAG digest
-EXPL "RSA digest algorithm"
-
-OID 1.2.840.113549.2.2 
-TAG md2
-EXPL "MD2"
-NAME NSS_OID_MD2
-CKM CKM_MD2
-
-OID 1.2.840.113549.2.4 
-TAG md4
-EXPL "MD4"
-NAME NSS_OID_MD4
-# No CKM
-
-OID 1.2.840.113549.2.5
-TAG md5
-EXPL "MD5"
-NAME NSS_OID_MD5
-CKM CKM_MD5
-
-OID 1.2.840.113549.3 
-TAG cipher
-EXPL "RSA cipher algorithm"
-
-OID 1.2.840.113549.3.2 
-TAG rc2cbc
-EXPL "RC2-CBC"
-NAME NSS_OID_RC2_CBC
-CKM_RC2_CBC
-
-OID 1.2.840.113549.3.4 
-TAG rc4
-EXPL "RC4"
-NAME NSS_OID_RC4
-CKM CKM_RC4
-
-OID 1.2.840.113549.3.7 
-TAG desede3cbc
-EXPL "DES-EDE3-CBC"
-NAME NSS_OID_DES_EDE3_CBC
-CKM CKM_DES3_CBC
-
-OID 1.2.840.113549.3.9 
-TAG rc5cbcpad
-EXPL "RC5-CBCPad"
-NAME NSS_OID_RC5_CBC_PAD
-CKM CKM_RC5_CBC
-
-OID 1.2.840.113556
-TAG microsoft
-EXPL "Microsoft"
-
-OID 1.2.840.113560
-TAG columbia-university
-EXPL "Columbia University"
-
-OID 1.2.840.113572
-TAG unisys
-EXPL "Unisys"
-
-OID 1.2.840.113658
-TAG xapia
-EXPL "XAPIA"
-
-OID 1.2.840.113699
-TAG wordperfect
-EXPL "WordPerfect"
-
-OID 1.3
-TAG identified-organization
-EXPL "ISO identified organizations"
-
-OID 1.3.6
-TAG us-dod
-EXPL "United States Department of Defense"
-
-OID 1.3.6.1 
-TAG internet  # See RFC 1065
-EXPL "The Internet"
-
-OID 1.3.6.1.1
-TAG directory
-EXPL "Internet: Directory"
-
-OID 1.3.6.1.2
-TAG management
-EXPL "Internet: Management"
-
-OID 1.3.6.1.3
-TAG experimental
-EXPL "Internet: Experimental"
-
-OID 1.3.6.1.4
-TAG private
-EXPL "Internet: Private"
-
-OID 1.3.6.1.5
-TAG security
-EXPL "Internet: Security"
-
-OID 1.3.6.1.5.5
-
-# RFC 2459:
-#
-# id-pkix  OBJECT IDENTIFIER  ::=
-#          { iso(1) identified-organization(3) dod(6) internet(1)
-#                     security(5) mechanisms(5) pkix(7) }
-OID 1.3.6.1.5.5.7 
-TAG id-pkix
-EXPL "Public Key Infrastructure"
-
-# RFC 2459:
-#
-# PKIX1Explicit88 {iso(1) identified-organization(3) dod(6) internet(1)
-#   security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit-88(1)}
-OID 1.3.6.1.5.5.7.0.1
-TAG PKIX1Explicit88
-EXPL "RFC 2459 Explicitly Tagged Module, 1988 Syntax"
-
-# RFC 2459:
-#
-# PKIX1Implicit88 {iso(1) identified-organization(3) dod(6) internet(1)
-#   security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit-88(2)}
-OID 1.3.6.1.5.5.7.0.2
-TAG PKIXImplicit88
-EXPL "RFC 2459 Implicitly Tagged Module, 1988 Syntax"
-
-# RFC 2459:
-#
-# PKIX1Explicit93 {iso(1) identified-organization(3) dod(6) internet(1)
-#    security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit-93(3)}
-OID 1.3.6.1.5.5.7.0.3
-TAG PKIXExplicit93
-EXPL "RFC 2459 Explicitly Tagged Module, 1993 Syntax"
-
-# RFC 2459:
-#
-# id-pe OBJECT IDENTIFIER  ::=  { id-pkix 1 }
-#         -- arc for private certificate extensions
-OID 1.3.6.1.5.5.7.1 
-TAG id-pe
-EXPL "PKIX Private Certificate Extensions"
-
-# RFC 2459:
-#
-# id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }
-OID 1.3.6.1.5.5.7.1.1
-TAG id-pe-authorityInfoAccess
-EXPL "Certificate Authority Information Access"
-NAME NSS_OID_X509_AUTH_INFO_ACCESS
-CERT_EXTENSION SUPPORTED
-
-# RFC 2459:
-#
-# id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
-#         -- arc for policy qualifier types
-OID 1.3.6.1.5.5.7.2 
-TAG id-qt
-EXPL "PKIX Policy Qualifier Types"
-
-# RFC 2459:
-#
-# id-qt-cps      OBJECT IDENTIFIER ::=  { id-qt 1 }
-#         -- OID for CPS qualifier
-OID 1.3.6.1.5.5.7.2.1
-TAG id-qt-cps
-EXPL "PKIX CPS Pointer Qualifier"
-NAME NSS_OID_PKIX_CPS_POINTER_QUALIFIER
-
-# RFC 2459:
-#
-# id-qt-unotice  OBJECT IDENTIFIER ::=  { id-qt 2 }
-#         -- OID for user notice qualifier
-OID 1.3.6.1.5.5.7.2.2
-TAG id-qt-unotice
-EXPL "PKIX User Notice Qualifier"
-NAME NSS_OID_PKIX_USER_NOTICE_QUALIFIER
-
-# RFC 2459:
-#
-# id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
-#         -- arc for extended key purpose OIDS
-OID 1.3.6.1.5.5.7.3 
-TAG id-kp
-EXPL "PKIX Key Purpose"
-
-# RFC 2459:
-#
-# id-kp-serverAuth      OBJECT IDENTIFIER ::= { id-kp 1 }
-OID 1.3.6.1.5.5.7.3.1
-TAG id-kp-serverAuth
-EXPL "TLS Web Server Authentication Certificate"
-NAME NSS_OID_EXT_KEY_USAGE_SERVER_AUTH
-
-# RFC 2459:
-#
-# id-kp-clientAuth      OBJECT IDENTIFIER ::= { id-kp 2 }
-OID 1.3.6.1.5.5.7.3.2
-TAG id-kp-clientAuth
-EXPL "TLS Web Client Authentication Certificate"
-NAME NSS_OID_EXT_KEY_USAGE_CLIENT_AUTH
-
-# RFC 2459:
-#
-# id-kp-codeSigning     OBJECT IDENTIFIER ::= { id-kp 3 }
-OID 1.3.6.1.5.5.7.3.3
-TAG id-kp-codeSigning
-EXPL "Code Signing Certificate"
-NAME NSS_OID_EXT_KEY_USAGE_CODE_SIGN
-
-# RFC 2459:
-#
-# id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
-OID 1.3.6.1.5.5.7.3.4
-TAG id-kp-emailProtection
-EXPL "E-Mail Protection Certificate"
-NAME NSS_OID_EXT_KEY_USAGE_EMAIL_PROTECTION
-
-# RFC 2459:
-#
-# id-kp-ipsecEndSystem  OBJECT IDENTIFIER ::= { id-kp 5 }
-OID 1.3.6.1.5.5.7.3.5
-TAG id-kp-ipsecEndSystem
-EXPL "IPSEC End System Certificate"
-NAME NSS_OID_EXT_KEY_USAGE_IPSEC_END_SYSTEM
-
-# RFC 2459:
-#
-# id-kp-ipsecTunnel     OBJECT IDENTIFIER ::= { id-kp 6 }
-OID 1.3.6.1.5.5.7.3.6
-TAG id-kp-ipsecTunnel
-EXPL "IPSEC Tunnel Certificate"
-NAME NSS_OID_EXT_KEY_USAGE_IPSEC_TUNNEL
-
-# RFC 2459:
-#
-# id-kp-ipsecUser       OBJECT IDENTIFIER ::= { id-kp 7 }
-OID 1.3.6.1.5.5.7.3.7
-TAG id-kp-ipsecUser
-EXPL "IPSEC User Certificate"
-NAME NSS_OID_EXT_KEY_USAGE_IPSEC_USER
-
-# RFC 2459:
-#
-# id-kp-timeStamping    OBJECT IDENTIFIER ::= { id-kp 8 }
-OID 1.3.6.1.5.5.7.3.8
-TAG id-kp-timeStamping
-EXPL "Time Stamping Certificate"
-NAME NSS_OID_EXT_KEY_USAGE_TIME_STAMP
-
-OID 1.3.6.1.5.5.7.3.9
-TAG ocsp-responder
-EXPL "OCSP Responder Certificate"
-NAME NSS_OID_OCSP_RESPONDER
-
-OID 1.3.6.1.5.5.7.7 
-TAG pkix-id-pkix
-
-OID 1.3.6.1.5.5.7.7.5 
-TAG pkix-id-pkip
-
-OID 1.3.6.1.5.5.7.7.5.1 
-TAG pkix-id-regctrl
-EXPL "CRMF Registration Control"
-
-OID 1.3.6.1.5.5.7.7.5.1.1
-TAG regtoken
-EXPL "CRMF Registration Control, Registration Token"
-NAME NSS_OID_PKIX_REGCTRL_REGTOKEN
-
-OID 1.3.6.1.5.5.7.7.5.1.2
-TAG authenticator
-EXPL "CRMF Registration Control, Registration Authenticator"
-NAME NSS_OID_PKIX_REGCTRL_AUTHENTICATOR
-
-OID 1.3.6.1.5.5.7.7.5.1.3
-TAG pkipubinfo
-EXPL "CRMF Registration Control, PKI Publication Info"
-NAME NSS_OID_PKIX_REGCTRL_PKIPUBINFO
-
-OID 1.3.6.1.5.5.7.7.5.1.4
-TAG pki-arch-options
-EXPL "CRMF Registration Control, PKI Archive Options"
-NAME NSS_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS
-
-OID 1.3.6.1.5.5.7.7.5.1.5
-TAG old-cert-id
-EXPL "CRMF Registration Control, Old Certificate ID"
-NAME NSS_OID_PKIX_REGCTRL_OLD_CERT_ID
-
-OID 1.3.6.1.5.5.7.7.5.1.6
-TAG protocol-encryption-key
-EXPL "CRMF Registration Control, Protocol Encryption Key"
-NAME NSS_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY
-
-OID 1.3.6.1.5.5.7.7.5.2 
-TAG pkix-id-reginfo
-EXPL "CRMF Registration Info"
-
-OID 1.3.6.1.5.5.7.7.5.2.1
-TAG utf8-pairs
-EXPL "CRMF Registration Info, UTF8 Pairs"
-NAME NSS_OID_PKIX_REGINFO_UTF8_PAIRS
-
-OID 1.3.6.1.5.5.7.7.5.2.2
-TAG cert-request
-EXPL "CRMF Registration Info, Certificate Request"
-NAME NSS_OID_PKIX_REGINFO_CERT_REQUEST
-
-# RFC 2549:
-#
-# id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
-#         -- arc for access descriptors
-OID 1.3.6.1.5.5.7.48 
-TAG id-ad
-EXPL "PKIX Access Descriptors"
-
-# RFC 2549:
-#
-# id-ad-ocsp      OBJECT IDENTIFIER ::= { id-ad 1 }
-OID 1.3.6.1.5.5.7.48.1
-TAG id-ad-ocsp
-EXPL "PKIX Online Certificate Status Protocol"
-NAME NSS_OID_OID_PKIX_OCSP
-
-OID 1.3.6.1.5.5.7.48.1.1
-TAG basic-response
-EXPL "OCSP Basic Response"
-NAME NSS_OID_PKIX_OCSP_BASIC_RESPONSE
-
-OID 1.3.6.1.5.5.7.48.1.2
-TAG nonce-extension
-EXPL "OCSP Nonce Extension"
-NAME NSS_OID_PKIX_OCSP_NONCE
-
-OID 1.3.6.1.5.5.7.48.1.3
-TAG response
-EXPL "OCSP Response Types Extension"
-NAME NSS_OID_PKIX_OCSP_RESPONSE
-
-OID 1.3.6.1.5.5.7.48.1.4
-TAG crl
-EXPL "OCSP CRL Reference Extension"
-NAME NSS_OID_PKIX_OCSP_CRL
-
-OID 1.3.6.1.5.5.7.48.1.5
-TAG no-check
-EXPL "OCSP No Check Extension"
-NAME NSS_OID_X509_OCSP_NO_CHECK  # X509_... ?
-
-OID 1.3.6.1.5.5.7.48.1.6
-TAG archive-cutoff
-EXPL "OCSP Archive Cutoff Extension"
-NAME NSS_OID_PKIX_OCSP_ARCHIVE_CUTOFF
-
-OID 1.3.6.1.5.5.7.48.1.7
-TAG service-locator
-EXPL "OCSP Service Locator Extension"
-NAME NSS_OID_PKIX_OCSP_SERVICE_LOCATOR
-
-# RFC 2549:
-#
-# id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 }
-OID 1.3.6.1.5.5.7.48.2
-TAG id-ad-caIssuers
-EXPL "Certificate Authority Issuers"
-
-OID 1.3.6.1.6
-TAG snmpv2
-EXPL "Internet: SNMPv2"
-
-OID 1.3.6.1.7
-TAG mail
-EXPL "Internet: mail"
-
-OID 1.3.6.1.7.1
-TAG mime-mhs
-EXPL "Internet: mail MIME mhs"
-
-OID 1.3.12 
-TAG ecma
-EXPL "European Computers Manufacturing Association"
-
-OID 1.3.14
-TAG oiw
-EXPL "Open Systems Implementors Workshop"
-
-OID 1.3.14.3 secsig
-TAG secsig
-EXPL "Open Systems Implementors Workshop Security Special Interest Group"
-
-OID 1.3.14.3.1
-TAG oIWSECSIGAlgorithmObjectIdentifiers
-EXPL "OIW SECSIG Algorithm OIDs"
-
-OID 1.3.14.3.2 
-TAG algorithm
-EXPL "OIW SECSIG Algorithm"
-
-OID 1.3.14.3.2.6 
-TAG desecb
-EXPL "DES-ECB"
-NAME NSS_OID_DES_ECB
-CKM CKM_DES_ECB
-
-OID 1.3.14.3.2.7
-TAG descbc
-EXPL "DES-CBC"
-NAME NSS_OID_DES_CBC
-CKM CKM_DES_CBC
-
-OID 1.3.14.3.2.8
-TAG desofb
-EXPL "DES-OFB"
-NAME NSS_OID_DES_OFB
-# No CKM..
-
-OID 1.3.14.3.2.9 
-TAG descfb
-EXPL "DES-CFB"
-NAME NSS_OID_DES_CFB
-# No CKM..
-
-OID 1.3.14.3.2.10
-TAG desmac
-EXPL "DES-MAC"
-NAME NSS_OID_DES_MAC
-CKM CKM_DES_MAC
-
-OID 1.3.14.3.2.15 
-TAG isoSHAWithRSASignature
-EXPL "ISO SHA with RSA Signature"
-NAME NSS_OID_ISO_SHA_WITH_RSA_SIGNATURE
-# No CKM..
-
-OID 1.3.14.3.2.17 
-TAG desede
-EXPL "DES-EDE"
-NAME NSS_OID_DES_EDE
-# No CKM..
-
-OID 1.3.14.3.2.26 
-TAG sha1
-EXPL "SHA-1"
-NAME NSS_OID_SHA1
-CKM CKM_SHA_1
-
-OID 1.3.14.3.2.27
-TAG bogusDSASignatureWithSHA1Digest
-EXPL "Forgezza DSA Signature with SHA-1 Digest"
-NAME NSS_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST
-CKM CKM_DSA_SHA1
-
-OID 1.3.14.3.3
-TAG authentication-mechanism
-EXPL "OIW SECSIG Authentication Mechanisms"
-
-OID 1.3.14.3.4
-TAG security-attribute
-EXPL "OIW SECSIG Security Attributes"
-
-OID 1.3.14.3.5
-TAG document-definition
-EXPL "OIW SECSIG Document Definitions used in security"
-
-OID 1.3.14.7
-TAG directory-services-sig
-EXPL "OIW directory services sig"
-
-OID 1.3.16
-TAG ewos
-EXPL "European Workshop on Open Systems"
-
-OID 1.3.22
-TAG osf
-EXPL "Open Software Foundation"
-
-OID 1.3.23
-TAG nordunet
-EXPL "Nordunet"
-
-OID 1.3.26
-TAG nato-id-org
-EXPL "NATO identified organisation"
-
-OID 1.3.36
-TAG teletrust
-EXPL "Teletrust"
-
-OID 1.3.52
-TAG smpte
-EXPL "Society of Motion Picture and Television Engineers"
-
-OID 1.3.69
-TAG sita
-EXPL "Societe Internationale de Telecommunications Aeronautiques"
-
-OID 1.3.90
-TAG iana
-EXPL "Internet Assigned Numbers Authority"
-
-OID 1.3.101 
-TAG thawte
-EXPL "Thawte"
-
-OID 2 
-TAG joint-iso-ccitt
-EXPL "Joint ISO/ITU-T assignment"
-
-OID 2.0
-TAG presentation
-EXPL "Joint ISO/ITU-T Presentation"
-
-OID 2.1
-TAG asn-1
-EXPL "Abstract Syntax Notation One"
-
-OID 2.2
-TAG acse
-EXPL "Association Control"
-
-OID 2.3
-TAG rtse
-EXPL "Reliable Transfer"
-
-OID 2.4
-TAG rose
-EXPL "Remote Operations"
-
-OID 2.5
-TAG x500
-EXPL "Directory"
-
-OID 2.5.1
-TAG modules
-EXPL "X.500 modules"
-
-OID 2.5.2
-TAG service-environment
-EXPL "X.500 service environment"
-
-OID 2.5.3
-TAG application-context
-EXPL "X.500 application context"
-
-# RFC 2459:
-#
-# id-at           OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 4}
-OID 2.5.4
-TAG id-at
-EXPL "X.520 attribute types"
-
-# RFC 2459:
-#
-# id-at-commonName        AttributeType   ::=     {id-at 3}
-OID 2.5.4.3
-TAG id-at-commonName
-EXPL "X.520 Common Name"
-NAME NSS_OID_X520_COMMON_NAME
-ATTR "cn"
-
-# RFC 2459:
-#
-# id-at-surname           AttributeType   ::=     {id-at 4}
-OID 2.5.4.4
-TAG id-at-surname
-EXPL "X.520 Surname"
-NAME NSS_OID_X520_SURNAME
-ATTR "sn"
-
-# RFC 2459:
-#
-# id-at-countryName       AttributeType   ::=     {id-at 6}
-OID 2.5.4.6
-TAG id-at-countryName
-EXPL "X.520 Country Name"
-NAME NSS_OID_X520_COUNTRY_NAME
-ATTR "c"
-
-# RFC 2459:
-#
-# id-at-localityName      AttributeType   ::=     {id-at 7}
-OID 2.5.4.7
-TAG id-at-localityName
-EXPL "X.520 Locality Name"
-NAME NSS_OID_X520_LOCALITY_NAME
-ATTR "l"
-
-# RFC 2459:
-#
-# id-at-stateOrProvinceName       AttributeType   ::=     {id-at 8}
-OID 2.5.4.8
-TAG id-at-stateOrProvinceName
-EXPL "X.520 State or Province Name"
-NAME NSS_OID_X520_STATE_OR_PROVINCE_NAME
-ATTR "s"
-
-# RFC 2459:
-#
-# id-at-organizationName          AttributeType   ::=     {id-at 10}
-OID 2.5.4.10
-TAG id-at-organizationName
-EXPL "X.520 Organization Name"
-NAME NSS_OID_X520_ORGANIZATION_NAME
-ATTR "o"
-
-# RFC 2459:
-#
-# id-at-organizationalUnitName    AttributeType   ::=     {id-at 11}
-OID 2.5.4.11
-TAG id-at-organizationalUnitName
-EXPL "X.520 Organizational Unit Name"
-NAME NSS_OID_X520_ORGANIZATIONAL_UNIT_NAME
-ATTR "ou"
-
-# RFC 2459:
-#
-# id-at-title     AttributeType   ::=     {id-at 12}
-OID 2.5.4.12
-TAG id-at-title
-EXPL "X.520 Title"
-NAME NSS_OID_X520_TITLE
-ATTR "title"
-
-# RFC 2459:
-#
-# id-at-name              AttributeType   ::=     {id-at 41}
-OID 2.5.4.41
-TAG id-at-name
-EXPL "X.520 Name"
-NAME NSS_OID_X520_NAME
-ATTR "name"
-
-# RFC 2459:
-#
-# id-at-givenName         AttributeType   ::=     {id-at 42}
-OID 2.5.4.42
-TAG id-at-givenName
-EXPL "X.520 Given Name"
-NAME NSS_OID_X520_GIVEN_NAME
-ATTR "givenName"
-
-# RFC 2459:
-#
-# id-at-initials          AttributeType   ::=     {id-at 43}
-OID 2.5.4.43
-TAG id-at-initials
-EXPL "X.520 Initials"
-NAME NSS_OID_X520_INITIALS
-ATTR "initials"
-
-# RFC 2459:
-#
-# id-at-generationQualifier       AttributeType   ::=     {id-at 44}
-OID 2.5.4.44
-TAG id-at-generationQualifier
-EXPL "X.520 Generation Qualifier"
-NAME NSS_OID_X520_GENERATION_QUALIFIER
-ATTR "generationQualifier"
-
-# RFC 2459:
-#
-# id-at-dnQualifier       AttributeType   ::=     {id-at 46}
-OID 2.5.4.46
-TAG id-at-dnQualifier
-EXPL "X.520 DN Qualifier"
-NAME NSS_OID_X520_DN_QUALIFIER
-ATTR "dnQualifier"
-
-OID 2.5.5
-TAG attribute-syntax
-EXPL "X.500 attribute syntaxes"
-
-OID 2.5.6
-TAG object-classes
-EXPL "X.500 standard object classes"
-
-OID 2.5.7
-TAG attribute-set
-EXPL "X.500 attribute sets"
-
-OID 2.5.8
-TAG algorithms
-EXPL "X.500-defined algorithms"
-
-OID 2.5.8.1 
-TAG encryption
-EXPL "X.500-defined encryption algorithms"
-
-OID 2.5.8.1.1 
-TAG rsa
-EXPL "RSA Encryption Algorithm"
-NAME NSS_OID_X500_RSA_ENCRYPTION
-CKM CKM_RSA_X_509
-
-OID 2.5.9
-TAG abstract-syntax
-EXPL "X.500 abstract syntaxes"
-
-OID 2.5.12
-TAG operational-attribute
-EXPL "DSA Operational Attributes"
-
-OID 2.5.13
-TAG matching-rule
-EXPL "Matching Rule"
-
-OID 2.5.14
-TAG knowledge-matching-rule
-EXPL "X.500 knowledge Matching Rules"
-
-OID 2.5.15
-TAG name-form
-EXPL "X.500 name forms"
-
-OID 2.5.16
-TAG group
-EXPL "X.500 groups"
-
-OID 2.5.17
-TAG subentry
-EXPL "X.500 subentry"
-
-OID 2.5.18
-TAG operational-attribute-type
-EXPL "X.500 operational attribute type"
-
-OID 2.5.19
-TAG operational-binding
-EXPL "X.500 operational binding"
-
-OID 2.5.20
-TAG schema-object-class
-EXPL "X.500 schema Object class"
-
-OID 2.5.21
-TAG schema-operational-attribute
-EXPL "X.500 schema operational attributes"
-
-OID 2.5.23
-TAG administrative-role
-EXPL "X.500 administrative roles"
-
-OID 2.5.24
-TAG access-control-attribute
-EXPL "X.500 access control attribute"
-
-OID 2.5.25
-TAG ros
-EXPL "X.500 ros object"
-
-OID 2.5.26
-TAG contract
-EXPL "X.500 contract"
-
-OID 2.5.27
-TAG package
-EXPL "X.500 package"
-
-OID 2.5.28
-TAG access-control-schema
-EXPL "X.500 access control schema"
-
-# RFC 2459:
-#
-# id-ce OBJECT IDENTIFIER  ::=  {joint-iso-ccitt(2) ds(5) 29}
-OID 2.5.29
-TAG id-ce
-EXPL "X.500 Certificate Extension"
-
-OID 2.5.29.5
-TAG subject-directory-attributes
-EXPL "Certificate Subject Directory Attributes"
-NAME NSS_OID_X509_SUBJECT_DIRECTORY_ATTR
-CERT_EXTENSION UNSUPPORTED
-
-# RFC 2459:
-#
-# id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::=  { id-ce 9 }
-OID 2.5.29.9
-TAG id-ce-subjectDirectoryAttributes
-EXPL "Certificate Subject Directory Attributes"
-NAME NSS_OID_X509_SUBJECT_DIRECTORY_ATTRIBUTES
-CERT_EXTENSION UNSUPPORTED
-
-# RFC 2459:
-#
-# id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 14 }
-OID 2.5.29.14
-TAG id-ce-subjectKeyIdentifier
-EXPL "Certificate Subject Key ID"
-NAME NSS_OID_X509_SUBJECT_KEY_ID
-CERT_EXTENSION SUPPORTED
-
-# RFC 2459:
-#
-# id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }
-OID 2.5.29.15
-TAG id-ce-keyUsage
-EXPL "Certificate Key Usage"
-NAME NSS_OID_X509_KEY_USAGE
-CERT_EXTENSION SUPPORTED
-# We called it PKCS12_KEY_USAGE
-
-# RFC 2459:
-#
-# id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::=  { id-ce 16 }
-OID 2.5.29.16
-TAG id-ce-privateKeyUsagePeriod
-EXPL "Certificate Private Key Usage Period"
-NAME NSS_OID_X509_PRIVATE_KEY_USAGE_PERIOD
-CERT_EXTENSION UNSUPPORTED
-
-# RFC 2459:
-#
-# id-ce-subjectAltName OBJECT IDENTIFIER ::=  { id-ce 17 }
-OID 2.5.29.17
-TAG id-ce-subjectAltName
-EXPL "Certificate Subject Alternate Name"
-NAME NSS_OID_X509_SUBJECT_ALT_NAME
-CERT_EXTENSION SUPPORTED
-
-# RFC 2459:
-#
-# id-ce-issuerAltName OBJECT IDENTIFIER ::=  { id-ce 18 }
-OID 2.5.29.18
-TAG id-ce-issuerAltName
-EXPL "Certificate Issuer Alternate Name"
-NAME NSS_OID_X509_ISSUER_ALT_NAME
-CERT_EXTENSION UNSUPPORTED
-
-# RFC 2459:
-#
-# id-ce-basicConstraints OBJECT IDENTIFIER ::=  { id-ce 19 }
-OID 2.5.29.19
-TAG id-ce-basicConstraints
-EXPL "Certificate Basic Constraints"
-NAME NSS_OID_X509_BASIC_CONSTRAINTS
-CERT_EXTENSION SUPPORTED
-
-# RFC 2459:
-#
-# id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }
-OID 2.5.29.20
-TAG id-ce-cRLNumber
-EXPL "CRL Number"
-NAME NSS_OID_X509_CRL_NUMBER
-CERT_EXTENSION SUPPORTED
-
-# RFC 2459:
-#
-# id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 }
-OID 2.5.29.21
-TAG id-ce-cRLReasons
-EXPL "CRL Reason Code"
-NAME NSS_OID_X509_REASON_CODE
-CERT_EXTENSION SUPPORTED
-
-# RFC 2459:
-#
-# id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 }
-OID 2.5.29.23
-TAG id-ce-holdInstructionCode
-EXPL "Hold Instruction Code"
-NAME NSS_OID_X509_HOLD_INSTRUCTION_CODE
-CERT_EXTENSION UNSUPPORTED
-
-# RFC 2459:
-#
-# id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 }
-OID 2.5.29.24
-TAG id-ce-invalidityDate
-EXPL "Invalid Date"
-NAME NSS_OID_X509_INVALID_DATE
-CERT_EXTENSION SUPPORTED
-
-# RFC 2459:
-#
-# id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 }
-OID 2.5.29.27
-TAG id-ce-deltaCRLIndicator
-EXPL "Delta CRL Indicator"
-NAME NSS_OID_X509_DELTA_CRL_INDICATOR
-CERT_EXTENSION UNSUPPORTED
-
-# RFC 2459:
-#
-# id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
-OID 2.5.29.28
-TAG id-ce-issuingDistributionPoint
-EXPL "Issuing Distribution Point"
-NAME NSS_OID_X509_ISSUING_DISTRIBUTION_POINT
-CERT_EXTENSION UNSUPPORTED
-
-# RFC 2459:
-#
-# id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 }
-OID 2.5.29.29
-TAG id-ce-certificateIssuer
-EXPL "Certificate Issuer"
-NAME NSS_OID_X509_CERTIFICATE_ISSUER
-CERT_EXTENSION UNSUPPORTED
-
-# RFC 2459:
-#
-# id-ce-nameConstraints OBJECT IDENTIFIER ::=  { id-ce 30 }
-OID 2.5.29.30
-TAG id-ce-nameConstraints
-EXPL "Certificate Name Constraints"
-NAME NSS_OID_X509_NAME_CONSTRAINTS
-CERT_EXTENSION SUPPORTED
-
-# RFC 2459:
-#
-# id-ce-cRLDistributionPoints     OBJECT IDENTIFIER  ::=  {id-ce 31}
-OID 2.5.29.31
-TAG id-ce-cRLDistributionPoints
-EXPL "CRL Distribution Points"
-NAME NSS_OID_X509_CRL_DIST_POINTS
-CERT_EXTENSION UNSUPPORTED
-
-# RFC 2459:
-#
-# id-ce-certificatePolicies OBJECT IDENTIFIER ::=  { id-ce 32 }
-OID 2.5.29.32
-TAG id-ce-certificatePolicies
-EXPL "Certificate Policies"
-NAME NSS_OID_X509_CERTIFICATE_POLICIES
-CERT_EXTENSION UNSUPPORTED
-
-# RFC 2459:
-#
-# id-ce-policyMappings OBJECT IDENTIFIER ::=  { id-ce 33 }
-OID 2.5.29.33
-TAG id-ce-policyMappings
-EXPL "Certificate Policy Mappings"
-NAME NSS_OID_X509_POLICY_MAPPINGS
-CERT_EXTENSION UNSUPPORTED
-
-OID 2.5.29.34
-TAG policy-constraints
-EXPL "Certificate Policy Constraints (old)"
-CERT_EXTENSION UNSUPPORTED
-
-# RFC 2459:
-#
-# id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 35 }
-OID 2.5.29.35
-TAG id-ce-authorityKeyIdentifier
-EXPL "Certificate Authority Key Identifier"
-NAME NSS_OID_X509_AUTH_KEY_ID
-CERT_EXTENSION SUPPORTED
-
-# RFC 2459:
-#
-# id-ce-policyConstraints OBJECT IDENTIFIER ::=  { id-ce 36 }
-OID 2.5.29.36
-TAG id-ce-policyConstraints
-EXPL "Certificate Policy Constraints"
-NAME NSS_OID_X509_POLICY_CONSTRAINTS
-CERT_EXTENSION SUPPORTED
-
-# RFC 2459:
-#
-# id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
-OID 2.5.29.37
-TAG id-ce-extKeyUsage
-EXPL "Extended Key Usage"
-NAME NSS_OID_X509_EXT_KEY_USAGE
-CERT_EXTENSION SUPPORTED
-
-OID 2.5.30
-TAG id-mgt
-EXPL "X.500 Management Object"
-
-OID 2.6
-TAG x400
-EXPL "X.400 MHS"
-
-OID 2.7
-TAG ccr
-EXPL "Committment, Concurrency and Recovery"
-
-OID 2.8
-TAG oda
-EXPL "Office Document Architecture"
-
-OID 2.9
-TAG osi-management
-EXPL "OSI management"
-
-OID 2.10
-TAG tp
-EXPL "Transaction Processing"
-
-OID 2.11
-TAG dor
-EXPL "Distinguished Object Reference"
-
-OID 2.12
-TAG rdt
-EXPL "Referenced Data Transfer"
-
-OID 2.13
-TAG nlm
-EXPL "Network Layer Management"
-
-OID 2.14
-TAG tlm
-EXPL "Transport Layer Management"
-
-OID 2.15
-TAG llm
-EXPL "Link Layer Management"
-
-OID 2.16
-TAG country
-EXPL "Country Assignments"
-
-OID 2.16.124 
-TAG canada
-EXPL "Canada"
-
-OID 2.16.158
-TAG taiwan
-EXPL "Taiwan"
-
-OID 2.16.578 
-TAG norway
-EXPL "Norway"
-
-OID 2.16.756 
-TAG switzerland
-EXPL "Switzerland"
-
-OID 2.16.840 
-TAG us
-EXPL "United States"
-
-OID 2.16.840.1 
-TAG us-company
-EXPL "United States Company"
-
-OID 2.16.840.1.101 
-TAG us-government
-EXPL "United States Government (1.101)"
-
-OID 2.16.840.1.101.2 
-TAG us-dod
-EXPL "United States Department of Defense"
-
-OID 2.16.840.1.101.2.1 
-TAG id-infosec
-EXPL "US DOD Infosec"
-
-OID 2.16.840.1.101.2.1.0 
-TAG id-modules
-EXPL "US DOD Infosec modules"
-
-OID 2.16.840.1.101.2.1.1 
-TAG id-algorithms
-EXPL "US DOD Infosec algorithms (MISSI)"
-
-OID 2.16.840.1.101.2.1.1.2  
-TAG old-dss
-EXPL "MISSI DSS Algorithm (Old)"
-NAME NSS_OID_MISSI_DSS_OLD
-
-# This is labeled as "### mwelch temporary"
-# Is it official?? XXX fgmr
-OID 2.16.840.1.101.2.1.1.4
-TAG skipjack-cbc-64
-EXPL "Skipjack CBC64"
-NAME NSS_OID_FORTEZZA_SKIPJACK
-CKM CKM_SKIPJACK_CBC64
-
-OID 2.16.840.1.101.2.1.1.10
-TAG kea
-EXPL "MISSI KEA Algorithm"
-NAME NSS_OID_MISSI_KEA
-
-OID 2.16.840.1.101.2.1.1.12
-TAG old-kea-dss
-EXPL "MISSI KEA and DSS Algorithm (Old)"
-NAME NSS_OID_MISSI_KEA_DSS_OLD
-
-OID 2.16.840.1.101.2.1.1.19
-TAG dss
-EXPL "MISSI DSS Algorithm"
-NAME NSS_OID_MISSI_DSS
-
-OID 2.16.840.1.101.2.1.1.20
-TAG kea-dss
-EXPL "MISSI KEA and DSS Algorithm"
-NAME NSS_OID_MISSI_KEA_DSS
-
-OID 2.16.840.1.101.2.1.1.22
-TAG alt-kea
-EXPL "MISSI Alternate KEA Algorithm"
-NAME NSS_OID_MISSI_ALT_KEY
-
-OID 2.16.840.1.101.2.1.2 
-TAG id-formats
-EXPL "US DOD Infosec formats"
-
-OID 2.16.840.1.101.2.1.3 
-TAG id-policy
-EXPL "US DOD Infosec policy"
-
-OID 2.16.840.1.101.2.1.4 
-TAG id-object-classes
-EXPL "US DOD Infosec object classes"
-
-OID 2.16.840.1.101.2.1.5 
-TAG id-attributes
-EXPL "US DOD Infosec attributes"
-
-OID 2.16.840.1.101.2.1.6 
-TAG id-attribute-syntax
-EXPL "US DOD Infosec attribute syntax"
-
-OID 2.16.840.1.113730 
-# The Netscape OID space
-TAG netscape
-EXPL "Netscape Communications Corp."
-
-OID 2.16.840.1.113730.1
-TAG cert-ext
-EXPL "Netscape Cert Extensions"
-
-OID 2.16.840.1.113730.1.1
-TAG cert-type
-EXPL "Certificate Type"
-NAME NSS_OID_NS_CERT_EXT_CERT_TYPE
-CERT_EXTENSION SUPPORTED
-
-OID 2.16.840.1.113730.1.2
-TAG base-url
-EXPL "Certificate Extension Base URL"
-NAME NSS_OID_NS_CERT_EXT_BASE_URL
-CERT_EXTENSION SUPPORTED
-
-OID 2.16.840.1.113730.1.3
-TAG revocation-url
-EXPL "Certificate Revocation URL"
-NAME NSS_OID_NS_CERT_EXT_REVOCATION_URL
-CERT_EXTENSION SUPPORTED
-
-OID 2.16.840.1.113730.1.4
-TAG ca-revocation-url
-EXPL "Certificate Authority Revocation URL"
-NAME NSS_OID_NS_CERT_EXT_CA_REVOCATION_URL
-CERT_EXTENSION SUPPORTED
-
-OID 2.16.840.1.113730.1.5
-TAG ca-crl-download-url
-EXPL "Certificate Authority CRL Download URL"
-NAME NSS_OID_NS_CERT_EXT_CA_CRL_URL
-CERT_EXTENSION UNSUPPORTED
-
-OID 2.16.840.1.113730.1.6
-TAG ca-cert-url
-EXPL "Certificate Authority Certificate Download URL"
-NAME NSS_OID_NS_CERT_EXT_CA_CERT_URL
-CERT_EXTENSION UNSUPPORTED
-
-OID 2.16.840.1.113730.1.7
-TAG renewal-url
-EXPL "Certificate Renewal URL"
-NAME NSS_OID_NS_CERT_EXT_CERT_RENEWAL_URL
-CERT_EXTENSION SUPPORTED
-
-OID 2.16.840.1.113730.1.8
-TAG ca-policy-url
-EXPL "Certificate Authority Policy URL"
-NAME NSS_OID_NS_CERT_EXT_CA_POLICY_URL
-CERT_EXTENSION SUPPORTED
-
-OID 2.16.840.1.113730.1.9
-TAG homepage-url
-EXPL "Certificate Homepage URL"
-NAME NSS_OID_NS_CERT_EXT_HOMEPAGE_URL
-CERT_EXTENSION UNSUPPORTED
-
-OID 2.16.840.1.113730.1.10
-TAG entity-logo
-EXPL "Certificate Entity Logo"
-NAME NSS_OID_NS_CERT_EXT_ENTITY_LOGO
-CERT_EXTENSION UNSUPPORTED
-
-OID 2.16.840.1.113730.1.11
-TAG user-picture
-EXPL "Certificate User Picture"
-NAME NSS_OID_NS_CERT_EXT_USER_PICTURE
-CERT_EXTENSION UNSUPPORTED
-
-OID 2.16.840.1.113730.1.12
-TAG ssl-server-name
-EXPL "Certificate SSL Server Name"
-NAME NSS_OID_NS_CERT_EXT_SSL_SERVER_NAME
-CERT_EXTENSION SUPPORTED
-
-OID 2.16.840.1.113730.1.13
-TAG comment
-EXPL "Certificate Comment"
-NAME NSS_OID_NS_CERT_EXT_COMMENT
-CERT_EXTENSION SUPPORTED
-
-OID 2.16.840.1.113730.1.14
-TAG thayes
-EXPL ""
-NAME NSS_OID_NS_CERT_EXT_THAYES
-CERT_EXTENSION SUPPORTED
-
-OID 2.16.840.1.113730.2
-TAG data-type
-EXPL "Netscape Data Types"
-
-OID 2.16.840.1.113730.2.1 
-TAG gif
-EXPL "image/gif"
-NAME NSS_OID_NS_TYPE_GIF
-
-OID 2.16.840.1.113730.2.2 
-TAG jpeg
-EXPL "image/jpeg"
-NAME NSS_OID_NS_TYPE_JPEG
-
-OID 2.16.840.1.113730.2.3 
-TAG url
-EXPL "URL"
-NAME NSS_OID_NS_TYPE_URL
-
-OID 2.16.840.1.113730.2.4 
-TAG html
-EXPL "text/html"
-NAME NSS_OID_NS_TYPE_HTML
-
-OID 2.16.840.1.113730.2.5 
-TAG cert-sequence
-EXPL "Certificate Sequence"
-NAME NSS_OID_NS_TYPE_CERT_SEQUENCE
-
-OID 2.16.840.1.113730.3
-# The Netscape Directory OID space
-TAG directory
-EXPL "Netscape Directory"
-
-OID 2.16.840.1.113730.4
-TAG policy
-EXPL "Netscape Policy Type OIDs"
-
-OID 2.16.840.1.113730.4.1
-TAG export-approved
-EXPL "Strong Crypto Export Approved"
-NAME NSS_OID_NS_KEY_USAGE_GOVT_APPROVED
-CERT_EXTENSION UNSUPPORTED
-
-OID 2.16.840.1.113730.5
-TAG cert-server
-EXPL "Netscape Certificate Server"
-
-OID 2.16.840.1.113730.5.1
-
-OID 2.16.840.1.113730.5.1.1
-TAG recovery-request
-EXPL "Netscape Cert Server Recovery Request"
-NAME NSS_OID_NETSCAPE_RECOVERY_REQUEST
-
-OID 2.16.840.1.113730.6
-TAG algs
-EXPL "Netscape algorithm OIDs"
-
-OID 2.16.840.1.113730.6.1
-TAG smime-kea
-EXPL "Netscape S/MIME KEA"
-NAME NSS_OID_NETSCAPE_SMIME_KEA
-
-OID 2.16.840.1.113730.7
-TAG name-components
-EXPL "Netscape Name Components"
-
-OID 2.16.840.1.113730.7.1
-TAG nickname
-EXPL "Netscape Nickname"
-NAME NSS_OID_NETSCAPE_NICKNAME
-
-OID 2.16.840.1.113733 
-TAG verisign
-EXPL "Verisign"
-
-OID 2.16.840.1.113733.1
-
-OID 2.16.840.1.113733.1.7
-
-OID 2.16.840.1.113733.1.7.1
-
-OID 2.16.840.1.113733.1.7.1.1
-TAG verisign-user-notices
-EXPL "Verisign User Notices"
-NAME NSS_OID_VERISIGN_USER_NOTICES
-
-OID 2.16.840.101 
-TAG us-government
-EXPL "US Government (101)"
-
-OID 2.16.840.102 
-TAG us-government2
-EXPL "US Government (102)"
- 
-OID 2.16.840.11370 
-TAG old-netscape
-EXPL "Netscape Communications Corp. (Old)"
-
-OID 2.16.840.11370.1 
-TAG ns-cert-ext
-EXPL "Netscape Cert Extensions (Old NS)"
-
-OID 2.16.840.11370.1.1 
-TAG netscape-ok
-EXPL "Netscape says this cert is ok (Old NS)"
-NAME NSS_OID_NS_CERT_EXT_NETSCAPE_OK
-CERT_EXTENSION UNSUPPORTED
-
-OID 2.16.840.11370.1.2
-TAG issuer-logo
-EXPL "Certificate Issuer Logo (Old NS)"
-NAME NSS_OID_NS_CERT_EXT_ISSUER_LOGO
-CERT_EXTENSION UNSUPPORTED
-
-OID 2.16.840.11370.1.3
-TAG subject-logo
-EXPL "Certificate Subject Logo (Old NS)"
-NAME NSS_OID_NS_CERT_EXT_SUBJECT_LOGO
-CERT_EXTENSION UNSUPPORTED
-
-OID 2.16.840.11370.2 
-TAG ns-file-type
-EXPL "Netscape File Type"
-
-OID 2.16.840.11370.3 
-TAG ns-image-type
-EXPL "Netscape Image Type"
-
-OID 2.17
-TAG registration-procedures
-EXPL "Registration procedures"
-
-OID 2.18
-TAG physical-layer-management
-EXPL "Physical layer Management"
-
-OID 2.19
-TAG mheg
-EXPL "MHEG"
-
-OID 2.20
-TAG guls
-EXPL "Generic Upper Layer Security"
-
-OID 2.21
-TAG tls
-EXPL "Transport Layer Security Protocol"
-
-OID 2.22
-TAG nls
-EXPL "Network Layer Security Protocol"
-
-OID 2.23
-TAG organization
-EXPL "International organizations"
diff --git a/security/nss/lib/pki1/pki1.h b/security/nss/lib/pki1/pki1.h
deleted file mode 100644
index c0f8b75c0..000000000
--- a/security/nss/lib/pki1/pki1.h
+++ /dev/null
@@ -1,3037 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef PKI1_H
-#define PKI1_H
-
-#ifdef DEBUG
-static const char PKI1_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * pki1.h
- *
- * This file contains the prototypes to the non-public NSS routines
- * relating to the PKIX part-1 objects.
- */
-
-#ifndef PKI1T_H
-#include "pki1t.h"
-#endif /* PKI1T_H */
-
-#ifndef NSSPKI1_H
-#include "nsspki1.h"
-#endif /* NSSPKI1_H */
-
-PR_BEGIN_EXTERN_C
-
-extern const NSSOID nss_builtin_oids[];
-extern const PRUint32 nss_builtin_oid_count;
-
-extern const nssAttributeTypeAliasTable nss_attribute_type_aliases[];
-extern const PRUint32 nss_attribute_type_alias_count;
-
-/*
- * NSSOID
- *
- * The non-public "methods" regarding this "object" are:
- *
- *  nssOID_CreateFromBER   -- constructor
- *  nssOID_CreateFromUTF8  -- constructor
- *  (there is no explicit destructor)
- * 
- *  nssOID_GetDEREncoding
- *  nssOID_GetUTF8Encoding
- *
- * In debug builds, the following non-public calls are also available:
- *
- *  nssOID_verifyPointer
- *  nssOID_getExplanation
- *  nssOID_getTaggedUTF8
- */
-
-/*
- * nssOID_CreateFromBER
- *
- * This routine creates an NSSOID by decoding a BER- or DER-encoded
- * OID.  It may return NSS_OID_UNKNOWN upon error, in which case it 
- * will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_BER
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NSS_OID_UNKNOWN upon error
- *  An NSSOID upon success
- */
-
-NSS_EXTERN NSSOID *
-nssOID_CreateFromBER
-(
-  NSSBER *berOid
-);
-
-extern const NSSError NSS_ERROR_INVALID_BER;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * nssOID_CreateFromUTF8
- *
- * This routine creates an NSSOID by decoding a UTF8 string 
- * representation of an OID in dotted-number format.  The string may 
- * optionally begin with an octothorpe.  It may return NSS_OID_UNKNOWN
- * upon error, in which case it will have set an error on the error 
- * stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_UTF8
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NSS_OID_UNKNOWN upon error
- *  An NSSOID upon success
- */
-
-NSS_EXTERN NSSOID *
-nssOID_CreateFromUTF8
-(
-  NSSUTF8 *stringOid
-);
-
-extern const NSSError NSS_ERROR_INVALID_UTF8;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-
-/*
- * nssOID_GetDEREncoding
- *
- * This routine returns the DER encoding of the specified NSSOID.
- * If the optional arena argument is non-null, the memory used will
- * be obtained from that arena; otherwise, the memory will be obtained
- * from the heap.  This routine may return return null upon error, in 
- * which case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NSSOID
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  The DER encoding of this NSSOID
- */
-
-NSS_EXTERN NSSDER *
-nssOID_GetDEREncoding
-(
-  const NSSOID *oid,
-  NSSDER *rvOpt,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssOID_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing the dotted-number 
- * encoding of the specified NSSOID.  If the optional arena argument 
- * is non-null, the memory used will be obtained from that arena; 
- * otherwise, the memory will be obtained from the heap.  This routine
- * may return null upon error, in which case it will have set an error
- * on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NSSOID
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 string containing the dotted-digit encoding of 
- *      this NSSOID
- */
-
-NSS_EXTERN NSSUTF8 *
-nssOID_GetUTF8Encoding
-(
-  const NSSOID *oid,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssOID_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid poitner to an NSSOID object, 
- * this routine will return PR_SUCCESS.  Otherwise, it will put an 
- * error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NSSOID
- *
- * Return value:
- *  PR_SUCCESS if the pointer is valid
- *  PR_FAILURE if it isn't
- */
-
-#ifdef DEBUG
-NSS_EXTERN PRStatus
-nssOID_verifyPointer
-(
-  const NSSOID *oid
-);
-
-extern const NSSError NSS_ERROR_INVALID_NSSOID;
-#endif /* DEBUG */
-
-/*
- * nssOID_getExplanation
- *
- * This method is only present in debug builds.
- *
- * This routine will return a static pointer to a UTF8-encoded string
- * describing (in English) the specified OID.  The memory pointed to
- * by the return value is not owned by the caller, and should not be
- * freed or modified.  Note that explanations are only provided for
- * the OIDs built into the NSS library; there is no way to specify an
- * explanation for dynamically created OIDs.  This routine is intended
- * only for use in debugging tools such as "derdump."  This routine
- * may return null upon error, in which case it will have placed an
- * error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NSSOID
- *
- * Return value:
- *  NULL upon error
- *  A static pointer to a readonly, non-caller-owned UTF8-encoded
- *    string explaining the specified OID.
- */
-
-#ifdef DEBUG
-NSS_EXTERN const NSSUTF8 *
-nssOID_getExplanation
-(
-  NSSOID *oid
-);
-
-extern const NSSError NSS_ERROR_INVALID_NSSOID;
-#endif /* DEBUG */
-
-/*
- * nssOID_getTaggedUTF8
- *
- * This method is only present in debug builds.
- *
- * This routine will return a pointer to a caller-owned UTF8-encoded
- * string containing a tagged encoding of the specified OID.  Note
- * that OID (component) tags are only provided for the OIDs built 
- * into the NSS library; there is no way to specify tags for 
- * dynamically created OIDs.  This routine is intended for use in
- * debugging tools such as "derdump."   If the optional arena argument
- * is non-null, the memory used will be obtained from that arena; 
- * otherwise, the memory will be obtained from the heap.  This routine 
- * may return return null upon error, in which case it will have set 
- * an error on the error stack.
- *
- * The error may be one of the following values
- *  NSS_ERROR_INVALID_NSSOID
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 string containing the tagged encoding of
- *      this NSSOID
- */
-
-#ifdef DEBUG
-NSS_EXTERN NSSUTF8 *
-nssOID_getTaggedUTF8
-(
-  NSSOID *oid,
-  NSSArena *arenaOpt
-);
-
-extern const NSSError NSS_ERROR_INVALID_NSSOID;
-extern const NSSError NSS_ERROR_NO_MEMORY;
-#endif /* DEBUG */
-
-/*
- * NSSATAV
- *
- * The non-public "methods" regarding this "object" are:
- *
- *  nssATAV_CreateFromBER   -- constructor
- *  nssATAV_CreateFromUTF8  -- constructor
- *  nssATAV_Create          -- constructor
- *
- *  nssATAV_Destroy
- *  nssATAV_GetDEREncoding
- *  nssATAV_GetUTF8Encoding
- *  nssATAV_GetType
- *  nssATAV_GetValue
- *  nssATAV_Compare
- *  nssATAV_Duplicate
- *
- * In debug builds, the following non-public call is also available:
- *
- *  nssATAV_verifyPointer
- */
-
-/*
- * nssATAV_CreateFromBER
- * 
- * This routine creates an NSSATAV by decoding a BER- or DER-encoded
- * ATAV.  If the optional arena argument is non-null, the memory used 
- * will be obtained from that arena; otherwise, the memory will be 
- * obtained from the heap.  This routine may return NULL upon error, 
- * in which case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_BER
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSATAV upon success
- */
-
-NSS_EXTERN NSSATAV *
-nssATAV_CreateFromBER
-(
-  NSSArena *arenaOpt,
-  const NSSBER *berATAV
-);
-
-/*
- * nssATAV_CreateFromUTF8
- *
- * This routine creates an NSSATAV by decoding a UTF8 string in the
- * "equals" format, e.g., "c=US."  If the optional arena argument is 
- * non-null, the memory used will be obtained from that arena; 
- * otherwise, the memory will be obtained from the heap.  This routine
- * may return NULL upon error, in which case it will have set an error 
- * on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_UNKNOWN_ATTRIBUTE
- *  NSS_ERROR_INVALID_UTF8
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSATAV upon success
- */
-
-NSS_EXTERN NSSATAV *
-nssATAV_CreateFromUTF8
-(
-  NSSArena *arenaOpt,
-  const NSSUTF8 *stringATAV
-);
-
-/*
- * nssATAV_Create
- *
- * This routine creates an NSSATAV from the specified NSSOID and the
- * specified data. If the optional arena argument is non-null, the 
- * memory used will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap.If the specified data length is zero, 
- * the data is assumed to be terminated by first zero byte; this allows 
- * UTF8 strings to be easily specified.  This routine may return NULL 
- * upon error, in which case it will have set an error on the error 
- * stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ARENA
- *  NSS_ERROR_INVALID_NSSOID
- *  NSS_ERROR_INVALID_POINTER
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSATAV upon success
- */
-
-NSS_EXTERN NSSATAV *
-nssATAV_Create
-(
-  NSSArena *arenaOpt,
-  const NSSOID *oid,
-  const void *data,
-  PRUint32 length
-);
-
-/*
- * nssATAV_Destroy
- *
- * This routine will destroy an ATAV object.  It should eventually be
- * called on all ATAVs created without an arena.  While it is not 
- * necessary to call it on ATAVs created within an arena, it is not an
- * error to do so.  This routine returns a PRStatus value; if
- * successful, it will return PR_SUCCESS.  If unsuccessful, it will
- * set an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ATAV
- *  
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssATAV_Destroy
-(
-  NSSATAV *atav
-);
-
-/*
- * nssATAV_GetDEREncoding
- *
- * This routine will DER-encode an ATAV object. If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap.  This
- * routine may return null upon error, in which case it will have set
- * an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ATAV
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  The DER encoding of this NSSATAV
- */
-
-NSS_EXTERN NSSDER *
-nssATAV_GetDEREncoding
-(
-  NSSATAV *atav,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssATAV_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing a string 
- * representation of the ATAV in "equals" notation (e.g., "o=Acme").  
- * If the optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained 
- * from the heap.  This routine may return null upon error, in which 
- * case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ATAV
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 string containing the "equals" encoding of the 
- *      ATAV
- */
-
-NSS_EXTERN NSSUTF8 *
-nssATAV_GetUTF8Encoding
-(
-  NSSATAV *atav,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssATAV_GetType
- *
- * This routine returns the NSSOID corresponding to the attribute type
- * in the specified ATAV.  This routine may return NSS_OID_UNKNOWN 
- * upon error, in which case it will have set an error on the error
- * stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- *  NSS_OID_UNKNOWN upon error
- *  An element of enum NSSOIDenum upon success
- */
-
-NSS_EXTERN const NSSOID *
-nssATAV_GetType
-(
-  NSSATAV *atav
-);
-
-/*
- * nssATAV_GetValue
- *
- * This routine returns a string containing the attribute value
- * in the specified ATAV.  If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise, the
- * memory will be obtained from the heap.  This routine may return
- * NULL upon error, in which case it will have set an error upon the
- * error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ATAV
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSItem containing the attribute value.
- */
-
-NSS_EXTERN NSSUTF8 *
-nssATAV_GetValue
-(
-  NSSATAV *atav,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssATAV_Compare
- *
- * This routine compares two ATAVs for equality.  For two ATAVs to be
- * equal, the attribute types must be the same, and the attribute 
- * values must have equal length and contents.  The result of the 
- * comparison will be stored at the location pointed to by the "equalp"
- * variable, which must point to a valid PRBool.  This routine may 
- * return PR_FAILURE upon error, in which case it will have set an 
- * error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ATAV
- *  NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- *  PR_FAILURE on error
- *  PR_SUCCESS upon a successful comparison (equal or not)
- */
-
-NSS_EXTERN PRStatus
-nssATAV_Compare
-(
-  NSSATAV *atav1,
-  NSSATAV *atav2,
-  PRBool *equalp
-);
-
-/*
- * nssATAV_Duplicate
- *
- * This routine duplicates the specified ATAV.  If the optional arena 
- * argument is non-null, the memory required will be obtained from
- * that arena; otherwise, the memory will be obtained from the heap.  
- * This routine may return NULL upon error, in which case it will have 
- * placed an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_ATAV
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL on error
- *  A pointer to a new ATAV
- */
-
-NSS_EXTERN NSSATAV *
-nssATAV_Duplicate
-(
-  NSSATAV *atav,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssATAV_verifyPointer
- *
- * This method is only present in debug builds.
- *
- * If the specified pointer is a valid pointer to an NSSATAV object,
- * this routine will return PR_SUCCESS.  Otherwise, it will put an
- * error on the error stack and return PR_FAILRUE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NSSATAV
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  PR_SUCCESS if the pointer is valid
- *  PR_FAILURE if it isn't
- */
-
-#ifdef DEBUG
-NSS_EXTERN PRStatus
-nssATAV_verifyPointer
-(
-  NSSATAV *atav
-);
-#endif /* DEBUG */
-
-/*
- * NSSRDN
- *
- * The non-public "methods" regarding this "object" are:
- *
- *  nssRDN_CreateFromBER   -- constructor
- *  nssRDN_CreateFromUTF8  -- constructor
- *  nssRDN_Create          -- constructor
- *  nssRDN_CreateSimple    -- constructor
- *
- *  nssRDN_Destroy
- *  nssRDN_GetDEREncoding
- *  nssRDN_GetUTF8Encoding
- *  nssRDN_AddATAV
- *  nssRDN_GetATAVCount
- *  nssRDN_GetATAV
- *  nssRDN_GetSimpleATAV
- *  nssRDN_Compare
- *  nssRDN_Duplicate
- */
-
-/*
- * nssRDN_CreateFromBER
- *
- * This routine creates an NSSRDN by decoding a BER- or DER-encoded 
- * RDN.  If the optional arena argument is non-null, the memory used 
- * will be obtained from that arena; otherwise, the memory will be 
- * obtained from the heap.  This routine may return NULL upon error, 
- * in which case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_BER
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSRDN upon success
- */
-
-NSS_EXTERN NSSRDN *
-nssRDN_CreateFromBER
-(
-  NSSArena *arenaOpt,
-  NSSBER *berRDN
-);
-
-/*
- * nssRDN_CreateFromUTF8
- *
- * This routine creates an NSSRDN by decoding an UTF8 string 
- * consisting of either a single ATAV in the "equals" format, e.g., 
- * "uid=smith," or one or more such ATAVs in parentheses, e.g., 
- * "(sn=Smith,ou=Sales)."  If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise, the
- * memory will be obtained from the heap.  This routine may return
- * NULL upon error, in which case it will have set an error on the
- * error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_UNKNOWN_ATTRIBUTE
- *  NSS_ERROR_INVALID_UTF8
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSRDN upon success
- */
-
-NSS_EXTERN NSSRDN *
-nssRDN_CreateFromUTF8
-(
-  NSSArena *arenaOpt,
-  NSSUTF8 *stringRDN
-);
-
-/*
- * nssRDN_Create
- *
- * This routine creates an NSSRDN from one or more NSSATAVs.  The
- * final argument to this routine must be NULL.  If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap.  This
- * routine may return NULL upon error, in which case it will have set
- * an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSRDN upon success
- */
-
-NSS_EXTERN NSSRDN *
-nssRDN_Create
-(
-  NSSArena *arenaOpt,
-  NSSATAV *atav1,
-  ...
-);
-
-/*
- * nssRDN_CreateSimple
- *
- * This routine creates a simple NSSRDN from a single NSSATAV.  If the
- * optional arena argument is non-null, the memory used will be 
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap.  This routine may return NULL upon error, in which
- * case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_INVALID_ATAV
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSRDN upon success
- */
-
-NSS_EXTERN NSSRDN *
-nssRDN_CreateSimple
-(
-  NSSArena *arenaOpt,
-  NSSATAV *atav
-);
-
-/*
- * nssRDN_Destroy
- *
- * This routine will destroy an RDN object.  It should eventually be
- * called on all RDNs created without an arena.  While it is not 
- * necessary to call it on RDNs created within an arena, it is not an
- * error to do so.  This routine returns a PRStatus value; if
- * successful, it will return PR_SUCCESS.  If unsuccessful, it will 
- * set an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDN
- *
- * Return value:
- *  PR_FAILURE upon failure
- *  PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssRDN_Destroy
-(
-  NSSRDN *rdn
-);
-
-/*
- * nssRDN_GetDEREncoding
- *
- * This routine will DER-encode an RDN object.  If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap.  This
- * routine may return null upon error, in which case it will have set
- * an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDN
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  The DER encoding of this NSSRDN
- */
-
-NSS_EXTERN NSSDER *
-nssRDN_GetDEREncoding
-(
-  NSSRDN *rdn,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssRDN_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing a string 
- * representation of the RDN.  A simple (one-ATAV) RDN will be simply
- * the string representation of that ATAV; a non-simple RDN will be in
- * parenthesised form.  If the optional arena argument is non-null, 
- * the memory used will be obtained from that arena; otherwise, the 
- * memory will be obtained from the heap.  This routine may return 
- * null upon error, in which case it will have set an error on the 
- * error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDN
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 string
- */
-
-NSS_EXTERN NSSUTF8 *
-nssRDN_GetUTF8Encoding
-(
-  NSSRDN *rdn,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssRDN_AddATAV
- *
- * This routine adds an ATAV to the set of ATAVs in the specified RDN.
- * Remember that RDNs consist of an unordered set of ATAVs.  If the
- * RDN was created with a non-null arena argument, that same arena
- * will be used for any additional required memory.  If the RDN was 
- * created with a NULL arena argument, any additional memory will
- * be obtained from the heap.  This routine returns a PRStatus value;
- * it will return PR_SUCCESS upon success, and upon failure it will
- * set an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDN
- *  NSS_ERROR_INVALID_ATAV
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  PR_SUCCESS upon success
- *  PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssRDN_AddATAV
-(
-  NSSRDN *rdn,
-  NSSATAV *atav
-);
-
-/*
- * nssRDN_GetATAVCount
- *
- * This routine returns the cardinality of the set of ATAVs within
- * the specified RDN.  This routine may return 0 upon error, in which 
- * case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDN
- *
- * Return value:
- *  0 upon error
- *  A positive number upon success
- */
-
-NSS_EXTERN PRUint32
-nssRDN_GetATAVCount
-(
-  NSSRDN *rdn
-);
-
-/*
- * nssRDN_GetATAV
- *
- * This routine returns a pointer to an ATAV that is a member of
- * the set of ATAVs within the specified RDN.  While the set of
- * ATAVs within an RDN is unordered, this routine will return
- * distinct values for distinct values of 'i' as long as the RDN
- * is not changed in any way.  The RDN may be changed by calling
- * NSSRDN_AddATAV.  The value of the variable 'i' is on the range
- * [0,c) where c is the cardinality returned from NSSRDN_GetATAVCount.
- * The caller owns the ATAV the pointer to which is returned.  If the
- * optional arena argument is non-null, the memory used will be 
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap.  This routine may return NULL upon error, in which 
- * case it will have set an error upon the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDN
- *  NSS_ERROR_VALUE_OUT_OF_RANGE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer to an NSSATAV
- */
-
-NSS_EXTERN NSSATAV *
-nssRDN_GetATAV
-(
-  NSSRDN *rdn,
-  NSSArena *arenaOpt,
-  PRUint32 i
-);
-
-/*
- * nssRDN_GetSimpleATAV
- *
- * Most RDNs are actually very simple, with a single ATAV.  This 
- * routine will return the single ATAV from such an RDN.  The caller
- * owns the ATAV the pointer to which is returned.  If the optional
- * arena argument is non-null, the memory used will be obtained from
- * that arena; otherwise, the memory will be obtained from the heap.
- * This routine may return NULL upon error, including the case where
- * the set of ATAVs in the RDN is nonsingular.  Upon error, this
- * routine will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDN
- *  NSS_ERROR_RDN_NOT_SIMPLE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer to an NSSATAV
- */
-
-NSS_EXTERN NSSATAV *
-nssRDN_GetSimpleATAV
-(
-  NSSRDN *rdn,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssRDN_Compare
- *
- * This routine compares two RDNs for equality.  For two RDNs to be
- * equal, they must have the same number of ATAVs, and every ATAV in
- * one must be equal to an ATAV in the other.  (Note that the sets
- * of ATAVs are unordered.)  The result of the comparison will be
- * stored at the location pointed to by the "equalp" variable, which
- * must point to a valid PRBool.  This routine may return PR_FAILURE
- * upon error, in which case it will have set an error on the error
- * stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDN
- *  NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- *  PR_FAILURE on error
- *  PR_SUCCESS upon a successful comparison (equal or not)
- */
-
-NSS_EXTERN PRStatus
-nssRDN_Compare
-(
-  NSSRDN *rdn1,
-  NSSRDN *rdn2,
-  PRBool *equalp
-);
-
-/*
- * nssRDN_Duplicate
- *
- * This routine duplicates the specified RDN.  If the optional arena
- * argument is non-null, the memory required will be obtained from
- * that arena; otherwise, the memory will be obtained from the heap.
- * This routine may return NULL upon error, in which case it will have
- * placed an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDN
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL on error
- *  A pointer to a new RDN
- */
-
-NSS_EXTERN NSSRDN *
-nssRDN_Duplicate
-(
-  NSSRDN *rdn,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSRDNSeq
- *
- * The non-public "methods" regarding this "object" are:
- *
- *  nssRDNSeq_CreateFromBER   -- constructor
- *  nssRDNSeq_CreateFromUTF8  -- constructor
- *  nssRDNSeq_Create          -- constructor
- *
- *  nssRDNSeq_Destroy
- *  nssRDNSeq_GetDEREncoding
- *  nssRDNSeq_GetUTF8Encoding
- *  nssRDNSeq_AppendRDN
- *  nssRDNSeq_GetRDNCount
- *  nssRDNSeq_GetRDN
- *  nssRDNSeq_Compare
- *  nssRDNSeq_Duplicate
- *
- *  nssRDNSeq_EvaluateUTF8 -- not an object method
- */
-
-/*
- * nssRDNSeq_CreateFromBER
- *
- * This routine creates an NSSRDNSeq by decoding a BER- or DER-encoded 
- * sequence of RDNs.  If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise, the
- * memory will be obtained from the heap.  This routine may return 
- * NULL upon error, in which case it will have set an error on the
- * error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_BER
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSRDNSeq upon success
- */
-
-NSS_EXTERN NSSRDNSeq *
-nssRDNSeq_CreateFromBER
-(
-  NSSArena *arenaOpt,
-  NSSBER *berRDNSeq
-);
-
-/*
- * nssRDNSeq_CreateFromUTF8
- *
- * This routine creates an NSSRDNSeq by decoding a UTF8 string
- * consisting of a comma-separated sequence of RDNs, such as
- * "(sn=Smith,ou=Sales),o=Acme,c=US."  If the optional arena argument
- * is non-null, the memory used will be obtained from that arena; 
- * otherwise, the memory will be obtained from the heap.  This routine
- * may return NULL upon error, in which case it will have set an error
- * on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_UNKNOWN_ATTRIBUTE
- *  NSS_ERROR_INVALID_UTF8
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSRDNSeq upon success
- */
-
-NSS_EXTERN NSSRDNSeq *
-nssRDNSeq_CreateFromUTF8
-(
-  NSSArena *arenaOpt,
-  NSSUTF8 *stringRDNSeq
-);
-
-/*
- * nssRDNSeq_Create
- *
- * This routine creates an NSSRDNSeq from one or more NSSRDNs.  The
- * final argument to this routine must be NULL.  If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap.  This
- * routine may return NULL upon error, in which case it will have set
- * an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_INVALID_RDN
- *
- * Return value:
- *  NULL upon error
- *  A pointero to an NSSRDNSeq upon success
- */
-
-NSS_EXTERN NSSRDNSeq *
-nssRDNSeq_Create
-(
-  NSSArena *arenaOpt,
-  NSSRDN *rdn1,
-  ...
-);
-
-/*
- * nssRDNSeq_Destroy
- *
- * This routine will destroy an RDNSeq object.  It should eventually 
- * be called on all RDNSeqs created without an arena.  While it is not
- * necessary to call it on RDNSeqs created within an arena, it is not
- * an error to do so.  This routine returns a PRStatus value; if
- * successful, it will return PR_SUCCESS.  If unsuccessful, it will
- * set an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDNSEQ
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssRDNSeq_Destroy
-(
-  NSSRDNSeq *rdnseq
-);
-
-/*
- * nssRDNSeq_GetDEREncoding
- *
- * This routine will DER-encode an RDNSeq object.  If the optional 
- * arena argument is non-null, the memory used will be obtained from
- * that arena; otherwise, the memory will be obtained from the heap.
- * This routine may return null upon error, in which case it will have
- * set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDNSEQ
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  The DER encoding of this NSSRDNSeq
- */
-
-NSS_EXTERN NSSDER *
-nssRDNSeq_GetDEREncoding
-(
-  NSSRDNSeq *rdnseq,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssRDNSeq_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing a string 
- * representation of the RDNSeq as a comma-separated sequence of RDNs.  
- * If the optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained 
- * from the heap.  This routine may return null upon error, in which 
- * case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDNSEQ
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to the UTF8 string
- */
-
-NSS_EXTERN NSSUTF8 *
-nssRDNSeq_GetUTF8Encoding
-(
-  NSSRDNSeq *rdnseq,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssRDNSeq_AppendRDN
- *
- * This routine appends an RDN to the end of the existing RDN 
- * sequence.  If the RDNSeq was created with a non-null arena 
- * argument, that same arena will be used for any additional required
- * memory.  If the RDNSeq was created with a NULL arena argument, any
- * additional memory will be obtained from the heap.  This routine
- * returns a PRStatus value; it will return PR_SUCCESS upon success,
- * and upon failure it will set an error on the error stack and return
- * PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDNSEQ
- *  NSS_ERROR_INVALID_RDN
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  PR_SUCCESS upon success
- *  PR_FAILURE upon failure
- */
-
-NSS_EXTERN PRStatus
-nssRDNSeq_AppendRDN
-(
-  NSSRDNSeq *rdnseq,
-  NSSRDN *rdn
-);
-
-/*
- * nssRDNSeq_GetRDNCount
- *
- * This routine returns the cardinality of the sequence of RDNs within
- * the specified RDNSeq.  This routine may return 0 upon error, in 
- * which case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDNSEQ
- *
- * Return value:
- *  0 upon error
- *  A positive number upon success
- */
-
-NSS_EXTERN PRUint32
-nssRDNSeq_GetRDNCount
-(
-  NSSRDNSeq *rdnseq
-);
-
-/*
- * nssRDNSeq_GetRDN
- *
- * This routine returns a pointer to the i'th RDN in the sequence of
- * RDNs that make up the specified RDNSeq.  The sequence begins with
- * the top-level (e.g., "c=US") RDN.  The value of the variable 'i'
- * is on the range [0,c) where c is the cardinality returned from
- * NSSRDNSeq_GetRDNCount.  The caller owns the RDN the pointer to which
- * is returned.  If the optional arena argument is non-null, the memory
- * used will be obtained from that areana; otherwise, the memory will 
- * be obtained from the heap.  This routine may return NULL upon error,
- * in which case it will have set an error upon the error stack.  Note
- * that the usual UTF8 representation of RDN Sequences is from last
- * to first.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDNSEQ
- *  NSS_ERROR_VALUE_OUT_OF_RANGE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer to an NSSRDN
- */
-
-NSS_EXTERN NSSRDN *
-nssRDNSeq_GetRDN
-(
-  NSSRDNSeq *rdnseq,
-  NSSArena *arenaOpt,
-  PRUint32 i
-);
-
-/*
- * nssRDNSeq_Compare
- *
- * This routine compares two RDNSeqs for equality.  For two RDNSeqs to 
- * be equal, they must have the same number of RDNs, and each RDN in
- * one sequence must be equal to the corresponding RDN in the other
- * sequence.  The result of the comparison will be stored at the
- * location pointed to by the "equalp" variable, which must point to a
- * valid PRBool.  This routine may return PR_FAILURE upon error, in
- * which case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDNSEQ
- *  NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- *  PR_FAILURE on error
- *  PR_SUCCESS upon a successful comparison (equal or not)
- */
-
-NSS_EXTERN PRStatus
-nssRDNSeq_Compare
-(
-  NSSRDNSeq *rdnseq1,
-  NSSRDNSeq *rdnseq2,
-  PRBool *equalp
-);
-
-/*
- * nssRDNSeq_Duplicate
- *
- * This routine duplicates the specified RDNSeq.  If the optional arena
- * argument is non-null, the memory required will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap.  This 
- * routine may return NULL upon error, in which case it will have 
- * placed an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_RDNSEQ
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a new RDNSeq
- */
-
-NSS_EXTERN NSSRDNSeq *
-nssRDNSeq_Duplicate
-(
-  NSSRDNSeq *rdnseq,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssRDNSeq_EvaluateUTF8
- *
- * This routine evaluates a UTF8 string, and returns PR_TRUE if the 
- * string contains the string representation of an RDNSeq.  This 
- * routine is used by the (directory) Name routines 
- * nssName_CreateFromUTF8 and nssName_EvaluateUTF8 to determine which
- * choice of directory name the string may encode.  This routine may 
- * return PR_FALSE upon error, but it subsumes that condition under the
- * general "string does not evaluate as an RDNSeq" state, and does not
- * set an error on the error stack.
- *
- * Return value:
- *  PR_TRUE if the string represents an RDNSeq
- *  PR_FALSE if otherwise
- */
-
-NSS_EXTERN PRBool
-nssRDNSeq_EvaluateUTF8
-(
-  NSSUTF8 *str
-);
-
-/*
- * NSSName
- *
- * The non-public "methods" regarding this "object" are:
- *
- * nssName_CreateFromBER   -- constructor
- * nssName_CreateFromUTF8  -- constructor
- * nssName_Create          -- constructor
- *
- * nssName_Destroy
- * nssName_GetDEREncoding
- * nssName_GetUTF8Encoding
- * nssName_GetChoice
- * nssName_GetRDNSequence
- * nssName_GetSpecifiedChoice
- * nssName_Compare
- * nssName_Duplicate
- *
- * nssName_GetUID
- * nssName_GetEmail
- * nssName_GetCommonName
- * nssName_GetOrganization
- * nssName_GetOrganizationalUnits
- * nssName_GetStateOrProvince
- * nssName_GetLocality
- * nssName_GetCountry
- * nssName_GetAttribute
- *
- * nssName_EvaluateUTF8 -- not an object method
- */
-
-/*
- * nssName_CreateFromBER
- *
- * This routine creates an NSSName by decoding a BER- or DER-encoded 
- * (directory) Name.  If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise, 
- * the memory will be obtained from the heap.  This routine may
- * return NULL upon error, in which case it will have set an error
- * on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_BER
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSName upon success
- */
-
-NSS_EXTERN NSSName *
-nssName_CreateFromBER
-(
-  NSSArena *arenaOpt,
-  NSSBER *berName
-);
-
-/*
- * nssName_CreateFromUTF8
- *
- * This routine creates an NSSName by decoding a UTF8 string 
- * consisting of the string representation of one of the choices of 
- * (directory) names.  Currently the only choice is an RDNSeq.  If the
- * optional arena argument is non-null, the memory used will be 
- * obtained from that arena; otherwise, the memory will be obtained 
- * from the heap.  The routine may return NULL upon error, in which
- * case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_UTF8
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSName upon success
- */
-
-NSS_EXTERN NSSName *
-nssName_CreateFromUTF8
-(
-  NSSArena *arenaOpt,
-  NSSUTF8 *stringName
-);
-
-/*
- * nssName_Create
- *
- * This routine creates an NSSName with the specified choice of
- * underlying name types.  The value of the choice variable must be
- * one of the values of the NSSNameChoice enumeration, and the type
- * of the arg variable must be as specified in the following table:
- *
- *   Choice                     Type
- *   ========================   ===========
- *   NSSNameChoiceRdnSequence   NSSRDNSeq *
- *
- * If the optional arena argument is non-null, the memory used will
- * be obtained from that arena; otherwise, the memory will be 
- * obtained from the heap.  This routine may return NULL upon error,
- * in which case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_CHOICE
- *  NSS_ERROR_INVALID_ARGUMENT
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSName upon success
- */
-
-NSS_EXTERN NSSName *
-nssName_Create
-(
-  NSSArena *arenaOpt,
-  NSSNameChoice choice,
-  void *arg
-);
-
-/*
- * nssName_Destroy
- *
- * This routine will destroy a Name object.  It should eventually be
- * called on all Names created without an arena.  While it is not
- * necessary to call it on Names created within an arena, it is not
- * an error to do so.  This routine returns a PRStatus value; if
- * successful, it will return PR_SUCCESS.  If unsuccessful, it will
- * set an error on the error stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssName_Destroy
-(
-  NSSName *name
-);
-
-/*
- * nssName_GetDEREncoding
- *
- * This routine will DER-encode a name object.  If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap.  This
- * routine may return null upon error, in which case it will have set
- * an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  The DER encoding of this NSSName
- */
-
-NSS_EXTERN NSSDER *
-nssName_GetDEREncoding
-(
-  NSSName *name,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssName_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing a string 
- * representation of the Name in the format specified by the 
- * underlying name choice.  If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise, the 
- * memory will be obtained from the heap.  This routine may return
- * NULL upon error, in which case it will have set an error on the 
- * error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to the UTF8 string
- */
-
-NSS_EXTERN NSSUTF8 *
-nssName_GetUTF8Encoding
-(
-  NSSName *name,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssName_GetChoice
- *
- * This routine returns the type of the choice underlying the specified
- * name.  The return value will be a member of the NSSNameChoice 
- * enumeration.  This routine may return NSSNameChoiceInvalid upon 
- * error, in which case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *
- * Return value:
- *  NSSNameChoiceInvalid upon error
- *  An other member of the NSSNameChoice enumeration upon success
- */
-
-NSS_EXTERN NSSNameChoice
-nssName_GetChoice
-(
-  NSSName *name
-);
-
-/*
- * nssName_GetRDNSequence
- *
- * If the choice underlying the specified NSSName is that of an 
- * RDNSequence, this routine will return a pointer to that RDN
- * sequence.  Otherwise, this routine will place an error on the
- * error stack, and return NULL.  If the optional arena argument is
- * non-null, the memory required will be obtained from that arena;
- * otherwise, the memory will be obtained from the heap.  The
- * caller owns the returned pointer.  This routine may return NULL
- * upon error, in which case it will have set an error on the error
- * stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *  NSS_ERROR_WRONG_CHOICE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer to an NSSRDNSeq
- */
-
-NSS_EXTERN NSSRDNSeq *
-nssName_GetRDNSequence
-(
-  NSSName *name,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssName_GetSpecifiedChoice
- *
- * If the choice underlying the specified NSSName matches the specified
- * choice, a caller-owned pointer to that underlying object will be
- * returned.  Otherwise, an error will be placed on the error stack and
- * NULL will be returned.  If the optional arena argument is non-null, 
- * the memory required will be obtained from that arena; otherwise, the
- * memory will be obtained from the heap.  The caller owns the returned
- * pointer.  This routine may return NULL upon error, in which case it
- * will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *  NSS_ERROR_WRONG_CHOICE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer, which must be typecast
- */
-
-NSS_EXTERN void *
-nssName_GetSpecifiedChoice
-(
-  NSSName *name,
-  NSSNameChoice choice,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssName_Compare
- *
- * This routine compares two Names for equality.  For two Names to be
- * equal, they must have the same choice of underlying types, and the
- * underlying values must be equal.  The result of the comparison will
- * be stored at the location pointed to by the "equalp" variable, which
- * must point to a valid PRBool. This routine may return PR_FAILURE
- * upon error, in which case it will have set an error on the error
- * stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *  NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- *  PR_FAILURE on error
- *  PR_SUCCESS upon a successful comparison (equal or not)
- */
-
-NSS_EXTERN PRStatus
-nssName_Compare
-(
-  NSSName *name1,
-  NSSName *name2,
-  PRBool *equalp
-);
-
-/*
- * nssName_Duplicate
- *
- * This routine duplicates the specified nssname.  If the optional
- * arena argument is non-null, the memory required will be obtained
- * from that arena; otherwise, the memory will be obtained from the
- * heap.  This routine may return NULL upon error, in which case it
- * will have placed an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a new NSSName
- */
-
-NSS_EXTERN NSSName *
-nssName_Duplicate
-(
-  NSSName *name,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssName_GetUID
- *
- * This routine will attempt to derive a user identifier from the
- * specified name, if the choices and content of the name permit.
- * If the Name consists of a Sequence of Relative Distinguished 
- * Names containing a UID attribute, the UID will be the value of 
- * that attribute.  Note that no UID attribute is defined in either 
- * PKIX or PKCS#9; rather, this seems to derive from RFC 1274, which 
- * defines the type as a caseIgnoreString.  We'll return a Directory 
- * String.  If the optional arena argument is non-null, the memory 
- * used will be obtained from that arena; otherwise, the memory will 
- * be obtained from the heap.  This routine may return NULL upon error,
- * in which case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *  NSS_ERROR_NO_UID
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String.
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-nssName_GetUID
-(
-  NSSName *name,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssName_GetEmail
- *
- * This routine will attempt to derive an email address from the
- * specified name, if the choices and content of the name permit.  
- * If the Name consists of a Sequence of Relative Distinguished 
- * Names containing either a PKIX email address or a PKCS#9 email
- * address, the result will be the value of that attribute.  If the
- * optional arena argument is non-null, the memory used will be
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap.  This routine may return NULL upon error, in which
- * case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *  NSS_ERROR_NO_EMAIL
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr IA5 String */
-nssName_GetEmail
-(
-  NSSName *name,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssName_GetCommonName
- *
- * This routine will attempt to derive a common name from the
- * specified name, if the choices and content of the name permit.  
- * If the Name consists of a Sequence of Relative Distinguished Names
- * containing a PKIX Common Name, the result will be that name.  If 
- * the optional arena argument is non-null, the memory used will be 
- * obtained from that arena; otherwise, the memory will be obtained 
- * from the heap.  This routine may return NULL upon error, in which 
- * case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *  NSS_ERROR_NO_COMMON_NAME
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-nssName_GetCommonName
-(
-  NSSName *name,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssName_GetOrganization
- *
- * This routine will attempt to derive an organisation name from the
- * specified name, if the choices and content of the name permit.  
- * If Name consists of a Sequence of Relative Distinguished names 
- * containing a PKIX Organization, the result will be the value of 
- * that attribute.  If the optional arena argument is non-null, the 
- * memory used will be obtained from that arena; otherwise, the memory 
- * will be obtained from the heap.  This routine may return NULL upon 
- * error, in which case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *  NSS_ERROR_NO_ORGANIZATION
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-nssName_GetOrganization
-(
-  NSSName *name,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssName_GetOrganizationalUnits
- *
- * This routine will attempt to derive a sequence of organisational 
- * unit names from the specified name, if the choices and content of 
- * the name permit.  If the Name consists of a Sequence of Relative 
- * Distinguished Names containing one or more organisational units,
- * the result will be the values of those attributes.  If the optional 
- * arena argument is non-null, the memory used will be obtained from 
- * that arena; otherwise, the memory will be obtained from the heap.  
- * This routine may return NULL upon error, in which case it will have 
- * set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *  NSS_ERROR_NO_ORGANIZATIONAL_UNITS
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a null-terminated array of UTF8 Strings
- */
-
-NSS_EXTERN NSSUTF8 ** /* XXX fgmr DirectoryString */
-nssName_GetOrganizationalUnits
-(
-  NSSName *name,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssName_GetStateOrProvince
- *
- * This routine will attempt to derive a state or province name from 
- * the specified name, if the choices and content of the name permit.
- * If the Name consists of a Sequence of Relative Distinguished Names
- * containing a state or province, the result will be the value of 
- * that attribute.  If the optional arena argument is non-null, the 
- * memory used will be obtained from that arena; otherwise, the memory 
- * will be obtained from the heap.  This routine may return NULL upon 
- * error, in which case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *  NSS_ERROR_NO_STATE_OR_PROVINCE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-nssName_GetStateOrProvince
-(
-  NSSName *name,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssName_GetLocality
- *
- * This routine will attempt to derive a locality name from the 
- * specified name, if the choices and content of the name permit.  If
- * the Name consists of a Sequence of Relative Distinguished names
- * containing a Locality, the result will be the value of that 
- * attribute.  If the optional arena argument is non-null, the memory 
- * used will be obtained from that arena; otherwise, the memory will 
- * be obtained from the heap.  This routine may return NULL upon error,
- * in which case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *  NSS_ERROR_NO_LOCALITY
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-nssName_GetLocality
-(
-  NSSName *name,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssName_GetCountry
- *
- * This routine will attempt to derive a country name from the 
- * specified name, if the choices and content of the name permit.
- * If the Name consists of a Sequence of Relative Distinguished 
- * Names containing a Country, the result will be the value of
- * that attribute..  If the optional arena argument is non-null, 
- * the memory used will be obtained from that arena; otherwise, 
- * the memory will be obtained from the heap.  This routine may 
- * return NULL upon error, in which case it will have set an error 
- * on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *  NSS_ERROR_NO_COUNTRY
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr PrintableString */
-nssName_GetCountry
-(
-  NSSName *name,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssName_GetAttribute
- *
- * If the specified name consists of a Sequence of Relative 
- * Distinguished Names containing an attribute with the specified 
- * type, and the actual value of that attribute may be expressed 
- * with a Directory String, then the value of that attribute will 
- * be returned as a Directory String.  If the optional arena argument 
- * is non-null, the memory used will be obtained from that arena; 
- * otherwise, the memory will be obtained from the heap.  This routine 
- * may return NULL upon error, in which case it will have set an error 
- * on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_NAME
- *  NSS_ERROR_NO_ATTRIBUTE
- *  NSS_ERROR_ATTRIBUTE_VALUE_NOT_STRING
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-nssName_GetAttribute
-(
-  NSSName *name,
-  NSSOID *attribute,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssName_EvaluateUTF8
- *
- * This routine evaluates a UTF8 string, and returns PR_TRUE if the 
- * string contains the string representation of an NSSName.  This 
- * routine is used by the GeneralName routine 
- * nssGeneralName_CreateFromUTF8 to determine which choice of
- * general name the string may encode.  This routine may return 
- * PR_FALSE upon error, but it subsumes that condition under the 
- * general "string does not evaluate as a Name" state, and does not
- * set an error on the error stack.
- * 
- * Return value:
- *  PR_TRUE if the string represents a Name
- *  PR_FALSE otherwise
- */
-
-NSS_EXTERN PRBool
-nssName_EvaluateUTF8
-(
-  NSSUTF8 *str
-);
-
-/*
- * NSSGeneralName
- *
- * The non-public "methods" regarding this "object" are:
- *
- * nssGeneralName_CreateFromBER   -- constructor
- * nssGeneralName_CreateFromUTF8  -- constructor
- * nssGeneralName_Create          -- constructor
- *
- * nssGeneralName_Destroy
- * nssGeneralName_GetDEREncoding
- * nssGeneralName_GetUTF8Encoding
- * nssGeneralName_GetChoice
- * nssGeneralName_GetOtherName
- * nssGeneralName_GetRfc822Name
- * nssGeneralName_GetDNSName
- * nssGeneralName_GetX400Address
- * nssGeneralName_GetDirectoryName
- * nssGeneralName_GetEdiPartyName
- * nssGeneralName_GetUniformResourceIdentifier
- * nssGeneralName_GetIPAddress
- * nssGeneralName_GetRegisteredID
- * nssGeneralName_GetSpecifiedChoice
- * nssGeneralName_Compare
- * nssGeneralName_Duplicate
- *
- * nssGeneralName_GetUID
- * nssGeneralName_GetEmail
- * nssGeneralName_GetCommonName
- * nssGeneralName_GetOrganization
- * nssGeneralName_GetOrganizationalUnits
- * nssGeneralName_GetStateOrProvince
- * nssGeneralName_GetLocality
- * nssGeneralName_GetCountry
- * nssGeneralName_GetAttribute
- */
-
-/*
- * nssGeneralName_CreateFromBER
- *
- * This routine creates an NSSGeneralName by decoding a BER- or DER-
- * encoded general name.  If the optional arena argument is non-null,
- * the memory used will be obtained from that arena; otherwise, the 
- * memory will be obtained from the heap.  This routine may return 
- * NULL upon error, in which case it will have set an error on the 
- * error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_BER
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSGeneralName upon success
- */
-
-NSS_EXTERN NSSGeneralName *
-nssGeneralName_CreateFromBER
-(
-  NSSArena *arenaOpt,
-  NSSBER *berGeneralName
-);
-
-/*
- * nssGeneralName_CreateFromUTF8
- *
- * This routine creates an NSSGeneralName by decoding a UTF8 string
- * consisting of the string representation of one of the choices of
- * general names.  If the optional arena argument is non-null, the 
- * memory used will be obtained from that arena; otherwise, the memory
- * will be obtained from the heap.  The routine may return NULL upon
- * error, in which case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_UTF8
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSGeneralName upon success
- */
-
-NSS_EXTERN NSSGeneralName *
-nssGeneralName_CreateFromUTF8
-(
-  NSSArena *arenaOpt,
-  NSSUTF8 *stringGeneralName
-);
-
-/*
- * nssGeneralName_Create
- *
- * This routine creates an NSSGeneralName with the specified choice of
- * underlying name types.  The value of the choice variable must be one
- * of the values of the NSSGeneralNameChoice enumeration, and the type
- * of the arg variable must be as specified in the following table:
- *
- *   Choice                                         Type
- *   ============================================   =========
- *   NSSGeneralNameChoiceOtherName
- *   NSSGeneralNameChoiceRfc822Name
- *   NSSGeneralNameChoiceDNSName
- *   NSSGeneralNameChoiceX400Address
- *   NSSGeneralNameChoiceDirectoryName              NSSName *
- *   NSSGeneralNameChoiceEdiPartyName
- *   NSSGeneralNameChoiceUniformResourceIdentifier
- *   NSSGeneralNameChoiceIPAddress
- *   NSSGeneralNameChoiceRegisteredID
- *
- * If the optional arena argument is non-null, the memory used will
- * be obtained from that arena; otherwise, the memory will be 
- * obtained from the heap.  This routine may return NULL upon error,
- * in which case it will have set an error on the error stack.
- *
- * The error may be one fo the following values:
- *  NSS_ERROR_INVALID_CHOICE
- *  NSS_ERROR_INVALID_ARGUMENT
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSGeneralName upon success
- */
-
-NSS_EXTERN NSSGeneralName *
-nssGeneralName_Create
-(
-  NSSGeneralNameChoice choice,
-  void *arg
-);
-
-/*
- * nssGeneralName_Destroy
- * 
- * This routine will destroy a General Name object.  It should 
- * eventually be called on all General Names created without an arena.
- * While it is not necessary to call it on General Names created within
- * an arena, it is not an error to do so.  This routine returns a
- * PRStatus value; if successful, it will return PR_SUCCESS. If 
- * usuccessful, it will set an error on the error stack and return 
- * PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *
- * Return value:
- *  PR_FAILURE upon failure
- *  PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssGeneralName_Destroy
-(
-  NSSGeneralName *generalName
-);
-
-/*
- * nssGeneralName_GetDEREncoding
- *
- * This routine will DER-encode a name object.  If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap.  This
- * routine may return null upon error, in which case it will have set
- * an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  The DER encoding of this NSSGeneralName
- */
-
-NSS_EXTERN NSSDER *
-nssGeneralName_GetDEREncoding
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetUTF8Encoding
- *
- * This routine returns a UTF8 string containing a string 
- * representation of the General Name in the format specified by the
- * underlying name choice.  If the optional arena argument is 
- * non-null, the memory used will be obtained from that arena; 
- * otherwise, the memory will be obtained from the heap.  This routine
- * may return NULL upon error, in which case it will have set an error
- * on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 string
- */
-
-NSS_EXTERN NSSUTF8 *
-nssGeneralName_GetUTF8Encoding
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetChoice
- *
- * This routine returns the type of choice underlying the specified 
- * general name.  The return value will be a member of the 
- * NSSGeneralNameChoice enumeration.  This routine may return 
- * NSSGeneralNameChoiceInvalid upon error, in which case it will have 
- * set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *
- * Return value:
- *  NSSGeneralNameChoiceInvalid upon error
- *  An other member of the NSSGeneralNameChoice enumeration 
- */
-
-NSS_EXTERN NSSGeneralNameChoice
-nssGeneralName_GetChoice
-(
-  NSSGeneralName *generalName
-);
-
-/*
- * nssGeneralName_GetOtherName
- *
- * If the choice underlying the specified NSSGeneralName is that of an
- * Other Name, this routine will return a pointer to that Other name.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL.  If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory 
- * will be obtained from the heap.  The caller owns the returned 
- * pointer.  This routine may return NULL upon error, in which case it
- * will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_WRONG_CHOICE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer to an NSSOtherName
- */
-
-NSS_EXTERN NSSOtherName *
-nssGeneralName_GetOtherName
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetRfc822Name
- *
- * If the choice underlying the specified NSSGeneralName is that of an
- * RFC 822 Name, this routine will return a pointer to that name.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL.  If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory 
- * will be obtained from the heap.  The caller owns the returned 
- * pointer.  This routine may return NULL upon error, in which case it
- * will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_WRONG_CHOICE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer to an NSSRFC822Name
- */
-
-NSS_EXTERN NSSRFC822Name *
-nssGeneralName_GetRfc822Name
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetDNSName
- *
- * If the choice underlying the specified NSSGeneralName is that of a 
- * DNS Name, this routine will return a pointer to that DNS name.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL.  If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory 
- * will be obtained from the heap.  The caller owns the returned 
- * pointer.  This routine may return NULL upon error, in which case it
- * will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_WRONG_CHOICE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer to an NSSDNSName
- */
-
-NSS_EXTERN NSSDNSName *
-nssGeneralName_GetDNSName
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetX400Address
- *
- * If the choice underlying the specified NSSGeneralName is that of an
- * X.400 Address, this routine will return a pointer to that Address.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL.  If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory 
- * will be obtained from the heap.  The caller owns the returned 
- * pointer.  This routine may return NULL upon error, in which case it
- * will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_WRONG_CHOICE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer to an NSSX400Address
- */
-
-NSS_EXTERN NSSX400Address *
-nssGeneralName_GetX400Address
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetDirectoryName
- *
- * If the choice underlying the specified NSSGeneralName is that of a
- * (directory) Name, this routine will return a pointer to that name.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL.  If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory 
- * will be obtained from the heap.  The caller owns the returned 
- * pointer.  This routine may return NULL upon error, in which case it
- * will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_WRONG_CHOICE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer to an NSSName
- */
-
-NSS_EXTERN NSSName *
-nssGeneralName_GetName
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetEdiPartyName
- *
- * If the choice underlying the specified NSSGeneralName is that of an
- * EDI Party Name, this routine will return a pointer to that name.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL.  If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory 
- * will be obtained from the heap.  The caller owns the returned 
- * pointer.  This routine may return NULL upon error, in which case it
- * will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_WRONG_CHOICE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer to an NSSEdiPartyName
- */
-
-NSS_EXTERN NSSEdiPartyName *
-nssGeneralName_GetEdiPartyName
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetUniformResourceIdentifier
- *
- * If the choice underlying the specified NSSGeneralName is that of a
- * URI, this routine will return a pointer to that URI.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL.  If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory 
- * will be obtained from the heap.  The caller owns the returned 
- * pointer.  This routine may return NULL upon error, in which case it
- * will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_WRONG_CHOICE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer to an NSSURI
- */
-
-NSS_EXTERN NSSURI *
-nssGeneralName_GetUniformResourceIdentifier
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetIPAddress
- *
- * If the choice underlying the specified NSSGeneralName is that of an
- * IP Address , this routine will return a pointer to that address.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL.  If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory 
- * will be obtained from the heap.  The caller owns the returned 
- * pointer.  This routine may return NULL upon error, in which case it
- * will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_WRONG_CHOICE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer to an NSSIPAddress
- */
-
-NSS_EXTERN NSSIPAddress *
-nssGeneralName_GetIPAddress
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetRegisteredID
- *
- * If the choice underlying the specified NSSGeneralName is that of a
- * Registered ID, this routine will return a pointer to that ID.
- * Otherwise, this routine will place an error on the error stack, and
- * return NULL.  If the optional arena argument is non-null, the memory
- * required will be obtained from that arena; otherwise, the memory 
- * will be obtained from the heap.  The caller owns the returned 
- * pointer.  This routine may return NULL upon error, in which case it
- * will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_WRONG_CHOICE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer to an NSSRegisteredID
- */
-
-NSS_EXTERN NSSRegisteredID *
-nssGeneralName_GetRegisteredID
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetSpecifiedChoice
- *
- * If the choice underlying the specified NSSGeneralName matches the
- * specified choice, a caller-owned pointer to that underlying object
- * will be returned.  Otherwise, an error will be placed on the error
- * stack and NULL will be returned.  If the optional arena argument
- * is non-null, the memory required will be obtained from that arena;
- * otherwise, the memory will be obtained from the heap.  The caller
- * owns the returned pointer.  This routine may return NULL upon 
- * error, in which caes it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_WRONG_CHOICE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer, which must be typecast
- */
-
-NSS_EXTERN void *
-nssGeneralName_GetSpecifiedChoice
-(
-  NSSGeneralName *generalName,
-  NSSGeneralNameChoice choice,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_Compare
- * 
- * This routine compares two General Names for equality.  For two 
- * General Names to be equal, they must have the same choice of
- * underlying types, and the underlying values must be equal.  The
- * result of the comparison will be stored at the location pointed
- * to by the "equalp" variable, which must point to a valid PRBool.
- * This routine may return PR_FAILURE upon error, in which case it
- * will have set an error on the error stack.
- *
- * The error may be one of the following value:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon a successful comparison (equal or not)
- */
-
-NSS_EXTERN PRStatus
-nssGeneralName_Compare
-(
-  NSSGeneralName *generalName1,
-  NSSGeneralName *generalName2,
-  PRBool *equalp
-);
-
-/*
- * nssGeneralName_Duplicate
- *
- * This routine duplicates the specified General Name.  If the optional
- * arena argument is non-null, the memory required will be obtained
- * from that arena; otherwise, the memory will be obtained from the
- * heap.  This routine may return NULL upon error, in which case it 
- * will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a new NSSGeneralName
- */
-
-NSS_EXTERN NSSGeneralName *
-nssGeneralName_Duplicate
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetUID
- *
- * This routine will attempt to derive a user identifier from the
- * specified general name, if the choices and content of the name
- * permit.  If the General Name is a (directory) Name consisting
- * of a Sequence of Relative Distinguished Names containing a UID
- * attribute, the UID will be the value of that attribute.  Note
- * that no UID attribute is defined in either PKIX or PKCS#9; 
- * rather, this seems to derive from RFC 1274, which defines the
- * type as a caseIgnoreString.  We'll return a Directory String.
- * If the optional arena argument is non-null, the memory used
- * will be obtained from that arena; otherwise, the memory will be
- * obtained from the heap.  This routine may return NULL upon error,
- * in which case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_NO_UID
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String.
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-nssGeneralName_GetUID
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetEmail
- *
- * This routine will attempt to derive an email address from the
- * specified general name, if the choices and content of the name
- * permit.  If the General Name is a (directory) Name consisting
- * of a Sequence of Relative Distinguished names containing either
- * a PKIX email address or a PKCS#9 email address, the result will
- * be the value of that attribute.  If the General Name is an RFC 822
- * Name, the result will be the string form of that name.  If the
- * optional arena argument is non-null, the memory used will be 
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap.  This routine may return NULL upon error, in which
- * case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_NO_EMAIL
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr IA5String */
-nssGeneralName_GetEmail
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetCommonName
- *
- * This routine will attempt to derive a common name from the
- * specified general name, if the choices and content of the name
- * permit.  If the General Name is a (directory) Name consisting
- * of a Sequence of Relative Distinguished names containing a PKIX
- * Common Name, the result will be that name.  If the optional arena 
- * argument is non-null, the memory used will be obtained from that 
- * arena; otherwise, the memory will be obtained from the heap.  This 
- * routine may return NULL upon error, in which case it will have set 
- * an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_NO_COMMON_NAME
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-nssGeneralName_GetCommonName
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetOrganization
- *
- * This routine will attempt to derive an organisation name from the
- * specified general name, if the choices and content of the name
- * permit.  If the General Name is a (directory) Name consisting
- * of a Sequence of Relative Distinguished names containing an
- * Organization, the result will be the value of that attribute.  
- * If the optional arena argument is non-null, the memory used will 
- * be obtained from that arena; otherwise, the memory will be obtained
- * from the heap.  This routine may return NULL upon error, in which 
- * case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_NO_ORGANIZATION
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-nssGeneralName_GetOrganization
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetOrganizationalUnits
- *
- * This routine will attempt to derive a sequence of organisational 
- * unit names from the specified general name, if the choices and 
- * content of the name permit.  If the General Name is a (directory) 
- * Name consisting of a Sequence of Relative Distinguished names 
- * containing one or more organisational units, the result will 
- * consist of those units.  If the optional arena  argument is non-
- * null, the memory used will be obtained from that arena; otherwise, 
- * the memory will be obtained from the heap.  This routine may return 
- * NULL upon error, in which case it will have set an error on the 
- * error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_NO_ORGANIZATIONAL_UNITS
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a null-terminated array of UTF8 Strings
- */
-
-NSS_EXTERN NSSUTF8 ** /* XXX fgmr DirectoryString */
-nssGeneralName_GetOrganizationalUnits
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetStateOrProvince
- *
- * This routine will attempt to derive a state or province name from 
- * the specified general name, if the choices and content of the name
- * permit.  If the General Name is a (directory) Name consisting
- * of a Sequence of Relative Distinguished names containing a state or 
- * province, the result will be the value of that attribute.  If the 
- * optional arena argument is non-null, the memory used will be 
- * obtained from that arena; otherwise, the memory will be obtained 
- * from the heap.  This routine may return NULL upon error, in which 
- * case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_NO_STATE_OR_PROVINCE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-nssGeneralName_GetStateOrProvince
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetLocality
- *
- * This routine will attempt to derive a locality name from 
- * the specified general name, if the choices and content of the name
- * permit.  If the General Name is a (directory) Name consisting
- * of a Sequence of Relative Distinguished names containing a Locality, 
- * the result will be the value of that attribute.  If the optional 
- * arena argument is non-null, the memory used will be obtained from 
- * that arena; otherwise, the memory will be obtained from the heap.  
- * This routine may return NULL upon error, in which case it will have 
- * set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_NO_LOCALITY
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-nssGeneralName_GetLocality
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetCountry
- *
- * This routine will attempt to derive a country name from the 
- * specified general name, if the choices and content of the name 
- * permit.  If the General Name is a (directory) Name consisting of a
- * Sequence of Relative Distinguished names containing a Country, the 
- * result will be the value of that attribute.  If the optional 
- * arena argument is non-null, the memory used will be obtained from 
- * that arena; otherwise, the memory will be obtained from the heap.  
- * This routine may return NULL upon error, in which case it will have 
- * set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_NO_COUNTRY
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr PrintableString */
-nssGeneralName_GetCountry
-(
-  NSSGeneralName *generalName,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralName_GetAttribute
- *
- * If the specified general name is a (directory) name consisting
- * of a Sequence of Relative Distinguished Names containing an 
- * attribute with the specified type, and the actual value of that
- * attribute may be expressed with a Directory String, then the
- * value of that attribute will be returned as a Directory String.
- * If the optional arena argument is non-null, the memory used will
- * be obtained from that arena; otherwise, the memory will be obtained
- * from the heap.  This routine may return NULL upon error, in which
- * case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_NO_ATTRIBUTE
- *  NSS_ERROR_ATTRIBUTE_VALUE_NOT_STRING
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a UTF8 String
- */
-
-NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
-nssGeneralName_GetAttribute
-(
-  NSSGeneralName *generalName,
-  NSSOID *attribute,
-  NSSArena *arenaOpt
-);
-
-/*
- * NSSGeneralNameSeq
- *
- * The public "methods" regarding this "object" are:
- *
- *  nssGeneralNameSeq_CreateFromBER   -- constructor
- *  nssGeneralNameSeq_Create          -- constructor
- *
- *  nssGeneralNameSeq_Destroy
- *  nssGeneralNameSeq_GetDEREncoding
- *  nssGeneralNameSeq_AppendGeneralName
- *  nssGeneralNameSeq_GetGeneralNameCount
- *  nssGeneralNameSeq_GetGeneralName
- *  nssGeneralNameSeq_Compare
- *  nssGeneralnameSeq_Duplicate
- */
-
-/*
- * nssGeneralNameSeq_CreateFromBER
- *
- * This routine creates a general name sequence by decoding a BER-
- * or DER-encoded GeneralNames.  If the optional arena argument is
- * non-null, the memory used will be obtained from that arena; 
- * otherwise, the memory will be obtained from the heap.  This routine
- * may return NULL upon error, in which case it will have set an error
- * on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_BER
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSGeneralNameSeq upon success
- */
-
-NSS_EXTERN NSSGeneralNameSeq *
-nssGeneralNameSeq_CreateFromBER
-(
-  NSSArena *arenaOpt,
-  NSSBER *berGeneralNameSeq
-);
-
-/*
- * nssGeneralNameSeq_Create
- *
- * This routine creates an NSSGeneralNameSeq from one or more General
- * Names.  The final argument to this routine must be NULL.  If the
- * optional arena argument is non-null, the memory used will be 
- * obtained from that arena; otherwise, the memory will be obtained 
- * from the heap.  This routine may return NULL upon error, in which
- * case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_NO_MEMORY
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *
- * Return value:
- *  NULL upon error
- *  A pointer to an NSSGeneralNameSeq upon success
- */
-
-NSS_EXTERN NSSGeneralNameSeq *
-nssGeneralNameSeq_Create
-(
-  NSSArena *arenaOpt,
-  NSSGeneralName *generalName1,
-  ...
-);
-
-/*
- * nssGeneralNameSeq_Destroy
- *
- * This routine will destroy an NSSGeneralNameSeq object.  It should
- * eventually be called on all NSSGeneralNameSeqs created without an
- * arena.  While it is not necessary to call it on NSSGeneralNameSeq's
- * created within an arena, it is not an error to do so.  This routine
- * returns a PRStatus value; if successful, it will return PR_SUCCESS.
- * If unsuccessful, it will set an error on the error stack and return
- * PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon success
- */
-
-NSS_EXTERN PRStatus
-nssGeneralNameSeq_Destroy
-(
-  NSSGeneralNameSeq *generalNameSeq
-);
-
-/*
- * nssGeneralNameSeq_GetDEREncoding
- *
- * This routine will DER-encode an NSSGeneralNameSeq object.  If the
- * optional arena argument is non-null, the memory used will be 
- * obtained from that arena; otherwise, the memory will be obtained
- * from the heap.  This routine may return null upon error, in which
- * case it will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  The DER encoding of this NSSGeneralNameSeq
- */
-
-NSS_EXTERN NSSDER *
-nssGeneralNameSeq_GetDEREncoding
-(
-  NSSGeneralNameSeq *generalNameSeq,
-  NSSArena *arenaOpt
-);
-
-/*
- * nssGeneralNameSeq_AppendGeneralName
- *
- * This routine appends a General Name to the end of the existing
- * General Name Sequence.  If the sequence was created with a non-null
- * arena argument, that same arena will be used for any additional
- * required memory.  If the sequence was created with a NULL arena
- * argument, any additional memory will be obtained from the heap.
- * This routine returns a PRStatus value; it will return PR_SUCCESS
- * upon success, and upon failure it will set an error on the error
- * stack and return PR_FAILURE.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
- *  NSS_ERROR_INVALID_GENERAL_NAME
- *  NSS_ERROR_NO_MEMORY
- * 
- * Return value:
- *  PR_SUCCESS upon success
- *  PR_FAILURE upon failure.
- */
-
-NSS_EXTERN PRStatus
-nssGeneralNameSeq_AppendGeneralName
-(
-  NSSGeneralNameSeq *generalNameSeq,
-  NSSGeneralName *generalName
-);
-
-/*
- * nssGeneralNameSeq_GetGeneralNameCount
- *
- * This routine returns the cardinality of the specified General name
- * Sequence.  This routine may return 0 upon error, in which case it
- * will have set an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
- *
- * Return value;
- *  0 upon error
- *  A positive number upon success
- */
-
-NSS_EXTERN PRUint32
-nssGeneralNameSeq_GetGeneralNameCount
-(
-  NSSGeneralNameSeq *generalNameSeq
-);
-
-/*
- * nssGeneralNameSeq_GetGeneralName
- *
- * This routine returns a pointer to the i'th General Name in the 
- * specified General Name Sequence.  The value of the variable 'i' is
- * on the range [0,c) where c is the cardinality returned from 
- * NSSGeneralNameSeq_GetGeneralNameCount.  The caller owns the General
- * Name the pointer to which is returned.  If the optional arena
- * argument is non-null, the memory used will be obtained from that
- * arena; otherwise, the memory will be obtained from the heap.  This
- * routine may return NULL upon error, in which case it will have set
- * an error upon the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
- *  NSS_ERROR_VALUE_OUT_OF_RANGE
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A caller-owned pointer to a General Name.
- */
-
-NSS_EXTERN NSSGeneralName *
-nssGeneralNameSeq_GetGeneralName
-(
-  NSSGeneralNameSeq *generalNameSeq,
-  NSSArena *arenaOpt,
-  PRUint32 i
-);
-
-/*
- * nssGeneralNameSeq_Compare
- *
- * This routine compares two General Name Sequences for equality.  For
- * two General Name Sequences to be equal, they must have the same
- * cardinality, and each General Name in one sequence must be equal to
- * the corresponding General Name in the other.  The result of the
- * comparison will be stored at the location pointed to by the "equalp"
- * variable, which must point to a valid PRBool.  This routine may 
- * return PR_FAILURE upon error, in which case it will have set an 
- * error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
- *  NSS_ERROR_INVALID_ARGUMENT
- *
- * Return value:
- *  PR_FAILURE upon error
- *  PR_SUCCESS upon a successful comparison (equal or not)
- */
-
-NSS_EXTERN PRStatus
-nssGeneralNameSeq_Compare
-(
-  NSSGeneralNameSeq *generalNameSeq1,
-  NSSGeneralNameSeq *generalNameSeq2,
-  PRBool *equalp
-);
-
-/*
- * nssGeneralNameSeq_Duplicate
- *
- * This routine duplicates the specified sequence of general names.  If
- * the optional arena argument is non-null, the memory required will be
- * obtained from that arena; otherwise, the memory will be obtained 
- * from the heap.  This routine may return NULL upon error, in which 
- * case it will have placed an error on the error stack.
- *
- * The error may be one of the following values:
- *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
- *  NSS_ERROR_NO_MEMORY
- *
- * Return value:
- *  NULL upon error
- *  A pointer to a new General Name Sequence.
- */
-
-NSS_EXTERN NSSGeneralNameSeq *
-nssGeneralNameSeq_Duplicate
-(
-  NSSGeneralNameSeq *generalNameSeq,
-  NSSArena *arenaOpt
-);
-
-PR_END_EXTERN_C
-
-#endif /* PKI1_H */
diff --git a/security/nss/lib/pki1/pki1t.h b/security/nss/lib/pki1/pki1t.h
deleted file mode 100644
index 21366a3b2..000000000
--- a/security/nss/lib/pki1/pki1t.h
+++ /dev/null
@@ -1,107 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef PKI1T_H
-#define PKI1T_H
-
-#ifdef DEBUG
-static const char PKI1T_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * pki1t.h
- *
- * This file contains definitions for the types used in the PKIX part-1
- * code, but not available publicly.
- */
-
-#ifndef BASET_H
-#include "baset.h"
-#endif /* BASET_H */
-
-#ifndef NSSPKI1T_H
-#include "nsspki1t.h"
-#endif /* NSSPKI1T_H */
-
-PR_BEGIN_EXTERN_C
-
-/*
- * NSSOID
- *
- * This structure is used to hold our internal table of built-in OID
- * data.  The fields are as follows:
- *
- *  NSSItem     data -- this is the actual DER-encoded multinumber oid
- *  const char *expl -- this explains the derivation, and is checked
- *                      in a unit test.  While the field always exists,
- *                      it is only populated or used in debug builds.
- *
- */
-
-struct NSSOIDStr {
-#ifdef DEBUG
-  const NSSUTF8 *tag;
-  const NSSUTF8 *expl;
-#endif /* DEBUG */
-  NSSItem data;
-};
-
-/*
- * nssAttributeTypeAliasTable
- *
- * Attribute types are passed around as oids (at least in the X.500
- * and PKI worlds, as opposed to ldap).  However, when written as 
- * strings they usually have well-known aliases, e.g., "ou" or "c."
- *
- * This type defines a table, populated in the generated oiddata.c
- * file, of the aliases we recognize.
- *
- * The fields are as follows:
- *
- *  NSSUTF8 *alias -- a well-known string alias for an oid
- *  NSSOID  *oid   -- the oid to which the alias corresponds
- *
- */
-
-struct nssAttributeTypeAliasTableStr {
-  const NSSUTF8 *alias;
-  const NSSOID **oid;
-};
-typedef struct nssAttributeTypeAliasTableStr nssAttributeTypeAliasTable;
-
-PR_END_EXTERN_C
-
-#endif /* PKI1T_H */
diff --git a/security/nss/lib/pki1/rdn.c b/security/nss/lib/pki1/rdn.c
deleted file mode 100644
index 96fdbfacb..000000000
--- a/security/nss/lib/pki1/rdn.c
+++ /dev/null
@@ -1,76 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * rdn.c
- *
- * This file contains the implementation of the PKIX part-1 object
- * RelativeDistinguishedName.
- */
-
-#ifndef NSSBASE_H
-#include "nssbase.h"
-#endif /* NSSBASE_H */
-
-#ifndef ASN1_H
-#include "asn1.h"
-#endif /* ASN1_H */
-
-#ifndef PKI1_H
-#include "pki1.h"
-#endif /* PKI1_H */
-
-/*
- * RelativeDistinguishedName
- *
- * From draft-ietf-pkix-ipki-part1-10:
- *
- *  RelativeDistinguishedName       ::=
- *                  SET SIZE (1 .. MAX) OF AttributeTypeAndValue
- *
- * An RDN is merely an (unordered) set of ATAV's.  The setSize (that's
- * a noun, not a verb) variable is a "helper" variable kept for
- * convenience.
- */
-
-struct nssRDNStr {
-  PRUint32 setSize;
-  NSSATAV **atavs;
-};
diff --git a/security/nss/lib/pki1/rdnseq.c b/security/nss/lib/pki1/rdnseq.c
deleted file mode 100644
index af2da2b37..000000000
--- a/security/nss/lib/pki1/rdnseq.c
+++ /dev/null
@@ -1,74 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * rdnseq.c
- *
- * This file contains the implementation of the PKIX part-1 object
- * RDNSequence.
- */
-
-#ifndef NSSBASE_H
-#include "nssbase.h"
-#endif /* NSSBASE_H */
-
-#ifndef ASN1_H
-#include "asn1.h"
-#endif /* ASN1_H */
-
-#ifndef PKI1_H
-#include "pki1.h"
-#endif /* PKI1_H */
-
-/*
- * RDNSequence
- *
- * From draft-ietf-pkix-ipki-part1-10:
- *
- *  RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
- *
- * An RDNSequence is simply an (ordered) sequence of RDN's.  The 
- * seqSize variable is a "helper" kept for simplicity.
- */
-
-struct nssRDNSeqStr {
-  PRUint32 seqSize;
-  NSSRDN **rdns;
-};
diff --git a/security/nss/lib/smime/Makefile b/security/nss/lib/smime/Makefile
deleted file mode 100644
index 3bc1a719a..000000000
--- a/security/nss/lib/smime/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include config.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-
diff --git a/security/nss/lib/smime/cms.h b/security/nss/lib/smime/cms.h
deleted file mode 100644
index 034f1ae6c..000000000
--- a/security/nss/lib/smime/cms.h
+++ /dev/null
@@ -1,1141 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Interfaces of the CMS implementation.
- *
- * $Id$
- */
-
-#ifndef _CMS_H_
-#define _CMS_H_
-
-#include "seccomon.h"
-
-#include "secoidt.h"
-#include "certt.h"
-#include "keyt.h"
-#include "hasht.h"
-#include "cmst.h"
-
-/************************************************************************/
-SEC_BEGIN_PROTOS
-
-/************************************************************************
- * cmsdecode.c - CMS decoding
- ************************************************************************/
-
-/*
- * NSS_CMSDecoder_Start - set up decoding of a DER-encoded CMS message
- *
- * "poolp" - pointer to arena for message, or NULL if new pool should be created
- * "cb", "cb_arg" - callback function and argument for delivery of inner content
- *                  inner content will be stored in the message if cb is NULL.
- * "pwfn", pwfn_arg" - callback function for getting token password
- * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData
- */
-extern NSSCMSDecoderContext *
-NSS_CMSDecoder_Start(PRArenaPool *poolp,
-		      NSSCMSContentCallback cb, void *cb_arg,
-		      PK11PasswordFunc pwfn, void *pwfn_arg,
-		      NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg);
-
-/*
- * NSS_CMSDecoder_Update - feed DER-encoded data to decoder
- */
-extern SECStatus
-NSS_CMSDecoder_Update(NSSCMSDecoderContext *p7dcx, const char *buf, unsigned long len);
-
-/*
- * NSS_CMSDecoder_Cancel - cancel a decoding process
- */
-extern void
-NSS_CMSDecoder_Cancel(NSSCMSDecoderContext *p7dcx);
-
-/*
- * NSS_CMSDecoder_Finish - mark the end of inner content and finish decoding
- */
-extern NSSCMSMessage *
-NSS_CMSDecoder_Finish(NSSCMSDecoderContext *p7dcx);
-
-/*
- * NSS_CMSMessage_CreateFromDER - decode a CMS message from DER encoded data
- */
-extern NSSCMSMessage *
-NSS_CMSMessage_CreateFromDER(SECItem *DERmessage,
-		    NSSCMSContentCallback cb, void *cb_arg,
-		    PK11PasswordFunc pwfn, void *pwfn_arg,
-		    NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg);
-
-/************************************************************************
- * cmsencode.c - CMS encoding
- ************************************************************************/
-
-/*
- * NSS_CMSEncoder_Start - set up encoding of a CMS message
- *
- * "cmsg" - message to encode
- * "outputfn", "outputarg" - callback function for delivery of DER-encoded output
- *                           will not be called if NULL.
- * "dest" - if non-NULL, pointer to SECItem that will hold the DER-encoded output
- * "destpoolp" - pool to allocate DER-encoded output in
- * "pwfn", pwfn_arg" - callback function for getting token password
- * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData
- * "detached_digestalgs", "detached_digests" - digests from detached content
- */
-extern NSSCMSEncoderContext *
-NSS_CMSEncoder_Start(NSSCMSMessage *cmsg,
-			NSSCMSContentCallback outputfn, void *outputarg,
-			SECItem *dest, PLArenaPool *destpoolp,
-			PK11PasswordFunc pwfn, void *pwfn_arg,
-			NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg,
-			SECAlgorithmID **detached_digestalgs, SECItem **detached_digests);
-
-/*
- * NSS_CMSEncoder_Update - take content data delivery from the user
- *
- * "p7ecx" - encoder context
- * "data" - content data
- * "len" - length of content data
- */
-extern SECStatus
-NSS_CMSEncoder_Update(NSSCMSEncoderContext *p7ecx, const char *data, unsigned long len);
-
-/*
- * NSS_CMSEncoder_Cancel - stop all encoding
- */
-extern SECStatus
-NSS_CMSEncoder_Cancel(NSSCMSEncoderContext *p7ecx);
-
-/*
- * NSS_CMSEncoder_Finish - signal the end of data
- *
- * we need to walk down the chain of encoders and the finish them from the innermost out
- */
-extern SECStatus
-NSS_CMSEncoder_Finish(NSSCMSEncoderContext *p7ecx);
-
-/************************************************************************
- * cmsmessage.c - CMS message object
- ************************************************************************/
-
-/*
- * NSS_CMSMessage_Create - create a CMS message object
- *
- * "poolp" - arena to allocate memory from, or NULL if new arena should be created
- */
-extern NSSCMSMessage *
-NSS_CMSMessage_Create(PLArenaPool *poolp);
-
-/*
- * NSS_CMSMessage_SetEncodingParams - set up a CMS message object for encoding or decoding
- *
- * "cmsg" - message object
- * "pwfn", pwfn_arg" - callback function for getting token password
- * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData
- * "detached_digestalgs", "detached_digests" - digests from detached content
- *
- * used internally.
- */
-extern void
-NSS_CMSMessage_SetEncodingParams(NSSCMSMessage *cmsg,
-			PK11PasswordFunc pwfn, void *pwfn_arg,
-			NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg,
-			SECAlgorithmID **detached_digestalgs, SECItem **detached_digests);
-
-/*
- * NSS_CMSMessage_Destroy - destroy a CMS message and all of its sub-pieces.
- */
-extern void
-NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg);
-
-/*
- * NSS_CMSMessage_Copy - return a copy of the given message. 
- *
- * The copy may be virtual or may be real -- either way, the result needs
- * to be passed to NSS_CMSMessage_Destroy later (as does the original).
- */
-extern NSSCMSMessage *
-NSS_CMSMessage_Copy(NSSCMSMessage *cmsg);
-
-/*
- * NSS_CMSMessage_GetArena - return a pointer to the message's arena pool
- */
-extern PLArenaPool *
-NSS_CMSMessage_GetArena(NSSCMSMessage *cmsg);
-
-/*
- * NSS_CMSMessage_GetContentInfo - return a pointer to the top level contentInfo
- */
-extern NSSCMSContentInfo *
-NSS_CMSMessage_GetContentInfo(NSSCMSMessage *cmsg);
-
-/*
- * Return a pointer to the actual content. 
- * In the case of those types which are encrypted, this returns the *plain* content.
- * In case of nested contentInfos, this descends and retrieves the innermost content.
- */
-extern SECItem *
-NSS_CMSMessage_GetContent(NSSCMSMessage *cmsg);
-
-/*
- * NSS_CMSMessage_ContentLevelCount - count number of levels of CMS content objects in this message
- *
- * CMS data content objects do not count.
- */
-extern int
-NSS_CMSMessage_ContentLevelCount(NSSCMSMessage *cmsg);
-
-/*
- * NSS_CMSMessage_ContentLevel - find content level #n
- *
- * CMS data content objects do not count.
- */
-extern NSSCMSContentInfo *
-NSS_CMSMessage_ContentLevel(NSSCMSMessage *cmsg, int n);
-
-/*
- * NSS_CMSMessage_ContainsCertsOrCrls - see if message contains certs along the way
- */
-extern PRBool
-NSS_CMSMessage_ContainsCertsOrCrls(NSSCMSMessage *cmsg);
-
-/*
- * NSS_CMSMessage_IsEncrypted - see if message contains a encrypted submessage
- */
-extern PRBool
-NSS_CMSMessage_IsEncrypted(NSSCMSMessage *cmsg);
-
-/*
- * NSS_CMSMessage_IsSigned - see if message contains a signed submessage
- *
- * If the CMS message has a SignedData with a signature (not just a SignedData)
- * return true; false otherwise.  This can/should be called before calling
- * VerifySignature, which will always indicate failure if no signature is
- * present, but that does not mean there even was a signature!
- * Note that the content itself can be empty (detached content was sent
- * another way); it is the presence of the signature that matters.
- */
-extern PRBool
-NSS_CMSMessage_IsSigned(NSSCMSMessage *cmsg);
-
-/*
- * NSS_CMSMessage_IsContentEmpty - see if content is empty
- *
- * returns PR_TRUE is innermost content length is < minLen
- * XXX need the encrypted content length (why?)
- */
-extern PRBool
-NSS_CMSMessage_IsContentEmpty(NSSCMSMessage *cmsg, unsigned int minLen);
-
-/************************************************************************
- * cmscinfo.c - CMS contentInfo methods
- ************************************************************************/
-
-/*
- * NSS_CMSContentInfo_Destroy - destroy a CMS contentInfo and all of its sub-pieces.
- */
-extern void
-NSS_CMSContentInfo_Destroy(NSSCMSContentInfo *cinfo);
-
-/*
- * NSS_CMSContentInfo_GetChildContentInfo - get content's contentInfo (if it exists)
- */
-extern NSSCMSContentInfo *
-NSS_CMSContentInfo_GetChildContentInfo(NSSCMSContentInfo *cinfo);
-
-/*
- * NSS_CMSContentInfo_SetContent - set cinfo's content type & content to CMS object
- */
-extern SECStatus
-NSS_CMSContentInfo_SetContent(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, SECOidTag type, void *ptr);
-
-/*
- * NSS_CMSContentInfo_SetContent_XXXX - typesafe wrappers for NSS_CMSContentInfo_SetType
- *   set cinfo's content type & content to CMS object
- */
-extern SECStatus
-NSS_CMSContentInfo_SetContent_Data(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, SECItem *data, PRBool detached);
-
-extern SECStatus
-NSS_CMSContentInfo_SetContent_SignedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSSignedData *sigd);
-
-extern SECStatus
-NSS_CMSContentInfo_SetContent_EnvelopedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSEnvelopedData *envd);
-
-extern SECStatus
-NSS_CMSContentInfo_SetContent_DigestedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSDigestedData *digd);
-
-extern SECStatus
-NSS_CMSContentInfo_SetContent_EncryptedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSEncryptedData *encd);
-
-/*
- * NSS_CMSContentInfo_GetContent - get pointer to inner content
- *
- * needs to be casted...
- */
-extern void *
-NSS_CMSContentInfo_GetContent(NSSCMSContentInfo *cinfo);
-
-/* 
- * NSS_CMSContentInfo_GetInnerContent - get pointer to innermost content
- *
- * this is typically only called by NSS_CMSMessage_GetContent()
- */
-extern SECItem *
-NSS_CMSContentInfo_GetInnerContent(NSSCMSContentInfo *cinfo);
-
-/*
- * NSS_CMSContentInfo_GetContentType{Tag,OID} - find out (saving pointer to lookup result
- * for future reference) and return the inner content type.
- */
-extern SECOidTag
-NSS_CMSContentInfo_GetContentTypeTag(NSSCMSContentInfo *cinfo);
-
-extern SECItem *
-NSS_CMSContentInfo_GetContentTypeOID(NSSCMSContentInfo *cinfo);
-
-/*
- * NSS_CMSContentInfo_GetContentEncAlgTag - find out (saving pointer to lookup result
- * for future reference) and return the content encryption algorithm tag.
- */
-extern SECOidTag
-NSS_CMSContentInfo_GetContentEncAlgTag(NSSCMSContentInfo *cinfo);
-
-/*
- * NSS_CMSContentInfo_GetContentEncAlg - find out and return the content encryption algorithm tag.
- */
-extern SECAlgorithmID *
-NSS_CMSContentInfo_GetContentEncAlg(NSSCMSContentInfo *cinfo);
-
-extern SECStatus
-NSS_CMSContentInfo_SetContentEncAlg(PLArenaPool *poolp, NSSCMSContentInfo *cinfo,
-				    SECOidTag bulkalgtag, SECItem *parameters, int keysize);
-
-extern SECStatus
-NSS_CMSContentInfo_SetContentEncAlgID(PLArenaPool *poolp, NSSCMSContentInfo *cinfo,
-				    SECAlgorithmID *algid, int keysize);
-
-extern void
-NSS_CMSContentInfo_SetBulkKey(NSSCMSContentInfo *cinfo, PK11SymKey *bulkkey);
-
-extern PK11SymKey *
-NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo *cinfo);
-
-extern int
-NSS_CMSContentInfo_GetBulkKeySize(NSSCMSContentInfo *cinfo);
-
-/************************************************************************
- * cmsutil.c - CMS misc utility functions
- ************************************************************************/
-
-/*
- * NSS_CMSArray_SortByDER - sort array of objects by objects' DER encoding
- *
- * make sure that the order of the objects guarantees valid DER (which must be
- * in lexigraphically ascending order for a SET OF); if reordering is necessary it
- * will be done in place (in objs).
- */
-extern SECStatus
-NSS_CMSArray_SortByDER(void **objs, const SEC_ASN1Template *objtemplate, void **objs2);
-
-/*
- * NSS_CMSUtil_DERCompare - for use with NSS_CMSArray_Sort to
- *  sort arrays of SECItems containing DER
- */
-extern int
-NSS_CMSUtil_DERCompare(void *a, void *b);
-
-/*
- * NSS_CMSAlgArray_GetIndexByAlgID - find a specific algorithm in an array of 
- * algorithms.
- *
- * algorithmArray - array of algorithm IDs
- * algid - algorithmid of algorithm to pick
- *
- * Returns:
- *  An integer containing the index of the algorithm in the array or -1 if 
- *  algorithm was not found.
- */
-extern int
-NSS_CMSAlgArray_GetIndexByAlgID(SECAlgorithmID **algorithmArray, SECAlgorithmID *algid);
-
-/*
- * NSS_CMSAlgArray_GetIndexByAlgID - find a specific algorithm in an array of 
- * algorithms.
- *
- * algorithmArray - array of algorithm IDs
- * algiddata - id of algorithm to pick
- *
- * Returns:
- *  An integer containing the index of the algorithm in the array or -1 if 
- *  algorithm was not found.
- */
-extern int
-NSS_CMSAlgArray_GetIndexByAlgTag(SECAlgorithmID **algorithmArray, SECOidTag algtag);
-
-extern const SECHashObject *
-NSS_CMSUtil_GetHashObjByAlgID(SECAlgorithmID *algid);
-
-/*
- * XXX I would *really* like to not have to do this, but the current
- * signing interface gives me little choice.
- */
-extern SECOidTag
-NSS_CMSUtil_MakeSignatureAlgorithm(SECOidTag hashalg, SECOidTag encalg);
-
-extern const SEC_ASN1Template *
-NSS_CMSUtil_GetTemplateByTypeTag(SECOidTag type);
-
-extern size_t
-NSS_CMSUtil_GetSizeByTypeTag(SECOidTag type);
-
-extern NSSCMSContentInfo *
-NSS_CMSContent_GetContentInfo(void *msg, SECOidTag type);
-
-extern const char *
-NSS_CMSUtil_VerificationStatusToString(NSSCMSVerificationStatus vs);
-
-/************************************************************************
- * cmssigdata.c - CMS signedData methods
- ************************************************************************/
-
-extern NSSCMSSignedData *
-NSS_CMSSignedData_Create(NSSCMSMessage *cmsg);
-
-extern void
-NSS_CMSSignedData_Destroy(NSSCMSSignedData *sigd);
-
-/*
- * NSS_CMSSignedData_Encode_BeforeStart - do all the necessary things to a SignedData
- *     before start of encoding.
- *
- * In detail:
- *  - find out about the right value to put into sigd->version
- *  - come up with a list of digestAlgorithms (which should be the union of the algorithms
- *         in the signerinfos).
- *         If we happen to have a pre-set list of algorithms (and digest values!), we
- *         check if we have all the signerinfos' algorithms. If not, this is an error.
- */
-extern SECStatus
-NSS_CMSSignedData_Encode_BeforeStart(NSSCMSSignedData *sigd);
-
-extern SECStatus
-NSS_CMSSignedData_Encode_BeforeData(NSSCMSSignedData *sigd);
-
-/*
- * NSS_CMSSignedData_Encode_AfterData - do all the necessary things to a SignedData
- *     after all the encapsulated data was passed through the encoder.
- *
- * In detail:
- *  - create the signatures in all the SignerInfos
- *
- * Please note that nothing is done to the Certificates and CRLs in the message - this
- * is entirely the responsibility of our callers.
- */
-extern SECStatus
-NSS_CMSSignedData_Encode_AfterData(NSSCMSSignedData *sigd);
-
-extern SECStatus
-NSS_CMSSignedData_Decode_BeforeData(NSSCMSSignedData *sigd);
-
-/*
- * NSS_CMSSignedData_Decode_AfterData - do all the necessary things to a SignedData
- *     after all the encapsulated data was passed through the decoder.
- */
-extern SECStatus
-NSS_CMSSignedData_Decode_AfterData(NSSCMSSignedData *sigd);
-
-/*
- * NSS_CMSSignedData_Decode_AfterEnd - do all the necessary things to a SignedData
- *     after all decoding is finished.
- */
-extern SECStatus
-NSS_CMSSignedData_Decode_AfterEnd(NSSCMSSignedData *sigd);
-
-/* 
- * NSS_CMSSignedData_GetSignerInfos - retrieve the SignedData's signer list
- */
-extern NSSCMSSignerInfo **
-NSS_CMSSignedData_GetSignerInfos(NSSCMSSignedData *sigd);
-
-extern int
-NSS_CMSSignedData_SignerInfoCount(NSSCMSSignedData *sigd);
-
-extern NSSCMSSignerInfo *
-NSS_CMSSignedData_GetSignerInfo(NSSCMSSignedData *sigd, int i);
-
-/* 
- * NSS_CMSSignedData_GetDigestAlgs - retrieve the SignedData's digest algorithm list
- */
-extern SECAlgorithmID **
-NSS_CMSSignedData_GetDigestAlgs(NSSCMSSignedData *sigd);
-
-/*
- * NSS_CMSSignedData_GetContentInfo - return pointer to this signedData's contentinfo
- */
-extern NSSCMSContentInfo *
-NSS_CMSSignedData_GetContentInfo(NSSCMSSignedData *sigd);
-
-/* 
- * NSS_CMSSignedData_GetCertificateList - retrieve the SignedData's certificate list
- */
-extern SECItem **
-NSS_CMSSignedData_GetCertificateList(NSSCMSSignedData *sigd);
-
-extern SECStatus
-NSS_CMSSignedData_ImportCerts(NSSCMSSignedData *sigd, CERTCertDBHandle *certdb,
-				SECCertUsage certusage, PRBool keepcerts);
-
-/*
- * NSS_CMSSignedData_HasDigests - see if we have digests in place
- */
-extern PRBool
-NSS_CMSSignedData_HasDigests(NSSCMSSignedData *sigd);
-
-/*
- * NSS_CMSSignedData_VerifySignerInfo - check a signature.
- *
- * The digests were either calculated during decoding (and are stored in the
- * signedData itself) or set after decoding using NSS_CMSSignedData_SetDigests.
- *
- * The verification checks if the signing cert is valid and has a trusted chain
- * for the purpose specified by "certusage".
- */
-extern SECStatus
-NSS_CMSSignedData_VerifySignerInfo(NSSCMSSignedData *sigd, int i, CERTCertDBHandle *certdb,
-				    SECCertUsage certusage);
-
-/*
- * NSS_CMSSignedData_VerifyCertsOnly - verify the certs in a certs-only message
-*/
-extern SECStatus
-NSS_CMSSignedData_VerifyCertsOnly(NSSCMSSignedData *sigd, 
-                                  CERTCertDBHandle *certdb, 
-                                  SECCertUsage usage);
-
-extern SECStatus
-NSS_CMSSignedData_AddCertList(NSSCMSSignedData *sigd, CERTCertificateList *certlist);
-
-/*
- * NSS_CMSSignedData_AddCertChain - add cert and its entire chain to the set of certs 
- */
-extern SECStatus
-NSS_CMSSignedData_AddCertChain(NSSCMSSignedData *sigd, CERTCertificate *cert);
-
-extern SECStatus
-NSS_CMSSignedData_AddCertificate(NSSCMSSignedData *sigd, CERTCertificate *cert);
-
-extern PRBool
-NSS_CMSSignedData_ContainsCertsOrCrls(NSSCMSSignedData *sigd);
-
-extern SECStatus
-NSS_CMSSignedData_AddSignerInfo(NSSCMSSignedData *sigd,
-				NSSCMSSignerInfo *signerinfo);
-
-extern SECStatus
-NSS_CMSSignedData_SetDigests(NSSCMSSignedData *sigd,
-				SECAlgorithmID **digestalgs,
-				SECItem **digests);
-
-extern SECStatus
-NSS_CMSSignedData_SetDigestValue(NSSCMSSignedData *sigd,
-				SECOidTag digestalgtag,
-				SECItem *digestdata);
-
-extern SECStatus
-NSS_CMSSignedData_AddDigest(PRArenaPool *poolp,
-				NSSCMSSignedData *sigd,
-				SECOidTag digestalgtag,
-				SECItem *digest);
-
-extern SECItem *
-NSS_CMSSignedData_GetDigestValue(NSSCMSSignedData *sigd, SECOidTag digestalgtag);
-
-/*
- * NSS_CMSSignedData_CreateCertsOnly - create a certs-only SignedData.
- *
- * cert          - base certificates that will be included
- * include_chain - if true, include the complete cert chain for cert
- *
- * More certs and chains can be added via AddCertificate and AddCertChain.
- *
- * An error results in a return value of NULL and an error set.
- */
-extern NSSCMSSignedData *
-NSS_CMSSignedData_CreateCertsOnly(NSSCMSMessage *cmsg, CERTCertificate *cert, PRBool include_chain);
-
-/************************************************************************
- * cmssiginfo.c - signerinfo methods
- ************************************************************************/
-
-extern NSSCMSSignerInfo *
-NSS_CMSSignerInfo_Create(NSSCMSMessage *cmsg, CERTCertificate *cert, SECOidTag digestalgtag);
-extern NSSCMSSignerInfo *
-NSS_CMSSignerInfo_CreateWithSubjKeyID(NSSCMSMessage *cmsg, SECItem *subjKeyID, SECKEYPublicKey *pubKey, SECKEYPrivateKey *signingKey, SECOidTag digestalgtag);
-
-/*
- * NSS_CMSSignerInfo_Destroy - destroy a SignerInfo data structure
- */
-extern void
-NSS_CMSSignerInfo_Destroy(NSSCMSSignerInfo *si);
-
-/*
- * NSS_CMSSignerInfo_Sign - sign something
- *
- */
-extern SECStatus
-NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *contentType);
-
-extern SECStatus
-NSS_CMSSignerInfo_VerifyCertificate(NSSCMSSignerInfo *signerinfo, CERTCertDBHandle *certdb,
-			    SECCertUsage certusage);
-
-/*
- * NSS_CMSSignerInfo_Verify - verify the signature of a single SignerInfo
- *
- * Just verifies the signature. The assumption is that verification of the certificate
- * is done already.
- */
-extern SECStatus
-NSS_CMSSignerInfo_Verify(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *contentType);
-
-extern NSSCMSVerificationStatus
-NSS_CMSSignerInfo_GetVerificationStatus(NSSCMSSignerInfo *signerinfo);
-
-extern SECOidData *
-NSS_CMSSignerInfo_GetDigestAlg(NSSCMSSignerInfo *signerinfo);
-
-extern SECOidTag
-NSS_CMSSignerInfo_GetDigestAlgTag(NSSCMSSignerInfo *signerinfo);
-
-extern int
-NSS_CMSSignerInfo_GetVersion(NSSCMSSignerInfo *signerinfo);
-
-extern CERTCertificateList *
-NSS_CMSSignerInfo_GetCertList(NSSCMSSignerInfo *signerinfo);
-
-/*
- * NSS_CMSSignerInfo_GetSigningTime - return the signing time,
- *				      in UTCTime format, of a CMS signerInfo.
- *
- * sinfo - signerInfo data for this signer
- *
- * Returns a pointer to XXXX (what?)
- * A return value of NULL is an error.
- */
-extern SECStatus
-NSS_CMSSignerInfo_GetSigningTime(NSSCMSSignerInfo *sinfo, PRTime *stime);
-
-/*
- * Return the signing cert of a CMS signerInfo.
- *
- * the certs in the enclosing SignedData must have been imported already
- */
-extern CERTCertificate *
-NSS_CMSSignerInfo_GetSigningCertificate(NSSCMSSignerInfo *signerinfo, CERTCertDBHandle *certdb);
-
-/*
- * NSS_CMSSignerInfo_GetSignerCommonName - return the common name of the signer
- *
- * sinfo - signerInfo data for this signer
- *
- * Returns a pointer to allocated memory, which must be freed with PORT_Free.
- * A return value of NULL is an error.
- */
-extern char *
-NSS_CMSSignerInfo_GetSignerCommonName(NSSCMSSignerInfo *sinfo);
-
-/*
- * NSS_CMSSignerInfo_GetSignerEmailAddress - return the common name of the signer
- *
- * sinfo - signerInfo data for this signer
- *
- * Returns a pointer to allocated memory, which must be freed.
- * A return value of NULL is an error.
- */
-extern char *
-NSS_CMSSignerInfo_GetSignerEmailAddress(NSSCMSSignerInfo *sinfo);
-
-/*
- * NSS_CMSSignerInfo_AddAuthAttr - add an attribute to the
- * authenticated (i.e. signed) attributes of "signerinfo". 
- */
-extern SECStatus
-NSS_CMSSignerInfo_AddAuthAttr(NSSCMSSignerInfo *signerinfo, NSSCMSAttribute *attr);
-
-/*
- * NSS_CMSSignerInfo_AddUnauthAttr - add an attribute to the
- * unauthenticated attributes of "signerinfo". 
- */
-extern SECStatus
-NSS_CMSSignerInfo_AddUnauthAttr(NSSCMSSignerInfo *signerinfo, NSSCMSAttribute *attr);
-
-/* 
- * NSS_CMSSignerInfo_AddSigningTime - add the signing time to the
- * authenticated (i.e. signed) attributes of "signerinfo". 
- *
- * This is expected to be included in outgoing signed
- * messages for email (S/MIME) but is likely useful in other situations.
- *
- * This should only be added once; a second call will do nothing.
- *
- * XXX This will probably just shove the current time into "signerinfo"
- * but it will not actually get signed until the entire item is
- * processed for encoding.  Is this (expected to be small) delay okay?
- */
-extern SECStatus
-NSS_CMSSignerInfo_AddSigningTime(NSSCMSSignerInfo *signerinfo, PRTime t);
-
-/*
- * NSS_CMSSignerInfo_AddSMIMECaps - add a SMIMECapabilities attribute to the
- * authenticated (i.e. signed) attributes of "signerinfo".
- *
- * This is expected to be included in outgoing signed
- * messages for email (S/MIME).
- */
-extern SECStatus
-NSS_CMSSignerInfo_AddSMIMECaps(NSSCMSSignerInfo *signerinfo);
-
-/*
- * NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs - add a SMIMEEncryptionKeyPreferences attribute to the
- * authenticated (i.e. signed) attributes of "signerinfo".
- *
- * This is expected to be included in outgoing signed messages for email (S/MIME).
- */
-SECStatus
-NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs(NSSCMSSignerInfo *signerinfo, CERTCertificate *cert, CERTCertDBHandle *certdb);
-
-/*
- * NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs - add a SMIMEEncryptionKeyPreferences attribute to the
- * authenticated (i.e. signed) attributes of "signerinfo", using the OID prefered by Microsoft.
- *
- * This is expected to be included in outgoing signed messages for email (S/MIME),
- * if compatibility with Microsoft mail clients is wanted.
- */
-SECStatus
-NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs(NSSCMSSignerInfo *signerinfo, CERTCertificate *cert, CERTCertDBHandle *certdb);
-
-/* 
- * NSS_CMSSignerInfo_AddCounterSignature - countersign a signerinfo
- */
-extern SECStatus
-NSS_CMSSignerInfo_AddCounterSignature(NSSCMSSignerInfo *signerinfo,
-				    SECOidTag digestalg, CERTCertificate signingcert);
-
-/*
- * XXXX the following needs to be done in the S/MIME layer code
- * after signature of a signerinfo is verified
- */
-extern SECStatus
-NSS_SMIMESignerInfo_SaveSMIMEProfile(NSSCMSSignerInfo *signerinfo);
-
-/*
- * NSS_CMSSignerInfo_IncludeCerts - set cert chain inclusion mode for this signer
- */
-extern SECStatus
-NSS_CMSSignerInfo_IncludeCerts(NSSCMSSignerInfo *signerinfo, NSSCMSCertChainMode cm, SECCertUsage usage);
-
-/************************************************************************
- * cmsenvdata.c - CMS envelopedData methods
- ************************************************************************/
-
-/*
- * NSS_CMSEnvelopedData_Create - create an enveloped data message
- */
-extern NSSCMSEnvelopedData *
-NSS_CMSEnvelopedData_Create(NSSCMSMessage *cmsg, SECOidTag algorithm, int keysize);
-
-/*
- * NSS_CMSEnvelopedData_Destroy - destroy an enveloped data message
- */
-extern void
-NSS_CMSEnvelopedData_Destroy(NSSCMSEnvelopedData *edp);
-
-/*
- * NSS_CMSEnvelopedData_GetContentInfo - return pointer to this envelopedData's contentinfo
- */
-extern NSSCMSContentInfo *
-NSS_CMSEnvelopedData_GetContentInfo(NSSCMSEnvelopedData *envd);
-
-/*
- * NSS_CMSEnvelopedData_AddRecipient - add a recipientinfo to the enveloped data msg
- *
- * rip must be created on the same pool as edp - this is not enforced, though.
- */
-extern SECStatus
-NSS_CMSEnvelopedData_AddRecipient(NSSCMSEnvelopedData *edp, NSSCMSRecipientInfo *rip);
-
-/*
- * NSS_CMSEnvelopedData_Encode_BeforeStart - prepare this envelopedData for encoding
- *
- * at this point, we need
- * - recipientinfos set up with recipient's certificates
- * - a content encryption algorithm (if none, 3DES will be used)
- *
- * this function will generate a random content encryption key (aka bulk key),
- * initialize the recipientinfos with certificate identification and wrap the bulk key
- * using the proper algorithm for every certificiate.
- * it will finally set the bulk algorithm and key so that the encode step can find it.
- */
-extern SECStatus
-NSS_CMSEnvelopedData_Encode_BeforeStart(NSSCMSEnvelopedData *envd);
-
-/*
- * NSS_CMSEnvelopedData_Encode_BeforeData - set up encryption
- */
-extern SECStatus
-NSS_CMSEnvelopedData_Encode_BeforeData(NSSCMSEnvelopedData *envd);
-
-/*
- * NSS_CMSEnvelopedData_Encode_AfterData - finalize this envelopedData for encoding
- */
-extern SECStatus
-NSS_CMSEnvelopedData_Encode_AfterData(NSSCMSEnvelopedData *envd);
-
-/*
- * NSS_CMSEnvelopedData_Decode_BeforeData - find our recipientinfo, 
- * derive bulk key & set up our contentinfo
- */
-extern SECStatus
-NSS_CMSEnvelopedData_Decode_BeforeData(NSSCMSEnvelopedData *envd);
-
-/*
- * NSS_CMSEnvelopedData_Decode_AfterData - finish decrypting this envelopedData's content
- */
-extern SECStatus
-NSS_CMSEnvelopedData_Decode_AfterData(NSSCMSEnvelopedData *envd);
-
-/*
- * NSS_CMSEnvelopedData_Decode_AfterEnd - finish decoding this envelopedData
- */
-extern SECStatus
-NSS_CMSEnvelopedData_Decode_AfterEnd(NSSCMSEnvelopedData *envd);
-
-
-/************************************************************************
- * cmsrecinfo.c - CMS recipientInfo methods
- ************************************************************************/
-
-/*
- * NSS_CMSRecipientInfo_Create - create a recipientinfo
- *
- * we currently do not create KeyAgreement recipientinfos with multiple recipientEncryptedKeys
- * the certificate is supposed to have been verified by the caller
- */
-extern NSSCMSRecipientInfo *
-NSS_CMSRecipientInfo_Create(NSSCMSMessage *cmsg, CERTCertificate *cert);
-
-extern NSSCMSRecipientInfo *
-NSS_CMSRecipientInfo_CreateWithSubjKeyID(NSSCMSMessage   *cmsg, 
-                                         SECItem         *subjKeyID,
-                                         SECKEYPublicKey *pubKey);
-
-extern NSSCMSRecipientInfo *
-NSS_CMSRecipientInfo_CreateWithSubjKeyIDFromCert(NSSCMSMessage *cmsg, 
-                                                 CERTCertificate *cert);
-
-/*
- * NSS_CMSRecipientInfo_CreateNew - create a blank recipientinfo for 
- * applications which want to encode their own CMS structures and
- * key exchange types.
- */
-extern NSSCMSRecipientInfo *
-NSS_CMSRecipientInfo_CreateNew(void* pwfn_arg);
-
-/*
- * NSS_CMSRecipientInfo_CreateFromDER - create a recipientinfo  from partially
- * decoded DER data for applications which want to encode their own CMS 
- * structures and key exchange types.
- */
-extern NSSCMSRecipientInfo *
-NSS_CMSRecipientInfo_CreateFromDER(SECItem* input, void* pwfn_arg);
-
-extern void
-NSS_CMSRecipientInfo_Destroy(NSSCMSRecipientInfo *ri);
-
-/*
- * NSS_CMSRecipientInfo_GetCertAndKey - retrieve the cert and key from the
- * recipientInfo struct. If retcert or retkey are NULL, the cert or 
- * key (respectively) would not be returned). This function is a no-op if both 
- * retcert and retkey are NULL. Caller inherits ownership of the cert and key
- * he requested (and is responsible to free them).
- */
-SECStatus NSS_CMSRecipientInfo_GetCertAndKey(NSSCMSRecipientInfo *ri,
-   CERTCertificate** retcert, SECKEYPrivateKey** retkey);
-
-extern int
-NSS_CMSRecipientInfo_GetVersion(NSSCMSRecipientInfo *ri);
-
-extern SECItem *
-NSS_CMSRecipientInfo_GetEncryptedKey(NSSCMSRecipientInfo *ri, int subIndex);
-
-/*
- * NSS_CMSRecipientInfo_Encode - encode an NSS_CMSRecipientInfo as ASN.1
- */
-SECStatus NSS_CMSRecipientInfo_Encode(PRArenaPool* poolp,
-                                      const NSSCMSRecipientInfo *src,
-                                      SECItem* returned);
-
-extern SECOidTag
-NSS_CMSRecipientInfo_GetKeyEncryptionAlgorithmTag(NSSCMSRecipientInfo *ri);
-
-extern SECStatus
-NSS_CMSRecipientInfo_WrapBulkKey(NSSCMSRecipientInfo *ri, PK11SymKey *bulkkey, SECOidTag bulkalgtag);
-
-extern PK11SymKey *
-NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCMSRecipientInfo *ri, int subIndex,
-		CERTCertificate *cert, SECKEYPrivateKey *privkey, SECOidTag bulkalgtag);
-
-/************************************************************************
- * cmsencdata.c - CMS encryptedData methods
- ************************************************************************/
-/*
- * NSS_CMSEncryptedData_Create - create an empty encryptedData object.
- *
- * "algorithm" specifies the bulk encryption algorithm to use.
- * "keysize" is the key size.
- * 
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-extern NSSCMSEncryptedData *
-NSS_CMSEncryptedData_Create(NSSCMSMessage *cmsg, SECOidTag algorithm, int keysize);
-
-/*
- * NSS_CMSEncryptedData_Destroy - destroy an encryptedData object
- */
-extern void
-NSS_CMSEncryptedData_Destroy(NSSCMSEncryptedData *encd);
-
-/*
- * NSS_CMSEncryptedData_GetContentInfo - return pointer to encryptedData object's contentInfo
- */
-extern NSSCMSContentInfo *
-NSS_CMSEncryptedData_GetContentInfo(NSSCMSEncryptedData *encd);
-
-/*
- * NSS_CMSEncryptedData_Encode_BeforeStart - do all the necessary things to a EncryptedData
- *     before encoding begins.
- *
- * In particular:
- *  - set the correct version value.
- *  - get the encryption key
- */
-extern SECStatus
-NSS_CMSEncryptedData_Encode_BeforeStart(NSSCMSEncryptedData *encd);
-
-/*
- * NSS_CMSEncryptedData_Encode_BeforeData - set up encryption
- */
-extern SECStatus
-NSS_CMSEncryptedData_Encode_BeforeData(NSSCMSEncryptedData *encd);
-
-/*
- * NSS_CMSEncryptedData_Encode_AfterData - finalize this encryptedData for encoding
- */
-extern SECStatus
-NSS_CMSEncryptedData_Encode_AfterData(NSSCMSEncryptedData *encd);
-
-/*
- * NSS_CMSEncryptedData_Decode_BeforeData - find bulk key & set up decryption
- */
-extern SECStatus
-NSS_CMSEncryptedData_Decode_BeforeData(NSSCMSEncryptedData *encd);
-
-/*
- * NSS_CMSEncryptedData_Decode_AfterData - finish decrypting this encryptedData's content
- */
-extern SECStatus
-NSS_CMSEncryptedData_Decode_AfterData(NSSCMSEncryptedData *encd);
-
-/*
- * NSS_CMSEncryptedData_Decode_AfterEnd - finish decoding this encryptedData
- */
-extern SECStatus
-NSS_CMSEncryptedData_Decode_AfterEnd(NSSCMSEncryptedData *encd);
-
-/************************************************************************
- * cmsdigdata.c - CMS encryptedData methods
- ************************************************************************/
-/*
- * NSS_CMSDigestedData_Create - create a digestedData object (presumably for encoding)
- *
- * version will be set by NSS_CMSDigestedData_Encode_BeforeStart
- * digestAlg is passed as parameter
- * contentInfo must be filled by the user
- * digest will be calculated while encoding
- */
-extern NSSCMSDigestedData *
-NSS_CMSDigestedData_Create(NSSCMSMessage *cmsg, SECAlgorithmID *digestalg);
-
-/*
- * NSS_CMSDigestedData_Destroy - destroy a digestedData object
- */
-extern void
-NSS_CMSDigestedData_Destroy(NSSCMSDigestedData *digd);
-
-/*
- * NSS_CMSDigestedData_GetContentInfo - return pointer to digestedData object's contentInfo
- */
-extern NSSCMSContentInfo *
-NSS_CMSDigestedData_GetContentInfo(NSSCMSDigestedData *digd);
-
-/*
- * NSS_CMSDigestedData_Encode_BeforeStart - do all the necessary things to a DigestedData
- *     before encoding begins.
- *
- * In particular:
- *  - set the right version number. The contentInfo's content type must be set up already.
- */
-extern SECStatus
-NSS_CMSDigestedData_Encode_BeforeStart(NSSCMSDigestedData *digd);
-
-/*
- * NSS_CMSDigestedData_Encode_BeforeData - do all the necessary things to a DigestedData
- *     before the encapsulated data is passed through the encoder.
- *
- * In detail:
- *  - set up the digests if necessary
- */
-extern SECStatus
-NSS_CMSDigestedData_Encode_BeforeData(NSSCMSDigestedData *digd);
-
-/*
- * NSS_CMSDigestedData_Encode_AfterData - do all the necessary things to a DigestedData
- *     after all the encapsulated data was passed through the encoder.
- *
- * In detail:
- *  - finish the digests
- */
-extern SECStatus
-NSS_CMSDigestedData_Encode_AfterData(NSSCMSDigestedData *digd);
-
-/*
- * NSS_CMSDigestedData_Decode_BeforeData - do all the necessary things to a DigestedData
- *     before the encapsulated data is passed through the encoder.
- *
- * In detail:
- *  - set up the digests if necessary
- */
-extern SECStatus
-NSS_CMSDigestedData_Decode_BeforeData(NSSCMSDigestedData *digd);
-
-/*
- * NSS_CMSDigestedData_Decode_AfterData - do all the necessary things to a DigestedData
- *     after all the encapsulated data was passed through the encoder.
- *
- * In detail:
- *  - finish the digests
- */
-extern SECStatus
-NSS_CMSDigestedData_Decode_AfterData(NSSCMSDigestedData *digd);
-
-/*
- * NSS_CMSDigestedData_Decode_AfterEnd - finalize a digestedData.
- *
- * In detail:
- *  - check the digests for equality
- */
-extern SECStatus
-NSS_CMSDigestedData_Decode_AfterEnd(NSSCMSDigestedData *digd);
-
-/************************************************************************
- * cmsdigest.c - digestion routines
- ************************************************************************/
-
-/*
- * NSS_CMSDigestContext_StartMultiple - start digest calculation using all the
- *  digest algorithms in "digestalgs" in parallel.
- */
-extern NSSCMSDigestContext *
-NSS_CMSDigestContext_StartMultiple(SECAlgorithmID **digestalgs);
-
-/*
- * NSS_CMSDigestContext_StartSingle - same as NSS_CMSDigestContext_StartMultiple, but
- *  only one algorithm.
- */
-extern NSSCMSDigestContext *
-NSS_CMSDigestContext_StartSingle(SECAlgorithmID *digestalg);
-
-/*
- * NSS_CMSDigestContext_Update - feed more data into the digest machine
- */
-extern void
-NSS_CMSDigestContext_Update(NSSCMSDigestContext *cmsdigcx, const unsigned char *data, int len);
-
-/*
- * NSS_CMSDigestContext_Cancel - cancel digesting operation
- */
-extern void
-NSS_CMSDigestContext_Cancel(NSSCMSDigestContext *cmsdigcx);
-
-/*
- * NSS_CMSDigestContext_FinishMultiple - finish the digests and put them
- *  into an array of SECItems (allocated on poolp)
- */
-extern SECStatus
-NSS_CMSDigestContext_FinishMultiple(NSSCMSDigestContext *cmsdigcx, PLArenaPool *poolp,
-			    SECItem ***digestsp);
-
-/*
- * NSS_CMSDigestContext_FinishSingle - same as NSS_CMSDigestContext_FinishMultiple,
- *  but for one digest.
- */
-extern SECStatus
-NSS_CMSDigestContext_FinishSingle(NSSCMSDigestContext *cmsdigcx, PLArenaPool *poolp,
-			    SECItem *digest);
-
-/************************************************************************
- * 
- ************************************************************************/
-
-/* shortcuts for basic use */
-
-/*
- * NSS_CMSDEREncode - DER Encode a CMS message, with input being
- *                    the plaintext message and derOut being the output,
- *                    stored in arena's pool.
- */
-extern SECStatus
-NSS_CMSDEREncode(NSSCMSMessage *cmsg, SECItem *input, SECItem *derOut, 
-                 PLArenaPool *arena);
-
-
-/************************************************************************/
-SEC_END_PROTOS
-
-#endif /* _CMS_H_ */
diff --git a/security/nss/lib/smime/cmsarray.c b/security/nss/lib/smime/cmsarray.c
deleted file mode 100644
index 7f331c82a..000000000
--- a/security/nss/lib/smime/cmsarray.c
+++ /dev/null
@@ -1,219 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * CMS array functions.
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "secerr.h"
-
-/*
- * ARRAY FUNCTIONS
- *
- * In NSS, arrays are rather primitive arrays of pointers.
- * Makes it easy to walk the array, but hard to count elements
- * and manage the storage.
- *
- * This is a feeble attempt to encapsulate the functionality
- * and get rid of hundreds of lines of similar code
- */
-
-/*
- * NSS_CMSArray_Alloc - allocate an array in an arena
- *
- * This allocates space for the array of pointers
- */
-void **
-NSS_CMSArray_Alloc(PRArenaPool *poolp, int n)
-{
-    return (void **)PORT_ArenaZAlloc(poolp, n * sizeof(void *));
-}
-
-/*
- * NSS_CMSArray_Add - add an element to the end of an array
- *
- * The array of pointers is either created (if array was empty before) or grown.
- */
-SECStatus
-NSS_CMSArray_Add(PRArenaPool *poolp, void ***array, void *obj)
-{
-    void **p;
-    int n;
-    void **dest;
-
-    PORT_Assert(array != NULL);
-    if (array == NULL)
-	return SECFailure;
-
-    if (*array == NULL) {
-	dest = (void **)PORT_ArenaAlloc(poolp, 2 * sizeof(void *));
-	n = 0;
-    } else {
-	n = 0; p = *array;
-	while (*p++)
-	    n++;
-	dest = (void **)PORT_ArenaGrow (poolp, 
-			      *array,
-			      (n + 1) * sizeof(void *),
-			      (n + 2) * sizeof(void *));
-    }
-
-    if (dest == NULL)
-	return SECFailure;
-
-    dest[n] = obj;
-    dest[n+1] = NULL;
-    *array = dest;
-    return SECSuccess;
-}
-
-/*
- * NSS_CMSArray_IsEmpty - check if array is empty
- */
-PRBool
-NSS_CMSArray_IsEmpty(void **array)
-{
-    return (array == NULL || array[0] == NULL);
-}
-
-/*
- * NSS_CMSArray_Count - count number of elements in array
- */
-int
-NSS_CMSArray_Count(void **array)
-{
-    int n = 0;
-
-    if (array == NULL)
-	return 0;
-
-    while (*array++ != NULL)
-	n++;
-
-    return n;
-}
-
-/*
- * NSS_CMSArray_Sort - sort an array in place
- *
- * If "secondary" or "tertiary are not NULL, it must be arrays with the same
- *  number of elements as "primary". The same reordering will get applied to it.
- *
- * "compare" is a function that returns 
- *  < 0 when the first element is less than the second
- *  = 0 when the first element is equal to the second
- *  > 0 when the first element is greater than the second
- * to acheive ascending ordering.
- */
-void
-NSS_CMSArray_Sort(void **primary, int (*compare)(void *,void *), void **secondary, void **tertiary)
-{
-    int n, i, limit, lastxchg;
-    void *tmp;
-
-    n = NSS_CMSArray_Count(primary);
-
-    PORT_Assert(secondary == NULL || NSS_CMSArray_Count(secondary) == n);
-    PORT_Assert(tertiary == NULL || NSS_CMSArray_Count(tertiary) == n);
-    
-    if (n <= 1)	/* ordering is fine */
-	return;
-    
-    /* yes, ladies and gentlemen, it's BUBBLE SORT TIME! */
-    limit = n - 1;
-    while (1) {
-	lastxchg = 0;
-	for (i = 0; i < limit; i++) {
-	    if ((*compare)(primary[i], primary[i+1]) > 0) {
-		/* exchange the neighbours */
-		tmp = primary[i+1];
-		primary[i+1] = primary[i];
-		primary[i] = tmp;
-		if (secondary) {		/* secondary array? */
-		    tmp = secondary[i+1];	/* exchange there as well */
-		    secondary[i+1] = secondary[i];
-		    secondary[i] = tmp;
-		}
-		if (tertiary) {			/* tertiary array? */
-		    tmp = tertiary[i+1];	/* exchange there as well */
-		    tertiary[i+1] = tertiary[i];
-		    tertiary[i] = tmp;
-		}
-		lastxchg = i+1;	/* index of the last element bubbled up */
-	    }
-	}
-	if (lastxchg == 0)	/* no exchanges, so array is sorted */
-	    break;		/* we're done */
-	limit = lastxchg;	/* array is sorted up to [limit] */
-    }
-}
-
-#if 0
-
-/* array iterator stuff... not used */
-
-typedef void **NSSCMSArrayIterator;
-
-/* iterator */
-NSSCMSArrayIterator
-NSS_CMSArray_First(void **array)
-{
-    if (array == NULL || array[0] == NULL)
-	return NULL;
-    return (NSSCMSArrayIterator)&(array[0]);
-}
-
-void *
-NSS_CMSArray_Obj(NSSCMSArrayIterator iter)
-{
-    void **p = (void **)iter;
-
-    return *iter;	/* which is NULL if we are at the end of the array */
-}
-
-NSSCMSArrayIterator
-NSS_CMSArray_Next(NSSCMSArrayIterator iter)
-{
-    void **p = (void **)iter;
-
-    return (NSSCMSArrayIterator)(p + 1);
-}
-
-#endif
diff --git a/security/nss/lib/smime/cmsasn1.c b/security/nss/lib/smime/cmsasn1.c
deleted file mode 100644
index 93d206e90..000000000
--- a/security/nss/lib/smime/cmsasn1.c
+++ /dev/null
@@ -1,578 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * CMS ASN.1 templates
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "cert.h"
-#include "key.h"
-#include "secasn1.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "prtime.h"
-#include "secerr.h"
-
-
-extern const SEC_ASN1Template nss_cms_set_of_attribute_template[];
-
-SEC_ASN1_MKSUB(CERT_IssuerAndSNTemplate)
-SEC_ASN1_MKSUB(CERT_SetOfSignedCrlTemplate)
-SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
-SEC_ASN1_MKSUB(SEC_BitStringTemplate)
-SEC_ASN1_MKSUB(SEC_OctetStringTemplate)
-SEC_ASN1_MKSUB(SEC_PointerToOctetStringTemplate)
-SEC_ASN1_MKSUB(SEC_SetOfAnyTemplate)
-
-/* -----------------------------------------------------------------------------
- * MESSAGE
- * (uses NSSCMSContentInfo)
- */
-
-/* forward declaration */
-static const SEC_ASN1Template *
-nss_cms_choose_content_template(void *src_or_dest, PRBool encoding);
-
-static const SEC_ASN1TemplateChooserPtr nss_cms_chooser
-	= nss_cms_choose_content_template;
-
-const SEC_ASN1Template NSSCMSMessageTemplate[] = {
-    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
-	  0, NULL, sizeof(NSSCMSMessage) },
-    { SEC_ASN1_OBJECT_ID,
-	  offsetof(NSSCMSMessage,contentInfo.contentType) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_DYNAMIC | SEC_ASN1_MAY_STREAM
-     | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
-	  offsetof(NSSCMSMessage,contentInfo.content),
-	  &nss_cms_chooser },
-    { 0 }
-};
-
-static const SEC_ASN1Template NSS_PointerToCMSMessageTemplate[] = {
-    { SEC_ASN1_POINTER, 0, NSSCMSMessageTemplate }
-};
-
-/* -----------------------------------------------------------------------------
- * ENCAPSULATED & ENCRYPTED CONTENTINFO
- * (both use a NSSCMSContentInfo)
- */
-static const SEC_ASN1Template NSSCMSEncapsulatedContentInfoTemplate[] = {
-    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
-	  0, NULL, sizeof(NSSCMSContentInfo) },
-    { SEC_ASN1_OBJECT_ID,
-	  offsetof(NSSCMSContentInfo,contentType) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | SEC_ASN1_MAY_STREAM |
-	SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
-	  offsetof(NSSCMSContentInfo,rawContent),
-	  SEC_ASN1_SUB(SEC_PointerToOctetStringTemplate) },
-    { 0 }
-};
-
-static const SEC_ASN1Template NSSCMSEncryptedContentInfoTemplate[] = {
-    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
-	  0, NULL, sizeof(NSSCMSContentInfo) },
-    { SEC_ASN1_OBJECT_ID,
-	  offsetof(NSSCMSContentInfo,contentType) },
-    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
-	  offsetof(NSSCMSContentInfo,contentEncAlg),
-	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_POINTER | SEC_ASN1_MAY_STREAM | 
-      SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
-	  offsetof(NSSCMSContentInfo,rawContent),
-	  SEC_ASN1_SUB(SEC_OctetStringTemplate) },
-    { 0 }
-};
-
-/* -----------------------------------------------------------------------------
- * SIGNED DATA
- */
-
-const SEC_ASN1Template NSSCMSSignerInfoTemplate[];
-
-const SEC_ASN1Template NSSCMSSignedDataTemplate[] = {
-    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
-	  0, NULL, sizeof(NSSCMSSignedData) },
-    { SEC_ASN1_INTEGER,
-	  offsetof(NSSCMSSignedData,version) },
-    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN,
-	  offsetof(NSSCMSSignedData,digestAlgorithms),
-	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-    { SEC_ASN1_INLINE,
-	  offsetof(NSSCMSSignedData,contentInfo),
-	  NSSCMSEncapsulatedContentInfoTemplate },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
-      SEC_ASN1_XTRN | 0,
-	  offsetof(NSSCMSSignedData,rawCerts),
-	  SEC_ASN1_SUB(SEC_SetOfAnyTemplate) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
-      SEC_ASN1_XTRN | 1,
-	  offsetof(NSSCMSSignedData,crls),
-	  SEC_ASN1_SUB(CERT_SetOfSignedCrlTemplate) },
-    { SEC_ASN1_SET_OF,
-	  offsetof(NSSCMSSignedData,signerInfos),
-	  NSSCMSSignerInfoTemplate },
-    { 0 }
-};
-
-const SEC_ASN1Template NSS_PointerToCMSSignedDataTemplate[] = {
-    { SEC_ASN1_POINTER, 0, NSSCMSSignedDataTemplate }
-};
-
-/* -----------------------------------------------------------------------------
- * signeridentifier
- */
-
-static const SEC_ASN1Template NSSCMSSignerIdentifierTemplate[] = {
-    { SEC_ASN1_CHOICE,
-	  offsetof(NSSCMSSignerIdentifier,identifierType), NULL,
-	  sizeof(NSSCMSSignerIdentifier) },
-    { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
-	  offsetof(NSSCMSSignerIdentifier,id.subjectKeyID),
-	  SEC_ASN1_SUB(SEC_OctetStringTemplate) ,
-	  NSSCMSRecipientID_SubjectKeyID },
-    { SEC_ASN1_POINTER | SEC_ASN1_XTRN,
-	  offsetof(NSSCMSSignerIdentifier,id.issuerAndSN),
-	  SEC_ASN1_SUB(CERT_IssuerAndSNTemplate),
-	  NSSCMSRecipientID_IssuerSN },
-    { 0 }
-};
-
-/* -----------------------------------------------------------------------------
- * signerinfo
- */
-
-const SEC_ASN1Template NSSCMSSignerInfoTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(NSSCMSSignerInfo) },
-    { SEC_ASN1_INTEGER,
-	  offsetof(NSSCMSSignerInfo,version) },
-    { SEC_ASN1_INLINE,
-	  offsetof(NSSCMSSignerInfo,signerIdentifier),
-	  NSSCMSSignerIdentifierTemplate },
-    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
-	  offsetof(NSSCMSSignerInfo,digestAlg),
-	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
-	  offsetof(NSSCMSSignerInfo,authAttr),
-	  nss_cms_set_of_attribute_template },
-    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
-	  offsetof(NSSCMSSignerInfo,digestEncAlg),
-	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-    { SEC_ASN1_OCTET_STRING,
-	  offsetof(NSSCMSSignerInfo,encDigest) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
-	  offsetof(NSSCMSSignerInfo,unAuthAttr),
-	  nss_cms_set_of_attribute_template },
-    { 0 }
-};
-
-/* -----------------------------------------------------------------------------
- * ENVELOPED DATA
- */
-
-static const SEC_ASN1Template NSSCMSOriginatorInfoTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(NSSCMSOriginatorInfo) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
-      SEC_ASN1_XTRN | 0,
-	  offsetof(NSSCMSOriginatorInfo,rawCerts),
-	  SEC_ASN1_SUB(SEC_SetOfAnyTemplate) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
-      SEC_ASN1_XTRN | 1,
-	  offsetof(NSSCMSOriginatorInfo,crls),
-	  SEC_ASN1_SUB(CERT_SetOfSignedCrlTemplate) },
-    { 0 }
-};
-
-const SEC_ASN1Template NSSCMSRecipientInfoTemplate[];
-
-const SEC_ASN1Template NSSCMSEnvelopedDataTemplate[] = {
-    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
-	  0, NULL, sizeof(NSSCMSEnvelopedData) },
-    { SEC_ASN1_INTEGER,
-	  offsetof(NSSCMSEnvelopedData,version) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_POINTER | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
-	  offsetof(NSSCMSEnvelopedData,originatorInfo),
-	  NSSCMSOriginatorInfoTemplate },
-    { SEC_ASN1_SET_OF,
-	  offsetof(NSSCMSEnvelopedData,recipientInfos),
-	  NSSCMSRecipientInfoTemplate },
-    { SEC_ASN1_INLINE,
-	  offsetof(NSSCMSEnvelopedData,contentInfo),
-	  NSSCMSEncryptedContentInfoTemplate },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
-	  offsetof(NSSCMSEnvelopedData,unprotectedAttr),
-	  nss_cms_set_of_attribute_template },
-    { 0 }
-};
-
-const SEC_ASN1Template NSS_PointerToCMSEnvelopedDataTemplate[] = {
-    { SEC_ASN1_POINTER, 0, NSSCMSEnvelopedDataTemplate }
-};
-
-/* here come the 15 gazillion templates for all the v3 varieties of RecipientInfo */
-
-/* -----------------------------------------------------------------------------
- * key transport recipient info
- */
-
-static const SEC_ASN1Template NSSCMSRecipientIdentifierTemplate[] = {
-    { SEC_ASN1_CHOICE,
-	  offsetof(NSSCMSRecipientIdentifier,identifierType), NULL,
-	  sizeof(NSSCMSRecipientIdentifier) },
-    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
-      SEC_ASN1_XTRN | 0,
-	  offsetof(NSSCMSRecipientIdentifier,id.subjectKeyID),
-	  SEC_ASN1_SUB(SEC_PointerToOctetStringTemplate) ,
-	  NSSCMSRecipientID_SubjectKeyID },
-    { SEC_ASN1_POINTER | SEC_ASN1_XTRN,
-	  offsetof(NSSCMSRecipientIdentifier,id.issuerAndSN),
-	  SEC_ASN1_SUB(CERT_IssuerAndSNTemplate),
-	  NSSCMSRecipientID_IssuerSN },
-    { 0 }
-};
-
-
-static const SEC_ASN1Template NSSCMSKeyTransRecipientInfoTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(NSSCMSKeyTransRecipientInfo) },
-    { SEC_ASN1_INTEGER,
-	  offsetof(NSSCMSKeyTransRecipientInfo,version) },
-    { SEC_ASN1_INLINE,
-	  offsetof(NSSCMSKeyTransRecipientInfo,recipientIdentifier),
-	  NSSCMSRecipientIdentifierTemplate },
-    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
-	  offsetof(NSSCMSKeyTransRecipientInfo,keyEncAlg),
-	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-    { SEC_ASN1_OCTET_STRING,
-	  offsetof(NSSCMSKeyTransRecipientInfo,encKey) },
-    { 0 }
-};
-
-/* -----------------------------------------------------------------------------
- * key agreement recipient info
- */
-
-static const SEC_ASN1Template NSSCMSOriginatorPublicKeyTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(NSSCMSOriginatorPublicKey) },
-    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
-	  offsetof(NSSCMSOriginatorPublicKey,algorithmIdentifier),
-	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
-	  offsetof(NSSCMSOriginatorPublicKey,publicKey),
-	  SEC_ASN1_SUB(SEC_BitStringTemplate) },
-    { 0 }
-};
-
-
-static const SEC_ASN1Template NSSCMSOriginatorIdentifierOrKeyTemplate[] = {
-    { SEC_ASN1_CHOICE,
-	  offsetof(NSSCMSOriginatorIdentifierOrKey,identifierType), NULL,
-	  sizeof(NSSCMSOriginatorIdentifierOrKey) },
-    { SEC_ASN1_POINTER | SEC_ASN1_XTRN,
-	  offsetof(NSSCMSOriginatorIdentifierOrKey,id.issuerAndSN),
-	  SEC_ASN1_SUB(CERT_IssuerAndSNTemplate),
-	  NSSCMSOriginatorIDOrKey_IssuerSN },
-    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
-      SEC_ASN1_XTRN | 1,
-	  offsetof(NSSCMSOriginatorIdentifierOrKey,id.subjectKeyID),
-	  SEC_ASN1_SUB(SEC_PointerToOctetStringTemplate) ,
-	  NSSCMSOriginatorIDOrKey_SubjectKeyID },
-    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2,
-	  offsetof(NSSCMSOriginatorIdentifierOrKey,id.originatorPublicKey),
-	  NSSCMSOriginatorPublicKeyTemplate,
-	  NSSCMSOriginatorIDOrKey_OriginatorPublicKey },
-    { 0 }
-};
-
-const SEC_ASN1Template NSSCMSRecipientKeyIdentifierTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(NSSCMSRecipientKeyIdentifier) },
-    { SEC_ASN1_OCTET_STRING,
-	  offsetof(NSSCMSRecipientKeyIdentifier,subjectKeyIdentifier) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_OCTET_STRING,
-	  offsetof(NSSCMSRecipientKeyIdentifier,date) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_OCTET_STRING,
-	  offsetof(NSSCMSRecipientKeyIdentifier,other) },
-    { 0 }
-};
-
-
-static const SEC_ASN1Template NSSCMSKeyAgreeRecipientIdentifierTemplate[] = {
-    { SEC_ASN1_CHOICE,
-	  offsetof(NSSCMSKeyAgreeRecipientIdentifier,identifierType), NULL,
-	  sizeof(NSSCMSKeyAgreeRecipientIdentifier) },
-    { SEC_ASN1_POINTER | SEC_ASN1_XTRN,
-	  offsetof(NSSCMSKeyAgreeRecipientIdentifier,id.issuerAndSN),
-	  SEC_ASN1_SUB(CERT_IssuerAndSNTemplate),
-	  NSSCMSKeyAgreeRecipientID_IssuerSN },
-    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
-	  offsetof(NSSCMSKeyAgreeRecipientIdentifier,id.recipientKeyIdentifier),
-	  NSSCMSRecipientKeyIdentifierTemplate,
-	  NSSCMSKeyAgreeRecipientID_RKeyID },
-    { 0 }
-};
-
-static const SEC_ASN1Template NSSCMSRecipientEncryptedKeyTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(NSSCMSRecipientEncryptedKey) },
-    { SEC_ASN1_INLINE,
-	  offsetof(NSSCMSRecipientEncryptedKey,recipientIdentifier),
-	  NSSCMSKeyAgreeRecipientIdentifierTemplate },
-    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
-	  offsetof(NSSCMSRecipientEncryptedKey,encKey),
-	  SEC_ASN1_SUB(SEC_BitStringTemplate) },
-    { 0 }
-};
-
-static const SEC_ASN1Template NSSCMSKeyAgreeRecipientInfoTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(NSSCMSKeyAgreeRecipientInfo) },
-    { SEC_ASN1_INTEGER,
-	  offsetof(NSSCMSKeyAgreeRecipientInfo,version) },
-    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
-	  offsetof(NSSCMSKeyAgreeRecipientInfo,originatorIdentifierOrKey),
-	  NSSCMSOriginatorIdentifierOrKeyTemplate },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
-      SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
-	  offsetof(NSSCMSKeyAgreeRecipientInfo,ukm),
-	  SEC_ASN1_SUB(SEC_OctetStringTemplate) },
-    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
-	  offsetof(NSSCMSKeyAgreeRecipientInfo,keyEncAlg),
-	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-    { SEC_ASN1_SEQUENCE_OF,
-	  offsetof(NSSCMSKeyAgreeRecipientInfo,recipientEncryptedKeys),
-	  NSSCMSRecipientEncryptedKeyTemplate },
-    { 0 }
-};
-
-/* -----------------------------------------------------------------------------
- * KEK recipient info
- */
-
-static const SEC_ASN1Template NSSCMSKEKIdentifierTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(NSSCMSKEKIdentifier) },
-    { SEC_ASN1_OCTET_STRING,
-	  offsetof(NSSCMSKEKIdentifier,keyIdentifier) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_OCTET_STRING,
-	  offsetof(NSSCMSKEKIdentifier,date) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_OCTET_STRING,
-	  offsetof(NSSCMSKEKIdentifier,other) },
-    { 0 }
-};
-
-static const SEC_ASN1Template NSSCMSKEKRecipientInfoTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(NSSCMSKEKRecipientInfo) },
-    { SEC_ASN1_INTEGER,
-	  offsetof(NSSCMSKEKRecipientInfo,version) },
-    { SEC_ASN1_INLINE,
-	  offsetof(NSSCMSKEKRecipientInfo,kekIdentifier),
-	  NSSCMSKEKIdentifierTemplate },
-    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
-	  offsetof(NSSCMSKEKRecipientInfo,keyEncAlg),
-	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-    { SEC_ASN1_OCTET_STRING,
-	  offsetof(NSSCMSKEKRecipientInfo,encKey) },
-    { 0 }
-};
-
-/* -----------------------------------------------------------------------------
- * recipient info
- */
-const SEC_ASN1Template NSSCMSRecipientInfoTemplate[] = {
-    { SEC_ASN1_CHOICE,
-	  offsetof(NSSCMSRecipientInfo,recipientInfoType), NULL,
-	  sizeof(NSSCMSRecipientInfo) },
-    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
-	  offsetof(NSSCMSRecipientInfo,ri.keyAgreeRecipientInfo),
-	  NSSCMSKeyAgreeRecipientInfoTemplate,
-	  NSSCMSRecipientInfoID_KeyAgree },
-    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2,
-	  offsetof(NSSCMSRecipientInfo,ri.kekRecipientInfo),
-	  NSSCMSKEKRecipientInfoTemplate,
-	  NSSCMSRecipientInfoID_KEK },
-    { SEC_ASN1_INLINE,
-	  offsetof(NSSCMSRecipientInfo,ri.keyTransRecipientInfo),
-	  NSSCMSKeyTransRecipientInfoTemplate,
-	  NSSCMSRecipientInfoID_KeyTrans },
-    { 0 }
-};
-
-/* -----------------------------------------------------------------------------
- *
- */
-
-const SEC_ASN1Template NSSCMSDigestedDataTemplate[] = {
-    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
-	  0, NULL, sizeof(NSSCMSDigestedData) },
-    { SEC_ASN1_INTEGER,
-	  offsetof(NSSCMSDigestedData,version) },
-    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
-	  offsetof(NSSCMSDigestedData,digestAlg),
-	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-    { SEC_ASN1_INLINE,
-	  offsetof(NSSCMSDigestedData,contentInfo),
-	  NSSCMSEncapsulatedContentInfoTemplate },
-    { SEC_ASN1_OCTET_STRING,
-	  offsetof(NSSCMSDigestedData,digest) },
-    { 0 }
-};
-
-const SEC_ASN1Template NSS_PointerToCMSDigestedDataTemplate[] = {
-    { SEC_ASN1_POINTER, 0, NSSCMSDigestedDataTemplate }
-};
-
-const SEC_ASN1Template NSSCMSEncryptedDataTemplate[] = {
-    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
-	  0, NULL, sizeof(NSSCMSEncryptedData) },
-    { SEC_ASN1_INTEGER,
-	  offsetof(NSSCMSEncryptedData,version) },
-    { SEC_ASN1_INLINE,
-	  offsetof(NSSCMSEncryptedData,contentInfo),
-	  NSSCMSEncryptedContentInfoTemplate },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
-	  offsetof(NSSCMSEncryptedData,unprotectedAttr),
-	  nss_cms_set_of_attribute_template },
-    { 0 }
-};
-
-const SEC_ASN1Template NSS_PointerToCMSEncryptedDataTemplate[] = {
-    { SEC_ASN1_POINTER, 0, NSSCMSEncryptedDataTemplate }
-};
-
-/* -----------------------------------------------------------------------------
- * FORTEZZA KEA
- */
-const SEC_ASN1Template NSS_SMIMEKEAParamTemplateSkipjack[] = {
-	{ SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(NSSCMSSMIMEKEAParameters) },
-	{ SEC_ASN1_OCTET_STRING /* | SEC_ASN1_OPTIONAL */,
-	  offsetof(NSSCMSSMIMEKEAParameters,originatorKEAKey) },
-	{ SEC_ASN1_OCTET_STRING,
-	  offsetof(NSSCMSSMIMEKEAParameters,originatorRA) },
-	{ 0 }
-};
-
-const SEC_ASN1Template NSS_SMIMEKEAParamTemplateNoSkipjack[] = {
-	{ SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(NSSCMSSMIMEKEAParameters) },
-	{ SEC_ASN1_OCTET_STRING /* | SEC_ASN1_OPTIONAL */,
-	  offsetof(NSSCMSSMIMEKEAParameters,originatorKEAKey) },
-	{ SEC_ASN1_OCTET_STRING,
-	  offsetof(NSSCMSSMIMEKEAParameters,originatorRA) },
-	{ SEC_ASN1_OCTET_STRING  | SEC_ASN1_OPTIONAL ,
-	  offsetof(NSSCMSSMIMEKEAParameters,nonSkipjackIV) },
-	{ 0 }
-};
-
-const SEC_ASN1Template NSS_SMIMEKEAParamTemplateAllParams[] = {
-	{ SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(NSSCMSSMIMEKEAParameters) },
-	{ SEC_ASN1_OCTET_STRING /* | SEC_ASN1_OPTIONAL */,
-	  offsetof(NSSCMSSMIMEKEAParameters,originatorKEAKey) },
-	{ SEC_ASN1_OCTET_STRING,
-	  offsetof(NSSCMSSMIMEKEAParameters,originatorRA) },
-	{ SEC_ASN1_OCTET_STRING  | SEC_ASN1_OPTIONAL ,
-	  offsetof(NSSCMSSMIMEKEAParameters,nonSkipjackIV) },
-	{ SEC_ASN1_OCTET_STRING  | SEC_ASN1_OPTIONAL ,
-	  offsetof(NSSCMSSMIMEKEAParameters,bulkKeySize) },
-	{ 0 }
-};
-
-const SEC_ASN1Template *
-nss_cms_get_kea_template(NSSCMSKEATemplateSelector whichTemplate)
-{
-	const SEC_ASN1Template *returnVal = NULL;
-
-	switch(whichTemplate)
-	{
-	case NSSCMSKEAUsesNonSkipjack:
-		returnVal = NSS_SMIMEKEAParamTemplateNoSkipjack;
-		break;
-	case NSSCMSKEAUsesSkipjack:
-		returnVal = NSS_SMIMEKEAParamTemplateSkipjack;
-		break;
-	case NSSCMSKEAUsesNonSkipjackWithPaddedEncKey:
-	default:
-		returnVal = NSS_SMIMEKEAParamTemplateAllParams;
-		break;
-	}
-	return returnVal;
-}
-
-/* -----------------------------------------------------------------------------
- *
- */
-static const SEC_ASN1Template *
-nss_cms_choose_content_template(void *src_or_dest, PRBool encoding)
-{
-    const SEC_ASN1Template *theTemplate;
-    NSSCMSContentInfo *cinfo;
-
-    PORT_Assert (src_or_dest != NULL);
-    if (src_or_dest == NULL)
-	return NULL;
-
-    cinfo = (NSSCMSContentInfo *)src_or_dest;
-    switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) {
-    default:
-	theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
-	break;
-    case SEC_OID_PKCS7_DATA:
-	theTemplate = SEC_ASN1_GET(SEC_PointerToOctetStringTemplate);
-	break;
-    case SEC_OID_PKCS7_SIGNED_DATA:
-	theTemplate = NSS_PointerToCMSSignedDataTemplate;
-	break;
-    case SEC_OID_PKCS7_ENVELOPED_DATA:
-	theTemplate = NSS_PointerToCMSEnvelopedDataTemplate;
-	break;
-    case SEC_OID_PKCS7_DIGESTED_DATA:
-	theTemplate = NSS_PointerToCMSDigestedDataTemplate;
-	break;
-    case SEC_OID_PKCS7_ENCRYPTED_DATA:
-	theTemplate = NSS_PointerToCMSEncryptedDataTemplate;
-	break;
-    }
-    return theTemplate;
-}
diff --git a/security/nss/lib/smime/cmsattr.c b/security/nss/lib/smime/cmsattr.c
deleted file mode 100644
index 26d9dbb78..000000000
--- a/security/nss/lib/smime/cmsattr.c
+++ /dev/null
@@ -1,461 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * CMS attributes.
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "secasn1.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "prtime.h"
-#include "secerr.h"
-
-/*
- * -------------------------------------------------------------------
- * XXX The following Attribute stuff really belongs elsewhere.
- * The Attribute type is *not* part of CMS but rather X.501.
- * But for now, since CMS is the only customer of attributes,
- * we define them here.  Once there is a use outside of CMS,
- * then change the attribute types and functions from internal
- * to external naming convention, and move them elsewhere!
- */
-
-
-/*
- * NSS_CMSAttribute_Create - create an attribute
- *
- * if value is NULL, the attribute won't have a value. It can be added later
- * with NSS_CMSAttribute_AddValue.
- */
-NSSCMSAttribute *
-NSS_CMSAttribute_Create(PRArenaPool *poolp, SECOidTag oidtag, SECItem *value, PRBool encoded)
-{
-    NSSCMSAttribute *attr;
-    SECItem *copiedvalue;
-    void *mark;
-
-    PORT_Assert (poolp != NULL);
-
-    mark = PORT_ArenaMark (poolp);
-
-    attr = (NSSCMSAttribute *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSAttribute));
-    if (attr == NULL)
-	goto loser;
-
-    attr->typeTag = SECOID_FindOIDByTag(oidtag);
-    if (attr->typeTag == NULL)
-	goto loser;
-
-    if (SECITEM_CopyItem(poolp, &(attr->type), &(attr->typeTag->oid)) != SECSuccess)
-	goto loser;
-
-    if (value != NULL) {
-	if ((copiedvalue = SECITEM_ArenaDupItem(poolp, value)) == NULL)
-	    goto loser;
-
-	if (NSS_CMSArray_Add(poolp, (void ***)&(attr->values), (void *)copiedvalue) != SECSuccess)
-	    goto loser;
-    }
-
-    attr->encoded = encoded;
-
-    PORT_ArenaUnmark (poolp, mark);
-
-    return attr;
-
-loser:
-    PORT_Assert (mark != NULL);
-    PORT_ArenaRelease (poolp, mark);
-    return NULL;
-}
-
-/*
- * NSS_CMSAttribute_AddValue - add another value to an attribute
- */
-SECStatus
-NSS_CMSAttribute_AddValue(PLArenaPool *poolp, NSSCMSAttribute *attr, SECItem *value)
-{
-    SECItem *copiedvalue;
-    void *mark;
-
-    PORT_Assert (poolp != NULL);
-
-    mark = PORT_ArenaMark(poolp);
-
-    if (value == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	goto loser;
-    }
-
-    if ((copiedvalue = SECITEM_ArenaDupItem(poolp, value)) == NULL)
-	goto loser;
-
-    if (NSS_CMSArray_Add(poolp, (void ***)&(attr->values), (void *)copiedvalue) != SECSuccess)
-	goto loser;
-
-    PORT_ArenaUnmark(poolp, mark);
-    return SECSuccess;
-
-loser:
-    PORT_Assert (mark != NULL);
-    PORT_ArenaRelease (poolp, mark);
-    return SECFailure;
-}
-
-/*
- * NSS_CMSAttribute_GetType - return the OID tag
- */
-SECOidTag
-NSS_CMSAttribute_GetType(NSSCMSAttribute *attr)
-{
-    SECOidData *typetag;
-
-    typetag = SECOID_FindOID(&(attr->type));
-    if (typetag == NULL)
-	return SEC_OID_UNKNOWN;
-
-    return typetag->offset;
-}
-
-/*
- * NSS_CMSAttribute_GetValue - return the first attribute value
- *
- * We do some sanity checking first:
- * - Multiple values are *not* expected.
- * - Empty values are *not* expected.
- */
-SECItem *
-NSS_CMSAttribute_GetValue(NSSCMSAttribute *attr)
-{
-    SECItem *value;
-
-    if (attr == NULL)
-	return NULL;
-
-    value = attr->values[0];
-
-    if (value == NULL || value->data == NULL || value->len == 0)
-	return NULL;
-
-    if (attr->values[1] != NULL)
-	return NULL;
-
-    return value;
-}
-
-/*
- * NSS_CMSAttribute_CompareValue - compare the attribute's first value against data
- */
-PRBool
-NSS_CMSAttribute_CompareValue(NSSCMSAttribute *attr, SECItem *av)
-{
-    SECItem *value;
-    
-    if (attr == NULL)
-	return PR_FALSE;
-
-    value = NSS_CMSAttribute_GetValue(attr);
-
-    return (value != NULL && value->len == av->len &&
-	PORT_Memcmp (value->data, av->data, value->len) == 0);
-}
-
-/*
- * templates and functions for separate ASN.1 encoding of attributes
- *
- * used in NSS_CMSAttributeArray_Reorder
- */
-
-/*
- * helper function for dynamic template determination of the attribute value
- */
-static const SEC_ASN1Template *
-cms_attr_choose_attr_value_template(void *src_or_dest, PRBool encoding)
-{
-    const SEC_ASN1Template *theTemplate;
-    NSSCMSAttribute *attribute;
-    SECOidData *oiddata;
-    PRBool encoded;
-
-    PORT_Assert (src_or_dest != NULL);
-    if (src_or_dest == NULL)
-	return NULL;
-
-    attribute = (NSSCMSAttribute *)src_or_dest;
-
-    if (encoding && (!attribute->values || !attribute->values[0] ||
-        attribute->encoded)) {
-        /* we're encoding, and the attribute has no value or the attribute
-         * value is already encoded. */
-        return SEC_ASN1_GET(SEC_AnyTemplate);
-    }
-
-    /* get attribute's typeTag */
-    oiddata = attribute->typeTag;
-    if (oiddata == NULL) {
-	oiddata = SECOID_FindOID(&attribute->type);
-	attribute->typeTag = oiddata;
-    }
-
-    if (oiddata == NULL) {
-	/* still no OID tag? OID is unknown then. en/decode value as ANY. */
-	encoded = PR_TRUE;
-	theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
-    } else {
-	switch (oiddata->offset) {
-	case SEC_OID_PKCS9_SMIME_CAPABILITIES:
-	case SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE:
-	    /* these guys need to stay DER-encoded */
-	default:
-	    /* same goes for OIDs that are not handled here */
-	    encoded = PR_TRUE;
-	    theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
-	    break;
-	    /* otherwise choose proper template */
-	case SEC_OID_PKCS9_EMAIL_ADDRESS:
-	case SEC_OID_RFC1274_MAIL:
-	case SEC_OID_PKCS9_UNSTRUCTURED_NAME:
-	    encoded = PR_FALSE;
-	    theTemplate = SEC_ASN1_GET(SEC_IA5StringTemplate);
-	    break;
-	case SEC_OID_PKCS9_CONTENT_TYPE:
-	    encoded = PR_FALSE;
-	    theTemplate = SEC_ASN1_GET(SEC_ObjectIDTemplate);
-	    break;
-	case SEC_OID_PKCS9_MESSAGE_DIGEST:
-	    encoded = PR_FALSE;
-	    theTemplate = SEC_ASN1_GET(SEC_OctetStringTemplate);
-	    break;
-	case SEC_OID_PKCS9_SIGNING_TIME:
-	    encoded = PR_FALSE;
-	    theTemplate = SEC_ASN1_GET(CERT_TimeChoiceTemplate);
-	    break;
-	  /* XXX Want other types here, too */
-	}
-    }
-
-    if (encoding) {
-	/*
-	 * If we are encoding and we think we have an already-encoded value,
-	 * then the code which initialized this attribute should have set
-	 * the "encoded" property to true (and we would have returned early,
-	 * up above).  No devastating error, but that code should be fixed.
-	 * (It could indicate that the resulting encoded bytes are wrong.)
-	 */
-	PORT_Assert (!encoded);
-    } else {
-	/*
-	 * We are decoding; record whether the resulting value is
-	 * still encoded or not.
-	 */
-	attribute->encoded = encoded;
-    }
-    return theTemplate;
-}
-
-static const SEC_ASN1TemplateChooserPtr cms_attr_chooser
-	= cms_attr_choose_attr_value_template;
-
-const SEC_ASN1Template nss_cms_attribute_template[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(NSSCMSAttribute) },
-    { SEC_ASN1_OBJECT_ID,
-	  offsetof(NSSCMSAttribute,type) },
-    { SEC_ASN1_DYNAMIC | SEC_ASN1_SET_OF,
-	  offsetof(NSSCMSAttribute,values),
-	  &cms_attr_chooser },
-    { 0 }
-};
-
-const SEC_ASN1Template nss_cms_set_of_attribute_template[] = {
-    { SEC_ASN1_SET_OF, 0, nss_cms_attribute_template },
-};
-
-/* =============================================================================
- * Attribute Array methods
- */
-
-/*
- * NSS_CMSAttributeArray_Encode - encode an Attribute array as SET OF Attributes
- *
- * If you are wondering why this routine does not reorder the attributes
- * first, and might be tempted to make it do so, see the comment by the
- * call to ReorderAttributes in cmsencode.c.  (Or, see who else calls this
- * and think long and hard about the implications of making it always
- * do the reordering.)
- */
-SECItem *
-NSS_CMSAttributeArray_Encode(PRArenaPool *poolp, NSSCMSAttribute ***attrs, SECItem *dest)
-{
-    return SEC_ASN1EncodeItem (poolp, dest, (void *)attrs, nss_cms_set_of_attribute_template);
-}
-
-/*
- * NSS_CMSAttributeArray_Reorder - sort attribute array by attribute's DER encoding
- *
- * make sure that the order of the attributes guarantees valid DER (which must be
- * in lexigraphically ascending order for a SET OF); if reordering is necessary it
- * will be done in place (in attrs).
- */
-SECStatus
-NSS_CMSAttributeArray_Reorder(NSSCMSAttribute **attrs)
-{
-    return NSS_CMSArray_SortByDER((void **)attrs, nss_cms_attribute_template, NULL);
-}
-
-/*
- * NSS_CMSAttributeArray_FindAttrByOidTag - look through a set of attributes and
- * find one that matches the specified object ID.
- *
- * If "only" is true, then make sure that there is not more than one attribute
- * of the same type.  Otherwise, just return the first one found. (XXX Does
- * anybody really want that first-found behavior?  It was like that when I found it...)
- */
-NSSCMSAttribute *
-NSS_CMSAttributeArray_FindAttrByOidTag(NSSCMSAttribute **attrs, SECOidTag oidtag, PRBool only)
-{
-    SECOidData *oid;
-    NSSCMSAttribute *attr1, *attr2;
-
-    if (attrs == NULL)
-	return NULL;
-
-    oid = SECOID_FindOIDByTag(oidtag);
-    if (oid == NULL)
-	return NULL;
-
-    while ((attr1 = *attrs++) != NULL) {
-	if (attr1->type.len == oid->oid.len && PORT_Memcmp (attr1->type.data,
-							    oid->oid.data,
-							    oid->oid.len) == 0)
-	    break;
-    }
-
-    if (attr1 == NULL)
-	return NULL;
-
-    if (!only)
-	return attr1;
-
-    while ((attr2 = *attrs++) != NULL) {
-	if (attr2->type.len == oid->oid.len && PORT_Memcmp (attr2->type.data,
-							    oid->oid.data,
-							    oid->oid.len) == 0)
-	    break;
-    }
-
-    if (attr2 != NULL)
-	return NULL;
-
-    return attr1;
-}
-
-/*
- * NSS_CMSAttributeArray_AddAttr - add an attribute to an
- * array of attributes. 
- */
-SECStatus
-NSS_CMSAttributeArray_AddAttr(PLArenaPool *poolp, NSSCMSAttribute ***attrs, NSSCMSAttribute *attr)
-{
-    NSSCMSAttribute *oattr;
-    void *mark;
-    SECOidTag type;
-
-    mark = PORT_ArenaMark(poolp);
-
-    /* find oidtag of attr */
-    type = NSS_CMSAttribute_GetType(attr);
-
-    /* see if we have one already */
-    oattr = NSS_CMSAttributeArray_FindAttrByOidTag(*attrs, type, PR_FALSE);
-    PORT_Assert (oattr == NULL);
-    if (oattr != NULL)
-	goto loser;	/* XXX or would it be better to replace it? */
-
-    /* no, shove it in */
-    if (NSS_CMSArray_Add(poolp, (void ***)attrs, (void *)attr) != SECSuccess)
-	goto loser;
-
-    PORT_ArenaUnmark(poolp, mark);
-    return SECSuccess;
-
-loser:
-    PORT_ArenaRelease(poolp, mark);
-    return SECFailure;
-}
-
-/*
- * NSS_CMSAttributeArray_SetAttr - set an attribute's value in a set of attributes
- */
-SECStatus
-NSS_CMSAttributeArray_SetAttr(PLArenaPool *poolp, NSSCMSAttribute ***attrs, SECOidTag type, SECItem *value, PRBool encoded)
-{
-    NSSCMSAttribute *attr;
-    void *mark;
-
-    mark = PORT_ArenaMark(poolp);
-
-    /* see if we have one already */
-    attr = NSS_CMSAttributeArray_FindAttrByOidTag(*attrs, type, PR_FALSE);
-    if (attr == NULL) {
-	/* not found? create one! */
-	attr = NSS_CMSAttribute_Create(poolp, type, value, encoded);
-	if (attr == NULL)
-	    goto loser;
-	/* and add it to the list */
-	if (NSS_CMSArray_Add(poolp, (void ***)attrs, (void *)attr) != SECSuccess)
-	    goto loser;
-    } else {
-	/* found, shove it in */
-	/* XXX we need a decent memory model @#$#$!#!!! */
-	attr->values[0] = value;
-	attr->encoded = encoded;
-    }
-
-    PORT_ArenaUnmark (poolp, mark);
-    return SECSuccess;
-
-loser:
-    PORT_ArenaRelease (poolp, mark);
-    return SECFailure;
-}
-
diff --git a/security/nss/lib/smime/cmscinfo.c b/security/nss/lib/smime/cmscinfo.c
deleted file mode 100644
index 1129ea33e..000000000
--- a/security/nss/lib/smime/cmscinfo.c
+++ /dev/null
@@ -1,360 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * CMS contentInfo methods.
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "pk11func.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "secerr.h"
-
-/*
- * NSS_CMSContentInfo_Create - create a content info
- *
- * version is set in the _Finalize procedures for each content type
- */
-
-/*
- * NSS_CMSContentInfo_Destroy - destroy a CMS contentInfo and all of its sub-pieces.
- */
-void
-NSS_CMSContentInfo_Destroy(NSSCMSContentInfo *cinfo)
-{
-    SECOidTag kind;
-
-    kind = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
-    switch (kind) {
-    case SEC_OID_PKCS7_ENVELOPED_DATA:
-	NSS_CMSEnvelopedData_Destroy(cinfo->content.envelopedData);
-	break;
-      case SEC_OID_PKCS7_SIGNED_DATA:
-	NSS_CMSSignedData_Destroy(cinfo->content.signedData);
-	break;
-      case SEC_OID_PKCS7_ENCRYPTED_DATA:
-	NSS_CMSEncryptedData_Destroy(cinfo->content.encryptedData);
-	break;
-      case SEC_OID_PKCS7_DIGESTED_DATA:
-	NSS_CMSDigestedData_Destroy(cinfo->content.digestedData);
-	break;
-      default:
-	/* XXX Anything else that needs to be "manually" freed/destroyed? */
-	break;
-    }
-    if (cinfo->digcx) {
-	/* must destroy digest objects */
-	NSS_CMSDigestContext_Cancel(cinfo->digcx);
-	cinfo->digcx = NULL;
-    }
-    if (cinfo->bulkkey)
-	PK11_FreeSymKey(cinfo->bulkkey);
-
-    if (cinfo->ciphcx) {
-	NSS_CMSCipherContext_Destroy(cinfo->ciphcx);
-	cinfo->ciphcx = NULL;
-    }
-    
-    /* we live in a pool, so no need to worry about storage */
-}
-
-/*
- * NSS_CMSContentInfo_GetChildContentInfo - get content's contentInfo (if it exists)
- */
-NSSCMSContentInfo *
-NSS_CMSContentInfo_GetChildContentInfo(NSSCMSContentInfo *cinfo)
-{
-    void * ptr                  = NULL;
-    NSSCMSContentInfo * ccinfo  = NULL;
-    SECOidTag tag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
-    switch (tag) {
-    case SEC_OID_PKCS7_SIGNED_DATA:
-	ptr    = (void *)cinfo->content.signedData;
-	ccinfo = &(cinfo->content.signedData->contentInfo);
-	break;
-    case SEC_OID_PKCS7_ENVELOPED_DATA:
-	ptr    = (void *)cinfo->content.envelopedData;
-	ccinfo = &(cinfo->content.envelopedData->contentInfo);
-	break;
-    case SEC_OID_PKCS7_DIGESTED_DATA:
-	ptr    = (void *)cinfo->content.digestedData;
-	ccinfo = &(cinfo->content.digestedData->contentInfo);
-	break;
-    case SEC_OID_PKCS7_ENCRYPTED_DATA:
-	ptr    = (void *)cinfo->content.encryptedData;
-	ccinfo = &(cinfo->content.encryptedData->contentInfo);
-	break;
-    case SEC_OID_PKCS7_DATA:
-    default:
-	break;
-    }
-    return (ptr ? ccinfo : NULL);
-}
-
-/*
- * NSS_CMSContentInfo_SetContent - set content type & content
- */
-SECStatus
-NSS_CMSContentInfo_SetContent(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, SECOidTag type, void *ptr)
-{
-    SECStatus rv;
-
-    cinfo->contentTypeTag = SECOID_FindOIDByTag(type);
-    if (cinfo->contentTypeTag == NULL)
-	return SECFailure;
-    
-    /* do not copy the oid, just create a reference */
-    rv = SECITEM_CopyItem (cmsg->poolp, &(cinfo->contentType), &(cinfo->contentTypeTag->oid));
-    if (rv != SECSuccess)
-	return SECFailure;
-
-    cinfo->content.pointer = ptr;
-
-    if (type != SEC_OID_PKCS7_DATA) {
-	/* as we always have some inner data,
-	 * we need to set it to something, just to fool the encoder enough to work on it
-	 * and get us into nss_cms_encoder_notify at that point */
-	cinfo->rawContent = SECITEM_AllocItem(cmsg->poolp, NULL, 1);
-	if (cinfo->rawContent == NULL) {
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    return SECFailure;
-	}
-    }
-
-    return SECSuccess;
-}
-
-/*
- * NSS_CMSContentInfo_SetContent_XXXX - typesafe wrappers for NSS_CMSContentInfo_SetContent
- */
-
-/*
- * data == NULL -> pass in data via NSS_CMSEncoder_Update
- * data != NULL -> take this data
- */
-SECStatus
-NSS_CMSContentInfo_SetContent_Data(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, SECItem *data, PRBool detached)
-{
-    if (NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_DATA, (void *)data) != SECSuccess)
-	return SECFailure;
-    cinfo->rawContent = (detached) ? 
-			    NULL : (data) ? 
-				data : SECITEM_AllocItem(cmsg->poolp, NULL, 1);
-    return SECSuccess;
-}
-
-SECStatus
-NSS_CMSContentInfo_SetContent_SignedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSSignedData *sigd)
-{
-    return NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_SIGNED_DATA, (void *)sigd);
-}
-
-SECStatus
-NSS_CMSContentInfo_SetContent_EnvelopedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSEnvelopedData *envd)
-{
-    return NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_ENVELOPED_DATA, (void *)envd);
-}
-
-SECStatus
-NSS_CMSContentInfo_SetContent_DigestedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSDigestedData *digd)
-{
-    return NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_DIGESTED_DATA, (void *)digd);
-}
-
-SECStatus
-NSS_CMSContentInfo_SetContent_EncryptedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSEncryptedData *encd)
-{
-    return NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_ENCRYPTED_DATA, (void *)encd);
-}
-
-/*
- * NSS_CMSContentInfo_GetContent - get pointer to inner content
- *
- * needs to be casted...
- */
-void *
-NSS_CMSContentInfo_GetContent(NSSCMSContentInfo *cinfo)
-{
-    SECOidTag tag = (cinfo && cinfo->contentTypeTag) 
-	                ? cinfo->contentTypeTag->offset 
-	                : SEC_OID_UNKNOWN;
-    switch (tag) {
-    case SEC_OID_PKCS7_DATA:
-    case SEC_OID_PKCS7_SIGNED_DATA:
-    case SEC_OID_PKCS7_ENVELOPED_DATA:
-    case SEC_OID_PKCS7_DIGESTED_DATA:
-    case SEC_OID_PKCS7_ENCRYPTED_DATA:
-	return cinfo->content.pointer;
-    default:
-	return NULL;
-    }
-}
-
-/* 
- * NSS_CMSContentInfo_GetInnerContent - get pointer to innermost content
- *
- * this is typically only called by NSS_CMSMessage_GetContent()
- */
-SECItem *
-NSS_CMSContentInfo_GetInnerContent(NSSCMSContentInfo *cinfo)
-{
-    NSSCMSContentInfo *ccinfo;
-    SECOidTag          tag;
-    SECItem           *pItem = NULL;
-
-    tag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
-    switch (tag) {
-    case SEC_OID_PKCS7_DATA:
-	/* end of recursion - every message has to have a data cinfo */
-	pItem = cinfo->content.data; 
-	break;
-    case SEC_OID_PKCS7_DIGESTED_DATA:
-    case SEC_OID_PKCS7_ENCRYPTED_DATA:
-    case SEC_OID_PKCS7_ENVELOPED_DATA:
-    case SEC_OID_PKCS7_SIGNED_DATA:
-	ccinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo);
-	if (ccinfo != NULL)
-	    pItem = NSS_CMSContentInfo_GetContent(ccinfo);
-	break;
-    default:
-	PORT_Assert(0);
-	break;
-    }
-    return pItem;
-}
-
-/*
- * NSS_CMSContentInfo_GetContentType{Tag,OID} - find out (saving pointer to lookup result
- * for future reference) and return the inner content type.
- */
-SECOidTag
-NSS_CMSContentInfo_GetContentTypeTag(NSSCMSContentInfo *cinfo)
-{
-    if (cinfo->contentTypeTag == NULL)
-	cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType));
-
-    if (cinfo->contentTypeTag == NULL)
-	return SEC_OID_UNKNOWN;
-
-    return cinfo->contentTypeTag->offset;
-}
-
-SECItem *
-NSS_CMSContentInfo_GetContentTypeOID(NSSCMSContentInfo *cinfo)
-{
-    if (cinfo->contentTypeTag == NULL)
-	cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType));
-
-    if (cinfo->contentTypeTag == NULL)
-	return NULL;
-
-    return &(cinfo->contentTypeTag->oid);
-}
-
-/*
- * NSS_CMSContentInfo_GetContentEncAlgTag - find out (saving pointer to lookup result
- * for future reference) and return the content encryption algorithm tag.
- */
-SECOidTag
-NSS_CMSContentInfo_GetContentEncAlgTag(NSSCMSContentInfo *cinfo)
-{
-    if (cinfo->contentEncAlgTag == SEC_OID_UNKNOWN)
-	cinfo->contentEncAlgTag = SECOID_GetAlgorithmTag(&(cinfo->contentEncAlg));
-
-    return cinfo->contentEncAlgTag;
-}
-
-/*
- * NSS_CMSContentInfo_GetContentEncAlg - find out and return the content encryption algorithm tag.
- */
-SECAlgorithmID *
-NSS_CMSContentInfo_GetContentEncAlg(NSSCMSContentInfo *cinfo)
-{
-    return &(cinfo->contentEncAlg);
-}
-
-SECStatus
-NSS_CMSContentInfo_SetContentEncAlg(PLArenaPool *poolp, NSSCMSContentInfo *cinfo,
-				    SECOidTag bulkalgtag, SECItem *parameters, int keysize)
-{
-    SECStatus rv;
-
-    rv = SECOID_SetAlgorithmID(poolp, &(cinfo->contentEncAlg), bulkalgtag, parameters);
-    if (rv != SECSuccess)
-	return SECFailure;
-    cinfo->keysize = keysize;
-    return SECSuccess;
-}
-
-SECStatus
-NSS_CMSContentInfo_SetContentEncAlgID(PLArenaPool *poolp, NSSCMSContentInfo *cinfo,
-				    SECAlgorithmID *algid, int keysize)
-{
-    SECStatus rv;
-
-    rv = SECOID_CopyAlgorithmID(poolp, &(cinfo->contentEncAlg), algid);
-    if (rv != SECSuccess)
-	return SECFailure;
-    if (keysize >= 0)
-	cinfo->keysize = keysize;
-    return SECSuccess;
-}
-
-void
-NSS_CMSContentInfo_SetBulkKey(NSSCMSContentInfo *cinfo, PK11SymKey *bulkkey)
-{
-    cinfo->bulkkey = PK11_ReferenceSymKey(bulkkey);
-    cinfo->keysize = PK11_GetKeyStrength(cinfo->bulkkey, &(cinfo->contentEncAlg));
-}
-
-PK11SymKey *
-NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo *cinfo)
-{
-    if (cinfo->bulkkey == NULL)
-	return NULL;
-
-    return PK11_ReferenceSymKey(cinfo->bulkkey);
-}
-
-int
-NSS_CMSContentInfo_GetBulkKeySize(NSSCMSContentInfo *cinfo)
-{
-    return cinfo->keysize;
-}
diff --git a/security/nss/lib/smime/cmscipher.c b/security/nss/lib/smime/cmscipher.c
deleted file mode 100644
index 00042937a..000000000
--- a/security/nss/lib/smime/cmscipher.c
+++ /dev/null
@@ -1,788 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Encryption/decryption routines for CMS implementation, none of which are exported.
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "secoid.h"
-#include "secitem.h"
-#include "pk11func.h"
-#include "secerr.h"
-#include "secpkcs5.h"
-
-/*
- * -------------------------------------------------------------------
- * Cipher stuff.
- */
-
-typedef SECStatus (*nss_cms_cipher_function) (void *, unsigned char *, unsigned int *,
-					unsigned int, const unsigned char *, unsigned int);
-typedef SECStatus (*nss_cms_cipher_destroy) (void *, PRBool);
-
-#define BLOCK_SIZE 4096
-
-struct NSSCMSCipherContextStr {
-    void *		cx;			/* PK11 cipher context */
-    nss_cms_cipher_function doit;
-    nss_cms_cipher_destroy destroy;
-    PRBool		encrypt;		/* encrypt / decrypt switch */
-    int			block_size;		/* block & pad sizes for cipher */
-    int			pad_size;
-    int			pending_count;		/* pending data (not yet en/decrypted */
-    unsigned char	pending_buf[BLOCK_SIZE];/* because of blocking */
-};
-
-/*
- * NSS_CMSCipherContext_StartDecrypt - create a cipher context to do decryption
- * based on the given bulk * encryption key and algorithm identifier (which may include an iv).
- *
- * XXX Once both are working, it might be nice to combine this and the
- * function below (for starting up encryption) into one routine, and just
- * have two simple cover functions which call it. 
- */
-NSSCMSCipherContext *
-NSS_CMSCipherContext_StartDecrypt(PK11SymKey *key, SECAlgorithmID *algid)
-{
-    NSSCMSCipherContext *cc;
-    void *ciphercx;
-    CK_MECHANISM_TYPE mechanism;
-    SECItem *param;
-    PK11SlotInfo *slot;
-    SECOidTag algtag;
-
-    algtag = SECOID_GetAlgorithmTag(algid);
-
-    /* set param and mechanism */
-    if (SEC_PKCS5IsAlgorithmPBEAlg(algid)) {
-	CK_MECHANISM pbeMech, cryptoMech;
-	SECItem *pbeParams, *pwitem;
-
-	PORT_Memset(&pbeMech, 0, sizeof(CK_MECHANISM));
-	PORT_Memset(&cryptoMech, 0, sizeof(CK_MECHANISM));
-
-	pwitem = PK11_GetSymKeyUserData(key);
-	if (!pwitem) 
-	    return NULL;
-
-	/* find correct PK11 mechanism and parameters to initialize pbeMech */
-	pbeMech.mechanism = PK11_AlgtagToMechanism(algtag);
-	pbeParams = PK11_ParamFromAlgid(algid);
-	if (!pbeParams)
-	    return NULL;
-	pbeMech.pParameter = pbeParams->data;
-	pbeMech.ulParameterLen = pbeParams->len;
-
-	/* now map pbeMech to cryptoMech */
-	if (PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech, pwitem,
-						  PR_FALSE) != CKR_OK) { 
-	    SECITEM_ZfreeItem(pbeParams, PR_TRUE);
-	    return NULL;
-	}
-	SECITEM_ZfreeItem(pbeParams, PR_TRUE);
-
-	/* and use it to initialize param & mechanism */
-	if ((param = (SECItem *)PORT_ZAlloc(sizeof(SECItem))) == NULL)
-	     return NULL;
-
-	param->data = (unsigned char *)cryptoMech.pParameter;
-	param->len = cryptoMech.ulParameterLen;
-	mechanism = cryptoMech.mechanism;
-    } else {
-	mechanism = PK11_AlgtagToMechanism(algtag);
-	if ((param = PK11_ParamFromAlgid(algid)) == NULL)
-	    return NULL;
-    }
-
-    cc = (NSSCMSCipherContext *)PORT_ZAlloc(sizeof(NSSCMSCipherContext));
-    if (cc == NULL) {
-	SECITEM_FreeItem(param,PR_TRUE);
-	return NULL;
-    }
-
-    /* figure out pad and block sizes */
-    cc->pad_size = PK11_GetBlockSize(mechanism, param);
-    slot = PK11_GetSlotFromKey(key);
-    cc->block_size = PK11_IsHW(slot) ? BLOCK_SIZE : cc->pad_size;
-    PK11_FreeSlot(slot);
-
-    /* create PK11 cipher context */
-    ciphercx = PK11_CreateContextBySymKey(mechanism, CKA_DECRYPT, key, param);
-    SECITEM_FreeItem(param, PR_TRUE);
-    if (ciphercx == NULL) {
-	PORT_Free (cc);
-	return NULL;
-    }
-
-    cc->cx = ciphercx;
-    cc->doit =  (nss_cms_cipher_function) PK11_CipherOp;
-    cc->destroy = (nss_cms_cipher_destroy) PK11_DestroyContext;
-    cc->encrypt = PR_FALSE;
-    cc->pending_count = 0;
-
-    return cc;
-}
-
-/*
- * NSS_CMSCipherContext_StartEncrypt - create a cipher object to do encryption,
- * based on the given bulk encryption key and algorithm tag.  Fill in the algorithm
- * identifier (which may include an iv) appropriately.
- *
- * XXX Once both are working, it might be nice to combine this and the
- * function above (for starting up decryption) into one routine, and just
- * have two simple cover functions which call it. 
- */
-NSSCMSCipherContext *
-NSS_CMSCipherContext_StartEncrypt(PRArenaPool *poolp, PK11SymKey *key, SECAlgorithmID *algid)
-{
-    NSSCMSCipherContext *cc;
-    void *ciphercx;
-    SECItem *param;
-    SECStatus rv;
-    CK_MECHANISM_TYPE mechanism;
-    PK11SlotInfo *slot;
-    PRBool needToEncodeAlgid = PR_FALSE;
-    SECOidTag algtag = SECOID_GetAlgorithmTag(algid);
-
-    /* set param and mechanism */
-    if (SEC_PKCS5IsAlgorithmPBEAlg(algid)) {
-	CK_MECHANISM pbeMech, cryptoMech;
-	SECItem *pbeParams, *pwitem;
-
-	PORT_Memset(&pbeMech, 0, sizeof(CK_MECHANISM));
-	PORT_Memset(&cryptoMech, 0, sizeof(CK_MECHANISM));
-
-	pwitem = PK11_GetSymKeyUserData(key);
-	if (!pwitem) 
-	    return NULL;
-
-	/* find correct PK11 mechanism and parameters to initialize pbeMech */
-	pbeMech.mechanism = PK11_AlgtagToMechanism(algtag);
-	pbeParams = PK11_ParamFromAlgid(algid);
-	if (!pbeParams)
-	    return NULL;
-	pbeMech.pParameter = pbeParams->data;
-	pbeMech.ulParameterLen = pbeParams->len;
-
-	/* now map pbeMech to cryptoMech */
-	if (PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech, pwitem,
-						  PR_FALSE) != CKR_OK) { 
-	    SECITEM_ZfreeItem(pbeParams, PR_TRUE);
-	    return NULL;
-	}
-	SECITEM_ZfreeItem(pbeParams, PR_TRUE);
-
-	/* and use it to initialize param & mechanism */
-	if ((param = (SECItem *)PORT_ZAlloc(sizeof(SECItem))) == NULL)
-	    return NULL;
-
-	param->data = (unsigned char *)cryptoMech.pParameter;
-	param->len = cryptoMech.ulParameterLen;
-	mechanism = cryptoMech.mechanism;
-    } else {
-	mechanism = PK11_AlgtagToMechanism(algtag);
-	if ((param = PK11_GenerateNewParam(mechanism, key)) == NULL)
-	    return NULL;
-	needToEncodeAlgid = PR_TRUE;
-    }
-
-    cc = (NSSCMSCipherContext *)PORT_ZAlloc(sizeof(NSSCMSCipherContext));
-    if (cc == NULL)
-	return NULL;
-
-    /* now find pad and block sizes for our mechanism */
-    cc->pad_size = PK11_GetBlockSize(mechanism,param);
-    slot = PK11_GetSlotFromKey(key);
-    cc->block_size = PK11_IsHW(slot) ? BLOCK_SIZE : cc->pad_size;
-    PK11_FreeSlot(slot);
-
-    /* and here we go, creating a PK11 cipher context */
-    ciphercx = PK11_CreateContextBySymKey(mechanism, CKA_ENCRYPT, key, param);
-    if (ciphercx == NULL) {
-	PORT_Free(cc);
-	cc = NULL;
-	goto loser;
-    }
-
-    /*
-     * These are placed after the CreateContextBySymKey() because some
-     * mechanisms have to generate their IVs from their card (i.e. FORTEZZA).
-     * Don't move it from here.
-     * XXX is that right? the purpose of this is to get the correct algid
-     *     containing the IVs etc. for encoding. this means we need to set this up
-     *     BEFORE encoding the algid in the contentInfo, right?
-     */
-    if (needToEncodeAlgid) {
-	rv = PK11_ParamToAlgid(algtag, param, poolp, algid);
-	if(rv != SECSuccess) {
-	    PORT_Free(cc);
-	    cc = NULL;
-	    goto loser;
-	}
-    }
-
-    cc->cx = ciphercx;
-    cc->doit = (nss_cms_cipher_function)PK11_CipherOp;
-    cc->destroy = (nss_cms_cipher_destroy)PK11_DestroyContext;
-    cc->encrypt = PR_TRUE;
-    cc->pending_count = 0;
-
-loser:
-    SECITEM_FreeItem(param, PR_TRUE);
-
-    return cc;
-}
-
-void
-NSS_CMSCipherContext_Destroy(NSSCMSCipherContext *cc)
-{
-    PORT_Assert(cc != NULL);
-    if (cc == NULL)
-	return;
-    (*cc->destroy)(cc->cx, PR_TRUE);
-    PORT_Free(cc);
-}
-
-/*
- * NSS_CMSCipherContext_DecryptLength - find the output length of the next call to decrypt.
- *
- * cc - the cipher context
- * input_len - number of bytes used as input
- * final - true if this is the final chunk of data
- *
- * Result can be used to perform memory allocations.  Note that the amount
- * is exactly accurate only when not doing a block cipher or when final
- * is false, otherwise it is an upper bound on the amount because until
- * we see the data we do not know how many padding bytes there are
- * (always between 1 and bsize).
- *
- * Note that this can return zero, which does not mean that the decrypt
- * operation can be skipped!  (It simply means that there are not enough
- * bytes to make up an entire block; the bytes will be reserved until
- * there are enough to encrypt/decrypt at least one block.)  However,
- * if zero is returned it *does* mean that no output buffer need be
- * passed in to the subsequent decrypt operation, as no output bytes
- * will be stored.
- */
-unsigned int
-NSS_CMSCipherContext_DecryptLength(NSSCMSCipherContext *cc, unsigned int input_len, PRBool final)
-{
-    int blocks, block_size;
-
-    PORT_Assert (! cc->encrypt);
-
-    block_size = cc->block_size;
-
-    /*
-     * If this is not a block cipher, then we always have the same
-     * number of output bytes as we had input bytes.
-     */
-    if (block_size == 0)
-	return input_len;
-
-    /*
-     * On the final call, we will always use up all of the pending
-     * bytes plus all of the input bytes, *but*, there will be padding
-     * at the end and we cannot predict how many bytes of padding we
-     * will end up removing.  The amount given here is actually known
-     * to be at least 1 byte too long (because we know we will have
-     * at least 1 byte of padding), but seemed clearer/better to me.
-     */
-    if (final)
-	return cc->pending_count + input_len;
-
-    /*
-     * Okay, this amount is exactly what we will output on the
-     * next cipher operation.  We will always hang onto the last
-     * 1 - block_size bytes for non-final operations.  That is,
-     * we will do as many complete blocks as we can *except* the
-     * last block (complete or partial).  (This is because until
-     * we know we are at the end, we cannot know when to interpret
-     * and removing the padding byte(s), which are guaranteed to
-     * be there.)
-     */
-    blocks = (cc->pending_count + input_len - 1) / block_size;
-    return blocks * block_size;
-}
-
-/*
- * NSS_CMSCipherContext_EncryptLength - find the output length of the next call to encrypt.
- *
- * cc - the cipher context
- * input_len - number of bytes used as input
- * final - true if this is the final chunk of data
- *
- * Result can be used to perform memory allocations.
- *
- * Note that this can return zero, which does not mean that the encrypt
- * operation can be skipped!  (It simply means that there are not enough
- * bytes to make up an entire block; the bytes will be reserved until
- * there are enough to encrypt/decrypt at least one block.)  However,
- * if zero is returned it *does* mean that no output buffer need be
- * passed in to the subsequent encrypt operation, as no output bytes
- * will be stored.
- */
-unsigned int
-NSS_CMSCipherContext_EncryptLength(NSSCMSCipherContext *cc, unsigned int input_len, PRBool final)
-{
-    int blocks, block_size;
-    int pad_size;
-
-    PORT_Assert (cc->encrypt);
-
-    block_size = cc->block_size;
-    pad_size = cc->pad_size;
-
-    /*
-     * If this is not a block cipher, then we always have the same
-     * number of output bytes as we had input bytes.
-     */
-    if (block_size == 0)
-	return input_len;
-
-    /*
-     * On the final call, we only send out what we need for
-     * remaining bytes plus the padding.  (There is always padding,
-     * so even if we have an exact number of blocks as input, we
-     * will add another full block that is just padding.)
-     */
-    if (final) {
-	if (pad_size == 0) {
-    	    return cc->pending_count + input_len;
-	} else {
-    	    blocks = (cc->pending_count + input_len) / pad_size;
-	    blocks++;
-	    return blocks*pad_size;
-	}
-    }
-
-    /*
-     * Now, count the number of complete blocks of data we have.
-     */
-    blocks = (cc->pending_count + input_len) / block_size;
-
-
-    return blocks * block_size;
-}
-
-
-/*
- * NSS_CMSCipherContext_Decrypt - do the decryption
- *
- * cc - the cipher context
- * output - buffer for decrypted result bytes
- * output_len_p - number of bytes in output
- * max_output_len - upper bound on bytes to put into output
- * input - pointer to input bytes
- * input_len - number of input bytes
- * final - true if this is the final chunk of data
- *
- * Decrypts a given length of input buffer (starting at "input" and
- * containing "input_len" bytes), placing the decrypted bytes in
- * "output" and storing the output length in "*output_len_p".
- * "cc" is the return value from NSS_CMSCipher_StartDecrypt.
- * When "final" is true, this is the last of the data to be decrypted.
- *
- * This is much more complicated than it sounds when the cipher is
- * a block-type, meaning that the decryption function will only
- * operate on whole blocks.  But our caller is operating stream-wise,
- * and can pass in any number of bytes.  So we need to keep track
- * of block boundaries.  We save excess bytes between calls in "cc".
- * We also need to determine which bytes are padding, and remove
- * them from the output.  We can only do this step when we know we
- * have the final block of data.  PKCS #7 specifies that the padding
- * used for a block cipher is a string of bytes, each of whose value is
- * the same as the length of the padding, and that all data is padded.
- * (Even data that starts out with an exact multiple of blocks gets
- * added to it another block, all of which is padding.)
- */ 
-SECStatus
-NSS_CMSCipherContext_Decrypt(NSSCMSCipherContext *cc, unsigned char *output,
-		  unsigned int *output_len_p, unsigned int max_output_len,
-		  const unsigned char *input, unsigned int input_len,
-		  PRBool final)
-{
-    int blocks, bsize, pcount, padsize;
-    unsigned int max_needed, ifraglen, ofraglen, output_len;
-    unsigned char *pbuf;
-    SECStatus rv;
-
-    PORT_Assert (! cc->encrypt);
-
-    /*
-     * Check that we have enough room for the output.  Our caller should
-     * already handle this; failure is really an internal error (i.e. bug).
-     */
-    max_needed = NSS_CMSCipherContext_DecryptLength(cc, input_len, final);
-    PORT_Assert (max_output_len >= max_needed);
-    if (max_output_len < max_needed) {
-	/* PORT_SetError (XXX); */
-	return SECFailure;
-    }
-
-    /*
-     * hardware encryption does not like small decryption sizes here, so we
-     * allow both blocking and padding.
-     */
-    bsize = cc->block_size;
-    padsize = cc->pad_size;
-
-    /*
-     * When no blocking or padding work to do, we can simply call the
-     * cipher function and we are done.
-     */
-    if (bsize == 0) {
-	return (* cc->doit) (cc->cx, output, output_len_p, max_output_len,
-			      input, input_len);
-    }
-
-    pcount = cc->pending_count;
-    pbuf = cc->pending_buf;
-
-    output_len = 0;
-
-    if (pcount) {
-	/*
-	 * Try to fill in an entire block, starting with the bytes
-	 * we already have saved away.
-	 */
-	while (input_len && pcount < bsize) {
-	    pbuf[pcount++] = *input++;
-	    input_len--;
-	}
-	/*
-	 * If we have at most a whole block and this is not our last call,
-	 * then we are done for now.  (We do not try to decrypt a lone
-	 * single block because we cannot interpret the padding bytes
-	 * until we know we are handling the very last block of all input.)
-	 */
-	if (input_len == 0 && !final) {
-	    cc->pending_count = pcount;
-	    if (output_len_p)
-		*output_len_p = 0;
-	    return SECSuccess;
-	}
-	/*
-	 * Given the logic above, we expect to have a full block by now.
-	 * If we do not, there is something wrong, either with our own
-	 * logic or with (length of) the data given to us.
-	 */
-	if ((padsize != 0) && (pcount % padsize) != 0) {
-	    PORT_Assert (final);	
-	    PORT_SetError (SEC_ERROR_BAD_DATA);
-	    return SECFailure;
-	}
-	/*
-	 * Decrypt the block.
-	 */
-	rv = (*cc->doit)(cc->cx, output, &ofraglen, max_output_len,
-			    pbuf, pcount);
-	if (rv != SECSuccess)
-	    return rv;
-
-	/*
-	 * For now anyway, all of our ciphers have the same number of
-	 * bytes of output as they do input.  If this ever becomes untrue,
-	 * then NSS_CMSCipherContext_DecryptLength needs to be made smarter!
-	 */
-	PORT_Assert(ofraglen == pcount);
-
-	/*
-	 * Account for the bytes now in output.
-	 */
-	max_output_len -= ofraglen;
-	output_len += ofraglen;
-	output += ofraglen;
-    }
-
-    /*
-     * If this is our last call, we expect to have an exact number of
-     * blocks left to be decrypted; we will decrypt them all.
-     * 
-     * If not our last call, we always save between 1 and bsize bytes
-     * until next time.  (We must do this because we cannot be sure
-     * that none of the decrypted bytes are padding bytes until we
-     * have at least another whole block of data.  You cannot tell by
-     * looking -- the data could be anything -- you can only tell by
-     * context, knowing you are looking at the last block.)  We could
-     * decrypt a whole block now but it is easier if we just treat it
-     * the same way we treat partial block bytes.
-     */
-    if (final) {
-	if (padsize) {
-	    blocks = input_len / padsize;
-	    ifraglen = blocks * padsize;
-	} else ifraglen = input_len;
-	PORT_Assert (ifraglen == input_len);
-
-	if (ifraglen != input_len) {
-	    PORT_SetError(SEC_ERROR_BAD_DATA);
-	    return SECFailure;
-	}
-    } else {
-	blocks = (input_len - 1) / bsize;
-	ifraglen = blocks * bsize;
-	PORT_Assert (ifraglen < input_len);
-
-	pcount = input_len - ifraglen;
-	PORT_Memcpy (pbuf, input + ifraglen, pcount);
-	cc->pending_count = pcount;
-    }
-
-    if (ifraglen) {
-	rv = (* cc->doit)(cc->cx, output, &ofraglen, max_output_len,
-			    input, ifraglen);
-	if (rv != SECSuccess)
-	    return rv;
-
-	/*
-	 * For now anyway, all of our ciphers have the same number of
-	 * bytes of output as they do input.  If this ever becomes untrue,
-	 * then sec_PKCS7DecryptLength needs to be made smarter!
-	 */
-	PORT_Assert (ifraglen == ofraglen);
-	if (ifraglen != ofraglen) {
-	    PORT_SetError(SEC_ERROR_BAD_DATA);
-	    return SECFailure;
-	}
-
-	output_len += ofraglen;
-    } else {
-	ofraglen = 0;
-    }
-
-    /*
-     * If we just did our very last block, "remove" the padding by
-     * adjusting the output length.
-     */
-    if (final && (padsize != 0)) {
-	unsigned int padlen = *(output + ofraglen - 1);
-
-	if (padlen == 0 || padlen > padsize) {
-	    PORT_SetError(SEC_ERROR_BAD_DATA);
-	    return SECFailure;
-	}
-	output_len -= padlen;
-    }
-
-    PORT_Assert (output_len_p != NULL || output_len == 0);
-    if (output_len_p != NULL)
-	*output_len_p = output_len;
-
-    return SECSuccess;
-}
-
-/*
- * NSS_CMSCipherContext_Encrypt - do the encryption
- *
- * cc - the cipher context
- * output - buffer for decrypted result bytes
- * output_len_p - number of bytes in output
- * max_output_len - upper bound on bytes to put into output
- * input - pointer to input bytes
- * input_len - number of input bytes
- * final - true if this is the final chunk of data
- *
- * Encrypts a given length of input buffer (starting at "input" and
- * containing "input_len" bytes), placing the encrypted bytes in
- * "output" and storing the output length in "*output_len_p".
- * "cc" is the return value from NSS_CMSCipher_StartEncrypt.
- * When "final" is true, this is the last of the data to be encrypted.
- *
- * This is much more complicated than it sounds when the cipher is
- * a block-type, meaning that the encryption function will only
- * operate on whole blocks.  But our caller is operating stream-wise,
- * and can pass in any number of bytes.  So we need to keep track
- * of block boundaries.  We save excess bytes between calls in "cc".
- * We also need to add padding bytes at the end.  PKCS #7 specifies
- * that the padding used for a block cipher is a string of bytes,
- * each of whose value is the same as the length of the padding,
- * and that all data is padded.  (Even data that starts out with
- * an exact multiple of blocks gets added to it another block,
- * all of which is padding.)
- *
- * XXX I would kind of like to combine this with the function above
- * which does decryption, since they have a lot in common.  But the
- * tricky parts about padding and filling blocks would be much
- * harder to read that way, so I left them separate.  At least for
- * now until it is clear that they are right.
- */ 
-SECStatus
-NSS_CMSCipherContext_Encrypt(NSSCMSCipherContext *cc, unsigned char *output,
-		  unsigned int *output_len_p, unsigned int max_output_len,
-		  const unsigned char *input, unsigned int input_len,
-		  PRBool final)
-{
-    int blocks, bsize, padlen, pcount, padsize;
-    unsigned int max_needed, ifraglen, ofraglen, output_len;
-    unsigned char *pbuf;
-    SECStatus rv;
-
-    PORT_Assert (cc->encrypt);
-
-    /*
-     * Check that we have enough room for the output.  Our caller should
-     * already handle this; failure is really an internal error (i.e. bug).
-     */
-    max_needed = NSS_CMSCipherContext_EncryptLength (cc, input_len, final);
-    PORT_Assert (max_output_len >= max_needed);
-    if (max_output_len < max_needed) {
-	/* PORT_SetError (XXX); */
-	return SECFailure;
-    }
-
-    bsize = cc->block_size;
-    padsize = cc->pad_size;
-
-    /*
-     * When no blocking and padding work to do, we can simply call the
-     * cipher function and we are done.
-     */
-    if (bsize == 0) {
-	return (*cc->doit)(cc->cx, output, output_len_p, max_output_len,
-			      input, input_len);
-    }
-
-    pcount = cc->pending_count;
-    pbuf = cc->pending_buf;
-
-    output_len = 0;
-
-    if (pcount) {
-	/*
-	 * Try to fill in an entire block, starting with the bytes
-	 * we already have saved away.
-	 */
-	while (input_len && pcount < bsize) {
-	    pbuf[pcount++] = *input++;
-	    input_len--;
-	}
-	/*
-	 * If we do not have a full block and we know we will be
-	 * called again, then we are done for now.
-	 */
-	if (pcount < bsize && !final) {
-	    cc->pending_count = pcount;
-	    if (output_len_p != NULL)
-		*output_len_p = 0;
-	    return SECSuccess;
-	}
-	/*
-	 * If we have a whole block available, encrypt it.
-	 */
-	if ((padsize == 0) || (pcount % padsize) == 0) {
-	    rv = (* cc->doit) (cc->cx, output, &ofraglen, max_output_len,
-				pbuf, pcount);
-	    if (rv != SECSuccess)
-		return rv;
-
-	    /*
-	     * For now anyway, all of our ciphers have the same number of
-	     * bytes of output as they do input.  If this ever becomes untrue,
-	     * then sec_PKCS7EncryptLength needs to be made smarter!
-	     */
-	    PORT_Assert (ofraglen == pcount);
-
-	    /*
-	     * Account for the bytes now in output.
-	     */
-	    max_output_len -= ofraglen;
-	    output_len += ofraglen;
-	    output += ofraglen;
-
-	    pcount = 0;
-	}
-    }
-
-    if (input_len) {
-	PORT_Assert (pcount == 0);
-
-	blocks = input_len / bsize;
-	ifraglen = blocks * bsize;
-
-	if (ifraglen) {
-	    rv = (* cc->doit) (cc->cx, output, &ofraglen, max_output_len,
-				input, ifraglen);
-	    if (rv != SECSuccess)
-		return rv;
-
-	    /*
-	     * For now anyway, all of our ciphers have the same number of
-	     * bytes of output as they do input.  If this ever becomes untrue,
-	     * then sec_PKCS7EncryptLength needs to be made smarter!
-	     */
-	    PORT_Assert (ifraglen == ofraglen);
-
-	    max_output_len -= ofraglen;
-	    output_len += ofraglen;
-	    output += ofraglen;
-	}
-
-	pcount = input_len - ifraglen;
-	PORT_Assert (pcount < bsize);
-	if (pcount)
-	    PORT_Memcpy (pbuf, input + ifraglen, pcount);
-    }
-
-    if (final) {
-	padlen = padsize - (pcount % padsize);
-	PORT_Memset (pbuf + pcount, padlen, padlen);
-	rv = (* cc->doit) (cc->cx, output, &ofraglen, max_output_len,
-			    pbuf, pcount+padlen);
-	if (rv != SECSuccess)
-	    return rv;
-
-	/*
-	 * For now anyway, all of our ciphers have the same number of
-	 * bytes of output as they do input.  If this ever becomes untrue,
-	 * then sec_PKCS7EncryptLength needs to be made smarter!
-	 */
-	PORT_Assert (ofraglen == (pcount+padlen));
-	output_len += ofraglen;
-    } else {
-	cc->pending_count = pcount;
-    }
-
-    PORT_Assert (output_len_p != NULL || output_len == 0);
-    if (output_len_p != NULL)
-	*output_len_p = output_len;
-
-    return SECSuccess;
-}
diff --git a/security/nss/lib/smime/cmsdecode.c b/security/nss/lib/smime/cmsdecode.c
deleted file mode 100644
index 585371701..000000000
--- a/security/nss/lib/smime/cmsdecode.c
+++ /dev/null
@@ -1,742 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * CMS decoding.
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "cert.h"
-#include "key.h"
-#include "secasn1.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "prtime.h"
-#include "secerr.h"
-
-struct NSSCMSDecoderContextStr {
-    SEC_ASN1DecoderContext *	dcx;		/* ASN.1 decoder context */
-    NSSCMSMessage *		cmsg;		/* backpointer to the root message */
-    SECOidTag			type;		/* type of message */
-    NSSCMSContent		content;	/* pointer to message */
-    NSSCMSDecoderContext *	childp7dcx;	/* inner CMS decoder context */
-    PRBool			saw_contents;
-    int				error;
-    NSSCMSContentCallback	cb;
-    void *			cb_arg;
-};
-
-struct NSSCMSDecoderDataStr {
-    SECItem data; 	/* must be first */
-    unsigned int totalBufferSize;
-};
-
-typedef struct NSSCMSDecoderDataStr NSSCMSDecoderData;
-
-static void      nss_cms_decoder_update_filter (void *arg, const char *data, 
-                 unsigned long len, int depth, SEC_ASN1EncodingPart data_kind);
-static SECStatus nss_cms_before_data(NSSCMSDecoderContext *p7dcx);
-static SECStatus nss_cms_after_data(NSSCMSDecoderContext *p7dcx);
-static SECStatus nss_cms_after_end(NSSCMSDecoderContext *p7dcx);
-static void      nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx, 
-		 const unsigned char *data, unsigned long len, PRBool final);
-static NSSCMSDecoderData *nss_cms_create_decoder_data(PRArenaPool *poolp);
-
-extern const SEC_ASN1Template NSSCMSMessageTemplate[];
-
-static NSSCMSDecoderData *
-nss_cms_create_decoder_data(PRArenaPool *poolp)
-{
-    NSSCMSDecoderData *decoderData = NULL;
-
-    decoderData = (NSSCMSDecoderData *)
-			PORT_ArenaAlloc(poolp,sizeof(NSSCMSDecoderData));
-    if (!decoderData) {
-	return NULL;
-    }
-    decoderData->data.data = NULL;
-    decoderData->data.len = 0;
-    decoderData->totalBufferSize = 0;
-    return decoderData;
-}
-
-/* 
- * nss_cms_decoder_notify -
- *  this is the driver of the decoding process. It gets called by the ASN.1
- *  decoder before and after an object is decoded.
- *  at various points in the decoding process, we intercept to set up and do
- *  further processing.
- */
-static void
-nss_cms_decoder_notify(void *arg, PRBool before, void *dest, int depth)
-{
-    NSSCMSDecoderContext *p7dcx;
-    NSSCMSContentInfo *rootcinfo, *cinfo;
-    PRBool after = !before;
-
-    p7dcx = (NSSCMSDecoderContext *)arg;
-    rootcinfo = &(p7dcx->cmsg->contentInfo);
-
-    /* XXX error handling: need to set p7dcx->error */
-
-#ifdef CMSDEBUG 
-    fprintf(stderr, "%6.6s, dest = 0x%08x, depth = %d\n", before ? "before" : "after", dest, depth);
-#endif
-
-    /* so what are we working on right now? */
-    switch (p7dcx->type) {
-    case SEC_OID_UNKNOWN:
-	/*
-	 * right now, we are still decoding the OUTER (root) cinfo
-	 * As soon as we know the inner content type, set up the info,
-	 * but NO inner decoder or filter. The root decoder handles the first
-	 * level children by itself - only for encapsulated contents (which
-	 * are encoded as DER inside of an OCTET STRING) we need to set up a
-	 * child decoder...
-	 */
-	if (after && dest == &(rootcinfo->contentType)) {
-	    p7dcx->type = NSS_CMSContentInfo_GetContentTypeTag(rootcinfo);
-	    p7dcx->content = rootcinfo->content;	
-	    /* is this ready already ? need to alloc? */
-	    /* XXX yes we need to alloc -- continue here */
-	}
-	break;
-    case SEC_OID_PKCS7_DATA:
-	/* this can only happen if the outermost cinfo has DATA in it */
-	/* otherwise, we handle this type implicitely in the inner decoders */
-
-	if (before && dest == &(rootcinfo->content)) {
-	    /* cause the filter to put the data in the right place... 
-	    ** We want the ASN.1 decoder to deliver the decoded bytes to us 
-	    ** from now on 
-	    */
-	    SEC_ASN1DecoderSetFilterProc(p7dcx->dcx,
-					  nss_cms_decoder_update_filter,
-					  p7dcx,
-					  (PRBool)(p7dcx->cb != NULL));
-	    break;
-	}
-
-	if (after && dest == &(rootcinfo->content.data)) {
-	    /* remove the filter */
-	    SEC_ASN1DecoderClearFilterProc(p7dcx->dcx);
-	}
-	break;
-
-    case SEC_OID_PKCS7_SIGNED_DATA:
-    case SEC_OID_PKCS7_ENVELOPED_DATA:
-    case SEC_OID_PKCS7_DIGESTED_DATA:
-    case SEC_OID_PKCS7_ENCRYPTED_DATA:
-
-	if (before && dest == &(rootcinfo->content))
-	    break;     /* we're not there yet */
-
-	if (p7dcx->content.pointer == NULL)
-	    p7dcx->content = rootcinfo->content;
-
-	/* get this data type's inner contentInfo */
-	cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer, 
-	                                      p7dcx->type);
-
-	if (before && dest == &(cinfo->contentType)) {
-	    /* at this point, set up the &%$&$ back pointer */
-	    /* we cannot do it later, because the content itself is optional! */
-	    /* please give me C++ */
-	    switch (p7dcx->type) {
-	    case SEC_OID_PKCS7_SIGNED_DATA:
-		p7dcx->content.signedData->cmsg = p7dcx->cmsg;
-		break;
-	    case SEC_OID_PKCS7_DIGESTED_DATA:
-		p7dcx->content.digestedData->cmsg = p7dcx->cmsg;
-		break;
-	    case SEC_OID_PKCS7_ENVELOPED_DATA:
-		p7dcx->content.envelopedData->cmsg = p7dcx->cmsg;
-		break;
-	    case SEC_OID_PKCS7_ENCRYPTED_DATA:
-		p7dcx->content.encryptedData->cmsg = p7dcx->cmsg;
-		break;
-	    default:
-		PORT_Assert(0);
-		break;
-	    }
-	}
-
-	if (before && dest == &(cinfo->rawContent)) {
-	    /* we want the ASN.1 decoder to deliver the decoded bytes to us 
-	    ** from now on 
-	    */
-	    SEC_ASN1DecoderSetFilterProc(p7dcx->dcx, 
-	                                 nss_cms_decoder_update_filter, 
-					 p7dcx, (PRBool)(p7dcx->cb != NULL));
-
-
-	    /* we're right in front of the data */
-	    if (nss_cms_before_data(p7dcx) != SECSuccess) {
-		SEC_ASN1DecoderClearFilterProc(p7dcx->dcx);	
-		/* stop all processing */
-		p7dcx->error = PORT_GetError();
-	    }
-	}
-	if (after && dest == &(cinfo->rawContent)) {
-	    /* we're right after of the data */
-	    if (nss_cms_after_data(p7dcx) != SECSuccess)
-		p7dcx->error = PORT_GetError();
-
-	    /* we don't need to see the contents anymore */
-	    SEC_ASN1DecoderClearFilterProc(p7dcx->dcx);
-	}
-	break;
-
-#if 0 /* NIH */
-    case SEC_OID_PKCS7_AUTHENTICATED_DATA:
-#endif
-    default:
-	/* unsupported or unknown message type - fail  gracefully */
-	p7dcx->error = SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE;
-	break;
-    }
-}
-
-/*
- * nss_cms_before_data - set up the current encoder to receive data
- */
-static SECStatus
-nss_cms_before_data(NSSCMSDecoderContext *p7dcx)
-{
-    SECStatus rv;
-    SECOidTag childtype;
-    PLArenaPool *poolp;
-    NSSCMSDecoderContext *childp7dcx;
-    NSSCMSContentInfo *cinfo;
-    const SEC_ASN1Template *template;
-    void *mark = NULL;
-    size_t size;
-    
-    poolp = p7dcx->cmsg->poolp;
-
-    /* call _Decode_BeforeData handlers */
-    switch (p7dcx->type) {
-    case SEC_OID_PKCS7_SIGNED_DATA:
-	/* we're decoding a signedData, so set up the digests */
-	rv = NSS_CMSSignedData_Decode_BeforeData(p7dcx->content.signedData);
-	break;
-    case SEC_OID_PKCS7_DIGESTED_DATA:
-	/* we're encoding a digestedData, so set up the digest */
-	rv = NSS_CMSDigestedData_Decode_BeforeData(p7dcx->content.digestedData);
-	break;
-    case SEC_OID_PKCS7_ENVELOPED_DATA:
-	rv = NSS_CMSEnvelopedData_Decode_BeforeData(
-	                             p7dcx->content.envelopedData);
-	break;
-    case SEC_OID_PKCS7_ENCRYPTED_DATA:
-	rv = NSS_CMSEncryptedData_Decode_BeforeData(
-	                             p7dcx->content.encryptedData);
-	break;
-    default:
-	return SECFailure;
-    }
-    if (rv != SECSuccess)
-	return SECFailure;
-
-    /* ok, now we have a pointer to cinfo */
-    /* find out what kind of data is encapsulated */
-    
-    cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer, p7dcx->type);
-    childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
-
-    if (childtype == SEC_OID_PKCS7_DATA) {
-	cinfo->content.pointer = (void *) nss_cms_create_decoder_data(poolp);
-	if (cinfo->content.pointer == NULL)
-	    /* set memory error */
-	    return SECFailure;
-
-	p7dcx->childp7dcx = NULL;
-	return SECSuccess;
-    }
-
-    /* set up inner decoder */
-
-    if ((template = NSS_CMSUtil_GetTemplateByTypeTag(childtype)) == NULL)
-	return SECFailure;
-
-    childp7dcx = PORT_ZNew(NSSCMSDecoderContext);
-    if (childp7dcx == NULL)
-	return SECFailure;
-
-    mark = PORT_ArenaMark(poolp);
-
-    /* allocate space for the stuff we're creating */
-    size = NSS_CMSUtil_GetSizeByTypeTag(childtype);
-    childp7dcx->content.pointer = (void *)PORT_ArenaZAlloc(poolp, size);
-    if (childp7dcx->content.pointer == NULL)
-	goto loser;
-
-    /* start the child decoder */
-    childp7dcx->dcx = SEC_ASN1DecoderStart(poolp, childp7dcx->content.pointer, 
-                                           template);
-    if (childp7dcx->dcx == NULL)
-	goto loser;
-
-    /* the new decoder needs to notify, too */
-    SEC_ASN1DecoderSetNotifyProc(childp7dcx->dcx, nss_cms_decoder_notify, 
-                                 childp7dcx);
-
-    /* tell the parent decoder that it needs to feed us the content data */
-    p7dcx->childp7dcx = childp7dcx;
-
-    childp7dcx->type = childtype;	/* our type */
-
-    childp7dcx->cmsg = p7dcx->cmsg;	/* backpointer to root message */
-
-    /* should the child decoder encounter real data, 
-    ** it must give it to the caller 
-    */
-    childp7dcx->cb = p7dcx->cb;
-    childp7dcx->cb_arg = p7dcx->cb_arg;
-
-    /* now set up the parent to hand decoded data to the next level decoder */
-    p7dcx->cb = (NSSCMSContentCallback)NSS_CMSDecoder_Update;
-    p7dcx->cb_arg = childp7dcx;
-
-    PORT_ArenaUnmark(poolp, mark);
-
-    return SECSuccess;
-
-loser:
-    if (mark)
-	PORT_ArenaRelease(poolp, mark);
-    if (childp7dcx)
-	PORT_Free(childp7dcx);
-    p7dcx->childp7dcx = NULL;
-    return SECFailure;
-}
-
-static SECStatus
-nss_cms_after_data(NSSCMSDecoderContext *p7dcx)
-{
-    NSSCMSDecoderContext *childp7dcx;
-    SECStatus rv = SECFailure;
-
-    /* Handle last block. This is necessary to flush out the last bytes
-     * of a possibly incomplete block */
-    nss_cms_decoder_work_data(p7dcx, NULL, 0, PR_TRUE);
-
-    /* finish any "inner" decoders - there's no more data coming... */
-    if (p7dcx->childp7dcx != NULL) {
-	childp7dcx = p7dcx->childp7dcx;
-	if (childp7dcx->dcx != NULL) {
-	    if (SEC_ASN1DecoderFinish(childp7dcx->dcx) != SECSuccess) {
-		/* do what? free content? */
-		rv = SECFailure;
-	    } else {
-		rv = nss_cms_after_end(childp7dcx);
-	    }
-	    if (rv != SECSuccess)
-		goto done;
-	}
-	PORT_Free(p7dcx->childp7dcx);
-	p7dcx->childp7dcx = NULL;
-    }
-
-    switch (p7dcx->type) {
-    case SEC_OID_PKCS7_SIGNED_DATA:
-	/* this will finish the digests and verify */
-	rv = NSS_CMSSignedData_Decode_AfterData(p7dcx->content.signedData);
-	break;
-    case SEC_OID_PKCS7_ENVELOPED_DATA:
-	rv = NSS_CMSEnvelopedData_Decode_AfterData(
-	                            p7dcx->content.envelopedData);
-	break;
-    case SEC_OID_PKCS7_DIGESTED_DATA:
-	rv = NSS_CMSDigestedData_Decode_AfterData(
-	                           p7dcx->content.digestedData);
-	break;
-    case SEC_OID_PKCS7_ENCRYPTED_DATA:
-	rv = NSS_CMSEncryptedData_Decode_AfterData(
-	                            p7dcx->content.encryptedData);
-	break;
-    case SEC_OID_PKCS7_DATA:
-	/* do nothing */
-	break;
-    default:
-	rv = SECFailure;
-	break;
-    }
-done:
-    return rv;
-}
-
-static SECStatus
-nss_cms_after_end(NSSCMSDecoderContext *p7dcx)
-{
-    SECStatus rv = SECSuccess;
-
-    switch (p7dcx->type) {
-    case SEC_OID_PKCS7_SIGNED_DATA:
-	if (p7dcx->content.signedData)
-	    rv = NSS_CMSSignedData_Decode_AfterEnd(p7dcx->content.signedData);
-	break;
-    case SEC_OID_PKCS7_ENVELOPED_DATA:
-	if (p7dcx->content.envelopedData)
-	    rv = NSS_CMSEnvelopedData_Decode_AfterEnd(
-	                               p7dcx->content.envelopedData);
-	break;
-    case SEC_OID_PKCS7_DIGESTED_DATA:
-	if (p7dcx->content.digestedData)
-	    rv = NSS_CMSDigestedData_Decode_AfterEnd(
-	                              p7dcx->content.digestedData);
-	break;
-    case SEC_OID_PKCS7_ENCRYPTED_DATA:
-	if (p7dcx->content.encryptedData)
-	    rv = NSS_CMSEncryptedData_Decode_AfterEnd(
-	                               p7dcx->content.encryptedData);
-	break;
-    case SEC_OID_PKCS7_DATA:
-	break;
-    default:
-	rv = SECFailure;	/* we should not have got that far... */
-	break;
-    }
-    return rv;
-}
-
-/*
- * nss_cms_decoder_work_data - handle decoded data bytes.
- *
- * This function either decrypts the data if needed, and/or calculates digests
- * on it, then either stores it or passes it on to the next level decoder.
- */
-static void
-nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx, 
-			     const unsigned char *data, unsigned long len,
-			     PRBool final)
-{
-    NSSCMSContentInfo *cinfo;
-    unsigned char *buf = NULL;
-    unsigned char *dest;
-    unsigned int offset;
-    SECStatus rv;
-
-    /*
-     * We should really have data to process, or we should be trying
-     * to finish/flush the last block.  (This is an overly paranoid
-     * check since all callers are in this file and simple inspection
-     * proves they do it right.  But it could find a bug in future
-     * modifications/development, that is why it is here.)
-     */
-    PORT_Assert ((data != NULL && len) || final);
-
-    cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer, p7dcx->type);
-
-    if (cinfo->ciphcx != NULL) {
-	/*
-	 * we are decrypting.
-	 * 
-	 * XXX If we get an error, we do not want to do the digest or callback,
-	 * but we want to keep decoding.  Or maybe we want to stop decoding
-	 * altogether if there is a callback, because obviously we are not
-	 * sending the data back and they want to know that.
-	 */
-
-	unsigned int outlen = 0;	/* length of decrypted data */
-	unsigned int buflen;		/* length available for decrypted data */
-
-	/* find out about the length of decrypted data */
-	buflen = NSS_CMSCipherContext_DecryptLength(cinfo->ciphcx, len, final);
-
-	/*
-	 * it might happen that we did not provide enough data for a full
-	 * block (decryption unit), and that there is no output available
-	 */
-
-	/* no output available, AND no input? */
-	if (buflen == 0 && len == 0)
-	    goto loser;	/* bail out */
-
-	/*
-	 * have inner decoder: pass the data on (means inner content type is NOT data)
-	 * no inner decoder: we have DATA in here: either call callback or store
-	 */
-	if (buflen != 0) {
-	    /* there will be some output - need to make room for it */
-	    /* allocate buffer from the heap */
-	    buf = (unsigned char *)PORT_Alloc(buflen);
-	    if (buf == NULL) {
-		p7dcx->error = SEC_ERROR_NO_MEMORY;
-		goto loser;
-	    }
-	}
-
-	/*
-	 * decrypt incoming data
-	 * buf can still be NULL here (and buflen == 0) here if we don't expect
-	 * any output (see above), but we still need to call NSS_CMSCipherContext_Decrypt to
-	 * keep track of incoming data
-	 */
-	rv = NSS_CMSCipherContext_Decrypt(cinfo->ciphcx, buf, &outlen, buflen,
-			       data, len, final);
-	if (rv != SECSuccess) {
-	    p7dcx->error = PORT_GetError();
-	    goto loser;
-	}
-
-	PORT_Assert (final || outlen == buflen);
-	
-	/* swap decrypted data in */
-	data = buf;
-	len = outlen;
-    }
-
-    if (len == 0)
-	goto done;		/* nothing more to do */
-
-    /*
-     * Update the running digests with plaintext bytes (if we need to).
-     */
-    if (cinfo->digcx)
-	NSS_CMSDigestContext_Update(cinfo->digcx, data, len);
-
-    /* at this point, we have the plain decoded & decrypted data 
-    ** which is either more encoded DER (which we need to hand to the child 
-    ** decoder) or data we need to hand back to our caller 
-    */
-
-    /* pass the content back to our caller or */
-    /* feed our freshly decrypted and decoded data into child decoder */
-    if (p7dcx->cb != NULL) {
-	(*p7dcx->cb)(p7dcx->cb_arg, (const char *)data, len);
-    }
-#if 1
-    else
-#endif
-    if (NSS_CMSContentInfo_GetContentTypeTag(cinfo) == SEC_OID_PKCS7_DATA) {
-	/* store it in "inner" data item as well */
-	/* find the DATA item in the encapsulated cinfo and store it there */
-	NSSCMSDecoderData *decoderData = 
-				(NSSCMSDecoderData *)cinfo->content.pointer;
-	SECItem *dataItem = &decoderData->data;
-
-	offset = dataItem->len;
-	if (dataItem->len+len > decoderData->totalBufferSize) {
-	    int needLen = (dataItem->len+len) * 2;
-	    dest = (unsigned char *)
-				PORT_ArenaAlloc(p7dcx->cmsg->poolp, needLen);
-	    if (dest == NULL) {
-		p7dcx->error = SEC_ERROR_NO_MEMORY;
-		goto loser;
-	    }
-
-	    if (dataItem->len) {
-		PORT_Memcpy(dest, dataItem->data, dataItem->len);
-	    }
-	    decoderData->totalBufferSize = needLen;
-	    dataItem->data = dest;
-	}
-
-	/* copy it in */
-	PORT_Memcpy(dataItem->data + offset, data, len);
-	dataItem->len += len;
-    }
-
-done:
-loser:
-    if (buf)
-	PORT_Free (buf);
-}
-
-/*
- * nss_cms_decoder_update_filter - process ASN.1 data
- *
- * once we have set up a filter in nss_cms_decoder_notify(),
- * all data processed by the ASN.1 decoder is also passed through here.
- * we pass the content bytes (as opposed to length and tag bytes) on to
- * nss_cms_decoder_work_data().
- */
-static void
-nss_cms_decoder_update_filter (void *arg, const char *data, unsigned long len,
-			  int depth, SEC_ASN1EncodingPart data_kind)
-{
-    NSSCMSDecoderContext *p7dcx;
-
-    PORT_Assert (len);	/* paranoia */
-    if (len == 0)
-	return;
-
-    p7dcx = (NSSCMSDecoderContext*)arg;
-
-    p7dcx->saw_contents = PR_TRUE;
-
-    /* pass on the content bytes only */
-    if (data_kind == SEC_ASN1_Contents)
-	nss_cms_decoder_work_data(p7dcx, (const unsigned char *) data, len, 
-	                          PR_FALSE);
-}
-
-/*
- * NSS_CMSDecoder_Start - set up decoding of a DER-encoded CMS message
- *
- * "poolp" - pointer to arena for message, or NULL if new pool should be created
- * "cb", "cb_arg" - callback function and argument for delivery of inner content
- * "pwfn", pwfn_arg" - callback function for getting token password
- * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData
- */
-NSSCMSDecoderContext *
-NSS_CMSDecoder_Start(PRArenaPool *poolp,
-		      NSSCMSContentCallback cb, void *cb_arg,
-		      PK11PasswordFunc pwfn, void *pwfn_arg,
-		      NSSCMSGetDecryptKeyCallback decrypt_key_cb, 
-		      void *decrypt_key_cb_arg)
-{
-    NSSCMSDecoderContext *p7dcx;
-    NSSCMSMessage *cmsg;
-
-    cmsg = NSS_CMSMessage_Create(poolp);
-    if (cmsg == NULL)
-	return NULL;
-
-    NSS_CMSMessage_SetEncodingParams(cmsg, pwfn, pwfn_arg, decrypt_key_cb, 
-                                     decrypt_key_cb_arg, NULL, NULL);
-
-    p7dcx = PORT_ZNew(NSSCMSDecoderContext);
-    if (p7dcx == NULL) {
-	NSS_CMSMessage_Destroy(cmsg);
-	return NULL;
-    }
-
-    p7dcx->dcx = SEC_ASN1DecoderStart(cmsg->poolp, cmsg, NSSCMSMessageTemplate);
-    if (p7dcx->dcx == NULL) {
-	PORT_Free (p7dcx);
-	NSS_CMSMessage_Destroy(cmsg);
-	return NULL;
-    }
-
-    SEC_ASN1DecoderSetNotifyProc (p7dcx->dcx, nss_cms_decoder_notify, p7dcx);
-
-    p7dcx->cmsg = cmsg;
-    p7dcx->type = SEC_OID_UNKNOWN;
-
-    p7dcx->cb = cb;
-    p7dcx->cb_arg = cb_arg;
-
-    return p7dcx;
-}
-
-/*
- * NSS_CMSDecoder_Update - feed DER-encoded data to decoder
- */
-SECStatus
-NSS_CMSDecoder_Update(NSSCMSDecoderContext *p7dcx, const char *buf, 
-                      unsigned long len)
-{
-    SECStatus rv;
-    if (p7dcx->dcx != NULL && p7dcx->error == 0) {	
-    	/* if error is set already, don't bother */
-	rv = SEC_ASN1DecoderUpdate(p7dcx->dcx, buf, len);
-	if (rv != SECSuccess) {
-	    p7dcx->error = PORT_GetError();
-	    PORT_Assert (p7dcx->error);
-	    if (p7dcx->error == 0)
-		p7dcx->error = -1;
-	}
-    }
-
-    if (p7dcx->error == 0)
-	return SECSuccess;
-
-    /* there has been a problem, let's finish the decoder */
-    if (p7dcx->dcx != NULL) {
-	(void) SEC_ASN1DecoderFinish (p7dcx->dcx);
-	p7dcx->dcx = NULL;
-    }
-    PORT_SetError (p7dcx->error);
-
-    return SECFailure;
-}
-
-/*
- * NSS_CMSDecoder_Cancel - stop decoding in case of error
- */
-void
-NSS_CMSDecoder_Cancel(NSSCMSDecoderContext *p7dcx)
-{
-    /* XXXX what about inner decoders? running digests? decryption? */
-    /* XXXX there's a leak here! */
-    NSS_CMSMessage_Destroy(p7dcx->cmsg);
-    (void)SEC_ASN1DecoderFinish(p7dcx->dcx);
-    PORT_Free(p7dcx);
-}
-
-/*
- * NSS_CMSDecoder_Finish - mark the end of inner content and finish decoding
- */
-NSSCMSMessage *
-NSS_CMSDecoder_Finish(NSSCMSDecoderContext *p7dcx)
-{
-    NSSCMSMessage *cmsg;
-
-    cmsg = p7dcx->cmsg;
-
-    if (p7dcx->dcx == NULL || 
-        SEC_ASN1DecoderFinish(p7dcx->dcx) != SECSuccess ||
-	nss_cms_after_end(p7dcx) != SECSuccess)
-    {
-	NSS_CMSMessage_Destroy(cmsg);	/* get rid of pool if it's ours */
-	cmsg = NULL;
-    }
-
-    PORT_Free(p7dcx);
-    return cmsg;
-}
-
-NSSCMSMessage *
-NSS_CMSMessage_CreateFromDER(SECItem *DERmessage,
-		    NSSCMSContentCallback cb, void *cb_arg,
-		    PK11PasswordFunc pwfn, void *pwfn_arg,
-		    NSSCMSGetDecryptKeyCallback decrypt_key_cb, 
-		    void *decrypt_key_cb_arg)
-{
-    NSSCMSDecoderContext *p7dcx;
-
-    /* first arg(poolp) == NULL => create our own pool */
-    p7dcx = NSS_CMSDecoder_Start(NULL, cb, cb_arg, pwfn, pwfn_arg, 
-                                 decrypt_key_cb, decrypt_key_cb_arg);
-    NSS_CMSDecoder_Update(p7dcx, (char *)DERmessage->data, DERmessage->len);
-    return NSS_CMSDecoder_Finish(p7dcx);
-}
-
diff --git a/security/nss/lib/smime/cmsdigdata.c b/security/nss/lib/smime/cmsdigdata.c
deleted file mode 100644
index e3eb4159d..000000000
--- a/security/nss/lib/smime/cmsdigdata.c
+++ /dev/null
@@ -1,231 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * CMS digestedData methods.
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "secitem.h"
-#include "secasn1.h"
-#include "secoid.h"
-#include "secerr.h"
-
-/*
- * NSS_CMSDigestedData_Create - create a digestedData object (presumably for encoding)
- *
- * version will be set by NSS_CMSDigestedData_Encode_BeforeStart
- * digestAlg is passed as parameter
- * contentInfo must be filled by the user
- * digest will be calculated while encoding
- */
-NSSCMSDigestedData *
-NSS_CMSDigestedData_Create(NSSCMSMessage *cmsg, SECAlgorithmID *digestalg)
-{
-    void *mark;
-    NSSCMSDigestedData *digd;
-    PLArenaPool *poolp;
-
-    poolp = cmsg->poolp;
-
-    mark = PORT_ArenaMark(poolp);
-
-    digd = (NSSCMSDigestedData *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSDigestedData));
-    if (digd == NULL)
-	goto loser;
-
-    digd->cmsg = cmsg;
-
-    if (SECOID_CopyAlgorithmID (poolp, &(digd->digestAlg), digestalg) != SECSuccess)
-	goto loser;
-
-    PORT_ArenaUnmark(poolp, mark);
-    return digd;
-
-loser:
-    PORT_ArenaRelease(poolp, mark);
-    return NULL;
-}
-
-/*
- * NSS_CMSDigestedData_Destroy - destroy a digestedData object
- */
-void
-NSS_CMSDigestedData_Destroy(NSSCMSDigestedData *digd)
-{
-    /* everything's in a pool, so don't worry about the storage */
-    NSS_CMSContentInfo_Destroy(&(digd->contentInfo));
-    return;
-}
-
-/*
- * NSS_CMSDigestedData_GetContentInfo - return pointer to digestedData object's contentInfo
- */
-NSSCMSContentInfo *
-NSS_CMSDigestedData_GetContentInfo(NSSCMSDigestedData *digd)
-{
-    return &(digd->contentInfo);
-}
-
-/*
- * NSS_CMSDigestedData_Encode_BeforeStart - do all the necessary things to a DigestedData
- *     before encoding begins.
- *
- * In particular:
- *  - set the right version number. The contentInfo's content type must be set up already.
- */
-SECStatus
-NSS_CMSDigestedData_Encode_BeforeStart(NSSCMSDigestedData *digd)
-{
-    unsigned long version;
-    SECItem *dummy;
-
-    version = NSS_CMS_DIGESTED_DATA_VERSION_DATA;
-    if (NSS_CMSContentInfo_GetContentTypeTag(&(digd->contentInfo)) != SEC_OID_PKCS7_DATA)
-	version = NSS_CMS_DIGESTED_DATA_VERSION_ENCAP;
-
-    dummy = SEC_ASN1EncodeInteger(digd->cmsg->poolp, &(digd->version), version);
-    return (dummy == NULL) ? SECFailure : SECSuccess;
-}
-
-/*
- * NSS_CMSDigestedData_Encode_BeforeData - do all the necessary things to a DigestedData
- *     before the encapsulated data is passed through the encoder.
- *
- * In detail:
- *  - set up the digests if necessary
- */
-SECStatus
-NSS_CMSDigestedData_Encode_BeforeData(NSSCMSDigestedData *digd)
-{
-    /* set up the digests */
-    if (digd->digestAlg.algorithm.len != 0 && digd->digest.len == 0) {
-	/* if digest is already there, do nothing */
-	digd->contentInfo.digcx = NSS_CMSDigestContext_StartSingle(&(digd->digestAlg));
-	if (digd->contentInfo.digcx == NULL)
-	    return SECFailure;
-    }
-    return SECSuccess;
-}
-
-/*
- * NSS_CMSDigestedData_Encode_AfterData - do all the necessary things to a DigestedData
- *     after all the encapsulated data was passed through the encoder.
- *
- * In detail:
- *  - finish the digests
- */
-SECStatus
-NSS_CMSDigestedData_Encode_AfterData(NSSCMSDigestedData *digd)
-{
-    SECStatus rv = SECSuccess;
-    /* did we have digest calculation going on? */
-    if (digd->contentInfo.digcx) {
-	rv = NSS_CMSDigestContext_FinishSingle(digd->contentInfo.digcx,
-				               digd->cmsg->poolp, 
-					       &(digd->digest));
-	/* error has been set by NSS_CMSDigestContext_FinishSingle */
-	digd->contentInfo.digcx = NULL;
-    }
-
-    return rv;
-}
-
-/*
- * NSS_CMSDigestedData_Decode_BeforeData - do all the necessary things to a DigestedData
- *     before the encapsulated data is passed through the encoder.
- *
- * In detail:
- *  - set up the digests if necessary
- */
-SECStatus
-NSS_CMSDigestedData_Decode_BeforeData(NSSCMSDigestedData *digd)
-{
-    /* is there a digest algorithm yet? */
-    if (digd->digestAlg.algorithm.len == 0)
-	return SECFailure;
-
-    digd->contentInfo.digcx = NSS_CMSDigestContext_StartSingle(&(digd->digestAlg));
-    if (digd->contentInfo.digcx == NULL)
-	return SECFailure;
-
-    return SECSuccess;
-}
-
-/*
- * NSS_CMSDigestedData_Decode_AfterData - do all the necessary things to a DigestedData
- *     after all the encapsulated data was passed through the encoder.
- *
- * In detail:
- *  - finish the digests
- */
-SECStatus
-NSS_CMSDigestedData_Decode_AfterData(NSSCMSDigestedData *digd)
-{
-    SECStatus rv = SECSuccess;
-    /* did we have digest calculation going on? */
-    if (digd->contentInfo.digcx) {
-	rv = NSS_CMSDigestContext_FinishSingle(digd->contentInfo.digcx,
-				               digd->cmsg->poolp, 
-					       &(digd->cdigest));
-	/* error has been set by NSS_CMSDigestContext_FinishSingle */
-	digd->contentInfo.digcx = NULL;
-    }
-
-    return rv;
-}
-
-/*
- * NSS_CMSDigestedData_Decode_AfterEnd - finalize a digestedData.
- *
- * In detail:
- *  - check the digests for equality
- */
-SECStatus
-NSS_CMSDigestedData_Decode_AfterEnd(NSSCMSDigestedData *digd)
-{
-    /* did we have digest calculation going on? */
-    if (digd->cdigest.len != 0) {
-	/* XXX comparision btw digest & cdigest */
-	/* XXX set status */
-	/* TODO!!!! */
-    }
-
-    return SECSuccess;
-}
diff --git a/security/nss/lib/smime/cmsdigest.c b/security/nss/lib/smime/cmsdigest.c
deleted file mode 100644
index e0e923a77..000000000
--- a/security/nss/lib/smime/cmsdigest.c
+++ /dev/null
@@ -1,294 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * CMS digesting.
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "cert.h"
-#include "key.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "prtime.h"
-#include "secerr.h"
-
-/*  #define CMS_FIND_LEAK_MULTIPLE 1 */
-#ifdef CMS_FIND_LEAK_MULTIPLE
-static int stop_on_err = 1;
-static int global_num_digests = 0;
-#endif
-
-struct digestPairStr { 
-    const SECHashObject * digobj;
-    void *                digcx;
-};
-typedef struct digestPairStr digestPair;
-
-struct NSSCMSDigestContextStr {
-    PRBool		saw_contents;
-    PLArenaPool *       pool;
-    int			digcnt;
-    digestPair  *       digPairs;
-};
-
-
-/*
- * NSS_CMSDigestContext_StartMultiple - start digest calculation using all the
- *  digest algorithms in "digestalgs" in parallel.
- */
-NSSCMSDigestContext *
-NSS_CMSDigestContext_StartMultiple(SECAlgorithmID **digestalgs)
-{
-    PLArenaPool *        pool;
-    NSSCMSDigestContext *cmsdigcx;
-    int digcnt;
-    int i;
-
-#ifdef CMS_FIND_LEAK_MULTIPLE
-    PORT_Assert(global_num_digests == 0 || !stop_on_err);
-#endif
-
-    digcnt = (digestalgs == NULL) ? 0 : NSS_CMSArray_Count((void **)digestalgs);
-    /* It's OK if digcnt is zero.  We have to allow this for "certs only"
-    ** messages.
-    */
-    pool = PORT_NewArena(2048);
-    if (!pool)
-    	return NULL;
-
-    cmsdigcx = PORT_ArenaNew(pool, NSSCMSDigestContext);
-    if (cmsdigcx == NULL)
-	goto loser;
-
-    cmsdigcx->saw_contents = PR_FALSE;
-    cmsdigcx->pool   = pool;
-    cmsdigcx->digcnt = digcnt;
-
-    cmsdigcx->digPairs = PORT_ArenaZNewArray(pool, digestPair, digcnt);
-    if (cmsdigcx->digPairs == NULL) {
-	goto loser;
-    }
-
-    /*
-     * Create a digest object context for each algorithm.
-     */
-    for (i = 0; i < digcnt; i++) {
-	const SECHashObject *digobj;
-	void *digcx;
-
-	digobj = NSS_CMSUtil_GetHashObjByAlgID(digestalgs[i]);
-	/*
-	 * Skip any algorithm we do not even recognize; obviously,
-	 * this could be a problem, but if it is critical then the
-	 * result will just be that the signature does not verify.
-	 * We do not necessarily want to error out here, because
-	 * the particular algorithm may not actually be important,
-	 * but we cannot know that until later.
-	 */
-	if (digobj == NULL)
-	    continue;
-
-	digcx = (*digobj->create)();
-	if (digcx != NULL) {
-	    (*digobj->begin) (digcx);
-	    cmsdigcx->digPairs[i].digobj = digobj;
-	    cmsdigcx->digPairs[i].digcx  = digcx;
-#ifdef CMS_FIND_LEAK_MULTIPLE
-	    global_num_digests++;
-#endif
-	}
-    }
-    return cmsdigcx;
-
-loser:
-    /* no digest objects have been created, or need to be destroyed. */
-    if (pool) {
-    	PORT_FreeArena(pool, PR_FALSE);
-    }
-    return NULL;
-}
-
-/*
- * NSS_CMSDigestContext_StartSingle - same as 
- * NSS_CMSDigestContext_StartMultiple, but only one algorithm.
- */
-NSSCMSDigestContext *
-NSS_CMSDigestContext_StartSingle(SECAlgorithmID *digestalg)
-{
-    SECAlgorithmID *digestalgs[] = { NULL, NULL };		/* fake array */
-
-    digestalgs[0] = digestalg;
-    return NSS_CMSDigestContext_StartMultiple(digestalgs);
-}
-
-/*
- * NSS_CMSDigestContext_Update - feed more data into the digest machine
- */
-void
-NSS_CMSDigestContext_Update(NSSCMSDigestContext *cmsdigcx, 
-                            const unsigned char *data, int len)
-{
-    int i;
-    digestPair *pair = cmsdigcx->digPairs;
-
-    cmsdigcx->saw_contents = PR_TRUE;
-
-    for (i = 0; i < cmsdigcx->digcnt; i++, pair++) {
-	if (pair->digcx) {
-	    (*pair->digobj->update)(pair->digcx, data, len);
-    	}
-    }
-}
-
-/*
- * NSS_CMSDigestContext_Cancel - cancel digesting operation
- */
-void
-NSS_CMSDigestContext_Cancel(NSSCMSDigestContext *cmsdigcx)
-{
-    int i;
-    digestPair *pair = cmsdigcx->digPairs;
-
-    for (i = 0; i < cmsdigcx->digcnt; i++, pair++) {
-	if (pair->digcx) {
-	    (*pair->digobj->destroy)(pair->digcx, PR_TRUE);
-#ifdef CMS_FIND_LEAK_MULTIPLE
-	    --global_num_digests;
-#endif
-    	}
-    }
-#ifdef CMS_FIND_LEAK_MULTIPLE
-    PORT_Assert(global_num_digests == 0 || !stop_on_err);
-#endif
-    PORT_FreeArena(cmsdigcx->pool, PR_FALSE);
-}
-
-/*
- * NSS_CMSDigestContext_FinishMultiple - finish the digests and put them
- *  into an array of SECItems (allocated on poolp)
- */
-SECStatus
-NSS_CMSDigestContext_FinishMultiple(NSSCMSDigestContext *cmsdigcx, 
-                                    PLArenaPool *poolp,
-			            SECItem ***digestsp)
-{
-    SECItem **  digests = NULL;
-    digestPair *pair;
-    void *      mark;
-    int         i;
-    SECStatus   rv;
-
-    /* no contents? do not finish digests */
-    if (digestsp == NULL || !cmsdigcx->saw_contents) {
-	rv = SECSuccess;
-	goto cleanup;
-    }
-
-    mark = PORT_ArenaMark (poolp);
-
-    /* allocate digest array & SECItems on arena */
-    digests = PORT_ArenaNewArray( poolp, SECItem *, cmsdigcx->digcnt + 1);
-
-    rv = ((digests == NULL) ? SECFailure : SECSuccess);
-    pair = cmsdigcx->digPairs;
-    for (i = 0; rv == SECSuccess && i < cmsdigcx->digcnt; i++, pair++) {
-	SECItem digest;
-	unsigned char hash[HASH_LENGTH_MAX];
-
-	if (!pair->digcx) {
-	    digests[i] = NULL;
-	    continue;
-	}
-
-	digest.type = siBuffer;
-	digest.data = hash;
-	digest.len  = pair->digobj->length;
-	(* pair->digobj->end)(pair->digcx, hash, &digest.len, digest.len);
-	digests[i] = SECITEM_ArenaDupItem(poolp, &digest);
-	if (!digests[i]) {
-	    rv = SECFailure;
-	}
-    }
-    digests[i] = NULL;
-    if (rv == SECSuccess) {
-	PORT_ArenaUnmark(poolp, mark);
-    } else
-	PORT_ArenaRelease(poolp, mark);
-
-cleanup:
-    NSS_CMSDigestContext_Cancel(cmsdigcx);
-    /* Don't change the caller's digests pointer if we have no digests.
-    **  NSS_CMSSignedData_Encode_AfterData depends on this behavior.
-    */
-    if (rv == SECSuccess && digestsp && digests) {
-	*digestsp = digests;
-    }
-    return rv;
-}
-
-/*
- * NSS_CMSDigestContext_FinishSingle - same as 
- * NSS_CMSDigestContext_FinishMultiple, but for one digest.
- */
-SECStatus
-NSS_CMSDigestContext_FinishSingle(NSSCMSDigestContext *cmsdigcx, 
-                                  PLArenaPool *poolp,
-			          SECItem *digest)
-{
-    SECStatus rv = SECFailure;
-    SECItem **dp;
-    PLArenaPool *arena = NULL;
-
-    if ((arena = PORT_NewArena(1024)) == NULL)
-	goto loser;
-
-    /* get the digests into arena, then copy the first digest into poolp */
-    rv = NSS_CMSDigestContext_FinishMultiple(cmsdigcx, arena, &dp);
-    if (rv == SECSuccess) {
-	/* now copy it into poolp */
-	rv = SECITEM_CopyItem(poolp, digest, dp[0]);
-    }
-loser:
-    if (arena)
-	PORT_FreeArena(arena, PR_FALSE);
-
-    return rv;
-}
diff --git a/security/nss/lib/smime/cmsencdata.c b/security/nss/lib/smime/cmsencdata.c
deleted file mode 100644
index 0bcbb680a..000000000
--- a/security/nss/lib/smime/cmsencdata.c
+++ /dev/null
@@ -1,280 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * CMS encryptedData methods.
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "key.h"
-#include "secasn1.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "prtime.h"
-#include "secerr.h"
-#include "secpkcs5.h"
-
-/*
- * NSS_CMSEncryptedData_Create - create an empty encryptedData object.
- *
- * "algorithm" specifies the bulk encryption algorithm to use.
- * "keysize" is the key size.
- * 
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-NSSCMSEncryptedData *
-NSS_CMSEncryptedData_Create(NSSCMSMessage *cmsg, SECOidTag algorithm, int keysize)
-{
-    void *mark;
-    NSSCMSEncryptedData *encd;
-    PLArenaPool *poolp;
-    SECAlgorithmID *pbe_algid;
-    SECStatus rv;
-
-    poolp = cmsg->poolp;
-
-    mark = PORT_ArenaMark(poolp);
-
-    encd = (NSSCMSEncryptedData *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSEncryptedData));
-    if (encd == NULL)
-	goto loser;
-
-    encd->cmsg = cmsg;
-
-    /* version is set in NSS_CMSEncryptedData_Encode_BeforeStart() */
-
-    switch (algorithm) {
-    /* XXX hmmm... hardcoded algorithms? */
-    case SEC_OID_RC2_CBC:
-    case SEC_OID_DES_EDE3_CBC:
-    case SEC_OID_DES_CBC:
-	rv = NSS_CMSContentInfo_SetContentEncAlg(poolp, &(encd->contentInfo), algorithm, NULL, keysize);
-	break;
-    default:
-	/* Assume password-based-encryption.  At least, try that. */
-	pbe_algid = PK11_CreatePBEAlgorithmID(algorithm, 1, NULL);
-	if (pbe_algid == NULL) {
-	    rv = SECFailure;
-	    break;
-	}
-	rv = NSS_CMSContentInfo_SetContentEncAlgID(poolp, &(encd->contentInfo), pbe_algid, keysize);
-	SECOID_DestroyAlgorithmID (pbe_algid, PR_TRUE);
-	break;
-    }
-    if (rv != SECSuccess)
-	goto loser;
-
-    PORT_ArenaUnmark(poolp, mark);
-    return encd;
-
-loser:
-    PORT_ArenaRelease(poolp, mark);
-    return NULL;
-}
-
-/*
- * NSS_CMSEncryptedData_Destroy - destroy an encryptedData object
- */
-void
-NSS_CMSEncryptedData_Destroy(NSSCMSEncryptedData *encd)
-{
-    /* everything's in a pool, so don't worry about the storage */
-    NSS_CMSContentInfo_Destroy(&(encd->contentInfo));
-    return;
-}
-
-/*
- * NSS_CMSEncryptedData_GetContentInfo - return pointer to encryptedData object's contentInfo
- */
-NSSCMSContentInfo *
-NSS_CMSEncryptedData_GetContentInfo(NSSCMSEncryptedData *encd)
-{
-    return &(encd->contentInfo);
-}
-
-/*
- * NSS_CMSEncryptedData_Encode_BeforeStart - do all the necessary things to a EncryptedData
- *     before encoding begins.
- *
- * In particular:
- *  - set the correct version value.
- *  - get the encryption key
- */
-SECStatus
-NSS_CMSEncryptedData_Encode_BeforeStart(NSSCMSEncryptedData *encd)
-{
-    int version;
-    PK11SymKey *bulkkey = NULL;
-    SECItem *dummy;
-    NSSCMSContentInfo *cinfo = &(encd->contentInfo);
-
-    if (NSS_CMSArray_IsEmpty((void **)encd->unprotectedAttr))
-	version = NSS_CMS_ENCRYPTED_DATA_VERSION;
-    else
-	version = NSS_CMS_ENCRYPTED_DATA_VERSION_UPATTR;
-    
-    dummy = SEC_ASN1EncodeInteger (encd->cmsg->poolp, &(encd->version), version);
-    if (dummy == NULL)
-	return SECFailure;
-
-    /* now get content encryption key (bulk key) by using our cmsg callback */
-    if (encd->cmsg->decrypt_key_cb)
-	bulkkey = (*encd->cmsg->decrypt_key_cb)(encd->cmsg->decrypt_key_cb_arg, 
-		    NSS_CMSContentInfo_GetContentEncAlg(cinfo));
-    if (bulkkey == NULL)
-	return SECFailure;
-
-    /* store the bulk key in the contentInfo so that the encoder can find it */
-    NSS_CMSContentInfo_SetBulkKey(cinfo, bulkkey);
-    PK11_FreeSymKey (bulkkey);
-
-    return SECSuccess;
-}
-
-/*
- * NSS_CMSEncryptedData_Encode_BeforeData - set up encryption
- */
-SECStatus
-NSS_CMSEncryptedData_Encode_BeforeData(NSSCMSEncryptedData *encd)
-{
-    NSSCMSContentInfo *cinfo;
-    PK11SymKey *bulkkey;
-    SECAlgorithmID *algid;
-
-    cinfo = &(encd->contentInfo);
-
-    /* find bulkkey and algorithm - must have been set by NSS_CMSEncryptedData_Encode_BeforeStart */
-    bulkkey = NSS_CMSContentInfo_GetBulkKey(cinfo);
-    if (bulkkey == NULL)
-	return SECFailure;
-    algid = NSS_CMSContentInfo_GetContentEncAlg(cinfo);
-    if (algid == NULL)
-	return SECFailure;
-
-    /* this may modify algid (with IVs generated in a token).
-     * it is therefore essential that algid is a pointer to the "real" contentEncAlg,
-     * not just to a copy */
-    cinfo->ciphcx = NSS_CMSCipherContext_StartEncrypt(encd->cmsg->poolp, bulkkey, algid);
-    PK11_FreeSymKey(bulkkey);
-    if (cinfo->ciphcx == NULL)
-	return SECFailure;
-
-    return SECSuccess;
-}
-
-/*
- * NSS_CMSEncryptedData_Encode_AfterData - finalize this encryptedData for encoding
- */
-SECStatus
-NSS_CMSEncryptedData_Encode_AfterData(NSSCMSEncryptedData *encd)
-{
-    if (encd->contentInfo.ciphcx) {
-	NSS_CMSCipherContext_Destroy(encd->contentInfo.ciphcx);
-	encd->contentInfo.ciphcx = NULL;
-    }
-
-    /* nothing to do after data */
-    return SECSuccess;
-}
-
-
-/*
- * NSS_CMSEncryptedData_Decode_BeforeData - find bulk key & set up decryption
- */
-SECStatus
-NSS_CMSEncryptedData_Decode_BeforeData(NSSCMSEncryptedData *encd)
-{
-    PK11SymKey *bulkkey = NULL;
-    NSSCMSContentInfo *cinfo;
-    SECAlgorithmID *bulkalg;
-    SECStatus rv = SECFailure;
-
-    cinfo = &(encd->contentInfo);
-
-    bulkalg = NSS_CMSContentInfo_GetContentEncAlg(cinfo);
-
-    if (encd->cmsg->decrypt_key_cb == NULL)	/* no callback? no key../ */
-	goto loser;
-
-    bulkkey = (*encd->cmsg->decrypt_key_cb)(encd->cmsg->decrypt_key_cb_arg, bulkalg);
-    if (bulkkey == NULL)
-	/* no success finding a bulk key */
-	goto loser;
-
-    NSS_CMSContentInfo_SetBulkKey(cinfo, bulkkey);
-
-    cinfo->ciphcx = NSS_CMSCipherContext_StartDecrypt(bulkkey, bulkalg);
-    if (cinfo->ciphcx == NULL)
-	goto loser;		/* error has been set by NSS_CMSCipherContext_StartDecrypt */
-
-
-    /* we are done with (this) bulkkey now. */
-    PK11_FreeSymKey(bulkkey);
-
-    rv = SECSuccess;
-
-loser:
-    return rv;
-}
-
-/*
- * NSS_CMSEncryptedData_Decode_AfterData - finish decrypting this encryptedData's content
- */
-SECStatus
-NSS_CMSEncryptedData_Decode_AfterData(NSSCMSEncryptedData *encd)
-{
-    if (encd->contentInfo.ciphcx) {
-	NSS_CMSCipherContext_Destroy(encd->contentInfo.ciphcx);
-	encd->contentInfo.ciphcx = NULL;
-    }
-
-    return SECSuccess;
-}
-
-/*
- * NSS_CMSEncryptedData_Decode_AfterEnd - finish decoding this encryptedData
- */
-SECStatus
-NSS_CMSEncryptedData_Decode_AfterEnd(NSSCMSEncryptedData *encd)
-{
-    /* apply final touches */
-    return SECSuccess;
-}
diff --git a/security/nss/lib/smime/cmsencode.c b/security/nss/lib/smime/cmsencode.c
deleted file mode 100644
index 34e097cf2..000000000
--- a/security/nss/lib/smime/cmsencode.c
+++ /dev/null
@@ -1,745 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * CMS encoding.
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "cert.h"
-#include "key.h"
-#include "secasn1.h"
-#include "secoid.h"
-#include "secitem.h"
-#include "pk11func.h"
-#include "secerr.h"
-
-struct nss_cms_encoder_output {
-    NSSCMSContentCallback outputfn;
-    void *outputarg;
-    PLArenaPool *destpoolp;
-    SECItem *dest;
-};
-
-struct NSSCMSEncoderContextStr {
-    SEC_ASN1EncoderContext *	ecx;		/* ASN.1 encoder context */
-    PRBool			ecxupdated;	/* true if data was handed in */
-    NSSCMSMessage *		cmsg;		/* pointer to the root message */
-    SECOidTag			type;		/* type tag of the current content */
-    NSSCMSContent		content;	/* pointer to current content */
-    struct nss_cms_encoder_output output;	/* output function */
-    int				error;		/* error code */
-    NSSCMSEncoderContext *	childp7ecx;	/* link to child encoder context */
-};
-
-static SECStatus nss_cms_before_data(NSSCMSEncoderContext *p7ecx);
-static SECStatus nss_cms_after_data(NSSCMSEncoderContext *p7ecx);
-static SECStatus nss_cms_encoder_update(NSSCMSEncoderContext *p7ecx, const char *data, unsigned long len);
-static SECStatus nss_cms_encoder_work_data(NSSCMSEncoderContext *p7ecx, SECItem *dest,
-			     const unsigned char *data, unsigned long len,
-			     PRBool final, PRBool innermost);
-
-extern const SEC_ASN1Template NSSCMSMessageTemplate[];
-
-/*
- * The little output function that the ASN.1 encoder calls to hand
- * us bytes which we in turn hand back to our caller (via the callback
- * they gave us).
- */
-static void
-nss_cms_encoder_out(void *arg, const char *buf, unsigned long len,
-		      int depth, SEC_ASN1EncodingPart data_kind)
-{
-    struct nss_cms_encoder_output *output = (struct nss_cms_encoder_output *)arg;
-    unsigned char *dest;
-    unsigned long offset;
-
-#ifdef CMSDEBUG
-    int i;
-
-    fprintf(stderr, "kind = %d, depth = %d, len = %d\n", data_kind, depth, len);
-    for (i=0; i < len; i++) {
-	fprintf(stderr, " %02x%s", (unsigned int)buf[i] & 0xff, ((i % 16) == 15) ? "\n" : "");
-    }
-    if ((i % 16) != 0)
-	fprintf(stderr, "\n");
-#endif
-
-    if (output->outputfn != NULL)
-	/* call output callback with DER data */
-	output->outputfn(output->outputarg, buf, len);
-
-    if (output->dest != NULL) {
-	/* store DER data in SECItem */
-	offset = output->dest->len;
-	if (offset == 0) {
-	    dest = (unsigned char *)PORT_ArenaAlloc(output->destpoolp, len);
-	} else {
-	    dest = (unsigned char *)PORT_ArenaGrow(output->destpoolp, 
-				  output->dest->data,
-				  output->dest->len,
-				  output->dest->len + len);
-	}
-	if (dest == NULL)
-	    /* oops */
-	    return;
-
-	output->dest->data = dest;
-	output->dest->len += len;
-
-	/* copy it in */
-	PORT_Memcpy(output->dest->data + offset, buf, len);
-    }
-}
-
-/*
- * nss_cms_encoder_notify - ASN.1 encoder callback
- *
- * this function is called by the ASN.1 encoder before and after the encoding of
- * every object. here, it is used to keep track of data structures, set up
- * encryption and/or digesting and possibly set up child encoders.
- */
-static void
-nss_cms_encoder_notify(void *arg, PRBool before, void *dest, int depth)
-{
-    NSSCMSEncoderContext *p7ecx;
-    NSSCMSContentInfo *rootcinfo, *cinfo;
-    PRBool after = !before;
-    PLArenaPool *poolp;
-    SECOidTag childtype;
-    SECItem *item;
-
-    p7ecx = (NSSCMSEncoderContext *)arg;
-    PORT_Assert(p7ecx != NULL);
-
-    rootcinfo = &(p7ecx->cmsg->contentInfo);
-    poolp = p7ecx->cmsg->poolp;
-
-#ifdef CMSDEBUG
-    fprintf(stderr, "%6.6s, dest = 0x%08x, depth = %d\n", before ? "before" : "after", dest, depth);
-#endif
-
-    /*
-     * Watch for the content field, at which point we want to instruct
-     * the ASN.1 encoder to start taking bytes from the buffer.
-     */
-    switch (p7ecx->type) {
-    default:
-    case SEC_OID_UNKNOWN:
-	/* we're still in the root message */
-	if (after && dest == &(rootcinfo->contentType)) {
-	    /* got the content type OID now - so find out the type tag */
-	    p7ecx->type = NSS_CMSContentInfo_GetContentTypeTag(rootcinfo);
-	    /* set up a pointer to our current content */
-	    p7ecx->content = rootcinfo->content;
-	}
-	break;
-
-    case SEC_OID_PKCS7_DATA:
-	if (before && dest == &(rootcinfo->rawContent)) {
-	    /* just set up encoder to grab from user - no encryption or digesting */
-	    if ((item = rootcinfo->content.data) != NULL)
-		(void)nss_cms_encoder_work_data(p7ecx, NULL, item->data, item->len, PR_TRUE, PR_TRUE);
-	    else
-		SEC_ASN1EncoderSetTakeFromBuf(p7ecx->ecx);
-	    SEC_ASN1EncoderClearNotifyProc(p7ecx->ecx);	/* no need to get notified anymore */
-	}
-	break;
-
-    case SEC_OID_PKCS7_SIGNED_DATA:
-    case SEC_OID_PKCS7_ENVELOPED_DATA:
-    case SEC_OID_PKCS7_DIGESTED_DATA:
-    case SEC_OID_PKCS7_ENCRYPTED_DATA:
-
-	/* when we know what the content is, we encode happily until we reach the inner content */
-	cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);
-	childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
-
-	if (after && dest == &(cinfo->contentType)) {
-	    /* we're right before encoding the data (if we have some or not) */
-	    /* (for encrypted data, we're right before the contentEncAlg which may change */
-	    /*  in nss_cms_before_data because of IV calculation when setting up encryption) */
-	    if (nss_cms_before_data(p7ecx) != SECSuccess)
-		p7ecx->error = PORT_GetError();
-	}
-	if (before && dest == &(cinfo->rawContent)) {
-	    if (childtype == SEC_OID_PKCS7_DATA && (item = cinfo->content.data) != NULL)
-		/* we have data - feed it in */
-		(void)nss_cms_encoder_work_data(p7ecx, NULL, item->data, item->len, PR_TRUE, PR_TRUE);
-	    else
-		/* else try to get it from user */
-		SEC_ASN1EncoderSetTakeFromBuf(p7ecx->ecx);
-	}
-	if (after && dest == &(cinfo->rawContent)) {
-	    if (nss_cms_after_data(p7ecx) != SECSuccess)
-		p7ecx->error = PORT_GetError();
-	    SEC_ASN1EncoderClearNotifyProc(p7ecx->ecx);	/* no need to get notified anymore */
-	}
-	break;
-    }
-}
-
-/*
- * nss_cms_before_data - setup the current encoder to receive data
- */
-static SECStatus
-nss_cms_before_data(NSSCMSEncoderContext *p7ecx)
-{
-    SECStatus rv;
-    SECOidTag childtype;
-    NSSCMSContentInfo *cinfo;
-    PLArenaPool *poolp;
-    NSSCMSEncoderContext *childp7ecx;
-    const SEC_ASN1Template *template;
-
-    poolp = p7ecx->cmsg->poolp;
-
-    /* call _Encode_BeforeData handlers */
-    switch (p7ecx->type) {
-    case SEC_OID_PKCS7_SIGNED_DATA:
-	/* we're encoding a signedData, so set up the digests */
-	rv = NSS_CMSSignedData_Encode_BeforeData(p7ecx->content.signedData);
-	break;
-    case SEC_OID_PKCS7_DIGESTED_DATA:
-	/* we're encoding a digestedData, so set up the digest */
-	rv = NSS_CMSDigestedData_Encode_BeforeData(p7ecx->content.digestedData);
-	break;
-    case SEC_OID_PKCS7_ENVELOPED_DATA:
-	rv = NSS_CMSEnvelopedData_Encode_BeforeData(p7ecx->content.envelopedData);
-	break;
-    case SEC_OID_PKCS7_ENCRYPTED_DATA:
-	rv = NSS_CMSEncryptedData_Encode_BeforeData(p7ecx->content.encryptedData);
-	break;
-    default:
-	rv = SECFailure;
-    }
-    if (rv != SECSuccess)
-	return SECFailure;
-
-    /* ok, now we have a pointer to cinfo */
-    /* find out what kind of data is encapsulated */
-    
-    cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);
-    childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
-
-    switch (childtype) {
-    case SEC_OID_PKCS7_SIGNED_DATA:
-    case SEC_OID_PKCS7_ENVELOPED_DATA:
-    case SEC_OID_PKCS7_ENCRYPTED_DATA:
-    case SEC_OID_PKCS7_DIGESTED_DATA:
-#if 0
-    case SEC_OID_PKCS7_DATA:		/* XXX here also??? maybe yes! */
-#endif
-	/* in these cases, we need to set up a child encoder! */
-	/* create new encoder context */
-	childp7ecx = PORT_ZAlloc(sizeof(NSSCMSEncoderContext));
-	if (childp7ecx == NULL)
-	    return SECFailure;
-
-	/* the CHILD encoder needs to hand its encoded data to the CURRENT encoder
-	 * (which will encrypt and/or digest it)
-	 * this needs to route back into our update function
-	 * which finds the lowest encoding context & encrypts and computes digests */
-	childp7ecx->type = childtype;
-	childp7ecx->content = cinfo->content;
-	/* use the non-recursive update function here, of course */
-	childp7ecx->output.outputfn = (NSSCMSContentCallback)nss_cms_encoder_update;
-	childp7ecx->output.outputarg = p7ecx;
-	childp7ecx->output.destpoolp = NULL;
-	childp7ecx->output.dest = NULL;
-	childp7ecx->cmsg = p7ecx->cmsg;
-
-	template = NSS_CMSUtil_GetTemplateByTypeTag(childtype);
-	if (template == NULL)
-	    goto loser;		/* cannot happen */
-
-	/* now initialize the data for encoding the first third */
-	switch (childp7ecx->type) {
-	case SEC_OID_PKCS7_SIGNED_DATA:
-	    rv = NSS_CMSSignedData_Encode_BeforeStart(cinfo->content.signedData);
-	    break;
-	case SEC_OID_PKCS7_ENVELOPED_DATA:
-	    rv = NSS_CMSEnvelopedData_Encode_BeforeStart(cinfo->content.envelopedData);
-	    break;
-	case SEC_OID_PKCS7_DIGESTED_DATA:
-	    rv = NSS_CMSDigestedData_Encode_BeforeStart(cinfo->content.digestedData);
-	    break;
-	case SEC_OID_PKCS7_ENCRYPTED_DATA:
-	    rv = NSS_CMSEncryptedData_Encode_BeforeStart(cinfo->content.encryptedData);
-	    break;
-	case SEC_OID_PKCS7_DATA:
-	    rv = SECSuccess;
-	    break;
-	default:
-	    PORT_Assert(0);
-	    break;
-	}
-	if (rv != SECSuccess)
-	    goto loser;
-
-	/*
-	 * Initialize the BER encoder.
-	 */
-	childp7ecx->ecx = SEC_ASN1EncoderStart(cinfo->content.pointer, template,
-					   nss_cms_encoder_out, &(childp7ecx->output));
-	if (childp7ecx->ecx == NULL)
-	    goto loser;
-
-	childp7ecx->ecxupdated = PR_FALSE;
-
-	/*
-	 * Indicate that we are streaming.  We will be streaming until we
-	 * get past the contents bytes.
-	 */
-	SEC_ASN1EncoderSetStreaming(childp7ecx->ecx);
-
-	/*
-	 * The notify function will watch for the contents field.
-	 */
-	SEC_ASN1EncoderSetNotifyProc(childp7ecx->ecx, nss_cms_encoder_notify, childp7ecx);
-
-	/* please note that we are NOT calling SEC_ASN1EncoderUpdate here to kick off the */
-	/* encoding process - we'll do that from the update function instead */
-	/* otherwise we'd be encoding data from a call of the notify function of the */
-	/* parent encoder (which would not work) */
-
-	/* this will kick off the encoding process & encode everything up to the content bytes,
-	 * at which point the notify function sets streaming mode (and possibly creates
-	 * another child encoder). */
-	if (SEC_ASN1EncoderUpdate(childp7ecx->ecx, NULL, 0) != SECSuccess)
-	    goto loser;
-
-	p7ecx->childp7ecx = childp7ecx;
-	break;
-
-    case SEC_OID_PKCS7_DATA:
-	p7ecx->childp7ecx = NULL;
-	break;
-    default:
-	/* we do not know this type */
-	p7ecx->error = SEC_ERROR_BAD_DER;
-	break;
-    }
-
-    return SECSuccess;
-
-loser:
-    if (childp7ecx) {
-	if (childp7ecx->ecx)
-	    SEC_ASN1EncoderFinish(childp7ecx->ecx);
-	PORT_Free(childp7ecx);
-    }
-    return SECFailure;
-}
-
-static SECStatus
-nss_cms_after_data(NSSCMSEncoderContext *p7ecx)
-{
-    SECStatus rv = SECFailure;
-
-    switch (p7ecx->type) {
-    case SEC_OID_PKCS7_SIGNED_DATA:
-	/* this will finish the digests and sign */
-	rv = NSS_CMSSignedData_Encode_AfterData(p7ecx->content.signedData);
-	break;
-    case SEC_OID_PKCS7_ENVELOPED_DATA:
-	rv = NSS_CMSEnvelopedData_Encode_AfterData(p7ecx->content.envelopedData);
-	break;
-    case SEC_OID_PKCS7_DIGESTED_DATA:
-	rv = NSS_CMSDigestedData_Encode_AfterData(p7ecx->content.digestedData);
-	break;
-    case SEC_OID_PKCS7_ENCRYPTED_DATA:
-	rv = NSS_CMSEncryptedData_Encode_AfterData(p7ecx->content.encryptedData);
-	break;
-    case SEC_OID_PKCS7_DATA:
-	/* do nothing */
-	break;
-    default:
-	rv = SECFailure;
-	break;
-    }
-    return rv;
-}
-
-/*
- * nss_cms_encoder_work_data - process incoming data
- *
- * (from the user or the next encoding layer)
- * Here, we need to digest and/or encrypt, then pass it on
- */
-static SECStatus
-nss_cms_encoder_work_data(NSSCMSEncoderContext *p7ecx, SECItem *dest,
-			     const unsigned char *data, unsigned long len,
-			     PRBool final, PRBool innermost)
-{
-    unsigned char *buf = NULL;
-    SECStatus rv;
-    NSSCMSContentInfo *cinfo;
-
-    rv = SECSuccess;		/* may as well be optimistic */
-
-    /*
-     * We should really have data to process, or we should be trying
-     * to finish/flush the last block.  (This is an overly paranoid
-     * check since all callers are in this file and simple inspection
-     * proves they do it right.  But it could find a bug in future
-     * modifications/development, that is why it is here.)
-     */
-    PORT_Assert ((data != NULL && len) || final);
-
-    /* we got data (either from the caller, or from a lower level encoder) */
-    cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);
-
-    /* Update the running digest. */
-    if (len && cinfo->digcx != NULL)
-	NSS_CMSDigestContext_Update(cinfo->digcx, data, len);
-
-    /* Encrypt this chunk. */
-    if (cinfo->ciphcx != NULL) {
-	unsigned int inlen;	/* length of data being encrypted */
-	unsigned int outlen;	/* length of encrypted data */
-	unsigned int buflen;	/* length available for encrypted data */
-
-	inlen = len;
-	buflen = NSS_CMSCipherContext_EncryptLength(cinfo->ciphcx, inlen, final);
-	if (buflen == 0) {
-	    /*
-	     * No output is expected, but the input data may be buffered
-	     * so we still have to call Encrypt.
-	     */
-	    rv = NSS_CMSCipherContext_Encrypt(cinfo->ciphcx, NULL, NULL, 0,
-				   data, inlen, final);
-	    if (final) {
-		len = 0;
-		goto done;
-	    }
-	    return rv;
-	}
-
-	if (dest != NULL)
-	    buf = (unsigned char*)PORT_ArenaAlloc(p7ecx->cmsg->poolp, buflen);
-	else
-	    buf = (unsigned char*)PORT_Alloc(buflen);
-
-	if (buf == NULL) {
-	    rv = SECFailure;
-	} else {
-	    rv = NSS_CMSCipherContext_Encrypt(cinfo->ciphcx, buf, &outlen, buflen,
-				   data, inlen, final);
-	    data = buf;
-	    len = outlen;
-	}
-	if (rv != SECSuccess)
-	    /* encryption or malloc failed? */
-	    return rv;
-    }
-
-
-    /*
-     * at this point (data,len) has everything we'd like to give to the CURRENT encoder
-     * (which will encode it, then hand it back to the user or the parent encoder)
-     * We don't encode the data if we're innermost and we're told not to include the data
-     */
-    if (p7ecx->ecx != NULL && len && (!innermost || cinfo->rawContent != NULL))
-	rv = SEC_ASN1EncoderUpdate(p7ecx->ecx, (const char *)data, len);
-
-done:
-
-    if (cinfo->ciphcx != NULL) {
-	if (dest != NULL) {
-	    dest->data = buf;
-	    dest->len = len;
-	} else if (buf != NULL) {
-	    PORT_Free (buf);
-	}
-    }
-    return rv;
-}
-
-/*
- * nss_cms_encoder_update - deliver encoded data to the next higher level
- *
- * no recursion here because we REALLY want to end up at the next higher encoder!
- */
-static SECStatus
-nss_cms_encoder_update(NSSCMSEncoderContext *p7ecx, const char *data, unsigned long len)
-{
-    /* XXX Error handling needs help.  Return what?  Do "Finish" on failure? */
-    return nss_cms_encoder_work_data (p7ecx, NULL, (const unsigned char *)data, len, PR_FALSE, PR_FALSE);
-}
-
-/*
- * NSS_CMSEncoder_Start - set up encoding of a CMS message
- *
- * "cmsg" - message to encode
- * "outputfn", "outputarg" - callback function for delivery of DER-encoded output
- *                           will not be called if NULL.
- * "dest" - if non-NULL, pointer to SECItem that will hold the DER-encoded output
- * "destpoolp" - pool to allocate DER-encoded output in
- * "pwfn", pwfn_arg" - callback function for getting token password
- * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData
- * "detached_digestalgs", "detached_digests" - digests from detached content
- */
-NSSCMSEncoderContext *
-NSS_CMSEncoder_Start(NSSCMSMessage *cmsg,
-			NSSCMSContentCallback outputfn, void *outputarg,
-			SECItem *dest, PLArenaPool *destpoolp,
-			PK11PasswordFunc pwfn, void *pwfn_arg,
-			NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg,
-			SECAlgorithmID **detached_digestalgs, SECItem **detached_digests)
-{
-    NSSCMSEncoderContext *p7ecx;
-    SECStatus rv;
-    NSSCMSContentInfo *cinfo;
-
-    NSS_CMSMessage_SetEncodingParams(cmsg, pwfn, pwfn_arg, decrypt_key_cb, decrypt_key_cb_arg,
-					detached_digestalgs, detached_digests);
-
-    p7ecx = (NSSCMSEncoderContext *)PORT_ZAlloc(sizeof(NSSCMSEncoderContext));
-    if (p7ecx == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    p7ecx->cmsg = cmsg;
-    p7ecx->output.outputfn = outputfn;
-    p7ecx->output.outputarg = outputarg;
-    p7ecx->output.dest = dest;
-    p7ecx->output.destpoolp = destpoolp;
-    p7ecx->type = SEC_OID_UNKNOWN;
-
-    cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
-
-    switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) {
-    case SEC_OID_PKCS7_SIGNED_DATA:
-	rv = NSS_CMSSignedData_Encode_BeforeStart(cinfo->content.signedData);
-	break;
-    case SEC_OID_PKCS7_ENVELOPED_DATA:
-	rv = NSS_CMSEnvelopedData_Encode_BeforeStart(cinfo->content.envelopedData);
-	break;
-    case SEC_OID_PKCS7_DIGESTED_DATA:
-	rv = NSS_CMSDigestedData_Encode_BeforeStart(cinfo->content.digestedData);
-	break;
-    case SEC_OID_PKCS7_ENCRYPTED_DATA:
-	rv = NSS_CMSEncryptedData_Encode_BeforeStart(cinfo->content.encryptedData);
-	break;
-    default:
-	rv = SECFailure;
-	break;
-    }
-    if (rv != SECSuccess)
-	return NULL;
-
-    /* Initialize the BER encoder.
-     * Note that this will not encode anything until the first call to SEC_ASN1EncoderUpdate */
-    p7ecx->ecx = SEC_ASN1EncoderStart(cmsg, NSSCMSMessageTemplate,
-				       nss_cms_encoder_out, &(p7ecx->output));
-    if (p7ecx->ecx == NULL) {
-	PORT_Free (p7ecx);
-	return NULL;
-    }
-    p7ecx->ecxupdated = PR_FALSE;
-
-    /*
-     * Indicate that we are streaming.  We will be streaming until we
-     * get past the contents bytes.
-     */
-    SEC_ASN1EncoderSetStreaming(p7ecx->ecx);
-
-    /*
-     * The notify function will watch for the contents field.
-     */
-    SEC_ASN1EncoderSetNotifyProc(p7ecx->ecx, nss_cms_encoder_notify, p7ecx);
-
-    /* this will kick off the encoding process & encode everything up to the content bytes,
-     * at which point the notify function sets streaming mode (and possibly creates
-     * a child encoder). */
-    if (SEC_ASN1EncoderUpdate(p7ecx->ecx, NULL, 0) != SECSuccess) {
-	PORT_Free (p7ecx);
-	return NULL;
-    }
-
-    return p7ecx;
-}
-
-/*
- * NSS_CMSEncoder_Update - take content data delivery from the user
- *
- * "p7ecx" - encoder context
- * "data" - content data
- * "len" - length of content data
- *
- * need to find the lowest level (and call SEC_ASN1EncoderUpdate on the way down),
- * then hand the data to the work_data fn
- */
-SECStatus
-NSS_CMSEncoder_Update(NSSCMSEncoderContext *p7ecx, const char *data, unsigned long len)
-{
-    SECStatus rv;
-    NSSCMSContentInfo *cinfo;
-    SECOidTag childtype;
-
-    if (p7ecx->error)
-	return SECFailure;
-
-    /* hand data to the innermost decoder */
-    if (p7ecx->childp7ecx) {
-	/* recursion here */
-	rv = NSS_CMSEncoder_Update(p7ecx->childp7ecx, data, len);
-    } else {
-	/* we are at innermost decoder */
-	/* find out about our inner content type - must be data */
-	cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);
-	childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
-	if (childtype != SEC_OID_PKCS7_DATA)
-	    return SECFailure;
-	/* and we must not have preset data */
-	if (cinfo->content.data != NULL)
-	    return SECFailure;
-
-	/*  hand it the data so it can encode it (let DER trickle up the chain) */
-	rv = nss_cms_encoder_work_data(p7ecx, NULL, (const unsigned char *)data, len, PR_FALSE, PR_TRUE);
-    }
-    return rv;
-}
-
-/*
- * NSS_CMSEncoder_Cancel - stop all encoding
- *
- * we need to walk down the chain of encoders and the finish them from the innermost out
- */
-SECStatus
-NSS_CMSEncoder_Cancel(NSSCMSEncoderContext *p7ecx)
-{
-    SECStatus rv = SECFailure;
-
-    /* XXX do this right! */
-
-    /*
-     * Finish any inner decoders before us so that all the encoded data is flushed
-     * This basically finishes all the decoders from the innermost to the outermost.
-     * Finishing an inner decoder may result in data being updated to the outer decoder
-     * while we are already in NSS_CMSEncoder_Finish, but that's allright.
-     */
-    if (p7ecx->childp7ecx) {
-	rv = NSS_CMSEncoder_Cancel(p7ecx->childp7ecx); /* frees p7ecx->childp7ecx */
-	/* remember rv for now */
-    }
-
-    /*
-     * On the way back up, there will be no more data (if we had an
-     * inner encoder, it is done now!)
-     * Flush out any remaining data and/or finish digests.
-     */
-    rv = nss_cms_encoder_work_data(p7ecx, NULL, NULL, 0, PR_TRUE, (p7ecx->childp7ecx == NULL));
-    if (rv != SECSuccess)
-	goto loser;
-
-    p7ecx->childp7ecx = NULL;
-
-    /* kick the encoder back into working mode again.
-     * We turn off streaming stuff (which will cause the encoder to continue
-     * encoding happily, now that we have all the data (like digests) ready for it).
-     */
-    SEC_ASN1EncoderClearTakeFromBuf(p7ecx->ecx);
-    SEC_ASN1EncoderClearStreaming(p7ecx->ecx);
-
-    /* now that TakeFromBuf is off, this will kick this encoder to finish encoding */
-    rv = SEC_ASN1EncoderUpdate(p7ecx->ecx, NULL, 0);
-
-loser:
-    SEC_ASN1EncoderFinish(p7ecx->ecx);
-    PORT_Free (p7ecx);
-    return rv;
-}
-
-/*
- * NSS_CMSEncoder_Finish - signal the end of data
- *
- * we need to walk down the chain of encoders and the finish them from the innermost out
- */
-SECStatus
-NSS_CMSEncoder_Finish(NSSCMSEncoderContext *p7ecx)
-{
-    SECStatus rv = SECFailure;
-    NSSCMSContentInfo *cinfo;
-    SECOidTag childtype;
-
-    /*
-     * Finish any inner decoders before us so that all the encoded data is flushed
-     * This basically finishes all the decoders from the innermost to the outermost.
-     * Finishing an inner decoder may result in data being updated to the outer decoder
-     * while we are already in NSS_CMSEncoder_Finish, but that's allright.
-     */
-    if (p7ecx->childp7ecx) {
-	rv = NSS_CMSEncoder_Finish(p7ecx->childp7ecx); /* frees p7ecx->childp7ecx */
-	if (rv != SECSuccess)
-	    goto loser;
-    }
-
-    /*
-     * On the way back up, there will be no more data (if we had an
-     * inner encoder, it is done now!)
-     * Flush out any remaining data and/or finish digests.
-     */
-    rv = nss_cms_encoder_work_data(p7ecx, NULL, NULL, 0, PR_TRUE, (p7ecx->childp7ecx == NULL));
-    if (rv != SECSuccess)
-	goto loser;
-
-    p7ecx->childp7ecx = NULL;
-
-    /* find out about our inner content type - must be data */
-    cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);
-    childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
-    if (childtype == SEC_OID_PKCS7_DATA && cinfo->content.data == NULL) {
-	SEC_ASN1EncoderClearTakeFromBuf(p7ecx->ecx);
-	/* now that TakeFromBuf is off, this will kick this encoder to finish encoding */
-	rv = SEC_ASN1EncoderUpdate(p7ecx->ecx, NULL, 0);
-    }
-
-    SEC_ASN1EncoderClearStreaming(p7ecx->ecx);
-
-    if (p7ecx->error)
-	rv = SECFailure;
-
-loser:
-    SEC_ASN1EncoderFinish(p7ecx->ecx);
-    PORT_Free (p7ecx);
-    return rv;
-}
diff --git a/security/nss/lib/smime/cmsenvdata.c b/security/nss/lib/smime/cmsenvdata.c
deleted file mode 100644
index c575a995e..000000000
--- a/security/nss/lib/smime/cmsenvdata.c
+++ /dev/null
@@ -1,421 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * CMS envelopedData methods.
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "cert.h"
-#include "key.h"
-#include "secasn1.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "secerr.h"
-#include "secpkcs5.h"
-
-/*
- * NSS_CMSEnvelopedData_Create - create an enveloped data message
- */
-NSSCMSEnvelopedData *
-NSS_CMSEnvelopedData_Create(NSSCMSMessage *cmsg, SECOidTag algorithm, int keysize)
-{
-    void *mark;
-    NSSCMSEnvelopedData *envd;
-    PLArenaPool *poolp;
-    SECStatus rv;
-
-    poolp = cmsg->poolp;
-
-    mark = PORT_ArenaMark(poolp);
-
-    envd = (NSSCMSEnvelopedData *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSEnvelopedData));
-    if (envd == NULL)
-	goto loser;
-
-    envd->cmsg = cmsg;
-
-    /* version is set in NSS_CMSEnvelopedData_Encode_BeforeStart() */
-
-    rv = NSS_CMSContentInfo_SetContentEncAlg(poolp, &(envd->contentInfo), algorithm, NULL, keysize);
-    if (rv != SECSuccess)
-	goto loser;
-
-    PORT_ArenaUnmark(poolp, mark);
-    return envd;
-
-loser:
-    PORT_ArenaRelease(poolp, mark);
-    return NULL;
-}
-
-/*
- * NSS_CMSEnvelopedData_Destroy - destroy an enveloped data message
- */
-void
-NSS_CMSEnvelopedData_Destroy(NSSCMSEnvelopedData *edp)
-{
-    NSSCMSRecipientInfo **recipientinfos;
-    NSSCMSRecipientInfo *ri;
-
-    if (edp == NULL)
-	return;
-
-    recipientinfos = edp->recipientInfos;
-    if (recipientinfos == NULL)
-	return;
-
-    while ((ri = *recipientinfos++) != NULL)
-	NSS_CMSRecipientInfo_Destroy(ri);
-
-   NSS_CMSContentInfo_Destroy(&(edp->contentInfo));
-
-}
-
-/*
- * NSS_CMSEnvelopedData_GetContentInfo - return pointer to this envelopedData's contentinfo
- */
-NSSCMSContentInfo *
-NSS_CMSEnvelopedData_GetContentInfo(NSSCMSEnvelopedData *envd)
-{
-    return &(envd->contentInfo);
-}
-
-/*
- * NSS_CMSEnvelopedData_AddRecipient - add a recipientinfo to the enveloped data msg
- *
- * rip must be created on the same pool as edp - this is not enforced, though.
- */
-SECStatus
-NSS_CMSEnvelopedData_AddRecipient(NSSCMSEnvelopedData *edp, NSSCMSRecipientInfo *rip)
-{
-    void *mark;
-    SECStatus rv;
-
-    /* XXX compare pools, if not same, copy rip into edp's pool */
-
-    PR_ASSERT(edp != NULL);
-    PR_ASSERT(rip != NULL);
-
-    mark = PORT_ArenaMark(edp->cmsg->poolp);
-
-    rv = NSS_CMSArray_Add(edp->cmsg->poolp, (void ***)&(edp->recipientInfos), (void *)rip);
-    if (rv != SECSuccess) {
-	PORT_ArenaRelease(edp->cmsg->poolp, mark);
-	return SECFailure;
-    }
-
-    PORT_ArenaUnmark (edp->cmsg->poolp, mark);
-    return SECSuccess;
-}
-
-/*
- * NSS_CMSEnvelopedData_Encode_BeforeStart - prepare this envelopedData for encoding
- *
- * at this point, we need
- * - recipientinfos set up with recipient's certificates
- * - a content encryption algorithm (if none, 3DES will be used)
- *
- * this function will generate a random content encryption key (aka bulk key),
- * initialize the recipientinfos with certificate identification and wrap the bulk key
- * using the proper algorithm for every certificiate.
- * it will finally set the bulk algorithm and key so that the encode step can find it.
- */
-SECStatus
-NSS_CMSEnvelopedData_Encode_BeforeStart(NSSCMSEnvelopedData *envd)
-{
-    int version;
-    NSSCMSRecipientInfo **recipientinfos;
-    NSSCMSContentInfo *cinfo;
-    PK11SymKey *bulkkey = NULL;
-    SECOidTag bulkalgtag;
-    CK_MECHANISM_TYPE type;
-    PK11SlotInfo *slot;
-    SECStatus rv;
-    SECItem *dummy;
-    PLArenaPool *poolp;
-    extern const SEC_ASN1Template NSSCMSRecipientInfoTemplate[];
-    void *mark = NULL;
-    int i;
-
-    poolp = envd->cmsg->poolp;
-    cinfo = &(envd->contentInfo);
-
-    recipientinfos = envd->recipientInfos;
-    if (recipientinfos == NULL) {
-	PORT_SetError(SEC_ERROR_BAD_DATA);
-#if 0
-	PORT_SetErrorString("Cannot find recipientinfos to encode.");
-#endif
-	goto loser;
-    }
-
-    version = NSS_CMS_ENVELOPED_DATA_VERSION_REG;
-    if (envd->originatorInfo != NULL || envd->unprotectedAttr != NULL) {
-	version = NSS_CMS_ENVELOPED_DATA_VERSION_ADV;
-    } else {
-	for (i = 0; recipientinfos[i] != NULL; i++) {
-	    if (NSS_CMSRecipientInfo_GetVersion(recipientinfos[i]) != 0) {
-		version = NSS_CMS_ENVELOPED_DATA_VERSION_ADV;
-		break;
-	    }
-	}
-    }
-    dummy = SEC_ASN1EncodeInteger(poolp, &(envd->version), version);
-    if (dummy == NULL)
-	goto loser;
-
-    /* now we need to have a proper content encryption algorithm
-     * on the SMIME level, we would figure one out by looking at SMIME capabilities
-     * we cannot do that on our level, so if none is set already, we'll just go
-     * with one of the mandatory algorithms (3DES) */
-    if ((bulkalgtag = NSS_CMSContentInfo_GetContentEncAlgTag(cinfo)) == SEC_OID_UNKNOWN) {
-	rv = NSS_CMSContentInfo_SetContentEncAlg(poolp, cinfo, SEC_OID_DES_EDE3_CBC, NULL, 168);
-	if (rv != SECSuccess)
-	    goto loser;
-	bulkalgtag = SEC_OID_DES_EDE3_CBC;
-    } 
-
-    /* generate a random bulk key suitable for content encryption alg */
-    type = PK11_AlgtagToMechanism(bulkalgtag);
-    slot = PK11_GetBestSlot(type, envd->cmsg->pwfn_arg);
-    if (slot == NULL)
-	goto loser;	/* error has been set by PK11_GetBestSlot */
-
-    /* this is expensive... */
-    bulkkey = PK11_KeyGen(slot, type, NULL, NSS_CMSContentInfo_GetBulkKeySize(cinfo) / 8, envd->cmsg->pwfn_arg);
-    PK11_FreeSlot(slot);
-    if (bulkkey == NULL)
-	goto loser;	/* error has been set by PK11_KeyGen */
-
-    mark = PORT_ArenaMark(poolp);
-
-    /* Encrypt the bulk key with the public key of each recipient.  */
-    for (i = 0; recipientinfos[i] != NULL; i++) {
-	rv = NSS_CMSRecipientInfo_WrapBulkKey(recipientinfos[i], bulkkey, bulkalgtag);
-	if (rv != SECSuccess)
-	    goto loser;	/* error has been set by NSS_CMSRecipientInfo_EncryptBulkKey */
-	    		/* could be: alg not supported etc. */
-    }
-
-    /* the recipientinfos are all finished. now sort them by DER for SET OF encoding */
-    rv = NSS_CMSArray_SortByDER((void **)envd->recipientInfos, NSSCMSRecipientInfoTemplate, NULL);
-    if (rv != SECSuccess)
-	goto loser;	/* error has been set by NSS_CMSArray_SortByDER */
-
-    /* store the bulk key in the contentInfo so that the encoder can find it */
-    NSS_CMSContentInfo_SetBulkKey(cinfo, bulkkey);
-
-    PORT_ArenaUnmark(poolp, mark);
-
-    PK11_FreeSymKey(bulkkey);
-
-    return SECSuccess;
-
-loser:
-    if (mark != NULL)
-	PORT_ArenaRelease (poolp, mark);
-    if (bulkkey)
-	PK11_FreeSymKey(bulkkey);
-
-    return SECFailure;
-}
-
-/*
- * NSS_CMSEnvelopedData_Encode_BeforeData - set up encryption
- *
- * it is essential that this is called before the contentEncAlg is encoded, because
- * setting up the encryption may generate IVs and thus change it!
- */
-SECStatus
-NSS_CMSEnvelopedData_Encode_BeforeData(NSSCMSEnvelopedData *envd)
-{
-    NSSCMSContentInfo *cinfo;
-    PK11SymKey *bulkkey;
-    SECAlgorithmID *algid;
-
-    cinfo = &(envd->contentInfo);
-
-    /* find bulkkey and algorithm - must have been set by NSS_CMSEnvelopedData_Encode_BeforeStart */
-    bulkkey = NSS_CMSContentInfo_GetBulkKey(cinfo);
-    if (bulkkey == NULL)
-	return SECFailure;
-    algid = NSS_CMSContentInfo_GetContentEncAlg(cinfo);
-    if (algid == NULL)
-	return SECFailure;
-
-    /* this may modify algid (with IVs generated in a token).
-     * it is essential that algid is a pointer to the contentEncAlg data, not a
-     * pointer to a copy! */
-    cinfo->ciphcx = NSS_CMSCipherContext_StartEncrypt(envd->cmsg->poolp, bulkkey, algid);
-    PK11_FreeSymKey(bulkkey);
-    if (cinfo->ciphcx == NULL)
-	return SECFailure;
-
-    return SECSuccess;
-}
-
-/*
- * NSS_CMSEnvelopedData_Encode_AfterData - finalize this envelopedData for encoding
- */
-SECStatus
-NSS_CMSEnvelopedData_Encode_AfterData(NSSCMSEnvelopedData *envd)
-{
-    if (envd->contentInfo.ciphcx) {
-	NSS_CMSCipherContext_Destroy(envd->contentInfo.ciphcx);
-	envd->contentInfo.ciphcx = NULL;
-    }
-
-    /* nothing else to do after data */
-    return SECSuccess;
-}
-
-/*
- * NSS_CMSEnvelopedData_Decode_BeforeData - find our recipientinfo, 
- * derive bulk key & set up our contentinfo
- */
-SECStatus
-NSS_CMSEnvelopedData_Decode_BeforeData(NSSCMSEnvelopedData *envd)
-{
-    NSSCMSRecipientInfo *ri;
-    PK11SymKey *bulkkey = NULL;
-    SECOidTag bulkalgtag;
-    SECAlgorithmID *bulkalg;
-    SECStatus rv = SECFailure;
-    NSSCMSContentInfo *cinfo;
-    NSSCMSRecipient **recipient_list = NULL;
-    NSSCMSRecipient *recipient;
-    int rlIndex;
-
-    if (NSS_CMSArray_Count((void **)envd->recipientInfos) == 0) {
-	PORT_SetError(SEC_ERROR_BAD_DATA);
-#if 0
-	PORT_SetErrorString("No recipient data in envelope.");
-#endif
-	goto loser;
-    }
-
-    /* look if one of OUR cert's issuerSN is on the list of recipients, and if so,  */
-    /* get the cert and private key for it right away */
-    recipient_list = nss_cms_recipient_list_create(envd->recipientInfos);
-    if (recipient_list == NULL)
-	goto loser;
-
-    /* what about multiple recipientInfos that match?
-     * especially if, for some reason, we could not produce a bulk key with the first match?!
-     * we could loop & feed partial recipient_list to PK11_FindCertAndKeyByRecipientList...
-     * maybe later... */
-    rlIndex = PK11_FindCertAndKeyByRecipientListNew(recipient_list, envd->cmsg->pwfn_arg);
-
-    /* if that fails, then we're not an intended recipient and cannot decrypt */
-    if (rlIndex < 0) {
-	PORT_SetError(SEC_ERROR_NOT_A_RECIPIENT);
-#if 0
-	PORT_SetErrorString("Cannot decrypt data because proper key cannot be found.");
-#endif
-	goto loser;
-    }
-
-    recipient = recipient_list[rlIndex];
-    if (!recipient->cert || !recipient->privkey) {
-	/* XXX should set an error code ?!? */
-	goto loser;
-    }
-    /* get a pointer to "our" recipientinfo */
-    ri = envd->recipientInfos[recipient->riIndex];
-
-    cinfo = &(envd->contentInfo);
-    bulkalgtag = NSS_CMSContentInfo_GetContentEncAlgTag(cinfo);
-    if (bulkalgtag == SEC_OID_UNKNOWN) {
-	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-    } else 
-	bulkkey = 
-	    NSS_CMSRecipientInfo_UnwrapBulkKey(ri,recipient->subIndex,
-						    recipient->cert,
-						    recipient->privkey,
-						    bulkalgtag);
-    if (bulkkey == NULL) {
-	/* no success finding a bulk key */
-	goto loser;
-    }
-
-    NSS_CMSContentInfo_SetBulkKey(cinfo, bulkkey);
-
-    bulkalg = NSS_CMSContentInfo_GetContentEncAlg(cinfo);
-
-    cinfo->ciphcx = NSS_CMSCipherContext_StartDecrypt(bulkkey, bulkalg);
-    if (cinfo->ciphcx == NULL)
-	goto loser;		/* error has been set by NSS_CMSCipherContext_StartDecrypt */
-
-
-    rv = SECSuccess;
-
-loser:
-    if (bulkkey)
-	PK11_FreeSymKey(bulkkey);
-    if (recipient_list != NULL)
-	nss_cms_recipient_list_destroy(recipient_list);
-    return rv;
-}
-
-/*
- * NSS_CMSEnvelopedData_Decode_AfterData - finish decrypting this envelopedData's content
- */
-SECStatus
-NSS_CMSEnvelopedData_Decode_AfterData(NSSCMSEnvelopedData *envd)
-{
-    if (envd && envd->contentInfo.ciphcx) {
-	NSS_CMSCipherContext_Destroy(envd->contentInfo.ciphcx);
-	envd->contentInfo.ciphcx = NULL;
-    }
-
-    return SECSuccess;
-}
-
-/*
- * NSS_CMSEnvelopedData_Decode_AfterEnd - finish decoding this envelopedData
- */
-SECStatus
-NSS_CMSEnvelopedData_Decode_AfterEnd(NSSCMSEnvelopedData *envd)
-{
-    /* apply final touches */
-    return SECSuccess;
-}
-
diff --git a/security/nss/lib/smime/cmslocal.h b/security/nss/lib/smime/cmslocal.h
deleted file mode 100644
index 666eeb033..000000000
--- a/security/nss/lib/smime/cmslocal.h
+++ /dev/null
@@ -1,346 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Support routines for CMS implementation, none of which are exported.
- *
- * Do not export this file!  If something in here is really needed outside
- * of smime code, first try to add a CMS interface which will do it for
- * you.  If that has a problem, then just move out what you need, changing
- * its name as appropriate!
- *
- * $Id$
- */
-
-#ifndef _CMSLOCAL_H_
-#define _CMSLOCAL_H_
-
-#include "cms.h"
-#include "cmsreclist.h"
-#include "secasn1t.h"
-
-extern const SEC_ASN1Template NSSCMSContentInfoTemplate[];
-
-/************************************************************************/
-SEC_BEGIN_PROTOS
-
-/***********************************************************************
- * cmscipher.c - en/decryption routines
- ***********************************************************************/
-
-/*
- * NSS_CMSCipherContext_StartDecrypt - create a cipher context to do decryption
- * based on the given bulk * encryption key and algorithm identifier (which may include an iv).
- */
-extern NSSCMSCipherContext *
-NSS_CMSCipherContext_StartDecrypt(PK11SymKey *key, SECAlgorithmID *algid);
-
-/*
- * NSS_CMSCipherContext_StartEncrypt - create a cipher object to do encryption,
- * based on the given bulk encryption key and algorithm tag.  Fill in the algorithm
- * identifier (which may include an iv) appropriately.
- */
-extern NSSCMSCipherContext *
-NSS_CMSCipherContext_StartEncrypt(PRArenaPool *poolp, PK11SymKey *key, SECAlgorithmID *algid);
-
-extern void
-NSS_CMSCipherContext_Destroy(NSSCMSCipherContext *cc);
-
-/*
- * NSS_CMSCipherContext_DecryptLength - find the output length of the next call to decrypt.
- *
- * cc - the cipher context
- * input_len - number of bytes used as input
- * final - true if this is the final chunk of data
- *
- * Result can be used to perform memory allocations.  Note that the amount
- * is exactly accurate only when not doing a block cipher or when final
- * is false, otherwise it is an upper bound on the amount because until
- * we see the data we do not know how many padding bytes there are
- * (always between 1 and bsize).
- */
-extern unsigned int
-NSS_CMSCipherContext_DecryptLength(NSSCMSCipherContext *cc, unsigned int input_len, PRBool final);
-
-/*
- * NSS_CMSCipherContext_EncryptLength - find the output length of the next call to encrypt.
- *
- * cc - the cipher context
- * input_len - number of bytes used as input
- * final - true if this is the final chunk of data
- *
- * Result can be used to perform memory allocations.
- */
-extern unsigned int
-NSS_CMSCipherContext_EncryptLength(NSSCMSCipherContext *cc, unsigned int input_len, PRBool final);
-
-/*
- * NSS_CMSCipherContext_Decrypt - do the decryption
- *
- * cc - the cipher context
- * output - buffer for decrypted result bytes
- * output_len_p - number of bytes in output
- * max_output_len - upper bound on bytes to put into output
- * input - pointer to input bytes
- * input_len - number of input bytes
- * final - true if this is the final chunk of data
- *
- * Decrypts a given length of input buffer (starting at "input" and
- * containing "input_len" bytes), placing the decrypted bytes in
- * "output" and storing the output length in "*output_len_p".
- * "cc" is the return value from NSS_CMSCipher_StartDecrypt.
- * When "final" is true, this is the last of the data to be decrypted.
- */ 
-extern SECStatus
-NSS_CMSCipherContext_Decrypt(NSSCMSCipherContext *cc, unsigned char *output,
-		  unsigned int *output_len_p, unsigned int max_output_len,
-		  const unsigned char *input, unsigned int input_len,
-		  PRBool final);
-
-/*
- * NSS_CMSCipherContext_Encrypt - do the encryption
- *
- * cc - the cipher context
- * output - buffer for decrypted result bytes
- * output_len_p - number of bytes in output
- * max_output_len - upper bound on bytes to put into output
- * input - pointer to input bytes
- * input_len - number of input bytes
- * final - true if this is the final chunk of data
- *
- * Encrypts a given length of input buffer (starting at "input" and
- * containing "input_len" bytes), placing the encrypted bytes in
- * "output" and storing the output length in "*output_len_p".
- * "cc" is the return value from NSS_CMSCipher_StartEncrypt.
- * When "final" is true, this is the last of the data to be encrypted.
- */ 
-extern SECStatus
-NSS_CMSCipherContext_Encrypt(NSSCMSCipherContext *cc, unsigned char *output,
-		  unsigned int *output_len_p, unsigned int max_output_len,
-		  const unsigned char *input, unsigned int input_len,
-		  PRBool final);
-
-/************************************************************************
- * cmspubkey.c - public key operations
- ************************************************************************/
-
-/*
- * NSS_CMSUtil_EncryptSymKey_RSA - wrap a symmetric key with RSA
- *
- * this function takes a symmetric key and encrypts it using an RSA public key
- * according to PKCS#1 and RFC2633 (S/MIME)
- */
-extern SECStatus
-NSS_CMSUtil_EncryptSymKey_RSA(PLArenaPool *poolp, CERTCertificate *cert,
-                              PK11SymKey *key,
-                              SECItem *encKey);
-
-extern SECStatus
-NSS_CMSUtil_EncryptSymKey_RSAPubKey(PLArenaPool *poolp,
-                                    SECKEYPublicKey *publickey,
-                                    PK11SymKey *bulkkey, SECItem *encKey);
-
-/*
- * NSS_CMSUtil_DecryptSymKey_RSA - unwrap a RSA-wrapped symmetric key
- *
- * this function takes an RSA-wrapped symmetric key and unwraps it, returning a symmetric
- * key handle. Please note that the actual unwrapped key data may not be allowed to leave
- * a hardware token...
- */
-extern PK11SymKey *
-NSS_CMSUtil_DecryptSymKey_RSA(SECKEYPrivateKey *privkey, SECItem *encKey, SECOidTag bulkalgtag);
-
-extern SECStatus
-NSS_CMSUtil_EncryptSymKey_MISSI(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,
-			SECOidTag symalgtag, SECItem *encKey, SECItem **pparams, void *pwfn_arg);
-
-extern PK11SymKey *
-NSS_CMSUtil_DecryptSymKey_MISSI(SECKEYPrivateKey *privkey, SECItem *encKey,
-			SECAlgorithmID *keyEncAlg, SECOidTag bulkalgtag, void *pwfn_arg);
-
-extern SECStatus
-NSS_CMSUtil_EncryptSymKey_ESDH(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,
-			SECItem *encKey, SECItem **ukm, SECAlgorithmID *keyEncAlg,
-			SECItem *originatorPubKey);
-
-extern PK11SymKey *
-NSS_CMSUtil_DecryptSymKey_ESDH(SECKEYPrivateKey *privkey, SECItem *encKey,
-			SECAlgorithmID *keyEncAlg, SECOidTag bulkalgtag, void *pwfn_arg);
-
-/************************************************************************
- * cmsreclist.c - recipient list stuff
- ************************************************************************/
-extern NSSCMSRecipient **nss_cms_recipient_list_create(NSSCMSRecipientInfo **recipientinfos);
-extern void nss_cms_recipient_list_destroy(NSSCMSRecipient **recipient_list);
-extern NSSCMSRecipientEncryptedKey *NSS_CMSRecipientEncryptedKey_Create(PLArenaPool *poolp);
-
-/************************************************************************
- * cmsarray.c - misc array functions
- ************************************************************************/
-/*
- * NSS_CMSArray_Alloc - allocate an array in an arena
- */
-extern void **
-NSS_CMSArray_Alloc(PRArenaPool *poolp, int n);
-
-/*
- * NSS_CMSArray_Add - add an element to the end of an array
- */
-extern SECStatus
-NSS_CMSArray_Add(PRArenaPool *poolp, void ***array, void *obj);
-
-/*
- * NSS_CMSArray_IsEmpty - check if array is empty
- */
-extern PRBool
-NSS_CMSArray_IsEmpty(void **array);
-
-/*
- * NSS_CMSArray_Count - count number of elements in array
- */
-extern int
-NSS_CMSArray_Count(void **array);
-
-/*
- * NSS_CMSArray_Sort - sort an array ascending, in place
- *
- * If "secondary" is not NULL, the same reordering gets applied to it.
- * If "tertiary" is not NULL, the same reordering gets applied to it.
- * "compare" is a function that returns 
- *  < 0 when the first element is less than the second
- *  = 0 when the first element is equal to the second
- *  > 0 when the first element is greater than the second
- */
-extern void
-NSS_CMSArray_Sort(void **primary, int (*compare)(void *,void *), void **secondary, void **tertiary);
-
-/************************************************************************
- * cmsattr.c - misc attribute functions
- ************************************************************************/
-/*
- * NSS_CMSAttribute_Create - create an attribute
- *
- * if value is NULL, the attribute won't have a value. It can be added later
- * with NSS_CMSAttribute_AddValue.
- */
-extern NSSCMSAttribute *
-NSS_CMSAttribute_Create(PRArenaPool *poolp, SECOidTag oidtag, SECItem *value, PRBool encoded);
-
-/*
- * NSS_CMSAttribute_AddValue - add another value to an attribute
- */
-extern SECStatus
-NSS_CMSAttribute_AddValue(PLArenaPool *poolp, NSSCMSAttribute *attr, SECItem *value);
-
-/*
- * NSS_CMSAttribute_GetType - return the OID tag
- */
-extern SECOidTag
-NSS_CMSAttribute_GetType(NSSCMSAttribute *attr);
-
-/*
- * NSS_CMSAttribute_GetValue - return the first attribute value
- *
- * We do some sanity checking first:
- * - Multiple values are *not* expected.
- * - Empty values are *not* expected.
- */
-extern SECItem *
-NSS_CMSAttribute_GetValue(NSSCMSAttribute *attr);
-
-/*
- * NSS_CMSAttribute_CompareValue - compare the attribute's first value against data
- */
-extern PRBool
-NSS_CMSAttribute_CompareValue(NSSCMSAttribute *attr, SECItem *av);
-
-/*
- * NSS_CMSAttributeArray_Encode - encode an Attribute array as SET OF Attributes
- *
- * If you are wondering why this routine does not reorder the attributes
- * first, and might be tempted to make it do so, see the comment by the
- * call to ReorderAttributes in cmsencode.c.  (Or, see who else calls this
- * and think long and hard about the implications of making it always
- * do the reordering.)
- */
-extern SECItem *
-NSS_CMSAttributeArray_Encode(PRArenaPool *poolp, NSSCMSAttribute ***attrs, SECItem *dest);
-
-/*
- * NSS_CMSAttributeArray_Reorder - sort attribute array by attribute's DER encoding
- *
- * make sure that the order of the attributes guarantees valid DER (which must be
- * in lexigraphically ascending order for a SET OF); if reordering is necessary it
- * will be done in place (in attrs).
- */
-extern SECStatus
-NSS_CMSAttributeArray_Reorder(NSSCMSAttribute **attrs);
-
-/*
- * NSS_CMSAttributeArray_FindAttrByOidTag - look through a set of attributes and
- * find one that matches the specified object ID.
- *
- * If "only" is true, then make sure that there is not more than one attribute
- * of the same type.  Otherwise, just return the first one found. (XXX Does
- * anybody really want that first-found behavior?  It was like that when I found it...)
- */
-extern NSSCMSAttribute *
-NSS_CMSAttributeArray_FindAttrByOidTag(NSSCMSAttribute **attrs, SECOidTag oidtag, PRBool only);
-
-/*
- * NSS_CMSAttributeArray_AddAttr - add an attribute to an
- * array of attributes. 
- */
-extern SECStatus
-NSS_CMSAttributeArray_AddAttr(PLArenaPool *poolp, NSSCMSAttribute ***attrs, NSSCMSAttribute *attr);
-
-/*
- * NSS_CMSAttributeArray_SetAttr - set an attribute's value in a set of attributes
- */
-extern SECStatus
-NSS_CMSAttributeArray_SetAttr(PLArenaPool *poolp, NSSCMSAttribute ***attrs, SECOidTag type, SECItem *value, PRBool encoded);
-
-/*
- * NSS_CMSSignedData_AddTempCertificate - add temporary certificate references.
- * They may be needed for signature verification on the data, for example.
- */
-extern SECStatus
-NSS_CMSSignedData_AddTempCertificate(NSSCMSSignedData *sigd, CERTCertificate *cert);
-
-/************************************************************************/
-SEC_END_PROTOS
-
-#endif /* _CMSLOCAL_H_ */
diff --git a/security/nss/lib/smime/cmsmessage.c b/security/nss/lib/smime/cmsmessage.c
deleted file mode 100644
index 1b3d69c74..000000000
--- a/security/nss/lib/smime/cmsmessage.c
+++ /dev/null
@@ -1,321 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * CMS message methods.
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "cert.h"
-#include "secasn1.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "secerr.h"
-
-/*
- * NSS_CMSMessage_Create - create a CMS message object
- *
- * "poolp" - arena to allocate memory from, or NULL if new arena should be created
- */
-NSSCMSMessage *
-NSS_CMSMessage_Create(PLArenaPool *poolp)
-{
-    void *mark = NULL;
-    NSSCMSMessage *cmsg;
-    PRBool poolp_is_ours = PR_FALSE;
-
-    if (poolp == NULL) {
-	poolp = PORT_NewArena (1024);           /* XXX what is right value? */
-	if (poolp == NULL)
-	    return NULL;
-	poolp_is_ours = PR_TRUE;
-    } 
-
-    if (!poolp_is_ours)
-	mark = PORT_ArenaMark(poolp);
-
-    cmsg = (NSSCMSMessage *)PORT_ArenaZAlloc (poolp, sizeof(NSSCMSMessage));
-    if (cmsg == NULL) {
-	if (!poolp_is_ours) {
-	    if (mark) {
-		PORT_ArenaRelease(poolp, mark);
-	    }
-	} else
-	    PORT_FreeArena(poolp, PR_FALSE);
-	return NULL;
-    }
-
-    cmsg->poolp = poolp;
-    cmsg->poolp_is_ours = poolp_is_ours;
-    cmsg->refCount = 1;
-
-    if (mark)
-	PORT_ArenaUnmark(poolp, mark);
-
-    return cmsg;
-}
-
-/*
- * NSS_CMSMessage_SetEncodingParams - set up a CMS message object for encoding or decoding
- *
- * "cmsg" - message object
- * "pwfn", pwfn_arg" - callback function for getting token password
- * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData
- * "detached_digestalgs", "detached_digests" - digests from detached content
- */
-void
-NSS_CMSMessage_SetEncodingParams(NSSCMSMessage *cmsg,
-			PK11PasswordFunc pwfn, void *pwfn_arg,
-			NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg,
-			SECAlgorithmID **detached_digestalgs, SECItem **detached_digests)
-{
-    if (pwfn)
-	PK11_SetPasswordFunc(pwfn);
-    cmsg->pwfn_arg = pwfn_arg;
-    cmsg->decrypt_key_cb = decrypt_key_cb;
-    cmsg->decrypt_key_cb_arg = decrypt_key_cb_arg;
-    cmsg->detached_digestalgs = detached_digestalgs;
-    cmsg->detached_digests = detached_digests;
-}
-
-/*
- * NSS_CMSMessage_Destroy - destroy a CMS message and all of its sub-pieces.
- */
-void
-NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg)
-{
-    PORT_Assert (cmsg->refCount > 0);
-    if (cmsg->refCount <= 0)	/* oops */
-	return;
-
-    cmsg->refCount--;		/* thread safety? */
-    if (cmsg->refCount > 0)
-	return;
-
-    NSS_CMSContentInfo_Destroy(&(cmsg->contentInfo));
-
-    /* if poolp is not NULL, cmsg is the owner of its arena */
-    if (cmsg->poolp_is_ours)
-	PORT_FreeArena (cmsg->poolp, PR_FALSE);	/* XXX clear it? */
-}
-
-/*
- * NSS_CMSMessage_Copy - return a copy of the given message. 
- *
- * The copy may be virtual or may be real -- either way, the result needs
- * to be passed to NSS_CMSMessage_Destroy later (as does the original).
- */
-NSSCMSMessage *
-NSS_CMSMessage_Copy(NSSCMSMessage *cmsg)
-{
-    if (cmsg == NULL)
-	return NULL;
-
-    PORT_Assert (cmsg->refCount > 0);
-
-    cmsg->refCount++; /* XXX chrisk thread safety? */
-    return cmsg;
-}
-
-/*
- * NSS_CMSMessage_GetArena - return a pointer to the message's arena pool
- */
-PLArenaPool *
-NSS_CMSMessage_GetArena(NSSCMSMessage *cmsg)
-{
-    return cmsg->poolp;
-}
-
-/*
- * NSS_CMSMessage_GetContentInfo - return a pointer to the top level contentInfo
- */
-NSSCMSContentInfo *
-NSS_CMSMessage_GetContentInfo(NSSCMSMessage *cmsg)
-{
-    return &(cmsg->contentInfo);
-}
-
-/*
- * Return a pointer to the actual content. 
- * In the case of those types which are encrypted, this returns the *plain* content.
- * In case of nested contentInfos, this descends and retrieves the innermost content.
- */
-SECItem *
-NSS_CMSMessage_GetContent(NSSCMSMessage *cmsg)
-{
-    /* this is a shortcut */
-    NSSCMSContentInfo * cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
-    SECItem           * pItem = NSS_CMSContentInfo_GetInnerContent(cinfo);
-    return pItem;
-}
-
-/*
- * NSS_CMSMessage_ContentLevelCount - count number of levels of CMS content objects in this message
- *
- * CMS data content objects do not count.
- */
-int
-NSS_CMSMessage_ContentLevelCount(NSSCMSMessage *cmsg)
-{
-    int count = 0;
-    NSSCMSContentInfo *cinfo;
-
-    /* walk down the chain of contentinfos */
-    for (cinfo = &(cmsg->contentInfo); cinfo != NULL; ) {
-	count++;
-	cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo);
-    }
-    return count;
-}
-
-/*
- * NSS_CMSMessage_ContentLevel - find content level #n
- *
- * CMS data content objects do not count.
- */
-NSSCMSContentInfo *
-NSS_CMSMessage_ContentLevel(NSSCMSMessage *cmsg, int n)
-{
-    int count = 0;
-    NSSCMSContentInfo *cinfo;
-
-    /* walk down the chain of contentinfos */
-    for (cinfo = &(cmsg->contentInfo); cinfo != NULL && count < n; cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
-	count++;
-    }
-
-    return cinfo;
-}
-
-/*
- * NSS_CMSMessage_ContainsCertsOrCrls - see if message contains certs along the way
- */
-PRBool
-NSS_CMSMessage_ContainsCertsOrCrls(NSSCMSMessage *cmsg)
-{
-    NSSCMSContentInfo *cinfo;
-
-    /* descend into CMS message */
-    for (cinfo = &(cmsg->contentInfo); cinfo != NULL; cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
-	if (NSS_CMSContentInfo_GetContentTypeTag(cinfo) != SEC_OID_PKCS7_SIGNED_DATA)
-	    continue;	/* next level */
-	
-	if (NSS_CMSSignedData_ContainsCertsOrCrls(cinfo->content.signedData))
-	    return PR_TRUE;
-    }
-    return PR_FALSE;
-}
-
-/*
- * NSS_CMSMessage_IsEncrypted - see if message contains a encrypted submessage
- */
-PRBool
-NSS_CMSMessage_IsEncrypted(NSSCMSMessage *cmsg)
-{
-    NSSCMSContentInfo *cinfo;
-
-    /* walk down the chain of contentinfos */
-    for (cinfo = &(cmsg->contentInfo); cinfo != NULL; cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo))
-    {
-	switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) {
-	case SEC_OID_PKCS7_ENVELOPED_DATA:
-	case SEC_OID_PKCS7_ENCRYPTED_DATA:
-	    return PR_TRUE;
-	default:
-	    break;
-	}
-    }
-    return PR_FALSE;
-}
-
-/*
- * NSS_CMSMessage_IsSigned - see if message contains a signed submessage
- *
- * If the CMS message has a SignedData with a signature (not just a SignedData)
- * return true; false otherwise.  This can/should be called before calling
- * VerifySignature, which will always indicate failure if no signature is
- * present, but that does not mean there even was a signature!
- * Note that the content itself can be empty (detached content was sent
- * another way); it is the presence of the signature that matters.
- */
-PRBool
-NSS_CMSMessage_IsSigned(NSSCMSMessage *cmsg)
-{
-    NSSCMSContentInfo *cinfo;
-
-    /* walk down the chain of contentinfos */
-    for (cinfo = &(cmsg->contentInfo); cinfo != NULL; cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo))
-    {
-	switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) {
-	case SEC_OID_PKCS7_SIGNED_DATA:
-	    if (!NSS_CMSArray_IsEmpty((void **)cinfo->content.signedData->signerInfos))
-		return PR_TRUE;
-	    break;
-	default:
-	    break;
-	}
-    }
-    return PR_FALSE;
-}
-
-/*
- * NSS_CMSMessage_IsContentEmpty - see if content is empty
- *
- * returns PR_TRUE is innermost content length is < minLen
- * XXX need the encrypted content length (why?)
- */
-PRBool
-NSS_CMSMessage_IsContentEmpty(NSSCMSMessage *cmsg, unsigned int minLen)
-{
-    SECItem *item = NULL;
-
-    if (cmsg == NULL)
-	return PR_TRUE;
-
-    item = NSS_CMSContentInfo_GetContent(NSS_CMSMessage_GetContentInfo(cmsg));
-
-    if (!item) {
-	return PR_TRUE;
-    } else if(item->len <= minLen) {
-	return PR_TRUE;
-    }
-
-    return PR_FALSE;
-}
diff --git a/security/nss/lib/smime/cmspubkey.c b/security/nss/lib/smime/cmspubkey.c
deleted file mode 100644
index 144dd789d..000000000
--- a/security/nss/lib/smime/cmspubkey.c
+++ /dev/null
@@ -1,565 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * CMS public key crypto
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "cert.h"
-#include "key.h"
-#include "secasn1.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "secerr.h"
-
-/* ====== RSA ======================================================================= */
-
-/*
- * NSS_CMSUtil_EncryptSymKey_RSA - wrap a symmetric key with RSA
- *
- * this function takes a symmetric key and encrypts it using an RSA public key
- * according to PKCS#1 and RFC2633 (S/MIME)
- */
-SECStatus
-NSS_CMSUtil_EncryptSymKey_RSA(PLArenaPool *poolp, CERTCertificate *cert, 
-                              PK11SymKey *bulkkey,
-                              SECItem *encKey)
-{
-    SECStatus rv;
-    SECKEYPublicKey *publickey;
-
-    publickey = CERT_ExtractPublicKey(cert);
-    if (publickey == NULL)
-	return SECFailure;
-
-    rv = NSS_CMSUtil_EncryptSymKey_RSAPubKey(poolp, publickey, bulkkey, encKey);
-    SECKEY_DestroyPublicKey(publickey);
-    return rv;
-}
-
-SECStatus
-NSS_CMSUtil_EncryptSymKey_RSAPubKey(PLArenaPool *poolp, 
-                                    SECKEYPublicKey *publickey, 
-                                    PK11SymKey *bulkkey, SECItem *encKey)
-{
-    SECStatus rv;
-    int data_len;
-    KeyType keyType;
-    void *mark = NULL;
-
-
-    mark = PORT_ArenaMark(poolp);
-    if (!mark)
-	goto loser;
-
-    /* sanity check */
-    keyType = SECKEY_GetPublicKeyType(publickey);
-    PORT_Assert(keyType == rsaKey);
-    if (keyType != rsaKey) {
-	goto loser;
-    }
-    /* allocate memory for the encrypted key */
-    data_len = SECKEY_PublicKeyStrength(publickey);	/* block size (assumed to be > keylen) */
-    encKey->data = (unsigned char*)PORT_ArenaAlloc(poolp, data_len);
-    encKey->len = data_len;
-    if (encKey->data == NULL)
-	goto loser;
-
-    /* encrypt the key now */
-    rv = PK11_PubWrapSymKey(PK11_AlgtagToMechanism(SEC_OID_PKCS1_RSA_ENCRYPTION),
-				publickey, bulkkey, encKey);
-
-    if (rv != SECSuccess)
-	goto loser;
-
-    PORT_ArenaUnmark(poolp, mark);
-    return SECSuccess;
-
-loser:
-    if (mark) {
-	PORT_ArenaRelease(poolp, mark);
-    }
-    return SECFailure;
-}
-
-/*
- * NSS_CMSUtil_DecryptSymKey_RSA - unwrap a RSA-wrapped symmetric key
- *
- * this function takes an RSA-wrapped symmetric key and unwraps it, returning a symmetric
- * key handle. Please note that the actual unwrapped key data may not be allowed to leave
- * a hardware token...
- */
-PK11SymKey *
-NSS_CMSUtil_DecryptSymKey_RSA(SECKEYPrivateKey *privkey, SECItem *encKey, SECOidTag bulkalgtag)
-{
-    /* that's easy */
-    CK_MECHANISM_TYPE target;
-    PORT_Assert(bulkalgtag != SEC_OID_UNKNOWN);
-    target = PK11_AlgtagToMechanism(bulkalgtag);
-    if (bulkalgtag == SEC_OID_UNKNOWN || target == CKM_INVALID_MECHANISM) {
-	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-	return NULL;
-    }
-    return PK11_PubUnwrapSymKey(privkey, encKey, target, CKA_DECRYPT, 0);
-}
-
-/* ====== MISSI (Fortezza) ========================================================== */
-
-extern const SEC_ASN1Template NSS_SMIMEKEAParamTemplateAllParams[];
-
-SECStatus
-NSS_CMSUtil_EncryptSymKey_MISSI(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *bulkkey,
-			SECOidTag symalgtag, SECItem *encKey, SECItem **pparams, void *pwfn_arg)
-{
-    SECOidTag certalgtag;	/* the certificate's encryption algorithm */
-    SECOidTag encalgtag;	/* the algorithm used for key exchange/agreement */
-    SECStatus rv = SECFailure;
-    SECItem *params = NULL;
-    SECStatus err;
-    PK11SymKey *tek;
-    CERTCertificate *ourCert;
-    SECKEYPublicKey *ourPubKey, *publickey = NULL;
-    SECKEYPrivateKey *ourPrivKey = NULL;
-    NSSCMSKEATemplateSelector whichKEA = NSSCMSKEAInvalid;
-    NSSCMSSMIMEKEAParameters keaParams;
-    PLArenaPool *arena = NULL;
-    extern const SEC_ASN1Template *nss_cms_get_kea_template(NSSCMSKEATemplateSelector whichTemplate);
-
-    /* Clear keaParams, since cleanup code checks the lengths */
-    (void) memset(&keaParams, 0, sizeof(keaParams));
-
-    certalgtag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
-    PORT_Assert(certalgtag == SEC_OID_MISSI_KEA_DSS_OLD ||
-		certalgtag == SEC_OID_MISSI_KEA_DSS ||
-		certalgtag == SEC_OID_MISSI_KEA);
-
-#define SMIME_FORTEZZA_RA_LENGTH 128
-#define SMIME_FORTEZZA_IV_LENGTH 24
-#define SMIME_FORTEZZA_MAX_KEY_SIZE 256
-
-    /* We really want to show our KEA tag as the key exchange algorithm tag. */
-    encalgtag = SEC_OID_NETSCAPE_SMIME_KEA;
-
-    /* Get the public key of the recipient. */
-    publickey = CERT_ExtractPublicKey(cert);
-    if (publickey == NULL) goto loser;
-
-    /* Find our own cert, and extract its keys. */
-    ourCert = PK11_FindBestKEAMatch(cert, pwfn_arg);
-    if (ourCert == NULL) goto loser;
-
-    arena = PORT_NewArena(1024);
-    if (arena == NULL)
-	goto loser;
-
-    ourPubKey = CERT_ExtractPublicKey(ourCert);
-    if (ourPubKey == NULL) {
-	CERT_DestroyCertificate(ourCert);
-	goto loser;
-    }
-
-    /* While we're here, copy the public key into the outgoing
-     * KEA parameters. */
-    SECITEM_CopyItem(arena, &(keaParams.originatorKEAKey), &(ourPubKey->u.fortezza.KEAKey));
-    SECKEY_DestroyPublicKey(ourPubKey);
-    ourPubKey = NULL;
-
-    /* Extract our private key in order to derive the KEA key. */
-    ourPrivKey = PK11_FindKeyByAnyCert(ourCert, pwfn_arg);
-    CERT_DestroyCertificate(ourCert); /* we're done with this */
-    if (!ourPrivKey)
-	goto loser;
-
-    /* Prepare raItem with 128 bytes (filled with zeros). */
-    keaParams.originatorRA.data = (unsigned char *)PORT_ArenaAlloc(arena,SMIME_FORTEZZA_RA_LENGTH);
-    keaParams.originatorRA.len = SMIME_FORTEZZA_RA_LENGTH;
-
-    /* Generate the TEK (token exchange key) which we use
-     * to wrap the bulk encryption key. (keaparams.originatorRA) will be
-     * filled with a random seed which we need to send to
-     * the recipient. (user keying material in RFC2630/DSA speak) */
-    tek = PK11_PubDerive(ourPrivKey, publickey, PR_TRUE,
-			 &keaParams.originatorRA, NULL,
-			 CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP,
-			 CKA_WRAP, 0,  pwfn_arg);
-
-    SECKEY_DestroyPublicKey(publickey);
-    SECKEY_DestroyPrivateKey(ourPrivKey);
-    publickey = NULL;
-    ourPrivKey = NULL;
-    
-    if (!tek)
-	goto loser;
-
-    /* allocate space for the wrapped key data */
-    encKey->data = (unsigned char *)PORT_ArenaAlloc(poolp, SMIME_FORTEZZA_MAX_KEY_SIZE);
-    encKey->len = SMIME_FORTEZZA_MAX_KEY_SIZE;
-
-    if (encKey->data == NULL) {
-	PK11_FreeSymKey(tek);
-	goto loser;
-    }
-
-    /* Wrap the bulk key. What we do with the resulting data
-       depends on whether we're using Skipjack to wrap the key. */
-    switch (PK11_AlgtagToMechanism(symalgtag)) {
-    case CKM_SKIPJACK_CBC64:
-    case CKM_SKIPJACK_ECB64:
-    case CKM_SKIPJACK_OFB64:
-    case CKM_SKIPJACK_CFB64:
-    case CKM_SKIPJACK_CFB32:
-    case CKM_SKIPJACK_CFB16:
-    case CKM_SKIPJACK_CFB8:
-	/* SKIPJACK, we use the wrap mechanism because we can do it on the hardware */
-	err = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, tek, bulkkey, encKey);
-	whichKEA = NSSCMSKEAUsesSkipjack;
-	break;
-    default:
-	/* Not SKIPJACK, we encrypt the raw key data */
-	keaParams.nonSkipjackIV.data = 
-	  (unsigned char *)PORT_ArenaAlloc(arena, SMIME_FORTEZZA_IV_LENGTH);
-	keaParams.nonSkipjackIV.len = SMIME_FORTEZZA_IV_LENGTH;
-	err = PK11_WrapSymKey(CKM_SKIPJACK_CBC64, &keaParams.nonSkipjackIV, tek, bulkkey, encKey);
-	if (err != SECSuccess)
-	    goto loser;
-
-	if (encKey->len != PK11_GetKeyLength(bulkkey)) {
-	    /* The size of the encrypted key is not the same as
-	       that of the original bulk key, presumably due to
-	       padding. Encode and store the real size of the
-	       bulk key. */
-	    if (SEC_ASN1EncodeInteger(arena, &keaParams.bulkKeySize, PK11_GetKeyLength(bulkkey)) == NULL)
-		err = (SECStatus)PORT_GetError();
-	    else
-		/* use full template for encoding */
-		whichKEA = NSSCMSKEAUsesNonSkipjackWithPaddedEncKey;
-	}
-	else
-	    /* enc key length == bulk key length */
-	    whichKEA = NSSCMSKEAUsesNonSkipjack; 
-	break;
-    }
-
-    PK11_FreeSymKey(tek);
-
-    if (err != SECSuccess)
-	goto loser;
-
-    PORT_Assert(whichKEA != NSSCMSKEAInvalid);
-
-    /* Encode the KEA parameters into the recipient info. */
-    params = SEC_ASN1EncodeItem(poolp, NULL, &keaParams, nss_cms_get_kea_template(whichKEA));
-    if (params == NULL)
-	goto loser;
-
-    /* pass back the algorithm params */
-    *pparams = params;
-
-    rv = SECSuccess;
-
-loser:
-    if (arena)
-	PORT_FreeArena(arena, PR_FALSE);
-    if (publickey)
-        SECKEY_DestroyPublicKey(publickey);
-    if (ourPrivKey)
-        SECKEY_DestroyPrivateKey(ourPrivKey);
-    return rv;
-}
-
-PK11SymKey *
-NSS_CMSUtil_DecryptSymKey_MISSI(SECKEYPrivateKey *privkey, SECItem *encKey, SECAlgorithmID *keyEncAlg, SECOidTag bulkalgtag, void *pwfn_arg)
-{
-    /* fortezza: do a key exchange */
-    SECStatus err;
-    CK_MECHANISM_TYPE bulkType;
-    PK11SymKey *tek;
-    SECKEYPublicKey *originatorPubKey;
-    NSSCMSSMIMEKEAParameters keaParams;
-    PK11SymKey *bulkkey;
-    int bulkLength;
-
-    (void) memset(&keaParams, 0, sizeof(keaParams));
-
-    /* NOTE: this uses the SMIME v2 recipientinfo for compatibility.
-       All additional KEA parameters are DER-encoded in the encryption algorithm parameters */
-
-    /* Decode the KEA algorithm parameters. */
-    err = SEC_ASN1DecodeItem(NULL, &keaParams, NSS_SMIMEKEAParamTemplateAllParams,
-			     &(keyEncAlg->parameters));
-    if (err != SECSuccess)
-	goto loser;
-
-    /* get originator's public key */
-   originatorPubKey = PK11_MakeKEAPubKey(keaParams.originatorKEAKey.data,
-			   keaParams.originatorKEAKey.len);
-   if (originatorPubKey == NULL)
-	  goto loser;
-    
-   /* Generate the TEK (token exchange key) which we use to unwrap the bulk encryption key.
-      The Derive function generates a shared secret and combines it with the originatorRA
-      data to come up with an unique session key */
-   tek = PK11_PubDerive(privkey, originatorPubKey, PR_FALSE,
-			 &keaParams.originatorRA, NULL,
-			 CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP,
-			 CKA_WRAP, 0, pwfn_arg);
-   SECKEY_DestroyPublicKey(originatorPubKey);	/* not needed anymore */
-   if (tek == NULL)
-	goto loser;
-    
-    /* Now that we have the TEK, unwrap the bulk key
-       with which to decrypt the message. We have to
-       do one of two different things depending on 
-       whether Skipjack was used for *bulk* encryption 
-       of the message. */
-    bulkType = PK11_AlgtagToMechanism(bulkalgtag);
-    switch (bulkType) {
-    case CKM_SKIPJACK_CBC64:
-    case CKM_SKIPJACK_ECB64:
-    case CKM_SKIPJACK_OFB64:
-    case CKM_SKIPJACK_CFB64:
-    case CKM_SKIPJACK_CFB32:
-    case CKM_SKIPJACK_CFB16:
-    case CKM_SKIPJACK_CFB8:
-	/* Skipjack is being used as the bulk encryption algorithm.*/
-	/* Unwrap the bulk key. */
-	bulkkey = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_WRAP, NULL,
-				    encKey, CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0);
-	break;
-    default:
-	/* Skipjack was not used for bulk encryption of this
-	   message. Use Skipjack CBC64, with the nonSkipjackIV
-	   part of the KEA key parameters, to decrypt 
-	   the bulk key. If the optional parameter bulkKeySize is present,
-	   bulk key size is different than the encrypted key size */
-	if (keaParams.bulkKeySize.len > 0) {
-	    err = SEC_ASN1DecodeItem(NULL, &bulkLength,
-				     SEC_ASN1_GET(SEC_IntegerTemplate),
-				     &keaParams.bulkKeySize);
-	    if (err != SECSuccess)
-		goto loser;
-	}
-	
-	bulkkey = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_CBC64, &keaParams.nonSkipjackIV, 
-				    encKey, bulkType, CKA_DECRYPT, bulkLength);
-	break;
-    }
-    return bulkkey;
-loser:
-    return NULL;
-}
-
-/* ====== ESDH (Ephemeral-Static Diffie-Hellman) ==================================== */
-
-SECStatus
-NSS_CMSUtil_EncryptSymKey_ESDH(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,
-			SECItem *encKey, SECItem **ukm, SECAlgorithmID *keyEncAlg,
-			SECItem *pubKey)
-{
-#if 0 /* not yet done */
-    SECOidTag certalgtag;	/* the certificate's encryption algorithm */
-    SECOidTag encalgtag;	/* the algorithm used for key exchange/agreement */
-    SECStatus rv;
-    SECItem *params = NULL;
-    int data_len;
-    SECStatus err;
-    PK11SymKey *tek;
-    CERTCertificate *ourCert;
-    SECKEYPublicKey *ourPubKey;
-    NSSCMSKEATemplateSelector whichKEA = NSSCMSKEAInvalid;
-
-    certalgtag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
-    PORT_Assert(certalgtag == SEC_OID_X942_DIFFIE_HELMAN_KEY);
-
-    /* We really want to show our KEA tag as the key exchange algorithm tag. */
-    encalgtag = SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN;
-
-    /* Get the public key of the recipient. */
-    publickey = CERT_ExtractPublicKey(cert);
-    if (publickey == NULL) goto loser;
-
-    /* XXXX generate a DH key pair on a PKCS11 module (XXX which parameters?) */
-    /* XXXX */ourCert = PK11_FindBestKEAMatch(cert, wincx);
-    if (ourCert == NULL) goto loser;
-
-    arena = PORT_NewArena(1024);
-    if (arena == NULL) goto loser;
-
-    /* While we're here, extract the key pair's public key data and copy it into */
-    /* the outgoing parameters. */
-    /* XXXX */ourPubKey = CERT_ExtractPublicKey(ourCert);
-    if (ourPubKey == NULL)
-    {
-	goto loser;
-    }
-    SECITEM_CopyItem(arena, pubKey, /* XXX */&(ourPubKey->u.fortezza.KEAKey));
-    SECKEY_DestroyPublicKey(ourPubKey); /* we only need the private key from now on */
-    ourPubKey = NULL;
-
-    /* Extract our private key in order to derive the KEA key. */
-    ourPrivKey = PK11_FindKeyByAnyCert(ourCert,wincx);
-    CERT_DestroyCertificate(ourCert); /* we're done with this */
-    if (!ourPrivKey) goto loser;
-
-    /* If ukm desired, prepare it - allocate enough space (filled with zeros). */
-    if (ukm) {
-	ukm->data = (unsigned char*)PORT_ArenaZAlloc(arena,/* XXXX */);
-	ukm->len = /* XXXX */;
-    }
-
-    /* Generate the KEK (key exchange key) according to RFC2631 which we use
-     * to wrap the bulk encryption key. */
-    kek = PK11_PubDerive(ourPrivKey, publickey, PR_TRUE,
-			 ukm, NULL,
-			 /* XXXX */CKM_KEA_KEY_DERIVE, /* XXXX */CKM_SKIPJACK_WRAP,
-			 CKA_WRAP, 0, wincx);
-
-    SECKEY_DestroyPublicKey(publickey);
-    SECKEY_DestroyPrivateKey(ourPrivKey);
-    publickey = NULL;
-    ourPrivKey = NULL;
-    
-    if (!kek)
-	goto loser;
-
-    /* allocate space for the encrypted CEK (bulk key) */
-    encKey->data = (unsigned char*)PORT_ArenaAlloc(poolp, SMIME_FORTEZZA_MAX_KEY_SIZE);
-    encKey->len = SMIME_FORTEZZA_MAX_KEY_SIZE;
-
-    if (encKey->data == NULL)
-    {
-	PK11_FreeSymKey(kek);
-	goto loser;
-    }
-
-
-    /* Wrap the bulk key using CMSRC2WRAP or CMS3DESWRAP, depending on the */
-    /* bulk encryption algorithm */
-    switch (/* XXXX */PK11_AlgtagToMechanism(enccinfo->encalg))
-    {
-    case /* XXXX */CKM_SKIPJACK_CFB8:
-	err = PK11_WrapSymKey(/* XXXX */CKM_CMS3DES_WRAP, NULL, kek, bulkkey, encKey);
-	whichKEA = NSSCMSKEAUsesSkipjack;
-	break;
-    case /* XXXX */CKM_SKIPJACK_CFB8:
-	err = PK11_WrapSymKey(/* XXXX */CKM_CMSRC2_WRAP, NULL, kek, bulkkey, encKey);
-	whichKEA = NSSCMSKEAUsesSkipjack;
-	break;
-    default:
-	/* XXXX what do we do here? Neither RC2 nor 3DES... */
-        err = SECFailure;
-        /* set error */
-	break;
-    }
-
-    PK11_FreeSymKey(kek);	/* we do not need the KEK anymore */
-    if (err != SECSuccess)
-	goto loser;
-
-    PORT_Assert(whichKEA != NSSCMSKEAInvalid);
-
-    /* see RFC2630 12.3.1.1 "keyEncryptionAlgorithm must be ..." */
-    /* params is the DER encoded key wrap algorithm (with parameters!) (XXX) */
-    params = SEC_ASN1EncodeItem(arena, NULL, &keaParams, sec_pkcs7_get_kea_template(whichKEA));
-    if (params == NULL)
-	goto loser;
-
-    /* now set keyEncAlg */
-    rv = SECOID_SetAlgorithmID(poolp, keyEncAlg, SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN, params);
-    if (rv != SECSuccess)
-	goto loser;
-
-    /* XXXXXXX this is not right yet */
-loser:
-    if (arena) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    if (publickey) {
-        SECKEY_DestroyPublicKey(publickey);
-    }
-    if (ourPrivKey) {
-        SECKEY_DestroyPrivateKey(ourPrivKey);
-    }
-#endif
-    return SECFailure;
-}
-
-PK11SymKey *
-NSS_CMSUtil_DecryptSymKey_ESDH(SECKEYPrivateKey *privkey, SECItem *encKey, SECAlgorithmID *keyEncAlg, SECOidTag bulkalgtag, void *pwfn_arg)
-{
-#if 0 /* not yet done */
-    SECStatus err;
-    CK_MECHANISM_TYPE bulkType;
-    PK11SymKey *tek;
-    SECKEYPublicKey *originatorPubKey;
-    NSSCMSSMIMEKEAParameters keaParams;
-
-   /* XXXX get originator's public key */
-   originatorPubKey = PK11_MakeKEAPubKey(keaParams.originatorKEAKey.data,
-			   keaParams.originatorKEAKey.len);
-   if (originatorPubKey == NULL)
-      goto loser;
-    
-   /* Generate the TEK (token exchange key) which we use to unwrap the bulk encryption key.
-      The Derive function generates a shared secret and combines it with the originatorRA
-      data to come up with an unique session key */
-   tek = PK11_PubDerive(privkey, originatorPubKey, PR_FALSE,
-			 &keaParams.originatorRA, NULL,
-			 CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP,
-			 CKA_WRAP, 0, pwfn_arg);
-   SECKEY_DestroyPublicKey(originatorPubKey);	/* not needed anymore */
-   if (tek == NULL)
-	goto loser;
-    
-    /* Now that we have the TEK, unwrap the bulk key
-       with which to decrypt the message. */
-    /* Skipjack is being used as the bulk encryption algorithm.*/
-    /* Unwrap the bulk key. */
-    bulkkey = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_WRAP, NULL,
-				encKey, CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0);
-
-    return bulkkey;
-
-loser:
-#endif
-    return NULL;
-}
-
diff --git a/security/nss/lib/smime/cmsrecinfo.c b/security/nss/lib/smime/cmsrecinfo.c
deleted file mode 100644
index 07236adc1..000000000
--- a/security/nss/lib/smime/cmsrecinfo.c
+++ /dev/null
@@ -1,743 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * CMS recipientInfo methods.
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "cert.h"
-#include "key.h"
-#include "secasn1.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "secerr.h"
-
-PRBool
-nss_cmsrecipientinfo_usessubjectkeyid(NSSCMSRecipientInfo *ri)
-{
-    if (ri->recipientInfoType == NSSCMSRecipientInfoID_KeyTrans) {
-	NSSCMSRecipientIdentifier *rid;
-	rid = &ri->ri.keyTransRecipientInfo.recipientIdentifier;
-	if (rid->identifierType == NSSCMSRecipientID_SubjectKeyID) {
-	    return PR_TRUE;
-	}
-    }
-    return PR_FALSE;
-}
-
-/*
- * NOTE: fakeContent marks CMSMessage structure which is only used as a carrier
- * of pwfn_arg and arena pools. In an ideal world, NSSCMSMessage would not have
- * been exported, and we would have added an ordinary enum to handle this 
- * check. Unfortunatly wo don't have that luxury so we are overloading the
- * contentTypeTag field. NO code should every try to interpret this content tag
- * as a real OID tag, or use any fields other than pwfn_arg or poolp of this 
- * CMSMessage for that matter */
-static const SECOidData fakeContent;
-NSSCMSRecipientInfo *
-nss_cmsrecipientinfo_create(NSSCMSMessage *cmsg, NSSCMSRecipientIDSelector type,
-                            CERTCertificate *cert, SECKEYPublicKey *pubKey, 
-                            SECItem *subjKeyID, void* pwfn_arg, SECItem* DERinput)
-{
-    NSSCMSRecipientInfo *ri;
-    void *mark;
-    SECOidTag certalgtag;
-    SECStatus rv = SECSuccess;
-    NSSCMSRecipientEncryptedKey *rek;
-    NSSCMSOriginatorIdentifierOrKey *oiok;
-    unsigned long version;
-    SECItem *dummy;
-    PLArenaPool *poolp;
-    CERTSubjectPublicKeyInfo *spki, *freeSpki = NULL;
-    NSSCMSRecipientIdentifier *rid;
-    extern const SEC_ASN1Template NSSCMSRecipientInfoTemplate[];
-
-    if (!cmsg) {
-	/* a CMSMessage wasn't supplied, create a fake one to hold the pwfunc
-	 * and a private arena pool */
-	cmsg = NSS_CMSMessage_Create(NULL);
-        cmsg->pwfn_arg = pwfn_arg;
-	/* mark it as a special cms message */
-	cmsg->contentInfo.contentTypeTag = &fakeContent;
-    }
-
-    poolp = cmsg->poolp;
-
-    mark = PORT_ArenaMark(poolp);
-
-    ri = (NSSCMSRecipientInfo *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSRecipientInfo));
-    if (ri == NULL)
-	goto loser;
-
-    ri->cmsg = cmsg;
-
-    if (DERinput) {
-        /* decode everything from DER */
-        SECItem newinput;
-        SECStatus rv = SECITEM_CopyItem(poolp, &newinput, DERinput);
-        if (SECSuccess != rv)
-            goto loser;
-        rv = SEC_QuickDERDecodeItem(poolp, ri, NSSCMSRecipientInfoTemplate, &newinput);
-        if (SECSuccess != rv)
-            goto loser;
-    }
-
-    switch (type) {
-        case NSSCMSRecipientID_IssuerSN:
-        {
-            ri->cert = CERT_DupCertificate(cert);
-            if (NULL == ri->cert)
-                goto loser;
-            spki = &(cert->subjectPublicKeyInfo);
-            break;
-        }
-        
-        case NSSCMSRecipientID_SubjectKeyID:
-        {
-            PORT_Assert(pubKey);
-            spki = freeSpki = SECKEY_CreateSubjectPublicKeyInfo(pubKey);
-            break;
-        }
-
-	case NSSCMSRecipientID_BrandNew:
-	    goto done;
-	    break;
-
-        default:
-            /* unkown type */
-            goto loser;
-            break;
-    }
-
-    certalgtag = SECOID_GetAlgorithmTag(&(spki->algorithm));
-
-    rid = &ri->ri.keyTransRecipientInfo.recipientIdentifier;
-    switch (certalgtag) {
-    case SEC_OID_PKCS1_RSA_ENCRYPTION:
-	ri->recipientInfoType = NSSCMSRecipientInfoID_KeyTrans;
-	rid->identifierType = type;
-	if (type == NSSCMSRecipientID_IssuerSN) {
-	    rid->id.issuerAndSN = CERT_GetCertIssuerAndSN(poolp, cert);
-	    if (rid->id.issuerAndSN == NULL) {
-	      break;
-	    }
-	} else if (type == NSSCMSRecipientID_SubjectKeyID){
-	    NSSCMSKeyTransRecipientInfoEx *riExtra;
-
-	    rid->id.subjectKeyID = PORT_ArenaNew(poolp, SECItem);
-	    if (rid->id.subjectKeyID == NULL) {
-		rv = SECFailure;
-		PORT_SetError(SEC_ERROR_NO_MEMORY);
-		break;
-	    } 
-	    SECITEM_CopyItem(poolp, rid->id.subjectKeyID, subjKeyID);
-	    if (rid->id.subjectKeyID->data == NULL) {
-		rv = SECFailure;
-		PORT_SetError(SEC_ERROR_NO_MEMORY);
-		break;
-	    }
-	    riExtra = &ri->ri.keyTransRecipientInfoEx;
-	    riExtra->version = 0;
-	    riExtra->pubKey = SECKEY_CopyPublicKey(pubKey);
-	    if (riExtra->pubKey == NULL) {
-		rv = SECFailure;
-		PORT_SetError(SEC_ERROR_NO_MEMORY);
-		break;
-	    }
-	} else {
-	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	    rv = SECFailure;
-	}
-	break;
-    case SEC_OID_MISSI_KEA_DSS_OLD:
-    case SEC_OID_MISSI_KEA_DSS:
-    case SEC_OID_MISSI_KEA:
-	PORT_Assert(type == NSSCMSRecipientID_IssuerSN);
-	if (type != NSSCMSRecipientID_IssuerSN) {
-	    rv = SECFailure;
-	    break;
-	}
-	/* backward compatibility - this is not really a keytrans operation */
-	ri->recipientInfoType = NSSCMSRecipientInfoID_KeyTrans;
-	/* hardcoded issuerSN choice for now */
-	ri->ri.keyTransRecipientInfo.recipientIdentifier.identifierType = NSSCMSRecipientID_IssuerSN;
-	ri->ri.keyTransRecipientInfo.recipientIdentifier.id.issuerAndSN = CERT_GetCertIssuerAndSN(poolp, cert);
-	if (ri->ri.keyTransRecipientInfo.recipientIdentifier.id.issuerAndSN == NULL) {
-	    rv = SECFailure;
-	    break;
-	}
-	break;
-    case SEC_OID_X942_DIFFIE_HELMAN_KEY: /* dh-public-number */
-	PORT_Assert(type == NSSCMSRecipientID_IssuerSN);
-	if (type != NSSCMSRecipientID_IssuerSN) {
-	    rv = SECFailure;
-	    break;
-	}
-	/* a key agreement op */
-	ri->recipientInfoType = NSSCMSRecipientInfoID_KeyAgree;
-
-	if (ri->ri.keyTransRecipientInfo.recipientIdentifier.id.issuerAndSN == NULL) {
-	    rv = SECFailure;
-	    break;
-	}
-	/* we do not support the case where multiple recipients 
-	 * share the same KeyAgreeRecipientInfo and have multiple RecipientEncryptedKeys
-	 * in this case, we would need to walk all the recipientInfos, take the
-	 * ones that do KeyAgreement algorithms and join them, algorithm by algorithm
-	 * Then, we'd generate ONE ukm and OriginatorIdentifierOrKey */
-
-	/* only epheremal-static Diffie-Hellman is supported for now
-	 * this is the only form of key agreement that provides potential anonymity
-	 * of the sender, plus we do not have to include certs in the message */
-
-	/* force single recipientEncryptedKey for now */
-	if ((rek = NSS_CMSRecipientEncryptedKey_Create(poolp)) == NULL) {
-	    rv = SECFailure;
-	    break;
-	}
-
-	/* hardcoded IssuerSN choice for now */
-	rek->recipientIdentifier.identifierType = NSSCMSKeyAgreeRecipientID_IssuerSN;
-	if ((rek->recipientIdentifier.id.issuerAndSN = CERT_GetCertIssuerAndSN(poolp, cert)) == NULL) {
-	    rv = SECFailure;
-	    break;
-	}
-
-	oiok = &(ri->ri.keyAgreeRecipientInfo.originatorIdentifierOrKey);
-
-	/* see RFC2630 12.3.1.1 */
-	oiok->identifierType = NSSCMSOriginatorIDOrKey_OriginatorPublicKey;
-
-	rv = NSS_CMSArray_Add(poolp, (void ***)&ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys,
-				    (void *)rek);
-
-	break;
-    default:
-	/* other algorithms not supported yet */
-	/* NOTE that we do not support any KEK algorithm */
-	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-	rv = SECFailure;
-	break;
-    }
-
-    if (rv == SECFailure)
-	goto loser;
-
-    /* set version */
-    switch (ri->recipientInfoType) {
-    case NSSCMSRecipientInfoID_KeyTrans:
-	if (ri->ri.keyTransRecipientInfo.recipientIdentifier.identifierType == NSSCMSRecipientID_IssuerSN)
-	    version = NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_ISSUERSN;
-	else
-	    version = NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_SUBJKEY;
-	dummy = SEC_ASN1EncodeInteger(poolp, &(ri->ri.keyTransRecipientInfo.version), version);
-	if (dummy == NULL)
-	    goto loser;
-	break;
-    case NSSCMSRecipientInfoID_KeyAgree:
-	dummy = SEC_ASN1EncodeInteger(poolp, &(ri->ri.keyAgreeRecipientInfo.version),
-						NSS_CMS_KEYAGREE_RECIPIENT_INFO_VERSION);
-	if (dummy == NULL)
-	    goto loser;
-	break;
-    case NSSCMSRecipientInfoID_KEK:
-	/* NOTE: this cannot happen as long as we do not support any KEK algorithm */
-	dummy = SEC_ASN1EncodeInteger(poolp, &(ri->ri.kekRecipientInfo.version),
-						NSS_CMS_KEK_RECIPIENT_INFO_VERSION);
-	if (dummy == NULL)
-	    goto loser;
-	break;
-    
-    }
-
-done:
-    PORT_ArenaUnmark (poolp, mark);
-    if (freeSpki)
-      SECKEY_DestroySubjectPublicKeyInfo(freeSpki);
-    return ri;
-
-loser:
-    if (freeSpki) {
-      SECKEY_DestroySubjectPublicKeyInfo(freeSpki);
-    }
-    PORT_ArenaRelease (poolp, mark);
-    if (cmsg->contentInfo.contentTypeTag == &fakeContent) {
-	NSS_CMSMessage_Destroy(cmsg);
-    }
-    return NULL;
-}
-
-/*
- * NSS_CMSRecipientInfo_Create - create a recipientinfo
- *
- * we currently do not create KeyAgreement recipientinfos with multiple 
- * recipientEncryptedKeys the certificate is supposed to have been 
- * verified by the caller
- */
-NSSCMSRecipientInfo *
-NSS_CMSRecipientInfo_Create(NSSCMSMessage *cmsg, CERTCertificate *cert)
-{
-    return nss_cmsrecipientinfo_create(cmsg, NSSCMSRecipientID_IssuerSN, cert, 
-                                       NULL, NULL, NULL, NULL);
-}
-
-NSSCMSRecipientInfo *
-NSS_CMSRecipientInfo_CreateNew(void* pwfn_arg)
-{
-    return nss_cmsrecipientinfo_create(NULL, NSSCMSRecipientID_BrandNew, NULL, 
-                                       NULL, NULL, pwfn_arg, NULL);
-}
-
-NSSCMSRecipientInfo *
-NSS_CMSRecipientInfo_CreateFromDER(SECItem* input, void* pwfn_arg)
-{
-    return nss_cmsrecipientinfo_create(NULL, NSSCMSRecipientID_BrandNew, NULL, 
-                                       NULL, NULL, pwfn_arg, input);
-}
-
-
-NSSCMSRecipientInfo *
-NSS_CMSRecipientInfo_CreateWithSubjKeyID(NSSCMSMessage   *cmsg, 
-                                     SECItem         *subjKeyID,
-                                     SECKEYPublicKey *pubKey)
-{
-    return nss_cmsrecipientinfo_create(cmsg, NSSCMSRecipientID_SubjectKeyID, 
-                                       NULL, pubKey, subjKeyID, NULL, NULL);
-}
-
-NSSCMSRecipientInfo *
-NSS_CMSRecipientInfo_CreateWithSubjKeyIDFromCert(NSSCMSMessage *cmsg,
-                                             CERTCertificate *cert)
-{
-    SECKEYPublicKey *pubKey = NULL;
-    SECItem subjKeyID = {siBuffer, NULL, 0};
-    NSSCMSRecipientInfo *retVal = NULL;
-
-    if (!cmsg || !cert) {
-	return NULL;
-    }
-    pubKey = CERT_ExtractPublicKey(cert);
-    if (!pubKey) {
-	goto done;
-    }
-    if (CERT_FindSubjectKeyIDExtension(cert, &subjKeyID) != SECSuccess ||
-        subjKeyID.data == NULL) {
-	goto done;
-    }
-    retVal = NSS_CMSRecipientInfo_CreateWithSubjKeyID(cmsg, &subjKeyID, pubKey);
-done:
-    if (pubKey)
-	SECKEY_DestroyPublicKey(pubKey);
-
-    if (subjKeyID.data)
-	SECITEM_FreeItem(&subjKeyID, PR_FALSE);
-
-    return retVal;
-}
-
-void
-NSS_CMSRecipientInfo_Destroy(NSSCMSRecipientInfo *ri)
-{
-    if (!ri) {
-        return;
-    }
-    /* version was allocated on the pool, so no need to destroy it */
-    /* issuerAndSN was allocated on the pool, so no need to destroy it */
-    if (ri->cert != NULL)
-	CERT_DestroyCertificate(ri->cert);
-
-    if (nss_cmsrecipientinfo_usessubjectkeyid(ri)) {
-	NSSCMSKeyTransRecipientInfoEx *extra;
-	extra = &ri->ri.keyTransRecipientInfoEx;
-	if (extra->pubKey)
-	    SECKEY_DestroyPublicKey(extra->pubKey);
-    }
-    if (ri->cmsg && ri->cmsg->contentInfo.contentTypeTag == &fakeContent) {
-	NSS_CMSMessage_Destroy(ri->cmsg);
-    }
-
-    /* we're done. */
-}
-
-int
-NSS_CMSRecipientInfo_GetVersion(NSSCMSRecipientInfo *ri)
-{
-    unsigned long version;
-    SECItem *versionitem = NULL;
-
-    switch (ri->recipientInfoType) {
-    case NSSCMSRecipientInfoID_KeyTrans:
-	/* ignore subIndex */
-	versionitem = &(ri->ri.keyTransRecipientInfo.version);
-	break;
-    case NSSCMSRecipientInfoID_KEK:
-	/* ignore subIndex */
-	versionitem = &(ri->ri.kekRecipientInfo.version);
-	break;
-    case NSSCMSRecipientInfoID_KeyAgree:
-	versionitem = &(ri->ri.keyAgreeRecipientInfo.version);
-	break;
-    }
-
-    PORT_Assert(versionitem);
-    if (versionitem == NULL) 
-	return 0;
-
-    /* always take apart the SECItem */
-    if (SEC_ASN1DecodeInteger(versionitem, &version) != SECSuccess)
-	return 0;
-    else
-	return (int)version;
-}
-
-SECItem *
-NSS_CMSRecipientInfo_GetEncryptedKey(NSSCMSRecipientInfo *ri, int subIndex)
-{
-    SECItem *enckey = NULL;
-
-    switch (ri->recipientInfoType) {
-    case NSSCMSRecipientInfoID_KeyTrans:
-	/* ignore subIndex */
-	enckey = &(ri->ri.keyTransRecipientInfo.encKey);
-	break;
-    case NSSCMSRecipientInfoID_KEK:
-	/* ignore subIndex */
-	enckey = &(ri->ri.kekRecipientInfo.encKey);
-	break;
-    case NSSCMSRecipientInfoID_KeyAgree:
-	enckey = &(ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[subIndex]->encKey);
-	break;
-    }
-    return enckey;
-}
-
-
-SECOidTag
-NSS_CMSRecipientInfo_GetKeyEncryptionAlgorithmTag(NSSCMSRecipientInfo *ri)
-{
-    SECOidTag encalgtag = SEC_OID_UNKNOWN; /* an invalid encryption alg */
-
-    switch (ri->recipientInfoType) {
-    case NSSCMSRecipientInfoID_KeyTrans:
-	encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.keyTransRecipientInfo.keyEncAlg));
-	break;
-    case NSSCMSRecipientInfoID_KeyAgree:
-	encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.keyAgreeRecipientInfo.keyEncAlg));
-	break;
-    case NSSCMSRecipientInfoID_KEK:
-	encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.kekRecipientInfo.keyEncAlg));
-	break;
-    }
-    return encalgtag;
-}
-
-SECStatus
-NSS_CMSRecipientInfo_WrapBulkKey(NSSCMSRecipientInfo *ri, PK11SymKey *bulkkey, 
-                                 SECOidTag bulkalgtag)
-{
-    CERTCertificate *cert;
-    SECOidTag certalgtag;
-    SECStatus rv = SECSuccess;
-    SECItem *params = NULL;
-    NSSCMSRecipientEncryptedKey *rek;
-    NSSCMSOriginatorIdentifierOrKey *oiok;
-    CERTSubjectPublicKeyInfo *spki, *freeSpki = NULL;
-    PLArenaPool *poolp;
-    NSSCMSKeyTransRecipientInfoEx *extra = NULL;
-    PRBool usesSubjKeyID;
-
-    poolp = ri->cmsg->poolp;
-    cert = ri->cert;
-    usesSubjKeyID = nss_cmsrecipientinfo_usessubjectkeyid(ri);
-    if (cert) {
-	spki = &cert->subjectPublicKeyInfo;
-	certalgtag = SECOID_GetAlgorithmTag(&(spki->algorithm));
-    } else if (usesSubjKeyID) {
-	extra = &ri->ri.keyTransRecipientInfoEx;
-	/* sanity check */
-	PORT_Assert(extra->pubKey);
-	if (!extra->pubKey) {
-	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	    return SECFailure;
-	}
-	spki = freeSpki = SECKEY_CreateSubjectPublicKeyInfo(extra->pubKey);
-	certalgtag = SECOID_GetAlgorithmTag(&spki->algorithm);
-    } else {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    /* XXX set ri->recipientInfoType to the proper value here */
-    /* or should we look if it's been set already ? */
-
-    certalgtag = SECOID_GetAlgorithmTag(&spki->algorithm);
-    switch (certalgtag) {
-    case SEC_OID_PKCS1_RSA_ENCRYPTION:
-	/* wrap the symkey */
-	if (cert) {
-	    rv = NSS_CMSUtil_EncryptSymKey_RSA(poolp, cert, bulkkey, 
-	                         &ri->ri.keyTransRecipientInfo.encKey);
- 	    if (rv != SECSuccess)
-		break;
-	} else if (usesSubjKeyID) {
-	    PORT_Assert(extra != NULL);
-	    rv = NSS_CMSUtil_EncryptSymKey_RSAPubKey(poolp, extra->pubKey,
-	                         bulkkey, &ri->ri.keyTransRecipientInfo.encKey);
- 	    if (rv != SECSuccess)
-		break;
-	}
-
-	rv = SECOID_SetAlgorithmID(poolp, &(ri->ri.keyTransRecipientInfo.keyEncAlg), certalgtag, NULL);
-	break;
-    case SEC_OID_MISSI_KEA_DSS_OLD:
-    case SEC_OID_MISSI_KEA_DSS:
-    case SEC_OID_MISSI_KEA:
-	rv = NSS_CMSUtil_EncryptSymKey_MISSI(poolp, cert, bulkkey,
-					bulkalgtag,
-					&ri->ri.keyTransRecipientInfo.encKey,
-					&params, ri->cmsg->pwfn_arg);
-	if (rv != SECSuccess)
-	    break;
-
-	/* here, we DO need to pass the params to the wrap function because, with
-	 * RSA, there is no funny stuff going on with generation of IV vectors or so */
-	rv = SECOID_SetAlgorithmID(poolp, &(ri->ri.keyTransRecipientInfo.keyEncAlg), certalgtag, params);
-	break;
-    case SEC_OID_X942_DIFFIE_HELMAN_KEY: /* dh-public-number */
-	rek = ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[0];
-	if (rek == NULL) {
-	    rv = SECFailure;
-	    break;
-	}
-
-	oiok = &(ri->ri.keyAgreeRecipientInfo.originatorIdentifierOrKey);
-	PORT_Assert(oiok->identifierType == NSSCMSOriginatorIDOrKey_OriginatorPublicKey);
-
-	/* see RFC2630 12.3.1.1 */
-	if (SECOID_SetAlgorithmID(poolp, &oiok->id.originatorPublicKey.algorithmIdentifier,
-				    SEC_OID_X942_DIFFIE_HELMAN_KEY, NULL) != SECSuccess) {
-	    rv = SECFailure;
-	    break;
-	}
-
-	/* this will generate a key pair, compute the shared secret, */
-	/* derive a key and ukm for the keyEncAlg out of it, encrypt the bulk key with */
-	/* the keyEncAlg, set encKey, keyEncAlg, publicKey etc. */
-	rv = NSS_CMSUtil_EncryptSymKey_ESDH(poolp, cert, bulkkey,
-					&rek->encKey,
-					&ri->ri.keyAgreeRecipientInfo.ukm,
-					&ri->ri.keyAgreeRecipientInfo.keyEncAlg,
-					&oiok->id.originatorPublicKey.publicKey);
-
-	break;
-    default:
-	/* other algorithms not supported yet */
-	/* NOTE that we do not support any KEK algorithm */
-	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-	rv = SECFailure;
-	break;
-    }
-    if (freeSpki)
-	SECKEY_DestroySubjectPublicKeyInfo(freeSpki);
-
-    return rv;
-}
-
-PK11SymKey *
-NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCMSRecipientInfo *ri, int subIndex, 
-	CERTCertificate *cert, SECKEYPrivateKey *privkey, SECOidTag bulkalgtag)
-{
-    PK11SymKey *bulkkey = NULL;
-    SECAlgorithmID *encalg;
-    SECOidTag encalgtag;
-    SECItem *enckey;
-    int error;
-
-    ri->cert = CERT_DupCertificate(cert);
-        	/* mark the recipientInfo so we can find it later */
-
-    switch (ri->recipientInfoType) {
-    case NSSCMSRecipientInfoID_KeyTrans:
-	encalg = &(ri->ri.keyTransRecipientInfo.keyEncAlg);
-	encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.keyTransRecipientInfo.keyEncAlg));
-	enckey = &(ri->ri.keyTransRecipientInfo.encKey); /* ignore subIndex */
-	switch (encalgtag) {
-	case SEC_OID_PKCS1_RSA_ENCRYPTION:
-	    /* RSA encryption algorithm: */
-	    /* get the symmetric (bulk) key by unwrapping it using our private key */
-	    bulkkey = NSS_CMSUtil_DecryptSymKey_RSA(privkey, enckey, bulkalgtag);
-	    break;
-	case SEC_OID_NETSCAPE_SMIME_KEA:
-	    /* FORTEZZA key exchange algorithm */
-	    /* the supplemental data is in the parameters of encalg */
-	    bulkkey = NSS_CMSUtil_DecryptSymKey_MISSI(privkey, enckey, encalg, bulkalgtag, ri->cmsg->pwfn_arg);
-	    break;
-	default:
-	    error = SEC_ERROR_UNSUPPORTED_KEYALG;
-	    goto loser;
-	}
-	break;
-    case NSSCMSRecipientInfoID_KeyAgree:
-	encalg = &(ri->ri.keyAgreeRecipientInfo.keyEncAlg);
-	encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.keyAgreeRecipientInfo.keyEncAlg));
-	enckey = &(ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[subIndex]->encKey);
-	switch (encalgtag) {
-	case SEC_OID_X942_DIFFIE_HELMAN_KEY:
-	    /* Diffie-Helman key exchange */
-	    /* XXX not yet implemented */
-	    /* XXX problem: SEC_OID_X942_DIFFIE_HELMAN_KEY points to a PKCS3 mechanism! */
-	    /* we support ephemeral-static DH only, so if the recipientinfo */
-	    /* has originator stuff in it, we punt (or do we? shouldn't be that hard...) */
-	    /* first, we derive the KEK (a symkey!) using a Derive operation, then we get the */
-	    /* content encryption key using a Unwrap op */
-	    /* the derive operation has to generate the key using the algorithm in RFC2631 */
-	    error = SEC_ERROR_UNSUPPORTED_KEYALG;
-	    break;
-	default:
-	    error = SEC_ERROR_UNSUPPORTED_KEYALG;
-	    goto loser;
-	}
-	break;
-    case NSSCMSRecipientInfoID_KEK:
-	encalg = &(ri->ri.kekRecipientInfo.keyEncAlg);
-	encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.kekRecipientInfo.keyEncAlg));
-	enckey = &(ri->ri.kekRecipientInfo.encKey);
-	/* not supported yet */
-	error = SEC_ERROR_UNSUPPORTED_KEYALG;
-	goto loser;
-	break;
-    }
-    /* XXXX continue here */
-    return bulkkey;
-
-loser:
-    return NULL;
-}
-
-SECStatus NSS_CMSRecipientInfo_GetCertAndKey(NSSCMSRecipientInfo *ri,
-                                             CERTCertificate** retcert,
-                                             SECKEYPrivateKey** retkey)
-{
-    CERTCertificate* cert = NULL;
-    NSSCMSRecipient** recipients = NULL;
-    NSSCMSRecipientInfo* recipientInfos[2];
-    SECStatus rv = SECSuccess;
-    SECKEYPrivateKey* key = NULL;
-
-    if (!ri)
-        return SECFailure;
-    
-    if (!retcert && !retkey) {
-        /* nothing requested, nothing found, success */
-        return SECSuccess;
-    }
-
-    if (retcert) {
-        *retcert = NULL;
-    }
-    if (retkey) {
-        *retkey = NULL;
-    }
-
-    if (ri->cert) {
-        cert = CERT_DupCertificate(ri->cert);
-        if (!cert) {
-            rv = SECFailure;
-        }
-    }
-    if (SECSuccess == rv && !cert) {
-        /* we don't have the cert, we have to look for it */
-        /* first build an NSS_CMSRecipient */
-        recipientInfos[0] = ri;
-        recipientInfos[1] = NULL;
-
-        recipients = nss_cms_recipient_list_create(recipientInfos);
-        if (recipients) {
-            /* now look for the cert and key */
-            if (0 == PK11_FindCertAndKeyByRecipientListNew(recipients,
-                ri->cmsg->pwfn_arg)) {
-                cert = CERT_DupCertificate(recipients[0]->cert);
-                key = SECKEY_CopyPrivateKey(recipients[0]->privkey);
-            } else {
-                rv = SECFailure;
-            }
-
-            nss_cms_recipient_list_destroy(recipients);
-        }
-        else {
-            rv = SECFailure;
-        }            
-    } else if (SECSuccess == rv && cert && retkey) {
-        /* we have the cert, we just need the key now */
-        key = PK11_FindPrivateKeyFromCert(cert->slot, cert, ri->cmsg->pwfn_arg);
-    }
-    if (retcert) {
-        *retcert = cert;
-    } else {
-        if (cert) {
-            CERT_DestroyCertificate(cert);
-        }
-    }
-    if (retkey) {
-        *retkey = key;
-    } else {
-        if (key) {
-            SECKEY_DestroyPrivateKey(key);
-        }
-    }
-
-    return rv;
-}
-
-SECStatus NSS_CMSRecipientInfo_Encode(PRArenaPool* poolp,
-                                      const NSSCMSRecipientInfo *src,
-                                      SECItem* returned)
-{
-    extern const SEC_ASN1Template NSSCMSRecipientInfoTemplate[];
-    SECStatus rv = SECFailure;
-    if (!src || !returned) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-    } else if (SEC_ASN1EncodeItem(poolp, returned, src,
-        NSSCMSRecipientInfoTemplate))   {
-        rv = SECSuccess;
-    }
-    return rv;
-}
diff --git a/security/nss/lib/smime/cmsreclist.c b/security/nss/lib/smime/cmsreclist.c
deleted file mode 100644
index 34e31d582..000000000
--- a/security/nss/lib/smime/cmsreclist.c
+++ /dev/null
@@ -1,193 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * CMS recipient list functions
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "cert.h"
-#include "key.h"
-#include "secasn1.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "prtime.h"
-#include "secerr.h"
-
-static int
-nss_cms_recipients_traverse(NSSCMSRecipientInfo **recipientinfos, NSSCMSRecipient **recipient_list)
-{
-    int count = 0;
-    int rlindex = 0;
-    int i, j;
-    NSSCMSRecipient *rle;
-    NSSCMSRecipientInfo *ri;
-    NSSCMSRecipientEncryptedKey *rek;
-
-    for (i = 0; recipientinfos[i] != NULL; i++) {
-	ri = recipientinfos[i];
-	switch (ri->recipientInfoType) {
-	case NSSCMSRecipientInfoID_KeyTrans:
-	    if (recipient_list) {
-		/* alloc one & fill it out */
-		rle = (NSSCMSRecipient *)PORT_ZAlloc(sizeof(NSSCMSRecipient));
-		if (rle == NULL)
-		    return -1;
-		
-		rle->riIndex = i;
-		rle->subIndex = -1;
-		switch (ri->ri.keyTransRecipientInfo.recipientIdentifier.identifierType) {
-		case NSSCMSRecipientID_IssuerSN:
-		    rle->kind = RLIssuerSN;
-		    rle->id.issuerAndSN = ri->ri.keyTransRecipientInfo.recipientIdentifier.id.issuerAndSN;
-		    break;
-		case NSSCMSRecipientID_SubjectKeyID:
-		    rle->kind = RLSubjKeyID;
-		    rle->id.subjectKeyID = ri->ri.keyTransRecipientInfo.recipientIdentifier.id.subjectKeyID;
-		    break;
-		default:
-		    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-		    return -1;
-		}
-		recipient_list[rlindex++] = rle;
-	    } else {
-		count++;
-	    }
-	    break;
-	case NSSCMSRecipientInfoID_KeyAgree:
-	    if (ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys == NULL)
-		break;
-	    for (j=0; ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[j] != NULL; j++) {
-		if (recipient_list) {
-		    rek = ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[j];
-		    /* alloc one & fill it out */
-		    rle = (NSSCMSRecipient *)PORT_ZAlloc(sizeof(NSSCMSRecipient));
-		    if (rle == NULL)
-			return -1;
-		    
-		    rle->riIndex = i;
-		    rle->subIndex = j;
-		    switch (rek->recipientIdentifier.identifierType) {
-		    case NSSCMSKeyAgreeRecipientID_IssuerSN:
-			rle->kind = RLIssuerSN;
-			rle->id.issuerAndSN = rek->recipientIdentifier.id.issuerAndSN;
-			break;
-		    case NSSCMSKeyAgreeRecipientID_RKeyID:
-			rle->kind = RLSubjKeyID;
-			rle->id.subjectKeyID = rek->recipientIdentifier.id.recipientKeyIdentifier.subjectKeyIdentifier;
-			break;
-		    }
-		    recipient_list[rlindex++] = rle;
-		} else {
-		    count++;
-		}
-	    }
-	    break;
-	case NSSCMSRecipientInfoID_KEK:
-	    /* KEK is not implemented */
-	    break;
-	}
-    }
-    /* if we have a recipient list, we return on success (-1, above, on failure) */
-    /* otherwise, we return the count. */
-    if (recipient_list) {
-	recipient_list[rlindex] = NULL;
-	return 0;
-    } else {
-	return count;
-    }
-}
-
-NSSCMSRecipient **
-nss_cms_recipient_list_create(NSSCMSRecipientInfo **recipientinfos)
-{
-    int count, rv;
-    NSSCMSRecipient **recipient_list;
-
-    /* count the number of recipient identifiers */
-    count = nss_cms_recipients_traverse(recipientinfos, NULL);
-    if (count <= 0) {
-	/* no recipients? */
-	PORT_SetError(SEC_ERROR_BAD_DATA);
-#if 0
-	PORT_SetErrorString("Cannot find recipient data in envelope.");
-#endif
-	return NULL;
-    }
-
-    /* allocate an array of pointers */
-    recipient_list = (NSSCMSRecipient **)
-		    PORT_ZAlloc((count + 1) * sizeof(NSSCMSRecipient *));
-    if (recipient_list == NULL)
-	return NULL;
-
-    /* now fill in the recipient_list */
-    rv = nss_cms_recipients_traverse(recipientinfos, recipient_list);
-    if (rv < 0) {
-	nss_cms_recipient_list_destroy(recipient_list);
-	return NULL;
-    }
-    return recipient_list;
-}
-
-void
-nss_cms_recipient_list_destroy(NSSCMSRecipient **recipient_list)
-{
-    int i;
-    NSSCMSRecipient *recipient;
-
-    for (i=0; recipient_list[i] != NULL; i++) {
-	recipient = recipient_list[i];
-	if (recipient->cert)
-	    CERT_DestroyCertificate(recipient->cert);
-	if (recipient->privkey)
-	    SECKEY_DestroyPrivateKey(recipient->privkey);
-	if (recipient->slot)
-	    PK11_FreeSlot(recipient->slot);
-	PORT_Free(recipient);
-    }
-    PORT_Free(recipient_list);
-}
-
-NSSCMSRecipientEncryptedKey *
-NSS_CMSRecipientEncryptedKey_Create(PLArenaPool *poolp)
-{
-    return (NSSCMSRecipientEncryptedKey *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSRecipientEncryptedKey));
-}
diff --git a/security/nss/lib/smime/cmsreclist.h b/security/nss/lib/smime/cmsreclist.h
deleted file mode 100644
index ba3f39eda..000000000
--- a/security/nss/lib/smime/cmsreclist.h
+++ /dev/null
@@ -1,62 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * $Id$
- */
-
-#ifndef _CMSRECLIST_H
-#define _CMSRECLIST_H
-
-struct NSSCMSRecipientStr {
-    int				riIndex;	/* this recipient's index in recipientInfo array */
-    int				subIndex;	/* index into recipientEncryptedKeys */
-						/* (only in NSSCMSKeyAgreeRecipientInfoStr) */
-    enum {RLIssuerSN=0, RLSubjKeyID=1} kind;	/* for conversion recipientinfos -> recipientlist */
-    union {
-	CERTIssuerAndSN *	issuerAndSN;
-	SECItem *		subjectKeyID;
-    } id;
-
-    /* result data (filled out for each recipient that's us) */
-    CERTCertificate *		cert;
-    SECKEYPrivateKey *		privkey;
-    PK11SlotInfo *		slot;
-};
-
-typedef struct NSSCMSRecipientStr NSSCMSRecipient;
-
-#endif /* _CMSRECLIST_H */
diff --git a/security/nss/lib/smime/cmssigdata.c b/security/nss/lib/smime/cmssigdata.c
deleted file mode 100644
index 0ba771d65..000000000
--- a/security/nss/lib/smime/cmssigdata.c
+++ /dev/null
@@ -1,1146 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * CMS signedData methods.
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "cert.h"
-/*#include "cdbhdl.h"*/
-#include "secasn1.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "secerr.h"
-
-NSSCMSSignedData *
-NSS_CMSSignedData_Create(NSSCMSMessage *cmsg)
-{
-    void *mark;
-    NSSCMSSignedData *sigd;
-    PLArenaPool *poolp;
-
-    if (!cmsg) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return NULL;
-    }
-
-    poolp = cmsg->poolp;
-
-    mark = PORT_ArenaMark(poolp);
-
-    sigd = (NSSCMSSignedData *)PORT_ArenaZAlloc (poolp, sizeof(NSSCMSSignedData));
-    if (sigd == NULL)
-	goto loser;
-
-    sigd->cmsg = cmsg;
-
-    /* signerInfos, certs, certlists, crls are all empty */
-    /* version is set in NSS_CMSSignedData_Finalize() */
-
-    PORT_ArenaUnmark(poolp, mark);
-    return sigd;
-
-loser:
-    PORT_ArenaRelease(poolp, mark);
-    return NULL;
-}
-
-void
-NSS_CMSSignedData_Destroy(NSSCMSSignedData *sigd)
-{
-    CERTCertificate **certs, **tempCerts, *cert;
-    CERTCertificateList **certlists, *certlist;
-    NSSCMSSignerInfo **signerinfos, *si;
-
-    if (sigd == NULL)
-	return;
-
-    certs = sigd->certs;
-    tempCerts = sigd->tempCerts;
-    certlists = sigd->certLists;
-    signerinfos = sigd->signerInfos;
-
-    if (certs != NULL) {
-	while ((cert = *certs++) != NULL)
-	    CERT_DestroyCertificate (cert);
-    }
-
-    if (tempCerts != NULL) {
-	while ((cert = *tempCerts++) != NULL)
-	    CERT_DestroyCertificate (cert);
-    }
-
-    if (certlists != NULL) {
-	while ((certlist = *certlists++) != NULL)
-	    CERT_DestroyCertificateList (certlist);
-    }
-
-    if (signerinfos != NULL) {
-	while ((si = *signerinfos++) != NULL)
-	    NSS_CMSSignerInfo_Destroy(si);
-    }
-
-    /* everything's in a pool, so don't worry about the storage */
-   NSS_CMSContentInfo_Destroy(&(sigd->contentInfo));
-
-}
-
-/*
- * NSS_CMSSignedData_Encode_BeforeStart - do all the necessary things to a SignedData
- *     before start of encoding.
- *
- * In detail:
- *  - find out about the right value to put into sigd->version
- *  - come up with a list of digestAlgorithms (which should be the union of the algorithms
- *         in the signerinfos).
- *         If we happen to have a pre-set list of algorithms (and digest values!), we
- *         check if we have all the signerinfos' algorithms. If not, this is an error.
- */
-SECStatus
-NSS_CMSSignedData_Encode_BeforeStart(NSSCMSSignedData *sigd)
-{
-    NSSCMSSignerInfo *signerinfo;
-    SECOidTag digestalgtag;
-    SECItem *dummy;
-    int version;
-    SECStatus rv;
-    PRBool haveDigests = PR_FALSE;
-    int n, i;
-    PLArenaPool *poolp;
-
-    if (!sigd) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    poolp = sigd->cmsg->poolp;
-
-    /* we assume that we have precomputed digests if there is a list of algorithms, and */
-    /* a chunk of data for each of those algorithms */
-    if (sigd->digestAlgorithms != NULL && sigd->digests != NULL) {
-	for (i=0; sigd->digestAlgorithms[i] != NULL; i++) {
-	    if (sigd->digests[i] == NULL)
-		break;
-	}
-	if (sigd->digestAlgorithms[i] == NULL)	/* reached the end of the array? */
-	    haveDigests = PR_TRUE;		/* yes: we must have all the digests */
-    }
-	    
-    version = NSS_CMS_SIGNED_DATA_VERSION_BASIC;
-
-    /* RFC2630 5.1 "version is the syntax version number..." */
-    if (NSS_CMSContentInfo_GetContentTypeTag(&(sigd->contentInfo)) != SEC_OID_PKCS7_DATA)
-	version = NSS_CMS_SIGNED_DATA_VERSION_EXT;
-
-    /* prepare all the SignerInfos (there may be none) */
-    for (i=0; i < NSS_CMSSignedData_SignerInfoCount(sigd); i++) {
-	signerinfo = NSS_CMSSignedData_GetSignerInfo(sigd, i);
-
-	/* RFC2630 5.1 "version is the syntax version number..." */
-	if (NSS_CMSSignerInfo_GetVersion(signerinfo) != NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN)
-	    version = NSS_CMS_SIGNED_DATA_VERSION_EXT;
-	
-	/* collect digestAlgorithms from SignerInfos */
-	/* (we need to know which algorithms we have when the content comes in) */
-	/* do not overwrite any existing digestAlgorithms (and digest) */
-	digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo);
-	n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag);
-	if (n < 0 && haveDigests) {
-	    /* oops, there is a digestalg we do not have a digest for */
-	    /* but we were supposed to have all the digests already... */
-	    goto loser;
-	} else if (n < 0) {
-	    /* add the digestAlgorithm & a NULL digest */
-	    rv = NSS_CMSSignedData_AddDigest(poolp, sigd, digestalgtag, NULL);
-	    if (rv != SECSuccess)
-		goto loser;
-	} else {
-	    /* found it, nothing to do */
-	}
-    }
-
-    dummy = SEC_ASN1EncodeInteger(poolp, &(sigd->version), (long)version);
-    if (dummy == NULL)
-	return SECFailure;
-
-    /* this is a SET OF, so we need to sort them guys */
-    rv = NSS_CMSArray_SortByDER((void **)sigd->digestAlgorithms, 
-                                SEC_ASN1_GET(SECOID_AlgorithmIDTemplate),
-				(void **)sigd->digests);
-    if (rv != SECSuccess)
-	return SECFailure;
-    
-    return SECSuccess;
-
-loser:
-    return SECFailure;
-}
-
-SECStatus
-NSS_CMSSignedData_Encode_BeforeData(NSSCMSSignedData *sigd)
-{
-    if (!sigd) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-    /* set up the digests */
-    if (sigd->digests && sigd->digests[0]) {
-	sigd->contentInfo.digcx = NULL; /* don't attempt to make new ones. */
-    } else if (sigd->digestAlgorithms != NULL) {
-	sigd->contentInfo.digcx = 
-	        NSS_CMSDigestContext_StartMultiple(sigd->digestAlgorithms);
-	if (sigd->contentInfo.digcx == NULL)
-	    return SECFailure;
-    }
-    return SECSuccess;
-}
-
-/*
- * NSS_CMSSignedData_Encode_AfterData - do all the necessary things to a SignedData
- *     after all the encapsulated data was passed through the encoder.
- *
- * In detail:
- *  - create the signatures in all the SignerInfos
- *
- * Please note that nothing is done to the Certificates and CRLs in the message - this
- * is entirely the responsibility of our callers.
- */
-SECStatus
-NSS_CMSSignedData_Encode_AfterData(NSSCMSSignedData *sigd)
-{
-    NSSCMSSignerInfo **signerinfos, *signerinfo;
-    NSSCMSContentInfo *cinfo;
-    SECOidTag digestalgtag;
-    SECStatus ret = SECFailure;
-    SECStatus rv;
-    SECItem *contentType;
-    int certcount;
-    int i, ci, cli, n, rci, si;
-    PLArenaPool *poolp;
-    CERTCertificateList *certlist;
-    extern const SEC_ASN1Template NSSCMSSignerInfoTemplate[];
-
-    if (!sigd) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    poolp = sigd->cmsg->poolp;
-    cinfo = &(sigd->contentInfo);
-
-    /* did we have digest calculation going on? */
-    if (cinfo->digcx) {
-	rv = NSS_CMSDigestContext_FinishMultiple(cinfo->digcx, poolp, 
-	                                         &(sigd->digests));
-	/* error has been set by NSS_CMSDigestContext_FinishMultiple */
-	cinfo->digcx = NULL;
-	if (rv != SECSuccess)
-	    goto loser;		
-    }
-
-    signerinfos = sigd->signerInfos;
-    certcount = 0;
-
-    /* prepare all the SignerInfos (there may be none) */
-    for (i=0; i < NSS_CMSSignedData_SignerInfoCount(sigd); i++) {
-	signerinfo = NSS_CMSSignedData_GetSignerInfo(sigd, i);
-
-	/* find correct digest for this signerinfo */
-	digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo);
-	n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag);
-	if (n < 0 || sigd->digests == NULL || sigd->digests[n] == NULL) {
-	    /* oops - digest not found */
-	    PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND);
-	    goto loser;
-	}
-
-	/* XXX if our content is anything else but data, we need to force the
-	 * presence of signed attributes (RFC2630 5.3 "signedAttributes is a
-	 * collection...") */
-
-	/* pass contentType here as we want a contentType attribute */
-	if ((contentType = NSS_CMSContentInfo_GetContentTypeOID(cinfo)) == NULL)
-	    goto loser;
-
-	/* sign the thing */
-	rv = NSS_CMSSignerInfo_Sign(signerinfo, sigd->digests[n], contentType);
-	if (rv != SECSuccess)
-	    goto loser;
-
-	/* while we're at it, count number of certs in certLists */
-	certlist = NSS_CMSSignerInfo_GetCertList(signerinfo);
-	if (certlist)
-	    certcount += certlist->len;
-    }
-
-    /* this is a SET OF, so we need to sort them guys */
-    rv = NSS_CMSArray_SortByDER((void **)signerinfos, NSSCMSSignerInfoTemplate, NULL);
-    if (rv != SECSuccess)
-	goto loser;
-
-    /*
-     * now prepare certs & crls
-     */
-
-    /* count the rest of the certs */
-    if (sigd->certs != NULL) {
-	for (ci = 0; sigd->certs[ci] != NULL; ci++)
-	    certcount++;
-    }
-
-    if (sigd->certLists != NULL) {
-	for (cli = 0; sigd->certLists[cli] != NULL; cli++)
-	    certcount += sigd->certLists[cli]->len;
-    }
-
-    if (certcount == 0) {
-	sigd->rawCerts = NULL;
-    } else {
-	/*
-	 * Combine all of the certs and cert chains into rawcerts.
-	 * Note: certcount is an upper bound; we may not need that many slots
-	 * but we will allocate anyway to avoid having to do another pass.
-	 * (The temporary space saving is not worth it.)
-	 *
-	 * XXX ARGH - this NEEDS to be fixed. need to come up with a decent
-	 *  SetOfDERcertficates implementation
-	 */
-	sigd->rawCerts = (SECItem **)PORT_ArenaAlloc(poolp, (certcount + 1) * sizeof(SECItem *));
-	if (sigd->rawCerts == NULL)
-	    return SECFailure;
-
-	/*
-	 * XXX Want to check for duplicates and not add *any* cert that is
-	 * already in the set.  This will be more important when we start
-	 * dealing with larger sets of certs, dual-key certs (signing and
-	 * encryption), etc.  For the time being we can slide by...
-	 *
-	 * XXX ARGH - this NEEDS to be fixed. need to come up with a decent
-	 *  SetOfDERcertficates implementation
-	 */
-	rci = 0;
-	if (signerinfos != NULL) {
-	    for (si = 0; signerinfos[si] != NULL; si++) {
-		signerinfo = signerinfos[si];
-		for (ci = 0; ci < signerinfo->certList->len; ci++)
-		    sigd->rawCerts[rci++] = &(signerinfo->certList->certs[ci]);
-	    }
-	}
-
-	if (sigd->certs != NULL) {
-	    for (ci = 0; sigd->certs[ci] != NULL; ci++)
-		sigd->rawCerts[rci++] = &(sigd->certs[ci]->derCert);
-	}
-
-	if (sigd->certLists != NULL) {
-	    for (cli = 0; sigd->certLists[cli] != NULL; cli++) {
-		for (ci = 0; ci < sigd->certLists[cli]->len; ci++)
-		    sigd->rawCerts[rci++] = &(sigd->certLists[cli]->certs[ci]);
-	    }
-	}
-
-	sigd->rawCerts[rci] = NULL;
-
-	/* this is a SET OF, so we need to sort them guys - we have the DER already, though */
-	NSS_CMSArray_Sort((void **)sigd->rawCerts, NSS_CMSUtil_DERCompare, NULL, NULL);
-    }
-
-    ret = SECSuccess;
-
-loser:
-    return ret;
-}
-
-SECStatus
-NSS_CMSSignedData_Decode_BeforeData(NSSCMSSignedData *sigd)
-{
-    if (!sigd) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-    /* set up the digests */
-    if (sigd->digestAlgorithms != NULL && sigd->digests == NULL) {
-	/* if digests are already there, do nothing */
-	sigd->contentInfo.digcx = NSS_CMSDigestContext_StartMultiple(sigd->digestAlgorithms);
-	if (sigd->contentInfo.digcx == NULL)
-	    return SECFailure;
-    }
-    return SECSuccess;
-}
-
-/*
- * NSS_CMSSignedData_Decode_AfterData - do all the necessary things to a 
- *   SignedData after all the encapsulated data was passed through the decoder.
- */
-SECStatus
-NSS_CMSSignedData_Decode_AfterData(NSSCMSSignedData *sigd)
-{
-    SECStatus rv = SECSuccess;
-
-    if (!sigd) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    /* did we have digest calculation going on? */
-    if (sigd->contentInfo.digcx) {
-	rv = NSS_CMSDigestContext_FinishMultiple(sigd->contentInfo.digcx, 
-				       sigd->cmsg->poolp, &(sigd->digests));
-	/* error set by NSS_CMSDigestContext_FinishMultiple */
-	sigd->contentInfo.digcx = NULL;
-    }
-    return rv;
-}
-
-/*
- * NSS_CMSSignedData_Decode_AfterEnd - do all the necessary things to a SignedData
- *     after all decoding is finished.
- */
-SECStatus
-NSS_CMSSignedData_Decode_AfterEnd(NSSCMSSignedData *sigd)
-{
-    NSSCMSSignerInfo **signerinfos = NULL;
-    int i;
-
-    if (!sigd) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    /* set cmsg for all the signerinfos */
-    signerinfos = sigd->signerInfos;
-
-    /* set cmsg for all the signerinfos */
-    if (signerinfos) {
-	for (i = 0; signerinfos[i] != NULL; i++)
-	    signerinfos[i]->cmsg = sigd->cmsg;
-    }
-
-    return SECSuccess;
-}
-
-/* 
- * NSS_CMSSignedData_GetSignerInfos - retrieve the SignedData's signer list
- */
-NSSCMSSignerInfo **
-NSS_CMSSignedData_GetSignerInfos(NSSCMSSignedData *sigd)
-{
-    if (!sigd) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return NULL;
-    }
-    return sigd->signerInfos;
-}
-
-int
-NSS_CMSSignedData_SignerInfoCount(NSSCMSSignedData *sigd)
-{
-    if (!sigd) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return 0;
-    }
-    return NSS_CMSArray_Count((void **)sigd->signerInfos);
-}
-
-NSSCMSSignerInfo *
-NSS_CMSSignedData_GetSignerInfo(NSSCMSSignedData *sigd, int i)
-{
-    if (!sigd) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return NULL;
-    }
-    return sigd->signerInfos[i];
-}
-
-/* 
- * NSS_CMSSignedData_GetDigestAlgs - retrieve the SignedData's digest algorithm list
- */
-SECAlgorithmID **
-NSS_CMSSignedData_GetDigestAlgs(NSSCMSSignedData *sigd)
-{
-    if (!sigd) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return NULL;
-    }
-    return sigd->digestAlgorithms;
-}
-
-/*
- * NSS_CMSSignedData_GetContentInfo - return pointer to this signedData's contentinfo
- */
-NSSCMSContentInfo *
-NSS_CMSSignedData_GetContentInfo(NSSCMSSignedData *sigd)
-{
-    if (!sigd) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return NULL;
-    }
-    return &(sigd->contentInfo);
-}
-
-/* 
- * NSS_CMSSignedData_GetCertificateList - retrieve the SignedData's certificate list
- */
-SECItem **
-NSS_CMSSignedData_GetCertificateList(NSSCMSSignedData *sigd)
-{
-    if (!sigd) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return NULL;
-    }
-    return sigd->rawCerts;
-}
-
-SECStatus
-NSS_CMSSignedData_ImportCerts(NSSCMSSignedData *sigd, CERTCertDBHandle *certdb,
-				SECCertUsage certusage, PRBool keepcerts)
-{
-    int certcount;
-    CERTCertificate **certArray = NULL;
-    CERTCertList *certList = NULL;
-    CERTCertListNode *node;
-    SECStatus rv;
-    SECItem **rawArray;
-    int i;
-    PRTime now;
-
-    if (!sigd) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    certcount = NSS_CMSArray_Count((void **)sigd->rawCerts);
-
-    /* get the certs in the temp DB */
-    rv = CERT_ImportCerts(certdb, certusage, certcount, sigd->rawCerts, 
-			 &certArray, PR_FALSE, PR_FALSE, NULL);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-
-    /* save the certs so they don't get destroyed */
-    for (i=0; i < certcount; i++) {
-	CERTCertificate *cert = certArray[i];
-	if (cert)
-            NSS_CMSSignedData_AddTempCertificate(sigd, cert);
-    }
-
-    if (!keepcerts) {
-	goto done;
-    }
-
-    /* build a CertList for filtering */
-    certList = CERT_NewCertList();
-    if (certList == NULL) {
-	rv = SECFailure;
-	goto loser;
-    }
-    for (i=0; i < certcount; i++) {
-	CERTCertificate *cert = certArray[i];
-	if (cert)
-	    cert = CERT_DupCertificate(cert);
-	if (cert)
-	    CERT_AddCertToListTail(certList,cert);
-    }
-
-    /* filter out the certs we don't want */
-    rv = CERT_FilterCertListByUsage(certList,certusage, PR_FALSE);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-
-    /* go down the remaining list of certs and verify that they have
-     * valid chains, then import them.
-     */
-    now = PR_Now();
-    for (node = CERT_LIST_HEAD(certList) ; !CERT_LIST_END(node,certList);
-						node= CERT_LIST_NEXT(node)) {
-	CERTCertificateList *certChain;
-
-	if (CERT_VerifyCert(certdb, node->cert, 
-		PR_TRUE, certusage, now, NULL, NULL) != SECSuccess) {
-	    continue;
-	}
-
-	certChain = CERT_CertChainFromCert(node->cert, certusage, PR_FALSE);
-	if (!certChain) {
-	    continue;
-	}
-
-	/*
-	 * CertChain returns an array of SECItems, import expects an array of
-	 * SECItem pointers. Create the SECItem Pointers from the array of
-	 * SECItems.
- 	 */
-	rawArray = (SECItem **)PORT_Alloc(certChain->len*sizeof (SECItem *));
-	if (!rawArray) {
-	    CERT_DestroyCertificateList(certChain);
-	    continue;
-	}
-	for (i=0; i < certChain->len; i++) {
-	    rawArray[i] = &certChain->certs[i];
-	}
-	(void )CERT_ImportCerts(certdb, certusage, certChain->len, 
-			rawArray,  NULL, keepcerts, PR_FALSE, NULL);
-	PORT_Free(rawArray);
-	CERT_DestroyCertificateList(certChain);
-    }
-
-    rv = SECSuccess;
-
-    /* XXX CRL handling */
-
-done:
-    if (sigd->signerInfos != NULL) {
-	/* fill in all signerinfo's certs */
-	for (i = 0; sigd->signerInfos[i] != NULL; i++)
-	    (void)NSS_CMSSignerInfo_GetSigningCertificate(
-						sigd->signerInfos[i], certdb);
-    }
-
-loser:
-    /* now free everything */
-    if (certArray) {
-	CERT_DestroyCertArray(certArray,certcount);
-    }
-    if (certList) {
-	CERT_DestroyCertList(certList);
-    }
-
-    return rv;
-}
-
-/*
- * XXX the digests need to be passed in BETWEEN the decoding and the verification in case
- *     of external signatures!
- */
-
-/*
- * NSS_CMSSignedData_VerifySignerInfo - check the signatures.
- *
- * The digests were either calculated during decoding (and are stored in the
- * signedData itself) or set after decoding using NSS_CMSSignedData_SetDigests.
- *
- * The verification checks if the signing cert is valid and has a trusted chain
- * for the purpose specified by "certusage".
- */
-SECStatus
-NSS_CMSSignedData_VerifySignerInfo(NSSCMSSignedData *sigd, int i, 
-			    CERTCertDBHandle *certdb, SECCertUsage certusage)
-{
-    NSSCMSSignerInfo *signerinfo;
-    NSSCMSContentInfo *cinfo;
-    SECOidData *algiddata;
-    SECItem *contentType, *digest;
-    SECOidTag oidTag;
-    SECStatus rv;
-
-    if (!sigd) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    cinfo = &(sigd->contentInfo);
-
-    signerinfo = sigd->signerInfos[i];
-
-    /* verify certificate */
-    rv = NSS_CMSSignerInfo_VerifyCertificate(signerinfo, certdb, certusage);
-    if (rv != SECSuccess)
-	return rv; /* error is set */
-
-    /* find digest and contentType for signerinfo */
-    algiddata = NSS_CMSSignerInfo_GetDigestAlg(signerinfo);
-    oidTag = algiddata ? algiddata->offset : SEC_OID_UNKNOWN;
-    digest = NSS_CMSSignedData_GetDigestValue(sigd, oidTag);
-    /* NULL digest is acceptable. */
-    contentType = NSS_CMSContentInfo_GetContentTypeOID(cinfo);
-    /* NULL contentType is acceptable. */
-
-    /* now verify signature */
-    rv = NSS_CMSSignerInfo_Verify(signerinfo, digest, contentType);
-    return rv;
-}
-
-/*
- * NSS_CMSSignedData_VerifyCertsOnly - verify the certs in a certs-only message
- */
-SECStatus
-NSS_CMSSignedData_VerifyCertsOnly(NSSCMSSignedData *sigd, 
-                                  CERTCertDBHandle *certdb, 
-                                  SECCertUsage usage)
-{
-    CERTCertificate *cert;
-    SECStatus rv = SECSuccess;
-    int i;
-    int count;
-    PRTime now;
-
-    if (!sigd || !certdb || !sigd->rawCerts) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    count = NSS_CMSArray_Count((void**)sigd->rawCerts);
-    now = PR_Now();
-    for (i=0; i < count; i++) {
-	if (sigd->certs && sigd->certs[i]) {
-	    cert = CERT_DupCertificate(sigd->certs[i]);
-	} else {
-	    cert = CERT_FindCertByDERCert(certdb, sigd->rawCerts[i]);
-	    if (!cert) {
-		rv = SECFailure;
-		break;
-	    }
-	}
-	rv |= CERT_VerifyCert(certdb, cert, PR_TRUE, usage, now, 
-                              NULL, NULL);
-	CERT_DestroyCertificate(cert);
-    }
-
-    return rv;
-}
-
-/*
- * NSS_CMSSignedData_HasDigests - see if we have digests in place
- */
-PRBool
-NSS_CMSSignedData_HasDigests(NSSCMSSignedData *sigd)
-{
-    if (!sigd) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return PR_FALSE;
-    }
-    return (sigd->digests != NULL);
-}
-
-SECStatus
-NSS_CMSSignedData_AddCertList(NSSCMSSignedData *sigd, CERTCertificateList *certlist)
-{
-    SECStatus rv;
-
-    if (!sigd || !certlist) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    /* XXX memory?? a certlist has an arena of its own and is not refcounted!?!? */
-    rv = NSS_CMSArray_Add(sigd->cmsg->poolp, (void ***)&(sigd->certLists), (void *)certlist);
-
-    return rv;
-}
-
-/*
- * NSS_CMSSignedData_AddCertChain - add cert and its entire chain to the set of certs 
- */
-SECStatus
-NSS_CMSSignedData_AddCertChain(NSSCMSSignedData *sigd, CERTCertificate *cert)
-{
-    CERTCertificateList *certlist;
-    SECCertUsage usage;
-    SECStatus rv;
-
-    usage = certUsageEmailSigner;
-
-    if (!sigd || !cert) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    /* do not include root */
-    certlist = CERT_CertChainFromCert(cert, usage, PR_FALSE);
-    if (certlist == NULL)
-	return SECFailure;
-
-    rv = NSS_CMSSignedData_AddCertList(sigd, certlist);
-
-    return rv;
-}
-
-extern SECStatus
-NSS_CMSSignedData_AddTempCertificate(NSSCMSSignedData *sigd, CERTCertificate *cert)
-{
-    CERTCertificate *c;
-    SECStatus rv;
-
-    if (!sigd || !cert) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    c = CERT_DupCertificate(cert);
-    rv = NSS_CMSArray_Add(sigd->cmsg->poolp, (void ***)&(sigd->tempCerts), (void *)c);
-    return rv;
-}
-
-SECStatus
-NSS_CMSSignedData_AddCertificate(NSSCMSSignedData *sigd, CERTCertificate *cert)
-{
-    CERTCertificate *c;
-    SECStatus rv;
-
-    if (!sigd || !cert) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    c = CERT_DupCertificate(cert);
-    rv = NSS_CMSArray_Add(sigd->cmsg->poolp, (void ***)&(sigd->certs), (void *)c);
-    return rv;
-}
-
-PRBool
-NSS_CMSSignedData_ContainsCertsOrCrls(NSSCMSSignedData *sigd)
-{
-    if (!sigd) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return PR_FALSE;
-    }
-    if (sigd->rawCerts != NULL && sigd->rawCerts[0] != NULL)
-	return PR_TRUE;
-    else if (sigd->crls != NULL && sigd->crls[0] != NULL)
-	return PR_TRUE;
-    else
-	return PR_FALSE;
-}
-
-SECStatus
-NSS_CMSSignedData_AddSignerInfo(NSSCMSSignedData *sigd,
-				NSSCMSSignerInfo *signerinfo)
-{
-    void *mark;
-    SECStatus rv;
-    SECOidTag digestalgtag;
-    PLArenaPool *poolp;
-
-    if (!sigd || !signerinfo) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    poolp = sigd->cmsg->poolp;
-
-    mark = PORT_ArenaMark(poolp);
-
-    /* add signerinfo */
-    rv = NSS_CMSArray_Add(poolp, (void ***)&(sigd->signerInfos), (void *)signerinfo);
-    if (rv != SECSuccess)
-	goto loser;
-
-    /*
-     * add empty digest
-     * Empty because we don't have it yet. Either it gets created during encoding
-     * (if the data is present) or has to be set externally.
-     * XXX maybe pass it in optionally?
-     */
-    digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo);
-    rv = NSS_CMSSignedData_SetDigestValue(sigd, digestalgtag, NULL);
-    if (rv != SECSuccess)
-	goto loser;
-
-    /*
-     * The last thing to get consistency would be adding the digest.
-     */
-
-    PORT_ArenaUnmark(poolp, mark);
-    return SECSuccess;
-
-loser:
-    PORT_ArenaRelease (poolp, mark);
-    return SECFailure;
-}
-
-/*
- * NSS_CMSSignedData_SetDigests - set a signedData's digests member
- *
- * "digestalgs" - array of digest algorithm IDs
- * "digests"    - array of digests corresponding to the digest algorithms
- */
-SECStatus
-NSS_CMSSignedData_SetDigests(NSSCMSSignedData *sigd,
-				SECAlgorithmID **digestalgs,
-				SECItem **digests)
-{
-    int cnt, i, idx;
-
-    if (!sigd || !digestalgs || !digests) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    if (sigd->digestAlgorithms == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    /* we assume that the digests array is just not there yet */
-    PORT_Assert(sigd->digests == NULL);
-    if (sigd->digests != NULL) {
-	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	return SECFailure;
-    }
-
-    /* now allocate one (same size as digestAlgorithms) */
-    cnt = NSS_CMSArray_Count((void **)sigd->digestAlgorithms);
-    sigd->digests = PORT_ArenaZAlloc(sigd->cmsg->poolp, (cnt + 1) * sizeof(SECItem *));
-    if (sigd->digests == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return SECFailure;
-    }
-
-    for (i = 0; sigd->digestAlgorithms[i] != NULL; i++) {
-	/* try to find the sigd's i'th digest algorithm in the array we passed in */
-	idx = NSS_CMSAlgArray_GetIndexByAlgID(digestalgs, sigd->digestAlgorithms[i]);
-	if (idx < 0) {
-	    PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND);
-	    return SECFailure;
-	}
-	if (!digests[idx]) {
-	    /* We have no digest for this algorithm, probably because it is 
-	    ** unrecognized or unsupported.  We'll ignore this here.  If this 
-	    ** digest is needed later, an error will be be generated then.
-	    */
-	    continue;
-	}
-
-	/* found it - now set it */
-	if ((sigd->digests[i] = SECITEM_AllocItem(sigd->cmsg->poolp, NULL, 0)) == NULL ||
-	    SECITEM_CopyItem(sigd->cmsg->poolp, sigd->digests[i], digests[idx]) != SECSuccess)
-	{
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    return SECFailure;
-	}
-    }
-    return SECSuccess;
-}
-
-SECStatus
-NSS_CMSSignedData_SetDigestValue(NSSCMSSignedData *sigd,
-				SECOidTag digestalgtag,
-				SECItem *digestdata)
-{
-    SECItem *digest = NULL;
-    PLArenaPool *poolp;
-    void *mark;
-    int n, cnt;
-
-    if (!sigd) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    poolp = sigd->cmsg->poolp;
-
-    mark = PORT_ArenaMark(poolp);
-
-   
-    if (digestdata) {
-        digest = (SECItem *) PORT_ArenaZAlloc(poolp,sizeof(SECItem));
-
-	/* copy digestdata item to arena (in case we have it and are not only making room) */
-	if (SECITEM_CopyItem(poolp, digest, digestdata) != SECSuccess)
-	    goto loser;
-    }
-
-    /* now allocate one (same size as digestAlgorithms) */
-    if (sigd->digests == NULL) {
-        cnt = NSS_CMSArray_Count((void **)sigd->digestAlgorithms);
-        sigd->digests = PORT_ArenaZAlloc(sigd->cmsg->poolp, (cnt + 1) * sizeof(SECItem *));
-        if (sigd->digests == NULL) {
-	        PORT_SetError(SEC_ERROR_NO_MEMORY);
-	        return SECFailure;
-        }
-    }
-
-    n = -1;
-    if (sigd->digestAlgorithms != NULL)
-	n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag);
-
-    /* if not found, add a digest */
-    if (n < 0) {
-	if (NSS_CMSSignedData_AddDigest(poolp, sigd, digestalgtag, digest) != SECSuccess)
-	    goto loser;
-    } else {
-	/* replace NULL pointer with digest item (and leak previous value) */
-	sigd->digests[n] = digest;
-    }
-
-    PORT_ArenaUnmark(poolp, mark);
-    return SECSuccess;
-
-loser:
-    PORT_ArenaRelease(poolp, mark);
-    return SECFailure;
-}
-
-SECStatus
-NSS_CMSSignedData_AddDigest(PRArenaPool *poolp,
-				NSSCMSSignedData *sigd,
-				SECOidTag digestalgtag,
-				SECItem *digest)
-{
-    SECAlgorithmID *digestalg;
-    void *mark;
-
-    if (!sigd || !poolp) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    mark = PORT_ArenaMark(poolp);
-
-    digestalg = PORT_ArenaZAlloc(poolp, sizeof(SECAlgorithmID));
-    if (digestalg == NULL)
-	goto loser;
-
-    if (SECOID_SetAlgorithmID (poolp, digestalg, digestalgtag, NULL) != SECSuccess) /* no params */
-	goto loser;
-
-    if (NSS_CMSArray_Add(poolp, (void ***)&(sigd->digestAlgorithms), (void *)digestalg) != SECSuccess ||
-	/* even if digest is NULL, add dummy to have same-size array */
-	NSS_CMSArray_Add(poolp, (void ***)&(sigd->digests), (void *)digest) != SECSuccess)
-    {
-	goto loser;
-    }
-
-    PORT_ArenaUnmark(poolp, mark);
-    return SECSuccess;
-
-loser:
-    PORT_ArenaRelease(poolp, mark);
-    return SECFailure;
-}
-
-/* XXX This function doesn't set the error code on failure. */
-SECItem *
-NSS_CMSSignedData_GetDigestValue(NSSCMSSignedData *sigd, SECOidTag digestalgtag)
-{
-    int n;
-
-    if (!sigd) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return NULL;
-    }
-
-    if (sigd->digestAlgorithms == NULL || sigd->digests == NULL) {
-        PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND);
-	return NULL;
-    }
-
-    n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag);
-
-    return (n < 0) ? NULL : sigd->digests[n];
-}
-
-/* =============================================================================
- * Misc. utility functions
- */
-
-/*
- * NSS_CMSSignedData_CreateCertsOnly - create a certs-only SignedData.
- *
- * cert          - base certificates that will be included
- * include_chain - if true, include the complete cert chain for cert
- *
- * More certs and chains can be added via AddCertificate and AddCertChain.
- *
- * An error results in a return value of NULL and an error set.
- *
- * XXXX CRLs
- */
-NSSCMSSignedData *
-NSS_CMSSignedData_CreateCertsOnly(NSSCMSMessage *cmsg, CERTCertificate *cert, PRBool include_chain)
-{
-    NSSCMSSignedData *sigd;
-    void *mark;
-    PLArenaPool *poolp;
-    SECStatus rv;
-
-    if (!cmsg || !cert) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return NULL;
-    }
-
-    poolp = cmsg->poolp;
-    mark = PORT_ArenaMark(poolp);
-
-    sigd = NSS_CMSSignedData_Create(cmsg);
-    if (sigd == NULL)
-	goto loser;
-
-    /* no signerinfos, thus no digestAlgorithms */
-
-    /* but certs */
-    if (include_chain) {
-	rv = NSS_CMSSignedData_AddCertChain(sigd, cert);
-    } else {
-	rv = NSS_CMSSignedData_AddCertificate(sigd, cert);
-    }
-    if (rv != SECSuccess)
-	goto loser;
-
-    /* RFC2630 5.2 sez:
-     * In the degenerate case where there are no signers, the
-     * EncapsulatedContentInfo value being "signed" is irrelevant.  In this
-     * case, the content type within the EncapsulatedContentInfo value being
-     * "signed" should be id-data (as defined in section 4), and the content
-     * field of the EncapsulatedContentInfo value should be omitted.
-     */
-    rv = NSS_CMSContentInfo_SetContent_Data(cmsg, &(sigd->contentInfo), NULL, PR_TRUE);
-    if (rv != SECSuccess)
-	goto loser;
-
-    PORT_ArenaUnmark(poolp, mark);
-    return sigd;
-
-loser:
-    if (sigd)
-	NSS_CMSSignedData_Destroy(sigd);
-    PORT_ArenaRelease(poolp, mark);
-    return NULL;
-}
-
-/* TODO:
- * NSS_CMSSignerInfo_GetReceiptRequest()
- * NSS_CMSSignedData_HasReceiptRequest()
- * easy way to iterate over signers
- */
-
diff --git a/security/nss/lib/smime/cmssiginfo.c b/security/nss/lib/smime/cmssiginfo.c
deleted file mode 100644
index 675040b66..000000000
--- a/security/nss/lib/smime/cmssiginfo.c
+++ /dev/null
@@ -1,1037 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * CMS signerInfo methods.
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-
-#include "cert.h"
-#include "key.h"
-#include "secasn1.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "prtime.h"
-#include "secerr.h"
-#include "secder.h"
-#include "cryptohi.h"
-
-#include "smime.h"
-
-/* =============================================================================
- * SIGNERINFO
- */
-NSSCMSSignerInfo *
-nss_cmssignerinfo_create(NSSCMSMessage *cmsg, NSSCMSSignerIDSelector type, 
-	CERTCertificate *cert, SECItem *subjKeyID, SECKEYPublicKey *pubKey, 
-	SECKEYPrivateKey *signingKey, SECOidTag digestalgtag);
-
-NSSCMSSignerInfo *
-NSS_CMSSignerInfo_CreateWithSubjKeyID(NSSCMSMessage *cmsg, SECItem *subjKeyID, 
-	SECKEYPublicKey *pubKey, SECKEYPrivateKey *signingKey, SECOidTag digestalgtag)
-{
-    return nss_cmssignerinfo_create(cmsg, NSSCMSSignerID_SubjectKeyID, NULL, subjKeyID, pubKey, signingKey, digestalgtag); 
-}
-
-NSSCMSSignerInfo *
-NSS_CMSSignerInfo_Create(NSSCMSMessage *cmsg, CERTCertificate *cert, SECOidTag digestalgtag)
-{
-    return nss_cmssignerinfo_create(cmsg, NSSCMSSignerID_IssuerSN, cert, NULL, NULL, NULL, digestalgtag); 
-}
-
-NSSCMSSignerInfo *
-nss_cmssignerinfo_create(NSSCMSMessage *cmsg, NSSCMSSignerIDSelector type, 
-	CERTCertificate *cert, SECItem *subjKeyID, SECKEYPublicKey *pubKey, 
-	SECKEYPrivateKey *signingKey, SECOidTag digestalgtag)
-{
-    void *mark;
-    NSSCMSSignerInfo *signerinfo;
-    int version;
-    PLArenaPool *poolp;
-
-    poolp = cmsg->poolp;
-
-    mark = PORT_ArenaMark(poolp);
-
-    signerinfo = (NSSCMSSignerInfo *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSSignerInfo));
-    if (signerinfo == NULL) {
-	PORT_ArenaRelease(poolp, mark);
-	return NULL;
-    }
-
-
-    signerinfo->cmsg = cmsg;
-
-    switch(type) {
-    case NSSCMSSignerID_IssuerSN:
-        signerinfo->signerIdentifier.identifierType = NSSCMSSignerID_IssuerSN;
-        if ((signerinfo->cert = CERT_DupCertificate(cert)) == NULL)
-	    goto loser;
-        if ((signerinfo->signerIdentifier.id.issuerAndSN = CERT_GetCertIssuerAndSN(poolp, cert)) == NULL)
-	    goto loser;
-        break;
-    case NSSCMSSignerID_SubjectKeyID:
-        signerinfo->signerIdentifier.identifierType = NSSCMSSignerID_SubjectKeyID;
-        PORT_Assert(subjKeyID);
-        if (!subjKeyID)
-            goto loser;
-
-        signerinfo->signerIdentifier.id.subjectKeyID = PORT_ArenaNew(poolp, SECItem);
-        SECITEM_CopyItem(poolp, signerinfo->signerIdentifier.id.subjectKeyID,
-                         subjKeyID);
-        signerinfo->signingKey = SECKEY_CopyPrivateKey(signingKey);
-        if (!signerinfo->signingKey)
-            goto loser;
-        signerinfo->pubKey = SECKEY_CopyPublicKey(pubKey);
-        if (!signerinfo->pubKey)
-            goto loser;
-        break;
-    default:
-        goto loser;
-    }
-
-    /* set version right now */
-    version = NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN;
-    /* RFC2630 5.3 "version is the syntax version number. If the .... " */
-    if (signerinfo->signerIdentifier.identifierType == NSSCMSSignerID_SubjectKeyID)
-	version = NSS_CMS_SIGNER_INFO_VERSION_SUBJKEY;
-    (void)SEC_ASN1EncodeInteger(poolp, &(signerinfo->version), (long)version);
-
-    if (SECOID_SetAlgorithmID(poolp, &signerinfo->digestAlg, digestalgtag, NULL) != SECSuccess)
-	goto loser;
-
-    PORT_ArenaUnmark(poolp, mark);
-    return signerinfo;
-
-loser:
-    PORT_ArenaRelease(poolp, mark);
-    return NULL;
-}
-
-/*
- * NSS_CMSSignerInfo_Destroy - destroy a SignerInfo data structure
- */
-void
-NSS_CMSSignerInfo_Destroy(NSSCMSSignerInfo *si)
-{
-    if (si->cert != NULL)
-	CERT_DestroyCertificate(si->cert);
-
-    if (si->certList != NULL) 
-	CERT_DestroyCertificateList(si->certList);
-
-    /* XXX storage ??? */
-}
-
-/*
- * NSS_CMSSignerInfo_Sign - sign something
- *
- */
-SECStatus
-NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *contentType)
-{
-    CERTCertificate *cert;
-    SECKEYPrivateKey *privkey = NULL;
-    SECOidTag digestalgtag;
-    SECOidTag pubkAlgTag;
-    SECItem signature = { 0 };
-    SECStatus rv;
-    PLArenaPool *poolp, *tmppoolp;
-    SECAlgorithmID *algID, freeAlgID;
-    CERTSubjectPublicKeyInfo *spki;
-
-    PORT_Assert (digest != NULL);
-
-    poolp = signerinfo->cmsg->poolp;
-
-    switch (signerinfo->signerIdentifier.identifierType) {
-    case NSSCMSSignerID_IssuerSN:
-        cert = signerinfo->cert;
-
-        if ((privkey = PK11_FindKeyByAnyCert(cert, signerinfo->cmsg->pwfn_arg)) == NULL)
-	    goto loser;
-        algID = &cert->subjectPublicKeyInfo.algorithm;
-        break;
-    case NSSCMSSignerID_SubjectKeyID:
-        privkey = signerinfo->signingKey;
-        signerinfo->signingKey = NULL;
-        spki = SECKEY_CreateSubjectPublicKeyInfo(signerinfo->pubKey);
-        SECKEY_DestroyPublicKey(signerinfo->pubKey);
-        signerinfo->pubKey = NULL;
-        SECOID_CopyAlgorithmID(NULL, &freeAlgID, &spki->algorithm);
-        SECKEY_DestroySubjectPublicKeyInfo(spki); 
-        algID = &freeAlgID;
-        break;
-    default:
-        goto loser;
-    }
-    digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo);
-    /*
-     * XXX I think there should be a cert-level interface for this,
-     * so that I do not have to know about subjectPublicKeyInfo...
-     */
-    pubkAlgTag = SECOID_GetAlgorithmTag(algID);
-    if (signerinfo->signerIdentifier.identifierType == NSSCMSSignerID_SubjectKeyID) {
-      SECOID_DestroyAlgorithmID(&freeAlgID, PR_FALSE);
-    }
-
-    /* Fortezza MISSI have weird signature formats.  
-     * Map them to standard DSA formats 
-     */
-    pubkAlgTag = PK11_FortezzaMapSig(pubkAlgTag);
-
-    if (signerinfo->authAttr != NULL) {
-	SECOidTag signAlgTag;
-	SECItem encoded_attrs;
-
-	/* find and fill in the message digest attribute. */
-	rv = NSS_CMSAttributeArray_SetAttr(poolp, &(signerinfo->authAttr), 
-	                       SEC_OID_PKCS9_MESSAGE_DIGEST, digest, PR_FALSE);
-	if (rv != SECSuccess)
-	    goto loser;
-
-	if (contentType != NULL) {
-	    /* if the caller wants us to, find and fill in the content type attribute. */
-	    rv = NSS_CMSAttributeArray_SetAttr(poolp, &(signerinfo->authAttr), 
-	                    SEC_OID_PKCS9_CONTENT_TYPE, contentType, PR_FALSE);
-	    if (rv != SECSuccess)
-		goto loser;
-	}
-
-	if ((tmppoolp = PORT_NewArena (1024)) == NULL) {
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    goto loser;
-	}
-
-	/*
-	 * Before encoding, reorder the attributes so that when they
-	 * are encoded, they will be conforming DER, which is required
-	 * to have a specific order and that is what must be used for
-	 * the hash/signature.  We do this here, rather than building
-	 * it into EncodeAttributes, because we do not want to do
-	 * such reordering on incoming messages (which also uses
-	 * EncodeAttributes) or our old signatures (and other "broken"
-	 * implementations) will not verify.  So, we want to guarantee
-	 * that we send out good DER encodings of attributes, but not
-	 * to expect to receive them.
-	 */
-	if (NSS_CMSAttributeArray_Reorder(signerinfo->authAttr) != SECSuccess)
-	    goto loser;
-
-	encoded_attrs.data = NULL;
-	encoded_attrs.len = 0;
-	if (NSS_CMSAttributeArray_Encode(tmppoolp, &(signerinfo->authAttr), 
-	                &encoded_attrs) == NULL)
-	    goto loser;
-
-	signAlgTag = NSS_CMSUtil_MakeSignatureAlgorithm(digestalgtag, pubkAlgTag);
-	rv = SEC_SignData(&signature, encoded_attrs.data, encoded_attrs.len, 
-	                  privkey, signAlgTag);
-	PORT_FreeArena(tmppoolp, PR_FALSE); /* awkward memory management :-( */
-    } else {
-	rv = SGN_Digest(privkey, digestalgtag, &signature, digest);
-    }
-    SECKEY_DestroyPrivateKey(privkey);
-    privkey = NULL;
-
-    if (rv != SECSuccess)
-	goto loser;
-
-    if (SECITEM_CopyItem(poolp, &(signerinfo->encDigest), &signature) 
-          != SECSuccess)
-	goto loser;
-
-    SECITEM_FreeItem(&signature, PR_FALSE);
-
-    if (SECOID_SetAlgorithmID(poolp, &(signerinfo->digestEncAlg), pubkAlgTag, 
-                              NULL) != SECSuccess)
-	goto loser;
-
-    return SECSuccess;
-
-loser:
-    if (signature.len != 0)
-	SECITEM_FreeItem (&signature, PR_FALSE);
-    if (privkey)
-	SECKEY_DestroyPrivateKey(privkey);
-    return SECFailure;
-}
-
-SECStatus
-NSS_CMSSignerInfo_VerifyCertificate(NSSCMSSignerInfo *signerinfo, CERTCertDBHandle *certdb,
-			    SECCertUsage certusage)
-{
-    CERTCertificate *cert;
-    int64 stime;
-
-    if ((cert = NSS_CMSSignerInfo_GetSigningCertificate(signerinfo, certdb)) == NULL) {
-	signerinfo->verificationStatus = NSSCMSVS_SigningCertNotFound;
-	return SECFailure;
-    }
-
-    /*
-     * Get and convert the signing time; if available, it will be used
-     * both on the cert verification and for importing the sender
-     * email profile.
-     */
-    if (NSS_CMSSignerInfo_GetSigningTime (signerinfo, &stime) != SECSuccess)
-	stime = PR_Now(); /* not found or conversion failed, so check against now */
-    
-    /*
-     * XXX  This uses the signing time, if available.  Additionally, we
-     * might want to, if there is no signing time, get the message time
-     * from the mail header itself, and use that.  That would require
-     * a change to our interface though, and for S/MIME callers to pass
-     * in a time (and for non-S/MIME callers to pass in nothing, or
-     * maybe make them pass in the current time, always?).
-     */
-    if (CERT_VerifyCert(certdb, cert, PR_TRUE, certusage, stime, 
-                        signerinfo->cmsg->pwfn_arg, NULL) != SECSuccess) {
-	signerinfo->verificationStatus = NSSCMSVS_SigningCertNotTrusted;
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-/*
- * NSS_CMSSignerInfo_Verify - verify the signature of a single SignerInfo
- *
- * Just verifies the signature. The assumption is that verification of 
- * the certificate is done already.
- */
-SECStatus
-NSS_CMSSignerInfo_Verify(NSSCMSSignerInfo *signerinfo, 
-                         SECItem *digest,               /* may be NULL */
-                         SECItem *contentType)          /* may be NULL */
-{
-    SECKEYPublicKey *publickey = NULL;
-    NSSCMSAttribute *attr;
-    SECItem encoded_attrs;
-    CERTCertificate *cert;
-    NSSCMSVerificationStatus vs = NSSCMSVS_Unverified;
-    PLArenaPool *poolp;
-    SECOidTag    digestalgtag;
-    SECOidTag    pubkAlgTag;
-    SECOidTag    signAlgTag;
-
-    if (signerinfo == NULL)
-	return SECFailure;
-
-    /* NSS_CMSSignerInfo_GetSigningCertificate will fail if 2nd parm is NULL 
-    ** and cert has not been verified 
-    */
-    cert = NSS_CMSSignerInfo_GetSigningCertificate(signerinfo, NULL);
-    if (cert == NULL) {
-	vs = NSSCMSVS_SigningCertNotFound;
-	goto loser;
-    }
-
-    if ((publickey = CERT_ExtractPublicKey(cert)) == NULL) {
-	vs = NSSCMSVS_ProcessingError;
-	goto loser;
-    }
-
-    digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo);
-
-    /*
-     * XXX This may not be the right set of algorithms to check.
-     * I'd prefer to trust that just calling VFY_Verify{Data,Digest}
-     * would do the right thing (and set an error if it could not);
-     * then additional algorithms could be handled by that code
-     * and we would Just Work.  So this check should just be removed,
-     * but not until the VFY code is better at setting errors.
-     */
-    pubkAlgTag = SECOID_GetAlgorithmTag(&(signerinfo->digestEncAlg));
-    switch (pubkAlgTag) {
-    case SEC_OID_PKCS1_RSA_ENCRYPTION:
-    case SEC_OID_ANSIX9_DSA_SIGNATURE:
-    case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST:
-    case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
-    case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
-    case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
-	/* ok */
-	break;
-    case SEC_OID_UNKNOWN:
-	vs = NSSCMSVS_SignatureAlgorithmUnknown;
-	goto loser;
-    default:
-	vs = NSSCMSVS_SignatureAlgorithmUnsupported;
-	goto loser;
-    }
-
-    signAlgTag = NSS_CMSUtil_MakeSignatureAlgorithm(digestalgtag, pubkAlgTag);
-
-    if (!NSS_CMSArray_IsEmpty((void **)signerinfo->authAttr)) {
-	if (contentType) {
-	    /*
-	     * Check content type
-	     *
-	     * RFC2630 sez that if there are any authenticated attributes,
-	     * then there must be one for content type which matches the
-	     * content type of the content being signed, and there must
-	     * be one for message digest which matches our message digest.
-	     * So check these things first.
-	     */
-	    attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr,
-					SEC_OID_PKCS9_CONTENT_TYPE, PR_TRUE);
-	    if (attr == NULL) {
-		vs = NSSCMSVS_MalformedSignature;
-		goto loser;
-	    }
-		
-	    if (NSS_CMSAttribute_CompareValue(attr, contentType) == PR_FALSE) {
-		vs = NSSCMSVS_MalformedSignature;
-		goto loser;
-	    }
-	}
-
-	/*
-	 * Check digest
-	 */
-	attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr, 
-	                              SEC_OID_PKCS9_MESSAGE_DIGEST, PR_TRUE);
-	if (attr == NULL) {
-	    vs = NSSCMSVS_MalformedSignature;
-	    goto loser;
-	}
-	if (!digest || 
-	    NSS_CMSAttribute_CompareValue(attr, digest) == PR_FALSE) {
-	    vs = NSSCMSVS_DigestMismatch;
-	    goto loser;
-	}
-
-	if ((poolp = PORT_NewArena (1024)) == NULL) {
-	    vs = NSSCMSVS_ProcessingError;
-	    goto loser;
-	}
-
-	/*
-	 * Check signature
-	 *
-	 * The signature is based on a digest of the DER-encoded authenticated
-	 * attributes.  So, first we encode and then we digest/verify.
-	 * we trust the decoder to have the attributes in the right (sorted) 
-	 * order
-	 */
-	encoded_attrs.data = NULL;
-	encoded_attrs.len = 0;
-
-	if (NSS_CMSAttributeArray_Encode(poolp, &(signerinfo->authAttr), 
-	                                 &encoded_attrs) == NULL ||
-		encoded_attrs.data == NULL || encoded_attrs.len == 0) {
-	    vs = NSSCMSVS_ProcessingError;
-	    goto loser;
-	}
-
-	vs = (VFY_VerifyData (encoded_attrs.data, encoded_attrs.len,
-			publickey, &(signerinfo->encDigest), signAlgTag,
-			signerinfo->cmsg->pwfn_arg) != SECSuccess) 
-			? NSSCMSVS_BadSignature : NSSCMSVS_GoodSignature;
-
-	PORT_FreeArena(poolp, PR_FALSE);  /* awkward memory management :-( */
-
-    } else {
-	SECItem *sig;
-
-	/* No authenticated attributes. 
-	** The signature is based on the plain message digest. 
-	*/
-	sig = &(signerinfo->encDigest);
-	if (sig->len == 0)
-	    goto loser;
-
-	vs = (!digest || 
-	      VFY_VerifyDigest(digest, publickey, sig, signAlgTag,
-			signerinfo->cmsg->pwfn_arg) != SECSuccess) 
-			? NSSCMSVS_BadSignature : NSSCMSVS_GoodSignature;
-    }
-
-    if (vs == NSSCMSVS_BadSignature) {
-	/*
-	 * XXX Change the generic error into our specific one, because
-	 * in that case we get a better explanation out of the Security
-	 * Advisor.  This is really a bug in our error strings (the
-	 * "generic" error has a lousy/wrong message associated with it
-	 * which assumes the signature verification was done for the
-	 * purposes of checking the issuer signature on a certificate)
-	 * but this is at least an easy workaround and/or in the
-	 * Security Advisor, which specifically checks for the error
-	 * SEC_ERROR_PKCS7_BAD_SIGNATURE and gives more explanation
-	 * in that case but does not similarly check for
-	 * SEC_ERROR_BAD_SIGNATURE.  It probably should, but then would
-	 * probably say the wrong thing in the case that it *was* the
-	 * certificate signature check that failed during the cert
-	 * verification done above.  Our error handling is really a mess.
-	 */
-	if (PORT_GetError() == SEC_ERROR_BAD_SIGNATURE)
-	    PORT_SetError(SEC_ERROR_PKCS7_BAD_SIGNATURE);
-    }
-
-    if (publickey != NULL)
-	SECKEY_DestroyPublicKey (publickey);
-
-    signerinfo->verificationStatus = vs;
-
-    return (vs == NSSCMSVS_GoodSignature) ? SECSuccess : SECFailure;
-
-loser:
-    if (publickey != NULL)
-	SECKEY_DestroyPublicKey (publickey);
-
-    signerinfo->verificationStatus = vs;
-
-    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
-    return SECFailure;
-}
-
-NSSCMSVerificationStatus
-NSS_CMSSignerInfo_GetVerificationStatus(NSSCMSSignerInfo *signerinfo)
-{
-    return signerinfo->verificationStatus;
-}
-
-SECOidData *
-NSS_CMSSignerInfo_GetDigestAlg(NSSCMSSignerInfo *signerinfo)
-{
-    return SECOID_FindOID (&(signerinfo->digestAlg.algorithm));
-}
-
-SECOidTag
-NSS_CMSSignerInfo_GetDigestAlgTag(NSSCMSSignerInfo *signerinfo)
-{
-    SECOidData *algdata;
-
-    if (!signerinfo) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SEC_OID_UNKNOWN;
-    }
-
-    algdata = SECOID_FindOID (&(signerinfo->digestAlg.algorithm));
-    if (algdata != NULL)
-	return algdata->offset;
-    else
-	return SEC_OID_UNKNOWN;
-}
-
-CERTCertificateList *
-NSS_CMSSignerInfo_GetCertList(NSSCMSSignerInfo *signerinfo)
-{
-    return signerinfo->certList;
-}
-
-int
-NSS_CMSSignerInfo_GetVersion(NSSCMSSignerInfo *signerinfo)
-{
-    unsigned long version;
-
-    /* always take apart the SECItem */
-    if (SEC_ASN1DecodeInteger(&(signerinfo->version), &version) != SECSuccess)
-	return 0;
-    else
-	return (int)version;
-}
-
-/*
- * NSS_CMSSignerInfo_GetSigningTime - return the signing time,
- *				      in UTCTime or GeneralizedTime format,
- *                                    of a CMS signerInfo.
- *
- * sinfo - signerInfo data for this signer
- *
- * Returns a pointer to XXXX (what?)
- * A return value of NULL is an error.
- */
-SECStatus
-NSS_CMSSignerInfo_GetSigningTime(NSSCMSSignerInfo *sinfo, PRTime *stime)
-{
-    NSSCMSAttribute *attr;
-    SECItem *value;
-
-    if (sinfo == NULL)
-	return SECFailure;
-
-    if (sinfo->signingTime != 0) {
-	*stime = sinfo->signingTime;	/* cached copy */
-	return SECSuccess;
-    }
-
-    attr = NSS_CMSAttributeArray_FindAttrByOidTag(sinfo->authAttr, SEC_OID_PKCS9_SIGNING_TIME, PR_TRUE);
-    /* XXXX multi-valued attributes NIH */
-    if (attr == NULL || (value = NSS_CMSAttribute_GetValue(attr)) == NULL)
-	return SECFailure;
-    if (DER_DecodeTimeChoice(stime, value) != SECSuccess)
-	return SECFailure;
-    sinfo->signingTime = *stime;	/* make cached copy */
-    return SECSuccess;
-}
-
-/*
- * Return the signing cert of a CMS signerInfo.
- *
- * the certs in the enclosing SignedData must have been imported already
- */
-CERTCertificate *
-NSS_CMSSignerInfo_GetSigningCertificate(NSSCMSSignerInfo *signerinfo, CERTCertDBHandle *certdb)
-{
-    CERTCertificate *cert;
-    NSSCMSSignerIdentifier *sid;
-
-    if (signerinfo->cert != NULL)
-	return signerinfo->cert;
-
-    /* no certdb, and cert hasn't been set yet? */
-    if (certdb == NULL)
-	return NULL;
-
-    /*
-     * This cert will also need to be freed, but since we save it
-     * in signerinfo for later, we do not want to destroy it when
-     * we leave this function -- we let the clean-up of the entire
-     * cinfo structure later do the destroy of this cert.
-     */
-    sid = &signerinfo->signerIdentifier;
-    switch (sid->identifierType) {
-    case NSSCMSSignerID_IssuerSN:
-	cert = CERT_FindCertByIssuerAndSN(certdb, sid->id.issuerAndSN);
-	break;
-    case NSSCMSSignerID_SubjectKeyID:
-	cert = CERT_FindCertBySubjectKeyID(certdb, sid->id.subjectKeyID);
-	break;
-    default:
-	cert = NULL;
-	break;
-    }
-
-    /* cert can be NULL at that point */
-    signerinfo->cert = cert;	/* earmark it */
-
-    return cert;
-}
-
-/*
- * NSS_CMSSignerInfo_GetSignerCommonName - return the common name of the signer
- *
- * sinfo - signerInfo data for this signer
- *
- * Returns a pointer to allocated memory, which must be freed with PORT_Free.
- * A return value of NULL is an error.
- */
-char *
-NSS_CMSSignerInfo_GetSignerCommonName(NSSCMSSignerInfo *sinfo)
-{
-    CERTCertificate *signercert;
-
-    /* will fail if cert is not verified */
-    if ((signercert = NSS_CMSSignerInfo_GetSigningCertificate(sinfo, NULL)) == NULL)
-	return NULL;
-
-    return (CERT_GetCommonName(&signercert->subject));
-}
-
-/*
- * NSS_CMSSignerInfo_GetSignerEmailAddress - return the common name of the signer
- *
- * sinfo - signerInfo data for this signer
- *
- * Returns a pointer to allocated memory, which must be freed.
- * A return value of NULL is an error.
- */
-char *
-NSS_CMSSignerInfo_GetSignerEmailAddress(NSSCMSSignerInfo *sinfo)
-{
-    CERTCertificate *signercert;
-
-    if ((signercert = NSS_CMSSignerInfo_GetSigningCertificate(sinfo, NULL)) == NULL)
-	return NULL;
-
-    if (!signercert->emailAddr || !signercert->emailAddr[0])
-	return NULL;
-
-    return (PORT_Strdup(signercert->emailAddr));
-}
-
-/*
- * NSS_CMSSignerInfo_AddAuthAttr - add an attribute to the
- * authenticated (i.e. signed) attributes of "signerinfo". 
- */
-SECStatus
-NSS_CMSSignerInfo_AddAuthAttr(NSSCMSSignerInfo *signerinfo, NSSCMSAttribute *attr)
-{
-    return NSS_CMSAttributeArray_AddAttr(signerinfo->cmsg->poolp, &(signerinfo->authAttr), attr);
-}
-
-/*
- * NSS_CMSSignerInfo_AddUnauthAttr - add an attribute to the
- * unauthenticated attributes of "signerinfo". 
- */
-SECStatus
-NSS_CMSSignerInfo_AddUnauthAttr(NSSCMSSignerInfo *signerinfo, NSSCMSAttribute *attr)
-{
-    return NSS_CMSAttributeArray_AddAttr(signerinfo->cmsg->poolp, &(signerinfo->unAuthAttr), attr);
-}
-
-/* 
- * NSS_CMSSignerInfo_AddSigningTime - add the signing time to the
- * authenticated (i.e. signed) attributes of "signerinfo". 
- *
- * This is expected to be included in outgoing signed
- * messages for email (S/MIME) but is likely useful in other situations.
- *
- * This should only be added once; a second call will do nothing.
- *
- * XXX This will probably just shove the current time into "signerinfo"
- * but it will not actually get signed until the entire item is
- * processed for encoding.  Is this (expected to be small) delay okay?
- */
-SECStatus
-NSS_CMSSignerInfo_AddSigningTime(NSSCMSSignerInfo *signerinfo, PRTime t)
-{
-    NSSCMSAttribute *attr;
-    SECItem stime;
-    void *mark;
-    PLArenaPool *poolp;
-
-    poolp = signerinfo->cmsg->poolp;
-
-    mark = PORT_ArenaMark(poolp);
-
-    /* create new signing time attribute */
-    if (DER_EncodeTimeChoice(NULL, &stime, t) != SECSuccess)
-	goto loser;
-
-    if ((attr = NSS_CMSAttribute_Create(poolp, SEC_OID_PKCS9_SIGNING_TIME, &stime, PR_FALSE)) == NULL) {
-	SECITEM_FreeItem (&stime, PR_FALSE);
-	goto loser;
-    }
-
-    SECITEM_FreeItem (&stime, PR_FALSE);
-
-    if (NSS_CMSSignerInfo_AddAuthAttr(signerinfo, attr) != SECSuccess)
-	goto loser;
-
-    PORT_ArenaUnmark (poolp, mark);
-
-    return SECSuccess;
-
-loser:
-    PORT_ArenaRelease (poolp, mark);
-    return SECFailure;
-}
-
-/* 
- * NSS_CMSSignerInfo_AddSMIMECaps - add a SMIMECapabilities attribute to the
- * authenticated (i.e. signed) attributes of "signerinfo". 
- *
- * This is expected to be included in outgoing signed
- * messages for email (S/MIME).
- */
-SECStatus
-NSS_CMSSignerInfo_AddSMIMECaps(NSSCMSSignerInfo *signerinfo)
-{
-    NSSCMSAttribute *attr;
-    SECItem *smimecaps = NULL;
-    void *mark;
-    PLArenaPool *poolp;
-
-    poolp = signerinfo->cmsg->poolp;
-
-    mark = PORT_ArenaMark(poolp);
-
-    smimecaps = SECITEM_AllocItem(poolp, NULL, 0);
-    if (smimecaps == NULL)
-	goto loser;
-
-    /* create new signing time attribute */
-    if (NSS_SMIMEUtil_CreateSMIMECapabilities(poolp, smimecaps,
-			    PK11_FortezzaHasKEA(signerinfo->cert)) != SECSuccess)
-	goto loser;
-
-    if ((attr = NSS_CMSAttribute_Create(poolp, SEC_OID_PKCS9_SMIME_CAPABILITIES, smimecaps, PR_TRUE)) == NULL)
-	goto loser;
-
-    if (NSS_CMSSignerInfo_AddAuthAttr(signerinfo, attr) != SECSuccess)
-	goto loser;
-
-    PORT_ArenaUnmark (poolp, mark);
-    return SECSuccess;
-
-loser:
-    PORT_ArenaRelease (poolp, mark);
-    return SECFailure;
-}
-
-/* 
- * NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs - add a SMIMEEncryptionKeyPreferences attribute to the
- * authenticated (i.e. signed) attributes of "signerinfo". 
- *
- * This is expected to be included in outgoing signed messages for email (S/MIME).
- */
-SECStatus
-NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs(NSSCMSSignerInfo *signerinfo, CERTCertificate *cert, CERTCertDBHandle *certdb)
-{
-    NSSCMSAttribute *attr;
-    SECItem *smimeekp = NULL;
-    void *mark;
-    PLArenaPool *poolp;
-
-    /* verify this cert for encryption */
-    if (CERT_VerifyCert(certdb, cert, PR_TRUE, certUsageEmailRecipient, PR_Now(), signerinfo->cmsg->pwfn_arg, NULL) != SECSuccess) {
-	return SECFailure;
-    }
-
-    poolp = signerinfo->cmsg->poolp;
-    mark = PORT_ArenaMark(poolp);
-
-    smimeekp = SECITEM_AllocItem(poolp, NULL, 0);
-    if (smimeekp == NULL)
-	goto loser;
-
-    /* create new signing time attribute */
-    if (NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs(poolp, smimeekp, cert) != SECSuccess)
-	goto loser;
-
-    if ((attr = NSS_CMSAttribute_Create(poolp, SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE, smimeekp, PR_TRUE)) == NULL)
-	goto loser;
-
-    if (NSS_CMSSignerInfo_AddAuthAttr(signerinfo, attr) != SECSuccess)
-	goto loser;
-
-    PORT_ArenaUnmark (poolp, mark);
-    return SECSuccess;
-
-loser:
-    PORT_ArenaRelease (poolp, mark);
-    return SECFailure;
-}
-
-/* 
- * NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs - add a SMIMEEncryptionKeyPreferences attribute to the
- * authenticated (i.e. signed) attributes of "signerinfo", using the OID prefered by Microsoft.
- *
- * This is expected to be included in outgoing signed messages for email (S/MIME),
- * if compatibility with Microsoft mail clients is wanted.
- */
-SECStatus
-NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs(NSSCMSSignerInfo *signerinfo, CERTCertificate *cert, CERTCertDBHandle *certdb)
-{
-    NSSCMSAttribute *attr;
-    SECItem *smimeekp = NULL;
-    void *mark;
-    PLArenaPool *poolp;
-
-    /* verify this cert for encryption */
-    if (CERT_VerifyCert(certdb, cert, PR_TRUE, certUsageEmailRecipient, PR_Now(), signerinfo->cmsg->pwfn_arg, NULL) != SECSuccess) {
-	return SECFailure;
-    }
-
-    poolp = signerinfo->cmsg->poolp;
-    mark = PORT_ArenaMark(poolp);
-
-    smimeekp = SECITEM_AllocItem(poolp, NULL, 0);
-    if (smimeekp == NULL)
-	goto loser;
-
-    /* create new signing time attribute */
-    if (NSS_SMIMEUtil_CreateMSSMIMEEncKeyPrefs(poolp, smimeekp, cert) != SECSuccess)
-	goto loser;
-
-    if ((attr = NSS_CMSAttribute_Create(poolp, SEC_OID_MS_SMIME_ENCRYPTION_KEY_PREFERENCE, smimeekp, PR_TRUE)) == NULL)
-	goto loser;
-
-    if (NSS_CMSSignerInfo_AddAuthAttr(signerinfo, attr) != SECSuccess)
-	goto loser;
-
-    PORT_ArenaUnmark (poolp, mark);
-    return SECSuccess;
-
-loser:
-    PORT_ArenaRelease (poolp, mark);
-    return SECFailure;
-}
-
-/* 
- * NSS_CMSSignerInfo_AddCounterSignature - countersign a signerinfo
- *
- * 1. digest the DER-encoded signature value of the original signerinfo
- * 2. create new signerinfo with correct version, sid, digestAlg
- * 3. add message-digest authAttr, but NO content-type
- * 4. sign the authAttrs
- * 5. DER-encode the new signerInfo
- * 6. add the whole thing to original signerInfo's unAuthAttrs
- *    as a SEC_OID_PKCS9_COUNTER_SIGNATURE attribute
- *
- * XXXX give back the new signerinfo?
- */
-SECStatus
-NSS_CMSSignerInfo_AddCounterSignature(NSSCMSSignerInfo *signerinfo,
-				    SECOidTag digestalg, CERTCertificate signingcert)
-{
-    /* XXXX TBD XXXX */
-    return SECFailure;
-}
-
-/*
- * XXXX the following needs to be done in the S/MIME layer code
- * after signature of a signerinfo is verified
- */
-SECStatus
-NSS_SMIMESignerInfo_SaveSMIMEProfile(NSSCMSSignerInfo *signerinfo)
-{
-    CERTCertificate *cert = NULL;
-    SECItem *profile = NULL;
-    NSSCMSAttribute *attr;
-    SECItem *stime = NULL;
-    SECItem *ekp;
-    CERTCertDBHandle *certdb;
-    int save_error;
-    SECStatus rv;
-    PRBool must_free_cert = PR_FALSE;
-
-    certdb = CERT_GetDefaultCertDB();
-
-    /* sanity check - see if verification status is ok (unverified does not count...) */
-    if (signerinfo->verificationStatus != NSSCMSVS_GoodSignature)
-	return SECFailure;
-
-    /* find preferred encryption cert */
-    if (!NSS_CMSArray_IsEmpty((void **)signerinfo->authAttr) &&
-	(attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr,
-			       SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE, PR_TRUE)) != NULL)
-    { /* we have a SMIME_ENCRYPTION_KEY_PREFERENCE attribute! */
-	ekp = NSS_CMSAttribute_GetValue(attr);
-	if (ekp == NULL)
-	    return SECFailure;
-
-	/* we assume that all certs coming with the message have been imported to the */
-	/* temporary database */
-	cert = NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference(certdb, ekp);
-	if (cert == NULL)
-	    return SECFailure;
-	must_free_cert = PR_TRUE;
-    }
-
-    if (cert == NULL) {
-	/* no preferred cert found?
-	 * find the cert the signerinfo is signed with instead */
-	cert = NSS_CMSSignerInfo_GetSigningCertificate(signerinfo, certdb);
-	if (cert == NULL || cert->emailAddr == NULL || !cert->emailAddr[0])
-	    return SECFailure;
-    }
-
-    /* verify this cert for encryption (has been verified for signing so far) */
-    /* don't verify this cert for encryption. It may just be a signing cert.
-     * that's OK, we can still save the S/MIME profile. The encryption cert
-     * should have already been saved */
-#ifdef notdef
-    if (CERT_VerifyCert(certdb, cert, PR_TRUE, certUsageEmailRecipient, PR_Now(), signerinfo->cmsg->pwfn_arg, NULL) != SECSuccess) {
-	if (must_free_cert)
-	    CERT_DestroyCertificate(cert);
-	return SECFailure;
-    }
-#endif
-
-    /* XXX store encryption cert permanently? */
-
-    /*
-     * Remember the current error set because we do not care about
-     * anything set by the functions we are about to call.
-     */
-    save_error = PORT_GetError();
-
-    if (!NSS_CMSArray_IsEmpty((void **)signerinfo->authAttr)) {
-	attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr,
-				       SEC_OID_PKCS9_SMIME_CAPABILITIES,
-				       PR_TRUE);
-	profile = NSS_CMSAttribute_GetValue(attr);
-	attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr,
-				       SEC_OID_PKCS9_SIGNING_TIME,
-				       PR_TRUE);
-	stime = NSS_CMSAttribute_GetValue(attr);
-    }
-
-    rv = CERT_SaveSMimeProfile (cert, profile, stime);
-    if (must_free_cert)
-	CERT_DestroyCertificate(cert);
-
-    /*
-     * Restore the saved error in case the calls above set a new
-     * one that we do not actually care about.
-     */
-    PORT_SetError (save_error);
-
-    return rv;
-}
-
-/*
- * NSS_CMSSignerInfo_IncludeCerts - set cert chain inclusion mode for this signer
- */
-SECStatus
-NSS_CMSSignerInfo_IncludeCerts(NSSCMSSignerInfo *signerinfo, NSSCMSCertChainMode cm, SECCertUsage usage)
-{
-    if (signerinfo->cert == NULL)
-	return SECFailure;
-
-    /* don't leak if we get called twice */
-    if (signerinfo->certList != NULL) {
-	CERT_DestroyCertificateList(signerinfo->certList);
-	signerinfo->certList = NULL;
-    }
-
-    switch (cm) {
-    case NSSCMSCM_None:
-	signerinfo->certList = NULL;
-	break;
-    case NSSCMSCM_CertOnly:
-	signerinfo->certList = CERT_CertListFromCert(signerinfo->cert);
-	break;
-    case NSSCMSCM_CertChain:
-	signerinfo->certList = CERT_CertChainFromCert(signerinfo->cert, usage, PR_FALSE);
-	break;
-    case NSSCMSCM_CertChainWithRoot:
-	signerinfo->certList = CERT_CertChainFromCert(signerinfo->cert, usage, PR_TRUE);
-	break;
-    }
-
-    if (cm != NSSCMSCM_None && signerinfo->certList == NULL)
-	return SECFailure;
-    
-    return SECSuccess;
-}
diff --git a/security/nss/lib/smime/cmst.h b/security/nss/lib/smime/cmst.h
deleted file mode 100644
index 82f24da14..000000000
--- a/security/nss/lib/smime/cmst.h
+++ /dev/null
@@ -1,534 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Header for CMS types.
- *
- * $Id$
- */
-
-#ifndef _CMST_H_
-#define _CMST_H_
-
-#include "seccomon.h"
-#include "secoidt.h"
-#include "certt.h"
-#include "secmodt.h"
-#include "secmodt.h"
-
-#include "plarena.h"
-
-/* Non-opaque objects.  NOTE, though: I want them to be treated as
- * opaque as much as possible.  If I could hide them completely,
- * I would.  (I tried, but ran into trouble that was taking me too
- * much time to get out of.)  I still intend to try to do so.
- * In fact, the only type that "outsiders" should even *name* is
- * NSSCMSMessage, and they should not reference its fields.
- */
-/* rjr: PKCS #11 cert handling (pk11cert.c) does use NSSCMSRecipientInfo's.
- * This is because when we search the recipient list for the cert and key we
- * want, we need to invert the order of the loops we used to have. The old
- * loops were:
- *
- *  For each recipient {
- *       find_cert = PK11_Find_AllCert(recipient->issuerSN);
- *       [which unrolls to... ]
- *       For each slot {
- *            Log into slot;
- *            search slot for cert;
- *      }
- *  }
- *
- *  the new loop searchs all the recipients at once on a slot. this allows
- *  PKCS #11 to order slots in such a way that logout slots don't get checked
- *  if we can find the cert on a logged in slot. This eliminates lots of
- *  spurious password prompts when smart cards are installed... so why this
- *  comment? If you make NSSCMSRecipientInfo completely opaque, you need
- *  to provide a non-opaque list of issuerSN's (the only field PKCS#11 needs
- *  and fix up pk11cert.c first. NOTE: Only S/MIME calls this special PKCS #11
- *  function.
- */
-
-typedef struct NSSCMSMessageStr NSSCMSMessage;
-
-typedef union NSSCMSContentUnion NSSCMSContent;
-typedef struct NSSCMSContentInfoStr NSSCMSContentInfo;
-
-typedef struct NSSCMSSignedDataStr NSSCMSSignedData;
-typedef struct NSSCMSSignerInfoStr NSSCMSSignerInfo;
-typedef struct NSSCMSSignerIdentifierStr NSSCMSSignerIdentifier;
-
-typedef struct NSSCMSEnvelopedDataStr NSSCMSEnvelopedData;
-typedef struct NSSCMSOriginatorInfoStr NSSCMSOriginatorInfo;
-typedef struct NSSCMSRecipientInfoStr NSSCMSRecipientInfo;
-
-typedef struct NSSCMSDigestedDataStr NSSCMSDigestedData;
-typedef struct NSSCMSEncryptedDataStr NSSCMSEncryptedData;
-
-typedef struct NSSCMSSMIMEKEAParametersStr NSSCMSSMIMEKEAParameters;
-
-typedef struct NSSCMSAttributeStr NSSCMSAttribute;
-
-typedef struct NSSCMSDecoderContextStr NSSCMSDecoderContext;
-typedef struct NSSCMSEncoderContextStr NSSCMSEncoderContext;
-
-typedef struct NSSCMSCipherContextStr NSSCMSCipherContext;
-typedef struct NSSCMSDigestContextStr NSSCMSDigestContext;
-
-/*
- * Type of function passed to NSSCMSDecode or NSSCMSDecoderStart.
- * If specified, this is where the content bytes (only) will be "sent"
- * as they are recovered during the decoding.
- * And:
- * Type of function passed to NSSCMSEncode or NSSCMSEncoderStart.
- * This is where the DER-encoded bytes will be "sent".
- *
- * XXX Should just combine this with NSSCMSEncoderContentCallback type
- * and use a simpler, common name.
- */
-typedef void (*NSSCMSContentCallback)(void *arg, const char *buf, unsigned long len);
-
-/*
- * Type of function passed to NSSCMSDecode or NSSCMSDecoderStart
- * to retrieve the decryption key.  This function is intended to be
- * used for EncryptedData content info's which do not have a key available
- * in a certificate, etc.
- */
-typedef PK11SymKey *(*NSSCMSGetDecryptKeyCallback)(void *arg, SECAlgorithmID *algid);
-
-
-/* =============================================================================
- * ENCAPSULATED CONTENTINFO & CONTENTINFO
- */
-
-union NSSCMSContentUnion {
-    /* either unstructured */
-    SECItem *			data;
-    /* or structured data */
-    NSSCMSDigestedData *	digestedData;
-    NSSCMSEncryptedData	*	encryptedData;
-    NSSCMSEnvelopedData	*	envelopedData;
-    NSSCMSSignedData *		signedData;
-    /* or anonymous pointer to something */
-    void *			pointer;
-};
-
-struct NSSCMSContentInfoStr {
-    SECItem			contentType;
-    NSSCMSContent		content;
-    /* --------- local; not part of encoding --------- */
-    SECOidData *		contentTypeTag;	
-
-    /* additional info for encryptedData and envelopedData */
-    /* we waste this space for signedData and digestedData. sue me. */
-
-    SECAlgorithmID		contentEncAlg;
-    SECItem *			rawContent;		/* encrypted DER, optional */
-							/* XXXX bytes not encrypted, but encoded? */
-    /* --------- local; not part of encoding --------- */
-    PK11SymKey *		bulkkey;		/* bulk encryption key */
-    int				keysize;		/* size of bulk encryption key
-							 * (only used by creation code) */
-    SECOidTag			contentEncAlgTag;	/* oid tag of encryption algorithm
-							 * (only used by creation code) */
-    NSSCMSCipherContext		*ciphcx;		/* context for en/decryption going on */
-    NSSCMSDigestContext		*digcx;			/* context for digesting going on */
-};
-
-/* =============================================================================
- * MESSAGE
- */
-
-struct NSSCMSMessageStr {
-    NSSCMSContentInfo	contentInfo;		/* "outer" cinfo */
-    /* --------- local; not part of encoding --------- */
-    PLArenaPool *	poolp;
-    PRBool		poolp_is_ours;
-    int			refCount;
-    /* properties of the "inner" data */
-    SECAlgorithmID **	detached_digestalgs;
-    SECItem **		detached_digests;
-    void *		pwfn_arg;
-    NSSCMSGetDecryptKeyCallback decrypt_key_cb;
-    void *		decrypt_key_cb_arg;
-};
-
-/* =============================================================================
- * SIGNEDDATA
- */
-
-struct NSSCMSSignedDataStr {
-    SECItem			version;
-    SECAlgorithmID **		digestAlgorithms;
-    NSSCMSContentInfo		contentInfo;
-    SECItem **			rawCerts;
-    CERTSignedCrl **		crls;
-    NSSCMSSignerInfo **		signerInfos;
-    /* --------- local; not part of encoding --------- */
-    NSSCMSMessage *		cmsg;			/* back pointer to message */
-    SECItem **			digests;
-    CERTCertificate **		certs;
-    CERTCertificateList **	certLists;
-    CERTCertificate **          tempCerts;              /* temporary certs, needed
-                                                         * for example for signature
-                                                         * verification */
-};
-#define NSS_CMS_SIGNED_DATA_VERSION_BASIC	1	/* what we *create* */
-#define NSS_CMS_SIGNED_DATA_VERSION_EXT		3	/* what we *create* */
-
-typedef enum {
-    NSSCMSVS_Unverified = 0,
-    NSSCMSVS_GoodSignature = 1,
-    NSSCMSVS_BadSignature = 2,
-    NSSCMSVS_DigestMismatch = 3,
-    NSSCMSVS_SigningCertNotFound = 4,
-    NSSCMSVS_SigningCertNotTrusted = 5,
-    NSSCMSVS_SignatureAlgorithmUnknown = 6,
-    NSSCMSVS_SignatureAlgorithmUnsupported = 7,
-    NSSCMSVS_MalformedSignature = 8,
-    NSSCMSVS_ProcessingError = 9
-} NSSCMSVerificationStatus;
-
-typedef enum {
-    NSSCMSSignerID_IssuerSN = 0,
-    NSSCMSSignerID_SubjectKeyID = 1
-} NSSCMSSignerIDSelector;
-
-struct NSSCMSSignerIdentifierStr {
-    NSSCMSSignerIDSelector identifierType;
-    union {
-	CERTIssuerAndSN *issuerAndSN;
-	SECItem *subjectKeyID;
-    } id;
-};
-
-struct NSSCMSSignerInfoStr {
-    SECItem			version;
-    NSSCMSSignerIdentifier	signerIdentifier;
-    SECAlgorithmID		digestAlg;
-    NSSCMSAttribute **		authAttr;
-    SECAlgorithmID		digestEncAlg;
-    SECItem			encDigest;
-    NSSCMSAttribute **		unAuthAttr;
-    /* --------- local; not part of encoding --------- */
-    NSSCMSMessage *		cmsg;			/* back pointer to message */
-    CERTCertificate *		cert;
-    CERTCertificateList *	certList;
-    PRTime			signingTime;
-    NSSCMSVerificationStatus	verificationStatus;
-    SECKEYPrivateKey *          signingKey; /* Used if we're using subjKeyID*/
-    SECKEYPublicKey *           pubKey;
-};
-#define NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN	1	/* what we *create* */
-#define NSS_CMS_SIGNER_INFO_VERSION_SUBJKEY	3	/* what we *create* */
-
-typedef enum {
-    NSSCMSCM_None = 0,
-    NSSCMSCM_CertOnly = 1,
-    NSSCMSCM_CertChain = 2,
-    NSSCMSCM_CertChainWithRoot = 3
-} NSSCMSCertChainMode;
-
-/* =============================================================================
- * ENVELOPED DATA
- */
-struct NSSCMSEnvelopedDataStr {
-    SECItem			version;
-    NSSCMSOriginatorInfo *	originatorInfo;		/* optional */
-    NSSCMSRecipientInfo **	recipientInfos;
-    NSSCMSContentInfo		contentInfo;
-    NSSCMSAttribute **		unprotectedAttr;
-    /* --------- local; not part of encoding --------- */
-    NSSCMSMessage *		cmsg;			/* back pointer to message */
-};
-#define NSS_CMS_ENVELOPED_DATA_VERSION_REG	0	/* what we *create* */
-#define NSS_CMS_ENVELOPED_DATA_VERSION_ADV	2	/* what we *create* */
-
-struct NSSCMSOriginatorInfoStr {
-    SECItem **			rawCerts;
-    CERTSignedCrl **		crls;
-    /* --------- local; not part of encoding --------- */
-    CERTCertificate **		certs;
-};
-
-/* -----------------------------------------------------------------------------
- * key transport recipient info
- */
-typedef enum {
-    NSSCMSRecipientID_IssuerSN = 0,
-    NSSCMSRecipientID_SubjectKeyID = 1,
-    NSSCMSRecipientID_BrandNew = 2
-} NSSCMSRecipientIDSelector;
-
-struct NSSCMSRecipientIdentifierStr {
-    NSSCMSRecipientIDSelector	identifierType;
-    union {
-	CERTIssuerAndSN		*issuerAndSN;
-	SECItem 		*subjectKeyID;
-    } id;
-};
-typedef struct NSSCMSRecipientIdentifierStr NSSCMSRecipientIdentifier;
-
-struct NSSCMSKeyTransRecipientInfoStr {
-    SECItem			version;
-    NSSCMSRecipientIdentifier	recipientIdentifier;
-    SECAlgorithmID		keyEncAlg;
-    SECItem			encKey;
-};
-typedef struct NSSCMSKeyTransRecipientInfoStr NSSCMSKeyTransRecipientInfo;
-
-/*
- * View comments before NSSCMSRecipientInfoStr for purpose of this
- * structure.
- */
-struct NSSCMSKeyTransRecipientInfoExStr {
-    NSSCMSKeyTransRecipientInfo recipientInfo;
-    int version;  /* version of this structure (0) */
-    SECKEYPublicKey *pubKey;
-};
-
-typedef struct NSSCMSKeyTransRecipientInfoExStr NSSCMSKeyTransRecipientInfoEx;
-
-#define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_ISSUERSN	0	/* what we *create* */
-#define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_SUBJKEY		2	/* what we *create* */
-
-/* -----------------------------------------------------------------------------
- * key agreement recipient info
- */
-struct NSSCMSOriginatorPublicKeyStr {
-    SECAlgorithmID			algorithmIdentifier;
-    SECItem				publicKey;			/* bit string! */
-};
-typedef struct NSSCMSOriginatorPublicKeyStr NSSCMSOriginatorPublicKey;
-
-typedef enum {
-    NSSCMSOriginatorIDOrKey_IssuerSN = 0,
-    NSSCMSOriginatorIDOrKey_SubjectKeyID = 1,
-    NSSCMSOriginatorIDOrKey_OriginatorPublicKey = 2
-} NSSCMSOriginatorIDOrKeySelector;
-
-struct NSSCMSOriginatorIdentifierOrKeyStr {
-    NSSCMSOriginatorIDOrKeySelector identifierType;
-    union {
-	CERTIssuerAndSN			*issuerAndSN;		/* static-static */
-	SECItem				*subjectKeyID;		/* static-static */
-	NSSCMSOriginatorPublicKey	originatorPublicKey;	/* ephemeral-static */
-    } id;
-};
-typedef struct NSSCMSOriginatorIdentifierOrKeyStr NSSCMSOriginatorIdentifierOrKey;
-
-struct NSSCMSRecipientKeyIdentifierStr {
-    SECItem *				subjectKeyIdentifier;
-    SECItem *				date;			/* optional */
-    SECItem *				other;			/* optional */
-};
-typedef struct NSSCMSRecipientKeyIdentifierStr NSSCMSRecipientKeyIdentifier;
-
-typedef enum {
-    NSSCMSKeyAgreeRecipientID_IssuerSN = 0,
-    NSSCMSKeyAgreeRecipientID_RKeyID = 1
-} NSSCMSKeyAgreeRecipientIDSelector;
-
-struct NSSCMSKeyAgreeRecipientIdentifierStr {
-    NSSCMSKeyAgreeRecipientIDSelector	identifierType;
-    union {
-	CERTIssuerAndSN			*issuerAndSN;
-	NSSCMSRecipientKeyIdentifier	recipientKeyIdentifier;
-    } id;
-};
-typedef struct NSSCMSKeyAgreeRecipientIdentifierStr NSSCMSKeyAgreeRecipientIdentifier;
-
-struct NSSCMSRecipientEncryptedKeyStr {
-    NSSCMSKeyAgreeRecipientIdentifier	recipientIdentifier;
-    SECItem				encKey;
-};
-typedef struct NSSCMSRecipientEncryptedKeyStr NSSCMSRecipientEncryptedKey;
-
-struct NSSCMSKeyAgreeRecipientInfoStr {
-    SECItem				version;
-    NSSCMSOriginatorIdentifierOrKey	originatorIdentifierOrKey;
-    SECItem *				ukm;				/* optional */
-    SECAlgorithmID			keyEncAlg;
-    NSSCMSRecipientEncryptedKey **	recipientEncryptedKeys;
-};
-typedef struct NSSCMSKeyAgreeRecipientInfoStr NSSCMSKeyAgreeRecipientInfo;
-
-#define NSS_CMS_KEYAGREE_RECIPIENT_INFO_VERSION	3	/* what we *create* */
-
-/* -----------------------------------------------------------------------------
- * KEK recipient info
- */
-struct NSSCMSKEKIdentifierStr {
-    SECItem			keyIdentifier;
-    SECItem *			date;			/* optional */
-    SECItem *			other;			/* optional */
-};
-typedef struct NSSCMSKEKIdentifierStr NSSCMSKEKIdentifier;
-
-struct NSSCMSKEKRecipientInfoStr {
-    SECItem			version;
-    NSSCMSKEKIdentifier		kekIdentifier;
-    SECAlgorithmID		keyEncAlg;
-    SECItem			encKey;
-};
-typedef struct NSSCMSKEKRecipientInfoStr NSSCMSKEKRecipientInfo;
-
-#define NSS_CMS_KEK_RECIPIENT_INFO_VERSION	4	/* what we *create* */
-
-/* -----------------------------------------------------------------------------
- * recipient info
- */
-
-typedef enum {
-    NSSCMSRecipientInfoID_KeyTrans = 0,
-    NSSCMSRecipientInfoID_KeyAgree = 1,
-    NSSCMSRecipientInfoID_KEK = 2
-} NSSCMSRecipientInfoIDSelector;
-
-/*
- * In order to preserve backwards binary compatibility when implementing
- * creation of Recipient Info's that uses subjectKeyID in the 
- * keyTransRecipientInfo we need to stash a public key pointer in this
- * structure somewhere.  We figured out that NSSCMSKeyTransRecipientInfo
- * is the smallest member of the ri union.  We're in luck since that's
- * the very structure that would need to use the public key. So we created
- * a new structure NSSCMSKeyTransRecipientInfoEx which has a member 
- * NSSCMSKeyTransRecipientInfo as the first member followed by a version
- * and a public key pointer.  This way we can keep backwards compatibility
- * without changing the size of this structure.
- *
- * BTW, size of structure:
- * NSSCMSKeyTransRecipientInfo:  9 ints, 4 pointers
- * NSSCMSKeyAgreeRecipientInfo: 12 ints, 8 pointers
- * NSSCMSKEKRecipientInfo:      10 ints, 7 pointers
- *
- * The new structure:
- * NSSCMSKeyTransRecipientInfoEx: sizeof(NSSCMSKeyTransRecipientInfo) +
- *                                1 int, 1 pointer
- */
-
-struct NSSCMSRecipientInfoStr {
-    NSSCMSRecipientInfoIDSelector recipientInfoType;
-    union {
-	NSSCMSKeyTransRecipientInfo keyTransRecipientInfo;
-	NSSCMSKeyAgreeRecipientInfo keyAgreeRecipientInfo;
-	NSSCMSKEKRecipientInfo kekRecipientInfo;
-	NSSCMSKeyTransRecipientInfoEx keyTransRecipientInfoEx;
-    } ri;
-    /* --------- local; not part of encoding --------- */
-    NSSCMSMessage *		cmsg;			/* back pointer to message */
-    CERTCertificate *		cert;			/* recipient's certificate */
-};
-
-/* =============================================================================
- * DIGESTED DATA
- */
-struct NSSCMSDigestedDataStr {
-    SECItem			version;
-    SECAlgorithmID		digestAlg;
-    NSSCMSContentInfo		contentInfo;
-    SECItem			digest;
-    /* --------- local; not part of encoding --------- */
-    NSSCMSMessage *		cmsg;		/* back pointer */
-    SECItem			cdigest;	/* calculated digest */
-};
-#define NSS_CMS_DIGESTED_DATA_VERSION_DATA	0	/* what we *create* */
-#define NSS_CMS_DIGESTED_DATA_VERSION_ENCAP	2	/* what we *create* */
-
-/* =============================================================================
- * ENCRYPTED DATA
- */
-struct NSSCMSEncryptedDataStr {
-    SECItem			version;
-    NSSCMSContentInfo		contentInfo;
-    NSSCMSAttribute **		unprotectedAttr;	/* optional */
-    /* --------- local; not part of encoding --------- */
-    NSSCMSMessage *		cmsg;		/* back pointer */
-};
-#define NSS_CMS_ENCRYPTED_DATA_VERSION		0	/* what we *create* */
-#define NSS_CMS_ENCRYPTED_DATA_VERSION_UPATTR	2	/* what we *create* */
-
-/* =============================================================================
- * FORTEZZA KEA
- */
-
-/* An enumerated type used to select templates based on the encryption
-   scenario and data specifics. */
-typedef enum {
-    NSSCMSKEAInvalid = -1,
-    NSSCMSKEAUsesSkipjack = 0,
-    NSSCMSKEAUsesNonSkipjack = 1,
-    NSSCMSKEAUsesNonSkipjackWithPaddedEncKey = 2
-} NSSCMSKEATemplateSelector;
-
-/* ### mwelch - S/MIME KEA parameters. These don't really fit here,
-                but I cannot think of a more appropriate place at this time. */
-struct NSSCMSSMIMEKEAParametersStr {
-    SECItem originatorKEAKey;	/* sender KEA key (encrypted?) */
-    SECItem originatorRA;	/* random number generated by sender */
-    SECItem nonSkipjackIV;	/* init'n vector for SkipjackCBC64
-			           decryption of KEA key if Skipjack
-				   is not the bulk algorithm used on
-				   the message */
-    SECItem bulkKeySize;	/* if Skipjack is not the bulk
-			           algorithm used on the message,
-				   and the size of the bulk encryption
-				   key is not the same as that of
-				   originatorKEAKey (due to padding
-				   perhaps), this field will contain
-				   the real size of the bulk encryption
-				   key. */
-};
-
-/*
- * *****************************************************************************
- * *****************************************************************************
- * *****************************************************************************
- */
-
-/*
- * See comment above about this type not really belonging to CMS.
- */
-struct NSSCMSAttributeStr {
-    /* The following fields make up an encoded Attribute: */
-    SECItem			type;
-    SECItem **			values;	/* data may or may not be encoded */
-    /* The following fields are not part of an encoded Attribute: */
-    SECOidData *		typeTag;
-    PRBool			encoded;	/* when true, values are encoded */
-};
-
-#endif /* _CMST_H_ */
diff --git a/security/nss/lib/smime/cmsutil.c b/security/nss/lib/smime/cmsutil.c
deleted file mode 100644
index 1765655bb..000000000
--- a/security/nss/lib/smime/cmsutil.c
+++ /dev/null
@@ -1,401 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * CMS miscellaneous utility functions.
- *
- * $Id$
- */
-
-#include "nssrenam.h"
-
-#include "cmslocal.h"
-
-#include "cert.h"
-#include "key.h"
-#include "secasn1.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "secerr.h"
-#include "sechash.h"
-
-/*
- * NSS_CMSArray_SortByDER - sort array of objects by objects' DER encoding
- *
- * make sure that the order of the objects guarantees valid DER (which must be
- * in lexigraphically ascending order for a SET OF); if reordering is necessary it
- * will be done in place (in objs).
- */
-SECStatus
-NSS_CMSArray_SortByDER(void **objs, const SEC_ASN1Template *objtemplate, void **objs2)
-{
-    PRArenaPool *poolp;
-    int num_objs;
-    SECItem **enc_objs;
-    SECStatus rv = SECFailure;
-    int i;
-
-    if (objs == NULL)					/* already sorted */
-	return SECSuccess;
-
-    num_objs = NSS_CMSArray_Count((void **)objs);
-    if (num_objs == 0 || num_objs == 1)		/* already sorted. */
-	return SECSuccess;
-
-    poolp = PORT_NewArena (1024);	/* arena for temporaries */
-    if (poolp == NULL)
-	return SECFailure;		/* no memory; nothing we can do... */
-
-    /*
-     * Allocate arrays to hold the individual encodings which we will use
-     * for comparisons and the reordered attributes as they are sorted.
-     */
-    enc_objs = (SECItem **)PORT_ArenaZAlloc(poolp, (num_objs + 1) * sizeof(SECItem *));
-    if (enc_objs == NULL)
-	goto loser;
-
-    /* DER encode each individual object. */
-    for (i = 0; i < num_objs; i++) {
-	enc_objs[i] = SEC_ASN1EncodeItem(poolp, NULL, objs[i], objtemplate);
-	if (enc_objs[i] == NULL)
-	    goto loser;
-    }
-    enc_objs[num_objs] = NULL;
-
-    /* now compare and sort objs by the order of enc_objs */
-    NSS_CMSArray_Sort((void **)enc_objs, NSS_CMSUtil_DERCompare, objs, objs2);
-
-    rv = SECSuccess;
-
-loser:
-    PORT_FreeArena (poolp, PR_FALSE);
-    return rv;
-}
-
-/*
- * NSS_CMSUtil_DERCompare - for use with NSS_CMSArray_Sort to
- *  sort arrays of SECItems containing DER
- */
-int
-NSS_CMSUtil_DERCompare(void *a, void *b)
-{
-    SECItem *der1 = (SECItem *)a;
-    SECItem *der2 = (SECItem *)b;
-    unsigned int j;
-
-    /*
-     * Find the lowest (lexigraphically) encoding.  One that is
-     * shorter than all the rest is known to be "less" because each
-     * attribute is of the same type (a SEQUENCE) and so thus the
-     * first octet of each is the same, and the second octet is
-     * the length (or the length of the length with the high bit
-     * set, followed by the length, which also works out to always
-     * order the shorter first).  Two (or more) that have the
-     * same length need to be compared byte by byte until a mismatch
-     * is found.
-     */
-    if (der1->len != der2->len)
-	return (der1->len < der2->len) ? -1 : 1;
-
-    for (j = 0; j < der1->len; j++) {
-	if (der1->data[j] == der2->data[j])
-	    continue;
-	return (der1->data[j] < der2->data[j]) ? -1 : 1;
-    }
-    return 0;
-}
-
-/*
- * NSS_CMSAlgArray_GetIndexByAlgID - find a specific algorithm in an array of 
- * algorithms.
- *
- * algorithmArray - array of algorithm IDs
- * algid - algorithmid of algorithm to pick
- *
- * Returns:
- *  An integer containing the index of the algorithm in the array or -1 if 
- *  algorithm was not found.
- */
-int
-NSS_CMSAlgArray_GetIndexByAlgID(SECAlgorithmID **algorithmArray, SECAlgorithmID *algid)
-{
-    int i;
-
-    if (algorithmArray == NULL || algorithmArray[0] == NULL)
-	return -1;
-
-    for (i = 0; algorithmArray[i] != NULL; i++) {
-	if (SECOID_CompareAlgorithmID(algorithmArray[i], algid) == SECEqual)
-	    break;	/* bingo */
-    }
-
-    if (algorithmArray[i] == NULL)
-	return -1;	/* not found */
-
-    return i;
-}
-
-/*
- * NSS_CMSAlgArray_GetIndexByAlgTag - find a specific algorithm in an array of 
- * algorithms.
- *
- * algorithmArray - array of algorithm IDs
- * algtag - algorithm tag of algorithm to pick
- *
- * Returns:
- *  An integer containing the index of the algorithm in the array or -1 if 
- *  algorithm was not found.
- */
-int
-NSS_CMSAlgArray_GetIndexByAlgTag(SECAlgorithmID **algorithmArray, 
-                                 SECOidTag algtag)
-{
-    SECOidData *algid;
-    int i = -1;
-
-    if (algorithmArray == NULL || algorithmArray[0] == NULL)
-	return i;
-
-#ifdef ORDER_N_SQUARED
-    for (i = 0; algorithmArray[i] != NULL; i++) {
-	algid = SECOID_FindOID(&(algorithmArray[i]->algorithm));
-	if (algid->offset == algtag)
-	    break;	/* bingo */
-    }
-#else
-    algid = SECOID_FindOIDByTag(algtag);
-    if (!algid) 
-    	return i;
-    for (i = 0; algorithmArray[i] != NULL; i++) {
-	if (SECITEM_ItemsAreEqual(&algorithmArray[i]->algorithm, &algid->oid))
-	    break;	/* bingo */
-    }
-#endif
-
-    if (algorithmArray[i] == NULL)
-	return -1;	/* not found */
-
-    return i;
-}
-
-const SECHashObject *
-NSS_CMSUtil_GetHashObjByAlgID(SECAlgorithmID *algid)
-{
-    SECOidTag oidTag = SECOID_FindOIDTag(&(algid->algorithm));
-    const SECHashObject *digobj = HASH_GetHashObjectByOidTag(oidTag);
-
-    return digobj;
-}
-
-/*
- * XXX I would *really* like to not have to do this, but the current
- * signing interface gives me little choice.
- */
-SECOidTag
-NSS_CMSUtil_MakeSignatureAlgorithm(SECOidTag hashalg, SECOidTag encalg)
-{
-    switch (encalg) {
-      case SEC_OID_PKCS1_RSA_ENCRYPTION:
-	switch (hashalg) {
-	  case SEC_OID_MD2:
-	    return SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION;
-	  case SEC_OID_MD5:
-	    return SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;
-	  case SEC_OID_SHA1:
-	    return SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
-	  case SEC_OID_SHA256:
-	    return SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
-	  case SEC_OID_SHA384:
-	    return SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION;
-	  case SEC_OID_SHA512:
-	    return SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;
-	  default:
-	    return SEC_OID_UNKNOWN;
-	}
-      case SEC_OID_ANSIX9_DSA_SIGNATURE:
-      case SEC_OID_MISSI_KEA_DSS:
-      case SEC_OID_MISSI_DSS:
-	switch (hashalg) {
-	  case SEC_OID_SHA1:
-	    return SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
-	  default:
-	    return SEC_OID_UNKNOWN;
-	}
-      case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
-	switch (hashalg) {
-	  case SEC_OID_SHA1:
-	    return SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST;
-	  default:
-	    return SEC_OID_UNKNOWN;
-	}
-      default:
-	break;
-    }
-
-    return encalg;		/* maybe it is already the right algid */
-}
-
-const SEC_ASN1Template *
-NSS_CMSUtil_GetTemplateByTypeTag(SECOidTag type)
-{
-    const SEC_ASN1Template *template;
-    extern const SEC_ASN1Template NSSCMSSignedDataTemplate[];
-    extern const SEC_ASN1Template NSSCMSEnvelopedDataTemplate[];
-    extern const SEC_ASN1Template NSSCMSEncryptedDataTemplate[];
-    extern const SEC_ASN1Template NSSCMSDigestedDataTemplate[];
-
-    switch (type) {
-    case SEC_OID_PKCS7_SIGNED_DATA:
-	template = NSSCMSSignedDataTemplate;
-	break;
-    case SEC_OID_PKCS7_ENVELOPED_DATA:
-	template = NSSCMSEnvelopedDataTemplate;
-	break;
-    case SEC_OID_PKCS7_ENCRYPTED_DATA:
-	template = NSSCMSEncryptedDataTemplate;
-	break;
-    case SEC_OID_PKCS7_DIGESTED_DATA:
-	template = NSSCMSDigestedDataTemplate;
-	break;
-    default:
-    case SEC_OID_PKCS7_DATA:
-	template = NULL;
-	break;
-    }
-    return template;
-}
-
-size_t
-NSS_CMSUtil_GetSizeByTypeTag(SECOidTag type)
-{
-    size_t size;
-
-    switch (type) {
-    case SEC_OID_PKCS7_SIGNED_DATA:
-	size = sizeof(NSSCMSSignedData);
-	break;
-    case SEC_OID_PKCS7_ENVELOPED_DATA:
-	size = sizeof(NSSCMSEnvelopedData);
-	break;
-    case SEC_OID_PKCS7_ENCRYPTED_DATA:
-	size = sizeof(NSSCMSEncryptedData);
-	break;
-    case SEC_OID_PKCS7_DIGESTED_DATA:
-	size = sizeof(NSSCMSDigestedData);
-	break;
-    default:
-    case SEC_OID_PKCS7_DATA:
-	size = 0;
-	break;
-    }
-    return size;
-}
-
-NSSCMSContentInfo *
-NSS_CMSContent_GetContentInfo(void *msg, SECOidTag type)
-{
-    NSSCMSContent c;
-    NSSCMSContentInfo *cinfo = NULL;
-
-    if (!msg)
-	return cinfo;
-    c.pointer = msg;
-    switch (type) {
-    case SEC_OID_PKCS7_SIGNED_DATA:
-	cinfo = &(c.signedData->contentInfo);
-	break;
-    case SEC_OID_PKCS7_ENVELOPED_DATA:
-	cinfo = &(c.envelopedData->contentInfo);
-	break;
-    case SEC_OID_PKCS7_ENCRYPTED_DATA:
-	cinfo = &(c.encryptedData->contentInfo);
-	break;
-    case SEC_OID_PKCS7_DIGESTED_DATA:
-	cinfo = &(c.digestedData->contentInfo);
-	break;
-    default:
-	cinfo = NULL;
-    }
-    return cinfo;
-}
-
-const char *
-NSS_CMSUtil_VerificationStatusToString(NSSCMSVerificationStatus vs)
-{
-    switch (vs) {
-    case NSSCMSVS_Unverified:			return "Unverified";
-    case NSSCMSVS_GoodSignature:		return "GoodSignature";
-    case NSSCMSVS_BadSignature:			return "BadSignature";
-    case NSSCMSVS_DigestMismatch:		return "DigestMismatch";
-    case NSSCMSVS_SigningCertNotFound:		return "SigningCertNotFound";
-    case NSSCMSVS_SigningCertNotTrusted:	return "SigningCertNotTrusted";
-    case NSSCMSVS_SignatureAlgorithmUnknown:	return "SignatureAlgorithmUnknown";
-    case NSSCMSVS_SignatureAlgorithmUnsupported: return "SignatureAlgorithmUnsupported";
-    case NSSCMSVS_MalformedSignature:		return "MalformedSignature";
-    case NSSCMSVS_ProcessingError:		return "ProcessingError";
-    default:					return "Unknown";
-    }
-}
-
-SECStatus
-NSS_CMSDEREncode(NSSCMSMessage *cmsg, SECItem *input, SECItem *derOut, 
-                 PLArenaPool *arena)
-{
-    NSSCMSEncoderContext *ecx;
-    SECStatus rv = SECSuccess;
-    if (!cmsg || !derOut || !arena) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    ecx = NSS_CMSEncoder_Start(cmsg, 0, 0, derOut, arena, 0, 0, 0, 0, 0, 0);
-    if (!ecx) {
-	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	return SECFailure;
-    }
-    if (input) {
-	rv = NSS_CMSEncoder_Update(ecx, (const char*)input->data, input->len);
-	if (rv) {
-	    PORT_SetError(SEC_ERROR_BAD_DATA);
-	}
-    }
-    rv |= NSS_CMSEncoder_Finish(ecx);
-    if (rv) {
-	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-    }
-    return rv;
-}
diff --git a/security/nss/lib/smime/config.mk b/security/nss/lib/smime/config.mk
deleted file mode 100644
index 236dd375b..000000000
--- a/security/nss/lib/smime/config.mk
+++ /dev/null
@@ -1,99 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-RELEASE_LIBS = $(TARGETS)
-
-ifeq (,$(filter-out WIN%,$(OS_TARGET)))
-
-# don't want the 32 in the shared library name
-SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
-IMPORT_LIBRARY = $(OBJDIR)/$(IMPORT_LIB_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION)$(IMPORT_LIB_SUFFIX)
-
-RES = $(OBJDIR)/smime.res
-RESNAME = smime.rc
-
-ifdef NS_USE_GCC
-EXTRA_SHARED_LIBS += \
-	-L$(DIST)/lib \
-	-lnss3 \
-	-L$(NSPR_LIB_DIR) \
-	-lplc4 \
-	-lplds4 \
-	-lnspr4 \
-	$(NULL)
-else # ! NS_USE_GCC
-EXTRA_SHARED_LIBS += \
-	$(DIST)/lib/nss3.lib \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
-	$(NULL)
-endif # NS_USE_GCC
-
-else
-
-EXTRA_SHARED_LIBS += \
-	-L$(DIST)/lib \
-	-lnss3 \
-	-L$(NSPR_LIB_DIR) \
-	-lplc4 \
-	-lplds4 \
-	-lnspr4 \
-	$(NULL)
-
-ifeq ($(OS_ARCH), Darwin)
-EXTRA_SHARED_LIBS += -dylib_file @executable_path/libsoftokn3.dylib:$(DIST)/lib/libsoftokn3.dylib
-endif
-
-endif
-
-
-SHARED_LIBRARY_LIBS = \
-	$(DIST)/lib/$(LIB_PREFIX)pkcs12.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkcs7.$(LIB_SUFFIX) \
-	$(NULL)
-
-SHARED_LIBRARY_DIRS = \
-	../pkcs12 \
-	../pkcs7 \
-	$(NULL)
-
-ifeq ($(OS_TARGET),SunOS)
-# The -R '$ORIGIN' linker option instructs this library to search for its
-# dependencies in the same directory where it resides.
-MKSHLIB += -R '$$ORIGIN'
-endif
diff --git a/security/nss/lib/smime/manifest.mn b/security/nss/lib/smime/manifest.mn
deleted file mode 100644
index d0b4db607..000000000
--- a/security/nss/lib/smime/manifest.mn
+++ /dev/null
@@ -1,81 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-EXPORTS = \
-	cms.h \
-	cmst.h \
-	smime.h \
-	cmsreclist.h \
-	$(NULL)
-
-PRIVATE_EXPORTS = \
-	cmslocal.h \
-	$(NULL)
-
-MODULE = nss
-MAPFILE = $(OBJDIR)/smime.def
-
-CSRCS = \
-	cmsarray.c \
-	cmsasn1.c \
-	cmsattr.c \
-	cmscinfo.c \
-	cmscipher.c \
-	cmsdecode.c \
-	cmsdigdata.c \
-	cmsdigest.c \
-	cmsencdata.c \
-	cmsencode.c \
-	cmsenvdata.c \
-	cmsmessage.c \
-	cmspubkey.c \
-	cmsrecinfo.c \
-	cmsreclist.c \
-	cmssigdata.c \
-	cmssiginfo.c \
-	cmsutil.c \
-	smimemessage.c \
-	smimeutil.c \
-	smimever.c \
-	$(NULL)
-
-REQUIRES = dbm
-
-LIBRARY_NAME = smime
-LIBRARY_VERSION = 3
diff --git a/security/nss/lib/smime/smime.def b/security/nss/lib/smime/smime.def
deleted file mode 100644
index 91e77c61a..000000000
--- a/security/nss/lib/smime/smime.def
+++ /dev/null
@@ -1,268 +0,0 @@
-;+#
-;+# ***** BEGIN LICENSE BLOCK *****
-;+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-;+#
-;+# The contents of this file are subject to the Mozilla Public License Version
-;+# 1.1 (the "License"); you may not use this file except in compliance with
-;+# the License. You may obtain a copy of the License at
-;+# http://www.mozilla.org/MPL/
-;+#
-;+# Software distributed under the License is distributed on an "AS IS" basis,
-;+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-;+# for the specific language governing rights and limitations under the
-;+# License.
-;+#
-;+# The Original Code is the Netscape security libraries.
-;+#
-;+# The Initial Developer of the Original Code is
-;+# Netscape Communications Corporation.
-;+# Portions created by the Initial Developer are Copyright (C) 2000
-;+# the Initial Developer. All Rights Reserved.
-;+#
-;+# Contributor(s):
-;+#
-;+# Alternatively, the contents of this file may be used under the terms of
-;+# either the GNU General Public License Version 2 or later (the "GPL"), or
-;+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-;+# in which case the provisions of the GPL or the LGPL are applicable instead
-;+# of those above. If you wish to allow use of your version of this file only
-;+# under the terms of either the GPL or the LGPL, and not to allow others to
-;+# use your version of this file under the terms of the MPL, indicate your
-;+# decision by deleting the provisions above and replace them with the notice
-;+# and other provisions required by the GPL or the LGPL. If you do not delete
-;+# the provisions above, a recipient may use your version of this file under
-;+# the terms of any one of the MPL, the GPL or the LGPL.
-;+#
-;+# ***** END LICENSE BLOCK *****
-;+#
-;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
-;+#   1. For all unix platforms, the string ";-"  means "remove this line"
-;+#   2. For all unix platforms, the string " DATA " will be removed from any 
-;+#	line on which it occurs.
-;+#   3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
-;+#      On AIX, lines containing ";+" will be removed.  
-;+#   4. For all unix platforms, the string ";;" will thave the ";;" removed.
-;+#   5. For all unix platforms, after the above processing has taken place,
-;+#    all characters after the first ";" on the line will be removed.  
-;+#    And for AIX, the first ";" will also be removed.
-;+#  This file is passed directly to windows. Since ';' is a comment, all UNIX
-;+#   directives are hidden behind ";", ";+", and ";-"
-;+
-;+NSS_3.2 {               # NSS 3.2 release
-;+    global:
-LIBRARY smime3 ;-
-EXPORTS	;-
-NSS_CMSContentInfo_GetBulkKey;
-NSS_CMSContentInfo_GetBulkKeySize;
-NSS_CMSContentInfo_GetContent;
-NSS_CMSContentInfo_GetContentEncAlgTag;
-NSS_CMSContentInfo_GetContentTypeTag;
-NSS_CMSContentInfo_SetBulkKey;
-NSS_CMSContentInfo_SetContent;
-NSS_CMSContentInfo_SetContentEncAlg;
-NSS_CMSContentInfo_SetContent_Data;
-NSS_CMSContentInfo_SetContent_DigestedData;
-NSS_CMSContentInfo_SetContent_EncryptedData;
-NSS_CMSContentInfo_SetContent_EnvelopedData;
-NSS_CMSContentInfo_SetContent_SignedData;
-NSS_CMSDEREncode;
-NSS_CMSDecoder_Cancel;
-NSS_CMSDecoder_Finish;
-NSS_CMSDecoder_Start;
-NSS_CMSDecoder_Update;
-NSS_CMSDigestContext_Cancel;
-NSS_CMSDigestContext_FinishMultiple;
-NSS_CMSDigestContext_FinishSingle;
-NSS_CMSDigestContext_StartMultiple;
-NSS_CMSDigestContext_StartSingle;
-NSS_CMSDigestContext_Update;
-NSS_CMSDigestedData_Create;
-NSS_CMSDigestedData_Destroy;
-NSS_CMSDigestedData_GetContentInfo;
-NSS_CMSEncoder_Cancel;
-NSS_CMSEncoder_Finish;
-NSS_CMSEncoder_Start;
-NSS_CMSEncoder_Update;
-NSS_CMSEncryptedData_Create;
-NSS_CMSEncryptedData_Destroy;
-NSS_CMSEncryptedData_GetContentInfo;
-NSS_CMSEnvelopedData_AddRecipient;
-NSS_CMSEnvelopedData_Create;
-NSS_CMSEnvelopedData_Destroy;
-NSS_CMSEnvelopedData_GetContentInfo;
-NSS_CMSMessage_ContentLevel;
-NSS_CMSMessage_ContentLevelCount;
-NSS_CMSMessage_Copy;
-NSS_CMSMessage_Create;
-NSS_CMSMessage_CreateFromDER;
-NSS_CMSMessage_Destroy;
-NSS_CMSMessage_GetContent;
-NSS_CMSMessage_GetContentInfo;
-NSS_CMSRecipientInfo_Create;
-NSS_CMSRecipientInfo_Destroy;
-NSS_CMSSignedData_AddCertChain;
-NSS_CMSSignedData_AddCertList;
-NSS_CMSSignedData_AddCertificate;
-NSS_CMSSignedData_AddDigest;
-NSS_CMSSignedData_AddSignerInfo;
-NSS_CMSSignedData_Create;
-NSS_CMSSignedData_CreateCertsOnly;
-NSS_CMSSignedData_Destroy;
-NSS_CMSSignedData_GetContentInfo;
-NSS_CMSSignedData_GetDigestAlgs;
-NSS_CMSSignedData_GetSignerInfo;
-NSS_CMSSignedData_HasDigests;
-NSS_CMSSignedData_ImportCerts;
-NSS_CMSSignedData_SetDigests;
-NSS_CMSSignedData_SignerInfoCount;
-NSS_CMSSignedData_VerifyCertsOnly;
-NSS_CMSSignedData_VerifySignerInfo;
-NSS_CMSSignerInfo_AddSMIMECaps;
-NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs;
-NSS_CMSSignerInfo_AddSigningTime;
-NSS_CMSSignerInfo_Create;
-NSS_CMSSignerInfo_Destroy;
-NSS_CMSSignerInfo_GetCertList;
-NSS_CMSSignerInfo_GetSignerCommonName;
-NSS_CMSSignerInfo_GetSignerEmailAddress;
-NSS_CMSSignerInfo_GetSigningCertificate;
-NSS_CMSSignerInfo_GetSigningTime;
-NSS_CMSSignerInfo_GetVerificationStatus;
-NSS_CMSSignerInfo_GetVersion;
-NSS_CMSSignerInfo_IncludeCerts;
-NSS_CMSUtil_VerificationStatusToString;
-NSS_SMIMEUtil_FindBulkAlgForRecipients;
-CERT_DecodeCertPackage;
-SEC_PKCS7AddRecipient;
-SEC_PKCS7AddSigningTime;
-SEC_PKCS7ContentType;
-SEC_PKCS7CreateData;
-SEC_PKCS7CreateEncryptedData;
-SEC_PKCS7CreateEnvelopedData;
-SEC_PKCS7CreateSignedData;
-SEC_PKCS7DecodeItem;
-SEC_PKCS7DecoderFinish;
-SEC_PKCS7DecoderStart;
-SEC_PKCS7DecoderUpdate;
-SEC_PKCS7DecryptContents;
-SEC_PKCS7DestroyContentInfo;
-SEC_PKCS7EncoderFinish;
-SEC_PKCS7EncoderStart;
-SEC_PKCS7EncoderUpdate;
-SEC_PKCS7GetCertificateList;
-SEC_PKCS7GetContent;
-SEC_PKCS7GetEncryptionAlgorithm;
-SEC_PKCS7IncludeCertChain;
-SEC_PKCS7IsContentEmpty;
-SEC_PKCS7VerifySignature;
-SEC_PKCS12AddCertAndKey;
-SEC_PKCS12AddPasswordIntegrity;
-SEC_PKCS12CreateExportContext;
-SEC_PKCS12CreatePasswordPrivSafe;
-SEC_PKCS12CreateUnencryptedSafe;
-SEC_PKCS12EnableCipher;
-SEC_PKCS12Encode;
-SEC_PKCS12DecoderImportBags;
-SEC_PKCS12DecoderFinish;
-SEC_PKCS12DecoderStart;
-SEC_PKCS12DecoderUpdate;
-SEC_PKCS12DecoderValidateBags;
-SEC_PKCS12DecoderVerify;
-SEC_PKCS12DestroyExportContext;
-SEC_PKCS12IsEncryptionAllowed;
-SEC_PKCS12SetPreferredCipher;
-;+    local:
-;+        *;
-;+};
-;+NSS_3.2.1 {               # NSS 3.2.1 release
-;+    global:
-NSSSMIME_VersionCheck;
-;+    local:
-;+        *;
-;+};
-;+NSS_3.3 {     # NSS 3.3 release
-;+    global:
-SEC_PKCS7AddCertificate;
-SEC_PKCS7CreateCertsOnly;
-SEC_PKCS7Encode;
-;+    local:
-;+       *;
-;+};
-;+NSS_3.4 {     # NSS 3.4 release
-;+    global:
-CERT_DecodeCertFromPackage;
-NSS_CMSMessage_IsSigned;
-NSS_CMSSignedData_SetDigestValue;
-NSS_SMIMESignerInfo_SaveSMIMEProfile;
-SEC_PKCS12DecoderGetCerts;
-SEC_PKCS7ContainsCertsOrCrls;
-SEC_PKCS7ContentIsEncrypted;
-SEC_PKCS7ContentIsSigned;
-SEC_PKCS7CopyContentInfo;
-SEC_PKCS7GetSignerCommonName;
-SEC_PKCS7GetSignerEmailAddress;
-SEC_PKCS7GetSigningTime;
-SEC_PKCS7SetContent;
-SEC_PKCS7VerifyDetachedSignature;
-SECMIME_DecryptionAllowed;
-;+    local:
-;+       *;
-;+};
-;+NSS_3.4.1 {     # NSS 3.4.1 release
-;+    global:
-NSS_CMSMessage_IsEncrypted;
-;+    local:
-;+       *;
-;+};
-;+NSS_3.6 {     # NSS 3.6 release
-;+    global:
-NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs;
-NSS_CMSSignerInfo_CreateWithSubjKeyID;
-;+    local:
-;+       *;
-;+};
-;+NSS_3.7 {     # NSS 3.7 release
-;+    global:
-NSS_CMSRecipientInfo_CreateWithSubjKeyID;
-NSS_CMSRecipientInfo_CreateWithSubjKeyIDFromCert;
-;+    local:
-;+       *;
-;+};
-;+NSS_3.7.2 {   # NSS 3.7.2 release
-;+    global:
-NSS_CMSRecipientInfo_WrapBulkKey;
-NSS_CMSRecipientInfo_UnwrapBulkKey;
-;+    local:
-;+       *;
-;+};
-;+NSS_3.8 {   # NSS 3.8 release
-;+    global:
-NSS_CMSRecipientInfo_CreateNew;
-NSS_CMSRecipientInfo_CreateFromDER;
-NSS_CMSRecipientInfo_Encode;
-NSS_CMSRecipientInfo_GetCertAndKey;
-SEC_PKCS12DecoderSetTargetTokenCAs;
-;+    local:
-;+       *;
-;+};
-;+NSS_3.9 {   # NSS 3.9 release
-;+    global:
-SEC_PKCS7DecoderAbort;
-SEC_PKCS7EncoderAbort;
-;+    local:
-;+       *;
-;+};
-;+NSS_3.9.3 {   # NSS 3.9.3 release
-;+    global:
-CERT_ConvertAndDecodeCertificate;
-SEC_PKCS7EncodeItem;
-;+    local:
-;+       *;
-;+};
-;+NSS_3.10 {   # NSS 3.10 release
-;+    global:
-SEC_PKCS12DecoderIterateInit;
-SEC_PKCS12DecoderIterateNext;
-;+    local:
-;+       *;
-;+};
diff --git a/security/nss/lib/smime/smime.h b/security/nss/lib/smime/smime.h
deleted file mode 100644
index 5fc659023..000000000
--- a/security/nss/lib/smime/smime.h
+++ /dev/null
@@ -1,156 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Header file for routines specific to S/MIME.  Keep things that are pure
- * pkcs7 out of here; this is for S/MIME policy, S/MIME interoperability, etc.
- *
- * $Id$
- */
-
-#ifndef _SECMIME_H_
-#define _SECMIME_H_ 1
-
-#include "cms.h"
-
-
-/************************************************************************/
-SEC_BEGIN_PROTOS
-
-/*
- * Initialize the local recording of the user S/MIME cipher preferences.
- * This function is called once for each cipher, the order being
- * important (first call records greatest preference, and so on).
- * When finished, it is called with a "which" of CIPHER_FAMILID_MASK.
- * If the function is called again after that, it is assumed that
- * the preferences are being reset, and the old preferences are
- * discarded.
- *
- * XXX This is for a particular user, and right now the storage is
- * XXX local, static.  The preference should be stored elsewhere to allow
- * XXX for multiple uses of one library?  How does SSL handle this;
- * XXX it has something similar?
- *
- *  - The "which" values are defined in ciferfam.h (the SMIME_* values,
- *    for example SMIME_DES_CBC_56).
- *  - If "on" is non-zero then the named cipher is enabled, otherwise
- *    it is disabled.  (It is not necessary to call the function for
- *    ciphers that are disabled, however, as that is the default.)
- *
- * If the cipher preference is successfully recorded, SECSuccess
- * is returned.  Otherwise SECFailure is returned.  The only errors
- * are due to failure allocating memory or bad parameters/calls:
- *	SEC_ERROR_XXX ("which" is not in the S/MIME cipher family)
- *	SEC_ERROR_XXX (function is being called more times than there
- *		are known/expected ciphers)
- */
-extern SECStatus NSS_SMIMEUtil_EnableCipher(long which, int on);
-
-/*
- * Initialize the local recording of the S/MIME policy.
- * This function is called to allow/disallow a particular cipher.
- *
- * XXX This is for a the current module, I think, so local, static storage
- * XXX is okay.  Is that correct, or could multiple uses of the same
- * XXX library expect to operate under different policies?
- *
- *  - The "which" values are defined in ciferfam.h (the SMIME_* values,
- *    for example SMIME_DES_CBC_56).
- *  - If "on" is non-zero then the named cipher is enabled, otherwise
- *    it is disabled.
- */
-extern SECStatus NSS_SMIMEUtils_AllowCipher(long which, int on);
-
-/*
- * Does the current policy allow S/MIME decryption of this particular
- * algorithm and keysize?
- */
-extern PRBool NSS_SMIMEUtil_DecryptionAllowed(SECAlgorithmID *algid, PK11SymKey *key);
-
-/*
- * Does the current policy allow *any* S/MIME encryption (or decryption)?
- *
- * This tells whether or not *any* S/MIME encryption can be done,
- * according to policy.  Callers may use this to do nicer user interface
- * (say, greying out a checkbox so a user does not even try to encrypt
- * a message when they are not allowed to) or for any reason they want
- * to check whether S/MIME encryption (or decryption, for that matter)
- * may be done.
- *
- * It takes no arguments.  The return value is a simple boolean:
- *   PR_TRUE means encryption (or decryption) is *possible*
- *	(but may still fail due to other reasons, like because we cannot
- *	find all the necessary certs, etc.; PR_TRUE is *not* a guarantee)
- *   PR_FALSE means encryption (or decryption) is not permitted
- *
- * There are no errors from this routine.
- */
-extern PRBool NSS_SMIMEUtil_EncryptionPossible(void);
-
-/*
- * NSS_SMIMEUtil_CreateSMIMECapabilities - get S/MIME capabilities attr value
- *
- * scans the list of allowed and enabled ciphers and construct a PKCS9-compliant
- * S/MIME capabilities attribute value.
- */
-extern SECStatus NSS_SMIMEUtil_CreateSMIMECapabilities(PLArenaPool *poolp, SECItem *dest, PRBool includeFortezzaCiphers);
-
-/*
- * NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs - create S/MIME encryption key preferences attr value
- */
-extern SECStatus NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs(PLArenaPool *poolp, SECItem *dest, CERTCertificate *cert);
-
-/*
- * NSS_SMIMEUtil_CreateMSSMIMEEncKeyPrefs - create S/MIME encryption key preferences attr value using MS oid
- */
-extern SECStatus NSS_SMIMEUtil_CreateMSSMIMEEncKeyPrefs(PLArenaPool *poolp, SECItem *dest, CERTCertificate *cert);
-
-/*
- * NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference - find cert marked by EncryptionKeyPreference
- *          attribute
- */
-extern CERTCertificate *NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference(CERTCertDBHandle *certdb, SECItem *DERekp);
-
-/*
- * NSS_SMIMEUtil_FindBulkAlgForRecipients - find bulk algorithm suitable for all recipients
- */
-extern SECStatus
-NSS_SMIMEUtil_FindBulkAlgForRecipients(CERTCertificate **rcerts, SECOidTag *bulkalgtag, int *keysize);
-
-/************************************************************************/
-SEC_END_PROTOS
-
-#endif /* _SECMIME_H_ */
diff --git a/security/nss/lib/smime/smime.rc b/security/nss/lib/smime/smime.rc
deleted file mode 100644
index 05fb11bfa..000000000
--- a/security/nss/lib/smime/smime.rc
+++ /dev/null
@@ -1,101 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2001
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "nss.h"
-#include <winver.h>
-
-#define MY_LIBNAME "smime"
-#define MY_FILEDESCRIPTION "NSS S/MIME Library"
-
-#define STRINGIZE(x) #x
-#define STRINGIZE2(x) STRINGIZE(x)
-#define NSS_VMAJOR_STR STRINGIZE2(NSS_VMAJOR)
-
-#ifdef _DEBUG
-#define MY_DEBUG_STR " (debug)"
-#define MY_FILEFLAGS_1 VS_FF_DEBUG
-#else
-#define MY_DEBUG_STR ""
-#define MY_FILEFLAGS_1 0x0L
-#endif
-#if NSS_BETA
-#define MY_FILEFLAGS_2 MY_FILEFLAGS_1|VS_FF_PRERELEASE
-#else
-#define MY_FILEFLAGS_2 MY_FILEFLAGS_1
-#endif
-
-#ifdef WINNT
-#define MY_FILEOS VOS_NT_WINDOWS32
-#else
-#define MY_FILEOS VOS__WINDOWS32
-#endif
-
-#define MY_INTERNAL_NAME MY_LIBNAME NSS_VMAJOR_STR
-
-/////////////////////////////////////////////////////////////////////////////
-//
-// Version-information resource
-//
-
-VS_VERSION_INFO VERSIONINFO
- FILEVERSION NSS_VMAJOR,NSS_VMINOR,NSS_VPATCH,0
- PRODUCTVERSION NSS_VMAJOR,NSS_VMINOR,NSS_VPATCH,0
- FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
- FILEFLAGS MY_FILEFLAGS_2
- FILEOS MY_FILEOS
- FILETYPE VFT_DLL
- FILESUBTYPE 0x0L // not used
-
-BEGIN
-    BLOCK "StringFileInfo"
-    BEGIN
-        BLOCK "040904B0" // Lang=US English, CharSet=Unicode
-        BEGIN
-            VALUE "CompanyName", "Netscape Communications Corporation\0"
-            VALUE "FileDescription", MY_FILEDESCRIPTION MY_DEBUG_STR "\0"
-            VALUE "FileVersion", NSS_VERSION "\0"
-            VALUE "InternalName", MY_INTERNAL_NAME "\0"
-            VALUE "LegalCopyright", "Copyright \251 1994-2001 Netscape Communications Corporation\0"
-            VALUE "OriginalFilename", MY_INTERNAL_NAME ".dll\0"
-            VALUE "ProductName", "Network Security Services\0"
-            VALUE "ProductVersion", NSS_VERSION "\0"
-        END
-    END
-    BLOCK "VarFileInfo"
-    BEGIN
-        VALUE "Translation", 0x409, 1200
-    END
-END
diff --git a/security/nss/lib/smime/smimemessage.c b/security/nss/lib/smime/smimemessage.c
deleted file mode 100644
index 76e709332..000000000
--- a/security/nss/lib/smime/smimemessage.c
+++ /dev/null
@@ -1,218 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * SMIME message methods
- *
- * $Id$
- */
-
-#include "cmslocal.h"
-#include "smime.h"
-
-#include "cert.h"
-#include "key.h"
-#include "secasn1.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "prtime.h"
-#include "secerr.h"
-
-
-#if 0
-/*
- * NSS_SMIMEMessage_CreateEncrypted - start an S/MIME encrypting context.
- *
- * "scert" is the cert for the sender.  It will be checked for validity.
- * "rcerts" are the certs for the recipients.  They will also be checked.
- *
- * "certdb" is the cert database to use for verifying the certs.
- * It can be NULL if a default database is available (like in the client).
- *
- * This function already does all of the stuff specific to S/MIME protocol
- * and local policy; the return value just needs to be passed to
- * SEC_PKCS7Encode() or to SEC_PKCS7EncoderStart() to create the encoded data,
- * and finally to SEC_PKCS7DestroyContentInfo().
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-NSSCMSMessage *
-NSS_SMIMEMessage_CreateEncrypted(CERTCertificate *scert,
-			CERTCertificate **rcerts,
-			CERTCertDBHandle *certdb,
-			PK11PasswordFunc pwfn,
-			void *pwfn_arg)
-{
-    NSSCMSMessage *cmsg;
-    long cipher;
-    SECOidTag encalg;
-    int keysize;
-    int mapi, rci;
-
-    cipher = smime_choose_cipher (scert, rcerts);
-    if (cipher < 0)
-	return NULL;
-
-    mapi = smime_mapi_by_cipher (cipher);
-    if (mapi < 0)
-	return NULL;
-
-    /*
-     * XXX This is stretching it -- CreateEnvelopedData should probably
-     * take a cipher itself of some sort, because we cannot know what the
-     * future will bring in terms of parameters for each type of algorithm.
-     * For example, just an algorithm and keysize is *not* sufficient to
-     * fully specify the usage of RC5 (which also needs to know rounds and
-     * block size).  Work this out into a better API!
-     */
-    encalg = smime_cipher_map[mapi].algtag;
-    keysize = smime_keysize_by_cipher (cipher);
-    if (keysize < 0)
-	return NULL;
-
-    cinfo = SEC_PKCS7CreateEnvelopedData (scert, certUsageEmailRecipient,
-					  certdb, encalg, keysize,
-					  pwfn, pwfn_arg);
-    if (cinfo == NULL)
-	return NULL;
-
-    for (rci = 0; rcerts[rci] != NULL; rci++) {
-	if (rcerts[rci] == scert)
-	    continue;
-	if (SEC_PKCS7AddRecipient (cinfo, rcerts[rci], certUsageEmailRecipient,
-				   NULL) != SECSuccess) {
-	    SEC_PKCS7DestroyContentInfo (cinfo);
-	    return NULL;
-	}
-    }
-
-    return cinfo;
-}
-
-
-/*
- * Start an S/MIME signing context.
- *
- * "scert" is the cert that will be used to sign the data.  It will be
- * checked for validity.
- *
- * "ecert" is the signer's encryption cert.  If it is different from
- * scert, then it will be included in the signed message so that the
- * recipient can save it for future encryptions.
- *
- * "certdb" is the cert database to use for verifying the cert.
- * It can be NULL if a default database is available (like in the client).
- * 
- * "digestalg" names the digest algorithm (e.g. SEC_OID_SHA1).
- * XXX There should be SECMIME functions for hashing, or the hashing should
- * be built into this interface, which we would like because we would
- * support more smartcards that way, and then this argument should go away.)
- *
- * "digest" is the actual digest of the data.  It must be provided in
- * the case of detached data or NULL if the content will be included.
- *
- * This function already does all of the stuff specific to S/MIME protocol
- * and local policy; the return value just needs to be passed to
- * SEC_PKCS7Encode() or to SEC_PKCS7EncoderStart() to create the encoded data,
- * and finally to SEC_PKCS7DestroyContentInfo().
- *
- * An error results in a return value of NULL and an error set.
- * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
- */
-
-NSSCMSMessage *
-NSS_SMIMEMessage_CreateSigned(CERTCertificate *scert,
-		      CERTCertificate *ecert,
-		      CERTCertDBHandle *certdb,
-		      SECOidTag digestalgtag,
-		      SECItem *digest,
-		      PK11PasswordFunc pwfn,
-		      void *pwfn_arg)
-{
-    NSSCMSMessage *cmsg;
-    NSSCMSSignedData *sigd;
-    NSSCMSSignerInfo *signerinfo;
-
-    /* See note in header comment above about digestalg. */
-    /* Doesn't explain this.  PORT_Assert (digestalgtag == SEC_OID_SHA1); */
-
-    cmsg = NSS_CMSMessage_Create(NULL);
-    if (cmsg == NULL)
-	return NULL;
-
-    sigd = NSS_CMSSignedData_Create(cmsg);
-    if (sigd == NULL)
-	goto loser;
-
-    /* create just one signerinfo */
-    signerinfo = NSS_CMSSignerInfo_Create(cmsg, scert, digestalgtag);
-    if (signerinfo == NULL)
-	goto loser;
-
-    /* Add the signing time to the signerinfo.  */
-    if (NSS_CMSSignerInfo_AddSigningTime(signerinfo, PR_Now()) != SECSuccess)
-	goto loser;
-    
-    /* and add the SMIME profile */
-    if (NSS_SMIMESignerInfo_AddSMIMEProfile(signerinfo, scert) != SECSuccess)
-	goto loser;
-
-    /* now add the signerinfo to the signeddata */
-    if (NSS_CMSSignedData_AddSignerInfo(sigd, signerinfo) != SECSuccess)
-	goto loser;
-
-    /* include the signing cert and its entire chain */
-    /* note that there are no checks for duplicate certs in place, as all the */
-    /* essential data structures (like set of certificate) are not there */
-    if (NSS_CMSSignedData_AddCertChain(sigd, scert) != SECSuccess)
-	goto loser;
-
-    /* If the encryption cert and the signing cert differ, then include
-     * the encryption cert too. */
-    if ( ( ecert != NULL ) && ( ecert != scert ) ) {
-	if (NSS_CMSSignedData_AddCertificate(sigd, ecert) != SECSuccess)
-	    goto loser;
-    }
-
-    return cmsg;
-loser:
-    if (cmsg)
-	NSS_CMSMessage_Destroy(cmsg);
-    return NULL;
-}
-#endif
diff --git a/security/nss/lib/smime/smimesym.c b/security/nss/lib/smime/smimesym.c
deleted file mode 100644
index e7bb771e5..000000000
--- a/security/nss/lib/smime/smimesym.c
+++ /dev/null
@@ -1,8 +0,0 @@
-extern void SEC_PKCS7DecodeItem();
-extern void SEC_PKCS7DestroyContentInfo();
-
-smime_CMDExports() {
-	SEC_PKCS7DecodeItem();
-	SEC_PKCS7DestroyContentInfo();
-}
-
diff --git a/security/nss/lib/smime/smimeutil.c b/security/nss/lib/smime/smimeutil.c
deleted file mode 100644
index 6fb10ec07..000000000
--- a/security/nss/lib/smime/smimeutil.c
+++ /dev/null
@@ -1,784 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Stuff specific to S/MIME policy and interoperability.
- *
- * $Id$
- */
-
-#include "secmime.h"
-#include "secoid.h"
-#include "pk11func.h"
-#include "ciferfam.h"	/* for CIPHER_FAMILY symbols */
-#include "secasn1.h"
-#include "secitem.h"
-#include "cert.h"
-#include "key.h"
-#include "secerr.h"
-#include "cms.h"
-#include "nss.h"
-
-SEC_ASN1_MKSUB(CERT_IssuerAndSNTemplate)
-SEC_ASN1_MKSUB(SEC_OctetStringTemplate)
-SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate)
-
-/* various integer's ASN.1 encoding */
-static unsigned char asn1_int40[] = { SEC_ASN1_INTEGER, 0x01, 0x28 };
-static unsigned char asn1_int64[] = { SEC_ASN1_INTEGER, 0x01, 0x40 };
-static unsigned char asn1_int128[] = { SEC_ASN1_INTEGER, 0x02, 0x00, 0x80 };
-
-/* RC2 algorithm parameters (used in smime_cipher_map) */
-static SECItem param_int40 = { siBuffer, asn1_int40, sizeof(asn1_int40) };
-static SECItem param_int64 = { siBuffer, asn1_int64, sizeof(asn1_int64) };
-static SECItem param_int128 = { siBuffer, asn1_int128, sizeof(asn1_int128) };
-
-/*
- * XXX Would like the "parameters" field to be a SECItem *, but the
- * encoder is having trouble with optional pointers to an ANY.  Maybe
- * once that is fixed, can change this back...
- */
-typedef struct {
-    SECItem capabilityID;
-    SECItem parameters;
-    long cipher;		/* optimization */
-} NSSSMIMECapability;
-
-static const SEC_ASN1Template NSSSMIMECapabilityTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(NSSSMIMECapability) },
-    { SEC_ASN1_OBJECT_ID,
-	  offsetof(NSSSMIMECapability,capabilityID), },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
-	  offsetof(NSSSMIMECapability,parameters), },
-    { 0, }
-};
-
-static const SEC_ASN1Template NSSSMIMECapabilitiesTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF, 0, NSSSMIMECapabilityTemplate }
-};
-
-/*
- * NSSSMIMEEncryptionKeyPreference - if we find one of these, it needs to prompt us
- *  to store this and only this certificate permanently for the sender email address.
- */
-typedef enum {
-    NSSSMIMEEncryptionKeyPref_IssuerSN,
-    NSSSMIMEEncryptionKeyPref_RKeyID,
-    NSSSMIMEEncryptionKeyPref_SubjectKeyID
-} NSSSMIMEEncryptionKeyPrefSelector;
-
-typedef struct {
-    NSSSMIMEEncryptionKeyPrefSelector selector;
-    union {
-	CERTIssuerAndSN			*issuerAndSN;
-	NSSCMSRecipientKeyIdentifier	*recipientKeyID;
-	SECItem				*subjectKeyID;
-    } id;
-} NSSSMIMEEncryptionKeyPreference;
-
-extern const SEC_ASN1Template NSSCMSRecipientKeyIdentifierTemplate[];
-
-static const SEC_ASN1Template smime_encryptionkeypref_template[] = {
-    { SEC_ASN1_CHOICE,
-	  offsetof(NSSSMIMEEncryptionKeyPreference,selector), NULL,
-	  sizeof(NSSSMIMEEncryptionKeyPreference) },
-    { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
-	  offsetof(NSSSMIMEEncryptionKeyPreference,id.issuerAndSN),
-	  SEC_ASN1_SUB(CERT_IssuerAndSNTemplate),
-	  NSSSMIMEEncryptionKeyPref_IssuerSN },
-    { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | 1,
-	  offsetof(NSSSMIMEEncryptionKeyPreference,id.recipientKeyID),
-	  NSSCMSRecipientKeyIdentifierTemplate,
-	  NSSSMIMEEncryptionKeyPref_IssuerSN },
-    { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2,
-	  offsetof(NSSSMIMEEncryptionKeyPreference,id.subjectKeyID),
-	  SEC_ASN1_SUB(SEC_OctetStringTemplate),
-	  NSSSMIMEEncryptionKeyPref_SubjectKeyID },
-    { 0, }
-};
-
-/* smime_cipher_map - map of SMIME symmetric "ciphers" to algtag & parameters */
-typedef struct {
-    unsigned long cipher;
-    SECOidTag algtag;
-    SECItem *parms;
-    PRBool enabled;	/* in the user's preferences */
-    PRBool allowed;	/* per export policy */
-} smime_cipher_map_entry;
-
-/* global: list of supported SMIME symmetric ciphers, ordered roughly by increasing strength */
-static smime_cipher_map_entry smime_cipher_map[] = {
-/*    cipher			algtag			parms		enabled  allowed */
-/*    ---------------------------------------------------------------------------------- */
-    { SMIME_RC2_CBC_40,		SEC_OID_RC2_CBC,	&param_int40,	PR_TRUE, PR_TRUE },
-    { SMIME_DES_CBC_56,		SEC_OID_DES_CBC,	NULL,		PR_TRUE, PR_TRUE },
-    { SMIME_RC2_CBC_64,		SEC_OID_RC2_CBC,	&param_int64,	PR_TRUE, PR_TRUE },
-    { SMIME_RC2_CBC_128,	SEC_OID_RC2_CBC,	&param_int128,	PR_TRUE, PR_TRUE },
-    { SMIME_DES_EDE3_168,	SEC_OID_DES_EDE3_CBC,	NULL,		PR_TRUE, PR_TRUE },
-    { SMIME_FORTEZZA,		SEC_OID_FORTEZZA_SKIPJACK, NULL,	PR_TRUE, PR_TRUE }
-};
-static const int smime_cipher_map_count = sizeof(smime_cipher_map) / sizeof(smime_cipher_map_entry);
-
-/*
- * smime_mapi_by_cipher - find index into smime_cipher_map by cipher
- */
-static int
-smime_mapi_by_cipher(unsigned long cipher)
-{
-    int i;
-
-    for (i = 0; i < smime_cipher_map_count; i++) {
-	if (smime_cipher_map[i].cipher == cipher)
-	    return i;	/* bingo */
-    }
-    return -1;		/* should not happen if we're consistent, right? */
-}
-
-/*
- * NSS_SMIME_EnableCipher - this function locally records the user's preference
- */
-SECStatus 
-NSS_SMIMEUtil_EnableCipher(unsigned long which, PRBool on)
-{
-    unsigned long mask;
-    int mapi;
-
-    mask = which & CIPHER_FAMILYID_MASK;
-
-    PORT_Assert (mask == CIPHER_FAMILYID_SMIME);
-    if (mask != CIPHER_FAMILYID_SMIME)
-	/* XXX set an error! */
-    	return SECFailure;
-
-    mapi = smime_mapi_by_cipher(which);
-    if (mapi < 0)
-	/* XXX set an error */
-	return SECFailure;
-
-    /* do we try to turn on a forbidden cipher? */
-    if (!smime_cipher_map[mapi].allowed && on) {
-	PORT_SetError (SEC_ERROR_BAD_EXPORT_ALGORITHM);
-	return SECFailure;
-    }
-
-    if (smime_cipher_map[mapi].enabled != on)
-	smime_cipher_map[mapi].enabled = on;
-
-    return SECSuccess;
-}
-
-
-/*
- * this function locally records the export policy
- */
-SECStatus 
-NSS_SMIMEUtil_AllowCipher(unsigned long which, PRBool on)
-{
-    unsigned long mask;
-    int mapi;
-
-    mask = which & CIPHER_FAMILYID_MASK;
-
-    PORT_Assert (mask == CIPHER_FAMILYID_SMIME);
-    if (mask != CIPHER_FAMILYID_SMIME)
-	/* XXX set an error! */
-    	return SECFailure;
-
-    mapi = smime_mapi_by_cipher(which);
-    if (mapi < 0)
-	/* XXX set an error */
-	return SECFailure;
-
-    if (smime_cipher_map[mapi].allowed != on)
-	smime_cipher_map[mapi].allowed = on;
-
-    return SECSuccess;
-}
-
-/*
- * Based on the given algorithm (including its parameters, in some cases!)
- * and the given key (may or may not be inspected, depending on the
- * algorithm), find the appropriate policy algorithm specification
- * and return it.  If no match can be made, -1 is returned.
- */
-static SECStatus
-nss_smime_get_cipher_for_alg_and_key(SECAlgorithmID *algid, PK11SymKey *key, unsigned long *cipher)
-{
-    SECOidTag algtag;
-    unsigned int keylen_bits;
-    unsigned long c;
-
-    algtag = SECOID_GetAlgorithmTag(algid);
-    switch (algtag) {
-    case SEC_OID_RC2_CBC:
-	keylen_bits = PK11_GetKeyStrength(key, algid);
-	switch (keylen_bits) {
-	case 40:
-	    c = SMIME_RC2_CBC_40;
-	    break;
-	case 64:
-	    c = SMIME_RC2_CBC_64;
-	    break;
-	case 128:
-	    c = SMIME_RC2_CBC_128;
-	    break;
-	default:
-	    return SECFailure;
-	}
-	break;
-    case SEC_OID_DES_CBC:
-	c = SMIME_DES_CBC_56;
-	break;
-    case SEC_OID_DES_EDE3_CBC:
-	c = SMIME_DES_EDE3_168;
-	break;
-    case SEC_OID_FORTEZZA_SKIPJACK:
-	c = SMIME_FORTEZZA;
-	break;
-    default:
-	return SECFailure;
-    }
-    *cipher = c;
-    return SECSuccess;
-}
-
-static PRBool
-nss_smime_cipher_allowed(unsigned long which)
-{
-    int mapi;
-
-    mapi = smime_mapi_by_cipher(which);
-    if (mapi < 0)
-	return PR_FALSE;
-    return smime_cipher_map[mapi].allowed;
-}
-
-PRBool
-NSS_SMIMEUtil_DecryptionAllowed(SECAlgorithmID *algid, PK11SymKey *key)
-{
-    unsigned long which;
-
-    if (nss_smime_get_cipher_for_alg_and_key(algid, key, &which) != SECSuccess)
-	return PR_FALSE;
-
-    return nss_smime_cipher_allowed(which);
-}
-
-
-/*
- * NSS_SMIME_EncryptionPossible - check if any encryption is allowed
- *
- * This tells whether or not *any* S/MIME encryption can be done,
- * according to policy.  Callers may use this to do nicer user interface
- * (say, greying out a checkbox so a user does not even try to encrypt
- * a message when they are not allowed to) or for any reason they want
- * to check whether S/MIME encryption (or decryption, for that matter)
- * may be done.
- *
- * It takes no arguments.  The return value is a simple boolean:
- *   PR_TRUE means encryption (or decryption) is *possible*
- *	(but may still fail due to other reasons, like because we cannot
- *	find all the necessary certs, etc.; PR_TRUE is *not* a guarantee)
- *   PR_FALSE means encryption (or decryption) is not permitted
- *
- * There are no errors from this routine.
- */
-PRBool
-NSS_SMIMEUtil_EncryptionPossible(void)
-{
-    int i;
-
-    for (i = 0; i < smime_cipher_map_count; i++) {
-	if (smime_cipher_map[i].allowed)
-	    return PR_TRUE;
-    }
-    return PR_FALSE;
-}
-
-
-static int
-nss_SMIME_FindCipherForSMIMECap(NSSSMIMECapability *cap)
-{
-    int i;
-    SECOidTag capIDTag;
-
-    /* we need the OIDTag here */
-    capIDTag = SECOID_FindOIDTag(&(cap->capabilityID));
-
-    /* go over all the SMIME ciphers we know and see if we find a match */
-    for (i = 0; i < smime_cipher_map_count; i++) {
-	if (smime_cipher_map[i].algtag != capIDTag)
-	    continue;
-	/*
-	 * XXX If SECITEM_CompareItem allowed NULLs as arguments (comparing
-	 * 2 NULLs as equal and NULL and non-NULL as not equal), we could
-	 * use that here instead of all of the following comparison code.
-	 */
-	if (cap->parameters.data == NULL && smime_cipher_map[i].parms == NULL)
-	    break;	/* both empty: bingo */
-
-	if (cap->parameters.data != NULL && smime_cipher_map[i].parms != NULL &&
-	    cap->parameters.len == smime_cipher_map[i].parms->len &&
-	    PORT_Memcmp (cap->parameters.data, smime_cipher_map[i].parms->data,
-			     cap->parameters.len) == 0)
-	{
-	    break;	/* both not empty, same length & equal content: bingo */
-	}
-    }
-
-    if (i == smime_cipher_map_count)
-	return 0;				/* no match found */
-    else
-	return smime_cipher_map[i].cipher;	/* match found, point to cipher */
-}
-
-/*
- * smime_choose_cipher - choose a cipher that works for all the recipients
- *
- * "scert"  - sender's certificate
- * "rcerts" - recipient's certificates
- */
-static long
-smime_choose_cipher(CERTCertificate *scert, CERTCertificate **rcerts)
-{
-    PRArenaPool *poolp;
-    long cipher;
-    long chosen_cipher;
-    int *cipher_abilities;
-    int *cipher_votes;
-    int weak_mapi;
-    int strong_mapi;
-    int rcount, mapi, max, i;
-    PRBool scert_is_fortezza = (scert == NULL) ? PR_FALSE : PK11_FortezzaHasKEA(scert);
-
-    chosen_cipher = SMIME_RC2_CBC_40;		/* the default, LCD */
-    weak_mapi = smime_mapi_by_cipher(chosen_cipher);
-
-    poolp = PORT_NewArena (1024);		/* XXX what is right value? */
-    if (poolp == NULL)
-	goto done;
-
-    cipher_abilities = (int *)PORT_ArenaZAlloc(poolp, smime_cipher_map_count * sizeof(int));
-    cipher_votes     = (int *)PORT_ArenaZAlloc(poolp, smime_cipher_map_count * sizeof(int));
-    if (cipher_votes == NULL || cipher_abilities == NULL)
-	goto done;
-
-    /* If the user has the Fortezza preference turned on, make
-     *  that the strong cipher. Otherwise, use triple-DES. */
-    strong_mapi = smime_mapi_by_cipher (SMIME_DES_EDE3_168);
-    if (scert_is_fortezza) {
-	mapi = smime_mapi_by_cipher(SMIME_FORTEZZA);
-	if (mapi >= 0 && smime_cipher_map[mapi].enabled)
-	    strong_mapi = mapi;
-    }
-
-    /* walk all the recipient's certs */
-    for (rcount = 0; rcerts[rcount] != NULL; rcount++) {
-	SECItem *profile;
-	NSSSMIMECapability **caps;
-	int pref;
-
-	/* the first cipher that matches in the user's SMIME profile gets
-	 * "smime_cipher_map_count" votes; the next one gets "smime_cipher_map_count" - 1
-	 * and so on. If every cipher matches, the last one gets 1 (one) vote */
-	pref = smime_cipher_map_count;
-
-	/* find recipient's SMIME profile */
-	profile = CERT_FindSMimeProfile(rcerts[rcount]);
-
-	if (profile != NULL && profile->data != NULL && profile->len > 0) {
-	    /* we have a profile (still DER-encoded) */
-	    caps = NULL;
-	    /* decode it */
-	    if (SEC_QuickDERDecodeItem(poolp, &caps,
-                    NSSSMIMECapabilitiesTemplate, profile) == SECSuccess &&
-		    caps != NULL)
-	    {
-		/* walk the SMIME capabilities for this recipient */
-		for (i = 0; caps[i] != NULL; i++) {
-		    cipher = nss_SMIME_FindCipherForSMIMECap(caps[i]);
-		    mapi = smime_mapi_by_cipher(cipher);
-		    if (mapi >= 0) {
-			/* found the cipher */
-			cipher_abilities[mapi]++;
-			cipher_votes[mapi] += pref;
-			--pref;
-		    }
-		}
-	    }
-	} else {
-	    /* no profile found - so we can only assume that the user can do
-	     * the mandatory algorithms which is RC2-40 (weak crypto) and 3DES (strong crypto) */
-	    SECKEYPublicKey *key;
-	    unsigned int pklen_bits;
-
-	    /*
-	     * if recipient's public key length is > 512, vote for a strong cipher
-	     * please not that the side effect of this is that if only one recipient
-	     * has an export-level public key, the strong cipher is disabled.
-	     *
-	     * XXX This is probably only good for RSA keys.  What I would
-	     * really like is a function to just say;  Is the public key in
-	     * this cert an export-length key?  Then I would not have to
-	     * know things like the value 512, or the kind of key, or what
-	     * a subjectPublicKeyInfo is, etc.
-	     */
-	    key = CERT_ExtractPublicKey(rcerts[rcount]);
-	    pklen_bits = 0;
-	    if (key != NULL) {
-		pklen_bits = SECKEY_PublicKeyStrength (key) * 8;
-		SECKEY_DestroyPublicKey (key);
-	    }
-
-	    if (pklen_bits > 512) {
-		/* cast votes for the strong algorithm */
-		cipher_abilities[strong_mapi]++;
-		cipher_votes[strong_mapi] += pref;
-		pref--;
-	    } 
-
-	    /* always cast (possibly less) votes for the weak algorithm */
-	    cipher_abilities[weak_mapi]++;
-	    cipher_votes[weak_mapi] += pref;
-	}
-	if (profile != NULL)
-	    SECITEM_FreeItem(profile, PR_TRUE);
-    }
-
-    /* find cipher that is agreeable by all recipients and that has the most votes */
-    max = 0;
-    for (mapi = 0; mapi < smime_cipher_map_count; mapi++) {
-	/* if not all of the recipients can do this, forget it */
-	if (cipher_abilities[mapi] != rcount)
-	    continue;
-	/* if cipher is not enabled or not allowed by policy, forget it */
-	if (!smime_cipher_map[mapi].enabled || !smime_cipher_map[mapi].allowed)
-	    continue;
-	/* if we're not doing fortezza, but the cipher is fortezza, forget it */
-	if (!scert_is_fortezza  && (smime_cipher_map[mapi].cipher == SMIME_FORTEZZA))
-	    continue;
-	/* now see if this one has more votes than the last best one */
-	if (cipher_votes[mapi] >= max) {
-	    /* if equal number of votes, prefer the ones further down in the list */
-	    /* with the expectation that these are higher rated ciphers */
-	    chosen_cipher = smime_cipher_map[mapi].cipher;
-	    max = cipher_votes[mapi];
-	}
-    }
-    /* if no common cipher was found, chosen_cipher stays at the default */
-
-done:
-    if (poolp != NULL)
-	PORT_FreeArena (poolp, PR_FALSE);
-
-    return chosen_cipher;
-}
-
-/*
- * XXX This is a hack for now to satisfy our current interface.
- * Eventually, with more parameters needing to be specified, just
- * looking up the keysize is not going to be sufficient.
- */
-static int
-smime_keysize_by_cipher (unsigned long which)
-{
-    int keysize;
-
-    switch (which) {
-      case SMIME_RC2_CBC_40:
-	keysize = 40;
-	break;
-      case SMIME_RC2_CBC_64:
-	keysize = 64;
-	break;
-      case SMIME_RC2_CBC_128:
-	keysize = 128;
-	break;
-      case SMIME_DES_CBC_56:
-      case SMIME_DES_EDE3_168:
-      case SMIME_FORTEZZA:
-	/*
-	 * These are special; since the key size is fixed, we actually
-	 * want to *avoid* specifying a key size.
-	 */
-	keysize = 0;
-	break;
-      default:
-	keysize = -1;
-	break;
-    }
-
-    return keysize;
-}
-
-/*
- * NSS_SMIMEUtil_FindBulkAlgForRecipients - find bulk algorithm suitable for all recipients
- *
- * it would be great for UI purposes if there would be a way to find out which recipients
- * prevented a strong cipher from being used...
- */
-SECStatus
-NSS_SMIMEUtil_FindBulkAlgForRecipients(CERTCertificate **rcerts, SECOidTag *bulkalgtag, int *keysize)
-{
-    unsigned long cipher;
-    int mapi;
-
-    cipher = smime_choose_cipher(NULL, rcerts);
-    mapi = smime_mapi_by_cipher(cipher);
-
-    *bulkalgtag = smime_cipher_map[mapi].algtag;
-    *keysize = smime_keysize_by_cipher(smime_cipher_map[mapi].cipher);
-
-    return SECSuccess;
-}
-
-/*
- * NSS_SMIMEUtil_CreateSMIMECapabilities - get S/MIME capabilities for this instance of NSS
- *
- * scans the list of allowed and enabled ciphers and construct a PKCS9-compliant
- * S/MIME capabilities attribute value.
- *
- * XXX Please note that, in contradiction to RFC2633 2.5.2, the capabilities only include
- * symmetric ciphers, NO signature algorithms or key encipherment algorithms.
- *
- * "poolp" - arena pool to create the S/MIME capabilities data on
- * "dest" - SECItem to put the data in
- * "includeFortezzaCiphers" - PR_TRUE if fortezza ciphers should be included
- */
-SECStatus
-NSS_SMIMEUtil_CreateSMIMECapabilities(PLArenaPool *poolp, SECItem *dest, PRBool includeFortezzaCiphers)
-{
-    NSSSMIMECapability *cap;
-    NSSSMIMECapability **smime_capabilities;
-    smime_cipher_map_entry *map;
-    SECOidData *oiddata;
-    SECItem *dummy;
-    int i, capIndex;
-
-    /* if we have an old NSSSMIMECapability array, we'll reuse it (has the right size) */
-    /* smime_cipher_map_count + 1 is an upper bound - we might end up with less */
-    smime_capabilities = (NSSSMIMECapability **)PORT_ZAlloc((smime_cipher_map_count + 1)
-				      * sizeof(NSSSMIMECapability *));
-    if (smime_capabilities == NULL)
-	return SECFailure;
-
-    capIndex = 0;
-
-    /* Add all the symmetric ciphers
-     * We walk the cipher list backwards, as it is ordered by increasing strength,
-     * we prefer the stronger cipher over a weaker one, and we have to list the
-     * preferred algorithm first */
-    for (i = smime_cipher_map_count - 1; i >= 0; i--) {
-	/* Find the corresponding entry in the cipher map. */
-	map = &(smime_cipher_map[i]);
-	if (!map->enabled)
-	    continue;
-
-	/* If we're using a non-Fortezza cert, only advertise non-Fortezza
-	   capabilities. (We advertise all capabilities if we have a 
-	   Fortezza cert.) */
-	if ((!includeFortezzaCiphers) && (map->cipher == SMIME_FORTEZZA))
-	    continue;
-
-	/* get next SMIME capability */
-	cap = (NSSSMIMECapability *)PORT_ZAlloc(sizeof(NSSSMIMECapability));
-	if (cap == NULL)
-	    break;
-	smime_capabilities[capIndex++] = cap;
-
-	oiddata = SECOID_FindOIDByTag(map->algtag);
-	if (oiddata == NULL)
-	    break;
-
-	cap->capabilityID.data = oiddata->oid.data;
-	cap->capabilityID.len = oiddata->oid.len;
-	cap->parameters.data = map->parms ? map->parms->data : NULL;
-	cap->parameters.len = map->parms ? map->parms->len : 0;
-	cap->cipher = smime_cipher_map[i].cipher;
-    }
-
-    /* XXX add signature algorithms */
-    /* XXX add key encipherment algorithms */
-
-    smime_capabilities[capIndex] = NULL;	/* last one - now encode */
-    dummy = SEC_ASN1EncodeItem(poolp, dest, &smime_capabilities, NSSSMIMECapabilitiesTemplate);
-
-    /* now that we have the proper encoded SMIMECapabilities (or not),
-     * free the work data */
-    for (i = 0; smime_capabilities[i] != NULL; i++)
-	PORT_Free(smime_capabilities[i]);
-    PORT_Free(smime_capabilities);
-
-    return (dummy == NULL) ? SECFailure : SECSuccess;
-}
-
-/*
- * NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs - create S/MIME encryption key preferences attr value
- *
- * "poolp" - arena pool to create the attr value on
- * "dest" - SECItem to put the data in
- * "cert" - certificate that should be marked as preferred encryption key
- *          cert is expected to have been verified for EmailRecipient usage.
- */
-SECStatus
-NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs(PLArenaPool *poolp, SECItem *dest, CERTCertificate *cert)
-{
-    NSSSMIMEEncryptionKeyPreference ekp;
-    SECItem *dummy = NULL;
-    PLArenaPool *tmppoolp = NULL;
-
-    if (cert == NULL)
-	goto loser;
-
-    tmppoolp = PORT_NewArena(1024);
-    if (tmppoolp == NULL)
-	goto loser;
-
-    /* XXX hardcoded IssuerSN choice for now */
-    ekp.selector = NSSSMIMEEncryptionKeyPref_IssuerSN;
-    ekp.id.issuerAndSN = CERT_GetCertIssuerAndSN(tmppoolp, cert);
-    if (ekp.id.issuerAndSN == NULL)
-	goto loser;
-
-    dummy = SEC_ASN1EncodeItem(poolp, dest, &ekp, smime_encryptionkeypref_template);
-
-loser:
-    if (tmppoolp) PORT_FreeArena(tmppoolp, PR_FALSE);
-
-    return (dummy == NULL) ? SECFailure : SECSuccess;
-}
-
-/*
- * NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs - create S/MIME encryption key preferences attr value using MS oid
- *
- * "poolp" - arena pool to create the attr value on
- * "dest" - SECItem to put the data in
- * "cert" - certificate that should be marked as preferred encryption key
- *          cert is expected to have been verified for EmailRecipient usage.
- */
-SECStatus
-NSS_SMIMEUtil_CreateMSSMIMEEncKeyPrefs(PLArenaPool *poolp, SECItem *dest, CERTCertificate *cert)
-{
-    SECItem *dummy = NULL;
-    PLArenaPool *tmppoolp = NULL;
-    CERTIssuerAndSN *isn;
-
-    if (cert == NULL)
-	goto loser;
-
-    tmppoolp = PORT_NewArena(1024);
-    if (tmppoolp == NULL)
-	goto loser;
-
-    isn = CERT_GetCertIssuerAndSN(tmppoolp, cert);
-    if (isn == NULL)
-	goto loser;
-
-    dummy = SEC_ASN1EncodeItem(poolp, dest, isn, SEC_ASN1_GET(CERT_IssuerAndSNTemplate));
-
-loser:
-    if (tmppoolp) PORT_FreeArena(tmppoolp, PR_FALSE);
-
-    return (dummy == NULL) ? SECFailure : SECSuccess;
-}
-
-/*
- * NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference -
- *				find cert marked by EncryptionKeyPreference attribute
- *
- * "certdb" - handle for the cert database to look in
- * "DERekp" - DER-encoded value of S/MIME Encryption Key Preference attribute
- *
- * if certificate is supposed to be found among the message's included certificates,
- * they are assumed to have been imported already.
- */
-CERTCertificate *
-NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference(CERTCertDBHandle *certdb, SECItem *DERekp)
-{
-    PLArenaPool *tmppoolp = NULL;
-    CERTCertificate *cert = NULL;
-    NSSSMIMEEncryptionKeyPreference ekp;
-
-    tmppoolp = PORT_NewArena(1024);
-    if (tmppoolp == NULL)
-	return NULL;
-
-    /* decode DERekp */
-    if (SEC_QuickDERDecodeItem(tmppoolp, &ekp, smime_encryptionkeypref_template,
-                               DERekp) != SECSuccess)
-	goto loser;
-
-    /* find cert */
-    switch (ekp.selector) {
-    case NSSSMIMEEncryptionKeyPref_IssuerSN:
-	cert = CERT_FindCertByIssuerAndSN(certdb, ekp.id.issuerAndSN);
-	break;
-    case NSSSMIMEEncryptionKeyPref_RKeyID:
-    case NSSSMIMEEncryptionKeyPref_SubjectKeyID:
-	/* XXX not supported yet - we need to be able to look up certs by SubjectKeyID */
-	break;
-    default:
-	PORT_Assert(0);
-    }
-loser:
-    if (tmppoolp) PORT_FreeArena(tmppoolp, PR_FALSE);
-
-    return cert;
-}
-
-extern const char __nss_smime_rcsid[];
-extern const char __nss_smime_sccsid[];
-
-PRBool
-NSSSMIME_VersionCheck(const char *importedVersion)
-{
-    /*
-     * This is the secret handshake algorithm.
-     *
-     * This release has a simple version compatibility
-     * check algorithm.  This release is not backward
-     * compatible with previous major releases.  It is
-     * not compatible with future major, minor, or
-     * patch releases.
-     */
-    volatile char c; /* force a reference that won't get optimized away */
-
-    c = __nss_smime_rcsid[0] + __nss_smime_sccsid[0]; 
-
-    return NSS_VersionCheck(importedVersion);
-}
-
diff --git a/security/nss/lib/smime/smimever.c b/security/nss/lib/smime/smimever.c
deleted file mode 100644
index df838e30a..000000000
--- a/security/nss/lib/smime/smimever.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2001
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/* Library identity and versioning */
-
-#include "nss.h"
-
-#if defined(DEBUG)
-#define _DEBUG_STRING " (debug)"
-#else
-#define _DEBUG_STRING ""
-#endif
-
-/*
- * Version information for the 'ident' and 'what commands
- *
- * NOTE: the first component of the concatenated rcsid string
- * must not end in a '$' to prevent rcs keyword substitution.
- */
-const char __nss_smime_rcsid[] = "$Header: NSS " NSS_VERSION _DEBUG_STRING
-        "  " __DATE__ " " __TIME__ " $";
-const char __nss_smime_sccsid[] = "@(#)NSS " NSS_VERSION _DEBUG_STRING
-        "  " __DATE__ " " __TIME__;
diff --git a/security/nss/lib/softoken/Makefile b/security/nss/lib/softoken/Makefile
deleted file mode 100644
index c13355052..000000000
--- a/security/nss/lib/softoken/Makefile
+++ /dev/null
@@ -1,95 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include config.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-export:: private_export
-
-# On AIX 4.3, IBM xlC_r compiler (version 3.6.6) cannot compile
-# pkcs11c.c in 64-bit mode for unknown reasons.  A workaround is
-# to compile it with optimizations turned on.  (Bugzilla bug #63815)
-ifeq ($(OS_TARGET)$(OS_RELEASE),AIX4.3)
-ifeq ($(USE_64),1)
-ifndef BUILD_OPT
-$(OBJDIR)/pkcs11.o: pkcs11.c
-	@$(MAKE_OBJDIR)
-	$(CC) -o $@ -c -O2 $(CFLAGS) $<
-$(OBJDIR)/pkcs11c.o: pkcs11c.c
-	@$(MAKE_OBJDIR)
-	$(CC) -o $@ -c -O2 $(CFLAGS) $<
-endif
-endif
-endif
diff --git a/security/nss/lib/softoken/cdbhdl.h b/security/nss/lib/softoken/cdbhdl.h
deleted file mode 100644
index 238a48669..000000000
--- a/security/nss/lib/softoken/cdbhdl.h
+++ /dev/null
@@ -1,89 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * cdbhdl.h - certificate database handle
- *   private to the certdb module
- *
- * $Id$
- */
-#ifndef _CDBHDL_H_
-#define _CDBHDL_H_
-
-#include "nspr.h"
-#include "mcom_db.h"
-#include "pcertt.h"
-#include "prtypes.h"
-
-/*
- * Handle structure for open certificate databases
- */
-struct NSSLOWCERTCertDBHandleStr {
-    DB *permCertDB;
-    PZMonitor *dbMon;
-    PRBool dbVerify;
-    PRInt32  ref; /* reference count */
-};
-
-#define nsslowcert_reference(x) (PR_AtomicIncrement(&(x)->ref) , (x))
-
-#ifdef DBM_USING_NSPR
-#define NO_RDONLY	PR_RDONLY
-#define NO_RDWR		PR_RDWR
-#define NO_CREATE	(PR_RDWR | PR_CREATE_FILE | PR_TRUNCATE)
-#else
-#define NO_RDONLY	O_RDONLY
-#define NO_RDWR		O_RDWR
-#define NO_CREATE	(O_RDWR | O_CREAT | O_TRUNC)
-#endif
-
-typedef DB * (*rdbfunc)(const char *appName, const char *prefix, 
-				const char *type, int flags);
-typedef int (*rdbstatusfunc)(void);
-
-#define RDB_FAIL 1
-#define RDB_RETRY 2
-
-DB * rdbopen(const char *appName, const char *prefix, 
-				const char *type, int flags, int *status);
-
-DB *dbsopen (const char *dbname , int flags, int mode, DBTYPE type, 
-						const void * appData);
-SECStatus db_Copy(DB *dest,DB *src);
-int db_BeginTransaction(DB *db);
-int db_FinishTransaction(DB *db, PRBool abort);
-int db_InitComplete(DB *db);
-
-#endif
diff --git a/security/nss/lib/softoken/config.mk b/security/nss/lib/softoken/config.mk
deleted file mode 100644
index 2e097c8a5..000000000
--- a/security/nss/lib/softoken/config.mk
+++ /dev/null
@@ -1,101 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
-CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
-CRYPTODIR=../freebl
-ifdef MOZILLA_SECURITY_BUILD
-	CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)crypto.$(LIB_SUFFIX)
-	CRYPTODIR=../crypto
-endif
-
-EXTRA_LIBS += \
-	$(CRYPTOLIB) \
-	$(DIST)/lib/$(LIB_PREFIX)secutil.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX) \
-	$(NULL)
-
-# can't do this in manifest.mn because OS_TARGET isn't defined there.
-ifeq (,$(filter-out WIN%,$(OS_TARGET)))
-
-# don't want the 32 in the shared library name
-SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
-IMPORT_LIBRARY = $(OBJDIR)/$(IMPORT_LIB_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION)$(IMPORT_LIB_SUFFIX)
-
-RES = $(OBJDIR)/$(LIBRARY_NAME).res
-RESNAME = $(LIBRARY_NAME).rc
-
-ifdef NS_USE_GCC
-EXTRA_SHARED_LIBS += \
-	-L$(NSPR_LIB_DIR) \
-	-lplc4 \
-	-lplds4 \
-	-lnspr4 \
-	$(NULL)
-else # ! NS_USE_GCC
-
-EXTRA_SHARED_LIBS += \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
-	$(NULL)
-endif # NS_USE_GCC
-
-else
-
-# $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
-# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
-EXTRA_SHARED_LIBS += \
-	-L$(NSPR_LIB_DIR) \
-	-lplc4 \
-	-lplds4 \
-	-lnspr4 \
-	$(NULL)
-endif
-
-ifeq ($(OS_TARGET),SunOS)
-# The -R '$ORIGIN' linker option instructs this library to search for its
-# dependencies in the same directory where it resides.
-MKSHLIB += -R '$$ORIGIN'
-endif
-
-ifeq ($(OS_TARGET),WINCE)
-DEFINES += -DDBM_USING_NSPR
-endif
-
-# indicates dependency on freebl static lib
-$(SHARED_LIBRARY): $(CRYPTOLIB)
diff --git a/security/nss/lib/softoken/dbinit.c b/security/nss/lib/softoken/dbinit.c
deleted file mode 100644
index 2b7f81a73..000000000
--- a/security/nss/lib/softoken/dbinit.c
+++ /dev/null
@@ -1,449 +0,0 @@
-/*
- * NSS utility functions
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <ctype.h>
-#include "seccomon.h"
-#include "prinit.h"
-#include "prprf.h"
-#include "prmem.h"
-#include "pratom.h"
-#include "pcertt.h"
-#include "lowkeyi.h"
-#include "pcert.h"
-#include "cdbhdl.h"
-#include "keydbi.h"
-#include "pkcs11i.h"
-
-static char *
-sftk_certdb_name_cb(void *arg, int dbVersion)
-{
-    const char *configdir = (const char *)arg;
-    const char *dbver;
-    char *smpname = NULL;
-    char *dbname = NULL;
-
-    switch (dbVersion) {
-      case 8:
-	dbver = "8";
-	break;
-      case 7:
-	dbver = "7";
-	break;
-      case 6:
-	dbver = "6";
-	break;
-      case 5:
-	dbver = "5";
-	break;
-      case 4:
-      default:
-	dbver = "";
-	break;
-    }
-
-    /* make sure we return something allocated with PORT_ so we have properly
-     * matched frees at the end */
-    smpname = PR_smprintf(CERT_DB_FMT, configdir, dbver);
-    if (smpname) {
-	dbname = PORT_Strdup(smpname);
-	PR_smprintf_free(smpname);
-    }
-    return dbname;
-}
-    
-static char *
-sftk_keydb_name_cb(void *arg, int dbVersion)
-{
-    const char *configdir = (const char *)arg;
-    const char *dbver;
-    char *smpname = NULL;
-    char *dbname = NULL;
-    
-    switch (dbVersion) {
-      case 4:
-	dbver = "4";
-	break;
-      case 3:
-	dbver = "3";
-	break;
-      case 1:
-	dbver = "1";
-	break;
-      case 2:
-      default:
-	dbver = "";
-	break;
-    }
-
-    smpname = PR_smprintf(KEY_DB_FMT, configdir, dbver);
-    if (smpname) {
-	dbname = PORT_Strdup(smpname);
-	PR_smprintf_free(smpname);
-    }
-    return dbname;
-}
-
-const char *
-sftk_EvaluateConfigDir(const char *configdir,char **appName)
-{
-    if (PORT_Strncmp(configdir, MULTIACCESS, sizeof(MULTIACCESS)-1) == 0) {
-	char *cdir;
-
-	*appName = PORT_Strdup(configdir+sizeof(MULTIACCESS)-1);
-	if (*appName == NULL) {
-	    return configdir;
-	}
-	cdir = *appName;
-	while (*cdir && *cdir != ':') {
-	    cdir++;
-	}
-	if (*cdir == ':') {
-	   *cdir = 0;
-	   cdir++;
-	}
-	configdir = cdir;
-    }
-    return configdir;
-}
-
-static CK_RV
-sftk_OpenCertDB(const char * configdir, const char *prefix, PRBool readOnly,
-    					    NSSLOWCERTCertDBHandle **certdbPtr)
-{
-    NSSLOWCERTCertDBHandle *certdb = NULL;
-    CK_RV        crv = CKR_NETSCAPE_CERTDB_FAILED;
-    SECStatus    rv;
-    char * name = NULL;
-    char * appName = NULL;
-
-    if (prefix == NULL) {
-	prefix = "";
-    }
-
-    configdir = sftk_EvaluateConfigDir(configdir, &appName);
-
-    name = PR_smprintf("%s" PATH_SEPARATOR "%s",configdir,prefix);
-    if (name == NULL) goto loser;
-
-    certdb = (NSSLOWCERTCertDBHandle*)PORT_ZAlloc(sizeof(NSSLOWCERTCertDBHandle));
-    if (certdb == NULL) 
-    	goto loser;
-
-    certdb->ref = 1;
-/* fix when we get the DB in */
-    rv = nsslowcert_OpenCertDB(certdb, readOnly, appName, prefix,
-				sftk_certdb_name_cb, (void *)name, PR_FALSE);
-    if (rv == SECSuccess) {
-	crv = CKR_OK;
-	*certdbPtr = certdb;
-	certdb = NULL;
-    }
-loser: 
-    if (certdb) PR_Free(certdb);
-    if (name) PR_smprintf_free(name);
-    if (appName) PORT_Free(appName);
-    return crv;
-}
-
-static CK_RV
-sftk_OpenKeyDB(const char * configdir, const char *prefix, PRBool readOnly,
-    						NSSLOWKEYDBHandle **keydbPtr)
-{
-    NSSLOWKEYDBHandle *keydb;
-    char * name = NULL;
-    char * appName = NULL;
-
-    if (prefix == NULL) {
-	prefix = "";
-    }
-    configdir = sftk_EvaluateConfigDir(configdir, &appName);
-
-    name = PR_smprintf("%s" PATH_SEPARATOR "%s",configdir,prefix);	
-    if (name == NULL) 
-	return CKR_HOST_MEMORY;
-    keydb = nsslowkey_OpenKeyDB(readOnly, appName, prefix, 
-					sftk_keydb_name_cb, (void *)name);
-    PR_smprintf_free(name);
-    if (appName) PORT_Free(appName);
-    if (keydb == NULL)
-	return CKR_NETSCAPE_KEYDB_FAILED;
-    *keydbPtr = keydb;
-
-    return CKR_OK;
-}
-
-
-/*
- * OK there are now lots of options here, lets go through them all:
- *
- * configdir - base directory where all the cert, key, and module datbases live.
- * certPrefix - prefix added to the beginning of the cert database example: "
- * 			"https-server1-"
- * keyPrefix - prefix added to the beginning of the key database example: "
- * 			"https-server1-"
- * secmodName - name of the security module database (usually "secmod.db").
- * readOnly - Boolean: true if the databases are to be openned read only.
- * nocertdb - Don't open the cert DB and key DB's, just initialize the 
- *			Volatile certdb.
- * nomoddb - Don't open the security module DB, just initialize the 
- *			PKCS #11 module.
- * forceOpen - Continue to force initializations even if the databases cannot
- * 			be opened.
- */
-CK_RV
-sftk_DBInit(const char *configdir, const char *certPrefix, 
-	    const char *keyPrefix, PRBool readOnly, 
-	    PRBool noCertDB, PRBool noKeyDB, PRBool forceOpen,
-	    NSSLOWCERTCertDBHandle **certdbPtr, NSSLOWKEYDBHandle **keydbPtr)
-{
-    CK_RV crv = CKR_OK;
-
-
-    if (!noCertDB) {
-	crv = sftk_OpenCertDB(configdir, certPrefix, readOnly, certdbPtr);
-	if (crv != CKR_OK) {
-	    if (!forceOpen) goto loser;
-	    crv = CKR_OK;
-	}
-    }
-    if (!noKeyDB) {
-
-	crv = sftk_OpenKeyDB(configdir, keyPrefix, readOnly, keydbPtr);
-	if (crv != CKR_OK) {
-	    if (!forceOpen) goto loser;
-	    crv = CKR_OK;
-	}
-    }
-
-
-loser:
-    return crv;
-}
-
-NSSLOWCERTCertDBHandle *
-sftk_getCertDB(SFTKSlot *slot)
-{
-    NSSLOWCERTCertDBHandle *certHandle;
-
-    PZ_Lock(slot->slotLock);
-    certHandle = slot->certDB;
-    if (certHandle) {
-	PR_AtomicIncrement(&certHandle->ref);
-    }
-    PZ_Unlock(slot->slotLock);
-    return certHandle;
-}
-
-NSSLOWKEYDBHandle *
-sftk_getKeyDB(SFTKSlot *slot)
-{
-    NSSLOWKEYDBHandle *keyHandle;
-
-    PZ_Lock(slot->slotLock);
-    keyHandle = slot->keyDB;
-    if (keyHandle) {
-	PR_AtomicIncrement(&keyHandle->ref);
-    }
-    PZ_Unlock(slot->slotLock);
-    return keyHandle;
-}
-
-void
-sftk_freeCertDB(NSSLOWCERTCertDBHandle *certHandle)
-{
-   PRInt32 ref = PR_AtomicDecrement(&certHandle->ref);
-   if (ref == 0) {
-	nsslowcert_ClosePermCertDB(certHandle);
-   }
-}
-
-void
-sftk_freeKeyDB(NSSLOWKEYDBHandle *keyHandle)
-{
-   PRInt32 ref = PR_AtomicDecrement(&keyHandle->ref);
-   if (ref == 0) {
-	nsslowkey_CloseKeyDB(keyHandle);
-   }
-}
-   
-
-static int rdbmapflags(int flags);
-static rdbfunc sftk_rdbfunc = NULL;
-static rdbstatusfunc sftk_rdbstatusfunc = NULL;
-
-/* NOTE: SHLIB_SUFFIX is defined on the command line */
-#define RDBLIB SHLIB_PREFIX"rdb."SHLIB_SUFFIX
-
-DB * rdbopen(const char *appName, const char *prefix, 
-			const char *type, int flags, int *status)
-{
-    PRLibrary *lib;
-    DB *db;
-
-    if (sftk_rdbfunc) {
-	db = (*sftk_rdbfunc)(appName,prefix,type,rdbmapflags(flags));
-	if (!db && status && sftk_rdbstatusfunc) {
-	    *status = (*sftk_rdbstatusfunc)();
-	}
-	return db;
-    }
-
-    /*
-     * try to open the library.
-     */
-    lib = PR_LoadLibrary(RDBLIB);
-
-    if (!lib) {
-	return NULL;
-    }
-
-    /* get the entry points */
-    sftk_rdbstatusfunc = (rdbstatusfunc) PR_FindSymbol(lib,"rdbstatus");
-    sftk_rdbfunc = (rdbfunc) PR_FindSymbol(lib,"rdbopen");
-    if (sftk_rdbfunc) {
-	db = (*sftk_rdbfunc)(appName,prefix,type,rdbmapflags(flags));
-	if (!db && status && sftk_rdbstatusfunc) {
-	    *status = (*sftk_rdbstatusfunc)();
-	}
-	return db;
-    }
-
-    /* couldn't find the entry point, unload the library and fail */
-    PR_UnloadLibrary(lib);
-    return NULL;
-}
-
-/*
- * the following data structures are from rdb.h.
- */
-struct RDBStr {
-    DB	db;
-    int (*xactstart)(DB *db);
-    int (*xactdone)(DB *db, PRBool abort);
-    int version;
-    int (*dbinitcomplete)(DB *db);
-};
-
-#define DB_RDB ((DBTYPE) 0xff)
-#define RDB_RDONLY	1
-#define RDB_RDWR 	2
-#define RDB_CREATE      4
-
-static int
-rdbmapflags(int flags) {
-   switch (flags) {
-   case NO_RDONLY:
-	return RDB_RDONLY;
-   case NO_RDWR:
-	return RDB_RDWR;
-   case NO_CREATE:
-	return RDB_CREATE;
-   default:
-	break;
-   }
-   return 0;
-}
-
-
-PRBool
-db_IsRDB(DB *db)
-{
-    return (PRBool) db->type == DB_RDB;
-}
-
-int
-db_BeginTransaction(DB *db)
-{
-    struct RDBStr *rdb = (struct RDBStr *)db;
-    if (db->type != DB_RDB) {
-	return 0;
-    }
-
-    return rdb->xactstart(db);
-}
-
-int
-db_FinishTransaction(DB *db, PRBool abort)
-{
-    struct RDBStr *rdb = (struct RDBStr *)db;
-    if (db->type != DB_RDB) {
-	return 0;
-    }
-
-    return rdb->xactdone(db, abort);
-}
-
-int
-db_InitComplete(DB *db)
-{
-    struct RDBStr *rdb = (struct RDBStr *)db;
-    if (db->type != DB_RDB) {
-	return 0;
-    }
-    /* we should have addes a version number to the RDBS structure. Since we
-     * didn't, we detect that we have and 'extended' structure if the rdbstatus
-     * func exists */
-    if (!sftk_rdbstatusfunc) {
-	return 0;
-    }
-
-    return rdb->dbinitcomplete(db);
-}
-
-
-
-SECStatus
-db_Copy(DB *dest,DB *src)
-{
-    int ret;
-    DBT key,data;
-    ret = (*src->seq)(src, &key, &data, R_FIRST);
-    if (ret)  {
-	return SECSuccess;
-    }
-
-    do {
-	(void)(*dest->put)(dest,&key,&data, R_NOOVERWRITE);
-    } while ( (*src->seq)(src, &key, &data, R_NEXT) == 0);
-    (void)(*dest->sync)(dest,0);
-
-    return SECSuccess;
-}
-
diff --git a/security/nss/lib/softoken/dbmshim.c b/security/nss/lib/softoken/dbmshim.c
deleted file mode 100644
index 04c291d7f..000000000
--- a/security/nss/lib/softoken/dbmshim.c
+++ /dev/null
@@ -1,664 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Berkeley DB 1.85 Shim code to handle blobs.
- *
- * $Id$
- */
-#include "mcom_db.h"
-#include "secitem.h"
-#include "secder.h"
-#include "prprf.h"
-#include "cdbhdl.h"
-
-/* Call to SFTK_FreeSlot below */
-
-#include "pcertt.h"
-#include "secasn1.h"
-#include "secerr.h"
-#include "nssb64.h"
-#include "blapi.h"
-#include "sechash.h"
-
-#include "pkcs11i.h"
-
-/*
- *   Blob block:
- *   Byte 0   CERTDB Version           -+                       -+
- *   Byte 1   certDBEntryTypeBlob       |  BLOB_HEAD_LEN         |
- *   Byte 2   flags (always '0');       |                        |
- *   Byte 3   reserved (always '0');   -+                        |
- *   Byte 4   LSB length                | <--BLOB_LENGTH_START   | BLOB_BUF_LEN
- *   Byte 5       .                     |                        |
- *   Byte 6       .                     | BLOB_LENGTH_LEN        |
- *   Byte 7   MSB length                |                        |
- *   Byte 8   blob_filename   -+       -+  <-- BLOB_NAME_START   |
- *   Byte 9       .            | BLOB_NAME_LEN                   |
- *     .          .            |                                 |
- *   Byte 37      .           -+                                -+
- */
-#define DBS_BLOCK_SIZE (16*1024) /* 16 k */
-#define DBS_MAX_ENTRY_SIZE (DBS_BLOCK_SIZE - (2048)) /* 14 k */
-#define DBS_CACHE_SIZE	DBS_BLOCK_SIZE*8
-#define ROUNDDIV(x,y) (x+(y-1))/y
-#define BLOB_HEAD_LEN 4
-#define BLOB_LENGTH_START BLOB_HEAD_LEN
-#define BLOB_LENGTH_LEN 4
-#define BLOB_NAME_START BLOB_LENGTH_START+BLOB_LENGTH_LEN
-#define BLOB_NAME_LEN 1+ROUNDDIV(SHA1_LENGTH,3)*4+1
-#define BLOB_BUF_LEN BLOB_HEAD_LEN+BLOB_LENGTH_LEN+BLOB_NAME_LEN
-
-/* a Shim data structure. This data structure has a db built into it. */
-typedef struct DBSStr DBS;
-
-struct DBSStr {
-    DB db;
-    char *blobdir;
-    int mode;
-    PRBool readOnly;
-    PRFileMap *dbs_mapfile;
-    unsigned char *dbs_addr;
-    PRUint32 dbs_len;
-    char staticBlobArea[BLOB_BUF_LEN];
-};
-    
-    
-
-/*
- * return true if the Datablock contains a blobtype
- */
-static PRBool
-dbs_IsBlob(DBT *blobData)
-{
-    unsigned char *addr = (unsigned char *)blobData->data;
-    if (blobData->size < BLOB_BUF_LEN) {
-	return PR_FALSE;
-    }
-    return addr && ((certDBEntryType) addr[1] == certDBEntryTypeBlob);
-}
-
-/*
- * extract the filename in the blob of the real data set.
- * This value is not malloced (does not need to be freed by the caller.
- */
-static const char *
-dbs_getBlobFileName(DBT *blobData)
-{
-    char *addr = (char *)blobData->data;
-
-    return &addr[BLOB_NAME_START];
-}
-
-/*
- * extract the size of the actual blob from the blob record
- */
-static PRUint32
-dbs_getBlobSize(DBT *blobData)
-{
-    unsigned char *addr = (unsigned char *)blobData->data;
-
-    return (PRUint32)(addr[BLOB_LENGTH_START+3] << 24) | 
-			(addr[BLOB_LENGTH_START+2] << 16) | 
-			(addr[BLOB_LENGTH_START+1] << 8) | 
-			addr[BLOB_LENGTH_START];
-}
-
-
-/* We are using base64 data for the filename, but base64 data can include a
- * '/' which is interpreted as a path separator on  many platforms. Replace it
- * with an inocuous '-'. We don't need to convert back because we never actual
- * decode the filename.
- */
-
-static void
-dbs_replaceSlash(char *cp, int len)
-{
-   while (len--) {
-	if (*cp == '/') *cp = '-';
-	cp++;
-   }
-}
-
-/*
- * create a blob record from a key, data and return it in blobData.
- * NOTE: The data element is static data (keeping with the dbm model).
- */
-static void
-dbs_mkBlob(DBS *dbsp,const DBT *key, const DBT *data, DBT *blobData)
-{
-   unsigned char sha1_data[SHA1_LENGTH];
-   char *b = dbsp->staticBlobArea;
-   PRUint32 length = data->size;
-   SECItem sha1Item;
-
-   b[0] = CERT_DB_FILE_VERSION; /* certdb version number */
-   b[1] = (char) certDBEntryTypeBlob; /* type */
-   b[2] = 0; /* flags */
-   b[3] = 0; /* reserved */
-   b[BLOB_LENGTH_START] = length & 0xff;
-   b[BLOB_LENGTH_START+1] = (length >> 8) & 0xff;
-   b[BLOB_LENGTH_START+2] = (length >> 16) & 0xff;
-   b[BLOB_LENGTH_START+3] = (length >> 24) & 0xff;
-   sha1Item.data = sha1_data;
-   sha1Item.len = SHA1_LENGTH;
-   SHA1_HashBuf(sha1_data,key->data,key->size);
-   b[BLOB_NAME_START]='b'; /* Make sure we start with a alpha */
-   NSSBase64_EncodeItem(NULL,&b[BLOB_NAME_START+1],BLOB_NAME_LEN-1,&sha1Item);
-   b[BLOB_BUF_LEN-1] = 0;
-   dbs_replaceSlash(&b[BLOB_NAME_START+1],BLOB_NAME_LEN-1);
-   blobData->data = b;
-   blobData->size = BLOB_BUF_LEN;
-   return;
-}
-   
-
-/*
- * construct a path to the actual blob. The string returned must be
- * freed by the caller with PR_smprintf_free.
- *
- * Note: this file does lots of consistancy checks on the DBT. The
- * routines that call this depend on these checks, so they don't worry
- * about them (success of this routine implies a good blobdata record).
- */ 
-static char *
-dbs_getBlobFilePath(char *blobdir,DBT *blobData)
-{
-    const char *name;
-
-    if (blobdir == NULL) {
-	PR_SetError(SEC_ERROR_BAD_DATABASE,0);
-	return NULL;
-    }
-    if (!dbs_IsBlob(blobData)) {
-	PR_SetError(SEC_ERROR_BAD_DATABASE,0);
-	return NULL;
-    }
-    name = dbs_getBlobFileName(blobData);
-    if (!name || *name == 0) {
-	PR_SetError(SEC_ERROR_BAD_DATABASE,0);
-	return NULL;
-    }
-    return  PR_smprintf("%s" PATH_SEPARATOR "%s", blobdir, name);
-}
-
-/*
- * Delete a blob file pointed to by the blob record.
- */
-static void
-dbs_removeBlob(DBS *dbsp, DBT *blobData)
-{
-    char *file;
-
-    file = dbs_getBlobFilePath(dbsp->blobdir, blobData);
-    if (!file) {
-	return;
-    }
-    PR_Delete(file);
-    PR_smprintf_free(file);
-}
-
-/*
- * Directory modes are slightly different, the 'x' bit needs to be on to
- * access them. Copy all the read bits to 'x' bits
- */
-static int
-dbs_DirMode(int mode)
-{
-  int x_bits = (mode >> 2) &  0111;
-  return mode | x_bits;
-}
-
-/*
- * write a data blob to it's file. blobdData is the blob record that will be
- * stored in the database. data is the actual data to go out on disk.
- */
-static int
-dbs_writeBlob(DBS *dbsp, int mode, DBT *blobData, const DBT *data)
-{
-    char *file = NULL;
-    PRFileDesc *filed;
-    PRStatus status;
-    int len;
-    int error = 0;
-
-    file = dbs_getBlobFilePath(dbsp->blobdir, blobData);
-    if (!file) {
-	goto loser;
-    }
-    if (PR_Access(dbsp->blobdir, PR_ACCESS_EXISTS) != PR_SUCCESS) {
-	status = PR_MkDir(dbsp->blobdir,dbs_DirMode(mode));
-	if (status != PR_SUCCESS) {
-	    goto loser;
-	}
-    }
-    filed = PR_OpenFile(file,PR_CREATE_FILE|PR_TRUNCATE|PR_WRONLY, mode);
-    if (filed == NULL) {
-	error = PR_GetError();
-	goto loser;
-    }
-    len = PR_Write(filed,data->data,data->size);
-    error = PR_GetError();
-    PR_Close(filed);
-    if (len < (int)data->size) {
-	goto loser;
-    }
-    PR_smprintf_free(file);
-    return 0;
-
-loser:
-    if (file) {
-	PR_Delete(file);
-	PR_smprintf_free(file);
-    }
-    /* don't let close or delete reset the error */
-    PR_SetError(error,0);
-    return -1;
-}
-
-
-/*
- * we need to keep a address map in memory between calls to DBM.
- * remember what we have mapped can close it when we get another dbm
- * call. 
- *
- * NOTE: Not all platforms support mapped files. This code is designed to
- * detect this at runtime. If map files aren't supported the OS will indicate
- * this by failing the PR_Memmap call. In this case we emulate mapped files
- * by just reading in the file into regular memory. We signal this state by
- * making dbs_mapfile NULL and dbs_addr non-NULL.
- */
-
-static void
-dbs_freemap(DBS *dbsp)
-{
-    if (dbsp->dbs_mapfile) {
-	PR_MemUnmap(dbsp->dbs_addr,dbsp->dbs_len);
-	PR_CloseFileMap(dbsp->dbs_mapfile);
-	dbsp->dbs_mapfile = NULL;
-	dbsp->dbs_addr = NULL;
-	dbsp->dbs_len = 0;
-    } else if (dbsp->dbs_addr) {
-	PORT_Free(dbsp->dbs_addr);
-	dbsp->dbs_addr = NULL;
-	dbsp->dbs_len = 0;
-    }
-    return;
-}
-
-static void
-dbs_setmap(DBS *dbsp, PRFileMap *mapfile, unsigned char *addr, PRUint32 len)
-{
-    dbsp->dbs_mapfile = mapfile;
-    dbsp->dbs_addr = addr;
-    dbsp->dbs_len = len;
-}
-
-/*
- * platforms that cannot map the file need to read it into a temp buffer.
- */
-static unsigned char *
-dbs_EmulateMap(PRFileDesc *filed, int len)
-{
-    unsigned char *addr;
-    PRInt32 dataRead;
-
-    addr = PORT_Alloc(len);
-    if (addr == NULL) {
-	return NULL;
-    }
-
-    dataRead = PR_Read(filed,addr,len);
-    if (dataRead != len) {
-	PORT_Free(addr);
-	if (dataRead > 0) {
-	    /* PR_Read didn't set an error, we need to */
-	    PR_SetError(SEC_ERROR_BAD_DATABASE,0);
-	}
-	return NULL;
-    }
-
-    return addr;
-}
-
-
-/*
- * pull a database record off the disk
- * data points to the blob record on input and the real record (if we could
- * read it) on output. if there is an error data is not modified.
- */
-static int
-dbs_readBlob(DBS *dbsp, DBT *data)
-{
-    char *file = NULL;
-    PRFileDesc *filed = NULL;
-    PRFileMap *mapfile = NULL;
-    unsigned char *addr = NULL;
-    int error;
-    int len = -1;
-
-    file = dbs_getBlobFilePath(dbsp->blobdir, data);
-    if (!file) {
-	goto loser;
-    }
-    filed = PR_OpenFile(file,PR_RDONLY,0);
-    PR_smprintf_free(file); file = NULL;
-    if (filed == NULL) {
-	goto loser;
-    }
-
-    len = dbs_getBlobSize(data);
-    mapfile = PR_CreateFileMap(filed, len, PR_PROT_READONLY);
-    if (mapfile == NULL) {
-	 /* USE PR_GetError instead of PORT_GetError here
-	  * because we are getting the error from PR_xxx
-	  * function */
-	if (PR_GetError() != PR_NOT_IMPLEMENTED_ERROR) {
-	    goto loser;
-	}
-	addr = dbs_EmulateMap(filed, len);
-    } else {
-	addr = PR_MemMap(mapfile, 0, len);
-    }
-    if (addr == NULL) {
-	goto loser;
-    }
-    PR_Close(filed);
-    dbs_setmap(dbsp,mapfile,addr,len);
-
-    data->data = addr;
-    data->size = len;
-    return 0;
-
-loser:
-    /* preserve the error code */
-    error = PR_GetError();
-    if (addr) {
-	if (mapfile) {
-	    PORT_Assert(len != -1);
-	    PR_MemUnmap(addr,len);
-	} else {
-	    PORT_Free(addr);
-	}
-    }
-    if (mapfile) {
-	PR_CloseFileMap(mapfile);
-    }
-    if (filed) {
-	PR_Close(filed);
-    }
-    PR_SetError(error,0);
-    return -1;
-}
-
-/*
- * actual DBM shims
- */
-static int
-dbs_get(const DB *dbs, const DBT *key, DBT *data, unsigned int flags)
-{
-    int ret;
-    DBS *dbsp = (DBS *)dbs;
-    DB *db = (DB *)dbs->internal;
-    
-
-    dbs_freemap(dbsp);
-    
-    ret = (* db->get)(db, key, data, flags);
-    if ((ret == 0) && dbs_IsBlob(data)) {
-	ret = dbs_readBlob(dbsp,data);
-    }
-
-    return(ret);
-}
-
-static int
-dbs_put(const DB *dbs, DBT *key, const DBT *data, unsigned int flags)
-{
-    DBT blob;
-    int ret = 0;
-    DBS *dbsp = (DBS *)dbs;
-    DB *db = (DB *)dbs->internal;
-
-    dbs_freemap(dbsp);
-
-    /* If the db is readonly, just pass the data down to rdb and let it fail */
-    if (!dbsp->readOnly) {
-	DBT oldData;
-	int ret1;
-
-	/* make sure the current record is deleted if it's a blob */
-	ret1 = (*db->get)(db,key,&oldData,0);
-        if ((ret1 == 0) && flags == R_NOOVERWRITE) {
-	    /* let DBM return the error to maintain consistancy */
-	    return (* db->put)(db, key, data, flags);
-	}
-	if ((ret1 == 0) && dbs_IsBlob(&oldData)) {
-	    dbs_removeBlob(dbsp, &oldData);
-	}
-
-	if (data->size > DBS_MAX_ENTRY_SIZE) {
-	    dbs_mkBlob(dbsp,key,data,&blob);
-	    ret = dbs_writeBlob(dbsp, dbsp->mode, &blob, data);
-	    data = &blob;
-	}
-    }
-
-    if (ret == 0) {
-	ret = (* db->put)(db, key, data, flags);
-    }
-    return(ret);
-}
-
-static int
-dbs_sync(const DB *dbs, unsigned int flags)
-{
-    DB *db = (DB *)dbs->internal;
-    DBS *dbsp = (DBS *)dbs;
-
-    dbs_freemap(dbsp);
-
-    return (* db->sync)(db, flags);
-}
-
-static int
-dbs_del(const DB *dbs, const DBT *key, unsigned int flags)
-{
-    int ret;
-    DBS *dbsp = (DBS *)dbs;
-    DB *db = (DB *)dbs->internal;
-
-    dbs_freemap(dbsp);
-
-    if (!dbsp->readOnly) {
-	DBT oldData;
-	ret = (*db->get)(db,key,&oldData,0);
-	if ((ret == 0) && dbs_IsBlob(&oldData)) {
-	    dbs_removeBlob(dbsp,&oldData);
-	}
-    }
-
-    return (* db->del)(db, key, flags);
-}
-
-static int
-dbs_seq(const DB *dbs, DBT *key, DBT *data, unsigned int flags)
-{
-    int ret;
-    DBS *dbsp = (DBS *)dbs;
-    DB *db = (DB *)dbs->internal;
-    
-    dbs_freemap(dbsp);
-    
-    ret = (* db->seq)(db, key, data, flags);
-    if ((ret == 0) && dbs_IsBlob(data)) {
-	/* don't return a blob read as an error so traversals keep going */
-	(void) dbs_readBlob(dbsp,data);
-    }
-
-    return(ret);
-}
-
-static int
-dbs_close(DB *dbs)
-{
-    DBS *dbsp = (DBS *)dbs;
-    DB *db = (DB *)dbs->internal;
-    int ret;
-
-    dbs_freemap(dbsp);
-    ret = (* db->close)(db);
-    PORT_Free(dbsp->blobdir);
-    PORT_Free(dbsp);
-    return ret;
-}
-
-static int
-dbs_fd(const DB *dbs)
-{
-    DB *db = (DB *)dbs->internal;
-
-    return (* db->fd)(db);
-}
-
-/*
- * the naming convention we use is
- * change the .xxx into .dir. (for nss it's always .db);
- * if no .extension exists or is equal to .dir, add a .dir 
- * the returned data must be freed.
- */
-#define DIRSUFFIX ".dir"
-static char *
-dbs_mkBlobDirName(const char *dbname)
-{
-    int dbname_len = PORT_Strlen(dbname);
-    int dbname_end = dbname_len;
-    const char *cp;
-    char *blobDir = NULL;
-
-    /* scan back from the end looking for either a directory separator, a '.',
-     * or the end of the string. NOTE: Windows should check for both separators
-     * here. For now this is safe because we know NSS always uses a '.'
-     */
-    for (cp = &dbname[dbname_len]; 
-		(cp > dbname) && (*cp != '.') && (*cp != *PATH_SEPARATOR) ;
-			cp--)
-	/* Empty */ ;
-    if (*cp == '.') {
-	dbname_end = cp - dbname;
-	if (PORT_Strcmp(cp,DIRSUFFIX) == 0) {
-	    dbname_end = dbname_len;
-	}
-    }
-    blobDir = PORT_ZAlloc(dbname_end+sizeof(DIRSUFFIX));
-    if (blobDir == NULL) {
-	return NULL;
-    }
-    PORT_Memcpy(blobDir,dbname,dbname_end);
-    PORT_Memcpy(&blobDir[dbname_end],DIRSUFFIX,sizeof(DIRSUFFIX));
-    return blobDir;
-}
-
-#define DBM_DEFAULT 0
-static const HASHINFO dbs_hashInfo = {
-	DBS_BLOCK_SIZE,		/* bucket size, must be greater than = to
-				 * or maximum entry size (+ header)
-				 * we allow before blobing */
-	DBM_DEFAULT,		/* Fill Factor */
-	DBM_DEFAULT,		/* number of elements */
-	DBS_CACHE_SIZE,		/* cache size */
-	DBM_DEFAULT,		/* hash function */
-	DBM_DEFAULT,		/* byte order */
-};
-
-/*
- * the open function. NOTE: this is the only exposed function in this file.
- * everything else is called through the function table pointer.
- */
-DB *
-dbsopen(const char *dbname, int flags, int mode, DBTYPE type,
-							 const void *userData)
-{
-    DB *db = NULL,*dbs = NULL;
-    DBS *dbsp = NULL;
-
-    /* NOTE: we are overriding userData with dbs_hashInfo. since all known
-     * callers pass 0, this is ok, otherwise we should merge the two */
-
-    dbsp = (DBS *)PORT_ZAlloc(sizeof(DBS));
-    if (!dbsp) {
-	return NULL;
-    }
-    dbs = &dbsp->db;
-
-    dbsp->blobdir=dbs_mkBlobDirName(dbname);
-    if (dbsp->blobdir == NULL) {
-	goto loser;
-    }
-    dbsp->mode = mode;
-    dbsp->readOnly = (PRBool)(flags == NO_RDONLY);
-    dbsp->dbs_mapfile = NULL;
-    dbsp->dbs_addr = NULL;
-    dbsp->dbs_len = 0;
-
-    /* the real dbm call */
-    db = dbopen(dbname, flags, mode, type, &dbs_hashInfo);
-    if (db == NULL) {
-	goto loser;
-    }
-    dbs->internal = (void *) db;
-    dbs->type = type;
-    dbs->close = dbs_close;
-    dbs->get = dbs_get;
-    dbs->del = dbs_del;
-    dbs->put = dbs_put;
-    dbs->seq = dbs_seq;
-    dbs->sync = dbs_sync;
-    dbs->fd = dbs_fd;
-
-    return dbs;
-loser:
-    if (db) {
-	(*db->close)(db);
-    }
-    if (dbsp && dbsp->blobdir) {
-	PORT_Free(dbsp->blobdir);
-    }
-    if (dbsp) {
-	PORT_Free(dbsp);
-    }
-    return NULL;
-}
diff --git a/security/nss/lib/softoken/ecdecode.c b/security/nss/lib/softoken/ecdecode.c
deleted file mode 100644
index e649ff899..000000000
--- a/security/nss/lib/softoken/ecdecode.c
+++ /dev/null
@@ -1,687 +0,0 @@
-/*
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Elliptic Curve Cryptography library.
- *
- * The Initial Developer of the Original Code is
- * Sun Microsystems, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2003
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com> and
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef NSS_ENABLE_ECC
-
-#include "blapi.h"
-#include "secoid.h"
-#include "secitem.h"
-#include "secerr.h"
-#include "ec.h"
-#include "ecl-curve.h"
-
-#define CHECK_OK(func) if (func == NULL) goto cleanup
-#define CHECK_SEC_OK(func) if (SECSuccess != (rv = func)) goto cleanup
-
-/* Initializes a SECItem from a hexadecimal string */
-static SECItem *
-hexString2SECItem(PRArenaPool *arena, SECItem *item, const char *str)
-{
-    int i = 0;
-    int byteval = 0;
-    int tmp = PORT_Strlen(str);
-
-    if ((tmp % 2) != 0) return NULL;
-    
-    item->data = (unsigned char *) PORT_ArenaAlloc(arena, tmp/2);
-    if (item->data == NULL) return NULL;
-    item->len = tmp/2;
-
-    while (str[i]) {
-        if ((str[i] >= '0') && (str[i] <= '9'))
-	    tmp = str[i] - '0';
-	else if ((str[i] >= 'a') && (str[i] <= 'f'))
-	    tmp = str[i] - 'a' + 10;
-	else if ((str[i] >= 'A') && (str[i] <= 'F'))
-	    tmp = str[i] - 'A' + 10;
-	else
-	    return NULL;
-
-	byteval = byteval * 16 + tmp;
-	if ((i % 2) != 0) {
-	    item->data[i/2] = byteval;
-	    byteval = 0;
-	}
-	i++;
-    }
-
-    return item;
-}
-
-/* Copy all of the fields from srcParams into dstParams
- */
-SECStatus
-EC_CopyParams(PRArenaPool *arena, ECParams *dstParams,
-	      const ECParams *srcParams)
-{
-    SECStatus rv = SECFailure;
-
-    dstParams->arena = arena;
-    dstParams->type = srcParams->type;
-    dstParams->fieldID.size = srcParams->fieldID.size;
-    dstParams->fieldID.type = srcParams->fieldID.type;
-    if (srcParams->fieldID.type == ec_field_GFp) {
-	CHECK_SEC_OK(SECITEM_CopyItem(arena, &dstParams->fieldID.u.prime,
-	    &srcParams->fieldID.u.prime));
-    } else {
-	CHECK_SEC_OK(SECITEM_CopyItem(arena, &dstParams->fieldID.u.poly,
-	    &srcParams->fieldID.u.poly));
-    }
-    dstParams->fieldID.k1 = srcParams->fieldID.k1;
-    dstParams->fieldID.k2 = srcParams->fieldID.k2;
-    dstParams->fieldID.k3 = srcParams->fieldID.k3;
-    CHECK_SEC_OK(SECITEM_CopyItem(arena, &dstParams->curve.a,
-	&srcParams->curve.a));
-    CHECK_SEC_OK(SECITEM_CopyItem(arena, &dstParams->curve.b,
-	&srcParams->curve.b));
-    CHECK_SEC_OK(SECITEM_CopyItem(arena, &dstParams->curve.seed,
-	&srcParams->curve.seed));
-    CHECK_SEC_OK(SECITEM_CopyItem(arena, &dstParams->base,
-	&srcParams->base));
-    CHECK_SEC_OK(SECITEM_CopyItem(arena, &dstParams->order,
-	&srcParams->order));
-    CHECK_SEC_OK(SECITEM_CopyItem(arena, &dstParams->DEREncoding,
-	&srcParams->DEREncoding));
-	dstParams->name = srcParams->name;
-    CHECK_SEC_OK(SECITEM_CopyItem(arena, &dstParams->curveOID,
- 	&srcParams->curveOID));
-    dstParams->cofactor = srcParams->cofactor;
-
-    return SECSuccess;
-
-cleanup:
-    return SECFailure;
-}
-
-SECStatus
-EC_FillParams(PRArenaPool *arena, const SECItem *encodedParams, 
-    ECParams *params)
-{
-    SECOidTag tag;
-    SECItem oid = { siBuffer, NULL, 0};
-    const ECCurveParams *curveParams;
-    char genenc[2 + 2 * 2 * MAX_ECKEY_LEN];
-
-#if EC_DEBUG
-    int i;
-
-    printf("Encoded params in EC_DecodeParams: ");
-    for (i = 0; i < encodedParams->len; i++) {
-	    printf("%02x:", encodedParams->data[i]);
-    }
-    printf("\n");
-#endif
-
-    if ((encodedParams->len != ANSI_X962_CURVE_OID_TOTAL_LEN) &&
-	(encodedParams->len != SECG_CURVE_OID_TOTAL_LEN)) {
-	    PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
-	    return SECFailure;
-    };
-
-    oid.len = encodedParams->len - 2;
-    oid.data = encodedParams->data + 2;
-    if ((encodedParams->data[0] != SEC_ASN1_OBJECT_ID) ||
-	((tag = SECOID_FindOIDTag(&oid)) == SEC_OID_UNKNOWN)) { 
-	    PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
-	    return SECFailure;
-    }
-
-    params->arena = arena;
-    params->cofactor = 0;
-    params->type = ec_params_named;
-    params->name = ECCurve_noName;
-
-    /* For named curves, fill out curveOID */
-    params->curveOID.len = oid.len;
-    params->curveOID.data = (unsigned char *) PORT_ArenaAlloc(arena, oid.len);
-    if (params->curveOID.data == NULL) goto cleanup;
-    memcpy(params->curveOID.data, oid.data, oid.len);
-
-#if EC_DEBUG
-    printf("Curve: %s\n", SECOID_FindOIDTagDescription(tag));
-#endif
-
-    switch (tag) {
-
-#define GF2M_POPULATE \
-	if ((params->name < ECCurve_noName) || \
-	    (params->name > ECCurve_pastLastCurve)) goto cleanup; \
-	CHECK_OK(curveParams); \
-	params->fieldID.size = curveParams->size; \
-	params->fieldID.type = ec_field_GF2m; \
-	CHECK_OK(hexString2SECItem(params->arena, &params->fieldID.u.poly, \
-	    curveParams->irr)); \
-	CHECK_OK(hexString2SECItem(params->arena, &params->curve.a, \
-	    curveParams->curvea)); \
-	CHECK_OK(hexString2SECItem(params->arena, &params->curve.b, \
-	    curveParams->curveb)); \
-	genenc[0] = '0'; \
-	genenc[1] = '4'; \
-	genenc[2] = '\0'; \
-	CHECK_OK(strcat(genenc, curveParams->genx)); \
-	CHECK_OK(strcat(genenc, curveParams->geny)); \
-	CHECK_OK(hexString2SECItem(params->arena, &params->base, \
-	    genenc)); \
-	CHECK_OK(hexString2SECItem(params->arena, &params->order, \
-	    curveParams->order)); \
-	params->cofactor = curveParams->cofactor;
-
-    case SEC_OID_ANSIX962_EC_C2PNB163V1:
-	/* Populate params for c2pnb163v1 */
-	params->name = ECCurve_X9_62_CHAR2_PNB163V1;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_ANSIX962_EC_C2PNB163V2:
-	/* Populate params for c2pnb163v2 */
-	params->name = ECCurve_X9_62_CHAR2_PNB163V2;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_ANSIX962_EC_C2PNB163V3:
-	/* Populate params for c2pnb163v3 */
-	params->name = ECCurve_X9_62_CHAR2_PNB163V3;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_ANSIX962_EC_C2PNB176V1:
-	/* Populate params for c2pnb176v1 */
-	params->name = ECCurve_X9_62_CHAR2_PNB176V1;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_ANSIX962_EC_C2TNB191V1:
-	/* Populate params for c2tnb191v1 */
-	params->name = ECCurve_X9_62_CHAR2_TNB191V1;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_ANSIX962_EC_C2TNB191V2:
-	/* Populate params for c2tnb191v2 */
-	params->name = ECCurve_X9_62_CHAR2_TNB191V2;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_ANSIX962_EC_C2TNB191V3:
-	/* Populate params for c2tnb191v3 */
-	params->name = ECCurve_X9_62_CHAR2_TNB191V3;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_ANSIX962_EC_C2PNB208W1:
-	/* Populate params for c2pnb208w1 */
-	params->name = ECCurve_X9_62_CHAR2_PNB208W1;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_ANSIX962_EC_C2TNB239V1:
-	/* Populate params for c2tnb239v1 */
-	params->name = ECCurve_X9_62_CHAR2_TNB239V1;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_ANSIX962_EC_C2TNB239V2:
-	/* Populate params for c2tnb239v2 */
-	params->name = ECCurve_X9_62_CHAR2_TNB239V2;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_ANSIX962_EC_C2TNB239V3:
-	/* Populate params for c2tnb239v3 */
-	params->name = ECCurve_X9_62_CHAR2_TNB239V3;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_ANSIX962_EC_C2PNB272W1:
-	/* Populate params for c2pnb272w1 */
-	params->name = ECCurve_X9_62_CHAR2_PNB272W1;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_ANSIX962_EC_C2PNB304W1:
-	/* Populate params for c2pnb304w1 */
-	params->name = ECCurve_X9_62_CHAR2_PNB304W1;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_ANSIX962_EC_C2TNB359V1:
-	/* Populate params for c2tnb359v1 */
-	params->name = ECCurve_X9_62_CHAR2_TNB359V1;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_ANSIX962_EC_C2PNB368W1:
-	/* Populate params for c2pnb368w1 */
-	params->name = ECCurve_X9_62_CHAR2_PNB368W1;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_ANSIX962_EC_C2TNB431R1:
-	/* Populate params for c2tnb431r1 */
-	params->name = ECCurve_X9_62_CHAR2_TNB431R1;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-	
-    case SEC_OID_SECG_EC_SECT113R1:
-	/* Populate params for sect113r1 */
-	params->name = ECCurve_SECG_CHAR2_113R1;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_SECG_EC_SECT113R2:
-	/* Populate params for sect113r2 */
-	params->name = ECCurve_SECG_CHAR2_113R2;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_SECG_EC_SECT131R1:
-	/* Populate params for sect131r1 */
-	params->name = ECCurve_SECG_CHAR2_131R1;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_SECG_EC_SECT131R2:
-	/* Populate params for sect131r2 */
-	params->name = ECCurve_SECG_CHAR2_131R2;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_SECG_EC_SECT163K1:
-	/* Populate params for sect163k1
-	 * (the NIST K-163 curve)
-	 */
-	params->name = ECCurve_SECG_CHAR2_163K1;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_SECG_EC_SECT163R1:
-	/* Populate params for sect163r1 */
-	params->name = ECCurve_SECG_CHAR2_163R1;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_SECG_EC_SECT163R2:
-	/* Populate params for sect163r2
-	 * (the NIST B-163 curve)
-	 */
-	params->name = ECCurve_SECG_CHAR2_163R2;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_SECG_EC_SECT193R1:
-	/* Populate params for sect193r1 */
-	params->name = ECCurve_SECG_CHAR2_193R1;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_SECG_EC_SECT193R2:
-	/* Populate params for sect193r2 */
-	params->name = ECCurve_SECG_CHAR2_193R2;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_SECG_EC_SECT233K1:
-	/* Populate params for sect233k1
-	 * (the NIST K-233 curve)
-	 */
-	params->name = ECCurve_SECG_CHAR2_233K1;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_SECG_EC_SECT233R1:
-	/* Populate params for sect233r1
-	 * (the NIST B-233 curve)
-	 */
-	params->name = ECCurve_SECG_CHAR2_233R1;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_SECG_EC_SECT239K1:
-	/* Populate params for sect239k1 */
-	params->name = ECCurve_SECG_CHAR2_239K1;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_SECG_EC_SECT283K1:
-        /* Populate params for sect283k1
-	 * (the NIST K-283 curve)
-	 */
-	params->name = ECCurve_SECG_CHAR2_283K1;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_SECG_EC_SECT283R1:
-	/* Populate params for sect283r1
-	 * (the NIST B-283 curve)
-	 */
-	params->name = ECCurve_SECG_CHAR2_283R1;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_SECG_EC_SECT409K1:
-	/* Populate params for sect409k1
-	 * (the NIST K-409 curve)
-	 */
-	params->name = ECCurve_SECG_CHAR2_409K1;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_SECG_EC_SECT409R1:
-	/* Populate params for sect409r1
-	 * (the NIST B-409 curve)
-	 */
-	params->name = ECCurve_SECG_CHAR2_409R1;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_SECG_EC_SECT571K1:
-	/* Populate params for sect571k1
-	 * (the NIST K-571 curve)
-	 */
-	params->name = ECCurve_SECG_CHAR2_571K1;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-    case SEC_OID_SECG_EC_SECT571R1:
-	/* Populate params for sect571r1
-	 * (the NIST B-571 curve)
-	 */
-	params->name = ECCurve_SECG_CHAR2_571R1;
-	curveParams = ecCurve_map[params->name];
-	GF2M_POPULATE
-	break;
-
-#define GFP_POPULATE \
-	if ((params->name < ECCurve_noName) || \
-	    (params->name > ECCurve_pastLastCurve)) goto cleanup; \
-	CHECK_OK(curveParams); \
-	params->fieldID.size = curveParams->size; \
-	params->fieldID.type = ec_field_GFp; \
-	CHECK_OK(hexString2SECItem(params->arena, &params->fieldID.u.prime, \
-	    curveParams->irr)); \
-	CHECK_OK(hexString2SECItem(params->arena, &params->curve.a, \
-	    curveParams->curvea)); \
-	CHECK_OK(hexString2SECItem(params->arena, &params->curve.b, \
-	    curveParams->curveb)); \
-	genenc[0] = '0'; \
-	genenc[1] = '4'; \
-	genenc[2] = '\0'; \
-	CHECK_OK(strcat(genenc, curveParams->genx)); \
-	CHECK_OK(strcat(genenc, curveParams->geny)); \
-	CHECK_OK(hexString2SECItem(params->arena, &params->base, \
-	    genenc)); \
-	CHECK_OK(hexString2SECItem(params->arena, &params->order, \
-	    curveParams->order)); \
-	params->cofactor = curveParams->cofactor;
-
-    case SEC_OID_ANSIX962_EC_PRIME192V1:
-	/* Populate params for prime192v1 aka secp192r1 
-	 * (the NIST P-192 curve)
-	 */
-	params->name = ECCurve_X9_62_PRIME_192V1;
-	curveParams = ecCurve_map[params->name];
-	GFP_POPULATE
-	break;
-
-    case SEC_OID_ANSIX962_EC_PRIME192V2:
-	/* Populate params for prime192v2 */
-	params->name = ECCurve_X9_62_PRIME_192V2;
-	curveParams = ecCurve_map[params->name];
-	GFP_POPULATE
-	break;
-
-    case SEC_OID_ANSIX962_EC_PRIME192V3:
-	/* Populate params for prime192v3 */
-	params->name = ECCurve_X9_62_PRIME_192V3;
-	curveParams = ecCurve_map[params->name];
-	GFP_POPULATE
-	break;
-	
-    case SEC_OID_ANSIX962_EC_PRIME239V1:
-	/* Populate params for prime239v1 */
-	params->name = ECCurve_X9_62_PRIME_239V1;
-	curveParams = ecCurve_map[params->name];
-	GFP_POPULATE
-	break;
-
-    case SEC_OID_ANSIX962_EC_PRIME239V2:
-	/* Populate params for prime239v2 */
-	params->name = ECCurve_X9_62_PRIME_239V2;
-	curveParams = ecCurve_map[params->name];
-	GFP_POPULATE
-	break;
-
-    case SEC_OID_ANSIX962_EC_PRIME239V3:
-	/* Populate params for prime239v3 */
-	params->name = ECCurve_X9_62_PRIME_239V3;
-	curveParams = ecCurve_map[params->name];
-	GFP_POPULATE
-	break;
-
-    case SEC_OID_ANSIX962_EC_PRIME256V1:
-	/* Populate params for prime256v1 aka secp256r1
-	 * (the NIST P-256 curve)
-	 */
-	params->name = ECCurve_X9_62_PRIME_256V1;
-	curveParams = ecCurve_map[params->name];
-	GFP_POPULATE
-	break;
-
-    case SEC_OID_SECG_EC_SECP112R1:
-        /* Populate params for secp112r1 */
-	params->name = ECCurve_SECG_PRIME_112R1;
-	curveParams = ecCurve_map[params->name];
-	GFP_POPULATE
-	break;
-
-    case SEC_OID_SECG_EC_SECP112R2:
-        /* Populate params for secp112r2 */
-	params->name = ECCurve_SECG_PRIME_112R2;
-	curveParams = ecCurve_map[params->name];
-	GFP_POPULATE
-	break;
-
-    case SEC_OID_SECG_EC_SECP128R1:
-        /* Populate params for secp128r1 */
-	params->name = ECCurve_SECG_PRIME_128R1;
-	curveParams = ecCurve_map[params->name];
-	GFP_POPULATE
-	break;
-
-    case SEC_OID_SECG_EC_SECP128R2:
-        /* Populate params for secp128r2 */
-	params->name = ECCurve_SECG_PRIME_128R2;
-	curveParams = ecCurve_map[params->name];
-	GFP_POPULATE
-	break;
-	
-    case SEC_OID_SECG_EC_SECP160K1:
-        /* Populate params for secp160k1 */
-	params->name = ECCurve_SECG_PRIME_160K1;
-	curveParams = ecCurve_map[params->name];
-	GFP_POPULATE
-	break;
-
-    case SEC_OID_SECG_EC_SECP160R1:
-        /* Populate params for secp160r1 */
-	params->name = ECCurve_SECG_PRIME_160R1;
-	curveParams = ecCurve_map[params->name];
-	GFP_POPULATE
-	break;
-
-    case SEC_OID_SECG_EC_SECP160R2:
-	/* Populate params for secp160r1 */
-	params->name = ECCurve_SECG_PRIME_160R2;
-	curveParams = ecCurve_map[params->name];
-	GFP_POPULATE
-	break;
-
-    case SEC_OID_SECG_EC_SECP192K1:
-	/* Populate params for secp192k1 */
-	params->name = ECCurve_SECG_PRIME_192K1;
-	curveParams = ecCurve_map[params->name];
-	GFP_POPULATE
-	break;
-
-    case SEC_OID_SECG_EC_SECP224K1:
-	/* Populate params for secp224k1 */
-	params->name = ECCurve_SECG_PRIME_224K1;
-	curveParams = ecCurve_map[params->name];
-	GFP_POPULATE
-	break;
-
-    case SEC_OID_SECG_EC_SECP224R1:
-	/* Populate params for secp224r1 
-	 * (the NIST P-224 curve)
-	 */
-	params->name = ECCurve_SECG_PRIME_224R1;
-	curveParams = ecCurve_map[params->name];
-	GFP_POPULATE
-	break;
-
-    case SEC_OID_SECG_EC_SECP256K1:
-	/* Populate params for secp256k1 */
-	params->name = ECCurve_SECG_PRIME_256K1;
-	curveParams = ecCurve_map[params->name];
-	GFP_POPULATE
-	break;
-
-    case SEC_OID_SECG_EC_SECP384R1:
-	/* Populate params for secp384r1
-	 * (the NIST P-384 curve)
-	 */
-	params->name = ECCurve_SECG_PRIME_384R1;
-	curveParams = ecCurve_map[params->name];
-	GFP_POPULATE
-	break;
-
-    case SEC_OID_SECG_EC_SECP521R1:
-	/* Populate params for secp521r1 
-	 * (the NIST P-521 curve)
-	 */
-	params->name = ECCurve_SECG_PRIME_521R1;
-	curveParams = ecCurve_map[params->name];
-	GFP_POPULATE
-	break;
-
-    default:
-	break;
-    };
-
-cleanup:
-    if (!params->cofactor) {
-	PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
-#if EC_DEBUG
-	printf("Unrecognized curve, returning NULL params\n");
-#endif
-	return SECFailure;
-    }
-
-    return SECSuccess;
-}
-
-SECStatus
-EC_DecodeParams(const SECItem *encodedParams, ECParams **ecparams)
-{
-    PRArenaPool *arena;
-    ECParams *params;
-    SECStatus rv = SECFailure;
-
-    /* Initialize an arena for the ECParams structure */
-    if (!(arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE)))
-	return SECFailure;
-
-    params = (ECParams *)PORT_ArenaZAlloc(arena, sizeof(ECParams));
-    if (!params) {
-	PORT_FreeArena(arena, PR_TRUE);
-	return SECFailure;
-    }
-
-    /* Copy the encoded params */
-    SECITEM_AllocItem(arena, &(params->DEREncoding),
-	encodedParams->len);
-    memcpy(params->DEREncoding.data, encodedParams->data, encodedParams->len);
-
-    /* Fill out the rest of the ECParams structure based on 
-     * the encoded params 
-     */
-    rv = EC_FillParams(arena, encodedParams, params);
-    if (rv == SECFailure) {
-	PORT_FreeArena(arena, PR_TRUE);	
-	return SECFailure;
-    } else {
-	*ecparams = params;;
-	return SECSuccess;
-    }
-}
-
-#endif /* NSS_ENABLE_ECC */
diff --git a/security/nss/lib/softoken/fipstest.c b/security/nss/lib/softoken/fipstest.c
deleted file mode 100644
index acee77676..000000000
--- a/security/nss/lib/softoken/fipstest.c
+++ /dev/null
@@ -1,1494 +0,0 @@
-/*
- * PKCS #11 FIPS Power-Up Self Test.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "softoken.h"   /* Required for RC2-ECB, RC2-CBC, RC4, DES-ECB,  */
-                        /*              DES-CBC, DES3-ECB, DES3-CBC, RSA */
-                        /*              and DSA.                         */
-#include "seccomon.h"   /* Required for RSA and DSA. */
-#include "lowkeyi.h"     /* Required for RSA and DSA. */
-#include "pkcs11.h"     /* Required for PKCS #11. */
-#include "secerr.h"
-
-/* FIPS preprocessor directives for RC2-ECB and RC2-CBC.        */
-#define FIPS_RC2_KEY_LENGTH                      5  /*  40-bits */
-#define FIPS_RC2_ENCRYPT_LENGTH                  8  /*  64-bits */
-#define FIPS_RC2_DECRYPT_LENGTH                  8  /*  64-bits */
-
-
-/* FIPS preprocessor directives for RC4.                        */
-#define FIPS_RC4_KEY_LENGTH                      5  /*  40-bits */
-#define FIPS_RC4_ENCRYPT_LENGTH                  8  /*  64-bits */
-#define FIPS_RC4_DECRYPT_LENGTH                  8  /*  64-bits */
-
-
-/* FIPS preprocessor directives for DES-ECB and DES-CBC.        */
-#define FIPS_DES_ENCRYPT_LENGTH                  8  /*  64-bits */
-#define FIPS_DES_DECRYPT_LENGTH                  8  /*  64-bits */
-
-
-/* FIPS preprocessor directives for DES3-CBC and DES3-ECB.      */
-#define FIPS_DES3_ENCRYPT_LENGTH                 8  /*  64-bits */
-#define FIPS_DES3_DECRYPT_LENGTH                 8  /*  64-bits */
-
-
-/* FIPS preprocessor directives for AES-ECB and AES-CBC.        */
-#define FIPS_AES_BLOCK_SIZE                     16  /* 128-bits */
-#define FIPS_AES_ENCRYPT_LENGTH                 16  /* 128-bits */
-#define FIPS_AES_DECRYPT_LENGTH                 16  /* 128-bits */
-#define FIPS_AES_128_KEY_SIZE                   16  /* 128-bits */
-#define FIPS_AES_192_KEY_SIZE                   24  /* 192-bits */
-#define FIPS_AES_256_KEY_SIZE                   32  /* 256-bits */
-
-
-/* FIPS preprocessor directives for message digests             */
-#define FIPS_KNOWN_HASH_MESSAGE_LENGTH          64  /* 512-bits */
-
-
-/* FIPS preprocessor directives for RSA.                        */
-#define FIPS_RSA_TYPE                           siBuffer
-#define FIPS_RSA_PUBLIC_EXPONENT_LENGTH          1  /*   8-bits */
-#define FIPS_RSA_PRIVATE_VERSION_LENGTH          1  /*   8-bits */
-#define FIPS_RSA_MESSAGE_LENGTH                 16  /* 128-bits */
-#define FIPS_RSA_COEFFICIENT_LENGTH             32  /* 256-bits */
-#define FIPS_RSA_PRIME0_LENGTH                  33  /* 264-bits */
-#define FIPS_RSA_PRIME1_LENGTH                  33  /* 264-bits */
-#define FIPS_RSA_EXPONENT0_LENGTH               33  /* 264-bits */
-#define FIPS_RSA_EXPONENT1_LENGTH               33  /* 264-bits */
-#define FIPS_RSA_PRIVATE_EXPONENT_LENGTH        64  /* 512-bits */
-#define FIPS_RSA_ENCRYPT_LENGTH                 64  /* 512-bits */
-#define FIPS_RSA_DECRYPT_LENGTH                 64  /* 512-bits */
-#define FIPS_RSA_CRYPTO_LENGTH                  64  /* 512-bits */
-#define FIPS_RSA_SIGNATURE_LENGTH               64  /* 512-bits */
-#define FIPS_RSA_MODULUS_LENGTH                 65  /* 520-bits */
-
-
-/* FIPS preprocessor directives for DSA.                        */
-#define FIPS_DSA_TYPE                           siBuffer
-#define FIPS_DSA_DIGEST_LENGTH                  20  /* 160-bits */
-#define FIPS_DSA_SUBPRIME_LENGTH                20  /* 160-bits */
-#define FIPS_DSA_SIGNATURE_LENGTH               40  /* 320-bits */
-#define FIPS_DSA_PRIME_LENGTH                   64  /* 512-bits */
-#define FIPS_DSA_BASE_LENGTH                    64  /* 512-bits */
-
-static CK_RV
-sftk_fips_RC2_PowerUpSelfTest( void )
-{
-    /* RC2 Known Key (40-bits). */
-    static const PRUint8 rc2_known_key[] = { "RSARC" };
-
-    /* RC2-CBC Known Initialization Vector (64-bits). */
-    static const PRUint8 rc2_cbc_known_initialization_vector[] = {"Security"};
-
-    /* RC2 Known Plaintext (64-bits). */
-    static const PRUint8 rc2_ecb_known_plaintext[] = {"Netscape"};
-    static const PRUint8 rc2_cbc_known_plaintext[] = {"Netscape"};
-
-    /* RC2 Known Ciphertext (64-bits). */
-    static const PRUint8 rc2_ecb_known_ciphertext[] = {
-				  0x1a,0x71,0x33,0x54,0x8d,0x5c,0xd2,0x30};
-    static const PRUint8 rc2_cbc_known_ciphertext[] = {
-				  0xff,0x41,0xdb,0x94,0x8a,0x4c,0x33,0xb3};
-
-    /* RC2 variables. */
-    PRUint8        rc2_computed_ciphertext[FIPS_RC2_ENCRYPT_LENGTH];
-    PRUint8        rc2_computed_plaintext[FIPS_RC2_DECRYPT_LENGTH];
-    RC2Context *   rc2_context;
-    unsigned int   rc2_bytes_encrypted;
-    unsigned int   rc2_bytes_decrypted;
-    SECStatus      rc2_status;
-
-
-    /******************************************************/
-    /* RC2-ECB Single-Round Known Answer Encryption Test: */
-    /******************************************************/
-
-    rc2_context = RC2_CreateContext( rc2_known_key, FIPS_RC2_KEY_LENGTH,
-                                     NULL, NSS_RC2,
-                                     FIPS_RC2_KEY_LENGTH );
-
-    if( rc2_context == NULL )
-        return( CKR_HOST_MEMORY );
-
-    rc2_status = RC2_Encrypt( rc2_context, rc2_computed_ciphertext,
-                              &rc2_bytes_encrypted, FIPS_RC2_ENCRYPT_LENGTH,
-                              rc2_ecb_known_plaintext,
-                              FIPS_RC2_DECRYPT_LENGTH );
-
-    RC2_DestroyContext( rc2_context, PR_TRUE );
-
-    if( ( rc2_status != SECSuccess ) ||
-        ( rc2_bytes_encrypted != FIPS_RC2_ENCRYPT_LENGTH ) ||
-        ( PORT_Memcmp( rc2_computed_ciphertext, rc2_ecb_known_ciphertext,
-                       FIPS_RC2_ENCRYPT_LENGTH ) != 0 ) )
-        return( CKR_DEVICE_ERROR );
-
-
-    /******************************************************/
-    /* RC2-ECB Single-Round Known Answer Decryption Test: */
-    /******************************************************/
-
-    rc2_context = RC2_CreateContext( rc2_known_key, FIPS_RC2_KEY_LENGTH,
-                                     NULL, NSS_RC2,
-                                     FIPS_RC2_KEY_LENGTH );
-
-    if( rc2_context == NULL )
-        return( CKR_HOST_MEMORY );
-
-    rc2_status = RC2_Decrypt( rc2_context, rc2_computed_plaintext,
-                              &rc2_bytes_decrypted, FIPS_RC2_DECRYPT_LENGTH,
-                              rc2_ecb_known_ciphertext,
-                              FIPS_RC2_ENCRYPT_LENGTH );
-
-    RC2_DestroyContext( rc2_context, PR_TRUE );
-
-    if( ( rc2_status != SECSuccess ) ||
-        ( rc2_bytes_decrypted != FIPS_RC2_DECRYPT_LENGTH ) ||
-        ( PORT_Memcmp( rc2_computed_plaintext, rc2_ecb_known_plaintext,
-                       FIPS_RC2_DECRYPT_LENGTH ) != 0 ) )
-        return( CKR_DEVICE_ERROR );
-
-
-    /******************************************************/
-    /* RC2-CBC Single-Round Known Answer Encryption Test: */
-    /******************************************************/
-
-    rc2_context = RC2_CreateContext( rc2_known_key, FIPS_RC2_KEY_LENGTH,
-                                     rc2_cbc_known_initialization_vector,
-                                     NSS_RC2_CBC, FIPS_RC2_KEY_LENGTH );
-
-    if( rc2_context == NULL )
-        return( CKR_HOST_MEMORY );
-
-    rc2_status = RC2_Encrypt( rc2_context, rc2_computed_ciphertext,
-                              &rc2_bytes_encrypted, FIPS_RC2_ENCRYPT_LENGTH,
-                              rc2_cbc_known_plaintext,
-                              FIPS_RC2_DECRYPT_LENGTH );
-
-    RC2_DestroyContext( rc2_context, PR_TRUE );
-
-    if( ( rc2_status != SECSuccess ) ||
-        ( rc2_bytes_encrypted != FIPS_RC2_ENCRYPT_LENGTH ) ||
-        ( PORT_Memcmp( rc2_computed_ciphertext, rc2_cbc_known_ciphertext,
-                       FIPS_RC2_ENCRYPT_LENGTH ) != 0 ) )
-        return( CKR_DEVICE_ERROR );
-
-
-    /******************************************************/
-    /* RC2-CBC Single-Round Known Answer Decryption Test: */
-    /******************************************************/
-
-    rc2_context = RC2_CreateContext( rc2_known_key, FIPS_RC2_KEY_LENGTH,
-                                     rc2_cbc_known_initialization_vector,
-                                     NSS_RC2_CBC, FIPS_RC2_KEY_LENGTH );
-
-    if( rc2_context == NULL )
-        return( CKR_HOST_MEMORY );
-
-    rc2_status = RC2_Decrypt( rc2_context, rc2_computed_plaintext,
-                              &rc2_bytes_decrypted, FIPS_RC2_DECRYPT_LENGTH,
-                              rc2_cbc_known_ciphertext,
-                              FIPS_RC2_ENCRYPT_LENGTH );
-
-    RC2_DestroyContext( rc2_context, PR_TRUE );
-
-    if( ( rc2_status != SECSuccess ) ||
-        ( rc2_bytes_decrypted != FIPS_RC2_DECRYPT_LENGTH ) ||
-        ( PORT_Memcmp( rc2_computed_plaintext, rc2_ecb_known_plaintext,
-                       FIPS_RC2_DECRYPT_LENGTH ) != 0 ) )
-        return( CKR_DEVICE_ERROR );
-
-    return( CKR_OK );
-}
-
-
-static CK_RV
-sftk_fips_RC4_PowerUpSelfTest( void )
-{
-    /* RC4 Known Key (40-bits). */
-    static const PRUint8 rc4_known_key[] = { "RSARC" };
-
-    /* RC4 Known Plaintext (64-bits). */
-    static const PRUint8 rc4_known_plaintext[] = { "Netscape" };
-
-    /* RC4 Known Ciphertext (64-bits). */
-    static const PRUint8 rc4_known_ciphertext[] = {
-				0x29,0x33,0xc7,0x9a,0x9d,0x6c,0x09,0xdd};
-
-    /* RC4 variables. */
-    PRUint8        rc4_computed_ciphertext[FIPS_RC4_ENCRYPT_LENGTH];
-    PRUint8        rc4_computed_plaintext[FIPS_RC4_DECRYPT_LENGTH];
-    RC4Context *   rc4_context;
-    unsigned int   rc4_bytes_encrypted;
-    unsigned int   rc4_bytes_decrypted;
-    SECStatus      rc4_status;
-
-
-    /**************************************************/
-    /* RC4 Single-Round Known Answer Encryption Test: */
-    /**************************************************/
-
-    rc4_context = RC4_CreateContext( rc4_known_key, FIPS_RC4_KEY_LENGTH );
-
-    if( rc4_context == NULL )
-        return( CKR_HOST_MEMORY );
-
-    rc4_status = RC4_Encrypt( rc4_context, rc4_computed_ciphertext,
-                              &rc4_bytes_encrypted, FIPS_RC4_ENCRYPT_LENGTH,
-                              rc4_known_plaintext, FIPS_RC4_DECRYPT_LENGTH );
-
-    RC4_DestroyContext( rc4_context, PR_TRUE );
-
-    if( ( rc4_status != SECSuccess ) ||
-        ( rc4_bytes_encrypted != FIPS_RC4_ENCRYPT_LENGTH ) ||
-        ( PORT_Memcmp( rc4_computed_ciphertext, rc4_known_ciphertext,
-                       FIPS_RC4_ENCRYPT_LENGTH ) != 0 ) )
-        return( CKR_DEVICE_ERROR );
-
-
-    /**************************************************/
-    /* RC4 Single-Round Known Answer Decryption Test: */
-    /**************************************************/
-
-    rc4_context = RC4_CreateContext( rc4_known_key, FIPS_RC4_KEY_LENGTH );
-
-    if( rc4_context == NULL )
-        return( CKR_HOST_MEMORY );
-
-    rc4_status = RC4_Decrypt( rc4_context, rc4_computed_plaintext,
-                              &rc4_bytes_decrypted, FIPS_RC4_DECRYPT_LENGTH,
-                              rc4_known_ciphertext, FIPS_RC4_ENCRYPT_LENGTH );
-
-    RC4_DestroyContext( rc4_context, PR_TRUE );
-
-    if( ( rc4_status != SECSuccess ) ||
-        ( rc4_bytes_decrypted != FIPS_RC4_DECRYPT_LENGTH ) ||
-        ( PORT_Memcmp( rc4_computed_plaintext, rc4_known_plaintext,
-                       FIPS_RC4_DECRYPT_LENGTH ) != 0 ) )
-        return( CKR_DEVICE_ERROR );
-
-    return( CKR_OK );
-}
-
-
-static CK_RV
-sftk_fips_DES_PowerUpSelfTest( void )
-{
-    /* DES Known Key (56-bits). */
-    static const PRUint8 des_known_key[] = { "ANSI DES" };
-
-    /* DES-CBC Known Initialization Vector (64-bits). */
-    static const PRUint8 des_cbc_known_initialization_vector[] = { "Security" };
-
-    /* DES Known Plaintext (64-bits). */
-    static const PRUint8 des_ecb_known_plaintext[] = { "Netscape" };
-    static const PRUint8 des_cbc_known_plaintext[] = { "Netscape" };
-
-    /* DES Known Ciphertext (64-bits). */
-    static const PRUint8 des_ecb_known_ciphertext[] = {
-			       0x26,0x14,0xe9,0xc3,0x28,0x80,0x50,0xb0};
-    static const PRUint8 des_cbc_known_ciphertext[]  = {
-			       0x5e,0x95,0x94,0x5d,0x76,0xa2,0xd3,0x7d};
-
-    /* DES variables. */
-    PRUint8        des_computed_ciphertext[FIPS_DES_ENCRYPT_LENGTH];
-    PRUint8        des_computed_plaintext[FIPS_DES_DECRYPT_LENGTH];
-    DESContext *   des_context;
-    unsigned int   des_bytes_encrypted;
-    unsigned int   des_bytes_decrypted;
-    SECStatus      des_status;
-
-
-    /******************************************************/
-    /* DES-ECB Single-Round Known Answer Encryption Test: */
-    /******************************************************/
-
-    des_context = DES_CreateContext( des_known_key, NULL, NSS_DES, PR_TRUE );
-
-    if( des_context == NULL )
-        return( CKR_HOST_MEMORY );
-
-    des_status = DES_Encrypt( des_context, des_computed_ciphertext,
-                              &des_bytes_encrypted, FIPS_DES_ENCRYPT_LENGTH,
-                              des_ecb_known_plaintext,
-                              FIPS_DES_DECRYPT_LENGTH );
-
-    DES_DestroyContext( des_context, PR_TRUE );
-
-    if( ( des_status != SECSuccess ) ||
-        ( des_bytes_encrypted != FIPS_DES_ENCRYPT_LENGTH ) ||
-        ( PORT_Memcmp( des_computed_ciphertext, des_ecb_known_ciphertext,
-                       FIPS_DES_ENCRYPT_LENGTH ) != 0 ) )
-        return( CKR_DEVICE_ERROR );
-
-
-    /******************************************************/
-    /* DES-ECB Single-Round Known Answer Decryption Test: */
-    /******************************************************/
-
-    des_context = DES_CreateContext( des_known_key, NULL, NSS_DES, PR_FALSE );
-
-    if( des_context == NULL )
-        return( CKR_HOST_MEMORY );
-
-    des_status = DES_Decrypt( des_context, des_computed_plaintext,
-                              &des_bytes_decrypted, FIPS_DES_DECRYPT_LENGTH,
-                              des_ecb_known_ciphertext,
-                              FIPS_DES_ENCRYPT_LENGTH );
-
-    DES_DestroyContext( des_context, PR_TRUE );
-
-    if( ( des_status != SECSuccess ) ||
-        ( des_bytes_decrypted != FIPS_DES_DECRYPT_LENGTH ) ||
-        ( PORT_Memcmp( des_computed_plaintext, des_ecb_known_plaintext,
-                       FIPS_DES_DECRYPT_LENGTH ) != 0 ) )
-        return( CKR_DEVICE_ERROR );
-
-
-    /******************************************************/
-    /* DES-CBC Single-Round Known Answer Encryption Test. */
-    /******************************************************/
-
-    des_context = DES_CreateContext( des_known_key,
-                                     des_cbc_known_initialization_vector,
-                                     NSS_DES_CBC, PR_TRUE );
-
-    if( des_context == NULL )
-        return( CKR_HOST_MEMORY );
-
-    des_status = DES_Encrypt( des_context, des_computed_ciphertext,
-                              &des_bytes_encrypted, FIPS_DES_ENCRYPT_LENGTH,
-                              des_cbc_known_plaintext,
-                              FIPS_DES_DECRYPT_LENGTH );
-
-    DES_DestroyContext( des_context, PR_TRUE );
-
-    if( ( des_status != SECSuccess ) ||
-        ( des_bytes_encrypted != FIPS_DES_ENCRYPT_LENGTH ) ||
-        ( PORT_Memcmp( des_computed_ciphertext, des_cbc_known_ciphertext,
-                       FIPS_DES_ENCRYPT_LENGTH ) != 0 ) )
-        return( CKR_DEVICE_ERROR );
-
-
-    /******************************************************/
-    /* DES-CBC Single-Round Known Answer Decryption Test. */
-    /******************************************************/
-
-    des_context = DES_CreateContext( des_known_key,
-                                     des_cbc_known_initialization_vector,
-                                     NSS_DES_CBC, PR_FALSE );
-
-    if( des_context == NULL )
-        return( CKR_HOST_MEMORY );
-
-    des_status = DES_Decrypt( des_context, des_computed_plaintext,
-                              &des_bytes_decrypted, FIPS_DES_DECRYPT_LENGTH,
-                              des_cbc_known_ciphertext,
-                              FIPS_DES_ENCRYPT_LENGTH );
-
-    DES_DestroyContext( des_context, PR_TRUE );
-
-    if( ( des_status != SECSuccess ) ||
-        ( des_bytes_decrypted != FIPS_DES_DECRYPT_LENGTH ) ||
-        ( PORT_Memcmp( des_computed_plaintext, des_cbc_known_plaintext,
-                       FIPS_DES_DECRYPT_LENGTH ) != 0 ) )
-        return( CKR_DEVICE_ERROR );
-
-    return( CKR_OK );
-}
-
-
-static CK_RV
-sftk_fips_DES3_PowerUpSelfTest( void )
-{
-    /* DES3 Known Key (56-bits). */
-    static const PRUint8 des3_known_key[] = { "ANSI Triple-DES Key Data" };
-
-    /* DES3-CBC Known Initialization Vector (64-bits). */
-    static const PRUint8 des3_cbc_known_initialization_vector[] = { "Security" };
-
-    /* DES3 Known Plaintext (64-bits). */
-    static const PRUint8 des3_ecb_known_plaintext[] = { "Netscape" };
-    static const PRUint8 des3_cbc_known_plaintext[] = { "Netscape" };
-
-    /* DES3 Known Ciphertext (64-bits). */
-    static const PRUint8 des3_ecb_known_ciphertext[] = {
-			   0x55,0x8e,0xad,0x3c,0xee,0x49,0x69,0xbe};
-    static const PRUint8 des3_cbc_known_ciphertext[] = {
-			   0x43,0xdc,0x6a,0xc1,0xaf,0xa6,0x32,0xf5};
-
-    /* DES3 variables. */
-    PRUint8        des3_computed_ciphertext[FIPS_DES3_ENCRYPT_LENGTH];
-    PRUint8        des3_computed_plaintext[FIPS_DES3_DECRYPT_LENGTH];
-    DESContext *   des3_context;
-    unsigned int   des3_bytes_encrypted;
-    unsigned int   des3_bytes_decrypted;
-    SECStatus      des3_status;
-
-
-    /*******************************************************/
-    /* DES3-ECB Single-Round Known Answer Encryption Test. */
-    /*******************************************************/
-
-    des3_context = DES_CreateContext( des3_known_key, NULL,
-                                     NSS_DES_EDE3, PR_TRUE );
-
-    if( des3_context == NULL )
-        return( CKR_HOST_MEMORY );
-
-    des3_status = DES_Encrypt( des3_context, des3_computed_ciphertext,
-                               &des3_bytes_encrypted, FIPS_DES3_ENCRYPT_LENGTH,
-                               des3_ecb_known_plaintext,
-                               FIPS_DES3_DECRYPT_LENGTH );
-
-    DES_DestroyContext( des3_context, PR_TRUE );
-
-    if( ( des3_status != SECSuccess ) ||
-        ( des3_bytes_encrypted != FIPS_DES3_ENCRYPT_LENGTH ) ||
-        ( PORT_Memcmp( des3_computed_ciphertext, des3_ecb_known_ciphertext,
-                       FIPS_DES3_ENCRYPT_LENGTH ) != 0 ) )
-        return( CKR_DEVICE_ERROR );
-
-
-    /*******************************************************/
-    /* DES3-ECB Single-Round Known Answer Decryption Test. */
-    /*******************************************************/
-
-    des3_context = DES_CreateContext( des3_known_key, NULL,
-                                     NSS_DES_EDE3, PR_FALSE );
-
-    if( des3_context == NULL )
-        return( CKR_HOST_MEMORY );
-
-    des3_status = DES_Decrypt( des3_context, des3_computed_plaintext,
-                               &des3_bytes_decrypted, FIPS_DES3_DECRYPT_LENGTH,
-                               des3_ecb_known_ciphertext,
-                               FIPS_DES3_ENCRYPT_LENGTH );
-
-    DES_DestroyContext( des3_context, PR_TRUE );
-
-    if( ( des3_status != SECSuccess ) ||
-        ( des3_bytes_decrypted != FIPS_DES3_DECRYPT_LENGTH ) ||
-        ( PORT_Memcmp( des3_computed_plaintext, des3_ecb_known_plaintext,
-                       FIPS_DES3_DECRYPT_LENGTH ) != 0 ) )
-        return( CKR_DEVICE_ERROR );
-
-
-    /*******************************************************/
-    /* DES3-CBC Single-Round Known Answer Encryption Test. */
-    /*******************************************************/
-
-    des3_context = DES_CreateContext( des3_known_key,
-                                      des3_cbc_known_initialization_vector,
-                                      NSS_DES_EDE3_CBC, PR_TRUE );
-
-    if( des3_context == NULL )
-        return( CKR_HOST_MEMORY );
-
-    des3_status = DES_Encrypt( des3_context, des3_computed_ciphertext,
-                               &des3_bytes_encrypted, FIPS_DES3_ENCRYPT_LENGTH,
-                               des3_cbc_known_plaintext,
-                               FIPS_DES3_DECRYPT_LENGTH );
-
-    DES_DestroyContext( des3_context, PR_TRUE );
-
-    if( ( des3_status != SECSuccess ) ||
-        ( des3_bytes_encrypted != FIPS_DES3_ENCRYPT_LENGTH ) ||
-        ( PORT_Memcmp( des3_computed_ciphertext, des3_cbc_known_ciphertext,
-                       FIPS_DES3_ENCRYPT_LENGTH ) != 0 ) )
-        return( CKR_DEVICE_ERROR );
-
-
-    /*******************************************************/
-    /* DES3-CBC Single-Round Known Answer Decryption Test. */
-    /*******************************************************/
-
-    des3_context = DES_CreateContext( des3_known_key,
-                                      des3_cbc_known_initialization_vector,
-                                      NSS_DES_EDE3_CBC, PR_FALSE );
-
-    if( des3_context == NULL )
-        return( CKR_HOST_MEMORY );
-
-    des3_status = DES_Decrypt( des3_context, des3_computed_plaintext,
-                               &des3_bytes_decrypted, FIPS_DES3_DECRYPT_LENGTH,
-                               des3_cbc_known_ciphertext,
-                               FIPS_DES3_ENCRYPT_LENGTH );
-
-    DES_DestroyContext( des3_context, PR_TRUE );
-
-    if( ( des3_status != SECSuccess ) ||
-        ( des3_bytes_decrypted != FIPS_DES3_DECRYPT_LENGTH ) ||
-        ( PORT_Memcmp( des3_computed_plaintext, des3_cbc_known_plaintext,
-                       FIPS_DES3_DECRYPT_LENGTH ) != 0 ) )
-        return( CKR_DEVICE_ERROR );
-
-    return( CKR_OK );
-}
-
-
-/* AES self-test for 128-bit, 192-bit, or 256-bit key sizes*/
-static CK_RV
-sftk_fips_AES_PowerUpSelfTest( int aes_key_size )
-{
-    /* AES Known Key (up to 256-bits). */
-    static const PRUint8 aes_known_key[] = 
-        { "AES-128 RIJNDAELLEADNJIR 821-SEA" };
-
-    /* AES-CBC Known Initialization Vector (128-bits). */
-    static const PRUint8 aes_cbc_known_initialization_vector[] = 
-        { "SecurityytiruceS" };
-
-    /* AES Known Plaintext (128-bits). (blocksize is 128-bits) */
-    static const PRUint8 aes_known_plaintext[] = { "NetscapeepacsteN" };
-
-    /* AES Known Ciphertext (128-bit key). */
-    static const PRUint8 aes_ecb128_known_ciphertext[] = {
-        0x3c,0xa5,0x96,0xf3,0x34,0x6a,0x96,0xc1,
-        0x03,0x88,0x16,0x7b,0x20,0xbf,0x35,0x47 };
-
-    static const PRUint8 aes_cbc128_known_ciphertext[]  = {
-        0xcf,0x15,0x1d,0x4f,0x96,0xe4,0x4f,0x63,
-        0x15,0x54,0x14,0x1d,0x4e,0xd8,0xd5,0xea };
-
-    /* AES Known Ciphertext (192-bit key). */
-    static const PRUint8 aes_ecb192_known_ciphertext[] = { 
-        0xa0,0x18,0x62,0xed,0x88,0x19,0xcb,0x62,
-        0x88,0x1d,0x4d,0xfe,0x84,0x02,0x89,0x0e };
-
-    static const PRUint8 aes_cbc192_known_ciphertext[]  = { 
-        0x83,0xf7,0xa4,0x76,0xd1,0x6f,0x07,0xbe,
-        0x07,0xbc,0x43,0x2f,0x6d,0xad,0x29,0xe1 };
-
-    /* AES Known Ciphertext (256-bit key). */
-    static const PRUint8 aes_ecb256_known_ciphertext[] = { 
-        0xdb,0xa6,0x52,0x01,0x8a,0x70,0xae,0x66,
-        0x3a,0x99,0xd8,0x95,0x7f,0xfb,0x01,0x67 };
-    
-    static const PRUint8 aes_cbc256_known_ciphertext[]  = { 
-        0x37,0xea,0x07,0x06,0x31,0x1c,0x59,0x27,
-        0xc5,0xc5,0x68,0x71,0x6e,0x34,0x40,0x16 };
-
-    const PRUint8 *aes_ecb_known_ciphertext =
-        ( aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_ecb128_known_ciphertext :
-        ( aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_ecb192_known_ciphertext :
-                                aes_ecb256_known_ciphertext;
-
-    const PRUint8 *aes_cbc_known_ciphertext =
-        ( aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_cbc128_known_ciphertext :
-        ( aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_cbc192_known_ciphertext :
-                                aes_cbc256_known_ciphertext;
-
-    /* AES variables. */
-    PRUint8        aes_computed_ciphertext[FIPS_AES_ENCRYPT_LENGTH];
-    PRUint8        aes_computed_plaintext[FIPS_AES_DECRYPT_LENGTH];
-    AESContext *   aes_context;
-    unsigned int   aes_bytes_encrypted;
-    unsigned int   aes_bytes_decrypted;
-    SECStatus      aes_status;
-
-    /*check if aes_key_size is 128, 192, or 256 bits */
-    if ((aes_key_size != FIPS_AES_128_KEY_SIZE) && 
-        (aes_key_size != FIPS_AES_192_KEY_SIZE) && 
-        (aes_key_size != FIPS_AES_256_KEY_SIZE)) 
-            return( CKR_DEVICE_ERROR );
-
-    /******************************************************/
-    /* AES-ECB Single-Round Known Answer Encryption Test: */
-    /******************************************************/
-
-    aes_context = AES_CreateContext( aes_known_key, NULL, NSS_AES, PR_TRUE,
-                                     aes_key_size, FIPS_AES_BLOCK_SIZE );
-
-    if( aes_context == NULL )
-        return( CKR_HOST_MEMORY );
-
-    aes_status = AES_Encrypt( aes_context, aes_computed_ciphertext,
-                              &aes_bytes_encrypted, FIPS_AES_ENCRYPT_LENGTH,
-                              aes_known_plaintext,
-                              FIPS_AES_DECRYPT_LENGTH );
-    
-    AES_DestroyContext( aes_context, PR_TRUE );
-
-    if( ( aes_status != SECSuccess ) ||
-        ( aes_bytes_encrypted != FIPS_AES_ENCRYPT_LENGTH ) ||
-        ( PORT_Memcmp( aes_computed_ciphertext, aes_ecb_known_ciphertext,
-                       FIPS_AES_ENCRYPT_LENGTH ) != 0 ) )
-        return( CKR_DEVICE_ERROR );
-
-
-    /******************************************************/
-    /* AES-ECB Single-Round Known Answer Decryption Test: */
-    /******************************************************/
-
-    aes_context = AES_CreateContext( aes_known_key, NULL, NSS_AES, PR_FALSE,
-                                     aes_key_size, FIPS_AES_BLOCK_SIZE );
-
-    if( aes_context == NULL )
-        return( CKR_HOST_MEMORY );
-
-    aes_status = AES_Decrypt( aes_context, aes_computed_plaintext,
-                              &aes_bytes_decrypted, FIPS_AES_DECRYPT_LENGTH,
-                              aes_ecb_known_ciphertext,
-                              FIPS_AES_ENCRYPT_LENGTH );
-
-    AES_DestroyContext( aes_context, PR_TRUE );
-
-    if( ( aes_status != SECSuccess ) ||         
-        ( aes_bytes_decrypted != FIPS_AES_DECRYPT_LENGTH ) ||
-        ( PORT_Memcmp( aes_computed_plaintext, aes_known_plaintext,
-                       FIPS_AES_DECRYPT_LENGTH ) != 0 ) )
-        return( CKR_DEVICE_ERROR );
-
-
-    /******************************************************/
-    /* AES-CBC Single-Round Known Answer Encryption Test. */
-    /******************************************************/
-
-    aes_context = AES_CreateContext( aes_known_key,
-                                     aes_cbc_known_initialization_vector,
-                                     NSS_AES_CBC, PR_TRUE, aes_key_size, 
-                                     FIPS_AES_BLOCK_SIZE );
-
-    if( aes_context == NULL )
-        return( CKR_HOST_MEMORY );
-
-    aes_status = AES_Encrypt( aes_context, aes_computed_ciphertext,
-                              &aes_bytes_encrypted, FIPS_AES_ENCRYPT_LENGTH,
-                              aes_known_plaintext,
-                              FIPS_AES_DECRYPT_LENGTH );
-
-    AES_DestroyContext( aes_context, PR_TRUE );
-
-    if( ( aes_status != SECSuccess ) ||
-        ( aes_bytes_encrypted != FIPS_AES_ENCRYPT_LENGTH ) ||
-        ( PORT_Memcmp( aes_computed_ciphertext, aes_cbc_known_ciphertext,
-                       FIPS_AES_ENCRYPT_LENGTH ) != 0 ) )
-        return( CKR_DEVICE_ERROR );
-
-
-    /******************************************************/
-    /* AES-CBC Single-Round Known Answer Decryption Test. */
-    /******************************************************/
-
-    aes_context = AES_CreateContext( aes_known_key,
-                                     aes_cbc_known_initialization_vector,
-                                     NSS_AES_CBC, PR_FALSE, aes_key_size, 
-                                     FIPS_AES_BLOCK_SIZE );
-
-    if( aes_context == NULL )
-        return( CKR_HOST_MEMORY );
-
-    aes_status = AES_Decrypt( aes_context, aes_computed_plaintext,
-                              &aes_bytes_decrypted, FIPS_AES_DECRYPT_LENGTH,
-                              aes_cbc_known_ciphertext,
-                              FIPS_AES_ENCRYPT_LENGTH );
-
-    AES_DestroyContext( aes_context, PR_TRUE );
-
-    if( ( aes_status != SECSuccess ) ||
-        ( aes_bytes_decrypted != FIPS_AES_DECRYPT_LENGTH ) ||
-        ( PORT_Memcmp( aes_computed_plaintext, aes_known_plaintext,
-                       FIPS_AES_DECRYPT_LENGTH ) != 0 ) )
-        return( CKR_DEVICE_ERROR );
-
-    return( CKR_OK );
-}
-
-/* Known Hash Message (512-bits).  Used for all hashes (incl. SHA-N [N>1]). */
-static const PRUint8 known_hash_message[] = {
-  "The test message for the MD2, MD5, and SHA-1 hashing algorithms." };
-
-
-static CK_RV
-sftk_fips_MD2_PowerUpSelfTest( void )
-{
-    /* MD2 Known Digest Message (128-bits). */
-    static const PRUint8 md2_known_digest[]  = {
-                                   0x41,0x5a,0x12,0xb2,0x3f,0x28,0x97,0x17,
-                                   0x0c,0x71,0x4e,0xcc,0x40,0xc8,0x1d,0x1b};
-
-    /* MD2 variables. */
-    MD2Context * md2_context;
-    unsigned int md2_bytes_hashed;
-    PRUint8      md2_computed_digest[MD2_LENGTH];
-
-
-    /***********************************************/
-    /* MD2 Single-Round Known Answer Hashing Test. */
-    /***********************************************/
-
-    md2_context = MD2_NewContext();
-
-    if( md2_context == NULL )
-        return( CKR_HOST_MEMORY );
-
-    MD2_Begin( md2_context );
-
-    MD2_Update( md2_context, known_hash_message,
-                FIPS_KNOWN_HASH_MESSAGE_LENGTH );
-
-    MD2_End( md2_context, md2_computed_digest, &md2_bytes_hashed, MD2_LENGTH );
-
-    MD2_DestroyContext( md2_context , PR_TRUE );
-    
-    if( ( md2_bytes_hashed != MD2_LENGTH ) ||
-        ( PORT_Memcmp( md2_computed_digest, md2_known_digest,
-                       MD2_LENGTH ) != 0 ) )
-        return( CKR_DEVICE_ERROR );
-
-    return( CKR_OK );
-}
-
-
-static CK_RV
-sftk_fips_MD5_PowerUpSelfTest( void )
-{
-    /* MD5 Known Digest Message (128-bits). */
-    static const PRUint8 md5_known_digest[]  = {
-				   0x25,0xc8,0xc0,0x10,0xc5,0x6e,0x68,0x28,
-				   0x28,0xa4,0xa5,0xd2,0x98,0x9a,0xea,0x2d};
-
-    /* MD5 variables. */
-    PRUint8        md5_computed_digest[MD5_LENGTH];
-    SECStatus      md5_status;
-
-
-    /***********************************************/
-    /* MD5 Single-Round Known Answer Hashing Test. */
-    /***********************************************/
-
-    md5_status = MD5_HashBuf( md5_computed_digest, known_hash_message,
-                              FIPS_KNOWN_HASH_MESSAGE_LENGTH );
-
-    if( ( md5_status != SECSuccess ) ||
-        ( PORT_Memcmp( md5_computed_digest, md5_known_digest,
-                       MD5_LENGTH ) != 0 ) )
-        return( CKR_DEVICE_ERROR );
-
-    return( CKR_OK );
-}
-
-/****************************************************/
-/* Single Round HMAC SHA-X test                     */
-/****************************************************/
-static SECStatus
-sftk_fips_HMAC(unsigned char *hmac_computed,
-               const PRUint8 *secret_key,
-               unsigned int secret_key_length,
-               const PRUint8 *message,
-               unsigned int message_length,
-               HASH_HashType hashAlg )
-{
-    SECStatus hmac_status = SECFailure;
-    HMACContext *cx = NULL;
-    SECHashObject *hashObj = NULL;
-    unsigned int bytes_hashed = 0;
-
-    hashObj = (SECHashObject *) HASH_GetRawHashObject(hashAlg);
- 
-    if (!hashObj) 
-        return( SECFailure );
-
-    cx = HMAC_Create(hashObj, secret_key, 
-                     secret_key_length, 
-                     PR_TRUE);  /* PR_TRUE for in FIPS mode */
-
-    if (cx == NULL) 
-        return( SECFailure );
-
-    HMAC_Begin(cx);
-    HMAC_Update(cx, message, message_length);
-    hmac_status = HMAC_Finish(cx, hmac_computed, &bytes_hashed, 
-                              hashObj->length);
-
-    HMAC_Destroy(cx, PR_TRUE);
-
-    return( hmac_status );
-}
-
-static CK_RV
-sftk_fips_HMAC_PowerUpSelfTest( void )
-{
-    static const PRUint8 HMAC_known_secret_key[] = {
-                         "Firefox and ThunderBird are awesome!"};
-
-    static const PRUint8 HMAC_known_secret_key_length 
-                         = sizeof HMAC_known_secret_key;
-
-    /* known SHA1 hmac (20 bytes) */
-    static const PRUint8 known_SHA1_hmac[] = {
-        0xd5, 0x85, 0xf6, 0x5b, 0x39, 0xfa, 0xb9, 0x05, 
-        0x3b, 0x57, 0x1d, 0x61, 0xe7, 0xb8, 0x84, 0x1e, 
-        0x5d, 0x0e, 0x1e, 0x11};
-
-    /* known SHA256 hmac (32 bytes) */
-    static const PRUint8 known_SHA256_hmac[] = {
-        0x05, 0x75, 0x9a, 0x9e, 0x70, 0x5e, 0xe7, 0x44, 
-        0xe2, 0x46, 0x4b, 0x92, 0x22, 0x14, 0x22, 0xe0, 
-        0x1b, 0x92, 0x8a, 0x0c, 0xfe, 0xf5, 0x49, 0xe9, 
-        0xa7, 0x1b, 0x56, 0x7d, 0x1d, 0x29, 0x40, 0x48};        
-
-    /* known SHA384 hmac (48 bytes) */
-    static const PRUint8 known_SHA384_hmac[] = {
-        0xcd, 0x56, 0x14, 0xec, 0x05, 0x53, 0x06, 0x2b,
-        0x7e, 0x9c, 0x8a, 0x18, 0x5e, 0xea, 0xf3, 0x91,
-        0x33, 0xfb, 0x64, 0xf6, 0xe3, 0x9f, 0x89, 0x0b,
-        0xaf, 0xbe, 0x83, 0x4d, 0x3f, 0x3c, 0x43, 0x4d,
-        0x4a, 0x0c, 0x56, 0x98, 0xf8, 0xca, 0xb4, 0xaa,
-        0x9a, 0xf4, 0x0a, 0xaf, 0x4f, 0x69, 0xca, 0x87};
-
-    /* known SHA512 hmac (64 bytes) */
-    static const PRUint8 known_SHA512_hmac[] = {
-        0xf6, 0x0e, 0x97, 0x12, 0x00, 0x67, 0x6e, 0xb9,
-        0x0c, 0xb2, 0x63, 0xf0, 0x60, 0xac, 0x75, 0x62,
-        0x70, 0x95, 0x2a, 0x52, 0x22, 0xee, 0xdd, 0xd2,
-        0x71, 0xb1, 0xe8, 0x26, 0x33, 0xd3, 0x13, 0x27,
-        0xcb, 0xff, 0x44, 0xef, 0x87, 0x97, 0x16, 0xfb,
-        0xd3, 0x0b, 0x48, 0xbe, 0x12, 0x4e, 0xda, 0xb1,
-        0x89, 0x90, 0xfb, 0x06, 0x0c, 0xbe, 0xe5, 0xc4,
-        0xff, 0x24, 0x37, 0x3d, 0xc7, 0xe4, 0xe4, 0x37};
-
-    SECStatus    hmac_status;
-    PRUint8      hmac_computed[HASH_LENGTH_MAX]; 
-
-    /***************************************************/
-    /* HMAC SHA-1 Single-Round Known Answer HMAC Test. */
-    /***************************************************/
-
-    hmac_status = sftk_fips_HMAC(hmac_computed, 
-                                 HMAC_known_secret_key,
-                                 HMAC_known_secret_key_length,
-                                 known_hash_message,
-                                 FIPS_KNOWN_HASH_MESSAGE_LENGTH,
-                                 HASH_AlgSHA1); 
-
-    if( ( hmac_status != SECSuccess ) || 
-        ( PORT_Memcmp( hmac_computed, known_SHA1_hmac,
-                       SHA1_LENGTH ) != 0 ) )
-        return( CKR_DEVICE_ERROR );
-
-    /***************************************************/
-    /* HMAC SHA-256 Single-Round Known Answer Test.    */
-    /***************************************************/
-
-    hmac_status = sftk_fips_HMAC(hmac_computed, 
-                                 HMAC_known_secret_key,
-                                 HMAC_known_secret_key_length,
-                                 known_hash_message,
-                                 FIPS_KNOWN_HASH_MESSAGE_LENGTH,
-                                 HASH_AlgSHA256); 
-
-    if( ( hmac_status != SECSuccess ) || 
-        ( PORT_Memcmp( hmac_computed, known_SHA256_hmac,
-                       SHA256_LENGTH ) != 0 ) )
-        return( CKR_DEVICE_ERROR );
-
-    /***************************************************/
-    /* HMAC SHA-384 Single-Round Known Answer Test.    */
-    /***************************************************/
-
-    hmac_status = sftk_fips_HMAC(hmac_computed,
-                                 HMAC_known_secret_key,
-                                 HMAC_known_secret_key_length,
-                                 known_hash_message,
-                                 FIPS_KNOWN_HASH_MESSAGE_LENGTH,
-                                 HASH_AlgSHA384);
-
-    if( ( hmac_status != SECSuccess ) ||
-        ( PORT_Memcmp( hmac_computed, known_SHA384_hmac,
-                       SHA384_LENGTH ) != 0 ) )
-        return( CKR_DEVICE_ERROR );
-
-    /***************************************************/
-    /* HMAC SHA-512 Single-Round Known Answer Test.    */
-    /***************************************************/
-
-    hmac_status = sftk_fips_HMAC(hmac_computed,
-                                 HMAC_known_secret_key,
-                                 HMAC_known_secret_key_length,
-                                 known_hash_message,
-                                 FIPS_KNOWN_HASH_MESSAGE_LENGTH,
-                                 HASH_AlgSHA512);
-
-    if( ( hmac_status != SECSuccess ) ||
-        ( PORT_Memcmp( hmac_computed, known_SHA512_hmac,
-                       SHA512_LENGTH ) != 0 ) )
-        return( CKR_DEVICE_ERROR );
-
-    return( CKR_OK );
-}
-
-static CK_RV
-sftk_fips_SHA_PowerUpSelfTest( void )
-{
-    /* SHA-1 Known Digest Message (160-bits). */
-    static const PRUint8 sha1_known_digest[] = {
-			       0x0a,0x6d,0x07,0xba,0x1e,0xbd,0x8a,0x1b,
-			       0x72,0xf6,0xc7,0x22,0xf1,0x27,0x9f,0xf0,
-			       0xe0,0x68,0x47,0x7a};
-
-    /* SHA-256 Known Digest Message (256-bits). */
-    static const PRUint8 sha256_known_digest[] = {
-        0x38,0xa9,0xc1,0xf0,0x35,0xf6,0x5d,0x61,
-        0x11,0xd4,0x0b,0xdc,0xce,0x35,0x14,0x8d,
-        0xf2,0xdd,0xaf,0xaf,0xcf,0xb7,0x87,0xe9,
-        0x96,0xa5,0xd2,0x83,0x62,0x46,0x56,0x79};
- 
-    /* SHA-384 Known Digest Message (384-bits). */
-    static const PRUint8 sha384_known_digest[] = {
-        0x11,0xfe,0x1c,0x00,0x89,0x48,0xde,0xb3,
-        0x99,0xee,0x1c,0x18,0xb4,0x10,0xfb,0xfe,
-        0xe3,0xa8,0x2c,0xf3,0x04,0xb0,0x2f,0xc8,
-        0xa3,0xc4,0x5e,0xea,0x7e,0x60,0x48,0x7b,
-        0xce,0x2c,0x62,0xf7,0xbc,0xa7,0xe8,0xa3,
-        0xcf,0x24,0xce,0x9c,0xe2,0x8b,0x09,0x72};
-
-    /* SHA-512 Known Digest Message (512-bits). */
-    static const PRUint8 sha512_known_digest[] = {
-        0xc8,0xb3,0x27,0xf9,0x0b,0x24,0xc8,0xbf,
-        0x4c,0xba,0x33,0x54,0xf2,0x31,0xbf,0xdb,
-        0xab,0xfd,0xb3,0x15,0xd7,0xfa,0x48,0x99,
-        0x07,0x60,0x0f,0x57,0x41,0x1a,0xdd,0x28,
-        0x12,0x55,0x25,0xac,0xba,0x3a,0x99,0x12,
-        0x2c,0x7a,0x8f,0x75,0x3a,0xe1,0x06,0x6f,
-        0x30,0x31,0xc9,0x33,0xc6,0x1b,0x90,0x1a,
-        0x6c,0x98,0x9a,0x87,0xd0,0xb2,0xf8,0x07};
-
-    /* SHA-X variables. */
-    PRUint8        sha_computed_digest[HASH_LENGTH_MAX];
-    SECStatus      sha_status;
-
-    /*************************************************/
-    /* SHA-1 Single-Round Known Answer Hashing Test. */
-    /*************************************************/
-
-    sha_status = SHA1_HashBuf( sha_computed_digest, known_hash_message,
-                                FIPS_KNOWN_HASH_MESSAGE_LENGTH );
- 
-    if( ( sha_status != SECSuccess ) ||
-        ( PORT_Memcmp( sha_computed_digest, sha1_known_digest,
-                       SHA1_LENGTH ) != 0 ) )
-        return( CKR_DEVICE_ERROR );
-
-    /***************************************************/
-    /* SHA-256 Single-Round Known Answer Hashing Test. */
-    /***************************************************/
-
-    sha_status = SHA256_HashBuf( sha_computed_digest, known_hash_message,
-                                FIPS_KNOWN_HASH_MESSAGE_LENGTH );
-
-    if( ( sha_status != SECSuccess ) ||
-        ( PORT_Memcmp( sha_computed_digest, sha256_known_digest,
-                       SHA256_LENGTH ) != 0 ) )
-        return( CKR_DEVICE_ERROR );
-
-    /***************************************************/
-    /* SHA-384 Single-Round Known Answer Hashing Test. */
-    /***************************************************/
-
-    sha_status = SHA384_HashBuf( sha_computed_digest, known_hash_message,
-                                FIPS_KNOWN_HASH_MESSAGE_LENGTH );
-
-    if( ( sha_status != SECSuccess ) ||
-        ( PORT_Memcmp( sha_computed_digest, sha384_known_digest,
-                       SHA384_LENGTH ) != 0 ) )
-        return( CKR_DEVICE_ERROR );
-
-    /***************************************************/
-    /* SHA-512 Single-Round Known Answer Hashing Test. */
-    /***************************************************/
-
-    sha_status = SHA512_HashBuf( sha_computed_digest, known_hash_message,
-                                FIPS_KNOWN_HASH_MESSAGE_LENGTH );
-
-    if( ( sha_status != SECSuccess ) ||
-        ( PORT_Memcmp( sha_computed_digest, sha512_known_digest,
-                       SHA512_LENGTH ) != 0 ) )
-        return( CKR_DEVICE_ERROR );
-
-    return( CKR_OK );
-}
-
-
-static CK_RV
-sftk_fips_RSA_PowerUpSelfTest( void )
-{
-    /* RSA Known Modulus used in both Public/Private Key Values (520-bits). */
-    static const PRUint8 rsa_modulus[FIPS_RSA_MODULUS_LENGTH] = {
-                                 0x00,0xa1,0xe9,0x5e,0x66,0x88,0xe2,0xf2,
-                                 0x2b,0xe7,0x70,0x36,0x33,0xbc,0xeb,0x55,
-                                 0x55,0xf1,0x60,0x18,0x3c,0xfb,0xd2,0x79,
-                                 0xf6,0xc4,0xb8,0x09,0xe3,0x12,0xf6,0x63,
-                                 0x6d,0xc7,0x8e,0x19,0xc0,0x0e,0x10,0x78,
-                                 0xc1,0xfe,0x2a,0x41,0x74,0x2d,0xf7,0xc4,
-                                 0x69,0xa7,0x3c,0xbc,0x8a,0xc8,0x31,0x2b,
-                                 0x4f,0x60,0xf0,0xf1,0xec,0x5a,0x29,0xec,
-                                 0x6b};
-
-    /* RSA Known Public Key Values (8-bits). */
-    static const PRUint8 rsa_public_exponent[] = { 0x03 };
-
-    /* RSA Known Private Key Values (version                 is   8-bits), */
-    /*                              (private exponent        is 512-bits), */
-    /*                              (private prime0          is 264-bits), */
-    /*                              (private prime1          is 264-bits), */
-    /*                              (private prime exponent0 is 264-bits), */
-    /*                              (private prime exponent1 is 264-bits), */
-    /*                          and (private coefficient     is 256-bits). */
-    static const PRUint8 rsa_version[] = { 0x00 };
-    static const PRUint8 rsa_private_exponent[FIPS_RSA_PRIVATE_EXPONENT_LENGTH] = {
-				  0x6b,0xf0,0xe9,0x99,0xb0,0x97,0x4c,0x1d,
-				  0x44,0xf5,0x79,0x77,0xd3,0x47,0x8e,0x39,
-				  0x4b,0x95,0x65,0x7d,0xfd,0x36,0xfb,0xf9,
-				  0xd8,0x7a,0xb1,0x42,0x0c,0xa4,0x42,0x48,
-				  0x20,0x1c,0x6b,0x7d,0x5d,0xa3,0x58,0xd6,
-				  0x95,0xd6,0x41,0xe3,0xd6,0x73,0xad,0xdb,
-				  0x3b,0x89,0x00,0x8a,0xcd,0x1d,0xb9,0x06,
-				  0xac,0xac,0x0e,0x02,0x72,0x1c,0xf8,0xab };
-    static const PRUint8 rsa_prime0[FIPS_RSA_PRIME0_LENGTH]   = {
-				      0x00,0xd2,0x2c,0x9d,0xef,0x7c,0x8f,0x58,
-				      0x93,0x19,0xa1,0x77,0x0e,0x38,0x3e,0x85,
-				      0xb4,0xaf,0xcc,0x99,0xa5,0x43,0xbf,0x97,
-				      0xdc,0x46,0xb8,0x3f,0x6e,0x85,0x18,0x00,
-				      0x81};
-    static const PRUint8 rsa_prime1[FIPS_RSA_PRIME1_LENGTH]   = {
-				      0x00,0xc5,0x36,0xda,0x94,0x85,0x0c,0x1a,
-				      0xed,0x03,0xc7,0x67,0x90,0x34,0x0b,0xb9,
-				      0xec,0x1e,0x22,0xa2,0x15,0x50,0xc4,0xfd,
-				      0xe9,0x17,0x36,0x9d,0x7a,0x29,0xe6,0x76,
-				      0xeb};
-    static const PRUint8 rsa_exponent0[FIPS_RSA_EXPONENT0_LENGTH] = {
-					 0x00,0x8c,0x1d,0xbe,0x9f,0xa8,
-					 0x5f,0x90,0x62,0x11,0x16,0x4f,
-					 0x5e,0xd0,0x29,0xae,0x78,0x75,
-					 0x33,0x11,0x18,0xd7,0xd5,0x0f,
-					 0xe8,0x2f,0x25,0x7f,0x9f,0x03,
-					 0x65,0x55,0xab};
-    static const PRUint8 rsa_exponent1[FIPS_RSA_EXPONENT1_LENGTH] = {
-					 0x00,0x83,0x79,0xe7,0x0d,0xae,
-					 0x08,0x11,0xf3,0x57,0xda,0x45,
-					 0x0a,0xcd,0x5d,0x26,0x9d,0x69,
-					 0x6c,0x6c,0x0e,0x35,0xd8,0xa9,
-					 0x46,0x0f,0x79,0xbe,0x51,0x71,
-					 0x44,0x4f,0x47};
-    static const PRUint8 rsa_coefficient[FIPS_RSA_COEFFICIENT_LENGTH] = {
-					 0x54,0x8d,0xb8,0xdc,0x8b,0xde,0xbb,
-					 0x08,0xc9,0x67,0xb7,0xa9,0x5f,0xa5,
-					 0xc4,0x5e,0x67,0xaa,0xfe,0x1a,0x08,
-					 0xeb,0x48,0x43,0xcb,0xb0,0xb9,0x38,
-					 0x3a,0x31,0x39,0xde};
-
-
-    /* RSA Known Plaintext (512-bits). */
-    static const PRUint8 rsa_known_plaintext[] = {
-                                         "Known plaintext utilized for RSA"
-                                         " Encryption and Decryption test." };
-
-    /* RSA Known Ciphertext (512-bits). */
-    static const PRUint8 rsa_known_ciphertext[] = {
-				      0x12,0x80,0x3a,0x53,0xee,0x93,0x81,0xa5,
-				      0xf7,0x40,0xc5,0xb1,0xef,0xd9,0x27,0xaf,
-				      0xef,0x4b,0x87,0x44,0x00,0xd0,0xda,0xcf,
-				      0x10,0x57,0x4c,0xd5,0xc3,0xed,0x84,0xdc,
-				      0x74,0x03,0x19,0x69,0x2c,0xd6,0x54,0x3e,
-				      0xd2,0xe3,0x90,0xb6,0x67,0x91,0x2f,0x1f,
-				      0x54,0x13,0x99,0x00,0x0b,0xfd,0x52,0x7f,
-				      0xd8,0xc6,0xdb,0x8a,0xfe,0x06,0xf3,0xb1};
-
-    /* RSA Known Message (128-bits). */
-    static const PRUint8 rsa_known_message[]  = { "Netscape Forever" };
-
-    /* RSA Known Signed Hash (512-bits). */
-    static const PRUint8 rsa_known_signature[] = {
-				     0x27,0x23,0xa6,0x71,0x57,0xc8,0x70,0x5f,
-				     0x70,0x0e,0x06,0x7b,0x96,0x6a,0xaa,0x41,
-				     0x6e,0xab,0x67,0x4b,0x5f,0x76,0xc4,0x53,
-				     0x23,0xd7,0x57,0x7a,0x3a,0xbc,0x4c,0x27,
-				     0x65,0xca,0xde,0x9f,0xd3,0x1d,0xa4,0x5a,
-				     0xf9,0x8f,0xb2,0x05,0xa3,0x86,0xf9,0x66,
-				     0x55,0x4c,0x68,0x50,0x66,0xa4,0xe9,0x17,
-				     0x45,0x11,0xb8,0x1a,0xfc,0xbc,0x79,0x3b};
-
-
-    static const RSAPublicKey    bl_public_key = { NULL, 
-      { FIPS_RSA_TYPE, (unsigned char *)rsa_modulus,         FIPS_RSA_MODULUS_LENGTH },
-      { FIPS_RSA_TYPE, (unsigned char *)rsa_public_exponent, FIPS_RSA_PUBLIC_EXPONENT_LENGTH }
-    };
-    static const RSAPrivateKey   bl_private_key = { NULL,
-      { FIPS_RSA_TYPE, (unsigned char *)rsa_version,          FIPS_RSA_PRIVATE_VERSION_LENGTH },
-      { FIPS_RSA_TYPE, (unsigned char *)rsa_modulus,          FIPS_RSA_MODULUS_LENGTH },
-      { FIPS_RSA_TYPE, (unsigned char *)rsa_public_exponent,  FIPS_RSA_PUBLIC_EXPONENT_LENGTH },
-      { FIPS_RSA_TYPE, (unsigned char *)rsa_private_exponent, FIPS_RSA_PRIVATE_EXPONENT_LENGTH },
-      { FIPS_RSA_TYPE, (unsigned char *)rsa_prime0,           FIPS_RSA_PRIME0_LENGTH },
-      { FIPS_RSA_TYPE, (unsigned char *)rsa_prime1,           FIPS_RSA_PRIME1_LENGTH },
-      { FIPS_RSA_TYPE, (unsigned char *)rsa_exponent0,        FIPS_RSA_EXPONENT0_LENGTH },
-      { FIPS_RSA_TYPE, (unsigned char *)rsa_exponent1,        FIPS_RSA_EXPONENT1_LENGTH },
-      { FIPS_RSA_TYPE, (unsigned char *)rsa_coefficient,      FIPS_RSA_COEFFICIENT_LENGTH }
-    };
-
-    /* RSA variables. */
-#ifdef CREATE_TEMP_ARENAS
-    PLArenaPool *         rsa_public_arena;
-    PLArenaPool *         rsa_private_arena;
-#endif
-    NSSLOWKEYPublicKey *  rsa_public_key;
-    NSSLOWKEYPrivateKey * rsa_private_key;
-    unsigned int          rsa_bytes_signed;
-    SECStatus             rsa_status;
-
-    NSSLOWKEYPublicKey    low_public_key   = { NULL, NSSLOWKEYRSAKey, };
-    NSSLOWKEYPrivateKey   low_private_key  = { NULL, NSSLOWKEYRSAKey, };
-    PRUint8               rsa_computed_ciphertext[FIPS_RSA_ENCRYPT_LENGTH];
-    PRUint8               rsa_computed_plaintext[FIPS_RSA_DECRYPT_LENGTH];
-    PRUint8               rsa_computed_signature[FIPS_RSA_SIGNATURE_LENGTH];
-
-    /****************************************/
-    /* Compose RSA Public/Private Key Pair. */
-    /****************************************/
-
-    low_public_key.u.rsa  = bl_public_key;
-    low_private_key.u.rsa = bl_private_key;
-
-    rsa_public_key  = &low_public_key;
-    rsa_private_key = &low_private_key;
-
-#ifdef CREATE_TEMP_ARENAS
-    /* Create some space for the RSA public key. */
-    rsa_public_arena = PORT_NewArena( NSS_SOFTOKEN_DEFAULT_CHUNKSIZE );
-
-    if( rsa_public_arena == NULL ) {
-        PORT_SetError( SEC_ERROR_NO_MEMORY );
-        return( CKR_HOST_MEMORY );
-    }
-
-    /* Create some space for the RSA private key. */
-    rsa_private_arena = PORT_NewArena( NSS_SOFTOKEN_DEFAULT_CHUNKSIZE );
-
-    if( rsa_private_arena == NULL ) {
-        PORT_FreeArena( rsa_public_arena, PR_TRUE );
-        PORT_SetError( SEC_ERROR_NO_MEMORY );
-        return( CKR_HOST_MEMORY );
-    }
-
-    rsa_public_key->arena = rsa_public_arena;
-    rsa_private_key->arena = rsa_private_arena;
-#endif
-
-    /**************************************************/
-    /* RSA Single-Round Known Answer Encryption Test. */
-    /**************************************************/
-
-    /* Perform RSA Public Key Encryption. */
-    rsa_status = RSA_PublicKeyOp(&rsa_public_key->u.rsa, 
-                                 rsa_computed_ciphertext, rsa_known_plaintext);
-
-    if( ( rsa_status != SECSuccess ) ||
-        ( PORT_Memcmp( rsa_computed_ciphertext, rsa_known_ciphertext,
-                       FIPS_RSA_ENCRYPT_LENGTH ) != 0 ) )
-        goto rsa_loser;
-
-    /**************************************************/
-    /* RSA Single-Round Known Answer Decryption Test. */
-    /**************************************************/
-
-    /* Perform RSA Private Key Decryption. */
-    rsa_status = RSA_PrivateKeyOp(&rsa_private_key->u.rsa, 
-                                  rsa_computed_plaintext, rsa_known_ciphertext);
-
-    if( ( rsa_status != SECSuccess ) ||
-        ( PORT_Memcmp( rsa_computed_plaintext, rsa_known_plaintext,
-                       FIPS_RSA_DECRYPT_LENGTH ) != 0 ) )
-        goto rsa_loser;
-
-
-    /*************************************************/
-    /* RSA Single-Round Known Answer Signature Test. */
-    /*************************************************/
-
-    /* Perform RSA signature with the RSA private key. */
-    rsa_status = RSA_Sign( rsa_private_key, rsa_computed_signature,
-                           &rsa_bytes_signed,
-                           FIPS_RSA_SIGNATURE_LENGTH, 
-                           (unsigned char *)rsa_known_message,
-                           FIPS_RSA_MESSAGE_LENGTH );
-
-    if( ( rsa_status != SECSuccess ) ||
-        ( rsa_bytes_signed != FIPS_RSA_SIGNATURE_LENGTH ) ||
-        ( PORT_Memcmp( rsa_computed_signature, rsa_known_signature,
-                       FIPS_RSA_SIGNATURE_LENGTH ) != 0 ) )
-        goto rsa_loser;
-
-
-    /****************************************************/
-    /* RSA Single-Round Known Answer Verification Test. */
-    /****************************************************/
-
-    /* Perform RSA verification with the RSA public key. */
-    rsa_status = RSA_CheckSign( rsa_public_key,
-                                rsa_computed_signature,
-                                FIPS_RSA_SIGNATURE_LENGTH,
-                                (unsigned char *)rsa_known_message,
-                                FIPS_RSA_MESSAGE_LENGTH );
-
-    if( rsa_status != SECSuccess )
-        goto rsa_loser;
-
-    /* Dispose of all RSA key material. */
-    nsslowkey_DestroyPublicKey( rsa_public_key );
-    nsslowkey_DestroyPrivateKey( rsa_private_key );
-
-    return( CKR_OK );
-
-
-rsa_loser:
-
-    nsslowkey_DestroyPublicKey( rsa_public_key );
-    nsslowkey_DestroyPrivateKey( rsa_private_key );
-
-    return( CKR_DEVICE_ERROR );
-}
-
-
-static CK_RV
-sftk_fips_DSA_PowerUpSelfTest( void )
-{
-    /* DSA Known P (512-bits), Q (160-bits), and G (512-bits) Values. */
-    static const PRUint8 dsa_P[] = {
-                           0x8d,0xf2,0xa4,0x94,0x49,0x22,0x76,0xaa,
-                           0x3d,0x25,0x75,0x9b,0xb0,0x68,0x69,0xcb,
-                           0xea,0xc0,0xd8,0x3a,0xfb,0x8d,0x0c,0xf7,
-                           0xcb,0xb8,0x32,0x4f,0x0d,0x78,0x82,0xe5,
-                           0xd0,0x76,0x2f,0xc5,0xb7,0x21,0x0e,0xaf,
-                           0xc2,0xe9,0xad,0xac,0x32,0xab,0x7a,0xac,
-                           0x49,0x69,0x3d,0xfb,0xf8,0x37,0x24,0xc2,
-                           0xec,0x07,0x36,0xee,0x31,0xc8,0x02,0x91};
-    static const PRUint8 dsa_Q[] = {
-                           0xc7,0x73,0x21,0x8c,0x73,0x7e,0xc8,0xee,
-                           0x99,0x3b,0x4f,0x2d,0xed,0x30,0xf4,0x8e,
-                           0xda,0xce,0x91,0x5f};
-    static const PRUint8 dsa_G[] = {
-                           0x62,0x6d,0x02,0x78,0x39,0xea,0x0a,0x13,
-                           0x41,0x31,0x63,0xa5,0x5b,0x4c,0xb5,0x00,
-                           0x29,0x9d,0x55,0x22,0x95,0x6c,0xef,0xcb,
-                           0x3b,0xff,0x10,0xf3,0x99,0xce,0x2c,0x2e,
-                           0x71,0xcb,0x9d,0xe5,0xfa,0x24,0xba,0xbf,
-                           0x58,0xe5,0xb7,0x95,0x21,0x92,0x5c,0x9c,
-                           0xc4,0x2e,0x9f,0x6f,0x46,0x4b,0x08,0x8c,
-                           0xc5,0x72,0xaf,0x53,0xe6,0xd7,0x88,0x02};
-
-    /* DSA Known Random Values (known random key block       is 160-bits)  */
-    /*                     and (known random signature block is 160-bits). */
-    static const PRUint8 dsa_known_random_key_block[] = {
-                                                      "Mozilla Rules World!"};
-    static const PRUint8 dsa_known_random_signature_block[] = {
-                                                      "Random DSA Signature"};
-
-    /* DSA Known Digest (160-bits) */
-    static const PRUint8 dsa_known_digest[] = { "DSA Signature Digest" };
-
-    /* DSA Known Signature (320-bits). */
-    static const PRUint8 dsa_known_signature[] = {
-			     0x39,0x0d,0x84,0xb1,0xf7,0x52,0x89,0xba,
-			     0xec,0x1e,0xa8,0xe2,0x00,0x8e,0x37,0x8f,
-			     0xc2,0xf5,0xf8,0x70,0x11,0xa8,0xc7,0x02,
-			     0x0e,0x75,0xcf,0x6b,0x54,0x4a,0x52,0xe8,
-			     0xd8,0x6d,0x4a,0xe8,0xee,0x56,0x8e,0x59};
-
-    /* DSA variables. */
-    DSAPrivateKey *        dsa_private_key;
-    SECStatus              dsa_status;
-    SECItem                dsa_signature_item;
-    SECItem                dsa_digest_item;
-    DSAPublicKey           dsa_public_key;
-    PRUint8                dsa_computed_signature[FIPS_DSA_SIGNATURE_LENGTH];
-    static const PQGParams dsa_pqg = { NULL,
-			    { FIPS_DSA_TYPE, (unsigned char *)dsa_P, FIPS_DSA_PRIME_LENGTH },
-			    { FIPS_DSA_TYPE, (unsigned char *)dsa_Q, FIPS_DSA_SUBPRIME_LENGTH },
-			    { FIPS_DSA_TYPE, (unsigned char *)dsa_G, FIPS_DSA_BASE_LENGTH }};
-
-    /*******************************************/
-    /* Generate a DSA public/private key pair. */
-    /*******************************************/
-
-    /* Generate a DSA public/private key pair. */
-
-    dsa_status = DSA_NewKeyFromSeed(&dsa_pqg, dsa_known_random_key_block,
-                                    &dsa_private_key);
-
-    if( dsa_status != SECSuccess )
-	return( CKR_HOST_MEMORY );
-
-    /* construct public key from private key. */
-    dsa_public_key.params      = dsa_private_key->params;
-    dsa_public_key.publicValue = dsa_private_key->publicValue;
-
-    /*************************************************/
-    /* DSA Single-Round Known Answer Signature Test. */
-    /*************************************************/
-
-    dsa_signature_item.data = dsa_computed_signature;
-    dsa_signature_item.len  = sizeof dsa_computed_signature;
-
-    dsa_digest_item.data    = (unsigned char *)dsa_known_digest;
-    dsa_digest_item.len     = SHA1_LENGTH;
-
-    /* Perform DSA signature process. */
-    dsa_status = DSA_SignDigestWithSeed( dsa_private_key, 
-                                         &dsa_signature_item,
-					 &dsa_digest_item,
-					 dsa_known_random_signature_block );
-
-    if( ( dsa_status != SECSuccess ) ||
-        ( dsa_signature_item.len != FIPS_DSA_SIGNATURE_LENGTH ) ||
-        ( PORT_Memcmp( dsa_computed_signature, dsa_known_signature,
-                       FIPS_DSA_SIGNATURE_LENGTH ) != 0 ) ) {
-        dsa_status = SECFailure;
-    } else {
-
-    /****************************************************/
-    /* DSA Single-Round Known Answer Verification Test. */
-    /****************************************************/
-
-    /* Perform DSA verification process. */
-    dsa_status = DSA_VerifyDigest( &dsa_public_key, 
-                                   &dsa_signature_item,
-				   &dsa_digest_item);
-    }
-
-    PORT_FreeArena(dsa_private_key->params.arena, PR_TRUE);
-    /* Don't free public key, it uses same arena as private key */
-
-    /* Verify DSA signature. */
-    if( dsa_status != SECSuccess )
-        return( CKR_DEVICE_ERROR );
-
-    return( CKR_OK );
-
-
-}
-
-
-CK_RV
-sftk_fipsPowerUpSelfTest( void )
-{
-    CK_RV rv;
-
-    /* RC2 Power-Up SelfTest(s). */
-    rv = sftk_fips_RC2_PowerUpSelfTest();
-
-    if( rv != CKR_OK )
-        return rv;
-
-    /* RC4 Power-Up SelfTest(s). */
-    rv = sftk_fips_RC4_PowerUpSelfTest();
-
-    if( rv != CKR_OK )
-        return rv;
-
-    /* DES Power-Up SelfTest(s). */
-    rv = sftk_fips_DES_PowerUpSelfTest();
-
-    if( rv != CKR_OK )
-        return rv;
-
-    /* DES3 Power-Up SelfTest(s). */
-    rv = sftk_fips_DES3_PowerUpSelfTest();
-
-    if( rv != CKR_OK )
-        return rv;
- 
-    /* AES Power-Up SelfTest(s) for 128-bit key. */
-    rv = sftk_fips_AES_PowerUpSelfTest(FIPS_AES_128_KEY_SIZE);
-
-    if( rv != CKR_OK )
-        return rv;
-
-    /* AES Power-Up SelfTest(s) for 192-bit key. */
-    rv = sftk_fips_AES_PowerUpSelfTest(FIPS_AES_192_KEY_SIZE);
-
-    if( rv != CKR_OK )
-        return rv;
-
-    /* AES Power-Up SelfTest(s) for 256-bit key. */
-    rv = sftk_fips_AES_PowerUpSelfTest(FIPS_AES_256_KEY_SIZE);
-
-    if( rv != CKR_OK )
-        return rv;
-
-    /* MD2 Power-Up SelfTest(s). */
-    rv = sftk_fips_MD2_PowerUpSelfTest();
-
-    if( rv != CKR_OK )
-        return rv;
-
-    /* MD5 Power-Up SelfTest(s). */
-    rv = sftk_fips_MD5_PowerUpSelfTest();
-
-    if( rv != CKR_OK )
-        return rv;
-
-    /* SHA-X Power-Up SelfTest(s). */
-    rv = sftk_fips_SHA_PowerUpSelfTest();
-
-    if( rv != CKR_OK )
-        return rv;
-
-    /* HMAC SHA-X Power-Up SelfTest(s). */
-    rv = sftk_fips_HMAC_PowerUpSelfTest();
- 
-    if( rv != CKR_OK )
-        return rv;
-
-    /* RSA Power-Up SelfTest(s). */
-    rv = sftk_fips_RSA_PowerUpSelfTest();
-
-    if( rv != CKR_OK )
-        return rv;
-
-    /* DSA Power-Up SelfTest(s). */
-    rv = sftk_fips_DSA_PowerUpSelfTest();
-
-    if( rv != CKR_OK )
-        return rv;
-
-    /* Passed Power-Up SelfTest(s). */
-    return( CKR_OK );
-}
-
diff --git a/security/nss/lib/softoken/fipstokn.c b/security/nss/lib/softoken/fipstokn.c
deleted file mode 100644
index 9ef144cb8..000000000
--- a/security/nss/lib/softoken/fipstokn.c
+++ /dev/null
@@ -1,1102 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * This file implements PKCS 11 on top of our existing security modules
- *
- * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
- *   This implementation has two slots:
- *	slot 1 is our generic crypto support. It does not require login
- *   (unless you've enabled FIPS). It supports Public Key ops, and all they
- *   bulk ciphers and hashes. It can also support Private Key ops for imported
- *   Private keys. It does not have any token storage.
- *	slot 2 is our private key support. It requires a login before use. It
- *   can store Private Keys and Certs as token objects. Currently only private
- *   keys and their associated Certificates are saved on the token.
- *
- *   In this implementation, session objects are only visible to the session
- *   that created or generated them.
- */
-#include "seccomon.h"
-#include "softoken.h"
-#include "lowkeyi.h"
-#include "pcert.h"
-#include "pkcs11.h"
-#include "pkcs11i.h"
-
-#include <ctype.h>
-
-
-/*
- * ******************** Password Utilities *******************************
- */
-static PRBool isLoggedIn = PR_FALSE;
-static PRBool fatalError = PR_FALSE;
-
-/*
- * This function returns
- *   - CKR_PIN_INVALID if the password/PIN is not a legal UTF8 string
- *   - CKR_PIN_LEN_RANGE if the password/PIN is too short or does not
- *     consist of characters from three or more character classes.
- *   - CKR_OK otherwise
- *
- * The minimum password/PIN length is FIPS_MIN_PIN Unicode characters.
- * We define five character classes: digits (0-9), ASCII lowercase letters,
- * ASCII uppercase letters, ASCII non-alphanumeric characters (such as
- * space and punctuation marks), and non-ASCII characters.  If an ASCII
- * uppercase letter is the first character of the password/PIN, the
- * uppercase letter is not counted toward its character class.  Similarly,
- * if a digit is the last character of the password/PIN, the digit is not
- * counted toward its character class.
- *
- * Although NSC_SetPIN and NSC_InitPIN already do the maximum and minimum
- * password/PIN length checks, they check the length in bytes as opposed
- * to characters.  To meet the minimum password/PIN guessing probability
- * requirements in FIPS 140-2, we need to check the length in characters.
- */
-static CK_RV sftk_newPinCheck(CK_CHAR_PTR pPin, CK_ULONG ulPinLen) {
-    unsigned int i;
-    int nchar = 0;      /* number of characters */
-    int ntrail = 0;     /* number of trailing bytes to follow */
-    int ndigit = 0;     /* number of decimal digits */
-    int nlower = 0;     /* number of ASCII lowercase letters */
-    int nupper = 0;     /* number of ASCII uppercase letters */
-    int nnonalnum = 0;  /* number of ASCII non-alphanumeric characters */
-    int nnonascii = 0;  /* number of non-ASCII characters */
-    int nclass;         /* number of character classes */
-
-    for (i = 0; i < ulPinLen; i++) {
-	unsigned int byte = pPin[i];
-
-	if (ntrail) {
-	    if ((byte & 0xc0) != 0x80) {
-		/* illegal */
-		nchar = -1;
-		break;
-	    }
-	    if (--ntrail == 0) {
-		nchar++;
-		nnonascii++;
-	    }
-	    continue;
-	}
-	if ((byte & 0x80) == 0x00) {
-	    /* single-byte (ASCII) character */
-	    nchar++;
-	    if (isdigit(byte)) {
-		if (i < ulPinLen - 1) {
-		    ndigit++;
-		}
-	    } else if (islower(byte)) {
-		nlower++;
-	    } else if (isupper(byte)) {
-		if (i > 0) {
-		    nupper++;
-		}
-	    } else {
-		nnonalnum++;
-	    }
-	} else if ((byte & 0xe0) == 0xc0) {
-	    /* leading byte of two-byte character */
-	    ntrail = 1;
-	} else if ((byte & 0xf0) == 0xe0) {
-	    /* leading byte of three-byte character */
-	    ntrail = 2;
-	} else if ((byte & 0xf8) == 0xf0) {
-	    /* leading byte of four-byte character */
-	    ntrail = 3;
-	} else {
-	    /* illegal */
-	    nchar = -1;
-	    break;
-	}
-    }
-    if (nchar == -1) {
-	/* illegal UTF8 string */
-	return CKR_PIN_INVALID;
-    }
-    if (nchar < FIPS_MIN_PIN) {
-	return CKR_PIN_LEN_RANGE;
-    }
-    nclass = (ndigit != 0) + (nlower != 0) + (nupper != 0) +
-	     (nnonalnum != 0) + (nnonascii != 0);
-    if (nclass < 3) {
-	return CKR_PIN_LEN_RANGE;
-    }
-    return CKR_OK;
-}
-
-
-/* FIPS required checks before any useful cryptographic services */
-static CK_RV sftk_fipsCheck(void) {
-    if (isLoggedIn != PR_TRUE) 
-	return CKR_USER_NOT_LOGGED_IN;
-    if (fatalError) 
-	return CKR_DEVICE_ERROR;
-    return CKR_OK;
-}
-
-
-#define SFTK_FIPSCHECK() \
-    CK_RV rv; \
-    if ((rv = sftk_fipsCheck()) != CKR_OK) return rv;
-
-#define SFTK_FIPSFATALCHECK() \
-    if (fatalError) return CKR_DEVICE_ERROR;
-
-
-/* grab an attribute out of a raw template */
-void *
-fc_getAttribute(CK_ATTRIBUTE_PTR pTemplate, 
-				CK_ULONG ulCount, CK_ATTRIBUTE_TYPE type)
-{
-    int i;
-
-    for (i=0; i < (int) ulCount; i++) {
-	if (pTemplate[i].type == type) {
-	    return pTemplate[i].pValue;
-	}
-    }
-    return NULL;
-}
-
-
-#define __PASTE(x,y)	x##y
-
-/* ------------- forward declare all the NSC_ functions ------------- */
-#undef CK_NEED_ARG_LIST
-#undef CK_PKCS11_FUNCTION_INFO
-
-#define CK_PKCS11_FUNCTION_INFO(name) CK_RV __PASTE(NS,name)
-#define CK_NEED_ARG_LIST 1
-
-#include "pkcs11f.h"
-
-/* ------------- forward declare all the FIPS functions ------------- */
-#undef CK_NEED_ARG_LIST
-#undef CK_PKCS11_FUNCTION_INFO
-
-#define CK_PKCS11_FUNCTION_INFO(name) CK_RV __PASTE(F,name)
-#define CK_NEED_ARG_LIST 1
-
-#include "pkcs11f.h"
-
-/* ------------- build the CK_CRYPTO_TABLE ------------------------- */
-static CK_FUNCTION_LIST sftk_fipsTable = {
-    { 1, 10 },
-
-#undef CK_NEED_ARG_LIST
-#undef CK_PKCS11_FUNCTION_INFO
-
-#define CK_PKCS11_FUNCTION_INFO(name) __PASTE(F,name),
-
-
-#include "pkcs11f.h"
-
-};
-
-#undef CK_NEED_ARG_LIST
-#undef CK_PKCS11_FUNCTION_INFO
-
-
-#undef __PASTE
-
-static CK_RV
-fips_login_if_key_object(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject)
-{
-    CK_RV rv;
-    CK_OBJECT_CLASS objClass;
-    CK_ATTRIBUTE class; 
-    class.type = CKA_CLASS;
-    class.pValue = &objClass;
-    class.ulValueLen = sizeof(objClass);
-    rv = NSC_GetAttributeValue(hSession, hObject, &class, 1);
-    if (rv == CKR_OK) {
-	if ((objClass == CKO_PRIVATE_KEY) || (objClass == CKO_SECRET_KEY)) {
-	    rv = sftk_fipsCheck();
-	}
-    }
-    return rv;
-}
-
-
-/**********************************************************************
- *
- *     Start of PKCS 11 functions 
- *
- **********************************************************************/
-/* return the function list */
-CK_RV FC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList) {
-    *pFunctionList = &sftk_fipsTable;
-    return CKR_OK;
-}
-
-/* sigh global so pkcs11 can read it */
-PRBool nsf_init = PR_FALSE;
-
-/* FC_Initialize initializes the PKCS #11 library. */
-CK_RV FC_Initialize(CK_VOID_PTR pReserved) {
-    CK_RV crv;
-
-    if (nsf_init) {
-	return CKR_CRYPTOKI_ALREADY_INITIALIZED;
-    }
-
-    crv = nsc_CommonInitialize(pReserved, PR_TRUE);
-
-    /* not an 'else' rv can be set by either SFTK_LowInit or SFTK_SlotInit*/
-    if (crv != CKR_OK) {
-	fatalError = PR_TRUE;
-	return crv;
-    }
-
-    fatalError = PR_FALSE; /* any error has been reset */
-
-    crv = sftk_fipsPowerUpSelfTest();
-    if (crv != CKR_OK) {
-        nsc_CommonFinalize(NULL, PR_TRUE);
-	fatalError = PR_TRUE;
-	return crv;
-    }
-    nsf_init = PR_TRUE;
-
-    return CKR_OK;
-}
-
-/*FC_Finalize indicates that an application is done with the PKCS #11 library.*/
-CK_RV FC_Finalize (CK_VOID_PTR pReserved) {
-   CK_RV crv;
-   if (!nsf_init) {
-      return CKR_OK;
-   }
-   crv = nsc_CommonFinalize (pReserved, PR_TRUE);
-   nsf_init = (PRBool) !(crv == CKR_OK);
-   return crv;
-}
-
-
-/* FC_GetInfo returns general information about PKCS #11. */
-CK_RV  FC_GetInfo(CK_INFO_PTR pInfo) {
-    return NSC_GetInfo(pInfo);
-}
-
-/* FC_GetSlotList obtains a list of slots in the system. */
-CK_RV FC_GetSlotList(CK_BBOOL tokenPresent,
-	 		CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount) {
-    return nsc_CommonGetSlotList(tokenPresent,pSlotList,pulCount,
-							 NSC_FIPS_MODULE);
-}
-	
-/* FC_GetSlotInfo obtains information about a particular slot in the system. */
-CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
-
-    CK_RV crv;
-
-    crv = NSC_GetSlotInfo(slotID,pInfo);
-    if (crv != CKR_OK) {
-	return crv;
-    }
-
-    return CKR_OK;
-}
-
-
-/*FC_GetTokenInfo obtains information about a particular token in the system.*/
- CK_RV FC_GetTokenInfo(CK_SLOT_ID slotID,CK_TOKEN_INFO_PTR pInfo) {
-    CK_RV crv;
-
-    crv = NSC_GetTokenInfo(slotID,pInfo);
-    pInfo->flags |= CKF_RNG | CKF_LOGIN_REQUIRED;
-    return crv;
-
-}
-
-
-
-/*FC_GetMechanismList obtains a list of mechanism types supported by a token.*/
- CK_RV FC_GetMechanismList(CK_SLOT_ID slotID,
-	CK_MECHANISM_TYPE_PTR pMechanismList, CK_ULONG_PTR pusCount) {
-    SFTK_FIPSFATALCHECK();
-    if (slotID == FIPS_SLOT_ID) slotID = NETSCAPE_SLOT_ID;
-    /* FIPS Slot supports all functions */
-    return NSC_GetMechanismList(slotID,pMechanismList,pusCount);
-}
-
-
-/* FC_GetMechanismInfo obtains information about a particular mechanism 
- * possibly supported by a token. */
- CK_RV FC_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
-    					CK_MECHANISM_INFO_PTR pInfo) {
-    SFTK_FIPSFATALCHECK();
-    if (slotID == FIPS_SLOT_ID) slotID = NETSCAPE_SLOT_ID;
-    /* FIPS Slot supports all functions */
-    return NSC_GetMechanismInfo(slotID,type,pInfo);
-}
-
-
-/* FC_InitToken initializes a token. */
- CK_RV FC_InitToken(CK_SLOT_ID slotID,CK_CHAR_PTR pPin,
- 				CK_ULONG usPinLen,CK_CHAR_PTR pLabel) {
-    return NSC_InitToken(slotID,pPin,usPinLen,pLabel);
-}
-
-
-/* FC_InitPIN initializes the normal user's PIN. */
- CK_RV FC_InitPIN(CK_SESSION_HANDLE hSession,
-    					CK_CHAR_PTR pPin, CK_ULONG ulPinLen) {
-    CK_RV rv;
-    SFTK_FIPSFATALCHECK();
-    if ((rv = sftk_newPinCheck(pPin,ulPinLen)) != CKR_OK) return rv;
-    return NSC_InitPIN(hSession,pPin,ulPinLen);
-}
-
-
-/* FC_SetPIN modifies the PIN of user that is currently logged in. */
-/* NOTE: This is only valid for the PRIVATE_KEY_SLOT */
- CK_RV FC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
-    CK_ULONG usOldLen, CK_CHAR_PTR pNewPin, CK_ULONG usNewLen) {
-    CK_RV rv;
-    if ((rv = sftk_fipsCheck()) != CKR_OK) return rv;
-    if ((rv = sftk_newPinCheck(pNewPin,usNewLen)) != CKR_OK) return rv;
-    return NSC_SetPIN(hSession,pOldPin,usOldLen,pNewPin,usNewLen);
-}
-
-/* FC_OpenSession opens a session between an application and a token. */
- CK_RV FC_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags,
-   CK_VOID_PTR pApplication,CK_NOTIFY Notify,CK_SESSION_HANDLE_PTR phSession) {
-    SFTK_FIPSFATALCHECK();
-    return NSC_OpenSession(slotID,flags,pApplication,Notify,phSession);
-}
-
-
-/* FC_CloseSession closes a session between an application and a token. */
- CK_RV FC_CloseSession(CK_SESSION_HANDLE hSession) {
-    return NSC_CloseSession(hSession);
-}
-
-
-/* FC_CloseAllSessions closes all sessions with a token. */
- CK_RV FC_CloseAllSessions (CK_SLOT_ID slotID) {
-    return NSC_CloseAllSessions (slotID);
-}
-
-
-/* FC_GetSessionInfo obtains information about the session. */
- CK_RV FC_GetSessionInfo(CK_SESSION_HANDLE hSession,
-						CK_SESSION_INFO_PTR pInfo) {
-    CK_RV rv;
-    SFTK_FIPSFATALCHECK();
-
-    rv = NSC_GetSessionInfo(hSession,pInfo);
-    if (rv == CKR_OK) {
-	if ((isLoggedIn) && (pInfo->state == CKS_RO_PUBLIC_SESSION)) {
-		pInfo->state = CKS_RO_USER_FUNCTIONS;
-	}
-	if ((isLoggedIn) && (pInfo->state == CKS_RW_PUBLIC_SESSION)) {
-		pInfo->state = CKS_RW_USER_FUNCTIONS;
-	}
-    }
-    return rv;
-}
-
-/* FC_Login logs a user into a token. */
- CK_RV FC_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
-				    CK_CHAR_PTR pPin, CK_ULONG usPinLen) {
-    CK_RV rv;
-    SFTK_FIPSFATALCHECK();
-    rv = NSC_Login(hSession,userType,pPin,usPinLen);
-    if (rv == CKR_OK)
-	isLoggedIn = PR_TRUE;
-    else if (rv == CKR_USER_ALREADY_LOGGED_IN)
-    {
-	isLoggedIn = PR_TRUE;
-
-	/* Provide FIPS PUB 140-1 power-up self-tests on demand. */
-	rv = sftk_fipsPowerUpSelfTest();
-	if (rv == CKR_OK)
-		return CKR_USER_ALREADY_LOGGED_IN;
-	else
-		fatalError = PR_TRUE;
-    }
-    return rv;
-}
-
-/* FC_Logout logs a user out from a token. */
- CK_RV FC_Logout(CK_SESSION_HANDLE hSession) {
-    SFTK_FIPSCHECK();
- 
-    rv = NSC_Logout(hSession);
-    isLoggedIn = PR_FALSE;
-    return rv;
-}
-
-
-/* FC_CreateObject creates a new object. */
- CK_RV FC_CreateObject(CK_SESSION_HANDLE hSession,
-		CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, 
-					CK_OBJECT_HANDLE_PTR phObject) {
-    CK_OBJECT_CLASS * classptr;
-    SFTK_FIPSCHECK();
-    classptr = (CK_OBJECT_CLASS *)fc_getAttribute(pTemplate,ulCount,CKA_CLASS);
-    if (classptr == NULL) return CKR_TEMPLATE_INCOMPLETE;
-
-    /* FIPS can't create keys from raw key material */
-    if ((*classptr == CKO_SECRET_KEY) || (*classptr == CKO_PRIVATE_KEY)) {
-	return CKR_ATTRIBUTE_VALUE_INVALID;
-    }
-    return NSC_CreateObject(hSession,pTemplate,ulCount,phObject);
-}
-
-
-
-
-
-/* FC_CopyObject copies an object, creating a new object for the copy. */
- CK_RV FC_CopyObject(CK_SESSION_HANDLE hSession,
-       CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount,
-					CK_OBJECT_HANDLE_PTR phNewObject) {
-    CK_RV rv;
-    SFTK_FIPSFATALCHECK();
-    rv = fips_login_if_key_object(hSession, hObject);
-    if (rv != CKR_OK) {
-	return rv;
-    }
-    return NSC_CopyObject(hSession,hObject,pTemplate,usCount,phNewObject);
-}
-
-
-/* FC_DestroyObject destroys an object. */
- CK_RV FC_DestroyObject(CK_SESSION_HANDLE hSession,
-		 				CK_OBJECT_HANDLE hObject) {
-    CK_RV rv;
-    SFTK_FIPSFATALCHECK();
-    rv = fips_login_if_key_object(hSession, hObject);
-    if (rv != CKR_OK) {
-	return rv;
-    }
-    return NSC_DestroyObject(hSession,hObject);
-}
-
-
-/* FC_GetObjectSize gets the size of an object in bytes. */
- CK_RV FC_GetObjectSize(CK_SESSION_HANDLE hSession,
-    			CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pusSize) {
-    CK_RV rv;
-    SFTK_FIPSFATALCHECK();
-    rv = fips_login_if_key_object(hSession, hObject);
-    if (rv != CKR_OK) {
-	return rv;
-    }
-    return NSC_GetObjectSize(hSession, hObject, pusSize);
-}
-
-
-/* FC_GetAttributeValue obtains the value of one or more object attributes. */
- CK_RV FC_GetAttributeValue(CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG usCount) {
-    CK_RV rv;
-    SFTK_FIPSFATALCHECK();
-    rv = fips_login_if_key_object(hSession, hObject);
-    if (rv != CKR_OK) {
-	return rv;
-    }
-    return NSC_GetAttributeValue(hSession,hObject,pTemplate,usCount);
-}
-
-
-/* FC_SetAttributeValue modifies the value of one or more object attributes */
- CK_RV FC_SetAttributeValue (CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG usCount) {
-    CK_RV rv;
-    SFTK_FIPSFATALCHECK();
-    rv = fips_login_if_key_object(hSession, hObject);
-    if (rv != CKR_OK) {
-	return rv;
-    }
-    return NSC_SetAttributeValue(hSession,hObject,pTemplate,usCount);
-}
-
-
-
-/* FC_FindObjectsInit initializes a search for token and session objects 
- * that match a template. */
- CK_RV FC_FindObjectsInit(CK_SESSION_HANDLE hSession,
-    			CK_ATTRIBUTE_PTR pTemplate,CK_ULONG usCount) {
-    /* let publically readable object be found */
-    unsigned int i;
-    CK_RV rv;
-    PRBool needLogin = PR_FALSE;
-
-    SFTK_FIPSFATALCHECK();
-
-    for (i=0; i < usCount; i++) {
-	CK_OBJECT_CLASS class;
-	if (pTemplate[i].type != CKA_CLASS) {
-	    continue;
-	}
-	if (pTemplate[i].ulValueLen != sizeof(CK_OBJECT_CLASS)) {
-	    continue;
-	}
-	if (pTemplate[i].pValue == NULL) {
-	    continue;
-	}
-	class = *(CK_OBJECT_CLASS *)pTemplate[i].pValue;
-	if ((class == CKO_PRIVATE_KEY) || (class == CKO_SECRET_KEY)) {
-	    needLogin = PR_TRUE;
-	    break;
-	}
-    }
-    if (needLogin) {
-	if ((rv = sftk_fipsCheck()) != CKR_OK) return rv;
-    }
-    return NSC_FindObjectsInit(hSession,pTemplate,usCount);
-}
-
-
-/* FC_FindObjects continues a search for token and session objects 
- * that match a template, obtaining additional object handles. */
- CK_RV FC_FindObjects(CK_SESSION_HANDLE hSession,
-    CK_OBJECT_HANDLE_PTR phObject,CK_ULONG usMaxObjectCount,
-    					CK_ULONG_PTR pusObjectCount) {
-    /* let publically readable object be found */
-    SFTK_FIPSFATALCHECK();
-    return NSC_FindObjects(hSession,phObject,usMaxObjectCount,
-    							pusObjectCount);
-}
-
-
-/*
- ************** Crypto Functions:     Encrypt ************************
- */
-
-/* FC_EncryptInit initializes an encryption operation. */
- CK_RV FC_EncryptInit(CK_SESSION_HANDLE hSession,
-		 CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) {
-    SFTK_FIPSCHECK();
-    return NSC_EncryptInit(hSession,pMechanism,hKey);
-}
-
-/* FC_Encrypt encrypts single-part data. */
- CK_RV FC_Encrypt (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
-    		CK_ULONG usDataLen, CK_BYTE_PTR pEncryptedData,
-					 CK_ULONG_PTR pusEncryptedDataLen) {
-    SFTK_FIPSCHECK();
-    return NSC_Encrypt(hSession,pData,usDataLen,pEncryptedData,
-							pusEncryptedDataLen);
-}
-
-
-/* FC_EncryptUpdate continues a multiple-part encryption operation. */
- CK_RV FC_EncryptUpdate(CK_SESSION_HANDLE hSession,
-    CK_BYTE_PTR pPart, CK_ULONG usPartLen, CK_BYTE_PTR pEncryptedPart,	
-					CK_ULONG_PTR pusEncryptedPartLen) {
-    SFTK_FIPSCHECK();
-    return NSC_EncryptUpdate(hSession,pPart,usPartLen,pEncryptedPart,
-						pusEncryptedPartLen);
-}
-
-
-/* FC_EncryptFinal finishes a multiple-part encryption operation. */
- CK_RV FC_EncryptFinal(CK_SESSION_HANDLE hSession,
-    CK_BYTE_PTR pLastEncryptedPart, CK_ULONG_PTR pusLastEncryptedPartLen) {
-
-    SFTK_FIPSCHECK();
-    return NSC_EncryptFinal(hSession,pLastEncryptedPart,
-						pusLastEncryptedPartLen);
-}
-
-/*
- ************** Crypto Functions:     Decrypt ************************
- */
-
-
-/* FC_DecryptInit initializes a decryption operation. */
- CK_RV FC_DecryptInit( CK_SESSION_HANDLE hSession,
-			 CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) {
-    SFTK_FIPSCHECK();
-    return NSC_DecryptInit(hSession,pMechanism,hKey);
-}
-
-/* FC_Decrypt decrypts encrypted data in a single part. */
- CK_RV FC_Decrypt(CK_SESSION_HANDLE hSession,
-    CK_BYTE_PTR pEncryptedData,CK_ULONG usEncryptedDataLen,CK_BYTE_PTR pData,
-    						CK_ULONG_PTR pusDataLen) {
-    SFTK_FIPSCHECK();
-    return NSC_Decrypt(hSession,pEncryptedData,usEncryptedDataLen,pData,
-    								pusDataLen);
-}
-
-
-/* FC_DecryptUpdate continues a multiple-part decryption operation. */
- CK_RV FC_DecryptUpdate(CK_SESSION_HANDLE hSession,
-    CK_BYTE_PTR pEncryptedPart, CK_ULONG usEncryptedPartLen,
-    				CK_BYTE_PTR pPart, CK_ULONG_PTR pusPartLen) {
-    SFTK_FIPSCHECK();
-    return NSC_DecryptUpdate(hSession,pEncryptedPart,usEncryptedPartLen,
-    							pPart,pusPartLen);
-}
-
-
-/* FC_DecryptFinal finishes a multiple-part decryption operation. */
- CK_RV FC_DecryptFinal(CK_SESSION_HANDLE hSession,
-    CK_BYTE_PTR pLastPart, CK_ULONG_PTR pusLastPartLen) {
-    SFTK_FIPSCHECK();
-    return NSC_DecryptFinal(hSession,pLastPart,pusLastPartLen);
-}
-
-
-/*
- ************** Crypto Functions:     Digest (HASH)  ************************
- */
-
-/* FC_DigestInit initializes a message-digesting operation. */
- CK_RV FC_DigestInit(CK_SESSION_HANDLE hSession,
-    					CK_MECHANISM_PTR pMechanism) {
-    SFTK_FIPSFATALCHECK();
-    return NSC_DigestInit(hSession, pMechanism);
-}
-
-
-/* FC_Digest digests data in a single part. */
- CK_RV FC_Digest(CK_SESSION_HANDLE hSession,
-    CK_BYTE_PTR pData, CK_ULONG usDataLen, CK_BYTE_PTR pDigest,
-    						CK_ULONG_PTR pusDigestLen) {
-    SFTK_FIPSFATALCHECK();
-    return NSC_Digest(hSession,pData,usDataLen,pDigest,pusDigestLen);
-}
-
-
-/* FC_DigestUpdate continues a multiple-part message-digesting operation. */
- CK_RV FC_DigestUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,
-					    CK_ULONG usPartLen) {
-    SFTK_FIPSFATALCHECK();
-    return NSC_DigestUpdate(hSession,pPart,usPartLen);
-}
-
-
-/* FC_DigestFinal finishes a multiple-part message-digesting operation. */
- CK_RV FC_DigestFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pDigest,
-    						CK_ULONG_PTR pusDigestLen) {
-    SFTK_FIPSFATALCHECK();
-    return NSC_DigestFinal(hSession,pDigest,pusDigestLen);
-}
-
-
-/*
- ************** Crypto Functions:     Sign  ************************
- */
-
-/* FC_SignInit initializes a signature (private key encryption) operation,
- * where the signature is (will be) an appendix to the data, 
- * and plaintext cannot be recovered from the signature */
- CK_RV FC_SignInit(CK_SESSION_HANDLE hSession,
-		 CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) {
-    SFTK_FIPSCHECK();
-    return NSC_SignInit(hSession,pMechanism,hKey);
-}
-
-
-/* FC_Sign signs (encrypts with private key) data in a single part,
- * where the signature is (will be) an appendix to the data, 
- * and plaintext cannot be recovered from the signature */
- CK_RV FC_Sign(CK_SESSION_HANDLE hSession,
-    CK_BYTE_PTR pData,CK_ULONG usDataLen,CK_BYTE_PTR pSignature,
-    					CK_ULONG_PTR pusSignatureLen) {
-    SFTK_FIPSCHECK();
-    return NSC_Sign(hSession,pData,usDataLen,pSignature,pusSignatureLen);
-}
-
-
-/* FC_SignUpdate continues a multiple-part signature operation,
- * where the signature is (will be) an appendix to the data, 
- * and plaintext cannot be recovered from the signature */
- CK_RV FC_SignUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,
-    							CK_ULONG usPartLen) {
-    SFTK_FIPSCHECK();
-    return NSC_SignUpdate(hSession,pPart,usPartLen);
-}
-
-
-/* FC_SignFinal finishes a multiple-part signature operation, 
- * returning the signature. */
- CK_RV FC_SignFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pSignature,
-					    CK_ULONG_PTR pusSignatureLen) {
-    SFTK_FIPSCHECK();
-    return NSC_SignFinal(hSession,pSignature,pusSignatureLen);
-}
-
-/*
- ************** Crypto Functions:     Sign Recover  ************************
- */
-/* FC_SignRecoverInit initializes a signature operation,
- * where the (digest) data can be recovered from the signature. 
- * E.g. encryption with the user's private key */
- CK_RV FC_SignRecoverInit(CK_SESSION_HANDLE hSession,
-			 CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey) {
-    SFTK_FIPSCHECK();
-    return NSC_SignRecoverInit(hSession,pMechanism,hKey);
-}
-
-
-/* FC_SignRecover signs data in a single operation
- * where the (digest) data can be recovered from the signature. 
- * E.g. encryption with the user's private key */
- CK_RV FC_SignRecover(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
-  CK_ULONG usDataLen, CK_BYTE_PTR pSignature, CK_ULONG_PTR pusSignatureLen) {
-    SFTK_FIPSCHECK();
-    return NSC_SignRecover(hSession,pData,usDataLen,pSignature,pusSignatureLen);
-}
-
-/*
- ************** Crypto Functions:     verify  ************************
- */
-
-/* FC_VerifyInit initializes a verification operation, 
- * where the signature is an appendix to the data, 
- * and plaintext cannot be recovered from the signature (e.g. DSA) */
- CK_RV FC_VerifyInit(CK_SESSION_HANDLE hSession,
-			   CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey) {
-    SFTK_FIPSCHECK();
-    return NSC_VerifyInit(hSession,pMechanism,hKey);
-}
-
-
-/* FC_Verify verifies a signature in a single-part operation, 
- * where the signature is an appendix to the data, 
- * and plaintext cannot be recovered from the signature */
- CK_RV FC_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
-    CK_ULONG usDataLen, CK_BYTE_PTR pSignature, CK_ULONG usSignatureLen) {
-    /* make sure we're legal */
-    SFTK_FIPSCHECK();
-    return NSC_Verify(hSession,pData,usDataLen,pSignature,usSignatureLen);
-}
-
-
-/* FC_VerifyUpdate continues a multiple-part verification operation, 
- * where the signature is an appendix to the data, 
- * and plaintext cannot be recovered from the signature */
- CK_RV FC_VerifyUpdate( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
-						CK_ULONG usPartLen) {
-    SFTK_FIPSCHECK();
-    return NSC_VerifyUpdate(hSession,pPart,usPartLen);
-}
-
-
-/* FC_VerifyFinal finishes a multiple-part verification operation, 
- * checking the signature. */
- CK_RV FC_VerifyFinal(CK_SESSION_HANDLE hSession,
-			CK_BYTE_PTR pSignature,CK_ULONG usSignatureLen) {
-    SFTK_FIPSCHECK();
-    return NSC_VerifyFinal(hSession,pSignature,usSignatureLen);
-}
-
-/*
- ************** Crypto Functions:     Verify  Recover ************************
- */
-
-/* FC_VerifyRecoverInit initializes a signature verification operation, 
- * where the data is recovered from the signature. 
- * E.g. Decryption with the user's public key */
- CK_RV FC_VerifyRecoverInit(CK_SESSION_HANDLE hSession,
-			CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey) {
-    SFTK_FIPSCHECK();
-    return NSC_VerifyRecoverInit(hSession,pMechanism,hKey);
-}
-
-
-/* FC_VerifyRecover verifies a signature in a single-part operation, 
- * where the data is recovered from the signature. 
- * E.g. Decryption with the user's public key */
- CK_RV FC_VerifyRecover(CK_SESSION_HANDLE hSession,
-		 CK_BYTE_PTR pSignature,CK_ULONG usSignatureLen,
-    				CK_BYTE_PTR pData,CK_ULONG_PTR pusDataLen) {
-    SFTK_FIPSCHECK();
-    return NSC_VerifyRecover(hSession,pSignature,usSignatureLen,pData,
-								pusDataLen);
-}
-
-/*
- **************************** Key Functions:  ************************
- */
-
-/* FC_GenerateKey generates a secret key, creating a new key object. */
- CK_RV FC_GenerateKey(CK_SESSION_HANDLE hSession,
-    CK_MECHANISM_PTR pMechanism,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount,
-    						CK_OBJECT_HANDLE_PTR phKey) {
-    CK_BBOOL *boolptr;
-
-    SFTK_FIPSCHECK();
-
-    /* all secret keys must be sensitive, if the upper level code tries to say
-     * otherwise, reject it. */
-    boolptr = (CK_BBOOL *) fc_getAttribute(pTemplate, ulCount, CKA_SENSITIVE);
-    if (boolptr != NULL) {
-	if (!(*boolptr)) {
-	    return CKR_ATTRIBUTE_VALUE_INVALID;
-	}
-    }
-
-    return NSC_GenerateKey(hSession,pMechanism,pTemplate,ulCount,phKey);
-}
-
-
-/* FC_GenerateKeyPair generates a public-key/private-key pair, 
- * creating new key objects. */
- CK_RV FC_GenerateKeyPair (CK_SESSION_HANDLE hSession,
-    CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pPublicKeyTemplate,
-    CK_ULONG usPublicKeyAttributeCount, CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
-    CK_ULONG usPrivateKeyAttributeCount, CK_OBJECT_HANDLE_PTR phPublicKey,
-					CK_OBJECT_HANDLE_PTR phPrivateKey) {
-    CK_BBOOL *boolptr;
-    CK_RV crv;
-
-    SFTK_FIPSCHECK();
-
-    /* all private keys must be sensitive, if the upper level code tries to say
-     * otherwise, reject it. */
-    boolptr = (CK_BBOOL *) fc_getAttribute(pPrivateKeyTemplate, 
-				usPrivateKeyAttributeCount, CKA_SENSITIVE);
-    if (boolptr != NULL) {
-	if (!(*boolptr)) {
-	    return CKR_ATTRIBUTE_VALUE_INVALID;
-	}
-    }
-    crv = NSC_GenerateKeyPair (hSession,pMechanism,pPublicKeyTemplate,
-    		usPublicKeyAttributeCount,pPrivateKeyTemplate,
-		usPrivateKeyAttributeCount,phPublicKey,phPrivateKey);
-    if (crv == CKR_GENERAL_ERROR) {
-	/* pairwise consistency check failed. */
-	fatalError = PR_TRUE;
-    }
-    return crv;
-}
-
-
-/* FC_WrapKey wraps (i.e., encrypts) a key. */
- CK_RV FC_WrapKey(CK_SESSION_HANDLE hSession,
-    CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hWrappingKey,
-    CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pWrappedKey,
-					 CK_ULONG_PTR pusWrappedKeyLen) {
-    SFTK_FIPSCHECK();
-    return NSC_WrapKey(hSession,pMechanism,hWrappingKey,hKey,pWrappedKey,
-							pusWrappedKeyLen);
-}
-
-
-/* FC_UnwrapKey unwraps (decrypts) a wrapped key, creating a new key object. */
- CK_RV FC_UnwrapKey(CK_SESSION_HANDLE hSession,
-    CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hUnwrappingKey,
-    CK_BYTE_PTR pWrappedKey, CK_ULONG usWrappedKeyLen,
-    CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usAttributeCount,
-						 CK_OBJECT_HANDLE_PTR phKey) {
-    CK_BBOOL *boolptr;
-
-    SFTK_FIPSCHECK();
-
-    /* all secret keys must be sensitive, if the upper level code tries to say
-     * otherwise, reject it. */
-    boolptr = (CK_BBOOL *) fc_getAttribute(pTemplate, 
-					usAttributeCount, CKA_SENSITIVE);
-    if (boolptr != NULL) {
-	if (!(*boolptr)) {
-	    return CKR_ATTRIBUTE_VALUE_INVALID;
-	}
-    }
-    return NSC_UnwrapKey(hSession,pMechanism,hUnwrappingKey,pWrappedKey,
-			usWrappedKeyLen,pTemplate,usAttributeCount,phKey);
-}
-
-
-/* FC_DeriveKey derives a key from a base key, creating a new key object. */
- CK_RV FC_DeriveKey( CK_SESSION_HANDLE hSession,
-	 CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hBaseKey,
-	 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usAttributeCount, 
-						CK_OBJECT_HANDLE_PTR phKey) {
-    CK_BBOOL *boolptr;
-
-    SFTK_FIPSCHECK();
-
-    /* all secret keys must be sensitive, if the upper level code tries to say
-     * otherwise, reject it. */
-    boolptr = (CK_BBOOL *) fc_getAttribute(pTemplate, 
-					usAttributeCount, CKA_SENSITIVE);
-    if (boolptr != NULL) {
-	if (!(*boolptr)) {
-	    return CKR_ATTRIBUTE_VALUE_INVALID;
-	}
-    }
-    return NSC_DeriveKey(hSession,pMechanism,hBaseKey,pTemplate,
-			usAttributeCount, phKey);
-}
-
-/*
- **************************** Radom Functions:  ************************
- */
-
-/* FC_SeedRandom mixes additional seed material into the token's random number 
- * generator. */
- CK_RV FC_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed,
-    CK_ULONG usSeedLen) {
-    CK_RV crv;
-
-    SFTK_FIPSFATALCHECK();
-    crv = NSC_SeedRandom(hSession,pSeed,usSeedLen);
-    if (crv != CKR_OK) {
-	fatalError = PR_TRUE;
-    }
-    return crv;
-}
-
-
-/* FC_GenerateRandom generates random data. */
- CK_RV FC_GenerateRandom(CK_SESSION_HANDLE hSession,
-    CK_BYTE_PTR	pRandomData, CK_ULONG usRandomLen) {
-    CK_RV crv;
-
-    SFTK_FIPSFATALCHECK();
-    crv = NSC_GenerateRandom(hSession,pRandomData,usRandomLen);
-    if (crv != CKR_OK) {
-	fatalError = PR_TRUE;
-    }
-    return crv;
-}
-
-
-/* FC_GetFunctionStatus obtains an updated status of a function running 
- * in parallel with an application. */
- CK_RV FC_GetFunctionStatus(CK_SESSION_HANDLE hSession) {
-    SFTK_FIPSCHECK();
-    return NSC_GetFunctionStatus(hSession);
-}
-
-
-/* FC_CancelFunction cancels a function running in parallel */
- CK_RV FC_CancelFunction(CK_SESSION_HANDLE hSession) {
-    SFTK_FIPSCHECK();
-    return NSC_CancelFunction(hSession);
-}
-
-/*
- ****************************  Version 1.1 Functions:  ************************
- */
-
-/* FC_GetOperationState saves the state of the cryptographic 
- *operation in a session. */
-CK_RV FC_GetOperationState(CK_SESSION_HANDLE hSession, 
-	CK_BYTE_PTR  pOperationState, CK_ULONG_PTR pulOperationStateLen) {
-    SFTK_FIPSFATALCHECK();
-    return NSC_GetOperationState(hSession,pOperationState,pulOperationStateLen);
-}
-
-
-/* FC_SetOperationState restores the state of the cryptographic operation 
- * in a session. */
-CK_RV FC_SetOperationState(CK_SESSION_HANDLE hSession, 
-	CK_BYTE_PTR  pOperationState, CK_ULONG  ulOperationStateLen,
-        CK_OBJECT_HANDLE hEncryptionKey, CK_OBJECT_HANDLE hAuthenticationKey) {
-    SFTK_FIPSFATALCHECK();
-    return NSC_SetOperationState(hSession,pOperationState,ulOperationStateLen,
-        				hEncryptionKey,hAuthenticationKey);
-}
-
-/* FC_FindObjectsFinal finishes a search for token and session objects. */
-CK_RV FC_FindObjectsFinal(CK_SESSION_HANDLE hSession) {
-    /* let publically readable object be found */
-    SFTK_FIPSFATALCHECK();
-    return NSC_FindObjectsFinal(hSession);
-}
-
-
-/* Dual-function cryptographic operations */
-
-/* FC_DigestEncryptUpdate continues a multiple-part digesting and encryption 
- * operation. */
-CK_RV FC_DigestEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR  pPart,
-    CK_ULONG  ulPartLen, CK_BYTE_PTR  pEncryptedPart,
-					 CK_ULONG_PTR pulEncryptedPartLen) {
-    SFTK_FIPSCHECK();
-    return NSC_DigestEncryptUpdate(hSession,pPart,ulPartLen,pEncryptedPart,
-					 pulEncryptedPartLen);
-}
-
-
-/* FC_DecryptDigestUpdate continues a multiple-part decryption and digesting 
- * operation. */
-CK_RV FC_DecryptDigestUpdate(CK_SESSION_HANDLE hSession,
-     CK_BYTE_PTR  pEncryptedPart, CK_ULONG  ulEncryptedPartLen,
-    				CK_BYTE_PTR  pPart, CK_ULONG_PTR pulPartLen) {
-
-    SFTK_FIPSCHECK();
-    return NSC_DecryptDigestUpdate(hSession, pEncryptedPart,ulEncryptedPartLen,
-    				pPart,pulPartLen);
-}
-
-/* FC_SignEncryptUpdate continues a multiple-part signing and encryption 
- * operation. */
-CK_RV FC_SignEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR  pPart,
-	 CK_ULONG  ulPartLen, CK_BYTE_PTR  pEncryptedPart,
-					 CK_ULONG_PTR pulEncryptedPartLen) {
-
-    SFTK_FIPSCHECK();
-    return NSC_SignEncryptUpdate(hSession,pPart,ulPartLen,pEncryptedPart,
-					 pulEncryptedPartLen);
-}
-
-/* FC_DecryptVerifyUpdate continues a multiple-part decryption and verify 
- * operation. */
-CK_RV FC_DecryptVerifyUpdate(CK_SESSION_HANDLE hSession, 
-	CK_BYTE_PTR  pEncryptedData, CK_ULONG  ulEncryptedDataLen, 
-				CK_BYTE_PTR  pData, CK_ULONG_PTR pulDataLen) {
-
-    SFTK_FIPSCHECK();
-    return NSC_DecryptVerifyUpdate(hSession,pEncryptedData,ulEncryptedDataLen, 
-				pData,pulDataLen);
-}
-
-
-/* FC_DigestKey continues a multi-part message-digesting operation,
- * by digesting the value of a secret key as part of the data already digested.
- */
-CK_RV FC_DigestKey(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey) {
-    SFTK_FIPSCHECK();
-    return NSC_DigestKey(hSession,hKey);
-}
-
-
-CK_RV FC_WaitForSlotEvent(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot,
-							 CK_VOID_PTR pReserved)
-{
-    return NSC_WaitForSlotEvent(flags, pSlot, pReserved);
-}
diff --git a/security/nss/lib/softoken/keydb.c b/security/nss/lib/softoken/keydb.c
deleted file mode 100644
index 2f685a5a6..000000000
--- a/security/nss/lib/softoken/keydb.c
+++ /dev/null
@@ -1,2885 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "lowkeyi.h"
-#include "seccomon.h"
-#include "sechash.h"
-#include "secder.h"
-#include "secasn1.h"
-#include "secoid.h"
-#include "blapi.h"
-#include "secitem.h"
-#include "pcert.h"
-#include "mcom_db.h"
-#include "lowpbe.h"
-#include "secerr.h"
-#include "cdbhdl.h"
-#include "nsslocks.h"
-
-#include "keydbi.h"
-
-#ifdef NSS_ENABLE_ECC
-extern SECStatus EC_FillParams(PRArenaPool *arena, 
-			       const SECItem *encodedParams, 
-			       ECParams *params);
-#endif
-
-/*
- * Record keys for keydb
- */
-#define SALT_STRING "global-salt"
-#define VERSION_STRING "Version"
-#define KEYDB_PW_CHECK_STRING	"password-check"
-#define KEYDB_PW_CHECK_LEN	14
-#define KEYDB_FAKE_PW_CHECK_STRING	"fake-password-check"
-#define KEYDB_FAKE_PW_CHECK_LEN	19
-
-/* Size of the global salt for key database */
-#define SALT_LENGTH     16
-
-const SEC_ASN1Template nsslowkey_AttributeTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 
-	0, NULL, sizeof(NSSLOWKEYAttribute) },
-    { SEC_ASN1_OBJECT_ID, offsetof(NSSLOWKEYAttribute, attrType) },
-    { SEC_ASN1_SET_OF, offsetof(NSSLOWKEYAttribute, attrValue), 
-	SEC_AnyTemplate },
-    { 0 }
-};
-
-const SEC_ASN1Template nsslowkey_SetOfAttributeTemplate[] = {
-    { SEC_ASN1_SET_OF, 0, nsslowkey_AttributeTemplate },
-};
-/* ASN1 Templates for new decoder/encoder */
-const SEC_ASN1Template nsslowkey_PrivateKeyInfoTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	0, NULL, sizeof(NSSLOWKEYPrivateKeyInfo) },
-    { SEC_ASN1_INTEGER,
-	offsetof(NSSLOWKEYPrivateKeyInfo,version) },
-    { SEC_ASN1_INLINE,
-	offsetof(NSSLOWKEYPrivateKeyInfo,algorithm),
-	SECOID_AlgorithmIDTemplate },
-    { SEC_ASN1_OCTET_STRING,
-	offsetof(NSSLOWKEYPrivateKeyInfo,privateKey) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
-	offsetof(NSSLOWKEYPrivateKeyInfo, attributes),
-	nsslowkey_SetOfAttributeTemplate },
-    { 0 }
-};
-
-const SEC_ASN1Template nsslowkey_PointerToPrivateKeyInfoTemplate[] = {
-    { SEC_ASN1_POINTER, 0, nsslowkey_PrivateKeyInfoTemplate }
-};
-
-const SEC_ASN1Template nsslowkey_EncryptedPrivateKeyInfoTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	0, NULL, sizeof(NSSLOWKEYEncryptedPrivateKeyInfo) },
-    { SEC_ASN1_INLINE,
-	offsetof(NSSLOWKEYEncryptedPrivateKeyInfo,algorithm),
-	SECOID_AlgorithmIDTemplate },
-    { SEC_ASN1_OCTET_STRING,
-	offsetof(NSSLOWKEYEncryptedPrivateKeyInfo,encryptedData) },
-    { 0 }
-};
-
-const SEC_ASN1Template nsslowkey_PointerToEncryptedPrivateKeyInfoTemplate[] = {
-	{ SEC_ASN1_POINTER, 0, nsslowkey_EncryptedPrivateKeyInfoTemplate }
-};
-
-
-/* ====== Default key databse encryption algorithm ====== */
-
-static SECOidTag defaultKeyDBAlg = SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC;
-
-/*
- * Default algorithm for encrypting data in the key database
- */
-SECOidTag
-nsslowkey_GetDefaultKeyDBAlg(void)
-{
-    return(defaultKeyDBAlg);
-}
-
-void
-nsslowkey_SetDefaultKeyDBAlg(SECOidTag alg)
-{
-    defaultKeyDBAlg = alg;
-
-    return;
-}
-
-static void
-sec_destroy_dbkey(NSSLOWKEYDBKey *dbkey)
-{
-    if ( dbkey && dbkey->arena ) {
-	PORT_FreeArena(dbkey->arena, PR_FALSE);
-    }
-}
-
-static void
-free_dbt(DBT *dbt)
-{
-    if ( dbt ) {
-	PORT_Free(dbt->data);
-	PORT_Free(dbt);
-    }
-    
-    return;
-}
-
-static int keydb_Get(NSSLOWKEYDBHandle *db, DBT *key, DBT *data, 
-		     unsigned int flags);
-static int keydb_Put(NSSLOWKEYDBHandle *db, DBT *key, DBT *data, 
-		     unsigned int flags);
-static int keydb_Sync(NSSLOWKEYDBHandle *db, unsigned int flags);
-static int keydb_Del(NSSLOWKEYDBHandle *db, DBT *key, unsigned int flags);
-static int keydb_Seq(NSSLOWKEYDBHandle *db, DBT *key, DBT *data, 
-		     unsigned int flags);
-static void keydb_Close(NSSLOWKEYDBHandle *db);
-
-static void
-keydb_InitLocks(NSSLOWKEYDBHandle *handle) 
-{
-    if (handle->lock == NULL) {
-	nss_InitLock(&handle->lock, nssILockKeyDB);
-    }
-
-    return;
-}
-
-static void
-keydb_DestroyLocks(NSSLOWKEYDBHandle *handle)
-{
-    if (handle->lock != NULL) {
-	PZ_DestroyLock(handle->lock);
-	handle->lock = NULL;
-    }
-
-    return;
-}
-
-/*
- * format of key database entries for version 3 of database:
- *	byte offset	field
- *	-----------	-----
- *	0		version
- *	1		salt-len
- *	2		nn-len
- *	3..		salt-data
- *	...		nickname
- *	...		encrypted-key-data
- */
-static DBT *
-encode_dbkey(NSSLOWKEYDBKey *dbkey,unsigned char version)
-{
-    DBT *bufitem = NULL;
-    unsigned char *buf;
-    int nnlen;
-    char *nn;
-    
-    bufitem = (DBT *)PORT_ZAlloc(sizeof(DBT));
-    if ( bufitem == NULL ) {
-	goto loser;
-    }
-    
-    if ( dbkey->nickname ) {
-	nn = dbkey->nickname;
-	nnlen = PORT_Strlen(nn) + 1;
-    } else {
-	nn = "";
-	nnlen = 1;
-    }
-    
-    /* compute the length of the record */
-    /* 1 + 1 + 1 == version number header + salt length + nn len */
-    bufitem->size = dbkey->salt.len + nnlen + dbkey->derPK.len + 1 + 1 + 1;
-    
-    bufitem->data = (void *)PORT_ZAlloc(bufitem->size);
-    if ( bufitem->data == NULL ) {
-	goto loser;
-    }
-
-    buf = (unsigned char *)bufitem->data;
-    
-    /* set version number */
-    buf[0] = version;
-
-    /* set length of salt */
-    PORT_Assert(dbkey->salt.len < 256);
-    buf[1] = dbkey->salt.len;
-
-    /* set length of nickname */
-    PORT_Assert(nnlen < 256);
-    buf[2] = nnlen;
-
-    /* copy salt */
-    PORT_Memcpy(&buf[3], dbkey->salt.data, dbkey->salt.len);
-
-    /* copy nickname */
-    PORT_Memcpy(&buf[3 + dbkey->salt.len], nn, nnlen);
-
-    /* copy encrypted key */
-    PORT_Memcpy(&buf[3 + dbkey->salt.len + nnlen], dbkey->derPK.data,
-	      dbkey->derPK.len);
-    
-    return(bufitem);
-    
-loser:
-    if ( bufitem ) {
-	free_dbt(bufitem);
-    }
-    
-    return(NULL);
-}
-
-static NSSLOWKEYDBKey *
-decode_dbkey(DBT *bufitem, int expectedVersion)
-{
-    NSSLOWKEYDBKey *dbkey;
-    PLArenaPool *arena = NULL;
-    unsigned char *buf;
-    int version;
-    int keyoff;
-    int nnlen;
-    int saltoff;
-    
-    buf = (unsigned char *)bufitem->data;
-
-    version = buf[0];
-    
-    if ( version != expectedVersion ) {
-	goto loser;
-    }
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( arena == NULL ) {
-	goto loser;
-    }
-    
-    dbkey = (NSSLOWKEYDBKey *)PORT_ArenaZAlloc(arena, sizeof(NSSLOWKEYDBKey));
-    if ( dbkey == NULL ) {
-	goto loser;
-    }
-
-    dbkey->arena = arena;
-    dbkey->salt.data = NULL;
-    dbkey->derPK.data = NULL;
-    
-    dbkey->salt.len = buf[1];
-    dbkey->salt.data = (unsigned char *)PORT_ArenaZAlloc(arena, dbkey->salt.len);
-    if ( dbkey->salt.data == NULL ) {
-	goto loser;
-    }
-
-    saltoff = 2;
-    keyoff = 2 + dbkey->salt.len;
-    
-    if ( expectedVersion >= 3 ) {
-	nnlen = buf[2];
-	if ( nnlen ) {
-	    dbkey->nickname = (char *)PORT_ArenaZAlloc(arena, nnlen + 1);
-	    if ( dbkey->nickname ) {
-		PORT_Memcpy(dbkey->nickname, &buf[keyoff+1], nnlen);
-	    }
-	}
-	keyoff += ( nnlen + 1 );
-	saltoff = 3;
-    }
-
-    PORT_Memcpy(dbkey->salt.data, &buf[saltoff], dbkey->salt.len);
-    
-    dbkey->derPK.len = bufitem->size - keyoff;
-    dbkey->derPK.data = (unsigned char *)PORT_ArenaZAlloc(arena,dbkey->derPK.len);
-    if ( dbkey->derPK.data == NULL ) {
-	goto loser;
-    }
-    
-    PORT_Memcpy(dbkey->derPK.data, &buf[keyoff], dbkey->derPK.len);
-    
-    return(dbkey);
-    
-loser:
-
-    if ( arena ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    
-    return(NULL);
-}
-
-static NSSLOWKEYDBKey *
-get_dbkey(NSSLOWKEYDBHandle *handle, DBT *index)
-{
-    NSSLOWKEYDBKey *dbkey;
-    DBT entry;
-    int ret;
-    
-    /* get it from the database */
-    ret = keydb_Get(handle, index, &entry, 0);
-    if ( ret ) {
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	return NULL;
-    }
-
-    /* set up dbkey struct */
-
-    dbkey = decode_dbkey(&entry, handle->version);
-
-    return(dbkey);
-}
-
-static SECStatus
-put_dbkey(NSSLOWKEYDBHandle *handle, DBT *index, NSSLOWKEYDBKey *dbkey, PRBool update)
-{
-    DBT *keydata = NULL;
-    int status;
-    
-    keydata = encode_dbkey(dbkey, handle->version);
-    if ( keydata == NULL ) {
-	goto loser;
-    }
-    
-    /* put it in the database */
-    if ( update ) {
-	status = keydb_Put(handle, index, keydata, 0);
-    } else {
-	status = keydb_Put(handle, index, keydata, R_NOOVERWRITE);
-    }
-    
-    if ( status ) {
-	goto loser;
-    }
-
-    /* sync the database */
-    status = keydb_Sync(handle, 0);
-    if ( status ) {
-	goto loser;
-    }
-
-    free_dbt(keydata);
-    return(SECSuccess);
-
-loser:
-    if ( keydata ) {
-	free_dbt(keydata);
-    }
-    
-    return(SECFailure);
-}
-
-SECStatus
-nsslowkey_TraverseKeys(NSSLOWKEYDBHandle *handle, 
-		 SECStatus (* keyfunc)(DBT *k, DBT *d, void *pdata),
-		 void *udata )
-{
-    DBT data;
-    DBT key;
-    SECStatus status;
-    int ret;
-
-    if (handle == NULL) {
-	return(SECFailure);
-    }
-
-    ret = keydb_Seq(handle, &key, &data, R_FIRST);
-    if ( ret ) {
-	return(SECFailure);
-    }
-    
-    do {
-	/* skip version record */
-	if ( data.size > 1 ) {
-	    if ( key.size == ( sizeof(SALT_STRING) - 1 ) ) {
-		if ( PORT_Memcmp(key.data, SALT_STRING, key.size) == 0 ) {
-		    continue;
-		}
-	    }
-
-	    /* skip password check */
-	    if ( key.size == KEYDB_PW_CHECK_LEN ) {
-		if ( PORT_Memcmp(key.data, KEYDB_PW_CHECK_STRING,
-				 KEYDB_PW_CHECK_LEN) == 0 ) {
-		    continue;
-		}
-	    }
-	    
-	    status = (* keyfunc)(&key, &data, udata);
-	    if (status != SECSuccess) {
-		return(status);
-	    }
-	}
-    } while ( keydb_Seq(handle, &key, &data, R_NEXT) == 0 );
-
-    return(SECSuccess);
-}
-
-typedef struct keyNode {
-    struct keyNode *next;
-    DBT key;
-} keyNode;
-
-typedef struct {
-    PLArenaPool *arena;
-    keyNode *head;
-} keyList;
-
-static SECStatus
-sec_add_key_to_list(DBT *key, DBT *data, void *arg)
-{
-    keyList *keylist;
-    keyNode *node;
-    void *keydata;
-    
-    keylist = (keyList *)arg;
-
-    /* allocate the node struct */
-    node = (keyNode*)PORT_ArenaZAlloc(keylist->arena, sizeof(keyNode));
-    if ( node == NULL ) {
-	return(SECFailure);
-    }
-    
-    /* allocate room for key data */
-    keydata = PORT_ArenaZAlloc(keylist->arena, key->size);
-    if ( keydata == NULL ) {
-	return(SECFailure);
-    }
-
-    /* link node into list */
-    node->next = keylist->head;
-    keylist->head = node;
-
-    /* copy key into node */
-    PORT_Memcpy(keydata, key->data, key->size);
-    node->key.size = key->size;
-    node->key.data = keydata;
-    
-    return(SECSuccess);
-}
-
-static SECItem *
-decodeKeyDBGlobalSalt(DBT *saltData)
-{
-    SECItem *saltitem;
-    
-    saltitem = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
-    if ( saltitem == NULL ) {
-	return(NULL);
-    }
-    
-    saltitem->data = (unsigned char *)PORT_ZAlloc(saltData->size);
-    if ( saltitem->data == NULL ) {
-	PORT_Free(saltitem);
-	return(NULL);
-    }
-    
-    saltitem->len = saltData->size;
-    PORT_Memcpy(saltitem->data, saltData->data, saltitem->len);
-    
-    return(saltitem);
-}
-
-static SECItem *
-GetKeyDBGlobalSalt(NSSLOWKEYDBHandle *handle)
-{
-    DBT saltKey;
-    DBT saltData;
-    int ret;
-    
-    saltKey.data = SALT_STRING;
-    saltKey.size = sizeof(SALT_STRING) - 1;
-
-    ret = keydb_Get(handle, &saltKey, &saltData, 0);
-    if ( ret ) {
-	return(NULL);
-    }
-
-    return(decodeKeyDBGlobalSalt(&saltData));
-}
-
-static SECStatus
-StoreKeyDBGlobalSalt(NSSLOWKEYDBHandle *handle)
-{
-    DBT saltKey;
-    DBT saltData;
-    int status;
-    
-    saltKey.data = SALT_STRING;
-    saltKey.size = sizeof(SALT_STRING) - 1;
-
-    saltData.data = (void *)handle->global_salt->data;
-    saltData.size = handle->global_salt->len;
-
-    /* put global salt into the database now */
-    status = keydb_Put(handle, &saltKey, &saltData, 0);
-    if ( status ) {
-	return(SECFailure);
-    }
-
-    return(SECSuccess);
-}
-
-static SECStatus
-makeGlobalVersion(NSSLOWKEYDBHandle *handle)
-{
-    unsigned char version;
-    DBT versionData;
-    DBT versionKey;
-    int status;
-    
-    version = NSSLOWKEY_DB_FILE_VERSION;
-    versionData.data = &version;
-    versionData.size = 1;
-    versionKey.data = VERSION_STRING;
-    versionKey.size = sizeof(VERSION_STRING)-1;
-		
-    /* put version string into the database now */
-    status = keydb_Put(handle, &versionKey, &versionData, 0);
-    if ( status ) {
-	return(SECFailure);
-    }
-    handle->version = version;
-
-    return(SECSuccess);
-}
-
-
-static SECStatus
-makeGlobalSalt(NSSLOWKEYDBHandle *handle)
-{
-    DBT saltKey;
-    DBT saltData;
-    unsigned char saltbuf[16];
-    int status;
-    
-    saltKey.data = SALT_STRING;
-    saltKey.size = sizeof(SALT_STRING) - 1;
-
-    saltData.data = (void *)saltbuf;
-    saltData.size = sizeof(saltbuf);
-    RNG_GenerateGlobalRandomBytes(saltbuf, sizeof(saltbuf));
-
-    /* put global salt into the database now */
-    status = keydb_Put(handle, &saltKey, &saltData, 0);
-    if ( status ) {
-	return(SECFailure);
-    }
-
-    return(SECSuccess);
-}
-
-static SECStatus
-ChangeKeyDBPasswordAlg(NSSLOWKEYDBHandle *handle,
-		       SECItem *oldpwitem, SECItem *newpwitem,
-		       SECOidTag new_algorithm);
-/*
- * Second pass of updating the key db.  This time we have a password.
- */
-static SECStatus
-nsslowkey_UpdateKeyDBPass2(NSSLOWKEYDBHandle *handle, SECItem *pwitem)
-{
-    SECStatus rv;
-    
-    rv = ChangeKeyDBPasswordAlg(handle, pwitem, pwitem,
-			     nsslowkey_GetDefaultKeyDBAlg());
-    
-    return(rv);
-}
-
-static SECStatus
-encodePWCheckEntry(PLArenaPool *arena, SECItem *entry, SECOidTag alg,
-		   SECItem *encCheck);
-
-static unsigned char
-nsslowkey_version(NSSLOWKEYDBHandle *handle)
-{
-    DBT versionKey;
-    DBT versionData;
-    int ret;
-    versionKey.data = VERSION_STRING;
-    versionKey.size = sizeof(VERSION_STRING)-1;
-
-    if (handle->db == NULL) {
-	return 255;
-    }
-
-    /* lookup version string in database */
-    ret = keydb_Get( handle, &versionKey, &versionData, 0 );
-
-    /* error accessing the database */
-    if ( ret < 0 ) {
-	return 255;
-    }
-
-    if ( ret >= 1 ) {
-	return 0;
-    }
-    return *( (unsigned char *)versionData.data);
-}
-
-static PRBool
-seckey_HasAServerKey(NSSLOWKEYDBHandle *handle)
-{
-    DBT key;
-    DBT data;
-    int ret;
-    PRBool found = PR_FALSE;
-
-    ret = keydb_Seq(handle, &key, &data, R_FIRST);
-    if ( ret ) {
-	return PR_FALSE;
-    }
-    
-    do {
-	/* skip version record */
-	if ( data.size > 1 ) {
-	    /* skip salt */
-	    if ( key.size == ( sizeof(SALT_STRING) - 1 ) ) {
-		if ( PORT_Memcmp(key.data, SALT_STRING, key.size) == 0 ) {
-		    continue;
-		}
-	    }
-	    /* skip pw check entry */
-	    if ( key.size == KEYDB_PW_CHECK_LEN ) {
-		if ( PORT_Memcmp(key.data, KEYDB_PW_CHECK_STRING, 
-						KEYDB_PW_CHECK_LEN) == 0 ) {
-		    continue;
-		}
-	    }
-
-	    /* keys stored by nickname will have 0 as the last byte of the
-	     * db key.  Other keys must be stored by modulus.  We will not
-	     * update those because they are left over from a keygen that
-	     * never resulted in a cert.
-	     */
-	    if ( ((unsigned char *)key.data)[key.size-1] != 0 ) {
-		continue;
-	    }
-
-	    if (PORT_Strcmp(key.data,"Server-Key") == 0) {
-		found = PR_TRUE;
-	        break;
-	    }
-	    
-	}
-    } while ( keydb_Seq(handle, &key, &data, R_NEXT) == 0 );
-
-    return found;
-}
-
-/* forward declare local create function */
-static NSSLOWKEYDBHandle * nsslowkey_NewHandle(DB *dbHandle);
-
-/*
- * currently updates key database from v2 to v3
- */
-static SECStatus
-nsslowkey_UpdateKeyDBPass1(NSSLOWKEYDBHandle *handle)
-{
-    SECStatus rv;
-    DBT checkKey;
-    DBT checkData;
-    DBT saltKey;
-    DBT saltData;
-    DBT key;
-    DBT data;
-    unsigned char version;
-    SECItem *rc4key = NULL;
-    NSSLOWKEYDBKey *dbkey = NULL;
-    NSSLOWKEYDBHandle *update = NULL;
-    SECItem *oldSalt = NULL;
-    int ret;
-    SECItem checkitem;
-
-    if ( handle->updatedb == NULL ) {
-	return SECSuccess;
-    }
-
-    /* create a full DB Handle for our update so we 
-     * can use the correct locks for the db primatives */
-    update = nsslowkey_NewHandle(handle->updatedb);
-    if ( update == NULL) {
-	return SECSuccess;
-    }
-
-    /* update has now inherited the database handle */
-    handle->updatedb = NULL;
-
-    /*
-     * check the version record
-     */
-    version = nsslowkey_version(update);
-    if (version != 2) {
-	goto done;
-    }
-
-    saltKey.data = SALT_STRING;
-    saltKey.size = sizeof(SALT_STRING) - 1;
-
-    ret = keydb_Get(update, &saltKey, &saltData, 0);
-    if ( ret ) {
-	/* no salt in old db, so it is corrupted */
-	goto done;
-    }
-
-    oldSalt = decodeKeyDBGlobalSalt(&saltData);
-    if ( oldSalt == NULL ) {
-	/* bad salt in old db, so it is corrupted */
-	goto done;
-    }
-
-    /*
-     * look for a pw check entry
-     */
-    checkKey.data = KEYDB_PW_CHECK_STRING;
-    checkKey.size = KEYDB_PW_CHECK_LEN;
-    
-    ret = keydb_Get(update, &checkKey, &checkData, 0 );
-    if (ret) {
-	/*
-	 * if we have a key, but no KEYDB_PW_CHECK_STRING, then this must
-	 * be an old server database, and it does have a password associated
-	 * with it. Put a fake entry in so we can identify this db when we do
-	 * get the password for it.
-	 */
-	if (seckey_HasAServerKey(update)) {
-	    DBT fcheckKey;
-	    DBT fcheckData;
-
-	    /*
-	     * include a fake string
-	     */
-	    fcheckKey.data = KEYDB_FAKE_PW_CHECK_STRING;
-	    fcheckKey.size = KEYDB_FAKE_PW_CHECK_LEN;
-	    fcheckData.data = "1";
-	    fcheckData.size = 1;
-	    /* put global salt into the new database now */
-	    ret = keydb_Put( handle, &saltKey, &saltData, 0);
-	    if ( ret ) {
-		goto done;
-	    }
-	    ret = keydb_Put( handle, &fcheckKey, &fcheckData, 0);
-	    if ( ret ) {
-		goto done;
-	    }
-	} else {
-	    goto done;
-	}
-    } else {
-	/* put global salt into the new database now */
-	ret = keydb_Put( handle, &saltKey, &saltData, 0);
-	if ( ret ) {
-	    goto done;
-	}
-
-	dbkey = decode_dbkey(&checkData, 2);
-	if ( dbkey == NULL ) {
-	    goto done;
-	}
-	checkitem = dbkey->derPK;
-	dbkey->derPK.data = NULL;
-    
-	/* format the new pw check entry */
-	rv = encodePWCheckEntry(NULL, &dbkey->derPK, SEC_OID_RC4, &checkitem);
-	if ( rv != SECSuccess ) {
-	    goto done;
-	}
-
-	rv = put_dbkey(handle, &checkKey, dbkey, PR_TRUE);
-	if ( rv != SECSuccess ) {
-	    goto done;
-	}
-
-	/* free the dbkey */
-	sec_destroy_dbkey(dbkey);
-	dbkey = NULL;
-    }
-    
-    
-    /* now traverse the database */
-    ret = keydb_Seq(update, &key, &data, R_FIRST);
-    if ( ret ) {
-	goto done;
-    }
-    
-    do {
-	/* skip version record */
-	if ( data.size > 1 ) {
-	    /* skip salt */
-	    if ( key.size == ( sizeof(SALT_STRING) - 1 ) ) {
-		if ( PORT_Memcmp(key.data, SALT_STRING, key.size) == 0 ) {
-		    continue;
-		}
-	    }
-	    /* skip pw check entry */
-	    if ( key.size == checkKey.size ) {
-		if ( PORT_Memcmp(key.data, checkKey.data, key.size) == 0 ) {
-		    continue;
-		}
-	    }
-
-	    /* keys stored by nickname will have 0 as the last byte of the
-	     * db key.  Other keys must be stored by modulus.  We will not
-	     * update those because they are left over from a keygen that
-	     * never resulted in a cert.
-	     */
-	    if ( ((unsigned char *)key.data)[key.size-1] != 0 ) {
-		continue;
-	    }
-	    
-	    dbkey = decode_dbkey(&data, 2);
-	    if ( dbkey == NULL ) {
-		continue;
-	    }
-
-	    /* This puts the key into the new database with the same
-	     * index (nickname) that it had before.  The second pass
-	     * of the update will have the password.  It will decrypt
-	     * and re-encrypt the entries using a new algorithm.
-	     */
-	    dbkey->nickname = (char *)key.data;
-	    rv = put_dbkey(handle, &key, dbkey, PR_FALSE);
-	    dbkey->nickname = NULL;
-
-	    sec_destroy_dbkey(dbkey);
-	}
-    } while ( keydb_Seq(update, &key, &data, R_NEXT) == 0 );
-
-    dbkey = NULL;
-
-done:
-    /* sync the database */
-    ret = keydb_Sync(handle, 0);
-
-    nsslowkey_CloseKeyDB(update);
-    
-    if ( rc4key ) {
-	SECITEM_FreeItem(rc4key, PR_TRUE);
-    }
-    
-    if ( oldSalt ) {
-	SECITEM_FreeItem(oldSalt, PR_TRUE);
-    }
-    
-    if ( dbkey ) {
-	sec_destroy_dbkey(dbkey);
-    }
-
-    return(SECSuccess);
-}
-
-static SECStatus
-openNewDB(const char *appName, const char *prefix, const char *dbname, 
-	NSSLOWKEYDBHandle *handle, NSSLOWKEYDBNameFunc namecb, void *cbarg)
-{
-    SECStatus rv = SECFailure;
-    int status = RDB_FAIL;
-    char *updname = NULL;
-    DB *updatedb = NULL;
-    PRBool updated = PR_FALSE;
-    int ret;
-
-    if (appName) {
-	handle->db = rdbopen( appName, prefix, "key", NO_CREATE, &status);
-    } else {
-	handle->db = dbopen( dbname, NO_CREATE, 0600, DB_HASH, 0 );
-    }
-    /* if create fails then we lose */
-    if ( handle->db == NULL ) {
-	return (status == RDB_RETRY) ? SECWouldBlock: SECFailure;
-    }
-
-    rv = db_BeginTransaction(handle->db);
-    if (rv != SECSuccess) {
-	db_InitComplete(handle->db);
-	return rv;
-    }
-
-    /* force a transactional read, which will verify that one and only one
-     * process attempts the update. */
-    if (nsslowkey_version(handle) == NSSLOWKEY_DB_FILE_VERSION) {
-	/* someone else has already updated the database for us */
-	db_FinishTransaction(handle->db, PR_FALSE);
-	db_InitComplete(handle->db);
-	return SECSuccess;
-    }
-
-    /*
-     * if we are creating a multiaccess database, see if there is a
-     * local database we can update from.
-     */
-    if (appName) {
-        NSSLOWKEYDBHandle *updateHandle = nsslowkey_NewHandle(updatedb);
-	updatedb = dbopen( dbname, NO_RDONLY, 0600, DB_HASH, 0 );
-	if (!updatedb) {
-	    goto noupdate;
-	}
-
-	/* nsslowkey_version needs a full handle because it calls
-         * the kdb_Get() function, which needs to lock.
-         */
-        updateHandle = nsslowkey_NewHandle(updatedb);
-	if (!updateHandle) {
-	    updatedb->close(updatedb);
-	    goto noupdate;
-	}
-
-	handle->version = nsslowkey_version(updateHandle);
-	if (handle->version != NSSLOWKEY_DB_FILE_VERSION) {
-	    nsslowkey_CloseKeyDB(updateHandle);
-	    goto noupdate;
-	}
-
-	/* copy the new DB from the old one */
-	db_Copy(handle->db, updatedb);
-	nsslowkey_CloseKeyDB(updateHandle);
-	db_FinishTransaction(handle->db,PR_FALSE);
-	db_InitComplete(handle->db);
-	return SECSuccess;
-    }
-noupdate:
-
-    /* update the version number */
-    rv = makeGlobalVersion(handle);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    /*
-     * try to update from v2 db
-     */
-    updname = (*namecb)(cbarg, 2);
-    if ( updname != NULL ) {
-	handle->updatedb = dbopen( updname, NO_RDONLY, 0600, DB_HASH, 0 );
-        PORT_Free( updname );
-
-	if ( handle->updatedb ) {
-	    /*
-	     * Try to update the db using a null password.  If the db
-	     * doesn't have a password, then this will work.  If it does
-	     * have a password, then this will fail and we will do the
-	     * update later
-	     */
-	    rv = nsslowkey_UpdateKeyDBPass1(handle);
-	    if ( rv == SECSuccess ) {
-		updated = PR_TRUE;
-	    }
-	}
-	    
-    }
-
-    /* we are using the old salt if we updated from an old db */
-    if ( ! updated ) {
-	rv = makeGlobalSalt(handle);
-	if ( rv != SECSuccess ) {
-	   goto loser;
-	}
-    }
-	
-    /* sync the database */
-    ret = keydb_Sync(handle, 0);
-    if ( ret ) {
-	rv = SECFailure;
-	goto loser;
-    }
-    rv = SECSuccess;
-
-loser:
-    db_FinishTransaction(handle->db, rv != SECSuccess);
-    db_InitComplete(handle->db);
-    return rv;
-}
-
-
-static DB *
-openOldDB(const char *appName, const char *prefix, const char *dbname, 
-					PRBool openflags) {
-    DB *db = NULL;
-
-    if (appName) {
-	db = rdbopen( appName, prefix, "key", openflags, NULL);
-    } else {
-	db = dbopen( dbname, openflags, 0600, DB_HASH, 0 );
-    }
-
-    return db;
-}
-
-/* check for correct version number */
-static PRBool
-verifyVersion(NSSLOWKEYDBHandle *handle)
-{
-    int version = nsslowkey_version(handle);
-
-    handle->version = version;
-    if (version != NSSLOWKEY_DB_FILE_VERSION ) {
-	if (handle->db) {
-	    keydb_Close(handle);
-	    handle->db = NULL;
-	}
-    }
-    return handle->db != NULL;
-}
-
-static NSSLOWKEYDBHandle *
-nsslowkey_NewHandle(DB *dbHandle)
-{
-    NSSLOWKEYDBHandle *handle;
-    handle = (NSSLOWKEYDBHandle *)PORT_ZAlloc (sizeof(NSSLOWKEYDBHandle));
-    if (handle == NULL) {
-	PORT_SetError (SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    handle->appname = NULL;
-    handle->dbname = NULL;
-    handle->global_salt = NULL;
-    handle->updatedb = NULL;
-    handle->db = dbHandle;
-    handle->ref = 1;
-
-    keydb_InitLocks(handle);
-    return handle;
-}
-
-NSSLOWKEYDBHandle *
-nsslowkey_OpenKeyDB(PRBool readOnly, const char *appName, const char *prefix,
-				NSSLOWKEYDBNameFunc namecb, void *cbarg)
-{
-    NSSLOWKEYDBHandle *handle = NULL;
-    SECStatus rv;
-    int openflags;
-    char *dbname = NULL;
-
-
-    handle = nsslowkey_NewHandle(NULL);
-
-    openflags = readOnly ? NO_RDONLY : NO_RDWR;
-
-
-    dbname = (*namecb)(cbarg, NSSLOWKEY_DB_FILE_VERSION);
-    if ( dbname == NULL ) {
-	goto loser;
-    }
-    handle->appname = appName ? PORT_Strdup(appName) : NULL ;
-    handle->dbname = (appName == NULL) ? PORT_Strdup(dbname) : 
-			(prefix ? PORT_Strdup(prefix) : NULL);
-    handle->readOnly = readOnly;
-
-
-
-    handle->db = openOldDB(appName, prefix, dbname, openflags);
-    if (handle->db) {
-	verifyVersion(handle);
-	if (handle->version == 255) {
-	    goto loser;
-	}
-    }
-
-    /* if first open fails, try to create a new DB */
-    if ( handle->db == NULL ) {
-	if ( readOnly ) {
-	    goto loser;
-	}
-
-	rv = openNewDB(appName, prefix, dbname, handle, namecb, cbarg);
-	/* two processes started to initialize the database at the same time.
-	 * The multiprocess code blocked the second one, then had it retry to
-	 * see if it can just open the database normally */
-	if (rv == SECWouldBlock) {
-	    handle->db = openOldDB(appName,prefix,dbname, openflags);
-	    verifyVersion(handle);
-	    if (handle->db == NULL) {
-		goto loser;
-	    }
-	} else if (rv != SECSuccess) {
-	    goto loser;
-	}
-    }
-
-    handle->global_salt = GetKeyDBGlobalSalt(handle);
-    if ( dbname )
-        PORT_Free( dbname );
-    return handle;
-
-loser:
-
-    if ( dbname )
-        PORT_Free( dbname );
-    PORT_SetError(SEC_ERROR_BAD_DATABASE);
-    nsslowkey_CloseKeyDB(handle);
-    return NULL;
-}
-
-/*
- * Close the database
- */
-void
-nsslowkey_CloseKeyDB(NSSLOWKEYDBHandle *handle)
-{
-    if (handle != NULL) {
-	if (handle->db != NULL) {
-	    keydb_Close(handle);
-	}
-	if (handle->updatedb) {
-	    handle->updatedb->close(handle->updatedb);
-        }
-	if (handle->dbname) PORT_Free(handle->dbname);
-	if (handle->appname) PORT_Free(handle->appname);
-	if (handle->global_salt) {
-	    SECITEM_FreeItem(handle->global_salt,PR_TRUE);
-	}
-	keydb_DestroyLocks(handle);
-	    
-	PORT_Free(handle);
-    }
-}
-
-/* Get the key database version */
-int
-nsslowkey_GetKeyDBVersion(NSSLOWKEYDBHandle *handle)
-{
-    PORT_Assert(handle != NULL);
-
-    return handle->version;
-}
-
-/*
- * Delete a private key that was stored in the database
- */
-SECStatus
-nsslowkey_DeleteKey(NSSLOWKEYDBHandle *handle, SECItem *pubkey)
-{
-    DBT namekey;
-    int ret;
-
-    if (handle == NULL) {
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	return(SECFailure);
-    }
-
-    /* set up db key and data */
-    namekey.data = pubkey->data;
-    namekey.size = pubkey->len;
-
-    /* delete it from the database */
-    ret = keydb_Del(handle, &namekey, 0);
-    if ( ret ) {
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	return(SECFailure);
-    }
-
-    /* sync the database */
-    ret = keydb_Sync(handle, 0);
-    if ( ret ) {
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	return(SECFailure);
-    }
-
-    return(SECSuccess);
-}
-
-/*
- * Store a key in the database, indexed by its public key modulus.(value!)
- */
-SECStatus
-nsslowkey_StoreKeyByPublicKey(NSSLOWKEYDBHandle *handle, 
-			   NSSLOWKEYPrivateKey *privkey,
-			   SECItem *pubKeyData,
-			   char *nickname,
-			   SECItem *arg)
-{
-    return nsslowkey_StoreKeyByPublicKeyAlg(handle, privkey, pubKeyData, 
-	     nickname, arg, nsslowkey_GetDefaultKeyDBAlg(),PR_FALSE);
-}
-
-SECStatus
-nsslowkey_UpdateNickname(NSSLOWKEYDBHandle *handle, 
-			   NSSLOWKEYPrivateKey *privkey,
-			   SECItem *pubKeyData,
-			   char *nickname,
-			   SECItem *arg)
-{
-    return nsslowkey_StoreKeyByPublicKeyAlg(handle, privkey, pubKeyData, 
-	     nickname, arg, nsslowkey_GetDefaultKeyDBAlg(),PR_TRUE);
-}
-
-/* see if the symetric CKA_ID already Exists.
- */
-PRBool
-nsslowkey_KeyForIDExists(NSSLOWKEYDBHandle *handle, SECItem *id)
-{
-    DBT namekey;
-    DBT dummy;
-    int status;
-
-    namekey.data = (char *)id->data;
-    namekey.size = id->len;
-    status = keydb_Get(handle, &namekey, &dummy, 0);
-    if ( status ) {
-	return PR_FALSE;
-    }
-    
-    return PR_TRUE;
-}
-
-/* see if the public key for this cert is in the database filed
- * by modulus
- */
-PRBool
-nsslowkey_KeyForCertExists(NSSLOWKEYDBHandle *handle, NSSLOWCERTCertificate *cert)
-{
-    NSSLOWKEYPublicKey *pubkey = NULL;
-    DBT namekey;
-    DBT dummy;
-    int status;
-    
-    /* get cert's public key */
-    pubkey = nsslowcert_ExtractPublicKey(cert);
-    if ( pubkey == NULL ) {
-	return PR_FALSE;
-    }
-
-    /* TNH - make key from NSSLOWKEYPublicKey */
-    switch (pubkey->keyType) {
-      case NSSLOWKEYRSAKey:
-	namekey.data = pubkey->u.rsa.modulus.data;
-	namekey.size = pubkey->u.rsa.modulus.len;
-	break;
-      case NSSLOWKEYDSAKey:
-	namekey.data = pubkey->u.dsa.publicValue.data;
-	namekey.size = pubkey->u.dsa.publicValue.len;
-	break;
-      case NSSLOWKEYDHKey:
-	namekey.data = pubkey->u.dh.publicValue.data;
-	namekey.size = pubkey->u.dh.publicValue.len;
-	break;
-#ifdef NSS_ENABLE_ECC
-      case NSSLOWKEYECKey:
-	namekey.data = pubkey->u.ec.publicValue.data;
-	namekey.size = pubkey->u.ec.publicValue.len;
-	break;
-#endif /* NSS_ENABLE_ECC */
-      default:
-	/* XXX We don't do Fortezza or DH yet. */
-	return PR_FALSE;
-    }
-
-    if (handle->version != 3) {
-	unsigned char buf[SHA1_LENGTH];
-	SHA1_HashBuf(buf,namekey.data,namekey.size);
-	/* NOTE: don't use pubkey after this! it's now thrashed */
-	PORT_Memcpy(namekey.data,buf,sizeof(buf));
-	namekey.size = sizeof(buf);
-    }
-
-    status = keydb_Get(handle, &namekey, &dummy, 0);
-    /* some databases have the key stored as a signed value */
-    if (status) {
-	unsigned char *buf = (unsigned char *)PORT_Alloc(namekey.size+1);
-	if (buf) {
-	    PORT_Memcpy(&buf[1], namekey.data, namekey.size);
-	    buf[0] = 0;
-	    namekey.data = buf;
-	    namekey.size ++;
-    	    status = keydb_Get(handle, &namekey, &dummy, 0);
-	    PORT_Free(buf);
-	}
-    }
-    nsslowkey_DestroyPublicKey(pubkey);
-    if ( status ) {
-	return PR_FALSE;
-    }
-    
-    return PR_TRUE;
-}
-
-/*
- * check to see if the user has a password
- */
-SECStatus
-nsslowkey_HasKeyDBPassword(NSSLOWKEYDBHandle *handle)
-{
-    DBT checkkey, checkdata;
-    int ret;
-
-    if (handle == NULL) {
-	return(SECFailure);
-    }
-
-    checkkey.data = KEYDB_PW_CHECK_STRING;
-    checkkey.size = KEYDB_PW_CHECK_LEN;
-    
-    ret = keydb_Get(handle, &checkkey, &checkdata, 0 );
-    if ( ret ) {
-	/* see if this was an updated DB first */
-	checkkey.data = KEYDB_FAKE_PW_CHECK_STRING;
-	checkkey.size = KEYDB_FAKE_PW_CHECK_LEN;
-	ret = keydb_Get(handle, &checkkey, &checkdata, 0 );
-    	if ( ret ) {
-	    return(SECFailure);
-	}
-    }
-
-    return(SECSuccess);
-}
-
-/*
- * Set up the password checker in the key database.
- * This is done by encrypting a known plaintext with the user's key.
- */
-SECStatus
-nsslowkey_SetKeyDBPassword(NSSLOWKEYDBHandle *handle, SECItem *pwitem)
-{
-    return nsslowkey_SetKeyDBPasswordAlg(handle, pwitem,
-				      nsslowkey_GetDefaultKeyDBAlg());
-}
-
-static SECStatus
-HashPassword(unsigned char *hashresult, char *pw, SECItem *salt)
-{
-    SHA1Context *cx;
-    unsigned int outlen;
-    cx = SHA1_NewContext();
-    if ( cx == NULL ) {
-	return(SECFailure);
-    }
-    
-    SHA1_Begin(cx);
-    if ( ( salt != NULL ) && ( salt->data != NULL ) ) {
-	SHA1_Update(cx, salt->data, salt->len);
-    }
-    
-    SHA1_Update(cx, (unsigned char *)pw, PORT_Strlen(pw));
-    SHA1_End(cx, hashresult, &outlen, SHA1_LENGTH);
-    
-    SHA1_DestroyContext(cx, PR_TRUE);
-    
-    return(SECSuccess);
-}
-
-SECItem *
-nsslowkey_HashPassword(char *pw, SECItem *salt)
-{
-    SECItem *pwitem;
-    SECStatus rv;
-    
-    pwitem = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
-    if ( pwitem == NULL ) {
-	return(NULL);
-    }
-    pwitem->len = SHA1_LENGTH;
-    pwitem->data = (unsigned char *)PORT_ZAlloc(SHA1_LENGTH);
-    if ( pwitem->data == NULL ) {
-	PORT_Free(pwitem);
-	return(NULL);
-    }
-    if ( pw ) {
-	rv = HashPassword(pwitem->data, pw, salt);
-	if ( rv != SECSuccess ) {
-	    SECITEM_ZfreeItem(pwitem, PR_TRUE);
-	    return(NULL);
-	}
-    }
-    
-    return(pwitem);
-}
-
-/* Derive the actual password value for the database from a pw string */
-SECItem *
-nsslowkey_DeriveKeyDBPassword(NSSLOWKEYDBHandle *keydb, char *pw)
-{
-    PORT_Assert(keydb != NULL);
-    PORT_Assert(pw != NULL);
-    if (keydb == NULL || pw == NULL) return(NULL);
-
-    return nsslowkey_HashPassword(pw, keydb->global_salt);
-}
-
-#if 0
-/* Appears obsolete - TNH */
-/* get the algorithm with which a private key
- * is encrypted.
- */
-SECOidTag 
-seckey_get_private_key_algorithm(NSSLOWKEYDBHandle *keydb, DBT *index)   
-{
-    NSSLOWKEYDBKey *dbkey = NULL;
-    SECOidTag algorithm = SEC_OID_UNKNOWN;
-    NSSLOWKEYEncryptedPrivateKeyInfo *epki = NULL;
-    PLArenaPool *poolp = NULL;
-    SECStatus rv;
-
-    poolp = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if(poolp == NULL)
-	return (SECOidTag)SECFailure;  /* TNH - this is bad */
-
-    dbkey = get_dbkey(keydb, index);
-    if(dbkey == NULL)
-	return (SECOidTag)SECFailure;
-
-    epki = (NSSLOWKEYEncryptedPrivateKeyInfo *)PORT_ArenaZAlloc(poolp, 
-	sizeof(NSSLOWKEYEncryptedPrivateKeyInfo));
-    if(epki == NULL)
-	goto loser;
-    rv = SEC_ASN1DecodeItem(poolp, epki, 
-	nsslowkey_EncryptedPrivateKeyInfoTemplate, &dbkey->derPK);
-    if(rv == SECFailure)
-	goto loser;
-
-    algorithm = SECOID_GetAlgorithmTag(&epki->algorithm);
-
-    /* let success fall through */
-loser:
-    if(poolp != NULL)
-	PORT_FreeArena(poolp, PR_TRUE);\
-    if(dbkey != NULL)
-	sec_destroy_dbkey(dbkey);
-
-    return algorithm;
-}
-#endif
-	
-/*
- * Derive an RC4 key from a password key and a salt.  This
- * was the method to used to encrypt keys in the version 2?
- * database
- */
-SECItem *
-seckey_create_rc4_key(SECItem *pwitem, SECItem *salt)
-{
-    MD5Context *md5 = NULL;
-    unsigned int part;
-    SECStatus rv = SECFailure;
-    SECItem *key = NULL;
-
-    key = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
-    if(key != NULL)
-    {
-	key->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char) *
-		MD5_LENGTH);
-	key->len = MD5_LENGTH;
-	if(key->data != NULL)
-	{
-	    md5 = MD5_NewContext();
-	    if ( md5 != NULL ) 
-	    {
-		MD5_Begin(md5);
-		MD5_Update(md5, salt->data, salt->len);
-		MD5_Update(md5, pwitem->data, pwitem->len);
-		MD5_End(md5, key->data, &part, MD5_LENGTH);
-		MD5_DestroyContext(md5, PR_TRUE);
-		rv = SECSuccess;
-	    }
-	}
-	
-	if(rv != SECSuccess)
-	{
-	    SECITEM_FreeItem(key, PR_TRUE);
-	    key = NULL;
-	}
-    }
-
-    return key;
-}
-
-SECItem *
-seckey_create_rc4_salt(void)
-{
-    SECItem *salt = NULL;
-    SECStatus rv = SECFailure;
-
-    salt = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
-    if(salt == NULL)
-	return NULL;
-
-    salt->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char) *
-	SALT_LENGTH);
-    if(salt->data != NULL)
-    {
-	salt->len = SALT_LENGTH;
-	RNG_GenerateGlobalRandomBytes(salt->data, salt->len);
-	rv = SECSuccess;
-    }
-	
-    if(rv == SECFailure)
-    {
-	SECITEM_FreeItem(salt, PR_TRUE);
-	salt = NULL;
-    }
-
-    return salt;
-}
-
-SECItem *
-seckey_rc4_decode(SECItem *key, SECItem *src)
-{
-    SECItem *dest = NULL;
-    RC4Context *ctxt = NULL;
-    SECStatus rv = SECFailure;
-
-    if((key == NULL) || (src == NULL))
-	return NULL;
-
-    dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
-    if(dest == NULL)
-	return NULL;
-
-    dest->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char) *
-	(src->len + 64));  /* TNH - padding? */
-    if(dest->data != NULL)
-    {
-	ctxt = RC4_CreateContext(key->data, key->len);
-	if(ctxt != NULL)
-	{
-	    rv = RC4_Decrypt(ctxt, dest->data, &dest->len,
-		    src->len + 64, src->data, src->len);
-	    RC4_DestroyContext(ctxt, PR_TRUE);
-	}
-    }
-
-    if(rv == SECFailure)
-	if(dest != NULL)
-	{
-	    SECITEM_FreeItem(dest, PR_TRUE);
-	    dest = NULL;
-	}
-
-    return dest;
-}
-
-
-#ifdef EC_DEBUG
-#define SEC_PRINT(str1, str2, num, sitem) \
-    printf("pkcs11c.c:%s:%s (keytype=%d) [len=%d]\n", \
-            str1, str2, num, sitem->len); \
-    for (i = 0; i < sitem->len; i++) { \
-	    printf("%02x:", sitem->data[i]); \
-    } \
-    printf("\n") 
-#else
-#define SEC_PRINT(a, b, c, d) 
-#endif /* EC_DEBUG */
-
-/* TNH - keydb is unused */
-/* TNH - the pwitem should be the derived key for RC4 */
-NSSLOWKEYEncryptedPrivateKeyInfo *
-seckey_encrypt_private_key(
-        NSSLOWKEYPrivateKey *pk, SECItem *pwitem, NSSLOWKEYDBHandle *keydb,
-	SECOidTag algorithm, SECItem **salt)
-{
-    NSSLOWKEYEncryptedPrivateKeyInfo *epki = NULL;
-    NSSLOWKEYPrivateKeyInfo *pki = NULL;
-    SECStatus rv = SECFailure;
-    PLArenaPool *temparena = NULL, *permarena = NULL;
-    SECItem *der_item = NULL;
-    NSSPKCS5PBEParameter *param = NULL;
-    SECItem *dummy = NULL, *dest = NULL;
-    SECAlgorithmID *algid;
-#ifdef NSS_ENABLE_ECC
-    SECItem *fordebug = NULL;
-    int savelen;
-    int i;
-#endif
-
-    *salt = NULL;
-    permarena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
-    if(permarena == NULL)
-	return NULL;
-
-    temparena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
-    if(temparena == NULL)
-	goto loser;
-
-    /* allocate structures */
-    epki = (NSSLOWKEYEncryptedPrivateKeyInfo *)PORT_ArenaZAlloc(permarena,
-	sizeof(NSSLOWKEYEncryptedPrivateKeyInfo));
-    pki = (NSSLOWKEYPrivateKeyInfo *)PORT_ArenaZAlloc(temparena, 
-	sizeof(NSSLOWKEYPrivateKeyInfo));
-    der_item = (SECItem *)PORT_ArenaZAlloc(temparena, sizeof(SECItem));
-    if((epki == NULL) || (pki == NULL) || (der_item == NULL))
-	goto loser;
-
-    epki->arena = permarena;
-
-    /* setup private key info */
-    dummy = SEC_ASN1EncodeInteger(temparena, &(pki->version), 
-	NSSLOWKEY_PRIVATE_KEY_INFO_VERSION);
-    if(dummy == NULL)
-	goto loser;
-
-    /* Encode the key, and set the algorithm (with params) */
-    switch (pk->keyType) {
-      case NSSLOWKEYRSAKey:
-        prepare_low_rsa_priv_key_for_asn1(pk);
-	dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk, 
-				   nsslowkey_RSAPrivateKeyTemplate);
-	if (dummy == NULL) {
-	    rv = SECFailure;
-	    goto loser;
-	}
-	
-	rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm), 
-				   SEC_OID_PKCS1_RSA_ENCRYPTION, 0);
-	if (rv == SECFailure) {
-	    goto loser;
-	}
-	
-	break;
-      case NSSLOWKEYDSAKey:
-        prepare_low_dsa_priv_key_for_asn1(pk);
-	dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk,
-				   nsslowkey_DSAPrivateKeyTemplate);
-	if (dummy == NULL) {
-	    rv = SECFailure;
-	    goto loser;
-	}
-	
-        prepare_low_pqg_params_for_asn1(&pk->u.dsa.params);
-	dummy = SEC_ASN1EncodeItem(temparena, NULL, &pk->u.dsa.params,
-				   nsslowkey_PQGParamsTemplate);
-	if (dummy == NULL) {
-	    rv = SECFailure;
-	    goto loser;
-	}
-	
-	rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm),
-				   SEC_OID_ANSIX9_DSA_SIGNATURE, dummy);
-	if (rv == SECFailure) {
-	    goto loser;
-	}
-	
-	break;
-      case NSSLOWKEYDHKey:
-        prepare_low_dh_priv_key_for_asn1(pk);
-	dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk,
-				   nsslowkey_DHPrivateKeyTemplate);
-	if (dummy == NULL) {
-	    rv = SECFailure;
-	    goto loser;
-	}
-
-	rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm),
-				   SEC_OID_X942_DIFFIE_HELMAN_KEY, dummy);
-	if (rv == SECFailure) {
-	    goto loser;
-	}
-	break;
-#ifdef NSS_ENABLE_ECC
-      case NSSLOWKEYECKey:
-	prepare_low_ec_priv_key_for_asn1(pk);
-	/* Public value is encoded as a bit string so adjust length
-	 * to be in bits before ASN encoding and readjust 
-	 * immediately after.
-	 *
-	 * Since the SECG specification recommends not including the
-	 * parameters as part of ECPrivateKey, we zero out the curveOID
-	 * length before encoding and restore it later.
-	 */
-	pk->u.ec.publicValue.len <<= 3;
-	savelen = pk->u.ec.ecParams.curveOID.len;
-	pk->u.ec.ecParams.curveOID.len = 0;
-	dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk,
-				   nsslowkey_ECPrivateKeyTemplate);
-	pk->u.ec.ecParams.curveOID.len = savelen;
-	pk->u.ec.publicValue.len >>= 3;
-
-	if (dummy == NULL) {
-	    rv = SECFailure;
-	    goto loser;
-	}
-
-	dummy = &pk->u.ec.ecParams.DEREncoding;
-
-	/* At this point dummy should contain the encoded params */
-	rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm),
-				   SEC_OID_ANSIX962_EC_PUBLIC_KEY, dummy);
-
-	if (rv == SECFailure) {
-	    goto loser;
-	}
-	
-	fordebug = &(pki->privateKey);
-	SEC_PRINT("seckey_encrypt_private_key()", "PrivateKey", 
-		  pk->keyType, fordebug);
-
-	break;
-#endif /* NSS_ENABLE_ECC */
-      default:
-	/* We don't support DH or Fortezza private keys yet */
-	PORT_Assert(PR_FALSE);
-	break;
-    }
-
-    /* setup encrypted private key info */
-    dummy = SEC_ASN1EncodeItem(temparena, der_item, pki, 
-	nsslowkey_PrivateKeyInfoTemplate);
-
-    SEC_PRINT("seckey_encrypt_private_key()", "PrivateKeyInfo", 
-	      pk->keyType, der_item);
-
-    if(dummy == NULL) {
-	rv = SECFailure;
-	goto loser;
-    }
-
-    rv = SECFailure; /* assume failure */
-    *salt = seckey_create_rc4_salt();
-    if (*salt == NULL) {
-	goto loser;
-    }
-
-    param = nsspkcs5_NewParam(algorithm,*salt,1);
-    if (param == NULL) {
-	goto loser;
-    }
-
-    dest = nsspkcs5_CipherData(param, pwitem, der_item, PR_TRUE, NULL);
-    if (dest == NULL) {
-	goto loser;
-    }
-
-    rv = SECITEM_CopyItem(permarena, &epki->encryptedData, dest);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-
-    algid = nsspkcs5_CreateAlgorithmID(permarena, algorithm, param);
-    if (algid == NULL) {
-	rv = SECFailure;
-	goto loser;
-    }
-
-    rv = SECOID_CopyAlgorithmID(permarena, &epki->algorithm, algid);
-    SECOID_DestroyAlgorithmID(algid, PR_TRUE);
-
-loser:
-    if(dest != NULL)
-	SECITEM_FreeItem(dest, PR_TRUE);
-
-    if(param != NULL)
-       nsspkcs5_DestroyPBEParameter(param);
-
-    /* let success fall through */
-
-    if(rv == SECFailure)
-    {
-	PORT_FreeArena(permarena, PR_TRUE);
-	epki = NULL;
-	if(*salt != NULL)
-	    SECITEM_FreeItem(*salt, PR_TRUE);
-    }
-
-    if(temparena != NULL)
-	PORT_FreeArena(temparena, PR_TRUE);
-
-    return epki;
-}
-
-static SECStatus 
-seckey_put_private_key(NSSLOWKEYDBHandle *keydb, DBT *index, SECItem *pwitem,
-		       NSSLOWKEYPrivateKey *pk, char *nickname, PRBool update,
-		       SECOidTag algorithm)
-{
-    NSSLOWKEYDBKey *dbkey = NULL;
-    NSSLOWKEYEncryptedPrivateKeyInfo *epki = NULL;
-    PLArenaPool *temparena = NULL, *permarena = NULL;
-    SECItem *dummy = NULL;
-    SECItem *salt = NULL;
-    SECStatus rv = SECFailure;
-
-    if((keydb == NULL) || (index == NULL) || (pwitem == NULL) ||
-	(pk == NULL))
-	return SECFailure;
-	
-    permarena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
-    if(permarena == NULL)
-	return SECFailure;
-
-    dbkey = (NSSLOWKEYDBKey *)PORT_ArenaZAlloc(permarena, sizeof(NSSLOWKEYDBKey));
-    if(dbkey == NULL)
-	goto loser;
-    dbkey->arena = permarena;
-    dbkey->nickname = nickname;
-
-    /* TNH - for RC4, the salt should be created here */
-	
-    epki = seckey_encrypt_private_key(pk, pwitem, keydb, algorithm, &salt);
-    if(epki == NULL)
-	goto loser;
-    temparena = epki->arena;
-
-    if(salt != NULL)
-    {
-	rv = SECITEM_CopyItem(permarena, &(dbkey->salt), salt);
-	SECITEM_ZfreeItem(salt, PR_TRUE);
-    }
-
-    dummy = SEC_ASN1EncodeItem(permarena, &(dbkey->derPK), epki, 
-	nsslowkey_EncryptedPrivateKeyInfoTemplate);
-    if(dummy == NULL)
-	rv = SECFailure;
-    else
-	rv = put_dbkey(keydb, index, dbkey, update);
-
-    /* let success fall through */
-loser:
-    if(rv != SECSuccess)
-	if(permarena != NULL)
-	    PORT_FreeArena(permarena, PR_TRUE);
-    if(temparena != NULL)
-	PORT_FreeArena(temparena, PR_TRUE);
-
-    return rv;
-}
-
-/*
- * Store a key in the database, indexed by its public key modulus.
- * Note that the nickname is optional.  It was only used by keyutil.
- */
-SECStatus
-nsslowkey_StoreKeyByPublicKeyAlg(NSSLOWKEYDBHandle *handle, 
-			      NSSLOWKEYPrivateKey *privkey,
-			      SECItem *pubKeyData,
-			      char *nickname,
-			      SECItem *pwitem,
-			      SECOidTag algorithm,
-                              PRBool update)
-{
-    DBT namekey;
-    SECStatus rv;
-
-    if (handle == NULL) {
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	return(SECFailure);
-    }
-
-    /* set up db key and data */
-    namekey.data = pubKeyData->data;
-    namekey.size = pubKeyData->len;
-
-    /* encrypt the private key */
-    rv = seckey_put_private_key(handle, &namekey, pwitem, privkey, nickname,
-				update, algorithm);
-    
-    return(rv);
-}
-
-NSSLOWKEYPrivateKey *
-seckey_decrypt_private_key(NSSLOWKEYEncryptedPrivateKeyInfo *epki,
-			   SECItem *pwitem)
-{
-    NSSLOWKEYPrivateKey *pk = NULL;
-    NSSLOWKEYPrivateKeyInfo *pki = NULL;
-    SECStatus rv = SECFailure;
-    SECOidTag algorithm;
-    PLArenaPool *temparena = NULL, *permarena = NULL;
-    SECItem *salt = NULL, *dest = NULL, *key = NULL;
-    NSSPKCS5PBEParameter *param;
-#ifdef NSS_ENABLE_ECC
-    ECPrivateKey *ecpriv;
-    SECItem *fordebug = NULL;
-    int i;
-#endif
-
-    if((epki == NULL) || (pwitem == NULL))
-	goto loser;
-
-    temparena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
-    permarena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
-    if((temparena == NULL) || (permarena == NULL))
-	goto loser;
-
-    /* allocate temporary items */
-    pki = (NSSLOWKEYPrivateKeyInfo *)PORT_ArenaZAlloc(temparena, 
-	sizeof(NSSLOWKEYPrivateKeyInfo));
-
-    /* allocate permanent arena items */
-    pk = (NSSLOWKEYPrivateKey *)PORT_ArenaZAlloc(permarena,
-	sizeof(NSSLOWKEYPrivateKey));
-
-    if((pk == NULL) || (pki == NULL))
-	goto loser;
-
-    pk->arena = permarena;
-	
-    algorithm = SECOID_GetAlgorithmTag(&(epki->algorithm));
-    switch(algorithm)
-    {
-	case SEC_OID_RC4:
-	    salt = SECITEM_DupItem(&epki->algorithm.parameters);
-	    if(salt != NULL)
-	    {
-		key = seckey_create_rc4_key(pwitem, salt);
-		if(key != NULL)
-		{
-		    dest = seckey_rc4_decode(key, &epki->encryptedData);
-		}
-	    }	
-	    if(salt != NULL)
-		SECITEM_ZfreeItem(salt, PR_TRUE);
-	    if(key != NULL)
-		SECITEM_ZfreeItem(key, PR_TRUE);
-	    break;
-	default:
-	    /* we depend on the fact that if this key was encoded with
-	     * DES, that the pw was also encoded with DES, so we don't have
-	     * to do the update here, the password code will handle it. */
-	    param = nsspkcs5_AlgidToParam(&epki->algorithm);
-	    if (param == NULL) {
-		break;
-	    }
-	    dest = nsspkcs5_CipherData(param, pwitem, &epki->encryptedData, 
-							PR_FALSE, NULL);
-	    nsspkcs5_DestroyPBEParameter(param);
-	    break;
-    }
-
-    if(dest != NULL)
-    {
-        SECItem newPrivateKey;
-        SECItem newAlgParms;
-
-        SEC_PRINT("seckey_decrypt_private_key()", "PrivateKeyInfo", -1,
-		  dest);
-
-	rv = SEC_QuickDERDecodeItem(temparena, pki, 
-	    nsslowkey_PrivateKeyInfoTemplate, dest);
-	if(rv == SECSuccess)
-	{
-	    switch(SECOID_GetAlgorithmTag(&pki->algorithm)) {
-	      case SEC_OID_X500_RSA_ENCRYPTION:
-	      case SEC_OID_PKCS1_RSA_ENCRYPTION:
-		pk->keyType = NSSLOWKEYRSAKey;
-		prepare_low_rsa_priv_key_for_asn1(pk);
-                if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey,
-                    &pki->privateKey) ) break;
-		rv = SEC_QuickDERDecodeItem(permarena, pk,
-					nsslowkey_RSAPrivateKeyTemplate,
-					&newPrivateKey);
-		break;
-	      case SEC_OID_ANSIX9_DSA_SIGNATURE:
-		pk->keyType = NSSLOWKEYDSAKey;
-		prepare_low_dsa_priv_key_for_asn1(pk);
-                if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey,
-                    &pki->privateKey) ) break;
-		rv = SEC_QuickDERDecodeItem(permarena, pk,
-					nsslowkey_DSAPrivateKeyTemplate,
-					&newPrivateKey);
-		if (rv != SECSuccess)
-		    goto loser;
-		prepare_low_pqg_params_for_asn1(&pk->u.dsa.params);
-                if (SECSuccess != SECITEM_CopyItem(permarena, &newAlgParms,
-                    &pki->algorithm.parameters) ) break;
-		rv = SEC_QuickDERDecodeItem(permarena, &pk->u.dsa.params,
-					nsslowkey_PQGParamsTemplate,
-					&newAlgParms);
-		break;
-	      case SEC_OID_X942_DIFFIE_HELMAN_KEY:
-		pk->keyType = NSSLOWKEYDHKey;
-		prepare_low_dh_priv_key_for_asn1(pk);
-                if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey,
-                    &pki->privateKey) ) break;
-		rv = SEC_QuickDERDecodeItem(permarena, pk,
-					nsslowkey_DHPrivateKeyTemplate,
-					&newPrivateKey);
-		break;
-#ifdef NSS_ENABLE_ECC
-	      case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
-		pk->keyType = NSSLOWKEYECKey;
-		prepare_low_ec_priv_key_for_asn1(pk);
-
-		fordebug = &pki->privateKey;
-		SEC_PRINT("seckey_decrypt_private_key()", "PrivateKey", 
-			  pk->keyType, fordebug);
-                if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey,
-                    &pki->privateKey) ) break;
-		rv = SEC_QuickDERDecodeItem(permarena, pk,
-					nsslowkey_ECPrivateKeyTemplate,
-					&newPrivateKey);
-		if (rv != SECSuccess)
-		    goto loser;
-
-		prepare_low_ecparams_for_asn1(&pk->u.ec.ecParams);
-
-		rv = SECITEM_CopyItem(permarena, 
-		    &pk->u.ec.ecParams.DEREncoding, 
-		    &pki->algorithm.parameters);
-
-		if (rv != SECSuccess)
-		    goto loser;
-
-		/* Fill out the rest of EC params */
-		rv = EC_FillParams(permarena, &pk->u.ec.ecParams.DEREncoding,
-				   &pk->u.ec.ecParams);
-
-		/* 
-		 * NOTE: Encoding of the publicValue is optional
-		 * so we need to be able to regenerate the publicValue
-		 * from the base point and the private key.
-		 *
-		 * XXX This part of the code needs more testing.
-		 */
-		if (pk->u.ec.publicValue.len == 0) {
-		    rv = EC_NewKeyFromSeed(&pk->u.ec.ecParams, 
-				      &ecpriv, pk->u.ec.privateValue.data,
-				      pk->u.ec.privateValue.len);
-		    if (rv == SECSuccess) {
-			SECITEM_CopyItem(permarena, &pk->u.ec.publicValue,
-					 &(ecpriv->publicValue));
-			PORT_FreeArena(ecpriv->ecParams.arena, PR_TRUE);
-		    }
-		} else {
-		    /* If publicValue was filled as part of DER decoding,
-		     * change length in bits to length in bytes.
-		     */
-		    pk->u.ec.publicValue.len >>= 3;
-		}
-
-		break;
-#endif /* NSS_ENABLE_ECC */
-	      default:
-		rv = SECFailure;
-		break;
-	    }
-	}
-	else if(PORT_GetError() == SEC_ERROR_BAD_DER)
-	{
-	    PORT_SetError(SEC_ERROR_BAD_PASSWORD);
-	    goto loser;
-	}
-    }
-
-    /* let success fall through */
-loser:
-    if(temparena != NULL)
-	PORT_FreeArena(temparena, PR_TRUE);
-    if(dest != NULL)
-	SECITEM_ZfreeItem(dest, PR_TRUE);
-
-    if(rv != SECSuccess)
-    {
-	if(permarena != NULL)
-	    PORT_FreeArena(permarena, PR_TRUE);
-	pk = NULL;
-    }
-
-    return pk;
-}
-
-static NSSLOWKEYPrivateKey *
-seckey_decode_encrypted_private_key(NSSLOWKEYDBKey *dbkey, SECItem *pwitem)
-{
-    NSSLOWKEYPrivateKey *pk = NULL;
-    NSSLOWKEYEncryptedPrivateKeyInfo *epki;
-    PLArenaPool *temparena = NULL;
-    SECStatus rv;
-    SECOidTag algorithm;
-
-    if( ( dbkey == NULL ) || ( pwitem == NULL ) ) {
-	return NULL;
-    }
-
-    temparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if(temparena == NULL) {
-	return NULL;
-    }
-
-    epki = (NSSLOWKEYEncryptedPrivateKeyInfo *)
-	PORT_ArenaZAlloc(temparena, sizeof(NSSLOWKEYEncryptedPrivateKeyInfo));
-
-    if(epki == NULL) {
-	goto loser;
-    }
-
-    rv = SEC_QuickDERDecodeItem(temparena, epki,
-			    nsslowkey_EncryptedPrivateKeyInfoTemplate,
-			    &(dbkey->derPK)); 
-    if(rv != SECSuccess) {
-	goto loser;
-    }
-
-    algorithm = SECOID_GetAlgorithmTag(&(epki->algorithm));
-    switch(algorithm)
-    {
-      case SEC_OID_RC4:
-	/* TNH - this code should derive the actual RC4 key from salt and
-           pwitem */
-	rv = SECITEM_CopyItem(temparena, &(epki->algorithm.parameters),
-			      &(dbkey->salt));
-	break;
-      default:
-	break;
-    }
-
-    pk = seckey_decrypt_private_key(epki, pwitem);
-
-    /* let success fall through */
-loser:
-
-    PORT_FreeArena(temparena, PR_TRUE);
-    return pk;
-}
-
-NSSLOWKEYPrivateKey *
-seckey_get_private_key(NSSLOWKEYDBHandle *keydb, DBT *index, char **nickname,
-		       SECItem *pwitem)
-{
-    NSSLOWKEYDBKey *dbkey = NULL;
-    NSSLOWKEYPrivateKey *pk = NULL;
-
-    if( ( keydb == NULL ) || ( index == NULL ) || ( pwitem == NULL ) ) {
-	return NULL;
-    }
-
-    dbkey = get_dbkey(keydb, index);
-    if(dbkey == NULL) {
-	goto loser;
-    }
-    
-    if ( nickname ) {
-	if ( dbkey->nickname && ( dbkey->nickname[0] != 0 ) ) {
-	    *nickname = PORT_Strdup(dbkey->nickname);
-	} else {
-	    *nickname = NULL;
-	}
-    }
-    
-    pk = seckey_decode_encrypted_private_key(dbkey, pwitem);
-    
-    /* let success fall through */
-loser:
-
-    if ( dbkey != NULL ) {
-	sec_destroy_dbkey(dbkey);
-    }
-
-    return pk;
-}
-
-/*
- * used by pkcs11 to import keys into it's object format... In the future
- * we really need a better way to tie in...
- */
-NSSLOWKEYPrivateKey *
-nsslowkey_DecryptKey(DBT *key, SECItem *pwitem,
-					 NSSLOWKEYDBHandle *handle) {
-    return seckey_get_private_key(handle,key,NULL,pwitem);
-}
-
-/*
- * Find a key in the database, indexed by its public key modulus
- * This is used to find keys that have been stored before their
- * certificate arrives.  Once the certificate arrives the key
- * is looked up by the public modulus in the certificate, and the
- * re-stored by its nickname.
- */
-NSSLOWKEYPrivateKey *
-nsslowkey_FindKeyByPublicKey(NSSLOWKEYDBHandle *handle, SECItem *modulus,
-			  				 SECItem *pwitem)
-{
-    DBT namekey;
-    NSSLOWKEYPrivateKey *pk = NULL;
-
-    if (handle == NULL) {
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	return NULL;
-    }
-
-    /* set up db key */
-    namekey.data = modulus->data;
-    namekey.size = modulus->len;
-
-    pk = seckey_get_private_key(handle, &namekey, NULL, pwitem);
-    
-    /* no need to free dbkey, since its on the stack, and the data it
-     * points to is owned by the database
-     */
-    return(pk);
-}
-
-char *
-nsslowkey_FindKeyNicknameByPublicKey(NSSLOWKEYDBHandle *handle, 
-					SECItem *modulus, SECItem *pwitem)
-{
-    DBT namekey;
-    NSSLOWKEYPrivateKey *pk = NULL;
-    char *nickname = NULL;
-
-    if (handle == NULL) {
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	return NULL;
-    }
-
-    /* set up db key */
-    namekey.data = modulus->data;
-    namekey.size = modulus->len;
-
-    pk = seckey_get_private_key(handle, &namekey, &nickname, pwitem);
-    if (pk) {
-	nsslowkey_DestroyPrivateKey(pk);
-    }
-    
-    /* no need to free dbkey, since its on the stack, and the data it
-     * points to is owned by the database
-     */
-    return(nickname);
-}
-/* ===== ENCODING ROUTINES ===== */
-
-static SECStatus
-encodePWCheckEntry(PLArenaPool *arena, SECItem *entry, SECOidTag alg,
-		   SECItem *encCheck)
-{
-    SECOidData *oidData;
-    SECStatus rv;
-    
-    oidData = SECOID_FindOIDByTag(alg);
-    if ( oidData == NULL ) {
-	rv = SECFailure;
-	goto loser;
-    }
-
-    entry->len = 1 + oidData->oid.len + encCheck->len;
-    if ( arena ) {
-	entry->data = (unsigned char *)PORT_ArenaAlloc(arena, entry->len);
-    } else {
-	entry->data = (unsigned char *)PORT_Alloc(entry->len);
-    }
-    
-    if ( entry->data == NULL ) {
-	goto loser;
-    }
-	
-    /* first length of oid */
-    entry->data[0] = (unsigned char)oidData->oid.len;
-    /* next oid itself */
-    PORT_Memcpy(&entry->data[1], oidData->oid.data, oidData->oid.len);
-    /* finally the encrypted check string */
-    PORT_Memcpy(&entry->data[1+oidData->oid.len], encCheck->data,
-		encCheck->len);
-
-    return(SECSuccess);
-
-loser:
-    return(SECFailure);
-}
-
-/*
- * Set up the password checker in the key database.
- * This is done by encrypting a known plaintext with the user's key.
- */
-SECStatus
-nsslowkey_SetKeyDBPasswordAlg(NSSLOWKEYDBHandle *handle, 
-			   SECItem *pwitem, SECOidTag algorithm)
-{
-    DBT checkkey;
-    NSSPKCS5PBEParameter *param = NULL;
-    SECStatus rv = SECFailure;
-    NSSLOWKEYDBKey *dbkey = NULL;
-    PLArenaPool *arena;
-    SECItem *salt = NULL;
-    SECItem *dest = NULL, test_key;
-    
-    if (handle == NULL) {
-	return(SECFailure);
-    }
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( arena == NULL ) {
-	rv = SECFailure;
-	goto loser;
-    }
-    
-    dbkey = (NSSLOWKEYDBKey *)PORT_ArenaZAlloc(arena, sizeof(NSSLOWKEYDBKey));
-    if ( dbkey == NULL ) {
-	rv = SECFailure;
-	goto loser;
-    }
-    
-    dbkey->arena = arena;
-
-    /* encrypt key */
-    checkkey.data = test_key.data = (unsigned char *)KEYDB_PW_CHECK_STRING;
-    checkkey.size = test_key.len = KEYDB_PW_CHECK_LEN;
-
-    salt = seckey_create_rc4_salt();
-    if(salt == NULL) {
-	rv = SECFailure;
-	goto loser;
-    }
-
-    param = nsspkcs5_NewParam(algorithm, salt, 1);
-    if (param == NULL) {
-	rv = SECFailure;
-	goto loser;
-    }
-
-    dest = nsspkcs5_CipherData(param, pwitem, &test_key, PR_TRUE, NULL);
-    if (dest == NULL)
-    {
-	rv = SECFailure;
-	goto loser;
-    }
-
-    rv = SECITEM_CopyItem(arena, &dbkey->salt, salt);
-    if (rv == SECFailure) {
-	goto loser;
-    }
-   
-    rv = encodePWCheckEntry(arena, &dbkey->derPK, algorithm, dest);
-	
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-	
-    rv = put_dbkey(handle, &checkkey, dbkey, PR_TRUE);
-    
-    /* let success fall through */
-loser: 
-    if ( arena != NULL ) {
-	PORT_FreeArena(arena, PR_TRUE);
-    }
-    
-    if ( dest != NULL ) {
-	SECITEM_ZfreeItem(dest, PR_TRUE);
-    }
-    
-    if ( salt != NULL ) {
-	SECITEM_ZfreeItem(salt, PR_TRUE);
-    }
-
-    if (param != NULL) {
-	nsspkcs5_DestroyPBEParameter(param);
-    }
-	
-    return(rv);
-}
-
-static SECStatus
-seckey_CheckKeyDB1Password(NSSLOWKEYDBHandle *handle, SECItem *pwitem)
-{
-    SECStatus rv = SECFailure;
-    keyList keylist;
-    keyNode *node = NULL;
-    NSSLOWKEYPrivateKey *privkey = NULL;
-
-
-    /*
-     * first find a key
-     */
-
-    /* traverse the database, collecting the keys of all records */
-    keylist.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( keylist.arena == NULL ) 
-    {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return(SECFailure);
-    }
-    keylist.head = NULL;
-    
-    /* TNH - TraverseKeys should not be public, since it exposes
-       the underlying DBT data type. */
-    rv = nsslowkey_TraverseKeys(handle, sec_add_key_to_list, (void *)&keylist);
-    if ( rv != SECSuccess ) 
-	goto done;
-
-    /* just get the first key from the list */
-    node = keylist.head;
-
-    /* no private keys, accept any password */
-    if (node == NULL) {
-	rv = SECSuccess;
-	goto done;
-    }
-    privkey = seckey_get_private_key(handle, &node->key, NULL, pwitem);
-    if (privkey == NULL) {
-	 rv = SECFailure;
-	 goto done;
-    }
-
-    /* if we can decrypt the private key, then we had the correct password */
-    rv = SECSuccess;
-    nsslowkey_DestroyPrivateKey(privkey);
-
-done:
-
-    /* free the arena */
-    if ( keylist.arena ) {
-	PORT_FreeArena(keylist.arena, PR_FALSE);
-    }
-    
-    return(rv);
-}
-
-/*
- * check to see if the user has typed the right password
- */
-SECStatus
-nsslowkey_CheckKeyDBPassword(NSSLOWKEYDBHandle *handle, SECItem *pwitem)
-{
-    DBT checkkey;
-    DBT checkdata;
-    NSSPKCS5PBEParameter *param = NULL;
-    SECStatus rv = SECFailure;
-    NSSLOWKEYDBKey *dbkey = NULL;
-    SECItem *key = NULL;
-    SECItem *dest = NULL;
-    SECOidTag algorithm;
-    SECItem oid;
-    SECItem encstring;
-    PRBool update = PR_FALSE;
-    int ret;
-    
-    if (handle == NULL) {
-	goto loser;
-    }
-
-    checkkey.data = KEYDB_PW_CHECK_STRING;
-    checkkey.size = KEYDB_PW_CHECK_LEN;
-    
-    dbkey = get_dbkey(handle, &checkkey);
-    
-    if ( dbkey == NULL ) {
-	checkkey.data = KEYDB_FAKE_PW_CHECK_STRING;
-	checkkey.size = KEYDB_FAKE_PW_CHECK_LEN;
-	ret = keydb_Get(handle, &checkkey, &checkdata, 0 );
-	if (ret) {
-	    goto loser;
-	}
-	/* if we have the fake PW_CHECK, then try to decode the key
-	 * rather than the pwcheck item.
-	 */
-	rv = seckey_CheckKeyDB1Password(handle,pwitem);
-	if (rv == SECSuccess) {
-	    /* OK we have enough to complete our conversion */
-	    nsslowkey_UpdateKeyDBPass2(handle,pwitem);
-	}
-	return rv;
-    }
-
-    /* build the oid item */
-    oid.len = dbkey->derPK.data[0];
-    oid.data = &dbkey->derPK.data[1];
-    
-    /* make sure entry is the correct length
-     * since we are probably using a block cipher, the block will be
-     * padded, so we may get a bit more than the exact size we need.
-     */
-    if ( dbkey->derPK.len < (KEYDB_PW_CHECK_LEN + 1 + oid.len ) ) {
-	goto loser;
-    }
-
-    /* find the algorithm tag */
-    algorithm = SECOID_FindOIDTag(&oid);
-
-    /* make a secitem of the encrypted check string */
-    encstring.len = dbkey->derPK.len - ( oid.len + 1 );
-    encstring.data = &dbkey->derPK.data[oid.len+1];
-    encstring.type = 0;
-    
-    switch(algorithm)
-    {
-	case SEC_OID_RC4:
-	    key = seckey_create_rc4_key(pwitem, &dbkey->salt);
-	    if(key != NULL) {
-		dest = seckey_rc4_decode(key, &encstring);
-		SECITEM_FreeItem(key, PR_TRUE);
-	    }
-	    break;
-	default:
-	    param = nsspkcs5_NewParam(algorithm, &dbkey->salt, 1);
-	    if (param != NULL) {
-                /* Decrypt - this function implements a workaround for
-                 * a previous coding error.  It will decrypt values using
-                 * DES rather than 3DES, if the initial try at 3DES
-                 * decryption fails.  In this case, the update flag is
-                 * set to TRUE.  This indication is used later to force
-                 * an update of the database to "real" 3DES encryption.
-                 */
-		dest = nsspkcs5_CipherData(param, pwitem, 
-					   &encstring, PR_FALSE, &update);
-		nsspkcs5_DestroyPBEParameter(param);
-	    }	
-	    break;
-    }
-
-    if(dest == NULL) {
-	goto loser;
-    }
-
-    if ((dest->len == KEYDB_PW_CHECK_LEN) &&
-	(PORT_Memcmp(dest->data, 
-		     KEYDB_PW_CHECK_STRING, KEYDB_PW_CHECK_LEN) == 0)) {
-	rv = SECSuccess;
-	/* we succeeded */
-	if ( algorithm == SEC_OID_RC4 ) {
-	    /* partially updated database */
-	    nsslowkey_UpdateKeyDBPass2(handle, pwitem);
-	}
-        /* Force an update of the password to remove the incorrect DES
-         * encryption (see the note above)
-         */
-	if (update && 
-	     (algorithm == SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC)) {
-	    /* data base was encoded with DES not triple des, fix it */
-	    nsslowkey_UpdateKeyDBPass2(handle,pwitem);
-	}
-    }
-			
-loser:
-    sec_destroy_dbkey(dbkey);
-    if(dest != NULL) {
-    	SECITEM_ZfreeItem(dest, PR_TRUE);
-    }
-
-    return(rv);
-}
-
-/*
- *  Change the database password and/or algorithm.  This internal
- *  routine does not check the old password.  That must be done by 
- *  the caller.
- */
-static SECStatus
-ChangeKeyDBPasswordAlg(NSSLOWKEYDBHandle *handle,
-		       SECItem *oldpwitem, SECItem *newpwitem,
-		       SECOidTag new_algorithm)
-{
-    SECStatus rv;
-    keyList keylist;
-    keyNode *node = NULL;
-    NSSLOWKEYPrivateKey *privkey = NULL;
-    char *nickname;
-    DBT newkey;
-    int ret;
-
-    /* traverse the database, collecting the keys of all records */
-    keylist.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( keylist.arena == NULL ) 
-    {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return(SECFailure);
-    }
-    keylist.head = NULL;
-
-    rv = db_BeginTransaction(handle->db);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-    
-    /* TNH - TraverseKeys should not be public, since it exposes
-       the underlying DBT data type. */
-    rv = nsslowkey_TraverseKeys(handle, sec_add_key_to_list, (void *)&keylist);
-    if ( rv != SECSuccess ) 
-	goto loser;
-
-    /* walk the list, re-encrypting each entry */
-    node = keylist.head;
-    while ( node != NULL ) 
-    {
-	privkey = seckey_get_private_key(handle, &node->key, &nickname,
-					 oldpwitem);
-	
-	if (privkey == NULL) {
-	    PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	    rv = SECFailure;
-	    goto loser;
-	}
-
-	/* delete the old record */
-	ret = keydb_Del(handle, &node->key, 0);
-	if ( ret ) {
-	    PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	    rv = SECFailure;
-	    goto loser;
-	}
-	
-	/* get the public key, which we use as the database index */
-
-	switch (privkey->keyType) {
-	  case NSSLOWKEYRSAKey:
-	    newkey.data = privkey->u.rsa.modulus.data;
-	    newkey.size = privkey->u.rsa.modulus.len;
-	    break;
-	  case NSSLOWKEYDSAKey:
-	    newkey.data = privkey->u.dsa.publicValue.data;
-	    newkey.size = privkey->u.dsa.publicValue.len;
-	    break;
-	  case NSSLOWKEYDHKey:
-	    newkey.data = privkey->u.dh.publicValue.data;
-	    newkey.size = privkey->u.dh.publicValue.len;
-	    break;
-#ifdef NSS_ENABLE_ECC
-	  case NSSLOWKEYECKey:
-	    newkey.data = privkey->u.ec.publicValue.data;
-	    newkey.size = privkey->u.ec.publicValue.len;
-	    break;
-#endif /* NSS_ENABLE_ECC */
-	  default:
-	    /* should we continue here and loose the key? */
-	    PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	    rv = SECFailure;
-	    goto loser;
-	}
-
-	rv = seckey_put_private_key(handle, &newkey, newpwitem, privkey,
-				    nickname, PR_TRUE, new_algorithm);
-	
-	if ( rv != SECSuccess ) 
-	{
-	    PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	    rv = SECFailure;
-	    goto loser;
-	}
-
-	/* next node */
-	node = node->next;
-    }
-
-    rv = nsslowkey_SetKeyDBPasswordAlg(handle, newpwitem, new_algorithm);
-
-loser:
-
-    db_FinishTransaction(handle->db,rv != SECSuccess);
-
-    /* free the arena */
-    if ( keylist.arena ) {
-	PORT_FreeArena(keylist.arena, PR_FALSE);
-    }
-    
-    return(rv);
-}
-
-/*
- * Re-encrypt the entire key database with a new password.
- * NOTE: The really  should create a new database rather than doing it
- * in place in the original
- */
-SECStatus
-nsslowkey_ChangeKeyDBPassword(NSSLOWKEYDBHandle *handle,
-			      SECItem *oldpwitem, SECItem *newpwitem)
-{
-    SECStatus rv;
-    
-    if (handle == NULL) {
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	rv = SECFailure;
-	goto loser;
-    }
-
-    rv = nsslowkey_CheckKeyDBPassword(handle, oldpwitem);
-    if ( rv != SECSuccess ) {
-	return(SECFailure);  /* return rv? */
-    }
-
-    rv = ChangeKeyDBPasswordAlg(handle, oldpwitem, newpwitem, 
-				nsslowkey_GetDefaultKeyDBAlg());
-
-loser:
-    return(rv);
-}
-    
-
-#define MAX_DB_SIZE 0xffff 
-/*
- * Clear out all the keys in the existing database
- */
-SECStatus
-nsslowkey_ResetKeyDB(NSSLOWKEYDBHandle *handle)
-{
-    SECStatus rv;
-    int ret;
-    int errors = 0;
-
-    if ( handle->db == NULL ) {
-	return(SECSuccess);
-    }
-
-    if (handle->readOnly) {
-	/* set an error code */
-	return SECFailure;
-     }
-
-    if (handle->appname == NULL && handle->dbname == NULL) {
-	return SECFailure;
-    }
-
-    keydb_Close(handle);
-    if (handle->appname) {
-	handle->db= 
-	    rdbopen(handle->appname, handle->dbname, "key", NO_CREATE, NULL);
-    } else {
-	handle->db = dbopen( handle->dbname, NO_CREATE, 0600, DB_HASH, 0 );
-    }
-    if (handle->db == NULL) {
-	/* set an error code */
-	return SECFailure;
-    }
-    
-    rv = makeGlobalVersion(handle);
-    if ( rv != SECSuccess ) {
-	errors++;
-	goto done;
-    }
-
-    if (handle->global_salt) {
-	rv = StoreKeyDBGlobalSalt(handle);
-    } else {
-	rv = makeGlobalSalt(handle);
-	if ( rv == SECSuccess ) {
-	    handle->global_salt = GetKeyDBGlobalSalt(handle);
-	}
-    }
-    if ( rv != SECSuccess ) {
-	errors++;
-    }
-
-done:
-    /* sync the database */
-    ret = keydb_Sync(handle, 0);
-    db_InitComplete(handle->db);
-
-    return (errors == 0 ? SECSuccess : SECFailure);
-}
-
-static int
-keydb_Get(NSSLOWKEYDBHandle *kdb, DBT *key, DBT *data, unsigned int flags)
-{
-    PRStatus prstat;
-    int ret;
-    PRLock *kdbLock = kdb->lock;
-    DB *db = kdb->db;
-    
-    PORT_Assert(kdbLock != NULL);
-    PZ_Lock(kdbLock);
-
-    ret = (* db->get)(db, key, data, flags);
-
-    prstat = PZ_Unlock(kdbLock);
-
-    return(ret);
-}
-
-static int
-keydb_Put(NSSLOWKEYDBHandle *kdb, DBT *key, DBT *data, unsigned int flags)
-{
-    PRStatus prstat;
-    int ret = 0;
-    PRLock *kdbLock = kdb->lock;
-    DB *db = kdb->db;
-
-    PORT_Assert(kdbLock != NULL);
-    PZ_Lock(kdbLock);
-
-    ret = (* db->put)(db, key, data, flags);
-    
-    prstat = PZ_Unlock(kdbLock);
-
-    return(ret);
-}
-
-static int
-keydb_Sync(NSSLOWKEYDBHandle *kdb, unsigned int flags)
-{
-    PRStatus prstat;
-    int ret;
-    PRLock *kdbLock = kdb->lock;
-    DB *db = kdb->db;
-
-    PORT_Assert(kdbLock != NULL);
-    PZ_Lock(kdbLock);
-
-    ret = (* db->sync)(db, flags);
-    
-    prstat = PZ_Unlock(kdbLock);
-
-    return(ret);
-}
-
-static int
-keydb_Del(NSSLOWKEYDBHandle *kdb, DBT *key, unsigned int flags)
-{
-    PRStatus prstat;
-    int ret;
-    PRLock *kdbLock = kdb->lock;
-    DB *db = kdb->db;
-
-    PORT_Assert(kdbLock != NULL);
-    PZ_Lock(kdbLock);
-
-    ret = (* db->del)(db, key, flags);
-    
-    prstat = PZ_Unlock(kdbLock);
-
-    return(ret);
-}
-
-static int
-keydb_Seq(NSSLOWKEYDBHandle *kdb, DBT *key, DBT *data, unsigned int flags)
-{
-    PRStatus prstat;
-    int ret;
-    PRLock *kdbLock = kdb->lock;
-    DB *db = kdb->db;
-    
-    PORT_Assert(kdbLock != NULL);
-    PZ_Lock(kdbLock);
-    
-    ret = (* db->seq)(db, key, data, flags);
-
-    prstat = PZ_Unlock(kdbLock);
-
-    return(ret);
-}
-
-static void
-keydb_Close(NSSLOWKEYDBHandle *kdb)
-{
-    PRStatus prstat;
-    PRLock *kdbLock = kdb->lock;
-    DB *db = kdb->db;
-
-    PORT_Assert(kdbLock != NULL);
-    PZ_Lock(kdbLock);
-
-    (* db->close)(db);
-    
-    prstat = PZ_Unlock(kdbLock);
-
-    return;
-}
-
diff --git a/security/nss/lib/softoken/keydbi.h b/security/nss/lib/softoken/keydbi.h
deleted file mode 100644
index f7f427266..000000000
--- a/security/nss/lib/softoken/keydbi.h
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * private.h - Private data structures for the software token library
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#ifndef _KEYDBI_H_
-#define _KEYDBI_H_
-
-#include "nspr.h"
-#include "seccomon.h"
-#include "mcom_db.h"
-
-/*
- * Handle structure for open key databases
- */
-struct NSSLOWKEYDBHandleStr {
-    DB *db;
-    DB *updatedb;		/* used when updating an old version */
-    SECItem *global_salt;	/* password hashing salt for this db */
-    int version;		/* version of the database */
-    char *appname;		/* multiaccess app name */
-    char *dbname;		/* name of the openned DB */
-    PRBool readOnly;		/* is the DB read only */
-    PRLock *lock;
-    PRInt32 ref;		/* reference count */
-};
-
-/*
-** Typedef for callback for traversing key database.
-**      "key" is the key used to index the data in the database (nickname)
-**      "data" is the key data
-**      "pdata" is the user's data 
-*/
-typedef SECStatus (* NSSLOWKEYTraverseKeysFunc)(DBT *key, DBT *data, void *pdata);
-
-
-SEC_BEGIN_PROTOS
-
-/*
-** Traverse the entire key database, and pass the nicknames and keys to a 
-** user supplied function.
-**      "f" is the user function to call for each key
-**      "udata" is the user's data, which is passed through to "f"
-*/
-extern SECStatus nsslowkey_TraverseKeys(NSSLOWKEYDBHandle *handle, 
-				NSSLOWKEYTraverseKeysFunc f,
-				void *udata);
-
-SEC_END_PROTOS
-
-#endif /* _KEYDBI_H_ */
diff --git a/security/nss/lib/softoken/lowcert.c b/security/nss/lib/softoken/lowcert.c
deleted file mode 100644
index cb048307d..000000000
--- a/security/nss/lib/softoken/lowcert.c
+++ /dev/null
@@ -1,646 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Certificate handling code
- *
- * $Id$
- */
-
-#include "seccomon.h"
-#include "secder.h"
-#include "nssilock.h"
-#include "prmon.h"
-#include "prtime.h"
-#include "lowkeyi.h"
-#include "pcert.h"
-#include "secasn1.h"
-#include "secoid.h"
-#include "secerr.h"
-
-#ifdef NSS_ENABLE_ECC
-extern SECStatus EC_FillParams(PRArenaPool *arena, 
-			       const SECItem *encodedParams,
-			       ECParams *params);
-#endif
-
-static const SEC_ASN1Template nsslowcert_SubjectPublicKeyInfoTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWCERTSubjectPublicKeyInfo) },
-    { SEC_ASN1_INLINE, offsetof(NSSLOWCERTSubjectPublicKeyInfo,algorithm),
-          SECOID_AlgorithmIDTemplate },
-    { SEC_ASN1_BIT_STRING,
-          offsetof(NSSLOWCERTSubjectPublicKeyInfo,subjectPublicKey), },
-    { 0, }
-};
-
-static const SEC_ASN1Template nsslowcert_RSAPublicKeyTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPublicKey) },
-    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPublicKey,u.rsa.modulus), },
-    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPublicKey,u.rsa.publicExponent), },
-    { 0, }
-};
-static const SEC_ASN1Template nsslowcert_DSAPublicKeyTemplate[] = {
-    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPublicKey,u.dsa.publicValue), },
-    { 0, }
-};
-static const SEC_ASN1Template nsslowcert_DHPublicKeyTemplate[] = {
-    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPublicKey,u.dh.publicValue), },
-    { 0, }
-};
-
-/*
- * See bugzilla bug 125359
- * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
- * all of the templates above that en/decode into integers must be converted
- * from ASN.1's signed integer type.  This is done by marking either the
- * source or destination (encoding or decoding, respectively) type as
- * siUnsignedInteger.
- */
-
-static void
-prepare_low_rsa_pub_key_for_asn1(NSSLOWKEYPublicKey *pubk)
-{
-    pubk->u.rsa.modulus.type = siUnsignedInteger;
-    pubk->u.rsa.publicExponent.type = siUnsignedInteger;
-}
-
-static void
-prepare_low_dsa_pub_key_for_asn1(NSSLOWKEYPublicKey *pubk)
-{
-    pubk->u.dsa.publicValue.type = siUnsignedInteger;
-    pubk->u.dsa.params.prime.type = siUnsignedInteger;
-    pubk->u.dsa.params.subPrime.type = siUnsignedInteger;
-    pubk->u.dsa.params.base.type = siUnsignedInteger;
-}
-
-static void
-prepare_low_dh_pub_key_for_asn1(NSSLOWKEYPublicKey *pubk)
-{
-    pubk->u.dh.prime.type = siUnsignedInteger;
-    pubk->u.dh.base.type = siUnsignedInteger;
-    pubk->u.dh.publicValue.type = siUnsignedInteger;
-}
-
-/*
- * Allow use of default cert database, so that apps(such as mozilla) don't
- * have to pass the handle all over the place.
- */
-static NSSLOWCERTCertDBHandle *default_pcert_db_handle = 0;
-
-void
-nsslowcert_SetDefaultCertDB(NSSLOWCERTCertDBHandle *handle)
-{
-    default_pcert_db_handle = handle;
-    
-    return;
-}
-
-NSSLOWCERTCertDBHandle *
-nsslowcert_GetDefaultCertDB(void)
-{
-    return(default_pcert_db_handle);
-}
-
-/*
- * simple cert decoder to avoid the cost of asn1 engine
- */ 
-static unsigned char *
-nsslowcert_dataStart(unsigned char *buf, unsigned int length, 
-			unsigned int *data_length, PRBool includeTag,
-                        unsigned char* rettag) {
-    unsigned char tag;
-    unsigned int used_length= 0;
-
-    tag = buf[used_length++];
-
-    if (rettag) {
-        *rettag = tag;
-    }
-
-    /* blow out when we come to the end */
-    if (tag == 0) {
-	return NULL;
-    }
-
-    *data_length = buf[used_length++];
-
-    if (*data_length&0x80) {
-	int  len_count = *data_length & 0x7f;
-
-	*data_length = 0;
-
-	while (len_count-- > 0) {
-	    *data_length = (*data_length << 8) | buf[used_length++];
-	} 
-    }
-
-    if (*data_length > (length-used_length) ) {
-	*data_length = length-used_length;
-	return NULL;
-    }
-    if (includeTag) *data_length += used_length;
-
-    return (buf + (includeTag ? 0 : used_length));	
-}
-
-static void SetTimeType(SECItem* item, unsigned char tagtype)
-{
-    switch (tagtype) {
-        case SEC_ASN1_UTC_TIME:
-            item->type = siUTCTime;
-            break;
-
-        case SEC_ASN1_GENERALIZED_TIME:
-            item->type = siGeneralizedTime;
-            break;
-
-        default:
-            PORT_Assert(0);
-            break;
-    }
-}
-
-static int
-nsslowcert_GetValidityFields(unsigned char *buf,int buf_length,
-	SECItem *notBefore, SECItem *notAfter)
-{
-    unsigned char tagtype;
-    notBefore->data = nsslowcert_dataStart(buf,buf_length,
-						&notBefore->len,PR_FALSE, &tagtype);
-    if (notBefore->data == NULL) return SECFailure;
-    SetTimeType(notBefore, tagtype);
-    buf_length -= (notBefore->data-buf) + notBefore->len;
-    buf = notBefore->data + notBefore->len;
-    notAfter->data = nsslowcert_dataStart(buf,buf_length,
-						&notAfter->len,PR_FALSE, &tagtype);
-    if (notAfter->data == NULL) return SECFailure;
-    SetTimeType(notAfter, tagtype);
-    return SECSuccess;
-}
-
-static int
-nsslowcert_GetCertFields(unsigned char *cert,int cert_length,
-	SECItem *issuer, SECItem *serial, SECItem *derSN, SECItem *subject,
-	SECItem *valid, SECItem *subjkey)
-{
-    unsigned char *buf;
-    unsigned int buf_length;
-    unsigned char *dummy;
-    unsigned int dummylen;
-
-    /* get past the signature wrap */
-    buf = nsslowcert_dataStart(cert,cert_length,&buf_length,PR_FALSE, NULL);
-    if (buf == NULL) return SECFailure;
-    /* get into the raw cert data */
-    buf = nsslowcert_dataStart(buf,buf_length,&buf_length,PR_FALSE, NULL);
-    if (buf == NULL) return SECFailure;
-    /* skip past any optional version number */
-    if ((buf[0] & 0xa0) == 0xa0) {
-	dummy = nsslowcert_dataStart(buf,buf_length,&dummylen,PR_FALSE, NULL);
-	if (dummy == NULL) return SECFailure;
-	buf_length -= (dummy-buf) + dummylen;
-	buf = dummy + dummylen;
-    }
-    /* serial number */
-    if (derSN) {
-	derSN->data=nsslowcert_dataStart(buf,buf_length,&derSN->len,PR_TRUE, NULL);
-    }
-    serial->data = nsslowcert_dataStart(buf,buf_length,&serial->len,PR_FALSE, NULL);
-    if (serial->data == NULL) return SECFailure;
-    buf_length -= (serial->data-buf) + serial->len;
-    buf = serial->data + serial->len;
-    /* skip the OID */
-    dummy = nsslowcert_dataStart(buf,buf_length,&dummylen,PR_FALSE, NULL);
-    if (dummy == NULL) return SECFailure;
-    buf_length -= (dummy-buf) + dummylen;
-    buf = dummy + dummylen;
-    /* issuer */
-    issuer->data = nsslowcert_dataStart(buf,buf_length,&issuer->len,PR_TRUE, NULL);
-    if (issuer->data == NULL) return SECFailure;
-    buf_length -= (issuer->data-buf) + issuer->len;
-    buf = issuer->data + issuer->len;
-
-    /* only wanted issuer/SN */
-    if (valid == NULL) {
-	return SECSuccess;
-    }
-    /* validity */
-    valid->data = nsslowcert_dataStart(buf,buf_length,&valid->len,PR_FALSE, NULL);
-    if (valid->data == NULL) return SECFailure;
-    buf_length -= (valid->data-buf) + valid->len;
-    buf = valid->data + valid->len;
-    /*subject */
-    subject->data=nsslowcert_dataStart(buf,buf_length,&subject->len,PR_TRUE, NULL);
-    if (subject->data == NULL) return SECFailure;
-    buf_length -= (subject->data-buf) + subject->len;
-    buf = subject->data + subject->len;
-    /* subject  key info */
-    subjkey->data=nsslowcert_dataStart(buf,buf_length,&subjkey->len,PR_TRUE, NULL);
-    if (subjkey->data == NULL) return SECFailure;
-    buf_length -= (subjkey->data-buf) + subjkey->len;
-    buf = subjkey->data + subjkey->len;
-    return SECSuccess;
-}
-
-SECStatus
-nsslowcert_GetCertTimes(NSSLOWCERTCertificate *c, PRTime *notBefore, PRTime *notAfter)
-{
-    int rv;
-    NSSLOWCERTValidity validity;
-
-    rv = nsslowcert_GetValidityFields(c->validity.data,c->validity.len,
-				&validity.notBefore,&validity.notAfter);
-    if (rv != SECSuccess) {
-	return rv;
-    }
-    
-    /* convert DER not-before time */
-    rv = DER_DecodeTimeChoice(notBefore, &validity.notBefore);
-    if (rv) {
-        return(SECFailure);
-    }
-    
-    /* convert DER not-after time */
-    rv = DER_DecodeTimeChoice(notAfter, &validity.notAfter);
-    if (rv) {
-        return(SECFailure);
-    }
-
-    return(SECSuccess);
-}
-
-/*
- * is certa newer than certb?  If one is expired, pick the other one.
- */
-PRBool
-nsslowcert_IsNewer(NSSLOWCERTCertificate *certa, NSSLOWCERTCertificate *certb)
-{
-    PRTime notBeforeA, notAfterA, notBeforeB, notAfterB, now;
-    SECStatus rv;
-    PRBool newerbefore, newerafter;
-    
-    rv = nsslowcert_GetCertTimes(certa, &notBeforeA, &notAfterA);
-    if ( rv != SECSuccess ) {
-	return(PR_FALSE);
-    }
-    
-    rv = nsslowcert_GetCertTimes(certb, &notBeforeB, &notAfterB);
-    if ( rv != SECSuccess ) {
-	return(PR_TRUE);
-    }
-
-    newerbefore = PR_FALSE;
-    if ( LL_CMP(notBeforeA, >, notBeforeB) ) {
-	newerbefore = PR_TRUE;
-    }
-
-    newerafter = PR_FALSE;
-    if ( LL_CMP(notAfterA, >, notAfterB) ) {
-	newerafter = PR_TRUE;
-    }
-    
-    if ( newerbefore && newerafter ) {
-	return(PR_TRUE);
-    }
-    
-    if ( ( !newerbefore ) && ( !newerafter ) ) {
-	return(PR_FALSE);
-    }
-
-    /* get current time */
-    now = PR_Now();
-
-    if ( newerbefore ) {
-	/* cert A was issued after cert B, but expires sooner */
-	/* if A is expired, then pick B */
-	if ( LL_CMP(notAfterA, <, now ) ) {
-	    return(PR_FALSE);
-	}
-	return(PR_TRUE);
-    } else {
-	/* cert B was issued after cert A, but expires sooner */
-	/* if B is expired, then pick A */
-	if ( LL_CMP(notAfterB, <, now ) ) {
-	    return(PR_TRUE);
-	}
-	return(PR_FALSE);
-    }
-}
-
-#define SOFT_DEFAULT_CHUNKSIZE 2048
-
-static SECStatus
-nsslowcert_KeyFromIssuerAndSN(PRArenaPool *arena, 
-			      SECItem *issuer, SECItem *sn, SECItem *key)
-{
-    unsigned int len = sn->len + issuer->len;
-
-    if (!arena) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	goto loser;
-    }
-    key->data = (unsigned char*)PORT_ArenaAlloc(arena, len);
-    if ( !key->data ) {
-	goto loser;
-    }
-
-    key->len = len;
-    /* copy the serialNumber */
-    PORT_Memcpy(key->data, sn->data, sn->len);
-
-    /* copy the issuer */
-    PORT_Memcpy(&key->data[sn->len], issuer->data, issuer->len);
-
-    return(SECSuccess);
-
-loser:
-    return(SECFailure);
-}
-
-static SECStatus
-nsslowcert_KeyFromIssuerAndSNStatic(unsigned char *space,
-	int spaceLen, SECItem *issuer, SECItem *sn, SECItem *key)
-{
-    unsigned int len = sn->len + issuer->len;
-
-    key->data = pkcs11_allocStaticData(len, space, spaceLen);
-    if ( !key->data ) {
-	goto loser;
-    }
-
-    key->len = len;
-    /* copy the serialNumber */
-    PORT_Memcpy(key->data, sn->data, sn->len);
-
-    /* copy the issuer */
-    PORT_Memcpy(&key->data[sn->len], issuer->data, issuer->len);
-
-    return(SECSuccess);
-
-loser:
-    return(SECFailure);
-}
-
-
-
-/*
- * take a DER certificate and decode it into a certificate structure
- */
-NSSLOWCERTCertificate *
-nsslowcert_DecodeDERCertificate(SECItem *derSignedCert, char *nickname)
-{
-    NSSLOWCERTCertificate *cert;
-    int rv;
-
-    /* allocate the certificate structure */
-    cert = nsslowcert_CreateCert();
-    
-    if ( !cert ) {
-	goto loser;
-    }
-    
-	/* point to passed in DER data */
-    cert->derCert = *derSignedCert;
-    cert->nickname = NULL;
-    cert->certKey.data = NULL;
-    cert->referenceCount = 1;
-
-    /* decode the certificate info */
-    rv = nsslowcert_GetCertFields(cert->derCert.data, cert->derCert.len,
-	&cert->derIssuer, &cert->serialNumber, &cert->derSN, &cert->derSubject,
-	&cert->validity, &cert->derSubjKeyInfo);
-
-    /* cert->subjectKeyID;	 x509v3 subject key identifier */
-    cert->subjectKeyID.data = NULL;
-    cert->subjectKeyID.len = 0;
-    cert->dbEntry = NULL;
-    cert ->trust = NULL;
-    cert ->dbhandle = NULL;
-
-    /* generate and save the database key for the cert */
-    rv = nsslowcert_KeyFromIssuerAndSNStatic(cert->certKeySpace,
-		sizeof(cert->certKeySpace), &cert->derIssuer, 
-		&cert->serialNumber, &cert->certKey);
-    if ( rv ) {
-	goto loser;
-    }
-
-    /* set the nickname */
-    if ( nickname == NULL ) {
-	cert->nickname = NULL;
-    } else {
-	/* copy and install the nickname */
-	cert->nickname = pkcs11_copyNickname(nickname,cert->nicknameSpace,
-				sizeof(cert->nicknameSpace));
-    }
-
-#ifdef FIXME
-    /* initialize the subjectKeyID */
-    rv = cert_GetKeyID(cert);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    /* set the email address */
-    cert->emailAddr = CERT_GetCertificateEmailAddress(cert);
-    
-#endif
-    
-    cert->referenceCount = 1;
-    
-    return(cert);
-    
-loser:
-    if (cert) {
-	nsslowcert_DestroyCertificate(cert);
-    }
-    
-    return(0);
-}
-
-char *
-nsslowcert_FixupEmailAddr(char *emailAddr)
-{
-    char *retaddr;
-    char *str;
-
-    if ( emailAddr == NULL ) {
-	return(NULL);
-    }
-    
-    /* copy the string */
-    str = retaddr = PORT_Strdup(emailAddr);
-    if ( str == NULL ) {
-	return(NULL);
-    }
-    
-    /* make it lower case */
-    while ( *str ) {
-	*str = tolower( *str );
-	str++;
-    }
-    
-    return(retaddr);
-}
-
-
-/*
- * Generate a database key, based on serial number and issuer, from a
- * DER certificate.
- */
-SECStatus
-nsslowcert_KeyFromDERCert(PRArenaPool *arena, SECItem *derCert, SECItem *key)
-{
-    int rv;
-    NSSLOWCERTCertKey certkey;
-
-    PORT_Memset(&certkey, 0, sizeof(NSSLOWCERTCertKey));    
-
-    rv = nsslowcert_GetCertFields(derCert->data, derCert->len,
-	&certkey.derIssuer, &certkey.serialNumber, NULL, NULL, NULL, NULL);
-
-    if ( rv ) {
-	goto loser;
-    }
-
-    return(nsslowcert_KeyFromIssuerAndSN(arena, &certkey.derIssuer,
-				   &certkey.serialNumber, key));
-loser:
-    return(SECFailure);
-}
-
-NSSLOWKEYPublicKey *
-nsslowcert_ExtractPublicKey(NSSLOWCERTCertificate *cert)
-{
-    NSSLOWCERTSubjectPublicKeyInfo spki;
-    NSSLOWKEYPublicKey *pubk;
-    SECItem os;
-    SECStatus rv;
-    PRArenaPool *arena;
-    SECOidTag tag;
-    SECItem newDerSubjKeyInfo;
-
-    arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL)
-        return NULL;
-
-    pubk = (NSSLOWKEYPublicKey *) 
-		PORT_ArenaZAlloc(arena, sizeof(NSSLOWKEYPublicKey));
-    if (pubk == NULL) {
-        PORT_FreeArena (arena, PR_FALSE);
-        return NULL;
-    }
-
-    pubk->arena = arena;
-    PORT_Memset(&spki,0,sizeof(spki));
-
-    /* copy the DER into the arena, since Quick DER returns data that points
-       into the DER input, which may get freed by the caller */
-    rv = SECITEM_CopyItem(arena, &newDerSubjKeyInfo, &cert->derSubjKeyInfo);
-    if ( rv != SECSuccess ) {
-        PORT_FreeArena (arena, PR_FALSE);
-        return NULL;
-    }
-
-    /* we haven't bothered decoding the spki struct yet, do it now */
-    rv = SEC_QuickDERDecodeItem(arena, &spki, 
-		nsslowcert_SubjectPublicKeyInfoTemplate, &newDerSubjKeyInfo);
-    if (rv != SECSuccess) {
- 	PORT_FreeArena (arena, PR_FALSE);
- 	return NULL;
-    }
-
-    /* Convert bit string length from bits to bytes */
-    os = spki.subjectPublicKey;
-    DER_ConvertBitString (&os);
-
-    tag = SECOID_GetAlgorithmTag(&spki.algorithm);
-    switch ( tag ) {
-      case SEC_OID_X500_RSA_ENCRYPTION:
-      case SEC_OID_PKCS1_RSA_ENCRYPTION:
-        pubk->keyType = NSSLOWKEYRSAKey;
-        prepare_low_rsa_pub_key_for_asn1(pubk);
-        rv = SEC_QuickDERDecodeItem(arena, pubk, 
-				nsslowcert_RSAPublicKeyTemplate, &os);
-        if (rv == SECSuccess)
-            return pubk;
-        break;
-      case SEC_OID_ANSIX9_DSA_SIGNATURE:
-        pubk->keyType = NSSLOWKEYDSAKey;
-        prepare_low_dsa_pub_key_for_asn1(pubk);
-        rv = SEC_QuickDERDecodeItem(arena, pubk,
-				 nsslowcert_DSAPublicKeyTemplate, &os);
-        if (rv == SECSuccess) return pubk;
-        break;
-      case SEC_OID_X942_DIFFIE_HELMAN_KEY:
-        pubk->keyType = NSSLOWKEYDHKey;
-        prepare_low_dh_pub_key_for_asn1(pubk);
-        rv = SEC_QuickDERDecodeItem(arena, pubk,
-				 nsslowcert_DHPublicKeyTemplate, &os);
-        if (rv == SECSuccess) return pubk;
-        break;
-#ifdef NSS_ENABLE_ECC
-      case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
-        pubk->keyType = NSSLOWKEYECKey;
-	/* Since PKCS#11 directly takes the DER encoding of EC params
-	 * and public value, we don't need any decoding here.
-	 */
-        rv = SECITEM_CopyItem(arena, &pubk->u.ec.ecParams.DEREncoding, 
-	    &spki.algorithm.parameters);
-        if ( rv != SECSuccess )
-            break;	
-
-	/* Fill out the rest of the ecParams structure 
-	 * based on the encoded params
-	 */
-	if (EC_FillParams(arena, &pubk->u.ec.ecParams.DEREncoding,
-	    &pubk->u.ec.ecParams) != SECSuccess) 
-	    break;
-
-        rv = SECITEM_CopyItem(arena, &pubk->u.ec.publicValue, &os);
-	if (rv == SECSuccess) return pubk;
-        break;
-#endif /* NSS_ENABLE_ECC */
-      default:
-        rv = SECFailure;
-        break;
-    }
-
-    nsslowkey_DestroyPublicKey (pubk);
-    return NULL;
-}
-
diff --git a/security/nss/lib/softoken/lowkey.c b/security/nss/lib/softoken/lowkey.c
deleted file mode 100644
index fb6e30fdc..000000000
--- a/security/nss/lib/softoken/lowkey.c
+++ /dev/null
@@ -1,492 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#include "lowkeyi.h"
-#include "secoid.h"
-#include "secitem.h"
-#include "secder.h"
-#include "base64.h"
-#include "secasn1.h"
-#include "pcert.h"
-#include "secerr.h"
-
-#ifdef NSS_ENABLE_ECC
-extern SECStatus EC_CopyParams(PRArenaPool *arena, 
-			       ECParams *dstParams,
-			       const ECParams *srcParams);
-#endif
-
-const SEC_ASN1Template nsslowkey_PQGParamsTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(PQGParams) },
-    { SEC_ASN1_INTEGER, offsetof(PQGParams,prime) },
-    { SEC_ASN1_INTEGER, offsetof(PQGParams,subPrime) },
-    { SEC_ASN1_INTEGER, offsetof(PQGParams,base) },
-    { 0, }
-};
-
-const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
-    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.version) },
-    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.modulus) },
-    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.publicExponent) },
-    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.privateExponent) },
-    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.prime1) },
-    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.prime2) },
-    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.exponent1) },
-    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.exponent2) },
-    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.coefficient) },
-    { 0 }                                                                     
-};                                                                            
-
-
-const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
-    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dsa.publicValue) },
-    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dsa.privateValue) },
-    { 0, }
-};
-
-const SEC_ASN1Template nsslowkey_DSAPrivateKeyExportTemplate[] = {
-    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dsa.privateValue) },
-};
-
-const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
-    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.publicValue) },
-    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.privateValue) },
-    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.base) },
-    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.prime) },
-    { 0, }
-};
-
-#ifdef NSS_ENABLE_ECC
-
-/* XXX This is just a placeholder for later when we support
- * generic curves and need full-blown support for parsing EC
- * parameters. For now, we only support named curves in which
- * EC params are simply encoded as an object ID and we don't
- * use nsslowkey_ECParamsTemplate.
- */
-const SEC_ASN1Template nsslowkey_ECParamsTemplate[] = {
-    { SEC_ASN1_CHOICE, offsetof(ECParams,type), NULL, sizeof(ECParams) },
-    { SEC_ASN1_OBJECT_ID, offsetof(ECParams,curveOID), NULL, ec_params_named },
-    { 0, }
-};
-
-
-/* NOTE: The SECG specification allows the private key structure
- * to contain curve parameters but recommends that they be stored
- * in the PrivateKeyAlgorithmIdentifier field of the PrivateKeyInfo
- * instead.
- */
-const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
-    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.ec.version) },
-    { SEC_ASN1_OCTET_STRING, 
-      offsetof(NSSLOWKEYPrivateKey,u.ec.privateValue) },
-    /* XXX The following template works for now since we only
-     * support named curves for which the parameters are
-     * encoded as an object ID. When we support generic curves,
-     * we'll need to define nsslowkey_ECParamsTemplate
-     */
-#if 1
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
-      SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC | 0, 
-      offsetof(NSSLOWKEYPrivateKey,u.ec.ecParams.curveOID), 
-      SEC_ObjectIDTemplate }, 
-#else
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
-      SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC | 0, 
-      offsetof(NSSLOWKEYPrivateKey,u.ec.ecParams), 
-      nsslowkey_ECParamsTemplate }, 
-#endif
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
-      SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC | 1, 
-      offsetof(NSSLOWKEYPrivateKey,u.ec.publicValue),
-      SEC_BitStringTemplate }, 
-    { 0, }
-};
-#endif /* NSS_ENABLE_ECC */
-/*
- * See bugzilla bug 125359
- * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
- * all of the templates above that en/decode into integers must be converted
- * from ASN.1's signed integer type.  This is done by marking either the
- * source or destination (encoding or decoding, respectively) type as
- * siUnsignedInteger.
- */
-
-void
-prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
-{
-    key->u.rsa.modulus.type = siUnsignedInteger;
-    key->u.rsa.publicExponent.type = siUnsignedInteger;
-    key->u.rsa.privateExponent.type = siUnsignedInteger;
-    key->u.rsa.prime1.type = siUnsignedInteger;
-    key->u.rsa.prime2.type = siUnsignedInteger;
-    key->u.rsa.exponent1.type = siUnsignedInteger;
-    key->u.rsa.exponent2.type = siUnsignedInteger;
-    key->u.rsa.coefficient.type = siUnsignedInteger;
-}
-
-void
-prepare_low_pqg_params_for_asn1(PQGParams *params)
-{
-    params->prime.type = siUnsignedInteger;
-    params->subPrime.type = siUnsignedInteger;
-    params->base.type = siUnsignedInteger;
-}
-
-void
-prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
-{
-    key->u.dsa.publicValue.type = siUnsignedInteger;
-    key->u.dsa.privateValue.type = siUnsignedInteger;
-    key->u.dsa.params.prime.type = siUnsignedInteger;
-    key->u.dsa.params.subPrime.type = siUnsignedInteger;
-    key->u.dsa.params.base.type = siUnsignedInteger;
-}
-
-void
-prepare_low_dsa_priv_key_export_for_asn1(NSSLOWKEYPrivateKey *key)
-{
-    key->u.dsa.privateValue.type = siUnsignedInteger;
-}
-
-void
-prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
-{
-    key->u.dh.prime.type = siUnsignedInteger;
-    key->u.dh.base.type = siUnsignedInteger;
-    key->u.dh.publicValue.type = siUnsignedInteger;
-    key->u.dh.privateValue.type = siUnsignedInteger;
-}
-
-#ifdef NSS_ENABLE_ECC
-void
-prepare_low_ecparams_for_asn1(ECParams *params)
-{
-    params->DEREncoding.type = siUnsignedInteger;
-    params->curveOID.type = siUnsignedInteger;
-}
-
-void
-prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
-{
-    key->u.ec.version.type = siUnsignedInteger;
-    key->u.ec.ecParams.DEREncoding.type = siUnsignedInteger;
-    key->u.ec.ecParams.curveOID.type = siUnsignedInteger;
-    key->u.ec.privateValue.type = siUnsignedInteger;
-    key->u.ec.publicValue.type = siUnsignedInteger;
-}
-#endif /* NSS_ENABLE_ECC */
-
-void
-nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *privk)
-{
-    if (privk && privk->arena) {
-	PORT_FreeArena(privk->arena, PR_TRUE);
-    }
-}
-
-void
-nsslowkey_DestroyPublicKey(NSSLOWKEYPublicKey *pubk)
-{
-    if (pubk && pubk->arena) {
-	PORT_FreeArena(pubk->arena, PR_FALSE);
-    }
-}
-unsigned
-nsslowkey_PublicModulusLen(NSSLOWKEYPublicKey *pubk)
-{
-    unsigned char b0;
-
-    /* interpret modulus length as key strength... in
-     * fortezza that's the public key length */
-
-    switch (pubk->keyType) {
-    case NSSLOWKEYRSAKey:
-    	b0 = pubk->u.rsa.modulus.data[0];
-    	return b0 ? pubk->u.rsa.modulus.len : pubk->u.rsa.modulus.len - 1;
-    default:
-	break;
-    }
-    return 0;
-}
-
-unsigned
-nsslowkey_PrivateModulusLen(NSSLOWKEYPrivateKey *privk)
-{
-
-    unsigned char b0;
-
-    switch (privk->keyType) {
-    case NSSLOWKEYRSAKey:
-	b0 = privk->u.rsa.modulus.data[0];
-	return b0 ? privk->u.rsa.modulus.len : privk->u.rsa.modulus.len - 1;
-    default:
-	break;
-    }
-    return 0;
-}
-
-NSSLOWKEYPublicKey *
-nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privk)
-{
-    NSSLOWKEYPublicKey *pubk;
-    PLArenaPool *arena;
-
-
-    arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) {
-        PORT_SetError (SEC_ERROR_NO_MEMORY);
-        return NULL;
-    }
-
-    switch(privk->keyType) {
-      case NSSLOWKEYRSAKey:
-      case NSSLOWKEYNullKey:
-	pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
-						sizeof (NSSLOWKEYPublicKey));
-	if (pubk != NULL) {
-	    SECStatus rv;
-
-	    pubk->arena = arena;
-	    pubk->keyType = privk->keyType;
-	    if (privk->keyType == NSSLOWKEYNullKey) return pubk;
-	    rv = SECITEM_CopyItem(arena, &pubk->u.rsa.modulus,
-				  &privk->u.rsa.modulus);
-	    if (rv == SECSuccess) {
-		rv = SECITEM_CopyItem (arena, &pubk->u.rsa.publicExponent,
-				       &privk->u.rsa.publicExponent);
-		if (rv == SECSuccess)
-		    return pubk;
-	    }
-	    nsslowkey_DestroyPublicKey (pubk);
-	} else {
-	    PORT_SetError (SEC_ERROR_NO_MEMORY);
-	}
-	break;
-      case NSSLOWKEYDSAKey:
-	pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
-						    sizeof(NSSLOWKEYPublicKey));
-	if (pubk != NULL) {
-	    SECStatus rv;
-
-	    pubk->arena = arena;
-	    pubk->keyType = privk->keyType;
-	    rv = SECITEM_CopyItem(arena, &pubk->u.dsa.publicValue,
-				  &privk->u.dsa.publicValue);
-	    if (rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.prime,
-				  &privk->u.dsa.params.prime);
-	    if (rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.subPrime,
-				  &privk->u.dsa.params.subPrime);
-	    if (rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.base,
-				  &privk->u.dsa.params.base);
-	    if (rv == SECSuccess) return pubk;
-	}
-	break;
-      case NSSLOWKEYDHKey:
-	pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
-						    sizeof(NSSLOWKEYPublicKey));
-	if (pubk != NULL) {
-	    SECStatus rv;
-
-	    pubk->arena = arena;
-	    pubk->keyType = privk->keyType;
-	    rv = SECITEM_CopyItem(arena, &pubk->u.dh.publicValue,
-				  &privk->u.dh.publicValue);
-	    if (rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(arena, &pubk->u.dh.prime,
-				  &privk->u.dh.prime);
-	    if (rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(arena, &pubk->u.dh.base,
-				  &privk->u.dh.base);
-	    if (rv == SECSuccess) return pubk;
-	}
-	break;
-#ifdef NSS_ENABLE_ECC
-      case NSSLOWKEYECKey:
-	pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
-						    sizeof(NSSLOWKEYPublicKey));
-	if (pubk != NULL) {
-	    SECStatus rv;
-
-	    pubk->arena = arena;
-	    pubk->keyType = privk->keyType;
-	    rv = SECITEM_CopyItem(arena, &pubk->u.ec.publicValue,
-				  &privk->u.ec.publicValue);
-	    if (rv != SECSuccess) break;
-	    pubk->u.ec.ecParams.arena = arena;
-	    /* Copy the rest of the params */
-	    rv = EC_CopyParams(arena, &(pubk->u.ec.ecParams),
-			       &(privk->u.ec.ecParams));
-	    if (rv == SECSuccess) return pubk;
-	}
-	break;
-#endif /* NSS_ENABLE_ECC */
-	/* No Fortezza in Low Key implementations (Fortezza keys aren't
-	 * stored in our data base */
-    default:
-	break;
-    }
-
-    PORT_FreeArena (arena, PR_FALSE);
-    return NULL;
-}
-
-NSSLOWKEYPrivateKey *
-nsslowkey_CopyPrivateKey(NSSLOWKEYPrivateKey *privKey)
-{
-    NSSLOWKEYPrivateKey *returnKey = NULL;
-    SECStatus rv = SECFailure;
-    PLArenaPool *poolp;
-
-    if(!privKey) {
-	return NULL;
-    }
-
-    poolp = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if(!poolp) {
-	return NULL;
-    }
-
-    returnKey = (NSSLOWKEYPrivateKey*)PORT_ArenaZAlloc(poolp, sizeof(NSSLOWKEYPrivateKey));
-    if(!returnKey) {
-	rv = SECFailure;
-	goto loser;
-    }
-
-    returnKey->keyType = privKey->keyType;
-    returnKey->arena = poolp;
-
-    switch(privKey->keyType) {
-	case NSSLOWKEYRSAKey:
-	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.modulus), 
-	    				&(privKey->u.rsa.modulus));
-	    if(rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.version), 
-	    				&(privKey->u.rsa.version));
-	    if(rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.publicExponent), 
-	    				&(privKey->u.rsa.publicExponent));
-	    if(rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.privateExponent), 
-	    				&(privKey->u.rsa.privateExponent));
-	    if(rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.prime1), 
-	    				&(privKey->u.rsa.prime1));
-	    if(rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.prime2), 
-	    				&(privKey->u.rsa.prime2));
-	    if(rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.exponent1), 
-	    				&(privKey->u.rsa.exponent1));
-	    if(rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.exponent2), 
-	    				&(privKey->u.rsa.exponent2));
-	    if(rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.coefficient), 
-	    				&(privKey->u.rsa.coefficient));
-	    if(rv != SECSuccess) break;
-	    break;
-	case NSSLOWKEYDSAKey:
-	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.publicValue),
-	    				&(privKey->u.dsa.publicValue));
-	    if(rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.privateValue),
-	    				&(privKey->u.dsa.privateValue));
-	    if(rv != SECSuccess) break;
-	    returnKey->u.dsa.params.arena = poolp;
-	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.params.prime),
-					&(privKey->u.dsa.params.prime));
-	    if(rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.params.subPrime),
-					&(privKey->u.dsa.params.subPrime));
-	    if(rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.params.base),
-					&(privKey->u.dsa.params.base));
-	    if(rv != SECSuccess) break;
-	    break;
-	case NSSLOWKEYDHKey:
-	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.publicValue),
-	    				&(privKey->u.dh.publicValue));
-	    if(rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.privateValue),
-	    				&(privKey->u.dh.privateValue));
-	    if(rv != SECSuccess) break;
-	    returnKey->u.dsa.params.arena = poolp;
-	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.prime),
-					&(privKey->u.dh.prime));
-	    if(rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.base),
-					&(privKey->u.dh.base));
-	    if(rv != SECSuccess) break;
-	    break;
-#ifdef NSS_ENABLE_ECC
-	case NSSLOWKEYECKey:
-	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.ec.version),
-	    				&(privKey->u.ec.version));
-	    if(rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.ec.publicValue),
-	    				&(privKey->u.ec.publicValue));
-	    if(rv != SECSuccess) break;
-	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.ec.privateValue),
-	    				&(privKey->u.ec.privateValue));
-	    if(rv != SECSuccess) break;
-	    returnKey->u.ec.ecParams.arena = poolp;
-	    /* Copy the rest of the params */
-	    rv = EC_CopyParams(poolp, &(returnKey->u.ec.ecParams),
-			       &(privKey->u.ec.ecParams));
-	    if (rv != SECSuccess) break;
-	    break;
-#endif /* NSS_ENABLE_ECC */
-	default:
-	    rv = SECFailure;
-    }
-
-loser:
-
-    if(rv != SECSuccess) {
-	PORT_FreeArena(poolp, PR_TRUE);
-	returnKey = NULL;
-    }
-
-    return returnKey;
-}
diff --git a/security/nss/lib/softoken/lowkeyi.h b/security/nss/lib/softoken/lowkeyi.h
deleted file mode 100644
index b32a0f0af..000000000
--- a/security/nss/lib/softoken/lowkeyi.h
+++ /dev/null
@@ -1,274 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#ifndef _LOWKEYI_H_
-#define _LOWKEYI_H_
-
-#include "prtypes.h"
-#include "seccomon.h"
-#include "secoidt.h"
-#include "pcertt.h"
-#include "lowkeyti.h"
-
-SEC_BEGIN_PROTOS
-
-/*
- * See bugzilla bug 125359
- * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
- * all of the templates above that en/decode into integers must be converted
- * from ASN.1's signed integer type.  This is done by marking either the
- * source or destination (encoding or decoding, respectively) type as
- * siUnsignedInteger.
- */
-extern void prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
-extern void prepare_low_pqg_params_for_asn1(PQGParams *params);
-extern void prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
-extern void prepare_low_dsa_priv_key_export_for_asn1(NSSLOWKEYPrivateKey *key);
-extern void prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
-#ifdef NSS_ENABLE_ECC
-extern void prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
-extern void prepare_low_ecparams_for_asn1(ECParams *params);
-#endif /* NSS_ENABLE_ECC */
-
-typedef char * (* NSSLOWKEYDBNameFunc)(void *arg, int dbVersion);
-    
-/*
-** Open a key database.
-*/
-extern NSSLOWKEYDBHandle *nsslowkey_OpenKeyDB(PRBool readOnly,
-					   const char *domain,
-					   const char *prefix,
-					   NSSLOWKEYDBNameFunc namecb,
-					   void *cbarg);
-
-
-/*
- * Clear out all the keys in the existing database
- */
-extern SECStatus nsslowkey_ResetKeyDB(NSSLOWKEYDBHandle *handle);
-
-/*
-** Close the specified key database.
-*/
-extern void nsslowkey_CloseKeyDB(NSSLOWKEYDBHandle *handle);
-
-/*
- * Get the version number of the database
- */
-extern int nsslowkey_GetKeyDBVersion(NSSLOWKEYDBHandle *handle);
-
-/*
-** Support a default key database.
-*/
-extern void nsslowkey_SetDefaultKeyDB(NSSLOWKEYDBHandle *handle);
-extern NSSLOWKEYDBHandle *nsslowkey_GetDefaultKeyDB(void);
-
-/* set the alg id of the key encryption algorithm */
-extern void nsslowkey_SetDefaultKeyDBAlg(SECOidTag alg);
-
-/*
- * given a password and salt, produce a hash of the password
- */
-extern SECItem *nsslowkey_HashPassword(char *pw, SECItem *salt);
-
-/*
- * Derive the actual password value for a key database from the
- * password string value.  The derivation uses global salt value
- * stored in the key database.
- */
-extern SECItem *
-nsslowkey_DeriveKeyDBPassword(NSSLOWKEYDBHandle *handle, char *pw);
-
-/*
-** Delete a key from the database
-*/
-extern SECStatus nsslowkey_DeleteKey(NSSLOWKEYDBHandle *handle, 
-				  SECItem *pubkey);
-
-/*
-** Store a key in the database, indexed by its public key modulus.
-**	"pk" is the private key to store
-**	"f" is a the callback function for getting the password
-**	"arg" is the argument for the callback
-*/
-extern SECStatus nsslowkey_StoreKeyByPublicKey(NSSLOWKEYDBHandle *handle, 
-					    NSSLOWKEYPrivateKey *pk,
-					    SECItem *pubKeyData,
-					    char *nickname,
-					    SECItem *arg);
-
-/* does the key for this cert exist in the database filed by modulus */
-extern PRBool nsslowkey_KeyForCertExists(NSSLOWKEYDBHandle *handle,
-					 NSSLOWCERTCertificate *cert);
-/* does a key with this ID already exist? */
-extern PRBool nsslowkey_KeyForIDExists(NSSLOWKEYDBHandle *handle, SECItem *id);
-
-
-extern SECStatus nsslowkey_HasKeyDBPassword(NSSLOWKEYDBHandle *handle);
-extern SECStatus nsslowkey_SetKeyDBPassword(NSSLOWKEYDBHandle *handle,
-				     SECItem *pwitem);
-extern SECStatus nsslowkey_CheckKeyDBPassword(NSSLOWKEYDBHandle *handle,
-					   SECItem *pwitem);
-extern SECStatus nsslowkey_ChangeKeyDBPassword(NSSLOWKEYDBHandle *handle,
-					    SECItem *oldpwitem,
-					    SECItem *newpwitem);
-
-/*
-** Destroy a private key object.
-**	"key" the object
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *key);
-
-/*
-** Destroy a public key object.
-**	"key" the object
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void nsslowkey_DestroyPublicKey(NSSLOWKEYPublicKey *key);
-
-/*
-** Return the modulus length of "pubKey".
-*/
-extern unsigned int nsslowkey_PublicModulusLen(NSSLOWKEYPublicKey *pubKey);
-
-
-/*
-** Return the modulus length of "privKey".
-*/
-extern unsigned int nsslowkey_PrivateModulusLen(NSSLOWKEYPrivateKey *privKey);
-
-
-/*
-** Convert a low private key "privateKey" into a public low key
-*/
-extern NSSLOWKEYPublicKey 
-		*nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privateKey);
-
-/*
- * Set the Key Database password.
- *   handle is a handle to the key database
- *   pwitem is the new password
- *   algorithm is the algorithm by which the key database 
- *   	password is to be encrypted.
- * On failure, SECFailure is returned, otherwise SECSuccess is 
- * returned.
- */
-extern SECStatus 
-nsslowkey_SetKeyDBPasswordAlg(NSSLOWKEYDBHandle *handle,
-			SECItem *pwitem, 
-			SECOidTag algorithm);
-
-/* Check the key database password.
- *   handle is a handle to the key database
- *   pwitem is the suspect password
- *   algorithm is the algorithm by which the key database 
- *   	password is to be encrypted.
- * The password is checked against plaintext to see if it is the
- * actual password.  If it is not, SECFailure is returned.
- */
-extern SECStatus 
-nsslowkey_CheckKeyDBPasswordAlg(NSSLOWKEYDBHandle *handle,
-				SECItem *pwitem, 
-				SECOidTag algorithm);
-
-/* Change the key database password and/or algorithm by which
- * the password is stored with.  
- *   handle is a handle to the key database
- *   old_pwitem is the current password
- *   new_pwitem is the new password
- *   old_algorithm is the algorithm by which the key database 
- *   	password is currently encrypted.
- *   new_algorithm is the algorithm with which the new password
- *      is to be encrypted.
- * A return of anything but SECSuccess indicates failure.
- */
-extern SECStatus 
-nsslowkey_ChangeKeyDBPasswordAlg(NSSLOWKEYDBHandle *handle,
-			      SECItem *oldpwitem, SECItem *newpwitem,
-			      SECOidTag old_algorithm);
-
-SECStatus
-nsslowkey_UpdateNickname(NSSLOWKEYDBHandle *handle,
-                           NSSLOWKEYPrivateKey *privkey,
-                           SECItem *pubKeyData,
-                           char *nickname,
-                           SECItem *arg);
-
-/* Store key by modulus and specify an encryption algorithm to use.
- *   handle is the pointer to the key database,
- *   privkey is the private key to be stored,
- *   f and arg are the function and arguments to the callback
- *       to get a password,
- *   algorithm is the algorithm which the privKey is to be stored.
- * A return of anything but SECSuccess indicates failure.
- */
-extern SECStatus 
-nsslowkey_StoreKeyByPublicKeyAlg(NSSLOWKEYDBHandle *handle, 
-			      NSSLOWKEYPrivateKey *privkey, 
-			      SECItem *pubKeyData,
-			      char *nickname,
-			      SECItem *arg,
-			      SECOidTag algorithm,
-                              PRBool update); 
-
-/* Find key by modulus.  This function is the inverse of store key
- * by modulus.  An attempt to locate the key with "modulus" is 
- * performed.  If the key is found, the private key is returned,
- * else NULL is returned.
- *   modulus is the modulus to locate
- */
-extern NSSLOWKEYPrivateKey *
-nsslowkey_FindKeyByPublicKey(NSSLOWKEYDBHandle *handle, SECItem *modulus, 
-			  SECItem *arg);
-
-extern char *
-nsslowkey_FindKeyNicknameByPublicKey(NSSLOWKEYDBHandle *handle,
-                                        SECItem *modulus, SECItem *pwitem);
-
-
-/* Make a copy of a low private key in it's own arena.
- * a return of NULL indicates an error.
- */
-extern NSSLOWKEYPrivateKey *
-nsslowkey_CopyPrivateKey(NSSLOWKEYPrivateKey *privKey);
-
-
-SEC_END_PROTOS
-
-#endif /* _LOWKEYI_H_ */
diff --git a/security/nss/lib/softoken/lowkeyti.h b/security/nss/lib/softoken/lowkeyti.h
deleted file mode 100644
index 5423bdb7a..000000000
--- a/security/nss/lib/softoken/lowkeyti.h
+++ /dev/null
@@ -1,163 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#ifndef _LOWKEYTI_H_
-#define _LOWKEYTI_H_ 1
-
-#include "blapit.h"
-#include "prtypes.h"
-#include "plarena.h"
-#include "secitem.h"
-#include "secasn1t.h"
-#include "secoidt.h"
-/*#include "secmodt.h"
-#include "pkcs11t.h" */
-
-
-/*
- * a key in/for the data base
- */
-struct NSSLOWKEYDBKeyStr {
-    PLArenaPool *arena;
-    int version;
-    char *nickname;
-    SECItem salt;
-    SECItem derPK;
-};
-typedef struct NSSLOWKEYDBKeyStr NSSLOWKEYDBKey;
-
-typedef struct NSSLOWKEYDBHandleStr NSSLOWKEYDBHandle;
-
-#ifdef NSS_USE_KEY4_DB
-#define NSSLOWKEY_DB_FILE_VERSION 4
-#else
-#define NSSLOWKEY_DB_FILE_VERSION 3
-#endif
-
-#define NSSLOWKEY_VERSION	    0	/* what we *create* */
-
-/*
-** Typedef for callback to get a password "key".
-*/
-extern const SEC_ASN1Template nsslowkey_PQGParamsTemplate[];
-extern const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate[];
-extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[];
-extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyExportTemplate[];
-extern const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[];
-extern const SEC_ASN1Template nsslowkey_DHPrivateKeyExportTemplate[];
-#ifdef NSS_ENABLE_ECC
-#define NSSLOWKEY_EC_PRIVATE_KEY_VERSION   1  /* as per SECG 1 C.4 */
-extern const SEC_ASN1Template nsslowkey_ECParamsTemplate[];
-extern const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[];
-#endif /* NSS_ENABLE_ECC */
-
-extern const SEC_ASN1Template nsslowkey_PrivateKeyInfoTemplate[];
-extern const SEC_ASN1Template nsslowkey_EncryptedPrivateKeyInfoTemplate[];
-
-/*
- * PKCS #8 attributes
- */
-struct NSSLOWKEYAttributeStr {
-    SECItem attrType;
-    SECItem *attrValue;
-};
-typedef struct NSSLOWKEYAttributeStr NSSLOWKEYAttribute;
-
-/*
-** A PKCS#8 private key info object
-*/
-struct NSSLOWKEYPrivateKeyInfoStr {
-    PLArenaPool *arena;
-    SECItem version;
-    SECAlgorithmID algorithm;
-    SECItem privateKey;
-    NSSLOWKEYAttribute **attributes;
-};
-typedef struct NSSLOWKEYPrivateKeyInfoStr NSSLOWKEYPrivateKeyInfo;
-#define NSSLOWKEY_PRIVATE_KEY_INFO_VERSION	0	/* what we *create* */
-
-/*
-** A PKCS#8 private key info object
-*/
-struct NSSLOWKEYEncryptedPrivateKeyInfoStr {
-    PLArenaPool *arena;
-    SECAlgorithmID algorithm;
-    SECItem encryptedData;
-};
-typedef struct NSSLOWKEYEncryptedPrivateKeyInfoStr NSSLOWKEYEncryptedPrivateKeyInfo;
-
-
-typedef enum { 
-    NSSLOWKEYNullKey = 0, 
-    NSSLOWKEYRSAKey = 1, 
-    NSSLOWKEYDSAKey = 2, 
-    NSSLOWKEYDHKey = 4,
-    NSSLOWKEYECKey = 5
-} NSSLOWKEYType;
-
-/*
-** An RSA public key object.
-*/
-struct NSSLOWKEYPublicKeyStr {
-    PLArenaPool *arena;
-    NSSLOWKEYType keyType ;
-    union {
-        RSAPublicKey rsa;
-	DSAPublicKey dsa;
-	DHPublicKey  dh;
-	ECPublicKey  ec;
-    } u;
-};
-typedef struct NSSLOWKEYPublicKeyStr NSSLOWKEYPublicKey;
-
-/*
-** Low Level private key object
-** This is only used by the raw Crypto engines (crypto), keydb (keydb),
-** and PKCS #11. Everyone else uses the high level key structure.
-*/
-struct NSSLOWKEYPrivateKeyStr {
-    PLArenaPool *arena;
-    NSSLOWKEYType keyType;
-    union {
-        RSAPrivateKey rsa;
-	DSAPrivateKey dsa;
-	DHPrivateKey  dh;
-	ECPrivateKey  ec;
-    } u;
-};
-typedef struct NSSLOWKEYPrivateKeyStr NSSLOWKEYPrivateKey;
-
-#endif	/* _LOWKEYTI_H_ */
diff --git a/security/nss/lib/softoken/lowpbe.c b/security/nss/lib/softoken/lowpbe.c
deleted file mode 100644
index 81a0cb06b..000000000
--- a/security/nss/lib/softoken/lowpbe.c
+++ /dev/null
@@ -1,1185 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "plarena.h"
-
-#include "seccomon.h"
-#include "secitem.h"
-#include "secport.h"
-#include "hasht.h"
-#include "pkcs11t.h"
-#include "blapi.h"
-#include "hasht.h"
-#include "secasn1.h"
-#include "secder.h"
-#include "lowpbe.h"
-#include "secoid.h"
-#include "alghmac.h"
-#include "softoken.h"
-#include "secerr.h"
-
-/* template for PKCS 5 PBE Parameter.  This template has been expanded
- * based upon the additions in PKCS 12.  This should eventually be moved
- * if RSA updates PKCS 5.
- */
-static const SEC_ASN1Template NSSPKCS5PBEParameterTemplate[] =
-{
-    { SEC_ASN1_SEQUENCE, 
-	0, NULL, sizeof(NSSPKCS5PBEParameter) },
-    { SEC_ASN1_OCTET_STRING, 
-	offsetof(NSSPKCS5PBEParameter, salt) },
-    { SEC_ASN1_INTEGER,
-	offsetof(NSSPKCS5PBEParameter, iteration) },
-    { 0 }
-};
-
-static const SEC_ASN1Template NSSPKCS5PKCS12V2PBEParameterTemplate[] =
-{   
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSPKCS5PBEParameter) },
-    { SEC_ASN1_OCTET_STRING, offsetof(NSSPKCS5PBEParameter, salt) },
-    { SEC_ASN1_INTEGER, offsetof(NSSPKCS5PBEParameter, iteration) },
-    { 0 }
-};
-
-SECStatus
-nsspkcs5_HashBuf(const SECHashObject *hashObj, unsigned char *dest,
-					 unsigned char *src, int len)
-{
-    void *ctx;
-    unsigned int retLen;
-
-    ctx = hashObj->create();
-    if(ctx == NULL) {
-	return SECFailure;
-    }
-    hashObj->begin(ctx);
-    hashObj->update(ctx, src, len);
-    hashObj->end(ctx, dest, &retLen, hashObj->length);
-    hashObj->destroy(ctx, PR_TRUE);
-    return SECSuccess;
-}
-
-/* generate bits using any hash
- */
-static SECItem *
-nsspkcs5_PBKDF1(const SECHashObject *hashObj, SECItem *salt, SECItem *pwd, 
-						int iter, PRBool faulty3DES) 
-{
-    SECItem *hash = NULL, *pre_hash = NULL;
-    SECStatus rv = SECFailure;
-
-    if((salt == NULL) || (pwd == NULL) || (iter < 0)) {
-	return NULL;
-    }
-	
-    hash = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
-    pre_hash = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
-
-    if((hash != NULL) && (pre_hash != NULL)) {
-	int i, ph_len;
-
-	ph_len = hashObj->length;
-	if((salt->len + pwd->len) > hashObj->length) {
-	    ph_len = salt->len + pwd->len;
-	}
-
-	rv = SECFailure;
-
-	/* allocate buffers */
-	hash->len = hashObj->length;
-	hash->data = (unsigned char *)PORT_ZAlloc(hash->len);
-	pre_hash->data = (unsigned char *)PORT_ZAlloc(ph_len);
-
-	/* in pbeSHA1TripleDESCBC there was an allocation error that made
-	 * it into the caller.  We do not want to propagate those errors
-	 * further, so we are doing it correctly, but reading the old method.
-	 */
-	if (faulty3DES) {
-	    pre_hash->len = ph_len;
-	} else {
-	    pre_hash->len = salt->len + pwd->len;
-	}
-
-	/* preform hash */
-	if ((hash->data != NULL) && (pre_hash->data != NULL)) {
-	    rv = SECSuccess;
-	    /* check for 0 length password */
-	    if(pwd->len > 0) {
-		PORT_Memcpy(pre_hash->data, pwd->data, pwd->len);
-	    }
-	    if(salt->len > 0) {
-		PORT_Memcpy((pre_hash->data+pwd->len), salt->data, salt->len);
-	    }
-	    for(i = 0; ((i < iter) && (rv == SECSuccess)); i++) {
-		rv = nsspkcs5_HashBuf(hashObj, hash->data, 
-					pre_hash->data, pre_hash->len);
-		if(rv != SECFailure) {
-		    pre_hash->len = hashObj->length;
-		    PORT_Memcpy(pre_hash->data, hash->data, hashObj->length);
-		}
-	    }
-	}
-    }
-
-    if(pre_hash != NULL) {
-	SECITEM_FreeItem(pre_hash, PR_TRUE);
-    }
-
-    if((rv != SECSuccess) && (hash != NULL)) {
-	SECITEM_FreeItem(hash, PR_TRUE);
-	hash = NULL;
-    }
-
-    return hash;
-}
-
-/* this bit generation routine is described in PKCS 12 and the proposed
- * extensions to PKCS 5.  an initial hash is generated following the
- * instructions laid out in PKCS 5.  If the number of bits generated is
- * insufficient, then the method discussed in the proposed extensions to
- * PKCS 5 in PKCS 12 are used.  This extension makes use of the HMAC
- * function.  And the P_Hash function from the TLS standard.
- */
-static SECItem *
-nsspkcs5_PFXPBE(const SECHashObject *hashObj, NSSPKCS5PBEParameter *pbe_param,
-				SECItem *init_hash, unsigned int bytes_needed)
-{
-    SECItem *ret_bits = NULL;
-    int hash_size = 0;
-    unsigned int i;
-    unsigned int hash_iter;
-    unsigned int dig_len;
-    SECStatus rv = SECFailure;
-    unsigned char *state = NULL;
-    unsigned int state_len;
-    HMACContext *cx = NULL;
-
-    hash_size = hashObj->length;
-    hash_iter = (bytes_needed + (unsigned int)hash_size - 1) / hash_size;
-
-    /* allocate return buffer */
-    ret_bits = (SECItem  *)PORT_ZAlloc(sizeof(SECItem));
-    if(ret_bits == NULL)
-	return NULL;
-    ret_bits->data = (unsigned char *)PORT_ZAlloc((hash_iter * hash_size) + 1);
-    ret_bits->len = (hash_iter * hash_size);
-    if(ret_bits->data == NULL) {
-	PORT_Free(ret_bits);
-	return NULL;
-    }
-
-    /* allocate intermediate hash buffer.  8 is for the 8 bytes of
-     * data which are added based on iteration number 
-     */
-
-    if ((unsigned int)hash_size > pbe_param->salt.len) {
-	state_len = hash_size;
-    } else {
-	state_len = pbe_param->salt.len;
-    }
-    state = (unsigned char *)PORT_ZAlloc(state_len);
-    if(state == NULL) {
-	rv = SECFailure;
-	goto loser;
-    }
-    if(pbe_param->salt.len > 0) {
-	PORT_Memcpy(state, pbe_param->salt.data, pbe_param->salt.len);
-    }
-
-    cx = HMAC_Create(hashObj, init_hash->data, init_hash->len, PR_TRUE);
-    if (cx == NULL) {
-	rv = SECFailure;
-	goto loser;
-    }
-
-    for(i = 0; i < hash_iter; i++) { 
-
-	/* generate output bits */
-	HMAC_Begin(cx);
-	HMAC_Update(cx, state, state_len);
-	HMAC_Update(cx, pbe_param->salt.data, pbe_param->salt.len);
-	rv = HMAC_Finish(cx, ret_bits->data + (i * hash_size),
-			 &dig_len, hash_size);
-	if (rv != SECSuccess)
-	    goto loser;
-	PORT_Assert((unsigned int)hash_size == dig_len);
-
-	/* generate new state */
-	HMAC_Begin(cx);
-	HMAC_Update(cx, state, state_len);
-	rv = HMAC_Finish(cx, state, &state_len, state_len);
-	if (rv != SECSuccess)
-	    goto loser;
-	PORT_Assert(state_len == dig_len);
-    }
-
-loser:
-    if (state != NULL)
-	PORT_ZFree(state, state_len);
-    HMAC_Destroy(cx, PR_TRUE);
-
-    if(rv != SECSuccess) {
-	SECITEM_ZfreeItem(ret_bits, PR_TRUE);
-	ret_bits = NULL;
-    }
-
-    return ret_bits;
-}
-
-/* generate bits for the key and iv determination.  if enough bits
- * are not generated using PKCS 5, then we need to generate more bits
- * based on the extension proposed in PKCS 12
- */
-static SECItem *
-nsspkcs5_PBKDF1Extended(const SECHashObject *hashObj,
-	 NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem, PRBool faulty3DES)
-{
-    SECItem * hash 		= NULL;
-    SECItem * newHash 		= NULL;
-    int       bytes_needed;
-    int       bytes_available;
-    
-    bytes_needed = pbe_param->ivLen + pbe_param->keyLen;
-    bytes_available = hashObj->length;
-    
-    hash = nsspkcs5_PBKDF1(hashObj, &pbe_param->salt, pwitem, 
-						pbe_param->iter, faulty3DES);
-
-    if(hash == NULL) {
-	return NULL;
-    }
-
-    if(bytes_needed <= bytes_available) {
-	return hash;
-    } 
-
-    newHash = nsspkcs5_PFXPBE(hashObj, pbe_param, hash, bytes_needed);
-    if (hash != newHash)
-	SECITEM_FreeItem(hash, PR_TRUE);
-    return newHash;
-}
-
-#ifdef PBKDF2
-
-/*
- * PBDKDF2 is PKCS #5 v2.0 it's currently not used by NSS
- */
-/*
- * We This is safe because hLen for all our
- * HMAC algorithms are multiples of 4.
- */
-static void
-xorbytes(unsigned char *dest, unsigned char *src, int len)
-{
-#ifdef PARANOIA
-    while (len--) {
-    	*dest = *dest ^ *src;
-	dest++;
-	src++;
-    }
-#else
-    PRUInt32 dest32 = (PRUInt32 *)dest;
-    PRUInt32 src32 = (PRUInt32 *)dest;
-    while (len -= sizeof(PRUInt32)) {
-    	*dest32 = *dest32 ^ *src32;
-	dest++;
-	src++;
-    }
-#endif
-}
-
-static SECStatus
-nsspkcs5_PBKFD2_F(const SECHashObject *hashobj, SECItem *pwitem, SECItem *salt,
-			int iterations, unsigned int i, unsigned char *T)
-{
-    int j;
-    HMACContext *cx = NULL;
-    unsigned int hLen = hashObject->length
-    SECStatus rv = SECFailure;
-    unsigned char *last = NULL;
-    int lastLength = salt->len + 4;
-
-    cx=HMAC_Create(hashobj,pwitem->data,pwitem->len,PR_TRUE);
-    if (cx == NULL) {
-	goto loser;
-    }
-    PORT_Memset(T,0,hLen);
-    realLastLength= MAX(lastLength,hLen);
-    last = PORT_Alloc(realLastLength);
-    if (last == NULL) {
-	goto loser;
-    }
-    PORT_Memcpy(last,salt.data,salt.len);
-    last[salt->len  ] = (i >> 24) & 0xff;
-    last[salt->len+1] = (i >> 16) & 0xff;
-    last[salt->len+2] = (i >> 8) & 0xff;
-    last[salt->len+3] =    i  & 0xff;
-
-    /* NOTE: we need at least one iteration to return success! */
-    for (j=0; j < interations; j++) {
-	rv =HMAC_Begin(cx);
-	if (rv !=SECSuccess) {
-	   break;
-	}
-	HMAC_Update(cx,last,lastLength);
-	rv =HMAC_Finish(cx,last,&lastLength,hLen);
-	if (rv !=SECSuccess) {
-	   break;
-	}
-	do_xor(T,last,hLen);
-    }
-loser:
-    if (cx) {
-	HMAC_DestroyContext(cx, PR_TRUE);
-    }
-    if (last) {
-	PORT_ZFree(last,reaLastLength);
-    }
-    return rv;
-}
-
-static SECItem *
-nsspkcs5_PBKFD2(const SECHashObject *hashObj, NSSPKCS5PBEParameter *pbe_param, 
-							SECItem *pwitem)
-{
-    unsigned int dkLen = bytesNeeded;
-    unsigned int hLen = hashObject->length
-    unsigned int l = (dkLen+hLen-1) / hLen;
-    unsigned char *rp;
-    SECItem *result;
-    SECItem *salt = pbe_param->salt;
-    int interations = pbe_param->iter;
-    int bytesNeeded = pbe_param->keyLen;
-
-    result = SECITEM_AllocItem(NULL,NULL,l*hLen);
-    if (result == NULL) {
-	return NULL;
-    }
-
-    T = PORT_Alloc(hLen);
-    if (T == NULL) {
-	goto loser;
-    }
-
-    for (i=0,rp=results->data; i < l ; i++, rp +=hLen) {
-	rv = nsspkcs5_PBKFD2_F(hashobj,pwitem,salt,iterations,i,T);
-	if (rv != SECSuccess) {
-	    break;
-	}
-	PORT_Memcpy(rp,T,hLen);
-    }
-
-loser:
-    if (T) {
-	PORT_ZFree(T);
-    }
-    if (rv != SECSuccess) {
-	SECITEM_FreeITEM(result,PR_TRUE);
-	result = NULL;
-    } else {
-	result->len = dkLen;
-    }
-	
-    return result;
-}
-#endif
-
-#define HMAC_BUFFER 64
-#define NSSPBE_ROUNDUP(x,y) ((((x)+((y)-1))/(y))*(y))
-#define NSSPBE_MIN(x,y) ((x) < (y) ? (x) : (y))
-/*
- * This is the extended PBE function defined by the final PKCS #12 spec.
- */
-static SECItem *
-nsspkcs5_PKCS12PBE(const SECHashObject *hashObject, 
-		   NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem, 
-		   PBEBitGenID bitGenPurpose, unsigned int bytesNeeded)
-{
-    PRArenaPool *arena = NULL;
-    unsigned int SLen,PLen;
-    unsigned int hashLength = hashObject->length;
-    unsigned char *S, *P;
-    SECItem *A = NULL, B, D, I;
-    SECItem *salt = &pbe_param->salt;
-    unsigned int c,i = 0;
-    unsigned int hashLen;
-    int iter;
-    unsigned char *iterBuf;
-    void *hash = NULL;
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if(!arena) {
-	return NULL;
-    }
-
-    /* how many hash object lengths are needed */
-    c = (bytesNeeded + (hashLength-1))/hashLength;
-
-    /* initialize our buffers */
-    D.len = HMAC_BUFFER;
-    /* B and D are the same length, use one alloc go get both */
-    D.data = (unsigned char*)PORT_ArenaZAlloc(arena, D.len*2);
-    B.len = D.len;
-    B.data = D.data + D.len;
-
-    /* if all goes well, A will be returned, so don't use our temp arena */
-    A = SECITEM_AllocItem(NULL,NULL,c*hashLength);
-    if (A == NULL) {
-	goto loser;
-    }
-    
-    SLen = NSSPBE_ROUNDUP(salt->len,HMAC_BUFFER);
-    PLen = NSSPBE_ROUNDUP(pwitem->len,HMAC_BUFFER);
-    I.len = SLen+PLen;
-    I.data = (unsigned char*)PORT_ArenaZAlloc(arena, I.len);
-    if (I.data == NULL) {
-	goto loser;
-    }
-
-    /* S & P are only used to initialize I */
-    S = I.data;
-    P = S + SLen;
-
-    PORT_Memset(D.data, (char)bitGenPurpose, D.len);
-    if (SLen) {
-	for (i=0; i < SLen; i += salt->len) {
-	    PORT_Memcpy(S+i, salt->data, NSSPBE_MIN(SLen-i,salt->len));
-	}
-    } 
-    if (PLen) {
-	for (i=0; i < PLen; i += pwitem->len) {
-	    PORT_Memcpy(P+i, pwitem->data, NSSPBE_MIN(PLen-i,pwitem->len));
-	}
-    } 
-
-    iterBuf = (unsigned char*)PORT_ArenaZAlloc(arena,hashLength);
-    if (iterBuf == NULL) {
-	goto loser;
-    }
-
-    hash = hashObject->create();
-    if(!hash) {
-	goto loser;
-    }
-    /* calculate the PBE now */
-    for(i = 0; i < c; i++) {
-	int Bidx;	/* must be signed or the for loop won't terminate */
-	unsigned int k, j;
-	unsigned char *Ai = A->data+i*hashLength;
-
-
-	for(iter = 0; iter < pbe_param->iter; iter++) {
-	    hashObject->begin(hash);
-
-	    if (iter) {
-		hashObject->update(hash, iterBuf, hashLen);
-	    } else {
-		hashObject->update(hash, D.data, D.len);
-		hashObject->update(hash, I.data, I.len); 
-	    }
-
-	    hashObject->end(hash, iterBuf, &hashLen, hashObject->length);
-	    if(hashLen != hashObject->length) {
-		break;
-	    }
-	}
-
-	PORT_Memcpy(Ai, iterBuf, hashLength);
-	for (Bidx = 0; Bidx < B.len; Bidx += hashLength) {
-	    PORT_Memcpy(B.data+Bidx,iterBuf,NSSPBE_MIN(B.len-Bidx,hashLength));
-	}
-
-	k = I.len/B.len;
-	for(j = 0; j < k; j++) {
-	    unsigned int q, carryBit;
-	    unsigned char *Ij = I.data + j*B.len;
-
-	    /* (Ij = Ij+B+1) */
-	    for (Bidx = (B.len-1), q=1, carryBit=0; Bidx >= 0; Bidx--,q=0) {
-		q += (unsigned int)Ij[Bidx];
-		q += (unsigned int)B.data[Bidx];
-		q += carryBit;
-
-		carryBit = (q > 0xff);
-		Ij[Bidx] = (unsigned char)(q & 0xff);
-	    }
-	}
-    }
-loser:
-    if (hash) {
-    	hashObject->destroy(hash, PR_TRUE);
-    }
-    if(arena) {
-	PORT_FreeArena(arena, PR_TRUE);
-    }
-
-    /* if i != c, then we didn't complete the loop above and must of failed
-     * somwhere along the way */
-    if (i != c) {
-	SECITEM_ZfreeItem(A,PR_TRUE);
-	A = NULL;
-    } else {
-    	A->len = bytesNeeded;
-    }
-    
-    return A;
-}
-
-/*
- * generate key as per PKCS 5
- */
-SECItem *
-nsspkcs5_ComputeKeyAndIV(NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem,
-		      SECItem *iv, PRBool faulty3DES)
-{
-    SECItem *hash = NULL, *key = NULL;
-    const SECHashObject *hashObj;
-    PRBool getIV = PR_FALSE;
-
-    if((pbe_param == NULL) || (pwitem == NULL)) {
-	return NULL;
-    }
-
-    key = SECITEM_AllocItem(NULL,NULL,pbe_param->keyLen);
-    if (key == NULL) {
-	return NULL;
-    }
-
-    if ((pbe_param->ivLen) && (iv->data == NULL)) {
-	getIV = PR_TRUE;
-    	iv->data = (unsigned char *)PORT_Alloc(pbe_param->ivLen);
-    	if (iv->data == NULL) {
-	    goto loser;
-	}
-	iv->len = pbe_param->ivLen;
-    }
-
-    hashObj = HASH_GetRawHashObject(pbe_param->hashType);
-    switch (pbe_param->pbeType) {
-    case NSSPKCS5_PBKDF1:
-	hash = nsspkcs5_PBKDF1Extended(hashObj,pbe_param,pwitem,faulty3DES);
-	if (hash == NULL) {
-	    goto loser;
-	}
-	PORT_Assert(hash->len >= key->len+iv->len);
-	if (getIV) {
-	    PORT_Memcpy(iv->data, hash->data+(hash->len - iv->len),iv->len);
-	}
-    	break;
-#ifdef PBKDF2
-    case NSSPKCS5_PBKDF2:
-	hash = nsspkcs5_PBKDF2(hashObj,pbe_param,pwitem);
-	PORT_Assert(!getIV);
-    	break;
-#endif
-    case NSSPKCS5_PKCS12_V2:
-	if (getIV) {
-	    hash = nsspkcs5_PKCS12PBE(hashObj,pbe_param,pwitem,
-						pbeBitGenCipherIV,iv->len);
-	    if (hash == NULL) {
-		goto loser;
-	    }
-	    PORT_Memcpy(iv->data,hash->data,iv->len);
-	    SECITEM_ZfreeItem(hash,PR_TRUE);
-	    hash = NULL;
-	}
-	hash = nsspkcs5_PKCS12PBE(hashObj,pbe_param,pwitem,
-						pbe_param->keyID,key->len);
-    default:
-	break;
-    }
-
-    if (hash == NULL) {
-	goto loser;
-    }
-
-    if (pbe_param->is2KeyDES) {
-	PORT_Memcpy(key->data, hash->data, (key->len * 2) / 3);
-	PORT_Memcpy(&(key->data[(key->len  * 2) / 3]), key->data,
-		    key->len / 3);
-    } else {
-	PORT_Memcpy(key->data, hash->data, key->len);
-    }
-
-    SECITEM_FreeItem(hash, PR_TRUE);
-    return key;
-
-loser:
-    if (getIV && iv->data) {
-	PORT_ZFree(iv->data,iv->len);
-	iv->data = NULL;
-    }
-
-    SECITEM_ZfreeItem(key, PR_TRUE);
-    return NULL;
-}
-
-static SECStatus
-nsspkcs5_FillInParam(SECOidTag algorithm, NSSPKCS5PBEParameter *pbe_param)
-{
-    PRBool skipType = PR_FALSE;
-
-    pbe_param->keyLen = 5;
-    pbe_param->ivLen = 8;
-    pbe_param->hashType = HASH_AlgSHA1;
-    pbe_param->pbeType = NSSPKCS5_PBKDF1;
-    pbe_param->encAlg = SEC_OID_RC2_CBC;
-    pbe_param->is2KeyDES = PR_FALSE;
-    switch(algorithm) {
-    /* DES3 Algorithms */
-    case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC:
-	pbe_param->is2KeyDES = PR_TRUE;
-	/* fall through */
-    case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC:
-	pbe_param->pbeType = NSSPKCS5_PKCS12_V2;
-	/* fall through */
-    case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC:
-	pbe_param->keyLen = 24;
-	pbe_param->encAlg = SEC_OID_DES_EDE3_CBC;
-	break;
-
-    /* DES Algorithms */
-    case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
-    	pbe_param->hashType = HASH_AlgMD2;
-	goto finish_des;
-    case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
-    	pbe_param->hashType = HASH_AlgMD5;
-	/* fall through */
-    case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC:
-finish_des:
-	pbe_param->keyLen = 8;
-	pbe_param->encAlg =  SEC_OID_DES_CBC;
-	break;
-
-    /* RC2 Algorithms */
-    case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
-	pbe_param->keyLen = 16;
-	/* fall through */
-    case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
-	pbe_param->pbeType = NSSPKCS5_PKCS12_V2;
-	break;
-    case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
-	pbe_param->keyLen = 16;
-	/* fall through */
-    case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
-	break;
-
-    /* RC4 algorithms */
-    case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4:
-	skipType = PR_TRUE;
-	/* fall through */
-    case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4:
-	pbe_param->keyLen = 16;
-	/* fall through */
-    case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4:
-	if (!skipType) {
-    	    pbe_param->pbeType = NSSPKCS5_PKCS12_V2;
-	}
-	/* fall through */
-    case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4:
-        pbe_param->ivLen = 0;
-        pbe_param->encAlg =  SEC_OID_RC4;
-        break;
-    default:
-        return SECFailure;
-    }
-
-    return SECSuccess;
-}
-
-/* decode the algid and generate a PKCS 5 parameter from it
- */
-NSSPKCS5PBEParameter *
-nsspkcs5_NewParam(SECOidTag alg, SECItem *salt, int iterator)
-{
-    PRArenaPool *arena = NULL;
-    NSSPKCS5PBEParameter *pbe_param = NULL;
-    SECStatus rv = SECFailure;
-
-    arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
-    if (arena == NULL)
-	return NULL;
-
-    /* allocate memory for the parameter */
-    pbe_param = (NSSPKCS5PBEParameter *)PORT_ArenaZAlloc(arena, 
-	sizeof(NSSPKCS5PBEParameter));
-
-    if (pbe_param == NULL) {
-	goto loser;
-    }
-
-    pbe_param->poolp = arena;
-
-    rv = nsspkcs5_FillInParam(alg, pbe_param);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-
-    pbe_param->iter = iterator;
-    if (salt) {
-	rv = SECITEM_CopyItem(arena,&pbe_param->salt,salt);
-    }
-
-    /* default key gen */
-    pbe_param->keyID = pbeBitGenCipherKey;
-
-loser:
-    if (rv != SECSuccess) {
-	PORT_FreeArena(arena, PR_TRUE);
-	pbe_param = NULL;
-    }
-
-    return pbe_param;
-}
-
-/* decode the algid and generate a PKCS 5 parameter from it
- */
-NSSPKCS5PBEParameter *
-nsspkcs5_AlgidToParam(SECAlgorithmID *algid)
-{
-    NSSPKCS5PBEParameter *pbe_param = NULL;
-    SECOidTag algorithm;
-    SECStatus rv = SECFailure;
-
-    if (algid == NULL) {
-	return NULL;
-    }
-
-    algorithm = SECOID_GetAlgorithmTag(algid);
-    if (algorithm == SEC_OID_UNKNOWN) {
-	goto loser;
-    }
-
-    pbe_param = nsspkcs5_NewParam(algorithm, NULL, 1);
-    if (pbe_param == NULL) {
-	goto loser;
-    }
-
-    /* decode parameter */
-    rv = SECFailure;
-    switch (pbe_param->pbeType) {
-    case NSSPKCS5_PBKDF1:
-	rv = SEC_ASN1DecodeItem(pbe_param->poolp, pbe_param, 
-	    NSSPKCS5PBEParameterTemplate, &algid->parameters);
-	break;
-    case NSSPKCS5_PKCS12_V2:
-	rv = SEC_ASN1DecodeItem(pbe_param->poolp, pbe_param, 
-		NSSPKCS5PKCS12V2PBEParameterTemplate, &algid->parameters);
-	break;
-    case NSSPKCS5_PBKDF2:
-	break;
-    }
-
-loser:
-    if (rv == SECSuccess) {
-    	pbe_param->iter = DER_GetInteger(&pbe_param->iteration);
-    } else {
-	nsspkcs5_DestroyPBEParameter(pbe_param);
-	pbe_param = NULL;
-    }
-
-    return pbe_param;
-}
-
-/* destroy a pbe parameter.  it assumes that the parameter was 
- * generated using the appropriate create function and therefor
- * contains an arena pool.
- */
-void 
-nsspkcs5_DestroyPBEParameter(NSSPKCS5PBEParameter *pbe_param)
-{
-    if (pbe_param != NULL) {
-	PORT_FreeArena(pbe_param->poolp, PR_TRUE);
-    }
-}
-
-
-/* crypto routines */
-/* perform DES encryption and decryption.  these routines are called
- * by nsspkcs5_CipherData.  In the case of an error, NULL is returned.
- */
-static SECItem *
-sec_pkcs5_des(SECItem *key, SECItem *iv, SECItem *src, PRBool triple_des, 
-								PRBool encrypt)
-{
-    SECItem *dest;
-    SECItem *dup_src;
-    SECStatus rv = SECFailure;
-    int pad;
-
-    if((src == NULL) || (key == NULL) || (iv == NULL))
-	return NULL;
-
-    dup_src = SECITEM_DupItem(src);
-    if(dup_src == NULL) {
-	return NULL;
-    }
-
-    if(encrypt != PR_FALSE) {
-	void *dummy;
-
-	dummy = DES_PadBuffer(NULL, dup_src->data, 
-	    dup_src->len, &dup_src->len);
-	if(dummy == NULL) {
-	    SECITEM_FreeItem(dup_src, PR_TRUE);
-	    return NULL;
-	}
-	dup_src->data = (unsigned char*)dummy;
-    }
-
-    dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
-    if(dest != NULL) {
-	/* allocate with over flow */
-	dest->data = (unsigned char *)PORT_ZAlloc(dup_src->len + 64);
-	if(dest->data != NULL) {
-	    DESContext *ctxt;
-	    ctxt = DES_CreateContext(key->data, iv->data, 
-			(triple_des ? NSS_DES_EDE3_CBC : NSS_DES_CBC), 
-			encrypt);
-	
-	    if(ctxt != NULL) {
-		rv = (encrypt ? DES_Encrypt : DES_Decrypt)(
-			ctxt, dest->data, &dest->len,
-			dup_src->len + 64, dup_src->data, dup_src->len);
-
-		/* remove padding -- assumes 64 bit blocks */
-		if((encrypt == PR_FALSE) && (rv == SECSuccess)) {
-		    pad = dest->data[dest->len-1];
-		    if((pad > 0) && (pad <= 8)) {
-			if(dest->data[dest->len-pad] != pad) {
-			    rv = SECFailure;
-			    PORT_SetError(SEC_ERROR_BAD_PASSWORD);
-			} else {
-			    dest->len -= pad;
-			}
-		    } else {
-			rv = SECFailure;
-			PORT_SetError(SEC_ERROR_BAD_PASSWORD);
-		    }
-		}
-		DES_DestroyContext(ctxt, PR_TRUE);
-	    }
-	}
-    }
-
-    if(rv == SECFailure) {
-	if(dest != NULL) {
-	    SECITEM_FreeItem(dest, PR_TRUE);
-	}
-	dest = NULL;
-    }
-
-    if(dup_src != NULL) {
-	SECITEM_FreeItem(dup_src, PR_TRUE);
-    }
-
-    return dest;
-}
-
-/* perform rc2 encryption/decryption if an error occurs, NULL is returned
- */
-static SECItem *
-sec_pkcs5_rc2(SECItem *key, SECItem *iv, SECItem *src, PRBool dummy, 
-								PRBool encrypt)
-{
-    SECItem *dest;
-    SECItem *dup_src;
-    SECStatus rv = SECFailure;
-    int pad;
-
-    if((src == NULL) || (key == NULL) || (iv == NULL)) {
-	return NULL;
-    }
-
-    dup_src = SECITEM_DupItem(src);
-    if(dup_src == NULL) {
-	return NULL;
-    }
-
-    if(encrypt != PR_FALSE) {
-	void *dummy;
-
-	dummy = DES_PadBuffer(NULL, dup_src->data, 
-			      dup_src->len, &dup_src->len);
-	if(dummy == NULL) {
-	    SECITEM_FreeItem(dup_src, PR_TRUE);
-	    return NULL;
-	}
-	dup_src->data = (unsigned char*)dummy;
-    }
-
-    dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
-    if(dest != NULL) {
-	dest->data = (unsigned char *)PORT_ZAlloc(dup_src->len + 64);
-	if(dest->data != NULL) {
-	    RC2Context *ctxt;
-
-	    ctxt = RC2_CreateContext(key->data, key->len, iv->data,
-					 	NSS_RC2_CBC, key->len);
-
-	    if(ctxt != NULL) {
-		rv = (encrypt ? RC2_Encrypt: RC2_Decrypt)(
-			ctxt, dest->data, &dest->len,
-			dup_src->len + 64, dup_src->data, dup_src->len);
-
-		/* assumes 8 byte blocks  -- remove padding */	
-		if((rv == SECSuccess) && (encrypt != PR_TRUE)) {
-		    pad = dest->data[dest->len-1];
-		    if((pad > 0) && (pad <= 8)) {
-			if(dest->data[dest->len-pad] != pad) {
-			    PORT_SetError(SEC_ERROR_BAD_PASSWORD);
-			    rv = SECFailure;
-			} else {
-			    dest->len -= pad;
-			}
-		    } else {
-			PORT_SetError(SEC_ERROR_BAD_PASSWORD);
-			rv = SECFailure;
-		    }
-		}
-
-	    }
-	}
-    }
-
-    if((rv != SECSuccess) && (dest != NULL)) {
-	SECITEM_FreeItem(dest, PR_TRUE);
-	dest = NULL;
-    }
-
-    if(dup_src != NULL) {
-	SECITEM_FreeItem(dup_src, PR_TRUE);
-    }
-
-    return dest;
-}
-
-/* perform rc4 encryption and decryption */
-static SECItem *
-sec_pkcs5_rc4(SECItem *key, SECItem *iv, SECItem *src, PRBool dummy_op,
-								 PRBool encrypt)
-{
-    SECItem *dest;
-    SECStatus rv = SECFailure;
-
-    if((src == NULL) || (key == NULL) || (iv == NULL)) {
-	return NULL;
-    }
-
-    dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
-    if(dest != NULL) {
-	dest->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char) *
-	    (src->len + 64));
-	if(dest->data != NULL) {
-	    RC4Context *ctxt;
-
-	    ctxt = RC4_CreateContext(key->data, key->len);
-	    if(ctxt) { 
-		rv = (encrypt ? RC4_Encrypt : RC4_Decrypt)(
-				ctxt, dest->data, &dest->len,
-				src->len + 64, src->data, src->len);
-		RC4_DestroyContext(ctxt, PR_TRUE);
-	    }
-	}
-    }
-
-    if((rv != SECSuccess) && (dest)) {
-	SECITEM_FreeItem(dest, PR_TRUE);
-	dest = NULL;
-    }
-
-    return dest;
-}
-/* function pointer template for crypto functions */
-typedef SECItem *(* pkcs5_crypto_func)(SECItem *key, SECItem *iv,
-                                         SECItem *src, PRBool op1, PRBool op2);
-
-/* performs the cipher operation on the src and returns the result.
- * if an error occurs, NULL is returned. 
- *
- * a null length password is allowed.  this corresponds to encrypting
- * the data with ust the salt.
- */
-/* change this to use PKCS 11? */
-SECItem *
-nsspkcs5_CipherData(NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem, 
-		    SECItem *src, PRBool encrypt, PRBool *update)
-{
-    SECItem *key = NULL, iv;
-    SECItem *dest = NULL;
-    PRBool tripleDES = PR_TRUE;
-    pkcs5_crypto_func cryptof;
-
-    iv.data = NULL;
-
-    if (update) { 
-        *update = PR_FALSE;
-    }
-
-    if ((pwitem == NULL) || (src == NULL)) {
-	return NULL;
-    }
-
-    /* get key, and iv */
-    key = nsspkcs5_ComputeKeyAndIV(pbe_param, pwitem, &iv, PR_FALSE);
-    if(key == NULL) {
-	return NULL;
-    }
-
-    switch(pbe_param->encAlg) {
-    case SEC_OID_DES_EDE3_CBC:
-	cryptof = sec_pkcs5_des;
-	tripleDES = PR_TRUE;
-	break;
-    case SEC_OID_DES_CBC:
-	cryptof = sec_pkcs5_des;
-	tripleDES = PR_FALSE;
-	break;
-    case SEC_OID_RC2_CBC:
-	cryptof = sec_pkcs5_rc2;
-	break;
-    case SEC_OID_RC4:
-	cryptof = sec_pkcs5_rc4;
-	break;
-    default:
-	cryptof = NULL;
-	break;
-    }
-
-    if (cryptof == NULL) {
-	goto loser;
-    }
-
-    dest = (*cryptof)(key, &iv, src, tripleDES, encrypt);
-    /* 
-     * it's possible for some keys and keydb's to claim to
-     * be triple des when they're really des. In this case
-     * we simply try des. If des works we set the update flag
-     * so the key db knows it needs to update all it's entries.
-     *  The case can only happen on decrypted of a 
-     *  SEC_OID_DES_EDE3_CBD.
-     */
-    if ((dest == NULL) && (encrypt == PR_FALSE) && 
-				(pbe_param->encAlg == SEC_OID_DES_EDE3_CBC)) {
-	dest = (*cryptof)(key, &iv, src, PR_FALSE, encrypt);
-	if (update && (dest != NULL)) *update = PR_TRUE;
-    }
-
-loser:
-    if (key != NULL) {
-	SECITEM_ZfreeItem(key, PR_TRUE);
-    }
-    if (iv.data != NULL) {
-	SECITEM_ZfreeItem(&iv, PR_FALSE);
-    }
-
-    return dest;
-}
-
-/* creates a algorithm ID containing the PBE algorithm and appropriate
- * parameters.  the required parameter is the algorithm.  if salt is
- * not specified, it is generated randomly.  if IV is specified, it overrides
- * the PKCS 5 generation of the IV.  
- *
- * the returned SECAlgorithmID should be destroyed using 
- * SECOID_DestroyAlgorithmID
- */
-SECAlgorithmID *
-nsspkcs5_CreateAlgorithmID(PRArenaPool *arena, SECOidTag algorithm, 
-					NSSPKCS5PBEParameter *pbe_param)
-{
-    SECAlgorithmID *algid, *ret_algid = NULL;
-    SECItem der_param;
-    SECStatus rv = SECFailure;
-    void *dummy = NULL;
-
-    if (arena == NULL) {
-	return NULL;
-    }
-
-    der_param.data = NULL;
-    der_param.len = 0;
-
-    /* generate the algorithm id */
-    algid = (SECAlgorithmID *)PORT_ArenaZAlloc(arena, sizeof(SECAlgorithmID));
-    if (algid == NULL) {
-	goto loser;
-    }
-
-    if (pbe_param->iteration.data == NULL) {
-	dummy = SEC_ASN1EncodeInteger(pbe_param->poolp,&pbe_param->iteration,
-								pbe_param->iter);
-	if (dummy == NULL) {
-	    goto loser;
-	}
-    }
-    switch (pbe_param->pbeType) {
-    case NSSPKCS5_PBKDF1:
-	dummy = SEC_ASN1EncodeItem(arena, &der_param, pbe_param,
-					NSSPKCS5PBEParameterTemplate);
-	break;
-    case NSSPKCS5_PKCS12_V2:
-	dummy = SEC_ASN1EncodeItem(arena, &der_param, pbe_param,
-	    				NSSPKCS5PKCS12V2PBEParameterTemplate);
-	break;
-    default:
-	break;
-    }
-
-    if (dummy == NULL) {
-	goto loser;
-    }
-	
-    rv = SECOID_SetAlgorithmID(arena, algid, algorithm, &der_param);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-
-    ret_algid = (SECAlgorithmID *)PORT_ZAlloc(sizeof(SECAlgorithmID));
-    if (ret_algid == NULL) {
-	goto loser;
-    }
-
-    rv = SECOID_CopyAlgorithmID(NULL, ret_algid, algid);
-    if (rv != SECSuccess) {
-	SECOID_DestroyAlgorithmID(ret_algid, PR_TRUE);
-	ret_algid = NULL;
-    }
-
-loser:	
-
-    return ret_algid;
-}
diff --git a/security/nss/lib/softoken/lowpbe.h b/security/nss/lib/softoken/lowpbe.h
deleted file mode 100644
index 32e1e1169..000000000
--- a/security/nss/lib/softoken/lowpbe.h
+++ /dev/null
@@ -1,135 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef _SECPKCS5_H_
-#define _SECPKCS5_H_
-
-#include "plarena.h"
-#include "secitem.h"
-#include "seccomon.h"
-#include "secoidt.h"
-#include "hasht.h"
-
-typedef SECItem * (* SEC_PKCS5GetPBEPassword)(void *arg);
-
-/* used for V2 PKCS 12 Draft Spec */ 
-typedef enum {
-    pbeBitGenIDNull = 0,
-    pbeBitGenCipherKey = 0x01,
-    pbeBitGenCipherIV = 0x02,
-    pbeBitGenIntegrityKey = 0x03
-} PBEBitGenID;
-
-typedef enum {
-    NSSPKCS5_PBKDF1 = 0,
-    NSSPKCS5_PBKDF2 = 1,
-    NSSPKCS5_PKCS12_V2 = 2
-} NSSPKCS5PBEType;
-
-typedef struct NSSPKCS5PBEParameterStr NSSPKCS5PBEParameter;
-
-struct NSSPKCS5PBEParameterStr {
-    PRArenaPool *poolp;
-    SECItem	salt;		/* octet string */
-    SECItem	iteration;	/* integer */
-
-    /* used locally */
-    int		iter;
-    int 	keyLen;
-    int		ivLen;
-    HASH_HashType hashType;
-    NSSPKCS5PBEType pbeType;
-    PBEBitGenID	keyID;
-    SECOidTag	encAlg;
-    PRBool	is2KeyDES;
-};
-
-
-SEC_BEGIN_PROTOS
-/* Create a PKCS5 Algorithm ID
- * The algorithm ID is set up using the PKCS #5 parameter structure
- *  algorithm is the PBE algorithm ID for the desired algorithm
- *  pbe is a pbe param block with all the info needed to create the 
- *   algorithm id.
- * If an error occurs or the algorithm specified is not supported 
- * or is not a password based encryption algorithm, NULL is returned.
- * Otherwise, a pointer to the algorithm id is returned.
- */
-extern SECAlgorithmID *
-nsspkcs5_CreateAlgorithmID(PRArenaPool *arena, SECOidTag algorithm, 
-						NSSPKCS5PBEParameter *pbe);
-
-/*
- * Convert an Algorithm ID to a PBE Param.
- * NOTE: this does not suppport PKCS 5 v2 because it's only used for the
- * keyDB which only support PKCS 5 v1, PFX, and PKCS 12.
- */
-NSSPKCS5PBEParameter *
-nsspkcs5_AlgidToParam(SECAlgorithmID *algid);
-
-/*
- * Convert an Algorithm ID to a PBE Param.
- * NOTE: this does not suppport PKCS 5 v2 because it's only used for the
- * keyDB which only support PKCS 5 v1, PFX, and PKCS 12.
- */
-NSSPKCS5PBEParameter *
-nsspkcs5_NewParam(SECOidTag alg, SECItem *salt, int iterator);
-
-
-/* Encrypt/Decrypt data using password based encryption.  
- *  algid is the PBE algorithm identifier,
- *  pwitem is the password,
- *  src is the source for encryption/decryption,
- *  encrypt is PR_TRUE for encryption, PR_FALSE for decryption.
- * The key and iv are generated based upon PKCS #5 then the src
- * is either encrypted or decrypted.  If an error occurs, NULL
- * is returned, otherwise the ciphered contents is returned.
- */
-extern SECItem *
-nsspkcs5_CipherData(NSSPKCS5PBEParameter *, SECItem *pwitem,
-		    SECItem *src, PRBool encrypt, PRBool *update);
-
-extern SECItem *
-nsspkcs5_ComputeKeyAndIV(NSSPKCS5PBEParameter *, SECItem *pwitem,
-		    			SECItem *iv, PRBool faulty3DES);
-
-/* Destroys PBE parameter */
-extern void
-nsspkcs5_DestroyPBEParameter(NSSPKCS5PBEParameter *param);
-
-SEC_END_PROTOS
-
-#endif
diff --git a/security/nss/lib/softoken/manifest.mn b/security/nss/lib/softoken/manifest.mn
deleted file mode 100644
index 52d1f75cd..000000000
--- a/security/nss/lib/softoken/manifest.mn
+++ /dev/null
@@ -1,88 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-CORE_DEPTH = ../../..
-
-MODULE = nss
-
-REQUIRES = dbm
-
-LIBRARY_NAME = softokn
-LIBRARY_VERSION = 3
-MAPFILE = $(OBJDIR)/softokn.def
-
-DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" -DSOFTOKEN_LIB_NAME=\"$(notdir $(SHARED_LIBRARY))\"
-
-
-EXPORTS = \
-	pkcs11.h \
-	pkcs11f.h \
-	pkcs11p.h \
-	pkcs11t.h \
-	pkcs11n.h \
-	pkcs11u.h \
-	$(NULL)
-
-PRIVATE_EXPORTS = \
-	pk11pars.h \
-	pkcs11ni.h \
-	$(NULL)
-
-CSRCS = \
-	dbinit.c \
-	dbmshim.c \
-	ecdecode.c \
-	fipstest.c \
-	fipstokn.c \
-	keydb.c    \
-	lowcert.c  \
-	lowkey.c   \
-	lowpbe.c   \
-	padbuf.c   \
-	pcertdb.c \
-	pk11db.c \
-	pkcs11.c   \
-	pkcs11c.c  \
-	pkcs11u.c  \
-	rsawrapr.c  \
-	softkver.c  \
-	tlsprf.c   \
-	$(NULL)
-
-ifdef NSS_ENABLE_ECC
-DEFINES += -DNSS_ENABLE_ECC
-endif
-
diff --git a/security/nss/lib/softoken/padbuf.c b/security/nss/lib/softoken/padbuf.c
deleted file mode 100644
index c37a0469e..000000000
--- a/security/nss/lib/softoken/padbuf.c
+++ /dev/null
@@ -1,80 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#include "blapit.h"
-#include "secport.h"
-#include "secerr.h"
-
-/*
- * Prepare a buffer for DES encryption, growing to the appropriate boundary,
- * filling with the appropriate padding.
- *
- * NOTE: If arena is non-NULL, we re-allocate from there, otherwise
- * we assume (and use) XP memory (re)allocation.
- */
-unsigned char *
-DES_PadBuffer(PRArenaPool *arena, unsigned char *inbuf, unsigned int inlen,
-	      unsigned int *outlen)
-{
-    unsigned char *outbuf;
-    unsigned int   des_len;
-    unsigned int   i;
-    unsigned char  des_pad_len;
-
-    /*
-     * We need from 1 to DES_KEY_LENGTH bytes -- we *always* grow.
-     * The extra bytes contain the value of the length of the padding:
-     * if we have 2 bytes of padding, then the padding is "0x02, 0x02".
-     */
-    des_len = (inlen + DES_KEY_LENGTH) & ~(DES_KEY_LENGTH - 1);
-
-    if (arena != NULL) {
-	outbuf = (unsigned char*)PORT_ArenaGrow (arena, inbuf, inlen, des_len);
-    } else {
-	outbuf = (unsigned char*)PORT_Realloc (inbuf, des_len);
-    }
-
-    if (outbuf == NULL) {
-	PORT_SetError (SEC_ERROR_NO_MEMORY);
-	return NULL;
-    }
-
-    des_pad_len = des_len - inlen;
-    for (i = inlen; i < des_len; i++)
-	outbuf[i] = des_pad_len;
-
-    *outlen = des_len;
-    return outbuf;
-}
diff --git a/security/nss/lib/softoken/pcert.h b/security/nss/lib/softoken/pcert.h
deleted file mode 100644
index a808373d8..000000000
--- a/security/nss/lib/softoken/pcert.h
+++ /dev/null
@@ -1,249 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef _PCERTDB_H_
-#define _PCERTDB_H_
-
-#include "plarena.h"
-#include "prlong.h"
-#include "pcertt.h"
-
-SEC_BEGIN_PROTOS
-
-/*
-** Add a DER encoded certificate to the permanent database.
-**	"derCert" is the DER encoded certificate.
-**	"nickname" is the nickname to use for the cert
-**	"trust" is the trust parameters for the cert
-*/
-SECStatus nsslowcert_AddPermCert(NSSLOWCERTCertDBHandle *handle, 
-			NSSLOWCERTCertificate *cert,
-				char *nickname, NSSLOWCERTCertTrust *trust);
-SECStatus nsslowcert_AddPermNickname(NSSLOWCERTCertDBHandle *dbhandle,
-				NSSLOWCERTCertificate *cert, char *nickname);
-
-SECStatus nsslowcert_DeletePermCertificate(NSSLOWCERTCertificate *cert);
-
-typedef SECStatus (PR_CALLBACK * PermCertCallback)(NSSLOWCERTCertificate *cert,
-                                                   SECItem *k, void *pdata);
-/*
-** Traverse the entire permanent database, and pass the certs off to a
-** user supplied function.
-**	"certfunc" is the user function to call for each certificate
-**	"udata" is the user's data, which is passed through to "certfunc"
-*/
-SECStatus
-nsslowcert_TraversePermCerts(NSSLOWCERTCertDBHandle *handle,
-		      PermCertCallback certfunc,
-		      void *udata );
-
-PRBool
-nsslowcert_CertDBKeyConflict(SECItem *derCert, NSSLOWCERTCertDBHandle *handle);
-
-certDBEntryRevocation *
-nsslowcert_FindCrlByKey(NSSLOWCERTCertDBHandle *handle,
-					 SECItem *crlKey, PRBool isKRL);
-
-SECStatus
-nsslowcert_DeletePermCRL(NSSLOWCERTCertDBHandle *handle,SECItem *derName,
-								PRBool isKRL);
-SECStatus
-nsslowcert_AddCrl(NSSLOWCERTCertDBHandle *handle, SECItem *derCrl ,
-				SECItem *derKey, char *url, PRBool isKRL);
-
-NSSLOWCERTCertDBHandle *nsslowcert_GetDefaultCertDB();
-NSSLOWKEYPublicKey *nsslowcert_ExtractPublicKey(NSSLOWCERTCertificate *);
-
-NSSLOWCERTCertificate *
-nsslowcert_NewTempCertificate(NSSLOWCERTCertDBHandle *handle, SECItem *derCert,
-                        char *nickname, PRBool isperm, PRBool copyDER);
-NSSLOWCERTCertificate *
-nsslowcert_DupCertificate(NSSLOWCERTCertificate *cert);
-void nsslowcert_DestroyCertificate(NSSLOWCERTCertificate *cert);
-void nsslowcert_DestroyTrust(NSSLOWCERTTrust *Trust);
-
-/*
- * Lookup a certificate in the databases without locking
- *	"certKey" is the database key to look for
- *
- * XXX - this should be internal, but pkcs 11 needs to call it during a
- * traversal.
- */
-NSSLOWCERTCertificate *
-nsslowcert_FindCertByKey(NSSLOWCERTCertDBHandle *handle, SECItem *certKey);
-
-/*
- * Lookup trust for a certificate in the databases without locking
- *	"certKey" is the database key to look for
- *
- * XXX - this should be internal, but pkcs 11 needs to call it during a
- * traversal.
- */
-NSSLOWCERTTrust *
-nsslowcert_FindTrustByKey(NSSLOWCERTCertDBHandle *handle, SECItem *certKey);
-
-/*
-** Generate a certificate key from the issuer and serialnumber, then look it
-** up in the database.  Return the cert if found.
-**	"issuerAndSN" is the issuer and serial number to look for
-*/
-extern NSSLOWCERTCertificate *
-nsslowcert_FindCertByIssuerAndSN (NSSLOWCERTCertDBHandle *handle, NSSLOWCERTIssuerAndSN *issuerAndSN);
-
-/*
-** Generate a certificate key from the issuer and serialnumber, then look it
-** up in the database.  Return the cert if found.
-**	"issuerAndSN" is the issuer and serial number to look for
-*/
-extern NSSLOWCERTTrust *
-nsslowcert_FindTrustByIssuerAndSN (NSSLOWCERTCertDBHandle *handle, NSSLOWCERTIssuerAndSN *issuerAndSN);
-
-/*
-** Find a certificate in the database by a DER encoded certificate
-**	"derCert" is the DER encoded certificate
-*/
-extern NSSLOWCERTCertificate *
-nsslowcert_FindCertByDERCert(NSSLOWCERTCertDBHandle *handle, SECItem *derCert);
-
-/* convert an email address to lower case */
-char *nsslowcert_FixupEmailAddr(char *emailAddr);
-
-/*
-** Decode a DER encoded certificate into an NSSLOWCERTCertificate structure
-**      "derSignedCert" is the DER encoded signed certificate
-**      "copyDER" is true if the DER should be copied, false if the
-**              existing copy should be referenced
-**      "nickname" is the nickname to use in the database.  If it is NULL
-**              then a temporary nickname is generated.
-*/
-extern NSSLOWCERTCertificate *
-nsslowcert_DecodeDERCertificate (SECItem *derSignedCert, char *nickname);
-
-SECStatus
-nsslowcert_KeyFromDERCert(PRArenaPool *arena, SECItem *derCert, SECItem *key);
-
-certDBEntrySMime *
-nsslowcert_ReadDBSMimeEntry(NSSLOWCERTCertDBHandle *certHandle,
-							 char *emailAddr);
-void
-nsslowcert_DestroyDBEntry(certDBEntry *entry);
-
-SECStatus
-nsslowcert_OpenCertDB(NSSLOWCERTCertDBHandle *handle, PRBool readOnly,
-		const char *domain, const char *prefix,
-                NSSLOWCERTDBNameFunc namecb, void *cbarg, PRBool openVolatile);
-
-void
-nsslowcert_ClosePermCertDB(NSSLOWCERTCertDBHandle *handle);
-
-/*
- * is certa newer than certb?  If one is expired, pick the other one.
- */
-PRBool
-nsslowcert_IsNewer(NSSLOWCERTCertificate *certa, NSSLOWCERTCertificate *certb);
-
-
-SECStatus
-nsslowcert_TraverseDBEntries(NSSLOWCERTCertDBHandle *handle,
-		      certDBEntryType type,
-		      SECStatus (* callback)(SECItem *data, SECItem *key,
-					    certDBEntryType type, void *pdata),
-		      void *udata );
-SECStatus
-nsslowcert_TraversePermCertsForSubject(NSSLOWCERTCertDBHandle *handle,
-				 SECItem *derSubject,
-				 NSSLOWCERTCertCallback cb, void *cbarg);
-int
-nsslowcert_NumPermCertsForSubject(NSSLOWCERTCertDBHandle *handle,
-							 SECItem *derSubject);
-SECStatus
-nsslowcert_TraversePermCertsForNickname(NSSLOWCERTCertDBHandle *handle,
-	 	char *nickname, NSSLOWCERTCertCallback cb, void *cbarg);
-
-int
-nsslowcert_NumPermCertsForNickname(NSSLOWCERTCertDBHandle *handle, 
-							char *nickname);
-SECStatus
-nsslowcert_GetCertTrust(NSSLOWCERTCertificate *cert,
-					 NSSLOWCERTCertTrust *trust);
-
-SECStatus
-nsslowcert_SaveSMimeProfile(NSSLOWCERTCertDBHandle *dbhandle, char *emailAddr, 
-	SECItem *derSubject, SECItem *emailProfile, SECItem *profileTime);
-
-/*
- * Change the trust attributes of a certificate and make them permanent
- * in the database.
- */
-SECStatus
-nsslowcert_ChangeCertTrust(NSSLOWCERTCertDBHandle *handle, 
-	  	NSSLOWCERTCertificate *cert, NSSLOWCERTCertTrust *trust);
-
-PRBool
-nsslowcert_needDBVerify(NSSLOWCERTCertDBHandle *handle);
-
-void
-nsslowcert_setDBVerify(NSSLOWCERTCertDBHandle *handle, PRBool value);
-
-PRBool
-nsslowcert_hasTrust(NSSLOWCERTCertTrust *trust);
-
-void
-nsslowcert_DestroyFreeLists(void);
-
-void
-nsslowcert_DestroyGlobalLocks(void);
-
-void
-pkcs11_freeNickname(char *nickname, char *space);
-
-char *
-pkcs11_copyNickname(char *nickname, char *space, int spaceLen);
-
-void
-pkcs11_freeStaticData(unsigned char *data, unsigned char *space);
-
-unsigned char *
-pkcs11_allocStaticData(int datalen, unsigned char *space, int spaceLen);
-
-unsigned char *
-pkcs11_copyStaticData(unsigned char *data, int datalen, unsigned char *space,
-						int spaceLen);
-NSSLOWCERTCertificate *
-nsslowcert_CreateCert(void);
-SEC_END_PROTOS
-
- #endif /* _PCERTDB_H_ */
diff --git a/security/nss/lib/softoken/pcertdb.c b/security/nss/lib/softoken/pcertdb.c
deleted file mode 100644
index 4a7706378..000000000
--- a/security/nss/lib/softoken/pcertdb.c
+++ /dev/null
@@ -1,5370 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Permanent Certificate database handling code 
- *
- * $Id$
- */
-#include "prtime.h"
-
-#include "lowkeyti.h"
-#include "pcert.h"
-#include "mcom_db.h"
-#include "pcert.h"
-#include "secitem.h"
-#include "secder.h"
-
-/* Call to SFTK_FreeSlot below */
-
-#include "secasn1.h"
-#include "secerr.h"
-#include "nssilock.h"
-#include "prmon.h"
-#include "nsslocks.h"
-#include "base64.h"
-#include "sechash.h"
-#include "plhash.h"
-
-#include "cdbhdl.h"
-#include "pkcs11i.h"
-
-/* forward declaration */
-NSSLOWCERTCertificate *
-nsslowcert_FindCertByDERCertNoLocking(NSSLOWCERTCertDBHandle *handle, SECItem *derCert);
-static SECStatus
-nsslowcert_UpdateSMimeProfile(NSSLOWCERTCertDBHandle *dbhandle, 
-	char *emailAddr, SECItem *derSubject, SECItem *emailProfile, 
-							SECItem *profileTime);
-static SECStatus
-nsslowcert_UpdatePermCert(NSSLOWCERTCertDBHandle *dbhandle,
-    NSSLOWCERTCertificate *cert, char *nickname, NSSLOWCERTCertTrust *trust);
-static SECStatus
-nsslowcert_UpdateCrl(NSSLOWCERTCertDBHandle *handle, SECItem *derCrl, 
-			SECItem *crlKey, char *url, PRBool isKRL);
-
-static NSSLOWCERTCertificate *certListHead = NULL;
-static NSSLOWCERTTrust *trustListHead = NULL;
-static certDBEntryCert *entryListHead = NULL;
-static int certListCount = 0;
-static int trustListCount = 0;
-static int entryListCount = 0;
-#define MAX_CERT_LIST_COUNT 10
-#define MAX_TRUST_LIST_COUNT 10
-#define MAX_ENTRY_LIST_COUNT 10
-
-/*
- * the following functions are wrappers for the db library that implement
- * a global lock to make the database thread safe.
- */
-static PZLock *dbLock = NULL;
-
-void
-certdb_InitDBLock(NSSLOWCERTCertDBHandle *handle)
-{
-    if (dbLock == NULL) {
-	nss_InitLock(&dbLock, nssILockCertDB);
-	PORT_Assert(dbLock != NULL);
-    }
-
-    return;
-}
-
-/*
- * Acquire the global lock on the cert database.
- * This lock is currently used for the following operations:
- *	adding or deleting a cert to either the temp or perm databases
- *	converting a temp to perm or perm to temp
- *	changing (maybe just adding!?) the trust of a cert
- *      chaning the DB status checking Configuration
- */
-static void
-nsslowcert_LockDB(NSSLOWCERTCertDBHandle *handle)
-{
-    PZ_EnterMonitor(handle->dbMon);
-    return;
-}
-
-/*
- * Free the global cert database lock.
- */
-static void
-nsslowcert_UnlockDB(NSSLOWCERTCertDBHandle *handle)
-{
-    PRStatus prstat;
-    
-    prstat = PZ_ExitMonitor(handle->dbMon);
-    
-    PORT_Assert(prstat == PR_SUCCESS);
-    
-    return;
-}
-
-static PZLock *certRefCountLock = NULL;
-
-/*
- * Acquire the cert reference count lock
- * There is currently one global lock for all certs, but I'm putting a cert
- * arg here so that it will be easy to make it per-cert in the future if
- * that turns out to be necessary.
- */
-static void
-nsslowcert_LockCertRefCount(NSSLOWCERTCertificate *cert)
-{
-    if ( certRefCountLock == NULL ) {
-	nss_InitLock(&certRefCountLock, nssILockRefLock);
-	PORT_Assert(certRefCountLock != NULL);
-    }
-    
-    PZ_Lock(certRefCountLock);
-    return;
-}
-
-/*
- * Free the cert reference count lock
- */
-static void
-nsslowcert_UnlockCertRefCount(NSSLOWCERTCertificate *cert)
-{
-    PRStatus prstat;
-
-    PORT_Assert(certRefCountLock != NULL);
-    
-    prstat = PZ_Unlock(certRefCountLock);
-    
-    PORT_Assert(prstat == PR_SUCCESS);
-
-    return;
-}
-
-static PZLock *certTrustLock = NULL;
-
-/*
- * Acquire the cert trust lock
- * There is currently one global lock for all certs, but I'm putting a cert
- * arg here so that it will be easy to make it per-cert in the future if
- * that turns out to be necessary.
- */
-void
-nsslowcert_LockCertTrust(NSSLOWCERTCertificate *cert)
-{
-    if ( certTrustLock == NULL ) {
-	nss_InitLock(&certTrustLock, nssILockCertDB);
-	PORT_Assert(certTrustLock != NULL);
-    }
-    
-    PZ_Lock(certTrustLock);
-    return;
-}
-
-/*
- * Free the cert trust lock
- */
-void
-nsslowcert_UnlockCertTrust(NSSLOWCERTCertificate *cert)
-{
-    PRStatus prstat;
-
-    PORT_Assert(certTrustLock != NULL);
-    
-    prstat = PZ_Unlock(certTrustLock);
-    
-    PORT_Assert(prstat == PR_SUCCESS);
-
-    return;
-}
-
-static PZLock *freeListLock = NULL;
-
-/*
- * Acquire the cert reference count lock
- * There is currently one global lock for all certs, but I'm putting a cert
- * arg here so that it will be easy to make it per-cert in the future if
- * that turns out to be necessary.
- */
-static void
-nsslowcert_LockFreeList(void)
-{
-    if ( freeListLock == NULL ) {
-	nss_InitLock(&freeListLock, nssILockRefLock);
-	PORT_Assert(freeListLock != NULL);
-    }
-    
-    PZ_Lock(freeListLock);
-    return;
-}
-
-/*
- * Free the cert reference count lock
- */
-static void
-nsslowcert_UnlockFreeList(void)
-{
-    PRStatus prstat;
-
-    PORT_Assert(freeListLock != NULL);
-    
-    prstat = PZ_Unlock(freeListLock);
-    
-    PORT_Assert(prstat == PR_SUCCESS);
-
-    return;
-}
-
-NSSLOWCERTCertificate *
-nsslowcert_DupCertificate(NSSLOWCERTCertificate *c)
-{
-    if (c) {
-	nsslowcert_LockCertRefCount(c);
-	++c->referenceCount;
-	nsslowcert_UnlockCertRefCount(c);
-    }
-    return c;
-}
-
-static int
-certdb_Get(DB *db, DBT *key, DBT *data, unsigned int flags)
-{
-    PRStatus prstat;
-    int ret;
-    
-    PORT_Assert(dbLock != NULL);
-    PZ_Lock(dbLock);
-
-    ret = (* db->get)(db, key, data, flags);
-
-    prstat = PZ_Unlock(dbLock);
-
-    return(ret);
-}
-
-static int
-certdb_Put(DB *db, DBT *key, DBT *data, unsigned int flags)
-{
-    PRStatus prstat;
-    int ret = 0;
-
-    PORT_Assert(dbLock != NULL);
-    PZ_Lock(dbLock);
-
-    ret = (* db->put)(db, key, data, flags);
-    
-    prstat = PZ_Unlock(dbLock);
-
-    return(ret);
-}
-
-static int
-certdb_Sync(DB *db, unsigned int flags)
-{
-    PRStatus prstat;
-    int ret;
-
-    PORT_Assert(dbLock != NULL);
-    PZ_Lock(dbLock);
-
-    ret = (* db->sync)(db, flags);
-    
-    prstat = PZ_Unlock(dbLock);
-
-    return(ret);
-}
-
-#define DB_NOT_FOUND -30991  /* from DBM 3.2 */
-static int
-certdb_Del(DB *db, DBT *key, unsigned int flags)
-{
-    PRStatus prstat;
-    int ret;
-
-    PORT_Assert(dbLock != NULL);
-    PZ_Lock(dbLock);
-
-    ret = (* db->del)(db, key, flags);
-    
-    prstat = PZ_Unlock(dbLock);
-
-    /* don't fail if the record is already deleted */
-    if (ret == DB_NOT_FOUND) {
-	ret = 0;
-    }
-
-    return(ret);
-}
-
-static int
-certdb_Seq(DB *db, DBT *key, DBT *data, unsigned int flags)
-{
-    PRStatus prstat;
-    int ret;
-    
-    PORT_Assert(dbLock != NULL);
-    PZ_Lock(dbLock);
-    
-    ret = (* db->seq)(db, key, data, flags);
-
-    prstat = PZ_Unlock(dbLock);
-
-    return(ret);
-}
-
-static void
-certdb_Close(DB *db)
-{
-    PRStatus prstat;
-
-    PORT_Assert(dbLock != NULL);
-    PZ_Lock(dbLock);
-
-    (* db->close)(db);
-    
-    prstat = PZ_Unlock(dbLock);
-
-    return;
-}
-
-void
-pkcs11_freeNickname(char *nickname, char *space)
-{
-    if (nickname && nickname != space) {
-	PORT_Free(nickname);
-    }
-}
-
-char *
-pkcs11_copyNickname(char *nickname,char *space, int spaceLen)
-{
-    int len;
-    char *copy = NULL;
-
-    len = PORT_Strlen(nickname)+1;
-    if (len <= spaceLen) {
-	copy = space;
-	PORT_Memcpy(copy,nickname,len);
-    } else {
-	copy = PORT_Strdup(nickname);
-    }
-
-    return copy;
-}
-
-void
-pkcs11_freeStaticData (unsigned char *data, unsigned char *space)
-{
-    if (data && data != space) {
-	PORT_Free(data);
-    }
-}
-
-unsigned char *
-pkcs11_allocStaticData(int len, unsigned char *space, int spaceLen)
-{
-    unsigned char *data = NULL;
-
-    if (len <= spaceLen) {
-	data = space;
-    } else {
-	data = (unsigned char *) PORT_Alloc(len);
-    }
-
-    return data;
-}
-
-unsigned char *
-pkcs11_copyStaticData(unsigned char *data, int len, 
-					unsigned char *space, int spaceLen)
-{
-    unsigned char *copy = pkcs11_allocStaticData(len, space, spaceLen);
-    if (copy) {
-	PORT_Memcpy(copy,data,len);
-    }
-
-    return copy;
-}
-
-/*
- * destroy a database entry
- */
-static void
-DestroyDBEntry(certDBEntry *entry)
-{
-    PRArenaPool *arena = entry->common.arena;
-
-    /* must be one of our certDBEntry from the free list */
-    if (arena == NULL) {
-	certDBEntryCert *certEntry;
-	if ( entry->common.type != certDBEntryTypeCert) {
-	    return;
-	}
-	certEntry = (certDBEntryCert *)entry;
-
-	pkcs11_freeStaticData(certEntry->derCert.data, certEntry->derCertSpace);
-	pkcs11_freeNickname(certEntry->nickname, certEntry->nicknameSpace);
-
-	nsslowcert_LockFreeList();
-	if (entryListCount > MAX_ENTRY_LIST_COUNT) {
-	    PORT_Free(certEntry);
-	} else {
-	    entryListCount++;
-	    PORT_Memset(certEntry, 0, sizeof( *certEntry));
-	    certEntry->next = entryListHead;
-	    entryListHead = certEntry;
-	}
-	nsslowcert_UnlockFreeList();
-	return;
-    }
-
-
-    /* Zero out the entry struct, so that any further attempts to use it
-     * will cause an exception (e.g. null pointer reference). */
-    PORT_Memset(&entry->common, 0, sizeof entry->common);
-    PORT_FreeArena(arena, PR_FALSE);
-
-    return;
-}
-
-/* forward references */
-static void nsslowcert_DestroyCertificateNoLocking(NSSLOWCERTCertificate *cert);
-
-static SECStatus
-DeleteDBEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryType type, SECItem *dbkey)
-{
-    DBT key;
-    int ret;
-
-    /* init the database key */
-    key.data = dbkey->data;
-    key.size = dbkey->len;
-    
-    dbkey->data[0] = (unsigned char)type;
-
-    /* delete entry from database */
-    ret = certdb_Del(handle->permCertDB, &key, 0 );
-    if ( ret != 0 ) {
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	goto loser;
-    }
-
-    ret = certdb_Sync(handle->permCertDB, 0);
-    if ( ret ) {
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	goto loser;
-    }
-
-    return(SECSuccess);
-    
-loser:
-    return(SECFailure);
-}
-
-static SECStatus
-ReadDBEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryCommon *entry,
-	    SECItem *dbkey, SECItem *dbentry, PRArenaPool *arena)
-{
-    DBT data, key;
-    int ret;
-    unsigned char *buf;
-    
-    /* init the database key */
-    key.data = dbkey->data;
-    key.size = dbkey->len;
-    
-    dbkey->data[0] = (unsigned char)entry->type;
-
-    /* read entry from database */
-    ret = certdb_Get(handle->permCertDB, &key, &data, 0 );
-    if ( ret != 0 ) {
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	goto loser;
-    }
-    
-    /* validate the entry */
-    if ( data.size < SEC_DB_ENTRY_HEADER_LEN ) {
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	goto loser;
-    }
-    buf = (unsigned char *)data.data;
-    /* version 7 has the same schema, we may be using a v7 db if we openned
-     * the databases readonly. */
-    if (!((buf[0] == (unsigned char)CERT_DB_FILE_VERSION) 
-		|| (buf[0] == (unsigned char) CERT_DB_V7_FILE_VERSION))) {
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	goto loser;
-    }
-    if ( buf[1] != (unsigned char)entry->type ) {
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	goto loser;
-    }
-
-    /* copy out header information */
-    entry->version = (unsigned int)buf[0];
-    entry->type = (certDBEntryType)buf[1];
-    entry->flags = (unsigned int)buf[2];
-    
-    /* format body of entry for return to caller */
-    dbentry->len = data.size - SEC_DB_ENTRY_HEADER_LEN;
-    if ( dbentry->len ) {
-	if (arena) {
-	    dbentry->data = (unsigned char *)
-				PORT_ArenaAlloc(arena, dbentry->len);
-	    if ( dbentry->data == NULL ) {
-		PORT_SetError(SEC_ERROR_NO_MEMORY);
-		goto loser;
-	    }
-    
-	    PORT_Memcpy(dbentry->data, &buf[SEC_DB_ENTRY_HEADER_LEN],
-		  dbentry->len);
-	} else {
-	    dbentry->data = &buf[SEC_DB_ENTRY_HEADER_LEN];
-	}
-    } else {
-	dbentry->data = NULL;
-    }
-    
-    return(SECSuccess);
-
-loser:
-    return(SECFailure);
-}
-
-/**
- ** Implement low level database access
- **/
-static SECStatus
-WriteDBEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryCommon *entry,
-	     SECItem *dbkey, SECItem *dbentry)
-{
-    int ret;
-    DBT data, key;
-    unsigned char *buf;
-    
-    data.data = dbentry->data;
-    data.size = dbentry->len;
-    
-    buf = (unsigned char*)data.data;
-    
-    buf[0] = (unsigned char)entry->version;
-    buf[1] = (unsigned char)entry->type;
-    buf[2] = (unsigned char)entry->flags;
-    
-    key.data = dbkey->data;
-    key.size = dbkey->len;
-    
-    dbkey->data[0] = (unsigned char)entry->type;
-
-    /* put the record into the database now */
-    ret = certdb_Put(handle->permCertDB, &key, &data, 0);
-
-    if ( ret != 0 ) {
-	goto loser;
-    }
-
-    ret = certdb_Sync( handle->permCertDB, 0 );
-    
-    if ( ret ) {
-	goto loser;
-    }
-
-    return(SECSuccess);
-
-loser:
-    return(SECFailure);
-}
-
-/*
- * encode a database cert record
- */
-static SECStatus
-EncodeDBCertEntry(certDBEntryCert *entry, PRArenaPool *arena, SECItem *dbitem)
-{
-    unsigned int nnlen;
-    unsigned char *buf;
-    char *nn;
-    char zbuf = 0;
-    
-    if ( entry->nickname ) {
-	nn = entry->nickname;
-    } else {
-	nn = &zbuf;
-    }
-    nnlen = PORT_Strlen(nn) + 1;
-    
-    /* allocate space for encoded database record, including space
-     * for low level header
-     */
-    dbitem->len = entry->derCert.len + nnlen + DB_CERT_ENTRY_HEADER_LEN +
-	SEC_DB_ENTRY_HEADER_LEN;
-    
-    dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
-    if ( dbitem->data == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-    
-    /* fill in database record */
-    buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
-    
-    buf[0] = ( entry->trust.sslFlags >> 8 ) & 0xff;
-    buf[1] = entry->trust.sslFlags & 0xff;
-    buf[2] = ( entry->trust.emailFlags >> 8 ) & 0xff;
-    buf[3] = entry->trust.emailFlags & 0xff;
-    buf[4] = ( entry->trust.objectSigningFlags >> 8 ) & 0xff;
-    buf[5] = entry->trust.objectSigningFlags & 0xff;
-    buf[6] = ( entry->derCert.len >> 8 ) & 0xff;
-    buf[7] = entry->derCert.len & 0xff;
-    buf[8] = ( nnlen >> 8 ) & 0xff;
-    buf[9] = nnlen & 0xff;
-    
-    PORT_Memcpy(&buf[DB_CERT_ENTRY_HEADER_LEN], entry->derCert.data,
-	      entry->derCert.len);
-
-    PORT_Memcpy(&buf[DB_CERT_ENTRY_HEADER_LEN + entry->derCert.len],
-	      nn, nnlen);
-
-    return(SECSuccess);
-
-loser:
-    return(SECFailure);
-}
-
-/*
- * encode a database key for a cert record
- */
-static SECStatus
-EncodeDBCertKey(SECItem *certKey, PRArenaPool *arena, SECItem *dbkey)
-{
-    unsigned int len = certKey->len + SEC_DB_KEY_HEADER_LEN;
-    if (arena) {
-	dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, len);
-    } else {
-	if (dbkey->len < len) {
-	    dbkey->data = (unsigned char *)PORT_Alloc(len);
-	}
-    }
-    dbkey->len = len;
-    if ( dbkey->data == NULL ) {
-	goto loser;
-    }
-    PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN],
-	      certKey->data, certKey->len);
-    dbkey->data[0] = certDBEntryTypeCert;
-
-    return(SECSuccess);
-loser:
-    return(SECFailure);
-}
-
-static SECStatus
-EncodeDBGenericKey(SECItem *certKey, PRArenaPool *arena, SECItem *dbkey, 
-				certDBEntryType entryType)
-{
-    /*
-     * we only allow _one_ KRL key!
-     */
-    if (entryType == certDBEntryTypeKeyRevocation) {
-	dbkey->len = SEC_DB_KEY_HEADER_LEN;
- 	dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
-	if ( dbkey->data == NULL ) {
-	    goto loser;
-	}
-        dbkey->data[0] = (unsigned char) entryType;
-        return(SECSuccess);
-    }
-    
-
-    dbkey->len = certKey->len + SEC_DB_KEY_HEADER_LEN;
-    dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
-    if ( dbkey->data == NULL ) {
-	goto loser;
-    }
-    PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN],
-	      certKey->data, certKey->len);
-    dbkey->data[0] = (unsigned char) entryType;
-
-    return(SECSuccess);
-loser:
-    return(SECFailure);
-}
-
-static SECStatus
-DecodeDBCertEntry(certDBEntryCert *entry, SECItem *dbentry)
-{
-    unsigned int nnlen;
-    unsigned int headerlen;
-    int lenoff;
-
-    /* allow updates of old versions of the database */
-    switch ( entry->common.version ) {
-      case 5:
-	headerlen = DB_CERT_V5_ENTRY_HEADER_LEN;
-	lenoff = 3;
-	break;
-      case 6:
-	/* should not get here */
-	PORT_Assert(0);
-	headerlen = DB_CERT_V6_ENTRY_HEADER_LEN;
-	lenoff = 3;
-	break;
-      case 7:
-      case 8:
-	headerlen = DB_CERT_ENTRY_HEADER_LEN;
-	lenoff = 6;
-	break;
-      default:
-	/* better not get here */
-	PORT_Assert(0);
-	headerlen = DB_CERT_V5_ENTRY_HEADER_LEN;
-	lenoff = 3;
-	break;
-    }
-    
-    /* is record long enough for header? */
-    if ( dbentry->len < headerlen ) {
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	goto loser;
-    }
-    
-    /* is database entry correct length? */
-    entry->derCert.len = ( ( dbentry->data[lenoff] << 8 ) |
-			  dbentry->data[lenoff+1] );
-    nnlen = ( ( dbentry->data[lenoff+2] << 8 ) | dbentry->data[lenoff+3] );
-    if ( ( entry->derCert.len + nnlen + headerlen )
-	!= dbentry->len) {
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	goto loser;
-    }
-    
-    /* copy the dercert */
-
-    entry->derCert.data = pkcs11_copyStaticData(&dbentry->data[headerlen],
-	entry->derCert.len,entry->derCertSpace,sizeof(entry->derCertSpace));
-    if ( entry->derCert.data == NULL ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    /* copy the nickname */
-    if ( nnlen > 1 ) {
-	entry->nickname = (char *)pkcs11_copyStaticData(
-			&dbentry->data[headerlen+entry->derCert.len], nnlen,
-			(unsigned char *)entry->nicknameSpace, 
-			sizeof(entry->nicknameSpace));
-	if ( entry->nickname == NULL ) {
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    goto loser;
-	}
-    } else {
-	entry->nickname = NULL;
-    }
-    
-    if ( entry->common.version < 7 ) {
-	/* allow updates of v5 db */
-	entry->trust.sslFlags = dbentry->data[0];
-	entry->trust.emailFlags = dbentry->data[1];
-	entry->trust.objectSigningFlags = dbentry->data[2];
-    } else {
-	entry->trust.sslFlags = ( dbentry->data[0] << 8 ) | dbentry->data[1];
-	entry->trust.emailFlags = ( dbentry->data[2] << 8 ) | dbentry->data[3];
-	entry->trust.objectSigningFlags =
-	    ( dbentry->data[4] << 8 ) | dbentry->data[5];
-    }
-    
-    return(SECSuccess);
-loser:
-    return(SECFailure);
-}
-
-
-/*
- * Create a new certDBEntryCert from existing data
- */
-static certDBEntryCert *
-NewDBCertEntry(SECItem *derCert, char *nickname,
-	       NSSLOWCERTCertTrust *trust, int flags)
-{
-    certDBEntryCert *entry;
-    PRArenaPool *arena = NULL;
-    int nnlen;
-    
-    arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE );
-
-    if ( !arena ) {
-	goto loser;
-    }
-	
-    entry = (certDBEntryCert *)PORT_ArenaZAlloc(arena, sizeof(certDBEntryCert));
-
-    if ( entry == NULL ) {
-	goto loser;
-    }
-    
-    /* fill in the dbCert */
-    entry->common.arena = arena;
-    entry->common.type = certDBEntryTypeCert;
-    entry->common.version = CERT_DB_FILE_VERSION;
-    entry->common.flags = flags;
-    
-    if ( trust ) {
-	entry->trust = *trust;
-    }
-
-    entry->derCert.data = (unsigned char *)PORT_ArenaAlloc(arena, derCert->len);
-    if ( !entry->derCert.data ) {
-	goto loser;
-    }
-    entry->derCert.len = derCert->len;
-    PORT_Memcpy(entry->derCert.data, derCert->data, derCert->len);
-    
-    nnlen = ( nickname ? strlen(nickname) + 1 : 0 );
-    
-    if ( nnlen ) {
-	entry->nickname = (char *)PORT_ArenaAlloc(arena, nnlen);
-	if ( !entry->nickname ) {
-	    goto loser;
-	}
-	PORT_Memcpy(entry->nickname, nickname, nnlen);
-	
-    } else {
-	entry->nickname = 0;
-    }
-
-    return(entry);
-
-loser:
-    
-    /* allocation error, free arena and return */
-    if ( arena ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    
-    PORT_SetError(SEC_ERROR_NO_MEMORY);
-    return(0);
-}
-
-/*
- * Decode a version 4 DBCert from the byte stream database format
- * and construct a current database entry struct
- */
-static certDBEntryCert *
-DecodeV4DBCertEntry(unsigned char *buf, int len)
-{
-    certDBEntryCert *entry;
-    int certlen;
-    int nnlen;
-    PRArenaPool *arena;
-    
-    /* make sure length is at least long enough for the header */
-    if ( len < DBCERT_V4_HEADER_LEN ) {
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	return(0);
-    }
-
-    /* get other lengths */
-    certlen = buf[3] << 8 | buf[4];
-    nnlen = buf[5] << 8 | buf[6];
-    
-    /* make sure DB entry is the right size */
-    if ( ( certlen + nnlen + DBCERT_V4_HEADER_LEN ) != len ) {
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	return(0);
-    }
-
-    /* allocate arena */
-    arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE );
-
-    if ( !arena ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return(0);
-    }
-	
-    /* allocate structure and members */
-    entry = (certDBEntryCert *)  PORT_ArenaAlloc(arena, sizeof(certDBEntryCert));
-
-    if ( !entry ) {
-	goto loser;
-    }
-
-    entry->derCert.data = (unsigned char *)PORT_ArenaAlloc(arena, certlen);
-    if ( !entry->derCert.data ) {
-	goto loser;
-    }
-    entry->derCert.len = certlen;
-    
-    if ( nnlen ) {
-	entry->nickname = (char *) PORT_ArenaAlloc(arena, nnlen);
-	if ( !entry->nickname ) {
-	    goto loser;
-	}
-    } else {
-	entry->nickname = 0;
-    }
-
-    entry->common.arena = arena;
-    entry->common.version = CERT_DB_FILE_VERSION;
-    entry->common.type = certDBEntryTypeCert;
-    entry->common.flags = 0;
-    entry->trust.sslFlags = buf[0];
-    entry->trust.emailFlags = buf[1];
-    entry->trust.objectSigningFlags = buf[2];
-
-    PORT_Memcpy(entry->derCert.data, &buf[DBCERT_V4_HEADER_LEN], certlen);
-    PORT_Memcpy(entry->nickname, &buf[DBCERT_V4_HEADER_LEN + certlen], nnlen);
-
-    if (PORT_Strcmp(entry->nickname,"Server-Cert") == 0) {
-	entry->trust.sslFlags |= CERTDB_USER;
-    }
-
-    return(entry);
-    
-loser:
-    PORT_FreeArena(arena, PR_FALSE);
-    PORT_SetError(SEC_ERROR_NO_MEMORY);
-    return(0);
-}
-
-/*
- * Encode a Certificate database entry into byte stream suitable for
- * the database
- */
-static SECStatus
-WriteDBCertEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryCert *entry)
-{
-    SECItem dbitem, dbkey;
-    PRArenaPool *tmparena = NULL;
-    SECItem tmpitem;
-    SECStatus rv;
-    
-    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( tmparena == NULL ) {
-	goto loser;
-    }
-    
-    rv = EncodeDBCertEntry(entry, tmparena, &dbitem);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    /* get the database key and format it */
-    rv = nsslowcert_KeyFromDERCert(tmparena, &entry->derCert, &tmpitem);
-    if ( rv == SECFailure ) {
-	goto loser;
-    }
-
-    rv = EncodeDBCertKey(&tmpitem, tmparena, &dbkey);
-    if ( rv == SECFailure ) {
-	goto loser;
-    }
-    
-    /* now write it to the database */
-    rv = WriteDBEntry(handle, &entry->common, &dbkey, &dbitem);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    
-    PORT_FreeArena(tmparena, PR_FALSE);
-    return(SECSuccess);
-
-loser:
-    if ( tmparena ) {
-	PORT_FreeArena(tmparena, PR_FALSE);
-    }
-    return(SECFailure);
-}
-
-
-/*
- * delete a certificate entry
- */
-static SECStatus
-DeleteDBCertEntry(NSSLOWCERTCertDBHandle *handle, SECItem *certKey)
-{
-    SECItem dbkey;
-    SECStatus rv;
-
-    dbkey.data= NULL;
-    dbkey.len = 0;
-
-    rv = EncodeDBCertKey(certKey, NULL, &dbkey);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    
-    rv = DeleteDBEntry(handle, certDBEntryTypeCert, &dbkey);
-    if ( rv == SECFailure ) {
-	goto loser;
-    }
-
-    if (dbkey.data) {
-	PORT_Free(dbkey.data);
-    }
-    return(SECSuccess);
-
-loser:
-    if (dbkey.data) {
-	PORT_Free(dbkey.data);
-    }
-    return(SECFailure);
-}
-
-static certDBEntryCert *
-CreateCertEntry(void)
-{
-    certDBEntryCert *entry;
-
-    nsslowcert_LockFreeList();
-    entry = entryListHead;
-    if (entry) {
-	entryListCount--;
-	entryListHead = entry->next;
-    }
-    PORT_Assert(entryListCount >= 0);
-    nsslowcert_UnlockFreeList();
-    if (entry) {
-	return entry;
-    }
-
-    return PORT_ZAlloc(sizeof(certDBEntryCert));
-}
-
-static void
-DestroyCertEntryFreeList(void)
-{
-    certDBEntryCert *entry;
-
-    nsslowcert_LockFreeList();
-    while (NULL != (entry = entryListHead)) {
-	entryListCount--;
-	entryListHead = entry->next;
-	PORT_Free(entry);
-    }
-    PORT_Assert(!entryListCount);
-    entryListCount = 0;
-    nsslowcert_UnlockFreeList();
-}
-
-/*
- * Read a certificate entry
- */
-static certDBEntryCert *
-ReadDBCertEntry(NSSLOWCERTCertDBHandle *handle, SECItem *certKey)
-{
-    certDBEntryCert *entry;
-    SECItem dbkey;
-    SECItem dbentry;
-    SECStatus rv;
-    unsigned char buf[512];
-
-    dbkey.data = buf;
-    dbkey.len = sizeof(buf);
-
-    entry = CreateCertEntry();
-    if ( entry == NULL ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-    entry->common.arena = NULL;
-    entry->common.type = certDBEntryTypeCert;
-
-    rv = EncodeDBCertKey(certKey, NULL, &dbkey);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    
-    rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, NULL);
-    if ( rv == SECFailure ) {
-	goto loser;
-    }
-
-    rv = DecodeDBCertEntry(entry, &dbentry);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    pkcs11_freeStaticData(dbkey.data,buf);    
-    dbkey.data = NULL;
-    return(entry);
-    
-loser:
-    pkcs11_freeStaticData(dbkey.data,buf);    
-    dbkey.data = NULL;
-    if ( entry ) {
-	
-    }
-    DestroyDBEntry((certDBEntry *)entry);
-    
-    return(NULL);
-}
-
-/*
- * encode a database cert record
- */
-static SECStatus
-EncodeDBCrlEntry(certDBEntryRevocation *entry, PRArenaPool *arena, SECItem *dbitem)
-{
-    unsigned int nnlen = 0;
-    unsigned char *buf;
-  
-    if (entry->url) {  
-	nnlen = PORT_Strlen(entry->url) + 1;
-    }
-    
-    /* allocate space for encoded database record, including space
-     * for low level header
-     */
-    dbitem->len = entry->derCrl.len + nnlen 
-		+ SEC_DB_ENTRY_HEADER_LEN + DB_CRL_ENTRY_HEADER_LEN;
-    
-    dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
-    if ( dbitem->data == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-    
-    /* fill in database record */
-    buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
-    
-    buf[0] = ( entry->derCrl.len >> 8 ) & 0xff;
-    buf[1] = entry->derCrl.len & 0xff;
-    buf[2] = ( nnlen >> 8 ) & 0xff;
-    buf[3] = nnlen & 0xff;
-    
-    PORT_Memcpy(&buf[DB_CRL_ENTRY_HEADER_LEN], entry->derCrl.data,
-	      entry->derCrl.len);
-
-    if (nnlen != 0) {
-	PORT_Memcpy(&buf[DB_CRL_ENTRY_HEADER_LEN + entry->derCrl.len],
-	      entry->url, nnlen);
-    }
-
-    return(SECSuccess);
-
-loser:
-    return(SECFailure);
-}
-
-static SECStatus
-DecodeDBCrlEntry(certDBEntryRevocation *entry, SECItem *dbentry)
-{
-    unsigned int nnlen;
-    
-    /* is record long enough for header? */
-    if ( dbentry->len < DB_CRL_ENTRY_HEADER_LEN ) {
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	goto loser;
-    }
-    
-    /* is database entry correct length? */
-    entry->derCrl.len = ( ( dbentry->data[0] << 8 ) | dbentry->data[1] );
-    nnlen = ( ( dbentry->data[2] << 8 ) | dbentry->data[3] );
-    if ( ( entry->derCrl.len + nnlen + DB_CRL_ENTRY_HEADER_LEN )
-	!= dbentry->len) {
-      /* CRL entry is greater than 64 K. Hack to make this continue to work */
-      if (dbentry->len >= (0xffff - DB_CRL_ENTRY_HEADER_LEN) - nnlen) {
-          entry->derCrl.len = 
-                      (dbentry->len - DB_CRL_ENTRY_HEADER_LEN) - nnlen;
-      } else {
-          PORT_SetError(SEC_ERROR_BAD_DATABASE);
-          goto loser;
-      }    
-    }
-    
-    /* copy the dercert */
-    entry->derCrl.data = (unsigned char *)PORT_ArenaAlloc(entry->common.arena,
-							 entry->derCrl.len);
-    if ( entry->derCrl.data == NULL ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-    PORT_Memcpy(entry->derCrl.data, &dbentry->data[DB_CRL_ENTRY_HEADER_LEN],
-	      entry->derCrl.len);
-
-    /* copy the url */
-    entry->url = NULL;
-    if (nnlen != 0) {
-	entry->url = (char *)PORT_ArenaAlloc(entry->common.arena, nnlen);
-	if ( entry->url == NULL ) {
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    goto loser;
-	}
-	PORT_Memcpy(entry->url,
-	      &dbentry->data[DB_CRL_ENTRY_HEADER_LEN + entry->derCrl.len],
-	      nnlen);
-    }
-    
-    return(SECSuccess);
-loser:
-    return(SECFailure);
-}
-
-/*
- * Create a new certDBEntryRevocation from existing data
- */
-static certDBEntryRevocation *
-NewDBCrlEntry(SECItem *derCrl, char * url, certDBEntryType crlType, int flags)
-{
-    certDBEntryRevocation *entry;
-    PRArenaPool *arena = NULL;
-    int nnlen;
-    
-    arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE );
-
-    if ( !arena ) {
-	goto loser;
-    }
-	
-    entry = (certDBEntryRevocation*)
-			PORT_ArenaZAlloc(arena, sizeof(certDBEntryRevocation));
-
-    if ( entry == NULL ) {
-	goto loser;
-    }
-    
-    /* fill in the dbRevolcation */
-    entry->common.arena = arena;
-    entry->common.type = crlType;
-    entry->common.version = CERT_DB_FILE_VERSION;
-    entry->common.flags = flags;
-    
-
-    entry->derCrl.data = (unsigned char *)PORT_ArenaAlloc(arena, derCrl->len);
-    if ( !entry->derCrl.data ) {
-	goto loser;
-    }
-
-    if (url) {
-	nnlen = PORT_Strlen(url) + 1;
-	entry->url  = (char *)PORT_ArenaAlloc(arena, nnlen);
-	if ( !entry->url ) {
-	    goto loser;
-	}
-	PORT_Memcpy(entry->url, url, nnlen);
-    } else {
-	entry->url = NULL;
-    }
-
-	
-    entry->derCrl.len = derCrl->len;
-    PORT_Memcpy(entry->derCrl.data, derCrl->data, derCrl->len);
-
-    return(entry);
-
-loser:
-    
-    /* allocation error, free arena and return */
-    if ( arena ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    
-    PORT_SetError(SEC_ERROR_NO_MEMORY);
-    return(0);
-}
-
-
-static SECStatus
-WriteDBCrlEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryRevocation *entry,
-				SECItem *crlKey )
-{
-    SECItem dbkey;
-    PRArenaPool *tmparena = NULL;
-    SECItem encodedEntry;
-    SECStatus rv;
-    
-    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( tmparena == NULL ) {
-	goto loser;
-    }
-
-    rv = EncodeDBCrlEntry(entry, tmparena, &encodedEntry);
-    if ( rv == SECFailure ) {
-	goto loser;
-    }
-
-    rv = EncodeDBGenericKey(crlKey, tmparena, &dbkey, entry->common.type);
-    if ( rv == SECFailure ) {
-	goto loser;
-    }
-    
-    /* now write it to the database */
-    rv = WriteDBEntry(handle, &entry->common, &dbkey, &encodedEntry);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    
-    PORT_FreeArena(tmparena, PR_FALSE);
-    return(SECSuccess);
-
-loser:
-    if ( tmparena ) {
-	PORT_FreeArena(tmparena, PR_FALSE);
-    }
-    return(SECFailure);
-}
-/*
- * delete a crl entry
- */
-static SECStatus
-DeleteDBCrlEntry(NSSLOWCERTCertDBHandle *handle, SECItem *crlKey, 
-						certDBEntryType crlType)
-{
-    SECItem dbkey;
-    PRArenaPool *arena = NULL;
-    SECStatus rv;
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( arena == NULL ) {
-	goto loser;
-    }
-
-    rv = EncodeDBGenericKey(crlKey, arena, &dbkey, crlType);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    
-    rv = DeleteDBEntry(handle, crlType, &dbkey);
-    if ( rv == SECFailure ) {
-	goto loser;
-    }
-
-    PORT_FreeArena(arena, PR_FALSE);
-    return(SECSuccess);
-
-loser:
-    if ( arena ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    
-    return(SECFailure);
-}
-
-/*
- * Read a certificate entry
- */
-static certDBEntryRevocation *
-ReadDBCrlEntry(NSSLOWCERTCertDBHandle *handle, SECItem *certKey,
-						certDBEntryType crlType)
-{
-    PRArenaPool *arena = NULL;
-    PRArenaPool *tmparena = NULL;
-    certDBEntryRevocation *entry;
-    SECItem dbkey;
-    SECItem dbentry;
-    SECStatus rv;
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( arena == NULL ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( tmparena == NULL ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-    
-    entry = (certDBEntryRevocation *)
-			PORT_ArenaAlloc(arena, sizeof(certDBEntryRevocation));
-    if ( entry == NULL ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-    entry->common.arena = arena;
-    entry->common.type = crlType;
-
-    rv = EncodeDBGenericKey(certKey, tmparena, &dbkey, crlType);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    
-    rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, NULL);
-    if ( rv == SECFailure ) {
-	goto loser;
-    }
-
-    rv = DecodeDBCrlEntry(entry, &dbentry);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    
-    PORT_FreeArena(tmparena, PR_FALSE);
-    return(entry);
-    
-loser:
-    if ( tmparena ) {
-	PORT_FreeArena(tmparena, PR_FALSE);
-    }
-    if ( arena ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    
-    return(NULL);
-}
-
-void
-nsslowcert_DestroyDBEntry(certDBEntry *entry)
-{
-    DestroyDBEntry(entry);
-    return;
-}
-
-/*
- * Encode a database nickname record
- */
-static SECStatus
-EncodeDBNicknameEntry(certDBEntryNickname *entry, PRArenaPool *arena,
-		      SECItem *dbitem)
-{
-    unsigned char *buf;
-    
-    /* allocate space for encoded database record, including space
-     * for low level header
-     */
-    dbitem->len = entry->subjectName.len + DB_NICKNAME_ENTRY_HEADER_LEN +
-	SEC_DB_ENTRY_HEADER_LEN;
-    
-    dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
-    if ( dbitem->data == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-    
-    /* fill in database record */
-    buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
-    
-    buf[0] = ( entry->subjectName.len >> 8 ) & 0xff;
-    buf[1] = entry->subjectName.len & 0xff;
-    
-    PORT_Memcpy(&buf[DB_NICKNAME_ENTRY_HEADER_LEN], entry->subjectName.data,
-	      entry->subjectName.len);
-
-    return(SECSuccess);
-
-loser:
-    return(SECFailure);
-}
-
-/*
- * Encode a database key for a nickname record
- */
-static SECStatus
-EncodeDBNicknameKey(char *nickname, PRArenaPool *arena,
-		    SECItem *dbkey)
-{
-    unsigned int nnlen;
-    
-    nnlen = PORT_Strlen(nickname) + 1; /* includes null */
-
-    /* now get the database key and format it */
-    dbkey->len = nnlen + SEC_DB_KEY_HEADER_LEN;
-    dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
-    if ( dbkey->data == NULL ) {
-	goto loser;
-    }
-    PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN], nickname, nnlen);
-    dbkey->data[0] = certDBEntryTypeNickname;
-
-    return(SECSuccess);
-
-loser:
-    return(SECFailure);
-}
-
-static SECStatus
-DecodeDBNicknameEntry(certDBEntryNickname *entry, SECItem *dbentry,
-                      char *nickname)
-{
-    /* is record long enough for header? */
-    if ( dbentry->len < DB_NICKNAME_ENTRY_HEADER_LEN ) {
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	goto loser;
-    }
-    
-    /* is database entry correct length? */
-    entry->subjectName.len = ( ( dbentry->data[0] << 8 ) | dbentry->data[1] );
-    if (( entry->subjectName.len + DB_NICKNAME_ENTRY_HEADER_LEN ) !=
-	dbentry->len ){
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	goto loser;
-    }
-    
-    /* copy the certkey */
-    entry->subjectName.data =
-	(unsigned char *)PORT_ArenaAlloc(entry->common.arena,
-					 entry->subjectName.len);
-    if ( entry->subjectName.data == NULL ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-    PORT_Memcpy(entry->subjectName.data,
-	      &dbentry->data[DB_NICKNAME_ENTRY_HEADER_LEN],
-	      entry->subjectName.len);
-    entry->subjectName.type = siBuffer;
-    
-    entry->nickname = (char *)PORT_ArenaAlloc(entry->common.arena, 
-                                              PORT_Strlen(nickname)+1);
-    if ( entry->nickname ) {
-	PORT_Strcpy(entry->nickname, nickname);
-    }
-    
-    return(SECSuccess);
-
-loser:
-    return(SECFailure);
-}
-
-/*
- * create a new nickname entry
- */
-static certDBEntryNickname *
-NewDBNicknameEntry(char *nickname, SECItem *subjectName, unsigned int flags)
-{
-    PRArenaPool *arena = NULL;
-    certDBEntryNickname *entry;
-    int nnlen;
-    SECStatus rv;
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( arena == NULL ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    entry = (certDBEntryNickname *)PORT_ArenaAlloc(arena,
-						 sizeof(certDBEntryNickname));
-    if ( entry == NULL ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    /* init common fields */
-    entry->common.arena = arena;
-    entry->common.type = certDBEntryTypeNickname;
-    entry->common.version = CERT_DB_FILE_VERSION;
-    entry->common.flags = flags;
-
-    /* copy the nickname */
-    nnlen = PORT_Strlen(nickname) + 1;
-    
-    entry->nickname = (char*)PORT_ArenaAlloc(arena, nnlen);
-    if ( entry->nickname == NULL ) {
-	goto loser;
-    }
-    
-    PORT_Memcpy(entry->nickname, nickname, nnlen);
-    
-    rv = SECITEM_CopyItem(arena, &entry->subjectName, subjectName);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    
-    return(entry);
-loser:
-    if ( arena ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    
-    return(NULL);
-}
-
-/*
- * delete a nickname entry
- */
-static SECStatus
-DeleteDBNicknameEntry(NSSLOWCERTCertDBHandle *handle, char *nickname)
-{
-    PRArenaPool *arena = NULL;
-    SECStatus rv;
-    SECItem dbkey;
-    
-    if ( nickname == NULL ) {
-	return(SECSuccess);
-    }
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( arena == NULL ) {
-	goto loser;
-    }
-
-    rv = EncodeDBNicknameKey(nickname, arena, &dbkey);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    rv = DeleteDBEntry(handle, certDBEntryTypeNickname, &dbkey);
-    if ( rv == SECFailure ) {
-	goto loser;
-    }
-
-    PORT_FreeArena(arena, PR_FALSE);
-    return(SECSuccess);
-
-loser:
-    if ( arena ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    
-    return(SECFailure);
-}
-
-/*
- * Read a nickname entry
- */
-static certDBEntryNickname *
-ReadDBNicknameEntry(NSSLOWCERTCertDBHandle *handle, char *nickname)
-{
-    PRArenaPool *arena = NULL;
-    PRArenaPool *tmparena = NULL;
-    certDBEntryNickname *entry;
-    SECItem dbkey;
-    SECItem dbentry;
-    SECStatus rv;
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( arena == NULL ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( tmparena == NULL ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-    
-    entry = (certDBEntryNickname *)PORT_ArenaAlloc(arena,
-						 sizeof(certDBEntryNickname));
-    if ( entry == NULL ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-    entry->common.arena = arena;
-    entry->common.type = certDBEntryTypeNickname;
-
-    rv = EncodeDBNicknameKey(nickname, tmparena, &dbkey);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    
-    rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, tmparena);
-    if ( rv == SECFailure ) {
-	goto loser;
-    }
-
-    /* is record long enough for header? */
-    if ( dbentry.len < DB_NICKNAME_ENTRY_HEADER_LEN ) {
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	goto loser;
-    }
-
-    rv = DecodeDBNicknameEntry(entry, &dbentry, nickname);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    
-    PORT_FreeArena(tmparena, PR_FALSE);
-    return(entry);
-    
-loser:
-    if ( tmparena ) {
-	PORT_FreeArena(tmparena, PR_FALSE);
-    }
-    if ( arena ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    
-    return(NULL);
-}
-
-/*
- * Encode a nickname entry into byte stream suitable for
- * the database
- */
-static SECStatus
-WriteDBNicknameEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryNickname *entry)
-{
-    SECItem dbitem, dbkey;
-    PRArenaPool *tmparena = NULL;
-    SECStatus rv;
-    
-    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( tmparena == NULL ) {
-	goto loser;
-    }
-    
-    rv = EncodeDBNicknameEntry(entry, tmparena, &dbitem);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    rv = EncodeDBNicknameKey(entry->nickname, tmparena, &dbkey);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    /* now write it to the database */
-    rv = WriteDBEntry(handle, &entry->common, &dbkey, &dbitem);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    
-    PORT_FreeArena(tmparena, PR_FALSE);
-    return(SECSuccess);
-
-loser:
-    if ( tmparena ) {
-	PORT_FreeArena(tmparena, PR_FALSE);
-    }
-    return(SECFailure);
-    
-}
-
-SECStatus
-EncodeDBSMimeEntry(certDBEntrySMime *entry, PRArenaPool *arena,
-		   SECItem *dbitem)
-{
-    unsigned char *buf;
-    
-    /* allocate space for encoded database record, including space
-     * for low level header
-     */
-    dbitem->len = entry->subjectName.len + entry->smimeOptions.len +
-	entry->optionsDate.len +
-	DB_SMIME_ENTRY_HEADER_LEN + SEC_DB_ENTRY_HEADER_LEN;
-    
-    dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
-    if ( dbitem->data == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-    
-    /* fill in database record */
-    buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
-    
-    buf[0] = ( entry->subjectName.len >> 8 ) & 0xff;
-    buf[1] = entry->subjectName.len & 0xff;
-    buf[2] = ( entry->smimeOptions.len >> 8 ) & 0xff;
-    buf[3] = entry->smimeOptions.len & 0xff;
-    buf[4] = ( entry->optionsDate.len >> 8 ) & 0xff;
-    buf[5] = entry->optionsDate.len & 0xff;
-
-    /* if no smime options, then there should not be an options date either */
-    PORT_Assert( ! ( ( entry->smimeOptions.len == 0 ) &&
-		    ( entry->optionsDate.len != 0 ) ) );
-    
-    PORT_Memcpy(&buf[DB_SMIME_ENTRY_HEADER_LEN], entry->subjectName.data,
-	      entry->subjectName.len);
-    if ( entry->smimeOptions.len ) {
-	PORT_Memcpy(&buf[DB_SMIME_ENTRY_HEADER_LEN+entry->subjectName.len],
-		    entry->smimeOptions.data,
-		    entry->smimeOptions.len);
-	PORT_Memcpy(&buf[DB_SMIME_ENTRY_HEADER_LEN + entry->subjectName.len +
-			 entry->smimeOptions.len],
-		    entry->optionsDate.data,
-		    entry->optionsDate.len);
-    }
-
-    return(SECSuccess);
-
-loser:
-    return(SECFailure);
-}
-
-/*
- * Encode a database key for a SMIME record
- */
-static SECStatus
-EncodeDBSMimeKey(char *emailAddr, PRArenaPool *arena,
-		 SECItem *dbkey)
-{
-    unsigned int addrlen;
-    
-    addrlen = PORT_Strlen(emailAddr) + 1; /* includes null */
-
-    /* now get the database key and format it */
-    dbkey->len = addrlen + SEC_DB_KEY_HEADER_LEN;
-    dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
-    if ( dbkey->data == NULL ) {
-	goto loser;
-    }
-    PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN], emailAddr, addrlen);
-    dbkey->data[0] = certDBEntryTypeSMimeProfile;
-
-    return(SECSuccess);
-
-loser:
-    return(SECFailure);
-}
-
-/*
- * Decode a database SMIME record
- */
-static SECStatus
-DecodeDBSMimeEntry(certDBEntrySMime *entry, SECItem *dbentry, char *emailAddr)
-{
-    /* is record long enough for header? */
-    if ( dbentry->len < DB_SMIME_ENTRY_HEADER_LEN ) {
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	goto loser;
-    }
-    
-    /* is database entry correct length? */
-    entry->subjectName.len = ( ( dbentry->data[0] << 8 ) | dbentry->data[1] );
-    entry->smimeOptions.len = ( ( dbentry->data[2] << 8 ) | dbentry->data[3] );
-    entry->optionsDate.len = ( ( dbentry->data[4] << 8 ) | dbentry->data[5] );
-    if (( entry->subjectName.len + entry->smimeOptions.len +
-	 entry->optionsDate.len + DB_SMIME_ENTRY_HEADER_LEN ) != dbentry->len){
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	goto loser;
-    }
-    
-    /* copy the subject name */
-    entry->subjectName.data =
-	(unsigned char *)PORT_ArenaAlloc(entry->common.arena,
-					 entry->subjectName.len);
-    if ( entry->subjectName.data == NULL ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-    PORT_Memcpy(entry->subjectName.data,
-	      &dbentry->data[DB_SMIME_ENTRY_HEADER_LEN],
-	      entry->subjectName.len);
-
-    /* copy the smime options */
-    if ( entry->smimeOptions.len ) {
-	entry->smimeOptions.data =
-	    (unsigned char *)PORT_ArenaAlloc(entry->common.arena,
-					     entry->smimeOptions.len);
-	if ( entry->smimeOptions.data == NULL ) {
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    goto loser;
-	}
-	PORT_Memcpy(entry->smimeOptions.data,
-		    &dbentry->data[DB_SMIME_ENTRY_HEADER_LEN +
-				   entry->subjectName.len],
-		    entry->smimeOptions.len);
-    }
-    if ( entry->optionsDate.len ) {
-	entry->optionsDate.data =
-	    (unsigned char *)PORT_ArenaAlloc(entry->common.arena,
-					     entry->optionsDate.len);
-	if ( entry->optionsDate.data == NULL ) {
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    goto loser;
-	}
-	PORT_Memcpy(entry->optionsDate.data,
-		    &dbentry->data[DB_SMIME_ENTRY_HEADER_LEN +
-				   entry->subjectName.len +
-				   entry->smimeOptions.len],
-		    entry->optionsDate.len);
-    }
-
-    /* both options and options date must either exist or not exist */
-    if ( ( ( entry->optionsDate.len == 0 ) ||
-	  ( entry->smimeOptions.len == 0 ) ) &&
-	entry->smimeOptions.len != entry->optionsDate.len ) {
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	goto loser;
-    }
-
-    entry->emailAddr = (char *)PORT_ArenaAlloc(entry->common.arena,
-						PORT_Strlen(emailAddr)+1);
-    if ( entry->emailAddr ) {
-	PORT_Strcpy(entry->emailAddr, emailAddr);
-    }
-    
-    return(SECSuccess);
-
-loser:
-    return(SECFailure);
-}
-
-/*
- * create a new SMIME entry
- */
-static certDBEntrySMime *
-NewDBSMimeEntry(char *emailAddr, SECItem *subjectName, SECItem *smimeOptions,
-		SECItem *optionsDate, unsigned int flags)
-{
-    PRArenaPool *arena = NULL;
-    certDBEntrySMime *entry;
-    int addrlen;
-    SECStatus rv;
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( arena == NULL ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    entry = (certDBEntrySMime *)PORT_ArenaAlloc(arena,
-						sizeof(certDBEntrySMime));
-    if ( entry == NULL ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    /* init common fields */
-    entry->common.arena = arena;
-    entry->common.type = certDBEntryTypeSMimeProfile;
-    entry->common.version = CERT_DB_FILE_VERSION;
-    entry->common.flags = flags;
-
-    /* copy the email addr */
-    addrlen = PORT_Strlen(emailAddr) + 1;
-    
-    entry->emailAddr = (char*)PORT_ArenaAlloc(arena, addrlen);
-    if ( entry->emailAddr == NULL ) {
-	goto loser;
-    }
-    
-    PORT_Memcpy(entry->emailAddr, emailAddr, addrlen);
-    
-    /* copy the subject name */
-    rv = SECITEM_CopyItem(arena, &entry->subjectName, subjectName);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    /* copy the smime options */
-    if ( smimeOptions ) {
-	rv = SECITEM_CopyItem(arena, &entry->smimeOptions, smimeOptions);
-	if ( rv != SECSuccess ) {
-	    goto loser;
-	}
-    } else {
-	PORT_Assert(optionsDate == NULL);
-	entry->smimeOptions.data = NULL;
-	entry->smimeOptions.len = 0;
-    }
-
-    /* copy the options date */
-    if ( optionsDate ) {
-	rv = SECITEM_CopyItem(arena, &entry->optionsDate, optionsDate);
-	if ( rv != SECSuccess ) {
-	    goto loser;
-	}
-    } else {
-	PORT_Assert(smimeOptions == NULL);
-	entry->optionsDate.data = NULL;
-	entry->optionsDate.len = 0;
-    }
-    
-    return(entry);
-loser:
-    if ( arena ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    
-    return(NULL);
-}
-
-/*
- * delete a SMIME entry
- */
-static SECStatus
-DeleteDBSMimeEntry(NSSLOWCERTCertDBHandle *handle, char *emailAddr)
-{
-    PRArenaPool *arena = NULL;
-    SECStatus rv;
-    SECItem dbkey;
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( arena == NULL ) {
-	goto loser;
-    }
-
-    rv = EncodeDBSMimeKey(emailAddr, arena, &dbkey);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    rv = DeleteDBEntry(handle, certDBEntryTypeSMimeProfile, &dbkey);
-    if ( rv == SECFailure ) {
-	goto loser;
-    }
-
-    PORT_FreeArena(arena, PR_FALSE);
-    return(SECSuccess);
-
-loser:
-    if ( arena ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    
-    return(SECFailure);
-}
-
-/*
- * Read a SMIME entry
- */
-certDBEntrySMime *
-nsslowcert_ReadDBSMimeEntry(NSSLOWCERTCertDBHandle *handle, char *emailAddr)
-{
-    PRArenaPool *arena = NULL;
-    PRArenaPool *tmparena = NULL;
-    certDBEntrySMime *entry;
-    SECItem dbkey;
-    SECItem dbentry;
-    SECStatus rv;
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( arena == NULL ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( tmparena == NULL ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-    
-    entry = (certDBEntrySMime *)PORT_ArenaAlloc(arena,
-						sizeof(certDBEntrySMime));
-    if ( entry == NULL ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-    entry->common.arena = arena;
-    entry->common.type = certDBEntryTypeSMimeProfile;
-
-    rv = EncodeDBSMimeKey(emailAddr, tmparena, &dbkey);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    
-    rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, tmparena);
-    if ( rv == SECFailure ) {
-	goto loser;
-    }
-
-    /* is record long enough for header? */
-    if ( dbentry.len < DB_SMIME_ENTRY_HEADER_LEN ) {
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	goto loser;
-    }
-
-    rv = DecodeDBSMimeEntry(entry, &dbentry, emailAddr);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    
-    PORT_FreeArena(tmparena, PR_FALSE);
-    return(entry);
-    
-loser:
-    if ( tmparena ) {
-	PORT_FreeArena(tmparena, PR_FALSE);
-    }
-    if ( arena ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    
-    return(NULL);
-}
-
-/*
- * Encode a SMIME entry into byte stream suitable for
- * the database
- */
-static SECStatus
-WriteDBSMimeEntry(NSSLOWCERTCertDBHandle *handle, certDBEntrySMime *entry)
-{
-    SECItem dbitem, dbkey;
-    PRArenaPool *tmparena = NULL;
-    SECStatus rv;
-    
-    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( tmparena == NULL ) {
-	goto loser;
-    }
-    
-    rv = EncodeDBSMimeEntry(entry, tmparena, &dbitem);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    rv = EncodeDBSMimeKey(entry->emailAddr, tmparena, &dbkey);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    /* now write it to the database */
-    rv = WriteDBEntry(handle, &entry->common, &dbkey, &dbitem);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    
-    PORT_FreeArena(tmparena, PR_FALSE);
-    return(SECSuccess);
-
-loser:
-    if ( tmparena ) {
-	PORT_FreeArena(tmparena, PR_FALSE);
-    }
-    return(SECFailure);
-    
-}
-
-/*
- * Encode a database subject record
- */
-static SECStatus
-EncodeDBSubjectEntry(certDBEntrySubject *entry, PRArenaPool *arena,
-		     SECItem *dbitem)
-{
-    unsigned char *buf;
-    int len;
-    unsigned int ncerts;
-    unsigned int i;
-    unsigned char *tmpbuf;
-    unsigned int nnlen = 0;
-    unsigned int eaddrslen = 0;
-    int keyidoff;
-    SECItem *certKeys;
-    SECItem *keyIDs;
-    
-    if ( entry->nickname ) {
-	nnlen = PORT_Strlen(entry->nickname) + 1;
-    }
-    if ( entry->emailAddrs ) {
-	eaddrslen = 2;
-	for (i=0; i < entry->nemailAddrs; i++) {
-	    eaddrslen += PORT_Strlen(entry->emailAddrs[i]) + 1 + 2;
-	}
-    }
-
-    ncerts = entry->ncerts;
-    
-    /* compute the length of the entry */
-    keyidoff = DB_SUBJECT_ENTRY_HEADER_LEN + nnlen ;
-    len = keyidoff + 4 * ncerts + eaddrslen;
-    for ( i = 0; i < ncerts; i++ ) {
-	len += entry->certKeys[i].len;
-	len += entry->keyIDs[i].len;
-    }
-    
-    /* allocate space for encoded database record, including space
-     * for low level header
-     */
-    dbitem->len = len + SEC_DB_ENTRY_HEADER_LEN;
-    
-    dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
-    if ( dbitem->data == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-    
-    /* fill in database record */
-    buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
-    
-    buf[0] = ( ncerts >> 8 ) & 0xff;
-    buf[1] = ncerts & 0xff;
-    buf[2] = ( nnlen >> 8 ) & 0xff;
-    buf[3] = nnlen & 0xff;
-    /* v7 email field is NULL in v8 */
-    buf[4] = 0;
-    buf[5] = 0;
-
-    PORT_Memcpy(&buf[DB_SUBJECT_ENTRY_HEADER_LEN], entry->nickname, nnlen);
-    
-    for ( i = 0; i < ncerts; i++ ) {
-
-	certKeys = entry->certKeys;
-	keyIDs = entry->keyIDs;
-
-	buf[keyidoff+i*2] = ( certKeys[i].len >> 8 ) & 0xff;
-	buf[keyidoff+1+i*2] = certKeys[i].len & 0xff;
-	buf[keyidoff+ncerts*2+i*2] = ( keyIDs[i].len >> 8 ) & 0xff;
-	buf[keyidoff+1+ncerts*2+i*2] = keyIDs[i].len & 0xff;
-    }
-    
-    /* temp pointer used to stuff certkeys and keyids into the buffer */
-    tmpbuf = &buf[keyidoff+ncerts*4];
-
-    for ( i = 0; i < ncerts; i++ ) {
-	certKeys = entry->certKeys;
-	PORT_Memcpy(tmpbuf, certKeys[i].data, certKeys[i].len);
-	tmpbuf = tmpbuf + certKeys[i].len;
-    }
-    
-    for ( i = 0; i < ncerts; i++ ) {
-	keyIDs = entry->keyIDs;
-	PORT_Memcpy(tmpbuf, keyIDs[i].data, keyIDs[i].len);
-	tmpbuf = tmpbuf + keyIDs[i].len;
-    }
-
-    if (entry->emailAddrs) {
-	tmpbuf[0] =  (entry->nemailAddrs >> 8) & 0xff;
-	tmpbuf[1] =  entry->nemailAddrs  & 0xff;
-	tmpbuf += 2;
-	for (i=0; i < entry->nemailAddrs; i++) {
-	    int nameLen = PORT_Strlen(entry->emailAddrs[i]) + 1;
-	    tmpbuf[0] =  (nameLen >> 8) & 0xff;
-	    tmpbuf[1] =  nameLen & 0xff;
-	    tmpbuf += 2;
-	    PORT_Memcpy(tmpbuf,entry->emailAddrs[i],nameLen);
-	    tmpbuf +=nameLen;
-	}
-    }
-
-    PORT_Assert(tmpbuf == &buf[len]);
-    
-    return(SECSuccess);
-
-loser:
-    return(SECFailure);
-}
-
-/*
- * Encode a database key for a subject record
- */
-static SECStatus
-EncodeDBSubjectKey(SECItem *derSubject, PRArenaPool *arena,
-		   SECItem *dbkey)
-{
-    dbkey->len = derSubject->len + SEC_DB_KEY_HEADER_LEN;
-    dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
-    if ( dbkey->data == NULL ) {
-	goto loser;
-    }
-    PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN], derSubject->data,
-	      derSubject->len);
-    dbkey->data[0] = certDBEntryTypeSubject;
-
-    return(SECSuccess);
-
-loser:
-    return(SECFailure);
-}
-
-static SECStatus
-DecodeDBSubjectEntry(certDBEntrySubject *entry, SECItem *dbentry,
-		     SECItem *derSubject)
-{
-    unsigned int ncerts;
-    PRArenaPool *arena;
-    unsigned int len, itemlen;
-    unsigned char *tmpbuf;
-    unsigned char *end;
-    unsigned int i;
-    SECStatus rv;
-    unsigned int keyidoff;
-    unsigned int nnlen, eaddrlen;
-    unsigned int stdlen;
-    
-    arena = entry->common.arena;
-
-    rv = SECITEM_CopyItem(arena, &entry->derSubject, derSubject);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    /* is record long enough for header? */
-    if ( dbentry->len < DB_SUBJECT_ENTRY_HEADER_LEN ) {
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	goto loser;
-    }
-    
-    entry->ncerts = ncerts = ( ( dbentry->data[0] << 8 ) | dbentry->data[1] );
-    nnlen = ( ( dbentry->data[2] << 8 ) | dbentry->data[3] );
-    eaddrlen = ( ( dbentry->data[4] << 8 ) | dbentry->data[5] );
-    stdlen = ncerts * 4 + DB_SUBJECT_ENTRY_HEADER_LEN + nnlen + eaddrlen;
-    if ( dbentry->len < stdlen) {
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	goto loser;
-    }
-    
-    entry->certKeys = (SECItem *)PORT_ArenaAlloc(arena,
-						 sizeof(SECItem) * ncerts);
-    entry->keyIDs = (SECItem *)PORT_ArenaAlloc(arena,
-					       sizeof(SECItem) * ncerts);
-
-    if ( ( entry->certKeys == NULL ) || ( entry->keyIDs == NULL ) ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    if ( nnlen > 1 ) { /* null terminator is stored */
-	entry->nickname = (char *)PORT_ArenaAlloc(arena, nnlen);
-	if ( entry->nickname == NULL ) {
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    goto loser;
-	}
-	PORT_Memcpy(entry->nickname,
-		    &dbentry->data[DB_SUBJECT_ENTRY_HEADER_LEN],
-		    nnlen);
-    } else {
-	entry->nickname = NULL;
-    }
-
-    /* if we have an old style email entry, there is only one */    
-    entry->nemailAddrs = 0;
-    if ( eaddrlen > 1 ) { /* null terminator is stored */
-	entry->emailAddrs = (char **)PORT_ArenaAlloc(arena, sizeof(char *));
-	if ( entry->emailAddrs == NULL ) {
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    goto loser;
-	}
-	entry->emailAddrs[0] = (char *)PORT_ArenaAlloc(arena, eaddrlen);
-	if ( entry->emailAddrs[0] == NULL ) {
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    goto loser;
-	}
-	PORT_Memcpy(entry->emailAddrs[0],
-		    &dbentry->data[DB_SUBJECT_ENTRY_HEADER_LEN+nnlen],
-		    eaddrlen);
-	 entry->nemailAddrs = 1;
-    } else {
-	entry->emailAddrs = NULL;
-    }
-    
-    /* collect the lengths of the certKeys and keyIDs, and total the
-     * overall length.
-     */
-    keyidoff = DB_SUBJECT_ENTRY_HEADER_LEN + nnlen + eaddrlen;
-    len = keyidoff + 4 * ncerts;
-
-    tmpbuf = &dbentry->data[0];
-    
-    for ( i = 0; i < ncerts; i++ ) {
-
-	itemlen = ( tmpbuf[keyidoff + 2*i] << 8 ) | tmpbuf[keyidoff + 1 + 2*i] ;
-	len += itemlen;
-	entry->certKeys[i].len = itemlen;
-
-	itemlen = ( tmpbuf[keyidoff + 2*ncerts + 2*i] << 8 ) |
-	    tmpbuf[keyidoff + 1 + 2*ncerts + 2*i] ;
-	len += itemlen;
-	entry->keyIDs[i].len = itemlen;
-    }
-    
-    /* is database entry correct length? */
-    if ( len > dbentry->len ){
-	PORT_SetError(SEC_ERROR_BAD_DATABASE);
-	goto loser;
-    }
-    
-    tmpbuf = &tmpbuf[keyidoff + 4*ncerts];
-    for ( i = 0; i < ncerts; i++ ) {
-	entry->certKeys[i].data =
-	    (unsigned char *)PORT_ArenaAlloc(arena, entry->certKeys[i].len);
-	if ( entry->certKeys[i].data == NULL ) {
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    goto loser;
-	}
-	PORT_Memcpy(entry->certKeys[i].data, tmpbuf, entry->certKeys[i].len);
-	tmpbuf = &tmpbuf[entry->certKeys[i].len];
-    }
-
-    for ( i = 0; i < ncerts; i++ ) {
-	entry->keyIDs[i].data =
-	    (unsigned char *)PORT_ArenaAlloc(arena, entry->keyIDs[i].len);
-	if ( entry->keyIDs[i].data == NULL ) {
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    goto loser;
-	}
-	PORT_Memcpy(entry->keyIDs[i].data, tmpbuf, entry->keyIDs[i].len);
-	tmpbuf = &tmpbuf[entry->keyIDs[i].len];
-    }
-
-    end = &dbentry->data[dbentry->len];
-    if ((eaddrlen == 0) && (tmpbuf+1 < end)) {
-	/* read in the additional email addresses */
-	entry->nemailAddrs = tmpbuf[0] << 8 | tmpbuf[1];
-	tmpbuf += 2;
-	entry->emailAddrs = (char **)
-		PORT_ArenaAlloc(arena, entry->nemailAddrs * sizeof(char *));
-	if (entry->emailAddrs == NULL) {
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    goto loser;
-	}
-	for (i=0; i < entry->nemailAddrs; i++) {
-	    int nameLen;
-	    if (tmpbuf + 2 > end) {
-		goto loser;
-	    }
-
-	    nameLen = tmpbuf[0] << 8 | tmpbuf[1];
-	    entry->emailAddrs[i] = PORT_ArenaAlloc(arena,nameLen);
-	    if (entry->emailAddrs == NULL) {
-	        PORT_SetError(SEC_ERROR_NO_MEMORY);
-	        goto loser;
-	    }
-	    if (tmpbuf + (nameLen+2) > end) {
-		goto loser;
-	    }
-	    PORT_Memcpy(entry->emailAddrs[i],&tmpbuf[2],nameLen);
-	    tmpbuf += 2 + nameLen;
-	}
-    }
-    
-    
-    return(SECSuccess);
-
-loser:
-    return(SECFailure);
-}
-
-/*
- * create a new subject entry with a single cert
- */
-static certDBEntrySubject *
-NewDBSubjectEntry(SECItem *derSubject, SECItem *certKey,
-		  SECItem *keyID, char *nickname, char *emailAddr,
-		  unsigned int flags)
-{
-    PRArenaPool *arena = NULL;
-    certDBEntrySubject *entry;
-    SECStatus rv;
-    unsigned int nnlen;
-    unsigned int eaddrlen;
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( arena == NULL ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    entry = (certDBEntrySubject *)PORT_ArenaAlloc(arena,
-						  sizeof(certDBEntrySubject));
-    if ( entry == NULL ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    /* init common fields */
-    entry->common.arena = arena;
-    entry->common.type = certDBEntryTypeSubject;
-    entry->common.version = CERT_DB_FILE_VERSION;
-    entry->common.flags = flags;
-
-    /* copy the subject */
-    rv = SECITEM_CopyItem(arena, &entry->derSubject, derSubject);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    
-    entry->ncerts = 1;
-    entry->nemailAddrs = 0;
-    /* copy nickname */
-    if ( nickname && ( *nickname != '\0' ) ) {
-	nnlen = PORT_Strlen(nickname) + 1;
-	entry->nickname = (char *)PORT_ArenaAlloc(arena, nnlen);
-	if ( entry->nickname == NULL ) {
-	    goto loser;
-	}
-						  
-	PORT_Memcpy(entry->nickname, nickname, nnlen);
-    } else {
-	entry->nickname = NULL;
-    }
-    
-    /* copy email addr */
-    if ( emailAddr && ( *emailAddr != '\0' ) ) {
-	emailAddr = nsslowcert_FixupEmailAddr(emailAddr);
-	if ( emailAddr == NULL ) {
-	    entry->emailAddrs = NULL;
-	    goto loser;
-	}
-	
-	eaddrlen = PORT_Strlen(emailAddr) + 1;
-	entry->emailAddrs = (char **)PORT_ArenaAlloc(arena, sizeof(char *));
-	if ( entry->emailAddrs == NULL ) {
-	    PORT_Free(emailAddr);
-	    goto loser;
-	}
-	entry->emailAddrs[0] = PORT_ArenaStrdup(arena,emailAddr);
-	if (entry->emailAddrs[0]) {
-	    entry->nemailAddrs = 1;
-	} 
-	
-	PORT_Free(emailAddr);
-    } else {
-	entry->emailAddrs = NULL;
-    }
-    
-    /* allocate space for certKeys and keyIDs */
-    entry->certKeys = (SECItem *)PORT_ArenaAlloc(arena, sizeof(SECItem));
-    entry->keyIDs = (SECItem *)PORT_ArenaAlloc(arena, sizeof(SECItem));
-    if ( ( entry->certKeys == NULL ) || ( entry->keyIDs == NULL ) ) {
-	goto loser;
-    }
-
-    /* copy the certKey and keyID */
-    rv = SECITEM_CopyItem(arena, &entry->certKeys[0], certKey);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    rv = SECITEM_CopyItem(arena, &entry->keyIDs[0], keyID);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    
-    return(entry);
-loser:
-    if ( arena ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    
-    return(NULL);
-}
-
-/*
- * delete a subject entry
- */
-static SECStatus
-DeleteDBSubjectEntry(NSSLOWCERTCertDBHandle *handle, SECItem *derSubject)
-{
-    SECItem dbkey;
-    PRArenaPool *arena = NULL;
-    SECStatus rv;
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( arena == NULL ) {
-	goto loser;
-    }
-    
-    rv = EncodeDBSubjectKey(derSubject, arena, &dbkey);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    
-    rv = DeleteDBEntry(handle, certDBEntryTypeSubject, &dbkey);
-    if ( rv == SECFailure ) {
-	goto loser;
-    }
-
-    PORT_FreeArena(arena, PR_FALSE);
-    return(SECSuccess);
-
-loser:
-    if ( arena ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    
-    return(SECFailure);
-}
-
-/*
- * Read the subject entry
- */
-static certDBEntrySubject *
-ReadDBSubjectEntry(NSSLOWCERTCertDBHandle *handle, SECItem *derSubject)
-{
-    PRArenaPool *arena = NULL;
-    PRArenaPool *tmparena = NULL;
-    certDBEntrySubject *entry;
-    SECItem dbkey;
-    SECItem dbentry;
-    SECStatus rv;
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( arena == NULL ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( tmparena == NULL ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-    
-    entry = (certDBEntrySubject *)PORT_ArenaAlloc(arena,
-						sizeof(certDBEntrySubject));
-    if ( entry == NULL ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-    entry->common.arena = arena;
-    entry->common.type = certDBEntryTypeSubject;
-
-    rv = EncodeDBSubjectKey(derSubject, tmparena, &dbkey);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    
-    rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, tmparena);
-    if ( rv == SECFailure ) {
-	goto loser;
-    }
-
-    rv = DecodeDBSubjectEntry(entry, &dbentry, derSubject);
-    if ( rv == SECFailure ) {
-	goto loser;
-    }
-    
-    PORT_FreeArena(tmparena, PR_FALSE);
-    return(entry);
-    
-loser:
-    if ( tmparena ) {
-	PORT_FreeArena(tmparena, PR_FALSE);
-    }
-    if ( arena ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    
-    return(NULL);
-}
-
-/*
- * Encode a subject name entry into byte stream suitable for
- * the database
- */
-static SECStatus
-WriteDBSubjectEntry(NSSLOWCERTCertDBHandle *handle, certDBEntrySubject *entry)
-{
-    SECItem dbitem, dbkey;
-    PRArenaPool *tmparena = NULL;
-    SECStatus rv;
-    
-    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( tmparena == NULL ) {
-	goto loser;
-    }
-    
-    rv = EncodeDBSubjectEntry(entry, tmparena, &dbitem);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    
-    rv = EncodeDBSubjectKey(&entry->derSubject, tmparena, &dbkey);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    /* now write it to the database */
-    rv = WriteDBEntry(handle, &entry->common, &dbkey, &dbitem);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    
-    PORT_FreeArena(tmparena, PR_FALSE);
-    return(SECSuccess);
-
-loser:
-    if ( tmparena ) {
-	PORT_FreeArena(tmparena, PR_FALSE);
-    }
-    return(SECFailure);
-    
-}
-
-typedef enum { nsslowcert_remove, nsslowcert_add } nsslowcertUpdateType;
-
-static SECStatus
-nsslowcert_UpdateSubjectEmailAddr(NSSLOWCERTCertDBHandle *dbhandle, 
-	SECItem *derSubject, char *emailAddr, nsslowcertUpdateType updateType)
-{
-    certDBEntrySubject *entry = NULL;
-    int index = -1, i;
-    SECStatus rv;
-   
-    if (emailAddr) { 
-	emailAddr = nsslowcert_FixupEmailAddr(emailAddr);
-	if (emailAddr == NULL) {
-	    return SECFailure;
-	}
-    } else {
-	return SECSuccess;
-    }
-
-    entry = ReadDBSubjectEntry(dbhandle,derSubject);    
-    if (entry == NULL) {
-	goto loser;
-    } 
-
-    if ( entry->emailAddrs ) {
-	for (i=0; i < (int)(entry->nemailAddrs); i++) {
-	    if (PORT_Strcmp(entry->emailAddrs[i],emailAddr) == 0) {
-		index = i;
-	    }
-	}
-    }
-
-
-    if (updateType == nsslowcert_remove) {
-	if (index == -1) {
-	    return SECSuccess;
-	}
-
-	entry->nemailAddrs--;
-	for (i=index; i < (int)(entry->nemailAddrs); i++) {
-	   entry->emailAddrs[i] = entry->emailAddrs[i+1];
-	}
-    } else {
-	char **newAddrs = NULL;
-	if (index != -1) {
-	    return SECSuccess;
-	}
-	newAddrs = (char **)PORT_ArenaAlloc(entry->common.arena,
-		(entry->nemailAddrs+1)* sizeof(char *));
-	if (!newAddrs) {
-	    goto loser;
-	}
-	for (i=0; i < (int)(entry->nemailAddrs); i++) {
-	   newAddrs[i] = entry->emailAddrs[i];
-	}
-	newAddrs[entry->nemailAddrs] = 
-			PORT_ArenaStrdup(entry->common.arena,emailAddr);
-	if (!newAddrs[entry->nemailAddrs]) {
-	   goto loser;
-	}
-	entry->emailAddrs = newAddrs;
-	entry->nemailAddrs++;
-    }
-	
-    /* delete the subject entry */
-    DeleteDBSubjectEntry(dbhandle, derSubject);
-
-    /* write the new one */
-    rv = WriteDBSubjectEntry(dbhandle, entry);
-    if ( rv != SECSuccess ) {
-	    goto loser;
-    }
-
-    DestroyDBEntry((certDBEntry *)entry);
-    if (emailAddr) PORT_Free(emailAddr);
-    return(SECSuccess);
-
-loser:
-    if (entry) DestroyDBEntry((certDBEntry *)entry);
-    if (emailAddr) PORT_Free(emailAddr);
-    return(SECFailure);
-}
-
-/*
- * writes a nickname to an existing subject entry that does not currently
- * have one
- */
-static SECStatus
-AddNicknameToSubject(NSSLOWCERTCertDBHandle *dbhandle,
-			NSSLOWCERTCertificate *cert, char *nickname)
-{
-    certDBEntrySubject *entry;
-    SECStatus rv;
-    
-    if ( nickname == NULL ) {
-	return(SECFailure);
-    }
-    
-    entry = ReadDBSubjectEntry(dbhandle,&cert->derSubject);
-    PORT_Assert(entry != NULL);
-    if ( entry == NULL ) {
-	goto loser;
-    }
-    
-    PORT_Assert(entry->nickname == NULL);
-    if ( entry->nickname != NULL ) {
-	goto loser;
-    }
-    
-    entry->nickname = (nickname) ? 
-			PORT_ArenaStrdup(entry->common.arena, nickname) : NULL;
-    
-    if ( entry->nickname == NULL ) {
-	goto loser;
-    }
-	
-    /* delete the subject entry */
-    DeleteDBSubjectEntry(dbhandle, &cert->derSubject);
-
-    /* write the new one */
-    rv = WriteDBSubjectEntry(dbhandle, entry);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    return(SECSuccess);
-
-loser:
-    return(SECFailure);
-}
-
-/*
- * create a new version entry
- */
-static certDBEntryVersion *
-NewDBVersionEntry(unsigned int flags)
-{
-    PRArenaPool *arena = NULL;
-    certDBEntryVersion *entry;
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( arena == NULL ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    entry = (certDBEntryVersion *)PORT_ArenaAlloc(arena,
-					       sizeof(certDBEntryVersion));
-    if ( entry == NULL ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-    entry->common.arena = arena;
-    entry->common.type = certDBEntryTypeVersion;
-    entry->common.version = CERT_DB_FILE_VERSION;
-    entry->common.flags = flags;
-
-    return(entry);
-loser:
-    if ( arena ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    
-    return(NULL);
-}
-
-/*
- * Read the version entry
- */
-static certDBEntryVersion *
-ReadDBVersionEntry(NSSLOWCERTCertDBHandle *handle)
-{
-    PRArenaPool *arena = NULL;
-    PRArenaPool *tmparena = NULL;
-    certDBEntryVersion *entry;
-    SECItem dbkey;
-    SECItem dbentry;
-    SECStatus rv;
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( arena == NULL ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-
-    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( tmparena == NULL ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-    
-    entry = (certDBEntryVersion *)PORT_ArenaAlloc(arena,
-						sizeof(certDBEntryVersion));
-    if ( entry == NULL ) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-    entry->common.arena = arena;
-    entry->common.type = certDBEntryTypeVersion;
-
-    /* now get the database key and format it */
-    dbkey.len = SEC_DB_VERSION_KEY_LEN + SEC_DB_KEY_HEADER_LEN;
-    dbkey.data = (unsigned char *)PORT_ArenaAlloc(tmparena, dbkey.len);
-    if ( dbkey.data == NULL ) {
-	goto loser;
-    }
-    PORT_Memcpy(&dbkey.data[SEC_DB_KEY_HEADER_LEN], SEC_DB_VERSION_KEY,
-	      SEC_DB_VERSION_KEY_LEN);
-
-    rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, tmparena);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-
-    PORT_FreeArena(tmparena, PR_FALSE);
-    return(entry);
-    
-loser:
-    if ( tmparena ) {
-	PORT_FreeArena(tmparena, PR_FALSE);
-    }
-    if ( arena ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    
-    return(NULL);
-}
-
-
-/*
- * Encode a version entry into byte stream suitable for
- * the database
- */
-static SECStatus
-WriteDBVersionEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryVersion *entry)
-{
-    SECItem dbitem, dbkey;
-    PRArenaPool *tmparena = NULL;
-    SECStatus rv;
-    
-    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( tmparena == NULL ) {
-	goto loser;
-    }
-    
-    /* allocate space for encoded database record, including space
-     * for low level header
-     */
-    dbitem.len = SEC_DB_ENTRY_HEADER_LEN;
-    
-    dbitem.data = (unsigned char *)PORT_ArenaAlloc(tmparena, dbitem.len);
-    if ( dbitem.data == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	goto loser;
-    }
-    
-    /* now get the database key and format it */
-    dbkey.len = SEC_DB_VERSION_KEY_LEN + SEC_DB_KEY_HEADER_LEN;
-    dbkey.data = (unsigned char *)PORT_ArenaAlloc(tmparena, dbkey.len);
-    if ( dbkey.data == NULL ) {
-	goto loser;
-    }
-    PORT_Memcpy(&dbkey.data[SEC_DB_KEY_HEADER_LEN], SEC_DB_VERSION_KEY,
-	      SEC_DB_VERSION_KEY_LEN);
-
-    /* now write it to the database */
-    rv = WriteDBEntry(handle, &entry->common, &dbkey, &dbitem);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    
-    PORT_FreeArena(tmparena, PR_FALSE);
-    return(SECSuccess);
-
-loser:
-    if ( tmparena ) {
-	PORT_FreeArena(tmparena, PR_FALSE);
-    }
-    return(SECFailure);
-}
-
-/*
- * cert is no longer a perm cert, but will remain a temp cert
- */
-static SECStatus
-RemovePermSubjectNode(NSSLOWCERTCertificate *cert)
-{
-    certDBEntrySubject *entry;
-    unsigned int i;
-    SECStatus rv;
-    
-    entry = ReadDBSubjectEntry(cert->dbhandle,&cert->derSubject);
-    if ( entry == NULL ) {
-	return(SECFailure);
-    }
-
-    PORT_Assert(entry->ncerts);
-    rv = SECFailure;
-    
-    if ( entry->ncerts > 1 ) {
-	for ( i = 0; i < entry->ncerts; i++ ) {
-	    if ( SECITEM_CompareItem(&entry->certKeys[i], &cert->certKey) ==
-		SECEqual ) {
-		/* copy rest of list forward one entry */
-		for ( i = i + 1; i < entry->ncerts; i++ ) {
-		    entry->certKeys[i-1] = entry->certKeys[i];
-		    entry->keyIDs[i-1] = entry->keyIDs[i];
-		}
-		entry->ncerts--;
-		DeleteDBSubjectEntry(cert->dbhandle, &cert->derSubject);
-		rv = WriteDBSubjectEntry(cert->dbhandle, entry);
-		break;
-	    }
-	}
-    } else {
-	/* no entries left, delete the perm entry in the DB */
-	if ( entry->emailAddrs ) {
-	    /* if the subject had an email record, then delete it too */
-	    for (i=0; i < entry->nemailAddrs; i++) {
-		DeleteDBSMimeEntry(cert->dbhandle, entry->emailAddrs[i]);
-	    }
-	}
-	if ( entry->nickname ) {
-	    DeleteDBNicknameEntry(cert->dbhandle, entry->nickname);
-	}
-	
-	DeleteDBSubjectEntry(cert->dbhandle, &cert->derSubject);
-    }
-    DestroyDBEntry((certDBEntry *)entry);
-
-    return(rv);
-}
-
-/*
- * add a cert to the perm subject list
- */
-static SECStatus
-AddPermSubjectNode(certDBEntrySubject *entry, NSSLOWCERTCertificate *cert, 
-								char *nickname)
-{
-    SECItem *newCertKeys, *newKeyIDs;
-    unsigned int i, new_i;
-    SECStatus rv;
-    NSSLOWCERTCertificate *cmpcert;
-    unsigned int nnlen;
-    unsigned int ncerts;
-    PRBool added = PR_FALSE;
-
-    PORT_Assert(entry);    
-    ncerts = entry->ncerts;
-	
-    if ( nickname && entry->nickname ) {
-	/* nicknames must be the same */
-	PORT_Assert(PORT_Strcmp(nickname, entry->nickname) == 0);
-    }
-
-    if ( ( entry->nickname == NULL ) && ( nickname != NULL ) ) {
-	/* copy nickname into the entry */
-	nnlen = PORT_Strlen(nickname) + 1;
-	entry->nickname = (char *)PORT_ArenaAlloc(entry->common.arena,nnlen);
-	if ( entry->nickname == NULL ) {
-	    return(SECFailure);
-	}
-	PORT_Memcpy(entry->nickname, nickname, nnlen);
-    }
-	
-    /* a DB entry already exists, so add this cert */
-    newCertKeys = (SECItem *)PORT_ArenaAlloc(entry->common.arena,
-					 sizeof(SECItem) * ( ncerts + 1 ) );
-    newKeyIDs = (SECItem *)PORT_ArenaAlloc(entry->common.arena,
-					 sizeof(SECItem) * ( ncerts + 1 ) );
-
-    if ( ( newCertKeys == NULL ) || ( newKeyIDs == NULL ) ) {
-	    return(SECFailure);
-    }
-
-    for ( i = 0, new_i=0; i < ncerts; i++ ) {
-	cmpcert = nsslowcert_FindCertByKey(cert->dbhandle,
-						  &entry->certKeys[i]);
-	/* The entry has been corrupted, remove it from the list */
-	if (!cmpcert) {
-	    continue;
-	}
-
-	if ( nsslowcert_IsNewer(cert, cmpcert) ) {
-	    /* insert before cmpcert */
-	    rv = SECITEM_CopyItem(entry->common.arena, &newCertKeys[new_i],
-				      &cert->certKey);
-	    if ( rv != SECSuccess ) {
-		return(SECFailure);
-	    }
-	    rv = SECITEM_CopyItem(entry->common.arena, &newKeyIDs[new_i],
-				      &cert->subjectKeyID);
-	    if ( rv != SECSuccess ) {
-		return(SECFailure);
-	    }
-	    new_i++;
-	    /* copy the rest of the entry */
-	    for ( ; i < ncerts; i++ ,new_i++) {
-		newCertKeys[new_i] = entry->certKeys[i];
-		newKeyIDs[new_i] = entry->keyIDs[i];
-	    }
-
-	    /* update certKeys and keyIDs */
-	    entry->certKeys = newCertKeys;
-	    entry->keyIDs = newKeyIDs;
-		
-	    /* set new count value */
-	    entry->ncerts = new_i;
-	    added = PR_TRUE;
-	    break;
-	}
-	/* copy this cert entry */
-	newCertKeys[new_i] = entry->certKeys[i];
-	newKeyIDs[new_i] = entry->keyIDs[i];
-	new_i++; /* only increment if we copied the entries */
-    }
-
-    if ( !added ) {
-	/* insert new one at end */
-	rv = SECITEM_CopyItem(entry->common.arena, &newCertKeys[new_i],
-				  &cert->certKey);
-	if ( rv != SECSuccess ) {
-	    return(SECFailure);
-	}
-	rv = SECITEM_CopyItem(entry->common.arena, &newKeyIDs[new_i],
-				  &cert->subjectKeyID);
-	if ( rv != SECSuccess ) {
-	    return(SECFailure);
-	}
-	new_i++;
-
-	/* update certKeys and keyIDs */
-	entry->certKeys = newCertKeys;
-	entry->keyIDs = newKeyIDs;
-		
-	/* increment count */
-	entry->ncerts = new_i;
-    }
-    DeleteDBSubjectEntry(cert->dbhandle, &cert->derSubject);
-    rv = WriteDBSubjectEntry(cert->dbhandle, entry);
-    return(rv);
-}
-
-
-SECStatus
-nsslowcert_TraversePermCertsForSubject(NSSLOWCERTCertDBHandle *handle,
-				 SECItem *derSubject,
-				 NSSLOWCERTCertCallback cb, void *cbarg)
-{
-    certDBEntrySubject *entry;
-    unsigned int i;
-    NSSLOWCERTCertificate *cert;
-    SECStatus rv = SECSuccess;
-    
-    entry = ReadDBSubjectEntry(handle, derSubject);
-
-    if ( entry == NULL ) {
-	return(SECFailure);
-    }
-    
-    for( i = 0; i < entry->ncerts; i++ ) {
-	cert = nsslowcert_FindCertByKey(handle, &entry->certKeys[i]);
-	if (!cert) {
-	    continue;
-	}
-	rv = (* cb)(cert, cbarg);
-	nsslowcert_DestroyCertificate(cert);
-	if ( rv == SECFailure ) {
-	    break;
-	}
-    }
-
-    DestroyDBEntry((certDBEntry *)entry);
-
-    return(rv);
-}
-
-int
-nsslowcert_NumPermCertsForSubject(NSSLOWCERTCertDBHandle *handle,
-							 SECItem *derSubject)
-{
-    certDBEntrySubject *entry;
-    int ret;
-    
-    entry = ReadDBSubjectEntry(handle, derSubject);
-
-    if ( entry == NULL ) {
-	return(SECFailure);
-    }
-
-    ret = entry->ncerts;
-    
-    DestroyDBEntry((certDBEntry *)entry);
-    
-    return(ret);
-}
-
-SECStatus
-nsslowcert_TraversePermCertsForNickname(NSSLOWCERTCertDBHandle *handle,
-		 	char *nickname, NSSLOWCERTCertCallback cb, void *cbarg)
-{
-    certDBEntryNickname *nnentry = NULL;
-    certDBEntrySMime *smentry = NULL;
-    SECStatus rv;
-    SECItem *derSubject = NULL;
-    
-    nnentry = ReadDBNicknameEntry(handle, nickname);
-    if ( nnentry ) {
-	derSubject = &nnentry->subjectName;
-    } else {
-	smentry = nsslowcert_ReadDBSMimeEntry(handle, nickname);
-	if ( smentry ) {
-	    derSubject = &smentry->subjectName;
-	}
-    }
-    
-    if ( derSubject ) {
-	rv = nsslowcert_TraversePermCertsForSubject(handle, derSubject,
-					      cb, cbarg);
-    } else {
-	rv = SECFailure;
-    }
-
-    if ( nnentry ) {
-	DestroyDBEntry((certDBEntry *)nnentry);
-    }
-    if ( smentry ) {
-	DestroyDBEntry((certDBEntry *)smentry);
-    }
-    
-    return(rv);
-}
-
-int
-nsslowcert_NumPermCertsForNickname(NSSLOWCERTCertDBHandle *handle, 
-								char *nickname)
-{
-    certDBEntryNickname *entry;
-    int ret;
-    
-    entry = ReadDBNicknameEntry(handle, nickname);
-    
-    if ( entry ) {
-	ret = nsslowcert_NumPermCertsForSubject(handle, &entry->subjectName);
-	DestroyDBEntry((certDBEntry *)entry);
-    } else {
-	ret = 0;
-    }
-    return(ret);
-}
-
-/*
- * add a nickname to a cert that doesn't have one
- */
-static SECStatus
-AddNicknameToPermCert(NSSLOWCERTCertDBHandle *dbhandle,
-				NSSLOWCERTCertificate *cert, char *nickname)
-{
-    certDBEntryCert *entry;
-    int rv;
-
-    entry = cert->dbEntry;
-    PORT_Assert(entry != NULL);
-    if ( entry == NULL ) {
-	goto loser;
-    }
-
-    pkcs11_freeNickname(entry->nickname,entry->nicknameSpace);
-    entry->nickname = NULL;
-    entry->nickname = pkcs11_copyNickname(nickname,entry->nicknameSpace,
-					sizeof(entry->nicknameSpace));
-
-    rv = WriteDBCertEntry(dbhandle, entry);
-    if ( rv ) {
-	goto loser;
-    }
-
-    pkcs11_freeNickname(cert->nickname,cert->nicknameSpace);
-    cert->nickname = NULL;
-    cert->nickname = pkcs11_copyNickname(nickname,cert->nicknameSpace,
-					sizeof(cert->nicknameSpace));
-
-    return(SECSuccess);
-    
-loser:
-    return(SECFailure);
-}
-
-/*
- * add a nickname to a cert that is already in the perm database, but doesn't
- * have one yet (it is probably an e-mail cert).
- */
-SECStatus
-nsslowcert_AddPermNickname(NSSLOWCERTCertDBHandle *dbhandle,
-				NSSLOWCERTCertificate *cert, char *nickname)
-{
-    SECStatus rv = SECFailure;
-    certDBEntrySubject *entry = NULL;
-    certDBEntryNickname *nicknameEntry = NULL;
-    
-    nsslowcert_LockDB(dbhandle);
-
-    entry = ReadDBSubjectEntry(dbhandle, &cert->derSubject);
-    if (entry == NULL) goto loser;
-
-    if ( entry->nickname == NULL ) {
-
-	/* no nickname for subject */
-	rv = AddNicknameToSubject(dbhandle, cert, nickname);
-	if ( rv != SECSuccess ) {
-	    goto loser;
-	}
-	rv = AddNicknameToPermCert(dbhandle, cert, nickname);
-	if ( rv != SECSuccess ) {
-	    goto loser;
-	}
-	nicknameEntry = NewDBNicknameEntry(nickname, &cert->derSubject, 0);
-	if ( nicknameEntry == NULL ) {
-	    goto loser;
-	}
-    
-	rv = WriteDBNicknameEntry(dbhandle, nicknameEntry);
-	if ( rv != SECSuccess ) {
-	    goto loser;
-	}
-    } else {
-	/* subject already has a nickname */
-	rv = AddNicknameToPermCert(dbhandle, cert, entry->nickname);
-	if ( rv != SECSuccess ) {
-	    goto loser;
-	}
-	/* make sure nickname entry exists. If the database was corrupted,
-	 * we may have lost the nickname entry. Add it back now  */
-	nicknameEntry = ReadDBNicknameEntry(dbhandle, entry->nickname);
-	if (nicknameEntry == NULL ) {
-	    nicknameEntry = NewDBNicknameEntry(entry->nickname, 
-							&cert->derSubject, 0);
-	    if ( nicknameEntry == NULL ) {
-		goto loser;
-	    }
-    
-	    rv = WriteDBNicknameEntry(dbhandle, nicknameEntry);
-	    if ( rv != SECSuccess ) {
-		goto loser;
-	    }
-	}
-    }
-    rv = SECSuccess;
-
-loser:
-    if (entry) {
-	DestroyDBEntry((certDBEntry *)entry);
-    }
-    if (nicknameEntry) {
-	DestroyDBEntry((certDBEntry *)nicknameEntry);
-    }
-    nsslowcert_UnlockDB(dbhandle);
-    return(rv);
-}
-
-static certDBEntryCert *
-AddCertToPermDB(NSSLOWCERTCertDBHandle *handle, NSSLOWCERTCertificate *cert,
-		char *nickname, NSSLOWCERTCertTrust *trust)
-{
-    certDBEntryCert *certEntry = NULL;
-    certDBEntryNickname *nicknameEntry = NULL;
-    certDBEntrySubject *subjectEntry = NULL;
-    int state = 0;
-    SECStatus rv;
-    PRBool donnentry = PR_FALSE;
-
-    if ( nickname ) {
-	donnentry = PR_TRUE;
-    }
-
-    subjectEntry = ReadDBSubjectEntry(handle, &cert->derSubject);
-	
-    if ( subjectEntry && subjectEntry->nickname ) {
-	donnentry = PR_FALSE;
-	nickname = subjectEntry->nickname;
-    }
-    
-    certEntry = NewDBCertEntry(&cert->derCert, nickname, trust, 0);
-    if ( certEntry == NULL ) {
-	goto loser;
-    }
-    
-    if ( donnentry ) {
-	nicknameEntry = NewDBNicknameEntry(nickname, &cert->derSubject, 0);
-	if ( nicknameEntry == NULL ) {
-	    goto loser;
-	}
-    }
-    
-    rv = WriteDBCertEntry(handle, certEntry);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    state = 1;
-    
-    if ( nicknameEntry ) {
-	rv = WriteDBNicknameEntry(handle, nicknameEntry);
-	if ( rv != SECSuccess ) {
-	    goto loser;
-	}
-    }
-    
-    state = 2;
-
-    /* "Change" handles if necessary */
-    if (cert->dbhandle) {
-	sftk_freeCertDB(cert->dbhandle);
-    }
-    cert->dbhandle = nsslowcert_reference(handle);
-    
-    /* add to or create new subject entry */
-    if ( subjectEntry ) {
-	/* REWRITE BASED ON SUBJECT ENTRY */
-	rv = AddPermSubjectNode(subjectEntry, cert, nickname);
-	if ( rv != SECSuccess ) {
-	    goto loser;
-	}
-    } else {
-	/* make a new subject entry - this case is only used when updating
-	 * an old version of the database.  This is OK because the oldnickname
-	 * db format didn't allow multiple certs with the same subject.
-	 */
-	/* where does subjectKeyID and certKey come from? */
-	subjectEntry = NewDBSubjectEntry(&cert->derSubject, &cert->certKey,
-					 &cert->subjectKeyID, nickname,
-					 NULL, 0);
-	if ( subjectEntry == NULL ) {
-	    goto loser;
-	}
-	rv = WriteDBSubjectEntry(handle, subjectEntry);
-	if ( rv != SECSuccess ) {
-	    goto loser;
-	}
-    }
-    
-    state = 3;
-    
-    if ( nicknameEntry ) {
-	DestroyDBEntry((certDBEntry *)nicknameEntry);
-    }
-    
-    if ( subjectEntry ) {
-	DestroyDBEntry((certDBEntry *)subjectEntry);
-    }
-
-    return(certEntry);
-
-loser:
-    /* don't leave partial entry in the database */
-    if ( state > 0 ) {
-	rv = DeleteDBCertEntry(handle, &cert->certKey);
-    }
-    if ( ( state > 1 ) && donnentry ) {
-	rv = DeleteDBNicknameEntry(handle, nickname);
-    }
-    if ( state > 2 ) {
-	rv = DeleteDBSubjectEntry(handle, &cert->derSubject);
-    }
-    if ( certEntry ) {
-	DestroyDBEntry((certDBEntry *)certEntry);
-    }
-    if ( nicknameEntry ) {
-	DestroyDBEntry((certDBEntry *)nicknameEntry);
-    }
-    if ( subjectEntry ) {
-	DestroyDBEntry((certDBEntry *)subjectEntry);
-    }
-
-    return(NULL);
-}
-
-/* forward declaration */
-static SECStatus
-UpdateV7DB(NSSLOWCERTCertDBHandle *handle, DB *updatedb);
-
-/*
- * version 8 uses the same schema as version 7. The only differences are
- * 1) version 8 db uses the blob shim to store data entries > 32k.
- * 2) version 8 db sets the db block size to 32k.
- * both of these are dealt with by the handle.
- */
-
-static SECStatus
-UpdateV8DB(NSSLOWCERTCertDBHandle *handle, DB *updatedb)
-{
-    return UpdateV7DB(handle,updatedb);
-}
-
-
-/*
- * we could just blindly sequence through reading key data pairs and writing
- * them back out, but some cert.db's have gotten quite large and may have some
- * subtle corruption problems, so instead we cycle through the certs and
- * CRL's and S/MIME profiles and rebuild our subject lists from those records.
- */
-static SECStatus
-UpdateV7DB(NSSLOWCERTCertDBHandle *handle, DB *updatedb)
-{
-    DBT key, data;
-    int ret;
-    NSSLOWCERTCertificate *cert;
-    PRBool isKRL = PR_FALSE;
-    certDBEntryType entryType;
-    SECItem dbEntry, dbKey;
-    certDBEntryRevocation crlEntry;
-    certDBEntryCert certEntry;
-    certDBEntrySMime smimeEntry;
-    SECStatus rv;
-
-    ret = (* updatedb->seq)(updatedb, &key, &data, R_FIRST);
-
-    if ( ret ) {
-	return(SECFailure);
-    }
-    
-    do {
-	unsigned char *dataBuf = (unsigned char *)data.data;
-	unsigned char *keyBuf = (unsigned char *)key.data;
-	dbEntry.data = &dataBuf[SEC_DB_ENTRY_HEADER_LEN];
-	dbEntry.len = data.size - SEC_DB_ENTRY_HEADER_LEN;
- 	entryType = (certDBEntryType) keyBuf[0];
-	dbKey.data = &keyBuf[SEC_DB_KEY_HEADER_LEN];
-	dbKey.len = key.size - SEC_DB_KEY_HEADER_LEN;
-	if ((dbEntry.len <= 0) || (dbKey.len <= 0)) {
-	    continue;
-	}
-
-	switch (entryType) {
-	/* these entries will get regenerated as we read the 
-	 * rest of the data from the database */
-	case certDBEntryTypeVersion:
-	case certDBEntryTypeSubject:
-	case certDBEntryTypeContentVersion:
-	case certDBEntryTypeNickname:
-	/* smime profiles need entries created after the certs have
-         * been imported, loop over them in a second run */
-	case certDBEntryTypeSMimeProfile:
-	    break;
-
-	case certDBEntryTypeCert:
-	    /* decode Entry */
-    	    certEntry.common.version = (unsigned int)dataBuf[0];
-	    certEntry.common.type = entryType;
-	    certEntry.common.flags = (unsigned int)dataBuf[2];
-	    rv = DecodeDBCertEntry(&certEntry,&dbEntry);
-	    if (rv != SECSuccess) {
-		break;
-	    }
-	    /* should we check for existing duplicates? */
-	    cert = nsslowcert_DecodeDERCertificate(&certEntry.derCert, 
-						certEntry.nickname);
-	    if (cert) {
-		nsslowcert_UpdatePermCert(handle, cert, certEntry.nickname,
-					 		&certEntry.trust);
-		nsslowcert_DestroyCertificate(cert);
-	    }
-	    /* free any data the decode may have allocated. */
-	    pkcs11_freeStaticData(certEntry.derCert.data, 
-						certEntry.derCertSpace);
-	    pkcs11_freeNickname(certEntry.nickname, certEntry.nicknameSpace);
-	    break;
-
-	case certDBEntryTypeKeyRevocation:
-	    isKRL = PR_TRUE;
-	    /* fall through */
-	case certDBEntryTypeRevocation:
-    	    crlEntry.common.version = (unsigned int)dataBuf[0];
-	    crlEntry.common.type = entryType;
-	    crlEntry.common.flags = (unsigned int)dataBuf[2];
-	    crlEntry.common.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-	    if (crlEntry.common.arena == NULL) {
-		break;
-	    }
-	    rv = DecodeDBCrlEntry(&crlEntry,&dbEntry);
-	    if (rv != SECSuccess) {
-		break;
-	    }
-	    nsslowcert_UpdateCrl(handle, &crlEntry.derCrl, &dbKey, 
-						crlEntry.url, isKRL);
-	    /* free data allocated by the decode */
-	    PORT_FreeArena(crlEntry.common.arena, PR_FALSE);
-	    crlEntry.common.arena = NULL;
-	    break;
-
-	default:
-	    break;
-	}
-    } while ( (* updatedb->seq)(updatedb, &key, &data, R_NEXT) == 0 );
-
-    /* now loop again updating just the SMimeProfile. */
-    ret = (* updatedb->seq)(updatedb, &key, &data, R_FIRST);
-
-    if ( ret ) {
-	return(SECFailure);
-    }
-    
-    do {
-	unsigned char *dataBuf = (unsigned char *)data.data;
-	unsigned char *keyBuf = (unsigned char *)key.data;
-	dbEntry.data = &dataBuf[SEC_DB_ENTRY_HEADER_LEN];
-	dbEntry.len = data.size - SEC_DB_ENTRY_HEADER_LEN;
- 	entryType = (certDBEntryType) keyBuf[0];
-	if (entryType != certDBEntryTypeSMimeProfile) {
-	    continue;
-	}
-	dbKey.data = &keyBuf[SEC_DB_KEY_HEADER_LEN];
-	dbKey.len = key.size - SEC_DB_KEY_HEADER_LEN;
-	if ((dbEntry.len <= 0) || (dbKey.len <= 0)) {
-	    continue;
-	}
-        smimeEntry.common.version = (unsigned int)dataBuf[0];
-	smimeEntry.common.type = entryType;
-	smimeEntry.common.flags = (unsigned int)dataBuf[2];
-	smimeEntry.common.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-	/* decode entry */
-	rv = DecodeDBSMimeEntry(&smimeEntry,&dbEntry,(char *)dbKey.data);
-	if (rv == SECSuccess) {
-	    nsslowcert_UpdateSMimeProfile(handle, smimeEntry.emailAddr,
-		&smimeEntry.subjectName, &smimeEntry.smimeOptions,
-						 &smimeEntry.optionsDate);
-	}
-	PORT_FreeArena(smimeEntry.common.arena, PR_FALSE);
-	smimeEntry.common.arena = NULL;
-    } while ( (* updatedb->seq)(updatedb, &key, &data, R_NEXT) == 0 );
-
-    (* updatedb->close)(updatedb);
-
-    /* a database update is a good time to go back and verify the integrity of
-     * the keys and certs */
-    handle->dbVerify = PR_TRUE; 
-    return(SECSuccess);
-}
-
-/*
- * NOTE - Version 6 DB did not go out to the real world in a release,
- * so we can remove this function in a later release.
- */
-static SECStatus
-UpdateV6DB(NSSLOWCERTCertDBHandle *handle, DB *updatedb)
-{
-    int ret;
-    DBT key, data;
-    unsigned char *buf, *tmpbuf = NULL;
-    certDBEntryType type;
-    certDBEntryNickname *nnEntry = NULL;
-    certDBEntrySubject *subjectEntry = NULL;
-    certDBEntrySMime *emailEntry = NULL;
-    char *nickname;
-    char *emailAddr;
-    SECStatus rv;
-    
-    /*
-     * Sequence through the old database and copy all of the entries
-     * to the new database.  Subject name entries will have the new
-     * fields inserted into them (with zero length).
-     */
-    ret = (* updatedb->seq)(updatedb, &key, &data, R_FIRST);
-    if ( ret ) {
-	return(SECFailure);
-    }
-
-    do {
-	buf = (unsigned char *)data.data;
-	
-	if ( data.size >= 3 ) {
-	    if ( buf[0] == 6 ) { /* version number */
-		type = (certDBEntryType)buf[1];
-		if ( type == certDBEntryTypeSubject ) {
-		    /* expando subjecto entrieo */
-		    tmpbuf = (unsigned char *)PORT_Alloc(data.size + 4);
-		    if ( tmpbuf ) {
-			/* copy header stuff */
-			PORT_Memcpy(tmpbuf, buf, SEC_DB_ENTRY_HEADER_LEN + 2);
-			/* insert 4 more bytes of zero'd header */
-			PORT_Memset(&tmpbuf[SEC_DB_ENTRY_HEADER_LEN + 2],
-				    0, 4);
-			/* copy rest of the data */
-			PORT_Memcpy(&tmpbuf[SEC_DB_ENTRY_HEADER_LEN + 6],
-				    &buf[SEC_DB_ENTRY_HEADER_LEN + 2],
-				    data.size - (SEC_DB_ENTRY_HEADER_LEN + 2));
-
-			data.data = (void *)tmpbuf;
-			data.size += 4;
-			buf = tmpbuf;
-		    }
-		} else if ( type == certDBEntryTypeCert ) {
-		    /* expando certo entrieo */
-		    tmpbuf = (unsigned char *)PORT_Alloc(data.size + 3);
-		    if ( tmpbuf ) {
-			/* copy header stuff */
-			PORT_Memcpy(tmpbuf, buf, SEC_DB_ENTRY_HEADER_LEN);
-
-			/* copy trust flage, setting msb's to 0 */
-			tmpbuf[SEC_DB_ENTRY_HEADER_LEN] = 0;
-			tmpbuf[SEC_DB_ENTRY_HEADER_LEN+1] =
-			    buf[SEC_DB_ENTRY_HEADER_LEN];
-			tmpbuf[SEC_DB_ENTRY_HEADER_LEN+2] = 0;
-			tmpbuf[SEC_DB_ENTRY_HEADER_LEN+3] =
-			    buf[SEC_DB_ENTRY_HEADER_LEN+1];
-			tmpbuf[SEC_DB_ENTRY_HEADER_LEN+4] = 0;
-			tmpbuf[SEC_DB_ENTRY_HEADER_LEN+5] =
-			    buf[SEC_DB_ENTRY_HEADER_LEN+2];
-			
-			/* copy rest of the data */
-			PORT_Memcpy(&tmpbuf[SEC_DB_ENTRY_HEADER_LEN + 6],
-				    &buf[SEC_DB_ENTRY_HEADER_LEN + 3],
-				    data.size - (SEC_DB_ENTRY_HEADER_LEN + 3));
-
-			data.data = (void *)tmpbuf;
-			data.size += 3;
-			buf = tmpbuf;
-		    }
-
-		}
-
-		/* update the record version number */
-		buf[0] = CERT_DB_FILE_VERSION;
-
-		/* copy to the new database */
-		ret = certdb_Put(handle->permCertDB, &key, &data, 0);
-		if ( tmpbuf ) {
-		    PORT_Free(tmpbuf);
-		    tmpbuf = NULL;
-		}
-	    }
-	}
-    } while ( (* updatedb->seq)(updatedb, &key, &data, R_NEXT) == 0 );
-
-    ret = certdb_Sync(handle->permCertDB, 0);
-
-    ret = (* updatedb->seq)(updatedb, &key, &data, R_FIRST);
-    if ( ret ) {
-	return(SECFailure);
-    }
-
-    do {
-	buf = (unsigned char *)data.data;
-	
-	if ( data.size >= 3 ) {
-	    if ( buf[0] == CERT_DB_FILE_VERSION ) { /* version number */
-		type = (certDBEntryType)buf[1];
-		if ( type == certDBEntryTypeNickname ) {
-		    nickname = &((char *)key.data)[1];
-
-		    /* get the matching nickname entry in the new DB */
-		    nnEntry = ReadDBNicknameEntry(handle, nickname);
-		    if ( nnEntry == NULL ) {
-			goto endloop;
-		    }
-		    
-		    /* find the subject entry pointed to by nickname */
-		    subjectEntry = ReadDBSubjectEntry(handle,
-						      &nnEntry->subjectName);
-		    if ( subjectEntry == NULL ) {
-			goto endloop;
-		    }
-		    
-		    subjectEntry->nickname =
-			(char *)PORT_ArenaAlloc(subjectEntry->common.arena,
-						key.size - 1);
-		    if ( subjectEntry->nickname ) {
-			PORT_Memcpy(subjectEntry->nickname, nickname,
-				    key.size - 1);
-			rv = WriteDBSubjectEntry(handle, subjectEntry);
-		    }
-		} else if ( type == certDBEntryTypeSMimeProfile ) {
-		    emailAddr = &((char *)key.data)[1];
-
-		    /* get the matching smime entry in the new DB */
-		    emailEntry = nsslowcert_ReadDBSMimeEntry(handle, emailAddr);
-		    if ( emailEntry == NULL ) {
-			goto endloop;
-		    }
-		    
-		    /* find the subject entry pointed to by nickname */
-		    subjectEntry = ReadDBSubjectEntry(handle,
-						      &emailEntry->subjectName);
-		    if ( subjectEntry == NULL ) {
-			goto endloop;
-		    }
-		    
-		    subjectEntry->emailAddrs = (char **)
-				PORT_ArenaAlloc(subjectEntry->common.arena,
-						sizeof(char *));
-		    if ( subjectEntry->emailAddrs ) {
-			subjectEntry->emailAddrs[0] =
-			     (char *)PORT_ArenaAlloc(subjectEntry->common.arena,
-						key.size - 1);
-			if ( subjectEntry->emailAddrs[0] ) {
-			    PORT_Memcpy(subjectEntry->emailAddrs[0], emailAddr,
-				    key.size - 1);
-			    subjectEntry->nemailAddrs = 1;
-			    rv = WriteDBSubjectEntry(handle, subjectEntry);
-			}
-		    }
-		}
-		
-endloop:
-		if ( subjectEntry ) {
-		    DestroyDBEntry((certDBEntry *)subjectEntry);
-		    subjectEntry = NULL;
-		}
-		if ( nnEntry ) {
-		    DestroyDBEntry((certDBEntry *)nnEntry);
-		    nnEntry = NULL;
-		}
-		if ( emailEntry ) {
-		    DestroyDBEntry((certDBEntry *)emailEntry);
-		    emailEntry = NULL;
-		}
-	    }
-	}
-    } while ( (* updatedb->seq)(updatedb, &key, &data, R_NEXT) == 0 );
-
-    ret = certdb_Sync(handle->permCertDB, 0);
-
-    (* updatedb->close)(updatedb);
-    return(SECSuccess);
-}
-
-
-static SECStatus
-updateV5Callback(NSSLOWCERTCertificate *cert, SECItem *k, void *pdata)
-{
-    NSSLOWCERTCertDBHandle *handle;
-    certDBEntryCert *entry;
-    NSSLOWCERTCertTrust *trust;
-    
-    handle = (NSSLOWCERTCertDBHandle *)pdata;
-    trust = &cert->dbEntry->trust;
-
-    /* SSL user certs can be used for email if they have an email addr */
-    if ( cert->emailAddr && ( trust->sslFlags & CERTDB_USER ) &&
-	( trust->emailFlags == 0 ) ) {
-	trust->emailFlags = CERTDB_USER;
-    }
-    /* servers didn't set the user flags on the server cert.. */
-    if (PORT_Strcmp(cert->dbEntry->nickname,"Server-Cert") == 0) {
-	trust->sslFlags |= CERTDB_USER;
-    }
-    
-    entry = AddCertToPermDB(handle, cert, cert->dbEntry->nickname,
-			    &cert->dbEntry->trust);
-    if ( entry ) {
-	DestroyDBEntry((certDBEntry *)entry);
-    }
-    
-    return(SECSuccess);
-}
-
-static SECStatus
-UpdateV5DB(NSSLOWCERTCertDBHandle *handle, DB *updatedb)
-{
-    NSSLOWCERTCertDBHandle updatehandle;
-    SECStatus rv;
-    
-    updatehandle.permCertDB = updatedb;
-    updatehandle.dbMon = PZ_NewMonitor(nssILockCertDB);
-    
-    rv = nsslowcert_TraversePermCerts(&updatehandle, updateV5Callback,
-			       (void *)handle);
-    
-    PZ_DestroyMonitor(updatehandle.dbMon);
-
-    (* updatedb->close)(updatedb);
-    return(SECSuccess);
-}
-
-static PRBool
-isV4DB(DB *db) {
-    DBT key,data;
-    int ret;
-
-    key.data = "Version";
-    key.size = 7;
-
-    ret = (*db->get)(db, &key, &data, 0);
-    if (ret) {
-	return PR_FALSE;
-    }
-
-    if ((data.size == 1) && (*(unsigned char *)data.data <= 4))  {
-	return PR_TRUE;
-    }
-
-    return PR_FALSE;
-}
-
-static SECStatus
-UpdateV4DB(NSSLOWCERTCertDBHandle *handle, DB *updatedb)
-{
-    DBT key, data;
-    certDBEntryCert *entry, *entry2;
-    int ret;
-    PRArenaPool *arena = NULL;
-    NSSLOWCERTCertificate *cert;
-
-    ret = (* updatedb->seq)(updatedb, &key, &data, R_FIRST);
-
-    if ( ret ) {
-	return(SECFailure);
-    }
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) {
-	return(SECFailure);
-    }
-    
-    do {
-	if ( data.size != 1 ) { /* skip version number */
-
-	    /* decode the old DB entry */
-	    entry = (certDBEntryCert *)
-		DecodeV4DBCertEntry((unsigned char*)data.data, data.size);
-	    
-	    if ( entry ) {
-		cert = nsslowcert_DecodeDERCertificate(&entry->derCert, 
-						 entry->nickname);
-
-		if ( cert != NULL ) {
-		    /* add to new database */
-		    entry2 = AddCertToPermDB(handle, cert, entry->nickname,
-					     &entry->trust);
-		    
-		    nsslowcert_DestroyCertificate(cert);
-		    if ( entry2 ) {
-			DestroyDBEntry((certDBEntry *)entry2);
-		    }
-		}
-		DestroyDBEntry((certDBEntry *)entry);
-	    }
-	}
-    } while ( (* updatedb->seq)(updatedb, &key, &data, R_NEXT) == 0 );
-
-    PORT_FreeArena(arena, PR_FALSE);
-    (* updatedb->close)(updatedb);
-    return(SECSuccess);
-}
-
-
-/*
- * return true if a database key conflict exists
- */
-PRBool
-nsslowcert_CertDBKeyConflict(SECItem *derCert, NSSLOWCERTCertDBHandle *handle)
-{
-    SECStatus rv;
-    DBT tmpdata;
-    DBT namekey;
-    int ret;
-    SECItem keyitem;
-    PRArenaPool *arena = NULL;
-    SECItem derKey;
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( arena == NULL ) {
-	goto loser;
-    }
-
-    /* get the db key of the cert */
-    rv = nsslowcert_KeyFromDERCert(arena, derCert, &derKey);
-    if ( rv != SECSuccess ) {
-        goto loser;
-    }
-
-    rv = EncodeDBCertKey(&derKey, arena, &keyitem);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    
-    namekey.data = keyitem.data;
-    namekey.size = keyitem.len;
-    
-    ret = certdb_Get(handle->permCertDB, &namekey, &tmpdata, 0);
-    if ( ret == 0 ) {
-	goto loser;
-    }
-
-    PORT_FreeArena(arena, PR_FALSE);
-    
-    return(PR_FALSE);
-loser:
-    if ( arena ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    
-    return(PR_TRUE);
-}
-
-/*
- * return true if a nickname conflict exists
- * NOTE: caller must have already made sure that this exact cert
- * doesn't exist in the DB
- */
-static PRBool
-nsslowcert_CertNicknameConflict(char *nickname, SECItem *derSubject,
-			 NSSLOWCERTCertDBHandle *handle)
-{
-    PRBool rv;
-    certDBEntryNickname *entry;
-    
-    if ( nickname == NULL ) {
-	return(PR_FALSE);
-    }
-    
-    entry = ReadDBNicknameEntry(handle, nickname);
-
-    if ( entry == NULL ) {
-	/* no entry for this nickname, so no conflict */
-	return(PR_FALSE);
-    }
-
-    rv = PR_TRUE;
-    if ( SECITEM_CompareItem(derSubject, &entry->subjectName) == SECEqual ) {
-	/* if subject names are the same, then no conflict */
-	rv = PR_FALSE;
-    }
-
-    DestroyDBEntry((certDBEntry *)entry);
-    return(rv);
-}
-
-#ifdef DBM_USING_NSPR
-#define NO_RDONLY	PR_RDONLY
-#define NO_RDWR		PR_RDWR
-#define NO_CREATE	(PR_RDWR | PR_CREATE_FILE | PR_TRUNCATE)
-#else
-#define NO_RDONLY	O_RDONLY
-#define NO_RDWR		O_RDWR
-#define NO_CREATE	(O_RDWR | O_CREAT | O_TRUNC)
-#endif
-
-/*
- * open an old database that needs to be updated
- */
-static DB *
-nsslowcert_openolddb(NSSLOWCERTDBNameFunc namecb, void *cbarg, int version)
-{
-    char * tmpname;
-    DB *updatedb = NULL;
-
-    tmpname = (* namecb)(cbarg, version);	/* get v6 db name */
-    if ( tmpname ) {
-	updatedb = dbopen( tmpname, NO_RDONLY, 0600, DB_HASH, 0 );
-	PORT_Free(tmpname);
-    }
-    return updatedb;
-}
-
-static SECStatus
-openNewCertDB(const char *appName, const char *prefix, const char *certdbname, 
-    NSSLOWCERTCertDBHandle *handle, NSSLOWCERTDBNameFunc namecb, void *cbarg)
-{
-    SECStatus rv;
-    certDBEntryVersion *versionEntry = NULL;
-    DB *updatedb = NULL;
-    int status = RDB_FAIL;
-
-    if (appName) {
-	handle->permCertDB=rdbopen( appName, prefix, "cert", NO_CREATE, &status);
-    } else {
-	handle->permCertDB=dbsopen(certdbname, NO_CREATE, 0600, DB_HASH, 0);
-    }
-
-    /* if create fails then we lose */
-    if ( handle->permCertDB == 0 ) {
-	return status == RDB_RETRY ? SECWouldBlock : SECFailure;
-    }
-
-    rv = db_BeginTransaction(handle->permCertDB);
-    if (rv != SECSuccess) {
-	db_InitComplete(handle->permCertDB);
-	return SECFailure;
-    }
-
-    /* Verify version number; */
-    versionEntry = NewDBVersionEntry(0);
-    if ( versionEntry == NULL ) {
-	rv = SECFailure;
-	goto loser;
-    }
-	
-    rv = WriteDBVersionEntry(handle, versionEntry);
-
-    DestroyDBEntry((certDBEntry *)versionEntry);
-
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    /* rv must already be Success here because of previous if statement */
-    /* try to upgrade old db here */
-    if (appName &&
-       (updatedb = dbsopen(certdbname, NO_RDONLY, 0600, DB_HASH, 0)) != NULL) {
-	rv = UpdateV8DB(handle, updatedb);
-    } else if ((updatedb = nsslowcert_openolddb(namecb,cbarg,7)) != NULL) {
-	rv = UpdateV7DB(handle, updatedb);
-    } else if ((updatedb = nsslowcert_openolddb(namecb,cbarg,6)) != NULL) {
-	rv = UpdateV6DB(handle, updatedb);
-    } else if ((updatedb = nsslowcert_openolddb(namecb,cbarg,5)) != NULL) {
-	rv = UpdateV5DB(handle, updatedb);
-    } else if ((updatedb = nsslowcert_openolddb(namecb,cbarg,4)) != NULL) {
-	/* NES has v5 format db's with v4 db names! */
-	if (isV4DB(updatedb)) {
-	    rv = UpdateV4DB(handle,updatedb);
-	} else {
-	    rv = UpdateV5DB(handle,updatedb);
-	}
-    }
-
-
-loser:
-    db_FinishTransaction(handle->permCertDB,rv != SECSuccess);
-    db_InitComplete(handle->permCertDB);
-    return rv;
-}
-
-static int
-nsslowcert_GetVersionNumber( NSSLOWCERTCertDBHandle *handle)
-{
-    certDBEntryVersion *versionEntry = NULL;
-    int version = 0;
-
-    versionEntry = ReadDBVersionEntry(handle); 
-    if ( versionEntry == NULL ) {
-	return 0;
-    }
-    version = versionEntry->common.version;
-    DestroyDBEntry((certDBEntry *)versionEntry);
-    return version;
-}
-
-/*
- * Open the certificate database and index databases.  Create them if
- * they are not there or bad.
- */
-static SECStatus
-nsslowcert_OpenPermCertDB(NSSLOWCERTCertDBHandle *handle, PRBool readOnly,
-		   		const char *appName, const char *prefix,
-				NSSLOWCERTDBNameFunc namecb, void *cbarg)
-{
-    SECStatus rv;
-    int openflags;
-    char *certdbname;
-    int version = 0;
-    
-    certdbname = (* namecb)(cbarg, CERT_DB_FILE_VERSION);
-    if ( certdbname == NULL ) {
-	return(SECFailure);
-    }
-
-    openflags = readOnly ? NO_RDONLY : NO_RDWR;
-
-    /*
-     * first open the permanent file based database.
-     */
-    if (appName) {
-	handle->permCertDB = rdbopen( appName, prefix, "cert", openflags, NULL);
-    } else {
-	handle->permCertDB = dbsopen( certdbname, openflags, 0600, DB_HASH, 0 );
-    }
-
-    /* check for correct version number */
-    if ( handle->permCertDB ) {
-	version = nsslowcert_GetVersionNumber(handle);
-	if ((version != CERT_DB_FILE_VERSION) &&
-		!(appName && version == CERT_DB_V7_FILE_VERSION)) {
-	    goto loser;
-	}
-    } else if ( readOnly ) {
-	/* don't create if readonly */
-	    /* Try openning a version 7 database */
-	    handle->permCertDB = nsslowcert_openolddb(namecb,cbarg, 7);
-	    if (!handle->permCertDB) {
-		goto loser;
-	    }
-	    if (nsslowcert_GetVersionNumber(handle) != 7) {
-		goto loser;
-	    }
-    } else {
-        /* if first open fails, try to create a new DB */
-	rv = openNewCertDB(appName,prefix,certdbname,handle,namecb,cbarg);
-	if (rv == SECWouldBlock) {
-	    /* only the rdb version can fail with wouldblock */
-	    handle->permCertDB = 
-			rdbopen( appName, prefix, "cert", openflags, NULL);
-
-	    /* check for correct version number */
-	    if ( !handle->permCertDB ) {
-		goto loser;
-	    }
-	    version = nsslowcert_GetVersionNumber(handle);
-	    if ((version != CERT_DB_FILE_VERSION) &&
-		!(appName && version == CERT_DB_V7_FILE_VERSION)) {
-		goto loser;
-	    }
-	} else if (rv != SECSuccess) {
-	    goto loser;
-	}
-    }
-
-    PORT_Free(certdbname);
-    
-    return (SECSuccess);
-    
-loser:
-
-    PORT_SetError(SEC_ERROR_BAD_DATABASE);
-    
-    if ( handle->permCertDB ) {
-	certdb_Close(handle->permCertDB);
-	handle->permCertDB = 0;
-    }
-
-    PORT_Free(certdbname);
-
-    return(SECFailure);
-}
-
-/*
- * delete all DB records associated with a particular certificate
- */
-static SECStatus
-DeletePermCert(NSSLOWCERTCertificate *cert)
-{
-    SECStatus rv;
-    SECStatus ret;
-
-    ret = SECSuccess;
-    
-    rv = DeleteDBCertEntry(cert->dbhandle, &cert->certKey);
-    if ( rv != SECSuccess ) {
-	ret = SECFailure;
-    }
-    
-    rv = RemovePermSubjectNode(cert);
-
-
-    return(ret);
-}
-
-/*
- * Delete a certificate from the permanent database.
- */
-SECStatus
-nsslowcert_DeletePermCertificate(NSSLOWCERTCertificate *cert)
-{
-    SECStatus rv;
-    
-    nsslowcert_LockDB(cert->dbhandle);
-
-    rv = db_BeginTransaction(cert->dbhandle->permCertDB);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    /* delete the records from the permanent database */
-    rv = DeletePermCert(cert);
-
-    /* get rid of dbcert and stuff pointing to it */
-    DestroyDBEntry((certDBEntry *)cert->dbEntry);
-    cert->dbEntry = NULL;
-    cert->trust = NULL;
-
-    db_FinishTransaction(cert->dbhandle->permCertDB,rv != SECSuccess);
-loser:
-	
-    nsslowcert_UnlockDB(cert->dbhandle);
-    return(rv);
-}
-
-/*
- * Traverse all of the entries in the database of a particular type
- * call the given function for each one.
- */
-SECStatus
-nsslowcert_TraverseDBEntries(NSSLOWCERTCertDBHandle *handle,
-		      certDBEntryType type,
-		      SECStatus (* callback)(SECItem *data, SECItem *key,
-					    certDBEntryType type, void *pdata),
-		      void *udata )
-{
-    DBT data;
-    DBT key;
-    SECStatus rv;
-    int ret;
-    SECItem dataitem;
-    SECItem keyitem;
-    unsigned char *buf;
-    unsigned char *keybuf;
-    
-    ret = certdb_Seq(handle->permCertDB, &key, &data, R_FIRST);
-
-    if ( ret ) {
-	return(SECFailure);
-    }
-    
-    do {
-	buf = (unsigned char *)data.data;
-	
-	if ( buf[1] == (unsigned char)type ) {
-	    dataitem.len = data.size;
-	    dataitem.data = buf;
-            dataitem.type = siBuffer;
-	    keyitem.len = key.size - SEC_DB_KEY_HEADER_LEN;
-	    keybuf = (unsigned char *)key.data;
-	    keyitem.data = &keybuf[SEC_DB_KEY_HEADER_LEN];
-            keyitem.type = siBuffer;
-	    
-	    rv = (* callback)(&dataitem, &keyitem, type, udata);
-	    if ( rv != SECSuccess ) {
-		return(rv);
-	    }
-	}
-    } while ( certdb_Seq(handle->permCertDB, &key, &data, R_NEXT) == 0 );
-
-    return(SECSuccess);
-}
-/*
- * Decode a certificate and enter it into the temporary certificate database.
- * Deal with nicknames correctly
- *
- * This is the private entry point.
- */
-static NSSLOWCERTCertificate *
-DecodeACert(NSSLOWCERTCertDBHandle *handle, certDBEntryCert *entry)
-{
-    NSSLOWCERTCertificate *cert = NULL;
-    
-    cert = nsslowcert_DecodeDERCertificate(&entry->derCert, entry->nickname );
-    
-    if ( cert == NULL ) {
-	goto loser;
-    }
-
-    cert->dbhandle = nsslowcert_reference(handle);
-    cert->dbEntry = entry;
-    cert->trust = &entry->trust;
-
-    return(cert);
-
-loser:
-    return(0);
-}
-
-static NSSLOWCERTTrust *
-CreateTrust(void)
-{
-    NSSLOWCERTTrust *trust = NULL;
-
-    nsslowcert_LockFreeList();
-    trust = trustListHead;
-    if (trust) {
-	trustListCount--;
-	trustListHead = trust->next;
-    }
-    PORT_Assert(trustListCount >= 0);
-    nsslowcert_UnlockFreeList();
-    if (trust) {
-	return trust;
-    }
-
-    return PORT_ZAlloc(sizeof(NSSLOWCERTTrust));
-}
-
-static void
-DestroyTrustFreeList(void)
-{
-    NSSLOWCERTTrust *trust;
-
-    nsslowcert_LockFreeList();
-    while (NULL != (trust = trustListHead)) {
-	trustListCount--;
-	trustListHead = trust->next;
-	PORT_Free(trust);
-    }
-    PORT_Assert(!trustListCount);
-    trustListCount = 0;
-    nsslowcert_UnlockFreeList();
-}
-
-static NSSLOWCERTTrust * 
-DecodeTrustEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryCert *entry, 
-                 SECItem *dbKey)
-{
-    NSSLOWCERTTrust *trust = CreateTrust();
-    if (trust == NULL) {
-	return trust;
-    }
-    trust->dbhandle = nsslowcert_reference(handle);
-    trust->dbEntry = entry;
-    trust->dbKey.data = pkcs11_copyStaticData(dbKey->data,dbKey->len,
-				trust->dbKeySpace, sizeof(trust->dbKeySpace));
-    if (!trust->dbKey.data) {
-	PORT_Free(trust);
-	return NULL;
-    }
-    trust->dbKey.len = dbKey->len;
- 
-    trust->trust = &entry->trust;
-    trust->derCert = &entry->derCert;
-
-    return(trust);
-}
-
-typedef struct {
-    PermCertCallback certfunc;
-    NSSLOWCERTCertDBHandle *handle;
-    void *data;
-} PermCertCallbackState;
-
-/*
- * traversal callback to decode certs and call callers callback
- */
-static SECStatus
-certcallback(SECItem *dbdata, SECItem *dbkey, certDBEntryType type, void *data)
-{
-    PermCertCallbackState *mystate;
-    SECStatus rv;
-    certDBEntryCert *entry;
-    SECItem entryitem;
-    NSSLOWCERTCertificate *cert;
-    PRArenaPool *arena = NULL;
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( arena == NULL ) {
-	goto loser;
-    }
-    
-    entry = (certDBEntryCert *)PORT_ArenaAlloc(arena, sizeof(certDBEntryCert));
-    mystate = (PermCertCallbackState *)data;
-    entry->common.version = (unsigned int)dbdata->data[0];
-    entry->common.type = (certDBEntryType)dbdata->data[1];
-    entry->common.flags = (unsigned int)dbdata->data[2];
-    entry->common.arena = arena;
-    
-    entryitem.len = dbdata->len - SEC_DB_ENTRY_HEADER_LEN;
-    entryitem.data = &dbdata->data[SEC_DB_ENTRY_HEADER_LEN];
-    
-    rv = DecodeDBCertEntry(entry, &entryitem);
-    if (rv != SECSuccess ) {
-	goto loser;
-    }
-    entry->derCert.type = siBuffer;
-   
-    /* note: Entry is 'inheritted'.  */
-    cert = DecodeACert(mystate->handle, entry);
-
-    rv = (* mystate->certfunc)(cert, dbkey, mystate->data);
-
-    /* arena stored in entry destroyed by nsslowcert_DestroyCertificate */
-    nsslowcert_DestroyCertificateNoLocking(cert);
-
-    return(rv);
-
-loser:
-    if ( arena ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    return(SECFailure);
-}
-
-/*
- * Traverse all of the certificates in the permanent database and
- * call the given function for each one; expect the caller to have lock.
- */
-static SECStatus
-TraversePermCertsNoLocking(NSSLOWCERTCertDBHandle *handle,
-			   SECStatus (* certfunc)(NSSLOWCERTCertificate *cert,
-						  SECItem *k,
-						  void *pdata),
-			   void *udata )
-{
-    SECStatus rv;
-    PermCertCallbackState mystate;
-
-    mystate.certfunc = certfunc;
-    mystate.handle = handle;
-    mystate.data = udata;
-    rv = nsslowcert_TraverseDBEntries(handle, certDBEntryTypeCert, certcallback,
-			       (void *)&mystate);
-    
-    return(rv);
-}
-
-/*
- * Traverse all of the certificates in the permanent database and
- * call the given function for each one.
- */
-SECStatus
-nsslowcert_TraversePermCerts(NSSLOWCERTCertDBHandle *handle,
-		      SECStatus (* certfunc)(NSSLOWCERTCertificate *cert, SECItem *k,
-					    void *pdata),
-		      void *udata )
-{
-    SECStatus rv;
-
-    nsslowcert_LockDB(handle);
-    rv = TraversePermCertsNoLocking(handle, certfunc, udata);
-    nsslowcert_UnlockDB(handle);
-    
-    return(rv);
-}
-
-
-
-/*
- * Close the database
- */
-void
-nsslowcert_ClosePermCertDB(NSSLOWCERTCertDBHandle *handle)
-{
-    if ( handle ) {
-	if ( handle->permCertDB ) {
-	    certdb_Close( handle->permCertDB );
-	    handle->permCertDB = NULL;
-	}
-	if (handle->dbMon) {
-    	    PZ_DestroyMonitor(handle->dbMon);
-	    handle->dbMon = NULL;
-	}
-    }
-    return;
-}
-
-/*
- * Get the trust attributes from a certificate
- */
-SECStatus
-nsslowcert_GetCertTrust(NSSLOWCERTCertificate *cert, NSSLOWCERTCertTrust *trust)
-{
-    SECStatus rv;
-    
-    nsslowcert_LockCertTrust(cert);
-    
-    if ( cert->trust == NULL ) {
-	rv = SECFailure;
-    } else {
-	*trust = *cert->trust;
-	rv = SECSuccess;
-    }
-    
-    nsslowcert_UnlockCertTrust(cert);
-    return(rv);
-}
-
-/*
- * Change the trust attributes of a certificate and make them permanent
- * in the database.
- */
-SECStatus
-nsslowcert_ChangeCertTrust(NSSLOWCERTCertDBHandle *handle, 
-	 	 	NSSLOWCERTCertificate *cert, NSSLOWCERTCertTrust *trust)
-{
-    certDBEntryCert *entry;
-    int rv;
-    SECStatus ret;
-    
-    nsslowcert_LockDB(handle);
-    nsslowcert_LockCertTrust(cert);
-    /* only set the trust on permanent certs */
-    if ( cert->trust == NULL ) {
-	ret = SECFailure;
-	goto done;
-    }
-
-    *cert->trust = *trust;
-    if ( cert->dbEntry == NULL ) {
-	ret = SECSuccess; /* not in permanent database */
-	goto done;
-    }
-    
-    entry = cert->dbEntry;
-    entry->trust = *trust;
-    
-    rv = WriteDBCertEntry(handle, entry);
-    if ( rv ) {
-	ret = SECFailure;
-	goto done;
-    }
-
-    ret = SECSuccess;
-    
-done:
-    nsslowcert_UnlockCertTrust(cert);
-    nsslowcert_UnlockDB(handle);
-    return(ret);
-}
-
-
-static SECStatus
-nsslowcert_UpdatePermCert(NSSLOWCERTCertDBHandle *dbhandle,
-    NSSLOWCERTCertificate *cert, char *nickname, NSSLOWCERTCertTrust *trust)
-{
-    char *oldnn;
-    certDBEntryCert *entry;
-    PRBool conflict;
-    SECStatus ret;
-
-    PORT_Assert(!cert->dbEntry);
-
-    /* don't add a conflicting nickname */
-    conflict = nsslowcert_CertNicknameConflict(nickname, &cert->derSubject,
-					dbhandle);
-    if ( conflict ) {
-	ret = SECFailure;
-	goto done;
-    }
-    
-    /* save old nickname so that we can delete it */
-    oldnn = cert->nickname;
-
-    entry = AddCertToPermDB(dbhandle, cert, nickname, trust);
-    
-    if ( entry == NULL ) {
-	ret = SECFailure;
-	goto done;
-    }
-
-    pkcs11_freeNickname(oldnn,cert->nicknameSpace);
-    
-    cert->nickname = (entry->nickname) ? pkcs11_copyNickname(entry->nickname,
-		cert->nicknameSpace, sizeof(cert->nicknameSpace)) : NULL;
-    cert->trust = &entry->trust;
-    cert->dbEntry = entry;
-    
-    ret = SECSuccess;
-done:
-    return(ret);
-}
-
-SECStatus
-nsslowcert_AddPermCert(NSSLOWCERTCertDBHandle *dbhandle,
-    NSSLOWCERTCertificate *cert, char *nickname, NSSLOWCERTCertTrust *trust)
-{
-    SECStatus ret;
-    SECStatus rv;
-
-    nsslowcert_LockDB(dbhandle);
-    rv = db_BeginTransaction(dbhandle->permCertDB);
-    if (rv != SECSuccess) {
-	nsslowcert_UnlockDB(dbhandle);
-	return SECFailure;
-    }
-
-    ret = nsslowcert_UpdatePermCert(dbhandle, cert, nickname, trust);
-    
-    db_FinishTransaction(dbhandle->permCertDB, ret != SECSuccess);
-    nsslowcert_UnlockDB(dbhandle);
-    return(ret);
-}
-
-/*
- * Open the certificate database and index databases.  Create them if
- * they are not there or bad.
- */
-SECStatus
-nsslowcert_OpenCertDB(NSSLOWCERTCertDBHandle *handle, PRBool readOnly,
-	        const char *appName, const char *prefix,
-		NSSLOWCERTDBNameFunc namecb, void *cbarg, PRBool openVolatile)
-{
-    int rv;
-
-    certdb_InitDBLock(handle);
-    
-    handle->dbMon = PZ_NewMonitor(nssILockCertDB);
-    PORT_Assert(handle->dbMon != NULL);
-    handle->dbVerify = PR_FALSE;
-
-    rv = nsslowcert_OpenPermCertDB(handle, readOnly, appName, prefix, 
-							namecb, cbarg);
-    if ( rv ) {
-	goto loser;
-    }
-
-    return (SECSuccess);
-    
-loser:
-
-    PORT_SetError(SEC_ERROR_BAD_DATABASE);
-    return(SECFailure);
-}
-
-PRBool
-nsslowcert_needDBVerify(NSSLOWCERTCertDBHandle *handle)
-{
-    if (!handle) return PR_FALSE;
-    return handle->dbVerify;
-}
-
-void
-nsslowcert_setDBVerify(NSSLOWCERTCertDBHandle *handle, PRBool value)
-{
-    handle->dbVerify = value;
-}
-
-
-/*
- * Lookup a certificate in the databases.
- */
-static NSSLOWCERTCertificate *
-FindCertByKey(NSSLOWCERTCertDBHandle *handle, SECItem *certKey, PRBool lockdb)
-{
-    NSSLOWCERTCertificate *cert = NULL;
-    certDBEntryCert *entry;
-    PRBool locked = PR_FALSE;
-    
-    if ( lockdb ) {
-	locked = PR_TRUE;
-	nsslowcert_LockDB(handle);
-    }
-	
-    /* find in perm database */
-    entry = ReadDBCertEntry(handle, certKey);
-	
-    if ( entry == NULL ) {
- 	goto loser;
-    }
-  
-    /* inherit entry */  
-    cert = DecodeACert(handle, entry);
-
-loser:
-    if (cert == NULL) {
-	if (entry) {
-	    DestroyDBEntry((certDBEntry *)entry);
-	}
-    }
-
-    if ( locked ) {
-	nsslowcert_UnlockDB(handle);
-    }
-    
-    return(cert);
-}
-
-/*
- * Lookup a certificate in the databases.
- */
-static NSSLOWCERTTrust *
-FindTrustByKey(NSSLOWCERTCertDBHandle *handle, SECItem *certKey, PRBool lockdb)
-{
-    NSSLOWCERTTrust *trust = NULL;
-    certDBEntryCert *entry;
-    PRBool locked = PR_FALSE;
-    
-    if ( lockdb ) {
-	locked = PR_TRUE;
-	nsslowcert_LockDB(handle);
-    }
-	
-    /* find in perm database */
-    entry = ReadDBCertEntry(handle, certKey);
-	
-    if ( entry == NULL ) {
- 	goto loser;
-    }
-
-    if (!nsslowcert_hasTrust(&entry->trust)) {
-	goto loser;
-    }
-  
-    /* inherit entry */  
-    trust = DecodeTrustEntry(handle, entry, certKey);
-
-loser:
-    if (trust == NULL) {
-	if (entry) {
-	    DestroyDBEntry((certDBEntry *)entry);
-	}
-    }
-
-    if ( locked ) {
-	nsslowcert_UnlockDB(handle);
-    }
-    
-    return(trust);
-}
-
-/*
- * Lookup a certificate in the databases without locking
- */
-NSSLOWCERTCertificate *
-nsslowcert_FindCertByKey(NSSLOWCERTCertDBHandle *handle, SECItem *certKey)
-{
-    return(FindCertByKey(handle, certKey, PR_FALSE));
-}
-
-/*
- * Lookup a trust object in the databases without locking
- */
-NSSLOWCERTTrust *
-nsslowcert_FindTrustByKey(NSSLOWCERTCertDBHandle *handle, SECItem *certKey)
-{
-    return(FindTrustByKey(handle, certKey, PR_FALSE));
-}
-
-/*
- * Generate a key from an issuerAndSerialNumber, and find the
- * associated cert in the database.
- */
-NSSLOWCERTCertificate *
-nsslowcert_FindCertByIssuerAndSN(NSSLOWCERTCertDBHandle *handle, NSSLOWCERTIssuerAndSN *issuerAndSN)
-{
-    SECItem certKey;
-    SECItem *sn = &issuerAndSN->serialNumber;
-    SECItem *issuer = &issuerAndSN->derIssuer;
-    NSSLOWCERTCertificate *cert;
-    int data_left = sn->len-1;
-    int data_len = sn->len;
-    int index = 0;
-
-    /* automatically detect DER encoded serial numbers and remove the der
-     * encoding since the database expects unencoded data. 
-     * if it's DER encoded, there must be at least 3 bytes, tag, len, data */
-    if ((sn->len >= 3) && (sn->data[0] == 0x2)) {
-	/* remove the der encoding of the serial number before generating the
-	 * key.. */
-	data_left = sn->len-2;
-	data_len = sn->data[1];
-	index = 2;
-
-	/* extended length ? (not very likely for a serial number) */
-	if (data_len & 0x80) {
-	    int len_count = data_len & 0x7f;
-
-	    data_len = 0;
-	    data_left -= len_count;
-	    if (data_left > 0) {
-		while (len_count --) {
-		    data_len = (data_len << 8) | sn->data[index++];
-		}
-	    } 
-	}
-	/* XXX leaving any leading zeros on the serial number for backwards
-	 * compatibility
-	 */
-	/* not a valid der, must be just an unlucky serial number value */
-	if (data_len != data_left) {
-	    data_len = sn->len;
-	    index = 0;
-	}
-    }
-
-    certKey.type = 0;
-    certKey.data = (unsigned char*)PORT_Alloc(sn->len + issuer->len);
-    certKey.len = data_len + issuer->len;
-    
-    if ( certKey.data == NULL ) {
-	return(0);
-    }
-
-    /* first try the serial number as hand-decoded above*/
-    /* copy the serialNumber */
-    PORT_Memcpy(certKey.data, &sn->data[index], data_len);
-
-    /* copy the issuer */
-    PORT_Memcpy( &certKey.data[data_len],issuer->data,issuer->len);
-
-    cert = nsslowcert_FindCertByKey(handle, &certKey);
-    if (cert) {
-	PORT_Free(certKey.data);
-	return (cert);
-    }
-
-    /* didn't find it, try by der encoded serial number */
-    /* copy the serialNumber */
-    PORT_Memcpy(certKey.data, sn->data, sn->len);
-
-    /* copy the issuer */
-    PORT_Memcpy( &certKey.data[sn->len], issuer->data, issuer->len);
-    certKey.len = sn->len + issuer->len;
-
-    cert = nsslowcert_FindCertByKey(handle, &certKey);
-    
-    PORT_Free(certKey.data);
-    
-    return(cert);
-}
-
-/*
- * Generate a key from an issuerAndSerialNumber, and find the
- * associated cert in the database.
- */
-NSSLOWCERTTrust *
-nsslowcert_FindTrustByIssuerAndSN(NSSLOWCERTCertDBHandle *handle, 
-					NSSLOWCERTIssuerAndSN *issuerAndSN)
-{
-    SECItem certKey;
-    SECItem *sn = &issuerAndSN->serialNumber;
-    SECItem *issuer = &issuerAndSN->derIssuer;
-    NSSLOWCERTTrust *trust;
-    unsigned char keyBuf[512];
-    int data_left = sn->len-1;
-    int data_len = sn->len;
-    int index = 0;
-    int len;
-
-    /* automatically detect DER encoded serial numbers and remove the der
-     * encoding since the database expects unencoded data. 
-     * if it's DER encoded, there must be at least 3 bytes, tag, len, data */
-    if ((sn->len >= 3) && (sn->data[0] == 0x2)) {
-	/* remove the der encoding of the serial number before generating the
-	 * key.. */
-	data_left = sn->len-2;
-	data_len = sn->data[1];
-	index = 2;
-
-	/* extended length ? (not very likely for a serial number) */
-	if (data_len & 0x80) {
-	    int len_count = data_len & 0x7f;
-
-	    data_len = 0;
-	    data_left -= len_count;
-	    if (data_left > 0) {
-		while (len_count --) {
-		    data_len = (data_len << 8) | sn->data[index++];
-		}
-	    } 
-	}
-	/* XXX leaving any leading zeros on the serial number for backwards
-	 * compatibility
-	 */
-	/* not a valid der, must be just an unlucky serial number value */
-	if (data_len != data_left) {
-	    data_len = sn->len;
-	    index = 0;
-	}
-    }
-
-    certKey.type = 0;
-    certKey.len = data_len + issuer->len;
-    len = sn->len + issuer->len;
-    if (len > sizeof (keyBuf)) {
-	certKey.data = (unsigned char*)PORT_Alloc(len);
-    } else {
-	certKey.data = keyBuf;
-    }
-    
-    if ( certKey.data == NULL ) {
-	return(0);
-    }
-
-    /* first try the serial number as hand-decoded above*/
-    /* copy the serialNumber */
-    PORT_Memcpy(certKey.data, &sn->data[index], data_len);
-
-    /* copy the issuer */
-    PORT_Memcpy( &certKey.data[data_len],issuer->data,issuer->len);
-
-    trust = nsslowcert_FindTrustByKey(handle, &certKey);
-    if (trust) {
-	pkcs11_freeStaticData(certKey.data, keyBuf);
-	return (trust);
-    }
-
-    if (index == 0) {
-	pkcs11_freeStaticData(certKey.data, keyBuf);
-	return NULL;
-    }
-
-    /* didn't find it, try by der encoded serial number */
-    /* copy the serialNumber */
-    PORT_Memcpy(certKey.data, sn->data, sn->len);
-
-    /* copy the issuer */
-    PORT_Memcpy( &certKey.data[sn->len], issuer->data, issuer->len);
-    certKey.len = sn->len + issuer->len;
-
-    trust = nsslowcert_FindTrustByKey(handle, &certKey);
-    
-    pkcs11_freeStaticData(certKey.data, keyBuf);
-    
-    return(trust);
-}
-
-/*
- * look for the given DER certificate in the database
- */
-NSSLOWCERTCertificate *
-nsslowcert_FindCertByDERCert(NSSLOWCERTCertDBHandle *handle, SECItem *derCert)
-{
-    PRArenaPool *arena;
-    SECItem certKey;
-    SECStatus rv;
-    NSSLOWCERTCertificate *cert = NULL;
-    
-    /* create a scratch arena */
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( arena == NULL ) {
-	return(NULL);
-    }
-    
-    /* extract the database key from the cert */
-    rv = nsslowcert_KeyFromDERCert(arena, derCert, &certKey);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-
-    /* find the certificate */
-    cert = nsslowcert_FindCertByKey(handle, &certKey);
-    
-loser:
-    PORT_FreeArena(arena, PR_FALSE);
-    return(cert);
-}
-
-static void
-DestroyCertificate(NSSLOWCERTCertificate *cert, PRBool lockdb)
-{
-    int refCount;
-    NSSLOWCERTCertDBHandle *handle;
-    
-    if ( cert ) {
-
-	handle = cert->dbhandle;
-
-	/*
-	 * handle may be NULL, for example if the cert was created with
-	 * nsslowcert_DecodeDERCertificate.
-	 */
-	if ( lockdb && handle ) {
-	    nsslowcert_LockDB(handle);
-	    /* keep a reference until we unlock, so handle won't disappear
-	     * before we are through with it */
-	    nsslowcert_reference(handle);
-	}
-
-        nsslowcert_LockCertRefCount(cert);
-	PORT_Assert(cert->referenceCount > 0);
-	refCount = --cert->referenceCount;
-        nsslowcert_UnlockCertRefCount(cert);
-
-	if ( ( refCount == 0 ) ) {
-	    certDBEntryCert *entry  = cert->dbEntry;
-
-	    if ( entry ) {
-		DestroyDBEntry((certDBEntry *)entry);
-            }
-
-	    pkcs11_freeNickname(cert->nickname,cert->nicknameSpace);
-	    pkcs11_freeStaticData(cert->certKey.data,cert->certKeySpace);
-	    cert->certKey.data = NULL;
-	    cert->nickname = NULL;
-
-	    /* zero cert before freeing. Any stale references to this cert
-	     * after this point will probably cause an exception.  */
-	    PORT_Memset(cert, 0, sizeof *cert);
-
-	    /* use reflock to protect the free list */
-	    nsslowcert_LockFreeList();
-	    if (certListCount > MAX_CERT_LIST_COUNT) {
-		PORT_Free(cert);
-	    } else {
-		certListCount++;
-		cert->next = certListHead;
-		certListHead = cert;
-	    }
-	    nsslowcert_UnlockFreeList();
-	    if (handle) {
-	        sftk_freeCertDB(handle);
-	    }
-		
-	    cert = NULL;
-        }
-	if ( lockdb && handle ) {
-	    nsslowcert_UnlockDB(handle);
-	    sftk_freeCertDB(handle);
-	}
-    }
-
-    return;
-}
-
-NSSLOWCERTCertificate *
-nsslowcert_CreateCert(void)
-{
-    NSSLOWCERTCertificate *cert;
-    nsslowcert_LockFreeList();
-    cert = certListHead;
-    if (cert) {
-	certListHead = cert->next;
-	certListCount--;
-    }
-    PORT_Assert(certListCount >= 0);
-    nsslowcert_UnlockFreeList();
-    if (cert) {
-	return cert;
-    }
-    return (NSSLOWCERTCertificate *) PORT_ZAlloc(sizeof(NSSLOWCERTCertificate));
-}
-
-static void
-DestroyCertFreeList(void)
-{
-    NSSLOWCERTCertificate *cert;
-
-    nsslowcert_LockFreeList();
-    while (NULL != (cert = certListHead)) {
-	certListCount--;
-	certListHead = cert->next;
-	PORT_Free(cert);
-    }
-    PORT_Assert(!certListCount);
-    certListCount = 0;
-    nsslowcert_UnlockFreeList();
-}
-
-void
-nsslowcert_DestroyTrust(NSSLOWCERTTrust *trust)
-{
-    certDBEntryCert *entry  = trust->dbEntry;
-
-    if ( entry ) {
-	DestroyDBEntry((certDBEntry *)entry);
-    }
-    pkcs11_freeStaticData(trust->dbKey.data,trust->dbKeySpace);
-    PORT_Memset(trust, 0, sizeof(*trust));
-
-    nsslowcert_LockFreeList();
-    if (trustListCount > MAX_TRUST_LIST_COUNT) {
-	PORT_Free(trust);
-    } else {
-	trustListCount++;
-	trust->next = trustListHead;
-	trustListHead = trust;
-    }
-    nsslowcert_UnlockFreeList();
-
-    return;
-}
-
-void
-nsslowcert_DestroyCertificate(NSSLOWCERTCertificate *cert)
-{
-    DestroyCertificate(cert, PR_TRUE);
-    return;
-}
-
-static void
-nsslowcert_DestroyCertificateNoLocking(NSSLOWCERTCertificate *cert)
-{
-    DestroyCertificate(cert, PR_FALSE);
-    return;
-}
-
-/*
- * Lookup a CRL in the databases. We mirror the same fast caching data base
- *  caching stuff used by certificates....?
- */
-certDBEntryRevocation *
-nsslowcert_FindCrlByKey(NSSLOWCERTCertDBHandle *handle, 
-						SECItem *crlKey, PRBool isKRL)
-{
-    SECItem keyitem;
-    DBT key;
-    SECStatus rv;
-    PRArenaPool *arena = NULL;
-    certDBEntryRevocation *entry = NULL;
-    certDBEntryType crlType = isKRL ? certDBEntryTypeKeyRevocation  
-					: certDBEntryTypeRevocation;
-    
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( arena == NULL ) {
-	goto loser;
-    }
-    
-    rv = EncodeDBGenericKey(crlKey, arena, &keyitem, crlType);
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    
-    key.data = keyitem.data;
-    key.size = keyitem.len;
-
-    /* find in perm database */
-    entry = ReadDBCrlEntry(handle, crlKey, crlType);
-	
-    if ( entry == NULL ) {
-	goto loser;
-    }
-
-loser:
-    if ( arena ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    
-    return entry;
-}
-
-/*
- * replace the existing URL in the data base with a new one
- */
-static SECStatus
-nsslowcert_UpdateCrl(NSSLOWCERTCertDBHandle *handle, SECItem *derCrl, 
-			SECItem *crlKey, char *url, PRBool isKRL)
-{
-    SECStatus rv = SECFailure;
-    certDBEntryRevocation *entry = NULL;
-    certDBEntryType crlType = isKRL ? certDBEntryTypeKeyRevocation  
-					: certDBEntryTypeRevocation;
-    DeleteDBCrlEntry(handle, crlKey, crlType);
-
-    /* Write the new entry into the data base */
-    entry = NewDBCrlEntry(derCrl, url, crlType, 0);
-    if (entry == NULL) goto done;
-
-    rv = WriteDBCrlEntry(handle, entry, crlKey);
-    if (rv != SECSuccess) goto done;
-
-done:
-    if (entry) {
-	DestroyDBEntry((certDBEntry *)entry);
-    }
-    return rv;
-}
-
-SECStatus
-nsslowcert_AddCrl(NSSLOWCERTCertDBHandle *handle, SECItem *derCrl, 
-			SECItem *crlKey, char *url, PRBool isKRL)
-{
-    SECStatus rv;
-
-    rv = db_BeginTransaction(handle->permCertDB);
-    if (rv != SECSuccess) {
-	return SECFailure;
-    }
-    rv = nsslowcert_UpdateCrl(handle, derCrl, crlKey, url, isKRL);
-
-    db_FinishTransaction(handle->permCertDB, rv != SECSuccess);
-    return rv;
-}
-
-SECStatus
-nsslowcert_DeletePermCRL(NSSLOWCERTCertDBHandle *handle, SECItem *derName,
-								 PRBool isKRL)
-{
-    SECStatus rv;
-    certDBEntryType crlType = isKRL ? certDBEntryTypeKeyRevocation  
-					: certDBEntryTypeRevocation;
-    rv = db_BeginTransaction(handle->permCertDB);
-    if (rv != SECSuccess) {
-	return SECFailure;
-    }
-    
-    rv = DeleteDBCrlEntry(handle, derName, crlType);
-    if (rv != SECSuccess) goto done;
-  
-done:
-    db_FinishTransaction(handle->permCertDB, rv != SECSuccess);
-    return rv;
-}
-
-
-PRBool
-nsslowcert_hasTrust(NSSLOWCERTCertTrust *trust)
-{
-    if (trust == NULL) {
-	return PR_FALSE;
-    }
-    return !((trust->sslFlags & CERTDB_TRUSTED_UNKNOWN) && 
-		(trust->emailFlags & CERTDB_TRUSTED_UNKNOWN) && 
-			(trust->objectSigningFlags & CERTDB_TRUSTED_UNKNOWN));
-}
-
-/*
- * This function has the logic that decides if another person's cert and
- * email profile from an S/MIME message should be saved.  It can deal with
- * the case when there is no profile.
- */
-static SECStatus
-nsslowcert_UpdateSMimeProfile(NSSLOWCERTCertDBHandle *dbhandle, 
-	char *emailAddr, SECItem *derSubject, SECItem *emailProfile, 
-							SECItem *profileTime)
-{
-    certDBEntrySMime *entry = NULL;
-    SECStatus rv = SECFailure;;
-
-
-    /* find our existing entry */
-    entry = nsslowcert_ReadDBSMimeEntry(dbhandle, emailAddr);
-
-    if ( entry ) {
-	/* keep our old db entry consistant for old applications. */
-	if (!SECITEM_ItemsAreEqual(derSubject, &entry->subjectName)) {
-	    nsslowcert_UpdateSubjectEmailAddr(dbhandle, &entry->subjectName, 
-				emailAddr, nsslowcert_remove);
-	} 
-	DestroyDBEntry((certDBEntry *)entry);
-	entry = NULL;
-    }
-
-    /* now save the entry */
-    entry = NewDBSMimeEntry(emailAddr, derSubject, emailProfile,
-				profileTime, 0);
-    if ( entry == NULL ) {
-	rv = SECFailure;
-	goto loser;
-    }
-
-    nsslowcert_LockDB(dbhandle);
-
-    rv = DeleteDBSMimeEntry(dbhandle, emailAddr);
-    /* if delete fails, try to write new entry anyway... */
-
-    /* link subject entry back here */
-    rv = nsslowcert_UpdateSubjectEmailAddr(dbhandle, derSubject, emailAddr,
-					nsslowcert_add);
-    if ( rv != SECSuccess ) {
-	    nsslowcert_UnlockDB(dbhandle);
-	    goto loser;
-    }
-	
-    rv = WriteDBSMimeEntry(dbhandle, entry);
-    if ( rv != SECSuccess ) {
-	    nsslowcert_UnlockDB(dbhandle);
-	    goto loser;
-    }
-
-    nsslowcert_UnlockDB(dbhandle);
-
-    rv = SECSuccess;
-    
-loser:
-    if ( entry ) {
-	DestroyDBEntry((certDBEntry *)entry);
-    }
-    return(rv);
-}
-
-SECStatus
-nsslowcert_SaveSMimeProfile(NSSLOWCERTCertDBHandle *dbhandle, char *emailAddr, 
-	SECItem *derSubject, SECItem *emailProfile, SECItem *profileTime)
-{
-    SECStatus rv = SECFailure;;
-
-    rv = db_BeginTransaction(dbhandle->permCertDB);
-    if (rv != SECSuccess) {
-	return SECFailure;
-    }
-
-    rv = nsslowcert_UpdateSMimeProfile(dbhandle, emailAddr, 
-	 derSubject, emailProfile, profileTime);
-    
-    db_FinishTransaction(dbhandle->permCertDB, rv != SECSuccess);
-    return(rv);
-}
-
-/* If the freeListLock doesn't exist when this function is called,
-** this function will create it, use it 3 times, and delete it.
-*/
-void
-nsslowcert_DestroyFreeLists(void)
-{
-    DestroyCertEntryFreeList();
-    DestroyTrustFreeList();
-    DestroyCertFreeList();
-    PZ_DestroyLock(freeListLock);
-    freeListLock = NULL;
-}
-
-void
-nsslowcert_DestroyGlobalLocks(void)
-{
-    if (dbLock) {
-	PZ_DestroyLock(dbLock);
-	dbLock = NULL;
-    }
-    if (certRefCountLock) {
-	PZ_DestroyLock(certRefCountLock);
-	certRefCountLock = NULL;
-    }
-    if (certTrustLock) {
-	PZ_DestroyLock(certTrustLock);
-	certTrustLock = NULL;
-    }
-}
-
diff --git a/security/nss/lib/softoken/pcertt.h b/security/nss/lib/softoken/pcertt.h
deleted file mode 100644
index e805950e1..000000000
--- a/security/nss/lib/softoken/pcertt.h
+++ /dev/null
@@ -1,446 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * certt.h - public data structures for the certificate library
- *
- * $Id$
- */
-#ifndef _PCERTT_H_
-#define _PCERTT_H_
-
-#include "prclist.h"
-#include "pkcs11t.h"
-#include "seccomon.h"
-#include "secoidt.h"
-#include "plarena.h"
-#include "prcvar.h"
-#include "nssilock.h"
-#include "prio.h"
-#include "prmon.h"
-
-/* Non-opaque objects */
-typedef struct NSSLOWCERTCertDBHandleStr               NSSLOWCERTCertDBHandle;
-typedef struct NSSLOWCERTCertKeyStr                    NSSLOWCERTCertKey;
-
-typedef struct NSSLOWCERTTrustStr                      NSSLOWCERTTrust;
-typedef struct NSSLOWCERTCertTrustStr                  NSSLOWCERTCertTrust;
-typedef struct NSSLOWCERTCertificateStr                NSSLOWCERTCertificate;
-typedef struct NSSLOWCERTCertificateListStr            NSSLOWCERTCertificateList;
-typedef struct NSSLOWCERTIssuerAndSNStr                NSSLOWCERTIssuerAndSN;
-typedef struct NSSLOWCERTSignedDataStr                 NSSLOWCERTSignedData;
-typedef struct NSSLOWCERTSubjectPublicKeyInfoStr       NSSLOWCERTSubjectPublicKeyInfo;
-typedef struct NSSLOWCERTValidityStr                   NSSLOWCERTValidity;
-
-/*
-** An X.509 validity object
-*/
-struct NSSLOWCERTValidityStr {
-    PRArenaPool *arena;
-    SECItem notBefore;
-    SECItem notAfter;
-};
-
-/*
- * A serial number and issuer name, which is used as a database key
- */
-struct NSSLOWCERTCertKeyStr {
-    SECItem serialNumber;
-    SECItem derIssuer;
-};
-
-/*
-** A signed data object. Used to implement the "signed" macro used
-** in the X.500 specs.
-*/
-struct NSSLOWCERTSignedDataStr {
-    SECItem data;
-    SECAlgorithmID signatureAlgorithm;
-    SECItem signature;
-};
-
-/*
-** An X.509 subject-public-key-info object
-*/
-struct NSSLOWCERTSubjectPublicKeyInfoStr {
-    PRArenaPool *arena;
-    SECAlgorithmID algorithm;
-    SECItem subjectPublicKey;
-};
-
-typedef struct _certDBEntryCert certDBEntryCert;
-typedef struct _certDBEntryRevocation certDBEntryRevocation;
-
-struct NSSLOWCERTCertTrustStr {
-    unsigned int sslFlags;
-    unsigned int emailFlags;
-    unsigned int objectSigningFlags;
-};
-
-/*
-** PKCS11 Trust representation
-*/
-struct NSSLOWCERTTrustStr {
-    NSSLOWCERTTrust *next;
-    NSSLOWCERTCertDBHandle *dbhandle;
-    SECItem dbKey;			/* database key for this cert */
-    certDBEntryCert *dbEntry;		/* database entry struct */
-    NSSLOWCERTCertTrust *trust;
-    SECItem *derCert;			/* original DER for the cert */
-    unsigned char dbKeySpace[512];
-};
-
-/*
-** An X.509 certificate object (the unsigned form)
-*/
-struct NSSLOWCERTCertificateStr {
-    /* the arena is used to allocate any data structures that have the same
-     * lifetime as the cert.  This is all stuff that hangs off of the cert
-     * structure, and is all freed at the same time.  I is used when the
-     * cert is decoded, destroyed, and at some times when it changes
-     * state
-     */
-    NSSLOWCERTCertificate *next;
-    NSSLOWCERTCertDBHandle *dbhandle;
-
-    SECItem derCert;			/* original DER for the cert */
-    SECItem derIssuer;			/* DER for issuer name */
-    SECItem derSN;
-    SECItem serialNumber;
-    SECItem derSubject;			/* DER for subject name */
-    SECItem derSubjKeyInfo;
-    NSSLOWCERTSubjectPublicKeyInfo *subjectPublicKeyInfo;
-    SECItem certKey;			/* database key for this cert */
-    SECItem validity;
-    certDBEntryCert *dbEntry;		/* database entry struct */
-    SECItem subjectKeyID;	/* x509v3 subject key identifier */
-    char *nickname;
-    char *emailAddr;
-    NSSLOWCERTCertTrust *trust;
-
-    /* the reference count is modified whenever someone looks up, dups
-     * or destroys a certificate
-     */
-    int referenceCount;
-
-    char nicknameSpace[200];
-    unsigned char certKeySpace[512];
-};
-
-#define SEC_CERTIFICATE_VERSION_1		0	/* default created */
-#define SEC_CERTIFICATE_VERSION_2		1	/* v2 */
-#define SEC_CERTIFICATE_VERSION_3		2	/* v3 extensions */
-
-#define SEC_CRL_VERSION_1		0	/* default */
-#define SEC_CRL_VERSION_2		1	/* v2 extensions */
-
-struct NSSLOWCERTIssuerAndSNStr {
-    SECItem derIssuer;
-    SECItem serialNumber;
-};
-
-typedef SECStatus (* NSSLOWCERTCertCallback)(NSSLOWCERTCertificate *cert, void *arg);
-
-/* This is the typedef for the callback passed to nsslowcert_OpenCertDB() */
-/* callback to return database name based on version number */
-typedef char * (*NSSLOWCERTDBNameFunc)(void *arg, int dbVersion);
-
-/* XXX Lisa thinks the template declarations belong in cert.h, not here? */
-
-#include "secasn1t.h"	/* way down here because I expect template stuff to
-			 * move out of here anyway */
-
-/*
- * Certificate Database related definitions and data structures
- */
-
-/* version number of certificate database */
-#define CERT_DB_FILE_VERSION		8
-#define CERT_DB_V7_FILE_VERSION		7
-#define CERT_DB_CONTENT_VERSION		2
-
-#define SEC_DB_ENTRY_HEADER_LEN		3
-#define SEC_DB_KEY_HEADER_LEN		1
-
-/* All database entries have this form:
- * 	
- *	byte offset	field
- *	-----------	-----
- *	0		version
- *	1		type
- *	2		flags
- */
-
-/* database entry types */
-typedef enum {
-    certDBEntryTypeVersion = 0,
-    certDBEntryTypeCert = 1,
-    certDBEntryTypeNickname = 2,
-    certDBEntryTypeSubject = 3,
-    certDBEntryTypeRevocation = 4,
-    certDBEntryTypeKeyRevocation = 5,
-    certDBEntryTypeSMimeProfile = 6,
-    certDBEntryTypeContentVersion = 7,
-    certDBEntryTypeBlob = 8
-} certDBEntryType;
-
-typedef struct {
-    certDBEntryType type;
-    unsigned int version;
-    unsigned int flags;
-    PRArenaPool *arena;
-} certDBEntryCommon;
-
-/*
- * Certificate entry:
- *
- *	byte offset	field
- *	-----------	-----
- *	0		sslFlags-msb
- *	1		sslFlags-lsb
- *	2		emailFlags-msb
- *	3		emailFlags-lsb
- *	4		objectSigningFlags-msb
- *	5		objectSigningFlags-lsb
- *	6		derCert-len-msb
- *	7		derCert-len-lsb
- *	8		nickname-len-msb
- *	9		nickname-len-lsb
- *	...		derCert
- *	...		nickname
- *
- * NOTE: the nickname string as stored in the database is null terminated,
- *		in other words, the last byte of the db entry is always 0
- *		if a nickname is present.
- * NOTE: if nickname is not present, then nickname-len-msb and
- *		nickname-len-lsb will both be zero.
- */
-struct _certDBEntryCert {
-    certDBEntryCommon common;
-    certDBEntryCert *next;
-    NSSLOWCERTCertTrust trust;
-    SECItem derCert;
-    char *nickname;
-    char nicknameSpace[200];
-    unsigned char derCertSpace[2048];
-};
-
-/*
- * Certificate Nickname entry:
- *
- *	byte offset	field
- *	-----------	-----
- *	0		subjectname-len-msb
- *	1	        subjectname-len-lsb
- *	2...		subjectname
- *
- * The database key for this type of entry is a nickname string
- * The "subjectname" value is the DER encoded DN of the identity
- *   that matches this nickname.
- */
-typedef struct {
-    certDBEntryCommon common;
-    char *nickname;
-    SECItem subjectName;
-} certDBEntryNickname;
-
-#define DB_NICKNAME_ENTRY_HEADER_LEN 2
-
-/*
- * Certificate Subject entry:
- *
- *	byte offset	field
- *	-----------	-----
- *	0		ncerts-msb
- *	1		ncerts-lsb
- *	2		nickname-msb
- *	3		nickname-lsb
- *	4		emailAddr-msb
- *	5		emailAddr-lsb
- *	...		nickname
- *	...		emailAddr
- *	...+2*i		certkey-len-msb
- *	...+1+2*i       certkey-len-lsb
- *	...+2*ncerts+2*i keyid-len-msb
- *	...+1+2*ncerts+2*i keyid-len-lsb
- *	...		certkeys
- *	...		keyids
- *
- * The database key for this type of entry is the DER encoded subject name
- * The "certkey" value is an array of  certificate database lookup keys that
- *   points to the database entries for the certificates that matche
- *   this subject.
- *
- */
-typedef struct _certDBEntrySubject {
-    certDBEntryCommon common;
-    SECItem derSubject;
-    unsigned int ncerts;
-    char *nickname;
-    SECItem *certKeys;
-    SECItem *keyIDs;
-    char **emailAddrs;
-    unsigned int nemailAddrs;
-} certDBEntrySubject;
-
-#define DB_SUBJECT_ENTRY_HEADER_LEN 6
-
-/*
- * Certificate SMIME profile entry:
- *
- *	byte offset	field
- *	-----------	-----
- *	0		subjectname-len-msb
- *	1	        subjectname-len-lsb
- *	2		smimeoptions-len-msb
- *	3		smimeoptions-len-lsb
- *	4		options-date-len-msb
- *	5		options-date-len-lsb
- *	6...		subjectname
- *	...		smimeoptions
- *	...		options-date
- *
- * The database key for this type of entry is the email address string
- * The "subjectname" value is the DER encoded DN of the identity
- *   that matches this nickname.
- * The "smimeoptions" value is a string that represents the algorithm
- *   capabilities on the remote user.
- * The "options-date" is the date that the smime options value was created.
- *   This is generally the signing time of the signed message that contained
- *   the options.  It is a UTCTime value.
- */
-typedef struct {
-    certDBEntryCommon common;
-    char *emailAddr;
-    SECItem subjectName;
-    SECItem smimeOptions;
-    SECItem optionsDate;
-} certDBEntrySMime;
-
-#define DB_SMIME_ENTRY_HEADER_LEN 6
-
-/*
- * Crl/krl entry:
- *
- *	byte offset	field
- *	-----------	-----
- *	0		derCert-len-msb
- *	1		derCert-len-lsb
- *	2		url-len-msb
- *	3		url-len-lsb
- *	...		derCert
- *	...		url
- *
- * NOTE: the url string as stored in the database is null terminated,
- *		in other words, the last byte of the db entry is always 0
- *		if a nickname is present. 
- * NOTE: if url is not present, then url-len-msb and
- *		url-len-lsb will both be zero.
- */
-#define DB_CRL_ENTRY_HEADER_LEN	4
-struct _certDBEntryRevocation {
-    certDBEntryCommon common;
-    SECItem	derCrl;
-    char	*url;	/* where to load the crl from */
-};
-
-/*
- * Database Version Entry:
- *
- *	byte offset	field
- *	-----------	-----
- *	only the low level header...
- *
- * The database key for this type of entry is the string "Version"
- */
-typedef struct {
-    certDBEntryCommon common;
-} certDBEntryVersion;
-
-#define SEC_DB_VERSION_KEY "Version"
-#define SEC_DB_VERSION_KEY_LEN sizeof(SEC_DB_VERSION_KEY)
-
-/*
- * Database Content Version Entry:
- *
- *	byte offset	field
- *	-----------	-----
- *	0		contentVersion
- *
- * The database key for this type of entry is the string "ContentVersion"
- */
-typedef struct {
-    certDBEntryCommon common;
-    char contentVersion;
-} certDBEntryContentVersion;
-
-#define SEC_DB_CONTENT_VERSION_KEY "ContentVersion"
-#define SEC_DB_CONTENT_VERSION_KEY_LEN sizeof(SEC_DB_CONTENT_VERSION_KEY)
-
-typedef union {
-    certDBEntryCommon common;
-    certDBEntryVersion version;
-    certDBEntryCert cert;
-    certDBEntryNickname nickname;
-    certDBEntrySubject subject;
-    certDBEntryRevocation revocation;
-} certDBEntry;
-
-/* length of the fixed part of a database entry */
-#define DBCERT_V4_HEADER_LEN	7
-#define DB_CERT_V5_ENTRY_HEADER_LEN	7
-#define DB_CERT_V6_ENTRY_HEADER_LEN	7
-#define DB_CERT_ENTRY_HEADER_LEN	10
-
-/* common flags for all types of certificates */
-#define CERTDB_VALID_PEER	(1<<0)
-#define CERTDB_TRUSTED		(1<<1)
-#define CERTDB_SEND_WARN	(1<<2)
-#define CERTDB_VALID_CA		(1<<3)
-#define CERTDB_TRUSTED_CA	(1<<4) /* trusted for issuing server certs */
-#define CERTDB_NS_TRUSTED_CA	(1<<5)
-#define CERTDB_USER		(1<<6)
-#define CERTDB_TRUSTED_CLIENT_CA (1<<7) /* trusted for issuing client certs */
-#define CERTDB_INVISIBLE_CA	(1<<8) /* don't show in UI */
-#define CERTDB_GOVT_APPROVED_CA	(1<<9) /* can do strong crypto in export ver */
-#define CERTDB_NOT_TRUSTED	(1<<10) /* explicitly don't trust this cert */
-#define CERTDB_TRUSTED_UNKNOWN	(1<<11) /* accept trust from another source */
-
-/* bits not affected by the CKO_NETSCAPE_TRUST object */
-#define CERTDB_PRESERVE_TRUST_BITS (CERTDB_USER | CERTDB_VALID_PEER | \
-        CERTDB_NS_TRUSTED_CA | CERTDB_VALID_CA | CERTDB_INVISIBLE_CA | \
-                                        CERTDB_GOVT_APPROVED_CA)
-
-#endif /* _PCERTT_H_ */
diff --git a/security/nss/lib/softoken/pk11db.c b/security/nss/lib/softoken/pk11db.c
deleted file mode 100644
index c60e87780..000000000
--- a/security/nss/lib/softoken/pk11db.c
+++ /dev/null
@@ -1,1019 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* 
- *  The following code handles the storage of PKCS 11 modules used by the
- * NSS. This file is written to abstract away how the modules are
- * stored so we can deside that later.
- */
-
-#include "pk11pars.h"
-#include "pkcs11i.h"
-#include "mcom_db.h"
-#include "cdbhdl.h"
-#include "secerr.h"
-
-#define FREE_CLEAR(p) if (p) { PORT_Free(p); p = NULL; }
-
-static void
-secmod_parseTokenFlags(char *tmp, sftk_token_parameters *parsed) { 
-    parsed->readOnly = secmod_argHasFlag("flags","readOnly",tmp);
-    parsed->noCertDB = secmod_argHasFlag("flags","noCertDB",tmp);
-    parsed->noKeyDB = secmod_argHasFlag("flags","noKeyDB",tmp);
-    parsed->forceOpen = secmod_argHasFlag("flags","forceOpen",tmp);
-    parsed->pwRequired = secmod_argHasFlag("flags","passwordRequired",tmp);
-    parsed->optimizeSpace = secmod_argHasFlag("flags","optimizeSpace",tmp);
-    return;
-}
-
-static void
-secmod_parseFlags(char *tmp, sftk_parameters *parsed) { 
-    parsed->noModDB = secmod_argHasFlag("flags","noModDB",tmp);
-    parsed->readOnly = secmod_argHasFlag("flags","readOnly",tmp);
-    /* keep legacy interface working */
-    parsed->noCertDB = secmod_argHasFlag("flags","noCertDB",tmp);
-    parsed->forceOpen = secmod_argHasFlag("flags","forceOpen",tmp);
-    parsed->pwRequired = secmod_argHasFlag("flags","passwordRequired",tmp);
-    parsed->optimizeSpace = secmod_argHasFlag("flags","optimizeSpace",tmp);
-    return;
-}
-
-CK_RV
-secmod_parseTokenParameters(char *param, sftk_token_parameters *parsed) 
-{
-    int next;
-    char *tmp;
-    char *index;
-    index = secmod_argStrip(param);
-
-    while (*index) {
-	SECMOD_HANDLE_STRING_ARG(index,parsed->configdir,"configDir=",;)
-	SECMOD_HANDLE_STRING_ARG(index,parsed->certPrefix,"certPrefix=",;)
-	SECMOD_HANDLE_STRING_ARG(index,parsed->keyPrefix,"keyPrefix=",;)
-	SECMOD_HANDLE_STRING_ARG(index,parsed->tokdes,"tokenDescription=",;)
-	SECMOD_HANDLE_STRING_ARG(index,parsed->slotdes,"slotDescription=",;)
-	SECMOD_HANDLE_STRING_ARG(index,tmp,"minPWLen=", 
-			if(tmp) { parsed->minPW=atoi(tmp); PORT_Free(tmp); })
-	SECMOD_HANDLE_STRING_ARG(index,tmp,"flags=", 
-	   if(tmp) { secmod_parseTokenFlags(param,parsed); PORT_Free(tmp); })
-	SECMOD_HANDLE_FINAL_ARG(index)
-   }
-   return CKR_OK;
-}
-
-static void
-secmod_parseTokens(char *tokenParams, sftk_parameters *parsed)
-{
-    char *tokenIndex;
-    sftk_token_parameters *tokens = NULL;
-    int i=0,count = 0,next;
-
-    if ((tokenParams == NULL) || (*tokenParams == 0))  return;
-
-    /* first count the number of slots */
-    for (tokenIndex = secmod_argStrip(tokenParams); *tokenIndex;
-	 tokenIndex = secmod_argStrip(secmod_argSkipParameter(tokenIndex))) {
-	count++;
-    }
-
-    /* get the data structures */
-    tokens = (sftk_token_parameters *) 
-			PORT_ZAlloc(count*sizeof(sftk_token_parameters));
-    if (tokens == NULL) return;
-
-    for (tokenIndex = secmod_argStrip(tokenParams), i = 0;
-					*tokenIndex && i < count ; i++ ) {
-	char *name;
-	name = secmod_argGetName(tokenIndex,&next);
-	tokenIndex += next;
-
-	tokens[i].slotID = secmod_argDecodeNumber(name);
-        tokens[i].readOnly = PR_FALSE;
-	tokens[i].noCertDB = PR_FALSE;
-	tokens[i].noKeyDB = PR_FALSE;
-	if (!secmod_argIsBlank(*tokenIndex)) {
-	    char *args = secmod_argFetchValue(tokenIndex,&next);
-	    tokenIndex += next;
-	    if (args) {
-		secmod_parseTokenParameters(args,&tokens[i]);
-		PORT_Free(args);
-	    }
-	}
-	if (name) PORT_Free(name);
-	tokenIndex = secmod_argStrip(tokenIndex);
-    }
-    parsed->token_count = i;
-    parsed->tokens = tokens;
-    return; 
-}
-
-CK_RV
-secmod_parseParameters(char *param, sftk_parameters *parsed, PRBool isFIPS) 
-{
-    int next;
-    char *tmp;
-    char *index;
-    char *certPrefix = NULL, *keyPrefix = NULL;
-    char *tokdes = NULL, *ptokdes = NULL;
-    char *slotdes = NULL, *pslotdes = NULL;
-    char *fslotdes = NULL, *fpslotdes = NULL;
-    char *minPW = NULL;
-    index = secmod_argStrip(param);
-
-    PORT_Memset(parsed, 0, sizeof(sftk_parameters));
-
-    while (*index) {
-	SECMOD_HANDLE_STRING_ARG(index,parsed->configdir,"configDir=",;)
-	SECMOD_HANDLE_STRING_ARG(index,parsed->secmodName,"secmod=",;)
-	SECMOD_HANDLE_STRING_ARG(index,parsed->man,"manufacturerID=",;)
-	SECMOD_HANDLE_STRING_ARG(index,parsed->libdes,"libraryDescription=",;)
-	/* constructed values, used so legacy interfaces still work */
-	SECMOD_HANDLE_STRING_ARG(index,certPrefix,"certPrefix=",;)
-        SECMOD_HANDLE_STRING_ARG(index,keyPrefix,"keyPrefix=",;)
-        SECMOD_HANDLE_STRING_ARG(index,tokdes,"cryptoTokenDescription=",;)
-        SECMOD_HANDLE_STRING_ARG(index,ptokdes,"dbTokenDescription=",;)
-        SECMOD_HANDLE_STRING_ARG(index,slotdes,"cryptoSlotDescription=",;)
-        SECMOD_HANDLE_STRING_ARG(index,pslotdes,"dbSlotDescription=",;)
-        SECMOD_HANDLE_STRING_ARG(index,fslotdes,"FIPSSlotDescription=",;)
-        SECMOD_HANDLE_STRING_ARG(index,fpslotdes,"FIPSTokenDescription=",;)
-	SECMOD_HANDLE_STRING_ARG(index,minPW,"minPWLen=",;)
-
-	SECMOD_HANDLE_STRING_ARG(index,tmp,"flags=", 
-		if(tmp) { secmod_parseFlags(param,parsed); PORT_Free(tmp); })
-	SECMOD_HANDLE_STRING_ARG(index,tmp,"tokens=", 
-		if(tmp) { secmod_parseTokens(tmp,parsed); PORT_Free(tmp); })
-	SECMOD_HANDLE_FINAL_ARG(index)
-    }
-    if (parsed->tokens == NULL) {
-	int  count = isFIPS ? 1 : 2;
-	int  index = count-1;
-	sftk_token_parameters *tokens = NULL;
-
-	tokens = (sftk_token_parameters *) 
-			PORT_ZAlloc(count*sizeof(sftk_token_parameters));
-	if (tokens == NULL) {
-	    goto loser;
-	}
-	parsed->tokens = tokens;
-    	parsed->token_count = count;
-	tokens[index].slotID = isFIPS ? FIPS_SLOT_ID : PRIVATE_KEY_SLOT_ID;
-	tokens[index].certPrefix = certPrefix;
-	tokens[index].keyPrefix = keyPrefix;
-	tokens[index].minPW = minPW ? atoi(minPW) : 0;
-	tokens[index].readOnly = parsed->readOnly;
-	tokens[index].noCertDB = parsed->noCertDB;
-	tokens[index].noKeyDB = parsed->noCertDB;
-	tokens[index].forceOpen = parsed->forceOpen;
-	tokens[index].pwRequired = parsed->pwRequired;
-	tokens[index].optimizeSpace = parsed->optimizeSpace;
-	tokens[0].optimizeSpace = parsed->optimizeSpace;
-	certPrefix = NULL;
-	keyPrefix = NULL;
-	if (isFIPS) {
-	    tokens[index].tokdes = fslotdes;
-	    tokens[index].slotdes = fpslotdes;
-	    fslotdes = NULL;
-	    fpslotdes = NULL;
-	} else {
-	    tokens[index].tokdes = ptokdes;
-	    tokens[index].slotdes = pslotdes;
-	    tokens[0].slotID = NETSCAPE_SLOT_ID;
-	    tokens[0].tokdes = tokdes;
-	    tokens[0].slotdes = slotdes;
-	    tokens[0].noCertDB = PR_TRUE;
-	    tokens[0].noKeyDB = PR_TRUE;
-	    ptokdes = NULL;
-	    pslotdes = NULL;
-	    tokdes = NULL;
-	    slotdes = NULL;
-	}
-    }
-
-loser:
-    FREE_CLEAR(certPrefix);
-    FREE_CLEAR(keyPrefix);
-    FREE_CLEAR(tokdes);
-    FREE_CLEAR(ptokdes);
-    FREE_CLEAR(slotdes);
-    FREE_CLEAR(pslotdes);
-    FREE_CLEAR(fslotdes);
-    FREE_CLEAR(fpslotdes);
-    FREE_CLEAR(minPW);
-    return CKR_OK;
-}
-
-void
-secmod_freeParams(sftk_parameters *params)
-{
-    int i;
-
-    for (i=0; i < params->token_count; i++) {
-	FREE_CLEAR(params->tokens[i].configdir);
-	FREE_CLEAR(params->tokens[i].certPrefix);
-	FREE_CLEAR(params->tokens[i].keyPrefix);
-	FREE_CLEAR(params->tokens[i].tokdes);
-	FREE_CLEAR(params->tokens[i].slotdes);
-    }
-
-    FREE_CLEAR(params->configdir);
-    FREE_CLEAR(params->secmodName);
-    FREE_CLEAR(params->man);
-    FREE_CLEAR(params->libdes); 
-    FREE_CLEAR(params->tokens);
-}
-
-
-char *
-secmod_getSecmodName(char *param, char **appName, char **filename,PRBool *rw)
-{
-    int next;
-    char *configdir = NULL;
-    char *secmodName = NULL;
-    char *value = NULL;
-    char *save_params = param;
-    const char *lconfigdir;
-    param = secmod_argStrip(param);
-	
-
-    while (*param) {
-	SECMOD_HANDLE_STRING_ARG(param,configdir,"configDir=",;)
-	SECMOD_HANDLE_STRING_ARG(param,secmodName,"secmod=",;)
-	SECMOD_HANDLE_FINAL_ARG(param)
-   }
-
-   *rw = PR_TRUE;
-   if (secmod_argHasFlag("flags","readOnly",save_params) ||
-	secmod_argHasFlag("flags","noModDB",save_params)) *rw = PR_FALSE;
-
-   if (!secmodName || *secmodName == '\0') {
-	if (secmodName) PORT_Free(secmodName);
-	secmodName = PORT_Strdup(SECMOD_DB);
-   }
-   *filename = secmodName;
-
-   lconfigdir = sftk_EvaluateConfigDir(configdir, appName);
-
-   if (lconfigdir) {
-	value = PR_smprintf("%s" PATH_SEPARATOR "%s",lconfigdir,secmodName);
-   } else {
-	value = PR_smprintf("%s",secmodName);
-   }
-   if (configdir) PORT_Free(configdir);
-   return value;
-}
-
-/* Construct a database key for a given module */
-static SECStatus secmod_MakeKey(DBT *key, char * module) {
-    int len = 0;
-    char *commonName;
-
-    commonName = secmod_argGetParamValue("name",module);
-    if (commonName == NULL) {
-	commonName = secmod_argGetParamValue("library",module);
-    }
-    if (commonName == NULL) return SECFailure;
-    len = PORT_Strlen(commonName);
-    key->data = commonName;
-    key->size = len;
-    return SECSuccess;
-}
-
-/* free out constructed database key */
-static void 
-secmod_FreeKey(DBT *key) 
-{
-    if (key->data) {
-	PORT_Free(key->data);
-    }
-    key->data = NULL;
-    key->size = 0;
-}
-
-typedef struct secmodDataStr secmodData;
-typedef struct secmodSlotDataStr secmodSlotData;
-struct secmodDataStr {
-    unsigned char major;
-    unsigned char minor;
-    unsigned char nameStart[2];
-    unsigned char slotOffset[2];
-    unsigned char internal;
-    unsigned char fips;
-    unsigned char ssl[8];
-    unsigned char trustOrder[4];
-    unsigned char cipherOrder[4];
-    unsigned char reserved1;
-    unsigned char isModuleDB;
-    unsigned char isModuleDBOnly;
-    unsigned char isCritical;
-    unsigned char reserved[4];
-    unsigned char names[6];	/* enough space for the length fields */
-};
-
-struct secmodSlotDataStr {
-    unsigned char slotID[4];
-    unsigned char defaultFlags[4];
-    unsigned char timeout[4];
-    unsigned char askpw;
-    unsigned char hasRootCerts;
-    unsigned char reserved[18]; /* this makes it a round 32 bytes */
-};
-
-#define SECMOD_DB_VERSION_MAJOR 0
-#define SECMOD_DB_VERSION_MINOR 6
-#define SECMOD_DB_EXT1_VERSION_MAJOR 0
-#define SECMOD_DB_EXT1_VERSION_MINOR 6
-#define SECMOD_DB_NOUI_VERSION_MAJOR 0
-#define SECMOD_DB_NOUI_VERSION_MINOR 4
-
-#define SECMOD_PUTSHORT(dest,src) \
-	(dest)[1] = (unsigned char) ((src)&0xff); \
-	(dest)[0] = (unsigned char) (((src) >> 8) & 0xff);
-#define SECMOD_PUTLONG(dest,src) \
-	(dest)[3] = (unsigned char) ((src)&0xff); \
-	(dest)[2] = (unsigned char) (((src) >> 8) & 0xff); \
-	(dest)[1] = (unsigned char) (((src) >> 16) & 0xff); \
-	(dest)[0] = (unsigned char) (((src) >> 24) & 0xff);
-#define SECMOD_GETSHORT(src) \
-	((unsigned short) (((src)[0] << 8) | (src)[1]))
-#define SECMOD_GETLONG(src) \
-	((unsigned long) (( (unsigned long) (src)[0] << 24) | \
-			( (unsigned long) (src)[1] << 16)  | \
-			( (unsigned long) (src)[2] << 8) | \
-			(unsigned long) (src)[3]))
-
-/*
- * build a data base entry from a module 
- */
-static SECStatus 
-secmod_EncodeData(DBT *data, char * module) 
-{
-    secmodData *encoded = NULL;
-    secmodSlotData *slot;
-    unsigned char *dataPtr;
-    unsigned short len, len2 = 0, len3 = 0;
-    int count = 0;
-    unsigned short offset;
-    int dataLen, i;
-    unsigned long order;
-    unsigned long  ssl[2];
-    char *commonName = NULL , *dllName = NULL, *param = NULL, *nss = NULL;
-    char *slotParams, *ciphers;
-    PK11PreSlotInfo *slotInfo = NULL;
-    SECStatus rv = SECFailure;
-
-    rv = secmod_argParseModuleSpec(module,&dllName,&commonName,&param,&nss);
-    if (rv != SECSuccess) return rv;
-    rv = SECFailure;
-
-    if (commonName == NULL) {
-	/* set error */
-	goto loser;
-    }
-
-    len = PORT_Strlen(commonName);
-    if (dllName) {
-    	len2 = PORT_Strlen(dllName);
-    }
-    if (param) {
-	len3 = PORT_Strlen(param);
-    }
-
-    slotParams = secmod_argGetParamValue("slotParams",nss); 
-    slotInfo = secmod_argParseSlotInfo(NULL,slotParams,&count);
-    if (slotParams) PORT_Free(slotParams);
-
-    if (count && slotInfo == NULL) {
-	/* set error */
-	goto loser;
-    }
-
-    dataLen = sizeof(secmodData) + len + len2 + len3 + sizeof(unsigned short) +
-				 count*sizeof(secmodSlotData);
-
-    data->data = (unsigned char *) PORT_ZAlloc(dataLen);
-    encoded = (secmodData *)data->data;
-    dataPtr = (unsigned char *) data->data;
-    data->size = dataLen;
-
-    if (encoded == NULL) {
-	/* set error */
-	goto loser;
-    }
-
-    encoded->major = SECMOD_DB_VERSION_MAJOR;
-    encoded->minor = SECMOD_DB_VERSION_MINOR;
-    encoded->internal = (unsigned char) 
-			(secmod_argHasFlag("flags","internal",nss) ? 1 : 0);
-    encoded->fips = (unsigned char) 
-			(secmod_argHasFlag("flags","FIPS",nss) ? 1 : 0);
-    encoded->isModuleDB = (unsigned char) 
-			(secmod_argHasFlag("flags","isModuleDB",nss) ? 1 : 0);
-    encoded->isModuleDBOnly = (unsigned char) 
-		    (secmod_argHasFlag("flags","isModuleDBOnly",nss) ? 1 : 0);
-    encoded->isCritical = (unsigned char) 
-			(secmod_argHasFlag("flags","critical",nss) ? 1 : 0);
-
-    order = secmod_argReadLong("trustOrder", nss, SECMOD_DEFAULT_TRUST_ORDER, 
-                               NULL);
-    SECMOD_PUTLONG(encoded->trustOrder,order);
-    order = secmod_argReadLong("cipherOrder", nss, SECMOD_DEFAULT_CIPHER_ORDER, 
-                               NULL);
-    SECMOD_PUTLONG(encoded->cipherOrder,order);
-
-   
-    ciphers = secmod_argGetParamValue("ciphers",nss); 
-    secmod_argSetNewCipherFlags(&ssl[0], ciphers);
-    SECMOD_PUTLONG(encoded->ssl,ssl[0]);
-    SECMOD_PUTLONG(&encoded->ssl[4],ssl[1]);
-    if (ciphers) PORT_Free(ciphers);
-
-    offset = (unsigned short) &(((secmodData *)0)->names[0]);
-    SECMOD_PUTSHORT(encoded->nameStart,offset);
-    offset = offset + len + len2 + len3 + 3*sizeof(unsigned short);
-    SECMOD_PUTSHORT(encoded->slotOffset,offset);
-
-
-    SECMOD_PUTSHORT(&dataPtr[offset],((unsigned short)count));
-    slot = (secmodSlotData *)(dataPtr+offset+sizeof(unsigned short));
-
-    offset = 0;
-    SECMOD_PUTSHORT(encoded->names,len);
-    offset += sizeof(unsigned short);
-    PORT_Memcpy(&encoded->names[offset],commonName,len);
-    offset += len;
-
-
-    SECMOD_PUTSHORT(&encoded->names[offset],len2);
-    offset += sizeof(unsigned short);
-    if (len2) PORT_Memcpy(&encoded->names[offset],dllName,len2);
-    offset += len2;
-
-    SECMOD_PUTSHORT(&encoded->names[offset],len3);
-    offset += sizeof(unsigned short);
-    if (len3) PORT_Memcpy(&encoded->names[offset],param,len3);
-    offset += len3;
-
-    if (count) {
-	for (i=0; i < count; i++) {
-	    SECMOD_PUTLONG(slot[i].slotID, slotInfo[i].slotID);
-	    SECMOD_PUTLONG(slot[i].defaultFlags,
-					slotInfo[i].defaultFlags);
-	    SECMOD_PUTLONG(slot[i].timeout,slotInfo[i].timeout);
-	    slot[i].askpw = slotInfo[i].askpw;
-	    slot[i].hasRootCerts = slotInfo[i].hasRootCerts;
-	    PORT_Memset(slot[i].reserved, 0, sizeof(slot[i].reserved));
-	}
-    }
-    rv = SECSuccess;
-
-loser:
-    if (commonName) PORT_Free(commonName);
-    if (dllName) PORT_Free(dllName);
-    if (param) PORT_Free(param);
-    if (slotInfo) PORT_Free(slotInfo);
-    if (nss) PORT_Free(nss);
-    return rv;
-
-}
-
-static void 
-secmod_FreeData(DBT *data)
-{
-    if (data->data) {
-	PORT_Free(data->data);
-    }
-}
-
-static void
-secmod_FreeSlotStrings(char **slotStrings, int count)
-{
-    int i;
-
-    for (i=0; i < count; i++) {
-	if (slotStrings[i]) {
-	    PR_smprintf_free(slotStrings[i]);
-	    slotStrings[i] = NULL;
-	}
-    }
-}
-
-/*
- * build a module from the data base entry.
- */
-static char *
-secmod_DecodeData(char *defParams, DBT *data, PRBool *retInternal)
-{
-    secmodData *encoded;
-    secmodSlotData *slots;
-    PLArenaPool *arena;
-    char *commonName 		= NULL;
-    char *dllName    		= NULL;
-    char *parameters 		= NULL;
-    char *nss;
-    char *moduleSpec;
-    char **slotStrings 		= NULL;
-    unsigned char *names;
-    unsigned long slotCount;
-    unsigned long ssl0		=0;
-    unsigned long ssl1		=0;
-    unsigned long slotID;
-    unsigned long defaultFlags;
-    unsigned long timeout;
-    unsigned long trustOrder	=SECMOD_DEFAULT_TRUST_ORDER;
-    unsigned long cipherOrder	=SECMOD_DEFAULT_CIPHER_ORDER;
-    unsigned short len;
-    unsigned short namesOffset  = 0;	/* start of the names block */
-    unsigned long namesRunningOffset;	/* offset to name we are 
-					 * currently processing */
-    unsigned short slotOffset;
-    PRBool isOldVersion  	= PR_FALSE;
-    PRBool internal;
-    PRBool isFIPS;
-    PRBool isModuleDB    	=PR_FALSE;
-    PRBool isModuleDBOnly	=PR_FALSE;
-    PRBool extended      	=PR_FALSE;
-    int i;
-
-
-    arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
-    if (arena == NULL) 
-    	return NULL;
-
-#define CHECK_SIZE(x) \
-    if ((unsigned int) data->size < (unsigned int)(x)) goto db_loser
-
-    /* -------------------------------------------------------------
-    ** Process the buffer header, which is the secmodData struct. 
-    ** It may be an old or new version.  Check the length for each. 
-    */
-
-    CHECK_SIZE( offsetof(secmodData, trustOrder[0]) );
-
-    encoded = (secmodData *)data->data;
-
-    internal = (encoded->internal != 0) ? PR_TRUE: PR_FALSE;
-    isFIPS   = (encoded->fips     != 0) ? PR_TRUE: PR_FALSE;
-
-    if (retInternal)
-	*retInternal = internal;
-    if (internal) {
-	parameters = PORT_ArenaStrdup(arena,defParams);
-	if (parameters == NULL) 
-	    goto loser;
-    }
-    if (internal && (encoded->major == SECMOD_DB_NOUI_VERSION_MAJOR) &&
- 	(encoded->minor <= SECMOD_DB_NOUI_VERSION_MINOR)) {
-	isOldVersion = PR_TRUE;
-    }
-    if ((encoded->major == SECMOD_DB_EXT1_VERSION_MAJOR) &&
-	(encoded->minor >= SECMOD_DB_EXT1_VERSION_MINOR)) {
-	CHECK_SIZE( sizeof(secmodData));
-	trustOrder     = SECMOD_GETLONG(encoded->trustOrder);
-	cipherOrder    = SECMOD_GETLONG(encoded->cipherOrder);
-	isModuleDB     = (encoded->isModuleDB != 0) ? PR_TRUE: PR_FALSE;
-	isModuleDBOnly = (encoded->isModuleDBOnly != 0) ? PR_TRUE: PR_FALSE;
-	extended       = PR_TRUE;
-    } 
-    if (internal && !extended) {
-	trustOrder = 0;
-	cipherOrder = 100;
-    }
-    /* decode SSL cipher enable flags */
-    ssl0 = SECMOD_GETLONG(encoded->ssl);
-    ssl1 = SECMOD_GETLONG(encoded->ssl + 4);
-
-    slotOffset  = SECMOD_GETSHORT(encoded->slotOffset);
-    namesOffset = SECMOD_GETSHORT(encoded->nameStart);
-
-
-    /*--------------------------------------------------------------
-    ** Now process the variable length set of names.                
-    ** The names have this structure:
-    ** struct {
-    **     BYTE  commonNameLen[ 2 ];
-    **     BYTE  commonName   [ commonNameLen ];
-    **     BTTE  libNameLen   [ 2 ];
-    **     BYTE  libName      [ libNameLen ];
-    ** If it is "extended" it also has these members:
-    **     BYTE  initStringLen[ 2 ];
-    **     BYTE  initString   [ initStringLen ];
-    ** }
-    */
-
-    namesRunningOffset = namesOffset;
-    /* copy the module's common name */
-    CHECK_SIZE( namesRunningOffset + 2);
-    names = (unsigned char *)data->data;
-    len   = SECMOD_GETSHORT(names+namesRunningOffset);
-
-    CHECK_SIZE( namesRunningOffset + 2 + len);
-    commonName = (char*)PORT_ArenaAlloc(arena,len+1);
-    if (commonName == NULL) 
-	goto loser;
-    PORT_Memcpy(commonName, names + namesRunningOffset + 2, len);
-    commonName[len] = 0;
-    namesRunningOffset += len + 2;
-
-    /* copy the module's shared library file name. */
-    CHECK_SIZE( namesRunningOffset + 2);
-    len = SECMOD_GETSHORT(names + namesRunningOffset);
-    if (len) {
-	CHECK_SIZE( namesRunningOffset + 2 + len);
-	dllName = (char*)PORT_ArenaAlloc(arena,len + 1);
-	if (dllName == NULL) 
-	    goto loser;
-	PORT_Memcpy(dllName, names + namesRunningOffset + 2, len);
-	dllName[len] = 0;
-    }
-    namesRunningOffset += len + 2;
-
-    /* copy the module's initialization string, if present. */
-    if (!internal && extended) {
-	CHECK_SIZE( namesRunningOffset + 2);
-	len = SECMOD_GETSHORT(names+namesRunningOffset);
-	if (len) {
-	    CHECK_SIZE( namesRunningOffset + 2 + len );
-	    parameters = (char*)PORT_ArenaAlloc(arena,len + 1);
-	    if (parameters == NULL) 
-		goto loser;
-	    PORT_Memcpy(parameters,names + namesRunningOffset + 2, len);
-	    parameters[len] = 0;
-	}
-	namesRunningOffset += len + 2;
-    }
-
-    /* 
-     * Consistency check: Make sure the slot and names blocks don't
-     * overlap. These blocks can occur in any order, so this check is made 
-     * in 2 parts. First we check the case where the slot block starts 
-     * after the name block. Later, when we have the slot block length,
-     * we check the case where slot block starts before the name block.
-     * NOTE: in most cases any overlap will likely be detected by invalid 
-     * data read from the blocks, but it's better to find out sooner 
-     * than later.
-     */
-    if (slotOffset >= namesOffset) { /* slot block starts after name block */
-	if (slotOffset < namesRunningOffset) {
-	    goto db_loser;
-	}
-    }
-
-    /* ------------------------------------------------------------------
-    ** Part 3, process the slot table.
-    ** This part has this structure:
-    ** struct {
-    **     BYTE slotCount [ 2 ];
-    **     secmodSlotData [ slotCount ];
-    ** {
-    */
-
-    CHECK_SIZE( slotOffset + 2 );
-    slotCount = SECMOD_GETSHORT((unsigned char *)data->data + slotOffset);
-
-    /* 
-     * Consistency check: Part 2. We now have the slot block length, we can 
-     * check the case where the slotblock procedes the name block.
-     */
-    if (slotOffset < namesOffset) { /* slot block starts before name block */
-	if (namesOffset < slotOffset + 2 + slotCount*sizeof(secmodSlotData)) {
-	    goto db_loser;
-	}
-    }
-
-    CHECK_SIZE( (slotOffset + 2 + slotCount * sizeof(secmodSlotData)));
-    slots = (secmodSlotData *) ((unsigned char *)data->data + slotOffset + 2);
-
-    /*  slotCount; */
-    slotStrings = (char **)PORT_ArenaZAlloc(arena, slotCount * sizeof(char *));
-    if (slotStrings == NULL)
-	goto loser;
-    for (i=0; i < (int) slotCount; i++, slots++) {
-	PRBool hasRootCerts	=PR_FALSE;
-	PRBool hasRootTrust	=PR_FALSE;
-	slotID       = SECMOD_GETLONG(slots->slotID);
-	defaultFlags = SECMOD_GETLONG(slots->defaultFlags);
-	timeout      = SECMOD_GETLONG(slots->timeout);
-	hasRootCerts = slots->hasRootCerts;
-	if (isOldVersion && internal && (slotID != 2)) {
-		unsigned long internalFlags=
-			secmod_argSlotFlags("slotFlags",SECMOD_SLOT_FLAGS);
-		defaultFlags |= internalFlags;
-	}
-	if (hasRootCerts && !extended) {
-	    trustOrder = 100;
-	}
-
-	slotStrings[i] = secmod_mkSlotString(slotID, defaultFlags, timeout, 
-	                                   (unsigned char)slots->askpw, 
-	                                   hasRootCerts, hasRootTrust);
-	if (slotStrings[i] == NULL) {
-	    secmod_FreeSlotStrings(slotStrings,i);
-	    goto loser;
-	}
-    }
-
-    nss = secmod_mkNSS(slotStrings, slotCount, internal, isFIPS, isModuleDB, 
-		     isModuleDBOnly, internal, trustOrder, cipherOrder, 
-		     ssl0, ssl1);
-    secmod_FreeSlotStrings(slotStrings,slotCount);
-    /* it's permissible (and normal) for nss to be NULL. it simply means
-     * there are no NSS specific parameters in the database */
-    moduleSpec = secmod_mkNewModuleSpec(dllName,commonName,parameters,nss);
-    PR_smprintf_free(nss);
-    PORT_FreeArena(arena,PR_TRUE);
-    return moduleSpec;
-
-db_loser:
-    PORT_SetError(SEC_ERROR_BAD_DATABASE);
-loser:
-    PORT_FreeArena(arena,PR_TRUE);
-    return NULL;
-}
-
-
-
-static DB *
-secmod_OpenDB(const char *appName, const char *filename, const char *dbName, 
-				PRBool readOnly, PRBool update)
-{
-    DB *pkcs11db = NULL;
-
-
-    if (appName) {
-	char *secname = PORT_Strdup(filename);
-	int len = strlen(secname);
-	int status = RDB_FAIL;
-
-	if (len >= 3 && PORT_Strcmp(&secname[len-3],".db") == 0) {
-	   secname[len-3] = 0;
-	}
-    	pkcs11db=
-	   rdbopen(appName, "", secname, readOnly ? NO_RDONLY:NO_RDWR, NULL);
-	if (update && !pkcs11db) {
-	    DB *updatedb;
-
-    	    pkcs11db = rdbopen(appName, "", secname, NO_CREATE, &status);
-	    if (!pkcs11db) {
-		if (status == RDB_RETRY) {
- 		    pkcs11db= rdbopen(appName, "", secname, 
-					readOnly ? NO_RDONLY:NO_RDWR, NULL);
-		}
-		PORT_Free(secname);
-		return pkcs11db;
-	    }
-	    updatedb = dbopen(dbName, NO_RDONLY, 0600, DB_HASH, 0);
-	    if (updatedb) {
-		db_Copy(pkcs11db,updatedb);
-		(*updatedb->close)(updatedb);
-	    } else {
-		(*pkcs11db->close)(pkcs11db);
-		PORT_Free(secname);
-		return NULL;
-	   }
-	}
-	PORT_Free(secname);
-	return pkcs11db;
-    }
-  
-    /* I'm sure we should do more checks here sometime... */
-    pkcs11db = dbopen(dbName, readOnly ? NO_RDONLY : NO_RDWR, 0600, DB_HASH, 0);
-
-    /* didn't exist? create it */
-    if (pkcs11db == NULL) {
-	 if (readOnly) 
-	     return NULL;
-
-	 pkcs11db = dbopen( dbName, NO_CREATE, 0600, DB_HASH, 0 );
-	 if (pkcs11db) 
-	     (* pkcs11db->sync)(pkcs11db, 0);
-    }
-    return pkcs11db;
-}
-
-static void 
-secmod_CloseDB(DB *pkcs11db) 
-{
-     (*pkcs11db->close)(pkcs11db);
-}
-
-static char *
-secmod_addEscape(const char *string, char quote)
-{
-    char *newString = 0;
-    int escapes = 0, size = 0;
-    const char *src;
-    char *dest;
-
-    for (src=string; *src ; src++) {
-	if ((*src == quote) || (*src == '\\')) escapes++;
-	size++;
-    }
-
-    newString = PORT_ZAlloc(escapes+size+1); 
-    if (newString == NULL) {
-	return NULL;
-    }
-
-    for (src=string, dest=newString; *src; src++,dest++) {
-	if ((*src == '\\') || (*src == quote)) {
-	    *dest++ = '\\';
-	}
-	*dest = *src;
-    }
-
-    return newString;
-}
-
-#define SECMOD_STEP 10
-#define SFTK_DEFAULT_INTERNAL_INIT "library= name=\"NSS Internal PKCS #11 Module\" parameters=\"%s\" NSS=\"Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={%s askpw=any timeout=30})\""
-/*
- * Read all the existing modules in
- */
-char **
-secmod_ReadPermDB(const char *appName, const char *filename,
-				const char *dbname, char *params, PRBool rw)
-{
-    DBT key,data;
-    int ret;
-    DB *pkcs11db = NULL;
-    char **moduleList = NULL;
-    int moduleCount = 1;
-    int useCount = SECMOD_STEP;
-
-    moduleList = (char **) PORT_ZAlloc(useCount*sizeof(char **));
-    if (moduleList == NULL) return NULL;
-
-    pkcs11db = secmod_OpenDB(appName,filename,dbname,PR_TRUE,rw);
-    if (pkcs11db == NULL) goto done;
-
-    /* read and parse the file or data base */
-    ret = (*pkcs11db->seq)(pkcs11db, &key, &data, R_FIRST);
-    if (ret)  goto done;
-
-
-    do {
-	char *moduleString;
-	PRBool internal = PR_FALSE;
-	if ((moduleCount+1) >= useCount) {
-	    useCount += SECMOD_STEP;
-	    moduleList = 
-		(char **)PORT_Realloc(moduleList,useCount*sizeof(char *));
-	    if (moduleList == NULL) goto done;
-	    PORT_Memset(&moduleList[moduleCount+1],0,
-						sizeof(char *)*SECMOD_STEP);
-	}
-	moduleString = secmod_DecodeData(params,&data,&internal);
-	if (internal) {
-	    moduleList[0] = moduleString;
-	} else {
-	    moduleList[moduleCount] = moduleString;
-	    moduleCount++;
-	}
-    } while ( (*pkcs11db->seq)(pkcs11db, &key, &data, R_NEXT) == 0);
-
-done:
-    if (!moduleList[0]) {
-	char * newparams = secmod_addEscape(params,'"');
-	if (newparams) {
-	    moduleList[0] = PR_smprintf(SFTK_DEFAULT_INTERNAL_INIT,newparams,
-						SECMOD_SLOT_FLAGS);
-	    PORT_Free(newparams);
-	}
-    }
-    /* deal with trust cert db here */
-
-    if (pkcs11db) {
-	secmod_CloseDB(pkcs11db);
-    } else if (moduleList[0] && rw) {
-	secmod_AddPermDB(appName,filename,dbname,moduleList[0], rw) ;
-    }
-    if (!moduleList[0]) {
-	PORT_Free(moduleList);
-	moduleList = NULL;
-    }
-    return moduleList;
-}
-
-SECStatus
-secmod_ReleasePermDBData(const char *appName, const char *filename, 
-			const char *dbname, char **moduleSpecList, PRBool rw)
-{
-    if (moduleSpecList) {
-	char **index;
-	for(index = moduleSpecList; *index; index++) {
-	    PR_smprintf_free(*index);
-	}
-	PORT_Free(moduleSpecList);
-    }
-    return SECSuccess;
-}
-
-/*
- * Delete a module from the Data Base
- */
-SECStatus
-secmod_DeletePermDB(const char *appName, const char *filename, 
-			const char *dbname, char *args, PRBool rw)
-{
-    DBT key;
-    SECStatus rv = SECFailure;
-    DB *pkcs11db = NULL;
-    int ret;
-
-    if (!rw) return SECFailure;
-
-    /* make sure we have a db handle */
-    pkcs11db = secmod_OpenDB(appName,filename,dbname,PR_FALSE,PR_FALSE);
-    if (pkcs11db == NULL) {
-	return SECFailure;
-    }
-
-    rv = secmod_MakeKey(&key,args);
-    if (rv != SECSuccess) goto done;
-    rv = SECFailure;
-    ret = (*pkcs11db->del)(pkcs11db, &key, 0);
-    secmod_FreeKey(&key);
-    if (ret != 0) goto done;
-
-
-    ret = (*pkcs11db->sync)(pkcs11db, 0);
-    if (ret == 0) rv = SECSuccess;
-
-done:
-    secmod_CloseDB(pkcs11db);
-    return rv;
-}
-
-/*
- * Add a module to the Data base 
- */
-SECStatus
-secmod_AddPermDB(const char *appName, const char *filename, 
-			const char *dbname, char *module, PRBool rw)
-{
-    DBT key,data;
-    SECStatus rv = SECFailure;
-    DB *pkcs11db = NULL;
-    int ret;
-
-
-    if (!rw) return SECFailure;
-
-    /* make sure we have a db handle */
-    pkcs11db = secmod_OpenDB(appName,filename,dbname,PR_FALSE,PR_FALSE);
-    if (pkcs11db == NULL) {
-	return SECFailure;
-    }
-
-    rv = secmod_MakeKey(&key,module);
-    if (rv != SECSuccess) goto done;
-    rv = secmod_EncodeData(&data,module);
-    if (rv != SECSuccess) {
-	secmod_FreeKey(&key);
-	goto done;
-    }
-    rv = SECFailure;
-    ret = (*pkcs11db->put)(pkcs11db, &key, &data, 0);
-    secmod_FreeKey(&key);
-    secmod_FreeData(&data);
-    if (ret != 0) goto done;
-
-    ret = (*pkcs11db->sync)(pkcs11db, 0);
-    if (ret == 0) rv = SECSuccess;
-
-done:
-    secmod_CloseDB(pkcs11db);
-    return rv;
-}
diff --git a/security/nss/lib/softoken/pk11pars.h b/security/nss/lib/softoken/pk11pars.h
deleted file mode 100644
index ebb1d1b2b..000000000
--- a/security/nss/lib/softoken/pk11pars.h
+++ /dev/null
@@ -1,869 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2001
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * The following handles the loading, unloading and management of
- * various PCKS #11 modules
- */
-
-
-/*
- * this header file contains routines for parsing PKCS #11 module spec
- * strings. It contains 'C' code and should only be included in one module.
- * Currently it is included in both softoken and the wrapper.
- */
-#include <ctype.h>
-#include "pkcs11.h"
-#include "seccomon.h"
-#include "prprf.h"
-#include "secmodt.h"
-#include "pk11init.h"
-
-#define SECMOD_ARG_LIBRARY_PARAMETER "library="
-#define SECMOD_ARG_NAME_PARAMETER "name="
-#define SECMOD_ARG_MODULE_PARAMETER "parameters="
-#define SECMOD_ARG_NSS_PARAMETER "NSS="
-#define SECMOD_ARG_FORTEZZA_FLAG "FORTEZZA"
-#define SECMOD_ARG_ESCAPE '\\'
-
-struct secmodargSlotFlagTable {
-    char *name;
-    int len;
-    unsigned long value;
-};
-
-#define SECMOD_DEFAULT_CIPHER_ORDER 0
-#define SECMOD_DEFAULT_TRUST_ORDER 50
-
-
-#define SECMOD_ARG_ENTRY(arg,flag) \
-{ #arg , sizeof(#arg)-1, flag }
-static struct secmodargSlotFlagTable secmod_argSlotFlagTable[] = {
-	SECMOD_ARG_ENTRY(RSA,SECMOD_RSA_FLAG),
-	SECMOD_ARG_ENTRY(DSA,SECMOD_RSA_FLAG),
-	SECMOD_ARG_ENTRY(RC2,SECMOD_RC4_FLAG),
-	SECMOD_ARG_ENTRY(RC4,SECMOD_RC2_FLAG),
-	SECMOD_ARG_ENTRY(DES,SECMOD_DES_FLAG),
-	SECMOD_ARG_ENTRY(DH,SECMOD_DH_FLAG),
-	SECMOD_ARG_ENTRY(FORTEZZA,SECMOD_FORTEZZA_FLAG),
-	SECMOD_ARG_ENTRY(RC5,SECMOD_RC5_FLAG),
-	SECMOD_ARG_ENTRY(SHA1,SECMOD_SHA1_FLAG),
-	SECMOD_ARG_ENTRY(MD5,SECMOD_MD5_FLAG),
-	SECMOD_ARG_ENTRY(MD2,SECMOD_MD2_FLAG),
-	SECMOD_ARG_ENTRY(SSL,SECMOD_SSL_FLAG),
-	SECMOD_ARG_ENTRY(TLS,SECMOD_TLS_FLAG),
-	SECMOD_ARG_ENTRY(AES,SECMOD_AES_FLAG),
-	SECMOD_ARG_ENTRY(PublicCerts,SECMOD_FRIENDLY_FLAG),
-	SECMOD_ARG_ENTRY(RANDOM,SECMOD_RANDOM_FLAG),
-};
-
-#define SECMOD_HANDLE_STRING_ARG(param,target,value,command) \
-    if (PORT_Strncasecmp(param,value,sizeof(value)-1) == 0) { \
-	param += sizeof(value)-1; \
-	target = secmod_argFetchValue(param,&next); \
-	param += next; \
-	command ;\
-    } else  
-
-#define SECMOD_HANDLE_FINAL_ARG(param) \
-    { param = secmod_argSkipParameter(param); } param = secmod_argStrip(param);
-	
-
-static int secmod_argSlotFlagTableSize = 
-	sizeof(secmod_argSlotFlagTable)/sizeof(secmod_argSlotFlagTable[0]);
-
-
-static PRBool secmod_argGetPair(char c) {
-    switch (c) {
-    case '\'': return c;
-    case '\"': return c;
-    case '<': return '>';
-    case '{': return '}';
-    case '[': return ']';
-    case '(': return ')';
-    default: break;
-    }
-    return ' ';
-}
-
-static PRBool secmod_argIsBlank(char c) {
-   return isspace(c);
-}
-
-static PRBool secmod_argIsEscape(char c) {
-    return c == '\\';
-}
-
-static PRBool secmod_argIsQuote(char c) {
-    switch (c) {
-    case '\'':
-    case '\"':
-    case '<':
-    case '{': /* } end curly to keep vi bracket matching working */
-    case '(': /* ) */
-    case '[': /* ] */ return PR_TRUE;
-    default: break;
-    }
-    return PR_FALSE;
-}
-
-static PRBool secmod_argHasChar(char *v, char c)
-{
-   for ( ;*v; v++) {
-	if (*v == c) return PR_TRUE;
-   }
-   return PR_FALSE;
-}
-
-static PRBool secmod_argHasBlanks(char *v)
-{
-   for ( ;*v; v++) {
-	if (secmod_argIsBlank(*v)) return PR_TRUE;
-   }
-   return PR_FALSE;
-}
-
-static char *secmod_argStrip(char *c) {
-   while (*c && secmod_argIsBlank(*c)) c++;
-   return c;
-}
-
-static char *
-secmod_argFindEnd(char *string) {
-    char endChar = ' ';
-    PRBool lastEscape = PR_FALSE;
-
-    if (secmod_argIsQuote(*string)) {
-	endChar = secmod_argGetPair(*string);
-	string++;
-    }
-
-    for (;*string; string++) {
-	if (lastEscape) {
-	    lastEscape = PR_FALSE;
-	    continue;
-	}
-	if (secmod_argIsEscape(*string) && !lastEscape) {
-	    lastEscape = PR_TRUE;
-	    continue;
-	} 
-	if ((endChar == ' ') && secmod_argIsBlank(*string)) break;
-	if (*string == endChar) {
-	    break;
-	}
-    }
-
-    return string;
-}
-
-static char *
-secmod_argFetchValue(char *string, int *pcount)
-{
-    char *end = secmod_argFindEnd(string);
-    char *retString, *copyString;
-    PRBool lastEscape = PR_FALSE;
-    int len;
-
-    len = end - string;
-    if (len == 0) {
-	*pcount = 0;
-	return NULL;
-    }
-
-    copyString = retString = (char *)PORT_Alloc(len+1);
-
-    if (*end) len++;
-    *pcount = len;
-    if (retString == NULL) return NULL;
-
-
-    if (secmod_argIsQuote(*string)) string++;
-    for (; string < end; string++) {
-	if (secmod_argIsEscape(*string) && !lastEscape) {
-	    lastEscape = PR_TRUE;
-	    continue;
-	}
-	lastEscape = PR_FALSE;
-	*copyString++ = *string;
-    }
-    *copyString = 0;
-    return retString;
-}
-
-static char *
-secmod_argSkipParameter(char *string) 
-{
-     char *end;
-     /* look for the end of the <name>= */
-     for (;*string; string++) {
-	if (*string == '=') { string++; break; }
-	if (secmod_argIsBlank(*string)) return(string); 
-     }
-
-     end = secmod_argFindEnd(string);
-     if (*end) end++;
-     return end;
-}
-
-
-static SECStatus
-secmod_argParseModuleSpec(char *modulespec, char **lib, char **mod, 
-					char **parameters, char **nss)
-{
-    int next;
-    modulespec = secmod_argStrip(modulespec);
-
-    *lib = *mod = *parameters = *nss = 0;
-
-    while (*modulespec) {
-	SECMOD_HANDLE_STRING_ARG(modulespec,*lib,SECMOD_ARG_LIBRARY_PARAMETER,;)
-	SECMOD_HANDLE_STRING_ARG(modulespec,*mod,SECMOD_ARG_NAME_PARAMETER,;)
-	SECMOD_HANDLE_STRING_ARG(modulespec,*parameters,
-						SECMOD_ARG_MODULE_PARAMETER,;)
-	SECMOD_HANDLE_STRING_ARG(modulespec,*nss,SECMOD_ARG_NSS_PARAMETER,;)
-	SECMOD_HANDLE_FINAL_ARG(modulespec)
-   }
-   return SECSuccess;
-}
-
-
-static char *
-secmod_argGetParamValue(char *paramName,char *parameters)
-{
-    char searchValue[256];
-    int paramLen = strlen(paramName);
-    char *returnValue = NULL;
-    int next;
-
-    if ((parameters == NULL) || (*parameters == 0)) return NULL;
-
-    PORT_Assert(paramLen+2 < sizeof(searchValue));
-
-    PORT_Strcpy(searchValue,paramName);
-    PORT_Strcat(searchValue,"=");
-    while (*parameters) {
-	if (PORT_Strncasecmp(parameters,searchValue,paramLen+1) == 0) {
-	    parameters += paramLen+1;
-	    returnValue = secmod_argFetchValue(parameters,&next);
-	    break;
-	} else {
-	    parameters = secmod_argSkipParameter(parameters);
-	}
-	parameters = secmod_argStrip(parameters);
-   }
-   return returnValue;
-}
-    
-
-static char *
-secmod_argNextFlag(char *flags)
-{
-    for (; *flags ; flags++) {
-	if (*flags == ',') {
-	    flags++;
-	    break;
-	}
-    }
-    return flags;
-}
-
-static PRBool
-secmod_argHasFlag(char *label, char *flag, char *parameters)
-{
-    char *flags,*index;
-    int len = strlen(flag);
-    PRBool found = PR_FALSE;
-
-    flags = secmod_argGetParamValue(label,parameters);
-    if (flags == NULL) return PR_FALSE;
-
-    for (index=flags; *index; index=secmod_argNextFlag(index)) {
-	if (PORT_Strncasecmp(index,flag,len) == 0) {
-	    found=PR_TRUE;
-	    break;
-	}
-    }
-    PORT_Free(flags);
-    return found;
-}
-
-static void
-secmod_argSetNewCipherFlags(unsigned long *newCiphers,char *cipherList)
-{
-    newCiphers[0] = newCiphers[1] = 0;
-    if ((cipherList == NULL) || (*cipherList == 0)) return;
-
-    for (;*cipherList; cipherList=secmod_argNextFlag(cipherList)) {
-	if (PORT_Strncasecmp(cipherList,SECMOD_ARG_FORTEZZA_FLAG,
-				sizeof(SECMOD_ARG_FORTEZZA_FLAG)-1) == 0) {
-	    newCiphers[0] |= SECMOD_FORTEZZA_FLAG;
-	} 
-
-	/* add additional flags here as necessary */
-	/* direct bit mapping escape */
-	if (*cipherList == 0) {
-	   if (cipherList[1] == 'l') {
-		newCiphers[1] |= atoi(&cipherList[2]);
-	   } else {
-		newCiphers[0] |= atoi(&cipherList[2]);
-	   }
-	}
-    }
-}
-
-
-/*
- * decode a number. handle octal (leading '0'), hex (leading '0x') or decimal
- */
-static long
-secmod_argDecodeNumber(char *num)
-{
-    int	radix = 10;
-    unsigned long value = 0;
-    long retValue = 0;
-    int sign = 1;
-    int digit;
-
-    if (num == NULL) return retValue;
-
-    num = secmod_argStrip(num);
-
-    if (*num == '-') {
-	sign = -1;
-	num++;
-    }
-
-    if (*num == '0') {
-	radix = 8;
-	num++;
-	if ((*num == 'x') || (*num == 'X')) {
-	    radix = 16;
-	    num++;
-	}
-    }
-
-   
-    for ( ;*num; num++ ) {
-	if (isdigit(*num)) {
-	    digit = *num - '0';
-	} else if ((*num >= 'a') && (*num <= 'f'))  {
-	    digit = *num - 'a' + 10;
-	} else if ((*num >= 'A') && (*num <= 'F'))  {
-	    digit = *num - 'A' + 10;
-	} else {
-	    break;
-	}
-	if (digit >= radix) break;
-	value = value*radix + digit;
-    }
-
-    retValue = ((int) value) * sign;
-    return retValue;
-}
-
-static long
-secmod_argReadLong(char *label,char *params, long defValue, PRBool *isdefault)
-{
-    char *value;
-    long retValue;
-    if (isdefault) *isdefault = PR_FALSE; 
-
-    value = secmod_argGetParamValue(label,params);
-    if (value == NULL) {
-	if (isdefault) *isdefault = PR_TRUE;
-	return defValue;
-    }
-    retValue = secmod_argDecodeNumber(value);
-    if (value) PORT_Free(value);
-
-    return retValue;
-}
-
-
-static unsigned long
-secmod_argSlotFlags(char *label,char *params)
-{
-    char *flags,*index;
-    unsigned long retValue = 0;
-    int i;
-    PRBool all = PR_FALSE;
-
-    flags = secmod_argGetParamValue(label,params);
-    if (flags == NULL) return 0;
-
-    if (PORT_Strcasecmp(flags,"all") == 0) all = PR_TRUE;
-
-    for (index=flags; *index; index=secmod_argNextFlag(index)) {
-	for (i=0; i < secmod_argSlotFlagTableSize; i++) {
-	    if (all || (PORT_Strncasecmp(index, secmod_argSlotFlagTable[i].name,
-				secmod_argSlotFlagTable[i].len) == 0)) {
-		retValue |= secmod_argSlotFlagTable[i].value;
-	    }
-	}
-    }
-    PORT_Free(flags);
-    return retValue;
-}
-
-
-static void
-secmod_argDecodeSingleSlotInfo(char *name, char *params, 
-                               PK11PreSlotInfo *slotInfo)
-{
-    char *askpw;
-
-    slotInfo->slotID=secmod_argDecodeNumber(name);
-    slotInfo->defaultFlags=secmod_argSlotFlags("slotFlags",params);
-    slotInfo->timeout=secmod_argReadLong("timeout",params, 0, NULL);
-
-    askpw = secmod_argGetParamValue("askpw",params);
-    slotInfo->askpw = 0;
-
-    if (askpw) {
-	if (PORT_Strcasecmp(askpw,"every") == 0) {
-    	    slotInfo->askpw = -1;
-	} else if (PORT_Strcasecmp(askpw,"timeout") == 0) {
-    	    slotInfo->askpw = 1;
-	} 
-	PORT_Free(askpw);
-	slotInfo->defaultFlags |= PK11_OWN_PW_DEFAULTS;
-    }
-    slotInfo->hasRootCerts = secmod_argHasFlag("rootFlags", "hasRootCerts", 
-                                               params);
-    slotInfo->hasRootTrust = secmod_argHasFlag("rootFlags", "hasRootTrust", 
-                                               params);
-}
-
-static char *
-secmod_argGetName(char *inString, int *next) 
-{
-    char *name=NULL;
-    char *string;
-    int len;
-
-    /* look for the end of the <name>= */
-    for (string = inString;*string; string++) {
-	if (*string == '=') { break; }
-	if (secmod_argIsBlank(*string)) break;
-    }
-
-    len = string - inString;
-
-    *next = len; 
-    if (*string == '=') (*next) += 1;
-    if (len > 0) {
-	name = PORT_Alloc(len+1);
-	PORT_Strncpy(name,inString,len);
-	name[len] = 0;
-    }
-    return name;
-}
-
-static PK11PreSlotInfo *
-secmod_argParseSlotInfo(PRArenaPool *arena, char *slotParams, int *retCount)
-{
-    char *slotIndex;
-    PK11PreSlotInfo *slotInfo = NULL;
-    int i=0,count = 0,next;
-
-    *retCount = 0;
-    if ((slotParams == NULL) || (*slotParams == 0))  return NULL;
-
-    /* first count the number of slots */
-    for (slotIndex = secmod_argStrip(slotParams); *slotIndex; 
-	 slotIndex = secmod_argStrip(secmod_argSkipParameter(slotIndex))) {
-	count++;
-    }
-
-    /* get the data structures */
-    if (arena) {
-	slotInfo = (PK11PreSlotInfo *) 
-			PORT_ArenaAlloc(arena,count*sizeof(PK11PreSlotInfo));
-	PORT_Memset(slotInfo,0,count*sizeof(PK11PreSlotInfo));
-    } else {
-	slotInfo = (PK11PreSlotInfo *) 
-			PORT_ZAlloc(count*sizeof(PK11PreSlotInfo));
-    }
-    if (slotInfo == NULL) return NULL;
-
-    for (slotIndex = secmod_argStrip(slotParams), i = 0; 
-					*slotIndex && i < count ; ) {
-	char *name;
-	name = secmod_argGetName(slotIndex,&next);
-	slotIndex += next;
-
-	if (!secmod_argIsBlank(*slotIndex)) {
-	    char *args = secmod_argFetchValue(slotIndex,&next);
-	    slotIndex += next;
-	    if (args) {
-		secmod_argDecodeSingleSlotInfo(name,args,&slotInfo[i]);
-		i++;
-		PORT_Free(args);
-	    }
-	}
-	if (name) PORT_Free(name);
-	slotIndex = secmod_argStrip(slotIndex);
-    }
-    *retCount = i;
-    return slotInfo;
-}
-
-static char *secmod_nullString = "";
-
-static char *
-secmod_formatValue(PRArenaPool *arena, char *value, char quote)
-{
-    char *vp,*vp2,*retval;
-    int size = 0, escapes = 0;
-
-    for (vp=value; *vp ;vp++) {
-	if ((*vp == quote) || (*vp == SECMOD_ARG_ESCAPE)) escapes++;
-	size++;
-    }
-    if (arena) {
-	retval = PORT_ArenaZAlloc(arena,size+escapes+1);
-    } else {
-	retval = PORT_ZAlloc(size+escapes+1);
-    }
-    if (retval == NULL) return NULL;
-    vp2 = retval;
-    for (vp=value; *vp; vp++) {
-	if ((*vp == quote) || (*vp == SECMOD_ARG_ESCAPE)) 
-				*vp2++ = SECMOD_ARG_ESCAPE;
-	*vp2++ = *vp;
-    }
-    return retval;
-}
-    
-static char *secmod_formatPair(char *name,char *value, char quote)
-{
-    char openQuote = quote;
-    char closeQuote = secmod_argGetPair(quote);
-    char *newValue = NULL;
-    char *returnValue;
-    PRBool need_quote = PR_FALSE;
-
-    if (!value || (*value == 0)) return secmod_nullString;
-
-    if (secmod_argHasBlanks(value) || secmod_argIsQuote(value[0]))
-							 need_quote=PR_TRUE;
-
-    if ((need_quote && secmod_argHasChar(value,closeQuote))
-				 || secmod_argHasChar(value,SECMOD_ARG_ESCAPE)) {
-	value = newValue = secmod_formatValue(NULL, value,quote);
-	if (newValue == NULL) return secmod_nullString;
-    }
-    if (need_quote) {
-    	returnValue = PR_smprintf("%s=%c%s%c",name,openQuote,value,closeQuote);
-    } else {
-    	returnValue = PR_smprintf("%s=%s",name,value);
-    }
-    if (returnValue == NULL) returnValue = secmod_nullString;
-
-    if (newValue) PORT_Free(newValue);
-
-    return returnValue;
-}
-
-static char *secmod_formatIntPair(char *name, unsigned long value, 
-                                  unsigned long def)
-{
-    char *returnValue;
-
-    if (value == def) return secmod_nullString;
-
-    returnValue = PR_smprintf("%s=%d",name,value);
-
-    return returnValue;
-}
-
-static void
-secmod_freePair(char *pair)
-{
-    if (pair && pair != secmod_nullString) {
-	PR_smprintf_free(pair);
-    }
-}
-
-#define MAX_FLAG_SIZE  sizeof("internal")+sizeof("FIPS")+sizeof("moduleDB")+\
-				sizeof("moduleDBOnly")+sizeof("critical")
-static char *
-secmod_mkNSSFlags(PRBool internal, PRBool isFIPS,
-		PRBool isModuleDB, PRBool isModuleDBOnly, PRBool isCritical)
-{
-    char *flags = (char *)PORT_ZAlloc(MAX_FLAG_SIZE);
-    PRBool first = PR_TRUE;
-
-    PORT_Memset(flags,0,MAX_FLAG_SIZE);
-    if (internal) {
-	PORT_Strcat(flags,"internal");
-	first = PR_FALSE;
-    }
-    if (isFIPS) {
-	if (!first) PORT_Strcat(flags,",");
-	PORT_Strcat(flags,"FIPS");
-	first = PR_FALSE;
-    }
-    if (isModuleDB) {
-	if (!first) PORT_Strcat(flags,",");
-	PORT_Strcat(flags,"moduleDB");
-	first = PR_FALSE;
-    }
-    if (isModuleDBOnly) {
-	if (!first) PORT_Strcat(flags,",");
-	PORT_Strcat(flags,"moduleDBOnly");
-	first = PR_FALSE;
-    }
-    if (isCritical) {
-	if (!first) PORT_Strcat(flags,",");
-	PORT_Strcat(flags,"critical");
-	first = PR_FALSE;
-    }
-    return flags;
-}
-
-static char *
-secmod_mkCipherFlags(unsigned long ssl0, unsigned long ssl1)
-{
-    char *cipher = NULL;
-    int i;
-
-    for (i=0; i < sizeof(ssl0)*8; i++) {
-	if (ssl0 & (1<<i)) {
-	    char *string;
-	    if ((1<<i) == SECMOD_FORTEZZA_FLAG) {
-		string = PR_smprintf("%s","FORTEZZA");
-	    } else {
-		string = PR_smprintf("0h0x%08x",1<<i);
-	    }
-	    if (cipher) {
-		char *tmp;
-		tmp = PR_smprintf("%s,%s",cipher,string);
-		PR_smprintf_free(cipher);
-		PR_smprintf_free(string);
-		cipher = tmp;
-	    } else {
-		cipher = string;
-	    }
-	}
-    }
-    for (i=0; i < sizeof(ssl0)*8; i++) {
-	if (ssl1 & (1<<i)) {
-	    if (cipher) {
-		char *tmp;
-		tmp = PR_smprintf("%s,0l0x%08x",cipher,1<<i);
-		PR_smprintf_free(cipher);
-		cipher = tmp;
-	    } else {
-		cipher = PR_smprintf("0l0x%08x",1<<i);
-	    }
-	}
-    }
-
-    return cipher;
-}
-
-static char *
-secmod_mkSlotFlags(unsigned long defaultFlags)
-{
-    char *flags=NULL;
-    int i,j;
-
-    for (i=0; i < sizeof(defaultFlags)*8; i++) {
-	if (defaultFlags & (1<<i)) {
-	    char *string = NULL;
-
-	    for (j=0; j < secmod_argSlotFlagTableSize; j++) {
-		if (secmod_argSlotFlagTable[j].value == ( 1UL << i )) {
-		    string = secmod_argSlotFlagTable[j].name;
-		    break;
-		}
-	    }
-	    if (string) {
-		if (flags) {
-		    char *tmp;
-		    tmp = PR_smprintf("%s,%s",flags,string);
-		    PR_smprintf_free(flags);
-		    flags = tmp;
-		} else {
-		    flags = PR_smprintf("%s",string);
-		}
-	    }
-	}
-    }
-
-    return flags;
-}
-
-#define SECMOD_MAX_ROOT_FLAG_SIZE  sizeof("hasRootCerts")+sizeof("hasRootTrust")
-
-static char *
-secmod_mkRootFlags(PRBool hasRootCerts, PRBool hasRootTrust)
-{
-    char *flags= (char *)PORT_ZAlloc(SECMOD_MAX_ROOT_FLAG_SIZE);
-    PRBool first = PR_TRUE;
-
-    PORT_Memset(flags,0,SECMOD_MAX_ROOT_FLAG_SIZE);
-    if (hasRootCerts) {
-	PORT_Strcat(flags,"hasRootCerts");
-	first = PR_FALSE;
-    }
-    if (hasRootTrust) {
-	if (!first) PORT_Strcat(flags,",");
-	PORT_Strcat(flags,"hasRootTrust");
-	first = PR_FALSE;
-    }
-    return flags;
-}
-
-static char *
-secmod_mkSlotString(unsigned long slotID, unsigned long defaultFlags,
-		  unsigned long timeout, unsigned char askpw_in,
-		  PRBool hasRootCerts, PRBool hasRootTrust) {
-    char *askpw,*flags,*rootFlags,*slotString;
-    char *flagPair,*rootFlagsPair;
-	
-    switch (askpw_in) {
-    case 0xff:
-	askpw = "every";
-	break;
-    case 1:
-	askpw = "timeout";
-	break;
-    default:
-	askpw = "any";
-	break;
-    }
-    flags = secmod_mkSlotFlags(defaultFlags);
-    rootFlags = secmod_mkRootFlags(hasRootCerts,hasRootTrust);
-    flagPair=secmod_formatPair("slotFlags",flags,'\'');
-    rootFlagsPair=secmod_formatPair("rootFlags",rootFlags,'\'');
-    if (flags) PR_smprintf_free(flags);
-    if (rootFlags) PORT_Free(rootFlags);
-    if (defaultFlags & PK11_OWN_PW_DEFAULTS) {
-    	slotString = PR_smprintf("0x%08lx=[%s askpw=%s timeout=%d %s]",
-				(PRUint32)slotID,flagPair,askpw,timeout,
-				rootFlagsPair);
-    } else {
-    	slotString = PR_smprintf("0x%08lx=[%s %s]",
-				(PRUint32)slotID,flagPair,rootFlagsPair);
-    }
-    secmod_freePair(flagPair);
-    secmod_freePair(rootFlagsPair);
-    return slotString;
-}
-
-static char *
-secmod_mkNSS(char **slotStrings, int slotCount, PRBool internal, PRBool isFIPS,
-	  PRBool isModuleDB,  PRBool isModuleDBOnly, PRBool isCritical, 
-	  unsigned long trustOrder, unsigned long cipherOrder,
-				unsigned long ssl0, unsigned long ssl1) {
-    int slotLen, i;
-    char *slotParams, *ciphers, *nss, *nssFlags, *tmp;
-    char *trustOrderPair,*cipherOrderPair,*slotPair,*cipherPair,*flagPair;
-
-
-    /* now let's build up the string
-     * first the slot infos
-     */
-    slotLen=0;
-    for (i=0; i < (int)slotCount; i++) {
-	slotLen += PORT_Strlen(slotStrings[i])+1;
-    }
-    slotLen += 1; /* space for the final NULL */
-
-    slotParams = (char *)PORT_ZAlloc(slotLen);
-    PORT_Memset(slotParams,0,slotLen);
-    for (i=0; i < (int)slotCount; i++) {
-	PORT_Strcat(slotParams,slotStrings[i]);
-	PORT_Strcat(slotParams," ");
-	PR_smprintf_free(slotStrings[i]);
-	slotStrings[i]=NULL;
-    }
-    
-    /*
-     * now the NSS structure
-     */
-    nssFlags = secmod_mkNSSFlags(internal,isFIPS,isModuleDB,isModuleDBOnly,
-							isCritical); 
-	/* for now only the internal module is critical */
-    ciphers = secmod_mkCipherFlags(ssl0, ssl1);
-
-    trustOrderPair=secmod_formatIntPair("trustOrder",trustOrder,
-					SECMOD_DEFAULT_TRUST_ORDER);
-    cipherOrderPair=secmod_formatIntPair("cipherOrder",cipherOrder,
-					SECMOD_DEFAULT_CIPHER_ORDER);
-    slotPair=secmod_formatPair("slotParams",slotParams,'{'); /* } */
-    if (slotParams) PORT_Free(slotParams);
-    cipherPair=secmod_formatPair("ciphers",ciphers,'\'');
-    if (ciphers) PR_smprintf_free(ciphers);
-    flagPair=secmod_formatPair("Flags",nssFlags,'\'');
-    if (nssFlags) PORT_Free(nssFlags);
-    nss = PR_smprintf("%s %s %s %s %s",trustOrderPair,
-			cipherOrderPair,slotPair,cipherPair,flagPair);
-    secmod_freePair(trustOrderPair);
-    secmod_freePair(cipherOrderPair);
-    secmod_freePair(slotPair);
-    secmod_freePair(cipherPair);
-    secmod_freePair(flagPair);
-    tmp = secmod_argStrip(nss);
-    if (*tmp == '\0') {
-	PR_smprintf_free(nss);
-	nss = NULL;
-    }
-    return nss;
-}
-
-static char *
-secmod_mkNewModuleSpec(char *dllName, char *commonName, char *parameters, 
-								char *NSS) {
-    char *moduleSpec;
-    char *lib,*name,*param,*nss;
-
-    /*
-     * now the final spec
-     */
-    lib = secmod_formatPair("library",dllName,'\"');
-    name = secmod_formatPair("name",commonName,'\"');
-    param = secmod_formatPair("parameters",parameters,'\"');
-    nss = secmod_formatPair("NSS",NSS,'\"');
-    moduleSpec = PR_smprintf("%s %s %s %s", lib,name,param,nss);
-    secmod_freePair(lib);
-    secmod_freePair(name);
-    secmod_freePair(param);
-    secmod_freePair(nss);
-    return (moduleSpec);
-}
-
diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c
deleted file mode 100644
index 10a7bcfb7..000000000
--- a/security/nss/lib/softoken/pkcs11.c
+++ /dev/null
@@ -1,5157 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Stephen Henson <stephen.henson@gemplus.com>
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * This file implements PKCS 11 on top of our existing security modules
- *
- * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
- *   This implementation has two slots:
- *	slot 1 is our generic crypto support. It does not require login.
- *   It supports Public Key ops, and all they bulk ciphers and hashes. 
- *   It can also support Private Key ops for imported Private keys. It does 
- *   not have any token storage.
- *	slot 2 is our private key support. It requires a login before use. It
- *   can store Private Keys and Certs as token objects. Currently only private
- *   keys and their associated Certificates are saved on the token.
- *
- *   In this implementation, session objects are only visible to the session
- *   that created or generated them.
- */
-#include "seccomon.h"
-#include "secitem.h"
-#include "pkcs11.h"
-#include "pkcs11i.h"
-#include "pkcs11p.h"
-#include "softoken.h"
-#include "lowkeyi.h"
-#include "blapi.h"
-#include "secder.h"
-#include "secport.h"
-#include "pcert.h"
-#include "secrng.h"
-#include "nss.h"
-
-#include "keydbi.h" 
-
-#ifdef NSS_ENABLE_ECC
-extern SECStatus EC_FillParams(PRArenaPool *arena, 
-    const SECItem *encodedParams, ECParams *params);
-#endif
-
-/*
- * ******************** Static data *******************************
- */
-
-/* The next three strings must be exactly 32 characters long */
-static char *manufacturerID      = "mozilla.org                     ";
-static char manufacturerID_space[33];
-static char *libraryDescription  = "NSS Internal Crypto Services    ";
-static char libraryDescription_space[33];
-
-/*
- * In FIPS mode, we disallow login attempts for 1 second after a login
- * failure so that there are at most 60 login attempts per minute.
- */
-static PRIntervalTime loginWaitTime;
-
-#define __PASTE(x,y)    x##y
-
-/*
- * we renamed all our internal functions, get the correct
- * definitions for them...
- */ 
-#undef CK_PKCS11_FUNCTION_INFO
-#undef CK_NEED_ARG_LIST
-
-#define CK_EXTERN extern
-#define CK_PKCS11_FUNCTION_INFO(func) \
-		CK_RV __PASTE(NS,func)
-#define CK_NEED_ARG_LIST	1
- 
-#include "pkcs11f.h"
- 
- 
- 
-/* build the crypto module table */
-static const CK_FUNCTION_LIST sftk_funcList = {
-    { 1, 10 },
- 
-#undef CK_PKCS11_FUNCTION_INFO
-#undef CK_NEED_ARG_LIST
- 
-#define CK_PKCS11_FUNCTION_INFO(func) \
-				__PASTE(NS,func),
-#include "pkcs11f.h"
- 
-};
- 
-#undef CK_PKCS11_FUNCTION_INFO
-#undef CK_NEED_ARG_LIST
- 
- 
-#undef __PASTE
-
-/* List of DES Weak Keys */ 
-typedef unsigned char desKey[8];
-static const desKey  sftk_desWeakTable[] = {
-#ifdef noParity
-    /* weak */
-    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
-    { 0x1e, 0x1e, 0x1e, 0x1e, 0x0e, 0x0e, 0x0e, 0x0e },
-    { 0xe0, 0xe0, 0xe0, 0xe0, 0xf0, 0xf0, 0xf0, 0xf0 },
-    { 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe },
-    /* semi-weak */
-    { 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe },
-    { 0xfe, 0x00, 0xfe, 0x00, 0x00, 0xfe, 0x00, 0xfe },
-
-    { 0x1e, 0xe0, 0x1e, 0xe0, 0x0e, 0xf0, 0x0e, 0xf0 },
-    { 0xe0, 0x1e, 0xe0, 0x1e, 0xf0, 0x0e, 0xf0, 0x0e },
-
-    { 0x00, 0xe0, 0x00, 0xe0, 0x00, 0x0f, 0x00, 0x0f },
-    { 0xe0, 0x00, 0xe0, 0x00, 0xf0, 0x00, 0xf0, 0x00 },
-
-    { 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e, 0xfe },
-    { 0xfe, 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e },
-
-    { 0x00, 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e },
-    { 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e, 0x00 },
-
-    { 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0, 0xfe },
-    { 0xfe, 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0 },
-#else
-    /* weak */
-    { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 },
-    { 0x1f, 0x1f, 0x1f, 0x1f, 0x0e, 0x0e, 0x0e, 0x0e },
-    { 0xe0, 0xe0, 0xe0, 0xe0, 0xf1, 0xf1, 0xf1, 0xf1 },
-    { 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe },
-
-    /* semi-weak */
-    { 0x01, 0xfe, 0x01, 0xfe, 0x01, 0xfe, 0x01, 0xfe },
-    { 0xfe, 0x01, 0xfe, 0x01, 0xfe, 0x01, 0xfe, 0x01 },
-
-    { 0x1f, 0xe0, 0x1f, 0xe0, 0x0e, 0xf1, 0x0e, 0xf1 },
-    { 0xe0, 0x1f, 0xe0, 0x1f, 0xf1, 0x0e, 0xf1, 0x0e },
-
-    { 0x01, 0xe0, 0x01, 0xe0, 0x01, 0xf1, 0x01, 0xf1 },
-    { 0xe0, 0x01, 0xe0, 0x01, 0xf1, 0x01, 0xf1, 0x01 },
-
-    { 0x1f, 0xfe, 0x1f, 0xfe, 0x0e, 0xfe, 0x0e, 0xfe },
-    { 0xfe, 0x1f, 0xfe, 0x1f, 0xfe, 0x0e, 0xfe, 0x0e },
-
-    { 0x01, 0x1f, 0x01, 0x1f, 0x01, 0x0e, 0x01, 0x0e },
-    { 0x1f, 0x01, 0x1f, 0x01, 0x0e, 0x01, 0x0e, 0x01 },
-
-    { 0xe0, 0xfe, 0xe0, 0xfe, 0xf1, 0xfe, 0xf1, 0xfe }, 
-    { 0xfe, 0xe0, 0xfe, 0xe0, 0xfe, 0xf1, 0xfe, 0xf1 }
-#endif
-};
-
-    
-static const int sftk_desWeakTableSize = sizeof(sftk_desWeakTable)/
-						sizeof(sftk_desWeakTable[0]);
-
-/* DES KEY Parity conversion table. Takes each byte/2 as an index, returns
- * that byte with the proper parity bit set */
-static const unsigned char parityTable[256] = {
-/* Even...0x00,0x02,0x04,0x06,0x08,0x0a,0x0c,0x0e */
-/* E */   0x01,0x02,0x04,0x07,0x08,0x0b,0x0d,0x0e,
-/* Odd....0x10,0x12,0x14,0x16,0x18,0x1a,0x1c,0x1e */
-/* O */   0x10,0x13,0x15,0x16,0x19,0x1a,0x1c,0x1f,
-/* Odd....0x20,0x22,0x24,0x26,0x28,0x2a,0x2c,0x2e */
-/* O */   0x20,0x23,0x25,0x26,0x29,0x2a,0x2c,0x2f,
-/* Even...0x30,0x32,0x34,0x36,0x38,0x3a,0x3c,0x3e */
-/* E */   0x31,0x32,0x34,0x37,0x38,0x3b,0x3d,0x3e,
-/* Odd....0x40,0x42,0x44,0x46,0x48,0x4a,0x4c,0x4e */
-/* O */   0x40,0x43,0x45,0x46,0x49,0x4a,0x4c,0x4f,
-/* Even...0x50,0x52,0x54,0x56,0x58,0x5a,0x5c,0x5e */
-/* E */   0x51,0x52,0x54,0x57,0x58,0x5b,0x5d,0x5e,
-/* Even...0x60,0x62,0x64,0x66,0x68,0x6a,0x6c,0x6e */
-/* E */   0x61,0x62,0x64,0x67,0x68,0x6b,0x6d,0x6e,
-/* Odd....0x70,0x72,0x74,0x76,0x78,0x7a,0x7c,0x7e */
-/* O */   0x70,0x73,0x75,0x76,0x79,0x7a,0x7c,0x7f,
-/* Odd....0x80,0x82,0x84,0x86,0x88,0x8a,0x8c,0x8e */
-/* O */   0x80,0x83,0x85,0x86,0x89,0x8a,0x8c,0x8f,
-/* Even...0x90,0x92,0x94,0x96,0x98,0x9a,0x9c,0x9e */
-/* E */   0x91,0x92,0x94,0x97,0x98,0x9b,0x9d,0x9e,
-/* Even...0xa0,0xa2,0xa4,0xa6,0xa8,0xaa,0xac,0xae */
-/* E */   0xa1,0xa2,0xa4,0xa7,0xa8,0xab,0xad,0xae,
-/* Odd....0xb0,0xb2,0xb4,0xb6,0xb8,0xba,0xbc,0xbe */
-/* O */   0xb0,0xb3,0xb5,0xb6,0xb9,0xba,0xbc,0xbf,
-/* Even...0xc0,0xc2,0xc4,0xc6,0xc8,0xca,0xcc,0xce */
-/* E */   0xc1,0xc2,0xc4,0xc7,0xc8,0xcb,0xcd,0xce,
-/* Odd....0xd0,0xd2,0xd4,0xd6,0xd8,0xda,0xdc,0xde */
-/* O */   0xd0,0xd3,0xd5,0xd6,0xd9,0xda,0xdc,0xdf,
-/* Odd....0xe0,0xe2,0xe4,0xe6,0xe8,0xea,0xec,0xee */
-/* O */   0xe0,0xe3,0xe5,0xe6,0xe9,0xea,0xec,0xef,
-/* Even...0xf0,0xf2,0xf4,0xf6,0xf8,0xfa,0xfc,0xfe */
-/* E */   0xf1,0xf2,0xf4,0xf7,0xf8,0xfb,0xfd,0xfe,
-};
-
-/* Mechanisms */
-struct mechanismList {
-    CK_MECHANISM_TYPE	type;
-    CK_MECHANISM_INFO	info;
-    PRBool		privkey;
-};
-
-/*
- * the following table includes a complete list of mechanism defined by
- * PKCS #11 version 2.01. Those Mechanisms not supported by this PKCS #11
- * module are ifdef'ed out.
- */
-#define CKF_EN_DE		CKF_ENCRYPT      | CKF_DECRYPT
-#define CKF_WR_UN		CKF_WRAP         | CKF_UNWRAP
-#define CKF_SN_VR		CKF_SIGN         | CKF_VERIFY
-#define CKF_SN_RE		CKF_SIGN_RECOVER | CKF_VERIFY_RECOVER
-
-#define CKF_EN_DE_WR_UN 	CKF_EN_DE       | CKF_WR_UN
-#define CKF_SN_VR_RE		CKF_SN_VR       | CKF_SN_RE
-#define CKF_DUZ_IT_ALL		CKF_EN_DE_WR_UN | CKF_SN_VR_RE
-
-#define CKF_EC_PNU		CKF_EC_FP | CKF_EC_NAMEDCURVE | CKF_EC_UNCOMPRESS
-
-#define CKF_EC_BPNU		CKF_EC_F_2M | CKF_EC_PNU
-
-#define CK_MAX 0xffffffff
-
-static const struct mechanismList mechanisms[] = {
-
-     /*
-      * PKCS #11 Mechanism List.
-      *
-      * The first argument is the PKCS #11 Mechanism we support.
-      * The second argument is Mechanism info structure. It includes:
-      *    The minimum key size,
-      *       in bits for RSA, DSA, DH, EC*, KEA, RC2 and RC4 * algs.
-      *       in bytes for RC5, AES, and CAST*
-      *       ignored for DES*, IDEA and FORTEZZA based
-      *    The maximum key size,
-      *       in bits for RSA, DSA, DH, EC*, KEA, RC2 and RC4 * algs.
-      *       in bytes for RC5, AES, and CAST*
-      *       ignored for DES*, IDEA and FORTEZZA based
-      *     Flags
-      *	      What operations are supported by this mechanism.
-      *  The third argument is a bool which tells if this mechanism is 
-      *    supported in the database token.
-      *
-      */
-
-     /* ------------------------- RSA Operations ---------------------------*/
-     {CKM_RSA_PKCS_KEY_PAIR_GEN,{RSA_MIN_MODULUS_BITS,CK_MAX,
-				 CKF_GENERATE_KEY_PAIR},PR_TRUE},
-     {CKM_RSA_PKCS,             {RSA_MIN_MODULUS_BITS,CK_MAX,
-				 CKF_DUZ_IT_ALL},       PR_TRUE},
-#ifdef SFTK_RSA9796_SUPPORTED
-     {CKM_RSA_9796,		{RSA_MIN_MODULUS_BITS,CK_MAX,
-				 CKF_DUZ_IT_ALL},       PR_TRUE},
-#endif
-     {CKM_RSA_X_509,		{RSA_MIN_MODULUS_BITS,CK_MAX,
-				 CKF_DUZ_IT_ALL},       PR_TRUE},
-     /* -------------- RSA Multipart Signing Operations -------------------- */
-     {CKM_MD2_RSA_PKCS,		{RSA_MIN_MODULUS_BITS,CK_MAX,
-				 CKF_SN_VR}, 	PR_TRUE},
-     {CKM_MD5_RSA_PKCS,		{RSA_MIN_MODULUS_BITS,CK_MAX,
-				 CKF_SN_VR}, 	PR_TRUE},
-     {CKM_SHA1_RSA_PKCS,	{RSA_MIN_MODULUS_BITS,CK_MAX,
-				 CKF_SN_VR}, 	PR_TRUE},
-     {CKM_SHA256_RSA_PKCS,	{RSA_MIN_MODULUS_BITS,CK_MAX,
-				 CKF_SN_VR}, 	PR_TRUE},
-     {CKM_SHA384_RSA_PKCS,	{RSA_MIN_MODULUS_BITS,CK_MAX,
-				 CKF_SN_VR}, 	PR_TRUE},
-     {CKM_SHA512_RSA_PKCS,	{RSA_MIN_MODULUS_BITS,CK_MAX,
-				 CKF_SN_VR}, 	PR_TRUE},
-     /* ------------------------- DSA Operations --------------------------- */
-     {CKM_DSA_KEY_PAIR_GEN,	{DSA_MIN_P_BITS, DSA_MAX_P_BITS,
-				 CKF_GENERATE_KEY_PAIR}, PR_TRUE},
-     {CKM_DSA,			{DSA_MIN_P_BITS, DSA_MAX_P_BITS, 
-				 CKF_SN_VR},              PR_TRUE},
-     {CKM_DSA_SHA1,		{DSA_MIN_P_BITS, DSA_MAX_P_BITS,
-				 CKF_SN_VR},              PR_TRUE},
-     /* -------------------- Diffie Hellman Operations --------------------- */
-     /* no diffie hellman yet */
-     {CKM_DH_PKCS_KEY_PAIR_GEN,	{DH_MIN_P_BITS, DH_MAX_P_BITS, 
-				 CKF_GENERATE_KEY_PAIR}, PR_TRUE}, 
-     {CKM_DH_PKCS_DERIVE,	{DH_MIN_P_BITS, DH_MAX_P_BITS,
-				 CKF_DERIVE}, 	PR_TRUE}, 
-#ifdef NSS_ENABLE_ECC
-     /* -------------------- Elliptic Curve Operations --------------------- */
-     {CKM_EC_KEY_PAIR_GEN,      {112, 571, CKF_GENERATE_KEY_PAIR|CKF_EC_BPNU}, PR_TRUE}, 
-     {CKM_ECDH1_DERIVE,         {112, 571, CKF_DERIVE|CKF_EC_BPNU}, PR_TRUE}, 
-     {CKM_ECDSA,                {112, 571, CKF_SN_VR|CKF_EC_BPNU}, PR_TRUE}, 
-     {CKM_ECDSA_SHA1,           {112, 571, CKF_SN_VR|CKF_EC_BPNU}, PR_TRUE}, 
-#endif /* NSS_ENABLE_ECC */
-     /* ------------------------- RC2 Operations --------------------------- */
-     {CKM_RC2_KEY_GEN,		{1, 128, CKF_GENERATE},		PR_TRUE},
-     {CKM_RC2_ECB,		{1, 128, CKF_EN_DE_WR_UN},	PR_TRUE},
-     {CKM_RC2_CBC,		{1, 128, CKF_EN_DE_WR_UN},	PR_TRUE},
-     {CKM_RC2_MAC,		{1, 128, CKF_SN_VR},		PR_TRUE},
-     {CKM_RC2_MAC_GENERAL,	{1, 128, CKF_SN_VR},		PR_TRUE},
-     {CKM_RC2_CBC_PAD,		{1, 128, CKF_EN_DE_WR_UN},	PR_TRUE},
-     /* ------------------------- RC4 Operations --------------------------- */
-     {CKM_RC4_KEY_GEN,		{1, 256, CKF_GENERATE},		PR_FALSE},
-     {CKM_RC4,			{1, 256, CKF_EN_DE_WR_UN},	PR_FALSE},
-     /* ------------------------- DES Operations --------------------------- */
-     {CKM_DES_KEY_GEN,		{ 8,  8, CKF_GENERATE},		PR_TRUE},
-     {CKM_DES_ECB,		{ 8,  8, CKF_EN_DE_WR_UN},	PR_TRUE},
-     {CKM_DES_CBC,		{ 8,  8, CKF_EN_DE_WR_UN},	PR_TRUE},
-     {CKM_DES_MAC,		{ 8,  8, CKF_SN_VR},		PR_TRUE},
-     {CKM_DES_MAC_GENERAL,	{ 8,  8, CKF_SN_VR},		PR_TRUE},
-     {CKM_DES_CBC_PAD,		{ 8,  8, CKF_EN_DE_WR_UN},	PR_TRUE},
-     {CKM_DES2_KEY_GEN,		{24, 24, CKF_GENERATE},		PR_TRUE},
-     {CKM_DES3_KEY_GEN,		{24, 24, CKF_GENERATE},		PR_TRUE },
-     {CKM_DES3_ECB,		{24, 24, CKF_EN_DE_WR_UN},	PR_TRUE },
-     {CKM_DES3_CBC,		{24, 24, CKF_EN_DE_WR_UN},	PR_TRUE },
-     {CKM_DES3_MAC,		{24, 24, CKF_SN_VR},		PR_TRUE },
-     {CKM_DES3_MAC_GENERAL,	{24, 24, CKF_SN_VR},		PR_TRUE },
-     {CKM_DES3_CBC_PAD,		{24, 24, CKF_EN_DE_WR_UN},	PR_TRUE },
-     /* ------------------------- CDMF Operations --------------------------- */
-     {CKM_CDMF_KEY_GEN,		{8,  8, CKF_GENERATE},		PR_TRUE},
-     {CKM_CDMF_ECB,		{8,  8, CKF_EN_DE_WR_UN},	PR_TRUE},
-     {CKM_CDMF_CBC,		{8,  8, CKF_EN_DE_WR_UN},	PR_TRUE},
-     {CKM_CDMF_MAC,		{8,  8, CKF_SN_VR},		PR_TRUE},
-     {CKM_CDMF_MAC_GENERAL,	{8,  8, CKF_SN_VR},		PR_TRUE},
-     {CKM_CDMF_CBC_PAD,		{8,  8, CKF_EN_DE_WR_UN},	PR_TRUE},
-     /* ------------------------- AES Operations --------------------------- */
-     {CKM_AES_KEY_GEN,		{16, 32, CKF_GENERATE},		PR_TRUE},
-     {CKM_AES_ECB,		{16, 32, CKF_EN_DE_WR_UN},	PR_TRUE},
-     {CKM_AES_CBC,		{16, 32, CKF_EN_DE_WR_UN},	PR_TRUE},
-     {CKM_AES_MAC,		{16, 32, CKF_SN_VR},		PR_TRUE},
-     {CKM_AES_MAC_GENERAL,	{16, 32, CKF_SN_VR},		PR_TRUE},
-     {CKM_AES_CBC_PAD,		{16, 32, CKF_EN_DE_WR_UN},	PR_TRUE},
-     /* ------------------------- Hashing Operations ----------------------- */
-     {CKM_MD2,			{0,   0, CKF_DIGEST},		PR_FALSE},
-     {CKM_MD2_HMAC,		{1, 128, CKF_SN_VR},		PR_TRUE},
-     {CKM_MD2_HMAC_GENERAL,	{1, 128, CKF_SN_VR},		PR_TRUE},
-     {CKM_MD5,			{0,   0, CKF_DIGEST},		PR_FALSE},
-     {CKM_MD5_HMAC,		{1, 128, CKF_SN_VR},		PR_TRUE},
-     {CKM_MD5_HMAC_GENERAL,	{1, 128, CKF_SN_VR},		PR_TRUE},
-     {CKM_SHA_1,		{0,   0, CKF_DIGEST},		PR_FALSE},
-     {CKM_SHA_1_HMAC,		{1, 128, CKF_SN_VR},		PR_TRUE},
-     {CKM_SHA_1_HMAC_GENERAL,	{1, 128, CKF_SN_VR},		PR_TRUE},
-     {CKM_SHA256,		{0,   0, CKF_DIGEST},		PR_FALSE},
-     {CKM_SHA256_HMAC,		{1, 128, CKF_SN_VR},		PR_TRUE},
-     {CKM_SHA256_HMAC_GENERAL,	{1, 128, CKF_SN_VR},		PR_TRUE},
-     {CKM_SHA384,		{0,   0, CKF_DIGEST},		PR_FALSE},
-     {CKM_SHA384_HMAC,		{1, 128, CKF_SN_VR},		PR_TRUE},
-     {CKM_SHA384_HMAC_GENERAL,	{1, 128, CKF_SN_VR},		PR_TRUE},
-     {CKM_SHA512,		{0,   0, CKF_DIGEST},		PR_FALSE},
-     {CKM_SHA512_HMAC,		{1, 128, CKF_SN_VR},		PR_TRUE},
-     {CKM_SHA512_HMAC_GENERAL,	{1, 128, CKF_SN_VR},		PR_TRUE},
-     {CKM_TLS_PRF_GENERAL,	{0, 512, CKF_SN_VR},		PR_FALSE},
-     /* ------------------------- CAST Operations --------------------------- */
-#ifdef NSS_SOFTOKEN_DOES_CAST
-     /* Cast operations are not supported ( yet? ) */
-     {CKM_CAST_KEY_GEN,		{1,  8, CKF_GENERATE},		PR_TRUE}, 
-     {CKM_CAST_ECB,		{1,  8, CKF_EN_DE_WR_UN},	PR_TRUE}, 
-     {CKM_CAST_CBC,		{1,  8, CKF_EN_DE_WR_UN},	PR_TRUE}, 
-     {CKM_CAST_MAC,		{1,  8, CKF_SN_VR},		PR_TRUE}, 
-     {CKM_CAST_MAC_GENERAL,	{1,  8, CKF_SN_VR},		PR_TRUE}, 
-     {CKM_CAST_CBC_PAD,		{1,  8, CKF_EN_DE_WR_UN},	PR_TRUE}, 
-     {CKM_CAST3_KEY_GEN,	{1, 16, CKF_GENERATE},		PR_TRUE}, 
-     {CKM_CAST3_ECB,		{1, 16, CKF_EN_DE_WR_UN},	PR_TRUE}, 
-     {CKM_CAST3_CBC,		{1, 16, CKF_EN_DE_WR_UN},	PR_TRUE}, 
-     {CKM_CAST3_MAC,		{1, 16, CKF_SN_VR},		PR_TRUE}, 
-     {CKM_CAST3_MAC_GENERAL,	{1, 16, CKF_SN_VR},		PR_TRUE}, 
-     {CKM_CAST3_CBC_PAD,	{1, 16, CKF_EN_DE_WR_UN},	PR_TRUE}, 
-     {CKM_CAST5_KEY_GEN,	{1, 16, CKF_GENERATE},		PR_TRUE}, 
-     {CKM_CAST5_ECB,		{1, 16, CKF_EN_DE_WR_UN},	PR_TRUE}, 
-     {CKM_CAST5_CBC,		{1, 16, CKF_EN_DE_WR_UN},	PR_TRUE}, 
-     {CKM_CAST5_MAC,		{1, 16, CKF_SN_VR},		PR_TRUE}, 
-     {CKM_CAST5_MAC_GENERAL,	{1, 16, CKF_SN_VR},		PR_TRUE}, 
-     {CKM_CAST5_CBC_PAD,	{1, 16, CKF_EN_DE_WR_UN},	PR_TRUE}, 
-#endif
-#if NSS_SOFTOKEN_DOES_RC5
-     /* ------------------------- RC5 Operations --------------------------- */
-     {CKM_RC5_KEY_GEN,		{1, 32, CKF_GENERATE},          PR_TRUE},
-     {CKM_RC5_ECB,		{1, 32, CKF_EN_DE_WR_UN},	PR_TRUE},
-     {CKM_RC5_CBC,		{1, 32, CKF_EN_DE_WR_UN},	PR_TRUE},
-     {CKM_RC5_MAC,		{1, 32, CKF_SN_VR},  		PR_TRUE},
-     {CKM_RC5_MAC_GENERAL,	{1, 32, CKF_SN_VR},  		PR_TRUE},
-     {CKM_RC5_CBC_PAD,		{1, 32, CKF_EN_DE_WR_UN}, 	PR_TRUE},
-#endif
-#ifdef NSS_SOFTOKEN_DOES_IDEA
-     /* ------------------------- IDEA Operations -------------------------- */
-     {CKM_IDEA_KEY_GEN,		{16, 16, CKF_GENERATE}, 	PR_TRUE}, 
-     {CKM_IDEA_ECB,		{16, 16, CKF_EN_DE_WR_UN},	PR_TRUE}, 
-     {CKM_IDEA_CBC,		{16, 16, CKF_EN_DE_WR_UN},	PR_TRUE}, 
-     {CKM_IDEA_MAC,		{16, 16, CKF_SN_VR},		PR_TRUE}, 
-     {CKM_IDEA_MAC_GENERAL,	{16, 16, CKF_SN_VR},		PR_TRUE}, 
-     {CKM_IDEA_CBC_PAD,		{16, 16, CKF_EN_DE_WR_UN}, 	PR_TRUE}, 
-#endif
-     /* --------------------- Secret Key Operations ------------------------ */
-     {CKM_GENERIC_SECRET_KEY_GEN,	{1, 32, CKF_GENERATE}, PR_TRUE}, 
-     {CKM_CONCATENATE_BASE_AND_KEY,	{1, 32, CKF_GENERATE}, PR_FALSE}, 
-     {CKM_CONCATENATE_BASE_AND_DATA,	{1, 32, CKF_GENERATE}, PR_FALSE}, 
-     {CKM_CONCATENATE_DATA_AND_BASE,	{1, 32, CKF_GENERATE}, PR_FALSE}, 
-     {CKM_XOR_BASE_AND_DATA,		{1, 32, CKF_GENERATE}, PR_FALSE}, 
-     {CKM_EXTRACT_KEY_FROM_KEY,		{1, 32, CKF_DERIVE},   PR_FALSE}, 
-     /* ---------------------- SSL Key Derivations ------------------------- */
-     {CKM_SSL3_PRE_MASTER_KEY_GEN,	{48, 48, CKF_GENERATE}, PR_FALSE}, 
-     {CKM_SSL3_MASTER_KEY_DERIVE,	{48, 48, CKF_DERIVE},   PR_FALSE}, 
-     {CKM_SSL3_MASTER_KEY_DERIVE_DH,	{8, 128, CKF_DERIVE},   PR_FALSE}, 
-     {CKM_SSL3_KEY_AND_MAC_DERIVE,	{48, 48, CKF_DERIVE},   PR_FALSE}, 
-     {CKM_SSL3_MD5_MAC,			{ 0, 16, CKF_DERIVE},   PR_FALSE}, 
-     {CKM_SSL3_SHA1_MAC,		{ 0, 20, CKF_DERIVE},   PR_FALSE}, 
-     {CKM_MD5_KEY_DERIVATION,		{ 0, 16, CKF_DERIVE},   PR_FALSE}, 
-     {CKM_MD2_KEY_DERIVATION,		{ 0, 16, CKF_DERIVE},   PR_FALSE}, 
-     {CKM_SHA1_KEY_DERIVATION,		{ 0, 20, CKF_DERIVE},   PR_FALSE}, 
-     {CKM_TLS_MASTER_KEY_DERIVE,	{48, 48, CKF_DERIVE},   PR_FALSE}, 
-     {CKM_TLS_MASTER_KEY_DERIVE_DH,	{8, 128, CKF_DERIVE},   PR_FALSE}, 
-     {CKM_TLS_KEY_AND_MAC_DERIVE,	{48, 48, CKF_DERIVE},   PR_FALSE}, 
-     /* ---------------------- PBE Key Derivations  ------------------------ */
-     {CKM_PBE_MD2_DES_CBC,		{8, 8, CKF_DERIVE},   PR_TRUE},
-     {CKM_PBE_MD5_DES_CBC,		{8, 8, CKF_DERIVE},   PR_TRUE},
-     /* ------------------ NETSCAPE PBE Key Derivations  ------------------- */
-     {CKM_NETSCAPE_PBE_SHA1_DES_CBC,	     { 8, 8, CKF_GENERATE}, PR_TRUE},
-     {CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC, {24,24, CKF_GENERATE}, PR_TRUE},
-     {CKM_PBE_SHA1_DES3_EDE_CBC,	     {24,24, CKF_GENERATE}, PR_TRUE},
-     {CKM_PBE_SHA1_DES2_EDE_CBC,	     {24,24, CKF_GENERATE}, PR_TRUE},
-     {CKM_PBE_SHA1_RC2_40_CBC,		     {40,40, CKF_GENERATE}, PR_TRUE},
-     {CKM_PBE_SHA1_RC2_128_CBC,		     {128,128, CKF_GENERATE}, PR_TRUE},
-     {CKM_PBE_SHA1_RC4_40,		     {40,40, CKF_GENERATE}, PR_TRUE},
-     {CKM_PBE_SHA1_RC4_128,		     {128,128, CKF_GENERATE}, PR_TRUE},
-     {CKM_PBA_SHA1_WITH_SHA1_HMAC,	     {20,20, CKF_GENERATE}, PR_TRUE},
-     {CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN,    {20,20, CKF_GENERATE}, PR_TRUE},
-     {CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN,     {16,16, CKF_GENERATE}, PR_TRUE},
-     {CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN,     {16,16, CKF_GENERATE}, PR_TRUE},
-     /* ------------------ AES Key Wrap (also encrypt)  ------------------- */
-     {CKM_NETSCAPE_AES_KEY_WRAP,	{16, 32, CKF_EN_DE_WR_UN},  PR_TRUE},
-     {CKM_NETSCAPE_AES_KEY_WRAP_PAD,	{16, 32, CKF_EN_DE_WR_UN},  PR_TRUE},
-};
-static const CK_ULONG mechanismCount = sizeof(mechanisms)/sizeof(mechanisms[0]);
-
-static char *
-sftk_setStringName(const char *inString, char *buffer, int buffer_length)
-{
-    int full_length, string_length;
-
-    full_length = buffer_length -1;
-    string_length = PORT_Strlen(inString);
-    /* 
-     *  shorten the string, respecting utf8 encoding
-     *  to do so, we work backward from the end 
-     *  bytes looking from the end are either:
-     *    - ascii [0x00,0x7f]
-     *    - the [2-n]th byte of a multibyte sequence 
-     *        [0x3F,0xBF], i.e, most significant 2 bits are '10'
-     *    - the first byte of a multibyte sequence [0xC0,0xFD],
-     *        i.e, most significant 2 bits are '11'
-     *
-     *    When the string is too long, we lop off any trailing '10' bytes,
-     *  if any. When these are all eliminated we lop off
-     *  one additional byte. Thus if we lopped any '10'
-     *  we'll be lopping a '11' byte (the first byte of the multibyte sequence),
-     *  otherwise we're lopping off an ascii character.
-     *
-     *    To test for '10' bytes, we first AND it with 
-     *  11000000 (0xc0) so that we get 10000000 (0x80) if and only if
-     *  the byte starts with 10. We test for equality.
-     */
-    while ( string_length > full_length ) {
-	/* need to shorten */
-	while ( string_length > 0 && 
-	      ((inString[string_length-1]&(char)0xc0) == (char)0x80)) {
-	    /* lop off '10' byte */
-	    string_length--;
-	}
-	/* 
-	 * test string_length in case bad data is received
-	 * and string consisted of all '10' bytes,
-	 * avoiding any infinite loop
-         */
-	if ( string_length ) {
-	    /* remove either '11' byte or an asci byte */
-	    string_length--;
-	}
-    }
-    PORT_Memset(buffer,' ',full_length);
-    buffer[full_length] = 0;
-    PORT_Memcpy(buffer,inString,string_length);
-    return buffer;
-}
-/*
- * Configuration utils
- */
-static CK_RV
-sftk_configure(const char *man, const char *libdes)
-{
-
-    /* make sure the internationalization was done correctly... */
-    if (man) {
-	manufacturerID = sftk_setStringName(man,manufacturerID_space,
-						sizeof(manufacturerID_space));
-    }
-    if (libdes) {
-	libraryDescription = sftk_setStringName(libdes,
-		libraryDescription_space, sizeof(libraryDescription_space));
-    }
-
-    return CKR_OK;
-}
-
-/*
- * ******************** Password Utilities *******************************
- */
-
-/*
- * see if the key DB password is enabled
- */
-static PRBool
-sftk_hasNullPassword(NSSLOWKEYDBHandle *keydb,SECItem **pwitem)
-{
-    PRBool pwenabled;
-    
-    pwenabled = PR_FALSE;
-    *pwitem = NULL;
-    if (nsslowkey_HasKeyDBPassword (keydb) == SECSuccess) {
-	*pwitem = nsslowkey_HashPassword("", keydb->global_salt);
-	if ( *pwitem ) {
-	    if (nsslowkey_CheckKeyDBPassword (keydb, *pwitem) == SECSuccess) {
-		pwenabled = PR_TRUE;
-	    } else {
-	    	SECITEM_ZfreeItem(*pwitem, PR_TRUE);
-		*pwitem = NULL;
-	    }
-	}
-    }
-
-    return pwenabled;
-}
-
-/*
- * ******************** Object Creation Utilities ***************************
- */
-
-
-/* Make sure a given attribute exists. If it doesn't, initialize it to
- * value and len
- */
-CK_RV
-sftk_defaultAttribute(SFTKObject *object,CK_ATTRIBUTE_TYPE type,void *value,
-							unsigned int len)
-{
-    if ( !sftk_hasAttribute(object, type)) {
-	return sftk_AddAttributeType(object,type,value,len);
-    }
-    return CKR_OK;
-}
-
-/*
- * check the consistancy and initialize a Data Object 
- */
-static CK_RV
-sftk_handleDataObject(SFTKSession *session,SFTKObject *object)
-{
-    CK_RV crv;
-
-    /* first reject private and token data objects */
-    if (sftk_isTrue(object,CKA_PRIVATE) || sftk_isTrue(object,CKA_TOKEN)) {
-	return CKR_ATTRIBUTE_VALUE_INVALID;
-    }
-
-    /* now just verify the required date fields */
-    crv = sftk_defaultAttribute(object,CKA_APPLICATION,NULL,0);
-    if (crv != CKR_OK) return crv;
-    crv = sftk_defaultAttribute(object,CKA_VALUE,NULL,0);
-    if (crv != CKR_OK) return crv;
-
-    return CKR_OK;
-}
-
-/*
- * check the consistancy and initialize a Certificate Object 
- */
-static CK_RV
-sftk_handleCertObject(SFTKSession *session,SFTKObject *object)
-{
-    CK_CERTIFICATE_TYPE type;
-    SFTKAttribute *attribute;
-    CK_RV crv;
-
-    /* certificates must have a type */
-    if ( !sftk_hasAttribute(object,CKA_CERTIFICATE_TYPE) ) {
-	return CKR_TEMPLATE_INCOMPLETE;
-    }
-
-    /* we can't store any certs private */
-    if (sftk_isTrue(object,CKA_PRIVATE)) {
-	return CKR_ATTRIBUTE_VALUE_INVALID;
-    }
-	
-    /* We only support X.509 Certs for now */
-    attribute = sftk_FindAttribute(object,CKA_CERTIFICATE_TYPE);
-    if (attribute == NULL) return CKR_TEMPLATE_INCOMPLETE;
-    type = *(CK_CERTIFICATE_TYPE *)attribute->attrib.pValue;
-    sftk_FreeAttribute(attribute);
-
-    if (type != CKC_X_509) {
-	return CKR_ATTRIBUTE_VALUE_INVALID;
-    }
-
-    /* X.509 Certificate */
-
-    /* make sure we have a cert */
-    if ( !sftk_hasAttribute(object,CKA_VALUE) ) {
-	return CKR_TEMPLATE_INCOMPLETE;
-    }
-
-    /* in PKCS #11, Subject is a required field */
-    if ( !sftk_hasAttribute(object,CKA_SUBJECT) ) {
-	return CKR_TEMPLATE_INCOMPLETE;
-    }
-
-    /* in PKCS #11, Issuer is a required field */
-    if ( !sftk_hasAttribute(object,CKA_ISSUER) ) {
-	return CKR_TEMPLATE_INCOMPLETE;
-    }
-
-    /* in PKCS #11, Serial is a required field */
-    if ( !sftk_hasAttribute(object,CKA_SERIAL_NUMBER) ) {
-	return CKR_TEMPLATE_INCOMPLETE;
-    }
-
-    /* add it to the object */
-    object->objectInfo = NULL;
-    object->infoFree = (SFTKFree) NULL;
-    
-    /* now just verify the required date fields */
-    crv = sftk_defaultAttribute(object, CKA_ID, NULL, 0);
-    if (crv != CKR_OK) { return crv; }
-
-    if (sftk_isTrue(object,CKA_TOKEN)) {
-	SFTKSlot *slot = session->slot;
-	SECItem derCert;
-	NSSLOWCERTCertificate *cert;
- 	NSSLOWCERTCertTrust *trust = NULL;
- 	NSSLOWCERTCertTrust userTrust = 
-		{ CERTDB_USER, CERTDB_USER, CERTDB_USER };
- 	NSSLOWCERTCertTrust defTrust = 
-		{ CERTDB_TRUSTED_UNKNOWN, 
-			CERTDB_TRUSTED_UNKNOWN, CERTDB_TRUSTED_UNKNOWN };
-	char *label = NULL;
-	char *email = NULL;
-	SECStatus rv;
-	PRBool inDB = PR_TRUE;
-	NSSLOWCERTCertDBHandle *certHandle = sftk_getCertDB(slot);
-	NSSLOWKEYDBHandle *keyHandle = NULL;
-
-	if (certHandle == NULL) {
-	    return CKR_TOKEN_WRITE_PROTECTED;
-	}
-
-	/* get the der cert */ 
-	attribute = sftk_FindAttribute(object,CKA_VALUE);
-	PORT_Assert(attribute);
-
-	derCert.type = 0;
-	derCert.data = (unsigned char *)attribute->attrib.pValue;
-	derCert.len = attribute->attrib.ulValueLen ;
-
-	label = sftk_getString(object,CKA_LABEL);
-
-	cert =  nsslowcert_FindCertByDERCert(certHandle, &derCert);
-	if (cert == NULL) {
-	    cert = nsslowcert_DecodeDERCertificate(&derCert, label);
-	    inDB = PR_FALSE;
-	}
-	if (cert == NULL) {
-	    if (label) PORT_Free(label);
-    	    sftk_FreeAttribute(attribute);
-	    sftk_freeCertDB(certHandle);
-	    return CKR_ATTRIBUTE_VALUE_INVALID;
-	}
-
-	keyHandle = sftk_getKeyDB(slot);
-	if (keyHandle) {
-	    if (nsslowkey_KeyForCertExists(keyHandle,cert)) {
-		trust = &userTrust;
-	    }
-	    sftk_freeKeyDB(keyHandle);
-	}
-
-	if (!inDB) {
-	    if (!trust) trust = &defTrust;
-	    rv = nsslowcert_AddPermCert(certHandle, cert, label, trust);
-	} else {
-	    rv = trust ? nsslowcert_ChangeCertTrust(certHandle,cert,trust) :
-				SECSuccess;
-	}
-
-	if (label) PORT_Free(label);
-	sftk_FreeAttribute(attribute);
-
-	if (rv != SECSuccess) {
-	    sftk_freeCertDB(certHandle);
-	    nsslowcert_DestroyCertificate(cert);
-	    return CKR_DEVICE_ERROR;
-	}
-
-	/*
-	 * Add a NULL S/MIME profile if necessary.
-	 */
-	email = sftk_getString(object,CKA_NETSCAPE_EMAIL);
-	if (email) {
-	    certDBEntrySMime *entry;
-
-	    entry = nsslowcert_ReadDBSMimeEntry(certHandle,email);
-	    if (!entry) {
-	    	nsslowcert_SaveSMimeProfile(certHandle, email, 
-						&cert->derSubject, NULL, NULL);
-	    } else {
-		 nsslowcert_DestroyDBEntry((certDBEntry *)entry);
-	    }
-	    PORT_Free(email);
-	}
-	sftk_freeCertDB(certHandle);
-	object->handle=sftk_mkHandle(slot,&cert->certKey,SFTK_TOKEN_TYPE_CERT);
-	nsslowcert_DestroyCertificate(cert);
-    }
-
-    return CKR_OK;
-}
-
-unsigned int
-sftk_MapTrust(CK_TRUST trust, PRBool clientAuth)
-{
-    unsigned int trustCA = clientAuth ? CERTDB_TRUSTED_CLIENT_CA :
-							CERTDB_TRUSTED_CA;
-    switch (trust) {
-    case CKT_NETSCAPE_TRUSTED:
-	return CERTDB_VALID_PEER|CERTDB_TRUSTED;
-    case CKT_NETSCAPE_TRUSTED_DELEGATOR:
-	return CERTDB_VALID_CA|trustCA;
-    case CKT_NETSCAPE_UNTRUSTED:
-	return CERTDB_NOT_TRUSTED;
-    case CKT_NETSCAPE_MUST_VERIFY:
-	return 0;
-    case CKT_NETSCAPE_VALID: /* implies must verify */
-	return CERTDB_VALID_PEER;
-    case CKT_NETSCAPE_VALID_DELEGATOR: /* implies must verify */
-	return CERTDB_VALID_CA;
-    default:
-	break;
-    }
-    return CERTDB_TRUSTED_UNKNOWN;
-}
-    
-	
-/*
- * check the consistancy and initialize a Trust Object 
- */
-static CK_RV
-sftk_handleTrustObject(SFTKSession *session,SFTKObject *object)
-{
-    NSSLOWCERTIssuerAndSN issuerSN;
-
-    /* we can't store any certs private */
-    if (sftk_isTrue(object,CKA_PRIVATE)) {
-	return CKR_ATTRIBUTE_VALUE_INVALID;
-    }
-
-    /* certificates must have a type */
-    if ( !sftk_hasAttribute(object,CKA_ISSUER) ) {
-	return CKR_TEMPLATE_INCOMPLETE;
-    }
-    if ( !sftk_hasAttribute(object,CKA_SERIAL_NUMBER) ) {
-	return CKR_TEMPLATE_INCOMPLETE;
-    }
-    if ( !sftk_hasAttribute(object,CKA_CERT_SHA1_HASH) ) {
-	return CKR_TEMPLATE_INCOMPLETE;
-    }
-    if ( !sftk_hasAttribute(object,CKA_CERT_MD5_HASH) ) {
-	return CKR_TEMPLATE_INCOMPLETE;
-    }
-
-    if (sftk_isTrue(object,CKA_TOKEN)) {
-	SFTKSlot *slot = session->slot;
-	SFTKAttribute *issuer = NULL;
-	SFTKAttribute *serial = NULL;
-	NSSLOWCERTCertificate *cert = NULL;
-	SFTKAttribute *trust;
-        CK_TRUST sslTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
-        CK_TRUST clientTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
-        CK_TRUST emailTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
-        CK_TRUST signTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
-	CK_BBOOL stepUp;
- 	NSSLOWCERTCertTrust dbTrust = { 0 };
-	SECStatus rv;
-	NSSLOWCERTCertDBHandle *certHandle = sftk_getCertDB(slot);
-
-	if (certHandle == NULL) {
-	    return CKR_TOKEN_WRITE_PROTECTED;
-	}
-
-	issuer = sftk_FindAttribute(object,CKA_ISSUER);
-	PORT_Assert(issuer);
-	issuerSN.derIssuer.data = (unsigned char *)issuer->attrib.pValue;
-	issuerSN.derIssuer.len = issuer->attrib.ulValueLen ;
-
-	serial = sftk_FindAttribute(object,CKA_SERIAL_NUMBER);
-	PORT_Assert(serial);
-	issuerSN.serialNumber.data = (unsigned char *)serial->attrib.pValue;
-	issuerSN.serialNumber.len = serial->attrib.ulValueLen ;
-
-	cert = nsslowcert_FindCertByIssuerAndSN(certHandle,&issuerSN);
-	sftk_FreeAttribute(serial);
-	sftk_FreeAttribute(issuer);
-
-	if (cert == NULL) {
-	    sftk_freeCertDB(certHandle);
-	    return CKR_ATTRIBUTE_VALUE_INVALID;
-	}
-	
-	trust = sftk_FindAttribute(object,CKA_TRUST_SERVER_AUTH);
-	if (trust) {
-	    if (trust->attrib.ulValueLen == sizeof(CK_TRUST)) {
-		PORT_Memcpy(&sslTrust,trust->attrib.pValue, sizeof(sslTrust));
-	    }
-	    sftk_FreeAttribute(trust);
-	}
-	trust = sftk_FindAttribute(object,CKA_TRUST_CLIENT_AUTH);
-	if (trust) {
-	    if (trust->attrib.ulValueLen == sizeof(CK_TRUST)) {
-		PORT_Memcpy(&clientTrust,trust->attrib.pValue,
-							 sizeof(clientTrust));
-	    }
-	    sftk_FreeAttribute(trust);
-	}
-	trust = sftk_FindAttribute(object,CKA_TRUST_EMAIL_PROTECTION);
-	if (trust) {
-	    if (trust->attrib.ulValueLen == sizeof(CK_TRUST)) {
-		PORT_Memcpy(&emailTrust,trust->attrib.pValue,
-							sizeof(emailTrust));
-	    }
-	    sftk_FreeAttribute(trust);
-	}
-	trust = sftk_FindAttribute(object,CKA_TRUST_CODE_SIGNING);
-	if (trust) {
-	    if (trust->attrib.ulValueLen == sizeof(CK_TRUST)) {
-		PORT_Memcpy(&signTrust,trust->attrib.pValue,
-							sizeof(signTrust));
-	    }
-	    sftk_FreeAttribute(trust);
-	}
-	stepUp = CK_FALSE;
-	trust = sftk_FindAttribute(object,CKA_TRUST_STEP_UP_APPROVED);
-	if (trust) {
-	    if (trust->attrib.ulValueLen == sizeof(CK_BBOOL)) {
-		stepUp = *(CK_BBOOL*)trust->attrib.pValue;
-	    }
-	    sftk_FreeAttribute(trust);
-	}
-
-	/* preserve certain old fields */
-	if (cert->trust) {
-	    dbTrust.sslFlags =
-			  cert->trust->sslFlags & CERTDB_PRESERVE_TRUST_BITS;
-	    dbTrust.emailFlags=
-			cert->trust->emailFlags & CERTDB_PRESERVE_TRUST_BITS;
-	    dbTrust.objectSigningFlags = 
-		cert->trust->objectSigningFlags & CERTDB_PRESERVE_TRUST_BITS;
-	}
-
-	dbTrust.sslFlags |= sftk_MapTrust(sslTrust,PR_FALSE);
-	dbTrust.sslFlags |= sftk_MapTrust(clientTrust,PR_TRUE);
-	dbTrust.emailFlags |= sftk_MapTrust(emailTrust,PR_FALSE);
-	dbTrust.objectSigningFlags |= sftk_MapTrust(signTrust,PR_FALSE);
-	if (stepUp) {
-	    dbTrust.sslFlags |= CERTDB_GOVT_APPROVED_CA;
-	}
-
-	rv = nsslowcert_ChangeCertTrust(certHandle,cert,&dbTrust);
-	object->handle=sftk_mkHandle(slot,&cert->certKey,SFTK_TOKEN_TYPE_TRUST);
-	nsslowcert_DestroyCertificate(cert);
-	sftk_freeCertDB(certHandle);
-	if (rv != SECSuccess) {
-	   return CKR_DEVICE_ERROR;
-	}
-    }
-
-    return CKR_OK;
-}
-
-/*
- * check the consistancy and initialize a Trust Object 
- */
-static CK_RV
-sftk_handleSMimeObject(SFTKSession *session,SFTKObject *object)
-{
-
-    /* we can't store any certs private */
-    if (sftk_isTrue(object,CKA_PRIVATE)) {
-	return CKR_ATTRIBUTE_VALUE_INVALID;
-    }
-
-    /* certificates must have a type */
-    if ( !sftk_hasAttribute(object,CKA_SUBJECT) ) {
-	return CKR_TEMPLATE_INCOMPLETE;
-    }
-    if ( !sftk_hasAttribute(object,CKA_NETSCAPE_EMAIL) ) {
-	return CKR_TEMPLATE_INCOMPLETE;
-    }
-
-    if (sftk_isTrue(object,CKA_TOKEN)) {
-	SFTKSlot *slot = session->slot;
-	SECItem derSubj,rawProfile,rawTime,emailKey;
-	SECItem *pRawProfile = NULL;
-	SECItem *pRawTime = NULL;
-	char *email = NULL;
-    	SFTKAttribute *subject,*profile,*time;
-	SECStatus rv;
-	NSSLOWCERTCertDBHandle *certHandle;
-
-	PORT_Assert(slot);
-	certHandle = sftk_getCertDB(slot);
-
-	if (certHandle == NULL) {
-	    return CKR_TOKEN_WRITE_PROTECTED;
-	}
-
-	/* lookup SUBJECT */
-	subject = sftk_FindAttribute(object,CKA_SUBJECT);
-	PORT_Assert(subject);
-	derSubj.data = (unsigned char *)subject->attrib.pValue;
-	derSubj.len = subject->attrib.ulValueLen ;
-	derSubj.type = 0;
-
-	/* lookup VALUE */
-	profile = sftk_FindAttribute(object,CKA_VALUE);
-	if (profile) {
-	    rawProfile.data = (unsigned char *)profile->attrib.pValue;
-	    rawProfile.len = profile->attrib.ulValueLen ;
-	    rawProfile.type = siBuffer;
-	    pRawProfile = &rawProfile;
-	}
-
-	/* lookup Time */
-	time = sftk_FindAttribute(object,CKA_NETSCAPE_SMIME_TIMESTAMP);
-	if (time) {
-	    rawTime.data = (unsigned char *)time->attrib.pValue;
-	    rawTime.len = time->attrib.ulValueLen ;
-	    rawTime.type = siBuffer;
-	    pRawTime = &rawTime;
-	}
-
-
-	email = sftk_getString(object,CKA_NETSCAPE_EMAIL);
-
-	/* Store CRL by SUBJECT */
-	rv = nsslowcert_SaveSMimeProfile(certHandle, email, &derSubj, 
-				pRawProfile,pRawTime);
-	sftk_freeCertDB(certHandle);
-    	sftk_FreeAttribute(subject);
-    	if (profile) sftk_FreeAttribute(profile);
-    	if (time) sftk_FreeAttribute(time);
-	if (rv != SECSuccess) {
-    	    PORT_Free(email);
-	    return CKR_DEVICE_ERROR;
-	}
-	emailKey.data = (unsigned char *)email;
-	emailKey.len = PORT_Strlen(email)+1;
-
-	object->handle = sftk_mkHandle(slot, &emailKey, SFTK_TOKEN_TYPE_SMIME);
-    	PORT_Free(email);
-    }
-
-    return CKR_OK;
-}
-
-/*
- * check the consistancy and initialize a Trust Object 
- */
-static CK_RV
-sftk_handleCrlObject(SFTKSession *session,SFTKObject *object)
-{
-
-    /* we can't store any certs private */
-    if (sftk_isTrue(object,CKA_PRIVATE)) {
-	return CKR_ATTRIBUTE_VALUE_INVALID;
-    }
-
-    /* certificates must have a type */
-    if ( !sftk_hasAttribute(object,CKA_SUBJECT) ) {
-	return CKR_TEMPLATE_INCOMPLETE;
-    }
-    if ( !sftk_hasAttribute(object,CKA_VALUE) ) {
-	return CKR_TEMPLATE_INCOMPLETE;
-    }
-
-    if (sftk_isTrue(object,CKA_TOKEN)) {
-	SFTKSlot *slot = session->slot;
-	PRBool isKRL = PR_FALSE;
-	SECItem derSubj,derCrl;
-	char *url = NULL;
-    	SFTKAttribute *subject,*crl;
-	SECStatus rv;
-	NSSLOWCERTCertDBHandle *certHandle;
-
-	PORT_Assert(slot);
-	certHandle = sftk_getCertDB(slot);
-
-	if (certHandle == NULL) {
-	    return CKR_TOKEN_WRITE_PROTECTED;
-	}
-
-	/* lookup SUBJECT */
-	subject = sftk_FindAttribute(object,CKA_SUBJECT);
-	PORT_Assert(subject);
-	derSubj.data = (unsigned char *)subject->attrib.pValue;
-	derSubj.len = subject->attrib.ulValueLen ;
-
-	/* lookup VALUE */
-	crl = sftk_FindAttribute(object,CKA_VALUE);
-	PORT_Assert(crl);
-	derCrl.data = (unsigned char *)crl->attrib.pValue;
-	derCrl.len = crl->attrib.ulValueLen ;
-
-
-	url = sftk_getString(object,CKA_NETSCAPE_URL);
-	isKRL = sftk_isTrue(object,CKA_NETSCAPE_KRL);
-
-	/* Store CRL by SUBJECT */
-	rv = nsslowcert_AddCrl(certHandle, &derCrl, &derSubj, url, isKRL);
-	sftk_freeCertDB(certHandle);
-
-	if (url) {
-	    PORT_Free(url);
-	}
-    	sftk_FreeAttribute(crl);
-	if (rv != SECSuccess) {
-    	    sftk_FreeAttribute(subject);
-	    return CKR_DEVICE_ERROR;
-	}
-
-	/* if we overwrote the existing CRL, poison the handle entry so we get
-	 * a new object handle */
-	(void) sftk_poisonHandle(slot, &derSubj,
-			isKRL ? SFTK_TOKEN_KRL_HANDLE : SFTK_TOKEN_TYPE_CRL);
-	object->handle = sftk_mkHandle(slot, &derSubj,
-			isKRL ? SFTK_TOKEN_KRL_HANDLE : SFTK_TOKEN_TYPE_CRL);
-    	sftk_FreeAttribute(subject);
-    }
-
-    return CKR_OK;
-}
-
-/*
- * check the consistancy and initialize a Public Key Object 
- */
-static CK_RV
-sftk_handlePublicKeyObject(SFTKSession *session, SFTKObject *object,
-							 CK_KEY_TYPE key_type)
-{
-    CK_BBOOL encrypt = CK_TRUE;
-    CK_BBOOL recover = CK_TRUE;
-    CK_BBOOL wrap = CK_TRUE;
-    CK_BBOOL derive = CK_FALSE;
-    CK_BBOOL verify = CK_TRUE;
-    CK_ATTRIBUTE_TYPE pubKeyAttr = CKA_VALUE;
-    CK_RV crv;
-
-    switch (key_type) {
-    case CKK_RSA:
-	crv = sftk_ConstrainAttribute(object, CKA_MODULUS,
-						 RSA_MIN_MODULUS_BITS, 0, 0);
-	if (crv != CKR_OK) {
-	    return crv;
-	}
-	crv = sftk_ConstrainAttribute(object, CKA_PUBLIC_EXPONENT, 2, 0, 0);
-	if (crv != CKR_OK) {
-	    return crv;
-	}
-	pubKeyAttr = CKA_MODULUS;
-	break;
-    case CKK_DSA:
-	crv = sftk_ConstrainAttribute(object, CKA_SUBPRIME, 
-						DSA_Q_BITS, DSA_Q_BITS, 0);
-	if (crv != CKR_OK) {
-	    return crv;
-	}
-	crv = sftk_ConstrainAttribute(object, CKA_PRIME, 
-					DSA_MIN_P_BITS, DSA_MAX_P_BITS, 64);
-	if (crv != CKR_OK) {
-	    return crv;
-	}
-	crv = sftk_ConstrainAttribute(object, CKA_BASE, 1, DSA_MAX_P_BITS, 0);
-	if (crv != CKR_OK) {
-	    return crv;
-	}
-	crv = sftk_ConstrainAttribute(object, CKA_VALUE, 1, DSA_MAX_P_BITS, 0);
-	if (crv != CKR_OK) {
-	    return crv;
-	}
-	encrypt = CK_FALSE;
-	recover = CK_FALSE;
-	wrap = CK_FALSE;
-	break;
-    case CKK_DH:
-	crv = sftk_ConstrainAttribute(object, CKA_PRIME, 
-					DH_MIN_P_BITS, DH_MAX_P_BITS, 0);
-	if (crv != CKR_OK) {
-	    return crv;
-	}
-	crv = sftk_ConstrainAttribute(object, CKA_BASE, 1, DH_MAX_P_BITS, 0);
-	if (crv != CKR_OK) {
-	    return crv;
-	}
-	crv = sftk_ConstrainAttribute(object, CKA_VALUE, 1, DH_MAX_P_BITS, 0);
-	if (crv != CKR_OK) {
-	    return crv;
-	}
-	verify = CK_FALSE;
-	derive = CK_TRUE;
-	encrypt = CK_FALSE;
-	recover = CK_FALSE;
-	wrap = CK_FALSE;
-	break;
-#ifdef NSS_ENABLE_ECC
-    case CKK_EC:
-	if ( !sftk_hasAttribute(object, CKA_EC_PARAMS)) {
-	    return CKR_TEMPLATE_INCOMPLETE;
-	}
-	if ( !sftk_hasAttribute(object, CKA_EC_POINT)) {
-	    return CKR_TEMPLATE_INCOMPLETE;
-	}
-	pubKeyAttr = CKA_EC_POINT;
-	derive = CK_TRUE;    /* for ECDH */
-	verify = CK_TRUE;    /* for ECDSA */
-	encrypt = CK_FALSE;
-	recover = CK_FALSE;
-	wrap = CK_FALSE;
-	break;
-#endif /* NSS_ENABLE_ECC */
-    default:
-	return CKR_ATTRIBUTE_VALUE_INVALID;
-    }
-
-    /* make sure the required fields exist */
-    crv = sftk_defaultAttribute(object,CKA_SUBJECT,NULL,0);
-    if (crv != CKR_OK)  return crv; 
-    crv = sftk_defaultAttribute(object,CKA_ENCRYPT,&encrypt,sizeof(CK_BBOOL));
-    if (crv != CKR_OK)  return crv; 
-    crv = sftk_defaultAttribute(object,CKA_VERIFY,&verify,sizeof(CK_BBOOL));
-    if (crv != CKR_OK)  return crv; 
-    crv = sftk_defaultAttribute(object,CKA_VERIFY_RECOVER,
-						&recover,sizeof(CK_BBOOL));
-    if (crv != CKR_OK)  return crv; 
-    crv = sftk_defaultAttribute(object,CKA_WRAP,&wrap,sizeof(CK_BBOOL));
-    if (crv != CKR_OK)  return crv; 
-    crv = sftk_defaultAttribute(object,CKA_DERIVE,&derive,sizeof(CK_BBOOL));
-    if (crv != CKR_OK)  return crv; 
-
-    object->objectInfo = sftk_GetPubKey(object,key_type, &crv);
-    if (object->objectInfo == NULL) {
-	return crv;
-    }
-    object->infoFree = (SFTKFree) nsslowkey_DestroyPublicKey;
-
-    if (sftk_isTrue(object,CKA_TOKEN)) {
-	SFTKSlot *slot = session->slot;
-	NSSLOWKEYPrivateKey *priv;
-	SECItem pubKey;
-	NSSLOWKEYDBHandle *keyHandle = NULL;
-
-	crv = sftk_Attribute2SSecItem(NULL,&pubKey,object,pubKeyAttr);
-	if (crv != CKR_OK) return crv;
-
-	PORT_Assert(pubKey.data);
-	keyHandle = sftk_getKeyDB(slot);
-	if (keyHandle == NULL) {
-	    PORT_Free(pubKey.data);
-	    return CKR_TOKEN_WRITE_PROTECTED;
-	}
-	if (keyHandle->version != 3) {
-	    unsigned char buf[SHA1_LENGTH];
-	    SHA1_HashBuf(buf,pubKey.data,pubKey.len);
-	    PORT_Memcpy(pubKey.data,buf,sizeof(buf));
-	    pubKey.len = sizeof(buf);
-	}
-	/* make sure the associated private key already exists */
-	/* only works if we are logged in */
-	priv = nsslowkey_FindKeyByPublicKey(keyHandle, &pubKey, slot->password);
-	sftk_freeKeyDB(keyHandle);
-	if (priv == NULL) {
-	    PORT_Free(pubKey.data);
-	    return crv;
-	}
-	nsslowkey_DestroyPrivateKey(priv);
-
-	object->handle = sftk_mkHandle(slot, &pubKey, SFTK_TOKEN_TYPE_PUB);
-	PORT_Free(pubKey.data);
-    }
-
-    return CKR_OK;
-}
-
-static NSSLOWKEYPrivateKey * 
-sftk_mkPrivKey(SFTKObject *object,CK_KEY_TYPE key, CK_RV *rvp);
-
-/*
- * check the consistancy and initialize a Private Key Object 
- */
-static CK_RV
-sftk_handlePrivateKeyObject(SFTKSession *session,SFTKObject *object,CK_KEY_TYPE key_type)
-{
-    CK_BBOOL cktrue = CK_TRUE;
-    CK_BBOOL encrypt = CK_TRUE;
-    CK_BBOOL recover = CK_TRUE;
-    CK_BBOOL wrap = CK_TRUE;
-    CK_BBOOL derive = CK_FALSE;
-    CK_BBOOL ckfalse = CK_FALSE;
-    SECItem mod;
-    CK_RV crv;
-
-    switch (key_type) {
-    case CKK_RSA:
-	if ( !sftk_hasAttribute(object, CKA_MODULUS)) {
-	    return CKR_TEMPLATE_INCOMPLETE;
-	}
-	if ( !sftk_hasAttribute(object, CKA_PUBLIC_EXPONENT)) {
-	    return CKR_TEMPLATE_INCOMPLETE;
-	}
-	if ( !sftk_hasAttribute(object, CKA_PRIVATE_EXPONENT)) {
-	    return CKR_TEMPLATE_INCOMPLETE;
-	}
-	if ( !sftk_hasAttribute(object, CKA_PRIME_1)) {
-	    return CKR_TEMPLATE_INCOMPLETE;
-	}
-	if ( !sftk_hasAttribute(object, CKA_PRIME_2)) {
-	    return CKR_TEMPLATE_INCOMPLETE;
-	}
-	if ( !sftk_hasAttribute(object, CKA_EXPONENT_1)) {
-	    return CKR_TEMPLATE_INCOMPLETE;
-	}
-	if ( !sftk_hasAttribute(object, CKA_EXPONENT_2)) {
-	    return CKR_TEMPLATE_INCOMPLETE;
-	}
-	if ( !sftk_hasAttribute(object, CKA_COEFFICIENT)) {
-	    return CKR_TEMPLATE_INCOMPLETE;
-	}
-	/* make sure Netscape DB attribute is set correctly */
-	crv = sftk_Attribute2SSecItem(NULL, &mod, object, CKA_MODULUS);
-	if (crv != CKR_OK) return crv;
-	crv = sftk_forceAttribute(object, CKA_NETSCAPE_DB, 
-						sftk_item_expand(&mod));
-	if (mod.data) PORT_Free(mod.data);
-	if (crv != CKR_OK) return crv;
-	
-	break;
-    case CKK_DSA:
-	if ( !sftk_hasAttribute(object, CKA_SUBPRIME)) {
-	    return CKR_TEMPLATE_INCOMPLETE;
-	}
-	if ( !sftk_hasAttribute(object, CKA_NETSCAPE_DB)) {
-	    return CKR_TEMPLATE_INCOMPLETE;
-	}
-	/* fall through */
-    case CKK_DH:
-	if ( !sftk_hasAttribute(object, CKA_PRIME)) {
-	    return CKR_TEMPLATE_INCOMPLETE;
-	}
-	if ( !sftk_hasAttribute(object, CKA_BASE)) {
-	    return CKR_TEMPLATE_INCOMPLETE;
-	}
-	if ( !sftk_hasAttribute(object, CKA_VALUE)) {
-	    return CKR_TEMPLATE_INCOMPLETE;
-	}
-	encrypt = CK_FALSE;
-	recover = CK_FALSE;
-	wrap = CK_FALSE;
-	break;
-#ifdef NSS_ENABLE_ECC
-    case CKK_EC:
-	if ( !sftk_hasAttribute(object, CKA_EC_PARAMS)) {
-	    return CKR_TEMPLATE_INCOMPLETE;
-	}
-	if ( !sftk_hasAttribute(object, CKA_VALUE)) {
-	    return CKR_TEMPLATE_INCOMPLETE;
-	}
-	if ( !sftk_hasAttribute(object, CKA_NETSCAPE_DB)) {
-	    return CKR_TEMPLATE_INCOMPLETE;
-	}
-	encrypt = CK_FALSE;
-	recover = CK_FALSE;
-	wrap = CK_FALSE;
-	derive = CK_TRUE;
-	break;
-#endif /* NSS_ENABLE_ECC */
-    default:
-	return CKR_ATTRIBUTE_VALUE_INVALID;
-    }
-    crv = sftk_defaultAttribute(object,CKA_SUBJECT,NULL,0);
-    if (crv != CKR_OK)  return crv; 
-    crv = sftk_defaultAttribute(object,CKA_SENSITIVE,&cktrue,sizeof(CK_BBOOL));
-    if (crv != CKR_OK)  return crv; 
-    crv = sftk_defaultAttribute(object,CKA_EXTRACTABLE,&cktrue,sizeof(CK_BBOOL));
-    if (crv != CKR_OK)  return crv; 
-    crv = sftk_defaultAttribute(object,CKA_DECRYPT,&encrypt,sizeof(CK_BBOOL));
-    if (crv != CKR_OK)  return crv; 
-    crv = sftk_defaultAttribute(object,CKA_SIGN,&cktrue,sizeof(CK_BBOOL));
-    if (crv != CKR_OK)  return crv; 
-    crv = sftk_defaultAttribute(object,CKA_SIGN_RECOVER,&recover,
-							     sizeof(CK_BBOOL));
-    if (crv != CKR_OK)  return crv; 
-    crv = sftk_defaultAttribute(object,CKA_UNWRAP,&wrap,sizeof(CK_BBOOL));
-    if (crv != CKR_OK)  return crv; 
-    crv = sftk_defaultAttribute(object,CKA_DERIVE,&derive,sizeof(CK_BBOOL));
-    if (crv != CKR_OK)  return crv; 
-    /* the next two bits get modified only in the key gen and token cases */
-    crv = sftk_forceAttribute(object,CKA_ALWAYS_SENSITIVE,
-						&ckfalse,sizeof(CK_BBOOL));
-    if (crv != CKR_OK)  return crv; 
-    crv = sftk_forceAttribute(object,CKA_NEVER_EXTRACTABLE,
-						&ckfalse,sizeof(CK_BBOOL));
-    if (crv != CKR_OK)  return crv; 
-
-    /* should we check the non-token RSA private keys? */
-
-    if (sftk_isTrue(object,CKA_TOKEN)) {
-	SFTKSlot *slot = session->slot;
-	NSSLOWKEYPrivateKey *privKey;
-	char *label;
-	SECStatus rv = SECSuccess;
-	CK_RV crv = CKR_DEVICE_ERROR;
-	SECItem pubKey;
-	NSSLOWKEYDBHandle *keyHandle = sftk_getKeyDB(slot);
-
-	if (keyHandle == NULL) {
-	    return CKR_TOKEN_WRITE_PROTECTED;
-	}
-
-	privKey=sftk_mkPrivKey(object,key_type,&crv);
-	if (privKey == NULL) return crv;
-	label = sftk_getString(object,CKA_LABEL);
-
-	crv = sftk_Attribute2SSecItem(NULL,&pubKey,object,CKA_NETSCAPE_DB);
-	if (crv != CKR_OK) {
-	    crv = CKR_TEMPLATE_INCOMPLETE;
-	    rv = SECFailure;
-	    goto fail;
-	}
-	if (keyHandle->version != 3) {
-	    unsigned char buf[SHA1_LENGTH];
-	    SHA1_HashBuf(buf,pubKey.data,pubKey.len);
-	    PORT_Memcpy(pubKey.data,buf,sizeof(buf));
-	    pubKey.len = sizeof(buf);
-	}
-
-        if (key_type == CKK_RSA) {
-	    rv = RSA_PrivateKeyCheck(&privKey->u.rsa);
-	    if (rv == SECFailure) {
-		goto fail;
-	    }
-	}
-	rv = nsslowkey_StoreKeyByPublicKey(keyHandle, privKey, &pubKey, 
-					   label, slot->password);
-
-fail:
-	sftk_freeKeyDB(keyHandle);
-	if (label) PORT_Free(label);
-	object->handle = sftk_mkHandle(slot,&pubKey,SFTK_TOKEN_TYPE_PRIV);
-	if (pubKey.data) PORT_Free(pubKey.data);
-	nsslowkey_DestroyPrivateKey(privKey);
-	if (rv != SECSuccess) return crv;
-    } else {
-	object->objectInfo = sftk_mkPrivKey(object,key_type,&crv);
-	if (object->objectInfo == NULL) return crv;
-	object->infoFree = (SFTKFree) nsslowkey_DestroyPrivateKey;
-	/* now NULL out the sensitive attributes */
-	/* remove nulled out attributes for session objects. these only
-	 * applied to rsa private keys anyway (other private keys did not
-	 * get their attributes NULL'ed out */
-    }
-    return CKR_OK;
-}
-
-/* forward delcare the DES formating function for handleSecretKey */
-void sftk_FormatDESKey(unsigned char *key, int length);
-static NSSLOWKEYPrivateKey *sftk_mkSecretKeyRep(SFTKObject *object);
-
-/* Validate secret key data, and set defaults */
-static CK_RV
-validateSecretKey(SFTKSession *session, SFTKObject *object, 
-					CK_KEY_TYPE key_type, PRBool isFIPS)
-{
-    CK_RV crv;
-    CK_BBOOL cktrue = CK_TRUE;
-    CK_BBOOL ckfalse = CK_FALSE;
-    SFTKAttribute *attribute = NULL;
-    unsigned long requiredLen;
-
-    crv = sftk_defaultAttribute(object,CKA_SENSITIVE,
-				isFIPS?&cktrue:&ckfalse,sizeof(CK_BBOOL));
-    if (crv != CKR_OK)  return crv; 
-    crv = sftk_defaultAttribute(object,CKA_EXTRACTABLE,
-						&cktrue,sizeof(CK_BBOOL));
-    if (crv != CKR_OK)  return crv; 
-    crv = sftk_defaultAttribute(object,CKA_ENCRYPT,&cktrue,sizeof(CK_BBOOL));
-    if (crv != CKR_OK)  return crv; 
-    crv = sftk_defaultAttribute(object,CKA_DECRYPT,&cktrue,sizeof(CK_BBOOL));
-    if (crv != CKR_OK)  return crv; 
-    crv = sftk_defaultAttribute(object,CKA_SIGN,&ckfalse,sizeof(CK_BBOOL));
-    if (crv != CKR_OK)  return crv; 
-    crv = sftk_defaultAttribute(object,CKA_VERIFY,&ckfalse,sizeof(CK_BBOOL));
-    if (crv != CKR_OK)  return crv; 
-    crv = sftk_defaultAttribute(object,CKA_WRAP,&cktrue,sizeof(CK_BBOOL));
-    if (crv != CKR_OK)  return crv; 
-    crv = sftk_defaultAttribute(object,CKA_UNWRAP,&cktrue,sizeof(CK_BBOOL));
-    if (crv != CKR_OK)  return crv; 
-
-    if ( !sftk_hasAttribute(object, CKA_VALUE)) {
-	return CKR_TEMPLATE_INCOMPLETE;
-    }
-    /* the next two bits get modified only in the key gen and token cases */
-    crv = sftk_forceAttribute(object,CKA_ALWAYS_SENSITIVE,
-						&ckfalse,sizeof(CK_BBOOL));
-    if (crv != CKR_OK)  return crv; 
-    crv = sftk_forceAttribute(object,CKA_NEVER_EXTRACTABLE,
-						&ckfalse,sizeof(CK_BBOOL));
-    if (crv != CKR_OK)  return crv; 
-
-    /* some types of keys have a value length */
-    crv = CKR_OK;
-    switch (key_type) {
-    /* force CKA_VALUE_LEN to be set */
-    case CKK_GENERIC_SECRET:
-    case CKK_RC2:
-    case CKK_RC4:
-#if NSS_SOFTOKEN_DOES_RC5
-    case CKK_RC5:
-#endif
-#ifdef NSS_SOFTOKEN_DOES_CAST
-    case CKK_CAST:
-    case CKK_CAST3:
-    case CKK_CAST5:
-#endif
-#if NSS_SOFTOKEN_DOES_IDEA
-    case CKK_IDEA:
-#endif
-	attribute = sftk_FindAttribute(object,CKA_VALUE);
-	/* shouldn't happen */
-	if (attribute == NULL) return CKR_TEMPLATE_INCOMPLETE;
-	crv = sftk_forceAttribute(object, CKA_VALUE_LEN, 
-			&attribute->attrib.ulValueLen, sizeof(CK_ULONG));
-	sftk_FreeAttribute(attribute);
-	break;
-    /* force the value to have the correct parity */
-    case CKK_DES:
-    case CKK_DES2:
-    case CKK_DES3:
-    case CKK_CDMF:
-	attribute = sftk_FindAttribute(object,CKA_VALUE);
-	/* shouldn't happen */
-	if (attribute == NULL) 
-	    return CKR_TEMPLATE_INCOMPLETE;
-	requiredLen = sftk_MapKeySize(key_type);
-	if (attribute->attrib.ulValueLen != requiredLen) {
-	    sftk_FreeAttribute(attribute);
-	    return CKR_KEY_SIZE_RANGE;
-	}
-	sftk_FormatDESKey((unsigned char*)attribute->attrib.pValue,
-						 attribute->attrib.ulValueLen);
-	sftk_FreeAttribute(attribute);
-	break;
-    default:
-	break;
-    }
-
-    return crv;
-}
-
-#define SFTK_KEY_MAX_RETRIES 10 /* don't hang if we are having problems with the rng */
-#define SFTK_KEY_ID_SIZE 18 /* don't use either SHA1 or MD5 sizes */
-/*
- * Secret keys must have a CKA_ID value to be stored in the database. This code
- * will generate one if there wasn't one already. 
- */
-static CK_RV
-sftk_GenerateSecretCKA_ID(NSSLOWKEYDBHandle *handle, SECItem *id, char *label)
-{
-    unsigned int retries;
-    SECStatus rv = SECSuccess;
-    CK_RV crv = CKR_OK;
-
-    id->data = NULL;
-    if (label) {
-	id->data = (unsigned char *)PORT_Strdup(label);
-	if (id->data == NULL) {
-	    return CKR_HOST_MEMORY;
-	}
-	id->len = PORT_Strlen(label)+1;
-	if (!nsslowkey_KeyForIDExists(handle,id)) { 
-	    return CKR_OK;
-	}
-	PORT_Free(id->data);
-	id->data = NULL;
-	id->len = 0;
-    }
-    id->data = (unsigned char *)PORT_Alloc(SFTK_KEY_ID_SIZE);
-    if (id->data == NULL) {
-	return CKR_HOST_MEMORY;
-    }
-    id->len = SFTK_KEY_ID_SIZE;
-
-    retries = 0;
-    do {
-	rv = RNG_GenerateGlobalRandomBytes(id->data,id->len);
-    } while (rv == SECSuccess && nsslowkey_KeyForIDExists(handle,id) && 
-				(++retries <= SFTK_KEY_MAX_RETRIES));
-
-    if ((rv != SECSuccess) || (retries > SFTK_KEY_MAX_RETRIES)) {
-	crv = CKR_DEVICE_ERROR; /* random number generator is bad */
-	PORT_Free(id->data);
-	id->data = NULL;
-	id->len = 0;
-    }
-    return crv;
-}
-
-/*
- * check the consistancy and initialize a Secret Key Object 
- */
-static CK_RV
-sftk_handleSecretKeyObject(SFTKSession *session,SFTKObject *object,
-					CK_KEY_TYPE key_type, PRBool isFIPS)
-{
-    CK_RV crv;
-    NSSLOWKEYPrivateKey *privKey   = NULL;
-    NSSLOWKEYDBHandle   *keyHandle = NULL;
-    SECItem pubKey;
-    char *label = NULL;
-
-    pubKey.data = 0;
-
-    /* First validate and set defaults */
-    crv = validateSecretKey(session, object, key_type, isFIPS);
-    if (crv != CKR_OK) goto loser;
-
-    /* If the object is a TOKEN object, store in the database */
-    if (sftk_isTrue(object,CKA_TOKEN)) {
-	SFTKSlot *slot = session->slot;
-	SECStatus rv = SECSuccess;
-	keyHandle = sftk_getKeyDB(slot);
-
-	if (keyHandle == NULL) {
-	    return CKR_TOKEN_WRITE_PROTECTED;
-	}
-
-	label = sftk_getString(object,CKA_LABEL);
-
-	crv = sftk_Attribute2SecItem(NULL, &pubKey, object, CKA_ID);  
-						/* Should this be ID? */
-	if (crv != CKR_OK) goto loser;
-
-	/* if we don't have an ID, generate one */
-	if (pubKey.len == 0) {
-	    if (pubKey.data) { 
-		PORT_Free(pubKey.data);
-		pubKey.data = NULL;
-	    }
-	    crv = sftk_GenerateSecretCKA_ID(keyHandle, &pubKey, label);
-	    if (crv != CKR_OK) goto loser;
-
-	    crv = sftk_forceAttribute(object, CKA_ID, pubKey.data, pubKey.len);
-	    if (crv != CKR_OK) goto loser;
-	}
-
-	privKey = sftk_mkSecretKeyRep(object);
-	if (privKey == NULL) {
-	    crv = CKR_HOST_MEMORY;
-	    goto loser;
-	}
-
-	rv = nsslowkey_StoreKeyByPublicKey(keyHandle,
-			privKey, &pubKey, label, slot->password);
-	if (rv != SECSuccess) {
-	    crv = CKR_DEVICE_ERROR;
-	    goto loser;
-	}
-
-	object->handle = sftk_mkHandle(slot,&pubKey,SFTK_TOKEN_TYPE_KEY);
-    }
-
-loser:
-    if (keyHandle) sftk_freeKeyDB(keyHandle);
-    if (label) PORT_Free(label);
-    if (privKey) nsslowkey_DestroyPrivateKey(privKey);
-    if (pubKey.data) PORT_Free(pubKey.data);
-
-    return crv;
-}
-
-/*
- * check the consistancy and initialize a Key Object 
- */
-static CK_RV
-sftk_handleKeyObject(SFTKSession *session, SFTKObject *object)
-{
-    SFTKAttribute *attribute;
-    CK_KEY_TYPE key_type;
-    CK_BBOOL cktrue = CK_TRUE;
-    CK_BBOOL ckfalse = CK_FALSE;
-    CK_RV crv;
-
-    /* verify the required fields */
-    if ( !sftk_hasAttribute(object,CKA_KEY_TYPE) ) {
-	return CKR_TEMPLATE_INCOMPLETE;
-    }
-
-    /* now verify the common fields */
-    crv = sftk_defaultAttribute(object,CKA_ID,NULL,0);
-    if (crv != CKR_OK)  return crv; 
-    crv = sftk_defaultAttribute(object,CKA_START_DATE,NULL,0);
-    if (crv != CKR_OK)  return crv; 
-    crv = sftk_defaultAttribute(object,CKA_END_DATE,NULL,0);
-    if (crv != CKR_OK)  return crv; 
-    crv = sftk_defaultAttribute(object,CKA_DERIVE,&cktrue,sizeof(CK_BBOOL));
-    if (crv != CKR_OK)  return crv; 
-    crv = sftk_defaultAttribute(object,CKA_LOCAL,&ckfalse,sizeof(CK_BBOOL));
-    if (crv != CKR_OK)  return crv; 
-
-    /* get the key type */
-    attribute = sftk_FindAttribute(object,CKA_KEY_TYPE);
-    key_type = *(CK_KEY_TYPE *)attribute->attrib.pValue;
-    sftk_FreeAttribute(attribute);
-
-    switch (object->objclass) {
-    case CKO_PUBLIC_KEY:
-	return sftk_handlePublicKeyObject(session,object,key_type);
-    case CKO_PRIVATE_KEY:
-	return sftk_handlePrivateKeyObject(session,object,key_type);
-    case CKO_SECRET_KEY:
-	/* make sure the required fields exist */
-	return sftk_handleSecretKeyObject(session,object,key_type,
-			     (PRBool)(session->slot->slotID == FIPS_SLOT_ID));
-    default:
-	break;
-    }
-    return CKR_ATTRIBUTE_VALUE_INVALID;
-}
-
-/*
- * check the consistancy and Verify a DSA Parameter Object 
- */
-static CK_RV
-sftk_handleDSAParameterObject(SFTKSession *session, SFTKObject *object)
-{
-    SFTKAttribute *primeAttr = NULL;
-    SFTKAttribute *subPrimeAttr = NULL;
-    SFTKAttribute *baseAttr = NULL;
-    SFTKAttribute *seedAttr = NULL;
-    SFTKAttribute *hAttr = NULL;
-    SFTKAttribute *attribute;
-    CK_RV crv = CKR_TEMPLATE_INCOMPLETE;
-    PQGParams params;
-    PQGVerify vfy, *verify = NULL;
-    SECStatus result,rv;
-
-    primeAttr = sftk_FindAttribute(object,CKA_PRIME);
-    if (primeAttr == NULL) goto loser;
-    params.prime.data = primeAttr->attrib.pValue;
-    params.prime.len = primeAttr->attrib.ulValueLen;
-
-    subPrimeAttr = sftk_FindAttribute(object,CKA_SUBPRIME);
-    if (subPrimeAttr == NULL) goto loser;
-    params.subPrime.data = subPrimeAttr->attrib.pValue;
-    params.subPrime.len = subPrimeAttr->attrib.ulValueLen;
-
-    baseAttr = sftk_FindAttribute(object,CKA_BASE);
-    if (baseAttr == NULL) goto loser;
-    params.base.data = baseAttr->attrib.pValue;
-    params.base.len = baseAttr->attrib.ulValueLen;
-
-    attribute = sftk_FindAttribute(object, CKA_NETSCAPE_PQG_COUNTER);
-    if (attribute != NULL) {
-	vfy.counter = *(CK_ULONG *) attribute->attrib.pValue;
-	sftk_FreeAttribute(attribute);
-
-	seedAttr = sftk_FindAttribute(object, CKA_NETSCAPE_PQG_SEED);
-	if (seedAttr == NULL) goto loser;
-	vfy.seed.data = seedAttr->attrib.pValue;
-	vfy.seed.len = seedAttr->attrib.ulValueLen;
-
-	hAttr = sftk_FindAttribute(object, CKA_NETSCAPE_PQG_H);
-	if (hAttr == NULL) goto loser;
-	vfy.h.data = hAttr->attrib.pValue;
-	vfy.h.len = hAttr->attrib.ulValueLen;
-
-	verify = &vfy;
-    }
-
-    crv = CKR_FUNCTION_FAILED;
-    rv = PQG_VerifyParams(&params,verify,&result);
-    if (rv == SECSuccess) {
-	crv = (result== SECSuccess) ? CKR_OK : CKR_ATTRIBUTE_VALUE_INVALID;
-    }
-
-loser:
-    if (hAttr) sftk_FreeAttribute(hAttr);
-    if (seedAttr) sftk_FreeAttribute(seedAttr);
-    if (baseAttr) sftk_FreeAttribute(baseAttr);
-    if (subPrimeAttr) sftk_FreeAttribute(subPrimeAttr);
-    if (primeAttr) sftk_FreeAttribute(primeAttr);
-
-    return crv;
-}
-
-/*
- * check the consistancy and initialize a Key Parameter Object 
- */
-static CK_RV
-sftk_handleKeyParameterObject(SFTKSession *session, SFTKObject *object)
-{
-    SFTKAttribute *attribute;
-    CK_KEY_TYPE key_type;
-    CK_BBOOL ckfalse = CK_FALSE;
-    CK_RV crv;
-
-    /* verify the required fields */
-    if ( !sftk_hasAttribute(object,CKA_KEY_TYPE) ) {
-	return CKR_TEMPLATE_INCOMPLETE;
-    }
-
-    /* now verify the common fields */
-    crv = sftk_defaultAttribute(object,CKA_LOCAL,&ckfalse,sizeof(CK_BBOOL));
-    if (crv != CKR_OK)  return crv; 
-
-    /* get the key type */
-    attribute = sftk_FindAttribute(object,CKA_KEY_TYPE);
-    key_type = *(CK_KEY_TYPE *)attribute->attrib.pValue;
-    sftk_FreeAttribute(attribute);
-
-    switch (key_type) {
-    case CKK_DSA:
-	return sftk_handleDSAParameterObject(session,object);
-	
-    default:
-	break;
-    }
-    return CKR_KEY_TYPE_INCONSISTENT;
-}
-
-/* 
- * Handle Object does all the object consistancy checks, automatic attribute
- * generation, attribute defaulting, etc. If handleObject succeeds, the object
- * will be assigned an object handle, and the object installed in the session
- * or stored in the DB.
- */
-CK_RV
-sftk_handleObject(SFTKObject *object, SFTKSession *session)
-{
-    SFTKSlot *slot = session->slot;
-    CK_BBOOL ckfalse = CK_FALSE;
-    CK_BBOOL cktrue = CK_TRUE;
-    SFTKAttribute *attribute;
-    CK_RV crv;
-
-    /* make sure all the base object types are defined. If not set the
-     * defaults */
-    crv = sftk_defaultAttribute(object,CKA_TOKEN,&ckfalse,sizeof(CK_BBOOL));
-    if (crv != CKR_OK) return crv;
-    crv = sftk_defaultAttribute(object,CKA_PRIVATE,&ckfalse,sizeof(CK_BBOOL));
-    if (crv != CKR_OK) return crv;
-    crv = sftk_defaultAttribute(object,CKA_LABEL,NULL,0);
-    if (crv != CKR_OK) return crv;
-    crv = sftk_defaultAttribute(object,CKA_MODIFIABLE,&cktrue,sizeof(CK_BBOOL));
-    if (crv != CKR_OK) return crv;
-
-    /* don't create a private object if we aren't logged in */
-    if ((!slot->isLoggedIn) && (slot->needLogin) &&
-				(sftk_isTrue(object,CKA_PRIVATE))) {
-	return CKR_USER_NOT_LOGGED_IN;
-    }
-
-
-    if (((session->info.flags & CKF_RW_SESSION) == 0) &&
-				(sftk_isTrue(object,CKA_TOKEN))) {
-	return CKR_SESSION_READ_ONLY;
-    }
-	
-    /* PKCS #11 object ID's are unique for all objects on a
-     * token */
-    PZ_Lock(slot->objectLock);
-    object->handle = slot->tokenIDCount++;
-    PZ_Unlock(slot->objectLock);
-
-    /* get the object class */
-    attribute = sftk_FindAttribute(object,CKA_CLASS);
-    if (attribute == NULL) {
-	return CKR_TEMPLATE_INCOMPLETE;
-    }
-    object->objclass = *(CK_OBJECT_CLASS *)attribute->attrib.pValue;
-    sftk_FreeAttribute(attribute);
-
-    /* now handle the specific. Get a session handle for these functions
-     * to use */
-    switch (object->objclass) {
-    case CKO_DATA:
-	crv = sftk_handleDataObject(session,object);
-	break;
-    case CKO_CERTIFICATE:
-	crv = sftk_handleCertObject(session,object);
-	break;
-    case CKO_NETSCAPE_TRUST:
-	crv = sftk_handleTrustObject(session,object);
-	break;
-    case CKO_NETSCAPE_CRL:
-	crv = sftk_handleCrlObject(session,object);
-	break;
-    case CKO_NETSCAPE_SMIME:
-	crv = sftk_handleSMimeObject(session,object);
-	break;
-    case CKO_PRIVATE_KEY:
-    case CKO_PUBLIC_KEY:
-    case CKO_SECRET_KEY:
-	crv = sftk_handleKeyObject(session,object);
-	break;
-    case CKO_KG_PARAMETERS:
-	crv = sftk_handleKeyParameterObject(session,object);
-	break;
-    default:
-	crv = CKR_ATTRIBUTE_VALUE_INVALID;
-	break;
-    }
-
-    /* can't fail from here on out unless the pk_handlXXX functions have
-     * failed the request */
-    if (crv != CKR_OK) {
-	return crv;
-    }
-
-    /* now link the object into the slot and session structures */
-    if (sftk_isToken(object->handle)) {
-	sftk_convertSessionToToken(object);
-    } else {
-	object->slot = slot;
-	sftk_AddObject(session,object);
-    }
-
-    return CKR_OK;
-}
-
-/*
- * ******************** Public Key Utilities ***************************
- */
-/* Generate a low public key structure from an object */
-NSSLOWKEYPublicKey *sftk_GetPubKey(SFTKObject *object,CK_KEY_TYPE key_type, 
-								CK_RV *crvp)
-{
-    NSSLOWKEYPublicKey *pubKey;
-    PLArenaPool *arena;
-    CK_RV crv;
-
-    if (object->objclass != CKO_PUBLIC_KEY) {
-	*crvp = CKR_KEY_TYPE_INCONSISTENT;
-	return NULL;
-    }
-
-    if (sftk_isToken(object->handle)) {
-/* ferret out the token object handle */
-    }
-
-    /* If we already have a key, use it */
-    if (object->objectInfo) {
-	*crvp = CKR_OK;
-	return (NSSLOWKEYPublicKey *)object->objectInfo;
-    }
-
-    /* allocate the structure */
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) {
-	*crvp = CKR_HOST_MEMORY;
-	return NULL;
-    }
-
-    pubKey = (NSSLOWKEYPublicKey *)
-			PORT_ArenaAlloc(arena,sizeof(NSSLOWKEYPublicKey));
-    if (pubKey == NULL) {
-    	PORT_FreeArena(arena,PR_FALSE);
-	*crvp = CKR_HOST_MEMORY;
-	return NULL;
-    }
-
-    /* fill in the structure */
-    pubKey->arena = arena;
-    switch (key_type) {
-    case CKK_RSA:
-	pubKey->keyType = NSSLOWKEYRSAKey;
-	crv = sftk_Attribute2SSecItem(arena,&pubKey->u.rsa.modulus,
-							object,CKA_MODULUS);
-    	if (crv != CKR_OK) break;
-    	crv = sftk_Attribute2SSecItem(arena,&pubKey->u.rsa.publicExponent,
-						object,CKA_PUBLIC_EXPONENT);
-	break;
-    case CKK_DSA:
-	pubKey->keyType = NSSLOWKEYDSAKey;
-	crv = sftk_Attribute2SSecItem(arena,&pubKey->u.dsa.params.prime,
-							object,CKA_PRIME);
-    	if (crv != CKR_OK) break;
-	crv = sftk_Attribute2SSecItem(arena,&pubKey->u.dsa.params.subPrime,
-							object,CKA_SUBPRIME);
-    	if (crv != CKR_OK) break;
-	crv = sftk_Attribute2SSecItem(arena,&pubKey->u.dsa.params.base,
-							object,CKA_BASE);
-    	if (crv != CKR_OK) break;
-    	crv = sftk_Attribute2SSecItem(arena,&pubKey->u.dsa.publicValue,
-							object,CKA_VALUE);
-	break;
-    case CKK_DH:
-	pubKey->keyType = NSSLOWKEYDHKey;
-	crv = sftk_Attribute2SSecItem(arena,&pubKey->u.dh.prime,
-							object,CKA_PRIME);
-    	if (crv != CKR_OK) break;
-	crv = sftk_Attribute2SSecItem(arena,&pubKey->u.dh.base,
-							object,CKA_BASE);
-    	if (crv != CKR_OK) break;
-    	crv = sftk_Attribute2SSecItem(arena,&pubKey->u.dh.publicValue,
-							object,CKA_VALUE);
-	break;
-#ifdef NSS_ENABLE_ECC
-    case CKK_EC:
-	pubKey->keyType = NSSLOWKEYECKey;
-	crv = sftk_Attribute2SSecItem(arena,
-	                              &pubKey->u.ec.ecParams.DEREncoding,
-	                              object,CKA_EC_PARAMS);
-	if (crv != CKR_OK) break;
-
-	/* Fill out the rest of the ecParams structure 
-	 * based on the encoded params
-	 */
-	if (EC_FillParams(arena, &pubKey->u.ec.ecParams.DEREncoding,
-	    &pubKey->u.ec.ecParams) != SECSuccess) break;
-	    
-	crv = sftk_Attribute2SSecItem(arena,&pubKey->u.ec.publicValue,
-	                              object,CKA_EC_POINT);
-	break;
-#endif /* NSS_ENABLE_ECC */
-    default:
-	crv = CKR_KEY_TYPE_INCONSISTENT;
-	break;
-    }
-    *crvp = crv;
-    if (crv != CKR_OK) {
-    	PORT_FreeArena(arena,PR_FALSE);
-	return NULL;
-    }
-
-    object->objectInfo = pubKey;
-    object->infoFree = (SFTKFree) nsslowkey_DestroyPublicKey;
-    return pubKey;
-}
-
-/* make a private key from a verified object */
-static NSSLOWKEYPrivateKey *
-sftk_mkPrivKey(SFTKObject *object, CK_KEY_TYPE key_type, CK_RV *crvp)
-{
-    NSSLOWKEYPrivateKey *privKey;
-    PLArenaPool *arena;
-    CK_RV crv = CKR_OK;
-    SECStatus rv;
-
-    PORT_Assert(!sftk_isToken(object->handle));
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) {
-	*crvp = CKR_HOST_MEMORY;
-	return NULL;
-    }
-
-    privKey = (NSSLOWKEYPrivateKey *)
-			PORT_ArenaZAlloc(arena,sizeof(NSSLOWKEYPrivateKey));
-    if (privKey == NULL)  {
-	PORT_FreeArena(arena,PR_FALSE);
-	*crvp = CKR_HOST_MEMORY;
-	return NULL;
-    }
-
-    /* in future this would be a switch on key_type */
-    privKey->arena = arena;
-    switch (key_type) {
-    case CKK_RSA:
-	privKey->keyType = NSSLOWKEYRSAKey;
-	crv=sftk_Attribute2SSecItem(arena,&privKey->u.rsa.modulus,
-							object,CKA_MODULUS);
-	if (crv != CKR_OK) break;
-	crv=sftk_Attribute2SSecItem(arena,&privKey->u.rsa.publicExponent,object,
-							CKA_PUBLIC_EXPONENT);
-	if (crv != CKR_OK) break;
-	crv=sftk_Attribute2SSecItem(arena,&privKey->u.rsa.privateExponent,object,
-							CKA_PRIVATE_EXPONENT);
-	if (crv != CKR_OK) break;
-	crv=sftk_Attribute2SSecItem(arena,&privKey->u.rsa.prime1,object,
-								CKA_PRIME_1);
-	if (crv != CKR_OK) break;
-	crv=sftk_Attribute2SSecItem(arena,&privKey->u.rsa.prime2,object,
-								CKA_PRIME_2);
-	if (crv != CKR_OK) break;
-	crv=sftk_Attribute2SSecItem(arena,&privKey->u.rsa.exponent1,
-						object, CKA_EXPONENT_1);
-	if (crv != CKR_OK) break;
-	crv=sftk_Attribute2SSecItem(arena,&privKey->u.rsa.exponent2,
-							object, CKA_EXPONENT_2);
-	if (crv != CKR_OK) break;
-	crv=sftk_Attribute2SSecItem(arena,&privKey->u.rsa.coefficient,object,
-							      CKA_COEFFICIENT);
-	if (crv != CKR_OK) break;
-        rv = DER_SetUInteger(privKey->arena, &privKey->u.rsa.version,
-                          NSSLOWKEY_VERSION);
-	if (rv != SECSuccess) crv = CKR_HOST_MEMORY;
-	break;
-
-    case CKK_DSA:
-	privKey->keyType = NSSLOWKEYDSAKey;
-	crv = sftk_Attribute2SSecItem(arena,&privKey->u.dsa.params.prime,
-							object,CKA_PRIME);
-    	if (crv != CKR_OK) break;
-	crv = sftk_Attribute2SSecItem(arena,&privKey->u.dsa.params.subPrime,
-							object,CKA_SUBPRIME);
-    	if (crv != CKR_OK) break;
-	crv = sftk_Attribute2SSecItem(arena,&privKey->u.dsa.params.base,
-							object,CKA_BASE);
-    	if (crv != CKR_OK) break;
-    	crv = sftk_Attribute2SSecItem(arena,&privKey->u.dsa.privateValue,
-							object,CKA_VALUE);
-    	if (crv != CKR_OK) break;
-    	crv = sftk_Attribute2SSecItem(arena,&privKey->u.dsa.publicValue,
-							object,CKA_NETSCAPE_DB);
-	/* can't set the public value.... */
-	break;
-
-    case CKK_DH:
-	privKey->keyType = NSSLOWKEYDHKey;
-	crv = sftk_Attribute2SSecItem(arena,&privKey->u.dh.prime,
-							object,CKA_PRIME);
-    	if (crv != CKR_OK) break;
-	crv = sftk_Attribute2SSecItem(arena,&privKey->u.dh.base,
-							object,CKA_BASE);
-    	if (crv != CKR_OK) break;
-    	crv = sftk_Attribute2SSecItem(arena,&privKey->u.dh.privateValue,
-							object,CKA_VALUE);
-    	if (crv != CKR_OK) break;
-    	crv = sftk_Attribute2SSecItem(arena,&privKey->u.dh.publicValue,
-							object,CKA_NETSCAPE_DB);
-	break;
-
-#ifdef NSS_ENABLE_ECC
-    case CKK_EC:
-	privKey->keyType = NSSLOWKEYECKey;
-	crv = sftk_Attribute2SSecItem(arena, 
-	                              &privKey->u.ec.ecParams.DEREncoding,
-	                              object,CKA_EC_PARAMS);
-    	if (crv != CKR_OK) break;
-
-	/* Fill out the rest of the ecParams structure
-	 * based on the encoded params
-	 */
-	if (EC_FillParams(arena, &privKey->u.ec.ecParams.DEREncoding,
-	    &privKey->u.ec.ecParams) != SECSuccess) break;
-	crv = sftk_Attribute2SSecItem(arena,&privKey->u.ec.privateValue,
-							object,CKA_VALUE);
-	if (crv != CKR_OK) break;
-	crv = sftk_Attribute2SSecItem(arena, &privKey->u.ec.publicValue,
-				      object,CKA_NETSCAPE_DB);
-	if (crv != CKR_OK) break;
-        rv = DER_SetUInteger(privKey->arena, &privKey->u.ec.version,
-                          NSSLOWKEY_EC_PRIVATE_KEY_VERSION);
-	if (rv != SECSuccess) crv = CKR_HOST_MEMORY;
-	break;
-#endif /* NSS_ENABLE_ECC */
-
-    default:
-	crv = CKR_KEY_TYPE_INCONSISTENT;
-	break;
-    }
-    *crvp = crv;
-    if (crv != CKR_OK) {
-	PORT_FreeArena(arena,PR_FALSE);
-	return NULL;
-    }
-    return privKey;
-}
-
-
-/* Generate a low private key structure from an object */
-NSSLOWKEYPrivateKey *
-sftk_GetPrivKey(SFTKObject *object,CK_KEY_TYPE key_type, CK_RV *crvp)
-{
-    NSSLOWKEYPrivateKey *priv = NULL;
-
-    if (object->objclass != CKO_PRIVATE_KEY) {
-	*crvp = CKR_KEY_TYPE_INCONSISTENT;
-	return NULL;
-    }
-    if (object->objectInfo) {
-	*crvp = CKR_OK;
-	return (NSSLOWKEYPrivateKey *)object->objectInfo;
-    }
-
-    if (sftk_isToken(object->handle)) {
-	/* grab it from the data base */
-	SFTKTokenObject *to = sftk_narrowToTokenObject(object);
-
-	PORT_Assert(to);
-	priv = sftk_FindKeyByPublicKey(object->slot, &to->dbKey);
-	*crvp = (priv == NULL) ? CKR_DEVICE_ERROR : CKR_OK;
-    } else {
-	priv = sftk_mkPrivKey(object, key_type, crvp);
-    }
-    object->objectInfo = priv;
-    object->infoFree = (SFTKFree) nsslowkey_DestroyPrivateKey;
-    return priv;
-}
-
-/*
- **************************** Symetric Key utils ************************
- */
-/*
- * set the DES key with parity bits correctly
- */
-void
-sftk_FormatDESKey(unsigned char *key, int length)
-{
-    int i;
-
-    /* format the des key */
-    for (i=0; i < length; i++) {
-	key[i] = parityTable[key[i]>>1];
-    }
-}
-
-/*
- * check a des key (des2 or des3 subkey) for weak keys.
- */
-PRBool
-sftk_CheckDESKey(unsigned char *key)
-{
-    int i;
-
-    /* format the des key with parity  */
-    sftk_FormatDESKey(key, 8);
-
-    for (i=0; i < sftk_desWeakTableSize; i++) {
-	if (PORT_Memcmp(key,sftk_desWeakTable[i],8) == 0) {
-	    return PR_TRUE;
-	}
-    }
-    return PR_FALSE;
-}
-
-/*
- * check if a des or triple des key is weak.
- */
-PRBool
-sftk_IsWeakKey(unsigned char *key,CK_KEY_TYPE key_type)
-{
-
-    switch(key_type) {
-    case CKK_DES:
-	return sftk_CheckDESKey(key);
-    case CKM_DES2_KEY_GEN:
-	if (sftk_CheckDESKey(key)) return PR_TRUE;
-	return sftk_CheckDESKey(&key[8]);
-    case CKM_DES3_KEY_GEN:
-	if (sftk_CheckDESKey(key)) return PR_TRUE;
-	if (sftk_CheckDESKey(&key[8])) return PR_TRUE;
-	return sftk_CheckDESKey(&key[16]);
-    default:
-	break;
-    }
-    return PR_FALSE;
-}
-
-
-/* make a fake private key representing a symmetric key */
-static NSSLOWKEYPrivateKey *
-sftk_mkSecretKeyRep(SFTKObject *object)
-{
-    NSSLOWKEYPrivateKey *privKey = 0;
-    PLArenaPool *arena = 0;
-    CK_KEY_TYPE keyType;
-    PRUint32 keyTypeStorage;
-    SECItem keyTypeItem;
-    CK_RV crv;
-    SECStatus rv;
-    static unsigned char derZero[1] = { 0 };
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) { crv = CKR_HOST_MEMORY; goto loser; }
-
-    privKey = (NSSLOWKEYPrivateKey *)
-			PORT_ArenaZAlloc(arena,sizeof(NSSLOWKEYPrivateKey));
-    if (privKey == NULL) { crv = CKR_HOST_MEMORY; goto loser; }
-
-    privKey->arena = arena;
-
-    /* Secret keys are represented in the database as "fake" RSA keys.  The RSA key
-     * is marked as a secret key representation by setting the public exponent field
-     * to 0, which is an invalid RSA exponent.  The other fields are set as follows:
-     *   modulus - CKA_ID value for the secret key
-     *   private exponent - CKA_VALUE (the key itself)
-     *   coefficient - CKA_KEY_TYPE, which indicates what encryption algorithm
-     *      is used for the key.
-     *   all others - set to integer 0
-     */
-    privKey->keyType = NSSLOWKEYRSAKey;
-
-    /* The modulus is set to the key id of the symmetric key */
-    crv=sftk_Attribute2SecItem(arena,&privKey->u.rsa.modulus,object,CKA_ID);
-    if (crv != CKR_OK) goto loser;
-
-    /* The public exponent is set to 0 length to indicate a special key */
-    privKey->u.rsa.publicExponent.len = sizeof derZero;
-    privKey->u.rsa.publicExponent.data = derZero;
-
-    /* The private exponent is the actual key value */
-    crv=sftk_Attribute2SecItem(arena,&privKey->u.rsa.privateExponent,object,CKA_VALUE);
-    if (crv != CKR_OK) goto loser;
-
-    /* All other fields empty - needs testing */
-    privKey->u.rsa.prime1.len = sizeof derZero;
-    privKey->u.rsa.prime1.data = derZero;
-
-    privKey->u.rsa.prime2.len = sizeof derZero;
-    privKey->u.rsa.prime2.data = derZero;
-
-    privKey->u.rsa.exponent1.len = sizeof derZero;
-    privKey->u.rsa.exponent1.data = derZero;
-
-    privKey->u.rsa.exponent2.len = sizeof derZero;
-    privKey->u.rsa.exponent2.data = derZero;
-
-    /* Coeficient set to KEY_TYPE */
-    crv = sftk_GetULongAttribute(object, CKA_KEY_TYPE, &keyType);
-    if (crv != CKR_OK) goto loser; 
-    /* on 64 bit platforms, we still want to store 32 bits of keyType (This is
-     * safe since the PKCS #11 defines for all types are 32 bits or less). */
-    keyTypeStorage = (PRUint32) keyType;
-    keyTypeStorage = PR_htonl(keyTypeStorage);
-    keyTypeItem.data = (unsigned char *)&keyTypeStorage;
-    keyTypeItem.len = sizeof (keyTypeStorage);
-    rv = SECITEM_CopyItem(arena, &privKey->u.rsa.coefficient, &keyTypeItem);
-    if (rv != SECSuccess) {
-	crv = CKR_HOST_MEMORY;
-	goto loser;
-    }
-    
-    /* Private key version field set normally for compatibility */
-    rv = DER_SetUInteger(privKey->arena, 
-			&privKey->u.rsa.version, NSSLOWKEY_VERSION);
-    if (rv != SECSuccess) { crv = CKR_HOST_MEMORY; goto loser; }
-
-loser:
-    if (crv != CKR_OK) {
-	PORT_FreeArena(arena,PR_FALSE);
-	privKey = 0;
-    }
-
-    return privKey;
-}
-
-static PRBool
-isSecretKey(NSSLOWKEYPrivateKey *privKey)
-{
-  if (privKey->keyType == NSSLOWKEYRSAKey && 
-		privKey->u.rsa.publicExponent.len == 1 &&
-      				privKey->u.rsa.publicExponent.data[0] == 0)
-    return PR_TRUE;
-
-  return PR_FALSE;
-}
-
-/**********************************************************************
- *
- *     Start of PKCS 11 functions 
- *
- **********************************************************************/
-
-
-/* return the function list */
-CK_RV NSC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList)
-{
-    *pFunctionList = (CK_FUNCTION_LIST_PTR) &sftk_funcList;
-    return CKR_OK;
-}
-
-/* return the function list */
-CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList)
-{
-    return NSC_GetFunctionList(pFunctionList);
-}
-
-static PLHashNumber
-sftk_HashNumber(const void *key)
-{
-    return (PLHashNumber) key;
-}
-
-/*
- * eventually I'd like to expunge all occurances of XXX_SLOT_ID and
- * just go with the info in the slot. This is one place, however,
- * where it might be a little difficult.
- */
-const char *
-sftk_getDefTokName(CK_SLOT_ID slotID)
-{
-    static char buf[33];
-
-    switch (slotID) {
-    case NETSCAPE_SLOT_ID:
-	return "NSS Generic Crypto Services     ";
-    case PRIVATE_KEY_SLOT_ID:
-	return "NSS Certificate DB              ";
-    case FIPS_SLOT_ID:
-        return "NSS FIPS-140-1 Certificate DB   ";
-    default:
-	break;
-    }
-    sprintf(buf,"NSS Application Token %08x  ",(unsigned int) slotID);
-    return buf;
-}
-
-const char *
-sftk_getDefSlotName(CK_SLOT_ID slotID)
-{
-    static char buf[65];
-
-    switch (slotID) {
-    case NETSCAPE_SLOT_ID:
-	return 
-	 "NSS Internal Cryptographic Services                             ";
-    case PRIVATE_KEY_SLOT_ID:
-	return 
-	 "NSS User Private Key and Certificate Services                   ";
-    case FIPS_SLOT_ID:
-        return 
-         "Netscape FIPS-140-1 User Private Key Services                   ";
-    default:
-	break;
-    }
-    sprintf(buf,
-     "NSS Application Slot %08x                                   ",
-							(unsigned int) slotID);
-    return buf;
-}
-
-static CK_ULONG nscSlotCount[2] = {0 , 0};
-static CK_SLOT_ID_PTR nscSlotList[2] = {NULL, NULL};
-static CK_ULONG nscSlotListSize[2] = {0, 0};
-static PLHashTable *nscSlotHashTable[2] = {NULL, NULL};
-
-static int
-sftk_GetModuleIndex(CK_SLOT_ID slotID)
-{
-    if ((slotID == FIPS_SLOT_ID) || (slotID >= SFTK_MIN_FIPS_USER_SLOT_ID)) {
-	return NSC_FIPS_MODULE;
-    }
-    return NSC_NON_FIPS_MODULE;
-}
-
-/* look up a slot structure from the ID (used to be a macro when we only
- * had two slots) */
-/* if all is true, return the slot even if it has been 'unloaded' */
-/* if all is false, only return the slots which are present */
-SFTKSlot *
-sftk_SlotFromID(CK_SLOT_ID slotID, PRBool all)
-{
-    SFTKSlot *slot;
-    int index = sftk_GetModuleIndex(slotID);
-    slot = (SFTKSlot *)PL_HashTableLookupConst(nscSlotHashTable[index], 
-							(void *)slotID);
-    /* cleared slots shouldn't 'show up' */
-    if (slot && !all && !slot->present) slot = NULL;
-    return slot;
-}
-
-SFTKSlot *
-sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle)
-{
-    CK_ULONG slotIDIndex = (handle >> 24) & 0x7f;
-    CK_ULONG moduleIndex = (handle >> 31) & 1;
-
-    if (slotIDIndex >= nscSlotCount[moduleIndex]) {
-	return NULL;
-    }
-
-    return sftk_SlotFromID(nscSlotList[moduleIndex][slotIDIndex], PR_FALSE);
-}
- 
-static CK_RV
-sftk_RegisterSlot(SFTKSlot *slot, int moduleIndex)
-{
-    PLHashEntry *entry;
-    int index;
-
-    index = sftk_GetModuleIndex(slot->slotID);
-
-    /* make sure the slotID for this module is valid */
-    if (moduleIndex != index) {
-	return CKR_SLOT_ID_INVALID;
-    }
-
-    if (nscSlotList[index] == NULL) {
-	nscSlotListSize[index] = NSC_SLOT_LIST_BLOCK_SIZE;
-	nscSlotList[index] = (CK_SLOT_ID *)
-		PORT_ZAlloc(nscSlotListSize[index]*sizeof(CK_SLOT_ID));
-	if (nscSlotList[index] == NULL) {
-	    return CKR_HOST_MEMORY;
-	}
-    }
-    if (nscSlotCount[index] >= nscSlotListSize[index]) {
-	CK_SLOT_ID* oldNscSlotList = nscSlotList[index];
-	CK_ULONG oldNscSlotListSize = nscSlotListSize[index];
-	nscSlotListSize[index] += NSC_SLOT_LIST_BLOCK_SIZE;
-	nscSlotList[index] = (CK_SLOT_ID *) PORT_Realloc(oldNscSlotList,
-				nscSlotListSize[index]*sizeof(CK_SLOT_ID));
-	if (nscSlotList[index] == NULL) {
-            nscSlotList[index] = oldNscSlotList;
-            nscSlotListSize[index] = oldNscSlotListSize;
-            return CKR_HOST_MEMORY;
-	}
-    }
-
-    if (nscSlotHashTable[index] == NULL) {
-	nscSlotHashTable[index] = PL_NewHashTable(64,sftk_HashNumber,
-				PL_CompareValues, PL_CompareValues, NULL, 0);
-	if (nscSlotHashTable[index] == NULL) {
-	    return CKR_HOST_MEMORY;
-	}
-    }
-
-    entry = PL_HashTableAdd(nscSlotHashTable[index],(void *)slot->slotID,slot);
-    if (entry == NULL) {
-	return CKR_HOST_MEMORY;
-    }
-    slot->index = (nscSlotCount[index] & 0x7f) | ((index << 7) & 0x80);
-    nscSlotList[index][nscSlotCount[index]++] = slot->slotID;
-
-    return CKR_OK;
-}
-
-typedef struct sftk_DBsStr {
-    NSSLOWCERTCertDBHandle *certHandle;
-    NSSLOWKEYDBHandle *keyHandle;
-} sftkDBs;
-
-static SECStatus
-sftk_set_user(NSSLOWCERTCertificate *cert, SECItem *dummy, void *arg)
-{
-    sftkDBs *param = (sftkDBs *)arg;
-    NSSLOWCERTCertTrust trust = *cert->trust;
-
-    if (param->keyHandle && 
-                nsslowkey_KeyForCertExists(param->keyHandle,cert)) {
-	trust.sslFlags |= CERTDB_USER;
-	trust.emailFlags |= CERTDB_USER;
-	trust.objectSigningFlags |= CERTDB_USER;
-    } else {
-	trust.sslFlags &= ~CERTDB_USER;
-	trust.emailFlags &= ~CERTDB_USER;
-	trust.objectSigningFlags &= ~CERTDB_USER;
-    }
-
-    if (PORT_Memcmp(&trust,cert->trust, sizeof (trust)) != 0) {
-	nsslowcert_ChangeCertTrust(param->certHandle, cert, &trust);
-    }
-
-    /* should check for email address and make sure we have an s/mime profile */
-    return SECSuccess;
-}
-
-/*
- * this function fixes up old databases that may not have the CERTDB_USER
- * flags set correctly. it expects the owner already has references to
- * the cert and key handles.
- */
-static  void
-sftk_DBVerify(NSSLOWCERTCertDBHandle *certHandle, NSSLOWKEYDBHandle *keyHandle)
-{
-    /* walk through all the certs and check to see if there are any 
-     * user certs, and make sure there are s/mime profiles for all certs with
-     * email addresses */
-    sftkDBs param;
-    param.certHandle = certHandle;
-    param.keyHandle = keyHandle;
-
-    nsslowcert_TraversePermCerts(certHandle, sftk_set_user, &param);
-
-    return;
-}
-
-
-/*
- * ths function has all the common initialization that happens whenever we
- * create a new slot or repurpose an old slot (only valid for slotID's 4 
- * and greater).
- *
- * things that are not reinitialized are:
- *   slotID (can't change)
- *   slotDescription (can't change once defined) 
- *   the locks and hash tables (difficult to change in running code, and
- *     unnecessary. hash tables and list are cleared on shutdown, but they
- *     are cleared in a 'friendly' way).
- *   session and object ID counters -- so any old sessions and objects in the
- *     application will get properly notified that the world has changed.
- * 
- * things that are reinitialized:
- *   database (otherwise what would the point be;).
- *   state variables related to databases.
- *   session count stat info.
- *   tokenDescription.
- *
- * NOTE: slotID's 4 and greater show up as removable devices.
- *
- */
-CK_RV
-SFTK_SlotReInit(SFTKSlot *slot,
-	char *configdir,sftk_token_parameters *params, int moduleIndex)
-{
-    PRBool needLogin = !params->noKeyDB;
-    CK_RV crv;
-
-    slot->hasTokens = PR_FALSE;
-    slot->sessionIDConflict = 0;
-    slot->sessionCount = 0;
-    slot->rwSessionCount = 0;
-    slot->needLogin = PR_FALSE;
-    slot->isLoggedIn = PR_FALSE;
-    slot->ssoLoggedIn = PR_FALSE;
-    slot->DB_loaded = PR_FALSE;
-    slot->certDB = NULL;
-    slot->keyDB = NULL;
-    slot->minimumPinLen = 0;
-    slot->readOnly = params->readOnly;
-    sftk_setStringName(params->tokdes ? params->tokdes : 
-	sftk_getDefTokName(slot->slotID), slot->tokDescription, 
-						sizeof(slot->tokDescription));
-
-    if ((!params->noCertDB) || (!params->noKeyDB)) {
-	NSSLOWCERTCertDBHandle * certHandle = NULL;
-	NSSLOWKEYDBHandle *keyHandle = NULL;
-	crv = sftk_DBInit(params->configdir ? params->configdir : configdir,
-		params->certPrefix, params->keyPrefix, params->readOnly,
-		params->noCertDB, params->noKeyDB, params->forceOpen, 
-						&certHandle, &keyHandle);
-	if (crv != CKR_OK) {
-	    goto loser;
-	}
-
-	if (nsslowcert_needDBVerify(certHandle)) {
-	    sftk_DBVerify(certHandle, keyHandle);
-	}
-	slot->certDB = certHandle;
-	slot->keyDB = keyHandle;
-    }
-    if (needLogin) {
-	/* if the data base is initialized with a null password,remember that */
-	slot->needLogin = 
-		(PRBool)!sftk_hasNullPassword(slot->keyDB,&slot->password);
-	if ((params->minPW >= 0) && (params->minPW <= SFTK_MAX_PIN)) {
-	    slot->minimumPinLen = params->minPW;
-	}
-	if ((slot->minimumPinLen == 0) && (params->pwRequired)) {
-	    slot->minimumPinLen = 1;
-	}
-	if ((moduleIndex == NSC_FIPS_MODULE) &&
-		(slot->minimumPinLen < FIPS_MIN_PIN)) {
-	    slot->minimumPinLen = FIPS_MIN_PIN;
-	}
-    }
-
-    slot->present = PR_TRUE;
-    return CKR_OK;
-
-loser:
-    SFTK_ShutdownSlot(slot);
-    return crv;
-}
-
-/*
- * initialize one of the slot structures. figure out which by the ID
- */
-CK_RV
-SFTK_SlotInit(char *configdir,sftk_token_parameters *params, int moduleIndex)
-{
-    unsigned int i;
-    CK_SLOT_ID slotID = params->slotID;
-    SFTKSlot *slot;
-    CK_RV crv = CKR_HOST_MEMORY;
-
-    /*
-     * first we initialize everything that is 'permanent' with this slot.
-     * that is everything we aren't going to shutdown if we close this slot
-     * and open it up again with different databases */
-
-    slot = PORT_ZNew(SFTKSlot);
-
-    if (slot == NULL) {
-	return CKR_HOST_MEMORY;
-    }
-
-    slot->optimizeSpace = params->optimizeSpace;
-    if (slot->optimizeSpace) {
-	slot->tokObjHashSize = SPACE_TOKEN_OBJECT_HASH_SIZE;
-	slot->sessHashSize = SPACE_SESSION_HASH_SIZE;
-	slot->numSessionLocks = 1;
-    } else {
-	slot->tokObjHashSize = TIME_TOKEN_OBJECT_HASH_SIZE;
-	slot->sessHashSize = TIME_SESSION_HASH_SIZE;
-	slot->numSessionLocks = slot->sessHashSize/BUCKETS_PER_SESSION_LOCK;
-    }
-    slot->sessionLockMask = slot->numSessionLocks-1;
-
-    slot->slotLock = PZ_NewLock(nssILockSession);
-    if (slot->slotLock == NULL)
-	goto mem_loser;
-    slot->sessionLock = PORT_ZNewArray(PZLock *, slot->numSessionLocks);
-    if (slot->sessionLock == NULL)
-	goto mem_loser;
-    for (i=0; i < slot->numSessionLocks; i++) {
-        slot->sessionLock[i] = PZ_NewLock(nssILockSession);
-        if (slot->sessionLock[i] == NULL) 
-	    goto mem_loser;
-    }
-    slot->objectLock = PZ_NewLock(nssILockObject);
-    if (slot->objectLock == NULL) 
-    	goto mem_loser;
-    slot->pwCheckLock = PR_NewLock();
-    if (slot->pwCheckLock == NULL) 
-    	goto mem_loser;
-    slot->head = PORT_ZNewArray(SFTKSession *, slot->sessHashSize);
-    if (slot->head == NULL) 
-	goto mem_loser;
-    slot->tokObjects = PORT_ZNewArray(SFTKObject *, slot->tokObjHashSize);
-    if (slot->tokObjects == NULL) 
-	goto mem_loser;
-    slot->tokenHashTable = PL_NewHashTable(64,sftk_HashNumber,PL_CompareValues,
-					SECITEM_HashCompare, NULL, 0);
-    if (slot->tokenHashTable == NULL) 
-	goto mem_loser;
-
-    slot->sessionIDCount = 0;
-    slot->tokenIDCount = 1;
-    slot->slotID = slotID;
-    sftk_setStringName(params->slotdes ? params->slotdes : 
-	      sftk_getDefSlotName(slotID), slot->slotDescription, 
-						sizeof(slot->slotDescription));
-
-    /* call the reinit code to set everything that changes between token
-     * init calls */
-    crv = SFTK_SlotReInit(slot, configdir, params, moduleIndex);
-    if (crv != CKR_OK) {
-	goto loser;
-    }
-    crv = sftk_RegisterSlot(slot, moduleIndex);
-    if (crv != CKR_OK) {
-	goto loser;
-    }
-    return CKR_OK;
-
-mem_loser:
-    crv = CKR_HOST_MEMORY;
-loser:
-   SFTK_DestroySlotData(slot);
-    return crv;
-}
-
-
-static CK_RV sft_CloseAllSession(SFTKSlot *slot)
-{
-    SECItem *pw = NULL;
-    SFTKSession *session;
-    unsigned int i;
-    /* first log out the card */
-    PZ_Lock(slot->slotLock);
-    pw = slot->password;
-    slot->isLoggedIn = PR_FALSE;
-    slot->password = NULL;
-    PZ_Unlock(slot->slotLock);
-    if (pw) SECITEM_ZfreeItem(pw, PR_TRUE);
-
-    /* now close all the current sessions */
-    /* NOTE: If you try to open new sessions before NSC_CloseAllSessions
-     * completes, some of those new sessions may or may not be closed by
-     * NSC_CloseAllSessions... but any session running when this code starts
-     * will guarrenteed be close, and no session will be partially closed */
-    for (i=0; i < slot->sessHashSize; i++) {
-	PZLock *lock = SFTK_SESSION_LOCK(slot,i);
-	do {
-	    PZ_Lock(lock);
-	    session = slot->head[i];
-	    /* hand deque */
-	    /* this duplicates function of NSC_close session functions, but 
-	     * because we know that we are freeing all the sessions, we can
-	     * do more efficient processing */
-	    if (session) {
-		slot->head[i] = session->next;
-		if (session->next) session->next->prev = NULL;
-		session->next = session->prev = NULL;
-		PZ_Unlock(lock);
-		PZ_Lock(slot->slotLock);
-		--slot->sessionCount;
-		PZ_Unlock(slot->slotLock);
-		if (session->info.flags & CKF_RW_SESSION) {
-		    PR_AtomicDecrement(&slot->rwSessionCount);
-		}
-	    } else {
-		PZ_Unlock(lock);
-	    }
-	    if (session) sftk_FreeSession(session);
-	} while (session != NULL);
-    }
-    return CKR_OK;
-}
-
-/*
- * shut down the databases.
- * we get the slot lock (which also protects slot->certDB and slot->keyDB)
- * and clear the values so the new users will not find the databases.
- * once things are clear, we can release our references to the databases.
- * The databases will close when the last reference is released.
- *
- * We use reference counts so that we don't crash if someone shuts down
- * a token that another thread is actively using.
- */
-static void
-sftk_DBShutdown(SFTKSlot *slot)
-{
-    NSSLOWCERTCertDBHandle *certHandle;
-    NSSLOWKEYDBHandle      *keyHandle;
-    PZ_Lock(slot->slotLock);
-    certHandle = slot->certDB;
-    slot->certDB = NULL;
-    keyHandle = slot->keyDB;
-    slot->keyDB = NULL;
-    PZ_Unlock(slot->slotLock);
-    if (certHandle) {
-	sftk_freeCertDB(certHandle);
-    }
-    if (keyHandle) {
-	sftk_freeKeyDB(keyHandle);
-    }
-}
-
-CK_RV
-SFTK_ShutdownSlot(SFTKSlot *slot)
-{
-    /* make sure no new PK11 calls work except C_GetSlotInfo */
-    slot->present = PR_FALSE;
-
-    /* close all outstanding sessions
-     * the sessHashSize variable guarentees we have all the session
-     * mechanism set up */
-    if (slot->head) {
-	sft_CloseAllSession(slot);
-     }
-
-    /* clear all objects.. session objects are cleared as a result of
-     * closing all the sessions. We just need to clear the token object
-     * cache. slot->tokenHashTable guarentees we have the token 
-     * infrastructure set up. */
-    if (slot->tokenHashTable) {
-	SFTK_ClearTokenKeyHashTable(slot);
-    }
-
-    /* clear the slot description for the next guy */
-    PORT_Memset(slot->tokDescription, 0, sizeof(slot->tokDescription));
-
-    /* now shut down the databases. */
-    sftk_DBShutdown(slot);
-    return CKR_OK;
-}
-
-/*
- * initialize one of the slot structures. figure out which by the ID
- */
-CK_RV
-SFTK_DestroySlotData(SFTKSlot *slot)
-{
-    unsigned int i;
-
-    SFTK_ShutdownSlot(slot);
-
-    if (slot->tokenHashTable) {
-	PL_HashTableDestroy(slot->tokenHashTable);
-	slot->tokenHashTable = NULL;
-    }
-
-    if (slot->tokObjects) {
-	PORT_Free(slot->tokObjects);
-	slot->tokObjects = NULL;
-    }
-    slot->tokObjHashSize = 0;
-
-    if (slot->head) {
-	PORT_Free(slot->head);
-	slot->head = NULL;
-    }
-    slot->sessHashSize = 0;
-
-    /* OK everything has been disassembled, now we can finally get rid
-     * of the locks */
-    if (slot->slotLock) {
-	PZ_DestroyLock(slot->slotLock);
-	slot->slotLock = NULL;
-    }
-    if (slot->sessionLock) {
-	for (i=0; i < slot->numSessionLocks; i++) {
-	    if (slot->sessionLock[i]) {
-		PZ_DestroyLock(slot->sessionLock[i]);
-		slot->sessionLock[i] = NULL;
-	    }
-	}
-	PORT_Free(slot->sessionLock);
-	slot->sessionLock = NULL;
-    }
-    if (slot->objectLock) {
-	PZ_DestroyLock(slot->objectLock);
-	slot->objectLock = NULL;
-    }
-    if (slot->pwCheckLock) {
-	PR_DestroyLock(slot->pwCheckLock);
-	slot->pwCheckLock = NULL;
-    }
-    PORT_Free(slot);
-    return CKR_OK;
-}
-
-/*
- * handle the SECMOD.db
- */
-char **
-NSC_ModuleDBFunc(unsigned long function,char *parameters, void *args)
-{
-    char *secmod = NULL;
-    char *appName = NULL;
-    char *filename = NULL;
-    PRBool rw;
-    static char *success="Success";
-    char **rvstr = NULL;
-
-    secmod = secmod_getSecmodName(parameters,&appName,&filename, &rw);
-
-    switch (function) {
-    case SECMOD_MODULE_DB_FUNCTION_FIND:
-	rvstr = secmod_ReadPermDB(appName,filename,secmod,(char *)parameters,rw);
-	break;
-    case SECMOD_MODULE_DB_FUNCTION_ADD:
-	rvstr = (secmod_AddPermDB(appName,filename,secmod,(char *)args,rw) 
-				== SECSuccess) ? &success: NULL;
-	break;
-    case SECMOD_MODULE_DB_FUNCTION_DEL:
-	rvstr = (secmod_DeletePermDB(appName,filename,secmod,(char *)args,rw)
-				 == SECSuccess) ? &success: NULL;
-	break;
-    case SECMOD_MODULE_DB_FUNCTION_RELEASE:
-	rvstr = (secmod_ReleasePermDBData(appName,filename,secmod,
-			(char **)args,rw) == SECSuccess) ? &success: NULL;
-	break;
-    }
-    if (secmod) PR_smprintf_free(secmod);
-    if (appName) PORT_Free(appName);
-    if (filename) PORT_Free(filename);
-    return rvstr;
-}
-
-static void nscFreeAllSlots(int moduleIndex)
-{
-    /* free all the slots */
-    SFTKSlot *slot = NULL;
-    CK_SLOT_ID slotID;
-    int i;
-
-    if (nscSlotList[moduleIndex]) {
-	CK_ULONG tmpSlotCount = nscSlotCount[moduleIndex];
-	CK_SLOT_ID_PTR tmpSlotList = nscSlotList[moduleIndex];
-	PLHashTable *tmpSlotHashTable = nscSlotHashTable[moduleIndex];
-
-	/* first close all the session */
-	for (i=0; i < (int) tmpSlotCount; i++) {
-	    slotID = tmpSlotList[i];
-	    (void) NSC_CloseAllSessions(slotID);
-	}
-
-	/* now clear out the statics */
-	nscSlotList[moduleIndex] = NULL;
-	nscSlotCount[moduleIndex] = 0;
-	nscSlotHashTable[moduleIndex] = NULL;
-	nscSlotListSize[moduleIndex] = 0;
-
-	for (i=0; i < (int) tmpSlotCount; i++) {
-	    slotID = tmpSlotList[i];
-	    slot = (SFTKSlot *)
-			PL_HashTableLookup(tmpSlotHashTable, (void *)slotID);
-	    PORT_Assert(slot);
-	    if (!slot) continue;
-	    SFTK_DestroySlotData(slot);
-	    PL_HashTableRemove(tmpSlotHashTable, (void *)slotID);
-	}
-	PORT_Free(tmpSlotList);
-	PL_HashTableDestroy(tmpSlotHashTable);
-    }
-}
-
-static void
-sftk_closePeer(PRBool isFIPS)
-{
-    CK_SLOT_ID slotID = isFIPS ? PRIVATE_KEY_SLOT_ID: FIPS_SLOT_ID;
-    SFTKSlot *slot;
-    int moduleIndex = isFIPS? NSC_NON_FIPS_MODULE : NSC_FIPS_MODULE;
-    PLHashTable *tmpSlotHashTable = nscSlotHashTable[moduleIndex];
-
-    slot = (SFTKSlot *) PL_HashTableLookup(tmpSlotHashTable, (void *)slotID);
-    if (slot == NULL) {
-	return;
-    }
-    sftk_DBShutdown(slot);
-    return;
-}
-
-static PRBool nsc_init = PR_FALSE;
-extern SECStatus secoid_Init(void);
-
-/* NSC_Initialize initializes the Cryptoki library. */
-CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS)
-{
-    CK_RV crv = CKR_OK;
-    SECStatus rv;
-    CK_C_INITIALIZE_ARGS *init_args = (CK_C_INITIALIZE_ARGS *) pReserved;
-    int i;
-    int moduleIndex = isFIPS? NSC_FIPS_MODULE : NSC_NON_FIPS_MODULE;
-
-
-    if (isFIPS) {
-	/* make sure that our check file signatures are OK */
-	if (!BLAPI_VerifySelf(NULL) || 
-	    !BLAPI_SHVerify(SOFTOKEN_LIB_NAME, (PRFuncPtr) sftk_closePeer)) {
-	    crv = CKR_DEVICE_ERROR; /* better error code? checksum error? */
-	    return crv;
-	}
-
-	loginWaitTime = PR_SecondsToInterval(1);
-    }
-
-    rv = secoid_Init();
-    if (rv != SECSuccess) {
-	crv = CKR_DEVICE_ERROR;
-	return crv;
-    }
-
-    rv = RNG_RNGInit();         /* initialize random number generator */
-    if (rv != SECSuccess) {
-	crv = CKR_DEVICE_ERROR;
-	return crv;
-    }
-    RNG_SystemInfoForRNG();
-
-
-    /* NOTE:
-     * we should be getting out mutexes from this list, not statically binding
-     * them from NSPR. This should happen before we allow the internal to split
-     * off from the rest on NSS.
-     */
-
-    /* initialize the key and cert db's */
-    nsslowkey_SetDefaultKeyDBAlg
-			     (SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC);
-    if (init_args && (!(init_args->flags & CKF_OS_LOCKING_OK))) {
-        if (init_args->CreateMutex && init_args->DestroyMutex &&
-            init_args->LockMutex && init_args->UnlockMutex) {
-            /* softoken always uses NSPR (ie. OS locking), and doesn't know how
-             * to use the lock functions provided by the application.
-             */
-            crv = CKR_CANT_LOCK;
-            return crv;
-        }
-        if (init_args->CreateMutex || init_args->DestroyMutex ||
-            init_args->LockMutex || init_args->UnlockMutex) {
-            /* only some of the lock functions were provided by the
-             * application. This is invalid per PKCS#11 spec.
-             */
-            crv = CKR_ARGUMENTS_BAD;
-            return crv;
-        }
-    }
-    crv = CKR_ARGUMENTS_BAD;
-    if ((init_args && init_args->LibraryParameters)) {
-	sftk_parameters paramStrings;
-       
-	crv = secmod_parseParameters
-		((char *)init_args->LibraryParameters, &paramStrings, isFIPS);
-	if (crv != CKR_OK) {
-	    return crv;
-	}
-	crv = sftk_configure(paramStrings.man, paramStrings.libdes);
-        if (crv != CKR_OK) {
-	    goto loser;
-	}
-
-	/* if we have a peer already open, have him close his DB's so we
-	 * don't clobber each other. */
-	if ((isFIPS && nsc_init) || (!isFIPS && nsf_init)) {
-	    sftk_closePeer(isFIPS);
-	}
-
-	for (i=0; i < paramStrings.token_count; i++) {
-	    crv = SFTK_SlotInit(paramStrings.configdir, 
-			&paramStrings.tokens[i],
-			moduleIndex);
-	    if (crv != CKR_OK) {
-                nscFreeAllSlots(moduleIndex);
-                break;
-            }
-	}
-loser:
-	secmod_freeParams(&paramStrings);
-    }
-    if (CKR_OK == crv) {
-        sftk_InitFreeLists();
-    }
-
-    return crv;
-}
-
-CK_RV NSC_Initialize(CK_VOID_PTR pReserved)
-{
-    CK_RV crv;
-    if (nsc_init) {
-	return CKR_CRYPTOKI_ALREADY_INITIALIZED;
-    }
-    crv = nsc_CommonInitialize(pReserved,PR_FALSE);
-    nsc_init = (PRBool) (crv == CKR_OK);
-    return crv;
-}
-
-extern SECStatus SECOID_Shutdown(void);
-
-/* NSC_Finalize indicates that an application is done with the 
- * Cryptoki library.*/
-CK_RV nsc_CommonFinalize (CK_VOID_PTR pReserved, PRBool isFIPS)
-{
-    
-
-    nscFreeAllSlots(isFIPS ? NSC_FIPS_MODULE : NSC_NON_FIPS_MODULE);
-
-    /* don't muck with the globals is our peer is still initialized */
-    if (isFIPS && nsc_init) {
-	return CKR_OK;
-    }
-    if (!isFIPS && nsf_init) {
-	return CKR_OK;
-    }
-
-    sftk_CleanupFreeLists();
-    nsslowcert_DestroyFreeLists();
-    nsslowcert_DestroyGlobalLocks();
-
-#ifdef LEAK_TEST
-    /*
-     * do we really want to throw away all our hard earned entropy here!!?
-     * No we don't! Not calling RNG_RNGShutdown only 'leaks' data on the 
-     * initial call to RNG_Init(). So the only reason to call this is to clean
-     * up leak detection warnings on shutdown. In many cases we *don't* want
-     * to free up the global RNG context because the application has Finalized
-     * simply to swap profiles. We don't want to loose the entropy we've 
-     * already collected.
-     */
-    RNG_RNGShutdown();
-#endif
-
-    /* tell freeBL to clean up after itself */
-    BL_Cleanup();
-    /* clean up the default OID table */
-    SECOID_Shutdown();
-    nsc_init = PR_FALSE;
-
-    return CKR_OK;
-}
-
-/* NSC_Finalize indicates that an application is done with the 
- * Cryptoki library.*/
-CK_RV NSC_Finalize (CK_VOID_PTR pReserved)
-{
-    CK_RV crv;
-
-    if (!nsc_init) {
-	return CKR_OK;
-    }
-
-    crv = nsc_CommonFinalize (pReserved, PR_FALSE);
-
-    nsc_init = (PRBool) !(crv == CKR_OK);
-
-    return crv;
-}
-
-extern const char __nss_softokn_rcsid[];
-extern const char __nss_softokn_sccsid[];
-
-/* NSC_GetInfo returns general information about Cryptoki. */
-CK_RV  NSC_GetInfo(CK_INFO_PTR pInfo)
-{
-    volatile char c; /* force a reference that won't get optimized away */
-
-    c = __nss_softokn_rcsid[0] + __nss_softokn_sccsid[0]; 
-    pInfo->cryptokiVersion.major = 2;
-    pInfo->cryptokiVersion.minor = 20;
-    PORT_Memcpy(pInfo->manufacturerID,manufacturerID,32);
-    pInfo->libraryVersion.major = NSS_VMAJOR;
-    pInfo->libraryVersion.minor = NSS_VMINOR;
-    PORT_Memcpy(pInfo->libraryDescription,libraryDescription,32);
-    pInfo->flags = 0;
-    return CKR_OK;
-}
-
-
-/* NSC_GetSlotList obtains a list of slots in the system. */
-CK_RV nsc_CommonGetSlotList(CK_BBOOL tokenPresent, 
-	CK_SLOT_ID_PTR	pSlotList, CK_ULONG_PTR pulCount, int moduleIndex)
-{
-    *pulCount = nscSlotCount[moduleIndex];
-    if (pSlotList != NULL) {
-	PORT_Memcpy(pSlotList,nscSlotList[moduleIndex],
-				nscSlotCount[moduleIndex]*sizeof(CK_SLOT_ID));
-    }
-    return CKR_OK;
-}
-
-/* NSC_GetSlotList obtains a list of slots in the system. */
-CK_RV NSC_GetSlotList(CK_BBOOL tokenPresent,
-	 		CK_SLOT_ID_PTR	pSlotList, CK_ULONG_PTR pulCount)
-{
-    return nsc_CommonGetSlotList(tokenPresent, pSlotList, pulCount, 
-							NSC_NON_FIPS_MODULE);
-}
-	
-/* NSC_GetSlotInfo obtains information about a particular slot in the system. */
-CK_RV NSC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo)
-{
-    SFTKSlot *slot = sftk_SlotFromID(slotID, PR_TRUE);
-    if (slot == NULL) return CKR_SLOT_ID_INVALID;
-
-    pInfo->firmwareVersion.major = 0;
-    pInfo->firmwareVersion.minor = 0;
-
-    PORT_Memcpy(pInfo->manufacturerID,manufacturerID,32);
-    PORT_Memcpy(pInfo->slotDescription,slot->slotDescription,64);
-    pInfo->flags = (slot->present) ? CKF_TOKEN_PRESENT : 0;
-    /* all user defined slots are defined as removable */
-    if (slotID >= SFTK_MIN_USER_SLOT_ID) {
-	pInfo->flags |= CKF_REMOVABLE_DEVICE;
-    }
-    /* ok we really should read it out of the keydb file. */
-    /* pInfo->hardwareVersion.major = NSSLOWKEY_DB_FILE_VERSION; */
-    pInfo->hardwareVersion.major = NSS_VMAJOR;
-    pInfo->hardwareVersion.minor = NSS_VMINOR;
-    return CKR_OK;
-}
-
-#define CKF_THREAD_SAFE 0x8000 /* for now */
-/*
- * check the current state of the 'needLogin' flag in case the database has
- * been changed underneath us.
- */
-static PRBool
-sftk_checkNeedLogin(SFTKSlot *slot, NSSLOWKEYDBHandle *keyHandle)
-{
-    if (slot->password) {
-	SECStatus rv;
-	rv = nsslowkey_CheckKeyDBPassword(keyHandle,slot->password);
-	if ( rv == SECSuccess) {
-	    return slot->needLogin;
-	} else {
-	    SECITEM_FreeItem(slot->password, PR_TRUE);
-	    slot->password = NULL;
-	    slot->isLoggedIn = PR_FALSE;
-	}
-    }
-    slot->needLogin = 
-		(PRBool)!sftk_hasNullPassword(keyHandle,&slot->password);
-    return (slot->needLogin);
-}
-
-/* NSC_GetTokenInfo obtains information about a particular token in 
- * the system. */
-CK_RV NSC_GetTokenInfo(CK_SLOT_ID slotID,CK_TOKEN_INFO_PTR pInfo)
-{
-    SFTKSlot *slot = sftk_SlotFromID(slotID, PR_FALSE);
-    NSSLOWKEYDBHandle *handle;
-
-    if (slot == NULL) return CKR_SLOT_ID_INVALID;
-
-    PORT_Memcpy(pInfo->manufacturerID,manufacturerID,32);
-    PORT_Memcpy(pInfo->model,"NSS 3           ",16);
-    PORT_Memcpy(pInfo->serialNumber,"0000000000000000",16);
-    pInfo->ulMaxSessionCount = 0; /* arbitrarily large */
-    pInfo->ulSessionCount = slot->sessionCount;
-    pInfo->ulMaxRwSessionCount = 0; /* arbitarily large */
-    pInfo->ulRwSessionCount = slot->rwSessionCount;
-    pInfo->firmwareVersion.major = 0;
-    pInfo->firmwareVersion.minor = 0;
-    PORT_Memcpy(pInfo->label,slot->tokDescription,32);
-    handle = sftk_getKeyDB(slot);
-    if (handle == NULL) {
-        pInfo->flags= CKF_RNG | CKF_WRITE_PROTECTED | CKF_THREAD_SAFE;
-	pInfo->ulMaxPinLen = 0;
-	pInfo->ulMinPinLen = 0;
-	pInfo->ulTotalPublicMemory = 0;
-	pInfo->ulFreePublicMemory = 0;
-	pInfo->ulTotalPrivateMemory = 0;
-	pInfo->ulFreePrivateMemory = 0;
-	pInfo->hardwareVersion.major = 4;
-	pInfo->hardwareVersion.minor = 0;
-    } else {
-	/*
-	 * we have three possible states which we may be in:
-	 *   (1) No DB password has been initialized. This also means we
-	 *   have no keys in the key db.
-	 *   (2) Password initialized to NULL. This means we have keys, but
-	 *   the user has chosen not use a password.
-	 *   (3) Finally we have an initialized password whicn is not NULL, and
-	 *   we will need to prompt for it.
-	 */
-	if (nsslowkey_HasKeyDBPassword(handle) == SECFailure) {
-	    pInfo->flags = CKF_THREAD_SAFE | CKF_LOGIN_REQUIRED;
-	} else if (!sftk_checkNeedLogin(slot,handle)) {
-	    pInfo->flags = CKF_THREAD_SAFE | CKF_USER_PIN_INITIALIZED;
-	} else {
-	    pInfo->flags = CKF_THREAD_SAFE | 
-				CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED;
-	}
-	pInfo->ulMaxPinLen = SFTK_MAX_PIN;
-	pInfo->ulMinPinLen = (CK_ULONG)slot->minimumPinLen;
-	pInfo->ulTotalPublicMemory = 1;
-	pInfo->ulFreePublicMemory = 1;
-	pInfo->ulTotalPrivateMemory = 1;
-	pInfo->ulFreePrivateMemory = 1;
-	pInfo->hardwareVersion.major = CERT_DB_FILE_VERSION;
-	pInfo->hardwareVersion.minor = handle->version;
-        sftk_freeKeyDB(handle);
-    }
-    return CKR_OK;
-}
-
-/* NSC_GetMechanismList obtains a list of mechanism types 
- * supported by a token. */
-CK_RV NSC_GetMechanismList(CK_SLOT_ID slotID,
-	CK_MECHANISM_TYPE_PTR pMechanismList, CK_ULONG_PTR pulCount)
-{
-    CK_ULONG i;
-
-    switch (slotID) {
-    /* default: */
-    case NETSCAPE_SLOT_ID:
-	*pulCount = mechanismCount;
-	if (pMechanismList != NULL) {
-	    for (i=0; i < mechanismCount; i++) {
-		pMechanismList[i] = mechanisms[i].type;
-	    }
-	}
-	break;
-     default:
-	*pulCount = 0;
-	for (i=0; i < mechanismCount; i++) {
-	    if (mechanisms[i].privkey) {
-		(*pulCount)++;
-		if (pMechanismList != NULL) {
-		    *pMechanismList++ = mechanisms[i].type;
-		}
-	    }
-	}
-	break;
-    }
-    return CKR_OK;
-}
-
-
-/* NSC_GetMechanismInfo obtains information about a particular mechanism 
- * possibly supported by a token. */
-CK_RV NSC_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
-    					CK_MECHANISM_INFO_PTR pInfo)
-{
-    PRBool isPrivateKey;
-    CK_ULONG i;
-
-    switch (slotID) {
-    case NETSCAPE_SLOT_ID:
-	isPrivateKey = PR_FALSE;
-	break;
-    default:
-	isPrivateKey = PR_TRUE;
-	break;
-    }
-    for (i=0; i < mechanismCount; i++) {
-        if (type == mechanisms[i].type) {
-	    if (isPrivateKey && !mechanisms[i].privkey) {
-    		return CKR_MECHANISM_INVALID;
-	    }
-	    PORT_Memcpy(pInfo,&mechanisms[i].info, sizeof(CK_MECHANISM_INFO));
-	    return CKR_OK;
-	}
-    }
-    return CKR_MECHANISM_INVALID;
-}
-
-CK_RV sftk_MechAllowsOperation(CK_MECHANISM_TYPE type, CK_ATTRIBUTE_TYPE op)
-{
-    CK_ULONG i;
-    CK_FLAGS flags;
-
-    switch (op) {
-    case CKA_ENCRYPT:         flags = CKF_ENCRYPT;         break;
-    case CKA_DECRYPT:         flags = CKF_DECRYPT;         break;
-    case CKA_WRAP:            flags = CKF_WRAP;            break;
-    case CKA_UNWRAP:          flags = CKF_UNWRAP;          break;
-    case CKA_SIGN:            flags = CKF_SIGN;            break;
-    case CKA_SIGN_RECOVER:    flags = CKF_SIGN_RECOVER;    break;
-    case CKA_VERIFY:          flags = CKF_VERIFY;          break;
-    case CKA_VERIFY_RECOVER:  flags = CKF_VERIFY_RECOVER;  break;
-    case CKA_DERIVE:          flags = CKF_DERIVE;          break;
-    default:
-    	return CKR_ARGUMENTS_BAD;
-    }
-    for (i=0; i < mechanismCount; i++) {
-        if (type == mechanisms[i].type) {
-	    return (flags & mechanisms[i].info.flags) ? CKR_OK 
-	                                              : CKR_MECHANISM_INVALID;
-	}
-    }
-    return CKR_MECHANISM_INVALID;
-}
-
-
-static SECStatus
-sftk_TurnOffUser(NSSLOWCERTCertificate *cert, SECItem *k, void *arg)
-{
-   NSSLOWCERTCertTrust trust;
-   SECStatus rv;
-
-   rv = nsslowcert_GetCertTrust(cert,&trust);
-   if (rv == SECSuccess && ((trust.emailFlags & CERTDB_USER) ||
-			    (trust.sslFlags & CERTDB_USER) ||
-			    (trust.objectSigningFlags & CERTDB_USER))) {
-	trust.emailFlags &= ~CERTDB_USER;
-	trust.sslFlags &= ~CERTDB_USER;
-	trust.objectSigningFlags &= ~CERTDB_USER;
-	nsslowcert_ChangeCertTrust(cert->dbhandle,cert,&trust);
-   }
-   return SECSuccess;
-}
-
-/* NSC_InitToken initializes a token. */
-CK_RV NSC_InitToken(CK_SLOT_ID slotID,CK_CHAR_PTR pPin,
- 				CK_ULONG ulPinLen,CK_CHAR_PTR pLabel) {
-    SFTKSlot *slot = sftk_SlotFromID(slotID, PR_FALSE);
-    NSSLOWKEYDBHandle *handle;
-    NSSLOWCERTCertDBHandle *certHandle;
-    SECStatus rv;
-    unsigned int i;
-    SFTKObject *object;
-
-    if (slot == NULL) return CKR_SLOT_ID_INVALID;
-
-    /* don't initialize the database if we aren't talking to a token
-     * that uses the key database.
-     */
-    if (slotID == NETSCAPE_SLOT_ID) {
-	return CKR_TOKEN_WRITE_PROTECTED;
-    }
-
-    /* first, delete all our loaded key and cert objects from our 
-     * internal list. */
-    PZ_Lock(slot->objectLock);
-    for (i=0; i < slot->tokObjHashSize; i++) {
-	do {
-	    object = slot->tokObjects[i];
-	    /* hand deque */
-	    /* this duplicates function of NSC_close session functions, but 
-	     * because we know that we are freeing all the sessions, we can
-	     * do more efficient processing */
-	    if (object) {
-		slot->tokObjects[i] = object->next;
-
-		if (object->next) object->next->prev = NULL;
-		object->next = object->prev = NULL;
-	    }
-	    if (object) sftk_FreeObject(object);
-	} while (object != NULL);
-    }
-    slot->DB_loaded = PR_FALSE;
-    PZ_Unlock(slot->objectLock);
-
-    /* then clear out the key database */
-    handle = sftk_getKeyDB(slot);
-    if (handle == NULL) {
-	return CKR_TOKEN_WRITE_PROTECTED;
-    }
-
-    rv = nsslowkey_ResetKeyDB(handle);
-    sftk_freeKeyDB(handle);
-    if (rv != SECSuccess) {
-	return CKR_DEVICE_ERROR;
-    }
-
-    /* finally  mark all the user certs as non-user certs */
-    certHandle = sftk_getCertDB(slot);
-    if (certHandle == NULL) return CKR_OK;
-
-    nsslowcert_TraversePermCerts(certHandle,sftk_TurnOffUser, NULL);
-    sftk_freeCertDB(certHandle);
-
-    return CKR_OK; /*is this the right function for not implemented*/
-}
-
-
-/* NSC_InitPIN initializes the normal user's PIN. */
-CK_RV NSC_InitPIN(CK_SESSION_HANDLE hSession,
-    					CK_CHAR_PTR pPin, CK_ULONG ulPinLen)
-{
-    SFTKSession *sp = NULL;
-    SFTKSlot *slot;
-    NSSLOWKEYDBHandle *handle = NULL;
-    SECItem *newPin;
-    char newPinStr[SFTK_MAX_PIN+1];
-    SECStatus rv;
-    CK_RV crv = CKR_SESSION_HANDLE_INVALID;
-
-    
-    sp = sftk_SessionFromHandle(hSession);
-    if (sp == NULL) {
-	goto loser;
-    }
-
-    slot = sftk_SlotFromSession(sp);
-    if (slot == NULL) {
-	goto loser;
-    }
-
-    handle = sftk_getKeyDB(slot);
-    if (handle == NULL) {
-	crv = CKR_PIN_LEN_RANGE;
-	goto loser;
-    }
-
-
-    if (sp->info.state != CKS_RW_SO_FUNCTIONS) {
-	crv = CKR_USER_NOT_LOGGED_IN;
-	goto loser;
-    }
-
-    sftk_FreeSession(sp);
-    sp = NULL;
-
-    /* make sure the pins aren't too long */
-    if (ulPinLen > SFTK_MAX_PIN) {
-	crv = CKR_PIN_LEN_RANGE;
-	goto loser;
-    }
-    if (ulPinLen < (CK_ULONG)slot->minimumPinLen) {
-	crv = CKR_PIN_LEN_RANGE;
-	goto loser;
-    }
-
-    if (nsslowkey_HasKeyDBPassword(handle) != SECFailure) {
-	crv = CKR_DEVICE_ERROR;
-	goto loser;
-    }
-
-    /* convert to null terminated string */
-    PORT_Memcpy(newPinStr,pPin,ulPinLen);
-    newPinStr[ulPinLen] = 0; 
-
-    /* build the hashed pins which we pass around */
-    newPin = nsslowkey_HashPassword(newPinStr,handle->global_salt);
-    PORT_Memset(newPinStr,0,sizeof(newPinStr));
-
-    /* change the data base */
-    rv = nsslowkey_SetKeyDBPassword(handle,newPin);
-    sftk_freeKeyDB(handle);
-    handle = NULL;
-
-    /* Now update our local copy of the pin */
-    if (rv == SECSuccess) {
-	if (slot->password) {
-    	    SECITEM_ZfreeItem(slot->password, PR_TRUE);
-	}
-	slot->password = newPin;
-	if (ulPinLen == 0) slot->needLogin = PR_FALSE;
-	return CKR_OK;
-    }
-    SECITEM_ZfreeItem(newPin, PR_TRUE);
-    crv = CKR_PIN_INCORRECT;
-
-loser:
-    if (sp) {
-	sftk_FreeSession(sp);
-    }
-    if (handle) {
-	sftk_freeKeyDB(handle);
-    }
-    return crv;
-}
-
-
-/* NSC_SetPIN modifies the PIN of user that is currently logged in. */
-/* NOTE: This is only valid for the PRIVATE_KEY_SLOT */
-CK_RV NSC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
-    CK_ULONG ulOldLen, CK_CHAR_PTR pNewPin, CK_ULONG ulNewLen)
-{
-    SFTKSession *sp = NULL;
-    SFTKSlot *slot;
-    NSSLOWKEYDBHandle *handle = NULL;
-    SECItem *newPin;
-    SECItem *oldPin;
-    char newPinStr[SFTK_MAX_PIN+1],oldPinStr[SFTK_MAX_PIN+1];
-    SECStatus rv;
-    CK_RV crv = CKR_SESSION_HANDLE_INVALID;
-
-    
-    sp = sftk_SessionFromHandle(hSession);
-    if (sp == NULL) {
-	goto loser;
-    }
-
-    slot = sftk_SlotFromSession(sp);
-    if (!slot) {
-	goto loser;
-    }
-
-    handle = sftk_getKeyDB(slot);
-    if (handle == NULL) {
-	sftk_FreeSession(sp);
-	return CKR_PIN_LEN_RANGE;
-    }
-
-    if (slot->needLogin && sp->info.state != CKS_RW_USER_FUNCTIONS) {
-	crv = CKR_USER_NOT_LOGGED_IN;
-	goto loser;
-    }
-
-    sftk_FreeSession(sp);
-    sp = NULL;
-
-    /* make sure the pins aren't too long */
-    if ((ulNewLen > SFTK_MAX_PIN) || (ulOldLen > SFTK_MAX_PIN)) {
-	crv = CKR_PIN_LEN_RANGE;
-	goto loser;
-    }
-    if (ulNewLen < (CK_ULONG)slot->minimumPinLen) {
-	crv = CKR_PIN_LEN_RANGE;
-	goto loser;
-    }
-
-
-    /* convert to null terminated string */
-    PORT_Memcpy(newPinStr,pNewPin,ulNewLen);
-    newPinStr[ulNewLen] = 0; 
-    PORT_Memcpy(oldPinStr,pOldPin,ulOldLen);
-    oldPinStr[ulOldLen] = 0; 
-
-    /* build the hashed pins which we pass around */
-    newPin = nsslowkey_HashPassword(newPinStr,handle->global_salt);
-    oldPin = nsslowkey_HashPassword(oldPinStr,handle->global_salt);
-    PORT_Memset(newPinStr,0,sizeof(newPinStr));
-    PORT_Memset(oldPinStr,0,sizeof(oldPinStr));
-
-    /* change the data base password */
-    PR_Lock(slot->pwCheckLock);
-    rv = nsslowkey_ChangeKeyDBPassword(handle,oldPin,newPin);
-    sftk_freeKeyDB(handle);
-    handle = NULL;
-    if ((rv != SECSuccess) && (slot->slotID == FIPS_SLOT_ID)) {
-	PR_Sleep(loginWaitTime);
-    }
-    PR_Unlock(slot->pwCheckLock);
-
-    /* Now update our local copy of the pin */
-    SECITEM_ZfreeItem(oldPin, PR_TRUE);
-    if (rv == SECSuccess) {
-	if (slot->password) {
-    	    SECITEM_ZfreeItem(slot->password, PR_TRUE);
-	}
-	slot->password = newPin;
-	slot->needLogin = (PRBool)(ulNewLen != 0);
-	return CKR_OK;
-    }
-    SECITEM_ZfreeItem(newPin, PR_TRUE);
-    crv = CKR_PIN_INCORRECT;
-loser:
-    if (sp) {
-	sftk_FreeSession(sp);
-    }
-    if (handle) {
-	sftk_freeKeyDB(handle);
-    }
-    return crv;
-}
-
-/* NSC_OpenSession opens a session between an application and a token. */
-CK_RV NSC_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags,
-   CK_VOID_PTR pApplication,CK_NOTIFY Notify,CK_SESSION_HANDLE_PTR phSession)
-{
-    SFTKSlot *slot;
-    CK_SESSION_HANDLE sessionID;
-    SFTKSession *session;
-    SFTKSession *sameID;
-
-    slot = sftk_SlotFromID(slotID, PR_FALSE);
-    if (slot == NULL) return CKR_SLOT_ID_INVALID;
-
-    /* new session (we only have serial sessions) */
-    session = sftk_NewSession(slotID, Notify, pApplication,
-						 flags | CKF_SERIAL_SESSION);
-    if (session == NULL) return CKR_HOST_MEMORY;
-
-    if (slot->readOnly && (flags & CKF_RW_SESSION)) {
-	/* NETSCAPE_SLOT_ID is Read ONLY */
-	session->info.flags &= ~CKF_RW_SESSION;
-    }
-    PZ_Lock(slot->slotLock);
-    ++slot->sessionCount;
-    PZ_Unlock(slot->slotLock);
-    if (session->info.flags & CKF_RW_SESSION) {
-	PR_AtomicIncrement(&slot->rwSessionCount);
-    }
-
-    do {
-        PZLock *lock;
-        do {
-            sessionID = (PR_AtomicIncrement(&slot->sessionIDCount) & 0xffffff)
-                        | (slot->index << 24);
-        } while (sessionID == CK_INVALID_HANDLE);
-        lock = SFTK_SESSION_LOCK(slot,sessionID);
-        PZ_Lock(lock);
-        sftkqueue_find(sameID, sessionID, slot->head, slot->sessHashSize);
-        if (sameID == NULL) {
-            session->handle = sessionID;
-            sftk_update_state(slot, session);
-            sftkqueue_add(session, sessionID, slot->head,slot->sessHashSize);
-        } else {
-            slot->sessionIDConflict++;  /* for debugging */
-        }
-        PZ_Unlock(lock);
-    } while (sameID != NULL);
-
-    *phSession = sessionID;
-    return CKR_OK;
-}
-
-
-/* NSC_CloseSession closes a session between an application and a token. */
-CK_RV NSC_CloseSession(CK_SESSION_HANDLE hSession)
-{
-    SFTKSlot *slot;
-    SFTKSession *session;
-    SECItem *pw = NULL;
-    PRBool sessionFound;
-    PZLock *lock;
-
-    session = sftk_SessionFromHandle(hSession);
-    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
-    slot = sftk_SlotFromSession(session);
-    sessionFound = PR_FALSE;
-
-    /* lock */
-    lock = SFTK_SESSION_LOCK(slot,hSession);
-    PZ_Lock(lock);
-    if (sftkqueue_is_queued(session,hSession,slot->head,slot->sessHashSize)) {
-	sessionFound = PR_TRUE;
-	sftkqueue_delete(session,hSession,slot->head,slot->sessHashSize);
-	session->refCount--; /* can't go to zero while we hold the reference */
-	PORT_Assert(session->refCount > 0);
-    }
-    PZ_Unlock(lock);
-
-    if (sessionFound) {
-	PZ_Lock(slot->slotLock);
-	if (--slot->sessionCount == 0) {
-	    pw = slot->password;
-	    slot->isLoggedIn = PR_FALSE;
-	    slot->password = NULL;
-	}
-	PZ_Unlock(slot->slotLock);
-	if (session->info.flags & CKF_RW_SESSION) {
-	    PR_AtomicDecrement(&slot->rwSessionCount);
-	}
-    }
-
-    sftk_FreeSession(session);
-    if (pw) SECITEM_ZfreeItem(pw, PR_TRUE);
-    return CKR_OK;
-}
-
-
-/* NSC_CloseAllSessions closes all sessions with a token. */
-CK_RV NSC_CloseAllSessions (CK_SLOT_ID slotID)
-{
-    SFTKSlot *slot;
-
-    slot = sftk_SlotFromID(slotID, PR_FALSE);
-    if (slot == NULL) return CKR_SLOT_ID_INVALID;
-
-    return sft_CloseAllSession(slot);
-}
-
-
-
-/* NSC_GetSessionInfo obtains information about the session. */
-CK_RV NSC_GetSessionInfo(CK_SESSION_HANDLE hSession,
-    						CK_SESSION_INFO_PTR pInfo)
-{
-    SFTKSession *session;
-
-    session = sftk_SessionFromHandle(hSession);
-    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
-
-    PORT_Memcpy(pInfo,&session->info,sizeof(CK_SESSION_INFO));
-    sftk_FreeSession(session);
-    return CKR_OK;
-}
-
-/* NSC_Login logs a user into a token. */
-CK_RV NSC_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
-				    CK_CHAR_PTR pPin, CK_ULONG ulPinLen)
-{
-    SFTKSlot *slot;
-    SFTKSession *session;
-    NSSLOWKEYDBHandle *handle;
-    CK_FLAGS sessionFlags;
-    SECStatus rv;
-    CK_RV crv;
-    SECItem *pin;
-    char pinStr[SFTK_MAX_PIN+1];
-
-
-    /* get the slot */
-    slot = sftk_SlotFromSessionHandle(hSession);
-
-    /* make sure the session is valid */
-    session = sftk_SessionFromHandle(hSession);
-    if (session == NULL) {
-	return CKR_SESSION_HANDLE_INVALID;
-    }
-    sessionFlags = session->info.flags;
-    sftk_FreeSession(session);
-    session = NULL;
-
-    /* can't log into the Netscape Slot */
-    if (slot->slotID == NETSCAPE_SLOT_ID) {
-	 return CKR_USER_TYPE_INVALID;
-    }
-
-    if (slot->isLoggedIn) return CKR_USER_ALREADY_LOGGED_IN;
-    slot->ssoLoggedIn = PR_FALSE;
-
-    if (ulPinLen > SFTK_MAX_PIN) return CKR_PIN_LEN_RANGE;
-
-    /* convert to null terminated string */
-    PORT_Memcpy(pinStr,pPin,ulPinLen);
-    pinStr[ulPinLen] = 0; 
-
-    handle = sftk_getKeyDB(slot);
-    if (handle == NULL) {
-	 return CKR_USER_TYPE_INVALID;
-    }
-
-    /*
-     * Deal with bootstrap. We allow the SSO to login in with a NULL
-     * password if and only if we haven't initialized the KEY DB yet.
-     * We only allow this on a RW session.
-     */
-    rv = nsslowkey_HasKeyDBPassword(handle);
-    if (rv == SECFailure) {
-	/* allow SSO's to log in only if there is not password on the
-	 * key database */
-	if (((userType == CKU_SO) && (sessionFlags & CKF_RW_SESSION))
-	    /* fips always needs to authenticate, even if there isn't a db */
-					|| (slot->slotID == FIPS_SLOT_ID)) {
-	    /* should this be a fixed password? */
-	    if (ulPinLen == 0) {
-		SECItem *pw;
-    		PZ_Lock(slot->slotLock);
-		pw = slot->password;
-		slot->password = NULL;
-		slot->isLoggedIn = PR_TRUE;
-		slot->ssoLoggedIn = (PRBool)(userType == CKU_SO);
-		PZ_Unlock(slot->slotLock);
-		sftk_update_all_states(slot);
-		SECITEM_ZfreeItem(pw,PR_TRUE);
-		crv = CKR_OK;
-		goto done;
-	    }
-	    crv = CKR_PIN_INCORRECT;
-	    goto done;
-	} 
-	crv = CKR_USER_TYPE_INVALID;
-	goto done;
-    } 
-
-    /* don't allow the SSO to log in if the user is already initialized */
-    if (userType != CKU_USER) { 
-	crv = CKR_USER_TYPE_INVALID; 
-	goto done;
-    }
-
-
-    /* build the hashed pins which we pass around */
-    pin = nsslowkey_HashPassword(pinStr,handle->global_salt);
-    if (pin == NULL) {
-	crv = CKR_HOST_MEMORY;
-	goto done;
-    }
-
-    PR_Lock(slot->pwCheckLock);
-    rv = nsslowkey_CheckKeyDBPassword(handle,pin);
-    sftk_freeKeyDB(handle);
-    handle = NULL;
-    if ((rv != SECSuccess) && (slot->slotID == FIPS_SLOT_ID)) {
-	PR_Sleep(loginWaitTime);
-    }
-    PR_Unlock(slot->pwCheckLock);
-    if (rv == SECSuccess) {
-	SECItem *tmp;
-	PZ_Lock(slot->slotLock);
-	tmp = slot->password;
-	slot->isLoggedIn = PR_TRUE;
-	slot->password = pin;
-	PZ_Unlock(slot->slotLock);
-        if (tmp) SECITEM_ZfreeItem(tmp, PR_TRUE);
-
-	/* update all sessions */
-	sftk_update_all_states(slot);
-	return CKR_OK;
-    }
-
-    SECITEM_ZfreeItem(pin, PR_TRUE);
-    crv = CKR_PIN_INCORRECT;
-done:
-    if (handle) {
-	sftk_freeKeyDB(handle);
-    }
-    return crv;
-}
-
-/* NSC_Logout logs a user out from a token. */
-CK_RV NSC_Logout(CK_SESSION_HANDLE hSession)
-{
-    SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
-    SFTKSession *session;
-    SECItem *pw = NULL;
-
-    session = sftk_SessionFromHandle(hSession);
-    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
-    sftk_FreeSession(session);
-    session = NULL;
-
-    if (!slot->isLoggedIn) return CKR_USER_NOT_LOGGED_IN;
-
-    PZ_Lock(slot->slotLock);
-    pw = slot->password;
-    slot->isLoggedIn = PR_FALSE;
-    slot->ssoLoggedIn = PR_FALSE;
-    slot->password = NULL;
-    PZ_Unlock(slot->slotLock);
-    if (pw) SECITEM_ZfreeItem(pw, PR_TRUE);
-
-    sftk_update_all_states(slot);
-    return CKR_OK;
-}
-
-/*
- * Create a new slot on the fly. The slot that is passed in is the
- * slot the request came from. Only the crypto or FIPS slots can
- * be used. The resulting slot will live in the same module as
- * the slot the request was passed to. object is the creation object
- * that specifies the module spec for the new slot.
- */
-static CK_RV sftk_CreateNewSlot(SFTKSlot *slot, CK_OBJECT_CLASS class,
-                                SFTKObject *object)
-{
-    CK_SLOT_ID idMin, idMax;
-    PRBool isFIPS = PR_FALSE;
-    unsigned long moduleIndex;
-    SFTKAttribute *attribute;
-    sftk_parameters paramStrings;
-    char *paramString;
-    CK_SLOT_ID slotID = 0;
-    SFTKSlot *newSlot = NULL;
-    CK_RV crv = CKR_OK;
-
-    /* only the crypto or FIPS slots can create new slot objects */
-    if (slot->slotID == NETSCAPE_SLOT_ID) {
-	idMin = SFTK_MIN_USER_SLOT_ID;
-	idMax = SFTK_MAX_USER_SLOT_ID;
-	moduleIndex = NSC_NON_FIPS_MODULE;
-	isFIPS = PR_FALSE;
-    } else if (slot->slotID == FIPS_SLOT_ID) {
-	idMin = SFTK_MIN_FIPS_USER_SLOT_ID;
-	idMax = SFTK_MAX_FIPS_USER_SLOT_ID;
-	moduleIndex = NSC_FIPS_MODULE;
-	isFIPS = PR_TRUE;
-    } else {
-	return CKR_ATTRIBUTE_VALUE_INVALID;
-    }
-    attribute = sftk_FindAttribute(object,CKA_NETSCAPE_MODULE_SPEC);
-    if (attribute == NULL) {
-	return CKR_TEMPLATE_INCOMPLETE;
-    }
-    paramString = (unsigned char *)attribute->attrib.pValue;
-    crv = secmod_parseParameters(paramString, &paramStrings, isFIPS);
-    if (crv != CKR_OK) {
-	goto loser;
-    }
-
-    /* enforce only one at a time */
-    if (paramStrings.token_count != 1) {
-	crv = CKR_ATTRIBUTE_VALUE_INVALID;
-	goto loser;
-    }
-
-    slotID = paramStrings.tokens[0].slotID;
-
-    /* stay within the valid ID space */
-    if ((slotID < idMin) || (slotID > idMax)) {
-	crv = CKR_ATTRIBUTE_VALUE_INVALID;
-	goto loser;
-    }
-
-    /* unload any existing slot at this id */
-    newSlot = sftk_SlotFromID(slotID, PR_TRUE);
-    if (newSlot && newSlot->present) {
-	crv = SFTK_ShutdownSlot(newSlot);
-	if (crv != CKR_OK) {
-	    goto loser;
-	}
-    }
-
-    /* if we were just planning on deleting the slot, then do so now */
-    if (class == CKO_NETSCAPE_DELSLOT) {
-	/* sort of a unconventional use of this error code, be we are
-         * overusing CKR_ATTRIBUTE_VALUE_INVALID, and it does apply */
-	crv = newSlot ? CKR_OK : CKR_SLOT_ID_INVALID;
-	goto loser; /* really exit */
-    }
-
-    if (newSlot) {
-	crv = SFTK_SlotReInit(newSlot, paramStrings.configdir, 
-			&paramStrings.tokens[0], moduleIndex);
-    } else {
-	crv = SFTK_SlotInit(paramStrings.configdir, 
-			&paramStrings.tokens[0], moduleIndex);
-    }
-    if (crv != CKR_OK) {
-	goto loser;
-    }
-loser:
-    secmod_freeParams(&paramStrings);
-    sftk_FreeAttribute(attribute);
-
-    return crv;
-}
-
-
-/* NSC_CreateObject creates a new object. */
-CK_RV NSC_CreateObject(CK_SESSION_HANDLE hSession,
-		CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, 
-					CK_OBJECT_HANDLE_PTR phObject)
-{
-    SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
-    SFTKSession *session;
-    SFTKObject *object;
-    CK_OBJECT_CLASS class;
-    CK_RV crv;
-    int i;
-
-    *phObject = CK_INVALID_HANDLE;
-
-    /*
-     * now lets create an object to hang the attributes off of
-     */
-    object = sftk_NewObject(slot); /* fill in the handle later */
-    if (object == NULL) {
-	return CKR_HOST_MEMORY;
-    }
-
-    /*
-     * load the template values into the object
-     */
-    for (i=0; i < (int) ulCount; i++) {
-	crv = sftk_AddAttributeType(object,sftk_attr_expand(&pTemplate[i]));
-	if (crv != CKR_OK) {
-	    sftk_FreeObject(object);
-	    return crv;
-	}
-	if ((pTemplate[i].type == CKA_CLASS) && pTemplate[i].pValue) {
-	    class = *(CK_OBJECT_CLASS *)pTemplate[i].pValue;
-	}
-    }
-
-    /* get the session */
-    session = sftk_SessionFromHandle(hSession);
-    if (session == NULL) {
-	sftk_FreeObject(object);
-        return CKR_SESSION_HANDLE_INVALID;
-    }
-
-    /*
-     * handle pseudo objects (CKO_NEWSLOT)
-     */
-    if ((class == CKO_NETSCAPE_NEWSLOT)  || (class == CKO_NETSCAPE_DELSLOT)) {
-	crv = sftk_CreateNewSlot(slot, class, object);
-	goto done;
-    } 
-
-    /*
-     * handle the base object stuff
-     */
-    crv = sftk_handleObject(object,session);
-    *phObject = object->handle;
-done:
-    sftk_FreeSession(session);
-    sftk_FreeObject(object);
-
-    return crv;
-}
-
-
-
-/* NSC_CopyObject copies an object, creating a new object for the copy. */
-CK_RV NSC_CopyObject(CK_SESSION_HANDLE hSession,
-       CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
-					CK_OBJECT_HANDLE_PTR phNewObject) 
-{
-    SFTKObject *destObject,*srcObject;
-    SFTKSession *session;
-    CK_RV crv = CKR_OK;
-    SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
-    int i;
-
-    /* Get srcObject so we can find the class */
-    session = sftk_SessionFromHandle(hSession);
-    if (session == NULL) {
-        return CKR_SESSION_HANDLE_INVALID;
-    }
-    srcObject = sftk_ObjectFromHandle(hObject,session);
-    if (srcObject == NULL) {
-	sftk_FreeSession(session);
-	return CKR_OBJECT_HANDLE_INVALID;
-    }
-    /*
-     * create an object to hang the attributes off of
-     */
-    destObject = sftk_NewObject(slot); /* fill in the handle later */
-    if (destObject == NULL) {
-	sftk_FreeSession(session);
-        sftk_FreeObject(srcObject);
-	return CKR_HOST_MEMORY;
-    }
-
-    /*
-     * load the template values into the object
-     */
-    for (i=0; i < (int) ulCount; i++) {
-	if (sftk_modifyType(pTemplate[i].type,srcObject->objclass) == SFTK_NEVER) {
-	    crv = CKR_ATTRIBUTE_READ_ONLY;
-	    break;
-	}
-	crv = sftk_AddAttributeType(destObject,sftk_attr_expand(&pTemplate[i]));
-	if (crv != CKR_OK) { break; }
-    }
-    if (crv != CKR_OK) {
-	sftk_FreeSession(session);
-        sftk_FreeObject(srcObject);
-	sftk_FreeObject(destObject);
-	return crv;
-    }
-
-    /* sensitive can only be changed to CK_TRUE */
-    if (sftk_hasAttribute(destObject,CKA_SENSITIVE)) {
-	if (!sftk_isTrue(destObject,CKA_SENSITIVE)) {
-	    sftk_FreeSession(session);
-            sftk_FreeObject(srcObject);
-	    sftk_FreeObject(destObject);
-	    return CKR_ATTRIBUTE_READ_ONLY;
-	}
-    }
-
-    /*
-     * now copy the old attributes from the new attributes
-     */
-    /* don't create a token object if we aren't in a rw session */
-    /* we need to hold the lock to copy a consistant version of
-     * the object. */
-    crv = sftk_CopyObject(destObject,srcObject);
-
-    destObject->objclass = srcObject->objclass;
-    sftk_FreeObject(srcObject);
-    if (crv != CKR_OK) {
-	sftk_FreeObject(destObject);
-	sftk_FreeSession(session);
-        return crv;
-    }
-
-    crv = sftk_handleObject(destObject,session);
-    *phNewObject = destObject->handle;
-    sftk_FreeSession(session);
-    sftk_FreeObject(destObject);
-    
-    return crv;
-}
-
-
-/* NSC_GetObjectSize gets the size of an object in bytes. */
-CK_RV NSC_GetObjectSize(CK_SESSION_HANDLE hSession,
-    			CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize) {
-    *pulSize = 0;
-    return CKR_OK;
-}
-
-
-/* NSC_GetAttributeValue obtains the value of one or more object attributes. */
-CK_RV NSC_GetAttributeValue(CK_SESSION_HANDLE hSession,
-    CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount) {
-    SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
-    SFTKSession *session;
-    SFTKObject *object;
-    SFTKAttribute *attribute;
-    PRBool sensitive;
-    CK_RV crv;
-    int i;
-
-    /*
-     * make sure we're allowed
-     */
-    session = sftk_SessionFromHandle(hSession);
-    if (session == NULL) {
-        return CKR_SESSION_HANDLE_INVALID;
-    }
-
-    object = sftk_ObjectFromHandle(hObject,session);
-    sftk_FreeSession(session);
-    if (object == NULL) {
-	return CKR_OBJECT_HANDLE_INVALID;
-    }
-
-    /* don't read a private object if we aren't logged in */
-    if ((!slot->isLoggedIn) && (slot->needLogin) &&
-				(sftk_isTrue(object,CKA_PRIVATE))) {
-	sftk_FreeObject(object);
-	return CKR_USER_NOT_LOGGED_IN;
-    }
-
-    crv = CKR_OK;
-    sensitive = sftk_isTrue(object,CKA_SENSITIVE);
-    for (i=0; i < (int) ulCount; i++) {
-	/* Make sure that this attribute is retrievable */
-	if (sensitive && sftk_isSensitive(pTemplate[i].type,object->objclass)) {
-	    crv = CKR_ATTRIBUTE_SENSITIVE;
-	    pTemplate[i].ulValueLen = -1;
-	    continue;
-	}
-	attribute = sftk_FindAttribute(object,pTemplate[i].type);
-	if (attribute == NULL) {
-	    crv = CKR_ATTRIBUTE_TYPE_INVALID;
-	    pTemplate[i].ulValueLen = -1;
-	    continue;
-	}
-	if (pTemplate[i].pValue != NULL) {
-	    PORT_Memcpy(pTemplate[i].pValue,attribute->attrib.pValue,
-						attribute->attrib.ulValueLen);
-	}
-	pTemplate[i].ulValueLen = attribute->attrib.ulValueLen;
-	sftk_FreeAttribute(attribute);
-    }
-
-    sftk_FreeObject(object);
-    return crv;
-}
-
-/* NSC_SetAttributeValue modifies the value of one or more object attributes */
-CK_RV NSC_SetAttributeValue (CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount) {
-    SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
-    SFTKSession *session;
-    SFTKAttribute *attribute;
-    SFTKObject *object;
-    PRBool isToken;
-    CK_RV crv = CKR_OK;
-    CK_BBOOL legal;
-    int i;
-
-    /*
-     * make sure we're allowed
-     */
-    session = sftk_SessionFromHandle(hSession);
-    if (session == NULL) {
-        return CKR_SESSION_HANDLE_INVALID;
-    }
-
-    object = sftk_ObjectFromHandle(hObject,session);
-    if (object == NULL) {
-        sftk_FreeSession(session);
-	return CKR_OBJECT_HANDLE_INVALID;
-    }
-
-    /* don't modify a private object if we aren't logged in */
-    if ((!slot->isLoggedIn) && (slot->needLogin) &&
-				(sftk_isTrue(object,CKA_PRIVATE))) {
-	sftk_FreeSession(session);
-	sftk_FreeObject(object);
-	return CKR_USER_NOT_LOGGED_IN;
-    }
-
-    /* don't modify a token object if we aren't in a rw session */
-    isToken = sftk_isTrue(object,CKA_TOKEN);
-    if (((session->info.flags & CKF_RW_SESSION) == 0) && isToken) {
-	sftk_FreeSession(session);
-	sftk_FreeObject(object);
-	return CKR_SESSION_READ_ONLY;
-    }
-    sftk_FreeSession(session);
-
-    /* only change modifiable objects */
-    if (!sftk_isTrue(object,CKA_MODIFIABLE)) {
-	sftk_FreeObject(object);
-	return CKR_ATTRIBUTE_READ_ONLY;
-    }
-
-    for (i=0; i < (int) ulCount; i++) {
-	/* Make sure that this attribute is changeable */
-	switch (sftk_modifyType(pTemplate[i].type,object->objclass)) {
-	case SFTK_NEVER:
-	case SFTK_ONCOPY:
-        default:
-	    crv = CKR_ATTRIBUTE_READ_ONLY;
-	    break;
-
-        case SFTK_SENSITIVE:
-	    legal = (pTemplate[i].type == CKA_EXTRACTABLE) ? CK_FALSE : CK_TRUE;
-	    if ((*(CK_BBOOL *)pTemplate[i].pValue) != legal) {
-	        crv = CKR_ATTRIBUTE_READ_ONLY;
-	    }
-	    break;
-        case SFTK_ALWAYS:
-	    break;
-	}
-	if (crv != CKR_OK) break;
-
-	/* find the old attribute */
-	attribute = sftk_FindAttribute(object,pTemplate[i].type);
-	if (attribute == NULL) {
-	    crv =CKR_ATTRIBUTE_TYPE_INVALID;
-	    break;
-	}
-    	sftk_FreeAttribute(attribute);
-	crv = sftk_forceAttribute(object,sftk_attr_expand(&pTemplate[i]));
-	if (crv != CKR_OK) break;
-
-    }
-
-    sftk_FreeObject(object);
-    return crv;
-}
-
-/*
- * find any certs that may match the template and load them.
- */
-#define NSC_CERT	0x00000001
-#define NSC_TRUST	0x00000002
-#define NSC_CRL		0x00000004
-#define NSC_SMIME	0x00000008
-#define NSC_PRIVATE	0x00000010
-#define NSC_PUBLIC	0x00000020
-#define NSC_KEY		0x00000040
-
-/*
- * structure to collect key handles.
- */
-typedef struct sftkCrlDataStr {
-    SFTKSlot *slot;
-    SFTKSearchResults *searchHandles;
-    CK_ATTRIBUTE *template;
-    CK_ULONG templ_count;
-} sftkCrlData;
-
-
-static SECStatus
-sftk_crl_collect(SECItem *data, SECItem *key, certDBEntryType type, void *arg)
-{
-    sftkCrlData *crlData;
-    CK_OBJECT_HANDLE class_handle;
-    SFTKSlot *slot;
-    
-    crlData = (sftkCrlData *)arg;
-    slot = crlData->slot;
-
-    class_handle = (type == certDBEntryTypeRevocation) ? SFTK_TOKEN_TYPE_CRL :
-							SFTK_TOKEN_KRL_HANDLE;
-    if (sftk_tokenMatch(slot, key, class_handle,
-			crlData->template, crlData->templ_count)) {
-	sftk_addHandle(crlData->searchHandles,
-				 sftk_mkHandle(slot,key,class_handle));
-    }
-    return(SECSuccess);
-}
-
-static void
-sftk_searchCrls(SFTKSlot *slot, SECItem *derSubject, PRBool isKrl, 
-		unsigned long classFlags, SFTKSearchResults *search,
-		CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount)
-{
-    NSSLOWCERTCertDBHandle *certHandle = NULL;
-
-    certHandle = sftk_getCertDB(slot);
-    if (certHandle == NULL) {
-	return;
-    }
-    if (derSubject->data != NULL)  {
-	certDBEntryRevocation *crl = 
-	    nsslowcert_FindCrlByKey(certHandle, derSubject, isKrl);
-
-	if (crl != NULL) {
-	    sftk_addHandle(search, sftk_mkHandle(slot, derSubject,
-		isKrl ? SFTK_TOKEN_KRL_HANDLE : SFTK_TOKEN_TYPE_CRL));
-	    nsslowcert_DestroyDBEntry((certDBEntry *)crl);
-	}
-    } else {
-	sftkCrlData crlData;
-
-	/* traverse */
-	crlData.slot = slot;
-	crlData.searchHandles = search;
-	crlData.template = pTemplate;
-	crlData.templ_count = ulCount;
-	nsslowcert_TraverseDBEntries(certHandle, certDBEntryTypeRevocation,
-		sftk_crl_collect, (void *)&crlData);
-	nsslowcert_TraverseDBEntries(certHandle, certDBEntryTypeKeyRevocation,
-		sftk_crl_collect, (void *)&crlData);
-    } 
-    sftk_freeCertDB(certHandle);
-}
-
-/*
- * structure to collect key handles.
- */
-typedef struct sftkKeyDataStr {
-    SFTKSlot *slot;
-    NSSLOWKEYDBHandle *keyHandle;
-    SFTKSearchResults *searchHandles;
-    SECItem *id;
-    CK_ATTRIBUTE *template;
-    CK_ULONG templ_count;
-    unsigned long classFlags;
-    PRBool isLoggedIn;
-    PRBool strict;
-} sftkKeyData;
-
-
-static SECStatus
-sftk_key_collect(DBT *key, DBT *data, void *arg)
-{
-    sftkKeyData *keyData;
-    NSSLOWKEYPrivateKey *privKey = NULL;
-    SECItem tmpDBKey;
-    SFTKSlot *slot;
-    
-    keyData = (sftkKeyData *)arg;
-    slot = keyData->slot;
-
-    tmpDBKey.data = key->data;
-    tmpDBKey.len = key->size;
-    tmpDBKey.type = siBuffer;
-
-    PORT_Assert(keyData->keyHandle);
-    if (!keyData->strict && keyData->id) {
-	SECItem result;
-	PRBool haveMatch= PR_FALSE;
-	unsigned char hashKey[SHA1_LENGTH];
-	result.data = hashKey;
-	result.len = sizeof(hashKey);
-
-	if (keyData->id->len == 0) {
-	    /* Make sure this isn't a NSC_KEY */
-	    privKey = nsslowkey_FindKeyByPublicKey(keyData->keyHandle, 
-					&tmpDBKey, keyData->slot->password);
-	    if (privKey) {
-		haveMatch = isSecretKey(privKey) ?
-				(PRBool)(keyData->classFlags & NSC_KEY) != 0:
-				(PRBool)(keyData->classFlags & 
-					      (NSC_PRIVATE|NSC_PUBLIC)) != 0;
-		nsslowkey_DestroyPrivateKey(privKey);
-	    }
-	} else {
-	    SHA1_HashBuf( hashKey, key->data, key->size ); /* match id */
-	    haveMatch = SECITEM_ItemsAreEqual(keyData->id,&result);
-	    if (!haveMatch && ((unsigned char *)key->data)[0] == 0) {
-		/* This is a fix for backwards compatibility.  The key
-		 * database indexes private keys by the public key, and
-		 * versions of NSS prior to 3.4 stored the public key as
-		 * a signed integer.  The public key is now treated as an
-		 * unsigned integer, with no leading zero.  In order to
-		 * correctly compute the hash of an old key, it is necessary
-		 * to fallback and detect the leading zero.
-		 */
-		SHA1_HashBuf(hashKey, 
-		             (unsigned char *)key->data + 1, key->size - 1);
-		haveMatch = SECITEM_ItemsAreEqual(keyData->id,&result);
-	    }
-	}
-	if (haveMatch) {
-	    if (keyData->classFlags & NSC_PRIVATE)  {
-		sftk_addHandle(keyData->searchHandles,
-			sftk_mkHandle(slot,&tmpDBKey,SFTK_TOKEN_TYPE_PRIV));
-	    }
-	    if (keyData->classFlags & NSC_PUBLIC) {
-		sftk_addHandle(keyData->searchHandles,
-			sftk_mkHandle(slot,&tmpDBKey,SFTK_TOKEN_TYPE_PUB));
-	    }
-	    if (keyData->classFlags & NSC_KEY) {
-		sftk_addHandle(keyData->searchHandles,
-			sftk_mkHandle(slot,&tmpDBKey,SFTK_TOKEN_TYPE_KEY));
-	    }
-	}
-	return SECSuccess;
-    }
-
-    privKey = nsslowkey_FindKeyByPublicKey(keyData->keyHandle, &tmpDBKey, 
-						 keyData->slot->password);
-    if ( privKey == NULL ) {
-	goto loser;
-    }
-
-    if (isSecretKey(privKey)) {
-	if ((keyData->classFlags & NSC_KEY) && 
-		sftk_tokenMatch(keyData->slot, &tmpDBKey, SFTK_TOKEN_TYPE_KEY,
-			keyData->template, keyData->templ_count)) {
-	    sftk_addHandle(keyData->searchHandles,
-		sftk_mkHandle(keyData->slot, &tmpDBKey, SFTK_TOKEN_TYPE_KEY));
-	}
-    } else {
-	if ((keyData->classFlags & NSC_PRIVATE) && 
-		sftk_tokenMatch(keyData->slot, &tmpDBKey, SFTK_TOKEN_TYPE_PRIV,
-			keyData->template, keyData->templ_count)) {
-	    sftk_addHandle(keyData->searchHandles,
-		sftk_mkHandle(keyData->slot,&tmpDBKey,SFTK_TOKEN_TYPE_PRIV));
-	}
-	if ((keyData->classFlags & NSC_PUBLIC) && 
-		sftk_tokenMatch(keyData->slot, &tmpDBKey, SFTK_TOKEN_TYPE_PUB,
-			keyData->template, keyData->templ_count)) {
-	    sftk_addHandle(keyData->searchHandles,
-		sftk_mkHandle(keyData->slot, &tmpDBKey,SFTK_TOKEN_TYPE_PUB));
-	}
-    }
-
-loser:
-    if ( privKey ) {
-	nsslowkey_DestroyPrivateKey(privKey);
-    }
-    return(SECSuccess);
-}
-
-static void
-sftk_searchKeys(SFTKSlot *slot, SECItem *key_id, PRBool isLoggedIn,
-	unsigned long classFlags, SFTKSearchResults *search, PRBool mustStrict,
-	CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount)
-{
-    NSSLOWKEYDBHandle *keyHandle = NULL;
-    NSSLOWKEYPrivateKey *privKey;
-    sftkKeyData keyData;
-    PRBool found = PR_FALSE;
-
-    keyHandle = sftk_getKeyDB(slot);
-    if (keyHandle == NULL) {
-	return;
-    }
-
-    if (key_id->data) {
-	privKey = nsslowkey_FindKeyByPublicKey(keyHandle, key_id, slot->password);
-	if (privKey) {
-	    if ((classFlags & NSC_KEY) && isSecretKey(privKey)) {
-    	        sftk_addHandle(search,
-			sftk_mkHandle(slot,key_id,SFTK_TOKEN_TYPE_KEY));
-		found = PR_TRUE;
-	    }
-	    if ((classFlags & NSC_PRIVATE) && !isSecretKey(privKey)) {
-    	        sftk_addHandle(search,
-			sftk_mkHandle(slot,key_id,SFTK_TOKEN_TYPE_PRIV));
-		found = PR_TRUE;
-	    }
-	    if ((classFlags & NSC_PUBLIC) && !isSecretKey(privKey)) {
-    	        sftk_addHandle(search,
-			sftk_mkHandle(slot,key_id,SFTK_TOKEN_TYPE_PUB));
-		found = PR_TRUE;
-	    }
-    	    nsslowkey_DestroyPrivateKey(privKey);
-	}
-	/* don't do the traversal if we have an up to date db */
-	if (keyHandle->version != 3) {
-	    goto loser;
-	}
-	/* don't do the traversal if it can't possibly be the correct id */
-	/* all soft token id's are SHA1_HASH_LEN's */
-	if (key_id->len != SHA1_LENGTH) {
-	    goto loser;
-	}
-	if (found) {
-	   /* if we already found some keys, don't do the traversal */
-	   goto loser;
-	}
-    }
-    keyData.slot = slot;
-    keyData.keyHandle = keyHandle;
-    keyData.searchHandles = search;
-    keyData.id = key_id;
-    keyData.template = pTemplate;
-    keyData.templ_count = ulCount;
-    keyData.isLoggedIn = isLoggedIn;
-    keyData.classFlags = classFlags;
-    keyData.strict = mustStrict ? mustStrict : NSC_STRICT;
-
-    nsslowkey_TraverseKeys(keyHandle, sftk_key_collect, &keyData);
-loser:
-    sftk_freeKeyDB(keyHandle);
-	
-}
-
-/*
- * structure to collect certs into
- */
-typedef struct sftkCertDataStr {
-    SFTKSlot *slot;
-    int cert_count;
-    int max_cert_count;
-    NSSLOWCERTCertificate **certs;
-    CK_ATTRIBUTE *template;
-    CK_ULONG	templ_count;
-    unsigned long classFlags;
-    PRBool	strict;
-} sftkCertData;
-
-/*
- * collect all the certs from the traverse call.
- */	
-static SECStatus
-sftk_cert_collect(NSSLOWCERTCertificate *cert,void *arg)
-{
-    sftkCertData *cd = (sftkCertData *)arg;
-
-    if (cert == NULL) {
-	return SECSuccess;
-    }
-
-    if (cd->certs == NULL) {
-	return SECFailure;
-    }
-
-    if (cd->strict) {
-	if ((cd->classFlags & NSC_CERT) && !sftk_tokenMatch(cd->slot,
-	  &cert->certKey, SFTK_TOKEN_TYPE_CERT, cd->template,cd->templ_count)) {
-	    return SECSuccess;
-	}
-	if ((cd->classFlags & NSC_TRUST) && !sftk_tokenMatch(cd->slot,
-	  &cert->certKey, SFTK_TOKEN_TYPE_TRUST, 
-					     cd->template, cd->templ_count)) {
-	    return SECSuccess;
-	}
-    }
-
-    /* allocate more space if we need it. This should only happen in
-     * the general traversal case */
-    if (cd->cert_count >= cd->max_cert_count) {
-	int size;
-	cd->max_cert_count += NSC_CERT_BLOCK_SIZE;
-	size = cd->max_cert_count * sizeof (NSSLOWCERTCertificate *);
-	cd->certs = (NSSLOWCERTCertificate **)PORT_Realloc(cd->certs,size);
-	if (cd->certs == NULL) {
-	    return SECFailure;
-	}
-    }
-
-    cd->certs[cd->cert_count++] = nsslowcert_DupCertificate(cert);
-    return SECSuccess;
-}
-
-/* provide impedence matching ... */
-static SECStatus
-sftk_cert_collect2(NSSLOWCERTCertificate *cert, SECItem *dymmy, void *arg)
-{
-    return sftk_cert_collect(cert, arg);
-}
-
-static void
-sftk_searchSingleCert(sftkCertData *certData,NSSLOWCERTCertificate *cert)
-{
-    if (cert == NULL) {
-	    return;
-    }
-    if (certData->strict && 
-	!sftk_tokenMatch(certData->slot, &cert->certKey, SFTK_TOKEN_TYPE_CERT, 
-				certData->template,certData->templ_count)) {
-	nsslowcert_DestroyCertificate(cert);
-	return;
-    }
-    certData->certs = (NSSLOWCERTCertificate **) 
-				PORT_Alloc(sizeof (NSSLOWCERTCertificate *));
-    if (certData->certs == NULL) {
-	nsslowcert_DestroyCertificate(cert);
-	return;
-    }
-    certData->certs[0] = cert;
-    certData->cert_count = 1;
-}
-
-static void
-sftk_CertSetupData(sftkCertData *certData,int count)
-{
-    certData->max_cert_count = count;
-
-    if (certData->max_cert_count <= 0) {
-	return;
-    }
-    certData->certs = (NSSLOWCERTCertificate **)
-			 PORT_Alloc( count * sizeof(NSSLOWCERTCertificate *));
-    return;
-}
-
-static void
-sftk_searchCertsAndTrust(SFTKSlot *slot, SECItem *derCert, SECItem *name, 
-			SECItem *derSubject, NSSLOWCERTIssuerAndSN *issuerSN, 
-			SECItem *email,
-			unsigned long classFlags, SFTKSearchResults *handles, 
-			CK_ATTRIBUTE *pTemplate, CK_LONG ulCount)
-{
-    NSSLOWCERTCertDBHandle *certHandle = NULL;
-    sftkCertData certData;
-    int i;
-
-    certHandle = sftk_getCertDB(slot);
-    if (certHandle == NULL) return;
-
-    certData.slot = slot;
-    certData.max_cert_count = 0;
-    certData.certs = NULL;
-    certData.cert_count = 0;
-    certData.template = pTemplate;
-    certData.templ_count = ulCount;
-    certData.classFlags = classFlags; 
-    certData.strict = NSC_STRICT; 
-
-
-    /*
-     * Find the Cert.
-     */
-    if (derCert->data != NULL) {
-	NSSLOWCERTCertificate *cert = 
-			nsslowcert_FindCertByDERCert(certHandle,derCert);
-	sftk_searchSingleCert(&certData,cert);
-    } else if (name->data != NULL) {
-	char *tmp_name = (char*)PORT_Alloc(name->len+1);
-	int count;
-
-	if (tmp_name == NULL) {
-	    return;
-	}
-	PORT_Memcpy(tmp_name,name->data,name->len);
-	tmp_name[name->len] = 0;
-
-	count= nsslowcert_NumPermCertsForNickname(certHandle,tmp_name);
-	sftk_CertSetupData(&certData,count);
-	nsslowcert_TraversePermCertsForNickname(certHandle,tmp_name,
-				sftk_cert_collect, &certData);
-	PORT_Free(tmp_name);
-    } else if (derSubject->data != NULL) {
-	int count;
-
-	count = nsslowcert_NumPermCertsForSubject(certHandle,derSubject);
-	sftk_CertSetupData(&certData,count);
-	nsslowcert_TraversePermCertsForSubject(certHandle,derSubject,
-				sftk_cert_collect, &certData);
-    } else if ((issuerSN->derIssuer.data != NULL) && 
-			(issuerSN->serialNumber.data != NULL)) {
-        if (classFlags & NSC_CERT) {
-	    NSSLOWCERTCertificate *cert = 
-		nsslowcert_FindCertByIssuerAndSN(certHandle,issuerSN);
-
-	    sftk_searchSingleCert(&certData,cert);
-	}
-	if (classFlags & NSC_TRUST) {
-	    NSSLOWCERTTrust *trust = 
-		nsslowcert_FindTrustByIssuerAndSN(certHandle, issuerSN);
-
-	    if (trust) {
-		sftk_addHandle(handles,
-		    sftk_mkHandle(slot,&trust->dbKey,SFTK_TOKEN_TYPE_TRUST));
-		nsslowcert_DestroyTrust(trust);
-	    }
-	}
-    } else if (email->data != NULL) {
-	char *tmp_name = (char*)PORT_Alloc(email->len+1);
-	certDBEntrySMime *entry = NULL;
-
-	if (tmp_name == NULL) {
-	    return;
-	}
-	PORT_Memcpy(tmp_name,email->data,email->len);
-	tmp_name[email->len] = 0;
-
-	entry = nsslowcert_ReadDBSMimeEntry(certHandle,tmp_name);
-	if (entry) {
-	    int count;
-	    SECItem *subjectName = &entry->subjectName;
-
-	    count = nsslowcert_NumPermCertsForSubject(certHandle, subjectName);
-	    sftk_CertSetupData(&certData,count);
-	    nsslowcert_TraversePermCertsForSubject(certHandle, subjectName, 
-						sftk_cert_collect, &certData);
-
-	    nsslowcert_DestroyDBEntry((certDBEntry *)entry);
-	}
-	PORT_Free(tmp_name);
-    } else {
-	/* we aren't filtering the certs, we are working on all, so turn
-	 * on the strict filters. */
-	certData.strict = PR_TRUE;
-	sftk_CertSetupData(&certData,NSC_CERT_BLOCK_SIZE);
-	nsslowcert_TraversePermCerts(certHandle, sftk_cert_collect2, &certData);
-    }
-    sftk_freeCertDB(certHandle);
-
-    /*
-     * build the handles
-     */	
-    for (i=0 ; i < certData.cert_count ; i++) {
-	NSSLOWCERTCertificate *cert = certData.certs[i];
-
-	/* if we filtered it would have been on the stuff above */
-	if (classFlags & NSC_CERT) {
-	    sftk_addHandle(handles,
-		sftk_mkHandle(slot,&cert->certKey,SFTK_TOKEN_TYPE_CERT));
-	}
-	if ((classFlags & NSC_TRUST) && nsslowcert_hasTrust(cert->trust)) {
-	    sftk_addHandle(handles,
-		sftk_mkHandle(slot,&cert->certKey,SFTK_TOKEN_TYPE_TRUST));
-	}
-	nsslowcert_DestroyCertificate(cert);
-    }
-
-    if (certData.certs) PORT_Free(certData.certs);
-    return;
-}
-
-static void
-sftk_searchSMime(SFTKSlot *slot, SECItem *email, SFTKSearchResults *handles, 
-			CK_ATTRIBUTE *pTemplate, CK_LONG ulCount)
-{
-    NSSLOWCERTCertDBHandle *certHandle = NULL;
-    certDBEntrySMime *entry;
-
-    certHandle = sftk_getCertDB(slot);
-    if (certHandle == NULL) return;
-
-    if (email->data != NULL) {
-	char *tmp_name = (char*)PORT_Alloc(email->len+1);
-
-	if (tmp_name == NULL) {
-	    sftk_freeCertDB(certHandle);
-	    return;
-	}
-	PORT_Memcpy(tmp_name,email->data,email->len);
-	tmp_name[email->len] = 0;
-
-	entry = nsslowcert_ReadDBSMimeEntry(certHandle,tmp_name);
-	if (entry) {
-	    SECItem emailKey;
-
-	    emailKey.data = (unsigned char *)tmp_name;
-	    emailKey.len = PORT_Strlen(tmp_name)+1;
-	    emailKey.type = 0;
-	    sftk_addHandle(handles,
-		sftk_mkHandle(slot,&emailKey,SFTK_TOKEN_TYPE_SMIME));
-	    nsslowcert_DestroyDBEntry((certDBEntry *)entry);
-	}
-	PORT_Free(tmp_name);
-    }
-    sftk_freeCertDB(certHandle);
-    return;
-}
-
-static CK_RV
-sftk_searchTokenList(SFTKSlot *slot, SFTKSearchResults *search,
-	 		CK_ATTRIBUTE *pTemplate, CK_LONG ulCount, 
-			PRBool *tokenOnly, PRBool isLoggedIn)
-{
-    int i;
-    PRBool isKrl = PR_FALSE;
-    SECItem derCert = { siBuffer, NULL, 0 };
-    SECItem derSubject = { siBuffer, NULL, 0 };
-    SECItem name = { siBuffer, NULL, 0 };
-    SECItem email = { siBuffer, NULL, 0 };
-    SECItem key_id = { siBuffer, NULL, 0 };
-    SECItem cert_sha1_hash = { siBuffer, NULL, 0 };
-    SECItem cert_md5_hash  = { siBuffer, NULL, 0 };
-    NSSLOWCERTIssuerAndSN issuerSN = {
-	{ siBuffer, NULL, 0 },
-	{ siBuffer, NULL, 0 }
-    };
-    SECItem *copy = NULL;
-    unsigned long classFlags = 
-	NSC_CERT|NSC_TRUST|NSC_PRIVATE|NSC_PUBLIC|NSC_KEY|NSC_SMIME|NSC_CRL;
-
-    /* if we aren't logged in, don't look for private or secret keys */
-    if (!isLoggedIn) {
-	classFlags &= ~(NSC_PRIVATE|NSC_KEY);
-    }
-
-    /*
-     * look for things to search on token objects for. If the right options
-     * are specified, we can use them as direct indeces into the database
-     * (rather than using linear searches. We can also use the attributes to
-     * limit the kinds of objects we are searching for. Later we can use this
-     * array to filter the remaining objects more finely.
-     */
-    for (i=0 ;classFlags && i < (int)ulCount; i++) {
-
-	switch (pTemplate[i].type) {
-	case CKA_SUBJECT:
-	    copy = &derSubject;
-	    classFlags &= (NSC_CERT|NSC_PRIVATE|NSC_PUBLIC|NSC_SMIME|NSC_CRL);
-	    break;
-	case CKA_ISSUER: 
-	    copy = &issuerSN.derIssuer;
-	    classFlags &= (NSC_CERT|NSC_TRUST);
-	    break;
-	case CKA_SERIAL_NUMBER: 
-	    copy = &issuerSN.serialNumber;
-	    classFlags &= (NSC_CERT|NSC_TRUST);
-	    break;
-	case CKA_VALUE:
-	    copy = &derCert;
-	    classFlags &= (NSC_CERT|NSC_CRL|NSC_SMIME);
-	    break;
-	case CKA_LABEL:
-	    copy = &name;
-	    break;
-	case CKA_NETSCAPE_EMAIL:
-	    copy = &email;
-	    classFlags &= NSC_SMIME|NSC_CERT;
-	    break;
-	case CKA_NETSCAPE_SMIME_TIMESTAMP:
-	    classFlags &= NSC_SMIME;
-	    break;
-	case CKA_CLASS:
-	    if (pTemplate[i].ulValueLen != sizeof(CK_OBJECT_CLASS)) {
-		classFlags = 0;
-		break;;
-	    }
-	    switch (*((CK_OBJECT_CLASS *)pTemplate[i].pValue)) {
-	    case CKO_CERTIFICATE:
-		classFlags &= NSC_CERT;
-		break;
-	    case CKO_NETSCAPE_TRUST:
-		classFlags &= NSC_TRUST;
-		break;
-	    case CKO_NETSCAPE_CRL:
-		classFlags &= NSC_CRL;
-		break;
-	    case CKO_NETSCAPE_SMIME:
-		classFlags &= NSC_SMIME;
-		break;
-	    case CKO_PRIVATE_KEY:
-		classFlags &= NSC_PRIVATE;
-		break;
-	    case CKO_PUBLIC_KEY:
-		classFlags &= NSC_PUBLIC;
-		break;
-	    case CKO_SECRET_KEY:
-		classFlags &= NSC_KEY;
-		break;
-	    default:
-		classFlags = 0;
-		break;
-	    }
-	    break;
-	case CKA_PRIVATE:
-	    if (pTemplate[i].ulValueLen != sizeof(CK_BBOOL)) {
-		classFlags = 0;
-	    }
-	    if (*((CK_BBOOL *)pTemplate[i].pValue) == CK_TRUE) {
-		classFlags &= (NSC_PRIVATE|NSC_KEY);
-	    } else {
-		classFlags &= ~(NSC_PRIVATE|NSC_KEY);
-	    }
-	    break;
-	case CKA_SENSITIVE:
-	    if (pTemplate[i].ulValueLen != sizeof(CK_BBOOL)) {
-		classFlags = 0;
-	    }
-	    if (*((CK_BBOOL *)pTemplate[i].pValue) == CK_TRUE) {
-		classFlags &= (NSC_PRIVATE|NSC_KEY);
-	    } else {
-		classFlags = 0;
-	    }
-	    break;
-	case CKA_TOKEN:
-	    if (pTemplate[i].ulValueLen != sizeof(CK_BBOOL)) {
-		classFlags = 0;
-	    }
-	    if (*((CK_BBOOL *)pTemplate[i].pValue) == CK_TRUE) {
-		*tokenOnly = PR_TRUE;
-	    } else {
-		classFlags = 0;
-	    }
-	    break;
-	case CKA_CERT_SHA1_HASH:
-	    classFlags &= NSC_TRUST;
-	    copy = &cert_sha1_hash; break;
-	case CKA_CERT_MD5_HASH:
-	    classFlags &= NSC_TRUST;
-	    copy = &cert_md5_hash; break;
-	case CKA_CERTIFICATE_TYPE:
-	    if (pTemplate[i].ulValueLen != sizeof(CK_CERTIFICATE_TYPE)) {
-		classFlags = 0;
-	    }
-	    classFlags &= NSC_CERT;
-	    if (*((CK_CERTIFICATE_TYPE *)pTemplate[i].pValue) != CKC_X_509) {
-		classFlags = 0;
-	    }
-	    break;
-	case CKA_ID:
-	    copy = &key_id;
-	    classFlags &= (NSC_CERT|NSC_PRIVATE|NSC_KEY|NSC_PUBLIC);
-	    break;
-	case CKA_NETSCAPE_KRL:
-	    if (pTemplate[i].ulValueLen != sizeof(CK_BBOOL)) {
-		classFlags = 0;
-	    }
-	    classFlags &= NSC_CRL;
-	    isKrl = (PRBool)(*((CK_BBOOL *)pTemplate[i].pValue) == CK_TRUE);
-	    break;
-	case CKA_MODIFIABLE:
-	     break;
-	case CKA_KEY_TYPE:
-	case CKA_DERIVE:
-	    classFlags &= NSC_PUBLIC|NSC_PRIVATE|NSC_KEY;
-	    break;
-	case CKA_VERIFY_RECOVER:
-	    classFlags &= NSC_PUBLIC;
-	    break;
-	case CKA_SIGN_RECOVER:
-	    classFlags &= NSC_PRIVATE;
-	    break;
-	case CKA_ENCRYPT:
-	case CKA_VERIFY:
-	case CKA_WRAP:
-	    classFlags &= NSC_PUBLIC|NSC_KEY;
-	    break;
-	case CKA_DECRYPT:
-	case CKA_SIGN:
-	case CKA_UNWRAP:
-	case CKA_ALWAYS_SENSITIVE:
-	case CKA_EXTRACTABLE:
-	case CKA_NEVER_EXTRACTABLE:
-	    classFlags &= NSC_PRIVATE|NSC_KEY;
-	    break;
-	/* can't be a certificate if it doesn't match one of the above 
-	 * attributes */
-	default: 
-	     classFlags  = 0;
-	     break;
-	}
- 	if (copy) {
-	    copy->data = (unsigned char*)pTemplate[i].pValue;
-	    copy->len = pTemplate[i].ulValueLen;
-	}
-	copy = NULL;
-    }
-
-
-    /* certs */
-    if (classFlags & (NSC_CERT|NSC_TRUST)) {
-	sftk_searchCertsAndTrust(slot,&derCert,&name,&derSubject,
-				 &issuerSN, &email,classFlags,search, 
-				pTemplate, ulCount);
-    }
-
-    /* keys */
-    if (classFlags & (NSC_PRIVATE|NSC_PUBLIC|NSC_KEY)) {
-	PRBool mustStrict = ((classFlags & NSC_KEY) != 0) && (name.len != 0);
-	sftk_searchKeys(slot, &key_id, isLoggedIn, classFlags, search,
-			 mustStrict, pTemplate, ulCount);
-    }
-
-    /* crl's */
-    if (classFlags & NSC_CRL) {
-	sftk_searchCrls(slot, &derSubject, isKrl, classFlags, search,
-			pTemplate, ulCount);
-    }
-    /* Add S/MIME entry stuff */
-    if (classFlags & NSC_SMIME) {
-	sftk_searchSMime(slot, &email, search, pTemplate, ulCount);
-    }
-    return CKR_OK;
-}
-	
-
-/* NSC_FindObjectsInit initializes a search for token and session objects 
- * that match a template. */
-CK_RV NSC_FindObjectsInit(CK_SESSION_HANDLE hSession,
-    			CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount)
-{
-    SFTKSearchResults *search = NULL, *freeSearch = NULL;
-    SFTKSession *session = NULL;
-    SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
-    PRBool tokenOnly = PR_FALSE;
-    CK_RV crv = CKR_OK;
-    PRBool isLoggedIn;
-    
-    session = sftk_SessionFromHandle(hSession);
-    if (session == NULL) {
-	crv = CKR_SESSION_HANDLE_INVALID;
-	goto loser;
-    }
-   
-    search = (SFTKSearchResults *)PORT_Alloc(sizeof(SFTKSearchResults));
-    if (search == NULL) {
-	crv = CKR_HOST_MEMORY;
-	goto loser;
-    }
-    search->handles = (CK_OBJECT_HANDLE *)
-		PORT_Alloc(sizeof(CK_OBJECT_HANDLE) * NSC_SEARCH_BLOCK_SIZE);
-    if (search->handles == NULL) {
-	crv = CKR_HOST_MEMORY;
-	goto loser;
-    }
-    search->index = 0;
-    search->size = 0;
-    search->array_size = NSC_SEARCH_BLOCK_SIZE;
-    isLoggedIn = (PRBool)((!slot->needLogin) || slot->isLoggedIn);
-
-    crv = sftk_searchTokenList(slot, search, pTemplate, ulCount, &tokenOnly,
-								isLoggedIn);
-    if (crv != CKR_OK) {
-	goto loser;
-    }
-    
-    /* build list of found objects in the session */
-    if (!tokenOnly) {
-	crv = sftk_searchObjectList(search, slot->tokObjects, 
-				slot->tokObjHashSize, slot->objectLock, 
-					pTemplate, ulCount, isLoggedIn);
-    }
-    if (crv != CKR_OK) {
-	goto loser;
-    }
-
-    if ((freeSearch = session->search) != NULL) {
-	session->search = NULL;
-	sftk_FreeSearch(freeSearch);
-    }
-    session->search = search;
-    sftk_FreeSession(session);
-    return CKR_OK;
-
-loser:
-    if (search) {
-	sftk_FreeSearch(search);
-    }
-    if (session) {
-	sftk_FreeSession(session);
-    }
-    return crv;
-}
-
-
-/* NSC_FindObjects continues a search for token and session objects 
- * that match a template, obtaining additional object handles. */
-CK_RV NSC_FindObjects(CK_SESSION_HANDLE hSession,
-    CK_OBJECT_HANDLE_PTR phObject,CK_ULONG ulMaxObjectCount,
-    					CK_ULONG_PTR pulObjectCount)
-{
-    SFTKSession *session;
-    SFTKSearchResults *search;
-    int	transfer;
-    int left;
-
-    *pulObjectCount = 0;
-    session = sftk_SessionFromHandle(hSession);
-    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
-    if (session->search == NULL) {
-	sftk_FreeSession(session);
-	return CKR_OK;
-    }
-    search = session->search;
-    left = session->search->size - session->search->index;
-    transfer = ((int)ulMaxObjectCount > left) ? left : ulMaxObjectCount;
-    if (transfer > 0) {
-	PORT_Memcpy(phObject,&search->handles[search->index],
-                                        transfer*sizeof(CK_OBJECT_HANDLE_PTR));
-    } else {
-       *phObject = CK_INVALID_HANDLE;
-    }
-
-    search->index += transfer;
-    if (search->index == search->size) {
-	session->search = NULL;
-	sftk_FreeSearch(search);
-    }
-    *pulObjectCount = transfer;
-    sftk_FreeSession(session);
-    return CKR_OK;
-}
-
-/* NSC_FindObjectsFinal finishes a search for token and session objects. */
-CK_RV NSC_FindObjectsFinal(CK_SESSION_HANDLE hSession)
-{
-    SFTKSession *session;
-    SFTKSearchResults *search;
-
-    session = sftk_SessionFromHandle(hSession);
-    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
-    search = session->search;
-    session->search = NULL;
-    sftk_FreeSession(session);
-    if (search != NULL) {
-	sftk_FreeSearch(search);
-    }
-    return CKR_OK;
-}
-
-
-
-CK_RV NSC_WaitForSlotEvent(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot,
-							 CK_VOID_PTR pReserved)
-{
-    return CKR_FUNCTION_NOT_SUPPORTED;
-}
diff --git a/security/nss/lib/softoken/pkcs11.h b/security/nss/lib/softoken/pkcs11.h
deleted file mode 100644
index 9352fc1c6..000000000
--- a/security/nss/lib/softoken/pkcs11.h
+++ /dev/null
@@ -1,323 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   RSA Labs
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
- * is granted provided that it is identified as "RSA Security In.c Public-Key
- * Cryptography Standards (PKCS)" in all material mentioning or referencing
- * this document.
- *
- * The latest version of this header can be found at:
- *    http://www.rsalabs.com/pkcs/pkcs-11/index.html
- */
-#ifndef _PKCS11_H_
-#define _PKCS11_H_ 1
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* Before including this file (pkcs11.h) (or pkcs11t.h by
- * itself), 6 platform-specific macros must be defined.  These
- * macros are described below, and typical definitions for them
- * are also given.  Be advised that these definitions can depend
- * on both the platform and the compiler used (and possibly also
- * on whether a PKCS #11 library is linked statically or
- * dynamically).
- *
- * In addition to defining these 6 macros, the packing convention
- * for PKCS #11 structures should be set.  The PKCS #11
- * convention on packing is that structures should be 1-byte
- * aligned.
- *
- * In a Win32 environment, this might be done by using the
- * following preprocessor directive before including pkcs11.h
- * or pkcs11t.h:
- *
- * #pragma pack(push, cryptoki, 1)
- *
- * and using the following preprocessor directive after including
- * pkcs11.h or pkcs11t.h:
- *
- * #pragma pack(pop, cryptoki)
- *
- * In a Win16 environment, this might be done by using the
- * following preprocessor directive before including pkcs11.h
- * or pkcs11t.h:
- *
- * #pragma pack(1)
- *
- * In a UNIX environment, you're on your own here.  You might
- * not need to do anything.
- *
- *
- * Now for the macros:
- *
- *
- * 1. CK_PTR: The indirection string for making a pointer to an
- * object.  It can be used like this:
- *
- * typedef CK_BYTE CK_PTR CK_BYTE_PTR;
- *
- * In a Win32 environment, it might be defined by
- *
- * #define CK_PTR *
- *
- * In a Win16 environment, it might be defined by
- *
- * #define CK_PTR far *
- *
- * In a UNIX environment, it might be defined by
- *
- * #define CK_PTR *
- *
- *
- * 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes
- * an exportable PKCS #11 library function definition out of a
- * return type and a function name.  It should be used in the
- * following fashion to define the exposed PKCS #11 functions in
- * a PKCS #11 library:
- *
- * CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(
- *   CK_VOID_PTR pReserved
- * )
- * {
- *   ...
- * }
- *
- * For defining a function in a Win32 PKCS #11 .dll, it might be
- * defined by
- *
- * #define CK_DEFINE_FUNCTION(returnType, name) \
- *   returnType __declspec(dllexport) name
- *
- * For defining a function in a Win16 PKCS #11 .dll, it might be
- * defined by
- *
- * #define CK_DEFINE_FUNCTION(returnType, name) \
- *   returnType __export _far _pascal name
- *
- * In a UNIX environment, it might be defined by
- *
- * #define CK_DEFINE_FUNCTION(returnType, name) \
- *   returnType name
- *
- *
- * 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
- * an importable PKCS #11 library function declaration out of a
- * return type and a function name.  It should be used in the
- * following fashion:
- *
- * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)(
- *   CK_VOID_PTR pReserved
- * );
- *
- * For declaring a function in a Win32 PKCS #11 .dll, it might
- * be defined by
- *
- * #define CK_DECLARE_FUNCTION(returnType, name) \
- *   returnType __declspec(dllimport) name
- *
- * For declaring a function in a Win16 PKCS #11 .dll, it might
- * be defined by
- *
- * #define CK_DECLARE_FUNCTION(returnType, name) \
- *   returnType __export _far _pascal name
- *
- * In a UNIX environment, it might be defined by
- *
- * #define CK_DECLARE_FUNCTION(returnType, name) \
- *   returnType name
- *
- *
- * 4. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
- * which makes a PKCS #11 API function pointer declaration or
- * function pointer type declaration out of a return type and a
- * function name.  It should be used in the following fashion:
- *
- * // Define funcPtr to be a pointer to a PKCS #11 API function
- * // taking arguments args and returning CK_RV.
- * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args);
- *
- * or
- *
- * // Define funcPtrType to be the type of a pointer to a
- * // PKCS #11 API function taking arguments args and returning
- * // CK_RV, and then define funcPtr to be a variable of type
- * // funcPtrType.
- * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args);
- * funcPtrType funcPtr;
- *
- * For accessing functions in a Win32 PKCS #11 .dll, in might be
- * defined by
- *
- * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
- *   returnType __declspec(dllimport) (* name)
- *
- * For accessing functions in a Win16 PKCS #11 .dll, it might be
- * defined by
- *
- * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
- *   returnType __export _far _pascal (* name)
- *
- * In a UNIX environment, it might be defined by
- *
- * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
- *   returnType (* name)
- *
- *
- * 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
- * a function pointer type for an application callback out of
- * a return type for the callback and a name for the callback.
- * It should be used in the following fashion:
- *
- * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args);
- *
- * to declare a function pointer, myCallback, to a callback
- * which takes arguments args and returns a CK_RV.  It can also
- * be used like this:
- *
- * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args);
- * myCallbackType myCallback;
- *
- * In a Win32 environment, it might be defined by
- *
- * #define CK_CALLBACK_FUNCTION(returnType, name) \
- *   returnType (* name)
- *
- * In a Win16 environment, it might be defined by
- *
- * #define CK_CALLBACK_FUNCTION(returnType, name) \
- *   returnType _far _pascal (* name)
- *
- * In a UNIX environment, it might be defined by
- *
- * #define CK_CALLBACK_FUNCTION(returnType, name) \
- *   returnType (* name)
- *
- *
- * 6. NULL_PTR: This macro is the value of a NULL pointer.
- *
- * In any ANSI/ISO C environment (and in many others as well),
- * this should be defined by
- *
- * #ifndef NULL_PTR
- * #define NULL_PTR 0
- * #endif
- */
-
-
-/* All the various PKCS #11 types and #define'd values are in the
- * file pkcs11t.h. */
-#include "pkcs11t.h"
-
-#define __PASTE(x,y)      x##y
-
-
-/* packing defines */
-#include "pkcs11p.h"
-/* ==============================================================
- * Define the "extern" form of all the entry points.
- * ==============================================================
- */
-
-#define CK_NEED_ARG_LIST  1
-#define CK_PKCS11_FUNCTION_INFO(name) \
-  CK_DECLARE_FUNCTION(CK_RV, name)
-
-/* pkcs11f.h has all the information about the PKCS #11
- * function prototypes. */
-#include "pkcs11f.h"
-
-#undef CK_NEED_ARG_LIST
-#undef CK_PKCS11_FUNCTION_INFO
-
-
-/* ==============================================================
- * Define the typedef form of all the entry points.  That is, for
- * each PKCS #11 function C_XXX, define a type CK_C_XXX which is
- * a pointer to that kind of function.
- * ==============================================================
- */
-
-#define CK_NEED_ARG_LIST  1
-#define CK_PKCS11_FUNCTION_INFO(name) \
-  typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name))
-
-/* pkcs11f.h has all the information about the PKCS #11
- * function prototypes. */
-#include "pkcs11f.h"
-
-#undef CK_NEED_ARG_LIST
-#undef CK_PKCS11_FUNCTION_INFO
-
-
-/* ==============================================================
- * Define structed vector of entry points.  A CK_FUNCTION_LIST
- * contains a CK_VERSION indicating a library's PKCS #11 version
- * and then a whole slew of function pointers to the routines in
- * the library.  This type was declared, but not defined, in
- * pkcs11t.h.
- * ==============================================================
- */
-
-#define CK_PKCS11_FUNCTION_INFO(name) \
-  __PASTE(CK_,name) name;
-  
-struct CK_FUNCTION_LIST {
-
-  CK_VERSION    version;  /* PKCS #11 version */
-
-/* Pile all the function pointers into the CK_FUNCTION_LIST. */
-/* pkcs11f.h has all the information about the PKCS #11
- * function prototypes. */
-#include "pkcs11f.h" 
-
-};
-
-#undef CK_PKCS11_FUNCTION_INFO
-
-
-#undef __PASTE
-
-/* unpack */
-#include "pkcs11u.h"
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c
deleted file mode 100644
index 56eb1814c..000000000
--- a/security/nss/lib/softoken/pkcs11c.c
+++ /dev/null
@@ -1,5708 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Stephen Henson <stephen.henson@gemplus.com>
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * This file implements PKCS 11 on top of our existing security modules
- *
- * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
- *   This implementation has two slots:
- *	slot 1 is our generic crypto support. It does not require login.
- *   It supports Public Key ops, and all they bulk ciphers and hashes. 
- *   It can also support Private Key ops for imported Private keys. It does 
- *   not have any token storage.
- *	slot 2 is our private key support. It requires a login before use. It
- *   can store Private Keys and Certs as token objects. Currently only private
- *   keys and their associated Certificates are saved on the token.
- *
- *   In this implementation, session objects are only visible to the session
- *   that created or generated them.
- */
-#include "seccomon.h"
-#include "secitem.h"
-#include "secport.h"
-#include "blapi.h"
-#include "pqgutil.h"
-#include "pkcs11.h"
-#include "pkcs11i.h"
-#include "lowkeyi.h"
-#include "pcert.h"
-#include "sechash.h"
-#include "secder.h"
-#include "secdig.h"
-#include "lowpbe.h"	/* We do PBE below */
-#include "pkcs11t.h"
-#include "secoid.h"
-#include "alghmac.h"
-#include "softoken.h"
-#include "secasn1.h"
-#include "secerr.h"
-
-#include "pcert.h"
-#include "ssl3prot.h" 	/* for SSL3_RANDOM_LENGTH */
-
-#define __PASTE(x,y)    x##y
-
-/*
- * we renamed all our internal functions, get the correct
- * definitions for them...
- */ 
-#undef CK_PKCS11_FUNCTION_INFO
-#undef CK_NEED_ARG_LIST
-
-#define CK_EXTERN extern
-#define CK_PKCS11_FUNCTION_INFO(func) \
-		CK_RV __PASTE(NS,func)
-#define CK_NEED_ARG_LIST	1
- 
-#include "pkcs11f.h"
-
-static void sftk_Null(void *data, PRBool freeit)
-{
-    return;
-} 
-
-#ifdef NSS_ENABLE_ECC
-extern SECStatus EC_DecodeParams(const SECItem *encodedParams, 
-				 ECParams **ecparams);
-#ifdef EC_DEBUG
-#define SEC_PRINT(str1, str2, num, sitem) \
-    printf("pkcs11c.c:%s:%s (keytype=%d) [len=%d]\n", \
-            str1, str2, num, sitem->len); \
-    for (i = 0; i < sitem->len; i++) { \
-	    printf("%02x:", sitem->data[i]); \
-    } \
-    printf("\n") 
-#else
-#define SEC_PRINT(a, b, c, d) 
-#endif
-#endif /* NSS_ENABLE_ECC */
-
-/*
- * free routines.... Free local type  allocated data, and convert
- * other free routines to the destroy signature.
- */
-static void
-sftk_FreePrivKey(NSSLOWKEYPrivateKey *key, PRBool freeit)
-{
-    nsslowkey_DestroyPrivateKey(key);
-}
-
-static void
-sftk_Space(void *data, PRBool freeit)
-{
-    PORT_Free(data);
-} 
-
-
-/*
- * turn a CDMF key into a des key. CDMF is an old IBM scheme to export DES by
- * Deprecating a full des key to 40 bit key strenth.
- */
-static CK_RV
-sftk_cdmf2des(unsigned char *cdmfkey, unsigned char *deskey)
-{
-    unsigned char key1[8] = { 0xc4, 0x08, 0xb0, 0x54, 0x0b, 0xa1, 0xe0, 0xae };
-    unsigned char key2[8] = { 0xef, 0x2c, 0x04, 0x1c, 0xe6, 0x38, 0x2f, 0xe6 };
-    unsigned char enc_src[8];
-    unsigned char enc_dest[8];
-    unsigned int leng,i;
-    DESContext *descx;
-    SECStatus rv;
-    
-    
-    /* zero the parity bits */
-    for (i=0; i < 8; i++) {
-	enc_src[i] = cdmfkey[i] & 0xfe;
-    }
-
-    /* encrypt with key 1 */
-    descx = DES_CreateContext(key1, NULL, NSS_DES, PR_TRUE);
-    if (descx == NULL) return CKR_HOST_MEMORY;
-    rv = DES_Encrypt(descx, enc_dest, &leng, 8, enc_src, 8);
-    DES_DestroyContext(descx,PR_TRUE);
-    if (rv != SECSuccess) return CKR_DEVICE_ERROR;
-
-    /* xor source with des, zero the parity bits and depricate the key*/
-    for (i=0; i < 8; i++) {
-	if (i & 1) {
-	    enc_src[i] = (enc_src[i] ^ enc_dest[i]) & 0xfe;
-	} else {
-	    enc_src[i] = (enc_src[i] ^ enc_dest[i]) & 0x0e;
-	}
-    }
-
-    /* encrypt with key 2 */
-    descx = DES_CreateContext(key2, NULL, NSS_DES, PR_TRUE);
-    if (descx == NULL) return CKR_HOST_MEMORY;
-    rv = DES_Encrypt(descx, deskey, &leng, 8, enc_src, 8);
-    DES_DestroyContext(descx,PR_TRUE);
-    if (rv != SECSuccess) return CKR_DEVICE_ERROR;
-
-    /* set the corret parity on our new des key */	
-    sftk_FormatDESKey(deskey, 8);
-    return CKR_OK;
-}
-
-
-/* NSC_DestroyObject destroys an object. */
-CK_RV
-NSC_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject)
-{
-    SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
-    SFTKSession *session;
-    SFTKObject *object;
-    SFTKFreeStatus status;
-
-    /*
-     * This whole block just makes sure we really can destroy the
-     * requested object.
-     */
-    session = sftk_SessionFromHandle(hSession);
-    if (session == NULL) {
-        return CKR_SESSION_HANDLE_INVALID;
-    }
-
-    object = sftk_ObjectFromHandle(hObject,session);
-    if (object == NULL) {
-	sftk_FreeSession(session);
-	return CKR_OBJECT_HANDLE_INVALID;
-    }
-
-    /* don't destroy a private object if we aren't logged in */
-    if ((!slot->isLoggedIn) && (slot->needLogin) &&
-				(sftk_isTrue(object,CKA_PRIVATE))) {
-	sftk_FreeSession(session);
-	sftk_FreeObject(object);
-	return CKR_USER_NOT_LOGGED_IN;
-    }
-
-    /* don't destroy a token object if we aren't in a rw session */
-
-    if (((session->info.flags & CKF_RW_SESSION) == 0) &&
-				(sftk_isTrue(object,CKA_TOKEN))) {
-	sftk_FreeSession(session);
-	sftk_FreeObject(object);
-	return CKR_SESSION_READ_ONLY;
-    }
-
-    sftk_DeleteObject(session,object);
-
-    sftk_FreeSession(session);
-
-    /*
-     * get some indication if the object is destroyed. Note: this is not
-     * 100%. Someone may have an object reference outstanding (though that
-     * should not be the case by here. Also note that the object is "half"
-     * destroyed. Our internal representation is destroyed, but it may still
-     * be in the data base.
-     */
-    status = sftk_FreeObject(object);
-
-    return (status != SFTK_DestroyFailure) ? CKR_OK : CKR_DEVICE_ERROR;
-}
-
-
-/*
- ************** Crypto Functions:     Utilities ************************
- */
-
-
-/* 
- * return a context based on the SFTKContext type.
- */
-SFTKSessionContext *
-sftk_ReturnContextByType(SFTKSession *session, SFTKContextType type)
-{
-    switch (type) {
-	case SFTK_ENCRYPT:
-	case SFTK_DECRYPT:
-	    return session->enc_context;
-	case SFTK_HASH:
-	    return session->hash_context;
-	case SFTK_SIGN:
-	case SFTK_SIGN_RECOVER:
-	case SFTK_VERIFY:
-	case SFTK_VERIFY_RECOVER:
-	    return session->hash_context;
-    }
-    return NULL;
-}
-
-/* 
- * change a context based on the SFTKContext type.
- */
-void
-sftk_SetContextByType(SFTKSession *session, SFTKContextType type, 
-						SFTKSessionContext *context)
-{
-    switch (type) {
-	case SFTK_ENCRYPT:
-	case SFTK_DECRYPT:
-	    session->enc_context = context;
-	    break;
-	case SFTK_HASH:
-	    session->hash_context = context;
-	    break;
-	case SFTK_SIGN:
-	case SFTK_SIGN_RECOVER:
-	case SFTK_VERIFY:
-	case SFTK_VERIFY_RECOVER:
-	    session->hash_context = context;
-	    break;
-    }
-    return;
-}
-
-/*
- * code to grab the context. Needed by every C_XXXUpdate, C_XXXFinal,
- * and C_XXX function. The function takes a session handle, the context type,
- * and wether or not the session needs to be multipart. It returns the context,
- * and optionally returns the session pointer (if sessionPtr != NULL) if session
- * pointer is returned, the caller is responsible for freeing it.
- */
-static CK_RV
-sftk_GetContext(CK_SESSION_HANDLE handle,SFTKSessionContext **contextPtr,
-	SFTKContextType type, PRBool needMulti, SFTKSession **sessionPtr)
-{
-    SFTKSession *session;
-    SFTKSessionContext *context;
-
-    session = sftk_SessionFromHandle(handle);
-    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
-    context = sftk_ReturnContextByType(session,type);
-    /* make sure the context is valid */
-    if((context==NULL)||(context->type!=type)||(needMulti&&!(context->multi))){
-        sftk_FreeSession(session);
-	return CKR_OPERATION_NOT_INITIALIZED;
-    }
-    *contextPtr = context;
-    if (sessionPtr != NULL) {
-	*sessionPtr = session;
-    } else {
-	sftk_FreeSession(session);
-    }
-    return CKR_OK;
-}
-
-/*
- ************** Crypto Functions:     Encrypt ************************
- */
-
-/*
- * All the NSC_InitXXX functions have a set of common checks and processing they
- * all need to do at the beginning. This is done here.
- */
-static CK_RV
-sftk_InitGeneric(SFTKSession *session,SFTKSessionContext **contextPtr,
-		 SFTKContextType ctype,SFTKObject **keyPtr,
-		 CK_OBJECT_HANDLE hKey, CK_KEY_TYPE *keyTypePtr,
-		 CK_OBJECT_CLASS pubKeyType, CK_ATTRIBUTE_TYPE operation)
-{
-    SFTKObject *key = NULL;
-    SFTKAttribute *att;
-    SFTKSessionContext *context;
-
-    /* We can only init if there is not current context active */
-    if (sftk_ReturnContextByType(session,ctype) != NULL) {
-	return CKR_OPERATION_ACTIVE;
-    }
-
-    /* find the key */
-    if (keyPtr) {
-        key = sftk_ObjectFromHandle(hKey,session);
-        if (key == NULL) {
-	    return CKR_KEY_HANDLE_INVALID;
-    	}
-
-	/* make sure it's a valid  key for this operation */
-	if (((key->objclass != CKO_SECRET_KEY) && (key->objclass != pubKeyType))
-					|| !sftk_isTrue(key,operation)) {
-	    sftk_FreeObject(key);
-	    return CKR_KEY_TYPE_INCONSISTENT;
-	}
-	/* get the key type */
-	att = sftk_FindAttribute(key,CKA_KEY_TYPE);
-	if (att == NULL) {
-	    sftk_FreeObject(key);
-	    return CKR_KEY_TYPE_INCONSISTENT;
-	}
-	PORT_Assert(att->attrib.ulValueLen == sizeof(CK_KEY_TYPE));
-	if (att->attrib.ulValueLen != sizeof(CK_KEY_TYPE)) {
-	    sftk_FreeAttribute(att);
-	    sftk_FreeObject(key);
-	    return CKR_ATTRIBUTE_VALUE_INVALID;
-	}
-	PORT_Memcpy(keyTypePtr, att->attrib.pValue, sizeof(CK_KEY_TYPE));
-	sftk_FreeAttribute(att);
-	*keyPtr = key;
-    }
-
-    /* allocate the context structure */
-    context = (SFTKSessionContext *)PORT_Alloc(sizeof(SFTKSessionContext));
-    if (context == NULL) {
-	if (key) sftk_FreeObject(key);
-	return CKR_HOST_MEMORY;
-    }
-    context->type = ctype;
-    context->multi = PR_TRUE;
-    context->cipherInfo = NULL;
-    context->hashInfo = NULL;
-    context->doPad = PR_FALSE;
-    context->padDataLength = 0;
-    context->key = key;
-    context->blockSize = 0;
-
-    *contextPtr = context;
-    return CKR_OK;
-}
-
-/* NSC_CryptInit initializes an encryption/Decryption operation. */
-/* This function is used by NSC_EncryptInit, NSC_DecryptInit, 
- *                          NSC_WrapKey, NSC_UnwrapKey, 
- *                          NSC_SignInit, NSC_VerifyInit (via sftk_InitCBCMac),
- * The only difference in their uses is the value of etype.
- */
-static CK_RV
-sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
-		 CK_OBJECT_HANDLE hKey, CK_ATTRIBUTE_TYPE etype,
-		 SFTKContextType contextType, PRBool isEncrypt)
-{
-    SFTKSession *session;
-    SFTKObject *key;
-    SFTKSessionContext *context;
-    SFTKAttribute *att;
-    CK_RC2_CBC_PARAMS *rc2_param;
-#if NSS_SOFTOKEN_DOES_RC5
-    CK_RC5_CBC_PARAMS *rc5_param;
-    SECItem rc5Key;
-#endif
-    CK_KEY_TYPE key_type;
-    CK_RV crv = CKR_OK;
-    unsigned effectiveKeyLength;
-    unsigned char newdeskey[24];
-    PRBool useNewKey=PR_FALSE;
-    int t;
-
-    crv = sftk_MechAllowsOperation(pMechanism->mechanism, etype);
-    if (crv != CKR_OK) 
-    	return crv;
-
-    session = sftk_SessionFromHandle(hSession);
-    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
-
-    crv = sftk_InitGeneric(session,&context,contextType,&key,hKey,&key_type,
-    			isEncrypt ?CKO_PUBLIC_KEY:CKO_PRIVATE_KEY, etype);
-						
-    if (crv != CKR_OK) {
-	sftk_FreeSession(session);
-	return crv;
-    }
-
-    context->doPad = PR_FALSE;
-    switch(pMechanism->mechanism) {
-    case CKM_RSA_PKCS:
-    case CKM_RSA_X_509:
-	if (key_type != CKK_RSA) {
-	    crv = CKR_KEY_TYPE_INCONSISTENT;
-	    break;
-	}
-	context->multi = PR_FALSE;
-	context->cipherInfo =  isEncrypt ? 
-			(void *)sftk_GetPubKey(key,CKK_RSA,&crv) :
-				(void *)sftk_GetPrivKey(key,CKK_RSA,&crv);
-	if (context->cipherInfo == NULL) {
-	    break;
-	}
-	if (isEncrypt) {
-	    context->update = (SFTKCipher) 
-		(pMechanism->mechanism == CKM_RSA_X_509
-					? RSA_EncryptRaw : RSA_EncryptBlock);
-	} else {
-	    context->update = (SFTKCipher) 
-		(pMechanism->mechanism == CKM_RSA_X_509
-					? RSA_DecryptRaw : RSA_DecryptBlock);
-	}
-	context->destroy = sftk_Null;
-	break;
-    case CKM_RC2_CBC_PAD:
-	context->doPad = PR_TRUE;
-	/* fall thru */
-    case CKM_RC2_ECB:
-    case CKM_RC2_CBC:
-	context->blockSize = 8;
-	if (key_type != CKK_RC2) {
-	    crv = CKR_KEY_TYPE_INCONSISTENT;
-	    break;
-	}
-	att = sftk_FindAttribute(key,CKA_VALUE);
-	if (att == NULL) {
-	    crv = CKR_KEY_HANDLE_INVALID;
-	    break;
-	}
-	rc2_param = (CK_RC2_CBC_PARAMS *)pMechanism->pParameter;
-	effectiveKeyLength = (rc2_param->ulEffectiveBits+7)/8;
-	context->cipherInfo = 
-	    RC2_CreateContext((unsigned char*)att->attrib.pValue,
-			      att->attrib.ulValueLen, rc2_param->iv,
-			      pMechanism->mechanism == CKM_RC2_ECB ? NSS_RC2 :
-			      NSS_RC2_CBC,effectiveKeyLength);
-	sftk_FreeAttribute(att);
-	if (context->cipherInfo == NULL) {
-	    crv = CKR_HOST_MEMORY;
-	    break;
-	}
-	context->update = (SFTKCipher) (isEncrypt ? RC2_Encrypt : RC2_Decrypt);
-	context->destroy = (SFTKDestroy) RC2_DestroyContext;
-	break;
-#if NSS_SOFTOKEN_DOES_RC5
-    case CKM_RC5_CBC_PAD:
-	context->doPad = PR_TRUE;
-	/* fall thru */
-    case CKM_RC5_ECB:
-    case CKM_RC5_CBC:
-	if (key_type != CKK_RC5) {
-	    crv = CKR_KEY_TYPE_INCONSISTENT;
-	    break;
-	}
-	att = sftk_FindAttribute(key,CKA_VALUE);
-	if (att == NULL) {
-	    crv = CKR_KEY_HANDLE_INVALID;
-	    break;
-	}
-	rc5_param = (CK_RC5_CBC_PARAMS *)pMechanism->pParameter;
-	context->blockSize = rc5_param->ulWordsize*2;
-	rc5Key.data = (unsigned char*)att->attrib.pValue;
-	rc5Key.len = att->attrib.ulValueLen;
-	context->cipherInfo = RC5_CreateContext(&rc5Key,rc5_param->ulRounds,
-	   rc5_param->ulWordsize,rc5_param->pIv,
-		 pMechanism->mechanism == CKM_RC5_ECB ? NSS_RC5 : NSS_RC5_CBC);
-	sftk_FreeAttribute(att);
-	if (context->cipherInfo == NULL) {
-	    crv = CKR_HOST_MEMORY;
-	    break;
-	}
-	context->update = (SFTKCipher) (isEncrypt ? RC5_Encrypt : RC5_Decrypt);
-	context->destroy = (SFTKDestroy) RC5_DestroyContext;
-	break;
-#endif
-    case CKM_RC4:
-	if (key_type != CKK_RC4) {
-	    crv = CKR_KEY_TYPE_INCONSISTENT;
-	    break;
-	}
-	att = sftk_FindAttribute(key,CKA_VALUE);
-	if (att == NULL) {
-	    crv = CKR_KEY_HANDLE_INVALID;
-	    break;
-	}
-	context->cipherInfo = 
-	    RC4_CreateContext((unsigned char*)att->attrib.pValue,
-			      att->attrib.ulValueLen);
-	sftk_FreeAttribute(att);
-	if (context->cipherInfo == NULL) {
-	    crv = CKR_HOST_MEMORY;  /* WRONG !!! */
-	    break;
-	}
-	context->update = (SFTKCipher) (isEncrypt ? RC4_Encrypt : RC4_Decrypt);
-	context->destroy = (SFTKDestroy) RC4_DestroyContext;
-	break;
-    case CKM_CDMF_CBC_PAD:
-	context->doPad = PR_TRUE;
-	/* fall thru */
-    case CKM_CDMF_ECB:
-    case CKM_CDMF_CBC:
-	if (key_type != CKK_CDMF) {
-	    crv = CKR_KEY_TYPE_INCONSISTENT;
-	    break;
-	}
-	t = (pMechanism->mechanism == CKM_CDMF_ECB) ? NSS_DES : NSS_DES_CBC;
-	if (crv != CKR_OK) break;
-	goto finish_des;
-    case CKM_DES_ECB:
-	if (key_type != CKK_DES) {
-	    crv = CKR_KEY_TYPE_INCONSISTENT;
-	    break;
-	}
-	t = NSS_DES;
-	goto finish_des;
-    case CKM_DES_CBC_PAD:
-	context->doPad = PR_TRUE;
-	/* fall thru */
-    case CKM_DES_CBC:
-	if (key_type != CKK_DES) {
-	    crv = CKR_KEY_TYPE_INCONSISTENT;
-	    break;
-	}
-	t = NSS_DES_CBC;
-	goto finish_des;
-    case CKM_DES3_ECB:
-	if ((key_type != CKK_DES2) && (key_type != CKK_DES3)) {
-	    crv = CKR_KEY_TYPE_INCONSISTENT;
-	    break;
-	}
-	t = NSS_DES_EDE3;
-	goto finish_des;
-    case CKM_DES3_CBC_PAD:
-	context->doPad = PR_TRUE;
-	/* fall thru */
-    case CKM_DES3_CBC:
-	if ((key_type != CKK_DES2) && (key_type != CKK_DES3)) {
-	    crv = CKR_KEY_TYPE_INCONSISTENT;
-	    break;
-	}
-	t = NSS_DES_EDE3_CBC;
-finish_des:
-	context->blockSize = 8;
-	att = sftk_FindAttribute(key,CKA_VALUE);
-	if (att == NULL) {
-	    crv = CKR_KEY_HANDLE_INVALID;
-	    break;
-	}
-	if (key_type == CKK_DES2 && 
-            (t == NSS_DES_EDE3_CBC || t == NSS_DES_EDE3)) {
-	    /* extend DES2 key to DES3 key. */
-	    memcpy(newdeskey, att->attrib.pValue, 16);
-	    memcpy(newdeskey + 16, newdeskey, 8);
-	    useNewKey=PR_TRUE;
-	} else if (key_type == CKK_CDMF) {
-	    crv = sftk_cdmf2des((unsigned char*)att->attrib.pValue,newdeskey);
-	    if (crv != CKR_OK) {
-		sftk_FreeAttribute(att);
-		break;
-	    }
-	    useNewKey=PR_TRUE;
-	}
-	context->cipherInfo = DES_CreateContext(
-		useNewKey ? newdeskey : (unsigned char*)att->attrib.pValue,
-		(unsigned char*)pMechanism->pParameter,t, isEncrypt);
-	if (useNewKey) 
-	    memset(newdeskey, 0, sizeof newdeskey);
-	sftk_FreeAttribute(att);
-	if (context->cipherInfo == NULL) {
-	    crv = CKR_HOST_MEMORY;
-	    break;
-	}
-	context->update = (SFTKCipher) (isEncrypt ? DES_Encrypt : DES_Decrypt);
-	context->destroy = (SFTKDestroy) DES_DestroyContext;
-	break;
-
-    case CKM_AES_CBC_PAD:
-	context->doPad = PR_TRUE;
-	/* fall thru */
-    case CKM_AES_ECB:
-    case CKM_AES_CBC:
-	context->blockSize = 16;
-	if (key_type != CKK_AES) {
-	    crv = CKR_KEY_TYPE_INCONSISTENT;
-	    break;
-	}
-	att = sftk_FindAttribute(key,CKA_VALUE);
-	if (att == NULL) {
-	    crv = CKR_KEY_HANDLE_INVALID;
-	    break;
-	}
-	context->cipherInfo = AES_CreateContext(
-	    (unsigned char*)att->attrib.pValue,
-	    (unsigned char*)pMechanism->pParameter,
-	    pMechanism->mechanism == CKM_AES_ECB ? NSS_AES : NSS_AES_CBC,
-	    isEncrypt, att->attrib.ulValueLen, 16);
-	sftk_FreeAttribute(att);
-	if (context->cipherInfo == NULL) {
-	    crv = CKR_HOST_MEMORY;
-	    break;
-	}
-	context->update = (SFTKCipher) (isEncrypt ? AES_Encrypt : AES_Decrypt);
-	context->destroy = (SFTKDestroy) AES_DestroyContext;
-	break;
-
-    case CKM_NETSCAPE_AES_KEY_WRAP_PAD:
-    	context->doPad = PR_TRUE;
-	/* fall thru */
-    case CKM_NETSCAPE_AES_KEY_WRAP:
-	context->multi = PR_FALSE;
-	context->blockSize = 8;
-	if (key_type != CKK_AES) {
-	    crv = CKR_KEY_TYPE_INCONSISTENT;
-	    break;
-	}
-	att = sftk_FindAttribute(key,CKA_VALUE);
-	if (att == NULL) {
-	    crv = CKR_KEY_HANDLE_INVALID;
-	    break;
-	}
-	context->cipherInfo = AESKeyWrap_CreateContext(
-	    (unsigned char*)att->attrib.pValue,
-	    (unsigned char*)pMechanism->pParameter,
-	    isEncrypt, att->attrib.ulValueLen);
-	sftk_FreeAttribute(att);
-	if (context->cipherInfo == NULL) {
-	    crv = CKR_HOST_MEMORY;
-	    break;
-	}
-	context->update = (SFTKCipher) (isEncrypt ? AESKeyWrap_Encrypt 
-	                                          : AESKeyWrap_Decrypt);
-	context->destroy = (SFTKDestroy) AESKeyWrap_DestroyContext;
-	break;
-
-    default:
-	crv = CKR_MECHANISM_INVALID;
-	break;
-    }
-
-    if (crv != CKR_OK) {
-        sftk_FreeContext(context);
-	sftk_FreeSession(session);
-	return crv;
-    }
-    sftk_SetContextByType(session, contextType, context);
-    sftk_FreeSession(session);
-    return CKR_OK;
-}
-
-/* NSC_EncryptInit initializes an encryption operation. */
-CK_RV NSC_EncryptInit(CK_SESSION_HANDLE hSession,
-		 CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
-{
-    return sftk_CryptInit(hSession, pMechanism, hKey, CKA_ENCRYPT, 
-						SFTK_ENCRYPT, PR_TRUE);
-}
-
-/* NSC_EncryptUpdate continues a multiple-part encryption operation. */
-CK_RV NSC_EncryptUpdate(CK_SESSION_HANDLE hSession,
-    CK_BYTE_PTR pPart, CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart,	
-					CK_ULONG_PTR pulEncryptedPartLen)
-{
-    SFTKSessionContext *context;
-    unsigned int outlen,i;
-    unsigned int padoutlen = 0;
-    unsigned int maxout = *pulEncryptedPartLen;
-    CK_RV crv;
-    SECStatus rv;
-
-    /* make sure we're legal */
-    crv = sftk_GetContext(hSession,&context,SFTK_ENCRYPT,PR_TRUE,NULL);
-    if (crv != CKR_OK) return crv;
-
-    /* do padding */
-    if (context->doPad) {
-	/* deal with previous buffered data */
-	if (context->padDataLength != 0) {
-	    /* fill in the padded to a full block size */
-	    for (i=context->padDataLength; 
-			(ulPartLen != 0) && i < context->blockSize; i++) {
-		context->padBuf[i] = *pPart++;
-		ulPartLen--;
-		context->padDataLength++;
-	    }
-
-	    /* not enough data to encrypt yet? then return */
-	    if (context->padDataLength != context->blockSize) {
-		*pulEncryptedPartLen = 0;
-		return CKR_OK;
-	    }
-	    /* encrypt the current padded data */
-    	    rv = (*context->update)(context->cipherInfo, pEncryptedPart, 
-		&padoutlen, context->blockSize, context->padBuf,
-							context->blockSize);
-    	    if (rv != SECSuccess) return CKR_DEVICE_ERROR;
-	    pEncryptedPart += padoutlen;
-	    maxout -= padoutlen;
-	}
-	/* save the residual */
-	context->padDataLength = ulPartLen % context->blockSize;
-	if (context->padDataLength) {
-	    PORT_Memcpy(context->padBuf,
-			&pPart[ulPartLen-context->padDataLength],
-							context->padDataLength);
-	    ulPartLen -= context->padDataLength;
-	}
-	/* if we've exhausted our new buffer, we're done */
-	if (ulPartLen == 0) {
-	    *pulEncryptedPartLen = padoutlen;
-	    return CKR_OK;
-	}
-    }
-
-
-    /* do it: NOTE: this assumes buf size in is >= buf size out! */
-    rv = (*context->update)(context->cipherInfo,pEncryptedPart, 
-					&outlen, maxout, pPart, ulPartLen);
-    *pulEncryptedPartLen = (CK_ULONG) (outlen + padoutlen);
-    return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
-}
-
-
-/* NSC_EncryptFinal finishes a multiple-part encryption operation. */
-CK_RV NSC_EncryptFinal(CK_SESSION_HANDLE hSession,
-    CK_BYTE_PTR pLastEncryptedPart, CK_ULONG_PTR pulLastEncryptedPartLen)
-{
-    SFTKSession *session;
-    SFTKSessionContext *context;
-    unsigned int outlen,i;
-    unsigned int maxout = *pulLastEncryptedPartLen;
-    CK_RV crv;
-    SECStatus rv = SECSuccess;
-    PRBool contextFinished = PR_TRUE;
-
-    /* make sure we're legal */
-    crv = sftk_GetContext(hSession,&context,SFTK_ENCRYPT,PR_TRUE,&session);
-    if (crv != CKR_OK) return crv;
-
-    *pulLastEncryptedPartLen = 0;
-    if (!pLastEncryptedPart) {
-	/* caller is checking the amount of remaining data */
-	if (context->blockSize > 0 && context->doPad) {
-	    *pulLastEncryptedPartLen = context->blockSize;
-	    contextFinished = PR_FALSE; /* still have padding to go */
-	}
-	goto finish;
-    }
-
-    /* do padding */
-    if (context->doPad) {
-	unsigned char  padbyte = (unsigned char) 
-				(context->blockSize - context->padDataLength); 
-	/* fill out rest of pad buffer with pad magic*/
-	for (i=context->padDataLength; i < context->blockSize; i++) {
-	    context->padBuf[i] = padbyte;
-	}
-	rv = (*context->update)(context->cipherInfo,pLastEncryptedPart, 
-			&outlen, maxout, context->padBuf, context->blockSize);
-	if (rv == SECSuccess) *pulLastEncryptedPartLen = (CK_ULONG) outlen;
-    }
-
-finish:
-    if (contextFinished) {
-	sftk_SetContextByType(session, SFTK_ENCRYPT, NULL);
-	sftk_FreeContext(context);
-    }
-    sftk_FreeSession(session);
-    return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
-}
-
-/* NSC_Encrypt encrypts single-part data. */
-CK_RV NSC_Encrypt (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
-    		   CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData,
-		   CK_ULONG_PTR pulEncryptedDataLen)
-{
-    SFTKSession *session;
-    SFTKSessionContext *context;
-    unsigned int outlen;
-    unsigned int maxoutlen = *pulEncryptedDataLen;
-    CK_RV crv;
-    CK_RV crv2;
-    SECStatus rv = SECSuccess;
-    SECItem   pText;
-
-    pText.type = siBuffer;
-    pText.data = pData;
-    pText.len  = ulDataLen;
-
-    /* make sure we're legal */
-    crv = sftk_GetContext(hSession,&context,SFTK_ENCRYPT,PR_FALSE,&session);
-    if (crv != CKR_OK) return crv;
-
-    if (!pEncryptedData) {
-	*pulEncryptedDataLen = ulDataLen + 2 * context->blockSize;
-	goto finish;
-    }
-
-    if (context->doPad) {
-	if (context->multi) {
-	    CK_ULONG finalLen;
-	    /* padding is fairly complicated, have the update and final 
-	     * code deal with it */
-	    sftk_FreeSession(session);
-	    crv = NSC_EncryptUpdate(hSession, pData, ulDataLen, pEncryptedData, 
-	                            pulEncryptedDataLen);
-	    if (crv != CKR_OK) 
-	    	*pulEncryptedDataLen = 0;
-	    maxoutlen      -= *pulEncryptedDataLen;
-	    pEncryptedData += *pulEncryptedDataLen;
-	    finalLen = maxoutlen;
-	    crv2 = NSC_EncryptFinal(hSession, pEncryptedData, &finalLen);
-	    if (crv2 == CKR_OK) 
-	    	*pulEncryptedDataLen += finalLen;
-	    return crv == CKR_OK ? crv2 : crv;
-	}
-	/* doPad without multi means that padding must be done on the first
-	** and only update.  There will be no final.
-	*/
-	PORT_Assert(context->blockSize > 1);
-	if (context->blockSize > 1) {
-	    CK_ULONG remainder = ulDataLen % context->blockSize;
-	    CK_ULONG padding   = context->blockSize - remainder;
-	    pText.len += padding;
-	    pText.data = PORT_ZAlloc(pText.len);
-	    if (pText.data) {
-		memcpy(pText.data, pData, ulDataLen);
-		memset(pText.data + ulDataLen, padding, padding);
-	    } else {
-		crv = CKR_HOST_MEMORY;
-		goto fail;
-	    }
-	}
-    }
-
-    /* do it: NOTE: this assumes buf size is big enough. */
-    rv = (*context->update)(context->cipherInfo, pEncryptedData, 
-			    &outlen, maxoutlen, pText.data, pText.len);
-    crv = (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
-    *pulEncryptedDataLen = (CK_ULONG) outlen;
-    if (pText.data != pData)
-    	PORT_ZFree(pText.data, pText.len);
-fail:
-    sftk_SetContextByType(session, SFTK_ENCRYPT, NULL);
-    sftk_FreeContext(context);
-finish:
-    sftk_FreeSession(session);
-
-    return crv;
-}
-
-
-/*
- ************** Crypto Functions:     Decrypt ************************
- */
-
-/* NSC_DecryptInit initializes a decryption operation. */
-CK_RV NSC_DecryptInit( CK_SESSION_HANDLE hSession,
-			 CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
-{
-    return sftk_CryptInit(hSession, pMechanism, hKey, CKA_DECRYPT,
-						SFTK_DECRYPT, PR_FALSE);
-}
-
-/* NSC_DecryptUpdate continues a multiple-part decryption operation. */
-CK_RV NSC_DecryptUpdate(CK_SESSION_HANDLE hSession,
-    CK_BYTE_PTR pEncryptedPart, CK_ULONG ulEncryptedPartLen,
-    				CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen)
-{
-    SFTKSessionContext *context;
-    unsigned int padoutlen = 0;
-    unsigned int outlen;
-    unsigned int maxout = *pulPartLen;
-    CK_RV crv;
-    SECStatus rv;
-
-    /* make sure we're legal */
-    crv = sftk_GetContext(hSession,&context,SFTK_DECRYPT,PR_TRUE,NULL);
-    if (crv != CKR_OK) return crv;
-
-    if (context->doPad) {
-	/* first decrypt our saved buffer */
-	if (context->padDataLength != 0) {
-    	    rv = (*context->update)(context->cipherInfo, pPart, &padoutlen,
-		 maxout, context->padBuf, context->blockSize);
-    	    if (rv != SECSuccess)  return CKR_DEVICE_ERROR;
-	    pPart += padoutlen;
-	    maxout -= padoutlen;
-	}
-	/* now save the final block for the next decrypt or the final */
-	PORT_Memcpy(context->padBuf,&pEncryptedPart[ulEncryptedPartLen -
-				context->blockSize], context->blockSize);
-	context->padDataLength = context->blockSize;
-	ulEncryptedPartLen -= context->padDataLength;
-    }
-
-    /* do it: NOTE: this assumes buf size in is >= buf size out! */
-    rv = (*context->update)(context->cipherInfo,pPart, &outlen,
-		 maxout, pEncryptedPart, ulEncryptedPartLen);
-    *pulPartLen = (CK_ULONG) (outlen + padoutlen);
-    return (rv == SECSuccess)  ? CKR_OK : CKR_DEVICE_ERROR;
-}
-
-
-/* NSC_DecryptFinal finishes a multiple-part decryption operation. */
-CK_RV NSC_DecryptFinal(CK_SESSION_HANDLE hSession,
-    CK_BYTE_PTR pLastPart, CK_ULONG_PTR pulLastPartLen)
-{
-    SFTKSession *session;
-    SFTKSessionContext *context;
-    unsigned int outlen;
-    unsigned int maxout = *pulLastPartLen;
-    CK_RV crv;
-    SECStatus rv = SECSuccess;
-    PRBool contextFinished = PR_TRUE;
-
-    /* make sure we're legal */
-    crv = sftk_GetContext(hSession,&context,SFTK_DECRYPT,PR_TRUE,&session);
-    if (crv != CKR_OK) return crv;
-
-    *pulLastPartLen = 0;
-    if (!pLastPart) {
-	/* caller is checking the amount of remaining data */
-	if (context->padDataLength > 0) {
-	    *pulLastPartLen = 2 * context->blockSize;
-	    contextFinished = PR_FALSE; /* still have padding to go */
-	}
-	goto finish;
-    }
-
-    if (context->doPad) {
-	/* decrypt our saved buffer */
-	if (context->padDataLength != 0) {
-	    /* this assumes that pLastPart is big enough to hold the *whole*
-	     * buffer!!! */
-    	    rv = (*context->update)(context->cipherInfo, pLastPart, &outlen,
-		 maxout, context->padBuf, context->blockSize);
-    	    if (rv == SECSuccess) {
-		unsigned int padSize = 
-			    (unsigned int) pLastPart[context->blockSize-1];
-		if ((padSize > context->blockSize) || (padSize == 0)) {
-		    rv = SECFailure;
-		} else {
-		    *pulLastPartLen = outlen - padSize;
-		}
-	    }
-	}
-    }
-
-finish:
-    if (contextFinished) {
-	sftk_SetContextByType(session, SFTK_DECRYPT, NULL);
-	sftk_FreeContext(context);
-    }
-    sftk_FreeSession(session);
-    return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
-}
-
-/* NSC_Decrypt decrypts encrypted data in a single part. */
-CK_RV NSC_Decrypt(CK_SESSION_HANDLE hSession,
-    CK_BYTE_PTR pEncryptedData,CK_ULONG ulEncryptedDataLen,CK_BYTE_PTR pData,
-    						CK_ULONG_PTR pulDataLen)
-{
-    SFTKSession *session;
-    SFTKSessionContext *context;
-    unsigned int outlen;
-    unsigned int maxoutlen = *pulDataLen;
-    CK_RV crv;
-    CK_RV crv2;
-    SECStatus rv = SECSuccess;
-
-    /* make sure we're legal */
-    crv = sftk_GetContext(hSession,&context,SFTK_DECRYPT,PR_FALSE,&session);
-    if (crv != CKR_OK) return crv;
-
-    if (!pData) {
-	*pulDataLen = ulEncryptedDataLen + context->blockSize;
-	goto finish;
-    }
-
-    if (context->doPad && context->multi) {
-	CK_ULONG finalLen;
-	/* padding is fairly complicated, have the update and final 
-	 * code deal with it */
-	sftk_FreeSession(session);
-	crv = NSC_DecryptUpdate(hSession,pEncryptedData,ulEncryptedDataLen,
-							pData, pulDataLen);
-	if (crv != CKR_OK) 
-	    *pulDataLen = 0;
-	maxoutlen -= *pulDataLen;
-	pData     += *pulDataLen;
-	finalLen = maxoutlen;
-	crv2 = NSC_DecryptFinal(hSession, pData, &finalLen);
-	if (crv2 == CKR_OK) 
-	    *pulDataLen += finalLen;
-	return crv == CKR_OK ? crv2 : crv;
-    }
-
-    rv = (*context->update)(context->cipherInfo, pData, &outlen, maxoutlen, 
-					pEncryptedData, ulEncryptedDataLen);
-    /* XXX need to do MUCH better error mapping than this. */
-    crv = (rv == SECSuccess)  ? CKR_OK : CKR_DEVICE_ERROR;
-    if (rv == SECSuccess && context->doPad) {
-    	CK_ULONG padding = pData[outlen - 1];
-	if (padding > context->blockSize || !padding) {
-	    crv = CKR_ENCRYPTED_DATA_INVALID;
-	} else
-	    outlen -= padding;
-    }
-    *pulDataLen = (CK_ULONG) outlen;
-    sftk_SetContextByType(session, SFTK_DECRYPT, NULL);
-    sftk_FreeContext(context);
-finish:
-    sftk_FreeSession(session);
-    return crv;
-}
-
-
-
-/*
- ************** Crypto Functions:     Digest (HASH)  ************************
- */
-
-/* NSC_DigestInit initializes a message-digesting operation. */
-CK_RV NSC_DigestInit(CK_SESSION_HANDLE hSession,
-    					CK_MECHANISM_PTR pMechanism)
-{
-    SFTKSession *session;
-    SFTKSessionContext *context;
-    CK_RV crv = CKR_OK;
-
-    session = sftk_SessionFromHandle(hSession);
-    if (session == NULL) 
-    	return CKR_SESSION_HANDLE_INVALID;
-    crv = sftk_InitGeneric(session,&context,SFTK_HASH,NULL,0,NULL, 0, 0);
-    if (crv != CKR_OK) {
-	sftk_FreeSession(session);
-	return crv;
-    }
-
-
-#define INIT_MECH(mech,mmm) \
-    case mech: { \
-	mmm ## Context * mmm ## _ctx = mmm ## _NewContext(); \
-	context->cipherInfo    = (void *)mmm ## _ctx; \
-	context->cipherInfoLen = mmm ## _FlattenSize(mmm ## _ctx); \
-	context->currentMech   = mech; \
-	context->hashUpdate    = (SFTKHash)    mmm ## _Update; \
-	context->end           = (SFTKEnd)     mmm ## _End; \
-	context->destroy       = (SFTKDestroy) mmm ## _DestroyContext; \
-	context->maxLen        = mmm ## _LENGTH; \
-        if (mmm ## _ctx) \
-	    mmm ## _Begin(mmm ## _ctx); \
-	else  \
-	    crv = CKR_HOST_MEMORY; \
-	break; \
-    }
-
-    switch(pMechanism->mechanism) {
-    INIT_MECH(CKM_MD2,    MD2)
-    INIT_MECH(CKM_MD5,    MD5)
-    INIT_MECH(CKM_SHA_1,  SHA1)
-    INIT_MECH(CKM_SHA256, SHA256)
-    INIT_MECH(CKM_SHA384, SHA384)
-    INIT_MECH(CKM_SHA512, SHA512)
-
-    default:
-	crv = CKR_MECHANISM_INVALID;
-	break;
-    }
-
-    if (crv != CKR_OK) {
-        sftk_FreeContext(context);
-	sftk_FreeSession(session);
-	return crv;
-    }
-    sftk_SetContextByType(session, SFTK_HASH, context);
-    sftk_FreeSession(session);
-    return CKR_OK;
-}
-
-
-/* NSC_Digest digests data in a single part. */
-CK_RV NSC_Digest(CK_SESSION_HANDLE hSession,
-    CK_BYTE_PTR pData, CK_ULONG ulDataLen, CK_BYTE_PTR pDigest,
-    						CK_ULONG_PTR pulDigestLen)
-{
-    SFTKSession *session;
-    SFTKSessionContext *context;
-    unsigned int digestLen;
-    unsigned int maxout = *pulDigestLen;
-    CK_RV crv;
-
-    /* make sure we're legal */
-    crv = sftk_GetContext(hSession,&context,SFTK_HASH,PR_FALSE,&session);
-    if (crv != CKR_OK) return crv;
-
-    if (pDigest == NULL) {
-	*pulDigestLen = context->maxLen;
-	goto finish;
-    }
-
-    /* do it: */
-    (*context->hashUpdate)(context->cipherInfo, pData, ulDataLen);
-    /*  NOTE: this assumes buf size is bigenough for the algorithm */
-    (*context->end)(context->cipherInfo, pDigest, &digestLen,maxout);
-    *pulDigestLen = digestLen;
-
-    sftk_SetContextByType(session, SFTK_HASH, NULL);
-    sftk_FreeContext(context);
-finish:
-    sftk_FreeSession(session);
-    return CKR_OK;
-}
-
-
-/* NSC_DigestUpdate continues a multiple-part message-digesting operation. */
-CK_RV NSC_DigestUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,
-					    CK_ULONG ulPartLen)
-{
-    SFTKSessionContext *context;
-    CK_RV crv;
-
-    /* make sure we're legal */
-    crv = sftk_GetContext(hSession,&context,SFTK_HASH,PR_TRUE,NULL);
-    if (crv != CKR_OK) return crv;
-    /* do it: */
-    (*context->hashUpdate)(context->cipherInfo, pPart, ulPartLen);
-    return CKR_OK;
-}
-
-
-/* NSC_DigestFinal finishes a multiple-part message-digesting operation. */
-CK_RV NSC_DigestFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pDigest,
-    						CK_ULONG_PTR pulDigestLen)
-{
-    SFTKSession *session;
-    SFTKSessionContext *context;
-    unsigned int maxout = *pulDigestLen;
-    unsigned int digestLen;
-    CK_RV crv;
-
-    /* make sure we're legal */
-    crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_TRUE, &session);
-    if (crv != CKR_OK) return crv;
-
-    if (pDigest != NULL) {
-        (*context->end)(context->cipherInfo, pDigest, &digestLen, maxout);
-        *pulDigestLen = digestLen;
-	sftk_SetContextByType(session, SFTK_HASH, NULL);
-	sftk_FreeContext(context);
-    } else {
-	*pulDigestLen = context->maxLen;
-    }
-
-    sftk_FreeSession(session);
-    return CKR_OK;
-}
-
-/*
- * these helper functions are used by Generic Macing and Signing functions
- * that use hashes as part of their operations. 
- */
-#define DOSUB(mmm) \
-static CK_RV \
-sftk_doSub ## mmm(SFTKSessionContext *context) { \
-    mmm ## Context * mmm ## _ctx = mmm ## _NewContext(); \
-    context->hashInfo    = (void *)      mmm ## _ctx; \
-    context->hashUpdate  = (SFTKHash)    mmm ## _Update; \
-    context->end         = (SFTKEnd)     mmm ## _End; \
-    context->hashdestroy = (SFTKDestroy) mmm ## _DestroyContext; \
-    if (!context->hashInfo) { \
-	return CKR_HOST_MEMORY; \
-    } \
-    mmm ## _Begin( mmm ## _ctx ); \
-    return CKR_OK; \
-}
-
-DOSUB(MD2)
-DOSUB(MD5)
-DOSUB(SHA1)
-DOSUB(SHA256)
-DOSUB(SHA384)
-DOSUB(SHA512)
-
-/*
- * HMAC General copies only a portion of the result. This update routine likes
- * the final HMAC output with the signature.
- */
-static SECStatus
-sftk_HMACCopy(CK_ULONG *copyLen,unsigned char *sig,unsigned int *sigLen,
-		unsigned int maxLen,unsigned char *hash, unsigned int hashLen)
-{
-    if (maxLen < *copyLen) return SECFailure;
-    PORT_Memcpy(sig,hash,*copyLen);
-    *sigLen = *copyLen;
-    return SECSuccess;
-}
-
-/* Verify is just a compare for HMAC */
-static SECStatus
-sftk_HMACCmp(CK_ULONG *copyLen,unsigned char *sig,unsigned int sigLen,
-				unsigned char *hash, unsigned int hashLen)
-{
-    return PORT_Memcmp(sig,hash,*copyLen) ? SECSuccess : SECFailure ;
-}
-
-/*
- * common HMAC initalization routine
- */
-static CK_RV
-sftk_doHMACInit(SFTKSessionContext *context,HASH_HashType hash,
-					SFTKObject *key, CK_ULONG mac_size)
-{
-    SFTKAttribute *keyval;
-    HMACContext *HMACcontext;
-    CK_ULONG *intpointer;
-    const SECHashObject *hashObj = HASH_GetRawHashObject(hash);
-    PRBool isFIPS = (key->slot->slotID == FIPS_SLOT_ID);
-
-    /* required by FIPS 198 Section 4 */
-    if (isFIPS && (mac_size < 4 || mac_size < hashObj->length/2)) {
-	return CKR_BUFFER_TOO_SMALL;
-    }
-
-    keyval = sftk_FindAttribute(key,CKA_VALUE);
-    if (keyval == NULL) return CKR_KEY_SIZE_RANGE;
-
-    HMACcontext = HMAC_Create(hashObj, 
-		(const unsigned char*)keyval->attrib.pValue,
-		keyval->attrib.ulValueLen, isFIPS);
-    context->hashInfo = HMACcontext;
-    context->multi = PR_TRUE;
-    sftk_FreeAttribute(keyval);
-    if (context->hashInfo == NULL) {
-	if (PORT_GetError() == SEC_ERROR_INVALID_ARGS) {
-	    return CKR_KEY_SIZE_RANGE;
-	}
-	return CKR_HOST_MEMORY;
-    }
-    context->hashUpdate = (SFTKHash) HMAC_Update;
-    context->end = (SFTKEnd) HMAC_Finish;
-
-    context->hashdestroy = (SFTKDestroy) HMAC_Destroy;
-    intpointer = (CK_ULONG *) PORT_Alloc(sizeof(CK_ULONG));
-    if (intpointer == NULL) {
-	return CKR_HOST_MEMORY;
-    }
-    *intpointer = mac_size;
-    context->cipherInfo = (void *) intpointer;
-    context->destroy = (SFTKDestroy) sftk_Space;
-    context->update = (SFTKCipher) sftk_HMACCopy;
-    context->verify = (SFTKVerify) sftk_HMACCmp;
-    context->maxLen = hashObj->length;
-    HMAC_Begin(HMACcontext);
-    return CKR_OK;
-}
-
-/*
- *  SSL Macing support. SSL Macs are inited, then update with the base
- * hashing algorithm, then finalized in sign and verify
- */
-
-/*
- * FROM SSL:
- * 60 bytes is 3 times the maximum length MAC size that is supported.
- * We probably should have one copy of this table. We still need this table
- * in ssl to 'sign' the handshake hashes.
- */
-static unsigned char ssl_pad_1 [60] = {
-    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
-    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
-    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
-    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
-    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
-    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
-    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
-    0x36, 0x36, 0x36, 0x36
-};
-static unsigned char ssl_pad_2 [60] = {
-    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
-    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
-    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
-    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
-    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
-    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
-    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
-    0x5c, 0x5c, 0x5c, 0x5c
-};
-
-static SECStatus
-sftk_SSLMACSign(SFTKSSLMACInfo *info,unsigned char *sig,unsigned int *sigLen,
-		unsigned int maxLen,unsigned char *hash, unsigned int hashLen)
-{
-    unsigned char tmpBuf[SFTK_MAX_MAC_LENGTH];
-    unsigned int out;
-
-    info->begin(info->hashContext);
-    info->update(info->hashContext,info->key,info->keySize);
-    info->update(info->hashContext,ssl_pad_2,info->padSize);
-    info->update(info->hashContext,hash,hashLen);
-    info->end(info->hashContext,tmpBuf,&out,SFTK_MAX_MAC_LENGTH);
-    PORT_Memcpy(sig,tmpBuf,info->macSize);
-    *sigLen = info->macSize;
-    return SECSuccess;
-}
-
-static SECStatus
-sftk_SSLMACVerify(SFTKSSLMACInfo *info,unsigned char *sig,unsigned int sigLen,
-		unsigned char *hash, unsigned int hashLen)
-{
-    unsigned char tmpBuf[SFTK_MAX_MAC_LENGTH];
-    unsigned int out;
-
-    info->begin(info->hashContext);
-    info->update(info->hashContext,info->key,info->keySize);
-    info->update(info->hashContext,ssl_pad_2,info->padSize);
-    info->update(info->hashContext,hash,hashLen);
-    info->end(info->hashContext,tmpBuf,&out,SFTK_MAX_MAC_LENGTH);
-    return (PORT_Memcmp(sig,tmpBuf,info->macSize) == 0) ? 
-						SECSuccess : SECFailure;
-}
-
-/*
- * common HMAC initalization routine
- */
-static CK_RV
-sftk_doSSLMACInit(SFTKSessionContext *context,SECOidTag oid,
-					SFTKObject *key, CK_ULONG mac_size)
-{
-    SFTKAttribute *keyval;
-    SFTKBegin begin;
-    int padSize;
-    SFTKSSLMACInfo *sslmacinfo;
-    CK_RV crv = CKR_MECHANISM_INVALID;
-
-    if (oid == SEC_OID_SHA1) {
-	crv = sftk_doSubSHA1(context);
-	if (crv != CKR_OK) return crv;
-	begin = (SFTKBegin) SHA1_Begin;
-	padSize = 40;
-    } else {
-	crv = sftk_doSubMD5(context);
-	if (crv != CKR_OK) return crv;
-	begin = (SFTKBegin) MD5_Begin;
-	padSize = 48;
-    }
-    context->multi = PR_TRUE;
-
-    keyval = sftk_FindAttribute(key,CKA_VALUE);
-    if (keyval == NULL) return CKR_KEY_SIZE_RANGE;
-
-    context->hashUpdate(context->hashInfo,keyval->attrib.pValue,
-						 keyval->attrib.ulValueLen);
-    context->hashUpdate(context->hashInfo,ssl_pad_1,padSize);
-    sslmacinfo = (SFTKSSLMACInfo *) PORT_Alloc(sizeof(SFTKSSLMACInfo));
-    if (sslmacinfo == NULL) {
-        sftk_FreeAttribute(keyval);
-	return CKR_HOST_MEMORY;
-    }
-    sslmacinfo->macSize = mac_size;
-    sslmacinfo->hashContext = context->hashInfo;
-    PORT_Memcpy(sslmacinfo->key,keyval->attrib.pValue,
-					keyval->attrib.ulValueLen);
-    sslmacinfo->keySize = keyval->attrib.ulValueLen;
-    sslmacinfo->begin = begin;
-    sslmacinfo->end = context->end;
-    sslmacinfo->update = context->hashUpdate;
-    sslmacinfo->padSize = padSize;
-    sftk_FreeAttribute(keyval);
-    context->cipherInfo = (void *) sslmacinfo;
-    context->destroy = (SFTKDestroy) sftk_Space;
-    context->update = (SFTKCipher) sftk_SSLMACSign;
-    context->verify = (SFTKVerify) sftk_SSLMACVerify;
-    context->maxLen = mac_size;
-    return CKR_OK;
-}
-
-/*
- ************** Crypto Functions:     Sign  ************************
- */
-
-/*
- * Check if We're using CBCMacing and initialize the session context if we are.
- */
-static CK_RV
-sftk_InitCBCMac(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
- 	CK_OBJECT_HANDLE hKey, CK_ATTRIBUTE_TYPE keyUsage,
-						 SFTKContextType contextType)
-	
-{
-    CK_MECHANISM cbc_mechanism;
-    CK_ULONG mac_bytes = SFTK_INVALID_MAC_SIZE;
-    CK_RC2_CBC_PARAMS rc2_params;
-#if NSS_SOFTOKEN_DOES_RC5
-    CK_RC5_CBC_PARAMS rc5_params;
-    CK_RC5_MAC_GENERAL_PARAMS *rc5_mac;
-#endif
-    unsigned char ivBlock[SFTK_MAX_BLOCK_SIZE];
-    SFTKSessionContext *context;
-    CK_RV crv;
-    int blockSize;
-
-    switch (pMechanism->mechanism) {
-    case CKM_RC2_MAC_GENERAL:
-	mac_bytes = 
-	    ((CK_RC2_MAC_GENERAL_PARAMS *)pMechanism->pParameter)->ulMacLength;
-	/* fall through */
-    case CKM_RC2_MAC:
-	/* this works because ulEffectiveBits is in the same place in both the
-	 * CK_RC2_MAC_GENERAL_PARAMS and CK_RC2_CBC_PARAMS */
-	rc2_params.ulEffectiveBits = ((CK_RC2_MAC_GENERAL_PARAMS *)
-				pMechanism->pParameter)->ulEffectiveBits;
-	PORT_Memset(rc2_params.iv,0,sizeof(rc2_params.iv));
-	cbc_mechanism.mechanism = CKM_RC2_CBC;
-	cbc_mechanism.pParameter = &rc2_params;
-	cbc_mechanism.ulParameterLen = sizeof(rc2_params);
-	blockSize = 8;
-	break;
-#if NSS_SOFTOKEN_DOES_RC5
-    case CKM_RC5_MAC_GENERAL:
-	mac_bytes = 
-	    ((CK_RC5_MAC_GENERAL_PARAMS *)pMechanism->pParameter)->ulMacLength;
-	/* fall through */
-    case CKM_RC5_MAC:
-	/* this works because ulEffectiveBits is in the same place in both the
-	 * CK_RC5_MAC_GENERAL_PARAMS and CK_RC5_CBC_PARAMS */
-	rc5_mac = (CK_RC5_MAC_GENERAL_PARAMS *)pMechanism->pParameter;
-	rc5_params.ulWordsize = rc5_mac->ulWordsize;
-	rc5_params.ulRounds = rc5_mac->ulRounds;
-	rc5_params.pIv = ivBlock;
-	blockSize = rc5_mac->ulWordsize*2;
-	rc5_params.ulIvLen = blockSize;
-	PORT_Memset(ivBlock,0,blockSize);
-	cbc_mechanism.mechanism = CKM_RC5_CBC;
-	cbc_mechanism.pParameter = &rc5_params;
-	cbc_mechanism.ulParameterLen = sizeof(rc5_params);
-	break;
-#endif
-    /* add cast and idea later */
-    case CKM_DES_MAC_GENERAL:
-	mac_bytes = *(CK_ULONG *)pMechanism->pParameter;
-	/* fall through */
-    case CKM_DES_MAC:
-	blockSize = 8;
-	PORT_Memset(ivBlock,0,blockSize);
-	cbc_mechanism.mechanism = CKM_DES_CBC;
-	cbc_mechanism.pParameter = &ivBlock;
-	cbc_mechanism.ulParameterLen = blockSize;
-	break;
-    case CKM_DES3_MAC_GENERAL:
-	mac_bytes = *(CK_ULONG *)pMechanism->pParameter;
-	/* fall through */
-    case CKM_DES3_MAC:
-	blockSize = 8;
-	PORT_Memset(ivBlock,0,blockSize);
-	cbc_mechanism.mechanism = CKM_DES3_CBC;
-	cbc_mechanism.pParameter = &ivBlock;
-	cbc_mechanism.ulParameterLen = blockSize;
-	break;
-    case CKM_CDMF_MAC_GENERAL:
-	mac_bytes = *(CK_ULONG *)pMechanism->pParameter;
-	/* fall through */
-    case CKM_CDMF_MAC:
-	blockSize = 8;
-	PORT_Memset(ivBlock,0,blockSize);
-	cbc_mechanism.mechanism = CKM_CDMF_CBC;
-	cbc_mechanism.pParameter = &ivBlock;
-	cbc_mechanism.ulParameterLen = blockSize;
-	break;
-    case CKM_AES_MAC_GENERAL:
-	mac_bytes = *(CK_ULONG *)pMechanism->pParameter;
-	/* fall through */
-    case CKM_AES_MAC:
-	blockSize = 16;
-	PORT_Memset(ivBlock,0,blockSize);
-	cbc_mechanism.mechanism = CKM_AES_CBC;
-	cbc_mechanism.pParameter = &ivBlock;
-	cbc_mechanism.ulParameterLen = blockSize;
-	break;
-    default:
-	return CKR_FUNCTION_NOT_SUPPORTED;
-    }
-
-    crv = sftk_CryptInit(hSession, &cbc_mechanism, hKey, keyUsage,
-							contextType, PR_TRUE);
-    if (crv != CKR_OK) return crv;
-    crv = sftk_GetContext(hSession,&context,contextType,PR_TRUE,NULL);
-
-    /* this shouldn't happen! */
-    PORT_Assert(crv == CKR_OK);
-    if (crv != CKR_OK) return crv;
-    context->blockSize = blockSize;
-    if (mac_bytes == SFTK_INVALID_MAC_SIZE) mac_bytes = blockSize/2;
-    context->macSize = mac_bytes;
-    return CKR_OK;
-}
-
-/*
- * encode RSA PKCS #1 Signature data before signing... 
- */
-static SECStatus
-sftk_HashSign(SFTKHashSignInfo *info,unsigned char *sig,unsigned int *sigLen,
-		unsigned int maxLen,unsigned char *hash, unsigned int hashLen)
-{
-    
-    SECStatus rv = SECFailure;
-    SECItem digder;
-    PLArenaPool *arena = NULL;
-    SGNDigestInfo *di = NULL;
-
-    digder.data = NULL;
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( !arena ) { goto loser; }
-    
-    /* Construct digest info */
-    di = SGN_CreateDigestInfo(info->hashOid, hash, hashLen);
-    if (!di) { goto loser; }
-
-    /* Der encode the digest as a DigestInfo */
-    rv = DER_Encode(arena, &digder, SGNDigestInfoTemplate, di);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-
-    /*
-    ** Encrypt signature after constructing appropriate PKCS#1 signature
-    ** block
-    */
-    rv = RSA_Sign(info->key,sig,sigLen,maxLen,digder.data,digder.len);
-
-  loser:
-    SGN_DestroyDigestInfo(di);
-    if (arena != NULL) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    return rv;
-}
-
-static SECStatus
-nsc_DSA_Verify_Stub(void *ctx, void *sigBuf, unsigned int sigLen,
-                               void *dataBuf, unsigned int dataLen)
-{
-    SECItem signature, digest;
-    NSSLOWKEYPublicKey *key = (NSSLOWKEYPublicKey *)ctx;
-
-    signature.data = (unsigned char *)sigBuf;
-    signature.len = sigLen;
-    digest.data = (unsigned char *)dataBuf;
-    digest.len = dataLen;
-    return DSA_VerifyDigest(&(key->u.dsa), &signature, &digest);
-}
-
-static SECStatus
-nsc_DSA_Sign_Stub(void *ctx, void *sigBuf,
-                  unsigned int *sigLen, unsigned int maxSigLen,
-                  void *dataBuf, unsigned int dataLen)
-{
-    SECItem signature, digest;
-    SECStatus rv;
-    NSSLOWKEYPrivateKey *key = (NSSLOWKEYPrivateKey *)ctx;
-
-    signature.data = (unsigned char *)sigBuf;
-    signature.len = maxSigLen;
-    digest.data = (unsigned char *)dataBuf;
-    digest.len = dataLen;
-    rv = DSA_SignDigest(&(key->u.dsa), &signature, &digest);
-    *sigLen = signature.len;
-    return rv;
-}
-
-#ifdef NSS_ENABLE_ECC
-static SECStatus
-nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen,
-                    void *dataBuf, unsigned int dataLen)
-{
-    SECItem signature, digest;
-    NSSLOWKEYPublicKey *key = (NSSLOWKEYPublicKey *)ctx;
-
-    signature.data = (unsigned char *)sigBuf;
-    signature.len = sigLen;
-    digest.data = (unsigned char *)dataBuf;
-    digest.len = dataLen;
-    return ECDSA_VerifyDigest(&(key->u.ec), &signature, &digest);
-}
-
-static SECStatus
-nsc_ECDSASignStub(void *ctx, void *sigBuf,
-                  unsigned int *sigLen, unsigned int maxSigLen,
-                  void *dataBuf, unsigned int dataLen)
-{
-    SECItem signature, digest;
-    SECStatus rv;
-    NSSLOWKEYPrivateKey *key = (NSSLOWKEYPrivateKey *)ctx;
-
-    signature.data = (unsigned char *)sigBuf;
-    signature.len = maxSigLen;
-    digest.data = (unsigned char *)dataBuf;
-    digest.len = dataLen;
-    rv = ECDSA_SignDigest(&(key->u.ec), &signature, &digest);
-    *sigLen = signature.len;
-    return rv;
-}
-#endif /* NSS_ENABLE_ECC */
-
-/* NSC_SignInit setups up the signing operations. There are three basic
- * types of signing:
- *	(1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied
- *  to data in a single Sign operation (which often looks a lot like an
- *  encrypt, with data coming in and data going out).
- *	(2) Hash based signing, where we continually hash the data, then apply
- *  some sort of signature to the end.
- *	(3) Block Encryption CBC MAC's, where the Data is encrypted with a key,
- *  and only the final block is part of the mac.
- *
- *  For case number 3, we initialize a context much like the Encryption Context
- *  (in fact we share code). We detect case 3 in C_SignUpdate, C_Sign, and 
- *  C_Final by the following method... if it's not multi-part, and it's doesn't
- *  have a hash context, it must be a block Encryption CBC MAC.
- *
- *  For case number 2, we initialize a hash structure, as well as make it 
- *  multi-part. Updates are simple calls to the hash update function. Final
- *  calls the hashend, then passes the result to the 'update' function (which
- *  operates as a final signature function). In some hash based MAC'ing (as
- *  opposed to hash base signatures), the update function is can be simply a 
- *  copy (as is the case with HMAC).
- */
-CK_RV NSC_SignInit(CK_SESSION_HANDLE hSession,
-		 CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
-{
-    SFTKSession *session;
-    SFTKObject *key;
-    SFTKSessionContext *context;
-    CK_KEY_TYPE key_type;
-    CK_RV crv = CKR_OK;
-    NSSLOWKEYPrivateKey *privKey;
-    SFTKHashSignInfo *info = NULL;
-
-    /* Block Cipher MACing Algorithms use a different Context init method..*/
-    crv = sftk_InitCBCMac(hSession, pMechanism, hKey, CKA_SIGN, SFTK_SIGN);
-    if (crv != CKR_FUNCTION_NOT_SUPPORTED) return crv;
-
-    /* we're not using a block cipher mac */
-    session = sftk_SessionFromHandle(hSession);
-    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
-    crv = sftk_InitGeneric(session,&context,SFTK_SIGN,&key,hKey,&key_type,
-						CKO_PRIVATE_KEY,CKA_SIGN);
-    if (crv != CKR_OK) {
-	sftk_FreeSession(session);
-	return crv;
-    }
-
-    context->multi = PR_FALSE;
-
-#define INIT_RSA_SIGN_MECH(mmm) \
-    case CKM_ ## mmm ## _RSA_PKCS: \
-        context->multi = PR_TRUE; \
-	crv = sftk_doSub ## mmm (context); \
-	if (crv != CKR_OK) break; \
-	context->update = (SFTKCipher) sftk_HashSign; \
-	info = PORT_New(SFTKHashSignInfo); \
-	if (info == NULL) { crv = CKR_HOST_MEMORY; break; } \
-	info->hashOid = SEC_OID_ ## mmm ; \
-	goto finish_rsa; 
-
-    switch(pMechanism->mechanism) {
-    INIT_RSA_SIGN_MECH(MD5)
-    INIT_RSA_SIGN_MECH(MD2)
-    INIT_RSA_SIGN_MECH(SHA1)
-    INIT_RSA_SIGN_MECH(SHA256)
-    INIT_RSA_SIGN_MECH(SHA384)
-    INIT_RSA_SIGN_MECH(SHA512)
-
-    case CKM_RSA_PKCS:
-	context->update = (SFTKCipher) RSA_Sign;
-	goto finish_rsa;
-    case CKM_RSA_X_509:
-	context->update = (SFTKCipher)  RSA_SignRaw;
-finish_rsa:
-	if (key_type != CKK_RSA) {
-	    if (info) PORT_Free(info);
-	    crv = CKR_KEY_TYPE_INCONSISTENT;
-	    break;
-	}
-	privKey = sftk_GetPrivKey(key,CKK_RSA,&crv);
-	if (privKey == NULL) {
-	    if (info) PORT_Free(info);
-	    break;
-	}
-	/* OK, info is allocated only if we're doing hash and sign mechanism.
-	 * It's necessary to be able to set the correct OID in the final 
-	 * signature.
-	 */
-	if (info) {
-	    info->key = privKey;
-	    context->cipherInfo = info;
-	    context->destroy = (SFTKDestroy)sftk_Space;
-	} else {
-	    context->cipherInfo = privKey;
-	    context->destroy = (SFTKDestroy)sftk_Null;
-	}
-	context->maxLen = nsslowkey_PrivateModulusLen(privKey);
-	break;
-
-    case CKM_DSA_SHA1:
-        context->multi = PR_TRUE;
-	crv = sftk_doSubSHA1(context);
-	if (crv != CKR_OK) break;
-	/* fall through */
-    case CKM_DSA:
-	if (key_type != CKK_DSA) {
-	    crv = CKR_KEY_TYPE_INCONSISTENT;
-	    break;
-	}
-	privKey = sftk_GetPrivKey(key,CKK_DSA,&crv);
-	if (privKey == NULL) {
-	    break;
-	}
-	context->cipherInfo = privKey;
-	context->update     = (SFTKCipher) nsc_DSA_Sign_Stub;
-	context->destroy    = (privKey == key->objectInfo) ?
-		(SFTKDestroy) sftk_Null:(SFTKDestroy)sftk_FreePrivKey;
-	context->maxLen     = DSA_SIGNATURE_LEN;
-
-	break;
-
-#ifdef NSS_ENABLE_ECC
-    case CKM_ECDSA_SHA1:
-	context->multi = PR_TRUE;
-	crv = sftk_doSubSHA1(context);
-	if (crv != CKR_OK) break;
-	/* fall through */
-    case CKM_ECDSA:
-	if (key_type != CKK_EC) {
-	    crv = CKR_KEY_TYPE_INCONSISTENT;
-	    break;
-	}
-	privKey = sftk_GetPrivKey(key,CKK_EC,&crv);
-	if (privKey == NULL) {
-	    crv = CKR_HOST_MEMORY;
-	    break;
-	}
-	context->cipherInfo = privKey;
-	context->update     = (SFTKCipher) nsc_ECDSASignStub;
-	context->destroy    = (privKey == key->objectInfo) ?
-		(SFTKDestroy) sftk_Null:(SFTKDestroy)sftk_FreePrivKey;
-	context->maxLen     = MAX_ECKEY_LEN * 2;
-
-	break;
-#endif /* NSS_ENABLE_ECC */
-
-#define INIT_HMAC_MECH(mmm) \
-    case CKM_ ## mmm ## _HMAC_GENERAL: \
-	crv = sftk_doHMACInit(context, HASH_Alg ## mmm ,key, \
-				*(CK_ULONG *)pMechanism->pParameter); \
-	break; \
-    case CKM_ ## mmm ## _HMAC: \
-	crv = sftk_doHMACInit(context, HASH_Alg ## mmm ,key, mmm ## _LENGTH); \
-	break; 
-
-    INIT_HMAC_MECH(MD2)
-    INIT_HMAC_MECH(MD5)
-    INIT_HMAC_MECH(SHA256)
-    INIT_HMAC_MECH(SHA384)
-    INIT_HMAC_MECH(SHA512)
-
-    case CKM_SHA_1_HMAC_GENERAL:
-	crv = sftk_doHMACInit(context,HASH_AlgSHA1,key,
-				*(CK_ULONG *)pMechanism->pParameter);
-	break;
-    case CKM_SHA_1_HMAC:
-	crv = sftk_doHMACInit(context,HASH_AlgSHA1,key,SHA1_LENGTH);
-	break;
-
-    case CKM_SSL3_MD5_MAC:
-	crv = sftk_doSSLMACInit(context,SEC_OID_MD5,key,
-					*(CK_ULONG *)pMechanism->pParameter);
-	break;
-    case CKM_SSL3_SHA1_MAC:
-	crv = sftk_doSSLMACInit(context,SEC_OID_SHA1,key,
-					*(CK_ULONG *)pMechanism->pParameter);
-	break;
-    case CKM_TLS_PRF_GENERAL:
-	crv = sftk_TLSPRFInit(context, key, key_type);
-	break;
-    default:
-	crv = CKR_MECHANISM_INVALID;
-	break;
-    }
-
-    if (crv != CKR_OK) {
-        sftk_FreeContext(context);
-	sftk_FreeSession(session);
-	return crv;
-    }
-    sftk_SetContextByType(session, SFTK_SIGN, context);
-    sftk_FreeSession(session);
-    return CKR_OK;
-}
-
-
-/* MACUpdate is the common implementation for SignUpdate and VerifyUpdate.
- * (sign and verify only very in their setup and final operations) */
-static CK_RV 
-sftk_MACUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,
-    					CK_ULONG ulPartLen,SFTKContextType type)
-{
-    unsigned int outlen;
-    SFTKSessionContext *context;
-    CK_RV crv;
-    SECStatus rv;
-
-    /* make sure we're legal */
-    crv = sftk_GetContext(hSession,&context,type,PR_FALSE,NULL);
-    if (crv != CKR_OK) return crv;
-
-    if (context->hashInfo) {
-	(*context->hashUpdate)(context->hashInfo, pPart, ulPartLen);
-	return CKR_OK;
-    }
-
-    /* must be block cipher macing */
-
-    /* deal with previous buffered data */
-    if (context->padDataLength != 0) {
-	int i;
-	/* fill in the padded to a full block size */
-	for (i=context->padDataLength; (ulPartLen != 0) && 
-					i < (int)context->blockSize; i++) {
-	    context->padBuf[i] = *pPart++;
-	    ulPartLen--;
-	    context->padDataLength++;
-	}
-
-	/* not enough data to encrypt yet? then return */
-	if (context->padDataLength != context->blockSize)  return CKR_OK;
-	/* encrypt the current padded data */
-    	rv = (*context->update)(context->cipherInfo,context->macBuf,&outlen,
-			SFTK_MAX_BLOCK_SIZE,context->padBuf,context->blockSize);
-    	if (rv != SECSuccess) return CKR_DEVICE_ERROR;
-    }
-
-    /* save the residual */
-    context->padDataLength = ulPartLen % context->blockSize;
-    if (context->padDataLength) {
-	PORT_Memcpy(context->padBuf,
-		    &pPart[ulPartLen-context->padDataLength],
-		    context->padDataLength);
-	ulPartLen -= context->padDataLength;
-    }
-
-    /* if we've exhausted our new buffer, we're done */
-    if (ulPartLen == 0) { return CKR_OK; }
-
-    /* run the data through out encrypter */	
-    while (ulPartLen) {
-    	rv = (*context->update)(context->cipherInfo, context->padBuf, &outlen, 
-			SFTK_MAX_BLOCK_SIZE, pPart, context->blockSize);
-	if (rv != SECSuccess) return CKR_DEVICE_ERROR;
-	/* paranoia.. make sure we exit the loop */
-	PORT_Assert(ulPartLen >= context->blockSize);
-	if (ulPartLen < context->blockSize) break;
-	ulPartLen -= context->blockSize;
-    }
-
-    return CKR_OK;
-	
-}
-
-/* NSC_SignUpdate continues a multiple-part signature operation,
- * where the signature is (will be) an appendix to the data, 
- * and plaintext cannot be recovered from the signature */
-CK_RV NSC_SignUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,
-    							CK_ULONG ulPartLen)
-{
-    return sftk_MACUpdate(hSession, pPart, ulPartLen, SFTK_SIGN);
-}
-
-
-/* NSC_SignFinal finishes a multiple-part signature operation, 
- * returning the signature. */
-CK_RV NSC_SignFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pSignature,
-					    CK_ULONG_PTR pulSignatureLen)
-{
-    SFTKSession *session;
-    SFTKSessionContext *context;
-    unsigned int outlen;
-    unsigned int digestLen;
-    unsigned int maxoutlen = *pulSignatureLen;
-    unsigned char tmpbuf[SFTK_MAX_MAC_LENGTH];
-    CK_RV crv;
-    SECStatus rv = SECSuccess;
-
-    /* make sure we're legal */
-    *pulSignatureLen = 0;
-    crv = sftk_GetContext(hSession,&context,SFTK_SIGN,PR_TRUE,&session);
-    if (crv != CKR_OK) return crv;
-
-    if (!pSignature) {
-	*pulSignatureLen = context->maxLen;
-	goto finish;
-    } else if (context->hashInfo) {
-        (*context->end)(context->hashInfo, tmpbuf, &digestLen, sizeof(tmpbuf));
-	rv = (*context->update)(context->cipherInfo, pSignature,
-					&outlen, maxoutlen, tmpbuf, digestLen);
-        *pulSignatureLen = (CK_ULONG) outlen;
-    } else {
-	/* deal with the last block if any residual */
-	if (context->padDataLength) {
-	    /* fill out rest of pad buffer with pad magic*/
-	    int i;
-	    for (i=context->padDataLength; i < (int)context->blockSize; i++) {
-		context->padBuf[i] = 0;
-	    }
-	    rv = (*context->update)(context->cipherInfo,context->macBuf,
-		&outlen,SFTK_MAX_BLOCK_SIZE,context->padBuf,context->blockSize);
-	}
-	if (rv == SECSuccess) {
-	    PORT_Memcpy(pSignature,context->macBuf,context->macSize);
-	    *pulSignatureLen = context->macSize;
-	}
-    }
-
-    sftk_FreeContext(context);
-    sftk_SetContextByType(session, SFTK_SIGN, NULL);
-
-finish:
-    sftk_FreeSession(session);
-
-    return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
-}
-
-/* NSC_Sign signs (encrypts with private key) data in a single part,
- * where the signature is (will be) an appendix to the data, 
- * and plaintext cannot be recovered from the signature */
-CK_RV NSC_Sign(CK_SESSION_HANDLE hSession,
-    CK_BYTE_PTR pData,CK_ULONG ulDataLen,CK_BYTE_PTR pSignature,
-    					CK_ULONG_PTR pulSignatureLen)
-{
-    SFTKSession *session;
-    SFTKSessionContext *context;
-    unsigned int outlen;
-    unsigned int maxoutlen = *pulSignatureLen;
-    CK_RV crv,crv2;
-    SECStatus rv = SECSuccess;
-
-    /* make sure we're legal */
-    crv = sftk_GetContext(hSession,&context,SFTK_SIGN,PR_FALSE,&session);
-    if (crv != CKR_OK) return crv;
-
-    if (!pSignature) {
-	*pulSignatureLen = context->maxLen;
-	goto finish;
-    }
-
-    /* multi part Signing are completely implemented by SignUpdate and
-     * sign Final */
-    if (context->multi) {
-        sftk_FreeSession(session);
-	crv = NSC_SignUpdate(hSession,pData,ulDataLen);
-	if (crv != CKR_OK) *pulSignatureLen = 0;
-	crv2 = NSC_SignFinal(hSession, pSignature, pulSignatureLen);
-	return crv == CKR_OK ? crv2 :crv;
-    }
-
-    rv = (*context->update)(context->cipherInfo, pSignature,
-					&outlen, maxoutlen, pData, ulDataLen);
-    *pulSignatureLen = (CK_ULONG) outlen;
-    sftk_FreeContext(context);
-    sftk_SetContextByType(session, SFTK_SIGN, NULL);
-
-finish:
-    sftk_FreeSession(session);
-
-    return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
-}
-
-
-/*
- ************** Crypto Functions:     Sign Recover  ************************
- */
-/* NSC_SignRecoverInit initializes a signature operation,
- * where the (digest) data can be recovered from the signature. 
- * E.g. encryption with the user's private key */
-CK_RV NSC_SignRecoverInit(CK_SESSION_HANDLE hSession,
-			 CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey)
-{
-    switch (pMechanism->mechanism) {
-    case CKM_RSA_PKCS:
-    case CKM_RSA_X_509:
-	return NSC_SignInit(hSession,pMechanism,hKey);
-    default:
-	break;
-    }
-    return CKR_MECHANISM_INVALID;
-}
-
-
-/* NSC_SignRecover signs data in a single operation
- * where the (digest) data can be recovered from the signature. 
- * E.g. encryption with the user's private key */
-CK_RV NSC_SignRecover(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
-  CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen)
-{
-    return NSC_Sign(hSession,pData,ulDataLen,pSignature,pulSignatureLen);
-}
-
-/*
- ************** Crypto Functions:     verify  ************************
- */
-
-/* Handle RSA Signature formating */
-static SECStatus
-sftk_hashCheckSign(SFTKHashVerifyInfo *info, unsigned char *sig, 
-	unsigned int sigLen, unsigned char *digest, unsigned int digestLen)
-{
-
-    SECItem it;
-    SGNDigestInfo *di = NULL;
-    SECStatus rv = SECSuccess;
-    
-    it.data = NULL;
-
-    if (info->key == NULL) goto loser;
-
-    it.len = nsslowkey_PublicModulusLen(info->key); 
-    if (!it.len) goto loser;
-
-    it.data = (unsigned char *) PORT_Alloc(it.len);
-    if (it.data == NULL) goto loser;
-
-    /* decrypt the block */
-    rv = RSA_CheckSignRecover(info->key, it.data, &it.len, it.len, sig, sigLen);
-    if (rv != SECSuccess) goto loser;
-
-    di = SGN_DecodeDigestInfo(&it);
-    if (di == NULL) goto loser;
-    if (di->digest.len != digestLen)  goto loser; 
-
-    /* make sure the tag is OK */
-    if (SECOID_GetAlgorithmTag(&di->digestAlgorithm) != info->hashOid) {
-	goto loser;
-    }
-    /* Now check the signature */
-    if (PORT_Memcmp(digest, di->digest.data, di->digest.len) == 0) {
-	goto done;
-    }
-
-  loser:
-    rv = SECFailure;
-
-  done:
-    if (it.data != NULL) PORT_Free(it.data);
-    if (di != NULL) SGN_DestroyDigestInfo(di);
-    
-    return rv;
-}
-
-/* NSC_VerifyInit initializes a verification operation, 
- * where the signature is an appendix to the data, 
- * and plaintext cannot be recovered from the signature (e.g. DSA) */
-CK_RV NSC_VerifyInit(CK_SESSION_HANDLE hSession,
-			   CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey) 
-{
-    SFTKSession *session;
-    SFTKObject *key;
-    SFTKSessionContext *context;
-    CK_KEY_TYPE key_type;
-    CK_RV crv = CKR_OK;
-    NSSLOWKEYPublicKey *pubKey;
-    SFTKHashVerifyInfo *info = NULL;
-
-    /* Block Cipher MACing Algorithms use a different Context init method..*/
-    crv = sftk_InitCBCMac(hSession, pMechanism, hKey, CKA_VERIFY, SFTK_VERIFY);
-    if (crv != CKR_FUNCTION_NOT_SUPPORTED) return crv;
-
-    session = sftk_SessionFromHandle(hSession);
-    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
-    crv = sftk_InitGeneric(session,&context,SFTK_VERIFY,&key,hKey,&key_type,
-						CKO_PUBLIC_KEY,CKA_VERIFY);
-    if (crv != CKR_OK) {
-	sftk_FreeSession(session);
-	return crv;
-    }
-
-    context->multi = PR_FALSE;
-
-#define INIT_RSA_VFY_MECH(mmm) \
-    case CKM_ ## mmm ## _RSA_PKCS: \
-        context->multi = PR_TRUE; \
-	crv = sftk_doSub ## mmm (context); \
-	if (crv != CKR_OK) break; \
-	context->verify = (SFTKVerify) sftk_hashCheckSign; \
-	info = PORT_New(SFTKHashVerifyInfo); \
-	if (info == NULL) { crv = CKR_HOST_MEMORY; break; } \
-	info->hashOid = SEC_OID_ ## mmm ; \
-	goto finish_rsa; 
-
-    switch(pMechanism->mechanism) {
-    INIT_RSA_VFY_MECH(MD5) 
-    INIT_RSA_VFY_MECH(MD2) 
-    INIT_RSA_VFY_MECH(SHA1) 
-    INIT_RSA_VFY_MECH(SHA256) 
-    INIT_RSA_VFY_MECH(SHA384) 
-    INIT_RSA_VFY_MECH(SHA512) 
-
-    case CKM_RSA_PKCS:
-	context->verify = (SFTKVerify) RSA_CheckSign;
-	goto finish_rsa;
-    case CKM_RSA_X_509:
-	context->verify = (SFTKVerify) RSA_CheckSignRaw;
-finish_rsa:
-	if (key_type != CKK_RSA) {
-	    crv = CKR_KEY_TYPE_INCONSISTENT;
-	    break;
-	}
-	pubKey = sftk_GetPubKey(key,CKK_RSA,&crv);
-	if (pubKey == NULL) {
-	    break;
-	}
-	if (info) {
-	    info->key = pubKey;
-	    context->cipherInfo = info;
-	    context->destroy = sftk_Space;
-	} else {
-	    context->cipherInfo = pubKey;
-	    context->destroy = sftk_Null;
-	}
-	break;
-    case CKM_DSA_SHA1:
-        context->multi = PR_TRUE;
-	crv = sftk_doSubSHA1(context);
-	if (crv != CKR_OK) break;
-	/* fall through */
-    case CKM_DSA:
-	if (key_type != CKK_DSA) {
-	    crv = CKR_KEY_TYPE_INCONSISTENT;
-	    break;
-	}
-	pubKey = sftk_GetPubKey(key,CKK_DSA,&crv);
-	if (pubKey == NULL) {
-	    break;
-	}
-	context->cipherInfo = pubKey;
-	context->verify     = (SFTKVerify) nsc_DSA_Verify_Stub;
-	context->destroy    = sftk_Null;
-	break;
-#ifdef NSS_ENABLE_ECC
-    case CKM_ECDSA_SHA1:
-	context->multi = PR_TRUE;
-	crv = sftk_doSubSHA1(context);
-	if (crv != CKR_OK) break;
-	/* fall through */
-    case CKM_ECDSA:
-	if (key_type != CKK_EC) {
-	    crv = CKR_KEY_TYPE_INCONSISTENT;
-	    break;
-	}
-	context->multi = PR_FALSE;
-	pubKey = sftk_GetPubKey(key,CKK_EC,&crv);
-	if (pubKey == NULL) {
-	    crv = CKR_HOST_MEMORY;
-	    break;
-	}
-	context->cipherInfo = pubKey;
-	context->verify     = (SFTKVerify) nsc_ECDSAVerifyStub;
-	context->destroy    = sftk_Null;
-	break;
-#endif /* NSS_ENABLE_ECC */
-
-    INIT_HMAC_MECH(MD2)
-    INIT_HMAC_MECH(MD5)
-    INIT_HMAC_MECH(SHA256)
-    INIT_HMAC_MECH(SHA384)
-    INIT_HMAC_MECH(SHA512)
-
-    case CKM_SHA_1_HMAC_GENERAL:
-	crv = sftk_doHMACInit(context,HASH_AlgSHA1,key,
-				*(CK_ULONG *)pMechanism->pParameter);
-	break;
-    case CKM_SHA_1_HMAC:
-	crv = sftk_doHMACInit(context,HASH_AlgSHA1,key,SHA1_LENGTH);
-	break;
-
-    case CKM_SSL3_MD5_MAC:
-	crv = sftk_doSSLMACInit(context,SEC_OID_MD5,key,
-					*(CK_ULONG *)pMechanism->pParameter);
-	break;
-    case CKM_SSL3_SHA1_MAC:
-	crv = sftk_doSSLMACInit(context,SEC_OID_SHA1,key,
-					*(CK_ULONG *)pMechanism->pParameter);
-	break;
-    case CKM_TLS_PRF_GENERAL:
-	crv = sftk_TLSPRFInit(context, key, key_type);
-	break;
-
-    default:
-	crv = CKR_MECHANISM_INVALID;
-	break;
-    }
-
-    if (crv != CKR_OK) {
-        PORT_Free(context);
-	sftk_FreeSession(session);
-	return crv;
-    }
-    sftk_SetContextByType(session, SFTK_VERIFY, context);
-    sftk_FreeSession(session);
-    return CKR_OK;
-}
-
-/* NSC_Verify verifies a signature in a single-part operation, 
- * where the signature is an appendix to the data, 
- * and plaintext cannot be recovered from the signature */
-CK_RV NSC_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
-    CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen)
-{
-    SFTKSession *session;
-    SFTKSessionContext *context;
-    CK_RV crv;
-    SECStatus rv;
-
-    /* make sure we're legal */
-    crv = sftk_GetContext(hSession,&context,SFTK_VERIFY,PR_FALSE,&session);
-    if (crv != CKR_OK) return crv;
-
-    rv = (*context->verify)(context->cipherInfo,pSignature, ulSignatureLen,
-							 pData, ulDataLen);
-    sftk_FreeContext(context);
-    sftk_SetContextByType(session, SFTK_VERIFY, NULL);
-    sftk_FreeSession(session);
-
-    return (rv == SECSuccess) ? CKR_OK : CKR_SIGNATURE_INVALID;
-
-}
-
-
-/* NSC_VerifyUpdate continues a multiple-part verification operation, 
- * where the signature is an appendix to the data, 
- * and plaintext cannot be recovered from the signature */
-CK_RV NSC_VerifyUpdate( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
-						CK_ULONG ulPartLen)
-{
-    return sftk_MACUpdate(hSession, pPart, ulPartLen, SFTK_VERIFY);
-}
-
-
-/* NSC_VerifyFinal finishes a multiple-part verification operation, 
- * checking the signature. */
-CK_RV NSC_VerifyFinal(CK_SESSION_HANDLE hSession,
-			CK_BYTE_PTR pSignature,CK_ULONG ulSignatureLen)
-{
-    SFTKSession *session;
-    SFTKSessionContext *context;
-    unsigned int outlen;
-    unsigned int digestLen;
-    unsigned char tmpbuf[SFTK_MAX_MAC_LENGTH];
-    CK_RV crv;
-    SECStatus rv = SECSuccess;
-
-    /* make sure we're legal */
-    crv = sftk_GetContext(hSession,&context,SFTK_VERIFY,PR_TRUE,&session);
-    if (crv != CKR_OK) return crv;
-
-    if (context->hashInfo) {
-        (*context->end)(context->hashInfo, tmpbuf, &digestLen, sizeof(tmpbuf));
-	rv = (*context->verify)(context->cipherInfo, pSignature, 
-					ulSignatureLen, tmpbuf, digestLen);
-    } else {
-	if (context->padDataLength) {
-	    /* fill out rest of pad buffer with pad magic*/
-	    int i;
-	    for (i=context->padDataLength; i < (int)context->blockSize; i++) {
-		context->padBuf[i] = 0;
-	    }
-	    rv = (*context->update)(context->cipherInfo,context->macBuf, 
-		&outlen,SFTK_MAX_BLOCK_SIZE,context->padBuf,context->blockSize);
-	}
-	if (rv == SECSuccess) {
-	    rv =(PORT_Memcmp(pSignature,context->macBuf,context->macSize) == 0)
-				 ? SECSuccess : SECFailure;
-	}
-    }
-
-    sftk_FreeContext(context);
-    sftk_SetContextByType(session, SFTK_VERIFY, NULL);
-    sftk_FreeSession(session);
-    return (rv == SECSuccess) ? CKR_OK : CKR_SIGNATURE_INVALID;
-
-}
-
-/*
- ************** Crypto Functions:     Verify  Recover ************************
- */
-
-/* NSC_VerifyRecoverInit initializes a signature verification operation, 
- * where the data is recovered from the signature. 
- * E.g. Decryption with the user's public key */
-CK_RV NSC_VerifyRecoverInit(CK_SESSION_HANDLE hSession,
-			CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey)
-{
-    SFTKSession *session;
-    SFTKObject *key;
-    SFTKSessionContext *context;
-    CK_KEY_TYPE key_type;
-    CK_RV crv = CKR_OK;
-    NSSLOWKEYPublicKey *pubKey;
-
-    session = sftk_SessionFromHandle(hSession);
-    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
-    crv = sftk_InitGeneric(session,&context,SFTK_VERIFY_RECOVER,
-			&key,hKey,&key_type,CKO_PUBLIC_KEY,CKA_VERIFY_RECOVER);
-    if (crv != CKR_OK) {
-	sftk_FreeSession(session);
-	return crv;
-    }
-
-    context->multi = PR_TRUE;
-
-    switch(pMechanism->mechanism) {
-    case CKM_RSA_PKCS:
-    case CKM_RSA_X_509:
-	if (key_type != CKK_RSA) {
-	    crv = CKR_KEY_TYPE_INCONSISTENT;
-	    break;
-	}
-	context->multi = PR_FALSE;
-	pubKey = sftk_GetPubKey(key,CKK_RSA,&crv);
-	if (pubKey == NULL) {
-	    break;
-	}
-	context->cipherInfo = pubKey;
-	context->update = (SFTKCipher) (pMechanism->mechanism == CKM_RSA_X_509
-			? RSA_CheckSignRecoverRaw : RSA_CheckSignRecover);
-	context->destroy = sftk_Null;
-	break;
-    default:
-	crv = CKR_MECHANISM_INVALID;
-	break;
-    }
-
-    if (crv != CKR_OK) {
-        PORT_Free(context);
-	sftk_FreeSession(session);
-	return crv;
-    }
-    sftk_SetContextByType(session, SFTK_VERIFY_RECOVER, context);
-    sftk_FreeSession(session);
-    return CKR_OK;
-}
-
-
-/* NSC_VerifyRecover verifies a signature in a single-part operation, 
- * where the data is recovered from the signature. 
- * E.g. Decryption with the user's public key */
-CK_RV NSC_VerifyRecover(CK_SESSION_HANDLE hSession,
-		 CK_BYTE_PTR pSignature,CK_ULONG ulSignatureLen,
-    				CK_BYTE_PTR pData,CK_ULONG_PTR pulDataLen)
-{
-    SFTKSession *session;
-    SFTKSessionContext *context;
-    unsigned int outlen;
-    unsigned int maxoutlen = *pulDataLen;
-    CK_RV crv;
-    SECStatus rv;
-
-    /* make sure we're legal */
-    crv = sftk_GetContext(hSession,&context,SFTK_VERIFY_RECOVER,
-							PR_FALSE,&session);
-    if (crv != CKR_OK) return crv;
-
-    rv = (*context->update)(context->cipherInfo, pData, &outlen, maxoutlen, 
-						pSignature, ulSignatureLen);
-    *pulDataLen = (CK_ULONG) outlen;
-    sftk_FreeContext(context);
-    sftk_SetContextByType(session, SFTK_VERIFY_RECOVER, NULL);
-    sftk_FreeSession(session);
-    return (rv == SECSuccess)  ? CKR_OK : CKR_DEVICE_ERROR;
-}
-
-/*
- **************************** Random Functions:  ************************
- */
-
-/* NSC_SeedRandom mixes additional seed material into the token's random number 
- * generator. */
-CK_RV NSC_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed,
-    CK_ULONG ulSeedLen) 
-{
-    SECStatus rv;
-
-    rv = RNG_RandomUpdate(pSeed, ulSeedLen);
-    return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
-}
-
-/* NSC_GenerateRandom generates random data. */
-CK_RV NSC_GenerateRandom(CK_SESSION_HANDLE hSession,
-    CK_BYTE_PTR	pRandomData, CK_ULONG ulRandomLen)
-{
-    SECStatus rv;
-
-    rv = RNG_GenerateGlobalRandomBytes(pRandomData, ulRandomLen);
-    return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
-}
-
-/*
- **************************** Key Functions:  ************************
- */
-
-
-/*
- * generate a password based encryption key. This code uses
- * PKCS5 to do the work.
- */
-static CK_RV
-nsc_pbe_key_gen(NSSPKCS5PBEParameter *pkcs5_pbe, CK_MECHANISM_PTR pMechanism,
-			char *buf, CK_ULONG *key_length, PRBool faulty3DES)
-{
-    SECItem *pbe_key = NULL, iv, pwitem;
-    CK_PBE_PARAMS *pbe_params = NULL;
-
-    *key_length = 0;
-    iv.data = NULL; iv.len = 0;
-
-    pbe_params = (CK_PBE_PARAMS *)pMechanism->pParameter;
-
-    pwitem.data = (unsigned char *)pbe_params->pPassword;
-    pwitem.len = (unsigned int)pbe_params->ulPasswordLen;
-    pbe_key = nsspkcs5_ComputeKeyAndIV(pkcs5_pbe, &pwitem, &iv, faulty3DES);
-    if (pbe_key == NULL) {
-	return CKR_HOST_MEMORY;
-    }
-
-    PORT_Memcpy(buf, pbe_key->data, pbe_key->len);
-    *key_length = pbe_key->len;
-    SECITEM_ZfreeItem(pbe_key, PR_TRUE);
-    pbe_key = NULL;
-
-    if (iv.data && pbe_params->pInitVector != NULL) {
-	PORT_Memcpy(pbe_params->pInitVector, iv.data, iv.len);
-    }
-    return CKR_OK;
-}
-static CK_RV
-nsc_parameter_gen(CK_KEY_TYPE key_type, SFTKObject *key)
-{
-    SFTKAttribute *attribute;
-    CK_ULONG counter;
-    unsigned int seedBits = 0;
-    unsigned int primeBits;
-    unsigned int j;
-    CK_RV crv = CKR_OK;
-    PQGParams *params = NULL;
-    PQGVerify *vfy = NULL;
-    SECStatus rv;
-
-    attribute = sftk_FindAttribute(key, CKA_PRIME_BITS);
-    if (attribute == NULL) {
-	return CKR_TEMPLATE_INCOMPLETE;
-    }
-    primeBits = (unsigned int) *(CK_ULONG *)attribute->attrib.pValue;
-    sftk_FreeAttribute(attribute);
-    j = PQG_PBITS_TO_INDEX(primeBits);
-    if (j == (unsigned int)-1) {
-	return CKR_ATTRIBUTE_VALUE_INVALID;
-    }
-
-    attribute = sftk_FindAttribute(key, CKA_NETSCAPE_PQG_SEED_BITS);
-    if (attribute != NULL) {
-	seedBits = (unsigned int) *(CK_ULONG *)attribute->attrib.pValue;
-	sftk_FreeAttribute(attribute);
-    }
-
-    sftk_DeleteAttributeType(key,CKA_PRIME_BITS);
-    sftk_DeleteAttributeType(key,CKA_NETSCAPE_PQG_SEED_BITS);
-
-    if (seedBits == 0) {
-	rv = PQG_ParamGen(j, &params, &vfy);
-    } else {
-	rv = PQG_ParamGenSeedLen(j,seedBits/8, &params, &vfy);
-    }
-
-    if (rv != SECSuccess) {
-	return CKR_DEVICE_ERROR;
-    }
-    crv = sftk_AddAttributeType(key,CKA_PRIME,
-				 params->prime.data, params->prime.len);
-    if (crv != CKR_OK) goto loser;
-    crv = sftk_AddAttributeType(key,CKA_SUBPRIME,
-				 params->subPrime.data, params->subPrime.len);
-    if (crv != CKR_OK) goto loser;
-    crv = sftk_AddAttributeType(key,CKA_BASE,
-				 params->base.data, params->base.len);
-    if (crv != CKR_OK) goto loser;
-    counter = vfy->counter;
-    crv = sftk_AddAttributeType(key,CKA_NETSCAPE_PQG_COUNTER,
-				 &counter, sizeof(counter));
-    crv = sftk_AddAttributeType(key,CKA_NETSCAPE_PQG_SEED,
-				 vfy->seed.data, vfy->seed.len);
-    if (crv != CKR_OK) goto loser;
-    crv = sftk_AddAttributeType(key,CKA_NETSCAPE_PQG_H,
-				 vfy->h.data, vfy->h.len);
-    if (crv != CKR_OK) goto loser;
-
-loser:
-    if (params) {
-	PQG_DestroyParams(params);
-    }
-    if (vfy) {
-	PQG_DestroyVerify(vfy);
-    }
-    return crv;
-}
-
-    
-
-    
-
-
-
-static CK_RV
-nsc_SetupBulkKeyGen(CK_MECHANISM_TYPE mechanism, CK_KEY_TYPE *key_type,
-							CK_ULONG *key_length)
-{
-    CK_RV crv = CKR_OK;
-
-    switch (mechanism) {
-    case CKM_RC2_KEY_GEN:
-	*key_type = CKK_RC2;
-	if (*key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
-	break;
-#if NSS_SOFTOKEN_DOES_RC5
-    case CKM_RC5_KEY_GEN:
-	*key_type = CKK_RC5;
-	if (*key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
-	break;
-#endif
-    case CKM_RC4_KEY_GEN:
-	*key_type = CKK_RC4;
-	if (*key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
-	break;
-    case CKM_GENERIC_SECRET_KEY_GEN:
-	*key_type = CKK_GENERIC_SECRET;
-	if (*key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
-	break;
-    case CKM_CDMF_KEY_GEN:
-	*key_type = CKK_CDMF;
-	*key_length = 8;
-	break;
-    case CKM_DES_KEY_GEN:
-	*key_type = CKK_DES;
-	*key_length = 8;
-	break;
-    case CKM_DES2_KEY_GEN:
-	*key_type = CKK_DES2;
-	*key_length = 16;
-	break;
-    case CKM_DES3_KEY_GEN:
-	*key_type = CKK_DES3;
-	*key_length = 24;
-	break;
-    case CKM_AES_KEY_GEN:
-	*key_type = CKK_AES;
-	if (*key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
-	break;
-    default:
-	PORT_Assert(0);
-	crv = CKR_MECHANISM_INVALID;
-	break;
-    }
-
-    return crv;
-}
-
-CK_RV
-nsc_SetupHMACKeyGen(CK_MECHANISM_PTR pMechanism, NSSPKCS5PBEParameter **pbe)
-{
-    SECItem  salt;
-    CK_PBE_PARAMS *pbe_params = NULL;
-    NSSPKCS5PBEParameter *params;
-    PRArenaPool *arena = NULL;
-    SECStatus rv;
-
-    *pbe = NULL;
-
-    arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
-    if (arena == NULL) {
-	return CKR_HOST_MEMORY;
-    }
-
-    params = (NSSPKCS5PBEParameter *) PORT_ArenaZAlloc(arena,
-				sizeof(NSSPKCS5PBEParameter));
-    if (params == NULL) {
-	PORT_FreeArena(arena,PR_TRUE);
-	return CKR_HOST_MEMORY;
-    }
-
-    params->poolp = arena;
-    params->ivLen = 0;
-    params->pbeType = NSSPKCS5_PKCS12_V2;
-    params->hashType = HASH_AlgSHA1;
-    params->encAlg = SEC_OID_SHA1; /* any invalid value */
-    params->is2KeyDES = PR_FALSE;
-    params->keyID = pbeBitGenIntegrityKey;
-    pbe_params = (CK_PBE_PARAMS *)pMechanism->pParameter;
-    params->iter = pbe_params->ulIteration;
-
-    salt.data = (unsigned char *)pbe_params->pSalt;
-    salt.len = (unsigned int)pbe_params->ulSaltLen;
-    rv = SECITEM_CopyItem(arena,&params->salt,&salt);
-    if (rv != SECSuccess) {
-	PORT_FreeArena(arena,PR_TRUE);
-	return CKR_HOST_MEMORY;
-    }
-    switch (pMechanism->mechanism) {
-    case CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN:
-    case CKM_PBA_SHA1_WITH_SHA1_HMAC:
-	params->hashType = HASH_AlgSHA1; 
-	params->keyLen = 20;
-	break;
-    case CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN:
-	params->hashType = HASH_AlgMD5; 
-	params->keyLen = 16;
-	break;
-    case CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN:
-	params->hashType = HASH_AlgMD2; 
-	params->keyLen = 16;
-	break;
-    default:
-	PORT_FreeArena(arena,PR_TRUE);
-	return CKR_MECHANISM_INVALID;
-    }
-    *pbe = params;
-    return CKR_OK;
-}
-/* maybe this should be table driven? */
-static CK_RV
-nsc_SetupPBEKeyGen(CK_MECHANISM_PTR pMechanism, NSSPKCS5PBEParameter  **pbe,
-							CK_KEY_TYPE *key_type)
-{
-    CK_RV crv = CKR_OK;
-    SECOidData *oid;
-    CK_PBE_PARAMS *pbe_params;
-    NSSPKCS5PBEParameter *params;
-    SECItem salt;
-
-    *pbe = NULL;
-
-    oid = SECOID_FindOIDByMechanism(pMechanism->mechanism);
-    if (oid == NULL) {
-	return CKR_MECHANISM_INVALID;
-    }
-
-    pbe_params = (CK_PBE_PARAMS *)pMechanism->pParameter;
-    salt.data = (unsigned char *)pbe_params->pSalt;
-    salt.len = (unsigned int)pbe_params->ulSaltLen;
-
-    params=nsspkcs5_NewParam(oid->offset, &salt, pbe_params->ulIteration);
-    if (params == NULL) {
-	return CKR_MECHANISM_INVALID;
-    }
-
-
-    switch (params->encAlg) {
-    case SEC_OID_DES_CBC:
-	*key_type = CKK_DES;
-	break;
-    case SEC_OID_DES_EDE3_CBC:
-	*key_type = params->is2KeyDES ? CKK_DES2 : CKK_DES3;
-	break;
-    case SEC_OID_RC2_CBC:
-	*key_type = CKK_RC2;
-	break;
-    case SEC_OID_RC4:
-	*key_type = CKK_RC4;
-	break;
-    default:
-	crv = CKR_MECHANISM_INVALID;
-	nsspkcs5_DestroyPBEParameter(params);
-	break;
-    }
-    if (crv == CKR_OK) {
-    	*pbe = params;
-    }
-    return crv;
-}
-
-/* NSC_GenerateKey generates a secret key, creating a new key object. */
-CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession,
-    CK_MECHANISM_PTR pMechanism,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount,
-    						CK_OBJECT_HANDLE_PTR phKey)
-{
-    SFTKObject *key;
-    SFTKSession *session;
-    PRBool checkWeak = PR_FALSE;
-    CK_ULONG key_length = 0;
-    CK_KEY_TYPE key_type = CKK_INVALID_KEY_TYPE;
-    CK_OBJECT_CLASS objclass = CKO_SECRET_KEY;
-    CK_RV crv = CKR_OK;
-    CK_BBOOL cktrue = CK_TRUE;
-    int i;
-    SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
-    char buf[MAX_KEY_LEN];
-    enum {nsc_pbe, nsc_ssl, nsc_bulk, nsc_param} key_gen_type;
-    NSSPKCS5PBEParameter *pbe_param;
-    SSL3RSAPreMasterSecret *rsa_pms;
-    CK_VERSION *version;
-    /* in very old versions of NSS, there were implementation errors with key 
-     * generation methods.  We want to beable to read these, but not 
-     * produce them any more.  The affected algorithm was 3DES.
-     */
-    PRBool faultyPBE3DES = PR_FALSE;
-
-
-    /*
-     * now lets create an object to hang the attributes off of
-     */
-    key = sftk_NewObject(slot); /* fill in the handle later */
-    if (key == NULL) {
-	return CKR_HOST_MEMORY;
-    }
-
-    /*
-     * load the template values into the object
-     */
-    for (i=0; i < (int) ulCount; i++) {
-	if (pTemplate[i].type == CKA_VALUE_LEN) {
-	    key_length = *(CK_ULONG *)pTemplate[i].pValue;
-	    continue;
-	}
-
-	crv = sftk_AddAttributeType(key,sftk_attr_expand(&pTemplate[i]));
-	if (crv != CKR_OK) break;
-    }
-    if (crv != CKR_OK) {
-	sftk_FreeObject(key);
-	return crv;
-    }
-
-    /* make sure we don't have any class, key_type, or value fields */
-    sftk_DeleteAttributeType(key,CKA_CLASS);
-    sftk_DeleteAttributeType(key,CKA_KEY_TYPE);
-    sftk_DeleteAttributeType(key,CKA_VALUE);
-
-    /* Now Set up the parameters to generate the key (based on mechanism) */
-    key_gen_type = nsc_bulk; /* bulk key by default */
-    switch (pMechanism->mechanism) {
-    case CKM_CDMF_KEY_GEN:
-    case CKM_DES_KEY_GEN:
-    case CKM_DES2_KEY_GEN:
-    case CKM_DES3_KEY_GEN:
-	checkWeak = PR_TRUE;
-    case CKM_RC2_KEY_GEN:
-    case CKM_RC4_KEY_GEN:
-    case CKM_GENERIC_SECRET_KEY_GEN:
-    case CKM_AES_KEY_GEN:
-#if NSS_SOFTOKEN_DOES_RC5
-    case CKM_RC5_KEY_GEN:
-#endif
-	crv = nsc_SetupBulkKeyGen(pMechanism->mechanism,&key_type,&key_length);
-	break;
-    case CKM_SSL3_PRE_MASTER_KEY_GEN:
-	key_type = CKK_GENERIC_SECRET;
-	key_length = 48;
-	key_gen_type = nsc_ssl;
-	break;
-    case CKM_PBA_SHA1_WITH_SHA1_HMAC:
-    case CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN:
-    case CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN:
-    case CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN:
-	key_gen_type = nsc_pbe;
-	key_type = CKK_GENERIC_SECRET;
-	crv = nsc_SetupHMACKeyGen(pMechanism, &pbe_param);
-	break;
-    case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
-	faultyPBE3DES = PR_TRUE;
-    case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
-    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
-    case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
-    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
-    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
-    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
-    case CKM_PBE_SHA1_DES3_EDE_CBC:
-    case CKM_PBE_SHA1_DES2_EDE_CBC:
-    case CKM_PBE_SHA1_RC2_128_CBC:
-    case CKM_PBE_SHA1_RC2_40_CBC:
-    case CKM_PBE_SHA1_RC4_128:
-    case CKM_PBE_SHA1_RC4_40:
-    case CKM_PBE_MD5_DES_CBC:
-    case CKM_PBE_MD2_DES_CBC:
-	key_gen_type = nsc_pbe;
-	crv = nsc_SetupPBEKeyGen(pMechanism,&pbe_param, &key_type);
-	break;
-    case CKM_DSA_PARAMETER_GEN:
-	key_gen_type = nsc_param;
-	key_type = CKK_DSA;
-	objclass = CKO_KG_PARAMETERS;
-	crv = CKR_OK;
-	break;
-    default:
-	crv = CKR_MECHANISM_INVALID;
-	break;
-    }
-
-    /* make sure we aren't going to overflow the buffer */
-    if (sizeof(buf) < key_length) {
-	/* someone is getting pretty optimistic about how big their key can
-	 * be... */
-        crv = CKR_TEMPLATE_INCONSISTENT;
-    }
-
-    if (crv != CKR_OK) { sftk_FreeObject(key); return crv; }
-
-    /* if there was no error,
-     * key_type *MUST* be set in the switch statement above */
-    PORT_Assert( key_type != CKK_INVALID_KEY_TYPE );
-
-    /*
-     * now to the actual key gen.
-     */
-    switch (key_gen_type) {
-    case nsc_pbe:
-	crv = nsc_pbe_key_gen(pbe_param, pMechanism, buf, &key_length,
-			       faultyPBE3DES);
-	nsspkcs5_DestroyPBEParameter(pbe_param);
-	break;
-    case nsc_ssl:
-	rsa_pms = (SSL3RSAPreMasterSecret *)buf;
-	version = (CK_VERSION *)pMechanism->pParameter;
-	rsa_pms->client_version[0] = version->major;
-        rsa_pms->client_version[1] = version->minor;
-        crv = 
-	    NSC_GenerateRandom(0,&rsa_pms->random[0], sizeof(rsa_pms->random));
-	break;
-    case nsc_bulk:
-	/* get the key, check for weak keys and repeat if found */
-	do {
-            crv = NSC_GenerateRandom(0, (unsigned char *)buf, key_length);
-	} while (crv == CKR_OK && checkWeak && 
-			sftk_IsWeakKey((unsigned char *)buf,key_type));
-	break;
-    case nsc_param:
-	/* generate parameters */
-	*buf = 0;
-	crv = nsc_parameter_gen(key_type,key);
-	break;
-    }
-
-    if (crv != CKR_OK) { sftk_FreeObject(key); return crv; }
-
-    /* Add the class, key_type, and value */
-    crv = sftk_AddAttributeType(key,CKA_CLASS,&objclass,sizeof(CK_OBJECT_CLASS));
-    if (crv != CKR_OK) { sftk_FreeObject(key); return crv; }
-    crv = sftk_AddAttributeType(key,CKA_KEY_TYPE,&key_type,sizeof(CK_KEY_TYPE));
-    if (crv != CKR_OK) { sftk_FreeObject(key); return crv; }
-    if (key_length != 0) {
-	crv = sftk_AddAttributeType(key,CKA_VALUE,buf,key_length);
-	if (crv != CKR_OK) { sftk_FreeObject(key); return crv; }
-    }
-
-    /* get the session */
-    session = sftk_SessionFromHandle(hSession);
-    if (session == NULL) {
-	sftk_FreeObject(key);
-        return CKR_SESSION_HANDLE_INVALID;
-    }
-
-    /*
-     * handle the base object stuff
-     */
-    crv = sftk_handleObject(key,session);
-    sftk_FreeSession(session);
-    if (sftk_isTrue(key,CKA_SENSITIVE)) {
-	sftk_forceAttribute(key,CKA_ALWAYS_SENSITIVE,&cktrue,sizeof(CK_BBOOL));
-    }
-    if (!sftk_isTrue(key,CKA_EXTRACTABLE)) {
-	sftk_forceAttribute(key,CKA_NEVER_EXTRACTABLE,&cktrue,sizeof(CK_BBOOL));
-    }
-
-    *phKey = key->handle;
-    sftk_FreeObject(key);
-    return crv;
-}
-
-#define PAIRWISE_DIGEST_LENGTH			SHA1_LENGTH /* 160-bits */
-#define PAIRWISE_MESSAGE_LENGTH			20          /* 160-bits */
-
-/*
- * FIPS 140-2 pairwise consistency check utilized to validate key pair.
- *
- * This function returns
- *   CKR_OK               if pairwise consistency check passed
- *   CKR_GENERAL_ERROR    if pairwise consistency check failed
- *   other error codes    if paiswise consistency check could not be
- *                        performed, for example, CKR_HOST_MEMORY.
- */
-static CK_RV
-sftk_PairwiseConsistencyCheck(CK_SESSION_HANDLE hSession,
-    SFTKObject *publicKey, SFTKObject *privateKey, CK_KEY_TYPE keyType)
-{
-    /*
-     *                      Key type    Mechanism type
-     *                      --------------------------------
-     * For encrypt/decrypt: CKK_RSA  => CKM_RSA_PKCS
-     *                      others   => CKM_INVALID_MECHANISM
-     *
-     * For sign/verify:     CKK_RSA  => CKM_RSA_PKCS
-     *                      CKK_DSA  => CKM_DSA
-     *                      CKK_EC   => CKM_ECDSA
-     *                      others   => CKM_INVALID_MECHANISM
-     *
-     * None of these mechanisms has a parameter.
-     */
-    CK_MECHANISM mech = {0, NULL, 0};
-
-    CK_ULONG modulusLen;
-    PRBool isEncryptable = PR_FALSE;
-    PRBool canSignVerify = PR_FALSE;
-    PRBool isDerivable = PR_FALSE;
-    CK_RV crv;
-
-    /* Variables used for Encrypt/Decrypt functions. */
-    unsigned char *known_message = (unsigned char *)"Known Crypto Message";
-    unsigned char plaintext[PAIRWISE_MESSAGE_LENGTH];
-    CK_ULONG bytes_decrypted;
-    unsigned char *ciphertext;
-    unsigned char *text_compared;
-    CK_ULONG bytes_encrypted;
-    CK_ULONG bytes_compared;
-
-    /* Variables used for Signature/Verification functions. */
-    /* always uses SHA-1 digest */
-    unsigned char *known_digest = (unsigned char *)"Mozilla Rules World!";
-    unsigned char *signature;
-    CK_ULONG signature_length;
-
-    if (keyType == CKK_RSA) {
-	SFTKAttribute *attribute;
-
-	/* Get modulus length of private key. */
-	attribute = sftk_FindAttribute(privateKey, CKA_MODULUS);
-	if (attribute == NULL) {
-	    return CKR_DEVICE_ERROR;
-	}
-	modulusLen = attribute->attrib.ulValueLen;
-	if (*(unsigned char *)attribute->attrib.pValue == 0) {
-	    modulusLen--;
-	}
-	sftk_FreeAttribute(attribute);
-    }
-
-    /**************************************************/
-    /* Pairwise Consistency Check of Encrypt/Decrypt. */
-    /**************************************************/
-
-    isEncryptable = sftk_isTrue(privateKey, CKA_DECRYPT); 
-
-    /*
-     * If the decryption attribute is set, attempt to encrypt
-     * with the public key and decrypt with the private key.
-     */
-    if (isEncryptable) {
-	if (keyType != CKK_RSA) {
-	    return CKR_DEVICE_ERROR;
-	}
-	bytes_encrypted = modulusLen;
-	mech.mechanism = CKM_RSA_PKCS;
-
-	/* Allocate space for ciphertext. */
-	ciphertext = (unsigned char *) PORT_ZAlloc(bytes_encrypted);
-	if (ciphertext == NULL) {
-	    return CKR_HOST_MEMORY;
-	}
-
-	/* Prepare for encryption using the public key. */
-	crv = NSC_EncryptInit(hSession, &mech, publicKey->handle);
-	if (crv != CKR_OK) {
-	    PORT_Free(ciphertext);
-	    return crv;
-	}
-
-	/* Encrypt using the public key. */
-	crv = NSC_Encrypt(hSession,
-			  known_message,
-			  PAIRWISE_MESSAGE_LENGTH,
-			  ciphertext,
-			  &bytes_encrypted);
-	if (crv != CKR_OK) {
-	    PORT_Free(ciphertext);
-	    return crv;
-	}
-
-	/* Always use the smaller of these two values . . . */
-	bytes_compared = PR_MIN(bytes_encrypted, PAIRWISE_MESSAGE_LENGTH);
-
-	/*
-	 * If there was a failure, the plaintext
-	 * goes at the end, therefore . . .
-	 */
-	text_compared = ciphertext + bytes_encrypted - bytes_compared;
-
-	/*
-	 * Check to ensure that ciphertext does
-	 * NOT EQUAL known input message text
-	 * per FIPS PUB 140-2 directive.
-	 */
-	if (PORT_Memcmp(text_compared, known_message,
-			bytes_compared) == 0) {
-	    /* Set error to Invalid PRIVATE Key. */
-	    PORT_SetError(SEC_ERROR_INVALID_KEY);
-	    PORT_Free(ciphertext);
-	    return CKR_GENERAL_ERROR;
-	}
-
-	/* Prepare for decryption using the private key. */
-	crv = NSC_DecryptInit(hSession, &mech, privateKey->handle);
-	if (crv != CKR_OK) {
-	    PORT_Free(ciphertext);
-	    return crv;
-	}
-
-	memset(plaintext, 0, PAIRWISE_MESSAGE_LENGTH);
-
-	/*
-	 * Initialize bytes decrypted to be the
-	 * expected PAIRWISE_MESSAGE_LENGTH.
-	 */
-	bytes_decrypted = PAIRWISE_MESSAGE_LENGTH;
-
-	/*
-	 * Decrypt using the private key.
-	 * NOTE:  No need to reset the
-	 *        value of bytes_encrypted.
-	 */
-	crv = NSC_Decrypt(hSession,
-			  ciphertext,
-			  bytes_encrypted,
-			  plaintext,
-			  &bytes_decrypted);
-
-	/* Finished with ciphertext; free it. */
-	PORT_Free(ciphertext);
-
-	if (crv != CKR_OK) {
-	    return crv;
-	}
-
-	/*
-	 * Check to ensure that the output plaintext
-	 * does EQUAL known input message text.
-	 */
-	if ((bytes_decrypted != PAIRWISE_MESSAGE_LENGTH) ||
-	    (PORT_Memcmp(plaintext, known_message,
-			 PAIRWISE_MESSAGE_LENGTH) != 0)) {
-	    /* Set error to Bad PUBLIC Key. */
-	    PORT_SetError(SEC_ERROR_BAD_KEY);
-	    return CKR_GENERAL_ERROR;
-	}
-    }
-
-    /**********************************************/
-    /* Pairwise Consistency Check of Sign/Verify. */
-    /**********************************************/
-
-    canSignVerify = sftk_isTrue(privateKey, CKA_SIGN);
-    
-    if (canSignVerify) {
-	/* Determine length of signature. */
-	switch (keyType) {
-	case CKK_RSA:
-	    signature_length = modulusLen;
-	    mech.mechanism = CKM_RSA_PKCS;
-	    break;
-	case CKK_DSA:
-	    signature_length = DSA_SIGNATURE_LEN;
-	    mech.mechanism = CKM_DSA;
-	    break;
-#ifdef NSS_ENABLE_ECC
-	case CKK_EC:
-	    signature_length = MAX_ECKEY_LEN * 2;
-	    mech.mechanism = CKM_ECDSA;
-	    break;
-#endif
-	default:
-	    return CKR_DEVICE_ERROR;
-	}
-	
-	/* Allocate space for signature data. */
-	signature = (unsigned char *) PORT_ZAlloc(signature_length);
-	if (signature == NULL) {
-	    return CKR_HOST_MEMORY;
-	}
-	
-	/* Sign the known hash using the private key. */
-	crv = NSC_SignInit(hSession, &mech, privateKey->handle);
-	if (crv != CKR_OK) {
-	    PORT_Free(signature);
-	    return crv;
-	}
-
-	crv = NSC_Sign(hSession,
-		       known_digest,
-		       PAIRWISE_DIGEST_LENGTH,
-		       signature,
-		       &signature_length);
-	if (crv != CKR_OK) {
-	    PORT_Free(signature);
-	    return crv;
-	}
-	
-	/* Verify the known hash using the public key. */
-	crv = NSC_VerifyInit(hSession, &mech, publicKey->handle);
-	if (crv != CKR_OK) {
-	    PORT_Free(signature);
-	    return crv;
-	}
-
-	crv = NSC_Verify(hSession,
-			 known_digest,
-			 PAIRWISE_DIGEST_LENGTH,
-			 signature,
-			 signature_length);
-
-	/* Free signature data. */
-	PORT_Free(signature);
-
-	if ((crv == CKR_SIGNATURE_LEN_RANGE) ||
-		(crv == CKR_SIGNATURE_INVALID)) {
-	    return CKR_GENERAL_ERROR;
-	}
-	if (crv != CKR_OK) {
-	    return crv;
-	}
-    }
-
-    /**********************************************/
-    /* Pairwise Consistency Check for Derivation  */
-    /**********************************************/
-
-    isDerivable = sftk_isTrue(privateKey, CKA_DERIVE);
-    
-    if (isDerivable) {
-	/* 
-	 * We are not doing consistency check for Diffie-Hellman Key - 
-	 * otherwise it would be here
-	 * This is also true for Elliptic Curve Diffie-Hellman keys
-	 * NOTE: EC keys are currently subjected to pairwise
-	 * consistency check for signing/verification.
-	 */
-	/*
-	 * FIPS 140-2 had the following pairwise consistency test for
-	 * public and private keys used for key agreement:
-	 *   If the keys are used to perform key agreement, then the
-	 *   cryptographic module shall create a second, compatible
-	 *   key pair.  The cryptographic module shall perform both
-	 *   sides of the key agreement algorithm and shall compare
-	 *   the resulting shared values.  If the shared values are
-	 *   not equal, the test shall fail.
-	 * This test was removed in Change Notice 3.
-	 */
-
-    }
-
-    return CKR_OK;
-}
-
-/* NSC_GenerateKeyPair generates a public-key/private-key pair, 
- * creating new key objects. */
-CK_RV NSC_GenerateKeyPair (CK_SESSION_HANDLE hSession,
-    CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pPublicKeyTemplate,
-    CK_ULONG ulPublicKeyAttributeCount, CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
-    CK_ULONG ulPrivateKeyAttributeCount, CK_OBJECT_HANDLE_PTR phPublicKey,
-    					CK_OBJECT_HANDLE_PTR phPrivateKey)
-{
-    SFTKObject *	publicKey,*privateKey;
-    SFTKSession *	session;
-    CK_KEY_TYPE 	key_type;
-    CK_RV 		crv 	= CKR_OK;
-    CK_BBOOL 		cktrue 	= CK_TRUE;
-    SECStatus 		rv;
-    CK_OBJECT_CLASS 	pubClass = CKO_PUBLIC_KEY;
-    CK_OBJECT_CLASS 	privClass = CKO_PRIVATE_KEY;
-    int 		i;
-    SFTKSlot *		slot 	= sftk_SlotFromSessionHandle(hSession);
-    unsigned int bitSize;
-
-    /* RSA */
-    int 		public_modulus_bits = 0;
-    SECItem 		pubExp;
-    RSAPrivateKey *	rsaPriv;
-
-    /* DSA */
-    PQGParams 		pqgParam;
-    DHParams  		dhParam;
-    DSAPrivateKey *	dsaPriv;
-
-    /* Diffie Hellman */
-    int 		private_value_bits = 0;
-    DHPrivateKey *	dhPriv;
-
-#ifdef NSS_ENABLE_ECC
-    /* Elliptic Curve Cryptography */
-    SECItem  		ecEncodedParams;  /* DER Encoded parameters */
-    ECPrivateKey *	ecPriv;
-    ECParams *          ecParams;
-#endif /* NSS_ENABLE_ECC */
-
-    /*
-     * now lets create an object to hang the attributes off of
-     */
-    publicKey = sftk_NewObject(slot); /* fill in the handle later */
-    if (publicKey == NULL) {
-	return CKR_HOST_MEMORY;
-    }
-
-    /*
-     * load the template values into the publicKey
-     */
-    for (i=0; i < (int) ulPublicKeyAttributeCount; i++) {
-	if (pPublicKeyTemplate[i].type == CKA_MODULUS_BITS) {
-	    public_modulus_bits = *(CK_ULONG *)pPublicKeyTemplate[i].pValue;
-	    continue;
-	}
-
-	crv = sftk_AddAttributeType(publicKey,
-				    sftk_attr_expand(&pPublicKeyTemplate[i]));
-	if (crv != CKR_OK) break;
-    }
-
-    if (crv != CKR_OK) {
-	sftk_FreeObject(publicKey);
-	return CKR_HOST_MEMORY;
-    }
-
-    privateKey = sftk_NewObject(slot); /* fill in the handle later */
-    if (privateKey == NULL) {
-	sftk_FreeObject(publicKey);
-	return CKR_HOST_MEMORY;
-    }
-    /*
-     * now load the private key template
-     */
-    for (i=0; i < (int) ulPrivateKeyAttributeCount; i++) {
-	if (pPrivateKeyTemplate[i].type == CKA_VALUE_BITS) {
-	    private_value_bits = *(CK_ULONG *)pPrivateKeyTemplate[i].pValue;
-	    continue;
-	}
-
-	crv = sftk_AddAttributeType(privateKey,
-				    sftk_attr_expand(&pPrivateKeyTemplate[i]));
-	if (crv != CKR_OK) break;
-    }
-
-    if (crv != CKR_OK) {
-	sftk_FreeObject(publicKey);
-	sftk_FreeObject(privateKey);
-	return CKR_HOST_MEMORY;
-    }
-    sftk_DeleteAttributeType(privateKey,CKA_CLASS);
-    sftk_DeleteAttributeType(privateKey,CKA_KEY_TYPE);
-    sftk_DeleteAttributeType(privateKey,CKA_VALUE);
-    sftk_DeleteAttributeType(publicKey,CKA_CLASS);
-    sftk_DeleteAttributeType(publicKey,CKA_KEY_TYPE);
-    sftk_DeleteAttributeType(publicKey,CKA_VALUE);
-
-    /* Now Set up the parameters to generate the key (based on mechanism) */
-    switch (pMechanism->mechanism) {
-    case CKM_RSA_PKCS_KEY_PAIR_GEN:
-	/* format the keys */
-    	sftk_DeleteAttributeType(publicKey,CKA_MODULUS);
-    	sftk_DeleteAttributeType(privateKey,CKA_NETSCAPE_DB);
-    	sftk_DeleteAttributeType(privateKey,CKA_MODULUS);
-    	sftk_DeleteAttributeType(privateKey,CKA_PRIVATE_EXPONENT);
-    	sftk_DeleteAttributeType(privateKey,CKA_PUBLIC_EXPONENT);
-    	sftk_DeleteAttributeType(privateKey,CKA_PRIME_1);
-    	sftk_DeleteAttributeType(privateKey,CKA_PRIME_2);
-    	sftk_DeleteAttributeType(privateKey,CKA_EXPONENT_1);
-    	sftk_DeleteAttributeType(privateKey,CKA_EXPONENT_2);
-    	sftk_DeleteAttributeType(privateKey,CKA_COEFFICIENT);
-	key_type = CKK_RSA;
-	if (public_modulus_bits == 0) {
-	    crv = CKR_TEMPLATE_INCOMPLETE;
-	    break;
-	}
-	if (public_modulus_bits < RSA_MIN_MODULUS_BITS) {
-	    crv = CKR_ATTRIBUTE_VALUE_INVALID;
-	    break;
-	}
-	if (public_modulus_bits % 2 != 0) {
-	    crv = CKR_ATTRIBUTE_VALUE_INVALID;
-	    break;
-	}
-
-	/* extract the exponent */
-	crv=sftk_Attribute2SSecItem(NULL,&pubExp,publicKey,CKA_PUBLIC_EXPONENT);
-	if (crv != CKR_OK) break;
-        bitSize = sftk_GetLengthInBits(pubExp.data, pubExp.len);
-	if (bitSize < 2) {
-	    crv = CKR_ATTRIBUTE_VALUE_INVALID;
-	    break;
-	}
-        crv = sftk_AddAttributeType(privateKey,CKA_PUBLIC_EXPONENT,
-				    		    sftk_item_expand(&pubExp));
-	if (crv != CKR_OK) {
-	    PORT_Free(pubExp.data);
-	    break;
-	}
-
-	rsaPriv = RSA_NewKey(public_modulus_bits, &pubExp);
-	PORT_Free(pubExp.data);
-	if (rsaPriv == NULL) {
-	    crv = CKR_DEVICE_ERROR;
-	    break;
-	}
-        /* now fill in the RSA dependent paramenters in the public key */
-        crv = sftk_AddAttributeType(publicKey,CKA_MODULUS,
-			   sftk_item_expand(&rsaPriv->modulus));
-	if (crv != CKR_OK) goto kpg_done;
-        /* now fill in the RSA dependent paramenters in the private key */
-        crv = sftk_AddAttributeType(privateKey,CKA_NETSCAPE_DB,
-			   sftk_item_expand(&rsaPriv->modulus));
-	if (crv != CKR_OK) goto kpg_done;
-        crv = sftk_AddAttributeType(privateKey,CKA_MODULUS,
-			   sftk_item_expand(&rsaPriv->modulus));
-	if (crv != CKR_OK) goto kpg_done;
-        crv = sftk_AddAttributeType(privateKey,CKA_PRIVATE_EXPONENT,
-			   sftk_item_expand(&rsaPriv->privateExponent));
-	if (crv != CKR_OK) goto kpg_done;
-        crv = sftk_AddAttributeType(privateKey,CKA_PRIME_1,
-			   sftk_item_expand(&rsaPriv->prime1));
-	if (crv != CKR_OK) goto kpg_done;
-        crv = sftk_AddAttributeType(privateKey,CKA_PRIME_2,
-			   sftk_item_expand(&rsaPriv->prime2));
-	if (crv != CKR_OK) goto kpg_done;
-        crv = sftk_AddAttributeType(privateKey,CKA_EXPONENT_1,
-			   sftk_item_expand(&rsaPriv->exponent1));
-	if (crv != CKR_OK) goto kpg_done;
-        crv = sftk_AddAttributeType(privateKey,CKA_EXPONENT_2,
-			   sftk_item_expand(&rsaPriv->exponent2));
-	if (crv != CKR_OK) goto kpg_done;
-        crv = sftk_AddAttributeType(privateKey,CKA_COEFFICIENT,
-			   sftk_item_expand(&rsaPriv->coefficient));
-kpg_done:
-	/* Should zeroize the contents first, since this func doesn't. */
-	PORT_FreeArena(rsaPriv->arena, PR_TRUE);
-	break;
-    case CKM_DSA_KEY_PAIR_GEN:
-    	sftk_DeleteAttributeType(publicKey,CKA_VALUE);
-    	sftk_DeleteAttributeType(privateKey,CKA_NETSCAPE_DB);
-	sftk_DeleteAttributeType(privateKey,CKA_PRIME);
-	sftk_DeleteAttributeType(privateKey,CKA_SUBPRIME);
-	sftk_DeleteAttributeType(privateKey,CKA_BASE);
-	key_type = CKK_DSA;
-
-	/* extract the necessary paramters and copy them to the private key */
-	crv=sftk_Attribute2SSecItem(NULL,&pqgParam.prime,publicKey,CKA_PRIME);
-	if (crv != CKR_OK) break;
-	crv=sftk_Attribute2SSecItem(NULL,&pqgParam.subPrime,publicKey,
-	                            CKA_SUBPRIME);
-	if (crv != CKR_OK) {
-	    PORT_Free(pqgParam.prime.data);
-	    break;
-	}
-	crv=sftk_Attribute2SSecItem(NULL,&pqgParam.base,publicKey,CKA_BASE);
-	if (crv != CKR_OK) {
-	    PORT_Free(pqgParam.prime.data);
-	    PORT_Free(pqgParam.subPrime.data);
-	    break;
-	}
-        crv = sftk_AddAttributeType(privateKey,CKA_PRIME,
-				    sftk_item_expand(&pqgParam.prime));
-	if (crv != CKR_OK) {
-	    PORT_Free(pqgParam.prime.data);
-	    PORT_Free(pqgParam.subPrime.data);
-	    PORT_Free(pqgParam.base.data);
-	    break;
-	}
-        crv = sftk_AddAttributeType(privateKey,CKA_SUBPRIME,
-			    	    sftk_item_expand(&pqgParam.subPrime));
-	if (crv != CKR_OK) {
-	    PORT_Free(pqgParam.prime.data);
-	    PORT_Free(pqgParam.subPrime.data);
-	    PORT_Free(pqgParam.base.data);
-	    break;
-	}
-        crv = sftk_AddAttributeType(privateKey,CKA_BASE,
-			    	    sftk_item_expand(&pqgParam.base));
-	if (crv != CKR_OK) {
-	    PORT_Free(pqgParam.prime.data);
-	    PORT_Free(pqgParam.subPrime.data);
-	    PORT_Free(pqgParam.base.data);
-	    break;
-	}
-
-        bitSize = sftk_GetLengthInBits(pqgParam.subPrime.data, 
-							pqgParam.subPrime.len);
-        if (bitSize != DSA_Q_BITS)  {
-	    crv = CKR_TEMPLATE_INCOMPLETE;
-	    PORT_Free(pqgParam.prime.data);
-	    PORT_Free(pqgParam.subPrime.data);
-	    PORT_Free(pqgParam.base.data);
-	    break;
-	}
-        bitSize = sftk_GetLengthInBits(pqgParam.prime.data,pqgParam.prime.len);
-        if ((bitSize <  DSA_MIN_P_BITS) || (bitSize > DSA_MAX_P_BITS)) {
-	    crv = CKR_TEMPLATE_INCOMPLETE;
-	    PORT_Free(pqgParam.prime.data);
-	    PORT_Free(pqgParam.subPrime.data);
-	    PORT_Free(pqgParam.base.data);
-	    break;
-	}
-        bitSize = sftk_GetLengthInBits(pqgParam.base.data,pqgParam.base.len);
-        if ((bitSize <  1) || (bitSize > DSA_MAX_P_BITS)) {
-	    crv = CKR_TEMPLATE_INCOMPLETE;
-	    PORT_Free(pqgParam.prime.data);
-	    PORT_Free(pqgParam.subPrime.data);
-	    PORT_Free(pqgParam.base.data);
-	    break;
-	}
-	    
-	/* Generate the key */
-	rv = DSA_NewKey(&pqgParam, &dsaPriv);
-
-	PORT_Free(pqgParam.prime.data);
-	PORT_Free(pqgParam.subPrime.data);
-	PORT_Free(pqgParam.base.data);
-
-	if (rv != SECSuccess) { crv = CKR_DEVICE_ERROR; break; }
-
-	/* store the generated key into the attributes */
-        crv = sftk_AddAttributeType(publicKey,CKA_VALUE,
-			   sftk_item_expand(&dsaPriv->publicValue));
-	if (crv != CKR_OK) goto dsagn_done;
-
-        /* now fill in the RSA dependent paramenters in the private key */
-        crv = sftk_AddAttributeType(privateKey,CKA_NETSCAPE_DB,
-			   sftk_item_expand(&dsaPriv->publicValue));
-	if (crv != CKR_OK) goto dsagn_done;
-        crv = sftk_AddAttributeType(privateKey,CKA_VALUE,
-			   sftk_item_expand(&dsaPriv->privateValue));
-
-dsagn_done:
-	/* should zeroize, since this function doesn't. */
-	PORT_FreeArena(dsaPriv->params.arena, PR_TRUE);
-	break;
-
-    case CKM_DH_PKCS_KEY_PAIR_GEN:
-	sftk_DeleteAttributeType(privateKey,CKA_PRIME);
-	sftk_DeleteAttributeType(privateKey,CKA_BASE);
-	sftk_DeleteAttributeType(privateKey,CKA_VALUE);
-    	sftk_DeleteAttributeType(privateKey,CKA_NETSCAPE_DB);
-	key_type = CKK_DH;
-
-	/* extract the necessary parameters and copy them to private keys */
-        crv = sftk_Attribute2SSecItem(NULL, &dhParam.prime, publicKey, 
-				      CKA_PRIME);
-	if (crv != CKR_OK) break;
-	crv = sftk_Attribute2SSecItem(NULL, &dhParam.base, publicKey, CKA_BASE);
-	if (crv != CKR_OK) {
-	    PORT_Free(dhParam.prime.data);
-	    break;
-	}
-	crv = sftk_AddAttributeType(privateKey, CKA_PRIME, 
-				    sftk_item_expand(&dhParam.prime));
-	if (crv != CKR_OK) {
-	    PORT_Free(dhParam.prime.data);
-	    PORT_Free(dhParam.base.data);
-	    break;
-	}
-	crv = sftk_AddAttributeType(privateKey, CKA_BASE, 
-				    sftk_item_expand(&dhParam.base));
-	if (crv != CKR_OK) {
-	    PORT_Free(dhParam.prime.data);
-	    PORT_Free(dhParam.base.data);
-	    break;
-	}
-        bitSize = sftk_GetLengthInBits(dhParam.prime.data,dhParam.prime.len);
-        if ((bitSize <  DH_MIN_P_BITS) || (bitSize > DH_MAX_P_BITS)) {
-	    crv = CKR_TEMPLATE_INCOMPLETE;
-	    PORT_Free(dhParam.prime.data);
-	    PORT_Free(dhParam.base.data);
-	    break;
-	}
-        bitSize = sftk_GetLengthInBits(dhParam.base.data,dhParam.base.len);
-        if ((bitSize <  1) || (bitSize > DH_MAX_P_BITS)) {
-	    crv = CKR_TEMPLATE_INCOMPLETE;
-	    PORT_Free(dhParam.prime.data);
-	    PORT_Free(dhParam.base.data);
-	    break;
-	}
-
-	rv = DH_NewKey(&dhParam, &dhPriv);
-	PORT_Free(dhParam.prime.data);
-	PORT_Free(dhParam.base.data);
-	if (rv != SECSuccess) { 
-	    crv = CKR_DEVICE_ERROR;
-	    break;
-	}
-
-	crv=sftk_AddAttributeType(publicKey, CKA_VALUE, 
-				sftk_item_expand(&dhPriv->publicValue));
-	if (crv != CKR_OK) goto dhgn_done;
-
-        crv = sftk_AddAttributeType(privateKey,CKA_NETSCAPE_DB,
-			   sftk_item_expand(&dhPriv->publicValue));
-	if (crv != CKR_OK) goto dhgn_done;
-
-	crv=sftk_AddAttributeType(privateKey, CKA_VALUE, 
-			      sftk_item_expand(&dhPriv->privateValue));
-
-dhgn_done:
-	/* should zeroize, since this function doesn't. */
-	PORT_FreeArena(dhPriv->arena, PR_TRUE);
-	break;
-
-#ifdef NSS_ENABLE_ECC
-    case CKM_EC_KEY_PAIR_GEN:
-	sftk_DeleteAttributeType(privateKey,CKA_EC_PARAMS);
-	sftk_DeleteAttributeType(privateKey,CKA_VALUE);
-    	sftk_DeleteAttributeType(privateKey,CKA_NETSCAPE_DB);
-	key_type = CKK_EC;
-
-	/* extract the necessary parameters and copy them to private keys */
-	crv = sftk_Attribute2SSecItem(NULL, &ecEncodedParams, publicKey, 
-				      CKA_EC_PARAMS);
-	if (crv != CKR_OK) break;
-
-	crv = sftk_AddAttributeType(privateKey, CKA_EC_PARAMS, 
-				    sftk_item_expand(&ecEncodedParams));
-	if (crv != CKR_OK) {
-	  PORT_Free(ecEncodedParams.data);
-	  break;
-	}
-
-	/* Decode ec params before calling EC_NewKey */
-	rv = EC_DecodeParams(&ecEncodedParams, &ecParams);
-	PORT_Free(ecEncodedParams.data);
-	if (rv != SECSuccess) {
-	    crv = CKR_DEVICE_ERROR;
-	    break;
-	}
-	rv = EC_NewKey(ecParams, &ecPriv);
-	PORT_FreeArena(ecParams->arena, PR_TRUE);
-	if (rv != SECSuccess) { 
-	  crv = CKR_DEVICE_ERROR;
-	  break;
-	}
-
-	crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT, 
-				sftk_item_expand(&ecPriv->publicValue));
-	if (crv != CKR_OK) goto ecgn_done;
-
-	crv = sftk_AddAttributeType(privateKey, CKA_VALUE, 
-			      sftk_item_expand(&ecPriv->privateValue));
-	if (crv != CKR_OK) goto ecgn_done;
-
-        crv = sftk_AddAttributeType(privateKey,CKA_NETSCAPE_DB,
-			   sftk_item_expand(&ecPriv->publicValue));
-ecgn_done:
-	/* should zeroize, since this function doesn't. */
-	PORT_FreeArena(ecPriv->ecParams.arena, PR_TRUE);
-	break;
-#endif /* NSS_ENABLE_ECC */
-
-    default:
-	crv = CKR_MECHANISM_INVALID;
-    }
-
-    if (crv != CKR_OK) {
-	sftk_FreeObject(privateKey);
-	sftk_FreeObject(publicKey);
-	return crv;
-    }
-
-
-    /* Add the class, key_type The loop lets us check errors blow out
-     *  on errors and clean up at the bottom */
-    session = NULL; /* make pedtantic happy... session cannot leave the*/
-		    /* loop below NULL unless an error is set... */
-    do {
-	crv = sftk_AddAttributeType(privateKey,CKA_CLASS,&privClass,
-						sizeof(CK_OBJECT_CLASS));
-        if (crv != CKR_OK) break;
-	crv = sftk_AddAttributeType(publicKey,CKA_CLASS,&pubClass,
-						sizeof(CK_OBJECT_CLASS));
-        if (crv != CKR_OK) break;
-	crv = sftk_AddAttributeType(privateKey,CKA_KEY_TYPE,&key_type,
-						sizeof(CK_KEY_TYPE));
-        if (crv != CKR_OK) break;
-	crv = sftk_AddAttributeType(publicKey,CKA_KEY_TYPE,&key_type,
-						sizeof(CK_KEY_TYPE));
-        if (crv != CKR_OK) break;
-        session = sftk_SessionFromHandle(hSession);
-        if (session == NULL) crv = CKR_SESSION_HANDLE_INVALID;
-    } while (0);
-
-    if (crv != CKR_OK) {
-	 sftk_FreeObject(privateKey);
-	 sftk_FreeObject(publicKey);
-	 return crv;
-    }
-
-    /*
-     * handle the base object cleanup for the public Key
-     */
-    crv = sftk_handleObject(privateKey,session);
-    if (crv != CKR_OK) {
-        sftk_FreeSession(session);
-	sftk_FreeObject(privateKey);
-	sftk_FreeObject(publicKey);
-	return crv;
-    }
-
-    /*
-     * handle the base object cleanup for the private Key
-     * If we have any problems, we destroy the public Key we've
-     * created and linked.
-     */
-    crv = sftk_handleObject(publicKey,session);
-    sftk_FreeSession(session);
-    if (crv != CKR_OK) {
-	sftk_FreeObject(publicKey);
-	NSC_DestroyObject(hSession,privateKey->handle);
-	sftk_FreeObject(privateKey);
-	return crv;
-    }
-    if (sftk_isTrue(privateKey,CKA_SENSITIVE)) {
-	sftk_forceAttribute(privateKey,CKA_ALWAYS_SENSITIVE,
-						&cktrue,sizeof(CK_BBOOL));
-    }
-    if (sftk_isTrue(publicKey,CKA_SENSITIVE)) {
-	sftk_forceAttribute(publicKey,CKA_ALWAYS_SENSITIVE,
-						&cktrue,sizeof(CK_BBOOL));
-    }
-    if (!sftk_isTrue(privateKey,CKA_EXTRACTABLE)) {
-	sftk_forceAttribute(privateKey,CKA_NEVER_EXTRACTABLE,
-						&cktrue,sizeof(CK_BBOOL));
-    }
-    if (!sftk_isTrue(publicKey,CKA_EXTRACTABLE)) {
-	sftk_forceAttribute(publicKey,CKA_NEVER_EXTRACTABLE,
-						&cktrue,sizeof(CK_BBOOL));
-    }
-
-    /* Perform FIPS 140-2 pairwise consistency check. */
-    crv = sftk_PairwiseConsistencyCheck(hSession,
-					publicKey, privateKey, key_type);
-    if (crv != CKR_OK) {
-	NSC_DestroyObject(hSession,publicKey->handle);
-	sftk_FreeObject(publicKey);
-	NSC_DestroyObject(hSession,privateKey->handle);
-	sftk_FreeObject(privateKey);
-	return crv;
-    }
-
-    *phPrivateKey = privateKey->handle;
-    *phPublicKey = publicKey->handle;
-    sftk_FreeObject(publicKey);
-    sftk_FreeObject(privateKey);
-
-    return CKR_OK;
-}
-
-static SECItem *sftk_PackagePrivateKey(SFTKObject *key, CK_RV *crvp)
-{
-    NSSLOWKEYPrivateKey *lk = NULL;
-    NSSLOWKEYPrivateKeyInfo *pki = NULL;
-    SFTKAttribute *attribute = NULL;
-    PLArenaPool *arena = NULL;
-    SECOidTag algorithm = SEC_OID_UNKNOWN;
-    void *dummy, *param = NULL;
-    SECStatus rv = SECSuccess;
-    SECItem *encodedKey = NULL;
-#ifdef NSS_ENABLE_ECC
-    SECItem *fordebug;
-    int savelen;
-#endif
-
-    if(!key) {
-	*crvp = CKR_KEY_HANDLE_INVALID; /* really can't happen */
-	return NULL;
-    }
-
-    attribute = sftk_FindAttribute(key, CKA_KEY_TYPE);
-    if(!attribute) {
-	*crvp = CKR_KEY_TYPE_INCONSISTENT;
-	return NULL;
-    }
-
-    lk = sftk_GetPrivKey(key, *(CK_KEY_TYPE *)attribute->attrib.pValue, crvp);
-    sftk_FreeAttribute(attribute);
-    if(!lk) {
-	return NULL;
-    }
-
-    arena = PORT_NewArena(2048); 	/* XXX different size? */
-    if(!arena) {
-	*crvp = CKR_HOST_MEMORY;
-	rv = SECFailure;
-	goto loser;
-    }
-
-    pki = (NSSLOWKEYPrivateKeyInfo*)PORT_ArenaZAlloc(arena, 
-					sizeof(NSSLOWKEYPrivateKeyInfo));
-    if(!pki) {
-	*crvp = CKR_HOST_MEMORY;
-	rv = SECFailure;
-	goto loser;
-    }
-    pki->arena = arena;
-
-    param = NULL;
-    switch(lk->keyType) {
-	case NSSLOWKEYRSAKey:
-	    prepare_low_rsa_priv_key_for_asn1(lk);
-	    dummy = SEC_ASN1EncodeItem(arena, &pki->privateKey, lk,
-				       nsslowkey_RSAPrivateKeyTemplate);
-	    algorithm = SEC_OID_PKCS1_RSA_ENCRYPTION;
-	    break;
-	case NSSLOWKEYDSAKey:
-            prepare_low_dsa_priv_key_export_for_asn1(lk);
-	    dummy = SEC_ASN1EncodeItem(arena, &pki->privateKey, lk,
-				       nsslowkey_DSAPrivateKeyExportTemplate);
-	    prepare_low_pqg_params_for_asn1(&lk->u.dsa.params);
-	    param = SEC_ASN1EncodeItem(NULL, NULL, &(lk->u.dsa.params),
-				       nsslowkey_PQGParamsTemplate);
-	    algorithm = SEC_OID_ANSIX9_DSA_SIGNATURE;
-	    break;
-#ifdef NSS_ENABLE_ECC	    
-        case NSSLOWKEYECKey:
-            prepare_low_ec_priv_key_for_asn1(lk);
-	    /* Public value is encoded as a bit string so adjust length
-	     * to be in bits before ASN encoding and readjust 
-	     * immediately after.
-	     *
-	     * Since the SECG specification recommends not including the
-	     * parameters as part of ECPrivateKey, we zero out the curveOID
-	     * length before encoding and restore it later.
-	     */
-	    lk->u.ec.publicValue.len <<= 3;
-	    savelen = lk->u.ec.ecParams.curveOID.len;
-	    lk->u.ec.ecParams.curveOID.len = 0;
-	    dummy = SEC_ASN1EncodeItem(arena, &pki->privateKey, lk,
-				       nsslowkey_ECPrivateKeyTemplate);
-	    lk->u.ec.ecParams.curveOID.len = savelen;
-	    lk->u.ec.publicValue.len >>= 3;
-
-	    fordebug = &pki->privateKey;
-	    SEC_PRINT("sftk_PackagePrivateKey()", "PrivateKey", lk->keyType,
-		      fordebug);
-
-	    param = SECITEM_DupItem(&lk->u.ec.ecParams.DEREncoding);
-
-	    algorithm = SEC_OID_ANSIX962_EC_PUBLIC_KEY;
-	    break;
-#endif /* NSS_ENABLE_ECC */
-	case NSSLOWKEYDHKey:
-	default:
-	    dummy = NULL;
-	    break;
-    }
- 
-    if(!dummy || ((lk->keyType == NSSLOWKEYDSAKey) && !param)) {
-	*crvp = CKR_DEVICE_ERROR; /* should map NSS SECError */
-	rv = SECFailure;
-	goto loser;
-    }
-    
-    rv = SECOID_SetAlgorithmID(arena, &pki->algorithm, algorithm, 
-			       (SECItem*)param);
-    if(rv != SECSuccess) {
-	*crvp = CKR_DEVICE_ERROR; /* should map NSS SECError */
-	rv = SECFailure;
-	goto loser;
-    }
-
-    dummy = SEC_ASN1EncodeInteger(arena, &pki->version,
-				  NSSLOWKEY_PRIVATE_KEY_INFO_VERSION);
-    if(!dummy) {
-	*crvp = CKR_DEVICE_ERROR; /* should map NSS SECError */
-	rv = SECFailure;
-	goto loser;
-    }
-
-    encodedKey = SEC_ASN1EncodeItem(NULL, NULL, pki, 
-				    nsslowkey_PrivateKeyInfoTemplate);
-    *crvp = encodedKey ? CKR_OK : CKR_DEVICE_ERROR;
-
-#ifdef NSS_ENABLE_ECC
-    fordebug = encodedKey;
-    SEC_PRINT("sftk_PackagePrivateKey()", "PrivateKeyInfo", lk->keyType,
-	      fordebug);
-#endif
-loser:
-    if(arena) {
-	PORT_FreeArena(arena, PR_TRUE);
-    }
-
-    if(lk && (lk != key->objectInfo)) {
-	nsslowkey_DestroyPrivateKey(lk);
-    }
- 
-    if(param) {
-	SECITEM_ZfreeItem((SECItem*)param, PR_TRUE);
-    }
-
-    if(rv != SECSuccess) {
-	return NULL;
-    }
-
-    return encodedKey;
-}
-    
-/* it doesn't matter yet, since we colapse error conditions in the
- * level above, but we really should map those few key error differences */
-static CK_RV 
-sftk_mapWrap(CK_RV crv) 
-{ 
-    switch (crv) {
-    case CKR_ENCRYPTED_DATA_INVALID:  crv = CKR_WRAPPED_KEY_INVALID; break;
-    }
-    return crv; 
-}
-
-/* NSC_WrapKey wraps (i.e., encrypts) a key. */
-CK_RV NSC_WrapKey(CK_SESSION_HANDLE hSession,
-    CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hWrappingKey,
-    CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pWrappedKey,
-					 CK_ULONG_PTR pulWrappedKeyLen)
-{
-    SFTKSession *session;
-    SFTKAttribute *attribute;
-    SFTKObject *key;
-    CK_RV crv;
-
-    session = sftk_SessionFromHandle(hSession);
-    if (session == NULL) {
-    	return CKR_SESSION_HANDLE_INVALID;
-    }
-
-    key = sftk_ObjectFromHandle(hKey,session);
-    sftk_FreeSession(session);
-    if (key == NULL) {
-	return CKR_KEY_HANDLE_INVALID;
-    }
-
-    switch(key->objclass) {
-	case CKO_SECRET_KEY:
-	  {
-	    SFTKSessionContext *context = NULL;
-	    SECItem pText;
-
-	    attribute = sftk_FindAttribute(key,CKA_VALUE);
-
-	    if (attribute == NULL) {
-		crv = CKR_KEY_TYPE_INCONSISTENT;
-		break;
-	    }
-	    crv = sftk_CryptInit(hSession, pMechanism, hWrappingKey, 
-					CKA_WRAP, SFTK_ENCRYPT, PR_TRUE);
-	    if (crv != CKR_OK) {
-		sftk_FreeAttribute(attribute);
-		break;
-	    }
-
-	    pText.type = siBuffer;
-	    pText.data = (unsigned char *)attribute->attrib.pValue;
-	    pText.len  = attribute->attrib.ulValueLen;
-
-	    /* Find out if this is a block cipher. */
-	    crv = sftk_GetContext(hSession,&context,SFTK_ENCRYPT,PR_FALSE,NULL);
-	    if (crv != CKR_OK || !context) 
-	        break;
-	    if (context->blockSize > 1) {
-		unsigned int remainder = pText.len % context->blockSize;
-	        if (!context->doPad && remainder) {
-		    /* When wrapping secret keys with unpadded block ciphers, 
-		    ** the keys are zero padded, if necessary, to fill out 
-		    ** a full block.
-		    */
-		    pText.len += context->blockSize - remainder;
-		    pText.data = PORT_ZAlloc(pText.len);
-		    if (pText.data)
-			memcpy(pText.data, attribute->attrib.pValue,
-			                   attribute->attrib.ulValueLen);
-		    else {
-			crv = CKR_HOST_MEMORY;
-			break;
-		    }
-		}
-	    }
-
-	    crv = NSC_Encrypt(hSession, (CK_BYTE_PTR)pText.data, 
-		              pText.len, pWrappedKey, pulWrappedKeyLen);
-
-	    if (pText.data != (unsigned char *)attribute->attrib.pValue) 
-	    	PORT_ZFree(pText.data, pText.len);
-	    sftk_FreeAttribute(attribute);
-	    break;
-	  }
-
-	case CKO_PRIVATE_KEY:
-	    {
-		SECItem *bpki = sftk_PackagePrivateKey(key, &crv);
-
-		if(!bpki) {
-		    break;
-		}
-
-		crv = sftk_CryptInit(hSession, pMechanism, hWrappingKey,
-					CKA_WRAP, SFTK_ENCRYPT, PR_TRUE);
-		if(crv != CKR_OK) {
-		    SECITEM_ZfreeItem(bpki, PR_TRUE);
-		    crv = CKR_KEY_TYPE_INCONSISTENT;
-		    break;
-		}
-
-		crv = NSC_Encrypt(hSession, bpki->data, bpki->len,
-					pWrappedKey, pulWrappedKeyLen);
-		SECITEM_ZfreeItem(bpki, PR_TRUE);
-		break;
-	    }
-
-	default:
-	    crv = CKR_KEY_TYPE_INCONSISTENT;
-	    break;
-    }
-    sftk_FreeObject(key);
-
-    return sftk_mapWrap(crv);
-}
-
-/*
- * import a pprivate key info into the desired slot
- */
-static SECStatus
-sftk_unwrapPrivateKey(SFTKObject *key, SECItem *bpki)
-{
-    CK_BBOOL cktrue = CK_TRUE; 
-    CK_KEY_TYPE keyType = CKK_RSA;
-    SECStatus rv = SECFailure;
-    const SEC_ASN1Template *keyTemplate, *paramTemplate;
-    void *paramDest = NULL;
-    PLArenaPool *arena;
-    NSSLOWKEYPrivateKey *lpk = NULL;
-    NSSLOWKEYPrivateKeyInfo *pki = NULL;
-    SECItem *ck_id = NULL;
-    CK_RV crv = CKR_KEY_TYPE_INCONSISTENT;
-
-    arena = PORT_NewArena(2048);
-    if(!arena) {
-	return SECFailure;
-    }
-
-    pki = (NSSLOWKEYPrivateKeyInfo*)PORT_ArenaZAlloc(arena, 
-					sizeof(NSSLOWKEYPrivateKeyInfo));
-    if(!pki) {
-	PORT_FreeArena(arena, PR_TRUE);
-	return SECFailure;
-    }
-
-    if(SEC_ASN1DecodeItem(arena, pki, nsslowkey_PrivateKeyInfoTemplate, bpki) 
-				!= SECSuccess) {
-	PORT_FreeArena(arena, PR_FALSE);
-	return SECFailure;
-    }
-
-    lpk = (NSSLOWKEYPrivateKey *)PORT_ArenaZAlloc(arena,
-						  sizeof(NSSLOWKEYPrivateKey));
-    if(lpk == NULL) {
-	goto loser;
-    }
-    lpk->arena = arena;
-
-    switch(SECOID_GetAlgorithmTag(&pki->algorithm)) {
-	case SEC_OID_PKCS1_RSA_ENCRYPTION:
-	    keyTemplate = nsslowkey_RSAPrivateKeyTemplate;
-	    paramTemplate = NULL;
-	    paramDest = NULL;
-	    lpk->keyType = NSSLOWKEYRSAKey;
-	    prepare_low_rsa_priv_key_for_asn1(lpk);
-	    break;
-	case SEC_OID_ANSIX9_DSA_SIGNATURE:
-	    keyTemplate = nsslowkey_DSAPrivateKeyExportTemplate;
-	    paramTemplate = nsslowkey_PQGParamsTemplate;
-	    paramDest = &(lpk->u.dsa.params);
-	    lpk->keyType = NSSLOWKEYDSAKey;
-	    prepare_low_dsa_priv_key_export_for_asn1(lpk);
-	    prepare_low_pqg_params_for_asn1(&lpk->u.dsa.params);
-	    break;
-	/* case NSSLOWKEYDHKey: */
-#ifdef NSS_ENABLE_ECC
-        case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
-	    keyTemplate = nsslowkey_ECPrivateKeyTemplate;
-	    paramTemplate = NULL;
-	    paramDest = &(lpk->u.ec.ecParams.DEREncoding);
-	    lpk->keyType = NSSLOWKEYECKey;
-	    prepare_low_ec_priv_key_for_asn1(lpk);
-	    prepare_low_ecparams_for_asn1(&lpk->u.ec.ecParams);
-	    break;
-#endif /* NSS_ENABLE_ECC */
-	default:
-	    keyTemplate = NULL;
-	    paramTemplate = NULL;
-	    paramDest = NULL;
-	    break;
-    }
-
-    if(!keyTemplate) {
-	goto loser;
-    }
-
-    /* decode the private key and any algorithm parameters */
-    rv = SEC_QuickDERDecodeItem(arena, lpk, keyTemplate, &pki->privateKey);
-
-#ifdef NSS_ENABLE_ECC
-    if (lpk->keyType == NSSLOWKEYECKey) {
-        /* convert length in bits to length in bytes */
-	lpk->u.ec.publicValue.len >>= 3;
-        rv = SECITEM_CopyItem(arena, 
-			      &(lpk->u.ec.ecParams.DEREncoding),
-	                      &(pki->algorithm.parameters));
-	if(rv != SECSuccess) {
-	    goto loser;
-	}
-    }
-#endif /* NSS_ENABLE_ECC */
-
-    if(rv != SECSuccess) {
-	goto loser;
-    }
-    if(paramDest && paramTemplate) {
-	rv = SEC_QuickDERDecodeItem(arena, paramDest, paramTemplate, 
-				 &(pki->algorithm.parameters));
-	if(rv != SECSuccess) {
-	    goto loser;
-	}
-    }
-
-    rv = SECFailure;
-
-    switch (lpk->keyType) {
-        case NSSLOWKEYRSAKey:
-	    keyType = CKK_RSA;
-	    if(sftk_hasAttribute(key, CKA_NETSCAPE_DB)) {
-		sftk_DeleteAttributeType(key, CKA_NETSCAPE_DB);
-	    }
-	    crv = sftk_AddAttributeType(key, CKA_KEY_TYPE, &keyType, 
-					sizeof(keyType));
-	    if(crv != CKR_OK) break;
-	    crv = sftk_AddAttributeType(key, CKA_UNWRAP, &cktrue, 
-					sizeof(CK_BBOOL));
-	    if(crv != CKR_OK) break;
-	    crv = sftk_AddAttributeType(key, CKA_DECRYPT, &cktrue, 
-					sizeof(CK_BBOOL));
-	    if(crv != CKR_OK) break;
-	    crv = sftk_AddAttributeType(key, CKA_SIGN, &cktrue, 
-					sizeof(CK_BBOOL));
-	    if(crv != CKR_OK) break;
-	    crv = sftk_AddAttributeType(key, CKA_SIGN_RECOVER, &cktrue, 
-				    sizeof(CK_BBOOL));
-	    if(crv != CKR_OK) break;
-	    crv = sftk_AddAttributeType(key, CKA_MODULUS, 
-				sftk_item_expand(&lpk->u.rsa.modulus));
-	    if(crv != CKR_OK) break;
-	    crv = sftk_AddAttributeType(key, CKA_PUBLIC_EXPONENT, 
-	     			sftk_item_expand(&lpk->u.rsa.publicExponent));
-	    if(crv != CKR_OK) break;
-	    crv = sftk_AddAttributeType(key, CKA_PRIVATE_EXPONENT, 
-	     			sftk_item_expand(&lpk->u.rsa.privateExponent));
-	    if(crv != CKR_OK) break;
-	    crv = sftk_AddAttributeType(key, CKA_PRIME_1, 
-				sftk_item_expand(&lpk->u.rsa.prime1));
-	    if(crv != CKR_OK) break;
-	    crv = sftk_AddAttributeType(key, CKA_PRIME_2, 
-	     			sftk_item_expand(&lpk->u.rsa.prime2));
-	    if(crv != CKR_OK) break;
-	    crv = sftk_AddAttributeType(key, CKA_EXPONENT_1, 
-	     			sftk_item_expand(&lpk->u.rsa.exponent1));
-	    if(crv != CKR_OK) break;
-	    crv = sftk_AddAttributeType(key, CKA_EXPONENT_2, 
-	     			sftk_item_expand(&lpk->u.rsa.exponent2));
-	    if(crv != CKR_OK) break;
-	    crv = sftk_AddAttributeType(key, CKA_COEFFICIENT, 
-	     			sftk_item_expand(&lpk->u.rsa.coefficient));
-	    break;
-        case NSSLOWKEYDSAKey:
-	    keyType = CKK_DSA;
-	    crv = (sftk_hasAttribute(key, CKA_NETSCAPE_DB)) ? CKR_OK :
-						CKR_KEY_TYPE_INCONSISTENT;
-	    if(crv != CKR_OK) break;
-	    crv = sftk_AddAttributeType(key, CKA_KEY_TYPE, &keyType, 
-						sizeof(keyType));
-	    if(crv != CKR_OK) break;
-	    crv = sftk_AddAttributeType(key, CKA_SIGN, &cktrue, 
-						sizeof(CK_BBOOL));
-	    if(crv != CKR_OK) break;
-	    crv = sftk_AddAttributeType(key, CKA_SIGN_RECOVER, &cktrue, 
-						sizeof(CK_BBOOL)); 
-	    if(crv != CKR_OK) break;
-	    crv = sftk_AddAttributeType(key, CKA_PRIME,    
-				    sftk_item_expand(&lpk->u.dsa.params.prime));
-	    if(crv != CKR_OK) break;
-	    crv = sftk_AddAttributeType(key, CKA_SUBPRIME,
-				 sftk_item_expand(&lpk->u.dsa.params.subPrime));
-	    if(crv != CKR_OK) break;
-	    crv = sftk_AddAttributeType(key, CKA_BASE,  
-				    sftk_item_expand(&lpk->u.dsa.params.base));
-	    if(crv != CKR_OK) break;
-	    crv = sftk_AddAttributeType(key, CKA_VALUE, 
-			sftk_item_expand(&lpk->u.dsa.privateValue));
-	    if(crv != CKR_OK) break;
-	    break;
-#ifdef notdef
-        case NSSLOWKEYDHKey:
-	    template = dhTemplate;
-	    templateCount = sizeof(dhTemplate)/sizeof(CK_ATTRIBUTE);
-	    keyType = CKK_DH;
-	    break;
-#endif
-	/* what about fortezza??? */
-#ifdef NSS_ENABLE_ECC
-        case NSSLOWKEYECKey:
-	    keyType = CKK_EC;
-	    crv = (sftk_hasAttribute(key, CKA_NETSCAPE_DB)) ? CKR_OK :
-						CKR_KEY_TYPE_INCONSISTENT;
-	    if(crv != CKR_OK) break;
-	    crv = sftk_AddAttributeType(key, CKA_KEY_TYPE, &keyType, 
-						sizeof(keyType));
-	    if(crv != CKR_OK) break;
-	    crv = sftk_AddAttributeType(key, CKA_SIGN, &cktrue, 
-						sizeof(CK_BBOOL));
-	    if(crv != CKR_OK) break;
-	    crv = sftk_AddAttributeType(key, CKA_SIGN_RECOVER, &cktrue, 
-						sizeof(CK_BBOOL)); 
-	    if(crv != CKR_OK) break;
-	    crv = sftk_AddAttributeType(key, CKA_DERIVE, &cktrue, 
-						sizeof(CK_BBOOL)); 
-	    if(crv != CKR_OK) break;
-	    crv = sftk_AddAttributeType(key, CKA_EC_PARAMS,
-				 sftk_item_expand(&lpk->u.ec.ecParams.DEREncoding));
-	    if(crv != CKR_OK) break;
-	    crv = sftk_AddAttributeType(key, CKA_VALUE, 
-			sftk_item_expand(&lpk->u.ec.privateValue));
-	    if(crv != CKR_OK) break;
-	    /* XXX Do we need to decode the EC Params here ?? */
-	    break;
-#endif /* NSS_ENABLE_ECC */
-	default:
-	    crv = CKR_KEY_TYPE_INCONSISTENT;
-	    break;
-    }
-
-loser:
-    if(ck_id) {
-	SECITEM_ZfreeItem(ck_id, PR_TRUE);
-    }
-
-    if(lpk) {
-	nsslowkey_DestroyPrivateKey(lpk);
-    }
-
-    if(crv != CKR_OK) {
-	return SECFailure;
-    }
-
-    return SECSuccess;
-}
-
-
-/* NSC_UnwrapKey unwraps (decrypts) a wrapped key, creating a new key object. */
-CK_RV NSC_UnwrapKey(CK_SESSION_HANDLE hSession,
-    CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hUnwrappingKey,
-    CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen,
-    CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
-						 CK_OBJECT_HANDLE_PTR phKey)
-{
-    SFTKObject *key = NULL;
-    SFTKSession *session;
-    CK_ULONG key_length = 0;
-    unsigned char * buf = NULL;
-    CK_RV crv = CKR_OK;
-    int i;
-    CK_ULONG bsize = ulWrappedKeyLen;
-    SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
-    SECItem bpki;
-    CK_OBJECT_CLASS target_type = CKO_SECRET_KEY;
-
-    /*
-     * now lets create an object to hang the attributes off of
-     */
-    key = sftk_NewObject(slot); /* fill in the handle later */
-    if (key == NULL) {
-	return CKR_HOST_MEMORY;
-    }
-
-    /*
-     * load the template values into the object
-     */
-    for (i=0; i < (int) ulAttributeCount; i++) {
-	if (pTemplate[i].type == CKA_VALUE_LEN) {
-	    key_length = *(CK_ULONG *)pTemplate[i].pValue;
-	    continue;
-	}
-        if (pTemplate[i].type == CKA_CLASS) {
-	    target_type = *(CK_OBJECT_CLASS *)pTemplate[i].pValue;
-	}
-	crv = sftk_AddAttributeType(key,sftk_attr_expand(&pTemplate[i]));
-	if (crv != CKR_OK) break;
-    }
-    if (crv != CKR_OK) {
-	sftk_FreeObject(key);
-	return crv;
-    }
-
-    crv = sftk_CryptInit(hSession,pMechanism,hUnwrappingKey,CKA_UNWRAP,
-							SFTK_DECRYPT, PR_FALSE);
-    if (crv != CKR_OK) {
-	sftk_FreeObject(key);
-	return sftk_mapWrap(crv);
-    }
-
-    /* allocate the buffer to decrypt into 
-     * this assumes the unwrapped key is never larger than the
-     * wrapped key. For all the mechanisms we support this is true */
-    buf = (unsigned char *)PORT_Alloc( ulWrappedKeyLen);
-    bsize = ulWrappedKeyLen;
-
-    crv = NSC_Decrypt(hSession, pWrappedKey, ulWrappedKeyLen, buf, &bsize);
-    if (crv != CKR_OK) {
-	sftk_FreeObject(key);
-	PORT_Free(buf);
-	return sftk_mapWrap(crv);
-    }
-
-    switch(target_type) {
-	case CKO_SECRET_KEY:
-	    if (!sftk_hasAttribute(key,CKA_KEY_TYPE)) {
-		crv = CKR_TEMPLATE_INCOMPLETE;
-		break;
-	    }
-
-	    if (key_length == 0 || key_length > bsize) {
-		key_length = bsize;
-	    }
-	    if (key_length > MAX_KEY_LEN) {
-		crv = CKR_TEMPLATE_INCONSISTENT;
-		break;
-	    }
-    
-	    /* add the value */
-	    crv = sftk_AddAttributeType(key,CKA_VALUE,buf,key_length);
-	    break;
-	case CKO_PRIVATE_KEY:
-	    bpki.data = (unsigned char *)buf;
-	    bpki.len = bsize;
-	    crv = CKR_OK;
-	    if(sftk_unwrapPrivateKey(key, &bpki) != SECSuccess) {
-		crv = CKR_TEMPLATE_INCOMPLETE;
-	    }
-	    break;
-	default:
-	    crv = CKR_TEMPLATE_INCONSISTENT;
-	    break;
-    }
-
-    PORT_ZFree(buf, bsize);
-    if (crv != CKR_OK) { sftk_FreeObject(key); return crv; }
-
-    /* get the session */
-    session = sftk_SessionFromHandle(hSession);
-    if (session == NULL) {
-	sftk_FreeObject(key);
-        return CKR_SESSION_HANDLE_INVALID;
-    }
-
-    /*
-     * handle the base object stuff
-     */
-    crv = sftk_handleObject(key,session);
-    *phKey = key->handle;
-    sftk_FreeSession(session);
-    sftk_FreeObject(key);
-
-    return crv;
-
-}
-
-/*
- * The SSL key gen mechanism create's lots of keys. This function handles the
- * details of each of these key creation.
- */
-static CK_RV
-sftk_buildSSLKey(CK_SESSION_HANDLE hSession, SFTKObject *baseKey, 
-    PRBool isMacKey, unsigned char *keyBlock, unsigned int keySize,
-						 CK_OBJECT_HANDLE *keyHandle)
-{
-    SFTKObject *key;
-    SFTKSession *session;
-    CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
-    CK_BBOOL cktrue = CK_TRUE;
-    CK_BBOOL ckfalse = CK_FALSE;
-    CK_RV crv = CKR_HOST_MEMORY;
-
-    /*
-     * now lets create an object to hang the attributes off of
-     */
-    *keyHandle = CK_INVALID_HANDLE;
-    key = sftk_NewObject(baseKey->slot); 
-    if (key == NULL) return CKR_HOST_MEMORY;
-    sftk_narrowToSessionObject(key)->wasDerived = PR_TRUE;
-
-    crv = sftk_CopyObject(key,baseKey);
-    if (crv != CKR_OK) goto loser;
-    if (isMacKey) {
-	crv = sftk_forceAttribute(key,CKA_KEY_TYPE,&keyType,sizeof(keyType));
-	if (crv != CKR_OK) goto loser;
-	crv = sftk_forceAttribute(key,CKA_DERIVE,&cktrue,sizeof(CK_BBOOL));
-	if (crv != CKR_OK) goto loser;
-	crv = sftk_forceAttribute(key,CKA_ENCRYPT,&ckfalse,sizeof(CK_BBOOL));
-	if (crv != CKR_OK) goto loser;
-	crv = sftk_forceAttribute(key,CKA_DECRYPT,&ckfalse,sizeof(CK_BBOOL));
-	if (crv != CKR_OK) goto loser;
-	crv = sftk_forceAttribute(key,CKA_SIGN,&cktrue,sizeof(CK_BBOOL));
-	if (crv != CKR_OK) goto loser;
-	crv = sftk_forceAttribute(key,CKA_VERIFY,&cktrue,sizeof(CK_BBOOL));
-	if (crv != CKR_OK) goto loser;
-	crv = sftk_forceAttribute(key,CKA_WRAP,&ckfalse,sizeof(CK_BBOOL));
-	if (crv != CKR_OK) goto loser;
-	crv = sftk_forceAttribute(key,CKA_UNWRAP,&ckfalse,sizeof(CK_BBOOL));
-	if (crv != CKR_OK) goto loser;
-    }
-    crv = sftk_forceAttribute(key,CKA_VALUE,keyBlock,keySize);
-    if (crv != CKR_OK) goto loser;
-
-    /* get the session */
-    crv = CKR_HOST_MEMORY;
-    session = sftk_SessionFromHandle(hSession);
-    if (session == NULL) { goto loser; }
-
-    crv = sftk_handleObject(key,session);
-    sftk_FreeSession(session);
-    *keyHandle = key->handle;
-loser:
-    if (key) sftk_FreeObject(key);
-    return crv;
-}
-
-/*
- * if there is an error, we need to free the keys we already created in SSL
- * This is the routine that will do it..
- */
-static void
-sftk_freeSSLKeys(CK_SESSION_HANDLE session,
-				CK_SSL3_KEY_MAT_OUT *returnedMaterial ) 
-{
-	if (returnedMaterial->hClientMacSecret != CK_INVALID_HANDLE) {
-	   NSC_DestroyObject(session,returnedMaterial->hClientMacSecret);
-	}
-	if (returnedMaterial->hServerMacSecret != CK_INVALID_HANDLE) {
-	   NSC_DestroyObject(session, returnedMaterial->hServerMacSecret);
-	}
-	if (returnedMaterial->hClientKey != CK_INVALID_HANDLE) {
-	   NSC_DestroyObject(session, returnedMaterial->hClientKey);
-	}
-	if (returnedMaterial->hServerKey != CK_INVALID_HANDLE) {
-	   NSC_DestroyObject(session, returnedMaterial->hServerKey);
-	}
-}
-
-/*
- * when deriving from sensitive and extractable keys, we need to preserve some
- * of the semantics in the derived key. This helper routine maintains these
- * semantics.
- */
-static CK_RV
-sftk_DeriveSensitiveCheck(SFTKObject *baseKey,SFTKObject *destKey) 
-{
-    PRBool hasSensitive;
-    PRBool sensitive = PR_FALSE;
-    PRBool hasExtractable;
-    PRBool extractable = PR_TRUE;
-    CK_RV crv = CKR_OK;
-    SFTKAttribute *att;
-
-    hasSensitive = PR_FALSE;
-    att = sftk_FindAttribute(destKey,CKA_SENSITIVE);
-    if (att) {
-        hasSensitive = PR_TRUE;
-	sensitive = (PRBool) *(CK_BBOOL *)att->attrib.pValue;
-	sftk_FreeAttribute(att);
-    }
-
-    hasExtractable = PR_FALSE;
-    att = sftk_FindAttribute(destKey,CKA_EXTRACTABLE);
-    if (att) {
-        hasExtractable = PR_TRUE;
-	extractable = (PRBool) *(CK_BBOOL *)att->attrib.pValue;
-	sftk_FreeAttribute(att);
-    }
-
-
-    /* don't make a key more accessible */
-    if (sftk_isTrue(baseKey,CKA_SENSITIVE) && hasSensitive && 
-						(sensitive == PR_FALSE)) {
-	return CKR_KEY_FUNCTION_NOT_PERMITTED;
-    }
-    if (!sftk_isTrue(baseKey,CKA_EXTRACTABLE) && hasExtractable && 
-						(extractable == PR_TRUE)) {
-	return CKR_KEY_FUNCTION_NOT_PERMITTED;
-    }
-
-    /* inherit parent's sensitivity */
-    if (!hasSensitive) {
-        att = sftk_FindAttribute(baseKey,CKA_SENSITIVE);
-	if (att == NULL) return CKR_KEY_TYPE_INCONSISTENT;
-	crv = sftk_defaultAttribute(destKey,sftk_attr_expand(&att->attrib));
-	sftk_FreeAttribute(att);
-	if (crv != CKR_OK) return crv;
-    }
-    if (!hasExtractable) {
-        att = sftk_FindAttribute(baseKey,CKA_EXTRACTABLE);
-	if (att == NULL) return CKR_KEY_TYPE_INCONSISTENT;
-	crv = sftk_defaultAttribute(destKey,sftk_attr_expand(&att->attrib));
-	sftk_FreeAttribute(att);
-	if (crv != CKR_OK) return crv;
-    }
-
-    /* we should inherit the parent's always extractable/ never sensitive info,
-     * but handleObject always forces this attributes, so we would need to do
-     * something special. */
-    return CKR_OK;
-}
-
-/*
- * make known fixed PKCS #11 key types to their sizes in bytes
- */	
-unsigned long
-sftk_MapKeySize(CK_KEY_TYPE keyType) 
-{
-    switch (keyType) {
-    case CKK_CDMF:
-	return 8;
-    case CKK_DES:
-	return 8;
-    case CKK_DES2:
-	return 16;
-    case CKK_DES3:
-	return 24;
-    /* IDEA and CAST need to be added */
-    default:
-	break;
-    }
-    return 0;
-}
-
-/*
- * SSL Key generation given pre master secret
- */
-#define NUM_MIXERS 9
-static const char * const mixers[NUM_MIXERS] = { 
-    "A", 
-    "BB", 
-    "CCC", 
-    "DDDD", 
-    "EEEEE", 
-    "FFFFFF", 
-    "GGGGGGG",
-    "HHHHHHHH",
-    "IIIIIIIII" };
-#define SSL3_PMS_LENGTH 48
-#define SSL3_MASTER_SECRET_LENGTH 48
-
-
-/* NSC_DeriveKey derives a key from a base key, creating a new key object. */
-CK_RV NSC_DeriveKey( CK_SESSION_HANDLE hSession,
-	 CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hBaseKey,
-	 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount, 
-						CK_OBJECT_HANDLE_PTR phKey)
-{
-    SFTKSession *   session;
-    SFTKSlot    *   slot	= sftk_SlotFromSessionHandle(hSession);
-    SFTKObject  *   key;
-    SFTKObject  *   sourceKey;
-    SFTKAttribute * att;
-    SFTKAttribute * att2;
-    unsigned char * buf;
-    SHA1Context *   sha;
-    MD5Context *    md5;
-    MD2Context *    md2;
-    CK_ULONG        macSize;
-    CK_ULONG        tmpKeySize;
-    CK_ULONG        IVSize;
-    CK_ULONG        keySize	= 0;
-    CK_RV           crv 	= CKR_OK;
-    CK_BBOOL        cktrue	= CK_TRUE;
-    CK_KEY_TYPE     keyType	= CKK_GENERIC_SECRET;
-    CK_OBJECT_CLASS classType	= CKO_SECRET_KEY;
-    CK_KEY_DERIVATION_STRING_DATA *stringPtr;
-    PRBool          isTLS = PR_FALSE;
-    PRBool          isDH = PR_FALSE;
-    SECStatus       rv;
-    int             i;
-    unsigned int    outLen;
-    unsigned char   sha_out[SHA1_LENGTH];
-    unsigned char   key_block[NUM_MIXERS * MD5_LENGTH];
-    unsigned char   key_block2[MD5_LENGTH];
-    PRBool          isFIPS;		
-
-    /*
-     * now lets create an object to hang the attributes off of
-     */
-    if (phKey) *phKey = CK_INVALID_HANDLE;
-
-    key = sftk_NewObject(slot); /* fill in the handle later */
-    if (key == NULL) {
-	return CKR_HOST_MEMORY;
-    }
-    isFIPS = (slot->slotID == FIPS_SLOT_ID);
-
-    /*
-     * load the template values into the object
-     */
-    for (i=0; i < (int) ulAttributeCount; i++) {
-	crv = sftk_AddAttributeType(key,sftk_attr_expand(&pTemplate[i]));
-	if (crv != CKR_OK) break;
-
-	if (pTemplate[i].type == CKA_KEY_TYPE) {
-	    keyType = *(CK_KEY_TYPE *)pTemplate[i].pValue;
-	}
-	if (pTemplate[i].type == CKA_VALUE_LEN) {
-	    keySize = *(CK_ULONG *)pTemplate[i].pValue;
-	}
-    }
-    if (crv != CKR_OK) { sftk_FreeObject(key); return crv; }
-
-    if (keySize == 0) {
-	keySize = sftk_MapKeySize(keyType);
-    }
-
-    /* Derive can only create SECRET KEY's currently... */
-    classType = CKO_SECRET_KEY;
-    crv = sftk_forceAttribute (key,CKA_CLASS,&classType,sizeof(classType));
-    if (crv != CKR_OK) {
-	sftk_FreeObject(key);
-	return crv;
-    }
-
-    /* look up the base key we're deriving with */ 
-    session = sftk_SessionFromHandle(hSession);
-    if (session == NULL) {
-	sftk_FreeObject(key);
-        return CKR_SESSION_HANDLE_INVALID;
-    }
-
-    sourceKey = sftk_ObjectFromHandle(hBaseKey,session);
-    sftk_FreeSession(session);
-    if (sourceKey == NULL) {
-	sftk_FreeObject(key);
-        return CKR_KEY_HANDLE_INVALID;
-    }
-
-    /* don't use key derive to expose sensitive keys */
-    crv = sftk_DeriveSensitiveCheck(sourceKey,key);
-    if (crv != CKR_OK) {
-	sftk_FreeObject(key);
-	sftk_FreeObject(sourceKey);
-        return crv;
-    }
-
-    /* get the value of the base key */
-    att = sftk_FindAttribute(sourceKey,CKA_VALUE);
-    if (att == NULL) {
-	sftk_FreeObject(key);
-	sftk_FreeObject(sourceKey);
-        return CKR_KEY_HANDLE_INVALID;
-    }
-
-    switch (pMechanism->mechanism) {
-    /*
-     * generate the master secret 
-     */
-    case CKM_TLS_MASTER_KEY_DERIVE:
-    case CKM_TLS_MASTER_KEY_DERIVE_DH:
-	isTLS = PR_TRUE;
-	/* fall thru */
-    case CKM_SSL3_MASTER_KEY_DERIVE:
-    case CKM_SSL3_MASTER_KEY_DERIVE_DH:
-      {
-	CK_SSL3_MASTER_KEY_DERIVE_PARAMS *ssl3_master;
-	SSL3RSAPreMasterSecret *rsa_pms;
-        if ((pMechanism->mechanism == CKM_SSL3_MASTER_KEY_DERIVE_DH) ||
-            (pMechanism->mechanism == CKM_TLS_MASTER_KEY_DERIVE_DH))
-		isDH = PR_TRUE;
-
-	/* first do the consistancy checks */
-	if (!isDH && (att->attrib.ulValueLen != SSL3_PMS_LENGTH)) {
-	    crv = CKR_KEY_TYPE_INCONSISTENT;
-	    break;
-	}
-	att2 = sftk_FindAttribute(sourceKey,CKA_KEY_TYPE);
-	if ((att2 == NULL) || (*(CK_KEY_TYPE *)att2->attrib.pValue !=
-					CKK_GENERIC_SECRET)) {
-	    if (att2) sftk_FreeAttribute(att2);
-	    crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
-	    break;
-	}
-	sftk_FreeAttribute(att2);
-	if (keyType != CKK_GENERIC_SECRET) {
-	    crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
-	    break;
-	}
-	if ((keySize != 0) && (keySize != SSL3_MASTER_SECRET_LENGTH)) {
-	    crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
-	    break;
-	}
-
-
-	/* finally do the key gen */
-	ssl3_master = (CK_SSL3_MASTER_KEY_DERIVE_PARAMS *)
-					pMechanism->pParameter;
-	if (ssl3_master->pVersion) {
-	    SFTKSessionObject *sessKey = sftk_narrowToSessionObject(key);
-	    rsa_pms = (SSL3RSAPreMasterSecret *) att->attrib.pValue;
-	    /* don't leak more key material then necessary for SSL to work */
-	    if ((sessKey == NULL) || sessKey->wasDerived) {
-		ssl3_master->pVersion->major = 0xff;
-		ssl3_master->pVersion->minor = 0xff;
-	    } else {
-		ssl3_master->pVersion->major = rsa_pms->client_version[0];
-		ssl3_master->pVersion->minor = rsa_pms->client_version[1];
-	    }
-	}
-	if (ssl3_master->RandomInfo.ulClientRandomLen != SSL3_RANDOM_LENGTH) {
-	   crv = CKR_MECHANISM_PARAM_INVALID;
-	   break;
-	}
-	if (ssl3_master->RandomInfo.ulServerRandomLen != SSL3_RANDOM_LENGTH) {
-	   crv = CKR_MECHANISM_PARAM_INVALID;
-	   break;
-	}
-
-        if (isTLS) {
-	    unsigned char crsrdata[SSL3_RANDOM_LENGTH * 2];
-	    SECItem crsr = { siBuffer, NULL, 0 };
-	    SECItem master = { siBuffer, NULL, 0 };
-	    SECItem pms = { siBuffer, NULL, 0 };
-	    SECStatus status;
-
-	    pms.data = (unsigned char*)att->attrib.pValue;
-	    pms.len = att->attrib.ulValueLen;
-	    master.data = key_block;
-	    master.len = SSL3_MASTER_SECRET_LENGTH;
-	    crsr.data = crsrdata;
-	    crsr.len = sizeof(crsrdata);
-
-	    PORT_Memcpy(crsrdata, ssl3_master->RandomInfo.pClientRandom,
-							 SSL3_RANDOM_LENGTH);
-	    PORT_Memcpy(crsrdata + SSL3_RANDOM_LENGTH, 
-		ssl3_master->RandomInfo.pServerRandom, SSL3_RANDOM_LENGTH);
-
-	    status = TLS_PRF(&pms, "master secret", &crsr, &master, isFIPS);
-	    if (status != SECSuccess) {
-	    	crv = CKR_FUNCTION_FAILED;
-		break;
-	    }
-	} else {
-	    /* now allocate the hash contexts */
-	    md5 = MD5_NewContext();
-	    if (md5 == NULL) { 
-		crv = CKR_HOST_MEMORY;
-		break;
-	    }
-	    sha = SHA1_NewContext();
-	    if (sha == NULL) { 
-		PORT_Free(md5);
-		crv = CKR_HOST_MEMORY;
-		break;
-	    }
-            for (i = 0; i < 3; i++) {
-              SHA1_Begin(sha);
-              SHA1_Update(sha, (unsigned char*) mixers[i], strlen(mixers[i]));
-              SHA1_Update(sha, (const unsigned char*)att->attrib.pValue, 
-			  att->attrib.ulValueLen);
-              SHA1_Update(sha, ssl3_master->RandomInfo.pClientRandom,
-				ssl3_master->RandomInfo.ulClientRandomLen);
-              SHA1_Update(sha, ssl3_master->RandomInfo.pServerRandom, 
-				ssl3_master->RandomInfo.ulServerRandomLen);
-              SHA1_End(sha, sha_out, &outLen, SHA1_LENGTH);
-              PORT_Assert(outLen == SHA1_LENGTH);
-              MD5_Begin(md5);
-              MD5_Update(md5, (const unsigned char*)att->attrib.pValue, 
-			 att->attrib.ulValueLen);
-              MD5_Update(md5, sha_out, outLen);
-              MD5_End(md5, &key_block[i*MD5_LENGTH], &outLen, MD5_LENGTH);
-              PORT_Assert(outLen == MD5_LENGTH);
-            }
-	    PORT_Free(md5);
-	    PORT_Free(sha);
-	}
-
-	/* store the results */
-	crv = sftk_forceAttribute
-			(key,CKA_VALUE,key_block,SSL3_MASTER_SECRET_LENGTH);
-	if (crv != CKR_OK) break;
-	keyType = CKK_GENERIC_SECRET;
-	crv = sftk_forceAttribute (key,CKA_KEY_TYPE,&keyType,sizeof(keyType));
-	if (isTLS) {
-	    /* TLS's master secret is used to "sign" finished msgs with PRF. */
-	    /* XXX This seems like a hack.   But SFTK_Derive only accepts 
-	     * one "operation" argument. */
-	    crv = sftk_forceAttribute(key,CKA_SIGN,  &cktrue,sizeof(CK_BBOOL));
-	    if (crv != CKR_OK) break;
-	    crv = sftk_forceAttribute(key,CKA_VERIFY,&cktrue,sizeof(CK_BBOOL));
-	    if (crv != CKR_OK) break;
-	    /* While we're here, we might as well force this, too. */
-	    crv = sftk_forceAttribute(key,CKA_DERIVE,&cktrue,sizeof(CK_BBOOL));
-	    if (crv != CKR_OK) break;
-	}
-	break;
-      }
-
-    case CKM_TLS_KEY_AND_MAC_DERIVE:
-	isTLS = PR_TRUE;
-	/* fall thru */
-    case CKM_SSL3_KEY_AND_MAC_DERIVE:
-      {
-	CK_SSL3_KEY_MAT_PARAMS *ssl3_keys;
-	CK_SSL3_KEY_MAT_OUT *   ssl3_keys_out;
-	CK_ULONG                effKeySize;
-
-	crv = sftk_DeriveSensitiveCheck(sourceKey,key);
-	if (crv != CKR_OK) break;
-
-	if (att->attrib.ulValueLen != SSL3_MASTER_SECRET_LENGTH) {
-	    crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
-	    break;
-	}
-	att2 = sftk_FindAttribute(sourceKey,CKA_KEY_TYPE);
-	if ((att2 == NULL) || (*(CK_KEY_TYPE *)att2->attrib.pValue !=
-					CKK_GENERIC_SECRET)) {
-	    if (att2) sftk_FreeAttribute(att2);
-	    crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
-	    break;
-	}
-	sftk_FreeAttribute(att2);
-	md5 = MD5_NewContext();
-	if (md5 == NULL) { 
-	    crv = CKR_HOST_MEMORY;
-	    break;
-	}
-	sha = SHA1_NewContext();
-	if (sha == NULL) { 
-	    PORT_Free(md5);
-	    crv = CKR_HOST_MEMORY;
-	    break;
-	}
-	ssl3_keys = (CK_SSL3_KEY_MAT_PARAMS *) pMechanism->pParameter;
-	/*
-	 * clear out our returned keys so we can recover on failure
-	 */
-	ssl3_keys_out = ssl3_keys->pReturnedKeyMaterial;
-	ssl3_keys_out->hClientMacSecret = CK_INVALID_HANDLE;
-	ssl3_keys_out->hServerMacSecret = CK_INVALID_HANDLE;
-	ssl3_keys_out->hClientKey       = CK_INVALID_HANDLE;
-	ssl3_keys_out->hServerKey       = CK_INVALID_HANDLE;
-
-	/*
-	 * generate the key material: This looks amazingly similar to the
-	 * PMS code, and is clearly crying out for a function to provide it.
-	 */
-	if (isTLS) {
-	    SECStatus     status;
-	    SECItem       master = { siBuffer, NULL, 0 };
-	    SECItem       srcr   = { siBuffer, NULL, 0 };
-	    SECItem       keyblk = { siBuffer, NULL, 0 };
-	    unsigned char srcrdata[SSL3_RANDOM_LENGTH * 2];
-
-	    master.data = (unsigned char*)att->attrib.pValue;
-	    master.len  = att->attrib.ulValueLen;
-	    srcr.data   = srcrdata;
-	    srcr.len    = sizeof srcrdata;
-	    keyblk.data = key_block;
-	    keyblk.len  = sizeof key_block;
-
-	    PORT_Memcpy(srcrdata, 
-	                ssl3_keys->RandomInfo.pServerRandom,
-			SSL3_RANDOM_LENGTH);
-	    PORT_Memcpy(srcrdata + SSL3_RANDOM_LENGTH, 
-		        ssl3_keys->RandomInfo.pClientRandom, 
-			SSL3_RANDOM_LENGTH);
-
-	    status = TLS_PRF(&master, "key expansion", &srcr, &keyblk,
-			      isFIPS);
-	    if (status != SECSuccess) {
-		goto key_and_mac_derive_fail;
-	    }
-	} else {
-	    /* key_block = 
-	     *     MD5(master_secret + SHA('A' + master_secret + 
-	     *                      ServerHello.random + ClientHello.random)) +
-	     *     MD5(master_secret + SHA('BB' + master_secret + 
-	     *                      ServerHello.random + ClientHello.random)) +
-	     *     MD5(master_secret + SHA('CCC' + master_secret + 
-	     *                      ServerHello.random + ClientHello.random)) +
-	     *     [...];
-	     */
-	    for (i = 0; i < NUM_MIXERS; i++) {
-	      SHA1_Begin(sha);
-	      SHA1_Update(sha, (unsigned char*) mixers[i], strlen(mixers[i]));
-	      SHA1_Update(sha, (const unsigned char*)att->attrib.pValue, 
-			  att->attrib.ulValueLen);
-              SHA1_Update(sha, ssl3_keys->RandomInfo.pServerRandom, 
-				ssl3_keys->RandomInfo.ulServerRandomLen);
-              SHA1_Update(sha, ssl3_keys->RandomInfo.pClientRandom,
-				ssl3_keys->RandomInfo.ulClientRandomLen);
-	      SHA1_End(sha, sha_out, &outLen, SHA1_LENGTH);
-	      PORT_Assert(outLen == SHA1_LENGTH);
-	      MD5_Begin(md5);
-	      MD5_Update(md5, (const unsigned char*)att->attrib.pValue,
-			 att->attrib.ulValueLen);
-	      MD5_Update(md5, sha_out, outLen);
-	      MD5_End(md5, &key_block[i*MD5_LENGTH], &outLen, MD5_LENGTH);
-	      PORT_Assert(outLen == MD5_LENGTH);
-	    }
-	}
-
-	/*
-	 * Put the key material where it goes.
-	 */
-	i = 0;			/* now shows how much consumed */
-	macSize    = ssl3_keys->ulMacSizeInBits/8;
-	effKeySize = ssl3_keys->ulKeySizeInBits/8;
-	IVSize     = ssl3_keys->ulIVSizeInBits/8;
-	if (keySize == 0) {
-	    effKeySize = keySize;
-	}
-
-	/* 
-	 * The key_block is partitioned as follows:
-	 * client_write_MAC_secret[CipherSpec.hash_size]
-	 */
-	crv = sftk_buildSSLKey(hSession,key,PR_TRUE,&key_block[i],macSize,
-					 &ssl3_keys_out->hClientMacSecret);
-	if (crv != CKR_OK)
-	    goto key_and_mac_derive_fail;
-
-	i += macSize;
-
-	/* 
-	 * server_write_MAC_secret[CipherSpec.hash_size]
-	 */
-	crv = sftk_buildSSLKey(hSession,key,PR_TRUE,&key_block[i],macSize,
-					    &ssl3_keys_out->hServerMacSecret);
-	if (crv != CKR_OK) {
-	    goto key_and_mac_derive_fail;
-	}
-	i += macSize;
-
-	if (keySize) {
-	    if (!ssl3_keys->bIsExport) {
-		/* 
-		** Generate Domestic write keys and IVs.
-		** client_write_key[CipherSpec.key_material]
-		*/
-		crv = sftk_buildSSLKey(hSession,key,PR_FALSE,&key_block[i],
-					keySize, &ssl3_keys_out->hClientKey);
-		if (crv != CKR_OK) {
-		    goto key_and_mac_derive_fail;
-		}
-		i += keySize;
-
-		/* 
-		** server_write_key[CipherSpec.key_material]
-		*/
-		crv = sftk_buildSSLKey(hSession,key,PR_FALSE,&key_block[i],
-					keySize, &ssl3_keys_out->hServerKey);
-		if (crv != CKR_OK) {
-		    goto key_and_mac_derive_fail;
-		}
-		i += keySize;
-
-		/* 
-		** client_write_IV[CipherSpec.IV_size]
-		*/
-		if (IVSize > 0) {
-		    PORT_Memcpy(ssl3_keys_out->pIVClient, 
-		                &key_block[i], IVSize);
-		    i += IVSize;
-		}
-
-		/* 
-		** server_write_IV[CipherSpec.IV_size]
-		*/
-		if (IVSize > 0) {
-		    PORT_Memcpy(ssl3_keys_out->pIVServer, 
-		                &key_block[i], IVSize);
-		    i += IVSize;
-		}
-		PORT_Assert(i <= sizeof key_block);
-
-	    } else if (!isTLS) {
-
-		/*
-		** Generate SSL3 Export write keys and IVs.
-		** client_write_key[CipherSpec.key_material]
-		** final_client_write_key = MD5(client_write_key +
-		**                   ClientHello.random + ServerHello.random);
-		*/
-		MD5_Begin(md5);
-		MD5_Update(md5, &key_block[i], effKeySize);
-            	MD5_Update(md5, ssl3_keys->RandomInfo.pClientRandom,
-				ssl3_keys->RandomInfo.ulClientRandomLen);
-            	MD5_Update(md5, ssl3_keys->RandomInfo.pServerRandom, 
-				ssl3_keys->RandomInfo.ulServerRandomLen);
-		MD5_End(md5, key_block2, &outLen, MD5_LENGTH);
-		i += effKeySize;
-		crv = sftk_buildSSLKey(hSession,key,PR_FALSE,key_block2,
-				 	keySize,&ssl3_keys_out->hClientKey);
-		if (crv != CKR_OK) {
-		    goto key_and_mac_derive_fail;
-		}
-
-		/*
-		** server_write_key[CipherSpec.key_material]
-		** final_server_write_key = MD5(server_write_key +
-		**                    ServerHello.random + ClientHello.random);
-		*/
-		MD5_Begin(md5);
-		MD5_Update(md5, &key_block[i], effKeySize);
-            	MD5_Update(md5, ssl3_keys->RandomInfo.pServerRandom, 
-				ssl3_keys->RandomInfo.ulServerRandomLen);
-            	MD5_Update(md5, ssl3_keys->RandomInfo.pClientRandom,
-				ssl3_keys->RandomInfo.ulClientRandomLen);
-		MD5_End(md5, key_block2, &outLen, MD5_LENGTH);
-		i += effKeySize;
-		crv = sftk_buildSSLKey(hSession,key,PR_FALSE,key_block2,
-					 keySize,&ssl3_keys_out->hServerKey);
-		if (crv != CKR_OK) {
-		    goto key_and_mac_derive_fail;
-		}
-
-		/*
-		** client_write_IV = 
-		**	MD5(ClientHello.random + ServerHello.random);
-		*/
-		MD5_Begin(md5);
-            	MD5_Update(md5, ssl3_keys->RandomInfo.pClientRandom,
-				ssl3_keys->RandomInfo.ulClientRandomLen);
-            	MD5_Update(md5, ssl3_keys->RandomInfo.pServerRandom, 
-				ssl3_keys->RandomInfo.ulServerRandomLen);
-		MD5_End(md5, key_block2, &outLen, MD5_LENGTH);
-		PORT_Memcpy(ssl3_keys_out->pIVClient, key_block2, IVSize);
-
-		/*
-		** server_write_IV = 
-		**	MD5(ServerHello.random + ClientHello.random);
-		*/
-		MD5_Begin(md5);
-            	MD5_Update(md5, ssl3_keys->RandomInfo.pServerRandom, 
-				ssl3_keys->RandomInfo.ulServerRandomLen);
-            	MD5_Update(md5, ssl3_keys->RandomInfo.pClientRandom,
-				ssl3_keys->RandomInfo.ulClientRandomLen);
-		MD5_End(md5, key_block2, &outLen, MD5_LENGTH);
-		PORT_Memcpy(ssl3_keys_out->pIVServer, key_block2, IVSize);
-
-	    } else {
-
-		/*
-		** Generate TLS Export write keys and IVs.
-		*/
-		SECStatus     status;
-		SECItem       secret = { siBuffer, NULL, 0 };
-		SECItem       crsr   = { siBuffer, NULL, 0 };
-		SECItem       keyblk = { siBuffer, NULL, 0 };
-		unsigned char crsrdata[SSL3_RANDOM_LENGTH * 2];
-
-		crsr.data   = crsrdata;
-		crsr.len    = sizeof crsrdata;
-
-		PORT_Memcpy(crsrdata, 
-		            ssl3_keys->RandomInfo.pClientRandom, 
-			    SSL3_RANDOM_LENGTH);
-		PORT_Memcpy(crsrdata + SSL3_RANDOM_LENGTH, 
-			    ssl3_keys->RandomInfo.pServerRandom,
-			    SSL3_RANDOM_LENGTH);
-
-
-		/*
-		** client_write_key[CipherSpec.key_material]
-		** final_client_write_key = PRF(client_write_key, 
-		**                              "client write key",
-		**                              client_random + server_random);
-		*/
-		secret.data = &key_block[i];
-		secret.len  = effKeySize;
-		i          += effKeySize;
-		keyblk.data = key_block2;
-		keyblk.len  = sizeof key_block2;
-		status = TLS_PRF(&secret, "client write key", &crsr, &keyblk,
-				  isFIPS);
-		if (status != SECSuccess) {
-		    goto key_and_mac_derive_fail;
-		}
-		crv = sftk_buildSSLKey(hSession, key, PR_FALSE, key_block2, 
-				       keySize, &ssl3_keys_out->hClientKey);
-		if (crv != CKR_OK) {
-		    goto key_and_mac_derive_fail;
-		}
-
-		/*
-		** server_write_key[CipherSpec.key_material]
-		** final_server_write_key = PRF(server_write_key,
-		**                              "server write key",
-		**                              client_random + server_random);
-		*/
-		secret.data = &key_block[i];
-		secret.len  = effKeySize;
-		i          += effKeySize;
-		keyblk.data = key_block2;
-		keyblk.len  = sizeof key_block2;
-		status = TLS_PRF(&secret, "server write key", &crsr, &keyblk,
-				  isFIPS);
-		if (status != SECSuccess) {
-		    goto key_and_mac_derive_fail;
-		}
-		crv = sftk_buildSSLKey(hSession, key, PR_FALSE, key_block2, 
-				       keySize, &ssl3_keys_out->hServerKey);
-		if (crv != CKR_OK) {
-		    goto key_and_mac_derive_fail;
-		}
-
-		/*
-		** iv_block = PRF("", "IV block", 
-		**                    client_random + server_random);
-		** client_write_IV[SecurityParameters.IV_size]
-		** server_write_IV[SecurityParameters.IV_size]
-		*/
-		if (IVSize) {
-		    secret.data = NULL;
-		    secret.len  = 0;
-		    keyblk.data = &key_block[i];
-		    keyblk.len  = 2 * IVSize;
-		    status = TLS_PRF(&secret, "IV block", &crsr, &keyblk,
-				      isFIPS);
-		    if (status != SECSuccess) {
-			goto key_and_mac_derive_fail;
-		    }
-		    PORT_Memcpy(ssl3_keys_out->pIVClient, keyblk.data, IVSize);
-		    PORT_Memcpy(ssl3_keys_out->pIVServer, keyblk.data + IVSize,
-                                IVSize);
-		}
-	    }
-	}
-
-	crv = CKR_OK;
-
-	if (0) {
-key_and_mac_derive_fail:
-	    if (crv == CKR_OK)
-	    	crv = CKR_FUNCTION_FAILED;
-	    sftk_freeSSLKeys(hSession, ssl3_keys_out);
-	}
-	MD5_DestroyContext(md5, PR_TRUE);
-	SHA1_DestroyContext(sha, PR_TRUE);
-	sftk_FreeObject(key);
-	key = NULL;
-	break;
-      }
-
-    case CKM_CONCATENATE_BASE_AND_KEY:
-      {
-	SFTKObject *newKey;
-
-	crv = sftk_DeriveSensitiveCheck(sourceKey,key);
-	if (crv != CKR_OK) break;
-
-	session = sftk_SessionFromHandle(hSession);
-	if (session == NULL) {
-            crv = CKR_SESSION_HANDLE_INVALID;
-	    break;
-    	}
-
-	newKey = sftk_ObjectFromHandle(*(CK_OBJECT_HANDLE *)
-					pMechanism->pParameter,session);
-	sftk_FreeSession(session);
-	if ( newKey == NULL) {
-            crv = CKR_KEY_HANDLE_INVALID;
-	    break;
-	}
-
-	if (sftk_isTrue(newKey,CKA_SENSITIVE)) {
-	    crv = sftk_forceAttribute(newKey,CKA_SENSITIVE,&cktrue,
-							sizeof(CK_BBOOL));
-	    if (crv != CKR_OK) {
-		sftk_FreeObject(newKey);
-		break;
-	    }
-	}
-
-	att2 = sftk_FindAttribute(newKey,CKA_VALUE);
-	if (att2 == NULL) {
-	    sftk_FreeObject(newKey);
-            crv = CKR_KEY_HANDLE_INVALID;
-	    break;
-	}
-	tmpKeySize = att->attrib.ulValueLen+att2->attrib.ulValueLen;
-	if (keySize == 0) keySize = tmpKeySize;
-	if (keySize > tmpKeySize) {
-	    sftk_FreeObject(newKey);
-	    sftk_FreeAttribute(att2);
-	    crv = CKR_TEMPLATE_INCONSISTENT;
-	    break;
-	}
-	buf = (unsigned char*)PORT_Alloc(tmpKeySize);
-	if (buf == NULL) {
-	    sftk_FreeAttribute(att2);
-	    sftk_FreeObject(newKey);
-	    crv = CKR_HOST_MEMORY;	
-	    break;
-	}
-
-	PORT_Memcpy(buf,att->attrib.pValue,att->attrib.ulValueLen);
-	PORT_Memcpy(buf+att->attrib.ulValueLen,
-				att2->attrib.pValue,att2->attrib.ulValueLen);
-
-	crv = sftk_forceAttribute (key,CKA_VALUE,buf,keySize);
-	PORT_ZFree(buf,tmpKeySize);
-	sftk_FreeAttribute(att2);
-	sftk_FreeObject(newKey);
-	break;
-      }
-
-    case CKM_CONCATENATE_BASE_AND_DATA:
-	stringPtr = (CK_KEY_DERIVATION_STRING_DATA *) pMechanism->pParameter;
-	tmpKeySize = att->attrib.ulValueLen+stringPtr->ulLen;
-	if (keySize == 0) keySize = tmpKeySize;
-	if (keySize > tmpKeySize) {
-	    crv = CKR_TEMPLATE_INCONSISTENT;
-	    break;
-	}
-	buf = (unsigned char*)PORT_Alloc(tmpKeySize);
-	if (buf == NULL) {
-	    crv = CKR_HOST_MEMORY;
-	    break;
-	}
-
-	PORT_Memcpy(buf,att->attrib.pValue,att->attrib.ulValueLen);
-	PORT_Memcpy(buf+att->attrib.ulValueLen,stringPtr->pData,
-							stringPtr->ulLen);
-
-	crv = sftk_forceAttribute (key,CKA_VALUE,buf,keySize);
-	PORT_ZFree(buf,tmpKeySize);
-	break;
-    case CKM_CONCATENATE_DATA_AND_BASE:
-	stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)pMechanism->pParameter;
-	tmpKeySize = att->attrib.ulValueLen+stringPtr->ulLen;
-	if (keySize == 0) keySize = tmpKeySize;
-	if (keySize > tmpKeySize) {
-	    crv = CKR_TEMPLATE_INCONSISTENT;
-	    break;
-	}
-	buf = (unsigned char*)PORT_Alloc(tmpKeySize);
-	if (buf == NULL) {
-	    crv = CKR_HOST_MEMORY;
-	    break;
-	}
-
-	PORT_Memcpy(buf,stringPtr->pData,stringPtr->ulLen);
-	PORT_Memcpy(buf+stringPtr->ulLen,att->attrib.pValue,
-							att->attrib.ulValueLen);
-
-	crv = sftk_forceAttribute (key,CKA_VALUE,buf,keySize);
-	PORT_ZFree(buf,tmpKeySize);
-	break;
-    case CKM_XOR_BASE_AND_DATA:
-	stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)pMechanism->pParameter;
-	tmpKeySize = PR_MIN(att->attrib.ulValueLen,stringPtr->ulLen);
-	if (keySize == 0) keySize = tmpKeySize;
-	if (keySize > tmpKeySize) {
-	    crv = CKR_TEMPLATE_INCONSISTENT;
-	    break;
-	}
-	buf = (unsigned char*)PORT_Alloc(keySize);
-	if (buf == NULL) {
-	    crv = CKR_HOST_MEMORY;
-	    break;
-	}
-
-	
-	PORT_Memcpy(buf,att->attrib.pValue,keySize);
-	for (i=0; i < (int)keySize; i++) {
-	    buf[i] ^= stringPtr->pData[i];
-	}
-
-	crv = sftk_forceAttribute (key,CKA_VALUE,buf,keySize);
-	PORT_ZFree(buf,keySize);
-	break;
-
-    case CKM_EXTRACT_KEY_FROM_KEY:
-      {
-	/* the following assumes 8 bits per byte */
-	CK_ULONG extract = *(CK_EXTRACT_PARAMS *)pMechanism->pParameter;
-	CK_ULONG shift   = extract & 0x7;      /* extract mod 8 the fast way */
-	CK_ULONG offset  = extract >> 3;       /* extract div 8 the fast way */
-
-	if (keySize == 0)  {
-	    crv = CKR_TEMPLATE_INCOMPLETE;
-	    break;
-	}
-	/* make sure we have enough bits in the original key */
-	if (att->attrib.ulValueLen < 
-			(offset + keySize + ((shift != 0)? 1 :0)) ) {
-	    crv = CKR_MECHANISM_PARAM_INVALID;
-	    break;
-	}
-	buf = (unsigned char*)PORT_Alloc(keySize);
-	if (buf == NULL) {
-	    crv = CKR_HOST_MEMORY;
-	    break;
-	}
-
-	/* copy the bits we need into the new key */	
-	for (i=0; i < (int)keySize; i++) {
-	    unsigned char *value =
-			 ((unsigned char *)att->attrib.pValue)+offset+i;
-	    if (shift) {
-	        buf[i] = (value[0] << (shift)) | (value[1] >> (8 - shift));
-	    } else {
-		buf[i] = value[0];
-	    }
-	}
-
-	crv = sftk_forceAttribute (key,CKA_VALUE,buf,keySize);
-	PORT_ZFree(buf,keySize);
-	break;
-      }
-    case CKM_MD2_KEY_DERIVATION:
-	if (keySize == 0) keySize = MD2_LENGTH;
-	if (keySize > MD2_LENGTH) {
-	    crv = CKR_TEMPLATE_INCONSISTENT;
-	    break;
-	}
-	/* now allocate the hash contexts */
-	md2 = MD2_NewContext();
-	if (md2 == NULL) { 
-	    crv = CKR_HOST_MEMORY;
-	    break;
-	}
-	MD2_Begin(md2);
-	MD2_Update(md2,(const unsigned char*)att->attrib.pValue,
-		   att->attrib.ulValueLen);
-	MD2_End(md2,key_block,&outLen,MD2_LENGTH);
-	MD2_DestroyContext(md2, PR_TRUE);
-
-	crv = sftk_forceAttribute (key,CKA_VALUE,key_block,keySize);
-	break;
-    case CKM_MD5_KEY_DERIVATION:
-	if (keySize == 0) keySize = MD5_LENGTH;
-	if (keySize > MD5_LENGTH) {
-	    crv = CKR_TEMPLATE_INCONSISTENT;
-	    break;
-	}
-	/* now allocate the hash contexts */
-	md5 = MD5_NewContext();
-	if (md5 == NULL) { 
-	    crv = CKR_HOST_MEMORY;
-	    break;
-	}
-	MD5_Begin(md5);
-	MD5_Update(md5,(const unsigned char*)att->attrib.pValue,
-		   att->attrib.ulValueLen);
-	MD5_End(md5,key_block,&outLen,MD5_LENGTH);
-	MD5_DestroyContext(md5, PR_TRUE);
-
-	crv = sftk_forceAttribute (key,CKA_VALUE,key_block,keySize);
-	break;
-     case CKM_SHA1_KEY_DERIVATION:
-	if (keySize == 0) keySize = SHA1_LENGTH;
-	if (keySize > SHA1_LENGTH) {
-	    crv = CKR_TEMPLATE_INCONSISTENT;
-	    break;
-	}
-	/* now allocate the hash contexts */
-	sha = SHA1_NewContext();
-	if (sha == NULL) { 
-	    crv = CKR_HOST_MEMORY;
-	    break;
-	}
-	SHA1_Begin(sha);
-	SHA1_Update(sha,(const unsigned char*)att->attrib.pValue,
-		    att->attrib.ulValueLen);
-	SHA1_End(sha,key_block,&outLen,SHA1_LENGTH);
-	SHA1_DestroyContext(sha, PR_TRUE);
-
-	crv = sftk_forceAttribute(key,CKA_VALUE,key_block,keySize);
-	break;
-
-    case CKM_DH_PKCS_DERIVE:
-      {
-	SECItem  derived,  dhPublic;
-	SECItem  dhPrime,  dhValue;
-	/* sourceKey - values for the local existing low key */
-	/* get prime and value attributes */
-	crv = sftk_Attribute2SecItem(NULL, &dhPrime, sourceKey, CKA_PRIME); 
-	if (crv != SECSuccess) break;
-	crv = sftk_Attribute2SecItem(NULL, &dhValue, sourceKey, CKA_VALUE); 
-	if (crv != SECSuccess) {
- 	    PORT_Free(dhPrime.data);
-	    break;
-	}
-
-	dhPublic.data = pMechanism->pParameter;
-	dhPublic.len  = pMechanism->ulParameterLen;
-
-	/* calculate private value - oct */
-	rv = DH_Derive(&dhPublic, &dhPrime, &dhValue, &derived, keySize); 
-
-	PORT_Free(dhPrime.data);
-	PORT_Free(dhValue.data);
-     
-	if (rv == SECSuccess) {
-	    sftk_forceAttribute(key, CKA_VALUE, derived.data, derived.len);
-	    PORT_ZFree(derived.data, derived.len);
-	} else
-	    crv = CKR_HOST_MEMORY;
-	    
-	break;
-      }
-
-#ifdef NSS_ENABLE_ECC
-    case CKM_ECDH1_DERIVE:
-    case CKM_ECDH1_COFACTOR_DERIVE:
-      {
-	SECItem  ecScalar, ecPoint;
-	SECItem  tmp;
-	PRBool   withCofactor = PR_FALSE;
-	unsigned char secret_hash[20];
-	unsigned char *secret;
-	int secretlen;
-	CK_ECDH1_DERIVE_PARAMS *mechParams;
-	NSSLOWKEYPrivateKey *privKey;
-
-	/* Check mechanism parameters */
-	mechParams = (CK_ECDH1_DERIVE_PARAMS *) pMechanism->pParameter;
-	if ((pMechanism->ulParameterLen != sizeof(CK_ECDH1_DERIVE_PARAMS)) ||
-	    ((mechParams->kdf == CKD_NULL) &&
-		((mechParams->ulSharedDataLen != 0) || 
-		    (mechParams->pSharedData != NULL)))) {
-	    crv = CKR_MECHANISM_PARAM_INVALID;
-	    break;
-	}
-
-	privKey = sftk_GetPrivKey(sourceKey, CKK_EC, &crv);
-	if (privKey == NULL) {
-	    break;
-	}
-
-	/* Now we are working with a non-NULL private key */
-	SECITEM_CopyItem(NULL, &ecScalar, &privKey->u.ec.privateValue);
-
-	ecPoint.data = mechParams->pPublicData;
-	ecPoint.len  = mechParams->ulPublicDataLen;
-
-	if (pMechanism->mechanism == CKM_ECDH1_COFACTOR_DERIVE) {
-	    withCofactor = PR_TRUE;
-	} else {
-	    /* When not using cofactor derivation, one should
-	     * validate the public key to avoid small subgroup
-	     * attacks.
-	     */
-	    if (EC_ValidatePublicKey(&privKey->u.ec.ecParams, &ecPoint) 
-		!= SECSuccess) {
-		crv = CKR_ARGUMENTS_BAD;
-		PORT_Free(ecScalar.data);
-		if (privKey != sourceKey->objectInfo)
-		    nsslowkey_DestroyPrivateKey(privKey);
-		break;
-	    }
-	}
-
-	rv = ECDH_Derive(&ecPoint, &privKey->u.ec.ecParams, &ecScalar,
-	                 withCofactor, &tmp); 
-	PORT_Free(ecScalar.data);
-	if (privKey != sourceKey->objectInfo)
-	   nsslowkey_DestroyPrivateKey(privKey);
-
-	if (rv != SECSuccess) {
-	    crv = CKR_DEVICE_ERROR;
-	    break;
-	}
-
-	secret = tmp.data;
-	secretlen = tmp.len;
-	if (mechParams->kdf == CKD_SHA1_KDF) {
-	    /* Compute SHA1 hash */
-	    memset(secret_hash, 0, 20);
-	    rv = SHA1_HashBuf(secret_hash, tmp.data, tmp.len);
-	    if (rv != SECSuccess) {
-		PORT_ZFree(tmp.data, tmp.len);
-	    } else {
-		secret = secret_hash;
-		secretlen = 20;
-	    }
-	}
-
-	if (rv == SECSuccess) {
-	    sftk_forceAttribute(key, CKA_VALUE, secret, secretlen);
-	    PORT_ZFree(tmp.data, tmp.len);
-	    memset(secret_hash, 0, 20);
-	} else
-	    crv = CKR_HOST_MEMORY;
-	    
-	break;
-      }
-#endif /* NSS_ENABLE_ECC */
-
-    default:
-	crv = CKR_MECHANISM_INVALID;
-    }
-    sftk_FreeAttribute(att);
-    sftk_FreeObject(sourceKey);
-    if (crv != CKR_OK) { 
-	if (key) sftk_FreeObject(key);
-	return crv;
-    }
-
-    /* link the key object into the list */
-    if (key) {
-	SFTKSessionObject *sessKey = sftk_narrowToSessionObject(key);
-	PORT_Assert(sessKey);
-	/* get the session */
-	sessKey->wasDerived = PR_TRUE;
-	session = sftk_SessionFromHandle(hSession);
-	if (session == NULL) {
-	    sftk_FreeObject(key);
-	    return CKR_HOST_MEMORY;
-	}
-
-	crv = sftk_handleObject(key,session);
-	sftk_FreeSession(session);
-	*phKey = key->handle;
-	sftk_FreeObject(key);
-    }
-    return crv;
-}
-
-
-/* NSC_GetFunctionStatus obtains an updated status of a function running 
- * in parallel with an application. */
-CK_RV NSC_GetFunctionStatus(CK_SESSION_HANDLE hSession)
-{
-    return CKR_FUNCTION_NOT_PARALLEL;
-}
-
-/* NSC_CancelFunction cancels a function running in parallel */
-CK_RV NSC_CancelFunction(CK_SESSION_HANDLE hSession)
-{
-    return CKR_FUNCTION_NOT_PARALLEL;
-}
-
-/* NSC_GetOperationState saves the state of the cryptographic 
- *operation in a session.
- * NOTE: This code only works for digest functions for now. eventually need
- * to add full flatten/resurect to our state stuff so that all types of state
- * can be saved */
-CK_RV NSC_GetOperationState(CK_SESSION_HANDLE hSession, 
-	CK_BYTE_PTR  pOperationState, CK_ULONG_PTR pulOperationStateLen)
-{
-    SFTKSessionContext *context;
-    SFTKSession *session;
-    CK_RV crv;
-    CK_ULONG pOSLen = *pulOperationStateLen;
-
-    /* make sure we're legal */
-    crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_TRUE, &session);
-    if (crv != CKR_OK) return crv;
-
-    *pulOperationStateLen = context->cipherInfoLen + sizeof(CK_MECHANISM_TYPE)
-				+ sizeof(SFTKContextType);
-    if (pOperationState == NULL) {
-        sftk_FreeSession(session);
-	return CKR_OK;
-    } else {
-	if (pOSLen < *pulOperationStateLen) {
-	    return CKR_BUFFER_TOO_SMALL;
-	}
-    }
-    PORT_Memcpy(pOperationState,&context->type,sizeof(SFTKContextType));
-    pOperationState += sizeof(SFTKContextType);
-    PORT_Memcpy(pOperationState,&context->currentMech,
-						sizeof(CK_MECHANISM_TYPE));
-    pOperationState += sizeof(CK_MECHANISM_TYPE);
-    PORT_Memcpy(pOperationState,context->cipherInfo,context->cipherInfoLen);
-    sftk_FreeSession(session);
-    return CKR_OK;
-}
-
-
-#define sftk_Decrement(stateSize,len) \
-	stateSize = ((stateSize) > (CK_ULONG)(len)) ? \
-				((stateSize) - (CK_ULONG)(len)) : 0;
-
-/* NSC_SetOperationState restores the state of the cryptographic 
- * operation in a session. This is coded like it can restore lots of
- * states, but it only works for truly flat cipher structures. */
-CK_RV NSC_SetOperationState(CK_SESSION_HANDLE hSession, 
-	CK_BYTE_PTR  pOperationState, CK_ULONG  ulOperationStateLen,
-        CK_OBJECT_HANDLE hEncryptionKey, CK_OBJECT_HANDLE hAuthenticationKey)
-{
-    SFTKSessionContext *context;
-    SFTKSession *session;
-    SFTKContextType type;
-    CK_MECHANISM mech;
-    CK_RV crv = CKR_OK;
-
-    while (ulOperationStateLen != 0) {
-	/* get what type of state we're dealing with... */
-	PORT_Memcpy(&type,pOperationState, sizeof(SFTKContextType));
-
-	/* fix up session contexts based on type */
-	session = sftk_SessionFromHandle(hSession);
-	if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
-	context = sftk_ReturnContextByType(session, type);
-	sftk_SetContextByType(session, type, NULL);
-	if (context) { 
-	     sftk_FreeContext(context);
-	}
-	pOperationState += sizeof(SFTKContextType);
-	sftk_Decrement(ulOperationStateLen,sizeof(SFTKContextType));
-
-
-	/* get the mechanism structure */
-	PORT_Memcpy(&mech.mechanism,pOperationState,sizeof(CK_MECHANISM_TYPE));
-	pOperationState += sizeof(CK_MECHANISM_TYPE);
-	sftk_Decrement(ulOperationStateLen, sizeof(CK_MECHANISM_TYPE));
-	/* should be filled in... but not necessary for hash */
-	mech.pParameter = NULL;
-	mech.ulParameterLen = 0;
-	switch (type) {
-	case SFTK_HASH:
-	    crv = NSC_DigestInit(hSession,&mech);
-	    if (crv != CKR_OK) break;
-	    crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_TRUE, 
-								NULL);
-	    if (crv != CKR_OK) break;
-	    PORT_Memcpy(context->cipherInfo,pOperationState,
-						context->cipherInfoLen);
-	    pOperationState += context->cipherInfoLen;
-	    sftk_Decrement(ulOperationStateLen,context->cipherInfoLen);
-	    break;
-	default:
-	    /* do sign/encrypt/decrypt later */
-	    crv = CKR_SAVED_STATE_INVALID;
-         }
-         sftk_FreeSession(session);
-	 if (crv != CKR_OK) break;
-    }
-    return crv;
-}
-
-/* Dual-function cryptographic operations */
-
-/* NSC_DigestEncryptUpdate continues a multiple-part digesting and encryption 
- * operation. */
-CK_RV NSC_DigestEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR  pPart,
-    CK_ULONG  ulPartLen, CK_BYTE_PTR  pEncryptedPart,
-					 CK_ULONG_PTR pulEncryptedPartLen)
-{
-    CK_RV crv;
-
-    crv = NSC_EncryptUpdate(hSession,pPart,ulPartLen, pEncryptedPart,	
-						      pulEncryptedPartLen);
-    if (crv != CKR_OK) return crv;
-    crv = NSC_DigestUpdate(hSession,pPart,ulPartLen);
-
-    return crv;
-}
-
-
-/* NSC_DecryptDigestUpdate continues a multiple-part decryption and 
- * digesting operation. */
-CK_RV NSC_DecryptDigestUpdate(CK_SESSION_HANDLE hSession,
-    CK_BYTE_PTR  pEncryptedPart, CK_ULONG  ulEncryptedPartLen,
-    				CK_BYTE_PTR  pPart, CK_ULONG_PTR pulPartLen)
-{
-    CK_RV crv;
-
-    crv = NSC_DecryptUpdate(hSession,pEncryptedPart, ulEncryptedPartLen, 
-							pPart,	pulPartLen);
-    if (crv != CKR_OK) return crv;
-    crv = NSC_DigestUpdate(hSession,pPart,*pulPartLen);
-
-    return crv;
-}
-
-
-/* NSC_SignEncryptUpdate continues a multiple-part signing and 
- * encryption operation. */
-CK_RV NSC_SignEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR  pPart,
-	 CK_ULONG  ulPartLen, CK_BYTE_PTR  pEncryptedPart,
-					 CK_ULONG_PTR pulEncryptedPartLen)
-{
-    CK_RV crv;
-
-    crv = NSC_EncryptUpdate(hSession,pPart,ulPartLen, pEncryptedPart,	
-						      pulEncryptedPartLen);
-    if (crv != CKR_OK) return crv;
-    crv = NSC_SignUpdate(hSession,pPart,ulPartLen);
-
-    return crv;
-}
-
-
-/* NSC_DecryptVerifyUpdate continues a multiple-part decryption 
- * and verify operation. */
-CK_RV NSC_DecryptVerifyUpdate(CK_SESSION_HANDLE hSession, 
-	CK_BYTE_PTR  pEncryptedData, CK_ULONG  ulEncryptedDataLen, 
-				CK_BYTE_PTR  pData, CK_ULONG_PTR pulDataLen)
-{
-    CK_RV crv;
-
-    crv = NSC_DecryptUpdate(hSession,pEncryptedData, ulEncryptedDataLen, 
-							pData,	pulDataLen);
-    if (crv != CKR_OK) return crv;
-    crv = NSC_VerifyUpdate(hSession, pData, *pulDataLen);
-
-    return crv;
-}
-
-/* NSC_DigestKey continues a multi-part message-digesting operation,
- * by digesting the value of a secret key as part of the data already digested.
- */
-CK_RV NSC_DigestKey(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey) 
-{
-    SFTKSession *session = NULL;
-    SFTKObject *key = NULL;
-    SFTKAttribute *att;
-    CK_RV crv;
-
-    session = sftk_SessionFromHandle(hSession);
-    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
-
-    key = sftk_ObjectFromHandle(hKey,session);
-    sftk_FreeSession(session);
-    if (key == NULL)  return CKR_KEY_HANDLE_INVALID;
-
-    /* PUT ANY DIGEST KEY RESTRICTION CHECKS HERE */
-
-    /* make sure it's a valid  key for this operation */
-    if (key->objclass != CKO_SECRET_KEY) {
-	sftk_FreeObject(key);
-	return CKR_KEY_TYPE_INCONSISTENT;
-    }
-    /* get the key value */
-    att = sftk_FindAttribute(key,CKA_VALUE);
-    sftk_FreeObject(key);
-
-    crv = NSC_DigestUpdate(hSession,(CK_BYTE_PTR)att->attrib.pValue,
-			   att->attrib.ulValueLen);
-    sftk_FreeAttribute(att);
-    return crv;
-}
diff --git a/security/nss/lib/softoken/pkcs11f.h b/security/nss/lib/softoken/pkcs11f.h
deleted file mode 100644
index a6bc91f46..000000000
--- a/security/nss/lib/softoken/pkcs11f.h
+++ /dev/null
@@ -1,937 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * RSA Security INC.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
- * is granted provided that it is identified as "RSA Security In.c Public-Key
- * Cryptography Standards (PKCS)" in all material mentioning or referencing
- * this document.
- */
-/* This function contains pretty much everything about all the */
-/* PKCS #11  function prototypes.  Because this information is */
-/* used for more than just declaring function prototypes, the */
-/* order of the functions appearing herein is important, and */
-/* should not be altered. */
-
-
-
-/* General-purpose */
-
-/* C_Initialize initializes the PKCS #11 library. */
-CK_PKCS11_FUNCTION_INFO(C_Initialize)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_VOID_PTR   pInitArgs  /* if this is not NULL_PTR, it gets
-                            * cast to CK_C_INITIALIZE_ARGS_PTR
-                            * and dereferenced */
-);
-#endif
-
-
-/* C_Finalize indicates that an application is done with the
- * PKCS #11 library. */
-CK_PKCS11_FUNCTION_INFO(C_Finalize)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_VOID_PTR   pReserved  /* reserved.  Should be NULL_PTR */
-);
-#endif
-
-
-/* C_GetInfo returns general information about PKCS #11. */
-CK_PKCS11_FUNCTION_INFO(C_GetInfo)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_INFO_PTR   pInfo  /* location that receives information */
-);
-#endif
-
-
-/* C_GetFunctionList returns the function list. */
-CK_PKCS11_FUNCTION_INFO(C_GetFunctionList)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_FUNCTION_LIST_PTR_PTR ppFunctionList  /* receives pointer to
-                                            * function list */
-);
-#endif
-
-
-
-/* Slot and token management */
-
-/* C_GetSlotList obtains a list of slots in the system. */
-CK_PKCS11_FUNCTION_INFO(C_GetSlotList)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_BBOOL       tokenPresent,  /* only slots with tokens? */
-  CK_SLOT_ID_PTR pSlotList,     /* receives array of slot IDs */
-  CK_ULONG_PTR   pulCount       /* receives number of slots */
-);
-#endif
-
-
-/* C_GetSlotInfo obtains information about a particular slot in
- * the system. */
-CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SLOT_ID       slotID,  /* the ID of the slot */
-  CK_SLOT_INFO_PTR pInfo    /* receives the slot information */
-);
-#endif
-
-
-/* C_GetTokenInfo obtains information about a particular token
- * in the system. */
-CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SLOT_ID        slotID,  /* ID of the token's slot */
-  CK_TOKEN_INFO_PTR pInfo    /* receives the token information */
-);
-#endif
-
-
-/* C_GetMechanismList obtains a list of mechanism types
- * supported by a token. */
-CK_PKCS11_FUNCTION_INFO(C_GetMechanismList)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SLOT_ID            slotID,          /* ID of token's slot */
-  CK_MECHANISM_TYPE_PTR pMechanismList,  /* gets mech. array */
-  CK_ULONG_PTR          pulCount         /* gets # of mechs. */
-);
-#endif
-
-
-/* C_GetMechanismInfo obtains information about a particular
- * mechanism possibly supported by a token. */
-CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SLOT_ID            slotID,  /* ID of the token's slot */
-  CK_MECHANISM_TYPE     type,    /* type of mechanism */
-  CK_MECHANISM_INFO_PTR pInfo    /* receives mechanism info */
-);
-#endif
-
-
-/* C_InitToken initializes a token. */
-CK_PKCS11_FUNCTION_INFO(C_InitToken)
-#ifdef CK_NEED_ARG_LIST
-/* pLabel changed from CK_CHAR_PTR to CK_UTF8CHAR_PTR for v2.10 */
-(
-  CK_SLOT_ID         slotID,    /* ID of the token's slot */
-  CK_UTF8CHAR_PTR    pPin,      /* the SO's initial PIN */
-  CK_ULONG           ulPinLen,  /* length in bytes of the PIN */
-  CK_UTF8CHAR_PTR    pLabel     /* 32-byte token label (blank padded) */
-);
-#endif
-
-
-/* C_InitPIN initializes the normal user's PIN. */
-CK_PKCS11_FUNCTION_INFO(C_InitPIN)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_UTF8CHAR_PTR   pPin,      /* the normal user's PIN */
-  CK_ULONG          ulPinLen   /* length in bytes of the PIN */
-);
-#endif
-
-
-/* C_SetPIN modifies the PIN of the user who is logged in. */
-CK_PKCS11_FUNCTION_INFO(C_SetPIN)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_UTF8CHAR_PTR   pOldPin,   /* the old PIN */
-  CK_ULONG          ulOldLen,  /* length of the old PIN */
-  CK_UTF8CHAR_PTR   pNewPin,   /* the new PIN */
-  CK_ULONG          ulNewLen   /* length of the new PIN */
-);
-#endif
-
-
-
-/* Session management */
-
-/* C_OpenSession opens a session between an application and a
- * token. */
-CK_PKCS11_FUNCTION_INFO(C_OpenSession)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SLOT_ID            slotID,        /* the slot's ID */
-  CK_FLAGS              flags,         /* from CK_SESSION_INFO */
-  CK_VOID_PTR           pApplication,  /* passed to callback */
-  CK_NOTIFY             Notify,        /* callback function */
-  CK_SESSION_HANDLE_PTR phSession      /* gets session handle */
-);
-#endif
-
-
-/* C_CloseSession closes a session between an application and a
- * token. */
-CK_PKCS11_FUNCTION_INFO(C_CloseSession)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession  /* the session's handle */
-);
-#endif
-
-
-/* C_CloseAllSessions closes all sessions with a token. */
-CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SLOT_ID     slotID  /* the token's slot */
-);
-#endif
-
-
-/* C_GetSessionInfo obtains information about the session. */
-CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE   hSession,  /* the session's handle */
-  CK_SESSION_INFO_PTR pInfo      /* receives session info */
-);
-#endif
-
-
-/* C_GetOperationState obtains the state of the cryptographic operation
- * in a session. */
-CK_PKCS11_FUNCTION_INFO(C_GetOperationState)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,             /* session's handle */
-  CK_BYTE_PTR       pOperationState,      /* gets state */
-  CK_ULONG_PTR      pulOperationStateLen  /* gets state length */
-);
-#endif
-
-
-/* C_SetOperationState restores the state of the cryptographic
- * operation in a session. */
-CK_PKCS11_FUNCTION_INFO(C_SetOperationState)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,            /* session's handle */
-  CK_BYTE_PTR      pOperationState,      /* holds state */
-  CK_ULONG         ulOperationStateLen,  /* holds state length */
-  CK_OBJECT_HANDLE hEncryptionKey,       /* en/decryption key */
-  CK_OBJECT_HANDLE hAuthenticationKey    /* sign/verify key */
-);
-#endif
-
-
-/* C_Login logs a user into a token. */
-CK_PKCS11_FUNCTION_INFO(C_Login)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_USER_TYPE      userType,  /* the user type */
-  CK_UTF8CHAR_PTR   pPin,      /* the user's PIN */
-  CK_ULONG          ulPinLen   /* the length of the PIN */
-);
-#endif
-
-
-/* C_Logout logs a user out from a token. */
-CK_PKCS11_FUNCTION_INFO(C_Logout)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession  /* the session's handle */
-);
-#endif
-
-
-
-/* Object management */
-
-/* C_CreateObject creates a new object. */
-CK_PKCS11_FUNCTION_INFO(C_CreateObject)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,    /* the session's handle */
-  CK_ATTRIBUTE_PTR  pTemplate,   /* the object's template */
-  CK_ULONG          ulCount,     /* attributes in template */
-  CK_OBJECT_HANDLE_PTR phObject  /* gets new object's handle. */
-);
-#endif
-
-
-/* C_CopyObject copies an object, creating a new object for the
- * copy. */
-CK_PKCS11_FUNCTION_INFO(C_CopyObject)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE    hSession,    /* the session's handle */
-  CK_OBJECT_HANDLE     hObject,     /* the object's handle */
-  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new object */
-  CK_ULONG             ulCount,     /* attributes in template */
-  CK_OBJECT_HANDLE_PTR phNewObject  /* receives handle of copy */
-);
-#endif
-
-
-/* C_DestroyObject destroys an object. */
-CK_PKCS11_FUNCTION_INFO(C_DestroyObject)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_OBJECT_HANDLE  hObject    /* the object's handle */
-);
-#endif
-
-
-/* C_GetObjectSize gets the size of an object in bytes. */
-CK_PKCS11_FUNCTION_INFO(C_GetObjectSize)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_OBJECT_HANDLE  hObject,   /* the object's handle */
-  CK_ULONG_PTR      pulSize    /* receives size of object */
-);
-#endif
-
-
-/* C_GetAttributeValue obtains the value of one or more object
- * attributes. */
-CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,   /* the session's handle */
-  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
-  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attrs; gets vals */
-  CK_ULONG          ulCount     /* attributes in template */
-);
-#endif
-
-
-/* C_SetAttributeValue modifies the value of one or more object
- * attributes */
-CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,   /* the session's handle */
-  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
-  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attrs and values */
-  CK_ULONG          ulCount     /* attributes in template */
-);
-#endif
-
-
-/* C_FindObjectsInit initializes a search for token and session
- * objects that match a template. */
-CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,   /* the session's handle */
-  CK_ATTRIBUTE_PTR  pTemplate,  /* attribute values to match */
-  CK_ULONG          ulCount     /* attrs in search template */
-);
-#endif
-
-
-/* C_FindObjects continues a search for token and session
- * objects that match a template, obtaining additional object
- * handles. */
-CK_PKCS11_FUNCTION_INFO(C_FindObjects)
-#ifdef CK_NEED_ARG_LIST
-(
- CK_SESSION_HANDLE    hSession,          /* session's handle */
- CK_OBJECT_HANDLE_PTR phObject,          /* gets obj. handles */
- CK_ULONG             ulMaxObjectCount,  /* max handles to get */
- CK_ULONG_PTR         pulObjectCount     /* actual # returned */
-);
-#endif
-
-
-/* C_FindObjectsFinal finishes a search for token and session
- * objects. */
-CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession  /* the session's handle */
-);
-#endif
-
-
-
-/* Encryption and decryption */
-
-/* C_EncryptInit initializes an encryption operation. */
-CK_PKCS11_FUNCTION_INFO(C_EncryptInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,    /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism,  /* the encryption mechanism */
-  CK_OBJECT_HANDLE  hKey         /* handle of encryption key */
-);
-#endif
-
-
-/* C_Encrypt encrypts single-part data. */
-CK_PKCS11_FUNCTION_INFO(C_Encrypt)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,            /* session's handle */
-  CK_BYTE_PTR       pData,               /* the plaintext data */
-  CK_ULONG          ulDataLen,           /* bytes of plaintext */
-  CK_BYTE_PTR       pEncryptedData,      /* gets ciphertext */
-  CK_ULONG_PTR      pulEncryptedDataLen  /* gets c-text size */
-);
-#endif
-
-
-/* C_EncryptUpdate continues a multiple-part encryption
- * operation. */
-CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,           /* session's handle */
-  CK_BYTE_PTR       pPart,              /* the plaintext data */
-  CK_ULONG          ulPartLen,          /* plaintext data len */
-  CK_BYTE_PTR       pEncryptedPart,     /* gets ciphertext */
-  CK_ULONG_PTR      pulEncryptedPartLen /* gets c-text size */
-);
-#endif
-
-
-/* C_EncryptFinal finishes a multiple-part encryption
- * operation. */
-CK_PKCS11_FUNCTION_INFO(C_EncryptFinal)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,                /* session handle */
-  CK_BYTE_PTR       pLastEncryptedPart,      /* last c-text */
-  CK_ULONG_PTR      pulLastEncryptedPartLen  /* gets last size */
-);
-#endif
-
-
-/* C_DecryptInit initializes a decryption operation. */
-CK_PKCS11_FUNCTION_INFO(C_DecryptInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,    /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism,  /* the decryption mechanism */
-  CK_OBJECT_HANDLE  hKey         /* handle of decryption key */
-);
-#endif
-
-
-/* C_Decrypt decrypts encrypted data in a single part. */
-CK_PKCS11_FUNCTION_INFO(C_Decrypt)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,           /* session's handle */
-  CK_BYTE_PTR       pEncryptedData,     /* ciphertext */
-  CK_ULONG          ulEncryptedDataLen, /* ciphertext length */
-  CK_BYTE_PTR       pData,              /* gets plaintext */
-  CK_ULONG_PTR      pulDataLen          /* gets p-text size */
-);
-#endif
-
-
-/* C_DecryptUpdate continues a multiple-part decryption
- * operation. */
-CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,            /* session's handle */
-  CK_BYTE_PTR       pEncryptedPart,      /* encrypted data */
-  CK_ULONG          ulEncryptedPartLen,  /* input length */
-  CK_BYTE_PTR       pPart,               /* gets plaintext */
-  CK_ULONG_PTR      pulPartLen           /* p-text size */
-);
-#endif
-
-
-/* C_DecryptFinal finishes a multiple-part decryption
- * operation. */
-CK_PKCS11_FUNCTION_INFO(C_DecryptFinal)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,       /* the session's handle */
-  CK_BYTE_PTR       pLastPart,      /* gets plaintext */
-  CK_ULONG_PTR      pulLastPartLen  /* p-text size */
-);
-#endif
-
-
-
-/* Message digesting */
-
-/* C_DigestInit initializes a message-digesting operation. */
-CK_PKCS11_FUNCTION_INFO(C_DigestInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,   /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism  /* the digesting mechanism */
-);
-#endif
-
-
-/* C_Digest digests data in a single part. */
-CK_PKCS11_FUNCTION_INFO(C_Digest)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,     /* the session's handle */
-  CK_BYTE_PTR       pData,        /* data to be digested */
-  CK_ULONG          ulDataLen,    /* bytes of data to digest */
-  CK_BYTE_PTR       pDigest,      /* gets the message digest */
-  CK_ULONG_PTR      pulDigestLen  /* gets digest length */
-);
-#endif
-
-
-/* C_DigestUpdate continues a multiple-part message-digesting
- * operation. */
-CK_PKCS11_FUNCTION_INFO(C_DigestUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_BYTE_PTR       pPart,     /* data to be digested */
-  CK_ULONG          ulPartLen  /* bytes of data to be digested */
-);
-#endif
-
-
-/* C_DigestKey continues a multi-part message-digesting
- * operation, by digesting the value of a secret key as part of
- * the data already digested. */
-CK_PKCS11_FUNCTION_INFO(C_DigestKey)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_OBJECT_HANDLE  hKey       /* secret key to digest */
-);
-#endif
-
-
-/* C_DigestFinal finishes a multiple-part message-digesting
- * operation. */
-CK_PKCS11_FUNCTION_INFO(C_DigestFinal)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,     /* the session's handle */
-  CK_BYTE_PTR       pDigest,      /* gets the message digest */
-  CK_ULONG_PTR      pulDigestLen  /* gets byte count of digest */
-);
-#endif
-
-
-
-/* Signing and MACing */
-
-/* C_SignInit initializes a signature (private key encryption)
- * operation, where the signature is (will be) an appendix to
- * the data, and plaintext cannot be recovered from the
- *signature. */
-CK_PKCS11_FUNCTION_INFO(C_SignInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,    /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism,  /* the signature mechanism */
-  CK_OBJECT_HANDLE  hKey         /* handle of signature key */
-);
-#endif
-
-
-/* C_Sign signs (encrypts with private key) data in a single
- * part, where the signature is (will be) an appendix to the
- * data, and plaintext cannot be recovered from the signature. */
-CK_PKCS11_FUNCTION_INFO(C_Sign)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,        /* the session's handle */
-  CK_BYTE_PTR       pData,           /* the data to sign */
-  CK_ULONG          ulDataLen,       /* count of bytes to sign */
-  CK_BYTE_PTR       pSignature,      /* gets the signature */
-  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
-);
-#endif
-
-
-/* C_SignUpdate continues a multiple-part signature operation,
- * where the signature is (will be) an appendix to the data, 
- * and plaintext cannot be recovered from the signature. */
-CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_BYTE_PTR       pPart,     /* the data to sign */
-  CK_ULONG          ulPartLen  /* count of bytes to sign */
-);
-#endif
-
-
-/* C_SignFinal finishes a multiple-part signature operation, 
- * returning the signature. */
-CK_PKCS11_FUNCTION_INFO(C_SignFinal)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,        /* the session's handle */
-  CK_BYTE_PTR       pSignature,      /* gets the signature */
-  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
-);
-#endif
-
-
-/* C_SignRecoverInit initializes a signature operation, where
- * the data can be recovered from the signature. */
-CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,   /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism, /* the signature mechanism */
-  CK_OBJECT_HANDLE  hKey        /* handle of the signature key */
-);
-#endif
-
-
-/* C_SignRecover signs data in a single operation, where the
- * data can be recovered from the signature. */
-CK_PKCS11_FUNCTION_INFO(C_SignRecover)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,        /* the session's handle */
-  CK_BYTE_PTR       pData,           /* the data to sign */
-  CK_ULONG          ulDataLen,       /* count of bytes to sign */
-  CK_BYTE_PTR       pSignature,      /* gets the signature */
-  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
-);
-#endif
-
-
-
-/* Verifying signatures and MACs */
-
-/* C_VerifyInit initializes a verification operation, where the
- * signature is an appendix to the data, and plaintext cannot
- *  cannot be recovered from the signature (e.g. DSA). */
-CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,    /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
-  CK_OBJECT_HANDLE  hKey         /* verification key */ 
-);
-#endif
-
-
-/* C_Verify verifies a signature in a single-part operation, 
- * where the signature is an appendix to the data, and plaintext
- * cannot be recovered from the signature. */
-CK_PKCS11_FUNCTION_INFO(C_Verify)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,       /* the session's handle */
-  CK_BYTE_PTR       pData,          /* signed data */
-  CK_ULONG          ulDataLen,      /* length of signed data */
-  CK_BYTE_PTR       pSignature,     /* signature */
-  CK_ULONG          ulSignatureLen  /* signature length*/
-);
-#endif
-
-
-/* C_VerifyUpdate continues a multiple-part verification
- * operation, where the signature is an appendix to the data, 
- * and plaintext cannot be recovered from the signature. */
-CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_BYTE_PTR       pPart,     /* signed data */
-  CK_ULONG          ulPartLen  /* length of signed data */
-);
-#endif
-
-
-/* C_VerifyFinal finishes a multiple-part verification
- * operation, checking the signature. */
-CK_PKCS11_FUNCTION_INFO(C_VerifyFinal)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,       /* the session's handle */
-  CK_BYTE_PTR       pSignature,     /* signature to verify */
-  CK_ULONG          ulSignatureLen  /* signature length */
-);
-#endif
-
-
-/* C_VerifyRecoverInit initializes a signature verification
- * operation, where the data is recovered from the signature. */
-CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,    /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
-  CK_OBJECT_HANDLE  hKey         /* verification key */
-);
-#endif
-
-
-/* C_VerifyRecover verifies a signature in a single-part
- * operation, where the data is recovered from the signature. */
-CK_PKCS11_FUNCTION_INFO(C_VerifyRecover)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,        /* the session's handle */
-  CK_BYTE_PTR       pSignature,      /* signature to verify */
-  CK_ULONG          ulSignatureLen,  /* signature length */
-  CK_BYTE_PTR       pData,           /* gets signed data */
-  CK_ULONG_PTR      pulDataLen       /* gets signed data len */
-);
-#endif
-
-
-
-/* Dual-function cryptographic operations */
-
-/* C_DigestEncryptUpdate continues a multiple-part digesting
- * and encryption operation. */
-CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,            /* session's handle */
-  CK_BYTE_PTR       pPart,               /* the plaintext data */
-  CK_ULONG          ulPartLen,           /* plaintext length */
-  CK_BYTE_PTR       pEncryptedPart,      /* gets ciphertext */
-  CK_ULONG_PTR      pulEncryptedPartLen  /* gets c-text length */
-);
-#endif
-
-
-/* C_DecryptDigestUpdate continues a multiple-part decryption and
- * digesting operation. */
-CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,            /* session's handle */
-  CK_BYTE_PTR       pEncryptedPart,      /* ciphertext */
-  CK_ULONG          ulEncryptedPartLen,  /* ciphertext length */
-  CK_BYTE_PTR       pPart,               /* gets plaintext */
-  CK_ULONG_PTR      pulPartLen           /* gets plaintext len */
-);
-#endif
-
-
-/* C_SignEncryptUpdate continues a multiple-part signing and
- * encryption operation. */
-CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,            /* session's handle */
-  CK_BYTE_PTR       pPart,               /* the plaintext data */
-  CK_ULONG          ulPartLen,           /* plaintext length */
-  CK_BYTE_PTR       pEncryptedPart,      /* gets ciphertext */
-  CK_ULONG_PTR      pulEncryptedPartLen  /* gets c-text length */
-);
-#endif
-
-
-/* C_DecryptVerifyUpdate continues a multiple-part decryption and
- * verify operation. */
-CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,            /* session's handle */
-  CK_BYTE_PTR       pEncryptedPart,      /* ciphertext */
-  CK_ULONG          ulEncryptedPartLen,  /* ciphertext length */
-  CK_BYTE_PTR       pPart,               /* gets plaintext */
-  CK_ULONG_PTR      pulPartLen           /* gets p-text length */
-);
-#endif
-
-
-
-/* Key management */
-
-/* C_GenerateKey generates a secret key, creating a new key
- * object. */
-CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE    hSession,    /* the session's handle */
-  CK_MECHANISM_PTR     pMechanism,  /* key generation mech. */
-  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new key */
-  CK_ULONG             ulCount,     /* # of attrs in template */
-  CK_OBJECT_HANDLE_PTR phKey        /* gets handle of new key */
-);
-#endif
-
-
-/* C_GenerateKeyPair generates a public-key/private-key pair, 
- * creating new key objects. */
-CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE    hSession,                    /* session
-                                                     * handle */
-  CK_MECHANISM_PTR     pMechanism,                  /* key-gen
-                                                     * mech. */
-  CK_ATTRIBUTE_PTR     pPublicKeyTemplate,          /* template
-                                                     * for pub.
-                                                     * key */
-  CK_ULONG             ulPublicKeyAttributeCount,   /* # pub.
-                                                     * attrs. */
-  CK_ATTRIBUTE_PTR     pPrivateKeyTemplate,         /* template
-                                                     * for priv.
-                                                     * key */
-  CK_ULONG             ulPrivateKeyAttributeCount,  /* # priv.
-                                                     * attrs. */
-  CK_OBJECT_HANDLE_PTR phPublicKey,                 /* gets pub.
-                                                     * key
-                                                     * handle */
-  CK_OBJECT_HANDLE_PTR phPrivateKey                 /* gets
-                                                     * priv. key
-                                                     * handle */
-);
-#endif
-
-
-/* C_WrapKey wraps (i.e., encrypts) a key. */
-CK_PKCS11_FUNCTION_INFO(C_WrapKey)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,        /* the session's handle */
-  CK_MECHANISM_PTR  pMechanism,      /* the wrapping mechanism */
-  CK_OBJECT_HANDLE  hWrappingKey,    /* wrapping key */
-  CK_OBJECT_HANDLE  hKey,            /* key to be wrapped */
-  CK_BYTE_PTR       pWrappedKey,     /* gets wrapped key */
-  CK_ULONG_PTR      pulWrappedKeyLen /* gets wrapped key size */
-);
-#endif
-
-
-/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new
- * key object. */
-CK_PKCS11_FUNCTION_INFO(C_UnwrapKey)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE    hSession,          /* session's handle */
-  CK_MECHANISM_PTR     pMechanism,        /* unwrapping mech. */
-  CK_OBJECT_HANDLE     hUnwrappingKey,    /* unwrapping key */
-  CK_BYTE_PTR          pWrappedKey,       /* the wrapped key */
-  CK_ULONG             ulWrappedKeyLen,   /* wrapped key len */
-  CK_ATTRIBUTE_PTR     pTemplate,         /* new key template */
-  CK_ULONG             ulAttributeCount,  /* template length */
-  CK_OBJECT_HANDLE_PTR phKey              /* gets new handle */
-);
-#endif
-
-
-/* C_DeriveKey derives a key from a base key, creating a new key
- * object. */
-CK_PKCS11_FUNCTION_INFO(C_DeriveKey)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE    hSession,          /* session's handle */
-  CK_MECHANISM_PTR     pMechanism,        /* key deriv. mech. */
-  CK_OBJECT_HANDLE     hBaseKey,          /* base key */
-  CK_ATTRIBUTE_PTR     pTemplate,         /* new key template */
-  CK_ULONG             ulAttributeCount,  /* template length */
-  CK_OBJECT_HANDLE_PTR phKey              /* gets new handle */
-);
-#endif
-
-
-
-/* Random number generation */
-
-/* C_SeedRandom mixes additional seed material into the token's
- * random number generator. */
-CK_PKCS11_FUNCTION_INFO(C_SeedRandom)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_BYTE_PTR       pSeed,     /* the seed material */
-  CK_ULONG          ulSeedLen  /* length of seed material */
-);
-#endif
-
-
-/* C_GenerateRandom generates random data. */
-CK_PKCS11_FUNCTION_INFO(C_GenerateRandom)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession,    /* the session's handle */
-  CK_BYTE_PTR       RandomData,  /* receives the random data */
-  CK_ULONG          ulRandomLen  /* # of bytes to generate */
-);
-#endif
-
-
-
-/* Parallel function management */
-
-/* C_GetFunctionStatus is a legacy function; it obtains an
- * updated status of a function running in parallel with an
- * application. */
-CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession  /* the session's handle */
-);
-#endif
-
-
-/* C_CancelFunction is a legacy function; it cancels a function
- * running in parallel. */
-CK_PKCS11_FUNCTION_INFO(C_CancelFunction)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_SESSION_HANDLE hSession  /* the session's handle */
-);
-#endif
-
-
-
-/* Functions added in for PKCS #11 Version 2.01 or later */
-
-/* C_WaitForSlotEvent waits for a slot event (token insertion,
- * removal, etc.) to occur. */
-CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent)
-#ifdef CK_NEED_ARG_LIST
-(
-  CK_FLAGS flags,        /* blocking/nonblocking flag */
-  CK_SLOT_ID_PTR pSlot,  /* location that receives the slot ID */
-  CK_VOID_PTR pRserved   /* reserved.  Should be NULL_PTR */
-);
-#endif
diff --git a/security/nss/lib/softoken/pkcs11i.h b/security/nss/lib/softoken/pkcs11i.h
deleted file mode 100644
index 0eaf5bf37..000000000
--- a/security/nss/lib/softoken/pkcs11i.h
+++ /dev/null
@@ -1,730 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * Internal data structures and functions used by pkcs11.c
- */
-#ifndef _PKCS11I_H_
-#define _PKCS11I_H_ 1
-
-#include "nssilock.h"
-#include "seccomon.h"
-#include "secoidt.h"
-#include "lowkeyti.h"
-#include "pkcs11t.h"
-#include "pcertt.h"
-
-
-/* 
- * Configuration Defines 
- *
- * The following defines affect the space verse speed trade offs of
- * the PKCS #11 module. For the most part the current settings are optimized
- * for web servers, where we want faster speed and lower lock contention at
- * the expense of space.
- */
-
-/* 
- * The attribute allocation strategy is static allocation:
- *   Attributes are pre-allocated as part of the session object and used from
- *   the object array.
- */
-#define MAX_OBJS_ATTRS 45	/* number of attributes to preallocate in
-				 * the object (must me the absolute max) */
-#define ATTR_SPACE 50  		/* Maximum size of attribute data before extra
-				 * data needs to be allocated. This is set to
-				 * enough space to hold an SSL MASTER secret */
-
-#define NSC_STRICT      PR_FALSE  /* forces the code to do strict template
-				   * matching when doing C_FindObject on token
-				   * objects. This will slow down search in
-				   * NSS. */
-/* default search block allocations and increments */
-#define NSC_CERT_BLOCK_SIZE     50
-#define NSC_SEARCH_BLOCK_SIZE   5 
-#define NSC_SLOT_LIST_BLOCK_SIZE 10
-
-#define NSC_FIPS_MODULE 1
-#define NSC_NON_FIPS_MODULE 0
-
-/* these are data base storage hashes, not cryptographic hashes.. The define
- * the effective size of the various object hash tables */
-/* clients care more about memory usage than lookup performance on
- * cyrptographic objects. Clients also have less objects around to play with 
- *
- * we eventually should make this configurable at runtime! Especially now that
- * NSS is a shared library.
- */
-#define SPACE_ATTRIBUTE_HASH_SIZE 32 
-#define SPACE_TOKEN_OBJECT_HASH_SIZE 32
-#define SPACE_SESSION_HASH_SIZE 32
-#define TIME_ATTRIBUTE_HASH_SIZE 32
-#define TIME_TOKEN_OBJECT_HASH_SIZE 1024
-#define TIME_SESSION_HASH_SIZE 1024
-#define MAX_OBJECT_LIST_SIZE 800  
-				  /* how many objects to keep on the free list
-				   * before we start freeing them */
-#define MAX_KEY_LEN 256
-
-#define MULTIACCESS "multiaccess:"
-
-/*
- * LOG2_BUCKETS_PER_SESSION_LOCK must be a prime number.
- * With SESSION_HASH_SIZE=1024, LOG2 can be 9, 5, 1, or 0.
- * With SESSION_HASH_SIZE=4096, LOG2 can be 11, 9, 5, 1, or 0.
- *
- * HASH_SIZE   LOG2_BUCKETS_PER   BUCKETS_PER_LOCK  NUMBER_OF_BUCKETS
- * 1024        9                  512               2
- * 1024        5                  32                32
- * 1024        1                  2                 512
- * 1024        0                  1                 1024
- * 4096        11                 2048              2
- * 4096        9                  512               8
- * 4096        5                  32                128
- * 4096        1                  2                 2048
- * 4096        0                  1                 4096
- */
-#define LOG2_BUCKETS_PER_SESSION_LOCK 1
-#define BUCKETS_PER_SESSION_LOCK (1 << (LOG2_BUCKETS_PER_SESSION_LOCK))
-/* NOSPREAD sessionID to hash table index macro has been slower. */
-
-/* define typedefs, double as forward declarations as well */
-typedef struct SFTKAttributeStr SFTKAttribute;
-typedef struct SFTKObjectListStr SFTKObjectList;
-typedef struct SFTKObjectFreeListStr SFTKObjectFreeList;
-typedef struct SFTKObjectListElementStr SFTKObjectListElement;
-typedef struct SFTKObjectStr SFTKObject;
-typedef struct SFTKSessionObjectStr SFTKSessionObject;
-typedef struct SFTKTokenObjectStr SFTKTokenObject;
-typedef struct SFTKSessionStr SFTKSession;
-typedef struct SFTKSlotStr SFTKSlot;
-typedef struct SFTKSessionContextStr SFTKSessionContext;
-typedef struct SFTKSearchResultsStr SFTKSearchResults;
-typedef struct SFTKHashVerifyInfoStr SFTKHashVerifyInfo;
-typedef struct SFTKHashSignInfoStr SFTKHashSignInfo;
-typedef struct SFTKSSLMACInfoStr SFTKSSLMACInfo;
-
-/* define function pointer typdefs for pointer tables */
-typedef void (*SFTKDestroy)(void *, PRBool);
-typedef void (*SFTKBegin)(void *);
-typedef SECStatus (*SFTKCipher)(void *,void *,unsigned int *,unsigned int,
-					void *, unsigned int);
-typedef SECStatus (*SFTKVerify)(void *,void *,unsigned int,void *,unsigned int);
-typedef void (*SFTKHash)(void *,void *,unsigned int);
-typedef void (*SFTKEnd)(void *,void *,unsigned int *,unsigned int);
-typedef void (*SFTKFree)(void *);
-
-/* Value to tell if an attribute is modifiable or not.
- *    NEVER: attribute is only set on creation.
- *    ONCOPY: attribute is set on creation and can only be changed on copy.
- *    SENSITIVE: attribute can only be changed to TRUE.
- *    ALWAYS: attribute can always be changed.
- */
-typedef enum {
-	SFTK_NEVER = 0,
-	SFTK_ONCOPY = 1,
-	SFTK_SENSITIVE = 2,
-	SFTK_ALWAYS = 3
-} SFTKModifyType;
-
-/*
- * Free Status Enum... tell us more information when we think we're
- * deleting an object.
- */
-typedef enum {
-	SFTK_DestroyFailure,
-	SFTK_Destroyed,
-	SFTK_Busy
-} SFTKFreeStatus;
-
-/*
- * attribute values of an object.
- */
-struct SFTKAttributeStr {
-    SFTKAttribute  	*next;
-    SFTKAttribute  	*prev;
-    PRBool		freeAttr;
-    PRBool		freeData;
-    /*must be called handle to make sftkqueue_find work */
-    CK_ATTRIBUTE_TYPE	handle;
-    CK_ATTRIBUTE 	attrib;
-    unsigned char space[ATTR_SPACE];
-};
-
-
-/*
- * doubly link list of objects
- */
-struct SFTKObjectListStr {
-    SFTKObjectList *next;
-    SFTKObjectList *prev;
-    SFTKObject	   *parent;
-};
-
-struct SFTKObjectFreeListStr {
-    SFTKObject	*head;
-    PZLock	*lock;
-    int		count;
-};
-
-/*
- * PKCS 11 crypto object structure
- */
-struct SFTKObjectStr {
-    SFTKObject *next;
-    SFTKObject	*prev;
-    CK_OBJECT_CLASS 	objclass;
-    CK_OBJECT_HANDLE	handle;
-    int 		refCount;
-    PZLock 		*refLock;
-    SFTKSlot	   	*slot;
-    void 		*objectInfo;
-    SFTKFree 		infoFree;
-};
-
-struct SFTKTokenObjectStr {
-    SFTKObject  obj;
-    SECItem	dbKey;
-};
-
-struct SFTKSessionObjectStr {
-    SFTKObject	   obj;
-    SFTKObjectList sessionList;
-    PZLock		*attributeLock;
-    SFTKSession   	*session;
-    PRBool		wasDerived;
-    int nextAttr;
-    SFTKAttribute	attrList[MAX_OBJS_ATTRS];
-    PRBool		optimizeSpace;
-    unsigned int	hashSize;
-    SFTKAttribute 	*head[1];
-};
-
-/*
- * struct to deal with a temparary list of objects
- */
-struct SFTKObjectListElementStr {
-    SFTKObjectListElement	*next;
-    SFTKObject 			*object;
-};
-
-/*
- * Area to hold Search results
- */
-struct SFTKSearchResultsStr {
-    CK_OBJECT_HANDLE	*handles;
-    int			size;
-    int			index;
-    int			array_size;
-};
-
-
-/* 
- * the universal crypto/hash/sign/verify context structure
- */
-typedef enum {
-    SFTK_ENCRYPT,
-    SFTK_DECRYPT,
-    SFTK_HASH,
-    SFTK_SIGN,
-    SFTK_SIGN_RECOVER,
-    SFTK_VERIFY,
-    SFTK_VERIFY_RECOVER
-} SFTKContextType;
-
-
-#define SFTK_MAX_BLOCK_SIZE 16
-/* currently SHA512 is the biggest hash length */
-#define SFTK_MAX_MAC_LENGTH 64
-#define SFTK_INVALID_MAC_SIZE 0xffffffff
-
-struct SFTKSessionContextStr {
-    SFTKContextType	type;
-    PRBool		multi; 		/* is multipart */
-    PRBool		doPad; 		/* use PKCS padding for block ciphers */
-    unsigned int	blockSize; 	/* blocksize for padding */
-    unsigned int	padDataLength; 	/* length of the valid data in padbuf */
-    unsigned char	padBuf[SFTK_MAX_BLOCK_SIZE];
-    unsigned char	macBuf[SFTK_MAX_BLOCK_SIZE];
-    CK_ULONG		macSize;	/* size of a general block cipher mac*/
-    void		*cipherInfo;
-    void		*hashInfo;
-    unsigned int	cipherInfoLen;
-    CK_MECHANISM_TYPE	currentMech;
-    SFTKCipher		update;
-    SFTKHash		hashUpdate;
-    SFTKEnd		end;
-    SFTKDestroy		destroy;
-    SFTKDestroy		hashdestroy;
-    SFTKVerify		verify;
-    unsigned int	maxLen;
-    SFTKObject		*key;
-};
-
-/*
- * Sessions (have objects)
- */
-struct SFTKSessionStr {
-    SFTKSession        *next;
-    SFTKSession        *prev;
-    CK_SESSION_HANDLE	handle;
-    int			refCount;
-    PZLock		*objectLock;
-    int			objectIDCount;
-    CK_SESSION_INFO	info;
-    CK_NOTIFY		notify;
-    CK_VOID_PTR		appData;
-    SFTKSlot		*slot;
-    SFTKSearchResults	*search;
-    SFTKSessionContext	*enc_context;
-    SFTKSessionContext	*hash_context;
-    SFTKSessionContext	*sign_context;
-    SFTKObjectList	*objects[1];
-};
-
-/*
- * slots (have sessions and objects)
- *
- * The array of sessionLock's protect the session hash table (head[])
- * as well as the reference count of session objects in that bucket
- * (head[]->refCount),  objectLock protects all elements of the token
- * object hash table (tokObjects[], tokenIDCount, and tokenHashTable),
- * slotLock protects the remaining protected elements:
- * password, isLoggedIn, ssoLoggedIn, and sessionCount,
- * and pwCheckLock serializes the key database password checks in
- * NSC_SetPIN and NSC_Login.
- *
- * Each of the fields below has the following lifetime as commented
- * next to the fields:
- *   invariant  - This value is set when the slot is first created and
- * never changed until it is destroyed.
- *   per load   - This value is set when the slot is first created, or 
- * when the slot is used to open another directory. Between open and close
- * this field does not change.
- *   variable - This value changes through the normal process of slot operation.
- *      - reset. The value of this variable is cleared during an open/close 
- *   cycles.
- *      - preserved. The value of this variable is preserved over open/close
- *   cycles.
- */
-struct SFTKSlotStr {
-    CK_SLOT_ID		slotID;			/* invariant */
-    PZLock		*slotLock;		/* invariant */
-    PZLock		**sessionLock;		/* invariant */
-    unsigned int	numSessionLocks;	/* invariant */
-    unsigned long	sessionLockMask;	/* invariant */
-    PZLock		*objectLock;		/* invariant */
-    PRLock		*pwCheckLock;		/* invariant */
-    SECItem		*password;		/* variable - reset */
-    PRBool		present;		/* variable -set */
-    PRBool		hasTokens;		/* per load */
-    PRBool		isLoggedIn;		/* variable - reset */
-    PRBool		ssoLoggedIn;		/* variable - reset */
-    PRBool		needLogin;		/* per load */
-    PRBool		DB_loaded;		/* per load */
-    PRBool		readOnly;		/* per load */
-    PRBool		optimizeSpace;		/* invariant */
-    NSSLOWCERTCertDBHandle *certDB;		/* per load */
-    NSSLOWKEYDBHandle	*keyDB;			/* per load */
-    int			minimumPinLen;		/* per load */
-    PRInt32		sessionIDCount;		/* atomically incremented */
-                                        	/* (preserved) */
-    int			sessionIDConflict; 	/* not protected by a lock */
-                                            	/* (preserved) */
-    int			sessionCount;           /* variable - reset */
-    PRInt32             rwSessionCount;    	/* set by atomic operations */
-                                          	/* (reset) */
-    int			tokenIDCount;      	/* variable - perserved */
-    int			index;			/* invariant */
-    PLHashTable		*tokenHashTable;	/* invariant */
-    SFTKObject		**tokObjects;		/* variable - reset */
-    unsigned int	tokObjHashSize;		/* invariant */
-    SFTKSession		**head;			/* variable -reset */
-    unsigned int	sessHashSize;		/* invariant */
-    char		tokDescription[33];	/* per load */
-    char		slotDescription[64];	/* invariant */
-};
-
-/*
- * special joint operations Contexts
- */
-struct SFTKHashVerifyInfoStr {
-    SECOidTag   	hashOid;
-    NSSLOWKEYPublicKey	*key;
-};
-
-struct SFTKHashSignInfoStr {
-    SECOidTag   	hashOid;
-    NSSLOWKEYPrivateKey	*key;
-};
-
-/* context for the Final SSLMAC message */
-struct SFTKSSLMACInfoStr {
-    void 		*hashContext;
-    SFTKBegin		begin;
-    SFTKHash		update;
-    SFTKEnd		end;
-    CK_ULONG		macSize;
-    int			padSize;
-    unsigned char	key[MAX_KEY_LEN];
-    unsigned int	keySize;
-};
-
-/*
- * session handle modifiers
- */
-#define SFTK_SESSION_SLOT_MASK	0xff000000L
-
-/*
- * object handle modifiers
- */
-#define SFTK_TOKEN_MASK		0x80000000L
-#define SFTK_TOKEN_MAGIC	0x80000000L
-#define SFTK_TOKEN_TYPE_MASK	0x70000000L
-/* keydb (high bit == 0) */
-#define SFTK_TOKEN_TYPE_PRIV	0x10000000L
-#define SFTK_TOKEN_TYPE_PUB	0x20000000L
-#define SFTK_TOKEN_TYPE_KEY	0x30000000L
-/* certdb (high bit == 1) */
-#define SFTK_TOKEN_TYPE_TRUST	0x40000000L
-#define SFTK_TOKEN_TYPE_CRL	0x50000000L
-#define SFTK_TOKEN_TYPE_SMIME	0x60000000L
-#define SFTK_TOKEN_TYPE_CERT	0x70000000L
-
-#define SFTK_TOKEN_KRL_HANDLE	(SFTK_TOKEN_MAGIC|SFTK_TOKEN_TYPE_CRL|1)
-/* how big (in bytes) a password/pin we can deal with */
-#define SFTK_MAX_PIN	255
-/* minimum password/pin length (in Unicode characters) in FIPS mode */
-#define FIPS_MIN_PIN	7
-
-/* slot ID's */
-#define NETSCAPE_SLOT_ID 1
-#define PRIVATE_KEY_SLOT_ID 2
-#define FIPS_SLOT_ID 3
-
-/* slot helper macros */
-#define sftk_SlotFromSession(sp) ((sp)->slot)
-#define sftk_isToken(id) (((id) & SFTK_TOKEN_MASK) == SFTK_TOKEN_MAGIC)
-
-/* the session hash multiplier (see bug 201081) */
-#define SHMULTIPLIER 1791398085
-
-/* queueing helper macros */
-#define sftk_hash(value,size) \
-	((PRUint32)((value) * SHMULTIPLIER) & (size-1))
-#define sftkqueue_add(element,id,head,hash_size) \
-	{ int tmp = sftk_hash(id,hash_size); \
-	(element)->next = (head)[tmp]; \
-	(element)->prev = NULL; \
-	if ((head)[tmp]) (head)[tmp]->prev = (element); \
-	(head)[tmp] = (element); }
-#define sftkqueue_find(element,id,head,hash_size) \
-	for( (element) = (head)[sftk_hash(id,hash_size)]; (element) != NULL; \
-					 (element) = (element)->next) { \
-	    if ((element)->handle == (id)) { break; } }
-#define sftkqueue_is_queued(element,id,head,hash_size) \
-	( ((element)->next) || ((element)->prev) || \
-	 ((head)[sftk_hash(id,hash_size)] == (element)) )
-#define sftkqueue_delete(element,id,head,hash_size) \
-	if ((element)->next) (element)->next->prev = (element)->prev; \
-	if ((element)->prev) (element)->prev->next = (element)->next; \
-	   else (head)[sftk_hash(id,hash_size)] = ((element)->next); \
-	(element)->next = NULL; \
-	(element)->prev = NULL; \
-
-#define sftkqueue_init_element(element) \
-    (element)->prev = NULL;
-
-#define sftkqueue_add2(element, id, index, head) \
-    {                                            \
-	(element)->next = (head)[index];         \
-	if ((head)[index])                       \
-	    (head)[index]->prev = (element);     \
-	(head)[index] = (element);               \
-    }
-
-#define sftkqueue_find2(element, id, index, head) \
-    for ( (element) = (head)[index];              \
-          (element) != NULL;                      \
-          (element) = (element)->next) {          \
-	if ((element)->handle == (id)) { break; } \
-    }
-
-#define sftkqueue_delete2(element, id, index, head) \
-	if ((element)->next) (element)->next->prev = (element)->prev; \
-	if ((element)->prev) (element)->prev->next = (element)->next; \
-	   else (head)[index] = ((element)->next);
-
-#define sftkqueue_clear_deleted_element(element) \
-	(element)->next = NULL; \
-	(element)->prev = NULL; \
-
-
-/* sessionID (handle) is used to determine session lock bucket */
-#ifdef NOSPREAD
-/* NOSPREAD:	(ID>>L2LPB) & (perbucket-1) */
-#define SFTK_SESSION_LOCK(slot,handle) \
-    ((slot)->sessionLock[((handle) >> LOG2_BUCKETS_PER_SESSION_LOCK) \
-        & (slot)->sessionLockMask])
-#else
-/* SPREAD:	ID & (perbucket-1) */
-#define SFTK_SESSION_LOCK(slot,handle) \
-    ((slot)->sessionLock[(handle) & (slot)->sessionLockMask])
-#endif
-
-/* expand an attribute & secitem structures out */
-#define sftk_attr_expand(ap) (ap)->type,(ap)->pValue,(ap)->ulValueLen
-#define sftk_item_expand(ip) (ip)->data,(ip)->len
-
-typedef struct sftk_token_parametersStr {
-    CK_SLOT_ID slotID;
-    char *configdir;
-    char *certPrefix;
-    char *keyPrefix;
-    char *tokdes;
-    char *slotdes;
-    int minPW; 
-    PRBool readOnly;
-    PRBool noCertDB;
-    PRBool noKeyDB;
-    PRBool forceOpen;
-    PRBool pwRequired;
-    PRBool optimizeSpace;
-} sftk_token_parameters;
-
-typedef struct sftk_parametersStr {
-    char *configdir;
-    char *secmodName;
-    char *man;
-    char *libdes; 
-    PRBool readOnly;
-    PRBool noModDB;
-    PRBool noCertDB;
-    PRBool forceOpen;
-    PRBool pwRequired;
-    PRBool optimizeSpace;
-    sftk_token_parameters *tokens;
-    int token_count;
-} sftk_parameters;
-
-
-/* machine dependent path stuff used by dbinit.c and pk11db.c */
-#ifdef macintosh
-#define PATH_SEPARATOR ":"
-#define SECMOD_DB "Security Modules"
-#define CERT_DB_FMT "%sCertificates%s"
-#define KEY_DB_FMT "%sKey Database%s"
-#else
-#define PATH_SEPARATOR "/"
-#define SECMOD_DB "secmod.db"
-#define CERT_DB_FMT "%scert%s.db"
-#define KEY_DB_FMT "%skey%s.db"
-#endif
-
-SEC_BEGIN_PROTOS
-
-/* shared functions between PKCS11.c and SFTKFIPS.c */
-extern int nsf_init;
-extern CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS);
-extern CK_RV nsc_CommonFinalize(CK_VOID_PTR pReserved, PRBool isFIPS);
-extern CK_RV nsc_CommonGetSlotList(CK_BBOOL tokPresent, 
-	CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount, int moduleIndex);
-
-/* slot initialization, reinit, shutdown and destruction */
-extern CK_RV SFTK_SlotInit(char *configdir,
-			sftk_token_parameters *params, int moduleIndex);
-extern CK_RV SFTK_SlotReInit(SFTKSlot *slot, char *configdir,
-			sftk_token_parameters *params, int moduleIndex);
-extern CK_RV SFTK_DestroySlotData(SFTKSlot *slot);
-extern CK_RV SFTK_ShutdownSlot(SFTKSlot *slot);
-
-
-/* internal utility functions used by pkcs11.c */
-extern SFTKAttribute *sftk_FindAttribute(SFTKObject *object,
-					 CK_ATTRIBUTE_TYPE type);
-extern void sftk_FreeAttribute(SFTKAttribute *attribute);
-extern CK_RV sftk_AddAttributeType(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
-				   void *valPtr,
-				  CK_ULONG length);
-extern CK_RV sftk_Attribute2SecItem(PLArenaPool *arena, SECItem *item,
-				    SFTKObject *object, CK_ATTRIBUTE_TYPE type);
-extern unsigned int sftk_GetLengthInBits(unsigned char *buf,
-							 unsigned int bufLen);
-extern CK_RV sftk_ConstrainAttribute(SFTKObject *object, 
-	CK_ATTRIBUTE_TYPE type, int minLength, int maxLength, int minMultiple);
-extern PRBool sftk_hasAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type);
-extern PRBool sftk_isTrue(SFTKObject *object, CK_ATTRIBUTE_TYPE type);
-extern void sftk_DeleteAttributeType(SFTKObject *object,
-				     CK_ATTRIBUTE_TYPE type);
-extern CK_RV sftk_Attribute2SecItem(PLArenaPool *arena, SECItem *item,
-				    SFTKObject *object, CK_ATTRIBUTE_TYPE type);
-extern CK_RV sftk_Attribute2SSecItem(PLArenaPool *arena, SECItem *item,
-				     SFTKObject *object,
-				     CK_ATTRIBUTE_TYPE type);
-extern SFTKModifyType sftk_modifyType(CK_ATTRIBUTE_TYPE type,
-				      CK_OBJECT_CLASS inClass);
-extern PRBool sftk_isSensitive(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass);
-extern char *sftk_getString(SFTKObject *object, CK_ATTRIBUTE_TYPE type);
-extern void sftk_nullAttribute(SFTKObject *object,CK_ATTRIBUTE_TYPE type);
-extern CK_RV sftk_GetULongAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
-                                                         CK_ULONG *longData);
-extern CK_RV sftk_forceAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
-				 void *value, unsigned int len);
-extern CK_RV sftk_defaultAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
-				   void *value, unsigned int len);
-extern unsigned int sftk_MapTrust(CK_TRUST trust, PRBool clientAuth);
-
-extern SFTKObject *sftk_NewObject(SFTKSlot *slot);
-extern CK_RV sftk_CopyObject(SFTKObject *destObject, SFTKObject *srcObject);
-extern SFTKFreeStatus sftk_FreeObject(SFTKObject *object);
-extern CK_RV sftk_DeleteObject(SFTKSession *session, SFTKObject *object);
-extern void sftk_ReferenceObject(SFTKObject *object);
-extern SFTKObject *sftk_ObjectFromHandle(CK_OBJECT_HANDLE handle,
-					 SFTKSession *session);
-extern void sftk_AddSlotObject(SFTKSlot *slot, SFTKObject *object);
-extern void sftk_AddObject(SFTKSession *session, SFTKObject *object);
-/* clear out all the existing object ID to database key mappings.
- * used to reinit a token */
-extern CK_RV SFTK_ClearTokenKeyHashTable(SFTKSlot *slot);
-
-extern CK_RV sftk_searchObjectList(SFTKSearchResults *search,
-				   SFTKObject **head, unsigned int size,
-				   PZLock *lock, CK_ATTRIBUTE_PTR inTemplate,
-				   int count, PRBool isLoggedIn);
-extern SFTKObjectListElement *sftk_FreeObjectListElement(
-					     SFTKObjectListElement *objectList);
-extern void sftk_FreeObjectList(SFTKObjectListElement *objectList);
-extern void sftk_FreeSearch(SFTKSearchResults *search);
-extern CK_RV sftk_handleObject(SFTKObject *object, SFTKSession *session);
-
-extern SFTKSlot *sftk_SlotFromID(CK_SLOT_ID slotID, PRBool all);
-extern SFTKSlot *sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle);
-extern SFTKSession *sftk_SessionFromHandle(CK_SESSION_HANDLE handle);
-extern void sftk_FreeSession(SFTKSession *session);
-extern SFTKSession *sftk_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify,
-				    CK_VOID_PTR pApplication, CK_FLAGS flags);
-extern void sftk_update_state(SFTKSlot *slot,SFTKSession *session);
-extern void sftk_update_all_states(SFTKSlot *slot);
-extern void sftk_FreeContext(SFTKSessionContext *context);
-extern void sftk_InitFreeLists(void);
-extern void sftk_CleanupFreeLists(void);
-
-extern NSSLOWKEYPublicKey *sftk_GetPubKey(SFTKObject *object,
-					  CK_KEY_TYPE key_type, CK_RV *crvp);
-extern NSSLOWKEYPrivateKey *sftk_GetPrivKey(SFTKObject *object,
-					    CK_KEY_TYPE key_type, CK_RV *crvp);
-extern void sftk_FormatDESKey(unsigned char *key, int length);
-extern PRBool sftk_CheckDESKey(unsigned char *key);
-extern PRBool sftk_IsWeakKey(unsigned char *key,CK_KEY_TYPE key_type);
-
-extern CK_RV secmod_parseParameters(char *param, sftk_parameters *parsed,
-								PRBool isFIPS);
-extern void secmod_freeParams(sftk_parameters *params);
-extern char *secmod_getSecmodName(char *params, char **domain, 
-						char **filename, PRBool *rw);
-extern char ** secmod_ReadPermDB(const char *domain, const char *filename, 
-			const char *dbname, char *params, PRBool rw);
-extern SECStatus secmod_DeletePermDB(const char *domain, const char *filename,
-			const char *dbname, char *args, PRBool rw);
-extern SECStatus secmod_AddPermDB(const char *domain, const char *filename,
-			const char *dbname, char *module, PRBool rw);
-extern SECStatus secmod_ReleasePermDBData(const char *domain, 
-	const char *filename, const char *dbname, char **specList, PRBool rw);
-/* mechanism allows this operation */
-extern CK_RV sftk_MechAllowsOperation(CK_MECHANISM_TYPE type, CK_ATTRIBUTE_TYPE op);
-/*
- * OK there are now lots of options here, lets go through them all:
- *
- * configdir - base directory where all the cert, key, and module datbases live.
- * certPrefix - prefix added to the beginning of the cert database example: "
- *                      "https-server1-"
- * keyPrefix - prefix added to the beginning of the key database example: "
- *                      "https-server1-"
- * secmodName - name of the security module database (usually "secmod.db").
- * readOnly - Boolean: true if the databases are to be openned read only.
- * nocertdb - Don't open the cert DB and key DB's, just initialize the
- *                      Volatile certdb.
- * nomoddb - Don't open the security module DB, just initialize the
- *                      PKCS #11 module.
- * forceOpen - Continue to force initializations even if the databases cannot
- *                      be opened.
- */
-CK_RV sftk_DBInit(const char *configdir, const char *certPrefix,
-	 	const char *keyPrefix, PRBool readOnly, PRBool noCertDB, 
-		PRBool noKeyDB, PRBool forceOpen, 
-		NSSLOWCERTCertDBHandle **certDB, NSSLOWKEYDBHandle **keyDB);
-NSSLOWCERTCertDBHandle *sftk_getCertDB(SFTKSlot *slot);
-NSSLOWKEYDBHandle *sftk_getKeyDB(SFTKSlot *slot);
-void sftk_freeCertDB(NSSLOWCERTCertDBHandle *certHandle);
-void sftk_freeKeyDB(NSSLOWKEYDBHandle *keyHandle);
-
-/* helper function which calls nsslowkey_FindKeyByPublicKey after safely
- * acquiring a reference to the keydb from the slot */
-NSSLOWKEYPrivateKey *sftk_FindKeyByPublicKey(SFTKSlot *slot, SECItem *dbKey);
-
-const char *sftk_EvaluateConfigDir(const char *configdir, char **domain);
-
-/*
- * narrow objects
- */
-SFTKSessionObject * sftk_narrowToSessionObject(SFTKObject *);
-SFTKTokenObject * sftk_narrowToTokenObject(SFTKObject *);
-
-/*
- * token object utilities
- */
-void sftk_addHandle(SFTKSearchResults *search, CK_OBJECT_HANDLE handle);
-PRBool sftk_poisonHandle(SFTKSlot *slot, SECItem *dbkey, 
-						CK_OBJECT_HANDLE handle);
-PRBool sftk_tokenMatch(SFTKSlot *slot, SECItem *dbKey, CK_OBJECT_HANDLE class,
-                                        CK_ATTRIBUTE_PTR theTemplate,int count);
-CK_OBJECT_HANDLE sftk_mkHandle(SFTKSlot *slot, 
-					SECItem *dbKey, CK_OBJECT_HANDLE class);
-SFTKObject * sftk_NewTokenObject(SFTKSlot *slot, SECItem *dbKey, 
-						CK_OBJECT_HANDLE handle);
-SFTKTokenObject *sftk_convertSessionToToken(SFTKObject *so);
-
-/****************************************
- * implement TLS Pseudo Random Function (PRF)
- */
-
-extern CK_RV
-sftk_TLSPRFInit(SFTKSessionContext *context, 
-		  SFTKObject *        key, 
-		  CK_KEY_TYPE         key_type);
-
-SEC_END_PROTOS
-
-#endif /* _PKCS11I_H_ */
diff --git a/security/nss/lib/softoken/pkcs11n.h b/security/nss/lib/softoken/pkcs11n.h
deleted file mode 100644
index b1dce6c12..000000000
--- a/security/nss/lib/softoken/pkcs11n.h
+++ /dev/null
@@ -1,246 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Stephen Henson <stephen.henson@gemplus.com>
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef _PKCS11N_H_
-#define _PKCS11N_H_
-
-#ifdef DEBUG
-static const char CKT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-/*
- * pkcs11n.h
- *
- * This file contains the NSS-specific type definitions for Cryptoki
- * (PKCS#11).
- */
-
-/*
- * NSSCK_VENDOR_NETSCAPE
- *
- * Cryptoki reserves the high half of all the number spaces for
- * vendor-defined use.  I'd like to keep all of our Netscape-
- * specific values together, but not in the oh-so-obvious
- * 0x80000001, 0x80000002, etc. area.  So I've picked an offset,
- * and constructed values for the beginnings of our spaces.
- *
- * Note that some "historical" Netscape values don't fall within
- * this range.
- */
-#define NSSCK_VENDOR_NETSCAPE 0x4E534350 /* NSCP */
-
-/*
- * Netscape-defined object classes
- * 
- */
-#define CKO_NETSCAPE (CKO_VENDOR_DEFINED|NSSCK_VENDOR_NETSCAPE)
-
-#define CKO_NETSCAPE_CRL                (CKO_NETSCAPE + 1)
-#define CKO_NETSCAPE_SMIME              (CKO_NETSCAPE + 2)
-#define CKO_NETSCAPE_TRUST              (CKO_NETSCAPE + 3)
-#define CKO_NETSCAPE_BUILTIN_ROOT_LIST  (CKO_NETSCAPE + 4)
-#define CKO_NETSCAPE_NEWSLOT            (CKO_NETSCAPE + 5)
-#define CKO_NETSCAPE_DELSLOT            (CKO_NETSCAPE + 6)
-
-/*
- * Netscape-defined key types
- *
- */
-#define CKK_NETSCAPE (CKK_VENDOR_DEFINED|NSSCK_VENDOR_NETSCAPE)
-
-#define CKK_NETSCAPE_PKCS8              (CKK_NETSCAPE + 1)
-/*
- * Netscape-defined certificate types
- *
- */
-#define CKC_NETSCAPE (CKC_VENDOR_DEFINED|NSSCK_VENDOR_NETSCAPE)
-
-/*
- * Netscape-defined object attributes
- *
- */
-#define CKA_NETSCAPE (CKA_VENDOR_DEFINED|NSSCK_VENDOR_NETSCAPE)
-
-#define CKA_NETSCAPE_URL                (CKA_NETSCAPE +  1)
-#define CKA_NETSCAPE_EMAIL              (CKA_NETSCAPE +  2)
-#define CKA_NETSCAPE_SMIME_INFO         (CKA_NETSCAPE +  3)
-#define CKA_NETSCAPE_SMIME_TIMESTAMP    (CKA_NETSCAPE +  4)
-#define CKA_NETSCAPE_PKCS8_SALT         (CKA_NETSCAPE +  5)
-#define CKA_NETSCAPE_PASSWORD_CHECK     (CKA_NETSCAPE +  6)
-#define CKA_NETSCAPE_EXPIRES            (CKA_NETSCAPE +  7)
-#define CKA_NETSCAPE_KRL                (CKA_NETSCAPE +  8)
-
-#define CKA_NETSCAPE_PQG_COUNTER        (CKA_NETSCAPE +  20)
-#define CKA_NETSCAPE_PQG_SEED           (CKA_NETSCAPE +  21)
-#define CKA_NETSCAPE_PQG_H              (CKA_NETSCAPE +  22)
-#define CKA_NETSCAPE_PQG_SEED_BITS      (CKA_NETSCAPE +  23)
-#define CKA_NETSCAPE_MODULE_SPEC        (CKA_NETSCAPE +  24)
-
-/*
- * Trust attributes:
- *
- * If trust goes standard, these probably will too.  So I'll
- * put them all in one place.
- */
-
-#define CKA_TRUST (CKA_NETSCAPE + 0x2000)
-
-/* "Usage" key information */
-#define CKA_TRUST_DIGITAL_SIGNATURE     (CKA_TRUST +  1)
-#define CKA_TRUST_NON_REPUDIATION       (CKA_TRUST +  2)
-#define CKA_TRUST_KEY_ENCIPHERMENT      (CKA_TRUST +  3)
-#define CKA_TRUST_DATA_ENCIPHERMENT     (CKA_TRUST +  4)
-#define CKA_TRUST_KEY_AGREEMENT         (CKA_TRUST +  5)
-#define CKA_TRUST_KEY_CERT_SIGN         (CKA_TRUST +  6)
-#define CKA_TRUST_CRL_SIGN              (CKA_TRUST +  7)
-
-/* "Purpose" trust information */
-#define CKA_TRUST_SERVER_AUTH           (CKA_TRUST +  8)
-#define CKA_TRUST_CLIENT_AUTH           (CKA_TRUST +  9)
-#define CKA_TRUST_CODE_SIGNING          (CKA_TRUST + 10)
-#define CKA_TRUST_EMAIL_PROTECTION      (CKA_TRUST + 11)
-#define CKA_TRUST_IPSEC_END_SYSTEM      (CKA_TRUST + 12)
-#define CKA_TRUST_IPSEC_TUNNEL          (CKA_TRUST + 13)
-#define CKA_TRUST_IPSEC_USER            (CKA_TRUST + 14)
-#define CKA_TRUST_TIME_STAMPING         (CKA_TRUST + 15)
-#define CKA_TRUST_STEP_UP_APPROVED      (CKA_TRUST + 16)
-
-#define CKA_CERT_SHA1_HASH	        (CKA_TRUST + 100)
-#define CKA_CERT_MD5_HASH		(CKA_TRUST + 101)
-
-/* Netscape trust stuff */
-/* XXX fgmr new ones here-- step-up, etc. */
-
-/* HISTORICAL: define used to pass in the database key for DSA private keys */
-#define CKA_NETSCAPE_DB                 0xD5A0DB00L
-#define CKA_NETSCAPE_TRUST              0x80000001L
-
-/*
- * Netscape-defined crypto mechanisms
- *
- */
-#define CKM_NETSCAPE (CKM_VENDOR_DEFINED|NSSCK_VENDOR_NETSCAPE)
-
-#define CKM_NETSCAPE_AES_KEY_WRAP      (CKM_NETSCAPE + 1)
-#define CKM_NETSCAPE_AES_KEY_WRAP_PAD  (CKM_NETSCAPE + 2)
-
-/*
- * HISTORICAL:
- * Do not attempt to use these. They are only used by NETSCAPE's internal
- * PKCS #11 interface. Most of these are place holders for other mechanism
- * and will change in the future.
- */
-#define CKM_NETSCAPE_PBE_SHA1_DES_CBC           0x80000002L
-#define CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC    0x80000003L
-#define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC    0x80000004L
-#define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC   0x80000005L
-#define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4        0x80000006L
-#define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4       0x80000007L
-#define CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC   0x80000008L
-#define CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN      0x80000009L
-#define CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN       0x8000000aL
-#define CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN       0x8000000bL
-
-#define CKM_TLS_PRF_GENERAL                     0x80000373L
-
-/*
- * Netscape-defined return values
- *
- */
-#define CKR_NETSCAPE (CKM_VENDOR_DEFINED|NSSCK_VENDOR_NETSCAPE)
-
-#define CKR_NETSCAPE_CERTDB_FAILED      (CKR_NETSCAPE + 1)
-#define CKR_NETSCAPE_KEYDB_FAILED       (CKR_NETSCAPE + 2)
-
-/*
- * Trust info
- *
- * This isn't part of the Cryptoki standard (yet), so I'm putting
- * all the definitions here.  Some of this would move to nssckt.h
- * if trust info were made part of the standard.  In view of this
- * possibility, I'm putting my (Netscape) values in the netscape
- * vendor space, like everything else.
- */
-
-typedef CK_ULONG          CK_TRUST;
-
-/* The following trust types are defined: */
-#define CKT_VENDOR_DEFINED     0x80000000
-
-#define CKT_NETSCAPE (CKT_VENDOR_DEFINED|NSSCK_VENDOR_NETSCAPE)
-
-/* If trust goes standard, these'll probably drop out of vendor space. */
-#define CKT_NETSCAPE_TRUSTED            (CKT_NETSCAPE + 1)
-#define CKT_NETSCAPE_TRUSTED_DELEGATOR  (CKT_NETSCAPE + 2)
-#define CKT_NETSCAPE_UNTRUSTED          (CKT_NETSCAPE + 3)
-#define CKT_NETSCAPE_MUST_VERIFY        (CKT_NETSCAPE + 4)
-#define CKT_NETSCAPE_TRUST_UNKNOWN      (CKT_NETSCAPE + 5) /* default */
-
-/* 
- * These may well remain Netscape-specific; I'm only using them
- * to cache resolution data.
- */
-#define CKT_NETSCAPE_VALID              (CKT_NETSCAPE + 10)
-#define CKT_NETSCAPE_VALID_DELEGATOR    (CKT_NETSCAPE + 11)
-
-
-/*
- * These are not really PKCS #11 values specifically. They are the 'loadable'
- * module spec NSS uses. The are available for others to use as well, but not
- * part of the formal PKCS #11 spec.
- *
- * The function 'FIND' returns an array of PKCS #11 initialization strings
- * The function 'ADD' takes a PKCS #11 initialization string and stores it.
- * The function 'DEL' takes a 'name= library=' value and deletes the associated
- *  string.
- * The function 'RELEASE' frees the array returned by 'FIND'
- */
-#define SECMOD_MODULE_DB_FUNCTION_FIND  0
-#define SECMOD_MODULE_DB_FUNCTION_ADD   1
-#define SECMOD_MODULE_DB_FUNCTION_DEL   2
-#define SECMOD_MODULE_DB_FUNCTION_RELEASE 3 
-typedef char ** (PR_CALLBACK *SECMODModuleDBFunc)(unsigned long function,
-                                        char *parameters, void *moduleSpec);
-
-/* softoken slot ID's */
-#define SFTK_MIN_USER_SLOT_ID 4
-#define SFTK_MAX_USER_SLOT_ID 100
-#define SFTK_MIN_FIPS_USER_SLOT_ID 101
-#define SFTK_MAX_FIPS_USER_SLOT_ID 127
-
-
-#endif /* _PKCS11N_H_ */
diff --git a/security/nss/lib/softoken/pkcs11ni.h b/security/nss/lib/softoken/pkcs11ni.h
deleted file mode 100644
index 9e584a9f0..000000000
--- a/security/nss/lib/softoken/pkcs11ni.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Red Hat, Inc.
- * Portions created by the Initial Developer are Copyright (C) 2005
- * the Initial Developer. All Rights Reserved.
- *
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef _PKCS11NI_H_
-#define _PKCS11NI_H_
-
-/*
- * pkcs11ni.h
- *
- * This file contains softoken private exports for NSS
- */
-
-/* softoken slot ID's */
-#define SFTK_MIN_USER_SLOT_ID 4
-#define SFTK_MAX_USER_SLOT_ID 100
-#define SFTK_MIN_FIPS_USER_SLOT_ID 101
-#define SFTK_MAX_FIPS_USER_SLOT_ID 127
-
-
-#endif /* _PKCS11NI_H_ */
diff --git a/security/nss/lib/softoken/pkcs11p.h b/security/nss/lib/softoken/pkcs11p.h
deleted file mode 100644
index f1ea25805..000000000
--- a/security/nss/lib/softoken/pkcs11p.h
+++ /dev/null
@@ -1,54 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
- * is granted provided that it is identified as "RSA Security Inc. Public-Key
- * Cryptography Standards (PKCS)" in all material mentioning or referencing
- * this document.
- */
-/* these data types are platform/implementation dependent. */
-/*
- * Packing was removed from the shipped RSA header files, even
- * though it's still needed. put in a central file to help merging..
- */
-
-#if defined(_WIN32)
-#ifdef _MSC_VER
-#pragma warning(disable:4103)
-#endif
-#pragma pack(push, cryptoki, 1)
-#endif
-
diff --git a/security/nss/lib/softoken/pkcs11t.h b/security/nss/lib/softoken/pkcs11t.h
deleted file mode 100644
index 771f65ab2..000000000
--- a/security/nss/lib/softoken/pkcs11t.h
+++ /dev/null
@@ -1,1747 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * RSA Security, Inc.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* License to copy and use this software is granted provided that it is
- * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
- * (Cryptoki)" in all material mentioning or referencing this software.
-
- * License is also granted to make and use derivative works provided that
- * such works are identified as "derived from the RSA Security Inc. PKCS #11
- * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
- * referencing the derived work.
-
- * RSA Security Inc. makes no representations concerning either the
- * merchantability of this software or the suitability of this software for
- * any particular purpose. It is provided "as is" without express or implied
- * warranty of any kind.
- */
-
-
-#ifndef _PKCS11T_H_
-#define _PKCS11T_H_ 1
-
-#define CK_TRUE 1
-#define CK_FALSE 0
-
-#include "prtypes.h"
-
-#define CK_PTR *
-#define CK_NULL_PTR 0
-#define CK_CALLBACK_FUNCTION(rv,func) rv (PR_CALLBACK * func)
-#define CK_DECLARE_FUNCTION(rv,func) PR_EXTERN(rv) func
-#define CK_DECLARE_FUNCTION_POINTER(rv,func) rv (PR_CALLBACK * func)
-
-#define CK_INVALID_SESSION    0
-
-/* an unsigned 8-bit value */
-typedef unsigned char     CK_BYTE;
-
-/* an unsigned 8-bit character */
-typedef CK_BYTE           CK_CHAR;
-
-/* an 8-bit UTF-8 character */
-typedef CK_BYTE           CK_UTF8CHAR;
-
-/* a BYTE-sized Boolean flag */
-typedef CK_BYTE           CK_BBOOL;
-
-/* an unsigned value, at least 32 bits long */
-typedef unsigned long int CK_ULONG;
-
-/* a signed value, the same size as a CK_ULONG */
-/* CK_LONG is new for v2.0 */
-typedef long int          CK_LONG;
-
-/* at least 32 bits; each bit is a Boolean flag */
-typedef CK_ULONG          CK_FLAGS;
-
-
-/* some special values for certain CK_ULONG variables */
-#define CK_UNAVAILABLE_INFORMATION (~0UL)
-#define CK_EFFECTIVELY_INFINITE    0
-
-
-typedef CK_BYTE     CK_PTR   CK_BYTE_PTR;
-typedef CK_CHAR     CK_PTR   CK_CHAR_PTR;
-typedef CK_UTF8CHAR CK_PTR   CK_UTF8CHAR_PTR;
-typedef CK_ULONG    CK_PTR   CK_ULONG_PTR;
-typedef void        CK_PTR   CK_VOID_PTR;
-
-/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */
-typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR;
-
-
-/* The following value is always invalid if used as a session */
-/* handle or object handle */
-#define CK_INVALID_HANDLE 0
-
-
-/* pack */
-#include "pkcs11p.h"
-
-typedef struct CK_VERSION {
-  CK_BYTE       major;  /* integer portion of version number */
-  CK_BYTE       minor;  /* 1/100ths portion of version number */
-} CK_VERSION;
-
-typedef CK_VERSION CK_PTR CK_VERSION_PTR;
-
-
-typedef struct CK_INFO {
-  /* manufacturerID and libraryDecription have been changed from
-   * CK_CHAR to CK_UTF8CHAR for v2.10 */
-  CK_VERSION    cryptokiVersion;     /* PKCS #11 interface ver */
-  CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
-  CK_FLAGS      flags;               /* must be zero */
-
-  /* libraryDescription and libraryVersion are new for v2.0 */
-  CK_UTF8CHAR   libraryDescription[32];  /* blank padded */
-  CK_VERSION    libraryVersion;          /* version of library */
-} CK_INFO;
-
-typedef CK_INFO CK_PTR    CK_INFO_PTR;
-
-
-/* CK_NOTIFICATION enumerates the types of notifications that
- * PKCS #11 provides to an application */
-/* CK_NOTIFICATION has been changed from an enum to a CK_ULONG
- * for v2.0 */
-typedef CK_ULONG CK_NOTIFICATION;
-#define CKN_SURRENDER       0
-
-
-typedef CK_ULONG          CK_SLOT_ID;
-
-typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR;
-
-
-/* CK_SLOT_INFO provides information about a slot */
-typedef struct CK_SLOT_INFO {
-  /* slotDescription and manufacturerID have been changed from
-   * CK_CHAR to CK_UTF8CHAR for v2.10 */
-  CK_UTF8CHAR   slotDescription[64];  /* blank padded */
-  CK_UTF8CHAR   manufacturerID[32];   /* blank padded */
-  CK_FLAGS      flags;
-
-  /* hardwareVersion and firmwareVersion are new for v2.0 */
-  CK_VERSION    hardwareVersion;  /* version of hardware */
-  CK_VERSION    firmwareVersion;  /* version of firmware */
-} CK_SLOT_INFO;
-
-/* flags: bit flags that provide capabilities of the slot
- *      Bit Flag              Mask        Meaning
- */
-#define CKF_TOKEN_PRESENT     0x00000001  /* a token is there */
-#define CKF_REMOVABLE_DEVICE  0x00000002  /* removable devices*/
-#define CKF_HW_SLOT           0x00000004  /* hardware slot */
-
-typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR;
-
-
-/* CK_TOKEN_INFO provides information about a token */
-typedef struct CK_TOKEN_INFO {
-  /* label, manufacturerID, and model have been changed from
-   * CK_CHAR to CK_UTF8CHAR for v2.10 */
-  CK_UTF8CHAR   label[32];           /* blank padded */
-  CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
-  CK_UTF8CHAR   model[16];           /* blank padded */
-  CK_CHAR       serialNumber[16];    /* blank padded */
-  CK_FLAGS      flags;               /* see below */
-
-  /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount,
-   * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been
-   * changed from CK_USHORT to CK_ULONG for v2.0 */
-  CK_ULONG      ulMaxSessionCount;     /* max open sessions */
-  CK_ULONG      ulSessionCount;        /* sess. now open */
-  CK_ULONG      ulMaxRwSessionCount;   /* max R/W sessions */
-  CK_ULONG      ulRwSessionCount;      /* R/W sess. now open */
-  CK_ULONG      ulMaxPinLen;           /* in bytes */
-  CK_ULONG      ulMinPinLen;           /* in bytes */
-  CK_ULONG      ulTotalPublicMemory;   /* in bytes */
-  CK_ULONG      ulFreePublicMemory;    /* in bytes */
-  CK_ULONG      ulTotalPrivateMemory;  /* in bytes */
-  CK_ULONG      ulFreePrivateMemory;   /* in bytes */
-
-  /* hardwareVersion, firmwareVersion, and time are new for
-   * v2.0 */
-  CK_VERSION    hardwareVersion;       /* version of hardware */
-  CK_VERSION    firmwareVersion;       /* version of firmware */
-  CK_CHAR       utcTime[16];           /* time */
-} CK_TOKEN_INFO;
-
-/* The flags parameter is defined as follows:
- *      Bit Flag                    Mask        Meaning
- */
-#define CKF_RNG                     0x00000001  /* has random #
-                                                 * generator */
-#define CKF_WRITE_PROTECTED         0x00000002  /* token is
-                                                 * write-
-                                                 * protected */
-#define CKF_LOGIN_REQUIRED          0x00000004  /* user must
-                                                 * login */
-#define CKF_USER_PIN_INITIALIZED    0x00000008  /* normal user's
-                                                 * PIN is set */
-
-/* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0.  If it is set,
- * that means that *every* time the state of cryptographic
- * operations of a session is successfully saved, all keys
- * needed to continue those operations are stored in the state */
-#define CKF_RESTORE_KEY_NOT_NEEDED  0x00000020
-
-/* CKF_CLOCK_ON_TOKEN is new for v2.0.  If it is set, that means
- * that the token has some sort of clock.  The time on that
- * clock is returned in the token info structure */
-#define CKF_CLOCK_ON_TOKEN          0x00000040
-
-/* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0.  If it is
- * set, that means that there is some way for the user to login
- * without sending a PIN through the PKCS #11 library itself */
-#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100
-
-/* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0.  If it is true,
- * that means that a single session with the token can perform
- * dual simultaneous cryptographic operations (digest and
- * encrypt; decrypt and digest; sign and encrypt; and decrypt
- * and sign) */
-#define CKF_DUAL_CRYPTO_OPERATIONS  0x00000200
-
-/* CKF_TOKEN_INITIALIZED if new for v2.10. If it is true, the
- * token has been initialized using C_InitializeToken or an
- * equivalent mechanism outside the scope of PKCS #11.
- * Calling C_InitializeToken when this flag is set will cause
- * the token to be reinitialized. */
-#define CKF_TOKEN_INITIALIZED       0x00000400
-
-/* CKF_SECONDARY_AUTHENTICATION if new for v2.10. If it is
- * true, the token supports secondary authentication for
- * private key objects. This flag is deprecated in v2.11 and
-   onwards. */
-#define CKF_SECONDARY_AUTHENTICATION  0x00000800
-
-/* CKF_USER_PIN_COUNT_LOW if new for v2.10. If it is true, an
- * incorrect user login PIN has been entered at least once
- * since the last successful authentication. */
-#define CKF_USER_PIN_COUNT_LOW       0x00010000
-
-/* CKF_USER_PIN_FINAL_TRY if new for v2.10. If it is true,
- * supplying an incorrect user PIN will it to become locked. */
-#define CKF_USER_PIN_FINAL_TRY       0x00020000
-
-/* CKF_USER_PIN_LOCKED if new for v2.10. If it is true, the
- * user PIN has been locked. User login to the token is not
- * possible. */
-#define CKF_USER_PIN_LOCKED          0x00040000
-
-/* CKF_USER_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
- * the user PIN value is the default value set by token
- * initialization or manufacturing, or the PIN has been
- * expired by the card. */
-#define CKF_USER_PIN_TO_BE_CHANGED   0x00080000
-
-/* CKF_SO_PIN_COUNT_LOW if new for v2.10. If it is true, an
- * incorrect SO login PIN has been entered at least once since
- * the last successful authentication. */
-#define CKF_SO_PIN_COUNT_LOW         0x00100000
-
-/* CKF_SO_PIN_FINAL_TRY if new for v2.10. If it is true,
- * supplying an incorrect SO PIN will it to become locked. */
-#define CKF_SO_PIN_FINAL_TRY         0x00200000
-
-/* CKF_SO_PIN_LOCKED if new for v2.10. If it is true, the SO
- * PIN has been locked. SO login to the token is not possible.
- */
-#define CKF_SO_PIN_LOCKED            0x00400000
-
-/* CKF_SO_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
- * the SO PIN value is the default value set by token
- * initialization or manufacturing, or the PIN has been
- * expired by the card. */
-#define CKF_SO_PIN_TO_BE_CHANGED     0x00800000
-
-typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
-
-
-/* CK_SESSION_HANDLE is a PKCS #11-assigned value that
- * identifies a session */
-typedef CK_ULONG          CK_SESSION_HANDLE;
-
-typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR;
-
-
-/* CK_USER_TYPE enumerates the types of PKCS #11 users */
-/* CK_USER_TYPE has been changed from an enum to a CK_ULONG for
- * v2.0 */
-typedef CK_ULONG          CK_USER_TYPE;
-/* Security Officer */
-#define CKU_SO    0
-/* Normal user */
-#define CKU_USER  1
-/* Context specific (added in v2.20) */
-#define CKU_CONTEXT_SPECIFIC   2
-
-/* CK_STATE enumerates the session states */
-/* CK_STATE has been changed from an enum to a CK_ULONG for
- * v2.0 */
-typedef CK_ULONG          CK_STATE;
-#define CKS_RO_PUBLIC_SESSION  0
-#define CKS_RO_USER_FUNCTIONS  1
-#define CKS_RW_PUBLIC_SESSION  2
-#define CKS_RW_USER_FUNCTIONS  3
-#define CKS_RW_SO_FUNCTIONS    4
-
-
-/* CK_SESSION_INFO provides information about a session */
-typedef struct CK_SESSION_INFO {
-  CK_SLOT_ID    slotID;
-  CK_STATE      state;
-  CK_FLAGS      flags;          /* see below */
-
-  /* ulDeviceError was changed from CK_USHORT to CK_ULONG for
-   * v2.0 */
-  CK_ULONG      ulDeviceError;  /* device-dependent error code */
-} CK_SESSION_INFO;
-
-/* The flags are defined in the following table:
- *      Bit Flag                Mask        Meaning
- */
-#define CKF_RW_SESSION          0x00000002  /* session is r/w */
-#define CKF_SERIAL_SESSION      0x00000004  /* no parallel */
-
-typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR;
-
-
-/* CK_OBJECT_HANDLE is a token-specific identifier for an
- * object  */
-typedef CK_ULONG          CK_OBJECT_HANDLE;
-
-typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR;
-
-
-/* CK_OBJECT_CLASS is a value that identifies the classes (or
- * types) of objects that PKCS #11 recognizes.  It is defined
- * as follows: */
-/* CK_OBJECT_CLASS was changed from CK_USHORT to CK_ULONG for
- * v2.0 */
-typedef CK_ULONG          CK_OBJECT_CLASS;
-
-/* The following classes of objects are defined: */
-/* CKO_HW_FEATURE is new for v2.10 */
-/* CKO_DOMAIN_PARAMETERS is new for v2.11 */
-/* CKO_MECHANISM is new for v2.20 */
-#define CKO_DATA              0x00000000
-#define CKO_CERTIFICATE       0x00000001
-#define CKO_PUBLIC_KEY        0x00000002
-#define CKO_PRIVATE_KEY       0x00000003
-#define CKO_SECRET_KEY        0x00000004
-#define CKO_HW_FEATURE        0x00000005
-#define CKO_DOMAIN_PARAMETERS 0x00000006
-#define CKO_MECHANISM         0x00000007
-#define CKO_VENDOR_DEFINED    0x80000000
-
-typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
-
-/* CK_HW_FEATURE_TYPE is new for v2.10. CK_HW_FEATURE_TYPE is a
- * value that identifies the hardware feature type of an object
- * with CK_OBJECT_CLASS equal to CKO_HW_FEATURE. */
-typedef CK_ULONG          CK_HW_FEATURE_TYPE;
-
-/* The following hardware feature types are defined */
-/* CKH_USER_INTERFACE is new for v2.20 */
-#define CKH_MONOTONIC_COUNTER  0x00000001
-#define CKH_CLOCK           0x00000002
-#define CKH_USER_INTERFACE  0x00000003
-#define CKH_VENDOR_DEFINED  0x80000000
-
-/* CK_KEY_TYPE is a value that identifies a key type */
-/* CK_KEY_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */
-typedef CK_ULONG          CK_KEY_TYPE;
-
-/* the following key types are defined: */
-#define CKK_RSA             0x00000000
-#define CKK_DSA             0x00000001
-#define CKK_DH              0x00000002
-
-/* CKK_ECDSA and CKK_KEA are new for v2.0 */
-/* CKK_ECDSA is deprecated in v2.11, CKK_EC is preferred. */
-#define CKK_ECDSA           0x00000003
-#define CKK_EC              0x00000003
-#define CKK_X9_42_DH        0x00000004
-#define CKK_KEA             0x00000005
-
-#define CKK_GENERIC_SECRET  0x00000010
-#define CKK_RC2             0x00000011
-#define CKK_RC4             0x00000012
-#define CKK_DES             0x00000013
-#define CKK_DES2            0x00000014
-#define CKK_DES3            0x00000015
-
-/* all these key types are new for v2.0 */
-#define CKK_CAST            0x00000016
-#define CKK_CAST3           0x00000017
-/* CKK_CAST5 is deprecated in v2.11, CKK_CAST128 is preferred. */
-#define CKK_CAST5           0x00000018
-#define CKK_CAST128         0x00000018
-#define CKK_RC5             0x00000019
-#define CKK_IDEA            0x0000001A
-#define CKK_SKIPJACK        0x0000001B
-#define CKK_BATON           0x0000001C
-#define CKK_JUNIPER         0x0000001D
-#define CKK_CDMF            0x0000001E
-#define CKK_AES             0x0000001F
-
-/* BlowFish and TwoFish are new for v2.20 */
-#define CKK_BLOWFISH        0x00000020
-#define CKK_TWOFISH         0x00000021
-
-#define CKK_VENDOR_DEFINED  0x80000000
-
-
-/* CK_CERTIFICATE_TYPE is a value that identifies a certificate
- * type */
-/* CK_CERTIFICATE_TYPE was changed from CK_USHORT to CK_ULONG
- * for v2.0 */
-typedef CK_ULONG          CK_CERTIFICATE_TYPE;
-
-/* The following certificate types are defined: */
-/* CKC_X_509_ATTR_CERT is new for v2.10 */
-/* CKC_WTLS is new for v2.20 */
-#define CKC_X_509           0x00000000
-#define CKC_X_509_ATTR_CERT 0x00000001
-#define CKC_WTLS            0x00000002
-#define CKC_VENDOR_DEFINED  0x80000000
-
-
-/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute
- * type */
-/* CK_ATTRIBUTE_TYPE was changed from CK_USHORT to CK_ULONG for
- * v2.0 */
-typedef CK_ULONG          CK_ATTRIBUTE_TYPE;
-
-/* The CKF_ARRAY_ATTRIBUTE flag identifies an attribute which
-   consists of an array of values. */
-#define CKF_ARRAY_ATTRIBUTE    0x40000000
-
-/* The following attribute types are defined: */
-#define CKA_CLASS              0x00000000
-#define CKA_TOKEN              0x00000001
-#define CKA_PRIVATE            0x00000002
-#define CKA_LABEL              0x00000003
-#define CKA_APPLICATION        0x00000010
-#define CKA_VALUE              0x00000011
-
-/* CKA_OBJECT_ID is new for v2.10 */
-#define CKA_OBJECT_ID          0x00000012
-
-#define CKA_CERTIFICATE_TYPE   0x00000080
-#define CKA_ISSUER             0x00000081
-#define CKA_SERIAL_NUMBER      0x00000082
-
-/* CKA_AC_ISSUER, CKA_OWNER, and CKA_ATTR_TYPES are new
- * for v2.10 */
-#define CKA_AC_ISSUER          0x00000083
-#define CKA_OWNER              0x00000084
-#define CKA_ATTR_TYPES         0x00000085
-
-/* CKA_TRUSTED is new for v2.11 */
-#define CKA_TRUSTED            0x00000086
-
-/* CKA_CERTIFICATE_CATEGORY ...
- * CKA_CHECK_VALUE are new for v2.20 */
-#define CKA_CERTIFICATE_CATEGORY        0x00000087
-#define CKA_JAVA_MIDP_SECURITY_DOMAIN   0x00000088
-#define CKA_URL                         0x00000089
-#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY  0x0000008A
-#define CKA_HASH_OF_ISSUER_PUBLIC_KEY   0x0000008B
-#define CKA_CHECK_VALUE                 0x00000090
-
-#define CKA_KEY_TYPE           0x00000100
-#define CKA_SUBJECT            0x00000101
-#define CKA_ID                 0x00000102
-#define CKA_SENSITIVE          0x00000103
-#define CKA_ENCRYPT            0x00000104
-#define CKA_DECRYPT            0x00000105
-#define CKA_WRAP               0x00000106
-#define CKA_UNWRAP             0x00000107
-#define CKA_SIGN               0x00000108
-#define CKA_SIGN_RECOVER       0x00000109
-#define CKA_VERIFY             0x0000010A
-#define CKA_VERIFY_RECOVER     0x0000010B
-#define CKA_DERIVE             0x0000010C
-#define CKA_START_DATE         0x00000110
-#define CKA_END_DATE           0x00000111
-#define CKA_MODULUS            0x00000120
-#define CKA_MODULUS_BITS       0x00000121
-#define CKA_PUBLIC_EXPONENT    0x00000122
-#define CKA_PRIVATE_EXPONENT   0x00000123
-#define CKA_PRIME_1            0x00000124
-#define CKA_PRIME_2            0x00000125
-#define CKA_EXPONENT_1         0x00000126
-#define CKA_EXPONENT_2         0x00000127
-#define CKA_COEFFICIENT        0x00000128
-#define CKA_PRIME              0x00000130
-#define CKA_SUBPRIME           0x00000131
-#define CKA_BASE               0x00000132
-
-/* CKA_PRIME_BITS and CKA_SUB_PRIME_BITS are new for v2.11 */
-#define CKA_PRIME_BITS         0x00000133
-#define CKA_SUBPRIME_BITS      0x00000134
-#define CKA_SUB_PRIME_BITS     CKA_SUBPRIME_BITS
-/* (To retain backwards-compatibility) */
-
-#define CKA_VALUE_BITS         0x00000160
-#define CKA_VALUE_LEN          0x00000161
-
-/* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE,
- * CKA_ALWAYS_SENSITIVE, CKA_MODIFIABLE, CKA_ECDSA_PARAMS,
- * and CKA_EC_POINT are new for v2.0 */
-#define CKA_EXTRACTABLE        0x00000162
-#define CKA_LOCAL              0x00000163
-#define CKA_NEVER_EXTRACTABLE  0x00000164
-#define CKA_ALWAYS_SENSITIVE   0x00000165
-
-/* CKA_KEY_GEN_MECHANISM is new for v2.11 */
-#define CKA_KEY_GEN_MECHANISM  0x00000166
-
-#define CKA_MODIFIABLE         0x00000170
-
-/* CKA_ECDSA_PARAMS is deprecated in v2.11,
- * CKA_EC_PARAMS is preferred. */
-#define CKA_ECDSA_PARAMS       0x00000180
-#define CKA_EC_PARAMS          0x00000180
-
-#define CKA_EC_POINT           0x00000181
-
-/* CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS,
- * are new for v2.10. Deprecated in v2.11 and onwards. */
-#define CKA_SECONDARY_AUTH     0x00000200
-#define CKA_AUTH_PIN_FLAGS     0x00000201
-
-/* CKA_ALWAYS_AUTHENTICATE ...
- * CKA_UNWRAP_TEMPLATE are new for v2.20 */
-#define CKA_ALWAYS_AUTHENTICATE  0x00000202
-
-#define CKA_WRAP_WITH_TRUSTED    0x00000210
-#define CKA_WRAP_TEMPLATE        (CKF_ARRAY_ATTRIBUTE|0x00000211)
-#define CKA_UNWRAP_TEMPLATE      (CKF_ARRAY_ATTRIBUTE|0x00000212)
-
-/* CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, and CKA_HAS_RESET
- * are new for v2.10 */
-#define CKA_HW_FEATURE_TYPE    0x00000300
-#define CKA_RESET_ON_INIT      0x00000301
-#define CKA_HAS_RESET          0x00000302
-
-/* The following attributes are new for v2.20 */
-#define CKA_PIXEL_X                     0x00000400
-#define CKA_PIXEL_Y                     0x00000401
-#define CKA_RESOLUTION                  0x00000402
-#define CKA_CHAR_ROWS                   0x00000403
-#define CKA_CHAR_COLUMNS                0x00000404
-#define CKA_COLOR                       0x00000405
-#define CKA_BITS_PER_PIXEL              0x00000406
-#define CKA_CHAR_SETS                   0x00000480
-#define CKA_ENCODING_METHODS            0x00000481
-#define CKA_MIME_TYPES                  0x00000482
-#define CKA_MECHANISM_TYPE              0x00000500
-#define CKA_REQUIRED_CMS_ATTRIBUTES     0x00000501
-#define CKA_DEFAULT_CMS_ATTRIBUTES      0x00000502
-#define CKA_SUPPORTED_CMS_ATTRIBUTES    0x00000503
-#define CKA_ALLOWED_MECHANISMS          (CKF_ARRAY_ATTRIBUTE|0x00000600)
-
-#define CKA_VENDOR_DEFINED     0x80000000
-
-
-/* CK_ATTRIBUTE is a structure that includes the type, length
- * and value of an attribute */
-typedef struct CK_ATTRIBUTE {
-  CK_ATTRIBUTE_TYPE type;
-  CK_VOID_PTR       pValue;
-
-  /* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */
-  CK_ULONG          ulValueLen;  /* in bytes */
-} CK_ATTRIBUTE;
-
-typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR;
-
-
-/* CK_DATE is a structure that defines a date */
-typedef struct CK_DATE{
-  CK_CHAR       year[4];   /* the year ("1900" - "9999") */
-  CK_CHAR       month[2];  /* the month ("01" - "12") */
-  CK_CHAR       day[2];    /* the day   ("01" - "31") */
-} CK_DATE;
-
-
-/* CK_MECHANISM_TYPE is a value that identifies a mechanism
- * type */
-/* CK_MECHANISM_TYPE was changed from CK_USHORT to CK_ULONG for
- * v2.0 */
-typedef CK_ULONG          CK_MECHANISM_TYPE;
-
-/* the following mechanism types are defined: */
-#define CKM_RSA_PKCS_KEY_PAIR_GEN      0x00000000
-#define CKM_RSA_PKCS                   0x00000001
-#define CKM_RSA_9796                   0x00000002
-#define CKM_RSA_X_509                  0x00000003
-
-/* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS
- * are new for v2.0.  They are mechanisms which hash and sign */
-#define CKM_MD2_RSA_PKCS               0x00000004
-#define CKM_MD5_RSA_PKCS               0x00000005
-#define CKM_SHA1_RSA_PKCS              0x00000006
-
-/* CKM_RIPEMD128_RSA_PKCS, CKM_RIPEMD160_RSA_PKCS, and
- * CKM_RSA_PKCS_OAEP are new for v2.10 */
-#define CKM_RIPEMD128_RSA_PKCS         0x00000007
-#define CKM_RIPEMD160_RSA_PKCS         0x00000008
-#define CKM_RSA_PKCS_OAEP              0x00000009
-
-/* CKM_RSA_X9_31_KEY_PAIR_GEN, CKM_RSA_X9_31, CKM_SHA1_RSA_X9_31,
- * CKM_RSA_PKCS_PSS, and CKM_SHA1_RSA_PKCS_PSS are new for v2.11 */
-#define CKM_RSA_X9_31_KEY_PAIR_GEN     0x0000000A
-#define CKM_RSA_X9_31                  0x0000000B
-#define CKM_SHA1_RSA_X9_31             0x0000000C
-#define CKM_RSA_PKCS_PSS               0x0000000D
-#define CKM_SHA1_RSA_PKCS_PSS          0x0000000E
-
-#define CKM_DSA_KEY_PAIR_GEN           0x00000010
-#define CKM_DSA                        0x00000011
-#define CKM_DSA_SHA1                   0x00000012
-#define CKM_DH_PKCS_KEY_PAIR_GEN       0x00000020
-#define CKM_DH_PKCS_DERIVE             0x00000021
-
-/* CKM_X9_42_DH_KEY_PAIR_GEN, CKM_X9_42_DH_DERIVE,
- * CKM_X9_42_DH_HYBRID_DERIVE, and CKM_X9_42_MQV_DERIVE are new for
- * v2.11 */
-#define CKM_X9_42_DH_KEY_PAIR_GEN      0x00000030
-#define CKM_X9_42_DH_DERIVE            0x00000031
-#define CKM_X9_42_DH_HYBRID_DERIVE     0x00000032
-#define CKM_X9_42_MQV_DERIVE           0x00000033
-
-/* CKM_SHA256/384/512 are new for v2.20 */
-#define CKM_SHA256_RSA_PKCS            0x00000040
-#define CKM_SHA384_RSA_PKCS            0x00000041
-#define CKM_SHA512_RSA_PKCS            0x00000042
-#define CKM_SHA256_RSA_PKCS_PSS        0x00000043
-#define CKM_SHA384_RSA_PKCS_PSS        0x00000044
-#define CKM_SHA512_RSA_PKCS_PSS        0x00000045
-
-#define CKM_RC2_KEY_GEN                0x00000100
-#define CKM_RC2_ECB                    0x00000101
-#define CKM_RC2_CBC                    0x00000102
-#define CKM_RC2_MAC                    0x00000103
-
-/* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new for v2.0 */
-#define CKM_RC2_MAC_GENERAL            0x00000104
-#define CKM_RC2_CBC_PAD                0x00000105
-
-#define CKM_RC4_KEY_GEN                0x00000110
-#define CKM_RC4                        0x00000111
-#define CKM_DES_KEY_GEN                0x00000120
-#define CKM_DES_ECB                    0x00000121
-#define CKM_DES_CBC                    0x00000122
-#define CKM_DES_MAC                    0x00000123
-
-/* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new for v2.0 */
-#define CKM_DES_MAC_GENERAL            0x00000124
-#define CKM_DES_CBC_PAD                0x00000125
-
-#define CKM_DES2_KEY_GEN               0x00000130
-#define CKM_DES3_KEY_GEN               0x00000131
-#define CKM_DES3_ECB                   0x00000132
-#define CKM_DES3_CBC                   0x00000133
-#define CKM_DES3_MAC                   0x00000134
-
-/* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN,
- * CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC,
- * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */
-#define CKM_DES3_MAC_GENERAL           0x00000135
-#define CKM_DES3_CBC_PAD               0x00000136
-#define CKM_CDMF_KEY_GEN               0x00000140
-#define CKM_CDMF_ECB                   0x00000141
-#define CKM_CDMF_CBC                   0x00000142
-#define CKM_CDMF_MAC                   0x00000143
-#define CKM_CDMF_MAC_GENERAL           0x00000144
-#define CKM_CDMF_CBC_PAD               0x00000145
-
-/* the following four DES mechanisms are new for v2.20 */
-#define CKM_DES_OFB64                  0x00000150
-#define CKM_DES_OFB8                   0x00000151
-#define CKM_DES_CFB64                  0x00000152
-#define CKM_DES_CFB8                   0x00000153
-
-#define CKM_MD2                        0x00000200
-
-/* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new for v2.0 */
-#define CKM_MD2_HMAC                   0x00000201
-#define CKM_MD2_HMAC_GENERAL           0x00000202
-
-#define CKM_MD5                        0x00000210
-
-/* CKM_MD5_HMAC and CKM_MD5_HMAC_GENERAL are new for v2.0 */
-#define CKM_MD5_HMAC                   0x00000211
-#define CKM_MD5_HMAC_GENERAL           0x00000212
-
-#define CKM_SHA_1                      0x00000220
-
-/* CKM_SHA_1_HMAC and CKM_SHA_1_HMAC_GENERAL are new for v2.0 */
-#define CKM_SHA_1_HMAC                 0x00000221
-#define CKM_SHA_1_HMAC_GENERAL         0x00000222
-
-/* CKM_RIPEMD128, CKM_RIPEMD128_HMAC,
- * CKM_RIPEMD128_HMAC_GENERAL, CKM_RIPEMD160, CKM_RIPEMD160_HMAC,
- * and CKM_RIPEMD160_HMAC_GENERAL are new for v2.10 */
-#define CKM_RIPEMD128                  0x00000230
-#define CKM_RIPEMD128_HMAC             0x00000231
-#define CKM_RIPEMD128_HMAC_GENERAL     0x00000232
-#define CKM_RIPEMD160                  0x00000240
-#define CKM_RIPEMD160_HMAC             0x00000241
-#define CKM_RIPEMD160_HMAC_GENERAL     0x00000242
-
-/* CKM_SHA256/384/512 are new for v2.20 */
-#define CKM_SHA256                     0x00000250
-#define CKM_SHA256_HMAC                0x00000251
-#define CKM_SHA256_HMAC_GENERAL        0x00000252
-#define CKM_SHA384                     0x00000260
-#define CKM_SHA384_HMAC                0x00000261
-#define CKM_SHA384_HMAC_GENERAL        0x00000262
-#define CKM_SHA512                     0x00000270
-#define CKM_SHA512_HMAC                0x00000271
-#define CKM_SHA512_HMAC_GENERAL        0x00000272
-
-/* All of the following mechanisms are new for v2.0 */
-/* Note that CAST128 and CAST5 are the same algorithm */
-#define CKM_CAST_KEY_GEN               0x00000300
-#define CKM_CAST_ECB                   0x00000301
-#define CKM_CAST_CBC                   0x00000302
-#define CKM_CAST_MAC                   0x00000303
-#define CKM_CAST_MAC_GENERAL           0x00000304
-#define CKM_CAST_CBC_PAD               0x00000305
-#define CKM_CAST3_KEY_GEN              0x00000310
-#define CKM_CAST3_ECB                  0x00000311
-#define CKM_CAST3_CBC                  0x00000312
-#define CKM_CAST3_MAC                  0x00000313
-#define CKM_CAST3_MAC_GENERAL          0x00000314
-#define CKM_CAST3_CBC_PAD              0x00000315
-#define CKM_CAST5_KEY_GEN              0x00000320
-#define CKM_CAST128_KEY_GEN            0x00000320
-#define CKM_CAST5_ECB                  0x00000321
-#define CKM_CAST128_ECB                0x00000321
-#define CKM_CAST5_CBC                  0x00000322
-#define CKM_CAST128_CBC                0x00000322
-#define CKM_CAST5_MAC                  0x00000323
-#define CKM_CAST128_MAC                0x00000323
-#define CKM_CAST5_MAC_GENERAL          0x00000324
-#define CKM_CAST128_MAC_GENERAL        0x00000324
-#define CKM_CAST5_CBC_PAD              0x00000325
-#define CKM_CAST128_CBC_PAD            0x00000325
-#define CKM_RC5_KEY_GEN                0x00000330
-#define CKM_RC5_ECB                    0x00000331
-#define CKM_RC5_CBC                    0x00000332
-#define CKM_RC5_MAC                    0x00000333
-#define CKM_RC5_MAC_GENERAL            0x00000334
-#define CKM_RC5_CBC_PAD                0x00000335
-#define CKM_IDEA_KEY_GEN               0x00000340
-#define CKM_IDEA_ECB                   0x00000341
-#define CKM_IDEA_CBC                   0x00000342
-#define CKM_IDEA_MAC                   0x00000343
-#define CKM_IDEA_MAC_GENERAL           0x00000344
-#define CKM_IDEA_CBC_PAD               0x00000345
-#define CKM_GENERIC_SECRET_KEY_GEN     0x00000350
-#define CKM_CONCATENATE_BASE_AND_KEY   0x00000360
-#define CKM_CONCATENATE_BASE_AND_DATA  0x00000362
-#define CKM_CONCATENATE_DATA_AND_BASE  0x00000363
-#define CKM_XOR_BASE_AND_DATA          0x00000364
-#define CKM_EXTRACT_KEY_FROM_KEY       0x00000365
-#define CKM_SSL3_PRE_MASTER_KEY_GEN    0x00000370
-#define CKM_SSL3_MASTER_KEY_DERIVE     0x00000371
-#define CKM_SSL3_KEY_AND_MAC_DERIVE    0x00000372
-
-/* CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_TLS_PRE_MASTER_KEY_GEN,
- * CKM_TLS_MASTER_KEY_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE, and
- * CKM_TLS_MASTER_KEY_DERIVE_DH are new for v2.11 */
-#define CKM_SSL3_MASTER_KEY_DERIVE_DH  0x00000373
-#define CKM_TLS_PRE_MASTER_KEY_GEN     0x00000374
-#define CKM_TLS_MASTER_KEY_DERIVE      0x00000375
-#define CKM_TLS_KEY_AND_MAC_DERIVE     0x00000376
-#define CKM_TLS_MASTER_KEY_DERIVE_DH   0x00000377
-
-/* CKM_TLS_PRF is new for v2.20 */
-#define CKM_TLS_PRF                    0x00000378
-
-#define CKM_SSL3_MD5_MAC               0x00000380
-#define CKM_SSL3_SHA1_MAC              0x00000381
-#define CKM_MD5_KEY_DERIVATION         0x00000390
-#define CKM_MD2_KEY_DERIVATION         0x00000391
-#define CKM_SHA1_KEY_DERIVATION        0x00000392
-
-/* CKM_SHA256/384/512 are new for v2.20 */
-#define CKM_SHA256_KEY_DERIVATION      0x00000393
-#define CKM_SHA384_KEY_DERIVATION      0x00000394
-#define CKM_SHA512_KEY_DERIVATION      0x00000395
-
-#define CKM_PBE_MD2_DES_CBC            0x000003A0
-#define CKM_PBE_MD5_DES_CBC            0x000003A1
-#define CKM_PBE_MD5_CAST_CBC           0x000003A2
-#define CKM_PBE_MD5_CAST3_CBC          0x000003A3
-#define CKM_PBE_MD5_CAST5_CBC          0x000003A4
-#define CKM_PBE_MD5_CAST128_CBC        0x000003A4
-#define CKM_PBE_SHA1_CAST5_CBC         0x000003A5
-#define CKM_PBE_SHA1_CAST128_CBC       0x000003A5
-#define CKM_PBE_SHA1_RC4_128           0x000003A6
-#define CKM_PBE_SHA1_RC4_40            0x000003A7
-#define CKM_PBE_SHA1_DES3_EDE_CBC      0x000003A8
-#define CKM_PBE_SHA1_DES2_EDE_CBC      0x000003A9
-#define CKM_PBE_SHA1_RC2_128_CBC       0x000003AA
-#define CKM_PBE_SHA1_RC2_40_CBC        0x000003AB
-
-/* CKM_PKCS5_PBKD2 is new for v2.10 */
-#define CKM_PKCS5_PBKD2                0x000003B0
-
-#define CKM_PBA_SHA1_WITH_SHA1_HMAC    0x000003C0
-
-/* WTLS mechanisms are new for v2.20 */
-#define CKM_WTLS_PRE_MASTER_KEY_GEN         0x000003D0
-#define CKM_WTLS_MASTER_KEY_DERIVE          0x000003D1
-#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC   0x000003D2
-#define CKM_WTLS_PRF                        0x000003D3
-#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE  0x000003D4
-#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE  0x000003D5
-
-#define CKM_KEY_WRAP_LYNKS             0x00000400
-#define CKM_KEY_WRAP_SET_OAEP          0x00000401
-
-/* CKM_CMS_SIG is new for v2.20 */
-#define CKM_CMS_SIG                    0x00000500
-
-/* Fortezza mechanisms */
-#define CKM_SKIPJACK_KEY_GEN           0x00001000
-#define CKM_SKIPJACK_ECB64             0x00001001
-#define CKM_SKIPJACK_CBC64             0x00001002
-#define CKM_SKIPJACK_OFB64             0x00001003
-#define CKM_SKIPJACK_CFB64             0x00001004
-#define CKM_SKIPJACK_CFB32             0x00001005
-#define CKM_SKIPJACK_CFB16             0x00001006
-#define CKM_SKIPJACK_CFB8              0x00001007
-#define CKM_SKIPJACK_WRAP              0x00001008
-#define CKM_SKIPJACK_PRIVATE_WRAP      0x00001009
-#define CKM_SKIPJACK_RELAYX            0x0000100a
-#define CKM_KEA_KEY_PAIR_GEN           0x00001010
-#define CKM_KEA_KEY_DERIVE             0x00001011
-#define CKM_FORTEZZA_TIMESTAMP         0x00001020
-#define CKM_BATON_KEY_GEN              0x00001030
-#define CKM_BATON_ECB128               0x00001031
-#define CKM_BATON_ECB96                0x00001032
-#define CKM_BATON_CBC128               0x00001033
-#define CKM_BATON_COUNTER              0x00001034
-#define CKM_BATON_SHUFFLE              0x00001035
-#define CKM_BATON_WRAP                 0x00001036
-
-/* CKM_ECDSA_KEY_PAIR_GEN is deprecated in v2.11,
- * CKM_EC_KEY_PAIR_GEN is preferred */
-#define CKM_ECDSA_KEY_PAIR_GEN         0x00001040
-#define CKM_EC_KEY_PAIR_GEN            0x00001040
-
-#define CKM_ECDSA                      0x00001041
-#define CKM_ECDSA_SHA1                 0x00001042
-
-/* CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE, and CKM_ECMQV_DERIVE
- * are new for v2.11 */
-#define CKM_ECDH1_DERIVE               0x00001050
-#define CKM_ECDH1_COFACTOR_DERIVE      0x00001051
-#define CKM_ECMQV_DERIVE               0x00001052
-
-#define CKM_JUNIPER_KEY_GEN            0x00001060
-#define CKM_JUNIPER_ECB128             0x00001061
-#define CKM_JUNIPER_CBC128             0x00001062
-#define CKM_JUNIPER_COUNTER            0x00001063
-#define CKM_JUNIPER_SHUFFLE            0x00001064
-#define CKM_JUNIPER_WRAP               0x00001065
-#define CKM_FASTHASH                   0x00001070
-
-/* CKM_AES_KEY_GEN, CKM_AES_ECB, CKM_AES_CBC, CKM_AES_MAC,
- * CKM_AES_MAC_GENERAL, CKM_AES_CBC_PAD, CKM_DSA_PARAMETER_GEN,
- * CKM_DH_PKCS_PARAMETER_GEN, and CKM_X9_42_DH_PARAMETER_GEN are
- * new for v2.11 */
-#define CKM_AES_KEY_GEN                0x00001080
-#define CKM_AES_ECB                    0x00001081
-#define CKM_AES_CBC                    0x00001082
-#define CKM_AES_MAC                    0x00001083
-#define CKM_AES_MAC_GENERAL            0x00001084
-#define CKM_AES_CBC_PAD                0x00001085
-
-/* BlowFish and TwoFish are new for v2.20 */
-#define CKM_BLOWFISH_KEY_GEN           0x00001090
-#define CKM_BLOWFISH_CBC               0x00001091
-#define CKM_TWOFISH_KEY_GEN            0x00001092
-#define CKM_TWOFISH_CBC                0x00001093
-
-
-/* CKM_xxx_ENCRYPT_DATA mechanisms are new for v2.20 */
-#define CKM_DES_ECB_ENCRYPT_DATA       0x00001100
-#define CKM_DES_CBC_ENCRYPT_DATA       0x00001101
-#define CKM_DES3_ECB_ENCRYPT_DATA      0x00001102
-#define CKM_DES3_CBC_ENCRYPT_DATA      0x00001103
-#define CKM_AES_ECB_ENCRYPT_DATA       0x00001104
-#define CKM_AES_CBC_ENCRYPT_DATA       0x00001105
-
-#define CKM_DSA_PARAMETER_GEN          0x00002000
-#define CKM_DH_PKCS_PARAMETER_GEN      0x00002001
-#define CKM_X9_42_DH_PARAMETER_GEN     0x00002002
-
-#define CKM_VENDOR_DEFINED             0x80000000
-
-typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
-
-
-/* CK_MECHANISM is a structure that specifies a particular
- * mechanism  */
-typedef struct CK_MECHANISM {
-  CK_MECHANISM_TYPE mechanism;
-  CK_VOID_PTR       pParameter;
-
-  /* ulParameterLen was changed from CK_USHORT to CK_ULONG for
-   * v2.0 */
-  CK_ULONG          ulParameterLen;  /* in bytes */
-} CK_MECHANISM;
-
-typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR;
-
-
-/* CK_MECHANISM_INFO provides information about a particular
- * mechanism */
-typedef struct CK_MECHANISM_INFO {
-    CK_ULONG    ulMinKeySize;
-    CK_ULONG    ulMaxKeySize;
-    CK_FLAGS    flags;
-} CK_MECHANISM_INFO;
-
-/* The flags are defined as follows:
- *      Bit Flag               Mask        Meaning */
-#define CKF_HW                 0x00000001  /* performed by HW */
-
-/* The flags CKF_ENCRYPT, CKF_DECRYPT, CKF_DIGEST, CKF_SIGN,
- * CKG_SIGN_RECOVER, CKF_VERIFY, CKF_VERIFY_RECOVER,
- * CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, CKF_UNWRAP,
- * and CKF_DERIVE are new for v2.0.  They specify whether or not
- * a mechanism can be used for a particular task */
-#define CKF_ENCRYPT            0x00000100
-#define CKF_DECRYPT            0x00000200
-#define CKF_DIGEST             0x00000400
-#define CKF_SIGN               0x00000800
-#define CKF_SIGN_RECOVER       0x00001000
-#define CKF_VERIFY             0x00002000
-#define CKF_VERIFY_RECOVER     0x00004000
-#define CKF_GENERATE           0x00008000
-#define CKF_GENERATE_KEY_PAIR  0x00010000
-#define CKF_WRAP               0x00020000
-#define CKF_UNWRAP             0x00040000
-#define CKF_DERIVE             0x00080000
-
-/* CKF_EC_F_P, CKF_EC_F_2M, CKF_EC_ECPARAMETERS, CKF_EC_NAMEDCURVE,
- * CKF_EC_UNCOMPRESS, and CKF_EC_COMPRESS are new for v2.11. They
- * describe a token's EC capabilities not available in mechanism
- * information. */
-#define CKF_EC_F_P             0x00100000
-#define CKF_EC_F_2M            0x00200000
-#define CKF_EC_ECPARAMETERS    0x00400000
-#define CKF_EC_NAMEDCURVE      0x00800000
-#define CKF_EC_UNCOMPRESS      0x01000000
-#define CKF_EC_COMPRESS        0x02000000
-
-#define CKF_EXTENSION          0x80000000 /* FALSE for this version */
-
-typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR;
-
-
-/* CK_RV is a value that identifies the return value of a
- * PKCS #11 function */
-/* CK_RV was changed from CK_USHORT to CK_ULONG for v2.0 */
-typedef CK_ULONG          CK_RV;
-
-#define CKR_OK                                0x00000000
-#define CKR_CANCEL                            0x00000001
-#define CKR_HOST_MEMORY                       0x00000002
-#define CKR_SLOT_ID_INVALID                   0x00000003
-
-/* CKR_FLAGS_INVALID was removed for v2.0 */
-
-/* CKR_GENERAL_ERROR and CKR_FUNCTION_FAILED are new for v2.0 */
-#define CKR_GENERAL_ERROR                     0x00000005
-#define CKR_FUNCTION_FAILED                   0x00000006
-
-/* CKR_ARGUMENTS_BAD, CKR_NO_EVENT, CKR_NEED_TO_CREATE_THREADS,
- * and CKR_CANT_LOCK are new for v2.01 */
-#define CKR_ARGUMENTS_BAD                     0x00000007
-#define CKR_NO_EVENT                          0x00000008
-#define CKR_NEED_TO_CREATE_THREADS            0x00000009
-#define CKR_CANT_LOCK                         0x0000000A
-
-#define CKR_ATTRIBUTE_READ_ONLY               0x00000010
-#define CKR_ATTRIBUTE_SENSITIVE               0x00000011
-#define CKR_ATTRIBUTE_TYPE_INVALID            0x00000012
-#define CKR_ATTRIBUTE_VALUE_INVALID           0x00000013
-#define CKR_DATA_INVALID                      0x00000020
-#define CKR_DATA_LEN_RANGE                    0x00000021
-#define CKR_DEVICE_ERROR                      0x00000030
-#define CKR_DEVICE_MEMORY                     0x00000031
-#define CKR_DEVICE_REMOVED                    0x00000032
-#define CKR_ENCRYPTED_DATA_INVALID            0x00000040
-#define CKR_ENCRYPTED_DATA_LEN_RANGE          0x00000041
-#define CKR_FUNCTION_CANCELED                 0x00000050
-#define CKR_FUNCTION_NOT_PARALLEL             0x00000051
-
-/* CKR_FUNCTION_NOT_SUPPORTED is new for v2.0 */
-#define CKR_FUNCTION_NOT_SUPPORTED            0x00000054
-
-#define CKR_KEY_HANDLE_INVALID                0x00000060
-
-/* CKR_KEY_SENSITIVE was removed for v2.0 */
-
-#define CKR_KEY_SIZE_RANGE                    0x00000062
-#define CKR_KEY_TYPE_INCONSISTENT             0x00000063
-
-/* CKR_KEY_NOT_NEEDED, CKR_KEY_CHANGED, CKR_KEY_NEEDED,
- * CKR_KEY_INDIGESTIBLE, CKR_KEY_FUNCTION_NOT_PERMITTED,
- * CKR_KEY_NOT_WRAPPABLE, and CKR_KEY_UNEXTRACTABLE are new for
- * v2.0 */
-#define CKR_KEY_NOT_NEEDED                    0x00000064
-#define CKR_KEY_CHANGED                       0x00000065
-#define CKR_KEY_NEEDED                        0x00000066
-#define CKR_KEY_INDIGESTIBLE                  0x00000067
-#define CKR_KEY_FUNCTION_NOT_PERMITTED        0x00000068
-#define CKR_KEY_NOT_WRAPPABLE                 0x00000069
-#define CKR_KEY_UNEXTRACTABLE                 0x0000006A
-
-#define CKR_MECHANISM_INVALID                 0x00000070
-#define CKR_MECHANISM_PARAM_INVALID           0x00000071
-
-/* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID
- * were removed for v2.0 */
-#define CKR_OBJECT_HANDLE_INVALID             0x00000082
-#define CKR_OPERATION_ACTIVE                  0x00000090
-#define CKR_OPERATION_NOT_INITIALIZED         0x00000091
-#define CKR_PIN_INCORRECT                     0x000000A0
-#define CKR_PIN_INVALID                       0x000000A1
-#define CKR_PIN_LEN_RANGE                     0x000000A2
-
-/* CKR_PIN_EXPIRED and CKR_PIN_LOCKED are new for v2.0 */
-#define CKR_PIN_EXPIRED                       0x000000A3
-#define CKR_PIN_LOCKED                        0x000000A4
-
-#define CKR_SESSION_CLOSED                    0x000000B0
-#define CKR_SESSION_COUNT                     0x000000B1
-#define CKR_SESSION_HANDLE_INVALID            0x000000B3
-#define CKR_SESSION_PARALLEL_NOT_SUPPORTED    0x000000B4
-#define CKR_SESSION_READ_ONLY                 0x000000B5
-#define CKR_SESSION_EXISTS                    0x000000B6
-
-/* CKR_SESSION_READ_ONLY_EXISTS and
- * CKR_SESSION_READ_WRITE_SO_EXISTS are new for v2.0 */
-#define CKR_SESSION_READ_ONLY_EXISTS          0x000000B7
-#define CKR_SESSION_READ_WRITE_SO_EXISTS      0x000000B8
-
-#define CKR_SIGNATURE_INVALID                 0x000000C0
-#define CKR_SIGNATURE_LEN_RANGE               0x000000C1
-#define CKR_TEMPLATE_INCOMPLETE               0x000000D0
-#define CKR_TEMPLATE_INCONSISTENT             0x000000D1
-#define CKR_TOKEN_NOT_PRESENT                 0x000000E0
-#define CKR_TOKEN_NOT_RECOGNIZED              0x000000E1
-#define CKR_TOKEN_WRITE_PROTECTED             0x000000E2
-#define CKR_UNWRAPPING_KEY_HANDLE_INVALID     0x000000F0
-#define CKR_UNWRAPPING_KEY_SIZE_RANGE         0x000000F1
-#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT  0x000000F2
-#define CKR_USER_ALREADY_LOGGED_IN            0x00000100
-#define CKR_USER_NOT_LOGGED_IN                0x00000101
-#define CKR_USER_PIN_NOT_INITIALIZED          0x00000102
-#define CKR_USER_TYPE_INVALID                 0x00000103
-
-/* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES
- * are new to v2.01 */
-#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN    0x00000104
-#define CKR_USER_TOO_MANY_TYPES               0x00000105
-
-#define CKR_WRAPPED_KEY_INVALID               0x00000110
-#define CKR_WRAPPED_KEY_LEN_RANGE             0x00000112
-#define CKR_WRAPPING_KEY_HANDLE_INVALID       0x00000113
-#define CKR_WRAPPING_KEY_SIZE_RANGE           0x00000114
-#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT    0x00000115
-#define CKR_RANDOM_SEED_NOT_SUPPORTED         0x00000120
-
-/* These are new to v2.0 */
-#define CKR_RANDOM_NO_RNG                     0x00000121
-
-/* These are new to v2.11 */
-#define CKR_DOMAIN_PARAMS_INVALID             0x00000130
-
-/* These are new to v2.0 */
-#define CKR_BUFFER_TOO_SMALL                  0x00000150
-#define CKR_SAVED_STATE_INVALID               0x00000160
-#define CKR_INFORMATION_SENSITIVE             0x00000170
-#define CKR_STATE_UNSAVEABLE                  0x00000180
-
-/* These are new to v2.01 */
-#define CKR_CRYPTOKI_NOT_INITIALIZED          0x00000190
-#define CKR_CRYPTOKI_ALREADY_INITIALIZED      0x00000191
-#define CKR_MUTEX_BAD                         0x000001A0
-#define CKR_MUTEX_NOT_LOCKED                  0x000001A1
-
-/* This is new to v2.20 */
-#define CKR_FUNCTION_REJECTED                 0x00000200
-
-#define CKR_VENDOR_DEFINED                    0x80000000
-
-
-/* CK_NOTIFY is an application callback that processes events */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)(
-  CK_SESSION_HANDLE hSession,     /* the session's handle */
-  CK_NOTIFICATION   event,
-  CK_VOID_PTR       pApplication  /* passed to C_OpenSession */
-);
-
-
-/* CK_FUNCTION_LIST is a structure holding a PKCS #11 spec
- * version and pointers of appropriate types to all the
- * PKCS #11 functions */
-/* CK_FUNCTION_LIST is new for v2.0 */
-typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;
-
-typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR;
-
-typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR;
-
-
-/* CK_CREATEMUTEX is an application callback for creating a
- * mutex object */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)(
-  CK_VOID_PTR_PTR ppMutex  /* location to receive ptr to mutex */
-);
-
-
-/* CK_DESTROYMUTEX is an application callback for destroying a
- * mutex object */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)(
-  CK_VOID_PTR pMutex  /* pointer to mutex */
-);
-
-
-/* CK_LOCKMUTEX is an application callback for locking a mutex */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)(
-  CK_VOID_PTR pMutex  /* pointer to mutex */
-);
-
-
-/* CK_UNLOCKMUTEX is an application callback for unlocking a
- * mutex */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)(
-  CK_VOID_PTR pMutex  /* pointer to mutex */
-);
-
-
-/* CK_C_INITIALIZE_ARGS provides the optional arguments to
- * C_Initialize */
-typedef struct CK_C_INITIALIZE_ARGS {
-  CK_CREATEMUTEX CreateMutex;
-  CK_DESTROYMUTEX DestroyMutex;
-  CK_LOCKMUTEX LockMutex;
-  CK_UNLOCKMUTEX UnlockMutex;
-  CK_FLAGS flags;
-  /* The official PKCS #11 spec does not have a 'LibraryParameters' field, but
-   * a reserved field. NSS needs a way to pass instance-specific information
-   * to the library (like where to find its config files, etc). This
-   * information is usually provided by the installer and passed uninterpreted
-   * by NSS to the library, though NSS does know the specifics of the softoken
-   * version of this parameter. Most compliant PKCS#11 modules expect this 
-   * parameter to be NULL, and will return CKR_ARGUMENTS_BAD from
-   * C_Initialize if Library parameters is supplied. */
-  CK_CHAR_PTR *LibraryParameters;
-  /* This field is only present if the LibraryParameters is not NULL. It must
-   * be NULL in all cases */
-  CK_VOID_PTR pReserved;
-} CK_C_INITIALIZE_ARGS;
-
-/* flags: bit flags that provide capabilities of the slot
- *      Bit Flag                           Mask       Meaning
- */
-#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001
-#define CKF_OS_LOCKING_OK                  0x00000002
-
-typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR;
-
-
-/* additional flags for parameters to functions */
-
-/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */
-#define CKF_DONT_BLOCK     1
-
-/* CK_RSA_PKCS_OAEP_MGF_TYPE is new for v2.10.
- * CK_RSA_PKCS_OAEP_MGF_TYPE  is used to indicate the Message
- * Generation Function (MGF) applied to a message block when
- * formatting a message block for the PKCS #1 OAEP encryption
- * scheme. */
-typedef CK_ULONG CK_RSA_PKCS_MGF_TYPE;
-
-typedef CK_RSA_PKCS_MGF_TYPE CK_PTR CK_RSA_PKCS_MGF_TYPE_PTR;
-
-/* The following MGFs are defined */
-/* CKG_MGF1_SHA256, CKG_MGF1_SHA384, and CKG_MGF1_SHA512
- * are new for v2.20 */
-#define CKG_MGF1_SHA1         0x00000001
-#define CKG_MGF1_SHA256       0x00000002
-#define CKG_MGF1_SHA384       0x00000003
-#define CKG_MGF1_SHA512       0x00000004
-
-/* CK_RSA_PKCS_OAEP_SOURCE_TYPE is new for v2.10.
- * CK_RSA_PKCS_OAEP_SOURCE_TYPE  is used to indicate the source
- * of the encoding parameter when formatting a message block
- * for the PKCS #1 OAEP encryption scheme. */
-typedef CK_ULONG CK_RSA_PKCS_OAEP_SOURCE_TYPE;
-
-typedef CK_RSA_PKCS_OAEP_SOURCE_TYPE CK_PTR CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTR;
-
-/* The following encoding parameter sources are defined */
-#define CKZ_DATA_SPECIFIED    0x00000001
-
-/* CK_RSA_PKCS_OAEP_PARAMS is new for v2.10.
- * CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the
- * CKM_RSA_PKCS_OAEP mechanism. */
-typedef struct CK_RSA_PKCS_OAEP_PARAMS {
-        CK_MECHANISM_TYPE hashAlg;
-        CK_RSA_PKCS_MGF_TYPE mgf;
-        CK_RSA_PKCS_OAEP_SOURCE_TYPE source;
-        CK_VOID_PTR pSourceData;
-        CK_ULONG ulSourceDataLen;
-} CK_RSA_PKCS_OAEP_PARAMS;
-
-typedef CK_RSA_PKCS_OAEP_PARAMS CK_PTR CK_RSA_PKCS_OAEP_PARAMS_PTR;
-
-/* CK_RSA_PKCS_PSS_PARAMS is new for v2.11.
- * CK_RSA_PKCS_PSS_PARAMS provides the parameters to the
- * CKM_RSA_PKCS_PSS mechanism(s). */
-typedef struct CK_RSA_PKCS_PSS_PARAMS {
-        CK_MECHANISM_TYPE    hashAlg;
-        CK_RSA_PKCS_MGF_TYPE mgf;
-        CK_ULONG             sLen;
-} CK_RSA_PKCS_PSS_PARAMS;
-
-typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR;
-
-/* CK_EC_KDF_TYPE is new for v2.11. */
-typedef CK_ULONG CK_EC_KDF_TYPE;
-
-/* The following EC Key Derivation Functions are defined */
-#define CKD_NULL                 0x00000001
-#define CKD_SHA1_KDF             0x00000002
-
-/* CK_ECDH1_DERIVE_PARAMS is new for v2.11.
- * CK_ECDH1_DERIVE_PARAMS provides the parameters to the
- * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms,
- * where each party contributes one key pair.
- */
-typedef struct CK_ECDH1_DERIVE_PARAMS {
-  CK_EC_KDF_TYPE kdf;
-  CK_ULONG ulSharedDataLen;
-  CK_BYTE_PTR pSharedData;
-  CK_ULONG ulPublicDataLen;
-  CK_BYTE_PTR pPublicData;
-} CK_ECDH1_DERIVE_PARAMS;
-
-typedef CK_ECDH1_DERIVE_PARAMS CK_PTR CK_ECDH1_DERIVE_PARAMS_PTR;
-
-
-/* CK_ECDH2_DERIVE_PARAMS is new for v2.11.
- * CK_ECDH2_DERIVE_PARAMS provides the parameters to the
- * CKM_ECMQV_DERIVE mechanism, where each party contributes two key pairs. */
-typedef struct CK_ECDH2_DERIVE_PARAMS {
-  CK_EC_KDF_TYPE kdf;
-  CK_ULONG ulSharedDataLen;
-  CK_BYTE_PTR pSharedData;
-  CK_ULONG ulPublicDataLen;
-  CK_BYTE_PTR pPublicData;
-  CK_ULONG ulPrivateDataLen;
-  CK_OBJECT_HANDLE hPrivateData;
-  CK_ULONG ulPublicDataLen2;
-  CK_BYTE_PTR pPublicData2;
-} CK_ECDH2_DERIVE_PARAMS;
-
-typedef CK_ECDH2_DERIVE_PARAMS CK_PTR CK_ECDH2_DERIVE_PARAMS_PTR;
-
-typedef struct CK_ECMQV_DERIVE_PARAMS {
-  CK_EC_KDF_TYPE kdf;
-  CK_ULONG ulSharedDataLen;
-  CK_BYTE_PTR pSharedData;
-  CK_ULONG ulPublicDataLen;
-  CK_BYTE_PTR pPublicData;
-  CK_ULONG ulPrivateDataLen;
-  CK_OBJECT_HANDLE hPrivateData;
-  CK_ULONG ulPublicDataLen2;
-  CK_BYTE_PTR pPublicData2;
-  CK_OBJECT_HANDLE publicKey;
-} CK_ECMQV_DERIVE_PARAMS;
-
-typedef CK_ECMQV_DERIVE_PARAMS CK_PTR CK_ECMQV_DERIVE_PARAMS_PTR;
-
-/* Typedefs and defines for the CKM_X9_42_DH_KEY_PAIR_GEN and the
- * CKM_X9_42_DH_PARAMETER_GEN mechanisms (new for PKCS #11 v2.11) */
-typedef CK_ULONG CK_X9_42_DH_KDF_TYPE;
-typedef CK_X9_42_DH_KDF_TYPE CK_PTR CK_X9_42_DH_KDF_TYPE_PTR;
-
-/* The following X9.42 DH key derivation functions are defined
-   (besides CKD_NULL already defined : */
-#define CKD_SHA1_KDF_ASN1        0x00000003
-#define CKD_SHA1_KDF_CONCATENATE 0x00000004
-
-/* CK_X9_42_DH1_DERIVE_PARAMS is new for v2.11.
- * CK_X9_42_DH1_DERIVE_PARAMS provides the parameters to the
- * CKM_X9_42_DH_DERIVE key derivation mechanism, where each party
- * contributes one key pair */
-typedef struct CK_X9_42_DH1_DERIVE_PARAMS {
-  CK_X9_42_DH_KDF_TYPE kdf;
-  CK_ULONG ulOtherInfoLen;
-  CK_BYTE_PTR pOtherInfo;
-  CK_ULONG ulPublicDataLen;
-  CK_BYTE_PTR pPublicData;
-} CK_X9_42_DH1_DERIVE_PARAMS;
-
-typedef struct CK_X9_42_DH1_DERIVE_PARAMS CK_PTR CK_X9_42_DH1_DERIVE_PARAMS_PTR;
-
-/* CK_X9_42_DH2_DERIVE_PARAMS is new for v2.11.
- * CK_X9_42_DH2_DERIVE_PARAMS provides the parameters to the
- * CKM_X9_42_DH_HYBRID_DERIVE and CKM_X9_42_MQV_DERIVE key derivation
- * mechanisms, where each party contributes two key pairs */
-typedef struct CK_X9_42_DH2_DERIVE_PARAMS {
-  CK_X9_42_DH_KDF_TYPE kdf;
-  CK_ULONG ulOtherInfoLen;
-  CK_BYTE_PTR pOtherInfo;
-  CK_ULONG ulPublicDataLen;
-  CK_BYTE_PTR pPublicData;
-  CK_ULONG ulPrivateDataLen;
-  CK_OBJECT_HANDLE hPrivateData;
-  CK_ULONG ulPublicDataLen2;
-  CK_BYTE_PTR pPublicData2;
-} CK_X9_42_DH2_DERIVE_PARAMS;
-
-typedef CK_X9_42_DH2_DERIVE_PARAMS CK_PTR CK_X9_42_DH2_DERIVE_PARAMS_PTR;
-
-typedef struct CK_X9_42_MQV_DERIVE_PARAMS {
-  CK_X9_42_DH_KDF_TYPE kdf;
-  CK_ULONG ulOtherInfoLen;
-  CK_BYTE_PTR pOtherInfo;
-  CK_ULONG ulPublicDataLen;
-  CK_BYTE_PTR pPublicData;
-  CK_ULONG ulPrivateDataLen;
-  CK_OBJECT_HANDLE hPrivateData;
-  CK_ULONG ulPublicDataLen2;
-  CK_BYTE_PTR pPublicData2;
-  CK_OBJECT_HANDLE publicKey;
-} CK_X9_42_MQV_DERIVE_PARAMS;
-
-typedef CK_X9_42_MQV_DERIVE_PARAMS CK_PTR CK_X9_42_MQV_DERIVE_PARAMS_PTR;
-
-/* CK_KEA_DERIVE_PARAMS provides the parameters to the
- * CKM_KEA_DERIVE mechanism */
-/* CK_KEA_DERIVE_PARAMS is new for v2.0 */
-typedef struct CK_KEA_DERIVE_PARAMS {
-  CK_BBOOL      isSender;
-  CK_ULONG      ulRandomLen;
-  CK_BYTE_PTR   pRandomA;
-  CK_BYTE_PTR   pRandomB;
-  CK_ULONG      ulPublicDataLen;
-  CK_BYTE_PTR   pPublicData;
-} CK_KEA_DERIVE_PARAMS;
-
-typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR;
-
-
-/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and
- * CKM_RC2_MAC mechanisms.  An instance of CK_RC2_PARAMS just
- * holds the effective keysize */
-typedef CK_ULONG          CK_RC2_PARAMS;
-
-typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR;
-
-
-/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC
- * mechanism */
-typedef struct CK_RC2_CBC_PARAMS {
-  /* ulEffectiveBits was changed from CK_USHORT to CK_ULONG for
-   * v2.0 */
-  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
-
-  CK_BYTE       iv[8];            /* IV for CBC mode */
-} CK_RC2_CBC_PARAMS;
-
-typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR;
-
-
-/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the
- * CKM_RC2_MAC_GENERAL mechanism */
-/* CK_RC2_MAC_GENERAL_PARAMS is new for v2.0 */
-typedef struct CK_RC2_MAC_GENERAL_PARAMS {
-  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
-  CK_ULONG      ulMacLength;      /* Length of MAC in bytes */
-} CK_RC2_MAC_GENERAL_PARAMS;
-
-typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR \
-  CK_RC2_MAC_GENERAL_PARAMS_PTR;
-
-
-/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and
- * CKM_RC5_MAC mechanisms */
-/* CK_RC5_PARAMS is new for v2.0 */
-typedef struct CK_RC5_PARAMS {
-  CK_ULONG      ulWordsize;  /* wordsize in bits */
-  CK_ULONG      ulRounds;    /* number of rounds */
-} CK_RC5_PARAMS;
-
-typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR;
-
-
-/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC
- * mechanism */
-/* CK_RC5_CBC_PARAMS is new for v2.0 */
-typedef struct CK_RC5_CBC_PARAMS {
-  CK_ULONG      ulWordsize;  /* wordsize in bits */
-  CK_ULONG      ulRounds;    /* number of rounds */
-  CK_BYTE_PTR   pIv;         /* pointer to IV */
-  CK_ULONG      ulIvLen;     /* length of IV in bytes */
-} CK_RC5_CBC_PARAMS;
-
-typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR;
-
-
-/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the
- * CKM_RC5_MAC_GENERAL mechanism */
-/* CK_RC5_MAC_GENERAL_PARAMS is new for v2.0 */
-typedef struct CK_RC5_MAC_GENERAL_PARAMS {
-  CK_ULONG      ulWordsize;   /* wordsize in bits */
-  CK_ULONG      ulRounds;     /* number of rounds */
-  CK_ULONG      ulMacLength;  /* Length of MAC in bytes */
-} CK_RC5_MAC_GENERAL_PARAMS;
-
-typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR \
-  CK_RC5_MAC_GENERAL_PARAMS_PTR;
-
-
-/* CK_MAC_GENERAL_PARAMS provides the parameters to most block
- * ciphers' MAC_GENERAL mechanisms.  Its value is the length of
- * the MAC */
-/* CK_MAC_GENERAL_PARAMS is new for v2.0 */
-typedef CK_ULONG          CK_MAC_GENERAL_PARAMS;
-
-typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR;
-
-/* CK_DES/AES_ECB/CBC_ENCRYPT_DATA_PARAMS are new for v2.20 */
-typedef struct CK_DES_CBC_ENCRYPT_DATA_PARAMS {
-  CK_BYTE      iv[8];
-  CK_BYTE_PTR  pData;
-  CK_ULONG     length;
-} CK_DES_CBC_ENCRYPT_DATA_PARAMS;
-
-typedef CK_DES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR;
-
-typedef struct CK_AES_CBC_ENCRYPT_DATA_PARAMS {
-  CK_BYTE      iv[16];
-  CK_BYTE_PTR  pData;
-  CK_ULONG     length;
-} CK_AES_CBC_ENCRYPT_DATA_PARAMS;
-
-typedef CK_AES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR;
-
-/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the
- * CKM_SKIPJACK_PRIVATE_WRAP mechanism */
-/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS is new for v2.0 */
-typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS {
-  CK_ULONG      ulPasswordLen;
-  CK_BYTE_PTR   pPassword;
-  CK_ULONG      ulPublicDataLen;
-  CK_BYTE_PTR   pPublicData;
-  CK_ULONG      ulPAndGLen;
-  CK_ULONG      ulQLen;
-  CK_ULONG      ulRandomLen;
-  CK_BYTE_PTR   pRandomA;
-  CK_BYTE_PTR   pPrimeP;
-  CK_BYTE_PTR   pBaseG;
-  CK_BYTE_PTR   pSubprimeQ;
-} CK_SKIPJACK_PRIVATE_WRAP_PARAMS;
-
-typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \
-  CK_SKIPJACK_PRIVATE_WRAP_PTR;
-
-
-/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the
- * CKM_SKIPJACK_RELAYX mechanism */
-/* CK_SKIPJACK_RELAYX_PARAMS is new for v2.0 */
-typedef struct CK_SKIPJACK_RELAYX_PARAMS {
-  CK_ULONG      ulOldWrappedXLen;
-  CK_BYTE_PTR   pOldWrappedX;
-  CK_ULONG      ulOldPasswordLen;
-  CK_BYTE_PTR   pOldPassword;
-  CK_ULONG      ulOldPublicDataLen;
-  CK_BYTE_PTR   pOldPublicData;
-  CK_ULONG      ulOldRandomLen;
-  CK_BYTE_PTR   pOldRandomA;
-  CK_ULONG      ulNewPasswordLen;
-  CK_BYTE_PTR   pNewPassword;
-  CK_ULONG      ulNewPublicDataLen;
-  CK_BYTE_PTR   pNewPublicData;
-  CK_ULONG      ulNewRandomLen;
-  CK_BYTE_PTR   pNewRandomA;
-} CK_SKIPJACK_RELAYX_PARAMS;
-
-typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \
-  CK_SKIPJACK_RELAYX_PARAMS_PTR;
-
-
-typedef struct CK_PBE_PARAMS {
-  CK_BYTE_PTR      pInitVector;
-  CK_UTF8CHAR_PTR  pPassword;
-  CK_ULONG         ulPasswordLen;
-  CK_BYTE_PTR      pSalt;
-  CK_ULONG         ulSaltLen;
-  CK_ULONG         ulIteration;
-} CK_PBE_PARAMS;
-
-typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR;
-
-
-/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the
- * CKM_KEY_WRAP_SET_OAEP mechanism */
-/* CK_KEY_WRAP_SET_OAEP_PARAMS is new for v2.0 */
-typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS {
-  CK_BYTE       bBC;     /* block contents byte */
-  CK_BYTE_PTR   pX;      /* extra data */
-  CK_ULONG      ulXLen;  /* length of extra data in bytes */
-} CK_KEY_WRAP_SET_OAEP_PARAMS;
-
-typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR \
-  CK_KEY_WRAP_SET_OAEP_PARAMS_PTR;
-
-
-typedef struct CK_SSL3_RANDOM_DATA {
-  CK_BYTE_PTR  pClientRandom;
-  CK_ULONG     ulClientRandomLen;
-  CK_BYTE_PTR  pServerRandom;
-  CK_ULONG     ulServerRandomLen;
-} CK_SSL3_RANDOM_DATA;
-
-
-typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS {
-  CK_SSL3_RANDOM_DATA RandomInfo;
-  CK_VERSION_PTR pVersion;
-} CK_SSL3_MASTER_KEY_DERIVE_PARAMS;
-
-typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \
-  CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR;
-
-
-typedef struct CK_SSL3_KEY_MAT_OUT {
-  CK_OBJECT_HANDLE hClientMacSecret;
-  CK_OBJECT_HANDLE hServerMacSecret;
-  CK_OBJECT_HANDLE hClientKey;
-  CK_OBJECT_HANDLE hServerKey;
-  CK_BYTE_PTR      pIVClient;
-  CK_BYTE_PTR      pIVServer;
-} CK_SSL3_KEY_MAT_OUT;
-
-typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR;
-
-
-typedef struct CK_SSL3_KEY_MAT_PARAMS {
-  CK_ULONG                ulMacSizeInBits;
-  CK_ULONG                ulKeySizeInBits;
-  CK_ULONG                ulIVSizeInBits;
-  CK_BBOOL                bIsExport;
-  CK_SSL3_RANDOM_DATA     RandomInfo;
-  CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
-} CK_SSL3_KEY_MAT_PARAMS;
-
-typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR;
-
-/* CK_TLS_PRF_PARAMS is new for version 2.20 */
-typedef struct CK_TLS_PRF_PARAMS {
-  CK_BYTE_PTR  pSeed;
-  CK_ULONG     ulSeedLen;
-  CK_BYTE_PTR  pLabel;
-  CK_ULONG     ulLabelLen;
-  CK_BYTE_PTR  pOutput;
-  CK_ULONG_PTR pulOutputLen;
-} CK_TLS_PRF_PARAMS;
-
-typedef CK_TLS_PRF_PARAMS CK_PTR CK_TLS_PRF_PARAMS_PTR;
-
-/* WTLS is new for version 2.20 */
-typedef struct CK_WTLS_RANDOM_DATA {
-  CK_BYTE_PTR pClientRandom;
-  CK_ULONG    ulClientRandomLen;
-  CK_BYTE_PTR pServerRandom;
-  CK_ULONG    ulServerRandomLen;
-} CK_WTLS_RANDOM_DATA;
-
-typedef CK_WTLS_RANDOM_DATA CK_PTR CK_WTLS_RANDOM_DATA_PTR;
-
-typedef struct CK_WTLS_MASTER_KEY_DERIVE_PARAMS {
-  CK_MECHANISM_TYPE   DigestMechanism;
-  CK_WTLS_RANDOM_DATA RandomInfo;
-  CK_BYTE_PTR         pVersion;
-} CK_WTLS_MASTER_KEY_DERIVE_PARAMS;
-
-typedef CK_WTLS_MASTER_KEY_DERIVE_PARAMS CK_PTR \
-  CK_WTLS_MASTER_KEY_DERIVE_PARAMS_PTR;
-
-typedef struct CK_WTLS_PRF_PARAMS {
-  CK_MECHANISM_TYPE DigestMechanism;
-  CK_BYTE_PTR       pSeed;
-  CK_ULONG          ulSeedLen;
-  CK_BYTE_PTR       pLabel;
-  CK_ULONG          ulLabelLen;
-  CK_BYTE_PTR       pOutput;
-  CK_ULONG_PTR      pulOutputLen;
-} CK_WTLS_PRF_PARAMS;
-
-typedef CK_WTLS_PRF_PARAMS CK_PTR CK_WTLS_PRF_PARAMS_PTR;
-
-typedef struct CK_WTLS_KEY_MAT_OUT {
-  CK_OBJECT_HANDLE hMacSecret;
-  CK_OBJECT_HANDLE hKey;
-  CK_BYTE_PTR      pIV;
-} CK_WTLS_KEY_MAT_OUT;
-
-typedef CK_WTLS_KEY_MAT_OUT CK_PTR CK_WTLS_KEY_MAT_OUT_PTR;
-
-typedef struct CK_WTLS_KEY_MAT_PARAMS {
-  CK_MECHANISM_TYPE       DigestMechanism;
-  CK_ULONG                ulMacSizeInBits;
-  CK_ULONG                ulKeySizeInBits;
-  CK_ULONG                ulIVSizeInBits;
-  CK_ULONG                ulSequenceNumber;
-  CK_BBOOL                bIsExport;
-  CK_WTLS_RANDOM_DATA     RandomInfo;
-  CK_WTLS_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
-} CK_WTLS_KEY_MAT_PARAMS;
-
-typedef CK_WTLS_KEY_MAT_PARAMS CK_PTR CK_WTLS_KEY_MAT_PARAMS_PTR;
-
-/* CMS is new for version 2.20 */
-typedef struct CK_CMS_SIG_PARAMS {
-  CK_OBJECT_HANDLE      certificateHandle;
-  CK_MECHANISM_PTR      pSigningMechanism;
-  CK_MECHANISM_PTR      pDigestMechanism;
-  CK_UTF8CHAR_PTR       pContentType;
-  CK_BYTE_PTR           pRequestedAttributes;
-  CK_ULONG              ulRequestedAttributesLen;
-  CK_BYTE_PTR           pRequiredAttributes;
-  CK_ULONG              ulRequiredAttributesLen;
-} CK_CMS_SIG_PARAMS;
-
-typedef CK_CMS_SIG_PARAMS CK_PTR CK_CMS_SIG_PARAMS_PTR;
-
-typedef struct CK_KEY_DERIVATION_STRING_DATA {
-  CK_BYTE_PTR pData;
-  CK_ULONG    ulLen;
-} CK_KEY_DERIVATION_STRING_DATA;
-
-typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR \
-  CK_KEY_DERIVATION_STRING_DATA_PTR;
-
-
-/* The CK_EXTRACT_PARAMS is used for the
- * CKM_EXTRACT_KEY_FROM_KEY mechanism.  It specifies which bit
- * of the base key should be used as the first bit of the
- * derived key */
-/* CK_EXTRACT_PARAMS is new for v2.0 */
-typedef CK_ULONG CK_EXTRACT_PARAMS;
-
-typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR;
-
-/* CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is new for v2.10.
- * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is used to
- * indicate the Pseudo-Random Function (PRF) used to generate
- * key bits using PKCS #5 PBKDF2. */
-typedef CK_ULONG CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE;
-
-typedef CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE CK_PTR CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE_PTR;
-
-/* The following PRFs are defined in PKCS #5 v2.0. */
-#define CKP_PKCS5_PBKD2_HMAC_SHA1 0x00000001
-
-
-/* CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is new for v2.10.
- * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is used to indicate the
- * source of the salt value when deriving a key using PKCS #5
- * PBKDF2. */
-typedef CK_ULONG CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE;
-
-typedef CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE CK_PTR CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE_PTR;
-
-/* The following salt value sources are defined in PKCS #5 v2.0. */
-#define CKZ_SALT_SPECIFIED        0x00000001
-
-/* CK_PKCS5_PBKD2_PARAMS is new for v2.10.
- * CK_PKCS5_PBKD2_PARAMS is a structure that provides the
- * parameters to the CKM_PKCS5_PBKD2 mechanism. */
-typedef struct CK_PKCS5_PBKD2_PARAMS {
-        CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE           saltSource;
-        CK_VOID_PTR                                pSaltSourceData;
-        CK_ULONG                                   ulSaltSourceDataLen;
-        CK_ULONG                                   iterations;
-        CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
-        CK_VOID_PTR                                pPrfData;
-        CK_ULONG                                   ulPrfDataLen;
-        CK_UTF8CHAR_PTR                            pPassword;
-        CK_ULONG_PTR                               ulPasswordLen;
-} CK_PKCS5_PBKD2_PARAMS;
-
-typedef CK_PKCS5_PBKD2_PARAMS CK_PTR CK_PKCS5_PBKD2_PARAMS_PTR;
-
-/* NSS Specific defines */
-
-/* defines that have been deprecated in 2.20, but maintained in our
- * header file for backward compatibility */
-#define CKO_KG_PARAMETERS     CKO_DOMAIN_PARAMETERS
-#define CKF_EC_FP             CKF_EC_F_P
-/* new in v2.11 deprecated by 2.20 */
-#define CKR_KEY_PARAMS_INVALID                0x0000006B
-
-/* stuff that for historic reasons is in this header file but should have
- * been in pkcs11n.h */
-#define CKK_INVALID_KEY_TYPE  0xffffffff
-
-#include "pkcs11n.h"
-
-/* undo packing */
-#include "pkcs11u.h"
-
-#endif
diff --git a/security/nss/lib/softoken/pkcs11u.c b/security/nss/lib/softoken/pkcs11u.c
deleted file mode 100644
index 8e68587ce..000000000
--- a/security/nss/lib/softoken/pkcs11u.c
+++ /dev/null
@@ -1,3476 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * Internal PKCS #11 functions. Should only be called by pkcs11.c
- */
-#include "pkcs11.h"
-#include "pkcs11i.h"
-#include "pcertt.h"
-#include "lowkeyi.h"
-#include "pcert.h"
-#include "secasn1.h"
-#include "blapi.h"
-#include "secerr.h"
-#include "prnetdb.h" /* for PR_ntohl */
-
-/*
- * ******************** Attribute Utilities *******************************
- */
-
-/*
- * create a new attribute with type, value, and length. Space is allocated
- * to hold value.
- */
-static SFTKAttribute *
-sftk_NewAttribute(SFTKObject *object,
-	CK_ATTRIBUTE_TYPE type, CK_VOID_PTR value, CK_ULONG len)
-{
-    SFTKAttribute *attribute;
-
-    SFTKSessionObject *so = sftk_narrowToSessionObject(object);
-    int index;
-
-    if (so == NULL)  {
-	/* allocate new attribute in a buffer */
-	PORT_Assert(0);
-    }
-    /* 
-     * We attempt to keep down contention on Malloc and Arena locks by
-     * limiting the number of these calls on high traversed paths. This
-     * is done for attributes by 'allocating' them from a pool already
-     * allocated by the parent object.
-     */
-    PZ_Lock(so->attributeLock);
-    index = so->nextAttr++;
-    PZ_Unlock(so->attributeLock);
-    PORT_Assert(index < MAX_OBJS_ATTRS);
-    if (index >= MAX_OBJS_ATTRS) return NULL;
-
-    attribute = &so->attrList[index];
-    attribute->attrib.type = type;
-    attribute->freeAttr = PR_FALSE;
-    attribute->freeData = PR_FALSE;
-    if (value) {
-        if (len <= ATTR_SPACE) {
-	    attribute->attrib.pValue = attribute->space;
-	} else {
-	    attribute->attrib.pValue = PORT_Alloc(len);
-    	    attribute->freeData = PR_TRUE;
-	}
-	if (attribute->attrib.pValue == NULL) {
-	    return NULL;
-	}
-	PORT_Memcpy(attribute->attrib.pValue,value,len);
-	attribute->attrib.ulValueLen = len;
-    } else {
-	attribute->attrib.pValue = NULL;
-	attribute->attrib.ulValueLen = 0;
-    }
-    attribute->attrib.type = type;
-    attribute->handle = type;
-    attribute->next = attribute->prev = NULL;
-    return attribute;
-}
-
-static SFTKAttribute *
-sftk_NewTokenAttribute(CK_ATTRIBUTE_TYPE type, CK_VOID_PTR value,
-						CK_ULONG len, PRBool copy)
-{
-    SFTKAttribute *attribute;
-
-    attribute = (SFTKAttribute*)PORT_Alloc(sizeof(SFTKAttribute));
-
-    if (attribute == NULL) return NULL;
-    attribute->attrib.type = type;
-    attribute->handle = type;
-    attribute->next = attribute->prev = NULL;
-    attribute->freeAttr = PR_TRUE;
-    attribute->freeData = PR_FALSE;
-    attribute->attrib.type = type;
-    if (!copy) {
-	attribute->attrib.pValue = value;
-	attribute->attrib.ulValueLen = len;
-	return attribute;
-    }
-
-    if (value) {
-        if (len <= ATTR_SPACE) {
-	    attribute->attrib.pValue = attribute->space;
-	} else {
-	    attribute->attrib.pValue = PORT_Alloc(len);
-	    attribute->freeData = PR_TRUE;
-	}
-	if (attribute->attrib.pValue == NULL) {
-	    PORT_Free(attribute);
-	    return NULL;
-	}
-	PORT_Memcpy(attribute->attrib.pValue,value,len);
-	attribute->attrib.ulValueLen = len;
-    } else {
-	attribute->attrib.pValue = NULL;
-	attribute->attrib.ulValueLen = 0;
-    }
-    return attribute;
-}
-
-static SFTKAttribute *
-sftk_NewTokenAttributeSigned(CK_ATTRIBUTE_TYPE type, CK_VOID_PTR value, 
-						CK_ULONG len, PRBool copy)
-{
-    unsigned char * dval = (unsigned char *)value;
-    if (*dval == 0) {
-	dval++;
-	len--;
-    }
-    return sftk_NewTokenAttribute(type,dval,len,copy);
-}
-
-/*
- * Free up all the memory associated with an attribute. Reference count
- * must be zero to call this.
- */
-static void
-sftk_DestroyAttribute(SFTKAttribute *attribute)
-{
-    if (attribute->freeData) {
-	if (attribute->attrib.pValue) {
-	    /* clear out the data in the attribute value... it may have been
-	     * sensitive data */
-	    PORT_Memset(attribute->attrib.pValue, 0,
-						attribute->attrib.ulValueLen);
-	}
-	PORT_Free(attribute->attrib.pValue);
-    }
-    PORT_Free(attribute);
-}
-
-/*
- * release a reference to an attribute structure
- */
-void
-sftk_FreeAttribute(SFTKAttribute *attribute)
-{
-    if (attribute->freeAttr) {
-	sftk_DestroyAttribute(attribute);
-	return;
-    }
-}
-
-#define SFTK_DEF_ATTRIBUTE(value,len) \
-   { NULL, NULL, PR_FALSE, PR_FALSE, 0, { 0, value, len } }
-
-#define SFTK_CLONE_ATTR(type, staticAttr) \
-    sftk_NewTokenAttribute( type, staticAttr.attrib.pValue, \
-    staticAttr.attrib.ulValueLen, PR_FALSE)
-
-CK_BBOOL sftk_staticTrueValue = CK_TRUE;
-CK_BBOOL sftk_staticFalseValue = CK_FALSE;
-static const SFTKAttribute sftk_StaticTrueAttr = 
-  SFTK_DEF_ATTRIBUTE(&sftk_staticTrueValue,sizeof(sftk_staticTrueValue));
-static const SFTKAttribute sftk_StaticFalseAttr = 
-  SFTK_DEF_ATTRIBUTE(&sftk_staticFalseValue,sizeof(sftk_staticFalseValue));
-static const SFTKAttribute sftk_StaticNullAttr = SFTK_DEF_ATTRIBUTE(NULL,0);
-char sftk_StaticOneValue = 1;
-static const SFTKAttribute sftk_StaticOneAttr = 
-  SFTK_DEF_ATTRIBUTE(&sftk_StaticOneValue,sizeof(sftk_StaticOneValue));
-
-CK_CERTIFICATE_TYPE sftk_staticX509Value = CKC_X_509;
-static const SFTKAttribute sftk_StaticX509Attr =
-  SFTK_DEF_ATTRIBUTE(&sftk_staticX509Value, sizeof(sftk_staticX509Value));
-CK_TRUST sftk_staticTrustedValue = CKT_NETSCAPE_TRUSTED;
-CK_TRUST sftk_staticTrustedDelegatorValue = CKT_NETSCAPE_TRUSTED_DELEGATOR;
-CK_TRUST sftk_staticValidDelegatorValue = CKT_NETSCAPE_VALID_DELEGATOR;
-CK_TRUST sftk_staticUnTrustedValue = CKT_NETSCAPE_UNTRUSTED;
-CK_TRUST sftk_staticTrustUnknownValue = CKT_NETSCAPE_TRUST_UNKNOWN;
-CK_TRUST sftk_staticValidPeerValue = CKT_NETSCAPE_VALID;
-CK_TRUST sftk_staticMustVerifyValue = CKT_NETSCAPE_MUST_VERIFY;
-static const SFTKAttribute sftk_StaticTrustedAttr =
-  SFTK_DEF_ATTRIBUTE(&sftk_staticTrustedValue,
-				sizeof(sftk_staticTrustedValue));
-static const SFTKAttribute sftk_StaticTrustedDelegatorAttr =
-  SFTK_DEF_ATTRIBUTE(&sftk_staticTrustedDelegatorValue,
-				sizeof(sftk_staticTrustedDelegatorValue));
-static const SFTKAttribute sftk_StaticValidDelegatorAttr =
-  SFTK_DEF_ATTRIBUTE(&sftk_staticValidDelegatorValue,
-				sizeof(sftk_staticValidDelegatorValue));
-static const SFTKAttribute sftk_StaticUnTrustedAttr =
-  SFTK_DEF_ATTRIBUTE(&sftk_staticUnTrustedValue,
-				sizeof(sftk_staticUnTrustedValue));
-static const SFTKAttribute sftk_StaticTrustUnknownAttr =
-  SFTK_DEF_ATTRIBUTE(&sftk_staticTrustUnknownValue,
-				sizeof(sftk_staticTrustUnknownValue));
-static const SFTKAttribute sftk_StaticValidPeerAttr =
-  SFTK_DEF_ATTRIBUTE(&sftk_staticValidPeerValue,
-				sizeof(sftk_staticValidPeerValue));
-static const SFTKAttribute sftk_StaticMustVerifyAttr =
-  SFTK_DEF_ATTRIBUTE(&sftk_staticMustVerifyValue,
-				sizeof(sftk_staticMustVerifyValue));
-
-/*
- * helper functions which get the database and call the underlying 
- * low level database function.
- */
-static char *
-sftk_FindKeyNicknameByPublicKey(SFTKSlot *slot, SECItem *dbKey)
-{
-    NSSLOWKEYDBHandle *keyHandle;
-    char * label;
-
-    keyHandle = sftk_getKeyDB(slot);
-    if (!keyHandle) {
-	return NULL;
-    }
-
-    label = nsslowkey_FindKeyNicknameByPublicKey(keyHandle, dbKey, 
-						 slot->password);
-    sftk_freeKeyDB(keyHandle);
-    return label;
-}
-
-
-NSSLOWKEYPrivateKey *
-sftk_FindKeyByPublicKey(SFTKSlot *slot, SECItem *dbKey)
-{
-    NSSLOWKEYPrivateKey *privKey;
-    NSSLOWKEYDBHandle   *keyHandle;
-
-    keyHandle = sftk_getKeyDB(slot);
-    if (keyHandle == NULL) {
-	return NULL;
-    }
-    privKey = nsslowkey_FindKeyByPublicKey(keyHandle, dbKey, slot->password);
-    sftk_freeKeyDB(keyHandle);
-    if (privKey == NULL) {
-	return NULL;
-    }
-    return privKey;
-}
-
-static certDBEntrySMime *
-sftk_getSMime(SFTKTokenObject *object)
-{
-    certDBEntrySMime *entry;
-    NSSLOWCERTCertDBHandle *certHandle;
-
-    if (object->obj.objclass != CKO_NETSCAPE_SMIME) {
-	return NULL;
-    }
-    if (object->obj.objectInfo) {
-	return (certDBEntrySMime *)object->obj.objectInfo;
-    }
-
-    certHandle = sftk_getCertDB(object->obj.slot);
-    if (!certHandle) {
-	return NULL;
-    }
-    entry = nsslowcert_ReadDBSMimeEntry(certHandle, (char *)object->dbKey.data);
-    object->obj.objectInfo = (void *)entry;
-    object->obj.infoFree = (SFTKFree) nsslowcert_DestroyDBEntry;
-    sftk_freeCertDB(certHandle);
-    return entry;
-}
-
-static certDBEntryRevocation *
-sftk_getCrl(SFTKTokenObject *object)
-{
-    certDBEntryRevocation *crl;
-    PRBool isKrl;
-    NSSLOWCERTCertDBHandle *certHandle;
-
-    if (object->obj.objclass != CKO_NETSCAPE_CRL) {
-	return NULL;
-    }
-    if (object->obj.objectInfo) {
-	return (certDBEntryRevocation *)object->obj.objectInfo;
-    }
-
-    isKrl = (PRBool) (object->obj.handle == SFTK_TOKEN_KRL_HANDLE);
-    certHandle = sftk_getCertDB(object->obj.slot);
-    if (!certHandle) {
-	return NULL;
-    }
-
-    crl = nsslowcert_FindCrlByKey(certHandle, &object->dbKey, isKrl);
-    object->obj.objectInfo = (void *)crl;
-    object->obj.infoFree = (SFTKFree) nsslowcert_DestroyDBEntry;
-    sftk_freeCertDB(certHandle);
-    return crl;
-}
-
-static NSSLOWCERTCertificate *
-sftk_getCert(SFTKTokenObject *object, NSSLOWCERTCertDBHandle *certHandle)
-{
-    NSSLOWCERTCertificate *cert;
-    CK_OBJECT_CLASS objClass = object->obj.objclass;
-
-    if ((objClass != CKO_CERTIFICATE) && (objClass != CKO_NETSCAPE_TRUST)) {
-	return NULL;
-    }
-    if (objClass == CKO_CERTIFICATE && object->obj.objectInfo) {
-	return (NSSLOWCERTCertificate *)object->obj.objectInfo;
-    }
-    cert = nsslowcert_FindCertByKey(certHandle, &object->dbKey);
-    if (objClass == CKO_CERTIFICATE) {
-	object->obj.objectInfo = (void *)cert;
-	object->obj.infoFree = (SFTKFree) nsslowcert_DestroyCertificate ;
-    }
-    return cert;
-}
-
-static NSSLOWCERTTrust *
-sftk_getTrust(SFTKTokenObject *object)
-{
-    NSSLOWCERTTrust *trust;
-    NSSLOWCERTCertDBHandle *certHandle;
-
-    if (object->obj.objclass != CKO_NETSCAPE_TRUST) {
-	return NULL;
-    }
-    if (object->obj.objectInfo) {
-	return (NSSLOWCERTTrust *)object->obj.objectInfo;
-    }
-    certHandle = sftk_getCertDB(object->obj.slot);
-    if (!certHandle) {
-	return NULL;
-    }
-    trust = nsslowcert_FindTrustByKey(certHandle, &object->dbKey);
-    object->obj.objectInfo = (void *)trust;
-    object->obj.infoFree = (SFTKFree) nsslowcert_DestroyTrust ;
-    sftk_freeCertDB(certHandle);
-    return trust;
-}
-
-static NSSLOWKEYPublicKey *
-sftk_GetPublicKey(SFTKTokenObject *object)
-{
-    NSSLOWKEYPublicKey *pubKey;
-    NSSLOWKEYPrivateKey *privKey;
-
-    if (object->obj.objclass != CKO_PUBLIC_KEY) {
-	return NULL;
-    }
-    if (object->obj.objectInfo) {
-	return (NSSLOWKEYPublicKey *)object->obj.objectInfo;
-    }
-    privKey = sftk_FindKeyByPublicKey(object->obj.slot, &object->dbKey);
-    if (privKey == NULL) {
-	return NULL;
-    }
-    pubKey = nsslowkey_ConvertToPublicKey(privKey);
-    nsslowkey_DestroyPrivateKey(privKey);
-    object->obj.objectInfo = (void *) pubKey;
-    object->obj.infoFree = (SFTKFree) nsslowkey_DestroyPublicKey ;
-    return pubKey;
-}
-
-/*
- * we need two versions of sftk_GetPrivateKey. One version that takes the 
- * DB handle so we can pass the handle we have already acquired in,
- *  rather than going through the 'getKeyDB' code again, 
- *  which may fail the second time and another which just aquires
- *  the key handle from the slot (where we don't already have a key handle.
- * This version does the former.
- */
-static NSSLOWKEYPrivateKey *
-sftk_GetPrivateKeyWithDB(SFTKTokenObject *object, NSSLOWKEYDBHandle *keyHandle)
-{
-    NSSLOWKEYPrivateKey *privKey;
-
-    if ((object->obj.objclass != CKO_PRIVATE_KEY) && 
-			(object->obj.objclass != CKO_SECRET_KEY)) {
-	return NULL;
-    }
-    if (object->obj.objectInfo) {
-	return (NSSLOWKEYPrivateKey *)object->obj.objectInfo;
-    }
-    privKey = nsslowkey_FindKeyByPublicKey(keyHandle, &object->dbKey,
-				           object->obj.slot->password);
-    if (privKey == NULL) {
-	return NULL;
-    }
-    object->obj.objectInfo = (void *) privKey;
-    object->obj.infoFree = (SFTKFree) nsslowkey_DestroyPrivateKey ;
-    return privKey;
-}
-
-/* this version does the latter */
-static NSSLOWKEYPrivateKey *
-sftk_GetPrivateKey(SFTKTokenObject *object)
-{
-    NSSLOWKEYDBHandle *keyHandle;
-    NSSLOWKEYPrivateKey *privKey;
-
-    keyHandle = sftk_getKeyDB(object->obj.slot);
-    if (!keyHandle) {
-	return NULL;
-    }
-    privKey = sftk_GetPrivateKeyWithDB(object, keyHandle);
-    sftk_freeKeyDB(keyHandle);
-    return privKey;
-}
-
-/* sftk_GetPubItem returns data associated with the public key.
- * one only needs to free the public key. This comment is here
- * because this sematic would be non-obvious otherwise. All callers
- * should include this comment.
- */
-static SECItem *
-sftk_GetPubItem(NSSLOWKEYPublicKey *pubKey) {
-    SECItem *pubItem = NULL;
-    /* get value to compare from the cert's public key */
-    switch ( pubKey->keyType ) {
-    case NSSLOWKEYRSAKey:
-	    pubItem = &pubKey->u.rsa.modulus;
-	    break;
-    case NSSLOWKEYDSAKey:
-	    pubItem = &pubKey->u.dsa.publicValue;
-	    break;
-    case NSSLOWKEYDHKey:
-	    pubItem = &pubKey->u.dh.publicValue;
-	    break;
-#ifdef NSS_ENABLE_ECC
-    case NSSLOWKEYECKey:
-	    pubItem = &pubKey->u.ec.publicValue;
-	    break;
-#endif /* NSS_ENABLE_ECC */
-    default:
-	    break;
-    }
-    return pubItem;
-}
-
-static const SEC_ASN1Template sftk_SerialTemplate[] = {
-    { SEC_ASN1_INTEGER, offsetof(NSSLOWCERTCertificate,serialNumber) },
-    { 0 }
-};
-
-static SFTKAttribute *
-sftk_FindRSAPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type)
-{
-    unsigned char hash[SHA1_LENGTH];
-    CK_KEY_TYPE keyType = CKK_RSA;
-
-    switch (type) {
-    case CKA_KEY_TYPE:
-	return sftk_NewTokenAttribute(type,&keyType,sizeof(keyType), PR_TRUE);
-    case CKA_ID:
-	SHA1_HashBuf(hash,key->u.rsa.modulus.data,key->u.rsa.modulus.len);
-	return sftk_NewTokenAttribute(type,hash,SHA1_LENGTH, PR_TRUE);
-    case CKA_DERIVE:
-	return SFTK_CLONE_ATTR(type,sftk_StaticFalseAttr);
-    case CKA_ENCRYPT:
-    case CKA_VERIFY:
-    case CKA_VERIFY_RECOVER:
-    case CKA_WRAP:
-	return SFTK_CLONE_ATTR(type,sftk_StaticTrueAttr);
-    case CKA_MODULUS:
-	return sftk_NewTokenAttributeSigned(type,key->u.rsa.modulus.data,
-					key->u.rsa.modulus.len, PR_FALSE);
-    case CKA_PUBLIC_EXPONENT:
-	return sftk_NewTokenAttributeSigned(type,key->u.rsa.publicExponent.data,
-				key->u.rsa.publicExponent.len, PR_FALSE);
-    default:
-	break;
-    }
-    return NULL;
-}
-
-static SFTKAttribute *
-sftk_FindDSAPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type)
-{
-    unsigned char hash[SHA1_LENGTH];
-    CK_KEY_TYPE keyType = CKK_DSA;
-
-    switch (type) {
-    case CKA_KEY_TYPE:
-	return sftk_NewTokenAttribute(type,&keyType,sizeof(keyType), PR_TRUE);
-    case CKA_ID:
-	SHA1_HashBuf(hash,key->u.dsa.publicValue.data,
-						key->u.dsa.publicValue.len);
-	return sftk_NewTokenAttribute(type,hash,SHA1_LENGTH, PR_TRUE);
-    case CKA_DERIVE:
-    case CKA_ENCRYPT:
-    case CKA_VERIFY_RECOVER:
-    case CKA_WRAP:
-	return SFTK_CLONE_ATTR(type,sftk_StaticFalseAttr);
-    case CKA_VERIFY:
-	return SFTK_CLONE_ATTR(type,sftk_StaticTrueAttr);
-    case CKA_VALUE:
-	return sftk_NewTokenAttributeSigned(type,key->u.dsa.publicValue.data,
-					key->u.dsa.publicValue.len, PR_FALSE);
-    case CKA_PRIME:
-	return sftk_NewTokenAttributeSigned(type,key->u.dsa.params.prime.data,
-					key->u.dsa.params.prime.len, PR_FALSE);
-    case CKA_SUBPRIME:
-	return sftk_NewTokenAttributeSigned(type,
-				key->u.dsa.params.subPrime.data,
-				key->u.dsa.params.subPrime.len, PR_FALSE);
-    case CKA_BASE:
-	return sftk_NewTokenAttributeSigned(type,key->u.dsa.params.base.data,
-					key->u.dsa.params.base.len, PR_FALSE);
-    default:
-	break;
-    }
-    return NULL;
-}
-
-static SFTKAttribute *
-sftk_FindDHPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type)
-{
-    unsigned char hash[SHA1_LENGTH];
-    CK_KEY_TYPE keyType = CKK_DH;
-
-    switch (type) {
-    case CKA_KEY_TYPE:
-	return sftk_NewTokenAttribute(type,&keyType,sizeof(keyType), PR_TRUE);
-    case CKA_ID:
-	SHA1_HashBuf(hash,key->u.dh.publicValue.data,key->u.dh.publicValue.len);
-	return sftk_NewTokenAttribute(type,hash,SHA1_LENGTH, PR_TRUE);
-    case CKA_DERIVE:
-	return SFTK_CLONE_ATTR(type,sftk_StaticTrueAttr);
-    case CKA_ENCRYPT:
-    case CKA_VERIFY:
-    case CKA_VERIFY_RECOVER:
-    case CKA_WRAP:
-	return SFTK_CLONE_ATTR(type,sftk_StaticFalseAttr);
-    case CKA_VALUE:
-	return sftk_NewTokenAttributeSigned(type,key->u.dh.publicValue.data,
-					key->u.dh.publicValue.len, PR_FALSE);
-    case CKA_PRIME:
-	return sftk_NewTokenAttributeSigned(type,key->u.dh.prime.data,
-					key->u.dh.prime.len, PR_FALSE);
-    case CKA_BASE:
-	return sftk_NewTokenAttributeSigned(type,key->u.dh.base.data,
-					key->u.dh.base.len, PR_FALSE);
-    default:
-	break;
-    }
-    return NULL;
-}
-
-#ifdef NSS_ENABLE_ECC
-static SFTKAttribute *
-sftk_FindECPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type)
-{
-    unsigned char hash[SHA1_LENGTH];
-    CK_KEY_TYPE keyType = CKK_EC;
-
-    switch (type) {
-    case CKA_KEY_TYPE:
-	return sftk_NewTokenAttribute(type,&keyType,sizeof(keyType), PR_TRUE);
-    case CKA_ID:
-	SHA1_HashBuf(hash, key->u.ec.publicValue.data,
-		     key->u.ec.publicValue.len);
-	return sftk_NewTokenAttribute(type,hash,SHA1_LENGTH, PR_TRUE);
-    case CKA_DERIVE:
-    case CKA_VERIFY:
-	return SFTK_CLONE_ATTR(type,sftk_StaticTrueAttr);
-    case CKA_ENCRYPT:
-    case CKA_VERIFY_RECOVER:
-    case CKA_WRAP:
-	return SFTK_CLONE_ATTR(type,sftk_StaticFalseAttr);
-    case CKA_EC_PARAMS:
-        /* XXX Why is the last arg PR_FALSE? */
-	return sftk_NewTokenAttributeSigned(type,
-					key->u.ec.ecParams.DEREncoding.data,
-					key->u.ec.ecParams.DEREncoding.len,
-					PR_FALSE);
-    case CKA_EC_POINT:
-        /* XXX Why is the last arg PR_FALSE? */
-	return sftk_NewTokenAttributeSigned(type,key->u.ec.publicValue.data,
-					key->u.ec.publicValue.len, PR_FALSE);
-    default:
-	break;
-    }
-    return NULL;
-}
-#endif /* NSS_ENABLE_ECC */
-
-
-static SFTKAttribute *
-sftk_FindPublicKeyAttribute(SFTKTokenObject *object, CK_ATTRIBUTE_TYPE type)
-{
-    NSSLOWKEYPublicKey   *key;
-    SFTKAttribute *att = NULL;
-    char *label;
-
-    switch (type) {
-    case CKA_PRIVATE:
-    case CKA_SENSITIVE:
-    case CKA_ALWAYS_SENSITIVE:
-    case CKA_NEVER_EXTRACTABLE:
-	return SFTK_CLONE_ATTR(type,sftk_StaticFalseAttr);
-    case CKA_MODIFIABLE:
-    case CKA_EXTRACTABLE:
-	return SFTK_CLONE_ATTR(type,sftk_StaticTrueAttr);
-    case CKA_LABEL:
-        label = sftk_FindKeyNicknameByPublicKey(object->obj.slot,
-						&object->dbKey);
-	if (label == NULL) {
-	   return SFTK_CLONE_ATTR(type,sftk_StaticOneAttr);
-	}
-	att = sftk_NewTokenAttribute(type,label,PORT_Strlen(label), PR_TRUE);
-	PORT_Free(label);
-	return att;
-    default:
-	break;
-    }
-
-    key = sftk_GetPublicKey(object);
-    if (key == NULL) {
-	return NULL;
-    }
-
-    switch (key->keyType) {
-    case NSSLOWKEYRSAKey:
-	return sftk_FindRSAPublicKeyAttribute(key,type);
-    case NSSLOWKEYDSAKey:
-	return sftk_FindDSAPublicKeyAttribute(key,type);
-    case NSSLOWKEYDHKey:
-	return sftk_FindDHPublicKeyAttribute(key,type);
-#ifdef NSS_ENABLE_ECC
-    case NSSLOWKEYECKey:
-	return sftk_FindECPublicKeyAttribute(key,type);
-#endif /* NSS_ENABLE_ECC */
-    default:
-	break;
-    }
-
-    return NULL;
-}
-
-static SFTKAttribute *
-sftk_FindSecretKeyAttribute(SFTKTokenObject *object, CK_ATTRIBUTE_TYPE type)
-{
-    NSSLOWKEYPrivateKey  *key;
-    char *label;
-    unsigned char *keyString;
-    SFTKAttribute *att;
-    int keyTypeLen;
-    CK_ULONG keyLen;
-    CK_KEY_TYPE keyType;
-    PRUint32 keyTypeStorage;
-
-    switch (type) {
-    case CKA_PRIVATE:
-    case CKA_SENSITIVE:
-    case CKA_ALWAYS_SENSITIVE:
-    case CKA_EXTRACTABLE:
-    case CKA_DERIVE:
-    case CKA_ENCRYPT:
-    case CKA_DECRYPT:
-    case CKA_SIGN:
-    case CKA_VERIFY:
-    case CKA_WRAP:
-    case CKA_UNWRAP:
-    case CKA_MODIFIABLE:
-	return SFTK_CLONE_ATTR(type,sftk_StaticTrueAttr);
-    case CKA_NEVER_EXTRACTABLE:
-	return SFTK_CLONE_ATTR(type,sftk_StaticFalseAttr);
-    case CKA_LABEL:
-        label = sftk_FindKeyNicknameByPublicKey(object->obj.slot,
-						&object->dbKey);
-	if (label == NULL) {
-	   return SFTK_CLONE_ATTR(type,sftk_StaticNullAttr);
-	}
-	att = sftk_NewTokenAttribute(type,label,PORT_Strlen(label), PR_TRUE);
-	PORT_Free(label);
-	return att;
-    case CKA_KEY_TYPE:
-    case CKA_VALUE_LEN:
-    case CKA_VALUE:
-	break;
-    default:
-	return NULL;
-    }
-
-    key = sftk_GetPrivateKey(object);
-    if (key == NULL) {
-	return NULL;
-    }
-    switch (type) {
-    case CKA_KEY_TYPE:
-	/* handle legacy databases. In legacy databases key_type was stored
-	 * in host order, with any leading zeros stripped off. Only key types
-	 * under 0x1f (AES) were stored. We assume that any values which are
-	 * either 1 byte long (big endian), or have byte[0] between 0 and 
-	 * 0x7f and bytes[1]-bytes[3] equal to '0' (little endian). All other
-	 * values are assumed to be from the new database, which is always 4
-	 * bytes in network order */
-	keyType=0;
-	keyString = key->u.rsa.coefficient.data;
-	keyTypeLen = key->u.rsa.coefficient.len;
-
-
-	/*
- 	 * Because of various endian and word lengths The database may have
-	 * stored the keyType value in one of the following formats:
-	 *   (kt) <= 0x1f 
-	 *                                   length data
-	 * Big Endian,     pre-3.9, all lengths: 1  (kt)
-	 * Little Endian,  pre-3.9, 32 bits:     4  (kt) 0  0  0
-	 * Little Endian,  pre-3.9, 64 bits:     8  (kt) 0  0  0   0  0  0  0
-	 * All platforms,      3.9, 32 bits:     4    0  0  0 (kt)
-	 * Big Endian,         3.9, 64 bits:     8    0  0  0 (kt) 0  0  0  0
-	 * Little  Endian,     3.9, 64 bits:     8    0  0  0  0   0  0  0 (kt)
-	 * All platforms, >= 3.9.1, all lengths: 4   (a) k1 k2 k3
-	 * where (a) is 0 or >= 0x80. currently (a) can only be 0.
-	 */
-	/*
- 	 * this key was written on a 64 bit platform with a using NSS 3.9
-	 * or earlier. Reduce the 64 bit possibilities above. We were are
-	 * through, we will only have:
-	 * 
-	 * Big Endian,     pre-3.9, all lengths: 1  (kt)
-	 * Little Endian,  pre-3.9, all lengths: 4  (kt) 0  0  0
-	 * All platforms,      3.9, all lengths: 4    0  0  0 (kt)
-	 * All platforms, => 3.9.1, all lengths: 4   (a) k1 k2 k3
-	 */
-	if (keyTypeLen == 8) {
-	    keyTypeStorage = *(PRUint32 *) keyString;
-	    if (keyTypeStorage == 0) {
-		keyString += sizeof(PRUint32);
-	    }
-	    keyTypeLen = 4;
-	}
-	/*
-	 * Now Handle:
-	 *
-	 * All platforms,      3.9, all lengths: 4    0  0  0 (kt)
-	 * All platforms, => 3.9.1, all lengths: 4   (a) k1 k2 k3
-	 *
-	 * NOTE: if  kt == 0 or ak1k2k3 == 0, the test fails and
-	 * we handle it as:
-	 *
-	 * Little Endian,  pre-3.9, all lengths: 4  (kt) 0  0  0
-	 */
-	if (keyTypeLen == sizeof(keyTypeStorage) &&
-	     (((keyString[0] & 0x80) == 0x80) ||
-		!((keyString[1] == 0) && (keyString[2] == 0)
-	   				    && (keyString[3] == 0))) ) {
-	    PORT_Memcpy(&keyTypeStorage, keyString, sizeof(keyTypeStorage));
-	    keyType = (CK_KEY_TYPE) PR_ntohl(keyTypeStorage);
-	} else {
-	/*
-	 * Now Handle:
-	 *
-	 * Big Endian,     pre-3.9, all lengths: 1  (kt)
-	 * Little Endian,  pre-3.9, all lengths: 4  (kt) 0  0  0
-	 *  -- KeyType == 0 all other cases ---: 4    0  0  0  0
-	 */
-	    keyType = (CK_KEY_TYPE) keyString[0] ;
-        }
-	return sftk_NewTokenAttribute(type,&keyType,sizeof(keyType),PR_TRUE);
-    case CKA_VALUE:
-	return sftk_NewTokenAttribute(type,key->u.rsa.privateExponent.data,
-				key->u.rsa.privateExponent.len, PR_FALSE);
-    case CKA_VALUE_LEN:
-	keyLen=key->u.rsa.privateExponent.len;
-	return sftk_NewTokenAttribute(type, &keyLen, sizeof(CK_ULONG), PR_TRUE);
-    }
-
-    return NULL;
-}
-
-static SFTKAttribute *
-sftk_FindRSAPrivateKeyAttribute(NSSLOWKEYPrivateKey *key,
-				CK_ATTRIBUTE_TYPE type)
-{
-    unsigned char hash[SHA1_LENGTH];
-    CK_KEY_TYPE keyType = CKK_RSA;
-
-    switch (type) {
-    case CKA_KEY_TYPE:
-	return sftk_NewTokenAttribute(type,&keyType,sizeof(keyType), PR_TRUE);
-    case CKA_ID:
-	SHA1_HashBuf(hash,key->u.rsa.modulus.data,key->u.rsa.modulus.len);
-	return sftk_NewTokenAttribute(type,hash,SHA1_LENGTH, PR_TRUE);
-    case CKA_DERIVE:
-	return SFTK_CLONE_ATTR(type,sftk_StaticFalseAttr);
-    case CKA_DECRYPT:
-    case CKA_SIGN:
-    case CKA_SIGN_RECOVER:
-    case CKA_UNWRAP:
-	return SFTK_CLONE_ATTR(type,sftk_StaticTrueAttr);
-    case CKA_MODULUS:
-	return sftk_NewTokenAttributeSigned(type,key->u.rsa.modulus.data,
-					key->u.rsa.modulus.len, PR_FALSE);
-    case CKA_PUBLIC_EXPONENT:
-	return sftk_NewTokenAttributeSigned(type,key->u.rsa.publicExponent.data,
-				key->u.rsa.publicExponent.len, PR_FALSE);
-    case CKA_PRIVATE_EXPONENT:
-	return sftk_NewTokenAttributeSigned(type,
-				key->u.rsa.privateExponent.data,
-				key->u.rsa.privateExponent.len, PR_FALSE);
-    case CKA_PRIME_1:
-	return sftk_NewTokenAttributeSigned(type, key->u.rsa.prime1.data,
-				key->u.rsa.prime1.len, PR_FALSE);
-    case CKA_PRIME_2:
-	return sftk_NewTokenAttributeSigned(type, key->u.rsa.prime2.data,
-				key->u.rsa.prime2.len, PR_FALSE);
-    case CKA_EXPONENT_1:
-	return sftk_NewTokenAttributeSigned(type, key->u.rsa.exponent1.data,
-				key->u.rsa.exponent1.len, PR_FALSE);
-    case CKA_EXPONENT_2:
-	return sftk_NewTokenAttributeSigned(type, key->u.rsa.exponent2.data,
-				key->u.rsa.exponent2.len, PR_FALSE);
-    case CKA_COEFFICIENT:
-	return sftk_NewTokenAttributeSigned(type, key->u.rsa.coefficient.data,
-				key->u.rsa.coefficient.len, PR_FALSE);
-    default:
-	break;
-    }
-    return NULL;
-}
-
-static SFTKAttribute *
-sftk_FindDSAPrivateKeyAttribute(NSSLOWKEYPrivateKey *key, 
-							CK_ATTRIBUTE_TYPE type)
-{
-    unsigned char hash[SHA1_LENGTH];
-    CK_KEY_TYPE keyType = CKK_DSA;
-
-    switch (type) {
-    case CKA_KEY_TYPE:
-	return sftk_NewTokenAttribute(type,&keyType,sizeof(keyType), PR_TRUE);
-    case CKA_ID:
-	SHA1_HashBuf(hash,key->u.dsa.publicValue.data,
-			  key->u.dsa.publicValue.len);
-	return sftk_NewTokenAttribute(type,hash,SHA1_LENGTH, PR_TRUE);
-    case CKA_DERIVE:
-    case CKA_DECRYPT:
-    case CKA_SIGN_RECOVER:
-    case CKA_UNWRAP:
-	return SFTK_CLONE_ATTR(type,sftk_StaticFalseAttr);
-    case CKA_SIGN:
-	return SFTK_CLONE_ATTR(type,sftk_StaticTrueAttr);
-    case CKA_VALUE:
-	return sftk_NewTokenAttributeSigned(type, key->u.dsa.privateValue.data,
-				key->u.dsa.privateValue.len, PR_FALSE);
-    case CKA_PRIME:
-	return sftk_NewTokenAttributeSigned(type,key->u.dsa.params.prime.data,
-					key->u.dsa.params.prime.len, PR_FALSE);
-    case CKA_SUBPRIME:
-	return sftk_NewTokenAttributeSigned(type,
-				key->u.dsa.params.subPrime.data,
-				key->u.dsa.params.subPrime.len, PR_FALSE);
-    case CKA_BASE:
-	return sftk_NewTokenAttributeSigned(type,key->u.dsa.params.base.data,
-					key->u.dsa.params.base.len, PR_FALSE);
-    default:
-	break;
-    }
-    return NULL;
-}
-
-static SFTKAttribute *
-sftk_FindDHPrivateKeyAttribute(NSSLOWKEYPrivateKey *key, CK_ATTRIBUTE_TYPE type)
-{
-    unsigned char hash[SHA1_LENGTH];
-    CK_KEY_TYPE keyType = CKK_DH;
-
-    switch (type) {
-    case CKA_KEY_TYPE:
-	return sftk_NewTokenAttribute(type,&keyType,sizeof(keyType), PR_TRUE);
-    case CKA_ID:
-	SHA1_HashBuf(hash,key->u.dh.publicValue.data,key->u.dh.publicValue.len);
-	return sftk_NewTokenAttribute(type,hash,SHA1_LENGTH, PR_TRUE);
-    case CKA_DERIVE:
-	return SFTK_CLONE_ATTR(type,sftk_StaticTrueAttr);
-    case CKA_DECRYPT:
-    case CKA_SIGN:
-    case CKA_SIGN_RECOVER:
-    case CKA_UNWRAP:
-	return SFTK_CLONE_ATTR(type,sftk_StaticFalseAttr);
-    case CKA_VALUE:
-	return sftk_NewTokenAttributeSigned(type,key->u.dh.privateValue.data,
-					key->u.dh.privateValue.len, PR_FALSE);
-    case CKA_PRIME:
-	return sftk_NewTokenAttributeSigned(type,key->u.dh.prime.data,
-					key->u.dh.prime.len, PR_FALSE);
-    case CKA_BASE:
-	return sftk_NewTokenAttributeSigned(type,key->u.dh.base.data,
-					key->u.dh.base.len, PR_FALSE);
-    default:
-	break;
-    }
-    return NULL;
-}
-
-#ifdef NSS_ENABLE_ECC
-static SFTKAttribute *
-sftk_FindECPrivateKeyAttribute(NSSLOWKEYPrivateKey *key, CK_ATTRIBUTE_TYPE type)
-{
-    unsigned char hash[SHA1_LENGTH];
-    CK_KEY_TYPE keyType = CKK_EC;
-
-    switch (type) {
-    case CKA_KEY_TYPE:
-	return sftk_NewTokenAttribute(type,&keyType,sizeof(keyType), PR_TRUE);
-    case CKA_ID:
-	SHA1_HashBuf(hash,key->u.ec.publicValue.data,key->u.ec.publicValue.len);
-	return sftk_NewTokenAttribute(type,hash,SHA1_LENGTH, PR_TRUE);
-    case CKA_DERIVE:
-    case CKA_SIGN:
-	return SFTK_CLONE_ATTR(type,sftk_StaticTrueAttr);
-    case CKA_DECRYPT:
-    case CKA_SIGN_RECOVER:
-    case CKA_UNWRAP:
-	return SFTK_CLONE_ATTR(type,sftk_StaticFalseAttr);
-    case CKA_VALUE:
-	return sftk_NewTokenAttributeSigned(type, key->u.ec.privateValue.data,
-					key->u.ec.privateValue.len, PR_FALSE);
-    case CKA_EC_PARAMS:
-        /* XXX Why is the last arg PR_FALSE? */
-	return sftk_NewTokenAttributeSigned(type,
-					key->u.ec.ecParams.DEREncoding.data,
-					key->u.ec.ecParams.DEREncoding.len,
-					PR_FALSE);
-    default:
-	break;
-    }
-    return NULL;
-}
-#endif /* NSS_ENABLE_ECC */
-
-static SFTKAttribute *
-sftk_FindPrivateKeyAttribute(SFTKTokenObject *object, CK_ATTRIBUTE_TYPE type)
-{
-    NSSLOWKEYPrivateKey  *key;
-    char *label;
-    SFTKAttribute *att;
-
-    switch (type) {
-    case CKA_PRIVATE:
-    case CKA_SENSITIVE:
-    case CKA_ALWAYS_SENSITIVE:
-    case CKA_EXTRACTABLE:
-    case CKA_MODIFIABLE:
-	return SFTK_CLONE_ATTR(type,sftk_StaticTrueAttr);
-    case CKA_NEVER_EXTRACTABLE:
-	return SFTK_CLONE_ATTR(type,sftk_StaticFalseAttr);
-    case CKA_SUBJECT:
-	   return SFTK_CLONE_ATTR(type,sftk_StaticNullAttr);
-    case CKA_LABEL:
-        label = sftk_FindKeyNicknameByPublicKey(object->obj.slot,
-						&object->dbKey);
-	if (label == NULL) {
-	   return SFTK_CLONE_ATTR(type,sftk_StaticNullAttr);
-	}
-	att = sftk_NewTokenAttribute(type,label,PORT_Strlen(label), PR_TRUE);
-	PORT_Free(label);
-	return att;
-    default:
-	break;
-    }
-    key = sftk_GetPrivateKey(object);
-    if (key == NULL) {
-	return NULL;
-    }
-    switch (key->keyType) {
-    case NSSLOWKEYRSAKey:
-	return sftk_FindRSAPrivateKeyAttribute(key,type);
-    case NSSLOWKEYDSAKey:
-	return sftk_FindDSAPrivateKeyAttribute(key,type);
-    case NSSLOWKEYDHKey:
-	return sftk_FindDHPrivateKeyAttribute(key,type);
-#ifdef NSS_ENABLE_ECC
-    case NSSLOWKEYECKey:
-	return sftk_FindECPrivateKeyAttribute(key,type);
-#endif /* NSS_ENABLE_ECC */
-    default:
-	break;
-    }
-
-    return NULL;
-}
-
-static SFTKAttribute *
-sftk_FindSMIMEAttribute(SFTKTokenObject *object, CK_ATTRIBUTE_TYPE type)
-{
-    certDBEntrySMime *entry;
-    switch (type) {
-    case CKA_PRIVATE:
-    case CKA_MODIFIABLE:
-	return SFTK_CLONE_ATTR(type,sftk_StaticFalseAttr);
-    case CKA_NETSCAPE_EMAIL:
-	return sftk_NewTokenAttribute(type,object->dbKey.data,
-						object->dbKey.len-1, PR_FALSE);
-    case CKA_NETSCAPE_SMIME_TIMESTAMP:
-    case CKA_SUBJECT:
-    case CKA_VALUE:
-	break;
-    default:
-	return NULL;
-    }
-    entry = sftk_getSMime(object);
-    if (entry == NULL) {
-	return NULL;
-    }
-    switch (type) {
-    case CKA_NETSCAPE_SMIME_TIMESTAMP:
-	return sftk_NewTokenAttribute(type,entry->optionsDate.data,
-					entry->optionsDate.len, PR_FALSE);
-    case CKA_SUBJECT:
-	return sftk_NewTokenAttribute(type,entry->subjectName.data,
-					entry->subjectName.len, PR_FALSE);
-    case CKA_VALUE:
-	return sftk_NewTokenAttribute(type,entry->smimeOptions.data,
-					entry->smimeOptions.len, PR_FALSE);
-    default:
-	break;
-    }
-    return NULL;
-}
-
-static SFTKAttribute *
-sftk_FindTrustAttribute(SFTKTokenObject *object, CK_ATTRIBUTE_TYPE type)
-{
-    NSSLOWCERTTrust *trust;
-    unsigned char hash[SHA1_LENGTH];
-    unsigned int trustFlags;
-
-    switch (type) {
-    case CKA_PRIVATE:
-	return SFTK_CLONE_ATTR(type,sftk_StaticFalseAttr);
-    case CKA_MODIFIABLE:
-	return SFTK_CLONE_ATTR(type,sftk_StaticTrueAttr);
-    case CKA_CERT_SHA1_HASH:
-    case CKA_CERT_MD5_HASH:
-    case CKA_TRUST_CLIENT_AUTH:
-    case CKA_TRUST_SERVER_AUTH:
-    case CKA_TRUST_EMAIL_PROTECTION:
-    case CKA_TRUST_CODE_SIGNING:
-    case CKA_TRUST_STEP_UP_APPROVED:
-	break;
-    default:
-	return NULL;
-    }
-    trust = sftk_getTrust(object);
-    if (trust == NULL) {
-	return NULL;
-    }
-    switch (type) {
-    case CKA_CERT_SHA1_HASH:
-	SHA1_HashBuf(hash,trust->derCert->data,trust->derCert->len);
-	return sftk_NewTokenAttribute(type, hash, SHA1_LENGTH, PR_TRUE);
-    case CKA_CERT_MD5_HASH:
-	MD5_HashBuf(hash,trust->derCert->data,trust->derCert->len);
-	return sftk_NewTokenAttribute(type, hash, MD5_LENGTH, PR_TRUE);
-    case CKA_TRUST_CLIENT_AUTH:
-	trustFlags = trust->trust->sslFlags & CERTDB_TRUSTED_CLIENT_CA ?
-		trust->trust->sslFlags | CERTDB_TRUSTED_CA : 0 ;
-	goto trust;
-    case CKA_TRUST_SERVER_AUTH:
-	trustFlags = trust->trust->sslFlags;
-	goto trust;
-    case CKA_TRUST_EMAIL_PROTECTION:
-	trustFlags = trust->trust->emailFlags;
-	goto trust;
-    case CKA_TRUST_CODE_SIGNING:
-	trustFlags = trust->trust->objectSigningFlags;
-trust:
-	if (trustFlags & CERTDB_TRUSTED_CA ) {
-	    return SFTK_CLONE_ATTR(type,sftk_StaticTrustedDelegatorAttr);
-	}
-	if (trustFlags & CERTDB_TRUSTED) {
-	    return SFTK_CLONE_ATTR(type,sftk_StaticTrustedAttr);
-	}
-	if (trustFlags & CERTDB_NOT_TRUSTED) {
-	    return SFTK_CLONE_ATTR(type,sftk_StaticUnTrustedAttr);
-	}
-	if (trustFlags & CERTDB_TRUSTED_UNKNOWN) {
-	    return SFTK_CLONE_ATTR(type,sftk_StaticTrustUnknownAttr);
-	}
-	if (trustFlags & CERTDB_VALID_CA) {
-	    return SFTK_CLONE_ATTR(type,sftk_StaticValidDelegatorAttr);
-	}
-	if (trustFlags & CERTDB_VALID_PEER) {
-	    return SFTK_CLONE_ATTR(type,sftk_StaticValidPeerAttr);
-	}
-	return SFTK_CLONE_ATTR(type,sftk_StaticMustVerifyAttr);
-    case CKA_TRUST_STEP_UP_APPROVED:
-	if (trust->trust->sslFlags & CERTDB_GOVT_APPROVED_CA) {
-	    return SFTK_CLONE_ATTR(type,sftk_StaticTrueAttr);
-	} else {
-	    return SFTK_CLONE_ATTR(type,sftk_StaticFalseAttr);
-	}
-    default:
-	break;
-    }
-
-#ifdef notdef
-    switch (type) {
-    case CKA_ISSUER:
-	cert = sftk_getCertObject(object);
-	if (cert == NULL) break;
-	attr = sftk_NewTokenAttribute(type,cert->derIssuer.data,
-						cert->derIssuer.len, PR_FALSE);
-	
-    case CKA_SERIAL_NUMBER:
-	cert = sftk_getCertObject(object);
-	if (cert == NULL) break;
-	item = SEC_ASN1EncodeItem(NULL,NULL,cert,sftk_SerialTemplate);
-	if (item == NULL) break;
-	attr = sftk_NewTokenAttribute(type, item->data, item->len, PR_TRUE);
-	SECITEM_FreeItem(item,PR_TRUE);
-    }
-    if (cert) {
-	NSSLOWCERTDestroyCertificate(cert);	
-	return attr;
-    }
-#endif
-    return NULL;
-}
-
-static SFTKAttribute *
-sftk_FindCrlAttribute(SFTKTokenObject *object, CK_ATTRIBUTE_TYPE type)
-{
-    certDBEntryRevocation *crl;
-
-    switch (type) {
-    case CKA_PRIVATE:
-    case CKA_MODIFIABLE:
-	return SFTK_CLONE_ATTR(type,sftk_StaticFalseAttr);
-    case CKA_NETSCAPE_KRL:
-	return ((object->obj.handle == SFTK_TOKEN_KRL_HANDLE) 
-		? SFTK_CLONE_ATTR(type,sftk_StaticTrueAttr)
-		: SFTK_CLONE_ATTR(type,sftk_StaticFalseAttr));
-    case CKA_SUBJECT:
-	return sftk_NewTokenAttribute(type,object->dbKey.data,
-						object->dbKey.len, PR_FALSE);	
-    case CKA_NETSCAPE_URL:
-    case CKA_VALUE:
-	break;
-    default:
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-    	return NULL;
-    }
-    crl =  sftk_getCrl(object);
-    if (!crl) {
-	return NULL;
-    }
-    switch (type) {
-    case CKA_NETSCAPE_URL:
-	if (crl->url == NULL) {
-	    return SFTK_CLONE_ATTR(type,sftk_StaticNullAttr);
-	}
-	return sftk_NewTokenAttribute(type, crl->url, 
-					PORT_Strlen(crl->url)+1, PR_TRUE);
-    case CKA_VALUE:
-	return sftk_NewTokenAttribute(type, crl->derCrl.data, 
-						crl->derCrl.len, PR_FALSE);
-    default:
-	break;
-    }
-    return NULL;
-}
-
-static SFTKAttribute *
-sftk_FindCertAttribute(SFTKTokenObject *object, CK_ATTRIBUTE_TYPE type)
-{
-    NSSLOWCERTCertificate  *cert;
-    NSSLOWCERTCertDBHandle *certHandle;
-    NSSLOWKEYPublicKey     *pubKey;
-    unsigned char hash[SHA1_LENGTH];
-    SECItem *item;
-
-    switch (type) {
-    case CKA_PRIVATE:
-	return SFTK_CLONE_ATTR(type,sftk_StaticFalseAttr);
-    case CKA_MODIFIABLE:
-	return SFTK_CLONE_ATTR(type,sftk_StaticTrueAttr);
-    case CKA_CERTIFICATE_TYPE:
-        /* hardcoding X.509 into here */
-        return SFTK_CLONE_ATTR(type,sftk_StaticX509Attr);
-    case CKA_VALUE:
-    case CKA_ID:
-    case CKA_LABEL:
-    case CKA_SUBJECT:
-    case CKA_ISSUER:
-    case CKA_SERIAL_NUMBER:
-    case CKA_NETSCAPE_EMAIL:
-	break;
-    default:
-	return NULL;
-    }
-
-    certHandle = sftk_getCertDB(object->obj.slot);
-    if (certHandle == NULL) {
-	return NULL;
-    }
-
-    cert = sftk_getCert(object, certHandle);
-    sftk_freeCertDB(certHandle);
-    if (cert == NULL) {
-	return NULL;
-    }
-    switch (type) {
-    case CKA_VALUE:
-	return sftk_NewTokenAttribute(type,cert->derCert.data,
-						cert->derCert.len,PR_FALSE);
-    case CKA_ID:
-	if (((cert->trust->sslFlags & CERTDB_USER) == 0) &&
-		((cert->trust->emailFlags & CERTDB_USER) == 0) &&
-		((cert->trust->objectSigningFlags & CERTDB_USER) == 0)) {
-	    return SFTK_CLONE_ATTR(type,sftk_StaticNullAttr);
-	}
-	pubKey = nsslowcert_ExtractPublicKey(cert);
-	if (pubKey == NULL) break;
-	item = sftk_GetPubItem(pubKey);
-	if (item == NULL) {
-	    nsslowkey_DestroyPublicKey(pubKey);
-	    break;
-	}
-	SHA1_HashBuf(hash,item->data,item->len);
-	/* item is imbedded in pubKey, just free the key */
-	nsslowkey_DestroyPublicKey(pubKey);
-	return sftk_NewTokenAttribute(type, hash, SHA1_LENGTH, PR_TRUE);
-    case CKA_LABEL:
-	return cert->nickname 
-	       ? sftk_NewTokenAttribute(type, cert->nickname,
-				        PORT_Strlen(cert->nickname), PR_FALSE) 
-	       : SFTK_CLONE_ATTR(type,sftk_StaticNullAttr);
-    case CKA_SUBJECT:
-	return sftk_NewTokenAttribute(type,cert->derSubject.data,
-						cert->derSubject.len, PR_FALSE);
-    case CKA_ISSUER:
-	return sftk_NewTokenAttribute(type,cert->derIssuer.data,
-						cert->derIssuer.len, PR_FALSE);
-    case CKA_SERIAL_NUMBER:
-	return sftk_NewTokenAttribute(type,cert->derSN.data,
-						cert->derSN.len, PR_FALSE);
-    case CKA_NETSCAPE_EMAIL:
-	return (cert->emailAddr && cert->emailAddr[0])
-	    ? sftk_NewTokenAttribute(type, cert->emailAddr,
-	                             PORT_Strlen(cert->emailAddr), PR_FALSE) 
-	    : SFTK_CLONE_ATTR(type,sftk_StaticNullAttr);
-    default:
-	break;
-    }
-    return NULL;
-}
-    
-static SFTKAttribute *    
-sftk_FindTokenAttribute(SFTKTokenObject *object,CK_ATTRIBUTE_TYPE type)
-{
-    /* handle the common ones */
-    switch (type) {
-    case CKA_CLASS:
-	return sftk_NewTokenAttribute(type,&object->obj.objclass,
-					sizeof(object->obj.objclass),PR_FALSE);
-    case CKA_TOKEN:
-	return SFTK_CLONE_ATTR(type,sftk_StaticTrueAttr);
-    case CKA_LABEL:
-	if (  (object->obj.objclass == CKO_CERTIFICATE) 
-	   || (object->obj.objclass == CKO_PRIVATE_KEY)
-	   || (object->obj.objclass == CKO_PUBLIC_KEY)
-	   || (object->obj.objclass == CKO_SECRET_KEY)) {
-	    break;
-	}
-	return SFTK_CLONE_ATTR(type,sftk_StaticNullAttr);
-    default:
-	break;
-    }
-    switch (object->obj.objclass) {
-    case CKO_CERTIFICATE:
-	return sftk_FindCertAttribute(object,type);
-    case CKO_NETSCAPE_CRL:
-	return sftk_FindCrlAttribute(object,type);
-    case CKO_NETSCAPE_TRUST:
-	return sftk_FindTrustAttribute(object,type);
-    case CKO_NETSCAPE_SMIME:
-	return sftk_FindSMIMEAttribute(object,type);
-    case CKO_PUBLIC_KEY:
-	return sftk_FindPublicKeyAttribute(object,type);
-    case CKO_PRIVATE_KEY:
-	return sftk_FindPrivateKeyAttribute(object,type);
-    case CKO_SECRET_KEY:
-	return sftk_FindSecretKeyAttribute(object,type);
-    default:
-	break;
-    }
-    PORT_Assert(0);
-    return NULL;
-} 
-
-/*
- * look up and attribute structure from a type and Object structure.
- * The returned attribute is referenced and needs to be freed when 
- * it is no longer needed.
- */
-SFTKAttribute *
-sftk_FindAttribute(SFTKObject *object,CK_ATTRIBUTE_TYPE type)
-{
-    SFTKAttribute *attribute;
-    SFTKSessionObject *sessObject = sftk_narrowToSessionObject(object);
-
-    if (sessObject == NULL) {
-	return sftk_FindTokenAttribute(sftk_narrowToTokenObject(object),type);
-    }
-
-    PZ_Lock(sessObject->attributeLock);
-    sftkqueue_find(attribute,type,sessObject->head, sessObject->hashSize);
-    PZ_Unlock(sessObject->attributeLock);
-
-    return(attribute);
-}
-
-/*
- * Take a buffer and it's length and return it's true size in bits;
- */
-unsigned int
-sftk_GetLengthInBits(unsigned char *buf, unsigned int bufLen)
-{
-    unsigned int size = bufLen * 8;
-    unsigned int i;
-
-    /* Get the real length in bytes */
-    for (i=0; i < bufLen; i++) {
-	unsigned char  c = *buf++;
-	if (c != 0) {
-	    unsigned char m;
-	    for (m=0x80; m > 0 ;  m = m >> 1) {
-		if ((c & m) != 0) {
-		    break;
-		} 
-		size--;
-	    }
-	    break;
-	}
-	size-=8;
-    }
-    return size;
-}
-
-/*
- * Constrain a big num attribute. to size and padding
- * minLength means length of the object must be greater than equal to minLength
- * maxLength means length of the object must be less than equal to maxLength
- * minMultiple means that object length mod minMultiple must equal 0.
- * all input sizes are in bits.
- * if any constraint is '0' that constraint is not checked.
- */
-CK_RV
-sftk_ConstrainAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type, 
-			int minLength, int maxLength, int minMultiple)
-{
-    SFTKAttribute *attribute;
-    int size;
-    unsigned char *ptr;
-
-    attribute = sftk_FindAttribute(object, type);
-    if (!attribute) {
-	return CKR_TEMPLATE_INCOMPLETE;
-    }
-    ptr = (unsigned char *) attribute->attrib.pValue;
-    if (ptr == NULL) {
-	sftk_FreeAttribute(attribute);
-	return CKR_ATTRIBUTE_VALUE_INVALID;
-    }
-    size = sftk_GetLengthInBits(ptr, attribute->attrib.ulValueLen);
-    sftk_FreeAttribute(attribute);
-
-    if ((minLength != 0) && (size <  minLength)) {
-	return CKR_ATTRIBUTE_VALUE_INVALID;
-    }
-    if ((maxLength != 0) && (size >  maxLength)) {
-	return CKR_ATTRIBUTE_VALUE_INVALID;
-    }
-    if ((minMultiple != 0) && ((size % minMultiple) != 0)) {
-	return CKR_ATTRIBUTE_VALUE_INVALID;
-    }
-    return CKR_OK;
-}
-
-PRBool
-sftk_hasAttributeToken(SFTKTokenObject *object)
-{
-    return PR_FALSE;
-}
-
-/*
- * return true if object has attribute
- */
-PRBool
-sftk_hasAttribute(SFTKObject *object,CK_ATTRIBUTE_TYPE type)
-{
-    SFTKAttribute *attribute;
-    SFTKSessionObject *sessObject = sftk_narrowToSessionObject(object);
-
-    if (sessObject == NULL) {
-	return sftk_hasAttributeToken(sftk_narrowToTokenObject(object));
-    }
-
-    PZ_Lock(sessObject->attributeLock);
-    sftkqueue_find(attribute,type,sessObject->head, sessObject->hashSize);
-    PZ_Unlock(sessObject->attributeLock);
-
-    return (PRBool)(attribute != NULL);
-}
-
-/*
- * add an attribute to an object
- */
-static void
-sftk_AddAttribute(SFTKObject *object,SFTKAttribute *attribute)
-{
-    SFTKSessionObject *sessObject = sftk_narrowToSessionObject(object);
-
-    if (sessObject == NULL) return;
-    PZ_Lock(sessObject->attributeLock);
-    sftkqueue_add(attribute,attribute->handle,
-				sessObject->head, sessObject->hashSize);
-    PZ_Unlock(sessObject->attributeLock);
-}
-
-/* 
- * copy an unsigned attribute into a SECItem. Secitem is allocated in
- * the specified arena.
- */
-CK_RV
-sftk_Attribute2SSecItem(PLArenaPool *arena,SECItem *item,SFTKObject *object,
-                                      CK_ATTRIBUTE_TYPE type)
-{
-    SFTKAttribute *attribute;
-
-    item->data = NULL;
-
-    attribute = sftk_FindAttribute(object, type);
-    if (attribute == NULL) return CKR_TEMPLATE_INCOMPLETE;
-
-    (void)SECITEM_AllocItem(arena, item, attribute->attrib.ulValueLen);
-    if (item->data == NULL) {
-	sftk_FreeAttribute(attribute);
-	return CKR_HOST_MEMORY;
-    }
-    PORT_Memcpy(item->data, attribute->attrib.pValue, item->len);
-    sftk_FreeAttribute(attribute);
-    return CKR_OK;
-}
-
-
-/*
- * delete an attribute from an object
- */
-static void
-sftk_DeleteAttribute(SFTKObject *object, SFTKAttribute *attribute)
-{
-    SFTKSessionObject *sessObject = sftk_narrowToSessionObject(object);
-
-    if (sessObject == NULL) {
-	return ;
-    }
-    PZ_Lock(sessObject->attributeLock);
-    if (sftkqueue_is_queued(attribute,attribute->handle,
-				sessObject->head, sessObject->hashSize)) {
-	sftkqueue_delete(attribute,attribute->handle,
-				sessObject->head, sessObject->hashSize);
-    }
-    PZ_Unlock(sessObject->attributeLock);
-    sftk_FreeAttribute(attribute);
-}
-
-/*
- * this is only valid for CK_BBOOL type attributes. Return the state
- * of that attribute.
- */
-PRBool
-sftk_isTrue(SFTKObject *object,CK_ATTRIBUTE_TYPE type)
-{
-    SFTKAttribute *attribute;
-    PRBool tok = PR_FALSE;
-
-    attribute=sftk_FindAttribute(object,type);
-    if (attribute == NULL) { return PR_FALSE; }
-    tok = (PRBool)(*(CK_BBOOL *)attribute->attrib.pValue);
-    sftk_FreeAttribute(attribute);
-
-    return tok;
-}
-
-/*
- * force an attribute to null.
- * this is for sensitive keys which are stored in the database, we don't
- * want to keep this info around in memory in the clear.
- */
-void
-sftk_nullAttribute(SFTKObject *object,CK_ATTRIBUTE_TYPE type)
-{
-    SFTKAttribute *attribute;
-
-    attribute=sftk_FindAttribute(object,type);
-    if (attribute == NULL) return;
-
-    if (attribute->attrib.pValue != NULL) {
-	PORT_Memset(attribute->attrib.pValue,0,attribute->attrib.ulValueLen);
-	if (attribute->freeData) {
-	    PORT_Free(attribute->attrib.pValue);
-	}
-	attribute->freeData = PR_FALSE;
-	attribute->attrib.pValue = NULL;
-	attribute->attrib.ulValueLen = 0;
-    }
-    sftk_FreeAttribute(attribute);
-}
-
-static CK_RV
-sftk_SetCertAttribute(SFTKTokenObject *to, CK_ATTRIBUTE_TYPE type, 
-						void *value, unsigned int len)
-{
-    NSSLOWCERTCertificate  *cert;
-    NSSLOWCERTCertDBHandle *certHandle;
-    char *nickname = NULL;
-    SECStatus rv;
-    CK_RV crv;
-
-    /* we can't change  the EMAIL values, but let the
-     * upper layers feel better about the fact we tried to set these */
-    if (type == CKA_NETSCAPE_EMAIL) {
-	return CKR_OK;
-    }
-
-    certHandle = sftk_getCertDB(to->obj.slot);
-    if (certHandle == NULL) {
-	crv = CKR_TOKEN_WRITE_PROTECTED;
-	goto done;
-    }
-
-    if ((type != CKA_LABEL)  && (type != CKA_ID)) {
-	crv = CKR_ATTRIBUTE_READ_ONLY;
-	goto done;
-    }
-
-    cert = sftk_getCert(to, certHandle);
-    if (cert == NULL) {
-	crv = CKR_OBJECT_HANDLE_INVALID;
-	goto done;
-    }
-
-    /* if the app is trying to set CKA_ID, it's probably because it just
-     * imported the key. Look to see if we need to set the CERTDB_USER bits.
-     */
-    if (type == CKA_ID) {
-	if (((cert->trust->sslFlags & CERTDB_USER) == 0) &&
-		((cert->trust->emailFlags & CERTDB_USER) == 0) &&
-		((cert->trust->objectSigningFlags & CERTDB_USER) == 0)) {
-	    SFTKSlot *slot = to->obj.slot;
-	    NSSLOWKEYDBHandle      *keyHandle;
-
-	    keyHandle = sftk_getKeyDB(slot);
-	    if (keyHandle) {
-		if (nsslowkey_KeyForCertExists(keyHandle, cert)) {
-		    NSSLOWCERTCertTrust trust = *cert->trust;
-		    trust.sslFlags |= CERTDB_USER;
-		    trust.emailFlags |= CERTDB_USER;
-		    trust.objectSigningFlags |= CERTDB_USER;
-		    nsslowcert_ChangeCertTrust(certHandle,cert,&trust);
-		}
-		sftk_freeKeyDB(keyHandle);
-	    }
-	}
-	crv = CKR_OK;
-	goto done;
-    }
-
-    /* must be CKA_LABEL */
-    if (value != NULL) {
-	nickname = PORT_ZAlloc(len+1);
-	if (nickname == NULL) {
-	    crv = CKR_HOST_MEMORY;
-	    goto done;
-	}
-	PORT_Memcpy(nickname,value,len);
-	nickname[len] = 0;
-    }
-    rv = nsslowcert_AddPermNickname(certHandle, cert, nickname);
-    crv = (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
-
-done:
-    if (nickname) {
-	PORT_Free(nickname);
-    }
-    if (certHandle) {
-	sftk_freeCertDB(certHandle);
-    }
-    return crv;
-}
-
-static CK_RV
-sftk_SetPrivateKeyAttribute(SFTKTokenObject *to, CK_ATTRIBUTE_TYPE type, 
-						void *value, unsigned int len)
-{
-    NSSLOWKEYPrivateKey *privKey;
-    NSSLOWKEYDBHandle   *keyHandle;
-    char *nickname = NULL;
-    SECStatus rv;
-    CK_RV crv;
-
-    /* we can't change the ID and we don't store the subject, but let the
-     * upper layers feel better about the fact we tried to set these */
-    if ((type == CKA_ID) || (type == CKA_SUBJECT)) {
-	return CKR_OK;
-    }
-
-    keyHandle = sftk_getKeyDB(to->obj.slot);
-    if (keyHandle == NULL) {
-	crv = CKR_TOKEN_WRITE_PROTECTED;
-	goto done;
-    }
-    if (type != CKA_LABEL) {
-	crv = CKR_ATTRIBUTE_READ_ONLY;
-	goto done;
-    }
-
-    privKey = sftk_GetPrivateKeyWithDB(to, keyHandle);
-    if (privKey == NULL) {
-	crv = CKR_OBJECT_HANDLE_INVALID;
-	goto done;
-    }
-    if (value != NULL) {
-	nickname = PORT_ZAlloc(len+1);
-	if (nickname == NULL) {
-	    crv = CKR_HOST_MEMORY;
-	    goto done;
-	}
-	PORT_Memcpy(nickname,value,len);
-	nickname[len] = 0;
-    }
-    rv = nsslowkey_UpdateNickname(keyHandle, privKey, &to->dbKey, 
-					nickname, to->obj.slot->password);
-    crv = (rv == SECSuccess) ? CKR_OK :  CKR_DEVICE_ERROR;
-done:
-    if (nickname) {
-	PORT_Free(nickname);
-    }
-    if (keyHandle) {
-	sftk_freeKeyDB(keyHandle);
-    }
-    return crv;
-}
-
-static CK_RV
-sftk_SetTrustAttribute(SFTKTokenObject *to, CK_ATTRIBUTE_TYPE type, 
-						void *value, unsigned int len)
-{
-    unsigned int flags;
-    CK_TRUST  trust;
-    NSSLOWCERTCertificate  *cert;
-    NSSLOWCERTCertDBHandle *certHandle;
-    NSSLOWCERTCertTrust    dbTrust;
-    SECStatus rv;
-    CK_RV crv;
-
-    if (len != sizeof (CK_TRUST)) {
-	return CKR_ATTRIBUTE_VALUE_INVALID;
-    }
-    trust = *(CK_TRUST *)value;
-    flags = sftk_MapTrust(trust, (PRBool) (type == CKA_TRUST_SERVER_AUTH));
-
-    certHandle = sftk_getCertDB(to->obj.slot);
-
-    if (certHandle == NULL) {
-	crv = CKR_TOKEN_WRITE_PROTECTED;
-	goto done;
-    }
-
-    cert = sftk_getCert(to, certHandle);
-    if (cert == NULL) {
-	crv = CKR_OBJECT_HANDLE_INVALID;
-	goto done;
-    }
-    dbTrust = *cert->trust;
-
-    switch (type) {
-    case CKA_TRUST_EMAIL_PROTECTION:
-	dbTrust.emailFlags = flags |
-		(cert->trust->emailFlags & CERTDB_PRESERVE_TRUST_BITS);
-	break;
-    case CKA_TRUST_CODE_SIGNING:
-	dbTrust.objectSigningFlags = flags |
-		(cert->trust->objectSigningFlags & CERTDB_PRESERVE_TRUST_BITS);
-	break;
-    case CKA_TRUST_CLIENT_AUTH:
-	dbTrust.sslFlags = flags | (cert->trust->sslFlags & 
-				(CERTDB_PRESERVE_TRUST_BITS|CERTDB_TRUSTED_CA));
-	break;
-    case CKA_TRUST_SERVER_AUTH:
-	dbTrust.sslFlags = flags | (cert->trust->sslFlags & 
-			(CERTDB_PRESERVE_TRUST_BITS|CERTDB_TRUSTED_CLIENT_CA));
-	break;
-    default:
-	crv = CKR_ATTRIBUTE_READ_ONLY;
-	goto done;
-    }
-
-    rv = nsslowcert_ChangeCertTrust(certHandle, cert, &dbTrust);
-    crv = (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
-done:
-    if (certHandle) {
-	sftk_freeCertDB(certHandle);
-    }
-    return crv;
-}
-
-static CK_RV
-sftk_forceTokenAttribute(SFTKObject *object,CK_ATTRIBUTE_TYPE type, 
-						void *value, unsigned int len)
-{
-    SFTKAttribute *attribute;
-    SFTKTokenObject *to = sftk_narrowToTokenObject(object);
-    CK_RV crv = CKR_ATTRIBUTE_READ_ONLY;
-
-    PORT_Assert(to);
-    if (to == NULL) {
-	return CKR_DEVICE_ERROR;
-    }
-
-    /* if we are just setting it to the value we already have,
-     * allow it to happen. Let label setting go through so
-     * we have the opportunity to repair any database corruption. */
-    attribute=sftk_FindAttribute(object,type);
-    PORT_Assert(attribute);
-    if (!attribute) {
-        return CKR_ATTRIBUTE_TYPE_INVALID;
-
-    }
-    if ((type != CKA_LABEL) && (attribute->attrib.ulValueLen == len) &&
-	PORT_Memcmp(attribute->attrib.pValue,value,len) == 0) {
-	sftk_FreeAttribute(attribute);
-	return CKR_OK;
-    }
-
-    switch (object->objclass) {
-    case CKO_CERTIFICATE:
-	/* change NICKNAME, EMAIL,  */
-	crv = sftk_SetCertAttribute(to,type,value,len);
-	break;
-    case CKO_NETSCAPE_CRL:
-	/* change URL */
-	break;
-    case CKO_NETSCAPE_TRUST:
-	crv = sftk_SetTrustAttribute(to,type,value,len);
-	break;
-    case CKO_PRIVATE_KEY:
-    case CKO_SECRET_KEY:
-	crv = sftk_SetPrivateKeyAttribute(to,type,value,len);
-	break;
-    }
-    sftk_FreeAttribute(attribute);
-    return crv;
-}
-	
-/*
- * force an attribute to a spaecif value.
- */
-CK_RV
-sftk_forceAttribute(SFTKObject *object,CK_ATTRIBUTE_TYPE type, void *value,
-						unsigned int len)
-{
-    SFTKAttribute *attribute;
-    void *att_val = NULL;
-    PRBool freeData = PR_FALSE;
-
-    PORT_Assert(object);
-    PORT_Assert(object->refCount);
-    PORT_Assert(object->slot);
-    if (!object ||
-        !object->refCount ||
-        !object->slot) {
-        return CKR_DEVICE_ERROR;
-    }
-    if (sftk_isToken(object->handle)) {
-	return sftk_forceTokenAttribute(object,type,value,len);
-    }
-    attribute=sftk_FindAttribute(object,type);
-    if (attribute == NULL) return sftk_AddAttributeType(object,type,value,len);
-
-
-    if (value) {
-        if (len <= ATTR_SPACE) {
-	    att_val = attribute->space;
-	} else {
-	    att_val = PORT_Alloc(len);
-	    freeData = PR_TRUE;
-	}
-	if (att_val == NULL) {
-	    return CKR_HOST_MEMORY;
-	}
-	if (attribute->attrib.pValue == att_val) {
-	    PORT_Memset(attribute->attrib.pValue,0,
-					attribute->attrib.ulValueLen);
-	}
-	PORT_Memcpy(att_val,value,len);
-    }
-    if (attribute->attrib.pValue != NULL) {
-	if (attribute->attrib.pValue != att_val) {
-	    PORT_Memset(attribute->attrib.pValue,0,
-					attribute->attrib.ulValueLen);
-	}
-	if (attribute->freeData) {
-	    PORT_Free(attribute->attrib.pValue);
-	}
-	attribute->freeData = PR_FALSE;
-	attribute->attrib.pValue = NULL;
-	attribute->attrib.ulValueLen = 0;
-    }
-    if (att_val) {
-	attribute->attrib.pValue = att_val;
-	attribute->attrib.ulValueLen = len;
-	attribute->freeData = freeData;
-    }
-    sftk_FreeAttribute(attribute);
-    return CKR_OK;
-}
-
-/*
- * return a null terminated string from attribute 'type'. This string
- * is allocated and needs to be freed with PORT_Free() When complete.
- */
-char *
-sftk_getString(SFTKObject *object,CK_ATTRIBUTE_TYPE type)
-{
-    SFTKAttribute *attribute;
-    char *label = NULL;
-
-    attribute=sftk_FindAttribute(object,type);
-    if (attribute == NULL) return NULL;
-
-    if (attribute->attrib.pValue != NULL) {
-	label = (char *) PORT_Alloc(attribute->attrib.ulValueLen+1);
-	if (label == NULL) {
-    	    sftk_FreeAttribute(attribute);
-	    return NULL;
-	}
-
-	PORT_Memcpy(label,attribute->attrib.pValue,
-						attribute->attrib.ulValueLen);
-	label[attribute->attrib.ulValueLen] = 0;
-    }
-    sftk_FreeAttribute(attribute);
-    return label;
-}
-
-/*
- * decode when a particular attribute may be modified
- * 	SFTK_NEVER: This attribute must be set at object creation time and
- *  can never be modified.
- *	SFTK_ONCOPY: This attribute may be modified only when you copy the
- *  object.
- *	SFTK_SENSITIVE: The CKA_SENSITIVE attribute can only be changed from
- *  CK_FALSE to CK_TRUE.
- *	SFTK_ALWAYS: This attribute can always be modified.
- * Some attributes vary their modification type based on the class of the 
- *   object.
- */
-SFTKModifyType
-sftk_modifyType(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass)
-{
-    /* if we don't know about it, user user defined, always allow modify */
-    SFTKModifyType mtype = SFTK_ALWAYS; 
-
-    switch(type) {
-    /* NEVER */
-    case CKA_CLASS:
-    case CKA_CERTIFICATE_TYPE:
-    case CKA_KEY_TYPE:
-    case CKA_MODULUS:
-    case CKA_MODULUS_BITS:
-    case CKA_PUBLIC_EXPONENT:
-    case CKA_PRIVATE_EXPONENT:
-    case CKA_PRIME:
-    case CKA_SUBPRIME:
-    case CKA_BASE:
-    case CKA_PRIME_1:
-    case CKA_PRIME_2:
-    case CKA_EXPONENT_1:
-    case CKA_EXPONENT_2:
-    case CKA_COEFFICIENT:
-    case CKA_VALUE_LEN:
-    case CKA_ALWAYS_SENSITIVE:
-    case CKA_NEVER_EXTRACTABLE:
-    case CKA_NETSCAPE_DB:
-	mtype = SFTK_NEVER;
-	break;
-
-    /* ONCOPY */
-    case CKA_TOKEN:
-    case CKA_PRIVATE:
-    case CKA_MODIFIABLE:
-	mtype = SFTK_ONCOPY;
-	break;
-
-    /* SENSITIVE */
-    case CKA_SENSITIVE:
-    case CKA_EXTRACTABLE:
-	mtype = SFTK_SENSITIVE;
-	break;
-
-    /* ALWAYS */
-    case CKA_LABEL:
-    case CKA_APPLICATION:
-    case CKA_ID:
-    case CKA_SERIAL_NUMBER:
-    case CKA_START_DATE:
-    case CKA_END_DATE:
-    case CKA_DERIVE:
-    case CKA_ENCRYPT:
-    case CKA_DECRYPT:
-    case CKA_SIGN:
-    case CKA_VERIFY:
-    case CKA_SIGN_RECOVER:
-    case CKA_VERIFY_RECOVER:
-    case CKA_WRAP:
-    case CKA_UNWRAP:
-	mtype = SFTK_ALWAYS;
-	break;
-
-    /* DEPENDS ON CLASS */
-    case CKA_VALUE:
-	mtype = (inClass == CKO_DATA) ? SFTK_ALWAYS : SFTK_NEVER;
-	break;
-
-    case CKA_SUBJECT:
-	mtype = (inClass == CKO_CERTIFICATE) ? SFTK_NEVER : SFTK_ALWAYS;
-	break;
-    default:
-	break;
-    }
-    return mtype;
-}
-
-/* decode if a particular attribute is sensitive (cannot be read
- * back to the user of if the object is set to SENSITIVE) */
-PRBool
-sftk_isSensitive(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass)
-{
-    switch(type) {
-    /* ALWAYS */
-    case CKA_PRIVATE_EXPONENT:
-    case CKA_PRIME_1:
-    case CKA_PRIME_2:
-    case CKA_EXPONENT_1:
-    case CKA_EXPONENT_2:
-    case CKA_COEFFICIENT:
-	return PR_TRUE;
-
-    /* DEPENDS ON CLASS */
-    case CKA_VALUE:
-	/* PRIVATE and SECRET KEYS have SENSITIVE values */
-	return (PRBool)((inClass == CKO_PRIVATE_KEY) || (inClass == CKO_SECRET_KEY));
-
-    default:
-	break;
-    }
-    return PR_FALSE;
-}
-
-/* 
- * copy an attribute into a SECItem. Secitem is allocated in the specified
- * arena.
- */
-CK_RV
-sftk_Attribute2SecItem(PLArenaPool *arena,SECItem *item,SFTKObject *object,
-					CK_ATTRIBUTE_TYPE type)
-{
-    int len;
-    SFTKAttribute *attribute;
-
-    attribute = sftk_FindAttribute(object, type);
-    if (attribute == NULL) return CKR_TEMPLATE_INCOMPLETE;
-    len = attribute->attrib.ulValueLen;
-
-    if (arena) {
-    	item->data = (unsigned char *) PORT_ArenaAlloc(arena,len);
-    } else {
-    	item->data = (unsigned char *) PORT_Alloc(len);
-    }
-    if (item->data == NULL) {
-	sftk_FreeAttribute(attribute);
-	return CKR_HOST_MEMORY;
-    }
-    item->len = len;
-    PORT_Memcpy(item->data,attribute->attrib.pValue, len);
-    sftk_FreeAttribute(attribute);
-    return CKR_OK;
-}
-
-CK_RV
-sftk_GetULongAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
-							 CK_ULONG *longData)
-{
-    SFTKAttribute *attribute;
-
-    attribute = sftk_FindAttribute(object, type);
-    if (attribute == NULL) return CKR_TEMPLATE_INCOMPLETE;
-
-    if (attribute->attrib.ulValueLen != sizeof(CK_ULONG)) {
-	return CKR_ATTRIBUTE_VALUE_INVALID;
-    }
-
-    *longData = *(CK_ULONG *)attribute->attrib.pValue;
-    sftk_FreeAttribute(attribute);
-    return CKR_OK;
-}
-
-void
-sftk_DeleteAttributeType(SFTKObject *object,CK_ATTRIBUTE_TYPE type)
-{
-    SFTKAttribute *attribute;
-    attribute = sftk_FindAttribute(object, type);
-    if (attribute == NULL) return ;
-    sftk_DeleteAttribute(object,attribute);
-    sftk_FreeAttribute(attribute);
-}
-
-CK_RV
-sftk_AddAttributeType(SFTKObject *object,CK_ATTRIBUTE_TYPE type,void *valPtr,
-							CK_ULONG length)
-{
-    SFTKAttribute *attribute;
-    attribute = sftk_NewAttribute(object,type,valPtr,length);
-    if (attribute == NULL) { return CKR_HOST_MEMORY; }
-    sftk_AddAttribute(object,attribute);
-    return CKR_OK;
-}
-
-/*
- * ******************** Object Utilities *******************************
- */
-
-static SECStatus
-sftk_deleteTokenKeyByHandle(SFTKSlot *slot, CK_OBJECT_HANDLE handle)
-{
-   SECItem *item;
-   PRBool rem;
-
-   item = (SECItem *)PL_HashTableLookup(slot->tokenHashTable, (void *)handle);
-   rem = PL_HashTableRemove(slot->tokenHashTable,(void *)handle) ;
-   if (rem && item) {
-	SECITEM_FreeItem(item,PR_TRUE);
-   }
-   return rem ? SECSuccess : SECFailure;
-}
-
-/* must be called holding sftk_tokenKeyLock(slot) */
-static SECStatus
-sftk_addTokenKeyByHandle(SFTKSlot *slot, CK_OBJECT_HANDLE handle, SECItem *key)
-{
-    PLHashEntry *entry;
-    SECItem *item;
-
-    /* don't add a new handle in the middle of closing down a slot */
-    if (!slot->present) {
-	return SECFailure;
-    }
-
-    item = SECITEM_DupItem(key);
-    if (item == NULL) {
-	return SECFailure;
-    }
-    entry = PL_HashTableAdd(slot->tokenHashTable,(void *)handle,item);
-    if (entry == NULL) {
-	SECITEM_FreeItem(item,PR_TRUE);
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-/* must be called holding sftk_tokenKeyLock(slot) */
-static SECItem *
-sftk_lookupTokenKeyByHandle(SFTKSlot *slot, CK_OBJECT_HANDLE handle)
-{
-    return (SECItem *)PL_HashTableLookup(slot->tokenHashTable, (void *)handle);
-}
-
-/*
- * use the refLock. This operations should be very rare, so the added
- * contention on the ref lock should be lower than the overhead of adding
- * a new lock. We use separate functions for this just in case I'm wrong.
- */
-static void
-sftk_tokenKeyLock(SFTKSlot *slot) {
-    PZ_Lock(slot->objectLock);
-}
-
-static void
-sftk_tokenKeyUnlock(SFTKSlot *slot) {
-    PZ_Unlock(slot->objectLock);
-}
-
-static PRIntn
-sftk_freeHashItem(PLHashEntry* entry, PRIntn index, void *arg)
-{
-    SECItem *item = (SECItem *)entry->value;
-
-    SECITEM_FreeItem(item, PR_TRUE);
-    return HT_ENUMERATE_NEXT;
-}
-
-CK_RV
-SFTK_ClearTokenKeyHashTable(SFTKSlot *slot)
-{
-    sftk_tokenKeyLock(slot);
-    PORT_Assert(!slot->present);
-    PL_HashTableEnumerateEntries(slot->tokenHashTable, sftk_freeHashItem, NULL);
-    sftk_tokenKeyUnlock(slot);
-    return CKR_OK;
-}
-
-
-/* allocation hooks that allow us to recycle old object structures */
-static SFTKObjectFreeList sessionObjectList = { NULL, NULL, 0 };
-static SFTKObjectFreeList tokenObjectList = { NULL, NULL, 0 };
-
-SFTKObject *
-sftk_GetObjectFromList(PRBool *hasLocks, PRBool optimizeSpace, 
-     SFTKObjectFreeList *list, unsigned int hashSize, PRBool isSessionObject)
-{
-    SFTKObject *object;
-    int size = 0;
-
-    if (!optimizeSpace) {
-	PZ_Lock(list->lock);
-	object = list->head;
-	if (object) {
-	    list->head = object->next;
-	    list->count--;
-	}    	
-	PZ_Unlock(list->lock);
-	if (object) {
-	    object->next = object->prev = NULL;
-            *hasLocks = PR_TRUE;
-	    return object;
-	}
-    }
-    size = isSessionObject ? sizeof(SFTKSessionObject) 
-		+ hashSize *sizeof(SFTKAttribute *) : sizeof(SFTKTokenObject);
-
-    object  = (SFTKObject*)PORT_ZAlloc(size);
-    if (isSessionObject) {
-	((SFTKSessionObject *)object)->hashSize = hashSize;
-    }
-    *hasLocks = PR_FALSE;
-    return object;
-}
-
-static void
-sftk_PutObjectToList(SFTKObject *object, SFTKObjectFreeList *list,
-						PRBool isSessionObject) {
-
-    /* the code below is equivalent to :
-     *     optimizeSpace = isSessionObject ? object->optimizeSpace : PR_FALSE;
-     * just faster.
-     */
-    PRBool optimizeSpace = isSessionObject && 
-				((SFTKSessionObject *)object)->optimizeSpace; 
-    if (!optimizeSpace && (list->count < MAX_OBJECT_LIST_SIZE)) {
-	PZ_Lock(list->lock);
-	object->next = list->head;
-	list->head = object;
-	list->count++;
-	PZ_Unlock(list->lock);
-	return;
-    }
-    if (isSessionObject) {
-	SFTKSessionObject *so = (SFTKSessionObject *)object;
-	PZ_DestroyLock(so->attributeLock);
-	so->attributeLock = NULL;
-    }
-    PZ_DestroyLock(object->refLock);
-    object->refLock = NULL;
-    PORT_Free(object);
-}
-
-static SFTKObject *
-sftk_freeObjectData(SFTKObject *object) {
-   SFTKObject *next = object->next;
-
-   PORT_Free(object);
-   return next;
-}
-
-static void
-sftk_InitFreeList(SFTKObjectFreeList *list)
-{
-    list->lock = PZ_NewLock(nssILockObject);
-}
-
-void sftk_InitFreeLists(void)
-{
-    sftk_InitFreeList(&sessionObjectList);
-    sftk_InitFreeList(&tokenObjectList);
-}
-   
-static void
-sftk_CleanupFreeList(SFTKObjectFreeList *list, PRBool isSessionList)
-{
-    SFTKObject *object;
-
-    if (!list->lock) {
-	return;
-    }
-    PZ_Lock(list->lock);
-    for (object= list->head; object != NULL; 
-					object = sftk_freeObjectData(object)) {
-	PZ_DestroyLock(object->refLock);
-	if (isSessionList) {
-	    PZ_DestroyLock(((SFTKSessionObject *)object)->attributeLock);
-	}
-    }
-    list->count = 0;
-    list->head = NULL;
-    PZ_Unlock(list->lock);
-    PZ_DestroyLock(list->lock);
-    list->lock = NULL;
-}
-
-void
-sftk_CleanupFreeLists(void)
-{
-    sftk_CleanupFreeList(&sessionObjectList, PR_TRUE);
-    sftk_CleanupFreeList(&tokenObjectList, PR_FALSE);
-}
-
-
-/*
- * Create a new object
- */
-SFTKObject *
-sftk_NewObject(SFTKSlot *slot)
-{
-    SFTKObject *object;
-    SFTKSessionObject *sessObject;
-    PRBool hasLocks = PR_FALSE;
-    unsigned int i;
-    unsigned int hashSize = 0;
-
-    hashSize = (slot->optimizeSpace) ? SPACE_ATTRIBUTE_HASH_SIZE :
-				TIME_ATTRIBUTE_HASH_SIZE;
-
-    object = sftk_GetObjectFromList(&hasLocks, slot->optimizeSpace,
-				&sessionObjectList,  hashSize, PR_TRUE);
-    if (object == NULL) {
-	return NULL;
-    }
-    sessObject = (SFTKSessionObject *)object;
-    sessObject->nextAttr = 0;
-
-    for (i=0; i < MAX_OBJS_ATTRS; i++) {
-	sessObject->attrList[i].attrib.pValue = NULL;
-	sessObject->attrList[i].freeData = PR_FALSE;
-    }
-    sessObject->optimizeSpace = slot->optimizeSpace;
-
-    object->handle = 0;
-    object->next = object->prev = NULL;
-    object->slot = slot;
-    
-    object->refCount = 1;
-    sessObject->sessionList.next = NULL;
-    sessObject->sessionList.prev = NULL;
-    sessObject->sessionList.parent = object;
-    sessObject->session = NULL;
-    sessObject->wasDerived = PR_FALSE;
-    if (!hasLocks) object->refLock = PZ_NewLock(nssILockRefLock);
-    if (object->refLock == NULL) {
-	PORT_Free(object);
-	return NULL;
-    }
-    if (!hasLocks) sessObject->attributeLock = PZ_NewLock(nssILockAttribute);
-    if (sessObject->attributeLock == NULL) {
-	PZ_DestroyLock(object->refLock);
-	PORT_Free(object);
-	return NULL;
-    }
-    for (i=0; i < sessObject->hashSize; i++) {
-	sessObject->head[i] = NULL;
-    }
-    object->objectInfo = NULL;
-    object->infoFree = NULL;
-    return object;
-}
-
-static CK_RV
-sftk_DestroySessionObjectData(SFTKSessionObject *so)
-{
-	int i;
-
-	for (i=0; i < MAX_OBJS_ATTRS; i++) {
-	    unsigned char *value = so->attrList[i].attrib.pValue;
-	    if (value) {
-		PORT_Memset(value,0,so->attrList[i].attrib.ulValueLen);
-		if (so->attrList[i].freeData) {
-		    PORT_Free(value);
-		}
-		so->attrList[i].attrib.pValue = NULL;
-		so->attrList[i].freeData = PR_FALSE;
-	    }
-	}
-/*	PZ_DestroyLock(so->attributeLock);*/
-	return CKR_OK;
-}
-
-/*
- * free all the data associated with an object. Object reference count must
- * be 'zero'.
- */
-static CK_RV
-sftk_DestroyObject(SFTKObject *object)
-{
-    CK_RV crv = CKR_OK;
-    SFTKSessionObject *so = sftk_narrowToSessionObject(object);
-    SFTKTokenObject *to = sftk_narrowToTokenObject(object);
-
-    PORT_Assert(object->refCount == 0);
-
-    /* delete the database value */
-    if (to) {
-	if (to->dbKey.data) {
-	   PORT_Free(to->dbKey.data);
-	   to->dbKey.data = NULL;
-	}
-    } 
-    if (so) {
-	sftk_DestroySessionObjectData(so);
-    }
-    if (object->objectInfo) {
-	(*object->infoFree)(object->objectInfo);
-	object->objectInfo = NULL;
-	object->infoFree = NULL;
-    }
-    if (so) {
-	sftk_PutObjectToList(object,&sessionObjectList,PR_TRUE);
-    } else {
-	sftk_PutObjectToList(object,&tokenObjectList,PR_FALSE);
-    }
-    return crv;
-}
-
-void
-sftk_ReferenceObject(SFTKObject *object)
-{
-    PZ_Lock(object->refLock);
-    object->refCount++;
-    PZ_Unlock(object->refLock);
-}
-
-static SFTKObject *
-sftk_ObjectFromHandleOnSlot(CK_OBJECT_HANDLE handle, SFTKSlot *slot)
-{
-    SFTKObject *object;
-    PRUint32 index = sftk_hash(handle, slot->tokObjHashSize);
-
-    if (sftk_isToken(handle)) {
-	return sftk_NewTokenObject(slot, NULL, handle);
-    }
-
-    PZ_Lock(slot->objectLock);
-    sftkqueue_find2(object, handle, index, slot->tokObjects);
-    if (object) {
-	sftk_ReferenceObject(object);
-    }
-    PZ_Unlock(slot->objectLock);
-
-    return(object);
-}
-/*
- * look up and object structure from a handle. OBJECT_Handles only make
- * sense in terms of a given session.  make a reference to that object
- * structure returned.
- */
-SFTKObject *
-sftk_ObjectFromHandle(CK_OBJECT_HANDLE handle, SFTKSession *session)
-{
-    SFTKSlot *slot = sftk_SlotFromSession(session);
-
-    return sftk_ObjectFromHandleOnSlot(handle,slot);
-}
-
-
-/*
- * release a reference to an object handle
- */
-SFTKFreeStatus
-sftk_FreeObject(SFTKObject *object)
-{
-    PRBool destroy = PR_FALSE;
-    CK_RV crv;
-
-    PZ_Lock(object->refLock);
-    if (object->refCount == 1) destroy = PR_TRUE;
-    object->refCount--;
-    PZ_Unlock(object->refLock);
-
-    if (destroy) {
-	crv = sftk_DestroyObject(object);
-	if (crv != CKR_OK) {
-	   return SFTK_DestroyFailure;
-	} 
-	return SFTK_Destroyed;
-    }
-    return SFTK_Busy;
-}
- 
-/*
- * add an object to a slot and session queue. These two functions
- * adopt the object.
- */
-void
-sftk_AddSlotObject(SFTKSlot *slot, SFTKObject *object)
-{
-    PRUint32 index = sftk_hash(object->handle, slot->tokObjHashSize);
-    sftkqueue_init_element(object);
-    PZ_Lock(slot->objectLock);
-    sftkqueue_add2(object, object->handle, index, slot->tokObjects);
-    PZ_Unlock(slot->objectLock);
-}
-
-void
-sftk_AddObject(SFTKSession *session, SFTKObject *object)
-{
-    SFTKSlot *slot = sftk_SlotFromSession(session);
-    SFTKSessionObject *so = sftk_narrowToSessionObject(object);
-
-    if (so) {
-	PZ_Lock(session->objectLock);
-	sftkqueue_add(&so->sessionList,0,session->objects,0);
-	so->session = session;
-	PZ_Unlock(session->objectLock);
-    }
-    sftk_AddSlotObject(slot,object);
-    sftk_ReferenceObject(object);
-} 
-
-/*
- * add an object to a slot andsession queue
- */
-CK_RV
-sftk_DeleteObject(SFTKSession *session, SFTKObject *object)
-{
-    SFTKSlot *slot = sftk_SlotFromSession(session);
-    SFTKSessionObject *so = sftk_narrowToSessionObject(object);
-    SFTKTokenObject *to = sftk_narrowToTokenObject(object);
-    CK_RV crv = CKR_OK;
-    SECStatus rv;
-    NSSLOWCERTCertificate *cert;
-    NSSLOWCERTCertTrust tmptrust;
-    PRBool isKrl;
-    PRUint32 index = sftk_hash(object->handle, slot->tokObjHashSize);
-
-  /* Handle Token case */
-    if (so && so->session) {
-	SFTKSession *session = so->session;
-	PZ_Lock(session->objectLock);
-	sftkqueue_delete(&so->sessionList,0,session->objects,0);
-	PZ_Unlock(session->objectLock);
-	PZ_Lock(slot->objectLock);
-	sftkqueue_delete2(object, object->handle, index, slot->tokObjects);
-	PZ_Unlock(slot->objectLock);
-	sftkqueue_clear_deleted_element(object);
-	sftk_FreeObject(object); /* reduce it's reference count */
-    } else {
-	NSSLOWKEYDBHandle *keyHandle;
-	NSSLOWCERTCertDBHandle *certHandle;
-
-	PORT_Assert(to);
-	/* remove the objects from the real data base */
-	switch (object->handle & SFTK_TOKEN_TYPE_MASK) {
-	case SFTK_TOKEN_TYPE_PRIV:
-	case SFTK_TOKEN_TYPE_KEY:
-	    /* KEYID is the public KEY for DSA and DH, and the MODULUS for
-	     *  RSA */
-	    keyHandle = sftk_getKeyDB(slot);
-	    if (!keyHandle) {
-		crv = CKR_TOKEN_WRITE_PROTECTED;
-		break;
-	    }
-	    rv = nsslowkey_DeleteKey(keyHandle, &to->dbKey);
-	    sftk_freeKeyDB(keyHandle);
-	    if (rv != SECSuccess) {
-		crv = CKR_DEVICE_ERROR;
-	    }
-	    break;
-	case SFTK_TOKEN_TYPE_PUB:
-	    break; /* public keys only exist at the behest of the priv key */
-	case SFTK_TOKEN_TYPE_CERT:
-	    certHandle = sftk_getCertDB(slot);
-	    if (!certHandle) {
-		crv = CKR_TOKEN_WRITE_PROTECTED;
-		break;
-	    }
-	    cert = nsslowcert_FindCertByKey(certHandle,&to->dbKey);
-	    sftk_freeCertDB(certHandle);
-	    if (cert == NULL) {
-		crv = CKR_DEVICE_ERROR;
-		break;
-	    }
-	    rv = nsslowcert_DeletePermCertificate(cert);
-	    if (rv != SECSuccess) {
-		crv = CKR_DEVICE_ERROR;
-	    }
-	    nsslowcert_DestroyCertificate(cert);
-	    break;
-	case SFTK_TOKEN_TYPE_CRL:
-	    certHandle = sftk_getCertDB(slot);
-	    if (!certHandle) {
-		crv = CKR_TOKEN_WRITE_PROTECTED;
-		break;
-	    }
-	    isKrl = (PRBool) (object->handle == SFTK_TOKEN_KRL_HANDLE);
-	    rv = nsslowcert_DeletePermCRL(certHandle, &to->dbKey, isKrl);
-	    sftk_freeCertDB(certHandle);
-	    if (rv == SECFailure) crv = CKR_DEVICE_ERROR;
-	    break;
-	case SFTK_TOKEN_TYPE_TRUST:
-	    certHandle = sftk_getCertDB(slot);
-	    if (!certHandle) {
-		crv = CKR_TOKEN_WRITE_PROTECTED;
-		break;
-	    }
-	    cert = nsslowcert_FindCertByKey(certHandle, &to->dbKey);
-	    if (cert == NULL) {
-		sftk_freeCertDB(certHandle);
-		crv = CKR_DEVICE_ERROR;
-		break;
-	    }
-	    tmptrust = *cert->trust;
-	    tmptrust.sslFlags &= CERTDB_PRESERVE_TRUST_BITS;
-	    tmptrust.emailFlags &= CERTDB_PRESERVE_TRUST_BITS;
-	    tmptrust.objectSigningFlags &= CERTDB_PRESERVE_TRUST_BITS;
-	    tmptrust.sslFlags |= CERTDB_TRUSTED_UNKNOWN;
-	    tmptrust.emailFlags |= CERTDB_TRUSTED_UNKNOWN;
-	    tmptrust.objectSigningFlags |= CERTDB_TRUSTED_UNKNOWN;
-	    rv = nsslowcert_ChangeCertTrust(certHandle, cert, &tmptrust);
-	    sftk_freeCertDB(certHandle);
-	    if (rv != SECSuccess) crv = CKR_DEVICE_ERROR;
-	    nsslowcert_DestroyCertificate(cert);
-	    break;
-	default:
-	    break;
-	}
-	sftk_tokenKeyLock(object->slot);
-	sftk_deleteTokenKeyByHandle(object->slot,object->handle);
-	sftk_tokenKeyUnlock(object->slot);
-    } 
-    return crv;
-}
-
-/*
- * Token objects don't explicitly store their attributes, so we need to know
- * what attributes make up a particular token object before we can copy it.
- * below are the tables by object type.
- */
-static const CK_ATTRIBUTE_TYPE commonAttrs[] = {
-    CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_LABEL, CKA_MODIFIABLE
-};
-static const CK_ULONG commonAttrsCount = 
-			sizeof(commonAttrs)/sizeof(commonAttrs[0]);
-
-static const CK_ATTRIBUTE_TYPE commonKeyAttrs[] = {
-    CKA_ID, CKA_START_DATE, CKA_END_DATE, CKA_DERIVE, CKA_LOCAL, CKA_KEY_TYPE
-};
-static const CK_ULONG commonKeyAttrsCount = 
-			sizeof(commonKeyAttrs)/sizeof(commonKeyAttrs[0]);
-
-static const CK_ATTRIBUTE_TYPE secretKeyAttrs[] = {
-    CKA_SENSITIVE, CKA_EXTRACTABLE, CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN,
-    CKA_VERIFY, CKA_WRAP, CKA_UNWRAP, CKA_VALUE
-};
-static const CK_ULONG secretKeyAttrsCount = 
-			sizeof(secretKeyAttrs)/sizeof(secretKeyAttrs[0]);
-
-static const CK_ATTRIBUTE_TYPE commonPubKeyAttrs[] = {
-    CKA_ENCRYPT, CKA_VERIFY, CKA_VERIFY_RECOVER, CKA_WRAP, CKA_SUBJECT
-};
-static const CK_ULONG commonPubKeyAttrsCount = 
-			sizeof(commonPubKeyAttrs)/sizeof(commonPubKeyAttrs[0]);
-
-static const CK_ATTRIBUTE_TYPE rsaPubKeyAttrs[] = {
-    CKA_MODULUS, CKA_PUBLIC_EXPONENT
-};
-static const CK_ULONG rsaPubKeyAttrsCount = 
-			sizeof(rsaPubKeyAttrs)/sizeof(rsaPubKeyAttrs[0]);
-
-static const CK_ATTRIBUTE_TYPE dsaPubKeyAttrs[] = {
-    CKA_SUBPRIME, CKA_PRIME, CKA_BASE, CKA_VALUE
-};
-static const CK_ULONG dsaPubKeyAttrsCount = 
-			sizeof(dsaPubKeyAttrs)/sizeof(dsaPubKeyAttrs[0]);
-
-static const CK_ATTRIBUTE_TYPE dhPubKeyAttrs[] = {
-    CKA_PRIME, CKA_BASE, CKA_VALUE
-};
-static const CK_ULONG dhPubKeyAttrsCount = 
-			sizeof(dhPubKeyAttrs)/sizeof(dhPubKeyAttrs[0]);
-#ifdef NSS_ENABLE_ECC
-static const CK_ATTRIBUTE_TYPE ecPubKeyAttrs[] = {
-    CKA_EC_PARAMS, CKA_EC_POINT
-};
-static const CK_ULONG ecPubKeyAttrsCount = 
-			sizeof(ecPubKeyAttrs)/sizeof(ecPubKeyAttrs[0]);
-#endif
-
-static const CK_ATTRIBUTE_TYPE commonPrivKeyAttrs[] = {
-    CKA_DECRYPT, CKA_SIGN, CKA_SIGN_RECOVER, CKA_UNWRAP, CKA_SUBJECT,
-    CKA_SENSITIVE, CKA_EXTRACTABLE, CKA_NETSCAPE_DB
-};
-static const CK_ULONG commonPrivKeyAttrsCount = 
-		sizeof(commonPrivKeyAttrs)/sizeof(commonPrivKeyAttrs[0]);
-
-static const CK_ATTRIBUTE_TYPE rsaPrivKeyAttrs[] = {
-    CKA_MODULUS, CKA_PUBLIC_EXPONENT, CKA_PRIVATE_EXPONENT, 
-    CKA_PRIME_1, CKA_PRIME_2, CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT
-};
-static const CK_ULONG rsaPrivKeyAttrsCount = 
-			sizeof(rsaPrivKeyAttrs)/sizeof(rsaPrivKeyAttrs[0]);
-
-static const CK_ATTRIBUTE_TYPE dsaPrivKeyAttrs[] = {
-    CKA_SUBPRIME, CKA_PRIME, CKA_BASE, CKA_VALUE
-};
-static const CK_ULONG dsaPrivKeyAttrsCount = 
-			sizeof(dsaPrivKeyAttrs)/sizeof(dsaPrivKeyAttrs[0]);
-
-static const CK_ATTRIBUTE_TYPE dhPrivKeyAttrs[] = {
-    CKA_PRIME, CKA_BASE, CKA_VALUE
-};
-static const CK_ULONG dhPrivKeyAttrsCount = 
-			sizeof(dhPrivKeyAttrs)/sizeof(dhPrivKeyAttrs[0]);
-#ifdef NSS_ENABLE_ECC
-static const CK_ATTRIBUTE_TYPE ecPrivKeyAttrs[] = {
-    CKA_EC_PARAMS, CKA_VALUE
-};
-static const CK_ULONG ecPrivKeyAttrsCount = 
-			sizeof(ecPrivKeyAttrs)/sizeof(ecPrivKeyAttrs[0]);
-#endif
-
-static const CK_ATTRIBUTE_TYPE certAttrs[] = {
-    CKA_CERTIFICATE_TYPE, CKA_VALUE, CKA_SUBJECT, CKA_ISSUER, CKA_SERIAL_NUMBER
-};
-static const CK_ULONG certAttrsCount = 
-		sizeof(certAttrs)/sizeof(certAttrs[0]);
-
-static const CK_ATTRIBUTE_TYPE trustAttrs[] = {
-    CKA_ISSUER, CKA_SERIAL_NUMBER, CKA_CERT_SHA1_HASH, CKA_CERT_MD5_HASH,
-    CKA_TRUST_SERVER_AUTH, CKA_TRUST_CLIENT_AUTH, CKA_TRUST_EMAIL_PROTECTION,
-    CKA_TRUST_CODE_SIGNING, CKA_TRUST_STEP_UP_APPROVED
-};
-static const CK_ULONG trustAttrsCount = 
-		sizeof(trustAttrs)/sizeof(trustAttrs[0]);
-
-static const CK_ATTRIBUTE_TYPE smimeAttrs[] = {
-    CKA_SUBJECT, CKA_NETSCAPE_EMAIL, CKA_NETSCAPE_SMIME_TIMESTAMP, CKA_VALUE
-};
-static const CK_ULONG smimeAttrsCount = 
-		sizeof(smimeAttrs)/sizeof(smimeAttrs[0]);
-
-static const CK_ATTRIBUTE_TYPE crlAttrs[] = {
-    CKA_SUBJECT, CKA_VALUE, CKA_NETSCAPE_URL, CKA_NETSCAPE_KRL
-};
-static const CK_ULONG crlAttrsCount = 
-		sizeof(crlAttrs)/sizeof(crlAttrs[0]);
-
-/* copy an object based on it's table */
-CK_RV
-stfk_CopyTokenAttributes(SFTKObject *destObject,SFTKTokenObject *src_to,
-	const CK_ATTRIBUTE_TYPE *attrArray, CK_ULONG attrCount)
-{
-    SFTKAttribute *attribute;
-    SFTKAttribute *newAttribute;
-    CK_RV crv = CKR_OK;
-    unsigned int i;
-
-    for (i=0; i < attrCount; i++) {
-	if (!sftk_hasAttribute(destObject,attrArray[i])) {
-	    attribute =sftk_FindAttribute(&src_to->obj, attrArray[i]);
-	    if (!attribute) {
-		continue; /* return CKR_ATTRIBUTE_VALUE_INVALID; */
-	    }
-	    /* we need to copy the attribute since each attribute
-	     * only has one set of link list pointers */
-	    newAttribute = sftk_NewAttribute( destObject,
-				sftk_attr_expand(&attribute->attrib));
-	    sftk_FreeAttribute(attribute); /* free the old attribute */
-	    if (!newAttribute) {
-		return CKR_HOST_MEMORY;
-	    }
-	    sftk_AddAttribute(destObject,newAttribute);
-	}
-    }
-    return crv;
-}
-
-CK_RV
-stfk_CopyTokenPrivateKey(SFTKObject *destObject,SFTKTokenObject *src_to)
-{
-    CK_RV crv;
-    CK_KEY_TYPE key_type;
-    SFTKAttribute *attribute;
-
-    /* copy the common attributes for all keys first */
-    crv = stfk_CopyTokenAttributes(destObject, src_to, commonKeyAttrs,
-							commonKeyAttrsCount);
-    if (crv != CKR_OK) {
-	goto fail;
-    }
-    /* copy the common attributes for all private keys next */
-    crv = stfk_CopyTokenAttributes(destObject, src_to, commonPrivKeyAttrs,
-							commonKeyAttrsCount);
-    if (crv != CKR_OK) {
-	goto fail;
-    }
-    attribute =sftk_FindAttribute(&src_to->obj, CKA_KEY_TYPE);
-    PORT_Assert(attribute); /* if it wasn't here, ww should have failed
-			     * copying the common attributes */
-    if (!attribute) {
-	/* OK, so CKR_ATTRIBUTE_VALUE_INVALID is the immediate error, but
-	 * the fact is, the only reason we couldn't get the attribute would
-	 * be a memory error or database error (an error in the 'device').
-	 * if we have a database error code, we could return it here */
-	crv = CKR_DEVICE_ERROR;
-	goto fail;
-    }
-    key_type = *(CK_KEY_TYPE *)attribute->attrib.pValue;
-    sftk_FreeAttribute(attribute);
-    
-    /* finally copy the attributes for various private key types */
-    switch (key_type) {
-    case CKK_RSA:
-	crv = stfk_CopyTokenAttributes(destObject, src_to, rsaPrivKeyAttrs,
-							rsaPrivKeyAttrsCount);
-	break;
-    case CKK_DSA:
-	crv = stfk_CopyTokenAttributes(destObject, src_to, dsaPrivKeyAttrs,
-							dsaPrivKeyAttrsCount);
-	break;
-    case CKK_DH:
-	crv = stfk_CopyTokenAttributes(destObject, src_to, dhPrivKeyAttrs,
-							dhPrivKeyAttrsCount);
-	break;
-#ifdef NSS_ENABLE_ECC
-    case CKK_EC:
-	crv = stfk_CopyTokenAttributes(destObject, src_to, ecPrivKeyAttrs,
-							ecPrivKeyAttrsCount);
-	break;
-#endif
-     default:
-	crv = CKR_DEVICE_ERROR; /* shouldn't happen unless we store more types
-				* of token keys into our database. */
-    }
-fail:
-    return crv;
-}
-
-CK_RV
-stfk_CopyTokenPublicKey(SFTKObject *destObject,SFTKTokenObject *src_to)
-{
-    CK_RV crv;
-    CK_KEY_TYPE key_type;
-    SFTKAttribute *attribute;
-
-    /* copy the common attributes for all keys first */
-    crv = stfk_CopyTokenAttributes(destObject, src_to, commonKeyAttrs,
-							commonKeyAttrsCount);
-    if (crv != CKR_OK) {
-	goto fail;
-    }
-
-    /* copy the common attributes for all public keys next */
-    crv = stfk_CopyTokenAttributes(destObject, src_to, commonPubKeyAttrs,
-							commonPubKeyAttrsCount);
-    if (crv != CKR_OK) {
-	goto fail;
-    }
-    attribute =sftk_FindAttribute(&src_to->obj, CKA_KEY_TYPE);
-    PORT_Assert(attribute); /* if it wasn't here, ww should have failed
-			     * copying the common attributes */
-    if (!attribute) {
-	/* OK, so CKR_ATTRIBUTE_VALUE_INVALID is the immediate error, but
-	 * the fact is, the only reason we couldn't get the attribute would
-	 * be a memory error or database error (an error in the 'device').
-	 * if we have a database error code, we could return it here */
-	crv = CKR_DEVICE_ERROR;
-	goto fail;
-    }
-    key_type = *(CK_KEY_TYPE *)attribute->attrib.pValue;
-    sftk_FreeAttribute(attribute);
-    
-    /* finally copy the attributes for various public key types */
-    switch (key_type) {
-    case CKK_RSA:
-	crv = stfk_CopyTokenAttributes(destObject, src_to, rsaPubKeyAttrs,
-							rsaPubKeyAttrsCount);
-	break;
-    case CKK_DSA:
-	crv = stfk_CopyTokenAttributes(destObject, src_to, dsaPubKeyAttrs,
-							dsaPubKeyAttrsCount);
-	break;
-    case CKK_DH:
-	crv = stfk_CopyTokenAttributes(destObject, src_to, dhPubKeyAttrs,
-							dhPubKeyAttrsCount);
-	break;
-#ifdef NSS_ENABLE_ECC
-    case CKK_EC:
-	crv = stfk_CopyTokenAttributes(destObject, src_to, ecPubKeyAttrs,
-							ecPubKeyAttrsCount);
-	break;
-#endif
-     default:
-	crv = CKR_DEVICE_ERROR; /* shouldn't happen unless we store more types
-				* of token keys into our database. */
-    }
-fail:
-    return crv;
-}
-CK_RV
-stfk_CopyTokenSecretKey(SFTKObject *destObject,SFTKTokenObject *src_to)
-{
-    CK_RV crv;
-    crv = stfk_CopyTokenAttributes(destObject, src_to, commonKeyAttrs,
-							commonKeyAttrsCount);
-    if (crv != CKR_OK) {
-	goto fail;
-    }
-    crv = stfk_CopyTokenAttributes(destObject, src_to, secretKeyAttrs,
-							secretKeyAttrsCount);
-fail:
-    return crv;
-}
-
-/*
- * Copy a token object. We need to explicitly copy the relevant
- * attributes since token objects don't store those attributes in
- * the token itself.
- */
-CK_RV
-sftk_CopyTokenObject(SFTKObject *destObject,SFTKObject *srcObject)
-{
-    SFTKTokenObject *src_to = sftk_narrowToTokenObject(srcObject);
-    CK_RV crv;
-
-    PORT_Assert(src_to);
-    if (src_to == NULL) {
-	return CKR_DEVICE_ERROR; /* internal state inconsistant */
-    }
-
-    crv = stfk_CopyTokenAttributes(destObject, src_to, commonAttrs,
-							commonAttrsCount);
-    if (crv != CKR_OK) {
-	goto fail;
-    }
-    switch (src_to->obj.objclass) {
-    case CKO_CERTIFICATE:
-	crv = stfk_CopyTokenAttributes(destObject, src_to, certAttrs,
-							certAttrsCount);
- 	break;
-    case CKO_NETSCAPE_TRUST:
-	crv = stfk_CopyTokenAttributes(destObject, src_to, trustAttrs,
-							trustAttrsCount);
-	break;
-    case CKO_NETSCAPE_SMIME:
-	crv = stfk_CopyTokenAttributes(destObject, src_to, smimeAttrs,
-							smimeAttrsCount);
-	break;
-    case CKO_NETSCAPE_CRL:
-	crv = stfk_CopyTokenAttributes(destObject, src_to, crlAttrs,
-							crlAttrsCount);
-	break;
-    case CKO_PRIVATE_KEY:
-	crv = stfk_CopyTokenPrivateKey(destObject,src_to);
-	break;
-    case CKO_PUBLIC_KEY:
-	crv = stfk_CopyTokenPublicKey(destObject,src_to);
-	break;
-    case CKO_SECRET_KEY:
-	crv = stfk_CopyTokenSecretKey(destObject,src_to);
-	break;
-    default:
-	crv = CKR_DEVICE_ERROR; /* shouldn't happen unless we store more types
-				* of token keys into our database. */
-    }
-fail:
-    return crv;
-}
-
-/*
- * copy the attributes from one object to another. Don't overwrite existing
- * attributes. NOTE: This is a pretty expensive operation since it
- * grabs the attribute locks for the src object for a *long* time.
- */
-CK_RV
-sftk_CopyObject(SFTKObject *destObject,SFTKObject *srcObject)
-{
-    SFTKAttribute *attribute;
-    SFTKSessionObject *src_so = sftk_narrowToSessionObject(srcObject);
-    unsigned int i;
-
-    if (src_so == NULL) {
-	return sftk_CopyTokenObject(destObject,srcObject); 
-    }
-
-    PZ_Lock(src_so->attributeLock);
-    for(i=0; i < src_so->hashSize; i++) {
-	attribute = src_so->head[i];
-	do {
-	    if (attribute) {
-		if (!sftk_hasAttribute(destObject,attribute->handle)) {
-		    /* we need to copy the attribute since each attribute
-		     * only has one set of link list pointers */
-		    SFTKAttribute *newAttribute = sftk_NewAttribute(
-			  destObject,sftk_attr_expand(&attribute->attrib));
-		    if (newAttribute == NULL) {
-			PZ_Unlock(src_so->attributeLock);
-			return CKR_HOST_MEMORY;
-		    }
-		    sftk_AddAttribute(destObject,newAttribute);
-		}
-		attribute=attribute->next;
-	    }
-	} while (attribute != NULL);
-    }
-    PZ_Unlock(src_so->attributeLock);
-
-    return CKR_OK;
-}
-
-/*
- * ******************** Search Utilities *******************************
- */
-
-/* add an object to a search list */
-CK_RV
-AddToList(SFTKObjectListElement **list,SFTKObject *object)
-{
-     SFTKObjectListElement *newElem = 
-	(SFTKObjectListElement *)PORT_Alloc(sizeof(SFTKObjectListElement));
-
-     if (newElem == NULL) return CKR_HOST_MEMORY;
-
-     newElem->next = *list;
-     newElem->object = object;
-     sftk_ReferenceObject(object);
-
-    *list = newElem;
-    return CKR_OK;
-}
-
-
-/* return true if the object matches the template */
-PRBool
-sftk_objectMatch(SFTKObject *object,CK_ATTRIBUTE_PTR theTemplate,int count)
-{
-    int i;
-
-    for (i=0; i < count; i++) {
-	SFTKAttribute *attribute = sftk_FindAttribute(object,theTemplate[i].type);
-	if (attribute == NULL) {
-	    return PR_FALSE;
-	}
-	if (attribute->attrib.ulValueLen == theTemplate[i].ulValueLen) {
-	    if (PORT_Memcmp(attribute->attrib.pValue,theTemplate[i].pValue,
-					theTemplate[i].ulValueLen) == 0) {
-        	sftk_FreeAttribute(attribute);
-		continue;
-	    }
-	}
-        sftk_FreeAttribute(attribute);
-	return PR_FALSE;
-    }
-    return PR_TRUE;
-}
-
-/* search through all the objects in the queue and return the template matches
- * in the object list.
- */
-CK_RV
-sftk_searchObjectList(SFTKSearchResults *search,SFTKObject **head, 
-	unsigned int size, PZLock *lock, CK_ATTRIBUTE_PTR theTemplate, 
-						int count, PRBool isLoggedIn)
-{
-    unsigned int i;
-    SFTKObject *object;
-    CK_RV crv = CKR_OK;
-
-    for(i=0; i < size; i++) {
-        /* We need to hold the lock to copy a consistant version of
-         * the linked list. */
-        PZ_Lock(lock);
-	for (object = head[i]; object != NULL; object= object->next) {
-	    if (sftk_objectMatch(object,theTemplate,count)) {
-		/* don't return objects that aren't yet visible */
-		if ((!isLoggedIn) && sftk_isTrue(object,CKA_PRIVATE)) continue;
-		sftk_addHandle(search,object->handle);
-	    }
-	}
-        PZ_Unlock(lock);
-    }
-    return crv;
-}
-
-/*
- * free a single list element. Return the Next object in the list.
- */
-SFTKObjectListElement *
-sftk_FreeObjectListElement(SFTKObjectListElement *objectList)
-{
-    SFTKObjectListElement *ol = objectList->next;
-
-    sftk_FreeObject(objectList->object);
-    PORT_Free(objectList);
-    return ol;
-}
-
-/* free an entire object list */
-void
-sftk_FreeObjectList(SFTKObjectListElement *objectList)
-{
-    SFTKObjectListElement *ol;
-
-    for (ol= objectList; ol != NULL; ol = sftk_FreeObjectListElement(ol)) {}
-}
-
-/*
- * free a search structure
- */
-void
-sftk_FreeSearch(SFTKSearchResults *search)
-{
-    if (search->handles) {
-	PORT_Free(search->handles);
-    }
-    PORT_Free(search);
-}
-
-/*
- * ******************** Session Utilities *******************************
- */
-
-/* update the sessions state based in it's flags and wether or not it's
- * logged in */
-void
-sftk_update_state(SFTKSlot *slot,SFTKSession *session)
-{
-    if (slot->isLoggedIn) {
-	if (slot->ssoLoggedIn) {
-    	    session->info.state = CKS_RW_SO_FUNCTIONS;
-	} else if (session->info.flags & CKF_RW_SESSION) {
-    	    session->info.state = CKS_RW_USER_FUNCTIONS;
-	} else {
-    	    session->info.state = CKS_RO_USER_FUNCTIONS;
-	}
-    } else {
-	if (session->info.flags & CKF_RW_SESSION) {
-    	    session->info.state = CKS_RW_PUBLIC_SESSION;
-	} else {
-    	    session->info.state = CKS_RO_PUBLIC_SESSION;
-	}
-    }
-}
-
-/* update the state of all the sessions on a slot */
-void
-sftk_update_all_states(SFTKSlot *slot)
-{
-    unsigned int i;
-    SFTKSession *session;
-
-    for (i=0; i < slot->sessHashSize; i++) {
-	PZLock *lock = SFTK_SESSION_LOCK(slot,i);
-	PZ_Lock(lock);
-	for (session = slot->head[i]; session; session = session->next) {
-	    sftk_update_state(slot,session);
-	}
-	PZ_Unlock(lock);
-    }
-}
-
-/*
- * context are cipher and digest contexts that are associated with a session
- */
-void
-sftk_FreeContext(SFTKSessionContext *context)
-{
-    if (context->cipherInfo) {
-	(*context->destroy)(context->cipherInfo,PR_TRUE);
-    }
-    if (context->hashInfo) {
-	(*context->hashdestroy)(context->hashInfo,PR_TRUE);
-    }
-    if (context->key) {
-	sftk_FreeObject(context->key);
-	context->key = NULL;
-    }
-    PORT_Free(context);
-}
-
-/*
- * create a new nession. NOTE: The session handle is not set, and the
- * session is not added to the slot's session queue.
- */
-SFTKSession *
-sftk_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify, CK_VOID_PTR pApplication,
-							     CK_FLAGS flags)
-{
-    SFTKSession *session;
-    SFTKSlot *slot = sftk_SlotFromID(slotID, PR_FALSE);
-
-    if (slot == NULL) return NULL;
-
-    session = (SFTKSession*)PORT_Alloc(sizeof(SFTKSession));
-    if (session == NULL) return NULL;
-
-    session->next = session->prev = NULL;
-    session->refCount = 1;
-    session->enc_context = NULL;
-    session->hash_context = NULL;
-    session->sign_context = NULL;
-    session->search = NULL;
-    session->objectIDCount = 1;
-    session->objectLock = PZ_NewLock(nssILockObject);
-    if (session->objectLock == NULL) {
-	PORT_Free(session);
-	return NULL;
-    }
-    session->objects[0] = NULL;
-
-    session->slot = slot;
-    session->notify = notify;
-    session->appData = pApplication;
-    session->info.flags = flags;
-    session->info.slotID = slotID;
-    session->info.ulDeviceError = 0;
-    sftk_update_state(slot,session);
-    return session;
-}
-
-
-/* free all the data associated with a session. */
-static void
-sftk_DestroySession(SFTKSession *session)
-{
-    SFTKObjectList *op,*next;
-    PORT_Assert(session->refCount == 0);
-
-    /* clean out the attributes */
-    /* since no one is referencing us, it's safe to walk the chain
-     * without a lock */
-    for (op = session->objects[0]; op != NULL; op = next) {
-        next = op->next;
-        /* paranoia */
-	op->next = op->prev = NULL;
-	sftk_DeleteObject(session,op->parent);
-    }
-    PZ_DestroyLock(session->objectLock);
-    if (session->enc_context) {
-	sftk_FreeContext(session->enc_context);
-    }
-    if (session->hash_context) {
-	sftk_FreeContext(session->hash_context);
-    }
-    if (session->sign_context) {
-	sftk_FreeContext(session->sign_context);
-    }
-    if (session->search) {
-	sftk_FreeSearch(session->search);
-    }
-    PORT_Free(session);
-}
-
-
-/*
- * look up a session structure from a session handle
- * generate a reference to it.
- */
-SFTKSession *
-sftk_SessionFromHandle(CK_SESSION_HANDLE handle)
-{
-    SFTKSlot	*slot = sftk_SlotFromSessionHandle(handle);
-    SFTKSession *session;
-    PZLock	*lock;
-    
-    if (!slot) return NULL;
-    lock = SFTK_SESSION_LOCK(slot,handle);
-
-    PZ_Lock(lock);
-    sftkqueue_find(session,handle,slot->head,slot->sessHashSize);
-    if (session) session->refCount++;
-    PZ_Unlock(lock);
-
-    return (session);
-}
-
-/*
- * release a reference to a session handle
- */
-void
-sftk_FreeSession(SFTKSession *session)
-{
-    PRBool destroy = PR_FALSE;
-    SFTKSlot *slot = sftk_SlotFromSession(session);
-    PZLock *lock = SFTK_SESSION_LOCK(slot,session->handle);
-
-    PZ_Lock(lock);
-    if (session->refCount == 1) destroy = PR_TRUE;
-    session->refCount--;
-    PZ_Unlock(lock);
-
-    if (destroy) sftk_DestroySession(session);
-}
-/*
- * handle Token Object stuff
- */
-static void
-sftk_XORHash(unsigned char *key, unsigned char *dbkey, int len)
-{
-   int i;
-
-   PORT_Memset(key, 0, 4);
-
-   for (i=0; i < len-4; i += 4) {
-	key[0] ^= dbkey[i];
-	key[1] ^= dbkey[i+1];
-	key[2] ^= dbkey[i+2];
-	key[3] ^= dbkey[i+3];
-   }
-}
-
-/* Make a token handle for an object and record it so we can find it again */
-CK_OBJECT_HANDLE
-sftk_mkHandle(SFTKSlot *slot, SECItem *dbKey, CK_OBJECT_HANDLE class)
-{
-    unsigned char hashBuf[4];
-    CK_OBJECT_HANDLE handle;
-    SECItem *key;
-
-    handle = class;
-    /* there is only one KRL, use a fixed handle for it */
-    if (handle != SFTK_TOKEN_KRL_HANDLE) {
-	sftk_XORHash(hashBuf,dbKey->data,dbKey->len);
-	handle = (hashBuf[0] << 24) | (hashBuf[1] << 16) | 
-					(hashBuf[2] << 8)  | hashBuf[3];
-	handle = SFTK_TOKEN_MAGIC | class | 
-			(handle & ~(SFTK_TOKEN_TYPE_MASK|SFTK_TOKEN_MASK));
-	/* we have a CRL who's handle has randomly matched the reserved KRL
-	 * handle, increment it */
-	if (handle == SFTK_TOKEN_KRL_HANDLE) {
-	    handle++;
-	}
-    }
-
-    sftk_tokenKeyLock(slot);
-    while ((key = sftk_lookupTokenKeyByHandle(slot,handle)) != NULL) {
-	if (SECITEM_ItemsAreEqual(key,dbKey)) {
-    	   sftk_tokenKeyUnlock(slot);
-	   return handle;
-	}
-	handle++;
-    }
-    sftk_addTokenKeyByHandle(slot,handle,dbKey);
-    sftk_tokenKeyUnlock(slot);
-    return handle;
-}
-
-PRBool
-sftk_poisonHandle(SFTKSlot *slot, SECItem *dbKey, CK_OBJECT_HANDLE class)
-{
-    unsigned char hashBuf[4];
-    CK_OBJECT_HANDLE handle;
-    SECItem *key;
-
-    handle = class;
-    /* there is only one KRL, use a fixed handle for it */
-    if (handle != SFTK_TOKEN_KRL_HANDLE) {
-	sftk_XORHash(hashBuf,dbKey->data,dbKey->len);
-	handle = (hashBuf[0] << 24) | (hashBuf[1] << 16) | 
-					(hashBuf[2] << 8)  | hashBuf[3];
-	handle = SFTK_TOKEN_MAGIC | class | 
-			(handle & ~(SFTK_TOKEN_TYPE_MASK|SFTK_TOKEN_MASK));
-	/* we have a CRL who's handle has randomly matched the reserved KRL
-	 * handle, increment it */
-	if (handle == SFTK_TOKEN_KRL_HANDLE) {
-	    handle++;
-	}
-    }
-    sftk_tokenKeyLock(slot);
-    while ((key = sftk_lookupTokenKeyByHandle(slot,handle)) != NULL) {
-	if (SECITEM_ItemsAreEqual(key,dbKey)) {
-	   key->data[0] ^= 0x80;
-    	   sftk_tokenKeyUnlock(slot);
-	   return PR_TRUE;
-	}
-	handle++;
-    }
-    sftk_tokenKeyUnlock(slot);
-    return PR_FALSE;
-}
-
-void
-sftk_addHandle(SFTKSearchResults *search, CK_OBJECT_HANDLE handle)
-{
-    if (search->handles == NULL) {
-	return;
-    }
-    if (search->size >= search->array_size) {
-	search->array_size += NSC_SEARCH_BLOCK_SIZE;
-	search->handles = (CK_OBJECT_HANDLE *) PORT_Realloc(search->handles,
-				 sizeof(CK_OBJECT_HANDLE)* search->array_size);
-	if (search->handles == NULL) {
-	   return;
-	}
-    }
-    search->handles[search->size] = handle;
-    search->size++;
-}
-
-static const CK_OBJECT_HANDLE sftk_classArray[] = {
-    0, CKO_PRIVATE_KEY, CKO_PUBLIC_KEY, CKO_SECRET_KEY,
-    CKO_NETSCAPE_TRUST, CKO_NETSCAPE_CRL, CKO_NETSCAPE_SMIME,
-     CKO_CERTIFICATE };
-
-#define handleToClass(handle) \
-    sftk_classArray[((handle & SFTK_TOKEN_TYPE_MASK))>>28]
-
-SFTKObject *
-sftk_NewTokenObject(SFTKSlot *slot, SECItem *dbKey, CK_OBJECT_HANDLE handle)
-{
-    SFTKObject *object = NULL;
-    SFTKTokenObject *tokObject = NULL;
-    PRBool hasLocks = PR_FALSE;
-    SECStatus rv;
-
-    object = sftk_GetObjectFromList(&hasLocks, PR_FALSE, &tokenObjectList,  0,
-							PR_FALSE);
-    if (object == NULL) {
-	return NULL;
-    }
-    tokObject = (SFTKTokenObject *) object;
-
-    object->objclass = handleToClass(handle);
-    object->handle = handle;
-    object->slot = slot;
-    object->objectInfo = NULL;
-    object->infoFree = NULL;
-    if (dbKey == NULL) {
-	sftk_tokenKeyLock(slot);
-	dbKey = sftk_lookupTokenKeyByHandle(slot,handle);
-	if (dbKey == NULL) {
-    	    sftk_tokenKeyUnlock(slot);
-	    goto loser;
-	}
-	rv = SECITEM_CopyItem(NULL,&tokObject->dbKey,dbKey);
-	sftk_tokenKeyUnlock(slot);
-    } else {
-	rv = SECITEM_CopyItem(NULL,&tokObject->dbKey,dbKey);
-    }
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-    if (!hasLocks) {
-	object->refLock = PZ_NewLock(nssILockRefLock);
-    }
-    if (object->refLock == NULL) {
-	goto loser;
-    }
-    object->refCount = 1;
-
-    return object;
-loser:
-    if (object) {
-	(void) sftk_DestroyObject(object);
-    }
-    return NULL;
-
-}
-
-PRBool
-sftk_tokenMatch(SFTKSlot *slot, SECItem *dbKey, CK_OBJECT_HANDLE class,
-					CK_ATTRIBUTE_PTR theTemplate,int count)
-{
-    SFTKObject *object;
-    PRBool ret;
-
-    object = sftk_NewTokenObject(slot,dbKey,SFTK_TOKEN_MASK|class);
-    if (object == NULL) {
-	return PR_FALSE;
-    }
-
-    ret = sftk_objectMatch(object,theTemplate,count);
-    sftk_FreeObject(object);
-    return ret;
-}
-
-SFTKTokenObject *
-sftk_convertSessionToToken(SFTKObject *obj)
-{
-    SECItem *key;
-    SFTKSessionObject *so = (SFTKSessionObject *)obj;
-    SFTKTokenObject *to = sftk_narrowToTokenObject(obj);
-    SECStatus rv;
-
-    sftk_DestroySessionObjectData(so);
-    PZ_DestroyLock(so->attributeLock);
-    if (to == NULL) {
-	return NULL;
-    }
-    sftk_tokenKeyLock(so->obj.slot);
-    key = sftk_lookupTokenKeyByHandle(so->obj.slot,so->obj.handle);
-    if (key == NULL) {
-    	sftk_tokenKeyUnlock(so->obj.slot);
-	return NULL;
-    }
-    rv = SECITEM_CopyItem(NULL,&to->dbKey,key);
-    sftk_tokenKeyUnlock(so->obj.slot);
-    if (rv == SECFailure) {
-	return NULL;
-    }
-
-    return to;
-
-}
-
-SFTKSessionObject *
-sftk_narrowToSessionObject(SFTKObject *obj)
-{
-    return !sftk_isToken(obj->handle) ? (SFTKSessionObject *)obj : NULL;
-}
-
-SFTKTokenObject *
-sftk_narrowToTokenObject(SFTKObject *obj)
-{
-    return sftk_isToken(obj->handle) ? (SFTKTokenObject *)obj : NULL;
-}
-
diff --git a/security/nss/lib/softoken/pkcs11u.h b/security/nss/lib/softoken/pkcs11u.h
deleted file mode 100644
index 8383b471d..000000000
--- a/security/nss/lib/softoken/pkcs11u.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/*
- * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
- * is granted provided that it is identified as "RSA Security Inc. Public-Key
- * Cryptography Standards (PKCS)" in all material mentioning or referencing
- * this document.
- */
-/*
- * reset any packing set by pkcs11p.h
- */
-
-#if defined (_WIN32)
-#ifdef _MSC_VER
-#pragma warning(disable:4103)
-#endif
-#pragma pack(pop, cryptoki)
-#endif
-
diff --git a/security/nss/lib/softoken/rsawrapr.c b/security/nss/lib/softoken/rsawrapr.c
deleted file mode 100644
index b40a30d80..000000000
--- a/security/nss/lib/softoken/rsawrapr.c
+++ /dev/null
@@ -1,879 +0,0 @@
-/*
- * PKCS#1 encoding and decoding functions.
- * This file is believed to contain no code licensed from other parties.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "blapi.h"
-#include "softoken.h"
-#include "sechash.h"
-
-#include "lowkeyi.h"
-#include "secerr.h"
-
-#define RSA_BLOCK_MIN_PAD_LEN		8
-#define RSA_BLOCK_FIRST_OCTET		0x00
-#define RSA_BLOCK_PRIVATE0_PAD_OCTET	0x00
-#define RSA_BLOCK_PRIVATE_PAD_OCTET	0xff
-#define RSA_BLOCK_AFTER_PAD_OCTET	0x00
-
-#define OAEP_SALT_LEN		8
-#define OAEP_PAD_LEN		8
-#define OAEP_PAD_OCTET		0x00
-
-#define FLAT_BUFSIZE 512	/* bytes to hold flattened SHA1Context. */
-
-static SHA1Context *
-SHA1_CloneContext(SHA1Context *original)
-{
-    SHA1Context *  clone	= NULL;
-    unsigned char *pBuf;
-    int            sha1ContextSize = SHA1_FlattenSize(original);
-    SECStatus      frv;
-    unsigned char  buf[FLAT_BUFSIZE];
-
-    PORT_Assert(sizeof buf >= sha1ContextSize);
-    if (sizeof buf >= sha1ContextSize) {
-    	pBuf = buf;
-    } else {
-        pBuf = PORT_Alloc(sha1ContextSize);
-	if (!pBuf)
-	    goto done;
-    }
-
-    frv = SHA1_Flatten(original, pBuf);
-    if (frv == SECSuccess) {
-	clone = SHA1_Resurrect(pBuf, NULL);
-	memset(pBuf, 0, sha1ContextSize);
-    }
-done:
-    if (pBuf != buf)
-    	PORT_Free(pBuf);
-    return clone;
-}
-
-/*
- * Modify data by XORing it with a special hash of salt.
- */
-static SECStatus
-oaep_xor_with_h1(unsigned char *data, unsigned int datalen,
-		 unsigned char *salt, unsigned int saltlen)
-{
-    SHA1Context *sha1cx;
-    unsigned char *dp, *dataend;
-    unsigned char end_octet;
-
-    sha1cx = SHA1_NewContext();
-    if (sha1cx == NULL) {
-	return SECFailure;
-    }
-
-    /*
-     * Get a hash of salt started; we will use it several times,
-     * adding in a different end octet (x00, x01, x02, ...).
-     */
-    SHA1_Begin (sha1cx);
-    SHA1_Update (sha1cx, salt, saltlen);
-    end_octet = 0;
-
-    dp = data;
-    dataend = data + datalen;
-
-    while (dp < dataend) {
-	SHA1Context *sha1cx_h1;
-	unsigned int sha1len, sha1off;
-	unsigned char sha1[SHA1_LENGTH];
-
-	/*
-	 * Create hash of (salt || end_octet)
-	 */
-	sha1cx_h1 = SHA1_CloneContext (sha1cx);
-	SHA1_Update (sha1cx_h1, &end_octet, 1);
-	SHA1_End (sha1cx_h1, sha1, &sha1len, sizeof(sha1));
-	SHA1_DestroyContext (sha1cx_h1, PR_TRUE);
-	PORT_Assert (sha1len == SHA1_LENGTH);
-
-	/*
-	 * XOR that hash with the data.
-	 * When we have fewer than SHA1_LENGTH octets of data
-	 * left to xor, use just the low-order ones of the hash.
-	 */
-	sha1off = 0;
-	if ((dataend - dp) < SHA1_LENGTH)
-	    sha1off = SHA1_LENGTH - (dataend - dp);
-	while (sha1off < SHA1_LENGTH)
-	    *dp++ ^= sha1[sha1off++];
-
-	/*
-	 * Bump for next hash chunk.
-	 */
-	end_octet++;
-    }
-
-    return SECSuccess;
-}
-
-/*
- * Modify salt by XORing it with a special hash of data.
- */
-static SECStatus
-oaep_xor_with_h2(unsigned char *salt, unsigned int saltlen,
-		 unsigned char *data, unsigned int datalen)
-{
-    unsigned char sha1[SHA1_LENGTH];
-    unsigned char *psalt, *psha1, *saltend;
-    SECStatus rv;
-
-    /*
-     * Create a hash of data.
-     */
-    rv = SHA1_HashBuf (sha1, data, datalen);
-    if (rv != SECSuccess) {
-	return rv;
-    }
-
-    /*
-     * XOR the low-order octets of that hash with salt.
-     */
-    PORT_Assert (saltlen <= SHA1_LENGTH);
-    saltend = salt + saltlen;
-    psalt = salt;
-    psha1 = sha1 + SHA1_LENGTH - saltlen;
-    while (psalt < saltend) {
-	*psalt++ ^= *psha1++;
-    }
-
-    return SECSuccess;
-}
-
-/*
- * Format one block of data for public/private key encryption using
- * the rules defined in PKCS #1.
- */
-static unsigned char *
-rsa_FormatOneBlock(unsigned modulusLen, RSA_BlockType blockType,
-		   SECItem *data)
-{
-    unsigned char *block;
-    unsigned char *bp;
-    int padLen;
-    int i;
-
-    block = (unsigned char *) PORT_Alloc(modulusLen);
-    if (block == NULL)
-	return NULL;
-
-    bp = block;
-
-    /*
-     * All RSA blocks start with two octets:
-     *	0x00 || BlockType
-     */
-    *bp++ = RSA_BLOCK_FIRST_OCTET;
-    *bp++ = (unsigned char) blockType;
-
-    switch (blockType) {
-
-      /*
-       * Blocks intended for private-key operation.
-       */
-      case RSA_BlockPrivate0: /* essentially unused */
-      case RSA_BlockPrivate:	 /* preferred method */
-	/*
-	 * 0x00 || BT || Pad || 0x00 || ActualData
-	 *   1      1   padLen    1      data->len
-	 * Pad is either all 0x00 or all 0xff bytes, depending on blockType.
-	 */
-	padLen = modulusLen - data->len - 3;
-	PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
-	if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
-	    PORT_Free (block);
-	    return NULL;
-	}
-	PORT_Memset (bp,
-		   blockType == RSA_BlockPrivate0
-			? RSA_BLOCK_PRIVATE0_PAD_OCTET
-			: RSA_BLOCK_PRIVATE_PAD_OCTET,
-		   padLen);
-	bp += padLen;
-	*bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
-	PORT_Memcpy (bp, data->data, data->len);
-	break;
-
-      /*
-       * Blocks intended for public-key operation.
-       */
-      case RSA_BlockPublic:
-
-	/*
-	 * 0x00 || BT || Pad || 0x00 || ActualData
-	 *   1      1   padLen    1      data->len
-	 * Pad is all non-zero random bytes.
-	 */
-	padLen = modulusLen - data->len - 3;
-	PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
-	if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
-	    PORT_Free (block);
-	    return NULL;
-	}
-	for (i = 0; i < padLen; i++) {
-	    /* Pad with non-zero random data. */
-	    do {
-		RNG_GenerateGlobalRandomBytes(bp + i, 1);
-	    } while (bp[i] == RSA_BLOCK_AFTER_PAD_OCTET);
-	}
-	bp += padLen;
-	*bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
-	PORT_Memcpy (bp, data->data, data->len);
-
-	break;
-
-      /*
-       * Blocks intended for public-key operation, using
-       * Optimal Asymmetric Encryption Padding (OAEP).
-       */
-      case RSA_BlockOAEP:
-	/*
-	 * 0x00 || BT || Modified2(Salt) || Modified1(PaddedData)
-	 *   1      1     OAEP_SALT_LEN     OAEP_PAD_LEN + data->len [+ N]
-	 *
-	 * where:
-	 *   PaddedData is "Pad1 || ActualData [|| Pad2]"
-	 *   Salt is random data.
-	 *   Pad1 is all zeros.
-	 *   Pad2, if present, is random data.
-	 *   (The "modified" fields are all the same length as the original
-	 * unmodified values; they are just xor'd with other values.)
-	 *
-	 *   Modified1 is an XOR of PaddedData with a special octet
-	 * string constructed of iterated hashing of Salt (see below).
-	 *   Modified2 is an XOR of Salt with the low-order octets of
-	 * the hash of Modified1 (see farther below ;-).
-	 *
-	 * Whew!
-	 */
-
-
-	/*
-	 * Salt
-	 */
-	RNG_GenerateGlobalRandomBytes(bp, OAEP_SALT_LEN);
-	bp += OAEP_SALT_LEN;
-
-	/*
-	 * Pad1
-	 */
-	PORT_Memset (bp, OAEP_PAD_OCTET, OAEP_PAD_LEN);
-	bp += OAEP_PAD_LEN;
-
-	/*
-	 * Data
-	 */
-	PORT_Memcpy (bp, data->data, data->len);
-	bp += data->len;
-
-	/*
-	 * Pad2
-	 */
-	if (bp < (block + modulusLen))
-	    RNG_GenerateGlobalRandomBytes(bp, block - bp + modulusLen);
-
-	/*
-	 * Now we have the following:
-	 * 0x00 || BT || Salt || PaddedData
-	 * (From this point on, "Pad1 || Data [|| Pad2]" is treated
-	 * as the one entity PaddedData.)
-	 *
-	 * We need to turn PaddedData into Modified1.
-	 */
-	if (oaep_xor_with_h1(block + 2 + OAEP_SALT_LEN,
-			     modulusLen - 2 - OAEP_SALT_LEN,
-			     block + 2, OAEP_SALT_LEN) != SECSuccess) {
-	    PORT_Free (block);
-	    return NULL;
-	}
-
-	/*
-	 * Now we have:
-	 * 0x00 || BT || Salt || Modified1(PaddedData)
-	 *
-	 * The remaining task is to turn Salt into Modified2.
-	 */
-	if (oaep_xor_with_h2(block + 2, OAEP_SALT_LEN,
-			     block + 2 + OAEP_SALT_LEN,
-			     modulusLen - 2 - OAEP_SALT_LEN) != SECSuccess) {
-	    PORT_Free (block);
-	    return NULL;
-	}
-
-	break;
-
-      default:
-	PORT_Assert (0);
-	PORT_Free (block);
-	return NULL;
-    }
-
-    return block;
-}
-
-static SECStatus
-rsa_FormatBlock(SECItem *result, unsigned modulusLen,
-		RSA_BlockType blockType, SECItem *data)
-{
-    /*
-     * XXX For now assume that the data length fits in a single
-     * XXX encryption block; the ASSERTs below force this.
-     * XXX To fix it, each case will have to loop over chunks whose
-     * XXX lengths satisfy the assertions, until all data is handled.
-     * XXX (Unless RSA has more to say about how to handle data
-     * XXX which does not fit in a single encryption block?)
-     * XXX And I do not know what the result is supposed to be,
-     * XXX so the interface to this function may need to change
-     * XXX to allow for returning multiple blocks, if they are
-     * XXX not wanted simply concatenated one after the other.
-     */
-
-    switch (blockType) {
-      case RSA_BlockPrivate0:
-      case RSA_BlockPrivate:
-      case RSA_BlockPublic:
-	/*
-	 * 0x00 || BT || Pad || 0x00 || ActualData
-	 *
-	 * The "3" below is the first octet + the second octet + the 0x00
-	 * octet that always comes just before the ActualData.
-	 */
-	PORT_Assert (data->len <= (modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN)));
-
-	result->data = rsa_FormatOneBlock(modulusLen, blockType, data);
-	if (result->data == NULL) {
-	    result->len = 0;
-	    return SECFailure;
-	}
-	result->len = modulusLen;
-
-	break;
-
-      case RSA_BlockOAEP:
-	/*
-	 * 0x00 || BT || M1(Salt) || M2(Pad1||ActualData[||Pad2])
-	 *
-	 * The "2" below is the first octet + the second octet.
-	 * (The other fields do not contain the clear values, but are
-	 * the same length as the clear values.)
-	 */
-	PORT_Assert (data->len <= (modulusLen - (2 + OAEP_SALT_LEN
-						 + OAEP_PAD_LEN)));
-
-	result->data = rsa_FormatOneBlock(modulusLen, blockType, data);
-	if (result->data == NULL) {
-	    result->len = 0;
-	    return SECFailure;
-	}
-	result->len = modulusLen;
-
-	break;
-
-      case RSA_BlockRaw:
-	/*
-	 * Pad || ActualData
-	 * Pad is zeros. The application is responsible for recovering
-	 * the actual data.
-	 */
-	if (data->len > modulusLen ) {
-	    return SECFailure;
-	}
-	result->data = (unsigned char*)PORT_ZAlloc(modulusLen);
-	result->len = modulusLen;
-	PORT_Memcpy(result->data+(modulusLen-data->len),data->data,data->len);
-	break;
-
-      default:
-	PORT_Assert (0);
-	result->data = NULL;
-	result->len = 0;
-	return SECFailure;
-    }
-
-    return SECSuccess;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_Sign(NSSLOWKEYPrivateKey *key, 
-         unsigned char *      output, 
-	 unsigned int *       output_len,
-         unsigned int         maxOutputLen, 
-	 unsigned char *      input, 
-	 unsigned int         input_len)
-{
-    SECStatus     rv          = SECSuccess;
-    unsigned int  modulus_len = nsslowkey_PrivateModulusLen(key);
-    SECItem       formatted;
-    SECItem       unformatted;
-
-    if (maxOutputLen < modulus_len) 
-    	return SECFailure;
-    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
-    if (key->keyType != NSSLOWKEYRSAKey)
-    	return SECFailure;
-
-    unformatted.len  = input_len;
-    unformatted.data = input;
-    formatted.data   = NULL;
-    rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockPrivate,
-			 &unformatted);
-    if (rv != SECSuccess) 
-    	goto done;
-
-    rv = RSA_PrivateKeyOpDoubleChecked(&key->u.rsa, output, formatted.data);
-    *output_len = modulus_len;
-
-    goto done;
-
-done:
-    if (formatted.data != NULL) 
-    	PORT_ZFree(formatted.data, modulus_len);
-    return rv;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_CheckSign(NSSLOWKEYPublicKey *key,
-              unsigned char *     sign, 
-	      unsigned int        sign_len, 
-	      unsigned char *     hash, 
-	      unsigned int        hash_len)
-{
-    SECStatus       rv;
-    unsigned int    modulus_len = nsslowkey_PublicModulusLen(key);
-    unsigned int    i;
-    unsigned char * buffer;
-
-    modulus_len = nsslowkey_PublicModulusLen(key);
-    if (sign_len != modulus_len) 
-    	goto failure;
-    if (hash_len > modulus_len - 8) 
-    	goto failure;
-    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
-    if (key->keyType != NSSLOWKEYRSAKey)
-    	goto failure;
-
-    buffer = (unsigned char *)PORT_Alloc(modulus_len + 1);
-    if (!buffer)
-    	goto failure;
-
-    rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign);
-    if (rv != SECSuccess)
-	goto loser;
-
-    /*
-     * check the padding that was used
-     */
-    if (buffer[0] != 0 || buffer[1] != 1) 
-    	goto loser;
-    for (i = 2; i < modulus_len - hash_len - 1; i++) {
-	if (buffer[i] == 0) 
-	    break;
-	if (buffer[i] != 0xff) 
-	    goto loser;
-    }
-
-    /*
-     * make sure we get the same results
-     */
-    if (PORT_Memcmp(buffer + modulus_len - hash_len, hash, hash_len) != 0)
-	goto loser;
-
-    PORT_Free(buffer);
-    return SECSuccess;
-
-loser:
-    PORT_Free(buffer);
-failure:
-    return SECFailure;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_CheckSignRecover(NSSLOWKEYPublicKey *key,
-                     unsigned char *     data,
-                     unsigned int *      data_len, 
-		     unsigned int        max_output_len, 
-		     unsigned char *     sign,
-		     unsigned int        sign_len)
-{
-    SECStatus       rv;
-    unsigned int    modulus_len = nsslowkey_PublicModulusLen(key);
-    unsigned int    i;
-    unsigned char * buffer;
-
-    if (sign_len != modulus_len) 
-    	goto failure;
-    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
-    if (key->keyType != NSSLOWKEYRSAKey)
-    	goto failure;
-
-    buffer = (unsigned char *)PORT_Alloc(modulus_len + 1);
-    if (!buffer)
-    	goto failure;
-
-    rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign);
-    if (rv != SECSuccess)
-    	goto loser;
-    *data_len = 0;
-
-    /*
-     * check the padding that was used
-     */
-    if (buffer[0] != 0 || buffer[1] != 1) 
-    	goto loser;
-    for (i = 2; i < modulus_len; i++) {
-	if (buffer[i] == 0) {
-	    *data_len = modulus_len - i - 1;
-	    break;
-	}
-	if (buffer[i] != 0xff) 
-	    goto loser;
-    }
-    if (*data_len == 0) 
-    	goto loser;
-    if (*data_len > max_output_len) 
-    	goto loser;
-
-    /*
-     * make sure we get the same results
-     */
-    PORT_Memcpy(data,buffer + modulus_len - *data_len, *data_len);
-
-    PORT_Free(buffer);
-    return SECSuccess;
-
-loser:
-    PORT_Free(buffer);
-failure:
-    return SECFailure;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_EncryptBlock(NSSLOWKEYPublicKey *key, 
-                 unsigned char *     output, 
-		 unsigned int *      output_len,
-                 unsigned int        max_output_len, 
-		 unsigned char *     input, 
-		 unsigned int        input_len)
-{
-    SECStatus     rv;
-    unsigned int  modulus_len = nsslowkey_PublicModulusLen(key);
-    SECItem       formatted;
-    SECItem       unformatted;
-
-    formatted.data = NULL;
-    if (max_output_len < modulus_len) 
-    	goto failure;
-    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
-    if (key->keyType != NSSLOWKEYRSAKey)
-    	goto failure;
-
-    unformatted.len  = input_len;
-    unformatted.data = input;
-    formatted.data   = NULL;
-    rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockPublic,
-			 &unformatted);
-    if (rv != SECSuccess) 
-	goto failure;
-
-    rv = RSA_PublicKeyOp(&key->u.rsa, output, formatted.data);
-    if (rv != SECSuccess) 
-    	goto failure;
-
-    PORT_ZFree(formatted.data, modulus_len);
-    *output_len = modulus_len;
-    return SECSuccess;
-
-failure:
-    if (formatted.data != NULL) 
-	PORT_ZFree(formatted.data, modulus_len);
-    return SECFailure;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_DecryptBlock(NSSLOWKEYPrivateKey *key, 
-                 unsigned char *      output, 
-		 unsigned int *       output_len,
-                 unsigned int         max_output_len, 
-		 unsigned char *      input, 
-		 unsigned int         input_len)
-{
-    SECStatus       rv;
-    unsigned int    modulus_len = nsslowkey_PrivateModulusLen(key);
-    unsigned int    i;
-    unsigned char * buffer;
-
-    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
-    if (key->keyType != NSSLOWKEYRSAKey)
-    	goto failure;
-    if (input_len != modulus_len)
-    	goto failure;
-
-    buffer = (unsigned char *)PORT_Alloc(modulus_len + 1);
-    if (!buffer)
-    	goto failure;
-
-    rv = RSA_PrivateKeyOp(&key->u.rsa, buffer, input);
-    if (rv != SECSuccess) 
-    	goto loser;
-
-    if (buffer[0] != 0 || buffer[1] != 2) 
-    	goto loser;
-    *output_len = 0;
-    for (i = 2; i < modulus_len; i++) {
-	if (buffer[i] == 0) {
-	    *output_len = modulus_len - i - 1;
-	    break;
-	}
-    }
-    if (*output_len == 0) 
-    	goto loser;
-    if (*output_len > max_output_len) 
-    	goto loser;
-
-    PORT_Memcpy(output, buffer + modulus_len - *output_len, *output_len);
-
-    PORT_Free(buffer);
-    return SECSuccess;
-
-loser:
-    PORT_Free(buffer);
-failure:
-    return SECFailure;
-}
-
-/* XXX Doesn't set error code */
-/*
- * added to make pkcs #11 happy
- *   RAW is RSA_X_509
- */
-SECStatus
-RSA_SignRaw(NSSLOWKEYPrivateKey *key, 
-            unsigned char *      output, 
-	    unsigned int *       output_len,
-            unsigned int         maxOutputLen, 
-	    unsigned char *      input, 
-	    unsigned int         input_len)
-{
-    SECStatus    rv          = SECSuccess;
-    unsigned int modulus_len = nsslowkey_PrivateModulusLen(key);
-    SECItem      formatted;
-    SECItem      unformatted;
-
-    if (maxOutputLen < modulus_len) 
-    	return SECFailure;
-    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
-    if (key->keyType != NSSLOWKEYRSAKey)
-    	return SECFailure;
-
-    unformatted.len  = input_len;
-    unformatted.data = input;
-    formatted.data   = NULL;
-    rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockRaw, &unformatted);
-    if (rv != SECSuccess) 
-    	goto done;
-
-    rv = RSA_PrivateKeyOpDoubleChecked(&key->u.rsa, output, formatted.data);
-    *output_len = modulus_len;
-
-done:
-    if (formatted.data != NULL) 
-    	PORT_ZFree(formatted.data, modulus_len);
-    return rv;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_CheckSignRaw(NSSLOWKEYPublicKey *key,
-                 unsigned char *     sign, 
-		 unsigned int        sign_len, 
-		 unsigned char *     hash, 
-		 unsigned int        hash_len)
-{
-    SECStatus       rv;
-    unsigned int    modulus_len = nsslowkey_PublicModulusLen(key);
-    unsigned char * buffer;
-
-    if (sign_len != modulus_len) 
-    	goto failure;
-    if (hash_len > modulus_len) 
-    	goto failure;
-    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
-    if (key->keyType != NSSLOWKEYRSAKey)
-    	goto failure;
-
-    buffer = (unsigned char *)PORT_Alloc(modulus_len + 1);
-    if (!buffer)
-    	goto failure;
-
-    rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign);
-    if (rv != SECSuccess)
-	goto loser;
-
-    /*
-     * make sure we get the same results
-     */
-    /* NOTE: should we verify the leading zeros? */
-    if (PORT_Memcmp(buffer + (modulus_len-hash_len), hash, hash_len) != 0)
-	goto loser;
-
-    PORT_Free(buffer);
-    return SECSuccess;
-
-loser:
-    PORT_Free(buffer);
-failure:
-    return SECFailure;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_CheckSignRecoverRaw(NSSLOWKEYPublicKey *key,
-                        unsigned char *     data,
-                        unsigned int *      data_len, 
-			unsigned int        max_output_len, 
-			unsigned char *     sign,
-			unsigned int        sign_len)
-{
-    SECStatus      rv;
-    unsigned int   modulus_len = nsslowkey_PublicModulusLen(key);
-
-    if (sign_len != modulus_len) 
-    	goto failure;
-    if (max_output_len < modulus_len) 
-    	goto failure;
-    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
-    if (key->keyType != NSSLOWKEYRSAKey)
-    	goto failure;
-
-    rv = RSA_PublicKeyOp(&key->u.rsa, data, sign);
-    if (rv != SECSuccess)
-	goto failure;
-
-    *data_len = modulus_len;
-    return SECSuccess;
-
-failure:
-    return SECFailure;
-}
-
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_EncryptRaw(NSSLOWKEYPublicKey *key, 
-	       unsigned char *     output, 
-	       unsigned int *      output_len,
-               unsigned int        max_output_len, 
-	       unsigned char *     input, 
-	       unsigned int        input_len)
-{
-    SECStatus rv;
-    unsigned int  modulus_len = nsslowkey_PublicModulusLen(key);
-    SECItem       formatted;
-    SECItem       unformatted;
-
-    formatted.data = NULL;
-    if (max_output_len < modulus_len) 
-    	goto failure;
-    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
-    if (key->keyType != NSSLOWKEYRSAKey)
-    	goto failure;
-
-    unformatted.len  = input_len;
-    unformatted.data = input;
-    formatted.data   = NULL;
-    rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockRaw, &unformatted);
-    if (rv != SECSuccess)
-	goto failure;
-
-    rv = RSA_PublicKeyOp(&key->u.rsa, output, formatted.data);
-    if (rv != SECSuccess) 
-    	goto failure;
-
-    PORT_ZFree(formatted.data, modulus_len);
-    *output_len = modulus_len;
-    return SECSuccess;
-
-failure:
-    if (formatted.data != NULL) 
-	PORT_ZFree(formatted.data, modulus_len);
-    return SECFailure;
-}
-
-/* XXX Doesn't set error code */
-SECStatus
-RSA_DecryptRaw(NSSLOWKEYPrivateKey *key, 
-               unsigned char *      output, 
-	       unsigned int *       output_len,
-               unsigned int         max_output_len, 
-	       unsigned char *      input, 
-	       unsigned int         input_len)
-{
-    SECStatus     rv;
-    unsigned int  modulus_len = nsslowkey_PrivateModulusLen(key);
-
-    if (modulus_len <= 0) 
-    	goto failure;
-    if (modulus_len > max_output_len) 
-    	goto failure;
-    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
-    if (key->keyType != NSSLOWKEYRSAKey)
-    	goto failure;
-    if (input_len != modulus_len) 
-    	goto failure;
-
-    rv = RSA_PrivateKeyOp(&key->u.rsa, output, input);
-    if (rv != SECSuccess)
-    	goto failure;
-
-    *output_len = modulus_len;
-    return SECSuccess;
-
-failure:
-    return SECFailure;
-}
diff --git a/security/nss/lib/softoken/softkver.c b/security/nss/lib/softoken/softkver.c
deleted file mode 100644
index 343be94bb..000000000
--- a/security/nss/lib/softoken/softkver.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2002
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/* Library identity and versioning */
-
-#include "nss.h"
-
-#if defined(DEBUG)
-#define _DEBUG_STRING " (debug)"
-#else
-#define _DEBUG_STRING ""
-#endif
-
-/*
- * Version information for the 'ident' and 'what commands
- *
- * NOTE: the first component of the concatenated rcsid string
- * must not end in a '$' to prevent rcs keyword substitution.
- */
-const char __nss_softokn_rcsid[] = "$Header: NSS " NSS_VERSION _DEBUG_STRING
-        "  " __DATE__ " " __TIME__ " $";
-const char __nss_softokn_sccsid[] = "@(#)NSS " NSS_VERSION _DEBUG_STRING
-        "  " __DATE__ " " __TIME__;
diff --git a/security/nss/lib/softoken/softoken.h b/security/nss/lib/softoken/softoken.h
deleted file mode 100644
index b89546e53..000000000
--- a/security/nss/lib/softoken/softoken.h
+++ /dev/null
@@ -1,164 +0,0 @@
-/*
- * softoken.h - private data structures and prototypes for the softoken lib
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#ifndef _SOFTOKEN_H_
-#define _SOFTOKEN_H_
-
-#include "blapi.h"
-#include "lowkeyti.h"
-#include "softoknt.h"
-#include "secoidt.h"
-
-#include "pkcs11t.h"     /* CK_RV Required for sftk_fipsPowerUpSelfTest(). */
-
-SEC_BEGIN_PROTOS
-
-/*
-** RSA encryption/decryption. When encrypting/decrypting the output
-** buffer must be at least the size of the public key modulus.
-*/
-
-/*
-** Format some data into a PKCS#1 encryption block, preparing the
-** data for RSA encryption.
-**	"result" where the formatted block is stored (memory is allocated)
-**	"modulusLen" the size of the formatted block
-**	"blockType" what block type to use (SEC_RSABlock*)
-**	"data" the data to format
-*/
-extern SECStatus RSA_FormatBlock(SECItem *result,
-				 unsigned int modulusLen,
-				 RSA_BlockType blockType,
-				 SECItem *data);
-/*
-** Similar, but just returns a pointer to the allocated memory, *and*
-** will *only* format one block, even if we (in the future) modify
-** RSA_FormatBlock() to loop over multiples of modulusLen.
-*/
-extern unsigned char *RSA_FormatOneBlock(unsigned int modulusLen,
-					 RSA_BlockType blockType,
-					 SECItem *data);
-
-
-
-/*
- * convenience wrappers for doing single RSA operations. They create the
- * RSA context internally and take care of the formatting
- * requirements. Blinding happens automagically within RSA_SignHash and
- * RSA_DecryptBlock.
- */
-extern
-SECStatus RSA_Sign(NSSLOWKEYPrivateKey *key, unsigned char *output,
-		       unsigned int *outputLen, unsigned int maxOutputLen,
-		       unsigned char *input, unsigned int inputLen);
-extern
-SECStatus RSA_CheckSign(NSSLOWKEYPublicKey *key, unsigned char *sign,
-			    unsigned int signLength, unsigned char *hash,
-			    unsigned int hashLength);
-extern
-SECStatus RSA_CheckSignRecover(NSSLOWKEYPublicKey *key, unsigned char *data,
-    			    unsigned int *data_len,unsigned int max_output_len, 
-			    unsigned char *sign, unsigned int sign_len);
-extern
-SECStatus RSA_EncryptBlock(NSSLOWKEYPublicKey *key, unsigned char *output,
-			   unsigned int *outputLen, unsigned int maxOutputLen,
-			   unsigned char *input, unsigned int inputLen);
-extern
-SECStatus RSA_DecryptBlock(NSSLOWKEYPrivateKey *key, unsigned char *output,
-			   unsigned int *outputLen, unsigned int maxOutputLen,
-			   unsigned char *input, unsigned int inputLen);
-
-/*
- * added to make pkcs #11 happy
- *   RAW is RSA_X_509
- */
-extern
-SECStatus RSA_SignRaw( NSSLOWKEYPrivateKey *key, unsigned char *output,
-			 unsigned int *output_len, unsigned int maxOutputLen,
-			 unsigned char *input, unsigned int input_len);
-extern
-SECStatus RSA_CheckSignRaw( NSSLOWKEYPublicKey *key, unsigned char *sign, 
-			    unsigned int sign_len, unsigned char *hash, 
-			    unsigned int hash_len);
-extern
-SECStatus RSA_CheckSignRecoverRaw( NSSLOWKEYPublicKey *key, unsigned char *data,
-			    unsigned int *data_len, unsigned int max_output_len,
-			    unsigned char *sign, unsigned int sign_len);
-extern
-SECStatus RSA_EncryptRaw( NSSLOWKEYPublicKey *key, unsigned char *output,
-			    unsigned int *output_len,
-			    unsigned int max_output_len, 
-			    unsigned char *input, unsigned int input_len);
-extern
-SECStatus RSA_DecryptRaw(NSSLOWKEYPrivateKey *key, unsigned char *output,
-			     unsigned int *output_len,
-    			     unsigned int max_output_len,
-			     unsigned char *input, unsigned int input_len);
-
-/*
-** Prepare a buffer for DES encryption, growing to the appropriate boundary,
-** filling with the appropriate padding.
-** We add from 1 to DES_KEY_LENGTH bytes -- we *always* grow.
-** The extra bytes contain the value of the length of the padding:
-** if we have 2 bytes of padding, then the padding is "0x02, 0x02".
-**
-** NOTE: If arena is non-NULL, we re-allocate from there, otherwise
-** we assume (and use) PR memory (re)allocation.
-** Maybe this belongs in util?
-*/
-extern unsigned char * DES_PadBuffer(PRArenaPool *arena, unsigned char *inbuf, 
-                                     unsigned int inlen, unsigned int *outlen);
-
-
-/****************************************/
-/*
-** Power-Up selftests required for FIPS and invoked only
-** under PKCS #11 FIPS mode.
-*/
-extern CK_RV sftk_fipsPowerUpSelfTest( void ); 
-
-/*
-** make known fixed PKCS #11 key types to their sizes in bytes
-*/	
-unsigned long sftk_MapKeySize(CK_KEY_TYPE keyType);
-
-SEC_END_PROTOS
-
-#endif /* _SOFTOKEN_H_ */
diff --git a/security/nss/lib/softoken/softokn.def b/security/nss/lib/softoken/softokn.def
deleted file mode 100644
index 2544d1b92..000000000
--- a/security/nss/lib/softoken/softokn.def
+++ /dev/null
@@ -1,61 +0,0 @@
-;+#
-;+# ***** BEGIN LICENSE BLOCK *****
-;+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-;+#
-;+# The contents of this file are subject to the Mozilla Public License Version
-;+# 1.1 (the "License"); you may not use this file except in compliance with
-;+# the License. You may obtain a copy of the License at
-;+# http://www.mozilla.org/MPL/
-;+#
-;+# Software distributed under the License is distributed on an "AS IS" basis,
-;+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-;+# for the specific language governing rights and limitations under the
-;+# License.
-;+#
-;+# The Original Code is the Netscape security libraries.
-;+#
-;+# The Initial Developer of the Original Code is
-;+# Netscape Communications Corporation.
-;+# Portions created by the Initial Developer are Copyright (C) 2000
-;+# the Initial Developer. All Rights Reserved.
-;+#
-;+# Contributor(s):
-;+#   Dr Stephen Henson <stephen.henson@gemplus.com>
-;+#
-;+# Alternatively, the contents of this file may be used under the terms of
-;+# either the GNU General Public License Version 2 or later (the "GPL"), or
-;+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-;+# in which case the provisions of the GPL or the LGPL are applicable instead
-;+# of those above. If you wish to allow use of your version of this file only
-;+# under the terms of either the GPL or the LGPL, and not to allow others to
-;+# use your version of this file under the terms of the MPL, indicate your
-;+# decision by deleting the provisions above and replace them with the notice
-;+# and other provisions required by the GPL or the LGPL. If you do not delete
-;+# the provisions above, a recipient may use your version of this file under
-;+# the terms of any one of the MPL, the GPL or the LGPL.
-;+#
-;+# ***** END LICENSE BLOCK *****
-;+#
-;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
-;+#   1. For all unix platforms, the string ";-"  means "remove this line"
-;+#   2. For all unix platforms, the string " DATA " will be removed from any 
-;+#	line on which it occurs.
-;+#   3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
-;+#      On AIX, lines containing ";+" will be removed.  
-;+#   4. For all unix platforms, the string ";;" will thave the ";;" removed.
-;+#   5. For all unix platforms, after the above processing has taken place,
-;+#    all characters after the first ";" on the line will be removed.  
-;+#    And for AIX, the first ";" will also be removed.
-;+#  This file is passed directly to windows. Since ';' is a comment, all UNIX
-;+#   directives are hidden behind ";", ";+", and ";-"
-;+NSS_3.4 {       # NSS 3.4 release
-;+    global:
-LIBRARY softokn3 ;-
-EXPORTS ;-
-C_GetFunctionList; Make this function like a real PKCS #11 module as well
-FC_GetFunctionList;
-NSC_GetFunctionList;
-NSC_ModuleDBFunc;
-;+    local:
-;+       *;
-;+};
diff --git a/security/nss/lib/softoken/softokn.rc b/security/nss/lib/softoken/softokn.rc
deleted file mode 100644
index 0fcaa1219..000000000
--- a/security/nss/lib/softoken/softokn.rc
+++ /dev/null
@@ -1,101 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2001
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "nss.h"
-#include <winver.h>
-
-#define MY_LIBNAME "softokn"
-#define MY_FILEDESCRIPTION "NSS PKCS #11 Library"
-
-#define STRINGIZE(x) #x
-#define STRINGIZE2(x) STRINGIZE(x)
-#define NSS_VMAJOR_STR STRINGIZE2(NSS_VMAJOR)
-
-#ifdef _DEBUG
-#define MY_DEBUG_STR " (debug)"
-#define MY_FILEFLAGS_1 VS_FF_DEBUG
-#else
-#define MY_DEBUG_STR ""
-#define MY_FILEFLAGS_1 0x0L
-#endif
-#if NSS_BETA
-#define MY_FILEFLAGS_2 MY_FILEFLAGS_1|VS_FF_PRERELEASE
-#else
-#define MY_FILEFLAGS_2 MY_FILEFLAGS_1
-#endif
-
-#ifdef WINNT
-#define MY_FILEOS VOS_NT_WINDOWS32
-#else
-#define MY_FILEOS VOS__WINDOWS32
-#endif
-
-#define MY_INTERNAL_NAME MY_LIBNAME NSS_VMAJOR_STR
-
-/////////////////////////////////////////////////////////////////////////////
-//
-// Version-information resource
-//
-
-VS_VERSION_INFO VERSIONINFO
- FILEVERSION NSS_VMAJOR,NSS_VMINOR,NSS_VPATCH,0
- PRODUCTVERSION NSS_VMAJOR,NSS_VMINOR,NSS_VPATCH,0
- FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
- FILEFLAGS MY_FILEFLAGS_2
- FILEOS MY_FILEOS
- FILETYPE VFT_DLL
- FILESUBTYPE 0x0L // not used
-
-BEGIN
-    BLOCK "StringFileInfo"
-    BEGIN
-        BLOCK "040904B0" // Lang=US English, CharSet=Unicode
-        BEGIN
-            VALUE "CompanyName", "Netscape Communications Corporation\0"
-            VALUE "FileDescription", MY_FILEDESCRIPTION MY_DEBUG_STR "\0"
-            VALUE "FileVersion", NSS_VERSION "\0"
-            VALUE "InternalName", MY_INTERNAL_NAME "\0"
-            VALUE "LegalCopyright", "Copyright \251 1994-2001 Netscape Communications Corporation\0"
-            VALUE "OriginalFilename", MY_INTERNAL_NAME ".dll\0"
-            VALUE "ProductName", "Network Security Services\0"
-            VALUE "ProductVersion", NSS_VERSION "\0"
-        END
-    END
-    BLOCK "VarFileInfo"
-    BEGIN
-        VALUE "Translation", 0x409, 1200
-    END
-END
diff --git a/security/nss/lib/softoken/softoknt.h b/security/nss/lib/softoken/softoknt.h
deleted file mode 100644
index b499eb6b0..000000000
--- a/security/nss/lib/softoken/softoknt.h
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * softoknt.h - public data structures for the software token library
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#ifndef _SOFTOKNT_H_
-#define _SOFTOKNT_H_
-
-/*
- * RSA block types
- *
- * The actual values are important -- they are fixed, *not* arbitrary.
- * The explicit value assignments are not needed (because C would give
- * us those same values anyway) but are included as a reminder...
- */
-typedef enum {
-    RSA_BlockPrivate0 = 0,	/* unused, really */
-    RSA_BlockPrivate = 1,	/* pad for a private-key operation */
-    RSA_BlockPublic = 2,	/* pad for a public-key operation */
-    RSA_BlockOAEP = 3,		/* use OAEP padding */
-				/* XXX is this only for a public-key
-				   operation? If so, add "Public" */
-    RSA_BlockRaw = 4,		/* simply justify the block appropriately */
-    RSA_BlockTotal
-} RSA_BlockType;
-
-#define NSS_SOFTOKEN_DEFAULT_CHUNKSIZE   2048
-
-#endif /* _SOFTOKNT_H_ */
diff --git a/security/nss/lib/softoken/tlsprf.c b/security/nss/lib/softoken/tlsprf.c
deleted file mode 100644
index 23e996d5f..000000000
--- a/security/nss/lib/softoken/tlsprf.c
+++ /dev/null
@@ -1,215 +0,0 @@
-/* tlsprf.c - TLS Pseudo Random Function (PRF) implementation
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "pkcs11i.h"
-#include "blapi.h"
-
-#define SFTK_OFFSETOF(str, memb) ((PRPtrdiff)(&(((str *)0)->memb)))
-
-static void sftk_TLSPRFNull(void *data, PRBool freeit)
-{
-    return;
-} 
-
-typedef struct {
-    PRUint32	   cxSize;	/* size of allocated block, in bytes.        */
-    PRUint32       cxBufSize;   /* sizeof buffer at cxBufPtr.                */
-    unsigned char *cxBufPtr;	/* points to real buffer, may be cxBuf.      */
-    PRUint32	   cxKeyLen;	/* bytes of cxBufPtr containing key.         */
-    PRUint32	   cxDataLen;	/* bytes of cxBufPtr containing data.        */
-    SECStatus	   cxRv;	/* records failure of void functions.        */
-    PRBool	   cxIsFIPS;	/* true if conforming to FIPS 198.           */
-    unsigned char  cxBuf[512];	/* actual size may be larger than 512.       */
-} TLSPRFContext;
-
-static void
-sftk_TLSPRFHashUpdate(TLSPRFContext *cx, const unsigned char *data, 
-                        unsigned int data_len)
-{
-    PRUint32 bytesUsed = cx->cxKeyLen + cx->cxDataLen;
-
-    if (cx->cxRv != SECSuccess)	/* function has previously failed. */
-    	return;
-    if (bytesUsed + data_len > cx->cxBufSize) {
-	/* We don't use realloc here because 
-	** (a) realloc doesn't zero out the old block, and 
-	** (b) if realloc fails, we lose the old block.
-	*/
-	PRUint32 newBufSize = bytesUsed + data_len + 512;
-    	unsigned char * newBuf = (unsigned char *)PORT_Alloc(newBufSize);
-	if (!newBuf) {
-	   cx->cxRv = SECFailure;
-	   return;
-	}
-	PORT_Memcpy(newBuf, cx->cxBufPtr, bytesUsed);
-	if (cx->cxBufPtr != cx->cxBuf) {
-	    PORT_ZFree(cx->cxBufPtr, bytesUsed);
-	}
-	cx->cxBufPtr  = newBuf;
-	cx->cxBufSize = newBufSize;
-    }
-    PORT_Memcpy(cx->cxBufPtr + bytesUsed, data, data_len);
-    cx->cxDataLen += data_len;
-}
-
-static void 
-sftk_TLSPRFEnd(TLSPRFContext *ctx, unsigned char *hashout,
-	 unsigned int *pDigestLen, unsigned int maxDigestLen)
-{
-    *pDigestLen = 0; /* tells Verify that no data has been input yet. */
-}
-
-/* Compute the PRF values from the data previously input. */
-static SECStatus
-sftk_TLSPRFUpdate(TLSPRFContext *cx, 
-                  unsigned char *sig,		/* output goes here. */
-		  unsigned int * sigLen, 	/* how much output.  */
-		  unsigned int   maxLen, 	/* output buffer size */
-		  unsigned char *hash, 		/* unused. */
-		  unsigned int   hashLen)	/* unused. */
-{
-    SECStatus rv;
-    SECItem sigItem;
-    SECItem seedItem;
-    SECItem secretItem;
-
-    if (cx->cxRv != SECSuccess)
-    	return cx->cxRv;
-
-    secretItem.data = cx->cxBufPtr;
-    secretItem.len  = cx->cxKeyLen;
-
-    seedItem.data = cx->cxBufPtr + cx->cxKeyLen;
-    seedItem.len  = cx->cxDataLen;
-
-    sigItem.data = sig;
-    sigItem.len  = maxLen;
-
-    rv = TLS_PRF(&secretItem, NULL, &seedItem, &sigItem, cx->cxIsFIPS);
-    if (rv == SECSuccess && sigLen != NULL)
-    	*sigLen = sigItem.len;
-    return rv;
-
-}
-
-static SECStatus
-sftk_TLSPRFVerify(TLSPRFContext *cx, 
-                  unsigned char *sig, 		/* input, for comparison. */
-		  unsigned int   sigLen,	/* length of sig.         */
-		  unsigned char *hash, 		/* data to be verified.   */
-		  unsigned int   hashLen)	/* size of hash data.     */
-{
-    unsigned char * tmp    = (unsigned char *)PORT_Alloc(sigLen);
-    unsigned int    tmpLen = sigLen;
-    SECStatus       rv;
-
-    if (!tmp)
-    	return SECFailure;
-    if (hashLen) {
-    	/* hashLen is non-zero when the user does a one-step verify.
-	** In this case, none of the data has been input yet.
-	*/
-    	sftk_TLSPRFHashUpdate(cx, hash, hashLen);
-    }
-    rv = sftk_TLSPRFUpdate(cx, tmp, &tmpLen, sigLen, NULL, 0);
-    if (rv == SECSuccess) {
-    	rv = (SECStatus)(1 - !PORT_Memcmp(tmp, sig, sigLen));
-    }
-    PORT_ZFree(tmp, sigLen);
-    return rv;
-}
-
-static void
-sftk_TLSPRFHashDestroy(TLSPRFContext *cx, PRBool freeit)
-{
-    if (freeit) {
-	if (cx->cxBufPtr != cx->cxBuf) 
-	    PORT_ZFree(cx->cxBufPtr, cx->cxBufSize);
-	PORT_ZFree(cx, cx->cxSize);
-    }
-}
-
-CK_RV
-sftk_TLSPRFInit(SFTKSessionContext *context, 
-		  SFTKObject *        key, 
-		  CK_KEY_TYPE         key_type)
-{
-    SFTKAttribute * keyVal;
-    TLSPRFContext * prf_cx;
-    CK_RV           crv = CKR_HOST_MEMORY;
-    PRUint32        keySize;
-    PRUint32        blockSize;
-
-    if (key_type != CKK_GENERIC_SECRET)
-    	return CKR_KEY_TYPE_INCONSISTENT; /* CKR_KEY_FUNCTION_NOT_PERMITTED */
-
-    context->multi = PR_TRUE;
-
-    keyVal = sftk_FindAttribute(key, CKA_VALUE);
-    keySize = (!keyVal) ? 0 : keyVal->attrib.ulValueLen;
-    blockSize = keySize + sizeof(TLSPRFContext);
-    prf_cx = (TLSPRFContext *)PORT_Alloc(blockSize);
-    if (!prf_cx) 
-    	goto done;
-    prf_cx->cxSize    = blockSize;
-    prf_cx->cxKeyLen  = keySize;
-    prf_cx->cxDataLen = 0;
-    prf_cx->cxBufSize = blockSize - SFTK_OFFSETOF(TLSPRFContext, cxBuf);
-    prf_cx->cxRv      = SECSuccess;
-    prf_cx->cxIsFIPS  = (key->slot->slotID == FIPS_SLOT_ID);
-    prf_cx->cxBufPtr  = prf_cx->cxBuf;
-    if (keySize)
-	PORT_Memcpy(prf_cx->cxBufPtr, keyVal->attrib.pValue, keySize);
-
-    context->hashInfo    = (void *) prf_cx;
-    context->cipherInfo  = (void *) prf_cx;
-    context->hashUpdate  = (SFTKHash)    sftk_TLSPRFHashUpdate;
-    context->end         = (SFTKEnd)     sftk_TLSPRFEnd;
-    context->update      = (SFTKCipher)  sftk_TLSPRFUpdate;
-    context->verify      = (SFTKVerify)  sftk_TLSPRFVerify;
-    context->destroy     = (SFTKDestroy) sftk_TLSPRFNull;
-    context->hashdestroy = (SFTKDestroy) sftk_TLSPRFHashDestroy;
-    crv = CKR_OK;
-
-done:
-    if (keyVal) 
-	sftk_FreeAttribute(keyVal);
-    return crv;
-}
-
diff --git a/security/nss/lib/ssl/Makefile b/security/nss/lib/ssl/Makefile
deleted file mode 100644
index e5b98f77b..000000000
--- a/security/nss/lib/ssl/Makefile
+++ /dev/null
@@ -1,91 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include config.mk
-
-ifeq (,$(filter-out WIN%,$(OS_TARGET)))
-CSRCS	+= win32err.c
-DEFINES += -DIN_LIBSSL
-else
-ifeq ($(OS_TARGET),OS2)
-CSRCS	+= os2_err.c
-else
-CSRCS	+= unix_err.c
-endif
-endif
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-export:: private_export
-
diff --git a/security/nss/lib/ssl/authcert.c b/security/nss/lib/ssl/authcert.c
deleted file mode 100644
index 0e02c15fa..000000000
--- a/security/nss/lib/ssl/authcert.c
+++ /dev/null
@@ -1,122 +0,0 @@
-/*
- * NSS utility functions
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <string.h>
-#include "prerror.h"
-#include "secitem.h"
-#include "prnetdb.h"
-#include "cert.h"
-#include "nspr.h"
-#include "secder.h"
-#include "key.h"
-#include "nss.h"
-#include "ssl.h"
-#include "pk11func.h"	/* for PK11_ function calls */
-
-/*
- * This callback used by SSL to pull client sertificate upon
- * server request
- */
-SECStatus 
-NSS_GetClientAuthData(void *                       arg, 
-                      PRFileDesc *                 socket, 
-		      struct CERTDistNamesStr *    caNames, 
-		      struct CERTCertificateStr ** pRetCert, 
-		      struct SECKEYPrivateKeyStr **pRetKey)
-{
-  CERTCertificate *  cert = NULL;
-  SECKEYPrivateKey * privkey = NULL;
-  char *             chosenNickName = (char *)arg;    /* CONST */
-  void *             proto_win  = NULL;
-  SECStatus          rv         = SECFailure;
-  
-  proto_win = SSL_RevealPinArg(socket);
-  
-  if (chosenNickName) {
-    cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
-                                    chosenNickName, certUsageSSLClient,
-                                    PR_FALSE, proto_win);	
-    if ( cert ) {
-      privkey = PK11_FindKeyByAnyCert(cert, proto_win);
-      if ( privkey ) {
-	rv = SECSuccess;
-      } else {
-	CERT_DestroyCertificate(cert);
-      }
-    }
-  } else { /* no name given, automatically find the right cert. */
-    CERTCertNicknames * names;
-    int                 i;
-      
-    names = CERT_GetCertNicknames(CERT_GetDefaultCertDB(),
-				  SEC_CERT_NICKNAMES_USER, proto_win);
-    if (names != NULL) {
-      for (i = 0; i < names->numnicknames; i++) {
-	cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
-                            names->nicknames[i], certUsageSSLClient,
-                            PR_FALSE, proto_win);	
-	if ( !cert )
-	  continue;
-	/* Only check unexpired certs */
-	if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_TRUE) != 
-	    secCertTimeValid ) {
-	  CERT_DestroyCertificate(cert);
-	  continue;
-	}
-	rv = NSS_CmpCertChainWCANames(cert, caNames);
-	if ( rv == SECSuccess ) {
-	  privkey = PK11_FindKeyByAnyCert(cert, proto_win);
-	  if ( privkey )
-	    break;
-	}
-	rv = SECFailure;
-	CERT_DestroyCertificate(cert);
-      } 
-      CERT_FreeNicknames(names);
-    }
-  }
-  if (rv == SECSuccess) {
-    *pRetCert = cert;
-    *pRetKey  = privkey;
-  }
-  return rv;
-}
-
diff --git a/security/nss/lib/ssl/cmpcert.c b/security/nss/lib/ssl/cmpcert.c
deleted file mode 100644
index 56cd8dce4..000000000
--- a/security/nss/lib/ssl/cmpcert.c
+++ /dev/null
@@ -1,123 +0,0 @@
-/*
- * NSS utility functions
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include <stdio.h>
-#include <string.h>
-#include "prerror.h"
-#include "secitem.h"
-#include "prnetdb.h"
-#include "cert.h"
-#include "nspr.h"
-#include "secder.h"
-#include "key.h"
-#include "nss.h"
-
-/*
- * Look to see if any of the signers in the cert chain for "cert" are found
- * in the list of caNames.  
- * Returns SECSuccess if so, SECFailure if not.
- */
-SECStatus
-NSS_CmpCertChainWCANames(CERTCertificate *cert, CERTDistNames *caNames)
-{
-  SECItem *         caname;
-  CERTCertificate * curcert;
-  CERTCertificate * oldcert;
-  PRInt32           contentlen;
-  int               j;
-  int               headerlen;
-  int               depth;
-  SECStatus         rv;
-  SECItem           issuerName;
-  SECItem           compatIssuerName;
-
-  if (!cert || !caNames || !caNames->nnames || !caNames->names ||
-      !caNames->names->data)
-    return SECFailure;
-  depth=0;
-  curcert = CERT_DupCertificate(cert);
-  
-  while( curcert ) {
-    issuerName = curcert->derIssuer;
-    
-    /* compute an alternate issuer name for compatibility with 2.0
-     * enterprise server, which send the CA names without
-     * the outer layer of DER hearder
-     */
-    rv = DER_Lengths(&issuerName, &headerlen, (uint32 *)&contentlen);
-    if ( rv == SECSuccess ) {
-      compatIssuerName.data = &issuerName.data[headerlen];
-      compatIssuerName.len = issuerName.len - headerlen;
-    } else {
-      compatIssuerName.data = NULL;
-      compatIssuerName.len = 0;
-    }
-    
-    for (j = 0; j < caNames->nnames; j++) {
-      caname = &caNames->names[j];
-      if (SECITEM_CompareItem(&issuerName, caname) == SECEqual) {
-	rv = SECSuccess;
-	CERT_DestroyCertificate(curcert);
-	goto done;
-      } else if (SECITEM_CompareItem(&compatIssuerName, caname) == SECEqual) {
-	rv = SECSuccess;
-	CERT_DestroyCertificate(curcert);
-	goto done;
-      }
-    }
-    if ( ( depth <= 20 ) &&
-	 ( SECITEM_CompareItem(&curcert->derIssuer, &curcert->derSubject)
-	   != SECEqual ) ) {
-      oldcert = curcert;
-      curcert = CERT_FindCertByName(curcert->dbhandle,
-				    &curcert->derIssuer);
-      CERT_DestroyCertificate(oldcert);
-      depth++;
-    } else {
-      CERT_DestroyCertificate(curcert);
-      curcert = NULL;
-    }
-  }
-  rv = SECFailure;
-  
-done:
-  return rv;
-}
-
diff --git a/security/nss/lib/ssl/config.mk b/security/nss/lib/ssl/config.mk
deleted file mode 100644
index 35e4147b5..000000000
--- a/security/nss/lib/ssl/config.mk
+++ /dev/null
@@ -1,125 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-ifdef NISCC_TEST
-DEFINES += -DNISCC_TEST
-endif
-
-ifeq (,$(filter-out WIN%,$(OS_TARGET)))
-
-# don't want the 32 in the shared library name
-SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
-IMPORT_LIBRARY = $(OBJDIR)/$(IMPORT_LIB_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION)$(IMPORT_LIB_SUFFIX)
-
-RES = $(OBJDIR)/ssl.res
-RESNAME = ssl.rc
-
-ifdef NS_USE_GCC
-EXTRA_SHARED_LIBS += \
-	-L$(DIST)/lib \
-	-lnss3 \
-	-L$(NSPR_LIB_DIR) \
-	-lplc4 \
-	-lplds4 \
-	-lnspr4 \
-	$(NULL)
-else # ! NS_USE_GCC
-EXTRA_SHARED_LIBS += \
-	$(DIST)/lib/nss3.lib \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
-	$(NULL)
-endif # NS_USE_GCC
-
-# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
-CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
-CRYPTODIR=../freebl
-ifdef MOZILLA_SECURITY_BUILD
-	CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)crypto.$(LIB_SUFFIX)
-	CRYPTODIR=../crypto
-endif
-
-EXTRA_LIBS += \
-	$(CRYPTOLIB) \
-	$(NULL)
-
-else
-
-# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
-CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
-CRYPTODIR=../freebl
-ifdef MOZILLA_SECURITY_BUILD
-	CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)crypto.$(LIB_SUFFIX)
-	CRYPTODIR=../crypto
-endif
-
-EXTRA_LIBS += \
-	$(CRYPTOLIB) \
-	$(NULL)
-
-
-# $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
-# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
-EXTRA_SHARED_LIBS += \
-	-L$(DIST)/lib \
-	-lnss3 \
-	-L$(NSPR_LIB_DIR) \
-	-lplc4 \
-	-lplds4 \
-	-lnspr4 \
-	$(NULL)
-
-ifeq ($(OS_ARCH), BeOS)
-EXTRA_SHARED_LIBS += -lbe
-endif
-
-ifeq ($(OS_ARCH), Darwin)
-EXTRA_SHARED_LIBS += -dylib_file @executable_path/libsoftokn3.dylib:$(DIST)/lib/libsoftokn3.dylib
-endif
-
-ifeq ($(OS_TARGET),SunOS)
-# The -R '$ORIGIN' linker option instructs this library to search for its
-# dependencies in the same directory where it resides.
-MKSHLIB += -R '$$ORIGIN'
-#EXTRA_SHARED_LIBS += -ldl -lrt -lc -z defs
-endif
-
-endif
-
-# indicates dependency on freebl static lib
-$(SHARED_LIBRARY): $(CRYPTOLIB)
diff --git a/security/nss/lib/ssl/derive.c b/security/nss/lib/ssl/derive.c
deleted file mode 100644
index c00822bee..000000000
--- a/security/nss/lib/ssl/derive.c
+++ /dev/null
@@ -1,481 +0,0 @@
-/*
- * Key Derivation that doesn't use PKCS11
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2005
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "ssl.h" 	/* prereq to sslimpl.h */
-#include "certt.h"	/* prereq to sslimpl.h */
-#include "keythi.h"	/* prereq to sslimpl.h */
-#include "sslimpl.h"
-#include "blapi.h"
-
-/* make this a macro! */
-#ifdef NOT_A_MACRO
-static void
-buildSSLKey(unsigned char * keyBlock, unsigned int keyLen, SECItem * result)
-{
-    result->type = siBuffer;
-    result->data = keyBlock;
-    result->len  = keyLen;
-}
-#else
-#define buildSSLKey(keyBlock, keyLen, result) \
-{ \
-    (result)->type = siBuffer; \
-    (result)->data = keyBlock; \
-    (result)->len  = keyLen; \
-}
-#endif
-
-/*
- * SSL Key generation given pre master secret
- */
-#ifndef NUM_MIXERS
-#define NUM_MIXERS 9
-#endif
-static const char * const mixers[NUM_MIXERS] = { 
-    "A", 
-    "BB", 
-    "CCC", 
-    "DDDD", 
-    "EEEEE", 
-    "FFFFFF", 
-    "GGGGGGG",
-    "HHHHHHHH",
-    "IIIIIIIII" 
-};
-
-
-SECStatus
-ssl3_KeyAndMacDeriveBypass(
-    ssl3CipherSpec *      pwSpec,
-    const unsigned char * cr,
-    const unsigned char * sr,
-    PRBool                isTLS,
-    PRBool                isExport)
-{
-    const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def;
-    unsigned char * key_block    = pwSpec->key_block;
-    unsigned char * key_block2   = NULL;
-    unsigned int    block_bytes  = 0;
-    unsigned int    block_needed = 0;
-    unsigned int    i;
-    unsigned int    keySize;            /* actual    size of cipher keys */
-    unsigned int    effKeySize;		/* effective size of cipher keys */
-    unsigned int    macSize;		/* size of MAC secret */
-    unsigned int    IVSize;		/* size of IV */
-    SECStatus       rv    = SECFailure;
-    SECStatus       status = SECSuccess;
-    PRBool          isFIPS = PR_FALSE;
-
-    SECItem         srcr;
-    SECItem         crsr;
-
-    unsigned char     srcrdata[SSL3_RANDOM_LENGTH * 2];
-    unsigned char     crsrdata[SSL3_RANDOM_LENGTH * 2];
-    PRUint64          md5buf[22];
-    PRUint64          shabuf[40];
-
-#define md5Ctx ((MD5Context *)md5buf)
-#define shaCtx ((SHA1Context *)shabuf)
-
-    static const SECItem zed  = { siBuffer, NULL, 0 };
-
-    if (pwSpec->msItem.data == NULL ||
-        pwSpec->msItem.len  != SSL3_MASTER_SECRET_LENGTH) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return rv;
-    }
-
-    /* figure out how much is needed */
-    macSize    = pwSpec->mac_size;
-    keySize    = cipher_def->key_size;
-    effKeySize = cipher_def->secret_key_size;
-    IVSize     = cipher_def->iv_size;
-    if (keySize == 0) {
-	effKeySize = IVSize = 0; /* only MACing */
-    }
-    block_needed = 2 * (macSize + effKeySize + ((!isExport) * IVSize));
-
-    /*
-     * clear out our returned keys so we can recover on failure
-     */
-    pwSpec->client.write_key_item     = zed;
-    pwSpec->client.write_mac_key_item = zed;
-    pwSpec->server.write_key_item     = zed;
-    pwSpec->server.write_mac_key_item = zed;
-
-    /* initialize the server random, client random block */
-    srcr.type   = siBuffer;
-    srcr.data   = srcrdata;
-    srcr.len    = sizeof srcrdata;
-    PORT_Memcpy(srcrdata, sr, SSL3_RANDOM_LENGTH);
-    PORT_Memcpy(srcrdata + SSL3_RANDOM_LENGTH, cr, SSL3_RANDOM_LENGTH);
-
-    /* initialize the client random, server random block */
-    crsr.type   = siBuffer;
-    crsr.data   = crsrdata;
-    crsr.len    = sizeof crsrdata;
-    PORT_Memcpy(crsrdata, cr, SSL3_RANDOM_LENGTH);
-    PORT_Memcpy(crsrdata + SSL3_RANDOM_LENGTH, sr, SSL3_RANDOM_LENGTH);
-
-    /*
-     * generate the key material:
-     */
-    if (isTLS) {
-	SECItem       keyblk;
-
-	keyblk.type = siBuffer;
-	keyblk.data = key_block;
-	keyblk.len  = block_needed;
-
-	status = TLS_PRF(&pwSpec->msItem, "key expansion", &srcr, &keyblk,
-			  isFIPS);
-	if (status != SECSuccess) {
-	    goto key_and_mac_derive_fail;
-	}
-	block_bytes = keyblk.len;
-    } else {
-	/* key_block = 
-	 *     MD5(master_secret + SHA('A' + master_secret + 
-	 *                      ServerHello.random + ClientHello.random)) +
-	 *     MD5(master_secret + SHA('BB' + master_secret + 
-	 *                      ServerHello.random + ClientHello.random)) +
-	 *     MD5(master_secret + SHA('CCC' + master_secret + 
-	 *                      ServerHello.random + ClientHello.random)) +
-	 *     [...];
-	 */
-	int made = 0;
-	for (i = 0; made < block_needed && i < NUM_MIXERS; ++i) {
-	    unsigned int    outLen;
-	    unsigned char   sha_out[SHA1_LENGTH];
-
-	    SHA1_Begin(shaCtx);
-	    SHA1_Update(shaCtx, (unsigned char*)(mixers[i]), i+1);
-	    SHA1_Update(shaCtx, pwSpec->msItem.data, pwSpec->msItem.len);
-	    SHA1_Update(shaCtx, srcr.data, srcr.len);
-	    SHA1_End(shaCtx, sha_out, &outLen, SHA1_LENGTH);
-	    PORT_Assert(outLen == SHA1_LENGTH);
-
-	    MD5_Begin(md5Ctx);
-	    MD5_Update(md5Ctx, pwSpec->msItem.data, pwSpec->msItem.len);
-	    MD5_Update(md5Ctx, sha_out, outLen);
-	    MD5_End(md5Ctx, key_block + made, &outLen, MD5_LENGTH);
-	    PORT_Assert(outLen == MD5_LENGTH);
-	    made += MD5_LENGTH;
-	}
-	block_bytes = made;
-    }
-    PORT_Assert(block_bytes >= block_needed);
-    PORT_Assert(block_bytes <= sizeof pwSpec->key_block);
-
-    /*
-     * Put the key material where it goes.
-     */
-    key_block2 = key_block + block_bytes;
-    i = 0;			/* now shows how much consumed */
-
-    /* 
-     * The key_block is partitioned as follows:
-     * client_write_MAC_secret[CipherSpec.hash_size]
-     */
-    buildSSLKey(&key_block[i],macSize, &pwSpec->client.write_mac_key_item);
-    i += macSize;
-
-    /* 
-     * server_write_MAC_secret[CipherSpec.hash_size]
-     */
-    buildSSLKey(&key_block[i],macSize, &pwSpec->server.write_mac_key_item);
-    i += macSize;
-
-    if (!keySize) {
-	/* only MACing */
-	buildSSLKey(NULL, 0, &pwSpec->client.write_key_item);
-	buildSSLKey(NULL, 0, &pwSpec->server.write_key_item);
-	buildSSLKey(NULL, 0, &pwSpec->client.write_iv_item);
-	buildSSLKey(NULL, 0, &pwSpec->server.write_iv_item);
-    } else if (!isExport) {
-	/* 
-	** Generate Domestic write keys and IVs.
-	** client_write_key[CipherSpec.key_material]
-	*/
-	buildSSLKey(&key_block[i], keySize, &pwSpec->client.write_key_item);
-	i += keySize;
-
-	/* 
-	** server_write_key[CipherSpec.key_material]
-	*/
-	buildSSLKey(&key_block[i], keySize, &pwSpec->server.write_key_item);
-	i += keySize;
-
-	if (IVSize > 0) {
-	    /* 
-	    ** client_write_IV[CipherSpec.IV_size]
-	    */
-	    buildSSLKey(&key_block[i], IVSize, &pwSpec->client.write_iv_item);
-	    i += IVSize;
-
-	    /* 
-	    ** server_write_IV[CipherSpec.IV_size]
-	    */
-	    buildSSLKey(&key_block[i], IVSize, &pwSpec->server.write_iv_item);
-	    i += IVSize;
-	}
-	PORT_Assert(i <= block_bytes);
-
-    } else if (!isTLS) { 
-	/*
-	** Generate SSL3 Export write keys and IVs.
-	*/
-	unsigned int    outLen;
-
-	/*
-	** client_write_key[CipherSpec.key_material]
-	** final_client_write_key = MD5(client_write_key +
-	**                   ClientHello.random + ServerHello.random);
-	*/
-	MD5_Begin(md5Ctx);
-	MD5_Update(md5Ctx, &key_block[i], effKeySize);
-	MD5_Update(md5Ctx, crsr.data, crsr.len);
-	MD5_End(md5Ctx, key_block2, &outLen, MD5_LENGTH);
-	i += effKeySize;
-	buildSSLKey(key_block2, keySize, &pwSpec->client.write_key_item);
-	key_block2 += keySize;
-
-	/*
-	** server_write_key[CipherSpec.key_material]
-	** final_server_write_key = MD5(server_write_key +
-	**                    ServerHello.random + ClientHello.random);
-	*/
-	MD5_Begin(md5Ctx);
-	MD5_Update(md5Ctx, &key_block[i], effKeySize);
-	MD5_Update(md5Ctx, srcr.data, srcr.len);
-	MD5_End(md5Ctx, key_block2, &outLen, MD5_LENGTH);
-	i += effKeySize;
-	buildSSLKey(key_block2, keySize, &pwSpec->server.write_key_item);
-	key_block2 += keySize;
-	PORT_Assert(i <= block_bytes);
-
-	if (IVSize) {
-	    /*
-	    ** client_write_IV = 
-	    **	MD5(ClientHello.random + ServerHello.random);
-	    */
-	    MD5_Begin(md5Ctx);
-	    MD5_Update(md5Ctx, crsr.data, crsr.len);
-	    MD5_End(md5Ctx, key_block2, &outLen, MD5_LENGTH);
-	    buildSSLKey(key_block2, IVSize, &pwSpec->client.write_iv_item);
-	    key_block2 += IVSize;
-
-	    /*
-	    ** server_write_IV = 
-	    **	MD5(ServerHello.random + ClientHello.random);
-	    */
-	    MD5_Begin(md5Ctx);
-	    MD5_Update(md5Ctx, srcr.data, srcr.len);
-	    MD5_End(md5Ctx, key_block2, &outLen, MD5_LENGTH);
-	    buildSSLKey(key_block2, IVSize, &pwSpec->server.write_iv_item);
-	    key_block2 += IVSize;
-	}
-
-	PORT_Assert(key_block2 - key_block <= sizeof pwSpec->key_block);
-    } else {
-	/*
-	** Generate TLS Export write keys and IVs.
-	*/
-	SECItem       secret ;
-	SECItem       keyblk ;
-
-	secret.type = siBuffer;
-	keyblk.type = siBuffer;
-	/*
-	** client_write_key[CipherSpec.key_material]
-	** final_client_write_key = PRF(client_write_key, 
-	**                              "client write key",
-	**                              client_random + server_random);
-	*/
-	secret.data = &key_block[i];
-	secret.len  = effKeySize;
-	i          += effKeySize;
-	keyblk.data = key_block2;
-	keyblk.len  = keySize;
-	status = TLS_PRF(&secret, "client write key", &crsr, &keyblk, isFIPS);
-	if (status != SECSuccess) {
-	    goto key_and_mac_derive_fail;
-	}
-	buildSSLKey(key_block2, keySize, &pwSpec->client.write_key_item);
-	key_block2 += keySize;
-
-	/*
-	** server_write_key[CipherSpec.key_material]
-	** final_server_write_key = PRF(server_write_key,
-	**                              "server write key",
-	**                              client_random + server_random);
-	*/
-	secret.data = &key_block[i];
-	secret.len  = effKeySize;
-	i          += effKeySize;
-	keyblk.data = key_block2;
-	keyblk.len  = keySize;
-	status = TLS_PRF(&secret, "server write key", &crsr, &keyblk, isFIPS);
-	if (status != SECSuccess) {
-	    goto key_and_mac_derive_fail;
-	}
-	buildSSLKey(key_block2, keySize, &pwSpec->server.write_key_item);
-	key_block2 += keySize;
-
-	/*
-	** iv_block = PRF("", "IV block", client_random + server_random);
-	** client_write_IV[SecurityParameters.IV_size]
-	** server_write_IV[SecurityParameters.IV_size]
-	*/
-	if (IVSize) {
-	    secret.data = NULL;
-	    secret.len  = 0;
-	    keyblk.data = key_block2;
-	    keyblk.len  = 2 * IVSize;
-	    status = TLS_PRF(&secret, "IV block", &crsr, &keyblk, isFIPS);
-	    if (status != SECSuccess) {
-		goto key_and_mac_derive_fail;
-	    }
-	    buildSSLKey(key_block2,          IVSize, &pwSpec->client.write_iv_item);
-	    buildSSLKey(key_block2 + IVSize, IVSize, &pwSpec->server.write_iv_item);
-	    key_block2 += 2 * IVSize;
-	}
-	PORT_Assert(key_block2 - key_block <= sizeof pwSpec->key_block);
-    }
-    rv = SECSuccess;
-
-key_and_mac_derive_fail:
-
-    MD5_DestroyContext(md5Ctx, PR_FALSE);
-    SHA1_DestroyContext(shaCtx, PR_FALSE);
-
-    if (rv != SECSuccess) {
-	PORT_SetError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
-    }
-
-    return rv;
-}
-
-
-/* derive the Master Secret from the PMS */
-/* Presently, this is only done wtih RSA PMS, os isRSA is always true. */
-SECStatus
-ssl3_MasterKeyDeriveBypass( 
-    ssl3CipherSpec *      pwSpec,
-    const unsigned char * cr,
-    const unsigned char * sr,
-    const SECItem *       pms,
-    PRBool                isTLS,
-    PRBool                isRSA)
-{
-    unsigned char * key_block    = pwSpec->key_block;
-    SECStatus       rv    = SECSuccess;
-    PRBool          isFIPS = PR_FALSE;
-
-    SECItem         crsr;
-
-    unsigned char     crsrdata[SSL3_RANDOM_LENGTH * 2];
-    PRUint64          md5buf[22];
-    PRUint64          shabuf[40];
-
-#define md5Ctx ((MD5Context *)md5buf)
-#define shaCtx ((SHA1Context *)shabuf)
-
-    /* first do the consistancy checks */
-    if (isRSA) { 
-	PORT_Assert(pms->len == SSL3_RSA_PMS_LENGTH);
-	if (pms->len != SSL3_RSA_PMS_LENGTH) {
-	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	    return SECFailure;
-	}
-	/* caller must test PMS version for rollback */
-    }
-
-    /* initialize the client random, server random block */
-    crsr.type   = siBuffer;
-    crsr.data   = crsrdata;
-    crsr.len    = sizeof crsrdata;
-    PORT_Memcpy(crsrdata, cr, SSL3_RANDOM_LENGTH);
-    PORT_Memcpy(crsrdata + SSL3_RANDOM_LENGTH, sr, SSL3_RANDOM_LENGTH);
-
-    /* finally do the key gen */
-    if (isTLS) {
-	SECItem master = { siBuffer, NULL, 0 };
-
-	master.data = key_block;
-	master.len = SSL3_MASTER_SECRET_LENGTH;
-
-	rv = TLS_PRF(pms, "master secret", &crsr, &master, isFIPS);
-	if (rv != SECSuccess) {
-	    PORT_SetError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
-	}
-    } else {
-	int i;
-	int made = 0;
-	for (i = 0; i < 3; i++) {
-	    unsigned int    outLen;
-	    unsigned char   sha_out[SHA1_LENGTH];
-
-	    SHA1_Begin(shaCtx);
-	    SHA1_Update(shaCtx, (unsigned char*) mixers[i], i+1);
-	    SHA1_Update(shaCtx, pms->data, pms->len);
-	    SHA1_Update(shaCtx, crsr.data, crsr.len);
-	    SHA1_End(shaCtx, sha_out, &outLen, SHA1_LENGTH);
-	    PORT_Assert(outLen == SHA1_LENGTH);
-
-	    MD5_Begin(md5Ctx);
-	    MD5_Update(md5Ctx, pms->data, pms->len);
-	    MD5_Update(md5Ctx, sha_out, outLen);
-	    MD5_End(md5Ctx, key_block + made, &outLen, MD5_LENGTH);
-	    PORT_Assert(outLen == MD5_LENGTH);
-	    made += outLen;
-	}
-    }
-
-    /* store the results */
-    PORT_Memcpy(pwSpec->raw_master_secret, key_block, 
-		SSL3_MASTER_SECRET_LENGTH);
-    pwSpec->msItem.data = pwSpec->raw_master_secret;
-    pwSpec->msItem.len  = SSL3_MASTER_SECRET_LENGTH;
-
-    return rv;
-}
-
-
diff --git a/security/nss/lib/ssl/emulate.c b/security/nss/lib/ssl/emulate.c
deleted file mode 100644
index a381cd7d2..000000000
--- a/security/nss/lib/ssl/emulate.c
+++ /dev/null
@@ -1,636 +0,0 @@
-/*
- * Functions that emulate PR_AcceptRead and PR_TransmitFile for SSL sockets.
- * Each Layered NSPR protocol (like SSL) must unfortunately contain its 
- * own implementation of these functions.  This code was taken from NSPR.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "nspr.h"
-
-#if defined( XP_UNIX ) || defined( XP_BEOS )
-#include <fcntl.h>
-#endif
-#if defined(WIN32)
-#include <windef.h>
-#include <winbase.h>
-#endif
-#include <string.h>
-
-#define AMASK 7	/* mask for alignment of PRNetAddr */
-
-/*
- * _PR_EmulateAcceptRead
- *
- *  Accept an incoming connection on sd, set *nd to point to the
- *  newly accepted socket, read 'amount' bytes from the accepted
- *  socket.
- *
- *  buf is a buffer of length = amount + (2 * sizeof(PRNetAddr)) + 32
- *  *raddr points to the PRNetAddr of the accepted connection upon
- *  return
- *
- *  return number of bytes read or -1 on error
- *
- */
-PRInt32 
-ssl_EmulateAcceptRead(	PRFileDesc *   sd, 
-			PRFileDesc **  nd,
-			PRNetAddr **   raddr, 
-			void *         buf, 
-			PRInt32        amount, 
-			PRIntervalTime timeout)
-{
-    PRFileDesc *   newsockfd;
-    PRInt32        rv;
-    PRNetAddr      remote;
-
-    if (!(newsockfd = PR_Accept(sd, &remote, PR_INTERVAL_NO_TIMEOUT))) {
-	return -1;
-    }
-
-    rv = PR_Recv(newsockfd, buf, amount, 0, timeout);
-    if (rv >= 0) {
-	ptrdiff_t pNetAddr = (((ptrdiff_t)buf) + amount + AMASK) & ~AMASK;
-
-	*nd = newsockfd;
-	*raddr = (PRNetAddr *)pNetAddr;
-	memcpy((void *)pNetAddr, &remote, sizeof(PRNetAddr));
-	return rv;
-    }
-
-    PR_Close(newsockfd);
-    return -1;
-}
-
-
-#if !defined( XP_UNIX ) && !defined( WIN32 ) && !defined( XP_BEOS )
-/*
- * _PR_EmulateTransmitFile
- *
- *  Send file fd across socket sd. If headers is non-NULL, 'hlen'
- *  bytes of headers is sent before sending the file.
- *
- *  PR_TRANSMITFILE_CLOSE_SOCKET flag - close socket after sending file
- *
- *  return number of bytes sent or -1 on error
- *
- */
-#define _TRANSMITFILE_BUFSIZE	(16 * 1024)
-
-PRInt32 
-ssl_EmulateTransmitFile(    PRFileDesc *        sd, 
-			    PRFileDesc *        fd,
-			    const void *        headers, 
-			    PRInt32             hlen, 
-			    PRTransmitFileFlags flags,
-			    PRIntervalTime      timeout)
-{
-    char *  buf 	= NULL;
-    PRInt32 count 	= 0;
-    PRInt32 rlen;
-    PRInt32 rv;
-
-    buf = PR_MALLOC(_TRANSMITFILE_BUFSIZE);
-    if (buf == NULL) {
-	PR_SetError(PR_OUT_OF_MEMORY_ERROR, 0);
-	return -1;
-    }
-
-    /*
-     * send headers, first
-     */
-    while (hlen) {
-	rv =  PR_Send(sd, headers, hlen, 0, timeout);
-	if (rv < 0) {
-	    /* PR_Send() has invoked PR_SetError(). */
-	    rv = -1;
-	    goto done;
-	} 
-	count += rv;
-	headers = (const void*) ((const char*)headers + rv);
-	hlen -= rv;
-    }
-    /*
-     * send file, next
-     */
-    while ((rlen = PR_Read(fd, buf, _TRANSMITFILE_BUFSIZE)) > 0) {
-	while (rlen) {
-	    char *bufptr = buf;
-
-	    rv =  PR_Send(sd, bufptr, rlen,0,PR_INTERVAL_NO_TIMEOUT);
-	    if (rv < 0) {
-		/* PR_Send() has invoked PR_SetError(). */
-		rv = -1;
-		goto done;
-	    } 
-	    count += rv;
-	    bufptr = ((char*)bufptr + rv);
-	    rlen -= rv;
-	}
-    }
-    if (rlen == 0) {
-	/*
-	 * end-of-file
-	 */
-	if (flags & PR_TRANSMITFILE_CLOSE_SOCKET)
-	    PR_Close(sd);
-	rv = count;
-    } else {
-	PR_ASSERT(rlen < 0);
-	/* PR_Read() has invoked PR_SetError(). */
-	rv = -1;
-    }
-
-done:
-    if (buf)
-	PR_DELETE(buf);
-    return rv;
-}
-#else
-
-#define TRANSMITFILE_MMAP_CHUNK (256 * 1024)
-
-/*
- * _PR_UnixTransmitFile
- *
- *  Send file fd across socket sd. If headers is non-NULL, 'hlen'
- *  bytes of headers is sent before sending the file.
- *
- *  PR_TRANSMITFILE_CLOSE_SOCKET flag - close socket after sending file
- *
- *  return number of bytes sent or -1 on error
- *
- */
-
-PRInt32 
-ssl_EmulateTransmitFile(    PRFileDesc *        sd, 
-			    PRFileDesc *        fd,
-			    const void *        headers, 
-			    PRInt32             hlen, 
-			    PRTransmitFileFlags flags,
-			    PRIntervalTime      timeout)
-{
-    void *            addr = NULL;
-    PRFileMap *       mapHandle = NULL;
-    PRInt32           count     = 0;
-    PRInt32           index     = 0;
-    PRInt32           len	= 0;
-    PRInt32           rv;
-    struct PRFileInfo info;
-    struct PRIOVec    iov[2];
-
-    /* Get file size */
-    if (PR_SUCCESS != PR_GetOpenFileInfo(fd, &info)) {
-	count = -1;
-	goto done;
-    }
-    if (hlen) {
-	iov[index].iov_base = (char *) headers;
-	iov[index].iov_len  = hlen;
-	index++;
-    }
-    if (info.size > 0) {
-	mapHandle = PR_CreateFileMap(fd, info.size, PR_PROT_READONLY);
-	if (mapHandle == NULL) {
-	    count = -1;
-	    goto done;
-	}
-	/*
-	 * If the file is large, mmap and send the file in chunks so as
-	 * to not consume too much virtual address space
-	 */
-	len = PR_MIN(info.size , TRANSMITFILE_MMAP_CHUNK );
-	/*
-	 * Map in (part of) file. Take care of zero-length files.
-	 */
-	if (len) {
-	    addr = PR_MemMap(mapHandle, 0, len);
-	    if (addr == NULL) {
-		count = -1;
-		goto done;
-	    }
-	}
-	iov[index].iov_base = (char*)addr;
-	iov[index].iov_len = len;
-	index++;
-    }
-    if (!index)
-    	goto done;
-    rv = PR_Writev(sd, iov, index, timeout);
-    if (len) {
-	PR_MemUnmap(addr, len);
-    }
-    if (rv >= 0) {
-	PR_ASSERT(rv == hlen + len);
-	info.size -= len;
-	count     += rv;
-    } else {
-	count = -1;
-	goto done;
-    }
-    /*
-     * send remaining bytes of the file, if any
-     */
-    len = PR_MIN(info.size , TRANSMITFILE_MMAP_CHUNK );
-    while (len > 0) {
-	/*
-	 * Map in (part of) file
-	 */
-	PR_ASSERT((count - hlen) % TRANSMITFILE_MMAP_CHUNK == 0);
-	addr = PR_MemMap(mapHandle, count - hlen, len);
-	if (addr == NULL) {
-	    count = -1;
-	    goto done;
-	}
-	rv =  PR_Send(sd, addr, len, 0, timeout);
-	PR_MemUnmap(addr, len);
-	if (rv >= 0) {
-	    PR_ASSERT(rv == len);
-	    info.size -= rv;
-	    count     += rv;
-	    len = PR_MIN(info.size , TRANSMITFILE_MMAP_CHUNK );
-	} else {
-	    count = -1;
-	    goto done;
-	}
-    }
-done:
-    if ((count >= 0) && (flags & PR_TRANSMITFILE_CLOSE_SOCKET))
-	PR_Close(sd);
-    if (mapHandle != NULL)
-    	PR_CloseFileMap(mapHandle);
-    return count;
-}
-#endif  /* XP_UNIX || WIN32 || XP_BEOS */
-
-
-
-
-#if !defined( XP_UNIX ) && !defined( WIN32 ) && !defined( XP_BEOS )
-/*
- * _PR_EmulateSendFile
- *
- *  Send file sfd->fd across socket sd. The header and trailer buffers
- *  specified in the 'sfd' argument are sent before and after the file,
- *  respectively.
- *
- *  PR_TRANSMITFILE_CLOSE_SOCKET flag - close socket after sending file
- *
- *  return number of bytes sent or -1 on error
- *
- */
-
-PRInt32 
-ssl_EmulateSendFile(PRFileDesc *sd, PRSendFileData *sfd,
-                    PRTransmitFileFlags flags, PRIntervalTime timeout)
-{
-    char *       buf = NULL;
-    const void * buffer;
-    PRInt32      rv;
-    PRInt32      count = 0;
-    PRInt32      rlen;
-    PRInt32      buflen;
-    PRInt32      sendbytes;
-    PRInt32      readbytes;
-
-#define _SENDFILE_BUFSIZE   (16 * 1024)
-
-    buf = (char*)PR_MALLOC(_SENDFILE_BUFSIZE);
-    if (buf == NULL) {
-        PR_SetError(PR_OUT_OF_MEMORY_ERROR, 0);
-        return -1;
-    }
-
-    /*
-     * send header, first
-     */
-    buflen = sfd->hlen;
-    buffer = sfd->header;
-    while (buflen) {
-        rv =  PR_Send(sd, buffer, buflen, 0, timeout);
-        if (rv < 0) {
-            /* PR_Send() has invoked PR_SetError(). */
-            rv = -1;
-            goto done;
-        } else {
-            count += rv;
-            buffer = (const void*) ((const char*)buffer + rv);
-            buflen -= rv;
-        }
-    }
-    /*
-     * send file, next
-     */
-
-    if (PR_Seek(sfd->fd, sfd->file_offset, PR_SEEK_SET) < 0) {
-        rv = -1;
-        goto done;
-    }
-    sendbytes = sfd->file_nbytes;
-    if (sendbytes == 0) {
-        /* send entire file */
-        while ((rlen = PR_Read(sfd->fd, buf, _SENDFILE_BUFSIZE)) > 0) {
-            while (rlen) {
-                char *bufptr = buf;
-
-                rv =  PR_Send(sd, bufptr, rlen, 0, timeout);
-                if (rv < 0) {
-                    /* PR_Send() has invoked PR_SetError(). */
-                    rv = -1;
-                    goto done;
-                } else {
-                    count += rv;
-                    bufptr = ((char*)bufptr + rv);
-                    rlen -= rv;
-                }
-            }
-        }
-        if (rlen < 0) {
-            /* PR_Read() has invoked PR_SetError(). */
-            rv = -1;
-            goto done;
-        }
-    } else {
-        readbytes = PR_MIN(sendbytes, _SENDFILE_BUFSIZE);
-        while (readbytes && ((rlen = PR_Read(sfd->fd, buf, readbytes)) > 0)) {
-            while (rlen) {
-                char *bufptr = buf;
-
-                rv =  PR_Send(sd, bufptr, rlen, 0, timeout);
-                if (rv < 0) {
-                    /* PR_Send() has invoked PR_SetError(). */
-                    rv = -1;
-                    goto done;
-                } else {
-                    count += rv;
-                    sendbytes -= rv;
-                    bufptr = ((char*)bufptr + rv);
-                    rlen -= rv;
-                }
-            }
-	    readbytes = PR_MIN(sendbytes, _SENDFILE_BUFSIZE);
-        }
-        if (rlen < 0) {
-            /* PR_Read() has invoked PR_SetError(). */
-            rv = -1;
-            goto done;
-        } else if (sendbytes != 0) {
-            /*
-             * there are fewer bytes in file to send than specified
-             */
-	    PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
-            rv = -1;
-            goto done;
-        }
-    }
-    /*
-     * send trailer, last
-     */
-    buflen = sfd->tlen;
-    buffer = sfd->trailer;
-    while (buflen) {
-        rv =  PR_Send(sd, buffer, buflen, 0, timeout);
-        if (rv < 0) {
-            /* PR_Send() has invoked PR_SetError(). */
-            rv = -1;
-            goto done;
-        } else {
-            count += rv;
-            buffer = (const void*) ((const char*)buffer + rv);
-            buflen -= rv;
-        }
-    }
-    rv = count;
-
-done:
-    if (buf)
-        PR_DELETE(buf);
-    if ((rv >= 0) && (flags & PR_TRANSMITFILE_CLOSE_SOCKET))
-	PR_Close(sd);
-    return rv;
-}
-
-#else /* UNIX, NT, and BEOS handled below */
-
-/*
- * _PR_UnixSendFile
- *
- *    Send file sfd->fd across socket sd. If header/trailer are specified
- *    they are sent before and after the file, respectively.
- *
- *    PR_TRANSMITFILE_CLOSE_SOCKET flag - close socket after sending file
- *
- *    return number of bytes sent or -1 on error
- *
- */
-#define SENDFILE_MMAP_CHUNK    (256 * 1024)
-
-PRInt32 
-ssl_EmulateSendFile(PRFileDesc *sd, PRSendFileData *sfd,
-                    PRTransmitFileFlags flags, PRIntervalTime timeout)
-{
-    void *            addr = NULL;
-    PRFileMap *       mapHandle  	= NULL;
-    PRInt32           count 		= 0;
-    PRInt32           file_bytes;
-    PRInt32           index 		= 0;
-    PRInt32           len;
-    PRInt32           rv;
-    PRUint32          addr_offset;
-    PRUint32          file_mmap_offset;
-    PRUint32          mmap_len;
-    PRUint32          pagesize;
-    struct PRFileInfo info;
-    struct PRIOVec    iov[3];
-
-    /* Get file size */
-    if (PR_SUCCESS != PR_GetOpenFileInfo(sfd->fd, &info)) {
-	count = -1;
-	goto done;
-    }
-    if (sfd->file_nbytes && 
-		(info.size < (sfd->file_offset + sfd->file_nbytes))) {
-        /*
-         * there are fewer bytes in file to send than specified
-         */
-	PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
-        count = -1;
-        goto done;
-    }
-    if (sfd->file_nbytes)
-        file_bytes = sfd->file_nbytes;
-    else
-        file_bytes = info.size - sfd->file_offset;
-
-#if defined(WIN32)
-    {
-        SYSTEM_INFO sysinfo;
-        GetSystemInfo(&sysinfo);
-        pagesize = sysinfo.dwAllocationGranularity;
-    }
-#else
-    pagesize = PR_GetPageSize();
-#endif
-    /*
-     * If the file is large, mmap and send the file in chunks so as
-     * to not consume too much virtual address space
-     */
-    if (!sfd->file_offset || !(sfd->file_offset & (pagesize - 1))) {
-        /*
-         * case 1: page-aligned file offset
-         */
-        mmap_len = PR_MIN(file_bytes, SENDFILE_MMAP_CHUNK);
-        len      = mmap_len;
-        file_mmap_offset = sfd->file_offset;
-        addr_offset = 0;
-    } else {
-        /*
-         * case 2: non page-aligned file offset
-         */
-        /* find previous page boundary */
-        file_mmap_offset = (sfd->file_offset & ~(pagesize - 1));
-
-        /* number of initial bytes to skip in mmap'd segment */
-        addr_offset = sfd->file_offset - file_mmap_offset;
-        PR_ASSERT(addr_offset > 0);
-        mmap_len = PR_MIN(file_bytes + addr_offset, SENDFILE_MMAP_CHUNK);
-        len      = mmap_len - addr_offset;
-    }
-    /*
-     * OK I've convinced myself that length has to be possitive (file_bytes is 
-     * negative or  SENDFILE_MMAP_CHUNK is less than pagesize). Just assert 
-     * that this is the case so we catch problems in debug builds.
-     */
-    PR_ASSERT(len >= 0);
-
-    /*
-     * Map in (part of) file. Take care of zero-length files.
-     */
-    if (len > 0) {
-	mapHandle = PR_CreateFileMap(sfd->fd, info.size, PR_PROT_READONLY);
-	if (!mapHandle) {
-	    count = -1;
-	    goto done;
-	}
-	addr = PR_MemMap(mapHandle, file_mmap_offset, mmap_len);
-        if (!addr) {
-            count = -1;
-            goto done;
-        }
-    }
-    /*
-     * send headers, first, followed by the file
-     */
-    if (sfd->hlen) {
-        iov[index].iov_base = (char *) sfd->header;
-        iov[index].iov_len  = sfd->hlen;
-        index++;
-    }
-    if (len) {
-        iov[index].iov_base = (char*)addr + addr_offset;
-        iov[index].iov_len  = len;
-        index++;
-    }
-    if ((file_bytes == len) && (sfd->tlen)) {
-        /*
-         * all file data is mapped in; send the trailer too
-         */
-        iov[index].iov_base = (char *) sfd->trailer;
-        iov[index].iov_len  = sfd->tlen;
-        index++;
-    }
-    rv = PR_Writev(sd, iov, index, timeout);
-    if (len)
-        PR_MemUnmap(addr, mmap_len);
-    if (rv < 0) {
-        count = -1;
-        goto done;
-    }
-
-    PR_ASSERT(rv == sfd->hlen + len + ((len == file_bytes) ? sfd->tlen : 0));
-
-    file_bytes -= len;
-    count      += rv;
-    if (!file_bytes)    /* header, file and trailer are sent */
-	goto done;
-
-    /*
-     * send remaining bytes of the file, if any
-     */
-    len = PR_MIN(file_bytes, SENDFILE_MMAP_CHUNK);
-    while (len > 0) {
-	/*
-	 * Map in (part of) file
-	 */
-	file_mmap_offset = sfd->file_offset + count - sfd->hlen;
-	PR_ASSERT((file_mmap_offset % pagesize) == 0);
-
-	addr = PR_MemMap(mapHandle, file_mmap_offset, len);
-        if (!addr) {
-            count = -1;
-            goto done;
-        }
-	rv = PR_Send(sd, addr, len, 0, timeout);
-	PR_MemUnmap(addr, len);
-	if (rv < 0) {
-	    count = -1;
-	    goto done;
-	}
-
-	PR_ASSERT(rv == len);
-	file_bytes -= rv;
-	count      += rv;
-	len = PR_MIN(file_bytes, SENDFILE_MMAP_CHUNK);
-    }
-    PR_ASSERT(0 == file_bytes);
-    if (sfd->tlen) {
-        rv =  PR_Send(sd, sfd->trailer, sfd->tlen, 0, timeout);
-        if (rv >= 0) {
-            PR_ASSERT(rv == sfd->tlen);
-            count += rv;
-        } else
-            count = -1;
-    }
-done:
-    if (mapHandle)
-    	PR_CloseFileMap(mapHandle);
-    if ((count >= 0) && (flags & PR_TRANSMITFILE_CLOSE_SOCKET))
-	PR_Close(sd);
-    return count;
-}
-#endif /* UNIX, NT, and BEOS */
diff --git a/security/nss/lib/ssl/manifest.mn b/security/nss/lib/ssl/manifest.mn
deleted file mode 100644
index 6428ce5c7..000000000
--- a/security/nss/lib/ssl/manifest.mn
+++ /dev/null
@@ -1,90 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-CORE_DEPTH = ../../..
-
-# DEFINES = -DTRACE
-
-PRIVATE_EXPORTS = \
-	ssl3prot.h \
-	sslimpl.h \
-	$(NULL)
-
-EXPORTS = \
-	ssl.h \
-	sslt.h \
-	sslerr.h \
-	sslproto.h \
-	preenc.h \
-	$(NULL)
-
-MODULE = nss
-MAPFILE = $(OBJDIR)/ssl.def
-
-CSRCS = \
-	derive.c \
-	emulate.c \
-	prelib.c \
-	ssl3con.c \
-	ssl3gthr.c \
-	sslauth.c \
-	sslcon.c \
-	ssldef.c \
-	sslenum.c \
-	sslerr.c \
-	sslgathr.c \
-	sslmutex.c \
-	sslnonce.c \
-	sslreveal.c \
-	sslsecur.c \
-	sslsnce.c \
-	sslsock.c \
-	ssltrace.c \
-	sslver.c \
-	authcert.c \
-	cmpcert.c \
-	nsskea.c \
-	sslinfo.c \
-	ssl3ecc.c \
-	$(NULL)
-
-ifdef NSS_ENABLE_ECC
-DEFINES += -DNSS_ENABLE_ECC
-endif
-
-LIBRARY_NAME = ssl
-LIBRARY_VERSION = 3
-
diff --git a/security/nss/lib/ssl/notes.txt b/security/nss/lib/ssl/notes.txt
deleted file mode 100644
index 772da4d58..000000000
--- a/security/nss/lib/ssl/notes.txt
+++ /dev/null
@@ -1,166 +0,0 @@
-***** BEGIN LICENSE BLOCK *****
-Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
-The contents of this file are subject to the Mozilla Public License Version 
-1.1 (the "License"); you may not use this file except in compliance with 
-the License. You may obtain a copy of the License at 
-http://www.mozilla.org/MPL/
-
-Software distributed under the License is distributed on an "AS IS" basis,
-WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-for the specific language governing rights and limitations under the
-License.
-
-The Original Code is the Netscape security libraries.
-
-The Initial Developer of the Original Code is
-Netscape Communications Corporation.
-Portions created by the Initial Developer are Copyright (C) 1994-2000
-the Initial Developer. All Rights Reserved.
-
-Contributor(s):
-
-Alternatively, the contents of this file may be used under the terms of
-either the GNU General Public License Version 2 or later (the "GPL"), or
-the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-in which case the provisions of the GPL or the LGPL are applicable instead
-of those above. If you wish to allow use of your version of this file only
-under the terms of either the GPL or the LGPL, and not to allow others to
-use your version of this file under the terms of the MPL, indicate your
-decision by deleting the provisions above and replace them with the notice
-and other provisions required by the GPL or the LGPL. If you do not delete
-the provisions above, a recipient may use your version of this file under
-the terms of any one of the MPL, the GPL or the LGPL.
-
-***** END LICENSE BLOCK *****
-
-SSL's Buffers: enumerated and explained.
-
----------------------------------------------------------------------------
-incoming:
-
-gs = ss->gather
-hs = ss->ssl3->hs
-
-gs->inbuf	SSL3 only: incoming (encrypted) ssl records are placed here,
-		and then decrypted (or copied) to gs->buf.
-
-gs->buf		SSL2: incoming SSL records are put here, and then decrypted
-		in place.
-		SSL3: ssl3_HandleHandshake puts decrypted ssl records here.
-
-hs.msg_body	(SSL3 only) When an incoming handshake message spans more 
-		than one ssl record, the first part(s) of it are accumulated 
-		here until it all arrives.
-
-hs.msgState	(SSL3 only) an alternative set of pointers/lengths for gs->buf.
-		Used only when a handleHandshake function returns SECWouldBlock.
-		ssl3_HandleHandshake remembers how far it previously got by
-		using these pointers instead of gs->buf when it is called 
-		after a previous SECWouldBlock return.
-
----------------------------------------------------------------------------
-outgoing:
-
-sec = ss->sec
-ci  = ss->sec->ci	/* connect info */
-
-ci->sendBuf	Outgoing handshake messages are appended to this buffer.
-		This buffer will then be sent as a single SSL record.
-
-sec->writeBuf	outgoing ssl records are constructed here and encrypted in 
-		place before being written or copied to pendingBuf.
-
-ss->pendingBuf	contains outgoing ciphertext that was saved after a write
-		attempt to the socket failed, e.g. EWouldBlock. 
-		Generally empty with blocking sockets (should be no incomplete
-		writes).
-
-ss->saveBuf	Used only by socks code.  Intended to be used to buffer 
-		outgoing data until a socks handshake completes.  However,
-		this buffer is always empty.  There is no code to put 
-		anything into it.
-
----------------------------------------------------------------------------
-
-SECWouldBlock means that the function cannot make progress because it is 
-waiting for some event OTHER THAN socket I/O completion (e.g. waiting for 
-user dialog to finish).  It is not the same as EWOULDBLOCK.
-
----------------------------------------------------------------------------
-
-Rank (order) of locks
-
-[ReadLock ->]\ [firstHandshake ->] [ssl3Handshake ->] recvbuf \ -> "spec"
-[WriteLock->]/                                        xmitbuf /
-
-crypto and hash Data that must be protected while turning plaintext into
-ciphertext:
-
-SSL2: 	(in ssl2_Send*)
-	sec->hash*
-	sec->hashcx 	(ptr and data)
-	sec->enc
-	sec->writecx*	(ptr and content)
-	sec->sendSecret*(ptr and content)
-	sec->sendSequence		locked by xmitBufLock
-	sec->blockSize
-	sec->writeBuf*  (ptr & content)	locked by xmitBufLock
-	"in"				locked by xmitBufLock
-
-SSl3:	(in ssl3_SendPlainText)
-	ss->ssl3		    (the pointer)
-	ss->ssl3->current_write*    (the pointer and the data in the spec
-				     and any data referenced by the spec.
-
-	ss->sec->isServer
-	ss->sec->writebuf* (ptr & content) locked by xmitBufLock
-	"buf" 				   locked by xmitBufLock
-
-crypto and hash data that must be protected while turning ciphertext into 
-plaintext:
-
-SSL2:	(in ssl2_GatherData)
-	gs->*				(locked by recvBufLock )
-	sec->dec
-	sec->readcx
-	sec->hash* 		(ptr and data)
-	sec->hashcx 		(ptr and data)
-
-SSL3:	(in ssl3_HandleRecord )
-	ssl3->current_read*	(the pointer and all data refernced)
-	ss->sec->isServer
-
-
-Data that must be protected while being used by a "writer":
-
-ss->pendingBuf.*
-ss->saveBuf.*		(which is dead)
-
-in ssl3_sendPlainText
-
-ss->ssl3->current_write-> (spec)
-ss->sec->writeBuf.*
-ss->sec->isServer 
-
-in SendBlock
-
-ss->sec->hash->length
-ss->sec->blockSize
-ss->sec->writeBuf.*
-ss->sec->sendSecret
-ss->sec->sendSequence
-ss->sec->writecx	*
-ss->pendingBuf
-
---------------------------------------------------------------------------
-
-Data variables (not const) protected by the "sslGlobalDataLock".  
-Note, this really should be a reader/writer lock.
-
-allowedByPolicy		sslcon.c
-maybeAllowedByPolicy	sslcon.c
-chosenPreference	sslcon.c
-policyWasSet		sslcon.c
-
-cipherSuites[] 		ssl3con.c
diff --git a/security/nss/lib/ssl/nsskea.c b/security/nss/lib/ssl/nsskea.c
deleted file mode 100644
index beafc506e..000000000
--- a/security/nss/lib/ssl/nsskea.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Return SSLKEAType derived from cert's Public Key algorithm info.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "cert.h"
-#include "ssl.h"	/* for SSLKEAType */
-#include "secoid.h"
-
-SSLKEAType
-NSS_FindCertKEAType(CERTCertificate * cert)
-{
-  SSLKEAType keaType = kt_null; 
-  int tag;
-  
-  if (!cert) goto loser;
-  
-  tag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
-  
-  switch (tag) {
-  case SEC_OID_X500_RSA_ENCRYPTION:
-  case SEC_OID_PKCS1_RSA_ENCRYPTION:
-    keaType = kt_rsa;
-    break;
-  case SEC_OID_X942_DIFFIE_HELMAN_KEY:
-    keaType = kt_dh;
-    break;
-#ifdef NSS_ENABLE_ECC
-  case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
-    keaType = kt_ecdh;
-    break;
-#endif /* NSS_ENABLE_ECC */
-  default:
-    keaType = kt_null;
-  }
-  
- loser:
-  
-  return keaType;
-
-}
-
diff --git a/security/nss/lib/ssl/os2_err.c b/security/nss/lib/ssl/os2_err.c
deleted file mode 100644
index 0274676c0..000000000
--- a/security/nss/lib/ssl/os2_err.c
+++ /dev/null
@@ -1,313 +0,0 @@
-/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/*
- * This file essentially replicates NSPR's source for the functions that
- * map system-specific error codes to NSPR error codes.  We would use 
- * NSPR's functions, instead of duplicating them, but they're private.
- * As long as SSL's server session cache code must do platform native I/O
- * to accomplish its job, and NSPR's error mapping functions remain private,
- * this code will continue to need to be replicated.
- * 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "prerror.h"
-#include "prlog.h"
-#include <errno.h>
-
-
-/*
- * Based on win32err.c
- * OS2TODO Stub everything for now to build. HCT
- */
-
-/* forward declaration. */
-void nss_MD_os2_map_default_error(PRInt32 err);
-
-void nss_MD_os2_map_opendir_error(PRInt32 err)
-{
-    nss_MD_os2_map_default_error(err);
-}
-
-void nss_MD_os2_map_closedir_error(PRInt32 err)
-{
-    nss_MD_os2_map_default_error(err);
-}
-
-void nss_MD_os2_map_readdir_error(PRInt32 err)
-{
-    nss_MD_os2_map_default_error(err);
-}
-
-void nss_MD_os2_map_delete_error(PRInt32 err)
-{
-    nss_MD_os2_map_default_error(err);
-}
-
-/* The error code for stat() is in errno. */
-void nss_MD_os2_map_stat_error(PRInt32 err)
-{
-    nss_MD_os2_map_default_error(err);
-}
-
-void nss_MD_os2_map_fstat_error(PRInt32 err)
-{
-    nss_MD_os2_map_default_error(err);
-}
-
-void nss_MD_os2_map_rename_error(PRInt32 err)
-{
-    nss_MD_os2_map_default_error(err);
-}
-
-/* The error code for access() is in errno. */
-void nss_MD_os2_map_access_error(PRInt32 err)
-{
-    nss_MD_os2_map_default_error(err);
-}
-
-void nss_MD_os2_map_mkdir_error(PRInt32 err)
-{
-    nss_MD_os2_map_default_error(err);
-}
-
-void nss_MD_os2_map_rmdir_error(PRInt32 err)
-{
-    nss_MD_os2_map_default_error(err);
-}
-
-void nss_MD_os2_map_read_error(PRInt32 err)
-{
-    nss_MD_os2_map_default_error(err);
-}
-
-void nss_MD_os2_map_transmitfile_error(PRInt32 err)
-{
-    nss_MD_os2_map_default_error(err);
-}
-
-void nss_MD_os2_map_write_error(PRInt32 err)
-{
-    nss_MD_os2_map_default_error(err);
-}
-
-void nss_MD_os2_map_lseek_error(PRInt32 err)
-{
-    nss_MD_os2_map_default_error(err);
-}
-
-void nss_MD_os2_map_fsync_error(PRInt32 err)
-{
-    nss_MD_os2_map_default_error(err);
-}
-
-/*
- * For both CloseHandle() and closesocket().
- */
-void nss_MD_os2_map_close_error(PRInt32 err)
-{
-    nss_MD_os2_map_default_error(err);
-}
-
-void nss_MD_os2_map_socket_error(PRInt32 err)
-{
-//  PR_ASSERT(err != WSANOTINITIALISED);
-    nss_MD_os2_map_default_error(err);
-}
-
-void nss_MD_os2_map_recv_error(PRInt32 err)
-{
-    nss_MD_os2_map_default_error(err);
-}
-
-void nss_MD_os2_map_recvfrom_error(PRInt32 err)
-{
-    nss_MD_os2_map_default_error(err);
-}
-
-void nss_MD_os2_map_send_error(PRInt32 err)
-{
-    PRErrorCode prError;
-    switch (err) {
-//     case WSAEMSGSIZE: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
-    default:		nss_MD_os2_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_os2_map_sendto_error(PRInt32 err)
-{
-    PRErrorCode prError;
-    switch (err) {
-//    case WSAEMSGSIZE: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
-    default:		nss_MD_os2_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_os2_map_accept_error(PRInt32 err)
-{
-    PRErrorCode prError;
-    switch (err) {
-//    case WSAEOPNOTSUPP: prError = PR_NOT_TCP_SOCKET_ERROR; break;
-//    case WSAEINVAL: 	prError = PR_INVALID_STATE_ERROR; break;
-    default:		nss_MD_os2_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_os2_map_acceptex_error(PRInt32 err)
-{
-    nss_MD_os2_map_default_error(err);
-}
-
-void nss_MD_os2_map_connect_error(PRInt32 err)
-{
-    PRErrorCode prError;
-    switch (err) {
-//    case WSAEWOULDBLOCK: prError = PR_IN_PROGRESS_ERROR; break;
-//    case WSAEINVAL: 	prError = PR_ALREADY_INITIATED_ERROR; break;
-//    case WSAETIMEDOUT: 	prError = PR_IO_TIMEOUT_ERROR; break;
-    default:		nss_MD_os2_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_os2_map_bind_error(PRInt32 err)
-{
-    PRErrorCode prError;
-    switch (err) {
-//  case WSAEINVAL: 	prError = PR_SOCKET_ADDRESS_IS_BOUND_ERROR; break;
-    default:		nss_MD_os2_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_os2_map_listen_error(PRInt32 err)
-{
-    PRErrorCode prError;
-    switch (err) {
-//    case WSAEOPNOTSUPP: prError = PR_NOT_TCP_SOCKET_ERROR; break;
-//    case WSAEINVAL: 	prError = PR_INVALID_STATE_ERROR; break;
-    default:		nss_MD_os2_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_os2_map_shutdown_error(PRInt32 err)
-{
-    nss_MD_os2_map_default_error(err);
-}
-
-void nss_MD_os2_map_getsockname_error(PRInt32 err)
-{
-    PRErrorCode prError;
-    switch (err) {
-//    case WSAEINVAL: 	prError = PR_INVALID_STATE_ERROR; break;
-    default:		nss_MD_os2_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_os2_map_getpeername_error(PRInt32 err)
-{
-    nss_MD_os2_map_default_error(err);
-}
-
-void nss_MD_os2_map_getsockopt_error(PRInt32 err)
-{
-    nss_MD_os2_map_default_error(err);
-}
-
-void nss_MD_os2_map_setsockopt_error(PRInt32 err)
-{
-    nss_MD_os2_map_default_error(err);
-}
-
-void nss_MD_os2_map_open_error(PRInt32 err)
-{
-    nss_MD_os2_map_default_error(err);
-}
-
-void nss_MD_os2_map_gethostname_error(PRInt32 err)
-{
-    nss_MD_os2_map_default_error(err);
-}
-
-/* Win32 select() only works on sockets.  So in this
-** context, WSAENOTSOCK is equivalent to EBADF on Unix.  
-*/
-void nss_MD_os2_map_select_error(PRInt32 err)
-{
-    PRErrorCode prError;
-    switch (err) {
-//    case WSAENOTSOCK:	prError = PR_BAD_DESCRIPTOR_ERROR; break;
-    default:		nss_MD_os2_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_os2_map_lockf_error(PRInt32 err)
-{
-    nss_MD_os2_map_default_error(err);
-}
-
-
-
-void nss_MD_os2_map_default_error(PRInt32 err)
-{
-    PRErrorCode prError;
-
-    switch (err) {
-//    case ENOENT: 		prError = PR_FILE_NOT_FOUND_ERROR; break;
-//    case ERROR_ACCESS_DENIED: 	prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
-//    case ERROR_ALREADY_EXISTS: 	prError = PR_FILE_EXISTS_ERROR; break;
-//    case ERROR_DISK_CORRUPT: 	prError = PR_IO_ERROR; break;
-//    case ERROR_DISK_FULL: 	prError = PR_NO_DEVICE_SPACE_ERROR; break;
-//    case ERROR_DISK_OPERATION_FAILED: prError = PR_IO_ERROR; break;
-//    case ERROR_DRIVE_LOCKED: 	prError = PR_FILE_IS_LOCKED_ERROR; break;
-//    case ERROR_FILENAME_EXCED_RANGE: prError = PR_NAME_TOO_LONG_ERROR; break;
-//    case ERROR_FILE_CORRUPT: 	prError = PR_IO_ERROR; break;
-//    case ERROR_FILE_EXISTS: 	prError = PR_FILE_EXISTS_ERROR; break;
-//    case ERROR_FILE_INVALID: 	prError = PR_BAD_DESCRIPTOR_ERROR; break;
-#if ERROR_FILE_NOT_FOUND != ENOENT
-//    case ERROR_FILE_NOT_FOUND: 	prError = PR_FILE_NOT_FOUND_ERROR; break;
-#endif
-    default: 			prError = PR_UNKNOWN_ERROR; break;
-    }
-    PR_SetError(prError, err);
-}
-
diff --git a/security/nss/lib/ssl/os2_err.h b/security/nss/lib/ssl/os2_err.h
deleted file mode 100644
index 151932132..000000000
--- a/security/nss/lib/ssl/os2_err.h
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * This file essentially replicates NSPR's source for the functions that
- * map system-specific error codes to NSPR error codes.  We would use 
- * NSPR's functions, instead of duplicating them, but they're private.
- * As long as SSL's server session cache code must do platform native I/O
- * to accomplish its job, and NSPR's error mapping functions remain private,
- * This code will continue to need to be replicated.
- * 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-/*  NSPR doesn't make these functions public, so we have to duplicate
-**  them in NSS.
-*/
-
-//HCT  Based on Win32err.h
-extern void nss_MD_os2_map_accept_error(PRInt32 err);
-extern void nss_MD_os2_map_acceptex_error(PRInt32 err);
-extern void nss_MD_os2_map_access_error(PRInt32 err);
-extern void nss_MD_os2_map_bind_error(PRInt32 err);
-extern void nss_MD_os2_map_close_error(PRInt32 err);
-extern void nss_MD_os2_map_closedir_error(PRInt32 err);
-extern void nss_MD_os2_map_connect_error(PRInt32 err);
-extern void nss_MD_os2_map_default_error(PRInt32 err);
-extern void nss_MD_os2_map_delete_error(PRInt32 err);
-extern void nss_MD_os2_map_fstat_error(PRInt32 err);
-extern void nss_MD_os2_map_fsync_error(PRInt32 err);
-extern void nss_MD_os2_map_gethostname_error(PRInt32 err);
-extern void nss_MD_os2_map_getpeername_error(PRInt32 err);
-extern void nss_MD_os2_map_getsockname_error(PRInt32 err);
-extern void nss_MD_os2_map_getsockopt_error(PRInt32 err);
-extern void nss_MD_os2_map_listen_error(PRInt32 err);
-extern void nss_MD_os2_map_lockf_error(PRInt32 err);
-extern void nss_MD_os2_map_lseek_error(PRInt32 err);
-extern void nss_MD_os2_map_mkdir_error(PRInt32 err);
-extern void nss_MD_os2_map_open_error(PRInt32 err);
-extern void nss_MD_os2_map_opendir_error(PRInt32 err);
-extern void nss_MD_os2_map_read_error(PRInt32 err);
-extern void nss_MD_os2_map_readdir_error(PRInt32 err);
-extern void nss_MD_os2_map_recv_error(PRInt32 err);
-extern void nss_MD_os2_map_recvfrom_error(PRInt32 err);
-extern void nss_MD_os2_map_rename_error(PRInt32 err);
-extern void nss_MD_os2_map_rmdir_error(PRInt32 err);
-extern void nss_MD_os2_map_select_error(PRInt32 err);
-extern void nss_MD_os2_map_send_error(PRInt32 err);
-extern void nss_MD_os2_map_sendto_error(PRInt32 err);
-extern void nss_MD_os2_map_setsockopt_error(PRInt32 err);
-extern void nss_MD_os2_map_shutdown_error(PRInt32 err);
-extern void nss_MD_os2_map_socket_error(PRInt32 err);
-extern void nss_MD_os2_map_stat_error(PRInt32 err);
-extern void nss_MD_os2_map_transmitfile_error(PRInt32 err);
-extern void nss_MD_os2_map_write_error(PRInt32 err);
diff --git a/security/nss/lib/ssl/preenc.h b/security/nss/lib/ssl/preenc.h
deleted file mode 100644
index f7c9093cb..000000000
--- a/security/nss/lib/ssl/preenc.h
+++ /dev/null
@@ -1,146 +0,0 @@
-/* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil -*- */
-
-/*
- * Fortezza support is removed.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-/* Fortezza support is removed.
- * This file remains so that old programs will continue to compile,
- * But this functionality is no longer supported or implemented.
- */
-
-#include "seccomon.h"
-#include "prio.h"
-
-typedef struct PEHeaderStr PEHeader;
-
-#define PE_MIME_TYPE "application/pre-encrypted"
-
-typedef struct PEFortezzaHeaderStr PEFortezzaHeader;
-typedef struct PEFortezzaGeneratedHeaderStr PEFortezzaGeneratedHeader;
-typedef struct PEFixedKeyHeaderStr PEFixedKeyHeader;
-typedef struct PERSAKeyHeaderStr PERSAKeyHeader;
-
-struct PEFortezzaHeaderStr {
-    unsigned char key[12];      
-    unsigned char iv[24];       
-    unsigned char hash[20];     
-    unsigned char serial[8];    
-};
-
-struct PEFortezzaGeneratedHeaderStr {
-    unsigned char key[12];      
-    unsigned char iv[24];       
-    unsigned char hash[20];     
-    unsigned char Ra[128];      
-    unsigned char Y[128];       
-};
-
-struct PEFixedKeyHeaderStr {
-    unsigned char pkcs11Mech[4];  
-    unsigned char labelLen[2];	  
-    unsigned char keyIDLen[2];	  
-    unsigned char ivLen[2];	  
-    unsigned char keyLen[2];	  
-    unsigned char data[1];	  
-};
-
-struct PERSAKeyHeaderStr {
-    unsigned char pkcs11Mech[4];  
-    unsigned char issuerLen[2];	  
-    unsigned char serialLen[2];	  
-    unsigned char ivLen[2];	  
-    unsigned char keyLen[2];	  
-    unsigned char data[1];	  
-};
-
-#define PEFIXED_Label(header) (header->data)
-#define PEFIXED_KeyID(header) (&header->data[GetInt2(header->labelLen)])
-#define PEFIXED_IV(header) (&header->data[GetInt2(header->labelLen)\
-						+GetInt2(header->keyIDLen)])
-#define PEFIXED_Key(header) (&header->data[GetInt2(header->labelLen)\
-			+GetInt2(header->keyIDLen)+GetInt2(header->keyLen)])
-#define PERSA_Issuer(header) (header->data)
-#define PERSA_Serial(header) (&header->data[GetInt2(header->issuerLen)])
-#define PERSA_IV(header) (&header->data[GetInt2(header->issuerLen)\
-						+GetInt2(header->serialLen)])
-#define PERSA_Key(header) (&header->data[GetInt2(header->issuerLen)\
-			+GetInt2(header->serialLen)+GetInt2(header->keyLen)])
-struct PEHeaderStr {
-    unsigned char magic  [2];		
-    unsigned char len    [2];		
-    unsigned char type   [2];		
-    unsigned char version[2];		
-    union {
-        PEFortezzaHeader          fortezza;
-        PEFortezzaGeneratedHeader g_fortezza;
-	PEFixedKeyHeader          fixed;
-	PERSAKeyHeader            rsa;
-    } u;
-};
-
-#define PE_CRYPT_INTRO_LEN 8
-#define PE_INTRO_LEN 4
-#define PE_BASE_HEADER_LEN  8
-
-#define PRE_BLOCK_SIZE 8         
-
-
-#define GetInt2(c) ((c[0] << 8) | c[1])
-#define GetInt4(c) (((unsigned long)c[0] << 24)|((unsigned long)c[1] << 16)\
-			|((unsigned long)c[2] << 8)| ((unsigned long)c[3]))
-#define PutInt2(c,i) ((c[1] = (i) & 0xff), (c[0] = ((i) >> 8) & 0xff))
-#define PutInt4(c,i) ((c[0]=((i) >> 24) & 0xff),(c[1]=((i) >> 16) & 0xff),\
-			(c[2] = ((i) >> 8) & 0xff), (c[3] = (i) & 0xff))
-
-#define PRE_MAGIC		0xc0de
-#define PRE_VERSION		0x1010
-#define PRE_FORTEZZA_FILE	0x00ff  
-#define PRE_FORTEZZA_STREAM	0x00f5  
-#define PRE_FORTEZZA_GEN_STREAM	0x00f6  
-#define PRE_FIXED_FILE		0x000f  
-#define PRE_RSA_FILE		0x001f  
-#define PRE_FIXED_STREAM	0x0005  
-
-PEHeader *SSL_PreencryptedStreamToFile(PRFileDesc *fd, PEHeader *,
-				       int *headerSize);
-
-PEHeader *SSL_PreencryptedFileToStream(PRFileDesc *fd, PEHeader *,
-				       int *headerSize);
-
diff --git a/security/nss/lib/ssl/prelib.c b/security/nss/lib/ssl/prelib.c
deleted file mode 100644
index c63483924..000000000
--- a/security/nss/lib/ssl/prelib.c
+++ /dev/null
@@ -1,67 +0,0 @@
-/* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil -*- */
-
-/*
- * Functions used by https servers to send (download) pre-encrypted files
- * over SSL connections that use Fortezza ciphersuites.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "cert.h"
-#include "ssl.h"
-#include "keyhi.h"
-#include "secitem.h"
-#include "sslimpl.h"
-#include "pkcs11t.h"
-#include "preenc.h"
-#include "pk11func.h"
-
-PEHeader *SSL_PreencryptedStreamToFile(PRFileDesc *fd, PEHeader *inHeader, 
-				       int *headerSize)
-{
-    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
-    return NULL;
-}
-
-PEHeader *SSL_PreencryptedFileToStream(PRFileDesc *fd, PEHeader *header, 
-							int *headerSize)
-{
-    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
-    return NULL;
-}
-
-
diff --git a/security/nss/lib/ssl/ssl.def b/security/nss/lib/ssl/ssl.def
deleted file mode 100644
index 745934e92..000000000
--- a/security/nss/lib/ssl/ssl.def
+++ /dev/null
@@ -1,128 +0,0 @@
-;+#
-;+# ***** BEGIN LICENSE BLOCK *****
-;+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-;+#
-;+# The contents of this file are subject to the Mozilla Public License Version
-;+# 1.1 (the "License"); you may not use this file except in compliance with
-;+# the License. You may obtain a copy of the License at
-;+# http://www.mozilla.org/MPL/
-;+#
-;+# Software distributed under the License is distributed on an "AS IS" basis,
-;+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-;+# for the specific language governing rights and limitations under the
-;+# License.
-;+#
-;+# The Original Code is the Netscape security libraries.
-;+#
-;+# The Initial Developer of the Original Code is
-;+# Netscape Communications Corporation.
-;+# Portions created by the Initial Developer are Copyright (C) 2000
-;+# the Initial Developer. All Rights Reserved.
-;+#
-;+# Contributor(s):
-;+#
-;+# Alternatively, the contents of this file may be used under the terms of
-;+# either the GNU General Public License Version 2 or later (the "GPL"), or
-;+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-;+# in which case the provisions of the GPL or the LGPL are applicable instead
-;+# of those above. If you wish to allow use of your version of this file only
-;+# under the terms of either the GPL or the LGPL, and not to allow others to
-;+# use your version of this file under the terms of the MPL, indicate your
-;+# decision by deleting the provisions above and replace them with the notice
-;+# and other provisions required by the GPL or the LGPL. If you do not delete
-;+# the provisions above, a recipient may use your version of this file under
-;+# the terms of any one of the MPL, the GPL or the LGPL.
-;+#
-;+# ***** END LICENSE BLOCK *****
-;+#
-;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
-;+#   1. For all unix platforms, the string ";-"  means "remove this line"
-;+#   2. For all unix platforms, the string " DATA " will be removed from any 
-;+#     line on which it occurs.
-;+#   3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
-;+#      On AIX, lines containing ";+" will be removed.
-;+#   4. For all unix platforms, the string ";;" will thave the ";;" removed.
-;+#   5. For all unix platforms, after the above processing has taken place,
-;+#    all characters after the first ";" on the line will be removed.
-;+#    And for AIX, the first ";" will also be removed.
-;+#  This file is passed directly to windows. Since ';' is a comment, all UNIX
-;+#   directives are hidden behind ";", ";+", and ";-"
-;+
-;+NSS_3.2 {       # NSS 3.2 release
-;+    global:
-LIBRARY ssl3 ;-
-EXPORTS ;-
-SSL_ImplementedCiphers DATA ;
-SSL_NumImplementedCiphers DATA ;
-NSS_CmpCertChainWCANames;
-NSS_FindCertKEAType;
-NSS_GetClientAuthData;
-NSS_SetDomesticPolicy;
-NSS_SetExportPolicy;
-NSS_SetFrancePolicy;
-SSL_AuthCertificate;
-SSL_AuthCertificateHook;
-SSL_BadCertHook;
-SSL_CertDBHandleSet;
-SSL_CipherPolicyGet;
-SSL_CipherPolicySet;
-SSL_CipherPrefGet;
-SSL_CipherPrefGetDefault;
-SSL_CipherPrefSet;
-SSL_CipherPrefSetDefault;
-SSL_ClearSessionCache;
-SSL_ConfigMPServerSIDCache;
-SSL_ConfigSecureServer;
-SSL_ConfigServerSessionIDCache;
-SSL_DataPending;
-SSL_ForceHandshake;
-SSL_GetClientAuthDataHook;
-SSL_GetSessionID;
-SSL_GetStatistics;
-SSL_HandshakeCallback;
-SSL_ImportFD;
-SSL_InheritMPServerSIDCache;
-SSL_InvalidateSession;
-SSL_OptionGet;
-SSL_OptionGetDefault;
-SSL_OptionSet;
-SSL_OptionSetDefault;
-SSL_PeerCertificate;
-SSL_PreencryptedFileToStream;
-SSL_PreencryptedStreamToFile;
-SSL_ReHandshake;
-SSL_ResetHandshake;
-SSL_RestartHandshakeAfterCertReq;
-SSL_RestartHandshakeAfterServerCert;
-SSL_RevealCert;
-SSL_RevealPinArg;
-SSL_RevealURL;
-SSL_SecurityStatus;
-SSL_SetPKCS11PinArg;
-SSL_SetSockPeerID;
-SSL_SetURL;
-;+    local:
-;+*;
-;+};
-;+NSS_3.2.1 {       # NSS 3.2.1 release
-;+    global:
-NSSSSL_VersionCheck;
-;+    local:
-;+*;
-;+};
-;+NSS_3.4 {         # NSS 3.4   release
-;+    global:
-SSL_GetChannelInfo;
-SSL_GetCipherSuiteInfo;
-SSL_GetMaxServerCacheLocks;
-SSL_LocalCertificate;
-SSL_SetMaxServerCacheLocks;
-;+    local:
-;+*;
-;+};
-;+NSS_3.7.4 {       # NSS 3.7.4 release
-;+    global:
-SSL_ShutdownServerSessionIDCache;
-;+    local:
-;+*;
-;+};
diff --git a/security/nss/lib/ssl/ssl.h b/security/nss/lib/ssl/ssl.h
deleted file mode 100644
index afd139d1c..000000000
--- a/security/nss/lib/ssl/ssl.h
+++ /dev/null
@@ -1,479 +0,0 @@
-/*
- * This file contains prototypes for the public SSL functions.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#ifndef __ssl_h_
-#define __ssl_h_
-
-#include "prtypes.h"
-#include "prerror.h"
-#include "prio.h"
-#include "seccomon.h"
-#include "cert.h"
-#include "keyt.h"
-
-#include "sslt.h"  /* public ssl data types */
-
-#if defined(_WIN32) && !defined(IN_LIBSSL) && !defined(NSS_USE_STATIC_LIBS)
-#define SSL_IMPORT extern __declspec(dllimport)
-#else
-#define SSL_IMPORT extern
-#endif
-
-SEC_BEGIN_PROTOS
-
-/* constant table enumerating all implemented SSL 2 and 3 cipher suites. */
-SSL_IMPORT const PRUint16 SSL_ImplementedCiphers[];
-
-/* number of entries in the above table. */
-SSL_IMPORT const PRUint16 SSL_NumImplementedCiphers;
-
-/* Macro to tell which ciphers in table are SSL2 vs SSL3/TLS. */
-#define SSL_IS_SSL2_CIPHER(which) (((which) & 0xfff0) == 0xff00)
-
-/*
-** Imports fd into SSL, returning a new socket.  Copies SSL configuration
-** from model.
-*/
-SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd);
-
-/*
-** Enable/disable an ssl mode
-**
-** 	SSL_SECURITY:
-** 		enable/disable use of SSL security protocol before connect
-**
-** 	SSL_SOCKS:
-** 		enable/disable use of socks before connect
-**		(No longer supported).
-**
-** 	SSL_REQUEST_CERTIFICATE:
-** 		require a certificate during secure connect
-*/
-/* options */
-#define SSL_SECURITY			1 /* (on by default) */
-#define SSL_SOCKS			2 /* (off by default) */
-#define SSL_REQUEST_CERTIFICATE		3 /* (off by default) */
-#define SSL_HANDSHAKE_AS_CLIENT		5 /* force accept to hs as client */
-                               		  /* (off by default) */
-#define SSL_HANDSHAKE_AS_SERVER		6 /* force connect to hs as server */
-                               		  /* (off by default) */
-#define SSL_ENABLE_SSL2			7 /* enable ssl v2 (on by default) */
-#define SSL_ENABLE_SSL3		        8 /* enable ssl v3 (on by default) */
-#define SSL_NO_CACHE		        9 /* don't use the session cache */
-                    		          /* (off by default) */
-#define SSL_REQUIRE_CERTIFICATE        10 /* (SSL_REQUIRE_FIRST_HANDSHAKE */
-                                          /* by default) */
-#define SSL_ENABLE_FDX                 11 /* permit simultaneous read/write */
-                                          /* (off by default) */
-#define SSL_V2_COMPATIBLE_HELLO        12 /* send v3 client hello in v2 fmt */
-                                          /* (on by default) */
-#define SSL_ENABLE_TLS		       13 /* enable TLS (on by default) */
-#define SSL_ROLLBACK_DETECTION         14 /* for compatibility, default: on */
-#define SSL_NO_STEP_DOWN               15 /* Disable export cipher suites   */
-                                          /* if step-down keys are needed.  */
-					  /* default: off, generate         */
-					  /* step-down keys if needed.      */
-#define SSL_BYPASS_PKCS11              16 /* use PKCS#11 for pub key only   */
-#define SSL_NO_LOCKS                   17 /* Don't use locks for protection */
-
-#ifdef SSL_DEPRECATED_FUNCTION 
-/* Old deprecated function names */
-SSL_IMPORT SECStatus SSL_Enable(PRFileDesc *fd, int option, PRBool on);
-SSL_IMPORT SECStatus SSL_EnableDefault(int option, PRBool on);
-#endif
-
-/* New function names */
-SSL_IMPORT SECStatus SSL_OptionSet(PRFileDesc *fd, PRInt32 option, PRBool on);
-SSL_IMPORT SECStatus SSL_OptionGet(PRFileDesc *fd, PRInt32 option, PRBool *on);
-SSL_IMPORT SECStatus SSL_OptionSetDefault(PRInt32 option, PRBool on);
-SSL_IMPORT SECStatus SSL_OptionGetDefault(PRInt32 option, PRBool *on);
-SSL_IMPORT SECStatus SSL_CertDBHandleSet(PRFileDesc *fd, CERTCertDBHandle *dbHandle);
-
-/*
-** Control ciphers that SSL uses. If on is non-zero then the named cipher
-** is enabled, otherwise it is disabled. 
-** The "cipher" values are defined in sslproto.h (the SSL_EN_* values).
-** EnableCipher records user preferences.
-** SetPolicy sets the policy according to the policy module.
-*/
-#ifdef SSL_DEPRECATED_FUNCTION 
-/* Old deprecated function names */
-SSL_IMPORT SECStatus SSL_EnableCipher(long which, PRBool enabled);
-SSL_IMPORT SECStatus SSL_SetPolicy(long which, int policy);
-#endif
-
-/* New function names */
-SSL_IMPORT SECStatus SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 cipher, PRBool enabled);
-SSL_IMPORT SECStatus SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 cipher, PRBool *enabled);
-SSL_IMPORT SECStatus SSL_CipherPrefSetDefault(PRInt32 cipher, PRBool enabled);
-SSL_IMPORT SECStatus SSL_CipherPrefGetDefault(PRInt32 cipher, PRBool *enabled);
-SSL_IMPORT SECStatus SSL_CipherPolicySet(PRInt32 cipher, PRInt32 policy);
-SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy);
-
-/* Values for "policy" argument to SSL_PolicySet */
-/* Values returned by SSL_CipherPolicyGet. */
-#define SSL_NOT_ALLOWED		 0	      /* or invalid or unimplemented */
-#define SSL_ALLOWED		 1
-#define SSL_RESTRICTED		 2	      /* only with "Step-Up" certs. */
-
-/* Values for "on" with SSL_REQUIRE_CERTIFICATE. */
-#define SSL_REQUIRE_NEVER           ((PRBool)0)
-#define SSL_REQUIRE_ALWAYS          ((PRBool)1)
-#define SSL_REQUIRE_FIRST_HANDSHAKE ((PRBool)2)
-#define SSL_REQUIRE_NO_ERROR        ((PRBool)3)
-
-/*
-** Reset the handshake state for fd. This will make the complete SSL
-** handshake protocol execute from the ground up on the next i/o
-** operation.
-*/
-SSL_IMPORT SECStatus SSL_ResetHandshake(PRFileDesc *fd, PRBool asServer);
-
-/*
-** Force the handshake for fd to complete immediately.  This blocks until
-** the complete SSL handshake protocol is finished.
-*/
-SSL_IMPORT SECStatus SSL_ForceHandshake(PRFileDesc *fd);
-
-/*
-** Same as above, but with an I/O timeout.
- */
-SSL_IMPORT SECStatus SSL_ForceHandshakeWithTimeout(PRFileDesc *fd,
-                                                   PRIntervalTime timeout);
-
-/*
-** Query security status of socket. *on is set to one if security is
-** enabled. *keySize will contain the stream key size used. *issuer will
-** contain the RFC1485 verison of the name of the issuer of the
-** certificate at the other end of the connection. For a client, this is
-** the issuer of the server's certificate; for a server, this is the
-** issuer of the client's certificate (if any). Subject is the subject of
-** the other end's certificate. The pointers can be zero if the desired
-** data is not needed.  All strings returned by this function are owned
-** by SSL, and will be freed when the socket is closed.
-*/
-SSL_IMPORT SECStatus SSL_SecurityStatus(PRFileDesc *fd, int *on, char **cipher,
-			                int *keySize, int *secretKeySize,
-			                char **issuer, char **subject);
-
-/* Values for "on" */
-#define SSL_SECURITY_STATUS_NOOPT	-1
-#define SSL_SECURITY_STATUS_OFF		0
-#define SSL_SECURITY_STATUS_ON_HIGH	1
-#define SSL_SECURITY_STATUS_ON_LOW	2
-#define SSL_SECURITY_STATUS_FORTEZZA	3 /* NO LONGER SUPPORTED */
-
-/*
-** Return the certificate for our SSL peer. If the client calls this
-** it will always return the server's certificate. If the server calls
-** this, it may return NULL if client authentication is not enabled or
-** if the client had no certificate when asked.
-**	"fd" the socket "file" descriptor
-*/
-SSL_IMPORT CERTCertificate *SSL_PeerCertificate(PRFileDesc *fd);
-
-/*
-** Authenticate certificate hook. Called when a certificate comes in
-** (because of SSL_REQUIRE_CERTIFICATE in SSL_Enable) to authenticate the
-** certificate.
-*/
-typedef SECStatus (PR_CALLBACK *SSLAuthCertificate)(void *arg, PRFileDesc *fd, 
-                                                    PRBool checkSig,
-                                                    PRBool isServer);
-
-SSL_IMPORT SECStatus SSL_AuthCertificateHook(PRFileDesc *fd, 
-					     SSLAuthCertificate f,
-				             void *arg);
-
-/* An implementation of the certificate authentication hook */
-SSL_IMPORT SECStatus SSL_AuthCertificate(void *arg, PRFileDesc *fd, 
-					 PRBool checkSig, PRBool isServer);
-
-/*
- * Prototype for SSL callback to get client auth data from the application.
- *	arg - application passed argument
- *	caNames - pointer to distinguished names of CAs that the server likes
- *	pRetCert - pointer to pointer to cert, for return of cert
- *	pRetKey - pointer to key pointer, for return of key
- */
-typedef SECStatus (PR_CALLBACK *SSLGetClientAuthData)(void *arg,
-                                PRFileDesc *fd,
-                                CERTDistNames *caNames,
-                                CERTCertificate **pRetCert,/*return */
-                                SECKEYPrivateKey **pRetKey);/* return */
-
-/*
- * Set the client side callback for SSL to retrieve user's private key
- * and certificate.
- *	fd - the file descriptor for the connection in question
- *	f - the application's callback that delivers the key and cert
- *	a - application specific data
- */
-SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd, 
-			                       SSLGetClientAuthData f, void *a);
-
-
-/*
- * Set the client side argument for SSL to retrieve PKCS #11 pin.
- *	fd - the file descriptor for the connection in question
- *	a - pkcs11 application specific data
- */
-SSL_IMPORT SECStatus SSL_SetPKCS11PinArg(PRFileDesc *fd, void *a);
-
-/*
-** This is a callback for dealing with server certs that are not authenticated
-** by the client.  The client app can decide that it actually likes the
-** cert by some external means and restart the connection.
-*/
-typedef SECStatus (PR_CALLBACK *SSLBadCertHandler)(void *arg, PRFileDesc *fd);
-SSL_IMPORT SECStatus SSL_BadCertHook(PRFileDesc *fd, SSLBadCertHandler f, 
-				     void *arg);
-
-/*
-** Configure ssl for running a secure server. Needs the
-** certificate for the server and the servers private key. The arguments
-** are copied.
-*/
-SSL_IMPORT SECStatus SSL_ConfigSecureServer(
-				PRFileDesc *fd, CERTCertificate *cert,
-				SECKEYPrivateKey *key, SSLKEAType kea);
-
-/*
-** Configure a secure servers session-id cache. Define the maximum number
-** of entries in the cache, the longevity of the entires, and the directory
-** where the cache files will be placed.  These values can be zero, and 
-** if so, the implementation will choose defaults.
-** This version of the function is for use in applications that have only one 
-** process that uses the cache (even if that process has multiple threads).
-*/
-SSL_IMPORT SECStatus SSL_ConfigServerSessionIDCache(int      maxCacheEntries,
-					            PRUint32 timeout,
-					            PRUint32 ssl3_timeout,
-				              const char *   directory);
-/*
-** Like SSL_ConfigServerSessionIDCache, with one important difference.
-** If the application will run multiple processes (as opposed to, or in 
-** addition to multiple threads), then it must call this function, instead
-** of calling SSL_ConfigServerSessionIDCache().
-** This has nothing to do with the number of processORs, only processEs.
-** This function sets up a Server Session ID (SID) cache that is safe for
-** access by multiple processes on the same system.
-*/
-SSL_IMPORT SECStatus SSL_ConfigMPServerSIDCache(int      maxCacheEntries, 
-				                PRUint32 timeout,
-			       	                PRUint32 ssl3_timeout, 
-		                          const char *   directory);
-
-/* Get and set the configured maximum number of mutexes used for the 
-** server's store of SSL sessions.  This value is used by the server 
-** session ID cache initialization functions shown above.  Note that on 
-** some platforms, these mutexes are actually implemented with POSIX 
-** semaphores, or with unnamed pipes.  The default value varies by platform.
-** An attempt to set a too-low maximum will return an error and the 
-** configured value will not be changed.
-*/
-SSL_IMPORT PRUint32  SSL_GetMaxServerCacheLocks(void);
-SSL_IMPORT SECStatus SSL_SetMaxServerCacheLocks(PRUint32 maxLocks);
-
-/* environment variable set by SSL_ConfigMPServerSIDCache, and queried by
- * SSL_InheritMPServerSIDCache when envString is NULL.
- */
-#define SSL_ENV_VAR_NAME            "SSL_INHERITANCE"
-
-/* called in child to inherit SID Cache variables. 
- * If envString is NULL, this function will use the value of the environment
- * variable "SSL_INHERITANCE", otherwise the string value passed in will be 
- * used.
- */
-SSL_IMPORT SECStatus SSL_InheritMPServerSIDCache(const char * envString);
-
-/*
-** Set the callback on a particular socket that gets called when we finish
-** performing a handshake.
-*/
-typedef void (PR_CALLBACK *SSLHandshakeCallback)(PRFileDesc *fd,
-                                                 void *client_data);
-SSL_IMPORT SECStatus SSL_HandshakeCallback(PRFileDesc *fd, 
-			          SSLHandshakeCallback cb, void *client_data);
-
-/*
-** For the server, request a new handshake.  For the client, begin a new
-** handshake.  If flushCache is non-zero, the SSL3 cache entry will be 
-** flushed first, ensuring that a full SSL handshake will be done.
-** If flushCache is zero, and an SSL connection is established, it will 
-** do the much faster session restart handshake.  This will change the 
-** session keys without doing another private key operation.
-*/
-SSL_IMPORT SECStatus SSL_ReHandshake(PRFileDesc *fd, PRBool flushCache);
-
-/*
-** Same as above, but with an I/O timeout.
- */
-SSL_IMPORT SECStatus SSL_ReHandshakeWithTimeout(PRFileDesc *fd,
-                                                PRBool flushCache,
-                                                PRIntervalTime timeout);
-
-
-#ifdef SSL_DEPRECATED_FUNCTION 
-/* deprecated!
-** For the server, request a new handshake.  For the client, begin a new
-** handshake.  Flushes SSL3 session cache entry first, ensuring that a 
-** full handshake will be done.  
-** This call is equivalent to SSL_ReHandshake(fd, PR_TRUE)
-*/
-SSL_IMPORT SECStatus SSL_RedoHandshake(PRFileDesc *fd);
-#endif
-
-/*
- * Allow the application to pass a URL or hostname into the SSL library
- */
-SSL_IMPORT SECStatus SSL_SetURL(PRFileDesc *fd, const char *url);
-
-/*
-** Return the number of bytes that SSL has waiting in internal buffers.
-** Return 0 if security is not enabled.
-*/
-SSL_IMPORT int SSL_DataPending(PRFileDesc *fd);
-
-/*
-** Invalidate the SSL session associated with fd.
-*/
-SSL_IMPORT SECStatus SSL_InvalidateSession(PRFileDesc *fd);
-
-/*
-** Return a SECItem containing the SSL session ID associated with the fd.
-*/
-SSL_IMPORT SECItem *SSL_GetSessionID(PRFileDesc *fd);
-
-/*
-** Clear out the client's SSL session cache, not the server's session cache.
-*/
-SSL_IMPORT void SSL_ClearSessionCache(void);
-
-/*
-** Close the server's SSL session cache.
-*/
-SSL_IMPORT SECStatus SSL_ShutdownServerSessionIDCache(void);
-
-/*
-** Set peer information so we can correctly look up SSL session later.
-** You only have to do this if you're tunneling through a proxy.
-*/
-SSL_IMPORT SECStatus SSL_SetSockPeerID(PRFileDesc *fd, char *peerID);
-
-/*
-** Reveal the security information for the peer. 
-*/
-SSL_IMPORT CERTCertificate * SSL_RevealCert(PRFileDesc * socket);
-SSL_IMPORT void * SSL_RevealPinArg(PRFileDesc * socket);
-SSL_IMPORT char * SSL_RevealURL(PRFileDesc * socket);
-
-
-/* This callback may be passed to the SSL library via a call to
- * SSL_GetClientAuthDataHook() for each SSL client socket.
- * It will be invoked when SSL needs to know what certificate and private key
- * (if any) to use to respond to a request for client authentication.
- * If arg is non-NULL, it is a pointer to a NULL-terminated string containing
- * the nickname of the cert/key pair to use.
- * If arg is NULL, this function will search the cert and key databases for 
- * a suitable match and send it if one is found.
- */
-SSL_IMPORT SECStatus
-NSS_GetClientAuthData(void *                       arg,
-                      PRFileDesc *                 socket,
-                      struct CERTDistNamesStr *    caNames,
-                      struct CERTCertificateStr ** pRetCert,
-                      struct SECKEYPrivateKeyStr **pRetKey);
-
-/*
- * Look to see if any of the signers in the cert chain for "cert" are found
- * in the list of caNames.  
- * Returns SECSuccess if so, SECFailure if not.
- * Used by NSS_GetClientAuthData.  May be used by other callback functions.
- */
-SSL_IMPORT SECStatus NSS_CmpCertChainWCANames(CERTCertificate *cert, 
-                                          CERTDistNames *caNames);
-
-/* 
- * Returns key exchange type of the keys in an SSL server certificate.
- */
-SSL_IMPORT SSLKEAType NSS_FindCertKEAType(CERTCertificate * cert);
-
-/* Set cipher policies to a predefined Domestic (U.S.A.) policy.
- * This essentially enables all supported ciphers.
- */
-SSL_IMPORT SECStatus NSS_SetDomesticPolicy(void);
-
-/* Set cipher policies to a predefined Policy that is exportable from the USA
- *   according to present U.S. policies as we understand them.
- * See documentation for the list.
- * Note that your particular application program may be able to obtain
- *   an export license with more or fewer capabilities than those allowed
- *   by this function.  In that case, you should use SSL_SetPolicy()
- *   to explicitly allow those ciphers you may legally export.
- */
-SSL_IMPORT SECStatus NSS_SetExportPolicy(void);
-
-/* Set cipher policies to a predefined Policy that is exportable from the USA
- *   according to present U.S. policies as we understand them, and that the 
- *   nation of France will permit to be imported into their country.
- * See documentation for the list.
- */
-SSL_IMPORT SECStatus NSS_SetFrancePolicy(void);
-
-SSL_IMPORT SSL3Statistics * SSL_GetStatistics(void);
-
-/* Report more information than SSL_SecurityStatus.
-** Caller supplies the info struct.  Function fills it in.
-*/
-SSL_IMPORT SECStatus SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info,
-                                        PRUintn len);
-SSL_IMPORT SECStatus SSL_GetCipherSuiteInfo(PRUint16 cipherSuite, 
-                                        SSLCipherSuiteInfo *info, PRUintn len);
-
-/*
-** Return a new reference to the certificate that was most recently sent
-** to the peer on this SSL/TLS connection, or NULL if none has been sent.
-*/
-SSL_IMPORT CERTCertificate * SSL_LocalCertificate(PRFileDesc *fd);
-
-SEC_END_PROTOS
-
-#endif /* __ssl_h_ */
diff --git a/security/nss/lib/ssl/ssl.rc b/security/nss/lib/ssl/ssl.rc
deleted file mode 100644
index b20493219..000000000
--- a/security/nss/lib/ssl/ssl.rc
+++ /dev/null
@@ -1,101 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2001
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "nss.h"
-#include <winver.h>
-
-#define MY_LIBNAME "ssl"
-#define MY_FILEDESCRIPTION "NSS SSL Library"
-
-#define STRINGIZE(x) #x
-#define STRINGIZE2(x) STRINGIZE(x)
-#define NSS_VMAJOR_STR STRINGIZE2(NSS_VMAJOR)
-
-#ifdef _DEBUG
-#define MY_DEBUG_STR " (debug)"
-#define MY_FILEFLAGS_1 VS_FF_DEBUG
-#else
-#define MY_DEBUG_STR ""
-#define MY_FILEFLAGS_1 0x0L
-#endif
-#if NSS_BETA
-#define MY_FILEFLAGS_2 MY_FILEFLAGS_1|VS_FF_PRERELEASE
-#else
-#define MY_FILEFLAGS_2 MY_FILEFLAGS_1
-#endif
-
-#ifdef WINNT
-#define MY_FILEOS VOS_NT_WINDOWS32
-#else
-#define MY_FILEOS VOS__WINDOWS32
-#endif
-
-#define MY_INTERNAL_NAME MY_LIBNAME NSS_VMAJOR_STR
-
-/////////////////////////////////////////////////////////////////////////////
-//
-// Version-information resource
-//
-
-VS_VERSION_INFO VERSIONINFO
- FILEVERSION NSS_VMAJOR,NSS_VMINOR,NSS_VPATCH,0
- PRODUCTVERSION NSS_VMAJOR,NSS_VMINOR,NSS_VPATCH,0
- FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
- FILEFLAGS MY_FILEFLAGS_2
- FILEOS MY_FILEOS
- FILETYPE VFT_DLL
- FILESUBTYPE 0x0L // not used
-
-BEGIN
-    BLOCK "StringFileInfo"
-    BEGIN
-        BLOCK "040904B0" // Lang=US English, CharSet=Unicode
-        BEGIN
-            VALUE "CompanyName", "Netscape Communications Corporation\0"
-            VALUE "FileDescription", MY_FILEDESCRIPTION MY_DEBUG_STR "\0"
-            VALUE "FileVersion", NSS_VERSION "\0"
-            VALUE "InternalName", MY_INTERNAL_NAME "\0"
-            VALUE "LegalCopyright", "Copyright \251 1994-2001 Netscape Communications Corporation\0"
-            VALUE "OriginalFilename", MY_INTERNAL_NAME ".dll\0"
-            VALUE "ProductName", "Network Security Services\0"
-            VALUE "ProductVersion", NSS_VERSION "\0"
-        END
-    END
-    BLOCK "VarFileInfo"
-    BEGIN
-        VALUE "Translation", 0x409, 1200
-    END
-END
diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c
deleted file mode 100644
index bcd9cf874..000000000
--- a/security/nss/lib/ssl/ssl3con.c
+++ /dev/null
@@ -1,8041 +0,0 @@
-/*
- * SSL3 Protocol
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Stephen Henson <stephen.henson@gemplus.com>
- *   Dr Vipul Gupta <vipul.gupta@sun.com> and
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "nssrenam.h"
-#include "cert.h"
-#include "ssl.h"
-#include "cryptohi.h"	/* for DSAU_ stuff */
-#include "keyhi.h"
-#include "secder.h"
-#include "secitem.h"
-
-#include "sslimpl.h"
-#include "sslproto.h"
-#include "sslerr.h"
-#include "prtime.h"
-#include "prinrval.h"
-#include "prerror.h"
-#include "pratom.h"
-#include "prthread.h"
-
-#include "pk11func.h"
-#include "secmod.h"
-#include "nsslocks.h"
-#include "ec.h"
-#include "blapi.h"
-
-#include <stdio.h>
-
-#ifndef PK11_SETATTRS
-#define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
-		(x)->pValue=(v); (x)->ulValueLen = (l);
-#endif
-
-static void      ssl3_CleanupPeerCerts(sslSocket *ss);
-static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
-                                       PK11SlotInfo * serverKeySlot);
-static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, const PK11SymKey *pms);
-static SECStatus ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss);
-static SECStatus ssl3_HandshakeFailure(      sslSocket *ss);
-static SECStatus ssl3_InitState(             sslSocket *ss);
-static sslSessionID *ssl3_NewSessionID(      sslSocket *ss, PRBool is_server);
-static SECStatus ssl3_SendCertificate(       sslSocket *ss);
-static SECStatus ssl3_SendEmptyCertificate(  sslSocket *ss);
-static SECStatus ssl3_SendCertificateRequest(sslSocket *ss);
-static SECStatus ssl3_SendFinished(          sslSocket *ss, PRInt32 flags);
-static SECStatus ssl3_SendServerHello(       sslSocket *ss);
-static SECStatus ssl3_SendServerHelloDone(   sslSocket *ss);
-static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss);
-
-static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,
-			     int maxOutputLen, const unsigned char *input,
-			     int inputLen);
-
-#define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */
-#define MIN_SEND_BUF_LENGTH  4000
-
-#define MAX_CIPHER_SUITES 20
-
-/* This list of SSL3 cipher suites is sorted in descending order of
- * precedence (desirability).  It only includes cipher suites we implement.
- * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites
- * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c)
- */
-static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
-   /*      cipher_suite                         policy      enabled is_present*/
- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 	   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 	   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
-#ifdef NSS_ENABLE_ECC
- { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,      SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,    SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
-#endif /* NSS_ENABLE_ECC */
- { TLS_RSA_WITH_AES_256_CBC_SHA,     	   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
-
-#ifdef NSS_ENABLE_ECC
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,     SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
-#endif /* NSS_ENABLE_ECC */
- { TLS_DHE_DSS_WITH_RC4_128_SHA,           SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,       SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 	   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
-#ifdef NSS_ENABLE_ECC
- { TLS_ECDH_RSA_WITH_RC4_128_SHA,          SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,      SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDH_ECDSA_WITH_RC4_128_SHA,        SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,    SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
-#endif /* NSS_ENABLE_ECC */
- { SSL_RSA_WITH_RC4_128_MD5,               SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
- { SSL_RSA_WITH_RC4_128_SHA,               SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_RSA_WITH_AES_128_CBC_SHA,     	   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
-
- { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,      SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
-#ifdef NSS_ENABLE_ECC
- { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
-#endif /* NSS_ENABLE_ECC */
- { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,     SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
- { SSL_RSA_WITH_3DES_EDE_CBC_SHA,          SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
-
-
- { SSL_DHE_RSA_WITH_DES_CBC_SHA,           SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { SSL_DHE_DSS_WITH_DES_CBC_SHA,           SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
-#ifdef NSS_ENABLE_ECC
- { TLS_ECDH_RSA_WITH_DES_CBC_SHA,          SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDH_ECDSA_WITH_DES_CBC_SHA,        SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
-#endif /* NSS_ENABLE_ECC */
- { SSL_RSA_FIPS_WITH_DES_CBC_SHA,          SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
- { SSL_RSA_WITH_DES_CBC_SHA,               SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,     SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,    SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
-
- { SSL_RSA_EXPORT_WITH_RC4_40_MD5,         SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
- { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,     SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
-
-#ifdef NSS_ENABLE_ECC
- { TLS_ECDH_RSA_WITH_NULL_SHA,             SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDH_ECDSA_WITH_NULL_SHA,           SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
-#endif /* NSS_ENABLE_ECC */
- { SSL_RSA_WITH_NULL_SHA,                  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { SSL_RSA_WITH_NULL_MD5,                  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
-
-};
-
-static const /*SSL3CompressionMethod*/ uint8 compressions [] = {
-    compression_null
-};
-
-static const int compressionMethodsCount =
-		sizeof(compressions) / sizeof(compressions[0]);
-
-static const /*SSL3ClientCertificateType */ uint8 certificate_types [] = {
-    ct_RSA_sign,
-    ct_DSS_sign,
-#ifdef NSS_ENABLE_ECC
-    ct_ECDSA_sign,
-#endif /* NSS_ENABLE_ECC */
-};
-
-
-/*
- * make sure there is room in the write buffer for padding and
- * other compression and cryptographic expansions
- */
-#define SSL3_BUFFER_FUDGE     100
-
-#define EXPORT_RSA_KEY_LENGTH 64	/* bytes */
-
-
-/* This is a hack to make sure we don't do double handshakes for US policy */
-PRBool ssl3_global_policy_some_restricted = PR_FALSE;
-
-/* This global item is used only in servers.  It is is initialized by
-** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest().
-*/
-CERTDistNames *ssl3_server_ca_list = NULL;
-static SSL3Statistics ssl3stats;
-
-/* indexed by SSL3BulkCipher */
-static const ssl3BulkCipherDef bulk_cipher_defs[] = {
-    /* cipher          calg        keySz secretSz  type  ivSz BlkSz keygen */
-    {cipher_null,      calg_null,      0,  0, type_stream,  0, 0, kg_null},
-    {cipher_rc4,       calg_rc4,      16, 16, type_stream,  0, 0, kg_strong},
-    {cipher_rc4_40,    calg_rc4,      16,  5, type_stream,  0, 0, kg_export},
-    {cipher_rc4_56,    calg_rc4,      16,  7, type_stream,  0, 0, kg_export},
-    {cipher_rc2,       calg_rc2,      16, 16, type_block,   8, 8, kg_strong},
-    {cipher_rc2_40,    calg_rc2,      16,  5, type_block,   8, 8, kg_export},
-    {cipher_des,       calg_des,       8,  8, type_block,   8, 8, kg_strong},
-    {cipher_3des,      calg_3des,     24, 24, type_block,   8, 8, kg_strong},
-    {cipher_des40,     calg_des,       8,  5, type_block,   8, 8, kg_export},
-    {cipher_idea,      calg_idea,     16, 16, type_block,   8, 8, kg_strong},
-    {cipher_aes_128,   calg_aes,      16, 16, type_block,  16,16, kg_strong},
-    {cipher_aes_256,   calg_aes,      32, 32, type_block,  16,16, kg_strong},
-    {cipher_missing,   calg_null,      0,  0, type_stream,  0, 0, kg_null},
-};
-
-static const ssl3KEADef kea_defs[] = 
-{ /* indexed by SSL3KeyExchangeAlgorithm */
-    /* kea              exchKeyType signKeyType is_limited limit  tls_keygen */
-    {kea_null,           kt_null,     sign_null, PR_FALSE,   0, PR_FALSE},
-    {kea_rsa,            kt_rsa,      sign_rsa,  PR_FALSE,   0, PR_FALSE},
-    {kea_rsa_export,     kt_rsa,      sign_rsa,  PR_TRUE,  512, PR_FALSE},
-    {kea_rsa_export_1024,kt_rsa,      sign_rsa,  PR_TRUE, 1024, PR_FALSE},
-    {kea_dh_dss,         kt_dh,       sign_dsa,  PR_FALSE,   0, PR_FALSE},
-    {kea_dh_dss_export,  kt_dh,       sign_dsa,  PR_TRUE,  512, PR_FALSE},
-    {kea_dh_rsa,         kt_dh,       sign_rsa,  PR_FALSE,   0, PR_FALSE},
-    {kea_dh_rsa_export,  kt_dh,       sign_rsa,  PR_TRUE,  512, PR_FALSE},
-    {kea_dhe_dss,        kt_dh,       sign_dsa,  PR_FALSE,   0, PR_FALSE},
-    {kea_dhe_dss_export, kt_dh,       sign_dsa,  PR_TRUE,  512, PR_FALSE},
-    {kea_dhe_rsa,        kt_dh,       sign_rsa,  PR_FALSE,   0, PR_FALSE},
-    {kea_dhe_rsa_export, kt_dh,       sign_rsa,  PR_TRUE,  512, PR_FALSE},
-    {kea_dh_anon,        kt_dh,       sign_null, PR_FALSE,   0, PR_FALSE},
-    {kea_dh_anon_export, kt_dh,       sign_null, PR_TRUE,  512, PR_FALSE},
-    {kea_rsa_fips,       kt_rsa,      sign_rsa,  PR_FALSE,   0, PR_TRUE },
-#ifdef NSS_ENABLE_ECC
-    {kea_ecdh_ecdsa,     kt_ecdh,     sign_ecdsa,  PR_FALSE, 0, PR_FALSE},
-    {kea_ecdhe_ecdsa,    kt_ecdh,     sign_ecdsa,  PR_FALSE,   0, PR_FALSE},
-    {kea_ecdh_rsa,       kt_ecdh,     sign_rsa,  PR_FALSE,   0, PR_FALSE},
-    {kea_ecdhe_rsa,      kt_ecdh,     sign_rsa,  PR_FALSE,   0, PR_FALSE},
-#endif /* NSS_ENABLE_ECC */
-};
-
-/* must use ssl_LookupCipherSuiteDef to access */
-static const ssl3CipherSuiteDef cipher_suite_defs[] = 
-{
-/*  cipher_suite                    bulk_cipher_alg mac_alg key_exchange_alg */
-
-    {SSL_NULL_WITH_NULL_NULL,       cipher_null,   mac_null, kea_null},
-    {SSL_RSA_WITH_NULL_MD5,         cipher_null,   mac_md5, kea_rsa},
-    {SSL_RSA_WITH_NULL_SHA,         cipher_null,   mac_sha, kea_rsa},
-    {SSL_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export},
-    {SSL_RSA_WITH_RC4_128_MD5,      cipher_rc4,    mac_md5, kea_rsa},
-    {SSL_RSA_WITH_RC4_128_SHA,      cipher_rc4,    mac_sha, kea_rsa},
-    {SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
-                                    cipher_rc2_40, mac_md5, kea_rsa_export},
-#if 0 /* not implemented */
-    {SSL_RSA_WITH_IDEA_CBC_SHA,     cipher_idea,   mac_sha, kea_rsa},
-    {SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
-                                    cipher_des40,  mac_sha, kea_rsa_export},
-#endif
-    {SSL_RSA_WITH_DES_CBC_SHA,      cipher_des,    mac_sha, kea_rsa},
-    {SSL_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des,   mac_sha, kea_rsa},
-    {SSL_DHE_DSS_WITH_DES_CBC_SHA,  cipher_des,    mac_sha, kea_dhe_dss},
-    {SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
-                                    cipher_3des,   mac_sha, kea_dhe_dss},
-    {TLS_DHE_DSS_WITH_RC4_128_SHA,  cipher_rc4,    mac_sha, kea_dhe_dss},
-#if 0 /* not implemented */
-    {SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
-                                    cipher_des40,  mac_sha, kea_dh_dss_export},
-    {SSL_DH_DSS_DES_CBC_SHA,        cipher_des,    mac_sha, kea_dh_dss},
-    {SSL_DH_DSS_3DES_CBC_SHA,       cipher_3des,   mac_sha, kea_dh_dss},
-    {SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
-                                    cipher_des40,  mac_sha, kea_dh_rsa_export},
-    {SSL_DH_RSA_DES_CBC_SHA,        cipher_des,    mac_sha, kea_dh_rsa},
-    {SSL_DH_RSA_3DES_CBC_SHA,       cipher_3des,   mac_sha, kea_dh_rsa},
-    {SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
-                                    cipher_des40,  mac_sha, kea_dh_dss_export},
-    {SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
-                                    cipher_des40,  mac_sha, kea_dh_rsa_export},
-#endif
-    {SSL_DHE_RSA_WITH_DES_CBC_SHA,  cipher_des,    mac_sha, kea_dhe_rsa},
-    {SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
-                                    cipher_3des,   mac_sha, kea_dhe_rsa},
-#if 0
-    {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4_40, mac_md5, kea_dh_anon_export},
-    {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4,    mac_md5, kea_dh_anon_export},
-    {SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA,
-                                    cipher_des40,  mac_sha, kea_dh_anon_export},
-    {SSL_DH_ANON_DES_CBC_SHA,       cipher_des,    mac_sha, kea_dh_anon},
-    {SSL_DH_ANON_3DES_CBC_SHA,      cipher_3des,   mac_sha, kea_dh_anon},
-#endif
-
-
-/* New TLS cipher suites */
-    {TLS_RSA_WITH_AES_128_CBC_SHA,     	cipher_aes_128, mac_sha, kea_rsa},
-    {TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 	cipher_aes_128, mac_sha, kea_dhe_dss},
-    {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 	cipher_aes_128, mac_sha, kea_dhe_rsa},
-    {TLS_RSA_WITH_AES_256_CBC_SHA,     	cipher_aes_256, mac_sha, kea_rsa},
-    {TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 	cipher_aes_256, mac_sha, kea_dhe_dss},
-    {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 	cipher_aes_256, mac_sha, kea_dhe_rsa},
-#if 0
-    {TLS_DH_DSS_WITH_AES_128_CBC_SHA,  	cipher_aes_128, mac_sha, kea_dh_dss},
-    {TLS_DH_RSA_WITH_AES_128_CBC_SHA,  	cipher_aes_128, mac_sha, kea_dh_rsa},
-    {TLS_DH_ANON_WITH_AES_128_CBC_SHA, 	cipher_aes_128, mac_sha, kea_dh_anon},
-    {TLS_DH_DSS_WITH_AES_256_CBC_SHA,  	cipher_aes_256, mac_sha, kea_dh_dss},
-    {TLS_DH_RSA_WITH_AES_256_CBC_SHA,  	cipher_aes_256, mac_sha, kea_dh_rsa},
-    {TLS_DH_ANON_WITH_AES_256_CBC_SHA, 	cipher_aes_256, mac_sha, kea_dh_anon},
-#endif
-
-    {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
-                                    cipher_des,    mac_sha,kea_rsa_export_1024},
-    {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
-                                    cipher_rc4_56, mac_sha,kea_rsa_export_1024},
-
-    {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips},
-    {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des,    mac_sha, kea_rsa_fips},
-
-#ifdef NSS_ENABLE_ECC
-    /* Experimental TLS cipher suites using Elliptic Curves */
-    {TLS_ECDH_ECDSA_WITH_NULL_SHA,        cipher_null, mac_sha, kea_ecdh_ecdsa},
-    {TLS_ECDH_ECDSA_WITH_RC4_128_SHA,      cipher_rc4, mac_sha, kea_ecdh_ecdsa},
-    {TLS_ECDH_ECDSA_WITH_DES_CBC_SHA,      cipher_des, mac_sha, kea_ecdh_ecdsa},
-    {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa},
-    {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecdsa},
-    {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecdsa},
-
-    {TLS_ECDH_RSA_WITH_NULL_SHA,         cipher_null,    mac_sha, kea_ecdh_rsa},
-    {TLS_ECDH_RSA_WITH_RC4_128_SHA,      cipher_rc4,     mac_sha, kea_ecdh_rsa},
-    {TLS_ECDH_RSA_WITH_DES_CBC_SHA,      cipher_des,     mac_sha, kea_ecdh_rsa},
-    {TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des,    mac_sha, kea_ecdh_rsa},
-    {TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,  cipher_aes_128, mac_sha, kea_ecdh_rsa},
-    {TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,  cipher_aes_256, mac_sha, kea_ecdh_rsa},
-
-    {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_ecdsa},
-
-    {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdhe_rsa},
-#endif /* NSS_ENABLE_ECC */
-};
-
-static const CK_MECHANISM_TYPE kea_alg_defs[] = {
-    0x80000000L,
-    CKM_RSA_PKCS,
-    CKM_DH_PKCS_DERIVE,
-    CKM_KEA_KEY_DERIVE,
-    CKM_ECDH1_DERIVE
-};
-
-typedef struct SSLCipher2MechStr {
-    SSLCipherAlgorithm  calg;
-    CK_MECHANISM_TYPE   cmech;
-} SSLCipher2Mech;
-
-/* indexed by type SSLCipherAlgorithm */
-static const SSLCipher2Mech alg2Mech[] = {
-    /* calg,          cmech  */
-    { calg_null     , (CK_MECHANISM_TYPE)0x80000000L	},
-    { calg_rc4      , CKM_RC4				},
-    { calg_rc2      , CKM_RC2_CBC			},
-    { calg_des      , CKM_DES_CBC			},
-    { calg_3des     , CKM_DES3_CBC			},
-    { calg_idea     , CKM_IDEA_CBC			},
-    { calg_fortezza , CKM_SKIPJACK_CBC64                },
-    { calg_aes      , CKM_AES_CBC			},
-/*  { calg_init     , (CK_MECHANISM_TYPE)0x7fffffffL    }  */
-};
-
-#define mmech_null     (CK_MECHANISM_TYPE)0x80000000L
-#define mmech_md5      CKM_SSL3_MD5_MAC
-#define mmech_sha      CKM_SSL3_SHA1_MAC
-#define mmech_md5_hmac CKM_MD5_HMAC
-#define mmech_sha_hmac CKM_SHA_1_HMAC
-
-static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
-    /* mac      mmech       pad_size  mac_size                       */
-    { mac_null, mmech_null,       0,  0          },
-    { mac_md5,  mmech_md5,       48,  MD5_LENGTH },
-    { mac_sha,  mmech_sha,       40,  SHA1_LENGTH},
-    {hmac_md5,  mmech_md5_hmac,  48,  MD5_LENGTH },
-    {hmac_sha,  mmech_sha_hmac,  40,  SHA1_LENGTH},
-};
-
-/* indexed by SSL3BulkCipher */
-const char * const ssl3_cipherName[] = {
-    "NULL",
-    "RC4",
-    "RC4-40",
-    "RC4-56",
-    "RC2-CBC",
-    "RC2-CBC-40",
-    "DES-CBC",
-    "3DES-EDE-CBC",
-    "DES-CBC-40",
-    "IDEA-CBC",
-    "AES-128",
-    "AES-256",
-    "missing"
-};
-
-
-#if defined(TRACE)
-
-static char *
-ssl3_DecodeHandshakeType(int msgType)
-{
-    char * rv;
-    static char line[40];
-
-    switch(msgType) {
-    case hello_request:	        rv = "hello_request (0)";               break;
-    case client_hello:	        rv = "client_hello  (1)";               break;
-    case server_hello:	        rv = "server_hello  (2)";               break;
-    case certificate:	        rv = "certificate  (11)";               break;
-    case server_key_exchange:	rv = "server_key_exchange (12)";        break;
-    case certificate_request:	rv = "certificate_request (13)";        break;
-    case server_hello_done:	rv = "server_hello_done   (14)";        break;
-    case certificate_verify:	rv = "certificate_verify  (15)";        break;
-    case client_key_exchange:	rv = "client_key_exchange (16)";        break;
-    case finished:	        rv = "finished     (20)";               break;
-    default:
-        sprintf(line, "*UNKNOWN* handshake type! (%d)", msgType);
-	rv = line;
-    }
-    return rv;
-}
-
-static char *
-ssl3_DecodeContentType(int msgType)
-{
-    char * rv;
-    static char line[40];
-
-    switch(msgType) {
-    case content_change_cipher_spec:
-                                rv = "change_cipher_spec (20)";         break;
-    case content_alert:	        rv = "alert      (21)";                 break;
-    case content_handshake:	rv = "handshake  (22)";                 break;
-    case content_application_data:
-                                rv = "application_data (23)";           break;
-    default:
-        sprintf(line, "*UNKNOWN* record type! (%d)", msgType);
-	rv = line;
-    }
-    return rv;
-}
-
-#endif
-
-SSL3Statistics * 
-SSL_GetStatistics(void)
-{
-    return &ssl3stats;
-}
-
-/* return pointer to ssl3CipherSuiteDef for suite, or NULL */
-/* XXX This does a linear search.  A binary search would be better. */
-static const ssl3CipherSuiteDef *
-ssl_LookupCipherSuiteDef(ssl3CipherSuite suite)
-{
-    int cipher_suite_def_len =
-	sizeof(cipher_suite_defs) / sizeof(cipher_suite_defs[0]);
-    int i;
-
-    for (i = 0; i < cipher_suite_def_len; i++) {
-	if (cipher_suite_defs[i].cipher_suite == suite)
-	    return &cipher_suite_defs[i];
-    }
-    PORT_Assert(PR_FALSE);  /* We should never get here. */
-    PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
-    return NULL;
-}
-
-/* Find the cipher configuration struct associate with suite */
-/* XXX This does a linear search.  A binary search would be better. */
-static ssl3CipherSuiteCfg *
-ssl_LookupCipherSuiteCfg(ssl3CipherSuite suite, ssl3CipherSuiteCfg *suites)
-{
-    int i;
-
-    for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
-	if (suites[i].cipher_suite == suite)
-	    return &suites[i];
-    }
-    /* return NULL and let the caller handle it.  */
-    PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
-    return NULL;
-}
-
-
-/* Initialize the suite->isPresent value for config_match
- * Returns count of enabled ciphers supported by extant tokens,
- * regardless of policy or user preference.
- * If this returns zero, the user cannot do SSL v3.
- */
-int
-ssl3_config_match_init(sslSocket *ss)
-{
-    ssl3CipherSuiteCfg *      suite;
-    const ssl3CipherSuiteDef *cipher_def;
-    SSLCipherAlgorithm        cipher_alg;
-    CK_MECHANISM_TYPE         cipher_mech;
-    SSL3KEAType               exchKeyType;
-    int                       i;
-    int                       numPresent		= 0;
-    int                       numEnabled		= 0;
-    PRBool                    isServer;
-    sslServerCerts           *svrAuth;
-
-    if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) {
-    	return 0;
-    }
-    isServer = (PRBool)( ss && ss->sec.isServer );
-
-    for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
-	suite = &ss->cipherSuites[i];
-	if (suite->enabled) {
-	    ++numEnabled;
-	    /* We need the cipher defs to see if we have a token that can handle
-	     * this cipher.  It isn't part of the static definition.
-	     */
-	    cipher_def = ssl_LookupCipherSuiteDef(suite->cipher_suite);
-	    if (!cipher_def) {
-	    	suite->isPresent = PR_FALSE;
-		continue;
-	    }
-	    cipher_alg=bulk_cipher_defs[cipher_def->bulk_cipher_alg ].calg;
-	    PORT_Assert(  alg2Mech[cipher_alg].calg == cipher_alg);
-	    cipher_mech = alg2Mech[cipher_alg].cmech;
-	    exchKeyType =
-	    	    kea_defs[cipher_def->key_exchange_alg].exchKeyType;
-#ifndef NSS_ENABLE_ECC
-	    svrAuth = ss->serverCerts + exchKeyType;
-#else
-	    /* XXX SSLKEAType isn't really a good choice for 
-	     * indexing certificates. It doesn't work for
-	     * (EC)DHE-* ciphers. Here we use a hack to ensure
-	     * that the server uses an RSA cert for (EC)DHE-RSA.
-	     */
-	    switch (cipher_def->key_exchange_alg) {
-	    case kea_ecdhe_rsa:
-	    case kea_dhe_rsa:
-		svrAuth = ss->serverCerts + kt_rsa;
-		break;
-	    case kea_ecdh_ecdsa:
-	    case kea_ecdh_rsa:
-	        /* 
-		 * XXX We ought to have different indices for 
-		 * ECDSA- and RSA-signed EC certificates so
-		 * we could support both key exchange mechanisms
-		 * simultaneously. For now, both of them use
-		 * whatever is in the certificate slot for kt_ecdh
-		 */
-	    default:
-		svrAuth = ss->serverCerts + exchKeyType;
-		break;
-	    }
-#endif /* NSS_ENABLE_ECC */
-
-	    /* Mark the suites that are backed by real tokens, certs and keys */
-	    suite->isPresent = (PRBool)
-		(((exchKeyType == kt_null) ||
-		   ((!isServer || (svrAuth->serverKeyPair &&
-		                   svrAuth->SERVERKEY &&
-				   svrAuth->serverCertChain)) &&
-		    PK11_TokenExists(kea_alg_defs[exchKeyType]))) &&
-		((cipher_alg == calg_null) || PK11_TokenExists(cipher_mech)));
-	    if (suite->isPresent)
-	    	++numPresent;
-	}
-    }
-    PORT_Assert(numPresent > 0 || numEnabled == 0);
-    if (numPresent <= 0) {
-	PORT_SetError(SSL_ERROR_NO_CIPHERS_SUPPORTED);
-    }
-    return numPresent;
-}
-
-
-/* return PR_TRUE if suite matches policy and enabled state */
-/* It would be a REALLY BAD THING (tm) if we ever permitted the use
-** of a cipher that was NOT_ALLOWED.  So, if this is ever called with
-** policy == SSL_NOT_ALLOWED, report no match.
-*/
-/* adjust suite enabled to the availability of a token that can do the
- * cipher suite. */
-static PRBool
-config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled)
-{
-    PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE);
-    if (policy == SSL_NOT_ALLOWED || !enabled)
-    	return PR_FALSE;
-    return (PRBool)(suite->enabled &&
-                    suite->isPresent &&
-	            suite->policy != SSL_NOT_ALLOWED &&
-		    suite->policy <= policy);
-}
-
-/* return number of cipher suites that match policy and enabled state */
-/* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */
-static int
-count_cipher_suites(sslSocket *ss, int policy, PRBool enabled)
-{
-    int i, count = 0;
-
-    if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) {
-    	return 0;
-    }
-    for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
-	if (config_match(&ss->cipherSuites[i], policy, enabled))
-	    count++;
-    }
-    if (count <= 0) {
-	PORT_SetError(SSL_ERROR_SSL_DISABLED);
-    }
-    return count;
-}
-
-static PRBool
-anyRestrictedEnabled(sslSocket *ss)
-{
-    int i;
-
-    if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) {
-    	return PR_FALSE;
-    }
-    for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
-	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
-	if (suite->policy == SSL_RESTRICTED &&
-	    suite->enabled &&
-	    suite->isPresent)
-	    return PR_TRUE;
-    }
-    return PR_FALSE;
-}
-
-/*
- * Null compression, mac and encryption functions
- */
-
-static SECStatus
-Null_Cipher(void *ctx, unsigned char *output, int *outputLen, int maxOutputLen,
-	    const unsigned char *input, int inputLen)
-{
-    *outputLen = inputLen;
-    if (input != output)
-	PORT_Memcpy(output, input, inputLen);
-    return SECSuccess;
-}
-
-/*
- * SSL3 Utility functions
- */
-
-SECStatus
-ssl3_NegotiateVersion(sslSocket *ss, SSL3ProtocolVersion peerVersion)
-{
-    SSL3ProtocolVersion version;
-    SSL3ProtocolVersion maxVersion;
-
-    if (ss->opt.enableTLS) {
-	maxVersion = SSL_LIBRARY_VERSION_3_1_TLS;
-    } else if (ss->opt.enableSSL3) {
-	maxVersion = SSL_LIBRARY_VERSION_3_0;
-    } else {
-    	/* what are we doing here? */
-	PORT_Assert(ss->opt.enableSSL3 || ss->opt.enableTLS);
-	PORT_SetError(SSL_ERROR_SSL_DISABLED);
-	return SECFailure;
-    }
-
-    ss->version = version = PR_MIN(maxVersion, peerVersion);
-
-    if ((version == SSL_LIBRARY_VERSION_3_1_TLS && ss->opt.enableTLS) ||
-    	(version == SSL_LIBRARY_VERSION_3_0     && ss->opt.enableSSL3)) {
-	return SECSuccess;
-    }
-
-    PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
-    return SECFailure;
-
-}
-
-static SECStatus
-ssl3_GetNewRandom(SSL3Random *random)
-{
-    PRIntervalTime gmt = PR_IntervalToSeconds(PR_IntervalNow());
-    SECStatus rv;
-
-    random->rand[0] = (unsigned char)(gmt >> 24);
-    random->rand[1] = (unsigned char)(gmt >> 16);
-    random->rand[2] = (unsigned char)(gmt >>  8);
-    random->rand[3] = (unsigned char)(gmt);
-
-    /* first 4 bytes are reserverd for time */
-    rv = PK11_GenerateRandom(&random->rand[4], SSL3_RANDOM_LENGTH - 4);
-    if (rv != SECSuccess) {
-	ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
-    }
-    return rv;
-}
-
-/* Called by ssl3_SendServerKeyExchange and ssl3_SendCertificateVerify */
-SECStatus
-ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key, SECItem *buf, 
-                PRBool isTLS)
-{
-    SECStatus rv		= SECFailure;
-    PRBool    doDerEncode       = PR_FALSE;
-    int       signatureLen;
-    SECItem   hashItem;
-
-    buf->data    = NULL;
-    signatureLen = PK11_SignatureLen(key);
-    if (signatureLen <= 0) {
-	PORT_SetError(SEC_ERROR_INVALID_KEY);
-        goto done;
-    }
-
-    buf->len  = (unsigned)signatureLen;
-    buf->data = (unsigned char *)PORT_Alloc(signatureLen + 1);
-    if (!buf->data)
-        goto done;	/* error code was set. */
-
-    switch (key->keyType) {
-    case rsaKey:
-    	hashItem.data = hash->md5;
-    	hashItem.len = sizeof(SSL3Hashes);
-	break;
-    case dsaKey:
-	doDerEncode = isTLS;
-	hashItem.data = hash->sha;
-	hashItem.len = sizeof(hash->sha);
-	break;
-#ifdef NSS_ENABLE_ECC
-    case ecKey:
-	doDerEncode = PR_TRUE;
-	hashItem.data = hash->sha;
-	hashItem.len = sizeof(hash->sha);
-	break;
-#endif /* NSS_ENABLE_ECC */
-    default:
-	PORT_SetError(SEC_ERROR_INVALID_KEY);
-	goto done;
-    }
-    PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len));
-
-    rv = PK11_Sign(key, buf, &hashItem);
-    if (rv != SECSuccess) {
-	ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE);
-    } else if (doDerEncode) {
-	SECItem   derSig	= {siBuffer, NULL, 0};
-
-	/* This also works for an ECDSA signature */
-	rv = DSAU_EncodeDerSigWithLen(&derSig, buf, (unsigned) signatureLen);
-	if (rv == SECSuccess) {
-	    PORT_Free(buf->data);	/* discard unencoded signature. */
-	    *buf = derSig;		/* give caller encoded signature. */
-	} else if (derSig.data) {
-	    PORT_Free(derSig.data);
-	}
-    }
-
-    PRINT_BUF(60, (NULL, "signed hashes", (unsigned char*)buf->data, buf->len));
-done:
-    if (rv != SECSuccess && buf->data) {
-	PORT_Free(buf->data);
-	buf->data = NULL;
-    }
-    return rv;
-}
-
-/* Called from ssl3_HandleServerKeyExchange, ssl3_HandleCertificateVerify */
-SECStatus
-ssl3_VerifySignedHashes(SSL3Hashes *hash, CERTCertificate *cert, 
-                        SECItem *buf, PRBool isTLS, void *pwArg)
-{
-    SECKEYPublicKey * key;
-    SECItem *         signature	= NULL;
-    SECStatus         rv;
-    SECItem           hashItem;
-#ifdef NSS_ENABLE_ECC
-    unsigned int      len;
-#endif /* NSS_ENABLE_ECC */
-
-
-    PRINT_BUF(60, (NULL, "check signed hashes",
-                  buf->data, buf->len));
-
-    key = CERT_ExtractPublicKey(cert);
-    if (key == NULL) {
-	/* CERT_ExtractPublicKey doesn't set error code */
-	PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
-    	return SECFailure;
-    }
-
-    switch (key->keyType) {
-    case rsaKey:
-    	hashItem.data = hash->md5;
-    	hashItem.len = sizeof(SSL3Hashes);
-	break;
-    case dsaKey:
-	hashItem.data = hash->sha;
-	hashItem.len = sizeof(hash->sha);
-	if (isTLS) {
-	    signature = DSAU_DecodeDerSig(buf);
-	    if (!signature) {
-	    	PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
-		return SECFailure;
-	    }
-	    buf = signature;
-	}
-	break;
-
-#ifdef NSS_ENABLE_ECC
-    case ecKey:
-	hashItem.data = hash->sha;
-	hashItem.len = sizeof(hash->sha);
-	/*
-	 * ECDSA signatures always encode the integers r and s 
-	 * using ASN (unlike DSA where ASN encoding is used
-	 * with TLS but not with SSL3)
-	 */
-	len = SECKEY_PublicKeyStrength(key) * 2;
-	if (len == 0) {
-	    SECKEY_DestroyPublicKey(key);
-	    PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
-	    return SECFailure;
-	}
-	signature = DSAU_DecodeDerSigToLen(buf, len);
-	if (!signature) {
-	    PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
-	    return SECFailure;
-	}
-	buf = signature;
-	break;
-#endif /* NSS_ENABLE_ECC */
-
-    default:
-    	SECKEY_DestroyPublicKey(key);
-	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-	return SECFailure;
-    }
-
-    PRINT_BUF(60, (NULL, "hash(es) to be verified",
-                  hashItem.data, hashItem.len));
-
-    rv = PK11_Verify(key, buf, &hashItem, pwArg);
-    SECKEY_DestroyPublicKey(key);
-    if (signature) {
-    	SECITEM_FreeItem(signature, PR_TRUE);
-    }
-    if (rv != SECSuccess) {
-	ssl_MapLowLevelError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
-    }
-    return rv;
-}
-
-
-/* Caller must set hiLevel error code. */
-/* Called from ssl3_ComputeExportRSAKeyHash
- *             ssl3_ComputeDHKeyHash
- * which are called from ssl3_HandleServerKeyExchange. 
- */
-SECStatus
-ssl3_ComputeCommonKeyHash(PRUint8 * hashBuf, unsigned int bufLen,
-			     SSL3Hashes *hashes, PRBool bypassPKCS11)
-{
-    SECStatus     rv 		= SECSuccess;
-
-    if (bypassPKCS11) {
-	MD5_HashBuf (hashes->md5, hashBuf, bufLen);
-	SHA1_HashBuf(hashes->sha, hashBuf, bufLen);
-    } else {
-	rv = PK11_HashBuf(SEC_OID_MD5, hashes->md5, hashBuf, bufLen);
-	if (rv != SECSuccess) {
-	    ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
-	    rv = SECFailure;
-	    goto done;
-	}
-
-	rv = PK11_HashBuf(SEC_OID_SHA1, hashes->sha, hashBuf, bufLen);
-	if (rv != SECSuccess) {
-	    ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
-	    rv = SECFailure;
-	}
-    }
-done:
-    return rv;
-}
-
-/* Caller must set hiLevel error code. 
-** Called from ssl3_SendServerKeyExchange and 
-**             ssl3_HandleServerKeyExchange.
-*/
-static SECStatus
-ssl3_ComputeExportRSAKeyHash(SECItem modulus, SECItem publicExponent,
-			     SSL3Random *client_rand, SSL3Random *server_rand,
-			     SSL3Hashes *hashes, PRBool bypassPKCS11)
-{
-    PRUint8     * hashBuf;
-    PRUint8     * pBuf;
-    SECStatus     rv 		= SECSuccess;
-    unsigned int  bufLen;
-    PRUint8       buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8];
-
-    bufLen = 2*SSL3_RANDOM_LENGTH + 2 + modulus.len + 2 + publicExponent.len;
-    if (bufLen <= sizeof buf) {
-    	hashBuf = buf;
-    } else {
-    	hashBuf = PORT_Alloc(bufLen);
-	if (!hashBuf) {
-	    return SECFailure;
-	}
-    }
-
-    memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH); 
-    	pBuf = hashBuf + SSL3_RANDOM_LENGTH;
-    memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH);
-    	pBuf += SSL3_RANDOM_LENGTH;
-    pBuf[0]  = (PRUint8)(modulus.len >> 8);
-    pBuf[1]  = (PRUint8)(modulus.len);
-    	pBuf += 2;
-    memcpy(pBuf, modulus.data, modulus.len);
-    	pBuf += modulus.len;
-    pBuf[0] = (PRUint8)(publicExponent.len >> 8);
-    pBuf[1] = (PRUint8)(publicExponent.len);
-    	pBuf += 2;
-    memcpy(pBuf, publicExponent.data, publicExponent.len);
-    	pBuf += publicExponent.len;
-    PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);
-
-    rv = ssl3_ComputeCommonKeyHash(hashBuf, bufLen, hashes, bypassPKCS11);
-
-    PRINT_BUF(95, (NULL, "RSAkey hash: ", hashBuf, bufLen));
-    PRINT_BUF(95, (NULL, "RSAkey hash: MD5 result", hashes->md5, MD5_LENGTH));
-    PRINT_BUF(95, (NULL, "RSAkey hash: SHA1 result", hashes->sha, SHA1_LENGTH));
-
-    if (hashBuf != buf && hashBuf != NULL)
-    	PORT_Free(hashBuf);
-    return rv;
-}
-
-/* Caller must set hiLevel error code. */
-/* Called from ssl3_HandleServerKeyExchange. */
-static SECStatus
-ssl3_ComputeDHKeyHash(SECItem dh_p, SECItem dh_g, SECItem dh_Ys,
-			     SSL3Random *client_rand, SSL3Random *server_rand,
-			     SSL3Hashes *hashes, PRBool bypassPKCS11)
-{
-    PRUint8     * hashBuf;
-    PRUint8     * pBuf;
-    SECStatus     rv 		= SECSuccess;
-    unsigned int  bufLen;
-    PRUint8       buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8];
-
-    bufLen = 2*SSL3_RANDOM_LENGTH + 2 + dh_p.len + 2 + dh_g.len + 2 + dh_Ys.len;
-    if (bufLen <= sizeof buf) {
-    	hashBuf = buf;
-    } else {
-    	hashBuf = PORT_Alloc(bufLen);
-	if (!hashBuf) {
-	    return SECFailure;
-	}
-    }
-
-    memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH); 
-    	pBuf = hashBuf + SSL3_RANDOM_LENGTH;
-    memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH);
-    	pBuf += SSL3_RANDOM_LENGTH;
-    pBuf[0]  = (PRUint8)(dh_p.len >> 8);
-    pBuf[1]  = (PRUint8)(dh_p.len);
-    	pBuf += 2;
-    memcpy(pBuf, dh_p.data, dh_p.len);
-    	pBuf += dh_p.len;
-    pBuf[0] = (PRUint8)(dh_g.len >> 8);
-    pBuf[1] = (PRUint8)(dh_g.len);
-    	pBuf += 2;
-    memcpy(pBuf, dh_g.data, dh_g.len);
-    	pBuf += dh_g.len;
-    pBuf[0] = (PRUint8)(dh_Ys.len >> 8);
-    pBuf[1] = (PRUint8)(dh_Ys.len);
-    	pBuf += 2;
-    memcpy(pBuf, dh_Ys.data, dh_Ys.len);
-    	pBuf += dh_Ys.len;
-    PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);
-
-    rv = ssl3_ComputeCommonKeyHash(hashBuf, bufLen, hashes, bypassPKCS11);
-
-    PRINT_BUF(95, (NULL, "DHkey hash: ", hashBuf, bufLen));
-    PRINT_BUF(95, (NULL, "DHkey hash: MD5 result", hashes->md5, MD5_LENGTH));
-    PRINT_BUF(95, (NULL, "DHkey hash: SHA1 result", hashes->sha, SHA1_LENGTH));
-
-    if (hashBuf != buf && hashBuf != NULL)
-    	PORT_Free(hashBuf);
-    return rv;
-}
-
-static void
-ssl3_BumpSequenceNumber(SSL3SequenceNumber *num)
-{
-    num->low++;
-    if (num->low == 0)
-	num->high++;
-}
-
-/* Called twice, only from ssl3_DestroyCipherSpec (immediately below). */
-static void
-ssl3_CleanupKeyMaterial(ssl3KeyMaterial *mat)
-{
-    if (mat->write_key != NULL) {
-	PK11_FreeSymKey(mat->write_key);
-	mat->write_key = NULL;
-    }
-    if (mat->write_mac_key != NULL) {
-	PK11_FreeSymKey(mat->write_mac_key);
-	mat->write_mac_key = NULL;
-    }
-    if (mat->write_mac_context != NULL) {
-	PK11_DestroyContext(mat->write_mac_context, PR_TRUE);
-	mat->write_mac_context = NULL;
-    }
-}
-
-/* Called from ssl3_SendChangeCipherSpecs() and 
-**	       ssl3_HandleChangeCipherSpecs()
-**             ssl3_DestroySSL3Info
-** Caller must hold SpecWriteLock.
-*/
-static void
-ssl3_DestroyCipherSpec(ssl3CipherSpec *spec)
-{
-    PRBool freeit = (PRBool)(!spec->bypassCiphers);
-/*  PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); Don't have ss! */
-    if (spec->destroy) {
-	spec->destroy(spec->encodeContext, freeit);
-	spec->destroy(spec->decodeContext, freeit);
-	spec->encodeContext = NULL; /* paranoia */
-	spec->decodeContext = NULL;
-    }
-    if (spec->master_secret != NULL) {
-	PK11_FreeSymKey(spec->master_secret);
-	spec->master_secret = NULL;
-    }
-    spec->msItem.data = NULL;
-    spec->msItem.len  = 0;
-    ssl3_CleanupKeyMaterial(&spec->client);
-    ssl3_CleanupKeyMaterial(&spec->server);
-    spec->bypassCiphers = PR_FALSE;
-    spec->destroy=NULL;
-}
-
-/* Fill in the pending cipher spec with info from the selected ciphersuite.
-** This is as much initialization as we can do without having key material.
-** Called from ssl3_HandleServerHello(), ssl3_SendServerHello()
-** Caller must hold the ssl3 handshake lock.
-** Acquires & releases SpecWriteLock.
-*/
-static SECStatus
-ssl3_SetupPendingCipherSpec(sslSocket *ss)
-{
-    ssl3CipherSpec *          pwSpec;
-    ssl3CipherSpec *          cwSpec;
-    ssl3CipherSuite           suite     = ss->ssl3.hs.cipher_suite;
-    SSL3MACAlgorithm          mac;
-    SSL3BulkCipher            cipher;
-    SSL3KeyExchangeAlgorithm  kea;
-    const ssl3CipherSuiteDef *suite_def;
-    PRBool                    isTLS;
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-
-    ssl_GetSpecWriteLock(ss);  /*******************************/
-
-    pwSpec = ss->ssl3.pwSpec;
-    PORT_Assert(pwSpec == ss->ssl3.prSpec);
-
-    /* This hack provides maximal interoperability with SSL 3 servers. */
-    cwSpec = ss->ssl3.cwSpec;
-    if (cwSpec->mac_def->mac == mac_null) {
-	/* SSL records are not being MACed. */
-	cwSpec->version = ss->version;
-    }
-
-    pwSpec->version  = ss->version;
-    isTLS  = (PRBool)(pwSpec->version > SSL_LIBRARY_VERSION_3_0);
-
-    SSL_TRC(3, ("%d: SSL3[%d]: Set XXX Pending Cipher Suite to 0x%04x",
-		SSL_GETPID(), ss->fd, suite));
-
-    suite_def = ssl_LookupCipherSuiteDef(suite);
-    if (suite_def == NULL) {
-	ssl_ReleaseSpecWriteLock(ss);
-	return SECFailure;	/* error code set by ssl_LookupCipherSuiteDef */
-    }
-
-
-    cipher = suite_def->bulk_cipher_alg;
-    kea    = suite_def->key_exchange_alg;
-    mac    = suite_def->mac_alg;
-    if (isTLS)
-	mac += 2;
-
-    ss->ssl3.hs.suite_def = suite_def;
-    ss->ssl3.hs.kea_def   = &kea_defs[kea];
-    PORT_Assert(ss->ssl3.hs.kea_def->kea == kea);
-
-    pwSpec->cipher_def   = &bulk_cipher_defs[cipher];
-    PORT_Assert(pwSpec->cipher_def->cipher == cipher);
-
-    pwSpec->mac_def = &mac_defs[mac];
-    PORT_Assert(pwSpec->mac_def->mac == mac);
-
-    ss->sec.keyBits       = pwSpec->cipher_def->key_size        * BPB;
-    ss->sec.secretKeyBits = pwSpec->cipher_def->secret_key_size * BPB;
-    ss->sec.cipherType    = cipher;
-
-    pwSpec->encodeContext = NULL;
-    pwSpec->decodeContext = NULL;
-
-    pwSpec->mac_size = pwSpec->mac_def->mac_size;
-
-    ssl_ReleaseSpecWriteLock(ss);  /*******************************/
-    return SECSuccess;
-}
-
-/* Initialize encryption and MAC contexts for pending spec.
- * Master Secret already is derived in spec->msItem
- * Caller holds Spec write lock.
- */
-static SECStatus
-ssl3_InitPendingContextsBypass(sslSocket *ss)
-{
-      ssl3CipherSpec  *  pwSpec;
-const ssl3BulkCipherDef *cipher_def;
-      void *             serverContext = NULL;
-      void *             clientContext = NULL;
-      BLapiInitContextFunc initFn = (BLapiInitContextFunc)NULL;
-      int                mode     = 0;
-      unsigned int       optArg1  = 0;
-      unsigned int       optArg2  = 0;
-      PRBool             server_encrypts = ss->sec.isServer;
-      CK_ULONG           macLength;
-      SSLCipherAlgorithm calg;
-      SECStatus          rv;
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-
-    PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
-
-    pwSpec        = ss->ssl3.pwSpec;
-    cipher_def    = pwSpec->cipher_def;
-    macLength     = pwSpec->mac_size;
-
-    /* MAC setup is done when computing the mac, not here.
-     * Now setup the crypto contexts.
-     */
-
-    calg = cipher_def->calg;
-
-    serverContext = pwSpec->server.cipher_context;
-    clientContext = pwSpec->client.cipher_context;
-
-    switch (calg) {
-    case ssl_calg_null:
-	pwSpec->encode  = Null_Cipher;
-	pwSpec->decode  = Null_Cipher;
-        pwSpec->destroy = NULL;
-	goto success;
-
-    case ssl_calg_rc4:
-      	initFn = (BLapiInitContextFunc)RC4_InitContext;
-	pwSpec->encode  = (SSLCipher) RC4_Encrypt;
-	pwSpec->decode  = (SSLCipher) RC4_Decrypt;
-	pwSpec->destroy = (SSLDestroy) RC4_DestroyContext;
-	break;
-    case ssl_calg_rc2:
-      	initFn = (BLapiInitContextFunc)RC2_InitContext;
-	mode = NSS_RC2_CBC;
-	optArg1 = cipher_def->key_size;
-	pwSpec->encode  = (SSLCipher) RC2_Encrypt;
-	pwSpec->decode  = (SSLCipher) RC2_Decrypt;
-	pwSpec->destroy = (SSLDestroy) RC2_DestroyContext;
-	break;
-    case ssl_calg_des:
-      	initFn = (BLapiInitContextFunc)DES_InitContext;
-	mode = NSS_DES_CBC;
-	optArg1 = server_encrypts;
-	pwSpec->encode  = (SSLCipher) DES_Encrypt;
-	pwSpec->decode  = (SSLCipher) DES_Decrypt;
-	pwSpec->destroy = (SSLDestroy) DES_DestroyContext;
-	break;
-    case ssl_calg_3des:
-      	initFn = (BLapiInitContextFunc)DES_InitContext;
-	mode = NSS_DES_EDE3_CBC;
-	optArg1 = server_encrypts;
-	pwSpec->encode  = (SSLCipher) DES_Encrypt;
-	pwSpec->decode  = (SSLCipher) DES_Decrypt;
-	pwSpec->destroy = (SSLDestroy) DES_DestroyContext;
-	break;
-    case ssl_calg_aes:
-      	initFn = (BLapiInitContextFunc)AES_InitContext;
-	mode = NSS_AES_CBC;
-	optArg1 = server_encrypts;
-	optArg2 = AES_BLOCK_SIZE;
-	pwSpec->encode  = (SSLCipher) AES_Encrypt;
-	pwSpec->decode  = (SSLCipher) AES_Decrypt;
-	pwSpec->destroy = (SSLDestroy) AES_DestroyContext;
-	break;
-
-    case ssl_calg_idea:
-    case ssl_calg_fortezza :
-    default:
-	PORT_Assert(0);
-	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	goto bail_out;
-    }
-    rv = (*initFn)(serverContext,
-		   pwSpec->server.write_key_item.data,
-		   pwSpec->server.write_key_item.len,
-		   pwSpec->server.write_iv_item.data,
-		   mode, optArg1, optArg2);
-    if (rv != SECSuccess) {
-	PORT_Assert(0);
-	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	goto bail_out;
-    }
-
-    if (calg == ssl_calg_des || calg == ssl_calg_3des || calg == ssl_calg_aes) {
-	/* For block ciphers, if the server is encrypting, then the client
-	 * is decrypting, and vice versa.
-	 */
-	optArg1 = !optArg1;
-    }
-
-    rv = (*initFn)(clientContext,
-		   pwSpec->client.write_key_item.data,
-		   pwSpec->client.write_key_item.len,
-		   pwSpec->client.write_iv_item.data,
-		   mode, optArg1, optArg2);
-    if (rv != SECSuccess) {
-	PORT_Assert(0);
-	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	goto bail_out;
-    }
-
-    pwSpec->encodeContext = (ss->sec.isServer) ? serverContext : clientContext;
-    pwSpec->decodeContext = (ss->sec.isServer) ? clientContext : serverContext;
-
-success:
-    return SECSuccess;
-
-bail_out:
-    return SECFailure;
-}
-
-/* This function should probably be moved to pk11wrap and be named 
- * PK11_ParamFromIVAndEffectiveKeyBits
- */
-static SECItem *
-ssl3_ParamFromIV(CK_MECHANISM_TYPE mtype, SECItem *iv, CK_ULONG ulEffectiveBits)
-{
-    SECItem * param = PK11_ParamFromIV(mtype, iv);
-    if (param && param->data  && param->len >= sizeof(CK_RC2_PARAMS)) {
-	switch (mtype) {
-	case CKM_RC2_KEY_GEN:
-	case CKM_RC2_ECB:
-	case CKM_RC2_CBC:
-	case CKM_RC2_MAC:
-	case CKM_RC2_MAC_GENERAL:
-	case CKM_RC2_CBC_PAD:
-	    *(CK_RC2_PARAMS *)param->data = ulEffectiveBits;
-	default: break;
-	}
-    }
-    return param;
-}
-
-/* Initialize encryption and MAC contexts for pending spec.
- * Master Secret already is derived.
- * Caller holds Spec write lock.
- */
-static SECStatus
-ssl3_InitPendingContextsPKCS11(sslSocket *ss)
-{
-      ssl3CipherSpec  *  pwSpec;
-const ssl3BulkCipherDef *cipher_def;
-      PK11Context *      serverContext = NULL;
-      PK11Context *      clientContext = NULL;
-      SECItem *          param;
-      CK_MECHANISM_TYPE  mechanism;
-      CK_MECHANISM_TYPE  mac_mech;
-      CK_ULONG           macLength;
-      CK_ULONG           effKeyBits;
-      SECItem            iv;
-      SECItem            mac_param;
-      SSLCipherAlgorithm calg;
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-
-    PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
-
-    pwSpec        = ss->ssl3.pwSpec;
-    cipher_def    = pwSpec->cipher_def;
-    macLength     = pwSpec->mac_size;
-
-    /* 
-    ** Now setup the MAC contexts, 
-    **   crypto contexts are setup below.
-    */
-
-    pwSpec->client.write_mac_context = NULL;
-    pwSpec->server.write_mac_context = NULL;
-    mac_mech       = pwSpec->mac_def->mmech;
-    mac_param.data = (unsigned char *)&macLength;
-    mac_param.len  = sizeof(macLength);
-    mac_param.type = 0;
-
-    pwSpec->client.write_mac_context = PK11_CreateContextBySymKey(
-	    mac_mech, CKA_SIGN, pwSpec->client.write_mac_key, &mac_param);
-    if (pwSpec->client.write_mac_context == NULL)  {
-	ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
-	goto fail;
-    }
-    pwSpec->server.write_mac_context = PK11_CreateContextBySymKey(
-	    mac_mech, CKA_SIGN, pwSpec->server.write_mac_key, &mac_param);
-    if (pwSpec->server.write_mac_context == NULL) {
-	ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
-	goto fail;
-    }
-
-    /* 
-    ** Now setup the crypto contexts.
-    */
-
-    calg = cipher_def->calg;
-    PORT_Assert(alg2Mech[calg].calg == calg);
-
-    if (calg == calg_null) {
-	pwSpec->encode  = Null_Cipher;
-	pwSpec->decode  = Null_Cipher;
-	pwSpec->destroy = NULL;
-	return SECSuccess;
-    }
-    mechanism = alg2Mech[calg].cmech;
-    effKeyBits = cipher_def->key_size * BPB;
-
-    /*
-     * build the server context
-     */
-    iv.data = pwSpec->server.write_iv;
-    iv.len  = cipher_def->iv_size;
-    param = ssl3_ParamFromIV(mechanism, &iv, effKeyBits);
-    if (param == NULL) {
-	ssl_MapLowLevelError(SSL_ERROR_IV_PARAM_FAILURE);
-    	goto fail;
-    }
-    serverContext = PK11_CreateContextBySymKey(mechanism,
-				(ss->sec.isServer ? CKA_ENCRYPT : CKA_DECRYPT),
-				pwSpec->server.write_key, param);
-    iv.data = PK11_IVFromParam(mechanism, param, (int *)&iv.len);
-    if (iv.data)
-    	PORT_Memcpy(pwSpec->server.write_iv, iv.data, iv.len);
-    SECITEM_FreeItem(param, PR_TRUE);
-    if (serverContext == NULL) {
-	ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
-    	goto fail;
-    }
-
-    /*
-     * build the client context
-     */
-    iv.data = pwSpec->client.write_iv;
-    iv.len  = cipher_def->iv_size;
-
-    param = ssl3_ParamFromIV(mechanism, &iv, effKeyBits);
-    if (param == NULL) {
-	ssl_MapLowLevelError(SSL_ERROR_IV_PARAM_FAILURE);
-    	goto fail;
-    }
-    clientContext = PK11_CreateContextBySymKey(mechanism,
-				(ss->sec.isServer ? CKA_DECRYPT : CKA_ENCRYPT),
-				pwSpec->client.write_key, param);
-    iv.data = PK11_IVFromParam(mechanism, param, (int *)&iv.len);
-    if (iv.data)
-    	PORT_Memcpy(pwSpec->client.write_iv, iv.data, iv.len);
-    SECITEM_FreeItem(param,PR_TRUE);
-    if (clientContext == NULL) {
-	ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
-    	goto fail;
-    }
-    pwSpec->encode  = (SSLCipher) PK11_CipherOp;
-    pwSpec->decode  = (SSLCipher) PK11_CipherOp;
-    pwSpec->destroy = (SSLDestroy) PK11_DestroyContext;
-
-    pwSpec->encodeContext = (ss->sec.isServer) ? serverContext : clientContext;
-    pwSpec->decodeContext = (ss->sec.isServer) ? clientContext : serverContext;
-
-    serverContext = NULL;
-    clientContext = NULL;
-
-    return SECSuccess;
-
-fail:
-    if (serverContext != NULL) PK11_DestroyContext(serverContext, PR_TRUE);
-    if (clientContext != NULL) PK11_DestroyContext(clientContext, PR_TRUE);
-    if (pwSpec->client.write_mac_context != NULL) {
-    	PK11_DestroyContext(pwSpec->client.write_mac_context,PR_TRUE);
-	pwSpec->client.write_mac_context = NULL;
-    }
-    if (pwSpec->server.write_mac_context != NULL) {
-    	PK11_DestroyContext(pwSpec->server.write_mac_context,PR_TRUE);
-	pwSpec->server.write_mac_context = NULL;
-    }
-
-    return SECFailure;
-}
-
-/* Complete the initialization of all keys, ciphers, MACs and their contexts
- * for the pending Cipher Spec.
- * Called from: ssl3_SendClientKeyExchange 	(for Full handshake)
- *              ssl3_HandleRSAClientKeyExchange	(for Full handshake)
- *              ssl3_HandleServerHello		(for session restart)
- *              ssl3_HandleClientHello		(for session restart)
- * Sets error code, but caller probably should override to disambiguate.
- * NULL pms means re-use old master_secret.
- *
- * This code is common to the bypass and PKCS11 execution paths.
- * For the bypass case,  pms is NULL.
- */
-SECStatus
-ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms)
-{
-    ssl3CipherSpec  *  pwSpec;
-    SECStatus          rv;
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-
-    ssl_GetSpecWriteLock(ss);	/**************************************/
-
-    PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
-
-    pwSpec        = ss->ssl3.pwSpec;
-
-    if (pms || (!pwSpec->msItem.len && !pwSpec->master_secret)) {
-	rv = ssl3_DeriveMasterSecret(ss, pms);
-	if (rv != SECSuccess) {
-	    goto done;  /* err code set by ssl3_DeriveMasterSecret */
-	}
-    }
-    if (pwSpec->msItem.len && pwSpec->msItem.data) {
-	/* Double Bypass */
-	const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
-	PRBool             isTLS   = (PRBool)(kea_def->tls_keygen ||
-                                (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
-	pwSpec->bypassCiphers = PR_TRUE;
-	rv = ssl3_KeyAndMacDeriveBypass( pwSpec, 
-			     (const unsigned char *)&ss->ssl3.hs.client_random,
-			     (const unsigned char *)&ss->ssl3.hs.server_random,
-			     isTLS, 
-			     (PRBool)(kea_def->is_limited));
-	if (rv == SECSuccess) {
-	    rv = ssl3_InitPendingContextsBypass(ss);
-	}
-    } else if (pwSpec->master_secret) {
-	rv = ssl3_DeriveConnectionKeysPKCS11(ss);
-	if (rv == SECSuccess) {
-	    rv = ssl3_InitPendingContextsPKCS11(ss);
-	}
-    } else {
-	PORT_Assert(pwSpec->master_secret);
-	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	rv = SECFailure;
-    }
-
-done:
-    ssl_ReleaseSpecWriteLock(ss);	/******************************/
-    if (rv != SECSuccess)
-	ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
-    return rv;
-}
-
-/*
- * 60 bytes is 3 times the maximum length MAC size that is supported.
- */
-static const unsigned char mac_pad_1 [60] = {
-    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
-    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
-    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
-    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
-    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
-    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
-    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
-    0x36, 0x36, 0x36, 0x36
-};
-static const unsigned char mac_pad_2 [60] = {
-    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
-    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
-    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
-    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
-    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
-    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
-    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
-    0x5c, 0x5c, 0x5c, 0x5c
-};
-
-/* Called from: ssl3_SendRecord()
-**		ssl3_HandleRecord()
-** Caller must already hold the SpecReadLock. (wish we could assert that!)
-*/
-static SECStatus
-ssl3_ComputeRecordMAC(
-    ssl3CipherSpec *   spec,
-    PRBool             useServerMacKey,
-    SSL3ContentType    type,
-    SSL3ProtocolVersion version,
-    SSL3SequenceNumber seq_num,
-    const SSL3Opaque * input,
-    int                inputLength,
-    unsigned char *    outbuf,
-    unsigned int *     outLength)
-{
-    const ssl3MACDef * mac_def;
-    SECStatus          rv;
-    PRBool             isTLS;
-    unsigned int       tempLen;
-    unsigned char      temp[MAX_MAC_LENGTH];
-
-    temp[0] = (unsigned char)(seq_num.high >> 24);
-    temp[1] = (unsigned char)(seq_num.high >> 16);
-    temp[2] = (unsigned char)(seq_num.high >>  8);
-    temp[3] = (unsigned char)(seq_num.high >>  0);
-    temp[4] = (unsigned char)(seq_num.low  >> 24);
-    temp[5] = (unsigned char)(seq_num.low  >> 16);
-    temp[6] = (unsigned char)(seq_num.low  >>  8);
-    temp[7] = (unsigned char)(seq_num.low  >>  0);
-    temp[8] = type;
-
-    /* TLS MAC includes the record's version field, SSL's doesn't.
-    ** We decide which MAC defintiion to use based on the version of 
-    ** the protocol that was negotiated when the spec became current,
-    ** NOT based on the version value in the record itself.
-    ** But, we use the record'v version value in the computation.
-    */
-    if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
-	temp[9]  = MSB(inputLength);
-	temp[10] = LSB(inputLength);
-	tempLen  = 11;
-	isTLS    = PR_FALSE;
-    } else {
-    	/* New TLS hash includes version. */
-	temp[9]  = MSB(version);
-	temp[10] = LSB(version);
-	temp[11] = MSB(inputLength);
-	temp[12] = LSB(inputLength);
-	tempLen  = 13;
-	isTLS    = PR_TRUE;
-    }
-
-    PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen));
-    PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength));
-
-    mac_def = spec->mac_def;
-    if (mac_def->mac == mac_null) {
-	*outLength = 0;
-	return SECSuccess;
-    }
-    if (! spec->bypassCiphers) {
-	PK11Context *mac_context = 
-	    (useServerMacKey ? spec->server.write_mac_context
-	                     : spec->client.write_mac_context);
-	rv  = PK11_DigestBegin(mac_context);
-	rv |= PK11_DigestOp(mac_context, temp, tempLen);
-	rv |= PK11_DigestOp(mac_context, input, inputLength);
-	rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size);
-    } else {
-	/* bypass version */
-	const SECHashObject *hashObj = NULL;
-	unsigned int       pad_bytes;
-	PRUint64           write_mac_context[MAX_MAC_CONTEXT_LLONGS];
-
-	switch (mac_def->mac) {
-	case ssl_mac_null:
-	    *outLength = 0;
-	    return SECSuccess;
-	case ssl_mac_md5:
-	    pad_bytes = 48;
-	    hashObj = HASH_GetRawHashObject(HASH_AlgMD5);
-	    break;
-	case ssl_mac_sha:
-	    pad_bytes = 40;
-	    hashObj = HASH_GetRawHashObject(HASH_AlgSHA1);
-	    break;
-	case ssl_hmac_md5: /* used with TLS */
-	    hashObj = HASH_GetRawHashObject(HASH_AlgMD5);
-	    break;
-	case ssl_hmac_sha: /* used with TLS */
-	    hashObj = HASH_GetRawHashObject(HASH_AlgSHA1);
-	    break;
-	default:
-	    break;
-	}
-	if (!hashObj) {
-	    PORT_Assert(0);
-	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	    return SECFailure;
-	}
-
-	if (!isTLS) {
-	    /* compute "inner" part of SSL3 MAC */
-	    hashObj->begin(write_mac_context);
-	    if (useServerMacKey)
-		hashObj->update(write_mac_context, 
-				spec->server.write_mac_key_item.data,
-				spec->server.write_mac_key_item.len);
-	    else
-		hashObj->update(write_mac_context, 
-				spec->client.write_mac_key_item.data,
-				spec->client.write_mac_key_item.len);
-	    hashObj->update(write_mac_context, mac_pad_1, pad_bytes);
-	    hashObj->update(write_mac_context, temp,  tempLen);
-	    hashObj->update(write_mac_context, input, inputLength);
-	    hashObj->end(write_mac_context,    temp, &tempLen, sizeof temp);
-
-	    /* compute "outer" part of SSL3 MAC */
-	    hashObj->begin(write_mac_context);
-	    if (useServerMacKey)
-		hashObj->update(write_mac_context, 
-				spec->server.write_mac_key_item.data,
-				spec->server.write_mac_key_item.len);
-	    else
-		hashObj->update(write_mac_context, 
-				spec->client.write_mac_key_item.data,
-				spec->client.write_mac_key_item.len);
-	    hashObj->update(write_mac_context, mac_pad_2, pad_bytes);
-	    hashObj->update(write_mac_context, temp, tempLen);
-	    hashObj->end(write_mac_context, outbuf, outLength, spec->mac_size);
-	    rv = SECSuccess;
-	} else { /* is TLS */
-#define cx ((HMACContext *)write_mac_context)
-	    if (useServerMacKey) {
-		rv = HMAC_Init(cx, hashObj, 
-			       spec->server.write_mac_key_item.data,
-			       spec->server.write_mac_key_item.len, PR_FALSE);
-	    } else {
-		rv = HMAC_Init(cx, hashObj, 
-			       spec->client.write_mac_key_item.data,
-			       spec->client.write_mac_key_item.len, PR_FALSE);
-	    }
-	    if (rv == SECSuccess) {
-		HMAC_Begin(cx);
-		HMAC_Update(cx, temp, tempLen);
-		HMAC_Update(cx, input, inputLength);
-		rv = HMAC_Finish(cx, outbuf, outLength, spec->mac_size);
-		HMAC_Destroy(cx, PR_FALSE);
-	    }
-#undef cx
-	}
-    }
-
-    PORT_Assert(rv != SECSuccess || *outLength == (unsigned)spec->mac_size);
-
-    PRINT_BUF(95, (NULL, "frag hash2: result", outbuf, *outLength));
-
-    if (rv != SECSuccess) {
-    	rv = SECFailure;
-	ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
-    }
-    return rv;
-}
-
-static PRBool
-ssl3_ClientAuthTokenPresent(sslSessionID *sid) {
-    PK11SlotInfo *slot = NULL;
-    PRBool isPresent = PR_TRUE;
-
-    /* we only care if we are doing client auth */
-    if (!sid || !sid->u.ssl3.clAuthValid) {
-	return PR_TRUE;
-    }
-
-    /* get the slot */
-    slot = SECMOD_LookupSlot(sid->u.ssl3.clAuthModuleID,
-	                     sid->u.ssl3.clAuthSlotID);
-    if (slot == NULL ||
-	!PK11_IsPresent(slot) ||
-	sid->u.ssl3.clAuthSeries     != PK11_GetSlotSeries(slot) ||
-	sid->u.ssl3.clAuthSlotID     != PK11_GetSlotID(slot)     ||
-	sid->u.ssl3.clAuthModuleID   != PK11_GetModuleID(slot)   ||
-	(PK11_NeedLogin(slot) && !PK11_IsLoggedIn(slot, NULL))) {
-	isPresent = PR_FALSE;
-    } 
-    if (slot) {
-	PK11_FreeSlot(slot);
-    }
-    return isPresent;
-}
-
-/* Process the plain text before sending it.
- * Returns the number of bytes of plaintext that were succesfully sent
- * 	plus the number of bytes of plaintext that were copied into the
- *	output (write) buffer.
- * Returns SECFailure on a hard IO error, memory error, or crypto error.
- * Does NOT return SECWouldBlock.
- */
-static PRInt32
-ssl3_SendRecord(   sslSocket *        ss,
-                   SSL3ContentType    type,
-		   const SSL3Opaque * buf,
-		   PRInt32            bytes,
-		   PRInt32            flags)
-{
-    ssl3CipherSpec *          cwSpec;
-    sslBuffer      *          write 	  = &ss->sec.writeBuf;
-    const ssl3BulkCipherDef * cipher_def;
-    SECStatus                 rv;
-    PRUint32                  bufSize     =  0;
-    PRInt32                   sent        =  0;
-    PRBool                    isBlocking  = ssl_SocketIsBlocking(ss);
-
-    SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s bytes=%d",
-		SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type),
-		bytes));
-    PRINT_BUF(3, (ss, "Send record (plain text)", buf, bytes));
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
-
-    if (ss->ssl3.initialized == PR_FALSE) {
-	/* This can happen on a server if the very first incoming record
-	** looks like a defective ssl3 record (e.g. too long), and we're
-	** trying to send an alert.
-	*/
-	PR_ASSERT(type == content_alert);
-	rv = ssl3_InitState(ss);
-	if (rv != SECSuccess) {
-	    return SECFailure;	/* ssl3_InitState has set the error code. */
-    	}
-    }
-
-    /* check for Token Presence */
-    if (!ssl3_ClientAuthTokenPresent(ss->sec.ci.sid)) {
-	PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
-	return SECFailure;
-    }
-
-    while (bytes > 0) {
-    	PRInt32   count;
-	PRUint32  contentLen;
-	PRUint32  fragLen;
-	PRUint32  macLen;
-	PRInt32   cipherBytes =  0;
-	PRUint32  p1Len, p2Len, oddLen = 0;
-
-	contentLen = PR_MIN(bytes, MAX_FRAGMENT_LENGTH);
-	if (write->space < contentLen + SSL3_BUFFER_FUDGE) {
-	    rv = sslBuffer_Grow(write, contentLen + SSL3_BUFFER_FUDGE);
-	    if (rv != SECSuccess) {
-		SSL_DBG(("%d: SSL3[%d]: SendRecord, tried to get %d bytes",
-			 SSL_GETPID(), ss->fd, contentLen + SSL3_BUFFER_FUDGE));
-		return SECFailure; /* sslBuffer_Grow set a memory error code. */
-	    }
-	}
-
-	/* This variable records the actual size of the buffer allocated above.
-	 * Some algorithms may expand the number of bytes needed to send data. 
-	 * If we only supply the output buffer with the same number
-	 * of bytes as the input buffer, we will fail.
-	 */
-	bufSize = contentLen + SSL3_BUFFER_FUDGE;
-
-	/*
-	 * null compression is easy to do
-	PORT_Memcpy(write->buf + SSL3_RECORD_HEADER_LENGTH, buf, contentLen);
-	 */
-
-	ssl_GetSpecReadLock(ss);	/********************************/
-
-	cwSpec = ss->ssl3.cwSpec;
-	cipher_def = cwSpec->cipher_def;
-	/*
-	 * Add the MAC
-	 */
-	rv = ssl3_ComputeRecordMAC( cwSpec, (PRBool)(ss->sec.isServer),
-	    type, cwSpec->version, cwSpec->write_seq_num, buf, contentLen,
-	    write->buf + contentLen + SSL3_RECORD_HEADER_LENGTH, &macLen);
-	if (rv != SECSuccess) {
-	    ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
-	    goto spec_locked_loser;
-	}
-	p1Len   = contentLen;
-	p2Len   = macLen;
-	fragLen = contentLen + macLen;	/* needs to be encrypted */
-	PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024);
-
-	/*
-	 * Pad the text (if we're doing a block cipher)
-	 * then Encrypt it
-	 */
-	if (cipher_def->type == type_block) {
-	    unsigned char * pBuf;
-	    int             padding_length;
-	    int             i;
-
-	    oddLen = contentLen % cipher_def->block_size;
-	    /* Assume blockSize is a power of two */
-	    padding_length = cipher_def->block_size - 1 -
-		((fragLen) & (cipher_def->block_size - 1));
-	    fragLen += padding_length + 1;
-	    PORT_Assert((fragLen % cipher_def->block_size) == 0);
-
-	    /* Pad according to TLS rules (also acceptable to SSL3). */
-	    pBuf = &write->buf[fragLen + SSL3_RECORD_HEADER_LENGTH - 1];
-	    for (i = padding_length + 1; i > 0; --i) {
-	    	*pBuf-- = padding_length;
-	    }
-	    /* now, if contentLen is not a multiple of block size, fix it */
-	    p2Len = fragLen - p1Len;
-	}
-	if (p1Len < 256) {
-	    oddLen = p1Len;
-	    p1Len = 0;
-	} else {
-	    p1Len -= oddLen;
-	}
-	if (oddLen) {
-	    p2Len += oddLen;
-	    PORT_Assert( (cipher_def->block_size < 2) || \
-			 (p2Len % cipher_def->block_size) == 0);
-	    memcpy(write->buf + SSL3_RECORD_HEADER_LENGTH + p1Len,
-		   buf + p1Len, oddLen);
-	}
-	if (p1Len > 0) {
-	    rv = cwSpec->encode( cwSpec->encodeContext, 
-		write->buf + SSL3_RECORD_HEADER_LENGTH, /* output */
-		&cipherBytes,                           /* actual outlen */
-		p1Len,                                  /* max outlen */
-		buf, p1Len);                      /* input, and inputlen */
-	    PORT_Assert(rv == SECSuccess && cipherBytes == p1Len);
-	    if (rv != SECSuccess || cipherBytes != p1Len) {
-		PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
-		goto spec_locked_loser;
-	    }
-	}
-	if (p2Len > 0) {
-	    PRInt32 cipherBytesPart2 = -1;
-	    rv = cwSpec->encode( cwSpec->encodeContext, 
-		write->buf + SSL3_RECORD_HEADER_LENGTH + p1Len,
-		&cipherBytesPart2,          /* output and actual outLen */
-		p2Len,                             /* max outlen */
-		write->buf + SSL3_RECORD_HEADER_LENGTH + p1Len,
-		p2Len);                            /* input and inputLen*/
-	    PORT_Assert(rv == SECSuccess && cipherBytesPart2 == p2Len);
-	    if (rv != SECSuccess || cipherBytesPart2 != p2Len) {
-		PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
-		    goto spec_locked_loser;
-		}
-	    cipherBytes += cipherBytesPart2;
-	}	
-	if (rv != SECSuccess) {
-	    ssl_MapLowLevelError(SSL_ERROR_ENCRYPTION_FAILURE);
-spec_locked_loser:
-	    ssl_ReleaseSpecReadLock(ss);
-	    return SECFailure;
-	}
-	PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024);
-
-	/*
-	 * XXX should we zero out our copy of the buffer after compressing
-	 * and encryption ??
-	 */
-
-	ssl3_BumpSequenceNumber(&cwSpec->write_seq_num);
-
-	ssl_ReleaseSpecReadLock(ss); /************************************/
-
-	buf   += contentLen;
-	bytes -= contentLen;
-	PORT_Assert( bytes >= 0 );
-
-	/* PORT_Assert(fragLen == cipherBytes); */
-	write->len    = cipherBytes + SSL3_RECORD_HEADER_LENGTH;
-	write->buf[0] = type;
-	write->buf[1] = MSB(cwSpec->version);
-	write->buf[2] = LSB(cwSpec->version);
-	write->buf[3] = MSB(cipherBytes);
-	write->buf[4] = LSB(cipherBytes);
-
-	PRINT_BUF(50, (ss, "send (encrypted) record data:", write->buf, write->len));
-
-	/* If there's still some previously saved ciphertext,
-	 * or the caller doesn't want us to send the data yet,
-	 * then add all our new ciphertext to the amount previously saved.
-	 */
-	if ((ss->pendingBuf.len > 0) ||
-	    (flags & ssl_SEND_FLAG_FORCE_INTO_BUFFER)) {
-
-	    rv = ssl_SaveWriteData(ss, &ss->pendingBuf,
-				   write->buf, write->len);
-	    if (rv != SECSuccess) {
-		/* presumably a memory error, SEC_ERROR_NO_MEMORY */
-		return SECFailure;
-	    }
-	    write->len = 0;	/* All cipher text is saved away. */
-
-	    if (!(flags & ssl_SEND_FLAG_FORCE_INTO_BUFFER)) {
-
-		ss->handshakeBegun = 1;
-		count = ssl_SendSavedWriteData(ss, &ss->pendingBuf,
-		                               &ssl_DefSend);
-		if (count < 0 && PR_GetError() != PR_WOULD_BLOCK_ERROR) {
-		    ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE);
-		    return SECFailure;
-		}
-	    }
-	} else if (write->len > 0) {
-	    ss->handshakeBegun = 1;
-	    count = ssl_DefSend(ss, write->buf, write->len,
-				flags & ~ssl_SEND_FLAG_MASK);
-	    if (count < 0) {
-		if (PR_GetError() != PR_WOULD_BLOCK_ERROR) {
-		    ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE);
-		    return (sent > 0) ? sent : SECFailure;
-		}
-		/* we got PR_WOULD_BLOCK_ERROR, which means none was sent. */
-		count = 0;
-	    }
-	    /* now take all the remaining unsent newly-generated ciphertext and
-	     * append it to the buffer of previously unsent ciphertext.
-	     */
-	    if ((unsigned)count < write->len) {
-		rv = ssl_SaveWriteData(ss, &ss->pendingBuf,
-				       write->buf + (unsigned)count,
-				       write->len - (unsigned)count);
-		if (rv != SECSuccess) {
-		    /* presumably a memory error, SEC_ERROR_NO_MEMORY */
-		    return SECFailure;
-		}
-	    }
-	    write->len = 0;
-	}
-	sent += contentLen;
-	if ((flags & ssl_SEND_FLAG_NO_BUFFER) &&
-	    (isBlocking || (ss->pendingBuf.len > 0))) {
-	    break;
-	}
-    }
-    return sent;
-}
-
-/* Attempt to send the content of "in" in an SSL application_data record.
- * Returns "len" or SECFailure,   never SECWouldBlock, nor SECSuccess.
- */
-int
-ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in,
-			 PRInt32 len, PRInt32 flags)
-{
-    PRInt32   sent	= 0;
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
-
-    while (len > 0) {
-	PRInt32   count;
-
-	if (sent > 0) {
-	    /*
-	     * The thread yield is intended to give the reader thread a
-	     * chance to get some cycles while the writer thread is in
-	     * the middle of a large application data write.  (See
-	     * Bugzilla bug 127740, comment #1.)
-	     */
-	    ssl_ReleaseXmitBufLock(ss);
-	    PR_Sleep(PR_INTERVAL_NO_WAIT);	/* PR_Yield(); */
-	    ssl_GetXmitBufLock(ss);
-	}
-	count = ssl3_SendRecord(ss, content_application_data, in, len,
-	                           flags | ssl_SEND_FLAG_NO_BUFFER);
-	if (count < 0) {
-	    return (sent > 0) ? sent : count;
-				    /* error code set by ssl3_SendRecord */
-	}
-	sent += count;
-	len  -= count;
-	in   += count;
-    }
-    return sent;
-}
-
-/* Attempt to send the content of sendBuf buffer in an SSL handshake record.
- * This function returns SECSuccess or SECFailure, never SECWouldBlock.
- * It used to always set sendBuf.len to 0, even when returning SECFailure.
- * Now it does not.
- *
- * Called from SSL3_SendAlert(), ssl3_SendChangeCipherSpecs(),
- *             ssl3_AppendHandshake(), ssl3_SendClientHello(),
- *             ssl3_SendHelloRequest(), ssl3_SendServerHelloDone(),
- *             ssl3_SendFinished(),
- */
-static SECStatus
-ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags)
-{
-    PRInt32 rv;
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
-
-    if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len)
-	return SECSuccess;
-
-    rv = ssl3_SendRecord(ss, content_handshake, ss->sec.ci.sendBuf.buf,
-			 ss->sec.ci.sendBuf.len, flags);
-    if (rv < 0) {
-	return (SECStatus)rv;	/* error code set by ssl3_SendRecord */
-    }
-    ss->sec.ci.sendBuf.len = 0;
-    return SECSuccess;
-}
-
-/*
- * Called from ssl3_HandleAlert and from ssl3_HandleCertificate when
- * the remote client sends a negative response to our certificate request.
- * Returns SECFailure if the application has required client auth.
- *         SECSuccess otherwise.
- */
-static SECStatus
-ssl3_HandleNoCertificate(sslSocket *ss)
-{
-    if (ss->sec.peerCert != NULL) {
-	if (ss->sec.peerKey != NULL) {
-	    SECKEY_DestroyPublicKey(ss->sec.peerKey);
-	    ss->sec.peerKey = NULL;
-	}
-	CERT_DestroyCertificate(ss->sec.peerCert);
-	ss->sec.peerCert = NULL;
-    }
-    ssl3_CleanupPeerCerts(ss);
-
-    /* If the server has required client-auth blindly but doesn't
-     * actually look at the certificate it won't know that no
-     * certificate was presented so we shutdown the socket to ensure
-     * an error.  We only do this if we haven't already completed the
-     * first handshake because if we're redoing the handshake we 
-     * know the server is paying attention to the certificate.
-     */
-    if ((ss->opt.requireCertificate == SSL_REQUIRE_ALWAYS) ||
-	(!ss->firstHsDone && 
-	 (ss->opt.requireCertificate == SSL_REQUIRE_FIRST_HANDSHAKE))) {
-	PRFileDesc * lower;
-
-	ss->sec.uncache(ss->sec.ci.sid);
-	SSL3_SendAlert(ss, alert_fatal, bad_certificate);
-
-	lower = ss->fd->lower;
-#ifdef _WIN32
-	lower->methods->shutdown(lower, PR_SHUTDOWN_SEND);
-#else
-	lower->methods->shutdown(lower, PR_SHUTDOWN_BOTH);
-#endif
-	PORT_SetError(SSL_ERROR_NO_CERTIFICATE);
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-/************************************************************************
- * Alerts
- */
-
-/*
-** Acquires both handshake and XmitBuf locks.
-** Called from: ssl3_IllegalParameter	<-
-**              ssl3_HandshakeFailure	<-
-**              ssl3_HandleAlert	<- ssl3_HandleRecord.
-**              ssl3_HandleChangeCipherSpecs <- ssl3_HandleRecord
-**              ssl3_ConsumeHandshakeVariable <-
-**              ssl3_HandleHelloRequest	<-
-**              ssl3_HandleServerHello	<-
-**              ssl3_HandleServerKeyExchange <-
-**              ssl3_HandleCertificateRequest <-
-**              ssl3_HandleServerHelloDone <-
-**              ssl3_HandleClientHello	<-
-**              ssl3_HandleV2ClientHello <-
-**              ssl3_HandleCertificateVerify <-
-**              ssl3_HandleClientKeyExchange <-
-**              ssl3_HandleCertificate	<-
-**              ssl3_HandleFinished	<-
-**              ssl3_HandleHandshakeMessage <-
-**              ssl3_HandleRecord	<-
-**
-*/
-SECStatus
-SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level, SSL3AlertDescription desc)
-{
-    uint8 	bytes[2];
-    SECStatus	rv;
-
-    SSL_TRC(3, ("%d: SSL3[%d]: send alert record, level=%d desc=%d",
-		SSL_GETPID(), ss->fd, level, desc));
-
-    bytes[0] = level;
-    bytes[1] = desc;
-
-    ssl_GetSSL3HandshakeLock(ss);
-    if (level == alert_fatal) {
-	if (ss->sec.ci.sid) {
-	    ss->sec.uncache(ss->sec.ci.sid);
-	}
-    }
-    ssl_GetXmitBufLock(ss);
-    rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
-    if (rv == SECSuccess) {
-	PRInt32 sent;
-	sent = ssl3_SendRecord(ss, content_alert, bytes, 2, 
-			       desc == no_certificate 
-			       ? ssl_SEND_FLAG_FORCE_INTO_BUFFER : 0);
-	rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
-    }
-    ssl_ReleaseXmitBufLock(ss);
-    ssl_ReleaseSSL3HandshakeLock(ss);
-    return rv;	/* error set by ssl3_FlushHandshake or ssl3_SendRecord */
-}
-
-/*
- * Send illegal_parameter alert.  Set generic error number.
- */
-static SECStatus
-ssl3_IllegalParameter(sslSocket *ss)
-{
-    PRBool isTLS;
-
-    isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
-    (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
-    PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
-                                   : SSL_ERROR_BAD_SERVER );
-    return SECFailure;
-}
-
-/*
- * Send handshake_Failure alert.  Set generic error number.
- */
-static SECStatus
-ssl3_HandshakeFailure(sslSocket *ss)
-{
-    (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);
-    PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
-                                    : SSL_ERROR_BAD_SERVER );
-    return SECFailure;
-}
-
-/*
- * Send handshake_Failure alert.  Set generic error number.
- */
-static SECStatus
-ssl3_DecodeError(sslSocket *ss)
-{
-    (void)SSL3_SendAlert(ss, alert_fatal, 
-		  ss->version > SSL_LIBRARY_VERSION_3_0 ? decode_error 
-							: illegal_parameter);
-    PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
-                                    : SSL_ERROR_BAD_SERVER );
-    return SECFailure;
-}
-
-/* Called from ssl3_HandleRecord.
-** Caller must hold both RecvBuf and Handshake locks.
-*/
-static SECStatus
-ssl3_HandleAlert(sslSocket *ss, sslBuffer *buf)
-{
-    SSL3AlertLevel       level;
-    SSL3AlertDescription desc;
-    int                  error;
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-
-    SSL_TRC(3, ("%d: SSL3[%d]: handle alert record", SSL_GETPID(), ss->fd));
-
-    if (buf->len != 2) {
-	(void)ssl3_DecodeError(ss);
-	PORT_SetError(SSL_ERROR_RX_MALFORMED_ALERT);
-	return SECFailure;
-    }
-    level = (SSL3AlertLevel)buf->buf[0];
-    desc  = (SSL3AlertDescription)buf->buf[1];
-    buf->len = 0;
-    SSL_TRC(5, ("%d: SSL3[%d] received alert, level = %d, description = %d",
-        SSL_GETPID(), ss->fd, level, desc));
-
-    switch (desc) {
-    case close_notify:		ss->recvdCloseNotify = 1;
-		        	error = SSL_ERROR_CLOSE_NOTIFY_ALERT;     break;
-    case unexpected_message: 	error = SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT;
-									  break;
-    case bad_record_mac: 	error = SSL_ERROR_BAD_MAC_ALERT; 	  break;
-    case decryption_failed: 	error = SSL_ERROR_DECRYPTION_FAILED_ALERT; 
-    									  break;
-    case record_overflow: 	error = SSL_ERROR_RECORD_OVERFLOW_ALERT;  break;
-    case decompression_failure: error = SSL_ERROR_DECOMPRESSION_FAILURE_ALERT;
-									  break;
-    case handshake_failure: 	error = SSL_ERROR_HANDSHAKE_FAILURE_ALERT;
-			        					  break;
-    case no_certificate: 	error = SSL_ERROR_NO_CERTIFICATE;	  break;
-    case bad_certificate: 	error = SSL_ERROR_BAD_CERT_ALERT; 	  break;
-    case unsupported_certificate:error = SSL_ERROR_UNSUPPORTED_CERT_ALERT;break;
-    case certificate_revoked: 	error = SSL_ERROR_REVOKED_CERT_ALERT; 	  break;
-    case certificate_expired: 	error = SSL_ERROR_EXPIRED_CERT_ALERT; 	  break;
-    case certificate_unknown: 	error = SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT;
-			        					  break;
-    case illegal_parameter: 	error = SSL_ERROR_ILLEGAL_PARAMETER_ALERT;break;
-
-    /* All alerts below are TLS only. */
-    case unknown_ca: 		error = SSL_ERROR_UNKNOWN_CA_ALERT;       break;
-    case access_denied: 	error = SSL_ERROR_ACCESS_DENIED_ALERT;    break;
-    case decode_error: 		error = SSL_ERROR_DECODE_ERROR_ALERT;     break;
-    case decrypt_error: 	error = SSL_ERROR_DECRYPT_ERROR_ALERT;    break;
-    case export_restriction: 	error = SSL_ERROR_EXPORT_RESTRICTION_ALERT; 
-    									  break;
-    case protocol_version: 	error = SSL_ERROR_PROTOCOL_VERSION_ALERT; break;
-    case insufficient_security: error = SSL_ERROR_INSUFFICIENT_SECURITY_ALERT; 
-    									  break;
-    case internal_error: 	error = SSL_ERROR_INTERNAL_ERROR_ALERT;   break;
-    case user_canceled: 	error = SSL_ERROR_USER_CANCELED_ALERT;    break;
-    case no_renegotiation: 	error = SSL_ERROR_NO_RENEGOTIATION_ALERT; break;
-    default: 			error = SSL_ERROR_RX_UNKNOWN_ALERT; 	  break;
-    }
-    if (level == alert_fatal) {
-	ss->sec.uncache(ss->sec.ci.sid);
-	if ((ss->ssl3.hs.ws == wait_server_hello) &&
-	    (desc == handshake_failure)) {
-	    /* XXX This is a hack.  We're assuming that any handshake failure
-	     * XXX on the client hello is a failure to match ciphers.
-	     */
-	    error = SSL_ERROR_NO_CYPHER_OVERLAP;
-	}
-	PORT_SetError(error);
-	return SECFailure;
-    }
-    if ((desc == no_certificate) && (ss->ssl3.hs.ws == wait_client_cert)) {
-    	/* I'm a server. I've requested a client cert. He hasn't got one. */
-	SECStatus rv;
-
-	PORT_Assert(ss->sec.isServer);
-	ss->ssl3.hs.ws = wait_client_key;
-	rv = ssl3_HandleNoCertificate(ss);
-	return rv;
-    }
-    return SECSuccess;
-}
-
-/*
- * Change Cipher Specs
- * Called from ssl3_HandleServerHelloDone,
- *             ssl3_HandleClientHello,
- * and         ssl3_HandleFinished
- *
- * Acquires and releases spec write lock, to protect switching the current
- * and pending write spec pointers.
- */
-
-static SECStatus
-ssl3_SendChangeCipherSpecs(sslSocket *ss)
-{
-    uint8             change = change_cipher_spec_choice;
-    ssl3CipherSpec *  pwSpec;
-    SECStatus         rv;
-    PRInt32           sent;
-
-    SSL_TRC(3, ("%d: SSL3[%d]: send change_cipher_spec record",
-		SSL_GETPID(), ss->fd));
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-
-    rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
-    if (rv != SECSuccess) {
-	return rv;	/* error code set by ssl3_FlushHandshake */
-    }
-    sent = ssl3_SendRecord(ss, content_change_cipher_spec, &change, 1,
-                              ssl_SEND_FLAG_FORCE_INTO_BUFFER);
-    if (sent < 0) {
-	return (SECStatus)sent;	/* error code set by ssl3_SendRecord */
-    }
-
-    /* swap the pending and current write specs. */
-    ssl_GetSpecWriteLock(ss);	/**************************************/
-    pwSpec                     = ss->ssl3.pwSpec;
-    pwSpec->write_seq_num.high = 0;
-    pwSpec->write_seq_num.low  = 0;
-
-    ss->ssl3.pwSpec = ss->ssl3.cwSpec;
-    ss->ssl3.cwSpec = pwSpec;
-
-    SSL_TRC(3, ("%d: SSL3[%d] Set Current Write Cipher Suite to Pending",
-		SSL_GETPID(), ss->fd ));
-
-    /* We need to free up the contexts, keys and certs ! */
-    /* If we are really through with the old cipher spec
-     * (Both the read and write sides have changed) destroy it.
-     */
-    if (ss->ssl3.prSpec == ss->ssl3.pwSpec) {
-    	ssl3_DestroyCipherSpec(ss->ssl3.pwSpec);
-    }
-    ssl_ReleaseSpecWriteLock(ss); /**************************************/
-
-    return SECSuccess;
-}
-
-/* Called from ssl3_HandleRecord.
-** Caller must hold both RecvBuf and Handshake locks.
- *
- * Acquires and releases spec write lock, to protect switching the current
- * and pending write spec pointers.
-*/
-static SECStatus
-ssl3_HandleChangeCipherSpecs(sslSocket *ss, sslBuffer *buf)
-{
-    ssl3CipherSpec *           prSpec;
-    SSL3WaitState              ws      = ss->ssl3.hs.ws;
-    SSL3ChangeCipherSpecChoice change;
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-
-    SSL_TRC(3, ("%d: SSL3[%d]: handle change_cipher_spec record",
-		SSL_GETPID(), ss->fd));
-
-    if (ws != wait_change_cipher) {
-	(void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
-	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER);
-	return SECFailure;
-    }
-
-    if(buf->len != 1) {
-	(void)ssl3_DecodeError(ss);
-	PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
-	return SECFailure;
-    }
-    change = (SSL3ChangeCipherSpecChoice)buf->buf[0];
-    if (change != change_cipher_spec_choice) {
-	/* illegal_parameter is correct here for both SSL3 and TLS. */
-	(void)ssl3_IllegalParameter(ss);
-	PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
-	return SECFailure;
-    }
-    buf->len = 0;
-
-    /* Swap the pending and current read specs. */
-    ssl_GetSpecWriteLock(ss);   /*************************************/
-    prSpec                    = ss->ssl3.prSpec;
-    prSpec->read_seq_num.high = prSpec->read_seq_num.low = 0;
-
-    ss->ssl3.prSpec  = ss->ssl3.crSpec;
-    ss->ssl3.crSpec  = prSpec;
-    ss->ssl3.hs.ws         = wait_finished;
-
-    SSL_TRC(3, ("%d: SSL3[%d] Set Current Read Cipher Suite to Pending",
-		SSL_GETPID(), ss->fd ));
-
-    /* If we are really through with the old cipher prSpec
-     * (Both the read and write sides have changed) destroy it.
-     */
-    if (ss->ssl3.prSpec == ss->ssl3.pwSpec) {
-    	ssl3_DestroyCipherSpec(ss->ssl3.prSpec);
-    }
-    ssl_ReleaseSpecWriteLock(ss);   /*************************************/
-    return SECSuccess;
-}
-
-/* This method uses PKCS11 to derive the MS from the PMS, where PMS 
-** is a PKCS11 symkey. This is used in all cases except the 
-** "triple bypass" with RSA key exchange.
-** Called from ssl3_InitPendingCipherSpec.   prSpec is pwSpec.
-*/
-static SECStatus
-ssl3_DeriveMasterSecret(sslSocket *ss, const PK11SymKey *pms)
-{
-    ssl3CipherSpec *  pwSpec = ss->ssl3.pwSpec;
-    const ssl3KEADef *kea_def= ss->ssl3.hs.kea_def;
-    unsigned char *   cr     = (unsigned char *)&ss->ssl3.hs.client_random;
-    unsigned char *   sr     = (unsigned char *)&ss->ssl3.hs.server_random;
-    PRBool            isTLS  = (PRBool)(kea_def->tls_keygen ||
-                                (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
-    /* 
-     * Whenever isDH is true, we need to use CKM_TLS_MASTER_KEY_DERIVE_DH
-     * which, unlike CKM_TLS_MASTER_KEY_DERIVE, converts arbitrary size
-     * data into a 48-byte value. 
-     */
-    PRBool    isDH = (PRBool) ((ss->ssl3.hs.kea_def->exchKeyType == kt_dh) ||
-	                       (ss->ssl3.hs.kea_def->exchKeyType == kt_ecdh));
-    SECStatus         rv = SECFailure;
-    CK_MECHANISM_TYPE master_derive;
-    CK_MECHANISM_TYPE key_derive;
-    SECItem           params;
-    CK_FLAGS          keyFlags;
-    CK_VERSION        pms_version;
-    CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params;
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
-    PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
-    if (isTLS) {
-	if(isDH) master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH;
-	else master_derive = CKM_TLS_MASTER_KEY_DERIVE;
-	key_derive    = CKM_TLS_KEY_AND_MAC_DERIVE;
-	keyFlags      = CKF_SIGN | CKF_VERIFY;
-    } else {
-	if (isDH) master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH;
-	else master_derive = CKM_SSL3_MASTER_KEY_DERIVE;
-	key_derive    = CKM_SSL3_KEY_AND_MAC_DERIVE;
-	keyFlags      = 0;
-    }
-
-    if (pms || !pwSpec->master_secret) {
-	master_params.pVersion                     = &pms_version;
-	master_params.RandomInfo.pClientRandom     = cr;
-	master_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
-	master_params.RandomInfo.pServerRandom     = sr;
-	master_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
-
-	params.data = (unsigned char *) &master_params;
-	params.len  = sizeof master_params;
-    }
-
-    if (pms != NULL) {
-	pwSpec->master_secret = PK11_DeriveWithFlags((PK11SymKey *)pms, 
-					master_derive, &params, key_derive, 
-					CKA_DERIVE, 0, keyFlags);
-	if (!isDH && pwSpec->master_secret && ss->opt.detectRollBack) {
-	    SSL3ProtocolVersion client_version;
-	    client_version = pms_version.major << 8 | pms_version.minor;
-	    if (client_version != ss->clientHelloVersion) {
-		/* Destroy it.  Version roll-back detected. */
-		PK11_FreeSymKey(pwSpec->master_secret);
-	    	pwSpec->master_secret = NULL;
-	    }
-	}
-	if (pwSpec->master_secret == NULL) {
-	    /* Generate a faux master secret in the same slot as the old one. */
-	    PK11SlotInfo * slot = PK11_GetSlotFromKey((PK11SymKey *)pms);
-	    PK11SymKey *   fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot);
-
-	    PK11_FreeSlot(slot);
-	    if (fpms != NULL) {
-		pwSpec->master_secret = PK11_DeriveWithFlags(fpms, 
-					master_derive, &params, key_derive, 
-					CKA_DERIVE, 0, keyFlags);
-		PK11_FreeSymKey(fpms);
-	    }
-	}
-    }
-    if (pwSpec->master_secret == NULL) {
-	/* Generate a faux master secret from the internal slot. */
-	PK11SlotInfo *  slot = PK11_GetInternalSlot();
-	PK11SymKey *    fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot);
-
-	PK11_FreeSlot(slot);
-	if (fpms != NULL) {
-	    pwSpec->master_secret = PK11_DeriveWithFlags(fpms, 
-					master_derive, &params, key_derive, 
-					CKA_DERIVE, 0, keyFlags);
-	    if (pwSpec->master_secret == NULL) {
-	    	pwSpec->master_secret = fpms; /* use the fpms as the master. */
-		fpms = NULL;
-	    }
-	}
-	if (fpms) {
-	    PK11_FreeSymKey(fpms);
-    	}
-    }
-    if (pwSpec->master_secret == NULL) {
-	ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
-	return rv;
-    }
-    if (ss->opt.bypassPKCS11) {
-	SECItem * keydata;
-	/* In hope of doing a "double bypass", 
-	 * need to extract the master secret's value from the key object 
-	 * and store it raw in the sslSocket struct.
-	 */
-	rv = PK11_ExtractKeyValue(pwSpec->master_secret);
-	if (rv != SECSuccess) {
-	    return rv;
-	} 
-	/* This returns the address of the secItem inside the key struct,
-	 * not a copy or a reference.  So, there's no need to free it.
-	 */
-	keydata = PK11_GetKeyData(pwSpec->master_secret);
-	if (keydata && keydata->len <= sizeof pwSpec->raw_master_secret) {
-	    memcpy(pwSpec->raw_master_secret, keydata->data, keydata->len);
-	    pwSpec->msItem.data = pwSpec->raw_master_secret;
-	    pwSpec->msItem.len  = keydata->len;
-	} else {
-	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	    return SECFailure;
-	}
-    }
-    return SECSuccess;
-}
-
-
-/* 
- * Derive encryption and MAC Keys (and IVs) from master secret
- * Sets a useful error code when returning SECFailure.
- *
- * Called only from ssl3_InitPendingCipherSpec(),
- * which in turn is called from
- *              sendRSAClientKeyExchange        (for Full handshake)
- *              sendDHClientKeyExchange         (for Full handshake)
- *              ssl3_HandleClientKeyExchange    (for Full handshake)
- *              ssl3_HandleServerHello          (for session restart)
- *              ssl3_HandleClientHello          (for session restart)
- * Caller MUST hold the specWriteLock, and SSL3HandshakeLock.
- * ssl3_InitPendingCipherSpec does that.
- *
- */
-static SECStatus
-ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss)
-{
-    ssl3CipherSpec *         pwSpec     = ss->ssl3.pwSpec;
-    const ssl3KEADef *       kea_def    = ss->ssl3.hs.kea_def;
-    unsigned char *   cr     = (unsigned char *)&ss->ssl3.hs.client_random;
-    unsigned char *   sr     = (unsigned char *)&ss->ssl3.hs.server_random;
-    PRBool            isTLS  = (PRBool)(kea_def->tls_keygen ||
-                                (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
-    /* following variables used in PKCS11 path */
-    const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def;
-    PK11SlotInfo *         slot   = NULL;
-    PK11SymKey *           symKey = NULL;
-    void *                 pwArg  = ss->pkcs11PinArg;
-    int                    keySize;
-    CK_SSL3_KEY_MAT_PARAMS key_material_params;
-    CK_SSL3_KEY_MAT_OUT    returnedKeys;
-    CK_MECHANISM_TYPE      key_derive;
-    CK_MECHANISM_TYPE      bulk_mechanism;
-    SSLCipherAlgorithm     calg;
-    SECItem                params;
-    PRBool         skipKeysAndIVs = (PRBool)(cipher_def->calg == calg_null);
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
-    PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
-
-    if (!pwSpec->master_secret) {
-	PORT_SetError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
-	return SECFailure;
-    }
-    /*
-     * generate the key material
-     */
-    key_material_params.ulMacSizeInBits = pwSpec->mac_size           * BPB;
-    key_material_params.ulKeySizeInBits = cipher_def->secret_key_size* BPB;
-    key_material_params.ulIVSizeInBits  = cipher_def->iv_size        * BPB;
-
-    key_material_params.bIsExport = (CK_BBOOL)(kea_def->is_limited);
-    /* was:	(CK_BBOOL)(cipher_def->keygen_mode != kg_strong); */
-
-    key_material_params.RandomInfo.pClientRandom     = cr;
-    key_material_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
-    key_material_params.RandomInfo.pServerRandom     = sr;
-    key_material_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
-    key_material_params.pReturnedKeyMaterial         = &returnedKeys;
-
-    returnedKeys.pIVClient = pwSpec->client.write_iv;
-    returnedKeys.pIVServer = pwSpec->server.write_iv;
-    keySize                = cipher_def->key_size;
-
-    if (skipKeysAndIVs) {
-	keySize                             = 0;
-        key_material_params.ulKeySizeInBits = 0;
-        key_material_params.ulIVSizeInBits  = 0;
-    	returnedKeys.pIVClient              = NULL;
-    	returnedKeys.pIVServer              = NULL;
-    }
-
-    calg = cipher_def->calg;
-    PORT_Assert(     alg2Mech[calg].calg == calg);
-    bulk_mechanism = alg2Mech[calg].cmech;
-
-    params.data    = (unsigned char *)&key_material_params;
-    params.len     = sizeof(key_material_params);
-
-    if (isTLS) {
-	key_derive    = CKM_TLS_KEY_AND_MAC_DERIVE;
-    } else {
-	key_derive    = CKM_SSL3_KEY_AND_MAC_DERIVE;
-    }
-
-    /* CKM_SSL3_KEY_AND_MAC_DERIVE is defined to set ENCRYPT, DECRYPT, and
-     * DERIVE by DEFAULT */
-    symKey = PK11_Derive(pwSpec->master_secret, key_derive, &params,
-                         bulk_mechanism, CKA_ENCRYPT, keySize);
-    if (!symKey) {
-	ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
-	return SECFailure;
-    }
-    /* we really should use the actual mac'ing mechanism here, but we
-     * don't because these types are used to map keytype anyway and both
-     * mac's map to the same keytype.
-     */
-    slot  = PK11_GetSlotFromKey(symKey);
-
-    PK11_FreeSlot(slot); /* slot is held until the key is freed */
-    pwSpec->client.write_mac_key =
-    	PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
-	    CKM_SSL3_SHA1_MAC, returnedKeys.hClientMacSecret, PR_TRUE, pwArg);
-    if (pwSpec->client.write_mac_key == NULL ) {
-	goto loser;	/* loser sets err */
-    }
-    pwSpec->server.write_mac_key =
-    	PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
-	    CKM_SSL3_SHA1_MAC, returnedKeys.hServerMacSecret, PR_TRUE, pwArg);
-    if (pwSpec->server.write_mac_key == NULL ) {
-	goto loser;	/* loser sets err */
-    }
-    if (!skipKeysAndIVs) {
-	pwSpec->client.write_key =
-		PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
-		     bulk_mechanism, returnedKeys.hClientKey, PR_TRUE, pwArg);
-	if (pwSpec->client.write_key == NULL ) {
-	    goto loser;	/* loser sets err */
-	}
-	pwSpec->server.write_key =
-		PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
-		     bulk_mechanism, returnedKeys.hServerKey, PR_TRUE, pwArg);
-	if (pwSpec->server.write_key == NULL ) {
-	    goto loser;	/* loser sets err */
-	}
-    }
-    PK11_FreeSymKey(symKey);
-    return SECSuccess;
-
-
-loser:
-    if (symKey) PK11_FreeSymKey(symKey);
-    ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
-    return SECFailure;
-}
-
-/*
- * Handshake messages
- */
-/* Called from	ssl3_AppendHandshake()
-**		ssl3_StartHandshakeHash()
-**		ssl3_HandleV2ClientHello()
-**		ssl3_HandleHandshakeMessage()
-** Caller must hold the ssl3Handshake lock.
-*/
-static SECStatus
-ssl3_UpdateHandshakeHashes(sslSocket *ss, unsigned char *b, unsigned int l)
-{
-    SECStatus  rv = SECSuccess;
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-
-    PRINT_BUF(90, (NULL, "MD5 & SHA handshake hash input:", b, l));
-
-    if (ss->opt.bypassPKCS11) {
-	MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l);
-	SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l);
-	return rv;
-    }
-    rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l);
-    if (rv != SECSuccess) {
-	ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
-	return rv;
-    }
-    rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l);
-    if (rv != SECSuccess) {
-	ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
-	return rv;
-    }
-    return rv;
-}
-
-/**************************************************************************
- * Append Handshake functions.
- * All these functions set appropriate error codes.
- * Most rely on ssl3_AppendHandshake to set the error code.
- **************************************************************************/
-SECStatus
-ssl3_AppendHandshake(sslSocket *ss, const void *void_src, PRInt32 bytes)
-{
-    unsigned char *  src  = (unsigned char *)void_src;
-    int              room = ss->sec.ci.sendBuf.space - ss->sec.ci.sendBuf.len;
-    SECStatus        rv;
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); /* protects sendBuf. */
-
-    if (ss->sec.ci.sendBuf.space < MAX_SEND_BUF_LENGTH && room < bytes) {
-	rv = sslBuffer_Grow(&ss->sec.ci.sendBuf, PR_MAX(MIN_SEND_BUF_LENGTH,
-		 PR_MIN(MAX_SEND_BUF_LENGTH, ss->sec.ci.sendBuf.len + bytes)));
-	if (rv != SECSuccess)
-	    return rv;	/* sslBuffer_Grow has set a memory error code. */
-	room = ss->sec.ci.sendBuf.space - ss->sec.ci.sendBuf.len;
-    }
-
-    PRINT_BUF(60, (ss, "Append to Handshake", (unsigned char*)void_src, bytes));
-    rv = ssl3_UpdateHandshakeHashes(ss, src, bytes);
-    if (rv != SECSuccess)
-	return rv;	/* error code set by ssl3_UpdateHandshakeHashes */
-
-    while (bytes > room) {
-	if (room > 0)
-	    PORT_Memcpy(ss->sec.ci.sendBuf.buf + ss->sec.ci.sendBuf.len, src, 
-	                room);
-	ss->sec.ci.sendBuf.len += room;
-	rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
-	if (rv != SECSuccess) {
-	    return rv;	/* error code set by ssl3_FlushHandshake */
-	}
-	bytes -= room;
-	src += room;
-	room = ss->sec.ci.sendBuf.space;
-	PORT_Assert(ss->sec.ci.sendBuf.len == 0);
-    }
-    PORT_Memcpy(ss->sec.ci.sendBuf.buf + ss->sec.ci.sendBuf.len, src, bytes);
-    ss->sec.ci.sendBuf.len += bytes;
-    return SECSuccess;
-}
-
-static SECStatus
-ssl3_AppendHandshakeNumber(sslSocket *ss, PRInt32 num, PRInt32 lenSize)
-{
-    SECStatus rv;
-    uint8     b[4];
-    uint8 *   p = b;
-
-    switch (lenSize) {
-      case 4:
-	*p++ = (num >> 24) & 0xff;
-      case 3:
-	*p++ = (num >> 16) & 0xff;
-      case 2:
-	*p++ = (num >> 8) & 0xff;
-      case 1:
-	*p = num & 0xff;
-    }
-    SSL_TRC(60, ("%d: number:", SSL_GETPID()));
-    rv = ssl3_AppendHandshake(ss, &b[0], lenSize);
-    return rv;	/* error code set by AppendHandshake, if applicable. */
-}
-
-SECStatus
-ssl3_AppendHandshakeVariable(
-    sslSocket *ss, const SSL3Opaque *src, PRInt32 bytes, PRInt32 lenSize)
-{
-    SECStatus rv;
-
-    PORT_Assert((bytes < (1<<8) && lenSize == 1) ||
-	      (bytes < (1L<<16) && lenSize == 2) ||
-	      (bytes < (1L<<24) && lenSize == 3));
-
-    SSL_TRC(60,("%d: append variable:", SSL_GETPID()));
-    rv = ssl3_AppendHandshakeNumber(ss, bytes, lenSize);
-    if (rv != SECSuccess) {
-	return rv;	/* error code set by AppendHandshake, if applicable. */
-    }
-    SSL_TRC(60, ("data:"));
-    rv = ssl3_AppendHandshake(ss, src, bytes);
-    return rv;	/* error code set by AppendHandshake, if applicable. */
-}
-
-SECStatus
-ssl3_AppendHandshakeHeader(sslSocket *ss, SSL3HandshakeType t, PRUint32 length)
-{
-    SECStatus rv;
-
-    SSL_TRC(30,("%d: SSL3[%d]: append handshake header: type %s",
-    	SSL_GETPID(), ss->fd, ssl3_DecodeHandshakeType(t)));
-    PRINT_BUF(60, (ss, "MD5 handshake hash:",
-    	          (unsigned char*)ss->ssl3.hs.md5_cx, MD5_LENGTH));
-    PRINT_BUF(95, (ss, "SHA handshake hash:",
-    	          (unsigned char*)ss->ssl3.hs.sha_cx, SHA1_LENGTH));
-
-    rv = ssl3_AppendHandshakeNumber(ss, t, 1);
-    if (rv != SECSuccess) {
-    	return rv;	/* error code set by AppendHandshake, if applicable. */
-    }
-    rv = ssl3_AppendHandshakeNumber(ss, length, 3);
-    return rv;		/* error code set by AppendHandshake, if applicable. */
-}
-
-/**************************************************************************
- * Consume Handshake functions.
- *
- * All data used in these functions is protected by two locks,
- * the RecvBufLock and the SSL3HandshakeLock
- **************************************************************************/
-
-/* Read up the next "bytes" number of bytes from the (decrypted) input
- * stream "b" (which is *length bytes long). Copy them into buffer "v".
- * Reduces *length by bytes.  Advances *b by bytes.
- *
- * If this function returns SECFailure, it has already sent an alert,
- * and has set a generic error code.  The caller should probably
- * override the generic error code by setting another.
- */
-SECStatus
-ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRInt32 bytes, SSL3Opaque **b,
-		      PRUint32 *length)
-{
-    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-
-    if ((PRUint32)bytes > *length) {
-	return ssl3_DecodeError(ss);
-    }
-    PORT_Memcpy(v, *b, bytes);
-    PRINT_BUF(60, (ss, "consume bytes:", *b, bytes));
-    *b      += bytes;
-    *length -= bytes;
-    return SECSuccess;
-}
-
-/* Read up the next "bytes" number of bytes from the (decrypted) input
- * stream "b" (which is *length bytes long), and interpret them as an
- * integer in network byte order.  Returns the received value.
- * Reduces *length by bytes.  Advances *b by bytes.
- *
- * Returns SECFailure (-1) on failure.
- * This value is indistinguishable from the equivalent received value.
- * Only positive numbers are to be received this way.
- * Thus, the largest value that may be sent this way is 0x7fffffff.
- * On error, an alert has been sent, and a generic error code has been set.
- */
-static PRInt32
-ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRInt32 bytes, SSL3Opaque **b,
-			    PRUint32 *length)
-{
-    uint8     *buf = *b;
-    int       i;
-    PRInt32   num = 0;
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-    PORT_Assert( bytes <= sizeof num);
-
-    if ((PRUint32)bytes > *length) {
-	return ssl3_DecodeError(ss);
-    }
-    PRINT_BUF(60, (ss, "consume bytes:", *b, bytes));
-
-    for (i = 0; i < bytes; i++)
-	num = (num << 8) + buf[i];
-    *b      += bytes;
-    *length -= bytes;
-    return num;
-}
-
-/* Read in two values from the incoming decrypted byte stream "b", which is
- * *length bytes long.  The first value is a number whose size is "bytes"
- * bytes long.  The second value is a byte-string whose size is the value
- * of the first number received.  The latter byte-string, and its length,
- * is returned in the SECItem i.
- *
- * Returns SECFailure (-1) on failure.
- * On error, an alert has been sent, and a generic error code has been set.
- *
- * RADICAL CHANGE for NSS 3.11.  All callers of this function make copies 
- * of the data returned in the SECItem *i, so making a copy of it here
- * is simply wasteful.  So, This function now just sets SECItem *i to 
- * point to the values in the buffer **b.
- */
-SECStatus
-ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i, PRInt32 bytes,
-			      SSL3Opaque **b, PRUint32 *length)
-{
-    PRInt32   count;
-
-    PORT_Assert(bytes <= 3);
-    i->len  = 0;
-    i->data = NULL;
-    count = ssl3_ConsumeHandshakeNumber(ss, bytes, b, length);
-    if (count < 0) { 		/* Can't test for SECSuccess here. */
-    	return SECFailure;
-    }
-    if (count > 0) {
-	if ((PRUint32)count > *length) {
-	    return ssl3_DecodeError(ss);
-	}
-	i->data = *b;
-	i->len  = count;
-	*b      += count;
-	*length -= count;
-    }
-    return SECSuccess;
-}
-
-/**************************************************************************
- * end of Consume Handshake functions.
- **************************************************************************/
-
-/* Extract the hashes of handshake messages to this point.
- * Called from ssl3_SendCertificateVerify
- *             ssl3_SendFinished
- *             ssl3_HandleHandshakeMessage
- *
- * Caller must hold the SSL3HandshakeLock.
- * Caller must hold a read or write lock on the Spec R/W lock.
- *	(There is presently no way to assert on a Read lock.)
- */
-static SECStatus
-ssl3_ComputeHandshakeHashes(sslSocket *     ss,
-                            ssl3CipherSpec *spec,   /* uses ->master_secret */
-			    SSL3Hashes *    hashes, /* output goes here. */
-			    uint32          sender)
-{
-    SECStatus     rv        = SECSuccess;
-    PRBool        isTLS     = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0);
-    unsigned int  outLength;
-    SSL3Opaque    md5_inner[MAX_MAC_LENGTH];
-    SSL3Opaque    sha_inner[MAX_MAC_LENGTH];
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-
-    if (ss->opt.bypassPKCS11) {
-	/* compute them without PKCS11 */
-	PRUint64      md5_cx[MAX_MAC_CONTEXT_LLONGS];
-	PRUint64      sha_cx[MAX_MAC_CONTEXT_LLONGS];
-
-#define md5cx ((MD5Context *)md5_cx)
-#define shacx ((SHA1Context *)sha_cx)
-
-	if (!spec->msItem.data) {
-	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
-	    return SECFailure;
-	}
-
-	MD5_Clone (md5cx,  (MD5Context *)ss->ssl3.hs.md5_cx);
-	SHA1_Clone(shacx, (SHA1Context *)ss->ssl3.hs.sha_cx);
-
-	if (!isTLS) {
-	    /* compute hashes for SSL3. */
-	    unsigned char s[4];
-
-	    s[0] = (unsigned char)(sender >> 24);
-	    s[1] = (unsigned char)(sender >> 16);
-	    s[2] = (unsigned char)(sender >> 8);
-	    s[3] = (unsigned char)sender;
-
-	    if (sender != 0) {
-		MD5_Update(md5cx, s, 4);
-		PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4));
-	    }
-
-	    PRINT_BUF(95, (NULL, "MD5 inner: MAC Pad 1", mac_pad_1, 
-			    mac_defs[mac_md5].pad_size));
-
-	    MD5_Update(md5cx, spec->msItem.data, spec->msItem.len);
-	    MD5_Update(md5cx, mac_pad_1, mac_defs[mac_md5].pad_size);
-	    MD5_End(md5cx, md5_inner, &outLength, MD5_LENGTH);
-
-	    PRINT_BUF(95, (NULL, "MD5 inner: result", md5_inner, outLength));
-
-	    if (sender != 0) {
-		SHA1_Update(shacx, s, 4);
-		PRINT_BUF(95, (NULL, "SHA inner: sender", s, 4));
-	    }
-
-	    PRINT_BUF(95, (NULL, "SHA inner: MAC Pad 1", mac_pad_1, 
-			    mac_defs[mac_sha].pad_size));
-
-	    SHA1_Update(shacx, spec->msItem.data, spec->msItem.len);
-	    SHA1_Update(shacx, mac_pad_1, mac_defs[mac_sha].pad_size);
-	    SHA1_End(shacx, sha_inner, &outLength, SHA1_LENGTH);
-
-	    PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength));
-	    PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2, 
-			    mac_defs[mac_md5].pad_size));
-	    PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH));
-
-	    MD5_Begin(md5cx);
-	    MD5_Update(md5cx, spec->msItem.data, spec->msItem.len);
-	    MD5_Update(md5cx, mac_pad_2, mac_defs[mac_md5].pad_size);
-	    MD5_Update(md5cx, md5_inner, MD5_LENGTH);
-	}
-	MD5_End(md5cx, hashes->md5, &outLength, MD5_LENGTH);
-
-	PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->md5, MD5_LENGTH));
-
-	if (!isTLS) {
-	    PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2, 
-			    mac_defs[mac_sha].pad_size));
-	    PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH));
-
-	    SHA1_Begin(shacx);
-	    SHA1_Update(shacx, spec->msItem.data, spec->msItem.len);
-	    SHA1_Update(shacx, mac_pad_2, mac_defs[mac_sha].pad_size);
-	    SHA1_Update(shacx, sha_inner, SHA1_LENGTH);
-	}
-	SHA1_End(shacx, hashes->sha, &outLength, SHA1_LENGTH);
-
-	PRINT_BUF(60, (NULL, "SHA outer: result", hashes->sha, SHA1_LENGTH));
-
-	rv = SECSuccess;
-#undef md5cx
-#undef shacx
-    } else {
-	/* compute hases with PKCS11 */
-	PK11Context * md5;
-	PK11Context * sha       = NULL;
-	unsigned char *md5StateBuf = NULL;
-	unsigned char *shaStateBuf = NULL;
-	unsigned int  md5StateLen, shaStateLen;
-	unsigned char md5StackBuf[256];
-	unsigned char shaStackBuf[512];
-
-	if (!spec->master_secret) {
-	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
-	    return SECFailure;
-	}
-
-	md5StateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.md5, md5StackBuf,
-					    sizeof md5StackBuf, &md5StateLen);
-	if (md5StateBuf == NULL) {
-	    ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
-	    goto loser;
-	}
-	md5 = ss->ssl3.hs.md5;
-
-	shaStateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.sha, shaStackBuf,
-					    sizeof shaStackBuf, &shaStateLen);
-	if (shaStateBuf == NULL) {
-	    ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
-	    goto loser;
-	}
-	sha = ss->ssl3.hs.sha;
-
-	if (!isTLS) {
-	    /* compute hashes for SSL3. */
-	    unsigned char s[4];
-
-	    s[0] = (unsigned char)(sender >> 24);
-	    s[1] = (unsigned char)(sender >> 16);
-	    s[2] = (unsigned char)(sender >> 8);
-	    s[3] = (unsigned char)sender;
-
-	    if (sender != 0) {
-		rv |= PK11_DigestOp(md5, s, 4);
-		PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4));
-	    }
-
-	    PRINT_BUF(95, (NULL, "MD5 inner: MAC Pad 1", mac_pad_1, 
-			  mac_defs[mac_md5].pad_size));
-
-	    rv |= PK11_DigestKey(md5,spec->master_secret);
-	    rv |= PK11_DigestOp(md5, mac_pad_1, mac_defs[mac_md5].pad_size);
-	    rv |= PK11_DigestFinal(md5, md5_inner, &outLength, MD5_LENGTH);
-	    PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH);
-	    if (rv != SECSuccess) {
-		ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
-		rv = SECFailure;
-		goto loser;
-	    }
-
-	    PRINT_BUF(95, (NULL, "MD5 inner: result", md5_inner, outLength));
-
-	    if (sender != 0) {
-		rv |= PK11_DigestOp(sha, s, 4);
-		PRINT_BUF(95, (NULL, "SHA inner: sender", s, 4));
-	    }
-
-	    PRINT_BUF(95, (NULL, "SHA inner: MAC Pad 1", mac_pad_1, 
-			  mac_defs[mac_sha].pad_size));
-
-	    rv |= PK11_DigestKey(sha, spec->master_secret);
-	    rv |= PK11_DigestOp(sha, mac_pad_1, mac_defs[mac_sha].pad_size);
-	    rv |= PK11_DigestFinal(sha, sha_inner, &outLength, SHA1_LENGTH);
-	    PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH);
-	    if (rv != SECSuccess) {
-		ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
-		rv = SECFailure;
-		goto loser;
-	    }
-
-	    PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength));
-
-	    PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2, 
-			  mac_defs[mac_md5].pad_size));
-	    PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH));
-
-	    rv |= PK11_DigestBegin(md5);
-	    rv |= PK11_DigestKey(md5, spec->master_secret);
-	    rv |= PK11_DigestOp(md5, mac_pad_2, mac_defs[mac_md5].pad_size);
-	    rv |= PK11_DigestOp(md5, md5_inner, MD5_LENGTH);
-	}
-	rv |= PK11_DigestFinal(md5, hashes->md5, &outLength, MD5_LENGTH);
-	PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH);
-	if (rv != SECSuccess) {
-	    ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
-	    rv = SECFailure;
-	    goto loser;
-	}
-
-	PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->md5, MD5_LENGTH));
-
-	if (!isTLS) {
-	    PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2, 
-			  mac_defs[mac_sha].pad_size));
-	    PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH));
-
-	    rv |= PK11_DigestBegin(sha);
-	    rv |= PK11_DigestKey(sha,spec->master_secret);
-	    rv |= PK11_DigestOp(sha, mac_pad_2, mac_defs[mac_sha].pad_size);
-	    rv |= PK11_DigestOp(sha, sha_inner, SHA1_LENGTH);
-	}
-	rv |= PK11_DigestFinal(sha, hashes->sha, &outLength, SHA1_LENGTH);
-	PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH);
-	if (rv != SECSuccess) {
-	    ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
-	    rv = SECFailure;
-	    goto loser;
-	}
-
-	PRINT_BUF(60, (NULL, "SHA outer: result", hashes->sha, SHA1_LENGTH));
-
-	rv = SECSuccess;
-
-    loser:
-	if (md5StateBuf) {
-	    if (PK11_RestoreContext(ss->ssl3.hs.md5, md5StateBuf, md5StateLen)
-		 != SECSuccess) 
-	    {
-		ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
-		rv = SECFailure;
-	    }
-	    if (md5StateBuf != md5StackBuf) {
-		PORT_ZFree(md5StateBuf, md5StateLen);
-	    }
-	}
-	if (shaStateBuf) {
-	    if (PK11_RestoreContext(ss->ssl3.hs.sha, shaStateBuf, shaStateLen)
-		 != SECSuccess) 
-	    {
-		ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
-		rv = SECFailure;
-	    }
-	    if (shaStateBuf != shaStackBuf) {
-		PORT_ZFree(shaStateBuf, shaStateLen);
-	    }
-	}
-    }
-    return rv;
-}
-
-/*
- * SSL 2 based implementations pass in the initial outbound buffer
- * so that the handshake hash can contain the included information.
- *
- * Called from ssl2_BeginClientHandshake() in sslcon.c
- */
-SECStatus
-ssl3_StartHandshakeHash(sslSocket *ss, unsigned char * buf, int length)
-{
-    SECStatus rv;
-
-    ssl_GetSSL3HandshakeLock(ss);  /**************************************/
-
-    rv = ssl3_InitState(ss);
-    if (rv != SECSuccess) {
-	goto done;		/* ssl3_InitState has set the error code. */
-    }
-
-    PORT_Memset(&ss->ssl3.hs.client_random, 0, SSL3_RANDOM_LENGTH);
-    PORT_Memcpy(
-	&ss->ssl3.hs.client_random.rand[SSL3_RANDOM_LENGTH - SSL_CHALLENGE_BYTES],
-	&ss->sec.ci.clientChallenge,
-	SSL_CHALLENGE_BYTES);
-
-    rv = ssl3_UpdateHandshakeHashes(ss, buf, length);
-    /* if it failed, ssl3_UpdateHandshakeHashes has set the error code. */
-
-done:
-    ssl_ReleaseSSL3HandshakeLock(ss);  /**************************************/
-    return rv;
-}
-
-/**************************************************************************
- * end of Handshake Hash functions.
- * Begin Send and Handle functions for handshakes.
- **************************************************************************/
-
-/* Called from ssl3_HandleHelloRequest(),
- *             ssl3_HandleFinished() (for step-up)
- *             ssl3_RedoHandshake()
- *             ssl2_BeginClientHandshake (when resuming ssl3 session)
- */
-SECStatus
-ssl3_SendClientHello(sslSocket *ss)
-{
-    sslSessionID *   sid;
-    ssl3CipherSpec * cwSpec;
-    SECStatus        rv;
-    int              i;
-    int              length;
-    int              num_suites;
-    int              actual_count = 0;
-
-    SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(),
-		ss->fd));
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
-
-    rv = ssl3_InitState(ss);
-    if (rv != SECSuccess) {
-	return rv;		/* ssl3_InitState has set the error code. */
-    }
-
-    SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
-	    SSL_GETPID(), ss->fd ));
-    if (ss->opt.bypassPKCS11) {
-	MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx);
-	SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx);
-    } else {
-	rv = PK11_DigestBegin(ss->ssl3.hs.md5);
-	if (rv != SECSuccess) {
-	    ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
-	    return rv;
-	}
-	rv = PK11_DigestBegin(ss->ssl3.hs.sha);
-	if (rv != SECSuccess) {
-	    ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
-	    return rv;
-	}
-    }
-    /* We ignore ss->sec.ci.sid here, and use ssl_Lookup because Lookup
-     * handles expired entries and other details.
-     * XXX If we've been called from ssl2_BeginClientHandshake, then
-     * this lookup is duplicative and wasteful.
-     */
-    sid = (ss->opt.noCache) ? NULL
-	    : ssl_LookupSID(&ss->sec.ci.peer, ss->sec.ci.port, ss->peerID, ss->url);
-
-    /* We can't resume based on a different token. If the sid exists,
-     * make sure the token that holds the master secret still exists ...
-     * If we previously did client-auth, make sure that the token that holds
-     * the private key still exists, is logged in, hasn't been removed, etc.
-     */
-    if (sid) {
-	PRBool sidOK = PR_TRUE;
-	if (sid->u.ssl3.keys.msIsWrapped) {
-	    /* Session key was wrapped, which means it was using PKCS11, */
-	    PK11SlotInfo *slot = NULL;
-	    if (sid->u.ssl3.masterValid && !ss->opt.bypassPKCS11) {
-		slot = SECMOD_LookupSlot(sid->u.ssl3.masterModuleID,
-					 sid->u.ssl3.masterSlotID);
-	    }
-	    if (slot == NULL) {
-	       sidOK = PR_FALSE;
-	    } else {
-		PK11SymKey *wrapKey = NULL;
-		if (!PK11_IsPresent(slot) ||
-		    ((wrapKey = PK11_GetWrapKey(slot, 
-						sid->u.ssl3.masterWrapIndex,
-						sid->u.ssl3.masterWrapMech,
-						sid->u.ssl3.masterWrapSeries,
-						ss->pkcs11PinArg)) == NULL) ) {
-		    sidOK = PR_FALSE;
-		}
-		if (wrapKey) PK11_FreeSymKey(wrapKey);
-		PK11_FreeSlot(slot);
-		slot = NULL;
-	    }
-	}
-	/* If we previously did client-auth, make sure that the token that
-	** holds the private key still exists, is logged in, hasn't been
-	** removed, etc.
-	*/
-	if (sidOK && !ssl3_ClientAuthTokenPresent(sid)) {
-	    sidOK = PR_FALSE;
-	}
-
-	if (!sidOK) {
-	    ++ssl3stats.sch_sid_cache_not_ok;
-	    (*ss->sec.uncache)(sid);
-	    ssl_FreeSID(sid);
-	    sid = NULL;
-	}
-    }
-
-    if (sid) {
-	++ssl3stats.sch_sid_cache_hits;
-
-	rv = ssl3_NegotiateVersion(ss, sid->version);
-	if (rv != SECSuccess)
-	    return rv;	/* error code was set */
-
-	PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID,
-		      sid->u.ssl3.sessionIDLength));
-
-	ss->ssl3.policy = sid->u.ssl3.policy;
-    } else {
-	++ssl3stats.sch_sid_cache_misses;
-
-	rv = ssl3_NegotiateVersion(ss, SSL_LIBRARY_VERSION_3_1_TLS);
-	if (rv != SECSuccess)
-	    return rv;	/* error code was set */
-
-	sid = ssl3_NewSessionID(ss, PR_FALSE);
-	if (!sid) {
-	    return SECFailure;	/* memory error is set */
-        }
-    }
-
-    ssl_GetSpecWriteLock(ss);
-    cwSpec = ss->ssl3.cwSpec;
-    if (cwSpec->mac_def->mac == mac_null) {
-	/* SSL records are not being MACed. */
-	cwSpec->version = ss->version;
-    }
-    ssl_ReleaseSpecWriteLock(ss);
-
-    if (ss->sec.ci.sid != NULL) {
-	ssl_FreeSID(ss->sec.ci.sid);	/* decrement ref count, free if zero */
-    }
-    ss->sec.ci.sid = sid;
-
-    ss->sec.send = ssl3_SendApplicationData;
-
-    /* shouldn't get here if SSL3 is disabled, but ... */
-    PORT_Assert(ss->opt.enableSSL3 || ss->opt.enableTLS);
-    if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) {
-	PORT_SetError(SSL_ERROR_SSL_DISABLED);
-    	return SECFailure;
-    }
-
-    /* how many suites does our PKCS11 support (regardless of policy)? */
-    num_suites = ssl3_config_match_init(ss);
-    if (!num_suites)
-    	return SECFailure;	/* ssl3_config_match_init has set error code. */
-
-    /* how many suites are permitted by policy and user preference? */
-    num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE);
-    if (!num_suites)
-    	return SECFailure;	/* count_cipher_suites has set error code. */
-
-    length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH +
-	1 + ((sid == NULL) ? 0 : sid->u.ssl3.sessionIDLength) +
-	2 + num_suites*sizeof(ssl3CipherSuite) +
-	1 + compressionMethodsCount;
-
-    rv = ssl3_AppendHandshakeHeader(ss, client_hello, length);
-    if (rv != SECSuccess) {
-	return rv;	/* err set by ssl3_AppendHandshake* */
-    }
-
-    ss->clientHelloVersion = ss->version;
-    rv = ssl3_AppendHandshakeNumber(ss, ss->clientHelloVersion, 2);
-    if (rv != SECSuccess) {
-	return rv;	/* err set by ssl3_AppendHandshake* */
-    }
-    rv = ssl3_GetNewRandom(&ss->ssl3.hs.client_random);
-    if (rv != SECSuccess) {
-	return rv;	/* err set by GetNewRandom. */
-    }
-    rv = ssl3_AppendHandshake(ss, &ss->ssl3.hs.client_random,
-                              SSL3_RANDOM_LENGTH);
-    if (rv != SECSuccess) {
-	return rv;	/* err set by ssl3_AppendHandshake* */
-    }
-
-    if (sid)
-	rv = ssl3_AppendHandshakeVariable(
-	    ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1);
-    else
-	rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
-    if (rv != SECSuccess) {
-	return rv;	/* err set by ssl3_AppendHandshake* */
-    }
-
-    rv = ssl3_AppendHandshakeNumber(ss, num_suites*sizeof(ssl3CipherSuite), 2);
-    if (rv != SECSuccess) {
-	return rv;	/* err set by ssl3_AppendHandshake* */
-    }
-
-
-    for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
-	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
-	if (config_match(suite, ss->ssl3.policy, PR_TRUE)) {
-	    actual_count++;
-	    if (actual_count > num_suites) {
-		/* set error card removal/insertion error */
-		PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
-		return SECFailure;
-	    }
-	    rv = ssl3_AppendHandshakeNumber(ss, suite->cipher_suite,
-					    sizeof(ssl3CipherSuite));
-	    if (rv != SECSuccess) {
-		return rv;	/* err set by ssl3_AppendHandshake* */
-	    }
-	}
-    }
-
-    /* if cards were removed or inserted between count_cipher_suites and
-     * generating our list, detect the error here rather than send it off to
-     * the server.. */
-    if (actual_count != num_suites) {
-	/* Card removal/insertion error */
-	PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
-	return SECFailure;
-    }
-
-    rv = ssl3_AppendHandshakeNumber(ss, compressionMethodsCount, 1);
-    if (rv != SECSuccess) {
-	return rv;	/* err set by ssl3_AppendHandshake* */
-    }
-    for (i = 0; i < compressionMethodsCount; i++) {
-	rv = ssl3_AppendHandshakeNumber(ss, compressions[i], 1);
-	if (rv != SECSuccess) {
-	    return rv;	/* err set by ssl3_AppendHandshake* */
-	}
-    }
-
-    rv = ssl3_FlushHandshake(ss, 0);
-    if (rv != SECSuccess) {
-	return rv;	/* error code set by ssl3_FlushHandshake */
-    }
-
-    ss->ssl3.hs.ws = wait_server_hello;
-    return rv;
-}
-
-
-/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
- * ssl3 Hello Request.
- * Caller must hold Handshake and RecvBuf locks.
- */
-static SECStatus
-ssl3_HandleHelloRequest(sslSocket *ss)
-{
-    sslSessionID *sid = ss->sec.ci.sid;
-    SECStatus     rv;
-
-    SSL_TRC(3, ("%d: SSL3[%d]: handle hello_request handshake",
-		SSL_GETPID(), ss->fd));
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-
-    if (ss->ssl3.hs.ws == wait_server_hello)
-	return SECSuccess;
-    if (ss->ssl3.hs.ws != idle_handshake || ss->sec.isServer) {
-	(void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
-	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST);
-	return SECFailure;
-    }
-    if (sid) {
-	ss->sec.uncache(sid);
-	ssl_FreeSID(sid);
-	ss->sec.ci.sid = NULL;
-    }
-
-    ssl_GetXmitBufLock(ss);
-    rv = ssl3_SendClientHello(ss);
-    ssl_ReleaseXmitBufLock(ss);
-
-    return rv;
-}
-
-#define UNKNOWN_WRAP_MECHANISM 0x7fffffff
-
-static const CK_MECHANISM_TYPE wrapMechanismList[SSL_NUM_WRAP_MECHS] = {
-    CKM_DES3_ECB,
-    CKM_CAST5_ECB,
-    CKM_DES_ECB,
-    CKM_KEY_WRAP_LYNKS,
-    CKM_IDEA_ECB,
-    CKM_CAST3_ECB,
-    CKM_CAST_ECB,
-    CKM_RC5_ECB,
-    CKM_RC2_ECB,
-    CKM_CDMF_ECB,
-    CKM_SKIPJACK_WRAP,
-    CKM_SKIPJACK_CBC64,
-    UNKNOWN_WRAP_MECHANISM
-};
-
-static int
-ssl_FindIndexByWrapMechanism(CK_MECHANISM_TYPE mech)
-{
-    const CK_MECHANISM_TYPE *pMech = wrapMechanismList;
-
-    while (mech != *pMech && *pMech != UNKNOWN_WRAP_MECHANISM) {
-    	++pMech;
-    }
-    return (*pMech == UNKNOWN_WRAP_MECHANISM) ? -1
-                                              : (pMech - wrapMechanismList);
-}
-
-static PK11SymKey *
-ssl_UnwrapSymWrappingKey(
-	SSLWrappedSymWrappingKey *pWswk,
-	SECKEYPrivateKey *        svrPrivKey,
-	SSL3KEAType               exchKeyType,
-	CK_MECHANISM_TYPE         masterWrapMech,
-	void *                    pwArg)
-{
-    PK11SymKey *             unwrappedWrappingKey  = NULL;
-    SECItem                  wrappedKey;
-
-    /* found the wrapping key on disk. */
-    PORT_Assert(pWswk->symWrapMechanism == masterWrapMech);
-    PORT_Assert(pWswk->exchKeyType      == exchKeyType);
-    if (pWswk->symWrapMechanism != masterWrapMech ||
-	pWswk->exchKeyType      != exchKeyType) {
-	goto loser;
-    }
-    wrappedKey.type = siBuffer;
-    wrappedKey.data = pWswk->wrappedSymmetricWrappingkey;
-    wrappedKey.len  = pWswk->wrappedSymKeyLen;
-    PORT_Assert(wrappedKey.len <= sizeof pWswk->wrappedSymmetricWrappingkey);
-
-    switch (exchKeyType) {
-
-    case kt_rsa:
-	unwrappedWrappingKey =
-	    PK11_PubUnwrapSymKey(svrPrivKey, &wrappedKey,
-				 masterWrapMech, CKA_UNWRAP, 0);
-	break;
-    default:
-	/* Assert? */
-	SET_ERROR_CODE
-	goto loser;
-    }
-loser:
-    return unwrappedWrappingKey;
-}
-
-/* Each process sharing the server session ID cache has its own array of
- * SymKey pointers for the symmetric wrapping keys that are used to wrap
- * the master secrets.  There is one key for each KEA type.  These Symkeys
- * correspond to the wrapped SymKeys kept in the server session cache.
- */
-
-typedef struct {
-    PK11SymKey *      symWrapKey[kt_kea_size];
-} ssl3SymWrapKey;
-
-static PZLock *          symWrapKeysLock = NULL;
-static ssl3SymWrapKey    symWrapKeys[SSL_NUM_WRAP_MECHS];
-
-SECStatus
-SSL3_ShutdownServerCache(void)
-{
-    int             i, j;
-
-    if (!symWrapKeysLock)
-    	return SECSuccess;	/* was never initialized */
-    PZ_Lock(symWrapKeysLock);
-    /* get rid of all symWrapKeys */
-    for (i = 0; i < SSL_NUM_WRAP_MECHS; ++i) {
-    	for (j = 0; j < kt_kea_size; ++j) {
-	    PK11SymKey **   pSymWrapKey;
-	    pSymWrapKey = &symWrapKeys[i].symWrapKey[j];
-	    if (*pSymWrapKey) {
-		PK11_FreeSymKey(*pSymWrapKey);
-	    	*pSymWrapKey = NULL;
-	    }
-	}
-    }
-
-    PZ_Unlock(symWrapKeysLock);
-    return SECSuccess;
-}
-
-void ssl_InitSymWrapKeysLock(void)
-{
-    /* atomically initialize the lock */
-    if (!symWrapKeysLock)
-	nss_InitLock(&symWrapKeysLock, nssILockOther);
-}
-
-/* Try to get wrapping key for mechanism from in-memory array.
- * If that fails, look for one on disk.
- * If that fails, generate a new one, put the new one on disk,
- * Put the new key in the in-memory array.
- */
-static PK11SymKey *
-getWrappingKey( sslSocket *       ss,
-		PK11SlotInfo *    masterSecretSlot,
-		SSL3KEAType       exchKeyType,
-                CK_MECHANISM_TYPE masterWrapMech,
-	        void *            pwArg)
-{
-    CERTCertificate *        svrCert;
-    SECKEYPrivateKey *       svrPrivKey;
-    SECKEYPublicKey *        svrPubKey             = NULL;
-    PK11SymKey *             unwrappedWrappingKey  = NULL;
-    PK11SymKey **            pSymWrapKey;
-    CK_MECHANISM_TYPE        asymWrapMechanism = CKM_INVALID_MECHANISM;
-    int                      length;
-    int                      symWrapMechIndex;
-    SECStatus                rv;
-    SECItem                  wrappedKey;
-    SSLWrappedSymWrappingKey wswk;
-
-    svrPrivKey  = ss->serverCerts[exchKeyType].SERVERKEY;
-    PORT_Assert(svrPrivKey != NULL);
-    if (!svrPrivKey) {
-    	return NULL;	/* why are we here?!? */
-    }
-
-    symWrapMechIndex = ssl_FindIndexByWrapMechanism(masterWrapMech);
-    PORT_Assert(symWrapMechIndex >= 0);
-    if (symWrapMechIndex < 0)
-    	return NULL;	/* invalid masterWrapMech. */
-
-    pSymWrapKey = &symWrapKeys[symWrapMechIndex].symWrapKey[exchKeyType];
-
-    ssl_InitSymWrapKeysLock();
-
-    PZ_Lock(symWrapKeysLock);
-
-    unwrappedWrappingKey = *pSymWrapKey;
-    if (unwrappedWrappingKey != NULL) {
-	if (PK11_VerifyKeyOK(unwrappedWrappingKey)) {
-	    unwrappedWrappingKey = PK11_ReferenceSymKey(unwrappedWrappingKey);
-	    goto done;
-	}
-	/* slot series has changed, so this key is no good any more. */
-	PK11_FreeSymKey(unwrappedWrappingKey);
-	*pSymWrapKey = unwrappedWrappingKey = NULL;
-    }
-
-    /* Try to get wrapped SymWrapping key out of the (disk) cache. */
-    /* Following call fills in wswk on success. */
-    if (ssl_GetWrappingKey(symWrapMechIndex, exchKeyType, &wswk)) {
-    	/* found the wrapped sym wrapping key on disk. */
-	unwrappedWrappingKey =
-	    ssl_UnwrapSymWrappingKey(&wswk, svrPrivKey, exchKeyType,
-                                     masterWrapMech, pwArg);
-	if (unwrappedWrappingKey) {
-	    goto install;
-	}
-    }
-
-    if (!masterSecretSlot) 	/* caller doesn't want to create a new one. */
-    	goto loser;
-
-    length = PK11_GetBestKeyLength(masterSecretSlot, masterWrapMech);
-    /* Zero length means fixed key length algorithm, or error.
-     * It's ambiguous.
-     */
-    unwrappedWrappingKey = PK11_KeyGen(masterSecretSlot, masterWrapMech, NULL,
-                                       length, pwArg);
-    if (!unwrappedWrappingKey) {
-    	goto loser;
-    }
-
-    /* Prepare the buffer to receive the wrappedWrappingKey,
-     * the symmetric wrapping key wrapped using the server's pub key.
-     */
-    PORT_Memset(&wswk, 0, sizeof wswk);	/* eliminate UMRs. */
-
-    svrCert         = ss->serverCerts[exchKeyType].serverCert;
-    svrPubKey       = CERT_ExtractPublicKey(svrCert);
-    if (svrPubKey == NULL) {
-	/* CERT_ExtractPublicKey doesn't set error code */
-	PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
-    	goto loser;
-    }
-    wrappedKey.type = siBuffer;
-    wrappedKey.len  = SECKEY_PublicKeyStrength(svrPubKey);
-    wrappedKey.data = wswk.wrappedSymmetricWrappingkey;
-
-    PORT_Assert(wrappedKey.len <= sizeof wswk.wrappedSymmetricWrappingkey);
-    if (wrappedKey.len > sizeof wswk.wrappedSymmetricWrappingkey)
-    	goto loser;
-
-    /* wrap symmetric wrapping key in server's public key. */
-    switch (exchKeyType) {
-
-    case kt_rsa:
-	asymWrapMechanism = CKM_RSA_PKCS;
-	rv = PK11_PubWrapSymKey(asymWrapMechanism, svrPubKey,
-	                        unwrappedWrappingKey, &wrappedKey);
-	break;
-
-    default:
-	rv = SECFailure;
-	break;
-    }
-
-    if (rv != SECSuccess) {
-	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
-	goto loser;
-    }
-
-    PORT_Assert(asymWrapMechanism != CKM_INVALID_MECHANISM);
-
-    wswk.symWrapMechanism  = masterWrapMech;
-    wswk.symWrapMechIndex  = symWrapMechIndex;
-    wswk.asymWrapMechanism = asymWrapMechanism;
-    wswk.exchKeyType       = exchKeyType;
-    wswk.wrappedSymKeyLen  = wrappedKey.len;
-
-    /* put it on disk. */
-    /* If the wrapping key for this KEA type has already been set, 
-     * then abandon the value we just computed and 
-     * use the one we got from the disk.
-     */
-    if (ssl_SetWrappingKey(&wswk)) {
-    	/* somebody beat us to it.  The original contents of our wswk
-	 * has been replaced with the content on disk.  Now, discard
-	 * the key we just created and unwrap this new one.
-	 */
-    	PK11_FreeSymKey(unwrappedWrappingKey);
-
-	unwrappedWrappingKey =
-	    ssl_UnwrapSymWrappingKey(&wswk, svrPrivKey, exchKeyType,
-                                     masterWrapMech, pwArg);
-    }
-
-install:
-    if (unwrappedWrappingKey) {
-	*pSymWrapKey = PK11_ReferenceSymKey(unwrappedWrappingKey);
-    }
-
-loser:
-done:
-    if (svrPubKey) {
-    	SECKEY_DestroyPublicKey(svrPubKey);
-	svrPubKey = NULL;
-    }
-    PZ_Unlock(symWrapKeysLock);
-    return unwrappedWrappingKey;
-}
-
-
-/* Called from ssl3_SendClientKeyExchange(). */
-/* Presently, this always uses PKCS11.  There is no bypass for this. */
-static SECStatus
-sendRSAClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
-{
-    PK11SymKey *	pms 		= NULL;
-    SECStatus           rv    		= SECFailure;
-    SECItem 		enc_pms 	= {siBuffer, NULL, 0};
-    PRBool              isTLS;
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
-
-    /* Generate the pre-master secret ...  */
-    ssl_GetSpecWriteLock(ss);
-    isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
-
-    pms = ssl3_GenerateRSAPMS(ss, ss->ssl3.pwSpec, NULL);
-    ssl_ReleaseSpecWriteLock(ss);
-    if (pms == NULL) {
-	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
-	goto loser;
-    }
-
-    /* Get the wrapped (encrypted) pre-master secret, enc_pms */
-    enc_pms.len  = SECKEY_PublicKeyStrength(svrPubKey);
-    enc_pms.data = (unsigned char*)PORT_Alloc(enc_pms.len);
-    if (enc_pms.data == NULL) {
-	goto loser;	/* err set by PORT_Alloc */
-    }
-
-    /* wrap pre-master secret in server's public key. */
-    rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, svrPubKey, pms, &enc_pms);
-    if (rv != SECSuccess) {
-	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
-	goto loser;
-    }
-
-    rv = ssl3_InitPendingCipherSpec(ss,  pms);
-    PK11_FreeSymKey(pms); pms = NULL;
-
-    if (rv != SECSuccess) {
-	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
-	goto loser;
-    }
-
-    rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange, 
-				    isTLS ? enc_pms.len + 2 : enc_pms.len);
-    if (rv != SECSuccess) {
-	goto loser;	/* err set by ssl3_AppendHandshake* */
-    }
-    if (isTLS) {
-    	rv = ssl3_AppendHandshakeVariable(ss, enc_pms.data, enc_pms.len, 2);
-    } else {
-	rv = ssl3_AppendHandshake(ss, enc_pms.data, enc_pms.len);
-    }
-    if (rv != SECSuccess) {
-	goto loser;	/* err set by ssl3_AppendHandshake* */
-    }
-
-    rv = SECSuccess;
-
-loser:
-    if (enc_pms.data != NULL) {
-	PORT_Free(enc_pms.data);
-    }
-    if (pms != NULL) {
-    	PK11_FreeSymKey(pms);
-    }
-    return rv;
-}
-
-/* Called from ssl3_SendClientKeyExchange(). */
-/* Presently, this always uses PKCS11.  There is no bypass for this. */
-static SECStatus
-sendDHClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
-{
-    PK11SymKey *	pms 		= NULL;
-    SECStatus           rv    		= SECFailure;
-    PRBool              isTLS;
-    CK_MECHANISM_TYPE	target;
-
-    SECKEYDHParams	dhParam;		/* DH parameters */
-    SECKEYPublicKey	*pubKey = NULL;		/* Ephemeral DH key */
-    SECKEYPrivateKey	*privKey = NULL;	/* Ephemeral DH key */
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
-
-    isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
-
-    /* Copy DH parameters from server key */
-
-    dhParam.prime.data = svrPubKey->u.dh.prime.data;
-    dhParam.prime.len = svrPubKey->u.dh.prime.len;
-    dhParam.base.data = svrPubKey->u.dh.base.data;
-    dhParam.base.len = svrPubKey->u.dh.base.len;
-
-    /* Generate ephemeral DH keypair */
-    privKey = SECKEY_CreateDHPrivateKey(&dhParam, &pubKey, NULL);
-    if (!privKey || !pubKey) {
-	    ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
-	    rv = SECFailure;
-	    goto loser;
-    }
-    PRINT_BUF(50, (ss, "DH public value:",
-					pubKey->u.dh.publicValue.data,
-					pubKey->u.dh.publicValue.len));
-
-    if (isTLS) target = CKM_TLS_MASTER_KEY_DERIVE_DH;
-    else target = CKM_SSL3_MASTER_KEY_DERIVE_DH;
-
-    /* Determine the PMS */
-
-    pms = PK11_PubDerive(privKey, svrPubKey, PR_FALSE, NULL, NULL,
-			    CKM_DH_PKCS_DERIVE, target, CKA_DERIVE, 0, NULL);
-
-    if (pms == NULL) {
-	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
-	goto loser;
-    }
-
-    SECKEY_DestroyPrivateKey(privKey);
-    privKey = NULL;
-
-    rv = ssl3_InitPendingCipherSpec(ss,  pms);
-    PK11_FreeSymKey(pms); pms = NULL;
-
-    if (rv != SECSuccess) {
-	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
-	goto loser;
-    }
-
-    rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange, 
-					pubKey->u.dh.publicValue.len + 2);
-    if (rv != SECSuccess) {
-	goto loser;	/* err set by ssl3_AppendHandshake* */
-    }
-    rv = ssl3_AppendHandshakeVariable(ss, 
-					pubKey->u.dh.publicValue.data,
-					pubKey->u.dh.publicValue.len, 2);
-    SECKEY_DestroyPublicKey(pubKey);
-    pubKey = NULL;
-
-    if (rv != SECSuccess) {
-	goto loser;	/* err set by ssl3_AppendHandshake* */
-    }
-
-    rv = SECSuccess;
-
-
-loser:
-
-    if(pms) PK11_FreeSymKey(pms);
-    if(privKey) SECKEY_DestroyPrivateKey(privKey);
-    if(pubKey) SECKEY_DestroyPublicKey(pubKey);
-    return rv;
-}
-
-
-
-
-
-/* Called from ssl3_HandleServerHelloDone(). */
-static SECStatus
-ssl3_SendClientKeyExchange(sslSocket *ss)
-{
-    SECKEYPublicKey *	serverKey 	= NULL;
-    SECStatus 		rv 		= SECFailure;
-    PRBool              isTLS;
-
-    SSL_TRC(3, ("%d: SSL3[%d]: send client_key_exchange handshake",
-		SSL_GETPID(), ss->fd));
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-
-    if (ss->sec.peerKey == NULL) {
-	serverKey = CERT_ExtractPublicKey(ss->sec.peerCert);
-	if (serverKey == NULL) {
-	    PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
-	    return SECFailure;
-	}
-    } else {
-	serverKey = ss->sec.peerKey;
-	ss->sec.peerKey = NULL; /* we're done with it now */
-    }
-
-    isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
-    /* enforce limits on kea key sizes. */
-    if (ss->ssl3.hs.kea_def->is_limited) {
-	int keyLen = SECKEY_PublicKeyStrength(serverKey);	/* bytes */
-
-	if (keyLen * BPB > ss->ssl3.hs.kea_def->key_size_limit) {
-	    if (isTLS)
-		(void)SSL3_SendAlert(ss, alert_fatal, export_restriction);
-	    else
-		(void)ssl3_HandshakeFailure(ss);
-	    PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED);
-	    goto loser;
-	}
-    }
-
-    ss->sec.keaType    = ss->ssl3.hs.kea_def->exchKeyType;
-    ss->sec.keaKeyBits = SECKEY_PublicKeyStrengthInBits(serverKey);
-
-    switch (ss->ssl3.hs.kea_def->exchKeyType) {
-    case kt_rsa:
-	rv = sendRSAClientKeyExchange(ss, serverKey);
-	break;
-
-    case kt_dh:
-	rv = sendDHClientKeyExchange(ss, serverKey);
-	break;
-
-#ifdef NSS_ENABLE_ECC
-    case kt_ecdh:
-	rv = ssl3_SendECDHClientKeyExchange(ss, serverKey);
-	break;
-#endif /* NSS_ENABLE_ECC */
-
-    default:
-	/* got an unknown or unsupported Key Exchange Algorithm.  */
-	SEND_ALERT
-	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-	break;
-    }
-
-    SSL_TRC(3, ("%d: SSL3[%d]: DONE sending client_key_exchange",
-		SSL_GETPID(), ss->fd));
-
-loser:
-    if (serverKey) 
-    	SECKEY_DestroyPublicKey(serverKey);
-    return rv;	/* err code already set. */
-}
-
-/* Called from ssl3_HandleServerHelloDone(). */
-static SECStatus
-ssl3_SendCertificateVerify(sslSocket *ss)
-{
-    SECStatus     rv		= SECFailure;
-    PRBool        isTLS;
-    SECItem       buf           = {siBuffer, NULL, 0};
-    SSL3Hashes    hashes;
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-
-    SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake",
-		SSL_GETPID(), ss->fd));
-
-    ssl_GetSpecReadLock(ss);
-    rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
-    ssl_ReleaseSpecReadLock(ss);
-    if (rv != SECSuccess) {
-	goto done;	/* err code was set by ssl3_ComputeHandshakeHashes */
-    }
-
-    isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
-    rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS);
-    if (rv == SECSuccess) {
-	PK11SlotInfo * slot;
-	sslSessionID * sid   = ss->sec.ci.sid;
-
-    	/* Remember the info about the slot that did the signing.
-	** Later, when doing an SSL restart handshake, verify this.
-	** These calls are mere accessors, and can't fail.
-	*/
-	slot = PK11_GetSlotFromPrivateKey(ss->ssl3.clientPrivateKey);
-	sid->u.ssl3.clAuthSeries     = PK11_GetSlotSeries(slot);
-	sid->u.ssl3.clAuthSlotID     = PK11_GetSlotID(slot);
-	sid->u.ssl3.clAuthModuleID   = PK11_GetModuleID(slot);
-	sid->u.ssl3.clAuthValid      = PR_TRUE;
-	PK11_FreeSlot(slot);
-    }
-    /* If we're doing RSA key exchange, we're all done with the private key
-     * here.  Diffie-Hellman key exchanges need the client's
-     * private key for the key exchange.
-     */
-    if (ss->ssl3.hs.kea_def->exchKeyType == kt_rsa) {
-	SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
-	ss->ssl3.clientPrivateKey = NULL;
-    }
-    if (rv != SECSuccess) {
-	goto done;	/* err code was set by ssl3_SignHashes */
-    }
-
-    rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, buf.len + 2);
-    if (rv != SECSuccess) {
-	goto done;	/* error code set by AppendHandshake */
-    }
-    rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2);
-    if (rv != SECSuccess) {
-	goto done;	/* error code set by AppendHandshake */
-    }
-
-done:
-    if (buf.data)
-	PORT_Free(buf.data);
-    return rv;
-}
-
-/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
- * ssl3 ServerHello message.
- * Caller must hold Handshake and RecvBuf locks.
- */
-static SECStatus
-ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
-{
-    sslSessionID *sid		= ss->sec.ci.sid;
-    PRInt32       temp;		/* allow for consume number failure */
-    PRBool        suite_found   = PR_FALSE;
-    int           i;
-    int           errCode	= SSL_ERROR_RX_MALFORMED_SERVER_HELLO;
-    SECStatus     rv;
-    SECItem       sidBytes 	= {siBuffer, NULL, 0};
-    PRBool        sid_match;
-    PRBool        isTLS		= PR_FALSE;
-    SSL3AlertDescription desc   = illegal_parameter;
-    SSL3ProtocolVersion version;
-
-    SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello handshake",
-    	SSL_GETPID(), ss->fd));
-    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-
-    rv = ssl3_InitState(ss);
-    if (rv != SECSuccess) {
-	errCode = PORT_GetError(); /* ssl3_InitState has set the error code. */
-	goto alert_loser;
-    }
-    if (ss->ssl3.hs.ws != wait_server_hello) {
-        errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO;
-	desc    = unexpected_message;
-	goto alert_loser;
-    }
-
-    temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
-    if (temp < 0) {
-    	goto loser; 	/* alert has been sent */
-    }
-    version = (SSL3ProtocolVersion)temp;
-
-    /* this is appropriate since the negotiation is complete, and we only
-    ** know SSL 3.x.
-    */
-    if (MSB(version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
-    	desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version 
-						   : handshake_failure;
-	goto alert_loser;
-    }
-
-    rv = ssl3_NegotiateVersion(ss, version);
-    if (rv != SECSuccess) {
-    	desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version 
-						   : handshake_failure;
-	errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
-	goto alert_loser;
-    }
-    isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0);
-
-    rv = ssl3_ConsumeHandshake(
-	ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length);
-    if (rv != SECSuccess) {
-    	goto loser; 	/* alert has been sent */
-    }
-
-    rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length);
-    if (rv != SECSuccess) {
-    	goto loser; 	/* alert has been sent */
-    }
-    if (sidBytes.len > SSL3_SESSIONID_BYTES) {
-	if (isTLS)
-	    desc = decode_error;
-	goto alert_loser;	/* malformed. */
-    }
-
-    /* find selected cipher suite in our list. */
-    temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
-    if (temp < 0) {
-    	goto loser; 	/* alert has been sent */
-    }
-    ssl3_config_match_init(ss);
-    for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
-	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
-	if ((temp == suite->cipher_suite) &&
-	    (config_match(suite, ss->ssl3.policy, PR_TRUE))) {
-	    suite_found = PR_TRUE;
-	    break;	/* success */
-	}
-    }
-    if (!suite_found) {
-    	desc    = handshake_failure;
-	errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
-	goto alert_loser;
-    }
-    ss->ssl3.hs.cipher_suite = (ssl3CipherSuite)temp;
-    ss->ssl3.hs.suite_def    = ssl_LookupCipherSuiteDef((ssl3CipherSuite)temp);
-    PORT_Assert(ss->ssl3.hs.suite_def);
-    if (!ss->ssl3.hs.suite_def) {
-    	PORT_SetError(errCode = SEC_ERROR_LIBRARY_FAILURE);
-	goto loser;	/* we don't send alerts for our screw-ups. */
-    }
-
-    /* find selected compression method in our list. */
-    temp = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length);
-    if (temp < 0) {
-    	goto loser; 	/* alert has been sent */
-    }
-    suite_found = PR_FALSE;
-    for (i = 0; i < compressionMethodsCount; i++) {
-	if (temp == compressions[i])  {
-	    suite_found = PR_TRUE;
-	    break;	/* success */
-    	}
-    }
-    if (!suite_found) {
-    	desc    = handshake_failure;
-	errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP;
-	goto alert_loser;
-    }
-    ss->ssl3.hs.compression = (SSL3CompressionMethod)temp;
-
-#ifdef DISALLOW_SERVER_HELLO_EXTENSIONS
-    if (length != 0) {	/* malformed */
-	goto alert_loser;
-    }
-#endif
-
-    /* Any errors after this point are not "malformed" errors. */
-    desc    = handshake_failure;
-
-    /* we need to call ssl3_SetupPendingCipherSpec here so we can check the
-     * key exchange algorithm. */
-    rv = ssl3_SetupPendingCipherSpec(ss);
-    if (rv != SECSuccess) {
-	goto alert_loser;	/* error code is set. */
-    }
-
-    /* We may or may not have sent a session id, we may get one back or
-     * not and if so it may match the one we sent.
-     * Attempt to restore the master secret to see if this is so...
-     * Don't consider failure to find a matching SID an error.
-     */
-    sid_match = (PRBool)(sidBytes.len > 0 &&
-	sidBytes.len == sid->u.ssl3.sessionIDLength &&
-	!PORT_Memcmp(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len));
-
-    if (sid_match &&
-	sid->version == ss->version &&
-	sid->u.ssl3.cipherSuite == ss->ssl3.hs.cipher_suite) do {
-	ssl3CipherSpec *pwSpec = ss->ssl3.pwSpec;
-
-	PK11SlotInfo *slot;
-	PK11SymKey *  wrapKey;     /* wrapping key */
-	CK_FLAGS      keyFlags      = 0;
-
-	SECItem       wrappedMS;   /* wrapped master secret. */
-
-        ss->sec.authAlgorithm = sid->authAlgorithm;
-	ss->sec.authKeyBits   = sid->authKeyBits;
-	ss->sec.keaType       = sid->keaType;
-	ss->sec.keaKeyBits    = sid->keaKeyBits;
-
-	/* 3 cases here:
-	 * a) key is wrapped (implies using PKCS11)
-	 * b) key is unwrapped, but we're still using PKCS11
-	 * c) key is unwrapped, and we're bypassing PKCS11.
-	 */
-	if (sid->u.ssl3.keys.msIsWrapped) {
-	    if (ss->opt.bypassPKCS11) {
-		/* we cannot restart a non-bypass session in a 
-		** bypass socket.
-		*/
-		break;  
-	    }
-	    /* unwrap master secret with PKCS11 */
-	    slot = SECMOD_LookupSlot(sid->u.ssl3.masterModuleID,
-				     sid->u.ssl3.masterSlotID);
-	    if (slot == NULL) {
-		break;		/* not considered an error. */
-	    }
-	    if (!PK11_IsPresent(slot)) {
-		PK11_FreeSlot(slot);
-		break;		/* not considered an error. */
-	    }
-	    wrapKey = PK11_GetWrapKey(slot, sid->u.ssl3.masterWrapIndex,
-				      sid->u.ssl3.masterWrapMech,
-				      sid->u.ssl3.masterWrapSeries,
-				      ss->pkcs11PinArg);
-	    PK11_FreeSlot(slot);
-	    if (wrapKey == NULL) {
-		break;		/* not considered an error. */
-	    }
-
-	    if (ss->version > SSL_LIBRARY_VERSION_3_0) {	/* isTLS */
-		keyFlags = CKF_SIGN | CKF_VERIFY;
-	    }
-
-	    wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
-	    wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
-	    pwSpec->master_secret =
-		PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech, 
-			    NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE,
-			    CKA_DERIVE, sizeof(SSL3MasterSecret), keyFlags);
-	    errCode = PORT_GetError();
-	    PK11_FreeSymKey(wrapKey);
-	    if (pwSpec->master_secret == NULL) {
-		break;	/* errorCode set just after call to UnwrapSymKey. */
-	    }
-	} else if (ss->opt.bypassPKCS11) {
-	    /* MS is not wrapped */
-	    wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
-	    wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
-	    memcpy(pwSpec->raw_master_secret, wrappedMS.data, wrappedMS.len);
-	    pwSpec->msItem.data = pwSpec->raw_master_secret;
-	    pwSpec->msItem.len  = wrappedMS.len;
-	} else {
-	    /* We CAN restart a bypass session in a non-bypass socket. */
-	    /* need to import the raw master secret to session object */
-	    wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
-	    wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
-	    pwSpec->master_secret =  
-		PK11_ImportSymKey(slot, CKM_SSL3_MASTER_KEY_DERIVE, 
-				  PK11_OriginUnwrap, CKA_ENCRYPT, 
-				  &wrappedMS, NULL);
-	    PK11_FreeSlot(slot);
-	    if (pwSpec->master_secret == NULL) {
-		break; 
-	    }
-	}
-
-	/* Got a Match */
-	++ssl3stats.hsh_sid_cache_hits;
-	ss->ssl3.hs.ws         = wait_change_cipher;
-	ss->ssl3.hs.isResuming = PR_TRUE;
-
-	/* copy the peer cert from the SID */
-	if (sid->peerCert != NULL) {
-	    ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
-	}
-
-
-	/* NULL value for PMS signifies re-use of the old MS */
-	rv = ssl3_InitPendingCipherSpec(ss,  NULL);
-	if (rv != SECSuccess) {
-	    goto alert_loser;	/* err code was set */
-	}
-	return SECSuccess;
-    } while (0);
-
-    if (sid_match)
-	++ssl3stats.hsh_sid_cache_not_ok;
-    else
-	++ssl3stats.hsh_sid_cache_misses;
-
-    /* throw the old one away */
-    sid->u.ssl3.keys.resumable = PR_FALSE;
-    (*ss->sec.uncache)(sid);
-    ssl_FreeSID(sid);
-
-    /* get a new sid */
-    ss->sec.ci.sid = sid = ssl3_NewSessionID(ss, PR_FALSE);
-    if (sid == NULL) {
-	goto alert_loser;	/* memory error is set. */
-    }
-
-    sid->version = ss->version;
-    sid->u.ssl3.sessionIDLength = sidBytes.len;
-    PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len);
-
-    ss->ssl3.hs.isResuming = PR_FALSE;
-    ss->ssl3.hs.ws         = wait_server_cert;
-    return SECSuccess;
-
-alert_loser:
-    (void)SSL3_SendAlert(ss, alert_fatal, desc);
-
-loser:
-    errCode = ssl_MapLowLevelError(errCode);
-    return SECFailure;
-}
-
-/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
- * ssl3 ServerKeyExchange message.
- * Caller must hold Handshake and RecvBuf locks.
- */
-static SECStatus
-ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
-{
-    PRArenaPool *    arena     = NULL;
-    SECKEYPublicKey *peerKey   = NULL;
-    PRBool           isTLS;
-    SECStatus        rv;
-    int              errCode   = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH;
-    SSL3AlertDescription desc  = illegal_parameter;
-    SSL3Hashes       hashes;
-    SECItem          signature = {siBuffer, NULL, 0};
-
-    SSL_TRC(3, ("%d: SSL3[%d]: handle server_key_exchange handshake",
-		SSL_GETPID(), ss->fd));
-    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-
-    if (ss->ssl3.hs.ws != wait_server_key &&
-	ss->ssl3.hs.ws != wait_server_cert) {
-	errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH;
-	desc    = unexpected_message;
-	goto alert_loser;
-    }
-    if (ss->sec.peerCert == NULL) {
-	errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH;
-	desc    = unexpected_message;
-	goto alert_loser;
-    }
-
-    isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
-
-    switch (ss->ssl3.hs.kea_def->exchKeyType) {
-
-    case kt_rsa: {
-	SECItem          modulus   = {siBuffer, NULL, 0};
-	SECItem          exponent  = {siBuffer, NULL, 0};
-
-    	rv = ssl3_ConsumeHandshakeVariable(ss, &modulus, 2, &b, &length);
-    	if (rv != SECSuccess) {
-	    goto loser;		/* malformed. */
-	}
-    	rv = ssl3_ConsumeHandshakeVariable(ss, &exponent, 2, &b, &length);
-    	if (rv != SECSuccess) {
-	    goto loser;		/* malformed. */
-	}
-    	rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
-    	if (rv != SECSuccess) {
-	    goto loser;		/* malformed. */
-	}
-    	if (length != 0) {
-	    if (isTLS)
-		desc = decode_error;
-	    goto alert_loser;		/* malformed. */
-	}
-
-	/* failures after this point are not malformed handshakes. */
-	/* TLS: send decrypt_error if signature failed. */
-    	desc = isTLS ? decrypt_error : handshake_failure;
-
-    	/*
-     	 *  check to make sure the hash is signed by right guy
-     	 */
-    	rv = ssl3_ComputeExportRSAKeyHash(modulus, exponent,
-					  &ss->ssl3.hs.client_random,
-					  &ss->ssl3.hs.server_random, 
-					  &hashes, ss->opt.bypassPKCS11);
-        if (rv != SECSuccess) {
-	    errCode =
-	    	ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
-	    goto alert_loser;
-	}
-        rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
-				    isTLS, ss->pkcs11PinArg);
-	if (rv != SECSuccess)  {
-	    errCode =
-	    	ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
-	    goto alert_loser;
-	}
-
-	/*
-	 * we really need to build a new key here because we can no longer
-	 * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate
-	 * pkcs11 slots and ID's.
-	 */
-    	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-	if (arena == NULL) {
-	    goto no_memory;
-	}
-
-    	peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
-    	if (peerKey == NULL) {
-            PORT_FreeArena(arena, PR_FALSE);
-	    goto no_memory;
-	}
-
-	peerKey->arena              = arena;
-	peerKey->keyType            = rsaKey;
-	peerKey->pkcs11Slot         = NULL;
-	peerKey->pkcs11ID           = CK_INVALID_HANDLE;
-	if (SECITEM_CopyItem(arena, &peerKey->u.rsa.modulus,        &modulus) ||
-	    SECITEM_CopyItem(arena, &peerKey->u.rsa.publicExponent, &exponent))
-	{
-            PORT_FreeArena(arena, PR_FALSE);
-	    goto no_memory;
-        }
-    	ss->sec.peerKey = peerKey;
-    	ss->ssl3.hs.ws = wait_cert_request;
-    	return SECSuccess;
-    }
-
-    case kt_dh: {
-	SECItem          dh_p      = {siBuffer, NULL, 0};
-	SECItem          dh_g      = {siBuffer, NULL, 0};
-	SECItem          dh_Ys     = {siBuffer, NULL, 0};
-
-    	rv = ssl3_ConsumeHandshakeVariable(ss, &dh_p, 2, &b, &length);
-    	if (rv != SECSuccess) {
-	    goto loser;		/* malformed. */
-	}
-    	rv = ssl3_ConsumeHandshakeVariable(ss, &dh_g, 2, &b, &length);
-    	if (rv != SECSuccess) {
-	    goto loser;		/* malformed. */
-	}
-    	rv = ssl3_ConsumeHandshakeVariable(ss, &dh_Ys, 2, &b, &length);
-    	if (rv != SECSuccess) {
-	    goto loser;		/* malformed. */
-	}
-    	rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
-    	if (rv != SECSuccess) {
-	    goto loser;		/* malformed. */
-	}
-    	if (length != 0) {
-	    if (isTLS)
-		desc = decode_error;
-	    goto alert_loser;		/* malformed. */
-	}
-
-	PRINT_BUF(60, (NULL, "Server DH p", dh_p.data, dh_p.len));
-	PRINT_BUF(60, (NULL, "Server DH g", dh_g.data, dh_g.len));
-	PRINT_BUF(60, (NULL, "Server DH Ys", dh_Ys.data, dh_Ys.len));
-
-	/* failures after this point are not malformed handshakes. */
-	/* TLS: send decrypt_error if signature failed. */
-    	desc = isTLS ? decrypt_error : handshake_failure;
-
-    	/*
-     	 *  check to make sure the hash is signed by right guy
-     	 */
-    	rv = ssl3_ComputeDHKeyHash(dh_p, dh_g, dh_Ys,
-					  &ss->ssl3.hs.client_random,
-					  &ss->ssl3.hs.server_random, 
-					  &hashes, ss->opt.bypassPKCS11);
-        if (rv != SECSuccess) {
-	    errCode =
-	    	ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
-	    goto alert_loser;
-	}
-        rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
-				    isTLS, ss->pkcs11PinArg);
-	if (rv != SECSuccess)  {
-	    errCode =
-	    	ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
-	    goto alert_loser;
-	}
-
-	/*
-	 * we really need to build a new key here because we can no longer
-	 * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate
-	 * pkcs11 slots and ID's.
-	 */
-    	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-	if (arena == NULL) {
-	    goto no_memory;
-	}
-
-    	ss->sec.peerKey = peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
-    	if (peerKey == NULL) {
-	    goto no_memory;
-	}
-
-	peerKey->arena              = arena;
-	peerKey->keyType            = dhKey;
-	peerKey->pkcs11Slot         = NULL;
-	peerKey->pkcs11ID           = CK_INVALID_HANDLE;
-
-	if (SECITEM_CopyItem(arena, &peerKey->u.dh.prime,        &dh_p) ||
-	    SECITEM_CopyItem(arena, &peerKey->u.dh.base,         &dh_g) ||
-	    SECITEM_CopyItem(arena, &peerKey->u.dh.publicValue,  &dh_Ys))
-	{
-            PORT_FreeArena(arena, PR_FALSE);
-	    goto no_memory;
-        }
-    	ss->sec.peerKey = peerKey;
-    	ss->ssl3.hs.ws = wait_cert_request;
-    	return SECSuccess;
-    }
-
-#ifdef NSS_ENABLE_ECC
-    case kt_ecdh:
-	rv = ssl3_HandleECDHServerKeyExchange(ss, b, length);
-	return rv;
-#endif /* NSS_ENABLE_ECC */
-
-    default:
-    	desc    = handshake_failure;
-	errCode = SEC_ERROR_UNSUPPORTED_KEYALG;
-	break;		/* goto alert_loser; */
-    }
-
-alert_loser:
-    (void)SSL3_SendAlert(ss, alert_fatal, desc);
-loser:
-    PORT_SetError( errCode );
-    return SECFailure;
-
-no_memory:	/* no-memory error has already been set. */
-    ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
-    return SECFailure;
-}
-
-
-typedef struct dnameNode {
-    struct dnameNode *next;
-    SECItem           name;
-} dnameNode;
-
-/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
- * ssl3 Certificate Request message.
- * Caller must hold Handshake and RecvBuf locks.
- */
-static SECStatus
-ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
-{
-    PRArenaPool *        arena       = NULL;
-    dnameNode *          node;
-    PRInt32              remaining;
-    PRBool               isTLS       = PR_FALSE;
-    int                  i;
-    int                  errCode     = SSL_ERROR_RX_MALFORMED_CERT_REQUEST;
-    int                  nnames      = 0;
-    SECStatus            rv;
-    SSL3AlertDescription desc        = illegal_parameter;
-    SECItem              cert_types  = {siBuffer, NULL, 0};
-    CERTDistNames        ca_list;
-
-    SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake",
-		SSL_GETPID(), ss->fd));
-    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-
-    if (ss->ssl3.hs.ws != wait_cert_request &&
-    	ss->ssl3.hs.ws != wait_server_key) {
-	desc    = unexpected_message;
-	errCode = SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST;
-	goto alert_loser;
-    }
-
-    /* clean up anything left from previous handshake. */
-    if (ss->ssl3.clientCertChain != NULL) {
-       CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
-       ss->ssl3.clientCertChain = NULL;
-    }
-
-    isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
-    rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length);
-    if (rv != SECSuccess)
-    	goto loser;		/* malformed, alert has been sent */
-
-    arena = ca_list.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL)
-    	goto no_mem;
-
-    remaining = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
-    if (remaining < 0)
-    	goto loser;	 	/* malformed, alert has been sent */
-
-    if ((PRUint32)remaining > length)
-	goto alert_loser;
-
-    ca_list.head = node = PORT_ArenaZNew(arena, dnameNode);
-    if (node == NULL)
-    	goto no_mem;
-
-    while (remaining > 0) {
-	PRInt32 len;
-
-	if (remaining < 2)
-	    goto alert_loser;	/* malformed */
-
-	node->name.len = len = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
-	if (len <= 0)
-	    goto loser;		/* malformed, alert has been sent */
-
-	remaining -= 2;
-	if (remaining < len)
-	    goto alert_loser;	/* malformed */
-
-	node->name.data = b;
-	b         += len;
-	length    -= len;
-	remaining -= len;
-	nnames++;
-	if (remaining <= 0)
-	    break;		/* success */
-
-	node->next = PORT_ArenaZNew(arena, dnameNode);
-	node = node->next;
-	if (node == NULL)
-	    goto no_mem;
-    }
-
-    ca_list.nnames = nnames;
-    ca_list.names  = PORT_ArenaNewArray(arena, SECItem, nnames);
-    if (nnames > 0 && ca_list.names == NULL)
-        goto no_mem;
-
-    for(i = 0, node = (dnameNode*)ca_list.head;
-	i < nnames;
-	i++, node = node->next) {
-	ca_list.names[i] = node->name;
-    }
-
-    if (length != 0)
-        goto alert_loser;   	/* malformed */
-
-    desc = no_certificate;
-    ss->ssl3.hs.ws = wait_hello_done;
-
-    if (ss->getClientAuthData == NULL) {
-	rv = SECFailure; /* force it to send a no_certificate alert */
-    } else {
-	/* XXX Should pass cert_types in this call!! */
-	rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg,
-						 ss->fd, &ca_list,
-						 &ss->ssl3.clientCertificate,
-						 &ss->ssl3.clientPrivateKey);
-    }
-    switch (rv) {
-    case SECWouldBlock:	/* getClientAuthData has put up a dialog box. */
-	ssl_SetAlwaysBlock(ss);
-	break;	/* not an error */
-
-    case SECSuccess:
-        /* check what the callback function returned */
-        if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) {
-            /* we are missing either the key or cert */
-            if (ss->ssl3.clientCertificate) {
-                /* got a cert, but no key - free it */
-                CERT_DestroyCertificate(ss->ssl3.clientCertificate);
-                ss->ssl3.clientCertificate = NULL;
-            }
-            if (ss->ssl3.clientPrivateKey) {
-                /* got a key, but no cert - free it */
-                SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
-                ss->ssl3.clientPrivateKey = NULL;
-            }
-            goto send_no_certificate;
-        }
-	/* Setting ssl3.clientCertChain non-NULL will cause
-	 * ssl3_HandleServerHelloDone to call SendCertificate.
-	 */
-	ss->ssl3.clientCertChain = CERT_CertChainFromCert(
-					ss->ssl3.clientCertificate,
-					certUsageSSLClient, PR_FALSE);
-	if (ss->ssl3.clientCertChain == NULL) {
-	    if (ss->ssl3.clientCertificate != NULL) {
-		CERT_DestroyCertificate(ss->ssl3.clientCertificate);
-		ss->ssl3.clientCertificate = NULL;
-	    }
-	    if (ss->ssl3.clientPrivateKey != NULL) {
-		SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
-		ss->ssl3.clientPrivateKey = NULL;
-	    }
-	    goto send_no_certificate;
-	}
-	break;	/* not an error */
-
-    case SECFailure:
-    default:
-send_no_certificate:
-	if (isTLS) {
-	    ss->ssl3.sendEmptyCert = PR_TRUE;
-	} else {
-	    (void)SSL3_SendAlert(ss, alert_warning, no_certificate);
-	}
-	rv = SECSuccess;
-	break;
-    }
-    goto done;
-
-no_mem:
-    rv = SECFailure;
-    PORT_SetError(SEC_ERROR_NO_MEMORY);
-    goto done;
-
-alert_loser:
-    if (isTLS && desc == illegal_parameter)
-    	desc = decode_error;
-    (void)SSL3_SendAlert(ss, alert_fatal, desc);
-loser:
-    PORT_SetError(errCode);
-    rv = SECFailure;
-done:
-    if (arena != NULL)
-    	PORT_FreeArena(arena, PR_FALSE);
-    return rv;
-}
-
-/*
- * attempt to restart the handshake after asynchronously handling
- * a request for the client's certificate.
- *
- * inputs:
- *	cert	Client cert chosen by application.
- *		Note: ssl takes this reference, and does not bump the
- *		reference count.  The caller should drop its reference
- *		without calling CERT_DestroyCert after calling this function.
- *
- *	key	Private key associated with cert.  This function makes a
- *		copy of the private key, so the caller remains responsible
- *		for destroying its copy after this function returns.
- *
- *	certChain  DER-encoded certs, client cert and its signers.
- *		Note: ssl takes this reference, and does not copy the chain.
- *		The caller should drop its reference without destroying the
- *		chain.  SSL will free the chain when it is done with it.
- *
- * Return value: XXX
- *
- * XXX This code only works on the initial handshake on a connection, XXX
- *     It does not work on a subsequent handshake (redo).
- *
- * Caller holds 1stHandshakeLock.
- */
-SECStatus
-ssl3_RestartHandshakeAfterCertReq(sslSocket *         ss,
-				CERTCertificate *    cert,
-				SECKEYPrivateKey *   key,
-				CERTCertificateList *certChain)
-{
-    SECStatus        rv          = SECSuccess;
-
-    if (MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0)) {
-	/* XXX This code only works on the initial handshake on a connection,
-	** XXX It does not work on a subsequent handshake (redo).
-	*/
-	if (ss->handshake != 0) {
-	    ss->handshake               = ssl_GatherRecord1stHandshake;
-	    ss->ssl3.clientCertificate = cert;
-	    ss->ssl3.clientCertChain   = certChain;
-	    if (key == NULL) {
-		(void)SSL3_SendAlert(ss, alert_warning, no_certificate);
-		ss->ssl3.clientPrivateKey = NULL;
-	    } else {
-		ss->ssl3.clientPrivateKey = SECKEY_CopyPrivateKey(key);
-	    }
-	    ssl_GetRecvBufLock(ss);
-	    if (ss->ssl3.hs.msgState.buf != NULL) {
-		rv = ssl3_HandleRecord(ss, NULL, &ss->gs.buf);
-	    }
-	    ssl_ReleaseRecvBufLock(ss);
-	}
-    }
-    return rv;
-}
-
-
-
-/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
- * ssl3 Server Hello Done message.
- * Caller must hold Handshake and RecvBuf locks.
- */
-static SECStatus
-ssl3_HandleServerHelloDone(sslSocket *ss)
-{
-    SECStatus     rv;
-    SSL3WaitState ws          = ss->ssl3.hs.ws;
-    PRBool        send_verify = PR_FALSE;
-
-    SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello_done handshake",
-		SSL_GETPID(), ss->fd));
-    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-
-    if (ws != wait_hello_done  &&
-        ws != wait_server_cert &&
-	ws != wait_server_key  &&
-	ws != wait_cert_request) {
-	SSL3_SendAlert(ss, alert_fatal, unexpected_message);
-	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
-	return SECFailure;
-    }
-
-    ssl_GetXmitBufLock(ss);		/*******************************/
-
-    if (ss->ssl3.sendEmptyCert) {
-	ss->ssl3.sendEmptyCert = PR_FALSE;
-	rv = ssl3_SendEmptyCertificate(ss);
-	/* Don't send verify */
-	if (rv != SECSuccess) {
-	    goto loser;	/* error code is set. */
-    	}
-    } else
-    if (ss->ssl3.clientCertChain  != NULL &&
-	ss->ssl3.clientPrivateKey != NULL) {
-	send_verify = PR_TRUE;
-	rv = ssl3_SendCertificate(ss);
-	if (rv != SECSuccess) {
-	    goto loser;	/* error code is set. */
-    	}
-    }
-
-    rv = ssl3_SendClientKeyExchange(ss);
-    if (rv != SECSuccess) {
-    	goto loser;	/* err is set. */
-    }
-
-    if (send_verify) {
-	rv = ssl3_SendCertificateVerify(ss);
-	if (rv != SECSuccess) {
-	    goto loser;	/* err is set. */
-        }
-    }
-    rv = ssl3_SendChangeCipherSpecs(ss);
-    if (rv != SECSuccess) {
-	goto loser;	/* err code was set. */
-    }
-    rv = ssl3_SendFinished(ss, 0);
-    if (rv != SECSuccess) {
-	goto loser;	/* err code was set. */
-    }
-
-    ssl_ReleaseXmitBufLock(ss);		/*******************************/
-
-    ss->ssl3.hs.ws = wait_change_cipher;
-    return SECSuccess;
-
-loser:
-    ssl_ReleaseXmitBufLock(ss);
-    return rv;
-}
-
-/*
- * Routines used by servers
- */
-static SECStatus
-ssl3_SendHelloRequest(sslSocket *ss)
-{
-    SECStatus rv;
-
-    SSL_TRC(3, ("%d: SSL3[%d]: send hello_request handshake", SSL_GETPID(),
-		ss->fd));
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
-
-    rv = ssl3_AppendHandshakeHeader(ss, hello_request, 0);
-    if (rv != SECSuccess) {
-	return rv;	/* err set by AppendHandshake */
-    }
-    rv = ssl3_FlushHandshake(ss, 0);
-    if (rv != SECSuccess) {
-	return rv;	/* error code set by ssl3_FlushHandshake */
-    }
-    ss->ssl3.hs.ws = wait_client_hello;
-    return SECSuccess;
-}
-
-/* Sets memory error when returning NULL.
- * Called from:
- *	ssl3_SendClientHello()
- *	ssl3_HandleServerHello()
- *	ssl3_HandleClientHello()
- *	ssl3_HandleV2ClientHello()
- */
-static sslSessionID *
-ssl3_NewSessionID(sslSocket *ss, PRBool is_server)
-{
-    sslSessionID *sid;
-
-    sid = PORT_ZNew(sslSessionID);
-    if (sid == NULL)
-    	return sid;
-
-    sid->peerID		= (ss->peerID == NULL) ? NULL : PORT_Strdup(ss->peerID);
-    sid->urlSvrName	= (ss->url    == NULL) ? NULL : PORT_Strdup(ss->url);
-    sid->addr           = ss->sec.ci.peer;
-    sid->port           = ss->sec.ci.port;
-    sid->references     = 1;
-    sid->cached         = never_cached;
-    sid->version        = ss->version;
-
-    sid->u.ssl3.keys.resumable = PR_TRUE;
-    sid->u.ssl3.policy         = SSL_ALLOWED;
-    sid->u.ssl3.clientWriteKey = NULL;
-    sid->u.ssl3.serverWriteKey = NULL;
-
-    if (is_server) {
-	SECStatus rv;
-	int       pid = SSL_GETPID();
-
-	sid->u.ssl3.sessionIDLength = SSL3_SESSIONID_BYTES;
-	sid->u.ssl3.sessionID[0]    = (pid >> 8) & 0xff;
-	sid->u.ssl3.sessionID[1]    =  pid       & 0xff;
-	rv = PK11_GenerateRandom(sid->u.ssl3.sessionID + 2,
-	                         SSL3_SESSIONID_BYTES -2);
-	if (rv != SECSuccess) {
-	    ssl_FreeSID(sid);
-	    ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
-	    return NULL;
-    	}
-    }
-    return sid;
-}
-
-/* Called from:  ssl3_HandleClientHello, ssl3_HandleV2ClientHello */
-static SECStatus
-ssl3_SendServerHelloSequence(sslSocket *ss)
-{
-    const ssl3KEADef *kea_def;
-    SECStatus         rv;
-
-    SSL_TRC(3, ("%d: SSL3[%d]: begin send server_hello sequence",
-		SSL_GETPID(), ss->fd));
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
-
-    rv = ssl3_SendServerHello(ss);
-    if (rv != SECSuccess) {
-	return rv;	/* err code is set. */
-    }
-    rv = ssl3_SendCertificate(ss);
-    if (rv != SECSuccess) {
-	return rv;	/* error code is set. */
-    }
-    /* We have to do this after the call to ssl3_SendServerHello,
-     * because kea_def is set up by ssl3_SendServerHello().
-     */
-    kea_def = ss->ssl3.hs.kea_def;
-    ss->ssl3.hs.usedStepDownKey = PR_FALSE;
-
-    if (kea_def->is_limited && kea_def->exchKeyType == kt_rsa) {
-	/* see if we can legally use the key in the cert. */
-	int keyLen;  /* bytes */
-
-	keyLen = PK11_GetPrivateModulusLen(
-			    ss->serverCerts[kea_def->exchKeyType].SERVERKEY);
-
-	if (keyLen > 0 &&
-	    keyLen * BPB <= kea_def->key_size_limit ) {
-	    /* XXX AND cert is not signing only!! */
-	    /* just fall through and use it. */
-	} else if (ss->stepDownKeyPair != NULL) {
-	    ss->ssl3.hs.usedStepDownKey = PR_TRUE;
-	    rv = ssl3_SendServerKeyExchange(ss);
-	    if (rv != SECSuccess) {
-		return rv;	/* err code was set. */
-	    }
-	} else {
-#ifndef HACKED_EXPORT_SERVER
-	    PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED);
-	    return rv;
-#endif
-	}
-#ifdef NSS_ENABLE_ECC
-    } else if ((kea_def->kea == kea_ecdhe_rsa) ||
-	       (kea_def->kea == kea_ecdhe_ecdsa)) {
-	rv = ssl3_SendServerKeyExchange(ss);
-	if (rv != SECSuccess) {
-	    return rv;	/* err code was set. */
-	}
-#endif /* NSS_ENABLE_ECC */
-    }
-
-    if (ss->opt.requestCertificate) {
-	rv = ssl3_SendCertificateRequest(ss);
-	if (rv != SECSuccess) {
-	    return rv;		/* err code is set. */
-	}
-    }
-    rv = ssl3_SendServerHelloDone(ss);
-    if (rv != SECSuccess) {
-	return rv;		/* err code is set. */
-    }
-
-    ss->ssl3.hs.ws = (ss->opt.requestCertificate) ? wait_client_cert
-                                               : wait_client_key;
-    return SECSuccess;
-}
-
-/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
- * ssl3 Client Hello message.
- * Caller must hold Handshake and RecvBuf locks.
- */
-static SECStatus
-ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
-{
-    sslSessionID *      sid      = NULL;
-    PRInt32		tmp;
-    unsigned int        i;
-    int                 j;
-    SECStatus           rv;
-    int                 errCode  = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO;
-    SSL3AlertDescription desc    = illegal_parameter;
-    SSL3ProtocolVersion version;
-    SECItem             sidBytes = {siBuffer, NULL, 0};
-    SECItem             suites   = {siBuffer, NULL, 0};
-    SECItem             comps    = {siBuffer, NULL, 0};
-    PRBool              haveSpecWriteLock = PR_FALSE;
-    PRBool              haveXmitBufLock   = PR_FALSE;
-
-    SSL_TRC(3, ("%d: SSL3[%d]: handle client_hello handshake",
-    	SSL_GETPID(), ss->fd));
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-
-    /* Get peer name of client */
-    rv = ssl_GetPeerInfo(ss);
-    if (rv != SECSuccess) {
-	return rv;		/* error code is set. */
-    }
-
-    rv = ssl3_InitState(ss);
-    if (rv != SECSuccess) {
-	return rv;		/* ssl3_InitState has set the error code. */
-    }
-
-    if ((ss->ssl3.hs.ws != wait_client_hello) &&
-	(ss->ssl3.hs.ws != idle_handshake)) {
-	desc    = unexpected_message;
-	errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO;
-	goto alert_loser;
-    }
-
-    tmp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
-    if (tmp < 0)
-	goto loser;		/* malformed, alert already sent */
-    ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp;
-    rv = ssl3_NegotiateVersion(ss, version);
-    if (rv != SECSuccess) {
-    	desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version : handshake_failure;
-	errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
-	goto alert_loser;
-    }
-
-    /* grab the client random data. */
-    rv = ssl3_ConsumeHandshake(
-	ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length);
-    if (rv != SECSuccess) {
-	goto loser;		/* malformed */
-    }
-
-    /* grab the client's SID, if present. */
-    rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length);
-    if (rv != SECSuccess) {
-	goto loser;		/* malformed */
-    }
-
-    if (sidBytes.len > 0 && !ss->opt.noCache) {
-	SSL_TRC(7, ("%d: SSL3[%d]: server, lookup client session-id for 0x%08x%08x%08x%08x",
-                    SSL_GETPID(), ss->fd, ss->sec.ci.peer.pr_s6_addr32[0],
-		    ss->sec.ci.peer.pr_s6_addr32[1], 
-		    ss->sec.ci.peer.pr_s6_addr32[2],
-		    ss->sec.ci.peer.pr_s6_addr32[3]));
-	if (ssl_sid_lookup) {
-	    sid = (*ssl_sid_lookup)(&ss->sec.ci.peer, sidBytes.data, 
-	                            sidBytes.len, ss->dbHandle);
-    	} else {
-	    errCode = SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED;
-	    goto loser;
-	}
-    }
-
-    /* grab the list of cipher suites. */
-    rv = ssl3_ConsumeHandshakeVariable(ss, &suites, 2, &b, &length);
-    if (rv != SECSuccess) {
-	goto loser;		/* malformed */
-    }
-
-    /* grab the list of compression methods. */
-    rv = ssl3_ConsumeHandshakeVariable(ss, &comps, 1, &b, &length);
-    if (rv != SECSuccess) {
-	goto loser;		/* malformed */
-    }
-
-    /* It's OK for length to be non-zero here.
-     * Non-zero length means that some new protocol revision has extended
-     * the client hello message.
-     */
-
-    desc = handshake_failure;
-
-    if (sid != NULL) {
-	/* We've found a session cache entry for this client.
-	 * Now, if we're going to require a client-auth cert,
-	 * and we don't already have this client's cert in the session cache,
-	 * and this is the first handshake on this connection (not a redo),
-	 * then drop this old cache entry and start a new session.
-	 */
-	if ((sid->peerCert == NULL) && ss->opt.requestCertificate &&
-	    ((ss->opt.requireCertificate == SSL_REQUIRE_ALWAYS) ||
-	     (ss->opt.requireCertificate == SSL_REQUIRE_NO_ERROR) ||
-	     ((ss->opt.requireCertificate == SSL_REQUIRE_FIRST_HANDSHAKE) 
-	      && !ss->firstHsDone))) {
-
-	    ++ssl3stats.hch_sid_cache_not_ok;
-	    ss->sec.uncache(sid);
-	    ssl_FreeSID(sid);
-	    sid = NULL;
-	}
-    }
-
-    /* Look for a matching cipher suite. */
-    j = ssl3_config_match_init(ss);
-    if (j <= 0) {		/* no ciphers are working/supported by PK11 */
-    	errCode = PORT_GetError();	/* error code is already set. */
-	goto alert_loser;
-    }
-    /* If we already have a session for this client, be sure to pick the
-    ** same cipher suite we picked before.
-    ** This is not a loop, despite appearances.
-    */
-    if (sid) do {
-	ssl3CipherSuiteCfg *suite = ss->cipherSuites;
-	for (j = ssl_V3_SUITES_IMPLEMENTED; j > 0; --j, ++suite) {
-	    if (suite->cipher_suite == sid->u.ssl3.cipherSuite)
-		break;
-	}
-	if (!j)
-	    break;
-	if (!config_match(suite, ss->ssl3.policy, PR_TRUE))
-	    break;
-	for (i = 0; i < suites.len; i += 2) {
-	    if ((suites.data[i]     == MSB(suite->cipher_suite)) &&
-	        (suites.data[i + 1] == LSB(suite->cipher_suite))) {
-
-		ss->ssl3.hs.cipher_suite = suite->cipher_suite;
-		ss->ssl3.hs.suite_def =
-		    ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
-		goto suite_found;
-	    }
-	}
-    } while (0);
-
-    /* Select a cipher suite.
-    ** NOTE: This suite selection algorithm should be the same as the one in
-    ** ssl3_HandleV2ClientHello().  
-    */
-    for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
-	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
-	if (!config_match(suite, ss->ssl3.policy, PR_TRUE))
-	    continue;
-	for (i = 0; i < suites.len; i += 2) {
-	    if ((suites.data[i]     == MSB(suite->cipher_suite)) &&
-	        (suites.data[i + 1] == LSB(suite->cipher_suite))) {
-
-		ss->ssl3.hs.cipher_suite = suite->cipher_suite;
-		ss->ssl3.hs.suite_def =
-		    ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
-		goto suite_found;
-	    }
-	}
-    }
-    errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
-    goto alert_loser;
-
-suite_found:
-    /* Look for a matching compression algorithm. */
-    for (i = 0; i < comps.len; i++) {
-	for (j = 0; j < compressionMethodsCount; j++) {
-	    if (comps.data[i] == compressions[j]) {
-		ss->ssl3.hs.compression = 
-					(SSL3CompressionMethod)compressions[j];
-		goto compression_found;
-	    }
-	}
-    }
-    errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP;
-    				/* null compression must be supported */
-    goto alert_loser;
-
-compression_found:
-    suites.data = NULL;
-    comps.data = NULL;
-
-    ss->sec.send = ssl3_SendApplicationData;
-
-    /* If there are any failures while processing the old sid,
-     * we don't consider them to be errors.  Instead, We just behave
-     * as if the client had sent us no sid to begin with, and make a new one.
-     */
-    if (sid != NULL) do {
-	ssl3CipherSpec *pwSpec;
-	SECItem         wrappedMS;  	/* wrapped key */
-
-	if (sid->version != ss->version  ||
-	    sid->u.ssl3.cipherSuite != ss->ssl3.hs.cipher_suite) {
-	    break;	/* not an error */
-	}
-
-	if (ss->sec.ci.sid) {
-	    ss->sec.uncache(ss->sec.ci.sid);
-	    PORT_Assert(ss->sec.ci.sid != sid);  /* should be impossible, but ... */
-	    if (ss->sec.ci.sid != sid) {
-		ssl_FreeSID(ss->sec.ci.sid);
-	    }
-	    ss->sec.ci.sid = NULL;
-	}
-	/* we need to resurrect the master secret.... */
-
-	ssl_GetSpecWriteLock(ss);  haveSpecWriteLock = PR_TRUE;
-	pwSpec = ss->ssl3.pwSpec;
-	if (sid->u.ssl3.keys.msIsWrapped) {
-	    PK11SymKey *    wrapKey; 	/* wrapping key */
-	    CK_FLAGS        keyFlags      = 0;
-	    if (ss->opt.bypassPKCS11) {
-		/* we cannot restart a non-bypass session in a 
-		** bypass socket.
-		*/
-		break;  
-	    }
-
-	    wrapKey = getWrappingKey(ss, NULL, sid->u.ssl3.exchKeyType,
-				     sid->u.ssl3.masterWrapMech, 
-				     ss->pkcs11PinArg);
-	    if (!wrapKey) {
-		/* we have a SID cache entry, but no wrapping key for it??? */
-		break;
-	    }
-
-	    if (ss->version > SSL_LIBRARY_VERSION_3_0) {	/* isTLS */
-		keyFlags = CKF_SIGN | CKF_VERIFY;
-	    }
-
-	    wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
-	    wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
-
-	    /* unwrap the master secret. */
-	    pwSpec->master_secret =
-		PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech, 
-			    NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE,
-			    CKA_DERIVE, sizeof(SSL3MasterSecret), keyFlags);
-	    PK11_FreeSymKey(wrapKey);
-	    if (pwSpec->master_secret == NULL) {
-		break;	/* not an error */
-	    }
-	} else if (ss->opt.bypassPKCS11) {
-	    wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
-	    wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
-	    memcpy(pwSpec->raw_master_secret, wrappedMS.data, wrappedMS.len);
-	    pwSpec->msItem.data = pwSpec->raw_master_secret;
-	    pwSpec->msItem.len  = wrappedMS.len;
-	} else {
-	    /* We CAN restart a bypass session in a non-bypass socket. */
-	    /* need to import the raw master secret to session object */
-	    PK11SlotInfo * slot;
-	    wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
-	    wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
-	    slot = PK11_GetInternalSlot();
-	    pwSpec->master_secret =  
-		PK11_ImportSymKey(slot, CKM_SSL3_MASTER_KEY_DERIVE, 
-				  PK11_OriginUnwrap, CKA_ENCRYPT, &wrappedMS, 
-				  NULL);
-	    PK11_FreeSlot(slot);
-	    if (pwSpec->master_secret == NULL) {
-		break;	/* not an error */
-	    }
-	}
-	ss->sec.ci.sid = sid;
-	if (sid->peerCert != NULL) {
-	    ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
-	}
-
-	/*
-	 * Old SID passed all tests, so resume this old session.
-	 *
-	 * XXX make sure compression still matches
-	 */
-	++ssl3stats.hch_sid_cache_hits;
-	ss->ssl3.hs.isResuming = PR_TRUE;
-
-        ss->sec.authAlgorithm = sid->authAlgorithm;
-	ss->sec.authKeyBits   = sid->authKeyBits;
-	ss->sec.keaType       = sid->keaType;
-	ss->sec.keaKeyBits    = sid->keaKeyBits;
-
-	/* server sids don't remember the server cert we previously sent,
-	** but they do remember the kea type we originally used, so we
-	** can locate it again, provided that the current ssl socket
-	** has had its server certs configured the same as the previous one.
-	*/
-	ss->sec.localCert     = 
-		CERT_DupCertificate(ss->serverCerts[sid->keaType].serverCert);
-
-	ssl_GetXmitBufLock(ss); haveXmitBufLock = PR_TRUE;
-
-	rv = ssl3_SendServerHello(ss);
-	if (rv != SECSuccess) {
-	    errCode = PORT_GetError();
-	    goto loser;
-	}
-
-	if (haveSpecWriteLock) {
-	    ssl_ReleaseSpecWriteLock(ss);
-	    haveSpecWriteLock = PR_FALSE;
-	}
-
-	/* NULL value for PMS signifies re-use of the old MS */
-	rv = ssl3_InitPendingCipherSpec(ss,  NULL);
-	if (rv != SECSuccess) {
-	    errCode = PORT_GetError();
-	    goto loser;
-	}
-
-	rv = ssl3_SendChangeCipherSpecs(ss);
-	if (rv != SECSuccess) {
-	    errCode = PORT_GetError();
-	    goto loser;
-	}
-	rv = ssl3_SendFinished(ss, 0);
-	ss->ssl3.hs.ws = wait_change_cipher;
-	if (rv != SECSuccess) {
-	    errCode = PORT_GetError();
-	    goto loser;
-	}
-
-	if (haveXmitBufLock) {
-	    ssl_ReleaseXmitBufLock(ss);
-	    haveXmitBufLock = PR_FALSE;
-	}
-
-        return SECSuccess;
-    } while (0);
-
-    if (haveSpecWriteLock) {
-	ssl_ReleaseSpecWriteLock(ss);
-	haveSpecWriteLock = PR_FALSE;
-    }
-
-    if (sid) { 	/* we had a sid, but it's no longer valid, free it */
-	++ssl3stats.hch_sid_cache_not_ok;
-	ss->sec.uncache(sid);
-	ssl_FreeSID(sid);
-	sid = NULL;
-    }
-    ++ssl3stats.hch_sid_cache_misses;
-
-    sid = ssl3_NewSessionID(ss, PR_TRUE);
-    if (sid == NULL) {
-	errCode = PORT_GetError();
-	goto loser;	/* memory error is set. */
-    }
-    ss->sec.ci.sid = sid;
-
-    ss->ssl3.hs.isResuming = PR_FALSE;
-    ssl_GetXmitBufLock(ss);
-    rv = ssl3_SendServerHelloSequence(ss);
-    ssl_ReleaseXmitBufLock(ss);
-    if (rv != SECSuccess) {
-	errCode = PORT_GetError();
-	goto loser;
-    }
-
-    if (haveXmitBufLock) {
-	ssl_ReleaseXmitBufLock(ss);
-	haveXmitBufLock = PR_FALSE;
-    }
-
-    return SECSuccess;
-
-alert_loser:
-    if (haveSpecWriteLock) {
-	ssl_ReleaseSpecWriteLock(ss);
-	haveSpecWriteLock = PR_FALSE;
-    }
-    (void)SSL3_SendAlert(ss, alert_fatal, desc);
-    /* FALLTHRU */
-loser:
-    if (haveSpecWriteLock) {
-	ssl_ReleaseSpecWriteLock(ss);
-	haveSpecWriteLock = PR_FALSE;
-    }
-
-    if (haveXmitBufLock) {
-	ssl_ReleaseXmitBufLock(ss);
-	haveXmitBufLock = PR_FALSE;
-    }
-
-    PORT_SetError(errCode);
-    return SECFailure;
-}
-
-/*
- * ssl3_HandleV2ClientHello is used when a V2 formatted hello comes
- * in asking to use the V3 handshake.
- * Called from ssl2_HandleClientHelloMessage() in sslcon.c
- */
-SECStatus
-ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length)
-{
-    sslSessionID *      sid 		= NULL;
-    unsigned char *     suites;
-    unsigned char *     random;
-    SSL3ProtocolVersion version;
-    SECStatus           rv;
-    int                 i;
-    int                 j;
-    int                 sid_length;
-    int                 suite_length;
-    int                 rand_length;
-    int                 errCode  = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO;
-    SSL3AlertDescription desc    = handshake_failure;
-
-    SSL_TRC(3, ("%d: SSL3[%d]: handle v2 client_hello", SSL_GETPID(), ss->fd));
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-
-    ssl_GetSSL3HandshakeLock(ss);
-
-    rv = ssl3_InitState(ss);
-    if (rv != SECSuccess) {
-	ssl_ReleaseSSL3HandshakeLock(ss);
-	return rv;		/* ssl3_InitState has set the error code. */
-    }
-
-    if (ss->ssl3.hs.ws != wait_client_hello) {
-	desc    = unexpected_message;
-	errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO;
-	goto loser;	/* alert_loser */
-    }
-
-    version      = (buffer[1] << 8) | buffer[2];
-    suite_length = (buffer[3] << 8) | buffer[4];
-    sid_length   = (buffer[5] << 8) | buffer[6];
-    rand_length  = (buffer[7] << 8) | buffer[8];
-    ss->clientHelloVersion = version;
-
-    rv = ssl3_NegotiateVersion(ss, version);
-    if (rv != SECSuccess) {
-	/* send back which ever alert client will understand. */
-    	desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version : handshake_failure;
-	errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
-	goto alert_loser;
-    }
-
-    /* if we get a non-zero SID, just ignore it. */
-    if (length !=
-        SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + rand_length) {
-	SSL_DBG(("%d: SSL3[%d]: bad v2 client hello message, len=%d should=%d",
-		 SSL_GETPID(), ss->fd, length,
-		 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length +
-		 rand_length));
-	goto loser;	/* malformed */	/* alert_loser */
-    }
-
-    suites = buffer + SSL_HL_CLIENT_HELLO_HBYTES;
-    random = suites + suite_length + sid_length;
-
-    if (rand_length < SSL_MIN_CHALLENGE_BYTES ||
-	rand_length > SSL_MAX_CHALLENGE_BYTES) {
-	goto loser;	/* malformed */	/* alert_loser */
-    }
-
-    PORT_Assert(SSL_MAX_CHALLENGE_BYTES == SSL3_RANDOM_LENGTH);
-
-    PORT_Memset(&ss->ssl3.hs.client_random, 0, SSL3_RANDOM_LENGTH);
-    PORT_Memcpy(
-	&ss->ssl3.hs.client_random.rand[SSL3_RANDOM_LENGTH - rand_length],
-	random, rand_length);
-
-    PRINT_BUF(60, (ss, "client random:", &ss->ssl3.hs.client_random.rand[0],
-		   SSL3_RANDOM_LENGTH));
-
-    i = ssl3_config_match_init(ss);
-    if (i <= 0) {
-    	errCode = PORT_GetError();	/* error code is already set. */
-	goto alert_loser;
-    }
-
-    /* Select a cipher suite.
-    ** NOTE: This suite selection algorithm should be the same as the one in
-    ** ssl3_HandleClientHello().  
-    */
-    for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
-	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
-	if (!config_match(suite, ss->ssl3.policy, PR_TRUE))
-	    continue;
-	for (i = 0; i < suite_length; i += 3) {
-	    if ((suites[i]   == 0) &&
-		(suites[i+1] == MSB(suite->cipher_suite)) &&
-		(suites[i+2] == LSB(suite->cipher_suite))) {
-
-		ss->ssl3.hs.cipher_suite = suite->cipher_suite;
-		ss->ssl3.hs.suite_def =
-		    ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
-		goto suite_found;
-	    }
-	}
-    }
-    errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
-    goto alert_loser;
-
-suite_found:
-
-    ss->ssl3.hs.compression = compression_null;
-    ss->sec.send            = ssl3_SendApplicationData;
-
-    /* we don't even search for a cache hit here.  It's just a miss. */
-    ++ssl3stats.hch_sid_cache_misses;
-    sid = ssl3_NewSessionID(ss, PR_TRUE);
-    if (sid == NULL) {
-    	errCode = PORT_GetError();
-	goto loser;	/* memory error is set. */
-    }
-    ss->sec.ci.sid = sid;
-    /* do not worry about memory leak of sid since it now belongs to ci */
-
-    /* We have to update the handshake hashes before we can send stuff */
-    rv = ssl3_UpdateHandshakeHashes(ss, buffer, length);
-    if (rv != SECSuccess) {
-    	errCode = PORT_GetError();
-	goto loser;
-    }
-
-    ssl_GetXmitBufLock(ss);
-    rv = ssl3_SendServerHelloSequence(ss);
-    ssl_ReleaseXmitBufLock(ss);
-    if (rv != SECSuccess) {
-    	errCode = PORT_GetError();
-	goto loser;
-    }
-
-    /* XXX_1 	The call stack to here is:
-     * ssl_Do1stHandshake -> ssl2_HandleClientHelloMessage -> here.
-     * ssl2_HandleClientHelloMessage returns whatever we return here.
-     * ssl_Do1stHandshake will continue looping if it gets back either
-     *		SECSuccess or SECWouldBlock.
-     * SECSuccess is preferable here.  See XXX_1 in sslgathr.c.
-     */
-    ssl_ReleaseSSL3HandshakeLock(ss);
-    return SECSuccess;
-
-alert_loser:
-    SSL3_SendAlert(ss, alert_fatal, desc);
-loser:
-    ssl_ReleaseSSL3HandshakeLock(ss);
-    PORT_SetError(errCode);
-    return SECFailure;
-}
-
-/* The negotiated version number has been already placed in ss->version.
-**
-** Called from:  ssl3_HandleClientHello                     (resuming session),
-** 	ssl3_SendServerHelloSequence <- ssl3_HandleClientHello   (new session),
-** 	ssl3_SendServerHelloSequence <- ssl3_HandleV2ClientHello (new session)
-*/
-static SECStatus
-ssl3_SendServerHello(sslSocket *ss)
-{
-    sslSessionID *sid;
-    SECStatus     rv;
-    PRUint32      length;
-
-    SSL_TRC(3, ("%d: SSL3[%d]: send server_hello handshake", SSL_GETPID(),
-		ss->fd));
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-    PORT_Assert( MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0));
-
-    if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
-	PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
-	return SECFailure;
-    }
-
-    sid = ss->sec.ci.sid;
-    length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH + 1 +
-             ((sid == NULL) ? 0: SSL3_SESSIONID_BYTES) +
-	     sizeof(ssl3CipherSuite) + 1;
-    rv = ssl3_AppendHandshakeHeader(ss, server_hello, length);
-    if (rv != SECSuccess) {
-	return rv;	/* err set by AppendHandshake. */
-    }
-
-    rv = ssl3_AppendHandshakeNumber(ss, ss->version, 2);
-    if (rv != SECSuccess) {
-	return rv;	/* err set by AppendHandshake. */
-    }
-    rv = ssl3_GetNewRandom(&ss->ssl3.hs.server_random);
-    if (rv != SECSuccess) {
-	ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
-	return rv;
-    }
-    rv = ssl3_AppendHandshake(
-	ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH);
-    if (rv != SECSuccess) {
-	return rv;	/* err set by AppendHandshake. */
-    }
-
-    if (sid)
-	rv = ssl3_AppendHandshakeVariable(
-	    ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1);
-    else
-	rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
-    if (rv != SECSuccess) {
-	return rv;	/* err set by AppendHandshake. */
-    }
-
-    rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.cipher_suite, 2);
-    if (rv != SECSuccess) {
-	return rv;	/* err set by AppendHandshake. */
-    }
-    rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.compression, 1);
-    if (rv != SECSuccess) {
-	return rv;	/* err set by AppendHandshake. */
-    }
-    rv = ssl3_SetupPendingCipherSpec(ss);
-    if (rv != SECSuccess) {
-	return rv;	/* err set by ssl3_SetupPendingCipherSpec */
-    }
-
-    return SECSuccess;
-}
-
-
-static SECStatus
-ssl3_SendServerKeyExchange(sslSocket *ss)
-{
-const ssl3KEADef *     kea_def     = ss->ssl3.hs.kea_def;
-    SECStatus          rv          = SECFailure;
-    int                length;
-    PRBool             isTLS;
-    SECItem            signed_hash = {siBuffer, NULL, 0};
-    SSL3Hashes         hashes;
-    SECKEYPublicKey *  sdPub;	/* public key for step-down */
-
-    SSL_TRC(3, ("%d: SSL3[%d]: send server_key_exchange handshake",
-		SSL_GETPID(), ss->fd));
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-
-    switch (kea_def->exchKeyType) {
-    case kt_rsa:
-	/* Perform SSL Step-Down here. */
-	sdPub = ss->stepDownKeyPair->pubKey;
-	PORT_Assert(sdPub != NULL);
-	if (!sdPub) {
-	    PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
-	    return SECFailure;
-	}
-    	rv = ssl3_ComputeExportRSAKeyHash(sdPub->u.rsa.modulus,
-					  sdPub->u.rsa.publicExponent,
-	                                  &ss->ssl3.hs.client_random,
-	                                  &ss->ssl3.hs.server_random,
-					  &hashes, ss->opt.bypassPKCS11);
-        if (rv != SECSuccess) {
-	    ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
-	    return rv;
-	}
-
-	isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
-	rv = ssl3_SignHashes(&hashes, ss->serverCerts[kt_rsa].SERVERKEY, 
-	                     &signed_hash, isTLS);
-        if (rv != SECSuccess) {
-	    goto loser;		/* ssl3_SignHashes has set err. */
-	}
-	if (signed_hash.data == NULL) {
-	    /* how can this happen and rv == SECSuccess ?? */
-	    PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
-	    goto loser;
-	}
-	length = 2 + sdPub->u.rsa.modulus.len +
-	         2 + sdPub->u.rsa.publicExponent.len +
-	         2 + signed_hash.len;
-
-	rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length);
-	if (rv != SECSuccess) {
-	    goto loser; 	/* err set by AppendHandshake. */
-	}
-
-	rv = ssl3_AppendHandshakeVariable(ss, sdPub->u.rsa.modulus.data,
-					  sdPub->u.rsa.modulus.len, 2);
-	if (rv != SECSuccess) {
-	    goto loser; 	/* err set by AppendHandshake. */
-	}
-
-	rv = ssl3_AppendHandshakeVariable(
-				ss, sdPub->u.rsa.publicExponent.data,
-				sdPub->u.rsa.publicExponent.len, 2);
-	if (rv != SECSuccess) {
-	    goto loser; 	/* err set by AppendHandshake. */
-	}
-
-	rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data,
-	                                  signed_hash.len, 2);
-	if (rv != SECSuccess) {
-	    goto loser; 	/* err set by AppendHandshake. */
-	}
-	PORT_Free(signed_hash.data);
-	return SECSuccess;
-
-#ifdef NSS_ENABLE_ECC
-    case kt_ecdh: {
-	rv = ssl3_SendECDHServerKeyExchange(ss);
-	return rv;
-    }
-#endif /* NSS_ENABLE_ECC */
-
-    case kt_dh:
-    case kt_null:
-    default:
-	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-	break;
-    }
-loser:
-    if (signed_hash.data != NULL) 
-    	PORT_Free(signed_hash.data);
-    return SECFailure;
-}
-
-
-static SECStatus
-ssl3_SendCertificateRequest(sslSocket *ss)
-{
-    SECItem *      name;
-    CERTDistNames *ca_list;
-const uint8 *      certTypes;
-    SECItem *      names	= NULL;
-    SECStatus      rv;
-    int            length;
-    int            i;
-    int            calen	= 0;
-    int            nnames	= 0;
-    int            certTypesLength;
-
-    SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake",
-		SSL_GETPID(), ss->fd));
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-
-    /* ssl3.ca_list is initialized to NULL, and never changed. */
-    ca_list = ss->ssl3.ca_list;
-    if (!ca_list) {
-	ca_list = ssl3_server_ca_list;
-    }
-
-    if (ca_list != NULL) {
-	names = ca_list->names;
-	nnames = ca_list->nnames;
-    }
-
-    if (!nnames) {
-	PORT_SetError(SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA);
-	return SECFailure;
-    }
-
-    for (i = 0, name = names; i < nnames; i++, name++) {
-	calen += 2 + name->len;
-    }
-
-    certTypes       = certificate_types;
-    certTypesLength = sizeof certificate_types;
-
-    length = 1 + certTypesLength + 2 + calen;
-
-    rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length);
-    if (rv != SECSuccess) {
-	return rv; 		/* err set by AppendHandshake. */
-    }
-    rv = ssl3_AppendHandshakeVariable(ss, certTypes, certTypesLength, 1);
-    if (rv != SECSuccess) {
-	return rv; 		/* err set by AppendHandshake. */
-    }
-    rv = ssl3_AppendHandshakeNumber(ss, calen, 2);
-    if (rv != SECSuccess) {
-	return rv; 		/* err set by AppendHandshake. */
-    }
-    for (i = 0, name = names; i < nnames; i++, name++) {
-	rv = ssl3_AppendHandshakeVariable(ss, name->data, name->len, 2);
-	if (rv != SECSuccess) {
-	    return rv; 		/* err set by AppendHandshake. */
-	}
-    }
-
-    return SECSuccess;
-}
-
-static SECStatus
-ssl3_SendServerHelloDone(sslSocket *ss)
-{
-    SECStatus rv;
-
-    SSL_TRC(3, ("%d: SSL3[%d]: send server_hello_done handshake",
-		SSL_GETPID(), ss->fd));
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-
-    rv = ssl3_AppendHandshakeHeader(ss, server_hello_done, 0);
-    if (rv != SECSuccess) {
-	return rv; 		/* err set by AppendHandshake. */
-    }
-    rv = ssl3_FlushHandshake(ss, 0);
-    if (rv != SECSuccess) {
-	return rv;	/* error code set by ssl3_FlushHandshake */
-    }
-    return SECSuccess;
-}
-
-/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
- * ssl3 Certificate Verify message
- * Caller must hold Handshake and RecvBuf locks.
- */
-static SECStatus
-ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
-			     SSL3Hashes *hashes)
-{
-    SECItem              signed_hash = {siBuffer, NULL, 0};
-    SECStatus            rv;
-    int                  errCode     = SSL_ERROR_RX_MALFORMED_CERT_VERIFY;
-    SSL3AlertDescription desc        = handshake_failure;
-    PRBool               isTLS;
-
-    SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_verify handshake",
-		SSL_GETPID(), ss->fd));
-    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-
-    if (ss->ssl3.hs.ws != wait_cert_verify || ss->sec.peerCert == NULL) {
-	desc    = unexpected_message;
-	errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY;
-	goto alert_loser;
-    }
-
-    rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length);
-    if (rv != SECSuccess) {
-	goto loser;		/* malformed. */
-    }
-
-    isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
-
-    /* XXX verify that the key & kea match */
-    rv = ssl3_VerifySignedHashes(hashes, ss->sec.peerCert, &signed_hash,
-				 isTLS, ss->pkcs11PinArg);
-    if (rv != SECSuccess) {
-    	errCode = PORT_GetError();
-	desc = isTLS ? decrypt_error : handshake_failure;
-	goto alert_loser;
-    }
-
-    signed_hash.data = NULL;
-
-    if (length != 0) {
-	desc    = isTLS ? decode_error : illegal_parameter;
-	goto alert_loser;	/* malformed */
-    }
-    ss->ssl3.hs.ws = wait_change_cipher;
-    return SECSuccess;
-
-alert_loser:
-    SSL3_SendAlert(ss, alert_fatal, desc);
-loser:
-    PORT_SetError(errCode);
-    return SECFailure;
-}
-
-
-/* find a slot that is able to generate a PMS and wrap it with RSA.
- * Then generate and return the PMS.
- * If the serverKeySlot parameter is non-null, this function will use
- * that slot to do the job, otherwise it will find a slot.
- *
- * Called from  ssl3_DeriveConnectionKeysPKCS11()  (above)
- *		sendRSAClientKeyExchange()         (above)
- *		ssl3_HandleRSAClientKeyExchange()  (below)
- * Caller must hold the SpecWriteLock, the SSL3HandshakeLock
- */
-static PK11SymKey *
-ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
-                    PK11SlotInfo * serverKeySlot)
-{
-    PK11SymKey *      pms		= NULL;
-    PK11SlotInfo *    slot		= serverKeySlot;
-    void *	      pwArg 		= ss->pkcs11PinArg;
-    SECItem           param;
-    CK_VERSION 	      version;
-    CK_MECHANISM_TYPE mechanism_array[3];
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-
-    if (slot == NULL) {
-	SSLCipherAlgorithm calg;
-	/* The specReadLock would suffice here, but we cannot assert on
-	** read locks.  Also, all the callers who call with a non-null
-	** slot already hold the SpecWriteLock.
-	*/
-	PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
-	PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
-
-        calg = spec->cipher_def->calg;
-	PORT_Assert(alg2Mech[calg].calg == calg);
-
-	/* First get an appropriate slot.  */
-	mechanism_array[0] = CKM_SSL3_PRE_MASTER_KEY_GEN;
-	mechanism_array[1] = CKM_RSA_PKCS;
-	mechanism_array[2] = alg2Mech[calg].cmech;
-
-	slot = PK11_GetBestSlotMultiple(mechanism_array, 3, pwArg);
-	if (slot == NULL) {
-	   /* can't find a slot with all three, find a slot with the minimum */
-	    slot = PK11_GetBestSlotMultiple(mechanism_array, 2, pwArg);
-	    if (slot == NULL) {
-		PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND);
-		return pms;	/* which is NULL */
-	    }
-	}
-    }
-
-    /* Generate the pre-master secret ...  */
-    version.major = MSB(ss->clientHelloVersion);
-    version.minor = LSB(ss->clientHelloVersion);
-
-    param.data = (unsigned char *)&version;
-    param.len  = sizeof version;
-
-    pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN, &param, 0, pwArg);
-    if (!serverKeySlot)
-	PK11_FreeSlot(slot);
-    if (pms == NULL) {
-	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
-    }
-    return pms;
-}
-
-/* Note: The Bleichenbacher attack on PKCS#1 necessitates that we NEVER
- * return any indication of failure of the Client Key Exchange message,
- * where that failure is caused by the content of the client's message.
- * This function must not return SECFailure for any reason that is directly
- * or indirectly caused by the content of the client's encrypted PMS.
- * We must not send an alert and also not drop the connection.
- * Instead, we generate a random PMS.  This will cause a failure
- * in the processing the finished message, which is exactly where
- * the failure must occur.
- *
- * Called from ssl3_HandleClientKeyExchange
- */
-static SECStatus
-ssl3_HandleRSAClientKeyExchange(sslSocket *ss,
-                                SSL3Opaque *b,
-				PRUint32 length,
-				SECKEYPrivateKey *serverKey)
-{
-    PK11SymKey *      pms;
-    unsigned char *   cr     = (unsigned char *)&ss->ssl3.hs.client_random;
-    unsigned char *   sr     = (unsigned char *)&ss->ssl3.hs.server_random;
-    ssl3CipherSpec *  pwSpec = ss->ssl3.pwSpec;
-    unsigned int      outLen = 0;
-    PRBool            isTLS  = PR_FALSE;
-    SECStatus         rv;
-    SECItem           enc_pms;
-    unsigned char     rsaPmsBuf[SSL3_RSA_PMS_LENGTH];
-    SECItem           pmsItem = {siBuffer, rsaPmsBuf, sizeof rsaPmsBuf};
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-
-    enc_pms.data = b;
-    enc_pms.len  = length;
-
-    if (ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */
-	PRInt32 kLen;
-	kLen = ssl3_ConsumeHandshakeNumber(ss, 2, &enc_pms.data, &enc_pms.len);
-	if (kLen < 0) {
-	    PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
-	    return SECFailure;
-	}
-	if ((unsigned)kLen < enc_pms.len) {
-	    enc_pms.len = kLen;
-	}
-	isTLS = PR_TRUE;
-    } else {
-	isTLS = (PRBool)(ss->ssl3.hs.kea_def->tls_keygen != 0);
-    }
-
-    if (ss->opt.bypassPKCS11) {
-	/* TRIPLE BYPASS, get PMS directly from RSA decryption.
-	 * Use PK11_PrivDecryptPKCS1 to decrypt the PMS to a buffer, 
-	 * then, check for version rollback attack, then 
-	 * do the equivalent of ssl3_DeriveMasterSecret, placing the MS in 
-	 * pwSpec->msItem.  Finally call ssl3_InitPendingCipherSpec with 
-	 * ss and NULL, so that it will use the MS we've already derived here. 
-	 */
-
-	rv = PK11_PrivDecryptPKCS1(serverKey, rsaPmsBuf, &outLen, 
-				   sizeof rsaPmsBuf, enc_pms.data, enc_pms.len);
-	if (rv != SECSuccess) {
-	    /* avoid Bleichenbacker attack.  generate faux pms. */
-	    rv = PK11_GenerateRandom(rsaPmsBuf, sizeof rsaPmsBuf);
-	    /* ignore failure */
-	} else if (ss->opt.detectRollBack) {
-	    SSL3ProtocolVersion client_version = 
-					 (rsaPmsBuf[0] << 8) | rsaPmsBuf[1];
-	    if (client_version != ss->clientHelloVersion) {
-		/* Version roll-back detected. ensure failure.  */
-		rv = PK11_GenerateRandom(rsaPmsBuf, sizeof rsaPmsBuf);
-	    }
-	}
-	/* have PMS, build MS without PKCS11 */
-	rv = ssl3_MasterKeyDeriveBypass(pwSpec, cr, sr, &pmsItem, isTLS, 
-					PR_TRUE);
-	if (rv != SECSuccess) {
-	    pwSpec->msItem.data = pwSpec->raw_master_secret;
-	    pwSpec->msItem.len  = SSL3_MASTER_SECRET_LENGTH;
-	    PK11_GenerateRandom(pwSpec->msItem.data, pwSpec->msItem.len);
-	}
-	rv = ssl3_InitPendingCipherSpec(ss,  NULL);
-    } else {
-	/*
-	 * unwrap pms out of the incoming buffer
-	 * Note: CKM_SSL3_MASTER_KEY_DERIVE is NOT the mechanism used to do 
-	 *	the unwrap.  Rather, it is the mechanism with which the 
-	 *      unwrapped pms will be used.
-	 */
-	pms = PK11_PubUnwrapSymKey(serverKey, &enc_pms,
-				   CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, 0);
-	if (pms != NULL) {
-	    PRINT_BUF(60, (ss, "decrypted premaster secret:",
-			   PK11_GetKeyData(pms)->data,
-			   PK11_GetKeyData(pms)->len));
-	} else {
-	    /* unwrap failed. Generate a bogus PMS and carry on. */
-	    PK11SlotInfo *  slot   = PK11_GetSlotFromPrivateKey(serverKey);
-
-	    ssl_GetSpecWriteLock(ss);
-	    pms = ssl3_GenerateRSAPMS(ss, ss->ssl3.prSpec, slot);
-	    ssl_ReleaseSpecWriteLock(ss);
-	    PK11_FreeSlot(slot);
-	}
-
-	if (pms == NULL) {
-	    /* last gasp.  */
-	    ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
-	    return SECFailure;
-	}
-
-	rv = ssl3_InitPendingCipherSpec(ss,  pms);
-	PK11_FreeSymKey(pms);
-    }
-
-    if (rv != SECSuccess) {
-	SEND_ALERT
-	return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */
-    }
-    return SECSuccess;
-}
-
-
-/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
- * ssl3 ClientKeyExchange message from the remote client
- * Caller must hold Handshake and RecvBuf locks.
- */
-static SECStatus
-ssl3_HandleClientKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
-{
-    SECKEYPrivateKey *serverKey         = NULL;
-    SECStatus         rv;
-const ssl3KEADef *    kea_def;
-#ifdef NSS_ENABLE_ECC
-    SECKEYPublicKey *serverPubKey       = NULL;
-#endif /* NSS_ENABLE_ECC */
-
-    SSL_TRC(3, ("%d: SSL3[%d]: handle client_key_exchange handshake",
-		SSL_GETPID(), ss->fd));
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-
-    if (ss->ssl3.hs.ws != wait_client_key) {
-	SSL3_SendAlert(ss, alert_fatal, unexpected_message);
-    	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH);
-	return SECFailure;
-    }
-
-    kea_def   = ss->ssl3.hs.kea_def;
-
-#ifdef NSS_ENABLE_ECC
-    /* XXX Using SSLKEAType to index server certifiates
-     * does not work for (EC)DHE ciphers. Until we have
-     * an indexing mechanism general enough for all key
-     * exchange algorithms, we'll need to deal with each
-     * one seprately.
-     */
-    if ((kea_def->kea == kea_ecdhe_rsa) ||
-	(kea_def->kea == kea_ecdhe_ecdsa)) {
-	    if (ss->ephemeralECDHKeyPair != NULL) {
-		    serverKey = ss->ephemeralECDHKeyPair->privKey;
-		    ss->sec.keaKeyBits = 
-			SECKEY_PublicKeyStrengthInBits(ss->ephemeralECDHKeyPair->pubKey);
-	    }
-    } else {
-#endif /* NSS_ENABLE_ECC */
-
-    serverKey =  (ss->ssl3.hs.usedStepDownKey
-#ifdef DEBUG
-		 && kea_def->is_limited /* XXX OR cert is signing only */
-		 && kea_def->exchKeyType == kt_rsa 
-		 && ss->stepDownKeyPair != NULL
-#endif
-		 ) ? ss->stepDownKeyPair->privKey
-		   : ss->serverCerts[kea_def->exchKeyType].SERVERKEY;
-
-    if (ss->ssl3.hs.usedStepDownKey
-#ifdef DEBUG
-	 && kea_def->is_limited /* XXX OR cert is signing only */
-	 && kea_def->exchKeyType == kt_rsa 
-	 && ss->stepDownKeyPair != NULL
-#endif
-	 ) { 
-    	serverKey = ss->stepDownKeyPair->privKey;
-	ss->sec.keaKeyBits = EXPORT_RSA_KEY_LENGTH * BPB;
-    } else {
-	sslServerCerts * sc = ss->serverCerts + kea_def->exchKeyType;
-	serverKey           = sc->SERVERKEY;
-	ss->sec.keaKeyBits = sc->serverKeyBits;
-    }
-
-#ifdef NSS_ENABLE_ECC
-    }
-#endif /* NSS_ENABLE_ECC */
-
-    if (serverKey == NULL) {
-    	SEND_ALERT
-	PORT_SetError(SSL_ERROR_NO_SERVER_KEY_FOR_ALG);
-	return SECFailure;
-    }
-
-    ss->sec.keaType    = kea_def->exchKeyType;
-
-    switch (kea_def->exchKeyType) {
-    case kt_rsa:
-	rv = ssl3_HandleRSAClientKeyExchange(ss, b, length, serverKey);
-	if (rv != SECSuccess) {
-	    SEND_ALERT
-	    return SECFailure;	/* error code set */
-	}
-	break;
-
-
-#ifdef NSS_ENABLE_ECC
-    case kt_ecdh:
-        /* XXX We really ought to be able to store multiple
-	 * EC certs (a requirement if we wish to support both
-	 * ECDH-RSA and ECDH-ECDSA key exchanges concurrently).
-	 * When we make that change, we'll need an index other
-	 * than kt_ecdh to pick the right EC certificate.
-	 */
-        if (((kea_def->kea == kea_ecdhe_ecdsa) ||
-	     (kea_def->kea == kea_ecdhe_rsa)) &&
-	    (ss->ephemeralECDHKeyPair != NULL)) {
-	    serverPubKey = ss->ephemeralECDHKeyPair->pubKey;
-	} else {
-	    serverPubKey = CERT_ExtractPublicKey(
-			   ss->serverCerts[kt_ecdh].serverCert);
-        }
-	if (serverPubKey == NULL) {
-	    /* XXX Is this the right error code? */
-	    PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
-	    return SECFailure;
-	}
-	rv = ssl3_HandleECDHClientKeyExchange(ss, b, length, 
-					      serverPubKey, serverKey);
-	if (rv != SECSuccess) {
-	    return SECFailure;	/* error code set */
-	}
-	break;
-#endif /* NSS_ENABLE_ECC */
-
-    default:
-	(void) ssl3_HandshakeFailure(ss);
-	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-	return SECFailure;
-    }
-    ss->ssl3.hs.ws = ss->sec.peerCert ? wait_cert_verify : wait_change_cipher;
-    return SECSuccess;
-
-}
-
-/* This is TLS's equivalent of sending a no_certificate alert. */
-static SECStatus
-ssl3_SendEmptyCertificate(sslSocket *ss)
-{
-    SECStatus            rv;
-
-    rv = ssl3_AppendHandshakeHeader(ss, certificate, 3);
-    if (rv == SECSuccess) {
-	rv = ssl3_AppendHandshakeNumber(ss, 0, 3);
-    }
-    return rv;	/* error, if any, set by functions called above. */
-}
-
-#ifdef NISCC_TEST
-static PRInt32 connNum = 0;
-
-static SECStatus 
-get_fake_cert(SECItem *pCertItem, int *pIndex)
-{
-    PRFileDesc *cf;
-    char *      testdir;
-    char *      startat;
-    char *      stopat;
-    const char *extension;
-    int         fileNum;
-    PRInt32     numBytes   = 0;
-    PRStatus    prStatus;
-    PRFileInfo  info;
-    char        cfn[100];
-
-    pCertItem->data = 0;
-    if ((testdir = PR_GetEnv("NISCC_TEST")) == NULL) {
-	return SECSuccess;
-    }
-    *pIndex   = (NULL != strstr(testdir, "root"));
-    extension = (strstr(testdir, "simple") ? "" : ".der");
-    fileNum     = PR_AtomicIncrement(&connNum) - 1;
-    if ((startat = PR_GetEnv("START_AT")) != NULL) {
-	fileNum += atoi(startat);
-    }
-    if ((stopat = PR_GetEnv("STOP_AT")) != NULL && 
-	fileNum >= atoi(stopat)) {
-	*pIndex = -1;
-	return SECSuccess;
-    }
-    sprintf(cfn, "%s/%08d%s", testdir, fileNum, extension);
-    cf = PR_Open(cfn, PR_RDONLY, 0);
-    if (!cf) {
-	goto loser;
-    }
-    prStatus = PR_GetOpenFileInfo(cf, &info);
-    if (prStatus != PR_SUCCESS) {
-	PR_Close(cf);
-	goto loser;
-    }
-    pCertItem = SECITEM_AllocItem(NULL, pCertItem, info.size);
-    if (pCertItem) {
-	numBytes = PR_Read(cf, pCertItem->data, info.size);
-    }
-    PR_Close(cf);
-    if (numBytes != info.size) {
-	SECITEM_FreeItem(pCertItem, PR_FALSE);
-	PORT_SetError(SEC_ERROR_IO);
-	goto loser;
-    }
-    fprintf(stderr, "using %s\n", cfn);
-    return SECSuccess;
-
-loser:
-    fprintf(stderr, "failed to use %s\n", cfn);
-    *pIndex = -1;
-    return SECFailure;
-}
-#endif
-
-/*
- * Used by both client and server.
- * Called from HandleServerHelloDone and from SendServerHelloSequence.
- */
-static SECStatus
-ssl3_SendCertificate(sslSocket *ss)
-{
-    SECStatus            rv;
-    CERTCertificateList *certChain;
-    int                  len 		= 0;
-    int                  i;
-    SSL3KEAType          certIndex;
-#ifdef NISCC_TEST
-    SECItem              fakeCert;
-    int                  ndex           = -1;
-#endif
-
-    SSL_TRC(3, ("%d: SSL3[%d]: send certificate handshake",
-		SSL_GETPID(), ss->fd));
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-
-    if (ss->sec.localCert)
-    	CERT_DestroyCertificate(ss->sec.localCert);
-    if (ss->sec.isServer) {
-	sslServerCerts * sc = NULL;
-
-	/* XXX SSLKEAType isn't really a good choice for 
-	 * indexing certificates (it breaks when we deal
-	 * with (EC)DHE-* cipher suites. This hack ensures
-	 * the RSA cert is picked for (EC)DHE-RSA.
-	 * Revisit this when we add server side support
-	 * for ECDHE-ECDSA or client-side authentication
-	 * using EC certificates.
-	 */
-	if ((ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) ||
-	    (ss->ssl3.hs.kea_def->kea == kea_dhe_rsa)) {
-	    certIndex = kt_rsa;
-	} else {
-	    certIndex = ss->ssl3.hs.kea_def->exchKeyType;
-	}
-	sc                    = ss->serverCerts + certIndex;
-	certChain             = sc->serverCertChain;
-	ss->sec.authKeyBits   = sc->serverKeyBits;
-	ss->sec.authAlgorithm = ss->ssl3.hs.kea_def->signKeyType;
-	ss->sec.localCert     = CERT_DupCertificate(sc->serverCert);
-    } else {
-	certChain          = ss->ssl3.clientCertChain;
-	ss->sec.localCert = CERT_DupCertificate(ss->ssl3.clientCertificate);
-    }
-
-#ifdef NISCC_TEST
-    rv = get_fake_cert(&fakeCert, &ndex);
-#endif
-
-    if (certChain) {
-	for (i = 0; i < certChain->len; i++) {
-#ifdef NISCC_TEST
-	    if (fakeCert.len > 0 && i == ndex) {
-		len += fakeCert.len + 3;
-	    } else {
-		len += certChain->certs[i].len + 3;
-	    }
-#else
-	    len += certChain->certs[i].len + 3;
-#endif
-	}
-    }
-
-    rv = ssl3_AppendHandshakeHeader(ss, certificate, len + 3);
-    if (rv != SECSuccess) {
-	return rv; 		/* err set by AppendHandshake. */
-    }
-    rv = ssl3_AppendHandshakeNumber(ss, len, 3);
-    if (rv != SECSuccess) {
-	return rv; 		/* err set by AppendHandshake. */
-    }
-    for (i = 0; i < certChain->len; i++) {
-#ifdef NISCC_TEST
-	if (fakeCert.len > 0 && i == ndex) {
-	    rv = ssl3_AppendHandshakeVariable(ss, fakeCert.data, fakeCert.len, 
-	                                      3);
-	    SECITEM_FreeItem(&fakeCert, PR_FALSE);
-	} else {
-	    rv = ssl3_AppendHandshakeVariable(ss, certChain->certs[i].data,
-					      certChain->certs[i].len, 3);
-	}
-#else
-	rv = ssl3_AppendHandshakeVariable(ss, certChain->certs[i].data,
-					  certChain->certs[i].len, 3);
-#endif
-	if (rv != SECSuccess) {
-	    return rv; 		/* err set by AppendHandshake. */
-	}
-    }
-
-    return SECSuccess;
-}
-
-/* This is used to delete the CA certificates in the peer certificate chain
- * from the cert database after they've been validated.
- */
-static void
-ssl3_CleanupPeerCerts(sslSocket *ss)
-{
-    PRArenaPool * arena = ss->ssl3.peerCertArena;
-    ssl3CertNode *certs = (ssl3CertNode *)ss->ssl3.peerCertChain;
-
-    for (; certs; certs = certs->next) {
-	CERT_DestroyCertificate(certs->cert);
-    }
-    if (arena) PORT_FreeArena(arena, PR_FALSE);
-    ss->ssl3.peerCertArena = NULL;
-    ss->ssl3.peerCertChain = NULL;
-}
-
-/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
- * ssl3 Certificate message.
- * Caller must hold Handshake and RecvBuf locks.
- */
-static SECStatus
-ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
-{
-    ssl3CertNode *   c;
-    ssl3CertNode *   certs 	= NULL;
-    PRArenaPool *    arena 	= NULL;
-    CERTCertificate *cert;
-    PRInt32          remaining  = 0;
-    PRInt32          size;
-    SECStatus        rv;
-    PRBool           isServer	= (PRBool)(!!ss->sec.isServer);
-    PRBool           trusted 	= PR_FALSE;
-    PRBool           isTLS;
-    SSL3AlertDescription desc	= bad_certificate;
-    int              errCode    = SSL_ERROR_RX_MALFORMED_CERTIFICATE;
-    SECItem          certItem;
-
-    SSL_TRC(3, ("%d: SSL3[%d]: handle certificate handshake",
-		SSL_GETPID(), ss->fd));
-    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-
-    if ((ss->ssl3.hs.ws != wait_server_cert) &&
-	(ss->ssl3.hs.ws != wait_client_cert)) {
-	desc    = unexpected_message;
-	errCode = SSL_ERROR_RX_UNEXPECTED_CERTIFICATE;
-	goto alert_loser;
-    }
-
-    if (ss->sec.peerCert != NULL) {
-	if (ss->sec.peerKey) {
-	    SECKEY_DestroyPublicKey(ss->sec.peerKey);
-	    ss->sec.peerKey = NULL;
-	}
-	CERT_DestroyCertificate(ss->sec.peerCert);
-	ss->sec.peerCert = NULL;
-    }
-
-    ssl3_CleanupPeerCerts(ss);
-    isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
-
-    /* It is reported that some TLS client sends a Certificate message
-    ** with a zero-length message body.  We'll treat that case like a
-    ** normal no_certificates message to maximize interoperability.
-    */
-    if (length) {
-	remaining = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
-	if (remaining < 0)
-	    goto loser;	/* fatal alert already sent by ConsumeHandshake. */
-	if ((PRUint32)remaining > length)
-	    goto decode_loser;
-    }
-
-    if (!remaining) {
-	if (!(isTLS && isServer))
-	    goto alert_loser;
-    	/* This is TLS's version of a no_certificate alert. */
-    	/* I'm a server. I've requested a client cert. He hasn't got one. */
-	rv = ssl3_HandleNoCertificate(ss);
-	if (rv != SECSuccess) {
-	    errCode = PORT_GetError();
-	    goto loser;
-	}
-	goto cert_block;
-    }
-
-    ss->ssl3.peerCertArena = arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( arena == NULL ) {
-	goto loser;	/* don't send alerts on memory errors */
-    }
-
-    /* First get the peer cert. */
-    remaining -= 3;
-    if (remaining < 0)
-	goto decode_loser;
-
-    size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
-    if (size <= 0)
-	goto loser;	/* fatal alert already sent by ConsumeHandshake. */
-
-    if (remaining < size)
-	goto decode_loser;
-
-    certItem.data = b;
-    certItem.len = size;
-    b      += size;
-    length -= size;
-    remaining -= size;
-
-    ss->sec.peerCert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
-                                            PR_FALSE, PR_TRUE);
-    if (ss->sec.peerCert == NULL) {
-	/* We should report an alert if the cert was bad, but not if the
-	 * problem was just some local problem, like memory error.
-	 */
-	goto ambiguous_err;
-    }
-
-    /* Now get all of the CA certs. */
-    while (remaining > 0) {
-	remaining -= 3;
-	if (remaining < 0)
-	    goto decode_loser;
-
-	size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
-	if (size <= 0)
-	    goto loser;	/* fatal alert already sent by ConsumeHandshake. */
-
-	if (remaining < size)
-	    goto decode_loser;
-
-	certItem.data = b;
-	certItem.len = size;
-	b      += size;
-	length -= size;
-	remaining -= size;
-
-	c = PORT_ArenaNew(arena, ssl3CertNode);
-	if (c == NULL) {
-	    goto loser;	/* don't send alerts on memory errors */
-	}
-
-	c->cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
-	                                  PR_FALSE, PR_TRUE);
-	if (c->cert == NULL) {
-	    goto ambiguous_err;
-	}
-
-	if (c->cert->trust)
-	    trusted = PR_TRUE;
-
-	c->next = certs;
-	certs = c;
-    }
-
-    if (remaining != 0)
-        goto decode_loser;
-
-    SECKEY_UpdateCertPQG(ss->sec.peerCert);
-
-    /*
-     * Ask caller-supplied callback function to validate cert chain.
-     */
-    rv = (SECStatus)(*ss->authCertificate)(ss->authCertificateArg, ss->fd,
-					   PR_TRUE, isServer);
-    if (rv) {
-	errCode = PORT_GetError();
-	if (!ss->handleBadCert) {
-	    goto bad_cert;
-	}
-	rv = (SECStatus)(*ss->handleBadCert)(ss->badCertArg, ss->fd);
-	if ( rv ) {
-	    if ( rv == SECWouldBlock ) {
-		/* someone will handle this connection asynchronously*/
-		SSL_DBG(("%d: SSL3[%d]: go to async cert handler",
-			 SSL_GETPID(), ss->fd));
-		ss->ssl3.peerCertChain = certs;
-		certs               = NULL;
-		ssl_SetAlwaysBlock(ss);
-		goto cert_block;
-	    }
-	    /* cert is bad */
-	    goto bad_cert;
-	}
-	/* cert is good */
-    }
-
-    /* start SSL Step Up, if appropriate */
-    cert = ss->sec.peerCert;
-    if (!isServer &&
-    	ssl3_global_policy_some_restricted &&
-        ss->ssl3.policy == SSL_ALLOWED &&
-	anyRestrictedEnabled(ss) &&
-	SECSuccess == CERT_VerifyCertNow(cert->dbhandle, cert,
-	                                 PR_FALSE, /* checkSig */
-				         certUsageSSLServerWithStepUp,
-/*XXX*/				         ss->authCertificateArg) ) {
-	ss->ssl3.policy         = SSL_RESTRICTED;
-	ss->ssl3.hs.rehandshake = PR_TRUE;
-    }
-
-    ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
-
-    if (!ss->sec.isServer) {
-	/* set the server authentication and key exchange types and sizes
-	** from the value in the cert.  If the key exchange key is different,
-	** it will get fixed when we handle the server key exchange message.
-	*/
-	SECKEYPublicKey * pubKey  = CERT_ExtractPublicKey(cert);
-	ss->sec.authAlgorithm = ss->ssl3.hs.kea_def->signKeyType;
-	ss->sec.keaType       = ss->ssl3.hs.kea_def->exchKeyType;
-	if (pubKey) {
-	    ss->sec.keaKeyBits = ss->sec.authKeyBits =
-		SECKEY_PublicKeyStrengthInBits(pubKey);
-#ifdef NSS_ENABLE_ECC
-	    if (ss->sec.keaType == kt_ecdh) {
-		/* Get authKeyBits from signing key.
-		 * XXX The code below uses a quick approximation of
-		 * key size based on cert->signatureWrap.signature.data
-		 * (which contains the DER encoded signature). The field
-		 * cert->signatureWrap.signature.len contains the
-		 * length of the encoded signature in bits.
-		 */
-		if (ss->ssl3.hs.kea_def->kea == kea_ecdh_ecdsa) {
-		    ss->sec.authKeyBits = 
-			cert->signatureWrap.signature.data[3]*8;
-		    if (cert->signatureWrap.signature.data[4] == 0x00)
-			    ss->sec.authKeyBits -= 8;
-		    /* 
-		     * XXX: if cert is not signed by ecdsa we should
-		     * destroy pubKey and goto bad_cert
-		     */
-		} else if (ss->ssl3.hs.kea_def->kea == kea_ecdh_rsa) {
-		    ss->sec.authKeyBits = cert->signatureWrap.signature.len;
-		    /* 
-		     * XXX: if cert is not signed by rsa we should
-		     * destroy pubKey and goto bad_cert
-		     */
-		}
-	    }
-#endif /* NSS_ENABLE_ECC */
-	    SECKEY_DestroyPublicKey(pubKey); 
-	    pubKey = NULL;
-    	}
-    }
-
-    ss->ssl3.peerCertChain = certs;  certs = NULL;  arena = NULL;
-
-cert_block:
-    if (ss->sec.isServer) {
-	ss->ssl3.hs.ws = wait_client_key;
-    } else {
-	ss->ssl3.hs.ws = wait_cert_request; /* disallow server_key_exchange */
-	if (ss->ssl3.hs.kea_def->is_limited ||
-	    /* XXX OR server cert is signing only. */
-#ifdef NSS_ENABLE_ECC
-	    ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
-	    ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa ||
-#endif /* NSS_ENABLE_ECC */
-	    ss->ssl3.hs.kea_def->exchKeyType == kt_dh) {
-	    ss->ssl3.hs.ws = wait_server_key; /* allow server_key_exchange */
-	}
-    }
-
-    /* rv must normally be equal to SECSuccess here.  If we called
-     * handleBadCert, it can also be SECWouldBlock.
-     */
-    return rv;
-
-ambiguous_err:
-    errCode = PORT_GetError();
-    switch (errCode) {
-    case PR_OUT_OF_MEMORY_ERROR:
-    case SEC_ERROR_BAD_DATABASE:
-    case SEC_ERROR_NO_MEMORY:
-	if (isTLS) {
-	    desc = internal_error;
-	    goto alert_loser;
-	}
-	goto loser;
-    }
-    /* fall through to bad_cert. */
-
-bad_cert:	/* caller has set errCode. */
-    switch (errCode) {
-    case SEC_ERROR_LIBRARY_FAILURE:     desc = unsupported_certificate; break;
-    case SEC_ERROR_EXPIRED_CERTIFICATE: desc = certificate_expired;     break;
-    case SEC_ERROR_REVOKED_CERTIFICATE: desc = certificate_revoked;     break;
-    case SEC_ERROR_INADEQUATE_KEY_USAGE:
-    case SEC_ERROR_INADEQUATE_CERT_TYPE:
-		                        desc = certificate_unknown;     break;
-    case SEC_ERROR_UNTRUSTED_CERT:
-		    desc = isTLS ? access_denied : certificate_unknown; break;
-    case SEC_ERROR_UNKNOWN_ISSUER:      
-    case SEC_ERROR_UNTRUSTED_ISSUER:    
-		    desc = isTLS ? unknown_ca : certificate_unknown; break;
-    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
-		    desc = isTLS ? unknown_ca : certificate_expired; break;
-
-    case SEC_ERROR_CERT_NOT_IN_NAME_SPACE:
-    case SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID:
-    case SEC_ERROR_CA_CERT_INVALID:
-    case SEC_ERROR_BAD_SIGNATURE:
-    default:                            desc = bad_certificate;     break;
-    }
-    SSL_DBG(("%d: SSL3[%d]: peer certificate is no good: error=%d",
-	     SSL_GETPID(), ss->fd, errCode));
-
-    goto alert_loser;
-
-decode_loser:
-    desc = isTLS ? decode_error : bad_certificate;
-
-alert_loser:
-    (void)SSL3_SendAlert(ss, alert_fatal, desc);
-
-loser:
-    ss->ssl3.peerCertChain = certs;  certs = NULL;  arena = NULL;
-    ssl3_CleanupPeerCerts(ss);
-
-    if (ss->sec.peerCert != NULL) {
-	CERT_DestroyCertificate(ss->sec.peerCert);
-	ss->sec.peerCert = NULL;
-    }
-    (void)ssl_MapLowLevelError(errCode);
-    return SECFailure;
-}
-
-
-/* restart an SSL connection that we stopped to run certificate dialogs
-** XXX	Need to document here how an application marks a cert to show that
-**	the application has accepted it (overridden CERT_VerifyCert).
- *
- * XXX This code only works on the initial handshake on a connection, XXX
- *     It does not work on a subsequent handshake (redo).
- *
- * Return value: XXX
- *
- * Caller holds 1stHandshakeLock.
-*/
-int
-ssl3_RestartHandshakeAfterServerCert(sslSocket *ss)
-{
-    CERTCertificate * cert;
-    int               rv	= SECSuccess;
-
-    if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
-	SET_ERROR_CODE
-    	return SECFailure;
-    }
-    if (!ss->ssl3.initialized) {
-	SET_ERROR_CODE
-    	return SECFailure;
-    }
-
-    cert = ss->sec.peerCert;
-
-    /* Permit step up if user decided to accept the cert */
-    if (!ss->sec.isServer &&
-    	ssl3_global_policy_some_restricted &&
-        ss->ssl3.policy == SSL_ALLOWED &&
-	anyRestrictedEnabled(ss) &&
-	(SECSuccess == CERT_VerifyCertNow(cert->dbhandle, cert,
-	                                  PR_FALSE, /* checksig */
-				          certUsageSSLServerWithStepUp,
-/*XXX*/				          ss->authCertificateArg) )) {
-	ss->ssl3.policy         = SSL_RESTRICTED;
-	ss->ssl3.hs.rehandshake = PR_TRUE;
-    }
-
-    if (ss->handshake != NULL) {
-	ss->handshake = ssl_GatherRecord1stHandshake;
-	ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
-
-	ssl_GetRecvBufLock(ss);
-	if (ss->ssl3.hs.msgState.buf != NULL) {
-	    rv = ssl3_HandleRecord(ss, NULL, &ss->gs.buf);
-	}
-	ssl_ReleaseRecvBufLock(ss);
-    }
-
-    return rv;
-}
-
-static SECStatus
-ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
-			PRBool          isServer,
-                const   SSL3Finished *  hashes,
-                        TLSFinished  *  tlsFinished)
-{
-    const char * label;
-    unsigned int len;
-    SECStatus    rv;
-
-    label = isServer ? "server finished" : "client finished";
-    len   = 15;
-
-    if (spec->master_secret && !spec->bypassCiphers) {
-	SECItem      param       = {siBuffer, NULL, 0};
-	PK11Context *prf_context =
-	    PK11_CreateContextBySymKey(CKM_TLS_PRF_GENERAL, CKA_SIGN, 
-				       spec->master_secret, &param);
-	if (!prf_context)
-	    return SECFailure;
-
-	rv  = PK11_DigestBegin(prf_context);
-	rv |= PK11_DigestOp(prf_context, (const unsigned char *) label, len);
-	rv |= PK11_DigestOp(prf_context, hashes->md5, sizeof *hashes);
-	rv |= PK11_DigestFinal(prf_context, tlsFinished->verify_data, 
-			       &len, sizeof tlsFinished->verify_data);
-	PORT_Assert(rv != SECSuccess || len == sizeof *tlsFinished);
-
-	PK11_DestroyContext(prf_context, PR_TRUE);
-    } else {
-	/* bypass PKCS11 */
-	SECItem inData  = { siBuffer, };
-	SECItem outData = { siBuffer, };
-	PRBool isFIPS   = PR_FALSE;
-
-	inData.data  = (unsigned char *)hashes->md5;
-	inData.len   = sizeof hashes[0];
-	outData.data = tlsFinished->verify_data;
-	outData.len  = sizeof tlsFinished->verify_data;
-	rv = TLS_PRF(&spec->msItem, label, &inData, &outData, isFIPS);
-	PORT_Assert(rv != SECSuccess || \
-		    outData.len == sizeof tlsFinished->verify_data);
-    }
-    return rv;
-}
-
-/* called from ssl3_HandleServerHelloDone
- *             ssl3_HandleClientHello
- *             ssl3_HandleFinished
- */
-static SECStatus
-ssl3_SendFinished(sslSocket *ss, PRInt32 flags)
-{
-    ssl3CipherSpec *cwSpec;
-    PRBool          isTLS;
-    PRBool          isServer = ss->sec.isServer;
-    SECStatus       rv;
-    SSL3Sender      sender = isServer ? sender_server : sender_client;
-    SSL3Finished    hashes;
-    TLSFinished     tlsFinished;
-
-    SSL_TRC(3, ("%d: SSL3[%d]: send finished handshake", SSL_GETPID(), ss->fd));
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-
-    ssl_GetSpecReadLock(ss);
-    cwSpec = ss->ssl3.cwSpec;
-    isTLS = (PRBool)(cwSpec->version > SSL_LIBRARY_VERSION_3_0);
-    rv = ssl3_ComputeHandshakeHashes(ss, cwSpec, &hashes, sender);
-    if (isTLS && rv == SECSuccess) {
-	rv = ssl3_ComputeTLSFinished(cwSpec, isServer, &hashes, &tlsFinished);
-    }
-    ssl_ReleaseSpecReadLock(ss);
-    if (rv != SECSuccess) {
-	goto fail;	/* err code was set by ssl3_ComputeHandshakeHashes */
-    }
-
-    if (isTLS) {
-	rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof tlsFinished);
-	if (rv != SECSuccess) 
-	    goto fail; 		/* err set by AppendHandshake. */
-	rv = ssl3_AppendHandshake(ss, &tlsFinished, sizeof tlsFinished);
-	if (rv != SECSuccess) 
-	    goto fail; 		/* err set by AppendHandshake. */
-    } else {
-	rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof hashes);
-	if (rv != SECSuccess) 
-	    goto fail; 		/* err set by AppendHandshake. */
-	rv = ssl3_AppendHandshake(ss, &hashes, sizeof hashes);
-	if (rv != SECSuccess) 
-	    goto fail; 		/* err set by AppendHandshake. */
-    }
-    rv = ssl3_FlushHandshake(ss, flags);
-    if (rv != SECSuccess) {
-	goto fail;	/* error code set by ssl3_FlushHandshake */
-    }
-    return SECSuccess;
-
-fail:
-    return rv;
-}
-
-/* wrap the master secret, and put it into the SID.
- * Caller holds the Spec read lock.
- */
-static SECStatus
-ssl3_CacheWrappedMasterSecret(sslSocket *ss, SSL3KEAType effectiveExchKeyType)
-{
-    sslSessionID *    sid	   = ss->sec.ci.sid;
-    PK11SymKey *      wrappingKey  = NULL;
-    PK11SlotInfo *    symKeySlot;
-    void *            pwArg        = ss->pkcs11PinArg;
-    SECStatus         rv           = SECFailure;
-    PRBool            isServer     = ss->sec.isServer;
-    CK_MECHANISM_TYPE mechanism    = CKM_INVALID_MECHANISM;
-    symKeySlot = PK11_GetSlotFromKey(ss->ssl3.crSpec->master_secret);
-    if (!isServer) {
-	int  wrapKeyIndex;
-	int  incarnation;
-
-	/* these next few functions are mere accessors and don't fail. */
-	sid->u.ssl3.masterWrapIndex  = wrapKeyIndex =
-				       PK11_GetCurrentWrapIndex(symKeySlot);
-	PORT_Assert(wrapKeyIndex == 0);	/* array has only one entry! */
-
-	sid->u.ssl3.masterWrapSeries = incarnation =
-				       PK11_GetSlotSeries(symKeySlot);
-	sid->u.ssl3.masterSlotID   = PK11_GetSlotID(symKeySlot);
-	sid->u.ssl3.masterModuleID = PK11_GetModuleID(symKeySlot);
-	sid->u.ssl3.masterValid    = PR_TRUE;
-	/* Get the default wrapping key, for wrapping the master secret before
-	 * placing it in the SID cache entry. */
-	wrappingKey = PK11_GetWrapKey(symKeySlot, wrapKeyIndex,
-				      CKM_INVALID_MECHANISM, incarnation,
-				      pwArg);
-	if (wrappingKey) {
-	    mechanism = PK11_GetMechanism(wrappingKey); /* can't fail. */
-	} else {
-	    int keyLength;
-	    /* if the wrappingKey doesn't exist, attempt to create it.
-	     * Note: we intentionally ignore errors here.  If we cannot
-	     * generate a wrapping key, it is not fatal to this SSL connection,
-	     * but we will not be able to restart this session.
-	     */
-	    mechanism = PK11_GetBestWrapMechanism(symKeySlot);
-	    keyLength = PK11_GetBestKeyLength(symKeySlot, mechanism);
-	    /* Zero length means fixed key length algorithm, or error.
-	     * It's ambiguous.
-	     */
-	    wrappingKey = PK11_KeyGen(symKeySlot, mechanism, NULL,
-				      keyLength, pwArg);
-	    if (wrappingKey) {
-		PK11_SetWrapKey(symKeySlot, wrapKeyIndex, wrappingKey);
-	    }
-	}
-    } else {
-	/* server socket using session cache. */
-	mechanism = PK11_GetBestWrapMechanism(symKeySlot);
-	if (mechanism != CKM_INVALID_MECHANISM) {
-	    wrappingKey =
-		getWrappingKey(ss, symKeySlot, effectiveExchKeyType,
-			       mechanism, pwArg);
-	    if (wrappingKey) {
-		mechanism = PK11_GetMechanism(wrappingKey); /* can't fail. */
-	    }
-	}
-    }
-
-    sid->u.ssl3.masterWrapMech = mechanism;
-    PK11_FreeSlot(symKeySlot);
-
-    if (wrappingKey) {
-	SECItem wmsItem;
-
-	wmsItem.data = sid->u.ssl3.keys.wrapped_master_secret;
-	wmsItem.len  = sizeof sid->u.ssl3.keys.wrapped_master_secret;
-	rv = PK11_WrapSymKey(mechanism, NULL, wrappingKey,
-			     ss->ssl3.crSpec->master_secret, &wmsItem);
-	/* rv is examined below. */
-	sid->u.ssl3.keys.wrapped_master_secret_len = wmsItem.len;
-	PK11_FreeSymKey(wrappingKey);
-    }
-    return rv;
-}
-
-/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
- * ssl3 Finished message from the peer.
- * Caller must hold Handshake and RecvBuf locks.
- */
-static SECStatus
-ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
-		    const SSL3Hashes *hashes)
-{
-    sslSessionID *    sid	   = ss->sec.ci.sid;
-    SECStatus         rv           = SECSuccess;
-    PRBool            isServer     = ss->sec.isServer;
-    PRBool            isTLS;
-    PRBool            doStepUp;
-    SSL3KEAType       effectiveExchKeyType;
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-
-    SSL_TRC(3, ("%d: SSL3[%d]: handle finished handshake",
-    	SSL_GETPID(), ss->fd));
-
-    if (ss->ssl3.hs.ws != wait_finished) {
-	SSL3_SendAlert(ss, alert_fatal, unexpected_message);
-    	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_FINISHED);
-	return SECFailure;
-    }
-
-    isTLS = (PRBool)(ss->ssl3.crSpec->version > SSL_LIBRARY_VERSION_3_0);
-    if (isTLS) {
-	TLSFinished tlsFinished;
-
-	if (length != sizeof tlsFinished) {
-	    (void)SSL3_SendAlert(ss, alert_fatal, decode_error);
-	    PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED);
-	    return SECFailure;
-	}
-	rv = ssl3_ComputeTLSFinished(ss->ssl3.crSpec, !isServer, 
-	                             hashes, &tlsFinished);
-	if (rv != SECSuccess ||
-	    0 != PORT_Memcmp(&tlsFinished, b, length)) {
-	    (void)SSL3_SendAlert(ss, alert_fatal, decrypt_error);
-	    PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
-	    return SECFailure;
-	}
-    } else {
-	if (length != sizeof(SSL3Hashes)) {
-	    (void)ssl3_IllegalParameter(ss);
-	    PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED);
-	    return SECFailure;
-	}
-
-	if (0 != PORT_Memcmp(hashes, b, length)) {
-	    (void)ssl3_HandshakeFailure(ss);
-	    PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
-	    return SECFailure;
-	}
-    }
-
-    doStepUp = (PRBool)(!isServer && ss->ssl3.hs.rehandshake);
-
-    ssl_GetXmitBufLock(ss);	/*************************************/
-
-    if ((isServer && !ss->ssl3.hs.isResuming) ||
-	(!isServer && ss->ssl3.hs.isResuming)) {
-	PRInt32 flags = 0;
-
-	rv = ssl3_SendChangeCipherSpecs(ss);
-	if (rv != SECSuccess) {
-	    goto xmit_loser;	/* err is set. */
-	}
-	/* If this thread is in SSL_SecureSend (trying to write some data) 
-	** or if it is going to step up, 
-	** then set the ssl_SEND_FLAG_FORCE_INTO_BUFFER flag, so that the 
-	** last two handshake messages (change cipher spec and finished) 
-	** will be sent in the same send/write call as the application data.
-	*/
-	if (doStepUp || ss->writerThread == PR_GetCurrentThread()) {
-	    flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER;
-	}
-	rv = ssl3_SendFinished(ss, flags);
-	if (rv != SECSuccess) {
-	    goto xmit_loser;	/* err is set. */
-	}
-    }
-
-    /* Optimization: don't cache this connection if we're going to step up. */
-    if (doStepUp) {
-	ssl_FreeSID(sid);
-	ss->sec.ci.sid     = sid = NULL;
-	ss->ssl3.hs.rehandshake = PR_FALSE;
-	rv = ssl3_SendClientHello(ss);
-xmit_loser:
-	ssl_ReleaseXmitBufLock(ss);
-	return rv;	/* err code is set if appropriate. */
-    }
-
-    ssl_ReleaseXmitBufLock(ss);	/*************************************/
-
-    /* The first handshake is now completed. */
-    ss->handshake           = NULL;
-    ss->firstHsDone         = PR_TRUE;
-    ss->gs.writeOffset = 0;
-    ss->gs.readOffset  = 0;
-
-    if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) {
-	effectiveExchKeyType = kt_rsa;
-    } else {
-	effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType;
-    }
-
-    if (sid->cached == never_cached && !ss->opt.noCache && ss->sec.cache) {
-	/* fill in the sid */
-	sid->u.ssl3.cipherSuite = ss->ssl3.hs.cipher_suite;
-	sid->u.ssl3.compression = ss->ssl3.hs.compression;
-	sid->u.ssl3.policy      = ss->ssl3.policy;
-	sid->u.ssl3.exchKeyType = effectiveExchKeyType;
-	sid->version            = ss->version;
-	sid->authAlgorithm      = ss->sec.authAlgorithm;
-	sid->authKeyBits        = ss->sec.authKeyBits;
-	sid->keaType            = ss->sec.keaType;
-	sid->keaKeyBits         = ss->sec.keaKeyBits;
-	sid->lastAccessTime     = sid->creationTime = ssl_Time();
-	sid->expirationTime     = sid->creationTime + ssl3_sid_timeout;
-	sid->localCert          = CERT_DupCertificate(ss->sec.localCert);
-
-	ssl_GetSpecReadLock(ss);	/*************************************/
-
-	/* Copy the master secret (wrapped or unwrapped) into the sid */
-	if (ss->ssl3.crSpec->msItem.len && ss->ssl3.crSpec->msItem.data) {
-	    sid->u.ssl3.keys.wrapped_master_secret_len = 
-			    ss->ssl3.crSpec->msItem.len;
-	    memcpy(sid->u.ssl3.keys.wrapped_master_secret, 
-		   ss->ssl3.crSpec->msItem.data, ss->ssl3.crSpec->msItem.len);
-	    sid->u.ssl3.masterValid    = PR_TRUE;
-	    sid->u.ssl3.keys.msIsWrapped = PR_FALSE;
-	    rv = SECSuccess;
-	} else {
-	    rv = ssl3_CacheWrappedMasterSecret(ss, effectiveExchKeyType);
-	    sid->u.ssl3.keys.msIsWrapped = PR_TRUE;
-	}
-	ssl_ReleaseSpecReadLock(ss);  /*************************************/
-
-	/* If the wrap failed, we don't cache the sid.
-	 * The connection continues normally however.
-	 */
-	if (rv == SECSuccess) {
-	    (*ss->sec.cache)(sid);
-	}
-    }
-    ss->ssl3.hs.ws = idle_handshake;
-
-    /* Do the handshake callback for sslv3 here. */
-    if (ss->handshakeCallback != NULL) {
-	(ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
-    }
-
-    return SECSuccess;
-}
-
-/* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3
- * hanshake message.
- * Caller must hold Handshake and RecvBuf locks.
- */
-static SECStatus
-ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
-{
-    SECStatus         rv 	= SECSuccess;
-    SSL3HandshakeType type 	= ss->ssl3.hs.msg_type;
-    SSL3Hashes        hashes;	/* computed hashes are put here. */
-    PRUint8           hdr[4];
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-    /*
-     * We have to compute the hashes before we update them with the
-     * current message.
-     */
-    ssl_GetSpecReadLock(ss);	/************************************/
-    if((type == finished) || (type == certificate_verify)) {
-	SSL3Sender      sender = (SSL3Sender)0;
-	ssl3CipherSpec *rSpec  = ss->ssl3.prSpec;
-
-	if (type == finished) {
-	    sender = ss->sec.isServer ? sender_client : sender_server;
-	    rSpec  = ss->ssl3.crSpec;
-	}
-	rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender);
-    }
-    ssl_ReleaseSpecReadLock(ss); /************************************/
-    if (rv != SECSuccess) {
-	return rv;	/* error code was set by ssl3_ComputeHandshakeHashes*/
-    }
-    SSL_TRC(30,("%d: SSL3[%d]: handle handshake message: %s", SSL_GETPID(),
-		ss->fd, ssl3_DecodeHandshakeType(ss->ssl3.hs.msg_type)));
-    PRINT_BUF(60, (ss, "MD5 handshake hash:",
-    	      (unsigned char*)ss->ssl3.hs.md5_cx, MD5_LENGTH));
-    PRINT_BUF(95, (ss, "SHA handshake hash:",
-    	      (unsigned char*)ss->ssl3.hs.sha_cx, SHA1_LENGTH));
-
-    hdr[0] = (PRUint8)ss->ssl3.hs.msg_type;
-    hdr[1] = (PRUint8)(length >> 16);
-    hdr[2] = (PRUint8)(length >>  8);
-    hdr[3] = (PRUint8)(length      );
-
-    /* Start new handshake hashes when we start a new handshake */
-    if (ss->ssl3.hs.msg_type == client_hello) {
-	SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
-		SSL_GETPID(), ss->fd ));
-	if (ss->opt.bypassPKCS11) {
-	    MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx);
-	    SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx);
-	} else {
-	    rv = PK11_DigestBegin(ss->ssl3.hs.md5);
-	    if (rv != SECSuccess) {
-		ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
-		return rv;
-	    }
-	    rv = PK11_DigestBegin(ss->ssl3.hs.sha);
-	    if (rv != SECSuccess) {
-		ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
-		return rv;
-	    }
-	}
-    }
-    /* We should not include hello_request messages in the handshake hashes */
-    if (ss->ssl3.hs.msg_type != hello_request) {
-	rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) hdr, 4);
-	if (rv != SECSuccess) return rv;	/* err code already set. */
-	rv = ssl3_UpdateHandshakeHashes(ss, b, length);
-	if (rv != SECSuccess) return rv;	/* err code already set. */
-    }
-
-    PORT_SetError(0);	/* each message starts with no error. */
-    switch (ss->ssl3.hs.msg_type) {
-    case hello_request:
-	if (length != 0) {
-	    (void)ssl3_DecodeError(ss);
-	    PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST);
-	    return SECFailure;
-	}
-	if (ss->sec.isServer) {
-	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
-	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST);
-	    return SECFailure;
-	}
-	rv = ssl3_HandleHelloRequest(ss);
-	break;
-    case client_hello:
-	if (!ss->sec.isServer) {
-	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
-	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO);
-	    return SECFailure;
-	}
-	rv = ssl3_HandleClientHello(ss, b, length);
-	break;
-    case server_hello:
-	if (ss->sec.isServer) {
-	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
-	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO);
-	    return SECFailure;
-	}
-	rv = ssl3_HandleServerHello(ss, b, length);
-	break;
-    case certificate:
-	rv = ssl3_HandleCertificate(ss, b, length);
-	break;
-    case server_key_exchange:
-	if (ss->sec.isServer) {
-	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
-	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH);
-	    return SECFailure;
-	}
-	rv = ssl3_HandleServerKeyExchange(ss, b, length);
-	break;
-    case certificate_request:
-	if (ss->sec.isServer) {
-	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
-	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST);
-	    return SECFailure;
-	}
-	rv = ssl3_HandleCertificateRequest(ss, b, length);
-	break;
-    case server_hello_done:
-	if (length != 0) {
-	    (void)ssl3_DecodeError(ss);
-	    PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_DONE);
-	    return SECFailure;
-	}
-	if (ss->sec.isServer) {
-	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
-	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
-	    return SECFailure;
-	}
-	rv = ssl3_HandleServerHelloDone(ss);
-	break;
-    case certificate_verify:
-	if (!ss->sec.isServer) {
-	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
-	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY);
-	    return SECFailure;
-	}
-	rv = ssl3_HandleCertificateVerify(ss, b, length, &hashes);
-	break;
-    case client_key_exchange:
-	if (!ss->sec.isServer) {
-	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
-	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH);
-	    return SECFailure;
-	}
-	rv = ssl3_HandleClientKeyExchange(ss, b, length);
-	break;
-    case finished:
-        rv = ssl3_HandleFinished(ss, b, length, &hashes);
-	break;
-    default:
-	(void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
-	PORT_SetError(SSL_ERROR_RX_UNKNOWN_HANDSHAKE);
-	rv = SECFailure;
-    }
-    return rv;
-}
-
-/* Called only from ssl3_HandleRecord, for each (deciphered) ssl3 record.
- * origBuf is the decrypted ssl record content.
- * Caller must hold the handshake and RecvBuf locks.
- */
-static SECStatus
-ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
-{
-    /*
-     * There may be a partial handshake message already in the handshake
-     * state. The incoming buffer may contain another portion, or a
-     * complete message or several messages followed by another portion.
-     *
-     * Each message is made contiguous before being passed to the actual
-     * message parser.
-     */
-    sslBuffer *buf = &ss->ssl3.hs.msgState; /* do not lose the original buffer pointer */
-    SECStatus rv;
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-
-    if (buf->buf == NULL) {
-	*buf = *origBuf;
-    }
-    while (buf->len > 0) {
-	if (ss->ssl3.hs.header_bytes < 4) {
-	    uint8 t;
-	    t = *(buf->buf++);
-	    buf->len--;
-	    if (ss->ssl3.hs.header_bytes++ == 0)
-		ss->ssl3.hs.msg_type = (SSL3HandshakeType)t;
-	    else
-		ss->ssl3.hs.msg_len = (ss->ssl3.hs.msg_len << 8) + t;
-	    if (ss->ssl3.hs.header_bytes < 4)
-	    	continue;
-
-#define MAX_HANDSHAKE_MSG_LEN 0x1ffff	/* 128k - 1 */
-	    if (ss->ssl3.hs.msg_len > MAX_HANDSHAKE_MSG_LEN) {
-		(void)ssl3_DecodeError(ss);
-		PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
-		return SECFailure;
-	    }
-#undef MAX_HANDSHAKE_MSG_LEN
-
-	    /* If msg_len is zero, be sure we fall through, 
-	    ** even if buf->len is zero. 
-	    */
-	    if (ss->ssl3.hs.msg_len > 0) 
-	    	continue;
-	}
-
-	/*
-	 * Header has been gathered and there is at least one byte of new
-	 * data available for this message. If it can be done right out
-	 * of the original buffer, then use it from there.
-	 */
-	if (ss->ssl3.hs.msg_body.len == 0 && buf->len >= ss->ssl3.hs.msg_len) {
-	    /* handle it from input buffer */
-	    rv = ssl3_HandleHandshakeMessage(ss, buf->buf, ss->ssl3.hs.msg_len);
-	    if (rv == SECFailure) {
-		/* This test wants to fall through on either
-		 * SECSuccess or SECWouldBlock.
-		 * ssl3_HandleHandshakeMessage MUST set the error code.
-		 */
-		return rv;
-	    }
-	    buf->buf += ss->ssl3.hs.msg_len;
-	    buf->len -= ss->ssl3.hs.msg_len;
-	    ss->ssl3.hs.msg_len = 0;
-	    ss->ssl3.hs.header_bytes = 0;
-	    if (rv != SECSuccess) { /* return if SECWouldBlock. */
-		return rv;
-	    }
-	} else {
-	    /* must be copied to msg_body and dealt with from there */
-	    unsigned int bytes;
-
-	    PORT_Assert(ss->ssl3.hs.msg_body.len <= ss->ssl3.hs.msg_len);
-	    bytes = PR_MIN(buf->len, ss->ssl3.hs.msg_len - ss->ssl3.hs.msg_body.len);
-
-	    /* Grow the buffer if needed */
-	    rv = sslBuffer_Grow(&ss->ssl3.hs.msg_body, ss->ssl3.hs.msg_len);
-	    if (rv != SECSuccess) {
-		/* sslBuffer_Grow has set a memory error code. */
-		return SECFailure;
-	    }
-
-	    PORT_Memcpy(ss->ssl3.hs.msg_body.buf + ss->ssl3.hs.msg_body.len,
-		        buf->buf, bytes);
-	    ss->ssl3.hs.msg_body.len += bytes;
-	    buf->buf += bytes;
-	    buf->len -= bytes;
-
-	    PORT_Assert(ss->ssl3.hs.msg_body.len <= ss->ssl3.hs.msg_len);
-
-	    /* if we have a whole message, do it */
-	    if (ss->ssl3.hs.msg_body.len == ss->ssl3.hs.msg_len) {
-		rv = ssl3_HandleHandshakeMessage(
-		    ss, ss->ssl3.hs.msg_body.buf, ss->ssl3.hs.msg_len);
-		/*
-		 * XXX This appears to be wrong.  This error handling
-		 * should clean up after a SECWouldBlock return, like the
-		 * error handling used 40 lines before/above this one,
-		 */
-		if (rv != SECSuccess) {
-		    /* ssl3_HandleHandshakeMessage MUST set error code. */
-		    return rv;
-		}
-		ss->ssl3.hs.msg_body.len = 0;
-		ss->ssl3.hs.msg_len      = 0;
-		ss->ssl3.hs.header_bytes = 0;
-	    } else {
-		PORT_Assert(buf->len == 0);
-		break;
-	    }
-	}
-    }	/* end loop */
-
-    origBuf->len = 0;	/* So ssl3_GatherAppDataRecord will keep looping. */
-    buf->buf = NULL;	/* not a leak. */
-    return SECSuccess;
-}
-
-/* if cText is non-null, then decipher, check MAC, and decompress the
- * SSL record from cText->buf (typically gs->inbuf)
- * into databuf (typically gs->buf), and any previous contents of databuf
- * is lost.  Then handle databuf according to its SSL record type,
- * unless it's an application record.
- *
- * If cText is NULL, then the ciphertext has previously been deciphered and
- * checked, and is already sitting in databuf.  It is processed as an SSL
- * Handshake message.
- *
- * DOES NOT process the decrypted/decompressed application data.
- * On return, databuf contains the decrypted/decompressed record.
- *
- * Called from ssl3_GatherCompleteHandshake
- *             ssl3_RestartHandshakeAfterCertReq
- *             ssl3_RestartHandshakeAfterServerCert
- *
- * Caller must hold the RecvBufLock.
- *
- * This function aquires and releases the SSL3Handshake Lock, holding the
- * lock around any calls to functions that handle records other than
- * Application Data records.
- */
-SECStatus
-ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf)
-{
-const ssl3BulkCipherDef *cipher_def;
-    ssl3CipherSpec *     crSpec;
-    SECStatus            rv;
-    unsigned int         hashBytes		= MAX_MAC_LENGTH + 1;
-    unsigned int         padding_length;
-    PRBool               isTLS;
-    PRBool               padIsBad               = PR_FALSE;
-    SSL3ContentType      rType;
-    SSL3Opaque           hash[MAX_MAC_LENGTH];
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-
-    if (!ss->ssl3.initialized) {
-	ssl_GetSSL3HandshakeLock(ss);
-	rv = ssl3_InitState(ss);
-	ssl_ReleaseSSL3HandshakeLock(ss);
-	if (rv != SECSuccess) {
-	    return rv;		/* ssl3_InitState has set the error code. */
-    	}
-    }
-
-    /* check for Token Presence */
-    if (!ssl3_ClientAuthTokenPresent(ss->sec.ci.sid)) {
-	PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
-	return SECFailure;
-    }
-
-    /* cText is NULL when we're called from ssl3_RestartHandshakeAfterXXX().
-     * This implies that databuf holds a previously deciphered SSL Handshake
-     * message.
-     */
-    if (cText == NULL) {
-	SSL_DBG(("%d: SSL3[%d]: HandleRecord, resuming handshake",
-		 SSL_GETPID(), ss->fd));
-	rType = content_handshake;
-	goto process_it;
-    }
-
-    databuf->len = 0; /* filled in by decode call below. */
-    if (databuf->space < MAX_FRAGMENT_LENGTH) {
-	rv = sslBuffer_Grow(databuf, MAX_FRAGMENT_LENGTH + 2048);
-	if (rv != SECSuccess) {
-	    SSL_DBG(("%d: SSL3[%d]: HandleRecord, tried to get %d bytes",
-		     SSL_GETPID(), ss->fd, MAX_FRAGMENT_LENGTH + 2048));
-	    /* sslBuffer_Grow has set a memory error code. */
-	    /* Perhaps we should send an alert. (but we have no memory!) */
-	    return SECFailure;
-	}
-    }
-
-    PRINT_BUF(80, (ss, "ciphertext:", cText->buf->buf, cText->buf->len));
-
-    ssl_GetSpecReadLock(ss); /******************************************/
-
-    crSpec = ss->ssl3.crSpec;
-    cipher_def = crSpec->cipher_def;
-    isTLS = (PRBool)(crSpec->version > SSL_LIBRARY_VERSION_3_0);
-
-    if (isTLS && cText->buf->len > (MAX_FRAGMENT_LENGTH + 2048)) {
-	ssl_ReleaseSpecReadLock(ss);
-	SSL3_SendAlert(ss, alert_fatal, record_overflow);
-	PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
-	return SECFailure;
-    }
-    /* decrypt from cText buf to databuf. */
-    rv = crSpec->decode(
-	crSpec->decodeContext, databuf->buf, (int *)&databuf->len,
-	databuf->space, cText->buf->buf, cText->buf->len);
-
-    PRINT_BUF(80, (ss, "cleartext:", databuf->buf, databuf->len));
-    if (rv != SECSuccess) {
-	int err = ssl_MapLowLevelError(SSL_ERROR_DECRYPTION_FAILURE);
-	ssl_ReleaseSpecReadLock(ss);
-	SSL3_SendAlert(ss, alert_fatal,
-	               isTLS ? decryption_failed : bad_record_mac);
-	PORT_SetError(err);
-	return SECFailure;
-    }
-
-    /* If it's a block cipher, check and strip the padding. */
-    if (cipher_def->type == type_block) {
-	padding_length = *(databuf->buf + databuf->len - 1);
-	/* TLS permits padding to exceed the block size, up to 255 bytes. */
-	if (padding_length + 1 + crSpec->mac_size > databuf->len)
-	    padIsBad = PR_TRUE;
-	/* if TLS, check value of first padding byte. */
-	else if (padding_length && isTLS && 
-	         padding_length != 
-	                 *(databuf->buf + databuf->len - (padding_length + 1)))
-	    padIsBad = PR_TRUE;
-	else
-	    databuf->len -= padding_length + 1;
-    }
-
-    /* Remove the MAC. */
-    if (databuf->len >= crSpec->mac_size)
-	databuf->len -= crSpec->mac_size;
-    else
-    	padIsBad = PR_TRUE;	/* really macIsBad */
-
-    /* compute the MAC */
-    rType = cText->type;
-    rv = ssl3_ComputeRecordMAC( crSpec, (PRBool)(!ss->sec.isServer),
-	rType, cText->version, crSpec->read_seq_num, 
-	databuf->buf, databuf->len, hash, &hashBytes);
-    if (rv != SECSuccess) {
-	int err = ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
-	ssl_ReleaseSpecReadLock(ss);
-	SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
-	PORT_SetError(err);
-	return rv;
-    }
-
-    /* Check the MAC */
-    if (hashBytes != (unsigned)crSpec->mac_size || padIsBad || 
-	PORT_Memcmp(databuf->buf + databuf->len, hash, crSpec->mac_size) != 0) {
-	/* must not hold spec lock when calling SSL3_SendAlert. */
-	ssl_ReleaseSpecReadLock(ss);
-	SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
-	/* always log mac error, in case attacker can read server logs. */
-	PORT_SetError(SSL_ERROR_BAD_MAC_READ);
-
-	SSL_DBG(("%d: SSL3[%d]: mac check failed", SSL_GETPID(), ss->fd));
-
-	return SECFailure;
-    }
-
-    ssl3_BumpSequenceNumber(&crSpec->read_seq_num);
-
-    ssl_ReleaseSpecReadLock(ss); /*****************************************/
-
-    /*
-     * The decrypted data is now in databuf.
-     *
-     * the null decompression routine is right here
-     */
-
-    /*
-    ** Having completed the decompression, check the length again. 
-    */
-    if (isTLS && databuf->len > (MAX_FRAGMENT_LENGTH + 1024)) {
-	SSL3_SendAlert(ss, alert_fatal, record_overflow);
-	PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
-	return SECFailure;
-    }
-
-    /* Application data records are processed by the caller of this
-    ** function, not by this function.
-    */
-    if (rType == content_application_data) {
-    	return SECSuccess;
-    }
-
-    /* It's a record that must be handled by ssl itself, not the application.
-    */
-process_it:
-    /* XXX  Get the xmit lock here.  Odds are very high that we'll be xmiting
-     * data ang getting the xmit lock here prevents deadlocks.
-     */
-    ssl_GetSSL3HandshakeLock(ss);
-
-    /* All the functions called in this switch MUST set error code if
-    ** they return SECFailure or SECWouldBlock.
-    */
-    switch (rType) {
-    case content_change_cipher_spec:
-	rv = ssl3_HandleChangeCipherSpecs(ss, databuf);
-	break;
-    case content_alert:
-	rv = ssl3_HandleAlert(ss, databuf);
-	break;
-    case content_handshake:
-	rv = ssl3_HandleHandshake(ss, databuf);
-	break;
-    case content_application_data:
-	rv = SECSuccess;
-	break;
-    default:
-	SSL_DBG(("%d: SSL3[%d]: bogus content type=%d",
-		 SSL_GETPID(), ss->fd, cText->type));
-	/* XXX Send an alert ???  */
-	PORT_SetError(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE);
-	rv = SECFailure;
-	break;
-    }
-
-    ssl_ReleaseSSL3HandshakeLock(ss);
-    return rv;
-
-}
-
-/*
- * Initialization functions
- */
-
-/* Called from ssl3_InitState, immediately below. */
-/* Caller must hold the SpecWriteLock. */
-static void
-ssl3_InitCipherSpec(sslSocket *ss, ssl3CipherSpec *spec)
-{
-    spec->cipher_def               = &bulk_cipher_defs[cipher_null];
-    PORT_Assert(spec->cipher_def->cipher == cipher_null);
-    spec->mac_def                  = &mac_defs[mac_null];
-    PORT_Assert(spec->mac_def->mac == mac_null);
-    spec->encode                   = Null_Cipher;
-    spec->decode                   = Null_Cipher;
-    spec->destroy                  = NULL;
-    spec->mac_size                 = 0;
-    spec->master_secret            = NULL;
-    spec->bypassCiphers            = PR_FALSE;
-
-    spec->msItem.data              = NULL;
-    spec->msItem.len               = 0;
-
-    spec->client.write_key         = NULL;
-    spec->client.write_mac_key     = NULL;
-    spec->client.write_mac_context = NULL;
-
-    spec->server.write_key         = NULL;
-    spec->server.write_mac_key     = NULL;
-    spec->server.write_mac_context = NULL;
-
-    spec->write_seq_num.high       = 0;
-    spec->write_seq_num.low        = 0;
-
-    spec->read_seq_num.high        = 0;
-    spec->read_seq_num.low         = 0;
-
-    spec->version                  = ss->opt.enableTLS
-                                          ? SSL_LIBRARY_VERSION_3_1_TLS
-                                          : SSL_LIBRARY_VERSION_3_0;
-}
-
-/* Called from:	ssl3_SendRecord
-**		ssl3_StartHandshakeHash() <- ssl2_BeginClientHandshake()
-**		ssl3_SendClientHello()
-**		ssl3_HandleServerHello()
-**		ssl3_HandleClientHello()
-**		ssl3_HandleV2ClientHello()
-**		ssl3_HandleRecord()
-**
-** This function should perhaps acquire and release the SpecWriteLock.
-**
-**
-*/
-static SECStatus
-ssl3_InitState(sslSocket *ss)
-{
-    PK11Context *md5  = NULL;
-    PK11Context *sha  = NULL;
-    SECStatus    rv;
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-
-    if (ss->ssl3.initialized)
-    	return SECSuccess;	/* Function should be idempotent */
-
-    ss->ssl3.policy = SSL_ALLOWED;
-
-    ssl_GetSpecWriteLock(ss);
-    ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0];
-    ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1];
-    ss->ssl3.hs.rehandshake = PR_FALSE;
-    ssl3_InitCipherSpec(ss, ss->ssl3.crSpec);
-    ssl3_InitCipherSpec(ss, ss->ssl3.prSpec);
-
-    ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello;
-    ssl_ReleaseSpecWriteLock(ss);
-
-    /*
-     * note: We should probably lookup an SSL3 slot for these
-     * handshake hashes in hopes that we wind up with the same slots
-     * that the master secret will wind up in ...
-     */
-    SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd));
-    if (ss->opt.bypassPKCS11) {
-	MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx);
-	SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx);
-    } else {
-	ss->ssl3.hs.md5 = md5 = PK11_CreateDigestContext(SEC_OID_MD5);
-	if (md5 == NULL) {
-	    ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
-	    goto loser;
-	}
-	rv = PK11_DigestBegin(ss->ssl3.hs.md5);
-	if (rv != SECSuccess) {
-	    ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
-	    goto loser;
-	}
-
-	sha = ss->ssl3.hs.sha = PK11_CreateDigestContext(SEC_OID_SHA1);
-	if (sha == NULL) {
-	    ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
-	    goto loser;
-	}
-	rv = PK11_DigestBegin(ss->ssl3.hs.sha);
-	if (rv != SECSuccess) {
-	    ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
-	    goto loser;
-	}
-    }
-
-    ss->ssl3.initialized = PR_TRUE;
-
-    return SECSuccess;
-
-loser:
-    if (md5 != NULL) PK11_DestroyContext(md5, PR_TRUE);
-    if (sha != NULL) PK11_DestroyContext(sha, PR_TRUE);
-    return SECFailure;
-}
-
-/* Returns a reference counted object that contains a key pair.
- * Or NULL on failure.  Initial ref count is 1.
- * Uses the keys in the pair as input.
- */
-ssl3KeyPair *
-ssl3_NewKeyPair( SECKEYPrivateKey * privKey, SECKEYPublicKey * pubKey)
-{
-    ssl3KeyPair * pair;
-
-    if (!privKey && !pubKey) {
-	/* one or the other may be NULL, but not both. */
-	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
-    	return NULL;
-    }
-    pair = PORT_ZNew(ssl3KeyPair);
-    if (!pair)
-    	return NULL;			/* error code is set. */
-    pair->refCount = 1;
-    pair->privKey  = privKey;
-    pair->pubKey   = pubKey;
-    return pair;			/* success */
-}
-
-ssl3KeyPair *
-ssl3_GetKeyPairRef(ssl3KeyPair * keyPair)
-{
-    PR_AtomicIncrement(&keyPair->refCount);
-    return keyPair;
-}
-
-void
-ssl3_FreeKeyPair(ssl3KeyPair * keyPair)
-{
-    PRInt32 newCount =  PR_AtomicDecrement(&keyPair->refCount);
-    if (!newCount) {
-	if (keyPair->privKey)
-	    SECKEY_DestroyPrivateKey(keyPair->privKey);
-	if (keyPair->pubKey)
-	    SECKEY_DestroyPublicKey( keyPair->pubKey);
-    	PORT_Free(keyPair);
-    }
-}
-
-
-
-/*
- * Creates the public and private RSA keys for SSL Step down.
- * Called from SSL_ConfigSecureServer in sslsecur.c
- */
-SECStatus
-ssl3_CreateRSAStepDownKeys(sslSocket *ss)
-{
-    SECStatus             rv  	 = SECSuccess;
-    SECKEYPrivateKey *    privKey;		/* RSA step down key */
-    SECKEYPublicKey *     pubKey;		/* RSA step down key */
-
-    if (ss->stepDownKeyPair)
-	ssl3_FreeKeyPair(ss->stepDownKeyPair);
-    ss->stepDownKeyPair = NULL;
-#ifndef HACKED_EXPORT_SERVER
-    /* Sigh, should have a get key strength call for private keys */
-    if (PK11_GetPrivateModulusLen(ss->serverCerts[kt_rsa].SERVERKEY) >
-                                                     EXPORT_RSA_KEY_LENGTH) {
-	/* need to ask for the key size in bits */
-	privKey = SECKEY_CreateRSAPrivateKey(EXPORT_RSA_KEY_LENGTH * BPB,
-					     &pubKey, NULL);
-    	if (!privKey || !pubKey ||
-	    !(ss->stepDownKeyPair = ssl3_NewKeyPair(privKey, pubKey))) {
-	    ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
-	    rv = SECFailure;
-	}
-    }
-#endif
-    return rv;
-}
-
-
-/* record the export policy for this cipher suite */
-SECStatus
-ssl3_SetPolicy(ssl3CipherSuite which, int policy)
-{
-    ssl3CipherSuiteCfg *suite;
-
-    suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
-    if (suite == NULL) {
-	return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
-    }
-    suite->policy = policy;
-
-    if (policy == SSL_RESTRICTED) {
-	ssl3_global_policy_some_restricted = PR_TRUE;
-    }
-
-    return SECSuccess;
-}
-
-SECStatus
-ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *oPolicy)
-{
-    ssl3CipherSuiteCfg *suite;
-    PRInt32             policy;
-    SECStatus           rv;
-
-    suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
-    if (suite) {
-    	policy = suite->policy;
-	rv     = SECSuccess;
-    } else {
-    	policy = SSL_NOT_ALLOWED;
-	rv     = SECFailure;	/* err code was set by Lookup. */
-    }
-    *oPolicy = policy;
-    return rv;
-}
-
-/* record the user preference for this suite */
-SECStatus
-ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool enabled)
-{
-    ssl3CipherSuiteCfg *suite;
-
-    suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
-    if (suite == NULL) {
-	return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
-    }
-    suite->enabled = enabled;
-    return SECSuccess;
-}
-
-/* return the user preference for this suite */
-SECStatus
-ssl3_CipherPrefGetDefault(ssl3CipherSuite which, PRBool *enabled)
-{
-    ssl3CipherSuiteCfg *suite;
-    PRBool              pref;
-    SECStatus           rv;
-
-    suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
-    if (suite) {
-    	pref   = suite->enabled;
-	rv     = SECSuccess;
-    } else {
-    	pref   = SSL_NOT_ALLOWED;
-	rv     = SECFailure;	/* err code was set by Lookup. */
-    }
-    *enabled = pref;
-    return rv;
-}
-
-SECStatus
-ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool enabled)
-{
-    ssl3CipherSuiteCfg *suite;
-
-    suite = ssl_LookupCipherSuiteCfg(which, ss->cipherSuites);
-    if (suite == NULL) {
-	return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
-    }
-    suite->enabled = enabled;
-    return SECSuccess;
-}
-
-SECStatus
-ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *enabled)
-{
-    ssl3CipherSuiteCfg *suite;
-    PRBool              pref;
-    SECStatus           rv;
-
-    suite = ssl_LookupCipherSuiteCfg(which, ss->cipherSuites);
-    if (suite) {
-    	pref   = suite->enabled;
-	rv     = SECSuccess;
-    } else {
-    	pref   = SSL_NOT_ALLOWED;
-	rv     = SECFailure;	/* err code was set by Lookup. */
-    }
-    *enabled = pref;
-    return rv;
-}
-
-/* copy global default policy into socket. */
-void
-ssl3_InitSocketPolicy(sslSocket *ss)
-{
-    PORT_Memcpy(ss->cipherSuites, cipherSuites, sizeof cipherSuites);
-}
-
-/* ssl3_config_match_init must have already been called by
- * the caller of this function.
- */
-SECStatus
-ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size)
-{
-    int i, count = 0;
-
-    PORT_Assert(ss != 0);
-    if (!ss) {
-	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
-	return SECFailure;
-    }
-    if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) {
-    	*size = 0;
-	return SECSuccess;
-    }
-    if (cs == NULL) {
-	*size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE);
-	return SECSuccess;
-    }
-
-    /* ssl3_config_match_init was called by the caller of this function. */
-    for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
-	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
-	if (config_match(suite, SSL_ALLOWED, PR_TRUE)) {
-	    if (cs != NULL) {
-		*cs++ = 0x00;
-		*cs++ = (suite->cipher_suite >> 8) & 0xFF;
-		*cs++ =  suite->cipher_suite       & 0xFF;
-	    }
-	    count++;
-	}
-    }
-    *size = count;
-    return SECSuccess;
-}
-
-/*
-** If ssl3 socket has completed the first handshake, and is in idle state, 
-** then start a new handshake.
-** If flushCache is true, the SID cache will be flushed first, forcing a
-** "Full" handshake (not a session restart handshake), to be done.
-**
-** called from SSL_RedoHandshake(), which already holds the handshake locks.
-*/
-SECStatus
-ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache)
-{
-    sslSessionID *   sid = ss->sec.ci.sid;
-    SECStatus        rv;
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-
-    if (!ss->firstHsDone ||
-        ((ss->version >= SSL_LIBRARY_VERSION_3_0) &&
-	 ss->ssl3.initialized && 
-	 (ss->ssl3.hs.ws != idle_handshake))) {
-	PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);
-	return SECFailure;
-    }
-    if (sid && flushCache) {
-	ss->sec.uncache(sid);	/* remove it from whichever cache it's in. */
-	ssl_FreeSID(sid);	/* dec ref count and free if zero. */
-	ss->sec.ci.sid = NULL;
-    }
-
-    ssl_GetXmitBufLock(ss);	/**************************************/
-
-    /* start off a new handshake. */
-    rv = (ss->sec.isServer) ? ssl3_SendHelloRequest(ss)
-                            : ssl3_SendClientHello(ss);
-
-    ssl_ReleaseXmitBufLock(ss);	/**************************************/
-    return rv;
-}
-
-/* Called from ssl_FreeSocket() in sslsock.c */
-void
-ssl3_DestroySSL3Info(sslSocket *ss)
-{
-
-    if (ss->ssl3.clientCertificate != NULL)
-	CERT_DestroyCertificate(ss->ssl3.clientCertificate);
-
-    if (ss->ssl3.clientPrivateKey != NULL)
-	SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
-
-    if (ss->ssl3.peerCertArena != NULL)
-	ssl3_CleanupPeerCerts(ss);
-
-    if (ss->ssl3.clientCertChain != NULL) {
-       CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
-       ss->ssl3.clientCertChain = NULL;
-    }
-
-    /* clean up handshake */
-    if (ss->opt.bypassPKCS11) {
-	SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE);
-	MD5_DestroyContext((MD5Context *)ss->ssl3.hs.md5_cx, PR_FALSE);
-    } 
-    if (ss->ssl3.hs.md5) {
-	PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE);
-    }
-    if (ss->ssl3.hs.sha) {
-	PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE);
-    }
-
-    /* free the SSL3Buffer (msg_body) */
-    PORT_Free(ss->ssl3.hs.msg_body.buf);
-
-    /* free up the CipherSpecs */
-    ssl3_DestroyCipherSpec(&ss->ssl3.specs[0]);
-    ssl3_DestroyCipherSpec(&ss->ssl3.specs[1]);
-
-    ss->ssl3.initialized = PR_FALSE;
-}
-
-/* End of ssl3con.c */
diff --git a/security/nss/lib/ssl/ssl3ecc.c b/security/nss/lib/ssl/ssl3ecc.c
deleted file mode 100644
index af7cdb30f..000000000
--- a/security/nss/lib/ssl/ssl3ecc.c
+++ /dev/null
@@ -1,673 +0,0 @@
-/*
- * SSL3 Protocol
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com> and
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/* ECC code moved here from ssl3con.c */
-/* $Id$ */
-
-#ifdef NSS_ENABLE_ECC
-
-#include "nssrenam.h"
-#include "cert.h"
-#include "ssl.h"
-#include "cryptohi.h"	/* for DSAU_ stuff */
-#include "keyhi.h"
-#include "secder.h"
-#include "secitem.h"
-
-#include "sslimpl.h"
-#include "sslproto.h"
-#include "sslerr.h"
-#include "prtime.h"
-#include "prinrval.h"
-#include "prerror.h"
-#include "pratom.h"
-#include "prthread.h"
-
-#include "pk11func.h"
-#include "secmod.h"
-#include "nsslocks.h"
-#include "ec.h"
-#include "blapi.h"
-
-#include <stdio.h>
-
-/*
-    line 297: implicit function declaration: ssl3_InitPendingCipherSpec
-    line 305: implicit function declaration: ssl3_AppendHandshakeHeader
-    line 311: implicit function declaration: ssl3_AppendHandshakeVariable
-    line 356: implicit function declaration: ssl3_ConsumeHandshakeVariable
-*/
-
-
-#ifndef PK11_SETATTRS
-#define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
-		(x)->pValue=(v); (x)->ulValueLen = (l);
-#endif
-
-/* Types and names of elliptic curves used in TLS */
-typedef enum { ec_type_explicitPrime = 1,
-	       ec_type_explicitChar2Curve,
-	       ec_type_named
-} ECType;
-
-typedef enum { ec_noName = 0,
-	       ec_sect163k1, ec_sect163r1, ec_sect163r2,
-	       ec_sect193r1, ec_sect193r2, ec_sect233k1,
-	       ec_sect233r1, ec_sect239k1, ec_sect283k1,
-	       ec_sect283r1, ec_sect409k1, ec_sect409r1,
-	       ec_sect571k1, ec_sect571r1, ec_secp160k1,
-	       ec_secp160r1, ec_secp160r2, ec_secp192k1,
-	       ec_secp192r1, ec_secp224k1, ec_secp224r1,
-	       ec_secp256k1, ec_secp256r1, ec_secp384r1,
-	       ec_secp521r1,
-	       ec_pastLastName
-} ECName;
-
-#define supportedCurve(x) (((x) > ec_noName) && ((x) < ec_pastLastName))
-
-/* Table containing OID tags for elliptic curves named in the
- * ECC-TLS IETF draft.
- */
-static const SECOidTag ecName2OIDTag[] = {
-	0,  
-	SEC_OID_SECG_EC_SECT163K1,  /*  1 */
-	SEC_OID_SECG_EC_SECT163R1,  /*  2 */
-	SEC_OID_SECG_EC_SECT163R2,  /*  3 */
-	SEC_OID_SECG_EC_SECT193R1,  /*  4 */
-	SEC_OID_SECG_EC_SECT193R2,  /*  5 */
-	SEC_OID_SECG_EC_SECT233K1,  /*  6 */
-	SEC_OID_SECG_EC_SECT233R1,  /*  7 */
-	SEC_OID_SECG_EC_SECT239K1,  /*  8 */
-	SEC_OID_SECG_EC_SECT283K1,  /*  9 */
-	SEC_OID_SECG_EC_SECT283R1,  /* 10 */
-	SEC_OID_SECG_EC_SECT409K1,  /* 11 */
-	SEC_OID_SECG_EC_SECT409R1,  /* 12 */
-	SEC_OID_SECG_EC_SECT571K1,  /* 13 */
-	SEC_OID_SECG_EC_SECT571R1,  /* 14 */
-	SEC_OID_SECG_EC_SECP160K1,  /* 15 */
-	SEC_OID_SECG_EC_SECP160R1,  /* 16 */
-	SEC_OID_SECG_EC_SECP160R2,  /* 17 */
-	SEC_OID_SECG_EC_SECP192K1,  /* 18 */
-	SEC_OID_SECG_EC_SECP192R1,  /* 19 */
-	SEC_OID_SECG_EC_SECP224K1,  /* 20 */
-	SEC_OID_SECG_EC_SECP224R1,  /* 21 */
-	SEC_OID_SECG_EC_SECP256K1,  /* 22 */
-	SEC_OID_SECG_EC_SECP256R1,  /* 23 */
-	SEC_OID_SECG_EC_SECP384R1,  /* 24 */
-	SEC_OID_SECG_EC_SECP521R1,  /* 25 */
-};
-
-static SECStatus 
-ecName2params(PRArenaPool * arena, ECName curve, SECKEYECParams * params)
-{
-    SECOidData *oidData = NULL;
-
-    if ((curve <= ec_noName) || (curve >= ec_pastLastName) ||
-	((oidData = SECOID_FindOIDByTag(ecName2OIDTag[curve])) == NULL)) {
-        PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
-	return SECFailure;
-    }
-
-    SECITEM_AllocItem(arena, params, (2 + oidData->oid.len));
-    /* 
-     * params->data needs to contain the ASN encoding of an object ID (OID)
-     * representing the named curve. The actual OID is in 
-     * oidData->oid.data so we simply prepend 0x06 and OID length
-     */
-    params->data[0] = SEC_ASN1_OBJECT_ID;
-    params->data[1] = oidData->oid.len;
-    memcpy(params->data + 2, oidData->oid.data, oidData->oid.len);
-
-    return SECSuccess;
-}
-
-static ECName 
-params2ecName(SECKEYECParams * params)
-{
-    SECItem oid = { siBuffer, NULL, 0};
-    SECOidData *oidData = NULL;
-    ECName i;
-
-    /* 
-     * params->data needs to contain the ASN encoding of an object ID (OID)
-     * representing a named curve. Here, we strip away everything
-     * before the actual OID and use the OID to look up a named curve.
-     */
-    if (params->data[0] != SEC_ASN1_OBJECT_ID) return ec_noName;
-    oid.len = params->len - 2;
-    oid.data = params->data + 2;
-    if ((oidData = SECOID_FindOID(&oid)) == NULL) return ec_noName;
-    for (i = ec_noName + 1; i < ec_pastLastName; i++) {
-	if (ecName2OIDTag[i] == oidData->offset)
-	    return i;
-    }
-
-    return ec_noName;
-}
-
-/* Caller must set hiLevel error code. */
-static SECStatus
-ssl3_ComputeECDHKeyHash(SECItem ec_params, SECItem server_ecpoint,
-			     SSL3Random *client_rand, SSL3Random *server_rand,
-			     SSL3Hashes *hashes, PRBool bypassPKCS11)
-{
-    PRUint8     * hashBuf;
-    PRUint8     * pBuf;
-    SECStatus     rv 		= SECSuccess;
-    unsigned int  bufLen;
-    /*
-     * XXX For now, we only support named curves (the appropriate
-     * checks are made before this method is called) so ec_params
-     * takes up only two bytes. ECPoint needs to fit in 256 bytes
-     * (because the spec says the length must fit in one byte)
-     */
-    PRUint8       buf[2*SSL3_RANDOM_LENGTH + 2 + 1 + 256];
-
-    bufLen = 2*SSL3_RANDOM_LENGTH + ec_params.len + 1 + server_ecpoint.len;
-    if (bufLen <= sizeof buf) {
-    	hashBuf = buf;
-    } else {
-    	hashBuf = PORT_Alloc(bufLen);
-	if (!hashBuf) {
-	    return SECFailure;
-	}
-    }
-
-    memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH); 
-    	pBuf = hashBuf + SSL3_RANDOM_LENGTH;
-    memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH);
-    	pBuf += SSL3_RANDOM_LENGTH;
-    memcpy(pBuf, ec_params.data, ec_params.len);
-    	pBuf += ec_params.len;
-    pBuf[0] = (PRUint8)(server_ecpoint.len);
-    pBuf += 1;
-    memcpy(pBuf, server_ecpoint.data, server_ecpoint.len);
-    	pBuf += server_ecpoint.len;
-    PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);
-
-    rv = ssl3_ComputeCommonKeyHash(hashBuf, bufLen, hashes, bypassPKCS11);
-
-    PRINT_BUF(95, (NULL, "ECDHkey hash: ", hashBuf, bufLen));
-    PRINT_BUF(95, (NULL, "ECDHkey hash: MD5 result", hashes->md5, MD5_LENGTH));
-    PRINT_BUF(95, (NULL, "ECDHkey hash: SHA1 result", hashes->sha, SHA1_LENGTH));
-
-done:
-    if (hashBuf != buf && hashBuf != NULL)
-    	PORT_Free(hashBuf);
-    return rv;
-}
-
-
-/* Called from ssl3_SendClientKeyExchange(). */
-SECStatus
-ssl3_SendECDHClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
-{
-    PK11SymKey *	pms 		= NULL;
-    SECStatus           rv    		= SECFailure;
-    PRBool              isTLS;
-    CK_MECHANISM_TYPE	target;
-    SECKEYPublicKey	*pubKey = NULL;		/* Ephemeral ECDH key */
-    SECKEYPrivateKey	*privKey = NULL;	/* Ephemeral ECDH key */
-    CK_EC_KDF_TYPE	kdf;
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
-
-    isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
-
-    /* Generate ephemeral EC keypair */
-    privKey = SECKEY_CreateECPrivateKey(&svrPubKey->u.ec.DEREncodedParams, 
-	                                &pubKey, NULL);
-    if (!privKey || !pubKey) {
-	    ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
-	    rv = SECFailure;
-	    goto loser;
-    }
-    PRINT_BUF(50, (ss, "ECDH public value:",
-					pubKey->u.ec.publicValue.data,
-					pubKey->u.ec.publicValue.len));
-
-    if (isTLS) target = CKM_TLS_MASTER_KEY_DERIVE_DH;
-    else target = CKM_SSL3_MASTER_KEY_DERIVE_DH;
-
-    /* If field size is not more than 24 octets, then use SHA-1 hash of result;
-     * otherwise, use result (see section 4.8 of draft-ietf-tls-ecc-03.txt).
-     */
-    if ((pubKey->u.ec.publicValue.len - 1) / 2 <= 24) {
-	kdf = CKD_SHA1_KDF;
-    } else {
-	kdf = CKD_NULL;
-    }
-
-    /*  Determine the PMS */
-    pms = PK11_PubDeriveWithKDF(privKey, svrPubKey, PR_FALSE, NULL, NULL,
-			    CKM_ECDH1_DERIVE, target, CKA_DERIVE, 0,
-			    kdf, NULL, NULL);
-
-    if (pms == NULL) {
-	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
-	goto loser;
-    }
-
-    SECKEY_DestroyPrivateKey(privKey);
-    privKey = NULL;
-
-    rv = ssl3_InitPendingCipherSpec(ss,  pms);
-    PK11_FreeSymKey(pms); pms = NULL;
-
-    if (rv != SECSuccess) {
-	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
-	goto loser;
-    }
-
-    rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange, 
-					pubKey->u.ec.publicValue.len + 1);
-    if (rv != SECSuccess) {
-        goto loser;	/* err set by ssl3_AppendHandshake* */
-    }
-
-    rv = ssl3_AppendHandshakeVariable(ss, 
-					pubKey->u.ec.publicValue.data,
-					pubKey->u.ec.publicValue.len, 1);
-    SECKEY_DestroyPublicKey(pubKey);
-    pubKey = NULL;
-
-    if (rv != SECSuccess) {
-        goto loser;	/* err set by ssl3_AppendHandshake* */
-    }
-
-    rv = SECSuccess;
-
-loser:
-    if(pms) PK11_FreeSymKey(pms);
-    if(privKey) SECKEY_DestroyPrivateKey(privKey);
-    if(pubKey) SECKEY_DestroyPublicKey(pubKey);
-    return rv;
-}
-
-
-/*
-** Called from ssl3_HandleClientKeyExchange()
-*/
-SECStatus
-ssl3_HandleECDHClientKeyExchange(sslSocket *ss, SSL3Opaque *b,
-				     PRUint32 length,
-                                     SECKEYPublicKey *srvrPubKey,
-                                     SECKEYPrivateKey *srvrPrivKey)
-{
-    PK11SymKey *      pms;
-    SECStatus         rv;
-    SECKEYPublicKey   clntPubKey;
-    CK_MECHANISM_TYPE	target;
-    PRBool isTLS;
-    CK_EC_KDF_TYPE	kdf;
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-
-    clntPubKey.keyType = ecKey;
-    clntPubKey.u.ec.DEREncodedParams.len = 
-	srvrPubKey->u.ec.DEREncodedParams.len;
-    clntPubKey.u.ec.DEREncodedParams.data = 
-	srvrPubKey->u.ec.DEREncodedParams.data;
-
-    rv = ssl3_ConsumeHandshakeVariable(ss, &clntPubKey.u.ec.publicValue, 
-	                               1, &b, &length);
-    if (rv != SECSuccess) {
-	SEND_ALERT
-	return SECFailure;	/* XXX Who sets the error code?? */
-    }
-
-    isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
-
-    if (isTLS) target = CKM_TLS_MASTER_KEY_DERIVE_DH;
-    else target = CKM_SSL3_MASTER_KEY_DERIVE_DH;
-
-    /* If field size is not more than 24 octets, then use SHA-1 hash of result;
-     * otherwise, use result (see section 4.8 of draft-ietf-tls-ecc-03.txt).
-     */
-    if (srvrPubKey->u.ec.size <= 24 * 8) {
-	kdf = CKD_SHA1_KDF;
-    } else {
-	kdf = CKD_NULL;
-    }
-
-    /*  Determine the PMS */
-    pms = PK11_PubDeriveWithKDF(srvrPrivKey, &clntPubKey, PR_FALSE, NULL, NULL,
-			    CKM_ECDH1_DERIVE, target, CKA_DERIVE, 0,
-			    kdf, NULL, NULL);
-
-    if (pms == NULL) {
-	/* last gasp.  */
-	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
-	return SECFailure;
-    }
-
-    rv = ssl3_InitPendingCipherSpec(ss,  pms);
-    PK11_FreeSymKey(pms);
-    if (rv != SECSuccess) {
-	SEND_ALERT
-	return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */
-    }
-    return SECSuccess;
-}
-
-
-/*
- * Creates the ephemeral public and private ECDH keys used by
- * server in ECDHE_RSA and ECDHE_ECDSA handshakes.
- * XXX For now, the elliptic curve is hardcoded to NIST P-224.
- * We need an API to specify the curve. This won't be a real
- * issue until we further develop server-side support for ECC
- * cipher suites.
- */
-SECStatus
-ssl3_CreateECDHEphemeralKeys(sslSocket *ss)
-{
-    SECStatus             rv  	 = SECSuccess;
-    SECKEYPrivateKey *    privKey;
-    SECKEYPublicKey *     pubKey;
-    SECKEYECParams	  ecParams = { siBuffer, NULL, 0 };
-
-    if (ss->ephemeralECDHKeyPair)
-	ssl3_FreeKeyPair(ss->ephemeralECDHKeyPair);
-    ss->ephemeralECDHKeyPair = NULL;
-
-    if (ecName2params(NULL, ec_secp224r1, &ecParams) == SECFailure)
-	return SECFailure;
-    privKey = SECKEY_CreateECPrivateKey(&ecParams, &pubKey, NULL);    
-    if (!privKey || !pubKey ||
-	!(ss->ephemeralECDHKeyPair = ssl3_NewKeyPair(privKey, pubKey))) {
-	    ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
-	    rv = SECFailure;
-    }
-
-    PORT_Free(ecParams.data);
-    return rv;
-}
-
-SECStatus
-ssl3_HandleECDHServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
-{
-    PRArenaPool *    arena     = NULL;
-    SECKEYPublicKey *peerKey   = NULL;
-    PRBool           isTLS;
-    SECStatus        rv;
-    int              errCode   = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH;
-    SSL3AlertDescription desc  = illegal_parameter;
-    SSL3Hashes       hashes;
-    SECItem          signature = {siBuffer, NULL, 0};
-
-    SECItem          ec_params = {siBuffer, NULL, 0};
-    SECItem          ec_point  = {siBuffer, NULL, 0};
-    unsigned char    paramBuf[2];
-
-    isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
-
-    /* XXX This works only for named curves, revisit this when
-     * we support generic curves.
-     */
-    ec_params.len = 2;
-    ec_params.data = paramBuf;
-    rv = ssl3_ConsumeHandshake(ss, ec_params.data, ec_params.len, 
-			       &b, &length);
-    if (rv != SECSuccess) {
-	goto loser;		/* malformed. */
-    }
-
-    /* Fail if the curve is not a named curve */
-    if ((ec_params.data[0] != ec_type_named) || 
-	!supportedCurve(ec_params.data[1])) {
-	    errCode = SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
-	    desc = handshake_failure;
-	    goto alert_loser;
-    }
-
-    rv = ssl3_ConsumeHandshakeVariable(ss, &ec_point, 1, &b, &length);
-    if (rv != SECSuccess) {
-	goto loser;		/* malformed. */
-    }
-    /* Fail if the ec point uses compressed representation */
-    if (ec_point.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
-	    errCode = SEC_ERROR_UNSUPPORTED_EC_POINT_FORM;
-	    desc = handshake_failure;
-	    goto alert_loser;
-    }
-
-    rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
-    if (rv != SECSuccess) {
-	goto loser;		/* malformed. */
-    }
-
-    if (length != 0) {
-	if (isTLS)
-	    desc = decode_error;
-	goto alert_loser;		/* malformed. */
-    }
-
-    PRINT_BUF(60, (NULL, "Server EC params", ec_params.data, 
-	ec_params.len));
-    PRINT_BUF(60, (NULL, "Server EC point", ec_point.data, ec_point.len));
-
-    /* failures after this point are not malformed handshakes. */
-    /* TLS: send decrypt_error if signature failed. */
-    desc = isTLS ? decrypt_error : handshake_failure;
-
-    /*
-     *  check to make sure the hash is signed by right guy
-     */
-    rv = ssl3_ComputeECDHKeyHash(ec_params, ec_point,
-				      &ss->ssl3.hs.client_random,
-				      &ss->ssl3.hs.server_random, 
-				      &hashes, ss->opt.bypassPKCS11);
-
-    if (rv != SECSuccess) {
-	errCode =
-	    ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
-	goto alert_loser;
-    }
-    rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
-				isTLS, ss->pkcs11PinArg);
-    if (rv != SECSuccess)  {
-	errCode =
-	    ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
-	goto alert_loser;
-    }
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) {
-	goto no_memory;
-    }
-
-    ss->sec.peerKey = peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
-    if (peerKey == NULL) {
-	goto no_memory;
-    }
-
-    peerKey->arena                 = arena;
-    peerKey->keyType               = ecKey;
-
-    /* set up EC parameters in peerKey */
-    if (ecName2params(arena, ec_params.data[1], 
-	    &peerKey->u.ec.DEREncodedParams) != SECSuccess) {
-	/* we should never get here since we already 
-	 * checked that we are dealing with a supported curve
-	 */
-	errCode = SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
-	goto alert_loser;
-    }
-
-    /* copy publicValue in peerKey */
-    if (SECITEM_CopyItem(arena, &peerKey->u.ec.publicValue,  &ec_point))
-    {
-	PORT_FreeArena(arena, PR_FALSE);
-	goto no_memory;
-    }
-    peerKey->pkcs11Slot         = NULL;
-    peerKey->pkcs11ID           = CK_INVALID_HANDLE;
-
-    ss->sec.peerKey = peerKey;
-    ss->ssl3.hs.ws = wait_cert_request;
-
-    return SECSuccess;
-
-alert_loser:
-    (void)SSL3_SendAlert(ss, alert_fatal, desc);
-loser:
-    PORT_SetError( errCode );
-    return SECFailure;
-
-no_memory:	/* no-memory error has already been set. */
-    ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
-    return SECFailure;
-}
-
-SECStatus
-ssl3_SendECDHServerKeyExchange(sslSocket *ss)
-{
-const ssl3KEADef *     kea_def     = ss->ssl3.hs.kea_def;
-    SECStatus          rv          = SECFailure;
-    int                length;
-    PRBool             isTLS;
-    SECItem            signed_hash = {siBuffer, NULL, 0};
-    SSL3Hashes         hashes;
-
-    SECKEYPublicKey *  ecdhePub;
-    SECItem            ec_params = {siBuffer, NULL, 0};
-    ECName             curve;
-    SSL3KEAType        certIndex;
-
-
-    /* Generate ephemeral ECDH key pair and send the public key */
-    rv = ssl3_CreateECDHEphemeralKeys(ss);
-    if (rv != SECSuccess) {
-	goto loser; 	/* err set by AppendHandshake. */
-    }	    
-    ecdhePub = ss->ephemeralECDHKeyPair->pubKey;
-    PORT_Assert(ecdhePub != NULL);
-    if (!ecdhePub) {
-	PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
-	return SECFailure;
-    }	
-    
-    ec_params.len = 2;
-    ec_params.data = (unsigned char*)PORT_Alloc(ec_params.len);
-    curve = params2ecName(&ecdhePub->u.ec.DEREncodedParams);
-    if (curve != ec_noName) {
-	ec_params.data[0] = ec_type_named;
-	ec_params.data[1] = curve;
-    } else {
-	PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
-	goto loser;
-    }		
-
-    rv = ssl3_ComputeECDHKeyHash(ec_params, ecdhePub->u.ec.publicValue,
-				      &ss->ssl3.hs.client_random,
-				      &ss->ssl3.hs.server_random,
-				      &hashes, ss->opt.bypassPKCS11);
-    if (rv != SECSuccess) {
-	ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
-	goto loser;
-    }
-
-    isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
-
-    /* XXX SSLKEAType isn't really a good choice for 
-     * indexing certificates but that's all we have
-     * for now.
-     */
-    if (kea_def->kea == kea_ecdhe_rsa)
-	certIndex = kt_rsa;
-    else /* kea_def->kea == kea_ecdhe_ecdsa */
-	certIndex = kt_ecdh;
-
-    rv = ssl3_SignHashes(&hashes, ss->serverCerts[certIndex].SERVERKEY, 
-			 &signed_hash, isTLS);
-    if (rv != SECSuccess) {
-	goto loser;		/* ssl3_SignHashes has set err. */
-    }
-    if (signed_hash.data == NULL) {
-	/* how can this happen and rv == SECSuccess ?? */
-	PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
-	goto loser;
-    }
-
-    length = ec_params.len + 
-	     1 + ecdhePub->u.ec.publicValue.len + 
-	     2 + signed_hash.len;
-
-    rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length);
-    if (rv != SECSuccess) {
-	goto loser; 	/* err set by AppendHandshake. */
-    }
-
-    rv = ssl3_AppendHandshake(ss, ec_params.data, ec_params.len);
-    if (rv != SECSuccess) {
-	goto loser; 	/* err set by AppendHandshake. */
-    }
-
-    rv = ssl3_AppendHandshakeVariable(ss, ecdhePub->u.ec.publicValue.data,
-				      ecdhePub->u.ec.publicValue.len, 1);
-    if (rv != SECSuccess) {
-	goto loser; 	/* err set by AppendHandshake. */
-    }
-
-    rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data,
-				      signed_hash.len, 2);
-    if (rv != SECSuccess) {
-	goto loser; 	/* err set by AppendHandshake. */
-    }
-
-    PORT_Free(ec_params.data);
-    PORT_Free(signed_hash.data);
-    return SECSuccess;
-
-loser:
-    if (ec_params.data != NULL) 
-	PORT_Free(ec_params.data);
-    if (signed_hash.data != NULL) 
-    	PORT_Free(signed_hash.data);
-    return SECFailure;
-}
-
-
-#endif /* NSS_ENABLE_ECC */
-
diff --git a/security/nss/lib/ssl/ssl3gthr.c b/security/nss/lib/ssl/ssl3gthr.c
deleted file mode 100644
index 4465c4359..000000000
--- a/security/nss/lib/ssl/ssl3gthr.c
+++ /dev/null
@@ -1,239 +0,0 @@
-/*
- * Gather (Read) entire SSL3 records from socket into buffer.  
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "cert.h"
-#include "ssl.h"
-#include "sslimpl.h"
-#include "ssl3prot.h"
-
-/* 
- * Attempt to read in an entire SSL3 record.
- * Blocks here for blocking sockets, otherwise returns -1 with 
- * 	PR_WOULD_BLOCK_ERROR when socket would block.
- *
- * returns  1 if received a complete SSL3 record.
- * returns  0 if recv returns EOF
- * returns -1 if recv returns <0  
- *	(The error value may have already been set to PR_WOULD_BLOCK_ERROR)
- *
- * Caller must hold the recv buf lock.
- *
- * The Gather state machine has 3 states:  GS_INIT, GS_HEADER, GS_DATA.
- * GS_HEADER: waiting for the 5-byte SSL3 record header to come in.
- * GS_DATA:   waiting for the body of the SSL3 record   to come in.
- *
- * This loop returns when either (a) an error or EOF occurs, 
- *	(b) PR_WOULD_BLOCK_ERROR,
- * 	(c) data (entire SSL3 record) has been received.
- */
-static int
-ssl3_GatherData(sslSocket *ss, sslGather *gs, int flags)
-{
-    unsigned char *bp;
-    unsigned char *lbp;
-    int            nb;
-    int            err;
-    int            rv		= 1;
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-    if (gs->state == GS_INIT) {
-	gs->state       = GS_HEADER;
-	gs->remainder   = 5;
-	gs->offset      = 0;
-	gs->writeOffset = 0;
-	gs->readOffset  = 0;
-	gs->inbuf.len   = 0;
-    }
-    
-    lbp = gs->inbuf.buf;
-    for(;;) {
-	SSL_TRC(30, ("%d: SSL3[%d]: gather state %d (need %d more)",
-		SSL_GETPID(), ss->fd, gs->state, gs->remainder));
-	bp = ((gs->state != GS_HEADER) ? lbp : gs->hdr) + gs->offset;
-	nb = ssl_DefRecv(ss, bp, gs->remainder, flags);
-
-	if (nb > 0) {
-	    PRINT_BUF(60, (ss, "raw gather data:", bp, nb));
-	} else if (nb == 0) {
-	    /* EOF */
-	    SSL_TRC(30, ("%d: SSL3[%d]: EOF", SSL_GETPID(), ss->fd));
-	    rv = 0;
-	    break;
-	} else /* if (nb < 0) */ {
-	    SSL_DBG(("%d: SSL3[%d]: recv error %d", SSL_GETPID(), ss->fd,
-		     PR_GetError()));
-	    rv = SECFailure;
-	    break;
-	}
-
-	PORT_Assert( nb <= gs->remainder );
-	if (nb > gs->remainder) {
-	    /* ssl_DefRecv is misbehaving!  this error is fatal to SSL. */
-	    gs->state = GS_INIT;         /* so we don't crash next time */
-	    rv = SECFailure;
-	    break;
-	}
-
-	gs->offset    += nb;
-	gs->remainder -= nb;
-	if (gs->state == GS_DATA)
-	    gs->inbuf.len += nb;
-
-	/* if there's more to go, read some more. */
-	if (gs->remainder > 0) {
-	    continue;
-	}
-
-	/* have received entire record header, or entire record. */
-	switch (gs->state) {
-	case GS_HEADER:
-	    /*
-	    ** Have received SSL3 record header in gs->hdr.
-	    ** Now extract the length of the following encrypted data, 
-	    ** and then read in the rest of the SSL3 record into gs->inbuf.
-	    */
-	    gs->remainder = (gs->hdr[3] << 8) | gs->hdr[4];
-
-	    /* This is the max fragment length for an encrypted fragment
-	    ** plus the size of the record header.
-	    */
-	    if(gs->remainder > (MAX_FRAGMENT_LENGTH + 2048 + 5)) {
-		SSL3_SendAlert(ss, alert_fatal, unexpected_message);
-		gs->state = GS_INIT;
-		PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
-		return SECFailure;
-	    }
-
-	    gs->state     = GS_DATA;
-	    gs->offset    = 0;
-	    gs->inbuf.len = 0;
-
-	    if (gs->remainder > gs->inbuf.space) {
-		err = sslBuffer_Grow(&gs->inbuf, gs->remainder);
-		if (err) {	/* realloc has set error code to no mem. */
-		    return err;
-		}
-		lbp = gs->inbuf.buf;
-	    }
-	    break;	/* End this case.  Continue around the loop. */
-
-
-	case GS_DATA:
-	    /* 
-	    ** SSL3 record has been completely received.
-	    */
-	    gs->state = GS_INIT;
-	    return 1;
-	}
-    }
-
-    return rv;
-}
-
-/* Gather in a record and when complete, Handle that record.
- * Repeat this until the handshake is complete, 
- * or until application data is available.
- *
- * Returns  1 when the handshake is completed without error, or 
- *                 application data is available.
- * Returns  0 if ssl3_GatherData hits EOF.
- * Returns -1 on read error, or PR_WOULD_BLOCK_ERROR, or handleRecord error.
- * Returns -2 on SECWouldBlock return from ssl3_HandleRecord.
- *
- * Called from ssl_GatherRecord1stHandshake       in sslcon.c, 
- *    and from SSL_ForceHandshake in sslsecur.c
- *    and from ssl3_GatherAppDataRecord below (<- DoRecv in sslsecur.c).
- *
- * Caller must hold the recv buf lock.
- */
-int
-ssl3_GatherCompleteHandshake(sslSocket *ss, int flags)
-{
-    SSL3Ciphertext cText;
-    int            rv;
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-    do {
-	/* bring in the next sslv3 record. */
-	rv = ssl3_GatherData(ss, &ss->gs, flags);
-	if (rv <= 0) {
-	    return rv;
-	}
-	
-	/* decipher it, and handle it if it's a handshake. 
-	 * If it's application data, ss->gs.buf will not be empty upon return. 
-	 */
-	cText.type    = (SSL3ContentType)ss->gs.hdr[0];
-	cText.version = (ss->gs.hdr[1] << 8) | ss->gs.hdr[2];
-	cText.buf     = &ss->gs.inbuf;
-	rv = ssl3_HandleRecord(ss, &cText, &ss->gs.buf);
-	if (rv < 0) {
-	    return ss->recvdCloseNotify ? 0 : rv;
-	}
-    } while (ss->ssl3.hs.ws != idle_handshake && ss->gs.buf.len == 0);
-
-    ss->gs.readOffset = 0;
-    ss->gs.writeOffset = ss->gs.buf.len;
-    return 1;
-}
-
-/* Repeatedly gather in a record and when complete, Handle that record.
- * Repeat this until some application data is received.
- *
- * Returns  1 when application data is available.
- * Returns  0 if ssl3_GatherData hits EOF.
- * Returns -1 on read error, or PR_WOULD_BLOCK_ERROR, or handleRecord error.
- * Returns -2 on SECWouldBlock return from ssl3_HandleRecord.
- *
- * Called from DoRecv in sslsecur.c
- * Caller must hold the recv buf lock.
- */
-int
-ssl3_GatherAppDataRecord(sslSocket *ss, int flags)
-{
-    int            rv;
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-    do {
-	rv = ssl3_GatherCompleteHandshake(ss, flags);
-    } while (rv > 0 && ss->gs.buf.len == 0);
-
-    return rv;
-}
diff --git a/security/nss/lib/ssl/ssl3prot.h b/security/nss/lib/ssl/ssl3prot.h
deleted file mode 100644
index d466c614d..000000000
--- a/security/nss/lib/ssl/ssl3prot.h
+++ /dev/null
@@ -1,306 +0,0 @@
-/* Private header file of libSSL.
- * Various and sundry protocol constants. DON'T CHANGE THESE. These
- * values are defined by the SSL 3.0 protocol specification.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#ifndef __ssl3proto_h_
-#define __ssl3proto_h_
-
-typedef uint8 SSL3Opaque;
-
-typedef uint16 SSL3ProtocolVersion;
-/* version numbers are defined in sslproto.h */
-
-typedef uint16 ssl3CipherSuite;
-/* The cipher suites are defined in sslproto.h */
-
-#define MAX_CERT_TYPES			10
-#define MAX_COMPRESSION_METHODS		10
-#define MAX_MAC_LENGTH			64
-#define MAX_PADDING_LENGTH		64
-#define MAX_KEY_LENGTH			64
-#define EXPORT_KEY_LENGTH		 5
-#define SSL3_RANDOM_LENGTH		32
-
-#define SSL3_RECORD_HEADER_LENGTH	 5
-
-#define MAX_FRAGMENT_LENGTH		16384
-     
-typedef enum {
-    content_change_cipher_spec = 20, 
-    content_alert              = 21,
-    content_handshake          = 22, 
-    content_application_data   = 23
-} SSL3ContentType;
-
-typedef struct {
-    SSL3ContentType     type;
-    SSL3ProtocolVersion version;
-    uint16              length;
-    SECItem             fragment;
-} SSL3Plaintext;
-
-typedef struct {
-    SSL3ContentType     type;
-    SSL3ProtocolVersion version;
-    uint16              length;
-    SECItem             fragment;
-} SSL3Compressed;
-
-typedef struct {
-    SECItem    content;
-    SSL3Opaque MAC[MAX_MAC_LENGTH];
-} SSL3GenericStreamCipher;
-
-typedef struct {
-    SECItem    content;
-    SSL3Opaque MAC[MAX_MAC_LENGTH];
-    uint8      padding[MAX_PADDING_LENGTH];
-    uint8      padding_length;
-} SSL3GenericBlockCipher;
-
-typedef enum { change_cipher_spec_choice = 1 } SSL3ChangeCipherSpecChoice;
-
-typedef struct {
-    SSL3ChangeCipherSpecChoice choice;
-} SSL3ChangeCipherSpec;
-
-typedef enum { alert_warning = 1, alert_fatal = 2 } SSL3AlertLevel;
-
-typedef enum {
-    close_notify            = 0,
-    unexpected_message      = 10,
-    bad_record_mac          = 20,
-    decryption_failed       = 21,	/* TLS only */
-    record_overflow         = 22,	/* TLS only */
-    decompression_failure   = 30,
-    handshake_failure       = 40,
-    no_certificate          = 41,	/* SSL3 only, NOT TLS */
-    bad_certificate         = 42,
-    unsupported_certificate = 43,
-    certificate_revoked     = 44,
-    certificate_expired     = 45,
-    certificate_unknown     = 46,
-    illegal_parameter       = 47,
-
-/* All alerts below are TLS only. */
-    unknown_ca              = 48,
-    access_denied           = 49,
-    decode_error            = 50,
-    decrypt_error           = 51,
-    export_restriction      = 60,
-    protocol_version        = 70,
-    insufficient_security   = 71,
-    internal_error          = 80,
-    user_canceled           = 90,
-    no_renegotiation        = 100
-
-} SSL3AlertDescription;
-
-typedef struct {
-    SSL3AlertLevel       level;
-    SSL3AlertDescription description;
-} SSL3Alert;
-
-typedef enum {
-    hello_request	= 0, 
-    client_hello	= 1, 
-    server_hello	= 2,
-    certificate 	= 11, 
-    server_key_exchange = 12,
-    certificate_request	= 13, 
-    server_hello_done	= 14,
-    certificate_verify	= 15, 
-    client_key_exchange	= 16, 
-    finished		= 20
-} SSL3HandshakeType;
-
-typedef struct {
-    uint8 empty;
-} SSL3HelloRequest;
-     
-typedef struct {
-    SSL3Opaque rand[SSL3_RANDOM_LENGTH];
-} SSL3Random;
-     
-typedef struct {
-    SSL3Opaque id[32];
-    uint8 length;
-} SSL3SessionID;
-     
-typedef enum { compression_null = 0 } SSL3CompressionMethod;
-     
-typedef struct {
-    SSL3ProtocolVersion   client_version;
-    SSL3Random            random;
-    SSL3SessionID         session_id;
-    SECItem               cipher_suites;
-    uint8                 cm_count;
-    SSL3CompressionMethod compression_methods[MAX_COMPRESSION_METHODS];
-} SSL3ClientHello;
-     
-typedef struct  {
-    SSL3ProtocolVersion   server_version;
-    SSL3Random            random;
-    SSL3SessionID         session_id;
-    ssl3CipherSuite       cipher_suite;
-    SSL3CompressionMethod compression_method;
-} SSL3ServerHello;
-     
-typedef struct {
-    SECItem list;
-} SSL3Certificate;
-
-/* SSL3SignType moved to ssl.h */
-
-/* The SSL key exchange method used */     
-typedef enum {
-    kea_null, 
-    kea_rsa, 
-    kea_rsa_export,
-    kea_rsa_export_1024,
-    kea_dh_dss, 
-    kea_dh_dss_export, 
-    kea_dh_rsa, 
-    kea_dh_rsa_export,
-    kea_dhe_dss, 
-    kea_dhe_dss_export, 
-    kea_dhe_rsa, 
-    kea_dhe_rsa_export,
-    kea_dh_anon, 
-    kea_dh_anon_export, 
-    kea_rsa_fips,
-    kea_ecdh_ecdsa,
-    kea_ecdhe_ecdsa,
-    kea_ecdh_rsa,
-    kea_ecdhe_rsa
-} SSL3KeyExchangeAlgorithm;
-     
-typedef struct {
-    SECItem modulus;
-    SECItem exponent;
-} SSL3ServerRSAParams;
-
-typedef struct {
-    SECItem p;
-    SECItem g;
-    SECItem Ys;
-} SSL3ServerDHParams;
-
-typedef struct {
-    union {
-	SSL3ServerDHParams dh;
-	SSL3ServerRSAParams rsa;
-    } u;
-} SSL3ServerParams;
-
-typedef struct {
-    uint8 md5[16];
-    uint8 sha[20];
-} SSL3Hashes;
-     
-typedef struct {
-    union {
-	SSL3Opaque anonymous;
-	SSL3Hashes certified;
-    } u;
-} SSL3ServerKeyExchange;
-     
-typedef enum {
-    ct_RSA_sign 	=  1, 
-    ct_DSS_sign 	=  2, 
-    ct_RSA_fixed_DH 	=  3,
-    ct_DSS_fixed_DH 	=  4, 
-    ct_RSA_ephemeral_DH =  5, 
-    ct_DSS_ephemeral_DH =  6,
-    /* XXX The numbers assigned to the following EC-based 
-     * certificate types might change before the ECC in TLS
-     * draft becomes an IETF RFC.
-     */
-    ct_ECDSA_sign	=  7, 
-    ct_RSA_fixed_ECDH	=  8, 
-    ct_ECDSA_fixed_ECDH	=  9 
-
-} SSL3ClientCertificateType;
-     
-typedef SECItem *SSL3DistinquishedName;
-
-typedef struct {
-    SSL3Opaque client_version[2];
-    SSL3Opaque random[46];
-} SSL3RSAPreMasterSecret;
-     
-typedef SECItem SSL3EncryptedPreMasterSecret;
-
-
-typedef SSL3Opaque SSL3MasterSecret[48];
-
-typedef enum { implicit, explicit } SSL3PublicValueEncoding;
-     
-typedef struct {
-    union {
-	SSL3Opaque implicit;
-	SECItem    explicit;
-    } dh_public;
-} SSL3ClientDiffieHellmanPublic;
-     
-typedef struct {
-    union {
-	SSL3EncryptedPreMasterSecret  rsa;
-	SSL3ClientDiffieHellmanPublic diffie_helman;
-    } exchange_keys;
-} SSL3ClientKeyExchange;
-
-typedef SSL3Hashes SSL3PreSignedCertificateVerify;
-
-typedef SECItem SSL3CertificateVerify;
-
-typedef enum {
-    sender_client = 0x434c4e54,
-    sender_server = 0x53525652
-} SSL3Sender;
-
-typedef SSL3Hashes SSL3Finished;   
-
-typedef struct {
-    SSL3Opaque verify_data[12];
-} TLSFinished;
-
-#endif /* __ssl3proto_h_ */
diff --git a/security/nss/lib/ssl/sslauth.c b/security/nss/lib/ssl/sslauth.c
deleted file mode 100644
index 848f5aa63..000000000
--- a/security/nss/lib/ssl/sslauth.c
+++ /dev/null
@@ -1,270 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-#include "cert.h"
-#include "secitem.h"
-#include "ssl.h"
-#include "sslimpl.h"
-#include "sslproto.h"
-#include "pk11func.h"
-
-/* NEED LOCKS IN HERE.  */
-CERTCertificate *
-SSL_PeerCertificate(PRFileDesc *fd)
-{
-    sslSocket *ss;
-
-    ss = ssl_FindSocket(fd);
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate",
-		 SSL_GETPID(), fd));
-	return 0;
-    }
-    if (ss->opt.useSecurity && ss->sec.peerCert) {
-	return CERT_DupCertificate(ss->sec.peerCert);
-    }
-    return 0;
-}
-
-/* NEED LOCKS IN HERE.  */
-CERTCertificate *
-SSL_LocalCertificate(PRFileDesc *fd)
-{
-    sslSocket *ss;
-
-    ss = ssl_FindSocket(fd);
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate",
-		 SSL_GETPID(), fd));
-	return NULL;
-    }
-    if (ss->opt.useSecurity) {
-    	if (ss->sec.localCert) {
-	    return CERT_DupCertificate(ss->sec.localCert);
-	}
-	if (ss->sec.ci.sid && ss->sec.ci.sid->localCert) {
-	    return CERT_DupCertificate(ss->sec.ci.sid->localCert);
-	}
-    }
-    return NULL;
-}
-
-
-
-/* NEED LOCKS IN HERE.  */
-SECStatus
-SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1,
-		   char **ip, char **sp)
-{
-    sslSocket *ss;
-    const char *cipherName;
-    PRBool isDes = PR_FALSE;
-
-    ss = ssl_FindSocket(fd);
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in SecurityStatus",
-		 SSL_GETPID(), fd));
-	return SECFailure;
-    }
-
-    if (cp) *cp = 0;
-    if (kp0) *kp0 = 0;
-    if (kp1) *kp1 = 0;
-    if (ip) *ip = 0;
-    if (sp) *sp = 0;
-    if (op) {
-	*op = SSL_SECURITY_STATUS_OFF;
-    }
-
-    if (ss->opt.useSecurity && ss->firstHsDone) {
-
-	if (ss->version < SSL_LIBRARY_VERSION_3_0) {
-	    cipherName = ssl_cipherName[ss->sec.cipherType];
-	} else {
-	    cipherName = ssl3_cipherName[ss->sec.cipherType];
-	}
-	if (cipherName && PORT_Strstr(cipherName, "DES")) isDes = PR_TRUE;
-
-	if (cp) {
-	    *cp = PORT_Strdup(cipherName);
-	}
-
-	if (kp0) {
-	    *kp0 = ss->sec.keyBits;
-	    if (isDes) *kp0 = (*kp0 * 7) / 8;
-	}
-	if (kp1) {
-	    *kp1 = ss->sec.secretKeyBits;
-	    if (isDes) *kp1 = (*kp1 * 7) / 8;
-	}
-	if (op) {
-	    if (ss->sec.keyBits == 0) {
-		*op = SSL_SECURITY_STATUS_OFF;
-	    } else if (ss->sec.secretKeyBits < 90) {
-		*op = SSL_SECURITY_STATUS_ON_LOW;
-
-	    } else {
-		*op = SSL_SECURITY_STATUS_ON_HIGH;
-	    }
-	}
-
-	if (ip || sp) {
-	    CERTCertificate *cert;
-
-	    cert = ss->sec.peerCert;
-	    if (cert) {
-		if (ip) {
-		    *ip = CERT_NameToAscii(&cert->issuer);
-		}
-		if (sp) {
-		    *sp = CERT_NameToAscii(&cert->subject);
-		}
-	    } else {
-		if (ip) {
-		    *ip = PORT_Strdup("no certificate");
-		}
-		if (sp) {
-		    *sp = PORT_Strdup("no certificate");
-		}
-	    }
-	}
-    }
-
-    return SECSuccess;
-}
-
-/************************************************************************/
-
-/* NEED LOCKS IN HERE.  */
-SECStatus
-SSL_AuthCertificateHook(PRFileDesc *s, SSLAuthCertificate func, void *arg)
-{
-    sslSocket *ss;
-
-    ss = ssl_FindSocket(s);
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in AuthCertificateHook",
-		 SSL_GETPID(), s));
-	return SECFailure;
-    }
-
-    ss->authCertificate = func;
-    ss->authCertificateArg = arg;
-
-    return SECSuccess;
-}
-
-/* NEED LOCKS IN HERE.  */
-SECStatus 
-SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthData func,
-			      void *arg)
-{
-    sslSocket *ss;
-
-    ss = ssl_FindSocket(s);
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook",
-		 SSL_GETPID(), s));
-	return SECFailure;
-    }
-
-    ss->getClientAuthData = func;
-    ss->getClientAuthDataArg = arg;
-    return SECSuccess;
-}
-
-/* NEED LOCKS IN HERE.  */
-SECStatus 
-SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg)
-{
-    sslSocket *ss;
-
-    ss = ssl_FindSocket(s);
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook",
-		 SSL_GETPID(), s));
-	return SECFailure;
-    }
-
-    ss->pkcs11PinArg = arg;
-    return SECSuccess;
-}
-
-
-/* This is the "default" authCert callback function.  It is called when a 
- * certificate message is received from the peer and the local application
- * has not registered an authCert callback function.
- */
-SECStatus
-SSL_AuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer)
-{
-    SECStatus          rv;
-    CERTCertDBHandle * handle;
-    sslSocket *        ss;
-    SECCertUsage       certUsage;
-    const char *             hostname    = NULL;
-    
-    ss = ssl_FindSocket(fd);
-    PORT_Assert(ss != NULL);
-    if (!ss) {
-	return SECFailure;
-    }
-
-    handle = (CERTCertDBHandle *)arg;
-
-    /* this may seem backwards, but isn't. */
-    certUsage = isServer ? certUsageSSLClient : certUsageSSLServer;
-
-    rv = CERT_VerifyCertNow(handle, ss->sec.peerCert, checkSig, certUsage,
-			    ss->pkcs11PinArg);
-
-    if ( rv != SECSuccess || isServer )
-	return rv;
-  
-    /* cert is OK.  This is the client side of an SSL connection.
-     * Now check the name field in the cert against the desired hostname.
-     * NB: This is our only defense against Man-In-The-Middle (MITM) attacks!
-     */
-    hostname = ss->url;
-    if (hostname && hostname[0])
-	rv = CERT_VerifyCertName(ss->sec.peerCert, hostname);
-    else 
-	rv = SECFailure;
-    if (rv != SECSuccess)
-	PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
-
-    return rv;
-}
diff --git a/security/nss/lib/ssl/sslcon.c b/security/nss/lib/ssl/sslcon.c
deleted file mode 100644
index 06ec09813..000000000
--- a/security/nss/lib/ssl/sslcon.c
+++ /dev/null
@@ -1,3804 +0,0 @@
-/* 
- * SSL v2 handshake functions, and functions common to SSL2 and SSL3.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "nssrenam.h"
-#include "cert.h"
-#include "secitem.h"
-#include "sechash.h"
-#include "cryptohi.h"		/* for SGN_ funcs */
-#include "keyhi.h" 		/* for SECKEY_ high level functions. */
-#include "ssl.h"
-#include "sslimpl.h"
-#include "sslproto.h"
-#include "ssl3prot.h"
-#include "sslerr.h"
-#include "pk11func.h"
-#include "prinit.h"
-#include "prtime.h" 	/* for PR_Now() */
-
-#define XXX
-static PRBool policyWasSet;
-
-/* This ordered list is indexed by (SSL_CK_xx * 3)   */
-/* Second and third bytes are MSB and LSB of master key length. */
-static const PRUint8 allCipherSuites[] = {
-    0,						0,    0,
-    SSL_CK_RC4_128_WITH_MD5,			0x00, 0x80,
-    SSL_CK_RC4_128_EXPORT40_WITH_MD5,		0x00, 0x80,
-    SSL_CK_RC2_128_CBC_WITH_MD5,		0x00, 0x80,
-    SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5,	0x00, 0x80,
-    SSL_CK_IDEA_128_CBC_WITH_MD5,		0x00, 0x80,
-    SSL_CK_DES_64_CBC_WITH_MD5,			0x00, 0x40,
-    SSL_CK_DES_192_EDE3_CBC_WITH_MD5,		0x00, 0xC0,
-    0,						0,    0
-};
-
-#define ssl2_NUM_SUITES_IMPLEMENTED 6
-
-/* This list is sent back to the client when the client-hello message 
- * contains no overlapping ciphers, so the client can report what ciphers
- * are supported by the server.  Unlike allCipherSuites (above), this list
- * is sorted by descending preference, not by cipherSuite number. 
- */
-static const PRUint8 implementedCipherSuites[ssl2_NUM_SUITES_IMPLEMENTED * 3] = {
-    SSL_CK_RC4_128_WITH_MD5,			0x00, 0x80,
-    SSL_CK_RC2_128_CBC_WITH_MD5,		0x00, 0x80,
-    SSL_CK_DES_192_EDE3_CBC_WITH_MD5,		0x00, 0xC0,
-    SSL_CK_DES_64_CBC_WITH_MD5,			0x00, 0x40,
-    SSL_CK_RC4_128_EXPORT40_WITH_MD5,		0x00, 0x80,
-    SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5,	0x00, 0x80
-};
-
-typedef struct ssl2SpecsStr {
-    PRUint8           nkm; /* do this many hashes to generate key material. */
-    PRUint8           nkd; /* size of readKey and writeKey in bytes. */
-    PRUint8           blockSize;
-    PRUint8           blockShift;
-    CK_MECHANISM_TYPE mechanism;
-    PRUint8           keyLen;	/* cipher symkey size in bytes. */
-    PRUint8           pubLen;	/* publicly reveal this many bytes of key. */
-    PRUint8           ivLen;	/* length of IV data at *ca.	*/
-} ssl2Specs;
-
-static const ssl2Specs ssl_Specs[] = {
-/* NONE                                 */ 
-				{  0,  0, 0, 0, },
-/* SSL_CK_RC4_128_WITH_MD5		*/ 
-				{  2, 16, 1, 0, CKM_RC4,       16,   0, 0, },
-/* SSL_CK_RC4_128_EXPORT40_WITH_MD5	*/ 
-				{  2, 16, 1, 0, CKM_RC4,       16,  11, 0, },
-/* SSL_CK_RC2_128_CBC_WITH_MD5		*/ 
-				{  2, 16, 8, 3, CKM_RC2_CBC,   16,   0, 8, },
-/* SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5	*/ 
-				{  2, 16, 8, 3, CKM_RC2_CBC,   16,  11, 8, },
-/* SSL_CK_IDEA_128_CBC_WITH_MD5		*/ 
-				{  0,  0, 0, 0, },
-/* SSL_CK_DES_64_CBC_WITH_MD5		*/ 
-				{  1,  8, 8, 3, CKM_DES_CBC,    8,   0, 8, },
-/* SSL_CK_DES_192_EDE3_CBC_WITH_MD5	*/ 
-				{  3, 24, 8, 3, CKM_DES3_CBC,  24,   0, 8, },
-};
-
-#define SET_ERROR_CODE	  /* reminder */
-#define TEST_FOR_FAILURE  /* reminder */
-
-/*
-** Put a string tag in the library so that we can examine an executable
-** and see what kind of security it supports.
-*/
-const char *ssl_version = "SECURITY_VERSION:"
-			" +us"
-			" +export"
-#ifdef TRACE
-			" +trace"
-#endif
-#ifdef DEBUG
-			" +debug"
-#endif
-			;
-
-const char * const ssl_cipherName[] = {
-    "unknown",
-    "RC4",
-    "RC4-Export",
-    "RC2-CBC",
-    "RC2-CBC-Export",
-    "IDEA-CBC",
-    "DES-CBC",
-    "DES-EDE3-CBC",
-    "unknown",
-    "unknown", /* was fortezza, NO LONGER USED */
-};
-
-
-/* bit-masks, showing which SSLv2 suites are allowed.
- * lsb corresponds to first cipher suite in allCipherSuites[].
- */
-static PRUint16	allowedByPolicy;          /* all off by default */
-static PRUint16	maybeAllowedByPolicy;     /* all off by default */
-static PRUint16	chosenPreference = 0xff;  /* all on  by default */
-
-/* bit values for the above two bit masks */
-#define SSL_CB_RC4_128_WITH_MD5              (1 << SSL_CK_RC4_128_WITH_MD5)
-#define SSL_CB_RC4_128_EXPORT40_WITH_MD5     (1 << SSL_CK_RC4_128_EXPORT40_WITH_MD5)
-#define SSL_CB_RC2_128_CBC_WITH_MD5          (1 << SSL_CK_RC2_128_CBC_WITH_MD5)
-#define SSL_CB_RC2_128_CBC_EXPORT40_WITH_MD5 (1 << SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5)
-#define SSL_CB_IDEA_128_CBC_WITH_MD5         (1 << SSL_CK_IDEA_128_CBC_WITH_MD5)
-#define SSL_CB_DES_64_CBC_WITH_MD5           (1 << SSL_CK_DES_64_CBC_WITH_MD5)
-#define SSL_CB_DES_192_EDE3_CBC_WITH_MD5     (1 << SSL_CK_DES_192_EDE3_CBC_WITH_MD5)
-#define SSL_CB_IMPLEMENTED \
-   (SSL_CB_RC4_128_WITH_MD5              | \
-    SSL_CB_RC4_128_EXPORT40_WITH_MD5     | \
-    SSL_CB_RC2_128_CBC_WITH_MD5          | \
-    SSL_CB_RC2_128_CBC_EXPORT40_WITH_MD5 | \
-    SSL_CB_DES_64_CBC_WITH_MD5           | \
-    SSL_CB_DES_192_EDE3_CBC_WITH_MD5)
-
-
-/* Construct a socket's list of cipher specs from the global default values.
- */
-static SECStatus
-ssl2_ConstructCipherSpecs(sslSocket *ss) 
-{
-    PRUint8 *	        cs		= NULL;
-    unsigned int	allowed;
-    unsigned int	count;
-    int 		ssl3_count	= 0;
-    int 		final_count;
-    int 		i;
-    SECStatus 		rv;
-
-    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-
-    count = 0;
-    PORT_Assert(ss != 0);
-    allowed = !ss->opt.enableSSL2 ? 0 :
-    	(ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED);
-    while (allowed) {
-    	if (allowed & 1) 
-	    ++count;
-	allowed >>= 1;
-    }
-
-    /* Call ssl3_config_match_init() once here, 
-     * instead of inside ssl3_ConstructV2CipherSpecsHack(),
-     * because the latter gets called twice below, 
-     * and then again in ssl2_BeginClientHandshake().
-     */
-    ssl3_config_match_init(ss);
-
-    /* ask SSL3 how many cipher suites it has. */
-    rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3_count);
-    if (rv < 0) 
-	return rv;
-    count += ssl3_count;
-
-    /* Allocate memory to hold cipher specs */
-    if (count > 0)
-	cs = (PRUint8*) PORT_Alloc(count * 3);
-    else
-	PORT_SetError(SSL_ERROR_SSL_DISABLED);
-    if (cs == NULL)
-    	return SECFailure;
-
-    if (ss->cipherSpecs != NULL) {
-	PORT_Free(ss->cipherSpecs);
-    }
-    ss->cipherSpecs     = cs;
-    ss->sizeCipherSpecs = count * 3;
-
-    /* fill in cipher specs for SSL2 cipher suites */
-    allowed = !ss->opt.enableSSL2 ? 0 :
-    	(ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED);
-    for (i = 0; i < ssl2_NUM_SUITES_IMPLEMENTED * 3; i += 3) {
-	const PRUint8 * hs = implementedCipherSuites + i;
-	int             ok = allowed & (1U << hs[0]);
-	if (ok) {
-	    cs[0] = hs[0];
-	    cs[1] = hs[1];
-	    cs[2] = hs[2];
-	    cs += 3;
-	}
-    }
-
-    /* now have SSL3 add its suites onto the end */
-    rv = ssl3_ConstructV2CipherSpecsHack(ss, cs, &final_count);
-    
-    /* adjust for any difference between first pass and second pass */
-    ss->sizeCipherSpecs -= (ssl3_count - final_count) * 3;
-
-    return rv;
-}
-
-/* This function is called immediately after ssl2_ConstructCipherSpecs()
-** at the beginning of a handshake.  It detects cases where a protocol
-** (e.g. SSL2 or SSL3) is logically enabled, but all its cipher suites
-** for that protocol have been disabled.  If such cases, it clears the 
-** enable bit for the protocol.  If no protocols remain enabled, or
-** if no cipher suites are found, it sets the error code and returns
-** SECFailure, otherwise it returns SECSuccess.
-*/
-static SECStatus
-ssl2_CheckConfigSanity(sslSocket *ss)
-{
-    unsigned int      allowed;
-    int               ssl3CipherCount = 0;
-    SECStatus         rv;
-
-    /* count the SSL2 and SSL3 enabled ciphers.
-     * if either is zero, clear the socket's enable for that protocol.
-     */
-    if (!ss->cipherSpecs)
-    	goto disabled;
-
-    allowed = ss->allowedByPolicy & ss->chosenPreference;
-    if (! allowed)
-	ss->opt.enableSSL2 = PR_FALSE; /* not really enabled if no ciphers */
-
-    /* ssl3_config_match_init was called in ssl2_ConstructCipherSpecs(). */
-    /* Ask how many ssl3 CipherSuites were enabled. */
-    rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3CipherCount);
-    if (rv != SECSuccess || ssl3CipherCount <= 0) {
-	ss->opt.enableSSL3 = PR_FALSE; /* not really enabled if no ciphers */
-	ss->opt.enableTLS  = PR_FALSE;
-    }
-
-    if (!ss->opt.enableSSL2 && !ss->opt.enableSSL3 && !ss->opt.enableTLS) {
-	SSL_DBG(("%d: SSL[%d]: Can't handshake! both v2 and v3 disabled.",
-		 SSL_GETPID(), ss->fd));
-disabled:
-	PORT_SetError(SSL_ERROR_SSL_DISABLED);
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-/* 
- * Since this is a global (not per-socket) setting, we cannot use the
- * HandshakeLock to protect this.  Probably want a global lock.
- */
-SECStatus
-ssl2_SetPolicy(PRInt32 which, PRInt32 policy)
-{
-    PRUint32  bitMask;
-    SECStatus rv       = SECSuccess;
-
-    which &= 0x000f;
-    bitMask = 1 << which;
-
-    if (!(bitMask & SSL_CB_IMPLEMENTED)) {
-    	PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
-    	return SECFailure;
-    }
-
-    if (policy == SSL_ALLOWED) {
-	allowedByPolicy 	|= bitMask;
-	maybeAllowedByPolicy 	|= bitMask;
-    } else if (policy == SSL_RESTRICTED) {
-    	allowedByPolicy 	&= ~bitMask;
-	maybeAllowedByPolicy 	|= bitMask;
-    } else {
-    	allowedByPolicy 	&= ~bitMask;
-    	maybeAllowedByPolicy 	&= ~bitMask;
-    }
-    allowedByPolicy 		&= SSL_CB_IMPLEMENTED;
-    maybeAllowedByPolicy 	&= SSL_CB_IMPLEMENTED;
-
-    policyWasSet = PR_TRUE;
-    return rv;
-}
-
-SECStatus
-ssl2_GetPolicy(PRInt32 which, PRInt32 *oPolicy)
-{
-    PRUint32     bitMask;
-    PRInt32      policy;
-
-    which &= 0x000f;
-    bitMask = 1 << which;
-
-    /* Caller assures oPolicy is not null. */
-    if (!(bitMask & SSL_CB_IMPLEMENTED)) {
-    	PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
-	*oPolicy = SSL_NOT_ALLOWED;
-    	return SECFailure;
-    }
-
-    if (maybeAllowedByPolicy & bitMask) {
-    	policy = (allowedByPolicy & bitMask) ? SSL_ALLOWED : SSL_RESTRICTED;
-    } else {
-	policy = SSL_NOT_ALLOWED;
-    }
-
-    *oPolicy = policy;
-    return SECSuccess;
-}
-
-/* 
- * Since this is a global (not per-socket) setting, we cannot use the
- * HandshakeLock to protect this.  Probably want a global lock.
- * Called from SSL_CipherPrefSetDefault in sslsock.c
- * These changes have no effect on any sslSockets already created. 
- */
-SECStatus
-ssl2_CipherPrefSetDefault(PRInt32 which, PRBool enabled)
-{
-    PRUint32     bitMask;
-    
-    which &= 0x000f;
-    bitMask = 1 << which;
-
-    if (!(bitMask & SSL_CB_IMPLEMENTED)) {
-    	PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
-    	return SECFailure;
-    }
-
-    if (enabled)
-	chosenPreference |= bitMask;
-    else
-    	chosenPreference &= ~bitMask;
-    chosenPreference &= SSL_CB_IMPLEMENTED;
-
-    return SECSuccess;
-}
-
-SECStatus 
-ssl2_CipherPrefGetDefault(PRInt32 which, PRBool *enabled)
-{
-    PRBool       rv       = PR_FALSE;
-    PRUint32     bitMask;
-
-    which &= 0x000f;
-    bitMask = 1 << which;
-
-    if (!(bitMask & SSL_CB_IMPLEMENTED)) {
-    	PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
-	*enabled = PR_FALSE;
-    	return SECFailure;
-    }
-
-    rv = (PRBool)((chosenPreference & bitMask) != 0);
-    *enabled = rv;
-    return SECSuccess;
-}
-
-SECStatus 
-ssl2_CipherPrefSet(sslSocket *ss, PRInt32 which, PRBool enabled)
-{
-    PRUint32     bitMask;
-    
-    which &= 0x000f;
-    bitMask = 1 << which;
-
-    if (!(bitMask & SSL_CB_IMPLEMENTED)) {
-    	PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
-    	return SECFailure;
-    }
-
-    if (enabled)
-	ss->chosenPreference |= bitMask;
-    else
-    	ss->chosenPreference &= ~bitMask;
-    ss->chosenPreference &= SSL_CB_IMPLEMENTED;
-
-    return SECSuccess;
-}
-
-SECStatus 
-ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled)
-{
-    PRBool       rv       = PR_FALSE;
-    PRUint32     bitMask;
-
-    which &= 0x000f;
-    bitMask = 1 << which;
-
-    if (!(bitMask & SSL_CB_IMPLEMENTED)) {
-    	PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
-	*enabled = PR_FALSE;
-    	return SECFailure;
-    }
-
-    rv = (PRBool)((ss->chosenPreference & bitMask) != 0);
-    *enabled = rv;
-    return SECSuccess;
-}
-
-
-/* copy global default policy into socket. */
-void      
-ssl2_InitSocketPolicy(sslSocket *ss)
-{
-    ss->allowedByPolicy		= allowedByPolicy;
-    ss->maybeAllowedByPolicy	= maybeAllowedByPolicy;
-    ss->chosenPreference 	= chosenPreference;
-}
-
-
-/************************************************************************/
-
-/* Called from ssl2_CreateSessionCypher(), which already holds handshake lock.
- */
-static SECStatus
-ssl2_CreateMAC(sslSecurityInfo *sec, SECItem *readKey, SECItem *writeKey, 
-          int cipherChoice)
-{
-    switch (cipherChoice) {
-
-      case SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5:
-      case SSL_CK_RC2_128_CBC_WITH_MD5:
-      case SSL_CK_RC4_128_EXPORT40_WITH_MD5:
-      case SSL_CK_RC4_128_WITH_MD5:
-      case SSL_CK_DES_64_CBC_WITH_MD5:
-      case SSL_CK_DES_192_EDE3_CBC_WITH_MD5:
-	sec->hash = HASH_GetHashObject(HASH_AlgMD5);
-	SECITEM_CopyItem(0, &sec->sendSecret, writeKey);
-	SECITEM_CopyItem(0, &sec->rcvSecret, readKey);
-	break;
-
-      default:
-	PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
-	return SECFailure;
-    }
-    sec->hashcx = (*sec->hash->create)();
-    if (sec->hashcx == NULL)
-	return SECFailure;
-    return SECSuccess;
-}
-
-/************************************************************************
- * All the Send functions below must acquire and release the socket's 
- * xmitBufLock.
- */
-
-/* Called from all the Send* functions below. */
-static SECStatus
-ssl2_GetSendBuffer(sslSocket *ss, unsigned int len)
-{
-    SECStatus rv = SECSuccess;
-
-    PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
-
-    if (len < 128) {
-	len = 128;
-    }
-    if (len > ss->sec.ci.sendBuf.space) {
-	rv = sslBuffer_Grow(&ss->sec.ci.sendBuf, len);
-	if (rv != SECSuccess) {
-	    SSL_DBG(("%d: SSL[%d]: ssl2_GetSendBuffer failed, tried to get %d bytes",
-		     SSL_GETPID(), ss->fd, len));
-	    rv = SECFailure;
-	}
-    }
-    return rv;
-}
-
-/* Called from:
- * ssl2_ClientSetupSessionCypher() <- ssl2_HandleServerHelloMessage()
- * ssl2_HandleRequestCertificate()     <- ssl2_HandleMessage() <- 
- 					ssl_Do1stHandshake()
- * ssl2_HandleMessage()                <- ssl_Do1stHandshake()
- * ssl2_HandleServerHelloMessage() <- ssl_Do1stHandshake()
-                                     after ssl2_BeginClientHandshake()
- * ssl2_RestartHandshakeAfterCertReq() <- Called from certdlgs.c in nav.
- * ssl2_HandleClientHelloMessage() <- ssl_Do1stHandshake() 
-                                     after ssl2_BeginServerHandshake()
- * 
- * Acquires and releases the socket's xmitBufLock.
- */	
-int
-ssl2_SendErrorMessage(sslSocket *ss, int error)
-{
-    int rv;
-    PRUint8 msg[SSL_HL_ERROR_HBYTES];
-
-    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-
-    msg[0] = SSL_MT_ERROR;
-    msg[1] = MSB(error);
-    msg[2] = LSB(error);
-
-    ssl_GetXmitBufLock(ss);    /***************************************/
-
-    SSL_TRC(3, ("%d: SSL[%d]: sending error %d", SSL_GETPID(), ss->fd, error));
-
-    ss->handshakeBegun = 1;
-    rv = (*ss->sec.send)(ss, msg, sizeof(msg), 0);
-    if (rv >= 0) {
-	rv = SECSuccess;
-    }
-    ssl_ReleaseXmitBufLock(ss);    /***************************************/
-    return rv;
-}
-
-/* Called from ssl2_TryToFinish().  
- * Acquires and releases the socket's xmitBufLock.
- */
-static SECStatus
-ssl2_SendClientFinishedMessage(sslSocket *ss)
-{
-    SECStatus        rv    = SECSuccess;
-    int              sent;
-    PRUint8    msg[1 + SSL_CONNECTIONID_BYTES];
-
-    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-
-    ssl_GetXmitBufLock(ss);    /***************************************/
-
-    if (ss->sec.ci.sentFinished == 0) {
-	ss->sec.ci.sentFinished = 1;
-
-	SSL_TRC(3, ("%d: SSL[%d]: sending client-finished",
-		    SSL_GETPID(), ss->fd));
-
-	msg[0] = SSL_MT_CLIENT_FINISHED;
-	PORT_Memcpy(msg+1, ss->sec.ci.connectionID, 
-	            sizeof(ss->sec.ci.connectionID));
-
-	DUMP_MSG(29, (ss, msg, 1 + sizeof(ss->sec.ci.connectionID)));
-	sent = (*ss->sec.send)(ss, msg, 1 + sizeof(ss->sec.ci.connectionID), 0);
-	rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
-    }
-    ssl_ReleaseXmitBufLock(ss);    /***************************************/
-    return rv;
-}
-
-/* Called from 
- * ssl2_HandleClientSessionKeyMessage() <- ssl2_HandleClientHelloMessage()
- * ssl2_HandleClientHelloMessage()  <- ssl_Do1stHandshake() 
-                                      after ssl2_BeginServerHandshake()
- * Acquires and releases the socket's xmitBufLock.
- */
-static SECStatus
-ssl2_SendServerVerifyMessage(sslSocket *ss)
-{
-    PRUint8 *        msg;
-    int              sendLen;
-    int              sent;
-    SECStatus        rv;
-
-    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-
-    ssl_GetXmitBufLock(ss);    /***************************************/
-
-    sendLen = 1 + SSL_CHALLENGE_BYTES;
-    rv = ssl2_GetSendBuffer(ss, sendLen);
-    if (rv != SECSuccess) {
-	goto done;
-    }
-
-    msg = ss->sec.ci.sendBuf.buf;
-    msg[0] = SSL_MT_SERVER_VERIFY;
-    PORT_Memcpy(msg+1, ss->sec.ci.clientChallenge, SSL_CHALLENGE_BYTES);
-
-    DUMP_MSG(29, (ss, msg, sendLen));
-    sent = (*ss->sec.send)(ss, msg, sendLen, 0);
-
-    rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
-
-done:
-    ssl_ReleaseXmitBufLock(ss);    /***************************************/
-    return rv;
-}
-
-/* Called from ssl2_TryToFinish(). 
- * Acquires and releases the socket's xmitBufLock.
- */
-static SECStatus
-ssl2_SendServerFinishedMessage(sslSocket *ss)
-{
-    sslSessionID *   sid;
-    PRUint8 *        msg;
-    int              sendLen, sent;
-    SECStatus        rv    = SECSuccess;
-
-    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-
-    ssl_GetXmitBufLock(ss);    /***************************************/
-
-    if (ss->sec.ci.sentFinished == 0) {
-	ss->sec.ci.sentFinished = 1;
-	PORT_Assert(ss->sec.ci.sid != 0);
-	sid = ss->sec.ci.sid;
-
-	SSL_TRC(3, ("%d: SSL[%d]: sending server-finished",
-		    SSL_GETPID(), ss->fd));
-
-	sendLen = 1 + sizeof(sid->u.ssl2.sessionID);
-	rv = ssl2_GetSendBuffer(ss, sendLen);
-	if (rv != SECSuccess) {
-	    goto done;
-	}
-
-	msg = ss->sec.ci.sendBuf.buf;
-	msg[0] = SSL_MT_SERVER_FINISHED;
-	PORT_Memcpy(msg+1, sid->u.ssl2.sessionID,
-		    sizeof(sid->u.ssl2.sessionID));
-
-	DUMP_MSG(29, (ss, msg, sendLen));
-	sent = (*ss->sec.send)(ss, msg, sendLen, 0);
-
-	if (sent < 0) {
-	    /* If send failed, it is now a bogus  session-id */
-	    (*ss->sec.uncache)(sid);
-	    rv = (SECStatus)sent;
-	} else if (!ss->opt.noCache) {
-	    /* Put the sid in session-id cache, (may already be there) */
-	    (*ss->sec.cache)(sid);
-	    rv = SECSuccess;
-	}
-	ssl_FreeSID(sid);
-	ss->sec.ci.sid = 0;
-    }
-done:
-    ssl_ReleaseXmitBufLock(ss);    /***************************************/
-    return rv;
-}
-
-/* Called from ssl2_ClientSetupSessionCypher() <- 
- *						ssl2_HandleServerHelloMessage() 
- *                                           after ssl2_BeginClientHandshake()
- * Acquires and releases the socket's xmitBufLock.
- */
-static SECStatus
-ssl2_SendSessionKeyMessage(sslSocket *ss, int cipher, int keySize,
-		      PRUint8 *ca, int caLen,
-		      PRUint8 *ck, int ckLen,
-		      PRUint8 *ek, int ekLen)
-{
-    PRUint8 *        msg;
-    int              sendLen;
-    int              sent;
-    SECStatus        rv;
-
-    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-
-    ssl_GetXmitBufLock(ss);    /***************************************/
-
-    sendLen = SSL_HL_CLIENT_MASTER_KEY_HBYTES + ckLen + ekLen + caLen;
-    rv = ssl2_GetSendBuffer(ss, sendLen);
-    if (rv != SECSuccess) 
-	goto done;
-
-    SSL_TRC(3, ("%d: SSL[%d]: sending client-session-key",
-		SSL_GETPID(), ss->fd));
-
-    msg = ss->sec.ci.sendBuf.buf;
-    msg[0] = SSL_MT_CLIENT_MASTER_KEY;
-    msg[1] = cipher;
-    msg[2] = MSB(keySize);
-    msg[3] = LSB(keySize);
-    msg[4] = MSB(ckLen);
-    msg[5] = LSB(ckLen);
-    msg[6] = MSB(ekLen);
-    msg[7] = LSB(ekLen);
-    msg[8] = MSB(caLen);
-    msg[9] = LSB(caLen);
-    PORT_Memcpy(msg+SSL_HL_CLIENT_MASTER_KEY_HBYTES, ck, ckLen);
-    PORT_Memcpy(msg+SSL_HL_CLIENT_MASTER_KEY_HBYTES+ckLen, ek, ekLen);
-    PORT_Memcpy(msg+SSL_HL_CLIENT_MASTER_KEY_HBYTES+ckLen+ekLen, ca, caLen);
-
-    DUMP_MSG(29, (ss, msg, sendLen));
-    sent = (*ss->sec.send)(ss, msg, sendLen, 0);
-    rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
-done:
-    ssl_ReleaseXmitBufLock(ss);    /***************************************/
-    return rv;
-}
-
-/* Called from ssl2_TriggerNextMessage() <- ssl2_HandleMessage() 
- * Acquires and releases the socket's xmitBufLock.
- */
-static SECStatus
-ssl2_SendCertificateRequestMessage(sslSocket *ss)
-{
-    PRUint8 *        msg;
-    int              sent;
-    int              sendLen;
-    SECStatus        rv;
-
-    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-
-    ssl_GetXmitBufLock(ss);    /***************************************/
-
-    sendLen = SSL_HL_REQUEST_CERTIFICATE_HBYTES + SSL_CHALLENGE_BYTES;
-    rv = ssl2_GetSendBuffer(ss, sendLen);
-    if (rv != SECSuccess) 
-	goto done;
-
-    SSL_TRC(3, ("%d: SSL[%d]: sending certificate request",
-		SSL_GETPID(), ss->fd));
-
-    /* Generate random challenge for client to encrypt */
-    PK11_GenerateRandom(ss->sec.ci.serverChallenge, SSL_CHALLENGE_BYTES);
-
-    msg = ss->sec.ci.sendBuf.buf;
-    msg[0] = SSL_MT_REQUEST_CERTIFICATE;
-    msg[1] = SSL_AT_MD5_WITH_RSA_ENCRYPTION;
-    PORT_Memcpy(msg + SSL_HL_REQUEST_CERTIFICATE_HBYTES, 
-                ss->sec.ci.serverChallenge, SSL_CHALLENGE_BYTES);
-
-    DUMP_MSG(29, (ss, msg, sendLen));
-    sent = (*ss->sec.send)(ss, msg, sendLen, 0);
-    rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
-done:
-    ssl_ReleaseXmitBufLock(ss);    /***************************************/
-    return rv;
-}
-
-/* Called from ssl2_HandleRequestCertificate() <- ssl2_HandleMessage()
- *             ssl2_RestartHandshakeAfterCertReq() <- (application)
- * Acquires and releases the socket's xmitBufLock.
- */
-static int
-ssl2_SendCertificateResponseMessage(sslSocket *ss, SECItem *cert, 
-                                    SECItem *encCode)
-{
-    PRUint8 *msg;
-    int rv, sendLen;
-
-    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-
-    ssl_GetXmitBufLock(ss);    /***************************************/
-
-    sendLen = SSL_HL_CLIENT_CERTIFICATE_HBYTES + encCode->len + cert->len;
-    rv = ssl2_GetSendBuffer(ss, sendLen);
-    if (rv) 
-    	goto done;
-
-    SSL_TRC(3, ("%d: SSL[%d]: sending certificate response",
-		SSL_GETPID(), ss->fd));
-
-    msg = ss->sec.ci.sendBuf.buf;
-    msg[0] = SSL_MT_CLIENT_CERTIFICATE;
-    msg[1] = SSL_CT_X509_CERTIFICATE;
-    msg[2] = MSB(cert->len);
-    msg[3] = LSB(cert->len);
-    msg[4] = MSB(encCode->len);
-    msg[5] = LSB(encCode->len);
-    PORT_Memcpy(msg + SSL_HL_CLIENT_CERTIFICATE_HBYTES, cert->data, cert->len);
-    PORT_Memcpy(msg + SSL_HL_CLIENT_CERTIFICATE_HBYTES + cert->len,
-	      encCode->data, encCode->len);
-
-    DUMP_MSG(29, (ss, msg, sendLen));
-    rv = (*ss->sec.send)(ss, msg, sendLen, 0);
-    if (rv >= 0) {
-	rv = SECSuccess;
-    }
-done:
-    ssl_ReleaseXmitBufLock(ss);    /***************************************/
-    return rv;
-}
-
-/********************************************************************
-**  Send functions above this line must aquire & release the socket's   
-**	xmitBufLock.  
-** All the ssl2_Send functions below this line are called vis ss->sec.send
-**	and require that the caller hold the xmitBufLock.
-*/
-
-/*
-** Called from ssl2_SendStream, ssl2_SendBlock, but not from ssl2_SendClear.
-*/
-static SECStatus
-ssl2_CalcMAC(PRUint8             * result, 
-	     sslSecurityInfo     * sec,
-	     const PRUint8       * data, 
-	     unsigned int          dataLen,
-	     unsigned int          paddingLen)
-{
-    const PRUint8 *      secret		= sec->sendSecret.data;
-    unsigned int         secretLen	= sec->sendSecret.len;
-    unsigned long        sequenceNumber = sec->sendSequence;
-    unsigned int         nout;
-    PRUint8              seq[4];
-    PRUint8              padding[32];/* XXX max blocksize? */
-
-    if (!sec->hash || !sec->hash->length)
-    	return SECSuccess;
-    if (!sec->hashcx)
-    	return SECFailure;
-
-    /* Reset hash function */
-    (*sec->hash->begin)(sec->hashcx);
-
-    /* Feed hash the data */
-    (*sec->hash->update)(sec->hashcx, secret, secretLen);
-    (*sec->hash->update)(sec->hashcx, data, dataLen);
-    PORT_Memset(padding, paddingLen, paddingLen);
-    (*sec->hash->update)(sec->hashcx, padding, paddingLen);
-
-    seq[0] = (PRUint8) (sequenceNumber >> 24);
-    seq[1] = (PRUint8) (sequenceNumber >> 16);
-    seq[2] = (PRUint8) (sequenceNumber >> 8);
-    seq[3] = (PRUint8) (sequenceNumber);
-
-    PRINT_BUF(60, (0, "calc-mac secret:", secret, secretLen));
-    PRINT_BUF(60, (0, "calc-mac data:", data, dataLen));
-    PRINT_BUF(60, (0, "calc-mac padding:", padding, paddingLen));
-    PRINT_BUF(60, (0, "calc-mac seq:", seq, 4));
-
-    (*sec->hash->update)(sec->hashcx, seq, 4);
-
-    /* Get result */
-    (*sec->hash->end)(sec->hashcx, result, &nout, sec->hash->length);
-
-    return SECSuccess;
-}
-
-/*
-** Maximum transmission amounts. These are tiny bit smaller than they
-** need to be (they account for the MAC length plus some padding),
-** assuming the MAC is 16 bytes long and the padding is a max of 7 bytes
-** long. This gives an additional 9 bytes of slop to work within.
-*/
-#define MAX_STREAM_CYPHER_LEN	0x7fe0
-#define MAX_BLOCK_CYPHER_LEN	0x3fe0
-
-/*
-** Send some data in the clear. 
-** Package up data with the length header and send it.
-**
-** Return count of bytes succesfully written, or negative number (failure).
-*/
-static PRInt32 
-ssl2_SendClear(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
-{
-    PRUint8         * out;
-    int               rv;
-    int               amount;
-    int               count	= 0;
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
-
-    SSL_TRC(10, ("%d: SSL[%d]: sending %d bytes in the clear",
-		 SSL_GETPID(), ss->fd, len));
-    PRINT_BUF(50, (ss, "clear data:", (PRUint8*) in, len));
-
-    while (len) {
-	amount = PR_MIN( len, MAX_STREAM_CYPHER_LEN );
-	if (amount + 2 > ss->sec.writeBuf.space) {
-	    rv = sslBuffer_Grow(&ss->sec.writeBuf, amount + 2);
-	    if (rv != SECSuccess) {
-		count = rv;
-		break;
-	    }
-	}
-	out = ss->sec.writeBuf.buf;
-
-	/*
-	** Construct message.
-	*/
-	out[0] = 0x80 | MSB(amount);
-	out[1] = LSB(amount);
-	PORT_Memcpy(&out[2], in, amount);
-
-	/* Now send the data */
-	rv = ssl_DefSend(ss, out, amount + 2, flags & ~ssl_SEND_FLAG_MASK);
-	if (rv < 0) {
-	    if (PORT_GetError() == PR_WOULD_BLOCK_ERROR) {
-		rv = 0;
-	    } else {
-		/* Return short write if some data already went out... */
-		if (count == 0)
-		    count = rv;
-		break;
-	    }
-	}
-
-	if ((unsigned)rv < (amount + 2)) {
-	    /* Short write.  Save the data and return. */
-	    if (ssl_SaveWriteData(ss, &ss->pendingBuf, out + rv,
-				   amount + 2 - rv) == SECFailure) {
-		count = SECFailure;
-	    } else {
-		count += amount;
-		ss->sec.sendSequence++;
-	    }
-	    break;
-	}
-
-	ss->sec.sendSequence++;
-	in    += amount;
-	count += amount;
-	len   -= amount;
-    }
-
-    return count;
-}
-
-/*
-** Send some data, when using a stream cipher. Stream ciphers have a
-** block size of 1. Package up the data with the length header
-** and send it.
-*/
-static PRInt32 
-ssl2_SendStream(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
-{
-    PRUint8       *  out;
-    int              rv;
-    int              count	= 0;
-
-    int              amount;
-    PRUint8          macLen;
-    int              nout;
-    int              buflen;
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
-
-    SSL_TRC(10, ("%d: SSL[%d]: sending %d bytes using stream cipher",
-		 SSL_GETPID(), ss->fd, len));
-    PRINT_BUF(50, (ss, "clear data:", (PRUint8*) in, len));
-
-    while (len) {
-	ssl_GetSpecReadLock(ss);  /*************************************/
-
-	macLen = ss->sec.hash->length;
-	amount = PR_MIN( len, MAX_STREAM_CYPHER_LEN );
-	buflen = amount + 2 + macLen;
-	if (buflen > ss->sec.writeBuf.space) {
-	    rv = sslBuffer_Grow(&ss->sec.writeBuf, buflen);
-	    if (rv != SECSuccess) {
-		goto loser;
-	    }
-	}
-	out    = ss->sec.writeBuf.buf;
-	nout   = amount + macLen;
-	out[0] = 0x80 | MSB(nout);
-	out[1] = LSB(nout);
-
-	/* Calculate MAC */
-	rv = ssl2_CalcMAC(out+2, 		/* put MAC here */
-	                  &ss->sec, 
-		          in, amount, 		/* input addr & length */
-			  0); 			/* no padding */
-	if (rv != SECSuccess) 
-	    goto loser;
-
-	/* Encrypt MAC */
-	rv = (*ss->sec.enc)(ss->sec.writecx, out+2, &nout, macLen, out+2, macLen);
-	if (rv) goto loser;
-
-	/* Encrypt data from caller */
-	rv = (*ss->sec.enc)(ss->sec.writecx, out+2+macLen, &nout, amount, in, amount);
-	if (rv) goto loser;
-
-	ssl_ReleaseSpecReadLock(ss);  /*************************************/
-
-	PRINT_BUF(50, (ss, "encrypted data:", out, buflen));
-
-	rv = ssl_DefSend(ss, out, buflen, flags & ~ssl_SEND_FLAG_MASK);
-	if (rv < 0) {
-	    if (PORT_GetError() == PR_WOULD_BLOCK_ERROR) {
-		SSL_TRC(50, ("%d: SSL[%d]: send stream would block, "
-			     "saving data", SSL_GETPID(), ss->fd));
-		rv = 0;
-	    } else {
-		SSL_TRC(10, ("%d: SSL[%d]: send stream error %d",
-			     SSL_GETPID(), ss->fd, PORT_GetError()));
-		/* Return short write if some data already went out... */
-		if (count == 0)
-		    count = rv;
-		goto done;
-	    }
-	}
-
-	if ((unsigned)rv < buflen) {
-	    /* Short write.  Save the data and return. */
-	    if (ssl_SaveWriteData(ss, &ss->pendingBuf, out + rv,
-				  buflen - rv) == SECFailure) {
-		count = SECFailure;
-	    } else {
-	    	count += amount;
-		ss->sec.sendSequence++;
-	    }
-	    goto done;
-	}
-
-	ss->sec.sendSequence++;
-	in    += amount;
-	count += amount;
-	len   -= amount;
-    }
-
-done:
-    return count;
-
-loser:
-    ssl_ReleaseSpecReadLock(ss);
-    return SECFailure;
-}
-
-/*
-** Send some data, when using a block cipher. Package up the data with
-** the length header and send it.
-*/
-/* XXX assumes blocksize is > 7 */
-static PRInt32
-ssl2_SendBlock(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
-{
-    PRUint8       *  out;  		    /* begining of output buffer.    */
-    PRUint8       *  op;		    /* next output byte goes here.   */
-    int              rv;		    /* value from funcs we called.   */
-    int              count	= 0;        /* this function's return value. */
-
-    unsigned int     hlen;		    /* output record hdr len, 2 or 3 */
-    unsigned int     macLen;		    /* MAC is this many bytes long.  */
-    int              amount;		    /* of plaintext to go in record. */
-    unsigned int     padding;		    /* add this many padding byte.   */
-    int              nout;		    /* ciphertext size after header. */
-    int              buflen;		    /* size of generated record.     */
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
-
-    SSL_TRC(10, ("%d: SSL[%d]: sending %d bytes using block cipher",
-		 SSL_GETPID(), ss->fd, len));
-    PRINT_BUF(50, (ss, "clear data:", in, len));
-
-    while (len) {
-	ssl_GetSpecReadLock(ss);  /*************************************/
-
-	macLen = ss->sec.hash->length;
-	/* Figure out how much to send, including mac and padding */
-	amount  = PR_MIN( len, MAX_BLOCK_CYPHER_LEN );
-	nout    = amount + macLen;
-	padding = nout & (ss->sec.blockSize - 1);
-	if (padding) {
-	    hlen    = 3;
-	    padding = ss->sec.blockSize - padding;
-	    nout   += padding;
-	} else {
-	    hlen = 2;
-	}
-	buflen = hlen + nout;
-	if (buflen > ss->sec.writeBuf.space) {
-	    rv = sslBuffer_Grow(&ss->sec.writeBuf, buflen);
-	    if (rv != SECSuccess) {
-		goto loser;
-	    }
-	}
-	out = ss->sec.writeBuf.buf;
-
-	/* Construct header */
-	op = out;
-	if (padding) {
-	    *op++ = MSB(nout);
-	    *op++ = LSB(nout);
-	    *op++ = padding;
-	} else {
-	    *op++ = 0x80 | MSB(nout);
-	    *op++ = LSB(nout);
-	}
-
-	/* Calculate MAC */
-	rv = ssl2_CalcMAC(op, 		/* MAC goes here. */
-	                  &ss->sec, 
-		          in, amount, 	/* intput addr, len */
-			  padding);
-	if (rv != SECSuccess) 
-	    goto loser;
-	op += macLen;
-
-	/* Copy in the input data */
-	/* XXX could eliminate the copy by folding it into the encryption */
-	PORT_Memcpy(op, in, amount);
-	op += amount;
-	if (padding) {
-	    PORT_Memset(op, padding, padding);
-	    op += padding;
-	}
-
-	/* Encrypt result */
-	rv = (*ss->sec.enc)(ss->sec.writecx, out+hlen, &nout, buflen-hlen,
-			 out+hlen, op - (out + hlen));
-	if (rv) 
-	    goto loser;
-
-	ssl_ReleaseSpecReadLock(ss);  /*************************************/
-
-	PRINT_BUF(50, (ss, "final xmit data:", out, op - out));
-
-	rv = ssl_DefSend(ss, out, op - out, flags & ~ssl_SEND_FLAG_MASK);
-	if (rv < 0) {
-	    if (PORT_GetError() == PR_WOULD_BLOCK_ERROR) {
-		rv = 0;
-	    } else {
-		SSL_TRC(10, ("%d: SSL[%d]: send block error %d",
-			     SSL_GETPID(), ss->fd, PORT_GetError()));
-		/* Return short write if some data already went out... */
-		if (count == 0)
-		    count = rv;
-		goto done;
-	    }
-	}
-
-	if (rv < (op - out)) {
-	    /* Short write.  Save the data and return. */
-	    if (ssl_SaveWriteData(ss, &ss->pendingBuf, out + rv,
-				  op - out - rv) == SECFailure) {
-		count = SECFailure;
-	    } else {
-		count += amount;
-		ss->sec.sendSequence++;
-	    }
-	    goto done;
-	}
-
-	ss->sec.sendSequence++;
-	in    += amount;
-	count += amount;
-	len   -= amount;
-    }
-
-done:
-    return count;
-
-loser:
-    ssl_ReleaseSpecReadLock(ss);
-    return SECFailure;
-}
-
-/*
-** Called from: ssl2_HandleServerHelloMessage,
-**              ssl2_HandleClientSessionKeyMessage,
-**              ssl2_RestartHandshakeAfterServerCert,
-**              ssl2_HandleClientHelloMessage,
-**              
-*/
-static void
-ssl2_UseEncryptedSendFunc(sslSocket *ss)
-{
-    ssl_GetXmitBufLock(ss);
-    PORT_Assert(ss->sec.hashcx != 0);
-
-    ss->gs.encrypted = 1;
-    ss->sec.send = (ss->sec.blockSize > 1) ? ssl2_SendBlock : ssl2_SendStream;
-    ssl_ReleaseXmitBufLock(ss);
-}
-
-/* Called while initializing socket in ssl_CreateSecurityInfo().
-** This function allows us to keep the name of ssl2_SendClear static.
-*/
-void
-ssl2_UseClearSendFunc(sslSocket *ss)
-{
-    ss->sec.send = ssl2_SendClear;
-}
-
-/************************************************************************
-** 			END of Send functions.                          * 
-*************************************************************************/
-
-/***********************************************************************
- * For SSL3, this gathers in and handles records/messages until either 
- *	the handshake is complete or application data is available.
- *
- * For SSL2, this gathers in only the next SSLV2 record.
- *
- * Called from ssl_Do1stHandshake() via function pointer ss->handshake.
- * Caller must hold handshake lock.
- * This function acquires and releases the RecvBufLock.
- *
- * returns SECSuccess for success.
- * returns SECWouldBlock when that value is returned by ssl2_GatherRecord() or
- *	ssl3_GatherCompleteHandshake().
- * returns SECFailure on all other errors.
- *
- * The gather functions called by ssl_GatherRecord1stHandshake are expected 
- * 	to return values interpreted as follows:
- *  1 : the function completed without error.
- *  0 : the function read EOF.
- * -1 : read error, or PR_WOULD_BLOCK_ERROR, or handleRecord error.
- * -2 : the function wants ssl_GatherRecord1stHandshake to be called again 
- *	immediately, by ssl_Do1stHandshake.
- *
- * This code is similar to, and easily confused with, DoRecv() in sslsecur.c
- *
- * This function is called from ssl_Do1stHandshake().  
- * The following functions put ssl_GatherRecord1stHandshake into ss->handshake:
- *	ssl2_HandleMessage
- *	ssl2_HandleVerifyMessage
- *	ssl2_HandleServerHelloMessage
- *	ssl2_BeginClientHandshake	
- *	ssl2_HandleClientSessionKeyMessage
- *	ssl2_RestartHandshakeAfterCertReq 
- *	ssl3_RestartHandshakeAfterCertReq 
- *	ssl2_RestartHandshakeAfterServerCert 
- *	ssl3_RestartHandshakeAfterServerCert 
- *	ssl2_HandleClientHelloMessage
- *	ssl2_BeginServerHandshake
- */
-SECStatus
-ssl_GatherRecord1stHandshake(sslSocket *ss)
-{
-    int rv;
-
-    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-
-    ssl_GetRecvBufLock(ss);
-
-    if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
-	/* Wait for handshake to complete, or application data to arrive.  */
-	rv = ssl3_GatherCompleteHandshake(ss, 0);
-    } else {
-	/* See if we have a complete record */
-	rv = ssl2_GatherRecord(ss, 0);
-    }
-    SSL_TRC(10, ("%d: SSL[%d]: handshake gathering, rv=%d",
-		 SSL_GETPID(), ss->fd, rv));
-
-    ssl_ReleaseRecvBufLock(ss);
-
-    if (rv <= 0) {
-	if (rv == SECWouldBlock) {
-	    /* Progress is blocked waiting for callback completion.  */
-	    SSL_TRC(10, ("%d: SSL[%d]: handshake blocked (need %d)",
-			 SSL_GETPID(), ss->fd, ss->gs.remainder));
-	    return SECWouldBlock;
-	}
-	if (rv == 0) {
-	    /* EOF. Loser  */
-	    PORT_SetError(PR_END_OF_FILE_ERROR);
-	}
-	return SECFailure;	/* rv is < 0 here. */
-    }
-
-    SSL_TRC(10, ("%d: SSL[%d]: got handshake record of %d bytes",
-		 SSL_GETPID(), ss->fd, ss->gs.recordLen));
-
-    ss->handshake = 0;	/* makes ssl_Do1stHandshake call ss->nextHandshake.*/
-    return SECSuccess;
-}
-
-/************************************************************************/
-
-/* Called from ssl2_ServerSetupSessionCypher()
- *             ssl2_ClientSetupSessionCypher()
- */
-static SECStatus
-ssl2_FillInSID(sslSessionID * sid, 
-          int            cipher,
-	  PRUint8       *keyData, 
-	  int            keyLen,
-	  PRUint8       *ca, 
-	  int            caLen,
-	  int            keyBits, 
-	  int            secretKeyBits,
-	  SSLSignType    authAlgorithm,
-	  PRUint32       authKeyBits,
-	  SSLKEAType     keaType,
-	  PRUint32       keaKeyBits)
-{
-    PORT_Assert(sid->references == 1);
-    PORT_Assert(sid->cached == never_cached);
-    PORT_Assert(sid->u.ssl2.masterKey.data == 0);
-    PORT_Assert(sid->u.ssl2.cipherArg.data == 0);
-
-    sid->version = SSL_LIBRARY_VERSION_2;
-
-    sid->u.ssl2.cipherType = cipher;
-    sid->u.ssl2.masterKey.data = (PRUint8*) PORT_Alloc(keyLen);
-    if (!sid->u.ssl2.masterKey.data) {
-	return SECFailure;
-    }
-    PORT_Memcpy(sid->u.ssl2.masterKey.data, keyData, keyLen);
-    sid->u.ssl2.masterKey.len = keyLen;
-    sid->u.ssl2.keyBits       = keyBits;
-    sid->u.ssl2.secretKeyBits = secretKeyBits;
-    sid->authAlgorithm        = authAlgorithm;
-    sid->authKeyBits          = authKeyBits;
-    sid->keaType              = keaType;
-    sid->keaKeyBits           = keaKeyBits;
-    sid->lastAccessTime = sid->creationTime = ssl_Time();
-    sid->expirationTime = sid->creationTime + ssl_sid_timeout;
-
-    if (caLen) {
-	sid->u.ssl2.cipherArg.data = (PRUint8*) PORT_Alloc(caLen);
-	if (!sid->u.ssl2.cipherArg.data) {
-	    return SECFailure;
-	}
-	sid->u.ssl2.cipherArg.len = caLen;
-	PORT_Memcpy(sid->u.ssl2.cipherArg.data, ca, caLen);
-    }
-    return SECSuccess;
-}
-
-/*
-** Construct session keys given the masterKey (tied to the session-id),
-** the client's challenge and the server's nonce.
-**
-** Called from ssl2_CreateSessionCypher() <-
-*/
-static SECStatus
-ssl2_ProduceKeys(sslSocket *    ss, 
-            SECItem *      readKey, 
-	    SECItem *      writeKey,
-	    SECItem *      masterKey, 
-	    PRUint8 *      challenge,
-	    PRUint8 *      nonce, 
-	    int            cipherType)
-{
-    PK11Context * cx        = 0;
-    unsigned      nkm       = 0; /* number of hashes to generate key mat. */
-    unsigned      nkd       = 0; /* size of readKey and writeKey. */
-    unsigned      part;
-    unsigned      i;
-    unsigned      off;
-    SECStatus     rv;
-    PRUint8       countChar;
-    PRUint8       km[3*16];	/* buffer for key material. */
-
-    readKey->data = 0;
-    writeKey->data = 0;
-
-    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-
-    rv = SECSuccess;
-    cx = PK11_CreateDigestContext(SEC_OID_MD5);
-    if (cx == NULL) {
-	ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
-	return SECFailure;
-    }
-
-    nkm = ssl_Specs[cipherType].nkm;
-    nkd = ssl_Specs[cipherType].nkd;
-
-    readKey->data = (PRUint8*) PORT_Alloc(nkd);
-    if (!readKey->data) 
-    	goto loser;
-    readKey->len = nkd;
-
-    writeKey->data = (PRUint8*) PORT_Alloc(nkd);
-    if (!writeKey->data) 
-    	goto loser;
-    writeKey->len = nkd;
-
-    /* Produce key material */
-    countChar = '0';
-    for (i = 0, off = 0; i < nkm; i++, off += 16) {
-	rv  = PK11_DigestBegin(cx);
-	rv |= PK11_DigestOp(cx, masterKey->data, masterKey->len);
-	rv |= PK11_DigestOp(cx, &countChar,      1);
-	rv |= PK11_DigestOp(cx, challenge,       SSL_CHALLENGE_BYTES);
-	rv |= PK11_DigestOp(cx, nonce,           SSL_CONNECTIONID_BYTES);
-	rv |= PK11_DigestFinal(cx, km+off, &part, MD5_LENGTH);
-	if (rv != SECSuccess) {
-	    ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
-	    rv = SECFailure;
-	    goto loser;
-	}
-	countChar++;
-    }
-
-    /* Produce keys */
-    PORT_Memcpy(readKey->data,  km,       nkd);
-    PORT_Memcpy(writeKey->data, km + nkd, nkd);
-
-loser:
-    PK11_DestroyContext(cx, PR_TRUE);
-    return rv;
-}
-
-/* Called from ssl2_ServerSetupSessionCypher() 
-**                  <- ssl2_HandleClientSessionKeyMessage()
-**                          <- ssl2_HandleClientHelloMessage()
-** and from    ssl2_ClientSetupSessionCypher() 
-**                  <- ssl2_HandleServerHelloMessage()
-*/
-static SECStatus
-ssl2_CreateSessionCypher(sslSocket *ss, sslSessionID *sid, PRBool isClient)
-{
-    SECItem         * rk = NULL;
-    SECItem         * wk = NULL;
-    SECItem *         param;
-    SECStatus         rv;
-    int               cipherType  = sid->u.ssl2.cipherType;
-    PK11SlotInfo *    slot        = NULL;
-    CK_MECHANISM_TYPE mechanism;
-    SECItem           readKey;
-    SECItem           writeKey;
-
-    void *readcx = 0;
-    void *writecx = 0;
-    readKey.data = 0;
-    writeKey.data = 0;
-
-    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-    if((ss->sec.ci.sid == 0))
-    	goto sec_loser;	/* don't crash if asserts are off */
-
-    /* Trying to cut down on all these switch statements that should be tables.
-     * So, test cipherType once, here, and then use tables below. 
-     */
-    switch (cipherType) {
-    case SSL_CK_RC4_128_EXPORT40_WITH_MD5:
-    case SSL_CK_RC4_128_WITH_MD5:
-    case SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5:
-    case SSL_CK_RC2_128_CBC_WITH_MD5:
-    case SSL_CK_DES_64_CBC_WITH_MD5:
-    case SSL_CK_DES_192_EDE3_CBC_WITH_MD5:
-	break;
-
-    default:
-	SSL_DBG(("%d: SSL[%d]: ssl2_CreateSessionCypher: unknown cipher=%d",
-		 SSL_GETPID(), ss->fd, cipherType));
-	PORT_SetError(isClient ? SSL_ERROR_BAD_SERVER : SSL_ERROR_BAD_CLIENT);
-	goto sec_loser;
-    }
- 
-    rk = isClient ? &readKey  : &writeKey;
-    wk = isClient ? &writeKey : &readKey;
-
-    /* Produce the keys for this session */
-    rv = ssl2_ProduceKeys(ss, &readKey, &writeKey, &sid->u.ssl2.masterKey,
-		     ss->sec.ci.clientChallenge, ss->sec.ci.connectionID,
-		     cipherType);
-    if (rv != SECSuccess) 
-	goto loser;
-    PRINT_BUF(7, (ss, "Session read-key: ", rk->data, rk->len));
-    PRINT_BUF(7, (ss, "Session write-key: ", wk->data, wk->len));
-
-    PORT_Memcpy(ss->sec.ci.readKey, readKey.data, readKey.len);
-    PORT_Memcpy(ss->sec.ci.writeKey, writeKey.data, writeKey.len);
-    ss->sec.ci.keySize = readKey.len;
-
-    /* Setup the MAC */
-    rv = ssl2_CreateMAC(&ss->sec, rk, wk, cipherType);
-    if (rv != SECSuccess) 
-    	goto loser;
-
-    /* First create the session key object */
-    SSL_TRC(3, ("%d: SSL[%d]: using %s", SSL_GETPID(), ss->fd,
-	    ssl_cipherName[cipherType]));
-
-
-    mechanism  = ssl_Specs[cipherType].mechanism;
-
-    /* set destructer before we call loser... */
-    ss->sec.destroy = (void (*)(void*, PRBool)) PK11_DestroyContext;
-    slot = PK11_GetBestSlot(mechanism, ss->pkcs11PinArg);
-    if (slot == NULL)
-	goto loser;
-
-    param = PK11_ParamFromIV(mechanism, &sid->u.ssl2.cipherArg);
-    if (param == NULL)
-	goto loser;
-    readcx = PK11_CreateContextByRawKey(slot, mechanism, PK11_OriginUnwrap,
-					CKA_DECRYPT, rk, param,
-					ss->pkcs11PinArg);
-    SECITEM_FreeItem(param, PR_TRUE);
-    if (readcx == NULL)
-	goto loser;
-
-    /* build the client context */
-    param = PK11_ParamFromIV(mechanism, &sid->u.ssl2.cipherArg);
-    if (param == NULL)
-	goto loser;
-    writecx = PK11_CreateContextByRawKey(slot, mechanism, PK11_OriginUnwrap,
-					 CKA_ENCRYPT, wk, param,
-					 ss->pkcs11PinArg);
-    SECITEM_FreeItem(param,PR_TRUE);
-    if (writecx == NULL)
-	goto loser;
-    PK11_FreeSlot(slot);
-
-    rv = SECSuccess;
-    ss->sec.enc           = (SSLCipher) PK11_CipherOp;
-    ss->sec.dec           = (SSLCipher) PK11_CipherOp;
-    ss->sec.readcx        = (void *) readcx;
-    ss->sec.writecx       = (void *) writecx;
-    ss->sec.blockSize     = ssl_Specs[cipherType].blockSize;
-    ss->sec.blockShift    = ssl_Specs[cipherType].blockShift;
-    ss->sec.cipherType    = sid->u.ssl2.cipherType;
-    ss->sec.keyBits       = sid->u.ssl2.keyBits;
-    ss->sec.secretKeyBits = sid->u.ssl2.secretKeyBits;
-    goto done;
-
-  loser:
-    if (ss->sec.destroy) {
-	if (readcx)  (*ss->sec.destroy)(readcx, PR_TRUE);
-	if (writecx) (*ss->sec.destroy)(writecx, PR_TRUE);
-    }
-    ss->sec.destroy = NULL;
-    if (slot) PK11_FreeSlot(slot);
-
-  sec_loser:
-    rv = SECFailure;
-
-  done:
-    if (rk) {
-	SECITEM_ZfreeItem(rk, PR_FALSE);
-    }
-    if (wk) {
-	SECITEM_ZfreeItem(wk, PR_FALSE);
-    }
-    return rv;
-}
-
-/*
-** Setup the server ciphers given information from a CLIENT-MASTER-KEY
-** message.
-** 	"ss"      pointer to the ssl-socket object
-** 	"cipher"  the cipher type to use
-** 	"keyBits" the size of the final cipher key
-** 	"ck"      the clear-key data
-** 	"ckLen"   the number of bytes of clear-key data
-** 	"ek"      the encrypted-key data
-** 	"ekLen"   the number of bytes of encrypted-key data
-** 	"ca"      the cipher-arg data
-** 	"caLen"   the number of bytes of cipher-arg data
-**
-** The MASTER-KEY is constructed by first decrypting the encrypted-key
-** data. This produces the SECRET-KEY-DATA. The MASTER-KEY is composed by
-** concatenating the clear-key data with the SECRET-KEY-DATA. This code
-** checks to make sure that the client didn't send us an improper amount
-** of SECRET-KEY-DATA (it restricts the length of that data to match the
-** spec).
-**
-** Called from ssl2_HandleClientSessionKeyMessage().
-*/
-static SECStatus
-ssl2_ServerSetupSessionCypher(sslSocket *ss, int cipher, unsigned int keyBits,
-			 PRUint8 *ck, unsigned int ckLen,
-			 PRUint8 *ek, unsigned int ekLen,
-			 PRUint8 *ca, unsigned int caLen)
-{
-    PRUint8           *kk = NULL;
-    sslSessionID *    sid;
-    PRUint8       *   kbuf = 0;	/* buffer for RSA decrypted data. */
-    unsigned int      el1;	/* length of RSA decrypted data in kbuf */
-    unsigned int      keySize;
-    unsigned int      modulusLen;
-    SECStatus         rv;
-    PRUint8           mkbuf[SSL_MAX_MASTER_KEY_BYTES];
-    sslServerCerts  * sc = ss->serverCerts + kt_rsa;
-
-    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss)   );
-    PORT_Assert((sc->SERVERKEY != 0));
-    PORT_Assert((ss->sec.ci.sid != 0));
-    sid = ss->sec.ci.sid;
-
-    keySize = (keyBits + 7) >> 3;
-    /* Is the message just way too big? */
-    if (keySize > SSL_MAX_MASTER_KEY_BYTES) {
-	/* bummer */
-	SSL_DBG(("%d: SSL[%d]: keySize=%d ckLen=%d max session key size=%d",
-		 SSL_GETPID(), ss->fd, keySize, ckLen,
-		 SSL_MAX_MASTER_KEY_BYTES));
-	PORT_SetError(SSL_ERROR_BAD_CLIENT);
-	goto loser;
-    }
-
-
-    /* Trying to cut down on all these switch statements that should be tables.
-     * So, test cipherType once, here, and then use tables below. 
-     */
-    switch (cipher) {
-    case SSL_CK_RC4_128_EXPORT40_WITH_MD5:
-    case SSL_CK_RC4_128_WITH_MD5:
-    case SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5:
-    case SSL_CK_RC2_128_CBC_WITH_MD5:
-    case SSL_CK_DES_64_CBC_WITH_MD5:
-    case SSL_CK_DES_192_EDE3_CBC_WITH_MD5:
-	break;
-
-    default:
-	SSL_DBG(("%d: SSL[%d]: ssl2_ServerSetupSessionCypher: unknown cipher=%d",
-		 SSL_GETPID(), ss->fd, cipher));
-	PORT_SetError(SSL_ERROR_BAD_CLIENT);
-	goto loser;
-    }
-
-    /* For export ciphers, make sure they didn't send too much key data. */
-    if (ckLen != ssl_Specs[cipher].pubLen) {
-	SSL_DBG(("%d: SSL[%d]: odd secret key size, keySize=%d ckLen=%d!",
-		 SSL_GETPID(), ss->fd, keySize, ckLen));
-	/* Somebody tried to sneak by a strange secret key */
-	PORT_SetError(SSL_ERROR_BAD_CLIENT);
-	goto loser;
-    }
-
-    /* allocate the buffer to hold the decrypted portion of the key. */
-    /* XXX Haven't done any range check on ekLen. */
-    kbuf = (PRUint8*) PORT_Alloc(ekLen);
-    if (!kbuf) {
-	goto loser;
-    }
-
-    /*
-    ** Decrypt encrypted half of the key. Note that encrypted half has
-    ** been made to match the modulus size of our public key using
-    ** PKCS#1. keySize is the real size of the data that is interesting.
-    ** NOTE: PK11_PubDecryptRaw will barf on a non-RSA key. This is
-    ** desired behavior here.
-    */
-    rv = PK11_PubDecryptRaw(sc->SERVERKEY, kbuf, &el1, ekLen, ek, ekLen);
-    if (rv != SECSuccess) 
-	goto hide_loser;
-
-    modulusLen = PK11_GetPrivateModulusLen(sc->SERVERKEY);
-    if (modulusLen == -1) {
-	/* If the key was really bad, then PK11_pubDecryptRaw
-	 * would have failed, therefore the we must assume that the card
-	 * is just being a pain and not giving us the modulus... but it
-	 * should be the same size as the encrypted key length, so use it
-	 * and keep cranking */
-	modulusLen = ekLen;
-    }
-    /* Is the length of the decrypted data (el1) the expected value? */
-    if (modulusLen != el1) 
-	goto hide_loser;
-
-    /* Cheaply verify that PKCS#1 was used to format the encryption block */
-    kk = kbuf + modulusLen - (keySize - ckLen);
-    if ((kbuf[0] != 0x00) || (kbuf[1] != 0x02) || (kk[-1] != 0x00)) {
-	/* Tsk tsk. */
-	SSL_DBG(("%d: SSL[%d]: strange encryption block",
-		 SSL_GETPID(), ss->fd));
-	PORT_SetError(SSL_ERROR_BAD_CLIENT);
-	goto hide_loser;
-    }
-
-    /* Make sure we're not subject to a version rollback attack. */
-    if (ss->opt.enableSSL3 || ss->opt.enableTLS) {
-	PRUint8 threes[8] = { 0x03, 0x03, 0x03, 0x03,
-			      0x03, 0x03, 0x03, 0x03 };
-	
-	if (PORT_Memcmp(kk - 8 - 1, threes, 8) == 0) {
-	    PORT_SetError(SSL_ERROR_BAD_CLIENT);
-	    goto hide_loser;
-	}
-    }
-    if (0) {
-hide_loser:
-	/* Defense against the Bleichenbacher attack.
-	 * Provide the client with NO CLUES that the decrypted master key
-	 * was erroneous.  Don't send any error messages.
-	 * Instead, Generate a completely bogus master key .
-	 */
-	PK11_GenerateRandom(kbuf, ekLen);
-	if (!kk) {
-	    kk = kbuf + ekLen - (keySize-ckLen);
-	}
-    }
-
-    /*
-    ** Construct master key out of the pieces.
-    */
-    if (ckLen) {
-	PORT_Memcpy(mkbuf, ck, ckLen);
-    }
-    PORT_Memcpy(mkbuf+ckLen, kk, keySize-ckLen);
-
-    /* Fill in session-id */
-    rv = ssl2_FillInSID(sid, cipher, mkbuf, keySize, ca, caLen,
-		   keyBits, keyBits - (ckLen<<3),
-		   ss->sec.authAlgorithm, ss->sec.authKeyBits,
-		   ss->sec.keaType,       ss->sec.keaKeyBits);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-
-    /* Create session ciphers */
-    rv = ssl2_CreateSessionCypher(ss, sid, PR_FALSE);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-
-    SSL_TRC(1, ("%d: SSL[%d]: server, using %s cipher, clear=%d total=%d",
-		SSL_GETPID(), ss->fd, ssl_cipherName[cipher],
-		ckLen<<3, keySize<<3));
-    rv = SECSuccess;
-    goto done;
-
-  loser:
-    rv = SECFailure;
-
-  done:
-    PORT_Free(kbuf);
-    return rv;
-}
-
-/************************************************************************/
-
-/*
-** Rewrite the incoming cipher specs, comparing to list of specs we support,
-** (ss->cipherSpecs) and eliminating anything we don't support
-**
-*  Note: Our list may contain SSL v3 ciphers.  
-*  We MUST NOT match on any of those.  
-*  Fortunately, this is easy to detect because SSLv3 ciphers have zero
-*  in the first byte, and none of the SSLv2 ciphers do.
-*
-*  Called from ssl2_HandleClientHelloMessage().
-*/
-static int
-ssl2_QualifyCypherSpecs(sslSocket *ss, 
-                        PRUint8 *  cs, /* cipher specs in client hello msg. */
-		        int        csLen)
-{
-    PRUint8 *    ms;
-    PRUint8 *    hs;
-    PRUint8 *    qs;
-    int          mc;
-    int          hc;
-    PRUint8      qualifiedSpecs[ssl2_NUM_SUITES_IMPLEMENTED * 3];
-
-    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss)   );
-
-    if (!ss->cipherSpecs) {
-	ssl2_ConstructCipherSpecs(ss);
-    }
-
-    PRINT_BUF(10, (ss, "specs from client:", cs, csLen));
-    qs = qualifiedSpecs;
-    ms = ss->cipherSpecs;
-    for (mc = ss->sizeCipherSpecs; mc > 0; mc -= 3, ms += 3) {
-	if (ms[0] == 0)
-	    continue;
-	for (hs = cs, hc = csLen; hc > 0; hs += 3, hc -= 3) {
-	    if ((hs[0] == ms[0]) &&
-		(hs[1] == ms[1]) &&
-		(hs[2] == ms[2])) {
-		/* Copy this cipher spec into the "keep" section */
-		qs[0] = hs[0];
-		qs[1] = hs[1];
-		qs[2] = hs[2];
-		qs   += 3;
-		break;
-	    }
-	}
-    }
-    hc = qs - qualifiedSpecs;
-    PRINT_BUF(10, (ss, "qualified specs from client:", qualifiedSpecs, hc));
-    PORT_Memcpy(cs, qualifiedSpecs, hc);
-    return hc;
-}
-
-/*
-** Pick the best cipher we can find, given the array of server cipher
-** specs.  Returns cipher number (e.g. SSL_CK_*), or -1 for no overlap.
-** If succesful, stores the master key size (bytes) in *pKeyLen.
-**
-** This is correct only for the client side, but presently
-** this function is only called from 
-**	ssl2_ClientSetupSessionCypher() <- ssl2_HandleServerHelloMessage()
-**
-** Note that most servers only return a single cipher suite in their 
-** ServerHello messages.  So, the code below for finding the "best" cipher
-** suite usually has only one choice.  The client and server should send 
-** their cipher suite lists sorted in descending order by preference.
-*/
-static int
-ssl2_ChooseSessionCypher(sslSocket *ss, 
-                         int        hc,    /* number of cs's in hs. */
-		         PRUint8 *  hs,    /* server hello's cipher suites. */
-		         int *      pKeyLen) /* out: sym key size in bytes. */
-{
-    PRUint8 *       ms;
-    unsigned int    i;
-    int             bestKeySize;
-    int             bestRealKeySize;
-    int             bestCypher;
-    int             keySize;
-    int             realKeySize;
-    PRUint8 *       ohs               = hs;
-
-    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss)   );
-
-    if (!ss->cipherSpecs) {
-	ssl2_ConstructCipherSpecs(ss);
-    }
-
-    if (!ss->preferredCipher) {
-	const PRUint8 * preferred = implementedCipherSuites;
-    	unsigned int    allowed = ss->allowedByPolicy & ss->chosenPreference &
-	                       SSL_CB_IMPLEMENTED;
-	if (allowed) {
-	    for (i = ssl2_NUM_SUITES_IMPLEMENTED; i > 0; --i) {
-		if (0 != (allowed & (1U << preferred[0]))) {
-		    ss->preferredCipher = preferred;
-		    break;
-		}
-		preferred += 3;
-	    }
-	}
-    }
-    /*
-    ** Scan list of ciphers recieved from peer and look for a match in
-    ** our list.  
-    *  Note: Our list may contain SSL v3 ciphers.  
-    *  We MUST NOT match on any of those.  
-    *  Fortunately, this is easy to detect because SSLv3 ciphers have zero
-    *  in the first byte, and none of the SSLv2 ciphers do.
-    */
-    bestKeySize = bestRealKeySize = 0;
-    bestCypher = -1;
-    while (--hc >= 0) {
-	for (i = 0, ms = ss->cipherSpecs; i < ss->sizeCipherSpecs; i += 3, ms += 3) {
-	    if ((hs[0] == ss->preferredCipher[0]) &&
-		(hs[1] == ss->preferredCipher[1]) &&
-		(hs[2] == ss->preferredCipher[2]) &&
-		 hs[0] != 0) {
-		/* Pick this cipher immediately! */
-		*pKeyLen = (((hs[1] << 8) | hs[2]) + 7) >> 3;
-		return hs[0];
-	    }
-	    if ((hs[0] == ms[0]) && (hs[1] == ms[1]) && (hs[2] == ms[2]) &&
-	         hs[0] != 0) {
-		/* Found a match */
-
-		/* Use secret keySize to determine which cipher is best */
-		realKeySize = (hs[1] << 8) | hs[2];
-		switch (hs[0]) {
-		  case SSL_CK_RC4_128_EXPORT40_WITH_MD5:
-		  case SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5:
-		    keySize = 40;
-		    break;
-		  default:
-		    keySize = realKeySize;
-		    break;
-		}
-		if (keySize > bestKeySize) {
-		    bestCypher = hs[0];
-		    bestKeySize = keySize;
-		    bestRealKeySize = realKeySize;
-		}
-	    }
-	}
-	hs += 3;
-    }
-    if (bestCypher < 0) {
-	/*
-	** No overlap between server and client. Re-examine server list
-	** to see what kind of ciphers it does support so that we can set
-	** the error code appropriately.
-	*/
-	if ((ohs[0] == SSL_CK_RC4_128_WITH_MD5) ||
-	    (ohs[0] == SSL_CK_RC2_128_CBC_WITH_MD5)) {
-	    PORT_SetError(SSL_ERROR_US_ONLY_SERVER);
-	} else if ((ohs[0] == SSL_CK_RC4_128_EXPORT40_WITH_MD5) ||
-		   (ohs[0] == SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5)) {
-	    PORT_SetError(SSL_ERROR_EXPORT_ONLY_SERVER);
-	} else {
-	    PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
-	}
-	SSL_DBG(("%d: SSL[%d]: no cipher overlap", SSL_GETPID(), ss->fd));
-	goto loser;
-    }
-    *pKeyLen = (bestRealKeySize + 7) >> 3;
-    return bestCypher;
-
-  loser:
-    return -1;
-}
-
-static SECStatus
-ssl2_ClientHandleServerCert(sslSocket *ss, PRUint8 *certData, int certLen)
-{
-    CERTCertificate *cert      = NULL;
-    SECItem          certItem;
-
-    certItem.data = certData;
-    certItem.len  = certLen;
-
-    /* decode the certificate */
-    cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
-				   PR_FALSE, PR_TRUE);
-    
-    if (cert == NULL) {
-	SSL_DBG(("%d: SSL[%d]: decode of server certificate fails",
-		 SSL_GETPID(), ss->fd));
-	PORT_SetError(SSL_ERROR_BAD_CERTIFICATE);
-	return SECFailure;
-    }
-
-#ifdef TRACE
-    {
-	if (ssl_trace >= 1) {
-	    char *issuer;
-	    char *subject;
-	    issuer = CERT_NameToAscii(&cert->issuer);
-	    subject = CERT_NameToAscii(&cert->subject);
-	    SSL_TRC(1,("%d: server certificate issuer: '%s'",
-		       SSL_GETPID(), issuer ? issuer : "OOPS"));
-	    SSL_TRC(1,("%d: server name: '%s'",
-		       SSL_GETPID(), subject ? subject : "OOPS"));
-	    PORT_Free(issuer);
-	    PORT_Free(subject);
-	}
-    }
-#endif
-
-    ss->sec.peerCert = cert;
-    return SECSuccess;
-}
-
-
-/*
- * Format one block of data for public/private key encryption using
- * the rules defined in PKCS #1. SSL2 does this itself to handle the
- * rollback detection.
- */
-#define RSA_BLOCK_MIN_PAD_LEN           8
-#define RSA_BLOCK_FIRST_OCTET           0x00
-#define RSA_BLOCK_AFTER_PAD_OCTET       0x00
-#define RSA_BLOCK_PUBLIC_OCTET       	0x02
-unsigned char *
-ssl_FormatSSL2Block(unsigned modulusLen, SECItem *data)
-{
-    unsigned char *block;
-    unsigned char *bp;
-    int padLen;
-    SECStatus rv;
-    int i;
-
-    PORT_Assert (data->len <= (modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN)));
-    block = (unsigned char *) PORT_Alloc(modulusLen);
-    if (block == NULL)
-	return NULL;
-
-    bp = block;
-
-    /*
-     * All RSA blocks start with two octets:
-     *	0x00 || BlockType
-     */
-    *bp++ = RSA_BLOCK_FIRST_OCTET;
-    *bp++ = RSA_BLOCK_PUBLIC_OCTET;
-
-    /*
-     * 0x00 || BT || Pad || 0x00 || ActualData
-     *   1      1   padLen    1      data->len
-     * Pad is all non-zero random bytes.
-     */
-    padLen = modulusLen - data->len - 3;
-    PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
-    rv = PK11_GenerateRandom(bp, padLen);
-    if (rv == SECFailure) goto loser;
-    /* replace all the 'zero' bytes */
-    for (i = 0; i < padLen; i++) {
-	while (bp[i] == RSA_BLOCK_AFTER_PAD_OCTET) {
-    	    rv = PK11_GenerateRandom(bp+i, 1);
-	    if (rv == SECFailure) goto loser;
-	}
-    }
-    bp += padLen;
-    *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
-    PORT_Memcpy (bp, data->data, data->len);
-
-    return block;
-loser:
-    if (block) PORT_Free(block);
-    return NULL;
-}
-
-/*
-** Given the server's public key and cipher specs, generate a session key
-** that is ready to use for encrypting/decrypting the byte stream. At
-** the same time, generate the SSL_MT_CLIENT_MASTER_KEY message and
-** send it to the server.
-**
-** Called from ssl2_HandleServerHelloMessage()
-*/
-static SECStatus
-ssl2_ClientSetupSessionCypher(sslSocket *ss, PRUint8 *cs, int csLen)
-{
-    sslSessionID *    sid;
-    PRUint8 *         ca;	/* points to iv data, or NULL if none. */
-    PRUint8 *         ekbuf 		= 0;
-    CERTCertificate * cert 		= 0;
-    SECKEYPublicKey * serverKey 	= 0;
-    unsigned          modulusLen 	= 0;
-    SECStatus         rv;
-    int               cipher;
-    int               keyLen;	/* cipher symkey size in bytes. */
-    int               ckLen;	/* publicly reveal this many bytes of key. */
-    int               caLen;	/* length of IV data at *ca.	*/
-    int               nc;
-
-    unsigned char *eblock;	/* holds unencrypted PKCS#1 formatted key. */
-    SECItem           rek;	/* holds portion of symkey to be encrypted. */
-
-    PRUint8           keyData[SSL_MAX_MASTER_KEY_BYTES];
-    PRUint8           iv     [8];
-
-    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-
-    eblock = NULL;
-
-    sid = ss->sec.ci.sid;
-    PORT_Assert(sid != 0);
-
-    cert = ss->sec.peerCert;
-    
-    serverKey = CERT_ExtractPublicKey(cert);
-    if (!serverKey) {
-	SSL_DBG(("%d: SSL[%d]: extract public key failed: error=%d",
-		 SSL_GETPID(), ss->fd, PORT_GetError()));
-	PORT_SetError(SSL_ERROR_BAD_CERTIFICATE);
-	rv = SECFailure;
-	goto loser2;
-    }
-
-    ss->sec.authAlgorithm = ssl_sign_rsa;
-    ss->sec.keaType       = ssl_kea_rsa;
-    ss->sec.keaKeyBits    = \
-    ss->sec.authKeyBits   = SECKEY_PublicKeyStrengthInBits(serverKey);
-
-    /* Choose a compatible cipher with the server */
-    nc = csLen / 3;
-    cipher = ssl2_ChooseSessionCypher(ss, nc, cs, &keyLen);
-    if (cipher < 0) {
-	/* ssl2_ChooseSessionCypher has set error code. */
-	ssl2_SendErrorMessage(ss, SSL_PE_NO_CYPHERS);
-	goto loser;
-    }
-
-    /* Generate the random keys */
-    PK11_GenerateRandom(keyData, sizeof(keyData));
-
-    /*
-    ** Next, carve up the keys into clear and encrypted portions. The
-    ** clear data is taken from the start of keyData and the encrypted
-    ** portion from the remainder. Note that each of these portions is
-    ** carved in half, one half for the read-key and one for the
-    ** write-key.
-    */
-    ca = 0;
-
-    /* We know that cipher is a legit value here, because 
-     * ssl2_ChooseSessionCypher doesn't return bogus values.
-     */
-    ckLen = ssl_Specs[cipher].pubLen;	/* cleartext key length. */
-    caLen = ssl_Specs[cipher].ivLen;	/* IV length.		*/
-    if (caLen) {
-	PORT_Assert(sizeof iv >= caLen);
-    	PK11_GenerateRandom(iv, caLen);
-	ca = iv;
-    }
-
-    /* Fill in session-id */
-    rv = ssl2_FillInSID(sid, cipher, keyData, keyLen,
-		   ca, caLen, keyLen << 3, (keyLen - ckLen) << 3,
-		   ss->sec.authAlgorithm, ss->sec.authKeyBits,
-		   ss->sec.keaType,       ss->sec.keaKeyBits);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-
-    SSL_TRC(1, ("%d: SSL[%d]: client, using %s cipher, clear=%d total=%d",
-		SSL_GETPID(), ss->fd, ssl_cipherName[cipher],
-		ckLen<<3, keyLen<<3));
-
-    /* Now setup read and write ciphers */
-    rv = ssl2_CreateSessionCypher(ss, sid, PR_TRUE);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-
-    /*
-    ** Fill in the encryption buffer with some random bytes. Then 
-    ** copy in the portion of the session key we are encrypting.
-    */
-    modulusLen = SECKEY_PublicKeyStrength(serverKey);
-    rek.data   = keyData + ckLen;
-    rek.len    = keyLen  - ckLen;
-    eblock = ssl_FormatSSL2Block(modulusLen, &rek);
-    if (eblock == NULL) 
-    	goto loser;
-
-    /* Set up the padding for version 2 rollback detection. */
-    /* XXX We should really use defines here */
-    if (ss->opt.enableSSL3 || ss->opt.enableTLS) {
-	PORT_Assert((modulusLen - rek.len) > 12);
-	PORT_Memset(eblock + modulusLen - rek.len - 8 - 1, 0x03, 8);
-    }
-    ekbuf = (PRUint8*) PORT_Alloc(modulusLen);
-    if (!ekbuf) 
-	goto loser;
-    PRINT_BUF(10, (ss, "master key encryption block:",
-		   eblock, modulusLen));
-
-    /* Encrypt ekitem */
-    rv = PK11_PubEncryptRaw(serverKey, ekbuf, eblock, modulusLen,
-						ss->pkcs11PinArg);
-    if (rv) 
-    	goto loser;
-
-    /*  Now we have everything ready to send */
-    rv = ssl2_SendSessionKeyMessage(ss, cipher, keyLen << 3, ca, caLen,
-			       keyData, ckLen, ekbuf, modulusLen);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-    rv = SECSuccess;
-    goto done;
-
-  loser:
-    rv = SECFailure;
-
-  loser2:
-  done:
-    PORT_Memset(keyData, 0, sizeof(keyData));
-    PORT_ZFree(ekbuf, modulusLen);
-    PORT_ZFree(eblock, modulusLen);
-    SECKEY_DestroyPublicKey(serverKey);
-    return rv;
-}
-
-/************************************************************************/
-
-/* 
- * Called from ssl2_HandleMessage in response to SSL_MT_SERVER_FINISHED message.
- * Caller holds recvBufLock and handshakeLock
- */
-static void
-ssl2_ClientRegSessionID(sslSocket *ss, PRUint8 *s)
-{
-    sslSessionID *sid = ss->sec.ci.sid;
-
-    /* Record entry in nonce cache */
-    if (sid->peerCert == NULL) {
-	PORT_Memcpy(sid->u.ssl2.sessionID, s, sizeof(sid->u.ssl2.sessionID));
-	sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
-
-    }
-    if (!ss->opt.noCache)
-	(*ss->sec.cache)(sid);
-}
-
-/* Called from ssl2_HandleMessage() */
-static SECStatus
-ssl2_TriggerNextMessage(sslSocket *ss)
-{
-    SECStatus        rv;
-
-    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-
-    if ((ss->sec.ci.requiredElements & CIS_HAVE_CERTIFICATE) &&
-	!(ss->sec.ci.sentElements & CIS_HAVE_CERTIFICATE)) {
-	ss->sec.ci.sentElements |= CIS_HAVE_CERTIFICATE;
-	rv = ssl2_SendCertificateRequestMessage(ss);
-	return rv;
-    }
-    return SECSuccess;
-}
-
-/* See if it's time to send our finished message, or if the handshakes are
-** complete.  Send finished message if appropriate.
-** Returns SECSuccess unless anything goes wrong.
-**
-** Called from ssl2_HandleMessage,
-**             ssl2_HandleVerifyMessage 
-**             ssl2_HandleServerHelloMessage
-**             ssl2_HandleClientSessionKeyMessage
-**             ssl2_RestartHandshakeAfterCertReq
-**             ssl2_RestartHandshakeAfterServerCert
-*/
-static SECStatus
-ssl2_TryToFinish(sslSocket *ss)
-{
-    SECStatus        rv;
-    char             e, ef;
-
-    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-
-    e = ss->sec.ci.elements;
-    ef = e | CIS_HAVE_FINISHED;
-    if ((ef & ss->sec.ci.requiredElements) == ss->sec.ci.requiredElements) {
-	if (ss->sec.isServer) {
-	    /* Send server finished message if we already didn't */
-	    rv = ssl2_SendServerFinishedMessage(ss);
-	} else {
-	    /* Send client finished message if we already didn't */
-	    rv = ssl2_SendClientFinishedMessage(ss);
-	}
-	if (rv != SECSuccess) {
-	    return rv;
-	}
-	if ((e & ss->sec.ci.requiredElements) == ss->sec.ci.requiredElements) {
-	    /* Totally finished */
-	    ss->handshake = 0;
-	    return SECSuccess;
-	}
-    }
-    return SECSuccess;
-}
-
-/*
-** Called from ssl2_HandleRequestCertificate
-**             ssl2_RestartHandshakeAfterCertReq
-*/
-static SECStatus
-ssl2_SignResponse(sslSocket *ss,
-	     SECKEYPrivateKey *key,
-	     SECItem *response)
-{
-    SGNContext *     sgn = NULL;
-    PRUint8 *        challenge;
-    unsigned int     len;
-    SECStatus        rv		= SECFailure;
-    
-    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-
-    challenge = ss->sec.ci.serverChallenge;
-    len = ss->sec.ci.serverChallengeLen;
-    
-    /* Sign the expected data... */
-    sgn = SGN_NewContext(SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION,key);
-    if (!sgn) 
-    	goto done;
-    rv = SGN_Begin(sgn);
-    if (rv != SECSuccess) 
-    	goto done;
-    rv = SGN_Update(sgn, ss->sec.ci.readKey, ss->sec.ci.keySize);
-    if (rv != SECSuccess) 
-    	goto done;
-    rv = SGN_Update(sgn, ss->sec.ci.writeKey, ss->sec.ci.keySize);
-    if (rv != SECSuccess) 
-    	goto done;
-    rv = SGN_Update(sgn, challenge, len);
-    if (rv != SECSuccess) 
-    	goto done;
-    rv = SGN_Update(sgn, ss->sec.peerCert->derCert.data, 
-                         ss->sec.peerCert->derCert.len);
-    if (rv != SECSuccess) 
-    	goto done;
-    rv = SGN_End(sgn, response);
-    if (rv != SECSuccess) 
-    	goto done;
-
-done:
-    SGN_DestroyContext(sgn, PR_TRUE);
-    return rv == SECSuccess ? SECSuccess : SECFailure;
-}
-
-/*
-** Try to handle a request-certificate message. Get client's certificate
-** and private key and sign a message for the server to see.
-** Caller must hold handshakeLock 
-**
-** Called from ssl2_HandleMessage().
-*/
-static int
-ssl2_HandleRequestCertificate(sslSocket *ss)
-{
-    CERTCertificate * cert	= NULL;	/* app-selected client cert. */
-    SECKEYPrivateKey *key	= NULL;	/* priv key for cert. */
-    SECStatus         rv;
-    SECItem           response;
-    int               ret	= 0;
-    PRUint8           authType;
-
-
-    /*
-     * These things all need to be initialized before we can "goto loser".
-     */
-    response.data = NULL;
-
-    /* get challenge info from connectionInfo */
-    authType = ss->sec.ci.authType;
-
-    if (authType != SSL_AT_MD5_WITH_RSA_ENCRYPTION) {
-	SSL_TRC(7, ("%d: SSL[%d]: unsupported auth type 0x%x", SSL_GETPID(),
-		    ss->fd, authType));
-	goto no_cert_error;
-    }
-
-    /* Get certificate and private-key from client */
-    if (!ss->getClientAuthData) {
-	SSL_TRC(7, ("%d: SSL[%d]: client doesn't support client-auth",
-		    SSL_GETPID(), ss->fd));
-	goto no_cert_error;
-    }
-    ret = (*ss->getClientAuthData)(ss->getClientAuthDataArg, ss->fd,
-				   NULL, &cert, &key);
-    if ( ret == SECWouldBlock ) {
-	ssl_SetAlwaysBlock(ss);
-	goto done;
-    }
-
-    if (ret) {
-	goto no_cert_error;
-    }
-
-    /* check what the callback function returned */
-    if ((!cert) || (!key)) {
-        /* we are missing either the key or cert */
-        if (cert) {
-            /* got a cert, but no key - free it */
-            CERT_DestroyCertificate(cert);
-            cert = NULL;
-        }
-        if (key) {
-            /* got a key, but no cert - free it */
-            SECKEY_DestroyPrivateKey(key);
-            key = NULL;
-        }
-        goto no_cert_error;
-    }
-
-    rv = ssl2_SignResponse(ss, key, &response);
-    if ( rv != SECSuccess ) {
-	ret = -1;
-	goto loser;
-    }
-
-    /* Send response message */
-    ret = ssl2_SendCertificateResponseMessage(ss, &cert->derCert, &response);
-
-    /* Now, remember the cert we sent. But first, forget any previous one. */
-    if (ss->sec.localCert) {
-	CERT_DestroyCertificate(ss->sec.localCert);
-    }
-    ss->sec.localCert = CERT_DupCertificate(cert);
-    PORT_Assert(!ss->sec.ci.sid->localCert);
-    if (ss->sec.ci.sid->localCert) {
-	CERT_DestroyCertificate(ss->sec.ci.sid->localCert);
-    }
-    ss->sec.ci.sid->localCert = cert;
-    cert = NULL;
-
-    goto done;
-
-  no_cert_error:
-    SSL_TRC(7, ("%d: SSL[%d]: no certificate (ret=%d)", SSL_GETPID(),
-		ss->fd, ret));
-    ret = ssl2_SendErrorMessage(ss, SSL_PE_NO_CERTIFICATE);
-
-  loser:
-  done:
-    if ( cert ) {
-	CERT_DestroyCertificate(cert);
-    }
-    if ( key ) {
-	SECKEY_DestroyPrivateKey(key);
-    }
-    if ( response.data ) {
-	PORT_Free(response.data);
-    }
-    
-    return ret;
-}
-
-/*
-** Called from ssl2_HandleMessage for SSL_MT_CLIENT_CERTIFICATE message.
-** Caller must hold HandshakeLock and RecvBufLock, since cd and response
-** are contained in the gathered input data.
-*/
-static SECStatus
-ssl2_HandleClientCertificate(sslSocket *    ss, 
-                             PRUint8        certType,	/* XXX unused */
-			     PRUint8 *      cd, 
-			     unsigned int   cdLen,
-			     PRUint8 *      response,
-			     unsigned int   responseLen)
-{
-    CERTCertificate *cert	= NULL;
-    SECKEYPublicKey *pubKey	= NULL;
-    VFYContext *     vfy	= NULL;
-    SECItem *        derCert;
-    SECStatus        rv		= SECFailure;
-    SECItem          certItem;
-    SECItem          rep;
-
-    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss)   );
-
-    /* Extract the certificate */
-    certItem.data = cd;
-    certItem.len  = cdLen;
-
-    cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
-			 	   PR_FALSE, PR_TRUE);
-    if (cert == NULL) {
-	goto loser;
-    }
-
-    /* save the certificate, since the auth routine will need it */
-    ss->sec.peerCert = cert;
-
-    /* Extract the public key */
-    pubKey = CERT_ExtractPublicKey(cert);
-    if (!pubKey) 
-    	goto loser;
-    
-    /* Verify the response data... */
-    rep.data = response;
-    rep.len = responseLen;
-    /* SSL 2.0 only supports RSA certs, so we don't have to worry about
-     * DSA here. */
-    vfy = VFY_CreateContext(pubKey, &rep, SEC_OID_PKCS1_RSA_ENCRYPTION,
-			    ss->pkcs11PinArg);
-    if (!vfy) 
-    	goto loser;
-    rv = VFY_Begin(vfy);
-    if (rv) 
-    	goto loser;
-
-    rv = VFY_Update(vfy, ss->sec.ci.readKey, ss->sec.ci.keySize);
-    if (rv) 
-    	goto loser;
-    rv = VFY_Update(vfy, ss->sec.ci.writeKey, ss->sec.ci.keySize);
-    if (rv) 
-    	goto loser;
-    rv = VFY_Update(vfy, ss->sec.ci.serverChallenge, SSL_CHALLENGE_BYTES);
-    if (rv) 
-    	goto loser;
-
-    derCert = &ss->serverCerts[kt_rsa].serverCert->derCert;
-    rv = VFY_Update(vfy, derCert->data, derCert->len);
-    if (rv) 
-    	goto loser;
-    rv = VFY_End(vfy);
-    if (rv) 
-    	goto loser;
-
-    /* Now ask the server application if it likes the certificate... */
-    rv = (SECStatus) (*ss->authCertificate)(ss->authCertificateArg,
-					    ss->fd, PR_TRUE, PR_TRUE);
-    /* Hey, it liked it. */
-    if (SECSuccess == rv) 
-	goto done;
-
-loser:
-    ss->sec.peerCert = NULL;
-    CERT_DestroyCertificate(cert);
-
-done:
-    VFY_DestroyContext(vfy, PR_TRUE);
-    SECKEY_DestroyPublicKey(pubKey);
-    return rv;
-}
-
-/*
-** Handle remaining messages between client/server. Process finished
-** messages from either side and any authentication requests.
-** This should only be called for SSLv2 handshake messages, 
-** not for application data records.
-** Caller must hold handshake lock.
-**
-** Called from ssl_Do1stHandshake().
-** 
-*/
-static SECStatus
-ssl2_HandleMessage(sslSocket *ss)
-{
-    PRUint8 *        data;
-    PRUint8 *        cid;
-    unsigned         len, certType, certLen, responseLen;
-    int              rv;
-    int              rv2;
-
-    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-
-    ssl_GetRecvBufLock(ss);
-
-    data = ss->gs.buf.buf + ss->gs.recordOffset;
-
-    if (ss->gs.recordLen < 1) {
-	goto bad_peer;
-    }
-    SSL_TRC(3, ("%d: SSL[%d]: received %d message",
-		SSL_GETPID(), ss->fd, data[0]));
-    DUMP_MSG(29, (ss, data, ss->gs.recordLen));
-
-    switch (data[0]) {
-    case SSL_MT_CLIENT_FINISHED:
-	if (ss->sec.ci.elements & CIS_HAVE_FINISHED) {
-	    SSL_DBG(("%d: SSL[%d]: dup client-finished message",
-		     SSL_GETPID(), ss->fd));
-	    goto bad_peer;
-	}
-
-	/* See if nonce matches */
-	len = ss->gs.recordLen - 1;
-	cid = data + 1;
-	if ((len != sizeof(ss->sec.ci.connectionID)) ||
-	    (PORT_Memcmp(ss->sec.ci.connectionID, cid, len) != 0)) {
-	    SSL_DBG(("%d: SSL[%d]: bad connection-id", SSL_GETPID(), ss->fd));
-	    PRINT_BUF(5, (ss, "sent connection-id",
-			  ss->sec.ci.connectionID, 
-			  sizeof(ss->sec.ci.connectionID)));
-	    PRINT_BUF(5, (ss, "rcvd connection-id", cid, len));
-	    goto bad_peer;
-	}
-
-	SSL_TRC(5, ("%d: SSL[%d]: got client finished, waiting for 0x%d",
-		    SSL_GETPID(), ss->fd, 
-		    ss->sec.ci.requiredElements ^ ss->sec.ci.elements));
-	ss->sec.ci.elements |= CIS_HAVE_FINISHED;
-	break;
-
-    case SSL_MT_SERVER_FINISHED:
-	if (ss->sec.ci.elements & CIS_HAVE_FINISHED) {
-	    SSL_DBG(("%d: SSL[%d]: dup server-finished message",
-		     SSL_GETPID(), ss->fd));
-	    goto bad_peer;
-	}
-
-	if (ss->gs.recordLen - 1 != SSL2_SESSIONID_BYTES) {
-	    SSL_DBG(("%d: SSL[%d]: bad server-finished message, len=%d",
-		     SSL_GETPID(), ss->fd, ss->gs.recordLen));
-	    goto bad_peer;
-	}
-	ssl2_ClientRegSessionID(ss, data+1);
-	SSL_TRC(5, ("%d: SSL[%d]: got server finished, waiting for 0x%d",
-		    SSL_GETPID(), ss->fd, 
-		    ss->sec.ci.requiredElements ^ ss->sec.ci.elements));
-	ss->sec.ci.elements |= CIS_HAVE_FINISHED;
-	break;
-
-    case SSL_MT_REQUEST_CERTIFICATE:
-	len = ss->gs.recordLen - 2;
-	if ((len < SSL_MIN_CHALLENGE_BYTES) ||
-	    (len > SSL_MAX_CHALLENGE_BYTES)) {
-	    /* Bad challenge */
-	    SSL_DBG(("%d: SSL[%d]: bad cert request message: code len=%d",
-		     SSL_GETPID(), ss->fd, len));
-	    goto bad_peer;
-	}
-	
-	/* save auth request info */
-	ss->sec.ci.authType           = data[1];
-	ss->sec.ci.serverChallengeLen = len;
-	PORT_Memcpy(ss->sec.ci.serverChallenge, data + 2, len);
-	
-	rv = ssl2_HandleRequestCertificate(ss);
-	if (rv == SECWouldBlock) {
-	    SSL_TRC(3, ("%d: SSL[%d]: async cert request",
-			SSL_GETPID(), ss->fd));
-	    /* someone is handling this asynchronously */
-	    ssl_ReleaseRecvBufLock(ss);
-	    return SECWouldBlock;
-	}
-	if (rv) {
-	    SET_ERROR_CODE
-	    goto loser;
-	}
-	break;
-
-    case SSL_MT_CLIENT_CERTIFICATE:
-	if (!ss->authCertificate) {
-	    /* Server asked for authentication and can't handle it */
-	    PORT_SetError(SSL_ERROR_BAD_SERVER);
-	    goto loser;
-	}
-	if (ss->gs.recordLen < SSL_HL_CLIENT_CERTIFICATE_HBYTES) {
-	    SET_ERROR_CODE
-	    goto loser;
-	}
-	certType    = data[1];
-	certLen     = (data[2] << 8) | data[3];
-	responseLen = (data[4] << 8) | data[5];
-	if (certType != SSL_CT_X509_CERTIFICATE) {
-	    PORT_SetError(SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
-	    goto loser;
-	}
-	if (certLen + responseLen + SSL_HL_CLIENT_CERTIFICATE_HBYTES 
-	    > ss->gs.recordLen) {
-	    /* prevent overflow crash. */
-	    rv = SECFailure;
-	} else
-	rv = ssl2_HandleClientCertificate(ss, data[1],
-		data + SSL_HL_CLIENT_CERTIFICATE_HBYTES,
-		certLen,
-		data + SSL_HL_CLIENT_CERTIFICATE_HBYTES + certLen,
-		responseLen);
-	if (rv) {
-	    rv2 = ssl2_SendErrorMessage(ss, SSL_PE_BAD_CERTIFICATE);
-	    SET_ERROR_CODE
-	    goto loser;
-	}
-	ss->sec.ci.elements |= CIS_HAVE_CERTIFICATE;
-	break;
-
-    case SSL_MT_ERROR:
-	rv = (data[1] << 8) | data[2];
-	SSL_TRC(2, ("%d: SSL[%d]: got error message, error=0x%x",
-		    SSL_GETPID(), ss->fd, rv));
-
-	/* Convert protocol error number into API error number */
-	switch (rv) {
-	  case SSL_PE_NO_CYPHERS:
-	    rv = SSL_ERROR_NO_CYPHER_OVERLAP;
-	    break;
-	  case SSL_PE_NO_CERTIFICATE:
-	    rv = SSL_ERROR_NO_CERTIFICATE;
-	    break;
-	  case SSL_PE_BAD_CERTIFICATE:
-	    rv = SSL_ERROR_BAD_CERTIFICATE;
-	    break;
-	  case SSL_PE_UNSUPPORTED_CERTIFICATE_TYPE:
-	    rv = SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE;
-	    break;
-	  default:
-	    goto bad_peer;
-	}
-	/* XXX make certificate-request optionally fail... */
-	PORT_SetError(rv);
-	goto loser;
-
-    default:
-	SSL_DBG(("%d: SSL[%d]: unknown message %d",
-		 SSL_GETPID(), ss->fd, data[0]));
-	goto loser;
-    }
-
-    SSL_TRC(3, ("%d: SSL[%d]: handled %d message, required=0x%x got=0x%x",
-		SSL_GETPID(), ss->fd, data[0],
-		ss->sec.ci.requiredElements, ss->sec.ci.elements));
-
-    rv = ssl2_TryToFinish(ss);
-    if (rv != SECSuccess) 
-	goto loser;
-
-    ss->gs.recordLen = 0;
-    ssl_ReleaseRecvBufLock(ss);
-
-    if (ss->handshake == 0) {
-	return SECSuccess;
-    }
-
-    ss->handshake     = ssl_GatherRecord1stHandshake;
-    ss->nextHandshake = ssl2_HandleMessage;
-    return ssl2_TriggerNextMessage(ss);
-
-  bad_peer:
-    PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT : SSL_ERROR_BAD_SERVER);
-    /* FALL THROUGH */
-
-  loser:
-    ssl_ReleaseRecvBufLock(ss);
-    return SECFailure;
-}
-
-/************************************************************************/
-
-/* Called from ssl_Do1stHandshake, after ssl2_HandleServerHelloMessage or 
-** ssl2_RestartHandshakeAfterServerCert.
-*/
-static SECStatus
-ssl2_HandleVerifyMessage(sslSocket *ss)
-{
-    PRUint8 *        data;
-    SECStatus        rv;
-
-    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-    ssl_GetRecvBufLock(ss);
-
-    data = ss->gs.buf.buf + ss->gs.recordOffset;
-    DUMP_MSG(29, (ss, data, ss->gs.recordLen));
-    if ((ss->gs.recordLen != 1 + SSL_CHALLENGE_BYTES) ||
-	(data[0] != SSL_MT_SERVER_VERIFY) ||
-	PORT_Memcmp(data+1, ss->sec.ci.clientChallenge, SSL_CHALLENGE_BYTES)) {
-	/* Bad server */
-	PORT_SetError(SSL_ERROR_BAD_SERVER);
-	goto loser;
-    }
-    ss->sec.ci.elements |= CIS_HAVE_VERIFY;
-
-    SSL_TRC(5, ("%d: SSL[%d]: got server-verify, required=0x%d got=0x%x",
-		SSL_GETPID(), ss->fd, ss->sec.ci.requiredElements,
-		ss->sec.ci.elements));
-
-    rv = ssl2_TryToFinish(ss);
-    if (rv) 
-	goto loser;
-
-    ss->gs.recordLen = 0;
-    ssl_ReleaseRecvBufLock(ss);
-
-    if (ss->handshake == 0) {
-	return SECSuccess;
-    }
-    ss->handshake         = ssl_GatherRecord1stHandshake;
-    ss->nextHandshake     = ssl2_HandleMessage;
-    return SECSuccess;
-
-
-  loser:
-    ssl_ReleaseRecvBufLock(ss);
-    return SECFailure;
-}
-
-/* Not static because ssl2_GatherData() tests ss->nextHandshake for this value.
- * ICK! 
- * Called from ssl_Do1stHandshake after ssl2_BeginClientHandshake()
- */
-SECStatus
-ssl2_HandleServerHelloMessage(sslSocket *ss)
-{
-    sslSessionID *   sid;
-    PRUint8 *        cert;
-    PRUint8 *        cs;
-    PRUint8 *        data;
-    SECStatus        rv; 
-    int              needed, sidHit, certLen, csLen, cidLen, certType, err;
-
-    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-
-    if (!ss->opt.enableSSL2) {
-	PORT_SetError(SSL_ERROR_SSL2_DISABLED);
-	return SECFailure;
-    }
-
-    ssl_GetRecvBufLock(ss);
-
-    PORT_Assert(ss->sec.ci.sid != 0);
-    sid = ss->sec.ci.sid;
-
-    data = ss->gs.buf.buf + ss->gs.recordOffset;
-    DUMP_MSG(29, (ss, data, ss->gs.recordLen));
-
-    /* Make sure first message has some data and is the server hello message */
-    if ((ss->gs.recordLen < SSL_HL_SERVER_HELLO_HBYTES)
-	|| (data[0] != SSL_MT_SERVER_HELLO)) {
-	if ((data[0] == SSL_MT_ERROR) && (ss->gs.recordLen == 3)) {
-	    err = (data[1] << 8) | data[2];
-	    if (err == SSL_PE_NO_CYPHERS) {
-		PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
-		goto loser;
-	    }
-	}
-	goto bad_server;
-    }
-
-    sidHit      = data[1];
-    certType    = data[2];
-    ss->version = (data[3] << 8) | data[4];
-    certLen     = (data[5] << 8) | data[6];
-    csLen       = (data[7] << 8) | data[8];
-    cidLen      = (data[9] << 8) | data[10];
-    cert        = data + SSL_HL_SERVER_HELLO_HBYTES;
-    cs          = cert + certLen;
-
-    SSL_TRC(5,
-	    ("%d: SSL[%d]: server-hello, hit=%d vers=%x certLen=%d csLen=%d cidLen=%d",
-	     SSL_GETPID(), ss->fd, sidHit, ss->version, certLen,
-	     csLen, cidLen));
-    if (ss->version != SSL_LIBRARY_VERSION_2) {
-        if (ss->version < SSL_LIBRARY_VERSION_2) {
-	  SSL_TRC(3, ("%d: SSL[%d]: demoting self (%x) to server version (%x)",
-		      SSL_GETPID(), ss->fd, SSL_LIBRARY_VERSION_2,
-		      ss->version));
-	} else {
-	  SSL_TRC(1, ("%d: SSL[%d]: server version is %x (we are %x)",
-		    SSL_GETPID(), ss->fd, ss->version, SSL_LIBRARY_VERSION_2));
-	  /* server claims to be newer but does not follow protocol */
-	  PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION);
-	  goto loser;
-	}
-    }
-
-    if ((SSL_HL_SERVER_HELLO_HBYTES + certLen + csLen + cidLen 
-                                                  > ss->gs.recordLen)
-	|| (csLen % 3) != 0   
-	/* || cidLen < SSL_CONNECTIONID_BYTES || cidLen > 32  */
-	) {
-	goto bad_server;
-    }
-
-    /* Save connection-id.
-    ** This code only saves the first 16 byte of the connectionID.
-    ** If the connectionID is shorter than 16 bytes, it is zero-padded.
-    */
-    if (cidLen < sizeof ss->sec.ci.connectionID)
-	memset(ss->sec.ci.connectionID, 0, sizeof ss->sec.ci.connectionID);
-    cidLen = PR_MIN(cidLen, sizeof ss->sec.ci.connectionID);
-    PORT_Memcpy(ss->sec.ci.connectionID, cs + csLen, cidLen);
-
-    /* See if session-id hit */
-    needed = CIS_HAVE_MASTER_KEY | CIS_HAVE_FINISHED | CIS_HAVE_VERIFY;
-    if (sidHit) {
-	if (certLen || csLen) {
-	    /* Uh oh - bogus server */
-	    SSL_DBG(("%d: SSL[%d]: client, huh? hit=%d certLen=%d csLen=%d",
-		     SSL_GETPID(), ss->fd, sidHit, certLen, csLen));
-	    goto bad_server;
-	}
-
-	/* Total winner. */
-	SSL_TRC(1, ("%d: SSL[%d]: client, using nonce for peer=0x%08x "
-		    "port=0x%04x",
-		    SSL_GETPID(), ss->fd, ss->sec.ci.peer, ss->sec.ci.port));
-	ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
-        ss->sec.authAlgorithm = sid->authAlgorithm;
-	ss->sec.authKeyBits   = sid->authKeyBits;
-	ss->sec.keaType       = sid->keaType;
-	ss->sec.keaKeyBits    = sid->keaKeyBits;
-	rv = ssl2_CreateSessionCypher(ss, sid, PR_TRUE);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-    } else {
-	if (certType != SSL_CT_X509_CERTIFICATE) {
-	    PORT_SetError(SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
-	    goto loser;
-	}
-	if (csLen == 0) {
-	    PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
-	    SSL_DBG(("%d: SSL[%d]: no cipher overlap",
-		     SSL_GETPID(), ss->fd));
-	    goto loser;
-	}
-	if (certLen == 0) {
-	    SSL_DBG(("%d: SSL[%d]: client, huh? certLen=%d csLen=%d",
-		     SSL_GETPID(), ss->fd, certLen, csLen));
-	    goto bad_server;
-	}
-
-	if (sid->cached != never_cached) {
-	    /* Forget our session-id - server didn't like it */
-	    SSL_TRC(7, ("%d: SSL[%d]: server forgot me, uncaching session-id",
-			SSL_GETPID(), ss->fd));
-	    (*ss->sec.uncache)(sid);
-	    ssl_FreeSID(sid);
-	    ss->sec.ci.sid = sid = (sslSessionID*) PORT_ZAlloc(sizeof(sslSessionID));
-	    if (!sid) {
-		goto loser;
-	    }
-	    sid->references = 1;
-	    sid->addr = ss->sec.ci.peer;
-	    sid->port = ss->sec.ci.port;
-	}
-
-	/* decode the server's certificate */
-	rv = ssl2_ClientHandleServerCert(ss, cert, certLen);
-	if (rv != SECSuccess) {
-	    if (PORT_GetError() == SSL_ERROR_BAD_CERTIFICATE) {
-		(void) ssl2_SendErrorMessage(ss, SSL_PE_BAD_CERTIFICATE);
-	    }
-	    goto loser;
-	}
-
-	/* Setup new session cipher */
-	rv = ssl2_ClientSetupSessionCypher(ss, cs, csLen);
-	if (rv != SECSuccess) {
-	    if (PORT_GetError() == SSL_ERROR_BAD_CERTIFICATE) {
-		(void) ssl2_SendErrorMessage(ss, SSL_PE_BAD_CERTIFICATE);
-	    }
-	    goto loser;
-	}
-    }
-
-    /* Build up final list of required elements */
-    ss->sec.ci.elements         = CIS_HAVE_MASTER_KEY;
-    ss->sec.ci.requiredElements = needed;
-
-  if (!sidHit) {
-    /* verify the server's certificate. if sidHit, don't check signatures */
-    rv = (* ss->authCertificate)(ss->authCertificateArg, ss->fd, 
-				 (PRBool)(!sidHit), PR_FALSE);
-    if (rv) {
-	if (ss->handleBadCert) {
-	    rv = (*ss->handleBadCert)(ss->badCertArg, ss->fd);
-	    if ( rv ) {
-		if ( rv == SECWouldBlock ) {
-		    /* someone will handle this connection asynchronously*/
-
-		    SSL_DBG(("%d: SSL[%d]: go to async cert handler",
-			     SSL_GETPID(), ss->fd));
-		    ssl_ReleaseRecvBufLock(ss);
-		    ssl_SetAlwaysBlock(ss);
-		    return SECWouldBlock;
-		}
-		/* cert is bad */
-		SSL_DBG(("%d: SSL[%d]: server certificate is no good: error=%d",
-			 SSL_GETPID(), ss->fd, PORT_GetError()));
-		goto loser;
-
-	    }
-	    /* cert is good */
-	} else {
-	    SSL_DBG(("%d: SSL[%d]: server certificate is no good: error=%d",
-		     SSL_GETPID(), ss->fd, PORT_GetError()));
-	    goto loser;
-	}
-    }
-  }
-    /*
-    ** At this point we have a completed session key and our session
-    ** cipher is setup and ready to go. Switch to encrypted write routine
-    ** as all future message data is to be encrypted.
-    */
-    ssl2_UseEncryptedSendFunc(ss);
-
-    rv = ssl2_TryToFinish(ss);
-    if (rv != SECSuccess) 
-	goto loser;
-
-    ss->gs.recordLen = 0;
-
-    ssl_ReleaseRecvBufLock(ss);
-
-    if (ss->handshake == 0) {
-	return SECSuccess;
-    }
-
-    SSL_TRC(5, ("%d: SSL[%d]: got server-hello, required=0x%d got=0x%x",
-		SSL_GETPID(), ss->fd, ss->sec.ci.requiredElements, 
-		ss->sec.ci.elements));
-    ss->handshake     = ssl_GatherRecord1stHandshake;
-    ss->nextHandshake = ssl2_HandleVerifyMessage;
-    return SECSuccess;
-
-  bad_server:
-    PORT_SetError(SSL_ERROR_BAD_SERVER);
-    /* FALL THROUGH */
-
-  loser:
-    ssl_ReleaseRecvBufLock(ss);
-    return SECFailure;
-}
-
-/* Sends out the initial client Hello message on the connection.
- * Acquires and releases the socket's xmitBufLock.
- */
-SECStatus
-ssl2_BeginClientHandshake(sslSocket *ss)
-{
-    sslSessionID      *sid;
-    PRUint8           *msg;
-    PRUint8           *cp;
-    PRUint8           *localCipherSpecs = NULL;
-    unsigned int      localCipherSize;
-    unsigned int      i;
-    int               sendLen, sidLen = 0;
-    SECStatus         rv;
-
-    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-
-    ss->sec.isServer     = 0;
-    ss->sec.sendSequence = 0;
-    ss->sec.rcvSequence  = 0;
-    ssl_ChooseSessionIDProcs(&ss->sec);
-
-    if (!ss->cipherSpecs) {
-	rv = ssl2_ConstructCipherSpecs(ss);
-	if (rv != SECSuccess)
-	    goto loser;
-    }
-
-    /* count the SSL2 and SSL3 enabled ciphers.
-     * if either is zero, clear the socket's enable for that protocol.
-     */
-    rv = ssl2_CheckConfigSanity(ss);
-    if (rv != SECSuccess)
-	goto loser;
-
-    /* Get peer name of server */
-    rv = ssl_GetPeerInfo(ss);
-    if (rv < 0) {
-#ifdef HPUX11
-        /*
-         * On some HP-UX B.11.00 systems, getpeername() occasionally
-         * fails with ENOTCONN after a successful completion of
-         * non-blocking connect.  I found that if we do a write()
-         * and then retry getpeername(), it will work.
-         */
-        if (PR_GetError() == PR_NOT_CONNECTED_ERROR) {
-            char dummy;
-            (void) PR_Write(ss->fd->lower, &dummy, 0);
-            rv = ssl_GetPeerInfo(ss);
-            if (rv < 0) {
-                goto loser;
-            }
-        }
-#else
-	goto loser;
-#endif
-    }
-
-    SSL_TRC(3, ("%d: SSL[%d]: sending client-hello", SSL_GETPID(), ss->fd));
-
-    /* Try to find server in our session-id cache */
-    if (ss->opt.noCache) {
-	sid = NULL;
-    } else {
-	sid = ssl_LookupSID(&ss->sec.ci.peer, ss->sec.ci.port, ss->peerID, 
-	                    ss->url);
-    }
-    while (sid) {  /* this isn't really a loop */
-	/* if we're not doing this SID's protocol any more, drop it. */
-	if (((sid->version  < SSL_LIBRARY_VERSION_3_0) && !ss->opt.enableSSL2) ||
-	    ((sid->version == SSL_LIBRARY_VERSION_3_0) && !ss->opt.enableSSL3) ||
-	    ((sid->version >  SSL_LIBRARY_VERSION_3_0) && !ss->opt.enableTLS)) {
-	    ss->sec.uncache(sid);
-	    ssl_FreeSID(sid);
-	    sid = NULL;
-	    break;
-	}
-	if (ss->opt.enableSSL2 && sid->version < SSL_LIBRARY_VERSION_3_0) {
-	    /* If the cipher in this sid is not enabled, drop it. */
-	    for (i = 0; i < ss->sizeCipherSpecs; i += 3) {
-		if (ss->cipherSpecs[i] == sid->u.ssl2.cipherType)
-		    break;
-	    }
-	    if (i >= ss->sizeCipherSpecs) {
-		ss->sec.uncache(sid);
-		ssl_FreeSID(sid);
-		sid = NULL;
-		break;
-	    }
-	}
-	sidLen = sizeof(sid->u.ssl2.sessionID);
-	PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl2.sessionID,
-		      sidLen));
-	ss->version = sid->version;
-	PORT_Assert(!ss->sec.localCert);
-	if (ss->sec.localCert) {
-	    CERT_DestroyCertificate(ss->sec.localCert);
-	}
-	ss->sec.localCert     = CERT_DupCertificate(sid->localCert);
-	break;  /* this isn't really a loop */
-    } 
-    if (!sid) {
-	sidLen = 0;
-	sid = (sslSessionID*) PORT_ZAlloc(sizeof(sslSessionID));
-	if (!sid) {
-	    goto loser;
-	}
-	sid->references = 1;
-	sid->cached     = never_cached;
-	sid->addr       = ss->sec.ci.peer;
-	sid->port       = ss->sec.ci.port;
-	if (ss->peerID != NULL) {
-	    sid->peerID = PORT_Strdup(ss->peerID);
-	}
-	if (ss->url != NULL) {
-	    sid->urlSvrName = PORT_Strdup(ss->url);
-	}
-    }
-    ss->sec.ci.sid = sid;
-
-    PORT_Assert(sid != NULL);
-
-    if ((sid->version >= SSL_LIBRARY_VERSION_3_0 || !ss->opt.v2CompatibleHello) &&
-        (ss->opt.enableSSL3 || ss->opt.enableTLS)) {
-
-	ss->gs.state      = GS_INIT;
-	ss->handshake     = ssl_GatherRecord1stHandshake;
-
-	/* ssl3_SendClientHello will override this if it succeeds. */
-	ss->version       = SSL_LIBRARY_VERSION_3_0;
-
-	ssl_GetXmitBufLock(ss);    /***************************************/
-	ssl_GetSSL3HandshakeLock(ss);
-	rv =  ssl3_SendClientHello(ss);
-	ssl_ReleaseSSL3HandshakeLock(ss);
-	ssl_ReleaseXmitBufLock(ss); /***************************************/
-
-	return rv;
-    }
-   
-    if (!ss->cipherSpecs) {
-        rv = ssl2_ConstructCipherSpecs(ss);
-	if (rv < 0) {
-	    return rv;
-    	}
-    }
-    localCipherSpecs = ss->cipherSpecs;
-    localCipherSize  = ss->sizeCipherSpecs;
-
-    sendLen = SSL_HL_CLIENT_HELLO_HBYTES + localCipherSize + sidLen +
-	SSL_CHALLENGE_BYTES;
-
-    /* Generate challenge bytes for server */
-    PK11_GenerateRandom(ss->sec.ci.clientChallenge, SSL_CHALLENGE_BYTES);
-
-    ssl_GetXmitBufLock(ss);    /***************************************/
-
-    rv = ssl2_GetSendBuffer(ss, sendLen);
-    if (rv) 
-    	goto unlock_loser;
-
-    /* Construct client-hello message */
-    cp = msg = ss->sec.ci.sendBuf.buf;
-    msg[0] = SSL_MT_CLIENT_HELLO;
-    if ( ss->opt.enableTLS ) {
-	ss->clientHelloVersion = SSL_LIBRARY_VERSION_3_1_TLS;
-    } else if ( ss->opt.enableSSL3 ) {
-	ss->clientHelloVersion = SSL_LIBRARY_VERSION_3_0;
-    } else {
-	ss->clientHelloVersion = SSL_LIBRARY_VERSION_2;
-    }
-    
-    msg[1] = MSB(ss->clientHelloVersion);
-    msg[2] = LSB(ss->clientHelloVersion);
-    msg[3] = MSB(localCipherSize);
-    msg[4] = LSB(localCipherSize);
-    msg[5] = MSB(sidLen);
-    msg[6] = LSB(sidLen);
-    msg[7] = MSB(SSL_CHALLENGE_BYTES);
-    msg[8] = LSB(SSL_CHALLENGE_BYTES);
-    cp += SSL_HL_CLIENT_HELLO_HBYTES;
-    PORT_Memcpy(cp, localCipherSpecs, localCipherSize);
-    cp += localCipherSize;
-    if (sidLen) {
-	PORT_Memcpy(cp, sid->u.ssl2.sessionID, sidLen);
-	cp += sidLen;
-    }
-    PORT_Memcpy(cp, ss->sec.ci.clientChallenge, SSL_CHALLENGE_BYTES);
-
-    /* Send it to the server */
-    DUMP_MSG(29, (ss, msg, sendLen));
-    ss->handshakeBegun = 1;
-    rv = (*ss->sec.send)(ss, msg, sendLen, 0);
-
-    ssl_ReleaseXmitBufLock(ss);    /***************************************/
-
-    if (rv < 0) {
-	goto loser;
-    }
-
-    rv = ssl3_StartHandshakeHash(ss, msg, sendLen);
-    if (rv < 0) {
-	goto loser;
-    }
-
-    /* Setup to receive servers hello message */
-    ssl_GetRecvBufLock(ss);
-    ss->gs.recordLen = 0;
-    ssl_ReleaseRecvBufLock(ss);
-
-    ss->handshake     = ssl_GatherRecord1stHandshake;
-    ss->nextHandshake = ssl2_HandleServerHelloMessage;
-    return SECSuccess;
-
-unlock_loser:
-    ssl_ReleaseXmitBufLock(ss);
-loser:
-    return SECFailure;
-}
-
-/************************************************************************/
-
-/* Handle the CLIENT-MASTER-KEY message. 
-** Acquires and releases RecvBufLock.
-** Called from ssl2_HandleClientHelloMessage(). 
-*/
-static SECStatus
-ssl2_HandleClientSessionKeyMessage(sslSocket *ss)
-{
-    PRUint8 *        data;
-    unsigned int     caLen;
-    unsigned int     ckLen;
-    unsigned int     ekLen;
-    unsigned int     keySize;
-    int              cipher;
-    SECStatus        rv;
-
-
-    ssl_GetRecvBufLock(ss);
-
-    data = ss->gs.buf.buf + ss->gs.recordOffset;
-    DUMP_MSG(29, (ss, data, ss->gs.recordLen));
-
-    if ((ss->gs.recordLen < SSL_HL_CLIENT_MASTER_KEY_HBYTES)
-	|| (data[0] != SSL_MT_CLIENT_MASTER_KEY)) {
-	goto bad_client;
-    }
-    cipher  = data[1];
-    keySize = (data[2] << 8) | data[3];
-    ckLen   = (data[4] << 8) | data[5];
-    ekLen   = (data[6] << 8) | data[7];
-    caLen   = (data[8] << 8) | data[9];
-
-    SSL_TRC(5, ("%d: SSL[%d]: session-key, cipher=%d keySize=%d ckLen=%d ekLen=%d caLen=%d",
-		SSL_GETPID(), ss->fd, cipher, keySize, ckLen, ekLen, caLen));
-
-    if (ss->gs.recordLen < 
-    	    SSL_HL_CLIENT_MASTER_KEY_HBYTES + ckLen + ekLen + caLen) {
-	SSL_DBG(("%d: SSL[%d]: protocol size mismatch dataLen=%d",
-		 SSL_GETPID(), ss->fd, ss->gs.recordLen));
-	goto bad_client;
-    }
-
-    /* Use info from client to setup session key */
-    /* XXX should validate cipher&keySize are in our array */
-    rv = ssl2_ServerSetupSessionCypher(ss, cipher, keySize,
-		data + SSL_HL_CLIENT_MASTER_KEY_HBYTES,                 ckLen,
-		data + SSL_HL_CLIENT_MASTER_KEY_HBYTES + ckLen,         ekLen,
-		data + SSL_HL_CLIENT_MASTER_KEY_HBYTES + ckLen + ekLen, caLen);
-    ss->gs.recordLen = 0;	/* we're done with this record. */
-
-    ssl_ReleaseRecvBufLock(ss);
-
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-    ss->sec.ci.elements |= CIS_HAVE_MASTER_KEY;
-    ssl2_UseEncryptedSendFunc(ss);
-
-    /* Send server verify message now that keys are established */
-    rv = ssl2_SendServerVerifyMessage(ss);
-    if (rv != SECSuccess) 
-	goto loser;
-
-    rv = ssl2_TryToFinish(ss);
-    if (rv != SECSuccess) 
-	goto loser;
-    if (ss->handshake == 0) {
-	return SECSuccess;
-    }
-
-    SSL_TRC(5, ("%d: SSL[%d]: server: waiting for elements=0x%d",
-		SSL_GETPID(), ss->fd, ss->sec.ci.requiredElements ^ ss->sec.ci.elements));
-    ss->handshake         = ssl_GatherRecord1stHandshake;
-    ss->nextHandshake     = ssl2_HandleMessage;
-
-    return ssl2_TriggerNextMessage(ss);
-
-bad_client:
-    ssl_ReleaseRecvBufLock(ss);
-    PORT_SetError(SSL_ERROR_BAD_CLIENT);
-    /* FALLTHROUGH */
-
-loser:
-    return SECFailure;
-}
-
-/*
- * attempt to restart the handshake after asynchronously handling
- * a request for the client's certificate.
- *
- * inputs:  
- *	cert	Client cert chosen by application.
- *	key	Private key associated with cert.  
- *
- * XXX: need to make ssl2 and ssl3 versions of this function agree on whether
- *	they take the reference, or bump the ref count!
- *
- * Return value: XXX
- *
- * Caller holds 1stHandshakeLock.
- */
-int
-ssl2_RestartHandshakeAfterCertReq(sslSocket *          ss,
-				  CERTCertificate *    cert, 
-				  SECKEYPrivateKey *   key)
-{
-    int              ret;
-    SECStatus        rv          = SECSuccess;
-    SECItem          response;
-
-    if (ss->version >= SSL_LIBRARY_VERSION_3_0) 
-    	return SECFailure;
-
-    response.data = NULL;
-
-    /* generate error if no cert or key */
-    if ( ( cert == NULL ) || ( key == NULL ) ) {
-	goto no_cert;
-    }
-    
-    /* generate signed response to the challenge */
-    rv = ssl2_SignResponse(ss, key, &response);
-    if ( rv != SECSuccess ) {
-	goto no_cert;
-    }
-    
-    /* Send response message */
-    ret = ssl2_SendCertificateResponseMessage(ss, &cert->derCert, &response);
-    if (ret) {
-	goto no_cert;
-    }
-
-    /* try to finish the handshake */
-    ret = ssl2_TryToFinish(ss);
-    if (ret) {
-	goto loser;
-    }
-    
-    /* done with handshake */
-    if (ss->handshake == 0) {
-	ret = SECSuccess;
-	goto done;
-    }
-
-    /* continue handshake */
-    ssl_GetRecvBufLock(ss);
-    ss->gs.recordLen = 0;
-    ssl_ReleaseRecvBufLock(ss);
-
-    ss->handshake     = ssl_GatherRecord1stHandshake;
-    ss->nextHandshake = ssl2_HandleMessage;
-    ret = ssl2_TriggerNextMessage(ss);
-    goto done;
-    
-no_cert:
-    /* no cert - send error */
-    ret = ssl2_SendErrorMessage(ss, SSL_PE_NO_CERTIFICATE);
-    goto done;
-    
-loser:
-    ret = SECFailure;
-done:
-    /* free allocated data */
-    if ( response.data ) {
-	PORT_Free(response.data);
-    }
-    
-    return ret;
-}
-
-
-/* restart an SSL connection that we stopped to run certificate dialogs 
-** XXX	Need to document here how an application marks a cert to show that
-**	the application has accepted it (overridden CERT_VerifyCert).
- *
- * Return value: XXX
- *
- * Caller holds 1stHandshakeLock.
-*/
-int
-ssl2_RestartHandshakeAfterServerCert(sslSocket *ss)
-{
-    int rv	= SECSuccess;
-
-    if (ss->version >= SSL_LIBRARY_VERSION_3_0) 
-	return SECFailure;
-
-    /* SSL 2
-    ** At this point we have a completed session key and our session
-    ** cipher is setup and ready to go. Switch to encrypted write routine
-    ** as all future message data is to be encrypted.
-    */
-    ssl2_UseEncryptedSendFunc(ss);
-
-    rv = ssl2_TryToFinish(ss);
-    if (rv == SECSuccess && ss->handshake != NULL) {	
-	/* handshake is not yet finished. */
-
-	SSL_TRC(5, ("%d: SSL[%d]: got server-hello, required=0x%d got=0x%x",
-		SSL_GETPID(), ss->fd, ss->sec.ci.requiredElements,
-		ss->sec.ci.elements));
-
-	ssl_GetRecvBufLock(ss);
-	ss->gs.recordLen = 0;	/* mark it all used up. */
-	ssl_ReleaseRecvBufLock(ss);
-
-	ss->handshake     = ssl_GatherRecord1stHandshake;
-	ss->nextHandshake = ssl2_HandleVerifyMessage;
-    }
-
-    return rv;
-}
-
-/*
-** Handle the initial hello message from the client
-**
-** not static because ssl2_GatherData() tests ss->nextHandshake for this value.
-*/
-SECStatus
-ssl2_HandleClientHelloMessage(sslSocket *ss)
-{
-    sslSessionID    *sid;
-    sslServerCerts * sc;
-    CERTCertificate *serverCert;
-    PRUint8         *msg;
-    PRUint8         *data;
-    PRUint8         *cs;
-    PRUint8         *sd;
-    PRUint8         *cert = NULL;
-    PRUint8         *challenge;
-    unsigned int    challengeLen;
-    SECStatus       rv; 
-    int             csLen;
-    int             sendLen;
-    int             sdLen;
-    int             certLen;
-    int             pid;
-    int             sent;
-    int             gotXmitBufLock = 0;
-#if defined(SOLARIS) && defined(i386)
-    volatile PRUint8 hit;
-#else
-    int             hit;
-#endif
-    PRUint8         csImpl[sizeof implementedCipherSuites];
-
-    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-
-    sc = ss->serverCerts + kt_rsa;
-    serverCert = sc->serverCert;
-
-    ssl_GetRecvBufLock(ss);
-
-
-    data = ss->gs.buf.buf + ss->gs.recordOffset;
-    DUMP_MSG(29, (ss, data, ss->gs.recordLen));
-
-    /* Make sure first message has some data and is the client hello message */
-    if ((ss->gs.recordLen < SSL_HL_CLIENT_HELLO_HBYTES)
-	|| (data[0] != SSL_MT_CLIENT_HELLO)) {
-	goto bad_client;
-    }
-
-    /* Get peer name of client */
-    rv = ssl_GetPeerInfo(ss);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-
-    /* Examine version information */
-    /*
-     * See if this might be a V2 client hello asking to use the V3 protocol
-     */
-    if ((data[0] == SSL_MT_CLIENT_HELLO) && 
-        (data[1] >= MSB(SSL_LIBRARY_VERSION_3_0)) && 
-	(ss->opt.enableSSL3 || ss->opt.enableTLS)) {
-	rv = ssl3_HandleV2ClientHello(ss, data, ss->gs.recordLen);
-	if (rv != SECFailure) { /* Success */
-	    ss->handshake             = NULL;
-	    ss->nextHandshake         = ssl_GatherRecord1stHandshake;
-	    ss->securityHandshake     = NULL;
-	    ss->gs.state              = GS_INIT;
-
-	    /* ssl3_HandleV3ClientHello has set ss->version,
-	    ** and has gotten us a brand new sid.  
-	    */
-	    ss->sec.ci.sid->version  = ss->version;
-	}
-	ssl_ReleaseRecvBufLock(ss);
-	return rv;
-    }
-    /* Previously, there was a test here to see if SSL2 was enabled.
-    ** If not, an error code was set, and SECFailure was returned,
-    ** without sending any error code to the other end of the connection.
-    ** That test has been removed.  If SSL2 has been disabled, there
-    ** should be no SSL2 ciphers enabled, and consequently, the code
-    ** below should send the ssl2 error message SSL_PE_NO_CYPHERS.
-    ** We now believe this is the correct thing to do, even when SSL2
-    ** has been explicitly disabled by the application.
-    */
-
-    /* Extract info from message */
-    ss->version = (data[1] << 8) | data[2];
-
-    /* If some client thinks ssl v2 is 2.0 instead of 0.2, we'll allow it.  */
-    if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
-	ss->version = SSL_LIBRARY_VERSION_2;
-    }
-    
-    csLen        = (data[3] << 8) | data[4];
-    sdLen        = (data[5] << 8) | data[6];
-    challengeLen = (data[7] << 8) | data[8];
-    cs           = data + SSL_HL_CLIENT_HELLO_HBYTES;
-    sd           = cs + csLen;
-    challenge    = sd + sdLen;
-    PRINT_BUF(7, (ss, "server, client session-id value:", sd, sdLen));
-
-    if (!csLen || (csLen % 3) != 0 || 
-        (sdLen != 0 && sdLen != SSL2_SESSIONID_BYTES) ||
-	challengeLen < SSL_MIN_CHALLENGE_BYTES || 
-	challengeLen > SSL_MAX_CHALLENGE_BYTES ||
-        (unsigned)ss->gs.recordLen != 
-            SSL_HL_CLIENT_HELLO_HBYTES + csLen + sdLen + challengeLen) {
-	SSL_DBG(("%d: SSL[%d]: bad client hello message, len=%d should=%d",
-		 SSL_GETPID(), ss->fd, ss->gs.recordLen,
-		 SSL_HL_CLIENT_HELLO_HBYTES+csLen+sdLen+challengeLen));
-	goto bad_client;
-    }
-
-    SSL_TRC(3, ("%d: SSL[%d]: client version is %x",
-		SSL_GETPID(), ss->fd, ss->version));
-    if (ss->version != SSL_LIBRARY_VERSION_2) {
-	if (ss->version > SSL_LIBRARY_VERSION_2) {
-	    /*
-	    ** Newer client than us. Things are ok because new clients
-	    ** are required to be backwards compatible with old servers.
-	    ** Change version number to our version number so that client
-	    ** knows whats up.
-	    */
-	    ss->version = SSL_LIBRARY_VERSION_2;
-	} else {
-	    SSL_TRC(1, ("%d: SSL[%d]: client version is %x (we are %x)",
-		SSL_GETPID(), ss->fd, ss->version, SSL_LIBRARY_VERSION_2));
-	    PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION);
-	    goto loser;
-	}
-    }
-
-    /* Qualify cipher specs before returning them to client */
-    csLen = ssl2_QualifyCypherSpecs(ss, cs, csLen);
-    if (csLen == 0) {
-	/* no overlap, send client our list of supported SSL v2 ciphers. */
-        cs    = csImpl;
-	csLen = sizeof implementedCipherSuites;
-    	PORT_Memcpy(cs, implementedCipherSuites, csLen);
-	csLen = ssl2_QualifyCypherSpecs(ss, cs, csLen);
-	if (csLen == 0) {
-	  /* We don't support any SSL v2 ciphers! */
-	  ssl2_SendErrorMessage(ss, SSL_PE_NO_CYPHERS);
-	  PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
-	  goto loser;
-	}
-	/* Since this handhsake is going to fail, don't cache it. */
-	ss->opt.noCache = 1; 
-    }
-
-    /* Squirrel away the challenge for later */
-    PORT_Memcpy(ss->sec.ci.clientChallenge, challenge, challengeLen);
-
-    /* Examine message and see if session-id is good */
-    ss->sec.ci.elements = 0;
-    if (sdLen > 0 && !ss->opt.noCache) {
-	SSL_TRC(7, ("%d: SSL[%d]: server, lookup client session-id for 0x%08x%08x%08x%08x",
-		    SSL_GETPID(), ss->fd, ss->sec.ci.peer.pr_s6_addr32[0],
-		    ss->sec.ci.peer.pr_s6_addr32[1], 
-		    ss->sec.ci.peer.pr_s6_addr32[2],
-		    ss->sec.ci.peer.pr_s6_addr32[3]));
-	sid = (*ssl_sid_lookup)(&ss->sec.ci.peer, sd, sdLen, ss->dbHandle);
-    } else {
-	sid = NULL;
-    }
-    if (sid) {
-	/* Got a good session-id. Short cut! */
-	SSL_TRC(1, ("%d: SSL[%d]: server, using session-id for 0x%08x (age=%d)",
-		    SSL_GETPID(), ss->fd, ss->sec.ci.peer, 
-		    ssl_Time() - sid->creationTime));
-	PRINT_BUF(1, (ss, "session-id value:", sd, sdLen));
-	ss->sec.ci.sid = sid;
-	ss->sec.ci.elements = CIS_HAVE_MASTER_KEY;
-	hit = 1;
-	certLen = 0;
-	csLen = 0;
-
-        ss->sec.authAlgorithm = sid->authAlgorithm;
-	ss->sec.authKeyBits   = sid->authKeyBits;
-	ss->sec.keaType       = sid->keaType;
-	ss->sec.keaKeyBits    = sid->keaKeyBits;
-
-	rv = ssl2_CreateSessionCypher(ss, sid, PR_FALSE);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-    } else {
-	SECItem * derCert   = &serverCert->derCert;
-
-	SSL_TRC(7, ("%d: SSL[%d]: server, lookup nonce missed",
-		    SSL_GETPID(), ss->fd));
-	if (!serverCert) {
-	    SET_ERROR_CODE
-	    goto loser;
-	}
-	hit = 0;
-	sid = (sslSessionID*) PORT_ZAlloc(sizeof(sslSessionID));
-	if (!sid) {
-	    goto loser;
-	}
-	sid->references = 1;
-	sid->addr = ss->sec.ci.peer;
-	sid->port = ss->sec.ci.port;
-
-	/* Invent a session-id */
-	ss->sec.ci.sid = sid;
-	PK11_GenerateRandom(sid->u.ssl2.sessionID+2, SSL2_SESSIONID_BYTES-2);
-
-	pid = SSL_GETPID();
-	sid->u.ssl2.sessionID[0] = MSB(pid);
-	sid->u.ssl2.sessionID[1] = LSB(pid);
-	cert    = derCert->data;
-	certLen = derCert->len;
-
-	/* pretend that server sids remember the local cert. */
-	PORT_Assert(!sid->localCert);
-	if (sid->localCert) {
-	    CERT_DestroyCertificate(sid->localCert);
-	}
-	sid->localCert     = CERT_DupCertificate(serverCert);
-
-	ss->sec.authAlgorithm = ssl_sign_rsa;
-	ss->sec.keaType       = ssl_kea_rsa;
-	ss->sec.keaKeyBits    = \
-	ss->sec.authKeyBits   = ss->serverCerts[kt_rsa].serverKeyBits;
-    }
-
-    /* server sids don't remember the local cert, so whether we found
-    ** a sid or not, just "remember" we used the rsa server cert.
-    */
-    if (ss->sec.localCert) {
-	CERT_DestroyCertificate(ss->sec.localCert);
-    }
-    ss->sec.localCert     = CERT_DupCertificate(serverCert);
-
-    /* Build up final list of required elements */
-    ss->sec.ci.requiredElements = CIS_HAVE_MASTER_KEY | CIS_HAVE_FINISHED;
-    if (ss->opt.requestCertificate) {
-	ss->sec.ci.requiredElements |= CIS_HAVE_CERTIFICATE;
-    }
-    ss->sec.ci.sentElements = 0;
-
-    /* Send hello message back to client */
-    sendLen = SSL_HL_SERVER_HELLO_HBYTES + certLen + csLen
-	    + SSL_CONNECTIONID_BYTES;
-
-    ssl_GetXmitBufLock(ss); gotXmitBufLock = 1;
-    rv = ssl2_GetSendBuffer(ss, sendLen);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-
-    SSL_TRC(3, ("%d: SSL[%d]: sending server-hello (%d)",
-		SSL_GETPID(), ss->fd, sendLen));
-
-    msg = ss->sec.ci.sendBuf.buf;
-    msg[0] = SSL_MT_SERVER_HELLO;
-    msg[1] = hit;
-    msg[2] = SSL_CT_X509_CERTIFICATE;
-    msg[3] = MSB(ss->version);
-    msg[4] = LSB(ss->version);
-    msg[5] = MSB(certLen);
-    msg[6] = LSB(certLen);
-    msg[7] = MSB(csLen);
-    msg[8] = LSB(csLen);
-    msg[9] = MSB(SSL_CONNECTIONID_BYTES);
-    msg[10] = LSB(SSL_CONNECTIONID_BYTES);
-    if (certLen) {
-	PORT_Memcpy(msg+SSL_HL_SERVER_HELLO_HBYTES, cert, certLen);
-    }
-    if (csLen) {
-	PORT_Memcpy(msg+SSL_HL_SERVER_HELLO_HBYTES+certLen, cs, csLen);
-    }
-    PORT_Memcpy(msg+SSL_HL_SERVER_HELLO_HBYTES+certLen+csLen, 
-                ss->sec.ci.connectionID, SSL_CONNECTIONID_BYTES);
-
-    DUMP_MSG(29, (ss, msg, sendLen));
-
-    ss->handshakeBegun = 1;
-    sent = (*ss->sec.send)(ss, msg, sendLen, 0);
-    if (sent < 0) {
-	goto loser;
-    }
-    ssl_ReleaseXmitBufLock(ss); gotXmitBufLock = 0;
-
-    ss->gs.recordLen = 0;
-    ss->handshake = ssl_GatherRecord1stHandshake;
-    if (hit) {
-	/* Old SID Session key is good. Go encrypted */
-	ssl2_UseEncryptedSendFunc(ss);
-
-	/* Send server verify message now that keys are established */
-	rv = ssl2_SendServerVerifyMessage(ss);
-	if (rv != SECSuccess) 
-	    goto loser;
-
-	ss->nextHandshake = ssl2_HandleMessage;
-	ssl_ReleaseRecvBufLock(ss);
-	rv = ssl2_TriggerNextMessage(ss);
-	return rv;
-    }
-    ss->nextHandshake = ssl2_HandleClientSessionKeyMessage;
-    ssl_ReleaseRecvBufLock(ss);
-    return SECSuccess;
-
-  bad_client:
-    PORT_SetError(SSL_ERROR_BAD_CLIENT);
-    /* FALLTHROUGH */
-
-  loser:
-    if (gotXmitBufLock) {
-    	ssl_ReleaseXmitBufLock(ss); gotXmitBufLock = 0;
-    }
-    SSL_TRC(10, ("%d: SSL[%d]: server, wait for client-hello lossage",
-		 SSL_GETPID(), ss->fd));
-    ssl_ReleaseRecvBufLock(ss);
-    return SECFailure;
-}
-
-SECStatus
-ssl2_BeginServerHandshake(sslSocket *ss)
-{
-    SECStatus        rv;
-    sslServerCerts * rsaAuth = ss->serverCerts + kt_rsa;
-
-    ss->sec.isServer = 1;
-    ssl_ChooseSessionIDProcs(&ss->sec);
-    ss->sec.sendSequence = 0;
-    ss->sec.rcvSequence = 0;
-
-    /* don't turn on SSL2 if we don't have an RSA key and cert */
-    if (!rsaAuth->SERVERKEY || !rsaAuth->serverCert) {
-	ss->opt.enableSSL2 = PR_FALSE;
-    }
-
-    if (!ss->cipherSpecs) {
-	rv = ssl2_ConstructCipherSpecs(ss);
-	if (rv != SECSuccess)
-	    goto loser;
-    }
-
-    /* count the SSL2 and SSL3 enabled ciphers.
-     * if either is zero, clear the socket's enable for that protocol.
-     */
-    rv = ssl2_CheckConfigSanity(ss);
-    if (rv != SECSuccess)
-	goto loser;
-
-    /*
-    ** Generate connection-id. Always do this, even if things fail
-    ** immediately. This way the random number generator is always
-    ** rolling around, every time we get a connection.
-    */
-    PK11_GenerateRandom(ss->sec.ci.connectionID, 
-                        sizeof(ss->sec.ci.connectionID));
-
-    ss->gs.recordLen = 0;
-    ss->handshake     = ssl_GatherRecord1stHandshake;
-    ss->nextHandshake = ssl2_HandleClientHelloMessage;
-    return SECSuccess;
-
-loser:
-    return SECFailure;
-}
-
-/* This function doesn't really belong in this file.
-** It's here to keep AIX compilers from optimizing it away, 
-** and not including it in the DSO.
-*/
-
-#include "nss.h"
-extern const char __nss_ssl_rcsid[];
-extern const char __nss_ssl_sccsid[];
-
-PRBool
-NSSSSL_VersionCheck(const char *importedVersion)
-{
-    /*
-     * This is the secret handshake algorithm.
-     *
-     * This release has a simple version compatibility
-     * check algorithm.  This release is not backward
-     * compatible with previous major releases.  It is
-     * not compatible with future major, minor, or
-     * patch releases.
-     */
-    volatile char c; /* force a reference that won't get optimized away */
-
-    c = __nss_ssl_rcsid[0] + __nss_ssl_sccsid[0]; 
-    return NSS_VersionCheck(importedVersion);
-}
diff --git a/security/nss/lib/ssl/ssldef.c b/security/nss/lib/ssl/ssldef.c
deleted file mode 100644
index 23ef9cafe..000000000
--- a/security/nss/lib/ssl/ssldef.c
+++ /dev/null
@@ -1,252 +0,0 @@
-/*
- * "Default" SSLSocket methods, used by sockets that do neither SSL nor socks.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "cert.h"
-#include "ssl.h"
-#include "sslimpl.h"
-
-#if defined(WIN32)
-#define MAP_ERROR(from,to) if (err == from) { PORT_SetError(to); }
-#define DEFINE_ERROR       PRErrorCode err = PR_GetError();
-#else
-#define MAP_ERROR(from,to)
-#define DEFINE_ERROR
-#endif
-
-int ssl_DefConnect(sslSocket *ss, const PRNetAddr *sa)
-{
-    PRFileDesc *lower = ss->fd->lower;
-    int rv;
-
-    rv = lower->methods->connect(lower, sa, ss->cTimeout);
-    return rv;
-}
-
-int ssl_DefBind(sslSocket *ss, const PRNetAddr *addr)
-{
-    PRFileDesc *lower = ss->fd->lower;
-    int rv;
-
-    rv = lower->methods->bind(lower, addr);
-    return rv;
-}
-
-int ssl_DefListen(sslSocket *ss, int backlog)
-{
-    PRFileDesc *lower = ss->fd->lower;
-    int rv;
-
-    rv = lower->methods->listen(lower, backlog);
-    return rv;
-}
-
-int ssl_DefShutdown(sslSocket *ss, int how)
-{
-    PRFileDesc *lower = ss->fd->lower;
-    int rv;
-
-    rv = lower->methods->shutdown(lower, how);
-    return rv;
-}
-
-int ssl_DefRecv(sslSocket *ss, unsigned char *buf, int len, int flags)
-{
-    PRFileDesc *lower = ss->fd->lower;
-    int rv;
-
-    rv = lower->methods->recv(lower, (void *)buf, len, flags, ss->rTimeout);
-    if (rv < 0) {
-	DEFINE_ERROR
-	MAP_ERROR(PR_SOCKET_SHUTDOWN_ERROR, PR_CONNECT_RESET_ERROR)
-    } else if (rv > len) {
-	PORT_Assert(rv <= len);
-	PORT_SetError(PR_BUFFER_OVERFLOW_ERROR);
-	rv = SECFailure;
-    }
-    return rv;
-}
-
-/* Default (unencrypted) send.
- * Returns SECSuccess or SECFailure,  NOT SECWouldBlock. 
- * Returns positive count if any data was written. 
- * ALWAYS check for a short write after calling ssl_DefSend.
- */
-int ssl_DefSend(sslSocket *ss, const unsigned char *buf, int len, int flags)
-{
-    PRFileDesc *lower = ss->fd->lower;
-    int rv, count;
-
-#if NSS_DISABLE_NAGLE_DELAYS
-    /* Although this is overkill, we disable Nagle delays completely for 
-    ** SSL sockets.
-    */
-    if (ss->opt.useSecurity && !ss->delayDisabled) {
-	ssl_EnableNagleDelay(ss, PR_FALSE);   /* ignore error */
-    	ss->delayDisabled = 1;
-    }
-#endif
-    count = 0;
-    for (;;) {
-	rv = lower->methods->send(lower, (const void *)buf, len,
-				 flags, ss->wTimeout);
-	if (rv < 0) {
-	    PRErrorCode err = PR_GetError();
-	    if (err == PR_WOULD_BLOCK_ERROR) {
-		ss->lastWriteBlocked = 1;
-		return count ? count : rv;
-	    }
-	    ss->lastWriteBlocked = 0;
-	    MAP_ERROR(PR_CONNECT_ABORTED_ERROR, PR_CONNECT_RESET_ERROR)
-	    /* Loser */
-	    return rv;
-	}
-	count += rv;
-	if (rv < len) {
-	    /* Short send. Send the rest in the next call */
-	    buf += rv;
-	    len -= rv;
-	    continue;
-	}
-	break;
-    }
-    ss->lastWriteBlocked = 0;
-    return count;
-}
-
-int ssl_DefRead(sslSocket *ss, unsigned char *buf, int len)
-{
-    PRFileDesc *lower = ss->fd->lower;
-    int rv;
-
-    rv = lower->methods->read(lower, (void *)buf, len);
-    if (rv < 0) {
-	DEFINE_ERROR
-	MAP_ERROR(PR_SOCKET_SHUTDOWN_ERROR, PR_CONNECT_RESET_ERROR)
-    }
-    return rv;
-}
-
-int ssl_DefWrite(sslSocket *ss, const unsigned char *buf, int len)
-{
-    PRFileDesc *lower = ss->fd->lower;
-    int rv, count;
-
-    count = 0;
-    for (;;) {
-	rv = lower->methods->write(lower, (void *)buf, len);
-	if (rv < 0) {
-	    PRErrorCode err = PR_GetError();
-	    if (err == PR_WOULD_BLOCK_ERROR) {
-		ss->lastWriteBlocked = 1;
-		return count ? count : rv;
-	    }
-	    ss->lastWriteBlocked = 0;
-	    MAP_ERROR(PR_CONNECT_ABORTED_ERROR, PR_CONNECT_RESET_ERROR)
-	    /* Loser */
-	    return rv;
-	}
-	count += rv;
-	if (rv != len) {
-	    /* Short write. Send the rest in the next call */
-	    buf += rv;
-	    len -= rv;
-	    continue;
-	}
-	break;
-    }
-    ss->lastWriteBlocked = 0;
-    return count;
-}
-
-int ssl_DefGetpeername(sslSocket *ss, PRNetAddr *name)
-{
-    PRFileDesc *lower = ss->fd->lower;
-    int rv;
-
-    rv = lower->methods->getpeername(lower, name);
-    return rv;
-}
-
-int ssl_DefGetsockname(sslSocket *ss, PRNetAddr *name)
-{
-    PRFileDesc *lower = ss->fd->lower;
-    int rv;
-
-    rv = lower->methods->getsockname(lower, name);
-    return rv;
-}
-
-int ssl_DefClose(sslSocket *ss)
-{
-    PRFileDesc *fd;
-    PRFileDesc *popped;
-    int         rv;
-
-    fd    = ss->fd;
-
-    /* First, remove the SSL layer PRFileDesc from the socket's stack, 
-    ** then invoke the SSL layer's PRFileDesc destructor.
-    ** This must happen before the next layer down is closed.
-    */
-    PORT_Assert(fd->higher == NULL);
-    if (fd->higher) {
-	PORT_SetError(PR_BAD_DESCRIPTOR_ERROR);
-	return SECFailure;
-    }
-    ss->fd = NULL;
-
-    /* PR_PopIOLayer will swap the contents of the top two PRFileDescs on
-    ** the stack, and then remove the second one.  This way, the address
-    ** of the PRFileDesc on the top of the stack doesn't change.
-    */
-    popped = PR_PopIOLayer(fd, PR_TOP_IO_LAYER); 
-    popped->dtor(popped);
-
-    /* fd is now the PRFileDesc for the next layer down.
-    ** Now close the underlying socket. 
-    */
-    rv = fd->methods->close(fd);
-
-    ssl_FreeSocket(ss);
-
-    SSL_TRC(5, ("%d: SSL[%d]: closing, rv=%d errno=%d",
-		SSL_GETPID(), fd, rv, PORT_GetError()));
-    return rv;
-}
diff --git a/security/nss/lib/ssl/sslenum.c b/security/nss/lib/ssl/sslenum.c
deleted file mode 100644
index d28d689b7..000000000
--- a/security/nss/lib/ssl/sslenum.c
+++ /dev/null
@@ -1,126 +0,0 @@
-/*
- * Table enumerating all implemented cipher suites
- * Part of public API.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Stephen Henson <stephen.henson@gemplus.com>
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "ssl.h"
-#include "sslproto.h"
-
-const PRUint16 SSL_ImplementedCiphers[] = {
-
-    /* 256-bit */
-    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
-    TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
-#ifdef NSS_ENABLE_ECC
-    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
-    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
-#endif /* NSS_ENABLE_ECC */
-    TLS_RSA_WITH_AES_256_CBC_SHA,
-
-    /* 128-bit */
-#ifdef NSS_ENABLE_ECC
-    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-#endif /* NSS_ENABLE_ECC */
-    TLS_DHE_DSS_WITH_RC4_128_SHA,
-    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
-    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
-#ifdef NSS_ENABLE_ECC
-    TLS_ECDH_RSA_WITH_RC4_128_SHA,
-    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
-    TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
-    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
-#endif /* NSS_ENABLE_ECC */
-    SSL_RSA_WITH_RC4_128_MD5,
-    SSL_RSA_WITH_RC4_128_SHA,
-    TLS_RSA_WITH_AES_128_CBC_SHA,
-
-    /* 112-bit 3DES */
-    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
-    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
-#ifdef NSS_ENABLE_ECC
-    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
-    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
-#endif /* NSS_ENABLE_ECC */
-    SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
-    SSL_RSA_WITH_3DES_EDE_CBC_SHA,
-
-    /* 56-bit DES "domestic" cipher suites */
-    SSL_DHE_RSA_WITH_DES_CBC_SHA,
-    SSL_DHE_DSS_WITH_DES_CBC_SHA,
-#ifdef NSS_ENABLE_ECC
-    TLS_ECDH_RSA_WITH_DES_CBC_SHA,
-    TLS_ECDH_ECDSA_WITH_DES_CBC_SHA,
-#endif /* NSS_ENABLE_ECC */
-    SSL_RSA_FIPS_WITH_DES_CBC_SHA,
-    SSL_RSA_WITH_DES_CBC_SHA,
-
-    /* export ciphersuites with 1024-bit public key exchange keys */
-    TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
-    TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
-
-    /* export ciphersuites with 512-bit public key exchange keys */
-    SSL_RSA_EXPORT_WITH_RC4_40_MD5,
-    SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
-
-    /* ciphersuites with no encryption */
-#ifdef NSS_ENABLE_ECC
-    TLS_ECDH_RSA_WITH_NULL_SHA,
-    TLS_ECDH_ECDSA_WITH_NULL_SHA,
-#endif /* NSS_ENABLE_ECC */
-    SSL_RSA_WITH_NULL_SHA,
-    SSL_RSA_WITH_NULL_MD5,
-
-    /* SSL2 cipher suites. */
-    SSL_EN_RC4_128_WITH_MD5,
-    SSL_EN_RC2_128_CBC_WITH_MD5,
-    SSL_EN_DES_192_EDE3_CBC_WITH_MD5,  /* actually 112, not 192 */
-    SSL_EN_DES_64_CBC_WITH_MD5,
-    SSL_EN_RC4_128_EXPORT40_WITH_MD5,
-    SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5,
-
-    0
-
-};
-
-const PRUint16 SSL_NumImplementedCiphers = 
-    (sizeof SSL_ImplementedCiphers) / (sizeof SSL_ImplementedCiphers[0]) - 1;
-
diff --git a/security/nss/lib/ssl/sslerr.c b/security/nss/lib/ssl/sslerr.c
deleted file mode 100644
index d619bbfb0..000000000
--- a/security/nss/lib/ssl/sslerr.c
+++ /dev/null
@@ -1,74 +0,0 @@
-/*
- * Function to set error code only when meaningful error has not already 
- * been set.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "prerror.h"
-#include "secerr.h"
-#include "sslerr.h"
-#include "seccomon.h"
-
-/* look at the current value of PR_GetError, and evaluate it to see
- * if it is meaningful or meaningless (out of context). 
- * If it is meaningless, replace it with the hiLevelError.
- * Returns the chosen error value.
- */
-int
-ssl_MapLowLevelError(int hiLevelError)
-{
-    int oldErr	= PORT_GetError();
-
-    switch (oldErr) {
-
-    case 0:
-    case PR_IO_ERROR:
-    case SEC_ERROR_IO:
-    case SEC_ERROR_BAD_DATA:
-    case SEC_ERROR_LIBRARY_FAILURE:
-    case SEC_ERROR_EXTENSION_NOT_FOUND:
-    case SSL_ERROR_BAD_CLIENT:
-    case SSL_ERROR_BAD_SERVER:
-    case SSL_ERROR_SESSION_NOT_FOUND:
-    	PORT_SetError(hiLevelError);
-	return hiLevelError;
-
-    default:	/* leave the majority of error codes alone. */
-	return oldErr;
-    }
-}
diff --git a/security/nss/lib/ssl/sslerr.h b/security/nss/lib/ssl/sslerr.h
deleted file mode 100644
index be808b8bc..000000000
--- a/security/nss/lib/ssl/sslerr.h
+++ /dev/null
@@ -1,193 +0,0 @@
-/*
- * Enumeration of all SSL-specific error codes.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-#ifndef __SSL_ERR_H_
-#define __SSL_ERR_H_
-
-
-#define SSL_ERROR_BASE				(-0x3000)
-#define SSL_ERROR_LIMIT				(SSL_ERROR_BASE + 1000)
-
-#define IS_SSL_ERROR(code) \
-    (((code) >= SSL_ERROR_BASE) && ((code) < SSL_ERROR_LIMIT))
-
-#ifndef NO_SECURITY_ERROR_ENUM
-typedef enum {
-SSL_ERROR_EXPORT_ONLY_SERVER 		= (SSL_ERROR_BASE +  0),
-SSL_ERROR_US_ONLY_SERVER 		= (SSL_ERROR_BASE +  1),
-SSL_ERROR_NO_CYPHER_OVERLAP 		= (SSL_ERROR_BASE +  2),
-/* 
- * Received an alert reporting what we did wrong.  (more alerts below)
- */
-SSL_ERROR_NO_CERTIFICATE /*_ALERT */	= (SSL_ERROR_BASE +  3),
-SSL_ERROR_BAD_CERTIFICATE            	= (SSL_ERROR_BASE +  4),
-					/* error 5 is obsolete */
-SSL_ERROR_BAD_CLIENT 			= (SSL_ERROR_BASE +  6),
-SSL_ERROR_BAD_SERVER 			= (SSL_ERROR_BASE +  7),
-SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE	= (SSL_ERROR_BASE +  8),
-SSL_ERROR_UNSUPPORTED_VERSION 		= (SSL_ERROR_BASE +  9),
-					/* error 10 is obsolete */
-SSL_ERROR_WRONG_CERTIFICATE		= (SSL_ERROR_BASE + 11),
-SSL_ERROR_BAD_CERT_DOMAIN 		= (SSL_ERROR_BASE + 12),
-SSL_ERROR_POST_WARNING 			= (SSL_ERROR_BASE + 13),
-SSL_ERROR_SSL2_DISABLED 		= (SSL_ERROR_BASE + 14),
-SSL_ERROR_BAD_MAC_READ 			= (SSL_ERROR_BASE + 15),
-/* 
- * Received an alert reporting what we did wrong.
- * (two more alerts above, and many more below)
- */
-SSL_ERROR_BAD_MAC_ALERT 		= (SSL_ERROR_BASE + 16),
-SSL_ERROR_BAD_CERT_ALERT                = (SSL_ERROR_BASE + 17),
-SSL_ERROR_REVOKED_CERT_ALERT 		= (SSL_ERROR_BASE + 18),
-SSL_ERROR_EXPIRED_CERT_ALERT 		= (SSL_ERROR_BASE + 19),
-
-SSL_ERROR_SSL_DISABLED 			= (SSL_ERROR_BASE + 20),
-SSL_ERROR_FORTEZZA_PQG 			= (SSL_ERROR_BASE + 21),
-SSL_ERROR_UNKNOWN_CIPHER_SUITE		= (SSL_ERROR_BASE + 22),
-SSL_ERROR_NO_CIPHERS_SUPPORTED		= (SSL_ERROR_BASE + 23),
-SSL_ERROR_BAD_BLOCK_PADDING		= (SSL_ERROR_BASE + 24),
-SSL_ERROR_RX_RECORD_TOO_LONG		= (SSL_ERROR_BASE + 25),
-SSL_ERROR_TX_RECORD_TOO_LONG		= (SSL_ERROR_BASE + 26),
-/* 
- * Received a malformed (too long or short) SSL handshake.
- */
-SSL_ERROR_RX_MALFORMED_HELLO_REQUEST	= (SSL_ERROR_BASE + 27),
-SSL_ERROR_RX_MALFORMED_CLIENT_HELLO	= (SSL_ERROR_BASE + 28),
-SSL_ERROR_RX_MALFORMED_SERVER_HELLO	= (SSL_ERROR_BASE + 29),
-SSL_ERROR_RX_MALFORMED_CERTIFICATE	= (SSL_ERROR_BASE + 30),
-SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH	= (SSL_ERROR_BASE + 31),
-SSL_ERROR_RX_MALFORMED_CERT_REQUEST	= (SSL_ERROR_BASE + 32),
-SSL_ERROR_RX_MALFORMED_HELLO_DONE	= (SSL_ERROR_BASE + 33),
-SSL_ERROR_RX_MALFORMED_CERT_VERIFY	= (SSL_ERROR_BASE + 34),
-SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH	= (SSL_ERROR_BASE + 35),
-SSL_ERROR_RX_MALFORMED_FINISHED 	= (SSL_ERROR_BASE + 36),
-/* 
- * Received a malformed (too long or short) SSL record.
- */
-SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER 	= (SSL_ERROR_BASE + 37),
-SSL_ERROR_RX_MALFORMED_ALERT	 	= (SSL_ERROR_BASE + 38),
-SSL_ERROR_RX_MALFORMED_HANDSHAKE 	= (SSL_ERROR_BASE + 39),
-SSL_ERROR_RX_MALFORMED_APPLICATION_DATA	= (SSL_ERROR_BASE + 40),
-/*
- * Received an SSL handshake that was inappropriate for the state we're in.
- * E.g. Server received message from server, or wrong state in state machine.
- */
-SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST	= (SSL_ERROR_BASE + 41),
-SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO	= (SSL_ERROR_BASE + 42),
-SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO	= (SSL_ERROR_BASE + 43),
-SSL_ERROR_RX_UNEXPECTED_CERTIFICATE	= (SSL_ERROR_BASE + 44),
-SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH	= (SSL_ERROR_BASE + 45),
-SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST	= (SSL_ERROR_BASE + 46),
-SSL_ERROR_RX_UNEXPECTED_HELLO_DONE	= (SSL_ERROR_BASE + 47),
-SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY	= (SSL_ERROR_BASE + 48),
-SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH	= (SSL_ERROR_BASE + 49),
-SSL_ERROR_RX_UNEXPECTED_FINISHED 	= (SSL_ERROR_BASE + 50),
-/*
- * Received an SSL record that was inappropriate for the state we're in.
- */
-SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER 	= (SSL_ERROR_BASE + 51),
-SSL_ERROR_RX_UNEXPECTED_ALERT	 	= (SSL_ERROR_BASE + 52),
-SSL_ERROR_RX_UNEXPECTED_HANDSHAKE 	= (SSL_ERROR_BASE + 53),
-SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA= (SSL_ERROR_BASE + 54),
-/*
- * Received record/message with unknown discriminant.
- */
-SSL_ERROR_RX_UNKNOWN_RECORD_TYPE	= (SSL_ERROR_BASE + 55),
-SSL_ERROR_RX_UNKNOWN_HANDSHAKE 		= (SSL_ERROR_BASE + 56),
-SSL_ERROR_RX_UNKNOWN_ALERT 		= (SSL_ERROR_BASE + 57),
-/* 
- * Received an alert reporting what we did wrong.  (more alerts above)
- */
-SSL_ERROR_CLOSE_NOTIFY_ALERT 		= (SSL_ERROR_BASE + 58),
-SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT 	= (SSL_ERROR_BASE + 59),
-SSL_ERROR_DECOMPRESSION_FAILURE_ALERT 	= (SSL_ERROR_BASE + 60),
-SSL_ERROR_HANDSHAKE_FAILURE_ALERT 	= (SSL_ERROR_BASE + 61),
-SSL_ERROR_ILLEGAL_PARAMETER_ALERT 	= (SSL_ERROR_BASE + 62),
-SSL_ERROR_UNSUPPORTED_CERT_ALERT 	= (SSL_ERROR_BASE + 63),
-SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT 	= (SSL_ERROR_BASE + 64),
-
-SSL_ERROR_GENERATE_RANDOM_FAILURE	= (SSL_ERROR_BASE + 65),
-SSL_ERROR_SIGN_HASHES_FAILURE		= (SSL_ERROR_BASE + 66),
-SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE	= (SSL_ERROR_BASE + 67),
-SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE	= (SSL_ERROR_BASE + 68),
-SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE	= (SSL_ERROR_BASE + 69),
-
-SSL_ERROR_ENCRYPTION_FAILURE		= (SSL_ERROR_BASE + 70),
-SSL_ERROR_DECRYPTION_FAILURE		= (SSL_ERROR_BASE + 71),
-SSL_ERROR_SOCKET_WRITE_FAILURE		= (SSL_ERROR_BASE + 72),
-
-SSL_ERROR_MD5_DIGEST_FAILURE		= (SSL_ERROR_BASE + 73),
-SSL_ERROR_SHA_DIGEST_FAILURE		= (SSL_ERROR_BASE + 74),
-SSL_ERROR_MAC_COMPUTATION_FAILURE	= (SSL_ERROR_BASE + 75),
-SSL_ERROR_SYM_KEY_CONTEXT_FAILURE	= (SSL_ERROR_BASE + 76),
-SSL_ERROR_SYM_KEY_UNWRAP_FAILURE	= (SSL_ERROR_BASE + 77),
-SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED	= (SSL_ERROR_BASE + 78),
-SSL_ERROR_IV_PARAM_FAILURE		= (SSL_ERROR_BASE + 79),
-SSL_ERROR_INIT_CIPHER_SUITE_FAILURE	= (SSL_ERROR_BASE + 80),
-SSL_ERROR_SESSION_KEY_GEN_FAILURE	= (SSL_ERROR_BASE + 81),
-SSL_ERROR_NO_SERVER_KEY_FOR_ALG		= (SSL_ERROR_BASE + 82),
-SSL_ERROR_TOKEN_INSERTION_REMOVAL	= (SSL_ERROR_BASE + 83),
-SSL_ERROR_TOKEN_SLOT_NOT_FOUND		= (SSL_ERROR_BASE + 84),
-SSL_ERROR_NO_COMPRESSION_OVERLAP	= (SSL_ERROR_BASE + 85),
-SSL_ERROR_HANDSHAKE_NOT_COMPLETED	= (SSL_ERROR_BASE + 86),
-SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE	= (SSL_ERROR_BASE + 87),
-SSL_ERROR_CERT_KEA_MISMATCH		= (SSL_ERROR_BASE + 88),
-SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA	= (SSL_ERROR_BASE + 89),
-SSL_ERROR_SESSION_NOT_FOUND		= (SSL_ERROR_BASE + 90),
-
-SSL_ERROR_DECRYPTION_FAILED_ALERT	= (SSL_ERROR_BASE + 91),
-SSL_ERROR_RECORD_OVERFLOW_ALERT		= (SSL_ERROR_BASE + 92),
-SSL_ERROR_UNKNOWN_CA_ALERT		= (SSL_ERROR_BASE + 93),
-SSL_ERROR_ACCESS_DENIED_ALERT		= (SSL_ERROR_BASE + 94),
-SSL_ERROR_DECODE_ERROR_ALERT		= (SSL_ERROR_BASE + 95),
-SSL_ERROR_DECRYPT_ERROR_ALERT		= (SSL_ERROR_BASE + 96),
-SSL_ERROR_EXPORT_RESTRICTION_ALERT	= (SSL_ERROR_BASE + 97),
-SSL_ERROR_PROTOCOL_VERSION_ALERT	= (SSL_ERROR_BASE + 98),
-SSL_ERROR_INSUFFICIENT_SECURITY_ALERT	= (SSL_ERROR_BASE + 99),
-SSL_ERROR_INTERNAL_ERROR_ALERT		= (SSL_ERROR_BASE + 100),
-SSL_ERROR_USER_CANCELED_ALERT		= (SSL_ERROR_BASE + 101),
-SSL_ERROR_NO_RENEGOTIATION_ALERT	= (SSL_ERROR_BASE + 102),
-
-SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED	= (SSL_ERROR_BASE + 103),
-
-SSL_ERROR_END_OF_LIST	/* let the c compiler determine the value of this. */
-} SSLErrorCodes;
-#endif /* NO_SECURITY_ERROR_ENUM */
-
-#endif /* __SSL_ERR_H_ */
diff --git a/security/nss/lib/ssl/sslgathr.c b/security/nss/lib/ssl/sslgathr.c
deleted file mode 100644
index 8308ad194..000000000
--- a/security/nss/lib/ssl/sslgathr.c
+++ /dev/null
@@ -1,483 +0,0 @@
-/*
- * Gather (Read) entire SSL2 records from socket into buffer.  
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-#include "cert.h"
-#include "ssl.h"
-#include "sslimpl.h"
-#include "sslproto.h"
-
-/* Forward static declarations */
-static SECStatus ssl2_HandleV3HandshakeRecord(sslSocket *ss);
-
-/*
-** Gather a single record of data from the receiving stream. This code
-** first gathers the header (2 or 3 bytes long depending on the value of
-** the most significant bit in the first byte) then gathers up the data
-** for the record into gs->buf. This code handles non-blocking I/O
-** and is to be called multiple times until ss->sec.recordLen != 0.
-** This function decrypts the gathered record in place, in gs_buf.
- *
- * Caller must hold RecvBufLock. 
- *
- * Returns +1 when it has gathered a complete SSLV2 record.
- * Returns  0 if it hits EOF.
- * Returns -1 (SECFailure)    on any error
- * Returns -2 (SECWouldBlock) when it gathers an SSL v3 client hello header.
-**
-** The SSL2 Gather State machine has 4 states:
-** GS_INIT   - Done reading in previous record.  Haven't begun to read in
-**             next record.  When ssl2_GatherData is called with the machine
-**             in this state, the machine will attempt to read the first 3
-**             bytes of the SSL2 record header, and will advance the state
-**             to GS_HEADER.
-**
-** GS_HEADER - The machine is in this state while waiting for the completion
-**             of the first 3 bytes of the SSL2 record.  When complete, the
-**             machine will compute the remaining unread length of this record
-**             and will initiate a read of that many bytes.  The machine will
-**             advance to one of two states, depending on whether the record
-**             is encrypted (GS_MAC), or unencrypted (GS_DATA).
-**
-** GS_MAC    - The machine is in this state while waiting for the remainder 
-**             of the SSL2 record to be read in.  When the read is completed,
-**             the machine checks the record for valid length, decrypts it,
-**             and checks and discards the MAC, then advances to GS_INIT.
-**
-** GS_DATA   - The machine is in this state while waiting for the remainder
-**             of the unencrypted SSL2 record to be read in.  Upon completion,
-**             the machine advances to the GS_INIT state and returns the data.
-*/
-int 
-ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags)
-{
-    unsigned char *  bp;
-    unsigned char *  pBuf;
-    int              nb, err, rv;
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-
-    if (gs->state == GS_INIT) {
-	/* Initialize gathering engine */
-	gs->state         = GS_HEADER;
-	gs->remainder     = 3;
-	gs->count         = 3;
-	gs->offset        = 0;
-	gs->recordLen     = 0;
-	gs->recordPadding = 0;
-	gs->hdr[2]        = 0;
-
-	gs->writeOffset   = 0;
-	gs->readOffset    = 0;
-    }
-    if (gs->encrypted) {
-	PORT_Assert(ss->sec.hash != 0);
-    }
-
-    pBuf = gs->buf.buf;
-    for (;;) {
-	SSL_TRC(30, ("%d: SSL[%d]: gather state %d (need %d more)",
-		     SSL_GETPID(), ss->fd, gs->state, gs->remainder));
-	bp = ((gs->state != GS_HEADER) ? pBuf : gs->hdr) + gs->offset;
-	nb = ssl_DefRecv(ss, bp, gs->remainder, flags);
-	if (nb > 0) {
-	    PRINT_BUF(60, (ss, "raw gather data:", bp, nb));
-	}
-	if (nb == 0) {
-	    /* EOF */
-	    SSL_TRC(30, ("%d: SSL[%d]: EOF", SSL_GETPID(), ss->fd));
-	    rv = 0;
-	    break;
-	}
-	if (nb < 0) {
-	    SSL_DBG(("%d: SSL[%d]: recv error %d", SSL_GETPID(), ss->fd,
-		     PR_GetError()));
-	    rv = SECFailure;
-	    break;
-	}
-
-	gs->offset    += nb;
-	gs->remainder -= nb;
-
-	if (gs->remainder > 0) {
-	    continue;
-	}
-
-	/* Probably finished this piece */
-	switch (gs->state) {
-	case GS_HEADER: 
-	    if ((ss->opt.enableSSL3 || ss->opt.enableTLS) && !ss->firstHsDone) {
-
-		PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-
-		/* If this looks like an SSL3 handshake record, 
-		** and we're expecting an SSL2 Hello message from our peer, 
-		** handle it here.
-		*/
-		if (gs->hdr[0] == content_handshake) {
-		    if ((ss->nextHandshake == ssl2_HandleClientHelloMessage) ||
-			(ss->nextHandshake == ssl2_HandleServerHelloMessage)) {
-			rv = ssl2_HandleV3HandshakeRecord(ss);
-			if (rv == SECFailure) {
-			    return SECFailure;
-			}
-		    }
-		    /* XXX_1	The call stack to here is:
-		     * ssl_Do1stHandshake -> ssl_GatherRecord1stHandshake -> 
-		     *			ssl2_GatherRecord -> here.
-		     * We want to return all the way out to ssl_Do1stHandshake,
-		     * and have it call ssl_GatherRecord1stHandshake again. 
-		     * ssl_GatherRecord1stHandshake will call 
-		     * ssl3_GatherCompleteHandshake when it is called again.
-		     *
-		     * Returning SECWouldBlock here causes 
-		     * ssl_GatherRecord1stHandshake to return without clearing 
-		     * ss->handshake, ensuring that ssl_Do1stHandshake will 
-		     * call it again immediately.
-		     * 
-		     * If we return 1 here, ssl_GatherRecord1stHandshake will 
-		     * clear ss->handshake before returning, and thus will not 
-		     * be called again by ssl_Do1stHandshake.  
-		     */
-		    return SECWouldBlock;
-		} else if (gs->hdr[0] == content_alert) {
-		    if (ss->nextHandshake == ssl2_HandleServerHelloMessage) {
-			/* XXX This is a hack.  We're assuming that any failure
-			 * XXX on the client hello is a failure to match
-			 * XXX ciphers.
-			 */
-			PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
-			return SECFailure;
-		    }
-		}
-	    }	/* ((ss->opt.enableSSL3 || ss->opt.enableTLS) && !ss->firstHsDone) */
-
-	    /* we've got the first 3 bytes.  The header may be two or three. */
-	    if (gs->hdr[0] & 0x80) {
-		/* This record has a 2-byte header, and no padding */
-		gs->count = ((gs->hdr[0] & 0x7f) << 8) | gs->hdr[1];
-		gs->recordPadding = 0;
-	    } else {
-		/* This record has a 3-byte header that is all read in now. */
-		gs->count = ((gs->hdr[0] & 0x3f) << 8) | gs->hdr[1];
-	    /*  is_escape =  (gs->hdr[0] & 0x40) != 0; */
-		gs->recordPadding = gs->hdr[2];
-	    }
-	    if (!gs->count) {
-		PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
-		goto cleanup;
-	    }
-
-	    if (gs->count > gs->buf.space) {
-		err = sslBuffer_Grow(&gs->buf, gs->count);
-		if (err) {
-		    return err;
-		}
-		pBuf = gs->buf.buf;
-	    }
-
-
-	    if (gs->hdr[0] & 0x80) {
-	    	/* we've already read in the first byte of the body.
-		** Put it into the buffer.
-		*/
-		pBuf[0]        = gs->hdr[2];
-		gs->offset    = 1;
-		gs->remainder = gs->count - 1;
-	    } else {
-		gs->offset    = 0;
-		gs->remainder = gs->count;
-	    }
-
-	    if (gs->encrypted) {
-		gs->state     = GS_MAC;
-		gs->recordLen = gs->count - gs->recordPadding
-		                          - ss->sec.hash->length;
-	    } else {
-		gs->state     = GS_DATA;
-		gs->recordLen = gs->count;
-	    }
-
-	    break;
-
-
-	case GS_MAC:
-	    /* Have read in entire rest of the ciphertext.  
-	    ** Check for valid length.
-	    ** Decrypt it.
-	    ** Check the MAC.
-	    */
-	    PORT_Assert(gs->encrypted);
-
-	  {
-	    unsigned int     macLen;
-	    int              nout;
-	    unsigned char    mac[SSL_MAX_MAC_BYTES];
-
-	    ssl_GetSpecReadLock(ss); /**********************************/
-
-	    /* If this is a stream cipher, blockSize will be 1,
-	     * and this test will always be false.
-	     * If this is a block cipher, this will detect records
-	     * that are not a multiple of the blocksize in length.
-	     */
-	    if (gs->count & (ss->sec.blockSize - 1)) {
-		/* This is an error. Sender is misbehaving */
-		SSL_DBG(("%d: SSL[%d]: sender, count=%d blockSize=%d",
-			 SSL_GETPID(), ss->fd, gs->count,
-			 ss->sec.blockSize));
-		PORT_SetError(SSL_ERROR_BAD_BLOCK_PADDING);
-		rv = SECFailure;
-		goto spec_locked_done;
-	    }
-	    PORT_Assert(gs->count == gs->offset);
-
-	    if (gs->offset == 0) {
-		rv = 0;			/* means EOF. */
-		goto spec_locked_done;
-	    }
-
-	    /* Decrypt the portion of data that we just recieved.
-	    ** Decrypt it in place.
-	    */
-	    rv = (*ss->sec.dec)(ss->sec.readcx, pBuf, &nout, gs->offset,
-			     pBuf, gs->offset);
-	    if (rv != SECSuccess) {
-		goto spec_locked_done;
-	    }
-
-
-	    /* Have read in all the MAC portion of record 
-	    **
-	    ** Prepare MAC by resetting it and feeding it the shared secret
-	    */
-	    macLen = ss->sec.hash->length;
-	    if (gs->offset >= macLen) {
-		uint32           sequenceNumber = ss->sec.rcvSequence++;
-		unsigned char    seq[4];
-
-		seq[0] = (unsigned char) (sequenceNumber >> 24);
-		seq[1] = (unsigned char) (sequenceNumber >> 16);
-		seq[2] = (unsigned char) (sequenceNumber >> 8);
-		seq[3] = (unsigned char) (sequenceNumber);
-
-		(*ss->sec.hash->begin)(ss->sec.hashcx);
-		(*ss->sec.hash->update)(ss->sec.hashcx, ss->sec.rcvSecret.data,
-				        ss->sec.rcvSecret.len);
-		(*ss->sec.hash->update)(ss->sec.hashcx, pBuf + macLen, 
-				        gs->offset - macLen);
-		(*ss->sec.hash->update)(ss->sec.hashcx, seq, 4);
-		(*ss->sec.hash->end)(ss->sec.hashcx, mac, &macLen, macLen);
-	    }
-
-	    PORT_Assert(macLen == ss->sec.hash->length);
-
-	    ssl_ReleaseSpecReadLock(ss);  /******************************/
-
-	    if (PORT_Memcmp(mac, pBuf, macLen) != 0) {
-		/* MAC's didn't match... */
-		SSL_DBG(("%d: SSL[%d]: mac check failed, seq=%d",
-			 SSL_GETPID(), ss->fd, ss->sec.rcvSequence));
-		PRINT_BUF(1, (ss, "computed mac:", mac, macLen));
-		PRINT_BUF(1, (ss, "received mac:", pBuf, macLen));
-		PORT_SetError(SSL_ERROR_BAD_MAC_READ);
-		rv = SECFailure;
-		goto cleanup;
-	    }
-
-
-	    PORT_Assert(gs->recordPadding + macLen <= gs->offset);
-	    if (gs->recordPadding + macLen <= gs->offset) {
-		gs->recordOffset  = macLen;
-		gs->readOffset    = macLen;
-		gs->writeOffset   = gs->offset - gs->recordPadding;
-		rv = 1;
-	    } else {
-		PORT_SetError(SSL_ERROR_BAD_BLOCK_PADDING);
-cleanup:
-		/* nothing in the buffer any more. */
-		gs->recordOffset  = 0;
-		gs->readOffset    = 0;
-	    	gs->writeOffset   = 0;
-		rv = SECFailure;
-	    }
-
-	    gs->recordLen     = gs->writeOffset - gs->readOffset;
-	    gs->recordPadding = 0;	/* forget we did any padding. */
-	    gs->state = GS_INIT;
-
-
-	    if (rv > 0) {
-		PRINT_BUF(50, (ss, "recv clear record:", 
-		               pBuf + gs->recordOffset, gs->recordLen));
-	    }
-	    return rv;
-
-spec_locked_done:
-	    ssl_ReleaseSpecReadLock(ss);
-	    return rv;
-	  }
-
-	case GS_DATA:
-	    /* Have read in all the DATA portion of record */
-
-	    gs->recordOffset  = 0;
-	    gs->readOffset    = 0;
-	    gs->writeOffset   = gs->offset;
-	    PORT_Assert(gs->recordLen == gs->writeOffset - gs->readOffset);
-	    gs->recordLen     = gs->offset;
-	    gs->recordPadding = 0;
-	    gs->state         = GS_INIT;
-
-	    ++ss->sec.rcvSequence;
-
-	    PRINT_BUF(50, (ss, "recv clear record:", 
-	                   pBuf + gs->recordOffset, gs->recordLen));
-	    return 1;
-
-	}	/* end switch gs->state */
-    }		/* end gather loop. */
-    return rv;
-}
-
-/*
-** Gather a single record of data from the receiving stream. This code
-** first gathers the header (2 or 3 bytes long depending on the value of
-** the most significant bit in the first byte) then gathers up the data
-** for the record into the readBuf. This code handles non-blocking I/O
-** and is to be called multiple times until ss->sec.recordLen != 0.
- *
- * Returns +1 when it has gathered a complete SSLV2 record.
- * Returns  0 if it hits EOF.
- * Returns -1 (SECFailure)    on any error
- * Returns -2 (SECWouldBlock) 
- *
- * Called by ssl_GatherRecord1stHandshake in sslcon.c, 
- * and by DoRecv in sslsecur.c
- * Caller must hold RecvBufLock.
- */
-int 
-ssl2_GatherRecord(sslSocket *ss, int flags)
-{
-    return ssl2_GatherData(ss, &ss->gs, flags);
-}
-
-/*
- * Returns +1 when it has gathered a complete SSLV2 record.
- * Returns  0 if it hits EOF.
- * Returns -1 (SECFailure)    on any error
- * Returns -2 (SECWouldBlock) 
- *
- * Called from SocksStartGather in sslsocks.c
- * Caller must hold RecvBufLock. 
- */
-int 
-ssl2_StartGatherBytes(sslSocket *ss, sslGather *gs, unsigned int count)
-{
-    int rv;
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-    gs->state     = GS_DATA;
-    gs->remainder = count;
-    gs->count     = count;
-    gs->offset    = 0;
-    if (count > gs->buf.space) {
-	rv = sslBuffer_Grow(&gs->buf, count);
-	if (rv) {
-	    return rv;
-	}
-    }
-    return ssl2_GatherData(ss, gs, 0);
-}
-
-/* Caller should hold RecvBufLock. */
-SECStatus
-ssl_InitGather(sslGather *gs)
-{
-    SECStatus status;
-
-    gs->state = GS_INIT;
-    gs->writeOffset = 0;
-    gs->readOffset  = 0;
-    status = sslBuffer_Grow(&gs->buf, 4096);
-    return status;
-}
-
-/* Caller must hold RecvBufLock. */
-void 
-ssl_DestroyGather(sslGather *gs)
-{
-    if (gs) {	/* the PORT_*Free functions check for NULL pointers. */
-	PORT_ZFree(gs->buf.buf, gs->buf.space);
-	PORT_Free(gs->inbuf.buf);
-    }
-}
-
-/* Caller must hold RecvBufLock. */
-static SECStatus
-ssl2_HandleV3HandshakeRecord(sslSocket *ss)
-{
-    SECStatus           rv;
-    SSL3ProtocolVersion version = (ss->gs.hdr[1] << 8) | ss->gs.hdr[2];
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-
-    /* We've read in 3 bytes, there are 2 more to go in an ssl3 header. */
-    ss->gs.remainder         = 2;
-    ss->gs.count             = 0;
-
-    /* Clearing these handshake pointers ensures that 
-     * ssl_Do1stHandshake won't call ssl2_HandleMessage when we return.
-     */
-    ss->nextHandshake     = 0;
-    ss->securityHandshake = 0;
-
-    /* Setting ss->version to an SSL 3.x value will cause 
-    ** ssl_GatherRecord1stHandshake to invoke ssl3_GatherCompleteHandshake() 
-    ** the next time it is called.
-    **/
-    rv = ssl3_NegotiateVersion(ss, version);
-    if (rv != SECSuccess) {
-	return rv;
-    }
-
-    ss->sec.send         = ssl3_SendApplicationData;
-
-    return SECSuccess;
-}
diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h
deleted file mode 100644
index 45e7fa552..000000000
--- a/security/nss/lib/ssl/sslimpl.h
+++ /dev/null
@@ -1,1393 +0,0 @@
-/*
- * This file is PRIVATE to SSL and should be the first thing included by
- * any SSL implementation file.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Stephen Henson <stephen.henson@gemplus.com>
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#ifndef __sslimpl_h_
-#define __sslimpl_h_
-
-#ifdef DEBUG
-#undef NDEBUG
-#else
-#undef NDEBUG
-#define NDEBUG
-#endif
-#include "secport.h"
-#include "secerr.h"
-#include "sslerr.h"
-#include "ssl3prot.h"
-#include "hasht.h"
-#include "nssilock.h"
-#include "pkcs11t.h"
-#if defined(XP_UNIX) || defined(XP_BEOS)
-#include "unistd.h"
-#endif
-#include "nssrwlk.h"
-#include "prthread.h"
-
-#include "sslt.h" /* for some formerly private types, now public */
-
-/* to make some of these old enums public without namespace pollution,
-** it was necessary to prepend ssl_ to the names.
-** These #defines preserve compatibility with the old code here in libssl.
-*/
-typedef SSLKEAType      SSL3KEAType;
-typedef SSLMACAlgorithm SSL3MACAlgorithm;
-typedef SSLSignType     SSL3SignType;
-
-#define sign_null	ssl_sign_null
-#define sign_rsa	ssl_sign_rsa
-#define sign_dsa	ssl_sign_dsa
-#define sign_ecdsa	ssl_sign_ecdsa
-
-#define calg_null	ssl_calg_null
-#define calg_rc4	ssl_calg_rc4
-#define calg_rc2	ssl_calg_rc2
-#define calg_des	ssl_calg_des
-#define calg_3des	ssl_calg_3des
-#define calg_idea	ssl_calg_idea
-#define calg_fortezza	ssl_calg_fortezza /* deprecated, must preserve */
-#define calg_aes	ssl_calg_aes
-
-#define mac_null	ssl_mac_null
-#define mac_md5 	ssl_mac_md5
-#define mac_sha 	ssl_mac_sha
-#define hmac_md5	ssl_hmac_md5
-#define hmac_sha	ssl_hmac_sha
-
-#define SET_ERROR_CODE		/* reminder */
-#define SEND_ALERT		/* reminder */
-#define TEST_FOR_FAILURE	/* reminder */
-#define DEAL_WITH_FAILURE	/* reminder */
-
-#if defined(DEBUG) || defined(TRACE)
-#ifdef __cplusplus
-#define Debug 1
-#else
-extern int Debug;
-#endif
-#else
-#undef Debug
-#endif
-
-#if defined(DEBUG) && !defined(TRACE) && !defined(NISCC_TEST)
-#define TRACE
-#endif
-
-#ifdef TRACE
-#define SSL_TRC(a,b) if (ssl_trace >= (a)) ssl_Trace b
-#define PRINT_BUF(a,b) if (ssl_trace >= (a)) ssl_PrintBuf b
-#define DUMP_MSG(a,b) if (ssl_trace >= (a)) ssl_DumpMsg b
-#else
-#define SSL_TRC(a,b)
-#define PRINT_BUF(a,b)
-#define DUMP_MSG(a,b)
-#endif
-
-#ifdef DEBUG
-#define SSL_DBG(b) if (ssl_debug) ssl_Trace b
-#else
-#define SSL_DBG(b)
-#endif
-
-#if defined (DEBUG)
-#ifdef macintosh
-#include "pprthred.h"
-#else
-#include "private/pprthred.h"	/* for PR_InMonitor() */
-#endif
-#define ssl_InMonitor(m) PZ_InMonitor(m)
-#endif
-
-#define LSB(x) ((unsigned char) (x & 0xff))
-#define MSB(x) ((unsigned char) (((unsigned)(x)) >> 8))
-
-/************************************************************************/
-
-typedef enum { SSLAppOpRead = 0,
-	       SSLAppOpWrite,
-	       SSLAppOpRDWR,
-	       SSLAppOpPost,
-	       SSLAppOpHeader
-} SSLAppOperation;
-
-#define SSL_MIN_MASTER_KEY_BYTES	5
-#define SSL_MAX_MASTER_KEY_BYTES	64
-
-#define SSL2_SESSIONID_BYTES		16
-#define SSL3_SESSIONID_BYTES		32
-
-#define SSL_MIN_CHALLENGE_BYTES		16
-#define SSL_MAX_CHALLENGE_BYTES		32
-#define SSL_CHALLENGE_BYTES		16
-
-#define SSL_CONNECTIONID_BYTES		16
-
-#define SSL_MIN_CYPHER_ARG_BYTES	0
-#define SSL_MAX_CYPHER_ARG_BYTES	32
-
-#define SSL_MAX_MAC_BYTES		16
-
-#define SSL3_RSA_PMS_LENGTH 48
-#define SSL3_MASTER_SECRET_LENGTH 48
-
-/* number of wrap mechanisms potentially used to wrap master secrets. */
-#define SSL_NUM_WRAP_MECHS              13
-
-/* This makes the cert cache entry exactly 4k. */
-#define SSL_MAX_CACHED_CERT_LEN		4060
-
-#define NUM_MIXERS                      9
-
-#ifndef BPB
-#define BPB 8 /* Bits Per Byte */
-#endif
-
-typedef struct sslBufferStr             sslBuffer;
-typedef struct sslConnectInfoStr        sslConnectInfo;
-typedef struct sslGatherStr             sslGather;
-typedef struct sslSecurityInfoStr       sslSecurityInfo;
-typedef struct sslSessionIDStr          sslSessionID;
-typedef struct sslSocketStr             sslSocket;
-typedef struct sslSocketOpsStr          sslSocketOps;
-
-typedef struct ssl3StateStr             ssl3State;
-typedef struct ssl3CertNodeStr          ssl3CertNode;
-typedef struct ssl3BulkCipherDefStr     ssl3BulkCipherDef;
-typedef struct ssl3MACDefStr            ssl3MACDef;
-typedef struct ssl3KeyPairStr		ssl3KeyPair;
-
-struct ssl3CertNodeStr {
-    struct ssl3CertNodeStr *next;
-    CERTCertificate *       cert;
-};
-
-typedef SECStatus (*sslHandshakeFunc)(sslSocket *ss);
-
-/* This type points to the low layer send func, 
-** e.g. ssl2_SendStream or ssl3_SendPlainText.
-** These functions return the same values as PR_Send, 
-** i.e.  >= 0 means number of bytes sent, < 0 means error.
-*/
-typedef PRInt32       (*sslSendFunc)(sslSocket *ss, const unsigned char *buf,
-			             PRInt32 n, PRInt32 flags);
-
-typedef void          (*sslSessionIDCacheFunc)  (sslSessionID *sid);
-typedef void          (*sslSessionIDUncacheFunc)(sslSessionID *sid);
-typedef sslSessionID *(*sslSessionIDLookupFunc)(const PRIPv6Addr    *addr,
-						unsigned char* sid,
-						unsigned int   sidLen,
-                                                CERTCertDBHandle * dbHandle);
-
-
-/* Socket ops */
-struct sslSocketOpsStr {
-    int         (*connect) (sslSocket *, const PRNetAddr *);
-    PRFileDesc *(*accept)  (sslSocket *, PRNetAddr *);
-    int         (*bind)    (sslSocket *, const PRNetAddr *);
-    int         (*listen)  (sslSocket *, int);
-    int         (*shutdown)(sslSocket *, int);
-    int         (*close)   (sslSocket *);
-
-    int         (*recv)    (sslSocket *, unsigned char *, int, int);
-
-    /* points to the higher-layer send func, e.g. ssl_SecureSend. */
-    int         (*send)    (sslSocket *, const unsigned char *, int, int);
-    int         (*read)    (sslSocket *, unsigned char *, int);
-    int         (*write)   (sslSocket *, const unsigned char *, int);
-
-    int         (*getpeername)(sslSocket *, PRNetAddr *);
-    int         (*getsockname)(sslSocket *, PRNetAddr *);
-};
-
-/* Flags interpreted by ssl send functions. */
-#define ssl_SEND_FLAG_FORCE_INTO_BUFFER	0x40000000
-#define ssl_SEND_FLAG_NO_BUFFER		0x20000000
-#define ssl_SEND_FLAG_MASK		0x7f000000
-
-/*
-** A buffer object.
-*/
-struct sslBufferStr {
-    unsigned char *	buf;
-    unsigned int 	len;
-    unsigned int 	space;
-};
-
-/*
-** SSL3 cipher suite policy and preference struct.
-*/
-typedef struct {
-#if !defined(_WIN32)
-    unsigned int    cipher_suite : 16;
-    unsigned int    policy       :  8;
-    unsigned int    enabled      :  1;
-    unsigned int    isPresent    :  1;
-#else
-    ssl3CipherSuite cipher_suite;
-    PRUint8         policy;
-    unsigned char   enabled   : 1;
-    unsigned char   isPresent : 1;
-#endif
-} ssl3CipherSuiteCfg;
-
-#ifdef NSS_ENABLE_ECC
-#define ssl_V3_SUITES_IMPLEMENTED 40
-#else
-#define ssl_V3_SUITES_IMPLEMENTED 26
-#endif /* NSS_ENABLE_ECC */
-
-typedef struct sslOptionsStr {
-    unsigned int useSecurity		: 1;  /*  1 */
-    unsigned int useSocks		: 1;  /*  2 */
-    unsigned int requestCertificate	: 1;  /*  3 */
-    unsigned int requireCertificate	: 2;  /*  4-5 */
-    unsigned int handshakeAsClient	: 1;  /*  6 */
-    unsigned int handshakeAsServer	: 1;  /*  7 */
-    unsigned int enableSSL2		: 1;  /*  8 */
-    unsigned int enableSSL3		: 1;  /*  9 */
-    unsigned int enableTLS		: 1;  /* 10 */
-    unsigned int noCache		: 1;  /* 11 */
-    unsigned int fdx			: 1;  /* 12 */
-    unsigned int v2CompatibleHello	: 1;  /* 13 */
-    unsigned int detectRollBack  	: 1;  /* 14 */
-    unsigned int noStepDown             : 1;  /* 15 */
-    unsigned int bypassPKCS11           : 1;  /* 16 */
-    unsigned int noLocks                : 1;  /* 17 */
-} sslOptions;
-
-typedef enum { sslHandshakingUndetermined = 0,
-	       sslHandshakingAsClient,
-	       sslHandshakingAsServer 
-} sslHandshakingType;
-
-typedef struct sslServerCertsStr {
-    /* Configuration state for server sockets */
-    CERTCertificate *     serverCert;
-    CERTCertificateList * serverCertChain;
-    ssl3KeyPair *         serverKeyPair;
-    unsigned int          serverKeyBits;
-} sslServerCerts;
-
-#define SERVERKEY serverKeyPair->privKey
-
-#define SSL_LOCK_RANK_SPEC 	255
-#define SSL_LOCK_RANK_GLOBAL 	NSS_RWLOCK_RANK_NONE
-
-/* These are the valid values for shutdownHow. 
-** These values are each 1 greater than the NSPR values, and the code
-** depends on that relation to efficiently convert PR_SHUTDOWN values 
-** into ssl_SHUTDOWN values.  These values use one bit for read, and 
-** another bit for write, and can be used as bitmasks.
-*/
-#define ssl_SHUTDOWN_NONE	0	/* NOT shutdown at all */
-#define ssl_SHUTDOWN_RCV	1	/* PR_SHUTDOWN_RCV  +1 */
-#define ssl_SHUTDOWN_SEND	2	/* PR_SHUTDOWN_SEND +1 */
-#define ssl_SHUTDOWN_BOTH	3	/* PR_SHUTDOWN_BOTH +1 */
-
-/*
-** A gather object. Used to read some data until a count has been
-** satisfied. Primarily for support of async sockets.
-** Everything in here is protected by the recvBufLock.
-*/
-struct sslGatherStr {
-    int           state;	/* see GS_ values below. */     /* ssl 2 & 3 */
-
-    /* "buf" holds received plaintext SSL records, after decrypt and MAC check.
-     * SSL2: recv'd ciphertext records are put here, then decrypted in place.
-     * SSL3: recv'd ciphertext records are put in inbuf (see below), then 
-     *       decrypted into buf.
-     */
-    sslBuffer     buf;				/*recvBufLock*/	/* ssl 2 & 3 */
-
-    /* number of bytes previously read into hdr or buf(ssl2) or inbuf (ssl3). 
-    ** (offset - writeOffset) is the number of ciphertext bytes read in but 
-    **     not yet deciphered.
-    */
-    unsigned int  offset;                                       /* ssl 2 & 3 */
-
-    /* number of bytes to read in next call to ssl_DefRecv (recv) */
-    unsigned int  remainder;                                    /* ssl 2 & 3 */
-
-    /* Number of ciphertext bytes to read in after 2-byte SSL record header. */
-    unsigned int  count;					/* ssl2 only */
-
-    /* size of the final plaintext record. 
-    ** == count - (recordPadding + MAC size)
-    */
-    unsigned int  recordLen;					/* ssl2 only */
-
-    /* number of bytes of padding to be removed after decrypting. */
-    /* This value is taken from the record's hdr[2], which means a too large
-     * value could crash us.
-     */
-    unsigned int  recordPadding;				/* ssl2 only */
-
-    /* plaintext DATA begins this many bytes into "buf".  */
-    unsigned int  recordOffset;					/* ssl2 only */
-
-    int           encrypted;    /* SSL2 session is now encrypted.  ssl2 only */
-
-    /* These next two values are used by SSL2 and SSL3.  
-    ** DoRecv uses them to extract application data.
-    ** The difference between writeOffset and readOffset is the amount of 
-    ** data available to the application.   Note that the actual offset of 
-    ** the data in "buf" is recordOffset (above), not readOffset.
-    ** In the current implementation, this is made available before the 
-    ** MAC is checked!!
-    */
-    unsigned int  readOffset;  /* Spot where DATA reader (e.g. application
-                               ** or handshake code) will read next.
-                               ** Always zero for SSl3 application data.
-			       */
-    /* offset in buf/inbuf/hdr into which new data will be read from socket. */
-    unsigned int  writeOffset; 
-
-    /* Buffer for ssl3 to read (encrypted) data from the socket */
-    sslBuffer     inbuf;			/*recvBufLock*/	/* ssl3 only */
-
-    /* The ssl[23]_GatherData functions read data into this buffer, rather
-    ** than into buf or inbuf, while in the GS_HEADER state.  
-    ** The portion of the SSL record header put here always comes off the wire 
-    ** as plaintext, never ciphertext.
-    ** For SSL2, the plaintext portion is two bytes long.  For SSl3 it is 5.
-    */
-    unsigned char hdr[5];					/* ssl 2 & 3 */
-};
-
-/* sslGather.state */
-#define GS_INIT		0
-#define GS_HEADER	1
-#define GS_MAC		2
-#define GS_DATA		3
-#define GS_PAD		4
-
-typedef SECStatus (*SSLCipher)(void *               context, 
-                               unsigned char *      out,
-			       int *                outlen, 
-			       int                  maxout, 
-			       const unsigned char *in,
-			       int                  inlen);
-typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit);
-
-
-
-/*
-** ssl3State and CipherSpec structs
-*/
-
-/* The SSL bulk cipher definition */
-typedef enum {
-    cipher_null,
-    cipher_rc4, 
-    cipher_rc4_40,
-    cipher_rc4_56,
-    cipher_rc2, 
-    cipher_rc2_40,
-    cipher_des, 
-    cipher_3des, 
-    cipher_des40,
-    cipher_idea, 
-    cipher_aes_128,
-    cipher_aes_256,
-    cipher_missing              /* reserved for no such supported cipher */
-    /* This enum must match ssl3_cipherName[] in ssl3con.c.  */
-} SSL3BulkCipher;
-
-typedef enum { type_stream, type_block } CipherType;
-
-#define MAX_IV_LENGTH 64
-
-/*
- * Do not depend upon 64 bit arithmetic in the underlying machine. 
- */
-typedef struct {
-    uint32         high;
-    uint32         low;
-} SSL3SequenceNumber;
-
-#define MAX_MAC_CONTEXT_BYTES 400
-#define MAX_MAC_CONTEXT_LLONGS (MAX_MAC_CONTEXT_BYTES / 8)
-
-#define MAX_CIPHER_CONTEXT_BYTES 2080
-#define MAX_CIPHER_CONTEXT_LLONGS (MAX_CIPHER_CONTEXT_BYTES / 8)
-
-typedef struct {
-    SSL3Opaque        client_write_iv         [24];
-    SSL3Opaque        server_write_iv         [24];
-    SSL3Opaque        wrapped_master_secret   [48];
-    PRUint16          wrapped_master_secret_len;
-    PRUint8           msIsWrapped;
-    PRUint8           resumable;
-} ssl3SidKeys; /* 100 bytes */
-
-typedef struct {
-    PK11SymKey  *write_key;
-    PK11SymKey  *write_mac_key;
-    PK11Context *write_mac_context;
-    SECItem     write_key_item;
-    SECItem     write_iv_item;
-    SECItem     write_mac_key_item;
-    SSL3Opaque  write_iv[MAX_IV_LENGTH];
-    PRUint64    cipher_context[MAX_CIPHER_CONTEXT_LLONGS];
-} ssl3KeyMaterial;
-
-/*
-** These are the "specs" in the "ssl3" struct.
-** Access to the pointers to these specs, and all the specs' contents
-** (direct and indirect) is protected by the reader/writer lock ss->specLock.
-*/
-typedef struct {
-    const ssl3BulkCipherDef *cipher_def;
-    const ssl3MACDef * mac_def;
-    int                mac_size;
-    SSLCipher          encode;
-    SSLCipher          decode;
-    SSLDestroy         destroy;
-    void *             encodeContext;
-    void *             decodeContext;
-    PRBool             bypassCiphers;	/* did double bypass (at least) */
-    PK11SymKey *       master_secret;
-    SSL3SequenceNumber write_seq_num;
-    SSL3SequenceNumber read_seq_num;
-    SSL3ProtocolVersion version;
-    ssl3KeyMaterial    client;
-    ssl3KeyMaterial    server;
-    SECItem            msItem;
-    unsigned char      key_block[NUM_MIXERS * MD5_LENGTH];
-    unsigned char      raw_master_secret[56];
-} ssl3CipherSpec;
-
-typedef enum {	never_cached, 
-		in_client_cache, 
-		in_server_cache, 
-		invalid_cache		/* no longer in any cache. */
-} Cached;
-
-struct sslSessionIDStr {
-    sslSessionID *        next;   /* chain used for client sockets, only */
-
-    CERTCertificate *     peerCert;
-    const char *          peerID;     /* client only */
-    const char *          urlSvrName; /* client only */
-    CERTCertificate *     localCert;
-
-    PRIPv6Addr            addr;
-    PRUint16              port;
-
-    SSL3ProtocolVersion   version;
-
-    PRUint32              creationTime;		/* seconds since Jan 1, 1970 */
-    PRUint32              lastAccessTime;	/* seconds since Jan 1, 1970 */
-    PRUint32              expirationTime;	/* seconds since Jan 1, 1970 */
-    Cached                cached;
-    int                   references;
-
-    SSLSignType           authAlgorithm;
-    PRUint32              authKeyBits;
-    SSLKEAType            keaType;
-    PRUint32              keaKeyBits;
-
-    union {
-	struct {
-	    /* the V2 code depends upon the size of sessionID.  */
-	    unsigned char         sessionID[SSL2_SESSIONID_BYTES];
-
-	    /* Stuff used to recreate key and read/write cipher objects */
-	    SECItem               masterKey;        /* never wrapped */
-	    int                   cipherType;
-	    SECItem               cipherArg;
-	    int                   keyBits;
-	    int                   secretKeyBits;
-	} ssl2;
-	struct {
-	    /* values that are copied into the server's on-disk SID cache. */
-	    uint8                 sessionIDLength;
-	    SSL3Opaque            sessionID[SSL3_SESSIONID_BYTES];
-
-	    ssl3CipherSuite       cipherSuite;
-	    SSL3CompressionMethod compression;
-	    int                   policy;
-	    ssl3SidKeys           keys;
-	    CK_MECHANISM_TYPE     masterWrapMech;
-				  /* mechanism used to wrap master secret */
-            SSL3KEAType           exchKeyType;
-				  /* key type used in exchange algorithm,
-				   * and to wrap the sym wrapping key. */
-
-	    /* The following values are NOT restored from the server's on-disk
-	     * session cache, but are restored from the client's cache.
-	     */
- 	    PK11SymKey *      clientWriteKey;
-	    PK11SymKey *      serverWriteKey;
-
-	    /* The following values pertain to the slot that wrapped the 
-	    ** master secret. (used only in client)
-	    */
-	    SECMODModuleID    masterModuleID;
-				    /* what module wrapped the master secret */
-	    CK_SLOT_ID        masterSlotID;
-	    PRUint16	      masterWrapIndex;
-				/* what's the key index for the wrapping key */
-	    PRUint16          masterWrapSeries;
-	                        /* keep track of the slot series, so we don't 
-				 * accidently try to use new keys after the 
-				 * card gets removed and replaced.*/
-
-	    /* The following values pertain to the slot that did the signature
-	    ** for client auth.   (used only in client)
-	    */
-	    SECMODModuleID    clAuthModuleID;
-	    CK_SLOT_ID        clAuthSlotID;
-	    PRUint16          clAuthSeries;
-
-            char              masterValid;
-	    char              clAuthValid;
-
-	} ssl3;
-    } u;
-};
-
-
-typedef struct ssl3CipherSuiteDefStr {
-    ssl3CipherSuite          cipher_suite;
-    SSL3BulkCipher           bulk_cipher_alg;
-    SSL3MACAlgorithm         mac_alg;
-    SSL3KeyExchangeAlgorithm key_exchange_alg;
-} ssl3CipherSuiteDef;
-
-/*
-** There are tables of these, all const.
-*/
-typedef struct {
-    SSL3KeyExchangeAlgorithm kea;
-    SSL3KEAType              exchKeyType;
-    SSL3SignType             signKeyType;
-    PRBool                   is_limited;
-    int                      key_size_limit;
-    PRBool                   tls_keygen;
-} ssl3KEADef;
-
-typedef enum { kg_null, kg_strong, kg_export } SSL3KeyGenMode;
-
-/*
-** There are tables of these, all const.
-*/
-struct ssl3BulkCipherDefStr {
-    SSL3BulkCipher  cipher;
-    SSLCipherAlgorithm calg;
-    int             key_size;
-    int             secret_key_size;
-    CipherType      type;
-    int             iv_size;
-    int             block_size;
-    SSL3KeyGenMode  keygen_mode;
-};
-
-/*
-** There are tables of these, all const.
-*/
-struct ssl3MACDefStr {
-    SSL3MACAlgorithm mac;
-    CK_MECHANISM_TYPE mmech;
-    int              pad_size;
-    int              mac_size;
-};
-
-typedef enum {
-    wait_client_hello, 
-    wait_client_cert, 
-    wait_client_key,
-    wait_cert_verify, 
-    wait_change_cipher, 
-    wait_finished,
-    wait_server_hello, 
-    wait_server_cert, 
-    wait_server_key,
-    wait_cert_request, 
-    wait_hello_done,
-    idle_handshake
-} SSL3WaitState;
-
-/*
-** This is the "hs" member of the "ssl3" struct.
-** This entire struct is protected by ssl3HandshakeLock
-*/
-typedef struct SSL3HandshakeStateStr {
-    SSL3Random            server_random;
-    SSL3Random            client_random;
-    SSL3WaitState         ws;
-    PRUint64              md5_cx[MAX_MAC_CONTEXT_LLONGS];
-    PRUint64              sha_cx[MAX_MAC_CONTEXT_LLONGS];
-    PK11Context *         md5;            /* handshake running hashes */
-    PK11Context *         sha;
-const ssl3KEADef *        kea_def;
-    ssl3CipherSuite       cipher_suite;
-const ssl3CipherSuiteDef *suite_def;
-    SSL3CompressionMethod compression;
-    sslBuffer             msg_body;    /* protected by recvBufLock */
-                               /* partial handshake message from record layer */
-    unsigned int          header_bytes; 
-                               /* number of bytes consumed from handshake */
-                               /* message for message type and header length */
-    SSL3HandshakeType     msg_type;
-    unsigned long         msg_len;
-    SECItem               ca_list;     /* used only by client */
-    PRBool                isResuming;  /* are we resuming a session */
-    PRBool                rehandshake; /* immediately start another handshake 
-                                        * when this one finishes */
-    PRBool                usedStepDownKey;  /* we did a server key exchange. */
-    sslBuffer             msgState;    /* current state for handshake messages*/
-                                       /* protected by recvBufLock */
-} SSL3HandshakeState;
-
-
-
-/*
-** This is the "ssl3" struct, as in "ss->ssl3".
-** note:
-** usually,   crSpec == cwSpec and prSpec == pwSpec.  
-** Sometimes, crSpec == pwSpec and prSpec == cwSpec.
-** But there are never more than 2 actual specs.  
-** No spec must ever be modified if either "current" pointer points to it.
-*/
-struct ssl3StateStr {
-
-    /*
-    ** The following Specs and Spec pointers must be protected using the 
-    ** Spec Lock.
-    */
-    ssl3CipherSpec *     crSpec; 	/* current read spec. */
-    ssl3CipherSpec *     prSpec; 	/* pending read spec. */
-    ssl3CipherSpec *     cwSpec; 	/* current write spec. */
-    ssl3CipherSpec *     pwSpec; 	/* pending write spec. */
-
-    CERTCertificate *    clientCertificate;  /* used by client */
-    SECKEYPrivateKey *   clientPrivateKey;   /* used by client */
-    CERTCertificateList *clientCertChain;    /* used by client */
-    PRBool               sendEmptyCert;      /* used by client */
-
-    int                  policy;
-			/* This says what cipher suites we can do, and should 
-			 * be either SSL_ALLOWED or SSL_RESTRICTED 
-			 */
-    PRArenaPool *        peerCertArena;  
-			    /* These are used to keep track of the peer CA */
-    void *               peerCertChain;     
-			    /* chain while we are trying to validate it.   */
-    CERTDistNames *      ca_list; 
-			    /* used by server.  trusted CAs for this socket. */
-    PRBool               initialized;
-    SSL3HandshakeState   hs;
-    ssl3CipherSpec       specs[2];	/* one is current, one is pending. */
-};
-
-typedef struct {
-    SSL3ContentType      type;
-    SSL3ProtocolVersion  version;
-    sslBuffer *          buf;
-} SSL3Ciphertext;
-
-struct ssl3KeyPairStr {
-    SECKEYPrivateKey *    privKey;		/* RSA step down key */
-    SECKEYPublicKey *     pubKey;		/* RSA step down key */
-    PRInt32               refCount;	/* use PR_Atomic calls for this. */
-};
-
-typedef struct SSLWrappedSymWrappingKeyStr {
-    SSL3Opaque        wrappedSymmetricWrappingkey[512];
-    SSL3Opaque        wrapIV[24];
-    CK_MECHANISM_TYPE symWrapMechanism;  
-		    /* unwrapped symmetric wrapping key uses this mechanism */
-    CK_MECHANISM_TYPE asymWrapMechanism; 
-		    /* mechanism used to wrap the SymmetricWrappingKey using
-		     * server's public and/or private keys. */
-    SSL3KEAType       exchKeyType;   /* type of keys used to wrap SymWrapKey*/
-    PRInt32           symWrapMechIndex;
-    PRUint16          wrappedSymKeyLen;
-    PRUint16          wrapIVLen;
-} SSLWrappedSymWrappingKey;
-
-
-
-
-
-
-
-
-
-
-/*
- * SSL2 buffers used in SSL3.
- *     writeBuf in the SecurityInfo maintained by sslsecur.c is used
- *              to hold the data just about to be passed to the kernel
- *     sendBuf in the ConnectInfo maintained by sslcon.c is used
- *              to hold handshake messages as they are accumulated
- */
-
-/*
-** This is "ci", as in "ss->sec.ci".
-**
-** Protection:  All the variables in here are protected by 
-** firstHandshakeLock AND (in ssl3) ssl3HandshakeLock 
-*/
-struct sslConnectInfoStr {
-    /* outgoing handshakes appended to this. */
-    sslBuffer       sendBuf;	                /*xmitBufLock*/ /* ssl 2 & 3 */
-
-    PRIPv6Addr      peer;                                       /* ssl 2 & 3 */
-    unsigned short  port;                                       /* ssl 2 & 3 */
-
-    sslSessionID   *sid;                                        /* ssl 2 & 3 */
-
-    /* see CIS_HAVE defines below for the bit values in *elements. */
-    char            elements;					/* ssl2 only */
-    char            requiredElements;				/* ssl2 only */
-    char            sentElements;                               /* ssl2 only */
-
-    char            sentFinished;                               /* ssl2 only */
-
-    /* Length of server challenge.  Used by client when saving challenge */
-    int             serverChallengeLen;                         /* ssl2 only */
-    /* type of authentication requested by server */
-    unsigned char   authType;                                   /* ssl2 only */
-
-    /* Challenge sent by client to server in client-hello message */
-    /* SSL3 gets a copy of this.  See ssl3_StartHandshakeHash().  */
-    unsigned char   clientChallenge[SSL_MAX_CHALLENGE_BYTES];   /* ssl 2 & 3 */
-
-    /* Connection-id sent by server to client in server-hello message */
-    unsigned char   connectionID[SSL_CONNECTIONID_BYTES];	/* ssl2 only */
-
-    /* Challenge sent by server to client in request-certificate message */
-    unsigned char   serverChallenge[SSL_MAX_CHALLENGE_BYTES];	/* ssl2 only */
-
-    /* Information kept to handle a request-certificate message */
-    unsigned char   readKey[SSL_MAX_MASTER_KEY_BYTES];		/* ssl2 only */
-    unsigned char   writeKey[SSL_MAX_MASTER_KEY_BYTES];		/* ssl2 only */
-    unsigned        keySize;					/* ssl2 only */
-};
-
-/* bit values for ci->elements, ci->requiredElements, sentElements. */
-#define CIS_HAVE_MASTER_KEY		0x01
-#define CIS_HAVE_CERTIFICATE		0x02
-#define CIS_HAVE_FINISHED		0x04
-#define CIS_HAVE_VERIFY			0x08
-
-/* Note: The entire content of this struct and whatever it points to gets
- * blown away by SSL_ResetHandshake().  This is "sec" as in "ss->sec".
- *
- * Unless otherwise specified below, the contents of this struct are 
- * protected by firstHandshakeLock AND (in ssl3) ssl3HandshakeLock.
- */
-struct sslSecurityInfoStr {
-    sslSendFunc      send;			/*xmitBufLock*/	/* ssl 2 & 3 */
-    int              isServer;			/* Spec Lock?*/	/* ssl 2 & 3 */
-    sslBuffer        writeBuf;			/*xmitBufLock*/	/* ssl 2 & 3 */
-
-    int              cipherType;				/* ssl 2 & 3 */
-    int              keyBits;					/* ssl 2 & 3 */
-    int              secretKeyBits;				/* ssl 2 & 3 */
-    CERTCertificate *localCert;					/* ssl 2 & 3 */
-    CERTCertificate *peerCert;					/* ssl 2 & 3 */
-    SECKEYPublicKey *peerKey;					/* ssl3 only */
-
-    SSLSignType      authAlgorithm;
-    PRUint32         authKeyBits;
-    SSLKEAType       keaType;
-    PRUint32         keaKeyBits;
-
-    /*
-    ** Procs used for SID cache (nonce) management. 
-    ** Different implementations exist for clients/servers 
-    ** The lookup proc is only used for servers.  Baloney!
-    */
-    sslSessionIDCacheFunc     cache;				/* ssl 2 & 3 */
-    sslSessionIDUncacheFunc   uncache;				/* ssl 2 & 3 */
-
-    /*
-    ** everything below here is for ssl2 only.
-    ** This stuff is equivalent to SSL3's "spec", and is protected by the 
-    ** same "Spec Lock" as used for SSL3's specs.
-    */
-    uint32           sendSequence;		/*xmitBufLock*/	/* ssl2 only */
-    uint32           rcvSequence;		/*recvBufLock*/	/* ssl2 only */
-
-    /* Hash information; used for one-way-hash functions (MD2, MD5, etc.) */
-    const SECHashObject   *hash;		/* Spec Lock */ /* ssl2 only */
-    void            *hashcx;			/* Spec Lock */	/* ssl2 only */
-
-    SECItem          sendSecret;		/* Spec Lock */	/* ssl2 only */
-    SECItem          rcvSecret;			/* Spec Lock */	/* ssl2 only */
-
-    /* Session cypher contexts; one for each direction */
-    void            *readcx;			/* Spec Lock */	/* ssl2 only */
-    void            *writecx;			/* Spec Lock */	/* ssl2 only */
-    SSLCipher        enc;			/* Spec Lock */	/* ssl2 only */
-    SSLCipher        dec;			/* Spec Lock */	/* ssl2 only */
-    void           (*destroy)(void *, PRBool);	/* Spec Lock */	/* ssl2 only */
-
-    /* Blocking information for the session cypher */
-    int              blockShift;		/* Spec Lock */	/* ssl2 only */
-    int              blockSize;			/* Spec Lock */	/* ssl2 only */
-
-    /* These are used during a connection handshake */
-    sslConnectInfo   ci;					/* ssl 2 & 3 */
-
-};
-
-
-/*
-** SSL Socket struct
-**
-** Protection:  XXX
-*/
-struct sslSocketStr {
-    PRFileDesc *	fd;
-
-    /* Pointer to operations vector for this socket */
-    const sslSocketOps * ops;
-
-    /* SSL socket options */
-    sslOptions       opt;
-
-    /* State flags */
-    unsigned long    clientAuthRequested;
-    unsigned long    delayDisabled;       /* Nagle delay disabled */
-    unsigned long    firstHsDone;         /* first handshake is complete. */
-    unsigned long    handshakeBegun;     
-    unsigned long    lastWriteBlocked;   
-    unsigned long    recvdCloseNotify;    /* received SSL EOF. */
-    unsigned long    TCPconnected;       
-
-    /* version of the protocol to use */
-    SSL3ProtocolVersion version;
-    SSL3ProtocolVersion clientHelloVersion; /* version sent in client hello. */
-
-    sslSecurityInfo  sec;		/* not a pointer any more */
-
-    /* protected by firstHandshakeLock AND (in ssl3) ssl3HandshakeLock. */
-    const char      *url;				/* ssl 2 & 3 */
-
-    sslHandshakeFunc handshake;				/*firstHandshakeLock*/
-    sslHandshakeFunc nextHandshake;			/*firstHandshakeLock*/
-    sslHandshakeFunc securityHandshake;			/*firstHandshakeLock*/
-
-    /* the following variable is only used with socks or other proxies. */
-    char *           peerID;	/* String uniquely identifies target server. */
-
-    unsigned char *  cipherSpecs;
-    unsigned int     sizeCipherSpecs;
-const unsigned char *  preferredCipher;
-
-    ssl3KeyPair *         stepDownKeyPair;	/* RSA step down keys */
-
-    /* Callbacks */
-    SSLAuthCertificate        authCertificate;
-    void                     *authCertificateArg;
-    SSLGetClientAuthData      getClientAuthData;
-    void                     *getClientAuthDataArg;
-    SSLBadCertHandler         handleBadCert;
-    void                     *badCertArg;
-    SSLHandshakeCallback      handshakeCallback;
-    void                     *handshakeCallbackData;
-    void                     *pkcs11PinArg;
-
-    PRIntervalTime            rTimeout; /* timeout for NSPR I/O */
-    PRIntervalTime            wTimeout; /* timeout for NSPR I/O */
-    PRIntervalTime            cTimeout; /* timeout for NSPR I/O */
-
-    PZLock *      recvLock;	/* lock against multiple reader threads. */
-    PZLock *      sendLock;	/* lock against multiple sender threads. */
-
-    PZMonitor *   recvBufLock;	/* locks low level recv buffers. */
-    PZMonitor *   xmitBufLock;	/* locks low level xmit buffers. */
-
-    /* Only one thread may operate on the socket until the initial handshake
-    ** is complete.  This Monitor ensures that.  Since SSL2 handshake is
-    ** only done once, this is also effectively the SSL2 handshake lock.
-    */
-    PZMonitor *   firstHandshakeLock; 
-
-    /* This monitor protects the ssl3 handshake state machine data.
-    ** Only one thread (reader or writer) may be in the ssl3 handshake state
-    ** machine at any time.  */
-    PZMonitor *   ssl3HandshakeLock;
-
-    /* reader/writer lock, protects the secret data needed to encrypt and MAC
-    ** outgoing records, and to decrypt and MAC check incoming ciphertext 
-    ** records.  */
-    NSSRWLock *   specLock;
-
-    /* handle to perm cert db (and implicitly to the temp cert db) used 
-    ** with this socket. 
-    */
-    CERTCertDBHandle * dbHandle;
-
-    PRThread *  writerThread;   /* thread holds SSL_LOCK_WRITER lock */
-
-    PRUint16	shutdownHow; 	/* See ssl_SHUTDOWN defines below. */
-
-    PRUint16	allowedByPolicy;          /* copy of global policy bits. */
-    PRUint16	maybeAllowedByPolicy;     /* copy of global policy bits. */
-    PRUint16	chosenPreference;         /* SSL2 cipher preferences. */
-
-    sslHandshakingType handshaking;
-
-    /* Gather object used for gathering data */
-    sslGather        gs;				/*recvBufLock*/
-
-    sslBuffer        saveBuf;				/*xmitBufLock*/
-    sslBuffer        pendingBuf;			/*xmitBufLock*/
-
-    /* Configuration state for server sockets */
-    /* server cert and key for each KEA type */
-    sslServerCerts        serverCerts[kt_kea_size];
-
-    ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED];
-    ssl3KeyPair *         ephemeralECDHKeyPair; /* for ECDHE-* handshake */
-
-    /* SSL3 state info.  Formerly was a pointer */
-    ssl3State        ssl3;
-};
-
-
-
-/* All the global data items declared here should be protected using the 
-** ssl_global_data_lock, which is a reader/writer lock.
-*/
-extern NSSRWLock *             ssl_global_data_lock;
-extern char                    ssl_debug;
-extern char                    ssl_trace;
-extern CERTDistNames *         ssl3_server_ca_list;
-extern PRUint32                ssl_sid_timeout;
-extern PRUint32                ssl3_sid_timeout;
-extern PRBool                  ssl3_global_policy_some_restricted;
-
-extern const char * const      ssl_cipherName[];
-extern const char * const      ssl3_cipherName[];
-
-extern sslSessionIDLookupFunc  ssl_sid_lookup;
-extern sslSessionIDCacheFunc   ssl_sid_cache;
-extern sslSessionIDUncacheFunc ssl_sid_uncache;
-
-/************************************************************************/
-
-SEC_BEGIN_PROTOS
-
-/* Implementation of ops for default (non socks, non secure) case */
-extern int ssl_DefConnect(sslSocket *ss, const PRNetAddr *addr);
-extern PRFileDesc *ssl_DefAccept(sslSocket *ss, PRNetAddr *addr);
-extern int ssl_DefBind(sslSocket *ss, const PRNetAddr *addr);
-extern int ssl_DefListen(sslSocket *ss, int backlog);
-extern int ssl_DefShutdown(sslSocket *ss, int how);
-extern int ssl_DefClose(sslSocket *ss);
-extern int ssl_DefRecv(sslSocket *ss, unsigned char *buf, int len, int flags);
-extern int ssl_DefSend(sslSocket *ss, const unsigned char *buf,
-		       int len, int flags);
-extern int ssl_DefRead(sslSocket *ss, unsigned char *buf, int len);
-extern int ssl_DefWrite(sslSocket *ss, const unsigned char *buf, int len);
-extern int ssl_DefGetpeername(sslSocket *ss, PRNetAddr *name);
-extern int ssl_DefGetsockname(sslSocket *ss, PRNetAddr *name);
-extern int ssl_DefGetsockopt(sslSocket *ss, PRSockOption optname,
-			     void *optval, PRInt32 *optlen);
-extern int ssl_DefSetsockopt(sslSocket *ss, PRSockOption optname,
-			     const void *optval, PRInt32 optlen);
-
-/* Implementation of ops for socks only case */
-extern int ssl_SocksConnect(sslSocket *ss, const PRNetAddr *addr);
-extern PRFileDesc *ssl_SocksAccept(sslSocket *ss, PRNetAddr *addr);
-extern int ssl_SocksBind(sslSocket *ss, const PRNetAddr *addr);
-extern int ssl_SocksListen(sslSocket *ss, int backlog);
-extern int ssl_SocksGetsockname(sslSocket *ss, PRNetAddr *name);
-extern int ssl_SocksRecv(sslSocket *ss, unsigned char *buf, int len, int flags);
-extern int ssl_SocksSend(sslSocket *ss, const unsigned char *buf,
-			 int len, int flags);
-extern int ssl_SocksRead(sslSocket *ss, unsigned char *buf, int len);
-extern int ssl_SocksWrite(sslSocket *ss, const unsigned char *buf, int len);
-
-/* Implementation of ops for secure only case */
-extern int ssl_SecureConnect(sslSocket *ss, const PRNetAddr *addr);
-extern PRFileDesc *ssl_SecureAccept(sslSocket *ss, PRNetAddr *addr);
-extern int ssl_SecureRecv(sslSocket *ss, unsigned char *buf,
-			  int len, int flags);
-extern int ssl_SecureSend(sslSocket *ss, const unsigned char *buf,
-			  int len, int flags);
-extern int ssl_SecureRead(sslSocket *ss, unsigned char *buf, int len);
-extern int ssl_SecureWrite(sslSocket *ss, const unsigned char *buf, int len);
-extern int ssl_SecureShutdown(sslSocket *ss, int how);
-extern int ssl_SecureClose(sslSocket *ss);
-
-/* Implementation of ops for secure socks case */
-extern int ssl_SecureSocksConnect(sslSocket *ss, const PRNetAddr *addr);
-extern PRFileDesc *ssl_SecureSocksAccept(sslSocket *ss, PRNetAddr *addr);
-extern PRFileDesc *ssl_FindTop(sslSocket *ss);
-
-/* Gather funcs. */
-extern sslGather * ssl_NewGather(void);
-extern SECStatus   ssl_InitGather(sslGather *gs);
-extern void        ssl_DestroyGather(sslGather *gs);
-extern int         ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags);
-extern int         ssl2_GatherRecord(sslSocket *ss, int flags);
-extern SECStatus   ssl_GatherRecord1stHandshake(sslSocket *ss);
-
-extern SECStatus   ssl2_HandleClientHelloMessage(sslSocket *ss);
-extern SECStatus   ssl2_HandleServerHelloMessage(sslSocket *ss);
-extern int         ssl2_StartGatherBytes(sslSocket *ss, sslGather *gs, 
-                                         unsigned int count);
-
-extern SECStatus   ssl_CreateSecurityInfo(sslSocket *ss);
-extern SECStatus   ssl_CopySecurityInfo(sslSocket *ss, sslSocket *os);
-extern void        ssl_ResetSecurityInfo(sslSecurityInfo *sec, PRBool doMemset);
-extern void        ssl_DestroySecurityInfo(sslSecurityInfo *sec);
-
-extern sslSocket * ssl_DupSocket(sslSocket *old);
-
-extern void        ssl_PrintBuf(sslSocket *ss, const char *msg, const void *cp, int len);
-extern void        ssl_DumpMsg(sslSocket *ss, unsigned char *bp, unsigned len);
-
-extern int         ssl_SendSavedWriteData(sslSocket *ss, sslBuffer *buf,
-				          sslSendFunc fp);
-extern SECStatus ssl_SaveWriteData(sslSocket *ss, sslBuffer *buf, 
-                                   const void* p, unsigned int l);
-extern SECStatus ssl2_BeginClientHandshake(sslSocket *ss);
-extern SECStatus ssl2_BeginServerHandshake(sslSocket *ss);
-extern int       ssl_Do1stHandshake(sslSocket *ss);
-
-extern SECStatus sslBuffer_Grow(sslBuffer *b, unsigned int newLen);
-
-extern void      ssl2_UseClearSendFunc(sslSocket *ss);
-extern void      ssl_ChooseSessionIDProcs(sslSecurityInfo *sec);
-
-extern sslSessionID *ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port, 
-                                   const char *peerID, const char *urlSvrName);
-extern void      ssl_FreeSID(sslSessionID *sid);
-
-extern int       ssl3_SendApplicationData(sslSocket *ss, const PRUint8 *in,
-				          int len, int flags);
-
-extern PRBool    ssl_FdIsBlocking(PRFileDesc *fd);
-
-extern SECStatus ssl_SetTimeout(PRFileDesc *fd, PRIntervalTime timeout);
-
-extern PRBool    ssl_SocketIsBlocking(sslSocket *ss);
-
-extern void      ssl_SetAlwaysBlock(sslSocket *ss);
-
-extern SECStatus ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled);
-
-#define SSL_LOCK_READER(ss)		if (ss->recvLock) PZ_Lock(ss->recvLock)
-#define SSL_UNLOCK_READER(ss)		if (ss->recvLock) PZ_Unlock(ss->recvLock)
-#define SSL_LOCK_WRITER(ss)		if (ss->sendLock) PZ_Lock(ss->sendLock)
-#define SSL_UNLOCK_WRITER(ss)		if (ss->sendLock) PZ_Unlock(ss->sendLock)
-
-#define ssl_Get1stHandshakeLock(ss)     \
-    { if (!ss->opt.noLocks) PZ_EnterMonitor((ss)->firstHandshakeLock); }
-#define ssl_Release1stHandshakeLock(ss) \
-    { if (!ss->opt.noLocks) PZ_ExitMonitor((ss)->firstHandshakeLock); }
-#define ssl_Have1stHandshakeLock(ss)    \
-    (PZ_InMonitor((ss)->firstHandshakeLock))
-
-#define ssl_GetSSL3HandshakeLock(ss)	\
-    { if (!ss->opt.noLocks) PZ_EnterMonitor((ss)->ssl3HandshakeLock); }
-#define ssl_ReleaseSSL3HandshakeLock(ss) \
-    { if (!ss->opt.noLocks) PZ_ExitMonitor((ss)->ssl3HandshakeLock); }
-#define ssl_HaveSSL3HandshakeLock(ss)	\
-    (PZ_InMonitor((ss)->ssl3HandshakeLock))
-
-#define ssl_GetSpecReadLock(ss)		\
-    { if (!ss->opt.noLocks) NSSRWLock_LockRead((ss)->specLock); }
-#define ssl_ReleaseSpecReadLock(ss)	\
-    { if (!ss->opt.noLocks) NSSRWLock_UnlockRead((ss)->specLock); }
-
-#define ssl_GetSpecWriteLock(ss)	\
-    { if (!ss->opt.noLocks) NSSRWLock_LockWrite((ss)->specLock); }
-#define ssl_ReleaseSpecWriteLock(ss)	\
-    { if (!ss->opt.noLocks) NSSRWLock_UnlockWrite((ss)->specLock); }
-#define ssl_HaveSpecWriteLock(ss)	\
-    (NSSRWLock_HaveWriteLock((ss)->specLock))
-
-#define ssl_GetRecvBufLock(ss)		\
-    { if (!ss->opt.noLocks) PZ_EnterMonitor((ss)->recvBufLock); }
-#define ssl_ReleaseRecvBufLock(ss)	\
-    { if (!ss->opt.noLocks) PZ_ExitMonitor( (ss)->recvBufLock); }
-#define ssl_HaveRecvBufLock(ss)		\
-    (PZ_InMonitor((ss)->recvBufLock))
-
-#define ssl_GetXmitBufLock(ss)		\
-    { if (!ss->opt.noLocks) PZ_EnterMonitor((ss)->xmitBufLock); }
-#define ssl_ReleaseXmitBufLock(ss)	\
-    { if (!ss->opt.noLocks) PZ_ExitMonitor( (ss)->xmitBufLock); }
-#define ssl_HaveXmitBufLock(ss)		\
-    (PZ_InMonitor((ss)->xmitBufLock))
-
-
-extern SECStatus ssl3_KeyAndMacDeriveBypass(ssl3CipherSpec * pwSpec,
-		    const unsigned char * cr, const unsigned char * sr,
-		    PRBool isTLS, PRBool isExport);
-extern  SECStatus ssl3_MasterKeyDeriveBypass( ssl3CipherSpec * pwSpec,
-		    const unsigned char * cr, const unsigned char * sr,
-		    const SECItem * pms, PRBool isTLS, PRBool isRSA);
-
-/* These functions are called from secnav, even though they're "private". */
-
-extern int ssl2_SendErrorMessage(struct sslSocketStr *ss, int error);
-extern int SSL_RestartHandshakeAfterServerCert(struct sslSocketStr *ss);
-extern int SSL_RestartHandshakeAfterCertReq(struct sslSocketStr *ss,
-					    CERTCertificate *cert,
-					    SECKEYPrivateKey *key,
-					    CERTCertificateList *certChain);
-extern sslSocket *ssl_FindSocket(PRFileDesc *fd);
-extern void ssl_FreeSocket(struct sslSocketStr *ssl);
-extern SECStatus SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level,
-				SSL3AlertDescription desc);
-
-extern int ssl2_RestartHandshakeAfterCertReq(sslSocket *          ss,
-					     CERTCertificate *    cert, 
-					     SECKEYPrivateKey *   key);
-
-extern SECStatus ssl3_RestartHandshakeAfterCertReq(sslSocket *    ss,
-					     CERTCertificate *    cert, 
-					     SECKEYPrivateKey *   key,
-					     CERTCertificateList *certChain);
-
-extern int ssl2_RestartHandshakeAfterServerCert(sslSocket *ss);
-extern int ssl3_RestartHandshakeAfterServerCert(sslSocket *ss);
-
-/*
- * for dealing with SSL 3.0 clients sending SSL 2.0 format hellos
- */
-extern SECStatus ssl3_HandleV2ClientHello(
-    sslSocket *ss, unsigned char *buffer, int length);
-extern SECStatus ssl3_StartHandshakeHash(
-    sslSocket *ss, unsigned char *buf, int length);
-
-/*
- * SSL3 specific routines
- */
-SECStatus ssl3_SendClientHello(sslSocket *ss);
-
-/*
- * input into the SSL3 machinery from the actualy network reading code
- */
-SECStatus ssl3_HandleRecord(
-    sslSocket *ss, SSL3Ciphertext *cipher, sslBuffer *out);
-
-int ssl3_GatherAppDataRecord(sslSocket *ss, int flags);
-int ssl3_GatherCompleteHandshake(sslSocket *ss, int flags);
-/*
- * When talking to export clients or using export cipher suites, servers 
- * with public RSA keys larger than 512 bits need to use a 512-bit public
- * key, signed by the larger key.  The smaller key is a "step down" key.
- * Generate that key pair and keep it around.
- */
-extern SECStatus ssl3_CreateRSAStepDownKeys(sslSocket *ss);
-
-#ifdef NSS_ENABLE_ECC
-extern SECStatus ssl3_CreateECDHEphemeralKeys(sslSocket *ss);
-#endif /* NSS_ENABLE_ECC */
-
-extern SECStatus ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool on);
-extern SECStatus ssl3_CipherPrefGetDefault(ssl3CipherSuite which, PRBool *on);
-extern SECStatus ssl2_CipherPrefSetDefault(PRInt32 which, PRBool enabled);
-extern SECStatus ssl2_CipherPrefGetDefault(PRInt32 which, PRBool *enabled);
-
-extern SECStatus ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool on);
-extern SECStatus ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *on);
-extern SECStatus ssl2_CipherPrefSet(sslSocket *ss, PRInt32 which, PRBool enabled);
-extern SECStatus ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled);
-
-extern SECStatus ssl3_SetPolicy(ssl3CipherSuite which, PRInt32 policy);
-extern SECStatus ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *policy);
-extern SECStatus ssl2_SetPolicy(PRInt32 which, PRInt32 policy);
-extern SECStatus ssl2_GetPolicy(PRInt32 which, PRInt32 *policy);
-
-extern void      ssl2_InitSocketPolicy(sslSocket *ss);
-extern void      ssl3_InitSocketPolicy(sslSocket *ss);
-
-extern SECStatus ssl3_ConstructV2CipherSpecsHack(sslSocket *ss,
-						 unsigned char *cs, int *size);
-
-extern SECStatus ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache);
-
-extern void ssl3_DestroySSL3Info(sslSocket *ss);
-
-extern SECStatus ssl3_NegotiateVersion(sslSocket *ss, 
-                                       SSL3ProtocolVersion peerVersion);
-
-extern SECStatus ssl_GetPeerInfo(sslSocket *ss);
-
-#ifdef NSS_ENABLE_ECC
-/* ECDH functions */
-extern SECStatus ssl3_SendECDHClientKeyExchange(sslSocket * ss, 
-			     SECKEYPublicKey * svrPubKey);
-extern SECStatus ssl3_HandleECDHServerKeyExchange(sslSocket *ss, 
-					SSL3Opaque *b, PRUint32 length);
-extern SECStatus ssl3_HandleECDHClientKeyExchange(sslSocket *ss, 
-				     SSL3Opaque *b, PRUint32 length,
-                                     SECKEYPublicKey *srvrPubKey,
-                                     SECKEYPrivateKey *srvrPrivKey);
-extern SECStatus ssl3_SendECDHServerKeyExchange(sslSocket *ss);
-#endif
-
-extern SECStatus ssl3_ComputeCommonKeyHash(PRUint8 * hashBuf, 
-				unsigned int bufLen, SSL3Hashes *hashes, 
-				PRBool bypassPKCS11);
-extern SECStatus ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms);
-extern SECStatus ssl3_AppendHandshake(sslSocket *ss, const void *void_src, 
-			PRInt32 bytes);
-extern SECStatus ssl3_AppendHandshakeHeader(sslSocket *ss, 
-			SSL3HandshakeType t, PRUint32 length);
-extern SECStatus ssl3_AppendHandshakeVariable( sslSocket *ss, 
-			const SSL3Opaque *src, PRInt32 bytes, PRInt32 lenSize);
-extern SECStatus ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRInt32 bytes, 
-			SSL3Opaque **b, PRUint32 *length);
-extern SECStatus ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i, 
-			PRInt32 bytes, SSL3Opaque **b, PRUint32 *length);
-extern SECStatus ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key, 
-			SECItem *buf, PRBool isTLS);
-extern SECStatus ssl3_VerifySignedHashes(SSL3Hashes *hash, 
-			CERTCertificate *cert, SECItem *buf, PRBool isTLS, 
-			void *pwArg);
-
-/* Construct a new NSPR socket for the app to use */
-extern PRFileDesc *ssl_NewPRSocket(sslSocket *ss, PRFileDesc *fd);
-extern void ssl_FreePRSocket(PRFileDesc *fd);
-
-/* Internal config function so SSL2 can initialize the present state of 
- * various ciphers */
-extern int ssl3_config_match_init(sslSocket *);
-
-
-/* Create a new ref counted key pair object from two keys. */
-extern ssl3KeyPair * ssl3_NewKeyPair( SECKEYPrivateKey * privKey, 
-                                      SECKEYPublicKey * pubKey);
-
-/* get a new reference (bump ref count) to an ssl3KeyPair. */
-extern ssl3KeyPair * ssl3_GetKeyPairRef(ssl3KeyPair * keyPair);
-
-/* Decrement keypair's ref count and free if zero. */
-extern void ssl3_FreeKeyPair(ssl3KeyPair * keyPair);
-
-/* calls for accessing wrapping keys across processes. */
-extern PRBool
-ssl_GetWrappingKey( PRInt32                   symWrapMechIndex,
-                    SSL3KEAType               exchKeyType, 
-		    SSLWrappedSymWrappingKey *wswk);
-
-/* The caller passes in the new value it wants
- * to set.  This code tests the wrapped sym key entry in the file on disk.  
- * If it is uninitialized, this function writes the caller's value into 
- * the disk entry, and returns false.  
- * Otherwise, it overwrites the caller's wswk with the value obtained from 
- * the disk, and returns PR_TRUE.  
- * This is all done while holding the locks/semaphores necessary to make 
- * the operation atomic.
- */
-extern PRBool
-ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk);
-
-/* get rid of the symmetric wrapping key references. */
-extern SECStatus SSL3_ShutdownServerCache(void);
-
-extern void ssl_InitClientSessionCacheLock(void);
-
-extern void ssl_InitSymWrapKeysLock(void);
-
-/********************** misc calls *********************/
-
-extern int ssl_MapLowLevelError(int hiLevelError);
-
-extern PRUint32 ssl_Time(void);
-
-/* emulation of NSPR routines. */
-extern PRInt32 
-ssl_EmulateAcceptRead(	PRFileDesc *   sd, 
-			PRFileDesc **  nd,
-			PRNetAddr **   raddr, 
-			void *         buf, 
-			PRInt32        amount, 
-			PRIntervalTime timeout);
-extern PRInt32 
-ssl_EmulateTransmitFile(    PRFileDesc *        sd, 
-			    PRFileDesc *        fd,
-			    const void *        headers, 
-			    PRInt32             hlen, 
-			    PRTransmitFileFlags flags,
-			    PRIntervalTime      timeout);
-extern PRInt32 
-ssl_EmulateSendFile( PRFileDesc *        sd, 
-		     PRSendFileData *    sfd,
-                     PRTransmitFileFlags flags, 
-		     PRIntervalTime      timeout);
-
-
-SECStatus SSL_DisableDefaultExportCipherSuites(void);
-SECStatus SSL_DisableExportCipherSuites(PRFileDesc * fd);
-PRBool    SSL_IsExportCipherSuite(PRUint16 cipherSuite);
-
-
-#ifdef TRACE
-#define SSL_TRACE(msg) ssl_Trace msg
-#else
-#define SSL_TRACE(msg)
-#endif
-
-void ssl_Trace(const char *format, ...);
-
-SEC_END_PROTOS
-
-#ifdef XP_OS2_VACPP
-#include <process.h>
-#endif
-
-#if defined(XP_UNIX) || defined(XP_OS2) || defined(XP_BEOS)
-#define SSL_GETPID getpid
-#elif defined(_WIN32_WCE)
-#define SSL_GETPID GetCurrentProcessId
-#elif defined(WIN32)
-extern int __cdecl _getpid(void);
-#define SSL_GETPID _getpid
-#else
-#define SSL_GETPID() 0
-#endif
-
-#endif /* __sslimpl_h_ */
diff --git a/security/nss/lib/ssl/sslinfo.c b/security/nss/lib/ssl/sslinfo.c
deleted file mode 100644
index d3a9735f0..000000000
--- a/security/nss/lib/ssl/sslinfo.c
+++ /dev/null
@@ -1,269 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2001
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-#include "ssl.h"
-#include "sslimpl.h"
-#include "sslproto.h"
-
-SECStatus 
-SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len)
-{
-    sslSocket *      ss;
-    SSLChannelInfo   inf;
-    sslSessionID *   sid;
-
-    if (!info || len < sizeof inf.length) { 
-    	return SECSuccess;
-    }
-
-    ss = ssl_FindSocket(fd);
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetChannelInfo",
-		 SSL_GETPID(), fd));
-	return SECFailure;
-    }
-
-    memset(&inf, 0, sizeof inf);
-    inf.length = PR_MIN(sizeof inf, len);
-
-    if (ss->opt.useSecurity && ss->firstHsDone) {
-        sid = ss->sec.ci.sid;
-	inf.protocolVersion  = ss->version;
-	inf.authKeyBits      = ss->sec.authKeyBits;
-	inf.keaKeyBits       = ss->sec.keaKeyBits;
-	if (ss->version < SSL_LIBRARY_VERSION_3_0) { /* SSL2 */
-	    inf.cipherSuite      = ss->sec.cipherType | 0xff00;
-	} else if (ss->ssl3.initialized) { 	/* SSL3 and TLS */
-
-	    /* XXX  These should come from crSpec */
-	    inf.cipherSuite      = ss->ssl3.hs.cipher_suite;
-	}
-	if (sid) {
-	    inf.creationTime   = sid->creationTime;
-	    inf.lastAccessTime = sid->lastAccessTime;
-	    inf.expirationTime = sid->expirationTime;
-	    if (ss->version < SSL_LIBRARY_VERSION_3_0) { /* SSL2 */
-	        inf.sessionIDLength = SSL2_SESSIONID_BYTES;
-		memcpy(inf.sessionID, sid->u.ssl2.sessionID, 
-		       SSL2_SESSIONID_BYTES);
-	    } else {
-		unsigned int sidLen = sid->u.ssl3.sessionIDLength;
-	        sidLen = PR_MIN(sidLen, sizeof inf.sessionID);
-	        inf.sessionIDLength = sidLen;
-		memcpy(inf.sessionID, sid->u.ssl3.sessionID, sidLen);
-	    }
-	}
-    }
-
-    memcpy(info, &inf, inf.length);
-
-    return SECSuccess;
-}
-
-
-#define CS(x) x, #x
-#define CK(x) x | 0xff00, #x
-
-#define S_DSA   "DSA", ssl_auth_dsa
-#define S_RSA	"RSA", ssl_auth_rsa
-#define S_KEA   "KEA", ssl_auth_kea
-#define S_ECDSA "ECDSA", ssl_auth_ecdsa
-
-#define K_DHE	"DHE", kt_dh
-#define K_RSA	"RSA", kt_rsa
-#define K_KEA	"KEA", kt_kea
-#define K_ECDH	"ECDH", kt_ecdh
-#define K_ECDHE	"ECDHE", kt_ecdh
-
-#define C_AES	"AES", calg_aes
-#define C_RC4	"RC4", calg_rc4
-#define C_RC2	"RC2", calg_rc2
-#define C_DES	"DES", calg_des
-#define C_3DES	"3DES", calg_3des
-#define C_NULL  "NULL", calg_null
-#define C_SJ 	"SKIPJACK", calg_sj
-
-#define B_256	256, 256, 256
-#define B_128	128, 128, 128
-#define B_3DES  192, 156, 112
-#define B_SJ     96,  80,  80
-#define B_DES    64,  56,  56
-#define B_56    128,  56,  56
-#define B_40    128,  40,  40
-#define B_0  	  0,   0,   0
-
-#define M_SHA	"SHA1", ssl_mac_sha, 160
-#define M_MD5	"MD5",  ssl_mac_md5, 128
-
-static const SSLCipherSuiteInfo suiteInfo[] = {
-/* <------ Cipher suite --------------------> <auth> <KEA>  <bulk cipher> <MAC> <FIPS> */
-{0,CS(TLS_DHE_RSA_WITH_AES_256_CBC_SHA),      S_RSA, K_DHE, C_AES, B_256, M_SHA, 1, 0, 0, },
-{0,CS(TLS_DHE_DSS_WITH_AES_256_CBC_SHA),      S_DSA, K_DHE, C_AES, B_256, M_SHA, 1, 0, 0, },
-{0,CS(TLS_RSA_WITH_AES_256_CBC_SHA),          S_RSA, K_RSA, C_AES, B_256, M_SHA, 1, 0, 0, },
-
-{0,CS(TLS_DHE_DSS_WITH_RC4_128_SHA),          S_DSA, K_DHE, C_RC4, B_128, M_SHA, 0, 0, 0, },
-{0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA),      S_RSA, K_DHE, C_AES, B_128, M_SHA, 1, 0, 0, },
-{0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA),      S_DSA, K_DHE, C_AES, B_128, M_SHA, 1, 0, 0, },
-{0,CS(SSL_RSA_WITH_RC4_128_MD5),              S_RSA, K_RSA, C_RC4, B_128, M_MD5, 0, 0, 0, },
-{0,CS(SSL_RSA_WITH_RC4_128_SHA),              S_RSA, K_RSA, C_RC4, B_128, M_SHA, 0, 0, 0, },
-{0,CS(TLS_RSA_WITH_AES_128_CBC_SHA),          S_RSA, K_RSA, C_AES, B_128, M_SHA, 1, 0, 0, },
-
-{0,CS(SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA),     S_RSA, K_DHE, C_3DES,B_3DES,M_SHA, 1, 0, 0, },
-{0,CS(SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA),     S_DSA, K_DHE, C_3DES,B_3DES,M_SHA, 1, 0, 0, },
-{0,CS(SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA),    S_RSA, K_RSA, C_3DES,B_3DES,M_SHA, 1, 0, 1, },
-{0,CS(SSL_RSA_WITH_3DES_EDE_CBC_SHA),         S_RSA, K_RSA, C_3DES,B_3DES,M_SHA, 1, 0, 0, },
-
-{0,CS(SSL_DHE_RSA_WITH_DES_CBC_SHA),          S_RSA, K_DHE, C_DES, B_DES, M_SHA, 0, 0, 0, },
-{0,CS(SSL_DHE_DSS_WITH_DES_CBC_SHA),          S_DSA, K_DHE, C_DES, B_DES, M_SHA, 0, 0, 0, },
-{0,CS(SSL_RSA_FIPS_WITH_DES_CBC_SHA),         S_RSA, K_RSA, C_DES, B_DES, M_SHA, 0, 0, 1, },
-{0,CS(SSL_RSA_WITH_DES_CBC_SHA),              S_RSA, K_RSA, C_DES, B_DES, M_SHA, 0, 0, 0, },
-
-{0,CS(TLS_RSA_EXPORT1024_WITH_RC4_56_SHA),    S_RSA, K_RSA, C_RC4, B_56,  M_SHA, 0, 1, 0, },
-{0,CS(TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA),   S_RSA, K_RSA, C_DES, B_DES, M_SHA, 0, 1, 0, },
-{0,CS(SSL_RSA_EXPORT_WITH_RC4_40_MD5),        S_RSA, K_RSA, C_RC4, B_40,  M_MD5, 0, 1, 0, },
-{0,CS(SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5),    S_RSA, K_RSA, C_RC2, B_40,  M_MD5, 0, 1, 0, },
-{0,CS(SSL_RSA_WITH_NULL_SHA),                 S_RSA, K_RSA, C_NULL,B_0,   M_SHA, 0, 1, 0, },
-{0,CS(SSL_RSA_WITH_NULL_MD5),                 S_RSA, K_RSA, C_NULL,B_0,   M_MD5, 0, 1, 0, },
-
-#ifdef NSS_ENABLE_ECC
-/* ECC cipher suites */
-{0,CS(TLS_ECDH_ECDSA_WITH_NULL_SHA),          S_ECDSA, K_ECDH, C_NULL, B_0, M_SHA, 0, 0, 0, },
-{0,CS(TLS_ECDH_ECDSA_WITH_RC4_128_SHA),       S_ECDSA, K_ECDH, C_RC4, B_128, M_SHA, 0, 0, 0, },
-{0,CS(TLS_ECDH_ECDSA_WITH_DES_CBC_SHA),       S_ECDSA, K_ECDH, C_DES, B_DES, M_SHA, 0, 0, 0, },
-{0,CS(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA),  S_ECDSA, K_ECDH, C_3DES, B_3DES, M_SHA, 1, 0, 0, },
-{0,CS(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA),   S_ECDSA, K_ECDH, C_AES, B_128, M_SHA, 1, 0, 0, },
-{0,CS(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA),   S_ECDSA, K_ECDH, C_AES, B_256, M_SHA, 1, 0, 0, },
-
-{0,CS(TLS_ECDH_RSA_WITH_NULL_SHA),            S_RSA, K_ECDH, C_NULL, B_0, M_SHA, 0, 0, 0, },
-{0,CS(TLS_ECDH_RSA_WITH_RC4_128_SHA),         S_RSA, K_ECDH, C_RC4, B_128, M_SHA, 0, 0, 0, },
-{0,CS(TLS_ECDH_RSA_WITH_DES_CBC_SHA),         S_RSA, K_ECDH, C_DES, B_DES, M_SHA, 0, 0, 0, },
-{0,CS(TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA),    S_RSA, K_ECDH, C_3DES, B_3DES, M_SHA, 1, 0, 0, },
-{0,CS(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA),     S_RSA, K_ECDH, C_AES, B_128, M_SHA, 1, 0, 0, },
-{0,CS(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA),     S_RSA, K_ECDH, C_AES, B_256, M_SHA, 1, 0, 0, },
-
-{0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA),  S_ECDSA, K_ECDHE, C_AES, B_128, M_SHA, 1, 0, 0, },
-
-{0,CS(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA),    S_RSA, K_ECDHE, C_AES, B_128, M_SHA, 1, 0, 0, },
-#endif /* NSS_ENABLE_ECC */
-
-/* SSL 2 table */
-{0,CK(SSL_CK_RC4_128_WITH_MD5),               S_RSA, K_RSA, C_RC4, B_128, M_MD5, 0, 0, 0, },
-{0,CK(SSL_CK_RC2_128_CBC_WITH_MD5),           S_RSA, K_RSA, C_RC2, B_128, M_MD5, 0, 0, 0, },
-{0,CK(SSL_CK_DES_192_EDE3_CBC_WITH_MD5),      S_RSA, K_RSA, C_3DES,B_3DES,M_MD5, 0, 0, 0, },
-{0,CK(SSL_CK_DES_64_CBC_WITH_MD5),            S_RSA, K_RSA, C_DES, B_DES, M_MD5, 0, 0, 0, },
-{0,CK(SSL_CK_RC4_128_EXPORT40_WITH_MD5),      S_RSA, K_RSA, C_RC4, B_40,  M_MD5, 0, 1, 0, },
-{0,CK(SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5),  S_RSA, K_RSA, C_RC2, B_40,  M_MD5, 0, 1, 0, }
-};
-
-#define NUM_SUITEINFOS ((sizeof suiteInfo) / (sizeof suiteInfo[0]))
-
-
-SECStatus SSL_GetCipherSuiteInfo(PRUint16 cipherSuite, 
-                                 SSLCipherSuiteInfo *info, PRUintn len)
-{
-    unsigned int i;
-
-    len = PR_MIN(len, sizeof suiteInfo[0]);
-    if (!info || len < sizeof suiteInfo[0].length) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-    	return SECFailure;
-    }
-    for (i = 0; i < NUM_SUITEINFOS; i++) {
-    	if (suiteInfo[i].cipherSuite == cipherSuite) {
-	    memcpy(info, &suiteInfo[i], len);
-	    info->length = len;
-	    return SECSuccess;
-	}
-    }
-    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-    return SECFailure;
-}
-
-/* This function might be a candidate to be public. 
- * Disables all export ciphers in the default set of enabled ciphers.
- */
-SECStatus 
-SSL_DisableDefaultExportCipherSuites(void)
-{
-    const SSLCipherSuiteInfo * pInfo = suiteInfo;
-    unsigned int i;
-    SECStatus rv;
-
-    for (i = 0; i < NUM_SUITEINFOS; ++i, ++pInfo) {
-    	if (pInfo->isExportable) {
-	    rv = SSL_CipherPrefSetDefault(pInfo->cipherSuite, PR_FALSE);
-	    PORT_Assert(rv == SECSuccess);
-	}
-    }
-    return SECSuccess;
-}
-
-/* This function might be a candidate to be public, 
- * except that it takes an sslSocket pointer as an argument.
- * A Public version would take a PRFileDesc pointer.
- * Disables all export ciphers in the default set of enabled ciphers.
- */
-SECStatus 
-SSL_DisableExportCipherSuites(PRFileDesc * fd)
-{
-    const SSLCipherSuiteInfo * pInfo = suiteInfo;
-    unsigned int i;
-    SECStatus rv;
-
-    for (i = 0; i < NUM_SUITEINFOS; ++i, ++pInfo) {
-    	if (pInfo->isExportable) {
-	    rv = SSL_CipherPrefSet(fd, pInfo->cipherSuite, PR_FALSE);
-	    PORT_Assert(rv == SECSuccess);
-	}
-    }
-    return SECSuccess;
-}
-
-/* Tells us if the named suite is exportable 
- * returns false for unknown suites.
- */
-PRBool
-SSL_IsExportCipherSuite(PRUint16 cipherSuite)
-{
-    unsigned int i;
-    for (i = 0; i < NUM_SUITEINFOS; i++) {
-    	if (suiteInfo[i].cipherSuite == cipherSuite) {
-	    return (PRBool)(suiteInfo[i].isExportable);
-	}
-    }
-    return PR_FALSE;
-}
diff --git a/security/nss/lib/ssl/sslmutex.c b/security/nss/lib/ssl/sslmutex.c
deleted file mode 100644
index 0c5ae4cee..000000000
--- a/security/nss/lib/ssl/sslmutex.c
+++ /dev/null
@@ -1,673 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2001
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "seccomon.h"
-/* This ifdef should match the one in sslsnce.c */
-#if (defined(XP_UNIX) || defined(XP_WIN32) || defined (XP_OS2) || defined(XP_BEOS)) && !defined(_WIN32_WCE)
-
-#include "sslmutex.h"
-#include "prerr.h"
-
-static SECStatus single_process_sslMutex_Init(sslMutex* pMutex)
-{
-    PR_ASSERT(pMutex != 0 && pMutex->u.sslLock == 0 );
-    
-    pMutex->u.sslLock = PR_NewLock();
-    if (!pMutex->u.sslLock) {
-        return SECFailure;
-    }
-    return SECSuccess;
-}
-
-static SECStatus single_process_sslMutex_Destroy(sslMutex* pMutex)
-{
-    PR_ASSERT(pMutex != 0);
-    PR_ASSERT(pMutex->u.sslLock!= 0);
-    if (!pMutex->u.sslLock) {
-        PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
-        return SECFailure;
-    }
-    PR_DestroyLock(pMutex->u.sslLock);
-    return SECSuccess;
-}
-
-static SECStatus single_process_sslMutex_Unlock(sslMutex* pMutex)
-{
-    PR_ASSERT(pMutex != 0 );
-    PR_ASSERT(pMutex->u.sslLock !=0);
-    if (!pMutex->u.sslLock) {
-        PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
-        return SECFailure;
-    }
-    PR_Unlock(pMutex->u.sslLock);
-    return SECSuccess;
-}
-
-static SECStatus single_process_sslMutex_Lock(sslMutex* pMutex)
-{
-    PR_ASSERT(pMutex != 0);
-    PR_ASSERT(pMutex->u.sslLock != 0 );
-    if (!pMutex->u.sslLock) {
-        PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
-        return SECFailure;
-    }
-    PR_Lock(pMutex->u.sslLock);
-    return SECSuccess;
-}
-
-#if defined(LINUX) || defined(AIX) || defined(VMS) || defined(BEOS) || defined(BSDI) || defined(NETBSD) || defined(OPENBSD)
-
-#include <unistd.h>
-#include <fcntl.h>
-#include <string.h>
-#include <errno.h>
-#include "unix_err.h"
-#include "pratom.h"
-
-#define SSL_MUTEX_MAGIC 0xfeedfd
-#define NONBLOCKING_POSTS 1	/* maybe this is faster */
-
-#if NONBLOCKING_POSTS
-
-#ifndef FNONBLOCK
-#define FNONBLOCK O_NONBLOCK
-#endif
-
-static int
-setNonBlocking(int fd, int nonBlocking)
-{
-    int flags;
-    int err;
-
-    flags = fcntl(fd, F_GETFL, 0);
-    if (0 > flags)
-	return flags;
-    if (nonBlocking)
-	flags |= FNONBLOCK;
-    else
-	flags &= ~FNONBLOCK;
-    err = fcntl(fd, F_SETFL, flags);
-    return err;
-}
-#endif
-
-SECStatus
-sslMutex_Init(sslMutex *pMutex, int shared)
-{
-    int  err;
-    PR_ASSERT(pMutex);
-    pMutex->isMultiProcess = (PRBool)(shared != 0);
-    if (!shared) {
-        return single_process_sslMutex_Init(pMutex);
-    }
-    pMutex->u.pipeStr.mPipes[0] = -1;
-    pMutex->u.pipeStr.mPipes[1] = -1;
-    pMutex->u.pipeStr.mPipes[2] = -1;
-    pMutex->u.pipeStr.nWaiters  =  0;
-
-    err = pipe(pMutex->u.pipeStr.mPipes);
-    if (err) {
-	return err;
-    }
-    /* close-on-exec is false by default */
-    if (!shared) {
-	err = fcntl(pMutex->u.pipeStr.mPipes[0], F_SETFD, FD_CLOEXEC);
-	if (err) 
-	    goto loser;
-
-	err = fcntl(pMutex->u.pipeStr.mPipes[1], F_SETFD, FD_CLOEXEC);
-	if (err) 
-	    goto loser;
-    }
-
-#if NONBLOCKING_POSTS
-    err = setNonBlocking(pMutex->u.pipeStr.mPipes[1], 1);
-    if (err)
-	goto loser;
-#endif
-
-    pMutex->u.pipeStr.mPipes[2] = SSL_MUTEX_MAGIC;
-
-#if defined(LINUX) && defined(i386)
-    /* Pipe starts out empty */
-    return SECSuccess;
-#else
-    /* Pipe starts with one byte. */
-    return sslMutex_Unlock(pMutex);
-#endif
-
-loser:
-    nss_MD_unix_map_default_error(errno);
-    close(pMutex->u.pipeStr.mPipes[0]);
-    close(pMutex->u.pipeStr.mPipes[1]);
-    return SECFailure;
-}
-
-SECStatus
-sslMutex_Destroy(sslMutex *pMutex)
-{
-    if (PR_FALSE == pMutex->isMultiProcess) {
-        return single_process_sslMutex_Destroy(pMutex);
-    }
-    if (pMutex->u.pipeStr.mPipes[2] != SSL_MUTEX_MAGIC) {
-	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
-	return SECFailure;
-    }
-    close(pMutex->u.pipeStr.mPipes[0]);
-    close(pMutex->u.pipeStr.mPipes[1]);
-
-    pMutex->u.pipeStr.mPipes[0] = -1;
-    pMutex->u.pipeStr.mPipes[1] = -1;
-    pMutex->u.pipeStr.mPipes[2] = -1;
-    pMutex->u.pipeStr.nWaiters  =  0;
-
-    return SECSuccess;
-}
-
-#if defined(LINUX) && defined(i386)
-/* No memory barrier needed for this platform */
-
-/* nWaiters includes the holder of the lock (if any) and the number
-** threads waiting for it.  After incrementing nWaiters, if the count
-** is exactly 1, then you have the lock and may proceed.  If the 
-** count is greater than 1, then you must wait on the pipe.
-*/ 
-
-
-SECStatus 
-sslMutex_Unlock(sslMutex *pMutex)
-{
-    PRInt32 newValue;
-    if (PR_FALSE == pMutex->isMultiProcess) {
-        return single_process_sslMutex_Unlock(pMutex);
-    }
-
-    if (pMutex->u.pipeStr.mPipes[2] != SSL_MUTEX_MAGIC) {
-	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
-	return SECFailure;
-    }
-    /* Do Memory Barrier here. */
-    newValue = PR_AtomicDecrement(&pMutex->u.pipeStr.nWaiters);
-    if (newValue > 0) {
-	int  cc;
-	char c  = 1;
-	do {
-	    cc = write(pMutex->u.pipeStr.mPipes[1], &c, 1);
-	} while (cc < 0 && (errno == EINTR || errno == EAGAIN));
-	if (cc != 1) {
-	    if (cc < 0)
-		nss_MD_unix_map_default_error(errno);
-	    else
-		PORT_SetError(PR_UNKNOWN_ERROR);
-	    return SECFailure;
-	}
-    }
-    return SECSuccess;
-}
-
-SECStatus 
-sslMutex_Lock(sslMutex *pMutex)
-{
-    PRInt32 newValue;
-    if (PR_FALSE == pMutex->isMultiProcess) {
-        return single_process_sslMutex_Lock(pMutex);
-    }
-
-    if (pMutex->u.pipeStr.mPipes[2] != SSL_MUTEX_MAGIC) {
-	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
-	return SECFailure;
-    }
-    newValue = PR_AtomicIncrement(&pMutex->u.pipeStr.nWaiters);
-    /* Do Memory Barrier here. */
-    if (newValue > 1) {
-	int   cc;
-	char  c;
-	do {
-	    cc = read(pMutex->u.pipeStr.mPipes[0], &c, 1);
-	} while (cc < 0 && errno == EINTR);
-	if (cc != 1) {
-	    if (cc < 0)
-		nss_MD_unix_map_default_error(errno);
-	    else
-		PORT_SetError(PR_UNKNOWN_ERROR);
-	    return SECFailure;
-	}
-    }
-    return SECSuccess;
-}
-
-#else
-
-/* Using Atomic operations requires the use of a memory barrier instruction 
-** on PowerPC, Sparc, and Alpha.  NSPR's PR_Atomic functions do not perform
-** them, and NSPR does not provide a function that does them (e.g. PR_Barrier).
-** So, we don't use them on those platforms. 
-*/
-
-SECStatus 
-sslMutex_Unlock(sslMutex *pMutex)
-{
-    int  cc;
-    char c  = 1;
-
-    if (PR_FALSE == pMutex->isMultiProcess) {
-        return single_process_sslMutex_Unlock(pMutex);
-    }
-
-    if (pMutex->u.pipeStr.mPipes[2] != SSL_MUTEX_MAGIC) {
-	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
-	return SECFailure;
-    }
-    do {
-	cc = write(pMutex->u.pipeStr.mPipes[1], &c, 1);
-    } while (cc < 0 && (errno == EINTR || errno == EAGAIN));
-    if (cc != 1) {
-	if (cc < 0)
-	    nss_MD_unix_map_default_error(errno);
-	else
-	    PORT_SetError(PR_UNKNOWN_ERROR);
-	return SECFailure;
-    }
-
-    return SECSuccess;
-}
-
-SECStatus 
-sslMutex_Lock(sslMutex *pMutex)
-{
-    int   cc;
-    char  c;
-
-    if (PR_FALSE == pMutex->isMultiProcess) {
-        return single_process_sslMutex_Lock(pMutex);
-    }
- 
-    if (pMutex->u.pipeStr.mPipes[2] != SSL_MUTEX_MAGIC) {
-	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
-	return SECFailure;
-    }
-
-    do {
-	cc = read(pMutex->u.pipeStr.mPipes[0], &c, 1);
-    } while (cc < 0 && errno == EINTR);
-    if (cc != 1) {
-	if (cc < 0)
-	    nss_MD_unix_map_default_error(errno);
-	else
-	    PORT_SetError(PR_UNKNOWN_ERROR);
-	return SECFailure;
-    }
-
-    return SECSuccess;
-}
-
-#endif
-
-#elif defined(WIN32)
-
-#include "win32err.h"
-
-/* on Windows, we need to find the optimal type of locking mechanism to use
- for the sslMutex.
-
- There are 3 cases :
- 1) single-process, use a PRLock, as for all other platforms
- 2) Win95 multi-process, use a Win32 mutex
- 3) on WINNT multi-process, use a PRLock + a Win32 mutex
-
-*/
-
-#ifdef WINNT
-
-SECStatus sslMutex_2LevelInit(sslMutex *sem)
-{
-    /*  the following adds a PRLock to sslMutex . This is done in each
-        process of a multi-process server and is only needed on WINNT, if
-        using fibers. We can't tell if native threads or fibers are used, so
-        we always do it on WINNT
-    */
-    PR_ASSERT(sem);
-    if (sem) {
-        /* we need to reset the sslLock in the children or the single_process init
-           function below will assert */
-        sem->u.sslLock = NULL;
-    }
-    return single_process_sslMutex_Init(sem);
-}
-
-static SECStatus sslMutex_2LevelDestroy(sslMutex *sem)
-{
-    return single_process_sslMutex_Destroy(sem);
-}
-
-#endif
-
-SECStatus
-sslMutex_Init(sslMutex *pMutex, int shared)
-{
-#ifdef WINNT
-    SECStatus retvalue;
-#endif
-    HANDLE hMutex;
-    SECURITY_ATTRIBUTES attributes =
-                                { sizeof(SECURITY_ATTRIBUTES), NULL, TRUE };
-
-    PR_ASSERT(pMutex != 0 && (pMutex->u.sslMutx == 0 || 
-              pMutex->u.sslMutx == INVALID_HANDLE_VALUE) );
-    
-    pMutex->isMultiProcess = (PRBool)(shared != 0);
-    
-    if (PR_FALSE == pMutex->isMultiProcess) {
-        return single_process_sslMutex_Init(pMutex);
-    }
-    
-#ifdef WINNT
-    /*  we need a lock on WINNT for fibers in the parent process */
-    retvalue = sslMutex_2LevelInit(pMutex);
-    if (SECSuccess != retvalue)
-        return SECFailure;
-#endif
-    
-    if (!pMutex || ((hMutex = pMutex->u.sslMutx) != 0 && 
-        hMutex != INVALID_HANDLE_VALUE)) {
-        PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
-        return SECFailure;
-    }
-    attributes.bInheritHandle = (shared ? TRUE : FALSE);
-    hMutex = CreateMutex(&attributes, FALSE, NULL);
-    if (hMutex == NULL) {
-        hMutex = INVALID_HANDLE_VALUE;
-        nss_MD_win32_map_default_error(GetLastError());
-        return SECFailure;
-    }
-    pMutex->u.sslMutx = hMutex;
-    return SECSuccess;
-}
-
-SECStatus
-sslMutex_Destroy(sslMutex *pMutex)
-{
-    HANDLE hMutex;
-    int    rv;
-    int retvalue = SECSuccess;
-
-    PR_ASSERT(pMutex != 0);
-    if (PR_FALSE == pMutex->isMultiProcess) {
-        return single_process_sslMutex_Destroy(pMutex);
-    }
-
-    /*  multi-process mode */    
-#ifdef WINNT
-    /* on NT, get rid of the PRLock used for fibers within a process */
-    retvalue = sslMutex_2LevelDestroy(pMutex);
-#endif
-    
-    PR_ASSERT( pMutex->u.sslMutx != 0 && 
-               pMutex->u.sslMutx != INVALID_HANDLE_VALUE);
-    if (!pMutex || (hMutex = pMutex->u.sslMutx) == 0 
-        || hMutex == INVALID_HANDLE_VALUE) {
-        PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
-        return SECFailure;
-    }
-    
-    rv = CloseHandle(hMutex); /* ignore error */
-    if (rv) {
-        pMutex->u.sslMutx = hMutex = INVALID_HANDLE_VALUE;
-    } else {
-        nss_MD_win32_map_default_error(GetLastError());
-        retvalue = SECFailure;
-    }
-    return retvalue;
-}
-
-int 
-sslMutex_Unlock(sslMutex *pMutex)
-{
-    BOOL   success = FALSE;
-    HANDLE hMutex;
-
-    PR_ASSERT(pMutex != 0 );
-    if (PR_FALSE == pMutex->isMultiProcess) {
-        return single_process_sslMutex_Unlock(pMutex);
-    }
-    
-    PR_ASSERT(pMutex->u.sslMutx != 0 && 
-              pMutex->u.sslMutx != INVALID_HANDLE_VALUE);
-    if (!pMutex || (hMutex = pMutex->u.sslMutx) == 0 ||
-        hMutex == INVALID_HANDLE_VALUE) {
-        PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
-        return SECFailure;
-    }
-    success = ReleaseMutex(hMutex);
-    if (!success) {
-        nss_MD_win32_map_default_error(GetLastError());
-        return SECFailure;
-    }
-#ifdef WINNT
-    return single_process_sslMutex_Unlock(pMutex);
-    /* release PRLock for other fibers in the process */
-#else
-    return SECSuccess;
-#endif
-}
-
-int 
-sslMutex_Lock(sslMutex *pMutex)
-{
-    HANDLE    hMutex;
-    DWORD     event;
-    DWORD     lastError;
-    SECStatus rv;
-    SECStatus retvalue = SECSuccess;
-    PR_ASSERT(pMutex != 0);
-
-    if (PR_FALSE == pMutex->isMultiProcess) {
-        return single_process_sslMutex_Lock(pMutex);
-    }
-#ifdef WINNT
-    /* lock first to preserve from other threads/fibers
-       in the same process */
-    retvalue = single_process_sslMutex_Lock(pMutex);
-#endif
-    PR_ASSERT(pMutex->u.sslMutx != 0 && 
-              pMutex->u.sslMutx != INVALID_HANDLE_VALUE);
-    if (!pMutex || (hMutex = pMutex->u.sslMutx) == 0 || 
-        hMutex == INVALID_HANDLE_VALUE) {
-        PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
-        return SECFailure;      /* what else ? */
-    }
-    /* acquire the mutex to be the only owner accross all other processes */
-    event = WaitForSingleObject(hMutex, INFINITE);
-    switch (event) {
-    case WAIT_OBJECT_0:
-    case WAIT_ABANDONED:
-        rv = SECSuccess;
-        break;
-
-    case WAIT_TIMEOUT:
-#if defined(WAIT_IO_COMPLETION)
-    case WAIT_IO_COMPLETION:
-#endif
-    default:            /* should never happen. nothing we can do. */
-        PR_ASSERT(!("WaitForSingleObject returned invalid value."));
-	PORT_SetError(PR_UNKNOWN_ERROR);
-	rv = SECFailure;
-	break;
-
-    case WAIT_FAILED:           /* failure returns this */
-        rv = SECFailure;
-        lastError = GetLastError();     /* for debugging */
-        nss_MD_win32_map_default_error(lastError);
-        break;
-    }
-
-    if (! (SECSuccess == retvalue && SECSuccess == rv)) {
-        return SECFailure;
-    }
-    
-    return SECSuccess;
-}
-
-#elif defined(XP_UNIX)
-
-#include <errno.h>
-#include "unix_err.h"
-
-SECStatus 
-sslMutex_Init(sslMutex *pMutex, int shared)
-{
-    int rv;
-    PR_ASSERT(pMutex);
-    pMutex->isMultiProcess = (PRBool)(shared != 0);
-    if (!shared) {
-        return single_process_sslMutex_Init(pMutex);
-    }
-    do {
-        rv = sem_init(&pMutex->u.sem, shared, 1);
-    } while (rv < 0 && errno == EINTR);
-    if (rv < 0) {
-        nss_MD_unix_map_default_error(errno);
-        return SECFailure;
-    }
-    return SECSuccess;
-}
-
-SECStatus 
-sslMutex_Destroy(sslMutex *pMutex)
-{
-    int rv;
-    if (PR_FALSE == pMutex->isMultiProcess) {
-        return single_process_sslMutex_Destroy(pMutex);
-    }
-    do {
-	rv = sem_destroy(&pMutex->u.sem);
-    } while (rv < 0 && errno == EINTR);
-    if (rv < 0) {
-	nss_MD_unix_map_default_error(errno);
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-SECStatus 
-sslMutex_Unlock(sslMutex *pMutex)
-{
-    int rv;
-    if (PR_FALSE == pMutex->isMultiProcess) {
-        return single_process_sslMutex_Unlock(pMutex);
-    }
-    do {
-	rv = sem_post(&pMutex->u.sem);
-    } while (rv < 0 && errno == EINTR);
-    if (rv < 0) {
-	nss_MD_unix_map_default_error(errno);
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-SECStatus 
-sslMutex_Lock(sslMutex *pMutex)
-{
-    int rv;
-    if (PR_FALSE == pMutex->isMultiProcess) {
-        return single_process_sslMutex_Lock(pMutex);
-    }
-    do {
-	rv = sem_wait(&pMutex->u.sem);
-    } while (rv < 0 && errno == EINTR);
-    if (rv < 0) {
-	nss_MD_unix_map_default_error(errno);
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-#else
-
-SECStatus 
-sslMutex_Init(sslMutex *pMutex, int shared)
-{
-    PR_ASSERT(pMutex);
-    pMutex->isMultiProcess = (PRBool)(shared != 0);
-    if (!shared) {
-        return single_process_sslMutex_Init(pMutex);
-    }
-    PORT_Assert(!("sslMutex_Init not implemented for multi-process applications !"));
-    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
-    return SECFailure;
-}
-
-SECStatus 
-sslMutex_Destroy(sslMutex *pMutex)
-{
-    PR_ASSERT(pMutex);
-    if (PR_FALSE == pMutex->isMultiProcess) {
-        return single_process_sslMutex_Destroy(pMutex);
-    }
-    PORT_Assert(!("sslMutex_Destroy not implemented for multi-process applications !"));
-    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
-    return SECFailure;
-}
-
-SECStatus 
-sslMutex_Unlock(sslMutex *pMutex)
-{
-    PR_ASSERT(pMutex);
-    if (PR_FALSE == pMutex->isMultiProcess) {
-        return single_process_sslMutex_Unlock(pMutex);
-    }
-    PORT_Assert(!("sslMutex_Unlock not implemented for multi-process applications !"));
-    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
-    return SECFailure;
-}
-
-SECStatus 
-sslMutex_Lock(sslMutex *pMutex)
-{
-    PR_ASSERT(pMutex);
-    if (PR_FALSE == pMutex->isMultiProcess) {
-        return single_process_sslMutex_Lock(pMutex);
-    }
-    PORT_Assert(!("sslMutex_Lock not implemented for multi-process applications !"));
-    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
-    return SECFailure;
-}
-
-#endif
-
-#endif
diff --git a/security/nss/lib/ssl/sslmutex.h b/security/nss/lib/ssl/sslmutex.h
deleted file mode 100644
index 645b6c5bd..000000000
--- a/security/nss/lib/ssl/sslmutex.h
+++ /dev/null
@@ -1,151 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2001
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-#ifndef __SSLMUTEX_H_
-#define __SSLMUTEX_H_ 1
-
-/* What SSL really wants is portable process-shared unnamed mutexes in 
- * shared memory, that have the property that if the process that holds
- * them dies, they are released automatically, and that (unlike fcntl 
- * record locking) lock to the thread, not to the process.  
- * NSPR doesn't provide that.  
- * Windows has mutexes that meet that description, but they're not portable.  
- * POSIX mutexes are not automatically released when the holder dies, 
- * and other processes/threads cannot release the mutex on behalf of the 
- * dead holder.  
- * POSIX semaphores can be used to accomplish this on systems that implement 
- * process-shared unnamed POSIX semaphores, because a watchdog thread can 
- * discover and release semaphores that were held by a dead process.  
- * On systems that do not support process-shared POSIX unnamed semaphores, 
- * they can be emulated using pipes.  
- * The performance cost of doing that is not yet measured.
- *
- * So, this API looks a lot like POSIX pthread mutexes.
- */
-
-#include "prtypes.h"
-#include "prlock.h"
-
-#if defined(WIN32)
-
-#include <wtypes.h>
-
-typedef struct 
-{
-    PRBool isMultiProcess;
-#ifdef WINNT
-    /* on WINNT we need both the PRLock and the Win32 mutex for fibers */
-    struct {
-#else
-    union {
-#endif
-        PRLock* sslLock;
-        HANDLE sslMutx;
-    } u;
-} sslMutex;
-
-typedef int    sslPID;
-
-#elif defined(LINUX) || defined(AIX) || defined(VMS) || defined(BEOS) || defined(BSDI) || defined(NETBSD) || defined(OPENBSD)
-
-#include <sys/types.h>
-#include "prtypes.h"
-
-typedef struct { 
-    PRBool isMultiProcess;
-    union {
-        PRLock* sslLock;
-        struct {
-            int      mPipes[3]; 
-            PRInt32  nWaiters;
-        } pipeStr;
-    } u;
-} sslMutex;
-typedef pid_t sslPID;
-
-#elif defined(XP_UNIX) /* other types of Unix */
-
-#include <sys/types.h>	/* for pid_t */
-#include <semaphore.h>  /* for sem_t, and sem_* functions */
-
-typedef struct
-{
-    PRBool isMultiProcess;
-    union {
-        PRLock* sslLock;
-        sem_t  sem;
-    } u;
-} sslMutex;
-
-typedef pid_t sslPID;
-
-#else
-
-/* what platform is this ?? */
-
-typedef struct { 
-    PRBool isMultiProcess;
-    union {
-        PRLock* sslLock;
-        /* include cross-process locking mechanism here */
-    } u;
-} sslMutex;
-
-typedef int sslPID;
-
-#endif
-
-#include "seccomon.h"
-
-SEC_BEGIN_PROTOS
-
-extern SECStatus sslMutex_Init(sslMutex *sem, int shared);
-
-extern SECStatus sslMutex_Destroy(sslMutex *sem);
-
-extern SECStatus sslMutex_Unlock(sslMutex *sem);
-
-extern SECStatus sslMutex_Lock(sslMutex *sem);
-
-#ifdef WINNT
-
-extern SECStatus sslMutex_2LevelInit(sslMutex *sem);
-
-#endif
-
-SEC_END_PROTOS
-
-#endif
diff --git a/security/nss/lib/ssl/sslnonce.c b/security/nss/lib/ssl/sslnonce.c
deleted file mode 100644
index e2dbcf0a5..000000000
--- a/security/nss/lib/ssl/sslnonce.c
+++ /dev/null
@@ -1,375 +0,0 @@
-/* 
- * This file implements the CLIENT Session ID cache.  
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "nssrenam.h"
-#include "cert.h"
-#include "secitem.h"
-#include "ssl.h"
-
-#include "sslimpl.h"
-#include "sslproto.h"
-#include "nssilock.h"
-#include "nsslocks.h"
-#if (defined(XP_UNIX) || defined(XP_WIN) || defined(_WINDOWS) || defined(XP_BEOS)) && !defined(_WIN32_WCE)
-#include <time.h>
-#endif
-
-PRUint32 ssl_sid_timeout = 100;
-PRUint32 ssl3_sid_timeout = 86400L; /* 24 hours */
-
-static sslSessionID *cache = NULL;
-static PZLock *      cacheLock = NULL;
-
-/* sids can be in one of 4 states:
- *
- * never_cached, 	created, but not yet put into cache. 
- * in_client_cache, 	in the client cache's linked list.
- * in_server_cache, 	entry came from the server's cache file.
- * invalid_cache	has been removed from the cache. 
- */
-
-#define LOCK_CACHE 	lock_cache()
-#define UNLOCK_CACHE	PZ_Unlock(cacheLock)
-
-void ssl_InitClientSessionCacheLock(void)
-{
-    if (!cacheLock)
-	nss_InitLock(&cacheLock, nssILockCache);
-}
-
-static void 
-lock_cache(void)
-{
-    ssl_InitClientSessionCacheLock();
-    PZ_Lock(cacheLock);
-}
-
-/* BEWARE: This function gets called for both client and server SIDs !!
- * If the unreferenced sid is not in the cache, Free sid and its contents.
- */
-static void
-ssl_DestroySID(sslSessionID *sid)
-{
-    SSL_TRC(8, ("SSL: destroy sid: sid=0x%x cached=%d", sid, sid->cached));
-    PORT_Assert((sid->references == 0));
-
-    if (sid->cached == in_client_cache)
-    	return;	/* it will get taken care of next time cache is traversed. */
-
-    if (sid->version < SSL_LIBRARY_VERSION_3_0) {
-	SECITEM_ZfreeItem(&sid->u.ssl2.masterKey, PR_FALSE);
-	SECITEM_ZfreeItem(&sid->u.ssl2.cipherArg, PR_FALSE);
-    }
-    if (sid->peerID != NULL)
-	PORT_Free((void *)sid->peerID);		/* CONST */
-
-    if (sid->urlSvrName != NULL)
-	PORT_Free((void *)sid->urlSvrName);	/* CONST */
-
-    if ( sid->peerCert ) {
-	CERT_DestroyCertificate(sid->peerCert);
-    }
-    if ( sid->localCert ) {
-	CERT_DestroyCertificate(sid->localCert);
-    }
-    
-    PORT_ZFree(sid, sizeof(sslSessionID));
-}
-
-/* BEWARE: This function gets called for both client and server SIDs !!
- * Decrement reference count, and 
- *    free sid if ref count is zero, and sid is not in the cache. 
- * Does NOT remove from the cache first.  
- * If the sid is still in the cache, it is left there until next time
- * the cache list is traversed.
- */
-static void 
-ssl_FreeLockedSID(sslSessionID *sid)
-{
-    PORT_Assert(sid->references >= 1);
-    if (--sid->references == 0) {
-	ssl_DestroySID(sid);
-    }
-}
-
-/* BEWARE: This function gets called for both client and server SIDs !!
- * Decrement reference count, and 
- *    free sid if ref count is zero, and sid is not in the cache. 
- * Does NOT remove from the cache first.  
- * These locks are necessary because the sid _might_ be in the cache list.
- */
-void
-ssl_FreeSID(sslSessionID *sid)
-{
-    LOCK_CACHE;
-    ssl_FreeLockedSID(sid);
-    UNLOCK_CACHE;
-}
-
-/************************************************************************/
-
-/*
-**  Lookup sid entry in cache by Address, port, and peerID string.
-**  If found, Increment reference count, and return pointer to caller.
-**  If it has timed out or ref count is zero, remove from list and free it.
-*/
-
-sslSessionID *
-ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port, const char *peerID, 
-              const char * urlSvrName)
-{
-    sslSessionID **sidp;
-    sslSessionID * sid;
-    PRUint32       now;
-
-    if (!urlSvrName)
-    	return NULL;
-    now = ssl_Time();
-    LOCK_CACHE;
-    sidp = &cache;
-    while ((sid = *sidp) != 0) {
-	PORT_Assert(sid->cached == in_client_cache);
-	PORT_Assert(sid->references >= 1);
-
-	SSL_TRC(8, ("SSL: Lookup1: sid=0x%x", sid));
-
-	if (sid->expirationTime < now || !sid->references) {
-	    /*
-	    ** This session-id timed out, or was orphaned.
-	    ** Don't even care who it belongs to, blow it out of our cache.
-	    */
-	    SSL_TRC(7, ("SSL: lookup1, throwing sid out, age=%d refs=%d",
-			now - sid->creationTime, sid->references));
-
-	    *sidp = sid->next; 			/* delink it from the list. */
-	    sid->cached = invalid_cache;	/* mark not on list. */
-	    if (!sid->references)
-	    	ssl_DestroySID(sid);
-	    else
-		ssl_FreeLockedSID(sid);		/* drop ref count, free. */
-
-	} else if (!memcmp(&sid->addr, addr, sizeof(PRIPv6Addr)) && /* server IP addr matches */
-	           (sid->port == port) && /* server port matches */
-		   /* proxy (peerID) matches */
-		   (((peerID == NULL) && (sid->peerID == NULL)) ||
-		    ((peerID != NULL) && (sid->peerID != NULL) &&
-		     PORT_Strcmp(sid->peerID, peerID) == 0)) &&
-		   /* is cacheable */
-		   (sid->version < SSL_LIBRARY_VERSION_3_0 ||
-		    sid->u.ssl3.keys.resumable) &&
-		   /* server hostname matches. */
-	           (sid->urlSvrName != NULL) &&
-		   ((0 == PORT_Strcmp(urlSvrName, sid->urlSvrName)) ||
-		    ((sid->peerCert != NULL) && (SECSuccess == 
-		      CERT_VerifyCertName(sid->peerCert, urlSvrName))) )
-		  ) {
-	    /* Hit */
-	    sid->lastAccessTime = now;
-	    sid->references++;
-	    break;
-	} else {
-	    sidp = &sid->next;
-	}
-    }
-    UNLOCK_CACHE;
-    return sid;
-}
-
-/*
-** Add an sid to the cache or return a previously cached entry to the cache.
-** Although this is static, it is called via ss->sec.cache().
-*/
-static void 
-CacheSID(sslSessionID *sid)
-{
-    PRUint32  expirationPeriod;
-    SSL_TRC(8, ("SSL: Cache: sid=0x%x cached=%d addr=0x%08x%08x%08x%08x port=0x%04x "
-		"time=%x cached=%d",
-		sid, sid->cached, sid->addr.pr_s6_addr32[0], 
-		sid->addr.pr_s6_addr32[1], sid->addr.pr_s6_addr32[2],
-		sid->addr.pr_s6_addr32[3],  sid->port, sid->creationTime,
-		sid->cached));
-
-    if (sid->cached == in_client_cache)
-	return;
-
-    if (!sid->urlSvrName) {
-        /* don't cache this SID because it can never be matched */
-        return;
-    }
-
-    /* XXX should be different trace for version 2 vs. version 3 */
-    if (sid->version < SSL_LIBRARY_VERSION_3_0) {
-	expirationPeriod = ssl_sid_timeout;
-	PRINT_BUF(8, (0, "sessionID:",
-		  sid->u.ssl2.sessionID, sizeof(sid->u.ssl2.sessionID)));
-	PRINT_BUF(8, (0, "masterKey:",
-		  sid->u.ssl2.masterKey.data, sid->u.ssl2.masterKey.len));
-	PRINT_BUF(8, (0, "cipherArg:",
-		  sid->u.ssl2.cipherArg.data, sid->u.ssl2.cipherArg.len));
-    } else {
-	if (sid->u.ssl3.sessionIDLength == 0) 
-	    return;
-	expirationPeriod = ssl3_sid_timeout;
-	PRINT_BUF(8, (0, "sessionID:",
-		      sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength));
-    }
-    PORT_Assert(sid->creationTime != 0 && sid->expirationTime != 0);
-    if (!sid->creationTime)
-	sid->lastAccessTime = sid->creationTime = ssl_Time();
-    if (!sid->expirationTime)
-	sid->expirationTime = sid->creationTime + expirationPeriod;
-
-    /*
-     * Put sid into the cache.  Bump reference count to indicate that
-     * cache is holding a reference. Uncache will reduce the cache
-     * reference.
-     */
-    LOCK_CACHE;
-    sid->references++;
-    sid->cached = in_client_cache;
-    sid->next   = cache;
-    cache       = sid;
-    UNLOCK_CACHE;
-}
-
-/* 
- * If sid "zap" is in the cache,
- *    removes sid from cache, and decrements reference count.
- * Caller must hold cache lock.
- */
-static void
-UncacheSID(sslSessionID *zap)
-{
-    sslSessionID **sidp = &cache;
-    sslSessionID *sid;
-
-    if (zap->cached != in_client_cache) {
-	return;
-    }
-
-    SSL_TRC(8,("SSL: Uncache: zap=0x%x cached=%d addr=0x%08x%08x%08x%08x port=0x%04x "
-	       "time=%x cipher=%d",
-	       zap, zap->cached, zap->addr.pr_s6_addr32[0],
-	       zap->addr.pr_s6_addr32[1], zap->addr.pr_s6_addr32[2],
-	       zap->addr.pr_s6_addr32[3], zap->port, zap->creationTime,
-	       zap->u.ssl2.cipherType));
-    if (zap->version < SSL_LIBRARY_VERSION_3_0) {
-	PRINT_BUF(8, (0, "sessionID:",
-		      zap->u.ssl2.sessionID, sizeof(zap->u.ssl2.sessionID)));
-	PRINT_BUF(8, (0, "masterKey:",
-		      zap->u.ssl2.masterKey.data, zap->u.ssl2.masterKey.len));
-	PRINT_BUF(8, (0, "cipherArg:",
-		      zap->u.ssl2.cipherArg.data, zap->u.ssl2.cipherArg.len));
-    }
-
-    /* See if it's in the cache, if so nuke it */
-    while ((sid = *sidp) != 0) {
-	if (sid == zap) {
-	    /*
-	    ** Bingo. Reduce reference count by one so that when
-	    ** everyone is done with the sid we can free it up.
-	    */
-	    *sidp = zap->next;
-	    zap->cached = invalid_cache;
-	    ssl_FreeLockedSID(zap);
-	    return;
-	}
-	sidp = &sid->next;
-    }
-}
-
-/* If sid "zap" is in the cache,
- *    removes sid from cache, and decrements reference count.
- * Although this function is static, it is called externally via 
- *    ss->sec.uncache().
- */
-static void
-LockAndUncacheSID(sslSessionID *zap)
-{
-    LOCK_CACHE;
-    UncacheSID(zap);
-    UNLOCK_CACHE;
-
-}
-
-/* choose client or server cache functions for this sslsocket. */
-void 
-ssl_ChooseSessionIDProcs(sslSecurityInfo *sec)
-{
-    if (sec->isServer) {
-	sec->cache   = ssl_sid_cache;
-	sec->uncache = ssl_sid_uncache;
-    } else {
-	sec->cache   = CacheSID;
-	sec->uncache = LockAndUncacheSID;
-    }
-}
-
-/* wipe out the entire client session cache. */
-void
-SSL_ClearSessionCache(void)
-{
-    LOCK_CACHE;
-    while(cache != NULL)
-	UncacheSID(cache);
-    UNLOCK_CACHE;
-}
-
-/* returns an unsigned int containing the number of seconds in PR_Now() */
-PRUint32
-ssl_Time(void)
-{
-    PRUint32 myTime;
-#if (defined(XP_UNIX) || defined(XP_WIN) || defined(_WINDOWS) || defined(XP_BEOS)) && !defined(_WIN32_WCE)
-    myTime = time(NULL);	/* accurate until the year 2038. */
-#else
-    /* portable, but possibly slower */
-    PRTime now;
-    PRInt64 ll;
-
-    now = PR_Now();
-    LL_I2L(ll, 1000000L);
-    LL_DIV(now, now, ll);
-    LL_L2UI(myTime, now);
-#endif
-    return myTime;
-}
-
diff --git a/security/nss/lib/ssl/sslproto.h b/security/nss/lib/ssl/sslproto.h
deleted file mode 100644
index e7a998126..000000000
--- a/security/nss/lib/ssl/sslproto.h
+++ /dev/null
@@ -1,199 +0,0 @@
-/*
- * Various and sundry protocol constants. DON'T CHANGE THESE. These values 
- * are mostly defined by the SSL2, SSL3, or TLS protocol specifications.
- * Cipher kinds and ciphersuites are part of the public API.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#ifndef __sslproto_h_
-#define __sslproto_h_
-
-/* All versions less than 3_0 are treated as SSL version 2 */
-#define SSL_LIBRARY_VERSION_2			0x0002
-#define SSL_LIBRARY_VERSION_3_0			0x0300
-#define SSL_LIBRARY_VERSION_3_1_TLS		0x0301
-
-/* Header lengths of some of the messages */
-#define SSL_HL_ERROR_HBYTES			3
-#define SSL_HL_CLIENT_HELLO_HBYTES		9
-#define SSL_HL_CLIENT_MASTER_KEY_HBYTES		10
-#define SSL_HL_CLIENT_FINISHED_HBYTES		1
-#define SSL_HL_SERVER_HELLO_HBYTES		11
-#define SSL_HL_SERVER_VERIFY_HBYTES		1
-#define SSL_HL_SERVER_FINISHED_HBYTES		1
-#define SSL_HL_REQUEST_CERTIFICATE_HBYTES	2
-#define SSL_HL_CLIENT_CERTIFICATE_HBYTES	6
-
-/* Security handshake protocol codes */
-#define SSL_MT_ERROR				0
-#define SSL_MT_CLIENT_HELLO			1
-#define SSL_MT_CLIENT_MASTER_KEY		2
-#define SSL_MT_CLIENT_FINISHED			3
-#define SSL_MT_SERVER_HELLO			4
-#define SSL_MT_SERVER_VERIFY			5
-#define SSL_MT_SERVER_FINISHED			6
-#define SSL_MT_REQUEST_CERTIFICATE		7
-#define SSL_MT_CLIENT_CERTIFICATE		8
-
-/* Certificate types */
-#define SSL_CT_X509_CERTIFICATE			0x01
-#if 0 /* XXX Not implemented yet */
-#define SSL_PKCS6_CERTIFICATE			0x02
-#endif
-#define SSL_AT_MD5_WITH_RSA_ENCRYPTION		0x01
-
-/* Error codes */
-#define SSL_PE_NO_CYPHERS			0x0001
-#define SSL_PE_NO_CERTIFICATE			0x0002
-#define SSL_PE_BAD_CERTIFICATE			0x0004
-#define SSL_PE_UNSUPPORTED_CERTIFICATE_TYPE	0x0006
-
-/* Cypher kinds (not the spec version!) */
-#define SSL_CK_RC4_128_WITH_MD5			0x01
-#define SSL_CK_RC4_128_EXPORT40_WITH_MD5	0x02
-#define SSL_CK_RC2_128_CBC_WITH_MD5		0x03
-#define SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5	0x04
-#define SSL_CK_IDEA_128_CBC_WITH_MD5		0x05
-#define SSL_CK_DES_64_CBC_WITH_MD5		0x06
-#define SSL_CK_DES_192_EDE3_CBC_WITH_MD5	0x07
-
-/* Cipher enables.  These are used only for SSL_EnableCipher 
- * These values define the SSL2 suites, and do not colide with the 
- * SSL3 Cipher suites defined below.
- */
-#define SSL_EN_RC4_128_WITH_MD5			0xFF01
-#define SSL_EN_RC4_128_EXPORT40_WITH_MD5	0xFF02
-#define SSL_EN_RC2_128_CBC_WITH_MD5		0xFF03
-#define SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5	0xFF04
-#define SSL_EN_IDEA_128_CBC_WITH_MD5		0xFF05
-#define SSL_EN_DES_64_CBC_WITH_MD5		0xFF06
-#define SSL_EN_DES_192_EDE3_CBC_WITH_MD5	0xFF07
-
-/* SSL v3 Cipher Suites */
-#define SSL_NULL_WITH_NULL_NULL			0x0000
-
-#define SSL_RSA_WITH_NULL_MD5			0x0001
-#define SSL_RSA_WITH_NULL_SHA			0x0002
-#define SSL_RSA_EXPORT_WITH_RC4_40_MD5		0x0003
-#define SSL_RSA_WITH_RC4_128_MD5		0x0004
-#define SSL_RSA_WITH_RC4_128_SHA		0x0005
-#define SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5	0x0006
-#define SSL_RSA_WITH_IDEA_CBC_SHA		0x0007
-#define SSL_RSA_EXPORT_WITH_DES40_CBC_SHA	0x0008
-#define SSL_RSA_WITH_DES_CBC_SHA		0x0009
-#define SSL_RSA_WITH_3DES_EDE_CBC_SHA		0x000a
-						       
-#define SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA	0x000b
-#define SSL_DH_DSS_WITH_DES_CBC_SHA		0x000c
-#define SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA	0x000d
-#define SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA	0x000e
-#define SSL_DH_RSA_WITH_DES_CBC_SHA		0x000f
-#define SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA	0x0010
-						       
-#define SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA	0x0011
-#define SSL_DHE_DSS_WITH_DES_CBC_SHA		0x0012
-#define SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA	0x0013
-#define SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA	0x0014
-#define SSL_DHE_RSA_WITH_DES_CBC_SHA		0x0015
-#define SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA	0x0016
-						       
-#define SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5	0x0017
-#define SSL_DH_ANON_WITH_RC4_128_MD5		0x0018
-#define SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA	0x0019
-#define SSL_DH_ANON_WITH_DES_CBC_SHA		0x001a
-#define SSL_DH_ANON_WITH_3DES_EDE_CBC_SHA	0x001b
-
-#define SSL_FORTEZZA_DMS_WITH_NULL_SHA		0x001c /* deprecated */
-#define SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA	0x001d /* deprecated */
-#define SSL_FORTEZZA_DMS_WITH_RC4_128_SHA	0x001e /* deprecated */
-
-/* New TLS cipher suites */
-#define TLS_RSA_WITH_AES_128_CBC_SHA      	0x002F
-#define TLS_DH_DSS_WITH_AES_128_CBC_SHA   	0x0030
-#define TLS_DH_RSA_WITH_AES_128_CBC_SHA   	0x0031
-#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA  	0x0032
-#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA  	0x0033
-#define TLS_DH_ANON_WITH_AES_128_CBC_SHA  	0x0034
-
-#define TLS_RSA_WITH_AES_256_CBC_SHA      	0x0035
-#define TLS_DH_DSS_WITH_AES_256_CBC_SHA   	0x0036
-#define TLS_DH_RSA_WITH_AES_256_CBC_SHA   	0x0037
-#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA  	0x0038
-#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA  	0x0039
-#define TLS_DH_ANON_WITH_AES_256_CBC_SHA  	0x003A
-
-#define TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA     0x0062
-#define TLS_RSA_EXPORT1024_WITH_RC4_56_SHA      0x0064
-
-#define TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA 0x0063
-#define TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA  0x0065
-#define TLS_DHE_DSS_WITH_RC4_128_SHA            0x0066
-
-#ifdef NSS_ENABLE_ECC
-/* "Experimental" ECC cipher suites. 
-** XXX These numbers might change before the current IETF draft
-** on ECC cipher suites for TLS becomes an RFC.
-*/
-#define TLS_ECDH_ECDSA_WITH_NULL_SHA            0x0047
-#define TLS_ECDH_ECDSA_WITH_RC4_128_SHA         0x0048
-#define TLS_ECDH_ECDSA_WITH_DES_CBC_SHA         0x0049
-#define TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA    0x004A
-#define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA     0x004B
-#define TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA     0x004C
-
-#define TLS_ECDH_RSA_WITH_NULL_SHA              0x004D
-#define TLS_ECDH_RSA_WITH_RC4_128_SHA           0x004E
-#define TLS_ECDH_RSA_WITH_DES_CBC_SHA           0x004F
-#define TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA      0x0050
-#define TLS_ECDH_RSA_WITH_AES_128_CBC_SHA       0x0051
-#define TLS_ECDH_RSA_WITH_AES_256_CBC_SHA       0x0052
-
-#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    0x0077
-#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      0x0078
-#endif /* NSS_ENABLE_ECC */
-
-/* Netscape "experimental" cipher suites. */
-#define SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA	0xffe0
-#define SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA	0xffe1
-
-/* New non-experimental openly spec'ed versions of those cipher suites. */
-#define SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA 	0xfeff
-#define SSL_RSA_FIPS_WITH_DES_CBC_SHA      	0xfefe
-
-#endif /* __sslproto_h_ */
diff --git a/security/nss/lib/ssl/sslreveal.c b/security/nss/lib/ssl/sslreveal.c
deleted file mode 100644
index 09d20d496..000000000
--- a/security/nss/lib/ssl/sslreveal.c
+++ /dev/null
@@ -1,100 +0,0 @@
-/* 
- * Accessor functions for SSLSocket private members.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#include "cert.h"
-#include "ssl.h"
-#include "certt.h"
-#include "sslimpl.h"
-
-/* given PRFileDesc, returns a copy of certificate associated with the socket
- * the caller should delete the cert when done with SSL_DestroyCertificate
- */
-CERTCertificate * 
-SSL_RevealCert(PRFileDesc * fd)
-{
-  CERTCertificate * cert = NULL;
-  sslSocket * sslsocket = NULL;
-
-  sslsocket = ssl_FindSocket(fd);
-  
-  /* CERT_DupCertificate increases reference count and returns pointer to 
-   * the same cert
-   */
-  if (sslsocket && sslsocket->sec.peerCert)
-    cert = CERT_DupCertificate(sslsocket->sec.peerCert);
-  
-  return cert;
-}
-
-/* given PRFileDesc, returns a pointer to PinArg associated with the socket
- */
-void * 
-SSL_RevealPinArg(PRFileDesc * fd)
-{
-  sslSocket * sslsocket = NULL;
-  void * PinArg = NULL;
-  
-  sslsocket = ssl_FindSocket(fd);
-  
-  /* is pkcs11PinArg part of the sslSocket or sslSecurityInfo ? */
-  if (sslsocket)
-    PinArg = sslsocket->pkcs11PinArg;
-  
-  return PinArg;
-}
-
-
-/* given PRFileDesc, returns a pointer to the URL associated with the socket
- * the caller should free url when done  
- */
-char * 
-SSL_RevealURL(PRFileDesc * fd)
-{
-  sslSocket * sslsocket = NULL;
-  char * url = NULL;
-
-  sslsocket = ssl_FindSocket(fd);
-  
-  if (sslsocket && sslsocket->url)
-    url = PL_strdup(sslsocket->url);
-  
-  return url;
-}
-
diff --git a/security/nss/lib/ssl/sslsecur.c b/security/nss/lib/ssl/sslsecur.c
deleted file mode 100644
index a30b062df..000000000
--- a/security/nss/lib/ssl/sslsecur.c
+++ /dev/null
@@ -1,1348 +0,0 @@
-/*
- * Various SSL functions.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-#include "cert.h"
-#include "secitem.h"
-#include "keyhi.h"
-#include "ssl.h"
-#include "sslimpl.h"
-#include "sslproto.h"
-#include "secoid.h"	/* for SECOID_GetALgorithmTag */
-#include "pk11func.h"	/* for PK11_GenerateRandom */
-
-#define MAX_BLOCK_CYPHER_SIZE	32
-
-#define TEST_FOR_FAILURE	/* reminder */
-#define SET_ERROR_CODE		/* reminder */
-
-/* Returns a SECStatus: SECSuccess or SECFailure, NOT SECWouldBlock. 
- * 
- * Currently, the list of functions called through ss->handshake is:
- * 
- * In sslsocks.c:
- *  SocksGatherRecord
- *  SocksHandleReply	
- *  SocksStartGather
- *
- * In sslcon.c:
- *  ssl_GatherRecord1stHandshake
- *  ssl2_HandleClientSessionKeyMessage
- *  ssl2_HandleMessage
- *  ssl2_HandleVerifyMessage
- *  ssl2_BeginClientHandshake
- *  ssl2_BeginServerHandshake
- *  ssl2_HandleClientHelloMessage
- *  ssl2_HandleServerHelloMessage
- * 
- * The ss->handshake function returns SECWouldBlock under these conditions:
- * 1.	ssl_GatherRecord1stHandshake called ssl2_GatherData which read in 
- *	the beginning of an SSL v3 hello message and returned SECWouldBlock 
- *	to switch to SSL v3 handshake processing.
- *
- * 2.	ssl2_HandleClientHelloMessage discovered version 3.0 in the incoming
- *	v2 client hello msg, and called ssl3_HandleV2ClientHello which 
- *	returned SECWouldBlock.
- *
- * 3.   SECWouldBlock was returned by one of the callback functions, via
- *	one of these paths:
- * -	ssl2_HandleMessage() -> ssl2_HandleRequestCertificate() -> ss->getClientAuthData()
- *
- * -	ssl2_HandleServerHelloMessage() -> ss->handleBadCert()
- *
- * -	ssl_GatherRecord1stHandshake() -> ssl3_GatherCompleteHandshake() -> 
- *	ssl3_HandleRecord() -> ssl3_HandleHandshake() -> 
- *	ssl3_HandleHandshakeMessage() -> ssl3_HandleCertificate() -> 
- *	ss->handleBadCert()
- *
- * -	ssl_GatherRecord1stHandshake() -> ssl3_GatherCompleteHandshake() -> 
- *	ssl3_HandleRecord() -> ssl3_HandleHandshake() -> 
- *	ssl3_HandleHandshakeMessage() -> ssl3_HandleCertificateRequest() -> 
- *	ss->getClientAuthData()
- *
- * Called from: SSL_ForceHandshake	(below), 
- *              ssl_SecureRecv 		(below) and
- *              ssl_SecureSend		(below)
- *	  from: WaitForResponse 	in sslsocks.c
- *	        ssl_SocksRecv   	in sslsocks.c
- *              ssl_SocksSend   	in sslsocks.c
- *
- * Caller must hold the (write) handshakeLock.
- */
-int 
-ssl_Do1stHandshake(sslSocket *ss)
-{
-    int rv        = SECSuccess;
-    int loopCount = 0;
-
-    do {
-	PORT_Assert(ss->opt.noLocks ||  ssl_Have1stHandshakeLock(ss) );
-	PORT_Assert(ss->opt.noLocks || !ssl_HaveRecvBufLock(ss));
-	PORT_Assert(ss->opt.noLocks || !ssl_HaveXmitBufLock(ss));
-
-	if (ss->handshake == 0) {
-	    /* Previous handshake finished. Switch to next one */
-	    ss->handshake = ss->nextHandshake;
-	    ss->nextHandshake = 0;
-	}
-	if (ss->handshake == 0) {
-	    /* Previous handshake finished. Switch to security handshake */
-	    ss->handshake = ss->securityHandshake;
-	    ss->securityHandshake = 0;
-	}
-	if (ss->handshake == 0) {
-	    ssl_GetRecvBufLock(ss);
-	    ss->gs.recordLen = 0;
-	    ssl_ReleaseRecvBufLock(ss);
-
-	    SSL_TRC(3, ("%d: SSL[%d]: handshake is completed",
-			SSL_GETPID(), ss->fd));
-            /* call handshake callback for ssl v2 */
-	    /* for v3 this is done in ssl3_HandleFinished() */
-	    if ((ss->handshakeCallback != NULL) && /* has callback */
-		(!ss->firstHsDone) &&              /* only first time */
-		(ss->version < SSL_LIBRARY_VERSION_3_0)) {  /* not ssl3 */
-		ss->firstHsDone     = PR_TRUE;
-		(ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
-	    }
-	    ss->firstHsDone         = PR_TRUE;
-	    ss->gs.writeOffset = 0;
-	    ss->gs.readOffset  = 0;
-	    break;
-	}
-	rv = (*ss->handshake)(ss);
-	++loopCount;
-    /* This code must continue to loop on SECWouldBlock, 
-     * or any positive value.	See XXX_1 comments.
-     */
-    } while (rv != SECFailure);  	/* was (rv >= 0); XXX_1 */
-
-    PORT_Assert(ss->opt.noLocks || !ssl_HaveRecvBufLock(ss));
-    PORT_Assert(ss->opt.noLocks || !ssl_HaveXmitBufLock(ss));
-
-    if (rv == SECWouldBlock) {
-	PORT_SetError(PR_WOULD_BLOCK_ERROR);
-	rv = SECFailure;
-    }
-    return rv;
-}
-
-/*
- * Handshake function that blocks.  Used to force a
- * retry on a connection on the next read/write.
- */
-static SECStatus
-AlwaysBlock(sslSocket *ss)
-{
-    PORT_SetError(PR_WOULD_BLOCK_ERROR);	/* perhaps redundant. */
-    return SECWouldBlock;
-}
-
-/*
- * set the initial handshake state machine to block
- */
-void
-ssl_SetAlwaysBlock(sslSocket *ss)
-{
-    if (!ss->firstHsDone) {
-	ss->handshake = AlwaysBlock;
-	ss->nextHandshake = 0;
-    }
-}
-
-/* Acquires and releases HandshakeLock.
-*/
-SECStatus
-SSL_ResetHandshake(PRFileDesc *s, PRBool asServer)
-{
-    sslSocket *ss;
-    SECStatus status;
-    PRNetAddr addr;
-
-    ss = ssl_FindSocket(s);
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in ResetHandshake", SSL_GETPID(), s));
-	return SECFailure;
-    }
-
-    /* Don't waste my time */
-    if (!ss->opt.useSecurity)
-	return SECSuccess;
-
-    SSL_LOCK_READER(ss);
-    SSL_LOCK_WRITER(ss);
-
-    /* Reset handshake state */
-    ssl_Get1stHandshakeLock(ss);
-    ssl_GetSSL3HandshakeLock(ss);
-
-    ss->firstHsDone = PR_FALSE;
-    if ( asServer ) {
-	ss->handshake = ssl2_BeginServerHandshake;
-	ss->handshaking = sslHandshakingAsServer;
-    } else {
-	ss->handshake = ssl2_BeginClientHandshake;
-	ss->handshaking = sslHandshakingAsClient;
-    }
-    ss->nextHandshake       = 0;
-    ss->securityHandshake   = 0;
-
-    ssl_GetRecvBufLock(ss);
-    status = ssl_InitGather(&ss->gs);
-    ssl_ReleaseRecvBufLock(ss);
-
-    /*
-    ** Blow away old security state and get a fresh setup.
-    */
-    ssl_GetXmitBufLock(ss); 
-    ssl_ResetSecurityInfo(&ss->sec, PR_TRUE);
-    status = ssl_CreateSecurityInfo(ss);
-    ssl_ReleaseXmitBufLock(ss); 
-
-    ssl_ReleaseSSL3HandshakeLock(ss);
-    ssl_Release1stHandshakeLock(ss);
-
-    if (!ss->TCPconnected)
-	ss->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ss, &addr));
-
-    SSL_UNLOCK_WRITER(ss);
-    SSL_UNLOCK_READER(ss);
-
-    return status;
-}
-
-/* For SSLv2, does nothing but return an error.
-** For SSLv3, flushes SID cache entry (if requested),
-** and then starts new client hello or hello request.
-** Acquires and releases HandshakeLock.
-*/
-SECStatus
-SSL_ReHandshake(PRFileDesc *fd, PRBool flushCache)
-{
-    sslSocket *ss;
-    SECStatus  rv;
-    
-    ss = ssl_FindSocket(fd);
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in RedoHandshake", SSL_GETPID(), fd));
-	return SECFailure;
-    }
-
-    if (!ss->opt.useSecurity)
-	return SECSuccess;
-    
-    ssl_Get1stHandshakeLock(ss);
-
-    /* SSL v2 protocol does not support subsequent handshakes. */
-    if (ss->version < SSL_LIBRARY_VERSION_3_0) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	rv = SECFailure;
-    } else {
-	ssl_GetSSL3HandshakeLock(ss);
-	rv = ssl3_RedoHandshake(ss, flushCache); /* force full handshake. */
-	ssl_ReleaseSSL3HandshakeLock(ss);
-    }
-
-    ssl_Release1stHandshakeLock(ss);
-
-    return rv;
-}
-
-/*
-** Same as above, but with an I/O timeout.
- */
-SSL_IMPORT SECStatus SSL_ReHandshakeWithTimeout(PRFileDesc *fd,
-                                                PRBool flushCache,
-                                                PRIntervalTime timeout)
-{
-    if (SECSuccess != ssl_SetTimeout(fd, timeout)) {
-        return SECFailure;
-    }
-    return SSL_ReHandshake(fd, flushCache);
-}
-
-SECStatus
-SSL_RedoHandshake(PRFileDesc *fd)
-{
-    return SSL_ReHandshake(fd, PR_TRUE);
-}
-
-/* Register an application callback to be called when SSL handshake completes.
-** Acquires and releases HandshakeLock.
-*/
-SECStatus
-SSL_HandshakeCallback(PRFileDesc *fd, SSLHandshakeCallback cb,
-		      void *client_data)
-{
-    sslSocket *ss;
-    
-    ss = ssl_FindSocket(fd);
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in HandshakeCallback",
-		 SSL_GETPID(), fd));
-	return SECFailure;
-    }
-
-    if (!ss->opt.useSecurity) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    ssl_Get1stHandshakeLock(ss);
-    ssl_GetSSL3HandshakeLock(ss);
-
-    ss->handshakeCallback     = cb;
-    ss->handshakeCallbackData = client_data;
-
-    ssl_ReleaseSSL3HandshakeLock(ss);
-    ssl_Release1stHandshakeLock(ss);
-
-    return SECSuccess;
-}
-
-/* Try to make progress on an SSL handshake by attempting to read the 
-** next handshake from the peer, and sending any responses.
-** For non-blocking sockets, returns PR_ERROR_WOULD_BLOCK  if it cannot 
-** read the next handshake from the underlying socket.
-** For SSLv2, returns when handshake is complete or fatal error occurs.
-** For SSLv3, returns when handshake is complete, or application data has
-** arrived that must be taken by application before handshake can continue, 
-** or a fatal error occurs.
-** Application should use handshake completion callback to tell which. 
-*/
-SECStatus
-SSL_ForceHandshake(PRFileDesc *fd)
-{
-    sslSocket *ss;
-    SECStatus  rv = SECFailure;
-
-    ss = ssl_FindSocket(fd);
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in ForceHandshake",
-		 SSL_GETPID(), fd));
-	return rv;
-    }
-
-    /* Don't waste my time */
-    if (!ss->opt.useSecurity) 
-    	return SECSuccess;
-
-    ssl_Get1stHandshakeLock(ss);
-
-    if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
-	int gatherResult;
-
-    	ssl_GetRecvBufLock(ss);
-	gatherResult = ssl3_GatherCompleteHandshake(ss, 0);
-	ssl_ReleaseRecvBufLock(ss);
-	if (gatherResult > 0) {
-	    rv = SECSuccess;
-	} else if (gatherResult == 0) {
-	    PORT_SetError(PR_END_OF_FILE_ERROR);
-	} else if (gatherResult == SECWouldBlock) {
-	    PORT_SetError(PR_WOULD_BLOCK_ERROR);
-	}
-    } else if (!ss->firstHsDone) {
-	rv = ssl_Do1stHandshake(ss);
-    } else {
-	/* tried to force handshake on an SSL 2 socket that has 
-	** already completed the handshake. */
-    	rv = SECSuccess;	/* just pretend we did it. */
-    }
-
-    ssl_Release1stHandshakeLock(ss);
-
-    return rv;
-}
-
-/*
- ** Same as above, but with an I/O timeout.
- */
-SSL_IMPORT SECStatus SSL_ForceHandshakeWithTimeout(PRFileDesc *fd,
-                                                   PRIntervalTime timeout)
-{
-    if (SECSuccess != ssl_SetTimeout(fd, timeout)) {
-        return SECFailure;
-    }
-    return SSL_ForceHandshake(fd);
-}
-
-
-/************************************************************************/
-
-/*
-** Grow a buffer to hold newLen bytes of data.
-** Called for both recv buffers and xmit buffers.
-** Caller must hold xmitBufLock or recvBufLock, as appropriate.
-*/
-SECStatus
-sslBuffer_Grow(sslBuffer *b, unsigned int newLen)
-{
-    newLen = PR_MAX(newLen, MAX_FRAGMENT_LENGTH + 2048);
-    if (newLen > b->space) {
-	unsigned char *newBuf;
-	if (b->buf) {
-	    newBuf = (unsigned char *) PORT_Realloc(b->buf, newLen);
-	} else {
-	    newBuf = (unsigned char *) PORT_Alloc(newLen);
-	}
-	if (!newBuf) {
-	    return SECFailure;
-	}
-	SSL_TRC(10, ("%d: SSL: grow buffer from %d to %d",
-		     SSL_GETPID(), b->space, newLen));
-	b->buf = newBuf;
-	b->space = newLen;
-    }
-    return SECSuccess;
-}
-
-/*
-** Save away write data that is trying to be written before the security
-** handshake has been completed. When the handshake is completed, we will
-** flush this data out.
-** Caller must hold xmitBufLock
-*/
-SECStatus 
-ssl_SaveWriteData(sslSocket *ss, sslBuffer *buf, const void *data, 
-                      unsigned int len)
-{
-    unsigned int newlen;
-    SECStatus    rv;
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
-    newlen = buf->len + len;
-    if (newlen > buf->space) {
-	rv = sslBuffer_Grow(buf, newlen);
-	if (rv) {
-	    return rv;
-	}
-    }
-    SSL_TRC(5, ("%d: SSL[%d]: saving %d bytes of data (%d total saved so far)",
-		 SSL_GETPID(), ss->fd, len, newlen));
-    PORT_Memcpy(buf->buf + buf->len, data, len);
-    buf->len = newlen;
-    return SECSuccess;
-}
-
-/*
-** Send saved write data. This will flush out data sent prior to a
-** complete security handshake. Hopefully there won't be too much of it.
-** Returns count of the bytes sent, NOT a SECStatus.
-** Caller must hold xmitBufLock
-*/
-int 
-ssl_SendSavedWriteData(sslSocket *ss, sslBuffer *buf, sslSendFunc send)
-{
-    int rv	= 0;
-    int len	= buf->len;
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
-    if (len != 0) {
-	SSL_TRC(5, ("%d: SSL[%d]: sending %d bytes of saved data",
-		     SSL_GETPID(), ss->fd, len));
-	rv = (*send)(ss, buf->buf, len, 0);
-	if (rv < 0) {
-	    return rv;
-	} 
-	if (rv < len) {
-	    /* UGH !! This shifts the whole buffer down by copying it, and 
-	    ** it depends on PORT_Memmove doing overlapping moves correctly!
-	    ** It should advance the pointer offset instead !!
-	    */
-	    PORT_Memmove(buf->buf, buf->buf + rv, len - rv);
-	    buf->len = len - rv;
-	} else {
-	    buf->len = 0;
-    	}
-    }
-    return rv;
-}
-
-/************************************************************************/
-
-/*
-** Receive some application data on a socket.  Reads SSL records from the input
-** stream, decrypts them and then copies them to the output buffer.
-** Called from ssl_SecureRecv() below.
-**
-** Caller does NOT hold 1stHandshakeLock because that handshake is over.
-** Caller doesn't call this until initial handshake is complete.
-** For SSLv2, there is no subsequent handshake.
-** For SSLv3, the call to ssl3_GatherAppDataRecord may encounter handshake
-** messages from a subsequent handshake.
-**
-** This code is similar to, and easily confused with, 
-**   ssl_GatherRecord1stHandshake() in sslcon.c
-*/
-static int 
-DoRecv(sslSocket *ss, unsigned char *out, int len, int flags)
-{
-    int              rv;
-    int              amount;
-    int              available;
-
-    ssl_GetRecvBufLock(ss);
-
-    available = ss->gs.writeOffset - ss->gs.readOffset;
-    if (available == 0) {
-	/* Get some more data */
-	if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
-	    /* Wait for application data to arrive.  */
-	    rv = ssl3_GatherAppDataRecord(ss, 0);
-	} else {
-	    /* See if we have a complete record */
-	    rv = ssl2_GatherRecord(ss, 0);
-	}
-	if (rv <= 0) {
-	    if (rv == 0) {
-		/* EOF */
-		SSL_TRC(10, ("%d: SSL[%d]: ssl_recv EOF",
-			     SSL_GETPID(), ss->fd));
-		goto done;
-	    }
-	    if ((rv != SECWouldBlock) && 
-	        (PR_GetError() != PR_WOULD_BLOCK_ERROR)) {
-		/* Some random error */
-		goto done;
-	    }
-
-	    /*
-	    ** Gather record is blocked waiting for more record data to
-	    ** arrive. Try to process what we have already received
-	    */
-	} else {
-	    /* Gather record has finished getting a complete record */
-	}
-
-	/* See if any clear data is now available */
-	available = ss->gs.writeOffset - ss->gs.readOffset;
-	if (available == 0) {
-	    /*
-	    ** No partial data is available. Force error code to
-	    ** EWOULDBLOCK so that caller will try again later. Note
-	    ** that the error code is probably EWOULDBLOCK already,
-	    ** but if it isn't (for example, if we received a zero
-	    ** length record) then this will force it to be correct.
-	    */
-	    PORT_SetError(PR_WOULD_BLOCK_ERROR);
-	    rv = SECFailure;
-	    goto done;
-	}
-	SSL_TRC(30, ("%d: SSL[%d]: partial data ready, available=%d",
-		     SSL_GETPID(), ss->fd, available));
-    }
-
-    /* Dole out clear data to reader */
-    amount = PR_MIN(len, available);
-    PORT_Memcpy(out, ss->gs.buf.buf + ss->gs.readOffset, amount);
-    if (!(flags & PR_MSG_PEEK)) {
-	ss->gs.readOffset += amount;
-    }
-    rv = amount;
-
-    SSL_TRC(30, ("%d: SSL[%d]: amount=%d available=%d",
-		 SSL_GETPID(), ss->fd, amount, available));
-    PRINT_BUF(4, (ss, "DoRecv receiving plaintext:", out, amount));
-
-done:
-    ssl_ReleaseRecvBufLock(ss);
-    return rv;
-}
-
-/************************************************************************/
-
-SSLKEAType
-ssl_FindCertKEAType(CERTCertificate * cert)
-{
-  SSLKEAType keaType = kt_null; 
-  int tag;
-  
-  if (!cert) goto loser;
-  
-  tag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
-  
-  switch (tag) {
-  case SEC_OID_X500_RSA_ENCRYPTION:
-  case SEC_OID_PKCS1_RSA_ENCRYPTION:
-    keaType = kt_rsa;
-    break;
-
-  case SEC_OID_X942_DIFFIE_HELMAN_KEY:
-    keaType = kt_dh;
-    break;
-#ifdef NSS_ENABLE_ECC
-  case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
-    keaType = kt_ecdh;
-    break;
-#endif /* NSS_ENABLE_ECC */
-  default:
-    keaType = kt_null;
-  }
-  
- loser:
-  
-  return keaType;
-
-}
-
-
-/* XXX need to protect the data that gets changed here.!! */
-
-SECStatus
-SSL_ConfigSecureServer(PRFileDesc *fd, CERTCertificate *cert,
-		       SECKEYPrivateKey *key, SSL3KEAType kea)
-{
-    SECStatus rv;
-    sslSocket *ss;
-    sslServerCerts  *sc;
-
-    ss = ssl_FindSocket(fd);
-    if (!ss) {
-	return SECFailure;
-    }
-
-    /* Both key and cert must have a value or be NULL */
-    /* Passing a value of NULL will turn off key exchange algorithms that were
-     * previously turned on */
-    if (!cert != !key) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    /* make sure the key exchange is recognized */
-    if ((kea >= kt_kea_size) || (kea < kt_null)) {
-	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-	return SECFailure;
-    }
-
-    if (kea != ssl_FindCertKEAType(cert)) {
-    	PORT_SetError(SSL_ERROR_CERT_KEA_MISMATCH);
-	return SECFailure;
-    }
-
-    sc = ss->serverCerts + kea;
-    /* load the server certificate */
-    if (sc->serverCert != NULL) {
-	CERT_DestroyCertificate(sc->serverCert);
-    	sc->serverCert = NULL;
-    }
-    if (cert) {
-	SECKEYPublicKey * pubKey;
-	sc->serverCert = CERT_DupCertificate(cert);
-	if (!sc->serverCert)
-	    goto loser;
-    	/* get the size of the cert's public key, and remember it */
-	pubKey = CERT_ExtractPublicKey(cert);
-	if (!pubKey) 
-	    goto loser;
-	sc->serverKeyBits = SECKEY_PublicKeyStrengthInBits(pubKey);
-	SECKEY_DestroyPublicKey(pubKey); 
-	pubKey = NULL;
-    }
-
-
-    /* load the server cert chain */
-    if (sc->serverCertChain != NULL) {
-	CERT_DestroyCertificateList(sc->serverCertChain);
-    	sc->serverCertChain = NULL;
-    }
-    if (cert) {
-	sc->serverCertChain = CERT_CertChainFromCert(
-			    sc->serverCert, certUsageSSLServer, PR_TRUE);
-	if (sc->serverCertChain == NULL)
-	     goto loser;
-    }
-
-    /* load the private key */
-    if (sc->serverKeyPair != NULL) {
-        ssl3_FreeKeyPair(sc->serverKeyPair);
-        sc->serverKeyPair = NULL;
-    }
-    if (key) {
-	SECKEYPrivateKey * keyCopy	= NULL;
-	CK_MECHANISM_TYPE  keyMech	= CKM_INVALID_MECHANISM;
-
-	if (key->pkcs11Slot) {
-	    PK11SlotInfo * bestSlot;
-	    bestSlot = PK11_ReferenceSlot(key->pkcs11Slot);
-	    if (bestSlot) {
-		keyCopy = PK11_CopyTokenPrivKeyToSessionPrivKey(bestSlot, key);
-		PK11_FreeSlot(bestSlot);
-	    }
-	}
-	if (keyCopy == NULL)
-	    keyMech = PK11_MapSignKeyType(key->keyType);
-	if (keyMech != CKM_INVALID_MECHANISM) {
-	    PK11SlotInfo * bestSlot;
-	    /* XXX Maybe should be bestSlotMultiple? */
-	    bestSlot = PK11_GetBestSlot(keyMech, NULL /* wincx */);
-	    if (bestSlot) {
-		keyCopy = PK11_CopyTokenPrivKeyToSessionPrivKey(bestSlot, key);
-		PK11_FreeSlot(bestSlot);
-	    }
-	}
-	if (keyCopy == NULL)
-	    keyCopy = SECKEY_CopyPrivateKey(key);
-	if (keyCopy == NULL)
-	    goto loser;
-	SECKEY_CacheStaticFlags(keyCopy);
-        sc->serverKeyPair = ssl3_NewKeyPair(keyCopy, NULL);
-        if (sc->serverKeyPair == NULL) {
-            SECKEY_DestroyPrivateKey(keyCopy);
-            goto loser;
-        }
-    }
-
-    if (kea == kt_rsa && cert && sc->serverKeyBits > 512) {
-	if (ss->opt.noStepDown) {
-	    /* disable all export ciphersuites */
-	} else {
-	    rv = ssl3_CreateRSAStepDownKeys(ss);
-	    if (rv != SECSuccess) {
-		return SECFailure; /* err set by ssl3_CreateRSAStepDownKeys */
-	    }
-	}
-    }
-
-    /* Only do this once because it's global. */
-    if (ssl3_server_ca_list == NULL)
-	ssl3_server_ca_list = CERT_GetSSLCACerts(ss->dbHandle);
-
-    return SECSuccess;
-
-loser:
-    if (sc->serverCert != NULL) {
-	CERT_DestroyCertificate(sc->serverCert);
-	sc->serverCert = NULL;
-    }
-    if (sc->serverCertChain != NULL) {
-	CERT_DestroyCertificateList(sc->serverCertChain);
-	sc->serverCertChain = NULL;
-    }
-    if (sc->serverKeyPair != NULL) {
-	ssl3_FreeKeyPair(sc->serverKeyPair);
-	sc->serverKeyPair = NULL;
-    }
-    return SECFailure;
-}
-
-/************************************************************************/
-
-SECStatus
-ssl_CreateSecurityInfo(sslSocket *ss)
-{
-    SECStatus status;
-
-    /* initialize sslv2 socket to send data in the clear. */
-    ssl2_UseClearSendFunc(ss);
-
-    ss->sec.blockSize  = 1;
-    ss->sec.blockShift = 0;
-
-    ssl_GetXmitBufLock(ss); 
-    status = sslBuffer_Grow(&ss->sec.writeBuf, 4096);
-    ssl_ReleaseXmitBufLock(ss); 
-
-    return status;
-}
-
-SECStatus
-ssl_CopySecurityInfo(sslSocket *ss, sslSocket *os)
-{
-    ss->sec.send 		= os->sec.send;
-    ss->sec.isServer 		= os->sec.isServer;
-    ss->sec.keyBits    		= os->sec.keyBits;
-    ss->sec.secretKeyBits 	= os->sec.secretKeyBits;
-
-    ss->sec.peerCert   		= CERT_DupCertificate(os->sec.peerCert);
-    if (os->sec.peerCert && !ss->sec.peerCert)
-    	goto loser;
-
-    ss->sec.cache      		= os->sec.cache;
-    ss->sec.uncache    		= os->sec.uncache;
-
-    /* we don't dup the connection info. */
-
-    ss->sec.sendSequence 	= os->sec.sendSequence;
-    ss->sec.rcvSequence 	= os->sec.rcvSequence;
-
-    if (os->sec.hash && os->sec.hashcx) {
-	ss->sec.hash 		= os->sec.hash;
-	ss->sec.hashcx 		= os->sec.hash->clone(os->sec.hashcx);
-	if (os->sec.hashcx && !ss->sec.hashcx)
-	    goto loser;
-    } else {
-	ss->sec.hash 		= NULL;
-	ss->sec.hashcx 		= NULL;
-    }
-
-    SECITEM_CopyItem(0, &ss->sec.sendSecret, &os->sec.sendSecret);
-    if (os->sec.sendSecret.data && !ss->sec.sendSecret.data)
-    	goto loser;
-    SECITEM_CopyItem(0, &ss->sec.rcvSecret,  &os->sec.rcvSecret);
-    if (os->sec.rcvSecret.data && !ss->sec.rcvSecret.data)
-    	goto loser;
-
-    /* XXX following code is wrong if either cx != 0 */
-    PORT_Assert(os->sec.readcx  == 0);
-    PORT_Assert(os->sec.writecx == 0);
-    ss->sec.readcx     		= os->sec.readcx;
-    ss->sec.writecx    		= os->sec.writecx;
-    ss->sec.destroy    		= 0;	
-
-    ss->sec.enc        		= os->sec.enc;
-    ss->sec.dec        		= os->sec.dec;
-
-    ss->sec.blockShift 		= os->sec.blockShift;
-    ss->sec.blockSize  		= os->sec.blockSize;
-
-    return SECSuccess;
-
-loser:
-    return SECFailure;
-}
-
-/* Reset sec back to its initial state.
-** Caller holds any relevant locks.
-*/
-void 
-ssl_ResetSecurityInfo(sslSecurityInfo *sec, PRBool doMemset)
-{
-    /* Destroy MAC */
-    if (sec->hash && sec->hashcx) {
-	(*sec->hash->destroy)(sec->hashcx, PR_TRUE);
-	sec->hashcx = NULL;
-	sec->hash = NULL;
-    }
-    SECITEM_ZfreeItem(&sec->sendSecret, PR_FALSE);
-    SECITEM_ZfreeItem(&sec->rcvSecret, PR_FALSE);
-
-    /* Destroy ciphers */
-    if (sec->destroy) {
-	(*sec->destroy)(sec->readcx, PR_TRUE);
-	(*sec->destroy)(sec->writecx, PR_TRUE);
-	sec->readcx = NULL;
-	sec->writecx = NULL;
-    } else {
-	PORT_Assert(sec->readcx == 0);
-	PORT_Assert(sec->writecx == 0);
-    }
-    sec->readcx = 0;
-    sec->writecx = 0;
-
-    if (sec->localCert) {
-	CERT_DestroyCertificate(sec->localCert);
-	sec->localCert = NULL;
-    }
-    if (sec->peerCert) {
-	CERT_DestroyCertificate(sec->peerCert);
-	sec->peerCert = NULL;
-    }
-    if (sec->peerKey) {
-	SECKEY_DestroyPublicKey(sec->peerKey);
-	sec->peerKey = NULL;
-    }
-
-    /* cleanup the ci */
-    if (sec->ci.sid != NULL) {
-	ssl_FreeSID(sec->ci.sid);
-    }
-    PORT_ZFree(sec->ci.sendBuf.buf, sec->ci.sendBuf.space);
-    if (doMemset) {
-        memset(&sec->ci, 0, sizeof sec->ci);
-    }
-    
-}
-
-/*
-** Called from SSL_ResetHandshake (above), and 
-**        from ssl_FreeSocket     in sslsock.c
-** Caller should hold relevant locks (e.g. XmitBufLock)
-*/
-void 
-ssl_DestroySecurityInfo(sslSecurityInfo *sec)
-{
-    ssl_ResetSecurityInfo(sec, PR_FALSE);
-
-    PORT_ZFree(sec->writeBuf.buf, sec->writeBuf.space);
-    sec->writeBuf.buf = 0;
-
-    memset(sec, 0, sizeof *sec);
-}
-
-/************************************************************************/
-
-int 
-ssl_SecureConnect(sslSocket *ss, const PRNetAddr *sa)
-{
-    PRFileDesc *osfd = ss->fd->lower;
-    int rv;
-
-    if ( ss->opt.handshakeAsServer ) {
-	ss->securityHandshake = ssl2_BeginServerHandshake;
-	ss->handshaking = sslHandshakingAsServer;
-    } else {
-	ss->securityHandshake = ssl2_BeginClientHandshake;
-	ss->handshaking = sslHandshakingAsClient;
-    }
-
-    /* connect to server */
-    rv = osfd->methods->connect(osfd, sa, ss->cTimeout);
-    if (rv == PR_SUCCESS) {
-	ss->TCPconnected = 1;
-    } else {
-	int err = PR_GetError();
-	SSL_DBG(("%d: SSL[%d]: connect failed, errno=%d",
-		 SSL_GETPID(), ss->fd, err));
-	if (err == PR_IS_CONNECTED_ERROR) {
-	    ss->TCPconnected = 1;
-	} 
-    }
-
-    SSL_TRC(5, ("%d: SSL[%d]: secure connect completed, rv == %d",
-		SSL_GETPID(), ss->fd, rv));
-    return rv;
-}
-
-int
-ssl_SecureClose(sslSocket *ss)
-{
-    int rv;
-
-    if (ss->version >= SSL_LIBRARY_VERSION_3_0 	&&
-    	ss->firstHsDone 			&& 
-	!(ss->shutdownHow & ssl_SHUTDOWN_SEND)	&&
-	!ss->recvdCloseNotify                   &&
-	ss->ssl3.initialized) {
-
-	/* We don't want the final alert to be Nagle delayed. */
-	if (!ss->delayDisabled) {
-	    ssl_EnableNagleDelay(ss, PR_FALSE);
-	    ss->delayDisabled = 1;
-	}
-
-	(void) SSL3_SendAlert(ss, alert_warning, close_notify);
-    }
-    rv = ssl_DefClose(ss);
-    return rv;
-}
-
-/* Caller handles all locking */
-int
-ssl_SecureShutdown(sslSocket *ss, int nsprHow)
-{
-    PRFileDesc *osfd = ss->fd->lower;
-    int 	rv;
-    PRIntn	sslHow	= nsprHow + 1;
-
-    if ((unsigned)nsprHow > PR_SHUTDOWN_BOTH) {
-	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
-    	return PR_FAILURE;
-    }
-
-    if ((sslHow & ssl_SHUTDOWN_SEND) != 0 		&&
-	!(ss->shutdownHow & ssl_SHUTDOWN_SEND)		&&
-    	(ss->version >= SSL_LIBRARY_VERSION_3_0)	&&
-	ss->firstHsDone 				&& 
-	!ss->recvdCloseNotify                   	&&
-	ss->ssl3.initialized) {
-
-	(void) SSL3_SendAlert(ss, alert_warning, close_notify);
-    }
-
-    rv = osfd->methods->shutdown(osfd, nsprHow);
-
-    ss->shutdownHow |= sslHow;
-
-    return rv;
-}
-
-/************************************************************************/
-
-
-int
-ssl_SecureRecv(sslSocket *ss, unsigned char *buf, int len, int flags)
-{
-    sslSecurityInfo *sec;
-    int              rv   = 0;
-
-    sec = &ss->sec;
-
-    if (ss->shutdownHow & ssl_SHUTDOWN_RCV) {
-	PORT_SetError(PR_SOCKET_SHUTDOWN_ERROR);
-    	return PR_FAILURE;
-    }
-    if (flags & ~PR_MSG_PEEK) {
-	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
-    	return PR_FAILURE;
-    }
-
-    if (!ssl_SocketIsBlocking(ss) && !ss->opt.fdx) {
-	ssl_GetXmitBufLock(ss);
-	if (ss->pendingBuf.len != 0) {
-	    rv = ssl_SendSavedWriteData(ss, &ss->pendingBuf, ssl_DefSend);
-	    if ((rv < 0) && (PORT_GetError() != PR_WOULD_BLOCK_ERROR)) {
-		ssl_ReleaseXmitBufLock(ss);
-		return SECFailure;
-	    }
-	    /* XXX short write? */
-	}
-	ssl_ReleaseXmitBufLock(ss);
-    }
-    
-    rv = 0;
-    /* If any of these is non-zero, the initial handshake is not done. */
-    if (!ss->firstHsDone) {
-	ssl_Get1stHandshakeLock(ss);
-	if (ss->handshake || ss->nextHandshake || ss->securityHandshake) {
-	    rv = ssl_Do1stHandshake(ss);
-	}
-	ssl_Release1stHandshakeLock(ss);
-    }
-    if (rv < 0) {
-	return rv;
-    }
-
-    if (len == 0) return 0;
-
-    rv = DoRecv(ss, (unsigned char*) buf, len, flags);
-    SSL_TRC(2, ("%d: SSL[%d]: recving %d bytes securely (errno=%d)",
-		SSL_GETPID(), ss->fd, rv, PORT_GetError()));
-    return rv;
-}
-
-int
-ssl_SecureRead(sslSocket *ss, unsigned char *buf, int len)
-{
-    return ssl_SecureRecv(ss, buf, len, 0);
-}
-
-/* Caller holds the SSL Socket's write lock. SSL_LOCK_WRITER(ss) */
-int
-ssl_SecureSend(sslSocket *ss, const unsigned char *buf, int len, int flags)
-{
-    int              rv		= 0;
-
-    if (ss->shutdownHow & ssl_SHUTDOWN_SEND) {
-	PORT_SetError(PR_SOCKET_SHUTDOWN_ERROR);
-    	return PR_FAILURE;
-    }
-    if (flags) {
-	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
-    	return PR_FAILURE;
-    }
-
-    ssl_GetXmitBufLock(ss);
-    if (ss->pendingBuf.len != 0) {
-	PORT_Assert(ss->pendingBuf.len > 0);
-	rv = ssl_SendSavedWriteData(ss, &ss->pendingBuf, ssl_DefSend);
-	if (rv >= 0 && ss->pendingBuf.len != 0) {
-	    PORT_Assert(ss->pendingBuf.len > 0);
-	    PORT_SetError(PR_WOULD_BLOCK_ERROR);
-	    rv = SECFailure;
-	}
-    }
-    ssl_ReleaseXmitBufLock(ss);
-    if (rv < 0) {
-	return rv;
-    }
-
-    if (len > 0) 
-    	ss->writerThread = PR_GetCurrentThread();
-    /* If any of these is non-zero, the initial handshake is not done. */
-    if (!ss->firstHsDone) {
-	ssl_Get1stHandshakeLock(ss);
-	if (ss->handshake || ss->nextHandshake || ss->securityHandshake) {
-	    rv = ssl_Do1stHandshake(ss);
-	}
-	ssl_Release1stHandshakeLock(ss);
-    }
-    if (rv < 0) {
-    	ss->writerThread = NULL;
-	return rv;
-    }
-
-    /* Check for zero length writes after we do housekeeping so we make forward
-     * progress.
-     */
-    if (len == 0) {
-    	return 0;
-    }
-    PORT_Assert(buf != NULL);
-    
-    SSL_TRC(2, ("%d: SSL[%d]: SecureSend: sending %d bytes",
-		SSL_GETPID(), ss->fd, len));
-
-    /* Send out the data using one of these functions:
-     *	ssl2_SendClear, ssl2_SendStream, ssl2_SendBlock, 
-     *  ssl3_SendApplicationData
-     */
-    ssl_GetXmitBufLock(ss);
-    rv = (*ss->sec.send)(ss, buf, len, flags);
-    ssl_ReleaseXmitBufLock(ss);
-    ss->writerThread = NULL;
-    return rv;
-}
-
-int
-ssl_SecureWrite(sslSocket *ss, const unsigned char *buf, int len)
-{
-    return ssl_SecureSend(ss, buf, len, 0);
-}
-
-SECStatus
-SSL_BadCertHook(PRFileDesc *fd, SSLBadCertHandler f, void *arg)
-{
-    sslSocket *ss;
-    
-    ss = ssl_FindSocket(fd);
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in SSLBadCertHook",
-		 SSL_GETPID(), fd));
-	return SECFailure;
-    }
-
-    ss->handleBadCert = f;
-    ss->badCertArg = arg;
-
-    return SECSuccess;
-}
-
-/*
- * Allow the application to pass the url or hostname into the SSL library
- * so that we can do some checking on it.
- */
-SECStatus
-SSL_SetURL(PRFileDesc *fd, const char *url)
-{
-    sslSocket *   ss = ssl_FindSocket(fd);
-    SECStatus     rv = SECSuccess;
-
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in SSLSetURL",
-		 SSL_GETPID(), fd));
-	return SECFailure;
-    }
-    ssl_Get1stHandshakeLock(ss);
-    ssl_GetSSL3HandshakeLock(ss);
-
-    if ( ss->url ) {
-	PORT_Free((void *)ss->url);	/* CONST */
-    }
-
-    ss->url = (const char *)PORT_Strdup(url);
-    if ( ss->url == NULL ) {
-	rv = SECFailure;
-    }
-
-    ssl_ReleaseSSL3HandshakeLock(ss);
-    ssl_Release1stHandshakeLock(ss);
-
-    return rv;
-}
-
-/*
-** Returns Negative number on error, zero or greater on success.
-** Returns the amount of data immediately available to be read.
-*/
-int
-SSL_DataPending(PRFileDesc *fd)
-{
-    sslSocket *ss;
-    int        rv  = 0;
-
-    ss = ssl_FindSocket(fd);
-
-    if (ss && ss->opt.useSecurity) {
-
-	ssl_Get1stHandshakeLock(ss);
-	ssl_GetSSL3HandshakeLock(ss);
-
-	ssl_GetRecvBufLock(ss);
-	rv = ss->gs.writeOffset - ss->gs.readOffset;
-	ssl_ReleaseRecvBufLock(ss);
-
-	ssl_ReleaseSSL3HandshakeLock(ss);
-	ssl_Release1stHandshakeLock(ss);
-    }
-
-    return rv;
-}
-
-SECStatus
-SSL_InvalidateSession(PRFileDesc *fd)
-{
-    sslSocket *   ss = ssl_FindSocket(fd);
-    SECStatus     rv = SECFailure;
-
-    if (ss) {
-	ssl_Get1stHandshakeLock(ss);
-	ssl_GetSSL3HandshakeLock(ss);
-
-	if (ss->sec.ci.sid) {
-	    ss->sec.uncache(ss->sec.ci.sid);
-	    rv = SECSuccess;
-	}
-
-	ssl_ReleaseSSL3HandshakeLock(ss);
-	ssl_Release1stHandshakeLock(ss);
-    }
-    return rv;
-}
-
-SECItem *
-SSL_GetSessionID(PRFileDesc *fd)
-{
-    sslSocket *    ss;
-    SECItem *      item = NULL;
-
-    ss = ssl_FindSocket(fd);
-    if (ss) {
-	ssl_Get1stHandshakeLock(ss);
-	ssl_GetSSL3HandshakeLock(ss);
-
-	if (ss->opt.useSecurity && ss->firstHsDone && ss->sec.ci.sid) {
-	    item = (SECItem *)PORT_Alloc(sizeof(SECItem));
-	    if (item) {
-		sslSessionID * sid = ss->sec.ci.sid;
-		if (sid->version < SSL_LIBRARY_VERSION_3_0) {
-		    item->len = SSL2_SESSIONID_BYTES;
-		    item->data = (unsigned char*)PORT_Alloc(item->len);
-		    PORT_Memcpy(item->data, sid->u.ssl2.sessionID, item->len);
-		} else {
-		    item->len = sid->u.ssl3.sessionIDLength;
-		    item->data = (unsigned char*)PORT_Alloc(item->len);
-		    PORT_Memcpy(item->data, sid->u.ssl3.sessionID, item->len);
-		}
-	    }
-	}
-
-	ssl_ReleaseSSL3HandshakeLock(ss);
-	ssl_Release1stHandshakeLock(ss);
-    }
-    return item;
-}
-
-SECStatus
-SSL_CertDBHandleSet(PRFileDesc *fd, CERTCertDBHandle *dbHandle)
-{
-    sslSocket *    ss;
-
-    ss = ssl_FindSocket(fd);
-    if (!ss)
-    	return SECFailure;
-    if (!dbHandle) {
-    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    ss->dbHandle = dbHandle;
-    return SECSuccess;
-}
-
-/*
- * attempt to restart the handshake after asynchronously handling
- * a request for the client's certificate.
- *
- * inputs:  
- *	cert	Client cert chosen by application.
- *		Note: ssl takes this reference, and does not bump the 
- *		reference count.  The caller should drop its reference
- *		without calling CERT_DestroyCert after calling this function.
- *
- *	key	Private key associated with cert.  This function makes a 
- *		copy of the private key, so the caller remains responsible 
- *		for destroying its copy after this function returns.
- *
- *	certChain  Chain of signers for cert.  
- *		Note: ssl takes this reference, and does not copy the chain.
- *		The caller should drop its reference without destroying the 
- *		chain.  SSL will free the chain when it is done with it.
- *
- * Return value: XXX
- *
- * XXX This code only works on the initial handshake on a connection, XXX
- *     It does not work on a subsequent handshake (redo).
- */
-int
-SSL_RestartHandshakeAfterCertReq(sslSocket *         ss,
-				CERTCertificate *    cert, 
-				SECKEYPrivateKey *   key,
-				CERTCertificateList *certChain)
-{
-    int              ret;
-
-    ssl_Get1stHandshakeLock(ss);   /************************************/
-
-    if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
-	ret = ssl3_RestartHandshakeAfterCertReq(ss, cert, key, certChain);
-    } else {
-    	ret = ssl2_RestartHandshakeAfterCertReq(ss, cert, key);
-    }
-
-    ssl_Release1stHandshakeLock(ss);  /************************************/
-    return ret;
-}
-
-
-/* restart an SSL connection that we stopped to run certificate dialogs 
-** XXX	Need to document here how an application marks a cert to show that
-**	the application has accepted it (overridden CERT_VerifyCert).
- *
- * XXX This code only works on the initial handshake on a connection, XXX
- *     It does not work on a subsequent handshake (redo).
- *
- * Return value: XXX
-*/
-int
-SSL_RestartHandshakeAfterServerCert(sslSocket *ss)
-{
-    int rv	= SECSuccess;
-
-    ssl_Get1stHandshakeLock(ss); 
-
-    if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
-	rv = ssl3_RestartHandshakeAfterServerCert(ss);
-    } else {
-	rv = ssl2_RestartHandshakeAfterServerCert(ss);
-    }
-
-    ssl_Release1stHandshakeLock(ss);
-    return rv;
-}
diff --git a/security/nss/lib/ssl/sslsnce.c b/security/nss/lib/ssl/sslsnce.c
deleted file mode 100644
index 877a5a995..000000000
--- a/security/nss/lib/ssl/sslsnce.c
+++ /dev/null
@@ -1,1699 +0,0 @@
-/* This file implements the SERVER Session ID cache. 
- * NOTE:  The contents of this file are NOT used by the client.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-/* Note: ssl_FreeSID() in sslnonce.c gets used for both client and server 
- * cache sids!
- *
- * About record locking among different server processes:
- *
- * All processes that are part of the same conceptual server (serving on 
- * the same address and port) MUST share a common SSL session cache. 
- * This code makes the content of the shared cache accessible to all
- * processes on the same "server".  This code works on Unix and Win32 only.
- *
- * We use NSPR anonymous shared memory and move data to & from shared memory.
- * We must do explicit locking of the records for all reads and writes.
- * The set of Cache entries are divided up into "sets" of 128 entries. 
- * Each set is protected by a lock.  There may be one or more sets protected
- * by each lock.  That is, locks to sets are 1:N.
- * There is one lock for the entire cert cache.
- * There is one lock for the set of wrapped sym wrap keys.
- *
- * The anonymous shared memory is laid out as if it were declared like this:
- *
- * struct {
- *     cacheDescriptor          desc;
- *     sidCacheLock             sidCacheLocks[ numSIDCacheLocks];
- *     sidCacheLock             keyCacheLock;
- *     sidCacheLock             certCacheLock;
- *     sidCacheSet              sidCacheSets[ numSIDCacheSets ];
- *     sidCacheEntry            sidCacheData[ numSIDCacheEntries];
- *     certCacheEntry           certCacheData[numCertCacheEntries];
- *     SSLWrappedSymWrappingKey keyCacheData[kt_kea_size][SSL_NUM_WRAP_MECHS];
- * } cacheMemCacheData;
- */
-#include "nssrenam.h"
-#include "seccomon.h"
-
-#if (defined(XP_UNIX) || defined(XP_WIN32) || defined (XP_OS2) || defined(XP_BEOS)) && !defined(_WIN32_WCE)
-
-#include "cert.h"
-#include "ssl.h"
-#include "sslimpl.h"
-#include "sslproto.h"
-#include "pk11func.h"
-#include "base64.h"
-
-#include <stdio.h>
-
-#if defined(XP_UNIX) || defined(XP_BEOS)
-
-#include <syslog.h>
-#include <fcntl.h>
-#include <unistd.h>
-#include <errno.h>
-#include <signal.h>
-#include "unix_err.h"
-
-#else
-
-#ifdef XP_WIN32
-#include <wtypes.h>
-#include "win32err.h"
-#endif
-
-#endif 
-#include <sys/types.h>
-
-#define SET_ERROR_CODE /* reminder */
-
-#include "nspr.h"
-#include "nsslocks.h"
-#include "sslmutex.h"
-
-#ifdef XP_OS2_VACPP
-#pragma pack(1)
-#endif
-
-/*
-** Format of a cache entry in the shared memory.
-*/ 
-struct sidCacheEntryStr {
-/* 16 */    PRIPv6Addr  addr;	/* client's IP address */
-/*  4 */    PRUint32    creationTime;
-/*  4 */    PRUint32    lastAccessTime;	
-/*  4 */    PRUint32    expirationTime;
-/*  2 */    PRUint16	version;
-/*  1 */    PRUint8	valid;
-/*  1 */    PRUint8     sessionIDLength;
-/* 32 */    PRUint8     sessionID[SSL3_SESSIONID_BYTES];
-/*  2 */    PRUint16    authAlgorithm;
-/*  2 */    PRUint16    authKeyBits;
-/*  2 */    PRUint16    keaType;
-/*  2 */    PRUint16    keaKeyBits;
-/* 72  - common header total */
-
-    union {
-	struct {
-/* 64 */    PRUint8	masterKey[SSL_MAX_MASTER_KEY_BYTES];
-/* 32 */    PRUint8	cipherArg[SSL_MAX_CYPHER_ARG_BYTES];
-
-/*  1 */    PRUint8	cipherType;
-/*  1 */    PRUint8	masterKeyLen;
-/*  1 */    PRUint8	keyBits;
-/*  1 */    PRUint8	secretKeyBits;
-/*  1 */    PRUint8	cipherArgLen;
-/*101 */} ssl2;
-
-	struct {
-/*  2 */    ssl3CipherSuite  cipherSuite;
-/*  2 */    PRUint16    compression; 	/* SSL3CompressionMethod */
-
-/*100 */    ssl3SidKeys keys;	/* keys and ivs, wrapped as needed. */
-
-/*  4 */    PRUint32    masterWrapMech; 
-/*  4 */    SSL3KEAType exchKeyType;
-/*  4 */    PRInt32     certIndex;
-/*116 */} ssl3;
-#if defined(LINUX)                      /* XXX Why only on Linux ? */
-	struct {
-	    PRUint8     filler[144];	/* XXX why this number ? */
-	} forceSize;
-#endif
-    } u;
-};
-typedef struct sidCacheEntryStr sidCacheEntry;
-
-/* The length of this struct is supposed to be a power of 2, e.g. 4KB */
-struct certCacheEntryStr {
-    PRUint16    certLength;				/*    2 */
-    PRUint16    sessionIDLength;			/*    2 */
-    PRUint8 	sessionID[SSL3_SESSIONID_BYTES];	/*   32 */
-    PRUint8 	cert[SSL_MAX_CACHED_CERT_LEN];		/* 4060 */
-};						/* total   4096 */
-typedef struct certCacheEntryStr certCacheEntry;
-
-struct sidCacheLockStr {
-    PRUint32	timeStamp;
-    sslMutex	mutex;
-    sslPID	pid;
-};
-typedef struct sidCacheLockStr sidCacheLock;
-
-struct sidCacheSetStr {
-    PRIntn	next;
-};
-typedef struct sidCacheSetStr sidCacheSet;
-
-struct cacheDescStr {
-
-    PRUint32            cacheMemSize;
-
-    PRUint32		numSIDCacheLocks;
-    PRUint32		numSIDCacheSets;
-    PRUint32		numSIDCacheSetsPerLock;
-
-    PRUint32            numSIDCacheEntries; 
-    PRUint32            sidCacheSize;
-
-    PRUint32            numCertCacheEntries;
-    PRUint32            certCacheSize;
-
-    PRUint32            numKeyCacheEntries;
-    PRUint32            keyCacheSize;
-
-    PRUint32		ssl2Timeout;
-    PRUint32		ssl3Timeout;
-
-    PRUint32            numSIDCacheLocksInitialized;
-
-    /* These values are volatile, and are accessed through sharedCache-> */
-    PRUint32		nextCertCacheEntry;	/* certCacheLock protects */
-    PRBool      	stopPolling;
-    PRBool		everInherited;
-
-    /* The private copies of these values are pointers into shared mem */
-    /* The copies of these values in shared memory are merely offsets */
-    sidCacheLock    *          sidCacheLocks;
-    sidCacheLock    *          keyCacheLock;
-    sidCacheLock    *          certCacheLock;
-    sidCacheSet     *          sidCacheSets;
-    sidCacheEntry   *          sidCacheData;
-    certCacheEntry  *          certCacheData;
-    SSLWrappedSymWrappingKey * keyCacheData;
-
-    /* Only the private copies of these pointers are valid */
-    char *                     cacheMem;
-    struct cacheDescStr *      sharedCache;  /* shared copy of this struct */
-    PRFileMap *                cacheMemMap;
-    PRThread  *                poller;
-    PRBool                     shared;
-};
-typedef struct cacheDescStr cacheDesc;
-
-static cacheDesc globalCache;
-
-static const char envVarName[] = { SSL_ENV_VAR_NAME };
-
-static PRBool isMultiProcess  = PR_FALSE;
-
-
-#define DEF_SID_CACHE_ENTRIES  10000
-#define DEF_CERT_CACHE_ENTRIES 250
-#define MIN_CERT_CACHE_ENTRIES 125 /* the effective size in old releases. */
-#define DEF_KEY_CACHE_ENTRIES  250
-
-#define SID_CACHE_ENTRIES_PER_SET  128
-#define SID_ALIGNMENT          16
-
-#define DEF_SSL2_TIMEOUT	100   /* seconds */
-#define MAX_SSL2_TIMEOUT	100   /* seconds */
-#define MIN_SSL2_TIMEOUT	  5   /* seconds */
-
-#define DEF_SSL3_TIMEOUT      86400L  /* 24 hours */
-#define MAX_SSL3_TIMEOUT      86400L  /* 24 hours */
-#define MIN_SSL3_TIMEOUT          5   /* seconds  */
-
-#if defined(AIX) || defined(LINUX) || defined(VMS)
-#define MAX_SID_CACHE_LOCKS 8	/* two FDs per lock */
-#elif defined(OSF1)
-#define MAX_SID_CACHE_LOCKS 16	/* one FD per lock */
-#else
-#define MAX_SID_CACHE_LOCKS 256
-#endif
-
-#define SID_HOWMANY(val, size) (((val) + ((size) - 1)) / (size))
-#define SID_ROUNDUP(val, size) ((size) * SID_HOWMANY((val), (size)))
-
-
-static sslPID myPid;
-static PRUint32  ssl_max_sid_cache_locks = MAX_SID_CACHE_LOCKS;
-
-/* forward static function declarations */
-static PRUint32 SIDindex(cacheDesc *cache, const PRIPv6Addr *addr, PRUint8 *s, 
-                         unsigned nl);
-static SECStatus LaunchLockPoller(cacheDesc *cache);
-
-
-struct inheritanceStr {
-    PRUint32 cacheMemSize;
-    PRUint32 fmStrLen;
-};
-
-typedef struct inheritanceStr inheritance;
-
-#if defined(_WIN32) || defined(XP_OS2)
-
-#define DEFAULT_CACHE_DIRECTORY "\\temp"
-
-#endif /* _win32 */
-
-#if defined(XP_UNIX) || defined(XP_BEOS)
-
-#define DEFAULT_CACHE_DIRECTORY "/tmp"
-
-#endif /* XP_UNIX || XP_BEOS */
-
-
-/************************************************************************/
-
-static PRUint32
-LockSidCacheLock(sidCacheLock *lock, PRUint32 now)
-{
-    SECStatus      rv      = sslMutex_Lock(&lock->mutex);
-    if (rv != SECSuccess)
-    	return 0;
-    if (!now)
-	now  = ssl_Time();
-    lock->timeStamp = now;
-    lock->pid       = myPid;
-    return now;
-}
-
-static SECStatus
-UnlockSidCacheLock(sidCacheLock *lock)
-{
-    SECStatus      rv;
-
-    lock->pid = 0;
-    rv        = sslMutex_Unlock(&lock->mutex);
-    return rv;
-}
-
-/* returns the value of ssl_Time on success, zero on failure. */
-static PRUint32
-LockSet(cacheDesc *cache, PRUint32 set, PRUint32 now)
-{
-    PRUint32       lockNum = set % cache->numSIDCacheLocks;
-    sidCacheLock * lock    = cache->sidCacheLocks + lockNum;
-
-    return LockSidCacheLock(lock, now);
-}
-
-static SECStatus
-UnlockSet(cacheDesc *cache, PRUint32 set)
-{
-    PRUint32       lockNum = set % cache->numSIDCacheLocks;
-    sidCacheLock * lock    = cache->sidCacheLocks + lockNum;
-
-    return UnlockSidCacheLock(lock);
-}
-
-/************************************************************************/
-
-
-/* Put a certificate in the cache.  Update the cert index in the sce.
-*/
-static PRUint32
-CacheCert(cacheDesc * cache, CERTCertificate *cert, sidCacheEntry *sce)
-{
-    PRUint32        now;
-    certCacheEntry  cce;
-
-    if ((cert->derCert.len > SSL_MAX_CACHED_CERT_LEN) ||
-        (cert->derCert.len <= 0) ||
-	(cert->derCert.data == NULL)) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return 0;
-    }
-
-    cce.sessionIDLength = sce->sessionIDLength;
-    PORT_Memcpy(cce.sessionID, sce->sessionID, cce.sessionIDLength);
-
-    cce.certLength = cert->derCert.len;
-    PORT_Memcpy(cce.cert, cert->derCert.data, cce.certLength);
-
-    /* get lock on cert cache */
-    now = LockSidCacheLock(cache->certCacheLock, 0);
-    if (now) {
-
-	/* Find where to place the next cert cache entry. */
-	cacheDesc * sharedCache = cache->sharedCache;
-	PRUint32    ndx         = sharedCache->nextCertCacheEntry;
-
-	/* write the entry */
-	cache->certCacheData[ndx] = cce;
-
-	/* remember where we put it. */
-	sce->u.ssl3.certIndex = ndx;
-
-	/* update the "next" cache entry index */
-	sharedCache->nextCertCacheEntry = 
-					(ndx + 1) % cache->numCertCacheEntries;
-
-	UnlockSidCacheLock(cache->certCacheLock);
-    }
-    return now;
-
-}
-
-/*
-** Convert local SID to shared memory one
-*/
-static void 
-ConvertFromSID(sidCacheEntry *to, sslSessionID *from)
-{
-    to->valid   = 1;
-    to->version = from->version;
-    to->addr    = from->addr;
-    to->creationTime    = from->creationTime;
-    to->lastAccessTime  = from->lastAccessTime;
-    to->expirationTime  = from->expirationTime;
-    to->authAlgorithm	= from->authAlgorithm;
-    to->authKeyBits	= from->authKeyBits;
-    to->keaType		= from->keaType;
-    to->keaKeyBits	= from->keaKeyBits;
-
-    if (from->version < SSL_LIBRARY_VERSION_3_0) {
-	if ((from->u.ssl2.masterKey.len > SSL_MAX_MASTER_KEY_BYTES) ||
-	    (from->u.ssl2.cipherArg.len > SSL_MAX_CYPHER_ARG_BYTES)) {
-	    SSL_DBG(("%d: SSL: masterKeyLen=%d cipherArgLen=%d",
-		     myPid, from->u.ssl2.masterKey.len,
-		     from->u.ssl2.cipherArg.len));
-	    to->valid = 0;
-	    return;
-	}
-
-	to->u.ssl2.cipherType    = from->u.ssl2.cipherType;
-	to->u.ssl2.masterKeyLen  = from->u.ssl2.masterKey.len;
-	to->u.ssl2.cipherArgLen  = from->u.ssl2.cipherArg.len;
-	to->u.ssl2.keyBits       = from->u.ssl2.keyBits;
-	to->u.ssl2.secretKeyBits = from->u.ssl2.secretKeyBits;
-	to->sessionIDLength      = SSL2_SESSIONID_BYTES;
-	PORT_Memcpy(to->sessionID, from->u.ssl2.sessionID, SSL2_SESSIONID_BYTES);
-	PORT_Memcpy(to->u.ssl2.masterKey, from->u.ssl2.masterKey.data,
-		  from->u.ssl2.masterKey.len);
-	PORT_Memcpy(to->u.ssl2.cipherArg, from->u.ssl2.cipherArg.data,
-		  from->u.ssl2.cipherArg.len);
-#ifdef DEBUG
-	PORT_Memset(to->u.ssl2.masterKey+from->u.ssl2.masterKey.len, 0,
-		  sizeof(to->u.ssl2.masterKey) - from->u.ssl2.masterKey.len);
-	PORT_Memset(to->u.ssl2.cipherArg+from->u.ssl2.cipherArg.len, 0,
-		  sizeof(to->u.ssl2.cipherArg) - from->u.ssl2.cipherArg.len);
-#endif
-	SSL_TRC(8, ("%d: SSL: ConvertSID: masterKeyLen=%d cipherArgLen=%d "
-		    "time=%d addr=0x%08x%08x%08x%08x cipherType=%d", myPid,
-		    to->u.ssl2.masterKeyLen, to->u.ssl2.cipherArgLen,
-		    to->creationTime, to->addr.pr_s6_addr32[0],
-		    to->addr.pr_s6_addr32[1], to->addr.pr_s6_addr32[2],
-		    to->addr.pr_s6_addr32[3], to->u.ssl2.cipherType));
-    } else {
-	/* This is an SSL v3 session */
-
-	to->u.ssl3.cipherSuite      = from->u.ssl3.cipherSuite;
-	to->u.ssl3.compression      = (uint16)from->u.ssl3.compression;
-	to->u.ssl3.keys             = from->u.ssl3.keys;
-	to->u.ssl3.masterWrapMech   = from->u.ssl3.masterWrapMech;
-	to->u.ssl3.exchKeyType      = from->u.ssl3.exchKeyType;
-	to->sessionIDLength         = from->u.ssl3.sessionIDLength;
-	to->u.ssl3.certIndex        = -1;
-
-	PORT_Memcpy(to->sessionID, from->u.ssl3.sessionID,
-		    to->sessionIDLength);
-
-	SSL_TRC(8, ("%d: SSL3: ConvertSID: time=%d addr=0x%08x%08x%08x%08x "
-	            "cipherSuite=%d",
-		    myPid, to->creationTime, to->addr.pr_s6_addr32[0],
-		    to->addr.pr_s6_addr32[1], to->addr.pr_s6_addr32[2],
-		    to->addr.pr_s6_addr32[3], to->u.ssl3.cipherSuite));
-    }
-}
-
-/*
-** Convert shared memory cache-entry to local memory based one
-** This is only called from ServerSessionIDLookup().
-** Caller must hold cache lock when calling this.
-*/
-static sslSessionID *
-ConvertToSID(sidCacheEntry *from, certCacheEntry *pcce, 
-             CERTCertDBHandle * dbHandle)
-{
-    sslSessionID *to;
-    uint16 version = from->version;
-
-    to = (sslSessionID*) PORT_ZAlloc(sizeof(sslSessionID));
-    if (!to) {
-	return 0;
-    }
-
-    if (version < SSL_LIBRARY_VERSION_3_0) {
-	/* This is an SSL v2 session */
-	to->u.ssl2.masterKey.data =
-	    (unsigned char*) PORT_Alloc(from->u.ssl2.masterKeyLen);
-	if (!to->u.ssl2.masterKey.data) {
-	    goto loser;
-	}
-	if (from->u.ssl2.cipherArgLen) {
-	    to->u.ssl2.cipherArg.data = 
-	    	(unsigned char*)PORT_Alloc(from->u.ssl2.cipherArgLen);
-	    if (!to->u.ssl2.cipherArg.data) {
-		goto loser;
-	    }
-	    PORT_Memcpy(to->u.ssl2.cipherArg.data, from->u.ssl2.cipherArg,
-		        from->u.ssl2.cipherArgLen);
-	}
-
-	to->u.ssl2.cipherType    = from->u.ssl2.cipherType;
-	to->u.ssl2.masterKey.len = from->u.ssl2.masterKeyLen;
-	to->u.ssl2.cipherArg.len = from->u.ssl2.cipherArgLen;
-	to->u.ssl2.keyBits       = from->u.ssl2.keyBits;
-	to->u.ssl2.secretKeyBits = from->u.ssl2.secretKeyBits;
-/*	to->sessionIDLength      = SSL2_SESSIONID_BYTES; */
-	PORT_Memcpy(to->u.ssl2.sessionID, from->sessionID, SSL2_SESSIONID_BYTES);
-	PORT_Memcpy(to->u.ssl2.masterKey.data, from->u.ssl2.masterKey,
-		    from->u.ssl2.masterKeyLen);
-
-	SSL_TRC(8, ("%d: SSL: ConvertToSID: masterKeyLen=%d cipherArgLen=%d "
-		    "time=%d addr=0x%08x%08x%08x%08x cipherType=%d",
-		    myPid, to->u.ssl2.masterKey.len,
-		    to->u.ssl2.cipherArg.len, to->creationTime,
-		    to->addr.pr_s6_addr32[0], to->addr.pr_s6_addr32[1],
-		    to->addr.pr_s6_addr32[2], to->addr.pr_s6_addr32[3],
-		    to->u.ssl2.cipherType));
-    } else {
-	/* This is an SSL v3 session */
-
-	to->u.ssl3.sessionIDLength  = from->sessionIDLength;
-	to->u.ssl3.cipherSuite      = from->u.ssl3.cipherSuite;
-	to->u.ssl3.compression      = (SSL3CompressionMethod)from->u.ssl3.compression;
-	to->u.ssl3.keys             = from->u.ssl3.keys;
-	to->u.ssl3.masterWrapMech   = from->u.ssl3.masterWrapMech;
-	to->u.ssl3.exchKeyType      = from->u.ssl3.exchKeyType;
-
-	PORT_Memcpy(to->u.ssl3.sessionID, from->sessionID, from->sessionIDLength);
-
-	/* the portions of the SID that are only restored on the client
-	 * are set to invalid values on the server.
-	 */
-	to->u.ssl3.clientWriteKey   = NULL;
-	to->u.ssl3.serverWriteKey   = NULL;
-
-	to->urlSvrName              = NULL;
-
-	to->u.ssl3.masterModuleID   = (SECMODModuleID)-1; /* invalid value */
-	to->u.ssl3.masterSlotID     = (CK_SLOT_ID)-1;     /* invalid value */
-	to->u.ssl3.masterWrapIndex  = 0;
-	to->u.ssl3.masterWrapSeries = 0;
-	to->u.ssl3.masterValid      = PR_FALSE;
-
-	to->u.ssl3.clAuthModuleID   = (SECMODModuleID)-1; /* invalid value */
-	to->u.ssl3.clAuthSlotID     = (CK_SLOT_ID)-1;     /* invalid value */
-	to->u.ssl3.clAuthSeries     = 0;
-	to->u.ssl3.clAuthValid      = PR_FALSE;
-
-	if (from->u.ssl3.certIndex != -1 && pcce) {
-	    SECItem          derCert;
-
-	    derCert.len  = pcce->certLength;
-	    derCert.data = pcce->cert;
-
-	    to->peerCert = CERT_NewTempCertificate(dbHandle, &derCert, NULL,
-					           PR_FALSE, PR_TRUE);
-	    if (to->peerCert == NULL)
-		goto loser;
-	}
-    }
-
-    to->version         = from->version;
-    to->creationTime    = from->creationTime;
-    to->lastAccessTime  = from->lastAccessTime;
-    to->expirationTime  = from->expirationTime;
-    to->cached          = in_server_cache;
-    to->addr            = from->addr;
-    to->references      = 1;
-    to->authAlgorithm	= from->authAlgorithm;
-    to->authKeyBits	= from->authKeyBits;
-    to->keaType		= from->keaType;
-    to->keaKeyBits	= from->keaKeyBits;
-    
-    return to;
-
-  loser:
-    if (to) {
-	if (version < SSL_LIBRARY_VERSION_3_0) {
-	    if (to->u.ssl2.masterKey.data)
-		PORT_Free(to->u.ssl2.masterKey.data);
-	    if (to->u.ssl2.cipherArg.data)
-		PORT_Free(to->u.ssl2.cipherArg.data);
-	}
-	PORT_Free(to);
-    }
-    return NULL;
-}
-
-
-
-/*
-** Perform some mumbo jumbo on the ip-address and the session-id value to
-** compute a hash value.
-*/
-static PRUint32 
-SIDindex(cacheDesc *cache, const PRIPv6Addr *addr, PRUint8 *s, unsigned nl)
-{
-    PRUint32 rv;
-    PRUint32 x[8];
-
-    memset(x, 0, sizeof x);
-    if (nl > sizeof x)
-    	nl = sizeof x;
-    memcpy(x, s, nl);
-
-    rv = (addr->pr_s6_addr32[0] ^ addr->pr_s6_addr32[1] ^
-	  addr->pr_s6_addr32[2] ^ addr->pr_s6_addr32[3] ^
-          x[0] ^ x[1] ^ x[2] ^ x[3] ^ x[4] ^ x[5] ^ x[6] ^ x[7])
-	  % cache->numSIDCacheSets;
-    return rv;
-}
-
-
-
-/*
-** Look something up in the cache. This will invalidate old entries
-** in the process. Caller has locked the cache set!
-** Returns PR_TRUE if found a valid match.  PR_FALSE otherwise.
-*/
-static sidCacheEntry *
-FindSID(cacheDesc *cache, PRUint32 setNum, PRUint32 now,
-        const PRIPv6Addr *addr, unsigned char *sessionID,
-	unsigned sessionIDLength)
-{
-    PRUint32      ndx   = cache->sidCacheSets[setNum].next;
-    int           i;
-
-    sidCacheEntry * set = cache->sidCacheData + 
-    			 (setNum * SID_CACHE_ENTRIES_PER_SET);
-
-    for (i = SID_CACHE_ENTRIES_PER_SET; i > 0; --i) {
-	sidCacheEntry * sce;
-
-	ndx  = (ndx - 1) % SID_CACHE_ENTRIES_PER_SET;
-	sce = set + ndx;
-
-	if (!sce->valid)
-	    continue;
-
-	if (now > sce->expirationTime) {
-	    /* SessionID has timed out. Invalidate the entry. */
-	    SSL_TRC(7, ("%d: timed out sid entry addr=%08x%08x%08x%08x now=%x "
-			"time+=%x",
-			myPid, sce->addr.pr_s6_addr32[0],
-			sce->addr.pr_s6_addr32[1], sce->addr.pr_s6_addr32[2],
-			sce->addr.pr_s6_addr32[3], now,
-			sce->expirationTime ));
-	    sce->valid = 0;
-	    continue;
-	}
-
-	/*
-	** Next, examine specific session-id/addr data to see if the cache
-	** entry matches our addr+session-id value
-	*/
-	if (sessionIDLength == sce->sessionIDLength      &&
-	    !memcmp(&sce->addr, addr, sizeof(PRIPv6Addr)) &&
-	    !memcmp(sce->sessionID, sessionID, sessionIDLength)) {
-	    /* Found it */
-	    return sce;
-	}
-    }
-
-    PORT_SetError(SSL_ERROR_SESSION_NOT_FOUND);
-    return NULL;
-}
-
-/************************************************************************/
-
-/* This is the primary function for finding entries in the server's sid cache.
- * Although it is static, this function is called via the global function 
- * pointer ssl_sid_lookup.
- */
-static sslSessionID *
-ServerSessionIDLookup(const PRIPv6Addr *addr,
-			unsigned char *sessionID,
-			unsigned int   sessionIDLength,
-                        CERTCertDBHandle * dbHandle)
-{
-    sslSessionID *  sid      = 0;
-    sidCacheEntry * psce;
-    certCacheEntry *pcce     = 0;
-    cacheDesc *     cache    = &globalCache;
-    PRUint32        now;
-    PRUint32        set;
-    PRInt32         cndx;
-    sidCacheEntry   sce;
-    certCacheEntry  cce;
-
-    set = SIDindex(cache, addr, sessionID, sessionIDLength);
-    now = LockSet(cache, set, 0);
-    if (!now)
-    	return NULL;
-
-    psce = FindSID(cache, set, now, addr, sessionID, sessionIDLength);
-    if (psce) {
-	if (psce->version >= SSL_LIBRARY_VERSION_3_0 && 
-	    (cndx = psce->u.ssl3.certIndex) != -1) {
-
-	    PRUint32 gotLock = LockSidCacheLock(cache->certCacheLock, now);
-	    if (gotLock) {
-		pcce = &cache->certCacheData[cndx];
-
-		/* See if the cert's session ID matches the sce cache. */
-		if ((pcce->sessionIDLength == psce->sessionIDLength) &&
-		    !PORT_Memcmp(pcce->sessionID, psce->sessionID, 
-		                 pcce->sessionIDLength)) {
-		    cce = *pcce;
-		} else {
-		    /* The cert doesen't match the SID cache entry, 
-		    ** so invalidate the SID cache entry. 
-		    */
-		    psce->valid = 0;
-		    psce = 0;
-		    pcce = 0;
-		}
-		UnlockSidCacheLock(cache->certCacheLock);
-	    } else {
-		/* what the ??.  Didn't get the cert cache lock.
-		** Don't invalidate the SID cache entry, but don't find it.
-		*/
-		PORT_Assert(!("Didn't get cert Cache Lock!"));
-		psce = 0;
-		pcce = 0;
-	    }
-	}
-	if (psce) {
-	    psce->lastAccessTime = now;
-	    sce = *psce;	/* grab a copy while holding the lock */
-    	}
-    }
-    UnlockSet(cache, set);
-    if (psce) {
-	/* sce conains a copy of the cache entry.
-	** Convert shared memory format to local format 
-	*/
-	sid = ConvertToSID(&sce, pcce ? &cce : 0, dbHandle);
-    }
-    return sid;
-}
-
-/*
-** Place a sid into the cache, if it isn't already there. 
-*/
-static void 
-ServerSessionIDCache(sslSessionID *sid)
-{
-    sidCacheEntry sce;
-    PRUint32      now     = 0;
-    uint16        version = sid->version;
-    cacheDesc *   cache   = &globalCache;
-
-    if ((version >= SSL_LIBRARY_VERSION_3_0) &&
-	(sid->u.ssl3.sessionIDLength == 0)) {
-	return;
-    }
-
-    if (sid->cached == never_cached || sid->cached == invalid_cache) {
-	PRUint32 set;
-
-	PORT_Assert(sid->creationTime != 0 && sid->expirationTime != 0);
-	if (!sid->creationTime)
-	    sid->lastAccessTime = sid->creationTime = ssl_Time();
-	if (version < SSL_LIBRARY_VERSION_3_0) {
-	    if (!sid->expirationTime)
-		sid->expirationTime = sid->creationTime + ssl_sid_timeout;
-	    SSL_TRC(8, ("%d: SSL: CacheMT: cached=%d addr=0x%08x%08x%08x%08x time=%x "
-			"cipher=%d", myPid, sid->cached,
-			sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1],
-			sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
-			sid->creationTime, sid->u.ssl2.cipherType));
-	    PRINT_BUF(8, (0, "sessionID:", sid->u.ssl2.sessionID,
-			  SSL2_SESSIONID_BYTES));
-	    PRINT_BUF(8, (0, "masterKey:", sid->u.ssl2.masterKey.data,
-			  sid->u.ssl2.masterKey.len));
-	    PRINT_BUF(8, (0, "cipherArg:", sid->u.ssl2.cipherArg.data,
-			  sid->u.ssl2.cipherArg.len));
-
-	} else {
-	    if (!sid->expirationTime)
-		sid->expirationTime = sid->creationTime + ssl3_sid_timeout;
-	    SSL_TRC(8, ("%d: SSL: CacheMT: cached=%d addr=0x%08x%08x%08x%08x time=%x "
-			"cipherSuite=%d", myPid, sid->cached,
-			sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1],
-			sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
-			sid->creationTime, sid->u.ssl3.cipherSuite));
-	    PRINT_BUF(8, (0, "sessionID:", sid->u.ssl3.sessionID,
-			  sid->u.ssl3.sessionIDLength));
-	}
-
-	ConvertFromSID(&sce, sid);
-
-	if ((version >= SSL_LIBRARY_VERSION_3_0) && 
-	    (sid->peerCert != NULL)) {
-	    now = CacheCert(cache, sid->peerCert, &sce);
-	}
-
-	set = SIDindex(cache, &sce.addr, sce.sessionID, sce.sessionIDLength);
-	now = LockSet(cache, set, now);
-	if (now) {
-	    PRUint32  next = cache->sidCacheSets[set].next;
-	    PRUint32  ndx  = set * SID_CACHE_ENTRIES_PER_SET + next;
-
-	    /* Write out new cache entry */
-	    cache->sidCacheData[ndx] = sce;
-
-	    cache->sidCacheSets[set].next = 
-	    				(next + 1) % SID_CACHE_ENTRIES_PER_SET;
-
-	    UnlockSet(cache, set);
-	    sid->cached = in_server_cache;
-	}
-    }
-}
-
-/*
-** Although this is static, it is called from ssl via global function pointer
-**	ssl_sid_uncache.  This invalidates the referenced cache entry.
-*/
-static void 
-ServerSessionIDUncache(sslSessionID *sid)
-{
-    cacheDesc *    cache   = &globalCache;
-    PRUint8 *      sessionID;
-    unsigned int   sessionIDLength;
-    PRErrorCode    err;
-    PRUint32       set;
-    PRUint32       now;
-    sidCacheEntry *psce;
-
-    if (sid == NULL) 
-    	return;
-    
-    /* Uncaching a SID should never change the error code. 
-    ** So save it here and restore it before exiting.
-    */
-    err = PR_GetError();
-
-    if (sid->version < SSL_LIBRARY_VERSION_3_0) {
-	sessionID       = sid->u.ssl2.sessionID;
-	sessionIDLength = SSL2_SESSIONID_BYTES;
-	SSL_TRC(8, ("%d: SSL: UncacheMT: valid=%d addr=0x%08x%08x%08x%08x time=%x "
-		    "cipher=%d", myPid, sid->cached,
-		    sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1],
-		    sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
-		    sid->creationTime, sid->u.ssl2.cipherType));
-	PRINT_BUF(8, (0, "sessionID:", sessionID, sessionIDLength));
-	PRINT_BUF(8, (0, "masterKey:", sid->u.ssl2.masterKey.data,
-		      sid->u.ssl2.masterKey.len));
-	PRINT_BUF(8, (0, "cipherArg:", sid->u.ssl2.cipherArg.data,
-		      sid->u.ssl2.cipherArg.len));
-    } else {
-	sessionID       = sid->u.ssl3.sessionID;
-	sessionIDLength = sid->u.ssl3.sessionIDLength;
-	SSL_TRC(8, ("%d: SSL3: UncacheMT: valid=%d addr=0x%08x%08x%08x%08x time=%x "
-		    "cipherSuite=%d", myPid, sid->cached,
-		    sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1],
-		    sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
-		    sid->creationTime, sid->u.ssl3.cipherSuite));
-	PRINT_BUF(8, (0, "sessionID:", sessionID, sessionIDLength));
-    }
-    set = SIDindex(cache, &sid->addr, sessionID, sessionIDLength);
-    now = LockSet(cache, set, 0);
-    if (now) {
-	psce = FindSID(cache, set, now, &sid->addr, sessionID, sessionIDLength);
-	if (psce) {
-	    psce->valid = 0;
-	}
-	UnlockSet(cache, set);
-    }
-    sid->cached = invalid_cache;
-    PORT_SetError(err);
-}
-
-#ifdef XP_OS2
-
-#define INCL_DOSPROCESS
-#include <os2.h>
-
-long gettid(void)
-{
-    PTIB ptib;
-    PPIB ppib;
-    DosGetInfoBlocks(&ptib, &ppib);
-    return ((long)ptib->tib_ordinal); /* thread id */
-}
-#endif
-
-static void
-CloseCache(cacheDesc *cache)
-{
-    int locks_initialized = cache->numSIDCacheLocksInitialized;
-
-    if (cache->cacheMem) {
-	/* If everInherited is true, this shared cache was (and may still
-	** be) in use by multiple processes.  We do not wish to destroy
-	** the mutexes while they are still in use.  
-	*/
-	if (PR_FALSE == cache->sharedCache->everInherited) {
-	    sidCacheLock *pLock = cache->sidCacheLocks;
-	    for (; locks_initialized > 0; --locks_initialized, ++pLock ) {
-		sslMutex_Destroy(&pLock->mutex);
-	    }
-	}
-	if (cache->shared) {
-	    PR_MemUnmap(cache->cacheMem, cache->cacheMemSize);
-	} else {
-	    PORT_Free(cache->cacheMem);
-	}
-	cache->cacheMem = NULL;
-    }
-    if (cache->cacheMemMap) {
-	PR_CloseFileMap(cache->cacheMemMap);
-	cache->cacheMemMap = NULL;
-    }
-    memset(cache, 0, sizeof *cache);
-}
-
-static SECStatus
-InitCache(cacheDesc *cache, int maxCacheEntries, PRUint32 ssl2_timeout, 
-          PRUint32 ssl3_timeout, const char *directory, PRBool shared)
-{
-    ptrdiff_t     ptr;
-    sidCacheLock *pLock;
-    char *        cacheMem;
-    PRFileMap *   cacheMemMap;
-    char *        cfn = NULL;	/* cache file name */
-    int           locks_initialized = 0;
-    int           locks_to_initialize = 0;
-    PRUint32      init_time;
-
-    if ( (!cache) || (maxCacheEntries < 0) || (!directory) ) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    if (cache->cacheMem) {
-	/* Already done */
-	return SECSuccess;
-    }
-
-    /* make sure loser can clean up properly */
-    cache->shared = shared;
-    cache->cacheMem    = cacheMem    = NULL;
-    cache->cacheMemMap = cacheMemMap = NULL;
-    cache->sharedCache = (cacheDesc *)0;
-
-    cache->numSIDCacheEntries = maxCacheEntries ? maxCacheEntries 
-                                                : DEF_SID_CACHE_ENTRIES;
-    cache->numSIDCacheSets    = 
-    	SID_HOWMANY(cache->numSIDCacheEntries, SID_CACHE_ENTRIES_PER_SET);
-
-    cache->numSIDCacheEntries = 
-    	cache->numSIDCacheSets * SID_CACHE_ENTRIES_PER_SET;
-
-    cache->numSIDCacheLocks   = 
-    	PR_MIN(cache->numSIDCacheSets, ssl_max_sid_cache_locks);
-
-    cache->numSIDCacheSetsPerLock = 
-    	SID_HOWMANY(cache->numSIDCacheSets, cache->numSIDCacheLocks);
-
-    /* compute size of shared memory, and offsets of all pointers */
-    ptr = 0;
-    cache->cacheMem     = (char *)ptr;
-    ptr += SID_ROUNDUP(sizeof(cacheDesc), SID_ALIGNMENT);
-
-    cache->sidCacheLocks = (sidCacheLock *)ptr;
-    cache->keyCacheLock  = cache->sidCacheLocks + cache->numSIDCacheLocks;
-    cache->certCacheLock = cache->keyCacheLock  + 1;
-    ptr = (ptrdiff_t)(cache->certCacheLock + 1);
-    ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
-
-    cache->sidCacheSets  = (sidCacheSet *)ptr;
-    ptr = (ptrdiff_t)(cache->sidCacheSets + cache->numSIDCacheSets);
-    ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
-
-    cache->sidCacheData  = (sidCacheEntry *)ptr;
-    ptr = (ptrdiff_t)(cache->sidCacheData + cache->numSIDCacheEntries);
-    ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
-
-    cache->certCacheData = (certCacheEntry *)ptr;
-    cache->sidCacheSize  = 
-    	(char *)cache->certCacheData - (char *)cache->sidCacheData;
-
-    /* This is really a poor way to computer this! */
-    cache->numCertCacheEntries = cache->sidCacheSize / sizeof(certCacheEntry);
-    if (cache->numCertCacheEntries < MIN_CERT_CACHE_ENTRIES)
-    	cache->numCertCacheEntries = MIN_CERT_CACHE_ENTRIES;
-    ptr = (ptrdiff_t)(cache->certCacheData + cache->numCertCacheEntries);
-    ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
-
-    cache->keyCacheData  = (SSLWrappedSymWrappingKey *)ptr;
-    cache->certCacheSize = 
-    	(char *)cache->keyCacheData - (char *)cache->certCacheData;
-
-    cache->numKeyCacheEntries = kt_kea_size * SSL_NUM_WRAP_MECHS;
-    ptr = (ptrdiff_t)(cache->keyCacheData + cache->numKeyCacheEntries);
-    ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
-
-    cache->cacheMemSize = ptr;
-
-    cache->keyCacheSize  = (char *)ptr - (char *)cache->keyCacheData;
-
-    if (ssl2_timeout) {   
-	if (ssl2_timeout > MAX_SSL2_TIMEOUT) {
-	    ssl2_timeout = MAX_SSL2_TIMEOUT;
-	}
-	if (ssl2_timeout < MIN_SSL2_TIMEOUT) {
-	    ssl2_timeout = MIN_SSL2_TIMEOUT;
-	}
-	cache->ssl2Timeout = ssl2_timeout;
-    } else {
-	cache->ssl2Timeout = DEF_SSL2_TIMEOUT;
-    }
-
-    if (ssl3_timeout) {   
-	if (ssl3_timeout > MAX_SSL3_TIMEOUT) {
-	    ssl3_timeout = MAX_SSL3_TIMEOUT;
-	}
-	if (ssl3_timeout < MIN_SSL3_TIMEOUT) {
-	    ssl3_timeout = MIN_SSL3_TIMEOUT;
-	}
-	cache->ssl3Timeout = ssl3_timeout;
-    } else {
-	cache->ssl3Timeout = DEF_SSL3_TIMEOUT;
-    }
-
-    if (shared) {
-	/* Create file names */
-#if defined(XP_UNIX) || defined(XP_BEOS)
-	/* there's some confusion here about whether PR_OpenAnonFileMap wants
-	** a directory name or a file name for its first argument.
-	cfn = PR_smprintf("%s/.sslsvrcache.%d", directory, myPid);
-	*/
-	cfn = PR_smprintf("%s", directory);
-#elif defined(XP_WIN32)
-	cfn = PR_smprintf("%s/svrcache_%d_%x.ssl", directory, myPid, 
-			    GetCurrentThreadId());
-#elif defined(XP_OS2)
-	cfn = PR_smprintf("%s/svrcache_%d_%x.ssl", directory, myPid, 
-			    gettid());
-#else
-#error "Don't know how to create file name for this platform!"
-#endif
-	if (!cfn) {
-	    goto loser;
-	}
-
-	/* Create cache */
-	cacheMemMap = PR_OpenAnonFileMap(cfn, cache->cacheMemSize, 
-					 PR_PROT_READWRITE);
-
-	PR_smprintf_free(cfn);
-	if(!cacheMemMap) {
-	    goto loser;
-	}
-
-        cacheMem = PR_MemMap(cacheMemMap, 0, cache->cacheMemSize);
-    } else {
-        cacheMem = PORT_Alloc(cache->cacheMemSize);
-    }
-    
-    if (! cacheMem) {
-        goto loser;
-    }
-
-    /* Initialize shared memory. This may not be necessary on all platforms */
-    memset(cacheMem, 0, cache->cacheMemSize);
-
-    /* Copy cache descriptor header into shared memory */
-    memcpy(cacheMem, cache, sizeof *cache);
-
-    /* save private copies of these values */
-    cache->cacheMemMap = cacheMemMap;
-    cache->cacheMem    = cacheMem;
-    cache->sharedCache = (cacheDesc *)cacheMem;
-
-    /* Fix pointers in our private copy of cache descriptor to point to 
-    ** spaces in shared memory 
-    */
-    ptr = (ptrdiff_t)cache->cacheMem;
-    *(ptrdiff_t *)(&cache->sidCacheLocks) += ptr;
-    *(ptrdiff_t *)(&cache->keyCacheLock ) += ptr;
-    *(ptrdiff_t *)(&cache->certCacheLock) += ptr;
-    *(ptrdiff_t *)(&cache->sidCacheSets ) += ptr;
-    *(ptrdiff_t *)(&cache->sidCacheData ) += ptr;
-    *(ptrdiff_t *)(&cache->certCacheData) += ptr;
-    *(ptrdiff_t *)(&cache->keyCacheData ) += ptr;
-
-    /* initialize the locks */
-    init_time = ssl_Time();
-    pLock = cache->sidCacheLocks;
-    for (locks_to_initialize = cache->numSIDCacheLocks + 2;
-         locks_initialized < locks_to_initialize; 
-	 ++locks_initialized, ++pLock ) {
-
-	SECStatus err = sslMutex_Init(&pLock->mutex, shared);
-	if (err) {
-	    cache->numSIDCacheLocksInitialized = locks_initialized;
-	    goto loser;
-	}
-        pLock->timeStamp = init_time;
-	pLock->pid       = 0;
-    }
-    cache->numSIDCacheLocksInitialized = locks_initialized;
-
-    return SECSuccess;
-
-loser:
-    CloseCache(cache);
-    return SECFailure;
-}
-
-PRUint32
-SSL_GetMaxServerCacheLocks(void)
-{
-    return ssl_max_sid_cache_locks + 2;
-    /* The extra two are the cert cache lock and the key cache lock. */
-}
-
-SECStatus
-SSL_SetMaxServerCacheLocks(PRUint32 maxLocks)
-{
-    /* Minimum is 1 sid cache lock, 1 cert cache lock and 1 key cache lock.
-    ** We'd like to test for a maximum value, but not all platforms' header
-    ** files provide a symbol or function or other means of determining
-    ** the maximum, other than trial and error.
-    */
-    if (maxLocks < 3) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    ssl_max_sid_cache_locks = maxLocks - 2;
-    /* The extra two are the cert cache lock and the key cache lock. */
-    return SECSuccess;
-}
-
-SECStatus
-SSL_ConfigServerSessionIDCacheInstance(	cacheDesc *cache,
-                                int      maxCacheEntries, 
-				PRUint32 ssl2_timeout,
-			       	PRUint32 ssl3_timeout, 
-			  const char *   directory, PRBool shared)
-{
-    SECStatus rv;
-
-#if defined(DEBUG_nelsonb)
-    printf("sizeof(sidCacheEntry) == %u\n", sizeof(sidCacheEntry));
-#endif
-#if !(defined(SOLARIS) && defined(i386))
-#ifndef XP_OS2
-    PORT_Assert(sizeof(sidCacheEntry) % 8 == 0);
-#endif
-#endif
-    PORT_Assert(sizeof(certCacheEntry) == 4096);
-
-    myPid = SSL_GETPID();
-    if (!directory) {
-	directory = DEFAULT_CACHE_DIRECTORY;
-    }
-    rv = InitCache(cache, maxCacheEntries, ssl2_timeout, ssl3_timeout, 
-                   directory, shared);
-    if (rv) {
-	SET_ERROR_CODE
-    	return SECFailure;
-    }
-
-    ssl_sid_lookup  = ServerSessionIDLookup;
-    ssl_sid_cache   = ServerSessionIDCache;
-    ssl_sid_uncache = ServerSessionIDUncache;
-    return SECSuccess;
-}
-
-SECStatus
-SSL_ConfigServerSessionIDCache(	int      maxCacheEntries, 
-				PRUint32 ssl2_timeout,
-			       	PRUint32 ssl3_timeout, 
-			  const char *   directory)
-{
-    ssl_InitClientSessionCacheLock();
-    ssl_InitSymWrapKeysLock();
-    return SSL_ConfigServerSessionIDCacheInstance(&globalCache, 
-    		maxCacheEntries, ssl2_timeout, ssl3_timeout, directory, PR_FALSE);
-}
-
-SECStatus
-SSL_ShutdownServerSessionIDCacheInstance(cacheDesc *cache)
-{
-    CloseCache(cache);
-    return SECSuccess;
-}
-
-SECStatus
-SSL_ShutdownServerSessionIDCache(void)
-{
-    SSL3_ShutdownServerCache();
-    return SSL_ShutdownServerSessionIDCacheInstance(&globalCache);
-}
-
-/* Use this function, instead of SSL_ConfigServerSessionIDCache,
- * if the cache will be shared by multiple processes.
- */
-SECStatus
-SSL_ConfigMPServerSIDCache(	int      maxCacheEntries, 
-				PRUint32 ssl2_timeout,
-			       	PRUint32 ssl3_timeout, 
-		          const char *   directory)
-{
-    char *	envValue;
-    char *	inhValue;
-    cacheDesc * cache         = &globalCache;
-    PRUint32    fmStrLen;
-    SECStatus 	result;
-    PRStatus 	prStatus;
-    SECStatus	putEnvFailed;
-    inheritance inherit;
-    char        fmString[PR_FILEMAP_STRING_BUFSIZE];
-
-    isMultiProcess = PR_TRUE;
-    result = SSL_ConfigServerSessionIDCacheInstance(cache, maxCacheEntries, 
-			ssl2_timeout, ssl3_timeout, directory, PR_TRUE);
-    if (result != SECSuccess) 
-        return result;
-
-    prStatus = PR_ExportFileMapAsString(cache->cacheMemMap, 
-                                        sizeof fmString, fmString);
-    if ((prStatus != PR_SUCCESS) || !(fmStrLen = strlen(fmString))) {
-	SET_ERROR_CODE
-	return SECFailure;
-    }
-
-    inherit.cacheMemSize	= cache->cacheMemSize;
-    inherit.fmStrLen            = fmStrLen;
-
-    inhValue = BTOA_DataToAscii((unsigned char *)&inherit, sizeof inherit);
-    if (!inhValue || !strlen(inhValue)) {
-	SET_ERROR_CODE
-	return SECFailure;
-    }
-    envValue = PR_smprintf("%s,%s", inhValue, fmString);
-    if (!envValue || !strlen(envValue)) {
-	SET_ERROR_CODE
-	return SECFailure;
-    }
-    PORT_Free(inhValue);
-
-    putEnvFailed = (SECStatus)NSS_PutEnv(envVarName, envValue);
-    PR_smprintf_free(envValue);
-    if (putEnvFailed) {
-        SET_ERROR_CODE
-        result = SECFailure;
-    }
-
-#if defined(XP_UNIX) || defined(XP_BEOS)
-    /* Launch thread to poll cache for expired locks on Unix */
-    LaunchLockPoller(cache);
-#endif
-    return result;
-}
-
-SECStatus
-SSL_InheritMPServerSIDCacheInstance(cacheDesc *cache, const char * envString)
-{
-    unsigned char * decoString = NULL;
-    char *          fmString   = NULL;
-    char *          myEnvString = NULL;
-    unsigned int    decoLen;
-    ptrdiff_t       ptr;
-    inheritance     inherit;
-    cacheDesc       my;
-#ifdef WINNT
-    sidCacheLock* newLocks;
-    int           locks_initialized = 0;
-    int           locks_to_initialize = 0;
-#endif
-
-    myPid = SSL_GETPID();
-
-    /* If this child was created by fork(), and not by exec() on unix,
-    ** then isMultiProcess will already be set.
-    ** If not, we'll set it below.
-    */
-    if (isMultiProcess) {
-	if (cache && cache->sharedCache) {
-	    cache->sharedCache->everInherited = PR_TRUE;
-	}
-    	return SECSuccess;	/* already done. */
-    }
-
-    ssl_InitClientSessionCacheLock();
-    ssl_InitSymWrapKeysLock();
-
-    ssl_sid_lookup  = ServerSessionIDLookup;
-    ssl_sid_cache   = ServerSessionIDCache;
-    ssl_sid_uncache = ServerSessionIDUncache;
-
-    if (!envString) {
-    	envString  = getenv(envVarName);
-	if (!envString) {
-	    SET_ERROR_CODE
-	    return SECFailure;
-	}
-    }
-    myEnvString = PORT_Strdup(envString);
-    if (!myEnvString) 
-	return SECFailure;
-    fmString = strchr(myEnvString, ',');
-    if (!fmString) 
-    	goto loser;
-    *fmString++ = 0;
-
-    decoString = ATOB_AsciiToData(myEnvString, &decoLen);
-    if (!decoString) {
-    	SET_ERROR_CODE
-	goto loser;
-    }
-    if (decoLen != sizeof inherit) {
-    	SET_ERROR_CODE
-    	goto loser;
-    }
-
-    PORT_Memcpy(&inherit, decoString, sizeof inherit);
-
-    if (strlen(fmString)  != inherit.fmStrLen ) {
-    	goto loser;
-    }
-
-    memset(cache, 0, sizeof *cache);
-    cache->cacheMemSize	= inherit.cacheMemSize;
-
-    /* Create cache */
-    cache->cacheMemMap = PR_ImportFileMapFromString(fmString);
-    if(! cache->cacheMemMap) {
-	goto loser;
-    }
-    cache->cacheMem = PR_MemMap(cache->cacheMemMap, 0, cache->cacheMemSize);
-    if (! cache->cacheMem) {
-	goto loser;
-    }
-    cache->sharedCache   = (cacheDesc *)cache->cacheMem;
-
-    if (cache->sharedCache->cacheMemSize != cache->cacheMemSize) {
-	SET_ERROR_CODE
-    	goto loser;
-    }
-
-    /* We're now going to overwrite the local cache instance with the 
-    ** shared copy of the cache struct, then update several values in 
-    ** the local cache using the values for cache->cacheMemMap and 
-    ** cache->cacheMem computed just above.  So, we copy cache into 
-    ** the automatic variable "my", to preserve the variables while
-    ** cache is overwritten.
-    */
-    my = *cache;  /* save values computed above. */
-    memcpy(cache, cache->sharedCache, sizeof *cache); /* overwrite */
-
-    /* Fix pointers in our private copy of cache descriptor to point to 
-    ** spaces in shared memory, whose address is now in "my".
-    */
-    ptr = (ptrdiff_t)my.cacheMem;
-    *(ptrdiff_t *)(&cache->sidCacheLocks) += ptr;
-    *(ptrdiff_t *)(&cache->keyCacheLock ) += ptr;
-    *(ptrdiff_t *)(&cache->certCacheLock) += ptr;
-    *(ptrdiff_t *)(&cache->sidCacheSets ) += ptr;
-    *(ptrdiff_t *)(&cache->sidCacheData ) += ptr;
-    *(ptrdiff_t *)(&cache->certCacheData) += ptr;
-    *(ptrdiff_t *)(&cache->keyCacheData ) += ptr;
-
-    cache->cacheMemMap = my.cacheMemMap;
-    cache->cacheMem    = my.cacheMem;
-    cache->sharedCache = (cacheDesc *)cache->cacheMem;
-
-#ifdef WINNT
-    /*  On Windows NT we need to "fix" the sidCacheLocks here to support fibers
-    **  When NT fibers are used in a multi-process server, a second level of
-    **  locking is needed to prevent a deadlock, in case a fiber acquires the
-    **  cross-process mutex, yields, and another fiber is later scheduled on
-    **  the same native thread and tries to acquire the cross-process mutex.
-    **  We do this by using a PRLock in the sslMutex. However, it is stored in
-    **  shared memory as part of sidCacheLocks, and we don't want to overwrite
-    **  the PRLock of the parent process. So we need to make new, private
-    **  copies of sidCacheLocks before modifying the sslMutex with our own
-    **  PRLock
-    */
-    
-    /* note from jpierre : this should be free'd in child processes when
-    ** a function is added to delete the SSL session cache in the future. 
-    */
-    locks_to_initialize = cache->numSIDCacheLocks + 2;
-    newLocks = PORT_NewArray(sidCacheLock, locks_to_initialize);
-    if (!newLocks)
-    	goto loser;
-    /* copy the old locks */
-    memcpy(newLocks, cache->sidCacheLocks, 
-           locks_to_initialize * sizeof(sidCacheLock));
-    cache->sidCacheLocks = newLocks;
-    /* fix the locks */		
-    for (; locks_initialized < locks_to_initialize; ++locks_initialized) {
-        /* now, make a local PRLock in this sslMutex for this child process */
-	SECStatus err;
-        err = sslMutex_2LevelInit(&newLocks[locks_initialized].mutex);
-	if (err != SECSuccess) {
-	    cache->numSIDCacheLocksInitialized = locks_initialized;
-	    goto loser;
-    	}
-    }
-    cache->numSIDCacheLocksInitialized = locks_initialized;
-
-    /* also fix the key and cert cache which use the last 2 lock entries */
-    cache->keyCacheLock  = cache->sidCacheLocks + cache->numSIDCacheLocks;
-    cache->certCacheLock = cache->keyCacheLock  + 1;
-#endif
-
-    PORT_Free(myEnvString);
-    PORT_Free(decoString);
-
-    /* mark that we have inherited this. */
-    cache->sharedCache->everInherited = PR_TRUE;
-    isMultiProcess = PR_TRUE;
-
-    return SECSuccess;
-
-loser:
-    PORT_Free(myEnvString);
-    if (decoString) 
-	PORT_Free(decoString);
-    CloseCache(cache);
-    return SECFailure;
-}
-
-SECStatus
-SSL_InheritMPServerSIDCache(const char * envString)
-{
-    return SSL_InheritMPServerSIDCacheInstance(&globalCache, envString);
-}
-
-#if defined(XP_UNIX) || defined(XP_BEOS)
-
-#define SID_LOCK_EXPIRATION_TIMEOUT  30 /* seconds */
-
-static void
-LockPoller(void * arg)
-{
-    cacheDesc *    cache         = (cacheDesc *)arg;
-    cacheDesc *    sharedCache   = cache->sharedCache;
-    sidCacheLock * pLock;
-    const char *   timeoutString;
-    PRIntervalTime timeout;
-    PRUint32       now;
-    PRUint32       then;
-    int            locks_polled  = 0;
-    int            locks_to_poll = cache->numSIDCacheLocks + 2;
-    PRUint32       expiration    = SID_LOCK_EXPIRATION_TIMEOUT;
-
-    timeoutString = getenv("NSS_SSL_SERVER_CACHE_MUTEX_TIMEOUT");
-    if (timeoutString) {
-	long newTime = strtol(timeoutString, 0, 0);
-	if (newTime == 0) 
-	    return;  /* application doesn't want this function */
-	if (newTime > 0)
-	    expiration = (PRUint32)newTime;
-	/* if error (newTime < 0) ignore it and use default */
-    }
-
-    timeout = PR_SecondsToInterval(expiration);
-    while(!sharedCache->stopPolling) {
-    	PR_Sleep(timeout);
-	if (sharedCache->stopPolling)
-	    break;
-
-	now   = ssl_Time();
-	then  = now - expiration;
-	for (pLock = cache->sidCacheLocks, locks_polled = 0;
-	     locks_to_poll > locks_polled && !sharedCache->stopPolling; 
-	     ++locks_polled, ++pLock ) {
-	    pid_t pid;
-
-	    if (pLock->timeStamp   < then && 
-	        pLock->timeStamp   != 0 && 
-		(pid = pLock->pid) != 0) {
-
-	    	/* maybe we should try the lock? */
-		int result = kill(pid, 0);
-		if (result < 0 && errno == ESRCH) {
-		    SECStatus rv;
-		    /* No process exists by that pid any more.
-		    ** Treat this mutex as abandoned.
-		    */
-		    pLock->timeStamp = now;
-		    pLock->pid       = 0;
-		    rv = sslMutex_Unlock(&pLock->mutex);
-		    if (rv != SECSuccess) {
-		    	/* Now what? */
-		    }
-		}
-	    }
-	} /* end of loop over locks */
-    } /* end of entire polling loop */
-}
-
-/* Launch thread to poll cache for expired locks */
-static SECStatus 
-LaunchLockPoller(cacheDesc *cache)
-{
-    PRThread * pollerThread;
-
-    pollerThread = 
-	PR_CreateThread(PR_USER_THREAD, LockPoller, cache, PR_PRIORITY_NORMAL, 
-	                PR_GLOBAL_THREAD, PR_UNJOINABLE_THREAD, 0);
-    if (!pollerThread) {
-    	return SECFailure;
-    }
-    cache->poller = pollerThread;
-    return SECSuccess;
-}
-#endif
-
-/************************************************************************
- *  Code dealing with shared wrapped symmetric wrapping keys below      *
- ************************************************************************/
-
-/* If now is zero, it implies that the lock is not held, and must be 
-** aquired here.  
-*/
-static PRBool
-getSvrWrappingKey(PRInt32                symWrapMechIndex,
-               SSL3KEAType               exchKeyType, 
-               SSLWrappedSymWrappingKey *wswk, 
-	       cacheDesc *               cache,
-	       PRUint32                  lockTime)
-{
-    PRUint32  ndx = (exchKeyType * SSL_NUM_WRAP_MECHS) + symWrapMechIndex;
-    SSLWrappedSymWrappingKey * pwswk = cache->keyCacheData + ndx;
-    PRUint32  now = 0;
-    PRBool    rv  = PR_FALSE;
-
-    if (!cache->cacheMem) { /* cache is uninitialized */
-	PORT_SetError(SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED);
-	return rv;
-    }
-    if (!lockTime) {
-	lockTime = now = LockSidCacheLock(cache->keyCacheLock, now);
-	if (!lockTime) {
-	    return rv;
-	}
-    }
-    if (pwswk->exchKeyType      == exchKeyType && 
-	pwswk->symWrapMechIndex == symWrapMechIndex &&
-	pwswk->wrappedSymKeyLen != 0) {
-	*wswk = *pwswk;
-	rv = PR_TRUE;
-    }
-    if (now) {
-	UnlockSidCacheLock(cache->keyCacheLock);
-    }
-    return rv;
-}
-
-PRBool
-ssl_GetWrappingKey( PRInt32                   symWrapMechIndex,
-                    SSL3KEAType               exchKeyType, 
-		    SSLWrappedSymWrappingKey *wswk)
-{
-    PRBool rv;
-
-    PORT_Assert( (unsigned)exchKeyType < kt_kea_size);
-    PORT_Assert( (unsigned)symWrapMechIndex < SSL_NUM_WRAP_MECHS);
-    if ((unsigned)exchKeyType < kt_kea_size &&
-        (unsigned)symWrapMechIndex < SSL_NUM_WRAP_MECHS) {
-	rv = getSvrWrappingKey(symWrapMechIndex, exchKeyType, wswk, 
-	                       &globalCache, 0);
-    } else {
-    	rv = PR_FALSE;
-    }
-
-    return rv;
-}
-
-/* The caller passes in the new value it wants
- * to set.  This code tests the wrapped sym key entry in the shared memory.
- * If it is uninitialized, this function writes the caller's value into 
- * the disk entry, and returns false.  
- * Otherwise, it overwrites the caller's wswk with the value obtained from 
- * the disk, and returns PR_TRUE.  
- * This is all done while holding the locks/mutexes necessary to make 
- * the operation atomic.
- */
-PRBool
-ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk)
-{
-    cacheDesc *   cache            = &globalCache;
-    PRBool        rv               = PR_FALSE;
-    SSL3KEAType   exchKeyType      = wswk->exchKeyType;   
-                                /* type of keys used to wrap SymWrapKey*/
-    PRInt32       symWrapMechIndex = wswk->symWrapMechIndex;
-    PRUint32      ndx;
-    PRUint32      now = 0;
-    SSLWrappedSymWrappingKey myWswk;
-
-    if (!cache->cacheMem) { /* cache is uninitialized */
-	PORT_SetError(SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED);
-	return 0;
-    }
-
-    PORT_Assert( (unsigned)exchKeyType < kt_kea_size);
-    if ((unsigned)exchKeyType >= kt_kea_size)
-    	return 0;
-
-    PORT_Assert( (unsigned)symWrapMechIndex < SSL_NUM_WRAP_MECHS);
-    if ((unsigned)symWrapMechIndex >=  SSL_NUM_WRAP_MECHS)
-    	return 0;
-
-    ndx = (exchKeyType * SSL_NUM_WRAP_MECHS) + symWrapMechIndex;
-    PORT_Memset(&myWswk, 0, sizeof myWswk);	/* eliminate UMRs. */
-
-    now = LockSidCacheLock(cache->keyCacheLock, now);
-    if (now) {
-	rv = getSvrWrappingKey(wswk->symWrapMechIndex, wswk->exchKeyType, 
-	                       &myWswk, cache, now);
-	if (rv) {
-	    /* we found it on disk, copy it out to the caller. */
-	    PORT_Memcpy(wswk, &myWswk, sizeof *wswk);
-	} else {
-	    /* Wasn't on disk, and we're still holding the lock, so write it. */
-	    cache->keyCacheData[ndx] = *wswk;
-	}
-	UnlockSidCacheLock(cache->keyCacheLock);
-    }
-    return rv;
-}
-
-#else  /* MAC version or other platform */
-
-#include "seccomon.h"
-#include "cert.h"
-#include "ssl.h"
-#include "sslimpl.h"
-
-SECStatus
-SSL_ConfigServerSessionIDCache(	int      maxCacheEntries, 
-				PRUint32 ssl2_timeout,
-			       	PRUint32 ssl3_timeout, 
-			  const char *   directory)
-{
-    PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_ConfigServerSessionIDCache)");    
-    return SECFailure;
-}
-
-SECStatus
-SSL_ConfigMPServerSIDCache(	int      maxCacheEntries, 
-				PRUint32 ssl2_timeout,
-			       	PRUint32 ssl3_timeout, 
-		          const char *   directory)
-{
-    PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_ConfigMPServerSIDCache)");    
-    return SECFailure;
-}
-
-SECStatus
-SSL_InheritMPServerSIDCache(const char * envString)
-{
-    PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_InheritMPServerSIDCache)");    
-    return SECFailure;
-}
-
-PRBool
-ssl_GetWrappingKey( PRInt32                   symWrapMechIndex,
-                    SSL3KEAType               exchKeyType, 
-		    SSLWrappedSymWrappingKey *wswk)
-{
-    PRBool rv = PR_FALSE;
-    PR_ASSERT(!"SSL servers are not supported on this platform. (ssl_GetWrappingKey)");    
-    return rv;
-}
-
-/* This is a kind of test-and-set.  The caller passes in the new value it wants
- * to set.  This code tests the wrapped sym key entry in the shared memory.
- * If it is uninitialized, this function writes the caller's value into 
- * the disk entry, and returns false.  
- * Otherwise, it overwrites the caller's wswk with the value obtained from 
- * the disk, and returns PR_TRUE.  
- * This is all done while holding the locks/mutexes necessary to make 
- * the operation atomic.
- */
-PRBool
-ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk)
-{
-    PRBool        rv = PR_FALSE;
-    PR_ASSERT(!"SSL servers are not supported on this platform. (ssl_SetWrappingKey)");
-    return rv;
-}
-
-PRUint32  
-SSL_GetMaxServerCacheLocks(void)
-{
-    PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_GetMaxServerCacheLocks)");
-    return -1;
-}
-
-SECStatus 
-SSL_SetMaxServerCacheLocks(PRUint32 maxLocks)
-{
-    PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_SetMaxServerCacheLocks)");
-    return SECFailure;
-}
-
-#endif /* XP_UNIX || XP_WIN32 */
diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c
deleted file mode 100644
index f3ea1ca75..000000000
--- a/security/nss/lib/ssl/sslsock.c
+++ /dev/null
@@ -1,2073 +0,0 @@
-/*
- * vtables (and methods that call through them) for the 4 types of 
- * SSLSockets supported.  Only one type is still supported.
- * Various other functions.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Stephen Henson <stephen.henson@gemplus.com>
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-#include "seccomon.h"
-#include "cert.h"
-#include "keyhi.h"
-#include "ssl.h"
-#include "sslimpl.h"
-#include "sslproto.h"
-#include "nspr.h"
-
-#define SET_ERROR_CODE   /* reminder */
-
-struct cipherPolicyStr {
-	int		cipher;
-	unsigned char 	export;	/* policy value for export policy */
-	unsigned char 	france;	/* policy value for france policy */
-};
-
-typedef struct cipherPolicyStr cipherPolicy;
-
-/* This table contains two preconfigured policies: Export and France.
-** It is used only by the functions SSL_SetDomesticPolicy, 
-** SSL_SetExportPolicy, and SSL_SetFrancyPolicy.
-** Order of entries is not important.
-*/
-static cipherPolicy ssl_ciphers[] = {	   /*   Export           France   */
- {  SSL_EN_RC4_128_WITH_MD5,		    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  SSL_EN_RC4_128_EXPORT40_WITH_MD5,	    SSL_ALLOWED,     SSL_ALLOWED },
- {  SSL_EN_RC2_128_CBC_WITH_MD5,	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5,   SSL_ALLOWED,     SSL_ALLOWED },
- {  SSL_EN_DES_64_CBC_WITH_MD5,		    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  SSL_EN_DES_192_EDE3_CBC_WITH_MD5,	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  SSL_RSA_WITH_RC4_128_MD5,		    SSL_RESTRICTED,  SSL_NOT_ALLOWED },
- {  SSL_RSA_WITH_RC4_128_SHA,		    SSL_RESTRICTED,  SSL_NOT_ALLOWED },
- {  SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  SSL_RSA_WITH_3DES_EDE_CBC_SHA,	    SSL_RESTRICTED,  SSL_NOT_ALLOWED },
- {  SSL_RSA_FIPS_WITH_DES_CBC_SHA,	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  SSL_RSA_WITH_DES_CBC_SHA,		    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  SSL_RSA_EXPORT_WITH_RC4_40_MD5,	    SSL_ALLOWED,     SSL_ALLOWED },
- {  SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,	    SSL_ALLOWED,     SSL_ALLOWED },
- {  SSL_DHE_RSA_WITH_DES_CBC_SHA,           SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  SSL_DHE_DSS_WITH_DES_CBC_SHA,           SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,      SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_DHE_DSS_WITH_RC4_128_SHA,           SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  SSL_RSA_WITH_NULL_SHA,		    SSL_ALLOWED,     SSL_ALLOWED },
- {  SSL_RSA_WITH_NULL_MD5,		    SSL_ALLOWED,     SSL_ALLOWED },
- {  TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_DHE_RSA_WITH_AES_128_CBC_SHA,       SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_RSA_WITH_AES_128_CBC_SHA,     	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_DHE_RSA_WITH_AES_256_CBC_SHA,       SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_RSA_WITH_AES_256_CBC_SHA,     	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,    SSL_ALLOWED,     SSL_NOT_ALLOWED },
- {  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,     SSL_ALLOWED,     SSL_NOT_ALLOWED },
-#ifdef NSS_ENABLE_ECC
- {  TLS_ECDH_ECDSA_WITH_NULL_SHA,           SSL_ALLOWED,     SSL_ALLOWED },
- {  TLS_ECDH_ECDSA_WITH_RC4_128_SHA,        SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_ECDH_ECDSA_WITH_DES_CBC_SHA,        SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_ECDH_RSA_WITH_NULL_SHA,             SSL_ALLOWED,     SSL_ALLOWED },
- {  TLS_ECDH_RSA_WITH_RC4_128_SHA,          SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_ECDH_RSA_WITH_DES_CBC_SHA,          SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,      SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,      SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,   SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
- {  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,     SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
-#endif /* NSS_ENABLE_ECC */
- {  0,					    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }
-};
-
-static const sslSocketOps ssl_default_ops = {	/* No SSL. */
-    ssl_DefConnect,
-    NULL,
-    ssl_DefBind,
-    ssl_DefListen,
-    ssl_DefShutdown,
-    ssl_DefClose,
-    ssl_DefRecv,
-    ssl_DefSend,
-    ssl_DefRead,
-    ssl_DefWrite,
-    ssl_DefGetpeername,
-    ssl_DefGetsockname
-};
-
-static const sslSocketOps ssl_secure_ops = {	/* SSL. */
-    ssl_SecureConnect,
-    NULL,
-    ssl_DefBind,
-    ssl_DefListen,
-    ssl_SecureShutdown,
-    ssl_SecureClose,
-    ssl_SecureRecv,
-    ssl_SecureSend,
-    ssl_SecureRead,
-    ssl_SecureWrite,
-    ssl_DefGetpeername,
-    ssl_DefGetsockname
-};
-
-/*
-** default settings for socket enables
-*/
-static sslOptions ssl_defaults = {
-    PR_TRUE, 	/* useSecurity        */
-    PR_FALSE,	/* useSocks           */
-    PR_FALSE,	/* requestCertificate */
-    2,	        /* requireCertificate */
-    PR_FALSE,	/* handshakeAsClient  */
-    PR_FALSE,	/* handshakeAsServer  */
-    PR_TRUE,	/* enableSSL2         */
-    PR_TRUE,	/* enableSSL3         */
-    PR_TRUE, 	/* enableTLS          */ /* now defaults to on in NSS 3.0 */
-    PR_FALSE,	/* noCache            */
-    PR_FALSE,	/* fdx                */
-    PR_TRUE,	/* v2CompatibleHello  */
-    PR_TRUE,	/* detectRollBack     */
-    PR_FALSE,   /* noStepDown         */
-    PR_FALSE,   /* bypassPKCS11       */
-    PR_FALSE,   /* noLocks            */
-};
-
-sslSessionIDLookupFunc  ssl_sid_lookup;
-sslSessionIDCacheFunc   ssl_sid_cache;
-sslSessionIDUncacheFunc ssl_sid_uncache;
-
-static PRBool ssl_inited = PR_FALSE;
-static PRDescIdentity ssl_layer_id;
-
-PRBool                  locksEverDisabled; 	/* implicitly PR_FALSE */
-PRBool			ssl_force_locks;  	/* implicitly PR_FALSE */
-int                     ssl_lock_readers	= 1;	/* default true. */
-char                    ssl_debug;
-char                    ssl_trace;
-char lockStatus[] = "Locks are ENABLED.  ";
-#define LOCKSTATUS_OFFSET 10 /* offset of ENABLED */
-
-/* forward declarations. */
-static sslSocket *ssl_NewSocket(PRBool makeLocks);
-static SECStatus  ssl_MakeLocks(sslSocket *ss);
-static PRStatus   ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, 
-                                  PRDescIdentity id);
-
-/************************************************************************/
-
-/*
-** Lookup a socket structure from a file descriptor.
-** Only functions called through the PRIOMethods table should use this.
-** Other app-callable functions should use ssl_FindSocket.
-*/
-static sslSocket *
-ssl_GetPrivate(PRFileDesc *fd)
-{
-    sslSocket *ss;
-
-    PORT_Assert(fd != NULL);
-    PORT_Assert(fd->methods->file_type == PR_DESC_LAYERED);
-    PORT_Assert(fd->identity == ssl_layer_id);
-
-    ss = (sslSocket *)fd->secret;
-    ss->fd = fd;
-    return ss;
-}
-
-sslSocket *
-ssl_FindSocket(PRFileDesc *fd)
-{
-    PRFileDesc *layer;
-    sslSocket *ss;
-
-    PORT_Assert(fd != NULL);
-    PORT_Assert(ssl_layer_id != 0);
-
-    layer = PR_GetIdentitiesLayer(fd, ssl_layer_id);
-    if (layer == NULL) {
-	PORT_SetError(PR_BAD_DESCRIPTOR_ERROR);
-	return NULL;
-    }
-
-    ss = (sslSocket *)layer->secret;
-    ss->fd = layer;
-    return ss;
-}
-
-sslSocket *
-ssl_DupSocket(sslSocket *os)
-{
-    sslSocket *ss;
-    SECStatus rv;
-
-    ss = ssl_NewSocket((PRBool)(!os->opt.noLocks));
-    if (ss) {
-	ss->opt                = os->opt;
-	ss->opt.useSocks       = PR_FALSE;
-
-	ss->peerID             = !os->peerID ? NULL : PORT_Strdup(os->peerID);
-	ss->url                = !os->url    ? NULL : PORT_Strdup(os->url);
-
-	ss->ops      = os->ops;
-	ss->rTimeout = os->rTimeout;
-	ss->wTimeout = os->wTimeout;
-	ss->cTimeout = os->cTimeout;
-	ss->dbHandle = os->dbHandle;
-
-	/* copy ssl2&3 policy & prefs, even if it's not selected (yet) */
-	ss->allowedByPolicy	= os->allowedByPolicy;
-	ss->maybeAllowedByPolicy= os->maybeAllowedByPolicy;
-	ss->chosenPreference 	= os->chosenPreference;
-	PORT_Memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites);
-
-	if (os->cipherSpecs) {
-	    ss->cipherSpecs  = (unsigned char*)PORT_Alloc(os->sizeCipherSpecs);
-	    if (ss->cipherSpecs) 
-	    	PORT_Memcpy(ss->cipherSpecs, os->cipherSpecs, 
-		            os->sizeCipherSpecs);
-	    ss->sizeCipherSpecs    = os->sizeCipherSpecs;
-	    ss->preferredCipher    = os->preferredCipher;
-	} else {
-	    ss->cipherSpecs        = NULL;  /* produced lazily */
-	    ss->sizeCipherSpecs    = 0;
-	    ss->preferredCipher    = NULL;
-	}
-	if (ss->opt.useSecurity) {
-	    /* This int should be SSLKEAType, but CC on Irix complains,
-	     * during the for loop.
-	     */
-	    int i;
-	    sslServerCerts * oc = os->serverCerts;
-	    sslServerCerts * sc = ss->serverCerts;
-
-	    for (i=kt_null; i < kt_kea_size; i++, oc++, sc++) {
-		if (oc->serverCert && oc->serverCertChain) {
-		    sc->serverCert      = CERT_DupCertificate(oc->serverCert);
-		    sc->serverCertChain = CERT_DupCertList(oc->serverCertChain);
-		    if (!sc->serverCertChain) 
-		    	goto loser;
-		} else {
-		    sc->serverCert      = NULL;
-		    sc->serverCertChain = NULL;
-		}
-		sc->serverKeyPair = oc->serverKeyPair ?
-				ssl3_GetKeyPairRef(oc->serverKeyPair) : NULL;
-		if (oc->serverKeyPair && !sc->serverKeyPair)
-		    goto loser;
-	        sc->serverKeyBits = oc->serverKeyBits;
-	    }
-	    ss->stepDownKeyPair = !os->stepDownKeyPair ? NULL :
-		                  ssl3_GetKeyPairRef(os->stepDownKeyPair);
-/*
- * XXX the preceeding CERT_ and SECKEY_ functions can fail and return NULL.
- * XXX We should detect this, and not just march on with NULL pointers.
- */
-	    ss->authCertificate       = os->authCertificate;
-	    ss->authCertificateArg    = os->authCertificateArg;
-	    ss->getClientAuthData     = os->getClientAuthData;
-	    ss->getClientAuthDataArg  = os->getClientAuthDataArg;
-	    ss->handleBadCert         = os->handleBadCert;
-	    ss->badCertArg            = os->badCertArg;
-	    ss->handshakeCallback     = os->handshakeCallback;
-	    ss->handshakeCallbackData = os->handshakeCallbackData;
-	    ss->pkcs11PinArg          = os->pkcs11PinArg;
-    
-	    /* Create security data */
-	    rv = ssl_CopySecurityInfo(ss, os);
-	    if (rv != SECSuccess) {
-		goto loser;
-	    }
-	}
-    }
-    return ss;
-
-loser:
-    ssl_FreeSocket(ss);
-    return NULL;
-}
-
-static void
-ssl_DestroyLocks(sslSocket *ss)
-{
-    /* Destroy locks. */
-    if (ss->firstHandshakeLock) {
-    	PZ_DestroyMonitor(ss->firstHandshakeLock);
-	ss->firstHandshakeLock = NULL;
-    }
-    if (ss->ssl3HandshakeLock) {
-    	PZ_DestroyMonitor(ss->ssl3HandshakeLock);
-	ss->ssl3HandshakeLock = NULL;
-    }
-    if (ss->specLock) {
-    	NSSRWLock_Destroy(ss->specLock);
-	ss->specLock = NULL;
-    }
-
-    if (ss->recvLock) {
-    	PZ_DestroyLock(ss->recvLock);
-	ss->recvLock = NULL;
-    }
-    if (ss->sendLock) {
-    	PZ_DestroyLock(ss->sendLock);
-	ss->sendLock = NULL;
-    }
-    if (ss->xmitBufLock) {
-    	PZ_DestroyMonitor(ss->xmitBufLock);
-	ss->xmitBufLock = NULL;
-    }
-    if (ss->recvBufLock) {
-    	PZ_DestroyMonitor(ss->recvBufLock);
-	ss->recvBufLock = NULL;
-    }
-}
-
-/* Caller holds any relevant locks */
-static void
-ssl_DestroySocketContents(sslSocket *ss)
-{
-    /* "i" should be of type SSLKEAType, but CC on IRIX complains during
-     * the for loop.
-     */
-    int        i;
-
-    /* Free up socket */
-    ssl_DestroySecurityInfo(&ss->sec);
-
-    ssl3_DestroySSL3Info(ss);
-
-    PORT_Free(ss->saveBuf.buf);
-    PORT_Free(ss->pendingBuf.buf);
-    ssl_DestroyGather(&ss->gs);
-
-    if (ss->peerID != NULL)
-	PORT_Free(ss->peerID);
-    if (ss->url != NULL)
-	PORT_Free((void *)ss->url);	/* CONST */
-    if (ss->cipherSpecs) {
-	PORT_Free(ss->cipherSpecs);
-	ss->cipherSpecs     = NULL;
-	ss->sizeCipherSpecs = 0;
-    }
-
-    /* Clean up server configuration */
-    for (i=kt_null; i < kt_kea_size; i++) {
-	sslServerCerts * sc = ss->serverCerts + i;
-	if (sc->serverCert != NULL)
-	    CERT_DestroyCertificate(sc->serverCert);
-	if (sc->serverCertChain != NULL)
-	    CERT_DestroyCertificateList(sc->serverCertChain);
-	if (sc->serverKeyPair != NULL)
-	    ssl3_FreeKeyPair(sc->serverKeyPair);
-    }
-    if (ss->stepDownKeyPair) {
-	ssl3_FreeKeyPair(ss->stepDownKeyPair);
-	ss->stepDownKeyPair = NULL;
-    }
-}
-
-/*
- * free an sslSocket struct, and all the stuff that hangs off of it
- */
-void
-ssl_FreeSocket(sslSocket *ss)
-{
-#ifdef DEBUG
-    sslSocket *fs;
-    sslSocket  lSock;
-#endif
-
-/* Get every lock you can imagine!
-** Caller already holds these:
-**  SSL_LOCK_READER(ss);
-**  SSL_LOCK_WRITER(ss);
-*/
-    ssl_Get1stHandshakeLock(ss);
-    ssl_GetRecvBufLock(ss);
-    ssl_GetSSL3HandshakeLock(ss);
-    ssl_GetXmitBufLock(ss);
-    ssl_GetSpecWriteLock(ss);
-
-#ifdef DEBUG
-    fs = &lSock;
-    *fs = *ss;				/* Copy the old socket structure, */
-    PORT_Memset(ss, 0x1f, sizeof *ss);  /* then blast the old struct ASAP. */
-#else
-#define fs ss
-#endif
-
-    ssl_DestroySocketContents(fs);
-
-    /* Release all the locks acquired above.  */
-    SSL_UNLOCK_READER(fs);
-    SSL_UNLOCK_WRITER(fs);
-    ssl_Release1stHandshakeLock(fs);
-    ssl_ReleaseRecvBufLock(fs);
-    ssl_ReleaseSSL3HandshakeLock(fs);
-    ssl_ReleaseXmitBufLock(fs);
-    ssl_ReleaseSpecWriteLock(fs);
-
-    ssl_DestroyLocks(fs);
-
-    PORT_Free(ss);	/* free the caller's copy, not ours. */
-    return;
-}
-#undef fs
-
-/************************************************************************/
-SECStatus 
-ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled)
-{
-    PRFileDesc *       osfd = ss->fd->lower;
-    SECStatus         rv = SECFailure;
-    PRSocketOptionData opt;
-
-    opt.option         = PR_SockOpt_NoDelay;
-    opt.value.no_delay = (PRBool)!enabled;
-
-    if (osfd->methods->setsocketoption) {
-        rv = (SECStatus) osfd->methods->setsocketoption(osfd, &opt);
-    } else {
-        PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
-    }
-
-    return rv;
-}
-
-static void
-ssl_ChooseOps(sslSocket *ss)
-{
-    ss->ops = ss->opt.useSecurity ? &ssl_secure_ops : &ssl_default_ops;
-}
-
-/* Called from SSL_Enable (immediately below) */
-static SECStatus
-PrepareSocket(sslSocket *ss)
-{
-    SECStatus     rv = SECSuccess;
-
-    ssl_ChooseOps(ss);
-    return rv;
-}
-
-SECStatus
-SSL_Enable(PRFileDesc *fd, int which, PRBool on)
-{
-    return SSL_OptionSet(fd, which, on);
-}
-
-SECStatus
-SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on)
-{
-    sslSocket *ss = ssl_FindSocket(fd);
-    SECStatus  rv = SECSuccess;
-    PRBool     holdingLocks;
-
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd));
-	return SECFailure;
-    }
-
-    holdingLocks = (!ss->opt.noLocks);
-    ssl_Get1stHandshakeLock(ss);
-    ssl_GetSSL3HandshakeLock(ss);
-
-    switch (which) {
-      case SSL_SOCKS:
-	ss->opt.useSocks = PR_FALSE;
-	rv = PrepareSocket(ss);
-	if (on) {
-	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	    rv = SECFailure;
-	}
-	break;
-
-      case SSL_SECURITY:
-	ss->opt.useSecurity = on;
-	rv = PrepareSocket(ss);
-	break;
-
-      case SSL_REQUEST_CERTIFICATE:
-	ss->opt.requestCertificate = on;
-	break;
-
-      case SSL_REQUIRE_CERTIFICATE:
-	ss->opt.requireCertificate = on;
-	break;
-
-      case SSL_HANDSHAKE_AS_CLIENT:
-	if ( ss->opt.handshakeAsServer && on ) {
-	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	    rv = SECFailure;
-	    break;
-	}
-	ss->opt.handshakeAsClient = on;
-	break;
-
-      case SSL_HANDSHAKE_AS_SERVER:
-	if ( ss->opt.handshakeAsClient && on ) {
-	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	    rv = SECFailure;
-	    break;
-	}
-	ss->opt.handshakeAsServer = on;
-	break;
-
-      case SSL_ENABLE_TLS:
-	ss->opt.enableTLS       = on;
-	ss->preferredCipher     = NULL;
-	if (ss->cipherSpecs) {
-	    PORT_Free(ss->cipherSpecs);
-	    ss->cipherSpecs     = NULL;
-	    ss->sizeCipherSpecs = 0;
-	}
-	break;
-
-      case SSL_ENABLE_SSL3:
-	ss->opt.enableSSL3      = on;
-	ss->preferredCipher     = NULL;
-	if (ss->cipherSpecs) {
-	    PORT_Free(ss->cipherSpecs);
-	    ss->cipherSpecs     = NULL;
-	    ss->sizeCipherSpecs = 0;
-	}
-	break;
-
-      case SSL_ENABLE_SSL2:
-	ss->opt.enableSSL2       = on;
-	if (on) {
-	    ss->opt.v2CompatibleHello = on;
-	}
-	ss->preferredCipher     = NULL;
-	if (ss->cipherSpecs) {
-	    PORT_Free(ss->cipherSpecs);
-	    ss->cipherSpecs     = NULL;
-	    ss->sizeCipherSpecs = 0;
-	}
-	break;
-
-      case SSL_NO_CACHE:
-	ss->opt.noCache = on;
-	break;
-
-      case SSL_ENABLE_FDX:
-	if (on && ss->opt.noLocks) {
-	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	    rv = SECFailure;
-	}
-      	ss->opt.fdx = on;
-	break;
-
-      case SSL_V2_COMPATIBLE_HELLO:
-      	ss->opt.v2CompatibleHello = on;
-	if (!on) {
-	    ss->opt.enableSSL2    = on;
-	}
-	break;
-
-      case SSL_ROLLBACK_DETECTION:  
-	ss->opt.detectRollBack = on;
-        break;
-
-      case SSL_NO_STEP_DOWN:        
-	ss->opt.noStepDown     = on;         
-	if (on) 
-	    SSL_DisableExportCipherSuites(fd);
-	break;
-
-      case SSL_BYPASS_PKCS11:
-	if (ss->handshakeBegun) {
-	    PORT_SetError(PR_INVALID_STATE_ERROR);
-	    rv = SECFailure;
-	} else {
-	    ss->opt.bypassPKCS11   = on;
-	}
-	break;
-
-      case SSL_NO_LOCKS:
-	if (on && ss->opt.fdx) {
-	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	    rv = SECFailure;
-	}
-	if (on && ssl_force_locks) 
-	    on = PR_FALSE;	/* silent override */
-	ss->opt.noLocks   = on;
-	if (on) {
-	    locksEverDisabled = PR_TRUE;
-	    strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED.");
-	} else if (!holdingLocks) {
-	    rv = ssl_MakeLocks(ss);
-	    if (rv != SECSuccess) {
-		ss->opt.noLocks   = PR_TRUE;
-	    }
-	}
-	break;
-
-      default:
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	rv = SECFailure;
-    }
-
-    /* We can't use the macros for releasing the locks here,
-     * because ss->opt.noLocks might have changed just above.
-     * We must release these locks (monitors) here, if we aquired them above,
-     * regardless of the current value of ss->opt.noLocks.
-     */
-    if (holdingLocks) {
-	PZ_ExitMonitor((ss)->ssl3HandshakeLock);
-	PZ_ExitMonitor((ss)->firstHandshakeLock);
-    }
-
-    return rv;
-}
-
-SECStatus
-SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn)
-{
-    sslSocket *ss = ssl_FindSocket(fd);
-    SECStatus  rv = SECSuccess;
-    PRBool     on = PR_FALSE;
-
-    if (!pOn) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd));
-	*pOn = PR_FALSE;
-	return SECFailure;
-    }
-
-    ssl_Get1stHandshakeLock(ss);
-    ssl_GetSSL3HandshakeLock(ss);
-
-    switch (which) {
-    case SSL_SOCKS:               on = PR_FALSE;               break;
-    case SSL_SECURITY:            on = ss->opt.useSecurity;        break;
-    case SSL_REQUEST_CERTIFICATE: on = ss->opt.requestCertificate; break;
-    case SSL_REQUIRE_CERTIFICATE: on = ss->opt.requireCertificate; break;
-    case SSL_HANDSHAKE_AS_CLIENT: on = ss->opt.handshakeAsClient;  break;
-    case SSL_HANDSHAKE_AS_SERVER: on = ss->opt.handshakeAsServer;  break;
-    case SSL_ENABLE_TLS:          on = ss->opt.enableTLS;          break;
-    case SSL_ENABLE_SSL3:         on = ss->opt.enableSSL3;         break;
-    case SSL_ENABLE_SSL2:         on = ss->opt.enableSSL2;         break;
-    case SSL_NO_CACHE:            on = ss->opt.noCache;            break;
-    case SSL_ENABLE_FDX:          on = ss->opt.fdx;                break;
-    case SSL_V2_COMPATIBLE_HELLO: on = ss->opt.v2CompatibleHello;  break;
-    case SSL_ROLLBACK_DETECTION:  on = ss->opt.detectRollBack;     break;
-    case SSL_NO_STEP_DOWN:        on = ss->opt.noStepDown;         break;
-    case SSL_BYPASS_PKCS11:       on = ss->opt.bypassPKCS11;       break;
-    case SSL_NO_LOCKS:            on = ss->opt.noLocks;            break;
-
-    default:
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	rv = SECFailure;
-    }
-
-    ssl_ReleaseSSL3HandshakeLock(ss);
-    ssl_Release1stHandshakeLock(ss);
-
-    *pOn = on;
-    return rv;
-}
-
-SECStatus
-SSL_OptionGetDefault(PRInt32 which, PRBool *pOn)
-{
-    SECStatus  rv = SECSuccess;
-    PRBool     on = PR_FALSE;
-
-    if (!pOn) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    switch (which) {
-    case SSL_SOCKS:               on = PR_FALSE;                        break;
-    case SSL_SECURITY:            on = ssl_defaults.useSecurity;        break;
-    case SSL_REQUEST_CERTIFICATE: on = ssl_defaults.requestCertificate; break;
-    case SSL_REQUIRE_CERTIFICATE: on = ssl_defaults.requireCertificate; break;
-    case SSL_HANDSHAKE_AS_CLIENT: on = ssl_defaults.handshakeAsClient;  break;
-    case SSL_HANDSHAKE_AS_SERVER: on = ssl_defaults.handshakeAsServer;  break;
-    case SSL_ENABLE_TLS:          on = ssl_defaults.enableTLS;          break;
-    case SSL_ENABLE_SSL3:         on = ssl_defaults.enableSSL3;         break;
-    case SSL_ENABLE_SSL2:         on = ssl_defaults.enableSSL2;         break;
-    case SSL_NO_CACHE:            on = ssl_defaults.noCache;		break;
-    case SSL_ENABLE_FDX:          on = ssl_defaults.fdx;                break;
-    case SSL_V2_COMPATIBLE_HELLO: on = ssl_defaults.v2CompatibleHello;  break;
-    case SSL_ROLLBACK_DETECTION:  on = ssl_defaults.detectRollBack;     break;
-    case SSL_NO_STEP_DOWN:        on = ssl_defaults.noStepDown;         break;
-    case SSL_BYPASS_PKCS11:       on = ssl_defaults.bypassPKCS11;       break;
-    case SSL_NO_LOCKS:            on = ssl_defaults.noLocks;            break;
-
-    default:
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	rv = SECFailure;
-    }
-
-    *pOn = on;
-    return rv;
-}
-
-/* XXX Use Global Lock to protect this stuff. */
-SECStatus
-SSL_EnableDefault(int which, PRBool on)
-{
-    return SSL_OptionSetDefault(which, on);
-}
-
-SECStatus
-SSL_OptionSetDefault(PRInt32 which, PRBool on)
-{
-    switch (which) {
-      case SSL_SOCKS:
-	ssl_defaults.useSocks = PR_FALSE;
-	if (on) {
-	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	    return SECFailure;
-	}
-	break;
-
-      case SSL_SECURITY:
-	ssl_defaults.useSecurity = on;
-	break;
-
-      case SSL_REQUEST_CERTIFICATE:
-	ssl_defaults.requestCertificate = on;
-	break;
-
-      case SSL_REQUIRE_CERTIFICATE:
-	ssl_defaults.requireCertificate = on;
-	break;
-
-      case SSL_HANDSHAKE_AS_CLIENT:
-	if ( ssl_defaults.handshakeAsServer && on ) {
-	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	    return SECFailure;
-	}
-	ssl_defaults.handshakeAsClient = on;
-	break;
-
-      case SSL_HANDSHAKE_AS_SERVER:
-	if ( ssl_defaults.handshakeAsClient && on ) {
-	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	    return SECFailure;
-	}
-	ssl_defaults.handshakeAsServer = on;
-	break;
-
-      case SSL_ENABLE_TLS:
-	ssl_defaults.enableTLS = on;
-	break;
-
-      case SSL_ENABLE_SSL3:
-	ssl_defaults.enableSSL3 = on;
-	break;
-
-      case SSL_ENABLE_SSL2:
-	ssl_defaults.enableSSL2 = on;
-	if (on) {
-	    ssl_defaults.v2CompatibleHello = on;
-	}
-	break;
-
-      case SSL_NO_CACHE:
-	ssl_defaults.noCache = on;
-	break;
-
-      case SSL_ENABLE_FDX:
-	if (on && ssl_defaults.noLocks) {
-	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	    return SECFailure;
-	}
-      	ssl_defaults.fdx = on;
-	break;
-
-      case SSL_V2_COMPATIBLE_HELLO:
-      	ssl_defaults.v2CompatibleHello = on;
-	if (!on) {
-	    ssl_defaults.enableSSL2    = on;
-	}
-	break;
-
-      case SSL_ROLLBACK_DETECTION:  
-	ssl_defaults.detectRollBack = on;
-	break;
-
-      case SSL_NO_STEP_DOWN:        
-	ssl_defaults.noStepDown     = on;         
-	if (on)
-	    SSL_DisableDefaultExportCipherSuites();
-	break;
-
-      case SSL_BYPASS_PKCS11:
-	ssl_defaults.bypassPKCS11   = on;
-	break;
-
-      case SSL_NO_LOCKS:
-	if (on && ssl_defaults.fdx) {
-	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	    return SECFailure;
-	}
-	if (on && ssl_force_locks) 
-	    on = PR_FALSE;		/* silent override */
-	ssl_defaults.noLocks        = on;
-	if (on) {
-	    locksEverDisabled = PR_TRUE;
-	    strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED.");
-	}
-	break;
-
-      default:
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-/* Part of the public NSS API.
- * Since this is a global (not per-socket) setting, we cannot use the
- * HandshakeLock to protect this.  Probably want a global lock.
- */
-SECStatus
-SSL_SetPolicy(long which, int policy)
-{
-    if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) {
-    	/* one of the two old FIPS ciphers */
-	if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) 
-	    which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA;
-	else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA)
-	    which = SSL_RSA_FIPS_WITH_DES_CBC_SHA;
-    }
-    return SSL_CipherPolicySet(which, policy);
-}
-
-SECStatus
-SSL_CipherPolicySet(PRInt32 which, PRInt32 policy)
-{
-    SECStatus rv;
-
-    if (SSL_IS_SSL2_CIPHER(which)) {
-	rv = ssl2_SetPolicy(which, policy);
-    } else {
-	rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
-    }
-    return rv;
-}
-
-SECStatus
-SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy)
-{
-    SECStatus rv;
-
-    if (!oPolicy) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    if (SSL_IS_SSL2_CIPHER(which)) {
-	rv = ssl2_GetPolicy(which, oPolicy);
-    } else {
-	rv = ssl3_GetPolicy((ssl3CipherSuite)which, oPolicy);
-    }
-    return rv;
-}
-
-/* Part of the public NSS API.
- * Since this is a global (not per-socket) setting, we cannot use the
- * HandshakeLock to protect this.  Probably want a global lock.
- * These changes have no effect on any sslSockets already created. 
- */
-SECStatus
-SSL_EnableCipher(long which, PRBool enabled)
-{
-    if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) {
-    	/* one of the two old FIPS ciphers */
-	if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) 
-	    which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA;
-	else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA)
-	    which = SSL_RSA_FIPS_WITH_DES_CBC_SHA;
-    }
-    return SSL_CipherPrefSetDefault(which, enabled);
-}
-
-SECStatus
-SSL_CipherPrefSetDefault(PRInt32 which, PRBool enabled)
-{
-    SECStatus rv;
-    
-    if (enabled && ssl_defaults.noStepDown && SSL_IsExportCipherSuite(which)) {
-    	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-	return SECFailure;
-    }
-    if (SSL_IS_SSL2_CIPHER(which)) {
-	rv = ssl2_CipherPrefSetDefault(which, enabled);
-    } else {
-	rv = ssl3_CipherPrefSetDefault((ssl3CipherSuite)which, enabled);
-    }
-    return rv;
-}
-
-SECStatus 
-SSL_CipherPrefGetDefault(PRInt32 which, PRBool *enabled)
-{
-    SECStatus  rv;
-    
-    if (!enabled) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    if (SSL_IS_SSL2_CIPHER(which)) {
-	rv = ssl2_CipherPrefGetDefault(which, enabled);
-    } else {
-	rv = ssl3_CipherPrefGetDefault((ssl3CipherSuite)which, enabled);
-    }
-    return rv;
-}
-
-SECStatus
-SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 which, PRBool enabled)
-{
-    SECStatus rv;
-    sslSocket *ss = ssl_FindSocket(fd);
-    
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefSet", SSL_GETPID(), fd));
-	return SECFailure;
-    }
-    if (enabled && ss->opt.noStepDown && SSL_IsExportCipherSuite(which)) {
-    	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-	return SECFailure;
-    }
-    if (SSL_IS_SSL2_CIPHER(which)) {
-	rv = ssl2_CipherPrefSet(ss, which, enabled);
-    } else {
-	rv = ssl3_CipherPrefSet(ss, (ssl3CipherSuite)which, enabled);
-    }
-    return rv;
-}
-
-SECStatus 
-SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled)
-{
-    SECStatus  rv;
-    sslSocket *ss = ssl_FindSocket(fd);
-    
-    if (!enabled) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefGet", SSL_GETPID(), fd));
-	*enabled = PR_FALSE;
-	return SECFailure;
-    }
-    if (SSL_IS_SSL2_CIPHER(which)) {
-	rv = ssl2_CipherPrefGet(ss, which, enabled);
-    } else {
-	rv = ssl3_CipherPrefGet(ss, (ssl3CipherSuite)which, enabled);
-    }
-    return rv;
-}
-
-SECStatus
-NSS_SetDomesticPolicy(void)
-{
-#ifndef EXPORT_VERSION
-    SECStatus      status = SECSuccess;
-    cipherPolicy * policy;
-
-    for (policy = ssl_ciphers; policy->cipher != 0; ++policy) {
-	status = SSL_SetPolicy(policy->cipher, SSL_ALLOWED);
-	if (status != SECSuccess)
-	    break;
-    }
-    return status;
-#else
-    return NSS_SetExportPolicy();
-#endif
-}
-
-SECStatus
-NSS_SetExportPolicy(void)
-{
-    SECStatus      status = SECSuccess;
-    cipherPolicy * policy;
-
-    for (policy = ssl_ciphers; policy->cipher != 0; ++policy) {
-	status = SSL_SetPolicy(policy->cipher, policy->export);
-	if (status != SECSuccess)
-	    break;
-    }
-    return status;
-}
-
-SECStatus
-NSS_SetFrancePolicy(void)
-{
-    SECStatus      status = SECSuccess;
-    cipherPolicy * policy;
-
-    for (policy = ssl_ciphers; policy->cipher != 0; ++policy) {
-	status = SSL_SetPolicy(policy->cipher, policy->france);
-	if (status != SECSuccess)
-	    break;
-    }
-    return status;
-}
-
-
-
-/* LOCKS ??? XXX */
-PRFileDesc *
-SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd)
-{
-    sslSocket * ns = NULL;
-    PRStatus    rv;
-    PRNetAddr   addr;
-
-    if (model == NULL) {
-	/* Just create a default socket if we're given NULL for the model */
-	ns = ssl_NewSocket((PRBool)(!ssl_defaults.noLocks));
-    } else {
-	sslSocket * ss = ssl_FindSocket(model);
-	if (ss == NULL) {
-	    SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ImportFD", 
-	    	      SSL_GETPID(), model));
-	    return NULL;
-	}
-	ns = ssl_DupSocket(ss);
-    }
-    if (ns == NULL)
-    	return NULL;
-
-    rv = ssl_PushIOLayer(ns, fd, PR_TOP_IO_LAYER);
-    if (rv != PR_SUCCESS) {
-	ssl_FreeSocket(ns);
-	SET_ERROR_CODE
-	return NULL;
-    }
-#ifdef _WIN32
-    PR_Sleep(PR_INTERVAL_NO_WAIT);     /* workaround NT winsock connect bug. */
-#endif
-    ns = ssl_FindSocket(fd);
-    PORT_Assert(ns);
-    if (ns)
-	ns->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ns, &addr));
-    return fd;
-}
-
-/************************************************************************/
-/* The following functions are the TOP LEVEL SSL functions.
-** They all get called through the NSPRIOMethods table below.
-*/
-
-static PRFileDesc * PR_CALLBACK
-ssl_Accept(PRFileDesc *fd, PRNetAddr *sockaddr, PRIntervalTime timeout)
-{
-    sslSocket  *ss;
-    sslSocket  *ns 	= NULL;
-    PRFileDesc *newfd 	= NULL;
-    PRFileDesc *osfd;
-    PRStatus    status;
-
-    ss = ssl_GetPrivate(fd);
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in accept", SSL_GETPID(), fd));
-	return NULL;
-    }
-
-    /* IF this is a listen socket, there shouldn't be any I/O going on */
-    SSL_LOCK_READER(ss);
-    SSL_LOCK_WRITER(ss);
-    ssl_Get1stHandshakeLock(ss);
-    ssl_GetSSL3HandshakeLock(ss);
-
-    ss->cTimeout = timeout;
-
-    osfd = ss->fd->lower;
-
-    /* First accept connection */
-    newfd = osfd->methods->accept(osfd, sockaddr, timeout);
-    if (newfd == NULL) {
-	SSL_DBG(("%d: SSL[%d]: accept failed, errno=%d",
-		 SSL_GETPID(), ss->fd, PORT_GetError()));
-    } else {
-	/* Create ssl module */
-	ns = ssl_DupSocket(ss);
-    }
-
-    ssl_ReleaseSSL3HandshakeLock(ss);
-    ssl_Release1stHandshakeLock(ss);
-    SSL_UNLOCK_WRITER(ss);
-    SSL_UNLOCK_READER(ss);			/* ss isn't used below here. */
-
-    if (ns == NULL)
-	goto loser;
-
-    /* push ssl module onto the new socket */
-    status = ssl_PushIOLayer(ns, newfd, PR_TOP_IO_LAYER);
-    if (status != PR_SUCCESS)
-	goto loser;
-
-    /* Now start server connection handshake with client.
-    ** Don't need locks here because nobody else has a reference to ns yet.
-    */
-    if ( ns->opt.useSecurity ) {
-	if ( ns->opt.handshakeAsClient ) {
-	    ns->handshake = ssl2_BeginClientHandshake;
-	    ss->handshaking = sslHandshakingAsClient;
-	} else {
-	    ns->handshake = ssl2_BeginServerHandshake;
-	    ss->handshaking = sslHandshakingAsServer;
-	}
-    }
-    ns->TCPconnected = 1;
-    return newfd;
-
-loser:
-    if (ns != NULL)
-	ssl_FreeSocket(ns);
-    if (newfd != NULL)
-	PR_Close(newfd);
-    return NULL;
-}
-
-static PRStatus PR_CALLBACK
-ssl_Connect(PRFileDesc *fd, const PRNetAddr *sockaddr, PRIntervalTime timeout)
-{
-    sslSocket *ss;
-    PRStatus   rv;
-
-    ss = ssl_GetPrivate(fd);
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in connect", SSL_GETPID(), fd));
-	return PR_FAILURE;
-    }
-
-    /* IF this is a listen socket, there shouldn't be any I/O going on */
-    SSL_LOCK_READER(ss);
-    SSL_LOCK_WRITER(ss);
-
-    ss->cTimeout = timeout;
-    rv = (PRStatus)(*ss->ops->connect)(ss, sockaddr);
-#ifdef _WIN32
-    PR_Sleep(PR_INTERVAL_NO_WAIT);     /* workaround NT winsock connect bug. */
-#endif
-
-    SSL_UNLOCK_WRITER(ss);
-    SSL_UNLOCK_READER(ss);
-
-    return rv;
-}
-
-static PRStatus PR_CALLBACK
-ssl_Bind(PRFileDesc *fd, const PRNetAddr *addr)
-{
-    sslSocket * ss = ssl_GetPrivate(fd);
-    PRStatus    rv;
-
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in bind", SSL_GETPID(), fd));
-	return PR_FAILURE;
-    }
-    SSL_LOCK_READER(ss);
-    SSL_LOCK_WRITER(ss);
-
-    rv = (PRStatus)(*ss->ops->bind)(ss, addr);
-
-    SSL_UNLOCK_WRITER(ss);
-    SSL_UNLOCK_READER(ss);
-    return rv;
-}
-
-static PRStatus PR_CALLBACK
-ssl_Listen(PRFileDesc *fd, PRIntn backlog)
-{
-    sslSocket * ss = ssl_GetPrivate(fd);
-    PRStatus    rv;
-
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in listen", SSL_GETPID(), fd));
-	return PR_FAILURE;
-    }
-    SSL_LOCK_READER(ss);
-    SSL_LOCK_WRITER(ss);
-
-    rv = (PRStatus)(*ss->ops->listen)(ss, backlog);
-
-    SSL_UNLOCK_WRITER(ss);
-    SSL_UNLOCK_READER(ss);
-    return rv;
-}
-
-static PRStatus PR_CALLBACK
-ssl_Shutdown(PRFileDesc *fd, PRIntn how)
-{
-    sslSocket * ss = ssl_GetPrivate(fd);
-    PRStatus    rv;
-
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in shutdown", SSL_GETPID(), fd));
-	return PR_FAILURE;
-    }
-    if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) {
-    	SSL_LOCK_READER(ss);
-    }
-    if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) {
-    	SSL_LOCK_WRITER(ss);
-    }
-
-    rv = (PRStatus)(*ss->ops->shutdown)(ss, how);
-
-    if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) {
-    	SSL_UNLOCK_WRITER(ss);
-    }
-    if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) {
-    	SSL_UNLOCK_READER(ss);
-    }
-    return rv;
-}
-
-static PRStatus PR_CALLBACK
-ssl_Close(PRFileDesc *fd)
-{
-    sslSocket *ss;
-    PRStatus   rv;
-
-    ss = ssl_GetPrivate(fd);
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in close", SSL_GETPID(), fd));
-	return PR_FAILURE;
-    }
-
-    /* There must not be any I/O going on */
-    SSL_LOCK_READER(ss);
-    SSL_LOCK_WRITER(ss);
-
-    /* By the time this function returns, 
-    ** ss is an invalid pointer, and the locks to which it points have 
-    ** been unlocked and freed.  So, this is the ONE PLACE in all of SSL
-    ** where the LOCK calls and the corresponding UNLOCK calls are not in
-    ** the same function scope.  The unlock calls are in ssl_FreeSocket().
-    */
-    rv = (PRStatus)(*ss->ops->close)(ss);
-
-    return rv;
-}
-
-static int PR_CALLBACK
-ssl_Recv(PRFileDesc *fd, void *buf, PRInt32 len, PRIntn flags,
-	 PRIntervalTime timeout)
-{
-    sslSocket *ss;
-    int        rv;
-
-    ss = ssl_GetPrivate(fd);
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in recv", SSL_GETPID(), fd));
-	return SECFailure;
-    }
-    SSL_LOCK_READER(ss);
-    ss->rTimeout = timeout;
-    if (!ss->opt.fdx)
-	ss->wTimeout = timeout;
-    rv = (*ss->ops->recv)(ss, (unsigned char*)buf, len, flags);
-    SSL_UNLOCK_READER(ss);
-    return rv;
-}
-
-static int PR_CALLBACK
-ssl_Send(PRFileDesc *fd, const void *buf, PRInt32 len, PRIntn flags,
-	 PRIntervalTime timeout)
-{
-    sslSocket *ss;
-    int        rv;
-
-    ss = ssl_GetPrivate(fd);
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in send", SSL_GETPID(), fd));
-	return SECFailure;
-    }
-    SSL_LOCK_WRITER(ss);
-    ss->wTimeout = timeout;
-    if (!ss->opt.fdx)
-	ss->rTimeout = timeout;
-    rv = (*ss->ops->send)(ss, (const unsigned char*)buf, len, flags);
-    SSL_UNLOCK_WRITER(ss);
-    return rv;
-}
-
-static int PR_CALLBACK
-ssl_Read(PRFileDesc *fd, void *buf, PRInt32 len)
-{
-    sslSocket *ss;
-    int        rv;
-
-    ss = ssl_GetPrivate(fd);
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in read", SSL_GETPID(), fd));
-	return SECFailure;
-    }
-    SSL_LOCK_READER(ss);
-    ss->rTimeout = PR_INTERVAL_NO_TIMEOUT;
-    if (!ss->opt.fdx)
-	ss->wTimeout = PR_INTERVAL_NO_TIMEOUT;
-    rv = (*ss->ops->read)(ss, (unsigned char*)buf, len);
-    SSL_UNLOCK_READER(ss);
-    return rv;
-}
-
-static int PR_CALLBACK
-ssl_Write(PRFileDesc *fd, const void *buf, PRInt32 len)
-{
-    sslSocket *ss;
-    int        rv;
-
-    ss = ssl_GetPrivate(fd);
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in write", SSL_GETPID(), fd));
-	return SECFailure;
-    }
-    SSL_LOCK_WRITER(ss);
-    ss->wTimeout = PR_INTERVAL_NO_TIMEOUT;
-    if (!ss->opt.fdx)
-	ss->rTimeout = PR_INTERVAL_NO_TIMEOUT;
-    rv = (*ss->ops->write)(ss, (const unsigned char*)buf, len);
-    SSL_UNLOCK_WRITER(ss);
-    return rv;
-}
-
-static PRStatus PR_CALLBACK
-ssl_GetPeerName(PRFileDesc *fd, PRNetAddr *addr)
-{
-    sslSocket *ss;
-
-    ss = ssl_GetPrivate(fd);
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in getpeername", SSL_GETPID(), fd));
-	return PR_FAILURE;
-    }
-    return (PRStatus)(*ss->ops->getpeername)(ss, addr);
-}
-
-/*
-*/
-SECStatus
-ssl_GetPeerInfo(sslSocket *ss)
-{
-    PRFileDesc *      osfd;
-    int               rv;
-    PRNetAddr         sin;
-
-    osfd = ss->fd->lower;
-
-    PORT_Memset(&sin, 0, sizeof(sin));
-    rv = osfd->methods->getpeername(osfd, &sin);
-    if (rv < 0) {
-	return SECFailure;
-    }
-    ss->TCPconnected = 1;
-    if (sin.inet.family == PR_AF_INET) {
-        PR_ConvertIPv4AddrToIPv6(sin.inet.ip, &ss->sec.ci.peer);
-	ss->sec.ci.port = sin.inet.port;
-    } else if (sin.ipv6.family == PR_AF_INET6) {
-	ss->sec.ci.peer = sin.ipv6.ip;
-	ss->sec.ci.port = sin.ipv6.port;
-    } else {
-	PORT_SetError(PR_ADDRESS_NOT_SUPPORTED_ERROR);
-    	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-static PRStatus PR_CALLBACK
-ssl_GetSockName(PRFileDesc *fd, PRNetAddr *name)
-{
-    sslSocket *ss;
-
-    ss = ssl_GetPrivate(fd);
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in getsockname", SSL_GETPID(), fd));
-	return PR_FAILURE;
-    }
-    return (PRStatus)(*ss->ops->getsockname)(ss, name);
-}
-
-SECStatus PR_CALLBACK
-SSL_SetSockPeerID(PRFileDesc *fd, char *peerID)
-{
-    sslSocket *ss;
-
-    ss = ssl_FindSocket(fd);
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetCacheIndex",
-		 SSL_GETPID(), fd));
-	return SECFailure;
-    }
-
-    ss->peerID = PORT_Strdup(peerID);
-    return SECSuccess;
-}
-
-SECStatus PR_CALLBACK
-ssl_SetTimeout(PRFileDesc *fd, PRIntervalTime timeout)
-{
-    sslSocket *ss;
-    int        rv;
-
-    ss = ssl_GetPrivate(fd);
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in SetTimeout", SSL_GETPID(), fd));
-	return SECFailure;
-    }
-    SSL_LOCK_READER(ss);
-    ss->rTimeout = timeout;
-    if (ss->opt.fdx) {
-        SSL_LOCK_WRITER(ss);
-    }
-    ss->wTimeout = timeout;
-    if (ss->opt.fdx) {
-        SSL_UNLOCK_WRITER(ss);
-    }
-    SSL_UNLOCK_READER(ss);
-    return SECSuccess;
-}
-
-#define PR_POLL_RW (PR_POLL_WRITE | PR_POLL_READ)
-
-static PRInt16 PR_CALLBACK
-ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags)
-{
-    sslSocket *ss;
-    PRInt16    new_flags = how_flags;	/* should select on these flags. */
-    PRNetAddr  addr;
-
-    *p_out_flags = 0;
-    ss = ssl_GetPrivate(fd);
-    if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_Poll",
-		 SSL_GETPID(), fd));
-	return 0;	/* don't poll on this socket */
-    }
-
-    if (ss->opt.useSecurity && 
-	ss->handshaking != sslHandshakingUndetermined &&
-        !ss->firstHsDone &&
-	(how_flags & PR_POLL_RW)) {
-	if (!ss->TCPconnected) {
-	    ss->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ss, &addr));
-	}
-	/* If it's not connected, then presumably the application is polling
-	** on read or write appropriately, so don't change it. 
-	*/
-	if (ss->TCPconnected) {
-	    if (!ss->handshakeBegun) {
-		/* If the handshake has not begun, poll on read or write 
-		** based on the local application's role in the handshake,
-		** not based on what the application requested.
-		*/
-		new_flags &= ~PR_POLL_RW;
-		if (ss->handshaking == sslHandshakingAsClient) {
-		    new_flags |= PR_POLL_WRITE;
-		} else { /* handshaking as server */
-		    new_flags |= PR_POLL_READ;
-		}
-	    } else 
-	    /* First handshake is in progress */
-	    if (ss->lastWriteBlocked) {
-		if (new_flags & PR_POLL_READ) {
-		    /* The caller is waiting for data to be received, 
-		    ** but the initial handshake is blocked on write, or the 
-		    ** client's first handshake record has not been written.
-		    ** The code should select on write, not read.
-		    */
-		    new_flags ^=  PR_POLL_READ;	   /* don't select on read. */
-		    new_flags |=  PR_POLL_WRITE;   /* do    select on write. */
-		}
-	    } else if (new_flags & PR_POLL_WRITE) {
-		    /* The caller is trying to write, but the handshake is 
-		    ** blocked waiting for data to read, and the first 
-		    ** handshake has been sent.  so do NOT to poll on write.
-		    */
-		    new_flags ^=  PR_POLL_WRITE;   /* don't select on write. */
-		    new_flags |=  PR_POLL_READ;	   /* do    select on read. */
-	    }
-	}
-    } else if ((new_flags & PR_POLL_READ) && (SSL_DataPending(fd) > 0)) {
-	*p_out_flags = PR_POLL_READ;	/* it's ready already. */
-	return new_flags;
-    } else if ((ss->lastWriteBlocked) && (how_flags & PR_POLL_READ) &&
-	       (ss->pendingBuf.len != 0)) { /* write data waiting to be sent */
-	new_flags |=  PR_POLL_WRITE;   /* also select on write. */
-    } 
-    if (new_flags && (fd->lower->methods->poll != NULL)) {
-	PRInt16    lower_out_flags = 0;
-	PRInt16    lower_new_flags;
-        lower_new_flags = fd->lower->methods->poll(fd->lower, new_flags, 
-					           &lower_out_flags);
-	if ((lower_new_flags & lower_out_flags) && (how_flags != new_flags)) {
-	    PRInt16 out_flags = lower_out_flags & ~PR_POLL_RW;
-	    if (lower_out_flags & PR_POLL_READ) 
-		out_flags |= PR_POLL_WRITE;
-	    if (lower_out_flags & PR_POLL_WRITE) 
-		out_flags |= PR_POLL_READ;
-	    *p_out_flags = out_flags;
-	    new_flags = how_flags;
-	} else {
-	    *p_out_flags = lower_out_flags;
-	    new_flags    = lower_new_flags;
-	}
-    }
-
-    return new_flags;
-}
-
-
-PRBool
-ssl_FdIsBlocking(PRFileDesc *fd)
-{
-    PRSocketOptionData opt;
-    PRStatus           status;
-
-    opt.option             = PR_SockOpt_Nonblocking;
-    opt.value.non_blocking = PR_FALSE;
-    status = PR_GetSocketOption(fd, &opt);
-    if (status != PR_SUCCESS)
-	return PR_FALSE;
-    return (PRBool)!opt.value.non_blocking;
-}
-
-PRBool
-ssl_SocketIsBlocking(sslSocket *ss)
-{
-    return ssl_FdIsBlocking(ss->fd);
-}
-
-PRInt32  sslFirstBufSize = 8 * 1024;
-PRInt32  sslCopyLimit    = 1024;
-
-static PRInt32 PR_CALLBACK
-ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors, 
-           PRIntervalTime timeout)
-{
-    PRInt32            bufLen;
-    PRInt32            left;
-    PRInt32            rv;
-    PRInt32            sent      =  0;
-    const PRInt32      first_len = sslFirstBufSize;
-    const PRInt32      limit     = sslCopyLimit;
-    PRBool             blocking;
-    PRIOVec            myIov	 = { 0, 0 };
-    char               buf[MAX_FRAGMENT_LENGTH];
-
-    if (vectors > PR_MAX_IOVECTOR_SIZE) {
-    	PORT_SetError(PR_BUFFER_OVERFLOW_ERROR);
-	return -1;
-    }
-    blocking = ssl_FdIsBlocking(fd);
-
-#define K16 sizeof(buf)
-#define KILL_VECTORS while (vectors && !iov->iov_len) { ++iov; --vectors; }
-#define GET_VECTOR   do { myIov = *iov++; --vectors; KILL_VECTORS } while (0)
-#define HANDLE_ERR(rv, len) \
-    if (rv != len) { \
-	if (rv < 0) { \
-	    if (!blocking \
-		&& (PR_GetError() == PR_WOULD_BLOCK_ERROR) \
-		&& (sent > 0)) { \
-		return sent; \
-	    } else { \
-		return -1; \
-	    } \
-	} \
-	/* Only a nonblocking socket can have partial sends */ \
-	PR_ASSERT(!blocking); \
-	return sent; \
-    } 
-#define SEND(bfr, len) \
-    do { \
-	rv = ssl_Send(fd, bfr, len, 0, timeout); \
-	HANDLE_ERR(rv, len) \
-	sent += len; \
-    } while (0)
-
-    /* Make sure the first write is at least 8 KB, if possible. */
-    KILL_VECTORS
-    if (!vectors)
-	return ssl_Send(fd, 0, 0, 0, timeout);
-    GET_VECTOR;
-    if (!vectors) {
-	return ssl_Send(fd, myIov.iov_base, myIov.iov_len, 0, timeout);
-    }
-    if (myIov.iov_len < first_len) {
-	PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len);
-	bufLen = myIov.iov_len;
-	left = first_len - bufLen;
-	while (vectors && left) {
-	    int toCopy;
-	    GET_VECTOR;
-	    toCopy = PR_MIN(left, myIov.iov_len);
-	    PORT_Memcpy(buf + bufLen, myIov.iov_base, toCopy);
-	    bufLen         += toCopy;
-	    left           -= toCopy;
-	    myIov.iov_base += toCopy;
-	    myIov.iov_len  -= toCopy;
-	}
-	SEND( buf, bufLen );
-    }
-
-    while (vectors || myIov.iov_len) {
-	PRInt32   addLen;
-	if (!myIov.iov_len) {
-	    GET_VECTOR;
-	}
-	while (myIov.iov_len >= K16) {
-	    SEND(myIov.iov_base, K16);
-	    myIov.iov_base += K16;
-	    myIov.iov_len  -= K16;
-	}
-	if (!myIov.iov_len)
-	    continue;
-
-	if (!vectors || myIov.iov_len > limit) {
-	    addLen = 0;
-	} else if ((addLen = iov->iov_len % K16) + myIov.iov_len <= limit) {
-	    /* Addlen is already computed. */;
-	} else if (vectors > 1 && 
-	     iov[1].iov_len % K16 + addLen + myIov.iov_len <= 2 * limit) {
-	     addLen = limit - myIov.iov_len;
-	} else 
-	    addLen = 0;
-
-	if (!addLen) {
-	    SEND( myIov.iov_base, myIov.iov_len );
-	    myIov.iov_len = 0;
-	    continue;
-	}
-	PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len);
-	bufLen = myIov.iov_len;
-	do {
-	    GET_VECTOR;
-	    PORT_Memcpy(buf + bufLen, myIov.iov_base, addLen);
-	    myIov.iov_base += addLen;
-	    myIov.iov_len  -= addLen;
-	    bufLen         += addLen;
-
-	    left = PR_MIN( limit, K16 - bufLen);
-	    if (!vectors 		/* no more left */
-	    ||  myIov.iov_len > 0	/* we didn't use that one all up */
-	    ||  bufLen >= K16		/* it's full. */
-	    ) {
-		addLen = 0;
-	    } else if ((addLen = iov->iov_len % K16) <= left) {
-		/* Addlen is already computed. */;
-	    } else if (vectors > 1 && 
-		 iov[1].iov_len % K16 + addLen <= left + limit) {
-		 addLen = left;
-	    } else 
-		addLen = 0;
-
-	} while (addLen);
-	SEND( buf, bufLen );
-    } 
-    return sent;
-}
-
-/*
- * These functions aren't implemented.
- */
-
-static PRInt32 PR_CALLBACK
-ssl_Available(PRFileDesc *fd)
-{
-    PORT_Assert(0);
-    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
-    return SECFailure;
-}
-
-static PRInt64 PR_CALLBACK
-ssl_Available64(PRFileDesc *fd)
-{
-    PRInt64 res;
-
-    PORT_Assert(0);
-    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
-    LL_I2L(res, -1L);
-    return res;
-}
-
-static PRStatus PR_CALLBACK
-ssl_FSync(PRFileDesc *fd)
-{
-    PORT_Assert(0);
-    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
-    return PR_FAILURE;
-}
-
-static PRInt32 PR_CALLBACK
-ssl_Seek(PRFileDesc *fd, PRInt32 offset, PRSeekWhence how) {
-    PORT_Assert(0);
-    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
-    return SECFailure;
-}
-
-static PRInt64 PR_CALLBACK
-ssl_Seek64(PRFileDesc *fd, PRInt64 offset, PRSeekWhence how) {
-    PRInt64 res;
-
-    PORT_Assert(0);
-    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
-    LL_I2L(res, -1L);
-    return res;
-}
-
-static PRStatus PR_CALLBACK
-ssl_FileInfo(PRFileDesc *fd, PRFileInfo *info)
-{
-    PORT_Assert(0);
-    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
-    return PR_FAILURE;
-}
-
-static PRStatus PR_CALLBACK
-ssl_FileInfo64(PRFileDesc *fd, PRFileInfo64 *info)
-{
-    PORT_Assert(0);
-    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
-    return PR_FAILURE;
-}
-
-static PRInt32 PR_CALLBACK
-ssl_RecvFrom(PRFileDesc *fd, void *buf, PRInt32 amount, PRIntn flags,
-	     PRNetAddr *addr, PRIntervalTime timeout)
-{
-    PORT_Assert(0);
-    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
-    return SECFailure;
-}
-
-static PRInt32 PR_CALLBACK
-ssl_SendTo(PRFileDesc *fd, const void *buf, PRInt32 amount, PRIntn flags,
-	   const PRNetAddr *addr, PRIntervalTime timeout)
-{
-    PORT_Assert(0);
-    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
-    return SECFailure;
-}
-
-static const PRIOMethods ssl_methods = {
-    PR_DESC_LAYERED,
-    ssl_Close,           	/* close        */
-    ssl_Read,            	/* read         */
-    ssl_Write,           	/* write        */
-    ssl_Available,       	/* available    */
-    ssl_Available64,     	/* available64  */
-    ssl_FSync,           	/* fsync        */
-    ssl_Seek,            	/* seek         */
-    ssl_Seek64,          	/* seek64       */
-    ssl_FileInfo,        	/* fileInfo     */
-    ssl_FileInfo64,      	/* fileInfo64   */
-    ssl_WriteV,          	/* writev       */
-    ssl_Connect,         	/* connect      */
-    ssl_Accept,          	/* accept       */
-    ssl_Bind,            	/* bind         */
-    ssl_Listen,          	/* listen       */
-    ssl_Shutdown,        	/* shutdown     */
-    ssl_Recv,            	/* recv         */
-    ssl_Send,            	/* send         */
-    ssl_RecvFrom,        	/* recvfrom     */
-    ssl_SendTo,          	/* sendto       */
-    ssl_Poll,            	/* poll         */
-    ssl_EmulateAcceptRead,      /* acceptread   */
-    ssl_EmulateTransmitFile,    /* transmitfile */
-    ssl_GetSockName,     	/* getsockname  */
-    ssl_GetPeerName,     	/* getpeername  */
-    NULL,                	/* getsockopt   OBSOLETE */
-    NULL,                	/* setsockopt   OBSOLETE */
-    NULL,                	/* getsocketoption   */
-    NULL,                	/* setsocketoption   */
-    ssl_EmulateSendFile, 	/* Send a (partial) file with header/trailer*/
-    NULL,                	/* reserved for future use */
-    NULL,                	/* reserved for future use */
-    NULL,                	/* reserved for future use */
-    NULL,                	/* reserved for future use */
-    NULL                 	/* reserved for future use */
-};
-
-
-static PRIOMethods combined_methods;
-
-static void
-ssl_SetupIOMethods(void)
-{
-          PRIOMethods *new_methods  = &combined_methods;
-    const PRIOMethods *nspr_methods = PR_GetDefaultIOMethods();
-    const PRIOMethods *my_methods   = &ssl_methods;
-
-    *new_methods = *nspr_methods;
-
-    new_methods->file_type         = my_methods->file_type;
-    new_methods->close             = my_methods->close;
-    new_methods->read              = my_methods->read;
-    new_methods->write             = my_methods->write;
-    new_methods->available         = my_methods->available;
-    new_methods->available64       = my_methods->available64;
-    new_methods->fsync             = my_methods->fsync;
-    new_methods->seek              = my_methods->seek;
-    new_methods->seek64            = my_methods->seek64;
-    new_methods->fileInfo          = my_methods->fileInfo;
-    new_methods->fileInfo64        = my_methods->fileInfo64;
-    new_methods->writev            = my_methods->writev;
-    new_methods->connect           = my_methods->connect;
-    new_methods->accept            = my_methods->accept;
-    new_methods->bind              = my_methods->bind;
-    new_methods->listen            = my_methods->listen;
-    new_methods->shutdown          = my_methods->shutdown;
-    new_methods->recv              = my_methods->recv;
-    new_methods->send              = my_methods->send;
-    new_methods->recvfrom          = my_methods->recvfrom;
-    new_methods->sendto            = my_methods->sendto;
-    new_methods->poll              = my_methods->poll;
-    new_methods->acceptread        = my_methods->acceptread;
-    new_methods->transmitfile      = my_methods->transmitfile;
-    new_methods->getsockname       = my_methods->getsockname;
-    new_methods->getpeername       = my_methods->getpeername;
-/*  new_methods->getsocketoption   = my_methods->getsocketoption;	*/
-/*  new_methods->setsocketoption   = my_methods->setsocketoption;	*/
-    new_methods->sendfile          = my_methods->sendfile;
-
-}
-
-static PRCallOnceType initIoLayerOnce;
-
-static PRStatus  
-ssl_InitIOLayer(void)
-{
-    ssl_layer_id = PR_GetUniqueIdentity("SSL");
-    ssl_SetupIOMethods();
-    ssl_inited = PR_TRUE;
-    return PR_SUCCESS;
-}
-
-static PRStatus
-ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, PRDescIdentity id)
-{
-    PRFileDesc *layer	= NULL;
-    PRStatus    status;
-
-    if (!ssl_inited) {
-	PR_CallOnce(&initIoLayerOnce, &ssl_InitIOLayer);
-    }
-
-    if (ns == NULL)
-	goto loser;
-
-    layer = PR_CreateIOLayerStub(ssl_layer_id, &combined_methods);
-    if (layer == NULL)
-	goto loser;
-    layer->secret = (PRFilePrivate *)ns;
-
-    /* Here, "stack" points to the PRFileDesc on the top of the stack.
-    ** "layer" points to a new FD that is to be inserted into the stack.
-    ** If layer is being pushed onto the top of the stack, then 
-    ** PR_PushIOLayer switches the contents of stack and layer, and then
-    ** puts stack on top of layer, so that after it is done, the top of 
-    ** stack is the same "stack" as it was before, and layer is now the 
-    ** FD for the former top of stack.
-    ** After this call, stack always points to the top PRFD on the stack.
-    ** If this function fails, the contents of stack and layer are as 
-    ** they were before the call.
-    */
-    status = PR_PushIOLayer(stack, id, layer);
-    if (status != PR_SUCCESS)
-	goto loser;
-
-    ns->fd = (id == PR_TOP_IO_LAYER) ? stack : layer;
-    return PR_SUCCESS;
-
-loser:
-    if (layer) {
-	layer->dtor(layer); /* free layer */
-    }
-    return PR_FAILURE;
-}
-
-/* if this fails, caller must destroy socket. */
-static SECStatus
-ssl_MakeLocks(sslSocket *ss)
-{
-    ss->firstHandshakeLock = PZ_NewMonitor(nssILockSSL);
-    if (!ss->firstHandshakeLock) 
-	goto loser;
-    ss->ssl3HandshakeLock  = PZ_NewMonitor(nssILockSSL);
-    if (!ss->ssl3HandshakeLock) 
-	goto loser;
-    ss->specLock           = NSSRWLock_New(SSL_LOCK_RANK_SPEC, NULL);
-    if (!ss->specLock) 
-	goto loser;
-    ss->recvBufLock        = PZ_NewMonitor(nssILockSSL);
-    if (!ss->recvBufLock) 
-	goto loser;
-    ss->xmitBufLock        = PZ_NewMonitor(nssILockSSL);
-    if (!ss->xmitBufLock) 
-	goto loser;
-    ss->writerThread       = NULL;
-    if (ssl_lock_readers) {
-	ss->recvLock       = PZ_NewLock(nssILockSSL);
-	if (!ss->recvLock) 
-	    goto loser;
-	ss->sendLock       = PZ_NewLock(nssILockSSL);
-	if (!ss->sendLock) 
-	    goto loser;
-    }
-    return SECSuccess;
-loser:
-    ssl_DestroyLocks(ss);
-    return SECFailure;
-}
-
-#if (defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS)) && !defined(_WIN32_WCE)
-#define NSS_HAVE_GETENV 1
-#endif
-
-/*
-** Create a newsocket structure for a file descriptor.
-*/
-static sslSocket *
-ssl_NewSocket(PRBool makeLocks)
-{
-    sslSocket *ss;
-#if defined( NSS_HAVE_GETENV )
-    static int firsttime = 1;
-
-    if (firsttime) {
-	char * ev;
-	firsttime = 0;
-#ifdef DEBUG
-#ifdef TRACE
-	ev = getenv("SSLTRACE");
-	if (ev && ev[0]) {
-	    ssl_trace = atoi(ev);
-	    SSL_TRACE(("SSL: tracing set to %d", ssl_trace));
-	}
-#endif /* TRACE */
-	ev = getenv("SSLDEBUG");
-	if (ev && ev[0]) {
-	    ssl_debug = atoi(ev);
-	    SSL_TRACE(("SSL: debugging set to %d", ssl_debug));
-	}
-#endif /* DEBUG */
-	ev = getenv("SSLBYPASS");
-	if (ev && ev[0]) {
-	    ssl_defaults.bypassPKCS11 = (ev[0] == '1');
-	    SSL_TRACE(("SSL: bypass default set to %d", \
-		      ssl_defaults.bypassPKCS11));
-	}
-	ev = getenv("SSLFORCELOCKS");
-	if (ev && ev[0] == '1') {
-	    ssl_force_locks = PR_TRUE;
-	    ssl_defaults.noLocks = 0;
-	    strcpy(lockStatus + LOCKSTATUS_OFFSET, "FORCED.  ");
-	    SSL_TRACE(("SSL: force_locks set to %d", ssl_force_locks));
-	}
-    }
-#endif /* NSS_HAVE_GETENV */
-    if (ssl_force_locks)
-	makeLocks = PR_TRUE;
-
-    /* Make a new socket and get it ready */
-    ss = (sslSocket*) PORT_ZAlloc(sizeof(sslSocket));
-    if (ss) {
-        /* This should be of type SSLKEAType, but CC on IRIX
-	 * complains during the for loop.
-	 */
-	int i;
-	SECStatus status;
- 
-	ss->opt                = ssl_defaults;
-	ss->opt.useSocks       = PR_FALSE;
-	ss->opt.noLocks        = !makeLocks;
-
-	ss->peerID             = NULL;
-	ss->rTimeout	       = PR_INTERVAL_NO_TIMEOUT;
-	ss->wTimeout	       = PR_INTERVAL_NO_TIMEOUT;
-	ss->cTimeout	       = PR_INTERVAL_NO_TIMEOUT;
-	ss->cipherSpecs        = NULL;
-        ss->sizeCipherSpecs    = 0;  /* produced lazily */
-        ss->preferredCipher    = NULL;
-        ss->url                = NULL;
-
-	for (i=kt_null; i < kt_kea_size; i++) {
-	    sslServerCerts * sc = ss->serverCerts + i;
-	    sc->serverCert      = NULL;
-	    sc->serverCertChain = NULL;
-	    sc->serverKeyPair   = NULL;
-	    sc->serverKeyBits   = 0;
-	}
-	ss->stepDownKeyPair    = NULL;
-	ss->dbHandle           = CERT_GetDefaultCertDB();
-
-	/* Provide default implementation of hooks */
-	ss->authCertificate    = SSL_AuthCertificate;
-	ss->authCertificateArg = (void *)ss->dbHandle;
-	ss->getClientAuthData  = NULL;
-	ss->handleBadCert      = NULL;
-	ss->badCertArg         = NULL;
-	ss->pkcs11PinArg       = NULL;
-
-	ssl_ChooseOps(ss);
-	ssl2_InitSocketPolicy(ss);
-	ssl3_InitSocketPolicy(ss);
-
-	if (makeLocks) {
-	    status = ssl_MakeLocks(ss);
-	    if (status != SECSuccess)
-		goto loser;
-	}
-	status = ssl_CreateSecurityInfo(ss);
-	if (status != SECSuccess) 
-	    goto loser;
-	status = ssl_InitGather(&ss->gs);
-	if (status != SECSuccess) {
-loser:
-	    ssl_DestroySocketContents(ss);
-	    ssl_DestroyLocks(ss);
-	    PORT_Free(ss);
-	    ss = NULL;
-	}
-    }
-    return ss;
-}
-
diff --git a/security/nss/lib/ssl/sslt.h b/security/nss/lib/ssl/sslt.h
deleted file mode 100644
index 052339b7d..000000000
--- a/security/nss/lib/ssl/sslt.h
+++ /dev/null
@@ -1,173 +0,0 @@
-/*
- * This file contains prototypes for the public SSL functions.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#ifndef __sslt_h_
-#define __sslt_h_
-
-#include "prtypes.h"
-
-typedef struct SSL3StatisticsStr {
-    /* statistics from ssl3_SendClientHello (sch) */
-    long sch_sid_cache_hits;
-    long sch_sid_cache_misses;
-    long sch_sid_cache_not_ok;
-
-    /* statistics from ssl3_HandleServerHello (hsh) */
-    long hsh_sid_cache_hits;
-    long hsh_sid_cache_misses;
-    long hsh_sid_cache_not_ok;
-
-    /* statistics from ssl3_HandleClientHello (hch) */
-    long hch_sid_cache_hits;
-    long hch_sid_cache_misses;
-    long hch_sid_cache_not_ok;
-} SSL3Statistics;
-
-/* Key Exchange algorithm values */
-typedef enum {
-    ssl_kea_null     = 0,
-    ssl_kea_rsa      = 1,
-    ssl_kea_dh       = 2,
-    ssl_kea_fortezza = 3,       /* deprecated, now unused */
-    ssl_kea_ecdh     = 4,
-    ssl_kea_size		/* number of ssl_kea_ algorithms */
-} SSLKEAType;
-
-/* The following defines are for backwards compatibility.
-** They will be removed in a forthcoming release to reduce namespace pollution.
-** programs that use the kt_ symbols should convert to the ssl_kt_ symbols
-** soon.
-*/
-#define kt_null   	ssl_kea_null
-#define kt_rsa   	ssl_kea_rsa
-#define kt_dh   	ssl_kea_dh
-#define kt_fortezza	ssl_kea_fortezza       /* deprecated, now unused */
-#define kt_ecdh   	ssl_kea_ecdh
-#define kt_kea_size	ssl_kea_size
-
-typedef enum {
-    ssl_sign_null   = 0, 
-    ssl_sign_rsa    = 1,
-    ssl_sign_dsa    = 2,
-    ssl_sign_ecdsa  = 3
-} SSLSignType;
-
-typedef enum {
-    ssl_auth_null   = 0, 
-    ssl_auth_rsa    = 1,
-    ssl_auth_dsa    = 2,
-    ssl_auth_kea    = 3,
-    ssl_auth_ecdsa  = 4
-} SSLAuthType;
-
-typedef enum {
-    ssl_calg_null     = 0,
-    ssl_calg_rc4      = 1,
-    ssl_calg_rc2      = 2,
-    ssl_calg_des      = 3,
-    ssl_calg_3des     = 4,
-    ssl_calg_idea     = 5,
-    ssl_calg_fortezza = 6,      /* deprecated, now unused */
-    ssl_calg_aes      = 7       /* coming soon */
-} SSLCipherAlgorithm;
-
-typedef enum { 
-    ssl_mac_null      = 0, 
-    ssl_mac_md5       = 1, 
-    ssl_mac_sha       = 2, 
-    ssl_hmac_md5      = 3, 	/* TLS HMAC version of mac_md5 */
-    ssl_hmac_sha      = 4 	/* TLS HMAC version of mac_sha */
-} SSLMACAlgorithm;
-
-typedef struct SSLChannelInfoStr {
-    PRUint32             length;
-    PRUint16             protocolVersion;
-    PRUint16             cipherSuite;
-
-    /* server authentication info */
-    PRUint32             authKeyBits;
-
-    /* key exchange algorithm info */
-    PRUint32             keaKeyBits;
-
-    /* session info */
-    PRUint32             creationTime;		/* seconds since Jan 1, 1970 */
-    PRUint32             lastAccessTime;	/* seconds since Jan 1, 1970 */
-    PRUint32             expirationTime;	/* seconds since Jan 1, 1970 */
-    PRUint32             sessionIDLength;	/* up to 32 */
-    PRUint8              sessionID    [32];
-} SSLChannelInfo;
-
-typedef struct SSLCipherSuiteInfoStr {
-    PRUint16             length;
-    PRUint16             cipherSuite;
-
-    /* Cipher Suite Name */
-    const char *         cipherSuiteName;
-
-    /* server authentication info */
-    const char *         authAlgorithmName;
-    SSLAuthType          authAlgorithm;
-
-    /* key exchange algorithm info */
-    const char *         keaTypeName;
-    SSLKEAType           keaType;
-
-    /* symmetric encryption info */
-    const char *         symCipherName;
-    SSLCipherAlgorithm   symCipher;
-    PRUint16             symKeyBits;
-    PRUint16             symKeySpace;
-    PRUint16             effectiveKeyBits;
-
-    /* MAC info */
-    const char *         macAlgorithmName;
-    SSLMACAlgorithm      macAlgorithm;
-    PRUint16             macBits;
-
-    PRUintn              isFIPS       : 1;
-    PRUintn              isExportable : 1;
-    PRUintn              nonStandard  : 1;
-    PRUintn              reservedBits :29;
-
-} SSLCipherSuiteInfo;
-
-#endif /* __sslt_h_ */
diff --git a/security/nss/lib/ssl/ssltrace.c b/security/nss/lib/ssl/ssltrace.c
deleted file mode 100644
index af5a00ed6..000000000
--- a/security/nss/lib/ssl/ssltrace.c
+++ /dev/null
@@ -1,272 +0,0 @@
-/*
- * Functions to trace SSL protocol behavior in DEBUG builds.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-#include <stdarg.h>
-#include "cert.h"
-#include "ssl.h"
-#include "sslimpl.h"
-#include "sslproto.h"
-#include "prprf.h"
-
-#if defined(DEBUG) || defined(TRACE)
-static const char *hex = "0123456789abcdef";
-
-static const char printable[257] = {
-	"................"	/* 0x */
-	"................"	/* 1x */
-	" !\"#$%&'()*+,-./"	/* 2x */
-	"0123456789:;<=>?"	/* 3x */
-	"@ABCDEFGHIJKLMNO"	/* 4x */
-	"PQRSTUVWXYZ[\\]^_"	/* 5x */
-	"`abcdefghijklmno"	/* 6x */
-	"pqrstuvwxyz{|}~."	/* 7x */
-	"................"	/* 8x */
-	"................"	/* 9x */
-	"................"	/* ax */
-	"................"	/* bx */
-	"................"	/* cx */
-	"................"	/* dx */
-	"................"	/* ex */
-	"................"	/* fx */
-};
-
-void ssl_PrintBuf(sslSocket *ss, const char *msg, const void *vp, int len)
-{
-    const unsigned char *cp = (const unsigned char *)vp;
-    char buf[80];
-    char *bp;
-    char *ap;
-
-    if (ss) {
-	SSL_TRACE(("%d: SSL[%d]: %s [Len: %d]", SSL_GETPID(), ss->fd,
-		   msg, len));
-    } else {
-	SSL_TRACE(("%d: SSL: %s [Len: %d]", SSL_GETPID(), msg, len));
-    }
-    memset(buf, ' ', sizeof buf);
-    bp = buf;
-    ap = buf + 50;
-    while (--len >= 0) {
-	unsigned char ch = *cp++;
-	*bp++ = hex[(ch >> 4) & 0xf];
-	*bp++ = hex[ch & 0xf];
-	*bp++ = ' ';
-	*ap++ = printable[ch];
-	if (ap - buf >= 66) {
-	    *ap = 0;
-	    SSL_TRACE(("   %s", buf));
-	    memset(buf, ' ', sizeof buf);
-	    bp = buf;
-	    ap = buf + 50;
-	}
-    }
-    if (bp > buf) {
-	*ap = 0;
-	SSL_TRACE(("   %s", buf));
-    }
-}
-
-#define LEN(cp)		(((cp)[0] << 8) | ((cp)[1]))
-
-static void PrintType(sslSocket *ss, char *msg)
-{
-    if (ss) {
-	SSL_TRACE(("%d: SSL[%d]: dump-msg: %s", SSL_GETPID(), ss->fd,
-		   msg));
-    } else {
-	SSL_TRACE(("%d: SSL: dump-msg: %s", SSL_GETPID(), msg));
-    }
-}
-
-static void PrintInt(sslSocket *ss, char *msg, unsigned v)
-{
-    if (ss) {
-	SSL_TRACE(("%d: SSL[%d]:           %s=%u", SSL_GETPID(), ss->fd,
-		   msg, v));
-    } else {
-	SSL_TRACE(("%d: SSL:           %s=%u", SSL_GETPID(), msg, v));
-    }
-}
-
-/* PrintBuf is just like ssl_PrintBuf above, except that:
- * a) It prefixes each line of the buffer with "XX: SSL[xxx]           "
- * b) It dumps only hex, not ASCII.
- */
-static void PrintBuf(sslSocket *ss, char *msg, unsigned char *cp, int len)
-{
-    char buf[80];
-    char *bp;
-
-    if (ss) {
-	SSL_TRACE(("%d: SSL[%d]:           %s [Len: %d]", 
-		   SSL_GETPID(), ss->fd, msg, len));
-    } else {
-	SSL_TRACE(("%d: SSL:           %s [Len: %d]", 
-		   SSL_GETPID(), msg, len));
-    }
-    bp = buf;
-    while (--len >= 0) {
-	unsigned char ch = *cp++;
-	*bp++ = hex[(ch >> 4) & 0xf];
-	*bp++ = hex[ch & 0xf];
-	*bp++ = ' ';
-	if (bp + 4 > buf + 50) {
-	    *bp = 0;
-	    if (ss) {
-		SSL_TRACE(("%d: SSL[%d]:             %s",
-			   SSL_GETPID(), ss->fd, buf));
-	    } else {
-		SSL_TRACE(("%d: SSL:             %s", SSL_GETPID(), buf));
-	    }
-	    bp = buf;
-	}
-    }
-    if (bp > buf) {
-	*bp = 0;
-	if (ss) {
-	    SSL_TRACE(("%d: SSL[%d]:             %s",
-		       SSL_GETPID(), ss->fd, buf));
-	} else {
-	    SSL_TRACE(("%d: SSL:             %s", SSL_GETPID(), buf));
-	}
-    }
-}
-
-void ssl_DumpMsg(sslSocket *ss, unsigned char *bp, unsigned len)
-{
-    switch (bp[0]) {
-      case SSL_MT_ERROR:
-	PrintType(ss, "Error");
-	PrintInt(ss, "error", LEN(bp+1));
-	break;
-
-      case SSL_MT_CLIENT_HELLO:
-	{
-	    unsigned lcs = LEN(bp+3);
-	    unsigned ls  = LEN(bp+5);
-	    unsigned lc  = LEN(bp+7);
-
-	    PrintType(ss, "Client-Hello");
-
-	    PrintInt(ss, "version (Major)",                   bp[1]);
-	    PrintInt(ss, "version (minor)",                   bp[2]);
-
-	    PrintBuf(ss, "cipher-specs",         bp+9,        lcs);
-	    PrintBuf(ss, "session-id",           bp+9+lcs,    ls);
-	    PrintBuf(ss, "challenge",            bp+9+lcs+ls, lc);
-	}
-	break;
-      case SSL_MT_CLIENT_MASTER_KEY:
-	{
-	    unsigned lck = LEN(bp+4);
-	    unsigned lek = LEN(bp+6);
-	    unsigned lka = LEN(bp+8);
-
-	    PrintType(ss, "Client-Master-Key");
-
-	    PrintInt(ss, "cipher-choice",                       bp[1]);
-	    PrintInt(ss, "key-length",                          LEN(bp+2));
-
-	    PrintBuf(ss, "clear-key",            bp+10,         lck);
-	    PrintBuf(ss, "encrypted-key",        bp+10+lck,     lek);
-	    PrintBuf(ss, "key-arg",              bp+10+lck+lek, lka);
-	}
-	break;
-      case SSL_MT_CLIENT_FINISHED:
-	PrintType(ss, "Client-Finished");
-	PrintBuf(ss, "connection-id",            bp+1,          len-1);
-	break;
-      case SSL_MT_SERVER_HELLO:
-	{
-	    unsigned lc = LEN(bp+5);
-	    unsigned lcs = LEN(bp+7);
-	    unsigned lci = LEN(bp+9);
-
-	    PrintType(ss, "Server-Hello");
-
-	    PrintInt(ss, "session-id-hit",                     bp[1]);
-	    PrintInt(ss, "certificate-type",                   bp[2]);
-	    PrintInt(ss, "version (Major)",                    bp[3]);
-	    PrintInt(ss, "version (minor)",                    bp[3]);
-	    PrintBuf(ss, "certificate",          bp+11,        lc);
-	    PrintBuf(ss, "cipher-specs",         bp+11+lc,     lcs);
-	    PrintBuf(ss, "connection-id",        bp+11+lc+lcs, lci);
-	}
-	break;
-      case SSL_MT_SERVER_VERIFY:
-	PrintType(ss, "Server-Verify");
-	PrintBuf(ss, "challenge",                bp+1,         len-1);
-	break;
-      case SSL_MT_SERVER_FINISHED:
-	PrintType(ss, "Server-Finished");
-	PrintBuf(ss, "session-id",               bp+1,         len-1);
-	break;
-      case SSL_MT_REQUEST_CERTIFICATE:
-	PrintType(ss, "Request-Certificate");
-	PrintInt(ss, "authentication-type",                    bp[1]);
-	PrintBuf(ss, "certificate-challenge",    bp+2,         len-2);
-	break;
-      case SSL_MT_CLIENT_CERTIFICATE:
-	{
-	    unsigned lc = LEN(bp+2);
-	    unsigned lr = LEN(bp+4);
-	    PrintType(ss, "Client-Certificate");
-	    PrintInt(ss, "certificate-type",                   bp[1]);
-	    PrintBuf(ss, "certificate",          bp+6,         lc);
-	    PrintBuf(ss, "response",             bp+6+lc,      lr);
-	}
-	break;
-      default:
-	ssl_PrintBuf(ss, "sending *unknown* message type", bp, len);
-	return;
-    }
-}
-
-void
-ssl_Trace(const char *format, ... )
-{
-    char buf[2000]; 
-
-    va_list args;
-    va_start(args, format);
-    PR_vsnprintf(buf, sizeof(buf), format, args);
-    va_end(args);
-    puts(buf);
-}
-#endif
diff --git a/security/nss/lib/ssl/sslver.c b/security/nss/lib/ssl/sslver.c
deleted file mode 100644
index 782048fd8..000000000
--- a/security/nss/lib/ssl/sslver.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2001
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/* Library identity and versioning */
-
-#include "nss.h"
-
-#if defined(DEBUG)
-#define _DEBUG_STRING " (debug)"
-#else
-#define _DEBUG_STRING ""
-#endif
-
-/*
- * Version information for the 'ident' and 'what commands
- *
- * NOTE: the first component of the concatenated rcsid string
- * must not end in a '$' to prevent rcs keyword substitution.
- */
-const char __nss_ssl_rcsid[] = "$Header: NSS " NSS_VERSION _DEBUG_STRING
-        "  " __DATE__ " " __TIME__ " $";
-const char __nss_ssl_sccsid[] = "@(#)NSS " NSS_VERSION _DEBUG_STRING
-        "  " __DATE__ " " __TIME__;
diff --git a/security/nss/lib/ssl/unix_err.c b/security/nss/lib/ssl/unix_err.c
deleted file mode 100644
index 6fb2583ef..000000000
--- a/security/nss/lib/ssl/unix_err.c
+++ /dev/null
@@ -1,550 +0,0 @@
-/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/*
- * This file essentially replicates NSPR's source for the functions that
- * map system-specific error codes to NSPR error codes.  We would use 
- * NSPR's functions, instead of duplicating them, but they're private.
- * As long as SSL's server session cache code must do platform native I/O
- * to accomplish its job, and NSPR's error mapping functions remain private,
- * this code will continue to need to be replicated.
- * 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#if 0
-#include "primpl.h"
-#else
-#define _PR_POLL_AVAILABLE 1
-#include "prerror.h"
-#endif
-
-#if defined (__bsdi__) || defined(NTO) || defined(DARWIN) || defined(BEOS)
-#undef _PR_POLL_AVAILABLE
-#endif
-
-#if defined(_PR_POLL_AVAILABLE)
-#include <poll.h>
-#endif
-#include <errno.h>
-
-/* forward declarations. */
-void nss_MD_unix_map_default_error(int err);
-
-void nss_MD_unix_map_opendir_error(int err)
-{
-    nss_MD_unix_map_default_error(err);
-}
-
-void nss_MD_unix_map_closedir_error(int err)
-{
-    PRErrorCode prError;
-    switch (err) {
-    case EINVAL:	prError = PR_BAD_DESCRIPTOR_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_unix_readdir_error(int err)
-{
-    PRErrorCode prError;
-
-    switch (err) {
-    case ENOENT:	prError = PR_NO_MORE_FILES_ERROR; break;
-#ifdef EOVERFLOW
-    case EOVERFLOW:	prError = PR_IO_ERROR; break;
-#endif
-    case EINVAL:	prError = PR_IO_ERROR; break;
-    case ENXIO:		prError = PR_IO_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_unlink_error(int err)
-{
-    PRErrorCode prError;
-    switch (err) {
-    case EPERM:		prError = PR_IS_DIRECTORY_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_stat_error(int err)
-{
-    PRErrorCode prError;
-    switch (err) {
-    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_fstat_error(int err)
-{
-    PRErrorCode prError;
-    switch (err) {
-    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_rename_error(int err)
-{
-    PRErrorCode prError;
-    switch (err) {
-    case EEXIST:	prError = PR_DIRECTORY_NOT_EMPTY_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_access_error(int err)
-{
-    PRErrorCode prError;
-    switch (err) {
-    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_mkdir_error(int err)
-{
-    nss_MD_unix_map_default_error(err);
-}
-
-void nss_MD_unix_map_rmdir_error(int err)
-{
-    PRErrorCode prError;
-
-    switch (err) {
-    case EEXIST:	prError = PR_DIRECTORY_NOT_EMPTY_ERROR; break;
-    case EINVAL:	prError = PR_DIRECTORY_NOT_EMPTY_ERROR; break;
-    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_read_error(int err)
-{
-    PRErrorCode prError;
-    switch (err) {
-    case EINVAL:	prError = PR_INVALID_METHOD_ERROR; break;
-    case ENXIO:		prError = PR_INVALID_ARGUMENT_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_write_error(int err)
-{
-    PRErrorCode prError;
-    switch (err) {
-    case EINVAL:	prError = PR_INVALID_METHOD_ERROR; break;
-    case ENXIO:		prError = PR_INVALID_METHOD_ERROR; break;
-    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_lseek_error(int err)
-{
-    nss_MD_unix_map_default_error(err);
-}
-
-void nss_MD_unix_map_fsync_error(int err)
-{
-    PRErrorCode prError;
-    switch (err) {
-    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
-    case EINVAL:	prError = PR_INVALID_METHOD_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_close_error(int err)
-{
-    PRErrorCode prError;
-    switch (err) {
-    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_socket_error(int err)
-{
-    PRErrorCode prError;
-    switch (err) {
-    case ENOMEM:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_socketavailable_error(int err)
-{
-    PR_SetError(PR_BAD_DESCRIPTOR_ERROR, err);
-}
-
-void nss_MD_unix_map_recv_error(int err)
-{
-    nss_MD_unix_map_default_error(err);
-}
-
-void nss_MD_unix_map_recvfrom_error(int err)
-{
-    nss_MD_unix_map_default_error(err);
-}
-
-void nss_MD_unix_map_send_error(int err)
-{
-    nss_MD_unix_map_default_error(err);
-}
-
-void nss_MD_unix_map_sendto_error(int err)
-{
-    nss_MD_unix_map_default_error(err);
-}
-
-void nss_MD_unix_map_writev_error(int err)
-{
-    nss_MD_unix_map_default_error(err);
-}
-
-void nss_MD_unix_map_accept_error(int err)
-{
-    PRErrorCode prError;
-    switch (err) {
-    case ENODEV:	prError = PR_NOT_TCP_SOCKET_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_connect_error(int err)
-{
-    PRErrorCode prError;
-    switch (err) {
-    case EACCES:	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
-#if defined(UNIXWARE) || defined(SNI) || defined(NEC)
-    /*
-     * On some platforms, if we connect to a port on the local host 
-     * (the loopback address) that no process is listening on, we get 
-     * EIO instead of ECONNREFUSED.
-     */
-    case EIO:		prError = PR_CONNECT_REFUSED_ERROR; break;
-#endif
-    case ELOOP:		prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
-    case ENOENT:	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
-    case ENXIO:		prError = PR_IO_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_bind_error(int err)
-{
-    PRErrorCode prError;
-    switch (err) {
-    case EINVAL:	prError = PR_SOCKET_ADDRESS_IS_BOUND_ERROR; break;
-        /*
-         * UNIX domain sockets are not supported in NSPR
-         */
-    case EIO:		prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
-    case EISDIR:	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
-    case ELOOP:		prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
-    case ENOENT:	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
-    case ENOTDIR:	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
-    case EROFS:		prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_listen_error(int err)
-{
-    nss_MD_unix_map_default_error(err);
-}
-
-void nss_MD_unix_map_shutdown_error(int err)
-{
-    nss_MD_unix_map_default_error(err);
-}
-
-void nss_MD_unix_map_socketpair_error(int err)
-{
-    PRErrorCode prError;
-    switch (err) {
-    case ENOMEM:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_getsockname_error(int err)
-{
-    PRErrorCode prError;
-    switch (err) {
-    case ENOMEM:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_getpeername_error(int err)
-{
-    PRErrorCode prError;
-
-    switch (err) {
-    case ENOMEM:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_getsockopt_error(int err)
-{
-    PRErrorCode prError;
-    switch (err) {
-    case EINVAL:	prError = PR_BUFFER_OVERFLOW_ERROR; break;
-    case ENOMEM:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_setsockopt_error(int err)
-{
-    PRErrorCode prError;
-    switch (err) {
-    case EINVAL:	prError = PR_BUFFER_OVERFLOW_ERROR; break;
-    case ENOMEM:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_open_error(int err)
-{
-    PRErrorCode prError;
-    switch (err) {
-    case EAGAIN:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    case EBUSY:		prError = PR_IO_ERROR; break;
-    case ENODEV:	prError = PR_FILE_NOT_FOUND_ERROR; break;
-    case ENOMEM:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_mmap_error(int err)
-{
-    PRErrorCode prError;
-    switch (err) {
-    case EAGAIN:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    case EMFILE:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    case ENODEV:	prError = PR_OPERATION_NOT_SUPPORTED_ERROR; break;
-    case ENXIO:		prError = PR_INVALID_ARGUMENT_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_gethostname_error(int err)
-{
-    nss_MD_unix_map_default_error(err);
-}
-
-void nss_MD_unix_map_select_error(int err)
-{
-    nss_MD_unix_map_default_error(err);
-}
-
-#ifdef _PR_POLL_AVAILABLE
-void nss_MD_unix_map_poll_error(int err)
-{
-    PRErrorCode prError;
-
-    switch (err) {
-    case EAGAIN:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_poll_revents_error(int err)
-{
-    if (err & POLLNVAL)
-        PR_SetError(PR_BAD_DESCRIPTOR_ERROR, EBADF);
-    else if (err & POLLHUP)
-        PR_SetError(PR_CONNECT_RESET_ERROR, EPIPE);
-    else if (err & POLLERR)
-        PR_SetError(PR_IO_ERROR, EIO);
-    else
-        PR_SetError(PR_UNKNOWN_ERROR, err);
-}
-#endif /* _PR_POLL_AVAILABLE */
-
-
-void nss_MD_unix_map_flock_error(int err)
-{
-    PRErrorCode prError;
-    switch (err) {
-    case EINVAL:	prError = PR_BAD_DESCRIPTOR_ERROR; break;
-    case EWOULDBLOCK:	prError = PR_FILE_IS_LOCKED_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_unix_map_lockf_error(int err)
-{
-    PRErrorCode prError;
-    switch (err) {
-    case EACCES:	prError = PR_FILE_IS_LOCKED_ERROR; break;
-    case EDEADLK:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    default:		nss_MD_unix_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-#ifdef HPUX11
-void nss_MD_hpux_map_sendfile_error(int err)
-{
-    nss_MD_unix_map_default_error(err);
-}
-#endif /* HPUX11 */
-
-
-void nss_MD_unix_map_default_error(int err)
-{
-    PRErrorCode prError;
-    switch (err ) {
-    case EACCES:	prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
-    case EADDRINUSE:	prError = PR_ADDRESS_IN_USE_ERROR; break;
-    case EADDRNOTAVAIL:	prError = PR_ADDRESS_NOT_AVAILABLE_ERROR; break;
-    case EAFNOSUPPORT:	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
-    case EAGAIN:	prError = PR_WOULD_BLOCK_ERROR; break;
-    /*
-     * On QNX and Neutrino, EALREADY is defined as EBUSY.
-     */
-#if EALREADY != EBUSY
-    case EALREADY:	prError = PR_ALREADY_INITIATED_ERROR; break;
-#endif
-    case EBADF:		prError = PR_BAD_DESCRIPTOR_ERROR; break;
-#ifdef EBADMSG
-    case EBADMSG:	prError = PR_IO_ERROR; break;
-#endif
-    case EBUSY:		prError = PR_FILESYSTEM_MOUNTED_ERROR; break;
-    case ECONNREFUSED:	prError = PR_CONNECT_REFUSED_ERROR; break;
-    case ECONNRESET:	prError = PR_CONNECT_RESET_ERROR; break;
-    case EDEADLK:	prError = PR_DEADLOCK_ERROR; break;
-#ifdef EDIRCORRUPTED
-    case EDIRCORRUPTED:	prError = PR_DIRECTORY_CORRUPTED_ERROR; break;
-#endif
-#ifdef EDQUOT
-    case EDQUOT:	prError = PR_NO_DEVICE_SPACE_ERROR; break;
-#endif
-    case EEXIST:	prError = PR_FILE_EXISTS_ERROR; break;
-    case EFAULT:	prError = PR_ACCESS_FAULT_ERROR; break;
-    case EFBIG:		prError = PR_FILE_TOO_BIG_ERROR; break;
-    case EINPROGRESS:	prError = PR_IN_PROGRESS_ERROR; break;
-    case EINTR:		prError = PR_PENDING_INTERRUPT_ERROR; break;
-    case EINVAL:	prError = PR_INVALID_ARGUMENT_ERROR; break;
-    case EIO:		prError = PR_IO_ERROR; break;
-    case EISCONN:	prError = PR_IS_CONNECTED_ERROR; break;
-    case EISDIR:	prError = PR_IS_DIRECTORY_ERROR; break;
-    case ELOOP:		prError = PR_LOOP_ERROR; break;
-    case EMFILE:	prError = PR_PROC_DESC_TABLE_FULL_ERROR; break;
-    case EMLINK:	prError = PR_MAX_DIRECTORY_ENTRIES_ERROR; break;
-    case EMSGSIZE:	prError = PR_INVALID_ARGUMENT_ERROR; break;
-#ifdef EMULTIHOP
-    case EMULTIHOP:	prError = PR_REMOTE_FILE_ERROR; break;
-#endif
-    case ENAMETOOLONG:	prError = PR_NAME_TOO_LONG_ERROR; break;
-    case ENETUNREACH:	prError = PR_NETWORK_UNREACHABLE_ERROR; break;
-    case ENFILE:	prError = PR_SYS_DESC_TABLE_FULL_ERROR; break;
-#if !defined(SCO)
-    case ENOBUFS:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-#endif
-    case ENODEV:	prError = PR_FILE_NOT_FOUND_ERROR; break;
-    case ENOENT:	prError = PR_FILE_NOT_FOUND_ERROR; break;
-    case ENOLCK:	prError = PR_FILE_IS_LOCKED_ERROR; break;
-#ifdef ENOLINK 
-    case ENOLINK:	prError = PR_REMOTE_FILE_ERROR; break;
-#endif
-    case ENOMEM:	prError = PR_OUT_OF_MEMORY_ERROR; break;
-    case ENOPROTOOPT:	prError = PR_INVALID_ARGUMENT_ERROR; break;
-    case ENOSPC:	prError = PR_NO_DEVICE_SPACE_ERROR; break;
-#ifdef ENOSR 
-    case ENOSR:		prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-#endif
-    case ENOTCONN:	prError = PR_NOT_CONNECTED_ERROR; break;
-    case ENOTDIR:	prError = PR_NOT_DIRECTORY_ERROR; break;
-    case ENOTSOCK:	prError = PR_NOT_SOCKET_ERROR; break;
-    case ENXIO:		prError = PR_FILE_NOT_FOUND_ERROR; break;
-    case EOPNOTSUPP:	prError = PR_NOT_TCP_SOCKET_ERROR; break;
-#ifdef EOVERFLOW
-    case EOVERFLOW:	prError = PR_BUFFER_OVERFLOW_ERROR; break;
-#endif
-    case EPERM:		prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
-    case EPIPE:		prError = PR_CONNECT_RESET_ERROR; break;
-#ifdef EPROTO
-    case EPROTO:	prError = PR_IO_ERROR; break;
-#endif
-    case EPROTONOSUPPORT: prError = PR_PROTOCOL_NOT_SUPPORTED_ERROR; break;
-    case EPROTOTYPE:	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
-    case ERANGE:	prError = PR_INVALID_METHOD_ERROR; break;
-    case EROFS:		prError = PR_READ_ONLY_FILESYSTEM_ERROR; break;
-    case ESPIPE:	prError = PR_INVALID_METHOD_ERROR; break;
-    case ETIMEDOUT:	prError = PR_IO_TIMEOUT_ERROR; break;
-#if EWOULDBLOCK != EAGAIN
-    case EWOULDBLOCK:	prError = PR_WOULD_BLOCK_ERROR; break;
-#endif
-    case EXDEV:		prError = PR_NOT_SAME_DEVICE_ERROR; break;
-
-    default:		prError = PR_UNKNOWN_ERROR; break;
-    }
-    PR_SetError(prError, err);
-}
diff --git a/security/nss/lib/ssl/unix_err.h b/security/nss/lib/ssl/unix_err.h
deleted file mode 100644
index 628b856a9..000000000
--- a/security/nss/lib/ssl/unix_err.h
+++ /dev/null
@@ -1,90 +0,0 @@
-/*
- * This file essentially replicates NSPR's source for the functions that
- * map system-specific error codes to NSPR error codes.  We would use 
- * NSPR's functions, instead of duplicating them, but they're private.
- * As long as SSL's server session cache code must do platform native I/O
- * to accomplish its job, and NSPR's error mapping functions remain private,
- * this code will continue to need to be replicated.
- * 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-/*  NSPR doesn't make these functions public, so we have to duplicate
-**  them in NSS.
-*/
-extern void nss_MD_hpux_map_sendfile_error(int err);
-extern void nss_MD_unix_map_accept_error(int err);
-extern void nss_MD_unix_map_access_error(int err);
-extern void nss_MD_unix_map_bind_error(int err);
-extern void nss_MD_unix_map_close_error(int err);
-extern void nss_MD_unix_map_closedir_error(int err);
-extern void nss_MD_unix_map_connect_error(int err);
-extern void nss_MD_unix_map_default_error(int err);
-extern void nss_MD_unix_map_flock_error(int err);
-extern void nss_MD_unix_map_fstat_error(int err);
-extern void nss_MD_unix_map_fsync_error(int err);
-extern void nss_MD_unix_map_gethostname_error(int err);
-extern void nss_MD_unix_map_getpeername_error(int err);
-extern void nss_MD_unix_map_getsockname_error(int err);
-extern void nss_MD_unix_map_getsockopt_error(int err);
-extern void nss_MD_unix_map_listen_error(int err);
-extern void nss_MD_unix_map_lockf_error(int err);
-extern void nss_MD_unix_map_lseek_error(int err);
-extern void nss_MD_unix_map_mkdir_error(int err);
-extern void nss_MD_unix_map_mmap_error(int err);
-extern void nss_MD_unix_map_open_error(int err);
-extern void nss_MD_unix_map_opendir_error(int err);
-extern void nss_MD_unix_map_poll_error(int err);
-extern void nss_MD_unix_map_poll_revents_error(int err);
-extern void nss_MD_unix_map_read_error(int err);
-extern void nss_MD_unix_map_readdir_error(int err);
-extern void nss_MD_unix_map_recv_error(int err);
-extern void nss_MD_unix_map_recvfrom_error(int err);
-extern void nss_MD_unix_map_rename_error(int err);
-extern void nss_MD_unix_map_rmdir_error(int err);
-extern void nss_MD_unix_map_select_error(int err);
-extern void nss_MD_unix_map_send_error(int err);
-extern void nss_MD_unix_map_sendto_error(int err);
-extern void nss_MD_unix_map_setsockopt_error(int err);
-extern void nss_MD_unix_map_shutdown_error(int err);
-extern void nss_MD_unix_map_socket_error(int err);
-extern void nss_MD_unix_map_socketavailable_error(int err);
-extern void nss_MD_unix_map_socketpair_error(int err);
-extern void nss_MD_unix_map_stat_error(int err);
-extern void nss_MD_unix_map_unlink_error(int err);
-extern void nss_MD_unix_map_write_error(int err);
-extern void nss_MD_unix_map_writev_error(int err);
diff --git a/security/nss/lib/ssl/win32err.c b/security/nss/lib/ssl/win32err.c
deleted file mode 100644
index b2662816d..000000000
--- a/security/nss/lib/ssl/win32err.c
+++ /dev/null
@@ -1,379 +0,0 @@
-/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/*
- * This file essentially replicates NSPR's source for the functions that
- * map system-specific error codes to NSPR error codes.  We would use 
- * NSPR's functions, instead of duplicating them, but they're private.
- * As long as SSL's server session cache code must do platform native I/O
- * to accomplish its job, and NSPR's error mapping functions remain private,
- * this code will continue to need to be replicated.
- * 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#if !defined(_WIN32_WCE)
-
-#include "prerror.h"
-#include "prlog.h"
-#include <errno.h>
-#include <windows.h>
-
-/*
- * On Win32, we map three kinds of error codes:
- * - GetLastError(): for Win32 functions
- * - WSAGetLastError(): for Winsock functions
- * - errno: for standard C library functions
- *
- * We do not check for WSAEINPROGRESS and WSAEINTR because we do not
- * use blocking Winsock 1.1 calls.
- *
- * Except for the 'socket' call, we do not check for WSAEINITIALISED.
- * It is assumed that if Winsock is not initialized, that fact will
- * be detected at the time we create new sockets.
- */
-
-/* forward declaration. */
-void nss_MD_win32_map_default_error(PRInt32 err);
-
-void nss_MD_win32_map_opendir_error(PRInt32 err)
-{
-    nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_closedir_error(PRInt32 err)
-{
-    nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_readdir_error(PRInt32 err)
-{
-    nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_delete_error(PRInt32 err)
-{
-    nss_MD_win32_map_default_error(err);
-}
-
-/* The error code for stat() is in errno. */
-void nss_MD_win32_map_stat_error(PRInt32 err)
-{
-    nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_fstat_error(PRInt32 err)
-{
-    nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_rename_error(PRInt32 err)
-{
-    nss_MD_win32_map_default_error(err);
-}
-
-/* The error code for access() is in errno. */
-void nss_MD_win32_map_access_error(PRInt32 err)
-{
-    nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_mkdir_error(PRInt32 err)
-{
-    nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_rmdir_error(PRInt32 err)
-{
-    nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_read_error(PRInt32 err)
-{
-    nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_transmitfile_error(PRInt32 err)
-{
-    nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_write_error(PRInt32 err)
-{
-    nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_lseek_error(PRInt32 err)
-{
-    nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_fsync_error(PRInt32 err)
-{
-    nss_MD_win32_map_default_error(err);
-}
-
-/*
- * For both CloseHandle() and closesocket().
- */
-void nss_MD_win32_map_close_error(PRInt32 err)
-{
-    nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_socket_error(PRInt32 err)
-{
-    PR_ASSERT(err != WSANOTINITIALISED);
-    nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_recv_error(PRInt32 err)
-{
-    nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_recvfrom_error(PRInt32 err)
-{
-    nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_send_error(PRInt32 err)
-{
-    PRErrorCode prError;
-    switch (err) {
-    case WSAEMSGSIZE: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
-    default:		nss_MD_win32_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_win32_map_sendto_error(PRInt32 err)
-{
-    PRErrorCode prError;
-    switch (err) {
-    case WSAEMSGSIZE: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
-    default:		nss_MD_win32_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_win32_map_accept_error(PRInt32 err)
-{
-    PRErrorCode prError;
-    switch (err) {
-    case WSAEOPNOTSUPP: prError = PR_NOT_TCP_SOCKET_ERROR; break;
-    case WSAEINVAL: 	prError = PR_INVALID_STATE_ERROR; break;
-    default:		nss_MD_win32_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_win32_map_acceptex_error(PRInt32 err)
-{
-    nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_connect_error(PRInt32 err)
-{
-    PRErrorCode prError;
-    switch (err) {
-    case WSAEWOULDBLOCK: prError = PR_IN_PROGRESS_ERROR; break;
-    case WSAEINVAL: 	prError = PR_ALREADY_INITIATED_ERROR; break;
-    case WSAETIMEDOUT: 	prError = PR_IO_TIMEOUT_ERROR; break;
-    default:		nss_MD_win32_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_win32_map_bind_error(PRInt32 err)
-{
-    PRErrorCode prError;
-    switch (err) {
-    case WSAEINVAL: 	prError = PR_SOCKET_ADDRESS_IS_BOUND_ERROR; break;
-    default:		nss_MD_win32_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_win32_map_listen_error(PRInt32 err)
-{
-    PRErrorCode prError;
-    switch (err) {
-    case WSAEOPNOTSUPP: prError = PR_NOT_TCP_SOCKET_ERROR; break;
-    case WSAEINVAL: 	prError = PR_INVALID_STATE_ERROR; break;
-    default:		nss_MD_win32_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_win32_map_shutdown_error(PRInt32 err)
-{
-    nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_getsockname_error(PRInt32 err)
-{
-    PRErrorCode prError;
-    switch (err) {
-    case WSAEINVAL: 	prError = PR_INVALID_STATE_ERROR; break;
-    default:		nss_MD_win32_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_win32_map_getpeername_error(PRInt32 err)
-{
-    nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_getsockopt_error(PRInt32 err)
-{
-    nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_setsockopt_error(PRInt32 err)
-{
-    nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_open_error(PRInt32 err)
-{
-    nss_MD_win32_map_default_error(err);
-}
-
-void nss_MD_win32_map_gethostname_error(PRInt32 err)
-{
-    nss_MD_win32_map_default_error(err);
-}
-
-/* Win32 select() only works on sockets.  So in this
-** context, WSAENOTSOCK is equivalent to EBADF on Unix.  
-*/
-void nss_MD_win32_map_select_error(PRInt32 err)
-{
-    PRErrorCode prError;
-    switch (err) {
-    case WSAENOTSOCK:	prError = PR_BAD_DESCRIPTOR_ERROR; break;
-    default:		nss_MD_win32_map_default_error(err); return;
-    }
-    PR_SetError(prError, err);
-}
-
-void nss_MD_win32_map_lockf_error(PRInt32 err)
-{
-    nss_MD_win32_map_default_error(err);
-}
-
-
-
-void nss_MD_win32_map_default_error(PRInt32 err)
-{
-    PRErrorCode prError;
-
-    switch (err) {
-    case EACCES: 		prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
-    case ENOENT: 		prError = PR_FILE_NOT_FOUND_ERROR; break;
-    case ERROR_ACCESS_DENIED: 	prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
-    case ERROR_ALREADY_EXISTS: 	prError = PR_FILE_EXISTS_ERROR; break;
-    case ERROR_DISK_CORRUPT: 	prError = PR_IO_ERROR; break;
-    case ERROR_DISK_FULL: 	prError = PR_NO_DEVICE_SPACE_ERROR; break;
-    case ERROR_DISK_OPERATION_FAILED: prError = PR_IO_ERROR; break;
-    case ERROR_DRIVE_LOCKED: 	prError = PR_FILE_IS_LOCKED_ERROR; break;
-    case ERROR_FILENAME_EXCED_RANGE: prError = PR_NAME_TOO_LONG_ERROR; break;
-    case ERROR_FILE_CORRUPT: 	prError = PR_IO_ERROR; break;
-    case ERROR_FILE_EXISTS: 	prError = PR_FILE_EXISTS_ERROR; break;
-    case ERROR_FILE_INVALID: 	prError = PR_BAD_DESCRIPTOR_ERROR; break;
-#if ERROR_FILE_NOT_FOUND != ENOENT
-    case ERROR_FILE_NOT_FOUND: 	prError = PR_FILE_NOT_FOUND_ERROR; break;
-#endif
-    case ERROR_HANDLE_DISK_FULL: prError = PR_NO_DEVICE_SPACE_ERROR; break;
-    case ERROR_INVALID_ADDRESS: prError = PR_ACCESS_FAULT_ERROR; break;
-    case ERROR_INVALID_HANDLE: 	prError = PR_BAD_DESCRIPTOR_ERROR; break;
-    case ERROR_INVALID_NAME: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
-    case ERROR_INVALID_PARAMETER: prError = PR_INVALID_ARGUMENT_ERROR; break;
-    case ERROR_INVALID_USER_BUFFER: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    case ERROR_LOCKED:	 	prError = PR_FILE_IS_LOCKED_ERROR; break;
-    case ERROR_NETNAME_DELETED: prError = PR_CONNECT_RESET_ERROR; break;
-    case ERROR_NOACCESS: 	prError = PR_ACCESS_FAULT_ERROR; break;
-    case ERROR_NOT_ENOUGH_MEMORY: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    case ERROR_NOT_ENOUGH_QUOTA: prError = PR_OUT_OF_MEMORY_ERROR; break;
-    case ERROR_NOT_READY: 	prError = PR_IO_ERROR; break;
-    case ERROR_NO_MORE_FILES: 	prError = PR_NO_MORE_FILES_ERROR; break;
-    case ERROR_OPEN_FAILED: 	prError = PR_IO_ERROR; break;
-    case ERROR_OPEN_FILES: 	prError = PR_IO_ERROR; break;
-    case ERROR_OUTOFMEMORY: 	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    case ERROR_PATH_BUSY: 	prError = PR_IO_ERROR; break;
-    case ERROR_PATH_NOT_FOUND: 	prError = PR_FILE_NOT_FOUND_ERROR; break;
-    case ERROR_SEEK_ON_DEVICE: 	prError = PR_IO_ERROR; break;
-    case ERROR_SHARING_VIOLATION: prError = PR_FILE_IS_BUSY_ERROR; break;
-    case ERROR_STACK_OVERFLOW: 	prError = PR_ACCESS_FAULT_ERROR; break;
-    case ERROR_TOO_MANY_OPEN_FILES: prError = PR_SYS_DESC_TABLE_FULL_ERROR; break;
-    case ERROR_WRITE_PROTECT: 	prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
-    case WSAEACCES: 		prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
-    case WSAEADDRINUSE: 	prError = PR_ADDRESS_IN_USE_ERROR; break;
-    case WSAEADDRNOTAVAIL: 	prError = PR_ADDRESS_NOT_AVAILABLE_ERROR; break;
-    case WSAEAFNOSUPPORT: 	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
-    case WSAEALREADY: 		prError = PR_ALREADY_INITIATED_ERROR; break;
-    case WSAEBADF: 		prError = PR_BAD_DESCRIPTOR_ERROR; break;
-    case WSAECONNABORTED: 	prError = PR_CONNECT_ABORTED_ERROR; break;
-    case WSAECONNREFUSED: 	prError = PR_CONNECT_REFUSED_ERROR; break;
-    case WSAECONNRESET: 	prError = PR_CONNECT_RESET_ERROR; break;
-    case WSAEDESTADDRREQ: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
-    case WSAEFAULT: 		prError = PR_ACCESS_FAULT_ERROR; break;
-    case WSAEHOSTUNREACH: 	prError = PR_HOST_UNREACHABLE_ERROR; break;
-    case WSAEINVAL: 		prError = PR_INVALID_ARGUMENT_ERROR; break;
-    case WSAEISCONN: 		prError = PR_IS_CONNECTED_ERROR; break;
-    case WSAEMFILE: 		prError = PR_PROC_DESC_TABLE_FULL_ERROR; break;
-    case WSAEMSGSIZE: 		prError = PR_BUFFER_OVERFLOW_ERROR; break;
-    case WSAENETDOWN: 		prError = PR_NETWORK_DOWN_ERROR; break;
-    case WSAENETRESET: 		prError = PR_CONNECT_ABORTED_ERROR; break;
-    case WSAENETUNREACH: 	prError = PR_NETWORK_UNREACHABLE_ERROR; break;
-    case WSAENOBUFS: 		prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
-    case WSAENOPROTOOPT: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
-    case WSAENOTCONN: 		prError = PR_NOT_CONNECTED_ERROR; break;
-    case WSAENOTSOCK: 		prError = PR_NOT_SOCKET_ERROR; break;
-    case WSAEOPNOTSUPP: 	prError = PR_OPERATION_NOT_SUPPORTED_ERROR; break;
-    case WSAEPROTONOSUPPORT: 	prError = PR_PROTOCOL_NOT_SUPPORTED_ERROR; break;
-    case WSAEPROTOTYPE: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
-    case WSAESHUTDOWN: 		prError = PR_SOCKET_SHUTDOWN_ERROR; break;
-    case WSAESOCKTNOSUPPORT: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
-    case WSAETIMEDOUT: 		prError = PR_CONNECT_ABORTED_ERROR; break;
-    case WSAEWOULDBLOCK: 	prError = PR_WOULD_BLOCK_ERROR; break;
-    default: 			prError = PR_UNKNOWN_ERROR; break;
-    }
-    PR_SetError(prError, err);
-}
-
-#endif
diff --git a/security/nss/lib/ssl/win32err.h b/security/nss/lib/ssl/win32err.h
deleted file mode 100644
index 84fa4d6a4..000000000
--- a/security/nss/lib/ssl/win32err.h
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * This file essentially replicates NSPR's source for the functions that
- * map system-specific error codes to NSPR error codes.  We would use 
- * NSPR's functions, instead of duplicating them, but they're private.
- * As long as SSL's server session cache code must do platform native I/O
- * to accomplish its job, and NSPR's error mapping functions remain private,
- * This code will continue to need to be replicated.
- * 
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-/*  NSPR doesn't make these functions public, so we have to duplicate
-**  them in NSS.
-*/
-extern void nss_MD_win32_map_accept_error(PRInt32 err);
-extern void nss_MD_win32_map_acceptex_error(PRInt32 err);
-extern void nss_MD_win32_map_access_error(PRInt32 err);
-extern void nss_MD_win32_map_bind_error(PRInt32 err);
-extern void nss_MD_win32_map_close_error(PRInt32 err);
-extern void nss_MD_win32_map_closedir_error(PRInt32 err);
-extern void nss_MD_win32_map_connect_error(PRInt32 err);
-extern void nss_MD_win32_map_default_error(PRInt32 err);
-extern void nss_MD_win32_map_delete_error(PRInt32 err);
-extern void nss_MD_win32_map_fstat_error(PRInt32 err);
-extern void nss_MD_win32_map_fsync_error(PRInt32 err);
-extern void nss_MD_win32_map_gethostname_error(PRInt32 err);
-extern void nss_MD_win32_map_getpeername_error(PRInt32 err);
-extern void nss_MD_win32_map_getsockname_error(PRInt32 err);
-extern void nss_MD_win32_map_getsockopt_error(PRInt32 err);
-extern void nss_MD_win32_map_listen_error(PRInt32 err);
-extern void nss_MD_win32_map_lockf_error(PRInt32 err);
-extern void nss_MD_win32_map_lseek_error(PRInt32 err);
-extern void nss_MD_win32_map_mkdir_error(PRInt32 err);
-extern void nss_MD_win32_map_open_error(PRInt32 err);
-extern void nss_MD_win32_map_opendir_error(PRInt32 err);
-extern void nss_MD_win32_map_read_error(PRInt32 err);
-extern void nss_MD_win32_map_readdir_error(PRInt32 err);
-extern void nss_MD_win32_map_recv_error(PRInt32 err);
-extern void nss_MD_win32_map_recvfrom_error(PRInt32 err);
-extern void nss_MD_win32_map_rename_error(PRInt32 err);
-extern void nss_MD_win32_map_rmdir_error(PRInt32 err);
-extern void nss_MD_win32_map_select_error(PRInt32 err);
-extern void nss_MD_win32_map_send_error(PRInt32 err);
-extern void nss_MD_win32_map_sendto_error(PRInt32 err);
-extern void nss_MD_win32_map_setsockopt_error(PRInt32 err);
-extern void nss_MD_win32_map_shutdown_error(PRInt32 err);
-extern void nss_MD_win32_map_socket_error(PRInt32 err);
-extern void nss_MD_win32_map_stat_error(PRInt32 err);
-extern void nss_MD_win32_map_transmitfile_error(PRInt32 err);
-extern void nss_MD_win32_map_write_error(PRInt32 err);
diff --git a/security/nss/lib/util/Makefile b/security/nss/lib/util/Makefile
deleted file mode 100644
index afe353d31..000000000
--- a/security/nss/lib/util/Makefile
+++ /dev/null
@@ -1,88 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-# include $(CORE_DEPTH)/coreconf/arch.mk
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include config.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-export:: private_export
-
-test: $(OBJDIR)/test_utf8
-
-$(OBJDIR)/test_utf8: utf8.c
-	@$(MAKE_OBJDIR)
-	$(CCF) -o $(OBJDIR)/test_utf8 -DTEST_UTF8 utf8.c $(OS_LIBS)
diff --git a/security/nss/lib/util/base64.h b/security/nss/lib/util/base64.h
deleted file mode 100644
index 44fcbfd12..000000000
--- a/security/nss/lib/util/base64.h
+++ /dev/null
@@ -1,74 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * base64.h - prototypes for base64 encoding/decoding
- * Note: These functions are deprecated; see nssb64.h for new routines.
- *
- * $Id$
- */
-#ifndef _BASE64_H_
-#define _BASE64_H_
-
-#include "seccomon.h"
-
-SEC_BEGIN_PROTOS
-
-/*
-** Return an PORT_Alloc'd ascii string which is the base64 encoded
-** version of the input string.
-*/
-extern char *BTOA_DataToAscii(const unsigned char *data, unsigned int len);
-
-/*
-** Return an PORT_Alloc'd string which is the base64 decoded version
-** of the input string; set *lenp to the length of the returned data.
-*/
-extern unsigned char *ATOB_AsciiToData(const char *string, unsigned int *lenp);
- 
-/*
-** Convert from ascii to binary encoding of an item.
-*/
-extern SECStatus ATOB_ConvertAsciiToItem(SECItem *binary_item, char *ascii);
-
-/*
-** Convert from binary encoding of an item to ascii.
-*/
-extern char *BTOA_ConvertItemToAscii(SECItem *binary_item);
-
-SEC_END_PROTOS
-
-#endif /* _BASE64_H_ */
diff --git a/security/nss/lib/util/ciferfam.h b/security/nss/lib/util/ciferfam.h
deleted file mode 100644
index 5fe8b18d7..000000000
--- a/security/nss/lib/util/ciferfam.h
+++ /dev/null
@@ -1,90 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * ciferfam.h - cipher familie IDs used for configuring ciphers for export
- *              control
- *
- * $Id$
- */
-
-#ifndef _CIFERFAM_H_
-#define _CIFERFAM_H_
-
-/* Cipher Suite "Families" */
-#define CIPHER_FAMILY_PKCS12			"PKCS12"
-#define CIPHER_FAMILY_SMIME			"SMIME"
-#define CIPHER_FAMILY_SSL2			"SSLv2"
-#define CIPHER_FAMILY_SSL3			"SSLv3"
-#define CIPHER_FAMILY_SSL			"SSL"
-#define CIPHER_FAMILY_ALL			""
-#define CIPHER_FAMILY_UNKNOWN			"UNKNOWN"
-
-#define CIPHER_FAMILYID_MASK			0xFFFF0000L
-#define CIPHER_FAMILYID_SSL			0x00000000L
-#define CIPHER_FAMILYID_SMIME			0x00010000L
-#define CIPHER_FAMILYID_PKCS12			0x00020000L
-
-/* SMIME "Cipher Suites" */
-/*
- * Note that it is assumed that the cipher number itself can be used
- * as a bit position in a mask, and that mask is currently 32 bits wide.
- * So, if you want to add a cipher that is greater than 0033, secmime.c
- * needs to be made smarter at the same time.
- */
-#define	SMIME_RC2_CBC_40		(CIPHER_FAMILYID_SMIME | 0001)
-#define	SMIME_RC2_CBC_64		(CIPHER_FAMILYID_SMIME | 0002)
-#define	SMIME_RC2_CBC_128		(CIPHER_FAMILYID_SMIME | 0003)
-#define	SMIME_DES_CBC_56		(CIPHER_FAMILYID_SMIME | 0011)
-#define	SMIME_DES_EDE3_168		(CIPHER_FAMILYID_SMIME | 0012)
-#define	SMIME_RC5PAD_64_16_40		(CIPHER_FAMILYID_SMIME | 0021)
-#define	SMIME_RC5PAD_64_16_64		(CIPHER_FAMILYID_SMIME | 0022)
-#define	SMIME_RC5PAD_64_16_128		(CIPHER_FAMILYID_SMIME | 0023)
-#define	SMIME_FORTEZZA			(CIPHER_FAMILYID_SMIME | 0031)
-
-/* PKCS12 "Cipher Suites" */
-
-#define	PKCS12_RC2_CBC_40		(CIPHER_FAMILYID_PKCS12 | 0001)
-#define	PKCS12_RC2_CBC_128		(CIPHER_FAMILYID_PKCS12 | 0002)
-#define	PKCS12_RC4_40			(CIPHER_FAMILYID_PKCS12 | 0011)
-#define	PKCS12_RC4_128			(CIPHER_FAMILYID_PKCS12 | 0012)
-#define	PKCS12_DES_56			(CIPHER_FAMILYID_PKCS12 | 0021)
-#define	PKCS12_DES_EDE3_168		(CIPHER_FAMILYID_PKCS12 | 0022)
-
-/* SMIME version numbers are negative, to avoid colliding with SSL versions */
-#define SMIME_LIBRARY_VERSION_1_0			-0x0100
-
-#endif /* _CIFERFAM_H_ */
diff --git a/security/nss/lib/util/config.mk b/security/nss/lib/util/config.mk
deleted file mode 100644
index 665828c63..000000000
--- a/security/nss/lib/util/config.mk
+++ /dev/null
@@ -1,47 +0,0 @@
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#
-#  Override TARGETS variable so that only static libraries
-#  are specifed as dependencies within rules.mk.
-#
-
-TARGETS        = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PROGRAM        =
-
diff --git a/security/nss/lib/util/derdec.c b/security/nss/lib/util/derdec.c
deleted file mode 100644
index b0215c61f..000000000
--- a/security/nss/lib/util/derdec.c
+++ /dev/null
@@ -1,555 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "secder.h"
-#include "secerr.h"
-
-static uint32
-der_indefinite_length(unsigned char *buf, unsigned char *end)
-{
-    uint32 len, ret, dataLen;
-    unsigned char tag, lenCode;
-    int dataLenLen;
-
-    len = 0;
-    while ( 1 ) {
-	if ((buf + 2) > end) {
-	    return(0);
-	}
-	
-	tag = *buf++;
-	lenCode = *buf++;
-	len += 2;
-	
-	if ( ( tag == 0 ) && ( lenCode == 0 ) ) {
-	    return(len);
-	}
-	
-	if ( lenCode == 0x80 ) {	/* indefinite length */
-	    ret = der_indefinite_length(buf, end); /* recurse to find length */
-	    if (ret == 0)
-		return 0;
-	    len += ret;
-	    buf += ret;
-	} else {			/* definite length */
-	    if (lenCode & 0x80) {
-		/* Length of data is in multibyte format */
-		dataLenLen = lenCode & 0x7f;
-		switch (dataLenLen) {
-		  case 1:
-		    dataLen = buf[0];
-		    break;
-		  case 2:
-		    dataLen = (buf[0]<<8)|buf[1];
-		    break;
-		  case 3:
-		    dataLen = ((unsigned long)buf[0]<<16)|(buf[1]<<8)|buf[2];
-		    break;
-		  case 4:
-		    dataLen = ((unsigned long)buf[0]<<24)|
-			((unsigned long)buf[1]<<16)|(buf[2]<<8)|buf[3];
-		    break;
-		  default:
-		    PORT_SetError(SEC_ERROR_BAD_DER);
-		    return SECFailure;
-		}
-	    } else {
-		/* Length of data is in single byte */
-		dataLen = lenCode;
-		dataLenLen = 0;
-	    }
-
-	    /* skip this item */
-	    buf = buf + dataLenLen + dataLen;
-	    len = len + dataLenLen + dataLen;
-	}
-    }
-}
-
-/*
-** Capture the next thing in the buffer.
-** Returns the length of the header and the length of the contents.
-*/
-static SECStatus
-der_capture(unsigned char *buf, unsigned char *end,
-	    int *header_len_p, uint32 *contents_len_p)
-{
-    unsigned char *bp;
-    unsigned char whole_tag;
-    uint32 contents_len;
-    int tag_number;
-
-    if ((buf + 2) > end) {
-	*header_len_p = 0;
-	*contents_len_p = 0;
-	if (buf == end)
-	    return SECSuccess;
-	return SECFailure;
-    }
-
-    bp = buf;
-
-    /* Get tag and verify that it is ok. */
-    whole_tag = *bp++;
-    tag_number = whole_tag & DER_TAGNUM_MASK;
-
-    /*
-     * XXX This code does not (yet) handle the high-tag-number form!
-     */
-    if (tag_number == DER_HIGH_TAG_NUMBER) {
-	PORT_SetError(SEC_ERROR_BAD_DER);
-	return SECFailure;
-    }
-
-    if ((whole_tag & DER_CLASS_MASK) == DER_UNIVERSAL) {
-	/* Check that the universal tag number is one we implement.  */
-	switch (tag_number) {
-	  case DER_BOOLEAN:
-	  case DER_INTEGER:
-	  case DER_BIT_STRING:
-	  case DER_OCTET_STRING:
-	  case DER_NULL:
-	  case DER_OBJECT_ID:
-	  case DER_SEQUENCE:
-	  case DER_SET:
-	  case DER_PRINTABLE_STRING:
-	  case DER_T61_STRING:
-	  case DER_IA5_STRING:
-	  case DER_VISIBLE_STRING:
-	  case DER_UTC_TIME:
-	  case 0:			/* end-of-contents tag */
-	    break;
-	  default:
-	    PORT_SetError(SEC_ERROR_BAD_DER);
-	    return SECFailure;
-	}
-    }
-
-    /*
-     * Get first byte of length code (might contain entire length, might not).
-     */
-    contents_len = *bp++;
-
-    /*
-     * If the high bit is set, then the length is in multibyte format,
-     * or the thing has an indefinite-length.
-     */
-    if (contents_len & 0x80) {
-	int bytes_of_encoded_len;
-
-	bytes_of_encoded_len = contents_len & 0x7f;
-	contents_len = 0;
-
-	switch (bytes_of_encoded_len) {
-	  case 4:
-	    contents_len |= *bp++;
-	    contents_len <<= 8;
-	    /* fallthru */
-	  case 3:
-	    contents_len |= *bp++;
-	    contents_len <<= 8;
-	    /* fallthru */
-	  case 2:
-	    contents_len |= *bp++;
-	    contents_len <<= 8;
-	    /* fallthru */
-	  case 1:
-	    contents_len |= *bp++;
-	    break;
-
-	  case 0:
-	    contents_len = der_indefinite_length (bp, end);
-	    if (contents_len)
-		break;
-	    /* fallthru */
-	  default:
-	    PORT_SetError(SEC_ERROR_BAD_DER);
-	    return SECFailure;
-	}
-    }
-
-    if ((bp + contents_len) > end) {
-	/* Ran past end of buffer */
-	PORT_SetError(SEC_ERROR_BAD_DER);
-	return SECFailure;
-    }
-
-    *header_len_p = bp - buf;
-    *contents_len_p = contents_len;
-
-    return SECSuccess;
-}
-
-static unsigned char *
-der_decode(PRArenaPool *arena, void *dest, DERTemplate *dtemplate,
-	   unsigned char *buf, int header_len, uint32 contents_len)
-{
-    unsigned char *orig_buf, *end;
-    unsigned long encode_kind, under_kind;
-    PRBool explicit, optional, universal, check_tag;
-    SECItem *item;
-    SECStatus rv;
-    PRBool indefinite_length, explicit_indefinite_length;
-
-    encode_kind = dtemplate->kind;
-    explicit = (encode_kind & DER_EXPLICIT) ? PR_TRUE : PR_FALSE;
-    optional = (encode_kind & DER_OPTIONAL) ? PR_TRUE : PR_FALSE;
-    universal = ((encode_kind & DER_CLASS_MASK) == DER_UNIVERSAL)
-		? PR_TRUE : PR_FALSE;
-
-    PORT_Assert (!(explicit && universal));	/* bad templates */
-
-    if (header_len == 0) {
-	if (optional || (encode_kind & DER_ANY))
-	    return buf;
-	PORT_SetError(SEC_ERROR_BAD_DER);
-	return NULL;
-    }
-
-    if (encode_kind & DER_POINTER) {
-	void *place, **placep;
-	int offset;
-
-	if (dtemplate->sub != NULL) {
-	    dtemplate = dtemplate->sub;
-	    under_kind = dtemplate->kind;
-	    if (universal) {
-		encode_kind = under_kind;
-	    }
-	    place = PORT_ArenaZAlloc(arena, dtemplate->arg);
-	    offset = dtemplate->offset;
-	} else {
-	    if (universal) {
-		under_kind = encode_kind & ~DER_POINTER;
-	    } else {
-		under_kind = dtemplate->arg;
-	    }
-	    place = PORT_ArenaZAlloc(arena, sizeof(SECItem));
-	    offset = 0;
-	}
-	if (place == NULL) {
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    return NULL;		/* Out of memory */
-	}
-	placep = (void **)dest;
-	*placep = place;
-	dest = (void *)((char *)place + offset);
-    } else if (encode_kind & DER_INLINE) {
-	PORT_Assert (dtemplate->sub != NULL);
-	dtemplate = dtemplate->sub;
-	under_kind = dtemplate->kind;
-	if (universal) {
-	    encode_kind = under_kind;
-	}
-	dest = (void *)((char *)dest + dtemplate->offset);
-    } else if (universal) {
-	under_kind = encode_kind;
-    } else {
-	under_kind = dtemplate->arg;
-    }
-
-    orig_buf = buf;
-    end = buf + header_len + contents_len;
-
-    explicit_indefinite_length = PR_FALSE;
-
-    if (explicit) {
-	/*
-	 * This tag is expected to match exactly.
-	 * (The template has all of the bits specified.)
-	 */
-	if (*buf != (encode_kind & DER_TAG_MASK)) {
-	    if (optional)
-		return buf;
-	    PORT_SetError(SEC_ERROR_BAD_DER);
-	    return NULL;
-	}
-	if ((header_len == 2) && (*(buf + 1) == 0x80))
-	    explicit_indefinite_length = PR_TRUE;
-	buf += header_len;
-	rv = der_capture (buf, end, &header_len, &contents_len);
-	if (rv != SECSuccess)
-	    return NULL;
-	if (header_len == 0) {		/* XXX is this right? */
-	    PORT_SetError(SEC_ERROR_BAD_DER);
-	    return NULL;
-	}
-	optional = PR_FALSE;		/* can no longer be optional */
-	encode_kind = under_kind;
-    }
-
-    check_tag = PR_TRUE;
-    if (encode_kind & (DER_DERPTR | DER_ANY | DER_FORCE | DER_SKIP)) {
-	PORT_Assert ((encode_kind & DER_ANY) || !optional);
-	encode_kind = encode_kind & (~DER_FORCE);
-	under_kind = under_kind & (~DER_FORCE);
-	check_tag = PR_FALSE;
-    }
-
-    if (check_tag) {
-	PRBool wrong;
-	unsigned char expect_tag, expect_num;
-
-	/*
-	 * This tag is expected to match, but the simple types
-	 * may or may not have the constructed bit set, so we
-	 * have to have all this extra logic.
-	 */
-	wrong = PR_TRUE;
-	expect_tag = (unsigned char)encode_kind & DER_TAG_MASK;
-	expect_num = expect_tag & DER_TAGNUM_MASK;
-	if (expect_num == DER_SET || expect_num == DER_SEQUENCE) {
-	    if (*buf == (expect_tag | DER_CONSTRUCTED))
-		wrong = PR_FALSE;
-	} else {
-	    if (*buf == expect_tag)
-		wrong = PR_FALSE;
-	    else if (*buf == (expect_tag | DER_CONSTRUCTED))
-		wrong = PR_FALSE;
-	}
-	if (wrong) {
-	    if (optional)
-		return buf;
-	    PORT_SetError(SEC_ERROR_BAD_DER);
-	    return NULL;
-	}
-    }
-
-    if (under_kind & DER_DERPTR) {
-	item = (SECItem *)dest;
-	if (under_kind & DER_OUTER) {
-	    item->data = buf;
-	    item->len = header_len + contents_len;
-	} else {
-	    item->data = buf + header_len;
-	    item->len = contents_len;
-	}
-	return orig_buf;
-    }
-
-    if (encode_kind & DER_ANY) {
-	contents_len += header_len;
-	header_len = 0;
-    }
-
-    if ((header_len == 2) && (*(buf + 1) == 0x80))
-	indefinite_length = PR_TRUE;
-    else
-	indefinite_length = PR_FALSE;
-
-    buf += header_len;
-
-    if (contents_len == 0)
-	return buf;
-
-    under_kind &= ~DER_OPTIONAL;
-
-    if (under_kind & DER_INDEFINITE) {
-	int count, thing_size;
-	unsigned char *sub_buf;
-	DERTemplate *tmpt;
-	void *things, **indp, ***placep;
-
-	under_kind &= ~DER_INDEFINITE;
-
-	/*
-	 * Count items.
-	 */
-	count = 0;
-	sub_buf = buf;
-	while (sub_buf < end) {
-	    if (indefinite_length && sub_buf[0] == 0 && sub_buf[1] == 0) {
-		break; 
-	    }
-	    rv = der_capture (sub_buf, end, &header_len, &contents_len);
-	    if (rv != SECSuccess)
-		return NULL;
-	    count++;
-	    sub_buf += header_len + contents_len;
-	}
-
-	/*
-	 * Allocate an array of pointers to items; extra one is for a NULL.
-	 */
-	indp = (void**)PORT_ArenaZAlloc(arena, (count + 1) * sizeof(void *));
-	if (indp == NULL) {
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    return NULL;
-	}
-
-	/*
-	 * Prepare.
-	 */
-	if (under_kind == DER_SET || under_kind == DER_SEQUENCE) {
-	    tmpt = dtemplate->sub;
-	    PORT_Assert (tmpt != NULL);
-	    thing_size = tmpt->arg;
-	    PORT_Assert (thing_size != 0);
-	} else {
-	    tmpt = NULL;
-	    thing_size = sizeof(SECItem);
-	}
-
-	/*
-	 * Allocate the items themselves.
-	 */
-	things = PORT_ArenaZAlloc(arena, count * thing_size);
-	if (things == NULL) {
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    return NULL;
-	}
-
-	placep = (void ***)dest;
-	*placep = indp;
-
-	while (count) {
-	    /* ignore return value because we already did whole thing above */
-	    (void) der_capture (buf, end, &header_len, &contents_len);
-	    if (tmpt != NULL) {
-		void *sub_thing;
-
-		sub_thing = (void *)((char *)things + tmpt->offset);
-		buf = der_decode (arena, sub_thing, tmpt,
-				  buf, header_len, contents_len);
-		if (buf == NULL)
-		    return NULL;
-	    } else {
-		item = (SECItem *)things;
-		if (under_kind == DER_ANY) {
-		    contents_len += header_len;
-		    header_len = 0;
-		}
-		buf += header_len;
-		if (under_kind == DER_BIT_STRING) {
-		    item->data = buf + 1;
-		    item->len = ((contents_len - 1) << 3) - *buf;
-		} else {
-		    item->data = buf;
-		    item->len = contents_len;
-		}
-		buf += contents_len;
-	    }
-	    *indp++ = things;
-	    things = (void *)((char *)things + thing_size);
-	    count--;
-	}
-
-	*indp = NULL;
-
-	goto der_decode_done;
-    }
-
-    switch (under_kind) {
-      case DER_SEQUENCE:
-      case DER_SET:
-	{
-	    DERTemplate *tmpt;
-	    void *sub_dest;
-
-	    for (tmpt = dtemplate + 1; tmpt->kind; tmpt++) {
-		sub_dest = (void *)((char *)dest + tmpt->offset);
-		rv = der_capture (buf, end, &header_len, &contents_len);
-		if (rv != SECSuccess)
-		    return NULL;
-		buf = der_decode (arena, sub_dest, tmpt,
-				  buf, header_len, contents_len);
-		if (buf == NULL)
-		    return NULL;
-	    }
-	}
-	break;
-
-      case DER_BIT_STRING:
-	item = (SECItem *)dest;
-	item->data = buf + 1;
-	item->len = ((contents_len - 1) << 3) - *buf;
-	buf += contents_len;
-	break;
-
-      case DER_SKIP:
-	buf += contents_len;
-	break;
-
-      default:
-	item = (SECItem *)dest;
-	item->data = buf;
-	item->len = contents_len;
-	buf += contents_len;
-	break;
-    }
-
-der_decode_done:
-
-    if (indefinite_length && buf[0] == 0 && buf[1] == 0) {
-	buf += 2;
-    }
-
-    if (explicit_indefinite_length && buf[0] == 0 && buf[1] == 0) {
-	buf += 2;
-    }
-
-    return buf;
-}
-
-SECStatus
-DER_Decode(PRArenaPool *arena, void *dest, DERTemplate *dtemplate, SECItem *src)
-{
-    unsigned char *buf;
-    uint32 buf_len, contents_len;
-    int header_len;
-    SECStatus rv;
-
-    buf = src->data;
-    buf_len = src->len;
-
-    rv = der_capture (buf, buf + buf_len, &header_len, &contents_len);
-    if (rv != SECSuccess)
-	return rv;
-
-    dest = (void *)((char *)dest + dtemplate->offset);
-    buf = der_decode (arena, dest, dtemplate, buf, header_len, contents_len);
-    if (buf == NULL)
-	return SECFailure;
-
-    return SECSuccess;
-}
-
-SECStatus
-DER_Lengths(SECItem *item, int *header_len_p, uint32 *contents_len_p)
-{
-    return(der_capture(item->data, &item->data[item->len], header_len_p,
-		       contents_len_p));
-}
diff --git a/security/nss/lib/util/derenc.c b/security/nss/lib/util/derenc.c
deleted file mode 100644
index c894ed729..000000000
--- a/security/nss/lib/util/derenc.c
+++ /dev/null
@@ -1,507 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "secder.h"
-#include "secerr.h"
-/*
- * Generic templates for individual/simple items.
- */
-
-DERTemplate SECAnyTemplate[] = {
-    { DER_ANY,
-	  0, NULL, sizeof(SECItem) }
-};
-
-DERTemplate SECBitStringTemplate[] = {
-    { DER_BIT_STRING,
-	  0, NULL, sizeof(SECItem) }
-};
-
-DERTemplate SECBooleanTemplate[] = {
-    { DER_BOOLEAN,
-	  0, NULL, sizeof(SECItem) }
-};
-
-DERTemplate SECIA5StringTemplate[] = {
-    { DER_IA5_STRING,
-	  0, NULL, sizeof(SECItem) }
-};
-
-DERTemplate SECIntegerTemplate[] = {
-    { DER_INTEGER,
-	  0, NULL, sizeof(SECItem) }
-};
-
-DERTemplate SECNullTemplate[] = {
-    { DER_NULL,
-	  0, NULL, sizeof(SECItem) }
-};
-
-DERTemplate SECObjectIDTemplate[] = {
-    { DER_OBJECT_ID,
-	  0, NULL, sizeof(SECItem) }
-};
-
-DERTemplate SECOctetStringTemplate[] = {
-    { DER_OCTET_STRING,
-	  0, NULL, sizeof(SECItem) }
-};
-
-DERTemplate SECPrintableStringTemplate[] = {
-    { DER_PRINTABLE_STRING,
-	  0, NULL, sizeof(SECItem) }
-};
-
-DERTemplate SECT61StringTemplate[] = {
-    { DER_T61_STRING,
-	  0, NULL, sizeof(SECItem) }
-};
-
-DERTemplate SECUTCTimeTemplate[] = {
-    { DER_UTC_TIME,
-	  0, NULL, sizeof(SECItem) }
-};
-
-
-static int
-header_length(DERTemplate *dtemplate, uint32 contents_len)
-{
-    uint32 len;
-    unsigned long encode_kind, under_kind;
-    PRBool explicit, optional, universal;
-
-    encode_kind = dtemplate->kind;
-
-    explicit = (encode_kind & DER_EXPLICIT) ? PR_TRUE : PR_FALSE;
-    optional = (encode_kind & DER_OPTIONAL) ? PR_TRUE : PR_FALSE;
-    universal = ((encode_kind & DER_CLASS_MASK) == DER_UNIVERSAL)
-		? PR_TRUE : PR_FALSE;
-
-    PORT_Assert (!(explicit && universal));	/* bad templates */
-
-    if (encode_kind & DER_POINTER) {
-	if (dtemplate->sub != NULL) {
-	    under_kind = dtemplate->sub->kind;
-	    if (universal) {
-		encode_kind = under_kind;
-	    }
-	} else if (universal) {
-	    under_kind = encode_kind & ~DER_POINTER;
-	} else {
-	    under_kind = dtemplate->arg;
-	}
-    } else if (encode_kind & DER_INLINE) {
-	under_kind = dtemplate->sub->kind;
-	if (universal) {
-	    encode_kind = under_kind;
-	}
-    } else if (universal) {
-	under_kind = encode_kind;
-    } else {
-	under_kind = dtemplate->arg;
-    }
-
-    /* This is only used in decoding; it plays no part in encoding.  */
-    if (under_kind & DER_DERPTR)
-	return 0;
-
-    /* No header at all for an "empty" optional.  */
-    if ((contents_len == 0) && optional)
-	return 0;
-
-    /* And no header for a full DER_ANY.  */
-    if (encode_kind & DER_ANY)
-	return 0;
-
-    /*
-     * The common case: one octet for identifier and as many octets
-     * as necessary to hold the content length.
-     */
-    len = 1 + DER_LengthLength(contents_len);
-
-    /* Account for the explicit wrapper, if necessary.  */
-    if (explicit) {
-#if 0		/*
-		 * Well, I was trying to do something useful, but these
-		 * assertions are too restrictive on valid templates.
-		 * I wanted to make sure that the top-level "kind" of
-		 * a template does not also specify DER_EXPLICIT, which
-		 * should only modify a component field.  Maybe later
-		 * I can figure out a better way to detect such a problem,
-		 * but for now I must remove these checks altogether.
-		 */
-	/*
-	 * This modifier applies only to components of a set or sequence;
-	 * it should never be used on a set/sequence itself -- confirm.
-	 */
-	PORT_Assert (under_kind != DER_SEQUENCE);
-	PORT_Assert (under_kind != DER_SET);
-#endif
-
-	len += 1 + DER_LengthLength(len + contents_len);
-    }
-
-    return len;
-}
-
-
-static uint32
-contents_length(DERTemplate *dtemplate, void *src)
-{
-    uint32 len;
-    unsigned long encode_kind, under_kind;
-    PRBool universal;
-
-
-    PORT_Assert (src != NULL);
-
-    encode_kind = dtemplate->kind;
-
-    universal = ((encode_kind & DER_CLASS_MASK) == DER_UNIVERSAL)
-		? PR_TRUE : PR_FALSE;
-    encode_kind &= ~DER_OPTIONAL;
-
-    if (encode_kind & DER_POINTER) {
-	src = *(void **)src;
-	if (src == NULL) {
-	    return 0;
-	}
-	if (dtemplate->sub != NULL) {
-	    dtemplate = dtemplate->sub;
-	    under_kind = dtemplate->kind;
-	    src = (void *)((char *)src + dtemplate->offset);
-	} else if (universal) {
-	    under_kind = encode_kind & ~DER_POINTER;
-	} else {
-	    under_kind = dtemplate->arg;
-	}
-    } else if (encode_kind & DER_INLINE) {
-	PORT_Assert (dtemplate->sub != NULL);
-	dtemplate = dtemplate->sub;
-	under_kind = dtemplate->kind;
-	src = (void *)((char *)src + dtemplate->offset);
-    } else if (universal) {
-	under_kind = encode_kind;
-    } else {
-	under_kind = dtemplate->arg;
-    }
-
-    /* Having any of these bits is not expected here...  */
-    PORT_Assert ((under_kind & (DER_EXPLICIT | DER_INLINE | DER_OPTIONAL
-				| DER_POINTER | DER_SKIP)) == 0);
-
-    /* This is only used in decoding; it plays no part in encoding.  */
-    if (under_kind & DER_DERPTR)
-	return 0;
-
-    if (under_kind & DER_INDEFINITE) {
-	uint32 sub_len;
-	void **indp;
-
-	indp = *(void ***)src;
-	if (indp == NULL)
-	    return 0;
-
-	len = 0;
-	under_kind &= ~DER_INDEFINITE;
-
-	if (under_kind == DER_SET || under_kind == DER_SEQUENCE) {
-	    DERTemplate *tmpt;
-	    void *sub_src;
-
-	    tmpt = dtemplate->sub;
-
-	    for (; *indp != NULL; indp++) {
-		sub_src = (void *)((char *)(*indp) + tmpt->offset);
-		sub_len = contents_length (tmpt, sub_src);
-		len += sub_len + header_length (tmpt, sub_len);
-	    }
-	} else {
-	    /*
-	     * XXX Lisa is not sure this code (for handling, for example,
-	     * DER_INDEFINITE | DER_OCTET_STRING) is right.
-	     */
-	    for (; *indp != NULL; indp++) {
-		SECItem *item;
-		item = (SECItem *)(*indp);
-		sub_len = item->len;
-		if (under_kind == DER_BIT_STRING) {
-		    sub_len = (sub_len + 7) >> 3;
-		    /* bit string contents involve an extra octet */
-		    if (sub_len)
-			sub_len++;
-		}
-		if (under_kind != DER_ANY)
-		    len += 1 + DER_LengthLength (sub_len);
-	    }
-	}
-
-	return len;
-    }
-
-    switch (under_kind) {
-      case DER_SEQUENCE:
-      case DER_SET:
-	{
-	    DERTemplate *tmpt;
-	    void *sub_src;
-	    uint32 sub_len;
-
-	    len = 0;
-	    for (tmpt = dtemplate + 1; tmpt->kind; tmpt++) {
-		sub_src = (void *)((char *)src + tmpt->offset);
-		sub_len = contents_length (tmpt, sub_src);
-		len += sub_len + header_length (tmpt, sub_len);
-	    }
-	}
-	break;
-
-      case DER_BIT_STRING:
-	len = (((SECItem *)src)->len + 7) >> 3;
-	/* bit string contents involve an extra octet */
-	if (len)
-	    len++;
-	break;
-
-      default:
-	len = ((SECItem *)src)->len;
-	break;
-    }
-
-    return len;
-}
-
-
-static unsigned char *
-der_encode(unsigned char *buf, DERTemplate *dtemplate, void *src)
-{
-    int header_len;
-    uint32 contents_len;
-    unsigned long encode_kind, under_kind;
-    PRBool explicit, optional, universal;
-
-
-    /*
-     * First figure out how long the encoding will be.  Do this by
-     * traversing the template from top to bottom and accumulating
-     * the length of each leaf item.
-     */
-    contents_len = contents_length (dtemplate, src);
-    header_len = header_length (dtemplate, contents_len);
-
-    /*
-     * Enough smarts was involved already, so that if both the
-     * header and the contents have a length of zero, then we
-     * are not doing any encoding for this element.
-     */
-    if (header_len == 0 && contents_len == 0)
-	return buf;
-
-    encode_kind = dtemplate->kind;
-
-    explicit = (encode_kind & DER_EXPLICIT) ? PR_TRUE : PR_FALSE;
-    optional = (encode_kind & DER_OPTIONAL) ? PR_TRUE : PR_FALSE;
-    encode_kind &= ~DER_OPTIONAL;
-    universal = ((encode_kind & DER_CLASS_MASK) == DER_UNIVERSAL)
-		? PR_TRUE : PR_FALSE;
-
-    if (encode_kind & DER_POINTER) {
-	if (contents_len) {
-	    src = *(void **)src;
-	    PORT_Assert (src != NULL);
-	}
-	if (dtemplate->sub != NULL) {
-	    dtemplate = dtemplate->sub;
-	    under_kind = dtemplate->kind;
-	    if (universal) {
-		encode_kind = under_kind;
-	    }
-	    src = (void *)((char *)src + dtemplate->offset);
-	} else if (universal) {
-	    under_kind = encode_kind & ~DER_POINTER;
-	} else {
-	    under_kind = dtemplate->arg;
-	}
-    } else if (encode_kind & DER_INLINE) {
-	dtemplate = dtemplate->sub;
-	under_kind = dtemplate->kind;
-	if (universal) {
-	    encode_kind = under_kind;
-	}
-	src = (void *)((char *)src + dtemplate->offset);
-    } else if (universal) {
-	under_kind = encode_kind;
-    } else {
-	under_kind = dtemplate->arg;
-    }
-
-    if (explicit) {
-	buf = DER_StoreHeader (buf, encode_kind,
-			       (1 + DER_LengthLength(contents_len)
-				+ contents_len));
-	encode_kind = under_kind;
-    }
-
-    if ((encode_kind & DER_ANY) == 0) {	/* DER_ANY already contains header */
-	buf = DER_StoreHeader (buf, encode_kind, contents_len);
-    }
-
-    /* If no real contents to encode, then we are done.  */
-    if (contents_len == 0)
-	return buf;
-
-    if (under_kind & DER_INDEFINITE) {
-	void **indp;
-
-	indp = *(void ***)src;
-	PORT_Assert (indp != NULL);
-
-	under_kind &= ~DER_INDEFINITE;
-	if (under_kind == DER_SET || under_kind == DER_SEQUENCE) {
-	    DERTemplate *tmpt;
-	    void *sub_src;
-
-	    tmpt = dtemplate->sub;
-	    for (; *indp != NULL; indp++) {
-		sub_src = (void *)((char *)(*indp) + tmpt->offset);
-		buf = der_encode (buf, tmpt, sub_src);
-	    }
-	} else {
-	    for (; *indp != NULL; indp++) {
-		SECItem *item;
-		int sub_len;
-
-		item = (SECItem *)(*indp);
-		sub_len = item->len;
-		if (under_kind == DER_BIT_STRING) {
-		    if (sub_len) {
-			int rem;
-
-			sub_len = (sub_len + 7) >> 3;
-			buf = DER_StoreHeader (buf, under_kind, sub_len + 1);
-			rem = (sub_len << 3) - item->len;
-			*buf++ = rem;		/* remaining bits */
-		    } else {
-			buf = DER_StoreHeader (buf, under_kind, 0);
-		    }
-		} else if (under_kind != DER_ANY) {
-		    buf = DER_StoreHeader (buf, under_kind, sub_len);
-		}
-		PORT_Memcpy (buf, item->data, sub_len);
-		buf += sub_len;
-	    }
-	}
-	return buf;
-    }
-
-    switch (under_kind) {
-      case DER_SEQUENCE:
-      case DER_SET:
-	{
-	    DERTemplate *tmpt;
-	    void *sub_src;
-
-	    for (tmpt = dtemplate + 1; tmpt->kind; tmpt++) {
-		sub_src = (void *)((char *)src + tmpt->offset);
-		buf = der_encode (buf, tmpt, sub_src);
-	    }
-	}
-	break;
-
-      case DER_BIT_STRING:
-	{
-	    SECItem *item;
-	    int rem;
-
-	    /*
-	     * The contents length includes our extra octet; subtract
-	     * it off so we just have the real string length there.
-	     */
-	    contents_len--;
-	    item = (SECItem *)src;
-	    PORT_Assert (contents_len == ((item->len + 7) >> 3));
-	    rem = (contents_len << 3) - item->len;
-	    *buf++ = rem;		/* remaining bits */
-	    PORT_Memcpy (buf, item->data, contents_len);
-	    buf += contents_len;
-	}
-	break;
-
-      default:
-	{
-	    SECItem *item;
-
-	    item = (SECItem *)src;
-	    PORT_Assert (contents_len == item->len);
-	    PORT_Memcpy (buf, item->data, contents_len);
-	    buf += contents_len;
-	}
-	break;
-    }
-
-    return buf;
-}
-
-
-SECStatus
-DER_Encode(PRArenaPool *arena, SECItem *dest, DERTemplate *dtemplate, void *src)
-{
-    unsigned int contents_len, header_len;
-
-    src = (void **)((char *)src + dtemplate->offset);
-
-    /*
-     * First figure out how long the encoding will be. Do this by
-     * traversing the template from top to bottom and accumulating
-     * the length of each leaf item.
-     */
-    contents_len = contents_length (dtemplate, src);
-    header_len = header_length (dtemplate, contents_len);
-
-    dest->len = contents_len + header_len;
-
-    /* Allocate storage to hold the encoding */
-    dest->data = (unsigned char*) PORT_ArenaAlloc(arena, dest->len);
-    if (dest->data == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return SECFailure;
-    }
-
-    /* Now encode into the buffer */
-    (void) der_encode (dest->data, dtemplate, src);
-
-    return SECSuccess;
-}
diff --git a/security/nss/lib/util/dersubr.c b/security/nss/lib/util/dersubr.c
deleted file mode 100644
index 1a71afa80..000000000
--- a/security/nss/lib/util/dersubr.c
+++ /dev/null
@@ -1,266 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "secder.h"
-#include <limits.h>
-#include "secerr.h"
-
-int
-DER_LengthLength(uint32 len)
-{
-    if (len > 127) {
-	if (len > 255) {
-	    if (len > 65535L) {
-		if (len > 16777215L) {
-		    return 5;
-		} else {
-		    return 4;
-		}
-	    } else {
-		return 3;
-	    }
-	} else {
-	    return 2;
-	}
-    } else {
-	return 1;
-    }
-}
-
-unsigned char *
-DER_StoreHeader(unsigned char *buf, unsigned int code, uint32 len)
-{
-    unsigned char b[4];
-
-    b[0] = (unsigned char)(len >> 24);
-    b[1] = (unsigned char)(len >> 16);
-    b[2] = (unsigned char)(len >> 8);
-    b[3] = (unsigned char)len;
-    if ((code & DER_TAGNUM_MASK) == DER_SET
-	|| (code & DER_TAGNUM_MASK) == DER_SEQUENCE)
-	code |= DER_CONSTRUCTED;
-    *buf++ = code;
-    if (len > 127) {
-	if (len > 255) {
-	    if (len > 65535) {
-		if (len > 16777215) {
-		    *buf++ = 0x84;
-		    *buf++ = b[0];
-		    *buf++ = b[1];
-		    *buf++ = b[2];
-		    *buf++ = b[3];
-		} else {
-		    *buf++ = 0x83;
-		    *buf++ = b[1];
-		    *buf++ = b[2];
-		    *buf++ = b[3];
-		}
-	    } else {
-		*buf++ = 0x82;
-		*buf++ = b[2];
-		*buf++ = b[3];
-	    }
-	} else {
-	    *buf++ = 0x81;
-	    *buf++ = b[3];
-	}
-    } else {
-	*buf++ = b[3];
-    }
-    return buf;
-}
-
-/*
- * XXX This should be rewritten, generalized, to take a long instead
- * of an int32.
- */
-SECStatus
-DER_SetInteger(PRArenaPool *arena, SECItem *it, int32 i)
-{
-    unsigned char bb[4];
-    unsigned len;
-
-    bb[0] = (unsigned char) (i >> 24);
-    bb[1] = (unsigned char) (i >> 16);
-    bb[2] = (unsigned char) (i >> 8);
-    bb[3] = (unsigned char) (i);
-
-    /*
-    ** Small integers are encoded in a single byte. Larger integers
-    ** require progressively more space.
-    */
-    if (i < -128) {
-	if (i < -32768L) {
-	    if (i < -8388608L) {
-		len = 4;
-	    } else {
-		len = 3;
-	    }
-	} else {
-	    len = 2;
-	}
-    } else if (i > 127) {
-	if (i > 32767L) {
-	    if (i > 8388607L) {
-		len = 4;
-	    } else {
-		len = 3;
-	    }
-	} else {
-	    len = 2;
-	}
-    } else {
-	len = 1;
-    }
-    it->data = (unsigned char*) PORT_ArenaAlloc(arena, len);
-    if (!it->data) {
-	return SECFailure;
-    }
-    it->len = len;
-    PORT_Memcpy(it->data, bb + (4 - len), len);
-    return SECSuccess;
-}
-
-/*
- * XXX This should be rewritten, generalized, to take an unsigned long instead
- * of a uint32.
- */
-SECStatus
-DER_SetUInteger(PRArenaPool *arena, SECItem *it, uint32 ui)
-{
-    unsigned char bb[5];
-    int len;
-
-    bb[0] = 0;
-    bb[1] = (unsigned char) (ui >> 24);
-    bb[2] = (unsigned char) (ui >> 16);
-    bb[3] = (unsigned char) (ui >> 8);
-    bb[4] = (unsigned char) (ui);
-
-    /*
-    ** Small integers are encoded in a single byte. Larger integers
-    ** require progressively more space.
-    */
-    if (ui > 0x7f) {
-	if (ui > 0x7fff) {
-	    if (ui > 0x7fffffL) {
-		if (ui >= 0x80000000L) {
-		    len = 5;
-		} else {
-		    len = 4;
-		}
-	    } else {
-		len = 3;
-	    }
-	} else {
-	    len = 2;
-	}
-    } else {
-	len = 1;
-    }
-
-    it->data = (unsigned char *)PORT_ArenaAlloc(arena, len);
-    if (it->data == NULL) {
-	return SECFailure;
-    }
-
-    it->len = len;
-    PORT_Memcpy(it->data, bb + (sizeof(bb) - len), len);
-
-    return SECSuccess;
-}
-
-/*
-** Convert a der encoded *signed* integer into a machine integral value.
-** If an underflow/overflow occurs, sets error code and returns min/max.
-*/
-long
-DER_GetInteger(SECItem *it)
-{
-    long ival = 0;
-    unsigned len = it->len;
-    unsigned char *cp = it->data;
-    unsigned long overflow = 0x1ffUL << (((sizeof(ival) - 1) * 8) - 1);
-    unsigned long ofloinit;
-
-    if (*cp & 0x80)
-    	ival = -1L;
-    ofloinit = ival & overflow;
-
-    while (len) {
-	if ((ival & overflow) != ofloinit) {
-	    PORT_SetError(SEC_ERROR_BAD_DER);
-	    if (ival < 0) {
-		return LONG_MIN;
-	    }
-	    return LONG_MAX;
-	}
-	ival = ival << 8;
-	ival |= *cp++;
-	--len;
-    }
-    return ival;
-}
-
-/*
-** Convert a der encoded *unsigned* integer into a machine integral value.
-** If an underflow/overflow occurs, sets error code and returns min/max.
-*/
-unsigned long
-DER_GetUInteger(SECItem *it)
-{
-    unsigned long ival = 0;
-    unsigned len = it->len;
-    unsigned char *cp = it->data;
-    unsigned long overflow = 0xffUL << ((sizeof(ival) - 1) * 8);
-
-    /* Cannot put a negative value into an unsigned container. */
-    if (*cp & 0x80) {
-	PORT_SetError(SEC_ERROR_BAD_DER);
-	return 0;
-    }
-
-    while (len) {
-	if (ival & overflow) {
-	    PORT_SetError(SEC_ERROR_BAD_DER);
-	    return ULONG_MAX;
-	}
-	ival = ival << 8;
-	ival |= *cp++;
-	--len;
-    }
-    return ival;
-}
diff --git a/security/nss/lib/util/dertime.c b/security/nss/lib/util/dertime.c
deleted file mode 100644
index c47232b24..000000000
--- a/security/nss/lib/util/dertime.c
+++ /dev/null
@@ -1,403 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "prtypes.h"
-#include "prtime.h"
-#include "secder.h"
-#include "prlong.h"
-#include "secerr.h"
-
-#define HIDIGIT(v) (((v) / 10) + '0')
-#define LODIGIT(v) (((v) % 10) + '0')
-
-#define C_SINGLE_QUOTE '\047'
-
-#define DIGITHI(dig) (((dig) - '0') * 10)
-#define DIGITLO(dig) ((dig) - '0')
-#define ISDIGIT(dig) (((dig) >= '0') && ((dig) <= '9'))
-#define CAPTURE(var,p,label)				  \
-{							  \
-    if (!ISDIGIT((p)[0]) || !ISDIGIT((p)[1])) goto label; \
-    (var) = ((p)[0] - '0') * 10 + ((p)[1] - '0');	  \
-}
-
-#define SECMIN ((time_t) 60L)
-#define SECHOUR (60L*SECMIN)
-#define SECDAY (24L*SECHOUR)
-#define SECYEAR (365L*SECDAY)
-
-static long monthToDayInYear[12] = {
-    0,
-    31,
-    31+28,
-    31+28+31,
-    31+28+31+30,
-    31+28+31+30+31,
-    31+28+31+30+31+30,
-    31+28+31+30+31+30+31,
-    31+28+31+30+31+30+31+31,
-    31+28+31+30+31+30+31+31+30,
-    31+28+31+30+31+30+31+31+30+31,
-    31+28+31+30+31+30+31+31+30+31+30,
-};
-
-/* gmttime must contains UTC time in micro-seconds unit */
-SECStatus
-DER_TimeToUTCTimeArena(PRArenaPool* arenaOpt, SECItem *dst, int64 gmttime)
-{
-    PRExplodedTime printableTime;
-    unsigned char *d;
-
-    dst->len = 13;
-    if (arenaOpt) {
-        dst->data = d = (unsigned char*) PORT_ArenaAlloc(arenaOpt, dst->len);
-    } else {
-        dst->data = d = (unsigned char*) PORT_Alloc(dst->len);
-    }
-    dst->type = siUTCTime;
-    if (!d) {
-	return SECFailure;
-    }
-
-    /* Convert an int64 time to a printable format.  */
-    PR_ExplodeTime(gmttime, PR_GMTParameters, &printableTime);
-
-    /* The month in UTC time is base one */
-    printableTime.tm_month++;
-
-    /* UTC time does not handle the years before 1950 */
-    if (printableTime.tm_year < 1950)
-	    return SECFailure;
-
-    /* remove the century since it's added to the tm_year by the 
-       PR_ExplodeTime routine, but is not needed for UTC time */
-    printableTime.tm_year %= 100; 
-
-    d[0] = HIDIGIT(printableTime.tm_year);
-    d[1] = LODIGIT(printableTime.tm_year);
-    d[2] = HIDIGIT(printableTime.tm_month);
-    d[3] = LODIGIT(printableTime.tm_month);
-    d[4] = HIDIGIT(printableTime.tm_mday);
-    d[5] = LODIGIT(printableTime.tm_mday);
-    d[6] = HIDIGIT(printableTime.tm_hour);
-    d[7] = LODIGIT(printableTime.tm_hour);
-    d[8] = HIDIGIT(printableTime.tm_min);
-    d[9] = LODIGIT(printableTime.tm_min);
-    d[10] = HIDIGIT(printableTime.tm_sec);
-    d[11] = LODIGIT(printableTime.tm_sec);
-    d[12] = 'Z';
-    return SECSuccess;
-}
-
-SECStatus
-DER_TimeToUTCTime(SECItem *dst, int64 gmttime)
-{
-    return DER_TimeToUTCTimeArena(NULL, dst, gmttime);
-}
-
-/* The caller of DER_AsciiToItem MUST ENSURE that either
-** a) "string" points to a null-terminated ASCII string, or
-** b) "string" points to a buffer containing a valid UTCTime, 
-**     whether null terminated or not.
-** otherwise, this function may UMR and/or crash.
-** It suffices to ensure that the input "string" is at least 17 bytes long.
-*/
-SECStatus
-DER_AsciiToTime(int64 *dst, const char *string)
-{
-    long year, month, mday, hour, minute, second, hourOff, minOff, days;
-    int64 result, tmp1, tmp2;
-
-    if (string == NULL) {
-	goto loser;
-    }
-    
-    /* Verify time is formatted properly and capture information */
-    second = 0;
-    hourOff = 0;
-    minOff = 0;
-    CAPTURE(year,string+0,loser);
-    if (year < 50) {
-	/* ASSUME that year # is in the 2000's, not the 1900's */
-	year += 100;
-    }
-    CAPTURE(month,string+2,loser);
-    if ((month == 0) || (month > 12)) goto loser;
-    CAPTURE(mday,string+4,loser);
-    if ((mday == 0) || (mday > 31)) goto loser;
-    CAPTURE(hour,string+6,loser);
-    if (hour > 23) goto loser;
-    CAPTURE(minute,string+8,loser);
-    if (minute > 59) goto loser;
-    if (ISDIGIT(string[10])) {
-	CAPTURE(second,string+10,loser);
-	if (second > 59) goto loser;
-	string += 2;
-    }
-    if (string[10] == '+') {
-	CAPTURE(hourOff,string+11,loser);
-	if (hourOff > 23) goto loser;
-	CAPTURE(minOff,string+13,loser);
-	if (minOff > 59) goto loser;
-    } else if (string[10] == '-') {
-	CAPTURE(hourOff,string+11,loser);
-	if (hourOff > 23) goto loser;
-	hourOff = -hourOff;
-	CAPTURE(minOff,string+13,loser);
-	if (minOff > 59) goto loser;
-	minOff = -minOff;
-    } else if (string[10] != 'Z') {
-	goto loser;
-    }
-    
-    
-    /* Convert pieces back into a single value year  */
-    LL_I2L(tmp1, (year-70L));
-    LL_I2L(tmp2, SECYEAR);
-    LL_MUL(result, tmp1, tmp2);
-    
-    LL_I2L(tmp1, ( (mday-1L)*SECDAY + hour*SECHOUR + minute*SECMIN -
-		  hourOff*SECHOUR - minOff*SECMIN + second ) );
-    LL_ADD(result, result, tmp1);
-
-    /*
-    ** Have to specially handle the day in the month and the year, to
-    ** take into account leap days. The return time value is in
-    ** seconds since January 1st, 12:00am 1970, so start examining
-    ** the time after that. We can't represent a time before that.
-    */
-
-    /* Using two digit years, we can only represent dates from 1970
-       to 2069. As a result, we cannot run into the leap year rule
-       that states that 1700, 2100, etc. are not leap years (but 2000
-       is). In other words, there are no years in the span of time
-       that we can represent that are == 0 mod 4 but are not leap
-       years. Whew.
-       */
-
-    days = monthToDayInYear[month-1];
-    days += (year - 68)/4;
-
-    if (((year % 4) == 0) && (month < 3)) {
-	days--;
-    }
-   
-    LL_I2L(tmp1, (days * SECDAY) );
-    LL_ADD(result, result, tmp1 );
-
-    /* convert to micro seconds */
-    LL_I2L(tmp1, PR_USEC_PER_SEC);
-    LL_MUL(result, result, tmp1);
-
-    *dst = result;
-    return SECSuccess;
-
-  loser:
-    PORT_SetError(SEC_ERROR_INVALID_TIME);
-    return SECFailure;
-	
-}
-
-SECStatus
-DER_UTCTimeToTime(int64 *dst, const SECItem *time)
-{
-    const char * string;
-    char localBuf[20]; 
-
-    /* Minimum valid UTCTime is yymmddhhmmZ       which is 11 bytes. 
-    ** Maximum valid UTCTime is yymmddhhmmss+0000 which is 17 bytes.
-    ** 20 should be large enough for all valid encoded times. 
-    */
-    if (!time || !time->data || time->len < 11) {
-	PORT_SetError(SEC_ERROR_INVALID_TIME);
-	return SECFailure;
-    }
-    if (time->len >= sizeof localBuf) { 
-	string = (const char *)time->data;
-    } else {
-	memset(localBuf, 0, sizeof localBuf);
-	memcpy(localBuf, time->data, time->len);
-        string = (const char *)localBuf;
-    }
-    return DER_AsciiToTime(dst, string);
-}
-
-/*
-   gmttime must contains UTC time in micro-seconds unit.
-   Note: the caller should make sure that Generalized time
-   should only be used for certifiate validities after the
-   year 2049.  Otherwise, UTC time should be used.  This routine
-   does not check this case, since it can be used to encode
-   certificate extension, which does not have this restriction. 
- */
-SECStatus
-DER_TimeToGeneralizedTimeArena(PRArenaPool* arenaOpt, SECItem *dst, int64 gmttime)
-{
-    PRExplodedTime printableTime;
-    unsigned char *d;
-
-    dst->len = 15;
-    if (arenaOpt) {
-        dst->data = d = (unsigned char*) PORT_ArenaAlloc(arenaOpt, dst->len);
-    } else {
-        dst->data = d = (unsigned char*) PORT_Alloc(dst->len);
-    }
-    dst->type = siGeneralizedTime;
-    if (!d) {
-	return SECFailure;
-    }
-
-    /*Convert a int64 time to a printable format. This is a temporary call
-	  until we change to NSPR 2.0
-     */
-    PR_ExplodeTime(gmttime, PR_GMTParameters, &printableTime);
-
-    /* The month in Generalized time is base one */
-    printableTime.tm_month++;
-
-    d[0] = (printableTime.tm_year /1000) + '0';
-    d[1] = ((printableTime.tm_year % 1000) / 100) + '0';
-    d[2] = ((printableTime.tm_year % 100) / 10) + '0';
-    d[3] = (printableTime.tm_year % 10) + '0';
-    d[4] = HIDIGIT(printableTime.tm_month);
-    d[5] = LODIGIT(printableTime.tm_month);
-    d[6] = HIDIGIT(printableTime.tm_mday);
-    d[7] = LODIGIT(printableTime.tm_mday);
-    d[8] = HIDIGIT(printableTime.tm_hour);
-    d[9] = LODIGIT(printableTime.tm_hour);
-    d[10] = HIDIGIT(printableTime.tm_min);
-    d[11] = LODIGIT(printableTime.tm_min);
-    d[12] = HIDIGIT(printableTime.tm_sec);
-    d[13] = LODIGIT(printableTime.tm_sec);
-    d[14] = 'Z';
-    return SECSuccess;
-}
-
-SECStatus
-DER_TimeToGeneralizedTime(SECItem *dst, int64 gmttime)
-{
-    return DER_TimeToGeneralizedTimeArena(NULL, dst, gmttime);
-}
-
-
-/*
-    The caller should make sure that the generalized time should only
-    be used for the certificate validity after the year 2051; otherwise,
-    the certificate should be consider invalid!?
- */
-SECStatus
-DER_GeneralizedTimeToTime(int64 *dst, const SECItem *time)
-{
-    PRExplodedTime genTime;
-    const char *string;
-    long hourOff, minOff;
-    uint16 century;
-    char localBuf[20];
-
-    /* Minimum valid GeneralizedTime is ccyymmddhhmmZ       which is 13 bytes.
-    ** Maximum valid GeneralizedTime is ccyymmddhhmmss+0000 which is 19 bytes.
-    ** 20 should be large enough for all valid encoded times. 
-    */
-    if (!time || !time->data || time->len < 13)
-        goto loser;
-    if (time->len >= sizeof localBuf) {
-        string = (const char *)time->data;
-    } else {
-	memset(localBuf, 0, sizeof localBuf);
-        memcpy(localBuf, time->data, time->len);
-	string = (const char *)localBuf;
-    }
-
-    memset(&genTime, 0, sizeof genTime);
-
-    /* Verify time is formatted properly and capture information */
-    hourOff = 0;
-    minOff = 0;
-
-    CAPTURE(century, string+0, loser);
-    century *= 100;
-    CAPTURE(genTime.tm_year,string+2,loser);
-    genTime.tm_year += century;
-
-    CAPTURE(genTime.tm_month,string+4,loser);
-    if ((genTime.tm_month == 0) || (genTime.tm_month > 12)) goto loser;
-
-    /* NSPR month base is 0 */
-    --genTime.tm_month;
-    
-    CAPTURE(genTime.tm_mday,string+6,loser);
-    if ((genTime.tm_mday == 0) || (genTime.tm_mday > 31)) goto loser;
-    
-    CAPTURE(genTime.tm_hour,string+8,loser);
-    if (genTime.tm_hour > 23) goto loser;
-    
-    CAPTURE(genTime.tm_min,string+10,loser);
-    if (genTime.tm_min > 59) goto loser;
-    
-    if (ISDIGIT(string[12])) {
-	CAPTURE(genTime.tm_sec,string+12,loser);
-	if (genTime.tm_sec > 59) goto loser;
-	string += 2;
-    }
-    if (string[12] == '+') {
-	CAPTURE(hourOff,string+13,loser);
-	if (hourOff > 23) goto loser;
-	CAPTURE(minOff,string+15,loser);
-	if (minOff > 59) goto loser;
-    } else if (string[12] == '-') {
-	CAPTURE(hourOff,string+13,loser);
-	if (hourOff > 23) goto loser;
-	hourOff = -hourOff;
-	CAPTURE(minOff,string+15,loser);
-	if (minOff > 59) goto loser;
-	minOff = -minOff;
-    } else if (string[12] != 'Z') {
-	goto loser;
-    }
-
-    /* Since the values of hourOff and minOff are small, there will
-       be no loss of data by the conversion to int8 */
-    /* Convert the GMT offset to seconds and save it it genTime
-       for the implode time process */
-    genTime.tm_params.tp_gmt_offset = (PRInt32)((hourOff * 60L + minOff) * 60L);
-    *dst = PR_ImplodeTime (&genTime);
-    return SECSuccess;
-
-  loser:
-    PORT_SetError(SEC_ERROR_INVALID_TIME);
-    return SECFailure;
-	
-}
diff --git a/security/nss/lib/util/manifest.mn b/security/nss/lib/util/manifest.mn
deleted file mode 100644
index 6f5038b87..000000000
--- a/security/nss/lib/util/manifest.mn
+++ /dev/null
@@ -1,100 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-CORE_DEPTH = ../../..
-
-EXPORTS = \
-	base64.h \
-	ciferfam.h \
-	nssb64.h \
-	nssb64t.h \
-	nsslocks.h \
-	nssilock.h \
-	nssilckt.h \
-	nssrwlk.h \
-	nssrwlkt.h \
-	portreg.h \
-	secasn1.h \
-	secasn1t.h \
-	seccomon.h \
-	secder.h \
-	secdert.h \
-	secdig.h \
-	secdigt.h \
-	secitem.h \
-	secoid.h \
-	secoidt.h \
-	secport.h \
-	secerr.h \
-	watcomfx.h \
-	$(NULL)
-
-PRIVATE_EXPORTS = \
-	pqgutil.h \
-	$(NULL)
-
-CSRCS = \
-	quickder.c \
-	secdig.c \
-	derdec.c \
-	derenc.c \
-	dersubr.c \
-	dertime.c \
-	nssb64d.c \
-	nssb64e.c \
-	nssrwlk.c \
-	nssilock.c \
-	nsslocks.c \
-	portreg.c \
-	pqgutil.c \
-	secalgid.c \
-	secasn1d.c \
-	secasn1e.c \
-	secasn1u.c \
-	secitem.c \
-	secoid.c \
-	sectime.c \
-	secport.c \
-	secinit.c \
-	utf8.c \
-	$(NULL)
-
-MODULE = nss
-
-# don't duplicate module name in REQUIRES
-REQUIRES = dbm
-
-LIBRARY_NAME = secutil
diff --git a/security/nss/lib/util/nssb64.h b/security/nss/lib/util/nssb64.h
deleted file mode 100644
index 3f2302bdb..000000000
--- a/security/nss/lib/util/nssb64.h
+++ /dev/null
@@ -1,127 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Public prototypes for base64 encoding/decoding.
- *
- * $Id$
- */
-#ifndef _NSSB64_H_
-#define _NSSB64_H_
-
-#include "seccomon.h"
-#include "nssb64t.h"
-
-SEC_BEGIN_PROTOS
-
-/*
- * Functions to start a base64 decoding/encoding context.
- */
-
-extern NSSBase64Decoder *
-NSSBase64Decoder_Create (PRInt32 (*output_fn) (void *, const unsigned char *,
-					       PRInt32),
-			 void *output_arg);
-
-extern NSSBase64Encoder *
-NSSBase64Encoder_Create (PRInt32 (*output_fn) (void *, const char *, PRInt32),
-			 void *output_arg);
-
-/*
- * Push data through the decoder/encoder, causing the output_fn (provided
- * to Create) to be called with the decoded/encoded data.
- */
-
-extern SECStatus
-NSSBase64Decoder_Update (NSSBase64Decoder *data, const char *buffer,
-			 PRUint32 size);
-
-extern SECStatus
-NSSBase64Encoder_Update (NSSBase64Encoder *data, const unsigned char *buffer,
-			 PRUint32 size);
-
-/*
- * When you're done processing, call this to close the context.
- * If "abort_p" is false, then calling this may cause the output_fn
- * to be called one last time (as the last buffered data is flushed out).
- */
-
-extern SECStatus
-NSSBase64Decoder_Destroy (NSSBase64Decoder *data, PRBool abort_p);
-
-extern SECStatus
-NSSBase64Encoder_Destroy (NSSBase64Encoder *data, PRBool abort_p);
-
-/*
- * Perform base64 decoding from an ascii string "inStr" to an Item.
- * The length of the input must be provided as "inLen".  The Item
- * may be provided (as "outItemOpt"); you can also pass in a NULL
- * and the Item will be allocated for you.
- *
- * In any case, the data within the Item will be allocated for you.
- * All allocation will happen out of the passed-in "arenaOpt", if non-NULL.
- * If "arenaOpt" is NULL, standard allocation (heap) will be used and
- * you will want to free the result via SECITEM_FreeItem.
- *
- * Return value is NULL on error, the Item (allocated or provided) otherwise.
- */
-extern SECItem *
-NSSBase64_DecodeBuffer (PRArenaPool *arenaOpt, SECItem *outItemOpt,
-			const char *inStr, unsigned int inLen);
-
-/*
- * Perform base64 encoding of binary data "inItem" to an ascii string.
- * The output buffer may be provided (as "outStrOpt"); you can also pass
- * in a NULL and the buffer will be allocated for you.  The result will
- * be null-terminated, and if the buffer is provided, "maxOutLen" must
- * specify the maximum length of the buffer and will be checked to
- * supply sufficient space space for the encoded result.  (If "outStrOpt"
- * is NULL, "maxOutLen" is ignored.)
- *
- * If "outStrOpt" is NULL, allocation will happen out of the passed-in
- * "arenaOpt", if *it* is non-NULL, otherwise standard allocation (heap)
- * will be used.
- *
- * Return value is NULL on error, the output buffer (allocated or provided)
- * otherwise.
- */
-extern char *
-NSSBase64_EncodeItem (PRArenaPool *arenaOpt, char *outStrOpt,
-		      unsigned int maxOutLen, SECItem *inItem);
-
-SEC_END_PROTOS
-
-#endif /* _NSSB64_H_ */
diff --git a/security/nss/lib/util/nssb64d.c b/security/nss/lib/util/nssb64d.c
deleted file mode 100644
index 2168d01bd..000000000
--- a/security/nss/lib/util/nssb64d.c
+++ /dev/null
@@ -1,864 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Base64 decoding (ascii to binary).
- *
- * $Id$
- */
-
-#include "nssb64.h"
-#include "nspr.h"
-#include "secitem.h"
-#include "secerr.h"
-
-/*
- * XXX We want this basic support to go into NSPR (the PL part).
- * Until that can happen, the PL interface is going to be kept entirely
- * internal here -- all static functions and opaque data structures.
- * When someone can get it moved over into NSPR, that should be done:
- *    - giving everything names that are accepted by the NSPR module owners
- *	(though I tried to choose ones that would work without modification)
- *    - exporting the functions (remove static declarations and add
- *	PR_IMPLEMENT as necessary)
- *    - put prototypes into appropriate header file (probably replacing
- *	the entire current lib/libc/include/plbase64.h in NSPR)
- *	along with a typedef for the context structure (which should be
- *	kept opaque -- definition in the source file only, but typedef
- *	ala "typedef struct PLBase64FooStr PLBase64Foo;" in header file)
- *    - modify anything else as necessary to conform to NSPR required style
- *	(I looked but found no formatting guide to follow)
- *
- * You will want to move over everything from here down to the comment
- * which says "XXX End of base64 decoding code to be moved into NSPR",
- * into a new file in NSPR.
- */
-
-/*
- **************************************************************
- * XXX Beginning of base64 decoding code to be moved into NSPR.
- */
-
-/*
- * This typedef would belong in the NSPR header file (i.e. plbase64.h).
- */
-typedef struct PLBase64DecoderStr PLBase64Decoder;
-
-/*
- * The following implementation of base64 decoding was based on code
- * found in libmime (specifically, in mimeenc.c).  It has been adapted to
- * use PR types and naming as well as to provide other necessary semantics
- * (like buffer-in/buffer-out in addition to "streaming" without undue
- * performance hit of extra copying if you made the buffer versions
- * use the output_fn).  It also incorporates some aspects of the current
- * NSPR base64 decoding code.  As such, you may find similarities to
- * both of those implementations.  I tried to use names that reflected
- * the original code when possible.  For this reason you may find some
- * inconsistencies -- libmime used lots of "in" and "out" whereas the
- * NSPR version uses "src" and "dest"; sometimes I changed one to the other
- * and sometimes I left them when I thought the subroutines were at least
- * self-consistent.
- */
-
-PR_BEGIN_EXTERN_C
-
-/*
- * Opaque object used by the decoder to store state.
- */
-struct PLBase64DecoderStr {
-    /* Current token (or portion, if token_size < 4) being decoded. */
-    unsigned char token[4];
-    int token_size;
-
-    /*
-     * Where to write the decoded data (used when streaming, not when
-     * doing all in-memory (buffer) operations).
-     *
-     * Note that this definition is chosen to be compatible with PR_Write.
-     */
-    PRInt32 (*output_fn) (void *output_arg, const unsigned char *buf,
-			  PRInt32 size);
-    void *output_arg;
-
-    /*
-     * Where the decoded output goes -- either temporarily (in the streaming
-     * case, staged here before it goes to the output function) or what will
-     * be the entire buffered result for users of the buffer version.
-     */
-    unsigned char *output_buffer;
-    PRUint32 output_buflen;	/* the total length of allocated buffer */
-    PRUint32 output_length;	/* the length that is currently populated */
-};
-
-PR_END_EXTERN_C
-
-
-/*
- * Table to convert an ascii "code" to its corresponding binary value.
- * For ease of use, the binary values in the table are the actual values
- * PLUS ONE.  This is so that the special value of zero can denote an
- * invalid mapping; that was much easier than trying to fill in the other
- * values with some value other than zero, and to check for it.
- * Just remember to SUBTRACT ONE when using the value retrieved.
- */
-static unsigned char base64_codetovaluep1[256] = {
-/*   0: */	  0,	  0,	  0,	  0,	  0,	  0,	  0,	  0,
-/*   8: */	  0,	  0,	  0,	  0,	  0,	  0,	  0,	  0,
-/*  16: */	  0,	  0,	  0,	  0,	  0,	  0,	  0,	  0,
-/*  24: */	  0,	  0,	  0,	  0,	  0,	  0,	  0,	  0,
-/*  32: */	  0,	  0,	  0,	  0,	  0,	  0,	  0,	  0,
-/*  40: */	  0,	  0,	  0,	 63,	  0,	  0,	  0,	 64,
-/*  48: */	 53,	 54,	 55,	 56,	 57,	 58,	 59,	 60,
-/*  56: */	 61,	 62,	  0,	  0,	  0,	  0,	  0,	  0,
-/*  64: */	  0,	  1,	  2,	  3,	  4,	  5,	  6,	  7,
-/*  72: */	  8,	  9,	 10,	 11,	 12,	 13,	 14,	 15,
-/*  80: */	 16,	 17,	 18,	 19,	 20,	 21,	 22,	 23,
-/*  88: */	 24,	 25,	 26,	  0,	  0,	  0,	  0,	  0,
-/*  96: */	  0,	 27,	 28,	 29,	 30,	 31,	 32,	 33,
-/* 104: */	 34,	 35,	 36,	 37,	 38,	 39,	 40,	 41,
-/* 112: */	 42,	 43,	 44,	 45,	 46,	 47,	 48,	 49,
-/* 120: */	 50,	 51,	 52,	  0,	  0,	  0,	  0,	  0,
-/* 128: */	  0,	  0,	  0,	  0,	  0,	  0,	  0,	  0
-/* and rest are all zero as well */
-};
-
-#define B64_PAD	'='
-
-
-/*
- * Reads 4; writes 3 (known, or expected, to have no trailing padding).
- * Returns bytes written; -1 on error (unexpected character).
- */
-static int
-pl_base64_decode_4to3 (const unsigned char *in, unsigned char *out)
-{
-    int j;
-    PRUint32 num = 0;
-    unsigned char bits;
-
-    for (j = 0; j < 4; j++) {
-	bits = base64_codetovaluep1[in[j]];
-	if (bits == 0)
-	    return -1;
-	num = (num << 6) | (bits - 1);
-    }
-
-    out[0] = (unsigned char) (num >> 16);
-    out[1] = (unsigned char) ((num >> 8) & 0xFF);
-    out[2] = (unsigned char) (num & 0xFF);
-
-    return 3;
-}
-
-/*
- * Reads 3; writes 2 (caller already confirmed EOF or trailing padding).
- * Returns bytes written; -1 on error (unexpected character).
- */
-static int
-pl_base64_decode_3to2 (const unsigned char *in, unsigned char *out)
-{
-    PRUint32 num = 0;
-    unsigned char bits1, bits2, bits3;
-
-    bits1 = base64_codetovaluep1[in[0]];
-    bits2 = base64_codetovaluep1[in[1]];
-    bits3 = base64_codetovaluep1[in[2]];
-
-    if ((bits1 == 0) || (bits2 == 0) || (bits3 == 0))
-	return -1;
-
-    num = ((PRUint32)(bits1 - 1)) << 10;
-    num |= ((PRUint32)(bits2 - 1)) << 4;
-    num |= ((PRUint32)(bits3 - 1)) >> 2;
-
-    out[0] = (unsigned char) (num >> 8);
-    out[1] = (unsigned char) (num & 0xFF);
-
-    return 2;
-}
-
-/*
- * Reads 2; writes 1 (caller already confirmed EOF or trailing padding).
- * Returns bytes written; -1 on error (unexpected character).
- */
-static int
-pl_base64_decode_2to1 (const unsigned char *in, unsigned char *out)
-{
-    PRUint32 num = 0;
-    unsigned char bits1, bits2;
-
-    bits1 = base64_codetovaluep1[in[0]];
-    bits2 = base64_codetovaluep1[in[1]];
-
-    if ((bits1 == 0) || (bits2 == 0))
-	return -1;
-
-    num = ((PRUint32)(bits1 - 1)) << 2;
-    num |= ((PRUint32)(bits2 - 1)) >> 4;
-
-    out[0] = (unsigned char) num;
-
-    return 1;
-}
-
-/*
- * Reads 4; writes 0-3.  Returns bytes written or -1 on error.
- * (Writes less than 3 only at (presumed) EOF.)
- */
-static int
-pl_base64_decode_token (const unsigned char *in, unsigned char *out)
-{
-    if (in[3] != B64_PAD)
-	return pl_base64_decode_4to3 (in, out);
-
-    if (in[2] == B64_PAD)
-	return pl_base64_decode_2to1 (in, out);
-
-    return pl_base64_decode_3to2 (in, out);
-}
-
-static PRStatus
-pl_base64_decode_buffer (PLBase64Decoder *data, const unsigned char *in,
-			 PRUint32 length)
-{
-    unsigned char *out = data->output_buffer;
-    unsigned char *token = data->token;
-    int i, n = 0;
-
-    i = data->token_size;
-    data->token_size = 0;
-
-    while (length > 0) {
-	while (i < 4 && length > 0) {
-	    /*
-	     * XXX Note that the following simply ignores any unexpected
-	     * characters.  This is exactly what the original code in
-	     * libmime did, and I am leaving it.  We certainly want to skip
-	     * over whitespace (we must); this does much more than that.
-	     * I am not confident changing it, and I don't want to slow
-	     * the processing down doing more complicated checking, but
-	     * someone else might have different ideas in the future.
-	     */
-	    if (base64_codetovaluep1[*in] > 0 || *in == B64_PAD)
-		token[i++] = *in;
-	    in++;
-	    length--;
-	}
-
-	if (i < 4) {
-	    /* Didn't get enough for a complete token. */
-	    data->token_size = i;
-	    break;
-	}
-	i = 0;
-
-	PR_ASSERT((out - data->output_buffer + 3) <= data->output_buflen);
-
-	/*
-	 * Assume we are not at the end; the following function only works
-	 * for an internal token (no trailing padding characters) but is
-	 * faster that way.  If it hits an invalid character (padding) it
-	 * will return an error; we break out of the loop and try again
-	 * calling the routine that will handle a final token.
-	 * Note that we intentionally do it this way rather than explicitly
-	 * add a check for padding here (because that would just slow down
-	 * the normal case) nor do we rely on checking whether we have more
-	 * input to process (because that would also slow it down but also
-	 * because we want to allow trailing garbage, especially white space
-	 * and cannot tell that without read-ahead, also a slow proposition).
-	 * Whew.  Understand?
-	 */
-	n = pl_base64_decode_4to3 (token, out);
-	if (n < 0)
-	    break;
-
-	/* Advance "out" by the number of bytes just written to it. */
-	out += n;
-	n = 0;
-    }
-
-    /*
-     * See big comment above, before call to pl_base64_decode_4to3.
-     * Here we check if we error'd out of loop, and allow for the case
-     * that we are processing the last interesting token.  If the routine
-     * which should handle padding characters also fails, then we just
-     * have bad input and give up.
-     */
-    if (n < 0) {
-	n = pl_base64_decode_token (token, out);
-	if (n < 0)
-	    return PR_FAILURE;
-
-	out += n;
-    }
-
-    /*
-     * As explained above, we can get here with more input remaining, but
-     * it should be all characters we do not care about (i.e. would be
-     * ignored when transferring from "in" to "token" in loop above,
-     * except here we choose to ignore extraneous pad characters, too).
-     * Swallow it, performing that check.  If we find more characters that
-     * we would expect to decode, something is wrong.
-     */
-    while (length > 0) {
-	if (base64_codetovaluep1[*in] > 0)
-	    return PR_FAILURE;
-	in++;
-	length--;
-    }
-
-    /* Record the length of decoded data we have left in output_buffer. */
-    data->output_length = (PRUint32) (out - data->output_buffer);
-    return PR_SUCCESS;
-}
-
-/*
- * Flush any remaining buffered characters.  Given well-formed input,
- * this will have nothing to do.  If the input was missing the padding
- * characters at the end, though, there could be 1-3 characters left
- * behind -- we will tolerate that by adding the padding for them.
- */
-static PRStatus
-pl_base64_decode_flush (PLBase64Decoder *data)
-{
-    int count;
-
-    /*
-     * If no remaining characters, or all are padding (also not well-formed
-     * input, but again, be tolerant), then nothing more to do.  (And, that
-     * is considered successful.)
-     */
-    if (data->token_size == 0 || data->token[0] == B64_PAD)
-	return PR_SUCCESS;
-
-    /*
-     * Assume we have all the interesting input except for some expected
-     * padding characters.  Add them and decode the resulting token.
-     */
-    while (data->token_size < 4)
-	data->token[data->token_size++] = B64_PAD;
-
-    data->token_size = 0;	/* so a subsequent flush call is a no-op */
-
-    count = pl_base64_decode_token (data->token,
-				    data->output_buffer + data->output_length);
-    if (count < 0)
-	return PR_FAILURE;
-
-    /*
-     * If there is an output function, call it with this last bit of data.
-     * Otherwise we are doing all buffered output, and the decoded bytes
-     * are now there, we just need to reflect that in the length.
-     */
-    if (data->output_fn != NULL) {
-	PRInt32 output_result;
-
-	PR_ASSERT(data->output_length == 0);
-	output_result = data->output_fn (data->output_arg,
-					 data->output_buffer,
-					 (PRInt32) count);
-	if (output_result < 0)
-	    return  PR_FAILURE;
-    } else {
-	data->output_length += count;
-    }
-
-    return PR_SUCCESS;
-}
-
-
-/*
- * The maximum space needed to hold the output of the decoder given
- * input data of length "size".
- */
-static PRUint32
-PL_Base64MaxDecodedLength (PRUint32 size)
-{
-    return ((size * 3) / 4);
-}
-
-
-/*
- * A distinct internal creation function for the buffer version to use.
- * (It does not want to specify an output_fn, and we want the normal
- * Create function to require that.)  If more common initialization
- * of the decoding context needs to be done, it should be done *here*.
- */
-static PLBase64Decoder *
-pl_base64_create_decoder (void)
-{
-    return PR_NEWZAP(PLBase64Decoder);
-}
-
-/*
- * Function to start a base64 decoding context.
- * An "output_fn" is required; the "output_arg" parameter to that is optional.
- */
-static PLBase64Decoder *
-PL_CreateBase64Decoder (PRInt32 (*output_fn) (void *, const unsigned char *,
-					      PRInt32),
-			void *output_arg)
-{
-    PLBase64Decoder *data;
-
-    if (output_fn == NULL) {
-	PR_SetError (PR_INVALID_ARGUMENT_ERROR, 0);
-	return NULL;
-    }
-
-    data = pl_base64_create_decoder ();
-    if (data != NULL) {
-	data->output_fn = output_fn;
-	data->output_arg = output_arg;
-    }
-    return data;
-}
-
-
-/*
- * Push data through the decoder, causing the output_fn (provided to Create)
- * to be called with the decoded data.
- */
-static PRStatus
-PL_UpdateBase64Decoder (PLBase64Decoder *data, const char *buffer,
-			PRUint32 size)
-{
-    PRUint32 need_length;
-    PRStatus status;
-
-    /* XXX Should we do argument checking only in debug build? */
-    if (data == NULL || buffer == NULL || size == 0) {
-	PR_SetError (PR_INVALID_ARGUMENT_ERROR, 0);
-	return PR_FAILURE;
-    }
-
-    /*
-     * How much space could this update need for decoding?
-     */
-    need_length = PL_Base64MaxDecodedLength (size + data->token_size);
-
-    /*
-     * Make sure we have at least that much.  If not, (re-)allocate.
-     */
-    if (need_length > data->output_buflen) {
-	unsigned char *output_buffer = data->output_buffer;
-
-	if (output_buffer != NULL)
-	    output_buffer = (unsigned char *) PR_Realloc(output_buffer,
-							 need_length);
-	else
-	    output_buffer = (unsigned char *) PR_Malloc(need_length);
-
-	if (output_buffer == NULL)
-	    return PR_FAILURE;
-
-	data->output_buffer = output_buffer;
-	data->output_buflen = need_length;
-    }
-
-    /* There should not have been any leftover output data in the buffer. */
-    PR_ASSERT(data->output_length == 0);
-    data->output_length = 0;
-
-    status = pl_base64_decode_buffer (data, (const unsigned char *) buffer,
-				      size);
-
-    /* Now that we have some decoded data, write it. */
-    if (status == PR_SUCCESS && data->output_length > 0) {
-	PRInt32 output_result;
-
-	PR_ASSERT(data->output_fn != NULL);
-	output_result = data->output_fn (data->output_arg,
-					 data->output_buffer,
-					 (PRInt32) data->output_length);
-	if (output_result < 0)
-	    status = PR_FAILURE;
-    }
-
-    data->output_length = 0;
-    return status;
-}
-
-
-/*
- * When you're done decoding, call this to free the data.  If "abort_p"
- * is false, then calling this may cause the output_fn to be called
- * one last time (as the last buffered data is flushed out).
- */
-static PRStatus
-PL_DestroyBase64Decoder (PLBase64Decoder *data, PRBool abort_p)
-{
-    PRStatus status = PR_SUCCESS;
-
-    /* XXX Should we do argument checking only in debug build? */
-    if (data == NULL) {
-	PR_SetError (PR_INVALID_ARGUMENT_ERROR, 0);
-	return PR_FAILURE;
-    }
-
-    /* Flush out the last few buffered characters. */
-    if (!abort_p)
-	status = pl_base64_decode_flush (data);
-
-    if (data->output_buffer != NULL)
-	PR_Free(data->output_buffer);
-    PR_Free(data);
-
-    return status;
-}
-
-
-/*
- * Perform base64 decoding from an input buffer to an output buffer.
- * The output buffer can be provided (as "dest"); you can also pass in
- * a NULL and this function will allocate a buffer large enough for you,
- * and return it.  If you do provide the output buffer, you must also
- * provide the maximum length of that buffer (as "maxdestlen").
- * The actual decoded length of output will be returned to you in
- * "output_destlen".
- *
- * Return value is NULL on error, the output buffer (allocated or provided)
- * otherwise.
- */
-static unsigned char *
-PL_Base64DecodeBuffer (const char *src, PRUint32 srclen, unsigned char *dest,
-		       PRUint32 maxdestlen, PRUint32 *output_destlen)
-{
-    PRUint32 need_length;
-    unsigned char *output_buffer = NULL;
-    PLBase64Decoder *data = NULL;
-    PRStatus status;
-
-    PR_ASSERT(srclen > 0);
-    if (srclen == 0)
-	return dest;
-
-    /*
-     * How much space could we possibly need for decoding this input?
-     */
-    need_length = PL_Base64MaxDecodedLength (srclen);
-
-    /*
-     * Make sure we have at least that much, if output buffer provided.
-     * If no output buffer provided, then we allocate that much.
-     */
-    if (dest != NULL) {
-	PR_ASSERT(maxdestlen >= need_length);
-	if (maxdestlen < need_length) {
-	    PR_SetError(PR_BUFFER_OVERFLOW_ERROR, 0);
-	    goto loser;
-	}
-	output_buffer = dest;
-    } else {
-	output_buffer = (unsigned char *) PR_Malloc(need_length);
-	if (output_buffer == NULL)
-	    goto loser;
-	maxdestlen = need_length;
-    }
-
-    data = pl_base64_create_decoder();
-    if (data == NULL)
-	goto loser;
-
-    data->output_buflen = maxdestlen;
-    data->output_buffer = output_buffer;
-
-    status = pl_base64_decode_buffer (data, (const unsigned char *) src,
-				      srclen);
-
-    /*
-     * We do not wait for Destroy to flush, because Destroy will also
-     * get rid of our decoder context, which we need to look at first!
-     */
-    if (status == PR_SUCCESS)
-	status = pl_base64_decode_flush (data);
-
-    /* Must clear this or Destroy will free it. */
-    data->output_buffer = NULL;
-
-    if (status == PR_SUCCESS) {
-	*output_destlen = data->output_length;
-	status = PL_DestroyBase64Decoder (data, PR_FALSE);
-	data = NULL;
-	if (status == PR_FAILURE)
-	    goto loser;
-	return output_buffer;
-    }
-
-loser:
-    if (dest == NULL && output_buffer != NULL)
-	PR_Free(output_buffer);
-    if (data != NULL)
-	(void) PL_DestroyBase64Decoder (data, PR_TRUE);
-    return NULL;
-}
-
-
-/*
- * XXX End of base64 decoding code to be moved into NSPR.
- ********************************************************
- */
-
-/*
- * This is the beginning of the NSS cover functions.  These will
- * provide the interface we want to expose as NSS-ish.  For example,
- * they will operate on our Items, do any special handling or checking
- * we want to do, etc.
- */
-
-
-PR_BEGIN_EXTERN_C
-
-/*
- * A boring cover structure for now.  Perhaps someday it will include
- * some more interesting fields.
- */
-struct NSSBase64DecoderStr {
-    PLBase64Decoder *pl_data;
-};
-
-PR_END_EXTERN_C
-
-
-/*
- * Function to start a base64 decoding context.
- */
-NSSBase64Decoder *
-NSSBase64Decoder_Create (PRInt32 (*output_fn) (void *, const unsigned char *,
-					       PRInt32),
-			 void *output_arg)
-{
-    PLBase64Decoder *pl_data;
-    NSSBase64Decoder *nss_data;
-
-    nss_data = PORT_ZNew(NSSBase64Decoder);
-    if (nss_data == NULL)
-	return NULL;
-
-    pl_data = PL_CreateBase64Decoder (output_fn, output_arg);
-    if (pl_data == NULL) {
-	PORT_Free(nss_data);
-	return NULL;
-    }
-
-    nss_data->pl_data = pl_data;
-    return nss_data;
-}
-
-
-/*
- * Push data through the decoder, causing the output_fn (provided to Create)
- * to be called with the decoded data.
- */
-SECStatus
-NSSBase64Decoder_Update (NSSBase64Decoder *data, const char *buffer,
-			 PRUint32 size)
-{
-    PRStatus pr_status;
-
-    /* XXX Should we do argument checking only in debug build? */
-    if (data == NULL) {
-	PORT_SetError (SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    pr_status = PL_UpdateBase64Decoder (data->pl_data, buffer, size);
-    if (pr_status == PR_FAILURE)
-	return SECFailure;
-
-    return SECSuccess;
-}
-
-
-/*
- * When you're done decoding, call this to free the data.  If "abort_p"
- * is false, then calling this may cause the output_fn to be called
- * one last time (as the last buffered data is flushed out).
- */
-SECStatus
-NSSBase64Decoder_Destroy (NSSBase64Decoder *data, PRBool abort_p)
-{
-    PRStatus pr_status;
-
-    /* XXX Should we do argument checking only in debug build? */
-    if (data == NULL) {
-	PORT_SetError (SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    pr_status = PL_DestroyBase64Decoder (data->pl_data, abort_p);
-
-    PORT_Free(data);
-
-    if (pr_status == PR_FAILURE)
-	return SECFailure;
-
-    return SECSuccess;
-}
-
-
-/*
- * Perform base64 decoding from an ascii string "inStr" to an Item.
- * The length of the input must be provided as "inLen".  The Item
- * may be provided (as "outItemOpt"); you can also pass in a NULL
- * and the Item will be allocated for you.
- *
- * In any case, the data within the Item will be allocated for you.
- * All allocation will happen out of the passed-in "arenaOpt", if non-NULL.
- * If "arenaOpt" is NULL, standard allocation (heap) will be used and
- * you will want to free the result via SECITEM_FreeItem.
- *
- * Return value is NULL on error, the Item (allocated or provided) otherwise.
- */
-SECItem *
-NSSBase64_DecodeBuffer (PRArenaPool *arenaOpt, SECItem *outItemOpt,
-			const char *inStr, unsigned int inLen)
-{
-    SECItem *out_item = outItemOpt;
-    PRUint32 max_out_len = PL_Base64MaxDecodedLength (inLen);
-    PRUint32 out_len;
-    void *mark = NULL;
-    unsigned char *dummy;
-
-    PORT_Assert(outItemOpt == NULL || outItemOpt->data == NULL);
-
-    if (arenaOpt != NULL)
-	mark = PORT_ArenaMark (arenaOpt);
-
-    out_item = SECITEM_AllocItem (arenaOpt, outItemOpt, max_out_len);
-    if (out_item == NULL) {
-	if (arenaOpt != NULL)
-	    PORT_ArenaRelease (arenaOpt, mark);
-	return NULL;
-    }
-
-    dummy = PL_Base64DecodeBuffer (inStr, inLen, out_item->data,
-				   max_out_len, &out_len);
-    if (dummy == NULL) {
-	if (arenaOpt != NULL) {
-	    PORT_ArenaRelease (arenaOpt, mark);
-	    if (outItemOpt != NULL) {
-		outItemOpt->data = NULL;
-		outItemOpt->len = 0;
-	    }
-	} else {
-	    SECITEM_FreeItem (out_item,
-			      (outItemOpt == NULL) ? PR_TRUE : PR_FALSE);
-	}
-	return NULL;
-    }
-
-    if (arenaOpt != NULL)
-	PORT_ArenaUnmark (arenaOpt, mark);
-    out_item->len = out_len;
-    return out_item;
-}
-
-
-/*
- * XXX Everything below is deprecated.  If you add new stuff, put it
- * *above*, not below.
- */
-
-/*
- * XXX The following "ATOB" functions are provided for backward compatibility
- * with current code.  They should be considered strongly deprecated.
- * When we can convert all our code over to using the new NSSBase64Decoder_
- * functions defined above, we should get rid of these altogether.  (Remove
- * protoypes from base64.h as well -- actually, remove that file completely).
- * If someone thinks either of these functions provides such a very useful
- * interface (though, as shown, the same functionality can already be
- * obtained by calling NSSBase64_DecodeBuffer directly), fine -- but then
- * that API should be provided with a nice new NSSFoo name and using
- * appropriate types, etc.
- */
-
-#include "base64.h"
-
-/*
-** Return an PORT_Alloc'd string which is the base64 decoded version
-** of the input string; set *lenp to the length of the returned data.
-*/
-unsigned char *
-ATOB_AsciiToData(const char *string, unsigned int *lenp)
-{
-    SECItem binary_item, *dummy;
-
-    binary_item.data = NULL;
-    binary_item.len = 0;
-
-    dummy = NSSBase64_DecodeBuffer (NULL, &binary_item, string,
-				    (PRUint32) PORT_Strlen(string));
-    if (dummy == NULL)
-	return NULL;
-
-    PORT_Assert(dummy == &binary_item);
-
-    *lenp = dummy->len;
-    return dummy->data;
-}
- 
-/*
-** Convert from ascii to binary encoding of an item.
-*/
-SECStatus
-ATOB_ConvertAsciiToItem(SECItem *binary_item, char *ascii)
-{
-    SECItem *dummy;
-
-    if (binary_item == NULL) {
-	PORT_SetError (SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    /*
-     * XXX Would prefer to assert here if data is non-null (actually,
-     * don't need to, just let NSSBase64_DecodeBuffer do it), so as to
-     * to catch unintended memory leaks, but callers are not clean in
-     * this respect so we need to explicitly clear here to avoid the
-     * assert in NSSBase64_DecodeBuffer.
-     */
-    binary_item->data = NULL;
-    binary_item->len = 0;
-
-    dummy = NSSBase64_DecodeBuffer (NULL, binary_item, ascii,
-				    (PRUint32) PORT_Strlen(ascii));
-
-    if (dummy == NULL)
-	return SECFailure;
-
-    return SECSuccess;
-}
diff --git a/security/nss/lib/util/nssb64e.c b/security/nss/lib/util/nssb64e.c
deleted file mode 100644
index 71cf05373..000000000
--- a/security/nss/lib/util/nssb64e.c
+++ /dev/null
@@ -1,765 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Base64 encoding (binary to ascii).
- *
- * $Id$
- */
-
-#include "nssb64.h"
-#include "nspr.h"
-#include "secitem.h"
-#include "secerr.h"
-
-/*
- * XXX See the big comment at the top of nssb64d.c about moving the
- * bulk of this code over into NSPR (the PL part).  It all applies
- * here but I didn't want to duplicate it, to avoid divergence problems.
- */ 
-
-/*
- **************************************************************
- * XXX Beginning of base64 encoding code to be moved into NSPR.
- */
-
-
-struct PLBase64EncodeStateStr {
-    unsigned chunks;
-    unsigned saved;
-    unsigned char buf[3];
-};
-
-/*
- * This typedef would belong in the NSPR header file (i.e. plbase64.h).
- */
-typedef struct PLBase64EncoderStr PLBase64Encoder;
-
-/*
- * The following implementation of base64 encoding was based on code
- * found in libmime (specifically, in mimeenc.c).  It has been adapted to
- * use PR types and naming as well as to provide other necessary semantics
- * (like buffer-in/buffer-out in addition to "streaming" without undue
- * performance hit of extra copying if you made the buffer versions
- * use the output_fn).  It also incorporates some aspects of the current
- * NSPR base64 encoding code.  As such, you may find similarities to
- * both of those implementations.  I tried to use names that reflected
- * the original code when possible.  For this reason you may find some
- * inconsistencies -- libmime used lots of "in" and "out" whereas the
- * NSPR version uses "src" and "dest"; sometimes I changed one to the other
- * and sometimes I left them when I thought the subroutines were at least
- * self-consistent.
- */
-
-PR_BEGIN_EXTERN_C
-
-/*
- * Opaque object used by the encoder to store state.
- */
-struct PLBase64EncoderStr {
-    /*
-     * The one or two bytes pending.  (We need 3 to create a "token",
-     * and hold the leftovers here.  in_buffer_count is *only* ever
-     * 0, 1, or 2.
-     */
-    unsigned char in_buffer[2];
-    int in_buffer_count;
-
-    /*
-     * If the caller wants linebreaks added, line_length specifies
-     * where they come out.  It must be a multiple of 4; if the caller
-     * provides one that isn't, we round it down to the nearest
-     * multiple of 4.
-     *
-     * The value of current_column counts how many characters have been
-     * added since the last linebreaks (or since the beginning, on the
-     * first line).  It is also always a multiple of 4; it is unused when
-     * line_length is 0.
-     */ 
-    PRUint32 line_length;
-    PRUint32 current_column;
-
-    /*
-     * Where to write the encoded data (used when streaming, not when
-     * doing all in-memory (buffer) operations).
-     *
-     * Note that this definition is chosen to be compatible with PR_Write.
-     */
-    PRInt32 (*output_fn) (void *output_arg, const char *buf, PRInt32 size);
-    void *output_arg;
-
-    /*
-     * Where the encoded output goes -- either temporarily (in the streaming
-     * case, staged here before it goes to the output function) or what will
-     * be the entire buffered result for users of the buffer version.
-     */
-    char *output_buffer;
-    PRUint32 output_buflen;	/* the total length of allocated buffer */
-    PRUint32 output_length;	/* the length that is currently populated */
-};
-
-PR_END_EXTERN_C
-
-
-/*
- * Table to convert a binary value to its corresponding ascii "code".
- */
-static unsigned char base64_valuetocode[64] =
-    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-
-#define B64_PAD	'='
-#define B64_CR	'\r'
-#define B64_LF	'\n'
-
-static PRStatus
-pl_base64_encode_buffer (PLBase64Encoder *data, const unsigned char *in,
-			 PRUint32 size)
-{
-    const unsigned char *end = in + size;
-    char *out = data->output_buffer + data->output_length;
-    unsigned int i = data->in_buffer_count;
-    PRUint32 n = 0;
-    int off;
-    PRUint32 output_threshold;
-
-    /* If this input buffer is too small, wait until next time. */
-    if (size < (3 - i)) {
-	data->in_buffer[i++] = in[0];
-	if (size > 1)
-	    data->in_buffer[i++] = in[1];
-	PR_ASSERT(i < 3);
-	data->in_buffer_count = i;
-	return PR_SUCCESS;
-    }
-
-    /* If there are bytes that were put back last time, take them now. */
-    if (i > 0) {
-	n = data->in_buffer[0];
-	if (i > 1)
-	    n = (n << 8) | data->in_buffer[1];
-	data->in_buffer_count = 0;
-    }
-
-    /* If our total is not a multiple of three, put one or two bytes back. */
-    off = (size + i) % 3;
-    if (off > 0) {
-	size -= off;
-	data->in_buffer[0] = in[size];
-	if (off > 1)
-	    data->in_buffer[1] = in[size + 1];
-	data->in_buffer_count = off;
-	end -= off;
-    }
-
-    output_threshold = data->output_buflen - 3;
-
-    /*
-     * Populate the output buffer with base64 data, one line (or buffer)
-     * at a time.
-     */
-    while (in < end) {
-	int j, k;
-
-	while (i < 3) {
-	    n = (n << 8) | *in++;
-	    i++;
-	}
-	i = 0;
-
-	if (data->line_length > 0) {
-	    if (data->current_column >= data->line_length) {
-		data->current_column = 0;
-		*out++ = B64_CR;
-		*out++ = B64_LF;
-		data->output_length += 2;
-	    }
-	    data->current_column += 4;	/* the bytes we are about to add */
-	}
-
-	for (j = 18; j >= 0; j -= 6) {
-	    k = (n >> j) & 0x3F;
-	    *out++ = base64_valuetocode[k];
-	}
-	n = 0;
-	data->output_length += 4;
-
-	if (data->output_length >= output_threshold) {
-	    PR_ASSERT(data->output_length <= data->output_buflen);
-	    if (data->output_fn != NULL) {
-		PRInt32 output_result;
-
-		output_result = data->output_fn (data->output_arg,
-						 data->output_buffer,
-						 (PRInt32) data->output_length);
-		if (output_result < 0)
-		    return PR_FAILURE;
-
-		out = data->output_buffer;
-		data->output_length = 0;
-	    } else {
-		/*
-		 * Check that we are about to exit the loop.  (Since we
-		 * are over the threshold, there isn't enough room in the
-		 * output buffer for another trip around.)
-		 */
-		PR_ASSERT(in == end);
-		if (in < end) {
-		    PR_SetError (PR_BUFFER_OVERFLOW_ERROR, 0);
-		    return PR_FAILURE;
-		}
-	    }
-	}
-    }
-
-    return PR_SUCCESS;
-}
-
-static PRStatus
-pl_base64_encode_flush (PLBase64Encoder *data)
-{
-    int i = data->in_buffer_count;
-
-    if (i == 0 && data->output_length == 0)
-	return PR_SUCCESS;
-
-    if (i > 0) {
-	char *out = data->output_buffer + data->output_length;
-	PRUint32 n;
-	int j, k;
-
-	n = ((PRUint32) data->in_buffer[0]) << 16;
-	if (i > 1)
-	    n |= ((PRUint32) data->in_buffer[1] << 8);
-
-	data->in_buffer_count = 0;
-
-	if (data->line_length > 0) {
-	    if (data->current_column >= data->line_length) {
-		data->current_column = 0;
-		*out++ = B64_CR;
-		*out++ = B64_LF;
-		data->output_length += 2;
-	    }
-	}
-
-	/*
-	 * This will fill in more than we really have data for, but the
-	 * valid parts will end up in the correct position and the extras
-	 * will be over-written with pad characters below.
-	 */
-	for (j = 18; j >= 0; j -= 6) {
-	    k = (n >> j) & 0x3F;
-	    *out++ = base64_valuetocode[k];
-	}
-
-	/* Pad with equal-signs. */
-	if (i == 1)
-	    out[-2] = B64_PAD;
-	out[-1] = B64_PAD;
-
-	data->output_length += 4;
-    }
-
-    if (data->output_fn != NULL) {
-	PRInt32 output_result;
-
-	output_result = data->output_fn (data->output_arg, data->output_buffer,
-					 (PRInt32) data->output_length);
-	data->output_length = 0;
-
-	if (output_result < 0)
-	    return PR_FAILURE;
-    }
-
-    return PR_SUCCESS;
-}
-
-
-/*
- * The maximum space needed to hold the output of the encoder given input
- * data of length "size", and allowing for CRLF added at least every
- * line_length bytes (we will add it at nearest lower multiple of 4).
- * There is no trailing CRLF.
- */
-static PRUint32
-PL_Base64MaxEncodedLength (PRUint32 size, PRUint32 line_length)
-{
-    PRUint32 tokens, tokens_per_line, full_lines, line_break_chars, remainder;
-
-    tokens = (size + 2) / 3;
-
-    if (line_length == 0)
-	return tokens * 4;
-
-    if (line_length < 4)	/* too small! */
-	line_length = 4;
-
-    tokens_per_line = line_length / 4;
-    full_lines = tokens / tokens_per_line;
-    remainder = (tokens - (full_lines * tokens_per_line)) * 4;
-    line_break_chars = full_lines * 2;
-    if (remainder == 0)
-	line_break_chars -= 2;
-
-    return (full_lines * tokens_per_line * 4) + line_break_chars + remainder;
-}
-
-
-/*
- * A distinct internal creation function for the buffer version to use.
- * (It does not want to specify an output_fn, and we want the normal
- * Create function to require that.)  All common initialization of the
- * encoding context should be done *here*.
- *
- * Save "line_length", rounded down to nearest multiple of 4 (if not
- * already even multiple).  Allocate output_buffer, if not provided --
- * based on given size if specified, otherwise based on line_length.
- */
-static PLBase64Encoder *
-pl_base64_create_encoder (PRUint32 line_length, char *output_buffer,
-			  PRUint32 output_buflen)
-{
-    PLBase64Encoder *data;
-    PRUint32 line_tokens;
-
-    data = PR_NEWZAP(PLBase64Encoder);
-    if (data == NULL)
-	return NULL;
-
-    if (line_length > 0 && line_length < 4)	/* too small! */
-	line_length = 4;
-
-    line_tokens = line_length / 4;
-    data->line_length = line_tokens * 4;
-
-    if (output_buffer == NULL) {
-	if (output_buflen == 0) {
-	    if (data->line_length > 0)	/* need to include room for CRLF */
-		output_buflen = data->line_length + 2;
-	    else
-		output_buflen = 64;		/* XXX what is a good size? */
-	}
-
-	output_buffer = (char *) PR_Malloc(output_buflen);
-	if (output_buffer == NULL) {
-	    PR_Free(data);
-	    return NULL;
-	}
-    }
-
-    data->output_buffer = output_buffer;
-    data->output_buflen = output_buflen;
-    return data;
-}
-
-/*
- * Function to start a base64 encoding context.
- * An "output_fn" is required; the "output_arg" parameter to that is optional.
- * If linebreaks in the encoded output are desired, "line_length" specifies
- * where to place them -- it will be rounded down to the nearest multiple of 4
- * (if it is not already an even multiple of 4).  If it is zero, no linebreaks
- * will be added.  (FYI, a linebreak is CRLF -- two characters.)
- */
-static PLBase64Encoder *
-PL_CreateBase64Encoder (PRInt32 (*output_fn) (void *, const char *, PRInt32),
-			void *output_arg, PRUint32 line_length)
-{
-    PLBase64Encoder *data;
-
-    if (output_fn == NULL) {
-	PR_SetError (PR_INVALID_ARGUMENT_ERROR, 0);
-	return NULL;
-    }
-
-    data = pl_base64_create_encoder (line_length, NULL, 0);
-    if (data == NULL)
-	return NULL;
-
-    data->output_fn = output_fn;
-    data->output_arg = output_arg;
-
-    return data;
-}
-
-
-/*
- * Push data through the encoder, causing the output_fn (provided to Create)
- * to be called with the encoded data.
- */
-static PRStatus
-PL_UpdateBase64Encoder (PLBase64Encoder *data, const unsigned char *buffer,
-			PRUint32 size)
-{
-    /* XXX Should we do argument checking only in debug build? */
-    if (data == NULL || buffer == NULL || size == 0) {
-	PR_SetError (PR_INVALID_ARGUMENT_ERROR, 0);
-	return PR_FAILURE;
-    }
-
-    return pl_base64_encode_buffer (data, buffer, size);
-}
-
-
-/*
- * When you're done encoding, call this to free the data.  If "abort_p"
- * is false, then calling this may cause the output_fn to be called
- * one last time (as the last buffered data is flushed out).
- */
-static PRStatus
-PL_DestroyBase64Encoder (PLBase64Encoder *data, PRBool abort_p)
-{
-    PRStatus status = PR_SUCCESS;
-
-    /* XXX Should we do argument checking only in debug build? */
-    if (data == NULL) {
-	PR_SetError (PR_INVALID_ARGUMENT_ERROR, 0);
-	return PR_FAILURE;
-    }
-
-    /* Flush out the last few buffered characters. */
-    if (!abort_p)
-	status = pl_base64_encode_flush (data);
-
-    if (data->output_buffer != NULL)
-	PR_Free(data->output_buffer);
-    PR_Free(data);
-
-    return status;
-}
-
-
-/*
- * Perform base64 encoding from an input buffer to an output buffer.
- * The output buffer can be provided (as "dest"); you can also pass in
- * a NULL and this function will allocate a buffer large enough for you,
- * and return it.  If you do provide the output buffer, you must also
- * provide the maximum length of that buffer (as "maxdestlen").
- * The actual encoded length of output will be returned to you in
- * "output_destlen".
- *
- * If linebreaks in the encoded output are desired, "line_length" specifies
- * where to place them -- it will be rounded down to the nearest multiple of 4
- * (if it is not already an even multiple of 4).  If it is zero, no linebreaks
- * will be added.  (FYI, a linebreak is CRLF -- two characters.)
- *
- * Return value is NULL on error, the output buffer (allocated or provided)
- * otherwise.
- */
-static char *
-PL_Base64EncodeBuffer (const unsigned char *src, PRUint32 srclen,
-		       PRUint32 line_length, char *dest, PRUint32 maxdestlen,
-		       PRUint32 *output_destlen)
-{
-    PRUint32 need_length;
-    PLBase64Encoder *data = NULL;
-    PRStatus status;
-
-    PR_ASSERT(srclen > 0);
-    if (srclen == 0)
-	return dest;
-
-    /*
-     * How much space could we possibly need for encoding this input?
-     */
-    need_length = PL_Base64MaxEncodedLength (srclen, line_length);
-
-    /*
-     * Make sure we have at least that much, if output buffer provided.
-     */
-    if (dest != NULL) {
-	PR_ASSERT(maxdestlen >= need_length);
-	if (maxdestlen < need_length) {
-	    PR_SetError(PR_BUFFER_OVERFLOW_ERROR, 0);
-	    return NULL;
-	}
-    } else {
-	maxdestlen = need_length;
-    }
-
-    data = pl_base64_create_encoder(line_length, dest, maxdestlen);
-    if (data == NULL)
-	return NULL;
-
-    status = pl_base64_encode_buffer (data, src, srclen);
-
-    /*
-     * We do not wait for Destroy to flush, because Destroy will also
-     * get rid of our encoder context, which we need to look at first!
-     */
-    if (status == PR_SUCCESS)
-	status = pl_base64_encode_flush (data);
-
-    if (status != PR_SUCCESS) {
-	(void) PL_DestroyBase64Encoder (data, PR_TRUE);
-	return NULL;
-    }
-
-    dest = data->output_buffer;
-
-    /* Must clear this or Destroy will free it. */
-    data->output_buffer = NULL;
-
-    *output_destlen = data->output_length;
-    status = PL_DestroyBase64Encoder (data, PR_FALSE);
-    if (status == PR_FAILURE) {
-	PR_Free(dest);
-	return NULL;
-    }
-
-    return dest;
-}
-
-/*
- * XXX End of base64 encoding code to be moved into NSPR.
- ********************************************************
- */
-
-/*
- * This is the beginning of the NSS cover functions.  These will
- * provide the interface we want to expose as NSS-ish.  For example,
- * they will operate on our Items, do any special handling or checking
- * we want to do, etc.
- */
-
-
-PR_BEGIN_EXTERN_C
-
-/*
- * A boring cover structure for now.  Perhaps someday it will include
- * some more interesting fields.
- */
-struct NSSBase64EncoderStr {
-    PLBase64Encoder *pl_data;
-};
-
-PR_END_EXTERN_C
-
-
-/*
- * Function to start a base64 encoding context.
- */
-NSSBase64Encoder *
-NSSBase64Encoder_Create (PRInt32 (*output_fn) (void *, const char *, PRInt32),
-			 void *output_arg)
-{
-    PLBase64Encoder *pl_data;
-    NSSBase64Encoder *nss_data;
-
-    nss_data = PORT_ZNew(NSSBase64Encoder);
-    if (nss_data == NULL)
-	return NULL;
-
-    pl_data = PL_CreateBase64Encoder (output_fn, output_arg, 64);
-    if (pl_data == NULL) {
-	PORT_Free(nss_data);
-	return NULL;
-    }
-
-    nss_data->pl_data = pl_data;
-    return nss_data;
-}
-
-
-/*
- * Push data through the encoder, causing the output_fn (provided to Create)
- * to be called with the encoded data.
- */
-SECStatus
-NSSBase64Encoder_Update (NSSBase64Encoder *data, const unsigned char *buffer,
-			 PRUint32 size)
-{
-    PRStatus pr_status;
-
-    /* XXX Should we do argument checking only in debug build? */
-    if (data == NULL) {
-	PORT_SetError (SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    pr_status = PL_UpdateBase64Encoder (data->pl_data, buffer, size);
-    if (pr_status == PR_FAILURE)
-	return SECFailure;
-
-    return SECSuccess;
-}
-
-
-/*
- * When you're done encoding, call this to free the data.  If "abort_p"
- * is false, then calling this may cause the output_fn to be called
- * one last time (as the last buffered data is flushed out).
- */
-SECStatus
-NSSBase64Encoder_Destroy (NSSBase64Encoder *data, PRBool abort_p)
-{
-    PRStatus pr_status;
-
-    /* XXX Should we do argument checking only in debug build? */
-    if (data == NULL) {
-	PORT_SetError (SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    pr_status = PL_DestroyBase64Encoder (data->pl_data, abort_p);
-
-    PORT_Free(data);
-
-    if (pr_status == PR_FAILURE)
-	return SECFailure;
-
-    return SECSuccess;
-}
-
-
-/*
- * Perform base64 encoding of binary data "inItem" to an ascii string.
- * The output buffer may be provided (as "outStrOpt"); you can also pass
- * in a NULL and the buffer will be allocated for you.  The result will
- * be null-terminated, and if the buffer is provided, "maxOutLen" must
- * specify the maximum length of the buffer and will be checked to
- * supply sufficient space space for the encoded result.  (If "outStrOpt"
- * is NULL, "maxOutLen" is ignored.)
- *
- * If "outStrOpt" is NULL, allocation will happen out of the passed-in
- * "arenaOpt", if *it* is non-NULL, otherwise standard allocation (heap)
- * will be used.
- *
- * Return value is NULL on error, the output buffer (allocated or provided)
- * otherwise.
- */
-char *
-NSSBase64_EncodeItem (PRArenaPool *arenaOpt, char *outStrOpt,
-		      unsigned int maxOutLen, SECItem *inItem)
-{
-    char *out_string = outStrOpt;
-    PRUint32 max_out_len;
-    PRUint32 out_len;
-    void *mark = NULL;
-    char *dummy;
-
-    PORT_Assert(inItem != NULL && inItem->data != NULL && inItem->len != 0);
-    if (inItem == NULL || inItem->data == NULL || inItem->len == 0) {
-	PORT_SetError (SEC_ERROR_INVALID_ARGS);
-	return NULL;
-    }
-
-    max_out_len = PL_Base64MaxEncodedLength (inItem->len, 64);
-
-    if (arenaOpt != NULL)
-	mark = PORT_ArenaMark (arenaOpt);
-
-    if (out_string == NULL) {
-	if (arenaOpt != NULL)
-	    out_string = PORT_ArenaAlloc (arenaOpt, max_out_len + 1);
-	else
-	    out_string = PORT_Alloc (max_out_len + 1);
-
-	if (out_string == NULL) {
-	    if (arenaOpt != NULL)
-		PORT_ArenaRelease (arenaOpt, mark);
-	    return NULL;
-	}
-    } else {
-	if ((max_out_len + 1) > maxOutLen) {
-	    PORT_SetError (SEC_ERROR_OUTPUT_LEN);
-	    return NULL;
-	}
-	max_out_len = maxOutLen;
-    }
-
-
-    dummy = PL_Base64EncodeBuffer (inItem->data, inItem->len, 64,
-				   out_string, max_out_len, &out_len);
-    if (dummy == NULL) {
-	if (arenaOpt != NULL) {
-	    PORT_ArenaRelease (arenaOpt, mark);
-	} else {
-	    PORT_Free (out_string);
-	}
-	return NULL;
-    }
-
-    if (arenaOpt != NULL)
-	PORT_ArenaUnmark (arenaOpt, mark);
-
-    out_string[out_len] = '\0';
-    return out_string;
-}
-
-
-/*
- * XXX Everything below is deprecated.  If you add new stuff, put it
- * *above*, not below.
- */
-
-/*
- * XXX The following "BTOA" functions are provided for backward compatibility
- * with current code.  They should be considered strongly deprecated.
- * When we can convert all our code over to using the new NSSBase64Encoder_
- * functions defined above, we should get rid of these altogether.  (Remove
- * protoypes from base64.h as well -- actually, remove that file completely).
- * If someone thinks either of these functions provides such a very useful
- * interface (though, as shown, the same functionality can already be
- * obtained by calling NSSBase64_EncodeItem directly), fine -- but then
- * that API should be provided with a nice new NSSFoo name and using
- * appropriate types, etc.
- */
-
-#include "base64.h"
-
-/*
-** Return an PORT_Alloc'd ascii string which is the base64 encoded
-** version of the input string.
-*/
-char *
-BTOA_DataToAscii(const unsigned char *data, unsigned int len)
-{
-    SECItem binary_item;
-
-    binary_item.data = (unsigned char *)data;
-    binary_item.len = len;
-
-    return NSSBase64_EncodeItem (NULL, NULL, 0, &binary_item);
-}
-
-/*
-** Convert from binary encoding of an item to ascii.
-*/
-char *
-BTOA_ConvertItemToAscii (SECItem *binary_item)
-{
-    return NSSBase64_EncodeItem (NULL, NULL, 0, binary_item);
-}
diff --git a/security/nss/lib/util/nssb64t.h b/security/nss/lib/util/nssb64t.h
deleted file mode 100644
index 62b891ae0..000000000
--- a/security/nss/lib/util/nssb64t.h
+++ /dev/null
@@ -1,48 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Public data structures for base64 encoding/decoding.
- *
- * $Id$
- */
-#ifndef _NSSB64T_H_
-#define _NSSB64T_H_
-
-typedef struct NSSBase64DecoderStr NSSBase64Decoder;
-typedef struct NSSBase64EncoderStr NSSBase64Encoder;
-
-#endif /* _NSSB64T_H_ */
diff --git a/security/nss/lib/util/nssilckt.h b/security/nss/lib/util/nssilckt.h
deleted file mode 100644
index 69cb703fa..000000000
--- a/security/nss/lib/util/nssilckt.h
+++ /dev/null
@@ -1,224 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
-** nssilock.h - Instrumented locking functions for NSS
-**
-** Description:
-**    nssilock provides instrumentation for locks and monitors in
-**    the NSS libraries. The instrumentation, when enabled, causes
-**    each call to the instrumented function to record data about
-**    the call to an external file. The external file
-**    subsequently used to extract performance data and other
-**    statistical information about the operation of locks used in
-**    the nss library.
-**     
-**    To enable compilation with instrumentation, build NSS with 
-**    the compile time switch NEED_NSS_ILOCK defined.
-**
-**    say:  "gmake OS_CFLAGS+=-DNEED_NSS_ILOCK" at make time.
-**
-**    At runtime, to enable recording from nssilock, one or more
-**    environment variables must be set. For each nssILockType to
-**    be recorded, an environment variable of the form NSS_ILOCK_x
-**    must be set to 1. For example:
-**
-**       set NSS_ILOCK_Cert=1
-**
-**    nssilock uses PRLOG is used to record to trace data. The
-**    PRLogModule name associated with nssilock data is: "nssilock".
-**    To enable recording of nssilock data you will need to set the
-**    environment variable NSPR_LOG_MODULES to enable
-**    recording for the nssilock log module. Similarly, you will
-**    need to set the environment variable NSPR_LOG_FILE to specify
-**    the filename to receive the recorded data. See prlog.h for usage.
-**    Example:
-**
-**        export NSPR_LOG_MODULES=nssilock:6
-**        export NSPR_LOG_FILE=xxxLogfile
-**
-** Operation:
-**    nssilock wraps calls to NSPR's PZLock and PZMonitor functions
-**    with similarly named functions: PZ_NewLock(), etc. When NSS is
-**    built with lock instrumentation enabled, the PZ* functions are
-**    compiled into NSS; when lock instrumentation is disabled,
-**    calls to PZ* functions are directly mapped to PR* functions
-**    and the instrumentation arguments to the PZ* functions are
-**    compiled away.
-**
-**
-** File Format:
-**    The format of the external file is implementation
-**    dependent. Where NSPR's PR_LOG() function is used, the file
-**    contains data defined for PR_LOG() plus the data written by
-**    the wrapped function. On some platforms and under some
-**    circumstances, platform dependent logging or
-**    instrumentation probes may be used. In any case, the
-**    relevant data provided by the lock instrumentation is:
-**    
-**      lockType, func, address, duration, line, file [heldTime]
-** 
-**    where:
-**    
-**       lockType: a character representation of nssILockType for the
-**       call. e.g. ... "cert"
-**    
-**       func: the function doing the tracing. e.g. "NewLock"
-**    
-**       address: address of the instrumented lock or monitor
-**    
-**       duration: is how long was spent in the instrumented function,
-**       in PRIntervalTime "ticks".
-**    
-**       line: the line number within the calling function
-**    
-**       file: the file from which the call was made
-**    
-**       heldTime: how long the lock/monitor was held. field
-**       present only for PZ_Unlock() and PZ_ExitMonitor().
-**    
-** Design Notes:
-**    The design for lock instrumentation was influenced by the
-**    need to gather performance data on NSS 3.x. It is intended
-**    that the effort to modify NSS to use lock instrumentation
-**    be minimized. Existing calls to locking functions need only
-**    have their names changed to the instrumentation function
-**    names.
-**    
-** Private NSS Interface:
-**    nssilock.h defines a private interface for use by NSS.
-**    nssilock.h is experimental in nature and is subject to
-**    change or revocation without notice. ... Don't mess with
-**    it.
-**    
-*/
-
-/*
- * $Id:
- */
-
-#ifndef _NSSILCKT_H_
-#define _NSSILCKT_H_
-
-#include "prtypes.h"
-#include "prmon.h"
-#include "prlock.h"
-#include "prcvar.h"
-
-typedef enum {
-    nssILockArena = 0,
-    nssILockSession = 1,
-    nssILockObject = 2,
-    nssILockRefLock = 3,
-    nssILockCert = 4,
-    nssILockCertDB = 5,
-    nssILockDBM = 6,
-    nssILockCache = 7,
-    nssILockSSL = 8,
-    nssILockList = 9,
-    nssILockSlot = 10,
-    nssILockFreelist = 11,
-    nssILockOID = 12,
-    nssILockAttribute = 13,
-    nssILockPK11cxt = 14,  /* pk11context */
-    nssILockRWLock = 15,
-    nssILockOther = 16,
-    nssILockSelfServ = 17,
-    nssILockKeyDB = 18,
-    nssILockLast  /* don't use this one! */
-} nssILockType;
-
-/*
-** Declare operation type enumerator
-** enumerations identify the function being performed
-*/
-typedef enum  {
-    FlushTT = 0,
-    NewLock = 1,
-    Lock = 2,
-    Unlock = 3,
-    DestroyLock = 4,
-    NewCondVar = 5,
-    WaitCondVar = 6,
-    NotifyCondVar = 7,
-    NotifyAllCondVar = 8,
-    DestroyCondVar = 9,
-    NewMonitor = 10,
-    EnterMonitor = 11,
-    ExitMonitor = 12,
-    Notify = 13,
-    NotifyAll = 14,
-    Wait = 15,
-    DestroyMonitor = 16
-} nssILockOp;
-
-/*
-** Declare the trace record
-*/
-struct pzTrace_s {
-    PRUint32        threadID; /* PR_GetThreadID() */
-    nssILockOp      op;       /* operation being performed */
-    nssILockType    ltype;    /* lock type identifier */
-    PRIntervalTime  callTime; /* time spent in function */
-    PRIntervalTime  heldTime; /* lock held time, or -1 */
-    void            *lock;    /* address of lock structure */    
-    PRIntn          line;     /* line number */
-    char            file[24]; /* filename */
-};
-
-PR_BEGIN_EXTERN_C
-/*
-** conditionally compile in nssilock features
-*/
-#if defined(NEED_NSS_ILOCK)
-
-/*
-** declare opaque types. See: nssilock.c
-*/
-typedef struct pzlock_s PZLock;
-typedef struct pzcondvar_s PZCondVar;
-typedef struct pzmonitor_s PZMonitor;
-
-#else /* NEED_NSS_ILOCK */
-
-#define PZLock                  PRLock
-#define PZCondVar               PRCondVar
-#define PZMonitor               PRMonitor
-    
-#endif /* NEED_NSS_ILOCK */
-
-PR_END_EXTERN_C
-#endif /* _NSSILCKT_H_ */
diff --git a/security/nss/lib/util/nssilock.c b/security/nss/lib/util/nssilock.c
deleted file mode 100644
index 48875fb2f..000000000
--- a/security/nss/lib/util/nssilock.c
+++ /dev/null
@@ -1,522 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * nssilock.c - NSS lock instrumentation wrapper functions
- *
- * NOTE - These are not public interfaces
- *
- * Implementation Notes:
- * I've tried to make the instrumentation relatively non-intrusive.
- * To do this, I have used a single PR_LOG() call in each
- * instrumented function. There's room for improvement.
- *
- *
- */
-
-#include "prinit.h"
-#include "prerror.h"
-#include "prlock.h"
-#include "prmem.h"
-#include "prenv.h"
-#include "prcvar.h"
-#include "prio.h"
-
-#if defined(NEED_NSS_ILOCK)
-#include "prlog.h"
-#include "nssilock.h"
-
-/*
-** Declare the instrumented PZLock 
-*/
-struct pzlock_s {
-    PRLock *lock;  /* the PZLock to be instrumented */
-    PRIntervalTime time; /* timestamp when the lock was aquired */
-    nssILockType ltype;
-};
-
-/*
-** Declare the instrumented PZMonitor 
-*/
-struct pzmonitor_s {
-    PRMonitor *mon;   /* the PZMonitor to be instrumented */
-    PRIntervalTime time; /* timestamp when the monitor was aquired */
-    nssILockType ltype;
-};
-
-/*
-** Declare the instrumented PZCondVar
-*/
-struct pzcondvar_s  {
-    PRCondVar   *cvar;  /* the PZCondVar to be instrumented */
-    nssILockType ltype;
-};
-
-
-/*
-** Define a CallOnce type to ensure serialized self-initialization
-*/
-static PRCallOnceType coNssILock;     /* CallOnce type */
-static PRIntn  nssILockInitialized;   /* initialization done when 1 */
-static PRLogModuleInfo *nssILog;      /* Log instrumentation to this handle */
-
-
-#define NUM_TT_ENTRIES 6000000
-static PRInt32  traceIndex = -1;      /* index into trace table */
-static struct pzTrace_s *tt;          /* pointer to trace table */
-static PRInt32  ttBufSize = (NUM_TT_ENTRIES * sizeof(struct pzTrace_s ));
-static PRCondVar *ttCVar;
-static PRLock    *ttLock;
-static PRFileDesc *ttfd;              /* trace table file */
-
-/*
-** Vtrace() -- Trace events, write events to external media
-**
-** Vtrace() records traced events in an in-memory trace table
-** when the trace table fills, Vtrace writes the entire table
-** to a file.
-**
-** data can be lost!
-**
-*/
-static void Vtrace(
-    nssILockOp      op,
-    nssILockType    ltype,
-    PRIntervalTime  callTime,
-    PRIntervalTime  heldTime,
-    void            *lock,
-    PRIntn          line,
-    char            *file
-)  {
-    PRInt32 idx;
-    struct pzTrace_s *tp;
-
-RetryTrace:
-    idx = PR_AtomicIncrement( &traceIndex );
-    while( NUM_TT_ENTRIES <= idx || op == FlushTT ) {
-        if( NUM_TT_ENTRIES == idx  || op == FlushTT )  {
-            int writeSize = idx * sizeof(struct pzTrace_s);
-            PR_Lock(ttLock);
-            PR_Write( ttfd, tt, writeSize );
-            traceIndex = -1;
-            PR_NotifyAllCondVar( ttCVar );
-            PR_Unlock(ttLock);
-            goto RetryTrace;
-        } else {
-            PR_Lock(ttLock);
-            while( NUM_TT_ENTRIES < idx )
-                PR_WaitCondVar(ttCVar, PR_INTERVAL_NO_WAIT);
-            PR_Unlock(ttLock);
-            goto RetryTrace;
-        }
-    } /* end while() */
-
-    /* create the trace entry */
-    tp = tt + idx;
-    tp->threadID = PR_GetThreadID(PR_GetCurrentThread());
-    tp->op = op;
-    tp->ltype = ltype;
-    tp->callTime = callTime;
-    tp->heldTime = heldTime;
-    tp->lock = lock;
-    tp ->line = line;
-    strcpy(tp->file, file );
-    return;
-} /* --- end Vtrace() --- */
-
-/*
-** pz_TraceFlush() -- Force trace table write to file
-**
-*/
-extern void pz_TraceFlush( void )
-{
-    Vtrace( FlushTT, nssILockSelfServ, 0, 0, NULL, 0, "" );
-    return;
-} /* --- end pz_TraceFlush() --- */
-
-/*
-** nssILockInit() -- Initialization for nssilock
-**
-** This function is called from the CallOnce mechanism.
-*/
-static PRStatus
-    nssILockInit( void ) 
-{   
-    int i;
-    nssILockInitialized = 1;
-
-    /* new log module */
-    nssILog = PR_NewLogModule("nssilock");
-    if ( NULL == nssILog )  {
-        return(PR_FAILURE);
-    }
-
-    tt = PR_Calloc( NUM_TT_ENTRIES, sizeof(struct pzTrace_s));
-    if (NULL == tt ) {
-        fprintf(stderr, "nssilock: can't allocate trace table\n");
-        exit(1);
-    }
-
-    ttfd = PR_Open( "xxxTTLog", PR_CREATE_FILE | PR_WRONLY, 0666 );
-    if ( NULL == ttfd )  {
-        fprintf( stderr, "Oh Drat! Can't open 'xxxTTLog'\n");
-        exit(1);
-    }
-
-    ttLock = PR_NewLock();
-    ttCVar = PR_NewCondVar(ttLock);
-
-    return(PR_SUCCESS);
-} /* --- end nssILockInit() --- */
-
-extern PZLock * pz_NewLock( 
-    nssILockType ltype,
-    char *file,  
-    PRIntn line )
-{
-    PRStatus rc;
-    PZLock  *lock;
-    
-    /* Self Initialize the nssILock feature */
-    if (!nssILockInitialized)  {
-        rc = PR_CallOnce( &coNssILock, nssILockInit );
-        if ( PR_FAILURE == rc ) {
-            PR_SetError( PR_UNKNOWN_ERROR, 0 );
-            return( NULL );
-        }
-    }
-
-    lock = PR_NEWZAP( PZLock );
-    if ( NULL != lock )  {
-        lock->lock = PR_NewLock();
-        if ( NULL == lock->lock )  {
-            PR_DELETE( lock );
-            lock = NULL;
-        }
-    }
-    lock->ltype = ltype;
-
-    Vtrace( NewLock, ltype, 0, 0, lock, line, file );
-    return(lock);
-} /* --- end pz_NewLock() --- */
-
-extern void
-    pz_Lock(
-        PZLock *lock,
-        char *file,
-        PRIntn line
-    )
-{            
-    PRIntervalTime callTime;
-
-    callTime = PR_IntervalNow();
-    PR_Lock( lock->lock );
-    lock->time = PR_IntervalNow();
-    callTime = lock->time - callTime;
-
-    Vtrace( Lock, lock->ltype, callTime, 0, lock, line, file );
-    return;
-} /* --- end  pz_Lock() --- */
-
-extern PRStatus
-    pz_Unlock(
-        PZLock *lock,
-        char *file,
-        PRIntn line
-    ) 
-{
-    PRStatus rc;
-    PRIntervalTime callTime, now, heldTime;
-
-    callTime = PR_IntervalNow();
-    rc = PR_Unlock( lock->lock );
-    now = PR_IntervalNow(); 
-    callTime = now - callTime;
-    heldTime = now - lock->time;
-    Vtrace( Unlock, lock->ltype, callTime, heldTime, lock, line, file );
-    return( rc );
-} /* --- end  pz_Unlock() --- */
-
-extern void
-    pz_DestroyLock(
-        PZLock *lock,
-        char *file,
-        PRIntn line
-    )
-{
-    Vtrace( DestroyLock, lock->ltype, 0, 0, lock, line, file );
-    PR_DestroyLock( lock->lock );
-    PR_DELETE( lock );
-    return;
-} /* --- end  pz_DestroyLock() --- */
-
-
-
-extern PZCondVar *
-    pz_NewCondVar(
-        PZLock *lock,
-        char *file,
-        PRIntn line
-    )
-{
-    PZCondVar *cvar;
-
-    cvar = PR_NEWZAP( PZCondVar );
-    if ( NULL == cvar ) return(NULL);
-   
-    cvar->ltype = lock->ltype; 
-    cvar->cvar = PR_NewCondVar( lock->lock );
-    if ( NULL == cvar->cvar )  {
-        PR_DELETE( cvar );
-    }
-    Vtrace( NewCondVar, cvar->ltype, 0, 0, cvar, line, file );
-    return( cvar );
-} /* --- end  pz_NewCondVar() --- */
-
-extern void
-    pz_DestroyCondVar(
-        PZCondVar *cvar,
-        char *file,
-        PRIntn line
-    )
-{
-    Vtrace( DestroyCondVar, cvar->ltype, 0, 0, cvar, line, file );
-    PR_DestroyCondVar( cvar->cvar );
-    PR_DELETE( cvar );
-} /* --- end  pz_DestroyCondVar() --- */
-
-extern PRStatus
-    pz_WaitCondVar(
-        PZCondVar *cvar,
-        PRIntervalTime timeout,
-        char *file,
-        PRIntn line
-    )
-{
-    PRStatus    rc;
-    PRIntervalTime callTime;
-
-    callTime = PR_IntervalNow();
-    rc = PR_WaitCondVar( cvar->cvar, timeout );
-    callTime = PR_IntervalNow() - callTime;
-    
-    Vtrace( WaitCondVar, cvar->ltype, callTime, 0, cvar, line, file );
-    return(rc);
-} /* --- end  pz_WaitCondVar() --- */
-
-extern PRStatus
-    pz_NotifyCondVar(
-        PZCondVar *cvar,
-        char *file,
-        PRIntn line
-    )
-{
-    PRStatus    rc;
-    
-    rc = PR_NotifyCondVar( cvar->cvar );
-    
-    Vtrace( NotifyCondVar, cvar->ltype, 0, 0, cvar, line, file );
-    return(rc);
-} /* --- end  pz_NotifyCondVar() --- */
-
-extern PRStatus
-    pz_NotifyAllCondVar(
-        PZCondVar *cvar,
-        char *file,
-        PRIntn line
-    )
-{
-    PRStatus    rc;
-    
-    rc = PR_NotifyAllCondVar( cvar->cvar );
-    
-    Vtrace( NotifyAllCondVar, cvar->ltype, 0, 0, cvar, line, file );
-    return(rc);
-} /* --- end  pz_NotifyAllCondVar() --- */
-
-extern PZMonitor *
-    pz_NewMonitor( 
-        nssILockType ltype,
-        char *file,
-        PRIntn line
-    )
-{
-    PRStatus rc;
-    PZMonitor   *mon;
-
-    /* Self Initialize the nssILock feature */
-    if (!nssILockInitialized)  {
-        rc = PR_CallOnce( &coNssILock, nssILockInit );
-        if ( PR_FAILURE == rc ) {
-            PR_SetError( PR_UNKNOWN_ERROR, 0 );
-            return( NULL );
-        }
-    }
-
-    mon = PR_NEWZAP( PZMonitor );
-    if ( NULL != mon )  {
-        mon->mon = PR_NewMonitor();
-        if ( NULL == mon->mon )  {
-            PR_DELETE( mon );
-            return NULL;
-        }
-    }
-    mon->ltype = ltype;
-
-    Vtrace( NewMonitor, mon->ltype, 0, 0, mon, line, file );
-    return(mon);
-} /* --- end  pz_NewMonitor() --- */
-
-extern void
-    pz_DestroyMonitor(
-        PZMonitor *mon,
-        char *file,
-        PRIntn line
-    )
-{
-    Vtrace( DestroyMonitor, mon->ltype, 0, 0, mon, line, file );
-    PR_DestroyMonitor( mon->mon );
-    PR_DELETE( mon );
-    return;                
-} /* --- end  pz_DestroyMonitor() --- */
-
-extern void
-    pz_EnterMonitor(
-        PZMonitor *mon,
-        char *file,
-        PRIntn line
-    )
-{
-    PRIntervalTime callTime, now;
-
-    callTime = PR_IntervalNow();
-    PR_EnterMonitor( mon->mon );
-    now = PR_IntervalNow();
-    callTime = now - callTime;
-    if ( PR_GetMonitorEntryCount(mon->mon) == 1 )  {
-        mon->time = now;
-    }
-    Vtrace( EnterMonitor, mon->ltype, callTime, 0, mon, line, file );
-    return;
-} /* --- end  pz_EnterMonitor() --- */
-
-extern PRStatus
-    pz_ExitMonitor(
-        PZMonitor *mon,
-        char *file,
-        PRIntn line
-    )
-{
-    PRStatus rc;
-    PRIntervalTime callTime, now, heldTime;
-    PRIntn  mec = PR_GetMonitorEntryCount( mon->mon );
-   
-    heldTime = (PRIntervalTime)-1; 
-    callTime = PR_IntervalNow();
-    rc = PR_ExitMonitor( mon->mon );
-    now = PR_IntervalNow();
-    callTime = now - callTime;
-    if ( mec == 1 )
-        heldTime = now - mon->time;
-    Vtrace( ExitMonitor, mon->ltype, callTime, heldTime, mon, line, file );
-    return( rc );
-} /* --- end  pz_ExitMonitor() --- */
-
-extern PRIntn
-    pz_GetMonitorEntryCount(
-        PZMonitor *mon,
-        char *file,
-        PRIntn line
-    )
-{
-    return( PR_GetMonitorEntryCount(mon->mon));
-} /* --- end pz_GetMonitorEntryCount() --- */
-
-
-extern PRStatus
-    pz_Wait(
-        PZMonitor *mon,
-        PRIntervalTime ticks,
-        char *file,
-        PRIntn line
-    )
-{
-    PRStatus rc;
-    PRIntervalTime callTime;
-
-    callTime = PR_IntervalNow();
-    rc = PR_Wait( mon->mon, ticks );
-    callTime = PR_IntervalNow() - callTime;
-    Vtrace( Wait, mon->ltype, callTime, 0, mon, line, file );
-    return( rc );
-} /* --- end  pz_Wait() --- */
-
-extern PRStatus
-    pz_Notify(
-        PZMonitor *mon,
-        char *file,
-        PRIntn line
-    )
-{
-    PRStatus rc;
-    PRIntervalTime callTime;
-
-    callTime = PR_IntervalNow();
-    rc = PR_Notify( mon->mon );
-    callTime = PR_IntervalNow() - callTime;
-    Vtrace( Notify, mon->ltype, callTime, 0, mon, line, file );
-    return( rc );
-} /* --- end  pz_Notify() --- */
-
-extern PRStatus
-    pz_NotifyAll(
-        PZMonitor *mon,
-        char *file,
-        PRIntn line
-    )
-{
-    PRStatus rc;
-    PRIntervalTime callTime;
-
-    callTime = PR_IntervalNow();
-    rc = PR_NotifyAll( mon->mon );
-    callTime = PR_IntervalNow() - callTime;
-    Vtrace( NotifyAll, mon->ltype, callTime, 0, mon, line, file );
-    return( rc );
-} /* --- end  pz_NotifyAll() --- */
-
-#endif /* NEED_NSS_ILOCK */
-/* --- end nssilock.c --------------------------------- */
diff --git a/security/nss/lib/util/nssilock.h b/security/nss/lib/util/nssilock.h
deleted file mode 100644
index 7198c7454..000000000
--- a/security/nss/lib/util/nssilock.h
+++ /dev/null
@@ -1,319 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
-** nssilock.h - Instrumented locking functions for NSS
-**
-** Description:
-**    nssilock provides instrumentation for locks and monitors in
-**    the NSS libraries. The instrumentation, when enabled, causes
-**    each call to the instrumented function to record data about
-**    the call to an external file. The external file
-**    subsequently used to extract performance data and other
-**    statistical information about the operation of locks used in
-**    the nss library.
-**     
-**    To enable compilation with instrumentation, build NSS with 
-**    the compile time switch NEED_NSS_ILOCK defined.
-**
-**    say:  "gmake OS_CFLAGS+=-DNEED_NSS_ILOCK" at make time.
-**
-**    At runtime, to enable recording from nssilock, one or more
-**    environment variables must be set. For each nssILockType to
-**    be recorded, an environment variable of the form NSS_ILOCK_x
-**    must be set to 1. For example:
-**
-**       set NSS_ILOCK_Cert=1
-**
-**    nssilock uses PRLOG is used to record to trace data. The
-**    PRLogModule name associated with nssilock data is: "nssilock".
-**    To enable recording of nssilock data you will need to set the
-**    environment variable NSPR_LOG_MODULES to enable
-**    recording for the nssilock log module. Similarly, you will
-**    need to set the environment variable NSPR_LOG_FILE to specify
-**    the filename to receive the recorded data. See prlog.h for usage.
-**    Example:
-**
-**        export NSPR_LOG_MODULES=nssilock:6
-**        export NSPR_LOG_FILE=xxxLogfile
-**
-** Operation:
-**    nssilock wraps calls to NSPR's PZLock and PZMonitor functions
-**    with similarly named functions: PZ_NewLock(), etc. When NSS is
-**    built with lock instrumentation enabled, the PZ* functions are
-**    compiled into NSS; when lock instrumentation is disabled,
-**    calls to PZ* functions are directly mapped to PR* functions
-**    and the instrumentation arguments to the PZ* functions are
-**    compiled away.
-**
-**
-** File Format:
-**    The format of the external file is implementation
-**    dependent. Where NSPR's PR_LOG() function is used, the file
-**    contains data defined for PR_LOG() plus the data written by
-**    the wrapped function. On some platforms and under some
-**    circumstances, platform dependent logging or
-**    instrumentation probes may be used. In any case, the
-**    relevant data provided by the lock instrumentation is:
-**    
-**      lockType, func, address, duration, line, file [heldTime]
-** 
-**    where:
-**    
-**       lockType: a character representation of nssILockType for the
-**       call. e.g. ... "cert"
-**    
-**       func: the function doing the tracing. e.g. "NewLock"
-**    
-**       address: address of the instrumented lock or monitor
-**    
-**       duration: is how long was spent in the instrumented function,
-**       in PRIntervalTime "ticks".
-**    
-**       line: the line number within the calling function
-**    
-**       file: the file from which the call was made
-**    
-**       heldTime: how long the lock/monitor was held. field
-**       present only for PZ_Unlock() and PZ_ExitMonitor().
-**    
-** Design Notes:
-**    The design for lock instrumentation was influenced by the
-**    need to gather performance data on NSS 3.x. It is intended
-**    that the effort to modify NSS to use lock instrumentation
-**    be minimized. Existing calls to locking functions need only
-**    have their names changed to the instrumentation function
-**    names.
-**    
-** Private NSS Interface:
-**    nssilock.h defines a private interface for use by NSS.
-**    nssilock.h is experimental in nature and is subject to
-**    change or revocation without notice. ... Don't mess with
-**    it.
-**    
-*/
-
-/*
- * $Id:
- */
-
-#ifndef _NSSILOCK_H_
-#define _NSSILOCK_H_
-
-#include "prtypes.h"
-#include "prmon.h"
-#include "prlock.h"
-#include "prcvar.h"
-
-#include "nssilckt.h"
-
-PR_BEGIN_EXTERN_C
-
-#if defined(NEED_NSS_ILOCK)
-
-#define PZ_NewLock(t) pz_NewLock((t),__FILE__,__LINE__)
-extern PZLock * 
-    pz_NewLock(
-        nssILockType ltype,
-        char *file,
-        PRIntn  line
-    );
-
-#define PZ_Lock(k)  pz_Lock((k),__FILE__,__LINE__)
-extern void
-    pz_Lock(
-        PZLock *lock,
-        char *file,
-        PRIntn line
-    );
-
-#define PZ_Unlock(k) pz_Unlock((k),__FILE__,__LINE__)
-extern PRStatus
-    pz_Unlock(
-        PZLock *lock,
-        char *file,
-        PRIntn line
-    );
-
-#define PZ_DestroyLock(k) pz_DestroyLock((k),__FILE__,__LINE__)
-extern void
-    pz_DestroyLock(
-        PZLock *lock,
-        char *file,
-        PRIntn line
-    );
-
-
-#define PZ_NewCondVar(l)        pz_NewCondVar((l),__FILE__,__LINE__)
-extern PZCondVar *
-    pz_NewCondVar(
-        PZLock *lock,
-        char *file,
-        PRIntn line
-    );
-
-#define PZ_DestroyCondVar(v)    pz_DestroyCondVar((v),__FILE__,__LINE__)
-extern void
-    pz_DestroyCondVar(
-        PZCondVar *cvar,
-        char *file,
-        PRIntn line
-    );
-
-#define PZ_WaitCondVar(v,t)       pz_WaitCondVar((v),(t),__FILE__,__LINE__)
-extern PRStatus
-    pz_WaitCondVar(
-        PZCondVar *cvar,
-        PRIntervalTime timeout,
-        char *file,
-        PRIntn line
-    );
-
-#define PZ_NotifyCondVar(v)     pz_NotifyCondVar((v),__FILE__,__LINE__)
-extern PRStatus
-    pz_NotifyCondVar(
-        PZCondVar *cvar,
-        char *file,
-        PRIntn line
-    );
-
-#define PZ_NotifyAllCondVar(v)  pz_NotifyAllCondVar((v),__FILE__,__LINE__)
-extern PRStatus
-    pz_NotifyAllCondVar(
-        PZCondVar *cvar,
-        char *file,
-        PRIntn line
-    );
-
-
-#define PZ_NewMonitor(t) pz_NewMonitor((t),__FILE__,__LINE__)
-extern PZMonitor *
-    pz_NewMonitor( 
-        nssILockType ltype,
-        char *file,
-        PRIntn line
-    );
-
-#define PZ_DestroyMonitor(m) pz_DestroyMonitor((m),__FILE__,__LINE__)
-extern void
-    pz_DestroyMonitor(
-        PZMonitor *mon,
-        char *file,
-        PRIntn line
-    );
-
-#define PZ_EnterMonitor(m) pz_EnterMonitor((m),__FILE__,__LINE__)
-extern void
-    pz_EnterMonitor(
-        PZMonitor *mon,
-        char *file,
-        PRIntn line
-    );
-
-
-#define PZ_ExitMonitor(m) pz_ExitMonitor((m),__FILE__,__LINE__)
-extern PRStatus
-    pz_ExitMonitor(
-        PZMonitor *mon,
-        char *file,
-        PRIntn line
-    );
-
-#define PZ_InMonitor(m)  (PZ_GetMonitorEntryCount(m) > 0 )
-#define PZ_GetMonitorEntryCount(m) pz_GetMonitorEntryCount((m),__FILE__,__LINE__)
-extern PRIntn
-    pz_GetMonitorEntryCount(
-        PZMonitor *mon,
-        char *file,
-        PRIntn line
-    );
-
-#define PZ_Wait(m,i) pz_Wait((m),((i)),__FILE__,__LINE__)
-extern PRStatus
-    pz_Wait(
-        PZMonitor *mon,
-        PRIntervalTime ticks,
-        char *file,
-        PRIntn line
-    );
-
-#define PZ_Notify(m) pz_Notify((m),__FILE__,__LINE__)
-extern PRStatus
-    pz_Notify(
-        PZMonitor *mon,
-        char *file,
-        PRIntn line
-    );
-
-#define PZ_NotifyAll(m) pz_NotifyAll((m),__FILE__,__LINE__)
-extern PRStatus
-    pz_NotifyAll(
-        PZMonitor *mon,
-        char *file,
-        PRIntn line
-    );
-
-#define PZ_TraceFlush() pz_TraceFlush()
-extern void pz_TraceFlush( void );
-
-#else /* NEED_NSS_ILOCK */
-
-#define PZ_NewLock(t)           PR_NewLock()
-#define PZ_DestroyLock(k)       PR_DestroyLock((k))
-#define PZ_Lock(k)              PR_Lock((k))
-#define PZ_Unlock(k)            PR_Unlock((k))
-
-#define PZ_NewCondVar(l)        PR_NewCondVar((l))
-#define PZ_DestroyCondVar(v)    PR_DestroyCondVar((v))
-#define PZ_WaitCondVar(v,t)     PR_WaitCondVar((v),(t))
-#define PZ_NotifyCondVar(v)     PR_NotifyCondVar((v))
-#define PZ_NotifyAllCondVar(v)  PR_NotifyAllCondVar((v))
-
-#define PZ_NewMonitor(t)        PR_NewMonitor()
-#define PZ_DestroyMonitor(m)    PR_DestroyMonitor((m))
-#define PZ_EnterMonitor(m)      PR_EnterMonitor((m))
-#define PZ_ExitMonitor(m)       PR_ExitMonitor((m))
-#define PZ_InMonitor(m)         PR_InMonitor((m))
-#define PZ_Wait(m,t)            PR_Wait(((m)),((t)))
-#define PZ_Notify(m)            PR_Notify((m))
-#define PZ_NotifyAll(m)         PR_Notify((m))
-#define PZ_TraceFlush()         /* nothing */
-
-    
-#endif /* NEED_NSS_ILOCK */
-
-PR_END_EXTERN_C
-#endif /* _NSSILOCK_H_ */
diff --git a/security/nss/lib/util/nsslocks.c b/security/nss/lib/util/nsslocks.c
deleted file mode 100644
index deff7939c..000000000
--- a/security/nss/lib/util/nsslocks.c
+++ /dev/null
@@ -1,112 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * nsslocks.h - threadsafe functions to initialize lock pointers.
- *
- * NOTE - These are not public interfaces
- *
- * $Id$
- */
-
-#include "seccomon.h"
-#include "nsslocks.h"
-#include "pratom.h"
-#include "prthread.h"
-
-/* Given the address of a (global) pointer to a PZLock, 
- * atomicly create the lock and initialize the (global) pointer, 
- * if it is not already created/initialized.
- */
-
-SECStatus 
-__nss_InitLock(   PZLock    **ppLock, nssILockType ltype )
-{
-    static PRInt32  initializers;
-
-    PORT_Assert( ppLock != NULL);
-
-    /* atomically initialize the lock */
-    while (!*ppLock) {
-        PRInt32 myAttempt = PR_AtomicIncrement(&initializers);
-        if (myAttempt == 1) {
-            if (!*ppLock) {
-                *ppLock = PZ_NewLock(ltype);
-            }
-            (void) PR_AtomicDecrement(&initializers);
-            break;
-        }
-        PR_Sleep(PR_INTERVAL_NO_WAIT);          /* PR_Yield() */
-        (void) PR_AtomicDecrement(&initializers);
-    }
-
-    return (*ppLock != NULL) ? SECSuccess : SECFailure;
-}
-
-SECStatus 
-nss_InitLock(   PZLock    **ppLock, nssILockType ltype )
-{
-    return __nss_InitLock(ppLock, ltype);
-}
-
-/* Given the address of a (global) pointer to a PZMonitor, 
- * atomicly create the monitor and initialize the (global) pointer, 
- * if it is not already created/initialized.
- */
-
-SECStatus 
-nss_InitMonitor(PZMonitor **ppMonitor, nssILockType ltype )
-{
-    static PRInt32  initializers;
-
-    PORT_Assert( ppMonitor != NULL);
-
-    /* atomically initialize the lock */
-    while (!*ppMonitor) {
-        PRInt32 myAttempt = PR_AtomicIncrement(&initializers);
-        if (myAttempt == 1) {
-            if (!*ppMonitor) {
-                *ppMonitor = PZ_NewMonitor(ltype);
-            }
-            (void) PR_AtomicDecrement(&initializers);
-            break;
-        }
-        PR_Sleep(PR_INTERVAL_NO_WAIT);          /* PR_Yield() */
-        (void) PR_AtomicDecrement(&initializers);
-    }
-
-    return (*ppMonitor != NULL) ? SECSuccess : SECFailure;
-}
diff --git a/security/nss/lib/util/nsslocks.h b/security/nss/lib/util/nsslocks.h
deleted file mode 100644
index c8cb0892c..000000000
--- a/security/nss/lib/util/nsslocks.h
+++ /dev/null
@@ -1,70 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * nsslocks.h - threadsafe functions to initialize lock pointers.
- *
- * NOTE - These are not public interfaces
- *
- * $Id$
- */
-
-#ifndef _NSSLOCKS_H_
-#define _NSSLOCKS_H_
-
-#include "seccomon.h"
-#include "nssilock.h"
-#include "prmon.h"
-
-SEC_BEGIN_PROTOS
-
-/* Given the address of a (global) pointer to a PZLock, 
- * atomicly create the lock and initialize the (global) pointer, 
- * if it is not already created/initialized.
- */
-
-extern SECStatus nss_InitLock(   PZLock    **ppLock, nssILockType ltype );
-
-/* Given the address of a (global) pointer to a PZMonitor, 
- * atomicly create the monitor and initialize the (global) pointer, 
- * if it is not already created/initialized.
- */
-
-extern SECStatus nss_InitMonitor(PZMonitor **ppMonitor, nssILockType ltype );
-
-SEC_END_PROTOS
-
-#endif
diff --git a/security/nss/lib/util/nssrwlk.c b/security/nss/lib/util/nssrwlk.c
deleted file mode 100644
index dd9a8826f..000000000
--- a/security/nss/lib/util/nssrwlk.c
+++ /dev/null
@@ -1,514 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "nssrwlk.h"
-#include "nspr.h"
-
-PR_BEGIN_EXTERN_C
-
-/*
- * Reader-writer lock
- */
-struct nssRWLockStr {
-    PZLock *        rw_lock;
-    char   *        rw_name;            /* lock name                    */
-    PRUint32        rw_rank;            /* rank of the lock             */
-    PRInt32         rw_writer_locks;    /* ==  0, if unlocked           */
-    PRInt32         rw_reader_locks;    /* ==  0, if unlocked           */
-                                        /* > 0  , # of read locks       */
-    PRUint32        rw_waiting_readers; /* number of waiting readers    */
-    PRUint32        rw_waiting_writers; /* number of waiting writers    */
-    PZCondVar *     rw_reader_waitq;    /* cvar for readers             */
-    PZCondVar *     rw_writer_waitq;    /* cvar for writers             */
-    PRThread  *     rw_owner;           /* lock owner for write-lock    */
-                                        /* Non-null if write lock held. */
-};
-
-PR_END_EXTERN_C
-
-#include <string.h>
-
-#ifdef DEBUG_RANK_ORDER
-#define NSS_RWLOCK_RANK_ORDER_DEBUG /* enable deadlock detection using
-                                       rank-order for locks
-                                    */
-#endif
-
-#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
-
-static PRUintn  nss_thread_rwlock_initialized;
-static PRUintn  nss_thread_rwlock;               /* TPD key for lock stack */
-static PRUintn  nss_thread_rwlock_alloc_failed;
-
-#define _NSS_RWLOCK_RANK_ORDER_LIMIT 10
-
-typedef struct thread_rwlock_stack {
-    PRInt32     trs_index;                                  /* top of stack */
-    NSSRWLock    *trs_stack[_NSS_RWLOCK_RANK_ORDER_LIMIT];  /* stack of lock
-                                                               pointers */
-} thread_rwlock_stack;
-
-/* forward static declarations. */
-static PRUint32 nssRWLock_GetThreadRank(PRThread *me);
-static void     nssRWLock_SetThreadRank(PRThread *me, NSSRWLock *rwlock);
-static void     nssRWLock_UnsetThreadRank(PRThread *me, NSSRWLock *rwlock);
-static void     nssRWLock_ReleaseLockStack(void *lock_stack);
-
-#endif
-
-#define UNTIL(x) while(!(x))
-
-/*
- * Reader/Writer Locks
- */
-
-/*
- * NSSRWLock_New
- *      Create a reader-writer lock, with the given lock rank and lock name
- *
- */
-
-PR_IMPLEMENT(NSSRWLock *)
-NSSRWLock_New(PRUint32 lock_rank, const char *lock_name)
-{
-    NSSRWLock *rwlock;
-
-    rwlock = PR_NEWZAP(NSSRWLock);
-    if (rwlock == NULL)
-        return NULL;
-
-    rwlock->rw_lock = PZ_NewLock(nssILockRWLock);
-    if (rwlock->rw_lock == NULL) {
-	goto loser;
-    }
-    rwlock->rw_reader_waitq = PZ_NewCondVar(rwlock->rw_lock);
-    if (rwlock->rw_reader_waitq == NULL) {
-	goto loser;
-    }
-    rwlock->rw_writer_waitq = PZ_NewCondVar(rwlock->rw_lock);
-    if (rwlock->rw_writer_waitq == NULL) {
-	goto loser;
-    }
-    if (lock_name != NULL) {
-        rwlock->rw_name = (char*) PR_Malloc(strlen(lock_name) + 1);
-        if (rwlock->rw_name == NULL) {
-	    goto loser;
-        }
-        strcpy(rwlock->rw_name, lock_name);
-    } else {
-        rwlock->rw_name = NULL;
-    }
-    rwlock->rw_rank            = lock_rank;
-    rwlock->rw_waiting_readers = 0;
-    rwlock->rw_waiting_writers = 0;
-    rwlock->rw_reader_locks    = 0;
-    rwlock->rw_writer_locks    = 0;
-
-    return rwlock;
-
-loser:
-    NSSRWLock_Destroy(rwlock);
-    return(NULL);
-}
-
-/*
-** Destroy the given RWLock "lock".
-*/
-PR_IMPLEMENT(void)
-NSSRWLock_Destroy(NSSRWLock *rwlock)
-{
-    PR_ASSERT(rwlock != NULL);
-    PR_ASSERT(rwlock->rw_waiting_readers == 0);
-
-    /* XXX Shouldn't we lock the PZLock before destroying this?? */
-
-    if (rwlock->rw_name)
-    	PR_Free(rwlock->rw_name);
-    if (rwlock->rw_reader_waitq)
-    	PZ_DestroyCondVar(rwlock->rw_reader_waitq);
-    if (rwlock->rw_writer_waitq)
-	PZ_DestroyCondVar(rwlock->rw_writer_waitq);
-    if (rwlock->rw_lock)
-	PZ_DestroyLock(rwlock->rw_lock);
-    PR_DELETE(rwlock);
-}
-
-/***********************************************************************
-**  Given the address of a NULL pointer to a NSSRWLock, 
-**  atomically initializes that pointer to a newly created NSSRWLock.
-**  Returns the value placed into that pointer, or NULL.
-**   If the lock cannot be created because of resource constraints, 
-**   the pointer will be left NULL.
-**  
-***********************************************************************/
-PR_IMPLEMENT(NSSRWLock *)
-nssRWLock_AtomicCreate( NSSRWLock  ** prwlock, 
-			PRUint32      lock_rank, 
-			const char *  lock_name)
-{
-    NSSRWLock  *    rwlock;
-    static PRInt32  initializers;
-
-    PR_ASSERT(prwlock != NULL);
-
-    /* atomically initialize the lock */
-    while (NULL == (rwlock = *prwlock)) {
-        PRInt32 myAttempt = PR_AtomicIncrement(&initializers);
-        if (myAttempt == 1) {
-            if (NULL == (rwlock = *prwlock)) {
-                *prwlock = rwlock = NSSRWLock_New(lock_rank, lock_name);
-            }
-            (void) PR_AtomicDecrement(&initializers);
-            break;
-        }
-        PR_Sleep(PR_INTERVAL_NO_WAIT);          /* PR_Yield() */
-        (void) PR_AtomicDecrement(&initializers);
-    }
-
-    return rwlock;
-}
-
-/*
-** Read-lock the RWLock.
-*/
-PR_IMPLEMENT(void)
-NSSRWLock_LockRead(NSSRWLock *rwlock)
-{
-    PRThread *me = PR_GetCurrentThread();
-
-    PZ_Lock(rwlock->rw_lock);
-#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
-
-    /*
-     * assert that rank ordering is not violated; the rank of 'rwlock' should
-     * be equal to or greater than the highest rank of all the locks held by
-     * the thread.
-     */
-    PR_ASSERT((rwlock->rw_rank == NSS_RWLOCK_RANK_NONE) ||
-              (rwlock->rw_rank >= nssRWLock_GetThreadRank(me)));
-#endif
-    /*
-     * wait if write-locked or if a writer is waiting; preference for writers
-     */
-    UNTIL ( (rwlock->rw_owner == me) ||		  /* I own it, or        */
-	   ((rwlock->rw_owner == NULL) &&	  /* no-one owns it, and */
-	    (rwlock->rw_waiting_writers == 0))) { /* no-one is waiting to own */
-
-	rwlock->rw_waiting_readers++;
-	PZ_WaitCondVar(rwlock->rw_reader_waitq, PR_INTERVAL_NO_TIMEOUT);
-	rwlock->rw_waiting_readers--;
-    }
-    rwlock->rw_reader_locks++; 		/* Increment read-lock count */
-
-    PZ_Unlock(rwlock->rw_lock);
-
-#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
-    nssRWLock_SetThreadRank(me, rwlock);/* update thread's lock rank */
-#endif
-}
-
-/* Unlock a Read lock held on this RW lock.
-*/
-PR_IMPLEMENT(void)
-NSSRWLock_UnlockRead(NSSRWLock *rwlock)
-{
-    PZ_Lock(rwlock->rw_lock);
-
-    PR_ASSERT(rwlock->rw_reader_locks > 0); /* lock must be read locked */
-
-    if ((  rwlock->rw_reader_locks  > 0)  &&	/* caller isn't screwey */
-        (--rwlock->rw_reader_locks == 0)  &&	/* not read locked any more */
-	(  rwlock->rw_owner        == NULL) &&	/* not write locked */
-	(  rwlock->rw_waiting_writers > 0)) {	/* someone's waiting. */
-
-	PZ_NotifyCondVar(rwlock->rw_writer_waitq); /* wake him up. */
-    }
-
-    PZ_Unlock(rwlock->rw_lock);
-
-#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
-    /*
-     * update thread's lock rank
-     */
-    nssRWLock_UnsetThreadRank(me, rwlock);
-#endif
-    return;
-}
-
-/*
-** Write-lock the RWLock.
-*/
-PR_IMPLEMENT(void)
-NSSRWLock_LockWrite(NSSRWLock *rwlock)
-{
-    PRThread *me = PR_GetCurrentThread();
-
-    PZ_Lock(rwlock->rw_lock);
-#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
-    /*
-     * assert that rank ordering is not violated; the rank of 'rwlock' should
-     * be equal to or greater than the highest rank of all the locks held by
-     * the thread.
-     */
-    PR_ASSERT((rwlock->rw_rank == NSS_RWLOCK_RANK_NONE) ||
-                    (rwlock->rw_rank >= nssRWLock_GetThreadRank(me)));
-#endif
-    /*
-     * wait if read locked or write locked.
-     */
-    PR_ASSERT(rwlock->rw_reader_locks >= 0);
-    PR_ASSERT(me != NULL);
-
-    UNTIL ( (rwlock->rw_owner == me) ||           /* I own write lock, or */
-	   ((rwlock->rw_owner == NULL) &&	  /* no writer   and */
-	    (rwlock->rw_reader_locks == 0))) {    /* no readers, either. */
-
-        rwlock->rw_waiting_writers++;
-        PZ_WaitCondVar(rwlock->rw_writer_waitq, PR_INTERVAL_NO_TIMEOUT);
-        rwlock->rw_waiting_writers--;
-	PR_ASSERT(rwlock->rw_reader_locks >= 0);
-    }
-
-    PR_ASSERT(rwlock->rw_reader_locks == 0);
-    /*
-     * apply write lock
-     */
-    rwlock->rw_owner = me;
-    rwlock->rw_writer_locks++; 		/* Increment write-lock count */
-
-    PZ_Unlock(rwlock->rw_lock);
-
-#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
-    /*
-     * update thread's lock rank
-     */
-    nssRWLock_SetThreadRank(me,rwlock);
-#endif
-}
-
-/* Unlock a Read lock held on this RW lock.
-*/
-PR_IMPLEMENT(void)
-NSSRWLock_UnlockWrite(NSSRWLock *rwlock)
-{
-    PRThread *me = PR_GetCurrentThread();
-
-    PZ_Lock(rwlock->rw_lock);
-    PR_ASSERT(rwlock->rw_owner == me); /* lock must be write-locked by me.  */
-    PR_ASSERT(rwlock->rw_writer_locks > 0); /* lock must be write locked */
-
-    if (  rwlock->rw_owner        == me  &&	/* I own it, and            */
-          rwlock->rw_writer_locks  > 0   &&	/* I own it, and            */
-        --rwlock->rw_writer_locks == 0) {	/* I'm all done with it     */
-
-	rwlock->rw_owner = NULL;		/* I don't own it any more. */
-
-	/* Give preference to waiting writers. */
-	if (rwlock->rw_waiting_writers > 0) {
-	    if (rwlock->rw_reader_locks == 0)
-		PZ_NotifyCondVar(rwlock->rw_writer_waitq);
-	} else if (rwlock->rw_waiting_readers > 0) {
-	    PZ_NotifyAllCondVar(rwlock->rw_reader_waitq);
-	}
-    }
-    PZ_Unlock(rwlock->rw_lock);
-
-#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
-    /*
-     * update thread's lock rank
-     */
-    nssRWLock_UnsetThreadRank(me, rwlock);
-#endif
-    return;
-}
-
-/* This is primarily for debugging, i.e. for inclusion in ASSERT calls. */
-PR_IMPLEMENT(PRBool)
-NSSRWLock_HaveWriteLock(NSSRWLock *rwlock) {
-    PRBool ownWriteLock;
-    PRThread *me = PR_GetCurrentThread();
-
-    /* This lock call isn't really necessary.
-    ** If this thread is the owner, that fact cannot change during this call,
-    ** because this thread is in this call.
-    ** If this thread is NOT the owner, the owner could change, but it 
-    ** could not become this thread.  
-    */
-#if UNNECESSARY
-    PZ_Lock(rwlock->rw_lock);	
-#endif
-    ownWriteLock = (PRBool)(me == rwlock->rw_owner);
-#if UNNECESSARY
-    PZ_Unlock(rwlock->rw_lock);
-#endif
-    return ownWriteLock;
-}
-
-#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
-
-/*
- * nssRWLock_SetThreadRank
- *      Set a thread's lock rank, which is the highest of the ranks of all
- *      the locks held by the thread. Pointers to the locks are added to a
- *      per-thread list, which is anchored off a thread-private data key.
- */
-
-static void
-nssRWLock_SetThreadRank(PRThread *me, NSSRWLock *rwlock)
-{
-    thread_rwlock_stack *lock_stack;
-    PRStatus rv;
-
-    /*
-     * allocated thread-private-data for rwlock list, if not already allocated
-     */
-    if (!nss_thread_rwlock_initialized) {
-        /*
-         * allocate tpd, only if not failed already
-         */
-        if (!nss_thread_rwlock_alloc_failed) {
-            if (PR_NewThreadPrivateIndex(&nss_thread_rwlock,
-                                        nssRWLock_ReleaseLockStack)
-                                                == PR_FAILURE) {
-                nss_thread_rwlock_alloc_failed = 1;
-                return;
-            }
-        } else
-            return;
-    }
-    /*
-     * allocate a lock stack
-     */
-    if ((lock_stack = PR_GetThreadPrivate(nss_thread_rwlock)) == NULL) {
-        lock_stack = (thread_rwlock_stack *)
-                        PR_CALLOC(1 * sizeof(thread_rwlock_stack));
-        if (lock_stack) {
-            rv = PR_SetThreadPrivate(nss_thread_rwlock, lock_stack);
-            if (rv == PR_FAILURE) {
-                PR_DELETE(lock_stack);
-                nss_thread_rwlock_alloc_failed = 1;
-                return;
-            }
-        } else {
-            nss_thread_rwlock_alloc_failed = 1;
-            return;
-        }
-    }
-    /*
-     * add rwlock to lock stack, if limit is not exceeded
-     */
-    if (lock_stack) {
-        if (lock_stack->trs_index < _NSS_RWLOCK_RANK_ORDER_LIMIT)
-            lock_stack->trs_stack[lock_stack->trs_index++] = rwlock;
-    }
-    nss_thread_rwlock_initialized = 1;
-}
-
-static void
-nssRWLock_ReleaseLockStack(void *lock_stack)
-{
-    PR_ASSERT(lock_stack);
-    PR_DELETE(lock_stack);
-}
-
-/*
- * nssRWLock_GetThreadRank
- *
- *      return thread's lock rank. If thread-private-data for the lock
- *      stack is not allocated, return NSS_RWLOCK_RANK_NONE.
- */
-
-static PRUint32
-nssRWLock_GetThreadRank(PRThread *me)
-{
-    thread_rwlock_stack *lock_stack;
-
-    if (nss_thread_rwlock_initialized) {
-        if ((lock_stack = PR_GetThreadPrivate(nss_thread_rwlock)) == NULL)
-            return (NSS_RWLOCK_RANK_NONE);
-        else
-            return(lock_stack->trs_stack[lock_stack->trs_index - 1]->rw_rank);
-
-    } else
-            return (NSS_RWLOCK_RANK_NONE);
-}
-
-/*
- * nssRWLock_UnsetThreadRank
- *
- *      remove the rwlock from the lock stack. Since locks may not be
- *      unlocked in a FIFO order, the entire lock stack is searched.
- */
-
-static void
-nssRWLock_UnsetThreadRank(PRThread *me, NSSRWLock *rwlock)
-{
-    thread_rwlock_stack *lock_stack;
-    int new_index = 0, index, done = 0;
-
-    if (!nss_thread_rwlock_initialized)
-        return;
-
-    lock_stack = PR_GetThreadPrivate(nss_thread_rwlock);
-
-    PR_ASSERT(lock_stack != NULL);
-
-    index = lock_stack->trs_index - 1;
-    while (index-- >= 0) {
-        if ((lock_stack->trs_stack[index] == rwlock) && !done)  {
-            /*
-             * reset the slot for rwlock
-             */
-            lock_stack->trs_stack[index] = NULL;
-            done = 1;
-        }
-        /*
-         * search for the lowest-numbered empty slot, above which there are
-         * no non-empty slots
-         */
-        if ((lock_stack->trs_stack[index] != NULL) && !new_index)
-            new_index = index + 1;
-        if (done && new_index)
-            break;
-    }
-    /*
-     * set top of stack to highest numbered empty slot
-     */
-    lock_stack->trs_index = new_index;
-
-}
-
-#endif  /* NSS_RWLOCK_RANK_ORDER_DEBUG */
diff --git a/security/nss/lib/util/nssrwlk.h b/security/nss/lib/util/nssrwlk.h
deleted file mode 100644
index 91eca20ca..000000000
--- a/security/nss/lib/util/nssrwlk.h
+++ /dev/null
@@ -1,163 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
-** File:		nsrwlock.h
-** Description:	API to basic reader-writer lock functions of NSS.
-**	These are re-entrant reader writer locks; that is,
-**	If I hold the write lock, I can ask for it and get it again.
-**	If I hold the write lock, I can also ask for and get a read lock.
-**      I can then release the locks in any order (read or write).
-**	I must release each lock type as many times as I acquired it.
-**	Otherwise, these are normal reader/writer locks.
-**
-** For deadlock detection, locks should be ranked, and no lock may be aquired
-** while I hold a lock of higher rank number.
-** If you don't want that feature, always use NSS_RWLOCK_RANK_NONE.
-** Lock name is for debugging, and is optional (may be NULL)
-**/
-
-#ifndef nssrwlk_h___
-#define nssrwlk_h___
-
-#include "prtypes.h"
-#include "nssrwlkt.h"
-
-#define	NSS_RWLOCK_RANK_NONE	0
-
-/* SEC_BEGIN_PROTOS */
-PR_BEGIN_EXTERN_C
-
-/***********************************************************************
-** FUNCTION:    NSSRWLock_New
-** DESCRIPTION:
-**  Returns a pointer to a newly created reader-writer lock object.
-** INPUTS:      Lock rank
-**		Lock name
-** OUTPUTS:     void
-** RETURN:      NSSRWLock*
-**   If the lock cannot be created because of resource constraints, NULL
-**   is returned.
-**  
-***********************************************************************/
-PR_EXTERN(NSSRWLock*) NSSRWLock_New(PRUint32 lock_rank, const char *lock_name);
-
-/***********************************************************************
-** FUNCTION:    NSSRWLock_AtomicCreate
-** DESCRIPTION:
-**  Given the address of a NULL pointer to a NSSRWLock, 
-**  atomically initializes that pointer to a newly created NSSRWLock.
-**  Returns the value placed into that pointer, or NULL.
-**
-** INPUTS:      address of NSRWLock pointer
-**              Lock rank
-**		Lock name
-** OUTPUTS:     NSSRWLock*
-** RETURN:      NSSRWLock*
-**   If the lock cannot be created because of resource constraints, 
-**   the pointer will be left NULL.
-**  
-***********************************************************************/
-PR_EXTERN(NSSRWLock *)
-nssRWLock_AtomicCreate( NSSRWLock  ** prwlock, 
-			PRUint32      lock_rank, 
-			const char *  lock_name);
-
-/***********************************************************************
-** FUNCTION:    NSSRWLock_Destroy
-** DESCRIPTION:
-**  Destroys a given RW lock object.
-** INPUTS:      NSSRWLock *lock - Lock to be freed.
-** OUTPUTS:     void
-** RETURN:      None
-***********************************************************************/
-PR_EXTERN(void) NSSRWLock_Destroy(NSSRWLock *lock);
-
-/***********************************************************************
-** FUNCTION:    NSSRWLock_LockRead
-** DESCRIPTION:
-**  Apply a read lock (non-exclusive) on a RWLock
-** INPUTS:      NSSRWLock *lock - Lock to be read-locked.
-** OUTPUTS:     void
-** RETURN:      None
-***********************************************************************/
-PR_EXTERN(void) NSSRWLock_LockRead(NSSRWLock *lock);
-
-/***********************************************************************
-** FUNCTION:    NSSRWLock_LockWrite
-** DESCRIPTION:
-**  Apply a write lock (exclusive) on a RWLock
-** INPUTS:      NSSRWLock *lock - Lock to write-locked.
-** OUTPUTS:     void
-** RETURN:      None
-***********************************************************************/
-PR_EXTERN(void) NSSRWLock_LockWrite(NSSRWLock *lock);
-
-/***********************************************************************
-** FUNCTION:    NSSRWLock_UnlockRead
-** DESCRIPTION:
-**  Release a Read lock. Unlocking an unlocked lock has undefined results.
-** INPUTS:      NSSRWLock *lock - Lock to unlocked.
-** OUTPUTS:     void
-** RETURN:      void
-***********************************************************************/
-PR_EXTERN(void) NSSRWLock_UnlockRead(NSSRWLock *lock);
-
-/***********************************************************************
-** FUNCTION:    NSSRWLock_UnlockWrite
-** DESCRIPTION:
-**  Release a Write lock. Unlocking an unlocked lock has undefined results.
-** INPUTS:      NSSRWLock *lock - Lock to unlocked.
-** OUTPUTS:     void
-** RETURN:      void
-***********************************************************************/
-PR_EXTERN(void) NSSRWLock_UnlockWrite(NSSRWLock *lock);
-
-/***********************************************************************
-** FUNCTION:    NSSRWLock_HaveWriteLock
-** DESCRIPTION:
-**  Tells caller whether the current thread holds the write lock, or not.
-** INPUTS:      NSSRWLock *lock - Lock to test.
-** OUTPUTS:     void
-** RETURN:      PRBool	PR_TRUE IFF the current thread holds the write lock.
-***********************************************************************/
-
-PR_EXTERN(PRBool) NSSRWLock_HaveWriteLock(NSSRWLock *rwlock);
-
-/* SEC_END_PROTOS */
-PR_END_EXTERN_C
-
-#endif /* nsrwlock_h___ */
diff --git a/security/nss/lib/util/nssrwlkt.h b/security/nss/lib/util/nssrwlkt.h
deleted file mode 100644
index 995c00d81..000000000
--- a/security/nss/lib/util/nssrwlkt.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef nssrwlkt_h___
-#define nssrwlkt_h___
-#include "nssilock.h"
-/*
- * NSSRWLock --
- *
- *	The reader writer lock, NSSRWLock, is an opaque object to the clients
- *	of NSS.  All routines operate on a pointer to this opaque entity.
- */
-
-typedef struct nssRWLockStr NSSRWLock;
-
-
-#endif /* nsrwlock_h___ */
diff --git a/security/nss/lib/util/portreg.c b/security/nss/lib/util/portreg.c
deleted file mode 100644
index 869dab10a..000000000
--- a/security/nss/lib/util/portreg.c
+++ /dev/null
@@ -1,321 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- * 	Ken Key <key+mozilla@ksquared.net>
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/* 
- * shexp.c: shell-like wildcard match routines
- *
- *
- * See shexp.h for public documentation.
- *
- */
-
-#include "seccomon.h"
-#include "portreg.h"
-
-/* ----------------------------- shexp_valid ------------------------------ */
-
-
-static int 
-_valid_subexp(const char *exp, char stop) 
-{
-    register int x,y,t;
-    int nsc,np,tld;
-
-    x=0;nsc=0;tld=0;
-
-    while(exp[x] && (exp[x] != stop)) {
-        switch(exp[x]) {
-          case '~':
-            if(tld) return INVALID_SXP;
-            else ++tld;
-          case '*':
-          case '?':
-          case '^':
-          case '$':
-            ++nsc;
-            break;
-          case '[':
-            ++nsc;
-            if((!exp[++x]) || (exp[x] == ']'))
-                return INVALID_SXP;
-            for(++x;exp[x] && (exp[x] != ']');++x)
-                if(exp[x] == '\\')
-                    if(!exp[++x])
-                        return INVALID_SXP;
-            if(!exp[x])
-                return INVALID_SXP;
-            break;
-          case '(':
-            ++nsc;np = 0;
-            while(1) {
-                if(exp[++x] == ')')
-                    return INVALID_SXP;
-                for(y=x;(exp[y]) && (exp[y] != '|') && (exp[y] != ')');++y)
-                    if(exp[y] == '\\')
-                        if(!exp[++y])
-                            return INVALID_SXP;
-                if(!exp[y])
-                    return INVALID_SXP;
-                if(exp[y] == '|')
-                    ++np;
-                t = _valid_subexp(&exp[x],exp[y]);
-                if(t == INVALID_SXP)
-                    return INVALID_SXP;
-                x+=t;
-                if(exp[x] == ')') {
-                    if(!np)
-                        return INVALID_SXP;
-                    break;
-                }
-            }
-            break;
-          case ')':
-          case ']':
-            return INVALID_SXP;
-          case '\\':
-            if(!exp[++x])
-                return INVALID_SXP;
-          default:
-            break;
-        }
-        ++x;
-    }
-    if((!stop) && (!nsc))
-        return NON_SXP;
-    return ((exp[x] == stop) ? x : INVALID_SXP);
-}
-
-int 
-PORT_RegExpValid(const char *exp) 
-{
-    int x;
-
-    x = _valid_subexp(exp, '\0');
-    return (x < 0 ? x : VALID_SXP);
-}
-
-
-/* ----------------------------- shexp_match ----------------------------- */
-
-
-#define MATCH 0
-#define NOMATCH 1
-#define ABORTED -1
-
-static int _shexp_match(const char *str, const char *exp, PRBool case_insensitive);
-
-static int 
-_handle_union(const char *str, const char *exp, PRBool case_insensitive) 
-{
-    char *e2 = (char *) PORT_Alloc(sizeof(char)*strlen(exp));
-    register int t,p2,p1 = 1;
-    int cp;
-
-    while(1) {
-        for(cp=1;exp[cp] != ')';cp++)
-            if(exp[cp] == '\\')
-                ++cp;
-        for(p2 = 0;(exp[p1] != '|') && (p1 != cp);p1++,p2++) {
-            if(exp[p1] == '\\')
-                e2[p2++] = exp[p1++];
-            e2[p2] = exp[p1];
-        }
-        for (t=cp+1; ((e2[p2] = exp[t]) != 0); ++t,++p2) {}
-        if(_shexp_match(str,e2, case_insensitive) == MATCH) {
-            PORT_Free(e2);
-            return MATCH;
-        }
-        if(p1 == cp) {
-            PORT_Free(e2);
-            return NOMATCH;
-        }
-        else ++p1;
-    }
-}
-
-
-static int 
-_shexp_match(const char *str, const char *exp, PRBool case_insensitive) 
-{
-    register int x,y;
-    int ret,neg;
-
-    ret = 0;
-    for(x=0,y=0;exp[y];++y,++x) {
-        if((!str[x]) && (exp[y] != '(') && (exp[y] != '$') && (exp[y] != '*'))
-            ret = ABORTED;
-        else {
-            switch(exp[y]) {
-              case '$':
-                if( (str[x]) )
-                    ret = NOMATCH;
-                else
-                    --x;             /* we don't want loop to increment x */
-                break;
-              case '*':
-                while(exp[++y] == '*'){}
-                if(!exp[y])
-                    return MATCH;
-                while(str[x]) {
-                    switch(_shexp_match(&str[x++],&exp[y], case_insensitive)) {
-                    case NOMATCH:
-                        continue;
-                    case ABORTED:
-                        ret = ABORTED;
-                        break;
-                    default:
-                        return MATCH;
-                    }
-                    break;
-                }
-                if((exp[y] == '$') && (exp[y+1] == '\0') && (!str[x]))
-                    return MATCH;
-                else
-                    ret = ABORTED;
-                break;
-              case '[':
-              	neg = ((exp[++y] == '^') && (exp[y+1] != ']'));
-                if (neg)
-                    ++y;
-                
-                if ((isalnum(exp[y])) && (exp[y+1] == '-') && 
-                   (isalnum(exp[y+2])) && (exp[y+3] == ']'))
-                    {
-                        int start = exp[y], end = exp[y+2];
-                        
-                        /* no safeguards here */
-                        if(neg ^ ((str[x] < start) || (str[x] > end))) {
-                            ret = NOMATCH;
-                            break;
-                        }
-                        y+=3;
-                    }
-                else {
-                    int matched;
-                    
-                    for (matched=0;exp[y] != ']';y++)
-                        matched |= (str[x] == exp[y]);
-                    if (neg ^ (!matched))
-                        ret = NOMATCH;
-                }
-                break;
-              case '(':
-                return _handle_union(&str[x],&exp[y], case_insensitive);
-                break;
-              case '?':
-                break;
-              case '\\':
-                ++y;
-              default:
-		if(case_insensitive)
-		  {
-                    if(toupper(str[x]) != toupper(exp[y]))
-                        ret = NOMATCH;
-		  }
-		else
-		  {
-                    if(str[x] != exp[y])
-                        ret = NOMATCH;
-		  }
-                break;
-            }
-        }
-        if(ret)
-            break;
-    }
-    return (ret ? ret : (str[x] ? NOMATCH : MATCH));
-}
-
-static int 
-port_RegExpMatch(const char *str, const char *xp, PRBool case_insensitive) {
-    register int x;
-    char *exp = 0;
-
-    exp = PORT_Strdup(xp);
-
-    if(!exp)
-	return 1;
-
-    for(x=strlen(exp)-1;x;--x) {
-        if((exp[x] == '~') && (exp[x-1] != '\\')) {
-            exp[x] = '\0';
-            if(_shexp_match(str,&exp[++x], case_insensitive) == MATCH)
-                goto punt;
-            break;
-        }
-    }
-    if(_shexp_match(str,exp, case_insensitive) == MATCH) {
-        PORT_Free(exp);
-        return 0;
-    }
-
-  punt:
-    PORT_Free(exp);
-    return 1;
-}
-
-
-/* ------------------------------ shexp_cmp ------------------------------- */
-
-int 
-PORT_RegExpSearch(const char *str, const char *exp)
-{
-    switch(PORT_RegExpValid(exp)) 
-	  {
-        case INVALID_SXP:
-            return -1;
-        case NON_SXP:
-            return (strcmp(exp,str) ? 1 : 0);
-        default:
-            return port_RegExpMatch(str, exp, PR_FALSE);
-      }
-}
-
-int
-PORT_RegExpCaseSearch(const char *str, const char *exp)
-{
-    switch(PORT_RegExpValid(exp))
-      {
-        case INVALID_SXP:
-            return -1;
-        case NON_SXP:
-            return (PORT_Strcasecmp(exp,str) ? 1 : 0);
-        default:
-            return port_RegExpMatch(str, exp, PR_TRUE);
-      }
-}
-
diff --git a/security/nss/lib/util/portreg.h b/security/nss/lib/util/portreg.h
deleted file mode 100644
index 6045f3b08..000000000
--- a/security/nss/lib/util/portreg.h
+++ /dev/null
@@ -1,96 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * shexp.h: Defines and prototypes for shell exp. match routines
- * 
- *
- * This routine will match a string with a shell expression. The expressions
- * accepted are based loosely on the expressions accepted by zsh.
- * 
- * o * matches anything
- * o ? matches one character
- * o \ will escape a special character
- * o $ matches the end of the string
- * o [abc] matches one occurence of a, b, or c. The only character that needs
- *         to be escaped in this is ], all others are not special.
- * o [a-z] matches any character between a and z
- * o [^az] matches any character except a or z
- * o ~ followed by another shell expression will remove any pattern
- *     matching the shell expression from the match list
- * o (foo|bar) will match either the substring foo, or the substring bar.
- *             These can be shell expressions as well.
- * 
- * The public interface to these routines is documented below.
- * 
- */
- 
-#ifndef SHEXP_H
-#define SHEXP_H
-
-/*
- * Requires that the macro MALLOC be set to a "safe" malloc that will 
- * exit if no memory is available. 
- */
-
-
-/* --------------------------- Public routines ---------------------------- */
-
-
-/*
- * shexp_valid takes a shell expression exp as input. It returns:
- * 
- *  NON_SXP      if exp is a standard string
- *  INVALID_SXP  if exp is a shell expression, but invalid
- *  VALID_SXP    if exp is a valid shell expression
- */
-
-#define NON_SXP -1
-#define INVALID_SXP -2
-#define VALID_SXP 1
-
-SEC_BEGIN_PROTOS
-
-extern int PORT_RegExpValid(const char *exp);
-
-extern int PORT_RegExpSearch(const char *str, const char *exp);
-
-/* same as above but uses case insensitive search */
-extern int PORT_RegExpCaseSearch(const char *str, const char *exp);
-
-SEC_END_PROTOS
-
-#endif
diff --git a/security/nss/lib/util/pqgutil.c b/security/nss/lib/util/pqgutil.c
deleted file mode 100644
index edc69f8b3..000000000
--- a/security/nss/lib/util/pqgutil.c
+++ /dev/null
@@ -1,270 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#include "pqgutil.h"
-#include "prerror.h"
-#include "secitem.h"
-
-#define PQG_DEFAULT_CHUNKSIZE 2048	/* bytes */
-
-/**************************************************************************
- *  Return a pointer to a new PQGParams struct that is a duplicate of     *
- *  the one passed as an argument.                                        *
- *  Return NULL on failure, or if NULL was passed in.                     *
- *                                                                        *
- **************************************************************************/
-
-PQGParams *
-PQG_DupParams(const PQGParams *src)
-{
-    PRArenaPool *arena;
-    PQGParams *dest;
-    SECStatus status;
-
-    if (src == NULL) {
-	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
-	return NULL;
-    }
-
-    arena = PORT_NewArena(PQG_DEFAULT_CHUNKSIZE);
-    if (arena == NULL)
-	goto loser;
-
-    dest = (PQGParams*)PORT_ArenaZAlloc(arena, sizeof(PQGParams));
-    if (dest == NULL)
-	goto loser;
-
-    dest->arena = arena;
-
-    status = SECITEM_CopyItem(arena, &dest->prime, &src->prime);
-    if (status != SECSuccess)
-	goto loser;
-
-    status = SECITEM_CopyItem(arena, &dest->subPrime, &src->subPrime);
-    if (status != SECSuccess)
-	goto loser;
-
-    status = SECITEM_CopyItem(arena, &dest->base, &src->base);
-    if (status != SECSuccess)
-	goto loser;
-
-    return dest;
-
-loser:
-    if (arena != NULL)
-	PORT_FreeArena(arena, PR_FALSE);
-    return NULL;
-}
-
-/**************************************************************************
- *  Return a pointer to a new PQGParams struct that is constructed from   *
- *  copies of the arguments passed in.                                    *
- *  Return NULL on failure.                                               *
- **************************************************************************/
-
-PQGParams *
-PQG_NewParams(const SECItem * prime, const SECItem * subPrime, 
-              const SECItem * base)
-{
-    PQGParams *  dest;
-    PQGParams    src;
-
-    src.arena    = NULL;
-    src.prime    = *prime;
-    src.subPrime = *subPrime;
-    src.base     = *base;
-    dest         = PQG_DupParams(&src);
-    return dest;
-}
-
-/**************************************************************************
- * Fills in caller's "prime" SECItem with the prime value in params.
- * Contents can be freed by calling SECITEM_FreeItem(prime, PR_FALSE);	
- **************************************************************************/
-SECStatus
-PQG_GetPrimeFromParams(const PQGParams *params, SECItem * prime)
-{
-    return SECITEM_CopyItem(NULL, prime, &params->prime);
-}
-
-/**************************************************************************
- * Fills in caller's "subPrime" SECItem with the prime value in params.
- * Contents can be freed by calling SECITEM_FreeItem(subPrime, PR_FALSE);	
- **************************************************************************/
-SECStatus
-PQG_GetSubPrimeFromParams(const PQGParams *params, SECItem * subPrime)
-{
-    return SECITEM_CopyItem(NULL, subPrime, &params->subPrime);
-}
-
-/**************************************************************************
- * Fills in caller's "base" SECItem with the base value in params.
- * Contents can be freed by calling SECITEM_FreeItem(base, PR_FALSE);	
- **************************************************************************/
-SECStatus
-PQG_GetBaseFromParams(const PQGParams *params, SECItem * base)
-{
-    return SECITEM_CopyItem(NULL, base, &params->base);
-}
-
-/**************************************************************************
- *  Free the PQGParams struct and the things it points to.                *
- **************************************************************************/
-void
-PQG_DestroyParams(PQGParams *params)
-{
-    if (params == NULL) 
-    	return;
-    if (params->arena != NULL) {
-	PORT_FreeArena(params->arena, PR_FALSE);	/* don't zero it */
-    } else {
-	SECITEM_FreeItem(&params->prime,    PR_FALSE); /* don't free prime */
-	SECITEM_FreeItem(&params->subPrime, PR_FALSE); /* don't free subPrime */
-	SECITEM_FreeItem(&params->base,     PR_FALSE); /* don't free base */
-	PORT_Free(params);
-    }
-}
-
-/**************************************************************************
- *  Return a pointer to a new PQGVerify struct that is a duplicate of     *
- *  the one passed as an argument.                                        *
- *  Return NULL on failure, or if NULL was passed in.                     *
- **************************************************************************/
-
-PQGVerify *
-PQG_DupVerify(const PQGVerify *src)
-{
-    PRArenaPool *arena;
-    PQGVerify *  dest;
-    SECStatus    status;
-
-    if (src == NULL) {
-	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
-	return NULL;
-    }
-
-    arena = PORT_NewArena(PQG_DEFAULT_CHUNKSIZE);
-    if (arena == NULL)
-	goto loser;
-
-    dest = (PQGVerify*)PORT_ArenaZAlloc(arena, sizeof(PQGVerify));
-    if (dest == NULL)
-	goto loser;
-
-    dest->arena   = arena;
-    dest->counter = src->counter;
-
-    status = SECITEM_CopyItem(arena, &dest->seed, &src->seed);
-    if (status != SECSuccess)
-	goto loser;
-
-    status = SECITEM_CopyItem(arena, &dest->h, &src->h);
-    if (status != SECSuccess)
-	goto loser;
-
-    return dest;
-
-loser:
-    if (arena != NULL)
-	PORT_FreeArena(arena, PR_FALSE);
-    return NULL;
-}
-
-/**************************************************************************
- *  Return a pointer to a new PQGVerify struct that is constructed from   *
- *  copies of the arguments passed in.                                    *
- *  Return NULL on failure.                                               *
- **************************************************************************/
-
-PQGVerify *
-PQG_NewVerify(unsigned int counter, const SECItem * seed, const SECItem * h)
-{
-    PQGVerify *  dest;
-    PQGVerify    src;
-
-    src.arena    = NULL;
-    src.counter  = counter;
-    src.seed     = *seed;
-    src.h        = *h;
-    dest         = PQG_DupVerify(&src);
-    return dest;
-}
-
-/**************************************************************************
- * Returns the "counter" value from the PQGVerify.
- **************************************************************************/
-unsigned int
-PQG_GetCounterFromVerify(const PQGVerify *verify)
-{
-    return verify->counter;
-}
-
-/**************************************************************************
- * Fills in caller's "seed" SECItem with the seed value in verify.
- * Contents can be freed by calling SECITEM_FreeItem(seed, PR_FALSE);	
- **************************************************************************/
-SECStatus
-PQG_GetSeedFromVerify(const PQGVerify *verify, SECItem * seed)
-{
-    return SECITEM_CopyItem(NULL, seed, &verify->seed);
-}
-
-/**************************************************************************
- * Fills in caller's "h" SECItem with the h value in verify.
- * Contents can be freed by calling SECITEM_FreeItem(h, PR_FALSE);	
- **************************************************************************/
-SECStatus
-PQG_GetHFromVerify(const PQGVerify *verify, SECItem * h)
-{
-    return SECITEM_CopyItem(NULL, h, &verify->h);
-}
-
-/**************************************************************************
- *  Free the PQGVerify struct and the things it points to.                *
- **************************************************************************/
-
-void
-PQG_DestroyVerify(PQGVerify *vfy)
-{
-    if (vfy == NULL) 
-    	return;
-    if (vfy->arena != NULL) {
-	PORT_FreeArena(vfy->arena, PR_FALSE);	/* don't zero it */
-    } else {
-	SECITEM_FreeItem(&vfy->seed,   PR_FALSE); /* don't free seed */
-	SECITEM_FreeItem(&vfy->h,      PR_FALSE); /* don't free h */
-	PORT_Free(vfy);
-    }
-}
diff --git a/security/nss/lib/util/pqgutil.h b/security/nss/lib/util/pqgutil.h
deleted file mode 100644
index d792f72a8..000000000
--- a/security/nss/lib/util/pqgutil.h
+++ /dev/null
@@ -1,130 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#ifndef _PQGUTIL_H_
-#define _PQGUTIL_H_ 1
-
-#include "blapi.h"
-
-/**************************************************************************
- *  Return a pointer to a new PQGParams struct that is a duplicate of     *
- *  the one passed as an argument.                                        *
- *  Return NULL on failure, or if NULL was passed in.                     *
- **************************************************************************/
-extern PQGParams * PQG_DupParams(const PQGParams *src);
-
-
-/**************************************************************************
- *  Return a pointer to a new PQGParams struct that is constructed from   *
- *  copies of the arguments passed in.                                    *
- *  Return NULL on failure.                                               *
- **************************************************************************/
-extern PQGParams * PQG_NewParams(const SECItem * prime, 
-                                 const SECItem * subPrime, 
-                                 const SECItem * base);
-
-
-/**************************************************************************
- * Fills in caller's "prime" SECItem with the prime value in params.
- * Contents can be freed by calling SECITEM_FreeItem(prime, PR_FALSE);	
- **************************************************************************/
-extern SECStatus PQG_GetPrimeFromParams(const PQGParams *params, 
-                                        SECItem * prime);
-
-
-/**************************************************************************
- * Fills in caller's "subPrime" SECItem with the prime value in params.
- * Contents can be freed by calling SECITEM_FreeItem(subPrime, PR_FALSE);	
- **************************************************************************/
-extern SECStatus PQG_GetSubPrimeFromParams(const PQGParams *params, 
-                                           SECItem * subPrime);
-
-
-/**************************************************************************
- * Fills in caller's "base" SECItem with the base value in params.
- * Contents can be freed by calling SECITEM_FreeItem(base, PR_FALSE);	
- **************************************************************************/
-extern SECStatus PQG_GetBaseFromParams(const PQGParams *params, SECItem *base);
-
-
-/**************************************************************************
- *  Free the PQGParams struct and the things it points to.                *
- **************************************************************************/
-extern void PQG_DestroyParams(PQGParams *params);
-
-
-/**************************************************************************
- *  Return a pointer to a new PQGVerify struct that is a duplicate of     *
- *  the one passed as an argument.                                        *
- *  Return NULL on failure, or if NULL was passed in.                     *
- **************************************************************************/
-extern PQGVerify * PQG_DupVerify(const PQGVerify *src);
-
-
-/**************************************************************************
- *  Return a pointer to a new PQGVerify struct that is constructed from   *
- *  copies of the arguments passed in.                                    *
- *  Return NULL on failure.                                               *
- **************************************************************************/
-extern PQGVerify * PQG_NewVerify(unsigned int counter, const SECItem * seed, 
-                                 const SECItem * h);
-
-
-/**************************************************************************
- * Returns "counter" value from the PQGVerify.
- **************************************************************************/
-extern unsigned int PQG_GetCounterFromVerify(const PQGVerify *verify);
-
-/**************************************************************************
- * Fills in caller's "seed" SECItem with the seed value in verify.
- * Contents can be freed by calling SECITEM_FreeItem(seed, PR_FALSE);	
- **************************************************************************/
-extern SECStatus PQG_GetSeedFromVerify(const PQGVerify *verify, SECItem *seed);
-
-
-/**************************************************************************
- * Fills in caller's "h" SECItem with the h value in verify.
- * Contents can be freed by calling SECITEM_FreeItem(h, PR_FALSE);	
- **************************************************************************/
-extern SECStatus PQG_GetHFromVerify(const PQGVerify *verify, SECItem * h);
-
-
-/**************************************************************************
- *  Free the PQGVerify struct and the things it points to.                *
- **************************************************************************/
-extern void PQG_DestroyVerify(PQGVerify *vfy);
-
-
-#endif
diff --git a/security/nss/lib/util/quickder.c b/security/nss/lib/util/quickder.c
deleted file mode 100644
index 29a582147..000000000
--- a/security/nss/lib/util/quickder.c
+++ /dev/null
@@ -1,912 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
-    Optimized ASN.1 DER decoder
-    
-*/
-
-#include "secerr.h"
-#include "secasn1.h" /* for SEC_ASN1GetSubtemplate */
-#include "secitem.h"
-
-/*
- * simple definite-length ASN.1 decoder
- */
-
-static unsigned char* definite_length_decoder(const unsigned char *buf,
-                                              const unsigned int length,
-                                              unsigned int *data_length,
-                                              PRBool includeTag)
-{
-    unsigned char tag;
-    unsigned int used_length= 0;
-    unsigned int data_len;
-
-    if (used_length >= length)
-    {
-        return NULL;
-    }
-    tag = buf[used_length++];
-
-    /* blow out when we come to the end */
-    if (tag == 0)
-    {
-        return NULL;
-    }
-
-    if (used_length >= length)
-    {
-        return NULL;
-    }
-    data_len = buf[used_length++];
-
-    if (data_len&0x80)
-    {
-        int  len_count = data_len & 0x7f;
-
-        data_len = 0;
-
-        while (len_count-- > 0)
-        {
-            if (used_length >= length)
-            {
-                return NULL;
-            }
-            data_len = (data_len << 8) | buf[used_length++];
-        }
-    }
-
-    if (data_len > (length-used_length) )
-    {
-        return NULL;
-    }
-    if (includeTag) data_len += used_length;
-
-    *data_length = data_len;
-    return ((unsigned char*)buf + (includeTag ? 0 : used_length));
-}
-
-static SECStatus GetItem(SECItem* src, SECItem* dest, PRBool includeTag)
-{
-    if ( (!src) || (!dest) || (!src->data) )
-    {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    if (!src->len)
-    {
-        /* reaching the end of the buffer is not an error */
-        dest->data = NULL;
-        dest->len = 0;
-        return SECSuccess;
-    }
-
-    dest->data = definite_length_decoder(src->data,  src->len, &dest->len,
-        includeTag);
-    if (dest->data == NULL)
-    {
-        PORT_SetError(SEC_ERROR_BAD_DER);
-        return SECFailure;
-    }
-    src->len -= (dest->data - src->data) + dest->len;
-    src->data = dest->data + dest->len;
-    return SECSuccess;
-}
-
-/* check if the actual component's type matches the type in the template */
-
-static SECStatus MatchComponentType(const SEC_ASN1Template* templateEntry,
-                                    SECItem* item, PRBool* match, void* dest)
-{
-    unsigned long kind = 0;
-    unsigned char tag = 0;
-
-    if ( (!item) || (!templateEntry) || (!match) )
-    {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-    }
-
-    if (!item->len || !item->data)
-    {
-        *match = PR_FALSE;
-        return SECSuccess;
-    }
-
-    kind = templateEntry->kind;
-    tag = *(unsigned char*) item->data;
-
-    if ( ( (kind & SEC_ASN1_INLINE) ||
-           (kind & SEC_ASN1_POINTER) ) &&
-           (0 == (kind & SEC_ASN1_TAG_MASK) ) )
-    {
-        /* These cases are special because the template's "kind" does not
-           give us the information for the ASN.1 tag of the next item. It can
-           only be figured out from the subtemplate. */
-        if (!(kind & SEC_ASN1_OPTIONAL))
-        {
-            /* This is a required component. If there is a type mismatch,
-               the decoding of the subtemplate will fail, so assume this
-               is a match at the parent level and let it fail later. This
-               avoids a redundant check in matching cases */
-            *match = PR_TRUE;
-            return SECSuccess;
-        }
-        else
-        {
-            /* optional component. This is the hard case. Now we need to
-               look at the subtemplate to get the expected kind */
-            const SEC_ASN1Template* subTemplate = 
-                SEC_ASN1GetSubtemplate (templateEntry, dest, PR_FALSE);
-            if (!subTemplate)
-            {
-                PORT_SetError(SEC_ERROR_BAD_TEMPLATE);
-                return SECFailure;
-            }
-            if ( (subTemplate->kind & SEC_ASN1_INLINE) ||
-                 (subTemplate->kind & SEC_ASN1_POINTER) )
-            {
-                /* disallow nesting SEC_ASN1_POINTER and SEC_ASN1_INLINE,
-                   otherwise you may get a false positive due to the recursion
-                   optimization above that always matches the type if the
-                   component is required . Nesting these should never be
-                   required, so that no one should miss this ability */
-                PORT_SetError(SEC_ERROR_BAD_TEMPLATE);
-                return SECFailure;
-            }
-            return MatchComponentType(subTemplate, item, match,
-                                      (void*)((char*)dest + templateEntry->offset));
-        }
-    }
-
-    if (kind & SEC_ASN1_CHOICE)
-    {
-        /* we need to check the component's tag against each choice's tag */
-        /* XXX it would be nice to save the index of the choice here so that
-           DecodeChoice wouldn't have to do this again. However, due to the
-           recursivity of MatchComponentType, we don't know if we are in a
-           required or optional component, so we can't write anywhere in
-           the destination within this function */
-        unsigned choiceIndex = 1;
-        const SEC_ASN1Template* choiceEntry;
-        while ( (choiceEntry = &templateEntry[choiceIndex++]) && (choiceEntry->kind))
-        {
-            if ( (SECSuccess == MatchComponentType(choiceEntry, item, match,
-                                (void*)((char*)dest + choiceEntry->offset))) &&
-                 (PR_TRUE == *match) )
-            {
-                return SECSuccess;
-            }
-        }
-	/* no match, caller must decide if this is BAD DER, or not. */
-        *match = PR_FALSE;
-        return SECSuccess;
-    }
-
-    if (kind & SEC_ASN1_ANY)
-    {
-        /* SEC_ASN1_ANY always matches */
-        *match = PR_TRUE;
-        return SECSuccess;
-    }
-
-    if ( (0 == ((unsigned char)kind & SEC_ASN1_TAGNUM_MASK)) &&
-         (!(kind & SEC_ASN1_EXPLICIT)) &&
-         ( ( (kind & SEC_ASN1_SAVE) ||
-             (kind & SEC_ASN1_SKIP) ) &&
-           (!(kind & SEC_ASN1_OPTIONAL)) 
-         )
-       )
-    {
-        /* when saving or skipping a required component,  a type is not
-           required in the template. This is for legacy support of
-           SEC_ASN1_SAVE and SEC_ASN1_SKIP only. XXX I would like to
-           deprecate these usages and always require a type, as this
-           disables type checking, and effectively forbids us from
-           transparently ignoring optional components we aren't aware of */
-        *match = PR_TRUE;
-        return SECSuccess;
-    }
-
-    /* first, do a class check */
-    if ( (tag & SEC_ASN1_CLASS_MASK) !=
-         (((unsigned char)kind) & SEC_ASN1_CLASS_MASK) )
-    {
-#ifdef DEBUG
-        /* this is only to help debugging of the decoder in case of problems */
-        unsigned char tagclass = tag & SEC_ASN1_CLASS_MASK;
-        unsigned char expectedclass = (unsigned char)kind & SEC_ASN1_CLASS_MASK;
-        tagclass = tagclass;
-        expectedclass = expectedclass;
-#endif
-        *match = PR_FALSE;
-        return SECSuccess;
-    }
-
-    /* now do a tag check */
-    if ( ((unsigned char)kind & SEC_ASN1_TAGNUM_MASK) !=
-         (tag & SEC_ASN1_TAGNUM_MASK))
-    {
-        *match = PR_FALSE;
-        return SECSuccess;
-    }
-
-    /* now, do a method check. This depends on the class */
-    switch (tag & SEC_ASN1_CLASS_MASK)
-    {
-    case SEC_ASN1_UNIVERSAL:
-        /* For types of the SEC_ASN1_UNIVERSAL class, we know which must be
-           primitive or constructed based on the tag */
-        switch (tag & SEC_ASN1_TAGNUM_MASK)
-        {
-        case SEC_ASN1_SEQUENCE:
-        case SEC_ASN1_SET:
-        case SEC_ASN1_EMBEDDED_PDV:
-            /* this component must be a constructed type */
-            /* XXX add any new universal constructed type here */
-            if (tag & SEC_ASN1_CONSTRUCTED)
-            {
-                *match = PR_TRUE;
-                return SECSuccess;
-            }
-            break;
-
-        default:
-            /* this component must be a primitive type */
-            if (! (tag & SEC_ASN1_CONSTRUCTED))
-            {
-                *match = PR_TRUE;
-                return SECSuccess;
-            }
-            break;
-        }
-        break;
-
-    default:
-        /* for all other classes, we check the method based on the template */
-        if ( (unsigned char)(kind & SEC_ASN1_METHOD_MASK) ==
-             (tag & SEC_ASN1_METHOD_MASK) )
-        {
-            *match = PR_TRUE;
-            return SECSuccess;
-        }
-        /* method does not match between template and component */
-        break;
-    }
-
-    *match = PR_FALSE;
-    return SECSuccess;
-}
-
-#ifdef DEBUG
-
-static SECStatus CheckSequenceTemplate(const SEC_ASN1Template* sequenceTemplate)
-{
-    SECStatus rv = SECSuccess;
-    const SEC_ASN1Template* sequenceEntry = NULL;
-    unsigned long seqIndex = 0;
-    unsigned long lastEntryIndex = 0;
-    unsigned long ambiguityIndex = 0;
-    PRBool foundAmbiguity = PR_FALSE;
-
-    do
-    {
-        sequenceEntry = &sequenceTemplate[seqIndex++];
-        if (sequenceEntry->kind)
-        {
-            /* ensure that we don't have an optional component of SEC_ASN1_ANY
-               in the middle of the sequence, since we could not handle it */
-            /* XXX this function needs to dig into the subtemplates to find
-               the next tag */
-            if ( (PR_FALSE == foundAmbiguity) &&
-                 (sequenceEntry->kind & SEC_ASN1_OPTIONAL) &&
-                 (sequenceEntry->kind & SEC_ASN1_ANY) )
-            {
-                foundAmbiguity = PR_TRUE;
-                ambiguityIndex = seqIndex - 1;
-            }
-        }
-    } while (sequenceEntry->kind);
-
-    lastEntryIndex = seqIndex - 2;
-
-    if (PR_FALSE != foundAmbiguity)
-    {
-        if (ambiguityIndex < lastEntryIndex)
-        {
-            /* ambiguity can only be tolerated on the last entry */
-            PORT_SetError(SEC_ERROR_BAD_TEMPLATE);
-            rv = SECFailure;
-        }
-    }
-
-    /* XXX also enforce ASN.1 requirement that tags be
-       distinct for consecutive optional components */
-
-    return rv;
-}
-
-#endif
-
-static SECStatus DecodeItem(void* dest,
-                     const SEC_ASN1Template* templateEntry,
-                     SECItem* src, PRArenaPool* arena, PRBool checkTag);
-
-static SECStatus DecodeSequence(void* dest,
-                     const SEC_ASN1Template* templateEntry,
-                     SECItem* src, PRArenaPool* arena)
-{
-    SECStatus rv = SECSuccess;
-    SECItem source;
-    SECItem sequence;
-    const SEC_ASN1Template* sequenceTemplate = &(templateEntry[1]);
-    const SEC_ASN1Template* sequenceEntry = NULL;
-    unsigned long seqindex = 0;
-
-#ifdef DEBUG
-    /* for a sequence, we need to validate the template. */
-    rv = CheckSequenceTemplate(sequenceTemplate);
-#endif
-
-    source = *src;
-
-    /* get the sequence */
-    if (SECSuccess == rv)
-    {
-        rv = GetItem(&source, &sequence, PR_FALSE);
-    }
-
-    /* process it */
-    if (SECSuccess == rv)
-    do
-    {
-        sequenceEntry = &sequenceTemplate[seqindex++];
-        if ( (sequenceEntry && sequenceEntry->kind) &&
-             (sequenceEntry->kind != SEC_ASN1_SKIP_REST) )
-        {
-            rv = DecodeItem(dest, sequenceEntry, &sequence, arena, PR_TRUE);
-        }
-    } while ( (SECSuccess == rv) &&
-              (sequenceEntry->kind &&
-               sequenceEntry->kind != SEC_ASN1_SKIP_REST) );
-    /* we should have consumed all the bytes in the sequence by now
-       unless the caller doesn't care about the rest of the sequence */
-    if (SECSuccess == rv && sequence.len &&
-        sequenceEntry && sequenceEntry->kind != SEC_ASN1_SKIP_REST)
-    {
-        /* it isn't 100% clear whether this is a bad DER or a bad template.
-           The problem is that logically, they don't match - there is extra
-           data in the DER that the template doesn't know about */
-        PORT_SetError(SEC_ERROR_BAD_DER);
-        rv = SECFailure;
-    }
-
-    return rv;
-}
-
-static SECStatus DecodeInline(void* dest,
-                     const SEC_ASN1Template* templateEntry,
-                     SECItem* src, PRArenaPool* arena, PRBool checkTag)
-{
-    const SEC_ASN1Template* inlineTemplate = 
-        SEC_ASN1GetSubtemplate (templateEntry, dest, PR_FALSE);
-    return DecodeItem((void*)((char*)dest + templateEntry->offset),
-                            inlineTemplate, src, arena, checkTag);
-}
-
-static SECStatus DecodePointer(void* dest,
-                     const SEC_ASN1Template* templateEntry,
-                     SECItem* src, PRArenaPool* arena, PRBool checkTag)
-{
-    const SEC_ASN1Template* ptrTemplate = 
-        SEC_ASN1GetSubtemplate (templateEntry, dest, PR_FALSE);
-    void* subdata = PORT_ArenaZAlloc(arena, ptrTemplate->size);
-    *(void**)((char*)dest + templateEntry->offset) = subdata;
-    if (subdata)
-    {
-        return DecodeItem(subdata, ptrTemplate, src, arena, checkTag);
-    }
-    else
-    {
-        PORT_SetError(SEC_ERROR_NO_MEMORY);
-        return SECFailure;
-    }
-}
-
-static SECStatus DecodeImplicit(void* dest,
-                     const SEC_ASN1Template* templateEntry,
-                     SECItem* src, PRArenaPool* arena)
-{
-    if (templateEntry->kind & SEC_ASN1_POINTER)
-    {
-        return DecodePointer((void*)((char*)dest ),
-                             templateEntry, src, arena, PR_FALSE);
-    }
-    else
-    {
-        return DecodeInline((void*)((char*)dest ),
-                             templateEntry, src, arena, PR_FALSE);
-    }
-}
-
-static SECStatus DecodeChoice(void* dest,
-                     const SEC_ASN1Template* templateEntry,
-                     SECItem* src, PRArenaPool* arena)
-{
-    SECStatus rv = SECSuccess;
-    SECItem choice;
-    const SEC_ASN1Template* choiceTemplate = &(templateEntry[1]);
-    const SEC_ASN1Template* choiceEntry = NULL;
-    unsigned long choiceindex = 0;
-
-    /* XXX for a choice component, we should validate the template to make
-       sure the tags are distinct, in debug builds. This hasn't been
-       implemented yet */
-    /* rv = CheckChoiceTemplate(sequenceTemplate); */
-
-    /* process it */
-    do
-    {
-        choice = *src;
-        choiceEntry = &choiceTemplate[choiceindex++];
-        if (choiceEntry->kind)
-        {
-            rv = DecodeItem(dest, choiceEntry, &choice, arena, PR_TRUE);
-        }
-    } while ( (SECFailure == rv) && (choiceEntry->kind));
-
-    if (SECFailure == rv)
-    {
-        /* the component didn't match any of the choices */
-        PORT_SetError(SEC_ERROR_BAD_DER);
-    }
-    else
-    {
-        /* set the type in the union here */
-        int *which = (int *)((char *)dest + templateEntry->offset);
-        *which = (int)choiceEntry->size;
-    }
-
-    /* we should have consumed all the bytes by now */
-    /* fail if we have not */
-    if (SECSuccess == rv && choice.len)
-    {
-        /* there is extra data that isn't listed in the template */
-        PORT_SetError(SEC_ERROR_BAD_DER);
-        rv = SECFailure;
-    }
-    return rv;
-}
-
-static SECStatus DecodeGroup(void* dest,
-                     const SEC_ASN1Template* templateEntry,
-                     SECItem* src, PRArenaPool* arena)
-{
-    SECStatus rv = SECSuccess;
-    SECItem source;
-    SECItem group;
-    PRUint32 totalEntries = 0;
-    PRUint32 entryIndex = 0;
-    void** entries = NULL;
-
-    const SEC_ASN1Template* subTemplate =
-        SEC_ASN1GetSubtemplate (templateEntry, dest, PR_FALSE);
-
-    source = *src;
-
-    /* get the group */
-    if (SECSuccess == rv)
-    {
-        rv = GetItem(&source, &group, PR_FALSE);
-    }
-
-    /* XXX we should check the subtemplate in debug builds */
-    if (SECSuccess == rv)
-    {
-        /* first, count the number of entries. Benchmarking showed that this
-           counting pass is more efficient than trying to allocate entries as
-           we read the DER, even if allocating many entries at a time
-        */
-        SECItem counter = group;
-        do
-        {
-            SECItem anitem;
-            rv = GetItem(&counter, &anitem, PR_TRUE);
-            if (SECSuccess == rv && (anitem.len) )
-            {
-                totalEntries++;
-            }
-        }  while ( (SECSuccess == rv) && (counter.len) );
-
-        if (SECSuccess == rv)
-        {
-            /* allocate room for pointer array and entries */
-            /* we want to allocate the array even if there is 0 entry */
-            entries = (void**)PORT_ArenaZAlloc(arena, sizeof(void*)*
-                                          (totalEntries + 1 ) + /* the extra one is for NULL termination */
-                                          subTemplate->size*totalEntries); 
-
-            if (entries)
-            {
-                entries[totalEntries] = NULL; /* terminate the array */
-            }
-            else
-            {
-                PORT_SetError(SEC_ERROR_NO_MEMORY);
-                rv = SECFailure;
-            }
-            if (SECSuccess == rv)
-            {
-                void* entriesData = (unsigned char*)entries + (unsigned long)(sizeof(void*)*(totalEntries + 1 ));
-                /* and fix the pointers in the array */
-                PRUint32 entriesIndex = 0;
-                for (entriesIndex = 0;entriesIndex<totalEntries;entriesIndex++)
-                {
-                    entries[entriesIndex] =
-                        (char*)entriesData + (subTemplate->size*entriesIndex);
-                }
-            }
-        }
-    }
-
-    if (SECSuccess == rv && totalEntries)
-    do
-    {
-        if (!(entryIndex<totalEntries))
-        {
-            rv = SECFailure;
-            break;
-        }
-        rv = DecodeItem(entries[entryIndex++], subTemplate, &group, arena, PR_TRUE);
-    } while ( (SECSuccess == rv) && (group.len) );
-    /* we should be at the end of the set by now */    
-    /* save the entries where requested */
-    memcpy(((char*)dest + templateEntry->offset), &entries, sizeof(void**));
-
-    return rv;
-}
-
-static SECStatus DecodeExplicit(void* dest,
-                     const SEC_ASN1Template* templateEntry,
-                     SECItem* src, PRArenaPool* arena)
-{
-    SECStatus rv = SECSuccess;
-    SECItem subItem;
-    SECItem constructed = *src;
-
-    rv = GetItem(&constructed, &subItem, PR_FALSE);
-
-    if (SECSuccess == rv)
-    {
-        if (templateEntry->kind & SEC_ASN1_POINTER)
-        {
-            rv = DecodePointer(dest, templateEntry, &subItem, arena, PR_TRUE);
-        }
-        else
-        {
-            rv = DecodeInline(dest, templateEntry, &subItem, arena, PR_TRUE);
-        }
-    }
-
-    return rv;
-}
-
-/* new decoder implementation. This is a recursive function */
-
-static SECStatus DecodeItem(void* dest,
-                     const SEC_ASN1Template* templateEntry,
-                     SECItem* src, PRArenaPool* arena, PRBool checkTag)
-{
-    SECStatus rv = SECSuccess;
-    SECItem temp;
-    SECItem mark;
-    PRBool pop = PR_FALSE;
-    PRBool decode = PR_TRUE;
-    PRBool save = PR_FALSE;
-    unsigned long kind;
-    PRBool match = PR_TRUE;
-    PRBool optional = PR_FALSE;
-
-    PR_ASSERT(src && dest && templateEntry && arena);
-#if 0
-    if (!src || !dest || !templateEntry || !arena)
-    {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        rv = SECFailure;
-    }
-#endif
-
-    if (SECSuccess == rv)
-    {
-        /* do the template validation */
-        kind = templateEntry->kind;
-        optional = (0 != (kind & SEC_ASN1_OPTIONAL));
-        if (!kind)
-        {
-            PORT_SetError(SEC_ERROR_BAD_TEMPLATE);
-            rv = SECFailure;
-        }
-    }
-
-    if (SECSuccess == rv)
-    {
-#ifdef DEBUG
-        if (kind & SEC_ASN1_DEBUG_BREAK)
-        {
-            /* when debugging the decoder or a template that fails to
-            decode, put SEC_ASN1_DEBUG in the component that gives you
-            trouble. The decoder will then get to this block and assert.
-            If you want to debug the rest of the code, you can set a
-            breakpoint and set dontassert to PR_TRUE, which will let
-            you skip over the assert and continue the debugging session
-            past it. */
-            PRBool dontassert = PR_FALSE;
-            PR_ASSERT(dontassert); /* set bkpoint here & set dontassert*/
-        }
-#endif
-
-        if ((kind & SEC_ASN1_SKIP) ||
-            (kind & SEC_ASN1_SAVE))
-        {
-            /* if skipping or saving this component, don't decode it */
-            decode = PR_FALSE;
-        }
-    
-        if (kind & (SEC_ASN1_SAVE | SEC_ASN1_OPTIONAL))
-        {
-            /* if saving this component, or if it is optional, we may not want to
-               move past it, so save the position in case we have to rewind */
-            mark = *src;
-            if (kind & SEC_ASN1_SAVE)
-            {
-                save = PR_TRUE;
-                if (0 == (kind & SEC_ASN1_SKIP))
-                {
-                    /* we will for sure have to rewind when saving this
-                       component and not skipping it. This is true for all
-                       legacy uses of SEC_ASN1_SAVE where the following entry
-                       in the template would causes the same component to be
-                       processed again */
-                    pop = PR_TRUE;
-                }
-            }
-        }
-
-        rv = GetItem(src, &temp, PR_TRUE);
-    }
-
-    if (SECSuccess == rv)
-    {
-        /* now check if the component matches what we expect in the template */
-
-        if (PR_TRUE == checkTag)
-
-        {
-            rv = MatchComponentType(templateEntry, &temp, &match, dest);
-        }
-
-        if ( (SECSuccess == rv) && (PR_TRUE != match) )
-        {
-            if (kind & SEC_ASN1_OPTIONAL)
-            {
-
-                /* the optional component is missing. This is not fatal. */
-                /* Rewind, don't decode, and don't save */
-                pop = PR_TRUE;
-                decode = PR_FALSE;
-                save = PR_FALSE;
-            }
-            else
-            {
-                /* a required component is missing. abort */
-                PORT_SetError(SEC_ERROR_BAD_DER);
-                rv = SECFailure;
-            }
-        }
-    }
-
-    if ((SECSuccess == rv) && (PR_TRUE == decode))
-    {
-        /* the order of processing here is is the tricky part */
-        /* we start with our special cases */
-        /* first, check the component class */
-        if (kind & SEC_ASN1_INLINE)
-        {
-            /* decode inline template */
-            rv = DecodeInline(dest, templateEntry, &temp , arena, PR_TRUE);
-        }
-
-        else
-        if (kind & SEC_ASN1_EXPLICIT)
-        {
-            rv = DecodeExplicit(dest, templateEntry, &temp, arena);
-        }
-        else
-        if ( (SEC_ASN1_UNIVERSAL != (kind & SEC_ASN1_CLASS_MASK)) &&
-
-              (!(kind & SEC_ASN1_EXPLICIT)))
-        {
-
-            /* decode implicitly tagged components */
-            rv = DecodeImplicit(dest, templateEntry, &temp , arena);
-        }
-        else
-        if (kind & SEC_ASN1_POINTER)
-        {
-            rv = DecodePointer(dest, templateEntry, &temp, arena, PR_TRUE);
-        }
-        else
-        if (kind & SEC_ASN1_CHOICE)
-        {
-            rv = DecodeChoice(dest, templateEntry, &temp, arena);
-        }
-        else
-        if (kind & SEC_ASN1_ANY)
-        {
-            /* catch-all ANY type, don't decode */
-            save = PR_TRUE;
-            if (kind & SEC_ASN1_INNER)
-            {
-                /* skip the tag and length */
-                SECItem newtemp = temp;
-                rv = GetItem(&newtemp, &temp, PR_FALSE);
-            }
-        }
-        else
-        if (kind & SEC_ASN1_GROUP)
-        {
-            if ( (SEC_ASN1_SEQUENCE == (kind & SEC_ASN1_TAGNUM_MASK)) ||
-                 (SEC_ASN1_SET == (kind & SEC_ASN1_TAGNUM_MASK)) )
-            {
-                rv = DecodeGroup(dest, templateEntry, &temp , arena);
-            }
-            else
-            {
-                /* a group can only be a SET OF or SEQUENCE OF */
-                PORT_SetError(SEC_ERROR_BAD_TEMPLATE);
-                rv = SECFailure;
-            }
-        }
-        else
-        if (SEC_ASN1_SEQUENCE == (kind & SEC_ASN1_TAGNUM_MASK))
-        {
-            /* plain SEQUENCE */
-            rv = DecodeSequence(dest, templateEntry, &temp , arena);
-        }
-        else
-        {
-            /* handle all other types as "save" */
-            /* we should only get here for primitive universal types */
-            SECItem newtemp = temp;
-            rv = GetItem(&newtemp, &temp, PR_FALSE);
-            save = PR_TRUE;
-            if ((SECSuccess == rv) && SEC_ASN1_UNIVERSAL == (kind & SEC_ASN1_CLASS_MASK))
-            switch (kind & SEC_ASN1_TAGNUM_MASK)
-            {
-            /* special cases of primitive types */
-            case SEC_ASN1_INTEGER:
-                {
-                    /* remove leading zeroes if the caller requested siUnsignedInteger
-                       This is to allow RSA key operations to work */
-                    SECItem* destItem = (SECItem*) ((char*)dest + templateEntry->offset);
-                    if (destItem && (siUnsignedInteger == destItem->type))
-                    {
-                        while (temp.len > 1 && temp.data[0] == 0)
-                        {              /* leading 0 */
-                            temp.data++;
-                            temp.len--;
-                        }
-                    }
-                    break;
-                }
-
-            case SEC_ASN1_BIT_STRING:
-                {
-                    /* change the length in the SECItem to be the number of bits */
-                    if (temp.len && temp.data)
-                    {
-                        temp.len = (temp.len-1)*8 - ((*(unsigned char*)temp.data) & 0x7);
-                        temp.data = (unsigned char*)(temp.data+1);
-                    }
-                    break;
-                }
-
-            default:
-                {
-                    break;
-                }
-            }
-        }
-    }
-
-    if ((SECSuccess == rv) && (PR_TRUE == save))
-    {
-        SECItem* destItem = (SECItem*) ((char*)dest + templateEntry->offset);
-        if (destItem)
-        {
-            /* we leave the type alone in the destination SECItem.
-               If part of the destination was allocated by the decoder, in
-               cases of POINTER, SET OF and SEQUENCE OF, then type is set to
-               siBuffer due to the use of PORT_ArenaZAlloc*/
-            destItem->data = temp.data;
-            destItem->len = temp.len;
-        }
-        else
-        {
-            PORT_SetError(SEC_ERROR_INVALID_ARGS);
-            rv = SECFailure;
-        }
-    }
-
-    if (PR_TRUE == pop)
-    {
-        /* we don't want to move ahead, so restore the position */
-        *src = mark;
-    }
-    return rv;
-}
-
-/* the function below is the public one */
-
-SECStatus SEC_QuickDERDecodeItem(PRArenaPool* arena, void* dest,
-                     const SEC_ASN1Template* templateEntry,
-                     const SECItem* src)
-{
-    SECStatus rv = SECSuccess;
-    SECItem newsrc;
-
-    if (!arena || !templateEntry || !src)
-    {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        rv = SECFailure;
-    }
-
-    if (SECSuccess == rv)
-    {
-        newsrc = *src;
-        rv = DecodeItem(dest, templateEntry, &newsrc, arena, PR_TRUE);
-        if (SECSuccess == rv && newsrc.len)
-        {
-            rv = SECFailure;
-            PORT_SetError(SEC_ERROR_EXTRA_INPUT);
-        }
-    }
-
-    return rv;
-}
-
diff --git a/security/nss/lib/util/secalgid.c b/security/nss/lib/util/secalgid.c
deleted file mode 100644
index e39d00354..000000000
--- a/security/nss/lib/util/secalgid.c
+++ /dev/null
@@ -1,182 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "secoid.h"
-#include "secder.h"	/* XXX remove this when remove the DERTemplate */
-#include "secasn1.h"
-#include "secitem.h"
-#include "secerr.h"
-
-/* XXX Old template; want to expunge it eventually. */
-DERTemplate SECAlgorithmIDTemplate[] = {
-    { DER_SEQUENCE,
-	  0, NULL, sizeof(SECAlgorithmID) },
-    { DER_OBJECT_ID,
-	  offsetof(SECAlgorithmID,algorithm), },
-    { DER_OPTIONAL | DER_ANY,
-	  offsetof(SECAlgorithmID,parameters), },
-    { 0, }
-};
-
-const SEC_ASN1Template SECOID_AlgorithmIDTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(SECAlgorithmID) },
-    { SEC_ASN1_OBJECT_ID,
-	  offsetof(SECAlgorithmID,algorithm), },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
-	  offsetof(SECAlgorithmID,parameters), },
-    { 0, }
-};
-
-SECOidTag
-SECOID_GetAlgorithmTag(SECAlgorithmID *id)
-{
-    if (id == NULL || id->algorithm.data == NULL)
-	return SEC_OID_UNKNOWN;
-
-    return SECOID_FindOIDTag (&(id->algorithm));
-}
-
-SECStatus
-SECOID_SetAlgorithmID(PRArenaPool *arena, SECAlgorithmID *id, SECOidTag which,
-		      SECItem *params)
-{
-    SECOidData *oiddata;
-    PRBool add_null_param;
-
-    oiddata = SECOID_FindOIDByTag(which);
-    if ( !oiddata ) {
-	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-	return SECFailure;
-    }
-
-    if (SECITEM_CopyItem(arena, &id->algorithm, &oiddata->oid))
-	return SECFailure;
-
-    switch (which) {
-      case SEC_OID_MD2:
-      case SEC_OID_MD4:
-      case SEC_OID_MD5:
-      case SEC_OID_SHA1:
-      case SEC_OID_SHA256:
-      case SEC_OID_SHA384:
-      case SEC_OID_SHA512:
-      case SEC_OID_PKCS1_RSA_ENCRYPTION:
-      case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
-      case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
-      case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
-      case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
-      case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
-      case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
-      case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
-	add_null_param = PR_TRUE;
-	break;
-      default:
-	add_null_param = PR_FALSE;
-	break;
-    }
-
-    if (params) {
-	/*
-	 * I am specifically *not* enforcing the following assertion
-	 * (by following it up with an error and a return of failure)
-	 * because I do not want to introduce any change in the current
-	 * behavior.  But I do want for us to notice if the following is
-	 * ever true, because I do not think it should be so and probably
-	 * signifies an error/bug somewhere.
-	 */
-	PORT_Assert(!add_null_param || (params->len == 2
-					&& params->data[0] == SEC_ASN1_NULL
-					&& params->data[1] == 0));
-	if (SECITEM_CopyItem(arena, &id->parameters, params)) {
-	    return SECFailure;
-	}
-    } else {
-	/*
-	 * Again, this is not considered an error.  But if we assume
-	 * that nobody tries to set the parameters field themselves
-	 * (but always uses this routine to do that), then we should
-	 * not hit the following assertion.  Unless they forgot to zero
-	 * the structure, which could also be a bad (and wrong) thing.
-	 */
-	PORT_Assert(id->parameters.data == NULL);
-
-	if (add_null_param) {
-	    (void) SECITEM_AllocItem(arena, &id->parameters, 2);
-	    if (id->parameters.data == NULL) {
-		return SECFailure;
-	    }
-	    id->parameters.data[0] = SEC_ASN1_NULL;
-	    id->parameters.data[1] = 0;
-	}
-    }
-
-    return SECSuccess;
-}
-
-SECStatus
-SECOID_CopyAlgorithmID(PRArenaPool *arena, SECAlgorithmID *to, SECAlgorithmID *from)
-{
-    SECStatus rv;
-
-    rv = SECITEM_CopyItem(arena, &to->algorithm, &from->algorithm);
-    if (rv) return rv;
-    rv = SECITEM_CopyItem(arena, &to->parameters, &from->parameters);
-    return rv;
-}
-
-void SECOID_DestroyAlgorithmID(SECAlgorithmID *algid, PRBool freeit)
-{
-    SECITEM_FreeItem(&algid->parameters, PR_FALSE);
-    SECITEM_FreeItem(&algid->algorithm, PR_FALSE);
-    if(freeit == PR_TRUE)
-        PORT_Free(algid);
-}
-
-SECComparison
-SECOID_CompareAlgorithmID(SECAlgorithmID *a, SECAlgorithmID *b)
-{
-    SECComparison rv;
-
-    rv = SECITEM_CompareItem(&a->algorithm, &b->algorithm);
-    if (rv) return rv;
-    rv = SECITEM_CompareItem(&a->parameters, &b->parameters);
-    return rv;
-}
-
-/* This functions simply returns the address of the above-declared template. */
-SEC_ASN1_CHOOSER_IMPLEMENT(SECOID_AlgorithmIDTemplate)
-
diff --git a/security/nss/lib/util/secasn1.h b/security/nss/lib/util/secasn1.h
deleted file mode 100644
index 462aaac23..000000000
--- a/security/nss/lib/util/secasn1.h
+++ /dev/null
@@ -1,310 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Support for encoding/decoding of ASN.1 using BER/DER (Basic/Distinguished
- * Encoding Rules).  The routines are found in and used extensively by the
- * security library, but exported for other use.
- *
- * $Id$
- */
-
-#ifndef _SECASN1_H_
-#define _SECASN1_H_
-
-#include "plarena.h"
-
-#include "seccomon.h"
-#include "secasn1t.h"
-
-
-/************************************************************************/
-SEC_BEGIN_PROTOS
-
-/*
- * XXX These function prototypes need full, explanatory comments.
- */
-
-/*
-** Decoding.
-*/
-
-extern SEC_ASN1DecoderContext *SEC_ASN1DecoderStart(PRArenaPool *pool,
-						    void *dest,
-						    const SEC_ASN1Template *t);
-
-/* XXX char or unsigned char? */
-extern SECStatus SEC_ASN1DecoderUpdate(SEC_ASN1DecoderContext *cx,
-				       const char *buf,
-				       unsigned long len);
-
-extern SECStatus SEC_ASN1DecoderFinish(SEC_ASN1DecoderContext *cx);
-
-/* Higher level code detected an error, abort the rest of the processing */
-extern void SEC_ASN1DecoderAbort(SEC_ASN1DecoderContext *cx, int error);
-
-extern void SEC_ASN1DecoderSetFilterProc(SEC_ASN1DecoderContext *cx,
-					 SEC_ASN1WriteProc fn,
-					 void *arg, PRBool no_store);
-
-extern void SEC_ASN1DecoderClearFilterProc(SEC_ASN1DecoderContext *cx);
-
-extern void SEC_ASN1DecoderSetNotifyProc(SEC_ASN1DecoderContext *cx,
-					 SEC_ASN1NotifyProc fn,
-					 void *arg);
-
-extern void SEC_ASN1DecoderClearNotifyProc(SEC_ASN1DecoderContext *cx);
-
-extern SECStatus SEC_ASN1Decode(PRArenaPool *pool, void *dest,
-				const SEC_ASN1Template *t,
-				const char *buf, long len);
-
-/* Both classic ASN.1 and QuickDER have a feature that removes leading zeroes
-   out of SEC_ASN1_INTEGER if the caller sets siUnsignedInteger in the type
-   field of the target SECItem prior to calling the decoder. Otherwise, the
-   type field is ignored and untouched. For SECItem that are dynamically
-   allocated (from POINTER, SET OF, SEQUENCE OF) the decoder sets the type
-   field to siBuffer. */
-
-extern SECStatus SEC_ASN1DecodeItem(PRArenaPool *pool, void *dest,
-				    const SEC_ASN1Template *t,
-				    const SECItem *src);
-
-extern SECStatus SEC_QuickDERDecodeItem(PRArenaPool* arena, void* dest,
-                     const SEC_ASN1Template* templateEntry,
-                     const SECItem* src);
-
-/*
-** Encoding.
-*/
-
-extern SEC_ASN1EncoderContext *SEC_ASN1EncoderStart(const void *src,
-						    const SEC_ASN1Template *t,
-						    SEC_ASN1WriteProc fn,
-						    void *output_arg);
-
-/* XXX char or unsigned char? */
-extern SECStatus SEC_ASN1EncoderUpdate(SEC_ASN1EncoderContext *cx,
-				       const char *buf,
-				       unsigned long len);
-
-extern void SEC_ASN1EncoderFinish(SEC_ASN1EncoderContext *cx);
-
-/* Higher level code detected an error, abort the rest of the processing */
-extern void SEC_ASN1EncoderAbort(SEC_ASN1EncoderContext *cx, int error);
-
-extern void SEC_ASN1EncoderSetNotifyProc(SEC_ASN1EncoderContext *cx,
-					 SEC_ASN1NotifyProc fn,
-					 void *arg);
-
-extern void SEC_ASN1EncoderClearNotifyProc(SEC_ASN1EncoderContext *cx);
-
-extern void SEC_ASN1EncoderSetStreaming(SEC_ASN1EncoderContext *cx);
-
-extern void SEC_ASN1EncoderClearStreaming(SEC_ASN1EncoderContext *cx);
-
-extern void sec_ASN1EncoderSetDER(SEC_ASN1EncoderContext *cx);
-
-extern void sec_ASN1EncoderClearDER(SEC_ASN1EncoderContext *cx);
-
-extern void SEC_ASN1EncoderSetTakeFromBuf(SEC_ASN1EncoderContext *cx);
-
-extern void SEC_ASN1EncoderClearTakeFromBuf(SEC_ASN1EncoderContext *cx);
-
-extern SECStatus SEC_ASN1Encode(const void *src, const SEC_ASN1Template *t,
-				SEC_ASN1WriteProc output_proc,
-				void *output_arg);
-
-extern SECItem * SEC_ASN1EncodeItem(PRArenaPool *pool, SECItem *dest,
-				    const void *src, const SEC_ASN1Template *t);
-
-extern SECItem * SEC_ASN1EncodeInteger(PRArenaPool *pool,
-				       SECItem *dest, long value);
-
-extern SECItem * SEC_ASN1EncodeUnsignedInteger(PRArenaPool *pool,
-					       SECItem *dest,
-					       unsigned long value);
-
-extern SECStatus SEC_ASN1DecodeInteger(SECItem *src,
-				       unsigned long *value);
-
-/*
-** Utilities.
-*/
-
-/*
- * We have a length that needs to be encoded; how many bytes will the
- * encoding take?
- */
-extern int SEC_ASN1LengthLength (unsigned long len);
-
-/* encode the length and return the number of bytes we encoded. Buffer
- * must be pre allocated  */
-extern int SEC_ASN1EncodeLength(unsigned char *buf,int value);
-
-/*
- * Find the appropriate subtemplate for the given template.
- * This may involve calling a "chooser" function, or it may just
- * be right there.  In either case, it is expected to *have* a
- * subtemplate; this is asserted in debug builds (in non-debug
- * builds, NULL will be returned).
- *
- * "thing" is a pointer to the structure being encoded/decoded
- * "encoding", when true, means that we are in the process of encoding
- *	(as opposed to in the process of decoding)
- */
-extern const SEC_ASN1Template *
-SEC_ASN1GetSubtemplate (const SEC_ASN1Template *inTemplate, void *thing,
-			PRBool encoding);
-
-/* whether the template is for a primitive type or a choice of
- * primitive types
- */
-extern PRBool SEC_ASN1IsTemplateSimple(const SEC_ASN1Template *theTemplate);
-
-/************************************************************************/
-
-/*
- * Generic Templates
- * One for each of the simple types, plus a special one for ANY, plus:
- *	- a pointer to each one of those
- *	- a set of each one of those
- *	- a sequence of each one of those
- *
- * Note that these are alphabetical (case insensitive); please add new
- * ones in the appropriate place.
- */
-
-extern const SEC_ASN1Template SEC_AnyTemplate[];
-extern const SEC_ASN1Template SEC_BitStringTemplate[];
-extern const SEC_ASN1Template SEC_BMPStringTemplate[];
-extern const SEC_ASN1Template SEC_BooleanTemplate[];
-extern const SEC_ASN1Template SEC_EnumeratedTemplate[];
-extern const SEC_ASN1Template SEC_GeneralizedTimeTemplate[];
-extern const SEC_ASN1Template SEC_IA5StringTemplate[];
-extern const SEC_ASN1Template SEC_IntegerTemplate[];
-extern const SEC_ASN1Template SEC_NullTemplate[];
-extern const SEC_ASN1Template SEC_ObjectIDTemplate[];
-extern const SEC_ASN1Template SEC_OctetStringTemplate[];
-extern const SEC_ASN1Template SEC_PrintableStringTemplate[];
-extern const SEC_ASN1Template SEC_T61StringTemplate[];
-extern const SEC_ASN1Template SEC_UniversalStringTemplate[];
-extern const SEC_ASN1Template SEC_UTCTimeTemplate[];
-extern const SEC_ASN1Template SEC_UTF8StringTemplate[];
-extern const SEC_ASN1Template SEC_VisibleStringTemplate[];
-
-extern const SEC_ASN1Template SEC_PointerToAnyTemplate[];
-extern const SEC_ASN1Template SEC_PointerToBitStringTemplate[];
-extern const SEC_ASN1Template SEC_PointerToBMPStringTemplate[];
-extern const SEC_ASN1Template SEC_PointerToBooleanTemplate[];
-extern const SEC_ASN1Template SEC_PointerToEnumeratedTemplate[];
-extern const SEC_ASN1Template SEC_PointerToGeneralizedTimeTemplate[];
-extern const SEC_ASN1Template SEC_PointerToIA5StringTemplate[];
-extern const SEC_ASN1Template SEC_PointerToIntegerTemplate[];
-extern const SEC_ASN1Template SEC_PointerToNullTemplate[];
-extern const SEC_ASN1Template SEC_PointerToObjectIDTemplate[];
-extern const SEC_ASN1Template SEC_PointerToOctetStringTemplate[];
-extern const SEC_ASN1Template SEC_PointerToPrintableStringTemplate[];
-extern const SEC_ASN1Template SEC_PointerToT61StringTemplate[];
-extern const SEC_ASN1Template SEC_PointerToUniversalStringTemplate[];
-extern const SEC_ASN1Template SEC_PointerToUTCTimeTemplate[];
-extern const SEC_ASN1Template SEC_PointerToUTF8StringTemplate[];
-extern const SEC_ASN1Template SEC_PointerToVisibleStringTemplate[];
-
-extern const SEC_ASN1Template SEC_SequenceOfAnyTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfBitStringTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfBMPStringTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfBooleanTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfEnumeratedTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfGeneralizedTimeTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfIA5StringTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfIntegerTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfNullTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfObjectIDTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfOctetStringTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfPrintableStringTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfT61StringTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfUniversalStringTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfUTCTimeTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfUTF8StringTemplate[];
-extern const SEC_ASN1Template SEC_SequenceOfVisibleStringTemplate[];
-
-extern const SEC_ASN1Template SEC_SetOfAnyTemplate[];
-extern const SEC_ASN1Template SEC_SetOfBitStringTemplate[];
-extern const SEC_ASN1Template SEC_SetOfBMPStringTemplate[];
-extern const SEC_ASN1Template SEC_SetOfBooleanTemplate[];
-extern const SEC_ASN1Template SEC_SetOfEnumeratedTemplate[];
-extern const SEC_ASN1Template SEC_SetOfGeneralizedTimeTemplate[];
-extern const SEC_ASN1Template SEC_SetOfIA5StringTemplate[];
-extern const SEC_ASN1Template SEC_SetOfIntegerTemplate[];
-extern const SEC_ASN1Template SEC_SetOfNullTemplate[];
-extern const SEC_ASN1Template SEC_SetOfObjectIDTemplate[];
-extern const SEC_ASN1Template SEC_SetOfOctetStringTemplate[];
-extern const SEC_ASN1Template SEC_SetOfPrintableStringTemplate[];
-extern const SEC_ASN1Template SEC_SetOfT61StringTemplate[];
-extern const SEC_ASN1Template SEC_SetOfUniversalStringTemplate[];
-extern const SEC_ASN1Template SEC_SetOfUTCTimeTemplate[];
-extern const SEC_ASN1Template SEC_SetOfUTF8StringTemplate[];
-extern const SEC_ASN1Template SEC_SetOfVisibleStringTemplate[];
-
-/*
- * Template for skipping a subitem; this only makes sense when decoding.
- */
-extern const SEC_ASN1Template SEC_SkipTemplate[];
-
-/* These functions simply return the address of the above-declared templates.
-** This is necessary for Windows DLLs.  Sigh.
-*/
-SEC_ASN1_CHOOSER_DECLARE(SEC_AnyTemplate)
-SEC_ASN1_CHOOSER_DECLARE(SEC_BMPStringTemplate)
-SEC_ASN1_CHOOSER_DECLARE(SEC_BooleanTemplate)
-SEC_ASN1_CHOOSER_DECLARE(SEC_BitStringTemplate)
-SEC_ASN1_CHOOSER_DECLARE(SEC_GeneralizedTimeTemplate)
-SEC_ASN1_CHOOSER_DECLARE(SEC_IA5StringTemplate)
-SEC_ASN1_CHOOSER_DECLARE(SEC_IntegerTemplate)
-SEC_ASN1_CHOOSER_DECLARE(SEC_NullTemplate)
-SEC_ASN1_CHOOSER_DECLARE(SEC_ObjectIDTemplate)
-SEC_ASN1_CHOOSER_DECLARE(SEC_OctetStringTemplate)
-SEC_ASN1_CHOOSER_DECLARE(SEC_UTCTimeTemplate)
-SEC_ASN1_CHOOSER_DECLARE(SEC_UTF8StringTemplate)
-
-SEC_ASN1_CHOOSER_DECLARE(SEC_PointerToAnyTemplate)
-SEC_ASN1_CHOOSER_DECLARE(SEC_PointerToOctetStringTemplate)
-
-SEC_ASN1_CHOOSER_DECLARE(SEC_SetOfAnyTemplate)
-
-SEC_END_PROTOS
-#endif /* _SECASN1_H_ */
diff --git a/security/nss/lib/util/secasn1d.c b/security/nss/lib/util/secasn1d.c
deleted file mode 100644
index ab0914b5d..000000000
--- a/security/nss/lib/util/secasn1d.c
+++ /dev/null
@@ -1,3300 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Support for DEcoding ASN.1 data based on BER/DER (Basic/Distinguished
- * Encoding Rules).
- *
- * $Id$
- */
-
-/* #define DEBUG_ASN1D_STATES 1 */
-
-#ifdef DEBUG_ASN1D_STATES
-#include <stdio.h>
-#define PR_Assert sec_asn1d_Assert
-#endif
-
-#include "secasn1.h"
-#include "secerr.h"
-
-typedef enum {
-    beforeIdentifier,
-    duringIdentifier,
-    afterIdentifier,
-    beforeLength,
-    duringLength,
-    afterLength,
-    beforeBitString,
-    duringBitString,
-    duringConstructedString,
-    duringGroup,
-    duringLeaf,
-    duringSaveEncoding,
-    duringSequence,
-    afterConstructedString,
-    afterGroup,
-    afterExplicit,
-    afterImplicit,
-    afterInline,
-    afterPointer,
-    afterSaveEncoding,
-    beforeEndOfContents,
-    duringEndOfContents,
-    afterEndOfContents,
-    beforeChoice,
-    duringChoice,
-    afterChoice,
-    notInUse
-} sec_asn1d_parse_place;
-
-#ifdef DEBUG_ASN1D_STATES
-static const char * const place_names[] = {
-    "beforeIdentifier",
-    "duringIdentifier",
-    "afterIdentifier",
-    "beforeLength",
-    "duringLength",
-    "afterLength",
-    "beforeBitString",
-    "duringBitString",
-    "duringConstructedString",
-    "duringGroup",
-    "duringLeaf",
-    "duringSaveEncoding",
-    "duringSequence",
-    "afterConstructedString",
-    "afterGroup",
-    "afterExplicit",
-    "afterImplicit",
-    "afterInline",
-    "afterPointer",
-    "afterSaveEncoding",
-    "beforeEndOfContents",
-    "duringEndOfContents",
-    "afterEndOfContents",
-    "beforeChoice",
-    "duringChoice",
-    "afterChoice",
-    "notInUse"
-};
-
-static const char * const class_names[] = {
-    "UNIVERSAL",
-    "APPLICATION",
-    "CONTEXT_SPECIFIC",
-    "PRIVATE"
-};
-
-static const char * const method_names[] = { "PRIMITIVE", "CONSTRUCTED" };
-
-static const char * const type_names[] = {
-    "END_OF_CONTENTS",
-    "BOOLEAN",
-    "INTEGER",
-    "BIT_STRING",
-    "OCTET_STRING",
-    "NULL",
-    "OBJECT_ID",
-    "OBJECT_DESCRIPTOR",
-    "(type 08)",
-    "REAL",
-    "ENUMERATED",
-    "EMBEDDED",
-    "UTF8_STRING",
-    "(type 0d)",
-    "(type 0e)",
-    "(type 0f)",
-    "SEQUENCE",
-    "SET",
-    "NUMERIC_STRING",
-    "PRINTABLE_STRING",
-    "T61_STRING",
-    "VIDEOTEXT_STRING",
-    "IA5_STRING",
-    "UTC_TIME",
-    "GENERALIZED_TIME",
-    "GRAPHIC_STRING",
-    "VISIBLE_STRING",
-    "GENERAL_STRING",
-    "UNIVERSAL_STRING",
-    "(type 1d)",
-    "BMP_STRING",
-    "HIGH_TAG_VALUE"
-};
-
-static const char * const flag_names[] = { /* flags, right to left */
-    "OPTIONAL",
-    "EXPLICIT",
-    "ANY",
-    "INLINE",
-    "POINTER",
-    "GROUP",
-    "DYNAMIC",
-    "SKIP",
-    "INNER",
-    "SAVE",
-    "",            /* decoder ignores "MAY_STREAM", */
-    "SKIP_REST",
-    "CHOICE",
-    "NO_STREAM",
-    "DEBUG_BREAK",
-    "unknown 08",
-    "unknown 10",
-    "unknown 20",
-    "unknown 40",
-    "unknown 80"
-};
-
-static int /* bool */
-formatKind(unsigned long kind, char * buf)
-{
-    int i;
-    unsigned long k = kind & SEC_ASN1_TAGNUM_MASK;
-    unsigned long notag = kind & (SEC_ASN1_CHOICE | SEC_ASN1_POINTER |
-        SEC_ASN1_INLINE | SEC_ASN1_ANY | SEC_ASN1_SAVE);
-
-    buf[0] = 0;
-    if ((kind & SEC_ASN1_CLASS_MASK) != SEC_ASN1_UNIVERSAL) {
-        sprintf(buf, " %s", class_names[(kind & SEC_ASN1_CLASS_MASK) >> 6] );
-        buf += strlen(buf);
-    }
-    if (kind & SEC_ASN1_METHOD_MASK) {
-        sprintf(buf, " %s", method_names[1]);
-        buf += strlen(buf);
-    }
-    if ((kind & SEC_ASN1_CLASS_MASK) == SEC_ASN1_UNIVERSAL) {
-        if (k || !notag) {
-            sprintf(buf, " %s", type_names[k] );
-            if ((k == SEC_ASN1_SET || k == SEC_ASN1_SEQUENCE) &&
-                (kind & SEC_ASN1_GROUP)) {
-                buf += strlen(buf);
-                sprintf(buf, "_OF");
-            }
-        }
-    } else {
-        sprintf(buf, " [%d]", k);
-    }
-    buf += strlen(buf);
-
-    for (k = kind >> 8, i = 0; k; k >>= 1, ++i) {
-        if (k & 1) {
-            sprintf(buf, " %s", flag_names[i]);
-            buf += strlen(buf);
-        }
-    }
-    return notag != 0;
-}
-
-#endif /* DEBUG_ASN1D_STATES */
-
-typedef enum {
-    allDone,
-    decodeError,
-    keepGoing,
-    needBytes
-} sec_asn1d_parse_status;
-
-struct subitem {
-    const void *data;
-    unsigned long len;		/* only used for substrings */
-    struct subitem *next;
-};
-
-typedef struct sec_asn1d_state_struct {
-    SEC_ASN1DecoderContext *top;
-    const SEC_ASN1Template *theTemplate;
-    void *dest;
-
-    void *our_mark;	/* free on completion */
-
-    struct sec_asn1d_state_struct *parent;	/* aka prev */
-    struct sec_asn1d_state_struct *child;	/* aka next */
-
-    sec_asn1d_parse_place place;
-
-    /*
-     * XXX explain the next fields as clearly as possible...
-     */
-    unsigned char found_tag_modifiers;
-    unsigned char expect_tag_modifiers;
-    unsigned long check_tag_mask;
-    unsigned long found_tag_number;
-    unsigned long expect_tag_number;
-    unsigned long underlying_kind;
-
-    unsigned long contents_length;
-    unsigned long pending;
-    unsigned long consumed;
-
-    int depth;
-
-    /*
-     * Bit strings have their length adjusted -- the first octet of the
-     * contents contains a value between 0 and 7 which says how many bits
-     * at the end of the octets are not actually part of the bit string;
-     * when parsing bit strings we put that value here because we need it
-     * later, for adjustment of the length (when the whole string is done).
-     */
-    unsigned int bit_string_unused_bits;
-
-    /*
-     * The following are used for indefinite-length constructed strings.
-     */
-    struct subitem *subitems_head;
-    struct subitem *subitems_tail;
-
-    PRPackedBool
-	allocate,	/* when true, need to allocate the destination */
-	endofcontents,	/* this state ended up parsing end-of-contents octets */
-	explicit,	/* we are handling an explicit header */
-	indefinite,	/* the current item has indefinite-length encoding */
-	missing,	/* an optional field that was not present */
-	optional,	/* the template says this field may be omitted */
-	substring;	/* this is a substring of a constructed string */
-
-} sec_asn1d_state;
-
-#define IS_HIGH_TAG_NUMBER(n)	((n) == SEC_ASN1_HIGH_TAG_NUMBER)
-#define LAST_TAG_NUMBER_BYTE(b)	(((b) & 0x80) == 0)
-#define TAG_NUMBER_BITS		7
-#define TAG_NUMBER_MASK		0x7f
-
-#define LENGTH_IS_SHORT_FORM(b)	(((b) & 0x80) == 0)
-#define LONG_FORM_LENGTH(b)	((b) & 0x7f)
-
-#define HIGH_BITS(field,cnt)	((field) >> ((sizeof(field) * 8) - (cnt)))
-
-
-/*
- * An "outsider" will have an opaque pointer to this, created by calling
- * SEC_ASN1DecoderStart().  It will be passed back in to all subsequent
- * calls to SEC_ASN1DecoderUpdate(), and when done it is passed to
- * SEC_ASN1DecoderFinish().
- */
-struct sec_DecoderContext_struct {
-    PRArenaPool *our_pool;		/* for our internal allocs */
-    PRArenaPool *their_pool;		/* for destination structure allocs */
-#ifdef SEC_ASN1D_FREE_ON_ERROR		/*
-					 * XXX see comment below (by same
-					 * ifdef) that explains why this
-					 * does not work (need more smarts
-					 * in order to free back to mark)
-					 */
-    /*
-     * XXX how to make their_mark work in the case where they do NOT
-     * give us a pool pointer?
-     */
-    void *their_mark;			/* free on error */
-#endif
-
-    sec_asn1d_state *current;
-    sec_asn1d_parse_status status;
-
-    SEC_ASN1NotifyProc notify_proc;	/* call before/after handling field */
-    void *notify_arg;			/* argument to notify_proc */
-    PRBool during_notify;		/* true during call to notify_proc */
-
-    SEC_ASN1WriteProc filter_proc;	/* pass field bytes to this  */
-    void *filter_arg;			/* argument to that function */
-    PRBool filter_only;			/* do not allocate/store fields */
-};
-
-
-/*
- * XXX this is a fairly generic function that may belong elsewhere
- */
-static void *
-sec_asn1d_alloc (PRArenaPool *poolp, unsigned long len)
-{
-    void *thing;
-
-    if (poolp != NULL) {
-	/*
-	 * Allocate from the pool.
-	 */
-	thing = PORT_ArenaAlloc (poolp, len);
-    } else {
-	/*
-	 * Allocate generically.
-	 */
-	thing = PORT_Alloc (len);
-    }
-
-    return thing;
-}
-
-
-/*
- * XXX this is a fairly generic function that may belong elsewhere
- */
-static void *
-sec_asn1d_zalloc (PRArenaPool *poolp, unsigned long len)
-{
-    void *thing;
-
-    thing = sec_asn1d_alloc (poolp, len);
-    if (thing != NULL)
-	PORT_Memset (thing, 0, len);
-    return thing;
-}
-
-
-static sec_asn1d_state *
-sec_asn1d_push_state (SEC_ASN1DecoderContext *cx,
-		      const SEC_ASN1Template *theTemplate,
-		      void *dest, PRBool new_depth)
-{
-    sec_asn1d_state *state, *new_state;
-
-    state = cx->current;
-
-    PORT_Assert (state == NULL || state->child == NULL);
-
-    if (state != NULL) {
-	PORT_Assert (state->our_mark == NULL);
-	state->our_mark = PORT_ArenaMark (cx->our_pool);
-    }
-
-    new_state = (sec_asn1d_state*)sec_asn1d_zalloc (cx->our_pool, 
-						    sizeof(*new_state));
-    if (new_state == NULL) {
-	goto loser;
-    }
-
-    new_state->top         = cx;
-    new_state->parent      = state;
-    new_state->theTemplate = theTemplate;
-    new_state->place       = notInUse;
-    if (dest != NULL)
-	new_state->dest = (char *)dest + theTemplate->offset;
-
-    if (state != NULL) {
-	new_state->depth = state->depth;
-	if (new_depth) {
-	    if (++new_state->depth > SEC_ASN1D_MAX_DEPTH) {
-		PORT_SetError (SEC_ERROR_BAD_DER);
-		goto loser;
-	    }
-	}
-	state->child = new_state;
-    }
-
-    cx->current = new_state;
-    return new_state;
-
-loser:
-    cx->status = decodeError;
-    if (state != NULL) {
-	PORT_ArenaRelease(cx->our_pool, state->our_mark);
-	state->our_mark = NULL;
-    }
-    return NULL;
-}
-
-
-static void
-sec_asn1d_scrub_state (sec_asn1d_state *state)
-{
-    /*
-     * Some default "scrubbing".
-     * XXX right set of initializations?
-     */
-    state->place = beforeIdentifier;
-    state->endofcontents = PR_FALSE;
-    state->indefinite = PR_FALSE;
-    state->missing = PR_FALSE;
-    PORT_Assert (state->consumed == 0);
-}
-
-
-static void
-sec_asn1d_notify_before (SEC_ASN1DecoderContext *cx, void *dest, int depth)
-{
-    if (cx->notify_proc == NULL)
-	return;
-
-    cx->during_notify = PR_TRUE;
-    (* cx->notify_proc) (cx->notify_arg, PR_TRUE, dest, depth);
-    cx->during_notify = PR_FALSE;
-}
-
-
-static void
-sec_asn1d_notify_after (SEC_ASN1DecoderContext *cx, void *dest, int depth)
-{
-    if (cx->notify_proc == NULL)
-	return;
-
-    cx->during_notify = PR_TRUE;
-    (* cx->notify_proc) (cx->notify_arg, PR_FALSE, dest, depth);
-    cx->during_notify = PR_FALSE;
-}
-
-
-static sec_asn1d_state *
-sec_asn1d_init_state_based_on_template (sec_asn1d_state *state)
-{
-    PRBool explicit, optional, universal;
-    unsigned char expect_tag_modifiers;
-    unsigned long encode_kind, under_kind;
-    unsigned long check_tag_mask, expect_tag_number;
-
-
-    /* XXX Check that both of these tests are really needed/appropriate. */
-    if (state == NULL || state->top->status == decodeError)
-	return state;
-
-    encode_kind = state->theTemplate->kind;
-
-    if (encode_kind & SEC_ASN1_SAVE) {
-	/*
-	 * This is a "magic" field that saves away all bytes, allowing
-	 * the immediately following field to still be decoded from this
-	 * same spot -- sort of a fork.
-	 */
-	/* check that there are no extraneous bits */
-	PORT_Assert (encode_kind == SEC_ASN1_SAVE);
-	if (state->top->filter_only) {
-	    /*
-	     * If we are not storing, then we do not do the SAVE field
-	     * at all.  Just move ahead to the "real" field instead,
-	     * doing the appropriate notify calls before and after.
-	     */
-	    sec_asn1d_notify_after (state->top, state->dest, state->depth);
-	    /*
-	     * Since we are not storing, allow for our current dest value
-	     * to be NULL.  (This might not actually occur, but right now I
-	     * cannot convince myself one way or the other.)  If it is NULL,
-	     * assume that our parent dest can help us out.
-	     */
-	    if (state->dest == NULL)
-		state->dest = state->parent->dest;
-	    else
-		state->dest = (char *)state->dest - state->theTemplate->offset;
-	    state->theTemplate++;
-	    if (state->dest != NULL)
-		state->dest = (char *)state->dest + state->theTemplate->offset;
-	    sec_asn1d_notify_before (state->top, state->dest, state->depth);
-	    encode_kind = state->theTemplate->kind;
-	    PORT_Assert ((encode_kind & SEC_ASN1_SAVE) == 0);
-	} else {
-	    sec_asn1d_scrub_state (state);
-	    state->place = duringSaveEncoding;
-	    state = sec_asn1d_push_state (state->top, SEC_AnyTemplate,
-					  state->dest, PR_FALSE);
-	    if (state != NULL)
-		state = sec_asn1d_init_state_based_on_template (state);
-	    return state;
-	}
-    }
-
-
-    universal = ((encode_kind & SEC_ASN1_CLASS_MASK) == SEC_ASN1_UNIVERSAL)
-		? PR_TRUE : PR_FALSE;
-
-    explicit = (encode_kind & SEC_ASN1_EXPLICIT) ? PR_TRUE : PR_FALSE;
-    encode_kind &= ~SEC_ASN1_EXPLICIT;
-
-    optional = (encode_kind & SEC_ASN1_OPTIONAL) ? PR_TRUE : PR_FALSE;
-    encode_kind &= ~SEC_ASN1_OPTIONAL;
-
-    PORT_Assert (!(explicit && universal));	/* bad templates */
-
-    encode_kind &= ~SEC_ASN1_DYNAMIC;
-    encode_kind &= ~SEC_ASN1_MAY_STREAM;
-
-    if (encode_kind & SEC_ASN1_CHOICE) {
-#if 0	/* XXX remove? */
-      sec_asn1d_state *child = sec_asn1d_push_state(state->top, state->theTemplate, state->dest, PR_FALSE);
-      if ((sec_asn1d_state *)NULL == child) {
-        return (sec_asn1d_state *)NULL;
-      }
-
-      child->allocate = state->allocate;
-      child->place = beforeChoice;
-      return child;
-#else
-      state->place = beforeChoice;
-      return state;
-#endif
-    }
-
-    if ((encode_kind & (SEC_ASN1_POINTER | SEC_ASN1_INLINE)) || (!universal
-							      && !explicit)) {
-	const SEC_ASN1Template *subt;
-	void *dest;
-	PRBool child_allocate;
-
-	PORT_Assert ((encode_kind & (SEC_ASN1_ANY | SEC_ASN1_SKIP)) == 0);
-
-	sec_asn1d_scrub_state (state);
-	child_allocate = PR_FALSE;
-
-	if (encode_kind & SEC_ASN1_POINTER) {
-	    /*
-	     * A POINTER means we need to allocate the destination for
-	     * this field.  But, since it may also be an optional field,
-	     * we defer the allocation until later; we just record that
-	     * it needs to be done.
-	     *
-	     * There are two possible scenarios here -- one is just a
-	     * plain POINTER (kind of like INLINE, except with allocation)
-	     * and the other is an implicitly-tagged POINTER.  We don't
-	     * need to do anything special here for the two cases, but
-	     * since the template definition can be tricky, we do check
-	     * that there are no extraneous bits set in encode_kind.
-	     *
-	     * XXX The same conditions which assert should set an error.
-	     */
-	    if (universal) {
-		/*
-		 * "universal" means this entry is a standalone POINTER;
-		 * there should be no other bits set in encode_kind.
-		 */
-		PORT_Assert (encode_kind == SEC_ASN1_POINTER);
-	    } else {
-		/*
-		 * If we get here we have an implicitly-tagged field
-		 * that needs to be put into a POINTER.  The subtemplate
-		 * will determine how to decode the field, but encode_kind
-		 * describes the (implicit) tag we are looking for.
-		 * The non-tag bits of encode_kind will be ignored by
-		 * the code below; none of them should be set, however,
-		 * except for the POINTER bit itself -- so check that.
-		 */
-		PORT_Assert ((encode_kind & ~SEC_ASN1_TAG_MASK)
-			     == SEC_ASN1_POINTER);
-	    }
-	    if (!state->top->filter_only)
-		child_allocate = PR_TRUE;
-	    dest = NULL;
-	    state->place = afterPointer;
-	} else {
-	    dest = state->dest;
-	    if (encode_kind & SEC_ASN1_INLINE) {
-		/* check that there are no extraneous bits */
-		PORT_Assert (encode_kind == SEC_ASN1_INLINE && !optional);
-		state->place = afterInline;
-	    } else {
-		state->place = afterImplicit;
-	    }
-	}
-
-	state->optional = optional;
-	subt = SEC_ASN1GetSubtemplate (state->theTemplate, state->dest, PR_FALSE);
-	state = sec_asn1d_push_state (state->top, subt, dest, PR_FALSE);
-	if (state == NULL)
-	    return NULL;
-
-	state->allocate = child_allocate;
-
-	if (universal) {
-	    state = sec_asn1d_init_state_based_on_template (state);
-	    if (state != NULL) {
-		/*
-		 * If this field is optional, we need to record that on
-		 * the pushed child so it won't fail if the field isn't
-		 * found.  I can't think of a way that this new state
-		 * could already have optional set (which we would wipe
-		 * out below if our local optional is not set) -- but
-		 * just to be sure, assert that it isn't set.
-		 */
-		PORT_Assert (!state->optional);
-		state->optional = optional;
-	    }
-	    return state;
-	}
-
-	under_kind = state->theTemplate->kind;
-	under_kind &= ~SEC_ASN1_MAY_STREAM;
-    } else if (explicit) {
-	/*
-	 * For explicit, we only need to match the encoding tag next,
-	 * then we will push another state to handle the entire inner
-	 * part.  In this case, there is no underlying kind which plays
-	 * any part in the determination of the outer, explicit tag.
-	 * So we just set under_kind to 0, which is not a valid tag,
-	 * and the rest of the tag matching stuff should be okay.
-	 */
-	under_kind = 0;
-    } else {
-	/*
-	 * Nothing special; the underlying kind and the given encoding
-	 * information are the same.
-	 */
-	under_kind = encode_kind;
-    }
-
-    /* XXX is this the right set of bits to test here? */
-    PORT_Assert ((under_kind & (SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL
-				| SEC_ASN1_MAY_STREAM
-				| SEC_ASN1_INLINE | SEC_ASN1_POINTER)) == 0);
-
-    if (encode_kind & (SEC_ASN1_ANY | SEC_ASN1_SKIP)) {
-	PORT_Assert (encode_kind == under_kind);
-	if (encode_kind & SEC_ASN1_SKIP) {
-	    PORT_Assert (!optional);
-	    PORT_Assert (encode_kind == SEC_ASN1_SKIP);
-	    state->dest = NULL;
-	}
-	check_tag_mask = 0;
-	expect_tag_modifiers = 0;
-	expect_tag_number = 0;
-    } else {
-	check_tag_mask = SEC_ASN1_TAG_MASK;
-	expect_tag_modifiers = (unsigned char)encode_kind & SEC_ASN1_TAG_MASK
-				& ~SEC_ASN1_TAGNUM_MASK;
-	/*
-	 * XXX This assumes only single-octet identifiers.  To handle
-	 * the HIGH TAG form we would need to do some more work, especially
-	 * in how to specify them in the template, because right now we
-	 * do not provide a way to specify more *tag* bits in encode_kind.
-	 */
-	expect_tag_number = encode_kind & SEC_ASN1_TAGNUM_MASK;
-
-	switch (under_kind & SEC_ASN1_TAGNUM_MASK) {
-	  case SEC_ASN1_SET:
-	    /*
-	     * XXX A plain old SET (as opposed to a SET OF) is not implemented.
-	     * If it ever is, remove this assert...
-	     */
-	    PORT_Assert ((under_kind & SEC_ASN1_GROUP) != 0);
-	    /* fallthru */
-	  case SEC_ASN1_SEQUENCE:
-	    expect_tag_modifiers |= SEC_ASN1_CONSTRUCTED;
-	    break;
-	  case SEC_ASN1_BIT_STRING:
-	  case SEC_ASN1_BMP_STRING:
-	  case SEC_ASN1_GENERALIZED_TIME:
-	  case SEC_ASN1_IA5_STRING:
-	  case SEC_ASN1_OCTET_STRING:
-	  case SEC_ASN1_PRINTABLE_STRING:
-	  case SEC_ASN1_T61_STRING:
-	  case SEC_ASN1_UNIVERSAL_STRING:
-	  case SEC_ASN1_UTC_TIME:
-	  case SEC_ASN1_UTF8_STRING:
-	  case SEC_ASN1_VISIBLE_STRING:
-	    check_tag_mask &= ~SEC_ASN1_CONSTRUCTED;
-	    break;
-	}
-    }
-
-    state->check_tag_mask = check_tag_mask;
-    state->expect_tag_modifiers = expect_tag_modifiers;
-    state->expect_tag_number = expect_tag_number;
-    state->underlying_kind = under_kind;
-    state->explicit = explicit;
-    state->optional = optional;
-
-    sec_asn1d_scrub_state (state);
-
-    return state;
-}
-
-static sec_asn1d_state *
-sec_asn1d_get_enclosing_construct(sec_asn1d_state *state)
-{
-    for (state = state->parent; state; state = state->parent) {
-	sec_asn1d_parse_place place = state->place;
-	if (place != afterImplicit      &&
-	    place != afterPointer       &&
-	    place != afterInline        &&
-	    place != afterSaveEncoding  &&
-	    place != duringSaveEncoding &&
-	    place != duringChoice) {
-
-            /* we've walked up the stack to a state that represents
-            ** the enclosing construct.  
-	    */
-            break;
-	}
-    }
-    return state;
-}
-
-static PRBool
-sec_asn1d_parent_allows_EOC(sec_asn1d_state *state)
-{
-    /* get state of enclosing construct. */
-    state = sec_asn1d_get_enclosing_construct(state);
-    if (state) {
-	sec_asn1d_parse_place place = state->place;
-        /* Is it one of the types that permits an unexpected EOC? */
-	int eoc_permitted = 
-	    (place == duringGroup ||
-	     place == duringConstructedString ||
-	     state->child->optional);
-	return (state->indefinite && eoc_permitted) ? PR_TRUE : PR_FALSE;
-    }
-    return PR_FALSE;
-}
-
-static unsigned long
-sec_asn1d_parse_identifier (sec_asn1d_state *state,
-			    const char *buf, unsigned long len)
-{
-    unsigned char byte;
-    unsigned char tag_number;
-
-    PORT_Assert (state->place == beforeIdentifier);
-
-    if (len == 0) {
-	state->top->status = needBytes;
-	return 0;
-    }
-
-    byte = (unsigned char) *buf;
-#ifdef DEBUG_ASN1D_STATES
-    {
-        char kindBuf[256];
-        formatKind(byte, kindBuf);
-        printf("Found tag %02x %s\n", byte, kindBuf);
-    }
-#endif
-    tag_number = byte & SEC_ASN1_TAGNUM_MASK;
-
-    if (IS_HIGH_TAG_NUMBER (tag_number)) {
-	state->place = duringIdentifier;
-	state->found_tag_number = 0;
-	/*
-	 * Actually, we have no idea how many bytes are pending, but we
-	 * do know that it is at least 1.  That is all we know; we have
-	 * to look at each byte to know if there is another, etc.
-	 */
-	state->pending = 1;
-    } else {
-	if (byte == 0 && sec_asn1d_parent_allows_EOC(state)) {
-	    /*
-	     * Our parent has indefinite-length encoding, and the
-	     * entire tag found is 0, so it seems that we have hit the
-	     * end-of-contents octets.  To handle this, we just change
-	     * our state to that which expects to get the bytes of the
-	     * end-of-contents octets and let that code re-read this byte
-	     * so that our categorization of field types is correct.
-	     * After that, our parent will then deal with everything else.
-	     */
-	    state->place = duringEndOfContents;
-	    state->pending = 2;
-	    state->found_tag_number = 0;
-	    state->found_tag_modifiers = 0;
-	    /*
-	     * We might be an optional field that is, as we now find out,
-	     * missing.  Give our parent a clue that this happened.
-	     */
-	    if (state->optional)
-		state->missing = PR_TRUE;
-	    return 0;
-	}
-	state->place = afterIdentifier;
-	state->found_tag_number = tag_number;
-    }
-    state->found_tag_modifiers = byte & ~SEC_ASN1_TAGNUM_MASK;
-
-    return 1;
-}
-
-
-static unsigned long
-sec_asn1d_parse_more_identifier (sec_asn1d_state *state,
-				 const char *buf, unsigned long len)
-{
-    unsigned char byte;
-    int count;
-
-    PORT_Assert (state->pending == 1);
-    PORT_Assert (state->place == duringIdentifier);
-
-    if (len == 0) {
-	state->top->status = needBytes;
-	return 0;
-    }
-
-    count = 0;
-
-    while (len && state->pending) {
-	if (HIGH_BITS (state->found_tag_number, TAG_NUMBER_BITS) != 0) {
-	    /*
-	     * The given high tag number overflows our container;
-	     * just give up.  This is not likely to *ever* happen.
-	     */
-	    PORT_SetError (SEC_ERROR_BAD_DER);
-	    state->top->status = decodeError;
-	    return 0;
-	}
-
-	state->found_tag_number <<= TAG_NUMBER_BITS;
-
-	byte = (unsigned char) buf[count++];
-	state->found_tag_number |= (byte & TAG_NUMBER_MASK);
-
-	len--;
-	if (LAST_TAG_NUMBER_BYTE (byte))
-	    state->pending = 0;
-    }
-
-    if (state->pending == 0)
-	state->place = afterIdentifier;
-
-    return count;
-}
-
-
-static void
-sec_asn1d_confirm_identifier (sec_asn1d_state *state)
-{
-    PRBool match;
-
-    PORT_Assert (state->place == afterIdentifier);
-
-    match = (PRBool)(((state->found_tag_modifiers & state->check_tag_mask)
-	     == state->expect_tag_modifiers)
-	    && ((state->found_tag_number & state->check_tag_mask)
-		== state->expect_tag_number));
-    if (match) {
-	state->place = beforeLength;
-    } else {
-	if (state->optional) {
-	    state->missing = PR_TRUE;
-	    state->place = afterEndOfContents;
-	} else {
-	    PORT_SetError (SEC_ERROR_BAD_DER);
-	    state->top->status = decodeError;
-	}
-    }
-}
-
-
-static unsigned long
-sec_asn1d_parse_length (sec_asn1d_state *state,
-			const char *buf, unsigned long len)
-{
-    unsigned char byte;
-
-    PORT_Assert (state->place == beforeLength);
-
-    if (len == 0) {
-	state->top->status = needBytes;
-	return 0;
-    }
-
-    /*
-     * The default/likely outcome.  It may get adjusted below.
-     */
-    state->place = afterLength;
-
-    byte = (unsigned char) *buf;
-
-    if (LENGTH_IS_SHORT_FORM (byte)) {
-	state->contents_length = byte;
-    } else {
-	state->contents_length = 0;
-	state->pending = LONG_FORM_LENGTH (byte);
-	if (state->pending == 0) {
-	    state->indefinite = PR_TRUE;
-	} else {
-	    state->place = duringLength;
-	}
-    }
-
-    /* If we're parsing an ANY, SKIP, or SAVE template, and 
-    ** the object being saved is definite length encoded and constructed, 
-    ** there's no point in decoding that construct's members.
-    ** So, just forget it's constructed and treat it as primitive.
-    ** (SAVE appears as an ANY at this point)
-    */
-    if (!state->indefinite &&
-	(state->underlying_kind & (SEC_ASN1_ANY | SEC_ASN1_SKIP))) {
-	state->found_tag_modifiers &= ~SEC_ASN1_CONSTRUCTED;
-    }
-
-    return 1;
-}
-
-
-static unsigned long
-sec_asn1d_parse_more_length (sec_asn1d_state *state,
-			     const char *buf, unsigned long len)
-{
-    int count;
-
-    PORT_Assert (state->pending > 0);
-    PORT_Assert (state->place == duringLength);
-
-    if (len == 0) {
-	state->top->status = needBytes;
-	return 0;
-    }
-
-    count = 0;
-
-    while (len && state->pending) {
-	if (HIGH_BITS (state->contents_length, 9) != 0) {
-	    /*
-	     * The given full content length overflows our container;
-	     * just give up.
-	     */
-	    PORT_SetError (SEC_ERROR_BAD_DER);
-	    state->top->status = decodeError;
-	    return 0;
-	}
-
-	state->contents_length <<= 8;
-	state->contents_length |= (unsigned char) buf[count++];
-
-	len--;
-	state->pending--;
-    }
-
-    if (state->pending == 0)
-	state->place = afterLength;
-
-    return count;
-}
-
-
-static void
-sec_asn1d_prepare_for_contents (sec_asn1d_state *state)
-{
-    SECItem *item;
-    PRArenaPool *poolp;
-    unsigned long alloc_len;
-
-#ifdef DEBUG_ASN1D_STATES
-    {
-        printf("Found Length %d %s\n", state->contents_length,
-               state->indefinite ? "indefinite" : "");
-    }
-#endif
-
-    /*
-     * XXX I cannot decide if this allocation should exclude the case
-     *     where state->endofcontents is true -- figure it out!
-     */
-    if (state->allocate) {
-	void *dest;
-
-	PORT_Assert (state->dest == NULL);
-	/*
-	 * We are handling a POINTER or a member of a GROUP, and need to
-	 * allocate for the data structure.
-	 */
-	dest = sec_asn1d_zalloc (state->top->their_pool,
-				 state->theTemplate->size);
-	if (dest == NULL) {
-	    state->top->status = decodeError;
-	    return;
-	}
-	state->dest = (char *)dest + state->theTemplate->offset;
-
-	/*
-	 * For a member of a GROUP, our parent will later put the
-	 * pointer wherever it belongs.  But for a POINTER, we need
-	 * to record the destination now, in case notify or filter
-	 * procs need access to it -- they cannot find it otherwise,
-	 * until it is too late (for one-pass processing).
-	 */
-	if (state->parent->place == afterPointer) {
-	    void **placep;
-
-	    placep = state->parent->dest;
-	    *placep = dest;
-	}
-    }
-
-    /*
-     * Remember, length may be indefinite here!  In that case,
-     * both contents_length and pending will be zero.
-     */
-    state->pending = state->contents_length;
-
-    /* If this item has definite length encoding, and 
-    ** is enclosed by a definite length constructed type,
-    ** make sure it isn't longer than the remaining space in that 
-    ** constructed type.  
-    */
-    if (state->contents_length > 0) {
-	sec_asn1d_state *parent = sec_asn1d_get_enclosing_construct(state);
-	if (parent && !parent->indefinite && 
-	    state->consumed + state->contents_length > parent->pending) {
-	    PORT_SetError (SEC_ERROR_BAD_DER);
-	    state->top->status = decodeError;
-	    return;
-	}
-    }
-
-    /*
-     * An EXPLICIT is nothing but an outer header, which we have
-     * already parsed and accepted.  Now we need to do the inner
-     * header and its contents.
-     */
-    if (state->explicit) {
-	state->place = afterExplicit;
-	state = sec_asn1d_push_state (state->top,
-				      SEC_ASN1GetSubtemplate(state->theTemplate,
-							     state->dest,
-							     PR_FALSE),
-				      state->dest, PR_TRUE);
-	if (state != NULL)
-	    state = sec_asn1d_init_state_based_on_template (state);
-	return;
-    }
-
-    /*
-     * For GROUP (SET OF, SEQUENCE OF), even if we know the length here
-     * we cannot tell how many items we will end up with ... so push a
-     * state that can keep track of "children" (the individual members
-     * of the group; we will allocate as we go and put them all together
-     * at the end.
-     */
-    if (state->underlying_kind & SEC_ASN1_GROUP) {
-	/* XXX If this assertion holds (should be able to confirm it via
-	 * inspection, too) then move this code into the switch statement
-	 * below under cases SET_OF and SEQUENCE_OF; it will be cleaner.
-	 */
-	PORT_Assert (state->underlying_kind == SEC_ASN1_SET_OF
-	   || state->underlying_kind == SEC_ASN1_SEQUENCE_OF
-	   || state->underlying_kind == (SEC_ASN1_SEQUENCE_OF|SEC_ASN1_DYNAMIC)
-	   || state->underlying_kind == (SEC_ASN1_SEQUENCE_OF|SEC_ASN1_DYNAMIC)
-		     );
-	if (state->contents_length != 0 || state->indefinite) {
-	    const SEC_ASN1Template *subt;
-
-	    state->place = duringGroup;
-	    subt = SEC_ASN1GetSubtemplate (state->theTemplate, state->dest,
-					   PR_FALSE);
-	    state = sec_asn1d_push_state (state->top, subt, NULL, PR_TRUE);
-	    if (state != NULL) {
-		if (!state->top->filter_only)
-		    state->allocate = PR_TRUE;	/* XXX propogate this? */
-		/*
-		 * Do the "before" field notification for next in group.
-		 */
-		sec_asn1d_notify_before (state->top, state->dest, state->depth);
-		state = sec_asn1d_init_state_based_on_template (state);
-	    }
-	} else {
-	    /*
-	     * A group of zero; we are done.
-	     * Set state to afterGroup and let that code plant the NULL.
-	     */
-	    state->place = afterGroup;
-	}
-	return;
-    }
-
-    switch (state->underlying_kind) {
-      case SEC_ASN1_SEQUENCE:
-	/*
-	 * We need to push a child to handle the individual fields.
-	 */
-	state->place = duringSequence;
-	state = sec_asn1d_push_state (state->top, state->theTemplate + 1,
-				      state->dest, PR_TRUE);
-	if (state != NULL) {
-	    /*
-	     * Do the "before" field notification.
-	     */
-	    sec_asn1d_notify_before (state->top, state->dest, state->depth);
-	    state = sec_asn1d_init_state_based_on_template (state);
-	}
-	break;
-
-      case SEC_ASN1_SET:	/* XXX SET is not really implemented */
-	/*
-	 * XXX A plain SET requires special handling; scanning of a
-	 * template to see where a field should go (because by definition,
-	 * they are not in any particular order, and you have to look at
-	 * each tag to disambiguate what the field is).  We may never
-	 * implement this because in practice, it seems to be unused.
-	 */
-	PORT_Assert(0);
-	PORT_SetError (SEC_ERROR_BAD_DER); /* XXX */
-	state->top->status = decodeError;
-	break;
-
-      case SEC_ASN1_NULL:
-	/*
-	 * The NULL type, by definition, is "nothing", content length of zero.
-	 * An indefinite-length encoding is not alloweed.
-	 */
-	if (state->contents_length || state->indefinite) {
-	    PORT_SetError (SEC_ERROR_BAD_DER);
-	    state->top->status = decodeError;
-	    break;
-	}
-	if (state->dest != NULL) {
-	    item = (SECItem *)(state->dest);
-	    item->data = NULL;
-	    item->len = 0;
-	}
-	state->place = afterEndOfContents;
-	break;
-
-      case SEC_ASN1_BMP_STRING:
-	/* Error if length is not divisable by 2 */
-	if (state->contents_length % 2) {
-	   PORT_SetError (SEC_ERROR_BAD_DER);
-	   state->top->status = decodeError;
-	   break;
-	}   
-	/* otherwise, handle as other string types */
-	goto regular_string_type;
-
-      case SEC_ASN1_UNIVERSAL_STRING:
-	/* Error if length is not divisable by 4 */
-	if (state->contents_length % 4) {
-	   PORT_SetError (SEC_ERROR_BAD_DER);
-	   state->top->status = decodeError;
-	   break;
-	}   
-	/* otherwise, handle as other string types */
-	goto regular_string_type;
-
-      case SEC_ASN1_SKIP:
-      case SEC_ASN1_ANY:
-      case SEC_ASN1_ANY_CONTENTS:
-	/*
-	 * These are not (necessarily) strings, but they need nearly
-	 * identical handling (especially when we need to deal with
-	 * constructed sub-pieces), so we pretend they are.
-	 */
-	/* fallthru */
-regular_string_type:
-      case SEC_ASN1_BIT_STRING:
-      case SEC_ASN1_IA5_STRING:
-      case SEC_ASN1_OCTET_STRING:
-      case SEC_ASN1_PRINTABLE_STRING:
-      case SEC_ASN1_T61_STRING:
-      case SEC_ASN1_UTC_TIME:
-      case SEC_ASN1_UTF8_STRING:
-      case SEC_ASN1_VISIBLE_STRING:
-	/*
-	 * We are allocating for a primitive or a constructed string.
-	 * If it is a constructed string, it may also be indefinite-length.
-	 * If it is primitive, the length can (legally) be zero.
-	 * Our first order of business is to allocate the memory for
-	 * the string, if we can (if we know the length).
-	 */
-	item = (SECItem *)(state->dest);
-
-	/*
-	 * If the item is a definite-length constructed string, then
-	 * the contents_length is actually larger than what we need
-	 * (because it also counts each intermediate header which we
-	 * will be throwing away as we go), but it is a perfectly good
-	 * upper bound that we just allocate anyway, and then concat
-	 * as we go; we end up wasting a few extra bytes but save a
-	 * whole other copy.
-	 */
-	alloc_len = state->contents_length;
-	poolp = NULL;	/* quiet compiler warnings about unused... */
-
-	if (item == NULL || state->top->filter_only) {
-	    if (item != NULL) {
-		item->data = NULL;
-		item->len = 0;
-	    }
-	    alloc_len = 0;
-	} else if (state->substring) {
-	    /*
-	     * If we are a substring of a constructed string, then we may
-	     * not have to allocate anything (because our parent, the
-	     * actual constructed string, did it for us).  If we are a
-	     * substring and we *do* have to allocate, that means our
-	     * parent is an indefinite-length, so we allocate from our pool;
-	     * later our parent will copy our string into the aggregated
-	     * whole and free our pool allocation.
-	     */
-	    if (item->data == NULL) {
-		PORT_Assert (item->len == 0);
-		poolp = state->top->our_pool;
-	    } else {
-		alloc_len = 0;
-	    }
-	} else {
-	    item->len = 0;
-	    item->data = NULL;
-	    poolp = state->top->their_pool;
-	}
-
-	if (alloc_len || ((! state->indefinite)
-			  && (state->subitems_head != NULL))) {
-	    struct subitem *subitem;
-	    int len;
-
-	    PORT_Assert (item->len == 0 && item->data == NULL);
-	    /*
-	     * Check for and handle an ANY which has stashed aside the
-	     * header (identifier and length) bytes for us to include
-	     * in the saved contents.
-	     */
-	    if (state->subitems_head != NULL) {
-		PORT_Assert (state->underlying_kind == SEC_ASN1_ANY);
-		for (subitem = state->subitems_head;
-		     subitem != NULL; subitem = subitem->next)
-		    alloc_len += subitem->len;
-	    }
-
-	    item->data = (unsigned char*)sec_asn1d_zalloc (poolp, alloc_len);
-	    if (item->data == NULL) {
-		state->top->status = decodeError;
-		break;
-	    }
-
-	    len = 0;
-	    for (subitem = state->subitems_head;
-		 subitem != NULL; subitem = subitem->next) {
-		PORT_Memcpy (item->data + len, subitem->data, subitem->len);
-		len += subitem->len;
-	    }
-	    item->len = len;
-
-	    /*
-	     * Because we use arenas and have a mark set, we later free
-	     * everything we have allocated, so this does *not* present
-	     * a memory leak (it is just temporarily left dangling).
-	     */
-	    state->subitems_head = state->subitems_tail = NULL;
-	}
-
-	if (state->contents_length == 0 && (! state->indefinite)) {
-	    /*
-	     * A zero-length simple or constructed string; we are done.
-	     */
-	    state->place = afterEndOfContents;
-	} else if (state->found_tag_modifiers & SEC_ASN1_CONSTRUCTED) {
-	    const SEC_ASN1Template *sub;
-
-	    switch (state->underlying_kind) {
-	      case SEC_ASN1_ANY:
-	      case SEC_ASN1_ANY_CONTENTS:
-		sub = SEC_AnyTemplate;
-		break;
-	      case SEC_ASN1_BIT_STRING:
-		sub = SEC_BitStringTemplate;
-		break;
-	      case SEC_ASN1_BMP_STRING:
-		sub = SEC_BMPStringTemplate;
-		break;
-	      case SEC_ASN1_GENERALIZED_TIME:
-		sub = SEC_GeneralizedTimeTemplate;
-		break;
-	      case SEC_ASN1_IA5_STRING:
-		sub = SEC_IA5StringTemplate;
-		break;
-	      case SEC_ASN1_OCTET_STRING:
-		sub = SEC_OctetStringTemplate;
-		break;
-	      case SEC_ASN1_PRINTABLE_STRING:
-		sub = SEC_PrintableStringTemplate;
-		break;
-	      case SEC_ASN1_T61_STRING:
-		sub = SEC_T61StringTemplate;
-		break;
-	      case SEC_ASN1_UNIVERSAL_STRING:
-		sub = SEC_UniversalStringTemplate;
-		break;
-	      case SEC_ASN1_UTC_TIME:
-		sub = SEC_UTCTimeTemplate;
-		break;
-	      case SEC_ASN1_UTF8_STRING:
-		sub = SEC_UTF8StringTemplate;
-		break;
-	      case SEC_ASN1_VISIBLE_STRING:
-		sub = SEC_VisibleStringTemplate;
-		break;
-	      case SEC_ASN1_SKIP:
-		sub = SEC_SkipTemplate;
-		break;
-	      default:		/* redundant given outer switch cases, but */
-		PORT_Assert(0);	/* the compiler does not seem to know that, */
-		sub = NULL;	/* so just do enough to quiet it. */
-		break;
-	    }
-
-	    state->place = duringConstructedString;
-	    state = sec_asn1d_push_state (state->top, sub, item, PR_TRUE);
-	    if (state != NULL) {
-		state->substring = PR_TRUE;	/* XXX propogate? */
-		state = sec_asn1d_init_state_based_on_template (state);
-	    }
-	} else if (state->indefinite) {
-	    /*
-	     * An indefinite-length string *must* be constructed!
-	     */
-	    PORT_SetError (SEC_ERROR_BAD_DER);
-	    state->top->status = decodeError;
-	} else {
-	    /*
-	     * A non-zero-length simple string.
-	     */
-	    if (state->underlying_kind == SEC_ASN1_BIT_STRING)
-		state->place = beforeBitString;
-	    else
-		state->place = duringLeaf;
-	}
-	break;
-
-      default:
-	/*
-	 * We are allocating for a simple leaf item.
-	 */
-	if (state->contents_length) {
-	    if (state->dest != NULL) {
-		item = (SECItem *)(state->dest);
-		item->len = 0;
-		if (state->top->filter_only) {
-		    item->data = NULL;
-		} else {
-		    item->data = (unsigned char*)
-		                  sec_asn1d_zalloc (state->top->their_pool,
-						   state->contents_length);
-		    if (item->data == NULL) {
-			state->top->status = decodeError;
-			return;
-		    }
-		}
-	    }
-	    state->place = duringLeaf;
-	} else {
-	    /*
-	     * An indefinite-length or zero-length item is not allowed.
-	     * (All legal cases of such were handled above.)
-	     */
-	    PORT_SetError (SEC_ERROR_BAD_DER);
-	    state->top->status = decodeError;
-	}
-    }
-}
-
-
-static void
-sec_asn1d_free_child (sec_asn1d_state *state, PRBool error)
-{
-    if (state->child != NULL) {
-	PORT_Assert (error || state->child->consumed == 0);
-	PORT_Assert (state->our_mark != NULL);
-	PORT_ArenaRelease (state->top->our_pool, state->our_mark);
-	if (error && state->top->their_pool == NULL) {
-	    /*
-	     * XXX We need to free anything allocated.
-             * At this point, we failed in the middle of decoding. But we
-             * can't free the data we previously allocated with PR_Malloc
-             * unless we keep track of every pointer. So instead we have a
-             * memory leak when decoding fails half-way, unless an arena is
-             * used. See bug 95311 .
-	     */
-	}
-	state->child = NULL;
-	state->our_mark = NULL;
-    } else {
-	/*
-	 * It is important that we do not leave a mark unreleased/unmarked.
-	 * But I do not think we should ever have one set in this case, only
-	 * if we had a child (handled above).  So check for that.  If this
-	 * assertion should ever get hit, then we probably need to add code
-	 * here to release back to our_mark (and then set our_mark to NULL).
-	 */
-	PORT_Assert (state->our_mark == NULL);
-    }
-    state->place = beforeEndOfContents;
-}
-
-/* We have just saved an entire encoded ASN.1 object (type) for a SAVE 
-** template, and now in the next template, we are going to decode that 
-** saved data  by calling SEC_ASN1DecoderUpdate recursively.
-** If that recursive call fails with needBytes, it is a fatal error,
-** because the encoded object should have been complete.
-** If that recursive call fails with decodeError, it will have already
-** cleaned up the state stack, so we must bail out quickly.
-**
-** These checks of the status returned by the recursive call are now
-** done in the caller of this function, immediately after it returns.
-*/
-static void
-sec_asn1d_reuse_encoding (sec_asn1d_state *state)
-{
-    sec_asn1d_state *child;
-    unsigned long consumed;
-    SECItem *item;
-    void *dest;
-
-
-    child = state->child;
-    PORT_Assert (child != NULL);
-
-    consumed = child->consumed;
-    child->consumed = 0;
-
-    item = (SECItem *)(state->dest);
-    PORT_Assert (item != NULL);
-
-    PORT_Assert (item->len == consumed);
-
-    /*
-     * Free any grandchild.
-     */
-    sec_asn1d_free_child (child, PR_FALSE);
-
-    /*
-     * Notify after the SAVE field.
-     */
-    sec_asn1d_notify_after (state->top, state->dest, state->depth);
-
-    /*
-     * Adjust to get new dest and move forward.
-     */
-    dest = (char *)state->dest - state->theTemplate->offset;
-    state->theTemplate++;
-    child->dest = (char *)dest + state->theTemplate->offset;
-    child->theTemplate = state->theTemplate;
-
-    /*
-     * Notify before the "real" field.
-     */
-    PORT_Assert (state->depth == child->depth);
-    sec_asn1d_notify_before (state->top, child->dest, child->depth);
-
-    /*
-     * This will tell DecoderUpdate to return when it is done.
-     */
-    state->place = afterSaveEncoding;
-
-    /*
-     * We already have a child; "push" it by making it current.
-     */
-    state->top->current = child;
-
-    /*
-     * And initialize it so it is ready to parse.
-     */
-    (void) sec_asn1d_init_state_based_on_template(child);
-
-    /*
-     * Now parse that out of our data.
-     */
-    if (SEC_ASN1DecoderUpdate (state->top,
-			       (char *) item->data, item->len) != SECSuccess)
-	return;
-    if (state->top->status == needBytes) {
-	return;
-    }
-
-    PORT_Assert (state->top->current == state);
-    PORT_Assert (state->child == child);
-
-    /*
-     * That should have consumed what we consumed before.
-     */
-    PORT_Assert (consumed == child->consumed);
-    child->consumed = 0;
-
-    /*
-     * Done.
-     */
-    state->consumed += consumed;
-    child->place = notInUse;
-    state->place = afterEndOfContents;
-}
-
-
-static unsigned long
-sec_asn1d_parse_leaf (sec_asn1d_state *state,
-		      const char *buf, unsigned long len)
-{
-    SECItem *item;
-    unsigned long bufLen;
-
-    if (len == 0) {
-	state->top->status = needBytes;
-	return 0;
-    }
-
-    if (state->pending < len)
-	len = state->pending;
-
-    bufLen = len;
-
-    item = (SECItem *)(state->dest);
-    if (item != NULL && item->data != NULL) {
-	/* Strip leading zeroes when target is unsigned integer */
-	if (state->underlying_kind == SEC_ASN1_INTEGER && /* INTEGER   */
-	    item->len == 0 &&                             /* MSB       */
-	    item->type == siUnsignedInteger)              /* unsigned  */
-	{
-	    while (len > 1 && buf[0] == 0) {              /* leading 0 */
-		buf++;
-		len--;
-	    }
-	}
-	PORT_Memcpy (item->data + item->len, buf, len);
-	item->len += len;
-    }
-    state->pending -= bufLen;
-    if (state->pending == 0)
-	state->place = beforeEndOfContents;
-
-    return bufLen;
-}
-
-
-static unsigned long
-sec_asn1d_parse_bit_string (sec_asn1d_state *state,
-			    const char *buf, unsigned long len)
-{
-    unsigned char byte;
-
-    /*PORT_Assert (state->pending > 0); */
-    PORT_Assert (state->place == beforeBitString);
-
-    if (state->pending == 0) {
-	if (state->dest != NULL) {
-	    SECItem *item = (SECItem *)(state->dest);
-	    item->data = NULL;
-	    item->len = 0;
-	    state->place = beforeEndOfContents;
-	    return 0;
-	}
-    }
-
-    if (len == 0) {
-	state->top->status = needBytes;
-	return 0;
-    }
-
-    byte = (unsigned char) *buf;
-    if (byte > 7) {
-	PORT_SetError (SEC_ERROR_BAD_DER);
-	state->top->status = decodeError;
-	return 0;
-    }
-
-    state->bit_string_unused_bits = byte;
-    state->place = duringBitString;
-    state->pending -= 1;
-
-    return 1;
-}
-
-
-static unsigned long
-sec_asn1d_parse_more_bit_string (sec_asn1d_state *state,
-				 const char *buf, unsigned long len)
-{
-    PORT_Assert (state->place == duringBitString);
-    if (state->pending == 0) {
-	/* An empty bit string with some unused bits is invalid. */
-	if (state->bit_string_unused_bits) {
-	    PORT_SetError (SEC_ERROR_BAD_DER);
-	    state->top->status = decodeError;
-	} else {
-	    /* An empty bit string with no unused bits is OK. */
-	    state->place = beforeEndOfContents;
-	}
-	return 0;
-    }
-
-    len = sec_asn1d_parse_leaf (state, buf, len);
-    if (state->place == beforeEndOfContents && state->dest != NULL) {
-	SECItem *item;
-
-	item = (SECItem *)(state->dest);
-	if (item->len)
-	    item->len = (item->len << 3) - state->bit_string_unused_bits;
-    }
-
-    return len;
-}
-
-
-/*
- * XXX All callers should be looking at return value to detect
- * out-of-memory errors (and stop!).
- */
-static struct subitem *
-sec_asn1d_add_to_subitems (sec_asn1d_state *state,
-			   const void *data, unsigned long len,
-			   PRBool copy_data)
-{
-    struct subitem *thing;
-
-    thing = (struct subitem*)sec_asn1d_zalloc (state->top->our_pool,
-				sizeof (struct subitem));
-    if (thing == NULL) {
-	state->top->status = decodeError;
-	return NULL;
-    }
-
-    if (copy_data) {
-	void *copy;
-	copy = sec_asn1d_alloc (state->top->our_pool, len);
-	if (copy == NULL) {
-	    state->top->status = decodeError;
-	    return NULL;
-	}
-	PORT_Memcpy (copy, data, len);
-	thing->data = copy;
-    } else {
-	thing->data = data;
-    }
-    thing->len = len;
-    thing->next = NULL;
-
-    if (state->subitems_head == NULL) {
-	PORT_Assert (state->subitems_tail == NULL);
-	state->subitems_head = state->subitems_tail = thing;
-    } else {
-	state->subitems_tail->next = thing;
-	state->subitems_tail = thing;
-    }
-
-    return thing;
-}
-
-
-static void
-sec_asn1d_record_any_header (sec_asn1d_state *state,
-			     const char *buf,
-			     unsigned long len)
-{
-    SECItem *item;
-
-    item = (SECItem *)(state->dest);
-    if (item != NULL && item->data != NULL) {
-	PORT_Assert (state->substring);
-	PORT_Memcpy (item->data + item->len, buf, len);
-	item->len += len;
-    } else {
-	sec_asn1d_add_to_subitems (state, buf, len, PR_TRUE);
-    }
-}
-
-
-/*
- * We are moving along through the substrings of a constructed string,
- * and have just finished parsing one -- we need to save our child data
- * (if the child was not already writing directly into the destination)
- * and then move forward by one.
- *
- * We also have to detect when we are done:
- *	- a definite-length encoding stops when our pending value hits 0
- *	- an indefinite-length encoding stops when our child is empty
- *	  (which means it was the end-of-contents octets)
- */
-static void
-sec_asn1d_next_substring (sec_asn1d_state *state)
-{
-    sec_asn1d_state *child;
-    SECItem *item;
-    unsigned long child_consumed;
-    PRBool done;
-
-    PORT_Assert (state->place == duringConstructedString);
-    PORT_Assert (state->child != NULL);
-
-    child = state->child;
-
-    child_consumed = child->consumed;
-    child->consumed = 0;
-    state->consumed += child_consumed;
-
-    done = PR_FALSE;
-
-    if (state->pending) {
-	PORT_Assert (!state->indefinite);
-	if (child_consumed > state->pending) {
-	    PORT_SetError (SEC_ERROR_BAD_DER);
-	    state->top->status = decodeError;
-	    return;
-	}
-
-	state->pending -= child_consumed;
-	if (state->pending == 0)
-	    done = PR_TRUE;
-    } else {
-	PORT_Assert (state->indefinite);
-
-	item = (SECItem *)(child->dest);
-	if (item != NULL && item->data != NULL) {
-	    /*
-	     * Save the string away for later concatenation.
-	     */
-	    PORT_Assert (item->data != NULL);
-	    sec_asn1d_add_to_subitems (state, item->data, item->len, PR_FALSE);
-	    /*
-	     * Clear the child item for the next round.
-	     */
-	    item->data = NULL;
-	    item->len = 0;
-	}
-
-	/*
-	 * If our child was just our end-of-contents octets, we are done.
-	 */
-	if (child->endofcontents)
-	    done = PR_TRUE;
-    }
-
-    /*
-     * Stop or do the next one.
-     */
-    if (done) {
-	child->place = notInUse;
-	state->place = afterConstructedString;
-    } else {
-	sec_asn1d_scrub_state (child);
-	state->top->current = child;
-    }
-}
-
-
-/*
- * We are doing a SET OF or SEQUENCE OF, and have just finished an item.
- */
-static void
-sec_asn1d_next_in_group (sec_asn1d_state *state)
-{
-    sec_asn1d_state *child;
-    unsigned long child_consumed;
-
-    PORT_Assert (state->place == duringGroup);
-    PORT_Assert (state->child != NULL);
-
-    child = state->child;
-
-    child_consumed = child->consumed;
-    child->consumed = 0;
-    state->consumed += child_consumed;
-
-    /*
-     * If our child was just our end-of-contents octets, we are done.
-     */
-    if (child->endofcontents) {
-	/* XXX I removed the PORT_Assert (child->dest == NULL) because there
-	 * was a bug in that a template that was a sequence of which also had
-	 * a child of a sequence of, in an indefinite group was not working 
-	 * properly.  This fix seems to work, (added the if statement below),
-	 * and nothing appears broken, but I am putting this note here just
-	 * in case. */
-	/*
-	 * XXX No matter how many times I read that comment,
-	 * I cannot figure out what case he was fixing.  I believe what he
-	 * did was deliberate, so I am loathe to touch it.  I need to
-	 * understand how it could ever be that child->dest != NULL but
-	 * child->endofcontents is true, and why it is important to check
-	 * that state->subitems_head is NULL.  This really needs to be
-	 * figured out, as I am not sure if the following code should be
-	 * compensating for "offset", as is done a little farther below
-	 * in the more normal case.
-	 */
-	PORT_Assert (state->indefinite);
-	PORT_Assert (state->pending == 0);
-	if(child->dest && !state->subitems_head) {
-	    sec_asn1d_add_to_subitems (state, child->dest, 0, PR_FALSE);
-	    child->dest = NULL;
-	}
-
-	child->place = notInUse;
-	state->place = afterGroup;
-	return;
-    }
-
-    /* 
-     * Do the "after" field notification for next in group.
-     */
-    sec_asn1d_notify_after (state->top, child->dest, child->depth);
-
-    /*
-     * Save it away (unless we are not storing).
-     */
-    if (child->dest != NULL) {
-	void *dest;
-
-	dest = child->dest;
-	dest = (char *)dest - child->theTemplate->offset;
-	sec_asn1d_add_to_subitems (state, dest, 0, PR_FALSE);
-	child->dest = NULL;
-    }
-
-    /*
-     * Account for those bytes; see if we are done.
-     */
-    if (state->pending) {
-	PORT_Assert (!state->indefinite);
-	if (child_consumed > state->pending) {
-	    PORT_SetError (SEC_ERROR_BAD_DER);
-	    state->top->status = decodeError;
-	    return;
-	}
-
-	state->pending -= child_consumed;
-	if (state->pending == 0) {
-	    child->place = notInUse;
-	    state->place = afterGroup;
-	    return;
-	}
-    }
-
-    /*
-     * Do the "before" field notification for next item in group.
-     */
-    sec_asn1d_notify_before (state->top, child->dest, child->depth);
-
-    /*
-     * Now we do the next one.
-     */
-    sec_asn1d_scrub_state (child);
-
-    /* Initialize child state from the template */
-    sec_asn1d_init_state_based_on_template(child);
-
-    state->top->current = child;
-}
-
-
-/*
- * We are moving along through a sequence; move forward by one,
- * (detecting end-of-sequence when it happens).
- * XXX The handling of "missing" is ugly.  Fix it.
- */
-static void
-sec_asn1d_next_in_sequence (sec_asn1d_state *state)
-{
-    sec_asn1d_state *child;
-    unsigned long child_consumed;
-    PRBool child_missing;
-
-    PORT_Assert (state->place == duringSequence);
-    PORT_Assert (state->child != NULL);
-
-    child = state->child;
-
-    /*
-     * Do the "after" field notification.
-     */
-    sec_asn1d_notify_after (state->top, child->dest, child->depth);
-
-    child_missing = (PRBool) child->missing;
-    child_consumed = child->consumed;
-    child->consumed = 0;
-
-    /*
-     * Take care of accounting.
-     */
-    if (child_missing) {
-	PORT_Assert (child->optional);
-    } else {
-	state->consumed += child_consumed;
-	/*
-	 * Free any grandchild.
-	 */
-	sec_asn1d_free_child (child, PR_FALSE);
-	if (state->pending) {
-	    PORT_Assert (!state->indefinite);
-	    if (child_consumed > state->pending) {
-		PORT_SetError (SEC_ERROR_BAD_DER);
-		state->top->status = decodeError;
-		return;
-	    }
-	    state->pending -= child_consumed;
-	    if (state->pending == 0) {
-		child->theTemplate++;
-		while (child->theTemplate->kind != 0) {
-		    if ((child->theTemplate->kind & SEC_ASN1_OPTIONAL) == 0) {
-			PORT_SetError (SEC_ERROR_BAD_DER);
-			state->top->status = decodeError;
-			return;
-		    }
-		    child->theTemplate++;
-		}
-		child->place = notInUse;
-		state->place = afterEndOfContents;
-		return;
-	    }
-	}
-    }
-
-    /*
-     * Move forward.
-     */
-    child->theTemplate++;
-    if (child->theTemplate->kind == 0) {
-	/*
-	 * We are done with this sequence.
-	 */
-	child->place = notInUse;
-	if (state->pending) {
-	    PORT_SetError (SEC_ERROR_BAD_DER);
-	    state->top->status = decodeError;
-	} else if (child_missing) {
-	    /*
-	     * We got to the end, but have a child that started parsing
-	     * and ended up "missing".  The only legitimate reason for
-	     * this is that we had one or more optional fields at the
-	     * end of our sequence, and we were encoded indefinite-length,
-	     * so when we went looking for those optional fields we
-	     * found our end-of-contents octets instead.
-	     * (Yes, this is ugly; dunno a better way to handle it.)
-	     * So, first confirm the situation, and then mark that we
-	     * are done.
-	     */
-	    if (state->indefinite && child->endofcontents) {
-		PORT_Assert (child_consumed == 2);
-		if (child_consumed != 2) {
-		    PORT_SetError (SEC_ERROR_BAD_DER);
-		    state->top->status = decodeError;
-		} else {
-		    state->consumed += child_consumed;
-		    state->place = afterEndOfContents;
-		}
-	    } else {
-		PORT_SetError (SEC_ERROR_BAD_DER);
-		state->top->status = decodeError;
-	    }
-	} else {
-	    /*
-	     * We have to finish out, maybe reading end-of-contents octets;
-	     * let the normal logic do the right thing.
-	     */
-	    state->place = beforeEndOfContents;
-	}
-    } else {
-	unsigned char child_found_tag_modifiers = 0;
-	unsigned long child_found_tag_number = 0;
-
-	/*
-	 * Reset state and push.
-	 */
-	if (state->dest != NULL)
-	    child->dest = (char *)state->dest + child->theTemplate->offset;
-
-	/*
-	 * Do the "before" field notification.
-	 */
-	sec_asn1d_notify_before (state->top, child->dest, child->depth);
-
-	if (child_missing) { /* if previous child was missing, copy the tag data we already have */
-	    child_found_tag_modifiers = child->found_tag_modifiers;
-	    child_found_tag_number = child->found_tag_number;
-	}
-	state->top->current = child;
-	child = sec_asn1d_init_state_based_on_template (child);
-	if (child_missing) {
-	    child->place = afterIdentifier;
-	    child->found_tag_modifiers = child_found_tag_modifiers;
-	    child->found_tag_number = child_found_tag_number;
-	    child->consumed = child_consumed;
-	    if (child->underlying_kind == SEC_ASN1_ANY
-		&& !child->top->filter_only) {
-		/*
-		 * If the new field is an ANY, and we are storing, then
-		 * we need to save the tag out.  We would have done this
-		 * already in the normal case, but since we were looking
-		 * for an optional field, and we did not find it, we only
-		 * now realize we need to save the tag.
-		 */
-		unsigned char identifier;
-
-		/*
-		 * Check that we did not end up with a high tag; for that
-		 * we need to re-encode the tag into multiple bytes in order
-		 * to store it back to look like what we parsed originally.
-		 * In practice this does not happen, but for completeness
-		 * sake it should probably be made to work at some point.
-		 */
-		PORT_Assert (child_found_tag_number < SEC_ASN1_HIGH_TAG_NUMBER);
-		identifier = (unsigned char)(child_found_tag_modifiers | child_found_tag_number);
-		sec_asn1d_record_any_header (child, (char *) &identifier, 1);
-	    }
-	}
-    }
-}
-
-
-static void
-sec_asn1d_concat_substrings (sec_asn1d_state *state)
-{
-    PORT_Assert (state->place == afterConstructedString);
-
-    if (state->subitems_head != NULL) {
-	struct subitem *substring;
-	unsigned long alloc_len, item_len;
-	unsigned char *where;
-	SECItem *item;
-	PRBool is_bit_string;
-
-	item_len = 0;
-	is_bit_string = (state->underlying_kind == SEC_ASN1_BIT_STRING)
-			? PR_TRUE : PR_FALSE;
-
-	substring = state->subitems_head;
-	while (substring != NULL) {
-	    /*
-	     * All bit-string substrings except the last one should be
-	     * a clean multiple of 8 bits.
-	     */
-	    if (is_bit_string && (substring->next == NULL)
-			      && (substring->len & 0x7)) {
-		PORT_SetError (SEC_ERROR_BAD_DER);
-		state->top->status = decodeError;
-		return;
-	    }
-	    item_len += substring->len;
-	    substring = substring->next;
-	}
-
-	if (is_bit_string) {
-#ifdef XP_WIN16		/* win16 compiler gets an internal error otherwise */
-	    alloc_len = (((long)item_len + 7) / 8);
-#else
-	    alloc_len = ((item_len + 7) >> 3);
-#endif
-	} else {
-	    /*
-	     * Add 2 for the end-of-contents octets of an indefinite-length
-	     * ANY that is *not* also an INNER.  Because we zero-allocate
-	     * below, all we need to do is increase the length here.
-	     */
-	    if (state->underlying_kind == SEC_ASN1_ANY && state->indefinite)
-		item_len += 2; 
-	    alloc_len = item_len;
-	}
-
-	item = (SECItem *)(state->dest);
-	PORT_Assert (item != NULL);
-	PORT_Assert (item->data == NULL);
-	item->data = (unsigned char*)sec_asn1d_zalloc (state->top->their_pool, 
-						       alloc_len);
-	if (item->data == NULL) {
-	    state->top->status = decodeError;
-	    return;
-	}
-	item->len = item_len;
-
-	where = item->data;
-	substring = state->subitems_head;
-	while (substring != NULL) {
-	    if (is_bit_string)
-		item_len = (substring->len + 7) >> 3;
-	    else
-		item_len = substring->len;
-	    PORT_Memcpy (where, substring->data, item_len);
-	    where += item_len;
-	    substring = substring->next;
-	}
-
-	/*
-	 * Because we use arenas and have a mark set, we later free
-	 * everything we have allocated, so this does *not* present
-	 * a memory leak (it is just temporarily left dangling).
-	 */
-	state->subitems_head = state->subitems_tail = NULL;
-    }
-
-    state->place = afterEndOfContents;
-}
-
-
-static void
-sec_asn1d_concat_group (sec_asn1d_state *state)
-{
-    const void ***placep;
-
-    PORT_Assert (state->place == afterGroup);
-
-    placep = (const void***)state->dest;
-    PORT_Assert(state->subitems_head == NULL || placep != NULL);
-    if (placep != NULL) {
-	struct subitem *item;
-	const void **group;
-	int count;
-
-	count = 0;
-	item = state->subitems_head;
-	while (item != NULL) {
-	    PORT_Assert (item->next != NULL || item == state->subitems_tail);
-	    count++;
-	    item = item->next;
-	}
-
-	group = (const void**)sec_asn1d_zalloc (state->top->their_pool,
-				  (count + 1) * (sizeof(void *)));
-	if (group == NULL) {
-	    state->top->status = decodeError;
-	    return;
-	}
-
-	*placep = group;
-
-	item = state->subitems_head;
-	while (item != NULL) {
-	    *group++ = item->data;
-	    item = item->next;
-	}
-	*group = NULL;
-
-	/*
-	 * Because we use arenas and have a mark set, we later free
-	 * everything we have allocated, so this does *not* present
-	 * a memory leak (it is just temporarily left dangling).
-	 */
-	state->subitems_head = state->subitems_tail = NULL;
-    }
-
-    state->place = afterEndOfContents;
-}
-
-
-/*
- * For those states that push a child to handle a subtemplate,
- * "absorb" that child (transfer necessary information).
- */
-static void
-sec_asn1d_absorb_child (sec_asn1d_state *state)
-{
-    /*
-     * There is absolutely supposed to be a child there.
-     */
-    PORT_Assert (state->child != NULL);
-
-    /*
-     * Inherit the missing status of our child, and do the ugly
-     * backing-up if necessary.
-     */
-    state->missing = state->child->missing;
-    if (state->missing) {
-	state->found_tag_number = state->child->found_tag_number;
-	state->found_tag_modifiers = state->child->found_tag_modifiers;
-	state->endofcontents = state->child->endofcontents;
-    }
-
-    /*
-     * Add in number of bytes consumed by child.
-     * (Only EXPLICIT should have already consumed bytes itself.)
-     */
-    PORT_Assert (state->place == afterExplicit || state->consumed == 0);
-    state->consumed += state->child->consumed;
-
-    /*
-     * Subtract from bytes pending; this only applies to a definite-length
-     * EXPLICIT field.
-     */
-    if (state->pending) {
-	PORT_Assert (!state->indefinite);
-	PORT_Assert (state->place == afterExplicit);
-
-	/*
-	 * If we had a definite-length explicit, then what the child
-	 * consumed should be what was left pending.
-	 */
-	if (state->pending != state->child->consumed) {
-	    if (state->pending < state->child->consumed) {
-		PORT_SetError (SEC_ERROR_BAD_DER);
-		state->top->status = decodeError;
-		return;
-	    }
-	    /*
-	     * Okay, this is a hack.  It *should* be an error whether
-	     * pending is too big or too small, but it turns out that
-	     * we had a bug in our *old* DER encoder that ended up
-	     * counting an explicit header twice in the case where
-	     * the underlying type was an ANY.  So, because we cannot
-	     * prevent receiving these (our own certificate server can
-	     * send them to us), we need to be lenient and accept them.
-	     * To do so, we need to pretend as if we read all of the
-	     * bytes that the header said we would find, even though
-	     * we actually came up short.
-	     */
-	    state->consumed += (state->pending - state->child->consumed);
-	}
-	state->pending = 0;
-    }
-
-    /*
-     * Indicate that we are done with child.
-     */
-    state->child->consumed = 0;
-
-    /*
-     * And move on to final state.
-     * (Technically everybody could move to afterEndOfContents except
-     * for an indefinite-length EXPLICIT; for simplicity though we assert
-     * that but let the end-of-contents code do the real determination.)
-     */
-    PORT_Assert (state->place == afterExplicit || (! state->indefinite));
-    state->place = beforeEndOfContents;
-}
-
-
-static void
-sec_asn1d_prepare_for_end_of_contents (sec_asn1d_state *state)
-{
-    PORT_Assert (state->place == beforeEndOfContents);
-
-    if (state->indefinite) {
-	state->place = duringEndOfContents;
-	state->pending = 2;
-    } else {
-	state->place = afterEndOfContents;
-    }
-}
-
-
-static unsigned long
-sec_asn1d_parse_end_of_contents (sec_asn1d_state *state,
-				 const char *buf, unsigned long len)
-{
-    unsigned int i;
-
-    PORT_Assert (state->pending <= 2);
-    PORT_Assert (state->place == duringEndOfContents);
-
-    if (len == 0) {
-	state->top->status = needBytes;
-	return 0;
-    }
-
-    if (state->pending < len)
-	len = state->pending;
-
-    for (i = 0; i < len; i++) {
-	if (buf[i] != 0) {
-	    /*
-	     * We expect to find only zeros; if not, just give up.
-	     */
-	    PORT_SetError (SEC_ERROR_BAD_DER);
-	    state->top->status = decodeError;
-	    return 0;
-	}
-    }
-
-    state->pending -= len;
-
-    if (state->pending == 0) {
-	state->place = afterEndOfContents;
-	state->endofcontents = PR_TRUE;
-    }
-
-    return len;
-}
-
-
-static void
-sec_asn1d_pop_state (sec_asn1d_state *state)
-{
-#if 0	/* XXX I think this should always be handled explicitly by parent? */
-    /*
-     * Account for our child.
-     */
-    if (state->child != NULL) {
-	state->consumed += state->child->consumed;
-	if (state->pending) {
-	    PORT_Assert (!state->indefinite);
-	    if (state->child->consumed > state->pending) {
-		PORT_SetError (SEC_ERROR_BAD_DER);
-		state->top->status = decodeError;
-	    } else {
-		state->pending -= state->child->consumed;
-	    }
-	}
-	state->child->consumed = 0;
-    }
-#endif	/* XXX */
-
-    /*
-     * Free our child.
-     */
-    sec_asn1d_free_child (state, PR_FALSE);
-
-    /*
-     * Just make my parent be the current state.  It will then clean
-     * up after me and free me (or reuse me).
-     */
-    state->top->current = state->parent;
-}
-
-static sec_asn1d_state *
-sec_asn1d_before_choice (sec_asn1d_state *state)
-{
-    sec_asn1d_state *child;
-
-    if (state->allocate) {
-	void *dest;
-
-	dest = sec_asn1d_zalloc(state->top->their_pool, state->theTemplate->size);
-	if ((void *)NULL == dest) {
-	    state->top->status = decodeError;
-	    return (sec_asn1d_state *)NULL;
-	}
-
-	state->dest = (char *)dest + state->theTemplate->offset;
-    }
-
-    child = sec_asn1d_push_state(state->top, state->theTemplate + 1, 
-				 (char *)state->dest - state->theTemplate->offset, 
-				 PR_FALSE);
-    if ((sec_asn1d_state *)NULL == child) {
-	return (sec_asn1d_state *)NULL;
-    }
-
-    sec_asn1d_scrub_state(child);
-    child = sec_asn1d_init_state_based_on_template(child);
-    if ((sec_asn1d_state *)NULL == child) {
-	return (sec_asn1d_state *)NULL;
-    }
-
-    child->optional = PR_TRUE;
-
-    state->place = duringChoice;
-
-    return child;
-}
-
-static sec_asn1d_state *
-sec_asn1d_during_choice (sec_asn1d_state *state)
-{
-    sec_asn1d_state *child = state->child;
-    
-    PORT_Assert((sec_asn1d_state *)NULL != child);
-
-    if (child->missing) {
-	unsigned char child_found_tag_modifiers = 0;
-	unsigned long child_found_tag_number = 0;
-	void *        dest;
-
-	state->consumed += child->consumed;
-
-	if (child->endofcontents) {
-	    /* This choice is probably the first item in a GROUP
-	    ** (e.g. SET_OF) that was indefinite-length encoded.
-	    ** We're actually at the end of that GROUP.
-	    ** We look up the stack to be sure that we find
-	    ** a state with indefinite length encoding before we
-	    ** find a state (like a SEQUENCE) that is definite.
-	    */
-	    child->place = notInUse;
-	    state->place = afterChoice;
-	    state->endofcontents = PR_TRUE;  /* propagate this up */
-	    if (sec_asn1d_parent_allows_EOC(state))
-		return state;
-	    PORT_SetError(SEC_ERROR_BAD_DER);
-	    state->top->status = decodeError;
-	    return NULL;
-	}
-
-	dest = (char *)child->dest - child->theTemplate->offset;
-	child->theTemplate++;
-
-	if (0 == child->theTemplate->kind) {
-	    /* Ran out of choices */
-	    PORT_SetError(SEC_ERROR_BAD_DER);
-	    state->top->status = decodeError;
-	    return (sec_asn1d_state *)NULL;
-	}
-	child->dest = (char *)dest + child->theTemplate->offset;
-
-	/* cargo'd from next_in_sequence innards */
-	if (state->pending) {
-	    PORT_Assert(!state->indefinite);
-	    if (child->consumed > state->pending) {
-		PORT_SetError (SEC_ERROR_BAD_DER);
-		state->top->status = decodeError;
-		return NULL;
-	    }
-	    state->pending -= child->consumed;
-	    if (0 == state->pending) {
-		/* XXX uh.. not sure if I should have stopped this
-		 * from happening before. */
-		PORT_Assert(0);
-		PORT_SetError(SEC_ERROR_BAD_DER);
-		state->top->status = decodeError;
-		return (sec_asn1d_state *)NULL;
-	    }
-	}
-
-	child->consumed = 0;
-	sec_asn1d_scrub_state(child);
-
-	/* move it on top again */
-	state->top->current = child;
-
-	child_found_tag_modifiers = child->found_tag_modifiers;
-	child_found_tag_number = child->found_tag_number;
-
-	child = sec_asn1d_init_state_based_on_template(child);
-	if ((sec_asn1d_state *)NULL == child) {
-	    return (sec_asn1d_state *)NULL;
-	}
-
-	/* copy our findings to the new top */
-	child->found_tag_modifiers = child_found_tag_modifiers;
-	child->found_tag_number = child_found_tag_number;
-
-	child->optional = PR_TRUE;
-	child->place = afterIdentifier;
-
-	return child;
-    } 
-    if ((void *)NULL != state->dest) {
-	/* Store the enum */
-	int *which = (int *)state->dest;
-	*which = (int)child->theTemplate->size;
-    }
-
-    child->place = notInUse;
-
-    state->place = afterChoice;
-    return state;
-}
-
-static void
-sec_asn1d_after_choice (sec_asn1d_state *state)
-{
-    state->consumed += state->child->consumed;
-    state->child->consumed = 0;
-    state->place = afterEndOfContents;
-    sec_asn1d_pop_state(state);
-}
-
-unsigned long
-sec_asn1d_uinteger(SECItem *src)
-{
-    unsigned long value;
-    int len;
-
-    if (src->len > 5 || (src->len > 4 && src->data[0] == 0))
-	return 0;
-
-    value = 0;
-    len = src->len;
-    while (len) {
-	value <<= 8;
-	value |= src->data[--len];
-    }
-    return value;
-}
-
-SECStatus
-SEC_ASN1DecodeInteger(SECItem *src, unsigned long *value)
-{
-    unsigned long v;
-    unsigned int i;
-    
-    if (src == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    if (src->len > sizeof(unsigned long)) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
-    }
-
-    if (src->data == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-    	return SECFailure;
-    }
-
-    if (src->data[0] & 0x80)
-	v = -1;		/* signed and negative - start with all 1's */
-    else
-	v = 0;
-
-    for (i= 0; i < src->len; i++) {
-	/* shift in next byte */
-	v <<= 8;
-	v |= src->data[i];
-    }
-    *value = v;
-    return SECSuccess;
-}
-
-#ifdef DEBUG_ASN1D_STATES
-static void
-dump_states(SEC_ASN1DecoderContext *cx)
-{
-    sec_asn1d_state *state;
-    char kindBuf[256];
-
-    for (state = cx->current; state->parent; state = state->parent) {
-        ;
-    }
-
-    for (; state; state = state->child) {
-        int i;
-        for (i = 0; i < state->depth; i++) {
-            printf("  ");
-        }
-
-        i = formatKind(state->theTemplate->kind, kindBuf);
-        printf("%s: tmpl %08x, kind%s",
-               (state == cx->current) ? "STATE" : "State",
-               state->theTemplate,
-               kindBuf);
-        printf(" %s", (state->place >= 0 && state->place <= notInUse)
-                       ? place_names[ state->place ]
-                       : "(undefined)");
-        if (!i)
-            printf(", expect 0x%02x",
-                   state->expect_tag_number | state->expect_tag_modifiers);
-
-        printf("%s%s%s %d\n",
-               state->indefinite    ? ", indef"   : "",
-               state->missing       ? ", miss"    : "",
-               state->endofcontents ? ", EOC"     : "",
-               state->pending
-               );
-    }
-
-    return;
-}
-#endif /* DEBUG_ASN1D_STATES */
-
-SECStatus
-SEC_ASN1DecoderUpdate (SEC_ASN1DecoderContext *cx,
-		       const char *buf, unsigned long len)
-{
-    sec_asn1d_state *state = NULL;
-    unsigned long consumed;
-    SEC_ASN1EncodingPart what;
-    sec_asn1d_state *stateEnd = cx->current;
-
-    if (cx->status == needBytes)
-	cx->status = keepGoing;
-
-    while (cx->status == keepGoing) {
-	state = cx->current;
-	what = SEC_ASN1_Contents;
-	consumed = 0;
-#ifdef DEBUG_ASN1D_STATES
-        printf("\nPLACE = %s, next byte = 0x%02x, %08x[%d]\n",
-               (state->place >= 0 && state->place <= notInUse) ?
-               place_names[ state->place ] : "(undefined)",
-               (unsigned int)((unsigned char *)buf)[ consumed ],
-               buf, consumed);
-        dump_states(cx);
-#endif /* DEBUG_ASN1D_STATES */
-	switch (state->place) {
-	  case beforeIdentifier:
-	    consumed = sec_asn1d_parse_identifier (state, buf, len);
-	    what = SEC_ASN1_Identifier;
-	    break;
-	  case duringIdentifier:
-	    consumed = sec_asn1d_parse_more_identifier (state, buf, len);
-	    what = SEC_ASN1_Identifier;
-	    break;
-	  case afterIdentifier:
-	    sec_asn1d_confirm_identifier (state);
-	    break;
-	  case beforeLength:
-	    consumed = sec_asn1d_parse_length (state, buf, len);
-	    what = SEC_ASN1_Length;
-	    break;
-	  case duringLength:
-	    consumed = sec_asn1d_parse_more_length (state, buf, len);
-	    what = SEC_ASN1_Length;
-	    break;
-	  case afterLength:
-	    sec_asn1d_prepare_for_contents (state);
-	    break;
-	  case beforeBitString:
-	    consumed = sec_asn1d_parse_bit_string (state, buf, len);
-	    break;
-	  case duringBitString:
-	    consumed = sec_asn1d_parse_more_bit_string (state, buf, len);
-	    break;
-	  case duringConstructedString:
-	    sec_asn1d_next_substring (state);
-	    break;
-	  case duringGroup:
-	    sec_asn1d_next_in_group (state);
-	    break;
-	  case duringLeaf:
-	    consumed = sec_asn1d_parse_leaf (state, buf, len);
-	    break;
-	  case duringSaveEncoding:
-	    sec_asn1d_reuse_encoding (state);
-	    if (cx->status == decodeError) {
-		/* recursive call has already popped all states from stack.
-		** Bail out quickly.
-		*/
-		return SECFailure;
-	    }
-	    if (cx->status == needBytes) {
-		/* recursive call wanted more data. Fatal. Clean up below. */
-		PORT_SetError (SEC_ERROR_BAD_DER);
-		cx->status = decodeError;
-	    }
-	    break;
-	  case duringSequence:
-	    sec_asn1d_next_in_sequence (state);
-	    break;
-	  case afterConstructedString:
-	    sec_asn1d_concat_substrings (state);
-	    break;
-	  case afterExplicit:
-	  case afterImplicit:
-	  case afterInline:
-	  case afterPointer:
-	    sec_asn1d_absorb_child (state);
-	    break;
-	  case afterGroup:
-	    sec_asn1d_concat_group (state);
-	    break;
-	  case afterSaveEncoding:
-	    /* SEC_ASN1DecoderUpdate has called itself recursively to 
-	    ** decode SAVEd encoded data, and now is done decoding that.
-	    ** Return to the calling copy of SEC_ASN1DecoderUpdate.
-	    */
-	    return SECSuccess;
-	  case beforeEndOfContents:
-	    sec_asn1d_prepare_for_end_of_contents (state);
-	    break;
-	  case duringEndOfContents:
-	    consumed = sec_asn1d_parse_end_of_contents (state, buf, len);
-	    what = SEC_ASN1_EndOfContents;
-	    break;
-	  case afterEndOfContents:
-	    sec_asn1d_pop_state (state);
-	    break;
-          case beforeChoice:
-            state = sec_asn1d_before_choice(state);
-            break;
-          case duringChoice:
-            state = sec_asn1d_during_choice(state);
-            break;
-          case afterChoice:
-            sec_asn1d_after_choice(state);
-            break;
-	  case notInUse:
-	  default:
-	    /* This is not an error, but rather a plain old BUG! */
-	    PORT_Assert (0);
-	    PORT_SetError (SEC_ERROR_BAD_DER);
-	    cx->status = decodeError;
-	    break;
-	}
-
-	if (cx->status == decodeError)
-	    break;
-
-	/* We should not consume more than we have.  */
-	PORT_Assert (consumed <= len);
-	if (consumed > len) {
-	    PORT_SetError (SEC_ERROR_BAD_DER);
-	    cx->status = decodeError;
-	    break;
-	}
-
-	/* It might have changed, so we have to update our local copy.  */
-	state = cx->current;
-
-	/* If it is NULL, we have popped all the way to the top.  */
-	if (state == NULL) {
-	    PORT_Assert (consumed == 0);
-#if 0	/* XXX I want this here, but it seems that we have situations (like
-	 * downloading a pkcs7 cert chain from some issuers) that give us a
-	 * length which is greater than the entire encoding.  So, we cannot
-	 * have this be an error.
-	 */
-	    if (len > 0) {
-		PORT_SetError (SEC_ERROR_BAD_DER);
-		cx->status = decodeError;
-	    } else
-#endif
-		cx->status = allDone;
-	    break;
-	}
-	else if (state->theTemplate->kind == SEC_ASN1_SKIP_REST) {
-	    cx->status = allDone;
-	    break;
-	}
-	  
-	if (consumed == 0)
-	    continue;
-
-	/*
-	 * The following check is specifically looking for an ANY
-	 * that is *not* also an INNER, because we need to save aside
-	 * all bytes in that case -- the contents parts will get
-	 * handled like all other contents, and the end-of-contents
-	 * bytes are added by the concat code, but the outer header
-	 * bytes need to get saved too, so we do them explicitly here.
-	 */
-	if (state->underlying_kind == SEC_ASN1_ANY
-	    && !cx->filter_only && (what == SEC_ASN1_Identifier
-				    || what == SEC_ASN1_Length)) {
-	    sec_asn1d_record_any_header (state, buf, consumed);
-	}
-
-	/*
-	 * We had some number of good, accepted bytes.  If the caller
-	 * has registered to see them, pass them along.
-	 */
-	if (state->top->filter_proc != NULL) {
-	    int depth;
-
-	    depth = state->depth;
-	    if (what == SEC_ASN1_EndOfContents && !state->indefinite) {
-		PORT_Assert (state->parent != NULL
-			     && state->parent->indefinite);
-		depth--;
-		PORT_Assert (depth == state->parent->depth);
-	    }
-	    (* state->top->filter_proc) (state->top->filter_arg,
-					 buf, consumed, depth, what);
-	}
-
-	state->consumed += consumed;
-	buf += consumed;
-	len -= consumed;
-    }
-
-    if (cx->status == decodeError) {
-	while (state != NULL && stateEnd->parent!=state) {
-	    sec_asn1d_free_child (state, PR_TRUE);
-	    state = state->parent;
-	}
-#ifdef SEC_ASN1D_FREE_ON_ERROR	/*
-				 * XXX This does not work because we can
-				 * end up leaving behind dangling pointers
-				 * to stuff that was allocated.  In order
-				 * to make this really work (which would
-				 * be a good thing, I think), we need to
-				 * keep track of every place/pointer that
-				 * was allocated and make sure to NULL it
-				 * out before we then free back to the mark.	
-				 */
-	if (cx->their_pool != NULL) {
-	    PORT_Assert (cx->their_mark != NULL);
-	    PORT_ArenaRelease (cx->their_pool, cx->their_mark);
-	}
-#endif
-	return SECFailure;
-    }
-
-#if 0	/* XXX This is what I want, but cannot have because it seems we
-	 * have situations (like when downloading a pkcs7 cert chain from
-	 * some issuers) that give us a total length which is greater than
-	 * the entire encoding.  So, we have to allow allDone to have a
-	 * remaining length greater than zero.  I wanted to catch internal
-	 * bugs with this, noticing when we do not have the right length.
-	 * Oh well.
-	 */
-    PORT_Assert (len == 0
-		 && (cx->status == needBytes || cx->status == allDone));
-#else
-    PORT_Assert ((len == 0 && cx->status == needBytes)
-		 || cx->status == allDone);
-#endif
-    return SECSuccess;
-}
-
-
-SECStatus
-SEC_ASN1DecoderFinish (SEC_ASN1DecoderContext *cx)
-{
-    SECStatus rv;
-
-    if (cx->status == needBytes) {
-	PORT_SetError (SEC_ERROR_BAD_DER);
-	rv = SECFailure;
-    } else {
-	rv = SECSuccess;
-    }
-
-    /*
-     * XXX anything else that needs to be finished?
-     */
-
-    PORT_FreeArena (cx->our_pool, PR_FALSE);
-
-    return rv;
-}
-
-
-SEC_ASN1DecoderContext *
-SEC_ASN1DecoderStart (PRArenaPool *their_pool, void *dest,
-		      const SEC_ASN1Template *theTemplate)
-{
-    PRArenaPool *our_pool;
-    SEC_ASN1DecoderContext *cx;
-
-    our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
-    if (our_pool == NULL)
-	return NULL;
-
-    cx = (SEC_ASN1DecoderContext*)PORT_ArenaZAlloc (our_pool, sizeof(*cx));
-    if (cx == NULL) {
-	PORT_FreeArena (our_pool, PR_FALSE);
-	return NULL;
-    }
-
-    cx->our_pool = our_pool;
-    if (their_pool != NULL) {
-	cx->their_pool = their_pool;
-#ifdef SEC_ASN1D_FREE_ON_ERROR
-	cx->their_mark = PORT_ArenaMark (their_pool);
-#endif
-    }
-
-    cx->status = needBytes;
-
-    if (sec_asn1d_push_state(cx, theTemplate, dest, PR_FALSE) == NULL
-	|| sec_asn1d_init_state_based_on_template (cx->current) == NULL) {
-	/*
-	 * Trouble initializing (probably due to failed allocations)
-	 * requires that we just give up.
-	 */
-	PORT_FreeArena (our_pool, PR_FALSE);
-	return NULL;
-    }
-
-    return cx;
-}
-
-
-void
-SEC_ASN1DecoderSetFilterProc (SEC_ASN1DecoderContext *cx,
-			      SEC_ASN1WriteProc fn, void *arg,
-			      PRBool only)
-{
-    /* check that we are "between" fields here */
-    PORT_Assert (cx->during_notify);
-
-    cx->filter_proc = fn;
-    cx->filter_arg = arg;
-    cx->filter_only = only;
-}
-
-
-void
-SEC_ASN1DecoderClearFilterProc (SEC_ASN1DecoderContext *cx)
-{
-    /* check that we are "between" fields here */
-    PORT_Assert (cx->during_notify);
-
-    cx->filter_proc = NULL;
-    cx->filter_arg = NULL;
-    cx->filter_only = PR_FALSE;
-}
-
-
-void
-SEC_ASN1DecoderSetNotifyProc (SEC_ASN1DecoderContext *cx,
-			      SEC_ASN1NotifyProc fn, void *arg)
-{
-    cx->notify_proc = fn;
-    cx->notify_arg = arg;
-}
-
-
-void
-SEC_ASN1DecoderClearNotifyProc (SEC_ASN1DecoderContext *cx)
-{
-    cx->notify_proc = NULL;
-    cx->notify_arg = NULL;	/* not necessary; just being clean */
-}
-
-void
-SEC_ASN1DecoderAbort(SEC_ASN1DecoderContext *cx, int error)
-{
-    PORT_Assert(cx);
-    PORT_SetError(error);
-    cx->status = decodeError;
-}
-
-
-SECStatus
-SEC_ASN1Decode (PRArenaPool *poolp, void *dest,
-		const SEC_ASN1Template *theTemplate,
-		const char *buf, long len)
-{
-    SEC_ASN1DecoderContext *dcx;
-    SECStatus urv, frv;
-
-    dcx = SEC_ASN1DecoderStart (poolp, dest, theTemplate);
-    if (dcx == NULL)
-	return SECFailure;
-
-    urv = SEC_ASN1DecoderUpdate (dcx, buf, len);
-    frv = SEC_ASN1DecoderFinish (dcx);
-
-    if (urv != SECSuccess)
-	return urv;
-
-    return frv;
-}
-
-
-SECStatus
-SEC_ASN1DecodeItem (PRArenaPool *poolp, void *dest,
-		    const SEC_ASN1Template *theTemplate,
-		    const SECItem *src)
-{
-    return SEC_ASN1Decode (poolp, dest, theTemplate,
-			   (const char *)src->data, src->len);
-}
-
-#ifdef DEBUG_ASN1D_STATES
-void sec_asn1d_Assert(const char *s, const char *file, PRIntn ln)
-{
-    printf("Assertion failed, \"%s\", file %s, line %d\n", s, file, ln);
-    fflush(stdout);
-}
-#endif
-
-/*
- * Generic templates for individual/simple items and pointers to
- * and sets of same.
- *
- * If you need to add a new one, please note the following:
- *	 - For each new basic type you should add *four* templates:
- *	one plain, one PointerTo, one SequenceOf and one SetOf.
- *	 - If the new type can be constructed (meaning, it is a
- *	*string* type according to BER/DER rules), then you should
- *	or-in SEC_ASN1_MAY_STREAM to the type in the basic template.
- *	See the definition of the OctetString template for an example.
- *	 - It may not be obvious, but these are in *alphabetical*
- *	order based on the SEC_ASN1_XXX name; so put new ones in
- *	the appropriate place.
- */
-
-const SEC_ASN1Template SEC_AnyTemplate[] = {
-    { SEC_ASN1_ANY | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
-};
-
-const SEC_ASN1Template SEC_PointerToAnyTemplate[] = {
-    { SEC_ASN1_POINTER, 0, SEC_AnyTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfAnyTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF, 0, SEC_AnyTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfAnyTemplate[] = {
-    { SEC_ASN1_SET_OF, 0, SEC_AnyTemplate }
-};
-
-const SEC_ASN1Template SEC_BitStringTemplate[] = {
-    { SEC_ASN1_BIT_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
-};
-
-const SEC_ASN1Template SEC_PointerToBitStringTemplate[] = {
-    { SEC_ASN1_POINTER, 0, SEC_BitStringTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfBitStringTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF, 0, SEC_BitStringTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfBitStringTemplate[] = {
-    { SEC_ASN1_SET_OF, 0, SEC_BitStringTemplate }
-};
-
-const SEC_ASN1Template SEC_BMPStringTemplate[] = {
-    { SEC_ASN1_BMP_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
-};
-
-const SEC_ASN1Template SEC_PointerToBMPStringTemplate[] = {
-    { SEC_ASN1_POINTER, 0, SEC_BMPStringTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfBMPStringTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF, 0, SEC_BMPStringTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfBMPStringTemplate[] = {
-    { SEC_ASN1_SET_OF, 0, SEC_BMPStringTemplate }
-};
-
-const SEC_ASN1Template SEC_BooleanTemplate[] = {
-    { SEC_ASN1_BOOLEAN, 0, NULL, sizeof(SECItem) }
-};
-
-const SEC_ASN1Template SEC_PointerToBooleanTemplate[] = {
-    { SEC_ASN1_POINTER, 0, SEC_BooleanTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfBooleanTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF, 0, SEC_BooleanTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfBooleanTemplate[] = {
-    { SEC_ASN1_SET_OF, 0, SEC_BooleanTemplate }
-};
-
-const SEC_ASN1Template SEC_EnumeratedTemplate[] = {
-    { SEC_ASN1_ENUMERATED, 0, NULL, sizeof(SECItem) }
-};
-
-const SEC_ASN1Template SEC_PointerToEnumeratedTemplate[] = {
-    { SEC_ASN1_POINTER, 0, SEC_EnumeratedTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfEnumeratedTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF, 0, SEC_EnumeratedTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfEnumeratedTemplate[] = {
-    { SEC_ASN1_SET_OF, 0, SEC_EnumeratedTemplate }
-};
-
-const SEC_ASN1Template SEC_GeneralizedTimeTemplate[] = {
-    { SEC_ASN1_GENERALIZED_TIME | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem)}
-};
-
-const SEC_ASN1Template SEC_PointerToGeneralizedTimeTemplate[] = {
-    { SEC_ASN1_POINTER, 0, SEC_GeneralizedTimeTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfGeneralizedTimeTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF, 0, SEC_GeneralizedTimeTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfGeneralizedTimeTemplate[] = {
-    { SEC_ASN1_SET_OF, 0, SEC_GeneralizedTimeTemplate }
-};
-
-const SEC_ASN1Template SEC_IA5StringTemplate[] = {
-    { SEC_ASN1_IA5_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
-};
-
-const SEC_ASN1Template SEC_PointerToIA5StringTemplate[] = {
-    { SEC_ASN1_POINTER, 0, SEC_IA5StringTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfIA5StringTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF, 0, SEC_IA5StringTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfIA5StringTemplate[] = {
-    { SEC_ASN1_SET_OF, 0, SEC_IA5StringTemplate }
-};
-
-const SEC_ASN1Template SEC_IntegerTemplate[] = {
-    { SEC_ASN1_INTEGER, 0, NULL, sizeof(SECItem) }
-};
-
-const SEC_ASN1Template SEC_PointerToIntegerTemplate[] = {
-    { SEC_ASN1_POINTER, 0, SEC_IntegerTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfIntegerTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF, 0, SEC_IntegerTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfIntegerTemplate[] = {
-    { SEC_ASN1_SET_OF, 0, SEC_IntegerTemplate }
-};
-
-const SEC_ASN1Template SEC_NullTemplate[] = {
-    { SEC_ASN1_NULL, 0, NULL, sizeof(SECItem) }
-};
-
-const SEC_ASN1Template SEC_PointerToNullTemplate[] = {
-    { SEC_ASN1_POINTER, 0, SEC_NullTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfNullTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF, 0, SEC_NullTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfNullTemplate[] = {
-    { SEC_ASN1_SET_OF, 0, SEC_NullTemplate }
-};
-
-const SEC_ASN1Template SEC_ObjectIDTemplate[] = {
-    { SEC_ASN1_OBJECT_ID, 0, NULL, sizeof(SECItem) }
-};
-
-const SEC_ASN1Template SEC_PointerToObjectIDTemplate[] = {
-    { SEC_ASN1_POINTER, 0, SEC_ObjectIDTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfObjectIDTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF, 0, SEC_ObjectIDTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfObjectIDTemplate[] = {
-    { SEC_ASN1_SET_OF, 0, SEC_ObjectIDTemplate }
-};
-
-const SEC_ASN1Template SEC_OctetStringTemplate[] = {
-    { SEC_ASN1_OCTET_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
-};
-
-const SEC_ASN1Template SEC_PointerToOctetStringTemplate[] = {
-    { SEC_ASN1_POINTER | SEC_ASN1_MAY_STREAM, 0, SEC_OctetStringTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfOctetStringTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF, 0, SEC_OctetStringTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfOctetStringTemplate[] = {
-    { SEC_ASN1_SET_OF, 0, SEC_OctetStringTemplate }
-};
-
-const SEC_ASN1Template SEC_PrintableStringTemplate[] = {
-    { SEC_ASN1_PRINTABLE_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem)}
-};
-
-const SEC_ASN1Template SEC_PointerToPrintableStringTemplate[] = {
-    { SEC_ASN1_POINTER, 0, SEC_PrintableStringTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfPrintableStringTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF, 0, SEC_PrintableStringTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfPrintableStringTemplate[] = {
-    { SEC_ASN1_SET_OF, 0, SEC_PrintableStringTemplate }
-};
-
-const SEC_ASN1Template SEC_T61StringTemplate[] = {
-    { SEC_ASN1_T61_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
-};
-
-const SEC_ASN1Template SEC_PointerToT61StringTemplate[] = {
-    { SEC_ASN1_POINTER, 0, SEC_T61StringTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfT61StringTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF, 0, SEC_T61StringTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfT61StringTemplate[] = {
-    { SEC_ASN1_SET_OF, 0, SEC_T61StringTemplate }
-};
-
-const SEC_ASN1Template SEC_UniversalStringTemplate[] = {
-    { SEC_ASN1_UNIVERSAL_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem)}
-};
-
-const SEC_ASN1Template SEC_PointerToUniversalStringTemplate[] = {
-    { SEC_ASN1_POINTER, 0, SEC_UniversalStringTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfUniversalStringTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF, 0, SEC_UniversalStringTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfUniversalStringTemplate[] = {
-    { SEC_ASN1_SET_OF, 0, SEC_UniversalStringTemplate }
-};
-
-const SEC_ASN1Template SEC_UTCTimeTemplate[] = {
-    { SEC_ASN1_UTC_TIME | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
-};
-
-const SEC_ASN1Template SEC_PointerToUTCTimeTemplate[] = {
-    { SEC_ASN1_POINTER, 0, SEC_UTCTimeTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfUTCTimeTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF, 0, SEC_UTCTimeTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfUTCTimeTemplate[] = {
-    { SEC_ASN1_SET_OF, 0, SEC_UTCTimeTemplate }
-};
-
-const SEC_ASN1Template SEC_UTF8StringTemplate[] = {
-    { SEC_ASN1_UTF8_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem)}
-};
-
-const SEC_ASN1Template SEC_PointerToUTF8StringTemplate[] = {
-    { SEC_ASN1_POINTER, 0, SEC_UTF8StringTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfUTF8StringTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF, 0, SEC_UTF8StringTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfUTF8StringTemplate[] = {
-    { SEC_ASN1_SET_OF, 0, SEC_UTF8StringTemplate }
-};
-
-const SEC_ASN1Template SEC_VisibleStringTemplate[] = {
-    { SEC_ASN1_VISIBLE_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
-};
-
-const SEC_ASN1Template SEC_PointerToVisibleStringTemplate[] = {
-    { SEC_ASN1_POINTER, 0, SEC_VisibleStringTemplate }
-};
-
-const SEC_ASN1Template SEC_SequenceOfVisibleStringTemplate[] = {
-    { SEC_ASN1_SEQUENCE_OF, 0, SEC_VisibleStringTemplate }
-};
-
-const SEC_ASN1Template SEC_SetOfVisibleStringTemplate[] = {
-    { SEC_ASN1_SET_OF, 0, SEC_VisibleStringTemplate }
-};
-
-
-/*
- * Template for skipping a subitem.
- *
- * Note that it only makes sense to use this for decoding (when you want
- * to decode something where you are only interested in one or two of
- * the fields); you cannot encode a SKIP!
- */
-const SEC_ASN1Template SEC_SkipTemplate[] = {
-    { SEC_ASN1_SKIP }
-};
-
-
-/* These functions simply return the address of the above-declared templates.
-** This is necessary for Windows DLLs.  Sigh.
-*/
-SEC_ASN1_CHOOSER_IMPLEMENT(SEC_AnyTemplate)
-SEC_ASN1_CHOOSER_IMPLEMENT(SEC_BMPStringTemplate)
-SEC_ASN1_CHOOSER_IMPLEMENT(SEC_BooleanTemplate)
-SEC_ASN1_CHOOSER_IMPLEMENT(SEC_BitStringTemplate)
-SEC_ASN1_CHOOSER_IMPLEMENT(SEC_IA5StringTemplate)
-SEC_ASN1_CHOOSER_IMPLEMENT(SEC_GeneralizedTimeTemplate)
-SEC_ASN1_CHOOSER_IMPLEMENT(SEC_IntegerTemplate)
-SEC_ASN1_CHOOSER_IMPLEMENT(SEC_NullTemplate)
-SEC_ASN1_CHOOSER_IMPLEMENT(SEC_ObjectIDTemplate)
-SEC_ASN1_CHOOSER_IMPLEMENT(SEC_OctetStringTemplate)
-SEC_ASN1_CHOOSER_IMPLEMENT(SEC_PointerToAnyTemplate)
-SEC_ASN1_CHOOSER_IMPLEMENT(SEC_PointerToOctetStringTemplate)
-SEC_ASN1_CHOOSER_IMPLEMENT(SEC_SetOfAnyTemplate)
-SEC_ASN1_CHOOSER_IMPLEMENT(SEC_UTCTimeTemplate)
-SEC_ASN1_CHOOSER_IMPLEMENT(SEC_UTF8StringTemplate)
-
diff --git a/security/nss/lib/util/secasn1e.c b/security/nss/lib/util/secasn1e.c
deleted file mode 100644
index db7792cb1..000000000
--- a/security/nss/lib/util/secasn1e.c
+++ /dev/null
@@ -1,1647 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Support for ENcoding ASN.1 data based on BER/DER (Basic/Distinguished
- * Encoding Rules).
- *
- * $Id$
- */
-
-#include "secasn1.h"
-
-typedef enum {
-    beforeHeader,
-    duringContents,
-    duringGroup,
-    duringSequence,
-    afterContents,
-    afterImplicit,
-    afterInline,
-    afterPointer,
-    afterChoice,
-    notInUse
-} sec_asn1e_parse_place;
-
-typedef enum {
-    allDone,
-    encodeError,
-    keepGoing,
-    needBytes
-} sec_asn1e_parse_status;
-
-typedef enum {
-    hdr_normal      = 0,  /* encode header normally */
-    hdr_any         = 1,  /* header already encoded in content */
-    hdr_decoder     = 2,  /* template only used by decoder. skip it. */
-    hdr_optional    = 3,  /* optional component, to be omitted */
-    hdr_placeholder = 4   /* place holder for from_buf content */
-} sec_asn1e_hdr_encoding;
-
-typedef struct sec_asn1e_state_struct {
-    SEC_ASN1EncoderContext *top;
-    const SEC_ASN1Template *theTemplate;
-    void *src;
-
-    struct sec_asn1e_state_struct *parent;	/* aka prev */
-    struct sec_asn1e_state_struct *child;	/* aka next */
-
-    sec_asn1e_parse_place place;	/* where we are in encoding process */
-
-    /*
-     * XXX explain the next fields as clearly as possible...
-     */
-    unsigned char tag_modifiers;
-    unsigned char tag_number;
-    unsigned long underlying_kind;
-
-    int depth;
-
-    PRBool isExplicit,		/* we are handling an isExplicit header */
-	   indefinite,		/* need end-of-contents */
-	   is_string,		/* encoding a simple string or an ANY */
-	   may_stream,		/* when streaming, do indefinite encoding */
-	   optional,		/* omit field if it has no contents */
-	   disallowStreaming;	/* disallow streaming in all sub-templates */	
-} sec_asn1e_state;
-
-/*
- * An "outsider" will have an opaque pointer to this, created by calling
- * SEC_ASN1EncoderStart().  It will be passed back in to all subsequent
- * calls to SEC_ASN1EncoderUpdate() and related routines, and when done
- * it is passed to SEC_ASN1EncoderFinish().
- */
-struct sec_EncoderContext_struct {
-    PRArenaPool *our_pool;		/* for our internal allocs */
-
-    sec_asn1e_state *current;
-    sec_asn1e_parse_status status;
-
-    PRBool streaming;
-    PRBool from_buf;
-
-    SEC_ASN1NotifyProc notify_proc;	/* call before/after handling field */
-    void *notify_arg;			/* argument to notify_proc */
-    PRBool during_notify;		/* true during call to notify_proc */
-
-    SEC_ASN1WriteProc output_proc;	/* pass encoded bytes to this  */
-    void *output_arg;			/* argument to that function */
-};
-
-
-static sec_asn1e_state *
-sec_asn1e_push_state (SEC_ASN1EncoderContext *cx,
-		      const SEC_ASN1Template *theTemplate,
-		      const void *src, PRBool new_depth)
-{
-    sec_asn1e_state *state, *new_state;
-
-    state = cx->current;
-
-    new_state = (sec_asn1e_state*)PORT_ArenaZAlloc (cx->our_pool, 
-						    sizeof(*new_state));
-    if (new_state == NULL) {
-	cx->status = encodeError;
-	return NULL;
-    }
-
-    new_state->top = cx;
-    new_state->parent = state;
-    new_state->theTemplate = theTemplate;
-    new_state->place = notInUse;
-    if (src != NULL)
-	new_state->src = (char *)src + theTemplate->offset;
-
-    if (state != NULL) {
-	new_state->depth = state->depth;
-	if (new_depth)
-	    new_state->depth++;
-	state->child = new_state;
-    }
-
-    cx->current = new_state;
-    return new_state;
-}
-
-
-static void
-sec_asn1e_scrub_state (sec_asn1e_state *state)
-{
-    /*
-     * Some default "scrubbing".
-     * XXX right set of initializations?
-     */
-    state->place = beforeHeader;
-    state->indefinite = PR_FALSE;
-}
-
-
-static void
-sec_asn1e_notify_before (SEC_ASN1EncoderContext *cx, void *src, int depth)
-{
-    if (cx->notify_proc == NULL)
-	return;
-
-    cx->during_notify = PR_TRUE;
-    (* cx->notify_proc) (cx->notify_arg, PR_TRUE, src, depth);
-    cx->during_notify = PR_FALSE;
-}
-
-
-static void
-sec_asn1e_notify_after (SEC_ASN1EncoderContext *cx, void *src, int depth)
-{
-    if (cx->notify_proc == NULL)
-	return;
-
-    cx->during_notify = PR_TRUE;
-    (* cx->notify_proc) (cx->notify_arg, PR_FALSE, src, depth);
-    cx->during_notify = PR_FALSE;
-}
-
-
-static sec_asn1e_state *
-sec_asn1e_init_state_based_on_template (sec_asn1e_state *state)
-{
-    PRBool isExplicit, is_string, may_stream, optional, universal; 
-    PRBool disallowStreaming;
-    unsigned char tag_modifiers;
-    unsigned long encode_kind, under_kind;
-    unsigned long tag_number;
-    PRBool isInline = PR_FALSE;
-
-
-    encode_kind = state->theTemplate->kind;
-
-    universal = ((encode_kind & SEC_ASN1_CLASS_MASK) == SEC_ASN1_UNIVERSAL)
-		? PR_TRUE : PR_FALSE;
-
-    isExplicit = (encode_kind & SEC_ASN1_EXPLICIT) ? PR_TRUE : PR_FALSE;
-    encode_kind &= ~SEC_ASN1_EXPLICIT;
-
-    optional = (encode_kind & SEC_ASN1_OPTIONAL) ? PR_TRUE : PR_FALSE;
-    encode_kind &= ~SEC_ASN1_OPTIONAL;
-
-    PORT_Assert (!(isExplicit && universal));	/* bad templates */
-
-    may_stream = (encode_kind & SEC_ASN1_MAY_STREAM) ? PR_TRUE : PR_FALSE;
-    encode_kind &= ~SEC_ASN1_MAY_STREAM;
-
-    disallowStreaming = (encode_kind & SEC_ASN1_NO_STREAM) ? PR_TRUE : PR_FALSE;
-    encode_kind &= ~SEC_ASN1_NO_STREAM;
-
-    /* Just clear this to get it out of the way; we do not need it here */
-    encode_kind &= ~SEC_ASN1_DYNAMIC;
-
-    if( encode_kind & SEC_ASN1_CHOICE ) {
-      under_kind = SEC_ASN1_CHOICE;
-    } else if ((encode_kind & (SEC_ASN1_POINTER | SEC_ASN1_INLINE)) || 
-        (!universal && !isExplicit)) {
-	const SEC_ASN1Template *subt;
-	void *src = NULL;
-
-	PORT_Assert ((encode_kind & (SEC_ASN1_ANY | SEC_ASN1_SKIP)) == 0);
-
-	sec_asn1e_scrub_state (state);
-
-	if (encode_kind & SEC_ASN1_POINTER) {
-	    src = *(void **)state->src;
-	    state->place = afterPointer;
-
-	    if (src == NULL) {
-		/*
-		 * If this is optional, but NULL, then the field does
-		 * not need to be encoded.  In this case we are done;
-		 * we do not want to push a subtemplate.
-		 */
-		if (optional)
-		    return state;
-
-		/*
-		 * XXX this is an error; need to figure out
-		 * how to handle this
-		 */
-	    }
-	} else {
-	    src = state->src;
-	    if (encode_kind & SEC_ASN1_INLINE) {
-		/* check that there are no extraneous bits */
-		/* PORT_Assert (encode_kind == SEC_ASN1_INLINE && !optional); */
-		state->place = afterInline;
-		isInline = PR_TRUE;
-	    } else {
-		/*
-		 * Save the tag modifiers and tag number here before moving
-		 * on to the next state in case this is a member of a
-		 * SEQUENCE OF
-		 */
-		state->tag_modifiers = (unsigned char)
-		    (encode_kind & (SEC_ASN1_TAG_MASK & ~SEC_ASN1_TAGNUM_MASK));
-		state->tag_number = (unsigned char)
-		    (encode_kind & SEC_ASN1_TAGNUM_MASK);
-		
-		state->place = afterImplicit;
-		state->optional = optional;
-	    }
-	}
-
-	subt = SEC_ASN1GetSubtemplate (state->theTemplate, state->src, PR_TRUE);
-	if (isInline && optional) {
-	    /* we only handle a very limited set of optional inline cases at
-	       this time */
-	    if (PR_FALSE != SEC_ASN1IsTemplateSimple(subt)) {
-		/* we now know that the target is a SECItem*, so we can check
-		   if the source contains one */
-		SECItem* target = (SECItem*)state->src;
-		if (!target || !target->data || !target->len) {
-		    /* no valid data to encode subtemplate */
-		    return state;
-		}
-	    } else {
-		PORT_Assert(0); /* complex templates are not handled as
-				   inline optional */
-	    }
-	}
-	state = sec_asn1e_push_state (state->top, subt, src, PR_FALSE);
-	if (state == NULL)
-	    return state;
-
-	if (universal) {
-	    /*
-	     * This is a POINTER or INLINE; just init based on that
-	     * and we are done.
-	     */
-	    return sec_asn1e_init_state_based_on_template (state);
-	}
-
-	/*
-	 * This is an implicit, non-universal (meaning, application-private
-	 * or context-specific) field.  This results in a "magic" tag but
-	 * encoding based on the underlying type.  We pushed a new state
-	 * that is based on the subtemplate (the underlying type), but
-	 * now we will sort of alias it to give it some of our properties
-	 * (tag, optional status, etc.).
-	 *
-	 * NB: ALL the following flags in the subtemplate are disallowed
-	 *     and/or ignored: EXPLICIT, OPTIONAL, INNER, INLINE, POINTER.
-	 */
-
-	under_kind = state->theTemplate->kind;
-	if ((under_kind & SEC_ASN1_MAY_STREAM) && !disallowStreaming) {
-	    may_stream = PR_TRUE;
-	}
-	under_kind &= ~(SEC_ASN1_MAY_STREAM | SEC_ASN1_DYNAMIC);
-    } else {
-	under_kind = encode_kind;
-    }
-
-    /*
-     * Sanity check that there are no unwanted bits marked in under_kind.
-     * These bits were either removed above (after we recorded them) or
-     * they simply should not be found (signalling a bad/broken template).
-     * XXX is this the right set of bits to test here? (i.e. need to add
-     * or remove any?)
-     */
-#define UNEXPECTED_FLAGS \
- (SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_SKIP | SEC_ASN1_INNER | \
-  SEC_ASN1_DYNAMIC | SEC_ASN1_MAY_STREAM | SEC_ASN1_INLINE | SEC_ASN1_POINTER)
-
-    PORT_Assert ((under_kind & UNEXPECTED_FLAGS) == 0);
-    under_kind &= ~UNEXPECTED_FLAGS;
-#undef UNEXPECTED_FLAGS
-
-    if (encode_kind & SEC_ASN1_ANY) {
-	PORT_Assert (encode_kind == under_kind);
-	tag_modifiers = 0;
-	tag_number = 0;
-	is_string = PR_TRUE;
-    } else {
-	tag_modifiers = (unsigned char)
-		(encode_kind & (SEC_ASN1_TAG_MASK & ~SEC_ASN1_TAGNUM_MASK));
-	/*
-	 * XXX This assumes only single-octet identifiers.  To handle
-	 * the HIGH TAG form we would need to do some more work, especially
-	 * in how to specify them in the template, because right now we
-	 * do not provide a way to specify more *tag* bits in encode_kind.
-	 */
-	tag_number = encode_kind & SEC_ASN1_TAGNUM_MASK;
-
-	is_string = PR_FALSE;
-	switch (under_kind & SEC_ASN1_TAGNUM_MASK) {
-	  case SEC_ASN1_SET:
-	    /*
-	     * XXX A plain old SET (as opposed to a SET OF) is not implemented.
-	     * If it ever is, remove this assert...
-	     */
-	    PORT_Assert ((under_kind & SEC_ASN1_GROUP) != 0);
-	    /* fallthru */
-	  case SEC_ASN1_SEQUENCE:
-	    tag_modifiers |= SEC_ASN1_CONSTRUCTED;
-	    break;
-	  case SEC_ASN1_BIT_STRING:
-	  case SEC_ASN1_BMP_STRING: 
-	  case SEC_ASN1_GENERALIZED_TIME:
-	  case SEC_ASN1_IA5_STRING:
-	  case SEC_ASN1_OCTET_STRING:
-	  case SEC_ASN1_PRINTABLE_STRING:
-	  case SEC_ASN1_T61_STRING:
-	  case SEC_ASN1_UNIVERSAL_STRING: 
-	  case SEC_ASN1_UTC_TIME:
-	  case SEC_ASN1_UTF8_STRING:
-	  case SEC_ASN1_VISIBLE_STRING: 
-	    /*
-	     * We do not yet know if we will be constructing the string,
-	     * so we have to wait to do this final tag modification.
-	     */
-	    is_string = PR_TRUE;
-	    break;
-	}
-    }
-
-    state->tag_modifiers = tag_modifiers;
-    state->tag_number = (unsigned char)tag_number;
-    state->underlying_kind = under_kind;
-    state->isExplicit = isExplicit;
-    state->may_stream = may_stream;
-    state->is_string = is_string;
-    state->optional = optional;
-    state->disallowStreaming = disallowStreaming;
-
-    sec_asn1e_scrub_state (state);
-
-    return state;
-}
-
-
-static void
-sec_asn1e_write_part (sec_asn1e_state *state,
-		      const char *buf, unsigned long len,
-		      SEC_ASN1EncodingPart part)
-{
-    SEC_ASN1EncoderContext *cx;
-
-    cx = state->top;
-    (* cx->output_proc) (cx->output_arg, buf, len, state->depth, part);
-}
-
-
-/*
- * XXX This assumes only single-octet identifiers.  To handle
- * the HIGH TAG form we would need to modify this interface and
- * teach it to properly encode the special form.
- */
-static void
-sec_asn1e_write_identifier_bytes (sec_asn1e_state *state, unsigned char value)
-{
-    char byte;
-
-    byte = (char) value;
-    sec_asn1e_write_part (state, &byte, 1, SEC_ASN1_Identifier);
-}
-
-int
-SEC_ASN1EncodeLength(unsigned char *buf,int value) {
-    int lenlen;
-
-    lenlen = SEC_ASN1LengthLength (value);
-    if (lenlen == 1) {
-	buf[0] = value;
-    } else {
-	int i;
-
-	i = lenlen - 1;
-	buf[0] = 0x80 | i;
-	while (i) {
-	    buf[i--] = value;
-	    value >>= 8;
-	}
-        PORT_Assert (value == 0);
-    }
-    return lenlen;
-}
-
-static void
-sec_asn1e_write_length_bytes (sec_asn1e_state *state, unsigned long value,
-			      PRBool indefinite)
-{
-    int lenlen;
-    unsigned char buf[sizeof(unsigned long) + 1];
-
-    if (indefinite) {
-	PORT_Assert (value == 0);
-	buf[0] = 0x80;
-	lenlen = 1;
-    } else {
-	lenlen = SEC_ASN1EncodeLength(buf,value);
-    }
-
-    sec_asn1e_write_part (state, (char *) buf, lenlen, SEC_ASN1_Length);
-}
-
-
-static void
-sec_asn1e_write_contents_bytes (sec_asn1e_state *state,
-				const char *buf, unsigned long len)
-{
-    sec_asn1e_write_part (state, buf, len, SEC_ASN1_Contents);
-}
-
-
-static void
-sec_asn1e_write_end_of_contents_bytes (sec_asn1e_state *state)
-{
-    const char eoc[2] = {0, 0};
-
-    sec_asn1e_write_part (state, eoc, 2, SEC_ASN1_EndOfContents);
-}
-
-static int
-sec_asn1e_which_choice
-(
-  void *src,
-  const SEC_ASN1Template *theTemplate
-)
-{
-  int rv;
-  unsigned int which = *(unsigned int *)src;
-
-  for( rv = 1, theTemplate++; theTemplate->kind != 0; rv++, theTemplate++ ) {
-    if( which == theTemplate->size ) {
-      return rv;
-    }
-  }
-
-  return 0;
-}
-
-static unsigned long
-sec_asn1e_contents_length (const SEC_ASN1Template *theTemplate, void *src,
-			   PRBool disallowStreaming, PRBool insideIndefinite,
-			   sec_asn1e_hdr_encoding *pHdrException)
-{
-    unsigned long encode_kind, underlying_kind;
-    PRBool isExplicit, optional, universal, may_stream;
-    unsigned long len;
-
-    /*
-     * This function currently calculates the length in all cases
-     * except the following: when writing out the contents of a 
-     * template that belongs to a state where it was a sub-template
-     * with the SEC_ASN1_MAY_STREAM bit set and it's parent had the
-     * optional bit set.  The information that the parent is optional
-     * and that we should return the length of 0 when that length is 
-     * present since that means the optional field is no longer present.
-     * So we add the disallowStreaming flag which is passed in when
-     * writing the contents, but for all recursive calls to 
-     * sec_asn1e_contents_length, we pass PR_FALSE, because this
-     * function correctly calculates the length for children templates
-     * from that point on.  Confused yet?  At least you didn't have
-     * to figure it out.  ;)  -javi
-     */
-    encode_kind = theTemplate->kind;
-
-    universal = ((encode_kind & SEC_ASN1_CLASS_MASK) == SEC_ASN1_UNIVERSAL)
-		? PR_TRUE : PR_FALSE;
-
-    isExplicit = (encode_kind & SEC_ASN1_EXPLICIT) ? PR_TRUE : PR_FALSE;
-    encode_kind &= ~SEC_ASN1_EXPLICIT;
-
-    optional = (encode_kind & SEC_ASN1_OPTIONAL) ? PR_TRUE : PR_FALSE;
-    encode_kind &= ~SEC_ASN1_OPTIONAL;
-
-    PORT_Assert (!(isExplicit && universal));	/* bad templates */
-
-    may_stream = (encode_kind & SEC_ASN1_MAY_STREAM) ? PR_TRUE : PR_FALSE;
-    encode_kind &= ~SEC_ASN1_MAY_STREAM;
-
-    /* Just clear this to get it out of the way; we do not need it here */
-    encode_kind &= ~SEC_ASN1_DYNAMIC;
-
-    if (encode_kind & SEC_ASN1_NO_STREAM) {
-	disallowStreaming = PR_TRUE;
-    }
-    encode_kind &= ~SEC_ASN1_NO_STREAM;
-
-    if (encode_kind & SEC_ASN1_CHOICE) {
-	void *src2;
-	int indx = sec_asn1e_which_choice(src, theTemplate);
-	if (0 == indx) {
-	    /* XXX set an error? "choice not found" */
-	    /* state->top->status = encodeError; */
-	    return 0;
-	}
-
-        src2 = (void *)
-	        ((char *)src - theTemplate->offset + theTemplate[indx].offset);
-
-        return sec_asn1e_contents_length(&theTemplate[indx], src2, 
-					 disallowStreaming, insideIndefinite,
-					 pHdrException);
-    }
-
-    if ((encode_kind & (SEC_ASN1_POINTER | SEC_ASN1_INLINE)) || !universal) {
-	/* XXX any bits we want to disallow (PORT_Assert against) here? */
-	theTemplate = SEC_ASN1GetSubtemplate (theTemplate, src, PR_TRUE);
-	if (encode_kind & SEC_ASN1_POINTER) {
-	    src = *(void **)src;
-	    if (src == NULL) {
-		*pHdrException = optional ? hdr_optional : hdr_normal;
-		return 0;
-	    }
-	} else if (encode_kind & SEC_ASN1_INLINE) {
-	    /* check that there are no extraneous bits */
-	    if (optional) {
-		if (PR_FALSE != SEC_ASN1IsTemplateSimple(theTemplate)) {
-		    /* we now know that the target is a SECItem*, so we can check
-		       if the source contains one */
-		    SECItem* target = (SECItem*)src;
-		    if (!target || !target->data || !target->len) {
-			/* no valid data to encode subtemplate */
-			*pHdrException = hdr_optional;
-			return 0;
-		    }
-		} else {
-		    PORT_Assert(0); /* complex templates not handled as inline
-                                       optional */
-		}
-	    }
-	}
-
-	src = (char *)src + theTemplate->offset;
-
-	/* recurse to find the length of the subtemplate */
-	len = sec_asn1e_contents_length (theTemplate, src, disallowStreaming, 
-	                                 insideIndefinite, pHdrException);
-	if (len == 0 && optional) {
-	    *pHdrException = hdr_optional;
-	} else if (isExplicit) {
-	    if (*pHdrException == hdr_any) {
-		/* *we* do not want to add in a header, 
-		** but our caller still does. 
-		*/
-		*pHdrException = hdr_normal;
-	    } else if (*pHdrException == hdr_normal) {
-		/* if the inner content exists, our length is
-		 * len(identifier) + len(length) + len(innercontent)
-		 * XXX we currently assume len(identifier) == 1;
-		 * to support a high-tag-number this would need to be smarter.
-		 */
-		len += 1 + SEC_ASN1LengthLength (len);
-	    }
-	}
-	return len;
-    }
-    underlying_kind = encode_kind;
-
-    /* This is only used in decoding; it plays no part in encoding.  */
-    if (underlying_kind & SEC_ASN1_SAVE) {
-	/* check that there are no extraneous bits */
-	PORT_Assert (underlying_kind == SEC_ASN1_SAVE);
-	*pHdrException = hdr_decoder;
-	return 0;
-    }
-
-#define UNEXPECTED_FLAGS \
- (SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_INLINE | SEC_ASN1_POINTER |\
-  SEC_ASN1_DYNAMIC | SEC_ASN1_MAY_STREAM | SEC_ASN1_SAVE | SEC_ASN1_SKIP)
-
-    /* Having any of these bits is not expected here...  */
-    PORT_Assert ((underlying_kind & UNEXPECTED_FLAGS) == 0);
-    underlying_kind &= ~UNEXPECTED_FLAGS;
-#undef UNEXPECTED_FLAGS
-
-    if (underlying_kind & SEC_ASN1_CHOICE) {
-	void *src2;
-	int indx = sec_asn1e_which_choice(src, theTemplate);
-	if (0 == indx) {
-	    /* XXX set an error? "choice not found" */
-	    /* state->top->status = encodeError; */
-	    return 0;
-	}
-
-        src2 = (void *)
-		((char *)src - theTemplate->offset + theTemplate[indx].offset);
-        len = sec_asn1e_contents_length(&theTemplate[indx], src2, 
-	                                disallowStreaming, insideIndefinite, 
-					pHdrException);
-    } else {
-      switch (underlying_kind) {
-      case SEC_ASN1_SEQUENCE_OF:
-      case SEC_ASN1_SET_OF:
-	{
-	    const SEC_ASN1Template *tmpt;
-	    void *sub_src;
-	    unsigned long sub_len;
-	    void **group;
-
-	    len = 0;
-
-	    group = *(void ***)src;
-	    if (group == NULL)
-		break;
-
-	    tmpt = SEC_ASN1GetSubtemplate (theTemplate, src, PR_TRUE);
-
-	    for (; *group != NULL; group++) {
-		sub_src = (char *)(*group) + tmpt->offset;
-		sub_len = sec_asn1e_contents_length (tmpt, sub_src, 
-		                                     disallowStreaming,
-						     insideIndefinite,
-                                                     pHdrException);
-		len += sub_len;
-		/*
-		 * XXX The 1 below is the presumed length of the identifier;
-		 * to support a high-tag-number this would need to be smarter.
-		 */
-		if (*pHdrException == hdr_normal)
-		    len += 1 + SEC_ASN1LengthLength (sub_len);
-	    }
-	}
-	break;
-
-      case SEC_ASN1_SEQUENCE:
-      case SEC_ASN1_SET:
-	{
-	    const SEC_ASN1Template *tmpt;
-	    void *sub_src;
-	    unsigned long sub_len;
-
-	    len = 0;
-	    for (tmpt = theTemplate + 1; tmpt->kind; tmpt++) {
-		sub_src = (char *)src + tmpt->offset;
-		sub_len = sec_asn1e_contents_length (tmpt, sub_src, 
-		                                     disallowStreaming,
-						     insideIndefinite,
-                                                     pHdrException);
-		len += sub_len;
-		/*
-		 * XXX The 1 below is the presumed length of the identifier;
-		 * to support a high-tag-number this would need to be smarter.
-		 */
-		if (*pHdrException == hdr_normal)
-		    len += 1 + SEC_ASN1LengthLength (sub_len);
-	    }
-	}
-	break;
-
-      case SEC_ASN1_BIT_STRING:
-	/* convert bit length to byte */
-	len = (((SECItem *)src)->len + 7) >> 3;
-	/* bit string contents involve an extra octet */
-	if (len)
-	    len++;
-	break;
-
-      case SEC_ASN1_INTEGER:
-	/* ASN.1 INTEGERs are signed.
-	 * If the source is an unsigned integer, the encoder will need 
-	 * to handle the conversion here.
-	 */
-	{
-	    unsigned char *buf = ((SECItem *)src)->data;
-	    SECItemType integerType = ((SECItem *)src)->type;
-	    len = ((SECItem *)src)->len;
-	    while (len > 0) {
-		if (*buf != 0) {
-		    if (*buf & 0x80 && integerType == siUnsignedInteger) {
-			len++; /* leading zero needed to make number signed */
-		    }
-		    break; /* reached beginning of number */
-		}
-		if (len == 1) {
-		    break; /* the number 0 */
-		}
-		if (buf[1] & 0x80) {
-		    break; /* leading zero already present */
-		} 
-		/* extraneous leading zero, keep going */
-		buf++;
-		len--;
-	    }
-	}
-	break;
-
-      default:
-	len = ((SECItem *)src)->len;
-	break;
-      }  /* end switch */
-
-#ifndef WHAT_PROBLEM_DOES_THIS_SOLVE
-      /* if we're streaming, we may have a secitem w/len 0 as placeholder */
-      if (!len && insideIndefinite && may_stream && !disallowStreaming) {
-	  len = 1;
-      }
-#endif
-    }    /* end else */
-
-    if (len == 0 && optional)
-	*pHdrException = hdr_optional;
-    else if (underlying_kind == SEC_ASN1_ANY)
-	*pHdrException = hdr_any;
-    else 
-	*pHdrException = hdr_normal;
-
-    return len;
-}
-
-
-static void
-sec_asn1e_write_header (sec_asn1e_state *state)
-{
-    unsigned long contents_length;
-    unsigned char tag_number, tag_modifiers;
-    sec_asn1e_hdr_encoding hdrException = hdr_normal;
-    PRBool indefinite = PR_FALSE;
-
-    PORT_Assert (state->place == beforeHeader);
-
-    tag_number = state->tag_number;
-    tag_modifiers = state->tag_modifiers;
-
-    if (state->underlying_kind == SEC_ASN1_ANY) {
-	state->place = duringContents;
-	return;
-    }
-
-    if (state->underlying_kind & SEC_ASN1_CHOICE) {
-	int indx = sec_asn1e_which_choice(state->src, state->theTemplate);
-	if( 0 == indx ) {
-	    /* XXX set an error? "choice not found" */
-	    state->top->status = encodeError;
-	    return;
-	}
-	state->place = afterChoice;
-	state = sec_asn1e_push_state(state->top, &state->theTemplate[indx],
-			       (char *)state->src - state->theTemplate->offset, 
-			       PR_TRUE);
-	if (state) {
-	    /*
-	     * Do the "before" field notification.
-	     */
-	    sec_asn1e_notify_before (state->top, state->src, state->depth);
-	    state = sec_asn1e_init_state_based_on_template (state);
-	}
-	return;
-    }
-
-    /* The !isString test below is apparently intended to ensure that all 
-    ** constructed types receive indefinite length encoding.
-    */
-   indefinite = (PRBool) 
-	(state->top->streaming && state->may_stream && 
-	 (state->top->from_buf || !state->is_string));
-
-    /*
-     * If we are doing a definite-length encoding, first we have to
-     * walk the data structure to calculate the entire contents length.
-     * If we are doing an indefinite-length encoding, we still need to 
-     * know if the contents is:
-     *    optional and to be omitted, or 
-     *    an ANY (header is pre-encoded), or 
-     *    a SAVE or some other kind of template used only by the decoder.
-     * So, we call this function either way.
-     */
-    contents_length = sec_asn1e_contents_length (state->theTemplate,
-						 state->src, 
-                                                 state->disallowStreaming,
-						 indefinite,
-                                                 &hdrException);
-    /*
-     * We might be told explicitly not to put out a header.
-     * But it can also be the case, via a pushed subtemplate, that
-     * sec_asn1e_contents_length could not know that this field is
-     * really optional.  So check for that explicitly, too.
-     */
-    if (hdrException != hdr_normal || 
-	(contents_length == 0 && state->optional)) {
-	state->place = afterContents;
-	if (state->top->streaming && 
-	    state->may_stream && 
-	    state->top->from_buf) {
-	    /* we did not find an optional indefinite string, so we 
-	     * don't encode it.  However, if TakeFromBuf is on, we stop 
-	     * here anyway to give our caller a chance to intercept at the 
-	     * same point where we would stop if the field were present. 
-	     */
-	    state->top->status = needBytes;
-	}
-	return;
-    }
-
-    if (indefinite) {
-	/*
-	 * We need to put out an indefinite-length encoding.
-	 * The only universal types that can be constructed are SETs,
-	 * SEQUENCEs, and strings; so check that it is one of those,
-	 * or that it is not universal (e.g. context-specific).
-	 */
-	state->indefinite = PR_TRUE;
-	PORT_Assert ((tag_number == SEC_ASN1_SET)
-		     || (tag_number == SEC_ASN1_SEQUENCE)
-		     || ((tag_modifiers & SEC_ASN1_CLASS_MASK) != 0)
-		     || state->is_string);
-	tag_modifiers |= SEC_ASN1_CONSTRUCTED;
-	contents_length = 0;
-    }
-
-    sec_asn1e_write_identifier_bytes (state, 
-                                (unsigned char)(tag_number | tag_modifiers));
-    sec_asn1e_write_length_bytes (state, contents_length, state->indefinite);
-
-    if (contents_length == 0 && !state->indefinite) {
-	/*
-	 * If no real contents to encode, then we are done with this field.
-	 */
-	state->place = afterContents;
-	return;
-    }
-
-    /*
-     * An EXPLICIT is nothing but an outer header, which we have already
-     * written.  Now we need to do the inner header and contents.
-     */
-    if (state->isExplicit) {
-	const SEC_ASN1Template *subt =
-	      SEC_ASN1GetSubtemplate(state->theTemplate, state->src, PR_TRUE);
-	state->place = afterContents;
-	state = sec_asn1e_push_state (state->top, subt, state->src, PR_TRUE);
-	if (state != NULL)
-	    state = sec_asn1e_init_state_based_on_template (state);
-	return;
-    }
-
-    switch (state->underlying_kind) {
-      case SEC_ASN1_SET_OF:
-      case SEC_ASN1_SEQUENCE_OF:
-	/*
-	 * We need to push a child to handle each member.
-	 */
-	{
-	    void **group;
-	    const SEC_ASN1Template *subt;
-
-	    group = *(void ***)state->src;
-	    if (group == NULL || *group == NULL) {
-		/*
-		 * Group is empty; we are done.
-		 */
-		state->place = afterContents;
-		return;
-	    }
-	    state->place = duringGroup;
-	    subt = SEC_ASN1GetSubtemplate (state->theTemplate, state->src,
-					   PR_TRUE);
-	    state = sec_asn1e_push_state (state->top, subt, *group, PR_TRUE);
-	    if (state != NULL)
-		state = sec_asn1e_init_state_based_on_template (state);
-	}
-	break;
-
-      case SEC_ASN1_SEQUENCE:
-      case SEC_ASN1_SET:
-	/*
-	 * We need to push a child to handle the individual fields.
-	 */
-	state->place = duringSequence;
-	state = sec_asn1e_push_state (state->top, state->theTemplate + 1,
-				      state->src, PR_TRUE);
-	if (state != NULL) {
-	    /*
-	     * Do the "before" field notification.
-	     */
-	    sec_asn1e_notify_before (state->top, state->src, state->depth);
-	    state = sec_asn1e_init_state_based_on_template (state);
-	}
-	break;
-
-      default:
-	/*
-	 * I think we do not need to do anything else.
-	 * XXX Correct?
-	 */
-	state->place = duringContents;
-	break;
-    }
-}
-
-
-static void
-sec_asn1e_write_contents_from_buf (sec_asn1e_state *state,
-			  const char *buf, unsigned long len)
-{
-    PORT_Assert (state->place == duringContents);
-    PORT_Assert (state->top->from_buf);
-    PORT_Assert (state->may_stream && !state->disallowStreaming);
-
-    /*
-     * Probably they just turned on "take from buf", but have not
-     * yet given us any bytes.  If there is nothing in the buffer
-     * then we have nothing to do but return and wait.
-     */
-    if (buf == NULL || len == 0) {
-	state->top->status = needBytes;
-	return;
-    }
-    /*
-     * We are streaming, reading from a passed-in buffer.
-     * This means we are encoding a simple string or an ANY.
-     * For the former, we need to put out a substring, with its
-     * own identifier and length.  For an ANY, we just write it
-     * out as is (our caller is required to ensure that it
-     * is a properly encoded entity).
-     */
-    PORT_Assert (state->is_string);		/* includes ANY */
-    if (state->underlying_kind != SEC_ASN1_ANY) {
-	unsigned char identifier;
-
-	/*
-	 * Create the identifier based on underlying_kind.  We cannot
-	 * use tag_number and tag_modifiers because this can be an
-	 * implicitly encoded field.  In that case, the underlying
-	 * substrings *are* encoded with their real tag.
-	 */
-	identifier = (unsigned char)
-	                    (state->underlying_kind & SEC_ASN1_TAG_MASK);
-	/*
-	 * The underlying kind should just be a simple string; there
-	 * should be no bits like CONTEXT_SPECIFIC or CONSTRUCTED set.
-	 */
-	PORT_Assert ((identifier & SEC_ASN1_TAGNUM_MASK) == identifier);
-	/*
-	 * Write out the tag and length for the substring.
-	 */
-	sec_asn1e_write_identifier_bytes (state, identifier);
-	if (state->underlying_kind == SEC_ASN1_BIT_STRING) {
-	    char byte;
-	    /*
-	     * Assume we have a length in bytes but we need to output
-	     * a proper bit string.  This interface only works for bit
-	     * strings that are full multiples of 8.  If support for
-	     * real, variable length bit strings is needed then the
-	     * caller will have to know to pass in a bit length instead
-	     * of a byte length and then this code will have to
-	     * perform the encoding necessary (length written is length
-	     * in bytes plus 1, and the first octet of string is the
-	     * number of bits remaining between the end of the bit
-	     * string and the next byte boundary).
-	     */
-	    sec_asn1e_write_length_bytes (state, len + 1, PR_FALSE);
-	    byte = 0;
-	    sec_asn1e_write_contents_bytes (state, &byte, 1);
-	} else {
-	    sec_asn1e_write_length_bytes (state, len, PR_FALSE);
-	}
-    }
-    sec_asn1e_write_contents_bytes (state, buf, len);
-    state->top->status = needBytes;
-}
-
-static void
-sec_asn1e_write_contents (sec_asn1e_state *state)
-{
-    unsigned long len = 0;
-
-    PORT_Assert (state->place == duringContents);
-
-    switch (state->underlying_kind) {
-      case SEC_ASN1_SET:
-      case SEC_ASN1_SEQUENCE:
-	PORT_Assert (0);
-	break;
-
-      case SEC_ASN1_BIT_STRING:
-	{
-	    SECItem *item;
-	    char rem;
-
-	    item = (SECItem *)state->src;
-	    len = (item->len + 7) >> 3;
-	    rem = (unsigned char)((len << 3) - item->len); /* remaining bits */
-	    sec_asn1e_write_contents_bytes (state, &rem, 1);
-	    sec_asn1e_write_contents_bytes (state, (char *) item->data, len);
-	}
-	break;
-
-      case SEC_ASN1_BMP_STRING:
-	/* The number of bytes must be divisable by 2 */
-	if ((((SECItem *)state->src)->len) % 2) {
-	    SEC_ASN1EncoderContext *cx;
-
-	    cx = state->top;
-	    cx->status = encodeError;
-	    break;
-	}
-	/* otherwise, fall through to write the content */
-	goto process_string;
-
-      case SEC_ASN1_UNIVERSAL_STRING:
-	/* The number of bytes must be divisable by 4 */
-	if ((((SECItem *)state->src)->len) % 4) {
-	    SEC_ASN1EncoderContext *cx;
-
-	    cx = state->top;
-	    cx->status = encodeError;
-	    break;
-	}
-	/* otherwise, fall through to write the content */
-	goto process_string;
-
-      case SEC_ASN1_INTEGER:
-       /* ASN.1 INTEGERs are signed.  If the source is an unsigned
-	* integer, the encoder will need to handle the conversion here.
-	*/
-	{
-	    unsigned int blen;
-	    unsigned char *buf;
-	    SECItemType integerType;
-	    blen = ((SECItem *)state->src)->len;
-	    buf = ((SECItem *)state->src)->data;
-	    integerType = ((SECItem *)state->src)->type;
-	    while (blen > 0) {
-		if (*buf & 0x80 && integerType == siUnsignedInteger) {
-		    char zero = 0; /* write a leading 0 */
-		    sec_asn1e_write_contents_bytes(state, &zero, 1);
-		    /* and then the remaining buffer */
-		    sec_asn1e_write_contents_bytes(state, 
-						   (char *)buf, blen); 
-		    break;
-		} 
-		/* Check three possibilities:
-		 * 1.  No leading zeros, msb of MSB is not 1;
-		 * 2.  The number is zero itself;
-		 * 3.  Encoding a signed integer with a leading zero,
-		 *     keep the zero so that the number is positive.
-		 */
-		if (*buf != 0 || 
-		     blen == 1 || 
-		     (buf[1] & 0x80 && integerType != siUnsignedInteger) ) 
-		{
-		    sec_asn1e_write_contents_bytes(state, 
-						   (char *)buf, blen); 
-		    break;
-		}
-		/* byte is 0, continue */
-		buf++;
-		blen--;
-	    }
-	}
-	/* done with this content */
-	break;
-			
-process_string:			
-      default:
-	{
-	    SECItem *item;
-
-	    item = (SECItem *)state->src;
-	    sec_asn1e_write_contents_bytes (state, (char *) item->data,
-					    item->len);
-	}
-	break;
-    }
-    state->place = afterContents;
-}
-
-/*
- * We are doing a SET OF or SEQUENCE OF, and have just finished an item.
- */
-static void
-sec_asn1e_next_in_group (sec_asn1e_state *state)
-{
-    sec_asn1e_state *child;
-    void **group;
-    void *member;
-
-    PORT_Assert (state->place == duringGroup);
-    PORT_Assert (state->child != NULL);
-
-    child = state->child;
-
-    group = *(void ***)state->src;
-
-    /*
-     * Find placement of current item.
-     */
-    member = (char *)(state->child->src) - child->theTemplate->offset;
-    while (*group != member)
-	group++;
-
-    /*
-     * Move forward to next item.
-     */
-    group++;
-    if (*group == NULL) {
-	/*
-	 * That was our last one; we are done now.
-	 */
-	child->place = notInUse;
-	state->place = afterContents;
-	return;
-    }
-    child->src = (char *)(*group) + child->theTemplate->offset;
-
-    /*
-     * Re-"push" child.
-     */
-    sec_asn1e_scrub_state (child);
-    state->top->current = child;
-}
-
-
-/*
- * We are moving along through a sequence; move forward by one,
- * (detecting end-of-sequence when it happens).
- */
-static void
-sec_asn1e_next_in_sequence (sec_asn1e_state *state)
-{
-    sec_asn1e_state *child;
-
-    PORT_Assert (state->place == duringSequence);
-    PORT_Assert (state->child != NULL);
-
-    child = state->child;
-
-    /*
-     * Do the "after" field notification.
-     */
-    sec_asn1e_notify_after (state->top, child->src, child->depth);
-
-    /*
-     * Move forward.
-     */
-    child->theTemplate++;
-    if (child->theTemplate->kind == 0) {
-	/*
-	 * We are done with this sequence.
-	 */
-	child->place = notInUse;
-	state->place = afterContents;
-	return;
-    }
-
-    /*
-     * Reset state and push.
-     */
-
-    child->src = (char *)state->src + child->theTemplate->offset;
-
-    /*
-     * Do the "before" field notification.
-     */
-    sec_asn1e_notify_before (state->top, child->src, child->depth);
-
-    state->top->current = child;
-    (void) sec_asn1e_init_state_based_on_template (child);
-}
-
-
-static void
-sec_asn1e_after_contents (sec_asn1e_state *state)
-{
-    PORT_Assert (state->place == afterContents);
-
-    if (state->indefinite)
-	sec_asn1e_write_end_of_contents_bytes (state);
-
-    /*
-     * Just make my parent be the current state.  It will then clean
-     * up after me and free me (or reuse me).
-     */
-    state->top->current = state->parent;
-}
-
-
-/*
- * This function is called whether or not we are streaming; if we
- * *are* streaming, our caller can also instruct us to take bytes
- * from the passed-in buffer (at buf, for length len, which is likely
- * bytes but could even mean bits if the current field is a bit string).
- * If we have been so instructed, we will gobble up bytes from there
- * (rather than from our src structure) and output them, and then
- * we will just return, expecting to be called again -- either with
- * more bytes or after our caller has instructed us that we are done
- * (for now) with the buffer.
- */
-SECStatus
-SEC_ASN1EncoderUpdate (SEC_ASN1EncoderContext *cx,
-		       const char *buf, unsigned long len)
-{
-    sec_asn1e_state *state;
-
-    if (cx->status == needBytes) {
-	cx->status = keepGoing;
-    }
-
-    while (cx->status == keepGoing) {
-	state = cx->current;
-	switch (state->place) {
-	  case beforeHeader:
-	    sec_asn1e_write_header (state);
-	    break;
-	  case duringContents:
-	    if (cx->from_buf)
-		sec_asn1e_write_contents_from_buf (state, buf, len);
-	    else
-		sec_asn1e_write_contents (state);
-	    break;
-	  case duringGroup:
-	    sec_asn1e_next_in_group (state);
-	    break;
-	  case duringSequence:
-	    sec_asn1e_next_in_sequence (state);
-	    break;
-	  case afterContents:
-	    sec_asn1e_after_contents (state);
-	    break;
-	  case afterImplicit:
-	  case afterInline:
-	  case afterPointer:
-	  case afterChoice:
-	    /*
-	     * These states are more documentation than anything.
-	     * They just need to force a pop.
-	     */
-	    PORT_Assert (!state->indefinite);
-	    state->place = afterContents;
-	    break;
-	  case notInUse:
-	  default:
-	    /* This is not an error, but rather a plain old BUG! */
-	    PORT_Assert (0);
-	    cx->status = encodeError;
-	    break;
-	}
-
-	if (cx->status == encodeError)
-	    break;
-
-	/* It might have changed, so we have to update our local copy.  */
-	state = cx->current;
-
-	/* If it is NULL, we have popped all the way to the top.  */
-	if (state == NULL) {
-	    cx->status = allDone;
-	    break;
-	}
-    }
-
-    if (cx->status == encodeError) {
-	return SECFailure;
-    }
-
-    return SECSuccess;
-}
-
-
-void
-SEC_ASN1EncoderFinish (SEC_ASN1EncoderContext *cx)
-{
-    /*
-     * XXX anything else that needs to be finished?
-     */
-
-    PORT_FreeArena (cx->our_pool, PR_FALSE);
-}
-
-
-SEC_ASN1EncoderContext *
-SEC_ASN1EncoderStart (const void *src, const SEC_ASN1Template *theTemplate,
-		      SEC_ASN1WriteProc output_proc, void *output_arg)
-{
-    PRArenaPool *our_pool;
-    SEC_ASN1EncoderContext *cx;
-
-    our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
-    if (our_pool == NULL)
-	return NULL;
-
-    cx = (SEC_ASN1EncoderContext*)PORT_ArenaZAlloc (our_pool, sizeof(*cx));
-    if (cx == NULL) {
-	PORT_FreeArena (our_pool, PR_FALSE);
-	return NULL;
-    }
-
-    cx->our_pool = our_pool;
-    cx->output_proc = output_proc;
-    cx->output_arg = output_arg;
-
-    cx->status = keepGoing;
-
-    if (sec_asn1e_push_state(cx, theTemplate, src, PR_FALSE) == NULL
-	|| sec_asn1e_init_state_based_on_template (cx->current) == NULL) {
-	/*
-	 * Trouble initializing (probably due to failed allocations)
-	 * requires that we just give up.
-	 */
-	PORT_FreeArena (our_pool, PR_FALSE);
-	return NULL;
-    }
-
-    return cx;
-}
-
-
-/*
- * XXX Do we need a FilterProc, too?
- */
-
-
-void
-SEC_ASN1EncoderSetNotifyProc (SEC_ASN1EncoderContext *cx,
-			      SEC_ASN1NotifyProc fn, void *arg)
-{
-    cx->notify_proc = fn;
-    cx->notify_arg = arg;
-}
-
-
-void
-SEC_ASN1EncoderClearNotifyProc (SEC_ASN1EncoderContext *cx)
-{
-    cx->notify_proc = NULL;
-    cx->notify_arg = NULL;	/* not necessary; just being clean */
-}
-
-void
-SEC_ASN1EncoderAbort(SEC_ASN1EncoderContext *cx, int error)
-{
-    PORT_Assert(cx);
-    PORT_SetError(error);
-    cx->status = encodeError;
-}
-
-void
-SEC_ASN1EncoderSetStreaming (SEC_ASN1EncoderContext *cx)
-{
-    /* XXX is there a way to check that we are "between" fields here? */
-
-    cx->streaming = PR_TRUE;
-}
-
-
-void
-SEC_ASN1EncoderClearStreaming (SEC_ASN1EncoderContext *cx)
-{
-    /* XXX is there a way to check that we are "between" fields here? */
-
-    cx->streaming = PR_FALSE;
-}
-
-
-void
-SEC_ASN1EncoderSetTakeFromBuf (SEC_ASN1EncoderContext *cx)
-{
-    /* 
-     * XXX is there a way to check that we are "between" fields here?  this
-     * needs to include a check for being in between groups of items in
-     * a SET_OF or SEQUENCE_OF.
-     */
-    PORT_Assert (cx->streaming);
-
-    cx->from_buf = PR_TRUE;
-}
-
-
-void
-SEC_ASN1EncoderClearTakeFromBuf (SEC_ASN1EncoderContext *cx)
-{
-    /* we should actually be taking from buf *now* */
-    PORT_Assert (cx->from_buf);
-    if (! cx->from_buf)		/* if not, just do nothing */
-	return;
-
-    cx->from_buf = PR_FALSE;
-
-    if (cx->status == needBytes) {
-	cx->status = keepGoing;
-	cx->current->place = afterContents;
-    }
-}
-
-
-SECStatus
-SEC_ASN1Encode (const void *src, const SEC_ASN1Template *theTemplate,
-		SEC_ASN1WriteProc output_proc, void *output_arg)
-{
-    SEC_ASN1EncoderContext *ecx;
-    SECStatus rv;
-
-    ecx = SEC_ASN1EncoderStart (src, theTemplate, output_proc, output_arg);
-    if (ecx == NULL)
-	return SECFailure;
-
-    rv = SEC_ASN1EncoderUpdate (ecx, NULL, 0);
-
-    SEC_ASN1EncoderFinish (ecx);
-    return rv;
-}
-
-
-/*
- * XXX depth and data_kind are unused; is there a PC way to silence warnings?
- * (I mean "politically correct", not anything to do with intel/win platform) 
- */
-static void
-sec_asn1e_encode_item_count (void *arg, const char *buf, unsigned long len,
-			     int depth, SEC_ASN1EncodingPart data_kind)
-{
-    unsigned long *count;
-
-    count = (unsigned long*)arg;
-    PORT_Assert (count != NULL);
-
-    *count += len;
-}
-
-
-/* XXX depth and data_kind are unused; is there a PC way to silence warnings? */
-static void
-sec_asn1e_encode_item_store (void *arg, const char *buf, unsigned long len,
-			     int depth, SEC_ASN1EncodingPart data_kind)
-{
-    SECItem *dest;
-
-    dest = (SECItem*)arg;
-    PORT_Assert (dest != NULL);
-
-    PORT_Memcpy (dest->data + dest->len, buf, len);
-    dest->len += len;
-}
-
-
-/*
- * Allocate an entire SECItem, or just the data part of it, to hold
- * "len" bytes of stuff.  Allocate from the given pool, if specified,
- * otherwise just do a vanilla PORT_Alloc.
- *
- * XXX This seems like a reasonable general-purpose function (for SECITEM_)?
- */
-static SECItem *
-sec_asn1e_allocate_item (PRArenaPool *poolp, SECItem *dest, unsigned long len)
-{
-    if (poolp != NULL) {
-	void *release;
-
-	release = PORT_ArenaMark (poolp);
-	if (dest == NULL)
-	    dest = (SECItem*)PORT_ArenaAlloc (poolp, sizeof(SECItem));
-	if (dest != NULL) {
-	    dest->data = (unsigned char*)PORT_ArenaAlloc (poolp, len);
-	    if (dest->data == NULL) {
-		dest = NULL;
-	    }
-	}
-	if (dest == NULL) {
-	    /* one or both allocations failed; release everything */
-	    PORT_ArenaRelease (poolp, release);
-	} else {
-	    /* everything okay; unmark the arena */
-	    PORT_ArenaUnmark (poolp, release);
-	}
-    } else {
-	SECItem *indest;
-
-	indest = dest;
-	if (dest == NULL)
-	    dest = (SECItem*)PORT_Alloc (sizeof(SECItem));
-	if (dest != NULL) {
-	    dest->type = siBuffer;
-	    dest->data = (unsigned char*)PORT_Alloc (len);
-	    if (dest->data == NULL) {
-		if (indest == NULL)
-		    PORT_Free (dest);
-		dest = NULL;
-	    }
-	}
-    }
-
-    return dest;
-}
-
-
-SECItem *
-SEC_ASN1EncodeItem (PRArenaPool *poolp, SECItem *dest, const void *src,
-		    const SEC_ASN1Template *theTemplate)
-{
-    unsigned long encoding_length;
-    SECStatus rv;
-
-    PORT_Assert (dest == NULL || dest->data == NULL);
-
-    encoding_length = 0;
-    rv = SEC_ASN1Encode (src, theTemplate,
-			 sec_asn1e_encode_item_count, &encoding_length);
-    if (rv != SECSuccess)
-	return NULL;
-
-    dest = sec_asn1e_allocate_item (poolp, dest, encoding_length);
-    if (dest == NULL)
-	return NULL;
-
-    /* XXX necessary?  This really just checks for a bug in the allocate fn */
-    PORT_Assert (dest->data != NULL);
-    if (dest->data == NULL)
-	return NULL;
-
-    dest->len = 0;
-    (void) SEC_ASN1Encode (src, theTemplate, sec_asn1e_encode_item_store, dest);
-
-    PORT_Assert (encoding_length == dest->len);
-    return dest;
-}
-
-
-static SECItem *
-sec_asn1e_integer(PRArenaPool *poolp, SECItem *dest, unsigned long value,
-		  PRBool make_unsigned)
-{
-    unsigned long copy;
-    unsigned char sign;
-    int len = 0;
-
-    /*
-     * Determine the length of the encoded value (minimum of 1).
-     */
-    copy = value;
-    do {
-	len++;
-	sign = (unsigned char)(copy & 0x80);
-	copy >>= 8;
-    } while (copy);
-
-    /*
-     * If this is an unsigned encoding, and the high bit of the last
-     * byte we counted was set, we need to add one to the length so
-     * we put a high-order zero byte in the encoding.
-     */
-    if (sign && make_unsigned)
-	len++;
-
-    /*
-     * Allocate the item (if necessary) and the data pointer within.
-     */
-    dest = sec_asn1e_allocate_item (poolp, dest, len);
-    if (dest == NULL)
-	return NULL;
-
-    /*
-     * Store the value, byte by byte, in the item.
-     */
-    dest->len = len;
-    while (len) {
-	dest->data[--len] = (unsigned char)value;
-	value >>= 8;
-    }
-    PORT_Assert (value == 0);
-
-    return dest;
-}
-
-
-SECItem *
-SEC_ASN1EncodeInteger(PRArenaPool *poolp, SECItem *dest, long value)
-{
-    return sec_asn1e_integer (poolp, dest, (unsigned long) value, PR_FALSE);
-}
-
-
-extern SECItem *
-SEC_ASN1EncodeUnsignedInteger(PRArenaPool *poolp,
-			      SECItem *dest, unsigned long value)
-{
-    return sec_asn1e_integer (poolp, dest, value, PR_TRUE);
-}
diff --git a/security/nss/lib/util/secasn1t.h b/security/nss/lib/util/secasn1t.h
deleted file mode 100644
index 871f3ae89..000000000
--- a/security/nss/lib/util/secasn1t.h
+++ /dev/null
@@ -1,300 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Types for encoding/decoding of ASN.1 using BER/DER (Basic/Distinguished
- * Encoding Rules).
- *
- * $Id$
- */
-
-#ifndef _SECASN1T_H_
-#define _SECASN1T_H_
-
-/*
-** An array of these structures defines a BER/DER encoding for an object.
-**
-** The array usually starts with a dummy entry whose kind is SEC_ASN1_SEQUENCE;
-** such an array is terminated with an entry where kind == 0.  (An array
-** which consists of a single component does not require a second dummy
-** entry -- the array is only searched as long as previous component(s)
-** instruct it.)
-*/
-typedef struct sec_ASN1Template_struct {
-    /*
-    ** Kind of item being decoded/encoded, including tags and modifiers.
-    */
-    unsigned long kind;
-
-    /*
-    ** The value is the offset from the base of the structure to the
-    ** field that holds the value being decoded/encoded.
-    */
-    unsigned long offset;
-
-    /*
-    ** When kind suggests it (SEC_ASN1_POINTER, SEC_ASN1_GROUP, SEC_ASN1_INLINE,
-    ** or a component that is *not* a SEC_ASN1_UNIVERSAL), this points to
-    ** a sub-template for nested encoding/decoding,
-    ** OR, iff SEC_ASN1_DYNAMIC is set, then this is a pointer to a pointer
-    ** to a function which will return the appropriate template when called
-    ** at runtime.  NOTE! that explicit level of indirection, which is
-    ** necessary because ANSI does not allow you to store a function
-    ** pointer directly as a "void *" so we must store it separately and
-    ** dereference it to get at the function pointer itself.
-    */
-    const void *sub;
-
-    /*
-    ** In the first element of a template array, the value is the size
-    ** of the structure to allocate when this template is being referenced
-    ** by another template via SEC_ASN1_POINTER or SEC_ASN1_GROUP.
-    ** In all other cases, the value is ignored.
-    */
-    unsigned int size;
-} SEC_ASN1Template;
-
-
-/* default size used for allocation of encoding/decoding stuff */
-/* XXX what is the best value here? */
-#define SEC_ASN1_DEFAULT_ARENA_SIZE	(2048)
-
-/*
-** BER/DER values for ASN.1 identifier octets.
-*/
-#define SEC_ASN1_TAG_MASK		0xff
-
-/*
- * BER/DER universal type tag numbers.
- * The values are defined by the X.208 standard; do not change them!
- * NOTE: if you add anything to this list, you must add code to secasn1d.c
- * to accept the tag, and probably also to secasn1e.c to encode it.
- * XXX It appears some have been added recently without being added to
- * the code; so need to go through the list now and double-check them all.
- * (Look especially at those added in revision 1.10.)
- */
-#define SEC_ASN1_TAGNUM_MASK		0x1f
-#define SEC_ASN1_BOOLEAN		0x01
-#define SEC_ASN1_INTEGER		0x02
-#define SEC_ASN1_BIT_STRING		0x03
-#define SEC_ASN1_OCTET_STRING		0x04
-#define SEC_ASN1_NULL			0x05
-#define SEC_ASN1_OBJECT_ID		0x06
-#define SEC_ASN1_OBJECT_DESCRIPTOR      0x07
-/* External type and instance-of type   0x08 */
-#define SEC_ASN1_REAL                   0x09
-#define SEC_ASN1_ENUMERATED		0x0a
-#define SEC_ASN1_EMBEDDED_PDV           0x0b
-#define SEC_ASN1_UTF8_STRING		0x0c
-/*                                      0x0d */
-/*                                      0x0e */
-/*                                      0x0f */
-#define SEC_ASN1_SEQUENCE		0x10
-#define SEC_ASN1_SET			0x11
-#define SEC_ASN1_NUMERIC_STRING         0x12
-#define SEC_ASN1_PRINTABLE_STRING	0x13
-#define SEC_ASN1_T61_STRING		0x14
-#define SEC_ASN1_VIDEOTEX_STRING        0x15
-#define SEC_ASN1_IA5_STRING		0x16
-#define SEC_ASN1_UTC_TIME		0x17
-#define SEC_ASN1_GENERALIZED_TIME	0x18
-#define SEC_ASN1_GRAPHIC_STRING         0x19
-#define SEC_ASN1_VISIBLE_STRING		0x1a
-#define SEC_ASN1_GENERAL_STRING         0x1b
-#define SEC_ASN1_UNIVERSAL_STRING	0x1c
-/*                                      0x1d */
-#define SEC_ASN1_BMP_STRING		0x1e
-#define SEC_ASN1_HIGH_TAG_NUMBER	0x1f
-#define SEC_ASN1_TELETEX_STRING 	SEC_ASN1_T61_STRING
-
-/*
-** Modifiers to type tags.  These are also specified by a/the
-** standard, and must not be changed.
-*/
-
-#define SEC_ASN1_METHOD_MASK		0x20
-#define SEC_ASN1_PRIMITIVE		0x00
-#define SEC_ASN1_CONSTRUCTED		0x20
-
-#define SEC_ASN1_CLASS_MASK		0xc0
-#define SEC_ASN1_UNIVERSAL		0x00
-#define SEC_ASN1_APPLICATION		0x40
-#define SEC_ASN1_CONTEXT_SPECIFIC	0x80
-#define SEC_ASN1_PRIVATE		0xc0
-
-/*
-** Our additions, used for templates.
-** These are not defined by any standard; the values are used internally only.
-** Just be careful to keep them out of the low 8 bits.
-** XXX finish comments
-*/
-#define SEC_ASN1_OPTIONAL	0x00100
-#define SEC_ASN1_EXPLICIT	0x00200
-#define SEC_ASN1_ANY		0x00400
-#define SEC_ASN1_INLINE		0x00800
-#define SEC_ASN1_POINTER	0x01000
-#define SEC_ASN1_GROUP		0x02000	/* with SET or SEQUENCE means
-					 * SET OF or SEQUENCE OF */
-#define SEC_ASN1_DYNAMIC	0x04000 /* subtemplate is found by calling
-					 * a function at runtime */
-#define SEC_ASN1_SKIP		0x08000 /* skip a field; only for decoding */
-#define SEC_ASN1_INNER		0x10000	/* with ANY means capture the
-					 * contents only (not the id, len,
-					 * or eoc); only for decoding */
-#define SEC_ASN1_SAVE		0x20000 /* stash away the encoded bytes first;
-					 * only for decoding */
-#define SEC_ASN1_MAY_STREAM	0x40000	/* field or one of its sub-fields may
-					 * stream in and so should encode as
-					 * indefinite-length when streaming
-					 * has been indicated; only for
-					 * encoding */
-#define SEC_ASN1_SKIP_REST	0x80000	/* skip all following fields;
-					   only for decoding */
-#define SEC_ASN1_CHOICE        0x100000 /* pick one from a template */
-#define SEC_ASN1_NO_STREAM     0X200000 /* This entry will not stream
-                                           even if the sub-template says
-                                           streaming is possible.  Helps
-                                           to solve ambiguities with potential
-                                           streaming entries that are 
-                                           optional */
-#define SEC_ASN1_DEBUG_BREAK   0X400000 /* put this in your template and the
-                                           decoder will assert when it
-                                           processes it. Only for use with
-                                           SEC_QuickDERDecodeItem */
-
-                                          
-
-/* Shorthand/Aliases */
-#define SEC_ASN1_SEQUENCE_OF	(SEC_ASN1_GROUP | SEC_ASN1_SEQUENCE)
-#define SEC_ASN1_SET_OF		(SEC_ASN1_GROUP | SEC_ASN1_SET)
-#define SEC_ASN1_ANY_CONTENTS	(SEC_ASN1_ANY | SEC_ASN1_INNER)
-
-/* Maximum depth of nested SEQUENCEs and SETs */
-#define SEC_ASN1D_MAX_DEPTH 32
-
-/*
-** Function used for SEC_ASN1_DYNAMIC.
-** "arg" is a pointer to the structure being encoded/decoded
-** "enc", when true, means that we are encoding (false means decoding)
-*/
-typedef const SEC_ASN1Template * SEC_ASN1TemplateChooser(void *arg, PRBool enc);
-typedef SEC_ASN1TemplateChooser * SEC_ASN1TemplateChooserPtr;
-
-#if defined(_WIN32)
-#define SEC_ASN1_GET(x)        NSS_Get_##x(NULL, PR_FALSE)
-#define SEC_ASN1_SUB(x)        &p_NSS_Get_##x
-#define SEC_ASN1_XTRN          SEC_ASN1_DYNAMIC
-#define SEC_ASN1_MKSUB(x) \
-static const SEC_ASN1TemplateChooserPtr p_NSS_Get_##x = &NSS_Get_##x;
-#else
-#define SEC_ASN1_GET(x)        x
-#define SEC_ASN1_SUB(x)        x
-#define SEC_ASN1_XTRN          0
-#define SEC_ASN1_MKSUB(x) 
-#endif
-
-#define SEC_ASN1_CHOOSER_DECLARE(x) \
-extern const SEC_ASN1Template * NSS_Get_##x (void *arg, PRBool enc);
-
-#define SEC_ASN1_CHOOSER_IMPLEMENT(x) \
-const SEC_ASN1Template * NSS_Get_##x(void * arg, PRBool enc) \
-{ return x; }
-
-/*
-** Opaque object used by the decoder to store state.
-*/
-typedef struct sec_DecoderContext_struct SEC_ASN1DecoderContext;
-
-/*
-** Opaque object used by the encoder to store state.
-*/
-typedef struct sec_EncoderContext_struct SEC_ASN1EncoderContext;
-
-/*
- * This is used to describe to a filter function the bytes that are
- * being passed to it.  This is only useful when the filter is an "outer"
- * one, meaning it expects to get *all* of the bytes not just the
- * contents octets.
- */
-typedef enum {
-    SEC_ASN1_Identifier = 0,
-    SEC_ASN1_Length = 1,
-    SEC_ASN1_Contents = 2,
-    SEC_ASN1_EndOfContents = 3
-} SEC_ASN1EncodingPart;
-
-/*
- * Type of the function pointer used either for decoding or encoding,
- * when doing anything "funny" (e.g. manipulating the data stream)
- */ 
-typedef void (* SEC_ASN1NotifyProc)(void *arg, PRBool before,
-				    void *dest, int real_depth);
-
-/*
- * Type of the function pointer used for grabbing encoded bytes.
- * This can be used during either encoding or decoding, as follows...
- *
- * When decoding, this can be used to filter the encoded bytes as they
- * are parsed.  This is what you would do if you wanted to process the data
- * along the way (like to decrypt it, or to perform a hash on it in order
- * to do a signature check later).  See SEC_ASN1DecoderSetFilterProc().
- * When processing only part of the encoded bytes is desired, you "watch"
- * for the field(s) you are interested in with a "notify proc" (see
- * SEC_ASN1DecoderSetNotifyProc()) and for even finer granularity (e.g. to
- * ignore all by the contents bytes) you pay attention to the "data_kind"
- * parameter.
- *
- * When encoding, this is the specification for the output function which
- * will receive the bytes as they are encoded.  The output function can
- * perform any postprocessing necessary (like hashing (some of) the data
- * to create a digest that gets included at the end) as well as shoving
- * the data off wherever it needs to go.  (In order to "tune" any processing,
- * you can set a "notify proc" as described above in the decoding case.)
- *
- * The parameters:
- * - "arg" is an opaque pointer that you provided at the same time you
- *   specified a function of this type
- * - "data" is a buffer of length "len", containing the encoded bytes
- * - "depth" is how deep in a nested encoding we are (it is not usually
- *   valuable, but can be useful sometimes so I included it)
- * - "data_kind" tells you if these bytes are part of the ASN.1 encoded
- *   octets for identifier, length, contents, or end-of-contents
- */ 
-typedef void (* SEC_ASN1WriteProc)(void *arg,
-				   const char *data, unsigned long len,
-				   int depth, SEC_ASN1EncodingPart data_kind);
-
-#endif /* _SECASN1T_H_ */
diff --git a/security/nss/lib/util/secasn1u.c b/security/nss/lib/util/secasn1u.c
deleted file mode 100644
index 1514bd7ed..000000000
--- a/security/nss/lib/util/secasn1u.c
+++ /dev/null
@@ -1,131 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Utility routines to complement the ASN.1 encoding and decoding functions.
- *
- * $Id$
- */
-
-#include "secasn1.h"
-
-
-/*
- * We have a length that needs to be encoded; how many bytes will the
- * encoding take?
- *
- * The rules are that 0 - 0x7f takes one byte (the length itself is the
- * entire encoding); everything else takes one plus the number of bytes
- * in the length.
- */
-int
-SEC_ASN1LengthLength (unsigned long len)
-{
-    int lenlen = 1;
-
-    if (len > 0x7f) {
-	do {
-	    lenlen++;
-	    len >>= 8;
-	} while (len);
-    }
-
-    return lenlen;
-}
-
-
-/*
- * XXX Move over (and rewrite as appropriate) the rest of the
- * stuff in dersubr.c!
- */
-
-
-/*
- * Find the appropriate subtemplate for the given template.
- * This may involve calling a "chooser" function, or it may just
- * be right there.  In either case, it is expected to *have* a
- * subtemplate; this is asserted in debug builds (in non-debug
- * builds, NULL will be returned).
- *
- * "thing" is a pointer to the structure being encoded/decoded
- * "encoding", when true, means that we are in the process of encoding
- *	(as opposed to in the process of decoding)
- */
-const SEC_ASN1Template *
-SEC_ASN1GetSubtemplate (const SEC_ASN1Template *theTemplate, void *thing,
-			PRBool encoding)
-{
-    const SEC_ASN1Template *subt = NULL;
-
-    PORT_Assert (theTemplate->sub != NULL);
-    if (theTemplate->sub != NULL) {
-	if (theTemplate->kind & SEC_ASN1_DYNAMIC) {
-	    SEC_ASN1TemplateChooserPtr chooserp;
-
-	    chooserp = *(SEC_ASN1TemplateChooserPtr *) theTemplate->sub;
-	    if (chooserp) {
-		if (thing != NULL)
-		    thing = (char *)thing - theTemplate->offset;
-		subt = (* chooserp)(thing, encoding);
-	    }
-	} else {
-	    subt = (SEC_ASN1Template*)theTemplate->sub;
-	}
-    }
-    return subt;
-}
-
-PRBool SEC_ASN1IsTemplateSimple(const SEC_ASN1Template *theTemplate)
-{
-    if (!theTemplate) {
-	return PR_TRUE; /* it doesn't get any simpler than NULL */
-    }
-    /* only templates made of one primitive type or a choice of primitive
-       types are considered simple */
-    if (! (theTemplate->kind & (~SEC_ASN1_TAGNUM_MASK))) {
-	return PR_TRUE; /* primitive type */
-    }
-    if (!theTemplate->kind & SEC_ASN1_CHOICE) {
-	return PR_FALSE; /* no choice means not simple */
-    }
-    while (++theTemplate && theTemplate->kind) {
-	if (theTemplate->kind & (~SEC_ASN1_TAGNUM_MASK)) {
-	    return PR_FALSE; /* complex type */
-	}
-    }
-    return PR_TRUE; /* choice of primitive types */
-}
-
diff --git a/security/nss/lib/util/seccomon.h b/security/nss/lib/util/seccomon.h
deleted file mode 100644
index 0ffac6606..000000000
--- a/security/nss/lib/util/seccomon.h
+++ /dev/null
@@ -1,115 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * seccomon.h - common data structures for security libraries
- *
- * This file should have lowest-common-denominator datastructures
- * for security libraries.  It should not be dependent on any other
- * headers, and should not require linking with any libraries.
- *
- * $Id$
- */
-
-#ifndef _SECCOMMON_H_
-#define _SECCOMMON_H_
-
-#include "prtypes.h"
-
-
-#ifdef __cplusplus 
-# define SEC_BEGIN_PROTOS extern "C" {
-# define SEC_END_PROTOS }
-#else
-# define SEC_BEGIN_PROTOS
-# define SEC_END_PROTOS
-#endif
-
-#include "secport.h"
-
-typedef enum {
-    siBuffer = 0,
-    siClearDataBuffer = 1,
-    siCipherDataBuffer = 2,
-    siDERCertBuffer = 3,
-    siEncodedCertBuffer = 4,
-    siDERNameBuffer = 5,
-    siEncodedNameBuffer = 6,
-    siAsciiNameString = 7,
-    siAsciiString = 8,
-    siDEROID = 9,
-    siUnsignedInteger = 10,
-    siUTCTime = 11,
-    siGeneralizedTime = 12
-} SECItemType;
-
-typedef struct SECItemStr SECItem;
-
-struct SECItemStr {
-    SECItemType type;
-    unsigned char *data;
-    unsigned int len;
-};
-
-/*
-** A status code. Status's are used by procedures that return status
-** values. Again the motivation is so that a compiler can generate
-** warnings when return values are wrong. Correct testing of status codes:
-**
-**	SECStatus rv;
-**	rv = some_function (some_argument);
-**	if (rv != SECSuccess)
-**		do_an_error_thing();
-**
-*/
-typedef enum _SECStatus {
-    SECWouldBlock = -2,
-    SECFailure = -1,
-    SECSuccess = 0
-} SECStatus;
-
-/*
-** A comparison code. Used for procedures that return comparision
-** values. Again the motivation is so that a compiler can generate
-** warnings when return values are wrong.
-*/
-typedef enum _SECComparison {
-    SECLessThan = -1,
-    SECEqual = 0,
-    SECGreaterThan = 1
-} SECComparison;
-
-#endif /* _SECCOMMON_H_ */
diff --git a/security/nss/lib/util/secder.h b/security/nss/lib/util/secder.h
deleted file mode 100644
index d14655e92..000000000
--- a/security/nss/lib/util/secder.h
+++ /dev/null
@@ -1,223 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef _SECDER_H_
-#define _SECDER_H_
-
-/*
- * secder.h - public data structures and prototypes for the DER encoding and
- *	      decoding utilities library
- *
- * $Id$
- */
-
-#if defined(_WIN32_WCE)
-#else
-#include <time.h>
-#endif
-
-#include "plarena.h"
-#include "prlong.h"
-
-#include "seccomon.h"
-#include "secdert.h"
-#include "prtime.h"
-
-SEC_BEGIN_PROTOS
-
-/*
-** Decode a piece of der encoded data.
-** 	"dest" points to a structure that will be filled in with the
-**	   decoding results.  (NOTE: it should be zeroed before calling;
-**	   optional/missing fields are not zero-filled by DER_Decode.)
-**	"t" is a template structure which defines the shape of the
-**	   expected data.
-**	"src" is the der encoded data.
-** NOTE: substructures of "dest" will be allocated as needed from
-** "arena", but data subfields will point directly into the buffer
-** passed in as src->data.  That is, the resulting "dest" structure
-** will contain pointers back into src->data, which must remain
-** active (allocated) and unmodified for as long as "dest" is active.
-** If this is a potential problem, you may want to just dup the buffer
-** (allocated from "arena", probably) and pass *that* in instead.
-*/
-extern SECStatus DER_Decode(PRArenaPool *arena, void *dest, DERTemplate *t,
-			   SECItem *src);
-
-/*
-** Encode a data structure into DER.
-**	"dest" will be filled in (and memory allocated) to hold the der
-**	   encoded structure in "src"
-**	"t" is a template structure which defines the shape of the
-**	   stored data
-**	"src" is a pointer to the structure that will be encoded
-*/
-extern SECStatus DER_Encode(PRArenaPool *arena, SECItem *dest, DERTemplate *t,
-			   void *src);
-
-extern SECStatus DER_Lengths(SECItem *item, int *header_len_p, uint32 *contents_len_p);
-
-/*
-** Lower level der subroutine that stores the standard header into "to".
-** The header is of variable length, based on encodingLen.
-** The return value is the new value of "to" after skipping over the header.
-**	"to" is where the header will be stored
-**	"code" is the der code to write
-**	"encodingLen" is the number of bytes of data that will follow
-**	   the header
-*/
-extern unsigned char *DER_StoreHeader(unsigned char *to, unsigned int code,
-				      uint32 encodingLen);
-
-/*
-** Return the number of bytes it will take to hold a der encoded length.
-*/
-extern int DER_LengthLength(uint32 len);
-
-/*
-** Store a der encoded *signed* integer (whose value is "src") into "dst".
-** XXX This should really be enhanced to take a long.
-*/
-extern SECStatus DER_SetInteger(PRArenaPool *arena, SECItem *dst, int32 src);
-
-/*
-** Store a der encoded *unsigned* integer (whose value is "src") into "dst".
-** XXX This should really be enhanced to take an unsigned long.
-*/
-extern SECStatus DER_SetUInteger(PRArenaPool *arena, SECItem *dst, uint32 src);
-
-/*
-** Decode a der encoded *signed* integer that is stored in "src".
-** If "-1" is returned, then the caller should check the error in
-** XP_GetError() to see if an overflow occurred (SEC_ERROR_BAD_DER).
-*/
-extern long DER_GetInteger(SECItem *src);
-
-/*
-** Decode a der encoded *unsigned* integer that is stored in "src".
-** If the ULONG_MAX is returned, then the caller should check the error
-** in XP_GetError() to see if an overflow occurred (SEC_ERROR_BAD_DER).
-*/
-extern unsigned long DER_GetUInteger(SECItem *src);
-
-/*
-** Convert a "UNIX" time value to a der encoded time value.
-**	"result" is the der encoded time (memory is allocated)
-**	"time" is the "UNIX" time value (Since Jan 1st, 1970).
-** The caller is responsible for freeing up the buffer which
-** result->data points to upon a successfull operation.
-*/
-extern SECStatus DER_TimeToUTCTime(SECItem *result, int64 time);
-extern SECStatus DER_TimeToUTCTimeArena(PRArenaPool* arenaOpt,
-                                        SECItem *dst, int64 gmttime);
-
-
-/*
-** Convert an ascii encoded time value (according to DER rules) into
-** a UNIX time value.
-**	"result" the resulting "UNIX" time
-**	"string" the der notation ascii value to decode
-*/
-extern SECStatus DER_AsciiToTime(int64 *result, const char *string);
-
-/*
-** Same as DER_AsciiToTime except takes an SECItem instead of a string
-*/
-extern SECStatus DER_UTCTimeToTime(int64 *result, const SECItem *time);
-
-/*
-** Convert a DER encoded UTC time to an ascii time representation
-** "utctime" is the DER encoded UTC time to be converted. The
-** caller is responsible for deallocating the returned buffer.
-*/
-extern char *DER_UTCTimeToAscii(SECItem *utcTime);
-
-/*
-** Convert a DER encoded UTC time to an ascii time representation, but only
-** include the day, not the time.
-**	"utctime" is the DER encoded UTC time to be converted.
-** The caller is responsible for deallocating the returned buffer.
-*/
-extern char *DER_UTCDayToAscii(SECItem *utctime);
-/* same thing for DER encoded GeneralizedTime */
-extern char *DER_GeneralizedDayToAscii(SECItem *gentime);
-/* same thing for either DER UTCTime or GeneralizedTime */
-extern char *DER_TimeChoiceDayToAscii(SECItem *timechoice);
-
-/*
-** Convert a int64 time to a DER encoded Generalized time
-*/
-extern SECStatus DER_TimeToGeneralizedTime(SECItem *dst, int64 gmttime);
-extern SECStatus DER_TimeToGeneralizedTimeArena(PRArenaPool* arenaOpt,
-                                                SECItem *dst, int64 gmttime);
-
-/*
-** Convert a DER encoded Generalized time value into a UNIX time value.
-**	"dst" the resulting "UNIX" time
-**	"string" the der notation ascii value to decode
-*/
-extern SECStatus DER_GeneralizedTimeToTime(int64 *dst, const SECItem *time);
-
-/*
-** Convert from a int64 UTC time value to a formatted ascii value. The
-** caller is responsible for deallocating the returned buffer.
-*/
-extern char *CERT_UTCTime2FormattedAscii (int64 utcTime, char *format);
-#define CERT_GeneralizedTime2FormattedAscii CERT_UTCTime2FormattedAscii
-
-/*
-** Convert from a int64 Generalized time value to a formatted ascii value. The
-** caller is responsible for deallocating the returned buffer.
-*/
-extern char *CERT_GenTime2FormattedAscii (int64 genTime, char *format);
-
-/*
-** decode a SECItem containing either a SEC_ASN1_GENERALIZED_TIME 
-** or a SEC_ASN1_UTC_TIME
-*/
-
-extern SECStatus DER_DecodeTimeChoice(PRTime* output, const SECItem* input);
-
-/* encode a PRTime to an ASN.1 DER SECItem containing either a
-   SEC_ASN1_GENERALIZED_TIME or a SEC_ASN1_UTC_TIME */
-
-extern SECStatus DER_EncodeTimeChoice(PRArenaPool* arena, SECItem* output,
-                                       PRTime input);
-
-SEC_END_PROTOS
-
-#endif /* _SECDER_H_ */
-
diff --git a/security/nss/lib/util/secdert.h b/security/nss/lib/util/secdert.h
deleted file mode 100644
index 2352eae39..000000000
--- a/security/nss/lib/util/secdert.h
+++ /dev/null
@@ -1,173 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef _SECDERT_H_
-#define _SECDERT_H_
-/*
- * secdert.h - public data structures for the DER encoding and
- *	       decoding utilities library
- *
- * $Id$
- */
-
-typedef struct DERTemplateStr DERTemplate;
-
-/*
-** An array of these structures defines an encoding for an object using DER.
-** The array usually starts with a dummy entry whose kind is DER_SEQUENCE;
-** such an array is terminated with an entry where kind == 0.  (An array
-** which consists of a single component does not require a second dummy
-** entry -- the array is only searched as long as previous component(s)
-** instruct it.)
-*/
-struct DERTemplateStr {
-    /*
-    ** Kind of item being decoded/encoded, including tags and modifiers.
-    */
-    unsigned long kind;
-
-    /*
-    ** Offset from base of structure to field that holds the value
-    ** being decoded/encoded.
-    */
-    unsigned int offset;
-
-    /*
-    ** When kind suggests it (DER_POINTER, DER_INDEFINITE, DER_INLINE),
-    ** this points to a sub-template for nested encoding/decoding.
-    */
-    DERTemplate *sub;
-
-    /*
-    ** Argument value, dependent on "kind" and/or template placement
-    ** within an array of templates:
-    **	- In the first element of a template array, the value is the
-    **	  size of the structure to allocate when this template is being
-    **	  referenced by another template via DER_POINTER or DER_INDEFINITE.
-    **  - In a component of a DER_SET or DER_SEQUENCE which is *not* a
-    **	  DER_UNIVERSAL type (that is, it has a class tag for either
-    **	  DER_APPLICATION, DER_CONTEXT_SPECIFIC, or DER_PRIVATE), the
-    **	  value is the underlying type of item being decoded/encoded.
-    */
-    unsigned long arg;
-};
-
-/************************************************************************/
-
-/* default chunksize for arenas used for DER stuff */
-#define DER_DEFAULT_CHUNKSIZE (2048)
-
-/*
-** BER/DER values for ASN.1 identifier octets.
-*/
-#define DER_TAG_MASK		0xff
-
-/*
- * BER/DER universal type tag numbers.
- * The values are defined by the X.208 standard; do not change them!
- * NOTE: if you add anything to this list, you must add code to derdec.c
- * to accept the tag, and probably also to derenc.c to encode it.
- */
-#define DER_TAGNUM_MASK		0x1f
-#define DER_BOOLEAN		0x01
-#define DER_INTEGER		0x02
-#define DER_BIT_STRING		0x03
-#define DER_OCTET_STRING	0x04
-#define DER_NULL		0x05
-#define DER_OBJECT_ID		0x06
-#define DER_SEQUENCE		0x10
-#define DER_SET			0x11
-#define DER_PRINTABLE_STRING	0x13
-#define DER_T61_STRING		0x14
-#define DER_IA5_STRING		0x16
-#define DER_UTC_TIME		0x17
-#define DER_VISIBLE_STRING	0x1a
-#define DER_HIGH_TAG_NUMBER	0x1f
-
-/*
-** Modifiers to type tags.  These are also specified by a/the
-** standard, and must not be changed.
-*/
-
-#define DER_METHOD_MASK		0x20
-#define DER_PRIMITIVE		0x00
-#define DER_CONSTRUCTED		0x20
-
-#define DER_CLASS_MASK		0xc0
-#define DER_UNIVERSAL		0x00
-#define DER_APPLICATION		0x40
-#define DER_CONTEXT_SPECIFIC	0x80
-#define DER_PRIVATE		0xc0
-
-/*
-** Our additions, used for templates.
-** These are not defined by any standard; the values are used internally only.
-** Just be careful to keep them out of the low 8 bits.
-*/
-#define DER_OPTIONAL		0x00100
-#define DER_EXPLICIT		0x00200
-#define DER_ANY			0x00400
-#define DER_INLINE		0x00800
-#define DER_POINTER		0x01000
-#define DER_INDEFINITE		0x02000
-#define DER_DERPTR		0x04000
-#define DER_SKIP		0x08000
-#define DER_FORCE		0x10000
-#define DER_OUTER		0x40000 /* for DER_DERPTR */
-
-/*
-** Macro to convert der decoded bit string into a decoded octet
-** string. All it needs to do is fiddle with the length code.
-*/
-#define DER_ConvertBitString(item)	  \
-{					  \
-    (item)->len = ((item)->len + 7) >> 3; \
-}
-
-extern DERTemplate SECAnyTemplate[];
-extern DERTemplate SECBitStringTemplate[];
-extern DERTemplate SECBooleanTemplate[];
-extern DERTemplate SECIA5StringTemplate[];
-extern DERTemplate SECIntegerTemplate[];
-extern DERTemplate SECNullTemplate[];
-extern DERTemplate SECObjectIDTemplate[];
-extern DERTemplate SECOctetStringTemplate[];
-extern DERTemplate SECPrintableStringTemplate[];
-extern DERTemplate SECT61StringTemplate[];
-extern DERTemplate SECUTCTimeTemplate[];
-extern DERTemplate SECAlgorithmIDTemplate[];
-
-#endif /* _SECDERT_H_ */
diff --git a/security/nss/lib/util/secdig.c b/security/nss/lib/util/secdig.c
deleted file mode 100644
index 263c8030f..000000000
--- a/security/nss/lib/util/secdig.c
+++ /dev/null
@@ -1,237 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-#include "secdig.h"
-
-#include "secoid.h"
-#include "secasn1.h" 
-#include "secerr.h"
-
-/*
- * XXX OLD Template.  Once all uses have been switched over to new one,
- * remove this.
- */
-DERTemplate SGNDigestInfoTemplate[] = {
-    { DER_SEQUENCE,
-	  0, NULL, sizeof(SGNDigestInfo) },
-    { DER_INLINE,
-	  offsetof(SGNDigestInfo,digestAlgorithm),
-	  SECAlgorithmIDTemplate, },
-    { DER_OCTET_STRING,
-	  offsetof(SGNDigestInfo,digest), },
-    { 0, }
-};
-
-/* XXX See comment below about SGN_DecodeDigestInfo -- keep this static! */
-/* XXX Changed from static -- need to change name? */
-const SEC_ASN1Template sgn_DigestInfoTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(SGNDigestInfo) },
-    { SEC_ASN1_INLINE,
-	  offsetof(SGNDigestInfo,digestAlgorithm),
-	  SECOID_AlgorithmIDTemplate },
-    { SEC_ASN1_OCTET_STRING,
-	  offsetof(SGNDigestInfo,digest) },
-    { 0 }
-};
-
-SEC_ASN1_CHOOSER_IMPLEMENT(sgn_DigestInfoTemplate)
-
-/*
- * XXX Want to have a SGN_DecodeDigestInfo, like:
- *	SGNDigestInfo *SGN_DecodeDigestInfo(SECItem *didata);
- * that creates a pool and allocates from it and decodes didata into
- * the newly allocated DigestInfo structure.  Then fix secvfy.c (it
- * will no longer need an arena itself) to call this and then call
- * DestroyDigestInfo when it is done, then can remove the old template
- * above and keep our new template static and "hidden".
- */
-
-/*
- * XXX It might be nice to combine the following two functions (create
- * and encode).  I think that is all anybody ever wants to do anyway.
- */
-
-SECItem *
-SGN_EncodeDigestInfo(PRArenaPool *poolp, SECItem *dest, SGNDigestInfo *diginfo)
-{
-    return SEC_ASN1EncodeItem (poolp, dest, diginfo, sgn_DigestInfoTemplate);
-}
-
-SGNDigestInfo *
-SGN_CreateDigestInfo(SECOidTag algorithm, unsigned char *sig, unsigned len)
-{
-    SGNDigestInfo *di;
-    SECStatus rv;
-    PRArenaPool *arena;
-    SECItem *null_param;
-    SECItem dummy_value;
-
-    switch (algorithm) {
-      case SEC_OID_MD2:
-      case SEC_OID_MD5:
-      case SEC_OID_SHA1:
-      case SEC_OID_SHA256:
-      case SEC_OID_SHA384:
-      case SEC_OID_SHA512:
-	break;
-      default:
-	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-	return NULL;
-    }
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) {
-	return NULL;
-    }
-
-    di = (SGNDigestInfo *) PORT_ArenaZAlloc(arena, sizeof(SGNDigestInfo));
-    if (di == NULL) {
-	PORT_FreeArena(arena, PR_FALSE);
-	return NULL;
-    }
-
-    di->arena = arena;
-
-    /*
-     * PKCS #1 specifies that the AlgorithmID must have a NULL parameter
-     * (as opposed to no parameter at all).
-     */
-    dummy_value.data = NULL;
-    dummy_value.len = 0;
-    null_param = SEC_ASN1EncodeItem(NULL, NULL, &dummy_value, SEC_NullTemplate);
-    if (null_param == NULL) {
-	goto loser;
-    }
-
-    rv = SECOID_SetAlgorithmID(arena, &di->digestAlgorithm, algorithm,
-			       null_param);
-
-    SECITEM_FreeItem(null_param, PR_TRUE);
-
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-
-    di->digest.data = (unsigned char *) PORT_ArenaAlloc(arena, len);
-    if (di->digest.data == NULL) {
-	goto loser;
-    }
-
-    di->digest.len = len;
-    PORT_Memcpy(di->digest.data, sig, len);
-    return di;
-
-  loser:
-    SGN_DestroyDigestInfo(di);
-    return NULL;
-}
-
-SGNDigestInfo *
-SGN_DecodeDigestInfo(SECItem *didata)
-{
-    PRArenaPool *arena;
-    SGNDigestInfo *di;
-    SECStatus rv = SECFailure;
-
-    arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
-    if(arena == NULL)
-	return NULL;
-
-    di = (SGNDigestInfo *)PORT_ArenaZAlloc(arena, sizeof(SGNDigestInfo));
-    if(di != NULL)
-    {
-	di->arena = arena;
-	rv = SEC_ASN1DecodeItem(arena, di, sgn_DigestInfoTemplate, didata);
-    }
-	
-    if((di == NULL) || (rv != SECSuccess))
-    {
-	PORT_FreeArena(arena, PR_TRUE);
-	di = NULL;
-    }
-
-    return di;
-}
-
-void
-SGN_DestroyDigestInfo(SGNDigestInfo *di)
-{
-    if (di && di->arena) {
-	PORT_FreeArena(di->arena, PR_FALSE);
-    }
-
-    return;
-}
-
-SECStatus 
-SGN_CopyDigestInfo(PRArenaPool *poolp, SGNDigestInfo *a, SGNDigestInfo *b)
-{
-    SECStatus rv;
-    void *mark;
-
-    if((poolp == NULL) || (a == NULL) || (b == NULL))
-	return SECFailure;
-
-    mark = PORT_ArenaMark(poolp);
-    a->arena = poolp;
-    rv = SECOID_CopyAlgorithmID(poolp, &a->digestAlgorithm, 
-	&b->digestAlgorithm);
-    if (rv == SECSuccess)
-	rv = SECITEM_CopyItem(poolp, &a->digest, &b->digest);
-
-    if (rv != SECSuccess) {
-	PORT_ArenaRelease(poolp, mark);
-    } else {
-	PORT_ArenaUnmark(poolp, mark);
-    }
-
-    return rv;
-}
-
-SECComparison
-SGN_CompareDigestInfo(SGNDigestInfo *a, SGNDigestInfo *b)
-{
-    SECComparison rv;
-
-    /* Check signature algorithm's */
-    rv = SECOID_CompareAlgorithmID(&a->digestAlgorithm, &b->digestAlgorithm);
-    if (rv) return rv;
-
-    /* Compare signature block length's */
-    rv = SECITEM_CompareItem(&a->digest, &b->digest);
-    return rv;
-}
diff --git a/security/nss/lib/util/secdig.h b/security/nss/lib/util/secdig.h
deleted file mode 100644
index f9bb77e17..000000000
--- a/security/nss/lib/util/secdig.h
+++ /dev/null
@@ -1,138 +0,0 @@
-/*
- * crypto.h - public data structures and prototypes for the crypto library
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#ifndef _SECDIG_H_
-#define _SECDIG_H_
-
-#include "secdigt.h"
-
-#include "seccomon.h"
-#include "secasn1t.h" 
-#include "secdert.h"
-
-SEC_BEGIN_PROTOS
-
-
-extern const SEC_ASN1Template sgn_DigestInfoTemplate[];
-
-SEC_ASN1_CHOOSER_DECLARE(sgn_DigestInfoTemplate)
-
-extern DERTemplate SGNDigestInfoTemplate[];
-
-
-/****************************************/
-/*
-** Digest-info functions
-*/
-
-/*
-** Create a new digest-info object
-** 	"algorithm" one of SEC_OID_MD2, SEC_OID_MD5, or SEC_OID_SHA1
-** 	"sig" the raw signature data (from MD2 or MD5)
-** 	"sigLen" the length of the signature data
-**
-** NOTE: this is a low level routine used to prepare some data for PKCS#1
-** digital signature formatting.
-**
-** XXX It might be nice to combine the create and encode functions.
-** I think that is all anybody ever wants to do anyway.
-*/
-extern SGNDigestInfo *SGN_CreateDigestInfo(SECOidTag algorithm,
-					   unsigned char *sig,
-					   unsigned int sigLen);
-
-/*
-** Destroy a digest-info object
-*/
-extern void SGN_DestroyDigestInfo(SGNDigestInfo *info);
-
-/*
-** Encode a digest-info object
-**	"poolp" is where to allocate the result from; it can be NULL in
-**		which case generic heap allocation (XP_ALLOC) will be used
-**	"dest" is where to store the result; it can be NULL, in which case
-**		it will be allocated (from poolp or heap, as explained above)
-**	"diginfo" is the object to be encoded
-** The return value is NULL if any error occurred, otherwise it is the
-** resulting SECItem (either allocated or the same as the "dest" parameter).
-**
-** XXX It might be nice to combine the create and encode functions.
-** I think that is all anybody ever wants to do anyway.
-*/
-extern SECItem *SGN_EncodeDigestInfo(PRArenaPool *poolp, SECItem *dest,
-				     SGNDigestInfo *diginfo);
-
-/*
-** Decode a DER encoded digest info objct.
-**  didata is thr source of the encoded digest.  
-** The return value is NULL if an error occurs.  Otherwise, a
-** digest info object which is allocated within it's own
-** pool is returned.  The digest info should be deleted
-** by later calling SGN_DestroyDigestInfo.
-*/
-extern SGNDigestInfo *SGN_DecodeDigestInfo(SECItem *didata);
-
-
-/*
-** Copy digest info.
-**  poolp is the arena to which the digest will be copied.
-**  a is the destination digest, it must be non-NULL.
-**  b is the source digest
-** This function is for copying digests.  It allows digests
-** to be copied into a specified pool.  If the digest is in
-** the same pool as other data, you do not want to delete
-** the digest by calling SGN_DestroyDigestInfo.  
-** A return value of SECFailure indicates an error.  A return
-** of SECSuccess indicates no error occured.
-*/
-extern SECStatus  SGN_CopyDigestInfo(PRArenaPool *poolp,
-					SGNDigestInfo *a, 
-					SGNDigestInfo *b);
-
-/*
-** Compare two digest-info objects, returning the difference between
-** them.
-*/
-extern SECComparison SGN_CompareDigestInfo(SGNDigestInfo *a, SGNDigestInfo *b);
-
-
-SEC_END_PROTOS
-
-#endif /* _SECDIG_H_ */
diff --git a/security/nss/lib/util/secdigt.h b/security/nss/lib/util/secdigt.h
deleted file mode 100644
index 5d99955db..000000000
--- a/security/nss/lib/util/secdigt.h
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * secdigt.h - public data structures for digestinfos from the util lib.
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id$ */
-
-#ifndef _SECDIGT_H_
-#define _SECDIGT_H_
-
-#include "plarena.h"
-#include "secoidt.h"
-#include "secitem.h"
-
-/*
-** A PKCS#1 digest-info object
-*/
-struct SGNDigestInfoStr {
-    PLArenaPool *  arena;
-    SECAlgorithmID digestAlgorithm;
-    SECItem        digest;
-};
-typedef struct SGNDigestInfoStr SGNDigestInfo;
-
-
-
-#endif /* _SECDIGT_H_ */
diff --git a/security/nss/lib/util/secerr.h b/security/nss/lib/util/secerr.h
deleted file mode 100644
index 2cc1bcef3..000000000
--- a/security/nss/lib/util/secerr.h
+++ /dev/null
@@ -1,213 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef __SEC_ERR_H_
-#define __SEC_ERR_H_
-
-
-#define SEC_ERROR_BASE				(-0x2000)
-#define SEC_ERROR_LIMIT				(SEC_ERROR_BASE + 1000)
-
-#define IS_SEC_ERROR(code) \
-    (((code) >= SEC_ERROR_BASE) && ((code) < SEC_ERROR_LIMIT))
-
-#ifndef NO_SECURITY_ERROR_ENUM
-typedef enum {
-SEC_ERROR_IO 				    =	SEC_ERROR_BASE + 0,
-SEC_ERROR_LIBRARY_FAILURE 		    =	SEC_ERROR_BASE + 1,
-SEC_ERROR_BAD_DATA 			    =	SEC_ERROR_BASE + 2,
-SEC_ERROR_OUTPUT_LEN 			    =	SEC_ERROR_BASE + 3,
-SEC_ERROR_INPUT_LEN 			    =	SEC_ERROR_BASE + 4,
-SEC_ERROR_INVALID_ARGS 			    =	SEC_ERROR_BASE + 5,
-SEC_ERROR_INVALID_ALGORITHM 		    =	SEC_ERROR_BASE + 6,
-SEC_ERROR_INVALID_AVA 			    =	SEC_ERROR_BASE + 7,
-SEC_ERROR_INVALID_TIME 			    =	SEC_ERROR_BASE + 8,
-SEC_ERROR_BAD_DER 			    =	SEC_ERROR_BASE + 9,
-SEC_ERROR_BAD_SIGNATURE 		    =	SEC_ERROR_BASE + 10,
-SEC_ERROR_EXPIRED_CERTIFICATE 		    =	SEC_ERROR_BASE + 11,
-SEC_ERROR_REVOKED_CERTIFICATE 		    =	SEC_ERROR_BASE + 12,
-SEC_ERROR_UNKNOWN_ISSUER 		    =	SEC_ERROR_BASE + 13,
-SEC_ERROR_BAD_KEY 			    =	SEC_ERROR_BASE + 14,
-SEC_ERROR_BAD_PASSWORD 			    =	SEC_ERROR_BASE + 15,
-SEC_ERROR_RETRY_PASSWORD 		    =	SEC_ERROR_BASE + 16,
-SEC_ERROR_NO_NODELOCK 			    =	SEC_ERROR_BASE + 17,
-SEC_ERROR_BAD_DATABASE 			    =	SEC_ERROR_BASE + 18,
-SEC_ERROR_NO_MEMORY 			    =	SEC_ERROR_BASE + 19,
-SEC_ERROR_UNTRUSTED_ISSUER 		    =	SEC_ERROR_BASE + 20,
-SEC_ERROR_UNTRUSTED_CERT 		    =	SEC_ERROR_BASE + 21,
-SEC_ERROR_DUPLICATE_CERT 		    =	(SEC_ERROR_BASE + 22),
-SEC_ERROR_DUPLICATE_CERT_NAME 		    =	(SEC_ERROR_BASE + 23),
-SEC_ERROR_ADDING_CERT 			    =	(SEC_ERROR_BASE + 24),
-SEC_ERROR_FILING_KEY 			    =	(SEC_ERROR_BASE + 25),
-SEC_ERROR_NO_KEY 			    =	(SEC_ERROR_BASE + 26),
-SEC_ERROR_CERT_VALID 			    =	(SEC_ERROR_BASE + 27),
-SEC_ERROR_CERT_NOT_VALID 		    =	(SEC_ERROR_BASE + 28),
-SEC_ERROR_CERT_NO_RESPONSE 		    =	(SEC_ERROR_BASE + 29),
-SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE 	    =	(SEC_ERROR_BASE + 30),
-SEC_ERROR_CRL_EXPIRED 			    =	(SEC_ERROR_BASE + 31),
-SEC_ERROR_CRL_BAD_SIGNATURE 		    =	(SEC_ERROR_BASE + 32),
-SEC_ERROR_CRL_INVALID 			    =	(SEC_ERROR_BASE + 33),
-SEC_ERROR_EXTENSION_VALUE_INVALID 	    = 	(SEC_ERROR_BASE + 34),
-SEC_ERROR_EXTENSION_NOT_FOUND 		    = 	(SEC_ERROR_BASE + 35),
-SEC_ERROR_CA_CERT_INVALID 		    = 	(SEC_ERROR_BASE + 36),
-SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID 	    = 	(SEC_ERROR_BASE + 37),
-SEC_ERROR_CERT_USAGES_INVALID 		    = 	(SEC_ERROR_BASE + 38),
-SEC_INTERNAL_ONLY 			    =	(SEC_ERROR_BASE + 39),
-SEC_ERROR_INVALID_KEY 			    =	(SEC_ERROR_BASE + 40),
-SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION 	    = 	(SEC_ERROR_BASE + 41),
-SEC_ERROR_OLD_CRL 			    =	(SEC_ERROR_BASE + 42),
-SEC_ERROR_NO_EMAIL_CERT 		    =	(SEC_ERROR_BASE + 43),
-SEC_ERROR_NO_RECIPIENT_CERTS_QUERY 	    =	(SEC_ERROR_BASE + 44),
-SEC_ERROR_NOT_A_RECIPIENT 		    =	(SEC_ERROR_BASE + 45),
-SEC_ERROR_PKCS7_KEYALG_MISMATCH 	    =	(SEC_ERROR_BASE + 46),
-SEC_ERROR_PKCS7_BAD_SIGNATURE 		    =	(SEC_ERROR_BASE + 47),
-SEC_ERROR_UNSUPPORTED_KEYALG 		    =	(SEC_ERROR_BASE + 48),
-SEC_ERROR_DECRYPTION_DISALLOWED 	    =	(SEC_ERROR_BASE + 49),
-/* Fortezza Alerts */
-XP_SEC_FORTEZZA_BAD_CARD 		    =	(SEC_ERROR_BASE + 50),
-XP_SEC_FORTEZZA_NO_CARD 		    =	(SEC_ERROR_BASE + 51),
-XP_SEC_FORTEZZA_NONE_SELECTED 		    =	(SEC_ERROR_BASE + 52),
-XP_SEC_FORTEZZA_MORE_INFO 		    =	(SEC_ERROR_BASE + 53),
-XP_SEC_FORTEZZA_PERSON_NOT_FOUND 	    =	(SEC_ERROR_BASE + 54),
-XP_SEC_FORTEZZA_NO_MORE_INFO 		    =	(SEC_ERROR_BASE + 55),
-XP_SEC_FORTEZZA_BAD_PIN 		    =	(SEC_ERROR_BASE + 56),
-XP_SEC_FORTEZZA_PERSON_ERROR 		    =	(SEC_ERROR_BASE + 57),
-SEC_ERROR_NO_KRL 			    =	(SEC_ERROR_BASE + 58),
-SEC_ERROR_KRL_EXPIRED 			    =	(SEC_ERROR_BASE + 59),
-SEC_ERROR_KRL_BAD_SIGNATURE 		    =	(SEC_ERROR_BASE + 60),
-SEC_ERROR_REVOKED_KEY 			    =	(SEC_ERROR_BASE + 61),
-SEC_ERROR_KRL_INVALID 			    =	(SEC_ERROR_BASE + 62),
-SEC_ERROR_NEED_RANDOM 			    =	(SEC_ERROR_BASE + 63),
-SEC_ERROR_NO_MODULE 			    =	(SEC_ERROR_BASE + 64),
-SEC_ERROR_NO_TOKEN 			    =	(SEC_ERROR_BASE + 65),
-SEC_ERROR_READ_ONLY 			    =	(SEC_ERROR_BASE + 66),
-SEC_ERROR_NO_SLOT_SELECTED 		    =	(SEC_ERROR_BASE + 67),
-SEC_ERROR_CERT_NICKNAME_COLLISION 	    =	(SEC_ERROR_BASE + 68),
-SEC_ERROR_KEY_NICKNAME_COLLISION 	    =	(SEC_ERROR_BASE + 69),
-SEC_ERROR_SAFE_NOT_CREATED 		    =	(SEC_ERROR_BASE + 70),
-SEC_ERROR_BAGGAGE_NOT_CREATED 		    =	(SEC_ERROR_BASE + 71),
-XP_JAVA_REMOVE_PRINCIPAL_ERROR 		    =	(SEC_ERROR_BASE + 72),
-XP_JAVA_DELETE_PRIVILEGE_ERROR 		    =	(SEC_ERROR_BASE + 73),
-XP_JAVA_CERT_NOT_EXISTS_ERROR 		    =	(SEC_ERROR_BASE + 74),
-SEC_ERROR_BAD_EXPORT_ALGORITHM 		    =	(SEC_ERROR_BASE + 75),
-SEC_ERROR_EXPORTING_CERTIFICATES 	    =	(SEC_ERROR_BASE + 76),
-SEC_ERROR_IMPORTING_CERTIFICATES 	    =	(SEC_ERROR_BASE + 77),
-SEC_ERROR_PKCS12_DECODING_PFX 		    =	(SEC_ERROR_BASE + 78),
-SEC_ERROR_PKCS12_INVALID_MAC 		    =	(SEC_ERROR_BASE + 79),
-SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM  =	(SEC_ERROR_BASE + 80),
-SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE =	(SEC_ERROR_BASE + 81),
-SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE 	    =	(SEC_ERROR_BASE + 82),
-SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM  = 	(SEC_ERROR_BASE + 83),
-SEC_ERROR_PKCS12_UNSUPPORTED_VERSION 	    =	(SEC_ERROR_BASE + 84),
-SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT =	(SEC_ERROR_BASE + 85),
-SEC_ERROR_PKCS12_CERT_COLLISION 	    =	(SEC_ERROR_BASE + 86),
-SEC_ERROR_USER_CANCELLED 		    =	(SEC_ERROR_BASE + 87),
-SEC_ERROR_PKCS12_DUPLICATE_DATA 	    =	(SEC_ERROR_BASE + 88),
-SEC_ERROR_MESSAGE_SEND_ABORTED 		    =	(SEC_ERROR_BASE + 89),
-SEC_ERROR_INADEQUATE_KEY_USAGE 		    =	(SEC_ERROR_BASE + 90),
-SEC_ERROR_INADEQUATE_CERT_TYPE 		    =	(SEC_ERROR_BASE + 91),
-SEC_ERROR_CERT_ADDR_MISMATCH 		    =	(SEC_ERROR_BASE + 92),
-SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY 	    =	(SEC_ERROR_BASE + 93),
-SEC_ERROR_PKCS12_IMPORTING_CERT_CHAIN 	    =	(SEC_ERROR_BASE + 94),
-SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME = (SEC_ERROR_BASE + 95),
-SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY 	    =	(SEC_ERROR_BASE + 96),
-SEC_ERROR_PKCS12_UNABLE_TO_WRITE 	    = 	(SEC_ERROR_BASE + 97),
-SEC_ERROR_PKCS12_UNABLE_TO_READ 	    =	(SEC_ERROR_BASE + 98),
-SEC_ERROR_PKCS12_KEY_DATABASE_NOT_INITIALIZED 	 = (SEC_ERROR_BASE + 99),
-SEC_ERROR_KEYGEN_FAIL 			    =	(SEC_ERROR_BASE + 100),
-SEC_ERROR_INVALID_PASSWORD 		    =	(SEC_ERROR_BASE + 101),
-SEC_ERROR_RETRY_OLD_PASSWORD 		    =	(SEC_ERROR_BASE + 102),
-SEC_ERROR_BAD_NICKNAME 			    =	(SEC_ERROR_BASE + 103),
-SEC_ERROR_NOT_FORTEZZA_ISSUER 		    = 	(SEC_ERROR_BASE + 104),
-SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY         =   (SEC_ERROR_BASE + 105),
-SEC_ERROR_JS_INVALID_MODULE_NAME 	    =	(SEC_ERROR_BASE + 106),
-SEC_ERROR_JS_INVALID_DLL 		    =	(SEC_ERROR_BASE + 107),
-SEC_ERROR_JS_ADD_MOD_FAILURE 		    =	(SEC_ERROR_BASE + 108),
-SEC_ERROR_JS_DEL_MOD_FAILURE 		    =	(SEC_ERROR_BASE + 109),
-SEC_ERROR_OLD_KRL 			    =	(SEC_ERROR_BASE + 110),
-SEC_ERROR_CKL_CONFLICT 			    =	(SEC_ERROR_BASE + 111),
-SEC_ERROR_CERT_NOT_IN_NAME_SPACE 	    =	(SEC_ERROR_BASE + 112),
-SEC_ERROR_KRL_NOT_YET_VALID 		    =	(SEC_ERROR_BASE + 113),
-SEC_ERROR_CRL_NOT_YET_VALID 		    =	(SEC_ERROR_BASE + 114),
-SEC_ERROR_UNKNOWN_CERT 			    =	(SEC_ERROR_BASE + 115),
-SEC_ERROR_UNKNOWN_SIGNER 		    =	(SEC_ERROR_BASE + 116),
-SEC_ERROR_CERT_BAD_ACCESS_LOCATION 	    =	(SEC_ERROR_BASE + 117),
-SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE 	    =	(SEC_ERROR_BASE + 118),
-SEC_ERROR_OCSP_BAD_HTTP_RESPONSE 	    =	(SEC_ERROR_BASE + 119),
-SEC_ERROR_OCSP_MALFORMED_REQUEST 	    =	(SEC_ERROR_BASE + 120),
-SEC_ERROR_OCSP_SERVER_ERROR 		    =	(SEC_ERROR_BASE + 121),
-SEC_ERROR_OCSP_TRY_SERVER_LATER 	    =	(SEC_ERROR_BASE + 122),
-SEC_ERROR_OCSP_REQUEST_NEEDS_SIG 	    =	(SEC_ERROR_BASE + 123),
-SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST 	    =	(SEC_ERROR_BASE + 124),
-SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS 	    =	(SEC_ERROR_BASE + 125),
-SEC_ERROR_OCSP_UNKNOWN_CERT 		    =	(SEC_ERROR_BASE + 126),
-SEC_ERROR_OCSP_NOT_ENABLED 		    =	(SEC_ERROR_BASE + 127),
-SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER 	    =	(SEC_ERROR_BASE + 128),
-SEC_ERROR_OCSP_MALFORMED_RESPONSE 	    =	(SEC_ERROR_BASE + 129),
-SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE 	    =	(SEC_ERROR_BASE + 130),
-SEC_ERROR_OCSP_FUTURE_RESPONSE 		    =	(SEC_ERROR_BASE + 131),
-SEC_ERROR_OCSP_OLD_RESPONSE 		    =	(SEC_ERROR_BASE + 132),
-/* smime stuff */
-SEC_ERROR_DIGEST_NOT_FOUND		    =	(SEC_ERROR_BASE + 133),
-SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE	    =	(SEC_ERROR_BASE + 134),
-SEC_ERROR_MODULE_STUCK			    =	(SEC_ERROR_BASE + 135),
-SEC_ERROR_BAD_TEMPLATE			    =	(SEC_ERROR_BASE + 136),
-SEC_ERROR_CRL_NOT_FOUND 		    =	(SEC_ERROR_BASE + 137),
-SEC_ERROR_REUSED_ISSUER_AND_SERIAL          =   (SEC_ERROR_BASE + 138),
-SEC_ERROR_BUSY                              =   (SEC_ERROR_BASE + 139),
-SEC_ERROR_EXTRA_INPUT                       =   (SEC_ERROR_BASE + 140),
-/* error codes used by elliptic curve code */
-SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE	    =	(SEC_ERROR_BASE + 141),
-SEC_ERROR_UNSUPPORTED_EC_POINT_FORM	    =	(SEC_ERROR_BASE + 142),
-SEC_ERROR_UNRECOGNIZED_OID		    =	(SEC_ERROR_BASE + 143),
-SEC_ERROR_OCSP_INVALID_SIGNING_CERT	    =   (SEC_ERROR_BASE + 144),
-/* new revocation errors */
-SEC_ERROR_REVOKED_CERTIFICATE_CRL	    =	(SEC_ERROR_BASE + 145),
-SEC_ERROR_REVOKED_CERTIFICATE_OCSP	    =	(SEC_ERROR_BASE + 146),
-SEC_ERROR_CRL_INVALID_VERSION               =	(SEC_ERROR_BASE + 147),
-SEC_ERROR_CRL_V1_CRITICAL_EXTENSION         =	(SEC_ERROR_BASE + 148),
-SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION    =	(SEC_ERROR_BASE + 149),
-SEC_ERROR_UNKNOWN_OBJECT_TYPE               =	(SEC_ERROR_BASE + 150),
-SEC_ERROR_INCOMPATIBLE_PKCS11               =	(SEC_ERROR_BASE + 151),
-SEC_ERROR_NO_EVENT                          = 	(SEC_ERROR_BASE + 152),
-SEC_ERROR_CRL_ALREADY_EXISTS                = 	(SEC_ERROR_BASE + 153),
-
-/* Add new error codes above here. */
-SEC_ERROR_END_OF_LIST 
-} SECErrorCodes;
-#endif /* NO_SECURITY_ERROR_ENUM */
-
-#endif /* __SEC_ERR_H_ */
diff --git a/security/nss/lib/util/secinit.c b/security/nss/lib/util/secinit.c
deleted file mode 100644
index c62d83a80..000000000
--- a/security/nss/lib/util/secinit.c
+++ /dev/null
@@ -1,53 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "nspr.h"
-#include "secport.h"
-
-static int sec_inited = 0;
-
-void 
-SEC_Init(void)
-{
-    /* PR_Init() must be called before SEC_Init() */
-#if !defined(SERVER_BUILD)
-    PORT_Assert(PR_Initialized() == PR_TRUE);
-#endif
-    if (sec_inited)
-	return;
-
-    sec_inited = 1;
-}
diff --git a/security/nss/lib/util/secitem.c b/security/nss/lib/util/secitem.c
deleted file mode 100644
index 71009143c..000000000
--- a/security/nss/lib/util/secitem.c
+++ /dev/null
@@ -1,313 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * Support routines for SECItem data structure.
- *
- * $Id$
- */
-
-#include "seccomon.h"
-#include "secitem.h"
-#include "base64.h"
-#include "secerr.h"
-
-SECItem *
-SECITEM_AllocItem(PRArenaPool *arena, SECItem *item, unsigned int len)
-{
-    SECItem *result = NULL;
-    void *mark = NULL;
-
-    if (arena != NULL) {
-	mark = PORT_ArenaMark(arena);
-    }
-
-    if (item == NULL) {
-	if (arena != NULL) {
-	    result = PORT_ArenaZAlloc(arena, sizeof(SECItem));
-	} else {
-	    result = PORT_ZAlloc(sizeof(SECItem));
-	}
-	if (result == NULL) {
-	    goto loser;
-	}
-    } else {
-	PORT_Assert(item->data == NULL);
-	result = item;
-    }
-
-    result->len = len;
-    if (len) {
-	if (arena != NULL) {
-	    result->data = PORT_ArenaAlloc(arena, len);
-	} else {
-	    result->data = PORT_Alloc(len);
-	}
-    }
-
-    if (mark) {
-	PORT_ArenaUnmark(arena, mark);
-    }
-    return(result);
-
-loser:
-    if ( arena != NULL ) {
-	if (mark) {
-	    PORT_ArenaRelease(arena, mark);
-	}
-	if (item != NULL) {
-	    item->data = NULL;
-	    item->len = 0;
-	}
-    } else {
-	if (result != NULL) {
-	    SECITEM_FreeItem(result, (item == NULL) ? PR_TRUE : PR_FALSE);
-	}
-    }
-    return(NULL);
-}
-
-SECStatus
-SECITEM_ReallocItem(PRArenaPool *arena, SECItem *item, unsigned int oldlen,
-		    unsigned int newlen)
-{
-    PORT_Assert(item != NULL);
-    if (item == NULL) {
-	/* XXX Set error.  But to what? */
-	return SECFailure;
-    }
-
-    /*
-     * If no old length, degenerate to just plain alloc.
-     */
-    if (oldlen == 0) {
-	PORT_Assert(item->data == NULL || item->len == 0);
-	if (newlen == 0) {
-	    /* Nothing to do.  Weird, but not a failure.  */
-	    return SECSuccess;
-	}
-	item->len = newlen;
-	if (arena != NULL) {
-	    item->data = PORT_ArenaAlloc(arena, newlen);
-	} else {
-	    item->data = PORT_Alloc(newlen);
-	}
-    } else {
-	if (arena != NULL) {
-	    item->data = PORT_ArenaGrow(arena, item->data, oldlen, newlen);
-	} else {
-	    item->data = PORT_Realloc(item->data, newlen);
-	}
-    }
-
-    if (item->data == NULL) {
-	return SECFailure;
-    }
-
-    return SECSuccess;
-}
-
-SECComparison
-SECITEM_CompareItem(const SECItem *a, const SECItem *b)
-{
-    unsigned m;
-    SECComparison rv;
-
-    if (!a || !a->len || !a->data) 
-        return (!b || !b->len || !b->data) ? SECEqual : SECLessThan;
-    if (!b || !b->len || !b->data) 
-    	return SECGreaterThan;
-
-    m = ( ( a->len < b->len ) ? a->len : b->len );
-    
-    rv = (SECComparison) PORT_Memcmp(a->data, b->data, m);
-    if (rv) {
-	return rv;
-    }
-    if (a->len < b->len) {
-	return SECLessThan;
-    }
-    if (a->len == b->len) {
-	return SECEqual;
-    }
-    return SECGreaterThan;
-}
-
-PRBool
-SECITEM_ItemsAreEqual(const SECItem *a, const SECItem *b)
-{
-    if (a->len != b->len)
-        return PR_FALSE;
-    if (!a->len)
-    	return PR_TRUE;
-    if (!a->data || !b->data) {
-        /* avoid null pointer crash. */
-	return (PRBool)(a->data == b->data);
-    }
-    return (PRBool)!PORT_Memcmp(a->data, b->data, a->len);
-}
-
-SECItem *
-SECITEM_DupItem(const SECItem *from)
-{
-    return SECITEM_ArenaDupItem(NULL, from);
-}
-
-SECItem *
-SECITEM_ArenaDupItem(PRArenaPool *arena, const SECItem *from)
-{
-    SECItem *to;
-    
-    if ( from == NULL ) {
-	return(NULL);
-    }
-    
-    if ( arena != NULL ) {
-	to = (SECItem *)PORT_ArenaAlloc(arena, sizeof(SECItem));
-    } else {
-	to = (SECItem *)PORT_Alloc(sizeof(SECItem));
-    }
-    if ( to == NULL ) {
-	return(NULL);
-    }
-
-    if ( arena != NULL ) {
-	to->data = (unsigned char *)PORT_ArenaAlloc(arena, from->len);
-    } else {
-	to->data = (unsigned char *)PORT_Alloc(from->len);
-    }
-    if ( to->data == NULL ) {
-	PORT_Free(to);
-	return(NULL);
-    }
-
-    to->len = from->len;
-    to->type = from->type;
-    if ( to->len ) {
-	PORT_Memcpy(to->data, from->data, to->len);
-    }
-    
-    return(to);
-}
-
-SECStatus
-SECITEM_CopyItem(PRArenaPool *arena, SECItem *to, const SECItem *from)
-{
-    to->type = from->type;
-    if (from->data && from->len) {
-	if ( arena ) {
-	    to->data = (unsigned char*) PORT_ArenaAlloc(arena, from->len);
-	} else {
-	    to->data = (unsigned char*) PORT_Alloc(from->len);
-	}
-	
-	if (!to->data) {
-	    return SECFailure;
-	}
-	PORT_Memcpy(to->data, from->data, from->len);
-	to->len = from->len;
-    } else {
-	to->data = 0;
-	to->len = 0;
-    }
-    return SECSuccess;
-}
-
-void
-SECITEM_FreeItem(SECItem *zap, PRBool freeit)
-{
-    if (zap) {
-	PORT_Free(zap->data);
-	zap->data = 0;
-	zap->len = 0;
-	if (freeit) {
-	    PORT_Free(zap);
-	}
-    }
-}
-
-void
-SECITEM_ZfreeItem(SECItem *zap, PRBool freeit)
-{
-    if (zap) {
-	PORT_ZFree(zap->data, zap->len);
-	zap->data = 0;
-	zap->len = 0;
-	if (freeit) {
-	    PORT_ZFree(zap, sizeof(SECItem));
-	}
-    }
-}
-/* these reroutines were taken from pkix oid.c, which is supposed to
- * replace this file some day */
-/*
- * This is the hash function.  We simply XOR the encoded form with
- * itself in sizeof(PLHashNumber)-byte chunks.  Improving this
- * routine is left as an excercise for the more mathematically
- * inclined student.
- */
-PLHashNumber PR_CALLBACK
-SECITEM_Hash ( const void *key)
-{
-    const SECItem *item = (const SECItem *)key;
-    PLHashNumber rv = 0;
-
-    PRUint8 *data = (PRUint8 *)item->data;
-    PRUint32 i;
-    PRUint8 *rvc = (PRUint8 *)&rv;
-
-    for( i = 0; i < item->len; i++ ) {
-        rvc[ i % sizeof(rv) ] ^= *data;
-        data++;
-    }
-
-    return rv;
-}
-
-/*
- * This is the key-compare function.  It simply does a lexical
- * comparison on the item data.  This does not result in
- * quite the same ordering as the "sequence of numbers" order,
- * but heck it's only used internally by the hash table anyway.
- */
-PRIntn PR_CALLBACK
-SECITEM_HashCompare ( const void *k1, const void *k2)
-{
-    const SECItem *i1 = (const SECItem *)k1;
-    const SECItem *i2 = (const SECItem *)k2;
-
-    return SECITEM_ItemsAreEqual(i1,i2);
-}
diff --git a/security/nss/lib/util/secitem.h b/security/nss/lib/util/secitem.h
deleted file mode 100644
index b73083f2b..000000000
--- a/security/nss/lib/util/secitem.h
+++ /dev/null
@@ -1,122 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef _SECITEM_H_
-#define _SECITEM_H_
-/*
- * secitem.h - public data structures and prototypes for handling
- *	       SECItems
- *
- * $Id$
- */
-
-#include "plarena.h"
-#include "plhash.h"
-#include "seccomon.h"
-
-SEC_BEGIN_PROTOS
-
-/*
-** Allocate an item.  If "arena" is not NULL, then allocate from there,
-** otherwise allocate from the heap.  If "item" is not NULL, allocate
-** only the data for the item, not the item itself.  The item structure
-** is allocated zero-filled; the data buffer is not zeroed.
-**
-** The resulting item is returned; NULL if any error occurs.
-**
-** XXX This probably should take a SECItemType, but since that is mostly
-** unused and our improved APIs (aka Stan) are looming, I left it out.
-*/
-extern SECItem *SECITEM_AllocItem(PRArenaPool *arena, SECItem *item,
-				  unsigned int len);
-
-/*
-** Reallocate the data for the specified "item".  If "arena" is not NULL,
-** then reallocate from there, otherwise reallocate from the heap.
-** In the case where oldlen is 0, the data is allocated (not reallocated).
-** In any case, "item" is expected to be a valid SECItem pointer;
-** SECFailure is returned if it is not.  If the allocation succeeds,
-** SECSuccess is returned.
-*/
-extern SECStatus SECITEM_ReallocItem(PRArenaPool *arena, SECItem *item,
-				     unsigned int oldlen, unsigned int newlen);
-
-/*
-** Compare two items returning the difference between them.
-*/
-extern SECComparison SECITEM_CompareItem(const SECItem *a, const SECItem *b);
-
-/*
-** Compare two items -- if they are the same, return true; otherwise false.
-*/
-extern PRBool SECITEM_ItemsAreEqual(const SECItem *a, const SECItem *b);
-
-/*
-** Copy "from" to "to"
-*/
-extern SECStatus SECITEM_CopyItem(PRArenaPool *arena, SECItem *to, 
-                                  const SECItem *from);
-
-/*
-** Allocate an item and copy "from" into it.
-*/
-extern SECItem *SECITEM_DupItem(const SECItem *from);
-
-/*
-** Allocate an item and copy "from" into it.  The item itself and the 
-** data it points to are both allocated from the arena.  If arena is
-** NULL, this function is equivalent to SECITEM_DupItem.
-*/
-extern SECItem *SECITEM_ArenaDupItem(PRArenaPool *arena, const SECItem *from);
-
-/*
-** Free "zap". If freeit is PR_TRUE then "zap" itself is freed.
-*/
-extern void SECITEM_FreeItem(SECItem *zap, PRBool freeit);
-
-/*
-** Zero and then free "zap". If freeit is PR_TRUE then "zap" itself is freed.
-*/
-extern void SECITEM_ZfreeItem(SECItem *zap, PRBool freeit);
-
-PLHashNumber PR_CALLBACK SECITEM_Hash ( const void *key);
-
-PRIntn PR_CALLBACK SECITEM_HashCompare ( const void *k1, const void *k2);
-
-
-SEC_END_PROTOS
-
-#endif /* _SECITEM_H_ */
diff --git a/security/nss/lib/util/secoid.c b/security/nss/lib/util/secoid.c
deleted file mode 100644
index 550f09b4f..000000000
--- a/security/nss/lib/util/secoid.c
+++ /dev/null
@@ -1,1848 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "secoid.h"
-#include "pkcs11t.h"
-#include "secmodt.h"
-#include "secitem.h"
-#include "secerr.h"
-#include "plhash.h"
-#include "nssrwlk.h"
-
-/* MISSI Mosaic Object ID space */
-#define USGOV                   0x60, 0x86, 0x48, 0x01, 0x65
-#define MISSI	                USGOV, 0x02, 0x01, 0x01
-#define MISSI_OLD_KEA_DSS	MISSI, 0x0c
-#define MISSI_OLD_DSS		MISSI, 0x02
-#define MISSI_KEA_DSS		MISSI, 0x14
-#define MISSI_DSS		MISSI, 0x13
-#define MISSI_KEA               MISSI, 0x0a
-#define MISSI_ALT_KEA           MISSI, 0x16
-
-#define NISTALGS    USGOV, 3, 4
-#define AES         NISTALGS, 1
-#define SHAXXX      NISTALGS, 2
-
-/**
- ** The Netscape OID space is allocated by Terry Hayes.  If you need
- ** a piece of the space, contact him at thayes@netscape.com.
- **/
-
-/* Netscape Communications Corporation Object ID space */
-/* { 2 16 840 1 113730 } */
-#define NETSCAPE_OID	          0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42
-#define NETSCAPE_CERT_EXT 	  NETSCAPE_OID, 0x01
-#define NETSCAPE_DATA_TYPE 	  NETSCAPE_OID, 0x02
-/* netscape directory oid - owned by Mark Smith (mcs@netscape.com) */
-#define NETSCAPE_DIRECTORY 	  NETSCAPE_OID, 0x03
-#define NETSCAPE_POLICY 	  NETSCAPE_OID, 0x04
-#define NETSCAPE_CERT_SERVER 	  NETSCAPE_OID, 0x05
-#define NETSCAPE_ALGS 		  NETSCAPE_OID, 0x06 /* algorithm OIDs */
-#define NETSCAPE_NAME_COMPONENTS  NETSCAPE_OID, 0x07
-
-#define NETSCAPE_CERT_EXT_AIA     NETSCAPE_CERT_EXT, 0x10
-#define NETSCAPE_CERT_SERVER_CRMF NETSCAPE_CERT_SERVER, 0x01
-
-/* these are old and should go away soon */
-#define OLD_NETSCAPE		0x60, 0x86, 0x48, 0xd8, 0x6a
-#define NS_CERT_EXT		OLD_NETSCAPE, 0x01
-#define NS_FILE_TYPE		OLD_NETSCAPE, 0x02
-#define NS_IMAGE_TYPE		OLD_NETSCAPE, 0x03
-
-/* RSA OID name space */
-#define RSADSI			0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d
-#define PKCS			RSADSI, 0x01
-#define DIGEST			RSADSI, 0x02
-#define CIPHER			RSADSI, 0x03
-#define PKCS1			PKCS, 0x01
-#define PKCS5			PKCS, 0x05
-#define PKCS7			PKCS, 0x07
-#define PKCS9			PKCS, 0x09
-#define PKCS12			PKCS, 0x0c
-
-/* Fortezza algorithm OID space: { 2 16 840 1 101 2 1 1 } */
-/* ### mwelch -- Is this just for algorithms, or all of Fortezza? */
-#define FORTEZZA_ALG 0x60, 0x86, 0x48, 0x01, 0x65, 0x02, 0x01, 0x01
-
-/* Other OID name spaces */
-#define ALGORITHM		0x2b, 0x0e, 0x03, 0x02
-#define X500			0x55
-#define X520_ATTRIBUTE_TYPE	X500, 0x04
-#define X500_ALG		X500, 0x08
-#define X500_ALG_ENCRYPTION	X500_ALG, 0x01
-
-/** X.509 v3 Extension OID 
- ** {joint-iso-ccitt (2) ds(5) 29}
- **/
-#define	ID_CE_OID 		X500, 0x1d
-
-#define RFC1274_ATTR_TYPE  0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x1
-/* #define RFC2247_ATTR_TYPE  0x09, 0x92, 0x26, 0xf5, 0x98, 0x1e, 0x64, 0x1 this is WRONG! */
-
-/* PKCS #12 name spaces */
-#define PKCS12_MODE_IDS		PKCS12, 0x01
-#define PKCS12_ESPVK_IDS	PKCS12, 0x02
-#define PKCS12_BAG_IDS		PKCS12, 0x03
-#define PKCS12_CERT_BAG_IDS	PKCS12, 0x04
-#define PKCS12_OIDS		PKCS12, 0x05
-#define PKCS12_PBE_IDS		PKCS12_OIDS, 0x01
-#define PKCS12_ENVELOPING_IDS	PKCS12_OIDS, 0x02
-#define PKCS12_SIGNATURE_IDS	PKCS12_OIDS, 0x03
-#define PKCS12_V2_PBE_IDS	PKCS12, 0x01
-#define PKCS9_CERT_TYPES	PKCS9, 0x16
-#define PKCS9_CRL_TYPES		PKCS9, 0x17
-#define PKCS9_SMIME_IDS		PKCS9, 0x10
-#define PKCS9_SMIME_ATTRS	PKCS9_SMIME_IDS, 2
-#define PKCS9_SMIME_ALGS	PKCS9_SMIME_IDS, 3
-#define PKCS12_VERSION1		PKCS12, 0x0a
-#define PKCS12_V1_BAG_IDS	PKCS12_VERSION1, 1
-
-/* for DSA algorithm */
-/* { iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) } */
-#define ANSI_X9_ALGORITHM  0x2a, 0x86, 0x48, 0xce, 0x38, 0x4
-
-/* for DH algorithm */
-/* { iso(1) member-body(2) us(840) x9-57(10046) number-type(2) } */
-/* need real OID person to look at this, copied the above line
- * and added 6 to second to last value (and changed '4' to '2' */
-#define ANSI_X942_ALGORITHM  0x2a, 0x86, 0x48, 0xce, 0x3e, 0x2
-
-#define VERISIGN 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x45
-
-#define PKIX 			0x2b, 0x06, 0x01, 0x05, 0x05, 0x07
-#define PKIX_CERT_EXTENSIONS    PKIX, 1
-#define PKIX_POLICY_QUALIFIERS  PKIX, 2
-#define PKIX_KEY_USAGE 		PKIX, 3
-#define PKIX_ACCESS_DESCRIPTION PKIX, 0x30
-#define PKIX_OCSP 		PKIX_ACCESS_DESCRIPTION, 1
-#define PKIX_CA_ISSUERS		PKIX_ACCESS_DESCRIPTION, 2
-
-#define PKIX_ID_PKIP     	PKIX, 5
-#define PKIX_ID_REGCTRL  	PKIX_ID_PKIP, 1 
-#define PKIX_ID_REGINFO  	PKIX_ID_PKIP, 2
-
-/* Microsoft Object ID space */
-/* { 1.3.6.1.4.1.311 } */
-#define MICROSOFT_OID 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37
-
-#define CERTICOM_OID            0x2b, 0x81, 0x04
-#define SECG_OID                CERTICOM_OID, 0x00
-
-#define ANSI_X962_OID           0x2a, 0x86, 0x48, 0xce, 0x3d
-#define ANSI_X962_CURVE_OID     ANSI_X962_OID, 0x03
-#define ANSI_X962_GF2m_OID      ANSI_X962_CURVE_OID, 0x00
-#define ANSI_X962_GFp_OID       ANSI_X962_CURVE_OID, 0x01
-
-#define CONST_OID static const unsigned char
-
-CONST_OID md2[]        				= { DIGEST, 0x02 };
-CONST_OID md4[]        				= { DIGEST, 0x04 };
-CONST_OID md5[]        				= { DIGEST, 0x05 };
-
-CONST_OID rc2cbc[]     				= { CIPHER, 0x02 };
-CONST_OID rc4[]        				= { CIPHER, 0x04 };
-CONST_OID desede3cbc[] 				= { CIPHER, 0x07 };
-CONST_OID rc5cbcpad[]  				= { CIPHER, 0x09 };
-
-CONST_OID desecb[]                           = { ALGORITHM, 0x06 };
-CONST_OID descbc[]                           = { ALGORITHM, 0x07 };
-CONST_OID desofb[]                           = { ALGORITHM, 0x08 };
-CONST_OID descfb[]                           = { ALGORITHM, 0x09 };
-CONST_OID desmac[]                           = { ALGORITHM, 0x0a };
-CONST_OID sdn702DSASignature[]               = { ALGORITHM, 0x0c };
-CONST_OID isoSHAWithRSASignature[]           = { ALGORITHM, 0x0f };
-CONST_OID desede[]                           = { ALGORITHM, 0x11 };
-CONST_OID sha1[]                             = { ALGORITHM, 0x1a };
-CONST_OID bogusDSASignaturewithSHA1Digest[]  = { ALGORITHM, 0x1b };
-
-CONST_OID pkcs1RSAEncryption[]         		= { PKCS1, 0x01 };
-CONST_OID pkcs1MD2WithRSAEncryption[]  		= { PKCS1, 0x02 };
-CONST_OID pkcs1MD4WithRSAEncryption[]  		= { PKCS1, 0x03 };
-CONST_OID pkcs1MD5WithRSAEncryption[]  		= { PKCS1, 0x04 };
-CONST_OID pkcs1SHA1WithRSAEncryption[] 		= { PKCS1, 0x05 };
-CONST_OID pkcs1SHA256WithRSAEncryption[] 	= { PKCS1, 11 };
-CONST_OID pkcs1SHA384WithRSAEncryption[] 	= { PKCS1, 12 };
-CONST_OID pkcs1SHA512WithRSAEncryption[] 	= { PKCS1, 13 };
-
-CONST_OID pkcs5PbeWithMD2AndDEScbc[]  		= { PKCS5, 0x01 };
-CONST_OID pkcs5PbeWithMD5AndDEScbc[]  		= { PKCS5, 0x03 };
-CONST_OID pkcs5PbeWithSha1AndDEScbc[] 		= { PKCS5, 0x0a };
-
-CONST_OID pkcs7[]                     		= { PKCS7 };
-CONST_OID pkcs7Data[]                 		= { PKCS7, 0x01 };
-CONST_OID pkcs7SignedData[]           		= { PKCS7, 0x02 };
-CONST_OID pkcs7EnvelopedData[]        		= { PKCS7, 0x03 };
-CONST_OID pkcs7SignedEnvelopedData[]  		= { PKCS7, 0x04 };
-CONST_OID pkcs7DigestedData[]         		= { PKCS7, 0x05 };
-CONST_OID pkcs7EncryptedData[]        		= { PKCS7, 0x06 };
-
-CONST_OID pkcs9EmailAddress[]                  = { PKCS9, 0x01 };
-CONST_OID pkcs9UnstructuredName[]              = { PKCS9, 0x02 };
-CONST_OID pkcs9ContentType[]                   = { PKCS9, 0x03 };
-CONST_OID pkcs9MessageDigest[]                 = { PKCS9, 0x04 };
-CONST_OID pkcs9SigningTime[]                   = { PKCS9, 0x05 };
-CONST_OID pkcs9CounterSignature[]              = { PKCS9, 0x06 };
-CONST_OID pkcs9ChallengePassword[]             = { PKCS9, 0x07 };
-CONST_OID pkcs9UnstructuredAddress[]           = { PKCS9, 0x08 };
-CONST_OID pkcs9ExtendedCertificateAttributes[] = { PKCS9, 0x09 };
-CONST_OID pkcs9ExtensionRequest[]              = { PKCS9, 14 };
-CONST_OID pkcs9SMIMECapabilities[]             = { PKCS9, 15 };
-CONST_OID pkcs9FriendlyName[]                  = { PKCS9, 20 };
-CONST_OID pkcs9LocalKeyID[]                    = { PKCS9, 21 };
-
-CONST_OID pkcs9X509Certificate[]        	= { PKCS9_CERT_TYPES, 1 };
-CONST_OID pkcs9SDSICertificate[]        	= { PKCS9_CERT_TYPES, 2 };
-CONST_OID pkcs9X509CRL[]                	= { PKCS9_CRL_TYPES, 1 };
-
-/* RFC2630 (CMS) OIDs */
-CONST_OID cmsESDH[]     			= { PKCS9_SMIME_ALGS, 5 };
-CONST_OID cms3DESwrap[] 			= { PKCS9_SMIME_ALGS, 6 };
-CONST_OID cmsRC2wrap[]  			= { PKCS9_SMIME_ALGS, 7 };
-
-/* RFC2633 SMIME message attributes */
-CONST_OID smimeEncryptionKeyPreference[] 	= { PKCS9_SMIME_ATTRS, 11 };
-CONST_OID ms_smimeEncryptionKeyPreference[] 	= { MICROSOFT_OID, 0x10, 0x4 };
-
-CONST_OID x520CommonName[]                      = { X520_ATTRIBUTE_TYPE, 3 };
-CONST_OID x520SurName[]                         = { X520_ATTRIBUTE_TYPE, 4 };
-CONST_OID x520SerialNumber[]                    = { X520_ATTRIBUTE_TYPE, 5 };
-CONST_OID x520CountryName[]                     = { X520_ATTRIBUTE_TYPE, 6 };
-CONST_OID x520LocalityName[]                    = { X520_ATTRIBUTE_TYPE, 7 };
-CONST_OID x520StateOrProvinceName[]             = { X520_ATTRIBUTE_TYPE, 8 };
-CONST_OID x520StreetAddress[]                   = { X520_ATTRIBUTE_TYPE, 9 };
-CONST_OID x520OrgName[]                         = { X520_ATTRIBUTE_TYPE, 10 };
-CONST_OID x520OrgUnitName[]                     = { X520_ATTRIBUTE_TYPE, 11 };
-CONST_OID x520Title[]                           = { X520_ATTRIBUTE_TYPE, 12 };
-CONST_OID x520PostalAddress[]                   = { X520_ATTRIBUTE_TYPE, 16 };
-CONST_OID x520PostalCode[]                      = { X520_ATTRIBUTE_TYPE, 17 };
-CONST_OID x520PostOfficeBox[]                   = { X520_ATTRIBUTE_TYPE, 18 };
-CONST_OID x520GivenName[]                       = { X520_ATTRIBUTE_TYPE, 42 };
-CONST_OID x520Initials[]                        = { X520_ATTRIBUTE_TYPE, 43 };
-CONST_OID x520GenerationQualifier[]             = { X520_ATTRIBUTE_TYPE, 44 };
-CONST_OID x520DnQualifier[]                     = { X520_ATTRIBUTE_TYPE, 46 };
-CONST_OID x520HouseIdentifier[]                 = { X520_ATTRIBUTE_TYPE, 51 };
-CONST_OID x520Pseudonym[]                       = { X520_ATTRIBUTE_TYPE, 65 };
-
-CONST_OID nsTypeGIF[]          			= { NETSCAPE_DATA_TYPE, 0x01 };
-CONST_OID nsTypeJPEG[]         			= { NETSCAPE_DATA_TYPE, 0x02 };
-CONST_OID nsTypeURL[]          			= { NETSCAPE_DATA_TYPE, 0x03 };
-CONST_OID nsTypeHTML[]         			= { NETSCAPE_DATA_TYPE, 0x04 };
-CONST_OID nsTypeCertSeq[]      			= { NETSCAPE_DATA_TYPE, 0x05 };
-
-CONST_OID missiCertKEADSSOld[] 			= { MISSI_OLD_KEA_DSS };
-CONST_OID missiCertDSSOld[]    			= { MISSI_OLD_DSS };
-CONST_OID missiCertKEADSS[]    			= { MISSI_KEA_DSS };
-CONST_OID missiCertDSS[]       			= { MISSI_DSS };
-CONST_OID missiCertKEA[]       			= { MISSI_KEA };
-CONST_OID missiCertAltKEA[]    			= { MISSI_ALT_KEA };
-CONST_OID x500RSAEncryption[]  			= { X500_ALG_ENCRYPTION, 0x01 };
-
-/* added for alg 1485 */
-CONST_OID rfc1274Uid[]             		= { RFC1274_ATTR_TYPE, 1 };
-CONST_OID rfc1274Mail[]            		= { RFC1274_ATTR_TYPE, 3 };
-CONST_OID rfc2247DomainComponent[] 		= { RFC1274_ATTR_TYPE, 25 };
-
-/* Netscape private certificate extensions */
-CONST_OID nsCertExtNetscapeOK[]  		= { NS_CERT_EXT, 1 };
-CONST_OID nsCertExtIssuerLogo[]  		= { NS_CERT_EXT, 2 };
-CONST_OID nsCertExtSubjectLogo[] 		= { NS_CERT_EXT, 3 };
-CONST_OID nsExtCertType[]        		= { NETSCAPE_CERT_EXT, 0x01 };
-CONST_OID nsExtBaseURL[]         		= { NETSCAPE_CERT_EXT, 0x02 };
-CONST_OID nsExtRevocationURL[]   		= { NETSCAPE_CERT_EXT, 0x03 };
-CONST_OID nsExtCARevocationURL[] 		= { NETSCAPE_CERT_EXT, 0x04 };
-CONST_OID nsExtCACRLURL[]        		= { NETSCAPE_CERT_EXT, 0x05 };
-CONST_OID nsExtCACertURL[]       		= { NETSCAPE_CERT_EXT, 0x06 };
-CONST_OID nsExtCertRenewalURL[]  		= { NETSCAPE_CERT_EXT, 0x07 };
-CONST_OID nsExtCAPolicyURL[]     		= { NETSCAPE_CERT_EXT, 0x08 };
-CONST_OID nsExtHomepageURL[]     		= { NETSCAPE_CERT_EXT, 0x09 };
-CONST_OID nsExtEntityLogo[]      		= { NETSCAPE_CERT_EXT, 0x0a };
-CONST_OID nsExtUserPicture[]     		= { NETSCAPE_CERT_EXT, 0x0b };
-CONST_OID nsExtSSLServerName[]   		= { NETSCAPE_CERT_EXT, 0x0c };
-CONST_OID nsExtComment[]         		= { NETSCAPE_CERT_EXT, 0x0d };
-
-/* the following 2 extensions are defined for and used by Cartman(NSM) */
-CONST_OID nsExtLostPasswordURL[] 		= { NETSCAPE_CERT_EXT, 0x0e };
-CONST_OID nsExtCertRenewalTime[] 		= { NETSCAPE_CERT_EXT, 0x0f };
-
-CONST_OID nsExtAIACertRenewal[]    	= { NETSCAPE_CERT_EXT_AIA, 0x01 };
-CONST_OID nsExtCertScopeOfUse[]    	= { NETSCAPE_CERT_EXT, 0x11 };
-/* Reserved Netscape (2 16 840 1 113730 1 18) = { NETSCAPE_CERT_EXT, 0x12 }; */
-
-/* Netscape policy values */
-CONST_OID nsKeyUsageGovtApproved[] 	= { NETSCAPE_POLICY, 0x01 };
-
-/* Netscape other name types */
-CONST_OID netscapeNickname[] 		= { NETSCAPE_NAME_COMPONENTS, 0x01 };
-CONST_OID netscapeAOLScreenname[] 	= { NETSCAPE_NAME_COMPONENTS, 0x02 };
-
-/* OIDs needed for cert server */
-CONST_OID netscapeRecoveryRequest[] 	= { NETSCAPE_CERT_SERVER_CRMF, 0x01 };
-
-
-/* Standard x.509 v3 Certificate Extensions */
-CONST_OID x509SubjectDirectoryAttr[]  		= { ID_CE_OID,  9 };
-CONST_OID x509SubjectKeyID[]          		= { ID_CE_OID, 14 };
-CONST_OID x509KeyUsage[]              		= { ID_CE_OID, 15 };
-CONST_OID x509PrivateKeyUsagePeriod[] 		= { ID_CE_OID, 16 };
-CONST_OID x509SubjectAltName[]        		= { ID_CE_OID, 17 };
-CONST_OID x509IssuerAltName[]         		= { ID_CE_OID, 18 };
-CONST_OID x509BasicConstraints[]      		= { ID_CE_OID, 19 };
-CONST_OID x509NameConstraints[]       		= { ID_CE_OID, 30 };
-CONST_OID x509CRLDistPoints[]         		= { ID_CE_OID, 31 };
-CONST_OID x509CertificatePolicies[]   		= { ID_CE_OID, 32 };
-CONST_OID x509PolicyMappings[]        		= { ID_CE_OID, 33 };
-CONST_OID x509PolicyConstraints[]     		= { ID_CE_OID, 34 };
-CONST_OID x509AuthKeyID[]             		= { ID_CE_OID, 35 };
-CONST_OID x509ExtKeyUsage[]           		= { ID_CE_OID, 37 };
-CONST_OID x509AuthInfoAccess[]        		= { PKIX_CERT_EXTENSIONS, 1 };
-
-/* Standard x.509 v3 CRL Extensions */
-CONST_OID x509CrlNumber[]                    	= { ID_CE_OID, 20};
-CONST_OID x509ReasonCode[]                   	= { ID_CE_OID, 21};
-CONST_OID x509InvalidDate[]                  	= { ID_CE_OID, 24};
-
-/* pkcs 12 additions */
-CONST_OID pkcs12[]                           = { PKCS12 };
-CONST_OID pkcs12ModeIDs[]                    = { PKCS12_MODE_IDS };
-CONST_OID pkcs12ESPVKIDs[]                   = { PKCS12_ESPVK_IDS };
-CONST_OID pkcs12BagIDs[]                     = { PKCS12_BAG_IDS };
-CONST_OID pkcs12CertBagIDs[]                 = { PKCS12_CERT_BAG_IDS };
-CONST_OID pkcs12OIDs[]                       = { PKCS12_OIDS };
-CONST_OID pkcs12PBEIDs[]                     = { PKCS12_PBE_IDS };
-CONST_OID pkcs12EnvelopingIDs[]              = { PKCS12_ENVELOPING_IDS };
-CONST_OID pkcs12SignatureIDs[]               = { PKCS12_SIGNATURE_IDS };
-CONST_OID pkcs12PKCS8KeyShrouding[]          = { PKCS12_ESPVK_IDS, 0x01 };
-CONST_OID pkcs12KeyBagID[]                   = { PKCS12_BAG_IDS, 0x01 };
-CONST_OID pkcs12CertAndCRLBagID[]            = { PKCS12_BAG_IDS, 0x02 };
-CONST_OID pkcs12SecretBagID[]                = { PKCS12_BAG_IDS, 0x03 };
-CONST_OID pkcs12X509CertCRLBag[]             = { PKCS12_CERT_BAG_IDS, 0x01 };
-CONST_OID pkcs12SDSICertBag[]                = { PKCS12_CERT_BAG_IDS, 0x02 };
-CONST_OID pkcs12PBEWithSha1And128BitRC4[]    = { PKCS12_PBE_IDS, 0x01 };
-CONST_OID pkcs12PBEWithSha1And40BitRC4[]     = { PKCS12_PBE_IDS, 0x02 };
-CONST_OID pkcs12PBEWithSha1AndTripleDESCBC[] = { PKCS12_PBE_IDS, 0x03 };
-CONST_OID pkcs12PBEWithSha1And128BitRC2CBC[] = { PKCS12_PBE_IDS, 0x04 };
-CONST_OID pkcs12PBEWithSha1And40BitRC2CBC[]  = { PKCS12_PBE_IDS, 0x05 };
-CONST_OID pkcs12RSAEncryptionWith128BitRC4[] = { PKCS12_ENVELOPING_IDS, 0x01 };
-CONST_OID pkcs12RSAEncryptionWith40BitRC4[]  = { PKCS12_ENVELOPING_IDS, 0x02 };
-CONST_OID pkcs12RSAEncryptionWithTripleDES[] = { PKCS12_ENVELOPING_IDS, 0x03 }; 
-CONST_OID pkcs12RSASignatureWithSHA1Digest[] = { PKCS12_SIGNATURE_IDS, 0x01 };
-
-/* pkcs 12 version 1.0 ids */
-CONST_OID pkcs12V2PBEWithSha1And128BitRC4[]       = { PKCS12_V2_PBE_IDS, 0x01 };
-CONST_OID pkcs12V2PBEWithSha1And40BitRC4[]        = { PKCS12_V2_PBE_IDS, 0x02 };
-CONST_OID pkcs12V2PBEWithSha1And3KeyTripleDEScbc[]= { PKCS12_V2_PBE_IDS, 0x03 };
-CONST_OID pkcs12V2PBEWithSha1And2KeyTripleDEScbc[]= { PKCS12_V2_PBE_IDS, 0x04 };
-CONST_OID pkcs12V2PBEWithSha1And128BitRC2cbc[]    = { PKCS12_V2_PBE_IDS, 0x05 };
-CONST_OID pkcs12V2PBEWithSha1And40BitRC2cbc[]     = { PKCS12_V2_PBE_IDS, 0x06 };
-
-CONST_OID pkcs12SafeContentsID[]                  = { PKCS12_BAG_IDS, 0x04 };
-CONST_OID pkcs12PKCS8ShroudedKeyBagID[]           = { PKCS12_BAG_IDS, 0x05 };
-
-CONST_OID pkcs12V1KeyBag[]              	= { PKCS12_V1_BAG_IDS, 0x01 };
-CONST_OID pkcs12V1PKCS8ShroudedKeyBag[] 	= { PKCS12_V1_BAG_IDS, 0x02 };
-CONST_OID pkcs12V1CertBag[]             	= { PKCS12_V1_BAG_IDS, 0x03 };
-CONST_OID pkcs12V1CRLBag[]              	= { PKCS12_V1_BAG_IDS, 0x04 };
-CONST_OID pkcs12V1SecretBag[]           	= { PKCS12_V1_BAG_IDS, 0x05 };
-CONST_OID pkcs12V1SafeContentsBag[]     	= { PKCS12_V1_BAG_IDS, 0x06 };
-
-CONST_OID pkcs12KeyUsageAttr[]          	= { 2, 5, 29, 15 };
-
-CONST_OID ansix9DSASignature[]               	= { ANSI_X9_ALGORITHM, 0x01 };
-CONST_OID ansix9DSASignaturewithSHA1Digest[] 	= { ANSI_X9_ALGORITHM, 0x03 };
-
-/* verisign OIDs */
-CONST_OID verisignUserNotices[]     		= { VERISIGN, 1, 7, 1, 1 };
-
-/* pkix OIDs */
-CONST_OID pkixCPSPointerQualifier[] 		= { PKIX_POLICY_QUALIFIERS, 1 };
-CONST_OID pkixUserNoticeQualifier[] 		= { PKIX_POLICY_QUALIFIERS, 2 };
-
-CONST_OID pkixOCSP[]				= { PKIX_OCSP };
-CONST_OID pkixOCSPBasicResponse[]		= { PKIX_OCSP, 1 };
-CONST_OID pkixOCSPNonce[]			= { PKIX_OCSP, 2 };
-CONST_OID pkixOCSPCRL[] 			= { PKIX_OCSP, 3 };
-CONST_OID pkixOCSPResponse[]			= { PKIX_OCSP, 4 };
-CONST_OID pkixOCSPNoCheck[]			= { PKIX_OCSP, 5 };
-CONST_OID pkixOCSPArchiveCutoff[]		= { PKIX_OCSP, 6 };
-CONST_OID pkixOCSPServiceLocator[]		= { PKIX_OCSP, 7 };
-
-CONST_OID pkixCAIssuers[]			= { PKIX_CA_ISSUERS };
-
-CONST_OID pkixRegCtrlRegToken[]       		= { PKIX_ID_REGCTRL, 1};
-CONST_OID pkixRegCtrlAuthenticator[]  		= { PKIX_ID_REGCTRL, 2};
-CONST_OID pkixRegCtrlPKIPubInfo[]     		= { PKIX_ID_REGCTRL, 3};
-CONST_OID pkixRegCtrlPKIArchOptions[] 		= { PKIX_ID_REGCTRL, 4};
-CONST_OID pkixRegCtrlOldCertID[]      		= { PKIX_ID_REGCTRL, 5};
-CONST_OID pkixRegCtrlProtEncKey[]     		= { PKIX_ID_REGCTRL, 6};
-CONST_OID pkixRegInfoUTF8Pairs[]      		= { PKIX_ID_REGINFO, 1};
-CONST_OID pkixRegInfoCertReq[]        		= { PKIX_ID_REGINFO, 2};
-
-CONST_OID pkixExtendedKeyUsageServerAuth[]    	= { PKIX_KEY_USAGE, 1 };
-CONST_OID pkixExtendedKeyUsageClientAuth[]    	= { PKIX_KEY_USAGE, 2 };
-CONST_OID pkixExtendedKeyUsageCodeSign[]      	= { PKIX_KEY_USAGE, 3 };
-CONST_OID pkixExtendedKeyUsageEMailProtect[]  	= { PKIX_KEY_USAGE, 4 };
-CONST_OID pkixExtendedKeyUsageTimeStamp[]     	= { PKIX_KEY_USAGE, 8 };
-CONST_OID pkixOCSPResponderExtendedKeyUsage[] 	= { PKIX_KEY_USAGE, 9 };
-
-/* OIDs for Netscape defined algorithms */
-CONST_OID netscapeSMimeKEA[] 			= { NETSCAPE_ALGS, 0x01 };
-
-/* Fortezza algorithm OIDs */
-CONST_OID skipjackCBC[] 			= { FORTEZZA_ALG, 0x04 };
-CONST_OID dhPublicKey[] 			= { ANSI_X942_ALGORITHM, 0x1 };
-
-CONST_OID aes128_ECB[] 				= { AES, 1 };
-CONST_OID aes128_CBC[] 				= { AES, 2 };
-#ifdef DEFINE_ALL_AES_CIPHERS
-CONST_OID aes128_OFB[] 				= { AES, 3 };
-CONST_OID aes128_CFB[] 				= { AES, 4 };
-#endif
-CONST_OID aes128_KEY_WRAP[]			= { AES, 5 };
-
-CONST_OID aes192_ECB[] 				= { AES, 21 };
-CONST_OID aes192_CBC[] 				= { AES, 22 };
-#ifdef DEFINE_ALL_AES_CIPHERS
-CONST_OID aes192_OFB[] 				= { AES, 23 };
-CONST_OID aes192_CFB[] 				= { AES, 24 };
-#endif
-CONST_OID aes192_KEY_WRAP[]			= { AES, 25 };
-
-CONST_OID aes256_ECB[] 				= { AES, 41 };
-CONST_OID aes256_CBC[] 				= { AES, 42 };
-#ifdef DEFINE_ALL_AES_CIPHERS
-CONST_OID aes256_OFB[] 				= { AES, 43 };
-CONST_OID aes256_CFB[] 				= { AES, 44 };
-#endif
-CONST_OID aes256_KEY_WRAP[]			= { AES, 45 };
-
-CONST_OID sha256[]                              = { SHAXXX, 1 };
-CONST_OID sha384[]                              = { SHAXXX, 2 };
-CONST_OID sha512[]                              = { SHAXXX, 3 };
-
-CONST_OID ansix962ECPublicKey[]                 = { ANSI_X962_OID, 0x02, 0x01 };
-CONST_OID ansix962ECDSASignaturewithSHA1Digest[] = { ANSI_X962_OID, 0x04, 0x01 };
-
-/* ANSI X9.62 prime curve OIDs */
-/* NOTE: prime192v1 is the same as secp192r1, prime256v1 is the
- * same as secp256r1
- */
-CONST_OID ansiX962prime192v1[] = { ANSI_X962_GFp_OID, 0x01 };
-CONST_OID ansiX962prime192v2[] = { ANSI_X962_GFp_OID, 0x02 };
-CONST_OID ansiX962prime192v3[] = { ANSI_X962_GFp_OID, 0x03 };
-CONST_OID ansiX962prime239v1[] = { ANSI_X962_GFp_OID, 0x04 };
-CONST_OID ansiX962prime239v2[] = { ANSI_X962_GFp_OID, 0x05 };
-CONST_OID ansiX962prime239v3[] = { ANSI_X962_GFp_OID, 0x06 };
-CONST_OID ansiX962prime256v1[] = { ANSI_X962_GFp_OID, 0x07 };
-
-/* SECG prime curve OIDs */
-CONST_OID secgECsecp112r1[] = { SECG_OID, 0x06 };
-CONST_OID secgECsecp112r2[] = { SECG_OID, 0x07 };
-CONST_OID secgECsecp128r1[] = { SECG_OID, 0x1c };
-CONST_OID secgECsecp128r2[] = { SECG_OID, 0x1d };
-CONST_OID secgECsecp160k1[] = { SECG_OID, 0x09 };
-CONST_OID secgECsecp160r1[] = { SECG_OID, 0x08 };
-CONST_OID secgECsecp160r2[] = { SECG_OID, 0x1e };
-CONST_OID secgECsecp192k1[] = { SECG_OID, 0x1f };
-CONST_OID secgECsecp224k1[] = { SECG_OID, 0x20 };
-CONST_OID secgECsecp224r1[] = { SECG_OID, 0x21 };
-CONST_OID secgECsecp256k1[] = { SECG_OID, 0x0a };
-CONST_OID secgECsecp384r1[] = { SECG_OID, 0x22 };
-CONST_OID secgECsecp521r1[] = { SECG_OID, 0x23 };
-
-/* ANSI X9.62 characteristic two curve OIDs */
-CONST_OID ansiX962c2pnb163v1[] = { ANSI_X962_GF2m_OID, 0x01 };
-CONST_OID ansiX962c2pnb163v2[] = { ANSI_X962_GF2m_OID, 0x02 };
-CONST_OID ansiX962c2pnb163v3[] = { ANSI_X962_GF2m_OID, 0x03 };
-CONST_OID ansiX962c2pnb176v1[] = { ANSI_X962_GF2m_OID, 0x04 };
-CONST_OID ansiX962c2tnb191v1[] = { ANSI_X962_GF2m_OID, 0x05 };
-CONST_OID ansiX962c2tnb191v2[] = { ANSI_X962_GF2m_OID, 0x06 };
-CONST_OID ansiX962c2tnb191v3[] = { ANSI_X962_GF2m_OID, 0x07 };
-CONST_OID ansiX962c2onb191v4[] = { ANSI_X962_GF2m_OID, 0x08 };
-CONST_OID ansiX962c2onb191v5[] = { ANSI_X962_GF2m_OID, 0x09 };
-CONST_OID ansiX962c2pnb208w1[] = { ANSI_X962_GF2m_OID, 0x0a };
-CONST_OID ansiX962c2tnb239v1[] = { ANSI_X962_GF2m_OID, 0x0b };
-CONST_OID ansiX962c2tnb239v2[] = { ANSI_X962_GF2m_OID, 0x0c };
-CONST_OID ansiX962c2tnb239v3[] = { ANSI_X962_GF2m_OID, 0x0d };
-CONST_OID ansiX962c2onb239v4[] = { ANSI_X962_GF2m_OID, 0x0e };
-CONST_OID ansiX962c2onb239v5[] = { ANSI_X962_GF2m_OID, 0x0f };
-CONST_OID ansiX962c2pnb272w1[] = { ANSI_X962_GF2m_OID, 0x10 };
-CONST_OID ansiX962c2pnb304w1[] = { ANSI_X962_GF2m_OID, 0x11 };
-CONST_OID ansiX962c2tnb359v1[] = { ANSI_X962_GF2m_OID, 0x12 };
-CONST_OID ansiX962c2pnb368w1[] = { ANSI_X962_GF2m_OID, 0x13 };
-CONST_OID ansiX962c2tnb431r1[] = { ANSI_X962_GF2m_OID, 0x14 };
-
-/* SECG characterisitic two curve OIDs */
-CONST_OID secgECsect113r1[] = {SECG_OID, 0x04 };
-CONST_OID secgECsect113r2[] = {SECG_OID, 0x05 };
-CONST_OID secgECsect131r1[] = {SECG_OID, 0x16 };
-CONST_OID secgECsect131r2[] = {SECG_OID, 0x17 };
-CONST_OID secgECsect163k1[] = {SECG_OID, 0x01 };
-CONST_OID secgECsect163r1[] = {SECG_OID, 0x02 };
-CONST_OID secgECsect163r2[] = {SECG_OID, 0x0f };
-CONST_OID secgECsect193r1[] = {SECG_OID, 0x18 };
-CONST_OID secgECsect193r2[] = {SECG_OID, 0x19 };
-CONST_OID secgECsect233k1[] = {SECG_OID, 0x1a };
-CONST_OID secgECsect233r1[] = {SECG_OID, 0x1b };
-CONST_OID secgECsect239k1[] = {SECG_OID, 0x03 };
-CONST_OID secgECsect283k1[] = {SECG_OID, 0x10 };
-CONST_OID secgECsect283r1[] = {SECG_OID, 0x11 };
-CONST_OID secgECsect409k1[] = {SECG_OID, 0x24 };
-CONST_OID secgECsect409r1[] = {SECG_OID, 0x25 };
-CONST_OID secgECsect571k1[] = {SECG_OID, 0x26 };
-CONST_OID secgECsect571r1[] = {SECG_OID, 0x27 };
-
-#define OI(x) { siDEROID, (unsigned char *)x, sizeof x }
-#ifndef SECOID_NO_STRINGS
-#define OD(oid,tag,desc,mech,ext) { OI(oid), tag, desc, mech, ext }
-#else
-#define OD(oid,tag,desc,mech,ext) { OI(oid), tag, 0, mech, ext }
-#endif
-
-/*
- * NOTE: the order of these entries must mach the SECOidTag enum in secoidt.h!
- */
-const static SECOidData oids[] = {
-    { { siDEROID, NULL, 0 }, SEC_OID_UNKNOWN,
-	"Unknown OID", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
-    OD( md2, SEC_OID_MD2, "MD2", CKM_MD2, INVALID_CERT_EXTENSION ),
-    OD( md4, SEC_OID_MD4,
-	"MD4", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( md5, SEC_OID_MD5, "MD5", CKM_MD5, INVALID_CERT_EXTENSION ),
-    OD( sha1, SEC_OID_SHA1, "SHA-1", CKM_SHA_1, INVALID_CERT_EXTENSION ),
-    OD( rc2cbc, SEC_OID_RC2_CBC,
-	"RC2-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION ),
-    OD( rc4, SEC_OID_RC4, "RC4", CKM_RC4, INVALID_CERT_EXTENSION ),
-    OD( desede3cbc, SEC_OID_DES_EDE3_CBC,
-	"DES-EDE3-CBC", CKM_DES3_CBC, INVALID_CERT_EXTENSION ),
-    OD( rc5cbcpad, SEC_OID_RC5_CBC_PAD,
-	"RC5-CBCPad", CKM_RC5_CBC, INVALID_CERT_EXTENSION ),
-    OD( desecb, SEC_OID_DES_ECB,
-	"DES-ECB", CKM_DES_ECB, INVALID_CERT_EXTENSION ),
-    OD( descbc, SEC_OID_DES_CBC,
-	"DES-CBC", CKM_DES_CBC, INVALID_CERT_EXTENSION ),
-    OD( desofb, SEC_OID_DES_OFB,
-	"DES-OFB", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( descfb, SEC_OID_DES_CFB,
-	"DES-CFB", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( desmac, SEC_OID_DES_MAC,
-	"DES-MAC", CKM_DES_MAC, INVALID_CERT_EXTENSION ),
-    OD( desede, SEC_OID_DES_EDE,
-	"DES-EDE", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( isoSHAWithRSASignature, SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE,
-	"ISO SHA with RSA Signature", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs1RSAEncryption, SEC_OID_PKCS1_RSA_ENCRYPTION,
-	"PKCS #1 RSA Encryption", CKM_RSA_PKCS, INVALID_CERT_EXTENSION ),
-
-    /* the following Signing mechanisms should get new CKM_ values when
-     * values for CKM_RSA_WITH_MDX and CKM_RSA_WITH_SHA_1 get defined in
-     * PKCS #11.
-     */
-    OD( pkcs1MD2WithRSAEncryption, SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION,
-	"PKCS #1 MD2 With RSA Encryption", CKM_MD2_RSA_PKCS,
-	INVALID_CERT_EXTENSION ),
-    OD( pkcs1MD4WithRSAEncryption, SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION,
-	"PKCS #1 MD4 With RSA Encryption", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs1MD5WithRSAEncryption, SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION,
-	"PKCS #1 MD5 With RSA Encryption", CKM_MD5_RSA_PKCS,
-	INVALID_CERT_EXTENSION ),
-    OD( pkcs1SHA1WithRSAEncryption, SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION,
-	"PKCS #1 SHA-1 With RSA Encryption", CKM_SHA1_RSA_PKCS,
-	INVALID_CERT_EXTENSION ),
-
-    OD( pkcs5PbeWithMD2AndDEScbc, SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC,
-	"PKCS #5 Password Based Encryption with MD2 and DES CBC",
-	CKM_PBE_MD2_DES_CBC, INVALID_CERT_EXTENSION ),
-    OD( pkcs5PbeWithMD5AndDEScbc, SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC,
-	"PKCS #5 Password Based Encryption with MD5 and DES CBC",
-	CKM_PBE_MD5_DES_CBC, INVALID_CERT_EXTENSION ),
-    OD( pkcs5PbeWithSha1AndDEScbc, SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC,
-	"PKCS #5 Password Based Encryption with SHA1 and DES CBC", 
-	CKM_NETSCAPE_PBE_SHA1_DES_CBC, INVALID_CERT_EXTENSION ),
-    OD( pkcs7, SEC_OID_PKCS7,
-	"PKCS #7", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs7Data, SEC_OID_PKCS7_DATA,
-	"PKCS #7 Data", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs7SignedData, SEC_OID_PKCS7_SIGNED_DATA,
-	"PKCS #7 Signed Data", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs7EnvelopedData, SEC_OID_PKCS7_ENVELOPED_DATA,
-	"PKCS #7 Enveloped Data", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs7SignedEnvelopedData, SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA,
-	"PKCS #7 Signed And Enveloped Data", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs7DigestedData, SEC_OID_PKCS7_DIGESTED_DATA,
-	"PKCS #7 Digested Data", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs7EncryptedData, SEC_OID_PKCS7_ENCRYPTED_DATA,
-	"PKCS #7 Encrypted Data", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs9EmailAddress, SEC_OID_PKCS9_EMAIL_ADDRESS,
-	"PKCS #9 Email Address", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs9UnstructuredName, SEC_OID_PKCS9_UNSTRUCTURED_NAME,
-	"PKCS #9 Unstructured Name", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs9ContentType, SEC_OID_PKCS9_CONTENT_TYPE,
-	"PKCS #9 Content Type", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs9MessageDigest, SEC_OID_PKCS9_MESSAGE_DIGEST,
-	"PKCS #9 Message Digest", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs9SigningTime, SEC_OID_PKCS9_SIGNING_TIME,
-	"PKCS #9 Signing Time", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs9CounterSignature, SEC_OID_PKCS9_COUNTER_SIGNATURE,
-	"PKCS #9 Counter Signature", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs9ChallengePassword, SEC_OID_PKCS9_CHALLENGE_PASSWORD,
-	"PKCS #9 Challenge Password", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs9UnstructuredAddress, SEC_OID_PKCS9_UNSTRUCTURED_ADDRESS,
-	"PKCS #9 Unstructured Address", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs9ExtendedCertificateAttributes,
-	SEC_OID_PKCS9_EXTENDED_CERTIFICATE_ATTRIBUTES,
-	"PKCS #9 Extended Certificate Attributes", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs9SMIMECapabilities, SEC_OID_PKCS9_SMIME_CAPABILITIES,
-	"PKCS #9 S/MIME Capabilities", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( x520CommonName, SEC_OID_AVA_COMMON_NAME,
-	"X520 Common Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( x520CountryName, SEC_OID_AVA_COUNTRY_NAME,
-	"X520 Country Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( x520LocalityName, SEC_OID_AVA_LOCALITY,
-	"X520 Locality Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( x520StateOrProvinceName, SEC_OID_AVA_STATE_OR_PROVINCE,
-	"X520 State Or Province Name", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( x520OrgName, SEC_OID_AVA_ORGANIZATION_NAME,
-	"X520 Organization Name", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( x520OrgUnitName, SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME,
-	"X520 Organizational Unit Name", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( x520DnQualifier, SEC_OID_AVA_DN_QUALIFIER,
-	"X520 DN Qualifier", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( rfc2247DomainComponent, SEC_OID_AVA_DC,
-	"RFC 2247 Domain Component", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-
-    OD( nsTypeGIF, SEC_OID_NS_TYPE_GIF,
-	"GIF", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( nsTypeJPEG, SEC_OID_NS_TYPE_JPEG,
-	"JPEG", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( nsTypeURL, SEC_OID_NS_TYPE_URL,
-	"URL", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( nsTypeHTML, SEC_OID_NS_TYPE_HTML,
-	"HTML", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( nsTypeCertSeq, SEC_OID_NS_TYPE_CERT_SEQUENCE,
-	"Certificate Sequence", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( missiCertKEADSSOld, SEC_OID_MISSI_KEA_DSS_OLD, 
-	"MISSI KEA and DSS Algorithm (Old)",
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( missiCertDSSOld, SEC_OID_MISSI_DSS_OLD, 
-	"MISSI DSS Algorithm (Old)",
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( missiCertKEADSS, SEC_OID_MISSI_KEA_DSS, 
-	"MISSI KEA and DSS Algorithm",
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( missiCertDSS, SEC_OID_MISSI_DSS, 
-	"MISSI DSS Algorithm",
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( missiCertKEA, SEC_OID_MISSI_KEA, 
-	"MISSI KEA Algorithm",
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( missiCertAltKEA, SEC_OID_MISSI_ALT_KEA, 
-	"MISSI Alternate KEA Algorithm",
-          CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-
-    /* Netscape private extensions */
-    OD( nsCertExtNetscapeOK, SEC_OID_NS_CERT_EXT_NETSCAPE_OK,
-	"Netscape says this cert is OK",
-	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
-    OD( nsCertExtIssuerLogo, SEC_OID_NS_CERT_EXT_ISSUER_LOGO,
-	"Certificate Issuer Logo",
-	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
-    OD( nsCertExtSubjectLogo, SEC_OID_NS_CERT_EXT_SUBJECT_LOGO,
-	"Certificate Subject Logo",
-	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
-    OD( nsExtCertType, SEC_OID_NS_CERT_EXT_CERT_TYPE,
-	"Certificate Type",
-	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
-    OD( nsExtBaseURL, SEC_OID_NS_CERT_EXT_BASE_URL,
-	"Certificate Extension Base URL",
-	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
-    OD( nsExtRevocationURL, SEC_OID_NS_CERT_EXT_REVOCATION_URL,
-	"Certificate Revocation URL",
-	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
-    OD( nsExtCARevocationURL, SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL,
-	"Certificate Authority Revocation URL",
-	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
-    OD( nsExtCACRLURL, SEC_OID_NS_CERT_EXT_CA_CRL_URL,
-	"Certificate Authority CRL Download URL",
-	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
-    OD( nsExtCACertURL, SEC_OID_NS_CERT_EXT_CA_CERT_URL,
-	"Certificate Authority Certificate Download URL",
-	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
-    OD( nsExtCertRenewalURL, SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL,
-	"Certificate Renewal URL", 
-	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ), 
-    OD( nsExtCAPolicyURL, SEC_OID_NS_CERT_EXT_CA_POLICY_URL,
-	"Certificate Authority Policy URL",
-	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
-    OD( nsExtHomepageURL, SEC_OID_NS_CERT_EXT_HOMEPAGE_URL,
-	"Certificate Homepage URL", 
-	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
-    OD( nsExtEntityLogo, SEC_OID_NS_CERT_EXT_ENTITY_LOGO,
-	"Certificate Entity Logo", 
-	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
-    OD( nsExtUserPicture, SEC_OID_NS_CERT_EXT_USER_PICTURE,
-	"Certificate User Picture", 
-	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
-    OD( nsExtSSLServerName, SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME,
-	"Certificate SSL Server Name", 
-	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
-    OD( nsExtComment, SEC_OID_NS_CERT_EXT_COMMENT,
-	"Certificate Comment", 
-	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
-    OD( nsExtLostPasswordURL, SEC_OID_NS_CERT_EXT_LOST_PASSWORD_URL,
-        "Lost Password URL", 
-	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
-    OD( nsExtCertRenewalTime, SEC_OID_NS_CERT_EXT_CERT_RENEWAL_TIME, 
-	"Certificate Renewal Time", 
-	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
-    OD( nsKeyUsageGovtApproved, SEC_OID_NS_KEY_USAGE_GOVT_APPROVED,
-	"Strong Crypto Export Approved",
-	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
-
-
-    /* x.509 v3 certificate extensions */
-    OD( x509SubjectDirectoryAttr, SEC_OID_X509_SUBJECT_DIRECTORY_ATTR,
-	"Certificate Subject Directory Attributes",
-	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION),
-    OD( x509SubjectKeyID, SEC_OID_X509_SUBJECT_KEY_ID, 
-	"Certificate Subject Key ID",
-	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
-    OD( x509KeyUsage, SEC_OID_X509_KEY_USAGE, 
-	"Certificate Key Usage",
-	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
-    OD( x509PrivateKeyUsagePeriod, SEC_OID_X509_PRIVATE_KEY_USAGE_PERIOD,
-	"Certificate Private Key Usage Period",
-        CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
-    OD( x509SubjectAltName, SEC_OID_X509_SUBJECT_ALT_NAME, 
-	"Certificate Subject Alt Name",
-        CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
-    OD( x509IssuerAltName, SEC_OID_X509_ISSUER_ALT_NAME, 
-	"Certificate Issuer Alt Name",
-        CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
-    OD( x509BasicConstraints, SEC_OID_X509_BASIC_CONSTRAINTS, 
-	"Certificate Basic Constraints",
-	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
-    OD( x509NameConstraints, SEC_OID_X509_NAME_CONSTRAINTS, 
-	"Certificate Name Constraints",
-	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
-    OD( x509CRLDistPoints, SEC_OID_X509_CRL_DIST_POINTS, 
-	"CRL Distribution Points",
-	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
-    OD( x509CertificatePolicies, SEC_OID_X509_CERTIFICATE_POLICIES,
-	"Certificate Policies",
-        CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
-    OD( x509PolicyMappings, SEC_OID_X509_POLICY_MAPPINGS, 
-	"Certificate Policy Mappings",
-        CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
-    OD( x509PolicyConstraints, SEC_OID_X509_POLICY_CONSTRAINTS, 
-	"Certificate Policy Constraints",
-        CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
-    OD( x509AuthKeyID, SEC_OID_X509_AUTH_KEY_ID, 
-	"Certificate Authority Key Identifier",
-	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
-    OD( x509ExtKeyUsage, SEC_OID_X509_EXT_KEY_USAGE, 
-	"Extended Key Usage",
-	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
-    OD( x509AuthInfoAccess, SEC_OID_X509_AUTH_INFO_ACCESS, 
-	"Authority Information Access",
-        CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
-
-    /* x.509 v3 CRL extensions */
-    OD( x509CrlNumber, SEC_OID_X509_CRL_NUMBER, 
-	"CRL Number", CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
-    OD( x509ReasonCode, SEC_OID_X509_REASON_CODE, 
-	"CRL reason code", CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
-    OD( x509InvalidDate, SEC_OID_X509_INVALID_DATE, 
-	"Invalid Date", CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
-	
-    OD( x500RSAEncryption, SEC_OID_X500_RSA_ENCRYPTION,
-	"X500 RSA Encryption", CKM_RSA_X_509, INVALID_CERT_EXTENSION ),
-
-    /* added for alg 1485 */
-    OD( rfc1274Uid, SEC_OID_RFC1274_UID,
-	"RFC1274 User Id", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( rfc1274Mail, SEC_OID_RFC1274_MAIL,
-	"RFC1274 E-mail Address", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-
-    /* pkcs 12 additions */
-    OD( pkcs12, SEC_OID_PKCS12,
-	"PKCS #12", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs12ModeIDs, SEC_OID_PKCS12_MODE_IDS,
-	"PKCS #12 Mode IDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs12ESPVKIDs, SEC_OID_PKCS12_ESPVK_IDS,
-	"PKCS #12 ESPVK IDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs12BagIDs, SEC_OID_PKCS12_BAG_IDS,
-	"PKCS #12 Bag IDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs12CertBagIDs, SEC_OID_PKCS12_CERT_BAG_IDS,
-	"PKCS #12 Cert Bag IDs", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs12OIDs, SEC_OID_PKCS12_OIDS,
-	"PKCS #12 OIDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs12PBEIDs, SEC_OID_PKCS12_PBE_IDS,
-	"PKCS #12 PBE IDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs12SignatureIDs, SEC_OID_PKCS12_SIGNATURE_IDS,
-	"PKCS #12 Signature IDs", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs12EnvelopingIDs, SEC_OID_PKCS12_ENVELOPING_IDS,
-	"PKCS #12 Enveloping IDs", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs12PKCS8KeyShrouding, SEC_OID_PKCS12_PKCS8_KEY_SHROUDING,
-	"PKCS #12 Key Shrouding", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs12KeyBagID, SEC_OID_PKCS12_KEY_BAG_ID,
-	"PKCS #12 Key Bag ID", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs12CertAndCRLBagID, SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID,
-	"PKCS #12 Cert And CRL Bag ID", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs12SecretBagID, SEC_OID_PKCS12_SECRET_BAG_ID,
-	"PKCS #12 Secret Bag ID", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs12X509CertCRLBag, SEC_OID_PKCS12_X509_CERT_CRL_BAG,
-	"PKCS #12 X509 Cert CRL Bag", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs12SDSICertBag, SEC_OID_PKCS12_SDSI_CERT_BAG,
-	"PKCS #12 SDSI Cert Bag", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs12PBEWithSha1And128BitRC4,
-	SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4,
-	"PKCS #12 PBE With Sha1 and 128 Bit RC4", 
-	CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4, INVALID_CERT_EXTENSION ),
-    OD( pkcs12PBEWithSha1And40BitRC4,
-	SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4,
-	"PKCS #12 PBE With Sha1 and 40 Bit RC4", 
-	CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4, INVALID_CERT_EXTENSION ),
-    OD( pkcs12PBEWithSha1AndTripleDESCBC,
-	SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC,
-	"PKCS #12 PBE With Sha1 and Triple DES CBC", 
-	CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC, INVALID_CERT_EXTENSION ),
-    OD( pkcs12PBEWithSha1And128BitRC2CBC,
-	SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC,
-	"PKCS #12 PBE With Sha1 and 128 Bit RC2 CBC", 
-	CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC, INVALID_CERT_EXTENSION ),
-    OD( pkcs12PBEWithSha1And40BitRC2CBC,
-	SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC,
-	"PKCS #12 PBE With Sha1 and 40 Bit RC2 CBC", 
-	CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC, INVALID_CERT_EXTENSION ),
-    OD( pkcs12RSAEncryptionWith128BitRC4,
-	SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_128_BIT_RC4,
-	"PKCS #12 RSA Encryption with 128 Bit RC4",
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs12RSAEncryptionWith40BitRC4,
-	SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_40_BIT_RC4,
-	"PKCS #12 RSA Encryption with 40 Bit RC4",
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs12RSAEncryptionWithTripleDES,
-	SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_TRIPLE_DES,
-	"PKCS #12 RSA Encryption with Triple DES",
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs12RSASignatureWithSHA1Digest,
-	SEC_OID_PKCS12_RSA_SIGNATURE_WITH_SHA1_DIGEST,
-	"PKCS #12 RSA Encryption with Triple DES",
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-
-    /* DSA signatures */
-    OD( ansix9DSASignature, SEC_OID_ANSIX9_DSA_SIGNATURE,
-	"ANSI X9.57 DSA Signature", CKM_DSA, INVALID_CERT_EXTENSION ),
-    OD( ansix9DSASignaturewithSHA1Digest,
-        SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST,
-	"ANSI X9.57 DSA Signature with SHA1 Digest", 
-	CKM_DSA_SHA1, INVALID_CERT_EXTENSION ),
-    OD( bogusDSASignaturewithSHA1Digest,
-        SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST,
-	"FORTEZZA DSA Signature with SHA1 Digest", 
-	CKM_DSA_SHA1, INVALID_CERT_EXTENSION ),
-
-    /* verisign oids */
-    OD( verisignUserNotices, SEC_OID_VERISIGN_USER_NOTICES,
-	"Verisign User Notices", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-
-    /* pkix oids */
-    OD( pkixCPSPointerQualifier, SEC_OID_PKIX_CPS_POINTER_QUALIFIER,
-	"PKIX CPS Pointer Qualifier", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkixUserNoticeQualifier, SEC_OID_PKIX_USER_NOTICE_QUALIFIER,
-	"PKIX User Notice Qualifier", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-
-    OD( pkixOCSP, SEC_OID_PKIX_OCSP,
-	"PKIX Online Certificate Status Protocol", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkixOCSPBasicResponse, SEC_OID_PKIX_OCSP_BASIC_RESPONSE,
-	"OCSP Basic Response", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkixOCSPNonce, SEC_OID_PKIX_OCSP_NONCE,
-	"OCSP Nonce Extension", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkixOCSPCRL, SEC_OID_PKIX_OCSP_CRL,
-	"OCSP CRL Reference Extension", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkixOCSPResponse, SEC_OID_PKIX_OCSP_RESPONSE,
-	"OCSP Response Types Extension", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkixOCSPNoCheck, SEC_OID_PKIX_OCSP_NO_CHECK,
-	"OCSP No Check Extension", 
-	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
-    OD( pkixOCSPArchiveCutoff, SEC_OID_PKIX_OCSP_ARCHIVE_CUTOFF,
-	"OCSP Archive Cutoff Extension", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkixOCSPServiceLocator, SEC_OID_PKIX_OCSP_SERVICE_LOCATOR,
-	"OCSP Service Locator Extension", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-
-    OD( pkixRegCtrlRegToken, SEC_OID_PKIX_REGCTRL_REGTOKEN,
-        "PKIX CRMF Registration Control, Registration Token", 
-        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkixRegCtrlAuthenticator, SEC_OID_PKIX_REGCTRL_AUTHENTICATOR,
-        "PKIX CRMF Registration Control, Registration Authenticator", 
-        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkixRegCtrlPKIPubInfo, SEC_OID_PKIX_REGCTRL_PKIPUBINFO,
-        "PKIX CRMF Registration Control, PKI Publication Info", 
-        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
-    OD( pkixRegCtrlPKIArchOptions,
-        SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS,
-        "PKIX CRMF Registration Control, PKI Archive Options", 
-        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
-    OD( pkixRegCtrlOldCertID, SEC_OID_PKIX_REGCTRL_OLD_CERT_ID,
-        "PKIX CRMF Registration Control, Old Certificate ID", 
-        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
-    OD( pkixRegCtrlProtEncKey, SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY,
-        "PKIX CRMF Registration Control, Protocol Encryption Key", 
-        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
-    OD( pkixRegInfoUTF8Pairs, SEC_OID_PKIX_REGINFO_UTF8_PAIRS,
-        "PKIX CRMF Registration Info, UTF8 Pairs", 
-        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
-    OD( pkixRegInfoCertReq, SEC_OID_PKIX_REGINFO_CERT_REQUEST,
-        "PKIX CRMF Registration Info, Certificate Request", 
-        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
-    OD( pkixExtendedKeyUsageServerAuth,
-        SEC_OID_EXT_KEY_USAGE_SERVER_AUTH,
-        "TLS Web Server Authentication Certificate",
-        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
-    OD( pkixExtendedKeyUsageClientAuth,
-        SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH,
-        "TLS Web Client Authentication Certificate",
-        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
-    OD( pkixExtendedKeyUsageCodeSign, SEC_OID_EXT_KEY_USAGE_CODE_SIGN,
-        "Code Signing Certificate",
-        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
-    OD( pkixExtendedKeyUsageEMailProtect,
-        SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT,
-        "E-Mail Protection Certificate",
-        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
-    OD( pkixExtendedKeyUsageTimeStamp,
-        SEC_OID_EXT_KEY_USAGE_TIME_STAMP,
-        "Time Stamping Certifcate",
-        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
-    OD( pkixOCSPResponderExtendedKeyUsage, SEC_OID_OCSP_RESPONDER,
-          "OCSP Responder Certificate",
-          CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
-
-    /* Netscape Algorithm OIDs */
-
-    OD( netscapeSMimeKEA, SEC_OID_NETSCAPE_SMIME_KEA,
-	"Netscape S/MIME KEA", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-
-      /* Skipjack OID -- ### mwelch temporary */
-    OD( skipjackCBC, SEC_OID_FORTEZZA_SKIPJACK,
-	"Skipjack CBC64", CKM_SKIPJACK_CBC64, INVALID_CERT_EXTENSION ),
-
-    /* pkcs12 v2 oids */
-    OD( pkcs12V2PBEWithSha1And128BitRC4,
-        SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4,
-	"PKCS12 V2 PBE With SHA1 And 128 Bit RC4", 
-	CKM_PBE_SHA1_RC4_128, INVALID_CERT_EXTENSION ),
-    OD( pkcs12V2PBEWithSha1And40BitRC4,
-        SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4,
-	"PKCS12 V2 PBE With SHA1 And 40 Bit RC4", 
-	CKM_PBE_SHA1_RC4_40, INVALID_CERT_EXTENSION ),
-    OD( pkcs12V2PBEWithSha1And3KeyTripleDEScbc,
-        SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC,
-	"PKCS12 V2 PBE With SHA1 And 3KEY Triple DES-cbc", 
-	CKM_PBE_SHA1_DES3_EDE_CBC, INVALID_CERT_EXTENSION ),
-    OD( pkcs12V2PBEWithSha1And2KeyTripleDEScbc,
-        SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC,
-	"PKCS12 V2 PBE With SHA1 And 2KEY Triple DES-cbc", 
-	CKM_PBE_SHA1_DES2_EDE_CBC, INVALID_CERT_EXTENSION ),
-    OD( pkcs12V2PBEWithSha1And128BitRC2cbc,
-        SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC,
-	"PKCS12 V2 PBE With SHA1 And 128 Bit RC2 CBC", 
-	CKM_PBE_SHA1_RC2_128_CBC, INVALID_CERT_EXTENSION ),
-    OD( pkcs12V2PBEWithSha1And40BitRC2cbc,
-        SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC,
-	"PKCS12 V2 PBE With SHA1 And 40 Bit RC2 CBC", 
-	CKM_PBE_SHA1_RC2_40_CBC, INVALID_CERT_EXTENSION ),
-    OD( pkcs12SafeContentsID, SEC_OID_PKCS12_SAFE_CONTENTS_ID,
-	"PKCS #12 Safe Contents ID", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs12PKCS8ShroudedKeyBagID,
-	SEC_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG_ID,
-	"PKCS #12 Safe Contents ID", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs12V1KeyBag, SEC_OID_PKCS12_V1_KEY_BAG_ID,
-	"PKCS #12 V1 Key Bag", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs12V1PKCS8ShroudedKeyBag,
-	SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID,
-	"PKCS #12 V1 PKCS8 Shrouded Key Bag", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs12V1CertBag, SEC_OID_PKCS12_V1_CERT_BAG_ID,
-	"PKCS #12 V1 Cert Bag", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs12V1CRLBag, SEC_OID_PKCS12_V1_CRL_BAG_ID,
-	"PKCS #12 V1 CRL Bag", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs12V1SecretBag, SEC_OID_PKCS12_V1_SECRET_BAG_ID,
-	"PKCS #12 V1 Secret Bag", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs12V1SafeContentsBag, SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID,
-	"PKCS #12 V1 Safe Contents Bag", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-
-    OD( pkcs9X509Certificate, SEC_OID_PKCS9_X509_CERT,
-	"PKCS #9 X509 Certificate", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs9SDSICertificate, SEC_OID_PKCS9_SDSI_CERT,
-	"PKCS #9 SDSI Certificate", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs9X509CRL, SEC_OID_PKCS9_X509_CRL,
-	"PKCS #9 X509 CRL", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs9FriendlyName, SEC_OID_PKCS9_FRIENDLY_NAME,
-	"PKCS #9 Friendly Name", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs9LocalKeyID, SEC_OID_PKCS9_LOCAL_KEY_ID,
-	"PKCS #9 Local Key ID", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ), 
-    OD( pkcs12KeyUsageAttr, SEC_OID_PKCS12_KEY_USAGE,
-	"PKCS 12 Key Usage", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( dhPublicKey, SEC_OID_X942_DIFFIE_HELMAN_KEY,
-	"Diffie-Helman Public Key", CKM_DH_PKCS_DERIVE,
-	INVALID_CERT_EXTENSION ),
-    OD( netscapeNickname, SEC_OID_NETSCAPE_NICKNAME,
-	"Netscape Nickname", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-
-    /* Cert Server specific OIDs */
-    OD( netscapeRecoveryRequest, SEC_OID_NETSCAPE_RECOVERY_REQUEST,
-        "Recovery Request OID", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-
-    OD( nsExtAIACertRenewal, SEC_OID_CERT_RENEWAL_LOCATOR,
-        "Certificate Renewal Locator OID", CKM_INVALID_MECHANISM,
-        INVALID_CERT_EXTENSION ), 
-
-    OD( nsExtCertScopeOfUse, SEC_OID_NS_CERT_EXT_SCOPE_OF_USE,
-        "Certificate Scope-of-Use Extension", CKM_INVALID_MECHANISM,
-        SUPPORTED_CERT_EXTENSION ),
-
-    /* CMS stuff */
-    OD( cmsESDH, SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN,
-        "Ephemeral-Static Diffie-Hellman", CKM_INVALID_MECHANISM /* XXX */,
-        INVALID_CERT_EXTENSION ),
-    OD( cms3DESwrap, SEC_OID_CMS_3DES_KEY_WRAP,
-        "CMS 3DES Key Wrap", CKM_INVALID_MECHANISM /* XXX */,
-        INVALID_CERT_EXTENSION ),
-    OD( cmsRC2wrap, SEC_OID_CMS_RC2_KEY_WRAP,
-        "CMS RC2 Key Wrap", CKM_INVALID_MECHANISM /* XXX */,
-        INVALID_CERT_EXTENSION ),
-    OD( smimeEncryptionKeyPreference, SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE,
-	"S/MIME Encryption Key Preference", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-
-    /* AES algorithm OIDs */
-    OD( aes128_ECB, SEC_OID_AES_128_ECB,
-	"AES-128-ECB", CKM_AES_ECB, INVALID_CERT_EXTENSION ),
-    OD( aes128_CBC, SEC_OID_AES_128_CBC,
-	"AES-128-CBC", CKM_AES_CBC, INVALID_CERT_EXTENSION ),
-    OD( aes192_ECB, SEC_OID_AES_192_ECB,
-	"AES-192-ECB", CKM_AES_ECB, INVALID_CERT_EXTENSION ),
-    OD( aes192_CBC, SEC_OID_AES_192_CBC,
-	"AES-192-CBC", CKM_AES_CBC, INVALID_CERT_EXTENSION ),
-    OD( aes256_ECB, SEC_OID_AES_256_ECB,
-	"AES-256-ECB", CKM_AES_ECB, INVALID_CERT_EXTENSION ),
-    OD( aes256_CBC, SEC_OID_AES_256_CBC,
-	"AES-256-CBC", CKM_AES_CBC, INVALID_CERT_EXTENSION ),
-
-    /* More bogus DSA OIDs */
-    OD( sdn702DSASignature, SEC_OID_SDN702_DSA_SIGNATURE, 
-	"SDN.702 DSA Signature", CKM_DSA_SHA1, INVALID_CERT_EXTENSION ),
-
-    OD( ms_smimeEncryptionKeyPreference, 
-        SEC_OID_MS_SMIME_ENCRYPTION_KEY_PREFERENCE,
-	"Microsoft S/MIME Encryption Key Preference", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-
-    OD( sha256, SEC_OID_SHA256, "SHA-256", CKM_SHA256, INVALID_CERT_EXTENSION),
-    OD( sha384, SEC_OID_SHA384, "SHA-384", CKM_SHA384, INVALID_CERT_EXTENSION),
-    OD( sha512, SEC_OID_SHA512, "SHA-512", CKM_SHA512, INVALID_CERT_EXTENSION),
-
-    OD( pkcs1SHA256WithRSAEncryption, SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION,
-	"PKCS #1 SHA-256 With RSA Encryption", CKM_SHA256_RSA_PKCS,
-	INVALID_CERT_EXTENSION ),
-    OD( pkcs1SHA384WithRSAEncryption, SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION,
-	"PKCS #1 SHA-384 With RSA Encryption", CKM_SHA384_RSA_PKCS,
-	INVALID_CERT_EXTENSION ),
-    OD( pkcs1SHA512WithRSAEncryption, SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION,
-	"PKCS #1 SHA-512 With RSA Encryption", CKM_SHA512_RSA_PKCS,
-	INVALID_CERT_EXTENSION ),
-
-    OD( aes128_KEY_WRAP, SEC_OID_AES_128_KEY_WRAP,
-	"AES-128 Key Wrap", CKM_NETSCAPE_AES_KEY_WRAP, INVALID_CERT_EXTENSION),
-    OD( aes192_KEY_WRAP, SEC_OID_AES_192_KEY_WRAP,
-	"AES-192 Key Wrap", CKM_NETSCAPE_AES_KEY_WRAP, INVALID_CERT_EXTENSION),
-    OD( aes256_KEY_WRAP, SEC_OID_AES_256_KEY_WRAP,
-	"AES-256 Key Wrap", CKM_NETSCAPE_AES_KEY_WRAP, INVALID_CERT_EXTENSION),
-
-    /* Elliptic Curve Cryptography (ECC) OIDs */
-    OD( ansix962ECPublicKey, SEC_OID_ANSIX962_EC_PUBLIC_KEY,
-	"X9.62 elliptic curve public key", CKM_ECDH1_DERIVE,
-	INVALID_CERT_EXTENSION ),
-    OD( ansix962ECDSASignaturewithSHA1Digest, 
-	SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST,
-	"X9.62 ECDSA signature with SHA1", CKM_ECDSA_SHA1,
-	INVALID_CERT_EXTENSION ),
-
-    /* Named curves */
-
-    /* ANSI X9.62 named elliptic curves (prime field) */
-    OD( ansiX962prime192v1, SEC_OID_ANSIX962_EC_PRIME192V1,
-	"ANSI X9.62 elliptic curve prime192v1 (aka secp192r1, NIST P-192)", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( ansiX962prime192v2, SEC_OID_ANSIX962_EC_PRIME192V2,
-	"ANSI X9.62 elliptic curve prime192v2", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( ansiX962prime192v3, SEC_OID_ANSIX962_EC_PRIME192V3,
-	"ANSI X9.62 elliptic curve prime192v3", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( ansiX962prime239v1, SEC_OID_ANSIX962_EC_PRIME239V1,
-	"ANSI X9.62 elliptic curve prime239v1", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( ansiX962prime239v2, SEC_OID_ANSIX962_EC_PRIME239V2,
-	"ANSI X9.62 elliptic curve prime239v2", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( ansiX962prime239v3, SEC_OID_ANSIX962_EC_PRIME239V3,
-	"ANSI X9.62 elliptic curve prime239v3", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( ansiX962prime256v1, SEC_OID_ANSIX962_EC_PRIME256V1,
-	"ANSI X9.62 elliptic curve prime256v1 (aka secp256r1, NIST P-256)", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-
-    /* SECG named elliptic curves (prime field) */
-    OD( secgECsecp112r1, SEC_OID_SECG_EC_SECP112R1,
-	"SECG elliptic curve secp112r1", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( secgECsecp112r2, SEC_OID_SECG_EC_SECP112R2,
-	"SECG elliptic curve secp112r2", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( secgECsecp128r1, SEC_OID_SECG_EC_SECP128R1,
-	"SECG elliptic curve secp128r1", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( secgECsecp128r2, SEC_OID_SECG_EC_SECP128R2,
-	"SECG elliptic curve secp128r2", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( secgECsecp160k1, SEC_OID_SECG_EC_SECP160K1,
-	"SECG elliptic curve secp160k1", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( secgECsecp160r1, SEC_OID_SECG_EC_SECP160R1,
-	"SECG elliptic curve secp160r1", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( secgECsecp160r2, SEC_OID_SECG_EC_SECP160R2,
-	"SECG elliptic curve secp160r2", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( secgECsecp192k1, SEC_OID_SECG_EC_SECP192K1,
-	"SECG elliptic curve secp192k1", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( secgECsecp224k1, SEC_OID_SECG_EC_SECP224K1,
-	"SECG elliptic curve secp224k1", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( secgECsecp224r1, SEC_OID_SECG_EC_SECP224R1,
-	"SECG elliptic curve secp224r1 (aka NIST P-224)", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( secgECsecp256k1, SEC_OID_SECG_EC_SECP256K1,
-	"SECG elliptic curve secp256k1", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( secgECsecp384r1, SEC_OID_SECG_EC_SECP384R1,
-	"SECG elliptic curve secp384r1 (aka NIST P-384)", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( secgECsecp521r1, SEC_OID_SECG_EC_SECP521R1,
-	"SECG elliptic curve secp521r1 (aka NIST P-521)", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-
-    /* ANSI X9.62 named elliptic curves (characteristic two field) */
-    OD( ansiX962c2pnb163v1, SEC_OID_ANSIX962_EC_C2PNB163V1,
-	"ANSI X9.62 elliptic curve c2pnb163v1", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( ansiX962c2pnb163v2, SEC_OID_ANSIX962_EC_C2PNB163V2,
-	"ANSI X9.62 elliptic curve c2pnb163v2", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( ansiX962c2pnb163v3, SEC_OID_ANSIX962_EC_C2PNB163V3,
-	"ANSI X9.62 elliptic curve c2pnb163v3", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( ansiX962c2pnb176v1, SEC_OID_ANSIX962_EC_C2PNB176V1,
-	"ANSI X9.62 elliptic curve c2pnb176v1", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( ansiX962c2tnb191v1, SEC_OID_ANSIX962_EC_C2TNB191V1,
-	"ANSI X9.62 elliptic curve c2tnb191v1", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( ansiX962c2tnb191v2, SEC_OID_ANSIX962_EC_C2TNB191V2,
-	"ANSI X9.62 elliptic curve c2tnb191v2", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( ansiX962c2tnb191v3, SEC_OID_ANSIX962_EC_C2TNB191V3,
-	"ANSI X9.62 elliptic curve c2tnb191v3", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( ansiX962c2onb191v4, SEC_OID_ANSIX962_EC_C2ONB191V4,
-	"ANSI X9.62 elliptic curve c2onb191v4", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( ansiX962c2onb191v5, SEC_OID_ANSIX962_EC_C2ONB191V5,
-	"ANSI X9.62 elliptic curve c2onb191v5", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( ansiX962c2pnb208w1, SEC_OID_ANSIX962_EC_C2PNB208W1,
-	"ANSI X9.62 elliptic curve c2pnb208w1", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( ansiX962c2tnb239v1, SEC_OID_ANSIX962_EC_C2TNB239V1,
-	"ANSI X9.62 elliptic curve c2tnb239v1", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( ansiX962c2tnb239v2, SEC_OID_ANSIX962_EC_C2TNB239V2,
-	"ANSI X9.62 elliptic curve c2tnb239v2", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( ansiX962c2tnb239v3, SEC_OID_ANSIX962_EC_C2TNB239V3,
-	"ANSI X9.62 elliptic curve c2tnb239v3", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( ansiX962c2onb239v4, SEC_OID_ANSIX962_EC_C2ONB239V4,
-	"ANSI X9.62 elliptic curve c2onb239v4", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( ansiX962c2onb239v5, SEC_OID_ANSIX962_EC_C2ONB239V5,
-	"ANSI X9.62 elliptic curve c2onb239v5", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( ansiX962c2pnb272w1, SEC_OID_ANSIX962_EC_C2PNB272W1,
-	"ANSI X9.62 elliptic curve c2pnb272w1", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( ansiX962c2pnb304w1, SEC_OID_ANSIX962_EC_C2PNB304W1,
-	"ANSI X9.62 elliptic curve c2pnb304w1", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( ansiX962c2tnb359v1, SEC_OID_ANSIX962_EC_C2TNB359V1,
-	"ANSI X9.62 elliptic curve c2tnb359v1", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( ansiX962c2pnb368w1, SEC_OID_ANSIX962_EC_C2PNB368W1,
-	"ANSI X9.62 elliptic curve c2pnb368w1", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( ansiX962c2tnb431r1, SEC_OID_ANSIX962_EC_C2TNB431R1,
-	"ANSI X9.62 elliptic curve c2tnb431r1", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-
-    /* SECG named elliptic curves (characterisitic two field) */
-    OD( secgECsect113r1, SEC_OID_SECG_EC_SECT113R1,
-	"SECG elliptic curve sect113r1", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( secgECsect113r2, SEC_OID_SECG_EC_SECT113R2,
-	"SECG elliptic curve sect113r2", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( secgECsect131r1, SEC_OID_SECG_EC_SECT131R1,
-	"SECG elliptic curve sect131r1", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( secgECsect131r2, SEC_OID_SECG_EC_SECT131R2,
-	"SECG elliptic curve sect131r2", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( secgECsect163k1, SEC_OID_SECG_EC_SECT163K1,
-	"SECG elliptic curve sect163k1 (aka NIST K-163)", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( secgECsect163r1, SEC_OID_SECG_EC_SECT163R1,
-	"SECG elliptic curve sect163r1", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( secgECsect163r2, SEC_OID_SECG_EC_SECT163R2,
-	"SECG elliptic curve sect163r2 (aka NIST B-163)", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( secgECsect193r1, SEC_OID_SECG_EC_SECT193R1,
-	"SECG elliptic curve sect193r1", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( secgECsect193r2, SEC_OID_SECG_EC_SECT193R2,
-	"SECG elliptic curve sect193r2", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( secgECsect233k1, SEC_OID_SECG_EC_SECT233K1,
-	"SECG elliptic curve sect233k1 (aka NIST K-233)", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( secgECsect233r1, SEC_OID_SECG_EC_SECT233R1,
-	"SECG elliptic curve sect233r1 (aka NIST B-233)", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( secgECsect239k1, SEC_OID_SECG_EC_SECT239K1,
-	"SECG elliptic curve sect239k1", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( secgECsect283k1, SEC_OID_SECG_EC_SECT283K1,
-	"SECG elliptic curve sect283k1 (aka NIST K-283)", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( secgECsect283r1, SEC_OID_SECG_EC_SECT283R1,
-	"SECG elliptic curve sect283r1 (aka NIST B-283)", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( secgECsect409k1, SEC_OID_SECG_EC_SECT409K1,
-	"SECG elliptic curve sect409k1 (aka NIST K-409)", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( secgECsect409r1, SEC_OID_SECG_EC_SECT409R1,
-	"SECG elliptic curve sect409r1 (aka NIST B-409)", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( secgECsect571k1, SEC_OID_SECG_EC_SECT571K1,
-	"SECG elliptic curve sect571k1 (aka NIST K-571)", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-    OD( secgECsect571r1, SEC_OID_SECG_EC_SECT571R1,
-	"SECG elliptic curve sect571r1 (aka NIST B-571)", 
-	CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-
-    OD( netscapeAOLScreenname, SEC_OID_NETSCAPE_AOLSCREENNAME,
-	"AOL Screenname", CKM_INVALID_MECHANISM,
-	INVALID_CERT_EXTENSION ),
-
-    OD( x520SurName, SEC_OID_AVA_SURNAME,
-    	"X520 Title",         CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( x520SerialNumber, SEC_OID_AVA_SERIAL_NUMBER,
-        "X520 Serial Number", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( x520StreetAddress, SEC_OID_AVA_STREET_ADDRESS,
-        "X520 Street Address", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( x520Title, SEC_OID_AVA_TITLE, 
-    	"X520 Title",         CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( x520PostalAddress, SEC_OID_AVA_POSTAL_ADDRESS,
-    	"X520 Postal Address", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( x520PostalCode, SEC_OID_AVA_POSTAL_CODE,
-    	"X520 Postal Code",   CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( x520PostOfficeBox, SEC_OID_AVA_POST_OFFICE_BOX,
-    	"X520 Post Office Box", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( x520GivenName, SEC_OID_AVA_GIVEN_NAME,
-    	"X520 Given Name",    CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( x520Initials, SEC_OID_AVA_INITIALS,
-    	"X520 Initials",      CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( x520GenerationQualifier, SEC_OID_AVA_GENERATION_QUALIFIER,
-    	"X520 Generation Qualifier", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( x520HouseIdentifier, SEC_OID_AVA_HOUSE_IDENTIFIER,
-    	"X520 House Identifier", 
-	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( x520Pseudonym, SEC_OID_AVA_PSEUDONYM,
-    	"X520 Pseudonym",     CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-
-    /* More OIDs */
-    OD( pkixCAIssuers, SEC_OID_PKIX_CA_ISSUERS,
-        "PKIX CA issuers access method", 
-        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-    OD( pkcs9ExtensionRequest, SEC_OID_PKCS9_EXTENSION_REQUEST,
-    	"PKCS #9 Extension Request",
-        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
-};
-
-/*
- * now the dynamic table. The dynamic table gets build at init time.
- * and conceivably gets modified if the user loads new crypto modules.
- * All this static data, and the allocated data to which it points,
- * is protected by a global reader/writer lock.  
- * The c language guarantees that global and static data that is not 
- * explicitly initialized will be initialized with zeros.  If we 
- * initialize it with zeros, the data goes into the initialized data
- * secment, and increases the size of the library.  By leaving it 
- * uninitialized, it is allocated in BSS, and does NOT increase the 
- * library size. 
- */
-static NSSRWLock   * dynOidLock;
-static PLArenaPool * dynOidPool;
-static PLHashTable * dynOidHash;
-static SECOidData ** dynOidTable;	/* not in the pool */
-static int           dynOidEntriesAllocated;
-static int           dynOidEntriesUsed;
-
-/* Creates NSSRWLock and dynOidPool, if they don't exist.
-** This function MIGHT create the lock, but not the pool, so
-** code should test for dynOidPool, not dynOidLock, when deciding
-** whether or not to call this function.
-*/
-static SECStatus
-secoid_InitDynOidData(void)
-{
-    SECStatus   rv = SECSuccess;
-    NSSRWLock * lock;
-
-    /* This function will create the lock if it doesn't exist,
-    ** and will return the address of the lock, whether it was 
-    ** previously created, or was created by the function.
-    */
-    lock = nssRWLock_AtomicCreate(&dynOidLock, 1, "dynamic OID data");
-    if (!lock) {
-    	return SECFailure; /* Error code should already be set. */
-    }
-    PORT_Assert(lock == dynOidLock);
-    NSSRWLock_LockWrite(lock);
-    if (!dynOidPool) {
-    	dynOidPool = PORT_NewArena(2048);
-	if (!dynOidPool) {
-	    rv = SECFailure /* Error code should already be set. */;
-	}
-    }
-    NSSRWLock_UnlockWrite(lock);
-    return rv;
-}
-
-/* Add oidData to hash table.  Caller holds write lock dynOidLock. */
-static SECStatus
-secoid_HashDynamicOiddata(const SECOidData * oid)
-{
-    PLHashEntry *entry;
-
-    if (!dynOidHash) {
-        dynOidHash = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare,
-			PL_CompareValues, NULL, NULL);
-	if ( !dynOidHash ) {
-	    return SECFailure;
-	}
-    }
-
-    entry = PL_HashTableAdd( dynOidHash, &oid->oid, (void *)oid );
-    return entry ? SECSuccess : SECFailure;
-}
-
-
-/*
- * Lookup a Dynamic OID. Dynamic OID's still change slowly, so it's
- * cheaper to rehash the table when it changes than it is to do the loop
- * each time. 
- */
-static SECOidData *
-secoid_FindDynamic(const SECItem *key) 
-{
-    SECOidData *ret = NULL;
-
-    if (dynOidHash) {
-	NSSRWLock_LockRead(dynOidLock);
-	if (dynOidHash) { /* must check it again with lock held. */
-	    ret = (SECOidData *)PL_HashTableLookup(dynOidHash, key);
-	}
-	NSSRWLock_UnlockRead(dynOidLock);
-    }
-    if (ret == NULL) {
-	PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID);
-    }
-    return ret;
-}
-
-static SECOidData *
-secoid_FindDynamicByTag(SECOidTag tagnum)
-{
-    SECOidData *data = NULL;
-    int tagNumDiff;
-
-    if (tagnum < SEC_OID_TOTAL) {
-	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	return NULL;
-    }
-    tagNumDiff = tagnum - SEC_OID_TOTAL;
-
-    if (dynOidTable) {
-	NSSRWLock_LockRead(dynOidLock);
-	if (dynOidTable != NULL && /* must check it again with lock held. */
-	    tagNumDiff < dynOidEntriesUsed) {
-	    data = dynOidTable[tagNumDiff];
-	}
-	NSSRWLock_UnlockRead(dynOidLock);
-    }
-    if (data == NULL) {
-	PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID);
-    }
-    return data;
-}
-
-/*
- * This routine is thread safe now.
- */
-SECOidTag
-SECOID_AddEntry(const SECOidData * src)
-{
-    SECOidData * dst;
-    SECOidData **table;
-    SECOidTag    ret         = SEC_OID_UNKNOWN;
-    SECStatus    rv;
-    int          tableEntries;
-    int          used;
-
-    if (!src || !src->oid.data || !src->oid.len || \
-        !src->desc || !strlen(src->desc)) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return ret;
-    }
-    if (src->supportedExtension != INVALID_CERT_EXTENSION     &&
-    	src->supportedExtension != UNSUPPORTED_CERT_EXTENSION &&
-    	src->supportedExtension != SUPPORTED_CERT_EXTENSION     ) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return ret;
-    }
-
-    if (!dynOidPool && secoid_InitDynOidData() != SECSuccess) {
-	/* Caller has set error code. */
-    	return ret;
-    }
-
-    NSSRWLock_LockWrite(dynOidLock);
-
-    /* We've just acquired the write lock, and now we call FindOIDTag
-    ** which will acquire and release the read lock.  NSSRWLock has been
-    ** designed to allow this very case without deadlock.  This approach 
-    ** makes the test for the presence of the OID, and the subsequent 
-    ** addition of the OID to the table a single atomic write operation.
-    */
-    ret = SECOID_FindOIDTag(&src->oid);
-    if (ret != SEC_OID_UNKNOWN) {
-    	/* we could return an error here, but I chose not to do that.
-	** This way, if we add an OID to the shared library's built in
-	** list of OIDs in some future release, and that OID is the same
-	** as some OID that a program has been adding, the program will
-	** not suddenly stop working.
-	*/
-	goto done;
-    }
-
-    table        = dynOidTable;
-    tableEntries = dynOidEntriesAllocated;
-    used         = dynOidEntriesUsed;
-
-    if (used + 1 > tableEntries) {
-	SECOidData **newTable;
-	int          newTableEntries = tableEntries + 16;
-
-	newTable = (SECOidData **)PORT_Realloc(table, 
-				       newTableEntries * sizeof(SECOidData *));
-	if (newTable == NULL) {
-	    goto done;
-	}
-	dynOidTable            = table        = newTable;
-	dynOidEntriesAllocated = tableEntries = newTableEntries;
-    }
-
-    /* copy oid structure */
-    dst = PORT_ArenaNew(dynOidPool, SECOidData);
-    if (!dst) {
-    	goto done;
-    }
-    rv  = SECITEM_CopyItem(dynOidPool, &dst->oid, &src->oid);
-    if (rv != SECSuccess) {
-	goto done;
-    }
-    dst->desc = PORT_ArenaStrdup(dynOidPool, src->desc);
-    if (!dst->desc) {
-	goto done;
-    }
-    dst->offset             = (SECOidTag)(used + SEC_OID_TOTAL);
-    dst->mechanism          = src->mechanism;
-    dst->supportedExtension = src->supportedExtension;
-
-    rv = secoid_HashDynamicOiddata(dst);
-    if ( rv == SECSuccess ) {
-	table[used++] = dst;
-	dynOidEntriesUsed = used;
-	ret = dst->offset;
-    }
-done:
-    NSSRWLock_UnlockWrite(dynOidLock);
-    return ret;
-}
-
-
-/* normal static table processing */
-static PLHashTable *oidhash     = NULL;
-static PLHashTable *oidmechhash = NULL;
-
-static PLHashNumber
-secoid_HashNumber(const void *key)
-{
-    return (PLHashNumber) key;
-}
-
-
-SECStatus
-secoid_Init(void)
-{
-    PLHashEntry *entry;
-    const SECOidData *oid;
-    int i;
-
-    if (!dynOidPool && secoid_InitDynOidData() != SECSuccess) {
-    	return SECFailure;
-    }
-
-    if (oidhash) {
-	return SECSuccess;
-    }
-    
-    oidhash = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare,
-			PL_CompareValues, NULL, NULL);
-    oidmechhash = PL_NewHashTable(0, secoid_HashNumber, PL_CompareValues,
-			PL_CompareValues, NULL, NULL);
-
-    if ( !oidhash || !oidmechhash) {
-	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- 	PORT_Assert(0); /*This function should never fail. */
-	return(SECFailure);
-    }
-
-    for ( i = 0; i < ( sizeof(oids) / sizeof(SECOidData) ); i++ ) {
-	oid = &oids[i];
-
-	PORT_Assert ( oid->offset == i );
-
-	entry = PL_HashTableAdd( oidhash, &oid->oid, (void *)oid );
-	if ( entry == NULL ) {
-	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-            PORT_Assert(0); /*This function should never fail. */
-	    return(SECFailure);
-	}
-
-	if ( oid->mechanism != CKM_INVALID_MECHANISM ) {
-	    entry = PL_HashTableAdd( oidmechhash, 
-					(void *)oid->mechanism, (void *)oid );
-	    if ( entry == NULL ) {
-	        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-                PORT_Assert(0); /* This function should never fail. */
-		return(SECFailure);
-	    }
-	}
-    }
-
-    PORT_Assert (i == SEC_OID_TOTAL);
-
-    return(SECSuccess);
-}
-
-SECOidData *
-SECOID_FindOIDByMechanism(unsigned long mechanism)
-{
-    SECOidData *ret;
-
-    PR_ASSERT(oidhash != NULL);
-
-    ret = PL_HashTableLookupConst ( oidmechhash, (void *)mechanism);
-    if ( ret == NULL ) {
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-    }
-
-    return (ret);
-}
-
-SECOidData *
-SECOID_FindOID(const SECItem *oid)
-{
-    SECOidData *ret;
-
-    PR_ASSERT(oidhash != NULL);
-    
-    ret = PL_HashTableLookupConst ( oidhash, oid );
-    if ( ret == NULL ) {
-	ret  = secoid_FindDynamic(oid);
-	if (ret == NULL) {
-	    PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID);
-	}
-    }
-
-    return(ret);
-}
-
-SECOidTag
-SECOID_FindOIDTag(const SECItem *oid)
-{
-    SECOidData *oiddata;
-
-    oiddata = SECOID_FindOID (oid);
-    if (oiddata == NULL)
-	return SEC_OID_UNKNOWN;
-
-    return oiddata->offset;
-}
-
-/* This really should return const. */
-SECOidData *
-SECOID_FindOIDByTag(SECOidTag tagnum)
-{
-
-    if (tagnum >= SEC_OID_TOTAL) {
-	return secoid_FindDynamicByTag(tagnum);
-    }
-
-    PORT_Assert((unsigned int)tagnum < (sizeof(oids) / sizeof(SECOidData)));
-    return (SECOidData *)(&oids[tagnum]);
-}
-
-PRBool SECOID_KnownCertExtenOID (SECItem *extenOid)
-{
-    SECOidData * oidData;
-
-    oidData = SECOID_FindOID (extenOid);
-    if (oidData == (SECOidData *)NULL)
-	return (PR_FALSE);
-    return ((oidData->supportedExtension == SUPPORTED_CERT_EXTENSION) ?
-            PR_TRUE : PR_FALSE);
-}
-
-
-const char *
-SECOID_FindOIDTagDescription(SECOidTag tagnum)
-{
-  const SECOidData *oidData = SECOID_FindOIDByTag(tagnum);
-  return oidData ? oidData->desc : 0;
-}
-
-/*
- * free up the oid tables.
- */
-SECStatus
-SECOID_Shutdown(void)
-{
-    if (oidhash) {
-	PL_HashTableDestroy(oidhash);
-	oidhash = NULL;
-    }
-    if (oidmechhash) {
-	PL_HashTableDestroy(oidmechhash);
-	oidmechhash = NULL;
-    }
-    /* Have to handle the case where the lock was created, but
-    ** the pool wasn't. 
-    ** I'm not going to attempt to create the lock, just to protect
-    ** the destruction of data the probably isn't inisialized anyway.
-    */
-    if (dynOidLock) {
-	NSSRWLock_LockWrite(dynOidLock);
-	if (dynOidHash) {
-	    PL_HashTableDestroy(dynOidHash);
-	    dynOidHash = NULL;
-	}
-	if (dynOidPool) {
-	    PORT_FreeArena(dynOidPool, PR_FALSE);
-	    dynOidPool = NULL;
-	}
-	if (dynOidTable) {
-	    PORT_Free(dynOidTable);
-	    dynOidTable = NULL;
-	}
-	dynOidEntriesAllocated = 0;
-	dynOidEntriesUsed = 0;
-
-	NSSRWLock_UnlockWrite(dynOidLock);
-	NSSRWLock_Destroy(dynOidLock);
-	dynOidLock = NULL;
-    } else {
-    	/* Since dynOidLock doesn't exist, then all the data it protects
-	** should be uninitialized.  We'll check that (in DEBUG builds),
-	** and then make sure it is so, in case NSS is reinitialized.
-	*/
-	PORT_Assert(!dynOidHash && !dynOidPool && !dynOidTable && \
-	            !dynOidEntriesAllocated && !dynOidEntriesUsed);
-	dynOidHash = NULL;
-	dynOidPool = NULL;
-	dynOidTable = NULL;
-	dynOidEntriesAllocated = 0;
-	dynOidEntriesUsed = 0;
-    }
-    return SECSuccess;
-}
diff --git a/security/nss/lib/util/secoid.h b/security/nss/lib/util/secoid.h
deleted file mode 100644
index 15313f0fa..000000000
--- a/security/nss/lib/util/secoid.h
+++ /dev/null
@@ -1,129 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef _SECOID_H_
-#define _SECOID_H_
-/*
- * secoid.h - public data structures and prototypes for ASN.1 OID functions
- *
- * $Id$
- */
-
-#include "plarena.h"
-
-#include "seccomon.h"
-#include "secoidt.h"
-#include "secasn1t.h"
-
-SEC_BEGIN_PROTOS
-
-extern const SEC_ASN1Template SECOID_AlgorithmIDTemplate[];
-
-/* This functions simply returns the address of the above-declared template. */
-SEC_ASN1_CHOOSER_DECLARE(SECOID_AlgorithmIDTemplate)
-
-/*
- * OID handling routines
- */
-extern SECOidData *SECOID_FindOID( const SECItem *oid);
-extern SECOidTag SECOID_FindOIDTag(const SECItem *oid);
-extern SECOidData *SECOID_FindOIDByTag(SECOidTag tagnum);
-extern SECOidData *SECOID_FindOIDByMechanism(unsigned long mechanism);
-
-/****************************************/
-/*
-** Algorithm id handling operations
-*/
-
-/*
-** Fill in an algorithm-ID object given a tag and some parameters.
-** 	"aid" where the DER encoded algorithm info is stored (memory
-**	   is allocated)
-**	"tag" the tag number defining the algorithm 
-**	"params" if not NULL, the parameters to go with the algorithm
-*/
-extern SECStatus SECOID_SetAlgorithmID(PRArenaPool *arena, SECAlgorithmID *aid,
-				   SECOidTag tag, SECItem *params);
-
-/*
-** Copy the "src" object to "dest". Memory is allocated in "dest" for
-** each of the appropriate sub-objects. Memory in "dest" is not freed
-** before memory is allocated (use SECOID_DestroyAlgorithmID(dest, PR_FALSE)
-** to do that).
-*/
-extern SECStatus SECOID_CopyAlgorithmID(PRArenaPool *arena, SECAlgorithmID *dest,
-				    SECAlgorithmID *src);
-
-/*
-** Get the tag number for the given algorithm-id object.
-*/
-extern SECOidTag SECOID_GetAlgorithmTag(SECAlgorithmID *aid);
-
-/*
-** Destroy an algorithm-id object.
-**	"aid" the certificate-request to destroy
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
-*/
-extern void SECOID_DestroyAlgorithmID(SECAlgorithmID *aid, PRBool freeit);
-
-/*
-** Compare two algorithm-id objects, returning the difference between
-** them.
-*/
-extern SECComparison SECOID_CompareAlgorithmID(SECAlgorithmID *a,
-					   SECAlgorithmID *b);
-
-extern PRBool SECOID_KnownCertExtenOID (SECItem *extenOid);
-
-/* Given a tag number, return a string describing it.
- */
-extern const char *SECOID_FindOIDTagDescription(SECOidTag tagnum);
-
-/* Add a dynamic SECOidData to the dynamic OID table.
-** Routine copies the src entry, and returns the new SECOidTag.
-** Returns SEC_OID_INVALID if failed to add for some reason.
-*/
-extern SECOidTag SECOID_AddEntry(const SECOidData * src);
-
-/*
- * free up the oid data structures.
- */
-extern SECStatus SECOID_Shutdown(void);
-
-
-SEC_END_PROTOS
-
-#endif /* _SECOID_H_ */
diff --git a/security/nss/lib/util/secoidt.h b/security/nss/lib/util/secoidt.h
deleted file mode 100644
index e1072c5bb..000000000
--- a/security/nss/lib/util/secoidt.h
+++ /dev/null
@@ -1,432 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef _SECOIDT_H_
-#define _SECOIDT_H_
-/*
- * secoidt.h - public data structures for ASN.1 OID functions
- *
- * $Id$
- */
-
-#include "secitem.h"
-
-typedef struct SECOidDataStr SECOidData;
-typedef struct SECAlgorithmIDStr SECAlgorithmID;
-
-/*
-** An X.500 algorithm identifier
-*/
-struct SECAlgorithmIDStr {
-    SECItem algorithm;
-    SECItem parameters;
-};
-
-/*
- * Misc object IDs - these numbers are for convenient handling.
- * They are mapped into real object IDs
- *
- * NOTE: the order of these entries must mach the array "oids" of SECOidData
- * in util/secoid.c.
- */
-typedef enum {
-    SEC_OID_UNKNOWN = 0,
-    SEC_OID_MD2 = 1,
-    SEC_OID_MD4 = 2,
-    SEC_OID_MD5 = 3,
-    SEC_OID_SHA1 = 4,
-    SEC_OID_RC2_CBC = 5,
-    SEC_OID_RC4 = 6,
-    SEC_OID_DES_EDE3_CBC = 7,
-    SEC_OID_RC5_CBC_PAD = 8,
-    SEC_OID_DES_ECB = 9,
-    SEC_OID_DES_CBC = 10,
-    SEC_OID_DES_OFB = 11,
-    SEC_OID_DES_CFB = 12,
-    SEC_OID_DES_MAC = 13,
-    SEC_OID_DES_EDE = 14,
-    SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE = 15,
-    SEC_OID_PKCS1_RSA_ENCRYPTION = 16,
-    SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION = 17,
-    SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION = 18,
-    SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION = 19,
-    SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION = 20,
-    SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC = 21,
-    SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC = 22,
-    SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC = 23,
-    SEC_OID_PKCS7 = 24,
-    SEC_OID_PKCS7_DATA = 25,
-    SEC_OID_PKCS7_SIGNED_DATA = 26,
-    SEC_OID_PKCS7_ENVELOPED_DATA = 27,
-    SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA = 28,
-    SEC_OID_PKCS7_DIGESTED_DATA = 29,
-    SEC_OID_PKCS7_ENCRYPTED_DATA = 30,
-    SEC_OID_PKCS9_EMAIL_ADDRESS = 31,
-    SEC_OID_PKCS9_UNSTRUCTURED_NAME = 32,
-    SEC_OID_PKCS9_CONTENT_TYPE = 33,
-    SEC_OID_PKCS9_MESSAGE_DIGEST = 34,
-    SEC_OID_PKCS9_SIGNING_TIME = 35,
-    SEC_OID_PKCS9_COUNTER_SIGNATURE = 36,
-    SEC_OID_PKCS9_CHALLENGE_PASSWORD = 37,
-    SEC_OID_PKCS9_UNSTRUCTURED_ADDRESS = 38,
-    SEC_OID_PKCS9_EXTENDED_CERTIFICATE_ATTRIBUTES = 39,
-    SEC_OID_PKCS9_SMIME_CAPABILITIES = 40,
-    SEC_OID_AVA_COMMON_NAME = 41,
-    SEC_OID_AVA_COUNTRY_NAME = 42,
-    SEC_OID_AVA_LOCALITY = 43,
-    SEC_OID_AVA_STATE_OR_PROVINCE = 44,
-    SEC_OID_AVA_ORGANIZATION_NAME = 45,
-    SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME = 46,
-    SEC_OID_AVA_DN_QUALIFIER = 47,
-    SEC_OID_AVA_DC = 48,
-
-    SEC_OID_NS_TYPE_GIF = 49,
-    SEC_OID_NS_TYPE_JPEG = 50,
-    SEC_OID_NS_TYPE_URL = 51,
-    SEC_OID_NS_TYPE_HTML = 52,
-    SEC_OID_NS_TYPE_CERT_SEQUENCE = 53,
-    SEC_OID_MISSI_KEA_DSS_OLD = 54,
-    SEC_OID_MISSI_DSS_OLD = 55,
-    SEC_OID_MISSI_KEA_DSS = 56,
-    SEC_OID_MISSI_DSS = 57,
-    SEC_OID_MISSI_KEA = 58,
-    SEC_OID_MISSI_ALT_KEA = 59,
-
-    /* Netscape private certificate extensions */
-    SEC_OID_NS_CERT_EXT_NETSCAPE_OK = 60,
-    SEC_OID_NS_CERT_EXT_ISSUER_LOGO = 61,
-    SEC_OID_NS_CERT_EXT_SUBJECT_LOGO = 62,
-    SEC_OID_NS_CERT_EXT_CERT_TYPE = 63,
-    SEC_OID_NS_CERT_EXT_BASE_URL = 64,
-    SEC_OID_NS_CERT_EXT_REVOCATION_URL = 65,
-    SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL = 66,
-    SEC_OID_NS_CERT_EXT_CA_CRL_URL = 67,
-    SEC_OID_NS_CERT_EXT_CA_CERT_URL = 68,
-    SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL = 69,
-    SEC_OID_NS_CERT_EXT_CA_POLICY_URL = 70,
-    SEC_OID_NS_CERT_EXT_HOMEPAGE_URL = 71,
-    SEC_OID_NS_CERT_EXT_ENTITY_LOGO = 72,
-    SEC_OID_NS_CERT_EXT_USER_PICTURE = 73,
-    SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME = 74,
-    SEC_OID_NS_CERT_EXT_COMMENT = 75,
-    SEC_OID_NS_CERT_EXT_LOST_PASSWORD_URL = 76,
-    SEC_OID_NS_CERT_EXT_CERT_RENEWAL_TIME = 77,
-    SEC_OID_NS_KEY_USAGE_GOVT_APPROVED = 78,
-
-    /* x.509 v3 Extensions */
-    SEC_OID_X509_SUBJECT_DIRECTORY_ATTR = 79,
-    SEC_OID_X509_SUBJECT_KEY_ID = 80,
-    SEC_OID_X509_KEY_USAGE = 81,
-    SEC_OID_X509_PRIVATE_KEY_USAGE_PERIOD = 82,
-    SEC_OID_X509_SUBJECT_ALT_NAME = 83,
-    SEC_OID_X509_ISSUER_ALT_NAME = 84,
-    SEC_OID_X509_BASIC_CONSTRAINTS = 85,
-    SEC_OID_X509_NAME_CONSTRAINTS = 86,
-    SEC_OID_X509_CRL_DIST_POINTS = 87,
-    SEC_OID_X509_CERTIFICATE_POLICIES = 88,
-    SEC_OID_X509_POLICY_MAPPINGS = 89,
-    SEC_OID_X509_POLICY_CONSTRAINTS = 90,
-    SEC_OID_X509_AUTH_KEY_ID = 91,
-    SEC_OID_X509_EXT_KEY_USAGE = 92,
-    SEC_OID_X509_AUTH_INFO_ACCESS = 93,
-
-    SEC_OID_X509_CRL_NUMBER = 94,
-    SEC_OID_X509_REASON_CODE = 95,
-    SEC_OID_X509_INVALID_DATE = 96,
-    /* End of x.509 v3 Extensions */    
-
-    SEC_OID_X500_RSA_ENCRYPTION = 97,
-
-    /* alg 1485 additions */
-    SEC_OID_RFC1274_UID = 98,
-    SEC_OID_RFC1274_MAIL = 99,
-
-    /* PKCS 12 additions */
-    SEC_OID_PKCS12 = 100,
-    SEC_OID_PKCS12_MODE_IDS = 101,
-    SEC_OID_PKCS12_ESPVK_IDS = 102,
-    SEC_OID_PKCS12_BAG_IDS = 103,
-    SEC_OID_PKCS12_CERT_BAG_IDS = 104,
-    SEC_OID_PKCS12_OIDS = 105,
-    SEC_OID_PKCS12_PBE_IDS = 106,
-    SEC_OID_PKCS12_SIGNATURE_IDS = 107,
-    SEC_OID_PKCS12_ENVELOPING_IDS = 108,
-   /* SEC_OID_PKCS12_OFFLINE_TRANSPORT_MODE,
-    SEC_OID_PKCS12_ONLINE_TRANSPORT_MODE, */
-    SEC_OID_PKCS12_PKCS8_KEY_SHROUDING = 109,
-    SEC_OID_PKCS12_KEY_BAG_ID = 110,
-    SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID = 111,
-    SEC_OID_PKCS12_SECRET_BAG_ID = 112,
-    SEC_OID_PKCS12_X509_CERT_CRL_BAG = 113,
-    SEC_OID_PKCS12_SDSI_CERT_BAG = 114,
-    SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4 = 115,
-    SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4 = 116,
-    SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC = 117,
-    SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC = 118,
-    SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC = 119,
-    SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_128_BIT_RC4 = 120,
-    SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_40_BIT_RC4 = 121,
-    SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_TRIPLE_DES = 122,
-    SEC_OID_PKCS12_RSA_SIGNATURE_WITH_SHA1_DIGEST = 123,
-    /* end of PKCS 12 additions */
-
-    /* DSA signatures */
-    SEC_OID_ANSIX9_DSA_SIGNATURE = 124,
-    SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST = 125,
-    SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST = 126,
-
-    /* Verisign OIDs */
-    SEC_OID_VERISIGN_USER_NOTICES = 127,
-
-    /* PKIX OIDs */
-    SEC_OID_PKIX_CPS_POINTER_QUALIFIER = 128,
-    SEC_OID_PKIX_USER_NOTICE_QUALIFIER = 129,
-    SEC_OID_PKIX_OCSP = 130,
-    SEC_OID_PKIX_OCSP_BASIC_RESPONSE = 131,
-    SEC_OID_PKIX_OCSP_NONCE = 132,
-    SEC_OID_PKIX_OCSP_CRL = 133,
-    SEC_OID_PKIX_OCSP_RESPONSE = 134,
-    SEC_OID_PKIX_OCSP_NO_CHECK = 135,
-    SEC_OID_PKIX_OCSP_ARCHIVE_CUTOFF = 136,
-    SEC_OID_PKIX_OCSP_SERVICE_LOCATOR = 137,
-    SEC_OID_PKIX_REGCTRL_REGTOKEN = 138,
-    SEC_OID_PKIX_REGCTRL_AUTHENTICATOR = 139,
-    SEC_OID_PKIX_REGCTRL_PKIPUBINFO = 140,
-    SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS = 141,
-    SEC_OID_PKIX_REGCTRL_OLD_CERT_ID = 142,
-    SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY = 143,
-    SEC_OID_PKIX_REGINFO_UTF8_PAIRS = 144,
-    SEC_OID_PKIX_REGINFO_CERT_REQUEST = 145,
-    SEC_OID_EXT_KEY_USAGE_SERVER_AUTH = 146,
-    SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH = 147,
-    SEC_OID_EXT_KEY_USAGE_CODE_SIGN = 148,
-    SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT = 149,
-    SEC_OID_EXT_KEY_USAGE_TIME_STAMP = 150,
-    SEC_OID_OCSP_RESPONDER = 151,
-
-    /* Netscape Algorithm OIDs */
-    SEC_OID_NETSCAPE_SMIME_KEA = 152,
-
-    /* Skipjack OID -- ### mwelch temporary */
-    SEC_OID_FORTEZZA_SKIPJACK = 153,
-
-    /* PKCS 12 V2 oids */
-    SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4 = 154,
-    SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4 = 155,
-    SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC = 156,
-    SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC = 157,
-    SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC = 158,
-    SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC = 159,
-    SEC_OID_PKCS12_SAFE_CONTENTS_ID = 160,
-    SEC_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG_ID = 161,
-
-    SEC_OID_PKCS12_V1_KEY_BAG_ID = 162,
-    SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID = 163,
-    SEC_OID_PKCS12_V1_CERT_BAG_ID = 164,
-    SEC_OID_PKCS12_V1_CRL_BAG_ID = 165,
-    SEC_OID_PKCS12_V1_SECRET_BAG_ID = 166,
-    SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID = 167,
-    SEC_OID_PKCS9_X509_CERT = 168,
-    SEC_OID_PKCS9_SDSI_CERT = 169,
-    SEC_OID_PKCS9_X509_CRL = 170,
-    SEC_OID_PKCS9_FRIENDLY_NAME = 171,
-    SEC_OID_PKCS9_LOCAL_KEY_ID = 172,
-    SEC_OID_PKCS12_KEY_USAGE = 173,
-
-    /*Diffe Helman OIDS */
-    SEC_OID_X942_DIFFIE_HELMAN_KEY = 174,
-
-    /* Netscape other name types */
-    SEC_OID_NETSCAPE_NICKNAME = 175,
-
-    /* Cert Server OIDS */
-    SEC_OID_NETSCAPE_RECOVERY_REQUEST = 176,
-
-    /* New PSM certificate management OIDs */
-    SEC_OID_CERT_RENEWAL_LOCATOR = 177,
-    SEC_OID_NS_CERT_EXT_SCOPE_OF_USE = 178,
-    
-    /* CMS (RFC2630) OIDs */
-    SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN = 179,
-    SEC_OID_CMS_3DES_KEY_WRAP = 180,
-    SEC_OID_CMS_RC2_KEY_WRAP = 181,
-
-    /* SMIME attributes */
-    SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE = 182,
-
-    /* AES OIDs */
-    SEC_OID_AES_128_ECB 	= 183,
-    SEC_OID_AES_128_CBC 	= 184,
-    SEC_OID_AES_192_ECB 	= 185,
-    SEC_OID_AES_192_CBC 	= 186,
-    SEC_OID_AES_256_ECB 	= 187,
-    SEC_OID_AES_256_CBC 	= 188,
-
-    SEC_OID_SDN702_DSA_SIGNATURE = 189,
-
-    SEC_OID_MS_SMIME_ENCRYPTION_KEY_PREFERENCE = 190,
-
-    SEC_OID_SHA256              = 191,
-    SEC_OID_SHA384              = 192,
-    SEC_OID_SHA512              = 193,
-
-    SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION = 194,
-    SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION = 195,
-    SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION = 196,
-
-    SEC_OID_AES_128_KEY_WRAP	= 197,
-    SEC_OID_AES_192_KEY_WRAP	= 198,
-    SEC_OID_AES_256_KEY_WRAP	= 199,
-
-    /* Elliptic Curve Cryptography (ECC) OIDs */
-    SEC_OID_ANSIX962_EC_PUBLIC_KEY  = 200,
-    SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST = 201,
-
-    /* ANSI X9.62 named elliptic curves (prime field) */
-    SEC_OID_ANSIX962_EC_PRIME192V1  = 202,
-    SEC_OID_ANSIX962_EC_PRIME192V2  = 203,
-    SEC_OID_ANSIX962_EC_PRIME192V3  = 204,
-    SEC_OID_ANSIX962_EC_PRIME239V1  = 205,
-    SEC_OID_ANSIX962_EC_PRIME239V2  = 206,
-    SEC_OID_ANSIX962_EC_PRIME239V3  = 207,
-    SEC_OID_ANSIX962_EC_PRIME256V1  = 208,
-
-    /* SECG named elliptic curves (prime field) */
-    SEC_OID_SECG_EC_SECP112R1       = 209,
-    SEC_OID_SECG_EC_SECP112R2       = 210,
-    SEC_OID_SECG_EC_SECP128R1       = 211,
-    SEC_OID_SECG_EC_SECP128R2       = 212,
-    SEC_OID_SECG_EC_SECP160K1       = 213,
-    SEC_OID_SECG_EC_SECP160R1       = 214, 
-    SEC_OID_SECG_EC_SECP160R2       = 215,
-    SEC_OID_SECG_EC_SECP192K1       = 216,
-    /* SEC_OID_SECG_EC_SECP192R1 is SEC_OID_ANSIX962_EC_PRIME192V1 */
-    SEC_OID_SECG_EC_SECP224K1       = 217,
-    SEC_OID_SECG_EC_SECP224R1       = 218,
-    SEC_OID_SECG_EC_SECP256K1       = 219,
-    /* SEC_OID_SECG_EC_SECP256R1 is SEC_OID_ANSIX962_EC_PRIME256V1 */
-    SEC_OID_SECG_EC_SECP384R1       = 220,
-    SEC_OID_SECG_EC_SECP521R1       = 221,
-
-    /* ANSI X9.62 named elliptic curves (characteristic two field) */
-    SEC_OID_ANSIX962_EC_C2PNB163V1  = 222,
-    SEC_OID_ANSIX962_EC_C2PNB163V2  = 223,
-    SEC_OID_ANSIX962_EC_C2PNB163V3  = 224,
-    SEC_OID_ANSIX962_EC_C2PNB176V1  = 225,
-    SEC_OID_ANSIX962_EC_C2TNB191V1  = 226,
-    SEC_OID_ANSIX962_EC_C2TNB191V2  = 227,
-    SEC_OID_ANSIX962_EC_C2TNB191V3  = 228,
-    SEC_OID_ANSIX962_EC_C2ONB191V4  = 229,
-    SEC_OID_ANSIX962_EC_C2ONB191V5  = 230,
-    SEC_OID_ANSIX962_EC_C2PNB208W1  = 231,
-    SEC_OID_ANSIX962_EC_C2TNB239V1  = 232,
-    SEC_OID_ANSIX962_EC_C2TNB239V2  = 233,
-    SEC_OID_ANSIX962_EC_C2TNB239V3  = 234,
-    SEC_OID_ANSIX962_EC_C2ONB239V4  = 235,
-    SEC_OID_ANSIX962_EC_C2ONB239V5  = 236,
-    SEC_OID_ANSIX962_EC_C2PNB272W1  = 237,
-    SEC_OID_ANSIX962_EC_C2PNB304W1  = 238,
-    SEC_OID_ANSIX962_EC_C2TNB359V1  = 239,
-    SEC_OID_ANSIX962_EC_C2PNB368W1  = 240,
-    SEC_OID_ANSIX962_EC_C2TNB431R1  = 241,
-
-    /* SECG named elliptic curves (characteristic two field) */
-    SEC_OID_SECG_EC_SECT113R1       = 242,
-    SEC_OID_SECG_EC_SECT113R2       = 243,
-    SEC_OID_SECG_EC_SECT131R1       = 244,
-    SEC_OID_SECG_EC_SECT131R2       = 245,
-    SEC_OID_SECG_EC_SECT163K1       = 246,
-    SEC_OID_SECG_EC_SECT163R1       = 247,
-    SEC_OID_SECG_EC_SECT163R2       = 248,
-    SEC_OID_SECG_EC_SECT193R1       = 249,
-    SEC_OID_SECG_EC_SECT193R2       = 250,
-    SEC_OID_SECG_EC_SECT233K1       = 251,
-    SEC_OID_SECG_EC_SECT233R1       = 252,
-    SEC_OID_SECG_EC_SECT239K1       = 253,
-    SEC_OID_SECG_EC_SECT283K1       = 254,
-    SEC_OID_SECG_EC_SECT283R1       = 255,
-    SEC_OID_SECG_EC_SECT409K1       = 256,
-    SEC_OID_SECG_EC_SECT409R1       = 257,
-    SEC_OID_SECG_EC_SECT571K1       = 258,
-    SEC_OID_SECG_EC_SECT571R1       = 259,
-
-    SEC_OID_NETSCAPE_AOLSCREENNAME  = 260,
-
-    SEC_OID_AVA_SURNAME              = 261,
-    SEC_OID_AVA_SERIAL_NUMBER        = 262,
-    SEC_OID_AVA_STREET_ADDRESS       = 263,
-    SEC_OID_AVA_TITLE                = 264,
-    SEC_OID_AVA_POSTAL_ADDRESS       = 265,
-    SEC_OID_AVA_POSTAL_CODE          = 266,
-    SEC_OID_AVA_POST_OFFICE_BOX      = 267,
-    SEC_OID_AVA_GIVEN_NAME           = 268,
-    SEC_OID_AVA_INITIALS             = 269,
-    SEC_OID_AVA_GENERATION_QUALIFIER = 270,
-    SEC_OID_AVA_HOUSE_IDENTIFIER     = 271,
-    SEC_OID_AVA_PSEUDONYM            = 272,
-
-    /* More OIDs */
-    SEC_OID_PKIX_CA_ISSUERS          = 273,
-    SEC_OID_PKCS9_EXTENSION_REQUEST  = 274,
-
-    SEC_OID_TOTAL
-} SECOidTag;
-
-#define SEC_OID_SECG_EC_SECP192R1 SEC_OID_ANSIX962_EC_PRIME192V1
-#define SEC_OID_SECG_EC_SECP256R1 SEC_OID_ANSIX962_EC_PRIME256V1
-
-/* fake OID for DSS sign/verify */
-#define SEC_OID_SHA SEC_OID_MISS_DSS
-
-typedef enum {
-    INVALID_CERT_EXTENSION = 0,
-    UNSUPPORTED_CERT_EXTENSION = 1,
-    SUPPORTED_CERT_EXTENSION = 2
-} SECSupportExtenTag;
-
-struct SECOidDataStr {
-    SECItem            oid;
-    SECOidTag          offset;
-    const char *       desc;
-    unsigned long      mechanism;
-    SECSupportExtenTag supportedExtension;	
-    				/* only used for x.509 v3 extensions, so
-				   that we can print the names of those
-				   extensions that we don't even support */
-};
-
-#endif /* _SECOIDT_H_ */
diff --git a/security/nss/lib/util/secplcy.c b/security/nss/lib/util/secplcy.c
deleted file mode 100644
index f2b66fb53..000000000
--- a/security/nss/lib/util/secplcy.c
+++ /dev/null
@@ -1,117 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "secplcy.h"
-#include "prmem.h"
-
-SECCipherFind *sec_CipherFindInit(PRBool onlyAllowed,
-				  secCPStruct *policy,
-				  long *ciphers)
-{
-  SECCipherFind *find = PR_NEWZAP(SECCipherFind);
-  if (find)
-    {
-      find->policy = policy;
-      find->ciphers = ciphers;
-      find->onlyAllowed = onlyAllowed;
-      find->index = -1;
-    }
-  return find;
-}
-
-long sec_CipherFindNext(SECCipherFind *find)
-{
-  char *policy;
-  long rv = -1;
-  secCPStruct *policies = (secCPStruct *) find->policy;
-  long *ciphers = (long *) find->ciphers;
-  long numCiphers = policies->num_ciphers;
-
-  find->index++;
-  while((find->index < numCiphers) && (rv == -1))
-    {
-      /* Translate index to cipher. */
-      rv = ciphers[find->index];
-
-      /* If we're only looking for allowed ciphers, and if this
-	 cipher isn't allowed, loop around.*/
-      if (find->onlyAllowed)
-	{
-	  /* Find the appropriate policy flag. */
-	  policy = (&(policies->begin_ciphers)) + find->index + 1;
-
-	  /* If this cipher isn't allowed by policy, continue. */
-	  if (! (*policy))
-	    {
-	      rv = -1;
-	      find->index++;
-	    }
-	}
-    }
-
-  return rv;
-}
-
-char sec_IsCipherAllowed(long cipher, secCPStruct *policies,
-			 long *ciphers)
-{
-  char result = SEC_CIPHER_NOT_ALLOWED; /* our default answer */
-  long numCiphers = policies->num_ciphers;
-  char *policy;
-  int i;
-  
-  /* Convert the cipher number into a policy flag location. */
-  for (i=0, policy=(&(policies->begin_ciphers) + 1);
-       i<numCiphers;
-       i++, policy++)
-    {
-      if (cipher == ciphers[i])
-	break;
-    }
-
-  if (i < numCiphers)
-    {
-      /* Found the cipher, get the policy value. */
-      result = *policy;
-    }
-
-  return result;
-}
-
-void sec_CipherFindEnd(SECCipherFind *find)
-{
-  PR_FREEIF(find);
-}
diff --git a/security/nss/lib/util/secplcy.h b/security/nss/lib/util/secplcy.h
deleted file mode 100644
index 2e1e70c24..000000000
--- a/security/nss/lib/util/secplcy.h
+++ /dev/null
@@ -1,136 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef __secplcy_h__
-#define __secplcy_h__
-
-#include "prtypes.h"
-
-/*
-** Cipher policy enforcement. This code isn't very pretty, but it accomplishes
-** the purpose of obscuring policy information from potential fortifiers. :-)
-**
-** The following routines are generic and intended for anywhere where cipher
-** policy enforcement is to be done, e.g. SSL and PKCS7&12.
-*/
-
-#define SEC_CIPHER_NOT_ALLOWED 0
-#define SEC_CIPHER_ALLOWED 1
-#define SEC_CIPHER_RESTRICTED 2 /* cipher is allowed in limited cases 
-				   e.g. step-up */
-
-/* The length of the header string for each cipher table. 
-   (It's the same regardless of whether we're using md5 strings or not.) */
-#define SEC_POLICY_HEADER_LENGTH 48
-
-/* If we're testing policy stuff, we may want to use the plaintext version */
-#define SEC_POLICY_USE_MD5_STRINGS 1
-
-#define SEC_POLICY_THIS_IS_THE \
-    "\x2a\x3a\x51\xbf\x2f\x71\xb7\x73\xaa\xca\x6b\x57\x70\xcd\xc8\x9f"
-#define SEC_POLICY_STRING_FOR_THE \
-    "\x97\x15\xe2\x70\xd2\x8a\xde\xa9\xe7\xa7\x6a\xe2\x83\xe5\xb1\xf6"
-#define SEC_POLICY_SSL_TAIL \
-    "\x70\x16\x25\xc0\x2a\xb2\x4a\xca\xb6\x67\xb1\x89\x20\xdf\x87\xca"
-#define SEC_POLICY_SMIME_TAIL \
-    "\xdf\xd4\xe7\x2a\xeb\xc4\x1b\xb5\xd8\xe5\xe0\x2a\x16\x9f\xc4\xb9"
-#define SEC_POLICY_PKCS12_TAIL \
-    "\x1c\xf8\xa4\x85\x4a\xc6\x8a\xfe\xe6\xca\x03\x72\x50\x1c\xe2\xc8"
-
-#if defined(SEC_POLICY_USE_MD5_STRINGS)
-
-/* We're not testing. 
-   Use md5 checksums of the strings. */
-
-#define SEC_POLICY_SSL_HEADER \
-    SEC_POLICY_THIS_IS_THE SEC_POLICY_STRING_FOR_THE SEC_POLICY_SSL_TAIL
-
-#define SEC_POLICY_SMIME_HEADER \
-    SEC_POLICY_THIS_IS_THE SEC_POLICY_STRING_FOR_THE SEC_POLICY_SMIME_TAIL
-
-#define SEC_POLICY_PKCS12_HEADER \
-    SEC_POLICY_THIS_IS_THE SEC_POLICY_STRING_FOR_THE SEC_POLICY_PKCS12_TAIL
-
-#else
-
-/* We're testing. 
-   Use plaintext versions of the strings, for testing purposes. */
-#define SEC_POLICY_SSL_HEADER \
-    "This is the string for the SSL policy table.    "
-#define SEC_POLICY_SMIME_HEADER \
-    "This is the string for the PKCS7 policy table.  "
-#define SEC_POLICY_PKCS12_HEADER \
-    "This is the string for the PKCS12 policy table. "
-
-#endif
-
-/* Local cipher tables have to have these members at the top. */
-typedef struct _sec_cp_struct
-{
-  char policy_string[SEC_POLICY_HEADER_LENGTH];
-  long unused; /* placeholder for max keybits in pkcs12 struct */
-  char num_ciphers;
-  char begin_ciphers;
-  /* cipher policy settings follow. each is a char. */
-} secCPStruct;
-
-struct SECCipherFindStr
-{
-  /* (policy) and (ciphers) are opaque to the outside world */
-  void *policy;
-  void *ciphers;
-  long index;
-  PRBool onlyAllowed;
-};
-
-typedef struct SECCipherFindStr SECCipherFind;
-
-SEC_BEGIN_PROTOS
-
-SECCipherFind *sec_CipherFindInit(PRBool onlyAllowed,
-				  secCPStruct *policy,
-				  long *ciphers);
-
-long sec_CipherFindNext(SECCipherFind *find);
-
-char sec_IsCipherAllowed(long cipher, secCPStruct *policies,
-			 long *ciphers);
-
-void sec_CipherFindEnd(SECCipherFind *find);
-
-SEC_END_PROTOS
-
-#endif /* __SECPLCY_H__ */
diff --git a/security/nss/lib/util/secport.c b/security/nss/lib/util/secport.c
deleted file mode 100644
index 4ad02ba91..000000000
--- a/security/nss/lib/util/secport.c
+++ /dev/null
@@ -1,607 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * secport.c - portability interfaces for security libraries
- *
- * This file abstracts out libc functionality that libsec depends on
- * 
- * NOTE - These are not public interfaces
- *
- * $Id$
- */
-
-#include "seccomon.h"
-#include "prmem.h"
-#include "prerror.h"
-#include "plarena.h"
-#include "secerr.h"
-#include "prmon.h"
-#include "nsslocks.h"
-#include "secport.h"
-#include "prvrsion.h"
-#include "prenv.h"
-
-#ifdef DEBUG
-#define THREADMARK
-#endif /* DEBUG */
-
-#ifdef THREADMARK
-#include "prthread.h"
-#endif /* THREADMARK */
-
-#if defined(XP_UNIX) || defined(XP_MAC) || defined(XP_OS2) || defined(XP_BEOS)
-#include <stdlib.h>
-#else
-#include "wtypes.h"
-#endif
-
-#define SET_ERROR_CODE	/* place holder for code to set PR error code. */
-
-#ifdef THREADMARK
-typedef struct threadmark_mark_str {
-  struct threadmark_mark_str *next;
-  void *mark;
-} threadmark_mark;
-
-#endif /* THREADMARK */
-
-/* The value of this magic must change each time PORTArenaPool changes. */
-#define ARENAPOOL_MAGIC 0xB8AC9BDF 
-
-typedef struct PORTArenaPool_str {
-  PLArenaPool arena;
-  PRUint32    magic;
-  PRLock *    lock;
-#ifdef THREADMARK
-  PRThread *marking_thread;
-  threadmark_mark *first_mark;
-#endif
-} PORTArenaPool;
-
-
-/* count of allocation failures. */
-unsigned long port_allocFailures;
-
-/* locations for registering Unicode conversion functions.  
- * XXX is this the appropriate location?  or should they be
- *     moved to client/server specific locations?
- */
-PORTCharConversionFunc ucs4Utf8ConvertFunc;
-PORTCharConversionFunc ucs2Utf8ConvertFunc;
-PORTCharConversionWSwapFunc  ucs2AsciiConvertFunc;
-
-void *
-PORT_Alloc(size_t bytes)
-{
-    void *rv;
-
-    /* Always allocate a non-zero amount of bytes */
-    rv = (void *)PR_Malloc(bytes ? bytes : 1);
-    if (!rv) {
-	++port_allocFailures;
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-    }
-    return rv;
-}
-
-void *
-PORT_Realloc(void *oldptr, size_t bytes)
-{
-    void *rv;
-
-    rv = (void *)PR_Realloc(oldptr, bytes);
-    if (!rv) {
-	++port_allocFailures;
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-    }
-    return rv;
-}
-
-void *
-PORT_ZAlloc(size_t bytes)
-{
-    void *rv;
-
-    /* Always allocate a non-zero amount of bytes */
-    rv = (void *)PR_Calloc(1, bytes ? bytes : 1);
-    if (!rv) {
-	++port_allocFailures;
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-    }
-    return rv;
-}
-
-void
-PORT_Free(void *ptr)
-{
-    if (ptr) {
-	PR_Free(ptr);
-    }
-}
-
-void
-PORT_ZFree(void *ptr, size_t len)
-{
-    if (ptr) {
-	memset(ptr, 0, len);
-	PR_Free(ptr);
-    }
-}
-
-char *
-PORT_Strdup(const char *str)
-{
-    size_t len = PORT_Strlen(str)+1;
-    char *newstr;
-
-    newstr = (char *)PORT_Alloc(len);
-    if (newstr) {
-        PORT_Memcpy(newstr, str, len);
-    }
-    return newstr;
-}
-
-void
-PORT_SetError(int value)
-{	
-    PR_SetError(value, 0);
-    return;
-}
-
-int
-PORT_GetError(void)
-{
-    return(PR_GetError());
-}
-
-/********************* Arena code follows *****************************/
-
-PLArenaPool *
-PORT_NewArena(unsigned long chunksize)
-{
-    PORTArenaPool *pool;
-    
-    pool = PORT_ZNew(PORTArenaPool);
-    if (!pool) {
-	return NULL;
-    }
-    pool->magic = ARENAPOOL_MAGIC;
-    pool->lock = PZ_NewLock(nssILockArena);
-    if (!pool->lock) {
-	++port_allocFailures;
-	PORT_Free(pool);
-	return NULL;
-    }
-    PL_InitArenaPool(&pool->arena, "security", chunksize, sizeof(double));
-    return(&pool->arena);
-}
-
-#define MAX_SIZE 0x7fffffffUL
-
-void *
-PORT_ArenaAlloc(PLArenaPool *arena, size_t size)
-{
-    void *p = NULL;
-
-    PORTArenaPool *pool = (PORTArenaPool *)arena;
-
-    if (size <= 0) {
-	size = 1;
-    }
-
-    if (size > MAX_SIZE) {
-	/* you lose. */
-    } else 
-    /* Is it one of ours?  Assume so and check the magic */
-    if (ARENAPOOL_MAGIC == pool->magic ) {
-	PZ_Lock(pool->lock);
-#ifdef THREADMARK
-        /* Most likely one of ours.  Is there a thread id? */
-	if (pool->marking_thread  &&
-	    pool->marking_thread != PR_GetCurrentThread() ) {
-	    /* Another thread holds a mark in this arena */
-	    PZ_Unlock(pool->lock);
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    PORT_Assert(0);
-	    return NULL;
-	} /* tid != null */
-#endif /* THREADMARK */
-	PL_ARENA_ALLOCATE(p, arena, size);
-	PZ_Unlock(pool->lock);
-    } else {
-	PL_ARENA_ALLOCATE(p, arena, size);
-    }
-
-    if (!p) {
-	++port_allocFailures;
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-    }
-
-    return(p);
-}
-
-void *
-PORT_ArenaZAlloc(PLArenaPool *arena, size_t size)
-{
-    void *p;
-
-    if (size <= 0)
-        size = 1;
-
-    p = PORT_ArenaAlloc(arena, size);
-
-    if (p) {
-	PORT_Memset(p, 0, size);
-    }
-
-    return(p);
-}
-
-/* XXX - need to zeroize!! - jsw */
-void
-PORT_FreeArena(PLArenaPool *arena, PRBool zero)
-{
-    PORTArenaPool *pool = (PORTArenaPool *)arena;
-    PRLock *       lock = (PRLock *)0;
-    size_t         len  = sizeof *arena;
-    extern const PRVersionDescription * libVersionPoint(void);
-    static const PRVersionDescription * pvd;
-    static PRBool  doFreeArenaPool = PR_FALSE;
-
-    if (ARENAPOOL_MAGIC == pool->magic ) {
-	len  = sizeof *pool;
-	lock = pool->lock;
-	PZ_Lock(lock);
-    }
-    if (!pvd) {
-	/* Each of NSPR's DLLs has a function libVersionPoint().
-	** We could do a lot of extra work to be sure we're calling the
-	** one in the DLL that holds PR_FreeArenaPool, but instead we
-	** rely on the fact that ALL NSPR DLLs in the same directory
-	** must be from the same release, and we call which ever one we get. 
-	*/
-	/* no need for thread protection here */
-	pvd = libVersionPoint();
-	if ((pvd->vMajor > 4) || 
-	    (pvd->vMajor == 4 && pvd->vMinor > 1) ||
-	    (pvd->vMajor == 4 && pvd->vMinor == 1 && pvd->vPatch >= 1)) {
-	    const char *ev = PR_GetEnv("NSS_DISABLE_ARENA_FREE_LIST");
-	    if (!ev) doFreeArenaPool = PR_TRUE;
-	}
-    }
-    if (doFreeArenaPool) {
-	PL_FreeArenaPool(arena);
-    } else {
-	PL_FinishArenaPool(arena);
-    }
-    PORT_ZFree(arena, len);
-    if (lock) {
-	PZ_Unlock(lock);
-	PZ_DestroyLock(lock);
-    }
-}
-
-void *
-PORT_ArenaGrow(PLArenaPool *arena, void *ptr, size_t oldsize, size_t newsize)
-{
-    PORTArenaPool *pool = (PORTArenaPool *)arena;
-    PORT_Assert(newsize >= oldsize);
-    
-    if (ARENAPOOL_MAGIC == pool->magic ) {
-	PZ_Lock(pool->lock);
-	/* Do we do a THREADMARK check here? */
-	PL_ARENA_GROW(ptr, arena, oldsize, ( newsize - oldsize ) );
-	PZ_Unlock(pool->lock);
-    } else {
-	PL_ARENA_GROW(ptr, arena, oldsize, ( newsize - oldsize ) );
-    }
-    
-    return(ptr);
-}
-
-void *
-PORT_ArenaMark(PLArenaPool *arena)
-{
-    void * result;
-
-    PORTArenaPool *pool = (PORTArenaPool *)arena;
-    if (ARENAPOOL_MAGIC == pool->magic ) {
-	PZ_Lock(pool->lock);
-#ifdef THREADMARK
-	{
-	  threadmark_mark *tm, **pw;
-	  PRThread * currentThread = PR_GetCurrentThread();
-
-	    if (! pool->marking_thread ) {
-		/* First mark */
-		pool->marking_thread = currentThread;
-	    } else if (currentThread != pool->marking_thread ) {
-		PZ_Unlock(pool->lock);
-		PORT_SetError(SEC_ERROR_NO_MEMORY);
-		PORT_Assert(0);
-		return NULL;
-	    }
-
-	    result = PL_ARENA_MARK(arena);
-	    PL_ARENA_ALLOCATE(tm, arena, sizeof(threadmark_mark));
-	    if (!tm) {
-		PZ_Unlock(pool->lock);
-		PORT_SetError(SEC_ERROR_NO_MEMORY);
-		return NULL;
-	    }
-
-	    tm->mark = result;
-	    tm->next = (threadmark_mark *)NULL;
-
-	    pw = &pool->first_mark;
-	    while( *pw ) {
-		 pw = &(*pw)->next;
-	    }
-
-	    *pw = tm;
-	}
-#else /* THREADMARK */
-	result = PL_ARENA_MARK(arena);
-#endif /* THREADMARK */
-	PZ_Unlock(pool->lock);
-    } else {
-	/* a "pure" NSPR arena */
-	result = PL_ARENA_MARK(arena);
-    }
-    return result;
-}
-
-void
-PORT_ArenaRelease(PLArenaPool *arena, void *mark)
-{
-    PORTArenaPool *pool = (PORTArenaPool *)arena;
-    if (ARENAPOOL_MAGIC == pool->magic ) {
-	PZ_Lock(pool->lock);
-#ifdef THREADMARK
-	{
-	    threadmark_mark **pw, *tm;
-
-	    if (PR_GetCurrentThread() != pool->marking_thread ) {
-		PZ_Unlock(pool->lock);
-		PORT_SetError(SEC_ERROR_NO_MEMORY);
-		PORT_Assert(0);
-		return /* no error indication available */ ;
-	    }
-
-	    pw = &pool->first_mark;
-	    while( *pw && (mark != (*pw)->mark) ) {
-		pw = &(*pw)->next;
-	    }
-
-	    if (! *pw ) {
-		/* bad mark */
-		PZ_Unlock(pool->lock);
-		PORT_SetError(SEC_ERROR_NO_MEMORY);
-		PORT_Assert(0);
-		return /* no error indication available */ ;
-	    }
-
-	    tm = *pw;
-	    *pw = (threadmark_mark *)NULL;
-
-	    PL_ARENA_RELEASE(arena, mark);
-
-	    if (! pool->first_mark ) {
-		pool->marking_thread = (PRThread *)NULL;
-	    }
-	}
-#else /* THREADMARK */
-	PL_ARENA_RELEASE(arena, mark);
-#endif /* THREADMARK */
-	PZ_Unlock(pool->lock);
-    } else {
-	PL_ARENA_RELEASE(arena, mark);
-    }
-}
-
-void
-PORT_ArenaUnmark(PLArenaPool *arena, void *mark)
-{
-#ifdef THREADMARK
-    PORTArenaPool *pool = (PORTArenaPool *)arena;
-    if (ARENAPOOL_MAGIC == pool->magic ) {
-	threadmark_mark **pw, *tm;
-
-	PZ_Lock(pool->lock);
-
-	if (PR_GetCurrentThread() != pool->marking_thread ) {
-	    PZ_Unlock(pool->lock);
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    PORT_Assert(0);
-	    return /* no error indication available */ ;
-	}
-
-	pw = &pool->first_mark;
-	while( ((threadmark_mark *)NULL != *pw) && (mark != (*pw)->mark) ) {
-	    pw = &(*pw)->next;
-	}
-
-	if ((threadmark_mark *)NULL == *pw ) {
-	    /* bad mark */
-	    PZ_Unlock(pool->lock);
-	    PORT_SetError(SEC_ERROR_NO_MEMORY);
-	    PORT_Assert(0);
-	    return /* no error indication available */ ;
-	}
-
-	tm = *pw;
-	*pw = (threadmark_mark *)NULL;
-
-	if (! pool->first_mark ) {
-	    pool->marking_thread = (PRThread *)NULL;
-	}
-
-	PZ_Unlock(pool->lock);
-    }
-#endif /* THREADMARK */
-}
-
-char *
-PORT_ArenaStrdup(PLArenaPool *arena, const char *str) {
-    int len = PORT_Strlen(str)+1;
-    char *newstr;
-
-    newstr = (char*)PORT_ArenaAlloc(arena,len);
-    if (newstr) {
-        PORT_Memcpy(newstr,str,len);
-    }
-    return newstr;
-}
-
-/********************** end of arena functions ***********************/
-
-/****************** unicode conversion functions ***********************/
-/*
- * NOTE: These conversion functions all assume that the multibyte
- * characters are going to be in NETWORK BYTE ORDER, not host byte
- * order.  This is because the only time we deal with UCS-2 and UCS-4
- * are when the data was received from or is going to be sent out
- * over the wire (in, e.g. certificates).
- */
-
-void
-PORT_SetUCS4_UTF8ConversionFunction(PORTCharConversionFunc convFunc)
-{ 
-    ucs4Utf8ConvertFunc = convFunc;
-}
-
-void
-PORT_SetUCS2_ASCIIConversionFunction(PORTCharConversionWSwapFunc convFunc)
-{ 
-    ucs2AsciiConvertFunc = convFunc;
-}
-
-void
-PORT_SetUCS2_UTF8ConversionFunction(PORTCharConversionFunc convFunc)
-{ 
-    ucs2Utf8ConvertFunc = convFunc;
-}
-
-PRBool 
-PORT_UCS4_UTF8Conversion(PRBool toUnicode, unsigned char *inBuf,
-			 unsigned int inBufLen, unsigned char *outBuf,
-			 unsigned int maxOutBufLen, unsigned int *outBufLen)
-{
-    if(!ucs4Utf8ConvertFunc) {
-      return sec_port_ucs4_utf8_conversion_function(toUnicode,
-        inBuf, inBufLen, outBuf, maxOutBufLen, outBufLen);
-    }
-
-    return (*ucs4Utf8ConvertFunc)(toUnicode, inBuf, inBufLen, outBuf, 
-				  maxOutBufLen, outBufLen);
-}
-
-PRBool 
-PORT_UCS2_UTF8Conversion(PRBool toUnicode, unsigned char *inBuf,
-			 unsigned int inBufLen, unsigned char *outBuf,
-			 unsigned int maxOutBufLen, unsigned int *outBufLen)
-{
-    if(!ucs2Utf8ConvertFunc) {
-      return sec_port_ucs2_utf8_conversion_function(toUnicode,
-        inBuf, inBufLen, outBuf, maxOutBufLen, outBufLen);
-    }
-
-    return (*ucs2Utf8ConvertFunc)(toUnicode, inBuf, inBufLen, outBuf, 
-				  maxOutBufLen, outBufLen);
-}
-
-PRBool 
-PORT_ISO88591_UTF8Conversion(const unsigned char *inBuf,
-			 unsigned int inBufLen, unsigned char *outBuf,
-			 unsigned int maxOutBufLen, unsigned int *outBufLen)
-{
-    return sec_port_iso88591_utf8_conversion_function(inBuf, inBufLen,
-      outBuf, maxOutBufLen, outBufLen);
-}
-
-PRBool 
-PORT_UCS2_ASCIIConversion(PRBool toUnicode, unsigned char *inBuf,
-			  unsigned int inBufLen, unsigned char *outBuf,
-			  unsigned int maxOutBufLen, unsigned int *outBufLen,
-			  PRBool swapBytes)
-{
-    if(!ucs2AsciiConvertFunc) {
-	return PR_FALSE;
-    }
-
-    return (*ucs2AsciiConvertFunc)(toUnicode, inBuf, inBufLen, outBuf, 
-				  maxOutBufLen, outBufLen, swapBytes);
-}
-
-
-/* Portable putenv.  Creates/replaces an environment variable of the form
- *  envVarName=envValue
- */
-int
-NSS_PutEnv(const char * envVarName, const char * envValue)
-{
-#if  defined(XP_MAC) || defined(_WIN32_WCE)
-    return SECFailure;
-#else
-    SECStatus result = SECSuccess;
-    char *    encoded;
-    int       putEnvFailed;
-#ifdef _WIN32
-    PRBool      setOK;
-
-    setOK = SetEnvironmentVariable(envVarName, envValue);
-    if (!setOK) {
-        SET_ERROR_CODE
-        return SECFailure;
-    }
-#endif
-
-    encoded = (char *)PORT_ZAlloc(strlen(envVarName) + 2 + strlen(envValue));
-    strcpy(encoded, envVarName);
-    strcat(encoded, "=");
-    strcat(encoded, envValue);
-
-    putEnvFailed = putenv(encoded); /* adopt. */
-    if (putEnvFailed) {
-        SET_ERROR_CODE
-        result = SECFailure;
-        PORT_Free(encoded);
-    }
-    return result;
-#endif
-}
-
diff --git a/security/nss/lib/util/secport.h b/security/nss/lib/util/secport.h
deleted file mode 100644
index 65c14def0..000000000
--- a/security/nss/lib/util/secport.h
+++ /dev/null
@@ -1,263 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * secport.h - portability interfaces for security libraries
- *
- * $Id$
- */
-
-#ifndef _SECPORT_H_
-#define _SECPORT_H_
-
-/*
- * define XP_MAC, XP_WIN, XP_BEOS, or XP_UNIX, in case they are not defined
- * by anyone else
- */
-#ifdef macintosh
-# ifndef XP_MAC
-# define XP_MAC 1
-# endif
-#endif
-
-#ifdef _WINDOWS
-# ifndef XP_WIN
-# define XP_WIN
-# endif
-#if defined(_WIN32) || defined(WIN32)
-# ifndef XP_WIN32
-# define XP_WIN32
-# endif
-#else
-# ifndef XP_WIN16
-# define XP_WIN16
-# endif
-#endif
-#endif
-
-#ifdef __BEOS__
-# ifndef XP_BEOS
-# define XP_BEOS
-# endif
-#endif
-
-#ifdef unix
-# ifndef XP_UNIX
-# define XP_UNIX
-# endif
-#endif
-
-#if defined(__WATCOMC__) || defined(__WATCOM_CPLUSPLUS__)
-#include "watcomfx.h"
-#endif
-
-#if defined(_WIN32_WCE)
-#include <windef.h>
-#include <types.h>
-#elif defined( XP_MAC ) 
-#include <types.h>
-#include <time.h> /* for time_t below */
-#else
-#include <sys/types.h>
-#endif
-
-#include <ctype.h>
-#include <string.h>
-#if defined(_WIN32_WCE)
-#include <stdlib.h>	/* WinCE puts some stddef symbols here. */
-#else
-#include <stddef.h>
-#endif
-#include <stdlib.h>
-#include "prtypes.h"
-#include "prlog.h"	/* for PR_ASSERT */
-#include "plarena.h"
-#include "plstr.h"
-
-/*
- * HACK for NSS 2.8 to allow Admin to compile without source changes.
- */
-#ifndef SEC_BEGIN_PROTOS
-#include "seccomon.h"
-#endif
-
-SEC_BEGIN_PROTOS
-
-extern void *PORT_Alloc(size_t len);
-extern void *PORT_Realloc(void *old, size_t len);
-extern void *PORT_AllocBlock(size_t len);
-extern void *PORT_ReallocBlock(void *old, size_t len);
-extern void PORT_FreeBlock(void *ptr);
-extern void *PORT_ZAlloc(size_t len);
-extern void PORT_Free(void *ptr);
-extern void PORT_ZFree(void *ptr, size_t len);
-extern char *PORT_Strdup(const char *s);
-extern time_t PORT_Time(void);
-extern void PORT_SetError(int value);
-extern int PORT_GetError(void);
-
-extern PLArenaPool *PORT_NewArena(unsigned long chunksize);
-extern void *PORT_ArenaAlloc(PLArenaPool *arena, size_t size);
-extern void *PORT_ArenaZAlloc(PLArenaPool *arena, size_t size);
-extern void PORT_FreeArena(PLArenaPool *arena, PRBool zero);
-extern void *PORT_ArenaGrow(PLArenaPool *arena, void *ptr,
-			    size_t oldsize, size_t newsize);
-extern void *PORT_ArenaMark(PLArenaPool *arena);
-extern void PORT_ArenaRelease(PLArenaPool *arena, void *mark);
-extern void PORT_ArenaUnmark(PLArenaPool *arena, void *mark);
-extern char *PORT_ArenaStrdup(PLArenaPool *arena, const char *str);
-
-#ifdef __cplusplus
-}
-#endif
-
-#define PORT_Assert PR_ASSERT
-#define PORT_ZNew(type) (type*)PORT_ZAlloc(sizeof(type))
-#define PORT_New(type) (type*)PORT_Alloc(sizeof(type))
-#define PORT_ArenaNew(poolp, type)	\
-		(type*) PORT_ArenaAlloc(poolp, sizeof(type))
-#define PORT_ArenaZNew(poolp, type)	\
-		(type*) PORT_ArenaZAlloc(poolp, sizeof(type))
-#define PORT_NewArray(type, num)	\
-		(type*) PORT_Alloc (sizeof(type)*(num))
-#define PORT_ZNewArray(type, num)	\
-		(type*) PORT_ZAlloc (sizeof(type)*(num))
-#define PORT_ArenaNewArray(poolp, type, num)	\
-		(type*) PORT_ArenaAlloc (poolp, sizeof(type)*(num))
-#define PORT_ArenaZNewArray(poolp, type, num)	\
-		(type*) PORT_ArenaZAlloc (poolp, sizeof(type)*(num))
-
-/* Please, keep these defines sorted alphabetically.  Thanks! */
-
-#define PORT_Atoi 	atoi
-
-#define PORT_Memcmp 	memcmp
-#define PORT_Memcpy 	memcpy
-#ifndef SUNOS4
-#define PORT_Memmove 	memmove
-#else /*SUNOS4*/
-#define PORT_Memmove(s,ct,n)    bcopy ((ct), (s), (n))
-#endif/*SUNOS4*/
-#define PORT_Memset 	memset
-
-#define PORT_Strcasecmp PL_strcasecmp
-#define PORT_Strcat 	strcat
-#define PORT_Strchr 	strchr
-#define PORT_Strrchr    strrchr
-#define PORT_Strcmp 	strcmp
-#define PORT_Strcpy 	strcpy
-#define PORT_Strlen(s) 	strlen(s)
-#define PORT_Strncasecmp PL_strncasecmp
-#define PORT_Strncat 	strncat
-#define PORT_Strncmp 	strncmp
-#define PORT_Strncpy 	strncpy
-#define PORT_Strpbrk    strpbrk
-#define PORT_Strstr 	strstr
-#define PORT_Strtok 	strtok
-
-#define PORT_Tolower 	tolower
-
-typedef PRBool (PR_CALLBACK * PORTCharConversionWSwapFunc) (PRBool toUnicode,
-			unsigned char *inBuf, unsigned int inBufLen,
-			unsigned char *outBuf, unsigned int maxOutBufLen,
-			unsigned int *outBufLen, PRBool swapBytes);
-
-typedef PRBool (PR_CALLBACK * PORTCharConversionFunc) (PRBool toUnicode,
-			unsigned char *inBuf, unsigned int inBufLen,
-			unsigned char *outBuf, unsigned int maxOutBufLen,
-			unsigned int *outBufLen);
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-void PORT_SetUCS4_UTF8ConversionFunction(PORTCharConversionFunc convFunc);
-void PORT_SetUCS2_ASCIIConversionFunction(PORTCharConversionWSwapFunc convFunc);
-PRBool PORT_UCS4_UTF8Conversion(PRBool toUnicode, unsigned char *inBuf,
-			unsigned int inBufLen, unsigned char *outBuf,
-			unsigned int maxOutBufLen, unsigned int *outBufLen);
-PRBool PORT_UCS2_ASCIIConversion(PRBool toUnicode, unsigned char *inBuf,
-			unsigned int inBufLen, unsigned char *outBuf,
-			unsigned int maxOutBufLen, unsigned int *outBufLen,
-			PRBool swapBytes);
-void PORT_SetUCS2_UTF8ConversionFunction(PORTCharConversionFunc convFunc);
-PRBool PORT_UCS2_UTF8Conversion(PRBool toUnicode, unsigned char *inBuf,
-			unsigned int inBufLen, unsigned char *outBuf,
-			unsigned int maxOutBufLen, unsigned int *outBufLen);
-
-/* One-way conversion from ISO-8859-1 to UTF-8 */
-PRBool PORT_ISO88591_UTF8Conversion(const unsigned char *inBuf,
-			unsigned int inBufLen, unsigned char *outBuf,
-			unsigned int maxOutBufLen, unsigned int *outBufLen);
-
-PR_EXTERN(PRBool)
-sec_port_ucs4_utf8_conversion_function
-(
-  PRBool toUnicode,
-  unsigned char *inBuf,
-  unsigned int inBufLen,
-  unsigned char *outBuf,
-  unsigned int maxOutBufLen,
-  unsigned int *outBufLen
-);
-
-PR_EXTERN(PRBool)
-sec_port_ucs2_utf8_conversion_function
-(
-  PRBool toUnicode,
-  unsigned char *inBuf,
-  unsigned int inBufLen,
-  unsigned char *outBuf,
-  unsigned int maxOutBufLen,
-  unsigned int *outBufLen
-);
-
-/* One-way conversion from ISO-8859-1 to UTF-8 */
-extern PRBool
-sec_port_iso88591_utf8_conversion_function
-(
-  const unsigned char *inBuf,
-  unsigned int inBufLen,
-  unsigned char *outBuf,
-  unsigned int maxOutBufLen,
-  unsigned int *outBufLen
-);
-
-extern int NSS_PutEnv(const char * envVarName, const char * envValue);
-
-SEC_END_PROTOS
-
-#endif /* _SECPORT_H_ */
diff --git a/security/nss/lib/util/sectime.c b/security/nss/lib/util/sectime.c
deleted file mode 100644
index a5a927bb4..000000000
--- a/security/nss/lib/util/sectime.c
+++ /dev/null
@@ -1,260 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "prlong.h"
-#include "prtime.h"
-#include "secder.h"
-#include "cert.h"
-#include "secitem.h"
-#include "secerr.h"
-
-const SEC_ASN1Template CERT_TimeChoiceTemplate[] = {
-  { SEC_ASN1_CHOICE, offsetof(SECItem, type), 0, sizeof(SECItem) },
-  { SEC_ASN1_UTC_TIME, 0, 0, siUTCTime },
-  { SEC_ASN1_GENERALIZED_TIME, 0, 0, siGeneralizedTime },
-  { 0 }
-};
-
-SEC_ASN1_CHOOSER_IMPLEMENT(CERT_TimeChoiceTemplate)
-
-const SEC_ASN1Template CERT_ValidityTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTValidity) },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTValidity,notBefore), CERT_TimeChoiceTemplate, 0 },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTValidity,notAfter), CERT_TimeChoiceTemplate, 0 },
-    { 0 }
-};
-
-PRTime January1st2050 = LL_INIT(0x0008f81e,0x1b098000);
-
-static char *DecodeUTCTime2FormattedAscii (SECItem *utcTimeDER, char *format);
-static char *DecodeGeneralizedTime2FormattedAscii (SECItem *generalizedTimeDER, char *format);
-
-/* convert DER utc time to ascii time string */
-char *
-DER_UTCTimeToAscii(SECItem *utcTime)
-{
-    return (DecodeUTCTime2FormattedAscii (utcTime, "%a %b %d %H:%M:%S %Y"));
-}
-
-/* convert DER utc time to ascii time string, only include day, not time */
-char *
-DER_UTCDayToAscii(SECItem *utctime)
-{
-    return (DecodeUTCTime2FormattedAscii (utctime, "%a %b %d, %Y"));
-}
-
-/* convert DER generalized time to ascii time string, only include day,
-   not time */
-char *
-DER_GeneralizedDayToAscii(SECItem *gentime)
-{
-    return (DecodeGeneralizedTime2FormattedAscii (gentime, "%a %b %d, %Y"));
-}
-
-/* convert DER generalized or UTC time to ascii time string, only include
-   day, not time */
-char *
-DER_TimeChoiceDayToAscii(SECItem *timechoice)
-{
-    switch (timechoice->type) {
-
-    case siUTCTime:
-        return DER_UTCDayToAscii(timechoice);
-
-    case siGeneralizedTime:
-        return DER_GeneralizedDayToAscii(timechoice);
-
-    default:
-        PORT_Assert(0);
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return NULL;
-    }
-}
-
-
-
-CERTValidity *
-CERT_CreateValidity(int64 notBefore, int64 notAfter)
-{
-    CERTValidity *v;
-    int rv;
-    PRArenaPool *arena;
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    
-    if ( !arena ) {
-	return(0);
-    }
-    
-    v = (CERTValidity*) PORT_ArenaZAlloc(arena, sizeof(CERTValidity));
-    if (v) {
-	v->arena = arena;
-	rv = DER_EncodeTimeChoice(arena, &v->notBefore, notBefore);
-	if (rv) goto loser;
-	rv = DER_EncodeTimeChoice(arena, &v->notAfter, notAfter);
-	if (rv) goto loser;
-    }
-    return v;
-
-  loser:
-    CERT_DestroyValidity(v);
-    return 0;
-}
-
-SECStatus
-CERT_CopyValidity(PRArenaPool *arena, CERTValidity *to, CERTValidity *from)
-{
-    SECStatus rv;
-
-    CERT_DestroyValidity(to);
-    to->arena = arena;
-    
-    rv = SECITEM_CopyItem(arena, &to->notBefore, &from->notBefore);
-    if (rv) return rv;
-    rv = SECITEM_CopyItem(arena, &to->notAfter, &from->notAfter);
-    return rv;
-}
-
-void
-CERT_DestroyValidity(CERTValidity *v)
-{
-    if (v && v->arena) {
-	PORT_FreeArena(v->arena, PR_FALSE);
-    }
-    return;
-}
-
-char *
-CERT_UTCTime2FormattedAscii (int64 utcTime, char *format)
-{
-    PRExplodedTime printableTime; 
-    char *timeString;
-   
-    /* Converse time to local time and decompose it into components */
-    PR_ExplodeTime(utcTime, PR_LocalTimeParameters, &printableTime);
-    
-    timeString = (char *)PORT_Alloc(100);
-
-    if ( timeString ) {
-        PR_FormatTime( timeString, 100, format, &printableTime );
-    }
-    
-    return (timeString);
-}
-
-char *CERT_GenTime2FormattedAscii (int64 genTime, char *format)
-{
-    PRExplodedTime printableTime; 
-    char *timeString;
-   
-    /* Decompose time into components */
-    PR_ExplodeTime(genTime, PR_GMTParameters, &printableTime);
-    
-    timeString = (char *)PORT_Alloc(100);
-
-    if ( timeString ) {
-        PR_FormatTime( timeString, 100, format, &printableTime );
-    }
-    
-    return (timeString);
-}
-
-
-/* convert DER utc time to ascii time string, The format of the time string
-   depends on the input "format"
- */
-static char *
-DecodeUTCTime2FormattedAscii (SECItem *utcTimeDER,  char *format)
-{
-    int64 utcTime;
-    int rv;
-   
-    rv = DER_UTCTimeToTime(&utcTime, utcTimeDER);
-    if (rv) {
-        return(NULL);
-    }
-    return (CERT_UTCTime2FormattedAscii (utcTime, format));
-}
-
-/* convert DER utc time to ascii time string, The format of the time string
-   depends on the input "format"
- */
-static char *
-DecodeGeneralizedTime2FormattedAscii (SECItem *generalizedTimeDER,  char *format)
-{
-    PRTime generalizedTime;
-    int rv;
-   
-    rv = DER_GeneralizedTimeToTime(&generalizedTime, generalizedTimeDER);
-    if (rv) {
-        return(NULL);
-    }
-    return (CERT_GeneralizedTime2FormattedAscii (generalizedTime, format));
-}
-
-/* decode a SECItem containing either a SEC_ASN1_GENERALIZED_TIME 
-   or a SEC_ASN1_UTC_TIME */
-
-SECStatus DER_DecodeTimeChoice(PRTime* output, const SECItem* input)
-{
-    switch (input->type) {
-        case siGeneralizedTime:
-            return DER_GeneralizedTimeToTime(output, input);
-
-        case siUTCTime:
-            return DER_UTCTimeToTime(output, input);
-
-        default:
-            PORT_SetError(SEC_ERROR_INVALID_ARGS);
-            PORT_Assert(0);
-            return SECFailure;
-    }
-}
-
-/* encode a PRTime to an ASN.1 DER SECItem containing either a
-   SEC_ASN1_GENERALIZED_TIME or a SEC_ASN1_UTC_TIME */
-
-SECStatus DER_EncodeTimeChoice(PRArenaPool* arena, SECItem* output, PRTime input)
-{
-    if (LL_CMP(input, >, January1st2050)) {
-        return DER_TimeToGeneralizedTimeArena(arena, output, input);
-    } else {
-        return DER_TimeToUTCTimeArena(arena, output, input);
-    }
-}
diff --git a/security/nss/lib/util/utf8.c b/security/nss/lib/util/utf8.c
deleted file mode 100644
index b47a172d1..000000000
--- a/security/nss/lib/util/utf8.c
+++ /dev/null
@@ -1,1833 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   John Gardiner Myers <jgmyers@speakeasy.net>
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
-#endif /* DEBUG */
-
-#include "seccomon.h"
-#include "secport.h"
-
-#ifdef TEST_UTF8
-#include <assert.h>
-#undef PORT_Assert
-#define PORT_Assert assert
-#endif
-
-/*
- * From RFC 2044:
- *
- * UCS-4 range (hex.)           UTF-8 octet sequence (binary)
- * 0000 0000-0000 007F   0xxxxxxx
- * 0000 0080-0000 07FF   110xxxxx 10xxxxxx
- * 0000 0800-0000 FFFF   1110xxxx 10xxxxxx 10xxxxxx
- * 0001 0000-001F FFFF   11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
- * 0020 0000-03FF FFFF   111110xx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx
- * 0400 0000-7FFF FFFF   1111110x 10xxxxxx ... 10xxxxxx
- */  
-
-/*
- * From http://www.imc.org/draft-hoffman-utf16
- *
- * For U on [0x00010000,0x0010FFFF]:  Let U' = U - 0x00010000
- *
- * U' = yyyyyyyyyyxxxxxxxxxx
- * W1 = 110110yyyyyyyyyy
- * W2 = 110111xxxxxxxxxx
- */
-
-/*
- * This code is assuming NETWORK BYTE ORDER for the 16- and 32-bit
- * character values.  If you wish to use this code for working with
- * host byte order values, define the following:
- *
- * #if IS_BIG_ENDIAN
- * #define L_0 0
- * #define L_1 1
- * #define L_2 2
- * #define L_3 3
- * #define H_0 0
- * #define H_1 1
- * #else / * not everyone has elif * /
- * #if IS_LITTLE_ENDIAN
- * #define L_0 3
- * #define L_1 2
- * #define L_2 1
- * #define L_3 0
- * #define H_0 1
- * #define H_1 0
- * #else
- * #error "PDP and NUXI support deferred"
- * #endif / * IS_LITTLE_ENDIAN * /
- * #endif / * IS_BIG_ENDIAN * /
- */
-
-#define L_0 0
-#define L_1 1
-#define L_2 2
-#define L_3 3
-#define H_0 0
-#define H_1 1
-
-#define BAD_UTF8 ((PRUint32)-1)
-
-/*
- * Parse a single UTF-8 character per the spec. in section 3.9 (D36)
- * of Unicode 4.0.0.
- *
- * Parameters:
- * index - Points to the byte offset in inBuf of character to read.  On success,
- *         updated to the offset of the following character.
- * inBuf - Input buffer, UTF-8 encoded
- * inbufLen - Length of input buffer, in bytes.
- *
- * Returns:
- * Success - The UCS4 encoded character
- * Failure - BAD_UTF8
- */
-static PRUint32
-sec_port_read_utf8(unsigned int *index, unsigned char *inBuf, unsigned int inBufLen)
-{
-  PRUint32 result;
-  unsigned int i = *index;
-  int bytes_left;
-  PRUint32 min_value;
-
-  PORT_Assert(i < inBufLen);
-
-  if ( (inBuf[i] & 0x80) == 0x00 ) {
-    result = inBuf[i++];
-    bytes_left = 0;
-    min_value = 0;
-  } else if ( (inBuf[i] & 0xE0) == 0xC0 ) {
-    result = inBuf[i++] & 0x1F;
-    bytes_left = 1;
-    min_value = 0x80;
-  } else if ( (inBuf[i] & 0xF0) == 0xE0) {
-    result = inBuf[i++] & 0x0F;
-    bytes_left = 2;
-    min_value = 0x800;
-  } else if ( (inBuf[i] & 0xF8) == 0xF0) {
-    result = inBuf[i++] & 0x07;
-    bytes_left = 3;
-    min_value = 0x10000;
-  } else {
-    return BAD_UTF8;
-  }
-
-  while (bytes_left--) {
-    if (i >= inBufLen || (inBuf[i] & 0xC0) != 0x80) return BAD_UTF8;
-    result = (result << 6) | (inBuf[i++] & 0x3F);
-  }
-
-  /* Check for overlong sequences, surrogates, and outside unicode range */
-  if (result < min_value || (result & 0xFFFFF800) == 0xD800 || result > 0x10FFFF) {
-    return BAD_UTF8;
-  }
-
-  *index = i;
-  return result;
-}
-
-PR_IMPLEMENT(PRBool)
-sec_port_ucs4_utf8_conversion_function
-(
-  PRBool toUnicode,
-  unsigned char *inBuf,
-  unsigned int inBufLen,
-  unsigned char *outBuf,
-  unsigned int maxOutBufLen,
-  unsigned int *outBufLen
-)
-{
-  PORT_Assert((unsigned int *)NULL != outBufLen);
-
-  if( toUnicode ) {
-    unsigned int i, len = 0;
-
-    for( i = 0; i < inBufLen; ) {
-      if( (inBuf[i] & 0x80) == 0x00 ) i += 1;
-      else if( (inBuf[i] & 0xE0) == 0xC0 ) i += 2;
-      else if( (inBuf[i] & 0xF0) == 0xE0 ) i += 3;
-      else if( (inBuf[i] & 0xF8) == 0xF0 ) i += 4;
-      else return PR_FALSE;
-
-      len += 4;
-    }
-
-    if( len > maxOutBufLen ) {
-      *outBufLen = len;
-      return PR_FALSE;
-    }
-
-    len = 0;
-
-    for( i = 0; i < inBufLen; ) {
-      PRUint32 ucs4 = sec_port_read_utf8(&i, inBuf, inBufLen);
-
-      if (ucs4 == BAD_UTF8) return PR_FALSE;
-           
-      outBuf[len+L_0] = 0x00;
-      outBuf[len+L_1] = (unsigned char)(ucs4 >> 16);
-      outBuf[len+L_2] = (unsigned char)(ucs4 >> 8);
-      outBuf[len+L_3] = (unsigned char)ucs4;
-
-      len += 4;
-    }
-
-    *outBufLen = len;
-    return PR_TRUE;
-  } else {
-    unsigned int i, len = 0;
-    PORT_Assert((inBufLen % 4) == 0);
-    if ((inBufLen % 4) != 0) {
-      *outBufLen = 0;
-      return PR_FALSE;
-    }
-
-    for( i = 0; i < inBufLen; i += 4 ) {
-      if( (inBuf[i+L_0] > 0x00) || (inBuf[i+L_1] > 0x10) ) {
-	*outBufLen = 0;
-	return PR_FALSE;
-      } else if( inBuf[i+L_1] >= 0x01 ) len += 4;
-      else if( inBuf[i+L_2] >= 0x08 ) len += 3;
-      else if( (inBuf[i+L_2] > 0x00) || (inBuf[i+L_3] >= 0x80) ) len += 2;
-      else len += 1;
-    }
-
-    if( len > maxOutBufLen ) {
-      *outBufLen = len;
-      return PR_FALSE;
-    }
-
-    len = 0;
-
-    for( i = 0; i < inBufLen; i += 4 ) {
-      if( inBuf[i+L_1] >= 0x01 ) {
-        /* 0001 0000-001F FFFF -> 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx */
-        /* 00000000 000abcde fghijklm nopqrstu ->
-           11110abc 10defghi 10jklmno 10pqrstu */
-
-        outBuf[len+0] = 0xF0 | ((inBuf[i+L_1] & 0x1C) >> 2);
-        outBuf[len+1] = 0x80 | ((inBuf[i+L_1] & 0x03) << 4)
-                             | ((inBuf[i+L_2] & 0xF0) >> 4);
-        outBuf[len+2] = 0x80 | ((inBuf[i+L_2] & 0x0F) << 2)
-                             | ((inBuf[i+L_3] & 0xC0) >> 6);
-        outBuf[len+3] = 0x80 | ((inBuf[i+L_3] & 0x3F) >> 0);
-
-        len += 4;
-      } else if( inBuf[i+L_2] >= 0x08 ) {
-        /* 0000 0800-0000 FFFF -> 1110xxxx 10xxxxxx 10xxxxxx */
-        /* 00000000 00000000 abcdefgh ijklmnop ->
-           1110abcd 10efghij 10klmnop */
-
-        outBuf[len+0] = 0xE0 | ((inBuf[i+L_2] & 0xF0) >> 4);
-        outBuf[len+1] = 0x80 | ((inBuf[i+L_2] & 0x0F) << 2)
-                             | ((inBuf[i+L_3] & 0xC0) >> 6);
-        outBuf[len+2] = 0x80 | ((inBuf[i+L_3] & 0x3F) >> 0);
-
-        len += 3;
-      } else if( (inBuf[i+L_2] > 0x00) || (inBuf[i+L_3] >= 0x80) ) {
-        /* 0000 0080-0000 07FF -> 110xxxxx 10xxxxxx */
-        /* 00000000 00000000 00000abc defghijk ->
-           110abcde 10fghijk */
-
-        outBuf[len+0] = 0xC0 | ((inBuf[i+L_2] & 0x07) << 2)
-                             | ((inBuf[i+L_3] & 0xC0) >> 6);
-        outBuf[len+1] = 0x80 | ((inBuf[i+L_3] & 0x3F) >> 0);
-
-        len += 2;
-      } else {
-        /* 0000 0000-0000 007F -> 0xxxxxx */
-        /* 00000000 00000000 00000000 0abcdefg ->
-           0abcdefg */
-
-        outBuf[len+0] = (inBuf[i+L_3] & 0x7F);
-
-        len += 1;
-      }
-    }
-                            
-    *outBufLen = len;
-    return PR_TRUE;
-  }
-}
-
-PR_IMPLEMENT(PRBool)
-sec_port_ucs2_utf8_conversion_function
-(
-  PRBool toUnicode,
-  unsigned char *inBuf,
-  unsigned int inBufLen,
-  unsigned char *outBuf,
-  unsigned int maxOutBufLen,
-  unsigned int *outBufLen
-)
-{
-  PORT_Assert((unsigned int *)NULL != outBufLen);
-
-  if( toUnicode ) {
-    unsigned int i, len = 0;
-
-    for( i = 0; i < inBufLen; ) {
-      if( (inBuf[i] & 0x80) == 0x00 ) {
-        i += 1;
-        len += 2;
-      } else if( (inBuf[i] & 0xE0) == 0xC0 ) {
-        i += 2;
-        len += 2;
-      } else if( (inBuf[i] & 0xF0) == 0xE0 ) {
-        i += 3;
-        len += 2;
-      } else if( (inBuf[i] & 0xF8) == 0xF0 ) { 
-        i += 4;
-        len += 4;
-      } else return PR_FALSE;
-    }
-
-    if( len > maxOutBufLen ) {
-      *outBufLen = len;
-      return PR_FALSE;
-    }
-
-    len = 0;
-
-    for( i = 0; i < inBufLen; ) {
-      PRUint32 ucs4 = sec_port_read_utf8(&i, inBuf, inBufLen);
-
-      if (ucs4 == BAD_UTF8) return PR_FALSE;
-
-      if( ucs4 < 0x10000) {
-        outBuf[len+H_0] = (unsigned char)(ucs4 >> 8);
-        outBuf[len+H_1] = (unsigned char)ucs4;
-        len += 2;
-      } else {
-	ucs4 -= 0x10000;
-        outBuf[len+0+H_0] = (unsigned char)(0xD8 | ((ucs4 >> 18) & 0x3));
-        outBuf[len+0+H_1] = (unsigned char)(ucs4 >> 10);
-        outBuf[len+2+H_0] = (unsigned char)(0xDC | ((ucs4 >> 8) & 0x3));
-        outBuf[len+2+H_1] = (unsigned char)ucs4;
-	len += 4;
-      }
-    }
-
-    *outBufLen = len;
-    return PR_TRUE;
-  } else {
-    unsigned int i, len = 0;
-    PORT_Assert((inBufLen % 2) == 0);
-    if ((inBufLen % 2) != 0) {
-      *outBufLen = 0;
-      return PR_FALSE;
-    }
-
-    for( i = 0; i < inBufLen; i += 2 ) {
-      if( (inBuf[i+H_0] == 0x00) && ((inBuf[i+H_0] & 0x80) == 0x00) ) len += 1;
-      else if( inBuf[i+H_0] < 0x08 ) len += 2;
-      else if( ((inBuf[i+0+H_0] & 0xDC) == 0xD8) ) {
-        if( ((inBuf[i+2+H_0] & 0xDC) == 0xDC) && ((inBufLen - i) > 2) ) {
-          i += 2;
-          len += 4;
-        } else {
-          return PR_FALSE;
-        }
-      }
-      else len += 3;
-    }
-
-    if( len > maxOutBufLen ) {
-      *outBufLen = len;
-      return PR_FALSE;
-    }
-
-    len = 0;
-
-    for( i = 0; i < inBufLen; i += 2 ) {
-      if( (inBuf[i+H_0] == 0x00) && ((inBuf[i+H_1] & 0x80) == 0x00) ) {
-        /* 0000-007F -> 0xxxxxx */
-        /* 00000000 0abcdefg -> 0abcdefg */
-
-        outBuf[len] = inBuf[i+H_1] & 0x7F;
-
-        len += 1;
-      } else if( inBuf[i+H_0] < 0x08 ) {
-        /* 0080-07FF -> 110xxxxx 10xxxxxx */
-        /* 00000abc defghijk -> 110abcde 10fghijk */
-
-        outBuf[len+0] = 0xC0 | ((inBuf[i+H_0] & 0x07) << 2) 
-                             | ((inBuf[i+H_1] & 0xC0) >> 6);
-        outBuf[len+1] = 0x80 | ((inBuf[i+H_1] & 0x3F) >> 0);
-
-        len += 2;
-      } else if( (inBuf[i+H_0] & 0xDC) == 0xD8 ) {
-        int abcde, BCDE;
-
-        PORT_Assert(((inBuf[i+2+H_0] & 0xDC) == 0xDC) && ((inBufLen - i) > 2));
-
-        /* D800-DBFF DC00-DFFF -> 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx */
-        /* 110110BC DEfghijk 110111lm nopqrstu ->
-           { Let abcde = BCDE + 1 }
-           11110abc 10defghi 10jklmno 10pqrstu */
-
-        BCDE = ((inBuf[i+H_0] & 0x03) << 2) | ((inBuf[i+H_1] & 0xC0) >> 6);
-        abcde = BCDE + 1;
-
-        outBuf[len+0] = 0xF0 | ((abcde & 0x1C) >> 2);
-        outBuf[len+1] = 0x80 | ((abcde & 0x03) << 4) 
-                             | ((inBuf[i+0+H_1] & 0x3C) >> 2);
-        outBuf[len+2] = 0x80 | ((inBuf[i+0+H_1] & 0x03) << 4)
-                             | ((inBuf[i+2+H_0] & 0x03) << 2)
-                             | ((inBuf[i+2+H_1] & 0xC0) >> 6);
-        outBuf[len+3] = 0x80 | ((inBuf[i+2+H_1] & 0x3F) >> 0);
-
-        i += 2;
-        len += 4;
-      } else {
-        /* 0800-FFFF -> 1110xxxx 10xxxxxx 10xxxxxx */
-        /* abcdefgh ijklmnop -> 1110abcd 10efghij 10klmnop */
-
-        outBuf[len+0] = 0xE0 | ((inBuf[i+H_0] & 0xF0) >> 4);
-        outBuf[len+1] = 0x80 | ((inBuf[i+H_0] & 0x0F) << 2) 
-                             | ((inBuf[i+H_1] & 0xC0) >> 6);
-        outBuf[len+2] = 0x80 | ((inBuf[i+H_1] & 0x3F) >> 0);
-
-        len += 3;
-      }
-    }
-
-    *outBufLen = len;
-    return PR_TRUE;
-  }
-}
-
-PRBool
-sec_port_iso88591_utf8_conversion_function
-(
-  const unsigned char *inBuf,
-  unsigned int inBufLen,
-  unsigned char *outBuf,
-  unsigned int maxOutBufLen,
-  unsigned int *outBufLen
-)
-{
-  unsigned int i, len = 0;
-
-  PORT_Assert((unsigned int *)NULL != outBufLen);
-
-  for( i = 0; i < inBufLen; i++) {
-    if( (inBuf[i] & 0x80) == 0x00 ) len += 1;
-    else len += 2;
-  }
-
-  if( len > maxOutBufLen ) {
-    *outBufLen = len;
-    return PR_FALSE;
-  }
-
-  len = 0;
-
-  for( i = 0; i < inBufLen; i++) {
-    if( (inBuf[i] & 0x80) == 0x00 ) {
-      /* 00-7F -> 0xxxxxxx */
-      /* 0abcdefg -> 0abcdefg */
-
-      outBuf[len] = inBuf[i];
-      len += 1;
-    } else {
-      /* 80-FF <- 110xxxxx 10xxxxxx */
-      /* 00000000 abcdefgh -> 110000ab 10cdefgh */
-
-      outBuf[len+0] = 0xC0 | ((inBuf[i] & 0xC0) >> 6);
-      outBuf[len+1] = 0x80 | ((inBuf[i] & 0x3F) >> 0);
-
-      len += 2;
-    }
-  }
-
-  *outBufLen = len;
-  return PR_TRUE;
-}
-
-#ifdef TEST_UTF8
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <netinet/in.h> /* for htonl and htons */
-
-/*
- * UCS-4 vectors
- */
-
-struct ucs4 {
-  PRUint32 c;
-  char *utf8;
-};
-
-/*
- * UCS-2 vectors
- */
-
-struct ucs2 {
-  PRUint16 c;
-  char *utf8;
-};
-
-/*
- * UTF-16 vectors
- */
-
-struct utf16 {
-  PRUint32 c;
-  PRUint16 w[2];
-};
-
-
-/*
- * UCS-4 vectors
- */
-
-struct ucs4 ucs4[] = {
-  { 0x00000001, "\x01" },
-  { 0x00000002, "\x02" },
-  { 0x00000003, "\x03" },
-  { 0x00000004, "\x04" },
-  { 0x00000007, "\x07" },
-  { 0x00000008, "\x08" },
-  { 0x0000000F, "\x0F" },
-  { 0x00000010, "\x10" },
-  { 0x0000001F, "\x1F" },
-  { 0x00000020, "\x20" },
-  { 0x0000003F, "\x3F" },
-  { 0x00000040, "\x40" },
-  { 0x0000007F, "\x7F" },
-          
-  { 0x00000080, "\xC2\x80" },
-  { 0x00000081, "\xC2\x81" },
-  { 0x00000082, "\xC2\x82" },
-  { 0x00000084, "\xC2\x84" },
-  { 0x00000088, "\xC2\x88" },
-  { 0x00000090, "\xC2\x90" },
-  { 0x000000A0, "\xC2\xA0" },
-  { 0x000000C0, "\xC3\x80" },
-  { 0x000000FF, "\xC3\xBF" },
-  { 0x00000100, "\xC4\x80" },
-  { 0x00000101, "\xC4\x81" },
-  { 0x00000102, "\xC4\x82" },
-  { 0x00000104, "\xC4\x84" },
-  { 0x00000108, "\xC4\x88" },
-  { 0x00000110, "\xC4\x90" },
-  { 0x00000120, "\xC4\xA0" },
-  { 0x00000140, "\xC5\x80" },
-  { 0x00000180, "\xC6\x80" },
-  { 0x000001FF, "\xC7\xBF" },
-  { 0x00000200, "\xC8\x80" },
-  { 0x00000201, "\xC8\x81" },
-  { 0x00000202, "\xC8\x82" },
-  { 0x00000204, "\xC8\x84" },
-  { 0x00000208, "\xC8\x88" },
-  { 0x00000210, "\xC8\x90" },
-  { 0x00000220, "\xC8\xA0" },
-  { 0x00000240, "\xC9\x80" },
-  { 0x00000280, "\xCA\x80" },
-  { 0x00000300, "\xCC\x80" },
-  { 0x000003FF, "\xCF\xBF" },
-  { 0x00000400, "\xD0\x80" },
-  { 0x00000401, "\xD0\x81" },
-  { 0x00000402, "\xD0\x82" },
-  { 0x00000404, "\xD0\x84" },
-  { 0x00000408, "\xD0\x88" },
-  { 0x00000410, "\xD0\x90" },
-  { 0x00000420, "\xD0\xA0" },
-  { 0x00000440, "\xD1\x80" },
-  { 0x00000480, "\xD2\x80" },
-  { 0x00000500, "\xD4\x80" },
-  { 0x00000600, "\xD8\x80" },
-  { 0x000007FF, "\xDF\xBF" },
-          
-  { 0x00000800, "\xE0\xA0\x80" },
-  { 0x00000801, "\xE0\xA0\x81" },
-  { 0x00000802, "\xE0\xA0\x82" },
-  { 0x00000804, "\xE0\xA0\x84" },
-  { 0x00000808, "\xE0\xA0\x88" },
-  { 0x00000810, "\xE0\xA0\x90" },
-  { 0x00000820, "\xE0\xA0\xA0" },
-  { 0x00000840, "\xE0\xA1\x80" },
-  { 0x00000880, "\xE0\xA2\x80" },
-  { 0x00000900, "\xE0\xA4\x80" },
-  { 0x00000A00, "\xE0\xA8\x80" },
-  { 0x00000C00, "\xE0\xB0\x80" },
-  { 0x00000FFF, "\xE0\xBF\xBF" },
-  { 0x00001000, "\xE1\x80\x80" },
-  { 0x00001001, "\xE1\x80\x81" },
-  { 0x00001002, "\xE1\x80\x82" },
-  { 0x00001004, "\xE1\x80\x84" },
-  { 0x00001008, "\xE1\x80\x88" },
-  { 0x00001010, "\xE1\x80\x90" },
-  { 0x00001020, "\xE1\x80\xA0" },
-  { 0x00001040, "\xE1\x81\x80" },
-  { 0x00001080, "\xE1\x82\x80" },
-  { 0x00001100, "\xE1\x84\x80" },
-  { 0x00001200, "\xE1\x88\x80" },
-  { 0x00001400, "\xE1\x90\x80" },
-  { 0x00001800, "\xE1\xA0\x80" },
-  { 0x00001FFF, "\xE1\xBF\xBF" },
-  { 0x00002000, "\xE2\x80\x80" },
-  { 0x00002001, "\xE2\x80\x81" },
-  { 0x00002002, "\xE2\x80\x82" },
-  { 0x00002004, "\xE2\x80\x84" },
-  { 0x00002008, "\xE2\x80\x88" },
-  { 0x00002010, "\xE2\x80\x90" },
-  { 0x00002020, "\xE2\x80\xA0" },
-  { 0x00002040, "\xE2\x81\x80" },
-  { 0x00002080, "\xE2\x82\x80" },
-  { 0x00002100, "\xE2\x84\x80" },
-  { 0x00002200, "\xE2\x88\x80" },
-  { 0x00002400, "\xE2\x90\x80" },
-  { 0x00002800, "\xE2\xA0\x80" },
-  { 0x00003000, "\xE3\x80\x80" },
-  { 0x00003FFF, "\xE3\xBF\xBF" },
-  { 0x00004000, "\xE4\x80\x80" },
-  { 0x00004001, "\xE4\x80\x81" },
-  { 0x00004002, "\xE4\x80\x82" },
-  { 0x00004004, "\xE4\x80\x84" },
-  { 0x00004008, "\xE4\x80\x88" },
-  { 0x00004010, "\xE4\x80\x90" },
-  { 0x00004020, "\xE4\x80\xA0" },
-  { 0x00004040, "\xE4\x81\x80" },
-  { 0x00004080, "\xE4\x82\x80" },
-  { 0x00004100, "\xE4\x84\x80" },
-  { 0x00004200, "\xE4\x88\x80" },
-  { 0x00004400, "\xE4\x90\x80" },
-  { 0x00004800, "\xE4\xA0\x80" },
-  { 0x00005000, "\xE5\x80\x80" },
-  { 0x00006000, "\xE6\x80\x80" },
-  { 0x00007FFF, "\xE7\xBF\xBF" },
-  { 0x00008000, "\xE8\x80\x80" },
-  { 0x00008001, "\xE8\x80\x81" },
-  { 0x00008002, "\xE8\x80\x82" },
-  { 0x00008004, "\xE8\x80\x84" },
-  { 0x00008008, "\xE8\x80\x88" },
-  { 0x00008010, "\xE8\x80\x90" },
-  { 0x00008020, "\xE8\x80\xA0" },
-  { 0x00008040, "\xE8\x81\x80" },
-  { 0x00008080, "\xE8\x82\x80" },
-  { 0x00008100, "\xE8\x84\x80" },
-  { 0x00008200, "\xE8\x88\x80" },
-  { 0x00008400, "\xE8\x90\x80" },
-  { 0x00008800, "\xE8\xA0\x80" },
-  { 0x00009000, "\xE9\x80\x80" },
-  { 0x0000A000, "\xEA\x80\x80" },
-  { 0x0000C000, "\xEC\x80\x80" },
-  { 0x0000FFFF, "\xEF\xBF\xBF" },
-          
-  { 0x00010000, "\xF0\x90\x80\x80" },
-  { 0x00010001, "\xF0\x90\x80\x81" },
-  { 0x00010002, "\xF0\x90\x80\x82" },
-  { 0x00010004, "\xF0\x90\x80\x84" },
-  { 0x00010008, "\xF0\x90\x80\x88" },
-  { 0x00010010, "\xF0\x90\x80\x90" },
-  { 0x00010020, "\xF0\x90\x80\xA0" },
-  { 0x00010040, "\xF0\x90\x81\x80" },
-  { 0x00010080, "\xF0\x90\x82\x80" },
-  { 0x00010100, "\xF0\x90\x84\x80" },
-  { 0x00010200, "\xF0\x90\x88\x80" },
-  { 0x00010400, "\xF0\x90\x90\x80" },
-  { 0x00010800, "\xF0\x90\xA0\x80" },
-  { 0x00011000, "\xF0\x91\x80\x80" },
-  { 0x00012000, "\xF0\x92\x80\x80" },
-  { 0x00014000, "\xF0\x94\x80\x80" },
-  { 0x00018000, "\xF0\x98\x80\x80" },
-  { 0x0001FFFF, "\xF0\x9F\xBF\xBF" },
-  { 0x00020000, "\xF0\xA0\x80\x80" },
-  { 0x00020001, "\xF0\xA0\x80\x81" },
-  { 0x00020002, "\xF0\xA0\x80\x82" },
-  { 0x00020004, "\xF0\xA0\x80\x84" },
-  { 0x00020008, "\xF0\xA0\x80\x88" },
-  { 0x00020010, "\xF0\xA0\x80\x90" },
-  { 0x00020020, "\xF0\xA0\x80\xA0" },
-  { 0x00020040, "\xF0\xA0\x81\x80" },
-  { 0x00020080, "\xF0\xA0\x82\x80" },
-  { 0x00020100, "\xF0\xA0\x84\x80" },
-  { 0x00020200, "\xF0\xA0\x88\x80" },
-  { 0x00020400, "\xF0\xA0\x90\x80" },
-  { 0x00020800, "\xF0\xA0\xA0\x80" },
-  { 0x00021000, "\xF0\xA1\x80\x80" },
-  { 0x00022000, "\xF0\xA2\x80\x80" },
-  { 0x00024000, "\xF0\xA4\x80\x80" },
-  { 0x00028000, "\xF0\xA8\x80\x80" },
-  { 0x00030000, "\xF0\xB0\x80\x80" },
-  { 0x0003FFFF, "\xF0\xBF\xBF\xBF" },
-  { 0x00040000, "\xF1\x80\x80\x80" },
-  { 0x00040001, "\xF1\x80\x80\x81" },
-  { 0x00040002, "\xF1\x80\x80\x82" },
-  { 0x00040004, "\xF1\x80\x80\x84" },
-  { 0x00040008, "\xF1\x80\x80\x88" },
-  { 0x00040010, "\xF1\x80\x80\x90" },
-  { 0x00040020, "\xF1\x80\x80\xA0" },
-  { 0x00040040, "\xF1\x80\x81\x80" },
-  { 0x00040080, "\xF1\x80\x82\x80" },
-  { 0x00040100, "\xF1\x80\x84\x80" },
-  { 0x00040200, "\xF1\x80\x88\x80" },
-  { 0x00040400, "\xF1\x80\x90\x80" },
-  { 0x00040800, "\xF1\x80\xA0\x80" },
-  { 0x00041000, "\xF1\x81\x80\x80" },
-  { 0x00042000, "\xF1\x82\x80\x80" },
-  { 0x00044000, "\xF1\x84\x80\x80" },
-  { 0x00048000, "\xF1\x88\x80\x80" },
-  { 0x00050000, "\xF1\x90\x80\x80" },
-  { 0x00060000, "\xF1\xA0\x80\x80" },
-  { 0x0007FFFF, "\xF1\xBF\xBF\xBF" },
-  { 0x00080000, "\xF2\x80\x80\x80" },
-  { 0x00080001, "\xF2\x80\x80\x81" },
-  { 0x00080002, "\xF2\x80\x80\x82" },
-  { 0x00080004, "\xF2\x80\x80\x84" },
-  { 0x00080008, "\xF2\x80\x80\x88" },
-  { 0x00080010, "\xF2\x80\x80\x90" },
-  { 0x00080020, "\xF2\x80\x80\xA0" },
-  { 0x00080040, "\xF2\x80\x81\x80" },
-  { 0x00080080, "\xF2\x80\x82\x80" },
-  { 0x00080100, "\xF2\x80\x84\x80" },
-  { 0x00080200, "\xF2\x80\x88\x80" },
-  { 0x00080400, "\xF2\x80\x90\x80" },
-  { 0x00080800, "\xF2\x80\xA0\x80" },
-  { 0x00081000, "\xF2\x81\x80\x80" },
-  { 0x00082000, "\xF2\x82\x80\x80" },
-  { 0x00084000, "\xF2\x84\x80\x80" },
-  { 0x00088000, "\xF2\x88\x80\x80" },
-  { 0x00090000, "\xF2\x90\x80\x80" },
-  { 0x000A0000, "\xF2\xA0\x80\x80" },
-  { 0x000C0000, "\xF3\x80\x80\x80" },
-  { 0x000FFFFF, "\xF3\xBF\xBF\xBF" },
-  { 0x00100000, "\xF4\x80\x80\x80" },
-  { 0x00100001, "\xF4\x80\x80\x81" },
-  { 0x00100002, "\xF4\x80\x80\x82" },
-  { 0x00100004, "\xF4\x80\x80\x84" },
-  { 0x00100008, "\xF4\x80\x80\x88" },
-  { 0x00100010, "\xF4\x80\x80\x90" },
-  { 0x00100020, "\xF4\x80\x80\xA0" },
-  { 0x00100040, "\xF4\x80\x81\x80" },
-  { 0x00100080, "\xF4\x80\x82\x80" },
-  { 0x00100100, "\xF4\x80\x84\x80" },
-  { 0x00100200, "\xF4\x80\x88\x80" },
-  { 0x00100400, "\xF4\x80\x90\x80" },
-  { 0x00100800, "\xF4\x80\xA0\x80" },
-  { 0x00101000, "\xF4\x81\x80\x80" },
-  { 0x00102000, "\xF4\x82\x80\x80" },
-  { 0x00104000, "\xF4\x84\x80\x80" },
-  { 0x00108000, "\xF4\x88\x80\x80" },
-  { 0x0010FFFF, "\xF4\x8F\xBF\xBF" },
-};
-
-/*
- * UCS-2 vectors
- */
-
-struct ucs2 ucs2[] = {
-  { 0x0001, "\x01" },
-  { 0x0002, "\x02" },
-  { 0x0003, "\x03" },
-  { 0x0004, "\x04" },
-  { 0x0007, "\x07" },
-  { 0x0008, "\x08" },
-  { 0x000F, "\x0F" },
-  { 0x0010, "\x10" },
-  { 0x001F, "\x1F" },
-  { 0x0020, "\x20" },
-  { 0x003F, "\x3F" },
-  { 0x0040, "\x40" },
-  { 0x007F, "\x7F" },
-          
-  { 0x0080, "\xC2\x80" },
-  { 0x0081, "\xC2\x81" },
-  { 0x0082, "\xC2\x82" },
-  { 0x0084, "\xC2\x84" },
-  { 0x0088, "\xC2\x88" },
-  { 0x0090, "\xC2\x90" },
-  { 0x00A0, "\xC2\xA0" },
-  { 0x00C0, "\xC3\x80" },
-  { 0x00FF, "\xC3\xBF" },
-  { 0x0100, "\xC4\x80" },
-  { 0x0101, "\xC4\x81" },
-  { 0x0102, "\xC4\x82" },
-  { 0x0104, "\xC4\x84" },
-  { 0x0108, "\xC4\x88" },
-  { 0x0110, "\xC4\x90" },
-  { 0x0120, "\xC4\xA0" },
-  { 0x0140, "\xC5\x80" },
-  { 0x0180, "\xC6\x80" },
-  { 0x01FF, "\xC7\xBF" },
-  { 0x0200, "\xC8\x80" },
-  { 0x0201, "\xC8\x81" },
-  { 0x0202, "\xC8\x82" },
-  { 0x0204, "\xC8\x84" },
-  { 0x0208, "\xC8\x88" },
-  { 0x0210, "\xC8\x90" },
-  { 0x0220, "\xC8\xA0" },
-  { 0x0240, "\xC9\x80" },
-  { 0x0280, "\xCA\x80" },
-  { 0x0300, "\xCC\x80" },
-  { 0x03FF, "\xCF\xBF" },
-  { 0x0400, "\xD0\x80" },
-  { 0x0401, "\xD0\x81" },
-  { 0x0402, "\xD0\x82" },
-  { 0x0404, "\xD0\x84" },
-  { 0x0408, "\xD0\x88" },
-  { 0x0410, "\xD0\x90" },
-  { 0x0420, "\xD0\xA0" },
-  { 0x0440, "\xD1\x80" },
-  { 0x0480, "\xD2\x80" },
-  { 0x0500, "\xD4\x80" },
-  { 0x0600, "\xD8\x80" },
-  { 0x07FF, "\xDF\xBF" },
-          
-  { 0x0800, "\xE0\xA0\x80" },
-  { 0x0801, "\xE0\xA0\x81" },
-  { 0x0802, "\xE0\xA0\x82" },
-  { 0x0804, "\xE0\xA0\x84" },
-  { 0x0808, "\xE0\xA0\x88" },
-  { 0x0810, "\xE0\xA0\x90" },
-  { 0x0820, "\xE0\xA0\xA0" },
-  { 0x0840, "\xE0\xA1\x80" },
-  { 0x0880, "\xE0\xA2\x80" },
-  { 0x0900, "\xE0\xA4\x80" },
-  { 0x0A00, "\xE0\xA8\x80" },
-  { 0x0C00, "\xE0\xB0\x80" },
-  { 0x0FFF, "\xE0\xBF\xBF" },
-  { 0x1000, "\xE1\x80\x80" },
-  { 0x1001, "\xE1\x80\x81" },
-  { 0x1002, "\xE1\x80\x82" },
-  { 0x1004, "\xE1\x80\x84" },
-  { 0x1008, "\xE1\x80\x88" },
-  { 0x1010, "\xE1\x80\x90" },
-  { 0x1020, "\xE1\x80\xA0" },
-  { 0x1040, "\xE1\x81\x80" },
-  { 0x1080, "\xE1\x82\x80" },
-  { 0x1100, "\xE1\x84\x80" },
-  { 0x1200, "\xE1\x88\x80" },
-  { 0x1400, "\xE1\x90\x80" },
-  { 0x1800, "\xE1\xA0\x80" },
-  { 0x1FFF, "\xE1\xBF\xBF" },
-  { 0x2000, "\xE2\x80\x80" },
-  { 0x2001, "\xE2\x80\x81" },
-  { 0x2002, "\xE2\x80\x82" },
-  { 0x2004, "\xE2\x80\x84" },
-  { 0x2008, "\xE2\x80\x88" },
-  { 0x2010, "\xE2\x80\x90" },
-  { 0x2020, "\xE2\x80\xA0" },
-  { 0x2040, "\xE2\x81\x80" },
-  { 0x2080, "\xE2\x82\x80" },
-  { 0x2100, "\xE2\x84\x80" },
-  { 0x2200, "\xE2\x88\x80" },
-  { 0x2400, "\xE2\x90\x80" },
-  { 0x2800, "\xE2\xA0\x80" },
-  { 0x3000, "\xE3\x80\x80" },
-  { 0x3FFF, "\xE3\xBF\xBF" },
-  { 0x4000, "\xE4\x80\x80" },
-  { 0x4001, "\xE4\x80\x81" },
-  { 0x4002, "\xE4\x80\x82" },
-  { 0x4004, "\xE4\x80\x84" },
-  { 0x4008, "\xE4\x80\x88" },
-  { 0x4010, "\xE4\x80\x90" },
-  { 0x4020, "\xE4\x80\xA0" },
-  { 0x4040, "\xE4\x81\x80" },
-  { 0x4080, "\xE4\x82\x80" },
-  { 0x4100, "\xE4\x84\x80" },
-  { 0x4200, "\xE4\x88\x80" },
-  { 0x4400, "\xE4\x90\x80" },
-  { 0x4800, "\xE4\xA0\x80" },
-  { 0x5000, "\xE5\x80\x80" },
-  { 0x6000, "\xE6\x80\x80" },
-  { 0x7FFF, "\xE7\xBF\xBF" },
-  { 0x8000, "\xE8\x80\x80" },
-  { 0x8001, "\xE8\x80\x81" },
-  { 0x8002, "\xE8\x80\x82" },
-  { 0x8004, "\xE8\x80\x84" },
-  { 0x8008, "\xE8\x80\x88" },
-  { 0x8010, "\xE8\x80\x90" },
-  { 0x8020, "\xE8\x80\xA0" },
-  { 0x8040, "\xE8\x81\x80" },
-  { 0x8080, "\xE8\x82\x80" },
-  { 0x8100, "\xE8\x84\x80" },
-  { 0x8200, "\xE8\x88\x80" },
-  { 0x8400, "\xE8\x90\x80" },
-  { 0x8800, "\xE8\xA0\x80" },
-  { 0x9000, "\xE9\x80\x80" },
-  { 0xA000, "\xEA\x80\x80" },
-  { 0xC000, "\xEC\x80\x80" },
-  { 0xFFFF, "\xEF\xBF\xBF" }
-
-};
-
-/*
- * UTF-16 vectors
- */
-
-struct utf16 utf16[] = {
-  { 0x00010000, { 0xD800, 0xDC00 } },
-  { 0x00010001, { 0xD800, 0xDC01 } },
-  { 0x00010002, { 0xD800, 0xDC02 } },
-  { 0x00010003, { 0xD800, 0xDC03 } },
-  { 0x00010004, { 0xD800, 0xDC04 } },
-  { 0x00010007, { 0xD800, 0xDC07 } },
-  { 0x00010008, { 0xD800, 0xDC08 } },
-  { 0x0001000F, { 0xD800, 0xDC0F } },
-  { 0x00010010, { 0xD800, 0xDC10 } },
-  { 0x0001001F, { 0xD800, 0xDC1F } },
-  { 0x00010020, { 0xD800, 0xDC20 } },
-  { 0x0001003F, { 0xD800, 0xDC3F } },
-  { 0x00010040, { 0xD800, 0xDC40 } },
-  { 0x0001007F, { 0xD800, 0xDC7F } },
-  { 0x00010080, { 0xD800, 0xDC80 } },
-  { 0x00010081, { 0xD800, 0xDC81 } },
-  { 0x00010082, { 0xD800, 0xDC82 } },
-  { 0x00010084, { 0xD800, 0xDC84 } },
-  { 0x00010088, { 0xD800, 0xDC88 } },
-  { 0x00010090, { 0xD800, 0xDC90 } },
-  { 0x000100A0, { 0xD800, 0xDCA0 } },
-  { 0x000100C0, { 0xD800, 0xDCC0 } },
-  { 0x000100FF, { 0xD800, 0xDCFF } },
-  { 0x00010100, { 0xD800, 0xDD00 } },
-  { 0x00010101, { 0xD800, 0xDD01 } },
-  { 0x00010102, { 0xD800, 0xDD02 } },
-  { 0x00010104, { 0xD800, 0xDD04 } },
-  { 0x00010108, { 0xD800, 0xDD08 } },
-  { 0x00010110, { 0xD800, 0xDD10 } },
-  { 0x00010120, { 0xD800, 0xDD20 } },
-  { 0x00010140, { 0xD800, 0xDD40 } },
-  { 0x00010180, { 0xD800, 0xDD80 } },
-  { 0x000101FF, { 0xD800, 0xDDFF } },
-  { 0x00010200, { 0xD800, 0xDE00 } },
-  { 0x00010201, { 0xD800, 0xDE01 } },
-  { 0x00010202, { 0xD800, 0xDE02 } },
-  { 0x00010204, { 0xD800, 0xDE04 } },
-  { 0x00010208, { 0xD800, 0xDE08 } },
-  { 0x00010210, { 0xD800, 0xDE10 } },
-  { 0x00010220, { 0xD800, 0xDE20 } },
-  { 0x00010240, { 0xD800, 0xDE40 } },
-  { 0x00010280, { 0xD800, 0xDE80 } },
-  { 0x00010300, { 0xD800, 0xDF00 } },
-  { 0x000103FF, { 0xD800, 0xDFFF } },
-  { 0x00010400, { 0xD801, 0xDC00 } },
-  { 0x00010401, { 0xD801, 0xDC01 } },
-  { 0x00010402, { 0xD801, 0xDC02 } },
-  { 0x00010404, { 0xD801, 0xDC04 } },
-  { 0x00010408, { 0xD801, 0xDC08 } },
-  { 0x00010410, { 0xD801, 0xDC10 } },
-  { 0x00010420, { 0xD801, 0xDC20 } },
-  { 0x00010440, { 0xD801, 0xDC40 } },
-  { 0x00010480, { 0xD801, 0xDC80 } },
-  { 0x00010500, { 0xD801, 0xDD00 } },
-  { 0x00010600, { 0xD801, 0xDE00 } },
-  { 0x000107FF, { 0xD801, 0xDFFF } },
-  { 0x00010800, { 0xD802, 0xDC00 } },
-  { 0x00010801, { 0xD802, 0xDC01 } },
-  { 0x00010802, { 0xD802, 0xDC02 } },
-  { 0x00010804, { 0xD802, 0xDC04 } },
-  { 0x00010808, { 0xD802, 0xDC08 } },
-  { 0x00010810, { 0xD802, 0xDC10 } },
-  { 0x00010820, { 0xD802, 0xDC20 } },
-  { 0x00010840, { 0xD802, 0xDC40 } },
-  { 0x00010880, { 0xD802, 0xDC80 } },
-  { 0x00010900, { 0xD802, 0xDD00 } },
-  { 0x00010A00, { 0xD802, 0xDE00 } },
-  { 0x00010C00, { 0xD803, 0xDC00 } },
-  { 0x00010FFF, { 0xD803, 0xDFFF } },
-  { 0x00011000, { 0xD804, 0xDC00 } },
-  { 0x00011001, { 0xD804, 0xDC01 } },
-  { 0x00011002, { 0xD804, 0xDC02 } },
-  { 0x00011004, { 0xD804, 0xDC04 } },
-  { 0x00011008, { 0xD804, 0xDC08 } },
-  { 0x00011010, { 0xD804, 0xDC10 } },
-  { 0x00011020, { 0xD804, 0xDC20 } },
-  { 0x00011040, { 0xD804, 0xDC40 } },
-  { 0x00011080, { 0xD804, 0xDC80 } },
-  { 0x00011100, { 0xD804, 0xDD00 } },
-  { 0x00011200, { 0xD804, 0xDE00 } },
-  { 0x00011400, { 0xD805, 0xDC00 } },
-  { 0x00011800, { 0xD806, 0xDC00 } },
-  { 0x00011FFF, { 0xD807, 0xDFFF } },
-  { 0x00012000, { 0xD808, 0xDC00 } },
-  { 0x00012001, { 0xD808, 0xDC01 } },
-  { 0x00012002, { 0xD808, 0xDC02 } },
-  { 0x00012004, { 0xD808, 0xDC04 } },
-  { 0x00012008, { 0xD808, 0xDC08 } },
-  { 0x00012010, { 0xD808, 0xDC10 } },
-  { 0x00012020, { 0xD808, 0xDC20 } },
-  { 0x00012040, { 0xD808, 0xDC40 } },
-  { 0x00012080, { 0xD808, 0xDC80 } },
-  { 0x00012100, { 0xD808, 0xDD00 } },
-  { 0x00012200, { 0xD808, 0xDE00 } },
-  { 0x00012400, { 0xD809, 0xDC00 } },
-  { 0x00012800, { 0xD80A, 0xDC00 } },
-  { 0x00013000, { 0xD80C, 0xDC00 } },
-  { 0x00013FFF, { 0xD80F, 0xDFFF } },
-  { 0x00014000, { 0xD810, 0xDC00 } },
-  { 0x00014001, { 0xD810, 0xDC01 } },
-  { 0x00014002, { 0xD810, 0xDC02 } },
-  { 0x00014004, { 0xD810, 0xDC04 } },
-  { 0x00014008, { 0xD810, 0xDC08 } },
-  { 0x00014010, { 0xD810, 0xDC10 } },
-  { 0x00014020, { 0xD810, 0xDC20 } },
-  { 0x00014040, { 0xD810, 0xDC40 } },
-  { 0x00014080, { 0xD810, 0xDC80 } },
-  { 0x00014100, { 0xD810, 0xDD00 } },
-  { 0x00014200, { 0xD810, 0xDE00 } },
-  { 0x00014400, { 0xD811, 0xDC00 } },
-  { 0x00014800, { 0xD812, 0xDC00 } },
-  { 0x00015000, { 0xD814, 0xDC00 } },
-  { 0x00016000, { 0xD818, 0xDC00 } },
-  { 0x00017FFF, { 0xD81F, 0xDFFF } },
-  { 0x00018000, { 0xD820, 0xDC00 } },
-  { 0x00018001, { 0xD820, 0xDC01 } },
-  { 0x00018002, { 0xD820, 0xDC02 } },
-  { 0x00018004, { 0xD820, 0xDC04 } },
-  { 0x00018008, { 0xD820, 0xDC08 } },
-  { 0x00018010, { 0xD820, 0xDC10 } },
-  { 0x00018020, { 0xD820, 0xDC20 } },
-  { 0x00018040, { 0xD820, 0xDC40 } },
-  { 0x00018080, { 0xD820, 0xDC80 } },
-  { 0x00018100, { 0xD820, 0xDD00 } },
-  { 0x00018200, { 0xD820, 0xDE00 } },
-  { 0x00018400, { 0xD821, 0xDC00 } },
-  { 0x00018800, { 0xD822, 0xDC00 } },
-  { 0x00019000, { 0xD824, 0xDC00 } },
-  { 0x0001A000, { 0xD828, 0xDC00 } },
-  { 0x0001C000, { 0xD830, 0xDC00 } },
-  { 0x0001FFFF, { 0xD83F, 0xDFFF } },
-  { 0x00020000, { 0xD840, 0xDC00 } },
-  { 0x00020001, { 0xD840, 0xDC01 } },
-  { 0x00020002, { 0xD840, 0xDC02 } },
-  { 0x00020004, { 0xD840, 0xDC04 } },
-  { 0x00020008, { 0xD840, 0xDC08 } },
-  { 0x00020010, { 0xD840, 0xDC10 } },
-  { 0x00020020, { 0xD840, 0xDC20 } },
-  { 0x00020040, { 0xD840, 0xDC40 } },
-  { 0x00020080, { 0xD840, 0xDC80 } },
-  { 0x00020100, { 0xD840, 0xDD00 } },
-  { 0x00020200, { 0xD840, 0xDE00 } },
-  { 0x00020400, { 0xD841, 0xDC00 } },
-  { 0x00020800, { 0xD842, 0xDC00 } },
-  { 0x00021000, { 0xD844, 0xDC00 } },
-  { 0x00022000, { 0xD848, 0xDC00 } },
-  { 0x00024000, { 0xD850, 0xDC00 } },
-  { 0x00028000, { 0xD860, 0xDC00 } },
-  { 0x0002FFFF, { 0xD87F, 0xDFFF } },
-  { 0x00030000, { 0xD880, 0xDC00 } },
-  { 0x00030001, { 0xD880, 0xDC01 } },
-  { 0x00030002, { 0xD880, 0xDC02 } },
-  { 0x00030004, { 0xD880, 0xDC04 } },
-  { 0x00030008, { 0xD880, 0xDC08 } },
-  { 0x00030010, { 0xD880, 0xDC10 } },
-  { 0x00030020, { 0xD880, 0xDC20 } },
-  { 0x00030040, { 0xD880, 0xDC40 } },
-  { 0x00030080, { 0xD880, 0xDC80 } },
-  { 0x00030100, { 0xD880, 0xDD00 } },
-  { 0x00030200, { 0xD880, 0xDE00 } },
-  { 0x00030400, { 0xD881, 0xDC00 } },
-  { 0x00030800, { 0xD882, 0xDC00 } },
-  { 0x00031000, { 0xD884, 0xDC00 } },
-  { 0x00032000, { 0xD888, 0xDC00 } },
-  { 0x00034000, { 0xD890, 0xDC00 } },
-  { 0x00038000, { 0xD8A0, 0xDC00 } },
-  { 0x0003FFFF, { 0xD8BF, 0xDFFF } },
-  { 0x00040000, { 0xD8C0, 0xDC00 } },
-  { 0x00040001, { 0xD8C0, 0xDC01 } },
-  { 0x00040002, { 0xD8C0, 0xDC02 } },
-  { 0x00040004, { 0xD8C0, 0xDC04 } },
-  { 0x00040008, { 0xD8C0, 0xDC08 } },
-  { 0x00040010, { 0xD8C0, 0xDC10 } },
-  { 0x00040020, { 0xD8C0, 0xDC20 } },
-  { 0x00040040, { 0xD8C0, 0xDC40 } },
-  { 0x00040080, { 0xD8C0, 0xDC80 } },
-  { 0x00040100, { 0xD8C0, 0xDD00 } },
-  { 0x00040200, { 0xD8C0, 0xDE00 } },
-  { 0x00040400, { 0xD8C1, 0xDC00 } },
-  { 0x00040800, { 0xD8C2, 0xDC00 } },
-  { 0x00041000, { 0xD8C4, 0xDC00 } },
-  { 0x00042000, { 0xD8C8, 0xDC00 } },
-  { 0x00044000, { 0xD8D0, 0xDC00 } },
-  { 0x00048000, { 0xD8E0, 0xDC00 } },
-  { 0x0004FFFF, { 0xD8FF, 0xDFFF } },
-  { 0x00050000, { 0xD900, 0xDC00 } },
-  { 0x00050001, { 0xD900, 0xDC01 } },
-  { 0x00050002, { 0xD900, 0xDC02 } },
-  { 0x00050004, { 0xD900, 0xDC04 } },
-  { 0x00050008, { 0xD900, 0xDC08 } },
-  { 0x00050010, { 0xD900, 0xDC10 } },
-  { 0x00050020, { 0xD900, 0xDC20 } },
-  { 0x00050040, { 0xD900, 0xDC40 } },
-  { 0x00050080, { 0xD900, 0xDC80 } },
-  { 0x00050100, { 0xD900, 0xDD00 } },
-  { 0x00050200, { 0xD900, 0xDE00 } },
-  { 0x00050400, { 0xD901, 0xDC00 } },
-  { 0x00050800, { 0xD902, 0xDC00 } },
-  { 0x00051000, { 0xD904, 0xDC00 } },
-  { 0x00052000, { 0xD908, 0xDC00 } },
-  { 0x00054000, { 0xD910, 0xDC00 } },
-  { 0x00058000, { 0xD920, 0xDC00 } },
-  { 0x00060000, { 0xD940, 0xDC00 } },
-  { 0x00070000, { 0xD980, 0xDC00 } },
-  { 0x0007FFFF, { 0xD9BF, 0xDFFF } },
-  { 0x00080000, { 0xD9C0, 0xDC00 } },
-  { 0x00080001, { 0xD9C0, 0xDC01 } },
-  { 0x00080002, { 0xD9C0, 0xDC02 } },
-  { 0x00080004, { 0xD9C0, 0xDC04 } },
-  { 0x00080008, { 0xD9C0, 0xDC08 } },
-  { 0x00080010, { 0xD9C0, 0xDC10 } },
-  { 0x00080020, { 0xD9C0, 0xDC20 } },
-  { 0x00080040, { 0xD9C0, 0xDC40 } },
-  { 0x00080080, { 0xD9C0, 0xDC80 } },
-  { 0x00080100, { 0xD9C0, 0xDD00 } },
-  { 0x00080200, { 0xD9C0, 0xDE00 } },
-  { 0x00080400, { 0xD9C1, 0xDC00 } },
-  { 0x00080800, { 0xD9C2, 0xDC00 } },
-  { 0x00081000, { 0xD9C4, 0xDC00 } },
-  { 0x00082000, { 0xD9C8, 0xDC00 } },
-  { 0x00084000, { 0xD9D0, 0xDC00 } },
-  { 0x00088000, { 0xD9E0, 0xDC00 } },
-  { 0x0008FFFF, { 0xD9FF, 0xDFFF } },
-  { 0x00090000, { 0xDA00, 0xDC00 } },
-  { 0x00090001, { 0xDA00, 0xDC01 } },
-  { 0x00090002, { 0xDA00, 0xDC02 } },
-  { 0x00090004, { 0xDA00, 0xDC04 } },
-  { 0x00090008, { 0xDA00, 0xDC08 } },
-  { 0x00090010, { 0xDA00, 0xDC10 } },
-  { 0x00090020, { 0xDA00, 0xDC20 } },
-  { 0x00090040, { 0xDA00, 0xDC40 } },
-  { 0x00090080, { 0xDA00, 0xDC80 } },
-  { 0x00090100, { 0xDA00, 0xDD00 } },
-  { 0x00090200, { 0xDA00, 0xDE00 } },
-  { 0x00090400, { 0xDA01, 0xDC00 } },
-  { 0x00090800, { 0xDA02, 0xDC00 } },
-  { 0x00091000, { 0xDA04, 0xDC00 } },
-  { 0x00092000, { 0xDA08, 0xDC00 } },
-  { 0x00094000, { 0xDA10, 0xDC00 } },
-  { 0x00098000, { 0xDA20, 0xDC00 } },
-  { 0x000A0000, { 0xDA40, 0xDC00 } },
-  { 0x000B0000, { 0xDA80, 0xDC00 } },
-  { 0x000C0000, { 0xDAC0, 0xDC00 } },
-  { 0x000D0000, { 0xDB00, 0xDC00 } },
-  { 0x000FFFFF, { 0xDBBF, 0xDFFF } },
-  { 0x0010FFFF, { 0xDBFF, 0xDFFF } }
-
-};
-
-/* illegal utf8 sequences */
-char *utf8_bad[] = {
-  "\xC0\x80",
-  "\xC1\xBF",
-  "\xE0\x80\x80",
-  "\xE0\x9F\xBF",
-  "\xF0\x80\x80\x80",
-  "\xF0\x8F\xBF\xBF",
-  "\xF4\x90\x80\x80",
-  "\xF7\xBF\xBF\xBF",
-  "\xF8\x80\x80\x80\x80",
-  "\xF8\x88\x80\x80\x80",
-  "\xF8\x92\x80\x80\x80",
-  "\xF8\x9F\xBF\xBF\xBF",
-  "\xF8\xA0\x80\x80\x80",
-  "\xF8\xA8\x80\x80\x80",
-  "\xF8\xB0\x80\x80\x80",
-  "\xF8\xBF\xBF\xBF\xBF",
-  "\xF9\x80\x80\x80\x88",
-  "\xF9\x84\x80\x80\x80",
-  "\xF9\xBF\xBF\xBF\xBF",
-  "\xFA\x80\x80\x80\x80",
-  "\xFA\x90\x80\x80\x80",
-  "\xFB\xBF\xBF\xBF\xBF",
-  "\xFC\x84\x80\x80\x80\x81",
-  "\xFC\x85\x80\x80\x80\x80",
-  "\xFC\x86\x80\x80\x80\x80",
-  "\xFC\x87\xBF\xBF\xBF\xBF",
-  "\xFC\x88\xA0\x80\x80\x80",
-  "\xFC\x89\x80\x80\x80\x80",
-  "\xFC\x8A\x80\x80\x80\x80",
-  "\xFC\x90\x80\x80\x80\x82",
-  "\xFD\x80\x80\x80\x80\x80",
-  "\xFD\xBF\xBF\xBF\xBF\xBF",
-  "\x80",
-  "\xC3",
-  "\xC3\xC3\x80",
-  "\xED\xA0\x80",
-  "\xED\xBF\x80",
-  "\xED\xBF\xBF",
-  "\xED\xA0\x80\xE0\xBF\xBF",
-};
-
-static void
-dump_utf8
-(
-  char *word,
-  unsigned char *utf8,
-  char *end
-)
-{
-  fprintf(stdout, "%s ", word);
-  for( ; *utf8; utf8++ ) {
-    fprintf(stdout, "%02.2x ", (unsigned int)*utf8);
-  }
-  fprintf(stdout, "%s", end);
-}
-
-static PRBool
-test_ucs4_chars
-(
-  void
-)
-{
-  PRBool rv = PR_TRUE;
-  int i;
-
-  for( i = 0; i < sizeof(ucs4)/sizeof(ucs4[0]); i++ ) {
-    struct ucs4 *e = &ucs4[i];
-    PRBool result;
-    unsigned char utf8[8];
-    unsigned int len = 0;
-    PRUint32 back = 0;
-
-    (void)memset(utf8, 0, sizeof(utf8));
-    
-    result = sec_port_ucs4_utf8_conversion_function(PR_FALSE, 
-      (unsigned char *)&e->c, sizeof(e->c), utf8, sizeof(utf8), &len);
-
-    if( !result ) {
-      fprintf(stdout, "Failed to convert UCS-4 0x%08.8x to UTF-8\n", e->c);
-      rv = PR_FALSE;
-      continue;
-    }
-
-    if( (len >= sizeof(utf8)) ||
-        (strlen(e->utf8) != len) ||
-        (utf8[len] = '\0', 0 != strcmp(e->utf8, utf8)) ) {
-      fprintf(stdout, "Wrong conversion of UCS-4 0x%08.8x to UTF-8: ", e->c);
-      dump_utf8("expected", e->utf8, ", ");
-      dump_utf8("received", utf8, "\n");
-      rv = PR_FALSE;
-      continue;
-    }
-
-    result = sec_port_ucs4_utf8_conversion_function(PR_TRUE,
-      utf8, len, (unsigned char *)&back, sizeof(back), &len);
-
-    if( !result ) {
-      dump_utf8("Failed to convert UTF-8", utf8, "to UCS-4\n");
-      rv = PR_FALSE;
-      continue;
-    }
-
-    if( (sizeof(back) != len) || (e->c != back) ) {
-      dump_utf8("Wrong conversion of UTF-8", utf8, " to UCS-4:");
-      fprintf(stdout, "expected 0x%08.8x, received 0x%08.8x\n", e->c, back);
-      rv = PR_FALSE;
-      continue;
-    }
-  }
-
-  return rv;
-}
-
-static PRBool
-test_ucs2_chars
-(
-  void
-)
-{
-  PRBool rv = PR_TRUE;
-  int i;
-
-  for( i = 0; i < sizeof(ucs2)/sizeof(ucs2[0]); i++ ) {
-    struct ucs2 *e = &ucs2[i];
-    PRBool result;
-    unsigned char utf8[8];
-    unsigned int len = 0;
-    PRUint16 back = 0;
-
-    (void)memset(utf8, 0, sizeof(utf8));
-    
-    result = sec_port_ucs2_utf8_conversion_function(PR_FALSE,
-      (unsigned char *)&e->c, sizeof(e->c), utf8, sizeof(utf8), &len);
-
-    if( !result ) {
-      fprintf(stdout, "Failed to convert UCS-2 0x%04.4x to UTF-8\n", e->c);
-      rv = PR_FALSE;
-      continue;
-    }
-
-    if( (len >= sizeof(utf8)) ||
-        (strlen(e->utf8) != len) ||
-        (utf8[len] = '\0', 0 != strcmp(e->utf8, utf8)) ) {
-      fprintf(stdout, "Wrong conversion of UCS-2 0x%04.4x to UTF-8: ", e->c);
-      dump_utf8("expected", e->utf8, ", ");
-      dump_utf8("received", utf8, "\n");
-      rv = PR_FALSE;
-      continue;
-    }
-
-    result = sec_port_ucs2_utf8_conversion_function(PR_TRUE,
-      utf8, len, (unsigned char *)&back, sizeof(back), &len);
-
-    if( !result ) {
-      dump_utf8("Failed to convert UTF-8", utf8, "to UCS-2\n");
-      rv = PR_FALSE;
-      continue;
-    }
-
-    if( (sizeof(back) != len) || (e->c != back) ) {
-      dump_utf8("Wrong conversion of UTF-8", utf8, "to UCS-2:");
-      fprintf(stdout, "expected 0x%08.8x, received 0x%08.8x\n", e->c, back);
-      rv = PR_FALSE;
-      continue;
-    }
-  }
-
-  return rv;
-}
-
-static PRBool
-test_utf16_chars
-(
-  void
-)
-{
-  PRBool rv = PR_TRUE;
-  int i;
-
-  for( i = 0; i < sizeof(utf16)/sizeof(utf16[0]); i++ ) {
-    struct utf16 *e = &utf16[i];
-    PRBool result;
-    unsigned char utf8[8];
-    unsigned int len = 0;
-    PRUint32 back32 = 0;
-    PRUint16 back[2];
-
-    (void)memset(utf8, 0, sizeof(utf8));
-    
-    result = sec_port_ucs2_utf8_conversion_function(PR_FALSE, 
-      (unsigned char *)&e->w[0], sizeof(e->w), utf8, sizeof(utf8), &len);
-
-    if( !result ) {
-      fprintf(stdout, "Failed to convert UTF-16 0x%04.4x 0x%04.4x to UTF-8\n", 
-              e->w[0], e->w[1]);
-      rv = PR_FALSE;
-      continue;
-    }
-
-    result = sec_port_ucs4_utf8_conversion_function(PR_TRUE,
-      utf8, len, (unsigned char *)&back32, sizeof(back32), &len);
-
-    if( 4 != len ) {
-      fprintf(stdout, "Failed to convert UTF-16 0x%04.4x 0x%04.4x to UTF-8: "
-              "unexpected len %d\n", e->w[0], e->w[1], len);
-      rv = PR_FALSE;
-      continue;
-    }
-
-    utf8[len] = '\0'; /* null-terminate for printing */
-
-    if( !result ) {
-      dump_utf8("Failed to convert UTF-8", utf8, "to UCS-4 (utf-16 test)\n");
-      rv = PR_FALSE;
-      continue;
-    }
-
-    if( (sizeof(back32) != len) || (e->c != back32) ) {
-      fprintf(stdout, "Wrong conversion of UTF-16 0x%04.4x 0x%04.4x ", 
-              e->w[0], e->w[1]);
-      dump_utf8("to UTF-8", utf8, "and then to UCS-4: ");
-      if( sizeof(back32) != len ) {
-        fprintf(stdout, "len is %d\n", len);
-      } else {
-        fprintf(stdout, "expected 0x%08.8x, received 0x%08.8x\n", e->c, back32);
-      }
-      rv = PR_FALSE;
-      continue;
-    }
-
-    (void)memset(utf8, 0, sizeof(utf8));
-    back[0] = back[1] = 0;
-
-    result = sec_port_ucs4_utf8_conversion_function(PR_FALSE,
-      (unsigned char *)&e->c, sizeof(e->c), utf8, sizeof(utf8), &len);
-
-    if( !result ) {
-      fprintf(stdout, "Failed to convert UCS-4 0x%08.8x to UTF-8 (utf-16 test)\n",
-              e->c);
-      rv = PR_FALSE;
-      continue;
-    }
-
-    result = sec_port_ucs2_utf8_conversion_function(PR_TRUE,
-      utf8, len, (unsigned char *)&back[0], sizeof(back), &len);
-
-    if( 4 != len ) {
-      fprintf(stdout, "Failed to convert UCS-4 0x%08.8x to UTF-8: "
-              "unexpected len %d\n", e->c, len);
-      rv = PR_FALSE;
-      continue;
-    }
-
-    utf8[len] = '\0'; /* null-terminate for printing */
-
-    if( !result ) {
-      dump_utf8("Failed to convert UTF-8", utf8, "to UTF-16\n");
-      rv = PR_FALSE;
-      continue;
-    }
-
-    if( (sizeof(back) != len) || (e->w[0] != back[0]) || (e->w[1] != back[1]) ) {
-      fprintf(stdout, "Wrong conversion of UCS-4 0x%08.8x to UTF-8", e->c);
-      dump_utf8("", utf8, "and then to UTF-16:");
-      if( sizeof(back) != len ) {
-        fprintf(stdout, "len is %d\n", len);
-      } else {
-        fprintf(stdout, "expected 0x%04.4x 0x%04.4x, received 0x%04.4x 0x%04.4xx\n",
-                e->w[0], e->w[1], back[0], back[1]);
-      }
-      rv = PR_FALSE;
-      continue;
-    }
-  }
-
-  return rv;
-}
-
-static PRBool
-test_utf8_bad_chars
-(
-  void
-)
-{
-  PRBool rv = PR_TRUE;
-  int i;
-
-  for( i = 0; i < sizeof(utf8_bad)/sizeof(utf8_bad[0]); i++ ) {
-    PRBool result;
-    unsigned char destbuf[30];
-    unsigned int len = 0;
-
-    result = sec_port_ucs2_utf8_conversion_function(PR_TRUE,
-      (unsigned char *)utf8_bad[i], strlen(utf8_bad[i]), destbuf, sizeof(destbuf), &len);
-
-    if( result ) {
-      dump_utf8("Failed to detect bad UTF-8 string converting to UCS2: ", utf8_bad[i], "\n");
-      rv = PR_FALSE;
-      continue;
-    }
-    result = sec_port_ucs4_utf8_conversion_function(PR_TRUE,
-      (unsigned char *)utf8_bad[i], strlen(utf8_bad[i]), destbuf, sizeof(destbuf), &len);
-
-    if( result ) {
-      dump_utf8("Failed to detect bad UTF-8 string converting to UCS4: ", utf8_bad[i], "\n");
-      rv = PR_FALSE;
-      continue;
-    }
-
-  }
-
-  return rv;
-}
-
-static PRBool
-test_iso88591_chars
-(
-  void
-)
-{
-  PRBool rv = PR_TRUE;
-  int i;
-
-  for( i = 0; i < sizeof(ucs2)/sizeof(ucs2[0]); i++ ) {
-    struct ucs2 *e = &ucs2[i];
-    PRBool result;
-    unsigned char iso88591;
-    unsigned char utf8[3];
-    unsigned int len = 0;
-
-    if (ntohs(e->c) > 0xFF) continue;
-
-    (void)memset(utf8, 0, sizeof(utf8));
-    iso88591 = ntohs(e->c);
-    
-    result = sec_port_iso88591_utf8_conversion_function(&iso88591,
-      1, utf8, sizeof(utf8), &len);
-
-    if( !result ) {
-      fprintf(stdout, "Failed to convert ISO-8859-1 0x%02.2x to UTF-8\n", iso88591);
-      rv = PR_FALSE;
-      continue;
-    }
-
-    if( (len >= sizeof(utf8)) ||
-        (strlen(e->utf8) != len) ||
-        (utf8[len] = '\0', 0 != strcmp(e->utf8, utf8)) ) {
-      fprintf(stdout, "Wrong conversion of ISO-8859-1 0x%02.2x to UTF-8: ", iso88591);
-      dump_utf8("expected", e->utf8, ", ");
-      dump_utf8("received", utf8, "\n");
-      rv = PR_FALSE;
-      continue;
-    }
-
-  }
-
-  return rv;
-}
-
-static PRBool
-test_zeroes
-(
-  void
-)
-{
-  PRBool rv = PR_TRUE;
-  PRBool result;
-  PRUint32 lzero = 0;
-  PRUint16 szero = 0;
-  unsigned char utf8[8];
-  unsigned int len = 0;
-  PRUint32 lback = 1;
-  PRUint16 sback = 1;
-
-  (void)memset(utf8, 1, sizeof(utf8));
-
-  result = sec_port_ucs4_utf8_conversion_function(PR_FALSE, 
-    (unsigned char *)&lzero, sizeof(lzero), utf8, sizeof(utf8), &len);
-
-  if( !result ) {
-    fprintf(stdout, "Failed to convert UCS-4 0x00000000 to UTF-8\n");
-    rv = PR_FALSE;
-  } else if( 1 != len ) {
-    fprintf(stdout, "Wrong conversion of UCS-4 0x00000000: len = %d\n", len);
-    rv = PR_FALSE;
-  } else if( '\0' != *utf8 ) {
-    fprintf(stdout, "Wrong conversion of UCS-4 0x00000000: expected 00 ,"
-            "received %02.2x\n", (unsigned int)*utf8);
-    rv = PR_FALSE;
-  }
-
-  result = sec_port_ucs4_utf8_conversion_function(PR_TRUE,
-    "", 1, (unsigned char *)&lback, sizeof(lback), &len);
-
-  if( !result ) {
-    fprintf(stdout, "Failed to convert UTF-8 00 to UCS-4\n");
-    rv = PR_FALSE;
-  } else if( 4 != len ) {
-    fprintf(stdout, "Wrong conversion of UTF-8 00 to UCS-4: len = %d\n", len);
-    rv = PR_FALSE;
-  } else if( 0 != lback ) {
-    fprintf(stdout, "Wrong conversion of UTF-8 00 to UCS-4: "
-            "expected 0x00000000, received 0x%08.8x\n", lback);
-    rv = PR_FALSE;
-  }
-
-  (void)memset(utf8, 1, sizeof(utf8));
-
-  result = sec_port_ucs2_utf8_conversion_function(PR_FALSE, 
-    (unsigned char *)&szero, sizeof(szero), utf8, sizeof(utf8), &len);
-
-  if( !result ) {
-    fprintf(stdout, "Failed to convert UCS-2 0x0000 to UTF-8\n");
-    rv = PR_FALSE;
-  } else if( 1 != len ) {
-    fprintf(stdout, "Wrong conversion of UCS-2 0x0000: len = %d\n", len);
-    rv = PR_FALSE;
-  } else if( '\0' != *utf8 ) {
-    fprintf(stdout, "Wrong conversion of UCS-2 0x0000: expected 00 ,"
-            "received %02.2x\n", (unsigned int)*utf8);
-    rv = PR_FALSE;
-  }
-
-  result = sec_port_ucs2_utf8_conversion_function(PR_TRUE,
-    "", 1, (unsigned char *)&sback, sizeof(sback), &len);
-
-  if( !result ) {
-    fprintf(stdout, "Failed to convert UTF-8 00 to UCS-2\n");
-    rv = PR_FALSE;
-  } else if( 2 != len ) {
-    fprintf(stdout, "Wrong conversion of UTF-8 00 to UCS-2: len = %d\n", len);
-    rv = PR_FALSE;
-  } else if( 0 != sback ) {
-    fprintf(stdout, "Wrong conversion of UTF-8 00 to UCS-2: "
-            "expected 0x0000, received 0x%04.4x\n", sback);
-    rv = PR_FALSE;
-  }
-
-  return rv;
-}
-
-static PRBool
-test_multichars
-(
-  void
-)
-{
-  int i;
-  unsigned int len, lenout;
-  PRUint32 *ucs4s;
-  char *ucs4_utf8;
-  PRUint16 *ucs2s;
-  char *ucs2_utf8;
-  void *tmp;
-  PRBool result;
-
-  ucs4s = (PRUint32 *)calloc(sizeof(ucs4)/sizeof(ucs4[0]), sizeof(PRUint32));
-  ucs2s = (PRUint16 *)calloc(sizeof(ucs2)/sizeof(ucs2[0]), sizeof(PRUint16));
-
-  if( ((PRUint32 *)NULL == ucs4s) || ((PRUint16 *)NULL == ucs2s) ) {
-    fprintf(stderr, "out of memory\n");
-    exit(1);
-  }
-
-  len = 0;
-  for( i = 0; i < sizeof(ucs4)/sizeof(ucs4[0]); i++ ) {
-    ucs4s[i] = ucs4[i].c;
-    len += strlen(ucs4[i].utf8);
-  }
-
-  ucs4_utf8 = (char *)malloc(len);
-
-  len = 0;
-  for( i = 0; i < sizeof(ucs2)/sizeof(ucs2[0]); i++ ) {
-    ucs2s[i] = ucs2[i].c;
-    len += strlen(ucs2[i].utf8);
-  }
-
-  ucs2_utf8 = (char *)malloc(len);
-
-  if( ((char *)NULL == ucs4_utf8) || ((char *)NULL == ucs2_utf8) ) {
-    fprintf(stderr, "out of memory\n");
-    exit(1);
-  }
-
-  *ucs4_utf8 = '\0';
-  for( i = 0; i < sizeof(ucs4)/sizeof(ucs4[0]); i++ ) {
-    strcat(ucs4_utf8, ucs4[i].utf8);
-  }
-
-  *ucs2_utf8 = '\0';
-  for( i = 0; i < sizeof(ucs2)/sizeof(ucs2[0]); i++ ) {
-    strcat(ucs2_utf8, ucs2[i].utf8);
-  }
-
-  /* UTF-8 -> UCS-4 */
-  len = sizeof(ucs4)/sizeof(ucs4[0]) * sizeof(PRUint32);
-  tmp = calloc(len, 1);
-  if( (void *)NULL == tmp ) {
-    fprintf(stderr, "out of memory\n");
-    exit(1);
-  }
-
-  result = sec_port_ucs4_utf8_conversion_function(PR_TRUE,
-    ucs4_utf8, strlen(ucs4_utf8), tmp, len, &lenout);
-  if( !result ) {
-    fprintf(stdout, "Failed to convert much UTF-8 to UCS-4\n");
-    goto done;
-  }
-
-  if( lenout != len ) {
-    fprintf(stdout, "Unexpected length converting much UTF-8 to UCS-4\n");
-    goto loser;
-  }
-
-  if( 0 != memcmp(ucs4s, tmp, len) ) {
-    fprintf(stdout, "Wrong conversion of much UTF-8 to UCS-4\n");
-    goto loser;
-  }
-
-  free(tmp); tmp = (void *)NULL;
-
-  /* UCS-4 -> UTF-8 */
-  len = strlen(ucs4_utf8);
-  tmp = calloc(len, 1);
-  if( (void *)NULL == tmp ) {
-    fprintf(stderr, "out of memory\n");
-    exit(1);
-  }
-
-  result = sec_port_ucs4_utf8_conversion_function(PR_FALSE,
-    (unsigned char *)ucs4s, sizeof(ucs4)/sizeof(ucs4[0]) * sizeof(PRUint32), 
-    tmp, len, &lenout);
-  if( !result ) {
-    fprintf(stdout, "Failed to convert much UCS-4 to UTF-8\n");
-    goto done;
-  }
-
-  if( lenout != len ) {
-    fprintf(stdout, "Unexpected length converting much UCS-4 to UTF-8\n");
-    goto loser;
-  }
-
-  if( 0 != strncmp(ucs4_utf8, tmp, len) ) {
-    fprintf(stdout, "Wrong conversion of much UCS-4 to UTF-8\n");
-    goto loser;
-  }
-
-  free(tmp); tmp = (void *)NULL;
-
-  /* UTF-8 -> UCS-2 */
-  len = sizeof(ucs2)/sizeof(ucs2[0]) * sizeof(PRUint16);
-  tmp = calloc(len, 1);
-  if( (void *)NULL == tmp ) {
-    fprintf(stderr, "out of memory\n");
-    exit(1);
-  }
-
-  result = sec_port_ucs2_utf8_conversion_function(PR_TRUE,
-    ucs2_utf8, strlen(ucs2_utf8), tmp, len, &lenout);
-  if( !result ) {
-    fprintf(stdout, "Failed to convert much UTF-8 to UCS-2\n");
-    goto done;
-  }
-
-  if( lenout != len ) {
-    fprintf(stdout, "Unexpected length converting much UTF-8 to UCS-2\n");
-    goto loser;
-  }
-
-  if( 0 != memcmp(ucs2s, tmp, len) ) {
-    fprintf(stdout, "Wrong conversion of much UTF-8 to UCS-2\n");
-    goto loser;
-  }
-
-  free(tmp); tmp = (void *)NULL;
-
-  /* UCS-2 -> UTF-8 */
-  len = strlen(ucs2_utf8);
-  tmp = calloc(len, 1);
-  if( (void *)NULL == tmp ) {
-    fprintf(stderr, "out of memory\n");
-    exit(1);
-  }
-
-  result = sec_port_ucs2_utf8_conversion_function(PR_FALSE,
-    (unsigned char *)ucs2s, sizeof(ucs2)/sizeof(ucs2[0]) * sizeof(PRUint16), 
-    tmp, len, &lenout);
-  if( !result ) {
-    fprintf(stdout, "Failed to convert much UCS-2 to UTF-8\n");
-    goto done;
-  }
-
-  if( lenout != len ) {
-    fprintf(stdout, "Unexpected length converting much UCS-2 to UTF-8\n");
-    goto loser;
-  }
-
-  if( 0 != strncmp(ucs2_utf8, tmp, len) ) {
-    fprintf(stdout, "Wrong conversion of much UCS-2 to UTF-8\n");
-    goto loser;
-  }
-
-  /* implement UTF16 */
-
-  result = PR_TRUE;
-  goto done;
-
- loser:
-  result = PR_FALSE;
- done:
-  free(ucs4s);
-  free(ucs4_utf8);
-  free(ucs2s);
-  free(ucs2_utf8);
-  if( (void *)NULL != tmp ) free(tmp);
-  return result;
-}
-
-void
-byte_order
-(
-  void
-)
-{
-  /*
-   * The implementation (now) expects the 16- and 32-bit characters
-   * to be in network byte order, not host byte order.  Therefore I
-   * have to byteswap all those test vectors above.  hton[ls] may be
-   * functions, so I have to do this dynamically.  If you want to 
-   * use this code to do host byte order conversions, just remove
-   * the call in main() to this function.
-   */
-
-  int i;
-
-  for( i = 0; i < sizeof(ucs4)/sizeof(ucs4[0]); i++ ) {
-    struct ucs4 *e = &ucs4[i];
-    e->c = htonl(e->c);
-  }
-
-  for( i = 0; i < sizeof(ucs2)/sizeof(ucs2[0]); i++ ) {
-    struct ucs2 *e = &ucs2[i];
-    e->c = htons(e->c);
-  }
-
-  for( i = 0; i < sizeof(utf16)/sizeof(utf16[0]); i++ ) {
-    struct utf16 *e = &utf16[i];
-    e->c = htonl(e->c);
-    e->w[0] = htons(e->w[0]);
-    e->w[1] = htons(e->w[1]);
-  }
-
-  return;
-}
-
-int
-main
-(
-  int argc,
-  char *argv[]
-)
-{
-  byte_order();
-
-  if( test_ucs4_chars() &&
-      test_ucs2_chars() &&
-      test_utf16_chars() &&
-      test_utf8_bad_chars() &&
-      test_iso88591_chars() &&
-      test_zeroes() &&
-      test_multichars() &&
-      PR_TRUE ) {
-    fprintf(stderr, "PASS\n");
-    return 1;
-  } else {
-    fprintf(stderr, "FAIL\n");
-    return 0;
-  }
-}
-
-#endif /* TEST_UTF8 */
diff --git a/security/nss/lib/util/watcomfx.h b/security/nss/lib/util/watcomfx.h
deleted file mode 100644
index d0b6fc5d3..000000000
--- a/security/nss/lib/util/watcomfx.h
+++ /dev/null
@@ -1,62 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#if defined(__WATCOMC__) || defined(__WATCOM_CPLUSPLUS__)
-#ifndef __WATCOM_FIX_H__
-#define __WATCOM_FIX_H__ 1
-/*
- * WATCOM's C compiler doesn't default to "__cdecl" conventions for external
- * symbols and functions.  Rather than adding an explicit __cdecl modifier to 
- * every external symbol and function declaration and definition, we use the 
- * following pragma to (attempt to) change WATCOM c's default to __cdecl.
- * These pragmas were taken from pages 180-181, 266 & 269 of the 
- * Watcom C/C++ version 11 User's Guide, 3rd edition.
- */
-#if defined(XP_WIN16) || defined(WIN16) 
-#pragma aux default "_*" \
-	parm caller [] \
-	value struct float struct routine [ax] \
-	modify [ax bx cx dx es]
-#else
-#pragma aux default "_*" \
-	parm caller [] \
-	value struct float struct routine [eax] \
-	modify [eax ecx edx]
-#endif
-#pragma aux default far
-
-#endif /* once */
-#endif /* WATCOM compiler */